@tegis/player 0.1.0 → 0.1.1

package/CHANGELOG.md

@@ -2,7 +2,12 @@
 
 All notable changes to `@tegis/player` are documented here. This project follows [semver](https://semver.org).
 
-## [0.1.0] — unreleased
+## [0.1.1]
+
+- **Fix:** `0.1.0` shipped a non-bundled stub `dist/index.js` (a newer `bun build` regressed bundling); the
+  entry is now a verified self-contained bundle. Use `>=0.1.1` — `0.1.0` is broken.
+
+## [0.1.0]
 
 Initial extraction from the Tegis reference SDK (formerly the private `@aegis/sdk`).
 

package/dist/bundle-entry.js

@@ -156,6 +156,39 @@ class TegisPlayer {
 }
 
 // src/handshake-wasm.ts
+async function loadWasmHandshake(secret, wasmBytes) {
+  const { instance } = await WebAssembly.instantiate(wasmBytes, {
+    env: { abort: () => {
+      throw new Error("wasm abort");
+    } }
+  });
+  const ex = instance.exports;
+  const te2 = new TextEncoder;
+  const mem = () => new Uint8Array(ex.memory.buffer);
+  function write(data) {
+    const p = ex.alloc(data.length);
+    mem().set(data, p);
+    return p;
+  }
+  function sha256(data) {
+    const p = write(data);
+    const out = ex.alloc(32);
+    ex.sha256(p, data.length, out);
+    return mem().slice(out, out + 32);
+  }
+  function hmac(key, msg) {
+    const kp = write(key);
+    const mp = write(msg);
+    const out = ex.alloc(32);
+    ex.hmac(kp, key.length, mp, msg.length, out);
+    return mem().slice(out, out + 32);
+  }
+  return async (att, ent, nonce, t) => {
+    const entDigest = b64u(sha256(te2.encode(ent)));
+    const msg = te2.encode(`${att}.${entDigest}.${nonce}.${t}`);
+    return b64u(hmac(secret, msg));
+  };
+}
 async function loadWhitenedHandshake(wasmBytes) {
   const { instance } = await WebAssembly.instantiate(wasmBytes, {
     env: { abort: () => {

