settld 0.1.2 → 0.2.0

package/scripts/release/generate-release-index.mjs

@@ -0,0 +1,112 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import { spawnSync } from "node:child_process";
+
+import { listFilesFlat, sha256FileHex, classifyArtifactKind, assertNoDuplicatePaths, writeCanonicalJsonFile } from "./release-index-lib.mjs";
+
+function usage() {
+  // eslint-disable-next-line no-console
+  console.error(
+    "usage: node scripts/release/generate-release-index.mjs --dir <release-assets-dir> [--tag vX.Y.Z] [--version X.Y.Z] [--commit <sha>] [--out <path>]"
+  );
+  process.exit(2);
+}
+
+function parseArgs(argv) {
+  const out = { dir: null, tag: null, version: null, commit: null, outPath: null };
+  for (let i = 0; i < argv.length; i += 1) {
+    const a = argv[i];
+    if (a === "--dir") {
+      out.dir = String(argv[i + 1] ?? "");
+      i += 1;
+      continue;
+    }
+    if (a === "--tag") {
+      out.tag = String(argv[i + 1] ?? "");
+      i += 1;
+      continue;
+    }
+    if (a === "--version") {
+      out.version = String(argv[i + 1] ?? "");
+      i += 1;
+      continue;
+    }
+    if (a === "--commit") {
+      out.commit = String(argv[i + 1] ?? "");
+      i += 1;
+      continue;
+    }
+    if (a === "--out") {
+      out.outPath = String(argv[i + 1] ?? "");
+      i += 1;
+      continue;
+    }
+    if (a === "--help" || a === "-h") usage();
+    usage();
+  }
+  if (!out.dir) usage();
+  return out;
+}
+
+function gitCommit() {
+  const res = spawnSync("git", ["rev-parse", "HEAD"], { encoding: "utf8" });
+  if (res.status !== 0) return null;
+  return String(res.stdout ?? "").trim() || null;
+}
+
+function gitCommitEpochSeconds(commit) {
+  const sha = commit ?? "HEAD";
+  const res = spawnSync("git", ["show", "-s", "--format=%ct", sha], { encoding: "utf8" });
+  if (res.status !== 0) return null;
+  const raw = String(res.stdout ?? "").trim();
+  const n = Number.parseInt(raw, 10);
+  if (!Number.isInteger(n) || n < 0) return null;
+  return n;
+}
+
+async function main() {
+  const args = parseArgs(process.argv.slice(2));
+  const dir = path.resolve(process.cwd(), args.dir);
+  const outPath = args.outPath ? path.resolve(process.cwd(), args.outPath) : path.join(dir, "release_index_v1.json");
+
+  const commit = args.commit || process.env.GITHUB_SHA || process.env.SETTLD_COMMIT_SHA || gitCommit();
+  const epochEnv = process.env.SOURCE_DATE_EPOCH || process.env.SETTLD_RELEASE_EPOCH || null;
+  const buildEpochSeconds = epochEnv ? Number.parseInt(String(epochEnv), 10) : gitCommitEpochSeconds(commit);
+
+  const files = await listFilesFlat(dir);
+  const artifactNames = files
+    .filter((n) => !n.startsWith("."))
+    // Avoid circularity: never include ReleaseIndex itself or any sibling copies.
