@passportsign/core 0.1.0 → 0.2.0

package/dist/statement.js

@@ -7,14 +7,22 @@
  * `test/fixtures/canonical-vectors.json` pin the canonicalization
  * output for representative statements built here.
  */
+import { sha256Hex, utf8ToBytes } from './encoding.js';
 export const IN_TOTO_STATEMENT_TYPE = 'https://in-toto.io/Statement/v1';
 export const PASSPORTSIGN_PREDICATE_TYPE = 'https://passportsign.dev/personhood/v1';
+export const PASSPORTSIGN_REVOCATION_PREDICATE_TYPE = 'https://passportsign.dev/personhood/v1#revocation';
 const SHA256_HEX = /^[0-9a-f]{64}$/;
+const REKOR_UUID = /^[0-9a-f]{80}$/;
 function assertSha256Hex(value, field) {
     if (!SHA256_HEX.test(value)) {
         throw new TypeError(`${field}: expected lowercase 64-char hex SHA-256, got ${JSON.stringify(value)}`);
     }
 }
+function assertRekorUuid(value, field) {
+    if (!REKOR_UUID.test(value)) {
+        throw new TypeError(`${field}: expected 80-char lowercase hex Rekor entry UUID, got ${JSON.stringify(value)}`);
+    }
+}
 function assertNonEmpty(value, field) {
     if (value.length === 0) {
         throw new TypeError(`${field}: must be non-empty`);
@@ -64,4 +72,39 @@ export function buildStatement(input) {
         },
     };
 }
+/**
+ * Build a passportsign revocation statement (spec §7, roadmap v0.5.2).
+ *
+ * Revocation requires only a fresh proof from the same passport — there
+ * are deliberately no gist fields (no GitHub control needed; that's the
+ * recovery property). The revocation always targets one concrete
+ * binding entry; the subject digest is the sha256 of that entry's UUID
+ * string, tying the statement to the artifact it acts on.
+ */
+export function buildRevocationStatement(input) {
+    assertRekorUuid(input.revokes_rekor_entry_hash, 'revokes_rekor_entry_hash');
+    assertSha256Hex(input.proof_blob_sha256, 'proof_blob_sha256');
+    assertNonEmpty(input.github_username, 'github_username');
+    assertNonEmpty(input.unique_identifier, 'unique_identifier');
+    assertNonEmpty(input.scope, 'scope');
+    assertNonEmpty(input.zkpassport_sdk_version, 'zkpassport_sdk_version');
+    const subjectDigest = sha256Hex(utf8ToBytes(input.revokes_rekor_entry_hash));
+    return {
+        _type: IN_TOTO_STATEMENT_TYPE,
+        subject: [
+            {
+                name: `github.com/${input.github_username}`,
+                digest: { sha256: subjectDigest },
+            },
+        ],
+        predicateType: PASSPORTSIGN_REVOCATION_PREDICATE_TYPE,
+        predicate: {
+            unique_identifier: input.unique_identifier,
+            revokes_rekor_entry_hash: input.revokes_rekor_entry_hash,
+            proof_blob_sha256: input.proof_blob_sha256,
+            scope: input.scope,
+            zkpassport_sdk_version: input.zkpassport_sdk_version,
+        },
+    };
+}
 //# sourceMappingURL=statement.js.map

package/dist/statement.js.map

@@ -1 +1 @@
-{"version":3,"file":"statement.js","sourceRoot":"","sources":["../src/statement.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,CAAC,MAAM,sBAAsB,GAAG,iCAA0C,CAAC;AACjF,MAAM,CAAC,MAAM,2BAA2B,GACtC,wCAAiD,CAAC;AA4CpD,MAAM,UAAU,GAAG,gBAAgB,CAAC;AAEpC,SAAS,eAAe,CAAC,KAAa,EAAE,KAAa;IACnD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,SAAS,CACjB,GAAG,KAAK,iDAAiD,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CACjF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,KAAa,EAAE,KAAa;IAClD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,SAAS,CAAC,GAAG,KAAK,qBAAqB,CAAC,CAAC;IACrD,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,cAAc,CAAC,KAA0B;IACvD,eAAe,CAAC,KAAK,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC;IAC9D,eAAe,CAAC,KAAK,CAAC,mBAAmB,EAAE,qBAAqB,CAAC,CAAC;IAClE,cAAc,CAAC,KAAK,CAAC,eAAe,EAAE,iBAAiB,CAAC,CAAC;IACzD,cAAc,CAAC,KAAK,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC;IAC7D,cAAc,CAAC,KAAK,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IAC3C,cAAc,CAAC,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IACrC,cAAc,CAAC,KAAK,CAAC,sBAAsB,EAAE,wBAAwB,CAAC,CAAC;IAEvE,MAAM,gBAAgB,GACpB,KAAK,CAAC,eAAe,KAAK,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,oBAAoB,CAAC;IAEvE,OAAO;QACL,KAAK,EAAE,sBAAsB;QAC7B,OAAO,EAAE;YACP;gBACE,IAAI,EAAE,cAAc,KAAK,CAAC,eAAe,EAAE;gBAC3C,MAAM,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,mBAAmB,EAAE;aAC9C;SACF;QACD,aAAa,EAAE,2BAA2B;QAC1C,SAAS,EAAE;YACT,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;YAC1C,eAAe,EAAE,KAAK,CAAC,eAAe;YACtC,gBAAgB;YAChB,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;YAC1C,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,mBAAmB,EAAE,KAAK,CAAC,mBAAmB;YAC9C,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,sBAAsB,EAAE,KAAK,CAAC,sBAAsB;SACrD;KACF,CAAC;AACJ,CAAC"}
+{"version":3,"file":"statement.js","sourceRoot":"","sources":["../src/statement.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,SAAS,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAEvD,MAAM,CAAC,MAAM,sBAAsB,GAAG,iCAA0C,CAAC;AACjF,MAAM,CAAC,MAAM,2BAA2B,GACtC,wCAAiD,CAAC;AACpD,MAAM,CAAC,MAAM,sCAAsC,GACjD,mDAA4D,CAAC;AA4C/D,MAAM,UAAU,GAAG,gBAAgB,CAAC;AACpC,MAAM,UAAU,GAAG,gBAAgB,CAAC;AAEpC,SAAS,eAAe,CAAC,KAAa,EAAE,KAAa;IACnD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,SAAS,CACjB,GAAG,KAAK,iDAAiD,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CACjF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,KAAa,EAAE,KAAa;IACnD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,SAAS,CACjB,GAAG,KAAK,0DAA0D,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAC1F,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,KAAa,EAAE,KAAa;IAClD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,SAAS,CAAC,GAAG,KAAK,qBAAqB,CAAC,CAAC;IACrD,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,cAAc,CAAC,KAA0B;IACvD,eAAe,CAAC,KAAK,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC;IAC9D,eAAe,CAAC,KAAK,CAAC,mBAAmB,EAAE,qBAAqB,CAAC,CAAC;IAClE,cAAc,CAAC,KAAK,CAAC,eAAe,EAAE,iBAAiB,CAAC,CAAC;IACzD,cAAc,CAAC,KAAK,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC;IAC7D,cAAc,CAAC,KAAK,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IAC3C,cAAc,CAAC,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IACrC,cAAc,CAAC,KAAK,CAAC,sBAAsB,EAAE,wBAAwB,CAAC,CAAC;IAEvE,MAAM,gBAAgB,GACpB,KAAK,CAAC,eAAe,KAAK,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,oBAAoB,CAAC;IAEvE,OAAO;QACL,KAAK,EAAE,sBAAsB;QAC7B,OAAO,EAAE;YACP;gBACE,IAAI,EAAE,cAAc,KAAK,CAAC,eAAe,EAAE;gBAC3C,MAAM,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,mBAAmB,EAAE;aAC9C;SACF;QACD,aAAa,EAAE,2BAA2B;QAC1C,SAAS,EAAE;YACT,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;YAC1C,eAAe,EAAE,KAAK,CAAC,eAAe;YACtC,gBAAgB;YAChB,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;YAC1C,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,mBAAmB,EAAE,KAAK,CAAC,mBAAmB;YAC9C,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,sBAAsB,EAAE,KAAK,CAAC,sBAAsB;SACrD;KACF,CAAC;AACJ,CAAC;AAiCD;;;;;;;;GAQG;AACH,MAAM,UAAU,wBAAwB,CACtC,KAAoC;IAEpC,eAAe,CAAC,KAAK,CAAC,wBAAwB,EAAE,0BAA0B,CAAC,CAAC;IAC5E,eAAe,CAAC,KAAK,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC;IAC9D,cAAc,CAAC,KAAK,CAAC,eAAe,EAAE,iBAAiB,CAAC,CAAC;IACzD,cAAc,CAAC,KAAK,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC;IAC7D,cAAc,CAAC,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IACrC,cAAc,CAAC,KAAK,CAAC,sBAAsB,EAAE,wBAAwB,CAAC,CAAC;IAEvE,MAAM,aAAa,GAAG,SAAS,CAAC,WAAW,CAAC,KAAK,CAAC,wBAAwB,CAAC,CAAC,CAAC;IAE7E,OAAO;QACL,KAAK,EAAE,sBAAsB;QAC7B,OAAO,EAAE;YACP;gBACE,IAAI,EAAE,cAAc,KAAK,CAAC,eAAe,EAAE;gBAC3C,MAAM,EAAE,EAAE,MAAM,EAAE,aAAa,EAAE;aAClC;SACF;QACD,aAAa,EAAE,sCAAsC;QACrD,SAAS,EAAE;YACT,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;YAC1C,wBAAwB,EAAE,KAAK,CAAC,wBAAwB;YACxD,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;YAC1C,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,sBAAsB,EAAE,KAAK,CAAC,sBAAsB;SACrD;KACF,CAAC;AACJ,CAAC"}

