@passportsign/core 0.1.0

package/dist/bundle.js

@@ -0,0 +1,95 @@
+/**
+ * `binding.passportsign.json` bundle format — the portable unit of
+ * verification.
+ *
+ * Rekor stores hashes, not artifacts. To verify a binding, a third party
+ * needs both the Rekor entry (hash + inclusion proof) and the artifacts
+ * that were hashed. The bundle carries both: the canonical statement bytes
+ * (hex), the proof blob (base64), and the Rekor metadata.
+ *
+ * Shape follows the Sigstore verification-bundle pattern. The
+ * `rekor.inclusion_proof` field is intentionally `unknown` for now — its
+ * shape gets pinned in Day 5 after we've smoke-tested the public Sigstore
+ * Rekor response format.
+ */
+import { readFileSync, writeFileSync } from 'node:fs';
+export const BUNDLE_FORMAT_VERSION = 1;
+const HEX_EVEN = /^(?:[0-9a-f]{2})+$/;
+// Standard base64: A-Z, a-z, 0-9, +, /, with 0-2 trailing '=' for padding.
+// Length must be multiple of 4.
+const BASE64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;
+export class BundleValidationError extends Error {
+    path;
+    constructor(path, message) {
+        super(`${path}: ${message}`);
+        this.path = path;
+        this.name = 'BundleValidationError';
+    }
+}
+function fail(path, message) {
+    throw new BundleValidationError(path, message);
+}
+function isObject(v) {
+    return typeof v === 'object' && v !== null && !Array.isArray(v);
+}
+/**
+ * Type-guard validator for `PassportsignBundle`. Throws
+ * `BundleValidationError` with a structured path on the first issue.
+ */
+export function validateBundle(value) {
+    if (!isObject(value))
+        fail('$', 'bundle must be a JSON object');
+    if (value['bundle_format_version'] !== BUNDLE_FORMAT_VERSION) {
+        fail('$.bundle_format_version', `expected ${BUNDLE_FORMAT_VERSION}, got ${JSON.stringify(value['bundle_format_version'])}`);
+    }
+    const statement = value['statement'];
+    if (typeof statement !== 'string')
+        fail('$.statement', 'must be a string');
+    if (!HEX_EVEN.test(statement)) {
+        fail('$.statement', 'must be lowercase even-length hex (canonical JCS bytes)');
+    }
+    const proofBlob = value['proof_blob'];
+    if (typeof proofBlob !== 'string')
+        fail('$.proof_blob', 'must be a string');
+    if (!BASE64.test(proofBlob)) {
+        fail('$.proof_blob', 'must be standard base64 (A-Z, a-z, 0-9, +, /, = padding)');
+    }
+    const rekor = value['rekor'];
+    if (!isObject(rekor))
+        fail('$.rekor', 'must be an object');
+    const logEntryHash = rekor['log_entry_hash'];
+    if (typeof logEntryHash !== 'string' || logEntryHash.length === 0) {
+        fail('$.rekor.log_entry_hash', 'must be a non-empty string');
+    }
+    if (!('inclusion_proof' in rekor)) {
+        fail('$.rekor.inclusion_proof', 'is required (shape pinned in Day 5)');
+    }
+    const logRootAtSubmission = rekor['log_root_at_submission'];
+    if (typeof logRootAtSubmission !== 'string' || logRootAtSubmission.length === 0) {
+        fail('$.rekor.log_root_at_submission', 'must be a non-empty string');
+    }
+}
+/**
+ * Read and validate a `binding.passportsign.json` file. Throws on
+ * invalid JSON or schema violations.
+ */
+export function readBundle(path) {
+    const raw = readFileSync(path, 'utf8');
+    let parsed;
+    try {
+        parsed = JSON.parse(raw);
+    }
+    catch (err) {
+        throw new BundleValidationError('$', `invalid JSON: ${err instanceof Error ? err.message : String(err)}`);
+    }
+    validateBundle(parsed);
+    return parsed;
+}
+/**
+ * Validate and write a `binding.passportsign.json` file (pretty-printed).
+ */
+export function writeBundle(path, bundle) {
+    validateBundle(bundle);
+    writeFileSync(path, JSON.stringify(bundle, null, 2) + '\n', 'utf8');
+}
+//# sourceMappingURL=bundle.js.map

