@passportsign/core 0.1.0 → 0.2.0

package/dist/badge.d.ts

@@ -17,6 +17,11 @@ export interface BadgeInput {
     bound_at: string;
     /** Rekor entry UUID for the `<title>` tooltip. */
     log_entry_hash?: string;
+    /**
+     * Binding state (spec §4 color logic). Defaults to `'active'` so
+     * v0-era callers (static badges) are unchanged.
+     */
+    state?: 'active' | 'stale' | 'revoked';
 }
 /**
  * Render the badge SVG. The output is intentionally a string (not a

package/dist/badge.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"badge.d.ts","sourceRoot":"","sources":["../src/badge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,MAAM,WAAW,UAAU;IACzB,eAAe,EAAE,MAAM,CAAC;IACxB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,kDAAkD;IAClD,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AA6BD;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CA0CxD;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE;IACzC,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GAAG,MAAM,CAKT"}
+{"version":3,"file":"badge.d.ts","sourceRoot":"","sources":["../src/badge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,MAAM,WAAW,UAAU;IACzB,eAAe,EAAE,MAAM,CAAC;IACxB,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,kDAAkD;IAClD,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;OAGG;IACH,KAAK,CAAC,EAAE,QAAQ,GAAG,OAAO,GAAG,SAAS,CAAC;CACxC;AAkCD;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CA2CxD;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE;IACzC,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,MAAM,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB,GAAG,MAAM,CAKT"}

package/dist/badge.js

@@ -12,6 +12,11 @@
  * trick used by shields.io for crisper text rendering.
  */
 const LABEL = 'passportsign';
+const STATE_COLORS = {
+    active: '#4c1',
+    stale: '#dfb317',
+    revoked: '#e05d44',
+};
 const CHAR_WIDTH_PX = 7; // Approx Verdana 11pt character width
 const SIDE_PADDING_PX = 8;
 function escapeXml(s) {
@@ -42,8 +47,9 @@ function dateStringFor(isoTimestamp) {
  * `writeFileSync`.
  */
 export function renderBadgeSvg(input) {
+    const state = input.state ?? 'active';
     const date = dateStringFor(input.bound_at);
-    const valueParts = ['verified human'];
+    const valueParts = [state === 'revoked' ? 'revoked' : 'verified human'];
     if (input.issuing_country)
         valueParts.push(input.issuing_country);
     valueParts.push(date);
@@ -69,7 +75,7 @@ export function renderBadgeSvg(input) {
         `<clipPath id="r"><rect width="${totalW}" height="20" rx="3" fill="#fff"/></clipPath>`,
         `<g clip-path="url(#r)">`,
         `<rect width="${labelW}" height="20" fill="#555"/>`,
-        `<rect x="${labelW}" width="${valueW}" height="20" fill="#4c1"/>`,
+        `<rect x="${labelW}" width="${valueW}" height="20" fill="${STATE_COLORS[state]}"/>`,
         `<rect width="${totalW}" height="20" fill="url(#s)"/>`,
         `</g>`,
         `<g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110">`,

package/dist/badge.js.map

@@ -1 +1 @@
-{"version":3,"file":"badge.js","sourceRoot":"","sources":["../src/badge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAUH,MAAM,KAAK,GAAG,cAAc,CAAC;AAC7B,MAAM,aAAa,GAAG,CAAC,CAAC,CAAQ,sCAAsC;AACtE,MAAM,eAAe,GAAG,CAAC,CAAC;AAE1B,SAAS,SAAS,CAAC,CAAS;IAC1B,OAAO,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC,EAAE,EAAE;QACjC,QAAQ,CAAC,EAAE,CAAC;YACV,KAAK,GAAG,CAAC,CAAC,OAAO,MAAM,CAAC;YACxB,KAAK,GAAG,CAAC,CAAC,OAAO,MAAM,CAAC;YACxB,KAAK,GAAG,CAAC,CAAC,OAAO,OAAO,CAAC;YACzB,KAAK,GAAG,CAAC,CAAC,OAAO,QAAQ,CAAC;YAC1B,KAAK,GAAG,CAAC,CAAC,OAAO,QAAQ,CAAC;YAC1B,OAAO,CAAC,CAAC,OAAO,CAAC,CAAC;QACpB,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,aAAa,CAAC,YAAoB;IACzC,sCAAsC;IACtC,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC;IACjC,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;QAAE,OAAO,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAChE,MAAM,CAAC,GAAG,CAAC,CAAC,cAAc,EAAE,CAAC;IAC7B,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACvD,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACpD,OAAO,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,EAAE,CAAC;AAC5B,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,KAAiB;IAC9C,MAAM,IAAI,GAAG,aAAa,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAC3C,MAAM,UAAU,GAAG,CAAC,gBAAgB,CAAC,CAAC;IACtC,IAAI,KAAK,CAAC,eAAe;QAAE,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;IAClE,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtB,MAAM,SAAS,GAAG,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,eAAe;IAEzD,MAAM,QAAQ,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IAClC,MAAM,QAAQ,GAAG,SAAS,CAAC,SAAS,CAAC,CAAC;IAEtC,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,GAAG,aAAa,GAAG,CAAC,GAAG,eAAe,CAAC;IAClE,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,GAAG,aAAa,GAAG,CAAC,GAAG,eAAe,CAAC;IACtE,MAAM,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;IAE/B,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,CAAC,CAAU,sCAAsC;IAC7E,MAAM,SAAS,GAAG,CAAC,MAAM,GAAG,MAAM,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;IAC7C,MAAM,SAAS,GAAG,GAAG,QAAQ,KAAK,QAAQ,EAAE,CAAC;IAC7C,MAAM,YAAY,GAAG,KAAK,CAAC,cAAc;QACvC,CAAC,CAAC,iBAAiB,SAAS,CAAC,KAAK,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI;QACnE,CAAC,CAAC,EAAE,CAAC;IAEP,OAAO;QACL,kDAAkD,MAAM,wCAAwC,SAAS,IAAI;QAC7G,UAAU,SAAS,GAAG,YAAY,UAAU;QAC5C,0CAA0C;QAC1C,wDAAwD;QACxD,sCAAsC;QACtC,mBAAmB;QACnB,iCAAiC,MAAM,+CAA+C;QACtF,yBAAyB;QACzB,gBAAgB,MAAM,6BAA6B;QACnD,YAAY,MAAM,YAAY,MAAM,6BAA6B;QACjE,gBAAgB,MAAM,gCAAgC;QACtD,MAAM;QACN,8IAA8I;QAC9I,YAAY,SAAS,oEAAoE,QAAQ,SAAS;QAC1G,YAAY,SAAS,mCAAmC,QAAQ,SAAS;QACzE,YAAY,SAAS,oEAAoE,QAAQ,SAAS;QAC1G,YAAY,SAAS,mCAAmC,QAAQ,SAAS;QACzE,MAAM;QACN,QAAQ;KACT,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAKnC;IACC,MAAM,IAAI,GAAG,KAAK,CAAC,cAAc,IAAI,4BAA4B,CAAC;IAClE,MAAM,GAAG,GAAG,GAAG,IAAI,uBAAuB,KAAK,CAAC,cAAc,EAAE,CAAC;IACjE,MAAM,GAAG,GAAG,KAAK,CAAC,QAAQ,IAAI,uBAAuB,CAAC;IACtD,OAAO,MAAM,GAAG,KAAK,KAAK,CAAC,UAAU,MAAM,GAAG,GAAG,CAAC;AACpD,CAAC"}
+{"version":3,"file":"badge.js","sourceRoot":"","sources":["../src/badge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAeH,MAAM,KAAK,GAAG,cAAc,CAAC;AAC7B,MAAM,YAAY,GAAG;IACnB,MAAM,EAAE,MAAM;IACd,KAAK,EAAE,SAAS;IAChB,OAAO,EAAE,SAAS;CACV,CAAC;AACX,MAAM,aAAa,GAAG,CAAC,CAAC,CAAQ,sCAAsC;AACtE,MAAM,eAAe,GAAG,CAAC,CAAC;AAE1B,SAAS,SAAS,CAAC,CAAS;IAC1B,OAAO,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC,EAAE,EAAE;QACjC,QAAQ,CAAC,EAAE,CAAC;YACV,KAAK,GAAG,CAAC,CAAC,OAAO,MAAM,CAAC;YACxB,KAAK,GAAG,CAAC,CAAC,OAAO,MAAM,CAAC;YACxB,KAAK,GAAG,CAAC,CAAC,OAAO,OAAO,CAAC;YACzB,KAAK,GAAG,CAAC,CAAC,OAAO,QAAQ,CAAC;YAC1B,KAAK,GAAG,CAAC,CAAC,OAAO,QAAQ,CAAC;YAC1B,OAAO,CAAC,CAAC,OAAO,CAAC,CAAC;QACpB,CAAC;IACH,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,aAAa,CAAC,YAAoB;IACzC,sCAAsC;IACtC,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,YAAY,CAAC,CAAC;IACjC,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;QAAE,OAAO,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAChE,MAAM,CAAC,GAAG,CAAC,CAAC,cAAc,EAAE,CAAC;IAC7B,MAAM,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACvD,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IACpD,OAAO,GAAG,CAAC,IAAI,CAAC,IAAI,GAAG,EAAE,CAAC;AAC5B,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,KAAiB;IAC9C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,IAAI,QAAQ,CAAC;IACtC,MAAM,IAAI,GAAG,aAAa,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;IAC3C,MAAM,UAAU,GAAG,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,gBAAgB,CAAC,CAAC;IACxE,IAAI,KAAK,CAAC,eAAe;QAAE,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,CAAC;IAClE,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACtB,MAAM,SAAS,GAAG,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,eAAe;IAEzD,MAAM,QAAQ,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;IAClC,MAAM,QAAQ,GAAG,SAAS,CAAC,SAAS,CAAC,CAAC;IAEtC,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,GAAG,aAAa,GAAG,CAAC,GAAG,eAAe,CAAC;IAClE,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,GAAG,aAAa,GAAG,CAAC,GAAG,eAAe,CAAC;IACtE,MAAM,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;IAE/B,MAAM,SAAS,GAAG,MAAM,GAAG,CAAC,CAAC,CAAU,sCAAsC;IAC7E,MAAM,SAAS,GAAG,CAAC,MAAM,GAAG,MAAM,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC;IAC7C,MAAM,SAAS,GAAG,GAAG,QAAQ,KAAK,QAAQ,EAAE,CAAC;IAC7C,MAAM,YAAY,GAAG,KAAK,CAAC,cAAc;QACvC,CAAC,CAAC,iBAAiB,SAAS,CAAC,KAAK,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI;QACnE,CAAC,CAAC,EAAE,CAAC;IAEP,OAAO;QACL,kDAAkD,MAAM,wCAAwC,SAAS,IAAI;QAC7G,UAAU,SAAS,GAAG,YAAY,UAAU;QAC5C,0CAA0C;QAC1C,wDAAwD;QACxD,sCAAsC;QACtC,mBAAmB;QACnB,iCAAiC,MAAM,+CAA+C;QACtF,yBAAyB;QACzB,gBAAgB,MAAM,6BAA6B;QACnD,YAAY,MAAM,YAAY,MAAM,uBAAuB,YAAY,CAAC,KAAK,CAAC,KAAK;QACnF,gBAAgB,MAAM,gCAAgC;QACtD,MAAM;QACN,8IAA8I;QAC9I,YAAY,SAAS,oEAAoE,QAAQ,SAAS;QAC1G,YAAY,SAAS,mCAAmC,QAAQ,SAAS;QACzE,YAAY,SAAS,oEAAoE,QAAQ,SAAS;QAC1G,YAAY,SAAS,mCAAmC,QAAQ,SAAS;QACzE,MAAM;QACN,QAAQ;KACT,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;AACb,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,KAKnC;IACC,MAAM,IAAI,GAAG,KAAK,CAAC,cAAc,IAAI,4BAA4B,CAAC;IAClE,MAAM,GAAG,GAAG,GAAG,IAAI,uBAAuB,KAAK,CAAC,cAAc,EAAE,CAAC;IACjE,MAAM,GAAG,GAAG,KAAK,CAAC,QAAQ,IAAI,uBAAuB,CAAC;IACtD,OAAO,MAAM,GAAG,KAAK,KAAK,CAAC,UAAU,MAAM,GAAG,GAAG,CAAC;AACpD,CAAC"}

