@groundnuty/macf-core 0.2.0-rc.0

package/dist/certs/ca.js

@@ -0,0 +1,306 @@
+import { createCipheriv, createDecipheriv, randomBytes, pbkdf2Sync, } from 'node:crypto';
+import { readFileSync, writeFileSync, mkdirSync, chmodSync, existsSync } from 'node:fs';
+import { dirname } from 'node:path';
+import { x509, webcrypto, RSA_ALGORITHM, CA_CERT_VALIDITY_YEARS, } from './crypto-provider.js';
+import { toVariableSegment } from '../registry/variable-name.js';
+import { MacfError } from '../errors.js';
+export class CaError extends MacfError {
+    constructor(message) {
+        super('CA_ERROR', message);
+        this.name = 'CaError';
+    }
+}
+// Tight perms on the leaf so the CA private key's parent dir isn't
+// world-traversable even when this path is hit outside `certs init`
+// (e.g. recoverCAKey in a fresh env). mkdirSync's `mode` is ANDed
+// with the process umask, so follow up with chmodSync to guarantee
+// 0o700 regardless of umask. Intermediate dirs keep umask defaults —
+// they're usually ~/.macf/ or similar and not key-adjacent. (#107)
+function ensureDir(filePath) {
+    const dir = dirname(filePath);
+    if (!existsSync(dir)) {
+        mkdirSync(dir, { recursive: true, mode: 0o700 });
+    }
+    chmodSync(dir, 0o700);
+}
+function exportKeyToPem(exported) {
+    const b64 = Buffer.from(exported).toString('base64');
+    const lines = b64.match(/.{1,64}/g) ?? [];
+    return `-----BEGIN PRIVATE KEY-----\n${lines.join('\n')}\n-----END PRIVATE KEY-----\n`;
+}
+/**
+ * Create a new CA certificate and key pair.
+ * Saves to disk and optionally uploads cert to registry.
+ */
+export async function createCA(config) {
+    const { project, certPath, keyPath, client } = config;
+    const keys = await webcrypto.subtle.generateKey(RSA_ALGORITHM, true, ['sign', 'verify']);
+    const notBefore = new Date();
+    const notAfter = new Date();
+    notAfter.setFullYear(notAfter.getFullYear() + CA_CERT_VALIDITY_YEARS);
+    const cert = await x509.X509CertificateGenerator.createSelfSigned({
+        serialNumber: randomBytes(8).toString('hex'),
+        name: `CN=${project}-ca`,
+        notBefore,
+        notAfter,
+        signingAlgorithm: RSA_ALGORITHM,
+        keys,
+        extensions: [
+            new x509.BasicConstraintsExtension(true, 2, true),
+            new x509.KeyUsagesExtension(x509.KeyUsageFlags.keyCertSign | x509.KeyUsageFlags.cRLSign, true),
+        ],
+    });
+    const certPem = cert.toString('pem');
+    const exported = await webcrypto.subtle.exportKey('pkcs8', keys.privateKey);
+    const keyPem = exportKeyToPem(exported);
+    // Save to disk
+    ensureDir(certPath);
+    writeFileSync(certPath, certPem, { mode: 0o644 });
+    ensureDir(keyPath);
+    writeFileSync(keyPath, keyPem, { mode: 0o600 });
+    // Upload CA cert to registry (plaintext PEM)
+    if (client) {
+        await client.writeVariable(`${toVariableSegment(project)}_CA_CERT`, certPem);
+    }
+    return { certPem, keyPem };
+}
+/**
+ * Backup CA key to registry, encrypted with AES-256-CBC + PBKDF2.
+ * Format is interoperable with openssl enc -aes-256-cbc -pbkdf2.
+ */
+export async function backupCAKey(config) {
+    const encrypted = encryptCAKey(config.keyPem, config.passphrase);
+    const varName = `${toVariableSegment(config.project)}_CA_KEY_ENCRYPTED`;
+    await config.client.writeVariable(varName, encrypted);
+}
+/**
+ * Recover CA key from registry.
+ */
+export async function recoverCAKey(config) {
+    const varName = `${toVariableSegment(config.project)}_CA_KEY_ENCRYPTED`;
+    const encrypted = await config.client.readVariable(varName);
+    if (encrypted === null) {
+        throw new CaError('No encrypted CA key found in registry');
+    }
+    const keyPem = decryptCAKey(encrypted, config.passphrase);
+    ensureDir(config.keyPath);
+    writeFileSync(config.keyPath, keyPem, { mode: 0o600 });
+    return keyPem;
+}
+// DR-011 rev2 constants. `iter` lives in the v2 envelope so future
+// bumps (e.g. 600k → 1.2M) are iter-only changes without a v-bump.
+// v-bumps are reserved for actual wire-format changes (envelope shape,
+// algorithm swap). See design/decisions/DR-011-ca-key-backup.md.
+export const WIRE_FORMAT_VERSION = 2;
+export const V2_PBKDF2_ITERS = 600000;
+export const V1_PBKDF2_ITERS = 10000;
+// Upper bound on the envelope `iter` field. Without a cap, an
+// attacker with registry-write access could store `{"v":2,"iter":
+// 2147483647, ...}` and block the Node.js main thread on the next
+// decryptCAKey (CPU-DoS via pbkdf2Sync). 10M is already ~16× the
+// current 600k policy and well above any plausible future bump —
+// any registry-stored value above this is treated as malformed.
+// See ultrareview finding C1.
+const MAX_ENVELOPE_ITER = 10_000_000;
+/**
+ * Parse an on-wire value as a v2 JSON envelope, or return null for
+ * anything else. Disambiguation is safe by construction: a raw base64
+ * `Salted__` blob never starts with `{` (base64 alphabet excludes it),
+ * so only v2 envelopes parse as JSON objects with the `v` field.
+ */
+function parseV2Envelope(value) {
+    // Fast-path: base64 output never starts with `{`, so a non-`{` first
+    // char is immediately v1. Skip JSON.parse for the common case.
+    if (!value.trimStart().startsWith('{'))
+        return null;
+    let parsed;
+    try {
+        parsed = JSON.parse(value);
+    }
+    catch {
+        return null;
+    }
+    if (typeof parsed !== 'object' || parsed === null)
+        return null;
+    const rec = parsed;
+    if (rec['v'] !== 2)
+        return null;
+    if (typeof rec['iter'] !== 'number' || rec['iter'] < 1)
+        return null;
+    if (rec['iter'] > MAX_ENVELOPE_ITER)
+        return null;
+    if (typeof rec['payload'] !== 'string' || rec['payload'].length === 0)
+        return null;
+    return { v: 2, iter: rec['iter'], payload: rec['payload'] };
+}
+/**
+ * Decrypt a raw `Salted__` OpenSSL-compatible blob at a given iter
+ * count. Shared by v1 and v2 paths after envelope is unwrapped.
+ * Throws CaError on bad shape, padding failure, or non-PEM output.
+ */
+function decryptSaltedBlob(payloadBase64, passphrase, iters) {
+    const data = Buffer.from(payloadBase64, 'base64');
+    const magic = data.subarray(0, 8).toString('utf-8');
+    if (magic !== 'Salted__') {
+        throw new CaError('Invalid encrypted CA key format (missing Salted__ header)');
+    }
+    const salt = data.subarray(8, 16);
+    const ciphertext = data.subarray(16);
