@socketsecurity/lib 6.0.8 → 6.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (119) hide show
  1. package/CHANGELOG.md +22 -0
  2. package/dist/ai/route.d.mts +21 -8
  3. package/dist/ai/route.js +21 -6
  4. package/dist/ai/spawn.d.mts +32 -0
  5. package/dist/ai/spawn.js +91 -2
  6. package/dist/ai/types.d.mts +10 -0
  7. package/dist/bin/prim.cjs +18797 -13627
  8. package/dist/bin/resolve.js +1 -1
  9. package/dist/cache/ttl/store.js +1 -1
  10. package/dist/compression/brotli.js +1 -1
  11. package/dist/compression/gzip.js +1 -1
  12. package/dist/config/layers.d.ts +53 -0
  13. package/dist/config/layers.js +83 -0
  14. package/dist/constants/socket.js +1 -1
  15. package/dist/debug/caller-info.js +1 -1
  16. package/dist/dlx/binary-cache.js +1 -1
  17. package/dist/dlx/binary-resolution.js +1 -1
  18. package/dist/dlx/firewall.js +1 -1
  19. package/dist/dlx/lockfile.js +1 -1
  20. package/dist/eco/npm/npm/parse-lockfile.js +1 -1
  21. package/dist/eco/npm/yarnpkg/yarn/parse-lockfile.js +1 -1
  22. package/dist/env/rewire.d.ts +5 -3
  23. package/dist/env/rewire.js +6 -7
  24. package/dist/env/xdg.d.ts +17 -0
  25. package/dist/env/xdg.js +21 -1
  26. package/dist/errors/stack.js +1 -2
  27. package/dist/external/@npmcli/package-json.js +3455 -4881
  28. package/dist/external/@yarnpkg/extensions.js +1 -1
  29. package/dist/external/external-pack.js +1 -1
  30. package/dist/external/npm-pack.js +29164 -31799
  31. package/dist/external/tar-fs.js +63 -16
  32. package/dist/external-tools/jre/detect-platform-arch.js +1 -1
  33. package/dist/external-tools/manifest.js +1 -1
  34. package/dist/external-tools/python/asset-names.js +1 -1
  35. package/dist/external-tools/python/uv-install.d.ts +89 -0
  36. package/dist/external-tools/python/uv-install.js +165 -0
  37. package/dist/external-tools/skillspector/from-uv.d.ts +30 -0
  38. package/dist/external-tools/skillspector/from-uv.js +56 -0
  39. package/dist/external-tools/skillspector/resolve.d.ts +18 -3
  40. package/dist/external-tools/skillspector/resolve.js +21 -8
  41. package/dist/external-tools/skillspector/types.d.ts +3 -1
  42. package/dist/external-tools/uv/asset-names.d.ts +36 -0
  43. package/dist/external-tools/uv/asset-names.js +73 -0
  44. package/dist/external-tools/uv/from-download.d.ts +17 -0
  45. package/dist/external-tools/uv/from-download.js +50 -0
  46. package/dist/external-tools/uv/from-path.d.ts +5 -0
  47. package/dist/external-tools/uv/from-path.js +22 -0
  48. package/dist/external-tools/uv/from-vfs.d.ts +7 -0
  49. package/dist/external-tools/uv/from-vfs.js +26 -0
  50. package/dist/external-tools/uv/resolve.d.ts +25 -0
  51. package/dist/external-tools/uv/resolve.js +61 -0
  52. package/dist/external-tools/uv/types.d.ts +24 -0
  53. package/dist/external-tools/uv/types.js +2 -0
  54. package/dist/fleet/repo-config.d.ts +53 -0
  55. package/dist/fleet/repo-config.js +79 -0
  56. package/dist/fs/allowed-dirs-cache.js +3 -5
  57. package/dist/fs/copy.d.ts +88 -0
  58. package/dist/fs/copy.js +89 -0
  59. package/dist/fs/safe.js +1 -1
  60. package/dist/git/_internal.js +2 -2
  61. package/dist/github/refs.js +10 -15
  62. package/dist/globs/_internal.js +1 -1
  63. package/dist/http-request/browser.js +1 -1
  64. package/dist/http-request/checksum-file.js +1 -1
  65. package/dist/http-request/headers.js +1 -1
  66. package/dist/integrity.d.ts +125 -78
