withub-cli 0.1.0

package/dist/lib/keys.js

@@ -0,0 +1,224 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.KEY_HOME = void 0;
+exports.keyPathFor = keyPathFor;
+exports.createSigner = createSigner;
+exports.loadSigner = loadSigner;
+exports.checkResources = checkResources;
+exports.normalizeAddress = normalizeAddress;
+exports.listStoredKeys = listStoredKeys;
+exports.readActiveAddress = readActiveAddress;
+exports.setActiveAddress = setActiveAddress;
+const promises_1 = __importDefault(require("fs/promises"));
+const os_1 = __importDefault(require("os"));
+const path_1 = __importDefault(require("path"));
+const ed25519_1 = require("@mysten/sui/keypairs/ed25519");
+const client_1 = require("@mysten/sui/client");
+const walrus_1 = require("./walrus");
+exports.KEY_HOME = process.env.WIT_KEY_HOME || path_1.default.join(os_1.default.homedir(), '.wit', 'keys');
+const GLOBAL_CONFIG = path_1.default.join(os_1.default.homedir(), '.witconfig');
+const SUI_COIN = '0x2::sui::SUI';
+// WAL CoinType map (9 decimals). Default to testnet when unknown.
+const WAL_COIN_BY_NETWORK = {
+    testnet: '0x8270feb7375eee355e64fdb69c50abb6b5f9393a722883c1cf45f8e26048810a::wal::WAL',
+    mainnet: '0x356a26eb9e012a68958082340d4c4116e7f55615cf27affcff209cf0ae544f59::wal::WAL',
+};
+const MIN_SUI_BALANCE = 100000000n; // 0.1 SUI (in MIST) for smoother dev flow
+const MIN_WAL_BALANCE = 1000000000n; // 1 WAL (assuming 9 decimals)
+function keyPathFor(address) {
+    return path_1.default.join(exports.KEY_HOME, `${normalizeAddress(address)}.key`);
+}
+async function createSigner(alias = 'default') {
+    const keypair = ed25519_1.Ed25519Keypair.generate();
+    const address = keypair.getPublicKey().toSuiAddress();
+    const file = keyPathFor(address);
+    await promises_1.default.mkdir(path_1.default.dirname(file), { recursive: true });
+    const payload = {
+        scheme: 'ED25519',
+        privateKey: keypair.getSecretKey(),
+        address,
+        publicKey: Buffer.from(keypair.getPublicKey().toRawBytes()).toString('base64'),
+        createdAt: new Date().toISOString(),
+        alias,
+    };
+    await promises_1.default.writeFile(file, JSON.stringify(payload, null, 2) + '\n', { encoding: 'utf8', mode: 0o600 });
+    await upsertGlobalConfig((cfg) => ({
+        ...cfg,
+        active_address: address,
+        key_alias: alias || cfg.key_alias || 'default',
+        author: cfg.author && cfg.author !== 'unknown' ? cfg.author : address,
+    }));
+    return { signer: keypair, address, file };
+}
+async function loadSigner(address) {
+    const globalCfg = await readGlobalConfig();
+    const resolvedAddress = normalizeAddress(address || globalCfg.active_address || guessAddress(globalCfg.author));
+    if (!resolvedAddress) {
+        throw new Error('No active address configured. Generate a key with createSigner() or set active_address in ~/.witconfig.');
+    }
+    const file = keyPathFor(resolvedAddress);
+    const stored = await readKeyFile(file);
+    const signer = ed25519_1.Ed25519Keypair.fromSecretKey(stored.privateKey);
+    const derived = signer.getPublicKey().toSuiAddress();
+    if (stored.address && stored.address !== derived) {
+        // eslint-disable-next-line no-console
+        console.warn(`Warning: address mismatch for ${file}. Using derived address ${derived}.`);
+    }
+    return { signer, address: derived, file };
+}
+async function checkResources(address, opts) {
+    const minSui = opts?.minSui ?? MIN_SUI_BALANCE;
+    const minWal = opts?.minWal ?? MIN_WAL_BALANCE;
+    const resolved = await safeResolveWalrusConfig();
+    let rpcUrl = opts?.rpcUrl;
+    if (!rpcUrl) {
+        try {
+            rpcUrl = resolved?.suiRpcUrl;
+        }
+        catch {
+            rpcUrl = (0, client_1.getFullnodeUrl)('testnet');
+        }
+    }
+    if (!rpcUrl) {
+        rpcUrl = (0, client_1.getFullnodeUrl)('testnet');
+    }
+    const client = new client_1.SuiClient({ url: rpcUrl });
+    try {
+        const respSui = await client.getBalance({ owner: address, coinType: SUI_COIN, signal: opts?.signal });
+        const rawSui = respSui?.balance?.balance ?? respSui?.totalBalance ?? respSui?.balance;
+        const suiBalance = typeof rawSui === 'string' ? BigInt(rawSui) : BigInt(rawSui || 0);
+        const walCoin = opts?.walCoin || (resolved?.network ? WAL_COIN_BY_NETWORK[resolved.network] : undefined) || WAL_COIN_BY_NETWORK.testnet;