package/dist/bind.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bind.d.ts","sourceRoot":"","sources":["../src/bind.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAMH,OAAO,EAAE,gBAAgB,EAAE,KAAK,YAAY,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAkB,KAAK,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AAE5E,MAAM,WAAW,mBAAmB;IAClC,eAAe,EAAE,MAAM,CAAC;IACxB,mFAAmF;IACnF,cAAc,EAAE,MAAM,CAAC;IACvB,mFAAmF;IACnF,iBAAiB,EAAE,MAAM,CAAC;IAC1B,mFAAmF;IACnF,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,kFAAkF;IAClF,KAAK,EAAE,MAAM,CAAC;IACd,0EAA0E;IAC1E,KAAK,EAAE,MAAM,CAAC;IACd,sEAAsE;IACtE,sBAAsB,EAAE,MAAM,CAAC;IAC/B,uFAAuF;IACvF,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,kBAAkB;IACjC,mEAAmE;IACnE,QAAQ,EAAE,IAAI,CAAC;IACf,gFAAgF;IAChF,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,kBAAkB;IACjC,8DAA8D;IAC9D,MAAM,CAAC,EAAE,OAAO,gBAAgB,CAAC;IACjC,4CAA4C;IAC5C,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,qBAAqB,CAAC;IACjC,mBAAmB,EAAE,UAAU,CAAC;IAChC,oBAAoB,EAAE,MAAM,CAAC;IAC7B,cAAc,EAAE,MAAM,CAAC;IACvB,qBAAqB,EAAE,MAAM,CAAC;IAC9B,IAAI,EAAE,YAAY,CAAC;CACpB;AAYD;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,mBAAmB,EAC1B,IAAI,EAAE,kBAAkB,EACxB,IAAI,GAAE,kBAAuB,GAC5B,OAAO,CAAC,eAAe,CAAC,CAqD1B"}
+{"version":3,"file":"bind.d.ts","sourceRoot":"","sources":["../src/bind.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAKH,OAAO,EAAE,gBAAgB,EAAE,KAAK,YAAY,EAAE,MAAM,aAAa,CAAC;AAClE,OAAO,EAAkB,KAAK,qBAAqB,EAAE,MAAM,gBAAgB,CAAC;AAE5E,MAAM,WAAW,mBAAmB;IAClC,eAAe,EAAE,MAAM,CAAC;IACxB,mFAAmF;IACnF,cAAc,EAAE,MAAM,CAAC;IACvB,mFAAmF;IACnF,iBAAiB,EAAE,MAAM,CAAC;IAC1B,mFAAmF;IACnF,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,kFAAkF;IAClF,KAAK,EAAE,MAAM,CAAC;IACd,0EAA0E;IAC1E,KAAK,EAAE,MAAM,CAAC;IACd,sEAAsE;IACtE,sBAAsB,EAAE,MAAM,CAAC;IAC/B,uFAAuF;IACvF,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,kBAAkB;IACjC,mEAAmE;IACnE,QAAQ,EAAE,IAAI,CAAC;IACf,gFAAgF;IAChF,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,kBAAkB;IACjC,8DAA8D;IAC9D,MAAM,CAAC,EAAE,OAAO,gBAAgB,CAAC;IACjC,4CAA4C;IAC5C,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,qBAAqB,CAAC;IACjC,mBAAmB,EAAE,UAAU,CAAC;IAChC,oBAAoB,EAAE,MAAM,CAAC;IAC7B,cAAc,EAAE,MAAM,CAAC;IACvB,qBAAqB,EAAE,MAAM,CAAC;IAC9B,IAAI,EAAE,YAAY,CAAC;CACpB;AAID;;;;;;GAMG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,mBAAmB,EAC1B,IAAI,EAAE,kBAAkB,EACxB,IAAI,GAAE,kBAAuB,GAC5B,OAAO,CAAC,eAAe,CAAC,CAqD1B"}