  67. package/dist/integrity.js +168 -84
  68. package/dist/logger/colors.d.ts +1 -2
  69. package/dist/logger/colors.js +2 -2
  70. package/dist/logger/symbols-builder.js +7 -8
  71. package/dist/logger/symbols.js +8 -8
  72. package/dist/node/module.d.ts +73 -2
  73. package/dist/node/module.js +97 -12
  74. package/dist/objects/predicates.js +1 -1
  75. package/dist/packages/exports.js +2 -2
  76. package/dist/packages/isolation.js +1 -1
  77. package/dist/packages/manifest.d.ts +29 -0
  78. package/dist/packages/manifest.js +38 -2
  79. package/dist/packages/normalize.js +1 -1
  80. package/dist/packages/provenance.js +2 -2
  81. package/dist/packages/specs.js +1 -1
  82. package/dist/paths/_internal.d.ts +1 -7
  83. package/dist/paths/_internal.js +9 -15
  84. package/dist/paths/conversion.js +1 -1
  85. package/dist/paths/normalize.js +1 -1
  86. package/dist/paths/predicates.js +2 -1
  87. package/dist/paths/socket.d.ts +74 -23
  88. package/dist/paths/socket.js +97 -23
  89. package/dist/perf/metrics.js +1 -1
  90. package/dist/perf/report.js +1 -1
  91. package/dist/regexps/spec.js +1 -1
  92. package/dist/schema/validate.js +1 -1
  93. package/dist/secrets/broker.d.ts +35 -0
  94. package/dist/secrets/broker.js +72 -0
  95. package/dist/secrets/find.d.ts +6 -4
  96. package/dist/secrets/find.js +15 -1
  97. package/dist/secrets/rc.js +1 -1
  98. package/dist/smol/detect.js +1 -1
  99. package/dist/smol/http.js +1 -1
  100. package/dist/smol/https.js +1 -1
  101. package/dist/smol/manifest.js +1 -1
  102. package/dist/smol/path.js +1 -1
  103. package/dist/smol/primordial.js +1 -1
  104. package/dist/smol/purl.js +1 -1
  105. package/dist/smol/versions.js +1 -1
  106. package/dist/smol/vfs.js +1 -1
  107. package/dist/sorts/_internal.d.ts +1 -2
  108. package/dist/sorts/_internal.js +2 -6
  109. package/dist/sorts/semver.js +2 -2
  110. package/dist/spinner/create-spinner-class.js +1 -1
  111. package/dist/stdio/progress.js +1 -1
  112. package/dist/stdio/prompts.d.ts +0 -8
  113. package/dist/stdio/prompts.js +10 -23
  114. package/dist/strings/format.js +1 -1
  115. package/dist/strings/search.js +1 -1
  116. package/dist/themes/context.d.ts +5 -3
  117. package/dist/themes/context.js +5 -6
  118. package/llms.txt +750 -0
  119. package/package.json +79 -13
@@ -0,0 +1,89 @@
1
+ "use strict";
2
+ /* Socket Lib - Built with rolldown */
3
+ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
+ const require_primordials_object = require('../primordials/object.js');
5
+ const require_paths__internal = require('../paths/_internal.js');
6
+ const require_node_fs = require('../node/fs.js');
7
+ const require_node_path = require('../node/path.js');
8
+ const require_fs_safe = require('./safe.js');
9
+ const require_fs_unique = require('./unique.js');
10
+
11
+ //#region src/fs/copy.ts
12
+ /**
13
+ * @file Recursive copy for a file or directory tree, with three destination
14
+ * modes (see {@link CopyMode}). Plain `fs.cp` (even with `force`) overwrites
15
+ * files present in the source but never deletes destination files absent from
16
+ * it, so copying onto an existing target leaves stale leftovers behind. The
17
+ * `'pave'` mode makes the destination an exact copy of the source by staging
18
+ * a fresh tree in a sibling temp directory and swapping it in with a single
19
+ * rename — atomic, with no stale survivors.
