@enactprotocol/trust 2.1.15 → 2.1.20

package/dist/index.d.ts

@@ -6,6 +6,8 @@
  */
 export declare const version = "0.1.0";
 export { hashContent, hashBuffer, hashFile } from "./hash";
+export { createChecksumManifest, computeManifestHash, verifyChecksumManifest, verifyManifestAttestation, parseChecksumManifest, serializeChecksumManifest, MANIFEST_VERSION, } from "./manifest";
+export type { ChecksumManifest, FileChecksum, CreateManifestOptions, ManifestVerificationResult, ManifestAttestationVerificationResult, } from "./manifest";
 export { generateKeyPair, isValidPEMKey, getKeyTypeFromPEM } from "./keys";
 export * from "./sigstore";
 export type { HashAlgorithm, HashResult, FileHashOptions, KeyType, KeyFormat, KeyPair, KeyGenerationOptions, } from "./types";

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,eAAO,MAAM,OAAO,UAAU,CAAC;AAG/B,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAG3D,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,QAAQ,CAAC;AAG3E,cAAc,YAAY,CAAC;AAG3B,YAAY,EACV,aAAa,EACb,UAAU,EACV,eAAe,EACf,OAAO,EACP,SAAS,EACT,OAAO,EACP,oBAAoB,GACrB,MAAM,SAAS,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,eAAO,MAAM,OAAO,UAAU,CAAC;AAG/B,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAG3D,OAAO,EACL,sBAAsB,EACtB,mBAAmB,EACnB,sBAAsB,EACtB,yBAAyB,EACzB,qBAAqB,EACrB,yBAAyB,EACzB,gBAAgB,GACjB,MAAM,YAAY,CAAC;AACpB,YAAY,EACV,gBAAgB,EAChB,YAAY,EACZ,qBAAqB,EACrB,0BAA0B,EAC1B,qCAAqC,GACtC,MAAM,YAAY,CAAC;AAGpB,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,QAAQ,CAAC;AAG3E,cAAc,YAAY,CAAC;AAG3B,YAAY,EACV,aAAa,EACb,UAAU,EACV,eAAe,EACf,OAAO,EACP,SAAS,EACT,OAAO,EACP,oBAAoB,GACrB,MAAM,SAAS,CAAC"}

package/dist/index.js

@@ -7,6 +7,8 @@
 export const version = "0.1.0";
 // Hash utilities
 export { hashContent, hashBuffer, hashFile } from "./hash";
+// Checksum manifest (for deterministic signing)
+export { createChecksumManifest, computeManifestHash, verifyChecksumManifest, verifyManifestAttestation, parseChecksumManifest, serializeChecksumManifest, MANIFEST_VERSION, } from "./manifest";
 // Key management
 export { generateKeyPair, isValidPEMKey, getKeyTypeFromPEM } from "./keys";
 // Sigstore integration (attestation signing, verification, trust policies)

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC;AAE/B,iBAAiB;AACjB,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAE3D,iBAAiB;AACjB,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,QAAQ,CAAC;AAE3E,2EAA2E;AAC3E,cAAc,YAAY,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC;AAE/B,iBAAiB;AACjB,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAE3D,gDAAgD;AAChD,OAAO,EACL,sBAAsB,EACtB,mBAAmB,EACnB,sBAAsB,EACtB,yBAAyB,EACzB,qBAAqB,EACrB,yBAAyB,EACzB,gBAAgB,GACjB,MAAM,YAAY,CAAC;AASpB,iBAAiB;AACjB,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,QAAQ,CAAC;AAE3E,2EAA2E;AAC3E,cAAc,YAAY,CAAC"}

