@mindees/updates 0.1.0

package/dist/server.d.ts

@@ -0,0 +1,83 @@
+import { SignedManifest } from "./signing.js";
+
+//#region src/server.d.ts
+/** A published release the server can offer. */
+interface PublishedRelease {
+  /** The pre-signed manifest (the server never signs — signing is offline). */
+  readonly signed: SignedManifest;
+  /** Release channel; defaults to `"stable"`. */
+  readonly channel?: string;
+  /** Staged-rollout percentage in `[0, 100]`. Default 100 (everyone). */
+  readonly rollout?: number;
+}
+/** An operator directive to roll a channel's clients back to the embedded build. */
+interface RollbackDirective {
+  /** Channel the directive applies to; defaults to `"stable"`. */
+  readonly channel?: string;
+  /** Applies to clients whose current version is ≥ this. Default 0 (all). */
+  readonly sinceVersion?: number;
+}
+/** Injected server I/O: the release catalog + asset bytes (+ optional rollbacks). */
+interface UpdateServerStore {
+  /** Every published release the server may select among. */
+  listReleases(): Promise<readonly PublishedRelease[]>;
+  /** Asset bytes by lowercase-hex SHA-256, or `null` if absent. */
+  getAsset(sha256: string): Promise<Uint8Array | null>;
+  /** Active rollback directives. Optional; default none. */
+  listRollbacks?(): Promise<readonly RollbackDirective[]>;
+}
+/** A client's update query. */
+interface ResolveUpdateQuery {
+  /** The client's native runtime version (must match a release exactly). */
+  readonly runtimeVersion: string;
+  /** Channel to resolve against; defaults to `"stable"`. */
+  readonly channel?: string;
+  /**
+   * The client's anti-downgrade floor — its **high-water mark** (`state().highestVersion`),
+   * not necessarily the version currently running (which can be lower after a rollback).
+   * The server never offers a version `≤` this. Default 0. A non-integer/negative value
+   * is treated as 0 (fail closed).
+   */
+  readonly currentVersion?: number;
+  /** A stable per-device id for deterministic staged-rollout bucketing. */
+  readonly rolloutKey?: string;
+}
+/** The outcome of {@link UpdateServer.resolveUpdate}. */
+type UpdateResolution = {
+  readonly type: 'update';
+  readonly signed: SignedManifest;
+} | {
+  readonly type: 'no-update';
+} | {
+  readonly type: 'roll-back-to-embedded';
+};
+/** Options for {@link createUpdateServer}. */
+interface UpdateServerOptions {
+  /** Injected release/asset/rollback I/O. */
+  readonly store: UpdateServerStore;
+  /** Clock, for expiry checks + tests. Default `() => Date.now()`. */
+  readonly now?: () => number;
+}
+/** The reference update server. */
+interface UpdateServer {
+  /** Resolve the best update for a client query (or no-update / roll-back). */
+  resolveUpdate(query: ResolveUpdateQuery): Promise<UpdateResolution>;
+  /** Serve an asset's bytes by SHA-256 (or `null` if absent / malformed address). */
+  getAsset(sha256: string): Promise<Uint8Array | null>;
+}
+/** Create a {@link UpdateServer}. */
+declare function createUpdateServer(options: UpdateServerOptions): UpdateServer;
+/** A mutable in-memory {@link UpdateServerStore} for tests, examples, and reference. */
+interface MemoryUpdateServerStore extends UpdateServerStore {
+  /** Publish a release. */
+  publish(release: PublishedRelease): void;
+  /** Store an asset's bytes under its SHA-256. */
+  putAsset(sha256: string, bytes: Uint8Array): void;
+  /** Post a rollback directive. */
+  rollback(directive: RollbackDirective): void;
+}
+/** Create an in-memory {@link UpdateServerStore}. */
+declare function createMemoryUpdateServerStore(): MemoryUpdateServerStore;
+//#endregion
+export { MemoryUpdateServerStore, PublishedRelease, ResolveUpdateQuery, RollbackDirective, UpdateResolution, UpdateServer, UpdateServerOptions, UpdateServerStore, createMemoryUpdateServerStore, createUpdateServer };
+//# sourceMappingURL=server.d.ts.map

package/dist/server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.d.ts","names":[],"sources":["../src/server.ts"],"mappings":";;;AAyCA;AAAA,UAlBiB,gBAAA;;WAEN,MAAA,EAAQ,cAAc;EAkBf;EAAA,SAhBP,OAAA;EAkBiB;EAAA,SAhBjB,OAAA;AAAA;;UAIM,iBAAA;EAUf;EAAA,SARS,OAAA;EAQwB;EAAA,SANxB,YAAY;AAAA;;UAIN,iBAAA;EAMf;EAJA,YAAA,IAAgB,OAAA,UAAiB,gBAAA;EAIE;EAFnC,QAAA,CAAS,MAAA,WAAiB,OAAA,CAAQ,UAAA;EAEkB;EAApD,aAAA,KAAkB,OAAA,UAAiB,iBAAA;AAAA;;UAIpB,kBAAA;EAEN;EAAA,SAAA,cAAA;EASA;EAAA,SAPA,OAAA;EASU;AAAA;AAIrB;;;;EAJqB,SAFV,cAAA;EAO6B;EAAA,SAL7B,UAAA;AAAA;;KAIC,gBAAA;EAAA,SACG,IAAA;EAAA,SAAyB,MAAA,EAAQ,cAAc;AAAA;EAAA,SAC/C,IAAA;AAAA;EAAA,SACA,IAAA;AAAA;;UAGE,mBAAA;EAIH;EAAA,SAFH,KAAA,EAAO,iBAAiB;EAMN;EAAA,SAJlB,GAAA;AAAA;;UAIM,YAAA;EAImB;EAFlC,aAAA,CAAc,KAAA,EAAO,kBAAA,GAAqB,OAAA,CAAQ,gBAAA;EAEjB;EAAjC,QAAA,CAAS,MAAA,WAAiB,OAAA,CAAQ,UAAA;AAAA;;iBAqBpB,kBAAA,CAAmB,OAAA,EAAS,mBAAA,GAAsB,YAAY;;UA6D7D,uBAAA,SAAgC,iBAAA;EAlF/C;EAoFA,OAAA,CAAQ,OAAA,EAAS,gBAAA;EApFS;EAsF1B,QAAA,CAAS,MAAA,UAAgB,KAAA,EAAO,UAAA;EAtFY;EAwF5C,QAAA,CAAS,SAAA,EAAW,iBAAA;AAAA;;iBAIN,6BAAA,IAAiC,uBAAuB"}

