npm - @enactprotocol/trust - Versions diffs - 2.0.0 → 2.0.2 - Mend

@enactprotocol/trust 2.0.0 → 2.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (57) hide show

package/dist/hash.d.ts +53 -0
package/dist/hash.d.ts.map +1 -0
package/dist/hash.js +104 -0
package/dist/hash.js.map +1 -0
package/dist/index.d.ts +12 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +14 -0
package/dist/index.js.map +1 -0
package/dist/keys.d.ts +41 -0
package/dist/keys.d.ts.map +1 -0
package/dist/keys.js +130 -0
package/dist/keys.js.map +1 -0
package/dist/sigstore/attestation.d.ts +245 -0
package/dist/sigstore/attestation.d.ts.map +1 -0
package/dist/sigstore/attestation.js +324 -0
package/dist/sigstore/attestation.js.map +1 -0
package/dist/sigstore/cosign.d.ts +90 -0
package/dist/sigstore/cosign.d.ts.map +1 -0
package/dist/sigstore/cosign.js +457 -0
package/dist/sigstore/cosign.js.map +1 -0
package/dist/sigstore/index.d.ts +17 -0
package/dist/sigstore/index.d.ts.map +1 -0
package/dist/sigstore/index.js +21 -0
package/dist/sigstore/index.js.map +1 -0
package/dist/sigstore/oauth/client.d.ts +38 -0
package/dist/sigstore/oauth/client.d.ts.map +1 -0
package/dist/sigstore/oauth/client.js +71 -0
package/dist/sigstore/oauth/client.js.map +1 -0
package/dist/sigstore/oauth/index.d.ts +47 -0
package/dist/sigstore/oauth/index.d.ts.map +1 -0
package/dist/sigstore/oauth/index.js +66 -0
package/dist/sigstore/oauth/index.js.map +1 -0
package/dist/sigstore/oauth/server.d.ts +29 -0
package/dist/sigstore/oauth/server.d.ts.map +1 -0
package/dist/sigstore/oauth/server.js +145 -0
package/dist/sigstore/oauth/server.js.map +1 -0
package/dist/sigstore/policy.d.ts +85 -0
package/dist/sigstore/policy.d.ts.map +1 -0
package/dist/sigstore/policy.js +351 -0
package/dist/sigstore/policy.js.map +1 -0
package/dist/sigstore/signing.d.ts +94 -0
package/dist/sigstore/signing.d.ts.map +1 -0
package/dist/sigstore/signing.js +477 -0
package/dist/sigstore/signing.js.map +1 -0
package/dist/sigstore/types.d.ts +541 -0
package/dist/sigstore/types.d.ts.map +1 -0
package/dist/sigstore/types.js +5 -0
package/dist/sigstore/types.js.map +1 -0
package/dist/sigstore/verification.d.ts +66 -0
package/dist/sigstore/verification.d.ts.map +1 -0
package/dist/sigstore/verification.js +317 -0
package/dist/sigstore/verification.js.map +1 -0
package/dist/types.d.ts +61 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +5 -0
package/dist/types.js.map +1 -0
package/package.json +1 -1

