settld 0.1.2 → 0.2.0

package/scripts/quickstart/x402.mjs

@@ -0,0 +1,334 @@
+import { spawn } from "node:child_process";
+import process from "node:process";
+import { setTimeout as delay } from "node:timers/promises";
+
+function readIntEnv(name, fallback) {
+  const raw = process.env[name];
+  if (raw === undefined || raw === null || String(raw).trim() === "") return fallback;
+  const n = Number(raw);
+  if (!Number.isSafeInteger(n) || n <= 0) throw new Error(`${name} must be a positive integer`);
+  return n;
+}
+
+function readNonNegativeIntEnv(name, fallback) {
+  const raw = process.env[name];
+  if (raw === undefined || raw === null || String(raw).trim() === "") return fallback;
+  const n = Number(raw);
+  if (!Number.isSafeInteger(n) || n < 0) throw new Error(`${name} must be a non-negative integer`);
+  return n;
+}
+
+function readBoolEnv(name, fallback) {
+  const raw = process.env[name];
+  if (raw === undefined || raw === null || String(raw).trim() === "") return fallback;
+  const v = String(raw).trim().toLowerCase();
+  if (v === "1" || v === "true" || v === "yes") return true;
+  if (v === "0" || v === "false" || v === "no") return false;
+  throw new Error(`${name} must be a boolean (1/0/true/false)`);
+}
+
+function sanitize(text) {
+  return String(text ?? "").replaceAll(/[\r\n]+/g, " ").trim();
+}
+
+function log(prefix, msg) {
+  process.stderr.write(`[${prefix}] ${msg}\n`);
+}
+
+function spawnProc({ name, cmd, args, env }) {
+  log(name, `spawn: ${cmd} ${args.join(" ")}`);
+  const child = spawn(cmd, args, {
+    env: { ...process.env, ...(env ?? {}) },
+    stdio: ["ignore", "pipe", "pipe"]
+  });
+  child.stdout?.on("data", (buf) => {
+    const s = sanitize(buf.toString("utf8"));
+    if (s) log(name, s);
+  });
+  child.stderr?.on("data", (buf) => {
+    const s = sanitize(buf.toString("utf8"));
+    if (s) log(name, s);
+  });
+  child.on("exit", (code, signal) => {
+    log(name, `exit: code=${code} signal=${signal ?? ""}`);
+  });
+  return child;
+}
+
+async function waitForJson(url, { name, timeoutMs = 30_000, proc = null } = {}) {
+  const start = Date.now();
+  while (true) {
+    if (proc && proc.exitCode !== null) {
+      throw new Error(`${name ?? url} exited before becoming ready (exitCode=${proc.exitCode})`);
+    }
+    try {
+      const res = await fetch(url, { method: "GET" });
+      if (res.ok) {
+        const text = await res.text();
+        try {
+          return text ? JSON.parse(text) : null;
+        } catch {
+          return null;
+        }
+      }
+    } catch {}
+
+    if (Date.now() - start > timeoutMs) {
+      throw new Error(`${name ?? url} did not become ready within ${timeoutMs}ms: ${url}`);
+    }
+    await delay(250);
+  }
+}
+
+async function mintApiKey({ apiUrl, opsToken, tenantId }) {
+  const res = await fetch(new URL("/ops/api-keys", apiUrl), {
+    method: "POST",
+    headers: {
+      "x-proxy-ops-token": opsToken,
+      authorization: `Bearer ${opsToken}`,
+      "x-proxy-tenant-id": tenantId,
+      "content-type": "application/json"
+    },
+    body: JSON.stringify({
+      scopes: ["ops_read", "ops_write", "finance_read", "finance_write", "audit_read"],
+      description: "x402 quickstart script"
+    })
+  });
+  const text = await res.text();
+  let json;
+  try {
+    json = text ? JSON.parse(text) : null;
+  } catch {
+    json = null;