package/dist/manifest.d.ts

@@ -0,0 +1,181 @@
+/**
+ * Checksum manifest creation and verification
+ *
+ * Creates deterministic manifests of file checksums for signing.
+ * This enables pre-publish signing by avoiding tar.gz non-determinism.
+ *
+ * Based on recommendation from Bob Callaway (Google Sigstore team):
+ * "Most folks would just create and sign a manifest of checksums."
+ */
+import type { HashResult } from "./types";
+/**
+ * Checksum manifest version
+ */
+export declare const MANIFEST_VERSION: "1.0";
+/**
+ * Individual file checksum entry
+ */
+export interface FileChecksum {
+    /** Relative path from tool root (always uses forward slashes) */
+    path: string;
+    /** SHA-256 hash of file contents */
+    sha256: string;
+    /** File size in bytes */
+    size: number;
+}
+/**
+ * Complete checksum manifest for a tool
+ */
+export interface ChecksumManifest {
+    /** Manifest format version */
+    version: typeof MANIFEST_VERSION;
+    /** Tool metadata */
+    tool: {
+        /** Tool name (e.g., "author/tool-name") */
+        name: string;
+        /** Tool version (e.g., "1.0.0") */
+        version: string;
+    };
+    /** Array of file checksums, sorted by path */
+    files: FileChecksum[];
+    /** Hash of the manifest itself (for signing) */
+    manifestHash: {
+        algorithm: "sha256";
+        digest: string;
+    };
+}
+/**
+ * Options for creating a checksum manifest
+ */
+export interface CreateManifestOptions {
+    /** Patterns to ignore (glob-style, relative to tool root) */
+    ignorePatterns?: string[] | undefined;
+    /** Progress callback for each file processed */
+    onProgress?: ((file: string) => void) | undefined;
+}
+/**
+ * Result of manifest verification
+ */
+export interface ManifestVerificationResult {
+    /** Whether all files match the manifest */
+    valid: boolean;
+    /** Error messages if verification failed */
+    errors?: string[] | undefined;
+    /** Files in manifest but missing from directory */
+    missingFiles?: string[] | undefined;
+    /** Files that exist but have different hashes */
+    modifiedFiles?: string[] | undefined;
+    /** Files in directory but not in manifest */
+    extraFiles?: string[] | undefined;
+}
+/**
+ * Create a checksum manifest for a tool directory
+ *
+ * Scans all files in the directory, computes SHA-256 hashes,
+ * and creates a manifest suitable for signing.
+ *
+ * @param toolDir - Path to the tool directory
+ * @param toolName - Tool name (e.g., "author/tool-name")
+ * @param toolVersion - Tool version (e.g., "1.0.0")
+ * @param options - Optional settings for ignore patterns and progress
+ * @returns Complete checksum manifest ready for signing
+ *
+ * @example
+ * ```ts
+ * const manifest = await createChecksumManifest(
+ *   "./my-tool",
+ *   "alice/my-tool",
+ *   "1.0.0",
+ *   { onProgress: (file) => console.log(`Hashing: ${file}`) }
+ * );
+ * ```
+ */
+export declare function createChecksumManifest(toolDir: string, toolName: string, toolVersion: string, options?: CreateManifestOptions): Promise<ChecksumManifest>;
+/**
+ * Compute the canonical hash of a manifest (for signing)
+ *
+ * Creates a deterministic hash by:
+ * 1. Excluding the manifestHash field itself
+ * 2. Using canonical JSON (sorted keys, no whitespace)
+ * 3. Computing SHA-256
+ *
+ * @param manifest - The manifest to hash (manifestHash field is ignored)
+ * @returns Hash result with algorithm and digest
+ */
+export declare function computeManifestHash(manifest: Omit<ChecksumManifest, "manifestHash"> | ChecksumManifest): HashResult;
+/**
+ * Verify that files in a directory match a checksum manifest
+ *
+ * @param toolDir - Path to the tool directory
+ * @param manifest - The manifest to verify against
+ * @param options - Optional settings for ignore patterns
+ * @returns Verification result with details on any mismatches
+ *
+ * @example
+ * ```ts
+ * const result = await verifyChecksumManifest("./my-tool", manifest);
+ * if (!result.valid) {
+ *   console.error("Verification failed:", result.errors);
+ * }
+ * ```
+ */
+export declare function verifyChecksumManifest(toolDir: string, manifest: ChecksumManifest, options?: {
+    ignorePatterns?: string[];
+}): Promise<ManifestVerificationResult>;
+/**
+ * Parse a checksum manifest from JSON string
+ *
+ * @param json - JSON string containing the manifest
+ * @returns Parsed manifest
+ * @throws Error if JSON is invalid or manifest structure is wrong
+ */
+export declare function parseChecksumManifest(json: string): ChecksumManifest;
+/**
+ * Serialize a checksum manifest to JSON string (pretty-printed for storage)
+ *
+ * @param manifest - The manifest to serialize
+ * @returns Pretty-printed JSON string
+ */
+export declare function serializeChecksumManifest(manifest: ChecksumManifest): string;
+/**
+ * Result of verifying a manifest attestation
+ */
+export interface ManifestAttestationVerificationResult {
+    /** Whether the attestation is valid */
+    valid: boolean;
+    /** The auditor identity (email) from the certificate */
+    auditor?: string | undefined;
+    /** The OIDC provider used for signing */
+    provider?: string | undefined;
+    /** Error message if verification failed */
+    error?: string | undefined;
+    /** Detailed verification results */
+    details?: {
+        /** Whether the Sigstore bundle was verified */
+        bundleVerified: boolean;
+        /** Whether the manifest hash matches what was signed */
+        manifestHashMatches: boolean;
+        /** Whether the manifest matches the current files */
+        manifestMatchesFiles?: boolean | undefined;
+    } | undefined;
+}
+/**
+ * Verify a manifest-based attestation
+ *
+ * This verifies that:
+ * 1. The Sigstore bundle is valid
+ * 2. The bundle was signed over the manifest hash
+ * 3. Optionally, the manifest matches the current files on disk
+ *
+ * @param manifest - The checksum manifest that was signed
+ * @param sigstoreBundle - The Sigstore bundle containing the signature
+ * @param options - Verification options
+ * @returns Verification result
+ */
+export declare function verifyManifestAttestation(manifest: ChecksumManifest, sigstoreBundle: unknown, options?: {
+    /** If provided, also verify manifest matches files in this directory */
+    toolDir?: string | undefined;
+    /** Additional patterns to ignore when verifying against directory */
+    ignorePatterns?: string[] | undefined;
+}): Promise<ManifestAttestationVerificationResult>;
+//# sourceMappingURL=manifest.d.ts.map