package/dist/bundle.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bundle.js","sourceRoot":"","sources":["../src/bundle.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,YAAY,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAEtD,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAU,CAAC;AAiBhD,MAAM,QAAQ,GAAG,oBAAoB,CAAC;AACtC,2EAA2E;AAC3E,gCAAgC;AAChC,MAAM,MAAM,GAAG,kEAAkE,CAAC;AAElF,MAAM,OAAO,qBAAsB,SAAQ,KAAK;IAEnC;IADX,YACW,IAAY,EACrB,OAAe;QAEf,KAAK,CAAC,GAAG,IAAI,KAAK,OAAO,EAAE,CAAC,CAAC;QAHpB,SAAI,GAAJ,IAAI,CAAQ;QAIrB,IAAI,CAAC,IAAI,GAAG,uBAAuB,CAAC;IACtC,CAAC;CACF;AAED,SAAS,IAAI,CAAC,IAAY,EAAE,OAAe;IACzC,MAAM,IAAI,qBAAqB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AACjD,CAAC;AAED,SAAS,QAAQ,CAAC,CAAU;IAC1B,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;AAClE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,cAAc,CAAC,KAAc;IAC3C,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,IAAI,CAAC,GAAG,EAAE,8BAA8B,CAAC,CAAC;IAEhE,IAAI,KAAK,CAAC,uBAAuB,CAAC,KAAK,qBAAqB,EAAE,CAAC;QAC7D,IAAI,CACF,yBAAyB,EACzB,YAAY,qBAAqB,SAAS,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,uBAAuB,CAAC,CAAC,EAAE,CAC3F,CAAC;IACJ,CAAC;IAED,MAAM,SAAS,GAAG,KAAK,CAAC,WAAW,CAAC,CAAC;IACrC,IAAI,OAAO,SAAS,KAAK,QAAQ;QAAE,IAAI,CAAC,aAAa,EAAE,kBAAkB,CAAC,CAAC;IAC3E,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9B,IAAI,CAAC,aAAa,EAAE,yDAAyD,CAAC,CAAC;IACjF,CAAC;IAED,MAAM,SAAS,GAAG,KAAK,CAAC,YAAY,CAAC,CAAC;IACtC,IAAI,OAAO,SAAS,KAAK,QAAQ;QAAE,IAAI,CAAC,cAAc,EAAE,kBAAkB,CAAC,CAAC;IAC5E,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QAC5B,IAAI,CAAC,cAAc,EAAE,0DAA0D,CAAC,CAAC;IACnF,CAAC;IAED,MAAM,KAAK,GAAG,KAAK,CAAC,OAAO,CAAC,CAAC;IAC7B,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,IAAI,CAAC,SAAS,EAAE,mBAAmB,CAAC,CAAC;IAE3D,MAAM,YAAY,GAAG,KAAK,CAAC,gBAAgB,CAAC,CAAC;IAC7C,IAAI,OAAO,YAAY,KAAK,QAAQ,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClE,IAAI,CAAC,wBAAwB,EAAE,4BAA4B,CAAC,CAAC;IAC/D,CAAC;IAED,IAAI,CAAC,CAAC,iBAAiB,IAAI,KAAK,CAAC,EAAE,CAAC;QAClC,IAAI,CAAC,yBAAyB,EAAE,qCAAqC,CAAC,CAAC;IACzE,CAAC;IAED,MAAM,mBAAmB,GAAG,KAAK,CAAC,wBAAwB,CAAC,CAAC;IAC5D,IAAI,OAAO,mBAAmB,KAAK,QAAQ,IAAI,mBAAmB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChF,IAAI,CAAC,gCAAgC,EAAE,4BAA4B,CAAC,CAAC;IACvE,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,IAAY;IACrC,MAAM,GAAG,GAAG,YAAY,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IACvC,IAAI,MAAe,CAAC;IACpB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3B,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,qBAAqB,CAC7B,GAAG,EACH,iBAAiB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CACpE,CAAC;IACJ,CAAC;IACD,cAAc,CAAC,MAAM,CAAC,CAAC;IACvB,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,IAAY,EAAE,MAA0B;IAClE,cAAc,CAAC,MAAM,CAAC,CAAC;IACvB,aAAa,CAAC,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,EAAE,MAAM,CAAC,CAAC;AACtE,CAAC"}

package/dist/canonical.d.ts

@@ -0,0 +1,19 @@
+/**
+ * RFC 8785 JCS-canonical UTF-8 bytes for a JSON-serializable value.
+ *
+ * Wraps `@truestamp/canonify` (pinned at exact 1.0.3) and UTF-8 encodes the
+ * resulting string. The fixture-pinned drift test in
+ * `test/canonical.test.ts` guards against silent behavior changes in the
+ * underlying library — JCS implementations have had subtle bugs and this
+ * function's output is the most security-critical artifact in the repo.
+ *
+ * Throws `TypeError` if the value cannot be canonicalized (e.g. undefined,
+ * cycles, non-JSON-serializable types).
+ */
+export declare function canonicalize(value: unknown): Uint8Array;
+/**
+ * Lowercase-hex SHA-256 of `canonicalize(value)`. Used to derive the
+ * Rekor entry hash for the in-toto statement.
+ */
+export declare function canonicalSha256Hex(value: unknown): string;
+//# sourceMappingURL=canonical.d.ts.map

package/dist/canonical.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"canonical.d.ts","sourceRoot":"","sources":["../src/canonical.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;GAWG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,OAAO,GAAG,UAAU,CAQvD;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,CAGzD"}

package/dist/canonical.js

@@ -0,0 +1,30 @@
+import canonify from '@truestamp/canonify';
+import { createHash } from 'node:crypto';
+/**
+ * RFC 8785 JCS-canonical UTF-8 bytes for a JSON-serializable value.
+ *
+ * Wraps `@truestamp/canonify` (pinned at exact 1.0.3) and UTF-8 encodes the
+ * resulting string. The fixture-pinned drift test in
+ * `test/canonical.test.ts` guards against silent behavior changes in the
+ * underlying library — JCS implementations have had subtle bugs and this
+ * function's output is the most security-critical artifact in the repo.
+ *
+ * Throws `TypeError` if the value cannot be canonicalized (e.g. undefined,
+ * cycles, non-JSON-serializable types).
+ */
+export function canonicalize(value) {
+    const canonical = canonify(value);
+    if (canonical === undefined) {
+        throw new TypeError('canonicalize: value cannot be JCS-canonicalized (undefined / cycle / non-JSON)');
+    }
+    return new TextEncoder().encode(canonical);
+}
+/**
+ * Lowercase-hex SHA-256 of `canonicalize(value)`. Used to derive the
+ * Rekor entry hash for the in-toto statement.
+ */
+export function canonicalSha256Hex(value) {
+    const bytes = canonicalize(value);
+    return createHash('sha256').update(bytes).digest('hex');
+}
+//# sourceMappingURL=canonical.js.map