+        let walBalance;
+        let hasMinWal = null;
+        let walError;
+        try {
+            const respWal = await client.getBalance({ owner: address, coinType: walCoin, signal: opts?.signal });
+            const rawWal = respWal?.balance?.balance ?? respWal?.totalBalance ?? respWal?.balance;
+            walBalance = typeof rawWal === 'string' ? BigInt(rawWal) : BigInt(rawWal || 0);
+            hasMinWal = walBalance >= minWal;
+        }
+        catch (err) {
+            walError = err?.message || String(err);
+        }
+        return {
+            suiBalance,
+            hasMinSui: suiBalance >= minSui,
+            minSui,
+            walBalance,
+            hasMinWal,
+            minWal,
+            walError,
+        };
+    }
+    catch (err) {
+        return { hasMinSui: null, minSui, hasMinWal: null, minWal, error: err?.message || String(err) };
+    }
+}
+async function readKeyFile(file) {
+    try {
+        const raw = await promises_1.default.readFile(file, 'utf8');
+        const parsed = JSON.parse(raw);
+        if (!parsed.privateKey) {
+            throw new Error(`Missing privateKey in ${file}`);
+        }
+        return parsed;
+    }
+    catch (err) {
+        if (err?.code === 'ENOENT') {
+            throw new Error(`Key file not found: ${file}`);
+        }
+        throw err;
+    }
+}
+async function readGlobalConfig() {
+    try {
+        const raw = await promises_1.default.readFile(GLOBAL_CONFIG, 'utf8');
+        return JSON.parse(raw);
+    }
+    catch (err) {
+        if (err?.code === 'ENOENT')
+            return {};
+        // eslint-disable-next-line no-console
+        console.warn(`Warning: could not read ${GLOBAL_CONFIG}: ${err.message}`);
+        return {};
+    }
+}
+async function upsertGlobalConfig(mutator) {
+    const cfg = await readGlobalConfig();
+    const next = mutator(cfg);
+    await promises_1.default.writeFile(GLOBAL_CONFIG, JSON.stringify(next, null, 2) + '\n', 'utf8');
+}
+function normalizeAddress(addr) {
+    if (!addr)
+        return '';
+    const normalized = addr.toLowerCase();
+    return normalized.startsWith('0x') ? normalized : `0x${normalized}`;
+}
+function guessAddress(author) {
+    if (!author)
+        return undefined;
+    if (/^0x[0-9a-fA-F]+$/.test(author.trim()))
+        return author.trim();
+    return undefined;
+}
+async function listStoredKeys() {
+    let entries;
+    try {
+        entries = await promises_1.default.readdir(exports.KEY_HOME, { withFileTypes: true });
+    }
+    catch (err) {
+        if (err?.code === 'ENOENT')
+            return [];
+        throw err;
+    }
+    const keys = [];
+    for (const entry of entries) {
+        if (!entry.isFile() || !entry.name.endsWith('.key'))
+            continue;
+        const file = path_1.default.join(exports.KEY_HOME, entry.name);
+        try {
+            const parsed = await readKeyFile(file);
+            const derived = parsed.address || ed25519_1.Ed25519Keypair.fromSecretKey(parsed.privateKey).getPublicKey().toSuiAddress();
+            keys.push({
+                address: normalizeAddress(derived),
+                alias: parsed.alias,
+                file,
+                createdAt: parsed.createdAt,
+            });
+        }
+        catch (err) {
+            // eslint-disable-next-line no-console
+            console.warn(`Skipping key ${file}: ${err.message}`);
+        }
+    }
+    return keys.sort((a, b) => (a.createdAt || '').localeCompare(b.createdAt || ''));
+}
+async function readActiveAddress() {
+    const cfg = await readGlobalConfig();
+    if (cfg.active_address)
+        return normalizeAddress(cfg.active_address);
+    const guessed = guessAddress(cfg.author);
+    return guessed ? normalizeAddress(guessed) : null;
+}
+async function setActiveAddress(address, opts) {
+    await upsertGlobalConfig((cfg) => {
+        const next = { ...cfg, active_address: normalizeAddress(address) };
+        if (opts?.alias)
+            next.key_alias = opts.alias;
+        if (opts?.updateAuthorIfUnknown && (!cfg.author || cfg.author === 'unknown')) {
+            next.author = normalizeAddress(address);
+        }
+        return next;
+    });
+}
+async function safeResolveWalrusConfig() {
+    try {
+        return await (0, walrus_1.resolveWalrusConfig)();
+    }
+    catch {
+        return null;
+    }
+}