+    .filter((n) => !n.startsWith("release_index_v1"));
+
+  const artifacts = [];
+  for (const name of artifactNames) {
+    // eslint-disable-next-line no-await-in-loop
+    const st = await fs.stat(path.join(dir, name));
+    if (!st.isFile()) continue;
+    // eslint-disable-next-line no-await-in-loop
+    const sha256 = await sha256FileHex(path.join(dir, name));
+    artifacts.push({ path: name, sha256, sizeBytes: st.size, kind: classifyArtifactKind(name) });
+  }
+  artifacts.sort((a, b) => (a.path < b.path ? -1 : a.path > b.path ? 1 : 0));
+  assertNoDuplicatePaths(artifacts);
+
+  const index = {
+    schemaVersion: "ReleaseIndex.v1",
+    release: {
+      tag: args.tag || process.env.GITHUB_REF_NAME || "unknown",
+      version: args.version || (args.tag ? String(args.tag).replace(/^v/, "") : process.env.SETTLD_VERSION || "unknown")
+    },
+    toolchain: {
+      commit: commit ?? null,
+      buildEpochSeconds: Number.isInteger(buildEpochSeconds) ? buildEpochSeconds : null,
+      canonicalJson: "RFC8785",
+      includedSchemas: ["VerifyCliOutput.v1", "ProduceCliOutput.v1", "ReleaseIndex.v1", "VerifyReleaseOutput.v1"]
+    },
+    artifacts
+  };
+
+  await writeCanonicalJsonFile(outPath, index);
+}
+
+await main();

package/scripts/release/release-index-lib.mjs

@@ -0,0 +1,232 @@
+import crypto from "node:crypto";
+import fs from "node:fs/promises";
+import path from "node:path";
+
+import { canonicalJsonStringify } from "../../src/core/canonical-json.js";
+import { keyIdFromPublicKeyPem } from "../../src/core/crypto.js";
+
+export function sha256Hex(bytes) {
+  return crypto.createHash("sha256").update(bytes).digest("hex");
+}
+
+export async function sha256FileHex(fp) {
+  const h = crypto.createHash("sha256");
+  const f = await fs.open(fp, "r");
+  try {
+    const buf = Buffer.alloc(1024 * 1024);
+    while (true) {
+      // eslint-disable-next-line no-await-in-loop
+      const { bytesRead } = await f.read(buf, 0, buf.length, null);
+      if (bytesRead === 0) break;
+      h.update(buf.subarray(0, bytesRead));
+    }
+  } finally {
+    await f.close();
+  }
+  return h.digest("hex");
+}
+
+export async function listFilesFlat(dir) {
+  const entries = await fs.readdir(dir, { withFileTypes: true });
+  const out = [];
+  for (const e of entries) {
+    if (!e.isFile()) continue;
+    out.push(e.name);
+  }
+  return out.sort();
+}
+
+export function canonicalIndexBytes(indexJson) {
+  const canonical = canonicalJsonStringify(indexJson);
+  return Buffer.from(canonical, "utf8");
+}
+
+export function indexMessageSha256Hex(indexJson) {
+  return sha256Hex(canonicalIndexBytes(indexJson));
+}
+
+export function signIndex({ indexJson, privateKeyPem }) {
+  const messageSha256 = indexMessageSha256Hex(indexJson);
+  const messageBytes = Buffer.from(messageSha256, "hex");
+  const sig = crypto.sign(null, messageBytes, privateKeyPem).toString("base64");
+
+  const pub = crypto.createPublicKey(crypto.createPrivateKey(privateKeyPem)).export({ type: "spki", format: "pem" });
+  const publicKeyPem = String(pub);
+  const keyId = keyIdFromPublicKeyPem(publicKeyPem);
+
+  return {
+    schemaVersion: "ReleaseIndexSignature.v1",
+    algorithm: "ed25519-sha256",
+    keyId,
+    messageSha256,
+    publicKeyPem,
+    signatureBase64: sig
+  };
+}
+
+export function wrapSignaturesV1(signatures) {
+  const list = Array.isArray(signatures) ? signatures.filter(Boolean) : [];
+  return {
+    schemaVersion: "ReleaseIndexSignatures.v1",
