npm - @ternent/seal - Versions diffs - 0.3.10 - Mend

@ternent/seal 0.3.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/README.md +258 -0
package/bin/seal +6 -0
package/dist/artifact.js +256 -0
package/dist/artifact.js.map +1 -0
package/dist/chunks/utils.es-ad8f1dc4.js +54 -0
package/dist/chunks/utils.es-ad8f1dc4.js.map +1 -0
package/dist/cli.js +441 -0
package/dist/cli.js.map +1 -0
package/dist/crypto.js +41 -0
package/dist/crypto.js.map +1 -0
package/dist/errors.js +65 -0
package/dist/errors.js.map +1 -0
package/dist/index.js +9 -0
package/dist/index.js.map +1 -0
package/dist/manifest.js +82 -0
package/dist/manifest.js.map +1 -0
package/dist/proof.js +237 -0
package/dist/proof.js.map +1 -0
package/package.json +59 -0

package/README.md ADDED Viewed

@@ -0,0 +1,258 @@
+# @ternent/seal-cli
+Seal signs files and manifests. It verifies artifacts offline. It emits portable proof JSON for legacy flows and recipient-targeted sealed artifacts for encrypted flows.
+## Install
+```bash
+pnpm add -D @ternent/seal-cli
+```
+## Environment
+Create a signer identity with Seal:
+```bash
+seal identity create --out identity.json
+```
+Create a mnemonic-backed identity and save the recovery phrase separately:
+```bash
+seal identity create --out identity.json --words 24 --mnemonic-out seal-seed-phrase.txt
+```
+`@ternent/seal-cli` reads signer material from a v2 identity JSON payload:
+```bash
+export SEAL_IDENTITY="$(cat identity.json)"
+# or
+export SEAL_IDENTITY_FILE="./identity.json"
+```
+## Commands
+```bash
+seal identity create --out identity.json
+seal identity create --out identity.json --words 24 --mnemonic-out seal-seed-phrase.txt
+seal manifest create --input apps/seal/dist --out apps/seal/dist/dist-manifest.json
+seal sign --input apps/seal/dist/dist-manifest.json --out apps/seal/dist/proof.json
+seal sign --input artifact.tar.gz --recipient age1... --recipient age1... --out artifact.seal.json
+seal verify --proof apps/seal/dist/proof.json --input apps/seal/dist/dist-manifest.json --json
+seal verify --artifact artifact.seal.json --json
+seal public-key --json
+```
+When one or more `--recipient` flags are provided, Seal encrypts the input bytes with `@ternent/armour`, then signs the unsigned artifact container. Recipient values are never serialized into the emitted artifact.
+## JavaScript API
+Create a Seal-compatible identity and persist it as the `SEAL_IDENTITY` payload:
+```ts
+import {
+  createSealIdentity,
+  createSealMnemonicIdentity,
+  exportIdentityJson,
+} from "@ternent/seal-cli";
+const identity = await createSealIdentity();
+const identityJson = exportIdentityJson(identity);
+const { identity: mnemonicIdentity, mnemonic } = await createSealMnemonicIdentity({ words: 24 });
+```
+Create and verify recipient-targeted artifacts:
+```ts
+import {
+  createSealArtifact,
+  decryptSealArtifactPayload,
+  verifySealArtifact,
+} from "@ternent/seal-cli/artifact";
+const artifact = await createSealArtifact({
+  signer: { identity },
+  subjectPath: "artifact.tar.gz",
+  payload: artifactBytes,
+  recipients: ["age1..."],
+});
+const verification = await verifySealArtifact(artifact);
+const plaintext = await decryptSealArtifactPayload({
+  artifact,
+  identity,
+});
+```
+## GitHub Actions
+Use the published GitHub Action:
+```yaml
+- name: Generate Seal artifacts
+  uses: samternent/seal-action@v2
+  env:
+    SEAL_IDENTITY: ${{ secrets.SEAL_IDENTITY }}
+  with:
+    assets-directory: dist
+    package-name: @ternent/seal-cli
+    package-version: latest
+```
+The action is intentionally narrow. Your workflow still needs to:
+- check out the repo
+- set up Node
+- build the static directory you want to sign
+Inputs:
+- `assets-directory`: built static directory to sign
+- `working-directory`: base directory for path resolution
+- `manifest-name`: manifest output filename
+- `proof-name`: proof output filename
+- `public-key-name`: public key output filename
+- `package-name`: npm package name to execute when `cli-command` is omitted
+- `package-version`: npm version or dist-tag to execute when `cli-command` is omitted
+- `cli-command`: command prefix used to invoke Seal
+Outputs:
+- `manifest-path`
+- `proof-path`
+- `public-key-path`
+The default path is npm-backed: if `cli-command` is empty, the action runs `npm exec --yes --package=<package-name>@<package-version> seal`.
+## Schemas
+Manifest:
+```json
+{
+  "version": "1",
+  "type": "seal-manifest",
+  "root": "dist",
+  "files": {
+    "assets/index.js": "sha256:..."
+  }
+}
+```
+Proof:
+```json
+{
+  "version": "2",
+  "type": "seal-proof",
+  "algorithm": "Ed25519",
+  "createdAt": "2026-03-13T00:00:00.000Z",
+  "subject": {
+    "kind": "manifest",
+    "path": "dist-manifest.json",
+    "hash": "sha256:..."
+  },
+  "signer": {
+    "publicKey": "BASE64URL-RAW-ED25519-PUBLIC-KEY",
+    "keyId": "..."
+  },
+  "signature": "..."
+}
+```
+Encrypted artifact:
+```json
+{
+  "version": "1",
+  "type": "seal-artifact",
+  "manifest": {
+    "version": "1",
+    "payloadType": "encrypted",
+    "payloadScheme": "age",
+    "payloadMode": "recipients",
+    "payloadEncoding": "armor",
+    "payloadHash": "sha256:..."
+  },
+  "payload": {
+    "type": "encrypted",
+    "scheme": "age",
+    "mode": "recipients",
+    "encoding": "armor",
+    "data": "-----BEGIN AGE ENCRYPTED FILE-----\n...\n-----END AGE ENCRYPTED FILE-----\n"
+  },
+  "proof": {
+    "version": "2",
+    "type": "seal-proof",
+    "algorithm": "Ed25519",
+    "createdAt": "2026-03-17T00:00:00.000Z",
+    "subject": {
+      "kind": "artifact",
+      "path": "artifact.tar.gz",
+      "hash": "sha256:..."
+    },
+    "signer": {
+      "publicKey": "BASE64URL-RAW-ED25519-PUBLIC-KEY",
+      "keyId": "..."
+    },
+    "signature": "..."
+  }
+}
+```
+Public key:
+```json
+{
+  "version": "2",
+  "type": "seal-public-key",
+  "algorithm": "Ed25519",
+  "publicKey": "BASE64URL-RAW-ED25519-PUBLIC-KEY",
+  "keyId": "..."
