@gnufoo/canaad 0.1.0 → 0.1.2

package/canaad_wasm.d.ts

@@ -251,3 +251,54 @@ export function hash(json: string): Uint8Array;
  * `true` if the JSON is valid AAD, `false` otherwise.
  */
 export function validate(json: string): boolean;
+
+export type InitInput = RequestInfo | URL | Response | BufferSource | WebAssembly.Module;
+
+export interface InitOutput {
+    readonly memory: WebAssembly.Memory;
+    readonly MAX_SAFE_INTEGER: () => number;
+    readonly MAX_SERIALIZED_BYTES: () => number;
+    readonly SPEC_VERSION: () => number;
+    readonly __wbg_aadbuilder_free: (a: number, b: number) => void;
+    readonly aadbuilder_build: (a: number) => [number, number, number, number];
+    readonly aadbuilder_buildString: (a: number) => [number, number, number, number];
+    readonly aadbuilder_extensionInt: (a: number, b: number, c: number, d: number) => number;
+    readonly aadbuilder_extensionString: (a: number, b: number, c: number, d: number, e: number) => number;
+    readonly aadbuilder_new: () => number;
+    readonly aadbuilder_purpose: (a: number, b: number, c: number) => number;
+    readonly aadbuilder_resource: (a: number, b: number, c: number) => number;
+    readonly aadbuilder_tenant: (a: number, b: number, c: number) => number;
+    readonly aadbuilder_timestamp: (a: number, b: number) => number;
+    readonly canonicalize: (a: number, b: number) => [number, number, number, number];
+    readonly canonicalizeString: (a: number, b: number) => [number, number, number, number];
+    readonly hash: (a: number, b: number) => [number, number, number, number];
+    readonly validate: (a: number, b: number) => number;
+    readonly __wbindgen_externrefs: WebAssembly.Table;
+    readonly __externref_table_dealloc: (a: number) => void;
+    readonly __wbindgen_free: (a: number, b: number, c: number) => void;
+    readonly __wbindgen_malloc: (a: number, b: number) => number;
+    readonly __wbindgen_realloc: (a: number, b: number, c: number, d: number) => number;
+    readonly __wbindgen_start: () => void;
+}
+
+export type SyncInitInput = BufferSource | WebAssembly.Module;
+
+/**
+ * Instantiates the given `module`, which can either be bytes or
+ * a precompiled `WebAssembly.Module`.
+ *
+ * @param {{ module: SyncInitInput }} module - Passing `SyncInitInput` directly is deprecated.
+ *
+ * @returns {InitOutput}
+ */
+export function initSync(module: { module: SyncInitInput } | SyncInitInput): InitOutput;
+
+/**
+ * If `module_or_path` is {RequestInfo} or {URL}, makes a request and
+ * for everything else, calls `WebAssembly.instantiate` directly.
+ *
+ * @param {{ module_or_path: InitInput | Promise<InitInput> }} module_or_path - Passing `InitInput` directly is deprecated.
+ *
+ * @returns {Promise<InitOutput>}
+ */
+export default function __wbg_init (module_or_path?: { module_or_path: InitInput | Promise<InitInput> } | InitInput | Promise<InitInput>): Promise<InitOutput>;

package/canaad_wasm.js

@@ -20,7 +20,7 @@
  * const canonical = builder.buildString();
  * ```
  */
-class AadBuilder {
+export class AadBuilder {
     static __wrap(ptr) {
         ptr = ptr >>> 0;
         const obj = Object.create(AadBuilder.prototype);
@@ -240,7 +240,6 @@ class AadBuilder {
     }
 }
 if (Symbol.dispose) AadBuilder.prototype[Symbol.dispose] = AadBuilder.prototype.free;
-exports.AadBuilder = AadBuilder;
 
 /**
  * Returns the maximum safe integer value (2^53 - 1).
@@ -249,21 +248,19 @@ exports.AadBuilder = AadBuilder;
  * JavaScript's Number type.
  * @returns {number}
  */
-function MAX_SAFE_INTEGER() {
+export function MAX_SAFE_INTEGER() {
     const ret = wasm.MAX_SAFE_INTEGER();
     return ret;
 }
-exports.MAX_SAFE_INTEGER = MAX_SAFE_INTEGER;
 
 /**
  * Returns the maximum serialized AAD size in bytes (16 KiB).
  * @returns {number}
  */
-function MAX_SERIALIZED_BYTES() {
+export function MAX_SERIALIZED_BYTES() {
     const ret = wasm.MAX_SERIALIZED_BYTES();
     return ret >>> 0;
 }
-exports.MAX_SERIALIZED_BYTES = MAX_SERIALIZED_BYTES;
 
 /**
  * Returns the current AAD specification version.