+    signatures: list
+  };
+}
+
+export function unwrapSignaturesV1(sigJson) {
+  if (sigJson && typeof sigJson === "object" && !Array.isArray(sigJson)) {
+    if (sigJson.schemaVersion === "ReleaseIndexSignature.v1") return [sigJson];
+    if (sigJson.schemaVersion === "ReleaseIndexSignatures.v1") {
+      const arr = Array.isArray(sigJson.signatures) ? sigJson.signatures : [];
+      return arr.filter(Boolean);
+    }
+  }
+  return [];
+}
+
+export function verifyIndexSignature({ indexJson, signatureJson, trustedPublicKeyPem = null }) {
+  const errors = [];
+  const messageSha256 = indexMessageSha256Hex(indexJson);
+
+  if (!signatureJson || typeof signatureJson !== "object") {
+    errors.push({ code: "SIGNATURE_INVALID", message: "signature JSON missing/invalid", path: null });
+    return { ok: false, messageSha256, errors };
+  }
+  if (signatureJson.schemaVersion !== "ReleaseIndexSignature.v1") {
+    errors.push({ code: "SIGNATURE_INVALID", message: "unexpected signature schemaVersion", path: null });
+    return { ok: false, messageSha256, errors };
+  }
+  if (signatureJson.algorithm !== "ed25519-sha256") {
+    errors.push({ code: "SIGNATURE_UNSUPPORTED_ALGORITHM", message: "unsupported signature algorithm", path: null });
+    return { ok: false, messageSha256, errors };
+  }
+  if (typeof signatureJson.signatureBase64 !== "string" || !signatureJson.signatureBase64.trim()) {
+    errors.push({ code: "SIGNATURE_INVALID", message: "signatureBase64 missing", path: null });
+    return { ok: false, messageSha256, errors };
+  }
+
+  const publicKeyPem = trustedPublicKeyPem ? String(trustedPublicKeyPem) : String(signatureJson.publicKeyPem ?? "");
+  if (!publicKeyPem.trim()) {
+    errors.push({ code: "SIGNATURE_INVALID", message: "publicKeyPem missing", path: null });
+    return { ok: false, messageSha256, errors };
+  }
+
+  if (typeof signatureJson.messageSha256 === "string" && signatureJson.messageSha256.toLowerCase() !== messageSha256) {
+    errors.push({ code: "SIGNATURE_MISMATCH", message: "messageSha256 mismatch", path: null });
+    return { ok: false, messageSha256, errors };
+  }
+
+  try {
+    const ok = crypto.verify(
+      null,
+      Buffer.from(messageSha256, "hex"),
+      publicKeyPem,
+      Buffer.from(String(signatureJson.signatureBase64), "base64")
+    );
+    if (!ok) errors.push({ code: "SIGNATURE_INVALID", message: "signature verification failed", path: null });
+  } catch (e) {
+    errors.push({ code: "SIGNATURE_INVALID", message: `signature verification error: ${e?.message ?? String(e)}`, path: null });
+  }
+
+  return { ok: errors.length === 0, messageSha256, errors };
+}
+
+export function normalizeReleaseTrust(trustJson) {
+  if (!trustJson || typeof trustJson !== "object" || Array.isArray(trustJson)) {
+    throw new Error("release trust JSON missing/invalid");
+  }
+
+  if (trustJson.schemaVersion === "ReleaseTrust.v1") {
+    const roots = trustJson.releaseRoots ?? null;
+    if (!roots || typeof roots !== "object" || Array.isArray(roots)) throw new Error("ReleaseTrust.v1.releaseRoots missing/invalid");
+    const keys = [];
+    for (const [keyId, publicKeyPem] of Object.entries(roots)) {
+      if (typeof keyId !== "string" || !keyId.trim()) continue;
+      if (typeof publicKeyPem !== "string" || !publicKeyPem.trim()) continue;
+      keys.push({ keyId, publicKeyPem });
+    }
+    keys.sort((a, b) => (a.keyId < b.keyId ? -1 : a.keyId > b.keyId ? 1 : 0));
