@sentropic/h2a 0.11.0 → 0.12.0
- package/dist/index.d.ts +2 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +1 -0
- package/dist/index.js.map +1 -1
- package/dist/nhi-export.d.ts +97 -0
- package/dist/nhi-export.d.ts.map +1 -0
- package/dist/nhi-export.js +94 -0
- package/dist/nhi-export.js.map +1 -0
- package/package.json +1 -1
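--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -23,6 +23,8 @@ export { H2A_HOST_BRIDGE_CLAUSES, H2A_HOST_BRIDGE_PROFILES, auditHostBridge, get
 export type { H2AHostBridgeAuditResult, H2AHostBridgeAuthBoundaryClause, H2AHostBridgeClause, H2AHostBridgeDisclosureClause, H2AHostBridgeIdentityClause, H2AHostBridgeLifecycleClause, H2AHostBridgeProfileDescriptor, H2AHostBridgeProfileId, H2AHostBridgeResourceLimitsClause } from "./h2a-bridge.js";
 export { H2A_NHI_ATTESTATION_BODY_KIND, H2A_NHI_DEFAULT_LONG_LIVED_KEY_DAYS, H2A_NHI_RISK_IDS, auditNhiPosture, nhiAttestationEnvelope, nhiInventory, nhiKeyFingerprint } from "./nhi.js";
 export type { H2ANhiAttestationActor, H2ANhiAttestationBody, H2ANhiFinding, H2ANhiInstanceInventory, H2ANhiInstanceSnapshot, H2ANhiInventory, H2ANhiInventoryInput, H2ANhiInventoryTotals, H2ANhiKeyEventSnapshot, H2ANhiKeyInventory, H2ANhiOffboardSnapshot, H2ANhiPostureInput, H2ANhiPostureReport, H2ANhiPostureSummary, H2ANhiRiskId, H2ANhiSeverity, H2ANhiSubagentInventory, H2ANhiSubagentSnapshot } from "./nhi.js";
+export { H2A_NHI_EXPORT_KEY_USE, H2A_NHI_SPIFFE_PATH_ENCODINGS, nhiSpiffeId, nhiTrustBundle } from "./nhi-export.js";
+export type { H2ANhiTrustBundle, H2ANhiTrustBundleInput, H2ANhiTrustBundleKey } from "./nhi-export.js";
 export { H2A_BLOCKAGE_BODY_KIND, H2A_BLOCKAGE_CLEARED_BODY_KIND, blockageEnvelope, isActiveBlockage } from "./blockage.js";
 export type { H2ABlockage, H2ABlockageBody } from "./blockage.js";
 export { assertValidNegotiationState } from "./negotiation.js";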
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,0BAA0B,EAC1B,iBAAiB,EACjB,sBAAsB,EACtB,0BAA0B,EAC1B,kBAAkB,EACnB,MAAM,UAAU,CAAC;AAClB,YAAY,EACV,qBAAqB,EACrB,+BAA+B,EAC/B,2BAA2B,EAC3B,8BAA8B,EAC9B,aAAa,EACb,4BAA4B,EAC5B,cAAc,EACd,WAAW,EACZ,MAAM,UAAU,CAAC;AAClB,OAAO,EACL,wBAAwB,EACxB,qBAAqB,EACrB,iBAAiB,EACjB,oBAAoB,EACrB,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EACV,oBAAoB,EACpB,2BAA2B,EAC3B,mBAAmB,EACnB,wBAAwB,EACxB,0BAA0B,EAC1B,iCAAiC,EACjC,gCAAgC,EACjC,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,6BAA6B,EAC7B,8BAA8B,EAC9B,gCAAgC,EAChC,0BAA0B,EAC1B,2BAA2B,EAC5B,MAAM,0BAA0B,CAAC;AAClC,YAAY,EACV,mCAAmC,EACnC,2BAA2B,EAC3B,0BAA0B,EAC1B,2BAA2B,EAC5B,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,2CAA2C,EAC3C,8BAA8B,EAC9B,2BAA2B,EAC3B,4BAA4B,EAC5B,0BAA0B,EAC3B,MAAM,wBAAwB,CAAC;AAChC,YAAY,EACV,8BAA8B,EAC9B,sCAAsC,EACtC,oCAAoC,EACpC,uBAAuB,EACxB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,oCAAoC,EACpC,oBAAoB,EACpB,uBAAuB,EACvB,sBAAsB,EACtB,oBAAoB,EACrB,MAAM,iBAAiB,CAAC;AACzB,YAAY,EACV,wBAAwB,EACxB,gCAAgC,EAChC,iBAAiB,EACjB,8BAA8B,EAC/B,MAAM,iBAAiB,CAAC;AACzB,OAAO,EACL,kCAAkC,EAClC,qBAAqB,EACrB,mBAAmB,EACnB,oBAAoB,EACpB,kBAAkB,EACnB,MAAM,eAAe,CAAC;AACvB,YAAY,EACV,sBAAsB,EACtB,8BAA8B,EAC9B,4BAA4B,EAC5B,gBAAgB,EACjB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,uBAAuB,EACvB,8CAA8C,EAC9C,iCAAiC,EACjC,+BAA+B,EAC/B,6BAA6B,EAC9B,MAAM,4BAA4B,CAAC;AACpC,YAAY,EACV,oBAAoB,EACpB,iCAAiC,EACjC,yCAAyC,EACzC,uCAAuC,EACxC,MAAM,4BAA4B,CAAC;AACpC,OAAO,EACL,sCAAsC,EACtC,sBAAsB,EACtB,yBAAyB,EACzB,wBAAwB,EACxB,sBAAsB,EACvB,MAAM,mBAAmB,CAAC;AAC3B,YAAY,EACV,0BAA0B,EAC1B,kCAAkC,EAClC,mBAAmB,EACnB,gCAAgC,EACjC,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,cAAc,EACd,aAAa,EACb,YAAY,EACZ,uBAAuB,EACxB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,sBAAsB,EACtB,iBAAiB,EAClB,MAAM,aAAa,CAAC;AACrB,YAAY,EACV,mBAAmB,EACnB,cAAc,EACd,cAAc,EACd,kBAAkB,EACnB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,yBAAyB,EACzB,6BAA6B,EAC7B,yCAAyC,EACzC,+BAA+B,EAC/B,kBAAkB,EAClB,iBAAiB,EACjB,UAAU,EACV,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EAClB,
MAAM,cAAc,CAAC;AACtB,YAAY,EACV,gBAAgB,EAChB,UAAU,EACV,uBAAuB,EACvB,mBAAmB,EACnB,2BAA2B,EAC3B,eAAe,EACf,eAAe,EACf,cAAc,EACd,eAAe,EACf,aAAa,EACd,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,uBAAuB,EACvB,wBAAwB,EACxB,eAAe,EACf,oBAAoB,EACpB,sBAAsB,EACvB,MAAM,iBAAiB,CAAC;AACzB,YAAY,EACV,wBAAwB,EACxB,+BAA+B,EAC/B,mBAAmB,EACnB,6BAA6B,EAC7B,2BAA2B,EAC3B,4BAA4B,EAC5B,8BAA8B,EAC9B,sBAAsB,EACtB,iCAAiC,EAClC,MAAM,iBAAiB,CAAC;AACzB,OAAO,EACL,6BAA6B,EAC7B,mCAAmC,EACnC,gBAAgB,EAChB,eAAe,EACf,sBAAsB,EACtB,YAAY,EACZ,iBAAiB,EAClB,MAAM,UAAU,CAAC;AAClB,YAAY,EACV,sBAAsB,EACtB,qBAAqB,EACrB,aAAa,EACb,uBAAuB,EACvB,sBAAsB,EACtB,eAAe,EACf,oBAAoB,EACpB,qBAAqB,EACrB,sBAAsB,EACtB,kBAAkB,EAClB,sBAAsB,EACtB,kBAAkB,EAClB,mBAAmB,EACnB,oBAAoB,EACpB,YAAY,EACZ,cAAc,EACd,uBAAuB,EACvB,sBAAsB,EACvB,MAAM,UAAU,CAAC;AAClB,OAAO,EACL,sBAAsB,EACtB,8BAA8B,EAC9B,gBAAgB,EAChB,gBAAgB,EACjB,MAAM,eAAe,CAAC;AACvB,YAAY,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAClE,OAAO,EAAE,2BAA2B,EAAE,MAAM,kBAAkB,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAChE,YAAY,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EACL,kBAAkB,EAClB,kBAAkB,EAClB,6BAA6B,EAC7B,kBAAkB,EACnB,MAAM,cAAc,CAAC;AACtB,YAAY,EACV,eAAe,EACf,iBAAiB,EACjB,sBAAsB,EACvB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,WAAW,EACX,WAAW,EACX,UAAU,EACV,iBAAiB,EACjB,YAAY,EACZ,SAAS,EACT,QAAQ,EACR,WAAW,EACZ,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,oBAAoB,EACpB,yBAAyB,EACzB,mBAAmB,EACpB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,iCAAiC,EACjC,mCAAmC,EACnC,wBAAwB,EACxB,6BAA6B,EAC9B,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EACV,sBAAsB,EACtB,iCAAiC,EACjC,0BAA0B,EAC1B,6BAA6B,EAC7B,uCAAuC,EACxC,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,8BAA8B,EAC9B,uBAAuB,EACvB,8BAA8B,EAC9B,uBAAuB,EACxB,MAAM,iBAAiB,CAAC;AACzB,YAAY,EACV,0BAA0B,EAC1B,oBAAoB,EACpB,uBAAuB,EACvB,2BAA2B,EAC3B,2BAA2B,EAC3B,0BAA0B,EAC1B,6BAA6B,EAC9B,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAC7D,YAAY,EAAE,gCAAgC,EAAE,MAAM,qBAAqB,CAAC;AAC5E,OAAO,EACL,0BAA0B,EAC1B,iBAAiB,EACjB,oBAAoB,EACpB,gBAAgB,EAChB,eAAe,EACf,uB
AAuB,EACxB,MAAM,gBAAgB,CAAC;AACxB,YAAY,EACV,kBAAkB,EAClB,qBAAqB,EACrB,0BAA0B,EAC3B,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,kBAAkB,EAClB,sBAAsB,EACtB,yBAAyB,EACzB,YAAY,EACZ,SAAS,EACT,WAAW,EACZ,MAAM,YAAY,CAAC;AACpB,YAAY,EACV,WAAW,EACX,oBAAoB,EACpB,YAAY,EACZ,eAAe,EACf,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACX,kBAAkB,EAClB,aAAa,EACb,WAAW,EACX,eAAe,EACf,UAAU,EACV,oBAAoB,EACpB,mBAAmB,EACnB,SAAS,EACT,qBAAqB,EACrB,OAAO,EACP,YAAY,EACb,MAAM,YAAY,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,0BAA0B,EAC1B,iBAAiB,EACjB,sBAAsB,EACtB,0BAA0B,EAC1B,kBAAkB,EACnB,MAAM,UAAU,CAAC;AAClB,YAAY,EACV,qBAAqB,EACrB,+BAA+B,EAC/B,2BAA2B,EAC3B,8BAA8B,EAC9B,aAAa,EACb,4BAA4B,EAC5B,cAAc,EACd,WAAW,EACZ,MAAM,UAAU,CAAC;AAClB,OAAO,EACL,wBAAwB,EACxB,qBAAqB,EACrB,iBAAiB,EACjB,oBAAoB,EACrB,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EACV,oBAAoB,EACpB,2BAA2B,EAC3B,mBAAmB,EACnB,wBAAwB,EACxB,0BAA0B,EAC1B,iCAAiC,EACjC,gCAAgC,EACjC,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,6BAA6B,EAC7B,8BAA8B,EAC9B,gCAAgC,EAChC,0BAA0B,EAC1B,2BAA2B,EAC5B,MAAM,0BAA0B,CAAC;AAClC,YAAY,EACV,mCAAmC,EACnC,2BAA2B,EAC3B,0BAA0B,EAC1B,2BAA2B,EAC5B,MAAM,0BAA0B,CAAC;AAClC,OAAO,EACL,2CAA2C,EAC3C,8BAA8B,EAC9B,2BAA2B,EAC3B,4BAA4B,EAC5B,0BAA0B,EAC3B,MAAM,wBAAwB,CAAC;AAChC,YAAY,EACV,8BAA8B,EAC9B,sCAAsC,EACtC,oCAAoC,EACpC,uBAAuB,EACxB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,oCAAoC,EACpC,oBAAoB,EACpB,uBAAuB,EACvB,sBAAsB,EACtB,oBAAoB,EACrB,MAAM,iBAAiB,CAAC;AACzB,YAAY,EACV,wBAAwB,EACxB,gCAAgC,EAChC,iBAAiB,EACjB,8BAA8B,EAC/B,MAAM,iBAAiB,CAAC;AACzB,OAAO,EACL,kCAAkC,EAClC,qBAAqB,EACrB,mBAAmB,EACnB,oBAAoB,EACpB,kBAAkB,EACnB,MAAM,eAAe,CAAC;AACvB,YAAY,EACV,sBAAsB,EACtB,8BAA8B,EAC9B,4BAA4B,EAC5B,gBAAgB,EACjB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,uBAAuB,EACvB,8CAA8C,EAC9C,iCAAiC,EACjC,+BAA+B,EAC/B,6BAA6B,EAC9B,MAAM,4BAA4B,CAAC;AACpC,YAAY,EACV,oBAAoB,EACpB,iCAAiC,EACjC,yCAAyC,EACzC,uCAAuC,EACxC,MAAM,4BAA4B,CAAC;AACpC,OAAO,EACL,sCAAsC,EACtC,sBAAsB,EACtB,yBAAyB,EACzB,wBAAwB,EACxB,sBAAsB,EACvB,MAAM,mBAAmB,CAAC;AAC3B,YAAY,EACV,0BAA0B,EAC1B,kCAAkC,EAClC,mBAAmB,EACnB,gCAAgC,EACjC,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EACL,cAAc,EACd,aAAa,EACb,YAAY,EACZ,uBAAuB,EACxB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,sBAAsB,EACtB,iBAAiB,EAClB,MAAM,aAAa,CAAC;AACrB,YAAY,EACV,mBAAmB,EACnB,cAAc,EACd,cAAc,EACd,kBAAkB,EACnB,MAAM,aAAa,CAAC;AACrB,OAAO,EACL,yBAAyB,EACzB,6BAA6B,EAC7B,yCAAyC,EACzC,+BAA+B,EAC/B,kBAAkB,EAClB,iBAAiB,EACjB,UAAU,EACV,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EAClB,
MAAM,cAAc,CAAC;AACtB,YAAY,EACV,gBAAgB,EAChB,UAAU,EACV,uBAAuB,EACvB,mBAAmB,EACnB,2BAA2B,EAC3B,eAAe,EACf,eAAe,EACf,cAAc,EACd,eAAe,EACf,aAAa,EACd,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,uBAAuB,EACvB,wBAAwB,EACxB,eAAe,EACf,oBAAoB,EACpB,sBAAsB,EACvB,MAAM,iBAAiB,CAAC;AACzB,YAAY,EACV,wBAAwB,EACxB,+BAA+B,EAC/B,mBAAmB,EACnB,6BAA6B,EAC7B,2BAA2B,EAC3B,4BAA4B,EAC5B,8BAA8B,EAC9B,sBAAsB,EACtB,iCAAiC,EAClC,MAAM,iBAAiB,CAAC;AACzB,OAAO,EACL,6BAA6B,EAC7B,mCAAmC,EACnC,gBAAgB,EAChB,eAAe,EACf,sBAAsB,EACtB,YAAY,EACZ,iBAAiB,EAClB,MAAM,UAAU,CAAC;AAClB,YAAY,EACV,sBAAsB,EACtB,qBAAqB,EACrB,aAAa,EACb,uBAAuB,EACvB,sBAAsB,EACtB,eAAe,EACf,oBAAoB,EACpB,qBAAqB,EACrB,sBAAsB,EACtB,kBAAkB,EAClB,sBAAsB,EACtB,kBAAkB,EAClB,mBAAmB,EACnB,oBAAoB,EACpB,YAAY,EACZ,cAAc,EACd,uBAAuB,EACvB,sBAAsB,EACvB,MAAM,UAAU,CAAC;AAClB,OAAO,EACL,sBAAsB,EACtB,6BAA6B,EAC7B,WAAW,EACX,cAAc,EACf,MAAM,iBAAiB,CAAC;AACzB,YAAY,EACV,iBAAiB,EACjB,sBAAsB,EACtB,oBAAoB,EACrB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EACL,sBAAsB,EACtB,8BAA8B,EAC9B,gBAAgB,EAChB,gBAAgB,EACjB,MAAM,eAAe,CAAC;AACvB,YAAY,EAAE,WAAW,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAClE,OAAO,EAAE,2BAA2B,EAAE,MAAM,kBAAkB,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAChE,YAAY,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAClD,OAAO,EACL,kBAAkB,EAClB,kBAAkB,EAClB,6BAA6B,EAC7B,kBAAkB,EACnB,MAAM,cAAc,CAAC;AACtB,YAAY,EACV,eAAe,EACf,iBAAiB,EACjB,sBAAsB,EACvB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,WAAW,EACX,WAAW,EACX,UAAU,EACV,iBAAiB,EACjB,YAAY,EACZ,SAAS,EACT,QAAQ,EACR,WAAW,EACZ,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,oBAAoB,EACpB,yBAAyB,EACzB,mBAAmB,EACpB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,iCAAiC,EACjC,mCAAmC,EACnC,wBAAwB,EACxB,6BAA6B,EAC9B,MAAM,kBAAkB,CAAC;AAC1B,YAAY,EACV,sBAAsB,EACtB,iCAAiC,EACjC,0BAA0B,EAC1B,6BAA6B,EAC7B,uCAAuC,EACxC,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,8BAA8B,EAC9B,uBAAuB,EACvB,8BAA8B,EAC9B,uBAAuB,EACxB,MAAM,iBAAiB,CAAC;AACzB,YAAY,EACV,0BAA0B,EAC1B,oBAAoB,EACpB,uBAAuB,EACvB,2BAA2B,EAC3B,2BAA2B,EAC3B,0BAA0B,EAC1B,6BAA6B,EAC9B,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,sBA
AsB,EAAE,MAAM,qBAAqB,CAAC;AAC7D,YAAY,EAAE,gCAAgC,EAAE,MAAM,qBAAqB,CAAC;AAC5E,OAAO,EACL,0BAA0B,EAC1B,iBAAiB,EACjB,oBAAoB,EACpB,gBAAgB,EAChB,eAAe,EACf,uBAAuB,EACxB,MAAM,gBAAgB,CAAC;AACxB,YAAY,EACV,kBAAkB,EAClB,qBAAqB,EACrB,0BAA0B,EAC3B,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,kBAAkB,EAClB,sBAAsB,EACtB,yBAAyB,EACzB,YAAY,EACZ,SAAS,EACT,WAAW,EACZ,MAAM,YAAY,CAAC;AACpB,YAAY,EACV,WAAW,EACX,oBAAoB,EACpB,YAAY,EACZ,eAAe,EACf,YAAY,EACZ,gBAAgB,EAChB,WAAW,EACX,kBAAkB,EAClB,aAAa,EACb,WAAW,EACX,eAAe,EACf,UAAU,EACV,oBAAoB,EACpB,mBAAmB,EACnB,SAAS,EACT,qBAAqB,EACrB,OAAO,EACP,YAAY,EACb,MAAM,YAAY,CAAC"}
|
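--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -11,6 +11,7 @@ export { H2A_DEFAULT_MAX_AGE_MS, H2A_DEFAULT_MAX_SKEW_MS, checkEnvelopeFreshness
 export { H2A_DEFAULT_STALL_IDLE_MS, H2A_SESSION_DEFAULT_EXPIRY_MS, H2A_SESSION_DEFAULT_HEARTBEAT_INTERVAL_MS, H2A_SESSION_NOTIFICATION_TOPICS, H2A_SESSION_STATES, H2A_WORK_STATUSES, inferStall, isH2ASession, isSessionExpired, pickFreshSessions } from "./session.js";
 export { H2A_HOST_BRIDGE_CLAUSES, H2A_HOST_BRIDGE_PROFILES, auditHostBridge, getHostBridgeProfile, listHostBridgeProfiles } from "./h2a-bridge.js";
 export { H2A_NHI_ATTESTATION_BODY_KIND, H2A_NHI_DEFAULT_LONG_LIVED_KEY_DAYS, H2A_NHI_RISK_IDS, auditNhiPosture, nhiAttestationEnvelope, nhiInventory, nhiKeyFingerprint } from "./nhi.js";
+export { H2A_NHI_EXPORT_KEY_USE, H2A_NHI_SPIFFE_PATH_ENCODINGS, nhiSpiffeId, nhiTrustBundle } from "./nhi-export.js";
 export { H2A_BLOCKAGE_BODY_KIND, H2A_BLOCKAGE_CLEARED_BODY_KIND, blockageEnvelope, isActiveBlockage } from "./blockage.js";
 export { assertValidNegotiationState } from "./negotiation.js";
 export { canonicalize, computeHash } from "./canonical.js";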
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,0BAA0B,EAC1B,iBAAiB,EACjB,sBAAsB,EACtB,0BAA0B,EAC1B,kBAAkB,EACnB,MAAM,UAAU,CAAC;AAWlB,OAAO,EACL,wBAAwB,EACxB,qBAAqB,EACrB,iBAAiB,EACjB,oBAAoB,EACrB,MAAM,kBAAkB,CAAC;AAU1B,OAAO,EACL,6BAA6B,EAC7B,8BAA8B,EAC9B,gCAAgC,EAChC,0BAA0B,EAC1B,2BAA2B,EAC5B,MAAM,0BAA0B,CAAC;AAOlC,OAAO,EACL,2CAA2C,EAC3C,8BAA8B,EAC9B,2BAA2B,EAC3B,4BAA4B,EAC5B,0BAA0B,EAC3B,MAAM,wBAAwB,CAAC;AAOhC,OAAO,EACL,oCAAoC,EACpC,oBAAoB,EACpB,uBAAuB,EACvB,sBAAsB,EACtB,oBAAoB,EACrB,MAAM,iBAAiB,CAAC;AAOzB,OAAO,EACL,kCAAkC,EAClC,qBAAqB,EACrB,mBAAmB,EACnB,oBAAoB,EACpB,kBAAkB,EACnB,MAAM,eAAe,CAAC;AAOvB,OAAO,EACL,uBAAuB,EACvB,8CAA8C,EAC9C,iCAAiC,EACjC,+BAA+B,EAC/B,6BAA6B,EAC9B,MAAM,4BAA4B,CAAC;AAOpC,OAAO,EACL,sCAAsC,EACtC,sBAAsB,EACtB,yBAAyB,EACzB,wBAAwB,EACxB,sBAAsB,EACvB,MAAM,mBAAmB,CAAC;AAO3B,OAAO,EACL,cAAc,EACd,aAAa,EACb,YAAY,EACZ,uBAAuB,EACxB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,sBAAsB,EACtB,iBAAiB,EAClB,MAAM,aAAa,CAAC;AAOrB,OAAO,EACL,yBAAyB,EACzB,6BAA6B,EAC7B,yCAAyC,EACzC,+BAA+B,EAC/B,kBAAkB,EAClB,iBAAiB,EACjB,UAAU,EACV,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EAClB,MAAM,cAAc,CAAC;AAatB,OAAO,EACL,uBAAuB,EACvB,wBAAwB,EACxB,eAAe,EACf,oBAAoB,EACpB,sBAAsB,EACvB,MAAM,iBAAiB,CAAC;AAYzB,OAAO,EACL,6BAA6B,EAC7B,mCAAmC,EACnC,gBAAgB,EAChB,eAAe,EACf,sBAAsB,EACtB,YAAY,EACZ,iBAAiB,EAClB,MAAM,UAAU,CAAC;AAqBlB,OAAO,EACL,sBAAsB,EACtB,8BAA8B,EAC9B,gBAAgB,EAChB,gBAAgB,EACjB,MAAM,eAAe,CAAC;AAEvB,OAAO,EAAE,2BAA2B,EAAE,MAAM,kBAAkB,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEhE,OAAO,EACL,kBAAkB,EAClB,kBAAkB,EAClB,6BAA6B,EAC7B,kBAAkB,EACnB,MAAM,cAAc,CAAC;AAMtB,OAAO,EACL,WAAW,EACX,WAAW,EACX,UAAU,EACV,iBAAiB,EACjB,YAAY,EACZ,SAAS,EACT,QAAQ,EACR,WAAW,EACZ,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,oBAAoB,EACpB,yBAAyB,EACzB,mBAAmB,EACpB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,iCAAiC,EACjC,mCAAmC,EACnC,wBAAwB,EACxB,6BAA6B,EAC9B,MAAM,kBAAkB,CAAC;AAQ1B,OAAO,EACL,8BAA
8B,EAC9B,uBAAuB,EACvB,8BAA8B,EAC9B,uBAAuB,EACxB,MAAM,iBAAiB,CAAC;AAUzB,OAAO,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAE7D,OAAO,EACL,0BAA0B,EAC1B,iBAAiB,EACjB,oBAAoB,EACpB,gBAAgB,EAChB,eAAe,EACf,uBAAuB,EACxB,MAAM,gBAAgB,CAAC;AAMxB,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,kBAAkB,EAClB,sBAAsB,EACtB,yBAAyB,EACzB,YAAY,EACZ,SAAS,EACT,WAAW,EACZ,MAAM,YAAY,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,0BAA0B,EAC1B,iBAAiB,EACjB,sBAAsB,EACtB,0BAA0B,EAC1B,kBAAkB,EACnB,MAAM,UAAU,CAAC;AAWlB,OAAO,EACL,wBAAwB,EACxB,qBAAqB,EACrB,iBAAiB,EACjB,oBAAoB,EACrB,MAAM,kBAAkB,CAAC;AAU1B,OAAO,EACL,6BAA6B,EAC7B,8BAA8B,EAC9B,gCAAgC,EAChC,0BAA0B,EAC1B,2BAA2B,EAC5B,MAAM,0BAA0B,CAAC;AAOlC,OAAO,EACL,2CAA2C,EAC3C,8BAA8B,EAC9B,2BAA2B,EAC3B,4BAA4B,EAC5B,0BAA0B,EAC3B,MAAM,wBAAwB,CAAC;AAOhC,OAAO,EACL,oCAAoC,EACpC,oBAAoB,EACpB,uBAAuB,EACvB,sBAAsB,EACtB,oBAAoB,EACrB,MAAM,iBAAiB,CAAC;AAOzB,OAAO,EACL,kCAAkC,EAClC,qBAAqB,EACrB,mBAAmB,EACnB,oBAAoB,EACpB,kBAAkB,EACnB,MAAM,eAAe,CAAC;AAOvB,OAAO,EACL,uBAAuB,EACvB,8CAA8C,EAC9C,iCAAiC,EACjC,+BAA+B,EAC/B,6BAA6B,EAC9B,MAAM,4BAA4B,CAAC;AAOpC,OAAO,EACL,sCAAsC,EACtC,sBAAsB,EACtB,yBAAyB,EACzB,wBAAwB,EACxB,sBAAsB,EACvB,MAAM,mBAAmB,CAAC;AAO3B,OAAO,EACL,cAAc,EACd,aAAa,EACb,YAAY,EACZ,uBAAuB,EACxB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,sBAAsB,EACtB,uBAAuB,EACvB,sBAAsB,EACtB,iBAAiB,EAClB,MAAM,aAAa,CAAC;AAOrB,OAAO,EACL,yBAAyB,EACzB,6BAA6B,EAC7B,yCAAyC,EACzC,+BAA+B,EAC/B,kBAAkB,EAClB,iBAAiB,EACjB,UAAU,EACV,YAAY,EACZ,gBAAgB,EAChB,iBAAiB,EAClB,MAAM,cAAc,CAAC;AAatB,OAAO,EACL,uBAAuB,EACvB,wBAAwB,EACxB,eAAe,EACf,oBAAoB,EACpB,sBAAsB,EACvB,MAAM,iBAAiB,CAAC;AAYzB,OAAO,EACL,6BAA6B,EAC7B,mCAAmC,EACnC,gBAAgB,EAChB,eAAe,EACf,sBAAsB,EACtB,YAAY,EACZ,iBAAiB,EAClB,MAAM,UAAU,CAAC;AAqBlB,OAAO,EACL,sBAAsB,EACtB,6BAA6B,EAC7B,WAAW,EACX,cAAc,EACf,MAAM,iBAAiB,CAAC;AAMzB,OAAO,EACL,sBAAsB,EACtB,8BAA8B,EAC9B,gBAAgB,EAChB,gBAAgB,EACjB,MAAM,eAAe,CAAC;AAEvB,OAAO,EAAE,2BAA2B,EAAE,MAAM,kBAAkB,CAAC;AAC/D,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,gBAAgB,CAAC;AAC3D,OAAO,EAAE,aAAa,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAC;AAEhE,OAAO,EACL,kBAAkB,EAClB,kBAAkB,EAClB,6BAA6B,EAC7B,kBAAkB,EACnB,MAAM,cAAc,CAAC;AAMtB,OAAO,EACL,WAAW,EACX,WAAW,EACX,UAAU,EACV,iBAAiB,EACjB,YAAY,EACZ,SAAS,EACT,QAAQ,EACR,WAAW,EACZ,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,oBAAoB,EACpB,yBAAyB,EACzB,mBAAmB,EACpB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,iCAAiC,EAC
jC,mCAAmC,EACnC,wBAAwB,EACxB,6BAA6B,EAC9B,MAAM,kBAAkB,CAAC;AAQ1B,OAAO,EACL,8BAA8B,EAC9B,uBAAuB,EACvB,8BAA8B,EAC9B,uBAAuB,EACxB,MAAM,iBAAiB,CAAC;AAUzB,OAAO,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAE7D,OAAO,EACL,0BAA0B,EAC1B,iBAAiB,EACjB,oBAAoB,EACpB,gBAAgB,EAChB,eAAe,EACf,uBAAuB,EACxB,MAAM,gBAAgB,CAAC;AAMxB,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EACnB,kBAAkB,EAClB,sBAAsB,EACtB,yBAAyB,EACzB,YAAY,EACZ,SAAS,EACT,WAAW,EACZ,MAAM,YAAY,CAAC"}
|
|
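--- /dev/null
+++ b/package/dist/nhi-export.d.ts
@@ -0,0 +1,97 @@
+/**
+* NHI P3 (interop) — SPIFFE/SPIRE-compatible **export** primitives. Pure and
+* deterministic, like `nhi.ts`: the caller gathers an instance's active public
+* keys (the keyring) and a trust-domain name and passes them in; this module
+* only transforms them into a SPIFFE-bundle-/JWKS-shaped object and a SPIFFE
+* ID. It owns no I/O, no clock, no network and adds no dependency.
+*
+* Design + sourced SPIFFE facts: `docs/superpowers/specs/2026-05-28-nhi-p3-interop-design.md`.
+* Gate / shortlist: `evaluations/nhi-landscape.md` (§6 #1, SPIFFE-first).
+*
+* Scope honesty: h2a is **not** a SPIRE replacement. It mints no SVIDs and does
+* no node/workload attestation. h2a holds PEM (SPKI) ed25519 *public* keys, not
+* JWK-encoded keys and not X.509/JWT SVIDs. So this is the **trust-anchor**
+* material in a bundle *shape*: the real SPIFFE/RFC-7517 bundle-level fields
+* (`keys`, optional `spiffe_sequence`/`spiffe_refresh_hint`), but each key entry
+* is an h2a-native descriptor (fingerprint as `kid` + the PEM) explicitly tagged
+* so it is not mistaken for an `x509-svid`/`jwt-svid` JWK. PEM→JWK(OKP) encoding,
+* SVID minting and the live HTTPS bundle endpoint are an external connector's job
+* (`../sentropic/`), where a crypto dependency is acceptable; core stays pure.
+*
+* SPIFFE references (verified):
+* - SPIFFE-ID format: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md
+* - Trust Domain & Bundle (JWK Set): https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md
+*/
+/** Honest `use` tag: h2a keys sign h2a envelopes — NOT `x509-svid`/`jwt-svid`. */
+export declare const H2A_NHI_EXPORT_KEY_USE: "h2a-envelope-signing";
+/**
+* Documented, convention-reversible mapping of h2a instance-id characters that
+* are outside the SPIFFE path-segment set `[a-zA-Z0-9._-]`. h2a instance ids use
+* `:` (e.g. `claude:p1`) and subagents use `~` (`parent~name`), neither of which
+* is a legal SPIFFE path char. Open question (see spec): confirm canonical
+* encoding with a DEC before treating it as stable across a real SPIRE consumer.
+*/
+export declare const H2A_NHI_SPIFFE_PATH_ENCODINGS: ReadonlyArray<readonly [string, string]>;
+/**
+* Map an h2a instance id to a spec-valid SPIFFE ID `spiffe://<trust-domain>/<instance>`.
+* The trust domain is validated (lowercase `[a-z0-9._-]`); disallowed instance-id
+* characters are encoded per `H2A_NHI_SPIFFE_PATH_ENCODINGS`. Throws on an
+* empty/invalid trust domain or an instance that cannot map to a legal path
+* segment — keeping outputs well-formed, consistent with `nhi.ts`.
+*
+* SPIFFE-ID.md: scheme MUST be `spiffe`, non-zero trust domain, no
+* query/fragment, no trailing `/`, no percent-encoding.
+*/
+export declare function nhiSpiffeId(trustDomain: string, instance: string): string;
+/**
+* One key entry in an h2a trust-bundle export. JWK-shaped (`kid`/`kty`) so a
+* SPIFFE/JWKS reader recognises the structure, but the key material and `use`
+* are h2a-namespaced because they are NOT a real SVID-backing JWK (see module
+* note). `kid` reuses the existing `nhiKeyFingerprint` (RFC 7517 key id).
+*/
+export interface H2ANhiTrustBundleKey {
+/** RFC 7517 `kid`: the stable, non-reversible 12-char key fingerprint. */
+readonly kid: string;
+/** RFC 7517 `kty`: ed25519 is an OKP key (RFC 8037). */
+readonly kty: "OKP";
+/** h2a-native: the actual PEM (SPKI) public key — the trust-anchor material. */
+readonly h2a_public_key_pem: string;
+/** Honest tag: not `x509-svid`/`jwt-svid`; h2a keys sign h2a envelopes. */
+readonly h2a_use: typeof H2A_NHI_EXPORT_KEY_USE;
+}
+/**
+* A SPIFFE-trust-bundle-/JWKS-shaped export for one h2a instance. `keys` and the
+* optional `spiffe_sequence`/`spiffe_refresh_hint` are the real SPIFFE bundle
+* field names (Trust Domain & Bundle md); `spiffe_id`/`trust_domain` are added
+* for convenience so a consumer/connector has the owning identity inline.
+*/
+export interface H2ANhiTrustBundle {
+/** Convenience: the bundle's owning SPIFFE ID (`spiffe://<domain>/<instance>`). */
+readonly spiffe_id: string;
+/** The trust-domain name this bundle is authoritative for. */
+readonly trust_domain: string;
+/** SPIFFE/JWKS bundle field: the public keys (one per active key). */
+readonly keys: readonly H2ANhiTrustBundleKey[];
+/** Optional SPIFFE field: supersession/ordering counter (caller-supplied). */
+readonly spiffe_sequence?: number;
+/** Optional SPIFFE field: how often a consumer should re-fetch (caller-supplied). */
+readonly spiffe_refresh_hint?: number;
+}
+export interface H2ANhiTrustBundleInput {
+readonly instance: string;
+readonly trustDomain: string;
+/** The instance's currently-active public keys (PEM), net of revocations. */
+readonly activeKeys: readonly string[];
+/** Optional SPIFFE `spiffe_sequence` (omitted from output when absent). */
+readonly sequence?: number;
+/** Optional SPIFFE `spiffe_refresh_hint` in seconds (omitted when absent). */
+readonly refreshHint?: number;
+}
+/**
+* Build a SPIFFE-bundle-shaped trust-anchor export from an instance's active
+* public keys. Pure: same key in → same bundle out. Empty `activeKeys` yields an
+* empty `keys[]` (a well-formed bundle, not an error). Carries only public
+* material — never a private key.
+*/
+export declare function nhiTrustBundle(input: H2ANhiTrustBundleInput): H2ANhiTrustBundle;
+//# sourceMappingURL=nhi-export.d.ts.map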
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"nhi-export.d.ts","sourceRoot":"","sources":["../src/nhi-export.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAIH,kFAAkF;AAClF,eAAO,MAAM,sBAAsB,EAAG,sBAA+B,CAAC;AAEtE;;;;;;GAMG;AACH,eAAO,MAAM,6BAA6B,EAAE,aAAa,CAAC,SAAS,CAAC,MAAM,EAAE,MAAM,CAAC,CAGlF,CAAC;AAeF;;;;;;;;;GASG;AACH,wBAAgB,WAAW,CAAC,WAAW,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,MAAM,CAezE;AAED;;;;;GAKG;AACH,MAAM,WAAW,oBAAoB;IACnC,0EAA0E;IAC1E,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,wDAAwD;IACxD,QAAQ,CAAC,GAAG,EAAE,KAAK,CAAC;IACpB,gFAAgF;IAChF,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;IACpC,2EAA2E;IAC3E,QAAQ,CAAC,OAAO,EAAE,OAAO,sBAAsB,CAAC;CACjD;AAED;;;;;GAKG;AACH,MAAM,WAAW,iBAAiB;IAChC,mFAAmF;IACnF,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAC3B,8DAA8D;IAC9D,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,sEAAsE;IACtE,QAAQ,CAAC,IAAI,EAAE,SAAS,oBAAoB,EAAE,CAAC;IAC/C,8EAA8E;IAC9E,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,CAAC;IAClC,qFAAqF;IACrF,QAAQ,CAAC,mBAAmB,CAAC,EAAE,MAAM,CAAC;CACvC;AAED,MAAM,WAAW,sBAAsB;IACrC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;IAC7B,6EAA6E;IAC7E,QAAQ,CAAC,UAAU,EAAE,SAAS,MAAM,EAAE,CAAC;IACvC,2EAA2E;IAC3E,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,8EAA8E;IAC9E,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,sBAAsB,GAAG,iBAAiB,CAe/E"}
|
|
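--- /dev/null
+++ b/package/dist/nhi-export.js
@@ -0,0 +1,94 @@
+/**
+* NHI P3 (interop) — SPIFFE/SPIRE-compatible **export** primitives. Pure and
+* deterministic, like `nhi.ts`: the caller gathers an instance's active public
+* keys (the keyring) and a trust-domain name and passes them in; this module
+* only transforms them into a SPIFFE-bundle-/JWKS-shaped object and a SPIFFE
+* ID. It owns no I/O, no clock, no network and adds no dependency.
+*
+* Design + sourced SPIFFE facts: `docs/superpowers/specs/2026-05-28-nhi-p3-interop-design.md`.
+* Gate / shortlist: `evaluations/nhi-landscape.md` (§6 #1, SPIFFE-first).
+*
+* Scope honesty: h2a is **not** a SPIRE replacement. It mints no SVIDs and does
+* no node/workload attestation. h2a holds PEM (SPKI) ed25519 *public* keys, not
+* JWK-encoded keys and not X.509/JWT SVIDs. So this is the **trust-anchor**
+* material in a bundle *shape*: the real SPIFFE/RFC-7517 bundle-level fields
+* (`keys`, optional `spiffe_sequence`/`spiffe_refresh_hint`), but each key entry
+* is an h2a-native descriptor (fingerprint as `kid` + the PEM) explicitly tagged
+* so it is not mistaken for an `x509-svid`/`jwt-svid` JWK. PEM→JWK(OKP) encoding,
+* SVID minting and the live HTTPS bundle endpoint are an external connector's job
+* (`../sentropic/`), where a crypto dependency is acceptable; core stays pure.
+*
+* SPIFFE references (verified):
+* - SPIFFE-ID format: https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE-ID.md
+* - Trust Domain & Bundle (JWK Set): https://github.com/spiffe/spiffe/blob/main/standards/SPIFFE_Trust_Domain_and_Bundle.md
+*/
+import { nhiKeyFingerprint } from "./nhi.js";
+/** Honest `use` tag: h2a keys sign h2a envelopes — NOT `x509-svid`/`jwt-svid`. */
+export const H2A_NHI_EXPORT_KEY_USE = "h2a-envelope-signing";
+/**
+* Documented, convention-reversible mapping of h2a instance-id characters that
+* are outside the SPIFFE path-segment set `[a-zA-Z0-9._-]`. h2a instance ids use
+* `:` (e.g. `claude:p1`) and subagents use `~` (`parent~name`), neither of which
+* is a legal SPIFFE path char. Open question (see spec): confirm canonical
+* encoding with a DEC before treating it as stable across a real SPIRE consumer.
+*/
+export const H2A_NHI_SPIFFE_PATH_ENCODINGS = [
+[":", "."],
+["~", "--"]
+];
+/** Trust-domain host rule (SPIFFE-ID.md): lowercase `[a-z0-9._-]`, non-zero length. */
+const TRUST_DOMAIN_RE = /^[a-z0-9._-]+$/;
+/** Legal SPIFFE path-segment chars after our encoding (SPIFFE-ID.md). */
+const PATH_SEGMENT_RE = /^[a-zA-Z0-9._-]+$/;
+function encodeInstanceToPath(instance) {
+let out = instance;
+for (const [from, to] of H2A_NHI_SPIFFE_PATH_ENCODINGS) {
+out = out.split(from).join(to);
+}
+return out;
+}
+/**
+* Map an h2a instance id to a spec-valid SPIFFE ID `spiffe://<trust-domain>/<instance>`.
+* The trust domain is validated (lowercase `[a-z0-9._-]`); disallowed instance-id
+* characters are encoded per `H2A_NHI_SPIFFE_PATH_ENCODINGS`. Throws on an
+* empty/invalid trust domain or an instance that cannot map to a legal path
+* segment — keeping outputs well-formed, consistent with `nhi.ts`.
+*
+* SPIFFE-ID.md: scheme MUST be `spiffe`, non-zero trust domain, no
+* query/fragment, no trailing `/`, no percent-encoding.
+*/
+export function nhiSpiffeId(trustDomain, instance) {
+if (!TRUST_DOMAIN_RE.test(trustDomain)) {
+throw new Error(`nhiSpiffeId: invalid trust domain ${JSON.stringify(trustDomain)} ` +
+"(must be non-empty lowercase [a-z0-9._-])");
+}
+const path = encodeInstanceToPath(instance);
+if (!PATH_SEGMENT_RE.test(path)) {
+throw new Error(`nhiSpiffeId: instance ${JSON.stringify(instance)} does not map to a legal ` +
+"SPIFFE path segment [a-zA-Z0-9._-] after encoding");
+}
+return `spiffe://${trustDomain}/${path}`;
+}
+/**
+* Build a SPIFFE-bundle-shaped trust-anchor export from an instance's active
+* public keys. Pure: same key in → same bundle out. Empty `activeKeys` yields an
+* empty `keys[]` (a well-formed bundle, not an error). Carries only public
+* material — never a private key.
+*/
+export function nhiTrustBundle(input) {
+const spiffe_id = nhiSpiffeId(input.trustDomain, input.instance);
+const keys = input.activeKeys.map((pem) => ({
+kid: nhiKeyFingerprint(pem),
+kty: "OKP",
+h2a_public_key_pem: pem,
+h2a_use: H2A_NHI_EXPORT_KEY_USE
+}));
+return {
+spiffe_id,
+trust_domain: input.trustDomain,
+keys,
+...(input.sequence !== undefined ? { spiffe_sequence: input.sequence } : {}),
+...(input.refreshHint !== undefined ? { spiffe_refresh_hint: input.refreshHint } : {})
+};
+}
+//# sourceMappingURL=nhi-export.js.map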
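Review bot: `encodeInstanceToPath` (lines 43-49) is not injective, so two distinct h2a instances can end up with the same SPIFFE ID: the replacement targets `.` and `--` are themselves legal path characters that pass through untouched, which makes `a.b` and `a:b` (or `x--y` and `x~y`) encode identically, and the "convention-reversible" claim in the header comment (repeated in nhi-export.d.ts) only holds for ids that contain neither. The same encoding turns an instance of `:` or `::` into the path segment `.` or `..`, which `PATH_SEGMENT_RE` accepts even though SPIFFE-ID.md reserves those two segments. A guard at the top of `nhiSpiffeId`, `if (instance.includes(".") || instance.includes("--")) throw new Error("nhiSpiffeId: instance contains a reserved encoding target");` together with `if (path === "." || path === "..") throw new Error("nhiSpiffeId: reserved path segment");` after the encoding, closes both; if `.` must remain legal in instance ids, switch to an injective escape instead. Separately, `nhiTrustBundle` (line 78) emits every `activeKeys` string verbatim as `h2a_public_key_pem` while its docstring promises "never a private key"; checking `pem.startsWith("-----BEGIN PUBLIC KEY-----")` (the SPKI PEM label the module says it holds) and throwing otherwise would make a mis-wired caller fail loudly instead of publishing secret material in a trust bundle. `input.sequence` and `input.refreshHint` are likewise copied through unchecked on lines 90-91; `Number.isInteger(x) && x >= 0` matches the counter/seconds semantics the bundle spec linked in the header gives them.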
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"nhi-export.js","sourceRoot":"","sources":["../src/nhi-export.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAE7C,kFAAkF;AAClF,MAAM,CAAC,MAAM,sBAAsB,GAAG,sBAA+B,CAAC;AAEtE;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAA6C;IACrF,CAAC,GAAG,EAAE,GAAG,CAAC;IACV,CAAC,GAAG,EAAE,IAAI,CAAC;CACZ,CAAC;AAEF,uFAAuF;AACvF,MAAM,eAAe,GAAG,gBAAgB,CAAC;AACzC,yEAAyE;AACzE,MAAM,eAAe,GAAG,mBAAmB,CAAC;AAE5C,SAAS,oBAAoB,CAAC,QAAgB;IAC5C,IAAI,GAAG,GAAG,QAAQ,CAAC;IACnB,KAAK,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,6BAA6B,EAAE,CAAC;QACvD,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjC,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,WAAW,CAAC,WAAmB,EAAE,QAAgB;IAC/D,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CACb,qCAAqC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,GAAG;YACjE,2CAA2C,CAC9C,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,GAAG,oBAAoB,CAAC,QAAQ,CAAC,CAAC;IAC5C,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,yBAAyB,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,2BAA2B;YAC1E,mDAAmD,CACtD,CAAC;IACJ,CAAC;IACD,OAAO,YAAY,WAAW,IAAI,IAAI,EAAE,CAAC;AAC3C,CAAC;AAiDD;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,KAA6B;IAC1D,MAAM,SAAS,GAAG,WAAW,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,CAAC,QAAQ,CAAC,CAAC;IACjE,MAAM,IAAI,GAA2B,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;QAClE,GAAG,EAAE,iBAAiB,CAAC,GAAG,CAAC;QAC3B,GAAG,EAAE,KAAK;QACV,kBAAkB,EAAE,GAAG;QACvB,OAAO,EAAE,sBAAsB;KAChC,CAAC,CAAC,CAAC;IACJ,OAAO;QACL,SAAS;QACT,YAAY,EAAE,KAAK,CAAC,WAAW;QAC/B,IAAI;QACJ,GAAG,CAAC,KAAK,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,eAAe,EAAE,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5E,GAAG,CAAC,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,mBAAmB,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACvF,CAAC;AACJ,CAAC"}
|