@harborclient/sdk 0.4.3

package/dist/signing/canonical.js

@@ -0,0 +1,92 @@
+import { PLUGIN_SIGNATURE_ALGORITHM, PLUGIN_SIGNATURE_SCHEMA_VERSION } from './types.js';
+/**
+ * Builds the canonical signing payload object from manifest identity and file hashes.
+ *
+ * @param pluginId - Plugin manifest id.
+ * @param pluginVersion - Plugin manifest version.
+ * @param files - Sorted plugin file inventory.
+ * @param keyId - Optional signing key label.
+ */
+export function buildSignaturePayload(pluginId, pluginVersion, files, keyId) {
+    const payload = {
+        schemaVersion: PLUGIN_SIGNATURE_SCHEMA_VERSION,
+        pluginId,
+        pluginVersion,
+        algorithm: PLUGIN_SIGNATURE_ALGORITHM,
+        files: [...files]
+    };
+    if (keyId?.trim()) {
+        payload.keyId = keyId.trim();
+    }
+    return payload;
+}
+/**
+ * Serializes a signing payload to canonical JSON bytes for Ed25519 signing.
+ *
+ * @param payload - Unsigned signature payload.
+ */
+export function canonicalizeSignaturePayload(payload) {
+    return Buffer.from(JSON.stringify(payload), 'utf8');
+}
+/**
+ * Parses and validates a signature.json object read from disk.
+ *
+ * @param raw - Parsed JSON value.
+ * @returns Validated signature file contents.
+ * @throws When the payload shape is invalid.
+ */
+export function parsePluginSignatureFile(raw) {
+    if (typeof raw !== 'object' || raw == null) {
+        throw new Error('Plugin signature must be a JSON object.');
+    }
+    const record = raw;
+    if (record.schemaVersion !== PLUGIN_SIGNATURE_SCHEMA_VERSION) {
+        throw new Error(`Unsupported plugin signature schema version: ${String(record.schemaVersion)}`);
+    }
+    if (record.algorithm !== PLUGIN_SIGNATURE_ALGORITHM) {
+        throw new Error(`Unsupported plugin signature algorithm: ${String(record.algorithm)}`);
+    }
+    if (typeof record.pluginId !== 'string' || record.pluginId.trim().length === 0) {
+        throw new Error('Plugin signature is missing pluginId.');
+    }
+    if (typeof record.pluginVersion !== 'string' || record.pluginVersion.trim().length === 0) {
+        throw new Error('Plugin signature is missing pluginVersion.');
+    }
+    if (typeof record.signature !== 'string' || record.signature.trim().length === 0) {
+        throw new Error('Plugin signature is missing signature.');
+    }
+    if (!Array.isArray(record.files)) {
+        throw new Error('Plugin signature files must be an array.');
+    }
+    const files = record.files.map((entry, index) => {
+        if (typeof entry !== 'object' || entry == null) {
+            throw new Error(`Plugin signature files[${index}] must be an object.`);
+        }
+        const fileRecord = entry;
+        if (typeof fileRecord.path !== 'string' || fileRecord.path.trim().length === 0) {
+            throw new Error(`Plugin signature files[${index}].path is invalid.`);
+        }
+        if (typeof fileRecord.sha256 !== 'string' || !/^[a-f0-9]{64}$/i.test(fileRecord.sha256)) {
+            throw new Error(`Plugin signature files[${index}].sha256 is invalid.`);
+        }
+        return {
+            path: fileRecord.path,
+            sha256: fileRecord.sha256.toLowerCase()
+        };
+    });
+    const payload = {
+        schemaVersion: PLUGIN_SIGNATURE_SCHEMA_VERSION,
+        pluginId: record.pluginId,
+        pluginVersion: record.pluginVersion,
+        algorithm: PLUGIN_SIGNATURE_ALGORITHM,
+        files,
+        signature: record.signature
+    };
+    if (record.keyId != null) {
+        if (typeof record.keyId !== 'string' || record.keyId.trim().length === 0) {
+            throw new Error('Plugin signature keyId must be a non-empty string when present.');
+        }
+        payload.keyId = record.keyId.trim();
+    }
+    return payload;
+}