package/dist/index.js

@@ -1,3 +1,219 @@
+// src/crypto.ts
+var te = new TextEncoder;
+function b64u(buf) {
+  const b = buf instanceof Uint8Array ? buf : new Uint8Array(buf);
+  let s = "";
+  for (const x of b)
+    s += String.fromCharCode(x);
+  return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function unb64u(s) {
+  s = s.replace(/-/g, "+").replace(/_/g, "/");
+  while (s.length % 4)
+    s += "=";
+  const bin = atob(s);
+  const out = new Uint8Array(bin.length);
+  for (let i = 0;i < bin.length; i++)
+    out[i] = bin.charCodeAt(i);
+  return out;
+}
+async function hmacSha256(secret, msg) {
+  const key = await crypto.subtle.importKey("raw", secret, { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
+  return new Uint8Array(await crypto.subtle.sign("HMAC", key, te.encode(msg)));
+}
+async function sha256b64u(s) {
+  return b64u(await crypto.subtle.digest("SHA-256", te.encode(s)));
+}
+async function handshake(secret, att, ent, nonce, t) {
+  const d = await sha256b64u(ent);
+  return b64u(await hmacSha256(secret, `${att}.${d}.${nonce}.${t}`));
+}
+async function hbSign(hbKeyB64u, hbJSON) {
+  return b64u(await hmacSha256(unb64u(hbKeyB64u), hbJSON));
+}
+async function decryptSegment(keyRaw, blob) {
+  const iv = blob.slice(0, 16);
+  const ct = blob.slice(16);
+  const key = await crypto.subtle.importKey("raw", keyRaw, { name: "AES-CTR" }, false, ["decrypt"]);
+  const pt = await crypto.subtle.decrypt({ name: "AES-CTR", counter: iv, length: 128 }, key, ct);
+  return new Uint8Array(pt);
+}
+
+// src/player.ts
+function randHex(n) {
+  const b = new Uint8Array(n);
+  crypto.getRandomValues(b);
+  return [...b].map((x) => x.toString(16).padStart(2, "0")).join("");
+}
+
+class TegisPlayer {
+  cfg;
+  att;
+  attSes;
+  constructor(cfg) {
+    this.cfg = cfg;
+  }
+  get f() {
+    return this.cfg.fetchImpl ?? globalThis.fetch.bind(globalThis);
+  }
+  hdr(extra = {}) {
+    const h = { "content-type": "application/json", ...extra };
+    if (this.cfg.demoHeaders) {
+      h["x-aegis-tenant"] = this.cfg.tid;
+      if (this.cfg.clientIp)
+        h["x-aegis-client-ip"] = this.cfg.clientIp;
+    }
+    return h;
+  }
+  async post(path, body) {
+    const r = await this.f(this.cfg.mint + path, { method: "POST", headers: this.hdr(), body: JSON.stringify(body) });
+    return { status: r.status, json: await r.json().catch(() => ({})) };
+  }
+  handshake(att, ent, nonce, t) {
+    return (this.cfg.handshakeFn ?? ((a, e, n, tt) => handshake(this.cfg.handshakeSecret, a, e, n, tt)))(att, ent, nonce, t);
+  }
+  async prewarm(opts = {}) {
+    const ses = opts.ses ?? "ses_" + randHex(4);
+    const body = { ses, fph: opts.fph ?? "fp_" + ses };
+    if (opts.solution) {
+      body.nonce = opts.nonce;
+      body.solution = opts.solution;
+    }
+    if (opts.token)
+      body.token = opts.token;
+    const r = await this.post("/attest/v1/verify", body);
+    if (!r.json.att)
+      throw new Error("attestation failed: " + JSON.stringify(r.json));
+    this.att = r.json.att;
+    this.attSes = ses;
+    return this.att;
+  }
+  async mint(opts) {
+    const ses = this.attSes ?? opts.ses ?? "ses_" + randHex(4);
+    if (!this.att)
+      await this.prewarm({ ses, fph: opts.fph, token: opts.token });
+    const nonce = (await this.post("/mint/v1/nonce", { ses })).json.nonce;
+    const t = Math.floor(Date.now() / 1000);
+    const hs = await this.handshake(this.att, opts.entitlement, nonce, t);
+    const r = await this.post("/mint/v1", { assetId: opts.assetId, att: this.att, entitlement: opts.entitlement, nonce, handshake: hs, t });
+    if (r.status !== 200)
+      throw new Error("mint failed: " + r.status + " " + JSON.stringify(r.json));
+    return r.json;
+  }
+  async contentKey(assetId) {
+    const r = await this.f(`${this.cfg.mint}/key/v1/${assetId}?att=${this.att}`, { headers: this.hdr() });
+    if (r.status !== 200)
+      throw new Error("key fetch failed: " + r.status);
+    return unb64u((await r.json()).key);
+  }
+  async fetchBytes(url) {
+    const r = await this.f(url.startsWith("http") ? url : this.cfg.edge + url, { headers: this.hdr() });