package/dist/canonical.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"canonical.js","sourceRoot":"","sources":["../src/canonical.ts"],"names":[],"mappings":"AAAA,OAAO,QAAQ,MAAM,qBAAqB,CAAC;AAC3C,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,YAAY,CAAC,KAAc;IACzC,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;QAC5B,MAAM,IAAI,SAAS,CACjB,gFAAgF,CACjF,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;AAC7C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,KAAc;IAC/C,MAAM,KAAK,GAAG,YAAY,CAAC,KAAK,CAAC,CAAC;IAClC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC"}

package/dist/dsse.d.ts

@@ -0,0 +1,55 @@
+/**
+ * DSSE (Dead Simple Signing Envelope) envelope builder.
+ *
+ * Per-binding ephemeral ECDSA P-256 key — the private key is discarded
+ * after signing. The DSSE signature is a Rekor schema requirement, not
+ * a trust mechanism. The actual authentication for passportsign comes
+ * from the zkPassport proof + GitHub gist evidence carried inside the
+ * statement's predicate, not from this signature.
+ *
+ * Spec: https://github.com/secure-systems-lab/dsse/blob/master/protocol.md
+ *
+ * Note on key algorithm choice: ECDSA P-256 over SHA-256 is what
+ * Rekor's public instance accepts for intoto v0.0.2 entries. Ed25519
+ * is in the DSSE spec but the public Rekor's verification path rejected
+ * it during the Day 5 smoke test (500 "error generating canonicalized
+ * entry"). See `docs/v0-acceptance.md` Day 5 evidence.
+ */
+export declare const DSSE_VERSION = "DSSEv1";
+export declare const IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json";
+export interface DsseSignature {
+    /** Single-base64 of the raw signature bytes. */
+    sig: string;
+    /** PEM-encoded SubjectPublicKeyInfo. */
+    publicKey: string;
+    /** Optional key identifier. Omit (don't pass empty string) when not set. */
+    keyid?: string;
+}
+export interface DsseEnvelope {
+    /** Media type of the payload (e.g. `application/vnd.in-toto+json`). */
+    payloadType: string;
+    /** Single-base64 of the raw payload bytes. */
+    payload: string;
+    signatures: DsseSignature[];
+}
+/**
+ * DSSE Pre-Authentication Encoding (PAE):
+ *
+ *   "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body
+ *
+ * Where SP is a single 0x20 space, LEN is the ASCII-decimal length of
+ * the following byte string.
+ */
+export declare function pae(type: string, body: Uint8Array): Uint8Array;
+export interface SignEnvelopeResult {
+    envelope: DsseEnvelope;
+    /** PEM of the ephemeral public key (also embedded in envelope.signatures[0].publicKey). */
+    publicKeyPem: string;
+}
+/**
+ * Generate an ephemeral ECDSA P-256 keypair, sign PAE(payloadType,
+ * payload), and return a DSSE envelope. The private key is discarded
+ * before return.
+ */
+export declare function signEnvelope(payload: Uint8Array, payloadType: string): SignEnvelopeResult;
+//# sourceMappingURL=dsse.d.ts.map

package/dist/dsse.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"dsse.d.ts","sourceRoot":"","sources":["../src/dsse.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,eAAO,MAAM,YAAY,WAAW,CAAC;AACrC,eAAO,MAAM,oBAAoB,iCAAiC,CAAC;AAEnE,MAAM,WAAW,aAAa;IAC5B,gDAAgD;IAChD,GAAG,EAAE,MAAM,CAAC;IACZ,wCAAwC;IACxC,SAAS,EAAE,MAAM,CAAC;IAClB,4EAA4E;IAC5E,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,YAAY;IAC3B,uEAAuE;IACvE,WAAW,EAAE,MAAM,CAAC;IACpB,8CAA8C;IAC9C,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,aAAa,EAAE,CAAC;CAC7B;AAED;;;;;;;GAOG;AACH,wBAAgB,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,UAAU,CAQ9D;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,YAAY,CAAC;IACvB,2FAA2F;IAC3F,YAAY,EAAE,MAAM,CAAC;CACtB;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,GAAG,kBAAkB,CAqBzF"}