package/dist/signing/cli-sign.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=cli-sign.d.ts.map

package/dist/signing/cli-sign.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli-sign.d.ts","sourceRoot":"","sources":["../../src/signing/cli-sign.ts"],"names":[],"mappings":""}

package/dist/signing/cli-sign.js

@@ -0,0 +1,4 @@
+#!/usr/bin/env node
+import { runSignCli } from './cli.js';
+const exitCode = await runSignCli(process.argv);
+process.exit(exitCode);

package/dist/signing/cli-verify.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=cli-verify.d.ts.map

package/dist/signing/cli-verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli-verify.d.ts","sourceRoot":"","sources":["../../src/signing/cli-verify.ts"],"names":[],"mappings":""}

package/dist/signing/cli-verify.js

@@ -0,0 +1,4 @@
+#!/usr/bin/env node
+import { runVerifyCli } from './cli.js';
+const exitCode = await runVerifyCli(process.argv);
+process.exit(exitCode);

package/dist/signing/cli.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Runs the plugin sign CLI and returns a process exit code.
+ *
+ * @param argv - Raw process argv including node and script paths.
+ */
+export declare function runSignCli(argv: string[]): Promise<number>;
+/**
+ * Runs the plugin verify CLI and returns a process exit code.
+ *
+ * @param argv - Raw process argv including node and script paths.
+ */
+export declare function runVerifyCli(argv: string[]): Promise<number>;
+//# sourceMappingURL=cli.d.ts.map

package/dist/signing/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../../src/signing/cli.ts"],"names":[],"mappings":"AAwFA;;;;GAIG;AACH,wBAAsB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CA8BhE;AAED;;;;GAIG;AACH,wBAAsB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAyClE"}