+    return { schemaVersion: "ReleaseTrust.v1", policy: { minSignatures: 1, requiredKeyIds: null }, keys };
+  }
+
+  if (trustJson.schemaVersion === "ReleaseTrust.v2") {
+    const policy = trustJson.policy ?? null;
+    if (!policy || typeof policy !== "object" || Array.isArray(policy)) throw new Error("ReleaseTrust.v2.policy missing/invalid");
+    const minSignatures = policy.minSignatures;
+    if (!Number.isInteger(minSignatures) || minSignatures < 1) throw new Error("ReleaseTrust.v2.policy.minSignatures missing/invalid");
+    const requiredKeyIds = Array.isArray(policy.requiredKeyIds)
+      ? policy.requiredKeyIds.filter((v) => typeof v === "string" && v.trim())
+      : null;
+
+    const arr = Array.isArray(trustJson.keys) ? trustJson.keys : null;
+    if (!arr) throw new Error("ReleaseTrust.v2.keys missing/invalid");
+    const keys = [];
+    for (const item of arr) {
+      if (!item || typeof item !== "object" || Array.isArray(item)) continue;
+      const keyId = typeof item.keyId === "string" && item.keyId.trim() ? item.keyId.trim() : null;
+      const publicKeyPem = typeof item.publicKeyPem === "string" && item.publicKeyPem.trim() ? item.publicKeyPem : null;
+      if (!keyId || !publicKeyPem) continue;
+
+      const derived = keyIdFromPublicKeyPem(publicKeyPem);
+      if (derived !== keyId) throw new Error(`ReleaseTrust.v2 keyId mismatch: declared=${keyId} derived=${derived}`);
+
+      const notBeforeEpochSeconds = Number.isInteger(item.notBeforeEpochSeconds) && item.notBeforeEpochSeconds >= 0 ? item.notBeforeEpochSeconds : null;
+      const notAfterEpochSeconds = Number.isInteger(item.notAfterEpochSeconds) && item.notAfterEpochSeconds >= 0 ? item.notAfterEpochSeconds : null;
+      const revokedAtEpochSeconds = Number.isInteger(item.revokedAtEpochSeconds) && item.revokedAtEpochSeconds >= 0 ? item.revokedAtEpochSeconds : null;
+      const comment = typeof item.comment === "string" && item.comment.trim() ? item.comment : null;
+
+      keys.push({ keyId, publicKeyPem, notBeforeEpochSeconds, notAfterEpochSeconds, revokedAtEpochSeconds, comment });
+    }
+    keys.sort((a, b) => (a.keyId < b.keyId ? -1 : a.keyId > b.keyId ? 1 : 0));
+    return { schemaVersion: "ReleaseTrust.v2", policy: { minSignatures, requiredKeyIds }, keys };
+  }
+
+  throw new Error("release trust schemaVersion must be ReleaseTrust.v1 or ReleaseTrust.v2");
+}
+
+export async function loadReleaseTrustPublicKeyPem({ trustPath, keyId }) {
+  const raw = await fs.readFile(trustPath, "utf8");
+  const trust = normalizeReleaseTrust(JSON.parse(raw));
+  const pem = trust.keys.find((k) => k.keyId === keyId)?.publicKeyPem ?? null;
+  if (typeof pem !== "string" || !pem.trim()) throw new Error(`release trust missing keyId: ${keyId}`);
+  return String(pem);
+}
+
+export async function loadReleaseTrust({ trustPath }) {
+  const raw = await fs.readFile(trustPath, "utf8");
+  return normalizeReleaseTrust(JSON.parse(raw));
+}
+
+export function classifyArtifactKind(name) {
+  if (/^settld-[a-z0-9-]+-\d+\.\d+\.\d+.*\.tgz$/i.test(name)) return "npm-tgz";
+  if (/^settld-\d+\.\d+\.\d+.*\.tgz$/i.test(name)) return "helm-chart-tgz";
+  if (name.endsWith(".whl")) return "python-wheel";
+  if (/^settld_api_sdk_python-.*\.tar\.gz$/i.test(name)) return "python-sdist";
+  if (name.endsWith(".tgz")) return "tgz";
+  if (name.endsWith(".tar.gz")) return "tar.gz";
+  if (name.endsWith(".zip")) return "zip";
+  if (name.endsWith("SHA256SUMS") || name.endsWith(".sha256")) return "checksum";
