@motebit/verify 0.7.0 → 1.1.0

package/LICENSE

@@ -1,26 +1,206 @@
-MIT License
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
 
-Copyright (c) 2026 Motebit
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+   1. Definitions.
 
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
 
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
 
-"Motebit" is a trademark of Motebit, Inc. The MIT License grants rights to
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for describing the origin of the Work and
+      reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2026 Motebit, Inc.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+
+"Motebit" is a trademark of Motebit, Inc. The Apache License grants rights to
 this software, not to any Motebit trademarks, logos, or branding. You may not
 use Motebit branding in a way that suggests endorsement or affiliation without
 written permission.

package/NOTICE

@@ -0,0 +1,19 @@
+Motebit
+Copyright 2026 Motebit, Inc.
+
+This product includes software developed at Motebit, Inc. (https://motebit.com).
+
+The permissive-floor packages (the protocol, SDK, cryptographic primitives,
+platform-attestation verifier leaves, scaffolding CLI, and GitHub Action) are
+licensed under the Apache License, Version 2.0. See LICENSE files in each
+`packages/*/` subdirectory and in `spec/` for the full license text.
+
+The remaining packages, apps, and services are licensed under the Business
+Source License 1.1 and convert to the Apache License, Version 2.0 four years
+after each version's first public release. See `LICENSE` at the repository
+root and `LICENSING.md` for the full license boundary.
+
+"Motebit" is a trademark of Motebit, Inc. The licenses granted here cover
+this software only, not Motebit trademarks, logos, or branding. Use of
+Motebit branding in a way that suggests endorsement or affiliation requires
+written permission.

package/README.md

@@ -1,102 +1,125 @@
 # @motebit/verify
 
-Verify any Motebit artifact — identity files, execution receipts, verifiable credentials, and verifiable presentations.
+The canonical `motebit-verify` command-line tool. A single binary that verifies any signed motebit artifact — identity files, execution receipts, credentials, presentations — including credentials carrying hardware-attestation claims under any of the four canonical sovereign-verifiable platforms (Apple App Attest, Android Hardware-Backed Keystore Attestation, TPM 2.0, WebAuthn) plus the deprecated Play Integrity adapter bundled for one minor cycle for backward compat with already-minted credentials.
 
-One function. Any artifact. Zero runtime dependencies. MIT licensed.
-
-## Install
+Network-free. No relay contact, no external service, no cloud dependency. Every trust anchor is pinned in the installed package.
 
 ```bash
-npm install @motebit/verify
+npm install -g @motebit/verify
+motebit-verify cred.json
+```
+
+```
+VALID (credential)
+  issuer:   did:key:z6MkhaXgBZDvotDkL5257...
+  subject:  did:key:z6MkhaXgBZDvotDkL5257...
+  expired:  no
+  hardware: secure_enclave ✓
 ```
 
+## What it verifies
+
+| Artifact                    | Detection                                                       |
+| --------------------------- | --------------------------------------------------------------- |
+| `motebit.md` identity files | YAML frontmatter + Ed25519 proof                                |
+| Execution receipts          | Signed JSON, signer keys chain                                  |
+| W3C VerifiableCredentials   | `eddsa-jcs-2022` proof, hardware-attestation channel if present |
+| VerifiablePresentations     | Signed envelope + every embedded credential                     |
+
+Hardware-attestation channel covers every currently-shipped platform:
+
+| Platform                        | Adapter                            | Trust anchor                                                                                                                                         |
+| ------------------------------- | ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `secure_enclave`                | `@motebit/crypto` (built-in)       | ECDSA-P256 signature; self-asserted SE public key                                                                                                    |
+| `device_check`                  | `@motebit/crypto-appattest`        | Pinned Apple App Attestation Root CA                                                                                                                 |
+| `tpm`                           | `@motebit/crypto-tpm`              | Pinned Infineon / Nuvoton / STMicro / Intel PTT vendor roots                                                                                         |
+| `android_keystore`              | `@motebit/crypto-android-keystore` | Pinned Google Hardware Attestation roots (RSA + ECDSA P-384)                                                                                         |
+| `webauthn`                      | `@motebit/crypto-webauthn`         | Pinned Apple / Yubico / Microsoft FIDO roots                                                                                                         |
+| `play_integrity` _(deprecated)_ | `@motebit/crypto-play-integrity`   | Operator-supplied JWKS (no global Google JWKS exists; bundled for one minor cycle for backward compat — see `docs/doctrine/hardware-attestation.md`) |
+
+Unknown platform → named error, fail-closed. Missing adapter context → named error, fail-closed. Never silent acceptance.
+
 ## Usage
 
