@socketsecurity/lib 6.0.6 → 6.0.7

package/dist/http-request/browser.js

@@ -3,11 +3,13 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_primordials_error = require('../primordials/error.js');
 const require_primordials_math = require('../primordials/math.js');
+const require_primordials_string = require('../primordials/string.js');
 const require_primordials_array = require('../primordials/array.js');
 const require_primordials_date = require('../primordials/date.js');
 const require_primordials_json = require('../primordials/json.js');
 const require_primordials_promise = require('../primordials/promise.js');
 const require_http_request_browser_fetch = require('./browser-fetch.js');
+const require_primordials_headers = require('../primordials/headers.js');
 
 //#region src/http-request/browser.ts
 /**
@@ -136,8 +138,8 @@ function decodeText(bytes) {
 }
 function headersToRecord(headers) {
 	const out = {};
-	headers.forEach((value, key) => {
-		out[key.toLowerCase()] = value;
+	require_primordials_headers.HeadersPrototypeForEach(headers, (value, key) => {
+		out[require_primordials_string.StringPrototypeToLowerCase(key)] = value;
 	});
 	return out;
 }

package/dist/http-request/checksum-file.d.ts

@@ -0,0 +1,55 @@
+/**
+ * @file Checksum file fetching + parsing for download verification.
+ *   `parseChecksumFile` understands the three common text-file shapes:
+ *
+ *   - BSD style: `SHA256 (filename) = hash`
+ *   - GNU style: `hash filename` (two spaces)
+ *   - Simple: `hash filename` (single space) Comment lines (`#…`) and blank lines
+ *     are skipped. Each hex digest is converted to an SRI integrity string
+ *     (`sha256-<base64>=`) so callers always work in the same format as
+ *     `external-tools.json` and other integrity-string consumers.
+ *     `fetchChecksumFile` is the URL helper — fetches via `httpRequest` and
+ *     runs the body through `parseChecksumFile`.
+ */
+import type { ChecksumFile, FetchChecksumFileOptions } from './download-types';
+/**
+ * Fetch and parse a checksums file from a URL.
+ *
+ * Returns a map of filenames to SRI integrity strings (`sha256-<base64>=`).
+ * Feed `httpDownload({ sha256 })` by converting back to hex via
+ * `integrityToChecksum()`; pass the SRI string through verbatim to consumers
+ * that accept SRI directly.
+ *
+ * @example
+ *   ;```ts
+ *   import { integrityToChecksum } from '@socketsecurity/lib/integrity'
+ *
+ *   const sums = await fetchChecksumFile(
+ *     'https://github.com/org/repo/releases/download/v1.0.0/checksums.txt',
+ *   )
+ *   await httpDownload(url, '/tmp/tool.tar.gz', {
+ *     sha256: integrityToChecksum(sums['tool_linux.tar.gz']!),
+ *   })
+ *   ```
+ */
+export declare function fetchChecksumFile(url: string, options?: FetchChecksumFileOptions | undefined): Promise<ChecksumFile>;
+/**
+ * Parse a checksums file text into a filename-to-integrity map.
+ *
+ * Supports standard checksums file formats: - BSD style: `SHA256 (filename) =
+ * hash` - GNU style: `hash filename` (two spaces) - Simple style: `hash
+ * filename` (single space)
+ *
+ * Lines starting with `#` are treated as comments and ignored. Empty lines are
+ * ignored. Each 64-char hex digest is converted to an SRI integrity string so
+ * the result is uniform regardless of source format.
+ *
+ * @example
+ *   ;```ts
+ *   const sums = parseChecksumFile(
+ *     'e3b0c44...  file.zip\nSHA256 (other.tar.gz) = abc123...\n',
+ *   )
+ *   // sums['file.zip'] === 'sha256-47DEQpj8HBSa+/...'
