@passportsign/core 0.1.0

package/dist/sdk-payload.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sdk-payload.d.ts","sourceRoot":"","sources":["../src/sdk-payload.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAKH,MAAM,WAAW,UAAU;IACzB,6DAA6D;IAC7D,WAAW,EAAE,MAAM,CAAC;IACpB,oEAAoE;IACpE,MAAM,EAAE,OAAO,EAAE,CAAC;IAClB,8DAA8D;IAC9D,cAAc,EAAE,OAAO,CAAC;IACxB,wDAAwD;IACxD,YAAY,EAAE,OAAO,CAAC;IACtB,yDAAyD;IACzD,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,gBAAgB;IAC/B,4CAA4C;IAC5C,KAAK,EAAE,UAAU,CAAC;IAClB,wEAAwE;IACxE,GAAG,EAAE,MAAM,CAAC;IACZ,uGAAuG;IACvG,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,wBAAgB,cAAc,CAAC,OAAO,EAAE,UAAU,GAAG,gBAAgB,CAKpE;AAED,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,CAkBxD"}

package/dist/sdk-payload.js

@@ -0,0 +1,36 @@
+/**
+ * Pack/unpack the zkPassport SDK inputs that a verifier needs to re-run
+ * proof verification offline.
+ *
+ * Rather than expanding the bundle schema, we re-purpose the existing
+ * `proof_blob` field: it's the base64 of canonical JCS bytes of an
+ * {@link SdkPayload} object. The statement's `proof_blob_sha256` already
+ * binds those bytes to the rest of the binding — Day 5's hash check
+ * carries through.
+ */
+import { createHash } from 'node:crypto';
+import { canonicalize } from './canonical.js';
+export function packSdkPayload(payload) {
+    const bytes = canonicalize(payload);
+    const b64 = Buffer.from(bytes).toString('base64');
+    const sha256Hex = createHash('sha256').update(bytes).digest('hex');
+    return { bytes, b64, sha256Hex };
+}
+export function unpackSdkPayload(b64) {
+    const bytes = Buffer.from(b64, 'base64');
+    const parsed = JSON.parse(bytes.toString('utf8'));
+    // Defensive shape check (cheap; the canonicalize round-trip would already catch shape issues elsewhere).
+    if (typeof parsed['sdk_version'] !== 'string' ||
+        typeof parsed['dev_mode'] !== 'boolean' ||
+        !Array.isArray(parsed['proofs'])) {
+        throw new TypeError('unpackSdkPayload: not a valid SdkPayload shape');
+    }
+    return {
+        sdk_version: parsed['sdk_version'],
+        proofs: parsed['proofs'],
+        original_query: parsed['original_query'],
+        query_result: parsed['query_result'],
+        dev_mode: parsed['dev_mode'],
+    };
+}
+//# sourceMappingURL=sdk-payload.js.map

package/dist/sdk-payload.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sdk-payload.js","sourceRoot":"","sources":["../src/sdk-payload.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAwB9C,MAAM,UAAU,cAAc,CAAC,OAAmB;IAChD,MAAM,KAAK,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;IACpC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAClD,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACnE,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,SAAS,EAAE,CAAC;AACnC,CAAC;AAED,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC1C,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IACzC,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAA4B,CAAC;IAC7E,yGAAyG;IACzG,IACE,OAAO,MAAM,CAAC,aAAa,CAAC,KAAK,QAAQ;QACzC,OAAO,MAAM,CAAC,UAAU,CAAC,KAAK,SAAS;QACvC,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,EAChC,CAAC;QACD,MAAM,IAAI,SAAS,CAAC,gDAAgD,CAAC,CAAC;IACxE,CAAC;IACD,OAAO;QACL,WAAW,EAAE,MAAM,CAAC,aAAa,CAAC;QAClC,MAAM,EAAE,MAAM,CAAC,QAAQ,CAAC;QACxB,cAAc,EAAE,MAAM,CAAC,gBAAgB,CAAC;QACxC,YAAY,EAAE,MAAM,CAAC,cAAc,CAAC;QACpC,QAAQ,EAAE,MAAM,CAAC,UAAU,CAAC;KAC7B,CAAC;AACJ,CAAC"}

