@forwardimpact/libutil 0.1.87 → 0.1.89

package/bin/fit-download-bundle.js

@@ -2,25 +2,16 @@
 
 import "@forwardimpact/libpreflight/node22";
 
-import { readFileSync } from "node:fs";
 import { spawn } from "node:child_process";
 import { createCli } from "@forwardimpact/libcli";
 import { createScriptConfig } from "@forwardimpact/libconfig";
 import { createStorage } from "@forwardimpact/libstorage";
 import { createLogger } from "@forwardimpact/libtelemetry";
 import { createBundleDownloader, execLine } from "@forwardimpact/libutil";
-
-// `bun build --compile` injects FIT_DOWNLOAD_BUNDLE_VERSION via --define,
-// eliminating the readFileSync branch in the compiled binary (which would
-// ENOENT against the bunfs virtual mount). Source execution falls through.
-const VERSION =
-  process.env.FIT_DOWNLOAD_BUNDLE_VERSION ||
-  JSON.parse(readFileSync(new URL("../package.json", import.meta.url), "utf8"))
-    .version;
+import { createDefaultRuntime } from "@forwardimpact/libutil/runtime";
 
 const definition = {
   name: "fit-download-bundle",
-  version: VERSION,
   description: "Download generated code bundle from remote storage",
   globalOptions: {
     help: { type: "boolean", short: "h", description: "Show this help" },
@@ -29,8 +20,12 @@ const definition = {
   },
 };
 
-const cli = createCli(definition);
-const logger = createLogger("generated");
+const runtime = createDefaultRuntime();
+const cli = createCli(definition, {
+  runtime,
+  packageJsonUrl: new URL("../package.json", import.meta.url),
+});
+const logger = createLogger("generated", runtime);
 
 /**
  * Downloads generated code bundle from remote storage.
@@ -42,7 +37,7 @@ async function main() {
   if (!parsed) process.exit(0);
 
   await createScriptConfig("download-bundle");
-  const downloader = createBundleDownloader(createStorage, logger);
+  const downloader = createBundleDownloader(createStorage, logger, runtime);
   await downloader.download();
 
   // If additional arguments provided, execute them after download

package/bin/fit-tiktoken.js

@@ -1,22 +1,13 @@
 #!/usr/bin/env node
 import "@forwardimpact/libpreflight/node22";
 
-import { readFileSync } from "node:fs";
 import { createCli } from "@forwardimpact/libcli";
+import { createDefaultRuntime } from "@forwardimpact/libutil/runtime";
 import { createLogger } from "@forwardimpact/libtelemetry";
 import { countTokens } from "@forwardimpact/libutil";
 
-// `bun build --compile` injects FIT_TIKTOKEN_VERSION via --define, eliminating
-// the readFileSync branch in the compiled binary (which would ENOENT against
-// the bunfs virtual mount). Source execution falls through to package.json.
-const VERSION =
-  process.env.FIT_TIKTOKEN_VERSION ||
-  JSON.parse(readFileSync(new URL("../package.json", import.meta.url), "utf8"))
-    .version;
-
 const definition = {
   name: "fit-tiktoken",
-  version: VERSION,
   description: "Count tokens in text",
   usage: "fit-tiktoken <text>\n       echo 'text' | fit-tiktoken",
   globalOptions: {
@@ -27,8 +18,12 @@ const definition = {
   examples: ['fit-tiktoken "hello world"', "echo 'hello world' | fit-tiktoken"],
 };
 
-const cli = createCli(definition);
-const logger = createLogger("tiktoken");
+const runtime = createDefaultRuntime();
+const cli = createCli(definition, {
+  runtime,
+  packageJsonUrl: new URL("../package.json", import.meta.url),
+});
+const logger = createLogger("tiktoken", runtime);
 