+ *   ```
+ */
+export declare function parseChecksumFile(text: string): ChecksumFile;

package/dist/http-request/checksum-file.js

@@ -0,0 +1,95 @@
+"use strict";
+/* Socket Lib - Built with rolldown */
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_primordials_error = require('../primordials/error.js');
+const require_integrity = require('../integrity.js');
+const require_primordials_string = require('../primordials/string.js');
+const require_http_request_request = require('./request.js');
+
+//#region src/http-request/checksum-file.ts
+/**
+* @file Checksum file fetching + parsing for download verification.
+*   `parseChecksumFile` understands the three common text-file shapes:
+*
+*   - BSD style: `SHA256 (filename) = hash`
+*   - GNU style: `hash filename` (two spaces)
+*   - Simple: `hash filename` (single space) Comment lines (`#…`) and blank lines
+*     are skipped. Each hex digest is converted to an SRI integrity string
+*     (`sha256-<base64>=`) so callers always work in the same format as
+*     `external-tools.json` and other integrity-string consumers.
+*     `fetchChecksumFile` is the URL helper — fetches via `httpRequest` and
+*     runs the body through `parseChecksumFile`.
+*/
+const CHECKSUM_BSD_RE = /^SHA256\s+\((.+)\)\s+=\s+([a-fA-F0-9]{64})$/;
+const CHECKSUM_GNU_RE = /^([a-fA-F0-9]{64})\s+(.+)$/;
+/**
+* Fetch and parse a checksums file from a URL.
+*
+* Returns a map of filenames to SRI integrity strings (`sha256-<base64>=`).
+* Feed `httpDownload({ sha256 })` by converting back to hex via
+* `integrityToChecksum()`; pass the SRI string through verbatim to consumers
+* that accept SRI directly.
+*
+* @example
+*   ;```ts
+*   import { integrityToChecksum } from '@socketsecurity/lib/integrity'
+*
+*   const sums = await fetchChecksumFile(
+*     'https://github.com/org/repo/releases/download/v1.0.0/checksums.txt',
+*   )
+*   await httpDownload(url, '/tmp/tool.tar.gz', {
+*     sha256: integrityToChecksum(sums['tool_linux.tar.gz']!),
+*   })
+*   ```
+*/
+async function fetchChecksumFile(url, options) {
+	const { ca, headers = {}, timeout = 3e4 } = {
+		__proto__: null,
+		...options
+	};
+	const response = await require_http_request_request.httpRequest(url, {
+		ca,
+		headers,
+		timeout
+	});
+	if (!response.ok) throw new require_primordials_error.ErrorCtor(`Failed to fetch checksums from ${url}: ${response.status} ${response.statusText}`);
+	return parseChecksumFile(response.body.toString("utf8"));
+}
+/**
+* Parse a checksums file text into a filename-to-integrity map.
+*
+* Supports standard checksums file formats: - BSD style: `SHA256 (filename) =
+* hash` - GNU style: `hash filename` (two spaces) - Simple style: `hash
+* filename` (single space)
+*
+* Lines starting with `#` are treated as comments and ignored. Empty lines are
+* ignored. Each 64-char hex digest is converted to an SRI integrity string so
+* the result is uniform regardless of source format.
+*
+* @example
+*   ;```ts
+*   const sums = parseChecksumFile(
+*     'e3b0c44...  file.zip\nSHA256 (other.tar.gz) = abc123...\n',
+*   )
+*   // sums['file.zip'] === 'sha256-47DEQpj8HBSa+/...'
+*   ```
+*/
+function parseChecksumFile(text) {
+	const result = { __proto__: null };
+	for (const line of require_primordials_string.StringPrototypeSplit(text, "\n")) {
+		const trimmed = line.trim();
+		if (!trimmed || require_primordials_string.StringPrototypeStartsWith(trimmed, "#")) continue;
+		const bsdMatch = CHECKSUM_BSD_RE.exec(trimmed);
+		if (bsdMatch) {
+			result[bsdMatch[1]] = require_integrity.checksumToIntegrity(bsdMatch[2].toLowerCase());
+			continue;
+		}
+		const gnuMatch = CHECKSUM_GNU_RE.exec(trimmed);
+		if (gnuMatch) result[gnuMatch[2]] = require_integrity.checksumToIntegrity(gnuMatch[1].toLowerCase());
+	}
+	return result;
+}
+
+//#endregion
+exports.fetchChecksumFile = fetchChecksumFile;
+exports.parseChecksumFile = parseChecksumFile;

package/dist/http-request/download-types.d.ts

@@ -3,7 +3,7 @@
  *   `http-request/types.ts` for size hygiene.