+    if (r.status !== 200)
+      throw new Error("fetch failed " + r.status + ": " + url);
+    return new Uint8Array(await r.arrayBuffer());
+  }
+  async decryptedSegment(assetId, url, key) {
+    const k = key ?? await this.contentKey(assetId);
+    return decryptSegment(k, await this.fetchBytes(url));
+  }
+  async renew(playbackId, hbKeyB64u, progress) {
+    const hb = { pbk: playbackId, pos: progress.pos, seq: progress.seq, state: "playing", iat: Math.floor(Date.now() / 1000) };
+    const sig = await hbSign(hbKeyB64u, JSON.stringify(hb));
+    const r = await this.post("/mint/v1/renew", { playbackId, heartbeat: hb, sig });
+    if (r.status !== 200)
+      throw new Error("renew failed: " + r.status);
+    return r.json;
+  }
+  async play(video, opts) {
+    if (typeof MediaSource === "undefined")
+      throw new Error("MSE unavailable in this environment");
+    const g = await this.mint(opts);
+    const key = await this.contentKey(opts.assetId);
+    const ms = new MediaSource;
+    video.src = URL.createObjectURL(ms);
+    await new Promise((res) => ms.addEventListener("sourceopen", () => res(), { once: true }));
+    const mime = opts.mime ?? 'video/mp4; codecs="avc1.4d401e, mp4a.40.2"';
+    const sb = ms.addSourceBuffer(mime);
+    const append = (buf) => new Promise((res, rej) => {
+      sb.addEventListener("updateend", () => res(), { once: true });
+      sb.addEventListener("error", (e) => rej(e), { once: true });
+      sb.appendBuffer(buf);
+    });
+    await append(await this.fetchBytes(g.init));
+    for (const url of g.manifest) {
+      let seg;
+      try {
+        seg = await this.decryptedSegment(opts.assetId, url, key);
+      } catch {
+        break;
+      }
+      await append(seg);
+    }
+    ms.endOfStream();
+    await video.play().catch(() => {});
+    return g;
+  }
+}
+// src/handshake-wasm.ts
+async function loadWasmHandshake(secret, wasmBytes) {
+  const { instance } = await WebAssembly.instantiate(wasmBytes, {
+    env: { abort: () => {
+      throw new Error("wasm abort");
+    } }
+  });
+  const ex = instance.exports;
+  const te2 = new TextEncoder;
+  const mem = () => new Uint8Array(ex.memory.buffer);
+  function write(data) {
+    const p = ex.alloc(data.length);
+    mem().set(data, p);
+    return p;
+  }
+  function sha256(data) {
+    const p = write(data);
+    const out = ex.alloc(32);
+    ex.sha256(p, data.length, out);
+    return mem().slice(out, out + 32);
+  }
+  function hmac(key, msg) {
+    const kp = write(key);
+    const mp = write(msg);
+    const out = ex.alloc(32);
+    ex.hmac(kp, key.length, mp, msg.length, out);
+    return mem().slice(out, out + 32);
+  }
+  return async (att, ent, nonce, t) => {
+    const entDigest = b64u(sha256(te2.encode(ent)));
+    const msg = te2.encode(`${att}.${entDigest}.${nonce}.${t}`);
+    return b64u(hmac(secret, msg));
+  };
+}
+async function loadWhitenedHandshake(wasmBytes) {
+  const { instance } = await WebAssembly.instantiate(wasmBytes, {
+    env: { abort: () => {
+      throw new Error("wasm abort");
+    } }
+  });
+  const ex = instance.exports;
+  const te2 = new TextEncoder;
+  const mem = () => new Uint8Array(ex.memory.buffer);
+  function write(data) {
+    const p = ex.alloc(data.length);
+    mem().set(data, p);
+    return p;
+  }
+  function call(fn, data) {
+    const p = write(data);
+    const out = ex.alloc(32);
+    fn(p, data.length, out);
+    return mem().slice(out, out + 32);
+  }
+  return async (att, ent, nonce, t) => {
+    const entDigest = b64u(call(ex.sha256, te2.encode(ent)));
+    const msg = te2.encode(`${att}.${entDigest}.${nonce}.${t}`);
+    return b64u(call(ex.signKeyed, msg));
+  };
+}
 export {
   loadWhitenedHandshake,
   loadWasmHandshake,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tegis/player",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Tegis browser player SDK — attest → WASM handshake → mint → renew, with WebCrypto AES-CTR segment playback. Never holds a tenant key.",
   "type": "module",
   "license": "MIT",