@@ -271,11 +268,10 @@ exports.MAX_SERIALIZED_BYTES = MAX_SERIALIZED_BYTES;
  * Currently always returns 1.
  * @returns {number}
  */
-function SPEC_VERSION() {
+export function SPEC_VERSION() {
     const ret = wasm.SPEC_VERSION();
     return ret >>> 0;
 }
-exports.SPEC_VERSION = SPEC_VERSION;
 
 /**
  * Parses and canonicalizes a JSON string to bytes.
@@ -302,7 +298,7 @@ exports.SPEC_VERSION = SPEC_VERSION;
  * @param {string} json
  * @returns {Uint8Array}
  */
-function canonicalize(json) {
+export function canonicalize(json) {
     const ptr0 = passStringToWasm0(json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
     const len0 = WASM_VECTOR_LEN;
     const ret = wasm.canonicalize(ptr0, len0);
@@ -313,7 +309,6 @@ function canonicalize(json) {
     wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
     return v2;
 }
-exports.canonicalize = canonicalize;
 
 /**
  * Parses and canonicalizes a JSON string to a UTF-8 string.
@@ -337,7 +332,7 @@ exports.canonicalize = canonicalize;
  * @param {string} json
  * @returns {string}
  */
-function canonicalizeString(json) {
+export function canonicalizeString(json) {
     let deferred3_0;
     let deferred3_1;
     try {
@@ -357,7 +352,6 @@ function canonicalizeString(json) {
         wasm.__wbindgen_free(deferred3_0, deferred3_1, 1);
     }
 }
-exports.canonicalizeString = canonicalizeString;
 
 /**
  * Computes the SHA-256 hash of the canonical JSON form.
@@ -384,7 +378,7 @@ exports.canonicalizeString = canonicalizeString;
  * @param {string} json
  * @returns {Uint8Array}
  */
-function hash(json) {
+export function hash(json) {
     const ptr0 = passStringToWasm0(json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
     const len0 = WASM_VECTOR_LEN;
     const ret = wasm.hash(ptr0, len0);
@@ -395,7 +389,6 @@ function hash(json) {
     wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
     return v2;
 }
-exports.hash = hash;
 
 /**
  * Validates a JSON string against the AAD specification.
@@ -413,13 +406,12 @@ exports.hash = hash;
  * @param {string} json
  * @returns {boolean}
  */
-function validate(json) {
+export function validate(json) {
     const ptr0 = passStringToWasm0(json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
     const len0 = WASM_VECTOR_LEN;
     const ret = wasm.validate(ptr0, len0);
     return ret !== 0;
 }
-exports.validate = validate;
 
 function __wbg_get_imports() {
     const import0 = {
@@ -514,7 +506,15 @@ function takeFromExternrefTable0(idx) {
 
 let cachedTextDecoder = new TextDecoder('utf-8', { ignoreBOM: true, fatal: true });
 cachedTextDecoder.decode();
+const MAX_SAFARI_DECODE_BYTES = 2146435072;
+let numBytesDecoded = 0;
 function decodeText(ptr, len) {
+    numBytesDecoded += len;
+    if (numBytesDecoded >= MAX_SAFARI_DECODE_BYTES) {
+        cachedTextDecoder = new TextDecoder('utf-8', { ignoreBOM: true, fatal: true });
+        cachedTextDecoder.decode();
+        numBytesDecoded = len;
+    }
     return cachedTextDecoder.decode(getUint8ArrayMemory0().subarray(ptr, ptr + len));
 }
 
@@ -533,8 +533,94 @@ if (!('encodeInto' in cachedTextEncoder)) {
 
 let WASM_VECTOR_LEN = 0;
 
-const wasmPath = `${__dirname}/canaad_wasm_bg.wasm`;
-const wasmBytes = require('fs').readFileSync(wasmPath);
-const wasmModule = new WebAssembly.Module(wasmBytes);
-const wasm = new WebAssembly.Instance(wasmModule, __wbg_get_imports()).exports;
-wasm.__wbindgen_start();
+let wasmModule, wasm;
+function __wbg_finalize_init(instance, module) {
+    wasm = instance.exports;
+    wasmModule = module;
+    cachedUint8ArrayMemory0 = null;
+    wasm.__wbindgen_start();
+    return wasm;
+}
+
+async function __wbg_load(module, imports) {
+    if (typeof Response === 'function' && module instanceof Response) {
+        if (typeof WebAssembly.instantiateStreaming === 'function') {
+            try {
+                return await WebAssembly.instantiateStreaming(module, imports);
+            } catch (e) {
+                const validResponse = module.ok && expectedResponseType(module.type);
+
+                if (validResponse && module.headers.get('Content-Type') !== 'application/wasm') {
+                    console.warn("`WebAssembly.instantiateStreaming` failed because your server does not serve Wasm with `application/wasm` MIME type. Falling back to `WebAssembly.instantiate` which is slower. Original error:\n", e);
