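/**
 * Publish primitives for `zveltio extension publish` (S4-05).
 *
 * Pure functions: WebCrypto Ed25519 keypairs, archive hashing, signature
 * envelope shape that matches the engine's verifier (S1-01). No filesystem,
 * no HTTP — the CLI layers those on top.
 *
 * Storage format: JWK. We pick JWK over PKCS#8 because it is JSON-native
 * (one file per key, plain `Bun.write`), works in Cloudflare Workers without
 * conversion, and survives copy-paste through environment variables.
 *
 * NOTE(review): that last property matters for the public half. A private JWK
 * placed in an environment variable is inherited by child processes and tends
 * to end up in CI logs and crash reports; keep `privateJwk` in a mode-600 file
 * or a secret store instead.
 *
 * Signature shape mirrors `ExtensionSignature` in
 * `packages/engine/src/lib/signature-verify.ts` so the engine can verify
 * archives produced here without translation.
 *
 * This is a declaration file: it fixes the types only. The Promise result
 * types below are written out explicitly, since a bare `Promise` does not
 * type-check.
 */

/** Stored keypair format. Matches WebCrypto JWK + a Zveltio-specific keyId. */
export interface ZveltioKeypair {
  /**
   * Stable identifier; default is a short random hex string.
   * It is a label, not a fingerprint: nothing here ties it to the key material.
   */
  keyId: string;
  /** Created-at, RFC 3339. Informational. */
  createdAt: string;
  /** Public half — safe to share. */
  publicJwk: JsonWebKey;
  /**
   * Private half — keep on disk + permission 600.
   * Serializing the whole `ZveltioKeypair` (logs, bug reports, registry
   * uploads) discloses this field; hand out `publicJwk` on its own.
   */
  privateJwk: JsonWebKey;
}

/**
 * Signature envelope written next to `.zvext` as `.zvext.sig`.
 *
 * Per the `signBundle` contract the signature covers only the hex digest, so
 * `signedAt` and `keyId` are not authenticated by it. Anyone who can rewrite
 * the `.sig` file can change them without invalidating the signature.
 */
export interface ExtensionSignature {
  /**
   * Always `'ed25519'`. The literal type is erased at runtime, so a parsed
   * `.zvext.sig` has to be checked for this value explicitly.
   */
  algorithm: 'ed25519';
  /** Base64 of the 64-byte Ed25519 signature. */
  signature: string;
  /**
   * Hex of sha256(archive bytes).
   * A verifier must recompute this from the archive it actually received and
   * compare; trusting the stored value alone would let a valid envelope be
   * paired with a different archive.
   */
  bundleSha256: string;
  /** RFC 3339, informational. Not signed — unsuitable for freshness or expiry checks. */
  signedAt: string;
  /**
   * Key identifier — engine looks this up in its trusted keys list.
   * Not signed; it only selects which trusted key the signature is tried against.
   */
  keyId: string;
}

/** Hex-encode a byte buffer. */
declare function bytesToHex(bytes: ArrayBuffer | Uint8Array): string;

/** Base64-encode a byte array. */
declare function bytesToBase64(bytes: Uint8Array): string;

/** Decode a base64 string into bytes. */
declare function base64ToBytes(b64: string): Uint8Array;

/** Compute sha256(bytes) → lowercase hex. */
export declare function sha256Hex(bytes: Uint8Array): Promise<string>;

/**
 * Generate a fresh Ed25519 keypair.
 *
 * @param keyId Optional stable identifier. If omitted, generates a short
 *              random hex string. Useful to keep human-readable
 *              ("zveltio-prod-2026") or to scope per-publisher.
 * @returns The new keypair, private half included — the caller is responsible
 *          for where `privateJwk` is stored.
 */
export declare function generateKeypair(keyId?: string): Promise<ZveltioKeypair>;

/** Import a private JWK back into a CryptoKey usable for signing. */
export declare function importPrivateKey(jwk: JsonWebKey): Promise<CryptoKey>;

/** Import a public JWK back into a CryptoKey usable for verification. */
export declare function importPublicKey(jwk: JsonWebKey): Promise<CryptoKey>;

/**
 * Build the signature envelope for a given archive.
 *
 * Signs over the UTF-8 bytes of the lowercase hex sha256 — same shape the
 * engine verifier (`verifySignature`) expects. Stays away from signing the
 * raw archive directly so the signature payload is a fixed 64 bytes
 * regardless of archive size.
 *
 * The signed payload is the digest alone: no extension name, version or
 * `keyId` is bound into it, so the signature says "this key signed these
 * bytes" and nothing about which release they belong to.
 *
 * @param archive Raw bytes of the `.zvext` archive.
 * @param keypair Keypair whose private half signs and whose `keyId` is
 *                recorded in the envelope.
 * @returns The envelope to write next to the archive as `.zvext.sig`.
 */
export declare function signBundle(archive: Uint8Array, keypair: ZveltioKeypair): Promise<ExtensionSignature>;

/**
 * Verify a signature against an archive — symmetric to the engine's
 * `verifySignature`. Returned errors are plain strings so the CLI can
 * print them without leaking internal types.
 *
 * `ok: true` speaks only for the `publicJwk` passed in. Whether that key is
 * one the caller should trust — and whether it is the key `signature.keyId`
 * names — is the caller's decision, made before this call.
 *
 * NOTE(review): the implementation is not visible from this declaration;
 * confirm it rejects an unexpected `algorithm` and recomputes the sha256 from
 * `archive` rather than relying on `signature.bundleSha256`.
 */
export declare function verifyBundle(
  archive: Uint8Array,
  signature: ExtensionSignature,
  publicJwk: JsonWebKey,
): Promise<{ ok: true } | { ok: false; reason: string }>;

/**
 * Convenience: derive a registry-style "trusted key" entry from a public
 * JWK so a publisher can copy-paste it into the engine's
 * `REGISTRY_PUBLIC_KEYS_JSON` env (or hand it to the registry admin).
 *
 * Returns `{ keyId, publicKeyHex }` — exact shape the engine's
 * `registry-keys.ts` parser expects.
 *
 * Pass `publicJwk` only. A JWK carrying a `d` member is a private key and has
 * no business in anything that gets pasted into configuration.
 */
export declare function exportTrustedKeyEntry(
  keyId: string,
  publicJwk: JsonWebKey,
): Promise<{ keyId: string; publicKeyHex: string }>;

/**
 * The module's byte-encoding helpers, re-exported as one object.
 * The underscore prefix suggests this is not public API (presumably exposed
 * for tests) — TODO confirm.
 */
export declare const _bytes: {
  bytesToHex: typeof bytesToHex;
  bytesToBase64: typeof bytesToBase64;
  base64ToBytes: typeof base64ToBytes;
};

export {};
//# sourceMappingURL=index.d.ts.map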