package/dist/statement.d.ts

@@ -0,0 +1,67 @@
+/**
+ * in-toto Statement v1 builder for passportsign attestations.
+ *
+ * The statement's canonical JCS bytes are what gets hashed into the
+ * Rekor entry, so this module is the authoritative source for the
+ * statement shape. Test vectors in
+ * `test/fixtures/canonical-vectors.json` pin the canonicalization
+ * output for representative statements built here.
+ */
+export declare const IN_TOTO_STATEMENT_TYPE: "https://in-toto.io/Statement/v1";
+export declare const PASSPORTSIGN_PREDICATE_TYPE: "https://passportsign.dev/personhood/v1";
+export type DisclosureLevel = 'personhood' | 'personhood+country';
+export interface PassportsignPredicate {
+    /** From the zkPassport SDK — deterministic for (passport, domain, scope). */
+    unique_identifier: string;
+    /** ICAO 3-letter code if disclosed, else null. Pass through as-returned by SDK. */
+    issuing_country: string | null;
+    /** Derived from issuing_country (null → personhood, set → personhood+country). */
+    disclosure_level: DisclosureLevel;
+    /** Lowercase hex SHA-256 of the proof blob bytes. */
+    proof_blob_sha256: string;
+    /** Public gist URL captured at binding time. */
+    gist_url: string;
+    /** Lowercase hex SHA-256 of the gist's content bytes. Also the subject digest. */
+    gist_content_sha256: string;
+    /** zkPassport scope (e.g. "passportsign.dev:nationality-disclose:1"). */
+    scope: string;
+    /** Version string from the zkPassport SDK that produced the proof. */
+    zkpassport_sdk_version: string;
+}
+export interface PassportsignStatement {
+    _type: typeof IN_TOTO_STATEMENT_TYPE;
+    subject: Array<{
+        name: string;
+        digest: {
+            sha256: string;
+        };
+    }>;
+    predicateType: typeof PASSPORTSIGN_PREDICATE_TYPE;
+    predicate: PassportsignPredicate;
+}
+export interface BuildStatementInput {
+    github_username: string;
+    unique_identifier: string;
+    issuing_country: string | null;
+    proof_blob_sha256: string;
+    gist_url: string;
+    gist_content_sha256: string;
+    scope: string;
+    zkpassport_sdk_version: string;
+}
+/**
+ * Build a passportsign in-toto Statement v1.
+ *
+ * Invariants enforced here (so the canonical bytes are always well-formed):
+ * - `proof_blob_sha256` and `gist_content_sha256` are lowercase 64-char hex.
+ * - `github_username`, `unique_identifier`, `gist_url`, `scope`,
+ *   `zkpassport_sdk_version` are non-empty.
+ * - `subject[0].digest.sha256 === gist_content_sha256` — the subject digest
+ *   is the artifact whose control was demonstrated (the gist content).
+ * - `disclosure_level` is derived from `issuing_country` and is never
+ *   accepted from the caller.
+ * - There is no `bound_at` field — the Rekor inclusion timestamp is the
+ *   authoritative time of binding.
+ */
+export declare function buildStatement(input: BuildStatementInput): PassportsignStatement;
+//# sourceMappingURL=statement.d.ts.map

package/dist/statement.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"statement.d.ts","sourceRoot":"","sources":["../src/statement.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,eAAO,MAAM,sBAAsB,EAAG,iCAA0C,CAAC;AACjF,eAAO,MAAM,2BAA2B,EACtC,wCAAiD,CAAC;AAEpD,MAAM,MAAM,eAAe,GAAG,YAAY,GAAG,oBAAoB,CAAC;AAElE,MAAM,WAAW,qBAAqB;IACpC,6EAA6E;IAC7E,iBAAiB,EAAE,MAAM,CAAC;IAC1B,mFAAmF;IACnF,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,kFAAkF;IAClF,gBAAgB,EAAE,eAAe,CAAC;IAClC,qDAAqD;IACrD,iBAAiB,EAAE,MAAM,CAAC;IAC1B,gDAAgD;IAChD,QAAQ,EAAE,MAAM,CAAC;IACjB,kFAAkF;IAClF,mBAAmB,EAAE,MAAM,CAAC;IAC5B,yEAAyE;IACzE,KAAK,EAAE,MAAM,CAAC;IACd,sEAAsE;IACtE,sBAAsB,EAAE,MAAM,CAAC;CAChC;AAED,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,OAAO,sBAAsB,CAAC;IACrC,OAAO,EAAE,KAAK,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE;YAAE,MAAM,EAAE,MAAM,CAAA;SAAE,CAAC;KAC5B,CAAC,CAAC;IACH,aAAa,EAAE,OAAO,2BAA2B,CAAC;IAClD,SAAS,EAAE,qBAAqB,CAAC;CAClC;AAED,MAAM,WAAW,mBAAmB;IAClC,eAAe,EAAE,MAAM,CAAC;IACxB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,KAAK,EAAE,MAAM,CAAC;IACd,sBAAsB,EAAE,MAAM,CAAC;CAChC;AAkBD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,mBAAmB,GAAG,qBAAqB,CAgChF"}