package/dist/lib/manifest.js

@@ -0,0 +1,37 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.computeRootHash = computeRootHash;
+exports.buildManifest = buildManifest;
+const fs_1 = require("./fs");
+const serialize_1 = require("./serialize");
+const schema_1 = require("./schema");
+function computeRootHash(index) {
+    const entries = Object.keys(index)
+        .sort()
+        .map((rel) => {
+        const meta = index[rel];
+        return {
+            path: (0, fs_1.pathToPosix)(rel),
+            hash: meta.hash,
+            size: meta.size,
+            mode: meta.mode,
+            mtime: meta.mtime,
+        };
+    });
+    const serialized = (0, serialize_1.canonicalStringify)(entries);
+    return (0, serialize_1.sha256Base64)(serialized);
+}
+function buildManifest(index, quiltId) {
+    const files = {};
+    for (const rel of Object.keys(index).sort()) {
+        const posix = (0, fs_1.pathToPosix)(rel);
+        files[posix] = index[rel];
+    }
+    const manifest = {
+        version: 1,
+        quilt_id: quiltId,
+        root_hash: computeRootHash(index),
+        files,
+    };
+    return schema_1.ManifestSchema.parse(manifest);
+}

package/dist/lib/quilt.js

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchQuiltFileById = fetchQuiltFileById;
+exports.listQuiltIdentifiers = listQuiltIdentifiers;
+const walrus_1 = require("./walrus");
+async function fetchQuiltFileById(quiltId, identifier) {
+    const svc = await walrus_1.WalrusService.fromRepo();
+    // Prefer aggregator fast path; fallback to relay blob/files
+    try {
+        const bytes = await svc.readQuiltFile(quiltId, identifier);
+        return { bytes, tags: {} };
+    }
+    catch {
+        // fallback to relay
+    }
+    const blob = await svc.getClient().getBlob({ blobId: quiltId });
+    const files = await blob.files({ identifiers: [identifier] });
+    if (files.length) {
+        const file = files[0];
+        return { bytes: await file.bytes(), tags: await file.getTags() };
+    }
+    throw new Error(`Identifier not found in quilt: ${identifier}`);
+}
+async function listQuiltIdentifiers(quiltId) {
+    const svc = await walrus_1.WalrusService.fromRepo();
+    try {
+        const blob = await svc.getClient().getBlob({ blobId: quiltId });
+        const files = await blob.files();
+        const ids = await Promise.all(files.map((f) => f.getIdentifier()));
+        return ids.filter((i) => !!i).sort();
+    }
+    catch {
+        // fallback: getFiles and list identifiers
+        const files = await svc.getClient().getFiles({ ids: [quiltId] });
+        const ids = await Promise.all(files.map((f) => f.getIdentifier()));
+        return ids.filter((i) => !!i).sort();
+    }
+}