 /**
  * Counts tokens in the provided text

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@forwardimpact/libutil",
-  "version": "0.1.87",
+  "version": "0.1.89",
   "description": "Cross-cutting utilities: retry, hashing, token counting, and project discovery.",
   "keywords": [
     "util",
@@ -22,6 +22,8 @@
   "exports": {
     ".": "./src/index.js",
     "./runtime": "./src/runtime.js",
+    "./trusted-origins": "./src/trusted-origins.js",
+    "./completion-ticket": "./src/completion-ticket.js",
     "./git-client": "./src/git-client.js",
     "./gh-client": "./src/gh-client.js",
     "./bin/fit-download-bundle.js": "./bin/fit-download-bundle.js",

package/src/completion-ticket.js

@@ -0,0 +1,163 @@
+import { createHmac, timingSafeEqual } from "node:crypto";
+
+import { isTrusted } from "./trusted-origins.js";
+
+/** Ticket lifetime in milliseconds. 5 minutes covers IdP round-trip + redirect
+ * with margin and is well inside browser/proxy URL-lifetime norms. */
+export const TICKET_TTL_MS = 5 * 60 * 1000;
+
+/**
+ * Canonical-JSON encoding of the ticket payload. Keys are sorted alphabetically
+ * (`exp, idp_origin, link_token, surface_user_id`) so the wire bytes do not
+ * depend on input-object property iteration order — minting the same claims
+ * twice produces byte-identical payloads.
+ *
+ * @param {object} claims
+ * @param {number} claims.exp Absolute ms-since-epoch expiry.
+ * @param {string} claims.idpOrigin Normalised IdP origin (`new URL(…).origin`).
+ * @param {string} claims.linkToken Opaque link-token claim.
+ * @param {string} claims.surfaceUserId Caller surface user id.
+ * @returns {string} Canonical JSON.
+ */
+function canonicalJson({ exp, idpOrigin, linkToken, surfaceUserId }) {
+  return JSON.stringify({
+    exp,
+    idp_origin: idpOrigin,
+    link_token: linkToken,
+    surface_user_id: surfaceUserId,
+  });
+}
+
+function b64urlEncode(bufOrStr) {
+  const buf =
+    typeof bufOrStr === "string" ? Buffer.from(bufOrStr, "utf8") : bufOrStr;
+  return buf
+    .toString("base64")
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=+$/g, "");
+}
+
+function b64urlDecodeToBuffer(s) {
+  const pad = s.length % 4 === 0 ? "" : "=".repeat(4 - (s.length % 4));
+  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/") + pad, "base64");
+}
+
+function sign(secret, payloadB64) {
+  return createHmac("sha256", secret).update(payloadB64).digest();
+}
+
+/**
+ * Mint a completion ticket for the bridge to verify after the IdP round-trip.
+ * Wire form: `<base64url(canonicalJson)>.<base64url(hmacSha256(secret, payload))>`.
+ *
+ * @param {object} args
+ * @param {string} args.linkToken Opaque link-token bound to a queued dispatch.
+ * @param {string} args.surfaceUserId Caller surface user id.
+ * @param {string} args.idpOrigin Normalised IdP origin (`new URL(…).origin`).
+ * @param {string} args.secret Shared HMAC secret. Must match the verifier's.
+ * @param {number} args.now Absolute ms-since-epoch.
+ * @returns {string} Wire-form ticket.
+ */
+export function mintCompletionTicket({
+  linkToken,
+  surfaceUserId,
+  idpOrigin,
+  secret,
+  now,
+}) {
+  const exp = now + TICKET_TTL_MS;
+  const payloadJson = canonicalJson({
+    exp,
+    idpOrigin,
+    linkToken,
+    surfaceUserId,
+  });
+  const payloadB64 = b64urlEncode(payloadJson);
+  const sig = sign(secret, payloadB64);
+  return `${payloadB64}.${b64urlEncode(sig)}`;
+}
+
+/**
+ * Verify a wire-form completion ticket. Returns `{ ok: true, claims }` on
+ * success or `{ ok: false, reason }` on failure. All failure reasons are
+ * caller-rendered as the same "Unable to verify completion" page —
+ * indistinguishability is intentional.
+ *
+ * Failure reasons: `malformed`, `bad_signature`, `expired`,
+ * `link_token_mismatch`, `untrusted_origin`.
+ *
+ * The `surface_user_id` claim is returned in `claims.surfaceUserId` for the
+ * handler to cross-check against the freshly-resolved `pending.surface_user_id`
+ * — see `services/bridge` step 8 in the plan. Folding that check into the
+ * verifier would require it to take a pending store, which the design
+ * explicitly avoids.
+ *
+ * @param {object} args
+ * @param {string} args.ticket Wire-form ticket.
+ * @param {{linkToken: string}} args.expected Link-token the handler resolved.
+ * @param {Set<string>} args.trustedOrigins Trusted-origin set from libutil.
+ * @param {string} args.secret Shared HMAC secret.
+ * @param {number} args.now Absolute ms-since-epoch.
+ * @returns {{ok: true, claims: {linkToken: string, surfaceUserId: string, idpOrigin: string, exp: number}} | {ok: false, reason: string}}
+ */
+export function verifyCompletionTicket({
+  ticket,
+  expected,
+  trustedOrigins,
+  secret,
+  now,
+}) {
+  if (typeof ticket !== "string" || !ticket.includes(".")) {
+    return { ok: false, reason: "malformed" };
+  }
+  const dot = ticket.indexOf(".");
+  if (dot === 0 || dot === ticket.length - 1) {
+    return { ok: false, reason: "malformed" };
+  }
+  const payloadB64 = ticket.slice(0, dot);
+  const sigB64 = ticket.slice(dot + 1);
+
+  const presentedSig = b64urlDecodeToBuffer(sigB64);
+  const expectedSig = sign(secret, payloadB64);
+  if (
+    presentedSig.length !== expectedSig.length ||
+    !timingSafeEqual(presentedSig, expectedSig)
+  ) {
+    return { ok: false, reason: "bad_signature" };
+  }
+
+  let claims;
+  try {
+    claims = JSON.parse(b64urlDecodeToBuffer(payloadB64).toString("utf8"));
+  } catch {
+    return { ok: false, reason: "malformed" };
+  }
+
+  const { exp, idp_origin, link_token, surface_user_id } = claims;
+  if (
+    typeof exp !== "number" ||
+    typeof idp_origin !== "string" ||
+    typeof link_token !== "string" ||
+    typeof surface_user_id !== "string"
+  ) {
+    return { ok: false, reason: "malformed" };
+  }
+
+  if (now >= exp) return { ok: false, reason: "expired" };
+  if (link_token !== expected.linkToken) {
+    return { ok: false, reason: "link_token_mismatch" };
+  }
+  if (!isTrusted(idp_origin, trustedOrigins)) {
+    return { ok: false, reason: "untrusted_origin" };
+  }
+  return {
+    ok: true,
+    claims: {
+      linkToken: link_token,
+      surfaceUserId: surface_user_id,
+      idpOrigin: idp_origin,
+      exp,
+    },
+  };
+}