package/dist/bind.js

@@ -11,18 +11,12 @@
  * command is the producer of that data (it drives the SDK + UI),
  * keeping this module pure and unit-testable without the SDK.
  */
-import { createHash } from 'node:crypto';
 import { canonicalize, canonicalSha256Hex } from './canonical.js';
+import { base64ToBytes, sha256Hex } from './encoding.js';
 import { PassportsignError } from './errors.js';
 import { checkGistControl } from './github.js';
 import { buildStatement } from './statement.js';
 const DEFAULT_GIST_FILENAME = 'passportsign.txt';
-function decodeBase64(b64) {
-    return new Uint8Array(Buffer.from(b64, 'base64'));
-}
-function sha256Hex(bytes) {
-    return createHash('sha256').update(bytes).digest('hex');
-}
 /**
  * Run the GitHub gist control check, then build the in-toto statement and
  * compute canonical bytes + hashes for the Rekor handoff.
@@ -44,7 +38,7 @@ export async function prepareBinding(input, init, deps = {}) {
     // 2. Derive proof_blob sha256 from the base64 input.
     let proofBytes;
     try {
-        proofBytes = decodeBase64(input.proof_blob_b64);
+        proofBytes = base64ToBytes(input.proof_blob_b64);
     }
     catch (err) {
         throw new PassportsignError('proof_invalid', `proof_blob_b64 is not valid base64`, err);

package/dist/bind.js.map

@@ -1 +1 @@
-{"version":3,"file":"bind.js","sourceRoot":"","sources":["../src/bind.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,YAAY,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EAAE,gBAAgB,EAAqB,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,cAAc,EAA8B,MAAM,gBAAgB,CAAC;AA2C5E,MAAM,qBAAqB,GAAG,kBAAkB,CAAC;AAEjD,SAAS,YAAY,CAAC,GAAW;IAC/B,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,CAAC;AACpD,CAAC;AAED,SAAS,SAAS,CAAC,KAAiB;IAClC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,KAA0B,EAC1B,IAAwB,EACxB,OAA2B,EAAE;IAE7B,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,IAAI,gBAAgB,CAAC;IAEnD,0EAA0E;IAC1E,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC;QAC5B,QAAQ,EAAE,KAAK,CAAC,eAAe;QAC/B,iBAAiB,EAAE,IAAI,CAAC,YAAY,IAAI,qBAAqB;QAC7D,gBAAgB,EAAE,KAAK,CAAC,KAAK;QAC7B,UAAU,EAAE,IAAI,CAAC,QAAQ;QACzB,GAAG,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5D,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC7C,CAAC,CAAC;IAEH,qDAAqD;IACrD,IAAI,UAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,UAAU,GAAG,YAAY,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;IAClD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,iBAAiB,CACzB,eAAe,EACf,oCAAoC,EACpC,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,iBAAiB,CAAC,eAAe,EAAE,sCAAsC,CAAC,CAAC;IACvF,CAAC;IACD,MAAM,qBAAqB,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;IAEpD,wEAAwE;IACxE,MAAM,SAAS,GAAG,cAAc,CAAC;QAC/B,eAAe,EAAE,KAAK,CAAC,eAAe;QACtC,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;QAC1C,eAAe,EAAE,KAAK,CAAC,eAAe;QACtC,iBAAiB,EAAE,qBAAqB;QACxC,QAAQ,EAAE,IAAI,CAAC,GAAG;QAClB,mBAAmB,EAAE,IAAI,CAAC,cAAc;QACxC,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,sBAAsB,EAAE,KAAK,CAAC,sBAAsB;KACrD,CAAC,CAAC;IAEH,mDAAmD;IACnD,MAAM,mBAAmB,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;IACpD,MAAM,oBAAoB,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;IAE3D,OAAO;QACL,SAAS;QACT,mBAAmB;QACnB,oBAAoB;QACpB,cAAc,EAAE,KAAK,CAAC,cAAc;QACpC,qBAAqB;QACrB,IAAI;KACL,CAAC;AACJ,CAAC"}
+{"version":3,"file":"bind.js","sourceRoot":"","sources":["../src/bind.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,YAAY,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAClE,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AACzD,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EAAE,gBAAgB,EAAqB,MAAM,aAAa,CAAC;AAClE,OAAO,EAAE,cAAc,EAA8B,MAAM,gBAAgB,CAAC;AA2C5E,MAAM,qBAAqB,GAAG,kBAAkB,CAAC;AAEjD;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,KAA0B,EAC1B,IAAwB,EACxB,OAA2B,EAAE;IAE7B,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,IAAI,gBAAgB,CAAC;IAEnD,0EAA0E;IAC1E,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC;QAC5B,QAAQ,EAAE,KAAK,CAAC,eAAe;QAC/B,iBAAiB,EAAE,IAAI,CAAC,YAAY,IAAI,qBAAqB;QAC7D,gBAAgB,EAAE,KAAK,CAAC,KAAK;QAC7B,UAAU,EAAE,IAAI,CAAC,QAAQ;QACzB,GAAG,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5D,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC7C,CAAC,CAAC;IAEH,qDAAqD;IACrD,IAAI,UAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,UAAU,GAAG,aAAa,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;IACnD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,iBAAiB,CACzB,eAAe,EACf,oCAAoC,EACpC,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,iBAAiB,CAAC,eAAe,EAAE,sCAAsC,CAAC,CAAC;IACvF,CAAC;IACD,MAAM,qBAAqB,GAAG,SAAS,CAAC,UAAU,CAAC,CAAC;IAEpD,wEAAwE;IACxE,MAAM,SAAS,GAAG,cAAc,CAAC;QAC/B,eAAe,EAAE,KAAK,CAAC,eAAe;QACtC,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;QAC1C,eAAe,EAAE,KAAK,CAAC,eAAe;QACtC,iBAAiB,EAAE,qBAAqB;QACxC,QAAQ,EAAE,IAAI,CAAC,GAAG;QAClB,mBAAmB,EAAE,IAAI,CAAC,cAAc;QACxC,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,sBAAsB,EAAE,KAAK,CAAC,sBAAsB;KACrD,CAAC,CAAC;IAEH,mDAAmD;IACnD,MAAM,mBAAmB,GAAG,YAAY,CAAC,SAAS,CAAC,CAAC;IACpD,MAAM,oBAAoB,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAC;IAE3D,OAAO;QACL,SAAS;QACT,mBAAmB;QACnB,oBAAoB;QACpB,cAAc,EAAE,KAAK,CAAC,cAAc;QACpC,qBAAqB;QACrB,IAAI;KACL,CAAC;AACJ,CAAC"}

package/dist/bundle-fs.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Node-only file I/O for `binding.passportsign.json` bundles. Kept out
+ * of `bundle.ts` so the validation logic stays runtime-neutral (the
+ * `./web` subpath exports validation but not these).
+ */
+import { type PassportsignBundle } from './bundle.js';
+/**
+ * Read and validate a `binding.passportsign.json` file. Throws on
+ * invalid JSON or schema violations.
+ */
+export declare function readBundle(path: string): PassportsignBundle;
+/**
+ * Validate and write a `binding.passportsign.json` file (pretty-printed).
+ */
+export declare function writeBundle(path: string, bundle: PassportsignBundle): void;
+//# sourceMappingURL=bundle-fs.d.ts.map

package/dist/bundle-fs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bundle-fs.d.ts","sourceRoot":"","sources":["../src/bundle-fs.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,OAAO,EAGL,KAAK,kBAAkB,EACxB,MAAM,aAAa,CAAC;AAErB;;;GAGG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,kBAAkB,CAa3D;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,kBAAkB,GAAG,IAAI,CAG1E"}