+}
+```
+Identity:
+```json
+{
+  "format": "ternent-identity",
+  "version": "2",
+  "algorithm": "Ed25519",
+  "createdAt": "2026-03-17T00:00:00.000Z",
+  "publicKey": "BASE64URL-RAW-ED25519-PUBLIC-KEY",
+  "keyId": "...",
+  "material": {
+    "kind": "seed",
+    "seed": "BASE64URL-RAW-32-BYTE-SEED"
+  }
+}
+```
+## Frontend Contract
+`apps/seal` verifies published artifacts by fetching:
+- `/dist-manifest.json`
+- `/proof.json`
+- `/public-key.json` (optional)
+Browser verification reuses `@ternent/seal-cli/proof`, `@ternent/seal-cli/crypto`, `@ternent/identity`, and `ternent-utils`.
+Validation rules:
+- parse `seal-proof`
+- recompute the fetched manifest hash from raw bytes
+- verify the embedded signature
+- verify `signer.keyId`
+- if `/public-key.json` exists, require its `publicKey` and `keyId` to match the proof signer
+## Exit Codes
+- `0` success
+- `1` general failure
+- `2` subject hash mismatch
+- `3` signature invalid
+- `4` invalid proof
+- `5` key or config error

package/bin/seal ADDED Viewed

@@ -0,0 +1,6 @@
+#!/usr/bin/env node
+import { runCli } from "../dist/cli.js";
+runCli(process.argv.slice(2)).then((exitCode) => {
+  process.exitCode = exitCode;
+});

package/dist/artifact.js ADDED Viewed

@@ -0,0 +1,256 @@
+import { initArmour, encryptForRecipients, decryptWithIdentity } from "@ternent/armour";
+import { c as canonicalStringify } from "./chunks/utils.es-ad8f1dc4.js";
+import { createSealHash, createSealProof, validateSealProofShape, verifySealProofSignature } from "./proof.js";
+import { toSealEncryptionError, unsupportedEncryptionModeError, toSealDecryptionError } from "./errors.js";
+import "./crypto.js";
+import "@ternent/identity";
+const utf8Encoder = new TextEncoder();
+const utf8Decoder = new TextDecoder();
+const SEAL_ARTIFACT_VERSION = "1";
+const SEAL_ARTIFACT_TYPE = "seal-artifact";
+const SEAL_ARTIFACT_MANIFEST_VERSION = "1";
+function isRecord(value) {
+  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
+}
+function hasOnlyKeys(value, allowed) {
+  return Object.keys(value).every((key) => allowed.includes(key));
+}
+function isSealHash(value) {
+  return typeof value === "string" && /^sha256:[0-9a-f]{64}$/.test(value);
+}
+function normalizeBytes(value) {
+  return value instanceof Uint8Array ? value : new Uint8Array(value);
+}
+function getSealArtifactUnsignedFields(artifact) {
+  return {
+    version: artifact.version,
+    type: artifact.type,
+    manifest: artifact.manifest,
+    payload: artifact.payload
+  };
+}
+function getUnsignedArtifactBytes(artifact) {
+  return utf8Encoder.encode(canonicalStringify(getSealArtifactUnsignedFields(artifact)));
+}
+async function createSealArtifact(input) {
+  const plaintext = normalizeBytes(input.payload);
+  try {
+    await initArmour();
+    const ciphertext = await encryptForRecipients({
+      recipients: input.recipients,
+      data: plaintext,
+      output: "armor"
+    });
+    const payloadData = utf8Decoder.decode(ciphertext);
+    const manifest = {
+      version: SEAL_ARTIFACT_MANIFEST_VERSION,
+      payloadType: "encrypted",
+      payloadScheme: "age",
+      payloadMode: "recipients",
+      payloadEncoding: "armor",
+      payloadHash: await createSealHash(ciphertext)
+    };
+    const payload = {
+      type: "encrypted",
+      scheme: "age",
+      mode: "recipients",
+      encoding: "armor",
+      data: payloadData
+    };
+    const unsignedArtifact = {
+      version: SEAL_ARTIFACT_VERSION,
+      type: SEAL_ARTIFACT_TYPE,
+      manifest,
+      payload
+    };
+    const proof = await createSealProof({
+      createdAt: input.createdAt,
+      signer: input.signer,
+      subject: {
+        kind: "artifact",
+        path: input.subjectPath,
+        hash: await createSealHash(getUnsignedArtifactBytes(unsignedArtifact))
+      }
+    });
+    return {
+      ...unsignedArtifact,
+      proof
+    };
+  } catch (error) {
+    throw toSealEncryptionError(error);
+  }
+}
+function validateSealArtifactShape(value) {
+  if (!isRecord(value)) {
+    return {
+      ok: false,
+      errors: ["Artifact must be a JSON object."],
+      artifact: null
+    };
+  }
+  const errors = [];
+  if (!hasOnlyKeys(value, ["version", "type", "manifest", "payload", "proof"])) {
+    errors.push("Artifact contains unsupported fields.");
+  }
+  if (value.version !== SEAL_ARTIFACT_VERSION) {
+    errors.push(`Artifact version must be ${SEAL_ARTIFACT_VERSION}.`);
+  }
+  if (value.type !== SEAL_ARTIFACT_TYPE) {
+    errors.push(`Artifact type must be ${SEAL_ARTIFACT_TYPE}.`);
+  }
+  if (!isRecord(value.manifest)) {
+    errors.push("Artifact manifest must be an object.");
+  }
+  if (!isRecord(value.payload)) {
+    errors.push("Artifact payload must be an object.");
+  }
+  if (!isRecord(value.proof)) {
+    errors.push("Artifact proof must be an object.");
+  }
+  if (errors.length > 0 || !isRecord(value.manifest) || !isRecord(value.payload) || !isRecord(value.proof)) {
+    return {
+      ok: false,
+      errors,
+      artifact: null
+    };
+  }
+  if (!hasOnlyKeys(value.manifest, [
+    "version",