package/dist/submit.d.ts

@@ -6,9 +6,9 @@
  * with a {@link RekorClient}. Day 7 calls this to turn a real-passport
  * bind into a public-log entry plus a portable bundle.
  */
-import { type PreparedBinding } from './bind.js';
-import { type PassportsignBundle } from './bundle.js';
+import { type PassportsignBundle, type SubmittableStatement } from './bundle.js';
 import { type RekorClient, type RekorEntryResponse } from './log/rekor.js';
+export { type SubmittableStatement } from './bundle.js';
 export interface SubmitBindingDeps {
     rekor: RekorClient;
 }
@@ -22,5 +22,5 @@ export interface SubmitBindingResult {
  * `PassportsignError('log_submission_failed', …)` (from the client) on
  * any Rekor failure.
  */
-export declare function submitBinding(prepared: PreparedBinding, deps: SubmitBindingDeps): Promise<SubmitBindingResult>;
+export declare function submitBinding(prepared: SubmittableStatement, deps: SubmitBindingDeps): Promise<SubmitBindingResult>;
 //# sourceMappingURL=submit.d.ts.map

package/dist/submit.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"submit.d.ts","sourceRoot":"","sources":["../src/submit.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,KAAK,eAAe,EAAE,MAAM,WAAW,CAAC;AACjD,OAAO,EAEL,KAAK,kBAAkB,EAExB,MAAM,aAAa,CAAC;AAErB,OAAO,EAAE,KAAK,WAAW,EAAE,KAAK,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAE3E,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,WAAW,CAAC;CACpB;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,kBAAkB,CAAC;IAC3B,UAAU,EAAE,kBAAkB,CAAC;CAChC;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,eAAe,EACzB,IAAI,EAAE,iBAAiB,GACtB,OAAO,CAAC,mBAAmB,CAAC,CAiB9B"}
+{"version":3,"file":"submit.d.ts","sourceRoot":"","sources":["../src/submit.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAkB,KAAK,kBAAkB,EAAE,KAAK,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAEjG,OAAO,EAAE,KAAK,WAAW,EAAE,KAAK,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAE3E,OAAO,EAAE,KAAK,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAExD,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,WAAW,CAAC;CACpB;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,kBAAkB,CAAC;IAC3B,UAAU,EAAE,kBAAkB,CAAC;CAChC;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,oBAAoB,EAC9B,IAAI,EAAE,iBAAiB,GACtB,OAAO,CAAC,mBAAmB,CAAC,CAI9B"}

package/dist/submit.js

@@ -6,10 +6,10 @@
  * with a {@link RekorClient}. Day 7 calls this to turn a real-passport
  * bind into a public-log entry plus a portable bundle.
  */
-import {} from './bind.js';
-import { BUNDLE_FORMAT_VERSION, validateBundle, } from './bundle.js';
+import { assembleBundle } from './bundle.js';
 import { IN_TOTO_PAYLOAD_TYPE, signEnvelope } from './dsse.js';
 import {} from './log/rekor.js';
+export {} from './bundle.js';
 /**
  * Sign the canonical statement bytes with an ephemeral ECDSA P-256 key,
  * submit the in-toto entry to Rekor, and assemble the bundle. Throws
@@ -19,17 +19,6 @@ import {} from './log/rekor.js';
 export async function submitBinding(prepared, deps) {
     const { envelope } = signEnvelope(prepared.statement_canonical, IN_TOTO_PAYLOAD_TYPE);
     const rekorEntry = await deps.rekor.submitIntoto(envelope);
-    const bundle = {
-        bundle_format_version: BUNDLE_FORMAT_VERSION,
-        statement: Buffer.from(prepared.statement_canonical).toString('hex'),
-        proof_blob: prepared.proof_blob_b64,
-        rekor: {
-            log_entry_hash: rekorEntry.uuid,
-            inclusion_proof: rekorEntry.verification.inclusionProof,
-            log_root_at_submission: rekorEntry.verification.inclusionProof.rootHash,
-        },
-    };
-    validateBundle(bundle);
-    return { bundle, rekorEntry };
+    return { bundle: assembleBundle(prepared, rekorEntry), rekorEntry };
 }
 //# sourceMappingURL=submit.js.map

package/dist/submit.js.map

@@ -1 +1 @@
-{"version":3,"file":"submit.js","sourceRoot":"","sources":["../src/submit.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAwB,MAAM,WAAW,CAAC;AACjD,OAAO,EACL,qBAAqB,EAErB,cAAc,GACf,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAC/D,OAAO,EAA6C,MAAM,gBAAgB,CAAC;AAW3E;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,QAAyB,EACzB,IAAuB;IAEvB,MAAM,EAAE,QAAQ,EAAE,GAAG,YAAY,CAAC,QAAQ,CAAC,mBAAmB,EAAE,oBAAoB,CAAC,CAAC;IACtF,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IAE3D,MAAM,MAAM,GAAuB;QACjC,qBAAqB,EAAE,qBAAqB;QAC5C,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;QACpE,UAAU,EAAE,QAAQ,CAAC,cAAc;QACnC,KAAK,EAAE;YACL,cAAc,EAAE,UAAU,CAAC,IAAI;YAC/B,eAAe,EAAE,UAAU,CAAC,YAAY,CAAC,cAAc;YACvD,sBAAsB,EAAE,UAAU,CAAC,YAAY,CAAC,cAAc,CAAC,QAAQ;SACxE;KACF,CAAC;IACF,cAAc,CAAC,MAAM,CAAC,CAAC;IAEvB,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;AAChC,CAAC"}
+{"version":3,"file":"submit.js","sourceRoot":"","sources":["../src/submit.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,cAAc,EAAsD,MAAM,aAAa,CAAC;AACjG,OAAO,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAC/D,OAAO,EAA6C,MAAM,gBAAgB,CAAC;AAE3E,OAAO,EAA6B,MAAM,aAAa,CAAC;AAWxD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,QAA8B,EAC9B,IAAuB;IAEvB,MAAM,EAAE,QAAQ,EAAE,GAAG,YAAY,CAAC,QAAQ,CAAC,mBAAmB,EAAE,oBAAoB,CAAC,CAAC;IACtF,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IAC3D,OAAO,EAAE,MAAM,EAAE,cAAc,CAAC,QAAQ,EAAE,UAAU,CAAC,EAAE,UAAU,EAAE,CAAC;AACtE,CAAC"}