package/dist/dsse.js

@@ -0,0 +1,64 @@
+/**
+ * DSSE (Dead Simple Signing Envelope) envelope builder.
+ *
+ * Per-binding ephemeral ECDSA P-256 key — the private key is discarded
+ * after signing. The DSSE signature is a Rekor schema requirement, not
+ * a trust mechanism. The actual authentication for passportsign comes
+ * from the zkPassport proof + GitHub gist evidence carried inside the
+ * statement's predicate, not from this signature.
+ *
+ * Spec: https://github.com/secure-systems-lab/dsse/blob/master/protocol.md
+ *
+ * Note on key algorithm choice: ECDSA P-256 over SHA-256 is what
+ * Rekor's public instance accepts for intoto v0.0.2 entries. Ed25519
+ * is in the DSSE spec but the public Rekor's verification path rejected
+ * it during the Day 5 smoke test (500 "error generating canonicalized
+ * entry"). See `docs/v0-acceptance.md` Day 5 evidence.
+ */
+import { createSign, generateKeyPairSync } from 'node:crypto';
+export const DSSE_VERSION = 'DSSEv1';
+export const IN_TOTO_PAYLOAD_TYPE = 'application/vnd.in-toto+json';
+/**
+ * DSSE Pre-Authentication Encoding (PAE):
+ *
+ *   "DSSEv1" SP LEN(type) SP type SP LEN(body) SP body
+ *
+ * Where SP is a single 0x20 space, LEN is the ASCII-decimal length of
+ * the following byte string.
+ */
+export function pae(type, body) {
+    const typeBytes = new TextEncoder().encode(type);
+    const prefix = `${DSSE_VERSION} ${typeBytes.length} ${type} ${body.length} `;
+    const prefixBytes = new TextEncoder().encode(prefix);
+    const out = new Uint8Array(prefixBytes.length + body.length);
+    out.set(prefixBytes);
+    out.set(body, prefixBytes.length);
+    return out;
+}
+/**
+ * Generate an ephemeral ECDSA P-256 keypair, sign PAE(payloadType,
+ * payload), and return a DSSE envelope. The private key is discarded
+ * before return.
+ */
+export function signEnvelope(payload, payloadType) {
+    const { privateKey, publicKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
+    const paeBytes = pae(payloadType, payload);
+    const signer = createSign('SHA256');
+    signer.update(Buffer.from(paeBytes));
+    const sigBuf = signer.sign(privateKey);
+    const publicKeyPem = publicKey.export({ type: 'spki', format: 'pem' });
+    return {
+        envelope: {
+            payloadType,
+            payload: Buffer.from(payload).toString('base64'),
+            signatures: [
+                {
+                    sig: sigBuf.toString('base64'),
+                    publicKey: publicKeyPem,
+                },
+            ],
+        },
+        publicKeyPem,
+    };
+}
+//# sourceMappingURL=dsse.js.map

package/dist/dsse.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"dsse.js","sourceRoot":"","sources":["../src/dsse.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,UAAU,EAAE,mBAAmB,EAAE,MAAM,aAAa,CAAC;AAE9D,MAAM,CAAC,MAAM,YAAY,GAAG,QAAQ,CAAC;AACrC,MAAM,CAAC,MAAM,oBAAoB,GAAG,8BAA8B,CAAC;AAmBnE;;;;;;;GAOG;AACH,MAAM,UAAU,GAAG,CAAC,IAAY,EAAE,IAAgB;IAChD,MAAM,SAAS,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,GAAG,YAAY,IAAI,SAAS,CAAC,MAAM,IAAI,IAAI,IAAI,IAAI,CAAC,MAAM,GAAG,CAAC;IAC7E,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IACrD,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,WAAW,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC7D,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;IACrB,GAAG,CAAC,GAAG,CAAC,IAAI,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC;IAClC,OAAO,GAAG,CAAC;AACb,CAAC;AAQD;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,OAAmB,EAAE,WAAmB;IACnE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,mBAAmB,CAAC,IAAI,EAAE,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,CAAC;IACrF,MAAM,QAAQ,GAAG,GAAG,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;IAC3C,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IACpC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;IACrC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACvC,MAAM,YAAY,GAAG,SAAS,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,CAAW,CAAC;IAEjF,OAAO;QACL,QAAQ,EAAE;YACR,WAAW;YACX,OAAO,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAChD,UAAU,EAAE;gBACV;oBACE,GAAG,EAAE,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC;oBAC9B,SAAS,EAAE,YAAY;iBACxB;aACF;SACF;QACD,YAAY;KACb,CAAC;AACJ,CAAC"}

package/dist/errors.d.ts

@@ -0,0 +1,17 @@
+/**
+ * §4 error vocabulary — the set of failure codes a bind/verify call can
+ * surface to a caller. Verbatim from `docs/passportsign.md` §4.
+ *
+ * Callers should `catch` `PassportsignError` and branch on `.code`. The
+ * `cause` field carries the underlying error (HTTP response body, SDK
+ * error, etc.) for logging — never for client display, since it may
+ * include identifying data.
+ */
+export declare const ERROR_CODES: readonly ["username_invalid", "binding_pending_expired", "gist_not_found", "gist_wrong_content", "gist_wrong_owner", "gist_predates_init", "proof_invalid", "proof_scope_mismatch", "proof_missing_personhood", "log_submission_failed", "internal_error"];
+export type ErrorCode = (typeof ERROR_CODES)[number];
+export declare class PassportsignError extends Error {
+    readonly code: ErrorCode;
+    readonly cause: unknown;
+    constructor(code: ErrorCode, message: string, cause?: unknown);
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,eAAO,MAAM,WAAW,4PAYd,CAAC;AAEX,MAAM,MAAM,SAAS,GAAG,CAAC,OAAO,WAAW,CAAC,CAAC,MAAM,CAAC,CAAC;AAErD,qBAAa,iBAAkB,SAAQ,KAAK;IAC1C,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;IACzB,SAAkB,KAAK,EAAE,OAAO,CAAC;gBAErB,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO;CAM9D"}