-```typescript
-import { verify } from "@motebit/verify";
-
-// Identity file
-const r1 = await verify(fs.readFileSync("motebit.md", "utf-8"));
-if (r1.type === "identity" && r1.valid) {
-  console.log(r1.did); // did:key:z...
-  console.log(r1.identity); // full identity file contents
-  console.log(r1.succession); // key rotation chain (if present)
-}
-
-// Execution receipt (object or JSON string)
-const r2 = await verify(receipt);
-if (r2.type === "receipt" && r2.valid) {
-  console.log(r2.signer); // did:key of the signing agent
-  console.log(r2.delegations); // nested delegation verification results
-}
-
-// Verifiable credential
-const r3 = await verify(credential);
-if (r3.type === "credential" && r3.valid) {
-  console.log(r3.issuer); // did:key of the issuer
-  console.log(r3.subject); // did:key of the subject
-  console.log(r3.expired); // false
-}
-
-// Verifiable presentation
-const r4 = await verify(presentation);
-if (r4.type === "presentation" && r4.valid) {
-  console.log(r4.holder); // did:key of the holder
-  console.log(r4.credentials); // each credential verified independently
-}
+```bash
+motebit-verify <file>                     # auto-detect, print human-readable
+motebit-verify <file> --json              # structured JSON output
+motebit-verify <file> --expect credential # pin expected artifact type
+motebit-verify <file> --clock-skew 30     # allow N seconds of clock drift
+
+# Platform overrides (defaults match motebit's canonical identifiers)
+motebit-verify <file> \
+  --bundle-id com.example.app \
+  --android-attestation-application-id ./app-id.bin \
+  --android-package com.example.app \
+  --rp-id example.com
 ```
 
-### Strict mode
+**Verifying `android_keystore` credentials requires `--android-attestation-application-id`.** The flag's value is a path to a binary file containing the raw bytes of the leaf cert's `attestationApplicationId` extension — operators capture this once at build time (deterministic from the registered Android package name + signing-cert SHA-256) and commit the file alongside other pinned config. Without the flag, the Android Keystore arm is intentionally unwired (passing a placeholder would false-reject every real claim); the dispatcher reports `"verifier not wired"`. The legacy `--android-package` flag still configures the deprecated Play Integrity adapter for backward-compat with already-minted credentials.
 
-Pass `expectedType` to fail fast if the artifact doesn't match:
+Exit codes:
 
-```typescript
-const result = await verify(artifact, { expectedType: "receipt" });
-// result.valid is false if artifact is not a receipt
-```
+- `0` — artifact verified (including hardware-attestation channel)
+- `1` — artifact detected but signature / hardware channel invalid
+- `2` — usage or I/O error
 
-### Parse without verifying
+## Programmatic use
 
-```typescript
-import { parse } from "@motebit/verify";
+The CLI is a thin wrapper — every capability is available programmatically:
 
-const { frontmatter, signature, rawFrontmatter } = parse(identityFileContent);
-console.log(frontmatter.motebit_id);
+```ts
+import { verifyFile } from "@motebit/verifier"; // Apache-2.0 library (file I/O + formatting)
+import { buildHardwareVerifiers } from "@motebit/verify"; // Apache-2.0 CLI + programmatic adapter bundle
+
+const result = await verifyFile("cred.json", {
+  hardwareAttestation: buildHardwareVerifiers(),
+});
 ```
 
-## API
+## The three-package lineage
 
-### `verify(artifact, options?): Promise<VerifyResult>`
+This package sits at the top of a deliberate three-layer split — the same shape long-lived tool lineages use (git / libgit2, cargo / tokio, npm / @npm/arborist):
 
-Verify any Motebit artifact. Detects the type automatically from the input.
+```
+@motebit/verify     Apache-2.0  the CLI motebit-verify + bundled adapters  (the tool — this package)
+@motebit/verifier   Apache-2.0  library: verifyFile, verifyArtifact, formatHuman
+@motebit/crypto     Apache-2.0  primitives: verify, sign, suite dispatch
+```
 
-- **Strings** containing `---` are parsed as identity files
-- **Strings** containing JSON are parsed and detected by shape
-- **Objects** are detected by shape: receipts have `task_id` + `signature`, credentials have `credentialSubject` + `proof`, presentations have `holder` + `verifiableCredential` + `proof`
+All three are Apache-2.0 with explicit patent grant — the full verification surface ships under the permissive floor. The BSL line stays at `motebit` (the operator console) and everything below it, where the motebit-proprietary judgment actually lives.
 