package/dist/verifier.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../src/verifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH,OAAO,EAAE,KAAK,kBAAkB,EAAkB,MAAM,aAAa,CAAC;AACtE,OAAO,EAAE,KAAK,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAIlD,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;AAEtD,MAAM,WAAW,kBAAkB;IACjC;;;OAGG;IACH,UAAU,EAAE,WAAW,CAAC;IACxB;;;OAGG;IACH,eAAe,EAAE,WAAW,CAAC;IAC7B;;;;OAIG;IACH,gBAAgB,EAAE,WAAW,CAAC;IAC9B;;;;OAIG;IACH,SAAS,EAAE,WAAW,CAAC;IACvB;;;OAGG;IACH,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;IACrC,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,OAAO,EAAE,CAAC;IAClB,aAAa,EAAE,OAAO,CAAC;IACvB,WAAW,EAAE,OAAO,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,OAAO,CAAC;IAClB,gBAAgB,EAAE,MAAM,GAAG,SAAS,CAAC;CACtC;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;CACzD;AAED,MAAM,WAAW,gBAAgB;IAC/B,mFAAmF;IACnF,KAAK,CAAC,EAAE,WAAW,CAAC;IACpB,sEAAsE;IACtE,WAAW,CAAC,EAAE,WAAW,CAAC;CAC3B;AA+BD;;;;;GAKG;AACH,wBAAsB,YAAY,CAChC,MAAM,EAAE,kBAAkB,EAC1B,IAAI,GAAE,gBAAqB,GAC1B,OAAO,CAAC,kBAAkB,CAAC,CAoI7B"}
+{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../src/verifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,KAAK,kBAAkB,EAAkB,MAAM,aAAa,CAAC;AAEtE,OAAO,EAAE,KAAK,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAIlD,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;AAEtD,MAAM,WAAW,kBAAkB;IACjC;;;OAGG;IACH,UAAU,EAAE,WAAW,CAAC;IACxB;;;OAGG;IACH,eAAe,EAAE,WAAW,CAAC;IAC7B;;;;OAIG;IACH,gBAAgB,EAAE,WAAW,CAAC;IAC9B;;;;OAIG;IACH,SAAS,EAAE,WAAW,CAAC;IACvB;;;OAGG;IACH,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;IACrC,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,OAAO,EAAE,CAAC;IAClB,aAAa,EAAE,OAAO,CAAC;IACvB,WAAW,EAAE,OAAO,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,OAAO,CAAC;IAClB,gBAAgB,EAAE,MAAM,GAAG,SAAS,CAAC;CACtC;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;CACzD;AAED,MAAM,WAAW,gBAAgB;IAC/B,mFAAmF;IACnF,KAAK,CAAC,EAAE,WAAW,CAAC;IACpB,sEAAsE;IACtE,WAAW,CAAC,EAAE,WAAW,CAAC;CAC3B;AAmBD;;;;;GAKG;AACH,wBAAsB,YAAY,CAChC,MAAM,EAAE,kBAAkB,EAC1B,IAAI,GAAE,gBAAqB,GAC1B,OAAO,CAAC,kBAAkB,CAAC,CAoI7B"}

package/dist/verifier.js

@@ -11,23 +11,13 @@
  * originalQuery, queryResult). For now `sdk_proof` reports
  * `'pending_day_7'`.
  */
-import { createHash } from 'node:crypto';
 import { validateBundle } from './bundle.js';
+import { base64ToBytes, bytesToUtf8, hexToBytes, sha256Hex } from './encoding.js';
 import {} from './log/rekor.js';
 import { hashLeaf, verifyConsistency, verifyInclusion } from './merkle.js';
 import { unpackSdkPayload } from './sdk-payload.js';
-function hexToBytes(hex) {
-    const out = new Uint8Array(hex.length / 2);
-    for (let i = 0; i < out.length; i++) {
-        out[i] = parseInt(hex.substr(i * 2, 2), 16);
-    }
-    return out;
-}
-function sha256Hex(bytes) {
-    return createHash('sha256').update(bytes).digest('hex');
-}
 function parseEntryBody(bodyBase64) {
-    const bytes = Buffer.from(bodyBase64, 'base64').toString('utf8');
+    const bytes = bytesToUtf8(base64ToBytes(bodyBase64));
     const body = JSON.parse(bytes);
     const spec = body['spec'];
     const content = spec?.['content'];
@@ -96,7 +86,7 @@ export async function verifyBundle(bundle, deps = {}) {
         result.errors.push(`payloadHash mismatch: bundle says ${expectedPayloadHash}, Rekor entry has ${entryPayloadHash}`);
     }
     // 3. inclusion_proof: leaf hash = sha256(0x00 || decoded-body-bytes); verify against captured root.
-    const bodyBytes = new Uint8Array(Buffer.from(entry.body, 'base64'));
+    const bodyBytes = base64ToBytes(entry.body);
     const leaf = hashLeaf(bodyBytes);
     const captured = bundle.rekor.inclusion_proof;
     const proofHashes = captured.hashes.map(hexToBytes);
@@ -169,7 +159,7 @@ async function runSdkVerification(bundle, sdkVerifier, errors) {
     // The returned uniqueIdentifier must match the statement's predicate.
     let statementUniqueId;
     try {
-        const statementBytes = Buffer.from(bundle.statement, 'hex').toString('utf8');
+        const statementBytes = bytesToUtf8(hexToBytes(bundle.statement));
         const parsed = JSON.parse(statementBytes);
         statementUniqueId = parsed.predicate?.unique_identifier;
     }