package/dist/lib/repo.js

@@ -0,0 +1,70 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.requireWitDir = requireWitDir;
+exports.readRepoConfig = readRepoConfig;
+exports.writeRepoConfig = writeRepoConfig;
+exports.readRemoteState = readRemoteState;
+exports.writeRemoteState = writeRemoteState;
+exports.readRemoteRef = readRemoteRef;
+exports.writeRemoteRef = writeRemoteRef;
+const promises_1 = __importDefault(require("fs/promises"));
+const path_1 = __importDefault(require("path"));
+const DEFAULT_REMOTE_REF = path_1.default.join('refs', 'remotes', 'main');
+async function requireWitDir(cwd = process.cwd()) {
+    const dir = path_1.default.join(cwd, '.wit');
+    try {
+        await promises_1.default.access(dir);
+        return dir;
+    }
+    catch {
+        throw new Error('Not a wit repository (missing .wit). Run `wit init` first.');
+    }
+}
+async function readRepoConfig(witPath) {
+    const file = path_1.default.join(witPath, 'config.json');
+    const raw = await promises_1.default.readFile(file, 'utf8');
+    return JSON.parse(raw);
+}
+async function writeRepoConfig(witPath, cfg) {
+    const file = path_1.default.join(witPath, 'config.json');
+    await promises_1.default.writeFile(file, JSON.stringify(cfg, null, 2) + '\n', 'utf8');
+}
+async function readRemoteState(witPath) {
+    const file = path_1.default.join(witPath, 'state', 'remote.json');
+    try {
+        const raw = await promises_1.default.readFile(file, 'utf8');
+        return JSON.parse(raw);
+    }
+    catch (err) {
+        if (err?.code === 'ENOENT')
+            return null;
+        throw err;
+    }
+}
+async function writeRemoteState(witPath, state) {
+    const file = path_1.default.join(witPath, 'state', 'remote.json');
+    await promises_1.default.mkdir(path_1.default.dirname(file), { recursive: true });
+    await promises_1.default.writeFile(file, JSON.stringify(state, null, 2) + '\n', 'utf8');
+}
+async function readRemoteRef(witPath) {
+    const file = path_1.default.join(witPath, DEFAULT_REMOTE_REF);
+    try {
+        const raw = await promises_1.default.readFile(file, 'utf8');
+        const val = raw.trim();
+        return val.length ? val : null;
+    }
+    catch (err) {
+        if (err?.code === 'ENOENT')
+            return null;
+        throw err;
+    }
+}
+async function writeRemoteRef(witPath, commitId) {
+    const file = path_1.default.join(witPath, DEFAULT_REMOTE_REF);
+    await promises_1.default.mkdir(path_1.default.dirname(file), { recursive: true });
+    const val = commitId ? `${commitId}\n` : '';
+    await promises_1.default.writeFile(file, val, 'utf8');
+}