+    "payloadType",
+    "payloadScheme",
+    "payloadMode",
+    "payloadEncoding",
+    "payloadHash"
+  ])) {
+    errors.push("Artifact manifest contains unsupported fields.");
+  }
+  if (!hasOnlyKeys(value.payload, ["type", "scheme", "mode", "encoding", "data"])) {
+    errors.push("Artifact payload contains unsupported fields.");
+  }
+  if (value.manifest.version !== SEAL_ARTIFACT_MANIFEST_VERSION) {
+    errors.push(`Artifact manifest version must be ${SEAL_ARTIFACT_MANIFEST_VERSION}.`);
+  }
+  if (value.manifest.payloadType !== "encrypted") {
+    errors.push("Artifact manifest payloadType must be encrypted.");
+  }
+  if (value.manifest.payloadScheme !== "age") {
+    errors.push("Artifact manifest payloadScheme must be age.");
+  }
+  if (value.manifest.payloadMode !== "recipients") {
+    errors.push("Artifact manifest payloadMode must be recipients.");
+  }
+  if (value.manifest.payloadEncoding !== "armor") {
+    errors.push("Artifact manifest payloadEncoding must be armor.");
+  }
+  if (!isSealHash(value.manifest.payloadHash)) {
+    errors.push("Artifact manifest payloadHash must be a sha256 hash.");
+  }
+  if (value.payload.type !== "encrypted") {
+    errors.push("Artifact payload type must be encrypted.");
+  }
+  if (value.payload.scheme !== "age") {
+    errors.push("Artifact payload scheme must be age.");
+  }
+  if (value.payload.mode !== "recipients") {
+    errors.push("Artifact payload mode must be recipients.");
+  }
+  if (value.payload.encoding !== "armor") {
+    errors.push("Artifact payload encoding must be armor.");
+  }
+  if (typeof value.payload.data !== "string" || value.payload.data.length === 0) {
+    errors.push("Artifact payload data must be a non-empty string.");
+  }
+  if (value.manifest.payloadType !== value.payload.type || value.manifest.payloadScheme !== value.payload.scheme || value.manifest.payloadMode !== value.payload.mode || value.manifest.payloadEncoding !== value.payload.encoding) {
+    errors.push("Artifact manifest and payload metadata must match.");
+  }
+  const proofValidation = validateSealProofShape(value.proof);
+  if (!proofValidation.ok || !proofValidation.proof) {
+    errors.push(...proofValidation.errors);
+  } else if (proofValidation.proof.subject.kind !== "artifact") {
+    errors.push("Artifact proof subject kind must be artifact.");
+  }
+  if (errors.length > 0) {
+    return {
+      ok: false,
+      errors,
+      artifact: null
+    };
+  }
+  return {
+    ok: true,
+    errors: [],
+    artifact: value
+  };
+}
+function parseSealArtifactJson(raw) {
+  try {
+    return validateSealArtifactShape(JSON.parse(raw));
+  } catch {
+    return {
+      ok: false,
+      errors: ["Artifact JSON is not valid JSON."],
+      artifact: null
+    };
+  }
+}
+async function verifySealArtifact(artifact) {
+  const validation = validateSealArtifactShape(artifact);
+  if (!validation.ok || !validation.artifact) {
+    return {
+      valid: false,
+      hashMatch: false,
+      signatureValid: false,
+      encrypted: true,
+      payloadScheme: "age",
+      payloadMode: "recipients",
+      keyId: "",
+      algorithm: "Ed25519",
+      subjectHash: "sha256:0000000000000000000000000000000000000000000000000000000000000000",
+      errors: validation.errors
+    };
+  }
+  const signatureCheck = await verifySealProofSignature(artifact.proof);
+  const subjectHash = await createSealHash(getUnsignedArtifactBytes(artifact));
+  const payloadHash = await createSealHash(utf8Encoder.encode(artifact.payload.data));
+  const artifactHashMatch = artifact.proof.subject.hash === subjectHash;
+  const payloadHashMatch = artifact.manifest.payloadHash === payloadHash;
+  const errors = [...signatureCheck.errors];
+  if (!artifactHashMatch) {
+    errors.push("Artifact hash does not match proof subject hash.");
+  }
+  if (!payloadHashMatch) {
+    errors.push("Encrypted payload hash does not match manifest payload hash.");
+  }
+  return {
+    valid: signatureCheck.ok && artifactHashMatch && payloadHashMatch,
+    hashMatch: artifactHashMatch && payloadHashMatch,
+    signatureValid: signatureCheck.ok,
+    encrypted: true,
+    payloadScheme: artifact.payload.scheme,
+    payloadMode: artifact.payload.mode,
+    keyId: artifact.proof.signer.keyId,
+    algorithm: artifact.proof.algorithm,
+    subjectHash,
+    errors
+  };
+}
+async function decryptSealArtifactPayload(input) {
+  const verification = await verifySealArtifact(input.artifact);
+  if (!verification.valid) {
+    throw new Error(verification.errors.join(" ") || "Artifact verification failed.");
+  }
+  if (input.artifact.payload.type !== "encrypted" || input.artifact.payload.scheme !== "age" || input.artifact.payload.mode !== "recipients" || input.artifact.payload.encoding !== "armor") {
+    throw unsupportedEncryptionModeError("Seal only supports age recipient-mode armored payloads.");
+  }
+  try {
+    await initArmour();
+    return await decryptWithIdentity({
+      identity: input.identity,
+      data: utf8Encoder.encode(input.artifact.payload.data)
+    });