+  }
+  if (!res.ok) {
+    throw new Error(`mint api key failed: HTTP ${res.status} ${text}`);
+  }
+  const keyId = json?.keyId;
+  const secret = json?.secret;
+  if (typeof keyId !== "string" || typeof secret !== "string" || !keyId || !secret) {
+    throw new Error(`mint api key returned unexpected body: ${text}`);
+  }
+  return `${keyId}.${secret}`;
+}
+
+function headerValue(headersText, headerName) {
+  const want = String(headerName).trim().toLowerCase() + ":";
+  const lines = String(headersText)
+    .split("\n")
+    .map((l) => l.replaceAll("\r", ""));
+  for (const line of lines) {
+    const idx = line.indexOf(":");
+    if (idx <= 0) continue;
+    const key = line.slice(0, idx + 1).trim().toLowerCase();
+    if (key === want) return line.slice(idx + 1).trim();
+  }
+  return null;
+}
+
+async function fetchHeaders(url, { headers } = {}) {
+  const res = await fetch(url, { method: "GET", headers: headers ?? {} });
+  const status = res.status;
+  const text = await res.text();
+  const headersObj = Object.fromEntries(res.headers.entries());
+  return { status, text, headers: headersObj };
+}
+
+async function runSmokeTest({ gatewayUrl, holdbackBps, disputeWindowMs }) {
+  const first = await fetch(gatewayUrl);
+  const firstText = await first.text();
+  const firstHeaders = Object.fromEntries(first.headers.entries());
+  if (first.status !== 402) {
+    throw new Error(`expected first request to return 402; got ${first.status}`);
+  }
+  const paymentRequired = firstHeaders["x-payment-required"];
+  if (!paymentRequired) throw new Error("missing x-payment-required header on 402 response");
+
+  const gateId = firstHeaders["x-settld-gate-id"];
+  if (!gateId) throw new Error("missing x-settld-gate-id header on 402 response");
+
+  // Parse amountCents=... out of x-payment-required.
+  const m = String(paymentRequired).match(/(?:^|;)\s*amountCents=([0-9]+)\b/);
+  if (!m) throw new Error(`could not parse amountCents from x-payment-required: ${paymentRequired}`);
+  const amountCents = Number(m[1]);
+  if (!Number.isSafeInteger(amountCents) || amountCents <= 0) throw new Error(`invalid amountCents: ${m[1]}`);
+
+  const second = await fetch(gatewayUrl, {
+    method: "GET",
+    headers: {
+      "x-settld-gate-id": gateId,
+      "x-payment": "paid"
+    }
+  });
+  await second.arrayBuffer();
+  const secondHeaders = Object.fromEntries(second.headers.entries());
+  if (second.status !== 200) {
+    throw new Error(`expected second request to return 200; got ${second.status}`);
+  }
+
+  const settlementStatus = secondHeaders["x-settld-settlement-status"];
+  const releasedAmountCents = Number(secondHeaders["x-settld-released-amount-cents"] ?? "NaN");
+  const refundedAmountCents = Number(secondHeaders["x-settld-refunded-amount-cents"] ?? "NaN");
+  const holdbackStatus = secondHeaders["x-settld-holdback-status"];
+  const holdbackAmountCents = Number(secondHeaders["x-settld-holdback-amount-cents"] ?? "NaN");
+
+  const expectedHoldbackCents = Math.floor((amountCents * holdbackBps) / 10_000);
+  const expectedReleasedCents = amountCents - expectedHoldbackCents;
+  const expectedRefundedCents = expectedHoldbackCents;
+  const expectedHoldbackStatus = disputeWindowMs > 0 ? "held" : "released";
+
+  if (settlementStatus !== "released") throw new Error(`expected settlement status released; got ${settlementStatus}`);