+  if (name.endsWith(".spdx.json")) return "sbom";
+  return null;
+}
+
+export function assertNoDuplicatePaths(artifacts) {
+  const seen = new Set();
+  for (const a of artifacts) {
+    const p = String(a?.path ?? "");
+    if (!p) continue;
+    if (seen.has(p)) throw new Error(`duplicate artifact path: ${p}`);
+    seen.add(p);
+  }
+}
+
+export async function writeCanonicalJsonFile(fp, json) {
+  await fs.writeFile(fp, canonicalJsonStringify(json) + "\n", "utf8");
+}
+
+export function cmpString(a, b) {
+  const aa = String(a ?? "");
+  const bb = String(b ?? "");
+  if (aa < bb) return -1;
+  if (aa > bb) return 1;
+  return 0;
+}

package/scripts/release/sign-release-index.mjs

@@ -0,0 +1,85 @@
+import fs from "node:fs/promises";
+import fsSync from "node:fs";
+import path from "node:path";
+
+import { signIndex, unwrapSignaturesV1, wrapSignaturesV1, cmpString, writeCanonicalJsonFile } from "./release-index-lib.mjs";
+
+function usage() {
+  // eslint-disable-next-line no-console
+  console.error(
+    "usage: node scripts/release/sign-release-index.mjs --index <release_index_v1.json> [--out <release_index_v1.sig>] [--append] (--private-key-env <ENV>|--private-key-file <path>)"
+  );
+  process.exit(2);
+}
+
+function parseArgs(argv) {
+  const out = { indexPath: null, outPath: null, privateKeyEnv: null, privateKeyFile: null, append: false };
+  for (let i = 0; i < argv.length; i += 1) {
+    const a = argv[i];
+    if (a === "--index") {
+      out.indexPath = String(argv[i + 1] ?? "");
+      i += 1;
+      continue;
+    }
+    if (a === "--out") {
+      out.outPath = String(argv[i + 1] ?? "");
+      i += 1;
+      continue;
+    }
+    if (a === "--private-key-env") {
+      out.privateKeyEnv = String(argv[i + 1] ?? "");
+      i += 1;
+      continue;
+    }
+    if (a === "--private-key-file") {
+      out.privateKeyFile = String(argv[i + 1] ?? "");
+      i += 1;
+      continue;
+    }
+    if (a === "--append") {
+      out.append = true;
+      continue;
+    }
+    if (a === "--help" || a === "-h") usage();
+    usage();
+  }
+  if (!out.indexPath) usage();
+  if (!out.privateKeyEnv && !out.privateKeyFile) usage();
+  return out;
+}
+
+async function main() {
+  const args = parseArgs(process.argv.slice(2));
+  const indexPath = path.resolve(process.cwd(), args.indexPath);
+  const outPath = args.outPath
+    ? path.resolve(process.cwd(), args.outPath)
+    : path.join(path.dirname(indexPath), "release_index_v1.sig");
+
+  const privateKeyPem = args.privateKeyFile
+    ? await fs.readFile(path.resolve(process.cwd(), args.privateKeyFile), "utf8")
+    : process.env[String(args.privateKeyEnv)] ?? "";
+  if (!String(privateKeyPem ?? "").trim()) throw new Error("missing release signing private key (env/file)");
+
+  const indexJson = JSON.parse(await fs.readFile(indexPath, "utf8"));
+  const sig = signIndex({ indexJson, privateKeyPem: String(privateKeyPem) });
+
+  let signatures = [sig];
+  if (args.append && fsSync.existsSync(outPath)) {
+    const existing = JSON.parse(await fs.readFile(outPath, "utf8"));
+    signatures = [...unwrapSignaturesV1(existing), sig];
+  }
+
+  const byKeyId = new Map();
+  for (const s of signatures) {
+    const keyId = typeof s?.keyId === "string" && s.keyId.trim() ? s.keyId.trim() : null;
+    if (!keyId) continue;
+    byKeyId.set(keyId, s);
+  }
+  const merged = Array.from(byKeyId.values());
+  merged.sort((a, b) => cmpString(a?.keyId ?? "", b?.keyId ?? ""));
+  const out = wrapSignaturesV1(merged);