+    const keyIv = pbkdf2Sync(passphrase, salt, iters, 48, 'sha256');
+    const key = keyIv.subarray(0, 32);
+    const iv = keyIv.subarray(32, 48);
+    const decipher = createDecipheriv('aes-256-cbc', key, iv);
+    let decryptedBuf;
+    try {
+        decryptedBuf = Buffer.concat([
+            decipher.update(ciphertext),
+            decipher.final(),
+        ]);
+    }
+    catch {
+        // AES-CBC padding failure — most wrong-passphrase attempts hit
+        // this path. Generic error so callers can re-prompt.
+        throw new CaError('Decryption failed (wrong passphrase or corrupted ciphertext)');
+    }
+    const decrypted = decryptedBuf.toString('utf-8');
+    if (!isLikelyPemPrivateKey(decrypted)) {
+        // Passphrase happened to produce valid PKCS7 padding by chance but
+        // the plaintext is random garbage. See #94.
+        throw new CaError('Decryption failed (wrong passphrase or corrupted ciphertext)');
+    }
+    return decrypted;
+}
+/**
+ * Encrypt CA key using AES-256-CBC + PBKDF2-SHA256 at 600k iters
+ * (DR-011 rev2, OWASP 2023 alignment). Output is a versioned JSON
+ * envelope wrapping the OpenSSL-compatible `Salted__` blob:
+ *
+ *   {"v": 2, "iter": 600000, "payload": "<base64 Salted__ ...>"}
+ *
+ * Manual recovery with openssl CLI (see DR-011-rev2 for full doc):
+ *   gh api ... --jq '.value' | jq -r .payload | base64 -d | \
+ *     openssl enc -aes-256-cbc -pbkdf2 -md sha256 -iter 600000 -d -out ca-key.pem
+ */
+export function encryptCAKey(keyPem, passphrase) {
+    const salt = randomBytes(8);
+    const keyIv = pbkdf2Sync(passphrase, salt, V2_PBKDF2_ITERS, 48, 'sha256');
+    const key = keyIv.subarray(0, 32);
+    const iv = keyIv.subarray(32, 48);
+    const cipher = createCipheriv('aes-256-cbc', key, iv);
+    const encrypted = Buffer.concat([
+        cipher.update(keyPem, 'utf-8'),
+        cipher.final(),
+    ]);
+    // OpenSSL format: "Salted__" + 8-byte salt + ciphertext
+    const payload = Buffer.concat([
+        Buffer.from('Salted__'),
+        salt,
+        encrypted,
+    ]).toString('base64');
+    const envelope = {
+        v: WIRE_FORMAT_VERSION,
+        iter: V2_PBKDF2_ITERS,
+        payload,
+    };
+    return JSON.stringify(envelope);
+}
+/**
+ * Decrypt a CA key from the on-wire registry value. Dispatches by
+ * wire format:
+ *
+ * - **v2 (JSON envelope, DR-011 rev2+):** parses `{v, iter, payload}`,
+ *   decrypts `payload` at the envelope's iter count.
+ * - **v1 (raw base64 `Salted__` blob, legacy pre-2026-04-16):** treats
+ *   the value as a raw base64 blob and decrypts at iter=10000 (the
+ *   OpenSSL 3.0/3.1 default at the time the blob was written).
+ *
+ * Both paths share the same PEM-shape check (#94) after AES decryption
+ * to catch wrong-passphrase attempts that produce valid PKCS7 padding
+ * by chance (~6% of wrong passphrases).
+ *
+ * Disambiguation is safe by construction — base64 output never starts
+ * with `{`, so only v2 JSON envelopes hit the JSON path. See DR-011
+ * rev2 \"Wire Format\" section for the full spec.
+ *
+ * Throws CaError on:
+ *   - malformed v2 envelope (missing/invalid v/iter/payload fields)
+ *   - missing `Salted__` header inside the payload
+ *   - PKCS7 padding failure (wrong passphrase, ~94% of the time)
+ *   - decrypted content doesn't look like a PEM private key (wrong
+ *     passphrase that happened to produce valid PKCS7 padding)
+ */
+export function decryptCAKey(encryptedValue, passphrase) {
+    // If the value looks like JSON (starts with `{`), the caller intends
+    // v2. Validate strictly and throw on malformed envelope rather than
+    // fall through to v1 — otherwise a typoed envelope would produce a
+    // confusing "missing Salted__" error that doesn't point at the real
+    // problem.
+    if (encryptedValue.trimStart().startsWith('{')) {
+        const envelope = parseV2Envelope(encryptedValue);
+        if (!envelope) {
+            throw new CaError('Invalid v2 CA key envelope (expected {"v":2, "iter":<number>, "payload":"<base64>"})');
+        }
+        return decryptSaltedBlob(envelope.payload, passphrase, envelope.iter);
+    }
+    // v1 legacy path — raw base64 Salted__ blob, implicit iter=10000.
+    return decryptSaltedBlob(encryptedValue, passphrase, V1_PBKDF2_ITERS);
+}
+/**
+ * Hand-construct a v1-shaped CA key backup (legacy wire format) at
+ * 10000 iters. Exported for `test/certs/wire-format-compat.test.ts`
+ * regression guard and for any future tooling that needs to produce
+ * legacy-shaped backups (none expected). NOT used by `encryptCAKey`
+ * itself — `encryptCAKey` always writes v2. (#115)
+ */
+export function encryptCAKeyV1Legacy(keyPem, passphrase) {
+    const salt = randomBytes(8);
+    const keyIv = pbkdf2Sync(passphrase, salt, V1_PBKDF2_ITERS, 48, 'sha256');
+    const key = keyIv.subarray(0, 32);
+    const iv = keyIv.subarray(32, 48);
+    const cipher = createCipheriv('aes-256-cbc', key, iv);
+    const encrypted = Buffer.concat([
+        cipher.update(keyPem, 'utf-8'),
+        cipher.final(),
+    ]);
+    return Buffer.concat([
+        Buffer.from('Salted__'),
+        salt,
+        encrypted,
+    ]).toString('base64');
+}
+/**
+ * Cheap semantic check: does this look like a PEM-encoded private key?
+ * Exported for unit tests. Doesn't validate DER content — only the
+ * PEM envelope.
+ *
+ * Random bytes faking BOTH the 28-char BEGIN and 26-char END markers
+ * simultaneously is ~2^-432 per decrypted buffer — effectively
+ * impossible. No minimum body length is needed; the markers alone are
+ * the distinguisher.
+ */
+export function isLikelyPemPrivateKey(text) {
+    // PKCS#8 ("-----BEGIN PRIVATE KEY-----") or legacy RSA/EC variants.
+    const beginIdx = text.search(/-----BEGIN [A-Z ]*PRIVATE KEY-----/);
+    if (beginIdx < 0)
+        return false;
+    const endIdx = text.search(/-----END [A-Z ]*PRIVATE KEY-----/);
+    if (endIdx <= beginIdx)
+        return false;
+    return true;
+}
+/**
+ * Load CA cert and key from disk.
+ */
+export function loadCA(certPath, keyPath) {
+    if (!existsSync(certPath)) {
+        throw new CaError(`CA certificate not found: ${certPath}`);
+    }
+    if (!existsSync(keyPath)) {
+        throw new CaError(`CA key not found: ${keyPath}`);
+    }
+    return {
+        certPem: readFileSync(certPath, 'utf-8'),
+        keyPem: readFileSync(keyPath, 'utf-8'),
+    };
+}
+//# sourceMappingURL=ca.js.map

