Project node-addon-slsa

Namespaces§

PackageProvenance: Provenance handle returned by verifyPackage.
ProvenanceErrorKind: Discriminator for programmatic dispatch on provenance failures. Kept as a union so future causes can be added without breaking the catch shape — currently just one case.
RequireAddonOptions: Options for requireAddon. Extends VerifyOptions with a single extra field identifying which package's addon to load.
VerifyOptions: Consumer-side verification options. All fields optional — defaults apply to the common case. Escape hatches are for heavy callers (reusing a verifier across calls) and slow networks (timeouts / retries).
VerifyPackageOptions: Options for verifyPackage.

isProvenanceError: Public API barrel for node-addon-slsa. Consumers import from here; everything re-exported is covered by semver.
requireAddon: Returns the native addon, running the slsa wget flow (verify + download) first when the binary is missing on disk.
verifyPackage: Verify an installed npm package's SLSA manifest and return a handle for per-addon provenance verification. Manifest-level checks run once; the returned handle reuses them across every addon file the caller feeds in, so call verifyPackage once and verifyAddonFromFile for each .node binary the host is about to load.

ProvenanceError: Thrown when provenance verification detects a security issue. The message is prefixed with SECURITY: and includes remediation advice. kind lets callers dispatch without regex-matching the message.