package/src/finder.js

@@ -1,81 +1,76 @@
-import nodeFsSync from "node:fs";
-import nodeFsPromises from "node:fs/promises";
 import path from "path";
 import { createRequire } from "node:module";
+import { LIBCLI_IS_COMPILED } from "@forwardimpact/libcli";
 
 const NOOP_LOGGER = { debug() {} };
 
-/**
- * Detect the new collaborator-config constructor form. The legacy positional
- * form passes an fs module as the first argument (which carries `readFile`);
- * the new form passes `{ fs, fsSync?, proc, logger? }`.
- * @param {*} arg - The first constructor argument.
- * @returns {boolean}
- */
-function isRuntimeConfig(arg) {
-  return (
-    arg != null &&
-    typeof arg === "object" &&
-    !Array.isArray(arg) &&
-    (arg.proc !== undefined ||
-      arg.fsSync !== undefined ||
-      (arg.fs !== undefined && typeof arg.readFile !== "function"))
-  );
-}
-
 /**
  * Finder class for project path resolution and symlink management.
  * Handles filesystem operations for linking generated code to packages.
  *
- * Two constructor forms are supported during the ambient-to-injected migration:
- *
- * - Collaborator config (canonical): `new Finder({ fs, fsSync?, proc, logger? })`.
- *   The injected `fs` (async) and `fsSync` (sync, for existence checks) flow
- *   through to every internal call — the spec-flagged dead-`fs` bug is fixed.
- * - Legacy positional (deprecated, one migration cycle):
- *   `new Finder(fs, logger, process)`. Preserved byte-for-byte so existing
- *   call sites stay green until their per-unit migration PRs convert them.
+ * Constructed with injected collaborators: `new Finder({ fs, fsSync?, proc,
+ * logger? })`. The injected `fs` (async) and `fsSync` (sync, for existence
+ * checks) flow through to every internal call.
  */
 export class Finder {
   #fs;
+  #fsSync;
   #existsSync;
   #logger;
   #proc;
+  #isCompiled;
 