package/dist/manifest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.d.ts","sourceRoot":"","sources":["../src/manifest.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAM1C;;GAEG;AACH,eAAO,MAAM,gBAAgB,EAAG,KAAc,CAAC;AAE/C;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,iEAAiE;IACjE,IAAI,EAAE,MAAM,CAAC;IACb,oCAAoC;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,yBAAyB;IACzB,IAAI,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,8BAA8B;IAC9B,OAAO,EAAE,OAAO,gBAAgB,CAAC;IACjC,oBAAoB;IACpB,IAAI,EAAE;QACJ,2CAA2C;QAC3C,IAAI,EAAE,MAAM,CAAC;QACb,mCAAmC;QACnC,OAAO,EAAE,MAAM,CAAC;KACjB,CAAC;IACF,8CAA8C;IAC9C,KAAK,EAAE,YAAY,EAAE,CAAC;IACtB,gDAAgD;IAChD,YAAY,EAAE;QACZ,SAAS,EAAE,QAAQ,CAAC;QACpB,MAAM,EAAE,MAAM,CAAC;KAChB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,6DAA6D;IAC7D,cAAc,CAAC,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC;IACtC,gDAAgD;IAChD,UAAU,CAAC,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAC,GAAG,SAAS,CAAC;CACnD;AAED;;GAEG;AACH,MAAM,WAAW,0BAA0B;IACzC,2CAA2C;IAC3C,KAAK,EAAE,OAAO,CAAC;IACf,4CAA4C;IAC5C,MAAM,CAAC,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC;IAC9B,mDAAmD;IACnD,YAAY,CAAC,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC;IACpC,iDAAiD;IACjD,aAAa,CAAC,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC;IACrC,6CAA6C;IAC7C,UAAU,CAAC,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC;CACnC;AAkJD;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE,qBAA0B,GAClC,OAAO,CAAC,gBAAgB,CAAC,CAsD3B;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,IAAI,CAAC,gBAAgB,EAAE,cAAc,CAAC,GAAG,gBAAgB,GAClE,UAAU,CAOZ;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,gBAAgB,EAC1B,OAAO,GAAE;IAAE,cAAc,CAAC,EAAE,MAAM,EAAE,CAAA;CAAO,GAC1C,OAAO,CAAC,0BAA0B,CAAC,CA8DrC;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,MAAM,GAAG,gBAAgB,CAuBpE;AAED;;;;;GAKG;AACH,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,gBAAgB,GAAG,MAAM,CAE5E;AAMD;;GAEG;AACH,MAAM,WAAW,qCAAqC;IACpD,uCAAuC;IACvC,KAAK,EAAE,OAAO,CAAC;IACf,wDAAwD;IACxD,OAAO,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,yCAAyC;IACzC,QAAQ,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B,2CAA2C;IAC3C,KAAK,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC3B,oCAAoC;IACpC,OAAO,CAAC,EACJ;QACE,+CAA+C;QAC/C,cAAc,EAAE,OAAO,CAAC;QACxB,wDAAwD;QACxD,mBAAmB,EAAE,OAAO,CAAC;QAC7B,qDAAqD;QACrD,oBAAoB,CAAC,EAAE,OAAO,GAAG,SAAS,CAAC;KAC5C,GACD,SAAS,CAAC;CACf;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,yBAAyB,CAC7C,QAAQ,EAAE,gBAAgB,EAC1B,cAAc,EAAE,OAAO,EACvB,OAAO,GAAE;IACP,wEAAwE;IACxE,OAAO,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,qEAAqE;IACrE,cAAc,CAAC,EAAE,MAAM,EAAE,GAAG,SAAS,CAAC;CAClC,GACL,OAAO,CAAC,qCAAqC,CAAC,CA4EhD"}