package/dist/lib/schema.js

@@ -0,0 +1,53 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.QuiltSchema = exports.QuiltEntrySchema = exports.CommitSchema = exports.ManifestSchema = void 0;
+const zod_1 = require("zod");
+const fileMeta = zod_1.z.object({
+    hash: zod_1.z.string().min(1),
+    size: zod_1.z.number().int().nonnegative(),
+    mode: zod_1.z.string().regex(/^\d{6}$/),
+    mtime: zod_1.z.number().int().nonnegative(),
+    id: zod_1.z.string().min(1).optional(),
+    enc: zod_1.z
+        .object({
+        alg: zod_1.z.union([zod_1.z.literal('aes-256-gcm'), zod_1.z.literal('seal-aes-256-gcm')]),
+        iv: zod_1.z.string().min(1),
+        tag: zod_1.z.string().min(1),
+        policy: zod_1.z.string().min(1).optional(),
+        policy_id: zod_1.z.string().min(1).optional(),
+        package_id: zod_1.z.string().min(1).optional(),
+        sealed_session_key: zod_1.z.string().min(1).optional(),
+        cipher_size: zod_1.z.number().int().nonnegative().optional(),
+    })
+        .optional(),
+});
+exports.ManifestSchema = zod_1.z.object({
+    version: zod_1.z.literal(1),
+    quilt_id: zod_1.z.string().min(1),
+    root_hash: zod_1.z.string().min(1),
+    files: zod_1.z.record(fileMeta),
+});
+exports.CommitSchema = zod_1.z.object({
+    tree: zod_1.z.object({
+        quilt_id: zod_1.z.string().min(1).nullable(),
+        manifest_id: zod_1.z.string().min(1).nullable(),
+        root_hash: zod_1.z.string().min(1),
+        files: zod_1.z.record(fileMeta).optional(),
+    }),
+    parent: zod_1.z.string().min(1).nullable(),
+    author: zod_1.z.string().min(1),
+    message: zod_1.z.string().min(1),
+    timestamp: zod_1.z.number().int().nonnegative(),
+    extras: zod_1.z.object({
+        patch_id: zod_1.z.string().nullable(),
+        tags: zod_1.z.record(zod_1.z.string()),
+    }),
+});
+exports.QuiltEntrySchema = zod_1.z.object({
+    identifier: zod_1.z.string().min(1),
+    contents: zod_1.z.instanceof(Uint8Array).or(zod_1.z.any()),
+    tags: zod_1.z.record(zod_1.z.string()).optional(),
+});
+exports.QuiltSchema = zod_1.z.object({
+    blobs: zod_1.z.array(exports.QuiltEntrySchema),
+});