+
+  await writeCanonicalJsonFile(outPath, out);
+}
+
+await main();

package/scripts/release/validate-release-assets.mjs

@@ -0,0 +1,170 @@
+import crypto from "node:crypto";
+import fs from "node:fs/promises";
+import path from "node:path";
+import { spawnSync } from "node:child_process";
+
+function usage() {
+  // eslint-disable-next-line no-console
+  console.error(
+    "usage: node scripts/release/validate-release-assets.mjs --dir <release-assets-dir> [--release-trust <ReleaseTrust.v1.json>]"
+  );
+  process.exit(2);
+}
+
+function parseArgs(argv) {
+  let dir = null;
+  let releaseTrust = null;
+  for (let i = 0; i < argv.length; i += 1) {
+    const a = argv[i];
+    if (a === "--dir") {
+      dir = String(argv[i + 1] ?? "");
+      i += 1;
+      continue;
+    }
+    if (a === "--release-trust") {
+      releaseTrust = String(argv[i + 1] ?? "");
+      i += 1;
+      continue;
+    }
+    if (a === "--help" || a === "-h") usage();
+    usage();
+  }
+  if (!dir) usage();
+  return { dir, releaseTrust };
+}
+
+function sha256Hex(buf) {
+  return crypto.createHash("sha256").update(buf).digest("hex");
+}
+
+async function fileExists(fp) {
+  try {
+    await fs.stat(fp);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function parseSha256sumFile(text) {
+  // sha256sum format: "<hex>  <filename>"
+  const out = new Map();
+  for (const line of String(text ?? "").split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    const m = trimmed.match(/^([0-9a-f]{64})\s+(\S+)$/i);
+    if (!m) throw new Error(`invalid sha256sum line: ${JSON.stringify(line)}`);
+    const hex = m[1].toLowerCase();
+    const name = m[2];
+    out.set(name, hex);
+  }
+  return out;
+}
+
+function sh(cmd, args, { cwd } = {}) {
+  const res = spawnSync(cmd, args, { cwd, encoding: "utf8" });
+  if (res.status !== 0) {
+    throw new Error(`${cmd} ${args.join(" ")} failed (exit ${res.status})${res.stderr ? `: ${res.stderr.trim()}` : ""}`);
+  }
+  return String(res.stdout ?? "");
+}
+
+async function assertFileSha256({ dir, checksumFile, targetName }) {
+  const fp = path.join(dir, checksumFile);
+  const raw = await fs.readFile(fp, "utf8");
+  const map = parseSha256sumFile(raw);
+  if (!map.has(targetName)) throw new Error(`${checksumFile} missing entry for ${targetName}`);
+  const expected = map.get(targetName);
+  const actual = sha256Hex(await fs.readFile(path.join(dir, targetName)));
+  if (expected !== actual) throw new Error(`${targetName} sha256 mismatch expected=${expected} actual=${actual}`);
+}
+
+async function main() {
+  const { dir, releaseTrust } = parseArgs(process.argv.slice(2));
+
+  const required = [
+    "conformance-v1.tar.gz",
+    "conformance-v1-SHA256SUMS",
+    "release_index_v1.json",
+    "release_index_v1.sig",
+    "settld-audit-packet-v1.zip",
+    "settld-audit-packet-v1.zip.sha256",
+    "npm-SHA256SUMS",
+    "python-SHA256SUMS"
+  ];
+  for (const name of required) {
+    // eslint-disable-next-line no-await-in-loop
+    if (!(await fileExists(path.join(dir, name)))) throw new Error(`missing required release asset: ${name}`);
+  }
+
+  // Validate conformance checksum
+  await assertFileSha256({ dir, checksumFile: "conformance-v1-SHA256SUMS", targetName: "conformance-v1.tar.gz" });
+
+  // Validate audit packet checksum
+  await assertFileSha256({ dir, checksumFile: "settld-audit-packet-v1.zip.sha256", targetName: "settld-audit-packet-v1.zip" });
+
+  // Validate npm tgz checksums based on npm-SHA256SUMS entries.