  *
  *   - `HttpDownloadOptions` / `HttpDownloadResult` — file-download surface
- *   - `Checksums` / `FetchChecksumsOptions` — checksum-file helpers
+ *   - `ChecksumFile` / `FetchChecksumFileOptions` — checksum-file helpers
  */
 import type { IncomingHttpHeaders } from 'node:http';
 import type { Logger } from '../logger/node';
@@ -136,23 +136,14 @@ export interface HttpDownloadOptions {
      * fail if the computed hash doesn't match. The hash should be a lowercase hex
      * string (64 characters).
      *
-     * Use `fetchChecksums()` to fetch hashes from a checksums URL, then pass the
-     * specific hash here.
+     * Pair with `fetchChecksumFile()` + `integrityToChecksum()` when working from
+     * a checksums URL, since `fetchChecksumFile()` returns SRI strings.
      *
      * @example
      *   ;```ts
-     *   // Verify download integrity with direct hash
+     *   // Verify download with a sha256 hex digest
      *   await httpDownload('https://example.com/file.zip', '/tmp/file.zip', {
-     *     sha256:
-     *       'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
-     *   })
-     *
-     *   // Verify using checksums from a URL
-     *   const checksums = await fetchChecksums(
-     *     'https://example.com/checksums.txt',
-     *   )
-     *   await httpDownload('https://example.com/file.zip', '/tmp/file.zip', {
-     *     sha256: checksums['file.zip'],
+     *     sha256: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
      *   })
      *   ```
      */
@@ -189,23 +180,24 @@ export interface HttpDownloadResult {
     statusText: string;
 }
 /**
- * Map of filenames to their SHA256 hashes. Keys are filenames (not paths),
- * values are lowercase hex-encoded SHA256 hashes.
+ * Map of filenames to SRI integrity strings (`sha256-<base64>=`). Returned by
+ * `parseChecksumFile` / `fetchChecksumFile`. Pass through
+ * `integrityToChecksum()` to feed `httpDownload({ sha256 })`, or pass the SRI
+ * string directly to consumers that accept SRI.
  *
  * @example
  *   ;```ts
- *   const checksums: Checksums = {
- *     'file.zip':
- *       'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
- *     'other.tar.gz': 'abc123...',
+ *   const sums: ChecksumFile = {
+ *     'file.zip': 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=',
+ *     'other.tar.gz': 'sha256-...',
  *   }
  *   ```
  */
-export type Checksums = Record<string, string>;
+export type ChecksumFile = Record<string, string>;
 /**
- * Options for fetching checksums from a URL.
+ * Options for fetching a checksum file from a URL.
  */
-export interface FetchChecksumsOptions {
+export interface FetchChecksumFileOptions {
     /**
      * Custom CA certificates for TLS connections. See `HttpRequestOptions.ca` for
      * details.