package/dist/lib/seal.js

@@ -0,0 +1,157 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getSealClient = getSealClient;
+exports.encryptWithSeal = encryptWithSeal;
+exports.decryptWithSeal = decryptWithSeal;
+const seal_1 = require("@mysten/seal");
+const seal_2 = require("@mysten/seal");
+const transactions_1 = require("@mysten/sui/transactions");
+const crypto_1 = __importDefault(require("crypto"));
+// Seal Testnet Servers
+const SEAL_SERVERS = [
+    {
+        objectId: '0x73d05d62c18d9374e3ea529e8e0ed6161da1a141a94d3f76ae3fe4e99356db75',
+        weight: 1,
+    },
+    {
+        objectId: '0xf5d14a81a982144ae441cd7d64b09027f116a468bd36e7eca494f750591623c8',
+        weight: 1,
+    },
+    {
+        objectId: '0x6068c0acb197dddbacd4746a9de7f025b2ed5a5b6c1b1ab44dade4426d141da2',
+        weight: 1,
+    }
+];
+let _sealClient = null;
+function getSealClient(suiClient) {
+    if (!_sealClient) {
+        _sealClient = new seal_1.SealClient({
+            serverConfigs: SEAL_SERVERS,
+            suiClient: suiClient, // Cast to compatible client
+        });
+    }
+    return _sealClient;
+}
+// WAIT! If I use Seal to encrypt the whole file, I rely on Seal's DEM (Data Encapsulation Mechanism).
+// Is it efficient for large files (GBs)?
+// It likely uses AES-GCM or Chacha20Poly1305.
+// But if I want to use my own chunking or streaming, I might want to encrypt a session key only.
+// If I encrypt a session key (32 bytes) with Seal.
+// I get `encryptedObject` (small).
+// And `key` (the key used to encrypt the session key).
+// This `key` is NOT the session key I passed!
+// It's the key derived from KEM.
+// So:
+// 1. Generate `mySessionKey` (32 bytes).
+// 2. Call `client.encrypt({ data: mySessionKey })`.
+// 3. Get `res.encryptedObject` (Sealed Session Key).
+// 4. Use `mySessionKey` to encrypt the file using AES-GCM.
+// This is the standard "Envelope Encryption" pattern.
+// And `decrypt`:
+// 1. Call `client.decrypt({ data: sealedSessionKey })`.
+// 2. Get `decryptedData` (which is `mySessionKey`).
+// 3. Use `mySessionKey` to decrypt the file.
+// This is better because it decouples file encryption from Seal SDK (which might change or have overhead).
+// And allows me to use standard AES-GCM.
+/**
+ * Encrypts data using Seal.
+ * 1. Seal SDK generates a symmetric key and encrypts it for the policy.
+ * 2. We use that symmetric key to encrypt the data (AES-GCM).
+ */
+async function encryptWithSeal(plain, policyId, packageId, suiClient) {
+    const client = getSealClient(suiClient);
+    // 1. Generate Session Key
+    const sessionKey = crypto_1.default.randomBytes(32);
+    const iv = crypto_1.default.randomBytes(12);
+    // 2. Seal the Session Key
+    const res = await client.encrypt({
+        packageId,
+        id: policyId,
+        data: sessionKey,
+        threshold: 1,
+    });
+    // 3. Encrypt Data with Session Key
+    const cipher = crypto_1.default.createCipheriv('aes-256-gcm', sessionKey, iv);
+    const cipherBuf = Buffer.concat([cipher.update(plain), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return {
+        cipher: cipherBuf,
+        meta: {
+            alg: 'seal-aes-256-gcm',
+            policy_id: policyId,
+            package_id: packageId,
+            sealed_session_key: Buffer.from(res.encryptedObject).toString('base64'),
+            iv: iv.toString('base64'),
+            tag: tag.toString('base64'),
+        },
+    };
+}
+// Rename to encryptWithSeal for compatibility
+/**
+ * Decrypts data using Seal.
+ */
+async function decryptWithSeal(cipher, meta, signer, suiClient) {
+    if (meta.alg !== 'seal-aes-256-gcm') {
+        throw new Error(`Unsupported encryption alg: ${meta.alg}`);
+    }
+    try {
+        const client = getSealClient(suiClient);
+        const sealedKey = Buffer.from(meta.sealed_session_key, 'base64');
+        // 1. Create Ephemeral Session Key for Seal Protocol
+        // This is NOT the AES key. This is for the decryption request.
+        const address = signer.getPublicKey().toSuiAddress();
+        const sessionKey = await seal_2.SessionKey.create({
+            address: address,
+            packageId: meta.package_id,
+            ttlMin: 10,
+            signer,
+            suiClient: suiClient,
+        });
+        // 2. Construct Transaction for seal_approve
+        const tx = new transactions_1.Transaction();
+        // Helper to convert hex to bytes
+        const policyIdBytes = fromHex(meta.policy_id);
+        tx.moveCall({
+            target: `${meta.package_id}::whitelist::seal_approve`,
+            arguments: [
+                tx.pure.vector('u8', policyIdBytes),
+                tx.object(meta.policy_id), // The Whitelist object itself
+            ],
+        });
+        // 3. Build the transaction to get txBytes
+        // Important: Use onlyTransactionKind: true as per Seal examples
+        const txBytes = await tx.build({ client: suiClient, onlyTransactionKind: true });
+        // 4. Decrypt the sealed session key
+        const sessionKeyBytes = await client.decrypt({
+            data: sealedKey,
+            sessionKey,
+            txBytes: Buffer.from(txBytes),
+        });
+        const decryptedSessionKey = Buffer.from(sessionKeyBytes);
+        // 5. Decrypt Data with the session key
+        const iv = Buffer.from(meta.iv, 'base64');
+        const tag = Buffer.from(meta.tag, 'base64');
+        const decipher = crypto_1.default.createDecipheriv('aes-256-gcm', decryptedSessionKey, iv);
+        decipher.setAuthTag(tag);
+        return Buffer.concat([decipher.update(cipher), decipher.final()]);
+    }
+    catch (err) {
+        // Handle specific error types with user-friendly messages
+        if (err.name === 'NoAccessError' || err.message?.includes('does not have access')) {
+            throw new Error('NoAccess: User is not whitelisted for this repository');
+        }
+        if (err.name === 'TimeoutError' || err.message?.includes('timeout')) {
+            throw new Error('Timeout: Unable to connect to Seal servers');
+        }
+        // For other errors, throw with original message
+        throw new Error(`Seal decryption failed: ${err.message || err}`);
+    }
+}
+function fromHex(hex) {
+    if (hex.startsWith('0x'))
+        hex = hex.slice(2);
+    return Array.from(Buffer.from(hex, 'hex'));
+}