package/dist/verifier.js.map

@@ -1 +1 @@
-{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../src/verifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAA2B,cAAc,EAAE,MAAM,aAAa,CAAC;AACtE,OAAO,EAAoB,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,QAAQ,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC3E,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AA2DpD,SAAS,UAAU,CAAC,GAAW;IAC7B,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IAC3C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACpC,GAAG,CAAC,CAAC,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC9C,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,SAAS,CAAC,KAAiB;IAClC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AAMD,SAAS,cAAc,CAAC,UAAkB;IACxC,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACjE,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAA4B,CAAC;IAC1D,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAwC,CAAC;IACjE,MAAM,OAAO,GAAG,IAAI,EAAE,CAAC,SAAS,CAAwC,CAAC;IACzE,MAAM,WAAW,GAAG,OAAO,EAAE,CAAC,aAAa,CAAwC,CAAC;IACpF,MAAM,KAAK,GAAG,WAAW,EAAE,CAAC,OAAO,CAAC,CAAC;IACrC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;IAC7E,CAAC;IACD,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC;AACnC,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAA0B,EAC1B,OAAyB,EAAE;IAE3B,cAAc,CAAC,MAAM,CAAC,CAAC;IAEvB,MAAM,MAAM,GAAuB;QACjC,UAAU,EAAE,SAAS;QACrB,eAAe,EAAE,SAAS;QAC1B,gBAAgB,EAAE,SAAS;QAC3B,SAAS,EAAE,SAAS;QACpB,OAAO,EAAE,SAAS;QAClB,MAAM,EAAE,EAAE;KACX,CAAC;IAEF,qEAAqE;IACrE,yCAAyC;IACzC,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;QACrB,MAAM,CAAC,SAAS,GAAG,MAAM,kBAAkB,CAAC,MAAM,EAAE,IAAI,CAAC,WAAW,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IACvF,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QAChB,MAAM,CAAC,OAAO,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;QACxC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,wEAAwE;IACxE,IAAI,KAAK,CAAC;IACV,IAAI,CAAC;QACH,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;IACjE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,MAAM,CAAC,IAAI,CAChB,gCAAgC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACnF,CAAC;QACF,MAAM,CAAC,OAAO,GAAG,MAAM,CAAC;QACxB,MAAM,CAAC,UAAU,GAAG,MAAM,CAAC;QAC3B,MAAM,CAAC,eAAe,GAAG,MAAM,CAAC;QAChC,MAAM,CAAC,gBAAgB,GAAG,MAAM,CAAC;QACjC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,qFAAqF;IACrF,MAAM,cAAc,GAAG,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpD,MAAM,mBAAmB,GAAG,SAAS,CAAC,cAAc,CAAC,CAAC;IACtD,IAAI,gBAAwB,CAAC;IAC7B,IAAI,CAAC;QACH,gBAAgB,GAAG,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,cAAc,CAAC;IAC/D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,MAAM,CAAC,IAAI,CAChB,qCAAqC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACxF,CAAC;QACF,MAAM,CAAC,UAAU,GAAG,MAAM,CAAC;QAC3B,MAAM,CAAC,eAAe,GAAG,MAAM,CAAC;QAChC,MAAM,CAAC,gBAAgB,GAAG,MAAM,CAAC;QACjC,MAAM,CAAC,OAAO,GAAG,MAAM,CAAC;QACxB,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,MAAM,CAAC,UAAU,GAAG,mBAAmB,KAAK,gBAAgB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;IAC/E,IAAI,MAAM,CAAC,UAAU,KAAK,MAAM,EAAE,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,IAAI,CAChB,qCAAqC,mBAAmB,qBAAqB,gBAAgB,EAAE,CAChG,CAAC;IACJ,CAAC;IAED,oGAAoG;IACpG,MAAM,SAAS,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC,CAAC;IACpE,MAAM,IAAI,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC;IACjC,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,eAK7B,CAAC;IACF,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACpD,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAChD,MAAM,CAAC,eAAe,GAAG,eAAe,CACtC,IAAI,EACJ,QAAQ,CAAC,QAAQ,EACjB,QAAQ,CAAC,QAAQ,EACjB,WAAW,EACX,SAAS,CACV;QACC,CAAC,CAAC,MAAM;QACR,CAAC,CAAC,MAAM,CAAC;IACX,IAAI,MAAM,CAAC,eAAe,KAAK,MAAM,EAAE,CAAC;QACtC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;IAC9E,CAAC;IAED,iFAAiF;IACjF,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;QAC9C,IAAI,OAAO,CAAC,QAAQ,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACzC,MAAM,CAAC,MAAM,CAAC,IAAI,CAChB,qBAAqB,OAAO,CAAC,QAAQ,6BAA6B,QAAQ,CAAC,QAAQ,8BAA8B,CAClH,CAAC;YACF,MAAM,CAAC,gBAAgB,GAAG,MAAM,CAAC;QACnC,CAAC;aAAM,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,CAAC,QAAQ,EAAE,CAAC;YAClD,gCAAgC;YAChC,MAAM,CAAC,gBAAgB;gBACrB,OAAO,CAAC,QAAQ,KAAK,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;YAC3D,IAAI,MAAM,CAAC,gBAAgB,KAAK,MAAM,EAAE,CAAC;gBACvC,MAAM,CAAC,MAAM,CAAC,IAAI,CAChB,4CAA4C,QAAQ,CAAC,QAAQ,aAAa,OAAO,CAAC,QAAQ,EAAE,CAC7F,CAAC;YACJ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAChD,QAAQ,CAAC,QAAQ,EACjB,OAAO,CAAC,QAAQ,CACjB,CAAC;YACF,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAChD,MAAM,CAAC,gBAAgB,GAAG,iBAAiB,CACzC,QAAQ,CAAC,QAAQ,EACjB,OAAO,CAAC,QAAQ,EAChB,SAAS,EACT,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,EAC5B,UAAU,CACX;gBACC,CAAC,CAAC,MAAM;gBACR,CAAC,CAAC,MAAM,CAAC;YACX,IAAI,MAAM,CAAC,gBAAgB,KAAK,MAAM,EAAE,CAAC;gBACvC,MAAM,CAAC,MAAM,CAAC,IAAI,CAChB,sFAAsF,CACvF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,MAAM,CAAC,IAAI,CAChB,4BAA4B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC/E,CAAC;QACF,MAAM,CAAC,gBAAgB,GAAG,MAAM,CAAC;IACnC,CAAC;IAED,MAAM,CAAC,OAAO,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,KAAK,UAAU,kBAAkB,CAC/B,MAA0B,EAC1B,WAAwB,EACxB,MAAgB;IAEhB,IAAI,OAAO,CAAC;IACZ,IAAI,CAAC;QACH,OAAO,GAAG,gBAAgB,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAChD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CACT,wDACE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CACjD,EAAE,CACH,CAAC;QACF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,SAA0B,CAAC;IAC/B,IAAI,CAAC;QACH,SAAS,GAAG,MAAM,WAAW,CAAC,MAAM,CAAC;YACnC,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,aAAa,EAAE,OAAO,CAAC,cAAc;YACrC,WAAW,EAAE,OAAO,CAAC,YAAY;YACjC,OAAO,EAAE,OAAO,CAAC,QAAQ;SAC1B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,qBAAqB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACrF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,SAAS,CAAC,QAAQ,KAAK,IAAI,EAAE,CAAC;QAChC,MAAM,CAAC,IAAI,CAAC,yBAAyB,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QACnE,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,sEAAsE;IACtE,IAAI,iBAAqC,CAAC;IAC1C,IAAI,CAAC;QACH,MAAM,cAAc,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QAC7E,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAEvC,CAAC;QACF,iBAAiB,GAAG,MAAM,CAAC,SAAS,EAAE,iBAAiB,CAAC;IAC1D,CAAC;IAAC,MAAM,CAAC;QACP,iBAAiB,GAAG,SAAS,CAAC;IAChC,CAAC;IAED,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,MAAM,CAAC,IAAI,CAAC,2DAA2D,CAAC,CAAC;QACzE,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,IAAI,SAAS,CAAC,gBAAgB,KAAK,iBAAiB,EAAE,CAAC;QACrD,MAAM,CAAC,IAAI,CACT,wBAAwB,MAAM,CAAC,SAAS,CAAC,gBAAgB,CAAC,yDAAyD,iBAAiB,EAAE,CACvI,CAAC;QACF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,cAAc,CAAC,CAAqB;IAC3C,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,eAAe,EAAE,CAAC,CAAC,gBAAgB,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC;IAC/E,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,MAAM,CAAC;QAAE,OAAO,MAAM,CAAC;IACjD,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,MAAM,CAAC;QAAE,OAAO,MAAM,CAAC;IAClD,OAAO,SAAS,CAAC;AACnB,CAAC"}
+{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../src/verifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAA2B,cAAc,EAAE,MAAM,aAAa,CAAC;AACtE,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAClF,OAAO,EAAoB,MAAM,gBAAgB,CAAC;AAClD,OAAO,EAAE,QAAQ,EAAE,iBAAiB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC3E,OAAO,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AA+DpD,SAAS,cAAc,CAAC,UAAkB;IACxC,MAAM,KAAK,GAAG,WAAW,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC,CAAC;IACrD,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAA4B,CAAC;IAC1D,MAAM,IAAI,GAAG,IAAI,CAAC,MAAM,CAAwC,CAAC;IACjE,MAAM,OAAO,GAAG,IAAI,EAAE,CAAC,SAAS,CAAwC,CAAC;IACzE,MAAM,WAAW,GAAG,OAAO,EAAE,CAAC,aAAa,CAAwC,CAAC;IACpF,MAAM,KAAK,GAAG,WAAW,EAAE,CAAC,OAAO,CAAC,CAAC;IACrC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;IAC7E,CAAC;IACD,OAAO,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC;AACnC,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,MAA0B,EAC1B,OAAyB,EAAE;IAE3B,cAAc,CAAC,MAAM,CAAC,CAAC;IAEvB,MAAM,MAAM,GAAuB;QACjC,UAAU,EAAE,SAAS;QACrB,eAAe,EAAE,SAAS;QAC1B,gBAAgB,EAAE,SAAS;QAC3B,SAAS,EAAE,SAAS;QACpB,OAAO,EAAE,SAAS;QAClB,MAAM,EAAE,EAAE;KACX,CAAC;IAEF,qEAAqE;IACrE,yCAAyC;IACzC,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;QACrB,MAAM,CAAC,SAAS,GAAG,MAAM,kBAAkB,CAAC,MAAM,EAAE,IAAI,CAAC,WAAW,EAAE,MAAM,CAAC,MAAM,CAAC,CAAC;IACvF,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,KAAK,EAAE,CAAC;QAChB,MAAM,CAAC,OAAO,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;QACxC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,wEAAwE;IACxE,IAAI,KAAK,CAAC;IACV,IAAI,CAAC;QACH,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,CAAC,CAAC;IACjE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,MAAM,CAAC,IAAI,CAChB,gCAAgC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACnF,CAAC;QACF,MAAM,CAAC,OAAO,GAAG,MAAM,CAAC;QACxB,MAAM,CAAC,UAAU,GAAG,MAAM,CAAC;QAC3B,MAAM,CAAC,eAAe,GAAG,MAAM,CAAC;QAChC,MAAM,CAAC,gBAAgB,GAAG,MAAM,CAAC;QACjC,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,qFAAqF;IACrF,MAAM,cAAc,GAAG,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpD,MAAM,mBAAmB,GAAG,SAAS,CAAC,cAAc,CAAC,CAAC;IACtD,IAAI,gBAAwB,CAAC;IAC7B,IAAI,CAAC;QACH,gBAAgB,GAAG,cAAc,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,cAAc,CAAC;IAC/D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,MAAM,CAAC,IAAI,CAChB,qCAAqC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACxF,CAAC;QACF,MAAM,CAAC,UAAU,GAAG,MAAM,CAAC;QAC3B,MAAM,CAAC,eAAe,GAAG,MAAM,CAAC;QAChC,MAAM,CAAC,gBAAgB,GAAG,MAAM,CAAC;QACjC,MAAM,CAAC,OAAO,GAAG,MAAM,CAAC;QACxB,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,MAAM,CAAC,UAAU,GAAG,mBAAmB,KAAK,gBAAgB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;IAC/E,IAAI,MAAM,CAAC,UAAU,KAAK,MAAM,EAAE,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,IAAI,CAChB,qCAAqC,mBAAmB,qBAAqB,gBAAgB,EAAE,CAChG,CAAC;IACJ,CAAC;IAED,oGAAoG;IACpG,MAAM,SAAS,GAAG,aAAa,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC5C,MAAM,IAAI,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAC;IACjC,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,CAAC,eAK7B,CAAC;IACF,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;IACpD,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAChD,MAAM,CAAC,eAAe,GAAG,eAAe,CACtC,IAAI,EACJ,QAAQ,CAAC,QAAQ,EACjB,QAAQ,CAAC,QAAQ,EACjB,WAAW,EACX,SAAS,CACV;QACC,CAAC,CAAC,MAAM;QACR,CAAC,CAAC,MAAM,CAAC;IACX,IAAI,MAAM,CAAC,eAAe,KAAK,MAAM,EAAE,CAAC;QACtC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,uDAAuD,CAAC,CAAC;IAC9E,CAAC;IAED,iFAAiF;IACjF,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC;QAC9C,IAAI,OAAO,CAAC,QAAQ,GAAG,QAAQ,CAAC,QAAQ,EAAE,CAAC;YACzC,MAAM,CAAC,MAAM,CAAC,IAAI,CAChB,qBAAqB,OAAO,CAAC,QAAQ,6BAA6B,QAAQ,CAAC,QAAQ,8BAA8B,CAClH,CAAC;YACF,MAAM,CAAC,gBAAgB,GAAG,MAAM,CAAC;QACnC,CAAC;aAAM,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ,CAAC,QAAQ,EAAE,CAAC;YAClD,gCAAgC;YAChC,MAAM,CAAC,gBAAgB;gBACrB,OAAO,CAAC,QAAQ,KAAK,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;YAC3D,IAAI,MAAM,CAAC,gBAAgB,KAAK,MAAM,EAAE,CAAC;gBACvC,MAAM,CAAC,MAAM,CAAC,IAAI,CAChB,4CAA4C,QAAQ,CAAC,QAAQ,aAAa,OAAO,CAAC,QAAQ,EAAE,CAC7F,CAAC;YACJ,CAAC;QACH,CAAC;aAAM,CAAC;YACN,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAChD,QAAQ,CAAC,QAAQ,EACjB,OAAO,CAAC,QAAQ,CACjB,CAAC;YACF,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;YAChD,MAAM,CAAC,gBAAgB,GAAG,iBAAiB,CACzC,QAAQ,CAAC,QAAQ,EACjB,OAAO,CAAC,QAAQ,EAChB,SAAS,EACT,UAAU,CAAC,OAAO,CAAC,QAAQ,CAAC,EAC5B,UAAU,CACX;gBACC,CAAC,CAAC,MAAM;gBACR,CAAC,CAAC,MAAM,CAAC;YACX,IAAI,MAAM,CAAC,gBAAgB,KAAK,MAAM,EAAE,CAAC;gBACvC,MAAM,CAAC,MAAM,CAAC,IAAI,CAChB,sFAAsF,CACvF,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,MAAM,CAAC,IAAI,CAChB,4BAA4B,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC/E,CAAC;QACF,MAAM,CAAC,gBAAgB,GAAG,MAAM,CAAC;IACnC,CAAC;IAED,MAAM,CAAC,OAAO,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,KAAK,UAAU,kBAAkB,CAC/B,MAA0B,EAC1B,WAAwB,EACxB,MAAgB;IAEhB,IAAI,OAAO,CAAC;IACZ,IAAI,CAAC;QACH,OAAO,GAAG,gBAAgB,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAChD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CACT,wDACE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CACjD,EAAE,CACH,CAAC;QACF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,SAA0B,CAAC;IAC/B,IAAI,CAAC;QACH,SAAS,GAAG,MAAM,WAAW,CAAC,MAAM,CAAC;YACnC,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,aAAa,EAAE,OAAO,CAAC,cAAc;YACrC,WAAW,EAAE,OAAO,CAAC,YAAY;YACjC,OAAO,EAAE,OAAO,CAAC,QAAQ;SAC1B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,qBAAqB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QACrF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,SAAS,CAAC,QAAQ,KAAK,IAAI,EAAE,CAAC;QAChC,MAAM,CAAC,IAAI,CAAC,yBAAyB,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;QACnE,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,sEAAsE;IACtE,IAAI,iBAAqC,CAAC;IAC1C,IAAI,CAAC;QACH,MAAM,cAAc,GAAG,WAAW,CAAC,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC;QACjE,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,cAAc,CAEvC,CAAC;QACF,iBAAiB,GAAG,MAAM,CAAC,SAAS,EAAE,iBAAiB,CAAC;IAC1D,CAAC;IAAC,MAAM,CAAC;QACP,iBAAiB,GAAG,SAAS,CAAC;IAChC,CAAC;IAED,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,MAAM,CAAC,IAAI,CAAC,2DAA2D,CAAC,CAAC;QACzE,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,IAAI,SAAS,CAAC,gBAAgB,KAAK,iBAAiB,EAAE,CAAC;QACrD,MAAM,CAAC,IAAI,CACT,wBAAwB,MAAM,CAAC,SAAS,CAAC,gBAAgB,CAAC,yDAAyD,iBAAiB,EAAE,CACvI,CAAC;QACF,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,cAAc,CAAC,CAAqB;IAC3C,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,eAAe,EAAE,CAAC,CAAC,gBAAgB,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC;IAC/E,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,MAAM,CAAC;QAAE,OAAO,MAAM,CAAC;IACjD,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,MAAM,CAAC;QAAE,OAAO,MAAM,CAAC;IAClD,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/web.d.ts