+  } catch (error) {
+    throw toSealDecryptionError(error);
+  }
+}
+export { SEAL_ARTIFACT_MANIFEST_VERSION, SEAL_ARTIFACT_TYPE, SEAL_ARTIFACT_VERSION, createSealArtifact, decryptSealArtifactPayload, getSealArtifactUnsignedFields, parseSealArtifactJson, validateSealArtifactShape, verifySealArtifact };
+//# sourceMappingURL=artifact.js.map

package/dist/artifact.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"artifact.js","sources":["../src/artifact.ts"],"sourcesContent":["import {\n decryptWithIdentity,\n encryptForRecipients,\n initArmour,\n type ArmourIdentityInput,\n} from \"@ternent/armour\";\nimport { canonicalStringify } from \"ternent-utils\";\nimport type { SealHash } from \"./manifest\";\nimport {\n createSealHash,\n createSealProof,\n validateSealProofShape,\n verifySealProofSignature,\n type SealProofV1,\n} from \"./proof\";\nimport type { SealSignerInput } from \"./crypto\";\nimport {\n toSealDecryptionError,\n toSealEncryptionError,\n unsupportedEncryptionModeError,\n} from \"./errors\";\n\nconst utf8Encoder = new TextEncoder();\nconst utf8Decoder = new TextDecoder();\n\nexport const SEAL_ARTIFACT_VERSION = \"1\" as const;\nexport const SEAL_ARTIFACT_TYPE = \"seal-artifact\" as const;\nexport const SEAL_ARTIFACT_MANIFEST_VERSION = \"1\" as const;\n\nexport type SealArtifactManifestV1 = {\n version: typeof SEAL_ARTIFACT_MANIFEST_VERSION;\n payloadType: \"encrypted\";\n payloadScheme: \"age\";\n payloadMode: \"recipients\";\n payloadEncoding: \"armor\";\n payloadHash: SealHash;\n};\n\nexport type SealEncryptedPayloadV1 = {\n type: \"encrypted\";\n scheme: \"age\";\n mode: \"recipients\";\n encoding: \"armor\";\n data: string;\n};\n\nexport type SealArtifactUnsignedV1 = {\n version: typeof SEAL_ARTIFACT_VERSION;\n type: typeof SEAL_ARTIFACT_TYPE;\n manifest: SealArtifactManifestV1;\n payload: SealEncryptedPayloadV1;\n};\n\nexport type SealArtifactV1 = SealArtifactUnsignedV1 & {\n proof: SealProofV1;\n};\n\nexport type VerifySealArtifactResult = {\n valid: boolean;\n hashMatch: boolean;\n signatureValid: boolean;\n encrypted: boolean;\n payloadScheme: \"age\";\n payloadMode: \"recipients\";\n keyId: string;\n algorithm: SealProofV1[\"algorithm\"];\n subjectHash: SealHash;\n errors: string[];\n};\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n return Boolean(value) && typeof value === \"object\" && !Array.isArray(value);\n}\n\nfunction hasOnlyKeys(value: Record<string, unknown>, allowed: string[]): boolean {\n return Object.keys(value).every((key) => allowed.includes(key));\n}\n\nfunction isSealHash(value: unknown): value is SealHash {\n return typeof value === \"string\" && /^sha256:[0-9a-f]{64}$/.test(value);\n}\n\nfunction normalizeBytes(value: Uint8Array | ArrayBuffer): Uint8Array {\n return value instanceof Uint8Array ? value : new Uint8Array(value);\n}\n\nexport function getSealArtifactUnsignedFields(\n artifact: SealArtifactV1 | SealArtifactUnsignedV1,\n): SealArtifactUnsignedV1 {\n return {\n version: artifact.version,\n type: artifact.type,\n manifest: artifact.manifest,\n payload: artifact.payload,\n };\n}\n\nfunction getUnsignedArtifactBytes(artifact: SealArtifactV1 | SealArtifactUnsignedV1): Uint8Array {\n return utf8Encoder.encode(canonicalStringify(getSealArtifactUnsignedFields(artifact)));\n}\n\nexport async function createSealArtifact(input: {\n createdAt?: string;\n signer: SealSignerInput;\n subjectPath: string;\n payload: Uint8Array | ArrayBuffer;\n recipients: string[];\n}): Promise<SealArtifactV1> {\n const plaintext = normalizeBytes(input.payload);\n\n try {\n await initArmour();\n\n const ciphertext = await encryptForRecipients({\n recipients: input.recipients,\n data: plaintext,\n output: \"armor\",\n });\n const payloadData = utf8Decoder.decode(ciphertext);\n const manifest: SealArtifactManifestV1 = {\n version: SEAL_ARTIFACT_MANIFEST_VERSION,\n payloadType: \"encrypted\",\n payloadScheme: \"age\",\n payloadMode: \"recipients\",\n payloadEncoding: \"armor\",\n payloadHash: await createSealHash(ciphertext),\n };\n const payload: SealEncryptedPayloadV1 = {\n type: \"encrypted\",\n scheme: \"age\",\n mode: \"recipients\",\n encoding: \"armor\",\n data: payloadData,\n };\n const unsignedArtifact: SealArtifactUnsignedV1 = {\n version: SEAL_ARTIFACT_VERSION,\n type: SEAL_ARTIFACT_TYPE,\n manifest,\n payload,\n };\n\n const proof = await createSealProof({\n createdAt: input.createdAt,\n signer: input.signer,\n subject: {\n kind: \"artifact\",\n path: input.subjectPath,\n hash: await createSealHash(getUnsignedArtifactBytes(unsignedArtifact)),\n },\n });\n\n return {\n ...unsignedArtifact,\n proof,\n };\n } catch (error) {\n throw toSealEncryptionError(error);\n }\n}\n\nexport function validateSealArtifactShape(value: unknown): {\n ok: boolean;\n errors: string[];\n artifact: SealArtifactV1 | null;\n} {\n if (!isRecord(value)) {\n return {\n ok: false,\n errors: [\"Artifact must be a JSON object.\"],\n artifact: null,\n };\n }\n\n const errors: string[] = [];\n\n if (!hasOnlyKeys(value, [\"version\", \"type\", \"manifest\", \"payload\", \"proof\"])) {\n errors.push(\"Artifact contains unsupported fields.