+
+                } else { throw e; }
+            }
+        }
+
+        const bytes = await module.arrayBuffer();
+        return await WebAssembly.instantiate(bytes, imports);
+    } else {
+        const instance = await WebAssembly.instantiate(module, imports);
+
+        if (instance instanceof WebAssembly.Instance) {
+            return { instance, module };
+        } else {
+            return instance;
+        }
+    }
+
+    function expectedResponseType(type) {
+        switch (type) {
+            case 'basic': case 'cors': case 'default': return true;
+        }
+        return false;
+    }
+}
+
+function initSync(module) {
+    if (wasm !== undefined) return wasm;
+
+
+    if (module !== undefined) {
+        if (Object.getPrototypeOf(module) === Object.prototype) {
+            ({module} = module)
+        } else {
+            console.warn('using deprecated parameters for `initSync()`; pass a single object instead')
+        }
+    }
+
+    const imports = __wbg_get_imports();
+    if (!(module instanceof WebAssembly.Module)) {
+        module = new WebAssembly.Module(module);
+    }
+    const instance = new WebAssembly.Instance(module, imports);
+    return __wbg_finalize_init(instance, module);
+}
+
+async function __wbg_init(module_or_path) {
+    if (wasm !== undefined) return wasm;
+
+
+    if (module_or_path !== undefined) {
+        if (Object.getPrototypeOf(module_or_path) === Object.prototype) {
+            ({module_or_path} = module_or_path)
+        } else {
+            console.warn('using deprecated parameters for the initialization function; pass a single object instead')
+        }
+    }
+
+    if (module_or_path === undefined) {
+        module_or_path = new URL('canaad_wasm_bg.wasm', import.meta.url);
+    }
+    const imports = __wbg_get_imports();
+
+    if (typeof module_or_path === 'string' || (typeof Request === 'function' && module_or_path instanceof Request) || (typeof URL === 'function' && module_or_path instanceof URL)) {
+        module_or_path = fetch(module_or_path);
+    }
+
+    const { instance, module } = await __wbg_load(await module_or_path, imports);
+
+    return __wbg_finalize_init(instance, module);
+}
+
+export { initSync, __wbg_init as default };

package/canaad_wasm_bg.js

@@ -0,0 +1,527 @@
+/**
+ * Builder for constructing AAD objects programmatically.
+ *
+ * Provides a fluent API for building AAD with method chaining.
+ * All setter methods return a new builder to enable chaining.
+ *
+ * # Example (JavaScript)
+ *
+ * ```javascript
+ * const builder = new AadBuilder()
+ *     .tenant("org_abc")
+ *     .resource("secrets/db")
+ *     .purpose("encryption")
+ *     .timestamp(1706400000)
+ *     .extensionString("x_vault_cluster", "us-east-1");
+ *
+ * const bytes = builder.build();
+ * const canonical = builder.buildString();
+ * ```
+ */
+export class AadBuilder {
+    static __wrap(ptr) {
+        ptr = ptr >>> 0;
+        const obj = Object.create(AadBuilder.prototype);
+        obj.__wbg_ptr = ptr;
+        AadBuilderFinalization.register(obj, obj.__wbg_ptr, obj);
+        return obj;
+    }
+    __destroy_into_raw() {
+        const ptr = this.__wbg_ptr;
+        this.__wbg_ptr = 0;
+        AadBuilderFinalization.unregister(this);
+        return ptr;
+    }
+    free() {
+        const ptr = this.__destroy_into_raw();
+        wasm.__wbg_aadbuilder_free(ptr, 0);
+    }
+    /**
+     * Builds the AAD and returns the canonical bytes.
+     *
+     * # Returns
+     *
+     * A `Uint8Array` containing the UTF-8 encoded canonical JSON.
+     *
+     * # Errors
+     *
+     * Throws a JavaScript error if:
+     * - Required fields (tenant, resource, purpose) are missing
+     * - Any field value is invalid
+     * - Extension keys don't match the required pattern
+     * - The serialized output exceeds 16 KiB
+     * @returns {Uint8Array}
+     */
+    build() {
+        const ret = wasm.aadbuilder_build(this.__wbg_ptr);
+        if (ret[3]) {
+            throw takeFromExternrefTable0(ret[2]);
+        }
+        var v1 = getArrayU8FromWasm0(ret[0], ret[1]).slice();
+        wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
+        return v1;
+    }
+    /**
+     * Builds the AAD and returns the canonical string.