@@ -0,0 +1,35 @@
+/**
+ * `@passportsign/core/web` — the runtime-neutral surface.
+ *
+ * Everything exported here runs on Node, Cloudflare Workers, and
+ * browsers: no `node:fs`, no `node:crypto`, no `node:sqlite`, no
+ * `Buffer`. The Worker badge service and the browser bind flow import
+ * from this subpath; if something node-only sneaks in, their bundlers
+ * fail loudly at build time — that's the contract this file enforces.
+ *
+ * Node-only counterparts stay on the main entry: `readBundle` /
+ * `writeBundle` (fs), `signEnvelope` (node crypto; use
+ * `signEnvelopeWeb` here), `submitBinding` (composes the node signer;
+ * compose `signEnvelopeWeb` + `RekorClient.submitIntoto` +
+ * `assembleBundle` instead), and the SQLite cache.
+ */
+export { canonicalize, canonicalSha256Hex } from './canonical.js';
+export { base64ToBytes, bytesToBase64, bytesToHex, bytesToUtf8, hexToBytes, randomBytes, sha256Bytes, sha256Hex, utf8ToBytes, } from './encoding.js';
+export { IN_TOTO_STATEMENT_TYPE, PASSPORTSIGN_PREDICATE_TYPE, PASSPORTSIGN_REVOCATION_PREDICATE_TYPE, buildRevocationStatement, buildStatement, type BuildRevocationStatementInput, type BuildStatementInput, type DisclosureLevel, type PassportsignPredicate, type PassportsignRevocationPredicate, type PassportsignRevocationStatement, type PassportsignStatement, } from './statement.js';
+export { BUNDLE_FORMAT_VERSION, BundleValidationError, assembleBundle, validateBundle, type PassportsignBundle, type RekorBundleFields, type SubmittableStatement, } from './bundle.js';
+export { ERROR_CODES, PassportsignError, type ErrorCode } from './errors.js';
+export { NONCE_BYTES, NONCE_BASE32_LENGTH, base32Encode, generateNonce, } from './nonce.js';
+export { checkGistControl, type CheckGistOptions, type GistEvidence, } from './github.js';
+export { prepareBinding, type PrepareBindingDeps, type PrepareBindingInit, type PrepareBindingInput, type PreparedBinding, } from './bind.js';
+export { prepareRevocation, type PrepareRevocationInput, type PreparedRevocation, } from './revoke.js';
+export { DSSE_VERSION, IN_TOTO_PAYLOAD_TYPE, pae, type DsseEnvelope, type DsseSignature, } from './dsse-common.js';
+export { p1363ToDer, signEnvelopeWeb, type SignEnvelopeWebResult, } from './dsse-web.js';
+export { DEFAULT_REKOR_BASE_URL, PublicSigstoreRekorClient, buildIntotoEntryBody, type InclusionProof, type PublicSigstoreRekorClientOptions, type RekorClient, type RekorEntryResponse, } from './log/rekor.js';
+export { hashLeaf, hashPair, verifyConsistency, verifyInclusion, } from './merkle.js';
+export { packSdkPayload, unpackSdkPayload, type PackedSdkPayload, type SdkPayload, } from './sdk-payload.js';
+export { renderBadgeMarkdown, renderBadgeSvg, type BadgeInput, } from './badge.js';
+export { PROFILE_INDEX_FILENAME, PROFILE_INDEX_VERSION, ProfileIndexValidationError, addBinding, addRevocation, createProfileIndex, fetchProfileIndex, mergeProfileIndexes, profileIndexUrl, validateProfileIndex, type FetchProfileIndexOptions, type ProfileIndex, type ProfileIndexBinding, type ProfileIndexRevocation, } from './profile-index.js';
+export { EntryParseError, STALENESS_WINDOW_MS, classifyBindings, parseIntotoEntry, type BindingState, type ClassifiedBinding, type ClassifyBindingsInput, type InTotoStatement, type ParsedIntotoEntry, } from './classify.js';
+export { lookupBindings, lookupFromIndex, type LookupBindingsDeps, type LookupDeps, type LookupEntryProblem, type LookupResult, } from './lookup.js';
+export { verifyBundle, type BundleVerifyResult, type CheckResult, type SdkVerifier, type SdkVerifyInput, type SdkVerifyResult, type VerifyBundleDeps, } from './verifier.js';
+//# sourceMappingURL=web.d.ts.map