+  if (!Number.isSafeInteger(releasedAmountCents) || releasedAmountCents !== expectedReleasedCents) {
+    throw new Error(`released cents mismatch: got=${releasedAmountCents} expected=${expectedReleasedCents}`);
+  }
+  if (!Number.isSafeInteger(refundedAmountCents) || refundedAmountCents !== expectedRefundedCents) {
+    throw new Error(`refunded cents mismatch: got=${refundedAmountCents} expected=${expectedRefundedCents}`);
+  }
+  if (expectedHoldbackCents > 0) {
+    if (holdbackStatus !== expectedHoldbackStatus) {
+      throw new Error(`holdback status mismatch: got=${holdbackStatus} expected=${expectedHoldbackStatus}`);
+    }
+    if (!Number.isSafeInteger(holdbackAmountCents) || holdbackAmountCents !== expectedHoldbackCents) {
+      throw new Error(`holdback cents mismatch: got=${holdbackAmountCents} expected=${expectedHoldbackCents}`);
+    }
+  }
+
+  return { gateId, amountCents };
+}
+
+async function main() {
+  const apiPort = readIntEnv("SETTLD_QUICKSTART_API_PORT", 3000);
+  const upstreamPort = readIntEnv("SETTLD_QUICKSTART_UPSTREAM_PORT", 9402);
+  const gatewayPort = readIntEnv("SETTLD_QUICKSTART_GATEWAY_PORT", 8402);
+
+  const opsToken = String(process.env.SETTLD_QUICKSTART_OPS_TOKEN ?? "tok_ops").trim() || "tok_ops";
+  const tenantId = String(process.env.SETTLD_TENANT_ID ?? "tenant_default").trim() || "tenant_default";
+
+  const holdbackBps = readNonNegativeIntEnv("HOLDBACK_BPS", 0);
+  if (holdbackBps > 10_000) throw new Error("HOLDBACK_BPS must be within 0..10000");
+  const disputeWindowMs = readNonNegativeIntEnv("DISPUTE_WINDOW_MS", 3_600_000);
+  const autoFund = readBoolEnv("X402_AUTOFUND", true);
+
+  const keepAlive = readBoolEnv("SETTLD_QUICKSTART_KEEP_ALIVE", true);
+
+  const apiUrl = new URL(`http://127.0.0.1:${apiPort}`);
+  const upstreamUrl = new URL(`http://127.0.0.1:${upstreamPort}`);
+  const gatewayUrl = new URL(`http://127.0.0.1:${gatewayPort}/resource`);
+
+  const procs = [];
+  const stopAll = () => {
+    for (const p of procs) {
+      try {
+        p.kill("SIGTERM");
+      } catch {}
+    }
+  };
+  process.on("SIGINT", () => {
+    log("quickstart", "SIGINT: shutting down...");
+    stopAll();
+    process.exit(130);
+  });
+  process.on("SIGTERM", () => {
+    log("quickstart", "SIGTERM: shutting down...");
+    stopAll();
+    process.exit(143);
+  });
+
+  // 1) API
+  const api = spawnProc({
+    name: "api",
+    cmd: "node",
+    args: ["src/api/server.js"],
+    env: {
+      PROXY_OPS_TOKEN: opsToken,
+      BIND_HOST: "127.0.0.1",
+      PORT: String(apiPort)
+    }
+  });
+  procs.push(api);
+  await waitForJson(new URL("/healthz", apiUrl).toString(), { name: "api /healthz", proc: api });
+
+  // 2) Mint API key
+  const apiKey = await mintApiKey({ apiUrl, opsToken, tenantId });
+  log("quickstart", "SETTLD_API_KEY minted");
+
+  // 3) Upstream mock
+  const upstream = spawnProc({
+    name: "upstream",
+    cmd: "node",
+    args: ["services/x402-gateway/examples/upstream-mock.js"],
+    env: {
+      BIND_HOST: "127.0.0.1",
+      PORT: String(upstreamPort),
+      SETTLD_PAY_KEYSET_URL: new URL("/.well-known/settld-keys.json", apiUrl).toString()
+    }
+  });
+  procs.push(upstream);
+  await waitForJson(new URL("/healthz", upstreamUrl).toString(), { name: "upstream /healthz", proc: upstream });
+
+  // Provider signature key (for correctness-verification demo).