package/dist/manifest.js

@@ -0,0 +1,402 @@
+/**
+ * Checksum manifest creation and verification
+ *
+ * Creates deterministic manifests of file checksums for signing.
+ * This enables pre-publish signing by avoiding tar.gz non-determinism.
+ *
+ * Based on recommendation from Bob Callaway (Google Sigstore team):
+ * "Most folks would just create and sign a manifest of checksums."
+ */
+import { readdirSync, statSync } from "node:fs";
+import { join, posix, relative, sep } from "node:path";
+import { hashContent, hashFile } from "./hash";
+// ============================================================================
+// Types
+// ============================================================================
+/**
+ * Checksum manifest version
+ */
+export const MANIFEST_VERSION = "1.0";
+// ============================================================================
+// Default Ignore Patterns
+// ============================================================================
+/**
+ * Files that should always be ignored when creating manifests
+ */
+const ALWAYS_IGNORE = [
+    // Manifest artifacts (we're creating these)
+    ".enact-manifest.json",
+    ".sigstore-bundle.json",
+    // Version control
+    ".git",
+    ".gitignore",
+    ".gitattributes",
+    // OS artifacts
+    ".DS_Store",
+    "Thumbs.db",
+    // IDE/Editor
+    ".vscode",
+    ".idea",
+    "*.swp",
+    "*.swo",
+    // Dependencies (should be installed, not bundled)
+    "node_modules",
+    "__pycache__",
+    ".pytest_cache",
+    "*.pyc",
+    "*.pyo",
+    // Build artifacts
+    "dist",
+    "build",
+    ".next",
+    // Logs
+    "*.log",
+    "npm-debug.log*",
+];
+// ============================================================================
+// Helper Functions
+// ============================================================================
+/**
+ * Check if a path should be ignored
+ */
+function shouldIgnore(relativePath, fileName, customPatterns = []) {
+    const allPatterns = [...ALWAYS_IGNORE, ...customPatterns];
+    for (const pattern of allPatterns) {
+        // Exact match
+        if (pattern === fileName || pattern === relativePath) {
+            return true;
+        }
+        // Glob pattern matching (simplified)
+        if (pattern.startsWith("*")) {
+            const suffix = pattern.slice(1);
+            if (fileName.endsWith(suffix) || relativePath.endsWith(suffix)) {
+                return true;
+            }
+        }
+        // Directory pattern (pattern without extension matches directories)
+        if (!pattern.includes(".") && !pattern.includes("*")) {
+            if (relativePath.startsWith(`${pattern}/`) || relativePath === pattern) {
+                return true;
+            }
+        }
+    }
+    return false;
+}
+/**
+ * Normalize path to use forward slashes (for cross-platform consistency)
+ */
+function normalizePath(filePath) {
+    return filePath.split(sep).join(posix.sep);
+}
+/**
+ * Recursively collect all files in a directory
+ */
+function collectFiles(dir, baseDir, ignorePatterns, files = []) {
+    const entries = readdirSync(dir, { withFileTypes: true });
+    for (const entry of entries) {
+        const fullPath = join(dir, entry.name);
+        const relativePath = normalizePath(relative(baseDir, fullPath));
+        // Check if should be ignored
+        if (shouldIgnore(relativePath, entry.name, ignorePatterns)) {
+            continue;
+        }
+        if (entry.isDirectory()) {
+            collectFiles(fullPath, baseDir, ignorePatterns, files);
+        }
+        else if (entry.isFile()) {
+            files.push(fullPath);
+        }
+        // Skip symlinks and other special files
+    }
+    return files;
+}
+/**
+ * Create canonical JSON string for hashing
+ *
+ * - Sorts object keys recursively
+ * - No whitespace (minified)
+ * - Consistent output across platforms
+ */
+function canonicalJSON(obj) {
+    if (obj === null || typeof obj !== "object") {
+        return JSON.stringify(obj);
+    }
+    if (Array.isArray(obj)) {
+        return `[${obj.map(canonicalJSON).join(",")}]`;
+    }
+    // Sort keys and recursively process
+    const sortedKeys = Object.keys(obj).sort();
+    const pairs = sortedKeys.map((key) => `${JSON.stringify(key)}:${canonicalJSON(obj[key])}`);
+    return `{${pairs.join(",")}}`;
+}
+// ============================================================================
+// Main Functions
+// ============================================================================
+/**
+ * Create a checksum manifest for a tool directory
+ *
+ * Scans all files in the directory, computes SHA-256 hashes,
+ * and creates a manifest suitable for signing.
+ *
+ * @param toolDir - Path to the tool directory
+ * @param toolName - Tool name (e.g., "author/tool-name")
+ * @param toolVersion - Tool version (e.g., "1.0.0")
+ * @param options - Optional settings for ignore patterns and progress