package/dist/web.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"web.d.ts","sourceRoot":"","sources":["../src/web.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,YAAY,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EACL,aAAa,EACb,aAAa,EACb,UAAU,EACV,WAAW,EACX,UAAU,EACV,WAAW,EACX,WAAW,EACX,SAAS,EACT,WAAW,GACZ,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,sBAAsB,EACtB,2BAA2B,EAC3B,sCAAsC,EACtC,wBAAwB,EACxB,cAAc,EACd,KAAK,6BAA6B,EAClC,KAAK,mBAAmB,EACxB,KAAK,eAAe,EACpB,KAAK,qBAAqB,EAC1B,KAAK,+BAA+B,EACpC,KAAK,+BAA+B,EACpC,KAAK,qBAAqB,GAC3B,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,qBAAqB,EACrB,qBAAqB,EACrB,cAAc,EACd,cAAc,EACd,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,EACtB,KAAK,oBAAoB,GAC1B,MAAM,aAAa,CAAC;AAErB,OAAO,EAAE,WAAW,EAAE,iBAAiB,EAAE,KAAK,SAAS,EAAE,MAAM,aAAa,CAAC;AAE7E,OAAO,EACL,WAAW,EACX,mBAAmB,EACnB,YAAY,EACZ,aAAa,GACd,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,gBAAgB,EAChB,KAAK,gBAAgB,EACrB,KAAK,YAAY,GAClB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,cAAc,EACd,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,EACxB,KAAK,eAAe,GACrB,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,iBAAiB,EACjB,KAAK,sBAAsB,EAC3B,KAAK,kBAAkB,GACxB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,YAAY,EACZ,oBAAoB,EACpB,GAAG,EACH,KAAK,YAAY,EACjB,KAAK,aAAa,GACnB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,UAAU,EACV,eAAe,EACf,KAAK,qBAAqB,GAC3B,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,sBAAsB,EACtB,yBAAyB,EACzB,oBAAoB,EACpB,KAAK,cAAc,EACnB,KAAK,gCAAgC,EACrC,KAAK,WAAW,EAChB,KAAK,kBAAkB,GACxB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,QAAQ,EACR,QAAQ,EACR,iBAAiB,EACjB,eAAe,GAChB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,cAAc,EACd,gBAAgB,EAChB,KAAK,gBAAgB,EACrB,KAAK,UAAU,GAChB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,mBAAmB,EACnB,cAAc,EACd,KAAK,UAAU,GAChB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,sBAAsB,EACtB,qBAAqB,EACrB,2BAA2B,EAC3B,UAAU,EACV,aAAa,EACb,kBAAkB,EAClB,iBAAiB,EACjB,mBAAmB,EACnB,eAAe,EACf,oBAAoB,EACpB,KAAK,wBAAwB,EAC7B,KAAK,YAAY,EACjB,KAAK,mBAAmB,EACxB,KAAK,sBAAsB,GAC5B,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,gBAAgB,EAChB,gBAAgB,EAChB,KAAK,YAAY,EACjB,KAAK,iBAAiB,EACtB,KAAK,qBAAqB,EAC1B,KAAK,eAAe,EACpB,KAAK,iBAAiB,GACvB,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,cAAc,EACd,eAAe,EACf,KAAK,kBAAkB,EACvB,KAAK,UAAU,EACf,KAAK,kBAAkB,EACvB,KAAK,YAAY,GAClB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,YAAY,EACZ,KAAK,kBAAkB,EACvB,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,KAAK,cAAc,EACnB,KAAK,eAAe,EACpB,KAAK,gBAAgB,GACtB,MAAM,eAAe,CAAC"}