\");\n }\n if (value.version !== SEAL_ARTIFACT_VERSION) {\n errors.push(`Artifact version must be ${SEAL_ARTIFACT_VERSION}.`);\n }\n if (value.type !== SEAL_ARTIFACT_TYPE) {\n errors.push(`Artifact type must be ${SEAL_ARTIFACT_TYPE}.`);\n }\n if (!isRecord(value.manifest)) {\n errors.push(\"Artifact manifest must be an object.\");\n }\n if (!isRecord(value.payload)) {\n errors.push(\"Artifact payload must be an object.\");\n }\n if (!isRecord(value.proof)) {\n errors.push(\"Artifact proof must be an object.\");\n }\n\n if (\n errors.length > 0 ||\n !isRecord(value.manifest) ||\n !isRecord(value.payload) ||\n !isRecord(value.proof)\n ) {\n return {\n ok: false,\n errors,\n artifact: null,\n };\n }\n\n if (\n !hasOnlyKeys(value.manifest, [\n \"version\",\n \"payloadType\",\n \"payloadScheme\",\n \"payloadMode\",\n \"payloadEncoding\",\n \"payloadHash\",\n ])\n ) {\n errors.push(\"Artifact manifest contains unsupported fields.\");\n }\n if (!hasOnlyKeys(value.payload, [\"type\", \"scheme\", \"mode\", \"encoding\", \"data\"])) {\n errors.push(\"Artifact payload contains unsupported fields.\");\n }\n\n if (value.manifest.version !== SEAL_ARTIFACT_MANIFEST_VERSION) {\n errors.push(`Artifact manifest version must be ${SEAL_ARTIFACT_MANIFEST_VERSION}.`);\n }\n if (value.manifest.payloadType !== \"encrypted\") {\n errors.push(\"Artifact manifest payloadType must be encrypted.\");\n }\n if (value.manifest.payloadScheme !== \"age\") {\n errors.push(\"Artifact manifest payloadScheme must be age.\");\n }\n if (value.manifest.payloadMode !== \"recipients\") {\n errors.push(\"Artifact manifest payloadMode must be recipients.\");\n }\n if (value.manifest.payloadEncoding !== \"armor\") {\n errors.push(\"Artifact manifest payloadEncoding must be armor.\");\n }\n if (!isSealHash(value.manifest.payloadHash)) {\n errors.push(\"Artifact manifest payloadHash must be a sha256 hash.\");\n }\n\n if (value.payload.type !== \"encrypted\") {\n errors.push(\"Artifact payload type must be encrypted.\");\n }\n if (value.payload.scheme !== \"age\") {\n errors.push(\"Artifact payload scheme must be age.\");\n }\n if (value.payload.mode !== \"recipients\") {\n errors.push(\"Artifact payload mode must be recipients.\");\n }\n if (value.payload.encoding !== \"armor\") {\n errors.push(\"Artifact payload encoding must be armor.\");\n }\n if (typeof value.payload.data !== \"string\" || value.payload.data.length === 0) {\n errors.push(\"Artifact payload data must be a non-empty string.\");\n }\n\n if (\n value.manifest.payloadType !== value.payload.type ||\n value.manifest.payloadScheme !== value.payload.scheme ||\n value.manifest.payloadMode !== value.payload.mode ||\n value.manifest.payloadEncoding !== value.payload.encoding\n ) {\n errors.push(\"Artifact manifest and payload metadata must match.\");\n }\n\n const proofValidation = validateSealProofShape(value.proof);\n if (!proofValidation.ok || !proofValidation.proof) {\n errors.push(...proofValidation.errors);\n } else if (proofValidation.proof.subject.kind !== \"artifact\") {\n errors.push(\"Artifact proof subject kind must be artifact.\");\n }\n\n if (errors.length > 0) {\n return {\n ok: false,\n errors,\n artifact: null,\n };\n }\n\n return {\n ok: true,\n errors: [],\n artifact: value as SealArtifactV1,\n };\n}\n\nexport function parseSealArtifactJson(raw: string): {\n ok: boolean;\n errors: string[];\n artifact: SealArtifactV1 | null;\n} {\n try {\n return validateSealArtifactShape(JSON.parse(raw));\n } catch {\n return {\n ok: false,\n errors: [\"Artifact JSON is not valid JSON.\"],\n artifact: null,\n };\n }\n}\n\nexport async function verifySealArtifact(\n artifact: SealArtifactV1,\n): Promise<VerifySealArtifactResult> {\n const validation = validateSealArtifactShape(artifact);\n if (!validation.ok || !validation.artifact) {\n return {\n valid: false,\n hashMatch: false,\n signatureValid: false,\n encrypted: true,\n payloadScheme: \"age\",\n payloadMode: \"recipients\",\n keyId: \"\",\n algorithm: \"Ed25519\",\n subjectHash: \"sha256:0000000000000000000000000000000000000000000000000000000000000000\",\n errors: validation.errors,\n };\n }\n\n const signatureCheck = await verifySealProofSignature(artifact.proof);\n const subjectHash = await createSealHash(getUnsignedArtifactBytes(artifact));\n const payloadHash = await createSealHash(utf8Encoder.encode(artifact.payload.data));\n const artifactHashMatch = artifact.proof.subject.hash === subjectHash;\n const payloadHashMatch = artifact.manifest.payloadHash === payloadHash;\n const errors = [...signatureCheck.errors];\n\n if (!artifactHashMatch) {\n errors.push(\"Artifact hash does not match proof subject hash.\");\n }\n if (!payloadHashMatch) {\n errors.push(\"Encrypted payload hash does not match manifest payload hash.