secretless-ai 0.17.0 → 0.18.0

package/README.md

@@ -1,20 +1,25 @@
-> **[OpenA2A](https://github.com/opena2a-org/opena2a)**: [CLI](https://github.com/opena2a-org/opena2a) · [HackMyAgent](https://github.com/opena2a-org/hackmyagent) · [Secretless](https://github.com/opena2a-org/secretless-ai) · [AIM](https://github.com/opena2a-org/agent-identity-management) · [Browser Guard](https://github.com/opena2a-org/AI-BrowserGuard) · [DVAA](https://github.com/opena2a-org/damn-vulnerable-ai-agent)
 # secretless-ai
 
+[![Status: stable](https://img.shields.io/badge/status-stable-green)](./STATUS.md)
+
+> **[OpenA2A](https://github.com/opena2a-org/opena2a)**: [CLI](https://github.com/opena2a-org/opena2a) · [HackMyAgent](https://github.com/opena2a-org/hackmyagent) · [Secretless](https://github.com/opena2a-org/secretless-ai) · [AIM](https://github.com/opena2a-org/agent-identity-management) · [Browser Guard](https://github.com/opena2a-org/AI-BrowserGuard) · [DVAA](https://github.com/opena2a-org/damn-vulnerable-ai-agent)
+
+Keep API keys and other secrets invisible to AI coding tools. Works with Claude Code, Cursor, GitHub Copilot, Windsurf, Cline, and Aider. Apache 2.0.
+
 [![npm version](https://img.shields.io/npm/v/secretless-ai.svg)](https://www.npmjs.com/package/secretless-ai)
-[![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
-[![Tests](https://img.shields.io/badge/tests-988-brightgreen)](https://github.com/opena2a-org/secretless-ai)
+[![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](LICENSE)
+[![Tests](https://img.shields.io/badge/tests-988%20passing-brightgreen)](https://github.com/opena2a-org/secretless-ai)
 
-Keep API keys and secrets invisible to AI coding tools. Works with Claude Code, Cursor, GitHub Copilot, Windsurf, Cline, and Aider.
+[Website](https://opena2a.org/secretless) · [Demos](https://opena2a.org/demos) · [Discord](https://discord.gg/uRZa3KXgEn)
 
-## Quick Start
+## Quick start
 
 ```bash
 npx secretless-ai init
 ```
 
 ```
-  Secretless v0.17.0
+  Secretless v0.17.1
   Keeping secrets out of AI
 
   Configured: Claude Code (1 of 1 detected)
@@ -34,13 +39,52 @@ npx secretless-ai init
 
 ![Secretless AI Demo](docs/secretless-ai-demo.gif)
 
-For a full security dashboard covering credentials, shadow AI, config integrity, and more:
+## Install
+
+### npm
+
+```bash
+npx secretless-ai init          # run once, no install
+npm install -g secretless-ai    # install globally
+```
+
+Requires Node.js 18 or later.
+
+### Homebrew
+
+```bash
+brew install opena2a-org/tap/secretless-ai
+```
+
+### From source
+
+```bash
+git clone https://github.com/opena2a-org/secretless-ai.git
+cd secretless-ai
+npm install
+npm run build && npm test
+node dist/cli.js verify
+```
+
+### Verifying what was installed
+
+Every release publishes via npm Trusted Publishing with SLSA v1 provenance. No long-lived `NPM_TOKEN`. GitHub Actions exchanges its OIDC token with npm at publish time.
 
 ```bash
-npx opena2a-cli review
+npm view secretless-ai dist.attestations --json
+# Expects non-empty result with predicateType "https://slsa.dev/provenance/v1"
 ```
 
-## MCP Server Protection
+Secretless never reads or transmits credential values it manages. Backends (OS keychain, 1Password, HashiCorp Vault, GCP Secret Manager, AES-256-GCM encrypted file) decrypt on demand at subprocess spawn time. `secretless-ai verify` runs an integrity check of your local install.
+
+## How it works
+
+1. **Scans** your project for hardcoded credentials in config files and source code. 56 credential patterns from [`@opena2a/credential-patterns@0.1.1`](https://www.npmjs.com/package/@opena2a/credential-patterns), lockstep-asserted, across `.js`, `.ts`, `.py`, `.go`, `.java`, `.rb`, and more. Suppresses fixture-path false positives via `.secretlessignore` defaults (`test/`, `__tests__/`, `examples/`, `e2e/`, `docs/vhs/`, `node_modules/`, etc.).
+2. **Migrates** them to secure storage: OS keychain, 1Password, HashiCorp Vault, GCP Secret Manager, or AES-256-GCM encrypted file.
+3. **Blocks** AI tools from reading credential files. 21 file patterns enforced at the AI-tool hook layer.
+4. **Brokers** access through environment variables. Secrets never enter AI context.
+
+## MCP server protection
 
 Every MCP server config has plaintext API keys in JSON files on your machine. The LLM sees them. Secretless encrypts them.
 
@@ -59,50 +103,43 @@ npx secretless-ai protect-mcp
       STRIPE_SECRET_KEY (encrypted)
 
   3 secret(s) encrypted across 3 server(s).
-  MCP servers start normally -- no workflow changes needed.
+  MCP servers start normally. No workflow changes needed.
 ```
 