package/dist/statement.js

@@ -0,0 +1,67 @@
+/**
+ * in-toto Statement v1 builder for passportsign attestations.
+ *
+ * The statement's canonical JCS bytes are what gets hashed into the
+ * Rekor entry, so this module is the authoritative source for the
+ * statement shape. Test vectors in
+ * `test/fixtures/canonical-vectors.json` pin the canonicalization
+ * output for representative statements built here.
+ */
+export const IN_TOTO_STATEMENT_TYPE = 'https://in-toto.io/Statement/v1';
+export const PASSPORTSIGN_PREDICATE_TYPE = 'https://passportsign.dev/personhood/v1';
+const SHA256_HEX = /^[0-9a-f]{64}$/;
+function assertSha256Hex(value, field) {
+    if (!SHA256_HEX.test(value)) {
+        throw new TypeError(`${field}: expected lowercase 64-char hex SHA-256, got ${JSON.stringify(value)}`);
+    }
+}
+function assertNonEmpty(value, field) {
+    if (value.length === 0) {
+        throw new TypeError(`${field}: must be non-empty`);
+    }
+}
+/**
+ * Build a passportsign in-toto Statement v1.
+ *
+ * Invariants enforced here (so the canonical bytes are always well-formed):
+ * - `proof_blob_sha256` and `gist_content_sha256` are lowercase 64-char hex.
+ * - `github_username`, `unique_identifier`, `gist_url`, `scope`,
+ *   `zkpassport_sdk_version` are non-empty.
+ * - `subject[0].digest.sha256 === gist_content_sha256` — the subject digest
+ *   is the artifact whose control was demonstrated (the gist content).
+ * - `disclosure_level` is derived from `issuing_country` and is never
+ *   accepted from the caller.
+ * - There is no `bound_at` field — the Rekor inclusion timestamp is the
+ *   authoritative time of binding.
+ */
+export function buildStatement(input) {
+    assertSha256Hex(input.proof_blob_sha256, 'proof_blob_sha256');
+    assertSha256Hex(input.gist_content_sha256, 'gist_content_sha256');
+    assertNonEmpty(input.github_username, 'github_username');
+    assertNonEmpty(input.unique_identifier, 'unique_identifier');
+    assertNonEmpty(input.gist_url, 'gist_url');
+    assertNonEmpty(input.scope, 'scope');
+    assertNonEmpty(input.zkpassport_sdk_version, 'zkpassport_sdk_version');
+    const disclosure_level = input.issuing_country === null ? 'personhood' : 'personhood+country';
+    return {
+        _type: IN_TOTO_STATEMENT_TYPE,
+        subject: [
+            {
+                name: `github.com/${input.github_username}`,
+                digest: { sha256: input.gist_content_sha256 },
+            },
+        ],
+        predicateType: PASSPORTSIGN_PREDICATE_TYPE,
+        predicate: {
+            unique_identifier: input.unique_identifier,
+            issuing_country: input.issuing_country,
+            disclosure_level,
+            proof_blob_sha256: input.proof_blob_sha256,
+            gist_url: input.gist_url,
+            gist_content_sha256: input.gist_content_sha256,
+            scope: input.scope,
+            zkpassport_sdk_version: input.zkpassport_sdk_version,
+        },
+    };
+}
+//# sourceMappingURL=statement.js.map

package/dist/statement.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"statement.js","sourceRoot":"","sources":["../src/statement.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,MAAM,CAAC,MAAM,sBAAsB,GAAG,iCAA0C,CAAC;AACjF,MAAM,CAAC,MAAM,2BAA2B,GACtC,wCAAiD,CAAC;AA4CpD,MAAM,UAAU,GAAG,gBAAgB,CAAC;AAEpC,SAAS,eAAe,CAAC,KAAa,EAAE,KAAa;IACnD,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,IAAI,SAAS,CACjB,GAAG,KAAK,iDAAiD,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CACjF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,KAAa,EAAE,KAAa;IAClD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,SAAS,CAAC,GAAG,KAAK,qBAAqB,CAAC,CAAC;IACrD,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,cAAc,CAAC,KAA0B;IACvD,eAAe,CAAC,KAAK,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC;IAC9D,eAAe,CAAC,KAAK,CAAC,mBAAmB,EAAE,qBAAqB,CAAC,CAAC;IAClE,cAAc,CAAC,KAAK,CAAC,eAAe,EAAE,iBAAiB,CAAC,CAAC;IACzD,cAAc,CAAC,KAAK,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAC;IAC7D,cAAc,CAAC,KAAK,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;IAC3C,cAAc,CAAC,KAAK,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IACrC,cAAc,CAAC,KAAK,CAAC,sBAAsB,EAAE,wBAAwB,CAAC,CAAC;IAEvE,MAAM,gBAAgB,GACpB,KAAK,CAAC,eAAe,KAAK,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,oBAAoB,CAAC;IAEvE,OAAO;QACL,KAAK,EAAE,sBAAsB;QAC7B,OAAO,EAAE;YACP;gBACE,IAAI,EAAE,cAAc,KAAK,CAAC,eAAe,EAAE;gBAC3C,MAAM,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,mBAAmB,EAAE;aAC9C;SACF;QACD,aAAa,EAAE,2BAA2B;QAC1C,SAAS,EAAE;YACT,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;YAC1C,eAAe,EAAE,KAAK,CAAC,eAAe;YACtC,gBAAgB;YAChB,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;YAC1C,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,mBAAmB,EAAE,KAAK,CAAC,mBAAmB;YAC9C,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,sBAAsB,EAAE,KAAK,CAAC,sBAAsB;SACrD;KACF,CAAC;AACJ,CAAC"}