package/dist/server.js

@@ -0,0 +1,109 @@
+import { sha256Hex, utf8 } from "./crypto.js";
+import { parseManifest } from "./manifest.js";
+//#region src/server.ts
+/**
+* The Pulse **reference update server** core — the other side of the wire from the
+* {@link "./client".UpdateClient}. It is a pure, capability-injected function of an
+* {@link UpdateServerStore} (the release list + asset bytes + optional rollback
+* directives) and a clock, so selection / staged-rollout / anti-downgrade / freeze
+* logic is deterministic and unit-testable with no network and no native I/O.
+*
+* It is exported from the **`@mindees/updates/server`** subpath, never the device
+* entry, so a client bundle never pulls server code. A thin `node:http` adapter lives
+* in `examples/pulse-server/`.
+*
+* **The server never signs.** Signing is an offline build step (see `signing.ts`); the
+* store holds only pre-signed {@link SignedManifest} objects, and the server returns
+* them verbatim — it holds no private key. See `docs/adr/0010-pulse-reference-server.md`.
+*
+* @module
+*/
+const SHA256_HEX = /^[0-9a-f]{64}$/;
+const UINT32 = 4294967296;
+/** Deterministic `[0, 100)` cohort bucket for a (release, device) pair. */
+function rolloutBucket(manifestId, rolloutKey) {
+	const hex = sha256Hex(utf8(`${manifestId}:${rolloutKey}`)).slice(0, 8);
+	return Number.parseInt(hex, 16) / UINT32 * 100;
+}
+/** Whether a device is eligible for a release at the given rollout percentage. */
+function isEligible(manifestId, rollout, rolloutKey) {
+	if (rollout >= 100) return true;
+	if (rollout <= 0) return false;
+	if (rolloutKey === void 0) return false;
+	return rolloutBucket(manifestId, rolloutKey) < rollout;
+}
+/** Create a {@link UpdateServer}. */
+function createUpdateServer(options) {
+	const { store, now = () => Date.now() } = options;
+	return {
+		async resolveUpdate(query) {
+			const channel = query.channel ?? "stable";
+			const cv = query.currentVersion;
+			const currentVersion = typeof cv === "number" && Number.isInteger(cv) && cv >= 0 ? cv : 0;
+			const rollbacks = store.listRollbacks ? await store.listRollbacks() : [];
+			for (const rb of rollbacks) if ((rb.channel ?? "stable") === channel && currentVersion >= (rb.sinceVersion ?? 0)) return { type: "roll-back-to-embedded" };
+			const releases = await store.listReleases();
+			let best = null;
+			for (const rel of releases) {
+				if ((rel.channel ?? "stable") !== channel) continue;
+				let id;
+				let version;
+				let runtimeVersion;
+				let expires;
+				try {
+					const m = parseManifest(rel.signed.manifest);
+					id = m.id;
+					version = m.version;
+					runtimeVersion = m.runtimeVersion;
+					expires = m.expires;
+				} catch {
+					continue;
+				}
+				if (runtimeVersion !== query.runtimeVersion) continue;
+				if (version <= currentVersion) continue;
+				if (expires !== void 0 && Date.parse(expires) <= now()) continue;
+				if (!isEligible(id, rel.rollout ?? 100, query.rolloutKey)) continue;
+				if (!best || version > best.version || version === best.version && id < best.id) best = {
+					version,
+					id,
+					signed: rel.signed
+				};
+			}
+			return best ? {
+				type: "update",
+				signed: best.signed
+			} : { type: "no-update" };
+		},
+		getAsset(sha256) {
+			if (!SHA256_HEX.test(sha256)) return Promise.resolve(null);
+			return store.getAsset(sha256);
+		}
+	};
+}
+/** Create an in-memory {@link UpdateServerStore}. */
+function createMemoryUpdateServerStore() {
+	const releases = [];
+	const rollbacks = [];
+	const assets = /* @__PURE__ */ new Map();
+	return {
+		listReleases: () => Promise.resolve([...releases]),
+		listRollbacks: () => Promise.resolve([...rollbacks]),
+		getAsset: (sha256) => {
+			const bytes = assets.get(sha256);
+			return Promise.resolve(bytes ? new Uint8Array(bytes) : null);
+		},
+		publish: (release) => {
+			releases.push(release);
+		},
+		putAsset: (sha256, bytes) => {
+			assets.set(sha256, new Uint8Array(bytes));
+		},
+		rollback: (directive) => {
+			rollbacks.push(directive);
+		}
+	};
+}
+//#endregion
+export { createMemoryUpdateServerStore, createUpdateServer };
+
+//# sourceMappingURL=server.js.map