20
+ */
21
+ /**
22
+ * Named values for {@link CopyMode}. A frozen object rather than a TypeScript
23
+ * `enum` so the declaration is erasable (enums emit runtime helper code).
24
+ */
25
+ const CopyMode = require_primordials_object.ObjectFreeze({
26
+ Fill: "fill",
27
+ Overlay: "overlay",
28
+ Pave: "pave"
29
+ });
30
+ /**
31
+ * Recursively copy a file or directory tree from `from` to `to`.
32
+ *
33
+ * Works for both files and directories. The `mode` option chooses how an
34
+ * existing destination is treated — overlay (default), pave, or fill; see
35
+ * {@link CopyMode}.
36
+ *
37
+ * @example
38
+ * ;```ts
39
+ * // Overlay (default) — overwrite collisions, keep files already in dest:
40
+ * await copy('./src', './dest')
41
+ *
42
+ * // Pave — dest ends up identical to src, no stale survivors:
43
+ * await copy('./vendor/upstream', './deps/upstream', { mode: CopyMode.Pave })
44
+ *
45
+ * // Fill — add only what's missing, never overwrite an existing file:
46
+ * await copy('./defaults', './config', { mode: CopyMode.Fill })
47
+ * ```
48
+ *
49
+ * @param from - Source file or directory to copy.
50
+ * @param to - Destination path.
51
+ * @param options - Copy options (mode, filter, dereference, abort signal).
52
+ */
53
+ async function copy(from, to, options) {
54
+ const fs = require_node_fs.getNodeFs();
55
+ const opts = {
56
+ __proto__: null,
57
+ ...options
58
+ };
59
+ const { mode } = opts;
60
+ const fromStr = require_paths__internal.pathLikeToString(from);
61
+ const toStr = require_paths__internal.pathLikeToString(to);
62
+ const cpOptions = {
63
+ __proto__: null,
64
+ dereference: opts.dereference === true,
65
+ force: mode !== CopyMode.Fill,
66
+ recursive: true,
67
+ ...opts.filter ? { filter: opts.filter } : {}
68
+ };
69
+ if (mode !== CopyMode.Pave) {
70
+ await fs.promises.cp(fromStr, toStr, cpOptions);
71
+ return;
72
+ }
73
+ const path = require_node_path.getNodePath();
74
+ const tmp = require_fs_unique.uniqueSync(`${toStr}.tmp`);
75
+ try {
76
+ await fs.promises.cp(fromStr, tmp, cpOptions);
77
+ await require_fs_safe.safeMkdir(path.dirname(toStr));
78
+ await require_fs_safe.safeDelete(toStr, { signal: opts.signal });
79
+ await fs.promises.rename(tmp, toStr);
80
+ } catch (e) {
81
+ /* c8 ignore start - best-effort cleanup of the staged copy on failure */
82
+ await require_fs_safe.safeDelete(tmp, { signal: opts.signal });
83
+ throw e;
84
+ }
85
+ }
86
+
87
+ //#endregion
88
+ exports.CopyMode = CopyMode;
89
+ exports.copy = copy;
package/dist/fs/safe.js CHANGED
@@ -1,8 +1,8 @@
1
1
  "use strict";
2
2
  /* Socket Lib - Built with rolldown */
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
- const require_arrays_predicates = require('../arrays/predicates.js');
5
4
  const require_primordials_string = require('../primordials/string.js');
5
+ const require_arrays_predicates = require('../arrays/predicates.js');
6
6
  const require_paths__internal = require('../paths/_internal.js');
7
7
  const require_primordials_array = require('../primordials/array.js');
8
8
  const require_node_fs = require('../node/fs.js');
@@ -3,8 +3,8 @@
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
4
  const require_primordials_buffer = require('../primordials/buffer.js');
5
5
  const require_primordials_object = require('../primordials/object.js');
6
- const require_primordials_map_set = require('../primordials/map-set.js');
7
6
  const require_primordials_string = require('../primordials/string.js');
7
+ const require_primordials_map_set = require('../primordials/map-set.js');
8
8
  const require_paths_normalize = require('../paths/normalize.js');