package/dist/certs/ca.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ca.js","sourceRoot":"","sources":["../../src/certs/ca.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,UAAU,GAC1D,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACxF,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EACL,IAAI,EAAE,SAAS,EAAE,aAAa,EAAE,sBAAsB,GACvD,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAEzC,MAAM,OAAO,OAAQ,SAAQ,SAAS;IACpC,YAAY,OAAe;QACzB,KAAK,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;QAC3B,IAAI,CAAC,IAAI,GAAG,SAAS,CAAC;IACxB,CAAC;CACF;AAOD,mEAAmE;AACnE,oEAAoE;AACpE,kEAAkE;AAClE,mEAAmE;AACnE,qEAAqE;AACrE,mEAAmE;AACnE,SAAS,SAAS,CAAC,QAAgB;IACjC,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;IAC9B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QACrB,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACnD,CAAC;IACD,SAAS,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;AACxB,CAAC;AAED,SAAS,cAAc,CAAC,QAAqB;IAC3C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACrD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;IAC1C,OAAO,gCAAgC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,+BAA+B,CAAC;AACzF,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,MAK9B;IACC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC;IAEtD,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,WAAW,CAC7C,aAAa,EACb,IAAI,EACJ,CAAC,MAAM,EAAE,QAAQ,CAAC,CACnB,CAAC;IAEF,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,QAAQ,GAAG,IAAI,IAAI,EAAE,CAAC;IAC5B,QAAQ,CAAC,WAAW,CAAC,QAAQ,CAAC,WAAW,EAAE,GAAG,sBAAsB,CAAC,CAAC;IAEtE,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,wBAAwB,CAAC,gBAAgB,CAAC;QAChE,YAAY,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;QAC5C,IAAI,EAAE,MAAM,OAAO,KAAK;QACxB,SAAS;QACT,QAAQ;QACR,gBAAgB,EAAE,aAAa;QAC/B,IAAI;QACJ,UAAU,EAAE;YACV,IAAI,IAAI,CAAC,yBAAyB,CAAC,IAAI,EAAE,CAAC,EAAE,IAAI,CAAC;YACjD,IAAI,IAAI,CAAC,kBAAkB,CACzB,IAAI,CAAC,aAAa,CAAC,WAAW,GAAG,IAAI,CAAC,aAAa,CAAC,OAAO,EAC3D,IAAI,CACL;SACF;KACF,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;IAC5E,MAAM,MAAM,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;IAExC,eAAe;IACf,SAAS,CAAC,QAAQ,CAAC,CAAC;IACpB,aAAa,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAClD,SAAS,CAAC,OAAO,CAAC,CAAC;IACnB,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAEhD,6CAA6C;IAC7C,IAAI,MAAM,EAAE,CAAC;QACX,MAAM,MAAM,CAAC,aAAa,CAAC,GAAG,iBAAiB,CAAC,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAC/E,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC;AAC7B,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,MAKjC;IACC,MAAM,SAAS,GAAG,YAAY,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;IACjE,MAAM,OAAO,GAAG,GAAG,iBAAiB,CAAC,MAAM,CAAC,OAAO,CAAC,mBAAmB,CAAC;IACxE,MAAM,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,OAAO,EAAE,SAAS,CAAC,CAAC;AACxD,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,MAKlC;IACC,MAAM,OAAO,GAAG,GAAG,iBAAiB,CAAC,MAAM,CAAC,OAAO,CAAC,mBAAmB,CAAC;IACxE,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;IAC5D,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;QACvB,MAAM,IAAI,OAAO,CAAC,uCAAuC,CAAC,CAAC;IAC7D,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,SAAS,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;IAE1D,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC1B,aAAa,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IAEvD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,mEAAmE;AACnE,mEAAmE;AACnE,uEAAuE;AACvE,iEAAiE;AACjE,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,CAAC;AACrC,MAAM,CAAC,MAAM,eAAe,GAAG,MAAM,CAAC;AACtC,MAAM,CAAC,MAAM,eAAe,GAAG,KAAK,CAAC;AACrC,8DAA8D;AAC9D,kEAAkE;AAClE,kEAAkE;AAClE,iEAAiE;AACjE,iEAAiE;AACjE,gEAAgE;AAChE,8BAA8B;AAC9B,MAAM,iBAAiB,GAAG,UAAU,CAAC;AAQrC;;;;;GAKG;AACH,SAAS,eAAe,CAAC,KAAa;IACpC,qEAAqE;IACrE,+DAA+D;IAC/D,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACpD,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;IACD,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAC/D,MAAM,GAAG,GAAG,MAAiC,CAAC;IAC9C,IAAI,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAChC,IAAI,OAAO,GAAG,CAAC,MAAM,CAAC,KAAK,QAAQ,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACpE,IAAI,GAAG,CAAC,MAAM,CAAC,GAAG,iBAAiB;QAAE,OAAO,IAAI,CAAC;IACjD,IAAI,OAAO,GAAG,CAAC,SAAS,CAAC,KAAK,QAAQ,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnF,OAAO,EAAE,CAAC,EAAE,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,EAAE,OAAO,EAAE,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;AAC9D,CAAC;AAED;;;;GAIG;AACH,SAAS,iBAAiB,CAAC,aAAqB,EAAE,UAAkB,EAAE,KAAa;IACjF,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC;IAElD,MAAM,KAAK,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACpD,IAAI,KAAK,KAAK,UAAU,EAAE,CAAC;QACzB,MAAM,IAAI,OAAO,CAAC,2DAA2D,CAAC,CAAC;IACjF,CAAC;IAED,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAClC,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IAErC,MAAM,KAAK,GAAG,UAAU,CAAC,UAAU,EAAE,IAAI,EAAE,KAAK,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;IAChE,MAAM,GAAG,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAClC,MAAM,EAAE,GAAG,KAAK,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IAElC,MAAM,QAAQ,GAAG,gBAAgB,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAC1D,IAAI,YAAoB,CAAC;IACzB,IAAI,CAAC;QACH,YAAY,GAAG,MAAM,CAAC,MAAM,CAAC;YAC3B,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC;YAC3B,QAAQ,CAAC,KAAK,EAAE;SACjB,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,+DAA+D;QAC/D,qDAAqD;QACrD,MAAM,IAAI,OAAO,CAAC,8DAA8D,CAAC,CAAC;IACpF,CAAC;IAED,MAAM,SAAS,GAAG,YAAY,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACjD,IAAI,CAAC,qBAAqB,CAAC,SAAS,CAAC,EAAE,CAAC;QACtC,mEAAmE;QACnE,4CAA4C;QAC5C,MAAM,IAAI,OAAO,CAAC,8DAA8D,CAAC,CAAC;IACpF,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,YAAY,CAAC,MAAc,EAAE,UAAkB;IAC7D,MAAM,IAAI,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;IAC5B,MAAM,KAAK,GAAG,UAAU,CAAC,UAAU,EAAE,IAAI,EAAE,eAAe,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;IAC1E,MAAM,GAAG,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAClC,MAAM,EAAE,GAAG,KAAK,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IAElC,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;QAC9B,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;QAC9B,MAAM,CAAC,KAAK,EAAE;KACf,CAAC,CAAC;IAEH,wDAAwD;IACxD,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC;QAC5B,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;QACvB,IAAI;QACJ,SAAS;KACV,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAEtB,MAAM,QAAQ,GAAe;QAC3B,CAAC,EAAE,mBAAwB;QAC3B,IAAI,EAAE,eAAe;QACrB,OAAO;KACR,CAAC;IACF,OAAO,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;AAClC,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,UAAU,YAAY,CAAC,cAAsB,EAAE,UAAkB;IACrE,qEAAqE;IACrE,oEAAoE;IACpE,mEAAmE;IACnE,oEAAoE;IACpE,WAAW;IACX,IAAI,cAAc,CAAC,SAAS,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,MAAM,QAAQ,GAAG,eAAe,CAAC,cAAc,CAAC,CAAC;QACjD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,OAAO,CACf,sFAAsF,CACvF,CAAC;QACJ,CAAC;QACD,OAAO,iBAAiB,CAAC,QAAQ,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC,IAAI,CAAC,CAAC;IACxE,CAAC;IACD,kEAAkE;IAClE,OAAO,iBAAiB,CAAC,cAAc,EAAE,UAAU,EAAE,eAAe,CAAC,CAAC;AACxE,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,oBAAoB,CAAC,MAAc,EAAE,UAAkB;IACrE,MAAM,IAAI,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC;IAC5B,MAAM,KAAK,GAAG,UAAU,CAAC,UAAU,EAAE,IAAI,EAAE,eAAe,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;IAC1E,MAAM,GAAG,GAAG,KAAK,CAAC,QAAQ,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAClC,MAAM,EAAE,GAAG,KAAK,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;IAElC,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC;QAC9B,MAAM,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;QAC9B,MAAM,CAAC,KAAK,EAAE;KACf,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC,MAAM,CAAC;QACnB,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC;QACvB,IAAI;QACJ,SAAS;KACV,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AACxB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAAY;IAChD,oEAAoE;IACpE,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,oCAAoC,CAAC,CAAC;IACnE,IAAI,QAAQ,GAAG,CAAC;QAAE,OAAO,KAAK,CAAC;IAC/B,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,kCAAkC,CAAC,CAAC;IAC/D,IAAI,MAAM,IAAI,QAAQ;QAAE,OAAO,KAAK,CAAC;IACrC,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,MAAM,CAAC,QAAgB,EAAE,OAAe;IACtD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC1B,MAAM,IAAI,OAAO,CAAC,6BAA6B,QAAQ,EAAE,CAAC,CAAC;IAC7D,CAAC;IACD,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACzB,MAAM,IAAI,OAAO,CAAC,qBAAqB,OAAO,EAAE,CAAC,CAAC;IACpD,CAAC;IAED,OAAO;QACL,OAAO,EAAE,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC;QACxC,MAAM,EAAE,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC;KACvC,CAAC;AACJ,CAAC"}