package/dist/storage/sqlite.d.ts

@@ -0,0 +1,45 @@
+/**
+ * SQLite cache mirroring spec §5's `bindings` table.
+ *
+ * The cache is **non-authoritative** by design — losing it is an
+ * availability incident, not a security one. The canonical state lives
+ * in Rekor, and `passportsign rebuild` reconstructs the cache from log
+ * entries.
+ *
+ * Uses Node's built-in `node:sqlite` (experimental but functional in
+ * Node 22.5+; stable enough for our single-user CLI use). Avoids the
+ * `better-sqlite3` native-build dependency, which requires Visual
+ * Studio C++ tools on Windows.
+ *
+ * Usernames are normalized to lowercase on insert and read per spec §10
+ * row 7. Display casing is the caller's responsibility.
+ */
+export type Status = 'active' | 'stale' | 'revoked';
+export type DisclosureLevel = 'personhood' | 'personhood+country';
+export interface BindingRow {
+    github_username: string;
+    unique_identifier: string;
+    issuing_country: string | null;
+    disclosure_level: DisclosureLevel;
+    scope: string;
+    zkpassport_sdk_ver: string;
+    proof_blob: Uint8Array;
+    gist_url: string;
+    gist_content_sha256: string;
+    bound_at: string;
+    log_entry_hash: string;
+    log_inclusion_proof: unknown;
+    log_root_at_submission: string;
+    last_checked_at: string;
+    status: Status;
+}
+export interface PassportsignCache {
+    upsertBinding(row: BindingRow): void;
+    getByUsername(username: string): BindingRow | null;
+    getByUniqueIdentifier(uid: string): BindingRow[];
+    setStatus(username: string, status: Status): void;
+    setLastChecked(username: string, when: Date): void;
+    close(): void;
+}
+export declare function openCache(path: string): PassportsignCache;
+//# sourceMappingURL=sqlite.d.ts.map

package/dist/storage/sqlite.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sqlite.d.ts","sourceRoot":"","sources":["../../src/storage/sqlite.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAIH,MAAM,MAAM,MAAM,GAAG,QAAQ,GAAG,OAAO,GAAG,SAAS,CAAC;AACpD,MAAM,MAAM,eAAe,GAAG,YAAY,GAAG,oBAAoB,CAAC;AAElE,MAAM,WAAW,UAAU;IACzB,eAAe,EAAE,MAAM,CAAC;IACxB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,gBAAgB,EAAE,eAAe,CAAC;IAClC,KAAK,EAAE,MAAM,CAAC;IACd,kBAAkB,EAAE,MAAM,CAAC;IAC3B,UAAU,EAAE,UAAU,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,mBAAmB,EAAE,MAAM,CAAC;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,cAAc,EAAE,MAAM,CAAC;IACvB,mBAAmB,EAAE,OAAO,CAAC;IAC7B,sBAAsB,EAAE,MAAM,CAAC;IAC/B,eAAe,EAAE,MAAM,CAAC;IACxB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,iBAAiB;IAChC,aAAa,CAAC,GAAG,EAAE,UAAU,GAAG,IAAI,CAAC;IACrC,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAAC;IACnD,qBAAqB,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU,EAAE,CAAC;IACjD,SAAS,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IAClD,cAAc,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,GAAG,IAAI,CAAC;IACnD,KAAK,IAAI,IAAI,CAAC;CACf;AA6DD,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,iBAAiB,CA4EzD"}