+  const providerKeyRes = await fetch(new URL("/settld/provider-key", upstreamUrl));
+  const providerKey = providerKeyRes.ok ? await providerKeyRes.json() : null;
+  const providerPublicKeyPem = typeof providerKey?.publicKeyPem === "string" ? providerKey.publicKeyPem : null;
+  if (!providerPublicKeyPem) {
+    throw new Error("upstream did not expose a provider public key at /settld/provider-key");
+  }
+
+  // 4) Gateway
+  const gateway = spawnProc({
+    name: "gateway",
+    cmd: "node",
+    args: ["services/x402-gateway/src/server.js"],
+    env: {
+      BIND_HOST: "127.0.0.1",
+      SETTLD_API_URL: apiUrl.toString(),
+      SETTLD_API_KEY: apiKey,
+      UPSTREAM_URL: upstreamUrl.toString(),
+      HOLDBACK_BPS: String(holdbackBps),
+      DISPUTE_WINDOW_MS: String(disputeWindowMs),
+      X402_AUTOFUND: autoFund ? "1" : "0",
+      X402_PROVIDER_PUBLIC_KEY_PEM: providerPublicKeyPem,
+      PORT: String(gatewayPort)
+    }
+  });
+  procs.push(gateway);
+  await waitForJson(new URL("/healthz", `http://127.0.0.1:${gatewayPort}`).toString(), { name: "gateway /healthz", proc: gateway });
+
+  // 5) Smoke test
+  const { gateId } = await runSmokeTest({ gatewayUrl: gatewayUrl.toString(), holdbackBps, disputeWindowMs });
+  log("quickstart", `gateId=${gateId}`);
+
+  // Fetch gate state (proof of receipt trail)
+  const gateStateRes = await fetch(new URL(`/x402/gate/${encodeURIComponent(gateId)}`, apiUrl), {
+    method: "GET",
+    headers: {
+      authorization: `Bearer ${apiKey}`,
+      "x-proxy-tenant-id": tenantId,
+      "x-settld-protocol": "1.0"
+    }
+  });
+  const gateStateText = await gateStateRes.text();
+  if (!gateStateRes.ok) {
+    throw new Error(`gate state fetch failed: HTTP ${gateStateRes.status} ${gateStateText}`);
+  }
+  log("quickstart", "gate state fetched (receipt trail exists)");
+
+  process.stdout.write("OK\n");
+  process.stdout.write(`gateId=${gateId}\n`);
+  process.stdout.write(`gateStateUrl=${new URL(`/x402/gate/${encodeURIComponent(gateId)}`, apiUrl).toString()}\n`);
+
+  if (!keepAlive) {
+    stopAll();
+    return;
+  }
+
+  log("quickstart", "Services are running. Press Ctrl+C to stop.");
+  // Keep the process alive.