package/dist/server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"server.js","names":[],"sources":["../src/server.ts"],"sourcesContent":["/**\n * The Pulse **reference update server** core — the other side of the wire from the\n * {@link \"./client\".UpdateClient}. It is a pure, capability-injected function of an\n * {@link UpdateServerStore} (the release list + asset bytes + optional rollback\n * directives) and a clock, so selection / staged-rollout / anti-downgrade / freeze\n * logic is deterministic and unit-testable with no network and no native I/O.\n *\n * It is exported from the **`@mindees/updates/server`** subpath, never the device\n * entry, so a client bundle never pulls server code. A thin `node:http` adapter lives\n * in `examples/pulse-server/`.\n *\n * **The server never signs.** Signing is an offline build step (see `signing.ts`); the\n * store holds only pre-signed {@link SignedManifest} objects, and the server returns\n * them verbatim — it holds no private key. See `docs/adr/0010-pulse-reference-server.md`.\n *\n * @module\n */\n\nimport { sha256Hex, utf8 } from './crypto'\nimport { parseManifest } from './manifest'\nimport type { SignedManifest } from './signing'\n\n/** A published release the server can offer. */\nexport interface PublishedRelease {\n  /** The pre-signed manifest (the server never signs — signing is offline). */\n  readonly signed: SignedManifest\n  /** Release channel; defaults to `\"stable\"`. */\n  readonly channel?: string\n  /** Staged-rollout percentage in `[0, 100]`. Default 100 (everyone). */\n  readonly rollout?: number\n}\n\n/** An operator directive to roll a channel's clients back to the embedded build. */\nexport interface RollbackDirective {\n  /** Channel the directive applies to; defaults to `\"stable\"`. */\n  readonly channel?: string\n  /** Applies to clients whose current version is ≥ this. Default 0 (all). */\n  readonly sinceVersion?: number\n}\n\n/** Injected server I/O: the release catalog + asset bytes (+ optional rollbacks). */\nexport interface UpdateServerStore {\n  /** Every published release the server may select among. */\n  listReleases(): Promise<readonly PublishedRelease[]>\n  /** Asset bytes by lowercase-hex SHA-256, or `null` if absent. */\n  getAsset(sha256: string): Promise<Uint8Array | null>\n  /** Active rollback directives. Optional; default none. */\n  listRollbacks?(): Promise<readonly RollbackDirective[]>\n}\n\n/** A client's update query. */\nexport interface ResolveUpdateQuery {\n  /** The client's native runtime version (must match a release exactly). */\n  readonly runtimeVersion: string\n  /** Channel to resolve against; defaults to `\"stable\"`. */\n  readonly channel?: string\n  /**\n   * The client's anti-downgrade floor — its **high-water mark** (`state().highestVersion`),\n   * not necessarily the version currently running (which can be lower after a rollback).\n   * The server never offers a version `≤` this. Default 0. A non-integer/negative value\n   * is treated as 0 (fail closed).\n   */\n  readonly currentVersion?: number\n  /** A stable per-device id for deterministic staged-rollout bucketing. */\n  readonly rolloutKey?: string\n}\n\n/** The outcome of {@link UpdateServer.resolveUpdate}. */\nexport type UpdateResolution =\n  | { readonly type: 'update'; readonly signed: SignedManifest }\n  | { readonly type: 'no-update' }\n  | { readonly type: 'roll-back-to-embedded' }\n\n/** Options for {@link createUpdateServer}. */\nexport interface UpdateServerOptions {\n  /** Injected release/asset/rollback I/O. */\n  readonly store: UpdateServerStore\n  /** Clock, for expiry checks + tests. Default `() => Date.now()`. */\n  readonly now?: () => number\n}\n\n/** The reference update server. */\nexport interface UpdateServer {\n  /** Resolve the best update for a client query (or no-update / roll-back). */\n  resolveUpdate(query: ResolveUpdateQuery): Promise<UpdateResolution>\n  /** Serve an asset's bytes by SHA-256 (or `null` if absent / malformed address). */\n  getAsset(sha256: string): Promise<Uint8Array | null>\n}\n\nconst SHA256_HEX = /^[0-9a-f]{64}$/\nconst UINT32 = 0x1_0000_0000\n\n/** Deterministic `[0, 100)` cohort bucket for a (release, device) pair. */\nfunction rolloutBucket(manifestId: string, rolloutKey: string): number {\n  const hex = sha256Hex(utf8(`${manifestId}:${rolloutKey}`)).slice(0, 8)\n  return (Number.parseInt(hex, 16) / UINT32) * 100\n}\n\n/** Whether a device is eligible for a release at the given rollout percentage. */\nfunction isEligible(manifestId: string, rollout: number, rolloutKey: string | undefined): boolean {\n  if (rollout >= 100) return true\n  if (rollout <= 0) return false\n  if (rolloutKey === undefined) return false // a partial rollout needs a stable key\n  return rolloutBucket(manifestId, rolloutKey) < rollout\n}\n\n/** Create a {@link UpdateServer}. */\nexport function createUpdateServer(options: UpdateServerOptions): UpdateServer {\n  const { store, now = () => Date.now() } = options\n\n  return {\n    async resolveUpdate(query): Promise<UpdateResolution> {\n      const channel = query.channel ?? 'stable'\n      // Fail closed on a degenerate floor: a NaN/negative/non-integer currentVersion\n      // would otherwise make `version <= currentVersion` and `>= sinceVersion` silently\n      // no-op (NaN comparisons are always false). Treat anything invalid as 0.\n      const cv = query.currentVersion\n      const currentVersion = typeof cv === 'number' && Number.isInteger(cv) && cv >= 0 ? cv : 0\n\n      // 1. Emergency rollback directive for this channel takes precedence (the\n      //    \"stop everything\" signal). To ship a forward fix instead, clear the\n      //    directive — see ADR-0010 (a version-bounded directive is a future extension).\n      const rollbacks = store.listRollbacks ? await store.listRollbacks() : []\n      for (const rb of rollbacks) {\n        if ((rb.channel ?? 'stable') === channel && currentVersion >= (rb.sinceVersion ?? 0)) {\n          return { type: 'roll-back-to-embedded' }\n        }\n      }\n\n      // 2. Best eligible release: channel + runtime match, strictly newer than the\n      //    client's floor, not expired, rollout-eligible; highest version wins, ties\n      //    broken by id so selection never depends on store iteration order.\n      const releases = await store.listReleases()\n      let best: { version: number; id: string; signed: SignedManifest } | null = null\n      for (const rel of releases) {\n        if ((rel.channel ?? 'stable') !== channel) continue\n        let id: string\n        let version: number\n        let runtimeVersion: string\n        let expires: string | undefined\n        try {\n          const m = parseManifest(rel.signed.manifest)\n          id = m.id\n          version = m.version\n          runtimeVersion = m.runtimeVersion\n          expires = m.expires\n        } catch {\n          continue // skip a malformed release rather than failing the whole query\n        }\n        if (runtimeVersion !== query.runtimeVersion) continue\n        if (version <= currentVersion) continue // anti-downgrade: never offer an older build\n        if (expires !== undefined && Date.parse(expires) <= now()) continue // freeze\n        if (!isEligible(id, rel.rollout ?? 100, query.rolloutKey)) continue\n        if (!best || version > best.version || (version === best.version && id < best.id)) {\n          best = { version, id, signed: rel.signed }\n        }\n      }\n      return best ? { type: 'update', signed: best.signed } : { type: 'no-update' }\n    },\n\n    getAsset(sha256): Promise<Uint8Array | null> {\n      if (!SHA256_HEX.test(sha256)) return Promise.resolve(null)\n      return store.getAsset(sha256)\n    },\n  }\n}\n\n/** A mutable in-memory {@link UpdateServerStore} for tests, examples, and reference. */\nexport interface MemoryUpdateServerStore extends UpdateServerStore {\n  /** Publish a release. */\n  publish(release: PublishedRelease): void\n  /** Store an asset's bytes under its SHA-256. */\n  putAsset(sha256: string, bytes: Uint8Array): void\n  /** Post a rollback directive. */\n  rollback(directive: RollbackDirective): void\n}\n\n/** Create an in-memory {@link UpdateServerStore}. */\nexport function createMemoryUpdateServerStore(): MemoryUpdateServerStore {\n  const releases: PublishedRelease[] = []\n  const rollbacks: RollbackDirective[] = []\n  const assets = new Map<string, Uint8Array>()\n  return {\n    listReleases: () => Promise.resolve([...releases]),\n    listRollbacks: () => Promise.resolve([...rollbacks]),\n    getAsset: (sha256) => {\n      const bytes = assets.get(sha256)\n      return Promise.resolve(bytes ? new Uint8Array(bytes) : null)\n    },\n    publish: (release) => {\n      releases.push(release)\n    },\n    putAsset: (sha256, bytes) => {\n      assets.set(sha256, new Uint8Array(bytes))\n    },\n    rollback: (directive) => {\n      rollbacks.push(directive)\n    },\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AAyFA,MAAM,aAAa;AACnB,MAAM,SAAS;;AAGf,SAAS,cAAc,YAAoB,YAA4B;CACrE,MAAM,MAAM,UAAU,KAAK,GAAG,WAAW,GAAG,YAAY,CAAC,EAAE,MAAM,GAAG,CAAC;CACrE,OAAQ,OAAO,SAAS,KAAK,EAAE,IAAI,SAAU;AAC/C;;AAGA,SAAS,WAAW,YAAoB,SAAiB,YAAyC;CAChG,IAAI,WAAW,KAAK,OAAO;CAC3B,IAAI,WAAW,GAAG,OAAO;CACzB,IAAI,eAAe,KAAA,GAAW,OAAO;CACrC,OAAO,cAAc,YAAY,UAAU,IAAI;AACjD;;AAGA,SAAgB,mBAAmB,SAA4C;CAC7E,MAAM,EAAE,OAAO,YAAY,KAAK,IAAI,MAAM;CAE1C,OAAO;EACL,MAAM,cAAc,OAAkC;GACpD,MAAM,UAAU,MAAM,WAAW;GAIjC,MAAM,KAAK,MAAM;GACjB,MAAM,iBAAiB,OAAO,OAAO,YAAY,OAAO,UAAU,EAAE,KAAK,MAAM,IAAI,KAAK;GAKxF,MAAM,YAAY,MAAM,gBAAgB,MAAM,MAAM,cAAc,IAAI,CAAC;GACvE,KAAK,MAAM,MAAM,WACf,KAAK,GAAG,WAAW,cAAc,WAAW,mBAAmB,GAAG,gBAAgB,IAChF,OAAO,EAAE,MAAM,wBAAwB;GAO3C,MAAM,WAAW,MAAM,MAAM,aAAa;GAC1C,IAAI,OAAuE;GAC3E,KAAK,MAAM,OAAO,UAAU;IAC1B,KAAK,IAAI,WAAW,cAAc,SAAS;IAC3C,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;IACJ,IAAI;KACF,MAAM,IAAI,cAAc,IAAI,OAAO,QAAQ;KAC3C,KAAK,EAAE;KACP,UAAU,EAAE;KACZ,iBAAiB,EAAE;KACnB,UAAU,EAAE;IACd,QAAQ;KACN;IACF;IACA,IAAI,mBAAmB,MAAM,gBAAgB;IAC7C,IAAI,WAAW,gBAAgB;IAC/B,IAAI,YAAY,KAAA,KAAa,KAAK,MAAM,OAAO,KAAK,IAAI,GAAG;IAC3D,IAAI,CAAC,WAAW,IAAI,IAAI,WAAW,KAAK,MAAM,UAAU,GAAG;IAC3D,IAAI,CAAC,QAAQ,UAAU,KAAK,WAAY,YAAY,KAAK,WAAW,KAAK,KAAK,IAC5E,OAAO;KAAE;KAAS;KAAI,QAAQ,IAAI;IAAO;GAE7C;GACA,OAAO,OAAO;IAAE,MAAM;IAAU,QAAQ,KAAK;GAAO,IAAI,EAAE,MAAM,YAAY;EAC9E;EAEA,SAAS,QAAoC;GAC3C,IAAI,CAAC,WAAW,KAAK,MAAM,GAAG,OAAO,QAAQ,QAAQ,IAAI;GACzD,OAAO,MAAM,SAAS,MAAM;EAC9B;CACF;AACF;;AAaA,SAAgB,gCAAyD;CACvE,MAAM,WAA+B,CAAC;CACtC,MAAM,YAAiC,CAAC;CACxC,MAAM,yBAAS,IAAI,IAAwB;CAC3C,OAAO;EACL,oBAAoB,QAAQ,QAAQ,CAAC,GAAG,QAAQ,CAAC;EACjD,qBAAqB,QAAQ,QAAQ,CAAC,GAAG,SAAS,CAAC;EACnD,WAAW,WAAW;GACpB,MAAM,QAAQ,OAAO,IAAI,MAAM;GAC/B,OAAO,QAAQ,QAAQ,QAAQ,IAAI,WAAW,KAAK,IAAI,IAAI;EAC7D;EACA,UAAU,YAAY;GACpB,SAAS,KAAK,OAAO;EACvB;EACA,WAAW,QAAQ,UAAU;GAC3B,OAAO,IAAI,QAAQ,IAAI,WAAW,KAAK,CAAC;EAC1C;EACA,WAAW,cAAc;GACvB,UAAU,KAAK,SAAS;EAC1B;CACF;AACF"}