package/dist/signing/cli.js

@@ -0,0 +1,148 @@
+import { readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { signPlugin } from './sign.js';
+import { verifyPlugin } from './verify.js';
+const SIGN_USAGE = 'Usage: hc-plugin-sign --dir <pluginDir> --private-key <path> [--key-id <id>] [--signature <path>]';
+const VERIFY_USAGE = 'Usage: hc-plugin-verify --dir <pluginDir> --public-key <path> [--public-key <path> ...] [--signature <path>] [--allow-unsigned]';
+/**
+ * Parses supported CLI flags from process argv.
+ *
+ * @param argv - Raw process argv including node and script paths.
+ */
+function parseCliArgs(argv) {
+    const parsed = {
+        publicKeyPaths: [],
+        allowUnsigned: false
+    };
+    for (let index = 2; index < argv.length; index += 1) {
+        const arg = argv[index];
+        if (arg === '--') {
+            continue;
+        }
+        switch (arg) {
+            case '--dir': {
+                parsed.dir = argv[index + 1];
+                index += 1;
+                break;
+            }
+            case '--private-key': {
+                parsed.privateKeyPath = argv[index + 1];
+                index += 1;
+                break;
+            }
+            case '--public-key': {
+                const value = argv[index + 1];
+                if (value) {
+                    parsed.publicKeyPaths.push(value);
+                }
+                index += 1;
+                break;
+            }
+            case '--key-id': {
+                parsed.keyId = argv[index + 1];
+                index += 1;
+                break;
+            }
+            case '--signature': {
+                parsed.signaturePath = argv[index + 1];
+                index += 1;
+                break;
+            }
+            case '--allow-unsigned': {
+                parsed.allowUnsigned = true;
+                break;
+            }
+            default:
+                throw new Error(`Unknown argument: ${arg}`);
+        }
+    }
+    return parsed;
+}
+/**
+ * Reads a PEM key file from disk.
+ *
+ * @param path - Absolute or relative key file path.
+ */
+function readKeyFile(path) {
+    return readFileSync(resolve(path), 'utf8');
+}
+/**
+ * Runs the plugin sign CLI and returns a process exit code.
+ *
+ * @param argv - Raw process argv including node and script paths.
+ */
+export async function runSignCli(argv) {
+    let parsed;
+    try {
+        parsed = parseCliArgs(argv);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        console.error(message);
+        console.error(SIGN_USAGE);
+        return 1;
+    }
+    if (!parsed.dir || !parsed.privateKeyPath) {
+        console.error(SIGN_USAGE);
+        return 1;
+    }
+    try {
+        const result = await signPlugin({
+            pluginDir: parsed.dir,
+            privateKeyPem: readKeyFile(parsed.privateKeyPath),
+            keyId: parsed.keyId,
+            signaturePath: parsed.signaturePath
+        });
+        console.log(`Wrote ${result.signaturePath}`);
+        return 0;
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        console.error(message);
+        return 2;
+    }
+}
+/**
+ * Runs the plugin verify CLI and returns a process exit code.
+ *
+ * @param argv - Raw process argv including node and script paths.
+ */
+export async function runVerifyCli(argv) {
+    let parsed;
+    try {
+        parsed = parseCliArgs(argv);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        console.error(message);
+        console.error(VERIFY_USAGE);
+        return 1;
+    }
+    if (!parsed.dir || parsed.publicKeyPaths.length === 0) {
+        console.error(VERIFY_USAGE);
+        return 1;
+    }
+    try {
+        const result = await verifyPlugin({
+            pluginDir: parsed.dir,
+            trustedPublicKeysPem: parsed.publicKeyPaths.map(readKeyFile),
+            signaturePath: parsed.signaturePath
+        });
+        if (result.status === 'valid') {
+            const keyLabel = result.keyId ? ` (keyId: ${result.keyId})` : '';
+            console.log(`Plugin signature is valid${keyLabel}.`);
+            return 0;
+        }
+        if (result.status === 'unsigned') {
+            console.error('Plugin is unsigned.');
+            return parsed.allowUnsigned ? 0 : 4;
+        }
+        console.error(result.error ?? 'Plugin signature is invalid.');
+        return 3;
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : String(error);
+        console.error(message);
+        return 3;
+    }
+}

package/dist/signing/index.d.ts

@@ -0,0 +1,10 @@
+export { PLUGIN_SIGNATURE_ALGORITHM, PLUGIN_SIGNATURE_FILENAME, PLUGIN_SIGNATURE_SCHEMA_VERSION } from './types.js';
+export type { PluginFileHash, PluginSignatureFile, PluginSignaturePayload, PluginVerifyStatus, SignPluginOptions, SignPluginResult, VerifyPluginOptions, VerifyPluginResult } from './types.js';
+export { readPluginManifestIdentity } from './manifest.js';
+export type { PluginManifestIdentity } from './manifest.js';
+export { assertPluginDirectory, collectPluginFiles, shouldExcludePluginPath } from './inventory.js';
+export { buildSignaturePayload, canonicalizeSignaturePayload, parsePluginSignatureFile } from './canonical.js';
+export { signPlugin } from './sign.js';
+export { readPluginSignature, verifyPlugin } from './verify.js';
+export { runSignCli, runVerifyCli } from './cli.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/signing/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/signing/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,0BAA0B,EAC1B,yBAAyB,EACzB,+BAA+B,EAChC,MAAM,YAAY,CAAC;AACpB,YAAY,EACV,cAAc,EACd,mBAAmB,EACnB,sBAAsB,EACtB,kBAAkB,EAClB,iBAAiB,EACjB,gBAAgB,EAChB,mBAAmB,EACnB,kBAAkB,EACnB,MAAM,YAAY,CAAC;AAEpB,OAAO,EAAE,0BAA0B,EAAE,MAAM,eAAe,CAAC;AAC3D,YAAY,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC;AAE5D,OAAO,EAAE,qBAAqB,EAAE,kBAAkB,EAAE,uBAAuB,EAAE,MAAM,gBAAgB,CAAC;AAEpG,OAAO,EACL,qBAAqB,EACrB,4BAA4B,EAC5B,wBAAwB,EACzB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,mBAAmB,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChE,OAAO,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC"}