 Scans configs across Claude Desktop, Cursor, Claude Code, VS Code, and Windsurf. Secrets move to your configured backend. Non-secret env vars (URLs, regions) stay untouched.
 
 ```bash
-npx secretless-ai protect-mcp --backend 1password  # Store MCP secrets in 1Password
-npx secretless-ai mcp-status                       # Show which servers are protected
-npx secretless-ai mcp-unprotect                    # Restore original configs from backup
+npx secretless-ai protect-mcp --backend 1password   # store MCP secrets in 1Password
+npx secretless-ai mcp-status                        # show which servers are protected
+npx secretless-ai mcp-unprotect                     # restore original configs from backup
 ```
 
-## Triage Helpers
+## Triage helpers
 
 ```bash
-npx secretless-ai scan --min-confidence 0.85   # Show only high-confidence findings
-npx secretless-ai ignore docs/migration.md     # Append a path to .secretlessignore
+npx secretless-ai scan --min-confidence 0.85   # high-confidence findings only
+npx secretless-ai ignore docs/migration.md     # append a path to .secretlessignore
 npx secretless-ai ignore --pattern '*.golden.txt'
-npx secretless-ai diff main                    # Audit secretless-managed file changes vs a git ref
+npx secretless-ai diff main                    # audit secretless-managed file changes vs a git ref
 ```
 
-`scan` now renders a `Confidence: high (0.92)` line under every finding. The score combines pattern specificity, value entropy, value length, and path tier. With `--no-ignore`, findings whose path matches the default-ignore list are tagged `(looks like a test fixture)` so users can keep them in view without re-suppressing them.
-
-## How It Works
-
-1. **Scans** your project for hardcoded credentials in config files *and* source code (56 patterns from `@opena2a/credential-patterns@0.1.1`, lockstep-asserted, across .js, .ts, .py, .go, .java, .rb, and more). Suppresses fixture-path false positives via `.secretlessignore` defaults (`test/`, `__tests__/`, `examples/`, `e2e/`, `docs/vhs/`, `node_modules/` ...)
-2. **Migrates** them to secure storage (OS keychain, 1Password, Vault, GCP Secret Manager)
-3. **Blocks** AI tools from reading credential files (21 file patterns)
-4. **Brokers** access through environment variables -- secrets never enter AI context
+`scan` renders a `Confidence: high (0.92)` line under every finding. The score combines pattern specificity, value entropy, value length, and path tier. With `--no-ignore`, findings whose path matches the default-ignore list are tagged `(looks like a test fixture)` so they stay visible without being re-suppressed.
 
 ## Architecture
 
-Secretless has three layers. You can use one, two, or all three — each is independent and works against any supported backend.
+Three layers. Use one, two, or all three. Each works against any supported backend.
 
-**Tier 1 — In-process SDK.** Credentials resolved in the call stack and zeroized after use. Available in the Python and TypeScript AIM SDKs. Sub-millisecond overhead.
+**Tier 1: In-process SDK.** Credentials resolved in the call stack and zeroized after use. Available in the Python and TypeScript AIM SDKs. Sub-millisecond overhead.
 
-**Tier 2 — Vault Exec.** A subprocess primitive that injects a credential into a child process's environment without exposing it to the parent. The agent running under an AI assistant never sees the secret.
+**Tier 2: Vault Exec.** A subprocess primitive that injects a credential into a child process's environment without exposing it to the parent. The agent running under an AI assistant never sees the secret.
 
 ```bash
 npx secretless-ai vault exec github -- curl https://api.github.com/user
 ```
 
-The child process receives `$GITHUB`. The parent shell, the AI tool's context, and any process listing see nothing. Language-agnostic — wraps any command.
+The child process receives `$GITHUB`. The parent shell, the AI tool's context, and any process listing see nothing. Language-agnostic. Wraps any command.
 