package/dist/certs/challenge-store.d.ts

@@ -0,0 +1,28 @@
+/** Challenge state tracked by the server for each outstanding flow. */
+export interface ChallengeRecord {
+    readonly challengeId: string;
+    readonly agentName: string;
+    readonly expectedValue: string;
+    readonly expiresAt: number;
+}
+/** Default TTL for a challenge (5 minutes). */
+export declare const DEFAULT_CHALLENGE_TTL_MS: number;
+/**
+ * Pluggable clock so tests can advance time deterministically. In
+ * production this is just `Date.now`.
+ */
+export type Clock = () => number;
+/**
+ * Create a new challenge store. Return a minimal API surface — the store
+ * is opaque to the caller except via these methods.
+ */
+export declare function createChallengeStore(options?: {
+    readonly ttlMs?: number;
+    readonly clock?: Clock;
+}): {
+    readonly issue: (agentName: string) => ChallengeRecord;
+    readonly consume: (challengeId: string, agentName: string, observedValue: string) => 'ok' | 'mismatch';
+    readonly size: () => number;
+};
+export type ChallengeStore = ReturnType<typeof createChallengeStore>;
+//# sourceMappingURL=challenge-store.d.ts.map

package/dist/certs/challenge-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"challenge-store.d.ts","sourceRoot":"","sources":["../../src/certs/challenge-store.ts"],"names":[],"mappings":"AAmBA,uEAAuE;AACvE,MAAM,WAAW,eAAe;IAC9B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,aAAa,EAAE,MAAM,CAAC;IAC/B,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;CAC5B;AAED,+CAA+C;AAC/C,eAAO,MAAM,wBAAwB,QAAgB,CAAC;AAEtD;;;GAGG;AACH,MAAM,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC;AAEjC;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,GAAE;IAC5C,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,KAAK,CAAC,EAAE,KAAK,CAAC;CACnB,GAAG;IACP,QAAQ,CAAC,KAAK,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,eAAe,CAAC;IACvD,QAAQ,CAAC,OAAO,EAAE,CAAC,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,KAAK,IAAI,GAAG,UAAU,CAAC;IACvG,QAAQ,CAAC,IAAI,EAAE,MAAM,MAAM,CAAC;CAC7B,CAwEA;AAED,MAAM,MAAM,cAAc,GAAG,UAAU,CAAC,OAAO,oBAAoB,CAAC,CAAC"}

package/dist/certs/challenge-store.js

@@ -0,0 +1,94 @@
+/**
+ * In-memory challenge store for the /sign endpoint's challenge-response
+ * protocol (DR-010).
+ *
+ * Each outstanding challenge keeps its agent_name, the expected value that
+ * the client is supposed to write to the registry, and an expiry timestamp.
+ * Expired entries are discarded lazily on each access (no background timer
+ * — the server process footprint stays constant regardless of how many
+ * abandoned flows accumulate).
+ *
+ * The store is process-local. If a cert-signing peer is replaced / restarted
+ * between step 1 and step 2 of a flow, the in-memory entry is lost and the
+ * client's step 2 fails — they must restart with a fresh step 1. This is
+ * acceptable: the window is short (5 min default), and losing in-flight
+ * state during a server restart is the standard trade-off for avoiding a
+ * persistent database. See `design/decisions/DR-010-cert-signing.md`.
+ */
+import { randomUUID, randomBytes, timingSafeEqual } from 'node:crypto';
+/** Default TTL for a challenge (5 minutes). */
+export const DEFAULT_CHALLENGE_TTL_MS = 5 * 60 * 1000;
+/**
+ * Create a new challenge store. Return a minimal API surface — the store
+ * is opaque to the caller except via these methods.
+ */
+export function createChallengeStore(options = {}) {
+    const ttlMs = options.ttlMs ?? DEFAULT_CHALLENGE_TTL_MS;
+    const now = options.clock ?? Date.now;
+    const map = new Map();
+    /** Drop expired entries. O(n); acceptable for our scale (outstanding flows dozen-ish at most). */
+    function sweep() {
+        const t = now();
+        for (const [id, rec] of map) {
+            if (rec.expiresAt <= t)
+                map.delete(id);
+        }
+    }
+    /** Issue a new challenge for `agentName`. */
+    function issue(agentName) {
+        sweep();
+        const challengeId = randomUUID();
+        // 32 bytes → base64url keeps the variable value printable + URL-safe
+        // (GitHub variables accept any UTF-8 but keeping it ASCII avoids edge
+        // cases around encoding). 43 chars after base64url with no padding.
+        const expectedValue = randomBytes(32).toString('base64url');
+        const rec = {
+            challengeId,
+            agentName,
+            expectedValue,
+            expiresAt: now() + ttlMs,
+        };
+        map.set(challengeId, rec);
+        return rec;
+    }
+    /**
+     * Consume a challenge: match challenge_id + agent_name + timing-safe value
+     * comparison. On both success AND mismatch, the in-memory entry is deleted
+     * to prevent replay. The caller is responsible for deleting the registry
+     * variable (so that the success-log-then-delete-variable sequence stays
+     * atomic in the server; keeping that outside the store avoids passing the
+     * GitHub client in here).
+     *
+     * Returns:
+     *   'ok'        — challenge matched, entry deleted (caller should sign)
+     *   'mismatch'  — anything wrong (not found / expired / wrong agent / wrong value)
+     *                 — do NOT leak which; caller returns generic error
+     */
+    function consume(challengeId, agentName, observedValue) {
+        sweep();
+        const rec = map.get(challengeId);
+        if (!rec)
+            return 'mismatch';
+        // Always delete on any observation to block replay, even on mismatch.
+        map.delete(challengeId);
+        if (rec.agentName !== agentName)
+            return 'mismatch';
+        // timingSafeEqual requires equal-length buffers. Different-length
+        // observed value is an obvious mismatch — short-circuit before the
+        // crypto call so we don't throw on the length mismatch.
+        const expected = Buffer.from(rec.expectedValue, 'utf-8');
+        const observed = Buffer.from(observedValue, 'utf-8');
+        if (expected.length !== observed.length)
+            return 'mismatch';
+        if (!timingSafeEqual(expected, observed))
+            return 'mismatch';
+        return 'ok';
+    }
+    /** For tests + observability. */
+    function size() {
+        sweep();
+        return map.size;
+    }
+    return { issue, consume, size };
+}
+//# sourceMappingURL=challenge-store.js.map