package/dist/signing/index.js

@@ -0,0 +1,7 @@
+export { PLUGIN_SIGNATURE_ALGORITHM, PLUGIN_SIGNATURE_FILENAME, PLUGIN_SIGNATURE_SCHEMA_VERSION } from './types.js';
+export { readPluginManifestIdentity } from './manifest.js';
+export { assertPluginDirectory, collectPluginFiles, shouldExcludePluginPath } from './inventory.js';
+export { buildSignaturePayload, canonicalizeSignaturePayload, parsePluginSignatureFile } from './canonical.js';
+export { signPlugin } from './sign.js';
+export { readPluginSignature, verifyPlugin } from './verify.js';
+export { runSignCli, runVerifyCli } from './cli.js';

package/dist/signing/inventory.d.ts

@@ -0,0 +1,21 @@
+import type { PluginFileHash } from './types.js';
+/**
+ * Returns true when a relative plugin path should be excluded from signing.
+ *
+ * @param relativePath - Path relative to the plugin root using POSIX separators.
+ */
+export declare function shouldExcludePluginPath(relativePath: string): boolean;
+/**
+ * Walks a plugin directory and returns a sorted inventory of file hashes.
+ *
+ * @param pluginDir - Plugin root directory.
+ * @returns File paths (POSIX) and SHA-256 digests sorted by path.
+ */
+export declare function collectPluginFiles(pluginDir: string): PluginFileHash[];
+/**
+ * Returns true when a plugin path exists and is a directory.
+ *
+ * @param pluginDir - Plugin root directory.
+ */
+export declare function assertPluginDirectory(pluginDir: string): void;
+//# sourceMappingURL=inventory.d.ts.map

package/dist/signing/inventory.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"inventory.d.ts","sourceRoot":"","sources":["../../src/signing/inventory.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAKjD;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAOrE;AAWD;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,GAAG,cAAc,EAAE,CAoCtE;AAED;;;;GAIG;AACH,wBAAgB,qBAAqB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAS7D"}