+     *
+     * # Returns
+     *
+     * The canonical (JCS) representation as a string.
+     *
+     * # Errors
+     *
+     * Throws a JavaScript error if:
+     * - Required fields (tenant, resource, purpose) are missing
+     * - Any field value is invalid
+     * - Extension keys don't match the required pattern
+     * - The serialized output exceeds 16 KiB
+     * @returns {string}
+     */
+    buildString() {
+        let deferred2_0;
+        let deferred2_1;
+        try {
+            const ret = wasm.aadbuilder_buildString(this.__wbg_ptr);
+            var ptr1 = ret[0];
+            var len1 = ret[1];
+            if (ret[3]) {
+                ptr1 = 0; len1 = 0;
+                throw takeFromExternrefTable0(ret[2]);
+            }
+            deferred2_0 = ptr1;
+            deferred2_1 = len1;
+            return getStringFromWasm0(ptr1, len1);
+        } finally {
+            wasm.__wbindgen_free(deferred2_0, deferred2_1, 1);
+        }
+    }
+    /**
+     * Adds an integer extension field.
+     *
+     * Extension keys must match pattern `x_<app>_<field>` where:
+     * - `<app>` is one or more lowercase letters
+     * - `<field>` is one or more lowercase letters or underscores
+     *
+     * # Arguments
+     *
+     * * `key` - Extension key (e.g., `x_app_priority`)
+     * * `value` - Integer value (0 to 2^53-1)
+     *
+     * # Returns
+     *
+     * A new builder with the extension added.
+     * @param {string} key
+     * @param {number} value
+     * @returns {AadBuilder}
+     */
+    extensionInt(key, value) {
+        const ptr = this.__destroy_into_raw();
+        const ptr0 = passStringToWasm0(key, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ret = wasm.aadbuilder_extensionInt(ptr, ptr0, len0, value);
+        return AadBuilder.__wrap(ret);
+    }
+    /**
+     * Adds a string extension field.
+     *
+     * Extension keys must match pattern `x_<app>_<field>` where:
+     * - `<app>` is one or more lowercase letters
+     * - `<field>` is one or more lowercase letters or underscores
+     *
+     * # Arguments
+     *
+     * * `key` - Extension key (e.g., `x_vault_cluster`)
+     * * `value` - String value (no NUL bytes)
+     *
+     * # Returns
+     *
+     * A new builder with the extension added.
+     * @param {string} key
+     * @param {string} value
+     * @returns {AadBuilder}
+     */
+    extensionString(key, value) {
+        const ptr = this.__destroy_into_raw();
+        const ptr0 = passStringToWasm0(key, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ptr1 = passStringToWasm0(value, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len1 = WASM_VECTOR_LEN;
+        const ret = wasm.aadbuilder_extensionString(ptr, ptr0, len0, ptr1, len1);
+        return AadBuilder.__wrap(ret);
+    }
+    /**
+     * Creates a new AAD builder.
+     */
+    constructor() {
+        const ret = wasm.aadbuilder_new();
+        this.__wbg_ptr = ret >>> 0;
+        AadBuilderFinalization.register(this, this.__wbg_ptr, this);
+        return this;
+    }
+    /**
+     * Sets the purpose or usage context.
+     *
+     * # Arguments
+     *
+     * * `value` - Purpose description (1+ bytes, no NUL bytes)
+     *
+     * # Returns
+     *
+     * A new builder with the purpose set.
+     * @param {string} value
+     * @returns {AadBuilder}
+     */
+    purpose(value) {
+        const ptr = this.__destroy_into_raw();
+        const ptr0 = passStringToWasm0(value, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ret = wasm.aadbuilder_purpose(ptr, ptr0, len0);
+        return AadBuilder.__wrap(ret);
+    }
+    /**
+     * Sets the resource path or identifier.
+     *
+     * # Arguments
+     *
+     * * `value` - Resource path (1-1024 bytes, no NUL bytes)
+     *
+     * # Returns
+     *
+     * A new builder with the resource set.
+     * @param {string} value
+     * @returns {AadBuilder}
+     */
+    resource(value) {
+        const ptr = this.__destroy_into_raw();
+        const ptr0 = passStringToWasm0(value, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ret = wasm.aadbuilder_resource(ptr, ptr0, len0);
+        return AadBuilder.__wrap(ret);
+    }
+    /**
+     * Sets the tenant identifier.
+     *
+     * # Arguments
+     *
+     * * `value` - Tenant identifier (1-256 bytes, no NUL bytes)
+     *
+     * # Returns
+     *
+     * A new builder with the tenant set.