package/dist/signing.d.ts

@@ -0,0 +1,54 @@
+import { UpdateManifest } from "./manifest.js";
+
+//#region src/signing.d.ts
+/** One signature over the canonical manifest bytes, tagged with its key id. */
+interface SignatureEntry {
+  /** Which trusted key produced this signature. */
+  readonly keyId: string;
+  /** Lowercase hex Ed25519 signature over `utf8(manifest)`. */
+  readonly signature: string;
+}
+/** A manifest plus the canonical bytes that were signed and the signatures. */
+interface SignedManifest {
+  /** The exact canonical JSON string that was signed (verify over these bytes). */
+  readonly manifest: string;
+  /** One or more signatures over `manifest`. */
+  readonly signatures: readonly SignatureEntry[];
+}
+/** A signing key (build/server side — keep the secret key offline). */
+interface Signer {
+  readonly keyId: string;
+  readonly secretKey: Uint8Array;
+}
+/** A trusted verification key (embedded in the app). */
+interface TrustedKey {
+  readonly keyId: string;
+  /** Lowercase hex Ed25519 public key. */
+  readonly publicKey: string;
+}
+declare const verifiedBrand: unique symbol;
+/**
+ * An {@link UpdateManifest} whose signature has been verified against trusted keys.
+ * The brand is unforgeable in TypeScript: only {@link verifySignedManifest} (and
+ * therefore {@link "./client".UpdateClient.check}) can produce one. APIs that
+ * activate code — `download()` / `apply()` — accept only a `VerifiedManifest`, so a
+ * caller cannot smuggle an unsigned, locally-constructed manifest past the trust gate.
+ */
+type VerifiedManifest = UpdateManifest & {
+  readonly [verifiedBrand]: true;
+};
+/**
+ * Sign a manifest with one or more {@link Signer}s. Produces the canonical bytes
+ * and a signature per signer.
+ */
+declare function signManifest(manifest: UpdateManifest, signers: readonly Signer[]): SignedManifest;
+/**
+ * Verify a {@link SignedManifest}: require `≥ threshold` valid signatures from
+ * **distinct trusted public keys** (verified over the exact shipped bytes), then
+ * parse and return the manifest. `threshold` must be a positive integer. Throws
+ * {@link UpdateError} (`SIGNATURE_INVALID`) otherwise.
+ */
+declare function verifySignedManifest(signed: SignedManifest, trustedKeys: readonly TrustedKey[], threshold?: number): VerifiedManifest;
+//#endregion
+export { SignatureEntry, SignedManifest, Signer, TrustedKey, VerifiedManifest, signManifest, verifySignedManifest };
+//# sourceMappingURL=signing.d.ts.map