   /**
-   * @param {object} fsOrConfig - Either `{ fs, fsSync?, proc, logger? }` (new)
-   *   or the async fs module (legacy positional first argument).
-   * @param {object} [logger] - Legacy positional logger.
-   * @param {object} [proc] - Legacy positional process (cwd provider).
+   * @param {object} config - Injected collaborators.
+   * @param {object} config.fs - Async fs surface (mkdir, lstat, symlink, …).
+   * @param {object} [config.fsSync] - Sync fs surface for existence checks;
+   *   falls back to `fs` when omitted.
+   * @param {object} config.proc - Process collaborator (cwd provider).
+   * @param {object} [config.logger] - Optional logger; defaults to a no-op.
+   * @param {boolean} [config.isCompiled] - Whether the host is a
+   *   `bun build --compile` binary; defaults to libcli's `LIBCLI_IS_COMPILED`.
+   *   Injectable so tests can exercise the compiled branch of
+   *   {@link Finder#findProjectRoot} without a real binary.
    */
-  constructor(fsOrConfig, logger, proc = global.process) {
-    if (isRuntimeConfig(fsOrConfig)) {
-      // Finder is the one module that legitimately bridges the sync and async
-      // fs surfaces (existence checks vs. symlink ops), so it reads both fields
-      // by property access rather than a single `{ fs, fsSync }` destructure
-      // (which design Decision 7 reserves for consumer modules).
-      const fs = fsOrConfig.fs;
-      const fsSync = fsOrConfig.fsSync;
-      const procArg = fsOrConfig.proc;
-      if (!fs) throw new Error("fs is required");
-      if (!procArg) throw new Error("proc is required");
-      this.#fs = fs;
-      const existsTarget = fsSync ?? fs;
-      this.#existsSync = existsTarget.existsSync.bind(existsTarget);
-      this.#proc = procArg;
-      this.#logger = fsOrConfig.logger ?? NOOP_LOGGER;
-      return;
-    }
-    // Legacy positional form: behavior identical to the pre-1370 Finder —
-    // every fs operation routes through the module-level node:fs imports
-    // (the historical dead-`fs` behavior callers depend on).
-    if (!fsOrConfig) throw new Error("fs is required");
-    if (!logger) throw new Error("logger is required");
-    if (!proc) throw new Error("process is required");
-    this.#fs = nodeFsPromises;
-    this.#existsSync = (p) => nodeFsSync.existsSync(p);
-    this.#logger = logger;
+  constructor(config = {}) {
+    // Finder is the one module that legitimately bridges the sync and async
+    // fs surfaces (existence checks vs. symlink ops), so it reads both fields
+    // by property access rather than a single `{ fs, fsSync }` destructure
+    // (which design Decision 7 reserves for consumer modules).
+    const fs = config.fs;
+    const fsSync = config.fsSync;
+    const proc = config.proc;
+    if (!fs) throw new Error("fs is required");
+    if (!proc) throw new Error("proc is required");
+    this.#fs = fs;
+    // Retain the raw collaborators so `withLogger` can rebuild an identically
+    // bound Finder with a different logger (private fields can't be copied
+    // onto a bare clone, and `#existsSync` is derived from `fsSync ?? fs`).
+    this.#fsSync = fsSync;
+    const existsTarget = fsSync ?? fs;
+    this.#existsSync = existsTarget.existsSync.bind(existsTarget);
     this.#proc = proc;
+    this.#logger = config.logger ?? NOOP_LOGGER;
+    this.#isCompiled = config.isCompiled ?? LIBCLI_IS_COMPILED;
+  }
+
+  /**
+   * Return a Finder over the same collaborators but with the given logger.
+   * The shared `runtime.finder` carries a no-op logger; a site that needs
+   * symlink debug logs (e.g. codegen) calls `runtime.finder.withLogger(logger)`
+   * instead of constructing its own Finder (Success Criterion 9 keeps `new
+   * Finder(...)` inside libutil).
+   * @param {object} logger - Logger with a `debug(scope, msg, data)` method.
+   * @returns {Finder} A logger-bound view sharing this Finder's fs/proc.
+   */
+  withLogger(logger) {
+    return new Finder({
+      fs: this.#fs,
+      fsSync: this.#fsSync,
+      proc: this.#proc,
+      logger,
+      isCompiled: this.#isCompiled,
+    });
   }
 
