@hashproof/sdk 0.2.0

package/README.md

@@ -0,0 +1,248 @@
+# @hashproof/sdk
+
+> Published as `@hashproof/sdk` on npm. The source directory is `packages/sdk-js` (legacy name).
+
+Official JavaScript/TypeScript SDK for the [Hashproof](https://hashproof.ai) Content Provenance API.
+
+Hashproof provides content provenance infrastructure built on the C2PA standard. This SDK wraps the REST API with a type-safe client for storing, resolving, verifying, and signing digital assets.
+
+## Installation
+
+```bash
+npm install @hashproof/sdk
+# or
+pnpm add @hashproof/sdk
+# or
+yarn add @hashproof/sdk
+```
+
+## Quick Start
+
+```ts
+import { HashproofClient } from '@hashproof/sdk';
+import { readFileSync } from 'node:fs';
+
+const client = new HashproofClient({ apiKey: 'hpsk_...' });
+
+// Verify a file's provenance
+const file = readFileSync('photo.jpg');
+const result = await client.verify(file);
+
+if (result.hasProvenance) {
+  console.log(`Provenance found via: ${result.source}`);
+  console.log(`Trust status: ${result.trustStatus}`);
+  console.log(`Signer: ${result.manifest?.signatureInfo.subject}`);
+} else {
+  console.log('No provenance found for this file.');
+}
+```
+
+## Configuration
+
+```ts
+const client = new HashproofClient({
+  apiKey: 'hpsk_...',             // Required. Your Hashproof API key.
+  baseUrl: 'https://api.hashproof.ai', // Optional. Defaults to production.
+  timeout: 30000,                 // Optional. Request timeout in ms.
+});
+```
+
+## API Reference
+
+### `store(file, options?)`
+
+Upload a digital asset and extract/store its C2PA manifest. Perceptual fingerprints are computed automatically.
+
+```ts
+const result = await client.store(fileBuffer, { title: 'Press Photo' });
+console.log(result.manifestId);
+console.log(result.softBindings); // computed perceptual hashes
+```
+
+**Parameters:**
+| Name | Type | Description |
+|------|------|-------------|
+| `file` | `Buffer \| Blob` | The digital asset to store |
+| `options.title` | `string` | Optional human-readable title |
+
+**Returns:** `Promise<StoreResult>`
+
+---
+
+### `resolve(file)` / `resolve(fingerprint, algorithm?)`
+
+Resolve provenance for a file or pre-computed fingerprint. Finds matching manifests via perceptual hashing (soft binding).
+
+```ts
+// By file upload
+const result = await client.resolve(imageBuffer);
+
+// By pre-computed fingerprint (no upload needed)
+const result = await client.resolve('a1b2c3d4...', 'phash-dct-64');
+
+for (const match of result.matches) {
+  console.log(`${match.similarity * 100}% similar — ${match.manifest.title}`);
+}
+```
+
+**Parameters (file overload):**
+| Name | Type | Description |
+|------|------|-------------|
+| `file` | `Buffer \| Blob` | The file to resolve |
+
+**Parameters (fingerprint overload):**
+| Name | Type | Description |
+|------|------|-------------|
+| `fingerprint` | `string` | Hex-encoded perceptual hash |
+| `algorithm` | `string` | Algorithm name (default: `phash-dct-64`) |
+
+**Returns:** `Promise<ResolveResult>`
+
+---
+
+### `verify(file)`
+
+One-call provenance verification. Checks embedded C2PA manifests, hard binding (hash match), and soft binding (perceptual hash resolution).
+
+```ts
+const result = await client.verify(imageBuffer);
+console.log(result.hasProvenance);  // boolean
+console.log(result.source);        // 'embedded' | 'resolved' | 'none'
+console.log(result.trustStatus);   // 'trusted' | 'untrusted' | 'unknown'
+```
+
+**Parameters:**
+| Name | Type | Description |
+|------|------|-------------|
+| `file` | `Buffer \| Blob` | The file to verify |
+
+**Returns:** `Promise<VerifyResult>`
+
+---
+
+### `getManifest(id)`
+
+Retrieve a manifest by its UUID.
+
+```ts
+const manifest = await client.getManifest('550e8400-...');
+```
+
+**Returns:** `Promise<ManifestData>`
+
+---
+
+### `getManifestByHash(hash)`
+
+Retrieve a manifest by its hard binding hash (SHA-256 of the original asset).
+
+```ts
+const manifest = await client.getManifestByHash('e3b0c44298fc...');
+```
+
+**Returns:** `Promise<ManifestData>`
+
+---
+
+### `listManifests(options?)`
+
+List manifests with pagination and search.
+
+```ts
+const page = await client.listManifests({ page: 1, perPage: 50, search: 'photo' });
+console.log(`${page.total} total manifests`);
+```
+
+**Parameters:**
+| Name | Type | Description |
+|------|------|-------------|
+| `options.page` | `number` | Page number (default: 1) |
+| `options.perPage` | `number` | Results per page (default: 20) |
+| `options.search` | `string` | Filter by title |
+
+**Returns:** `Promise<PaginatedResponse<ManifestData>>`
+
+---
+
+### `sign(file, options?)`
+
+Sign a digital asset with a C2PA manifest using Hashproof managed signing. Requires the `sign` scope on your API key.
+
+```ts
+const result = await client.sign(imageBuffer, { title: 'Press Photo' });
+console.log(result.manifestId);
+```
+
+**Parameters:**
+| Name | Type | Description |
+|------|------|-------------|
+| `file` | `Buffer \| Blob` | The file to sign |
+| `options.title` | `string` | Optional title |
+
+**Returns:** `Promise<SignResult>`
+
+---
+
+### `computeFingerprint(file, algorithm?)`
+
+Compute a perceptual fingerprint without resolving. Useful for offline computation followed by later resolution.
