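// 实现示例 (Implementation example)

/** Claims taken from a provenance statement. `iat` and `exp` are Unix timestamps in seconds. */
type Provenance = { iss: string; sub: string; repo: string; iat: number; exp: number };

/**
 * Admission policy consumed by {@link gate}.
 * `allowIss` holds issuer origins (scheme + host + port), `allowRepo` must be an anchored
 * pattern, `maxTtlSec` bounds `exp - iat`, and `leewaySec` is the tolerated clock skew
 * (defaults to 60 seconds when omitted).
 */
type GatePolicy = { allowIss: Set<string>; allowRepo: RegExp; maxTtlSec: number; leewaySec?: number };

/**
 * Returns true when `now` lies inside [created, expires], widened by `leewaySec` of clock
 * skew on both ends. All time arguments are milliseconds.
 * Rejects an empty or inverted window (expires <= created) and any non-finite input, so a
 * NaN produced by a malformed claim can never pass as "in window".
 */
function within(created: number, expires: number, now: number, leewaySec: number): boolean {
  if (![created, expires, now, leewaySec].every(Number.isFinite)) return false;
  if (expires <= created) return false;
  const skewMs = leewaySec * 1000;
  return now + skewMs >= created && now - skewMs <= expires;
}

/**
 * Accepts `iss` only when it parses as an https URL whose origin is allow-listed.
 * Matching on `origin` drops path, query, fragment and any userinfo, so allow-list entries
 * must themselves be bare origins (e.g. 'https://issuer.example' — constructed value).
 * Unparseable input (including non-string values) yields false rather than throwing.
 */
function validIssuer(iss: string, allow: Set<string>): boolean {
  let parsed: URL;
  try {
    parsed = new URL(iss);
  } catch {
    return false;
  }
  return parsed.protocol === 'https:' && allow.has(parsed.origin);
}

/**
 * Tests `repo` against the policy pattern.
 * `lastIndex` is reset first: RegExp.prototype.test is stateful for patterns compiled with
 * the `g` or `y` flag, and without the reset the same repo could alternately pass and fail
 * on consecutive calls. The pattern itself should be anchored (`^...$`); an unanchored
 * pattern only requires a substring match, which is not a meaningful allow-list.
 */
function validRepo(repo: string, allow: RegExp): boolean {
  allow.lastIndex = 0;
  return allow.test(repo);
}

/**
 * Evaluates provenance claims against an admission policy and reports every failed check.
 * Note that `sub` is not inspected here; binding to a specific subject is the caller's job.
 *
 * @param p      claims from the provenance statement (`iat`/`exp` in Unix seconds)
 * @param policy allowed issuer origins, repo pattern, maximum lifetime and optional skew
 * @param now    evaluation time in milliseconds; defaults to `Date.now()`, injectable for
 *               deterministic tests and for evaluating against a recorded timestamp
 * @returns `ok` is true only when `errors` is empty; `errors` lists the failed checks in
 *          evaluation order using the tags 'iss', 'repo', 'time' and 'ttl'
 */
function gate(p: Provenance, policy: GatePolicy, now: number = Date.now()): { ok: boolean; errors: string[] } {
  const errors: string[] = [];
  const leewaySec = policy.leewaySec ?? 60;
  if (!validIssuer(p.iss, policy.allowIss)) errors.push('iss');
  if (!validRepo(p.repo, policy.allowRepo)) errors.push('repo');
  const iatMs = p.iat * 1000;
  const expMs = p.exp * 1000;
  if (!within(iatMs, expMs, now, leewaySec)) errors.push('time');
  // Lifetime is checked independently of `now`: an over-long statement is rejected even
  // while it is currently inside its validity window.
  if (expMs - iatMs > policy.maxTtlSec * 1000) errors.push('ttl');
  return { ok: errors.length === 0, errors };
}

// 审计与发布治理 -- 审计发行方、仓库与时间窗口;异常阻断并输出修复建议。策略变更需审批与归档。
// (Audit and release governance: audit the issuer, repository and time window; block on
// anomalies and emit remediation guidance. Policy changes require approval and archival.)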