+     * @param {string} value
+     * @returns {AadBuilder}
+     */
+    tenant(value) {
+        const ptr = this.__destroy_into_raw();
+        const ptr0 = passStringToWasm0(value, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ret = wasm.aadbuilder_tenant(ptr, ptr0, len0);
+        return AadBuilder.__wrap(ret);
+    }
+    /**
+     * Sets the timestamp.
+     *
+     * # Arguments
+     *
+     * * `ts` - Unix timestamp (0 to 2^53-1)
+     *
+     * # Returns
+     *
+     * A new builder with the timestamp set.
+     * @param {number} ts
+     * @returns {AadBuilder}
+     */
+    timestamp(ts) {
+        const ptr = this.__destroy_into_raw();
+        const ret = wasm.aadbuilder_timestamp(ptr, ts);
+        return AadBuilder.__wrap(ret);
+    }
+}
+if (Symbol.dispose) AadBuilder.prototype[Symbol.dispose] = AadBuilder.prototype.free;
+
+/**
+ * Returns the maximum safe integer value (2^53 - 1).
+ *
+ * This is the maximum integer value that can be exactly represented in
+ * JavaScript's Number type.
+ * @returns {number}
+ */
+export function MAX_SAFE_INTEGER() {
+    const ret = wasm.MAX_SAFE_INTEGER();
+    return ret;
+}
+
+/**
+ * Returns the maximum serialized AAD size in bytes (16 KiB).
+ * @returns {number}
+ */
+export function MAX_SERIALIZED_BYTES() {
+    const ret = wasm.MAX_SERIALIZED_BYTES();
+    return ret >>> 0;
+}
+
+/**
+ * Returns the current AAD specification version.
+ *
+ * Currently always returns 1.
+ * @returns {number}
+ */
+export function SPEC_VERSION() {
+    const ret = wasm.SPEC_VERSION();
+    return ret >>> 0;
+}
+
+/**
+ * Parses and canonicalizes a JSON string to bytes.
+ *
+ * This function:
+ * 1. Parses the JSON with duplicate key detection
+ * 2. Validates all fields according to the AAD specification
+ * 3. Returns the canonical (JCS) representation as bytes
+ *
+ * # Arguments
+ *
+ * * `json` - A JSON string containing an AAD object
+ *
+ * # Returns
+ *
+ * A `Uint8Array` containing the UTF-8 encoded canonical JSON.
+ *
+ * # Errors
+ *
+ * Throws a JavaScript error if:
+ * - The JSON is invalid or contains duplicate keys
+ * - Any field violates AAD constraints
+ * - The serialized output exceeds 16 KiB
+ * @param {string} json
+ * @returns {Uint8Array}
+ */
+export function canonicalize(json) {
+    const ptr0 = passStringToWasm0(json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ret = wasm.canonicalize(ptr0, len0);
+    if (ret[3]) {
+        throw takeFromExternrefTable0(ret[2]);
+    }
+    var v2 = getArrayU8FromWasm0(ret[0], ret[1]).slice();
+    wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
+    return v2;
+}
+
+/**
+ * Parses and canonicalizes a JSON string to a UTF-8 string.
+ *
+ * This is equivalent to `canonicalize` but returns a string instead of bytes.
+ *
+ * # Arguments
+ *
+ * * `json` - A JSON string containing an AAD object
+ *
+ * # Returns
+ *
+ * The canonical (JCS) representation as a string.
+ *
+ * # Errors
+ *
+ * Throws a JavaScript error if:
+ * - The JSON is invalid or contains duplicate keys
+ * - Any field violates AAD constraints
+ * - The serialized output exceeds 16 KiB
+ * @param {string} json
+ * @returns {string}
+ */
+export function canonicalizeString(json) {
+    let deferred3_0;
+    let deferred3_1;
+    try {
+        const ptr0 = passStringToWasm0(json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+        const len0 = WASM_VECTOR_LEN;
+        const ret = wasm.canonicalizeString(ptr0, len0);
+        var ptr2 = ret[0];
+        var len2 = ret[1];
+        if (ret[3]) {
+            ptr2 = 0; len2 = 0;
+            throw takeFromExternrefTable0(ret[2]);
+        }
+        deferred3_0 = ptr2;
+        deferred3_1 = len2;
+        return getStringFromWasm0(ptr2, len2);
+    } finally {
+        wasm.__wbindgen_free(deferred3_0, deferred3_1, 1);
+    }
+}
+
+/**
+ * Computes the SHA-256 hash of the canonical JSON form.
+ *
+ * This function:
+ * 1. Parses and validates the JSON
+ * 2. Canonicalizes according to RFC 8785
+ * 3. Returns the SHA-256 hash of the canonical bytes
+ *
+ * # Arguments
+ *
+ * * `json` - A JSON string containing an AAD object
+ *
+ * # Returns
+ *
+ * A 32-byte `Uint8Array` containing the SHA-256 hash.