package/dist/lib/serialize.js

@@ -0,0 +1,30 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.canonicalize = canonicalize;
+exports.canonicalStringify = canonicalStringify;
+exports.sha256Base64 = sha256Base64;
+const crypto_1 = __importDefault(require("crypto"));
+function canonicalize(value) {
+    if (Array.isArray(value)) {
+        return value.map(canonicalize);
+    }
+    if (value && typeof value === 'object') {
+        const sortedKeys = Object.keys(value).sort();
+        const result = {};
+        for (const key of sortedKeys) {
+            result[key] = canonicalize(value[key]);
+        }
+        return result;
+    }
+    return value;
+}
+function canonicalStringify(value) {
+    return JSON.stringify(canonicalize(value)) + '\n';
+}
+function sha256Base64(data) {
+    const buf = Buffer.isBuffer(data) ? data : Buffer.from(data);
+    return 'sha256-' + crypto_1.default.createHash('sha256').update(buf).digest('base64');
+}

package/dist/lib/state.js

@@ -0,0 +1,57 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.readHeadRefPath = readHeadRefPath;
+exports.readRef = readRef;
+exports.readCommitById = readCommitById;
+exports.idToFileName = idToFileName;
+exports.readCommitIdMap = readCommitIdMap;
+exports.writeCommitIdMap = writeCommitIdMap;
+const promises_1 = __importDefault(require("fs/promises"));
+const path_1 = __importDefault(require("path"));
+async function readHeadRefPath(witPath) {
+    const headFile = path_1.default.join(witPath, 'HEAD');
+    const raw = await promises_1.default.readFile(headFile, 'utf8');
+    const ref = raw.trim() || 'refs/heads/main';
+    return path_1.default.join(witPath, ref);
+}
+async function readRef(refPath) {
+    try {
+        const raw = await promises_1.default.readFile(refPath, 'utf8');
+        const val = raw.trim();
+        return val.length ? val : null;
+    }
+    catch (err) {
+        if (err?.code === 'ENOENT')
+            return null;
+        throw err;
+    }
+}
+async function readCommitById(witPath, commitId) {
+    const file = path_1.default.join(witPath, 'objects', 'commits', `${idToFileName(commitId)}.json`);
+    const raw = await promises_1.default.readFile(file, 'utf8');
+    return JSON.parse(raw);
+}
+function idToFileName(id) {
+    return id.replace(/\//g, '_').replace(/\+/g, '-');
+}
+const MAP_REL = path_1.default.join('objects', 'maps', 'commit_id_map.json');
+async function readCommitIdMap(witPath) {
+    const file = path_1.default.join(witPath, MAP_REL);
+    try {
+        const raw = await promises_1.default.readFile(file, 'utf8');
+        return JSON.parse(raw);
+    }
+    catch (err) {
+        if (err?.code === 'ENOENT')
+            return {};
+        throw err;
+    }
+}
+async function writeCommitIdMap(witPath, map) {
+    const file = path_1.default.join(witPath, MAP_REL);
+    await promises_1.default.mkdir(path_1.default.dirname(file), { recursive: true });
+    await promises_1.default.writeFile(file, JSON.stringify(map, null, 2) + '\n', 'utf8');
+}