+ * @returns Complete checksum manifest ready for signing
+ *
+ * @example
+ * ```ts
+ * const manifest = await createChecksumManifest(
+ *   "./my-tool",
+ *   "alice/my-tool",
+ *   "1.0.0",
+ *   { onProgress: (file) => console.log(`Hashing: ${file}`) }
+ * );
+ * ```
+ */
+export async function createChecksumManifest(toolDir, toolName, toolVersion, options = {}) {
+    const { ignorePatterns = [], onProgress } = options;
+    // Collect all files
+    const filePaths = collectFiles(toolDir, toolDir, ignorePatterns);
+    // Hash each file
+    const fileChecksums = [];
+    for (const filePath of filePaths) {
+        const relativePath = normalizePath(relative(toolDir, filePath));
+        if (onProgress) {
+            onProgress(relativePath);
+        }
+        const stats = statSync(filePath);
+        const hashResult = await hashFile(filePath);
+        fileChecksums.push({
+            path: relativePath,
+            sha256: hashResult.digest,
+            size: stats.size,
+        });
+    }
+    // Sort by path for deterministic ordering (using simple string comparison)
+    fileChecksums.sort((a, b) => {
+        if (a.path < b.path)
+            return -1;
+        if (a.path > b.path)
+            return 1;
+        return 0;
+    });
+    // Create manifest without the hash first
+    const manifestWithoutHash = {
+        version: MANIFEST_VERSION,
+        tool: {
+            name: toolName,
+            version: toolVersion,
+        },
+        files: fileChecksums,
+    };
+    // Compute manifest hash from canonical JSON
+    const manifestHash = computeManifestHash(manifestWithoutHash);
+    // Return complete manifest
+    return {
+        ...manifestWithoutHash,
+        manifestHash: {
+            algorithm: "sha256",
+            digest: manifestHash.digest,
+        },
+    };
+}
+/**
+ * Compute the canonical hash of a manifest (for signing)
+ *
+ * Creates a deterministic hash by:
+ * 1. Excluding the manifestHash field itself
+ * 2. Using canonical JSON (sorted keys, no whitespace)
+ * 3. Computing SHA-256
+ *
+ * @param manifest - The manifest to hash (manifestHash field is ignored)
+ * @returns Hash result with algorithm and digest
+ */
+export function computeManifestHash(manifest) {
+    // Create a copy without manifestHash
+    const { manifestHash: _, ...manifestWithoutHash } = manifest;
+    // Compute canonical JSON and hash
+    const canonical = canonicalJSON(manifestWithoutHash);
+    return hashContent(canonical, "sha256");
+}
+/**
+ * Verify that files in a directory match a checksum manifest
+ *
+ * @param toolDir - Path to the tool directory
+ * @param manifest - The manifest to verify against
+ * @param options - Optional settings for ignore patterns
+ * @returns Verification result with details on any mismatches
+ *
+ * @example
+ * ```ts
+ * const result = await verifyChecksumManifest("./my-tool", manifest);
+ * if (!result.valid) {
+ *   console.error("Verification failed:", result.errors);
+ * }
+ * ```
+ */
+export async function verifyChecksumManifest(toolDir, manifest, options = {}) {
+    const { ignorePatterns = [] } = options;
+    const errors = [];
+    const missingFiles = [];
+    const modifiedFiles = [];
+    const extraFiles = [];
+    // First, verify the manifest hash itself
+    const computedHash = computeManifestHash(manifest);
+    if (computedHash.digest !== manifest.manifestHash.digest) {
+        errors.push(`Manifest hash mismatch: expected ${manifest.manifestHash.digest}, got ${computedHash.digest}`);
+    }
+    // Collect current files in directory
+    const currentFilePaths = collectFiles(toolDir, toolDir, ignorePatterns);
+    const currentFiles = new Set(currentFilePaths.map((fp) => normalizePath(relative(toolDir, fp))));
+    // Check each file in manifest
+    const manifestFiles = new Set();
+    for (const fileEntry of manifest.files) {
+        manifestFiles.add(fileEntry.path);
+        const fullPath = join(toolDir, fileEntry.path);
+        // Check if file exists
+        if (!currentFiles.has(fileEntry.path)) {
+            missingFiles.push(fileEntry.path);
+            errors.push(`Missing file: ${fileEntry.path}`);
+            continue;
+        }
+        // Check hash
+        try {
+            const hashResult = await hashFile(fullPath);
+            if (hashResult.digest !== fileEntry.sha256) {
+                modifiedFiles.push(fileEntry.path);
+                errors.push(`Modified file: ${fileEntry.path} (expected ${fileEntry.sha256.slice(0, 12)}..., got ${hashResult.digest.slice(0, 12)}...)`);
+            }
+        }
+        catch (err) {
+            errors.push(`Failed to hash file ${fileEntry.path}: ${err}`);
+        }
+    }
+    // Check for extra files not in manifest
+    for (const currentFile of currentFiles) {
+        if (!manifestFiles.has(currentFile)) {
+            extraFiles.push(currentFile);