+
+```ts
+const fp = await client.computeFingerprint(imageBuffer);
+console.log(fp.fingerprint); // hex string
+console.log(fp.algorithm);   // 'phash-dct-64'
+
+// Later, resolve without re-uploading:
+const matches = await client.resolve(fp.fingerprint, fp.algorithm);
+```
+
+**Parameters:**
+| Name | Type | Description |
+|------|------|-------------|
+| `file` | `Buffer \| Blob` | The file to fingerprint |
+| `algorithm` | `string` | Algorithm (default: `phash-dct-64`) |
+
+**Returns:** `Promise<FingerprintResult>`
+
+## Error Handling
+
+All API errors are thrown as `HashproofApiError` instances:
+
+```ts
+import { HashproofClient, HashproofApiError } from '@hashproof/sdk';
+
+try {
+  await client.getManifest('nonexistent');
+} catch (err) {
+  if (err instanceof HashproofApiError) {
+    console.error(err.message);    // "Manifest not found"
+    console.error(err.statusCode); // 404
+    console.error(err.code);       // "NOT_FOUND"
+  }
+}
+```
+
+## TypeScript
+
+All types are exported from the package for full type safety:
+
+```ts
+import type {
+  ManifestData,
+  VerifyResult,
+  ResolveResult,
+  ValidationStatus,
+  PaginatedResponse,
+} from '@hashproof/sdk';
+```
+
+## Supported Runtimes
+
+- Node.js 18+ (uses native `fetch`)
+- Deno
+- Bun
+- Modern browsers (via bundler)
+
+## License
+
+MIT

package/dist/index.cjs

@@ -0,0 +1,335 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  HashproofApiError: () => HashproofApiError,
+  HashproofClient: () => HashproofClient
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/types.ts
+var HashproofApiError = class extends Error {
+  /** HTTP status code. */
+  statusCode;
+  /** Machine-readable error code. */
+  code;
+  /** Additional error details. */
+  details;
+  constructor(message, statusCode, code, details) {
+    super(message);
+    this.name = "HashproofApiError";
+    this.statusCode = statusCode;
+    this.code = code;
+    this.details = details;
+  }
+};
+
+// src/index.ts
+var DEFAULT_BASE_URL = "https://api.hashproof.ai";
+var DEFAULT_TIMEOUT = 3e4;
+var HashproofClient = class {
+  apiKey;
+  baseUrl;
+  timeout;
+  /**
+   * Create a new HashproofClient instance.
+   *
+   * @param options - Client configuration options.
+   * @param options.apiKey - Your Hashproof API key (starts with `hpsk_`).
+   * @param options.baseUrl - Base URL for the API. Defaults to `https://api.hashproof.ai`.
+   * @param options.timeout - Request timeout in milliseconds. Defaults to 30000.
+   * @throws {Error} If no API key is provided.
+   */
+  constructor(options) {
+    if (!options.apiKey) {
+      throw new Error('Hashproof API key is required. Pass { apiKey: "hpsk_..." } to the constructor.');
+    }
+    this.apiKey = options.apiKey;
+    this.baseUrl = (options.baseUrl || DEFAULT_BASE_URL).replace(/\/+$/, "");
+    this.timeout = options.timeout ?? DEFAULT_TIMEOUT;
+  }
+  // ============================================================
+  // Manifest Operations
+  // ============================================================
+  /**
+   * Store a C2PA manifest by uploading a digital asset.
+   *
+   * The API extracts the embedded C2PA manifest from the file,
+   * computes perceptual fingerprints (soft bindings), and stores
+   * everything for future resolution and verification.
+   *
+   * @param file - The file to store as a Buffer or Blob.
+   * @param options - Optional parameters.
+   * @param options.title - A human-readable title for the asset.
+   * @returns The stored manifest data along with computed soft bindings.
+   *
+   * @example
+   * ```ts
+   * const result = await client.store(fileBuffer, { title: 'My Photo' });
+   * console.log(result.manifestId);
+   * ```
+   */
+  async store(file, options) {
+    const formData = new FormData();
+    const blob = file instanceof Blob ? file : new Blob([file]);
+    formData.append("file", blob, "upload");
+    if (options?.title) {
+      formData.append("title", options.title);
+    }
+    return this.request("POST", "/v1/manifests", formData);
+  }
+  async resolve(fileOrFingerprint, algorithm) {
+    if (typeof fileOrFingerprint === "string") {
+      const params = new URLSearchParams({ fingerprint: fileOrFingerprint });
+      if (algorithm) params.set("algorithm", algorithm);
+      return this.request("GET", `/v1/resolve?${params.toString()}`);
+    }
+    const formData = new FormData();
+    const blob = fileOrFingerprint instanceof Blob ? fileOrFingerprint : new Blob([fileOrFingerprint]);
+    formData.append("file", blob, "upload");
+    if (algorithm) {
+      formData.append("algorithm", algorithm);
+    }
+    return this.request("POST", "/v1/resolve", formData);
+  }
+  /**
+   * Verify the provenance of a digital asset.
+   *
+   * This is the main one-call verification endpoint. It checks:
+   * 1. Embedded C2PA manifests in the file
+   * 2. Hard binding (SHA-256 hash match) against stored manifests
+   * 3. Soft binding (perceptual hash) resolution
+   *
+   * @param file - The file to verify as a Buffer or Blob.
+   * @returns Verification result including provenance source, manifest data, and trust status.
+   *
+   * @example
+   * ```ts
+   * const result = await client.verify(imageBuffer);
+   * if (result.hasProvenance) {
+   *   console.log(`Source: ${result.source}, Trust: ${result.trustStatus}`);
+   * }
+   * ```
+   */
+  async verify(file) {
+    const formData = new FormData();
+    const blob = file instanceof Blob ? file : new Blob([file]);
+    formData.append("file", blob, "upload");
+    return this.request("POST", "/v1/verify", formData);
+  }
+  /**
+   * Retrieve a manifest by its ID.
+   *
+   * @param id - The manifest UUID.
+   * @returns The full manifest data.