-**Tier 3 — Broker with identity policy.** A local daemon that mediates credential access across multiple agents. Policy rules allow or deny access by agent ID, credential name, time window, and rate limit. Optional AIM integration adds trust-score and capability constraints.
+**Tier 3: Broker with identity policy.** A local daemon that mediates credential access across multiple agents. Policy rules allow or deny access by agent ID, credential name, time window, and rate limit. Optional AIM integration adds trust-score and capability constraints.
 
 ```bash
 npx secretless-ai broker start
@@ -110,23 +147,12 @@ npx secretless-ai broker start
 
 See [Run the Broker](docs/use-cases/run-broker.md) for when to use the daemon and how to configure it.
 
-**AIM is optional.** Tier 1 and Tier 2 work against any of the five [storage backends](#storage-backends) with no AIM involvement. Tier 3 adds identity-bound policy when an AIM server is reachable; it still enforces default-deny locally without one.
+AIM is optional. Tier 1 and Tier 2 work against any of the five [storage backends](#storage-backends) with no AIM involvement. Tier 3 adds identity-bound policy when an AIM server is reachable. Default-deny still enforces locally without one.
 
-## Use Cases
+## Supported tools
 
-Step-by-step guides for common workflows: [docs/USE-CASES.md](docs/USE-CASES.md)
-
-- [Protect My Credentials](docs/use-cases/protect-my-credentials.md) -- Keep API keys out of AI tools (2 min)
-- [Secure MCP Configs](docs/use-cases/secure-mcp-configs.md) -- Encrypt MCP server credentials (3 min)
-- [Bring Your Own Vault](docs/use-cases/bring-your-own-vault.md) -- Point Secretless at HashiCorp Vault, GCP SM, or 1Password (3 min)
-- [Run the Broker](docs/use-cases/run-broker.md) -- Policy-gated credential daemon for multi-agent runtimes (3 min)
-- [Team Setup](docs/use-cases/team-setup.md) -- Shared backend, CI/CD, onboarding (5 min)
-- [Migrate from .env](docs/use-cases/migrate-from-dotenv.md) -- Move .env files to encrypted storage (3 min)
-
-## Supported Tools
-
-| Tool | Protection Method |
-|------|------------------|
+| Tool | Protection method |
+|---|---|
 | Claude Code | PreToolUse hook (blocks reads before they happen) + deny rules + CLAUDE.md |
 | Cursor | `.cursorrules` instructions |
 | GitHub Copilot | `.github/copilot-instructions.md` instructions |
@@ -134,68 +160,92 @@ Step-by-step guides for common workflows: [docs/USE-CASES.md](docs/USE-CASES.md)
 | Cline | `.clinerules` instructions |
 | Aider | `.aiderignore` file patterns |
 
-Claude Code gets the strongest protection because it supports [hooks](https://docs.anthropic.com/en/docs/claude-code/hooks) -- a shell script runs *before* every file read and blocks access at the tool level.
+Claude Code gets the strongest protection because it supports [hooks](https://docs.anthropic.com/en/docs/claude-code/hooks). A shell script runs before every file read and blocks access at the tool level.
 
-## Storage Backends
+## Storage backends
 
-| Backend | Storage | Best For |
-|---------|---------|----------|
+| Backend | Storage | Best for |
+|---|---|---|
 | `local` | AES-256-GCM encrypted file | Quick start, single machine |
-| `keychain` | macOS Keychain / Linux Secret Service | Native OS integration |
+| `keychain` | macOS Keychain or Linux Secret Service | Native OS integration |
 | `1password` | 1Password vault | Teams, CI/CD, multi-device |
 | `vault` | HashiCorp Vault KV v2 | Enterprise, self-hosted |
 | `gcp-sm` | GCP Secret Manager | GCP-native workloads |
 
 ```bash
-npx secretless-ai backend set 1password              # Switch backend
-npx secretless-ai migrate --from local --to 1password # Migrate existing secrets
+npx secretless-ai backend set 1password               # switch backend
+npx secretless-ai migrate --from local --to 1password # migrate existing secrets
 ```
 
-## NanoMind Integration
+## NanoMind integration
 
 Optional integration with [NanoMind](https://github.com/opena2a-org/nanomind) for enhanced security analysis:
 