package/dist/web.js

@@ -0,0 +1,35 @@
+/**
+ * `@passportsign/core/web` — the runtime-neutral surface.
+ *
+ * Everything exported here runs on Node, Cloudflare Workers, and
+ * browsers: no `node:fs`, no `node:crypto`, no `node:sqlite`, no
+ * `Buffer`. The Worker badge service and the browser bind flow import
+ * from this subpath; if something node-only sneaks in, their bundlers
+ * fail loudly at build time — that's the contract this file enforces.
+ *
+ * Node-only counterparts stay on the main entry: `readBundle` /
+ * `writeBundle` (fs), `signEnvelope` (node crypto; use
+ * `signEnvelopeWeb` here), `submitBinding` (composes the node signer;
+ * compose `signEnvelopeWeb` + `RekorClient.submitIntoto` +
+ * `assembleBundle` instead), and the SQLite cache.
+ */
+export { canonicalize, canonicalSha256Hex } from './canonical.js';
+export { base64ToBytes, bytesToBase64, bytesToHex, bytesToUtf8, hexToBytes, randomBytes, sha256Bytes, sha256Hex, utf8ToBytes, } from './encoding.js';
+export { IN_TOTO_STATEMENT_TYPE, PASSPORTSIGN_PREDICATE_TYPE, PASSPORTSIGN_REVOCATION_PREDICATE_TYPE, buildRevocationStatement, buildStatement, } from './statement.js';
+export { BUNDLE_FORMAT_VERSION, BundleValidationError, assembleBundle, validateBundle, } from './bundle.js';
+export { ERROR_CODES, PassportsignError } from './errors.js';
+export { NONCE_BYTES, NONCE_BASE32_LENGTH, base32Encode, generateNonce, } from './nonce.js';
+export { checkGistControl, } from './github.js';
+export { prepareBinding, } from './bind.js';
+export { prepareRevocation, } from './revoke.js';
+export { DSSE_VERSION, IN_TOTO_PAYLOAD_TYPE, pae, } from './dsse-common.js';
+export { p1363ToDer, signEnvelopeWeb, } from './dsse-web.js';
+export { DEFAULT_REKOR_BASE_URL, PublicSigstoreRekorClient, buildIntotoEntryBody, } from './log/rekor.js';
+export { hashLeaf, hashPair, verifyConsistency, verifyInclusion, } from './merkle.js';
+export { packSdkPayload, unpackSdkPayload, } from './sdk-payload.js';
+export { renderBadgeMarkdown, renderBadgeSvg, } from './badge.js';
+export { PROFILE_INDEX_FILENAME, PROFILE_INDEX_VERSION, ProfileIndexValidationError, addBinding, addRevocation, createProfileIndex, fetchProfileIndex, mergeProfileIndexes, profileIndexUrl, validateProfileIndex, } from './profile-index.js';
+export { EntryParseError, STALENESS_WINDOW_MS, classifyBindings, parseIntotoEntry, } from './classify.js';
+export { lookupBindings, lookupFromIndex, } from './lookup.js';
+export { verifyBundle, } from './verifier.js';
+//# sourceMappingURL=web.js.map

package/dist/web.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"web.js","sourceRoot":"","sources":["../src/web.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,YAAY,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAElE,OAAO,EACL,aAAa,EACb,aAAa,EACb,UAAU,EACV,WAAW,EACX,UAAU,EACV,WAAW,EACX,WAAW,EACX,SAAS,EACT,WAAW,GACZ,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,sBAAsB,EACtB,2BAA2B,EAC3B,sCAAsC,EACtC,wBAAwB,EACxB,cAAc,GAQf,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,qBAAqB,EACrB,qBAAqB,EACrB,cAAc,EACd,cAAc,GAIf,MAAM,aAAa,CAAC;AAErB,OAAO,EAAE,WAAW,EAAE,iBAAiB,EAAkB,MAAM,aAAa,CAAC;AAE7E,OAAO,EACL,WAAW,EACX,mBAAmB,EACnB,YAAY,EACZ,aAAa,GACd,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,gBAAgB,GAGjB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,cAAc,GAKf,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,iBAAiB,GAGlB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,YAAY,EACZ,oBAAoB,EACpB,GAAG,GAGJ,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,UAAU,EACV,eAAe,GAEhB,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,sBAAsB,EACtB,yBAAyB,EACzB,oBAAoB,GAKrB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,QAAQ,EACR,QAAQ,EACR,iBAAiB,EACjB,eAAe,GAChB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,cAAc,EACd,gBAAgB,GAGjB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,mBAAmB,EACnB,cAAc,GAEf,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,sBAAsB,EACtB,qBAAqB,EACrB,2BAA2B,EAC3B,UAAU,EACV,aAAa,EACb,kBAAkB,EAClB,iBAAiB,EACjB,mBAAmB,EACnB,eAAe,EACf,oBAAoB,GAKrB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EACL,eAAe,EACf,mBAAmB,EACnB,gBAAgB,EAChB,gBAAgB,GAMjB,MAAM,eAAe,CAAC;AAEvB,OAAO,EACL,cAAc,EACd,eAAe,GAKhB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,YAAY,GAOb,MAAM,eAAe,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@passportsign/core",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Core primitives for passportsign: canonical serialization, in-toto Statement v1 builder, binding bundle format, GitHub gist check, Rekor client, RFC 6962 Merkle, DSSE envelope, bundle verifier. Apache-2.0.",
   "keywords": [
     "passportsign",
@@ -31,6 +31,10 @@
       "types": "./dist/index.d.ts",
       "default": "./dist/index.js"
     },
+    "./web": {
+      "types": "./dist/web.d.ts",
+      "default": "./dist/web.js"
+    },
     "./storage/sqlite": {
       "types": "./dist/storage/sqlite.d.ts",
       "default": "./dist/storage/sqlite.js"
@@ -49,9 +53,9 @@
     "node": ">=22.5"
   },
   "dependencies": {
+    "@noble/hashes": "^1.8.0",
     "@truestamp/canonify": "1.0.3"
   },
-  "devDependencies": {},
   "scripts": {
     "build": "tsc -p tsconfig.json",
     "test": "vitest run",