+ *
+ * # Errors
+ *
+ * Throws a JavaScript error if:
+ * - The JSON is invalid or contains duplicate keys
+ * - Any field violates AAD constraints
+ * - The serialized output exceeds 16 KiB
+ * @param {string} json
+ * @returns {Uint8Array}
+ */
+export function hash(json) {
+    const ptr0 = passStringToWasm0(json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ret = wasm.hash(ptr0, len0);
+    if (ret[3]) {
+        throw takeFromExternrefTable0(ret[2]);
+    }
+    var v2 = getArrayU8FromWasm0(ret[0], ret[1]).slice();
+    wasm.__wbindgen_free(ret[0], ret[1] * 1, 1);
+    return v2;
+}
+
+/**
+ * Validates a JSON string against the AAD specification.
+ *
+ * This function performs full validation without returning the context.
+ * Use this for quick validation checks.
+ *
+ * # Arguments
+ *
+ * * `json` - A JSON string to validate
+ *
+ * # Returns
+ *
+ * `true` if the JSON is valid AAD, `false` otherwise.
+ * @param {string} json
+ * @returns {boolean}
+ */
+export function validate(json) {
+    const ptr0 = passStringToWasm0(json, wasm.__wbindgen_malloc, wasm.__wbindgen_realloc);
+    const len0 = WASM_VECTOR_LEN;
+    const ret = wasm.validate(ptr0, len0);
+    return ret !== 0;
+}
+export function __wbg_Error_8c4e43fe74559d73(arg0, arg1) {
+    const ret = Error(getStringFromWasm0(arg0, arg1));
+    return ret;
+}
+export function __wbg___wbindgen_throw_be289d5034ed271b(arg0, arg1) {
+    throw new Error(getStringFromWasm0(arg0, arg1));
+}
+export function __wbindgen_init_externref_table() {
+    const table = wasm.__wbindgen_externrefs;
+    const offset = table.grow(4);
+    table.set(0, undefined);
+    table.set(offset + 0, undefined);
+    table.set(offset + 1, null);
+    table.set(offset + 2, true);
+    table.set(offset + 3, false);
+}
+const AadBuilderFinalization = (typeof FinalizationRegistry === 'undefined')
+    ? { register: () => {}, unregister: () => {} }
+    : new FinalizationRegistry(ptr => wasm.__wbg_aadbuilder_free(ptr >>> 0, 1));
+
+function getArrayU8FromWasm0(ptr, len) {
+    ptr = ptr >>> 0;
+    return getUint8ArrayMemory0().subarray(ptr / 1, ptr / 1 + len);
+}
+
+function getStringFromWasm0(ptr, len) {
+    ptr = ptr >>> 0;
+    return decodeText(ptr, len);
+}
+
+let cachedUint8ArrayMemory0 = null;
+function getUint8ArrayMemory0() {
+    if (cachedUint8ArrayMemory0 === null || cachedUint8ArrayMemory0.byteLength === 0) {
+        cachedUint8ArrayMemory0 = new Uint8Array(wasm.memory.buffer);
+    }
+    return cachedUint8ArrayMemory0;
+}
+
+function passStringToWasm0(arg, malloc, realloc) {
+    if (realloc === undefined) {
+        const buf = cachedTextEncoder.encode(arg);
+        const ptr = malloc(buf.length, 1) >>> 0;
+        getUint8ArrayMemory0().subarray(ptr, ptr + buf.length).set(buf);
+        WASM_VECTOR_LEN = buf.length;
+        return ptr;
+    }
+
+    let len = arg.length;
+    let ptr = malloc(len, 1) >>> 0;
+
+    const mem = getUint8ArrayMemory0();
+
+    let offset = 0;
+
+    for (; offset < len; offset++) {
+        const code = arg.charCodeAt(offset);
+        if (code > 0x7F) break;
+        mem[ptr + offset] = code;
+    }
+    if (offset !== len) {
+        if (offset !== 0) {
+            arg = arg.slice(offset);
+        }
+        ptr = realloc(ptr, len, len = offset + arg.length * 3, 1) >>> 0;
+        const view = getUint8ArrayMemory0().subarray(ptr + offset, ptr + len);
+        const ret = cachedTextEncoder.encodeInto(arg, view);
+
+        offset += ret.written;
+        ptr = realloc(ptr, len, offset, 1) >>> 0;
+    }
+
+    WASM_VECTOR_LEN = offset;
+    return ptr;
+}
+
+function takeFromExternrefTable0(idx) {
+    const value = wasm.__wbindgen_externrefs.get(idx);
+    wasm.__externref_table_dealloc(idx);
+    return value;
+}
+
+let cachedTextDecoder = new TextDecoder('utf-8', { ignoreBOM: true, fatal: true });
+cachedTextDecoder.decode();
+const MAX_SAFARI_DECODE_BYTES = 2146435072;
+let numBytesDecoded = 0;
+function decodeText(ptr, len) {