 ```bash
-npm install @nanomind/guard @nanomind/engine  # Optional
+npm install @nanomind/guard @nanomind/engine  # optional
 ```
 
-- **MCP injection screening**: `protect-mcp` screens env var values for prompt injection patterns and warns when suspicious content is detected
-- **Rich scan explanations**: `scan --explain` generates context-aware security explanations for each finding using NanoMind's local inference engine
+- **MCP injection screening.** `protect-mcp` screens env-var values for prompt-injection patterns and warns when suspicious content is detected.
+- **Rich scan explanations.** `scan --explain` generates context-aware security explanations for each finding using NanoMind's local inference engine.
 
 Both features gracefully degrade when NanoMind packages are not installed.
 
 ## Using with opena2a-cli
 
-[opena2a-cli](https://github.com/opena2a-org/opena2a) unifies all OpenA2A security tools:
+[`opena2a-cli`](https://github.com/opena2a-org/opena2a) is the unified CLI for the OpenA2A security toolchain. Secretless powers `opena2a secrets`.
 
 ```bash
 npm install -g opena2a-cli
-opena2a review          # Full security dashboard
-opena2a secrets init    # Initialize secretless protection
+opena2a review          # full security dashboard
+opena2a secrets init    # initialize secretless protection
 ```
 
-## Development
+## Telemetry
+
+Secretless sends anonymous tier-1 usage data to the OpenA2A Registry: tool name (`secretless-ai`), version, command name (`scan`, `protect`, etc.), success, duration, platform, Node major version, and a stable per-machine `install_id`. No content is collected. No scanned secrets, no file paths, no env-var values, no rule contents, no IPs.
+
+- Policy: [opena2a.org/telemetry](https://opena2a.org/telemetry).
+- Status: `secretless-ai telemetry status`.
+- Disable per-invocation: `OPENA2A_TELEMETRY=off secretless-ai <anything>`.
+- Disable persistently: `secretless-ai telemetry off`.
+- Audit every payload: `OPENA2A_TELEMETRY_DEBUG=print secretless-ai <anything>` echoes each event to stderr as JSON.
+
+Fire-and-forget with a 2-second timeout. Telemetry never blocks Secretless.
+
+## Use cases
+
+| Guide | Time |
+|---|---|
+| [Protect My Credentials](docs/use-cases/protect-my-credentials.md) | 2 min |
+| [Secure MCP Configs](docs/use-cases/secure-mcp-configs.md) | 3 min |
+| [Bring Your Own Vault](docs/use-cases/bring-your-own-vault.md) | 3 min |
+| [Run the Broker](docs/use-cases/run-broker.md) | 3 min |
+| [Team Setup](docs/use-cases/team-setup.md) | 5 min |
+| [Migrate from .env](docs/use-cases/migrate-from-dotenv.md) | 3 min |
+
+Full index: [docs/USE-CASES.md](docs/USE-CASES.md).
+
+## Contributing
+
+Apache 2.0. PRs from outside the org welcome.
 