-Returns a discriminated union — narrow on `result.type` to access type-specific fields.
+- Install **`@motebit/verify`** when you want the command-line tool with every platform bundled. One install, verify anything offline, no license friction in CI pipelines.
+- Install **`@motebit/verifier`** when you're writing TypeScript code that needs to read + verify motebit artifacts programmatically and want the dep-thin library without the bundled platform adapters.
+- Install **`@motebit/crypto`** when you want the primitives — the verify dispatcher, sign APIs, suite registry — to build your own verification tooling from scratch.
 
-### `verifyIdentityFile(content): Promise<LegacyVerifyResult>` _(deprecated)_
+## Superseding the deprecated `@motebit/verify@0.x`
 
-Verify a `motebit.md` identity file. Returns the legacy result shape with `.identity`, `.did`, `.error` fields directly (no type narrowing needed). Use `verify(content)` instead — it handles all artifact types and returns a richer result.
+The original `@motebit/verify@0.7.0` was a zero-dep MIT library with a single `verify()` function. It was deprecated and split:
 
-### `parse(content): { frontmatter, signature, rawFrontmatter }`
+- **The `verify()` library primitive** moved to [`@motebit/crypto`](https://www.npmjs.com/package/@motebit/crypto). Now Apache-2.0 (upgraded from MIT — adds an explicit patent grant), same zero deps, same function shape, plus full sign / verify / cryptosuite support.
+- **The file-reading + human-formatting helpers** live at [`@motebit/verifier`](https://www.npmjs.com/package/@motebit/verifier). Apache-2.0, thin layer above `@motebit/crypto`.
+- **The `motebit-verify` CLI — the tool most users actually wanted when they typed `npm install @motebit/verify`** — is now this package, shipped at `1.0.0`. Runs offline. Verifies every motebit artifact. Bundles every hardware-attestation platform.
 
-Parse a `motebit.md` file into its components. Does not verify the signature. Throws if malformed.
+If you were on `@motebit/verify@^0.7.0`, migration depends on what you were using:
 
-## What can it verify?
+| You were using                                               | Migrate to                                                                          |
+| ------------------------------------------------------------ | ----------------------------------------------------------------------------------- |
+| The `verify()` function in TypeScript                        | `import { verify } from "@motebit/crypto"` — same shape, more features              |
+| `verifyFile()` / `formatHuman()` / programmatic CLI wrappers | `import { ... } from "@motebit/verifier"`                                           |
+| Running `motebit-verify` on the command line                 | `npm install -g @motebit/verify` at `^1.0.0` — same command, full platform coverage |
 
-| Artifact                | Input                                         | What it checks                                                                         |
-| ----------------------- | --------------------------------------------- | -------------------------------------------------------------------------------------- |
-| Identity file           | String (YAML frontmatter + Ed25519 signature) | Signature over frontmatter, succession chain linkage + temporal ordering               |
-| Execution receipt       | Object or JSON                                | Ed25519 signature over canonical JSON, embedded public key, recursive delegation chain |
-| Verifiable credential   | Object or JSON                                | eddsa-jcs-2022 Data Integrity proof, expiry, issuer DID extraction                     |
-| Verifiable presentation | Object or JSON                                | Envelope proof + each contained credential independently                               |
+## Related
 
-All verification is **offline** — no network calls, no relay lookup, no runtime dependency. Receipts embed the signer's public key. Credentials embed the issuer's DID. Everything needed for verification is in the artifact itself.
+- [`@motebit/verifier`](https://www.npmjs.com/package/@motebit/verifier) — Apache-2.0 library underneath this CLI (`verifyFile`, `verifyArtifact`, `formatHuman`)
+- [`@motebit/crypto`](https://www.npmjs.com/package/@motebit/crypto) — Apache-2.0 primitives (`verify`, `sign`, suite dispatch; zero monorepo deps)
+- [`@motebit/crypto-appattest`](https://www.npmjs.com/package/@motebit/crypto-appattest) — Apple App Attest adapter bundled into this CLI
+- [`@motebit/crypto-play-integrity`](https://www.npmjs.com/package/@motebit/crypto-play-integrity) — Google Play Integrity adapter bundled into this CLI
+- [`@motebit/crypto-tpm`](https://www.npmjs.com/package/@motebit/crypto-tpm) — TPM 2.0 EK chain adapter bundled into this CLI
+- [`@motebit/crypto-webauthn`](https://www.npmjs.com/package/@motebit/crypto-webauthn) — WebAuthn packed-attestation adapter bundled into this CLI
+- [`motebit`](https://www.npmjs.com/package/motebit) — reference runtime and operator console
 
 ## License
 
-MIT — see [LICENSE](./LICENSE).
+Apache-2.0 — see [LICENSE](./LICENSE) and [NOTICE](./NOTICE).
 