package/dist/http-request/download.js

@@ -98,8 +98,8 @@ async function httpDownload(url, destPath, options) {
 		};
 	}
 	/* c8 ignore stop */
-	const crypto = /* @__PURE__ */ require_node_crypto.getNodeCrypto();
-	const fs = /* @__PURE__ */ require_node_fs.getNodeFs();
+	const crypto = require_node_crypto.getNodeCrypto();
+	const fs = require_node_fs.getNodeFs();
 	const tempPath = `${destPath}.${crypto.randomBytes(6).toString("hex")}.download`;
 	if (fs.existsSync(tempPath)) await require_fs_safe.safeDelete(tempPath);
 	let lastError;
@@ -155,7 +155,7 @@ async function httpDownloadAttempt(url, destPath, options) {
 	const res = response.rawResponse;
 	/* c8 ignore next 3 */
 	if (!res) throw new require_primordials_error.ErrorCtor("Stream response missing rawResponse");
-	const { createWriteStream } = /* @__PURE__ */ require_node_fs.getNodeFs();
+	const { createWriteStream } = require_node_fs.getNodeFs();
 	const totalSize = require_primordials_number.NumberParseInt(response.headers["content-length"] || "0", 10);
 	return await new require_primordials_promise.PromiseCtor((resolve, reject) => {
 		let downloadedSize = 0;

package/dist/http-request/headers.js

@@ -37,7 +37,6 @@ const RETRY_AFTER_INT_RE = /^\d+$/;
 *
 * @returns The `Authorization` header value, e.g. `Basic <base64>`.
 */
-/*@__NO_SIDE_EFFECTS__*/
 function basicAuthHeader(token) {
 	return `Basic ${require_primordials_globals.btoa(`${token}:`)}`;
 }

package/dist/http-request/request-attempt.js

@@ -1,15 +1,17 @@
 "use strict";
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_primordials_buffer = require('../primordials/buffer.js');
 const require_primordials_error = require('../primordials/error.js');
 const require_primordials_date = require('../primordials/date.js');
-const require_primordials_object = require('../primordials/object.js');
 const require_primordials_json = require('../primordials/json.js');
+const require_primordials_object = require('../primordials/object.js');
 const require_primordials_promise = require('../primordials/promise.js');
 const require_node_http = require('../node/http.js');
 const require_node_https = require('../node/https.js');
 const require_primordials_url = require('../primordials/url.js');
 const require_http_request_errors = require('./errors.js');
+const require_http_request_response_reader = require('./response-reader.js');
 const require_http_request_user_agent = require('./user-agent.js');
 
 //#region src/http-request/request-attempt.ts
@@ -70,7 +72,7 @@ async function httpRequestAttempt(url, options) {
 		};
 		const parsedUrl = new require_primordials_url.URLCtor(url);
 		const isHttps = parsedUrl.protocol === "https:";
-		const httpModule = isHttps ? /* @__PURE__ */ require_node_https.getNodeHttps() : /* @__PURE__ */ require_node_http.getNodeHttp();
+		const httpModule = isHttps ? require_node_https.getNodeHttps() : require_node_http.getNodeHttp();
 		const requestOptions = {
 			headers: mergedHeaders,
 			hostname: parsedUrl.hostname,
@@ -106,15 +108,15 @@ async function httpRequestAttempt(url, options) {
 					reject(new require_primordials_error.ErrorCtor(`Too many redirects (exceeded maximum: ${maxRedirects})`));
 					return;
 				}
-				const redirectUrl = res.headers.location.startsWith("http") ? res.headers.location : new URL(res.headers.location, url).toString();
-				const redirectParsed = new URL(redirectUrl);
+				const redirectUrl = res.headers.location.startsWith("http") ? res.headers.location : new require_primordials_url.URLCtor(res.headers.location, url).toString();
+				const redirectParsed = new require_primordials_url.URLCtor(redirectUrl);
 				if (isHttps && redirectParsed.protocol !== "https:") {
 					settled = true;
 					reject(new require_primordials_error.ErrorCtor(`Redirect from HTTPS to HTTP is not allowed: ${redirectUrl}`));
 					return;
 				}
 				let redirectHeaders = headers;
-				if (new URL(url).origin !== redirectParsed.origin) {