+   *
+   * @example
+   * ```ts
+   * const manifest = await client.getManifest('550e8400-e29b-41d4-a716-446655440000');
+   * console.log(manifest.title, manifest.validationStatus);
+   * ```
+   */
+  async getManifest(id) {
+    return this.request("GET", `/v1/manifests/${encodeURIComponent(id)}`);
+  }
+  /**
+   * Retrieve a manifest by its hard binding hash (SHA-256).
+   *
+   * @param hash - The SHA-256 hash of the original asset.
+   * @returns The matching manifest data.
+   *
+   * @example
+   * ```ts
+   * const manifest = await client.getManifestByHash('e3b0c44298fc1c149afbf4c8996fb924...');
+   * ```
+   */
+  async getManifestByHash(hash) {
+    const params = new URLSearchParams({ hash });
+    return this.request("GET", `/v1/manifests?${params.toString()}`);
+  }
+  /**
+   * List manifests with optional pagination and search.
+   *
+   * @param options - Pagination and search options.
+   * @param options.page - Page number (1-indexed). Defaults to 1.
+   * @param options.perPage - Results per page. Defaults to 20.
+   * @param options.search - Search term to filter manifests by title.
+   * @returns A paginated list of manifests.
+   *
+   * @example
+   * ```ts
+   * const page = await client.listManifests({ page: 1, search: 'photo' });
+   * console.log(`${page.total} manifests found`);
+   * ```
+   */
+  async listManifests(options) {
+    const params = new URLSearchParams();
+    if (options?.page) params.set("page", String(options.page));
+    if (options?.perPage) params.set("perPage", String(options.perPage));
+    if (options?.search) params.set("search", options.search);
+    const query = params.toString();
+    return this.request(
+      "GET",
+      `/v1/manifests${query ? `?${query}` : ""}`
+    );
+  }
+  // ============================================================
+  // Signing
+  // ============================================================
+  /**
+   * Sign a digital asset with a C2PA manifest using Hashproof's managed signing.
+   *
+   * This is the "Let's Encrypt for C2PA" endpoint -- you upload a file and
+   * Hashproof creates a signed C2PA manifest on your behalf, without you
+   * needing to manage certificates or PKI.
+   *
+   * Requires the `sign` scope on your API key.
+   *
+   * @param file - The file to sign as a Buffer or Blob.
+   * @param options - Optional parameters.
+   * @param options.title - A human-readable title for the asset.
+   * @returns The signing result including the new manifest ID.
+   *
+   * @example
+   * ```ts
+   * const result = await client.sign(imageBuffer, { title: 'Press Photo 2024' });
+   * console.log(result.manifestId);
+   * ```
+   */
+  async sign(file, options) {
+    const formData = new FormData();
+    const blob = file instanceof Blob ? file : new Blob([file]);
+    formData.append("file", blob, "upload");
+    if (options?.title) {
+      formData.append("title", options.title);
+    }
+    return this.request("POST", "/v1/sign", formData);
+  }
+  // ============================================================
+  // Fingerprinting
+  // ============================================================
+  /**
+   * Compute a perceptual fingerprint for a file without resolving.
+   *
+   * Useful when you want to compute and store a fingerprint client-side
+   * for later resolution via `resolve(fingerprint, algorithm)`.
+   *
+   * @param file - The file to fingerprint as a Buffer or Blob.
+   * @param algorithm - The algorithm to use. Defaults to `phash-dct-64`.
+   * @returns The computed fingerprint, algorithm, and bit length.
+   *
+   * @example
+   * ```ts
+   * const fp = await client.computeFingerprint(imageBuffer, 'phash-dct-64');
+   * console.log(fp.fingerprint); // hex string
+   * ```
+   */
+  async computeFingerprint(file, algorithm) {
+    const formData = new FormData();
+    const blob = file instanceof Blob ? file : new Blob([file]);
+    formData.append("file", blob, "upload");
+    if (algorithm) {
+      formData.append("algorithm", algorithm);
+    }
+    return this.request("POST", "/v1/fingerprint", formData);
+  }
+  // ============================================================
+  // Internal HTTP Client
+  // ============================================================
+  /**
+   * Make an authenticated HTTP request to the Hashproof API.
+   * @internal
+   */
+  async request(method, path, body) {
+    const url = `${this.baseUrl}${path}`;
+    const headers = {
+      Authorization: `Bearer ${this.apiKey}`,
+      Accept: "application/json"
+    };
+    let requestBody;
+    if (body instanceof FormData) {
+      requestBody = body;
+    } else if (body) {
+      headers["Content-Type"] = "application/json";
+      requestBody = JSON.stringify(body);
+    }
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+    let response;
+    try {
+      response = await fetch(url, {
+        method,
+        headers,
+        body: requestBody,
+        signal: controller.signal
+      });
+    } catch (err) {
+      clearTimeout(timeoutId);
+      if (err instanceof DOMException && err.name === "AbortError") {
+        throw new HashproofApiError(
+          `Request timed out after ${this.timeout}ms`,
+          0,
+          "TIMEOUT"
+        );
+      }
+      throw new HashproofApiError(
+        `Network error: ${err instanceof Error ? err.message : String(err)}`,
+        0,
+        "NETWORK_ERROR"
+      );
+    } finally {
+      clearTimeout(timeoutId);
+    }
+    const responseBody = await response.text();
+    let parsed;
+    try {
+      parsed = JSON.parse(responseBody);
+    } catch {
+      if (!response.ok) {
+        throw new HashproofApiError(
+          `HTTP ${response.status}: ${responseBody.slice(0, 200)}`,
+          response.status,
+          "UNEXPECTED_RESPONSE"
+        );
+      }
+      throw new HashproofApiError(
+        "Failed to parse API response as JSON",
+        response.status,
+        "PARSE_ERROR"
+      );
+    }
+    if (!response.ok) {
+      const errBody = parsed;
+      throw new HashproofApiError(
+        errBody.error || `HTTP ${response.status}`,
+        errBody.statusCode || response.status,
+        errBody.code || "API_ERROR",