package/dist/sigstore/oauth/index.d.ts ADDED Viewed

@@ -0,0 +1,47 @@
+/**
+ * OAuth Identity Provider
+ *
+ * Provides interactive OIDC authentication for keyless signing.
+ * Opens a browser for the user to authenticate with their identity provider
+ * (GitHub, Google, Microsoft) and returns an OIDC token that can be used
+ * with Fulcio to obtain a signing certificate.
+ */
+/** Default Sigstore OAuth issuer */
+export declare const SIGSTORE_OAUTH_ISSUER = "https://oauth2.sigstore.dev/auth";
+/** Default Sigstore OAuth client ID */
+export declare const SIGSTORE_CLIENT_ID = "sigstore";
+export interface OAuthIdentityProviderOptions {
+    /** OIDC issuer URL (default: Sigstore public instance) */
+    issuer?: string;
+    /** OAuth client ID (default: "sigstore") */
+    clientID?: string;
+    /** OAuth client secret (optional, not needed for public clients) */
+    clientSecret?: string;
+    /** Redirect URL (optional, auto-generated if not provided) */
+    redirectURL?: string;
+}
+/**
+ * IdentityProvider interface - matches sigstore's expected interface
+ */
+export interface IdentityProvider {
+    getToken: () => Promise<string>;
+}
+/**
+ * OAuthIdentityProvider implements interactive browser-based OAuth flow
+ * to obtain an OIDC token for keyless signing.
+ */
+export declare class OAuthIdentityProvider implements IdentityProvider {
+    private server;
+    private issuer;
+    private clientID;
+    private clientSecret;
+    constructor(options?: OAuthIdentityProviderOptions);
+    /**
+     * Get an OIDC token by performing interactive OAuth flow.
+     * Opens a browser for the user to authenticate.
+     */
+    getToken(): Promise<string>;
+}
+export { CallbackServer } from "./server";
+export { OAuthClient, initializeOAuthClient } from "./client";
+//# sourceMappingURL=index.d.ts.map

package/dist/sigstore/oauth/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/sigstore/oauth/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAMH,oCAAoC;AACpC,eAAO,MAAM,qBAAqB,qCAAqC,CAAC;AAExE,uCAAuC;AACvC,eAAO,MAAM,kBAAkB,aAAa,CAAC;AAE7C,MAAM,WAAW,4BAA4B;IAC3C,0DAA0D;IAC1D,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,4CAA4C;IAC5C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,oEAAoE;IACpE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,8DAA8D;IAC9D,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,CAAC;CACjC;AAED;;;GAGG;AACH,qBAAa,qBAAsB,YAAW,gBAAgB;IAC5D,OAAO,CAAC,MAAM,CAAiB;IAC/B,OAAO,CAAC,MAAM,CAAS;IACvB,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,YAAY,CAAqB;gBAE7B,OAAO,GAAE,4BAAiC;IAiBtD;;;OAGG;IACU,QAAQ,IAAI,OAAO,CAAC,MAAM,CAAC;CAsBzC;AAGD,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,qBAAqB,EAAE,MAAM,UAAU,CAAC"}

package/dist/sigstore/oauth/index.js ADDED Viewed

@@ -0,0 +1,66 @@
+/**
+ * OAuth Identity Provider
+ *
+ * Provides interactive OIDC authentication for keyless signing.
+ * Opens a browser for the user to authenticate with their identity provider
+ * (GitHub, Google, Microsoft) and returns an OIDC token that can be used
+ * with Fulcio to obtain a signing certificate.
+ */
+import open from "open";
+import { initializeOAuthClient } from "./client";
+import { CallbackServer } from "./server";
+/** Default Sigstore OAuth issuer */
+export const SIGSTORE_OAUTH_ISSUER = "https://oauth2.sigstore.dev/auth";
+/** Default Sigstore OAuth client ID */
+export const SIGSTORE_CLIENT_ID = "sigstore";
+/**
+ * OAuthIdentityProvider implements interactive browser-based OAuth flow
+ * to obtain an OIDC token for keyless signing.
+ */
+export class OAuthIdentityProvider {
+    server;
+    issuer;
+    clientID;
+    clientSecret;
+    constructor(options = {}) {
+        this.issuer = options.issuer ?? SIGSTORE_OAUTH_ISSUER;
+        this.clientID = options.clientID ?? SIGSTORE_CLIENT_ID;
+        this.clientSecret = options.clientSecret;
+        let serverOpts;
+        if (options.redirectURL) {
+            const url = new URL(options.redirectURL);
+            serverOpts = { hostname: url.hostname, port: Number(url.port) };
+        }
+        else {
+            // Use random port on localhost
+            serverOpts = { hostname: "localhost", port: 0 };
+        }
+        this.server = new CallbackServer(serverOpts);
+    }
+    /**
+     * Get an OIDC token by performing interactive OAuth flow.
+     * Opens a browser for the user to authenticate.
+     */
+    async getToken() {
+        // Start server to receive OAuth callback
+        const serverURL = await this.server.start();
+        // Initialize OAuth client with discovered configuration
+        const client = await initializeOAuthClient({
+            issuer: this.issuer,
+            redirectURL: serverURL,
+            clientID: this.clientID,
+            clientSecret: this.clientSecret,
+        });
+        // Open browser to OAuth login page
+        await open(client.authorizationUrl);
+        if (!this.server.callback) {
+            throw new Error("callback server not started");
+        }
+        // Wait for callback and exchange auth code for ID token
+        return this.server.callback.then((callbackURL) => client.getIDToken(callbackURL));
+    }
+}
+// Re-export for convenience
+export { CallbackServer } from "./server";
+export { OAuthClient, initializeOAuthClient } from "./client";
+//# sourceMappingURL=index.js.map