package/dist/bundle-fs.js

@@ -0,0 +1,31 @@
+/**
+ * Node-only file I/O for `binding.passportsign.json` bundles. Kept out
+ * of `bundle.ts` so the validation logic stays runtime-neutral (the
+ * `./web` subpath exports validation but not these).
+ */
+import { readFileSync, writeFileSync } from 'node:fs';
+import { BundleValidationError, validateBundle, } from './bundle.js';
+/**
+ * Read and validate a `binding.passportsign.json` file. Throws on
+ * invalid JSON or schema violations.
+ */
+export function readBundle(path) {
+    const raw = readFileSync(path, 'utf8');
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch (err) {
+        throw new BundleValidationError('$', `invalid JSON: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    validateBundle(parsed);
+    return parsed;
+}
+/**
+ * Validate and write a `binding.passportsign.json` file (pretty-printed).
+ */
+export function writeBundle(path, bundle) {
+    validateBundle(bundle);
+    writeFileSync(path, JSON.stringify(bundle, null, 2) + '\n', 'utf8');
+}
+//# sourceMappingURL=bundle-fs.js.map

package/dist/bundle-fs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bundle-fs.js","sourceRoot":"","sources":["../src/bundle-fs.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAEtD,OAAO,EACL,qBAAqB,EACrB,cAAc,GAEf,MAAM,aAAa,CAAC;AAErB;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,IAAY;IACrC,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACvC,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,qBAAqB,CAC7B,GAAG,EACH,iBAAiB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACpE,CAAC;IACJ,CAAC;IACD,cAAc,CAAC,MAAM,CAAC,CAAC;IACvB,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,IAAY,EAAE,MAA0B;IAClE,cAAc,CAAC,MAAM,CAAC,CAAC;IACvB,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;AACtE,CAAC"}

package/dist/bundle.d.ts

@@ -12,6 +12,7 @@
  * shape gets pinned in Day 5 after we've smoke-tested the public Sigstore
  * Rekor response format.
  */
+import { type RekorEntryResponse } from './log/rekor.js';
 export declare const BUNDLE_FORMAT_VERSION: 1;
 export interface RekorBundleFields {
     log_entry_hash: string;
@@ -36,12 +37,19 @@ export declare class BundleValidationError extends Error {
  */
 export declare function validateBundle(value: unknown): asserts value is PassportsignBundle;
 /**
- * Read and validate a `binding.passportsign.json` file. Throws on
- * invalid JSON or schema violations.
+ * What bundle assembly needs from a prepared statement — satisfied by
+ * both `PreparedBinding` and `PreparedRevocation`. The statement kind
+ * doesn't matter; Rekor sees canonical bytes either way.
  */
-export declare function readBundle(path: string): PassportsignBundle;
+export interface SubmittableStatement {
+    statement_canonical: Uint8Array;
+    proof_blob_b64: string;
+}
 /**
- * Validate and write a `binding.passportsign.json` file (pretty-printed).
+ * Assemble (and validate) the portable bundle from a prepared
+ * statement and the Rekor entry it produced. Pure — used by the node
+ * `submitBinding` path and by runtimes that sign with
+ * `signEnvelopeWeb` and submit through the Rekor client themselves.
  */
-export declare function writeBundle(path: string, bundle: PassportsignBundle): void;
+export declare function assembleBundle(prepared: SubmittableStatement, rekorEntry: RekorEntryResponse): PassportsignBundle;
 //# sourceMappingURL=bundle.d.ts.map

package/dist/bundle.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bundle.d.ts","sourceRoot":"","sources":["../src/bundle.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH,eAAO,MAAM,qBAAqB,EAAG,CAAU,CAAC;AAEhD,MAAM,WAAW,iBAAiB;IAChC,cAAc,EAAE,MAAM,CAAC;IACvB,eAAe,EAAE,OAAO,CAAC;IACzB,sBAAsB,EAAE,MAAM,CAAC;CAChC;AAED,MAAM,WAAW,kBAAkB;IACjC,qBAAqB,EAAE,OAAO,qBAAqB,CAAC;IACpD,gEAAgE;IAChE,SAAS,EAAE,MAAM,CAAC;IAClB,4CAA4C;IAC5C,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,iBAAiB,CAAC;CAC1B;AAOD,qBAAa,qBAAsB,SAAQ,KAAK;IAE5C,QAAQ,CAAC,IAAI,EAAE,MAAM;gBAAZ,IAAI,EAAE,MAAM,EACrB,OAAO,EAAE,MAAM;CAKlB;AAUD;;;GAGG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,KAAK,IAAI,kBAAkB,CAsClF;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,kBAAkB,CAa3D;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,kBAAkB,GAAG,IAAI,CAG1E"}
+{"version":3,"file":"bundle.d.ts","sourceRoot":"","sources":["../src/bundle.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,EAAE,KAAK,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAEzD,eAAO,MAAM,qBAAqB,EAAG,CAAU,CAAC;AAEhD,MAAM,WAAW,iBAAiB;IAChC,cAAc,EAAE,MAAM,CAAC;IACvB,eAAe,EAAE,OAAO,CAAC;IACzB,sBAAsB,EAAE,MAAM,CAAC;CAChC;AAED,MAAM,WAAW,kBAAkB;IACjC,qBAAqB,EAAE,OAAO,qBAAqB,CAAC;IACpD,gEAAgE;IAChE,SAAS,EAAE,MAAM,CAAC;IAClB,4CAA4C;IAC5C,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,iBAAiB,CAAC;CAC1B;AAOD,qBAAa,qBAAsB,SAAQ,KAAK;IAE5C,QAAQ,CAAC,IAAI,EAAE,MAAM;gBAAZ,IAAI,EAAE,MAAM,EACrB,OAAO,EAAE,MAAM;CAKlB;AAUD;;;GAGG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,KAAK,IAAI,kBAAkB,CAsClF;AAKD;;;;GAIG;AACH,MAAM,WAAW,oBAAoB;IACnC,mBAAmB,EAAE,UAAU,CAAC;IAChC,cAAc,EAAE,MAAM,CAAC;CACxB;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,oBAAoB,EAC9B,UAAU,EAAE,kBAAkB,GAC7B,kBAAkB,CAapB"}

package/dist/bundle.js

@@ -12,7 +12,8 @@
  * shape gets pinned in Day 5 after we've smoke-tested the public Sigstore
  * Rekor response format.
  */
-import { readFileSync, writeFileSync } from 'node:fs';
+import { bytesToHex } from './encoding.js';
+import {} from './log/rekor.js';
 export const BUNDLE_FORMAT_VERSION = 1;
 const HEX_EVEN = /^(?:[0-9a-f]{2})+$/;
 // Standard base64: A-Z, a-z, 0-9, +, /, with 0-2 trailing '=' for padding.
@@ -70,26 +71,23 @@ export function validateBundle(value) {
     }
 }
 /**
- * Read and validate a `binding.passportsign.json` file. Throws on
- * invalid JSON or schema violations.
+ * Assemble (and validate) the portable bundle from a prepared
+ * statement and the Rekor entry it produced. Pure — used by the node
+ * `submitBinding` path and by runtimes that sign with
+ * `signEnvelopeWeb` and submit through the Rekor client themselves.
  */
-export function readBundle(path) {
-    const raw = readFileSync(path, 'utf8');
-    let parsed;
-    try {
-        parsed = JSON.parse(raw);
-    }
-    catch (err) {
-        throw new BundleValidationError('$', `invalid JSON: ${err instanceof Error ? err.message : String(err)}`);
-    }
-    validateBundle(parsed);
-    return parsed;
-}
-/**
- * Validate and write a `binding.passportsign.json` file (pretty-printed).
- */
-export function writeBundle(path, bundle) {
+export function assembleBundle(prepared, rekorEntry) {
+    const bundle = {
+        bundle_format_version: BUNDLE_FORMAT_VERSION,
+        statement: bytesToHex(prepared.statement_canonical),
+        proof_blob: prepared.proof_blob_b64,
+        rekor: {
+            log_entry_hash: rekorEntry.uuid,
+            inclusion_proof: rekorEntry.verification.inclusionProof,
+            log_root_at_submission: rekorEntry.verification.inclusionProof.rootHash,
+        },
+    };
     validateBundle(bundle);
-    writeFileSync(path, JSON.stringify(bundle, null, 2) + '\n', 'utf8');
+    return bundle;
 }
 //# sourceMappingURL=bundle.js.map