package/dist/errors.js

@@ -0,0 +1,33 @@
+/**
+ * §4 error vocabulary — the set of failure codes a bind/verify call can
+ * surface to a caller. Verbatim from `docs/passportsign.md` §4.
+ *
+ * Callers should `catch` `PassportsignError` and branch on `.code`. The
+ * `cause` field carries the underlying error (HTTP response body, SDK
+ * error, etc.) for logging — never for client display, since it may
+ * include identifying data.
+ */
+export const ERROR_CODES = [
+    'username_invalid',
+    'binding_pending_expired',
+    'gist_not_found',
+    'gist_wrong_content',
+    'gist_wrong_owner',
+    'gist_predates_init',
+    'proof_invalid',
+    'proof_scope_mismatch',
+    'proof_missing_personhood',
+    'log_submission_failed',
+    'internal_error',
+];
+export class PassportsignError extends Error {
+    code;
+    cause;
+    constructor(code, message, cause) {
+        super(message);
+        this.name = 'PassportsignError';
+        this.code = code;
+        this.cause = cause;
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,CAAC,MAAM,WAAW,GAAG;IACzB,kBAAkB;IAClB,yBAAyB;IACzB,gBAAgB;IAChB,oBAAoB;IACpB,kBAAkB;IAClB,oBAAoB;IACpB,eAAe;IACf,sBAAsB;IACtB,0BAA0B;IAC1B,uBAAuB;IACvB,gBAAgB;CACR,CAAC;AAIX,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IACjC,IAAI,CAAY;IACP,KAAK,CAAU;IAEjC,YAAY,IAAe,EAAE,OAAe,EAAE,KAAe;QAC3D,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAC;QAChC,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;IACrB,CAAC;CACF"}

package/dist/github.d.ts

@@ -0,0 +1,28 @@
+/**
+ * GitHub gist control check per spec §3 step 5 and §14 "The gist control check."
+ *
+ * The honest semantic claim is: at the moment we checked, the named user
+ * controlled a public gist with the expected filename and content. We
+ * capture `html_url`, `updated_at`, and a SHA-256 of the content so the
+ * evidence is independently re-checkable later (e.g. via the Wayback
+ * Machine).
+ *
+ * The optional `token` is **purely for rate-limit headroom** — it
+ * carries zero special access. Unauth'd: 60 req/hr; with token: 5000.
+ */
+export interface GistEvidence {
+    url: string;
+    content_sha256: string;
+    updated_at: string;
+}
+export interface CheckGistOptions {
+    username: string;
+    expected_filename: string;
+    expected_content: string;
+    not_before: Date;
+    token?: string;
+    fetch?: typeof fetch;
+    baseUrl?: string;
+}
+export declare function checkGistControl(opts: CheckGistOptions): Promise<GistEvidence>;
+//# sourceMappingURL=github.d.ts.map

package/dist/github.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"github.d.ts","sourceRoot":"","sources":["../src/github.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAKH,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,EAAE,MAAM,CAAC;IACjB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,EAAE,IAAI,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AA+BD,wBAAsB,gBAAgB,CAAC,IAAI,EAAE,gBAAgB,GAAG,OAAO,CAAC,YAAY,CAAC,CAsIpF"}

package/dist/github.js

@@ -0,0 +1,113 @@
+/**
+ * GitHub gist control check per spec §3 step 5 and §14 "The gist control check."
+ *
+ * The honest semantic claim is: at the moment we checked, the named user
+ * controlled a public gist with the expected filename and content. We
+ * capture `html_url`, `updated_at`, and a SHA-256 of the content so the
+ * evidence is independently re-checkable later (e.g. via the Wayback
+ * Machine).
+ *
+ * The optional `token` is **purely for rate-limit headroom** — it
+ * carries zero special access. Unauth'd: 60 req/hr; with token: 5000.
+ */
+import { createHash } from 'node:crypto';
+import { PassportsignError } from './errors.js';
+const DEFAULT_BASE_URL = 'https://api.github.com';
+const GIST_LIST_PER_PAGE = 100;
+function sha256Hex(content) {
+    return createHash('sha256').update(content, 'utf8').digest('hex');
+}
+function authHeaders(token) {
+    return {
+        Accept: 'application/vnd.github+json',
+        'X-GitHub-Api-Version': '2022-11-28',
+        'User-Agent': 'passportsign-cli',
+        ...(token ? { Authorization: `Bearer ${token}` } : {}),
+    };
+}
+export async function checkGistControl(opts) {
+    const fetchImpl = opts.fetch ?? globalThis.fetch;
+    const baseUrl = opts.baseUrl ?? DEFAULT_BASE_URL;
+    const headers = authHeaders(opts.token);
+    if (opts.username.length === 0) {
+        throw new PassportsignError('username_invalid', 'username must be non-empty');
+    }
+    // Step 1: list the user's gists, filter by filename.
+    const listUrl = `${baseUrl}/users/${encodeURIComponent(opts.username)}/gists?per_page=${GIST_LIST_PER_PAGE}`;
+    let listResponse;
+    try {
+        listResponse = await fetchImpl(listUrl, { headers });
+    }
+    catch (err) {
+        throw new PassportsignError('internal_error', `GitHub list-gists request failed: ${err instanceof Error ? err.message : String(err)}`, err);
+    }
+    if (listResponse.status === 404) {
+        throw new PassportsignError('username_invalid', `GitHub user '${opts.username}' not found`);
+    }
+    if (!listResponse.ok) {
+        throw new PassportsignError('internal_error', `GitHub list-gists returned HTTP ${listResponse.status}`);
+    }
+    let listBody;
+    try {
+        listBody = await listResponse.json();
+    }
+    catch (err) {
+        throw new PassportsignError('internal_error', 'GitHub list-gists returned non-JSON', err);
+    }
+    if (!Array.isArray(listBody)) {
+        throw new PassportsignError('internal_error', 'GitHub list-gists did not return an array');
+    }
+    const matches = listBody
+        .filter((g) => g && typeof g === 'object' && opts.expected_filename in (g.files ?? {}))
+        .sort((a, b) => (a.updated_at < b.updated_at ? 1 : -1));
+    const match = matches[0];
+    if (!match) {
+        throw new PassportsignError('gist_not_found', `no public gist owned by '${opts.username}' contains file '${opts.expected_filename}'`);
+    }
+    // Step 2: re-fetch the gist by id to get the full content.
+    let detailResponse;
+    try {
+        detailResponse = await fetchImpl(`${baseUrl}/gists/${match.id}`, { headers });
+    }
+    catch (err) {
+        throw new PassportsignError('internal_error', `GitHub get-gist request failed: ${err instanceof Error ? err.message : String(err)}`, err);
+    }
+    if (!detailResponse.ok) {
+        throw new PassportsignError('internal_error', `GitHub get-gist returned HTTP ${detailResponse.status}`);
+    }
+    let detail;
+    try {
+        detail = (await detailResponse.json());
+    }
+    catch (err) {
+        throw new PassportsignError('internal_error', 'GitHub get-gist returned non-JSON', err);
+    }
+    // Step 3: owner check (case-insensitive per spec §10 row 7).
+    const ownerLogin = detail.owner?.login;
+    if (!ownerLogin || ownerLogin.toLowerCase() !== opts.username.toLowerCase()) {
+        throw new PassportsignError('gist_wrong_owner', `gist ${match.id} owner '${ownerLogin ?? 'unknown'}' does not match expected '${opts.username}'`);
+    }
+    // Step 4: content exact match.
+    const file = (detail.files ?? {})[opts.expected_filename];
+    const content = file?.content;
+    if (typeof content !== 'string') {
+        throw new PassportsignError('gist_wrong_content', `gist ${match.id} has no readable content for '${opts.expected_filename}'`);
+    }
+    if (content !== opts.expected_content) {
+        throw new PassportsignError('gist_wrong_content', `gist ${match.id} content does not exactly match the expected nonce`);
+    }
+    // Step 5: freshness — gist's updated_at must be at/after init.
+    const updatedAtMs = Date.parse(detail.updated_at);
+    if (Number.isNaN(updatedAtMs)) {
+        throw new PassportsignError('internal_error', `gist ${match.id} updated_at is unparseable: ${detail.updated_at}`);
+    }
+    if (updatedAtMs < opts.not_before.getTime()) {
+        throw new PassportsignError('gist_predates_init', `gist ${match.id} updated_at (${detail.updated_at}) predates init (${opts.not_before.toISOString()})`);
+    }
+    return {
+        url: detail.html_url,
+        content_sha256: sha256Hex(content),
+        updated_at: detail.updated_at,
+    };
+}
+//# sourceMappingURL=github.js.map