9
9
  const require_primordials_array = require('../primordials/array.js');
10
10
  const require_node_path = require('../node/path.js');
@@ -13,9 +13,9 @@ const require_primordials_json = require('../primordials/json.js');
13
13
  const require_bin_which = require('../bin/which.js');
14
14
  const require_ansi_strip = require('../ansi/strip.js');
15
15
  const require_process_spawn_child = require('../process/spawn/child.js');
16
+ const require_git_repo = require('./repo.js');
16
17
  const require_debug_output = require('../debug/output.js');
17
18
  const require_globs_matcher = require('../globs/matcher.js');
18
- const require_git_repo = require('./repo.js');
19
19
 
20
20
  //#region src/git/_internal.ts
21
21
  /**
@@ -1,7 +1,12 @@
1
1
  "use strict";
2
2
  /* Socket Lib - Built with rolldown */
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
+ const require_runtime = require('../_virtual/_rolldown/runtime.js');
5
+ const require_github_refs_graphql = require('./refs-graphql.js');
6
+ const require_github_refs_rest = require('./refs-rest.js');
4
7
  const require_github_refs_cache = require('./refs-cache.js');
8
+ let node_process = require("node:process");
9
+ node_process = require_runtime.__toESM(node_process);
5
10
 
6
11
  //#region src/github/refs.ts
7
12
  /**
@@ -89,25 +94,15 @@ async function resolveRefToSha(owner, repo, ref, options) {
89
94
  ...options
90
95
  };
91
96
  const cacheKey = `${owner}/${repo}@${ref}`;
92
- if (process.env["DISABLE_GITHUB_CACHE"]) return await fetchRefSha$1(owner, repo, ref, opts);
93
- return await getGithubCache$1().getOrFetch(cacheKey, async () => {
94
- return await fetchRefSha$1(owner, repo, ref, opts);
97
+ if (node_process.default.env["DISABLE_GITHUB_CACHE"]) return await require_github_refs_rest.fetchRefSha(owner, repo, ref, opts);
98
+ return await require_github_refs_cache.getGithubCache().getOrFetch(cacheKey, async () => {
99
+ return await require_github_refs_rest.fetchRefSha(owner, repo, ref, opts);
95
100
  });
96
101
  }
97
102
 
98
103
  //#endregion
99
104
  exports.clearRefCache = require_github_refs_cache.clearRefCache;
100
- Object.defineProperty(exports, 'fetchRefSha', {
101
- enumerable: true,
102
- get: function () {
103
- return fetchRefSha;
104
- }
105
- });
106
- Object.defineProperty(exports, 'fetchRefShaViaGraphQL', {
107
- enumerable: true,
108
- get: function () {
109
- return fetchRefShaViaGraphQL;
110
- }
111
- });
105
+ exports.fetchRefSha = require_github_refs_rest.fetchRefSha;
106
+ exports.fetchRefShaViaGraphQL = require_github_refs_graphql.fetchRefShaViaGraphQL;
112
107
  exports.getGithubCache = require_github_refs_cache.getGithubCache;
113
108
  exports.resolveRefToSha = resolveRefToSha;
@@ -1,8 +1,8 @@
1
1
  "use strict";
2
2
  /* Socket Lib - Built with rolldown */
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
- const require_primordials_map_set = require('../primordials/map-set.js');
5
4
  const require_primordials_string = require('../primordials/string.js');
5
+ const require_primordials_map_set = require('../primordials/map-set.js');
6
6
  const require_paths_normalize = require('../paths/normalize.js');
7
7
  const require_primordials_array = require('../primordials/array.js');
8
8
  const require_node_fs = require('../node/fs.js');
@@ -2,8 +2,8 @@
2
2
  /* Socket Lib - Built with rolldown */
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
4
  const require_primordials_error = require('../primordials/error.js');
5
- const require_primordials_math = require('../primordials/math.js');
6
5
  const require_primordials_string = require('../primordials/string.js');