package/dist/certs/challenge-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"challenge-store.js","sourceRoot":"","sources":["../../src/certs/challenge-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAUvE,+CAA+C;AAC/C,MAAM,CAAC,MAAM,wBAAwB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAQtD;;;GAGG;AACH,MAAM,UAAU,oBAAoB,CAAC,UAGjC,EAAE;IAKJ,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,wBAAwB,CAAC;IACxD,MAAM,GAAG,GAAU,OAAO,CAAC,KAAK,IAAI,IAAI,CAAC,GAAG,CAAC;IAC7C,MAAM,GAAG,GAAG,IAAI,GAAG,EAA2B,CAAC;IAE/C,kGAAkG;IAClG,SAAS,KAAK;QACZ,MAAM,CAAC,GAAG,GAAG,EAAE,CAAC;QAChB,KAAK,MAAM,CAAC,EAAE,EAAE,GAAG,CAAC,IAAI,GAAG,EAAE,CAAC;YAC5B,IAAI,GAAG,CAAC,SAAS,IAAI,CAAC;gBAAE,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;IAED,6CAA6C;IAC7C,SAAS,KAAK,CAAC,SAAiB;QAC9B,KAAK,EAAE,CAAC;QACR,MAAM,WAAW,GAAG,UAAU,EAAE,CAAC;QACjC,qEAAqE;QACrE,sEAAsE;QACtE,oEAAoE;QACpE,MAAM,aAAa,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;QAC5D,MAAM,GAAG,GAAoB;YAC3B,WAAW;YACX,SAAS;YACT,aAAa;YACb,SAAS,EAAE,GAAG,EAAE,GAAG,KAAK;SACzB,CAAC;QACF,GAAG,CAAC,GAAG,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;QAC1B,OAAO,GAAG,CAAC;IACb,CAAC;IAED;;;;;;;;;;;;OAYG;IACH,SAAS,OAAO,CACd,WAAmB,EACnB,SAAiB,EACjB,aAAqB;QAErB,KAAK,EAAE,CAAC;QACR,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;QACjC,IAAI,CAAC,GAAG;YAAE,OAAO,UAAU,CAAC;QAC5B,sEAAsE;QACtE,GAAG,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;QACxB,IAAI,GAAG,CAAC,SAAS,KAAK,SAAS;YAAE,OAAO,UAAU,CAAC;QACnD,kEAAkE;QAClE,mEAAmE;QACnE,wDAAwD;QACxD,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QACzD,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QACrD,IAAI,QAAQ,CAAC,MAAM,KAAK,QAAQ,CAAC,MAAM;YAAE,OAAO,UAAU,CAAC;QAC3D,IAAI,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,CAAC;YAAE,OAAO,UAAU,CAAC;QAC5D,OAAO,IAAI,CAAC;IACd,CAAC;IAED,iCAAiC;IACjC,SAAS,IAAI;QACX,KAAK,EAAE,CAAC;QACR,OAAO,GAAG,CAAC,IAAI,CAAC;IAClB,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AAClC,CAAC"}

package/dist/certs/challenge.d.ts

@@ -0,0 +1,70 @@
+/**
+ * Challenge-response for /sign per DR-010 (security fix — issue #80).
+ *
+ * Protocol (corrected per science-agent's implementation guidance):
+ *
+ *   Step 1 (server):  createChallenge(store, agentName)
+ *                        — allocate (challenge_id, expected_value) in the
+ *                          server's in-memory store
+ *                        — return id + instruction to the client
+ *                        — **do NOT write** the registry variable; that's
+ *                          the client's job, and their doing so is the
+ *                          actual proof-of-GitHub-write-access
+ *
+ *   Client:            writes MACF_CHALLENGE_<agent> = <expected_value>
+ *                        in the registry, using ITS OWN github token
+ *
+ *   Step 2 (server):  verifyAndConsumeChallenge(store, client, challenge_id,
+ *                                                agent_name)
+ *                        — look up challenge_id in store (reject if absent,
+ *                          expired, or agent_name doesn't match)
+ *                        — read MACF_CHALLENGE_<agent> from the registry
+ *                        — timing-safe compare observed vs expected
+ *                        — delete the registry variable + in-memory entry
+ *                          on ANY outcome (success or failure) to prevent
+ *                          replay
+ *                        — return 'ok' / 'mismatch' — caller returns a
+ *                          GENERIC error ('challenge verification failed')
+ *                          for all failure modes to avoid oracle attacks
+ *
+ * The previous implementation (pre-#80) had the SERVER write the variable
+ * in step 1, then read what it itself wrote in step 6 — no comparison,
+ * no client-side proof of GitHub write access. Any mTLS cert holder could
+ * obtain a cert for arbitrary agent_name. This module is the fix.
+ */
+import type { GitHubVariablesClient } from '../registry/types.js';
+import { MacfError } from '../errors.js';
+import type { ChallengeStore } from './challenge-store.js';
+export declare class ChallengeError extends MacfError {
+    constructor(message: string);
+}
+/** Registry variable name for an agent's current challenge. */
+export declare function challengeVarName(project: string, agentName: string): string;
+/**
+ * Allocate a challenge and return the client-facing (id + instruction).
+ * Does NOT write the registry variable — the client does that in the next
+ * round-trip, proving GitHub write access at the registry scope.
+ */
+export declare function createChallenge(config: {
+    readonly project: string;
+    readonly agentName: string;
+    readonly store: ChallengeStore;
+}): {
+    readonly challengeId: string;
+    readonly instruction: string;
+};
+/**
+ * Verify a step-2 request. Caller passes the client-supplied challenge_id
+ * and agent_name. We read the registry variable, delete it regardless of
+ * outcome (prevents replay), consume the in-memory entry, and return
+ * 'ok' / 'mismatch' — the caller surfaces a generic error on mismatch to
+ * avoid telling the attacker WHICH check failed.
+ */
+export declare function verifyAndConsumeChallenge(config: {
+    readonly project: string;
+    readonly agentName: string;
+    readonly challengeId: string;
+    readonly store: ChallengeStore;
+    readonly client: GitHubVariablesClient;
+}): Promise<'ok' | 'mismatch'>;
+//# sourceMappingURL=challenge.d.ts.map