+            errors.push(`Extra file not in manifest: ${currentFile}`);
+        }
+    }
+    return {
+        valid: errors.length === 0,
+        errors: errors.length > 0 ? errors : undefined,
+        missingFiles: missingFiles.length > 0 ? missingFiles : undefined,
+        modifiedFiles: modifiedFiles.length > 0 ? modifiedFiles : undefined,
+        extraFiles: extraFiles.length > 0 ? extraFiles : undefined,
+    };
+}
+/**
+ * Parse a checksum manifest from JSON string
+ *
+ * @param json - JSON string containing the manifest
+ * @returns Parsed manifest
+ * @throws Error if JSON is invalid or manifest structure is wrong
+ */
+export function parseChecksumManifest(json) {
+    const parsed = JSON.parse(json);
+    // Validate structure
+    if (!parsed.version || parsed.version !== MANIFEST_VERSION) {
+        throw new Error(`Invalid manifest version: expected ${MANIFEST_VERSION}, got ${parsed.version}`);
+    }
+    if (!parsed.tool?.name || !parsed.tool?.version) {
+        throw new Error("Invalid manifest: missing tool name or version");
+    }
+    if (!Array.isArray(parsed.files)) {
+        throw new Error("Invalid manifest: files must be an array");
+    }
+    if (!parsed.manifestHash?.algorithm || !parsed.manifestHash?.digest) {
+        throw new Error("Invalid manifest: missing manifestHash");
+    }
+    return parsed;
+}
+/**
+ * Serialize a checksum manifest to JSON string (pretty-printed for storage)
+ *
+ * @param manifest - The manifest to serialize
+ * @returns Pretty-printed JSON string
+ */
+export function serializeChecksumManifest(manifest) {
+    return JSON.stringify(manifest, null, 2);
+}
+/**
+ * Verify a manifest-based attestation
+ *
+ * This verifies that:
+ * 1. The Sigstore bundle is valid
+ * 2. The bundle was signed over the manifest hash
+ * 3. Optionally, the manifest matches the current files on disk
+ *
+ * @param manifest - The checksum manifest that was signed
+ * @param sigstoreBundle - The Sigstore bundle containing the signature
+ * @param options - Verification options
+ * @returns Verification result
+ */
+export async function verifyManifestAttestation(manifest, sigstoreBundle, options = {}) {
+    // Dynamic import to avoid circular dependencies
+    const { verifyBundle, extractIdentityFromBundle } = await import("./sigstore");
+    try {
+        // Get the manifest hash that should have been signed
+        const expectedHash = manifest.manifestHash.digest;
+        // Convert hash to Buffer for verification
+        const hashBuffer = Buffer.from(expectedHash.match(/.{1,2}/g).map((byte) => Number.parseInt(byte, 16)));
+        // Cast the bundle to the expected type
+        const bundle = sigstoreBundle;
+        // Verify the Sigstore bundle
+        const bundleResult = await verifyBundle(bundle, hashBuffer);
+        if (!bundleResult.verified) {
+            return {
+                valid: false,
+                error: bundleResult.error ?? "Sigstore bundle verification failed",
+                details: {
+                    bundleVerified: false,
+                    manifestHashMatches: false,
+                },
+            };
+        }
+        // Extract identity from the bundle
+        const identity = extractIdentityFromBundle(bundle);
+        // If toolDir is provided, also verify manifest matches files
+        let manifestMatchesFiles;
+        if (options.toolDir) {
+            const ignoreOpts = options.ignorePatterns ? { ignorePatterns: options.ignorePatterns } : {};
+            const fileVerification = await verifyChecksumManifest(options.toolDir, manifest, ignoreOpts);
+            manifestMatchesFiles = fileVerification.valid;
+            if (!fileVerification.valid) {
+                return {
+                    valid: false,
+                    auditor: identity?.email ?? identity?.subject,
+                    provider: identity?.issuer,
+                    error: `Manifest does not match files: ${fileVerification.errors?.join(", ")}`,
+                    details: {
+                        bundleVerified: true,
+                        manifestHashMatches: true,
+                        manifestMatchesFiles: false,
+                    },
+                };
+            }
+        }
+        return {
+            valid: true,
+            auditor: identity?.email ?? identity?.subject,
+            provider: identity?.issuer,
+            details: {
+                bundleVerified: true,
+                manifestHashMatches: true,
+                manifestMatchesFiles,
+            },
+        };
+    }
+    catch (error) {
+        return {
+            valid: false,
+            error: `Verification failed: ${error.message}`,
+            details: {
+                bundleVerified: false,
+                manifestHashMatches: false,
+            },
+        };
+    }
+}
+//# sourceMappingURL=manifest.js.map

