@motebit/verify 1.2.1 → 1.3.0
- package/README.md +38 -12
- package/dist/adapters.d.ts +8 -31
- package/dist/adapters.d.ts.map +1 -1
- package/dist/adapters.js +0 -13
- package/dist/adapters.js.map +1 -1
- package/dist/cli.d.ts +49 -7
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +396 -36
- package/dist/cli.js.map +1 -1
- package/dist/index.d.ts +3 -3
- package/dist/index.js +3 -3
- package/package.json +10 -10
package/README.md
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# @motebit/verify
|
|
2
2
|
|
|
3
|
-
The canonical `motebit-verify` command-line tool. A single binary that verifies any signed motebit artifact — identity files, execution receipts, credentials, presentations — including credentials carrying hardware-attestation claims under any of the four canonical sovereign-verifiable platforms (Apple App Attest, Android Hardware-Backed Keystore Attestation, TPM 2.0, WebAuthn)
|
|
3
|
+
The canonical `motebit-verify` command-line tool. A single binary that verifies any signed motebit artifact — identity files, execution receipts, credentials, presentations — including credentials carrying hardware-attestation claims under any of the four canonical sovereign-verifiable platforms (Apple App Attest, Android Hardware-Backed Keystore Attestation, TPM 2.0, WebAuthn).
|
|
4
4
|
|
|
5
5
|
Network-free. No relay contact, no external service, no cloud dependency. Every trust anchor is pinned in the installed package.
|
|
6
6
|
|
|
@@ -28,14 +28,14 @@ VALID (credential)
|
|
|
28
28
|
|
|
29
29
|
Hardware-attestation channel covers every currently-shipped platform:
|
|
30
30
|
|
|
31
|
-
| Platform
|
|
32
|
-
|
|
|
33
|
-
| `secure_enclave`
|
|
34
|
-
| `device_check`
|
|
35
|
-
| `tpm`
|
|
36
|
-
| `android_keystore`
|
|
37
|
-
| `webauthn`
|
|
38
|
-
| `play_integrity` _(
|
|
31
|
+
| Platform | Adapter | Trust anchor |
|
|
32
|
+
| ---------------------------- | ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|
|
33
|
+
| `secure_enclave` | `@motebit/crypto` (built-in) | ECDSA-P256 signature; self-asserted SE public key |
|
|
34
|
+
| `device_check` | `@motebit/crypto-appattest` | Pinned Apple App Attestation Root CA |
|
|
35
|
+
| `tpm` | `@motebit/crypto-tpm` | Pinned Infineon / Nuvoton / STMicro / Intel PTT vendor roots |
|
|
36
|
+
| `android_keystore` | `@motebit/crypto-android-keystore` | Pinned Google Hardware Attestation roots (RSA + ECDSA P-384) |
|
|
37
|
+
| `webauthn` | `@motebit/crypto-webauthn` | Pinned Apple / Yubico / Microsoft FIDO roots |
|
|
38
|
+
| `play_integrity` _(removed)_ | _(no adapter wired)_ | Removed 2026-05-03. Credentials carrying this platform fail-closed. Use `@motebit/crypto-android-keystore` instead — see `docs/doctrine/hardware-attestation.md`. |
|
|
39
39
|
|
|
40
40
|
Unknown platform → named error, fail-closed. Missing adapter context → named error, fail-closed. Never silent acceptance.
|
|
41
41
|
|
|
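Review bot: The `secure_enclave` row of the new table lists "self-asserted SE public key" in the Trust anchor column alongside pinned vendor roots, which reads as the same level of assurance. Suggest wording that row so it is clear there is no chain to a pinned root (for example "none: self-asserted key, signature check only"), and having the `play_integrity` row quote the exact named error a verifier will see so operators can match it in logs.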
@@ -51,11 +51,10 @@ motebit-verify <file> --clock-skew 30 # allow N seconds of clock drift
|
|
|
51
51
|
motebit-verify <file> \
|
|
52
52
|
--bundle-id com.example.app \
|
|
53
53
|
--android-attestation-application-id ./app-id.bin \
|
|
54
|
-
--android-package com.example.app \
|
|
55
54
|
--rp-id example.com
|
|
56
55
|
```
|
|
57
56
|
|
|
58
|
-
**Verifying `android_keystore` credentials requires `--android-attestation-application-id`.** The flag's value is a path to a binary file containing the raw bytes of the leaf cert's `attestationApplicationId` extension — operators capture this once at build time (deterministic from the registered Android package name + signing-cert SHA-256) and commit the file alongside other pinned config. Without the flag, the Android Keystore arm is intentionally unwired (passing a placeholder would false-reject every real claim); the dispatcher reports `"verifier not wired"`.
|
|
57
|
+
**Verifying `android_keystore` credentials requires `--android-attestation-application-id`.** The flag's value is a path to a binary file containing the raw bytes of the leaf cert's `attestationApplicationId` extension — operators capture this once at build time (deterministic from the registered Android package name + signing-cert SHA-256) and commit the file alongside other pinned config. Without the flag, the Android Keystore arm is intentionally unwired (passing a placeholder would false-reject every real claim); the dispatcher reports `"verifier not wired"`.
|
|
59
58
|
|
|
60
59
|
Exit codes:
|
|
61
60
|
|
|
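Review bot: The usage example drops `--android-package` with no migration note for scripts that still pass it. Suggest one sentence next to this example, or in the migration section, saying the flag was removed in 1.3.0 and that Android verification now depends on `--android-attestation-application-id`.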
@@ -76,6 +75,33 @@ const result = await verifyFile("cred.json", {
|
|
|
76
75
|
});
|
|
77
76
|
```
|
|
78
77
|
|
|
78
|
+
`buildHardwareVerifiers()` with no arguments uses motebit's canonical defaults (`com.motebit.mobile` bundle, `motebit.com` RP ID, pinned Apple/Google/FIDO/TPM roots). To verify credentials minted by a fork, a federation peer, or a custom build, pass a `HardwareVerifierBundleConfig`:
|
|
79
|
+
|
|
80
|
+
```ts
|
|
81
|
+
import { readFileSync } from "node:fs";
|
|
82
|
+
import { buildHardwareVerifiers } from "@motebit/verify";
|
|
83
|
+
import { verifyFile } from "@motebit/verifier";
|
|
84
|
+
|
|
85
|
+
const result = await verifyFile("cred.json", {
|
|
86
|
+
hardwareAttestation: buildHardwareVerifiers({
|
|
87
|
+
// Apple App Attest — non-motebit iOS build
|
|
88
|
+
appAttestBundleId: "com.example.app",
|
|
89
|
+
// Android Keystore — raw attestationApplicationId bytes from the
|
|
90
|
+
// leaf cert, computed once at build time from (packageName, signing-cert SHA-256)
|
|
91
|
+
androidKeystoreExpectedAttestationApplicationId: readFileSync("./app-id.bin"),
|
|
92
|
+
// WebAuthn — relying-party domain
|
|
93
|
+
webauthnRpId: "example.com",
|
|
94
|
+
// Optional — override any pinned root set (test fabrications, federation peer roots, etc.)
|
|
95
|
+
appAttestRootPem: customAppleRootPem,
|
|
96
|
+
androidKeystoreRootPems: [customGoogleRoot1, customGoogleRoot2],
|
|
97
|
+
webauthnRootPems: [customYubicoRoot],
|
|
98
|
+
tpmRootPems: [customInfineonRoot],
|
|
99
|
+
}),
|
|
100
|
+
});
|
|
101
|
+
```
|
|
102
|
+
|
|
103
|
+
Every field is optional and falls back to the motebit-canonical default. The Android Keystore arm is wired only when `androidKeystoreExpectedAttestationApplicationId` is supplied — there is no canonical default for the leaf-cert package binding, by design.
|
|
104
|
+
|
|
79
105
|
## The three-package lineage
|
|
80
106
|
|
|
81
107
|
This package sits at the top of a deliberate three-layer split — the same shape long-lived tool lineages use (git / libgit2, cargo / tokio, npm / @npm/arborist):
|
|
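Review bot: The comment "override any pinned root set" in the added example does not say whether supplied PEMs replace or extend the defaults, and `adapters.js` wires the WebAuthn arm as `rootPems: config?.webauthnRootPems ?? DEFAULT_FIDO_ROOTS`, which is a replacement. Suggest stating that explicitly, since passing a single federation-peer root drops every pinned vendor root for that platform, and declaring the `customAppleRootPem` / `customGoogleRoot1` / `customYubicoRoot` / `customInfineonRoot` placeholders in the snippet so it compiles when copied.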
@@ -113,7 +139,7 @@ If you were on `@motebit/verify@^0.7.0`, migration depends on what you were usin
|
|
|
113
139
|
- [`@motebit/verifier`](https://www.npmjs.com/package/@motebit/verifier) — Apache-2.0 library underneath this CLI (`verifyFile`, `verifyArtifact`, `formatHuman`)
|
|
114
140
|
- [`@motebit/crypto`](https://www.npmjs.com/package/@motebit/crypto) — Apache-2.0 primitives (`verify`, `sign`, suite dispatch; zero monorepo deps)
|
|
115
141
|
- [`@motebit/crypto-appattest`](https://www.npmjs.com/package/@motebit/crypto-appattest) — Apple App Attest adapter bundled into this CLI
|
|
116
|
-
- [`@motebit/crypto-
|
|
142
|
+
- [`@motebit/crypto-android-keystore`](https://www.npmjs.com/package/@motebit/crypto-android-keystore) — Android Hardware-Backed Keystore Attestation adapter bundled into this CLI
|
|
117
143
|
- [`@motebit/crypto-tpm`](https://www.npmjs.com/package/@motebit/crypto-tpm) — TPM 2.0 EK chain adapter bundled into this CLI
|
|
118
144
|
- [`@motebit/crypto-webauthn`](https://www.npmjs.com/package/@motebit/crypto-webauthn) — WebAuthn packed-attestation adapter bundled into this CLI
|
|
119
145
|
- [`motebit`](https://www.npmjs.com/package/motebit) — reference runtime and operator console
|
package/dist/adapters.d.ts
CHANGED
|
@@ -4,11 +4,9 @@
|
|
|
4
4
|
* `@motebit/verifier` (Apache-2.0) accepts an optional
|
|
5
5
|
* `HardwareAttestationVerifiers` record but wires none of the leaves
|
|
6
6
|
* itself; that keeps it dep-thin. This Apache-2.0 aggregator imports
|
|
7
|
-
* every leaf (`@motebit/crypto-appattest`,
|
|
7
|
+
* every canonical leaf (`@motebit/crypto-appattest`,
|
|
8
8
|
* `@motebit/crypto-android-keystore`, `@motebit/crypto-tpm`,
|
|
9
|
-
* `@motebit/crypto-webauthn
|
|
10
|
-
* `@motebit/crypto-play-integrity` for backward compatibility during
|
|
11
|
-
* its 1.x deprecation cycle) and produces a single
|
|
9
|
+
* `@motebit/crypto-webauthn`) and produces a single
|
|
12
10
|
* `HardwareAttestationVerifiers` object the CLI hands to `verifyFile`.
|
|
13
11
|
* Any credential whose subject carries a hardware-attestation claim
|
|
14
12
|
* for any of the canonical platforms now verifies end-to-end — chain
|
|
@@ -28,15 +26,15 @@
|
|
|
28
26
|
* Operators verifying credentials from a different motebit deployment
|
|
29
27
|
* can override any of these via the config parameter.
|
|
30
28
|
*
|
|
31
|
-
*
|
|
32
|
-
*
|
|
33
|
-
*
|
|
34
|
-
*
|
|
29
|
+
* Note: `@motebit/crypto-play-integrity` was deprecated 2026-04-26 and
|
|
30
|
+
* fully removed 2026-05-03. The structural reason — Google publishes no
|
|
31
|
+
* global Play Integrity JWKS, so the package can't satisfy motebit's
|
|
32
|
+
* third-party-verifiability invariant — is captured in
|
|
35
33
|
* `docs/doctrine/hardware-attestation.md` § "Three architectural
|
|
36
|
-
* categories".
|
|
34
|
+
* categories". Android attestation lives entirely on
|
|
35
|
+
* `@motebit/crypto-android-keystore` now.
|
|
37
36
|
*/
|
|
38
37
|
import type { HardwareAttestationVerifiers } from "@motebit/crypto";
|
|
39
|
-
import { type GoogleJwks } from "@motebit/crypto-play-integrity";
|
|
40
38
|
export interface HardwareVerifierBundleConfig {
|
|
41
39
|
/**
|
|
42
40
|
* Apple App Attest — bundle ID the attested iOS app was built with.
|
|
@@ -69,27 +67,6 @@ export interface HardwareVerifierBundleConfig {
|
|
|
69
67
|
* covering both pre- and post-rotation device fleets).
|
|
70
68
|
*/
|
|
71
69
|
readonly androidKeystoreRootPems?: ReadonlyArray<string>;
|
|
72
|
-
/**
|
|
73
|
-
* Google Play Integrity (DEPRECATED) — Android package name the
|
|
74
|
-
* attested app was built with. Defaults to `com.motebit.mobile`.
|
|
75
|
-
* Wired during the `@motebit/crypto-play-integrity@1.x`
|
|
76
|
-
* deprecation cycle so already-minted credentials continue to
|
|
77
|
-
* verify; new mobile builds emit `platform: "android_keystore"`.
|
|
78
|
-
*/
|
|
79
|
-
readonly playIntegrityPackageName?: string;
|
|
80
|
-
/**
|
|
81
|
-
* Google Play Integrity (DEPRECATED) — override the pinned JWKS.
|
|
82
|
-
* Fail-closed by default — see the structural-mismatch note in
|
|
83
|
-
* `@motebit/crypto-play-integrity`'s CLAUDE.md (no global Google
|
|
84
|
-
* JWKS exists; this verifier is operator-key-mediated rather than
|
|
85
|
-
* sovereign-verifiable, which is why it's been deprecated).
|
|
86
|
-
*/
|
|
87
|
-
readonly playIntegrityPinnedJwks?: GoogleJwks;
|
|
88
|
-
/**
|
|
89
|
-
* Google Play Integrity (DEPRECATED) — relax the device-integrity
|
|
90
|
-
* floor. Defaults to the strict `"MEETS_DEVICE_INTEGRITY"`.
|
|
91
|
-
*/
|
|
92
|
-
readonly playIntegrityRequiredDeviceIntegrity?: string;
|
|
93
70
|
/**
|
|
94
71
|
* WebAuthn — Relying Party ID the credential was minted for.
|
|
95
72
|
* Defaults to `motebit.com`.
|
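Review bot: Removing `playIntegrityPackageName`, `playIntegrityPinnedJwks` and `playIntegrityRequiredDeviceIntegrity` from the exported `HardwareVerifierBundleConfig` is a breaking type change shipped as 1.2.1 to 1.3.0; callers that pass any of them in an object literal stop compiling. The deleted doc comment said these were wired "during the `@motebit/crypto-play-integrity@1.x` deprecation cycle so already-minted credentials continue to verify". Suggest either a major version bump or keeping the three fields as `@deprecated` and ignored for one release, and recording the removal in the changelog.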
package/dist/adapters.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"adapters.d.ts","sourceRoot":"","sources":["../src/adapters.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"adapters.d.ts","sourceRoot":"","sources":["../src/adapters.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,OAAO,KAAK,EAAE,4BAA4B,EAAE,MAAM,iBAAiB,CAAC;AAMpE,MAAM,WAAW,4BAA4B;IAC3C;;;;OAIG;IACH,QAAQ,CAAC,iBAAiB,CAAC,EAAE,MAAM,CAAC;IACpC;;;;;OAKG;IACH,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC;;;;;;;;;OASG;IACH,QAAQ,CAAC,+CAA+C,CAAC,EAAE,UAAU,CAAC;IACtE;;;;;OAKG;IACH,QAAQ,CAAC,uBAAuB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACzD;;;OAGG;IACH,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAClD;;;;OAIG;IACH,QAAQ,CAAC,WAAW,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC9C;AAOD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,sBAAsB,CACpC,MAAM,CAAC,EAAE,4BAA4B,GACpC,4BAA4B,CAiC9B"}
|
package/dist/adapters.js
CHANGED
|
@@ -1,7 +1,5 @@
|
|
|
1
1
|
import { androidKeystoreVerifier } from "@motebit/crypto-android-keystore";
|
|
2
2
|
import { deviceCheckVerifier, APPLE_APPATTEST_ROOT_PEM } from "@motebit/crypto-appattest";
|
|
3
|
-
// eslint-disable-next-line @typescript-eslint/no-deprecated -- consumed for one minor deprecation cycle so already-minted Play Integrity claims continue to verify; removed at @motebit/crypto-play-integrity@2.0.0.
|
|
4
|
-
import { playIntegrityVerifier } from "@motebit/crypto-play-integrity";
|
|
5
3
|
import { tpmVerifier } from "@motebit/crypto-tpm";
|
|
6
4
|
import { webauthnVerifier, DEFAULT_FIDO_ROOTS } from "@motebit/crypto-webauthn";
|
|
7
5
|
/** Motebit's canonical iOS / Android app identifier. */
|
|
@@ -31,7 +29,6 @@ const DEFAULT_WEBAUTHN_RP_ID = "motebit.com";
|
|
|
31
29
|
*/
|
|
32
30
|
export function buildHardwareVerifiers(config) {
|
|
33
31
|
const appAttestBundleId = config?.appAttestBundleId ?? DEFAULT_BUNDLE_ID;
|
|
34
|
-
const playIntegrityPackageName = config?.playIntegrityPackageName ?? DEFAULT_BUNDLE_ID;
|
|
35
32
|
const webauthnRpId = config?.webauthnRpId ?? DEFAULT_WEBAUTHN_RP_ID;
|
|
36
33
|
const verifiers = {
|
|
37
34
|
deviceCheck: deviceCheckVerifier({
|
|
@@ -41,16 +38,6 @@ export function buildHardwareVerifiers(config) {
|
|
|
41
38
|
tpm: tpmVerifier({
|
|
42
39
|
...(config?.tpmRootPems !== undefined ? { rootPems: config.tpmRootPems } : {}),
|
|
43
40
|
}),
|
|
44
|
-
// eslint-disable-next-line @typescript-eslint/no-deprecated -- one-minor-cycle backward compat for already-minted Play Integrity credentials; removed at @motebit/crypto-play-integrity@2.0.0.
|
|
45
|
-
playIntegrity: playIntegrityVerifier({
|
|
46
|
-
expectedPackageName: playIntegrityPackageName,
|
|
47
|
-
...(config?.playIntegrityPinnedJwks !== undefined
|
|
48
|
-
? { pinnedJwks: config.playIntegrityPinnedJwks }
|
|
49
|
-
: {}),
|
|
50
|
-
...(config?.playIntegrityRequiredDeviceIntegrity !== undefined
|
|
51
|
-
? { requiredDeviceIntegrity: config.playIntegrityRequiredDeviceIntegrity }
|
|
52
|
-
: {}),
|
|
53
|
-
}),
|
|
54
41
|
webauthn: webauthnVerifier({
|
|
55
42
|
expectedRpId: webauthnRpId,
|
|
56
43
|
rootPems: config?.webauthnRootPems ?? DEFAULT_FIDO_ROOTS,
|
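Review bot: With the `playIntegrity` entry deleted from the `verifiers` record, fail-closed handling of already-minted `play_integrity` credentials rests entirely on the dispatcher treating a missing arm as an error, and nothing in this file asserts that. Suggest a regression test that runs a `play_integrity` credential through `buildHardwareVerifiers()` with no config and checks for the named error the README promises for a missing adapter, so a later change to the dispatcher cannot turn this into silent acceptance.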
package/dist/adapters.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"adapters.js","sourceRoot":"","sources":["../src/adapters.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"adapters.js","sourceRoot":"","sources":["../src/adapters.ts"],"names":[],"mappings":"AAqCA,OAAO,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAC;AAC3E,OAAO,EAAE,mBAAmB,EAAE,wBAAwB,EAAE,MAAM,2BAA2B,CAAC;AAC1F,OAAO,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AAClD,OAAO,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,MAAM,0BAA0B,CAAC;AAoDhF,wDAAwD;AACxD,MAAM,iBAAiB,GAAG,oBAAoB,CAAC;AAC/C,qEAAqE;AACrE,MAAM,sBAAsB,GAAG,aAAa,CAAC;AAE7C;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,MAAM,UAAU,sBAAsB,CACpC,MAAqC;IAErC,MAAM,iBAAiB,GAAG,MAAM,EAAE,iBAAiB,IAAI,iBAAiB,CAAC;IACzE,MAAM,YAAY,GAAG,MAAM,EAAE,YAAY,IAAI,sBAAsB,CAAC;IAEpE,MAAM,SAAS,GAA0C;QACvD,WAAW,EAAE,mBAAmB,CAAC;YAC/B,gBAAgB,EAAE,iBAAiB;YACnC,OAAO,EAAE,MAAM,EAAE,gBAAgB,IAAI,wBAAwB;SAC9D,CAAC;QACF,GAAG,EAAE,WAAW,CAAC;YACf,GAAG,CAAC,MAAM,EAAE,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SAC/E,CAAC;QACF,QAAQ,EAAE,gBAAgB,CAAC;YACzB,YAAY,EAAE,YAAY;YAC1B,QAAQ,EAAE,MAAM,EAAE,gBAAgB,IAAI,kBAAkB;SACzD,CAAC;KACH,CAAC;IAEF,oEAAoE;IACpE,oEAAoE;IACpE,gEAAgE;IAChE,2DAA2D;IAC3D,iCAAiC;IACjC,IAAI,MAAM,EAAE,+CAA+C,KAAK,SAAS,EAAE,CAAC;QAC1E,SAAS,CAAC,eAAe,GAAG,uBAAuB,CAAC;YAClD,gCAAgC,EAAE,MAAM,CAAC,+CAA+C;YACxF,GAAG,CAAC,MAAM,CAAC,uBAAuB,KAAK,SAAS;gBAC9C,CAAC,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,uBAAuB,EAAE;gBAC9C,CAAC,CAAC,EAAE,CAAC;SACR,CAAC,CAAC;IACL,CAAC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC"}
|
package/dist/cli.d.ts
CHANGED
|
@@ -5,10 +5,9 @@
|
|
|
5
5
|
* Verifies identity files, execution receipts, credentials, and
|
|
6
6
|
* presentations against their embedded signatures. When a credential
|
|
7
7
|
* carries a `hardware_attestation` claim for `device_check` / `tpm` /
|
|
8
|
-
* `android_keystore` / `webauthn
|
|
9
|
-
*
|
|
10
|
-
*
|
|
11
|
-
* identity binding end-to-end.
|
|
8
|
+
* `android_keystore` / `webauthn`, the bundled platform adapters
|
|
9
|
+
* verify the chain, extension, package binding, and identity binding
|
|
10
|
+
* end-to-end.
|
|
12
11
|
*
|
|
13
12
|
* ```
|
|
14
13
|
* motebit-verify <file> # auto-detect, print human
|
|
@@ -30,9 +29,8 @@
|
|
|
30
29
|
* 2 usage / I/O error
|
|
31
30
|
*
|
|
32
31
|
* Network-free by design. Every adapter pins its own trust anchor
|
|
33
|
-
* (Apple App Attest Root CA, FIDO roots, TPM vendor roots
|
|
34
|
-
*
|
|
35
|
-
* real bytes (see `@motebit/crypto-play-integrity`'s CLAUDE.md).
|
|
32
|
+
* (Apple App Attest Root CA, FIDO roots, TPM vendor roots, Google
|
|
33
|
+
* Hardware Attestation roots).
|
|
36
34
|
*
|
|
37
35
|
* Three-package lineage — mirrors how tools like `git` / `libgit2` or
|
|
38
36
|
* `cargo` / `tokio` separate the verb-tool from the library layer:
|
|
@@ -41,5 +39,49 @@
|
|
|
41
39
|
* @motebit/verifier — Apache-2.0 library (file I/O, human formatting)
|
|
42
40
|
* @motebit/crypto — Apache-2.0 primitives (verify, sign, suite dispatch)
|
|
43
41
|
*/
|
|
42
|
+
import type { ArtifactType, ContentArtifactManifest } from "@motebit/crypto";
|
|
43
|
+
import type { ContentArtifactType } from "@motebit/protocol";
|
|
44
|
+
interface ParsedArgs {
|
|
45
|
+
readonly mode: "verify" | "verify-content-artifact" | "help" | "version";
|
|
46
|
+
readonly file?: string;
|
|
47
|
+
readonly json: boolean;
|
|
48
|
+
readonly expectedType?: ArtifactType;
|
|
49
|
+
readonly clockSkewSeconds?: number;
|
|
50
|
+
readonly bundleId?: string;
|
|
51
|
+
readonly androidAttestationApplicationIdPath?: string;
|
|
52
|
+
readonly rpId?: string;
|
|
53
|
+
/** Content-artifact mode: manifest input — either base64url header value or path to JSON file. */
|
|
54
|
+
readonly manifest?: string;
|
|
55
|
+
/** Content-artifact mode: optional pinned producer key (hex, 64 chars). */
|
|
56
|
+
readonly expectedProducerKey?: string;
|
|
57
|
+
/** Content-artifact mode: optional expected artifact-type from the closed registry. */
|
|
58
|
+
readonly expectedArtifactType?: ContentArtifactType;
|
|
59
|
+
readonly usageError?: string;
|
|
60
|
+
}
|
|
61
|
+
export declare function parseArgs(argv: readonly string[]): ParsedArgs;
|
|
62
|
+
/**
|
|
63
|
+
* Decode the `--manifest` argument. Tries the value as a filesystem
|
|
64
|
+
* path first; if the file exists and parses as JSON, returns that.
|
|
65
|
+
* Otherwise, treats it as a base64url-encoded canonical-JSON
|
|
66
|
+
* representation (the form `services/relay/src/state-export.ts` emits
|
|
67
|
+
* in the `X-Motebit-Content-Manifest` HTTP header). Returns the
|
|
68
|
+
* parsed manifest object or a usage error.
|
|
69
|
+
*
|
|
70
|
+
* Auto-detect order matters: a base64url string could in principle be
|
|
71
|
+
* a legal path on disk, but the path-first try is bounded (readFileSync
|
|
72
|
+
* + JSON.parse) and falls through silently to header-decode. The
|
|
73
|
+
* inverse — treating every input as header bytes — would accidentally
|
|
74
|
+
* succeed on JSON files whose contents happen to base64-decode as
|
|
75
|
+
* arbitrary bytes, returning malformed garbage.
|
|
76
|
+
*/
|
|
77
|
+
export declare function decodeManifestInput(value: string): {
|
|
78
|
+
ok: true;
|
|
79
|
+
manifest: ContentArtifactManifest;
|
|
80
|
+
} | {
|
|
81
|
+
ok: false;
|
|
82
|
+
error: string;
|
|
83
|
+
};
|
|
84
|
+
/** Failure-reason → human-readable phrase for the human-mode CLI output. */
|
|
85
|
+
export declare function describeContentArtifactReason(reason: string): string;
|
|
44
86
|
export {};
|
|
45
87
|
//# sourceMappingURL=cli.d.ts.map
|
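Review bot: `decodeManifestInput` chooses between "path" and "header value" by trying the filesystem first, so a value copied from an `X-Motebit-Content-Manifest` response header is handed to `readFileSync` before it is treated as base64url, and a manifest file that exists but fails `JSON.parse` falls through silently to header decoding and surfaces as an unrelated decode error. Suggest making the source explicit (for example separate file and header flags), or at minimum returning an `error` string that says which interpretation was attempted and why it failed, rather than relying on the ordering argument in the doc comment.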
package/dist/cli.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA
|
|
1
|
+
{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AAMH,OAAO,KAAK,EAAE,YAAY,EAAE,uBAAuB,EAAE,MAAM,iBAAiB,CAAC;AAE7E,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,mBAAmB,CAAC;AA6B7D,UAAU,UAAU;IAClB,QAAQ,CAAC,IAAI,EAAE,QAAQ,GAAG,yBAAyB,GAAG,MAAM,GAAG,SAAS,CAAC;IACzE,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC;IACvB,QAAQ,CAAC,YAAY,CAAC,EAAE,YAAY,CAAC;IACrC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,mCAAmC,CAAC,EAAE,MAAM,CAAC;IACtD,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,kGAAkG;IAClG,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,2EAA2E;IAC3E,QAAQ,CAAC,mBAAmB,CAAC,EAAE,MAAM,CAAC;IACtC,uFAAuF;IACvF,QAAQ,CAAC,oBAAoB,CAAC,EAAE,mBAAmB,CAAC;IACpD,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,wBAAgB,SAAS,CAAC,IAAI,EAAE,SAAS,MAAM,EAAE,GAAG,UAAU,CAsH7D;AAgND;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,MAAM,GACZ;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,QAAQ,EAAE,uBAAuB,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CA0BhF;AAED,4EAA4E;AAC5E,wBAAgB,6BAA6B,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAmBpE"}
|
package/dist/cli.js
CHANGED
|
@@ -5,10 +5,9 @@
|
|
|
5
5
|
* Verifies identity files, execution receipts, credentials, and
|
|
6
6
|
* presentations against their embedded signatures. When a credential
|
|
7
7
|
* carries a `hardware_attestation` claim for `device_check` / `tpm` /
|
|
8
|
-
* `android_keystore` / `webauthn
|
|
9
|
-
*
|
|
10
|
-
*
|
|
11
|
-
* identity binding end-to-end.
|
|
8
|
+
* `android_keystore` / `webauthn`, the bundled platform adapters
|
|
9
|
+
* verify the chain, extension, package binding, and identity binding
|
|
10
|
+
* end-to-end.
|
|
12
11
|
*
|
|
13
12
|
* ```
|
|
14
13
|
* motebit-verify <file> # auto-detect, print human
|
|
@@ -30,9 +29,8 @@
|
|
|
30
29
|
* 2 usage / I/O error
|
|
31
30
|
*
|
|
32
31
|
* Network-free by design. Every adapter pins its own trust anchor
|
|
33
|
-
* (Apple App Attest Root CA, FIDO roots, TPM vendor roots
|
|
34
|
-
*
|
|
35
|
-
* real bytes (see `@motebit/crypto-play-integrity`'s CLAUDE.md).
|
|
32
|
+
* (Apple App Attest Root CA, FIDO roots, TPM vendor roots, Google
|
|
33
|
+
* Hardware Attestation roots).
|
|
36
34
|
*
|
|
37
35
|
* Three-package lineage — mirrors how tools like `git` / `libgit2` or
|
|
38
36
|
* `cargo` / `tokio` separate the verb-tool from the library layer:
|
|
@@ -44,6 +42,9 @@
|
|
|
44
42
|
import { readFileSync } from "node:fs";
|
|
45
43
|
import { dirname, join } from "node:path";
|
|
46
44
|
import { fileURLToPath } from "node:url";
|
|
45
|
+
import { verifyContentArtifact } from "@motebit/crypto";
|
|
46
|
+
import { ALL_CONTENT_ARTIFACT_TYPES, isContentArtifactType } from "@motebit/protocol";
|
|
47
|
+
import { verifyInnerSignedReceipts, } from "@motebit/state-export-client";
|
|
47
48
|
import { formatHuman, verifyFile } from "@motebit/verifier";
|
|
48
49
|
import { buildHardwareVerifiers } from "./adapters.js";
|
|
49
50
|
const EXPECT_VALUES = [
|
|
@@ -53,13 +54,29 @@ const EXPECT_VALUES = [
|
|
|
53
54
|
"presentation",
|
|
54
55
|
"skill",
|
|
55
56
|
];
|
|
56
|
-
|
|
57
|
+
/**
|
|
58
|
+
* First positional argument that switches the CLI into content-artifact
|
|
59
|
+
* mode. Verifies a relay-asserted (or motebit-asserted) C2PA-shape
|
|
60
|
+
* manifest against the bytes it covers — the consumer-side primitive
|
|
61
|
+
* for the state-export-signing surface (`docs/doctrine/nist-alignment.md`
|
|
62
|
+
* §8). Stays a subcommand rather than auto-detection because
|
|
63
|
+
* content-artifact mode takes TWO inputs (body + manifest); auto-
|
|
64
|
+
* detection on a single positional cannot distinguish them.
|
|
65
|
+
*/
|
|
66
|
+
const CONTENT_ARTIFACT_SUBCOMMAND = "content-artifact";
|
|
67
|
+
export function parseArgs(argv) {
|
|
68
|
+
// Detect content-artifact subcommand at the head of the arg list.
|
|
69
|
+
// The remaining args are parsed in content-artifact mode — a strict
|
|
70
|
+
// subset of the credential-verification flags (no platform-specific
|
|
71
|
+
// overrides) plus content-artifact-specific flags.
|
|
72
|
+
if (argv[0] === CONTENT_ARTIFACT_SUBCOMMAND) {
|
|
73
|
+
return parseContentArtifactArgs(argv.slice(1));
|
|
74
|
+
}
|
|
57
75
|
let file;
|
|
58
76
|
let json = false;
|
|
59
77
|
let expectedType;
|
|
60
78
|
let clockSkewSeconds;
|
|
61
79
|
let bundleId;
|
|
62
|
-
let androidPackage;
|
|
63
80
|
let androidAttestationApplicationIdPath;
|
|
64
81
|
let rpId;
|
|
65
82
|
let help = false;
|
|
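Review bot: The check `argv[0] === CONTENT_ARTIFACT_SUBCOMMAND` only fires when `content-artifact` is the very first argument, so an invocation such as `motebit-verify --json content-artifact <body> ...` is parsed in credential mode with `content-artifact` as an ordinary positional, and a file literally named `content-artifact` can no longer be passed as a bare first argument. Suggest documenting the ordering requirement in the help text and returning a usage error when `content-artifact` appears after a flag, so the mode confusion fails loudly.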
@@ -114,14 +131,6 @@ function parseArgs(argv) {
|
|
|
114
131
|
i += 2;
|
|
115
132
|
break;
|
|
116
133
|
}
|
|
117
|
-
case "--android-package": {
|
|
118
|
-
const value = argv[i + 1];
|
|
119
|
-
if (value === undefined)
|
|
120
|
-
return usage("--android-package requires a value");
|
|
121
|
-
androidPackage = value;
|
|
122
|
-
i += 2;
|
|
123
|
-
break;
|
|
124
|
-
}
|
|
125
134
|
case "--android-attestation-application-id": {
|
|
126
135
|
// Path to a binary file containing the raw bytes of the leaf
|
|
127
136
|
// cert's `attestationApplicationId` extension value. Operators
|
|
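Review bot: Deleting the `--android-package` case outright means invocations that still pass the flag get no guidance toward its replacement, whatever the default arm reports. Suggest keeping a case for the retired flag for at least one release that returns `usage(...)` with a message naming `--android-attestation-application-id`.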
@@ -170,7 +179,6 @@ function parseArgs(argv) {
|
|
|
170
179
|
...(expectedType !== undefined && { expectedType }),
|
|
171
180
|
...(clockSkewSeconds !== undefined && { clockSkewSeconds }),
|
|
172
181
|
...(bundleId !== undefined && { bundleId }),
|
|
173
|
-
...(androidPackage !== undefined && { androidPackage }),
|
|
174
182
|
...(androidAttestationApplicationIdPath !== undefined && {
|
|
175
183
|
androidAttestationApplicationIdPath,
|
|
176
184
|
}),
|
|
@@ -180,12 +188,115 @@ function parseArgs(argv) {
|
|
|
180
188
|
function usage(message) {
|
|
181
189
|
return { mode: "help", json: false, usageError: message };
|
|
182
190
|
}
|
|
191
|
+
/**
|
|
192
|
+
* Parse args for the `content-artifact` subcommand. Accepts:
|
|
193
|
+
*
|
|
194
|
+
* motebit-verify content-artifact <body-file> --manifest <header-or-path>
|
|
195
|
+
* [--expect <artifact-type>]
|
|
196
|
+
* [--producer-key <hex>]
|
|
197
|
+
* [--json]
|
|
198
|
+
*
|
|
199
|
+
* `--manifest` accepts EITHER a base64url-encoded canonical-JSON value
|
|
200
|
+
* (as emitted in the `X-Motebit-Content-Manifest` HTTP header) OR a
|
|
201
|
+
* filesystem path to a JSON file. Auto-detected by checking if the
|
|
202
|
+
* value parses as JSON when treated as a path; on filesystem read
|
|
203
|
+
* failure, falls back to base64url-header interpretation.
|
|
204
|
+
*
|
|
205
|
+
* `--producer-key` (optional) pins the expected producer's hex public
|
|
206
|
+
* key (32 bytes / 64 hex chars). When set, the CLI rejects with
|
|
207
|
+
* `producer_key_mismatch` if the manifest's declared key differs —
|
|
208
|
+
* the offline trust-anchor primitive (a verifier who has pinned the
|
|
209
|
+
* relay's pubkey from `/.well-known/motebit-transparency.json` can
|
|
210
|
+
* confirm the producer matches).
|
|
211
|
+
*
|
|
212
|
+
* `--expect` (optional) narrows to a member of the `ContentArtifactType`
|
|
213
|
+
* registry; mirrors the closed-registry pattern of the credential-
|
|
214
|
+
* mode `--expect`.
|
|
215
|
+
*/
|
|
216
|
+
function parseContentArtifactArgs(argv) {
|
|
217
|
+
let file;
|
|
218
|
+
let manifest;
|
|
219
|
+
let expectedArtifactType;
|
|
220
|
+
let expectedProducerKey;
|
|
221
|
+
let json = false;
|
|
222
|
+
let help = false;
|
|
223
|
+
let i = 0;
|
|
224
|
+
while (i < argv.length) {
|
|
225
|
+
const arg = argv[i];
|
|
226
|
+
switch (arg) {
|
|
227
|
+
case "-h":
|
|
228
|
+
case "--help":
|
|
229
|
+
help = true;
|
|
230
|
+
i++;
|
|
231
|
+
break;
|
|
232
|
+
case "--json":
|
|
233
|
+
json = true;
|
|
234
|
+
i++;
|
|
235
|
+
break;
|
|
236
|
+
case "--manifest": {
|
|
237
|
+
const value = argv[i + 1];
|
|
238
|
+
if (value === undefined)
|
|
239
|
+
return usage("--manifest requires a value (header or file path)");
|
|
240
|
+
manifest = value;
|
|
241
|
+
i += 2;
|
|
242
|
+
break;
|
|
243
|
+
}
|
|
244
|
+
case "--expect":
|
|
245
|
+
case "--expected-type": {
|
|
246
|
+
const value = argv[i + 1];
|
|
247
|
+
if (value === undefined)
|
|
248
|
+
return usage(`${arg} requires a value`);
|
|
249
|
+
if (!isContentArtifactType(value)) {
|
|
250
|
+
return usage(`unknown --expect value "${value}" (valid: ${ALL_CONTENT_ARTIFACT_TYPES.join(", ")})`);
|
|
251
|
+
}
|
|
252
|
+
expectedArtifactType = value;
|
|
253
|
+
i += 2;
|
|
254
|
+
break;
|
|
255
|
+
}
|
|
256
|
+
case "--producer-key": {
|
|
257
|
+
const value = argv[i + 1];
|
|
258
|
+
if (value === undefined)
|
|
259
|
+
return usage("--producer-key requires a hex value");
|
|
260
|
+
if (!/^[0-9a-fA-F]{64}$/.test(value)) {
|
|
261
|
+
return usage("--producer-key must be 64 hex characters (32-byte Ed25519 public key)");
|
|
262
|
+
}
|
|
263
|
+
expectedProducerKey = value.toLowerCase();
|
|
264
|
+
i += 2;
|
|
265
|
+
break;
|
|
266
|
+
}
|
|
267
|
+
default:
|
|
268
|
+
if (arg.startsWith("-"))
|
|
269
|
+
return usage(`unknown flag: ${arg}`);
|
|
270
|
+
if (file !== undefined) {
|
|
271
|
+
return usage(`expected exactly one body-file argument, got a second: "${arg}" (after "${file}")`);
|
|
272
|
+
}
|
|
273
|
+
file = arg;
|
|
274
|
+
i++;
|
|
275
|
+
break;
|
|
276
|
+
}
|
|
277
|
+
}
|
|
278
|
+
if (help)
|
|
279
|
+
return { mode: "help", json };
|
|
280
|
+
if (file === undefined)
|
|
281
|
+
return usage("content-artifact: missing body-file argument");
|
|
282
|
+
if (manifest === undefined)
|
|
283
|
+
return usage("content-artifact: --manifest is required");
|
|
284
|
+
return {
|
|
285
|
+
mode: "verify-content-artifact",
|
|
286
|
+
file,
|
|
287
|
+
manifest,
|
|
288
|
+
json,
|
|
289
|
+
...(expectedArtifactType !== undefined && { expectedArtifactType }),
|
|
290
|
+
...(expectedProducerKey !== undefined && { expectedProducerKey }),
|
|
291
|
+
};
|
|
292
|
+
}
|
|
183
293
|
function renderHelp() {
|
|
184
294
|
return [
|
|
185
295
|
"motebit-verify — verify any signed Motebit artifact offline.",
|
|
186
296
|
"",
|
|
187
297
|
"USAGE",
|
|
188
298
|
" motebit-verify <path> [options]",
|
|
299
|
+
" motebit-verify content-artifact <body-file> --manifest <header-or-path> [options]",
|
|
189
300
|
"",
|
|
190
301
|
" <path> may be a single file (identity, receipt, credential, presentation,",
|
|
191
302
|
" or a skill envelope JSON) OR a skill directory containing SKILL.md +",
|
|
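Review bot: `--producer-key` is optional in `parseContentArtifactArgs`, and the help text describes the signature check as being "against the manifest's declared producer key", so an unpinned run shows only that the body matches the manifest, not who produced it. Suggest surfacing the unpinned case as a distinct status or warning in both human and `--json` output so callers cannot read integrity as origin. Separately, the `--manifest`, `--expect` and `--producer-key` arms take `argv[i + 1]` unconditionally, so `--manifest --json` consumes `--json` as the manifest value; consider rejecting a value that starts with `-`.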
@@ -194,15 +305,20 @@ function renderHelp() {
|
|
|
194
305
|
" body-hash + per-file-hash cross-check; single-file inputs run the",
|
|
195
306
|
" artifact's own signature check.",
|
|
196
307
|
"",
|
|
308
|
+
" `content-artifact` mode verifies a C2PA-shape relay-asserted",
|
|
309
|
+
" manifest (e.g. the `X-Motebit-Content-Manifest` HTTP header emitted",
|
|
310
|
+
" on every state-export endpoint) against the response-body bytes",
|
|
311
|
+
" it covers. Two-step check: SHA-256 content-hash recomputation +",
|
|
312
|
+
" Ed25519 signature verification against the manifest's declared",
|
|
313
|
+
" producer key. Offline by design; pin the producer key with",
|
|
314
|
+
` --producer-key from /.well-known/motebit-transparency.json.`,
|
|
315
|
+
"",
|
|
197
316
|
"OPTIONS",
|
|
198
317
|
" --json Print structured JSON instead of human-readable.",
|
|
199
318
|
" --expect <type> Require the artifact to be of the named type.",
|
|
200
319
|
" --clock-skew <seconds> Allow N seconds of clock skew.",
|
|
201
320
|
" --bundle-id <id> Override the expected iOS bundle ID for App Attest",
|
|
202
321
|
" (default: com.motebit.mobile).",
|
|
203
|
-
" --android-package <name> Override the expected Android package name for",
|
|
204
|
-
" the deprecated Play Integrity adapter",
|
|
205
|
-
" (default: com.motebit.mobile).",
|
|
206
322
|
" --android-attestation-application-id <path>",
|
|
207
323
|
" Path to a binary file containing the raw bytes",
|
|
208
324
|
" of the leaf cert's `attestationApplicationId`",
|
|
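Review bot: The content-artifact help paragraph describes the signature check as verification "against the manifest's declared producer key" and mentions --producer-key only as advice, so it never says what a pass means when the flag is omitted. Without the pin, the key comes from the same manifest that is being checked, and a success shows only that hash, signature and declared key agree with each other, not that the expected relay produced the bytes. Suggest stating that in this paragraph. The same hunk drops --android-package from OPTIONS; a line recording the removal would help callers who still pass it.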
@@ -215,6 +331,24 @@ function renderHelp() {
|
|
|
215
331
|
" alongside other pinned config.",
|
|
216
332
|
" --rp-id <id> Override the expected WebAuthn Relying Party ID",
|
|
217
333
|
" (default: motebit.com).",
|
|
334
|
+
"",
|
|
335
|
+
" CONTENT-ARTIFACT MODE — `motebit-verify content-artifact <body> ...`",
|
|
336
|
+
" --manifest <header-or-path>",
|
|
337
|
+
" Either a base64url-encoded canonical-JSON",
|
|
338
|
+
" manifest value (the form emitted in the",
|
|
339
|
+
" X-Motebit-Content-Manifest HTTP header) OR a",
|
|
340
|
+
" filesystem path to a JSON manifest file.",
|
|
341
|
+
" Auto-detected.",
|
|
342
|
+
" --producer-key <hex> Pin the expected producer's Ed25519 public",
|
|
343
|
+
" key (64 hex chars). When set, rejects with",
|
|
344
|
+
" producer_key_mismatch if the manifest's",
|
|
345
|
+
" declared key differs. Pair with a key fetched",
|
|
346
|
+
" from /.well-known/motebit-transparency.json",
|
|
347
|
+
" for offline trust-anchor enforcement.",
|
|
348
|
+
" --expect <artifact-type> In content-artifact mode, narrows to a member",
|
|
349
|
+
" of the ContentArtifactType registry",
|
|
350
|
+
` (${ALL_CONTENT_ARTIFACT_TYPES.length} types today; see @motebit/protocol).`,
|
|
351
|
+
"",
|
|
218
352
|
" -h, --help Show this help.",
|
|
219
353
|
" -V, --version Print version.",
|
|
220
354
|
"",
|
|
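Review bot: --expect is now documented twice with different value sets: the general OPTIONS entry "--expect <type>" and this "--expect <artifact-type>" entry, which gives only a count via ALL_CONTENT_ARTIFACT_TYPES.length and points to @motebit/protocol. Suggest listing the accepted artifact-type names here, since the help output is the reference a user has offline, and noting in the general entry that its values differ in content-artifact mode. The --producer-key text should also say whether uppercase hex is accepted, as it states only "64 hex chars".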
@@ -231,11 +365,13 @@ function renderHelp() {
|
|
|
231
365
|
" --android-attestation-application-id)",
|
|
232
366
|
" webauthn WebAuthn packed attestation (pinned Apple / Yubico / Microsoft)",
|
|
233
367
|
"",
|
|
234
|
-
"PLATFORMS
|
|
235
|
-
" play_integrity Google Play Integrity
|
|
236
|
-
"
|
|
237
|
-
"
|
|
238
|
-
"
|
|
368
|
+
"PLATFORMS REMOVED",
|
|
369
|
+
" play_integrity Google Play Integrity adapter was removed 2026-05-03.",
|
|
370
|
+
" Credentials carrying this platform now hit the canonical",
|
|
371
|
+
" dispatcher's fail-closed 'verifier not wired' branch.",
|
|
372
|
+
" Use @motebit/crypto-android-keystore instead — see",
|
|
373
|
+
" docs/doctrine/hardware-attestation.md § 'Three",
|
|
374
|
+
" architectural categories' for the structural reason.",
|
|
239
375
|
].join("\n");
|
|
240
376
|
}
|
|
241
377
|
let cachedVersion;
|
|
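Review bot: The PLATFORMS REMOVED text is user-facing help, but it quotes an internal code path ("the canonical dispatcher's fail-closed 'verifier not wired' branch") and a repository path, docs/doctrine/hardware-attestation.md, which a user running the installed binary may not have. Suggest stating the observable outcome instead (credentials carrying play_integrity fail verification) and keeping the pointer to @motebit/crypto-android-keystore.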
@@ -253,6 +389,210 @@ function getPackageVersion() {
|
|
|
253
389
|
}
|
|
254
390
|
return cachedVersion;
|
|
255
391
|
}
|
|
392
|
+
/**
|
|
393
|
+
* Decode the `--manifest` argument. Tries the value as a filesystem
|
|
394
|
+
* path first; if the file exists and parses as JSON, returns that.
|
|
395
|
+
* Otherwise, treats it as a base64url-encoded canonical-JSON
|
|
396
|
+
* representation (the form `services/relay/src/state-export.ts` emits
|
|
397
|
+
* in the `X-Motebit-Content-Manifest` HTTP header). Returns the
|
|
398
|
+
* parsed manifest object or a usage error.
|
|
399
|
+
*
|
|
400
|
+
* Auto-detect order matters: a base64url string could in principle be
|
|
401
|
+
* a legal path on disk, but the path-first try is bounded (readFileSync
|
|
402
|
+
* + JSON.parse) and falls through silently to header-decode. The
|
|
403
|
+
* inverse — treating every input as header bytes — would accidentally
|
|
404
|
+
* succeed on JSON files whose contents happen to base64-decode as
|
|
405
|
+
* arbitrary bytes, returning malformed garbage.
|
|
406
|
+
*/
|
|
407
|
+
export function decodeManifestInput(value) {
|
|
408
|
+
// Path-first: if the value looks like a path and readable as JSON, use that.
|
|
409
|
+
try {
|
|
410
|
+
const fileContents = readFileSync(value, "utf-8");
|
|
411
|
+
const parsed = JSON.parse(fileContents);
|
|
412
|
+
return { ok: true, manifest: parsed };
|
|
413
|
+
}
|
|
414
|
+
catch {
|
|
415
|
+
// Fall through to header-decode.
|
|
416
|
+
}
|
|
417
|
+
// Header-form: base64url → UTF-8 → JSON. Buffer is available because
|
|
418
|
+
// the CLI runs in Node ≥20 (per repo engines).
|
|
419
|
+
try {
|
|
420
|
+
const decoded = Buffer.from(value, "base64url").toString("utf-8");
|
|
421
|
+
if (decoded === "") {
|
|
422
|
+
return { ok: false, error: "--manifest is empty or undecodable as base64url" };
|
|
423
|
+
}
|
|
424
|
+
const parsed = JSON.parse(decoded);
|
|
425
|
+
return { ok: true, manifest: parsed };
|
|
426
|
+
}
|
|
427
|
+
catch (err) {
|
|
428
|
+
const msg = err instanceof Error ? err.message : String(err);
|
|
429
|
+
return {
|
|
430
|
+
ok: false,
|
|
431
|
+
error: `--manifest is neither a readable JSON file nor a valid base64url-encoded manifest: ${msg}`,
|
|
432
|
+
};
|
|
433
|
+
}
|
|
434
|
+
}
|
|
435
|
+
/** Failure-reason → human-readable phrase for the human-mode CLI output. */
|
|
436
|
+
export function describeContentArtifactReason(reason) {
|
|
437
|
+
switch (reason) {
|
|
438
|
+
case "content_hash_mismatch":
|
|
439
|
+
return "body bytes do not match the manifest's content_hash (the artifact was tampered, OR the manifest was issued for different bytes)";
|
|
440
|
+
case "signature_invalid":
|
|
441
|
+
return "signature does not verify against the declared producer key (manifest tampered, OR signed by a different key than the one declared)";
|
|
442
|
+
case "malformed_public_key":
|
|
443
|
+
return "manifest's producer_public_key is not 64 hex characters (32-byte Ed25519)";
|
|
444
|
+
case "malformed_signature":
|
|
445
|
+
return "manifest's signature is not valid base64url";
|
|
446
|
+
case "unsupported_suite":
|
|
447
|
+
return "manifest's cryptosuite is not yet implemented by this verifier (post-quantum migration pending)";
|
|
448
|
+
case "producer_key_mismatch":
|
|
449
|
+
return "manifest's declared producer key does not match the value pinned via --producer-key";
|
|
450
|
+
case "artifact_type_mismatch":
|
|
451
|
+
return "manifest's artifact_type does not match the value required via --expect";
|
|
452
|
+
default:
|
|
453
|
+
return reason;
|
|
454
|
+
}
|
|
455
|
+
}
|
|
456
|
+
async function verifyContentArtifactCli(args, json) {
|
|
457
|
+
if (args.file === undefined) {
|
|
458
|
+
process.stderr.write(`motebit-verify: content-artifact missing body-file argument\n`);
|
|
459
|
+
return 2;
|
|
460
|
+
}
|
|
461
|
+
if (args.manifest === undefined) {
|
|
462
|
+
process.stderr.write(`motebit-verify: content-artifact requires --manifest\n`);
|
|
463
|
+
return 2;
|
|
464
|
+
}
|
|
465
|
+
let bodyBytes;
|
|
466
|
+
try {
|
|
467
|
+
const buf = readFileSync(args.file);
|
|
468
|
+
bodyBytes = new Uint8Array(buf.buffer, buf.byteOffset, buf.byteLength);
|
|
469
|
+
}
|
|
470
|
+
catch (err) {
|
|
471
|
+
const msg = err instanceof Error ? err.message : String(err);
|
|
472
|
+
process.stderr.write(`motebit-verify: cannot read body-file ${args.file}: ${msg}\n`);
|
|
473
|
+
return 2;
|
|
474
|
+
}
|
|
475
|
+
const decoded = decodeManifestInput(args.manifest);
|
|
476
|
+
if (!decoded.ok) {
|
|
477
|
+
process.stderr.write(`motebit-verify: ${decoded.error}\n`);
|
|
478
|
+
return 2;
|
|
479
|
+
}
|
|
480
|
+
const manifest = decoded.manifest;
|
|
481
|
+
// Pre-crypto policy checks: producer-key pin and artifact-type narrow.
|
|
482
|
+
// Both bounded to bytes-level comparison — no new crypto in this
|
|
483
|
+
// package per CLAUDE.md Rule 1. The primitive's failure modes stay
|
|
484
|
+
// pristine; these CLI-layer rejections carry their own typed reasons.
|
|
485
|
+
if (args.expectedProducerKey !== undefined &&
|
|
486
|
+
manifest.producer_public_key.toLowerCase() !== args.expectedProducerKey) {
|
|
487
|
+
const result = {
|
|
488
|
+
valid: false,
|
|
489
|
+
reason: "producer_key_mismatch",
|
|
490
|
+
expected_producer_public_key: args.expectedProducerKey,
|
|
491
|
+
actual_producer_public_key: manifest.producer_public_key.toLowerCase(),
|
|
492
|
+
};
|
|
493
|
+
if (json) {
|
|
494
|
+
process.stdout.write(`${JSON.stringify(result, null, 2)}\n`);
|
|
495
|
+
}
|
|
496
|
+
else {
|
|
497
|
+
process.stdout.write(`✗ content-artifact INVALID — ${describeContentArtifactReason(result.reason)}\n`);
|
|
498
|
+
}
|
|
499
|
+
return 1;
|
|
500
|
+
}
|
|
501
|
+
if (args.expectedArtifactType !== undefined &&
|
|
502
|
+
manifest.artifact_type !== args.expectedArtifactType) {
|
|
503
|
+
const result = {
|
|
504
|
+
valid: false,
|
|
505
|
+
reason: "artifact_type_mismatch",
|
|
506
|
+
expected_artifact_type: args.expectedArtifactType,
|
|
507
|
+
actual_artifact_type: manifest.artifact_type,
|
|
508
|
+
};
|
|
509
|
+
if (json) {
|
|
510
|
+
process.stdout.write(`${JSON.stringify(result, null, 2)}\n`);
|
|
511
|
+
}
|
|
512
|
+
else {
|
|
513
|
+
process.stdout.write(`✗ content-artifact INVALID — ${describeContentArtifactReason(result.reason)}\n`);
|
|
514
|
+
}
|
|
515
|
+
return 1;
|
|
516
|
+
}
|
|
517
|
+
const result = await verifyContentArtifact(manifest, bodyBytes);
|
|
518
|
+
// v1.1 inner-receipt recursive verification — only when the outer
|
|
519
|
+
// manifest already verified (no point auditing the inside of bytes
|
|
520
|
+
// we don't trust were assembled by the relay we expected). Auto-on
|
|
521
|
+
// when applicable; no flag to remember. Calm-software register:
|
|
522
|
+
// surfaces a per-inner-receipt summary only when v1.1 bodies are
|
|
523
|
+
// detected. Per `spec/execution-ledger-v1.md` §4.3 + closure of the
|
|
524
|
+
// operator-trust gap (`docs/doctrine/nist-alignment.md` §8).
|
|
525
|
+
let innerVerification;
|
|
526
|
+
if (result.valid && manifest.artifact_type === "execution-ledger") {
|
|
527
|
+
try {
|
|
528
|
+
const parsed = JSON.parse(new TextDecoder().decode(bodyBytes));
|
|
529
|
+
const inner = await verifyInnerSignedReceipts(parsed);
|
|
530
|
+
if (inner.applicable)
|
|
531
|
+
innerVerification = inner;
|
|
532
|
+
}
|
|
533
|
+
catch {
|
|
534
|
+
// Body parsed earlier for the outer manifest, but if v1.1 inner
|
|
535
|
+
// recursion can't parse it (somehow), silently skip — the outer
|
|
536
|
+
// check has already verified the bytes. v1.0 bodies and bodies
|
|
537
|
+
// without `signed_receipts` set `applicable: false` and don't
|
|
538
|
+
// surface a section.
|
|
539
|
+
}
|
|
540
|
+
}
|
|
541
|
+
const innerFailed = innerVerification !== undefined && !innerVerification.allValid;
|
|
542
|
+
if (json) {
|
|
543
|
+
process.stdout.write(`${JSON.stringify({
|
|
544
|
+
valid: result.valid && !innerFailed,
|
|
545
|
+
...(result.reason !== undefined && { reason: result.reason }),
|
|
546
|
+
manifest: {
|
|
547
|
+
suite: manifest.suite,
|
|
548
|
+
artifact_type: manifest.artifact_type,
|
|
549
|
+
producer: manifest.producer,
|
|
550
|
+
producer_public_key: manifest.producer_public_key,
|
|
551
|
+
claim_generator: manifest.claim_generator,
|
|
552
|
+
produced_at: manifest.produced_at,
|
|
553
|
+
content_hash: manifest.content_hash,
|
|
554
|
+
...(manifest.invocation !== undefined && { invocation: manifest.invocation }),
|
|
555
|
+
},
|
|
556
|
+
...(innerVerification !== undefined && { inner_receipts: innerVerification }),
|
|
557
|
+
}, null, 2)}\n`);
|
|
558
|
+
}
|
|
559
|
+
else {
|
|
560
|
+
if (result.valid) {
|
|
561
|
+
process.stdout.write([
|
|
562
|
+
`✓ content-artifact VERIFIED`,
|
|
563
|
+
` artifact_type ${manifest.artifact_type}`,
|
|
564
|
+
` producer ${manifest.producer}`,
|
|
565
|
+
` producer_key ${manifest.producer_public_key}`,
|
|
566
|
+
` claim_generator ${manifest.claim_generator}`,
|
|
567
|
+
` produced_at ${manifest.produced_at}`,
|
|
568
|
+
` suite ${manifest.suite}`,
|
|
569
|
+
` content_hash ${manifest.content_hash}`,
|
|
570
|
+
``,
|
|
571
|
+
].join("\n"));
|
|
572
|
+
if (innerVerification !== undefined) {
|
|
573
|
+
const allOk = innerVerification.allValid;
|
|
574
|
+
process.stdout.write([
|
|
575
|
+
`${allOk ? "✓" : "✗"} inner receipts ${innerVerification.verifiedCount}/${innerVerification.totalCount} VERIFIED (spec: motebit/execution-ledger@1.1)`,
|
|
576
|
+
...innerVerification.results.map((r) => {
|
|
577
|
+
if (r.valid) {
|
|
578
|
+
return ` ✓ ${r.taskId} motebit=${r.motebitId}${r.signerDid !== undefined ? ` signer=${r.signerDid}` : ""}`;
|
|
579
|
+
}
|
|
580
|
+
return ` ✗ ${r.taskId} motebit=${r.motebitId} reason=${r.reason ?? "unknown"}${r.detail !== undefined ? ` detail=${r.detail}` : ""}`;
|
|
581
|
+
}),
|
|
582
|
+
``,
|
|
583
|
+
].join("\n"));
|
|
584
|
+
}
|
|
585
|
+
}
|
|
586
|
+
else {
|
|
587
|
+
process.stdout.write(`✗ content-artifact INVALID — ${describeContentArtifactReason(result.reason ?? "unknown")}\n`);
|
|
588
|
+
}
|
|
589
|
+
}
|
|
590
|
+
// Overall validity gates on outer AND inner — a v1.1 bundle where any
|
|
591
|
+
// inner receipt fails is not a clean verification, even if the relay's
|
|
592
|
+
// outer signature checks out (the relay is correctly attesting bytes
|
|
593
|
+
// it assembled, but those bytes contain falsified inner claims).
|
|
594
|
+
return result.valid && !innerFailed ? 0 : 1;
|
|
595
|
+
}
|
|
256
596
|
async function main() {
|
|
257
597
|
const args = parseArgs(process.argv.slice(2));
|
|
258
598
|
if (args.mode === "version") {
|
|
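Review bot: In verifyContentArtifactCli the try/catch around the inner-receipt step wraps both the JSON.parse of bodyBytes and "await verifyInnerSignedReceipts(parsed)", and the empty catch leaves innerVerification undefined, so innerFailed is false and the function returns 0 whenever the outer manifest verified. Any exception from the inner verifier therefore becomes a pass, which is fail-open for a check that the closing comment says gates overall validity. Suggest treating a parse or verifier exception on an execution-ledger body as a failure with its own reason. Separately, decodeManifestInput returns whatever JSON.parse yields, and the pin check calls "manifest.producer_public_key.toLowerCase()" on it unvalidated: a manifest that is null, or that lacks a string producer_public_key, throws when --producer-key is set instead of producing a typed rejection. A shape check before the policy checks would cover that and the artifact_type comparison.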
@@ -268,6 +608,9 @@ async function main() {
|
|
|
268
608
|
process.stdout.write(`${help}\n`);
|
|
269
609
|
return 0;
|
|
270
610
|
}
|
|
611
|
+
if (args.mode === "verify-content-artifact") {
|
|
612
|
+
return verifyContentArtifactCli(args, args.json);
|
|
613
|
+
}
|
|
271
614
|
if (args.file === undefined) {
|
|
272
615
|
process.stderr.write(`motebit-verify: missing file argument\n\n${renderHelp()}\n`);
|
|
273
616
|
return 2;
|
|
@@ -286,7 +629,6 @@ async function main() {
|
|
|
286
629
|
}
|
|
287
630
|
const hardwareAttestation = buildHardwareVerifiers({
|
|
288
631
|
...(args.bundleId !== undefined && { appAttestBundleId: args.bundleId }),
|
|
289
|
-
...(args.androidPackage !== undefined && { playIntegrityPackageName: args.androidPackage }),
|
|
290
632
|
...(androidKeystoreExpectedAttestationApplicationId !== undefined && {
|
|
291
633
|
androidKeystoreExpectedAttestationApplicationId,
|
|
292
634
|
}),
|
|
@@ -313,13 +655,31 @@ async function main() {
|
|
|
313
655
|
}
|
|
314
656
|
return result.valid ? 0 : 1;
|
|
315
657
|
}
|
|
316
|
-
|
|
317
|
-
|
|
318
|
-
|
|
319
|
-
|
|
320
|
-
|
|
321
|
-
|
|
322
|
-
process.
|
|
323
|
-
|
|
324
|
-
|
|
658
|
+
// Entry-point guard: only run when invoked as the binary, not when
|
|
659
|
+
// imported by tests or programmatic consumers. Mirrors the standard
|
|
660
|
+
// Node ESM pattern `if (import.meta.url === pathToFileURL(argv[1]))`.
|
|
661
|
+
// Without this, importing cli.ts to test the pure-function helpers
|
|
662
|
+
// triggers main() with vitest's argv and exits the test process.
|
|
663
|
+
const invokedAsBinary = (() => {
|
|
664
|
+
if (process.argv[1] === undefined)
|
|
665
|
+
return false;
|
|
666
|
+
try {
|
|
667
|
+
const argvFileUrl = new URL(`file://${process.argv[1]}`).href;
|
|
668
|
+
return import.meta.url === argvFileUrl;
|
|
669
|
+
}
|
|
670
|
+
catch {
|
|
671
|
+
return false;
|
|
672
|
+
}
|
|
673
|
+
})();
|
|
674
|
+
if (invokedAsBinary) {
|
|
675
|
+
main()
|
|
676
|
+
.then((code) => {
|
|
677
|
+
process.exit(code);
|
|
678
|
+
})
|
|
679
|
+
.catch((err) => {
|
|
680
|
+
const msg = err instanceof Error ? err.message : String(err);
|
|
681
|
+
process.stderr.write(`motebit-verify: ${msg}\n`);
|
|
682
|
+
process.exit(2);
|
|
683
|
+
});
|
|
684
|
+
}
|
|
325
685
|
//# sourceMappingURL=cli.js.map
|
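Review bot: The invokedAsBinary guard builds argvFileUrl by interpolating process.argv[1] into a "file://" string, although its comment cites the pathToFileURL pattern. Interpolation does not handle Windows paths or characters such as "#", "?" and "%" the way pathToFileURL does, and process.argv[1] can be a symlink path (as with package-manager bin links) while import.meta.url normally names the resolved file, so the comparison can be false for a genuine CLI invocation. When it is false, main() never runs and the process ends without verifying anything and without a failure status, which a calling script would read as success. Suggest comparing against pathToFileURL(realpathSync(process.argv[1])).href and adding a test that runs the binary through a symlink.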
package/dist/cli.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyCG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAGzC,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE5D,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC;AAEvD,MAAM,aAAa,GAA4B;IAC7C,UAAU;IACV,SAAS;IACT,YAAY;IACZ,cAAc;IACd,OAAO;CACR,CAAC;AAeF,SAAS,SAAS,CAAC,IAAuB;IACxC,IAAI,IAAwB,CAAC;IAC7B,IAAI,IAAI,GAAG,KAAK,CAAC;IACjB,IAAI,YAAsC,CAAC;IAC3C,IAAI,gBAAoC,CAAC;IACzC,IAAI,QAA4B,CAAC;IACjC,IAAI,cAAkC,CAAC;IACvC,IAAI,mCAAuD,CAAC;IAC5D,IAAI,IAAwB,CAAC;IAC7B,IAAI,IAAI,GAAG,KAAK,CAAC;IACjB,IAAI,OAAO,GAAG,KAAK,CAAC;IAEpB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAE,CAAC;QACrB,QAAQ,GAAG,EAAE,CAAC;YACZ,KAAK,IAAI,CAAC;YACV,KAAK,QAAQ;gBACX,IAAI,GAAG,IAAI,CAAC;gBACZ,CAAC,EAAE,CAAC;gBACJ,MAAM;YACR,KAAK,IAAI,CAAC;YACV,KAAK,WAAW;gBACd,OAAO,GAAG,IAAI,CAAC;gBACf,CAAC,EAAE,CAAC;gBACJ,MAAM;YACR,KAAK,QAAQ;gBACX,IAAI,GAAG,IAAI,CAAC;gBACZ,CAAC,EAAE,CAAC;gBACJ,MAAM;YACR,KAAK,UAAU,CAAC;YAChB,KAAK,iBAAiB,CAAC,CAAC,CAAC;gBACvB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,GAAG,GAAG,mBAAmB,CAAC,CAAC;gBACjE,IAAI,CAAE,aAAmC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC1D,OAAO,KAAK,CAAC,2BAA2B,KAAK,aAAa,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACzF,CAAC;gBACD,YAAY,GAAG,KAAqB,CAAC;gBACrC,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,cAAc,CAAC,CAAC,CAAC;gBACpB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,gDAAgD,CAAC,CAAC;gBACxF,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACrC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBACjC,OAAO,KAAK,CAAC,qDAAqD,KAAK,IAAI,CAAC,CAAC;gBAC/E,CAAC;gBACD,gBAAgB,GAAG,CAAC,CAAC;gBACrB,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,aA
Aa,CAAC,CAAC,CAAC;gBACnB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,8BAA8B,CAAC,CAAC;gBACtE,QAAQ,GAAG,KAAK,CAAC;gBACjB,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,mBAAmB,CAAC,CAAC,CAAC;gBACzB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBAC5E,cAAc,GAAG,KAAK,CAAC;gBACvB,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,sCAAsC,CAAC,CAAC,CAAC;gBAC5C,6DAA6D;gBAC7D,+DAA+D;gBAC/D,0DAA0D;gBAC1D,2DAA2D;gBAC3D,+DAA+D;gBAC/D,8DAA8D;gBAC9D,8CAA8C;gBAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;oBACxB,OAAO,KAAK,CAAC,uEAAuE,CAAC,CAAC;gBACxF,CAAC;gBACD,mCAAmC,GAAG,KAAK,CAAC;gBAC5C,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,SAAS,CAAC,CAAC,CAAC;gBACf,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,0BAA0B,CAAC,CAAC;gBAClE,IAAI,GAAG,KAAK,CAAC;gBACb,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD;gBACE,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;oBAAE,OAAO,KAAK,CAAC,iBAAiB,GAAG,EAAE,CAAC,CAAC;gBAC9D,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;oBACvB,OAAO,KAAK,CACV,sDAAsD,GAAG,aAAa,IAAI,IAAI,CAC/E,CAAC;gBACJ,CAAC;gBACD,IAAI,GAAG,GAAG,CAAC;gBACX,CAAC,EAAE,CAAC;gBACJ,MAAM;QACV,CAAC;IACH,CAAC;IAED,IAAI,IAAI;QAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IACxC,IAAI,OAAO;QAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IAC9C,IAAI,IAAI,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAE9D,OAAO;QACL,IAAI,EAAE,QAAQ;QACd,IAAI;QACJ,IAAI;QACJ,GAAG,CAAC,YAAY,KAAK,SAAS,IAAI,EAAE,YAAY,EAAE,CAAC;QACnD,GAAG,CAAC,gBAAgB,KAAK,SAAS,IAAI,EAAE,gBAAgB,EAAE,CAAC;QAC3D,GAAG,CAAC,QAAQ,KAAK,SAAS,IAAI,EAAE,QAAQ,EAAE,CAAC;QAC3C,GAAG,CAAC,cAAc,KAAK,SAAS,IAAI,EAAE,cAAc,EAAE,CAAC;QACvD,GAAG,CAAC,mCAAmC,KAAK,SAAS,IAAI;YACvD,mCAAmC;SACpC,CAAC;QACF,GAAG,CAAC,IAAI,KAAK,SAAS,IAAI,EAAE,IAAI,EAAE,CAAC;KACpC,CAAC;AACJ,CAAC;AAED,SAAS,KAAK,CAAC,OAAe;IAC5B,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE
,OAAO,EAAE,CAAC;AAC5D,CAAC;AAED,SAAS,UAAU;IACjB,OAAO;QACL,8DAA8D;QAC9D,EAAE;QACF,OAAO;QACP,mCAAmC;QACnC,EAAE;QACF,6EAA6E;QAC7E,wEAAwE;QACxE,6DAA6D;QAC7D,oEAAoE;QACpE,qEAAqE;QACrE,mCAAmC;QACnC,EAAE;QACF,SAAS;QACT,8EAA8E;QAC9E,2EAA2E;QAC3E,4DAA4D;QAC5D,gFAAgF;QAChF,4DAA4D;QAC5D,4EAA4E;QAC5E,mEAAmE;QACnE,4DAA4D;QAC5D,+CAA+C;QAC/C,4EAA4E;QAC5E,2EAA2E;QAC3E,qEAAqE;QACrE,yEAAyE;QACzE,uEAAuE;QACvE,0EAA0E;QAC1E,4EAA4E;QAC5E,yEAAyE;QACzE,4DAA4D;QAC5D,6EAA6E;QAC7E,qDAAqD;QACrD,6CAA6C;QAC7C,4CAA4C;QAC5C,EAAE;QACF,YAAY;QACZ,kEAAkE;QAClE,qFAAqF;QACrF,0BAA0B;QAC1B,EAAE;QACF,6BAA6B;QAC7B,2DAA2D;QAC3D,sFAAsF;QACtF,mEAAmE;QACnE,iEAAiE;QACjE,4DAA4D;QAC5D,sFAAsF;QACtF,EAAE;QACF,+EAA+E;QAC/E,qEAAqE;QACrE,uEAAuE;QACvE,yEAAyE;QACzE,4EAA4E;KAC7E,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED,IAAI,aAAiC,CAAC;AACtC,SAAS,iBAAiB;IACxB,IAAI,aAAa,KAAK,SAAS;QAAE,OAAO,aAAa,CAAC;IACtD,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;QACrD,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC,CAAC;QACjD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,OAAO,EAAE,OAAO,CAAC,CAAyB,CAAC;QAC/E,aAAa,GAAG,GAAG,CAAC,OAAO,IAAI,OAAO,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,aAAa,GAAG,OAAO,CAAC;IAC1B,CAAC;IACD,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,KAAK,UAAU,IAAI;IACjB,MAAM,IAAI,GAAG,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAE9C,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,iBAAiB,EAAE,IAAI,CAAC,CAAC;QACjD,OAAO,CAAC,CAAC;IACX,CAAC;IACD,IAAI,IAAI,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,UAAU,EAAE,CAAC;QAC1B,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YAClC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,IAAI,CAAC,UAAU,OAAO,IAAI,IAAI,CAAC,CAAC;YACxE,OAAO,CAAC,CAAC;QACX,CAAC;QACD,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,IAAI,CAAC,CAAC;QAClC,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC5B,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,4CAA4C,UAAU,EAAE,IAAI,CAAC,CAAC;QACnF,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,+CAAuE,CAAC;IAC5E,IAAI,IAAI
,CAAC,mCAAmC,KAAK,SAAS,EAAE,CAAC;QAC3D,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,YAAY,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC;YACrE,+CAA+C,GAAG,IAAI,UAAU,CAC9D,KAAK,CAAC,MAAM,EACZ,KAAK,CAAC,UAAU,EAChB,KAAK,CAAC,UAAU,CACjB,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC7D,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,uEAAuE,IAAI,CAAC,mCAAmC,KAAK,GAAG,IAAI,CAC5H,CAAC;YACF,OAAO,CAAC,CAAC;QACX,CAAC;IACH,CAAC;IAED,MAAM,mBAAmB,GAAG,sBAAsB,CAAC;QACjD,GAAG,CAAC,IAAI,CAAC,QAAQ,KAAK,SAAS,IAAI,EAAE,iBAAiB,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACxE,GAAG,CAAC,IAAI,CAAC,cAAc,KAAK,SAAS,IAAI,EAAE,wBAAwB,EAAE,IAAI,CAAC,cAAc,EAAE,CAAC;QAC3F,GAAG,CAAC,+CAA+C,KAAK,SAAS,IAAI;YACnE,+CAA+C;SAChD,CAAC;QACF,GAAG,CAAC,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,EAAE,YAAY,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC;KAC5D,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC;IACX,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,UAAU,CAAC,IAAI,CAAC,IAAI,EAAE;YACnC,GAAG,CAAC,IAAI,CAAC,YAAY,KAAK,SAAS,IAAI,EAAE,YAAY,EAAE,IAAI,CAAC,YAAY,EAAE,CAAC;YAC3E,GAAG,CAAC,IAAI,CAAC,gBAAgB,KAAK,SAAS,IAAI,EAAE,gBAAgB,EAAE,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACvF,mBAAmB;SACpB,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QAC7D,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,+BAA+B,IAAI,CAAC,IAAI,KAAK,GAAG,IAAI,CAAC,CAAC;QAC3E,OAAO,CAAC,CAAC;IACX,CAAC;IAED,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;QACd,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC;IAC/D,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACnD,CAAC;IACD,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC9B,CAAC;AAED,IAAI,EAAE;KACH,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;IACb,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACrB,CAAC,CAAC;KACD,KAAK,CAAC,CAAC,GAAY,EAAE,EAAE;IACtB,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC7D,OAAO,CAAC,MAAM,CAAC,KAAK,C
AAC,mBAAmB,GAAG,IAAI,CAAC,CAAC;IACjD,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}
|
|
1
|
+
{"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":";AACA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAC1C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAGzC,OAAO,EAAE,qBAAqB,EAAE,MAAM,iBAAiB,CAAC;AAExD,OAAO,EAAE,0BAA0B,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AACtF,OAAO,EACL,yBAAyB,GAE1B,MAAM,8BAA8B,CAAC;AACtC,OAAO,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE5D,OAAO,EAAE,sBAAsB,EAAE,MAAM,eAAe,CAAC;AAEvD,MAAM,aAAa,GAA4B;IAC7C,UAAU;IACV,SAAS;IACT,YAAY;IACZ,cAAc;IACd,OAAO;CACR,CAAC;AAEF;;;;;;;;GAQG;AACH,MAAM,2BAA2B,GAAG,kBAAkB,CAAC;AAoBvD,MAAM,UAAU,SAAS,CAAC,IAAuB;IAC/C,kEAAkE;IAClE,oEAAoE;IACpE,oEAAoE;IACpE,mDAAmD;IACnD,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,2BAA2B,EAAE,CAAC;QAC5C,OAAO,wBAAwB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACjD,CAAC;IAED,IAAI,IAAwB,CAAC;IAC7B,IAAI,IAAI,GAAG,KAAK,CAAC;IACjB,IAAI,YAAsC,CAAC;IAC3C,IAAI,gBAAoC,CAAC;IACzC,IAAI,QAA4B,CAAC;IACjC,IAAI,mCAAuD,CAAC;IAC5D,IAAI,IAAwB,CAAC;IAC7B,IAAI,IAAI,GAAG,KAAK,CAAC;IACjB,IAAI,OAAO,GAAG,KAAK,CAAC;IAEpB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAE,CAAC;QACrB,QAAQ,GAAG,EAAE,CAAC;YACZ,KAAK,IAAI,CAAC;YACV,KAAK,QAAQ;gBACX,IAAI,GAAG,IAAI,CAAC;gBACZ,CAAC,EAAE,CAAC;gBACJ,MAAM;YACR,KAAK,IAAI,CAAC;YACV,KAAK,WAAW;gBACd,OAAO,GAAG,IAAI,CAAC;gBACf,CAAC,EAAE,CAAC;gBACJ,MAAM;YACR,KAAK,QAAQ;gBACX,IAAI,GAAG,IAAI,CAAC;gBACZ,CAAC,EAAE,CAAC;gBACJ,MAAM;YACR,KAAK,UAAU,CAAC;YAChB,KAAK,iBAAiB,CAAC,CAAC,CAAC;gBACvB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,GAAG,GAAG,mBAAmB,CAAC,CAAC;gBACjE,IAAI,CAAE,aAAmC,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;oBAC1D,OAAO,KAAK,CAAC,2BAA2B,KAAK,aAAa,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACzF,CAAC;gBACD,YAAY,GAAG,KAAqB,CAAC;gBACrC,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,cAAc,CAAC,CAAC,CAAC;gBACpB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAA
C;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,gDAAgD,CAAC,CAAC;gBACxF,MAAM,CAAC,GAAG,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACrC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBACjC,OAAO,KAAK,CAAC,qDAAqD,KAAK,IAAI,CAAC,CAAC;gBAC/E,CAAC;gBACD,gBAAgB,GAAG,CAAC,CAAC;gBACrB,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,aAAa,CAAC,CAAC,CAAC;gBACnB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,8BAA8B,CAAC,CAAC;gBACtE,QAAQ,GAAG,KAAK,CAAC;gBACjB,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,sCAAsC,CAAC,CAAC,CAAC;gBAC5C,6DAA6D;gBAC7D,+DAA+D;gBAC/D,0DAA0D;gBAC1D,2DAA2D;gBAC3D,+DAA+D;gBAC/D,8DAA8D;gBAC9D,8CAA8C;gBAC9C,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;oBACxB,OAAO,KAAK,CAAC,uEAAuE,CAAC,CAAC;gBACxF,CAAC;gBACD,mCAAmC,GAAG,KAAK,CAAC;gBAC5C,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,SAAS,CAAC,CAAC,CAAC;gBACf,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,0BAA0B,CAAC,CAAC;gBAClE,IAAI,GAAG,KAAK,CAAC;gBACb,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD;gBACE,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;oBAAE,OAAO,KAAK,CAAC,iBAAiB,GAAG,EAAE,CAAC,CAAC;gBAC9D,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;oBACvB,OAAO,KAAK,CACV,sDAAsD,GAAG,aAAa,IAAI,IAAI,CAC/E,CAAC;gBACJ,CAAC;gBACD,IAAI,GAAG,GAAG,CAAC;gBACX,CAAC,EAAE,CAAC;gBACJ,MAAM;QACV,CAAC;IACH,CAAC;IAED,IAAI,IAAI;QAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IACxC,IAAI,OAAO;QAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IAC9C,IAAI,IAAI,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAE9D,OAAO;QACL,IAAI,EAAE,QAAQ;QACd,IAAI;QACJ,IAAI;QACJ,GAAG,CAAC,YAAY,KAAK,SAAS,IAAI,EAAE,YAAY,EAAE,CAAC;QACnD,GAAG,CAAC,gBAAgB,KAAK,SAAS,IAAI,EAAE,gBAAgB,EAAE,CAAC;QAC3D,GAAG,CAAC,QAAQ,KAAK,SAAS,IAAI,EAAE,QAAQ,EAAE,CAAC;QAC3C,GAAG,CAAC,mCAAmC,KAAK,SAAS,IAAI;YACvD,mCAAmC;SACpC,CAAC;QACF,GAAG,CAAC,IAAI,KAAK,SAAS,IAAI,EAAE,IAAI,EAAE,CAAC;KACpC,CAAC;AACJ,CAAC;AAED,SAAS,KAAK,
CAAC,OAAe;IAC5B,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC;AAC5D,CAAC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,SAAS,wBAAwB,CAAC,IAAuB;IACvD,IAAI,IAAwB,CAAC;IAC7B,IAAI,QAA4B,CAAC;IACjC,IAAI,oBAAqD,CAAC;IAC1D,IAAI,mBAAuC,CAAC;IAC5C,IAAI,IAAI,GAAG,KAAK,CAAC;IACjB,IAAI,IAAI,GAAG,KAAK,CAAC;IAEjB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC;QACvB,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAE,CAAC;QACrB,QAAQ,GAAG,EAAE,CAAC;YACZ,KAAK,IAAI,CAAC;YACV,KAAK,QAAQ;gBACX,IAAI,GAAG,IAAI,CAAC;gBACZ,CAAC,EAAE,CAAC;gBACJ,MAAM;YACR,KAAK,QAAQ;gBACX,IAAI,GAAG,IAAI,CAAC;gBACZ,CAAC,EAAE,CAAC;gBACJ,MAAM;YACR,KAAK,YAAY,CAAC,CAAC,CAAC;gBAClB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,mDAAmD,CAAC,CAAC;gBAC3F,QAAQ,GAAG,KAAK,CAAC;gBACjB,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,UAAU,CAAC;YAChB,KAAK,iBAAiB,CAAC,CAAC,CAAC;gBACvB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,GAAG,GAAG,mBAAmB,CAAC,CAAC;gBACjE,IAAI,CAAC,qBAAqB,CAAC,KAAK,CAAC,EAAE,CAAC;oBAClC,OAAO,KAAK,CACV,2BAA2B,KAAK,aAAa,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CACtF,CAAC;gBACJ,CAAC;gBACD,oBAAoB,GAAG,KAAK,CAAC;gBAC7B,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD,KAAK,gBAAgB,CAAC,CAAC,CAAC;gBACtB,MAAM,KAAK,GAAG,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;gBAC1B,IAAI,KAAK,KAAK,SAAS;oBAAE,OAAO,KAAK,CAAC,qCAAqC,CAAC,CAAC;gBAC7E,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;oBACrC,OAAO,KAAK,CAAC,uEAAuE,CAAC,CAAC;gBACxF,CAAC;gBACD,mBAAmB,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC;gBAC1C,CAAC,IAAI,CAAC,CAAC;gBACP,MAAM;YACR,CAAC;YACD;gBACE,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC;oBAAE,OAAO,KAAK,CAAC,iBAAiB,GAAG,EAAE,CAAC,CAAC;gBAC9D,IAAI,IAAI,KAAK,SAAS,EAAE,CAAC;oBACvB,OAAO,KAAK,CACV,2DAA2D,GAAG,aAAa,IAAI,IAAI,CACpF,CAAC;gBACJ,CAAC;gBACD,IAAI,GAAG,GAAG,CAAC;gBACX,CAAC,EAAE,CAAC;gBACJ,MAAM;QACV,CAAC;IACH,CAAC;IAED,IAAI,IAAI;QAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IACxC,IAAI,IAAI,KAAK,SAAS;QAAE,OAAO
|
package/dist/index.d.ts
CHANGED
|
@@ -9,9 +9,9 @@
|
|
|
9
9
|
* "tpm" | "android_keystore" | "webauthn", ... }` verifies end-to-end
|
|
10
10
|
* through this package instead of returning the permissive-floor
|
|
11
11
|
* verifier's `adapter not yet shipped` sentinel. The deprecated
|
|
12
|
-
* `play_integrity`
|
|
13
|
-
*
|
|
14
|
-
*
|
|
12
|
+
* `play_integrity` adapter was removed 2026-05-03 — credentials
|
|
13
|
+
* carrying that platform hit the canonical dispatcher's fail-closed
|
|
14
|
+
* "verifier not wired" branch.
|
|
15
15
|
*
|
|
16
16
|
* Programmatic use:
|
|
17
17
|
*
|
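Review bot: The rewritten lines 12-14 of this header comment say that `play_integrity` credentials now reach the fail-closed "verifier not wired" branch, but they do not tell a programmatic caller what to do about it. Since this is the package's public type entry point, name the exact reason value the result carries so callers can match on it, and say which supported platform issuers should move to. The hard-coded date (2026-05-03) is better kept in the changelog than in an API doc comment, where it goes stale.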
package/dist/index.js
CHANGED
|
@@ -9,9 +9,9 @@
|
|
|
9
9
|
* "tpm" | "android_keystore" | "webauthn", ... }` verifies end-to-end
|
|
10
10
|
* through this package instead of returning the permissive-floor
|
|
11
11
|
* verifier's `adapter not yet shipped` sentinel. The deprecated
|
|
12
|
-
* `play_integrity`
|
|
13
|
-
*
|
|
14
|
-
*
|
|
12
|
+
* `play_integrity` adapter was removed 2026-05-03 — credentials
|
|
13
|
+
* carrying that platform hit the canonical dispatcher's fail-closed
|
|
14
|
+
* "verifier not wired" branch.
|
|
15
15
|
*
|
|
16
16
|
* Programmatic use:
|
|
17
17
|
*
|
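Review bot: In this copy of the comment the two sentinels are written differently: `adapter not yet shipped` on line 11 is in backticks, while "verifier not wired" on line 14 is in plain quotes, so a reader cannot tell whether the second is a literal string returned by the dispatcher or a paraphrase. Use one convention for both in the source comment that index.js and index.d.ts are generated from, and if the second is a literal, quote it exactly as returned.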
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@motebit/verify",
|
|
3
|
-
"version": "1.
|
|
4
|
-
"description": "The canonical `motebit-verify` command-line tool — verifies any signed motebit artifact offline, with every hardware-attestation platform bundled (Apple App Attest, Android Hardware-Backed Keystore Attestation, TPM 2.0, WebAuthn
|
|
3
|
+
"version": "1.3.0",
|
|
4
|
+
"description": "The canonical `motebit-verify` command-line tool — verifies any signed motebit artifact offline, with every hardware-attestation platform bundled (Apple App Attest, Android Hardware-Backed Keystore Attestation, TPM 2.0, WebAuthn). One install, no network, self-attesting. Replaces the deprecated @motebit/verify@0.x zero-dep library: library primitives now live in @motebit/crypto; file-reading + formatting helpers in @motebit/verifier; this package is the binary.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"main": "./dist/index.js",
|
|
7
7
|
"types": "./dist/index.d.ts",
|
|
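Review bot: The `"version": "1.3.0"` line makes this a minor release, yet per the index.d.ts comment this version removes the `play_integrity` adapter and credentials carrying that platform now fail closed. Consumers on a caret range take this update automatically, so the behaviour change should be called out prominently in the release notes, or the removal held for a major version. Separately, the new description string carries migration history for the 0.x library; that reads better in the README than in registry metadata.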
@@ -36,7 +36,6 @@
|
|
|
36
36
|
"tpm",
|
|
37
37
|
"webauthn",
|
|
38
38
|
"ed25519",
|
|
39
|
-
"play-integrity",
|
|
40
39
|
"attestation"
|
|
41
40
|
],
|
|
42
41
|
"homepage": "https://github.com/motebit/motebit/tree/main/packages/verify#readme",
|
|
@@ -52,13 +51,14 @@
|
|
|
52
51
|
"access": "public"
|
|
53
52
|
},
|
|
54
53
|
"dependencies": {
|
|
55
|
-
"@motebit/crypto": "1.
|
|
56
|
-
"@motebit/crypto-android-keystore": "1.1.
|
|
57
|
-
"@motebit/crypto-
|
|
58
|
-
"@motebit/crypto-
|
|
59
|
-
"@motebit/crypto-
|
|
60
|
-
"@motebit/
|
|
61
|
-
"@motebit/
|
|
54
|
+
"@motebit/crypto": "1.3.0",
|
|
55
|
+
"@motebit/crypto-android-keystore": "1.1.3",
|
|
56
|
+
"@motebit/crypto-tpm": "1.1.4",
|
|
57
|
+
"@motebit/crypto-webauthn": "1.0.5",
|
|
58
|
+
"@motebit/crypto-appattest": "1.0.5",
|
|
59
|
+
"@motebit/protocol": "1.3.0",
|
|
60
|
+
"@motebit/state-export-client": "0.2.0",
|
|
61
|
+
"@motebit/verifier": "1.1.2"
|
|
62
62
|
},
|
|
63
63
|
"devDependencies": {
|
|
64
64
|
"@noble/curves": "^1.9.0",
|
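Review bot: The dependency block grows from seven entries to eight, and on the new side `"@motebit/state-export-client": "0.2.0"` stands out: it is the only pre-1.0 package in the list and its name suggests a client, while the description in this same file promises "One install, no network". Please confirm that nothing reachable from this package performs network I/O through it, ideally with a test that runs the CLI with networking disabled. The exact version pins on every `@motebit/*` entry are the right choice for a verifier and should stay.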