+  // eslint-disable-next-line no-constant-condition
+  while (true) await delay(1000);
+}
+
+main().catch((err) => {
+  log("quickstart", `failed: ${err?.message ?? String(err ?? "")}`);
+  process.exitCode = 1;
+});

package/scripts/register-entity-secret.mjs

@@ -0,0 +1,102 @@
+#!/usr/bin/env node
+
+import path from "node:path";
+import process from "node:process";
+
+import { registerEntitySecretCiphertext } from "@circle-fin/developer-controlled-wallets";
+
+function usage() {
+  const text = [
+    "usage:",
+    "  node scripts/register-entity-secret.mjs [--api-key <key>] [--entity-secret-hex <hex64>] [--recovery-dir <path>]",
+    "",
+    "env fallbacks:",
+    "  CIRCLE_API_KEY",
+    "  CIRCLE_ENTITY_SECRET_HEX (or ENTITY_SECRET)",
+    "  CIRCLE_RECOVERY_DIR (default: ./artifacts/circle-recovery)"
+  ].join("\n");
+  process.stderr.write(`${text}\n`);
+}
+
+function readArgValue(argv, index, arg) {
+  const raw = String(arg ?? "");
+  const eq = raw.indexOf("=");
+  if (eq >= 0) return { value: raw.slice(eq + 1), nextIndex: index };
+  return { value: String(argv[index + 1] ?? ""), nextIndex: index + 1 };
+}
+
+function parseArgs(argv) {
+  const out = {
+    apiKey: null,
+    entitySecretHex: null,
+    recoveryDir: null,
+    help: false
+  };
+  for (let i = 0; i < argv.length; i += 1) {
+    const arg = String(argv[i] ?? "");
+    if (arg === "--help" || arg === "-h") {
+      out.help = true;
+      continue;
+    }
+    if (arg === "--api-key" || arg.startsWith("--api-key=")) {
+      const parsed = readArgValue(argv, i, arg);
+      out.apiKey = parsed.value;
+      i = parsed.nextIndex;
+      continue;
+    }
+    if (arg === "--entity-secret-hex" || arg.startsWith("--entity-secret-hex=")) {
+      const parsed = readArgValue(argv, i, arg);
+      out.entitySecretHex = parsed.value;
+      i = parsed.nextIndex;
+      continue;
+    }
+    if (arg === "--recovery-dir" || arg.startsWith("--recovery-dir=")) {
+      const parsed = readArgValue(argv, i, arg);
+      out.recoveryDir = parsed.value;
+      i = parsed.nextIndex;
+      continue;
+    }
+    throw new Error(`unknown argument: ${arg}`);
+  }
+  return out;
+}
+
+function normalizeHex64(value) {
+  const raw = String(value ?? "").trim().toLowerCase();
+  if (!raw) return null;
+  if (!/^[0-9a-f]{64}$/.test(raw)) {
+    throw new Error("entity secret must be a 64-char hex string");
+  }
+  return raw;
+}
+
+async function main(argv = process.argv.slice(2)) {
+  const args = parseArgs(argv);
+  if (args.help) {
+    usage();
+    return;
+  }
+
+  const apiKey = String(args.apiKey ?? process.env.CIRCLE_API_KEY ?? "").trim();
+  const entitySecret = normalizeHex64(args.entitySecretHex ?? process.env.CIRCLE_ENTITY_SECRET_HEX ?? process.env.ENTITY_SECRET ?? "");
+  const recoveryFileDownloadPath = path.resolve(
+    process.cwd(),
+    String(args.recoveryDir ?? process.env.CIRCLE_RECOVERY_DIR ?? "./artifacts/circle-recovery")
+  );
+
+  if (!apiKey) throw new Error("CIRCLE_API_KEY missing (or pass --api-key)");
+  if (!entitySecret) throw new Error("CIRCLE_ENTITY_SECRET_HEX missing (or pass --entity-secret-hex)");
+
+  const res = await registerEntitySecretCiphertext({
+    apiKey,
+    entitySecret,
+    recoveryFileDownloadPath
+  });
+
+  process.stdout.write(`${JSON.stringify(res?.data ?? res, null, 2)}\n`);
+}
+
+main(process.argv.slice(2)).catch((err) => {
+  process.stderr.write(`${err?.message ?? String(err)}\n`);