 ```bash
-npm run build && npm test    # 809 tests
+git clone https://github.com/opena2a-org/secretless-ai.git
+cd secretless-ai && npm install && npm run build && npm test
 ```
 
-## Telemetry
+Security issues: `security@opena2a.org` (coordinated disclosure, response within 24 hours).
 
-Secretless sends anonymous tier-1 usage data to the OpenA2A Registry: tool name (`secretless-ai`), version, command name (`scan`, `protect`, etc.), success, duration, platform, Node major version, and a stable per-machine `install_id`. **No content is collected** — no scanned secrets, no file paths, no env-var values, no rule contents, no IPs.
+## Links
 
-- **Policy:** [opena2a.org/telemetry](https://opena2a.org/telemetry).
-- **Status:** `secretless-ai telemetry status`.
-- **Disable per-invocation:** `OPENA2A_TELEMETRY=off secretless-ai <anything>`.
-- **Disable persistently:** `secretless-ai telemetry off`.
-- **Audit every payload:** `OPENA2A_TELEMETRY_DEBUG=print secretless-ai <anything>` echoes each event to stderr in JSON.
+- [Website](https://opena2a.org/secretless)
+- [Documentation](https://opena2a.org/docs/secretless)
+- [Demos](https://opena2a.org/demos)
+- [OpenA2A CLI](https://github.com/opena2a-org/opena2a)
+- [Credential patterns library](https://www.npmjs.com/package/@opena2a/credential-patterns)
 
-Fire-and-forget with a 2-second timeout — telemetry never blocks Secretless.
+Part of the [OpenA2A](https://opena2a.org) security platform.
 
 ## License
 
-Apache-2.0
-
----
-
-Part of the [OpenA2A](https://opena2a.org) ecosystem. Full reference: [opena2a.org/docs/secretless](https://opena2a.org/docs/secretless)
+Apache-2.0. See [LICENSE](LICENSE).

package/dist/broker/atx.d.ts

@@ -0,0 +1,168 @@
+/**
+ * ATX (Agent Trust eXtension) verification — the subject-claim check the broker
+ * runs before resolving any grant. AAP §6 step 2.
+ *
+ * The ATX is the signed, portable credential defined by ATP/ATX that states what an
+ * agent *is*. AAP does not redefine it; this verifier mirrors the OpenA2A reference
+ * verifier (`atx-conformance/verifiers/python/verify.py`, itself a port of
+ * `opena2a-registry/pkg/atcverify/verify.go canonicalPayload()`) VERBATIM so a broker
+ * accepts exactly the credentials the conformance suite accepts.
+ *
+ * (ATX is the current name for the credential formerly called ATC; fixtures use the
+ * `atcVersion` field. This verifier dual-supports both signing forms.)
+ *
+ * Scope: Ed25519 is verified fully. ML-DSA-65 presence is recorded but verification is
+ * delegated — Node's stdlib has no ML-DSA, exactly as the Python reference verifier
+ * skips it. Production wires the post-quantum half + the live trusted-issuer/CRL anchors
+ * to AIM's verification path (see AtxVerifier / RegistryAtxVerifier seam below).
+ *
+ * SECURITY — signature coverage depends on atcVersion:
+ *  - v1.0 (canonicalPayload): the pipe-delimited string covers identity, issuer,
+ *    trustLevel, trustScore, contentHash, buildAttestation, and the validity window.
+ *    It does NOT cover `capabilities`, `scanSummary.oasbLevel`, `issuerChain`, or
+ *    `jurisdiction`. A holder of any validly-signed v1.0 ATX can edit those without
+ *    invalidating the signature, so they MUST NOT be trusted for authorization.
+ *  - v1.1 (canonicalPayloadV11): the signature covers JCS(TBS), which includes
+ *    `capabilities`, `scanSummary`, `issuerChain`, and `publisher`. Those fields are
+ *    integrity-protected and safe to authorize on.
+ *
+ * The verified context exposes `signedCapabilities` (true iff v1.1) so callers can tell
+ * the two apart. Phase 3 of the ATX v1.1 rollout adds a `requireSignedCapabilities`
+ * grant-policy flag that refuses capability-gated grants whose context has
+ * `signedCapabilities === false`. Until then a production verifier still SHOULD source
+ * authorization attributes for v1.0 credentials from the issuing Registry/AIM for the
+ * verified `agentId` rather than the presented blob.