   /**
@@ -119,12 +114,28 @@ export class Finder {
   }
 
   /**
-   * Find the project root directory.
-   * @param {string} startPath - Starting directory path
+   * Find the project root a tool operates against, transparently handling
+   * compiled binaries.
+   *
+   * In a `bun build --compile` binary the entry module lives in the virtual
+   * `/$bunfs` root, so `import.meta.url`/`__dirname`-relative traversal is
+   * meaningless — the binary operates on whatever project tree it is launched
+   * from, so the working directory *is* the project root. In source/npx
+   * execution the working directory may sit anywhere inside the project, so we
+   * walk upward from `startPath` for the nearest `package.json`.
+   *
+   * Folding the compiled check in here keeps it out of every consumer: callers
+   * just ask the injected `runtime.finder` for the project root and get the
+   * right answer in both worlds.
+   *
+   * @param {string} [startPath] - Source-mode search origin; defaults to cwd.
    * @returns {string} Project root directory path
    */
   findProjectRoot(startPath) {
-    const projectRoot = this.findUpward(startPath, "package.json", 5);
+    if (this.#isCompiled) return this.#proc.cwd();
+
+    const start = startPath ?? this.#proc.cwd();
+    const projectRoot = this.findUpward(start, "package.json", 5);
     if (projectRoot) {
       return path.dirname(projectRoot);
     }
@@ -194,10 +205,15 @@ export class Finder {
     // Ensure the target's parent directory exists before symlinking
     await this.#fs.mkdir(path.dirname(targetPath), { recursive: true });
 
-    // Create the symlink
-    await this.#fs.symlink(sourcePath, targetPath, "dir");
+    // Link relative to the symlink's own directory, not absolute. A relative
+    // target survives being moved or restored at a different path — e.g. the
+    // CI workspace cache restoring libraries/*/src/generated on a runner whose
+    // checkout root differs from where codegen first ran. An absolute target
+    // would dangle, forcing a full codegen re-run on every warm cache.
+    const relativeSource = path.relative(path.dirname(targetPath), sourcePath);
+    await this.#fs.symlink(relativeSource, targetPath, "dir");
     this.#logger.debug("Finder", "Created symlink", {
-      source_path: sourcePath,
+      source_path: relativeSource,
       target_path: targetPath,
     });
   }

package/src/index.js

@@ -101,13 +101,16 @@ export function createTokenizer() {
  * Used in containerized deployments to download pre-generated code bundles.
  * @param {Function} createStorage - Storage factory function from libstorage
  * @param {object} logger - Logger instance
+ * @param {import("./runtime.js").Runtime} runtime - Injected runtime bag; supplies
+ *   the `fs`/`fsSync`/`proc` collaborators the Finder reads.
  * @returns {BundleDownloader} Configured BundleDownloader instance
  */
-export function createBundleDownloader(createStorage, logger) {
+export function createBundleDownloader(createStorage, logger, runtime) {
   if (!createStorage) throw new Error("createStorage is required");
   if (!logger) throw new Error("logger is required");
+  if (!runtime) throw new Error("runtime is required");
 
-  const finder = new Finder(fs, logger);
+  const finder = new Finder({ ...runtime, logger });
   const extractor = new TarExtractor(fs, path);
 
   return new BundleDownloader(createStorage, finder, logger, extractor);

package/src/runtime.js

@@ -4,6 +4,7 @@ import nodeFsSync, {
   createWriteStream as nodeCreateWriteStream,
 } from "node:fs";
 import nodeFs from "node:fs/promises";
+import { Writable } from "node:stream";
 import { Finder } from "./finder.js";
 