6
+ const require_primordials_math = require('../primordials/math.js');
7
7
  const require_primordials_array = require('../primordials/array.js');
8
8
  const require_primordials_date = require('../primordials/date.js');
9
9
  const require_primordials_json = require('../primordials/json.js');
@@ -2,8 +2,8 @@
2
2
  /* Socket Lib - Built with rolldown */
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
4
  const require_primordials_error = require('../primordials/error.js');
5
- const require_integrity = require('../integrity.js');
6
5
  const require_primordials_string = require('../primordials/string.js');
6
+ const require_integrity = require('../integrity.js');
7
7
  const require_http_request_request = require('./request.js');
8
8
 
9
9
  //#region src/http-request/checksum-file.ts
@@ -1,8 +1,8 @@
1
1
  "use strict";
2
2
  /* Socket Lib - Built with rolldown */
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
- const require_primordials_number = require('../primordials/number.js');
5
4
  const require_primordials_object = require('../primordials/object.js');
5
+ const require_primordials_number = require('../primordials/number.js');
6
6
  const require_primordials_array = require('../primordials/array.js');
7
7
  const require_primordials_date = require('../primordials/date.js');
8
8
  const require_primordials_globals = require('../primordials/globals.js');
@@ -1,18 +1,36 @@
1
+ /**
2
+ * SRI-blessed hash algorithms. The W3C set; the prefix is part of the wire
3
+ * format, not a fleet convention.
4
+ */
5
+ export type HashAlgorithm = 'sha256' | 'sha384' | 'sha512';
6
+ /**
7
+ * A cryptographic hash: an algorithm plus the digest in both encodings. Frozen,
8
+ * plain, self-describing — `h.algorithm` removes every "is this 256 or 512?"
9
+ * guess, and `h.hex` / `h.sri` are precomputed views (cheap transcodes of the
10
+ * digest, eager so the value stays serializable and structurally comparable).
11
+ */
12
+ export interface Hash {
13
+ readonly algorithm: HashAlgorithm;
14
+ /**
15
+ * Lowercase hex digest (64 chars sha256, 96 sha384, 128 sha512).
16
+ */
17
+ readonly hex: string;
18
+ /**
19
+ * W3C SRI string: `<algorithm>-<base64>`.
20
+ */
21
+ readonly sri: string;
22
+ }
23
+ /**
24
+ * Anything a caller can hand verify/convert as "the expected hash": a parsed
25
+ * {@link Hash}, an SRI string, or a bare hex digest (algorithm inferred by
26
+ * length).
27
+ */
28
+ export type HashInput = string | Hash;
1
29
  /**
2
30
  * Tagged union representing an expected hash.
3
31
  *
4
- * @example
5
- * // Bare SRI (sniffed as integrity):
6
- * 'sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs='
7
- *
8
- * @example
9
- * // Bare sha256 hex (sniffed as checksum):
10
- * 'a1b2c3...'
11
- *
12
- * @example
13
- * // Explicit:
14
- * { type: 'integrity', value: 'sha512-...' }
15
- * { type: 'checksum', value: 'a1b2c3...' }
32
+ * @deprecated Prefer {@link HashInput} + {@link parseHash}. Kept for the
33
+ * `integrity?: HashSpec` option fields across dlx / external-tools.
16
34
  */
17
35
  export type HashSpec = string | {
18
36
  type: 'integrity';
@@ -22,15 +40,16 @@ export type HashSpec = string | {
22
40
  value: string;
23
41
  };
24
42
  /**
25
- * Normalized internal form. Always an object.
43
+ * Normalized internal form of a {@link HashSpec}. Always an object.
26
44
  */
27
45
  export interface NormalizedHash {
28
46
  type: 'integrity' | 'checksum';
29
47
  value: string;
30
48
  }
31
49
  /**
32
- * Both hash formats for the same bytes. Returned from downloads so callers can
33
- * record whichever format their config uses.