package/dist/github.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"github.js","sourceRoot":"","sources":["../src/github.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC;AA+BhD,MAAM,gBAAgB,GAAG,wBAAwB,CAAC;AAClD,MAAM,kBAAkB,GAAG,GAAG,CAAC;AAE/B,SAAS,SAAS,CAAC,OAAe;IAChC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACpE,CAAC;AAED,SAAS,WAAW,CAAC,KAAyB;IAC5C,OAAO;QACL,MAAM,EAAE,6BAA6B;QACrC,sBAAsB,EAAE,YAAY;QACpC,YAAY,EAAE,kBAAkB;QAChC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,UAAU,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACvD,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,IAAsB;IAC3D,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,IAAI,UAAU,CAAC,KAAK,CAAC;IACjD,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,IAAI,gBAAgB,CAAC;IACjD,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAExC,IAAI,IAAI,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,iBAAiB,CAAC,kBAAkB,EAAE,4BAA4B,CAAC,CAAC;IAChF,CAAC;IAED,qDAAqD;IACrD,MAAM,OAAO,GAAG,GAAG,OAAO,UAAU,kBAAkB,CAAC,IAAI,CAAC,QAAQ,CAAC,mBAAmB,kBAAkB,EAAE,CAAC;IAC7G,IAAI,YAAsB,CAAC;IAC3B,IAAI,CAAC;QACH,YAAY,GAAG,MAAM,SAAS,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;IACvD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,iBAAiB,CACzB,gBAAgB,EAChB,qCAAqC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EACvF,GAAG,CACJ,CAAC;IACJ,CAAC;IAED,IAAI,YAAY,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;QAChC,MAAM,IAAI,iBAAiB,CACzB,kBAAkB,EAClB,gBAAgB,IAAI,CAAC,QAAQ,aAAa,CAC3C,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC;QACrB,MAAM,IAAI,iBAAiB,CACzB,gBAAgB,EAChB,mCAAmC,YAAY,CAAC,MAAM,EAAE,CACzD,CAAC;IACJ,CAAC;IAED,IAAI,QAAiB,CAAC;IACtB,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,CAAC;IACvC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,iBAAiB,CACzB,gBAAgB,EAChB,qCAAqC,EACrC,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,iBAAiB,CACzB,gBAAgB,EAChB,2CAA2C,CAC5C,CAAC;IACJ,CAAC;IAED,MAAM,OAAO,GAAI,QAA0B;SACxC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,IAAI,CAAC,iBAAiB,IAAI,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;SACtF,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAE1D,MAAM,KAAK,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;IACzB,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,iBAAiB,CACzB,gBAAgB,EAChB,4BAA4B,IAAI,CAAC,QAAQ,oBAAoB,IAAI,CAAC,iBAAiB,GAAG,CACvF,CAAC;IACJ,CAAC;IAED,2DAA2D;IAC3D,IAAI,cAAwB,CAAC;IAC7B,IAAI,CAAC;QACH,cAAc,GAAG,MAAM,SAAS,CAAC,GAAG,OAAO,UAAU,KAAK,CAAC,EAAE,EAAE,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;IAChF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,iBAAiB,CACzB,gBAAgB,EAChB,mCAAmC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EACrF,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,cAAc,CAAC,EAAE,EAAE,CAAC;QACvB,MAAM,IAAI,iBAAiB,CACzB,gBAAgB,EAChB,iCAAiC,cAAc,CAAC,MAAM,EAAE,CACzD,CAAC;IACJ,CAAC;IAED,IAAI,MAAmB,CAAC;IACxB,IAAI,CAAC;QACH,MAAM,GAAG,CAAC,MAAM,cAAc,CAAC,IAAI,EAAE,CAAgB,CAAC;IACxD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,iBAAiB,CAAC,gBAAgB,EAAE,mCAAmC,EAAE,GAAG,CAAC,CAAC;IAC1F,CAAC;IAED,6DAA6D;IAC7D,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC;IACvC,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,WAAW,EAAE,KAAK,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC;QAC5E,MAAM,IAAI,iBAAiB,CACzB,kBAAkB,EAClB,QAAQ,KAAK,CAAC,EAAE,WAAW,UAAU,IAAI,SAAS,8BAA8B,IAAI,CAAC,QAAQ,GAAG,CACjG,CAAC;IACJ,CAAC;IAED,+BAA+B;IAC/B,MAAM,IAAI,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAC1D,MAAM,OAAO,GAAG,IAAI,EAAE,OAAO,CAAC;IAC9B,IAAI,OAAO,OAAO,KAAK,QAAQ,EAAE,CAAC;QAChC,MAAM,IAAI,iBAAiB,CACzB,oBAAoB,EACpB,QAAQ,KAAK,CAAC,EAAE,iCAAiC,IAAI,CAAC,iBAAiB,GAAG,CAC3E,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,KAAK,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtC,MAAM,IAAI,iBAAiB,CACzB,oBAAoB,EACpB,QAAQ,KAAK,CAAC,EAAE,oDAAoD,CACrE,CAAC;IACJ,CAAC;IAED,+DAA+D;IAC/D,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IAClD,IAAI,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,iBAAiB,CACzB,gBAAgB,EAChB,QAAQ,KAAK,CAAC,EAAE,+BAA+B,MAAM,CAAC,UAAU,EAAE,CACnE,CAAC;IACJ,CAAC;IACD,IAAI,WAAW,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC;QAC5C,MAAM,IAAI,iBAAiB,CACzB,oBAAoB,EACpB,QAAQ,KAAK,CAAC,EAAE,gBAAgB,MAAM,CAAC,UAAU,oBAAoB,IAAI,CAAC,UAAU,CAAC,WAAW,EAAE,GAAG,CACtG,CAAC;IACJ,CAAC;IAED,OAAO;QACL,GAAG,EAAE,MAAM,CAAC,QAAQ;QACpB,cAAc,EAAE,SAAS,CAAC,OAAO,CAAC;QAClC,UAAU,EAAE,MAAM,CAAC,UAAU;KAC9B,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Public API of @passportsign/core.