package/src/badge.ts

@@ -1,113 +1,124 @@
-/**
- * Self-contained inline SVG badge generator for passportsign.
- *
- * v0 ships without a hosted badge service. Maintainers commit the
- * generated `passportsign-badge.svg` to a public repo (typically the
- * `username/username` profile repo) and reference it from their
- * README. GitHub's image proxy renders the SVG; the badge wraps a
- * link to the Rekor entry for click-through verification.
- *
- * Visual: shields.io-style pill, two segments, ~190-280px wide
- * depending on text. Renders with the 10x scale + transform=scale(.1)
- * trick used by shields.io for crisper text rendering.
- */
-
-export interface BadgeInput {
-  github_username: string;
-  issuing_country: string | null;
-  bound_at: string;            // ISO 8601 timestamp
-  /** Rekor entry UUID for the `<title>` tooltip. */
-  log_entry_hash?: string;
-}
-
-const LABEL = 'passportsign';
-const CHAR_WIDTH_PX = 7;        // Approx Verdana 11pt character width
-const SIDE_PADDING_PX = 8;
-
-function escapeXml(s: string): string {
-  return s.replace(/[<>&"']/g, (c) => {
-    switch (c) {
-      case '<': return '&lt;';
-      case '>': return '&gt;';
-      case '&': return '&amp;';
-      case '"': return '&quot;';
-      case "'": return '&apos;';
-      default: return c;
-    }
-  });
-}
-
-function dateStringFor(isoTimestamp: string): string {
-  // Render as YYYY-MM-DD for the badge.
-  const d = new Date(isoTimestamp);
-  if (Number.isNaN(d.getTime())) return isoTimestamp.slice(0, 10);
-  const y = d.getUTCFullYear();
-  const m = String(d.getUTCMonth() + 1).padStart(2, '0');
-  const day = String(d.getUTCDate()).padStart(2, '0');
-  return `${y}-${m}-${day}`;
-}
-
-/**
- * Render the badge SVG. The output is intentionally a string (not a
- * DOM tree or stream) so callers can write it to disk directly with
- * `writeFileSync`.
- */
-export function renderBadgeSvg(input: BadgeInput): string {
-  const date = dateStringFor(input.bound_at);
-  const valueParts = ['verified human'];
-  if (input.issuing_country) valueParts.push(input.issuing_country);
-  valueParts.push(date);
-  const valueText = valueParts.join(' · '); // middle dot ·
-
-  const labelEsc = escapeXml(LABEL);
-  const valueEsc = escapeXml(valueText);
-
-  const labelW = LABEL.length * CHAR_WIDTH_PX + 2 * SIDE_PADDING_PX;
-  const valueW = valueText.length * CHAR_WIDTH_PX + 2 * SIDE_PADDING_PX;
-  const totalW = labelW + valueW;
-
-  const labelCx10 = labelW * 5;          // centre of label segment, scaled x10
-  const valueCx10 = (labelW + valueW / 2) * 10;
-  const ariaLabel = `${labelEsc}: ${valueEsc}`;
-  const tooltipExtra = input.log_entry_hash
-    ? ` (rekor entry ${escapeXml(input.log_entry_hash.slice(0, 16))}…)`
-    : '';
-
-  return [
-    `<svg xmlns="http://www.w3.org/2000/svg" width="${totalW}" height="20" role="img" aria-label="${ariaLabel}">`,
-    `<title>${ariaLabel}${tooltipExtra}</title>`,
-    `<linearGradient id="s" x2="0" y2="100%">`,
-    `<stop offset="0" stop-color="#bbb" stop-opacity=".1"/>`,
-    `<stop offset="1" stop-opacity=".1"/>`,
-    `</linearGradient>`,
-    `<clipPath id="r"><rect width="${totalW}" height="20" rx="3" fill="#fff"/></clipPath>`,
-    `<g clip-path="url(#r)">`,
-    `<rect width="${labelW}" height="20" fill="#555"/>`,
-    `<rect x="${labelW}" width="${valueW}" height="20" fill="#4c1"/>`,
-    `<rect width="${totalW}" height="20" fill="url(#s)"/>`,
-    `</g>`,
-    `<g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110">`,
-    `<text x="${labelCx10}" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)">${labelEsc}</text>`,
-    `<text x="${labelCx10}" y="140" transform="scale(.1)">${labelEsc}</text>`,
-    `<text x="${valueCx10}" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)">${valueEsc}</text>`,
-    `<text x="${valueCx10}" y="140" transform="scale(.1)">${valueEsc}</text>`,
-    `</g>`,
-    `</svg>`,
-  ].join('');
-}
-
-/**
- * Render the Markdown snippet that wraps the badge in a click-through
- * link to the Rekor entry. Suitable for pasting into a README.
- */
-export function renderBadgeMarkdown(input: {
-  badge_path: string;            // relative path the user will commit
-  log_entry_hash: string;        // Rekor entry UUID
-  rekor_base_url?: string;       // default: https://rekor.sigstore.dev
-  alt_text?: string;
-}): string {
-  const base = input.rekor_base_url ?? 'https://rekor.sigstore.dev';
-  const url = `${base}/api/v1/log/entries/${input.log_entry_hash}`;
-  const alt = input.alt_text ?? 'passportsign verified';
-  return `[![${alt}](${input.badge_path})](${url})`;
-}
+/**
+ * Self-contained inline SVG badge generator for passportsign.
+ *
+ * v0 ships without a hosted badge service. Maintainers commit the
+ * generated `passportsign-badge.svg` to a public repo (typically the
+ * `username/username` profile repo) and reference it from their
+ * README. GitHub's image proxy renders the SVG; the badge wraps a
+ * link to the Rekor entry for click-through verification.
+ *
+ * Visual: shields.io-style pill, two segments, ~190-280px wide
+ * depending on text. Renders with the 10x scale + transform=scale(.1)
+ * trick used by shields.io for crisper text rendering.
+ */
+
+export interface BadgeInput {
+  github_username: string;
+  issuing_country: string | null;
+  bound_at: string;            // ISO 8601 timestamp
+  /** Rekor entry UUID for the `<title>` tooltip. */
+  log_entry_hash?: string;
+  /**
+   * Binding state (spec §4 color logic). Defaults to `'active'` so
+   * v0-era callers (static badges) are unchanged.
+   */
+  state?: 'active' | 'stale' | 'revoked';
+}
+
+const LABEL = 'passportsign';
+const STATE_COLORS = {
+  active: '#4c1',
+  stale: '#dfb317',
+  revoked: '#e05d44',
+} as const;
+const CHAR_WIDTH_PX = 7;        // Approx Verdana 11pt character width
+const SIDE_PADDING_PX = 8;
+
+function escapeXml(s: string): string {
+  return s.replace(/[<>&"']/g, (c) => {
+    switch (c) {
+      case '<': return '&lt;';
+      case '>': return '&gt;';
+      case '&': return '&amp;';
+      case '"': return '&quot;';
+      case "'": return '&apos;';
+      default: return c;
+    }
+  });
+}
+
+function dateStringFor(isoTimestamp: string): string {
+  // Render as YYYY-MM-DD for the badge.
+  const d = new Date(isoTimestamp);
+  if (Number.isNaN(d.getTime())) return isoTimestamp.slice(0, 10);
+  const y = d.getUTCFullYear();
+  const m = String(d.getUTCMonth() + 1).padStart(2, '0');
+  const day = String(d.getUTCDate()).padStart(2, '0');
+  return `${y}-${m}-${day}`;
+}
+
+/**
+ * Render the badge SVG. The output is intentionally a string (not a
+ * DOM tree or stream) so callers can write it to disk directly with
+ * `writeFileSync`.
+ */
+export function renderBadgeSvg(input: BadgeInput): string {
+  const state = input.state ?? 'active';
+  const date = dateStringFor(input.bound_at);
+  const valueParts = [state === 'revoked' ? 'revoked' : 'verified human'];
+  if (input.issuing_country) valueParts.push(input.issuing_country);
+  valueParts.push(date);
+  const valueText = valueParts.join(' · '); // middle dot ·
+
+  const labelEsc = escapeXml(LABEL);
+  const valueEsc = escapeXml(valueText);
+
+  const labelW = LABEL.length * CHAR_WIDTH_PX + 2 * SIDE_PADDING_PX;
+  const valueW = valueText.length * CHAR_WIDTH_PX + 2 * SIDE_PADDING_PX;
+  const totalW = labelW + valueW;
+
+  const labelCx10 = labelW * 5;          // centre of label segment, scaled x10
+  const valueCx10 = (labelW + valueW / 2) * 10;
+  const ariaLabel = `${labelEsc}: ${valueEsc}`;
+  const tooltipExtra = input.log_entry_hash
+    ? ` (rekor entry ${escapeXml(input.log_entry_hash.slice(0, 16))}…)`
+    : '';
+
+  return [
+    `<svg xmlns="http://www.w3.org/2000/svg" width="${totalW}" height="20" role="img" aria-label="${ariaLabel}">`,
+    `<title>${ariaLabel}${tooltipExtra}</title>`,
+    `<linearGradient id="s" x2="0" y2="100%">`,
+    `<stop offset="0" stop-color="#bbb" stop-opacity=".1"/>`,
+    `<stop offset="1" stop-opacity=".1"/>`,
+    `</linearGradient>`,
+    `<clipPath id="r"><rect width="${totalW}" height="20" rx="3" fill="#fff"/></clipPath>`,
+    `<g clip-path="url(#r)">`,
+    `<rect width="${labelW}" height="20" fill="#555"/>`,
+    `<rect x="${labelW}" width="${valueW}" height="20" fill="${STATE_COLORS[state]}"/>`,
+    `<rect width="${totalW}" height="20" fill="url(#s)"/>`,
+    `</g>`,
+    `<g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110">`,
+    `<text x="${labelCx10}" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)">${labelEsc}</text>`,
+    `<text x="${labelCx10}" y="140" transform="scale(.1)">${labelEsc}</text>`,
+    `<text x="${valueCx10}" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)">${valueEsc}</text>`,
+    `<text x="${valueCx10}" y="140" transform="scale(.1)">${valueEsc}</text>`,
+    `</g>`,
+    `</svg>`,
+  ].join('');
+}
+
+/**
+ * Render the Markdown snippet that wraps the badge in a click-through
+ * link to the Rekor entry. Suitable for pasting into a README.
+ */
+export function renderBadgeMarkdown(input: {
+  badge_path: string;            // relative path the user will commit
+  log_entry_hash: string;        // Rekor entry UUID
+  rekor_base_url?: string;       // default: https://rekor.sigstore.dev
+  alt_text?: string;
+}): string {
+  const base = input.rekor_base_url ?? 'https://rekor.sigstore.dev';
+  const url = `${base}/api/v1/log/entries/${input.log_entry_hash}`;
+  const alt = input.alt_text ?? 'passportsign verified';
+  return `[![${alt}](${input.badge_path})](${url})`;
+}