+    numBytesDecoded += len;
+    if (numBytesDecoded >= MAX_SAFARI_DECODE_BYTES) {
+        cachedTextDecoder = new TextDecoder('utf-8', { ignoreBOM: true, fatal: true });
+        cachedTextDecoder.decode();
+        numBytesDecoded = len;
+    }
+    return cachedTextDecoder.decode(getUint8ArrayMemory0().subarray(ptr, ptr + len));
+}
+
+const cachedTextEncoder = new TextEncoder();
+
+if (!('encodeInto' in cachedTextEncoder)) {
+    cachedTextEncoder.encodeInto = function (arg, view) {
+        const buf = cachedTextEncoder.encode(arg);
+        view.set(buf);
+        return {
+            read: arg.length,
+            written: buf.length
+        };
+    };
+}
+
+let WASM_VECTOR_LEN = 0;
+
+
+let wasm;
+export function __wbg_set_wasm(val) {
+    wasm = val;
+}

package/canaad_wasm_bg.wasm.d.ts

@@ -0,0 +1,26 @@
+/* tslint:disable */
+/* eslint-disable */
+export const memory: WebAssembly.Memory;
+export const MAX_SAFE_INTEGER: () => number;
+export const MAX_SERIALIZED_BYTES: () => number;
+export const SPEC_VERSION: () => number;
+export const __wbg_aadbuilder_free: (a: number, b: number) => void;
+export const aadbuilder_build: (a: number) => [number, number, number, number];
+export const aadbuilder_buildString: (a: number) => [number, number, number, number];
+export const aadbuilder_extensionInt: (a: number, b: number, c: number, d: number) => number;
+export const aadbuilder_extensionString: (a: number, b: number, c: number, d: number, e: number) => number;
+export const aadbuilder_new: () => number;
+export const aadbuilder_purpose: (a: number, b: number, c: number) => number;
+export const aadbuilder_resource: (a: number, b: number, c: number) => number;
+export const aadbuilder_tenant: (a: number, b: number, c: number) => number;
+export const aadbuilder_timestamp: (a: number, b: number) => number;
+export const canonicalize: (a: number, b: number) => [number, number, number, number];
+export const canonicalizeString: (a: number, b: number) => [number, number, number, number];
+export const hash: (a: number, b: number) => [number, number, number, number];
+export const validate: (a: number, b: number) => number;
+export const __wbindgen_externrefs: WebAssembly.Table;
+export const __externref_table_dealloc: (a: number) => void;
+export const __wbindgen_free: (a: number, b: number, c: number) => void;
+export const __wbindgen_malloc: (a: number, b: number) => number;
+export const __wbindgen_realloc: (a: number, b: number, c: number, d: number) => number;
+export const __wbindgen_start: () => void;

package/meta.d.ts

@@ -0,0 +1,19 @@
+import { z } from 'zod';
+
+export declare const inputSchema: z.ZodType;
+export declare const outputSchema: z.ZodType;
+
+export type CanaadInput = z.infer<typeof inputSchema>;
+export type CanaadOutput = z.infer<typeof outputSchema>;
+
+export declare const meta: {
+  id: string;
+  name: string;
+  slug: string;
+  description: string;
+  category: string;
+  executionType: string;
+  positionalArgs: { order: string[]; required: number };
+  inputSchema: typeof inputSchema;
+  outputSchema: typeof outputSchema;
+};

package/meta.js

@@ -0,0 +1,51 @@
+import { z } from 'zod';
+
+const extensionSchema = z.object({
+  key: z.string().regex(/^x_[a-z]+_[a-z_]+$/),
+  value: z.union([z.string(), z.number().int().nonnegative()]),
+});
+
+export const inputSchema = z.discriminatedUnion('action', [
+  z.object({
+    action: z.literal('canonicalize'),
+    input: z.string(),
+    outputFormat: z.enum(['bytes', 'string']).default('string'),
+  }),
+  z.object({
+    action: z.literal('validate'),
+    input: z.string(),
+  }),
+  z.object({
+    action: z.literal('hash'),
+    input: z.string(),
+    outputFormat: z.enum(['hex', 'base64']).default('hex'),
+  }),
+  z.object({
+    action: z.literal('build'),
+    tenant: z.string().min(1).max(256),
+    resource: z.string().min(1).max(1024),
+    purpose: z.string().min(1),
+    timestamp: z.number().int().nonnegative().optional(),