package/dist/sigstore/oauth/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/sigstore/oauth/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,qBAAqB,EAAE,MAAM,UAAU,CAAC;AACjD,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAE1C,oCAAoC;AACpC,MAAM,CAAC,MAAM,qBAAqB,GAAG,kCAAkC,CAAC;AAExE,uCAAuC;AACvC,MAAM,CAAC,MAAM,kBAAkB,GAAG,UAAU,CAAC;AAoB7C;;;GAGG;AACH,MAAM,OAAO,qBAAqB;IACxB,MAAM,CAAiB;IACvB,MAAM,CAAS;IACf,QAAQ,CAAS;IACjB,YAAY,CAAqB;IAEzC,YAAY,UAAwC,EAAE;QACpD,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,qBAAqB,CAAC;QACtD,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,kBAAkB,CAAC;QACvD,IAAI,CAAC,YAAY,GAAG,OAAO,CAAC,YAAY,CAAC;QAEzC,IAAI,UAA8C,CAAC;QACnD,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;YACzC,UAAU,GAAG,EAAE,QAAQ,EAAE,GAAG,CAAC,QAAQ,EAAE,IAAI,EAAE,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;QAClE,CAAC;aAAM,CAAC;YACN,+BAA+B;YAC/B,UAAU,GAAG,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;QAClD,CAAC;QAED,IAAI,CAAC,MAAM,GAAG,IAAI,cAAc,CAAC,UAAU,CAAC,CAAC;IAC/C,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,QAAQ;QACnB,yCAAyC;QACzC,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QAE5C,wDAAwD;QACxD,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC;YACzC,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,WAAW,EAAE,SAAS;YACtB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,YAAY,EAAE,IAAI,CAAC,YAAY;SAChC,CAAC,CAAC;QAEH,mCAAmC;QACnC,MAAM,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC;QAEpC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;QAED,wDAAwD;QACxD,OAAO,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,CAAC,CAAC;IACpF,CAAC;CACF;AAED,4BAA4B;AAC5B,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAC1C,OAAO,EAAE,WAAW,EAAE,qBAAqB,EAAE,MAAM,UAAU,CAAC"}

package/dist/sigstore/oauth/server.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+/**
+ * OAuth Callback Server
+ *
+ * A simple HTTP server that receives the OAuth redirect callback
+ * after the user authenticates in their browser.
+ */
+interface CallbackServerOptions {
+    port: number;
+    hostname: string;
+}
+/**
+ * CallbackServer is a simple HTTP server which receives the OAuth
+ * redirect from the OAuth provider after the user signs-in. It will shutdown
+ * once the callback is received and the callback promise will resolve with
+ * the URL of the incoming request.
+ */
+export declare class CallbackServer {
+    private server;
+    private sockets;
+    private port;
+    private hostname;
+    callback: Promise<string> | undefined;
+    constructor(options: CallbackServerOptions);
+    start(): Promise<string>;
+    shutdown(): Promise<void>;
+    private serverURL;
+}
+export {};
+//# sourceMappingURL=server.d.ts.map