package/dist/certs/challenge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"challenge.d.ts","sourceRoot":"","sources":["../../src/certs/challenge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAElE,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AACzC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE3D,qBAAa,cAAe,SAAQ,SAAS;gBAC/B,OAAO,EAAE,MAAM;CAI5B;AAED,+DAA+D;AAC/D,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CAE3E;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE;IACtC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,KAAK,EAAE,cAAc,CAAC;CAChC,GAAG;IAAE,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAAC,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;CAAE,CASjE;AAED;;;;;;GAMG;AACH,wBAAsB,yBAAyB,CAAC,MAAM,EAAE;IACtD,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,KAAK,EAAE,cAAc,CAAC;IAC/B,QAAQ,CAAC,MAAM,EAAE,qBAAqB,CAAC;CACxC,GAAG,OAAO,CAAC,IAAI,GAAG,UAAU,CAAC,CAsB7B"}

package/dist/certs/challenge.js

@@ -0,0 +1,54 @@
+import { toVariableSegment } from '../registry/variable-name.js';
+import { MacfError } from '../errors.js';
+export class ChallengeError extends MacfError {
+    constructor(message) {
+        super('CHALLENGE_ERROR', message);
+        this.name = 'ChallengeError';
+    }
+}
+/** Registry variable name for an agent's current challenge. */
+export function challengeVarName(project, agentName) {
+    return `${toVariableSegment(project)}_CHALLENGE_${toVariableSegment(agentName)}`;
+}
+/**
+ * Allocate a challenge and return the client-facing (id + instruction).
+ * Does NOT write the registry variable — the client does that in the next
+ * round-trip, proving GitHub write access at the registry scope.
+ */
+export function createChallenge(config) {
+    const rec = config.store.issue(config.agentName);
+    const varName = challengeVarName(config.project, config.agentName);
+    return {
+        challengeId: rec.challengeId,
+        instruction: `Write registry variable ${varName} = '${rec.expectedValue}'. ` +
+            `Then POST /sign again with { challenge_done: true, challenge_id: '${rec.challengeId}' }.`,
+    };
+}
+/**
+ * Verify a step-2 request. Caller passes the client-supplied challenge_id
+ * and agent_name. We read the registry variable, delete it regardless of
+ * outcome (prevents replay), consume the in-memory entry, and return
+ * 'ok' / 'mismatch' — the caller surfaces a generic error on mismatch to
+ * avoid telling the attacker WHICH check failed.
+ */
+export async function verifyAndConsumeChallenge(config) {
+    const varName = challengeVarName(config.project, config.agentName);
+    const observedValue = await config.client.readVariable(varName);
+    // Delete the registry variable unconditionally (best-effort). Intentional:
+    // mismatch attempts don't leave a re-usable variable behind; attackers get
+    // one shot per outstanding challenge.
+    try {
+        await config.client.deleteVariable(varName);
+    }
+    catch {
+        // Ignore; consuming the in-memory entry below still blocks replay
+        // server-side, which is the security-critical half.
+    }
+    if (observedValue === null) {
+        // Still consume the in-memory entry (replay-block).
+        config.store.consume(config.challengeId, config.agentName, '');
+        return 'mismatch';
+    }
+    return config.store.consume(config.challengeId, config.agentName, observedValue);
+}
+//# sourceMappingURL=challenge.js.map

package/dist/certs/challenge.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"challenge.js","sourceRoot":"","sources":["../../src/certs/challenge.ts"],"names":[],"mappings":"AAmCA,OAAO,EAAE,iBAAiB,EAAE,MAAM,8BAA8B,CAAC;AACjE,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAGzC,MAAM,OAAO,cAAe,SAAQ,SAAS;IAC3C,YAAY,OAAe;QACzB,KAAK,CAAC,iBAAiB,EAAE,OAAO,CAAC,CAAC;QAClC,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF;AAED,+DAA+D;AAC/D,MAAM,UAAU,gBAAgB,CAAC,OAAe,EAAE,SAAiB;IACjE,OAAO,GAAG,iBAAiB,CAAC,OAAO,CAAC,cAAc,iBAAiB,CAAC,SAAS,CAAC,EAAE,CAAC;AACnF,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,MAI/B;IACC,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,MAAM,OAAO,GAAG,gBAAgB,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;IACnE,OAAO;QACL,WAAW,EAAE,GAAG,CAAC,WAAW;QAC5B,WAAW,EACT,2BAA2B,OAAO,OAAO,GAAG,CAAC,aAAa,KAAK;YAC/D,qEAAqE,GAAG,CAAC,WAAW,MAAM;KAC7F,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAAC,MAM/C;IACC,MAAM,OAAO,GAAG,gBAAgB,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,SAAS,CAAC,CAAC;IAEnE,MAAM,aAAa,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;IAEhE,2EAA2E;IAC3E,2EAA2E;IAC3E,sCAAsC;IACtC,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;IAC9C,CAAC;IAAC,MAAM,CAAC;QACP,kEAAkE;QAClE,oDAAoD;IACtD,CAAC;IAED,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;QAC3B,oDAAoD;QACpD,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QAC/D,OAAO,UAAU,CAAC;IACpB,CAAC;IAED,OAAO,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,SAAS,EAAE,aAAa,CAAC,CAAC;AACnF,CAAC"}