50
+ * Both pinned hash formats for the same bytes: the sha512 SRI we pin against
51
+ * and the sha256 hex upstream tools emit. Returned from downloads so callers
52
+ * record whichever their config uses.
34
53
  */
35
54
  export interface ComputedHashes {
36
55
  /**
@@ -43,7 +62,7 @@ export interface ComputedHashes {
43
62
  checksum: string;
44
63
  }
45
64
  /**
46
- * Parsed components of an integrity string.
65
+ * Parsed components of an SRI integrity string.
47
66
  */
48
67
  export interface ParsedIntegrity {
49
68
  /**
@@ -56,60 +75,64 @@ export interface ParsedIntegrity {
56
75
  body: string;
57
76
  }
58
77
  /**
59
- * Convert a sha256 hex checksum to its SRI integrity form (`sha256-<base64>`).
60
- * Idempotent on integrity input — call this on user-supplied data without first
61
- * sniffing the format.
62
- *
63
- * The default algorithm is `'sha256'` because this converts a _checksum_, and
64
- * checksums are sha256 by fleet convention (the GitHub-SHA256SUMS interop shape
65
- * its only caller, `checksum-file.ts`, parses). Do NOT flip this default to
66
- * sha512: this function only relabels the hex bytes, it does not re-hash, so a
67
- * sha512 label on a 256-bit digest would be a lie. The canonical algorithm for
68
- * OUR-side integrity values is sha512 — emitted by `computeHashes` as the
69
- * `integrity` (`sha512-<base64>`) field; sha256 is reserved for
70
- * upstream-SHASUMS interop and content addressing. Pass an explicit algorithm
71
- * if you have a hex digest from `sha384` or `sha512` (the function does not
72
- * verify hex length against the algorithm — caller's responsibility).
78
+ * Convert a hex checksum to its SRI integrity form.
73
79
  *
74
- * @example
75
- * ;```typescript
76
- * checksumToIntegrity(
77
- * '3620a0fcaf81ecd3aaeccd5965919d90dbc913f4d07a96e11e7cafc2c785054b',
78
- * )
79
- * // 'sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs='
80
- *
81
- * checksumToIntegrity('sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=')
82
- * // 'sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=' (idempotent)
83
- * ```
80
+ * @deprecated Prefer `parseHash(x).sri`, which is total across all algorithms
81
+ * and infers the algorithm from a bare hex digest. This shim defaults to
82
+ * `'sha256'` because it only relabels the hex bytes — it does NOT re-hash, so
83
+ * a sha512 label on a 256-bit digest would be a lie. Idempotent on SRI input.
84
84
  *
85
85
  * @throws TypeError when the input is neither a recognized SRI nor a hex
86
86
  * digest.
87
87
  */
88
- export declare function checksumToIntegrity(input: string, algorithm?: string): string;
88
+ export declare function checksumToIntegrity(input: string, algorithm?: HashAlgorithm): string;
89
89
  /**
90
- * Compute both integrity (sha512 SRI) and checksum (sha256 hex) for a buffer of
91
- * bytes.
90
+ * Compute a single {@link Hash} of `bytes`. Defaults to sha512 the canonical
91
+ * trust string we pin against. Pass `'sha256'` for the upstream-interop digest.
92
+ *
93
+ * @example
94
+ * ;```typescript
95
+ * computeHash(bytes).sri // 'sha512-…' (pin this)
96
+ * computeHash(bytes, 'sha256').hex // '3620a0…' (compare to SHA256SUMS)
97
+ * ```
98
+ */
99
+ export declare function computeHash(bytes: NodeJS.ArrayBufferView, algorithm?: HashAlgorithm): Hash;
100
+ /**
101
+ * Compute both pinned formats for `bytes`: the sha512 SRI integrity and the
102
+ * sha256 hex checksum. Use when a config records both (e.g.
103
+ * `external-tools.json`, dlx lockfiles).