package/dist/bundle.js.map

@@ -1 +1 @@
-{"version":3,"file":"bundle.js","sourceRoot":"","sources":["../src/bundle.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAEtD,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAU,CAAC;AAiBhD,MAAM,QAAQ,GAAG,oBAAoB,CAAC;AACtC,2EAA2E;AAC3E,gCAAgC;AAChC,MAAM,MAAM,GAAG,kEAAkE,CAAC;AAElF,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IAEnC;IADX,YACW,IAAY,EACrB,OAAe;QAEf,KAAK,CAAC,GAAG,IAAI,KAAK,OAAO,EAAE,CAAC,CAAC;QAHpB,SAAI,GAAJ,IAAI,CAAQ;QAIrB,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;IACtC,CAAC;CACF;AAED,SAAS,IAAI,CAAC,IAAY,EAAE,OAAe;IACzC,MAAM,IAAI,qBAAqB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AACjD,CAAC;AAED,SAAS,QAAQ,CAAC,CAAU;IAC1B,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;AAClE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,KAAc;IAC3C,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,IAAI,CAAC,GAAG,EAAE,8BAA8B,CAAC,CAAC;IAEhE,IAAI,KAAK,CAAC,uBAAuB,CAAC,KAAK,qBAAqB,EAAE,CAAC;QAC7D,IAAI,CACF,yBAAyB,EACzB,YAAY,qBAAqB,SAAS,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC,EAAE,CAC3F,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,KAAK,CAAC,WAAW,CAAC,CAAC;IACrC,IAAI,OAAO,SAAS,KAAK,QAAQ;QAAE,IAAI,CAAC,aAAa,EAAE,kBAAkB,CAAC,CAAC;IAC3E,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,IAAI,CAAC,aAAa,EAAE,yDAAyD,CAAC,CAAC;IACjF,CAAC;IAED,MAAM,SAAS,GAAG,KAAK,CAAC,YAAY,CAAC,CAAC;IACtC,IAAI,OAAO,SAAS,KAAK,QAAQ;QAAE,IAAI,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;IAC5E,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QAC5B,IAAI,CAAC,cAAc,EAAE,0DAA0D,CAAC,CAAC;IACnF,CAAC;IAED,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;IAC7B,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,IAAI,CAAC,SAAS,EAAE,mBAAmB,CAAC,CAAC;IAE3D,MAAM,YAAY,GAAG,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAC7C,IAAI,OAAO,YAAY,KAAK,QAAQ,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClE,IAAI,CAAC,wBAAwB,EAAE,4BAA4B,CAAC,CAAC;IAC/D,CAAC;IAED,IAAI,CAAC,CAAC,iBAAiB,IAAI,KAAK,CAAC,EAAE,CAAC;QAClC,IAAI,CAAC,yBAAyB,EAAE,qCAAqC,CAAC,CAAC;IACzE,CAAC;IAED,MAAM,mBAAmB,GAAG,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC5D,IAAI,OAAO,mBAAmB,KAAK,QAAQ,IAAI,mBAAmB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChF,IAAI,CAAC,gCAAgC,EAAE,4BAA4B,CAAC,CAAC;IACvE,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,IAAY;IACrC,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACvC,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,qBAAqB,CAC7B,GAAG,EACH,iBAAiB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACpE,CAAC;IACJ,CAAC;IACD,cAAc,CAAC,MAAM,CAAC,CAAC;IACvB,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,IAAY,EAAE,MAA0B;IAClE,cAAc,CAAC,MAAM,CAAC,CAAC;IACvB,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;AACtE,CAAC"}
+{"version":3,"file":"bundle.js","sourceRoot":"","sources":["../src/bundle.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAC3C,OAAO,EAA2B,MAAM,gBAAgB,CAAC;AAEzD,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAU,CAAC;AAiBhD,MAAM,QAAQ,GAAG,oBAAoB,CAAC;AACtC,2EAA2E;AAC3E,gCAAgC;AAChC,MAAM,MAAM,GAAG,kEAAkE,CAAC;AAElF,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IAEnC;IADX,YACW,IAAY,EACrB,OAAe;QAEf,KAAK,CAAC,GAAG,IAAI,KAAK,OAAO,EAAE,CAAC,CAAC;QAHpB,SAAI,GAAJ,IAAI,CAAQ;QAIrB,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;IACtC,CAAC;CACF;AAED,SAAS,IAAI,CAAC,IAAY,EAAE,OAAe;IACzC,MAAM,IAAI,qBAAqB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AACjD,CAAC;AAED,SAAS,QAAQ,CAAC,CAAU;IAC1B,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;AAClE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,KAAc;IAC3C,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,IAAI,CAAC,GAAG,EAAE,8BAA8B,CAAC,CAAC;IAEhE,IAAI,KAAK,CAAC,uBAAuB,CAAC,KAAK,qBAAqB,EAAE,CAAC;QAC7D,IAAI,CACF,yBAAyB,EACzB,YAAY,qBAAqB,SAAS,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC,EAAE,CAC3F,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,KAAK,CAAC,WAAW,CAAC,CAAC;IACrC,IAAI,OAAO,SAAS,KAAK,QAAQ;QAAE,IAAI,CAAC,aAAa,EAAE,kBAAkB,CAAC,CAAC;IAC3E,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,IAAI,CAAC,aAAa,EAAE,yDAAyD,CAAC,CAAC;IACjF,CAAC;IAED,MAAM,SAAS,GAAG,KAAK,CAAC,YAAY,CAAC,CAAC;IACtC,IAAI,OAAO,SAAS,KAAK,QAAQ;QAAE,IAAI,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;IAC5E,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QAC5B,IAAI,CAAC,cAAc,EAAE,0DAA0D,CAAC,CAAC;IACnF,CAAC;IAED,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;IAC7B,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,IAAI,CAAC,SAAS,EAAE,mBAAmB,CAAC,CAAC;IAE3D,MAAM,YAAY,GAAG,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAC7C,IAAI,OAAO,YAAY,KAAK,QAAQ,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClE,IAAI,CAAC,wBAAwB,EAAE,4BAA4B,CAAC,CAAC;IAC/D,CAAC;IAED,IAAI,CAAC,CAAC,iBAAiB,IAAI,KAAK,CAAC,EAAE,CAAC;QAClC,IAAI,CAAC,yBAAyB,EAAE,qCAAqC,CAAC,CAAC;IACzE,CAAC;IAED,MAAM,mBAAmB,GAAG,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC5D,IAAI,OAAO,mBAAmB,KAAK,QAAQ,IAAI,mBAAmB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChF,IAAI,CAAC,gCAAgC,EAAE,4BAA4B,CAAC,CAAC;IACvE,CAAC;AACH,CAAC;AAeD;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAC5B,QAA8B,EAC9B,UAA8B;IAE9B,MAAM,MAAM,GAAuB;QACjC,qBAAqB,EAAE,qBAAqB;QAC5C,SAAS,EAAE,UAAU,CAAC,QAAQ,CAAC,mBAAmB,CAAC;QACnD,UAAU,EAAE,QAAQ,CAAC,cAAc;QACnC,KAAK,EAAE;YACL,cAAc,EAAE,UAAU,CAAC,IAAI;YAC/B,eAAe,EAAE,UAAU,CAAC,YAAY,CAAC,cAAc;YACvD,sBAAsB,EAAE,UAAU,CAAC,YAAY,CAAC,cAAc,CAAC,QAAQ;SACxE;KACF,CAAC;IACF,cAAc,CAAC,MAAM,CAAC,CAAC;IACvB,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/canonical.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"canonical.d.ts","sourceRoot":"","sources":["../src/canonical.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;GAWG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,OAAO,GAAG,UAAU,CAQvD;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAGzD"}
+{"version":3,"file":"canonical.d.ts","sourceRoot":"","sources":["../src/canonical.ts"],"names":[],"mappings":"AAIA;;;;;;;;;;;GAWG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,OAAO,GAAG,UAAU,CAQvD;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAEzD"}