+				if (new require_primordials_url.URLCtor(url).origin !== redirectParsed.origin) {
 					redirectHeaders = { __proto__: null };
 					const stripped = new Set([
 						"authorization",
@@ -148,7 +150,7 @@ async function httpRequestAttempt(url, options) {
 					status,
 					statusText
 				});
-				const emptyBody = Buffer.alloc(0);
+				const emptyBody = require_primordials_buffer.BufferAlloc(0);
 				resolveOnce({
 					arrayBuffer: () => emptyBody.buffer,
 					body: emptyBody,
@@ -178,31 +180,33 @@ async function httpRequestAttempt(url, options) {
 			});
 			res.on("end", () => {
 				if (settled) return;
-				const responseBody = Buffer.concat(chunks);
-				const ok = res.statusCode !== void 0 && res.statusCode >= 200 && res.statusCode < 300;
-				const response = {
-					arrayBuffer() {
-						return responseBody.buffer.slice(responseBody.byteOffset, responseBody.byteOffset + responseBody.byteLength);
-					},
-					body: responseBody,
-					headers: res.headers,
-					json() {
-						return require_primordials_json.JSONParse(responseBody.toString("utf8"));
-					},
-					ok,
-					rawResponse: res,
-					status: res.statusCode || 0,
-					statusText: res.statusMessage || "",
-					text() {
-						return responseBody.toString("utf8");
-					}
-				};
-				emitResponse({
-					headers: res.headers,
-					status: res.statusCode,
-					statusText: res.statusMessage
+				const rawBody = require_primordials_buffer.BufferConcat(chunks);
+				require_http_request_response_reader.decodeBody(rawBody, res.headers["content-encoding"]).catch(() => rawBody).then((responseBody) => {
+					const ok = res.statusCode !== void 0 && res.statusCode >= 200 && res.statusCode < 300;
+					const response = {
+						arrayBuffer() {
+							return responseBody.buffer.slice(responseBody.byteOffset, responseBody.byteOffset + responseBody.byteLength);
+						},
+						body: responseBody,
+						headers: res.headers,
+						json() {
+							return require_primordials_json.JSONParse(responseBody.toString("utf8"));
+						},
+						ok,
+						rawResponse: res,
+						status: res.statusCode || 0,
+						statusText: res.statusMessage || "",
+						text() {
+							return responseBody.toString("utf8");
+						}
+					};
+					emitResponse({
+						headers: res.headers,
+						status: res.statusCode,
+						statusText: res.statusMessage
+					});
+					resolveOnce(response);
 				});
-				resolveOnce(response);
 			});
 			res.on("error", (error) => {
 				rejectOnce(error);
@@ -217,12 +221,12 @@ async function httpRequestAttempt(url, options) {
 		});
 		if (body) {
 			if (typeof body === "object" && typeof body.pipe === "function") {
-				const stream = body;
-				stream.on("error", (err) => {
+				const bodyStream = body;
+				bodyStream.on("error", (err) => {
 					request.destroy();
 					rejectOnce(err);
 				});
-				stream.pipe(request);
+				bodyStream.pipe(request);
 				return;
 			}
 			request.write(body);

package/dist/http-request/request-types.d.ts

@@ -8,7 +8,7 @@
  *     observability
  *   - `HttpRequestOptions` — the main request configuration interface
  */
-import type { IncomingMessage } from 'node:http';
+import type { IncomingHttpHeaders, IncomingMessage } from 'node:http';
 import type { Readable } from 'node:stream';
 /**
  * IncomingMessage received as a response to a client request (http.request
@@ -35,7 +35,7 @@ export interface HttpHookRequestInfo {
 export interface HttpHookResponseInfo {
     duration: number;
     error?: Error | undefined;
-    headers?: import('node:http').IncomingHttpHeaders | undefined;
+    headers?: IncomingHttpHeaders | undefined;
     method: string;
     status?: number | undefined;
     statusText?: string | undefined;

package/dist/http-request/request.js

@@ -4,9 +4,9 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_primordials_error = require('../primordials/error.js');
 const require_primordials_math = require('../primordials/math.js');