package/dist/storage/sqlite.js

@@ -0,0 +1,132 @@
+/**
+ * SQLite cache mirroring spec §5's `bindings` table.
+ *
+ * The cache is **non-authoritative** by design — losing it is an
+ * availability incident, not a security one. The canonical state lives
+ * in Rekor, and `passportsign rebuild` reconstructs the cache from log
+ * entries.
+ *
+ * Uses Node's built-in `node:sqlite` (experimental but functional in
+ * Node 22.5+; stable enough for our single-user CLI use). Avoids the
+ * `better-sqlite3` native-build dependency, which requires Visual
+ * Studio C++ tools on Windows.
+ *
+ * Usernames are normalized to lowercase on insert and read per spec §10
+ * row 7. Display casing is the caller's responsibility.
+ */
+import { DatabaseSync } from 'node:sqlite';
+const SCHEMA = `
+CREATE TABLE IF NOT EXISTS bindings (
+  github_username        TEXT PRIMARY KEY,
+  unique_identifier      TEXT NOT NULL,
+  issuing_country        TEXT,
+  disclosure_level       TEXT NOT NULL CHECK (disclosure_level IN ('personhood','personhood+country')),
+  scope                  TEXT NOT NULL,
+  zkpassport_sdk_ver     TEXT NOT NULL,
+  proof_blob             BLOB NOT NULL,
+  gist_url               TEXT NOT NULL,
+  gist_content_sha256    TEXT NOT NULL,
+  bound_at               TEXT NOT NULL,
+  log_entry_hash         TEXT NOT NULL UNIQUE,
+  log_inclusion_proof    TEXT NOT NULL,
+  log_root_at_submission TEXT NOT NULL,
+  last_checked_at        TEXT NOT NULL,
+  status                 TEXT NOT NULL DEFAULT 'active' CHECK (status IN ('active','stale','revoked'))
+);
+CREATE INDEX IF NOT EXISTS bindings_unique_identifier ON bindings(unique_identifier);
+`;
+function rowFromDb(r) {
+    return {
+        github_username: r.github_username,
+        unique_identifier: r.unique_identifier,
+        issuing_country: r.issuing_country,
+        disclosure_level: r.disclosure_level,
+        scope: r.scope,
+        zkpassport_sdk_ver: r.zkpassport_sdk_ver,
+        proof_blob: new Uint8Array(r.proof_blob),
+        gist_url: r.gist_url,
+        gist_content_sha256: r.gist_content_sha256,
+        bound_at: r.bound_at,
+        log_entry_hash: r.log_entry_hash,
+        log_inclusion_proof: JSON.parse(r.log_inclusion_proof),
+        log_root_at_submission: r.log_root_at_submission,
+        last_checked_at: r.last_checked_at,
+        status: r.status,
+    };
+}
+export function openCache(path) {
+    const db = new DatabaseSync(path);
+    db.exec('PRAGMA journal_mode = WAL');
+    db.exec(SCHEMA);
+    const upsertStmt = db.prepare(`
+    INSERT INTO bindings (
+      github_username, unique_identifier, issuing_country, disclosure_level,
+      scope, zkpassport_sdk_ver, proof_blob, gist_url, gist_content_sha256,
+      bound_at, log_entry_hash, log_inclusion_proof, log_root_at_submission,
+      last_checked_at, status
+    ) VALUES (
+      :github_username, :unique_identifier, :issuing_country, :disclosure_level,
+      :scope, :zkpassport_sdk_ver, :proof_blob, :gist_url, :gist_content_sha256,
+      :bound_at, :log_entry_hash, :log_inclusion_proof, :log_root_at_submission,
+      :last_checked_at, :status
+    )
+    ON CONFLICT(github_username) DO UPDATE SET
+      unique_identifier      = excluded.unique_identifier,
+      issuing_country        = excluded.issuing_country,
+      disclosure_level       = excluded.disclosure_level,
+      scope                  = excluded.scope,
+      zkpassport_sdk_ver     = excluded.zkpassport_sdk_ver,
+      proof_blob             = excluded.proof_blob,
+      gist_url               = excluded.gist_url,
+      gist_content_sha256    = excluded.gist_content_sha256,
+      bound_at               = excluded.bound_at,
+      log_entry_hash         = excluded.log_entry_hash,
+      log_inclusion_proof    = excluded.log_inclusion_proof,
+      log_root_at_submission = excluded.log_root_at_submission,
+      last_checked_at        = excluded.last_checked_at,
+      status                 = excluded.status
+  `);
+    const getByUsernameStmt = db.prepare(`SELECT * FROM bindings WHERE github_username = ?`);
+    const getByUniqueIdStmt = db.prepare(`SELECT * FROM bindings WHERE unique_identifier = ? ORDER BY bound_at`);
+    const setStatusStmt = db.prepare(`UPDATE bindings SET status = ? WHERE github_username = ?`);
+    const setLastCheckedStmt = db.prepare(`UPDATE bindings SET last_checked_at = ? WHERE github_username = ?`);
+    return {
+        upsertBinding(row) {
+            upsertStmt.run({
+                github_username: row.github_username.toLowerCase(),
+                unique_identifier: row.unique_identifier,
+                issuing_country: row.issuing_country,
+                disclosure_level: row.disclosure_level,
+                scope: row.scope,
+                zkpassport_sdk_ver: row.zkpassport_sdk_ver,
+                proof_blob: row.proof_blob,
+                gist_url: row.gist_url,
+                gist_content_sha256: row.gist_content_sha256,
+                bound_at: row.bound_at,
+                log_entry_hash: row.log_entry_hash,
+                log_inclusion_proof: JSON.stringify(row.log_inclusion_proof),
+                log_root_at_submission: row.log_root_at_submission,
+                last_checked_at: row.last_checked_at,
+                status: row.status,
+            });
+        },
+        getByUsername(username) {
+            const r = getByUsernameStmt.get(username.toLowerCase());
+            return r ? rowFromDb(r) : null;
+        },
+        getByUniqueIdentifier(uid) {
+            const rows = getByUniqueIdStmt.all(uid);
+            return rows.map(rowFromDb);
+        },
+        setStatus(username, status) {
+            setStatusStmt.run(status, username.toLowerCase());
+        },
+        setLastChecked(username, when) {
+            setLastCheckedStmt.run(when.toISOString(), username.toLowerCase());
+        },
+        close() {
+            db.close();
+        },
+    };
+}
+//# sourceMappingURL=sqlite.js.map