package/dist/signing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.d.ts","names":[],"sources":["../src/signing.ts"],"mappings":";;;;UAkBiB,cAAA;EAY6B;EAAA,SAVnC,KAAA;EAcM;EAAA,SAZN,SAAS;AAAA;;UAIH,cAAA;EAUN;EAAA,SARA,QAAA;EAQqB;EAAA,SANrB,UAAA,WAAqB,cAAc;AAAA;;UAI7B,MAAA;EAAA,SACN,KAAA;EAAA,SACA,SAAA,EAAW,UAAU;AAAA;;UAIf,UAAA;EAAA,SACN,KAAA;EAK+B;EAAA,SAH/B,SAAS;AAAA;AAAA,cAGN,aAAA;;AAS2D;AAMzE;;;;;KANY,gBAAA,GAAmB,cAAA;EAAA,UAA6B,aAAa;AAAA;;;;;iBAMzD,YAAA,CAAa,QAAA,EAAU,cAAA,EAAgB,OAAA,WAAkB,MAAA,KAAW,cAAA;;AAAc;AAiBlG;;;;iBAAgB,oBAAA,CACd,MAAA,EAAQ,cAAA,EACR,WAAA,WAAsB,UAAA,IACtB,SAAA,YACC,gBAAA"}

package/dist/signing.js

@@ -0,0 +1,64 @@
+import { fromHex, sign, toHex, utf8, verify } from "./crypto.js";
+import { UpdateError } from "./errors.js";
+import { canonicalManifestJson, parseManifest } from "./manifest.js";
+//#region src/signing.ts
+/**
+* Signing + verification of update manifests (the trust layer over {@link crypto}).
+*
+* A {@link SignedManifest} ships the **exact canonical JSON bytes that were signed**
+* plus the signatures, so the verifier checks the signature over the *received*
+* bytes and never re-serializes — sidestepping JSON-canonicalization edge cases.
+* Verification requires `≥ threshold` valid signatures from **distinct trusted
+* public keys** (default 1), which supports key rotation (trust old + new) and
+* multi-party signing. A signature whose `keyId` is not trusted is ignored.
+*
+* @module
+*/
+/**
+* Sign a manifest with one or more {@link Signer}s. Produces the canonical bytes
+* and a signature per signer.
+*/
+function signManifest(manifest, signers) {
+	if (signers.length === 0) throw new UpdateError("SIGNATURE_INVALID", "no signers provided");
+	const canonical = canonicalManifestJson(manifest);
+	const bytes = utf8(canonical);
+	return {
+		manifest: canonical,
+		signatures: signers.map((s) => ({
+			keyId: s.keyId,
+			signature: toHex(sign(bytes, s.secretKey))
+		}))
+	};
+}
+/**
+* Verify a {@link SignedManifest}: require `≥ threshold` valid signatures from
+* **distinct trusted public keys** (verified over the exact shipped bytes), then
+* parse and return the manifest. `threshold` must be a positive integer. Throws
+* {@link UpdateError} (`SIGNATURE_INVALID`) otherwise.
+*/
+function verifySignedManifest(signed, trustedKeys, threshold = 1) {
+	if (!Number.isInteger(threshold) || threshold < 1) throw new UpdateError("SIGNATURE_INVALID", `threshold must be a positive integer, got ${threshold}`);
+	const bytes = utf8(signed.manifest);
+	const trusted = new Map(trustedKeys.map((k) => [k.keyId, k.publicKey]));
+	const validPublicKeys = /* @__PURE__ */ new Set();
+	for (const sig of signed.signatures) {
+		const publicKeyHex = trusted.get(sig.keyId);
+		if (publicKeyHex === void 0) continue;
+		if (validPublicKeys.has(publicKeyHex)) continue;
+		let sigBytes;
+		let pubBytes;
+		try {
+			sigBytes = fromHex(sig.signature);
+			pubBytes = fromHex(publicKeyHex);
+		} catch {
+			continue;
+		}
+		if (verify(sigBytes, bytes, pubBytes)) validPublicKeys.add(publicKeyHex);
+	}
+	if (validPublicKeys.size < threshold) throw new UpdateError("SIGNATURE_INVALID", `manifest has ${validPublicKeys.size} valid trusted signature(s), need ${threshold}`);
+	return parseManifest(signed.manifest);
+}
+//#endregion
+export { signManifest, verifySignedManifest };
+
+//# sourceMappingURL=signing.js.map