package/dist/certs/crypto-provider.d.ts

@@ -0,0 +1,14 @@
+import 'reflect-metadata';
+import * as x509 from '@peculiar/x509';
+import { webcrypto } from 'node:crypto';
+export declare const RSA_ALGORITHM: {
+    readonly name: "RSASSA-PKCS1-v1_5";
+    readonly hash: "SHA-256";
+    readonly publicExponent: Uint8Array<ArrayBuffer>;
+    readonly modulusLength: 2048;
+};
+export declare const CA_CERT_VALIDITY_YEARS = 5;
+export declare const AGENT_CERT_VALIDITY_YEARS = 1;
+export { x509 };
+export { webcrypto };
+//# sourceMappingURL=crypto-provider.d.ts.map

package/dist/certs/crypto-provider.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto-provider.d.ts","sourceRoot":"","sources":["../../src/certs/crypto-provider.ts"],"names":[],"mappings":"AAAA,OAAO,kBAAkB,CAAC;AAC1B,OAAO,KAAK,IAAI,MAAM,gBAAgB,CAAC;AACvC,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAOxC,eAAO,MAAM,aAAa;;;;;CAKhB,CAAC;AAEX,eAAO,MAAM,sBAAsB,IAAI,CAAC;AACxC,eAAO,MAAM,yBAAyB,IAAI,CAAC;AAE3C,OAAO,EAAE,IAAI,EAAE,CAAC;AAChB,OAAO,EAAE,SAAS,EAAE,CAAC"}

package/dist/certs/crypto-provider.js

@@ -0,0 +1,18 @@
+import 'reflect-metadata';
+import * as x509 from '@peculiar/x509';
+import { webcrypto } from 'node:crypto';
+// Set Node.js WebCrypto as the provider for @peculiar/x509
+// webcrypto satisfies the Crypto interface at runtime but TypeScript
+// doesn't include DOM types in our Node-only tsconfig.
+x509.cryptoProvider.set(webcrypto);
+export const RSA_ALGORITHM = {
+    name: 'RSASSA-PKCS1-v1_5',
+    hash: 'SHA-256',
+    publicExponent: new Uint8Array([1, 0, 1]),
+    modulusLength: 2048,
+};
+export const CA_CERT_VALIDITY_YEARS = 5;
+export const AGENT_CERT_VALIDITY_YEARS = 1;
+export { x509 };
+export { webcrypto };
+//# sourceMappingURL=crypto-provider.js.map

package/dist/certs/crypto-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto-provider.js","sourceRoot":"","sources":["../../src/certs/crypto-provider.ts"],"names":[],"mappings":"AAAA,OAAO,kBAAkB,CAAC;AAC1B,OAAO,KAAK,IAAI,MAAM,gBAAgB,CAAC;AACvC,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAExC,2DAA2D;AAC3D,qEAAqE;AACrE,uDAAuD;AACvD,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,SAAgB,CAAC,CAAC;AAE1C,MAAM,CAAC,MAAM,aAAa,GAAG;IAC3B,IAAI,EAAE,mBAAmB;IACzB,IAAI,EAAE,SAAS;IACf,cAAc,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;IACzC,aAAa,EAAE,IAAI;CACX,CAAC;AAEX,MAAM,CAAC,MAAM,sBAAsB,GAAG,CAAC,CAAC;AACxC,MAAM,CAAC,MAAM,yBAAyB,GAAG,CAAC,CAAC;AAE3C,OAAO,EAAE,IAAI,EAAE,CAAC;AAChB,OAAO,EAAE,SAAS,EAAE,CAAC"}

package/dist/certs/index.d.ts

@@ -0,0 +1,7 @@
+export { createCA, backupCAKey, recoverCAKey, encryptCAKey, encryptCAKeyV1Legacy, decryptCAKey, loadCA, CaError } from './ca.js';
+export type { CaKeyPair } from './ca.js';
+export { generateAgentCert, generateClientCert, generateCSR, signCSR, importPrivateKey, AgentCertError } from './agent-cert.js';
+export type { AgentCertResult } from './agent-cert.js';
+export { createChallenge, verifyAndConsumeChallenge, ChallengeError } from './challenge.js';
+export { RSA_ALGORITHM, CA_CERT_VALIDITY_YEARS, AGENT_CERT_VALIDITY_YEARS } from './crypto-provider.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/certs/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/certs/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,YAAY,EAAE,YAAY,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AACjI,YAAY,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,WAAW,EAAE,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AAChI,YAAY,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AACvD,OAAO,EAAE,eAAe,EAAE,yBAAyB,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAC5F,OAAO,EAAE,aAAa,EAAE,sBAAsB,EAAE,yBAAyB,EAAE,MAAM,sBAAsB,CAAC"}

package/dist/certs/index.js

@@ -0,0 +1,5 @@
+export { createCA, backupCAKey, recoverCAKey, encryptCAKey, encryptCAKeyV1Legacy, decryptCAKey, loadCA, CaError } from './ca.js';
+export { generateAgentCert, generateClientCert, generateCSR, signCSR, importPrivateKey, AgentCertError } from './agent-cert.js';
+export { createChallenge, verifyAndConsumeChallenge, ChallengeError } from './challenge.js';
+export { RSA_ALGORITHM, CA_CERT_VALIDITY_YEARS, AGENT_CERT_VALIDITY_YEARS } from './crypto-provider.js';
+//# sourceMappingURL=index.js.map