+ */
+/** Legacy schema version: signs the 11-field pipe string (Go quirk, replicated). */
+export declare const SUPPORTED_ATX_VERSION = "1.0";
+/**
+ * ATX v1.1: signs JCS(TBS) (RFC 8785) per atx-spec core.md §1.3a.2, bringing
+ * capabilities, scanSummary, issuerChain, publisher, and behavioralProfile under
+ * the signature. Verified here using the same canonicalizer (erdtman/canonicalize)
+ * and the same TBS projection the registry and conformance verifiers use; byte
+ * agreement is proven by atx-conformance/jcs-vectors.
+ */
+export declare const SUPPORTED_ATX_VERSION_V11 = "1.1";
+/** A signature reference on an ATX. */
+export interface AtxSignature {
+    keyId?: string;
+    algorithm: 'Ed25519' | 'ML-DSA-65' | string;
+    /** base64-encoded signature value. */
+    value: string;
+}
+/** The ATX credential (subset used for verification + context derivation). */
+export interface Atx {
+    atcVersion?: string;
+    agentId: string;
+    agentDid: string;
+    /** Publisher identity. Unsigned under v1.0; covered by the v1.1 signature. */
+    publisher?: string;
+    publisherDid?: string;
+    version: string;
+    contentHash: string;
+    buildAttestation?: string;
+    issuerDid: string;
+    issuerChain?: string[];
+    trustLevel: number;
+    trustScore: number;
+    issuedAt: string;
+    expiresAt: string;
+    capabilities?: string[];
+    /** Observed-behavior summary. Covered by the v1.1 signature. */
+    behavioralProfile?: {
+        checksum?: string;
+        generatedAt?: string;
+        observationDays?: number;
+    } | null;
+    scanSummary?: {
+        oasbLevel?: string;
+        [k: string]: unknown;
+    };
+    /** Optional, optional-to-ignore jurisdiction claim (AAP §9). */
+    jurisdiction?: string[];
+    revoked?: boolean;
+    signatures: AtxSignature[];
+}
+/** A public key the verifier trusts, keyed by algorithm. */
+export interface AtxPublicKey {
+    algorithm: 'Ed25519' | 'ML-DSA-65' | string;
+    /** hex-encoded raw public key (32 bytes for Ed25519). */
+    publicKeyHex: string;
+}
+/** Trust anchors the verifier evaluates against (in production: fetched from AIM/Registry). */
+export interface AtxTrustAnchors {
+    trustedIssuers: string[];
+    publicKeys: AtxPublicKey[];
+    /** Cached, federated CRL. Revocation rides entirely on the ATX + CRL (AAP §6). */
+    crl?: {
+        entries: Array<{
+            agentId: string;
+            reason?: string;
+        }>;
+    };
+    /** Clock source (injectable for tests). Defaults to wall clock. */
+    now?: () => Date;
+}
+export type RejectCategory = 'UNSUPPORTED_VERSION' | 'EXPIRED' | 'REVOKED' | 'UNTRUSTED_ISSUER' | 'SIGNATURE_INVALID' | 'MALFORMED';
+/** Context the broker derives from a *verified* ATX. Contains no backend information. */
+export interface ResolutionContext {
+    agentId: string;
+    agentDid: string;
+    issuerDid: string;
+    issuerChain: string[];
+    trustLevel: number;
+    trustScore: number;
+    capabilities: string[];
+    oasbLevel?: string;
+    jurisdiction?: string[];
+    /**
+     * True when the credential is v1.1+, i.e. capabilities/scanSummary/issuerChain
+     * are covered by the signature and may be trusted for authorization. False for
+     * v1.0, where those fields are forgeable by the holder. Phase 3 of the ATX v1.1
+     * rollout gates capability-based grants on this.
+     */
+    signedCapabilities: boolean;
+}
+export interface AtxVerificationResult {
+    valid: boolean;
+    /** Present when valid: the context the broker resolves against. */
+    context?: ResolutionContext;
+    /** Present when invalid. */
+    rejectCategory?: RejectCategory;
+    reason?: string;
+    /** Whether an ML-DSA-65 signature was present (and therefore delegated, not skipped silently). */
+    mldsaPresent?: boolean;
+}
+/** The verification interface. Lets the broker swap a local verifier for an AIM-backed one. */
+export interface AtxVerifier {