package/dist/signing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.js","names":[],"sources":["../src/signing.ts"],"sourcesContent":["/**\n * Signing + verification of update manifests (the trust layer over {@link crypto}).\n *\n * A {@link SignedManifest} ships the **exact canonical JSON bytes that were signed**\n * plus the signatures, so the verifier checks the signature over the *received*\n * bytes and never re-serializes — sidestepping JSON-canonicalization edge cases.\n * Verification requires `≥ threshold` valid signatures from **distinct trusted\n * public keys** (default 1), which supports key rotation (trust old + new) and\n * multi-party signing. A signature whose `keyId` is not trusted is ignored.\n *\n * @module\n */\n\nimport { fromHex, sign, toHex, utf8, verify } from './crypto'\nimport { UpdateError } from './errors'\nimport { canonicalManifestJson, parseManifest, type UpdateManifest } from './manifest'\n\n/** One signature over the canonical manifest bytes, tagged with its key id. */\nexport interface SignatureEntry {\n  /** Which trusted key produced this signature. */\n  readonly keyId: string\n  /** Lowercase hex Ed25519 signature over `utf8(manifest)`. */\n  readonly signature: string\n}\n\n/** A manifest plus the canonical bytes that were signed and the signatures. */\nexport interface SignedManifest {\n  /** The exact canonical JSON string that was signed (verify over these bytes). */\n  readonly manifest: string\n  /** One or more signatures over `manifest`. */\n  readonly signatures: readonly SignatureEntry[]\n}\n\n/** A signing key (build/server side — keep the secret key offline). */\nexport interface Signer {\n  readonly keyId: string\n  readonly secretKey: Uint8Array\n}\n\n/** A trusted verification key (embedded in the app). */\nexport interface TrustedKey {\n  readonly keyId: string\n  /** Lowercase hex Ed25519 public key. */\n  readonly publicKey: string\n}\n\ndeclare const verifiedBrand: unique symbol\n\n/**\n * An {@link UpdateManifest} whose signature has been verified against trusted keys.\n * The brand is unforgeable in TypeScript: only {@link verifySignedManifest} (and\n * therefore {@link \"./client\".UpdateClient.check}) can produce one. APIs that\n * activate code — `download()` / `apply()` — accept only a `VerifiedManifest`, so a\n * caller cannot smuggle an unsigned, locally-constructed manifest past the trust gate.\n */\nexport type VerifiedManifest = UpdateManifest & { readonly [verifiedBrand]: true }\n\n/**\n * Sign a manifest with one or more {@link Signer}s. Produces the canonical bytes\n * and a signature per signer.\n */\nexport function signManifest(manifest: UpdateManifest, signers: readonly Signer[]): SignedManifest {\n  if (signers.length === 0) throw new UpdateError('SIGNATURE_INVALID', 'no signers provided')\n  const canonical = canonicalManifestJson(manifest)\n  const bytes = utf8(canonical)\n  const signatures = signers.map((s) => ({\n    keyId: s.keyId,\n    signature: toHex(sign(bytes, s.secretKey)),\n  }))\n  return { manifest: canonical, signatures }\n}\n\n/**\n * Verify a {@link SignedManifest}: require `≥ threshold` valid signatures from\n * **distinct trusted public keys** (verified over the exact shipped bytes), then\n * parse and return the manifest. `threshold` must be a positive integer. Throws\n * {@link UpdateError} (`SIGNATURE_INVALID`) otherwise.\n */\nexport function verifySignedManifest(\n  signed: SignedManifest,\n  trustedKeys: readonly TrustedKey[],\n  threshold = 1,\n): VerifiedManifest {\n  // A non-positive (or non-integer) threshold would otherwise accept a manifest\n  // with *zero* valid signatures — a signature-check bypass. Fail closed.\n  if (!Number.isInteger(threshold) || threshold < 1) {\n    throw new UpdateError(\n      'SIGNATURE_INVALID',\n      `threshold must be a positive integer, got ${threshold}`,\n    )\n  }\n  const bytes = utf8(signed.manifest)\n  const trusted = new Map(trustedKeys.map((k) => [k.keyId, k.publicKey]))\n  // Count distinct *public keys* (not key ids): two trusted ids mapped to the same\n  // public key are one signer and must not jointly satisfy a multi-key threshold.\n  const validPublicKeys = new Set<string>()\n\n  for (const sig of signed.signatures) {\n    const publicKeyHex = trusted.get(sig.keyId)\n    if (publicKeyHex === undefined) continue // untrusted key id\n    if (validPublicKeys.has(publicKeyHex)) continue // this key already counted\n    let sigBytes: Uint8Array\n    let pubBytes: Uint8Array\n    try {\n      sigBytes = fromHex(sig.signature)\n      pubBytes = fromHex(publicKeyHex)\n    } catch {\n      continue // malformed hex → not a valid signature\n    }\n    if (verify(sigBytes, bytes, pubBytes)) validPublicKeys.add(publicKeyHex)\n  }\n\n  if (validPublicKeys.size < threshold) {\n    throw new UpdateError(\n      'SIGNATURE_INVALID',\n      `manifest has ${validPublicKeys.size} valid trusted signature(s), need ${threshold}`,\n    )\n  }\n  // Signature verified ⇒ mint the brand. parseManifest still strictly validates shape.\n  return parseManifest(signed.manifest) as VerifiedManifest\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;AA6DA,SAAgB,aAAa,UAA0B,SAA4C;CACjG,IAAI,QAAQ,WAAW,GAAG,MAAM,IAAI,YAAY,qBAAqB,qBAAqB;CAC1F,MAAM,YAAY,sBAAsB,QAAQ;CAChD,MAAM,QAAQ,KAAK,SAAS;CAK5B,OAAO;EAAE,UAAU;EAAW,YAJX,QAAQ,KAAK,OAAO;GACrC,OAAO,EAAE;GACT,WAAW,MAAM,KAAK,OAAO,EAAE,SAAS,CAAC;EAC3C,EACuC;CAAE;AAC3C;;;;;;;AAQA,SAAgB,qBACd,QACA,aACA,YAAY,GACM;CAGlB,IAAI,CAAC,OAAO,UAAU,SAAS,KAAK,YAAY,GAC9C,MAAM,IAAI,YACR,qBACA,6CAA6C,WAC/C;CAEF,MAAM,QAAQ,KAAK,OAAO,QAAQ;CAClC,MAAM,UAAU,IAAI,IAAI,YAAY,KAAK,MAAM,CAAC,EAAE,OAAO,EAAE,SAAS,CAAC,CAAC;CAGtE,MAAM,kCAAkB,IAAI,IAAY;CAExC,KAAK,MAAM,OAAO,OAAO,YAAY;EACnC,MAAM,eAAe,QAAQ,IAAI,IAAI,KAAK;EAC1C,IAAI,iBAAiB,KAAA,GAAW;EAChC,IAAI,gBAAgB,IAAI,YAAY,GAAG;EACvC,IAAI;EACJ,IAAI;EACJ,IAAI;GACF,WAAW,QAAQ,IAAI,SAAS;GAChC,WAAW,QAAQ,YAAY;EACjC,QAAQ;GACN;EACF;EACA,IAAI,OAAO,UAAU,OAAO,QAAQ,GAAG,gBAAgB,IAAI,YAAY;CACzE;CAEA,IAAI,gBAAgB,OAAO,WACzB,MAAM,IAAI,YACR,qBACA,gBAAgB,gBAAgB,KAAK,oCAAoC,WAC3E;CAGF,OAAO,cAAc,OAAO,QAAQ;AACtC"}