package/dist/signing/inventory.js

@@ -0,0 +1,80 @@
+import { createHash } from 'node:crypto';
+import { readdirSync, readFileSync, statSync } from 'node:fs';
+import { join, relative } from 'node:path';
+import { PLUGIN_SIGNATURE_FILENAME } from './types.js';
+const EXCLUDED_PATH_SEGMENTS = new Set(['.git', 'node_modules']);
+const EXCLUDED_FILE_NAMES = new Set(['.DS_Store', PLUGIN_SIGNATURE_FILENAME]);
+/**
+ * Returns true when a relative plugin path should be excluded from signing.
+ *
+ * @param relativePath - Path relative to the plugin root using POSIX separators.
+ */
+export function shouldExcludePluginPath(relativePath) {
+    const segments = relativePath.split('/');
+    if (segments.some((segment) => EXCLUDED_PATH_SEGMENTS.has(segment))) {
+        return true;
+    }
+    const fileName = segments.at(-1);
+    return fileName != null && EXCLUDED_FILE_NAMES.has(fileName);
+}
+/**
+ * Computes a SHA-256 hex digest for one file.
+ *
+ * @param absolutePath - Absolute path to the file on disk.
+ */
+function hashFile(absolutePath) {
+    return createHash('sha256').update(readFileSync(absolutePath)).digest('hex');
+}
+/**
+ * Walks a plugin directory and returns a sorted inventory of file hashes.
+ *
+ * @param pluginDir - Plugin root directory.
+ * @returns File paths (POSIX) and SHA-256 digests sorted by path.
+ */
+export function collectPluginFiles(pluginDir) {
+    const files = [];
+    /**
+     * Recursively collects file hashes under one directory.
+     *
+     * @param currentDir - Absolute directory being scanned.
+     */
+    function walk(currentDir) {
+        for (const entry of readdirSync(currentDir, { withFileTypes: true })) {
+            const absolutePath = join(currentDir, entry.name);
+            const relativePath = relative(pluginDir, absolutePath).split('\\').join('/');
+            if (shouldExcludePluginPath(relativePath)) {
+                continue;
+            }
+            if (entry.isDirectory()) {
+                walk(absolutePath);
+                continue;
+            }
+            if (!entry.isFile()) {
+                continue;
+            }
+            files.push({
+                path: relativePath,
+                sha256: hashFile(absolutePath)
+            });
+        }
+    }
+    walk(pluginDir);
+    files.sort((left, right) => left.path.localeCompare(right.path));
+    return files;
+}
+/**
+ * Returns true when a plugin path exists and is a directory.
+ *
+ * @param pluginDir - Plugin root directory.
+ */
+export function assertPluginDirectory(pluginDir) {
+    try {
+        const stats = statSync(pluginDir);
+        if (!stats.isDirectory()) {
+            throw new Error(`Plugin directory is not a folder: ${pluginDir}`);
+        }
+    }
+    catch (error) {
+        throw new Error(`Plugin directory not found: ${pluginDir}`, { cause: error });
+    }
+}

package/dist/signing/manifest.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Minimal manifest fields required for plugin signing.
+ */
+export interface PluginManifestIdentity {
+    id: string;
+    version: string;
+}
+/**
+ * Reads and validates plugin id and version from manifest.json.
+ *
+ * @param pluginDir - Plugin root directory containing manifest.json.
+ * @returns Parsed manifest identity fields.
+ * @throws When manifest.json is missing, invalid JSON, or fails validation.
+ */
+export declare function readPluginManifestIdentity(pluginDir: string): PluginManifestIdentity;
+//# sourceMappingURL=manifest.d.ts.map

package/dist/signing/manifest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manifest.d.ts","sourceRoot":"","sources":["../../src/signing/manifest.ts"],"names":[],"mappings":"AAKA;;GAEG;AACH,MAAM,WAAW,sBAAsB;IACrC,EAAE,EAAE,MAAM,CAAC;IACX,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;;;;;GAMG;AACH,wBAAgB,0BAA0B,CAAC,SAAS,EAAE,MAAM,GAAG,sBAAsB,CAyBpF"}

package/dist/signing/manifest.js

@@ -0,0 +1,33 @@
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+const PLUGIN_ID_PATTERN = /^[a-zA-Z][a-zA-Z0-9.-]*\.[a-zA-Z][a-zA-Z0-9.-]+$/;
+/**
+ * Reads and validates plugin id and version from manifest.json.
+ *
+ * @param pluginDir - Plugin root directory containing manifest.json.
+ * @returns Parsed manifest identity fields.
+ * @throws When manifest.json is missing, invalid JSON, or fails validation.
+ */
+export function readPluginManifestIdentity(pluginDir) {
+    const manifestPath = join(pluginDir, 'manifest.json');
+    let raw;
+    try {
+        raw = JSON.parse(readFileSync(manifestPath, 'utf8'));
+    }
+    catch (error) {
+        throw new Error(`Plugin manifest is not valid JSON: ${manifestPath}`, { cause: error });
+    }
+    if (typeof raw !== 'object' || raw == null) {
+        throw new Error(`Plugin manifest must be a JSON object: ${manifestPath}`);
+    }
+    const record = raw;
+    const id = record.id;
+    const version = record.version;
+    if (typeof id !== 'string' || !PLUGIN_ID_PATTERN.test(id)) {
+        throw new Error(`Plugin manifest id is invalid: ${manifestPath}`);
+    }
+    if (typeof version !== 'string' || version.trim().length === 0) {
+        throw new Error(`Plugin manifest version is invalid: ${manifestPath}`);
+    }
+    return { id, version };
+}