package/dist/canonical.js

@@ -1,5 +1,5 @@
 import canonify from '@truestamp/canonify';
-import { createHash } from 'node:crypto';
+import { sha256Hex, utf8ToBytes } from './encoding.js';
 /**
  * RFC 8785 JCS-canonical UTF-8 bytes for a JSON-serializable value.
  *
@@ -17,14 +17,13 @@ export function canonicalize(value) {
     if (canonical === undefined) {
         throw new TypeError('canonicalize: value cannot be JCS-canonicalized (undefined / cycle / non-JSON)');
     }
-    return new TextEncoder().encode(canonical);
+    return utf8ToBytes(canonical);
 }
 /**
  * Lowercase-hex SHA-256 of `canonicalize(value)`. Used to derive the
  * Rekor entry hash for the in-toto statement.
  */
 export function canonicalSha256Hex(value) {
-    const bytes = canonicalize(value);
-    return createHash('sha256').update(bytes).digest('hex');
+    return sha256Hex(canonicalize(value));
 }
 //# sourceMappingURL=canonical.js.map

package/dist/canonical.js.map

@@ -1 +1 @@
-{"version":3,"file":"canonical.js","sourceRoot":"","sources":["../src/canonical.ts"],"names":[],"mappings":"AAAA,OAAO,QAAQ,MAAM,qBAAqB,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,YAAY,CAAC,KAAc;IACzC,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC5B,MAAM,IAAI,SAAS,CACjB,gFAAgF,CACjF,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAC7C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAc;IAC/C,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAClC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC"}
+{"version":3,"file":"canonical.js","sourceRoot":"","sources":["../src/canonical.ts"],"names":[],"mappings":"AAAA,OAAO,QAAQ,MAAM,qBAAqB,CAAC;AAE3C,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAEvD;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,YAAY,CAAC,KAAc;IACzC,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC5B,MAAM,IAAI,SAAS,CACjB,gFAAgF,CACjF,CAAC;IACJ,CAAC;IACD,OAAO,WAAW,CAAC,SAAS,CAAC,CAAC;AAChC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAc;IAC/C,OAAO,SAAS,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC;AACxC,CAAC"}

package/dist/classify.d.ts

@@ -0,0 +1,68 @@
+/**
+ * Parse Rekor in-toto entries back into statements and classify
+ * binding state (active / stale / revoked).
+ *
+ * This is the read-side counterpart of `statement.ts`/`submit.ts`:
+ * the `list` command and the badge service both consume entries the
+ * profile index points at, and neither may trust the index — every
+ * entry is integrity-checked against the hash Rekor recorded.
+ *
+ * Staleness (spec §10 row 1): a binding moves to `stale` 12 months
+ * after its Rekor inclusion time. `integratedTime` is authoritative;
+ * user-supplied dates in the index are display-only.
+ */
+import { type RekorEntryResponse } from './log/rekor.js';
+import { IN_TOTO_STATEMENT_TYPE } from './statement.js';
+/** Spec §10 row 1: bindings move to `stale` after 12 months. */
+export declare const STALENESS_WINDOW_MS: number;
+export declare class EntryParseError extends Error {
+    constructor(message: string);
+}
+/** Generic in-toto Statement v1 shape (predicate left untyped — callers narrow). */
+export interface InTotoStatement {
+    _type: typeof IN_TOTO_STATEMENT_TYPE;
+    subject: Array<{
+        name: string;
+        digest: Record<string, string>;
+    }>;
+    predicateType: string;
+    predicate: unknown;
+}
+export interface ParsedIntotoEntry {
+    uuid: string;
+    /** Unix seconds — Rekor's authoritative inclusion time. */
+    integratedTime: number;
+    predicateType: string;
+    statement: InTotoStatement;
+}
+/**
+ * Decode a Rekor in-toto entry's stored attestation back into its
+ * statement, verifying the attestation bytes hash to the
+ * `payloadHash` Rekor recorded in the entry body. The hash check is
+ * what lets consumers trust an entry fetched via an untrusted index.
+ */
+export declare function parseIntotoEntry(entry: RekorEntryResponse): ParsedIntotoEntry;
+export type BindingState = 'active' | 'stale' | 'revoked';
+export interface ClassifiedBinding {
+    entry: ParsedIntotoEntry;
+    state: BindingState;
+    /** UUID of the revocation entry that caused `revoked`, when applicable. */
+    revokedBy?: string;
+}
+export interface ClassifyBindingsInput {
+    bindings: ParsedIntotoEntry[];
+    revocations: ParsedIntotoEntry[];
+    /** Epoch milliseconds; defaults to the current time. */
+    now?: number;
+}
+/**
+ * Classify each binding:
+ * - `revoked` if a revocation entry (predicateType `…#revocation`)
+ *   carries the same `unique_identifier` and either targets this
+ *   binding's UUID via `revokes_rekor_entry_hash` or has no target
+ *   (revokes all bindings under that identifier);
+ * - else `stale` if older than {@link STALENESS_WINDOW_MS};
+ * - else `active`.
+ */
+export declare function classifyBindings(input: ClassifyBindingsInput): ClassifiedBinding[];
+//# sourceMappingURL=classify.d.ts.map

package/dist/classify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"classify.d.ts","sourceRoot":"","sources":["../src/classify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAE,KAAK,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AACzD,OAAO,EACL,sBAAsB,EAEvB,MAAM,gBAAgB,CAAC;AAExB,gEAAgE;AAChE,eAAO,MAAM,mBAAmB,QAA4B,CAAC;AAE7D,qBAAa,eAAgB,SAAQ,KAAK;gBAC5B,OAAO,EAAE,MAAM;CAI5B;AAED,oFAAoF;AACpF,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,OAAO,sBAAsB,CAAC;IACrC,OAAO,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;KAAE,CAAC,CAAC;IACjE,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,2DAA2D;IAC3D,cAAc,EAAE,MAAM,CAAC;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,eAAe,CAAC;CAC5B;AAMD;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,kBAAkB,GAAG,iBAAiB,CAkD7E;AAED,MAAM,MAAM,YAAY,GAAG,QAAQ,GAAG,OAAO,GAAG,SAAS,CAAC;AAE1D,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,iBAAiB,CAAC;IACzB,KAAK,EAAE,YAAY,CAAC;IACpB,2EAA2E;IAC3E,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,iBAAiB,EAAE,CAAC;IAC9B,WAAW,EAAE,iBAAiB,EAAE,CAAC;IACjC,wDAAwD;IACxD,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AASD;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,qBAAqB,GAAG,iBAAiB,EAAE,CAuBlF"}