 const require_primordials_number = require('../primordials/number.js');
+const require_http_request_response_reader = require('./response-reader.js');
 const require_http_request_request_attempt = require('./request-attempt.js');
 const require_http_request_response_types = require('./response-types.js');
-const require_http_request_response_reader = require('./response-reader.js');
 let node_timers_promises = require("node:timers/promises");
 
 //#region src/http-request/request.ts

package/dist/http-request/user-agent.js

@@ -4,7 +4,7 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_runtime = require('../_virtual/_rolldown/runtime.js');
 const require_env_rewire = require('../env/rewire.js');
 const require_constants_socket = require('../constants/socket.js');
-const require_packages_operations = require('../packages/operations.js');
+const require_packages_specs = require('../packages/specs.js');
 let node_process = require("node:process");
 node_process = require_runtime.__toESM(node_process);
 
@@ -38,9 +38,8 @@ node_process = require_runtime.__toESM(node_process);
 *   // 'sdxgen/0.5.0 node/v22.10.0 darwin/arm64 embedded-by-foo/1'
 *   ```
 */
-/*@__NO_SIDE_EFFECTS__*/
 function buildUserAgent(pkg, caller) {
-	const base = `${/* @__PURE__ */ require_packages_operations.pkgNameToSlug(pkg.name)}/${pkg.version} node/${node_process.default.version} ${node_process.default.platform}/${node_process.default.arch}`;
+	const base = `${require_packages_specs.pkgNameToSlug(pkg.name)}/${pkg.version} node/${node_process.default.version} ${node_process.default.platform}/${node_process.default.arch}`;
 	return caller ? `${base} ${caller}` : base;
 }
 let cachedBaseUserAgent;
@@ -66,7 +65,7 @@ let cachedBaseUserAgent;
 *   ```
 */
 function getSocketCallerUserAgent() {
-	if (cachedBaseUserAgent === void 0) cachedBaseUserAgent = /* @__PURE__ */ buildUserAgent({
+	if (cachedBaseUserAgent === void 0) cachedBaseUserAgent = buildUserAgent({
 		name: require_constants_socket.SOCKET_LIB_NAME,
 		version: require_constants_socket.SOCKET_LIB_VERSION
 	});

package/dist/integrity.d.ts

@@ -1,21 +1,9 @@
-/**
- * @file Integrity specification helpers for downloads and file verification.
- *   Used by `dlx/binary-download` and external-tools resolvers; safe to consume
- *   from any module that needs to verify bytes against an expected hash. Single
- *   supported format per flavor:
- *
- *   - integrity: SRI with sha512 only (what npm registry returns)
- *   - checksum: sha256 hex (what `shasum -a 256` produces; common for binary
- *     release assets on GitHub) Callers may pass a {@link HashSpec} as a bare
- *     string (sniffed via format) or as an explicit `{ type, value }` object.
- *     The normalized form carried around internally is always the object.
- */
 /**
  * Tagged union representing an expected hash.
  *
  * @example
  *   // Bare SRI (sniffed as integrity):
- *   'sha512-abc...'
+ *   'sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs='
  *
  * @example
  *   // Bare sha256 hex (sniffed as checksum):
@@ -23,7 +11,7 @@
  *
  * @example
  *   // Explicit:
- *   { type: 'integrity', value: 'sha512-abc...' }
+ *   { type: 'integrity', value: 'sha512-...' }
  *   { type: 'checksum', value: 'a1b2c3...' }
  */
 export type HashSpec = string | {
@@ -50,22 +38,89 @@ export interface ComputedHashes {
      */
     integrity: string;
     /**
-     * SHA-256 hex (64 chars). Matches `shasum -a 256`.
+     * Sha256 hex (64 chars). Matches `shasum -a 256`.
      */
     checksum: string;
 }
+/**
+ * Parsed components of an integrity string.
+ */
+export interface ParsedIntegrity {
+    /**
+     * SRI algorithm: `'sha256' | 'sha384' | 'sha512'`.
+     */
+    algorithm: string;
+    /**
+     * Base64-encoded digest body (everything after the `-`).
+     */
+    body: string;
+}
+/**
+ * Convert a sha256 hex checksum to its SRI integrity form (`sha256-<base64>`).