package/dist/sigstore/oauth/server.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../../src/sigstore/oauth/server.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAKH,UAAU,qBAAqB;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;GAKG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,MAAM,CAAc;IAC5B,OAAO,CAAC,OAAO,CAAc;IAC7B,OAAO,CAAC,IAAI,CAAS;IACrB,OAAO,CAAC,QAAQ,CAAS;IAElB,QAAQ,EAAE,OAAO,CAAC,MAAM,CAAC,GAAG,SAAS,CAAC;gBAEjC,OAAO,EAAE,qBAAqB;IAOpC,KAAK,IAAI,OAAO,CAAC,MAAM,CAAC;IA4BjB,QAAQ,IAAI,OAAO,CAAC,IAAI,CAAC;IAWtC,OAAO,CAAC,SAAS;CAWlB"}

package/dist/sigstore/oauth/server.js ADDED Viewed

@@ -0,0 +1,145 @@
+/**
+ * OAuth Callback Server
+ *
+ * A simple HTTP server that receives the OAuth redirect callback
+ * after the user authenticates in their browser.
+ */
+import http from "node:http";
+/**
+ * CallbackServer is a simple HTTP server which receives the OAuth
+ * redirect from the OAuth provider after the user signs-in. It will shutdown
+ * once the callback is received and the callback promise will resolve with
+ * the URL of the incoming request.
+ */
+export class CallbackServer {
+    server;
+    sockets;
+    port;
+    hostname;
+    callback;
+    constructor(options) {
+        this.server = http.createServer();
+        this.sockets = new Set();
+        this.port = options.port;
+        this.hostname = options.hostname;
+    }
+    async start() {
+        await new Promise((resolve) => {
+            this.server.listen(this.port, this.hostname, resolve);
+        });
+        // Keep track of connections so we can force a shutdown
+        this.server.on("connection", (socket) => {
+            this.sockets.add(socket);
+            socket.on("close", () => {
+                this.sockets.delete(socket);
+            });
+        });
+        // The callback will resolve with the incoming request URL
+        this.callback = new Promise((resolve) => {
+            this.server.on("request", ({ url }, res) => {
+                res.writeHead(200, { "Content-Type": "text/html" });
+                res.end(AUTH_SUCCESS_HTML);
+                // Shutdown the server and resolve the callback promise
+                this.shutdown().then(() => resolve(url));
+            });
+        });
+        // Calculate and return the URL which can be used to reach the server
+        return this.serverURL(this.server);
+    }
+    async shutdown() {
+        // Destroy all sockets and close the server
+        return new Promise((resolve) => {
+            for (const socket of this.sockets) {
+                socket.destroy();
+                this.sockets.delete(socket);
+            }
+            this.server.close(() => resolve());
+        });
+    }
+    serverURL(server) {
+        const address = server.address();
+        if (address === null) {
+            throw new Error("invalid server config: address is null");
+        }
+        if (typeof address === "string") {
+            throw new Error("invalid server config: address is a string");
+        }
+        return `http://${this.hostname}:${address.port}`;
+    }
+}
+// Success HTML page shown after authentication
+const AUTH_SUCCESS_HTML = `
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Enact - Authentication Successful</title>
+    <style>
+      :root { font-family: system-ui, -apple-system, sans-serif; }
+      body {
+        display: flex;
+        justify-content: center;
+        align-items: center;
+        min-height: 100vh;
+        margin: 0;
+        background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+      }
+      .container {
+        background: white;
+        padding: 3rem;
+        border-radius: 1rem;
+        box-shadow: 0 20px 25px -5px rgba(0, 0, 0, 0.1);
+        text-align: center;
+        max-width: 400px;
+      }
+      .checkmark {
+        width: 80px;
+        height: 80px;
+        margin: 0 auto 1.5rem;
+        background: #10b981;
+        border-radius: 50%;
+        display: flex;
+        align-items: center;
+        justify-content: center;
+      }
+      .checkmark svg {
+        width: 40px;
+        height: 40px;
+        stroke: white;
+        stroke-width: 3;
+        fill: none;
+      }
+      h1 {
+        color: #1f2937;
+        margin: 0 0 0.5rem;
+        font-size: 1.5rem;
+      }
+      p {
+        color: #6b7280;
+        margin: 0;
+        font-size: 1rem;
+      }
+      .brand {
+        margin-top: 2rem;
+        color: #9ca3af;
+        font-size: 0.875rem;
+      }
+      .brand strong {
+        color: #667eea;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="container">
+      <div class="checkmark">
+        <svg viewBox="0 0 24 24">
+          <polyline points="20 6 9 17 4 12"></polyline>
+        </svg>
+      </div>
+      <h1>Authentication Successful!</h1>
+      <p>You may now close this window and return to your terminal.</p>
+      <p class="brand">Signed with <strong>Sigstore</strong> via <strong>Enact</strong></p>
+    </div>
+  </body>
+</html>
+`;
+//# sourceMappingURL=server.js.map