package/dist/signing/sign.d.ts

@@ -0,0 +1,10 @@
+import type { SignPluginOptions, SignPluginResult } from './types.js';
+/**
+ * Signs a plugin directory and writes signature.json beside manifest.json.
+ *
+ * @param options - Plugin directory and signing key options.
+ * @returns Path to the written signature file and parsed signature contents.
+ * @throws When manifest validation, inventory, or signing fails.
+ */
+export declare function signPlugin(options: SignPluginOptions): Promise<SignPluginResult>;
+//# sourceMappingURL=sign.d.ts.map

package/dist/signing/sign.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sign.d.ts","sourceRoot":"","sources":["../../src/signing/sign.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,iBAAiB,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAEtE;;;;;;GAMG;AACH,wBAAsB,UAAU,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA6BtF"}

package/dist/signing/sign.js

@@ -0,0 +1,48 @@
+import { createPrivateKey, sign } from 'node:crypto';
+import { writeFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+import { buildSignaturePayload, canonicalizeSignaturePayload } from './canonical.js';
+import { assertPluginDirectory, collectPluginFiles } from './inventory.js';
+import { readPluginManifestIdentity } from './manifest.js';
+import { PLUGIN_SIGNATURE_FILENAME } from './types.js';
+/**
+ * Signs a plugin directory and writes signature.json beside manifest.json.
+ *
+ * @param options - Plugin directory and signing key options.
+ * @returns Path to the written signature file and parsed signature contents.
+ * @throws When manifest validation, inventory, or signing fails.
+ */
+export async function signPlugin(options) {
+    const pluginDir = resolve(options.pluginDir);
+    assertPluginDirectory(pluginDir);
+    const { id, version } = readPluginManifestIdentity(pluginDir);
+    const files = collectPluginFiles(pluginDir);
+    const payload = buildSignaturePayload(id, version, files, options.keyId);
+    const payloadBytes = canonicalizeSignaturePayload(payload);
+    let privateKey;
+    try {
+        privateKey = createPrivateKey(options.privateKeyPem);
+    }
+    catch (error) {
+        throw new Error('Invalid Ed25519 private key', { cause: error });
+    }
+    const signature = sign(null, new Uint8Array(payloadBytes), privateKey).toString('base64');
+    const signatureFile = {
+        ...payload,
+        signature
+    };
+    const signaturePath = resolve(options.signaturePath ?? joinSignaturePath(pluginDir));
+    writeFileSync(signaturePath, `${JSON.stringify(signatureFile, null, 2)}\n`, 'utf8');
+    return {
+        signaturePath,
+        signature: signatureFile
+    };
+}
+/**
+ * Returns the default signature.json path for one plugin directory.
+ *
+ * @param pluginDir - Plugin root directory.
+ */
+function joinSignaturePath(pluginDir) {
+    return resolve(pluginDir, PLUGIN_SIGNATURE_FILENAME);
+}

package/dist/signing/signing.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=signing.test.d.ts.map

package/dist/signing/signing.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.test.d.ts","sourceRoot":"","sources":["../../src/signing/signing.test.ts"],"names":[],"mappings":""}