+ *
+ * Day 1-2: canonical JCS + in-toto statement + bundle format.
+ * Day 3-4: §4 error vocabulary + nonce + GitHub gist check +
+ *          SQLite cache + bind orchestrator (no Rekor yet).
+ */
+export { canonicalize, canonicalSha256Hex, } from './canonical.js';
+export { IN_TOTO_STATEMENT_TYPE, PASSPORTSIGN_PREDICATE_TYPE, buildStatement, type BuildStatementInput, type DisclosureLevel, type PassportsignPredicate, type PassportsignStatement, } from './statement.js';
+export { BUNDLE_FORMAT_VERSION, BundleValidationError, readBundle, validateBundle, writeBundle, type PassportsignBundle, type RekorBundleFields, } from './bundle.js';
+export { ERROR_CODES, PassportsignError, type ErrorCode, } from './errors.js';
+export { NONCE_BYTES, NONCE_BASE32_LENGTH, base32Encode, generateNonce, } from './nonce.js';
+export { checkGistControl, type CheckGistOptions, type GistEvidence, } from './github.js';
+export { prepareBinding, type PrepareBindingDeps, type PrepareBindingInit, type PrepareBindingInput, type PreparedBinding, } from './bind.js';
+export { DSSE_VERSION, IN_TOTO_PAYLOAD_TYPE, pae, signEnvelope, type DsseEnvelope, type DsseSignature, type SignEnvelopeResult, } from './dsse.js';
+export { DEFAULT_REKOR_BASE_URL, PublicSigstoreRekorClient, buildIntotoEntryBody, type InclusionProof, type PublicSigstoreRekorClientOptions, type RekorClient, type RekorEntryResponse, } from './log/rekor.js';
+export { submitBinding, type SubmitBindingDeps, type SubmitBindingResult, } from './submit.js';
+export { hashLeaf, hashPair, verifyConsistency, verifyInclusion, } from './merkle.js';
+export { packSdkPayload, unpackSdkPayload, type PackedSdkPayload, type SdkPayload, } from './sdk-payload.js';
+export { renderBadgeMarkdown, renderBadgeSvg, type BadgeInput, } from './badge.js';
+export { verifyBundle, type BundleVerifyResult, type CheckResult, type SdkVerifier, type SdkVerifyInput, type SdkVerifyResult, type VerifyBundleDeps, } from './verifier.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,YAAY,EACZ,kBAAkB,GACnB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,sBAAsB,EACtB,2BAA2B,EAC3B,cAAc,EACd,KAAK,mBAAmB,EACxB,KAAK,eAAe,EACpB,KAAK,qBAAqB,EAC1B,KAAK,qBAAqB,GAC3B,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,qBAAqB,EACrB,qBAAqB,EACrB,UAAU,EACV,cAAc,EACd,WAAW,EACX,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,GACvB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,WAAW,EACX,iBAAiB,EACjB,KAAK,SAAS,GACf,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,WAAW,EACX,mBAAmB,EACnB,YAAY,EACZ,aAAa,GACd,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,gBAAgB,EAChB,KAAK,gBAAgB,EACrB,KAAK,YAAY,GAClB,MAAM,aAAa,CAAC;AAQrB,OAAO,EACL,cAAc,EACd,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,EACxB,KAAK,eAAe,GACrB,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,YAAY,EACZ,oBAAoB,EACpB,GAAG,EACH,YAAY,EACZ,KAAK,YAAY,EACjB,KAAK,aAAa,EAClB,KAAK,kBAAkB,GACxB,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,sBAAsB,EACtB,yBAAyB,EACzB,oBAAoB,EACpB,KAAK,cAAc,EACnB,KAAK,gCAAgC,EACrC,KAAK,WAAW,EAChB,KAAK,kBAAkB,GACxB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,aAAa,EACb,KAAK,iBAAiB,EACtB,KAAK,mBAAmB,GACzB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,QAAQ,EACR,QAAQ,EACR,iBAAiB,EACjB,eAAe,GAChB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,cAAc,EACd,gBAAgB,EAChB,KAAK,gBAAgB,EACrB,KAAK,UAAU,GAChB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,mBAAmB,EACnB,cAAc,EACd,KAAK,UAAU,GAChB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,YAAY,EACZ,KAAK,kBAAkB,EACvB,KAAK,WAAW,EAChB,KAAK,WAAW,EAChB,KAAK,cAAc,EACnB,KAAK,eAAe,EACpB,KAAK,gBAAgB,GACtB,MAAM,eAAe,CAAC"}