 /**
@@ -29,8 +30,9 @@ import { Finder } from "./finder.js";
  *   `readFileSync`, `writeFileSync`, `mkdirSync`, `readdirSync`, `statSync`,
  *   `openSync`, `readSync`, `closeSync`, `unlinkSync`.
  * @property {Object} proc
- *   Process surface: `cwd()`, `env`, `argv`, `stdin`, `stdout.write`,
- *   `stderr.write`, `exit(code)`, `kill(pid, signal)` (a negative `pid`
+ *   Process surface: `cwd()`, `env`, `argv`, `stdin`, `stdout`/`stderr`
+ *   (pipeline-grade `Writable`s — they support `.write(str)` and also serve as
+ *   `pipeline()` sinks), `exit(code)`, `kill(pid, signal)` (a negative `pid`
  *   signals the process group, e.g. for daemon teardown), `pid` (this
  *   process's id — used to exclude self from process-group descendant scans),
  *   `platform` (the `process.platform` string — `"darwin"`/`"win32"`/`"linux"`
@@ -93,8 +95,12 @@ export function createDefaultProc({ source = process, env = source.env } = {}) {
     }),
     argv: Object.freeze([...source.argv]),
     stdin: lineIterator(source.stdin),
-    stdout: { write: (s) => source.stdout.write(s) },
-    stderr: { write: (s) => source.stderr.write(s) },
+    // Pipeline-grade Writables: they support `.write(str)` like the old
+    // `{ write }` shim and also serve as `pipeline()` sinks. The wrapper
+    // forwards each chunk to the real stream; `.end()` finishes the wrapper
+    // without closing `source.stdout`/`stderr`.
+    stdout: forwardingWritable(source.stdout),
+    stderr: forwardingWritable(source.stderr),
     exit: (code) => source.exit(code),
     kill: (pid, signal) => source.kill(pid, signal),
     pid: source.pid,
@@ -111,6 +117,28 @@ export function createDefaultProc({ source = process, env = source.env } = {}) {
   return proc;
 }
 
+/**
+ * Wrap an underlying writable (`process.stdout`/`stderr`) in a pipeline-grade
+ * `Writable` sink that forwards every chunk to it. Used so `runtime.proc.stdout`
+ * can be both `.write(str)`-ed and used as a `pipeline()` destination, without
+ * `.end()` on the wrapper closing the real stream.
+ * @param {object} target - The underlying writable to forward chunks to.
+ * @returns {import("node:stream").Writable}
+ */
+function forwardingWritable(target) {
+  return new Writable({
+    write(chunk, _encoding, callback) {
+      // Forward and complete immediately. The underlying stream's
+      // backpressure signal is not propagated, which is fine for the CLI
+      // sinks this serves (a one-shot `librc logs()` tail); a future
+      // high-volume consumer that needs flow control should respect
+      // `target.write()`'s return value here.
+      target.write(chunk);
+      callback();
+    },
+  });
+}
+
 /**
  * Adapt a readable stream into an `AsyncIterable<string>` of UTF-8 lines.
  * @param {object} stream - A Node readable stream (e.g. `process.stdin`).

package/src/trusted-origins.js

@@ -0,0 +1,56 @@
+/**
+ * Parse a comma-separated list of trusted `https://…` origins into a Set of
+ * normalised origin strings (`new URL(s).origin`). Empty entries are dropped.
+ * `http://` and malformed entries are skipped at load with a logged warning.
+ * No globals read; caller hands in the raw string from its `libconfig`-loaded
+ * service config.
+ *
+ * @param {string|null|undefined} raw Comma-separated string of origins.
+ * @param {object} [options]
+ * @param {{warn?: (msg: string, meta?: object) => void}} [options.logger]
+ *   Optional logger; warnings are emitted but never thrown.
+ * @returns {Set<string>} Set of normalised origin strings.
+ */
+export function loadTrustedIdpOrigins(raw, { logger } = {}) {
+  const set = new Set();
+  const entries = String(raw ?? "")
+    .split(",")
+    .map((s) => s.trim())
+    .filter(Boolean);
+  for (const entry of entries) {
+    let url;
+    try {
+      url = new URL(entry);
+    } catch {
+      logger?.error?.("trusted-origins", "malformed entry; skipping", {
+        entry,
+      });
+      continue;
+    }
+    if (url.protocol !== "https:") {
+      logger?.error?.("trusted-origins", "non-TLS entry refused; skipping", {
+        entry,
+      });
+      continue;
+    }
+    set.add(url.origin);
+  }
+  return set;
+}
+
+/**
+ * Test whether `origin` (any URL string the caller has) belongs to `set`.
+ * Compared as `new URL(origin).origin` against the Set's normalised entries.
+ * Returns `false` on any URL parse error rather than throwing.
+ *
+ * @param {string} origin URL or origin string to test.
+ * @param {Set<string>} set Set produced by `loadTrustedIdpOrigins`.
+ * @returns {boolean} `true` if the URL's origin is in the set.
+ */
+export function isTrusted(origin, set) {
+  try {
+    return set.has(new URL(origin).origin);
+  } catch {
+    return false;
+  }
+}