+        errBody.details
+      );
+    }
+    return parsed;
+  }
+};
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  HashproofApiError,
+  HashproofClient
+});

package/dist/index.d.cts

@@ -0,0 +1,231 @@
+import * as _hashproof_shared from '@hashproof/shared';
+import { ResolveResult, VerifyResult, ManifestData, PaginatedResponse } from '@hashproof/shared';
+export { ApiError, ApiKey, ApiScope, Assertion, ComplianceDetail, ComplianceReport, HardBinding, Ingredient, ManifestData, MerkleAnchor, MerkleProof, PaginatedResponse, ResolveMatch, ResolveResult, SignatureInfo, SoftBinding, SoftBindingAlgorithm, SubscriptionTier, UsageSummary, ValidationError, ValidationResult, ValidationStatus, VerifyResult } from '@hashproof/shared';
+
+/** Options for constructing the HashproofClient. */
+interface HashproofClientOptions {
+    /** Your Hashproof API key (starts with hpsk_). */
+    apiKey: string;
+    /** Base URL for the API. Defaults to https://api.hashproof.ai. */
+    baseUrl?: string;
+    /** Request timeout in milliseconds. Defaults to 30000. */
+    timeout?: number;
+}
+/** Result returned from the store() method. */
+interface StoreResult {
+    manifestId: string;
+    manifest: _hashproof_shared.ManifestData;
+    softBindings: Array<{
+        algorithm: string;
+        value: string;
+    }>;
+}
+/** Result returned from the sign() method. */
+interface SignResult {
+    manifestId: string;
+    manifest: _hashproof_shared.ManifestData;
+    signedAssetUrl: string | null;
+    message: string;
+}
+/** Result returned from the computeFingerprint() method. */
+interface FingerprintResult {
+    fingerprint: string;
+    algorithm: _hashproof_shared.SoftBindingAlgorithm;
+    bitLength: number;
+}
+/** Error thrown by the SDK for API error responses. */
+declare class HashproofApiError extends Error {
+    /** HTTP status code. */
+    readonly statusCode: number;
+    /** Machine-readable error code. */
+    readonly code: string;
+    /** Additional error details. */
+    readonly details?: Record<string, unknown>;
+    constructor(message: string, statusCode: number, code: string, details?: Record<string, unknown>);
+}
+
+/**
+ * Official JavaScript/TypeScript client for the Hashproof Content Provenance API.
+ *
+ * @example
+ * ```ts
+ * import { HashproofClient } from '@hashproof/sdk';
+ *
+ * const client = new HashproofClient({ apiKey: 'hpsk_...' });
+ * const result = await client.verify(fileBuffer);
+ * console.log(result.hasProvenance);
+ * ```
+ */
+declare class HashproofClient {
+    private readonly apiKey;
+    private readonly baseUrl;
+    private readonly timeout;
+    /**
+     * Create a new HashproofClient instance.
+     *
+     * @param options - Client configuration options.
+     * @param options.apiKey - Your Hashproof API key (starts with `hpsk_`).
+     * @param options.baseUrl - Base URL for the API. Defaults to `https://api.hashproof.ai`.
+     * @param options.timeout - Request timeout in milliseconds. Defaults to 30000.
+     * @throws {Error} If no API key is provided.
+     */
+    constructor(options: HashproofClientOptions);
+    /**
+     * Store a C2PA manifest by uploading a digital asset.
+     *
+     * The API extracts the embedded C2PA manifest from the file,
+     * computes perceptual fingerprints (soft bindings), and stores
+     * everything for future resolution and verification.
+     *
+     * @param file - The file to store as a Buffer or Blob.
+     * @param options - Optional parameters.
+     * @param options.title - A human-readable title for the asset.
+     * @returns The stored manifest data along with computed soft bindings.
+     *
+     * @example
+     * ```ts
+     * const result = await client.store(fileBuffer, { title: 'My Photo' });
+     * console.log(result.manifestId);
+     * ```
+     */
+    store(file: Buffer | Blob, options?: {
+        title?: string;
+    }): Promise<StoreResult>;
+    /**
+     * Resolve provenance for a file or fingerprint.
+     *
+     * When called with a Buffer/Blob, the file is uploaded and a perceptual
+     * fingerprint is computed server-side, then matched against the manifest
+     * repository.
+     *
+     * When called with a fingerprint string, a lightweight lookup is performed
+     * without any file upload.
+     *
+     * @param fileOrFingerprint - A file (Buffer/Blob) or a hex fingerprint string.
+     * @param algorithm - The soft binding algorithm to use (default: `phash-dct-64`).
+     * @returns Matching manifests sorted by similarity.
+     *
+     * @example
+     * ```ts
+     * // Resolve by file upload
+     * const result = await client.resolve(imageBuffer);
+     *
+     * // Resolve by pre-computed fingerprint
+     * const result = await client.resolve('a1b2c3d4e5f6...', 'phash-dct-64');
+     * ```
+     */
+    resolve(file: Buffer | Blob): Promise<ResolveResult>;
+    resolve(fingerprint: string, algorithm?: string): Promise<ResolveResult>;
+    /**
+     * Verify the provenance of a digital asset.
+     *
+     * This is the main one-call verification endpoint. It checks:
+     * 1. Embedded C2PA manifests in the file
+     * 2. Hard binding (SHA-256 hash match) against stored manifests
+     * 3. Soft binding (perceptual hash) resolution
+     *
+     * @param file - The file to verify as a Buffer or Blob.
+     * @returns Verification result including provenance source, manifest data, and trust status.
+     *
+     * @example
+     * ```ts
+     * const result = await client.verify(imageBuffer);
+     * if (result.hasProvenance) {
+     *   console.log(`Source: ${result.source}, Trust: ${result.trustStatus}`);
+     * }
+     * ```
+     */
+    verify(file: Buffer | Blob): Promise<VerifyResult>;
+    /**
+     * Retrieve a manifest by its ID.
+     *
+     * @param id - The manifest UUID.
+     * @returns The full manifest data.
+     *
+     * @example
+     * ```ts
+     * const manifest = await client.getManifest('550e8400-e29b-41d4-a716-446655440000');
+     * console.log(manifest.title, manifest.validationStatus);
+     * ```
+     */
+    getManifest(id: string): Promise<ManifestData>;
+    /**
+     * Retrieve a manifest by its hard binding hash (SHA-256).