+    verify(atx: Atx): AtxVerificationResult;
+}
+/**
+ * Local ATX verifier. Cryptographically real (Ed25519) and interoperable with the
+ * conformance fixtures; trust anchors are injected. The production counterpart
+ * (`RegistryAtxVerifier`, a seam for a later pass) fetches `trustedIssuers`,
+ * `publicKeys`, and the `crl` from AIM's verification endpoint and adds ML-DSA-65.
+ */
+export declare class LocalAtxVerifier implements AtxVerifier {
+    private readonly anchors;
+    constructor(anchors: AtxTrustAnchors);
+    verify(atx: Atx): AtxVerificationResult;
+}
+/**
+ * Mirror of `opena2a-registry/pkg/atcverify/verify.go canonicalPayload()`:
+ *   fmt.Sprintf("%s|%s|%s|%s|%s|%s|%d|%.6f|%s|%s|%s", ...)
+ * with atxVersion hardcoded to "1.0".
+ */
+export declare function canonicalPayload(atx: Atx): Buffer;
+/**
+ * Project an ATX into the v1.1 TBS and return JCS(TBS) (RFC 8785). Unlike
+ * canonicalPayload, this covers capabilities, scanSummary, issuerChain,
+ * publisher, and behavioralProfile. The projection (canonical empties,
+ * always-full scanSummary, %.6f string trustScore, root-first issuerChain) and
+ * the canonicalizer match opena2a-registry/pkg/atcverify and the conformance
+ * verifiers exactly; byte agreement is pinned by atx-conformance/jcs-vectors.
+ */
+export declare function canonicalPayloadV11(atx: Atx): Buffer;
+/** Normalize an RFC 3339 timestamp to UTC "YYYY-MM-DDTHH:MM:SSZ" (Go time.RFC3339 for UTC). */
+export declare function normalizeRfc3339(s: string): string;
+//# sourceMappingURL=atx.d.ts.map

package/dist/broker/atx.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"atx.d.ts","sourceRoot":"","sources":["../../src/broker/atx.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAKH,oFAAoF;AACpF,eAAO,MAAM,qBAAqB,QAAQ,CAAC;AAE3C;;;;;;GAMG;AACH,eAAO,MAAM,yBAAyB,QAAQ,CAAC;AAE/C,uCAAuC;AACvC,MAAM,WAAW,YAAY;IAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,SAAS,GAAG,WAAW,GAAG,MAAM,CAAC;IAC5C,sCAAsC;IACtC,KAAK,EAAE,MAAM,CAAC;CACf;AAED,8EAA8E;AAC9E,MAAM,WAAW,GAAG;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,8EAA8E;IAC9E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,gEAAgE;IAChE,iBAAiB,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,WAAW,CAAC,EAAE,MAAM,CAAC;QAAC,eAAe,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,IAAI,CAAC;IACjG,WAAW,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,MAAM,CAAC;QAAC,CAAC,CAAC,EAAE,MAAM,GAAG,OAAO,CAAA;KAAE,CAAC;IAC3D,gEAAgE;IAChE,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,UAAU,EAAE,YAAY,EAAE,CAAC;CAC5B;AAED,4DAA4D;AAC5D,MAAM,WAAW,YAAY;IAC3B,SAAS,EAAE,SAAS,GAAG,WAAW,GAAG,MAAM,CAAC;IAC5C,yDAAyD;IACzD,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,+FAA+F;AAC/F,MAAM,WAAW,eAAe;IAC9B,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,UAAU,EAAE,YAAY,EAAE,CAAC;IAC3B,kFAAkF;IAClF,GAAG,CAAC,EAAE;QAAE,OAAO,EAAE,KAAK,CAAC;YAAE,OAAO,EAAE,MAAM,CAAC;YAAC,MAAM,CAAC,EAAE,MAAM,CAAA;SAAE,CAAC,CAAA;KAAE,CAAC;IAC/D,mEAAmE;IACnE,GAAG,CAAC,EAAE,MAAM,IAAI,CAAC;CAClB;AAED,MAAM,MAAM,cAAc,GACtB,qBAAqB,GACrB,SAAS,GACT,SAAS,GACT,kBAAkB,GAClB,mBAAmB,GACnB,WAAW,CAAC;AAEhB,yFAAyF;AACzF,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB;;;;;OAKG;IACH,kBAAkB,EAAE,OAAO,CAAC;CAC7B;AAED,MAAM,WAAW,qBAAqB;IACpC,KAAK,EAAE,OAAO,CAAC;IACf,mEAAmE;IACnE,OAAO,CAAC,EAAE,iBAAiB,CAAC;IAC5B,4BAA4B;IAC5B,cAAc,CAAC,EAAE,cAAc,CAAC;IAChC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,kGAAkG;IAClG,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED,+FAA+F;AAC/F,MAAM,WAAW,WAAW;IAC1B,MAAM,CAAC,GAAG,EAAE,GAAG,GAAG,qBAAqB,CAAC;CACzC;AAED;;;;;GAKG;AACH,qBAAa,gBAAiB,YAAW,WAAW;IACtC,OAAO,CAAC,QAAQ,CAAC,OAAO;gBAAP,OAAO,EAAE,eAAe;IAErD,MAAM,CAAC,GAAG,EAAE,GAAG,GAAG,qBAAqB;CAqGxC;AAMD;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,GAAG,GAAG,MAAM,CAejD;AAED;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,GAAG,GAAG,MAAM,CAkCpD;AAwBD,+FAA+F;AAC/F,wBAAgB,gBAAgB,CAAC,CAAC,EAAE,MAAM,GAAG,MAAM,CAMlD"}