package/dist/classify.js

@@ -0,0 +1,117 @@
+/**
+ * Parse Rekor in-toto entries back into statements and classify
+ * binding state (active / stale / revoked).
+ *
+ * This is the read-side counterpart of `statement.ts`/`submit.ts`:
+ * the `list` command and the badge service both consume entries the
+ * profile index points at, and neither may trust the index — every
+ * entry is integrity-checked against the hash Rekor recorded.
+ *
+ * Staleness (spec §10 row 1): a binding moves to `stale` 12 months
+ * after its Rekor inclusion time. `integratedTime` is authoritative;
+ * user-supplied dates in the index are display-only.
+ */
+import { base64ToBytes, bytesToUtf8, sha256Hex } from './encoding.js';
+import {} from './log/rekor.js';
+import { IN_TOTO_STATEMENT_TYPE, PASSPORTSIGN_REVOCATION_PREDICATE_TYPE, } from './statement.js';
+/** Spec §10 row 1: bindings move to `stale` after 12 months. */
+export const STALENESS_WINDOW_MS = 365 * 24 * 60 * 60 * 1000;
+export class EntryParseError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = 'EntryParseError';
+    }
+}
+function fail(message) {
+    throw new EntryParseError(message);
+}
+/**
+ * Decode a Rekor in-toto entry's stored attestation back into its
+ * statement, verifying the attestation bytes hash to the
+ * `payloadHash` Rekor recorded in the entry body. The hash check is
+ * what lets consumers trust an entry fetched via an untrusted index.
+ */
+export function parseIntotoEntry(entry) {
+    const data = entry.attestation?.data;
+    if (typeof data !== 'string' || data.length === 0) {
+        fail(`entry ${entry.uuid}: no stored attestation`);
+    }
+    const decoded = (() => {
+        try {
+            return {
+                attestationBytes: base64ToBytes(data),
+                bodyObj: JSON.parse(bytesToUtf8(base64ToBytes(entry.body))),
+            };
+        }
+        catch {
+            fail(`entry ${entry.uuid}: attestation/body is not base64 JSON`);
+        }
+    })();
+    const { attestationBytes, bodyObj } = decoded;
+    const payloadHash = bodyObj?.spec?.content?.payloadHash;
+    if (payloadHash?.algorithm !== 'sha256' || typeof payloadHash.value !== 'string') {
+        fail(`entry ${entry.uuid}: body has no sha256 payloadHash`);
+    }
+    const computed = sha256Hex(attestationBytes);
+    if (computed !== payloadHash.value) {
+        fail(`entry ${entry.uuid}: attestation hash mismatch (computed ${computed}, recorded ${payloadHash.value})`);
+    }
+    let statement;
+    try {
+        statement = JSON.parse(bytesToUtf8(attestationBytes));
+    }
+    catch {
+        fail(`entry ${entry.uuid}: attestation is not JSON`);
+    }
+    const s = statement;
+    if (s?._type !== IN_TOTO_STATEMENT_TYPE ||
+        !Array.isArray(s.subject) ||
+        typeof s.predicateType !== 'string') {
+        fail(`entry ${entry.uuid}: attestation is not an in-toto Statement v1`);
+    }
+    return {
+        uuid: entry.uuid,
+        integratedTime: entry.integratedTime,
+        predicateType: s.predicateType,
+        statement: s,
+    };
+}
+function predicateField(entry, field) {
+    const predicate = entry.statement.predicate;
+    if (typeof predicate !== 'object' || predicate === null)
+        return undefined;
+    const value = predicate[field];
+    return typeof value === 'string' ? value : undefined;
+}
+/**
+ * Classify each binding:
+ * - `revoked` if a revocation entry (predicateType `…#revocation`)
+ *   carries the same `unique_identifier` and either targets this
+ *   binding's UUID via `revokes_rekor_entry_hash` or has no target
+ *   (revokes all bindings under that identifier);
+ * - else `stale` if older than {@link STALENESS_WINDOW_MS};
+ * - else `active`.
+ */
+export function classifyBindings(input) {
+    const now = input.now ?? Date.now();
+    // Exact match, not endsWith — a foreign predicateType that happens to
+    // end in #revocation must never revoke a binding.
+    const revocations = input.revocations.filter((r) => r.predicateType === PASSPORTSIGN_REVOCATION_PREDICATE_TYPE);
+    return input.bindings.map((entry) => {
+        const uid = predicateField(entry, 'unique_identifier');
+        const revokedBy = revocations.find((r) => {
+            if (predicateField(r, 'unique_identifier') !== uid || uid === undefined)
+                return false;
+            const target = predicateField(r, 'revokes_rekor_entry_hash');
+            return target === undefined || target === entry.uuid;
+        });
+        if (revokedBy) {
+            return { entry, state: 'revoked', revokedBy: revokedBy.uuid };
+        }
+        if (now - entry.integratedTime * 1000 > STALENESS_WINDOW_MS) {
+            return { entry, state: 'stale' };
+        }
+        return { entry, state: 'active' };
+    });
+}
+//# sourceMappingURL=classify.js.map

package/dist/classify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"classify.js","sourceRoot":"","sources":["../src/classify.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AACtE,OAAO,EAA2B,MAAM,gBAAgB,CAAC;AACzD,OAAO,EACL,sBAAsB,EACtB,sCAAsC,GACvC,MAAM,gBAAgB,CAAC;AAExB,gEAAgE;AAChE,MAAM,CAAC,MAAM,mBAAmB,GAAG,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAE7D,MAAM,OAAO,eAAgB,SAAQ,KAAK;IACxC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AAkBD,SAAS,IAAI,CAAC,OAAe;IAC3B,MAAM,IAAI,eAAe,CAAC,OAAO,CAAC,CAAC;AACrC,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAAyB;IACxD,MAAM,IAAI,GAAG,KAAK,CAAC,WAAW,EAAE,IAAI,CAAC;IACrC,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClD,IAAI,CAAC,SAAS,KAAK,CAAC,IAAI,yBAAyB,CAAC,CAAC;IACrD,CAAC;IACD,MAAM,OAAO,GAAG,CAAC,GAAG,EAAE;QACpB,IAAI,CAAC;YACH,OAAO;gBACL,gBAAgB,EAAE,aAAa,CAAC,IAAI,CAAC;gBACrC,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,aAAa,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAY;aACvE,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,IAAI,CAAC,SAAS,KAAK,CAAC,IAAI,uCAAuC,CAAC,CAAC;QACnE,CAAC;IACH,CAAC,CAAC,EAAE,CAAC;IACL,MAAM,EAAE,gBAAgB,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC;IAC9C,MAAM,WAAW,GACf,OACD,EAAE,IAAI,EAAE,OAAO,EAAE,WAAW,CAAC;IAC9B,IAAI,WAAW,EAAE,SAAS,KAAK,QAAQ,IAAI,OAAO,WAAW,CAAC,KAAK,KAAK,QAAQ,EAAE,CAAC;QACjF,IAAI,CAAC,SAAS,KAAK,CAAC,IAAI,kCAAkC,CAAC,CAAC;IAC9D,CAAC;IACD,MAAM,QAAQ,GAAG,SAAS,CAAC,gBAAgB,CAAC,CAAC;IAC7C,IAAI,QAAQ,KAAK,WAAW,CAAC,KAAK,EAAE,CAAC;QACnC,IAAI,CACF,SAAS,KAAK,CAAC,IAAI,yCAAyC,QAAQ,cAAc,WAAW,CAAC,KAAK,GAAG,CACvG,CAAC;IACJ,CAAC;IAED,IAAI,SAAkB,CAAC;IACvB,IAAI,CAAC;QACH,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,gBAAgB,CAAC,CAAC,CAAC;IACxD,CAAC;IAAC,MAAM,CAAC;QACP,IAAI,CAAC,SAAS,KAAK,CAAC,IAAI,2BAA2B,CAAC,CAAC;IACvD,CAAC;IACD,MAAM,CAAC,GAAG,SAAqC,CAAC;IAChD,IACE,CAAC,EAAE,KAAK,KAAK,sBAAsB;QACnC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC;QACzB,OAAO,CAAC,CAAC,aAAa,KAAK,QAAQ,EACnC,CAAC;QACD,IAAI,CAAC,SAAS,KAAK,CAAC,IAAI,8CAA8C,CAAC,CAAC;IAC1E,CAAC;IAED,OAAO;QACL,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,cAAc,EAAE,KAAK,CAAC,cAAc;QACpC,aAAa,EAAE,CAAC,CAAC,aAAa;QAC9B,SAAS,EAAE,CAAoB;KAChC,CAAC;AACJ,CAAC;AAkBD,SAAS,cAAc,CAAC,KAAwB,EAAE,KAAa;IAC7D,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,SAAS,CAAC;IAC5C,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,KAAK,IAAI;QAAE,OAAO,SAAS,CAAC;IAC1E,MAAM,KAAK,GAAI,SAAqC,CAAC,KAAK,CAAC,CAAC;IAC5D,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC;AACvD,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,gBAAgB,CAAC,KAA4B;IAC3D,MAAM,GAAG,GAAG,KAAK,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,EAAE,CAAC;IACpC,sEAAsE;IACtE,kDAAkD;IAClD,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,CAAC,MAAM,CAC1C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,aAAa,KAAK,sCAAsC,CAClE,CAAC;IAEF,OAAO,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE;QAClC,MAAM,GAAG,GAAG,cAAc,CAAC,KAAK,EAAE,mBAAmB,CAAC,CAAC;QACvD,MAAM,SAAS,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;YACvC,IAAI,cAAc,CAAC,CAAC,EAAE,mBAAmB,CAAC,KAAK,GAAG,IAAI,GAAG,KAAK,SAAS;gBAAE,OAAO,KAAK,CAAC;YACtF,MAAM,MAAM,GAAG,cAAc,CAAC,CAAC,EAAE,0BAA0B,CAAC,CAAC;YAC7D,OAAO,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,KAAK,CAAC,IAAI,CAAC;QACvD,CAAC,CAAC,CAAC;QACH,IAAI,SAAS,EAAE,CAAC;YACd,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC,IAAI,EAAE,CAAC;QAChE,CAAC;QACD,IAAI,GAAG,GAAG,KAAK,CAAC,cAAc,GAAG,IAAI,GAAG,mBAAmB,EAAE,CAAC;YAC5D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;QACnC,CAAC;QACD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;IACpC,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/dsse-common.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Runtime-neutral DSSE pieces shared by the node signer (`dsse.ts`)
+ * and the WebCrypto signer (`dsse-web.ts`): the envelope shape and the
+ * Pre-Authentication Encoding.
+ */
+export declare const DSSE_VERSION = "DSSEv1";
+export declare const IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json";
+export interface DsseSignature {
+    /** Single-base64 of the raw signature bytes. */
+    sig: string;
+    /** PEM-encoded SubjectPublicKeyInfo. */
+    publicKey: string;
+    /** Optional key identifier. Omit (don't pass empty string) when not set. */
+    keyid?: string;
+}
+export interface DsseEnvelope {
+    /** Media type of the payload (e.g. `application/vnd.in-toto+json`). */
+    payloadType: string;
+    /** Single-base64 of the raw payload bytes. */
+    payload: string;
+    signatures: DsseSignature[];
+}
+/**
+ * DSSE Pre-Authentication Encoding (PAE):
+ *
+ *   "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body
+ *
+ * Where SP is a single 0x20 space, LEN is the ASCII-decimal length of
+ * the following byte string.
+ */
+export declare function pae(type: string, body: Uint8Array): Uint8Array;
+//# sourceMappingURL=dsse-common.d.ts.map