92
104
  */
93
105
  export declare function computeHashes(bytes: Buffer): ComputedHashes;
94
106
  /**
95
- * Convert a sha256 SRI integrity string to its hex checksum form (64 lowercase
96
- * chars). Idempotent on checksum input.
107
+ * Compare two hashes for equality, ENCODING-agnostically. Parses both and
108
+ * only when they share an algorithm — timing-safe compares the digests.
97
109
  *
98
- * Throws on `sha384` and `sha512` SRI checksums are sha256-only by fleet
99
- * convention. Callers that need a hex digest for those algorithms can call
100
- * `parseIntegrity(sri)` and decode `.body` manually.
110
+ * Returns false when the algorithms differ. A sha512 and a sha256 are different
111
+ * functions of the same bytes: their digests are unrelated values, so they can
112
+ * never be "equal", and you CANNOT derive or check one against the other
113
+ * without the original bytes. To confirm a sha256 and a sha512 describe the
114
+ * same content, hash the bytes both ways (`computeHashes`) or `verifyHash` the
115
+ * bytes against each — there is no hash-to-hash shortcut across algorithms.
116
+ *
117
+ * What this DOES solve is the cross-ENCODING case that bites string `===`: a
118
+ * sha256 SRI and the same sha256 hex compare equal here.
101
119
  *
102
120
  * @example
103
121
  * ;```typescript
104
- * integrityToChecksum('sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=')
105
- * // '3620a0fcaf81ecd3aaeccd5965919d90dbc913f4d07a96e11e7cafc2c785054b'
106
- *
107
- * integrityToChecksum(
108
- * '3620a0fcaf81ecd3aaeccd5965919d90dbc913f4d07a96e11e7cafc2c785054b',
109
- * )
110
- * // '3620a0fcaf81ecd3aaeccd5965919d90dbc913f4d07a96e11e7cafc2c785054b' (idempotent)
122
+ * equalHashes('sha256-NiCg', '3620a0fc…') // true (same digest, SRI vs hex)
123
+ * equalHashes('sha512-…', '3620a0fc…') // false (different algorithms)
111
124
  * ```
112
125
  *
126
+ * @throws TypeError when either input is not a recognized hash.
127
+ */
128
+ export declare function equalHashes(a: HashInput, b: HashInput): boolean;
129
+ /**
130
+ * Convert an SRI integrity string to its hex checksum form.
131
+ *
132
+ * @deprecated Prefer `parseHash(x).hex`, which is total across all algorithms.
133
+ * This shim is sha256-only (throws on sha384 / sha512) to preserve its
134
+ * historical "checksums are sha256" contract. Idempotent on hex input.
135
+ *
113
136
  * @throws TypeError when the input is neither a recognized SRI nor a hex
114
137
  * checksum, or when the input is a non-sha256 SRI.
115
138
  */
@@ -118,49 +141,73 @@ export declare function integrityToChecksum(input: string): string;
118
141
  * True when `s` is a sha256 hex checksum (exactly 64 hex chars).
119
142
  */
120
143
  export declare function isChecksum(s: string): boolean;
144
+ /**
145
+ * True when `s` is a bare hex digest of a recognized length (sha256 / sha384 /
146
+ * sha512).
147
+ */
148
+ export declare function isHex(s: string): boolean;
121
149
  /**
122
150
  * True when `s` is a W3C SRI integrity string: `sha(256|384|512)-<base64>`.
123
151
  */
124
152
  export declare function isIntegrity(s: string): boolean;
153
+ /**
154
+ * Build a frozen {@link Hash} from an algorithm and a hex digest. The internal
155
+ * constructor — trusts its inputs (lowercases the hex, computes the SRI view);
156
+ * use {@link parseHash} for untrusted strings, which validates first.
157
+ */
158
+ export declare function makeHash(algorithm: HashAlgorithm, hex: string): Hash;
125
159
  /**
126
160
  * Normalize a {@link HashSpec} to its canonical `{ type, value }` form.