package/dist/storage/sqlite.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sqlite.js","sourceRoot":"","sources":["../../src/storage/sqlite.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAgC3C,MAAM,MAAM,GAAG;;;;;;;;;;;;;;;;;;;CAmBd,CAAC;AAoBF,SAAS,SAAS,CAAC,CAAQ;IACzB,OAAO;QACL,eAAe,EAAE,CAAC,CAAC,eAAe;QAClC,iBAAiB,EAAE,CAAC,CAAC,iBAAiB;QACtC,eAAe,EAAE,CAAC,CAAC,eAAe;QAClC,gBAAgB,EAAE,CAAC,CAAC,gBAAgB;QACpC,KAAK,EAAE,CAAC,CAAC,KAAK;QACd,kBAAkB,EAAE,CAAC,CAAC,kBAAkB;QACxC,UAAU,EAAE,IAAI,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC;QACxC,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,mBAAmB,EAAE,CAAC,CAAC,mBAAmB;QAC1C,QAAQ,EAAE,CAAC,CAAC,QAAQ;QACpB,cAAc,EAAE,CAAC,CAAC,cAAc;QAChC,mBAAmB,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,mBAAmB,CAAC;QACtD,sBAAsB,EAAE,CAAC,CAAC,sBAAsB;QAChD,eAAe,EAAE,CAAC,CAAC,eAAe;QAClC,MAAM,EAAE,CAAC,CAAC,MAAM;KACjB,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,SAAS,CAAC,IAAY;IACpC,MAAM,EAAE,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC;IAClC,EAAE,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;IACrC,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAEhB,MAAM,UAAU,GAAG,EAAE,CAAC,OAAO,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2B7B,CAAC,CAAC;IACH,MAAM,iBAAiB,GAAG,EAAE,CAAC,OAAO,CAAC,kDAAkD,CAAC,CAAC;IACzF,MAAM,iBAAiB,GAAG,EAAE,CAAC,OAAO,CAAC,sEAAsE,CAAC,CAAC;IAC7G,MAAM,aAAa,GAAG,EAAE,CAAC,OAAO,CAAC,0DAA0D,CAAC,CAAC;IAC7F,MAAM,kBAAkB,GAAG,EAAE,CAAC,OAAO,CAAC,mEAAmE,CAAC,CAAC;IAE3G,OAAO;QACL,aAAa,CAAC,GAAG;YACf,UAAU,CAAC,GAAG,CAAC;gBACb,eAAe,EAAE,GAAG,CAAC,eAAe,CAAC,WAAW,EAAE;gBAClD,iBAAiB,EAAE,GAAG,CAAC,iBAAiB;gBACxC,eAAe,EAAE,GAAG,CAAC,eAAe;gBACpC,gBAAgB,EAAE,GAAG,CAAC,gBAAgB;gBACtC,KAAK,EAAE,GAAG,CAAC,KAAK;gBAChB,kBAAkB,EAAE,GAAG,CAAC,kBAAkB;gBAC1C,UAAU,EAAE,GAAG,CAAC,UAAU;gBAC1B,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,mBAAmB,EAAE,GAAG,CAAC,mBAAmB;gBAC5C,QAAQ,EAAE,GAAG,CAAC,QAAQ;gBACtB,cAAc,EAAE,GAAG,CAAC,cAAc;gBAClC,mBAAmB,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,mBAAmB,CAAC;gBAC5D,sBAAsB,EAAE,GAAG,CAAC,sBAAsB;gBAClD,eAAe,EAAE,GAAG,CAAC,eAAe;gBACpC,MAAM,EAAE,GAAG,CAAC,MAAM;aACnB,CAAC,CAAC;QACL,CAAC;QACD,aAAa,CAAC,QAAQ;YACpB,MAAM,CAAC,GAAG,iBAAiB,CAAC,GAAG,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAiC,CAAC;YACxF,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;QACjC,CAAC;QACD,qBAAqB,CAAC,GAAG;YACvB,MAAM,IAAI,GAAG,iBAAiB,CAAC,GAAG,CAAC,GAAG,CAAuB,CAAC;YAC9D,OAAO,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAC7B,CAAC;QACD,SAAS,CAAC,QAAQ,EAAE,MAAM;YACxB,aAAa,CAAC,GAAG,CAAC,MAAM,EAAE,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC;QACpD,CAAC;QACD,cAAc,CAAC,QAAQ,EAAE,IAAI;YAC3B,kBAAkB,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,QAAQ,CAAC,WAAW,EAAE,CAAC,CAAC;QACrE,CAAC;QACD,KAAK;YACH,EAAE,CAAC,KAAK,EAAE,CAAC;QACb,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/submit.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Submit a {@link PreparedBinding} to a Rekor log and assemble the
+ * resulting {@link PassportsignBundle}.
+ *
+ * Composes the DSSE envelope step (with ephemeral ECDSA P-256 key)
+ * with a {@link RekorClient}. Day 7 calls this to turn a real-passport
+ * bind into a public-log entry plus a portable bundle.
+ */
+import { type PreparedBinding } from './bind.js';
+import { type PassportsignBundle } from './bundle.js';
+import { type RekorClient, type RekorEntryResponse } from './log/rekor.js';
+export interface SubmitBindingDeps {
+    rekor: RekorClient;
+}
+export interface SubmitBindingResult {
+    bundle: PassportsignBundle;
+    rekorEntry: RekorEntryResponse;
+}
+/**
+ * Sign the canonical statement bytes with an ephemeral ECDSA P-256 key,
+ * submit the in-toto entry to Rekor, and assemble the bundle. Throws
+ * `PassportsignError('log_submission_failed', …)` (from the client) on
+ * any Rekor failure.
+ */
+export declare function submitBinding(prepared: PreparedBinding, deps: SubmitBindingDeps): Promise<SubmitBindingResult>;
+//# sourceMappingURL=submit.d.ts.map