package/dist/sigstore/oauth/server.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"server.js","sourceRoot":"","sources":["../../../src/sigstore/oauth/server.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,IAAI,MAAM,WAAW,CAAC;AAQ7B;;;;;GAKG;AACH,MAAM,OAAO,cAAc;IACjB,MAAM,CAAc;IACpB,OAAO,CAAc;IACrB,IAAI,CAAS;IACb,QAAQ,CAAS;IAElB,QAAQ,CAA8B;IAE7C,YAAY,OAA8B;QACxC,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,YAAY,EAAE,CAAC;QAClC,IAAI,CAAC,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;QACjC,IAAI,CAAC,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;QACzB,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,KAAK;QACT,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;YAClC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QACxD,CAAC,CAAC,CAAC;QAEH,uDAAuD;QACvD,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,YAAY,EAAE,CAAC,MAAM,EAAE,EAAE;YACtC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;YACzB,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE;gBACtB,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAC9B,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,0DAA0D;QAC1D,IAAI,CAAC,QAAQ,GAAG,IAAI,OAAO,CAAS,CAAC,OAAO,EAAE,EAAE;YAC9C,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,SAAS,EAAE,CAAC,EAAE,GAAG,EAAE,EAAE,GAAG,EAAE,EAAE;gBACzC,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,WAAW,EAAE,CAAC,CAAC;gBACpD,GAAG,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;gBAE3B,uDAAuD;gBACvD,IAAI,CAAC,QAAQ,EAAE,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,GAAI,CAAC,CAAC,CAAC;YAC5C,CAAC,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;QAEH,qEAAqE;QACrE,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IACrC,CAAC;IAEM,KAAK,CAAC,QAAQ;QACnB,2CAA2C;QAC3C,OAAO,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;YACnC,KAAK,MAAM,MAAM,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;gBAClC,MAAM,CAAC,OAAO,EAAE,CAAC;gBACjB,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAC9B,CAAC;YACD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,SAAS,CAAC,MAAmB;QACnC,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;QACjC,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;YACrB,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;QACD,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;YAChC,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAChE,CAAC;QAED,OAAO,UAAU,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;IACnD,CAAC;CACF;AAED,+CAA+C;AAC/C,MAAM,iBAAiB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAyEzB,CAAC"}