-"Motebit" is a trademark. The MIT License grants rights to this software, not to any Motebit trademarks, logos, or branding. You may not use Motebit branding in a way that suggests endorsement or affiliation without written permission.
+"Motebit" is a trademark. The Apache License grants rights to this software, not to any Motebit trademarks, logos, or branding. You may not use Motebit branding in a way that suggests endorsement or affiliation without written permission.

package/dist/adapters.d.ts

@@ -0,0 +1,132 @@
+/**
+ * Bundled-adapter wiring — the core reason this package exists.
+ *
+ * `@motebit/verifier` (Apache-2.0) accepts an optional
+ * `HardwareAttestationVerifiers` record but wires none of the leaves
+ * itself; that keeps it dep-thin. This Apache-2.0 aggregator imports
+ * every leaf (`@motebit/crypto-appattest`,
+ * `@motebit/crypto-android-keystore`, `@motebit/crypto-tpm`,
+ * `@motebit/crypto-webauthn`, plus the deprecated
+ * `@motebit/crypto-play-integrity` for backward compatibility during
+ * its 1.x deprecation cycle) and produces a single
+ * `HardwareAttestationVerifiers` object the CLI hands to `verifyFile`.
+ * Any credential whose subject carries a hardware-attestation claim
+ * for any of the canonical platforms now verifies end-to-end — chain
+ * + nonce + bundle + identity — instead of returning the
+ * `adapter not yet shipped` sentinel.
+ *
+ * Defaults match motebit's canonical app identifiers:
+ *   - App Attest      → bundleId `com.motebit.mobile`
+ *   - Android Keystore → caller-supplied attestationApplicationId (no
+ *                       canonical default — the bytes are
+ *                       deterministic from `(packageName, signing-cert
+ *                       SHA-256)` known at the operator's build time;
+ *                       no analogous "magic string" fits)
+ *   - WebAuthn        → rpId `motebit.com`
+ *   - TPM             → the pinned vendor roots in `@motebit/crypto-tpm`
+ *
+ * Operators verifying credentials from a different motebit deployment
+ * can override any of these via the config parameter.
+ *
+ * Play Integrity (deprecated): wired for one minor cycle so
+ * already-minted credentials carrying `platform: "play_integrity"`
+ * continue to verify cleanly through the same CLI invocation. New
+ * mobile builds emit `platform: "android_keystore"` instead — see
+ * `docs/doctrine/hardware-attestation.md` § "Three architectural
+ * categories".
+ */
+import type { HardwareAttestationVerifiers } from "@motebit/crypto";
+import { type GoogleJwks } from "@motebit/crypto-play-integrity";
+export interface HardwareVerifierBundleConfig {
+    /**
+     * Apple App Attest — bundle ID the attested iOS app was built with.
+     * Defaults to `com.motebit.mobile`. Override when verifying credentials
+     * minted by a different motebit iOS build.
+     */
+    readonly appAttestBundleId?: string;
+    /**
+     * Apple App Attest — override the pinned Apple App Attestation Root
+     * CA PEM. Defaults to the constant in `@motebit/crypto-appattest`.
+     * Exposed only so test fabrications can exercise the chain-validation
+     * code path with a fabricated root.
+     */
+    readonly appAttestRootPem?: string;
+    /**
+     * Android Hardware-Backed Keystore Attestation — `attestationApplicationId`
+     * bytes (raw, captured-from-leaf-cert form) the leaf cert MUST carry.
+     * Required at wiring time when verifying Android-Keystore-attested
+     * credentials. Operators compute this at build time as
+     * `(packageName, signing-cert SHA-256)` and pin the result here; the
+     * verifier byte-compares against the leaf's KeyDescription extension.
+     * Absent → the Android Keystore arm is not wired and the canonical
+     * dispatcher returns "verifier not wired".
+     */
+    readonly androidKeystoreExpectedAttestationApplicationId?: Uint8Array;
+    /**