+  const npmSumRaw = await fs.readFile(path.join(dir, "npm-SHA256SUMS"), "utf8");
+  const npmMap = parseSha256sumFile(npmSumRaw);
+  const npmNames = Array.from(npmMap.keys()).sort();
+  if (!npmNames.length) throw new Error("npm-SHA256SUMS has no entries");
+  for (const name of npmNames) {
+    if (!name.endsWith(".tgz")) throw new Error(`npm-SHA256SUMS contains non-tgz entry: ${name}`);
+    // eslint-disable-next-line no-await-in-loop
+    if (!(await fileExists(path.join(dir, name)))) throw new Error(`missing npm tarball listed in npm-SHA256SUMS: ${name}`);
+    // eslint-disable-next-line no-await-in-loop
+    const actual = sha256Hex(await fs.readFile(path.join(dir, name)));
+    const expected = npmMap.get(name);
+    if (expected !== actual) throw new Error(`${name} sha256 mismatch expected=${expected} actual=${actual}`);
+  }
+
+  // Validate Python distribution checksums.
+  const pythonSumRaw = await fs.readFile(path.join(dir, "python-SHA256SUMS"), "utf8");
+  const pythonMap = parseSha256sumFile(pythonSumRaw);
+  const pythonNames = Array.from(pythonMap.keys()).sort();
+  if (!pythonNames.length) throw new Error("python-SHA256SUMS has no entries");
+  const hasWheel = pythonNames.some((name) => name.endsWith(".whl"));
+  const hasSdist = pythonNames.some((name) => name.endsWith(".tar.gz"));
+  if (!hasWheel || !hasSdist) throw new Error("python-SHA256SUMS must include both .whl and .tar.gz artifacts");
+  for (const name of pythonNames) {
+    if (!(name.endsWith(".whl") || name.endsWith(".tar.gz"))) {
+      throw new Error(`python-SHA256SUMS contains unsupported artifact type: ${name}`);
+    }
+    // eslint-disable-next-line no-await-in-loop
+    if (!(await fileExists(path.join(dir, name)))) throw new Error(`missing python artifact listed in python-SHA256SUMS: ${name}`);
+    // eslint-disable-next-line no-await-in-loop
+    const actual = sha256Hex(await fs.readFile(path.join(dir, name)));
+    const expected = pythonMap.get(name);
+    if (expected !== actual) throw new Error(`${name} sha256 mismatch expected=${expected} actual=${actual}`);
+  }
+
+  // Light sanity check of archive contents (avoid surprises).
+  const conformanceListing = sh("tar", ["-tzf", "conformance-v1.tar.gz"], { cwd: dir });
+  for (const must of ["conformance-v1/README.md", "conformance-v1/cases.json", "conformance-v1/expected/"]) {
+    if (!conformanceListing.includes(must)) throw new Error(`conformance-v1.tar.gz missing expected entry: ${must}`);
+  }
+  const auditListing = sh("unzip", ["-l", "settld-audit-packet-v1.zip"], { cwd: dir });
+  const auditExpectedEntries = [
+    // Current audit packet layout (scripts/audit/build-audit-packet.mjs)
+    "spec/THREAT_MODEL.md",
+    "conformance/conformance-v1.tar.gz",
+    "conformance/conformance-v1-SHA256SUMS",
+    "protocol-vectors/v1.json",
+    "tool.json",
+    "SHA256SUMS"
+  ];
+  for (const must of auditExpectedEntries) {
+    if (!auditListing.includes(must)) throw new Error(`settld-audit-packet-v1.zip missing expected entry: ${must}`);
+  }
+
+  // Verify signed ReleaseIndex and ensure artifacts match its hashes.
+  const verifyArgs = ["scripts/release/verify-release.mjs", "--dir", dir, "--format", "json"];
+  if (releaseTrust) verifyArgs.push("--trust", releaseTrust);
+  const verifyRes = spawnSync(process.execPath, verifyArgs, { encoding: "utf8" });
+  if (verifyRes.status !== 0) {
+    const msg = (verifyRes.stdout || verifyRes.stderr || "").trim();
+    throw new Error(`verify-release failed${msg ? `: ${msg}` : ""}`);
+  }
+}
+
+await main();