+     *
+     * @param hash - The SHA-256 hash of the original asset.
+     * @returns The matching manifest data.
+     *
+     * @example
+     * ```ts
+     * const manifest = await client.getManifestByHash('e3b0c44298fc1c149afbf4c8996fb924...');
+     * ```
+     */
+    getManifestByHash(hash: string): Promise<ManifestData>;
+    /**
+     * List manifests with optional pagination and search.
+     *
+     * @param options - Pagination and search options.
+     * @param options.page - Page number (1-indexed). Defaults to 1.
+     * @param options.perPage - Results per page. Defaults to 20.
+     * @param options.search - Search term to filter manifests by title.
+     * @returns A paginated list of manifests.
+     *
+     * @example
+     * ```ts
+     * const page = await client.listManifests({ page: 1, search: 'photo' });
+     * console.log(`${page.total} manifests found`);
+     * ```
+     */
+    listManifests(options?: {
+        page?: number;
+        perPage?: number;
+        search?: string;
+    }): Promise<PaginatedResponse<ManifestData>>;
+    /**
+     * Sign a digital asset with a C2PA manifest using Hashproof's managed signing.
+     *
+     * This is the "Let's Encrypt for C2PA" endpoint -- you upload a file and
+     * Hashproof creates a signed C2PA manifest on your behalf, without you
+     * needing to manage certificates or PKI.
+     *
+     * Requires the `sign` scope on your API key.
+     *
+     * @param file - The file to sign as a Buffer or Blob.
+     * @param options - Optional parameters.
+     * @param options.title - A human-readable title for the asset.
+     * @returns The signing result including the new manifest ID.
+     *
+     * @example
+     * ```ts
+     * const result = await client.sign(imageBuffer, { title: 'Press Photo 2024' });
+     * console.log(result.manifestId);
+     * ```
+     */
+    sign(file: Buffer | Blob, options?: {
+        title?: string;
+    }): Promise<SignResult>;
+    /**
+     * Compute a perceptual fingerprint for a file without resolving.
+     *
+     * Useful when you want to compute and store a fingerprint client-side
+     * for later resolution via `resolve(fingerprint, algorithm)`.
+     *
+     * @param file - The file to fingerprint as a Buffer or Blob.
+     * @param algorithm - The algorithm to use. Defaults to `phash-dct-64`.
+     * @returns The computed fingerprint, algorithm, and bit length.
+     *
+     * @example
+     * ```ts
+     * const fp = await client.computeFingerprint(imageBuffer, 'phash-dct-64');
+     * console.log(fp.fingerprint); // hex string
+     * ```
+     */
+    computeFingerprint(file: Buffer | Blob, algorithm?: string): Promise<FingerprintResult>;
+    /**
+     * Make an authenticated HTTP request to the Hashproof API.
+     * @internal
+     */
+    private request;
+}
+
+export { type FingerprintResult, HashproofApiError, HashproofClient, type HashproofClientOptions, type SignResult, type StoreResult };

package/dist/index.d.ts

@@ -0,0 +1,231 @@
+import * as _hashproof_shared from '@hashproof/shared';
+import { ResolveResult, VerifyResult, ManifestData, PaginatedResponse } from '@hashproof/shared';
+export { ApiError, ApiKey, ApiScope, Assertion, ComplianceDetail, ComplianceReport, HardBinding, Ingredient, ManifestData, MerkleAnchor, MerkleProof, PaginatedResponse, ResolveMatch, ResolveResult, SignatureInfo, SoftBinding, SoftBindingAlgorithm, SubscriptionTier, UsageSummary, ValidationError, ValidationResult, ValidationStatus, VerifyResult } from '@hashproof/shared';
+
+/** Options for constructing the HashproofClient. */
+interface HashproofClientOptions {
+    /** Your Hashproof API key (starts with hpsk_). */
+    apiKey: string;
+    /** Base URL for the API. Defaults to https://api.hashproof.ai. */
+    baseUrl?: string;
+    /** Request timeout in milliseconds. Defaults to 30000. */
+    timeout?: number;
+}
+/** Result returned from the store() method. */
+interface StoreResult {
+    manifestId: string;
+    manifest: _hashproof_shared.ManifestData;
+    softBindings: Array<{
+        algorithm: string;
+        value: string;
+    }>;
+}
+/** Result returned from the sign() method. */
+interface SignResult {
+    manifestId: string;
+    manifest: _hashproof_shared.ManifestData;
+    signedAssetUrl: string | null;
+    message: string;
+}
+/** Result returned from the computeFingerprint() method. */
+interface FingerprintResult {
+    fingerprint: string;
+    algorithm: _hashproof_shared.SoftBindingAlgorithm;
+    bitLength: number;
+}
+/** Error thrown by the SDK for API error responses. */
+declare class HashproofApiError extends Error {
+    /** HTTP status code. */
+    readonly statusCode: number;
+    /** Machine-readable error code. */
+    readonly code: string;
+    /** Additional error details. */
+    readonly details?: Record<string, unknown>;
+    constructor(message: string, statusCode: number, code: string, details?: Record<string, unknown>);
+}
+
+/**
+ * Official JavaScript/TypeScript client for the Hashproof Content Provenance API.
+ *
+ * @example
+ * ```ts
+ * import { HashproofClient } from '@hashproof/sdk';
+ *
+ * const client = new HashproofClient({ apiKey: 'hpsk_...' });
+ * const result = await client.verify(fileBuffer);
+ * console.log(result.hasProvenance);
+ * ```
+ */
+declare class HashproofClient {
+    private readonly apiKey;
+    private readonly baseUrl;
+    private readonly timeout;
+    /**
+     * Create a new HashproofClient instance.
+     *
+     * @param options - Client configuration options.
+     * @param options.apiKey - Your Hashproof API key (starts with `hpsk_`).
+     * @param options.baseUrl - Base URL for the API. Defaults to `https://api.hashproof.ai`.