+ * Idempotent on integrity input — call this on user-supplied data without first
+ * sniffing the format.
+ *
+ * The default algorithm is `'sha256'` because that's the fleet's checksum
+ * convention; pass an explicit algorithm if you have a hex digest from `sha384`
+ * or `sha512` (the function does not verify hex length against the algorithm —
+ * caller's responsibility).
+ *
+ * @example
+ *   ;```typescript
+ *   checksumToIntegrity(
+ *     '3620a0fcaf81ecd3aaeccd5965919d90dbc913f4d07a96e11e7cafc2c785054b',
+ *   )
+ *   // 'sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs='
+ *
+ *   checksumToIntegrity('sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=')
+ *   // 'sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=' (idempotent)
+ *   ```
+ *
+ * @throws TypeError when the input is neither a recognized SRI nor a hex
+ *   digest.
+ */
+export declare function checksumToIntegrity(input: string, algorithm?: string): string;
 /**
  * Compute both integrity (sha512 SRI) and checksum (sha256 hex) for a buffer of
  * bytes.
  */
 export declare function computeHashes(bytes: Buffer): ComputedHashes;
-export declare function isChecksumString(s: string): boolean;
-export declare function isIntegrityString(s: string): boolean;
+/**
+ * Convert a sha256 SRI integrity string to its hex checksum form (64 lowercase
+ * chars). Idempotent on checksum input.
+ *
+ * Throws on `sha384` and `sha512` SRI — checksums are sha256-only by fleet
+ * convention. Callers that need a hex digest for those algorithms can call
+ * `parseIntegrity(sri)` and decode `.body` manually.
+ *
+ * @example
+ *   ;```typescript
+ *   integrityToChecksum('sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=')
+ *   // '3620a0fcaf81ecd3aaeccd5965919d90dbc913f4d07a96e11e7cafc2c785054b'
+ *
+ *   integrityToChecksum(
+ *     '3620a0fcaf81ecd3aaeccd5965919d90dbc913f4d07a96e11e7cafc2c785054b',
+ *   )
+ *   // '3620a0fcaf81ecd3aaeccd5965919d90dbc913f4d07a96e11e7cafc2c785054b' (idempotent)
+ *   ```
+ *
+ * @throws TypeError when the input is neither a recognized SRI nor a hex
+ *   checksum, or when the input is a non-sha256 SRI.
+ */
+export declare function integrityToChecksum(input: string): string;
+/**
+ * True when `s` is a sha256 hex checksum (exactly 64 hex chars).
+ */
+export declare function isChecksum(s: string): boolean;
+/**
+ * True when `s` is a W3C SRI integrity string: `sha(256|384|512)-<base64>`.
+ */
+export declare function isIntegrity(s: string): boolean;
 /**
  * Normalize a {@link HashSpec} to its canonical `{ type, value }` form.
  *
  * - Object form is trusted (its `value` is validated for shape).
- * - Bare string matching sha512 SRI → integrity.
+ * - Bare string matching SRI → integrity.
  * - Bare string of 64 hex chars → checksum.
  * - Anything else throws TypeError.
  *
@@ -73,6 +128,19 @@ export declare function isIntegrityString(s: string): boolean;
  *   object's value doesn't match its declared type.
  */
 export declare function normalizeHash(spec: HashSpec): NormalizedHash;
+/**
+ * Split an integrity string into its `{ algorithm, body }` components. `body`
+ * is the base64-encoded digest (everything after the algorithm + dash).
+ *
+ * @example
+ *   ;```typescript
+ *   parseIntegrity('sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=')
+ *   // { algorithm: 'sha256', body: 'NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=' }
+ *   ```
+ *
+ * @throws Error when the input is not a valid SRI integrity string.
+ */
+export declare function parseIntegrity(sri: string): ParsedIntegrity;
 /**
  * Verify computed hashes against an expected {@link NormalizedHash}. Uses
  * `crypto.timingSafeEqual` for constant-time comparison.