Function isProvenanceError

Source
Expand description

Public API barrel for node-addon-slsa. Consumers import from here; everything re-exported is covered by semver.

Two entry points, picked by integration style:

  • verifyPackage — verify an already-installed package, then call verifyAddonFromFile on each binary the host is about to load.
  • requireAddon — one-call loader: verifies, downloads if missing, and require()s the .node binary. Use when postinstall scripts are blocked (e.g. pnpm ≥ 10 default config).
import { verifyPackage, requireAddon } from "node-addon-slsa";

// Host-orchestrated flow:
const p = await verifyPackage({ packageName: "my-addon", repo: "owner/repo" });
await p.verifyAddonFromFile("/path/to/addon.node.gz");

// Consuming-package flow (called from inside the addon package):
const addon = await requireAddon<MyAddon>();

Workspace-internal primitives (branded-type constructors, manifest shapes, low-level HTTP/FS helpers) live under @node-addon-slsa/internal and are not covered by semver.

isProvenanceError(err: unknown): err is ProvenanceError

Type guard for ProvenanceError. Use in catch blocks to distinguish security failures from transient errors.