package/dist/index.js

@@ -0,0 +1,27 @@
+/**
+ * Public API of @passportsign/core.
+ *
+ * Day 1-2: canonical JCS + in-toto statement + bundle format.
+ * Day 3-4: §4 error vocabulary + nonce + GitHub gist check +
+ *          SQLite cache + bind orchestrator (no Rekor yet).
+ */
+export { canonicalize, canonicalSha256Hex, } from './canonical.js';
+export { IN_TOTO_STATEMENT_TYPE, PASSPORTSIGN_PREDICATE_TYPE, buildStatement, } from './statement.js';
+export { BUNDLE_FORMAT_VERSION, BundleValidationError, readBundle, validateBundle, writeBundle, } from './bundle.js';
+export { ERROR_CODES, PassportsignError, } from './errors.js';
+export { NONCE_BYTES, NONCE_BASE32_LENGTH, base32Encode, generateNonce, } from './nonce.js';
+export { checkGistControl, } from './github.js';
+// SQLite cache is intentionally not re-exported from the main entry —
+// `node:sqlite` doesn't bundle cleanly (esbuild strips the `node:` prefix
+// and there's no public `sqlite` npm package by that name). Consumers
+// who need it should import from `@passportsign/core/storage/sqlite`
+// directly. The v0 CLI doesn't use the cache; rebuild is v1 work.
+export { prepareBinding, } from './bind.js';
+export { DSSE_VERSION, IN_TOTO_PAYLOAD_TYPE, pae, signEnvelope, } from './dsse.js';
+export { DEFAULT_REKOR_BASE_URL, PublicSigstoreRekorClient, buildIntotoEntryBody, } from './log/rekor.js';
+export { submitBinding, } from './submit.js';
+export { hashLeaf, hashPair, verifyConsistency, verifyInclusion, } from './merkle.js';
+export { packSdkPayload, unpackSdkPayload, } from './sdk-payload.js';
+export { renderBadgeMarkdown, renderBadgeSvg, } from './badge.js';
+export { verifyBundle, } from './verifier.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EACL,YAAY,EACZ,kBAAkB,GACnB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,sBAAsB,EACtB,2BAA2B,EAC3B,cAAc,GAKf,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,qBAAqB,EACrB,qBAAqB,EACrB,UAAU,EACV,cAAc,EACd,WAAW,GAGZ,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,WAAW,EACX,iBAAiB,GAElB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,WAAW,EACX,mBAAmB,EACnB,YAAY,EACZ,aAAa,GACd,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,gBAAgB,GAGjB,MAAM,aAAa,CAAC;AAErB,sEAAsE;AACtE,0EAA0E;AAC1E,sEAAsE;AACtE,qEAAqE;AACrE,kEAAkE;AAElE,OAAO,EACL,cAAc,GAKf,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,YAAY,EACZ,oBAAoB,EACpB,GAAG,EACH,YAAY,GAIb,MAAM,WAAW,CAAC;AAEnB,OAAO,EACL,sBAAsB,EACtB,yBAAyB,EACzB,oBAAoB,GAKrB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,aAAa,GAGd,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,QAAQ,EACR,QAAQ,EACR,iBAAiB,EACjB,eAAe,GAChB,MAAM,aAAa,CAAC;AAErB,OAAO,EACL,cAAc,EACd,gBAAgB,GAGjB,MAAM,kBAAkB,CAAC;AAE1B,OAAO,EACL,mBAAmB,EACnB,cAAc,GAEf,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,YAAY,GAOb,MAAM,eAAe,CAAC"}