package/dist/manifest.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.js","sourceRoot":"","sources":["../src/manifest.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,SAAS,CAAC;AAChD,OAAO,EAAE,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,GAAG,EAAE,MAAM,WAAW,CAAC;AACvD,OAAO,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAG/C,+EAA+E;AAC/E,QAAQ;AACR,+EAA+E;AAE/E;;GAEG;AACH,MAAM,CAAC,MAAM,gBAAgB,GAAG,KAAc,CAAC;AA8D/C,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E;;GAEG;AACH,MAAM,aAAa,GAAG;IACpB,4CAA4C;IAC5C,sBAAsB;IACtB,uBAAuB;IACvB,kBAAkB;IAClB,MAAM;IACN,YAAY;IACZ,gBAAgB;IAChB,eAAe;IACf,WAAW;IACX,WAAW;IACX,aAAa;IACb,SAAS;IACT,OAAO;IACP,OAAO;IACP,OAAO;IACP,kDAAkD;IAClD,cAAc;IACd,aAAa;IACb,eAAe;IACf,OAAO;IACP,OAAO;IACP,kBAAkB;IAClB,MAAM;IACN,OAAO;IACP,OAAO;IACP,OAAO;IACP,OAAO;IACP,gBAAgB;CACjB,CAAC;AAEF,+EAA+E;AAC/E,mBAAmB;AACnB,+EAA+E;AAE/E;;GAEG;AACH,SAAS,YAAY,CACnB,YAAoB,EACpB,QAAgB,EAChB,iBAA2B,EAAE;IAE7B,MAAM,WAAW,GAAG,CAAC,GAAG,aAAa,EAAE,GAAG,cAAc,CAAC,CAAC;IAE1D,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE,CAAC;QAClC,cAAc;QACd,IAAI,OAAO,KAAK,QAAQ,IAAI,OAAO,KAAK,YAAY,EAAE,CAAC;YACrD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,qCAAqC;QACrC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YAC5B,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAChC,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;gBAC/D,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAED,oEAAoE;QACpE,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACrD,IAAI,YAAY,CAAC,UAAU,CAAC,GAAG,OAAO,GAAG,CAAC,IAAI,YAAY,KAAK,OAAO,EAAE,CAAC;gBACvE,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAS,aAAa,CAAC,QAAgB;IACrC,OAAO,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,SAAS,YAAY,CACnB,GAAW,EACX,OAAe,EACf,cAAwB,EACxB,QAAkB,EAAE;IAEpB,MAAM,OAAO,GAAG,WAAW,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IAE1D,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,YAAY,GAAG,aAAa,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;QAEhE,6BAA6B;QAC7B,IAAI,YAAY,CAAC,YAAY,EAAE,KAAK,CAAC,IAAI,EAAE,cAAc,CAAC,EAAE,CAAC;YAC3D,SAAS;QACX,CAAC;QAED,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,YAAY,CAAC,QAAQ,EAAE,OAAO,EAAE,cAAc,EAAE,KAAK,CAAC,CAAC;QACzD,CAAC;aAAM,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YAC1B,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QACvB,CAAC;QACD,wCAAwC;IAC1C,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;GAMG;AACH,SAAS,aAAa,CAAC,GAAY;IACjC,IAAI,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5C,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,IAAI,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;IACjD,CAAC;IAED,oCAAoC;IACpC,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;IAC3C,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAC1B,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,aAAa,CAAE,GAA+B,CAAC,GAAG,CAAC,CAAC,EAAE,CAC1F,CAAC;IAEF,OAAO,IAAI,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;AAChC,CAAC;AAED,+EAA+E;AAC/E,iBAAiB;AACjB,+EAA+E;AAE/E;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,OAAe,EACf,QAAgB,EAChB,WAAmB,EACnB,UAAiC,EAAE;IAEnC,MAAM,EAAE,cAAc,GAAG,EAAE,EAAE,UAAU,EAAE,GAAG,OAAO,CAAC;IAEpD,oBAAoB;IACpB,MAAM,SAAS,GAAG,YAAY,CAAC,OAAO,EAAE,OAAO,EAAE,cAAc,CAAC,CAAC;IAEjE,iBAAiB;IACjB,MAAM,aAAa,GAAmB,EAAE,CAAC;IAEzC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,MAAM,YAAY,GAAG,aAAa,CAAC,QAAQ,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;QAEhE,IAAI,UAAU,EAAE,CAAC;YACf,UAAU,CAAC,YAAY,CAAC,CAAC;QAC3B,CAAC;QAED,MAAM,KAAK,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACjC,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAC;QAE5C,aAAa,CAAC,IAAI,CAAC;YACjB,IAAI,EAAE,YAAY;YAClB,MAAM,EAAE,UAAU,CAAC,MAAM;YACzB,IAAI,EAAE,KAAK,CAAC,IAAI;SACjB,CAAC,CAAC;IACL,CAAC;IAED,2EAA2E;IAC3E,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QAC1B,IAAI,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI;YAAE,OAAO,CAAC,CAAC,CAAC;QAC/B,IAAI,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC,IAAI;YAAE,OAAO,CAAC,CAAC;QAC9B,OAAO,CAAC,CAAC;IACX,CAAC,CAAC,CAAC;IAEH,yCAAyC;IACzC,MAAM,mBAAmB,GAAG;QAC1B,OAAO,EAAE,gBAAgB;QACzB,IAAI,EAAE;YACJ,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,WAAW;SACrB;QACD,KAAK,EAAE,aAAa;KACrB,CAAC;IAEF,4CAA4C;IAC5C,MAAM,YAAY,GAAG,mBAAmB,CAAC,mBAAmB,CAAC,CAAC;IAE9D,2BAA2B;IAC3B,OAAO;QACL,GAAG,mBAAmB;QACtB,YAAY,EAAE;YACZ,SAAS,EAAE,QAAQ;YACnB,MAAM,EAAE,YAAY,CAAC,MAAM;SAC5B;KACF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,mBAAmB,CACjC,QAAmE;IAEnE,qCAAqC;IACrC,MAAM,EAAE,YAAY,EAAE,CAAC,EAAE,GAAG,mBAAmB,EAAE,GAAG,QAA4B,CAAC;IAEjF,kCAAkC;IAClC,MAAM,SAAS,GAAG,aAAa,CAAC,mBAAmB,CAAC,CAAC;IACrD,OAAO,WAAW,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;AAC1C,CAAC;AAED;;;;;;;;;;;;;;;GAeG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,OAAe,EACf,QAA0B,EAC1B,UAAyC,EAAE;IAE3C,MAAM,EAAE,cAAc,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC;IACxC,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,MAAM,aAAa,GAAa,EAAE,CAAC;IACnC,MAAM,UAAU,GAAa,EAAE,CAAC;IAEhC,yCAAyC;IACzC,MAAM,YAAY,GAAG,mBAAmB,CAAC,QAAQ,CAAC,CAAC;IACnD,IAAI,YAAY,CAAC,MAAM,KAAK,QAAQ,CAAC,YAAY,CAAC,MAAM,EAAE,CAAC;QACzD,MAAM,CAAC,IAAI,CACT,oCAAoC,QAAQ,CAAC,YAAY,CAAC,MAAM,SAAS,YAAY,CAAC,MAAM,EAAE,CAC/F,CAAC;IACJ,CAAC;IAED,qCAAqC;IACrC,MAAM,gBAAgB,GAAG,YAAY,CAAC,OAAO,EAAE,OAAO,EAAE,cAAc,CAAC,CAAC;IACxE,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,aAAa,