127
161
  *
128
- * - Object form is trusted (its `value` is validated for shape).
129
- * - Bare string matching SRI integrity.
130
- * - Bare string of 64 hex chars → checksum.
131
- * - Anything else throws TypeError.
162
+ * @deprecated Prefer {@link parseHash}, which returns an algorithm-tagged
163
+ * {@link Hash}. Kept for callers that branch on integrity-vs-checksum type.
132
164
  *
133
165
  * @throws TypeError if the string is not a recognized format, or if an explicit
134
166
  * object's value doesn't match its declared type.
135
167
  */
136
168
  export declare function normalizeHash(spec: HashSpec): NormalizedHash;
137
169
  /**
138
- * Split an integrity string into its `{ algorithm, body }` components. `body`
139
- * is the base64-encoded digest (everything after the algorithm + dash).
170
+ * Parse any {@link HashInput} into a canonical {@link Hash}. The one entry
171
+ * point for untrusted input validates shape + length, then freezes.
140
172
  *
141
- * @example
142
- * ;```typescript
143
- * parseIntegrity('sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=')
144
- * // { algorithm: 'sha256', body: 'NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=' }
145
- * ```
173
+ * - A {@link Hash} object is re-canonicalized from its `algorithm` + `hex`.
174
+ * - An SRI string carries its algorithm in the prefix (the body length is checked
175
+ * against it).
176
+ * - A bare hex digest infers the algorithm from its length (64 / 96 / 128).
177
+ *
178
+ * @throws TypeError when the input is not a recognized SRI or hex digest, or
179
+ * when an SRI body's length doesn't match its declared algorithm.
180
+ */
181
+ export declare function parseHash(input: HashInput): Hash;
182
+ /**
183
+ * Split an SRI integrity string into its `{ algorithm, body }` components.
184
+ * `body` is the base64-encoded digest.
146
185
  *
147
186
  * @throws Error when the input is not a valid SRI integrity string.
148
187
  */
149
188
  export declare function parseIntegrity(sri: string): ParsedIntegrity;
150
189
  /**
151
- * Verify computed hashes against an expected {@link NormalizedHash}. Uses
152
- * `crypto.timingSafeEqual` for constant-time comparison.
153
- *
154
- * @throws DlxHashMismatchError when the hash of the matching type doesn't match
155
- * the expected value.
190
+ * Verify `bytes` against an expected hash. Reads the algorithm the expected
191
+ * hash declares, computes only that digest, and compares with
192
+ * `crypto.timingSafeEqual` — so any encoding (hex / SRI / {@link Hash}) and any
193
+ * algorithm (sha256 / sha384 / sha512) verifies without the caller reconciling
194
+ * formats first.
195
+ *
196
+ * @throws HashMismatchError when the recomputed digest doesn't match.
197
+ * @throws TypeError when `expected` is not a recognized hash.
156
198
  */
157
- export declare function verifyHash(expected: NormalizedHash, computed: ComputedHashes): void;
199
+ export declare function verifyHash(bytes: NodeJS.ArrayBufferView, expected: HashInput): void;
158
200
  /**
159
- * Thrown when an expected hash doesn't match the computed hash of the
160
- * downloaded bytes. Carries both sides for diagnostics.
201
+ * Thrown when an expected hash doesn't match the computed hash of the verified
202
+ * bytes. Carries both sides (as {@link Hash}) for diagnostics.
161
203
  */
162
- export declare class DlxHashMismatchError extends Error {
163
- readonly expected: NormalizedHash;
164
- readonly actual: ComputedHashes;
165
- constructor(expected: NormalizedHash, actual: ComputedHashes);
204
+ export declare class HashMismatchError extends Error {
205
+ readonly expected: Hash;
206
+ readonly actual: Hash;
207
+ constructor(expected: Hash, actual: Hash);
166
208
  }
209
+ /**
210
+ * @deprecated Renamed to {@link HashMismatchError}. Alias kept for callers that
211
+ * catch the old name.
212
+ */
213
+ export declare const DlxHashMismatchError: typeof HashMismatchError;