package/dist/store.d.ts

@@ -0,0 +1,61 @@
+//#region src/store.d.ts
+/**
+ * Content-addressed update storage + the persisted generation state.
+ *
+ * Storage is an **injected capability** (like the CLI's `FileSystem`), so the
+ * client is deterministic in tests and backend-agnostic (filesystem, S3/R2, RN
+ * storage). Blobs are keyed by SHA-256, so identical files across updates are
+ * stored once and only changed hashes are ever downloaded — differential download
+ * falls out of content-addressing for free. {@link createMemoryStorage} is the
+ * in-memory reference implementation.
+ *
+ * @module
+ */
+/** Lifecycle status of a stored generation. */
+type GenerationStatus = 'pending' | 'current' | 'previous' | 'failed';
+/** Metadata for one downloaded update generation. */
+interface GenerationMeta {
+  /** The manifest id (also the generation id). */
+  readonly id: string;
+  /** The manifest's monotonic version. */
+  readonly version: number;
+  /** The verified canonical manifest JSON. */
+  readonly manifest: string;
+  /** Where this generation sits in the lifecycle. */
+  readonly status: GenerationStatus;
+}
+/** Persisted client state: the generation pointers + rollback bookkeeping. */
+interface UpdateState {
+  /** Active generation id, or `null` to run the embedded build. */
+  readonly current: string | null;
+  /** Last-known-good fallback generation id (or `null` = embedded). */
+  readonly previous: string | null;
+  /** Highest version ever applied — rejects downgrades (rollback protection). */
+  readonly highestVersion: number;
+  /** The current generation has not yet confirmed itself via `notifyReady()`. */
+  readonly pendingVerification: boolean;
+  /** Boots into an unconfirmed current generation (crash-loop detection). */
+  readonly bootAttempts: number;
+  /** All known generations, by id. */
+  readonly generations: Readonly<Record<string, GenerationMeta>>;
+}
+/** Injected storage capability: content-addressed blobs + a small state document. */
+interface UpdateStorage {
+  /** Whether a blob with this SHA-256 is stored. */
+  hasBlob(sha256: string): Promise<boolean>;
+  /** Read a blob's bytes (throws `ASSET_MISSING` if absent). */
+  readBlob(sha256: string): Promise<Uint8Array>;
+  /** Store a blob under its SHA-256. */
+  writeBlob(sha256: string, data: Uint8Array): Promise<void>;
+  /** Read the persisted state, or `null` on a fresh install. */
+  readState(): Promise<UpdateState | null>;
+  /** Persist the state. */
+  writeState(state: UpdateState): Promise<void>;
+}
+/** The initial state for a fresh install (running the embedded build). */
+declare function initialState(embeddedVersion?: number): UpdateState;
+/** An in-memory {@link UpdateStorage} for tests and as a reference implementation. */
+declare function createMemoryStorage(): UpdateStorage;
+//#endregion
+export { GenerationMeta, GenerationStatus, UpdateState, UpdateStorage, createMemoryStorage, initialState };
+//# sourceMappingURL=store.d.ts.map

package/dist/store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.d.ts","names":[],"sources":["../src/store.ts"],"mappings":";;AAgBA;;;;AAA4B;AAG5B;;;;;;;KAHY,gBAAA;;UAGK,cAAA;EAQkB;EAAA,SANxB,EAAA;EAUiB;EAAA,SARjB,OAAA;EAoBqC;EAAA,SAlBrC,QAAA;EAkBa;EAAA,SAhBb,MAAA,EAAQ,gBAAgB;AAAA;;UAIlB,WAAA;EAMN;EAAA,SAJA,OAAA;EAQA;EAAA,SANA,QAAA;EAQa;EAAA,SANb,cAAA;EAMqC;EAAA,SAJrC,mBAAA;EAImD;EAAA,SAFnD,YAAA;EAMmB;EAAA,SAJnB,WAAA,EAAa,QAAA,CAAS,MAAA,SAAe,cAAA;AAAA;;UAI/B,aAAA;EAMiB;EAJhC,OAAA,CAAQ,MAAA,WAAiB,OAAA;EAMJ;EAJrB,QAAA,CAAS,MAAA,WAAiB,OAAA,CAAQ,UAAA;EAMhB;EAJlB,SAAA,CAAU,MAAA,UAAgB,IAAA,EAAM,UAAA,GAAa,OAAA;EAIN;EAFvC,SAAA,IAAa,OAAA,CAAQ,WAAA;EANrB;EAQA,UAAA,CAAW,KAAA,EAAO,WAAA,GAAc,OAAA;AAAA;;iBAIlB,YAAA,CAAa,eAAA,YAAsB,WAAW;;iBAY9C,mBAAA,IAAuB,aAAa"}

package/dist/store.js

@@ -0,0 +1,55 @@
+import { UpdateError } from "./errors.js";
+//#region src/store.ts
+/**
+* Content-addressed update storage + the persisted generation state.
+*
+* Storage is an **injected capability** (like the CLI's `FileSystem`), so the
+* client is deterministic in tests and backend-agnostic (filesystem, S3/R2, RN
+* storage). Blobs are keyed by SHA-256, so identical files across updates are
+* stored once and only changed hashes are ever downloaded — differential download
+* falls out of content-addressing for free. {@link createMemoryStorage} is the
+* in-memory reference implementation.
+*
+* @module
+*/
+/** The initial state for a fresh install (running the embedded build). */
+function initialState(embeddedVersion = 0) {
+	return {
+		current: null,
+		previous: null,
+		highestVersion: embeddedVersion,
+		pendingVerification: false,
+		bootAttempts: 0,
+		generations: {}
+	};
+}
+/** An in-memory {@link UpdateStorage} for tests and as a reference implementation. */
+function createMemoryStorage() {
+	const blobs = /* @__PURE__ */ new Map();
+	let state = null;
+	const cloneState = (value) => value === null ? null : {
+		...value,
+		generations: Object.fromEntries(Object.entries(value.generations).map(([id, meta]) => [id, { ...meta }]))
+	};
+	return {
+		hasBlob: (sha256) => Promise.resolve(blobs.has(sha256)),
+		readBlob: (sha256) => {
+			const blob = blobs.get(sha256);
+			if (!blob) return Promise.reject(new UpdateError("ASSET_MISSING", `blob ${sha256} not found`));
+			return Promise.resolve(new Uint8Array(blob));
+		},
+		writeBlob: (sha256, data) => {
+			blobs.set(sha256, new Uint8Array(data));
+			return Promise.resolve();
+		},
+		readState: () => Promise.resolve(cloneState(state)),
+		writeState: (next) => {
+			state = cloneState(next);
+			return Promise.resolve();
+		}
+	};
+}
+//#endregion
+export { createMemoryStorage, initialState };
+
+//# sourceMappingURL=store.js.map