CAAC,QAAQ,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;IAEjG,8BAA8B;IAC9B,MAAM,aAAa,GAAG,IAAI,GAAG,EAAU,CAAC;IAExC,KAAK,MAAM,SAAS,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;QACvC,aAAa,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,EAAE,SAAS,CAAC,IAAI,CAAC,CAAC;QAE/C,uBAAuB;QACvB,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC;YACtC,YAAY,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YAClC,MAAM,CAAC,IAAI,CAAC,iBAAiB,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;YAC/C,SAAS;QACX,CAAC;QAED,aAAa;QACb,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAC5C,IAAI,UAAU,CAAC,MAAM,KAAK,SAAS,CAAC,MAAM,EAAE,CAAC;gBAC3C,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;gBACnC,MAAM,CAAC,IAAI,CACT,kBAAkB,SAAS,CAAC,IAAI,cAAc,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,UAAU,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAC5H,CAAC;YACJ,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,IAAI,CAAC,uBAAuB,SAAS,CAAC,IAAI,KAAK,GAAG,EAAE,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC;IAED,wCAAwC;IACxC,KAAK,MAAM,WAAW,IAAI,YAAY,EAAE,CAAC;QACvC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC;YACpC,UAAU,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC7B,MAAM,CAAC,IAAI,CAAC,+BAA+B,WAAW,EAAE,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED,OAAO;QACL,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC;QAC1B,MAAM,EAAE,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;QAC9C,YAAY,EAAE,YAAY,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,SAAS;QAChE,aAAa,EAAE,aAAa,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS;QACnE,UAAU,EAAE,UAAU,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS;KAC3D,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAAY;IAChD,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAEhC,qBAAqB;IACrB,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,OAAO,KAAK,gBAAgB,EAAE,CAAC;QAC3D,MAAM,IAAI,KAAK,CACb,sCAAsC,gBAAgB,SAAS,MAAM,CAAC,OAAO,EAAE,CAChF,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACpE,CAAC;IAED,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;IAC9D,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,SAAS,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,MAAM,EAAE,CAAC;QACpE,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC5D,CAAC;IAED,OAAO,MAA0B,CAAC;AACpC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,yBAAyB,CAAC,QAA0B;IAClE,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AAC3C,CAAC;AA+BD;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,QAA0B,EAC1B,cAAuB,EACvB,UAKI,EAAE;IAEN,gDAAgD;IAChD,MAAM,EAAE,YAAY,EAAE,yBAAyB,EAAE,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,CAAC;IAG/E,IAAI,CAAC;QACH,qDAAqD;QACrD,MAAM,YAAY,GAAG,QAAQ,CAAC,YAAY,CAAC,MAAM,CAAC;QAElD,0CAA0C;QAC1C,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAC5B,YAAY,CAAC,KAAK,CAAC,SAAS,CAAE,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CACxE,CAAC;QAEF,uCAAuC;QACvC,MAAM,MAAM,GAAG,cAAoC,CAAC;QAEpD,6BAA6B;QAC7B,MAAM,YAAY,GAAG,MAAM,YAAY,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC;QAE5D,IAAI,CAAC,YAAY,CAAC,QAAQ,EAAE,CAAC;YAC3B,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE,YAAY,CAAC,KAAK,IAAI,qCAAqC;gBAClE,OAAO,EAAE;oBACP,cAAc,EAAE,KAAK;oBACrB,mBAAmB,EAAE,KAAK;iBAC3B;aACF,CAAC;QACJ,CAAC;QAED,mCAAmC;QACnC,MAAM,QAAQ,GAAG,yBAAyB,CAAC,MAAM,CAAC,CAAC;QAEnD,6DAA6D;QAC7D,IAAI,oBAAyC,CAAC;QAC9C,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;YACpB,MAAM,UAAU,GAAG,OAAO,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC5F,MAAM,gBAAgB,GAAG,MAAM,sBAAsB,CAAC,OAAO,CAAC,OAAO,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC;YAC7F,oBAAoB,GAAG,gBAAgB,CAAC,KAAK,CAAC;YAE9C,IAAI,CAAC,gBAAgB,CAAC,KAAK,EAAE,CAAC;gBAC5B,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,OAAO,EAAE,QAAQ,EAAE,KAAK,IAAI,QAAQ,EAAE,OAAO;oBAC7C,QAAQ,EAAE,QAAQ,EAAE,MAAM;oBAC1B,KAAK,EAAE,kCAAkC,gBAAgB,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE;oBAC9E,OAAO,EAAE;wBACP,cAAc,EAAE,IAAI;wBACpB,mBAAmB,EAAE,IAAI;wBACzB,oBAAoB,EAAE,KAAK;qBAC5B;iBACF,CAAC;YACJ,CAAC;QACH,CAAC;QAED,OAAO;YACL,KAAK,EAAE,IAAI;YACX,OAAO,EAAE,QAAQ,EAAE,KAAK,IAAI,QAAQ,EAAE,OAAO;YAC7C,QAAQ,EAAE,QAAQ,EAAE,MAAM;YAC1B,OAAO,EAAE;gBACP,cAAc,EAAE,IAAI;gBACpB,mBAAmB,EAAE,IAAI;gBACzB,oBAAoB;aACrB;SACF,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,KAAK,EAAE,wBAAyB,KAAe,CAAC,OAAO,EAAE;YACzD,OAAO,EAAE;gBACP,cAAc,EAAE,KAAK;gBACrB,mBAAmB,EAAE,KAAK;aAC3B;SACF,CAAC;IACJ,CAAC;AACH,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@enactprotocol/trust",
-  "version": "2.1.15",
+  "version": "2.1.20",
   "description": "Sigstore integration, attestations, and verification for Enact",
   "type": "module",
   "main": "./dist/index.js",

package/src/index.ts

@@ -10,6 +10,24 @@ export const version = "0.1.0";
 // Hash utilities
 export { hashContent, hashBuffer, hashFile } from "./hash";
 
+// Checksum manifest (for deterministic signing)
+export {
+  createChecksumManifest,
+  computeManifestHash,
+  verifyChecksumManifest,
+  verifyManifestAttestation,
+  parseChecksumManifest,
+  serializeChecksumManifest,
+  MANIFEST_VERSION,
+} from "./manifest";
+export type {
+  ChecksumManifest,
+  FileChecksum,
+  CreateManifestOptions,
+  ManifestVerificationResult,
+  ManifestAttestationVerificationResult,
+} from "./manifest";
+
 // Key management
 export { generateKeyPair, isValidPEMKey, getKeyTypeFromPEM } from "./keys";