+  process.exit(1);
+});

package/scripts/release/build-artifacts.mjs

@@ -0,0 +1,181 @@
+import { spawnSync } from "node:child_process";
+import crypto from "node:crypto";
+import fs from "node:fs/promises";
+import path from "node:path";
+
+function readVersionForIndex() {
+  const v = process.env.SETTLD_VERSION ?? null;
+  return typeof v === "string" && v.trim() ? v.trim() : "0.0.0-local";
+}
+
+function sh(cmd, args, { cwd, env } = {}) {
+  const res = spawnSync(cmd, args, { cwd, env, encoding: "utf8" });
+  if (res.status !== 0) {
+    const err = (res.stderr || res.stdout || "").trim();
+    throw new Error(`${cmd} ${args.join(" ")} failed (exit ${res.status})${err ? `: ${err}` : ""}`);
+  }
+  return res.stdout;
+}
+
+async function sha256FileHex(fp) {
+  const h = crypto.createHash("sha256");
+  const f = await fs.open(fp, "r");
+  try {
+    const buf = Buffer.alloc(1024 * 1024);
+    while (true) {
+      // eslint-disable-next-line no-await-in-loop
+      const { bytesRead } = await f.read(buf, 0, buf.length, null);
+      if (bytesRead === 0) break;
+      h.update(buf.subarray(0, bytesRead));
+    }
+  } finally {
+    await f.close();
+  }
+  return h.digest("hex");
+}
+
+async function writeSha256File({ outPath, files }) {
+  const lines = [];
+  for (const fp of files) {
+    // eslint-disable-next-line no-await-in-loop
+    const sum = await sha256FileHex(fp);
+    lines.push(`${sum}  ${path.basename(fp)}`);
+  }
+  lines.sort((a, b) => (a < b ? -1 : a > b ? 1 : 0));
+  await fs.writeFile(outPath, lines.join("\n") + "\n", "utf8");
+}
+
+function parseArgs(argv) {
+  let outDir = path.resolve(process.cwd(), "dist", "release-artifacts");
+  let signReleaseIndex = false;
+  for (let i = 0; i < argv.length; i += 1) {
+    const a = argv[i];
+    if (a === "--out") {
+      outDir = path.resolve(process.cwd(), String(argv[i + 1] ?? ""));
+      i += 1;
+      continue;
+    }
+    if (a === "--sign-release-index") {
+      signReleaseIndex = true;
+      continue;
+    }
+    if (a === "--help" || a === "-h") {
+      // eslint-disable-next-line no-console
+      console.error("usage: node scripts/release/build-artifacts.mjs [--out <dir>] [--sign-release-index]");
+      process.exit(2);
+    }
+    // eslint-disable-next-line no-console
+    console.error(`unknown arg: ${a}`);
+    process.exit(2);
+  }
+  return { outDir, signReleaseIndex };
+}
+
+async function main() {
+  const { outDir, signReleaseIndex } = parseArgs(process.argv.slice(2));
+  await fs.mkdir(outDir, { recursive: true });
+
+  sh("npm", ["test"]);
+  sh(process.execPath, ["scripts/ci/npm-pack-smoke.mjs"]);
+  sh(process.execPath, ["scripts/ci/cli-pack-smoke.mjs"]);
+
+  const npmPackages = [
+    ".",
+    "packages/api-sdk",
+    "packages/executor-sdk",
+    "packages/artifact-verify",
+    "packages/provider-kit",
+    "packages/create-settld-paid-tool"
+  ];
+  const npmTgzs = [];
+  for (const p of npmPackages) {
+    // eslint-disable-next-line no-await-in-loop
+    const name = sh("npm", ["pack", "--silent", "--pack-destination", outDir], { cwd: path.resolve(process.cwd(), p) }).trim().split("\n").at(-1);
+    if (!name) throw new Error(`npm pack did not output tarball for ${p}`);
+    npmTgzs.push(path.join(outDir, name));
+  }
+  const npmChecksumsPath = path.join(outDir, "npm-SHA256SUMS");
+  await writeSha256File({ outPath: npmChecksumsPath, files: npmTgzs });
+
+  // Python SDK artifacts (sdist + wheel).