+    extensions: z.array(extensionSchema).optional(),
+    outputFormat: z.enum(['bytes', 'string']).default('string'),
+  }),
+]);
+
+export const outputSchema = z.discriminatedUnion('action', [
+  z.object({ action: z.literal('canonicalize'), output: z.union([z.string(), z.array(z.number())]), outputFormat: z.enum(['bytes', 'string']) }),
+  z.object({ action: z.literal('validate'), valid: z.boolean() }),
+  z.object({ action: z.literal('hash'), hash: z.string(), outputFormat: z.enum(['hex', 'base64']) }),
+  z.object({ action: z.literal('build'), output: z.union([z.string(), z.array(z.number())]), outputFormat: z.enum(['bytes', 'string']) }),
+]);
+
+export const meta = {
+  id: 'canaad',
+  name: 'canaad',
+  slug: 'canaad',
+  description: 'canonicalize JSON for AAD (Additional Authenticated Data) per RFC 8785',
+  category: 'crypto',
+  executionType: 'client',
+  positionalArgs: { order: ['action', 'input'], required: 1 },
+  inputSchema,
+  outputSchema,
+};

package/package.json

@@ -1,20 +1,30 @@
 {
   "name": "@gnufoo/canaad",
-  "description": "WASM bindings for AAD canonicalization per RFC 8785",
-  "version": "0.1.0",
-  "license": "MIT OR Apache-2.0",
-  "files": [
-    "canaad_wasm_bg.wasm",
-    "canaad_wasm.js",
-    "canaad_wasm.d.ts"
-  ],
+  "version": "0.1.2",
+  "type": "module",
   "main": "canaad_wasm.js",
   "types": "canaad_wasm.d.ts",
+  "exports": {
+    ".": "./canaad_wasm.js",
+    "./meta": "./meta.js",
+    "./tool": "./tool.js"
+  },
+  "dependencies": {
+    "zod": "^3.24.0"
+  },
+  "files": [
+    "*.js",
+    "*.d.ts",
+    "*.wasm"
+  ],
   "keywords": [
     "aead",
     "aad",
     "canonicalization",
     "jcs",
-    "rfc8785"
-  ]
-}
+    "rfc8785",
+    "wasm"
+  ],
+  "license": "MIT OR Apache-2.0",
+  "description": "AAD canonicalization library (RFC 8785)"
+}

package/tool.d.ts

@@ -0,0 +1,5 @@
+import { meta, CanaadInput, CanaadOutput } from './meta.js';
+
+export declare const toolDefinition: typeof meta & {
+  execute(input: CanaadInput): Promise<CanaadOutput>;
+};

package/tool.js

@@ -0,0 +1,44 @@
+import { meta, inputSchema } from './meta.js';
+import init, { canonicalize, canonicalize_string, hash, validate, AadBuilder } from './canaad_wasm.js';
+
+let ready = false;
+async function ensureReady() {
+  if (!ready) { await init(); ready = true; }
+}
+
+const bytesToHex = (bytes) => Array.from(bytes).map(b => b.toString(16).padStart(2, '0')).join('');
+const bytesToBase64 = (bytes) => btoa(String.fromCharCode(...bytes));
+
+export const toolDefinition = {
+  ...meta,
+  async execute(rawInput) {
+    await ensureReady();
+    const input = inputSchema.parse(rawInput);
+
+    switch (input.action) {
+      case 'canonicalize': {
+        if (input.outputFormat === 'bytes') {
+          return { action: 'canonicalize', output: Array.from(canonicalize(input.input)), outputFormat: 'bytes' };
+        }
+        return { action: 'canonicalize', output: canonicalize_string(input.input), outputFormat: 'string' };
+      }
+      case 'validate':
+        return { action: 'validate', valid: validate(input.input) };
+      case 'hash': {
+        const h = hash(input.input);
+        return { action: 'hash', hash: input.outputFormat === 'base64' ? bytesToBase64(h) : bytesToHex(h), outputFormat: input.outputFormat };
+      }
+      case 'build': {
+        let b = new AadBuilder().tenant(input.tenant).resource(input.resource).purpose(input.purpose);
+        if (input.timestamp !== undefined) b = b.timestamp(input.timestamp);
+        for (const ext of input.extensions || []) {
+          b = typeof ext.value === 'string' ? b.extension_string(ext.key, ext.value) : b.extension_int(ext.key, ext.value);
+        }
+        if (input.outputFormat === 'bytes') {
+          return { action: 'build', output: Array.from(b.build()), outputFormat: 'bytes' };
+        }
+        return { action: 'build', output: b.build_string(), outputFormat: 'string' };
+      }
+    }
+  },
+};