+     * @param options.timeout - Request timeout in milliseconds. Defaults to 30000.
+     * @throws {Error} If no API key is provided.
+     */
+    constructor(options: HashproofClientOptions);
+    /**
+     * Store a C2PA manifest by uploading a digital asset.
+     *
+     * The API extracts the embedded C2PA manifest from the file,
+     * computes perceptual fingerprints (soft bindings), and stores
+     * everything for future resolution and verification.
+     *
+     * @param file - The file to store as a Buffer or Blob.
+     * @param options - Optional parameters.
+     * @param options.title - A human-readable title for the asset.
+     * @returns The stored manifest data along with computed soft bindings.
+     *
+     * @example
+     * ```ts
+     * const result = await client.store(fileBuffer, { title: 'My Photo' });
+     * console.log(result.manifestId);
+     * ```
+     */
+    store(file: Buffer | Blob, options?: {
+        title?: string;
+    }): Promise<StoreResult>;
+    /**
+     * Resolve provenance for a file or fingerprint.
+     *
+     * When called with a Buffer/Blob, the file is uploaded and a perceptual
+     * fingerprint is computed server-side, then matched against the manifest
+     * repository.
+     *
+     * When called with a fingerprint string, a lightweight lookup is performed
+     * without any file upload.
+     *
+     * @param fileOrFingerprint - A file (Buffer/Blob) or a hex fingerprint string.
+     * @param algorithm - The soft binding algorithm to use (default: `phash-dct-64`).
+     * @returns Matching manifests sorted by similarity.
+     *
+     * @example
+     * ```ts
+     * // Resolve by file upload
+     * const result = await client.resolve(imageBuffer);
+     *
+     * // Resolve by pre-computed fingerprint
+     * const result = await client.resolve('a1b2c3d4e5f6...', 'phash-dct-64');
+     * ```
+     */
+    resolve(file: Buffer | Blob): Promise<ResolveResult>;
+    resolve(fingerprint: string, algorithm?: string): Promise<ResolveResult>;
+    /**
+     * Verify the provenance of a digital asset.
+     *
+     * This is the main one-call verification endpoint. It checks:
+     * 1. Embedded C2PA manifests in the file
+     * 2. Hard binding (SHA-256 hash match) against stored manifests
+     * 3. Soft binding (perceptual hash) resolution
+     *
+     * @param file - The file to verify as a Buffer or Blob.
+     * @returns Verification result including provenance source, manifest data, and trust status.
+     *
+     * @example
+     * ```ts
+     * const result = await client.verify(imageBuffer);
+     * if (result.hasProvenance) {
+     *   console.log(`Source: ${result.source}, Trust: ${result.trustStatus}`);
+     * }
+     * ```
+     */
+    verify(file: Buffer | Blob): Promise<VerifyResult>;
+    /**
+     * Retrieve a manifest by its ID.
+     *
+     * @param id - The manifest UUID.
+     * @returns The full manifest data.
+     *
+     * @example
+     * ```ts
+     * const manifest = await client.getManifest('550e8400-e29b-41d4-a716-446655440000');
+     * console.log(manifest.title, manifest.validationStatus);
+     * ```
+     */
+    getManifest(id: string): Promise<ManifestData>;
+    /**
+     * Retrieve a manifest by its hard binding hash (SHA-256).
+     *
+     * @param hash - The SHA-256 hash of the original asset.
+     * @returns The matching manifest data.
+     *
+     * @example
+     * ```ts
+     * const manifest = await client.getManifestByHash('e3b0c44298fc1c149afbf4c8996fb924...');
+     * ```
+     */
+    getManifestByHash(hash: string): Promise<ManifestData>;
+    /**
+     * List manifests with optional pagination and search.
+     *
+     * @param options - Pagination and search options.
+     * @param options.page - Page number (1-indexed). Defaults to 1.
+     * @param options.perPage - Results per page. Defaults to 20.
+     * @param options.search - Search term to filter manifests by title.
+     * @returns A paginated list of manifests.
+     *
+     * @example
+     * ```ts
+     * const page = await client.listManifests({ page: 1, search: 'photo' });
+     * console.log(`${page.total} manifests found`);
+     * ```
+     */
+    listManifests(options?: {
+        page?: number;
+        perPage?: number;
+        search?: string;
+    }): Promise<PaginatedResponse<ManifestData>>;
+    /**
+     * Sign a digital asset with a C2PA manifest using Hashproof's managed signing.
+     *
+     * This is the "Let's Encrypt for C2PA" endpoint -- you upload a file and
+     * Hashproof creates a signed C2PA manifest on your behalf, without you
+     * needing to manage certificates or PKI.
+     *
+     * Requires the `sign` scope on your API key.
+     *
+     * @param file - The file to sign as a Buffer or Blob.
+     * @param options - Optional parameters.
+     * @param options.title - A human-readable title for the asset.
+     * @returns The signing result including the new manifest ID.
+     *
+     * @example
+     * ```ts
+     * const result = await client.sign(imageBuffer, { title: 'Press Photo 2024' });
+     * console.log(result.manifestId);
+     * ```
+     */
+    sign(file: Buffer | Blob, options?: {
+        title?: string;
+    }): Promise<SignResult>;
+    /**
+     * Compute a perceptual fingerprint for a file without resolving.
+     *
+     * Useful when you want to compute and store a fingerprint client-side
+     * for later resolution via `resolve(fingerprint, algorithm)`.
+     *
+     * @param file - The file to fingerprint as a Buffer or Blob.
+     * @param algorithm - The algorithm to use. Defaults to `phash-dct-64`.
+     * @returns The computed fingerprint, algorithm, and bit length.
+     *
+     * @example
+     * ```ts
+     * const fp = await client.computeFingerprint(imageBuffer, 'phash-dct-64');
+     * console.log(fp.fingerprint); // hex string
+     * ```
+     */
+    computeFingerprint(file: Buffer | Blob, algorithm?: string): Promise<FingerprintResult>;
+    /**
+     * Make an authenticated HTTP request to the Hashproof API.