package/dist/signing/signing.test.js

@@ -0,0 +1,100 @@
+import { describe, expect, it } from '@jest/globals';
+import { writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import { signPlugin } from './sign.js';
+import { createTestPluginDir, createTestSigningKeys } from './testFixtures.js';
+import { verifyPlugin } from './verify.js';
+describe('signPlugin', () => {
+    it('writes signature.json for a valid plugin directory', async () => {
+        const keys = createTestSigningKeys();
+        const fixture = createTestPluginDir();
+        try {
+            const result = await signPlugin({
+                pluginDir: fixture.pluginDir,
+                privateKeyPem: keys.privateKeyPem,
+                keyId: 'test-key'
+            });
+            expect(result.signature.pluginId).toBe('com.example.test-plugin');
+            expect(result.signature.pluginVersion).toBe('1.0.0');
+            expect(result.signature.keyId).toBe('test-key');
+            expect(result.signature.files.map((file) => file.path)).toEqual([
+                'dist/renderer.js',
+                'manifest.json'
+            ]);
+            const verification = await verifyPlugin({
+                pluginDir: fixture.pluginDir,
+                trustedPublicKeysPem: [keys.publicKeyPem]
+            });
+            expect(verification.status).toBe('valid');
+        }
+        finally {
+            fixture.cleanup();
+        }
+    });
+    it('rejects invalid private keys', async () => {
+        const fixture = createTestPluginDir();
+        try {
+            await expect(signPlugin({
+                pluginDir: fixture.pluginDir,
+                privateKeyPem: 'not-a-key'
+            })).rejects.toThrow(/invalid ed25519 private key/i);
+        }
+        finally {
+            fixture.cleanup();
+        }
+    });
+});
+describe('verifyPlugin', () => {
+    it('returns unsigned when signature.json is absent', async () => {
+        const fixture = createTestPluginDir();
+        try {
+            const result = await verifyPlugin({
+                pluginDir: fixture.pluginDir,
+                trustedPublicKeysPem: [createTestSigningKeys().publicKeyPem]
+            });
+            expect(result.status).toBe('unsigned');
+        }
+        finally {
+            fixture.cleanup();
+        }
+    });
+    it('returns invalid when a signed file is tampered with', async () => {
+        const keys = createTestSigningKeys();
+        const fixture = createTestPluginDir();
+        try {
+            await signPlugin({
+                pluginDir: fixture.pluginDir,
+                privateKeyPem: keys.privateKeyPem
+            });
+            writeFileSync(join(fixture.pluginDir, 'dist', 'renderer.js'), 'export function activate() { return 1; }');
+            const result = await verifyPlugin({
+                pluginDir: fixture.pluginDir,
+                trustedPublicKeysPem: [keys.publicKeyPem]
+            });
+            expect(result.status).toBe('invalid');
+            expect(result.error).toMatch(/signed inventory/i);
+        }
+        finally {
+            fixture.cleanup();
+        }
+    });
+    it('returns invalid when verified with the wrong public key', async () => {
+        const keys = createTestSigningKeys();
+        const otherKeys = createTestSigningKeys();
+        const fixture = createTestPluginDir();
+        try {
+            await signPlugin({
+                pluginDir: fixture.pluginDir,
+                privateKeyPem: keys.privateKeyPem
+            });
+            const result = await verifyPlugin({
+                pluginDir: fixture.pluginDir,
+                trustedPublicKeysPem: [otherKeys.publicKeyPem]
+            });
+            expect(result.status).toBe('invalid');
+        }
+        finally {
+            fixture.cleanup();
+        }
+    });
+});

package/dist/signing/testFixtures.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Temporary Ed25519 key pair for signing tests.
+ */
+export interface TestSigningKeys {
+    privateKeyPem: string;
+    publicKeyPem: string;
+}
+/**
+ * Generates an Ed25519 PEM key pair for tests.
+ */
+export declare function createTestSigningKeys(): TestSigningKeys;
+/**
+ * Creates a minimal plugin directory suitable for signing tests.
+ *
+ * @param pluginId - Plugin manifest id.
+ */
+export declare function createTestPluginDir(pluginId?: string): {
+    pluginDir: string;
+    cleanup: () => void;
+};
+//# sourceMappingURL=testFixtures.d.ts.map