package/dist/sigstore/policy.d.ts ADDED Viewed

@@ -0,0 +1,85 @@
+/**
+ * Trust policy evaluation module
+ *
+ * This module provides functions for creating and evaluating trust policies
+ * that determine whether an artifact should be trusted based on its attestations.
+ */
+import type { SigstoreBundle, TrustPolicy, TrustPolicyResult, TrustedIdentityRule } from "./types";
+/**
+ * Default trust policy - requires publisher attestation
+ */
+export declare const DEFAULT_TRUST_POLICY: TrustPolicy;
+/**
+ * Permissive policy - allows unsigned tools (for development)
+ */
+export declare const PERMISSIVE_POLICY: TrustPolicy;
+/**
+ * Strict policy - requires publisher + auditor attestations and SLSA level 2+
+ */
+export declare const STRICT_POLICY: TrustPolicy;
+/**
+ * Create a trust policy
+ *
+ * @param options - Policy options
+ * @returns The trust policy
+ *
+ * @example
+ * ```ts
+ * const policy = createTrustPolicy({
+ *   name: "my-org-policy",
+ *   trustedPublishers: [
+ *     { name: "My Team", type: "email", pattern: "*@myorg.com" }
+ *   ],
+ *   minimumSLSALevel: 1
+ * });
+ * ```
+ */
+export declare function createTrustPolicy(options: Partial<TrustPolicy> & {
+    name: string;
+}): TrustPolicy;
+/**
+ * Create a trusted identity rule
+ *
+ * @param name - Rule name
+ * @param type - Identity type
+ * @param pattern - Pattern to match
+ * @param options - Additional options
+ * @returns The identity rule
+ */
+export declare function createIdentityRule(name: string, type: TrustedIdentityRule["type"], pattern: string, options?: {
+    issuer?: string;
+    requiredClaims?: Record<string, string | string[]>;
+}): TrustedIdentityRule;
+/**
+ * Evaluate trust policy for a set of attestations
+ *
+ * @param attestationBundles - Array of Sigstore bundles containing attestations
+ * @param policy - The trust policy to evaluate against
+ * @returns The trust policy evaluation result
+ *
+ * @example
+ * ```ts
+ * const result = await evaluateTrustPolicy(bundles, myPolicy);
+ * if (result.trusted) {
+ *   console.log(`Trusted at level ${result.trustLevel}`);
+ * }
+ * ```
+ */
+export declare function evaluateTrustPolicy(attestationBundles: SigstoreBundle[], policy: TrustPolicy): Promise<TrustPolicyResult>;
+/**
+ * Quick check if an artifact should be trusted
+ *
+ * @param attestationBundles - Array of Sigstore bundles
+ * @param policy - Trust policy (defaults to DEFAULT_TRUST_POLICY)
+ * @returns True if artifact is trusted
+ */
+export declare function isTrusted(attestationBundles: SigstoreBundle[], policy?: TrustPolicy): Promise<boolean>;
+/**
+ * Serialize a trust policy to JSON
+ */
+export declare function serializeTrustPolicy(policy: TrustPolicy): string;
+/**
+ * Deserialize a trust policy from JSON
+ */
+export declare function deserializeTrustPolicy(json: string): TrustPolicy;
+//# sourceMappingURL=policy.d.ts.map

package/dist/sigstore/policy.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"policy.d.ts","sourceRoot":"","sources":["../../src/sigstore/policy.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAGV,cAAc,EACd,WAAW,EACX,iBAAiB,EACjB,mBAAmB,EAEpB,MAAM,SAAS,CAAC;AAOjB;;GAEG;AACH,eAAO,MAAM,oBAAoB,EAAE,WASlC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,iBAAiB,EAAE,WAS/B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,aAAa,EAAE,WAS3B,CAAC;AAMF;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,OAAO,CAAC,WAAW,CAAC,GAAG;IAAE,IAAI,EAAE,MAAM,CAAA;CAAE,GAAG,WAAW,CAM/F;AAED;;;;;;;;GAQG;AACH,wBAAgB,kBAAkB,CAChC,IAAI,EAAE,MAAM,EACZ,IAAI,EAAE,mBAAmB,CAAC,MAAM,CAAC,EACjC,OAAO,EAAE,MAAM,EACf,OAAO,GAAE;IAAE,MAAM,CAAC,EAAE,MAAM,CAAC;IAAC,cAAc,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC,CAAA;CAAO,GACpF,mBAAmB,CAgBrB;AAMD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,mBAAmB,CACvC,kBAAkB,EAAE,cAAc,EAAE,EACpC,MAAM,EAAE,WAAW,GAClB,OAAO,CAAC,iBAAiB,CAAC,CAqI5B;AAED;;;;;;GAMG;AACH,wBAAsB,SAAS,CAC7B,kBAAkB,EAAE,cAAc,EAAE,EACpC,MAAM,GAAE,WAAkC,GACzC,OAAO,CAAC,OAAO,CAAC,CAGlB;AA0HD;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,WAAW,GAAG,MAAM,CAEhE;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,IAAI,EAAE,MAAM,GAAG,WAAW,CAoBhE"}