package/dist/submit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"submit.d.ts","sourceRoot":"","sources":["../src/submit.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,KAAK,eAAe,EAAE,MAAM,WAAW,CAAC;AACjD,OAAO,EAEL,KAAK,kBAAkB,EAExB,MAAM,aAAa,CAAC;AAErB,OAAO,EAAE,KAAK,WAAW,EAAE,KAAK,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAE3E,MAAM,WAAW,iBAAiB;IAChC,KAAK,EAAE,WAAW,CAAC;CACpB;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,kBAAkB,CAAC;IAC3B,UAAU,EAAE,kBAAkB,CAAC;CAChC;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,eAAe,EACzB,IAAI,EAAE,iBAAiB,GACtB,OAAO,CAAC,mBAAmB,CAAC,CAiB9B"}

package/dist/submit.js

@@ -0,0 +1,35 @@
+/**
+ * Submit a {@link PreparedBinding} to a Rekor log and assemble the
+ * resulting {@link PassportsignBundle}.
+ *
+ * Composes the DSSE envelope step (with ephemeral ECDSA P-256 key)
+ * with a {@link RekorClient}. Day 7 calls this to turn a real-passport
+ * bind into a public-log entry plus a portable bundle.
+ */
+import {} from './bind.js';
+import { BUNDLE_FORMAT_VERSION, validateBundle, } from './bundle.js';
+import { IN_TOTO_PAYLOAD_TYPE, signEnvelope } from './dsse.js';
+import {} from './log/rekor.js';
+/**
+ * Sign the canonical statement bytes with an ephemeral ECDSA P-256 key,
+ * submit the in-toto entry to Rekor, and assemble the bundle. Throws
+ * `PassportsignError('log_submission_failed', …)` (from the client) on
+ * any Rekor failure.
+ */
+export async function submitBinding(prepared, deps) {
+    const { envelope } = signEnvelope(prepared.statement_canonical, IN_TOTO_PAYLOAD_TYPE);
+    const rekorEntry = await deps.rekor.submitIntoto(envelope);
+    const bundle = {
+        bundle_format_version: BUNDLE_FORMAT_VERSION,
+        statement: Buffer.from(prepared.statement_canonical).toString('hex'),
+        proof_blob: prepared.proof_blob_b64,
+        rekor: {
+            log_entry_hash: rekorEntry.uuid,
+            inclusion_proof: rekorEntry.verification.inclusionProof,
+            log_root_at_submission: rekorEntry.verification.inclusionProof.rootHash,
+        },
+    };
+    validateBundle(bundle);
+    return { bundle, rekorEntry };
+}
+//# sourceMappingURL=submit.js.map

package/dist/submit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"submit.js","sourceRoot":"","sources":["../src/submit.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAwB,MAAM,WAAW,CAAC;AACjD,OAAO,EACL,qBAAqB,EAErB,cAAc,GACf,MAAM,aAAa,CAAC;AACrB,OAAO,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAC/D,OAAO,EAA6C,MAAM,gBAAgB,CAAC;AAW3E;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,QAAyB,EACzB,IAAuB;IAEvB,MAAM,EAAE,QAAQ,EAAE,GAAG,YAAY,CAAC,QAAQ,CAAC,mBAAmB,EAAE,oBAAoB,CAAC,CAAC;IACtF,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IAE3D,MAAM,MAAM,GAAuB;QACjC,qBAAqB,EAAE,qBAAqB;QAC5C,SAAS,EAAE,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,mBAAmB,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC;QACpE,UAAU,EAAE,QAAQ,CAAC,cAAc;QACnC,KAAK,EAAE;YACL,cAAc,EAAE,UAAU,CAAC,IAAI;YAC/B,eAAe,EAAE,UAAU,CAAC,YAAY,CAAC,cAAc;YACvD,sBAAsB,EAAE,UAAU,CAAC,YAAY,CAAC,cAAc,CAAC,QAAQ;SACxE;KACF,CAAC;IACF,cAAc,CAAC,MAAM,CAAC,CAAC;IAEvB,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC;AAChC,CAAC"}