package/dist/store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"store.js","names":[],"sources":["../src/store.ts"],"sourcesContent":["/**\n * Content-addressed update storage + the persisted generation state.\n *\n * Storage is an **injected capability** (like the CLI's `FileSystem`), so the\n * client is deterministic in tests and backend-agnostic (filesystem, S3/R2, RN\n * storage). Blobs are keyed by SHA-256, so identical files across updates are\n * stored once and only changed hashes are ever downloaded — differential download\n * falls out of content-addressing for free. {@link createMemoryStorage} is the\n * in-memory reference implementation.\n *\n * @module\n */\n\nimport { UpdateError } from './errors'\n\n/** Lifecycle status of a stored generation. */\nexport type GenerationStatus = 'pending' | 'current' | 'previous' | 'failed'\n\n/** Metadata for one downloaded update generation. */\nexport interface GenerationMeta {\n  /** The manifest id (also the generation id). */\n  readonly id: string\n  /** The manifest's monotonic version. */\n  readonly version: number\n  /** The verified canonical manifest JSON. */\n  readonly manifest: string\n  /** Where this generation sits in the lifecycle. */\n  readonly status: GenerationStatus\n}\n\n/** Persisted client state: the generation pointers + rollback bookkeeping. */\nexport interface UpdateState {\n  /** Active generation id, or `null` to run the embedded build. */\n  readonly current: string | null\n  /** Last-known-good fallback generation id (or `null` = embedded). */\n  readonly previous: string | null\n  /** Highest version ever applied — rejects downgrades (rollback protection). */\n  readonly highestVersion: number\n  /** The current generation has not yet confirmed itself via `notifyReady()`. */\n  readonly pendingVerification: boolean\n  /** Boots into an unconfirmed current generation (crash-loop detection). */\n  readonly bootAttempts: number\n  /** All known generations, by id. */\n  readonly generations: Readonly<Record<string, GenerationMeta>>\n}\n\n/** Injected storage capability: content-addressed blobs + a small state document. */\nexport interface UpdateStorage {\n  /** Whether a blob with this SHA-256 is stored. */\n  hasBlob(sha256: string): Promise<boolean>\n  /** Read a blob's bytes (throws `ASSET_MISSING` if absent). */\n  readBlob(sha256: string): Promise<Uint8Array>\n  /** Store a blob under its SHA-256. */\n  writeBlob(sha256: string, data: Uint8Array): Promise<void>\n  /** Read the persisted state, or `null` on a fresh install. */\n  readState(): Promise<UpdateState | null>\n  /** Persist the state. */\n  writeState(state: UpdateState): Promise<void>\n}\n\n/** The initial state for a fresh install (running the embedded build). */\nexport function initialState(embeddedVersion = 0): UpdateState {\n  return {\n    current: null,\n    previous: null,\n    highestVersion: embeddedVersion,\n    pendingVerification: false,\n    bootAttempts: 0,\n    generations: {},\n  }\n}\n\n/** An in-memory {@link UpdateStorage} for tests and as a reference implementation. */\nexport function createMemoryStorage(): UpdateStorage {\n  const blobs = new Map<string, Uint8Array>()\n  let state: UpdateState | null = null\n\n  // Clone at the boundary: callers must never hold a reference into the store's\n  // internals, or they could mutate a blob after writeBlob() (breaking the\n  // content-addressed integrity guarantee) or mutate state without a writeState().\n  const cloneState = (value: UpdateState | null): UpdateState | null =>\n    value === null\n      ? null\n      : {\n          ...value,\n          generations: Object.fromEntries(\n            Object.entries(value.generations).map(([id, meta]) => [id, { ...meta }]),\n          ),\n        }\n\n  return {\n    hasBlob: (sha256) => Promise.resolve(blobs.has(sha256)),\n    readBlob: (sha256) => {\n      const blob = blobs.get(sha256)\n      if (!blob) return Promise.reject(new UpdateError('ASSET_MISSING', `blob ${sha256} not found`))\n      return Promise.resolve(new Uint8Array(blob))\n    },\n    writeBlob: (sha256, data) => {\n      blobs.set(sha256, new Uint8Array(data))\n      return Promise.resolve()\n    },\n    readState: () => Promise.resolve(cloneState(state)),\n    writeState: (next) => {\n      state = cloneState(next)\n      return Promise.resolve()\n    },\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;AA6DA,SAAgB,aAAa,kBAAkB,GAAgB;CAC7D,OAAO;EACL,SAAS;EACT,UAAU;EACV,gBAAgB;EAChB,qBAAqB;EACrB,cAAc;EACd,aAAa,CAAC;CAChB;AACF;;AAGA,SAAgB,sBAAqC;CACnD,MAAM,wBAAQ,IAAI,IAAwB;CAC1C,IAAI,QAA4B;CAKhC,MAAM,cAAc,UAClB,UAAU,OACN,OACA;EACE,GAAG;EACH,aAAa,OAAO,YAClB,OAAO,QAAQ,MAAM,WAAW,EAAE,KAAK,CAAC,IAAI,UAAU,CAAC,IAAI,EAAE,GAAG,KAAK,CAAC,CAAC,CACzE;CACF;CAEN,OAAO;EACL,UAAU,WAAW,QAAQ,QAAQ,MAAM,IAAI,MAAM,CAAC;EACtD,WAAW,WAAW;GACpB,MAAM,OAAO,MAAM,IAAI,MAAM;GAC7B,IAAI,CAAC,MAAM,OAAO,QAAQ,OAAO,IAAI,YAAY,iBAAiB,QAAQ,OAAO,WAAW,CAAC;GAC7F,OAAO,QAAQ,QAAQ,IAAI,WAAW,IAAI,CAAC;EAC7C;EACA,YAAY,QAAQ,SAAS;GAC3B,MAAM,IAAI,QAAQ,IAAI,WAAW,IAAI,CAAC;GACtC,OAAO,QAAQ,QAAQ;EACzB;EACA,iBAAiB,QAAQ,QAAQ,WAAW,KAAK,CAAC;EAClD,aAAa,SAAS;GACpB,QAAQ,WAAW,IAAI;GACvB,OAAO,QAAQ,QAAQ;EACzB;CACF;AACF"}

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "@mindees/updates",
+  "version": "0.1.0",
+  "description": "MindeesNative Pulse - signed over-the-air (OTA) updates: hash-addressed manifests, Ed25519 signing, content-addressed storage, atomic generations with crash-loop rollback.",
+  "license": "MIT OR Apache-2.0",
+  "type": "module",
+  "sideEffects": false,
+  "files": [
+    "dist"
+  ],
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./server": {
+      "types": "./dist/server.d.ts",
+      "import": "./dist/server.js"
+    },
+    "./sdui": {
+      "types": "./dist/sdui.d.ts",
+      "import": "./dist/sdui.js"
+    }
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/mindees/mindees.git",
+    "directory": "packages/updates"
+  },
+  "dependencies": {
+    "@noble/curves": "2.2.0",
+    "@noble/hashes": "2.2.0",
+    "@mindees/core": "0.1.0"
+  },
+  "devDependencies": {
+    "fast-check": "4.8.0"
+  },
+  "scripts": {
+    "build": "tsdown",
+    "typecheck": "tsc --noEmit"
+  }
+}