+  const sourceDateEpoch = String(Math.floor(Date.parse("2026-02-02T00:00:00Z") / 1000));
+  sh("python3", ["-m", "build", "packages/api-sdk-python", "--sdist", "--wheel", "--outdir", outDir], {
+    env: {
+      ...process.env,
+      SOURCE_DATE_EPOCH: sourceDateEpoch,
+      PYTHONDONTWRITEBYTECODE: "1"
+    }
+  });
+  const outNames = await fs.readdir(outDir);
+  const pythonArtifacts = outNames
+    .filter((name) => /^settld_api_sdk_python-.*\.(whl|tar\.gz)$/.test(name))
+    .sort()
+    .map((name) => path.join(outDir, name));
+  const hasWheel = pythonArtifacts.some((fp) => fp.endsWith(".whl"));
+  const hasSdist = pythonArtifacts.some((fp) => fp.endsWith(".tar.gz"));
+  if (!hasWheel || !hasSdist) {
+    throw new Error("python build did not produce both wheel and sdist for packages/api-sdk-python");
+  }
+  const pythonChecksumsPath = path.join(outDir, "python-SHA256SUMS");
+  await writeSha256File({ outPath: pythonChecksumsPath, files: pythonArtifacts });
+
+  // Conformance pack (deterministic tar.gz)
+  const conformanceDir = path.join(outDir, "conformance-v1");
+  const conformanceTar = path.join(outDir, "conformance-v1.tar");
+  const conformanceTgz = path.join(outDir, "conformance-v1.tar.gz");
+  await fs.rm(conformanceDir, { recursive: true, force: true });
+  await fs.rm(conformanceTar, { force: true });
+  await fs.rm(conformanceTgz, { force: true });
+  await fs.cp(path.join(process.cwd(), "conformance", "v1"), conformanceDir, { recursive: true });
+  sh("tar", ["--sort=name", "--mtime=2026-02-02 00:00:00Z", "--owner=0", "--group=0", "--numeric-owner", "-cf", conformanceTar, "-C", outDir, "conformance-v1"]);
+  const gz = spawnSync("gzip", ["-n", "-9", "-c", conformanceTar]);
+  if (gz.status !== 0) throw new Error("gzip failed");
+  await fs.writeFile(conformanceTgz, gz.stdout);
+  await fs.rm(conformanceTar, { force: true });
+  await fs.rm(conformanceDir, { recursive: true, force: true });
+  const conformanceChecksumsPath = path.join(outDir, "conformance-v1-SHA256SUMS");
+  await writeSha256File({ outPath: conformanceChecksumsPath, files: [conformanceTgz] });
+
+  // Audit packet zip (deterministic)
+  sh(process.execPath, ["scripts/audit/build-audit-packet.mjs", "--out", outDir, "--packet-version", "v1"]);
+  const auditZip = path.join(outDir, "settld-audit-packet-v1.zip");
+  await fs.access(auditZip);
+  const auditChecksumsPath = path.join(outDir, "settld-audit-packet-v1.zip.sha256");
+  await writeSha256File({ outPath: auditChecksumsPath, files: [auditZip] });
+
+  const allArtifactsForGlobalChecksums = [
+    ...npmTgzs,
+    npmChecksumsPath,
+    ...pythonArtifacts,
+    pythonChecksumsPath,
+    conformanceTgz,
+    conformanceChecksumsPath,
+    auditZip,
+    auditChecksumsPath
+  ].sort();
+  await writeSha256File({
+    outPath: path.join(outDir, "SHA256SUMS"),
+    files: allArtifactsForGlobalChecksums
+  });
+
+  // ReleaseIndex.v1 is a signed release manifest (artifact authenticity surface).
+  const version = readVersionForIndex();
+  const tag = `v${version}`;
+  sh(process.execPath, ["scripts/release/generate-release-index.mjs", "--dir", outDir, "--tag", tag, "--version", version]);
+  if (signReleaseIndex) {
+    if (!String(process.env.SETTLD_RELEASE_SIGNING_PRIVATE_KEY_PEM ?? "").trim()) {
+      throw new Error("missing SETTLD_RELEASE_SIGNING_PRIVATE_KEY_PEM; required for --sign-release-index");
+    }
+    sh(process.execPath, [
+      "scripts/release/sign-release-index.mjs",
+      "--index",
+      path.join(outDir, "release_index_v1.json"),
+      "--out",
+      path.join(outDir, "release_index_v1.sig"),
+      "--private-key-env",
+      "SETTLD_RELEASE_SIGNING_PRIVATE_KEY_PEM"
+    ]);
+  }
+}
+
+await main();