package/dist/dsse-common.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dsse-common.d.ts","sourceRoot":"","sources":["../src/dsse-common.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAIH,eAAO,MAAM,YAAY,WAAW,CAAC;AACrC,eAAO,MAAM,oBAAoB,iCAAiC,CAAC;AAEnE,MAAM,WAAW,aAAa;IAC5B,gDAAgD;IAChD,GAAG,EAAE,MAAM,CAAC;IACZ,wCAAwC;IACxC,SAAS,EAAE,MAAM,CAAC;IAClB,4EAA4E;IAC5E,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,YAAY;IAC3B,uEAAuE;IACvE,WAAW,EAAE,MAAM,CAAC;IACpB,8CAA8C;IAC9C,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,aAAa,EAAE,CAAC;CAC7B;AAED;;;;;;;GAOG;AACH,wBAAgB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,UAAU,CAQ9D"}

package/dist/dsse-common.js

@@ -0,0 +1,26 @@
+/**
+ * Runtime-neutral DSSE pieces shared by the node signer (`dsse.ts`)
+ * and the WebCrypto signer (`dsse-web.ts`): the envelope shape and the
+ * Pre-Authentication Encoding.
+ */
+import { utf8ToBytes } from './encoding.js';
+export const DSSE_VERSION = 'DSSEv1';
+export const IN_TOTO_PAYLOAD_TYPE = 'application/vnd.in-toto+json';
+/**
+ * DSSE Pre-Authentication Encoding (PAE):
+ *
+ *   "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body
+ *
+ * Where SP is a single 0x20 space, LEN is the ASCII-decimal length of
+ * the following byte string.
+ */
+export function pae(type, body) {
+    const typeBytes = utf8ToBytes(type);
+    const prefix = `${DSSE_VERSION} ${typeBytes.length} ${type} ${body.length} `;
+    const prefixBytes = utf8ToBytes(prefix);
+    const out = new Uint8Array(prefixBytes.length + body.length);
+    out.set(prefixBytes);
+    out.set(body, prefixBytes.length);
+    return out;
+}
+//# sourceMappingURL=dsse-common.js.map

package/dist/dsse-common.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dsse-common.js","sourceRoot":"","sources":["../src/dsse-common.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAE5C,MAAM,CAAC,MAAM,YAAY,GAAG,QAAQ,CAAC;AACrC,MAAM,CAAC,MAAM,oBAAoB,GAAG,8BAA8B,CAAC;AAmBnE;;;;;;;GAOG;AACH,MAAM,UAAU,GAAG,CAAC,IAAY,EAAE,IAAgB;IAChD,MAAM,SAAS,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC;IACpC,MAAM,MAAM,GAAG,GAAG,YAAY,IAAI,SAAS,CAAC,MAAM,IAAI,IAAI,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;IAC7E,MAAM,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC;IACxC,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,WAAW,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC7D,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACrB,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IAClC,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/dsse-web.d.ts

@@ -0,0 +1,28 @@
+/**
+ * WebCrypto variant of the DSSE envelope signer for runtimes without
+ * `node:crypto` sign APIs (browsers, edge workers). Same semantics as
+ * `dsse.ts`'s `signEnvelope`: ephemeral ECDSA P-256 key, discarded
+ * after signing; the signature is a Rekor schema requirement, not a
+ * trust mechanism.
+ *
+ * Two impedance mismatches with what Rekor expects, both handled here:
+ * - WebCrypto emits raw P1363 (`r || s`) signatures; Rekor needs DER.
+ * - WebCrypto exports SPKI as raw bytes; Rekor needs PEM text.
+ *
+ * The drift test in `test/dsse-web.test.ts` verifies output with
+ * `node:crypto.createVerify` so the two signers cannot diverge silently.
+ */
+import { type DsseEnvelope } from './dsse-common.js';
+export interface SignEnvelopeWebResult {
+    envelope: DsseEnvelope;
+    publicKeyPem: string;
+}
+/** Convert a P1363 (r||s) ECDSA signature to DER SEQUENCE(INTEGER r, INTEGER s). */
+export declare function p1363ToDer(sig: Uint8Array): Uint8Array;
+/**
+ * Generate an ephemeral ECDSA P-256 keypair via WebCrypto, sign
+ * PAE(payloadType, payload), and return a DSSE envelope. Async because
+ * WebCrypto is; otherwise interchangeable with `signEnvelope`.
+ */
+export declare function signEnvelopeWeb(payload: Uint8Array, payloadType: string): Promise<SignEnvelopeWebResult>;
+//# sourceMappingURL=dsse-web.d.ts.map

package/dist/dsse-web.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dsse-web.d.ts","sourceRoot":"","sources":["../src/dsse-web.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,EAAO,KAAK,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAE1D,MAAM,WAAW,qBAAqB;IACpC,QAAQ,EAAE,YAAY,CAAC;IACvB,YAAY,EAAE,MAAM,CAAC;CACtB;AAeD,oFAAoF;AACpF,wBAAgB,UAAU,CAAC,GAAG,EAAE,UAAU,GAAG,UAAU,CAoBtD;AAQD;;;;GAIG;AACH,wBAAsB,eAAe,CACnC,OAAO,EAAE,UAAU,EACnB,WAAW,EAAE,MAAM,GAClB,OAAO,CAAC,qBAAqB,CAAC,CAuBhC"}