\");\n }\n\n return {\n valid: signatureCheck.ok && artifactHashMatch && payloadHashMatch,\n hashMatch: artifactHashMatch && payloadHashMatch,\n signatureValid: signatureCheck.ok,\n encrypted: true,\n payloadScheme: artifact.payload.scheme,\n payloadMode: artifact.payload.mode,\n keyId: artifact.proof.signer.keyId,\n algorithm: artifact.proof.algorithm,\n subjectHash,\n errors,\n };\n}\n\nexport async function decryptSealArtifactPayload(input: {\n artifact: SealArtifactV1;\n identity: ArmourIdentityInput;\n}): Promise<Uint8Array> {\n const verification = await verifySealArtifact(input.artifact);\n if (!verification.valid) {\n throw new Error(verification.errors.join(\" \") || \"Artifact verification failed.\");\n }\n\n if (\n input.artifact.payload.type !== \"encrypted\" ||\n input.artifact.payload.scheme !== \"age\" ||\n input.artifact.payload.mode !== \"recipients\" ||\n input.artifact.payload.encoding !== \"armor\"\n ) {\n throw unsupportedEncryptionModeError(\"Seal only supports age recipient-mode armored payloads.\");\n }\n\n try {\n await initArmour();\n return await decryptWithIdentity({\n identity: input.identity,\n data: utf8Encoder.encode(input.artifact.payload.data),\n });\n } catch (error) {\n throw toSealDecryptionError(error);\n }\n}\n"],"names":[],"mappings":";;;;;;AAsBA,MAAM,cAAc,IAAI;AACxB,MAAM,cAAc,IAAI;AAEjB,MAAM,wBAAwB;AAC9B,MAAM,qBAAqB;AAC3B,MAAM,iCAAiC;AA2C9C,SAAS,SAAS,OAAkD;AAC3D,SAAA,QAAQ,KAAK,KAAK,OAAO,UAAU,YAAY,CAAC,MAAM,QAAQ,KAAK;AAC5E;AAEA,SAAS,YAAY,OAAgC,SAA4B;AACxE,SAAA,OAAO,KAAK,KAAK,EAAE,MAAM,CAAC,QAAQ,QAAQ,SAAS,GAAG,CAAC;AAChE;AAEA,SAAS,WAAW,OAAmC;AACrD,SAAO,OAAO,UAAU,YAAY,wBAAwB,KAAK,KAAK;AACxE;AAEA,SAAS,eAAe,OAA6C;AACnE,SAAO,iBAAiB,aAAa,QAAQ,IAAI,WAAW,KAAK;AACnE;AAEO,SAAS,8BACd,UACwB;AACjB,SAAA;AAAA,IACL,SAAS,SAAS;AAAA,IAClB,MAAM,SAAS;AAAA,IACf,UAAU,SAAS;AAAA,IACnB,SAAS,SAAS;AAAA,EAAA;AAEtB;AAEA,SAAS,yBAAyB,UAA+D;AAC/F,SAAO,YAAY,OAAO,mBAAmB,8BAA8B,QAAQ,CAAC,CAAC;AACvF;AAEA,eAAsB,mBAAmB,OAMb;AACpB,QAAA,YAAY,eAAe,MAAM,OAAO;AAE1C,MAAA;AACF,UAAM,WAAW;AAEX,UAAA,aAAa,MAAM,qBAAqB;AAAA,MAC5C,YAAY,MAAM;AAAA,MAClB,MAAM;AAAA,MACN,QAAQ;AAAA,IAAA,CACT;AACK,UAAA,cAAc,YAAY,OAAO,UAAU;AACjD,UAAM,WAAmC;AAAA,MACvC,SAAS;AAAA,MACT,aAAa;AAAA,MACb,eAAe;AAAA,MACf,aAAa;AAAA,MACb,iBAAiB;AAAA,MACjB,aAAa,MAAM,eAAe,UAAU;AAAA,IAAA;AAE9C,UAAM,UAAkC;AAAA,MACtC,MAAM;AAAA,MACN,QAAQ;AAAA,MACR,MAAM;AAAA,MACN,UAAU;AAAA,MACV,MAAM;AAAA,IAAA;AAER,UAAM,mBAA2C;AAAA,MAC/C,SAAS;AAAA,MACT,MAAM;AAAA,MACN;AAAA,MACA;AAAA,IAAA;AAGI,UAAA,QAAQ,MAAM,gBAAgB;AAAA,MAClC,WAAW,MAAM;AAAA,MACjB,QAAQ,MAAM;AAAA,MACd,SAAS;AAAA,QACP,MAAM;AAAA,QACN,MAAM,MAAM;AAAA,QACZ,MAAM,MAAM,eAAe,yBAAyB,gBAAgB,CAAC;AAAA,MACvE;AAAA,IAAA,CACD;AAEM,WAAA;AAAA,MACL,GAAG;AAAA,MACH;AAAA,IAAA;AAAA,WAEK;AACP,UAAM,sBAAsB,KAAK;AAAA,EACnC;AACF;AAEO,SAAS,0BAA0B,OAIxC;AACI,MAAA,CAAC,SAAS,KAAK,GAAG;AACb,WAAA;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,CAAC,iCAAiC;AAAA,MAC1C,UAAU;AAAA,IAAA;AAAA,EAEd;AAEA,QAAM,SAAmB,CAAA;AAErB,MAAA,CAAC,YAAY,OAAO,CAAC,WAAW,QAAQ,YAAY,WAAW,OAAO,CAAC,GAAG;AAC5E,WAAO,KAAK,uCAAuC;AAAA,EACrD;AACI,MAAA,MAAM,YAAY,uBAAuB;AACpC,WAAA,KAAK,4BAA4B,wBAAwB;AAAA,EAClE;AACI,MAAA,MAAM,SAAS,oBAAoB;AAC9B,WAAA,KAAK,yBAAyB,qBAAqB;AAAA,EAC5D;AACA,MAAI,CAAC,SAAS,MAAM,QAAQ,GAAG;AAC7B,WAAO,KAAK,sCAAsC;AAAA,EACpD;AACA,MAAI,CAAC,SAAS,MAAM,OAAO,GAAG;AAC5B,WAAO,KAAK,qCAAqC;AAAA,EACnD;AACA,MAAI,CAAC,SAAS,MAAM,KAAK,GAAG;AAC1B,WAAO,KAAK,mCAAmC;AAAA,EACjD;AAEA,MACE,OAAO,SAAS,KAChB,CAAC,SAAS,MAAM,QAAQ,KACxB,CAAC,SAAS,MAAM,OAAO,KACvB,CAAC,SAAS,MAAM,KAAK,GACrB;AACO,WAAA;AAAA,MACL,IAAI;AAAA,MACJ;AAAA,MACA,UAAU;AAAA,IAAA;AAAA,EAEd;AAGE,MAAA,CAAC,YAAY,MAAM,UAAU;AAAA,IAC3B;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,EAAA,CACD,GACD;AACA,WAAO,KAAK,gDAAgD;AAAA,EAC9D;AACI,MAAA,CAAC,YAAY,MAAM,SAAS,CAAC,QAAQ,UAAU,QAAQ,YAAY,MAAM,CAAC,GAAG;AAC/E,WAAO,KAAK,+CAA+C;AAAA,EAC7D;AAEI,MAAA,MAAM,SAAS,YAAY,gCAAgC;AACtD,WAAA,KAAK,qCAAqC,iCAAiC;AAAA,EACpF;AACI,MAAA,MAAM,SAAS,gBAAgB,aAAa;AAC9C,WAAO,KAAK,kDAAkD;AAAA,EAChE;AACI,MAAA,MAAM,SAAS,kBAAkB,OAAO;AAC1C,WAAO,KAAK,8CAA8C;AAAA,EAC5D;AACI,MAAA,MAAM,SAAS,gBAAgB,cAAc;AAC/C,WAAO,KAAK,mDAAmD;AAAA,EACjE;AACI,MAAA,MAAM,SAAS,oBAAoB,SAAS;AAC9C,WAAO,KAAK,kDAAkD;AAAA,EAChE;AACA,MAAI,CAAC,WAAW,MAAM,SAAS,WAAW,GAAG;AAC3C,WAAO,KAAK,sDAAsD;AAAA,EACpE;AAEI,MAAA,MAAM,QAAQ,SAAS,aAAa;AACtC,WAAO,KAAK,0CAA0C;AAAA,EACxD;AACI,MAAA,MAAM,QAAQ,WAAW,OAAO;AAClC,WAAO,KAAK,sCAAsC;AAAA,EACpD;AACI,MAAA,MAAM,QAAQ,SAAS,cAAc;AACvC,WAAO,KAAK,2CAA2C;AAAA,EACzD;AACI,MAAA,MAAM,QAAQ,aAAa,SAAS;AACtC,WAAO,KAAK,0CAA0C;AAAA,EACxD;AACI,MAAA,OAAO,MAAM,QAAQ,SAAS,YAAY,MAAM,QAAQ,KAAK,WAAW,GAAG;AAC7E,WAAO,KAAK,mDAAmD;AAAA,EACjE;AAGE,MAAA,MAAM,SAAS,gBAAgB,MAAM,QAAQ,QAC7C,MAAM,SAAS,kBAAkB,MAAM,QAAQ,UAC/C,MAAM,SAAS,gBAAgB,MAAM,QAAQ,QAC7C,MAAM,SAAS,oBAAoB,MAAM,QAAQ,UACjD;AACA,WAAO,KAAK,oDAAoD;AAAA,EAClE;AAEM,QAAA,kBAAkB,uBAAuB,MAAM,KAAK;AAC1D,MAAI,CAAC,gBAAgB,MAAM,CAAC,gBAAgB,OAAO;AAC1C,WAAA,KAAK,GAAG,gBAAgB,MAAM;AAAA,EAC5B,WAAA,gBAAgB,MAAM,QAAQ,SAAS,YAAY;AAC5D,WAAO,KAAK,+CAA+C;AAAA,EAC7D;AAEI,MAAA,OAAO,SAAS,GAAG;AACd,WAAA;AAAA,MACL,IAAI;AAAA,MACJ;AAAA,MACA,UAAU;AAAA,IAAA;AAAA,EAEd;AAEO,SAAA;AAAA,IACL,IAAI;AAAA,IACJ,QAAQ,CAAC;AAAA,IACT,UAAU;AAAA,EAAA;AAEd;AAEO,SAAS,sBAAsB,KAIpC;AACI,MAAA;AACF,WAAO,0BAA0B,KAAK,MAAM,GAAG,CAAC;AAAA,EAAA,QAChD;AACO,WAAA;AAAA,MACL,IAAI;AAAA,MACJ,QAAQ,CAAC,kCAAkC;AAAA,MAC3C,UAAU;AAAA,IAAA;AAAA,EAEd;AACF;AAEA,eAAsB,mBACpB,UACmC;AAC7B,QAAA,aAAa,0BAA0B,QAAQ;AACrD,MAAI,CAAC,WAAW,MAAM,CAAC,WAAW,UAAU;AACnC,WAAA;AAAA,MACL,OAAO;AAAA,MACP,WAAW;AAAA,MACX,gBAAgB;AAAA,MAChB,WAAW;AAAA,MACX,eAAe;AAAA,MACf,aAAa;AAAA,MACb,OAAO;AAAA,MACP,WAAW;AAAA,MACX,aAAa;AAAA,MACb,QAAQ,WAAW;AAAA,IAAA;AAAA,EAEvB;AAEA,QAAM,iBAAiB,MAAM,yBAAyB,SAAS,KAAK;AACpE,QAAM,cAAc,MAAM,eAAe,yBAAyB,QAAQ,CAAC;AACrE,QAAA,cAAc,MAAM,eAAe,YAAY,OAAO,SAAS,QAAQ,IAAI,CAAC;AAClF,QAAM,oBAAoB,SAAS,MAAM,QAAQ,SAAS;AACpD,QAAA,mBAAmB,SAAS,SAAS,gBAAgB;AAC3D,QAAM,SAAS,CAAC,GAAG,eAAe,MAAM;AAExC,MAAI,CAAC,mBAAmB;AACtB,WAAO,KAAK,kDAAkD;AAAA,EAChE;AACA,MAAI,CAAC,kBAAkB;AACrB,WAAO,KAAK,8DAA8D;AAAA,EAC5E;AAEO,SAAA;AAAA,IACL,OAAO,eAAe,MAAM,qBAAqB;AAAA,IACjD,WAAW,qBAAqB;AAAA,IAChC,gBAAgB,eAAe;AAAA,IAC/B,WAAW;AAAA,IACX,eAAe,SAAS,QAAQ;AAAA,IAChC,aAAa,SAAS,QAAQ;AAAA,IAC9B,OAAO,SAAS,MAAM,OAAO;AAAA,IAC7B,WAAW,SAAS,MAAM;AAAA,IAC1B;AAAA,IACA;AAAA,EAAA;AAEJ;AAEA,eAAsB,2BAA2B,OAGzB;AACtB,QAAM,eAAe,MAAM,mBAAmB,MAAM,QAAQ;AACxD,MAAA,CAAC,aAAa,OAAO;AACvB,UAAM,IAAI,MAAM,aAAa,OAAO,KAAK,GAAG,KAAK,+BAA+B;AAAA,EAClF;AAEA,MACE,MAAM,SAAS,QAAQ,SAAS,eAChC,MAAM,SAAS,QAAQ,WAAW,SAClC,MAAM,SAAS,QAAQ,SAAS,gBAChC,MAAM,SAAS,QAAQ,aAAa,SACpC;AACA,UAAM,+BAA+B,yDAAyD;AAAA,EAChG;AAEI,MAAA;AACF,UAAM,WAAW;AACjB,WAAO,MAAM,oBAAoB;AAAA,MAC/B,UAAU,MAAM;AAAA,MAChB,MAAM,YAAY,OAAO,MAAM,SAAS,QAAQ,IAAI;AAAA,IAAA,CACrD;AAAA,WACM;AACP,UAAM,sBAAsB,KAAK;AAAA,EACnC;AACF;;"}

package/dist/chunks/utils.es-ad8f1dc4.js ADDED Viewed

@@ -0,0 +1,54 @@
+function toCryptoBuffer(data) {
+  const bytes = data instanceof Uint8Array ? data : new Uint8Array(data);
+  return Uint8Array.from(bytes).buffer;
+}
+function getHashArray(hash) {
+  return Array.from(new Uint8Array(hash));
+}
+function getHashHex(hash) {
+  return hash.map((buf) => buf.toString(16).padStart(2, "0")).join("");
+}
+function canonicalize(value, seen) {
+  if (value === void 0) {
+    throw new TypeError("Cannot hash undefined");
+  }
+  const valueType = typeof value;
+  if (valueType === "function" || valueType === "symbol") {
+    throw new TypeError(`Cannot hash ${valueType} values`);
+  }
+  if (value === null || valueType === "string" || valueType === "number" || valueType === "boolean") {
+    return value;
+  }
+  if (valueType === "bigint") {
+    throw new TypeError("Cannot hash bigint values");
+  }
+  if (typeof value.toJSON === "function") {
+    return canonicalize(value.toJSON(), seen);
+  }
+  if (Array.isArray(value)) {
+    return value.map((item) => canonicalize(item, seen));
+  }
+  if (typeof value === "object") {
+    if (seen.has(value)) {
+      throw new TypeError("Cannot hash circular references");
+    }
+    seen.add(value);
+    const entries = Object.keys(value).sort();
+    const result = {};
+    for (const key of entries) {
+      result[key] = canonicalize(value[key], seen);
+    }
+    seen.delete(value);
+    return result;
+  }
+  throw new TypeError(`Cannot hash unsupported value type: ${valueType}`);
+}
+function canonicalStringify(data) {
+  return JSON.stringify(canonicalize(data, /* @__PURE__ */ new WeakSet()));
+}
+async function hashBytes(input) {
+  const hashBuffer = await crypto.subtle.digest("SHA-256", toCryptoBuffer(input));
+  return getHashHex(getHashArray(hashBuffer));
+}
+export { canonicalStringify as c, hashBytes as h };
+//# sourceMappingURL=utils.es-ad8f1dc4.js.map

package/dist/chunks/utils.es-ad8f1dc4.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"utils.es-ad8f1dc4.js","sources":["../../../utils/dist/utils.es.js"],"sourcesContent":["function getBufferCtor() {\n const maybeBuffer = globalThis.Buffer;\n return maybeBuffer != null ? maybeBuffer : null;\n}\nfunction addNewLines(str) {\n let finalString = \"\";\n while (str.length > 0) {\n finalString += str.substring(0, 64) + \"\\n\";\n str = str.substring(64);\n }\n return finalString;\n}\nfunction removeLines(str) {\n return str.replaceAll(\"\\n\", \"\");\n}\nfunction stripIdentityKey(key) {\n return key.replace(\"-----BEGIN PUBLIC KEY-----\\n\", \"\").replace(\"\\n-----END PUBLIC KEY-----\", \"\");\n}\nfunction formatIdentityKey(key) {\n return `-----BEGIN PUBLIC KEY-----\n${key}\n-----END PUBLIC KEY-----`;\n}\nfunction stripEncryptionFile(file) {\n return file.replace(\"-----BEGIN AGE ENCRYPTED FILE-----\\n\", \"\").replace(\"\\n-----END AGE ENCRYPTED FILE-----\\n\", \"\");\n}\nfunction formatEncryptionFile(file) {\n return `-----BEGIN AGE ENCRYPTED FILE-----\n${file}\n-----END AGE ENCRYPTED FILE-----\n`;\n}\nfunction generateId() {\n const uint32 = crypto.getRandomValues(new Uint32Array(1))[0];\n return uint32.toString(16);\n}\nfunction arrayBufferToBase64(arrayBuffer) {\n const byteArray = new Uint8Array(arrayBuffer);\n const bufferCtor = getBufferCtor();\n if (bufferCtor) {\n return bufferCtor.from(byteArray).toString(\"base64\");\n }\n let byteString = \"\";\n for (let i = 0; i < byteArray.byteLength; i++) {\n byteString += String.fromCharCode(byteArray[i]);\n }\n return btoa(byteString);\n}\nfunction base64ToArrayBuffer(b64) {\n const bufferCtor = getBufferCtor();\n if (bufferCtor) {\n const bytes = Uint8Array.from(\n bufferCtor.from(b64, \"base64\").toString(\"binary\"),\n (char) => char.charCodeAt(0)\n );\n return bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);\n }\n const byteString = atob(b64);\n const byteArray = new Uint8Array(byteString.length);\n for (let i = 0; i < byteString.length; i++) {\n byteArray[i] = byteString.charCodeAt(i);\n }\n return byteArray.buffer;\n}\nfunction b64encode(buf) {\n return arrayBufferToBase64(buf);\n}\nfunction b64decode(str) {\n return base64ToArrayBuffer(str);\n}\nfunction encode(data) {\n const payload = typeof data === \"string\" ? data : JSON.stringify(data);\n return new TextEncoder().encode(payload);\n}\nfunction decode(data) {\n return new TextDecoder(\"utf-8\").decode(new Uint8Array(data));\n}\nfunction toCryptoBuffer(data) {\n const bytes = data instanceof Uint8Array ? data : new Uint8Array(data);\n return Uint8Array.from(bytes).buffer;\n}\nfunction getHashBuffer(data) {\n return crypto.subtle.digest(\"SHA-256\", toCryptoBuffer(encode(data)));\n}\nfunction getHashArray(hash) {\n return Array.from(new Uint8Array(hash));\n}\nfunction getHashHex(hash) {\n return hash.map((buf) => buf.toString(16).padStart(2, \"0\")).join(\"\");\n}\nfunction canonicalize(value, seen) {\n if (value === void 0) {\n throw new TypeError(\"Cannot hash undefined\");\n }\n const valueType = typeof value;\n if (valueType === \"function\" || valueType === \"symbol\") {\n throw new TypeError(`Cannot hash ${valueType} values`);\n }\n if (value === null || valueType === \"string\" || valueType === \"number\" || valueType === \"boolean\") {\n return value;\n }\n if (valueType === \"bigint\") {\n throw new TypeError(\"Cannot hash bigint values\");\n }\n if (typeof value.toJSON === \"function\") {\n return canonicalize(value.toJSON(), seen);\n }\n if (Array.isArray(value)) {\n return value.map((item) => canonicalize(item, seen));\n }\n if (typeof value === \"object\") {\n if (seen.has(value)) {\n throw new TypeError(\"Cannot hash circular references\");\n }\n seen.add(value);\n const entries = Object.keys(value).sort();\n const result = {};\n for (const key of entries) {\n result[key] = canonicalize(value[key], seen);\n }\n seen.delete(value);\n return result;\n }\n throw new TypeError(`Cannot hash unsupported value type: ${valueType}`);\n}\nfunction canonicalStringify(data) {\n return JSON.stringify(canonicalize(data, /* @__PURE__ */ new WeakSet()));\n}\nasync function hashData(data) {\n const hash_buffer = await getHashBuffer(canonicalStringify(data));\n const hash_array = getHashArray(hash_buffer);\n return getHashHex(hash_array);\n}\nasync function hashBytes(input) {\n const hashBuffer = await crypto.subtle.digest(\"SHA-256\", toCryptoBuffer(input));\n return getHashHex(getHashArray(hashBuffer));\n}\nfunction generateColorStops(primaryColor, secondaryColor, steps) {\n const colors = [];\n for (let i = 0; i <= steps; i++) {\n const ratio = i / steps;\n const color = lerpColor(primaryColor, secondaryColor, ratio);\n colors.push(color);\n }\n return colors;\n}\nfunction lerpColor(color1, color2, ratio) {\n const r1 = parseInt(color1.substring(1, 3), 16);\n const g1 = parseInt(color1.substring(3, 5), 16);\n const b1 = parseInt(color1.substring(5, 7), 16);\n const r2 = parseInt(color2.substring(1, 3), 16);\n const g2 = parseInt(color2.substring(3, 5), 16);\n const b2 = parseInt(color2.substring(5, 7), 16);\n const r = Math.round(r1 + (r2 - r1) * ratio);\n const g = Math.round(g1 + (g2 - g1) * ratio);\n const b = Math.round(b1 + (b2 - b1) * ratio);\n return `#${(1 << 24 | r << 16 | g << 8 | b).toString(16).slice(1).toUpperCase()}`;\n}\nexport { addNewLines, arrayBufferToBase64, b64decode, b64encode, base64ToArrayBuffer, canonicalStringify, decode, encode, formatEncryptionFile, formatIdentityKey, generateColorStops, generateId, getHashArray, getHashBuffer, getHashHex, hashBytes, hashData, removeLines, stripEncryptionFile, stripIdentityKey };\n"],"names":[],"mappings":"AA6EA,SAAS,eAAe,MAAM;AAC5B,QAAM,QAAQ,gBAAgB,aAAa,OAAO,IAAI,WAAW,IAAI;AACrE,SAAO,WAAW,KAAK,KAAK,EAAE;AAChC;AAIA,SAAS,aAAa,MAAM;AAC1B,SAAO,MAAM,KAAK,IAAI,WAAW,IAAI,CAAC;AACxC;AACA,SAAS,WAAW,MAAM;AACxB,SAAO,KAAK,IAAI,CAAC,QAAQ,IAAI,SAAS,EAAE,EAAE,SAAS,GAAG,GAAG,CAAC,EAAE,KAAK,EAAE;AACrE;AACA,SAAS,aAAa,OAAO,MAAM;AACjC,MAAI,UAAU,QAAQ;AACpB,UAAM,IAAI,UAAU,uBAAuB;AAAA,EAC5C;AACD,QAAM,YAAY,OAAO;AACzB,MAAI,cAAc,cAAc,cAAc,UAAU;AACtD,UAAM,IAAI,UAAU,eAAe,kBAAkB;AAAA,EACtD;AACD,MAAI,UAAU,QAAQ,cAAc,YAAY,cAAc,YAAY,cAAc,WAAW;AACjG,WAAO;AAAA,EACR;AACD,MAAI,cAAc,UAAU;AAC1B,UAAM,IAAI,UAAU,2BAA2B;AAAA,EAChD;AACD,MAAI,OAAO,MAAM,WAAW,YAAY;AACtC,WAAO,aAAa,MAAM,OAAQ,GAAE,IAAI;AAAA,EACzC;AACD,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,IAAI,CAAC,SAAS,aAAa,MAAM,IAAI,CAAC;AAAA,EACpD;AACD,MAAI,OAAO,UAAU,UAAU;AAC7B,QAAI,KAAK,IAAI,KAAK,GAAG;AACnB,YAAM,IAAI,UAAU,iCAAiC;AAAA,IACtD;AACD,SAAK,IAAI,KAAK;AACd,UAAM,UAAU,OAAO,KAAK,KAAK,EAAE,KAAI;AACvC,UAAM,SAAS,CAAA;AACf,eAAW,OAAO,SAAS;AACzB,aAAO,OAAO,aAAa,MAAM,MAAM,IAAI;AAAA,IAC5C;AACD,SAAK,OAAO,KAAK;AACjB,WAAO;AAAA,EACR;AACD,QAAM,IAAI,UAAU,uCAAuC,WAAW;AACxE;AACA,SAAS,mBAAmB,MAAM;AAChC,SAAO,KAAK,UAAU,aAAa,MAAsB,oBAAI,QAAS,CAAA,CAAC;AACzE;AAMA,eAAe,UAAU,OAAO;AAC9B,QAAM,aAAa,MAAM,OAAO,OAAO,OAAO,WAAW,eAAe,KAAK,CAAC;AAC9E,SAAO,WAAW,aAAa,UAAU,CAAC;AAC5C;;"}