package/dist/verifier.d.ts

@@ -0,0 +1,74 @@
+/**
+ * Bundle verifier — the trust anchor for everyone who is not us.
+ *
+ * Day 6 scope: structural integrity (statement hash matches Rekor's
+ * recorded payloadHash), Merkle inclusion proof against the captured
+ * root, and log-root consistency between the captured root and the
+ * current witnessed root.
+ *
+ * Day 7 scope (deferred): SDK proof verification. Requires a
+ * bundle-schema extension to carry SDK inputs (proofs array,
+ * originalQuery, queryResult). For now `sdk_proof` reports
+ * `'pending_day_7'`.
+ */
+import { type PassportsignBundle } from './bundle.js';
+import { type RekorClient } from './log/rekor.js';
+export type CheckResult = 'pass' | 'fail' | 'skipped';
+export interface BundleVerifyResult {
+    /**
+     * Statement bytes in the bundle hash to the `payloadHash` Rekor recorded
+     * for the entry.
+     */
+    hash_match: CheckResult;
+    /**
+     * The captured inclusion proof verifies the Rekor entry's leaf hash
+     * against the captured root.
+     */
+    inclusion_proof: CheckResult;
+    /**
+     * The captured root is a prefix of the current witnessed root (the log
+     * has not been rewritten in a way that orphans our entry). Skipped when
+     * no rekor client is provided.
+     */
+    root_consistency: CheckResult;
+    /**
+     * SDK proof verification. `'skipped'` when no SDK verifier is injected.
+     * `'pass'` when the SDK validates the proofs AND the returned
+     * uniqueIdentifier matches the statement's predicate.
+     */
+    sdk_proof: CheckResult;
+    /**
+     * `'pass'` only when every enabled check passes; `'fail'` if any check
+     * fails; `'pending'` when one or more checks are `'skipped'`.
+     */
+    overall: 'pass' | 'fail' | 'pending';
+    errors: string[];
+}
+export interface SdkVerifyInput {
+    proofs: unknown[];
+    originalQuery: unknown;
+    queryResult: unknown;
+    scope?: string;
+    devMode?: boolean;
+}
+export interface SdkVerifyResult {
+    verified: boolean;
+    uniqueIdentifier: string | undefined;
+}
+export interface SdkVerifier {
+    verify(input: SdkVerifyInput): Promise<SdkVerifyResult>;
+}
+export interface VerifyBundleDeps {
+    /** Inject a Rekor client to enable hash_match / inclusion / consistency checks. */
+    rekor?: RekorClient;
+    /** Inject a zkPassport SDK verifier to enable the sdk_proof check. */
+    sdkVerifier?: SdkVerifier;
+}
+/**
+ * Verify a passportsign bundle. Online checks (hash_match, inclusion_proof,
+ * root_consistency) require a {@link RekorClient}; without one they are
+ * marked `'skipped'`. SDK proof verification is Day 7 work and currently
+ * always returns `'pending_day_7'`.
+ */
+export declare function verifyBundle(bundle: PassportsignBundle, deps?: VerifyBundleDeps): Promise<BundleVerifyResult>;
+//# sourceMappingURL=verifier.d.ts.map

package/dist/verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../src/verifier.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH,OAAO,EAAE,KAAK,kBAAkB,EAAkB,MAAM,aAAa,CAAC;AACtE,OAAO,EAAE,KAAK,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAIlD,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;AAEtD,MAAM,WAAW,kBAAkB;IACjC;;;OAGG;IACH,UAAU,EAAE,WAAW,CAAC;IACxB;;;OAGG;IACH,eAAe,EAAE,WAAW,CAAC;IAC7B;;;;OAIG;IACH,gBAAgB,EAAE,WAAW,CAAC;IAC9B;;;;OAIG;IACH,SAAS,EAAE,WAAW,CAAC;IACvB;;;OAGG;IACH,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAC;IACrC,MAAM,EAAE,MAAM,EAAE,CAAC;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,OAAO,EAAE,CAAC;IAClB,aAAa,EAAE,OAAO,CAAC;IACvB,WAAW,EAAE,OAAO,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,QAAQ,EAAE,OAAO,CAAC;IAClB,gBAAgB,EAAE,MAAM,GAAG,SAAS,CAAC;CACtC;AAED,MAAM,WAAW,WAAW;IAC1B,MAAM,CAAC,KAAK,EAAE,cAAc,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;CACzD;AAED,MAAM,WAAW,gBAAgB;IAC/B,mFAAmF;IACnF,KAAK,CAAC,EAAE,WAAW,CAAC;IACpB,sEAAsE;IACtE,WAAW,CAAC,EAAE,WAAW,CAAC;CAC3B;AA+BD;;;;;GAKG;AACH,wBAAsB,YAAY,CAChC,MAAM,EAAE,kBAAkB,EAC1B,IAAI,GAAE,gBAAqB,GAC1B,OAAO,CAAC,kBAAkB,CAAC,CAoI7B"}