+     * Android Hardware-Backed Keystore Attestation — override the pinned
+     * Google attestation roots. Defaults to
+     * `DEFAULT_ANDROID_KEYSTORE_TRUST_ANCHORS` (RSA-4096 + ECDSA P-384,
+     * covering both pre- and post-rotation device fleets).
+     */
+    readonly androidKeystoreRootPems?: ReadonlyArray<string>;
+    /**
+     * Google Play Integrity (DEPRECATED) — Android package name the
+     * attested app was built with. Defaults to `com.motebit.mobile`.
+     * Wired during the `@motebit/crypto-play-integrity@1.x`
+     * deprecation cycle so already-minted credentials continue to
+     * verify; new mobile builds emit `platform: "android_keystore"`.
+     */
+    readonly playIntegrityPackageName?: string;
+    /**
+     * Google Play Integrity (DEPRECATED) — override the pinned JWKS.
+     * Fail-closed by default — see the structural-mismatch note in
+     * `@motebit/crypto-play-integrity`'s CLAUDE.md (no global Google
+     * JWKS exists; this verifier is operator-key-mediated rather than
+     * sovereign-verifiable, which is why it's been deprecated).
+     */
+    readonly playIntegrityPinnedJwks?: GoogleJwks;
+    /**
+     * Google Play Integrity (DEPRECATED) — relax the device-integrity
+     * floor. Defaults to the strict `"MEETS_DEVICE_INTEGRITY"`.
+     */
+    readonly playIntegrityRequiredDeviceIntegrity?: string;
+    /**
+     * WebAuthn — Relying Party ID the credential was minted for.
+     * Defaults to `motebit.com`.
+     */
+    readonly webauthnRpId?: string;
+    /**
+     * WebAuthn — override the pinned FIDO root set. Defaults to
+     * `DEFAULT_FIDO_ROOTS` (Apple Anonymous Attestation, Yubico, Microsoft).
+     */
+    readonly webauthnRootPems?: ReadonlyArray<string>;
+    /**
+     * TPM — override the pinned vendor root PEMs. Defaults to the four
+     * TPM-vendor roots in `@motebit/crypto-tpm` (Infineon, Nuvoton,
+     * STMicro, Intel PTT).
+     */
+    readonly tpmRootPems?: ReadonlyArray<string>;
+}
+/**
+ * Build the full `HardwareAttestationVerifiers` object covering every
+ * canonical platform adapter. Pass the result to `verifyFile`:
+ *
+ * ```ts
+ * import { verifyFile } from "@motebit/verifier";
+ * import { buildHardwareVerifiers } from "@motebit/verify";
+ *
+ * const result = await verifyFile("cred.json", {
+ *   hardwareAttestation: buildHardwareVerifiers({
+ *     androidKeystoreExpectedAttestationApplicationId: appIdBytes,
+ *   }),
+ * });
+ * ```
+ *
+ * Pure function: every dependency is captured at factory time and the
+ * returned verifiers are idempotent across calls. The Android Keystore
+ * arm is wired only when `androidKeystoreExpectedAttestationApplicationId`
+ * is supplied — there is no canonical default for the leaf-cert
+ * package binding, by design.
+ */
+export declare function buildHardwareVerifiers(config?: HardwareVerifierBundleConfig): HardwareAttestationVerifiers;
+//# sourceMappingURL=adapters.d.ts.map

package/dist/adapters.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"adapters.d.ts","sourceRoot":"","sources":["../src/adapters.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,iBAAiB,CAAC;AAIpE,OAAO,EAAyB,KAAK,UAAU,EAAE,MAAM,gCAAgC,CAAC;AAIxF,MAAM,WAAW,4BAA4B;IAC3C;;;;OAIG;IACH,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IACpC;;;;;OAKG;IACH,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC;;;;;;;;;OASG;IACH,QAAQ,CAAC,+CAA+C,CAAC,EAAE,UAAU,CAAC;IACtE;;;;;OAKG;IACH,QAAQ,CAAC,uBAAuB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACzD;;;;;;OAMG;IACH,QAAQ,CAAC,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAC3C;;;;;;OAMG;IACH,QAAQ,CAAC,uBAAuB,CAAC,EAAE,UAAU,CAAC;IAC9C;;;OAGG;IACH,QAAQ,CAAC,oCAAoC,CAAC,EAAE,MAAM,CAAC;IACvD;;;OAGG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAClD;;;;OAIG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC9C;AAOD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,sBAAsB,CACpC,MAAM,CAAC,EAAE,4BAA4B,GACpC,4BAA4B,CA4C9B"}