+     * @internal
+     */
+    private request;
+}
+
+export { type FingerprintResult, HashproofApiError, HashproofClient, type HashproofClientOptions, type SignResult, type StoreResult };

package/dist/index.js

@@ -0,0 +1,307 @@
+// src/types.ts
+var HashproofApiError = class extends Error {
+  /** HTTP status code. */
+  statusCode;
+  /** Machine-readable error code. */
+  code;
+  /** Additional error details. */
+  details;
+  constructor(message, statusCode, code, details) {
+    super(message);
+    this.name = "HashproofApiError";
+    this.statusCode = statusCode;
+    this.code = code;
+    this.details = details;
+  }
+};
+
+// src/index.ts
+var DEFAULT_BASE_URL = "https://api.hashproof.ai";
+var DEFAULT_TIMEOUT = 3e4;
+var HashproofClient = class {
+  apiKey;
+  baseUrl;
+  timeout;
+  /**
+   * Create a new HashproofClient instance.
+   *
+   * @param options - Client configuration options.
+   * @param options.apiKey - Your Hashproof API key (starts with `hpsk_`).
+   * @param options.baseUrl - Base URL for the API. Defaults to `https://api.hashproof.ai`.
+   * @param options.timeout - Request timeout in milliseconds. Defaults to 30000.
+   * @throws {Error} If no API key is provided.
+   */
+  constructor(options) {
+    if (!options.apiKey) {
+      throw new Error('Hashproof API key is required. Pass { apiKey: "hpsk_..." } to the constructor.');
+    }
+    this.apiKey = options.apiKey;
+    this.baseUrl = (options.baseUrl || DEFAULT_BASE_URL).replace(/\/+$/, "");
+    this.timeout = options.timeout ?? DEFAULT_TIMEOUT;
+  }
+  // ============================================================
+  // Manifest Operations
+  // ============================================================
+  /**
+   * Store a C2PA manifest by uploading a digital asset.
+   *
+   * The API extracts the embedded C2PA manifest from the file,
+   * computes perceptual fingerprints (soft bindings), and stores
+   * everything for future resolution and verification.
+   *
+   * @param file - The file to store as a Buffer or Blob.
+   * @param options - Optional parameters.
+   * @param options.title - A human-readable title for the asset.
+   * @returns The stored manifest data along with computed soft bindings.
+   *
+   * @example
+   * ```ts
+   * const result = await client.store(fileBuffer, { title: 'My Photo' });
+   * console.log(result.manifestId);
+   * ```
+   */
+  async store(file, options) {
+    const formData = new FormData();
+    const blob = file instanceof Blob ? file : new Blob([file]);
+    formData.append("file", blob, "upload");
+    if (options?.title) {
+      formData.append("title", options.title);
+    }
+    return this.request("POST", "/v1/manifests", formData);
+  }
+  async resolve(fileOrFingerprint, algorithm) {
+    if (typeof fileOrFingerprint === "string") {
+      const params = new URLSearchParams({ fingerprint: fileOrFingerprint });
+      if (algorithm) params.set("algorithm", algorithm);
+      return this.request("GET", `/v1/resolve?${params.toString()}`);
+    }
+    const formData = new FormData();
+    const blob = fileOrFingerprint instanceof Blob ? fileOrFingerprint : new Blob([fileOrFingerprint]);
+    formData.append("file", blob, "upload");
+    if (algorithm) {
+      formData.append("algorithm", algorithm);
+    }
+    return this.request("POST", "/v1/resolve", formData);
+  }
+  /**
+   * Verify the provenance of a digital asset.
+   *
+   * This is the main one-call verification endpoint. It checks:
+   * 1. Embedded C2PA manifests in the file
+   * 2. Hard binding (SHA-256 hash match) against stored manifests
+   * 3. Soft binding (perceptual hash) resolution
+   *
+   * @param file - The file to verify as a Buffer or Blob.
+   * @returns Verification result including provenance source, manifest data, and trust status.
+   *
+   * @example
+   * ```ts
+   * const result = await client.verify(imageBuffer);
+   * if (result.hasProvenance) {
+   *   console.log(`Source: ${result.source}, Trust: ${result.trustStatus}`);
+   * }
+   * ```
+   */
+  async verify(file) {
+    const formData = new FormData();
+    const blob = file instanceof Blob ? file : new Blob([file]);
+    formData.append("file", blob, "upload");
+    return this.request("POST", "/v1/verify", formData);
+  }
+  /**
+   * Retrieve a manifest by its ID.
+   *
+   * @param id - The manifest UUID.
+   * @returns The full manifest data.
+   *
+   * @example
+   * ```ts
+   * const manifest = await client.getManifest('550e8400-e29b-41d4-a716-446655440000');
+   * console.log(manifest.title, manifest.validationStatus);
+   * ```
+   */
+  async getManifest(id) {
+    return this.request("GET", `/v1/manifests/${encodeURIComponent(id)}`);
+  }
+  /**
+   * Retrieve a manifest by its hard binding hash (SHA-256).
+   *
+   * @param hash - The SHA-256 hash of the original asset.
+   * @returns The matching manifest data.
+   *
+   * @example
+   * ```ts
+   * const manifest = await client.getManifestByHash('e3b0c44298fc1c149afbf4c8996fb924...');
+   * ```
+   */
+  async getManifestByHash(hash) {
+    const params = new URLSearchParams({ hash });
+    return this.request("GET", `/v1/manifests?${params.toString()}`);
+  }
+  /**
+   * List manifests with optional pagination and search.
+   *
+   * @param options - Pagination and search options.
+   * @param options.page - Page number (1-indexed). Defaults to 1.
+   * @param options.perPage - Results per page. Defaults to 20.
+   * @param options.search - Search term to filter manifests by title.
+   * @returns A paginated list of manifests.
+   *
+   * @example
+   * ```ts
+   * const page = await client.listManifests({ page: 1, search: 'photo' });
+   * console.log(`${page.total} manifests found`);
+   * ```
+   */
+  async listManifests(options) {
+    const params = new URLSearchParams();
+    if (options?.page) params.set("page", String(options.page));
+    if (options?.perPage) params.set("perPage", String(options.perPage));
+    if (options?.search) params.set("search", options.search);
+    const query = params.toString();
+    return this.request(
+      "GET",
+      `/v1/manifests${query ? `?${query}` : ""}`
+    );
+  }
+  // ============================================================
+  // Signing
+  // ============================================================
+  /**
+   * Sign a digital asset with a C2PA manifest using Hashproof's managed signing.
+   *
+   * This is the "Let's Encrypt for C2PA" endpoint -- you upload a file and
+   * Hashproof creates a signed C2PA manifest on your behalf, without you
+   * needing to manage certificates or PKI.
+   *
+   * Requires the `sign` scope on your API key.
+   *
+   * @param file - The file to sign as a Buffer or Blob.
+   * @param options - Optional parameters.
+   * @param options.title - A human-readable title for the asset.
+   * @returns The signing result including the new manifest ID.
+   *
+   * @example
+   * ```ts
+   * const result = await client.sign(imageBuffer, { title: 'Press Photo 2024' });
+   * console.log(result.manifestId);
+   * ```
+   */
+  async sign(file, options) {
+    const formData = new FormData();
+    const blob = file instanceof Blob ? file : new Blob([file]);
+    formData.append("file", blob, "upload");
+    if (options?.title) {
+      formData.append("title", options.title);
+    }
+    return this.request("POST", "/v1/sign", formData);
+  }
+  // ============================================================
+  // Fingerprinting
+  // ============================================================
+  /**
+   * Compute a perceptual fingerprint for a file without resolving.
+   *
+   * Useful when you want to compute and store a fingerprint client-side
+   * for later resolution via `resolve(fingerprint, algorithm)`.
+   *
+   * @param file - The file to fingerprint as a Buffer or Blob.
+   * @param algorithm - The algorithm to use. Defaults to `phash-dct-64`.
+   * @returns The computed fingerprint, algorithm, and bit length.
+   *
+   * @example
+   * ```ts
+   * const fp = await client.computeFingerprint(imageBuffer, 'phash-dct-64');
+   * console.log(fp.fingerprint); // hex string
+   * ```
+   */
+  async computeFingerprint(file, algorithm) {
+    const formData = new FormData();
+    const blob = file instanceof Blob ? file : new Blob([file]);
+    formData.append("file", blob, "upload");
+    if (algorithm) {
+      formData.append("algorithm", algorithm);
+    }
+    return this.request("POST", "/v1/fingerprint", formData);
+  }
+  // ============================================================
+  // Internal HTTP Client
+  // ============================================================
+  /**
+   * Make an authenticated HTTP request to the Hashproof API.
+   * @internal
+   */
+  async request(method, path, body) {
+    const url = `${this.baseUrl}${path}`;
+    const headers = {
+      Authorization: `Bearer ${this.apiKey}`,
+      Accept: "application/json"
+    };
+    let requestBody;
+    if (body instanceof FormData) {
+      requestBody = body;
+    } else if (body) {
+      headers["Content-Type"] = "application/json";
+      requestBody = JSON.stringify(body);
+    }
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+    let response;
+    try {
+      response = await fetch(url, {
+        method,
+        headers,
+        body: requestBody,
+        signal: controller.signal
+      });
+    } catch (err) {
+      clearTimeout(timeoutId);
+      if (err instanceof DOMException && err.name === "AbortError") {
+        throw new HashproofApiError(
+          `Request timed out after ${this.timeout}ms`,
+          0,
+          "TIMEOUT"
+        );
+      }
+      throw new HashproofApiError(
+        `Network error: ${err instanceof Error ? err.message : String(err)}`,
+        0,
+        "NETWORK_ERROR"
+      );
+    } finally {
+      clearTimeout(timeoutId);
+    }
+    const responseBody = await response.text();
+    let parsed;
+    try {
+      parsed = JSON.parse(responseBody);
+    } catch {
+      if (!response.ok) {
+        throw new HashproofApiError(
+          `HTTP ${response.status}: ${responseBody.slice(0, 200)}`,
+          response.status,
+          "UNEXPECTED_RESPONSE"
+        );
+      }
+      throw new HashproofApiError(
+        "Failed to parse API response as JSON",
+        response.status,
+        "PARSE_ERROR"
+      );
+    }
+    if (!response.ok) {
+      const errBody = parsed;
+      throw new HashproofApiError(
+        errBody.error || `HTTP ${response.status}`,
+        errBody.statusCode || response.status,
+        errBody.code || "API_ERROR",
+        errBody.details
+      );
+    }
+    return parsed;
+  }
+};
+export {
+  HashproofApiError,
+  HashproofClient
+};

package/package.json

@@ -0,0 +1,54 @@
+{
+  "name": "@hashproof/sdk",
+  "version": "0.2.0",
+  "description": "Official JavaScript/TypeScript SDK for the Hashproof Content Provenance API",
+  "type": "module",
+  "main": "./dist/index.cjs",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": {
+        "types": "./dist/index.d.ts",
+        "default": "./dist/index.js"
+      },
+      "require": {
+        "types": "./dist/index.d.cts",
+        "default": "./dist/index.cjs"
+      }
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "dependencies": {
+    "@hashproof/shared": "0.1.0"
+  },
+  "devDependencies": {
+    "typescript": "^5.4.0",
+    "tsup": "^8.0.0",
+    "vitest": "^1.3.0",
+    "@types/node": "^20.11.0"
+  },
+  "keywords": [
+    "hashproof",
+    "c2pa",
+    "content-provenance",
+    "content-authenticity",
+    "sdk"
+  ],
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/hashproof/hashproof",
+    "directory": "packages/sdk-js"
+  },
+  "scripts": {
+    "build": "tsup src/index.ts --format cjs,esm --dts --out-dir dist",
+    "build:tsc": "tsc",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "typecheck": "tsc --noEmit",
+    "lint": "eslint src/"
+  }
+}