From 435e3151d6623fbe9b92fdb08ea2a0da2927fea3 Mon Sep 17 00:00:00 2001
From: Bernhard Seefeld <berni@common.tools>
Date: Wed, 1 Oct 2025 16:30:43 -0700
Subject: [PATCH 1/2] Fix TypeScript errors after Deno upgrade to 2.5.2
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Deno 2.5.2 has stricter type checking for WebCrypto and Web APIs.
Uint8Array now has a buffer property typed as ArrayBufferLike
(ArrayBuffer | SharedArrayBuffer), but WebCrypto APIs require the
stricter BufferSource type with ArrayBuffer specifically.

Added explicit type casts to satisfy the stricter type requirements:
- crypto.subtle.sign/verify/digest/importKey now require BufferSource casts
- WebAuthn credential creation requires BufferSource casts for challenge and user.id
- Response constructor requires BodyInit cast for Uint8Array bodies

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 packages/charm/deno.json                        |  2 +-
 packages/identity/src/ed25519/native.ts         | 12 ++++++------
 packages/identity/src/pass-key.ts               | 10 +++++++---
 packages/identity/src/utils.ts                  |  4 +++-
 packages/static/etag.ts                         |  2 +-
 packages/toolshed/routes/static/static.index.ts |  2 +-
 tasks/check.sh                                  |  2 +-
 7 files changed, 20 insertions(+), 14 deletions(-)

diff --git a/packages/charm/deno.json b/packages/charm/deno.json
index 7fc239163..a9df87714 100644
--- a/packages/charm/deno.json
+++ b/packages/charm/deno.json
@@ -1,7 +1,7 @@
 {
   "name": "@commontools/charm",
   "tasks": {
-    "test": "deno test --allow-env --allow-ffi --allow-read"
+    "test": "deno test --allow-env --allow-ffi --allow-read --allow-write"
   },
   "exports": {
     ".": "./src/index.ts",
diff --git a/packages/identity/src/ed25519/native.ts b/packages/identity/src/ed25519/native.ts
index b9ac5d275..cfde6fc8a 100644
--- a/packages/identity/src/ed25519/native.ts
+++ b/packages/identity/src/ed25519/native.ts
@@ -59,7 +59,7 @@ export class NativeEd25519Signer<ID extends DIDKey> implements Signer<ID> {
         await globalThis.crypto.subtle.sign(
           ED25519_ALG,
           this.#keypair.privateKey,
-          payload,
+          payload as BufferSource,
         ),
       );
 
@@ -76,7 +76,7 @@ export class NativeEd25519Signer<ID extends DIDKey> implements Signer<ID> {
     const rawPublic = await ed25519.getPublicKeyAsync(rawPrivateKey);
     const privateKey = await globalThis.crypto.subtle.importKey(
       "pkcs8",
-      pkcs8Private,
+      pkcs8Private as BufferSource,
       ED25519_ALG,
       false,
       ["sign"],
@@ -84,7 +84,7 @@ export class NativeEd25519Signer<ID extends DIDKey> implements Signer<ID> {
     // Set the public key to be extractable for DID generation.
     const publicKey = await globalThis.crypto.subtle.importKey(
       "raw",
-      rawPublic,
+      rawPublic as BufferSource,
       ED25519_ALG,
       true,
       [
@@ -135,8 +135,8 @@ export class NativeEd25519Verifier<ID extends DIDKey> implements Verifier<ID> {
       await globalThis.crypto.subtle.verify(
         ED25519_ALG,
         this.#publicKey,
-        signature,
-        payload,
+        signature as BufferSource,
+        payload as BufferSource,
       )
     ) {
       return { ok: {} };
@@ -159,7 +159,7 @@ export class NativeEd25519Verifier<ID extends DIDKey> implements Verifier<ID> {
     // Set the public key to be extractable for DID generation.
     const publicKey = await globalThis.crypto.subtle.importKey(
       "raw",
-      rawPublicKey,
+      rawPublicKey as BufferSource,
       ED25519_ALG,
       true,
       [
diff --git a/packages/identity/src/pass-key.ts b/packages/identity/src/pass-key.ts
index 907982358..45dd86ab6 100644
--- a/packages/identity/src/pass-key.ts
+++ b/packages/identity/src/pass-key.ts
@@ -84,9 +84,13 @@ export class PassKey {
     };
 
     const publicKey: PublicKeyCredentialCreationOptions = {
-      challenge,
+      challenge: challenge as BufferSource,
       rp: { id: RP_ID(), name: RP },
-      user,
+      user: {
+        id: userId as BufferSource,
+        name,
+        displayName,
+      },
       attestation: "none", // default
       authenticatorSelection: {
         // "Resident Keys" have been renamed to "Discoverable Keys",
@@ -130,7 +134,7 @@ export class PassKey {
     const credential = (await navigator.credentials.get({
       publicKey: {
         allowCredentials,
-        challenge: random(32),
+        challenge: random(32) as BufferSource,
         rpId: RP_ID(),
         userVerification: userVerification ?? "preferred",
         extensions: { prf: { eval: { first: PRF_SALT } } },
diff --git a/packages/identity/src/utils.ts b/packages/identity/src/utils.ts
index f6f852059..84ad67cd8 100644
--- a/packages/identity/src/utils.ts
+++ b/packages/identity/src/utils.ts
@@ -26,5 +26,7 @@ export function once(
 const HASH_ALG = "SHA-256";
 // Hash input via SHA-256.
 export async function hash(input: Uint8Array): Promise<Uint8Array> {
-  return new Uint8Array(await globalThis.crypto.subtle.digest(HASH_ALG, input));
+  return new Uint8Array(
+    await globalThis.crypto.subtle.digest(HASH_ALG, input as BufferSource),
+  );
 }
diff --git a/packages/static/etag.ts b/packages/static/etag.ts
index 1940026a8..2c5a5ea7d 100644
--- a/packages/static/etag.ts
+++ b/packages/static/etag.ts
@@ -8,7 +8,7 @@
  * Returns a base64-encoded hash in quotes.
  */
 export async function generateETag(content: Uint8Array): Promise<string> {
-  const hash = await crypto.subtle.digest("SHA-256", content);
+  const hash = await crypto.subtle.digest("SHA-256", content as BufferSource);
   const base64 = btoa(String.fromCharCode(...new Uint8Array(hash)))
     .replace(/\+/g, "-")
     .replace(/\//g, "_")
diff --git a/packages/toolshed/routes/static/static.index.ts b/packages/toolshed/routes/static/static.index.ts
index d8d045de3..e7877759a 100644
--- a/packages/toolshed/routes/static/static.index.ts
+++ b/packages/toolshed/routes/static/static.index.ts
@@ -43,7 +43,7 @@ router.get("/static/*", async (c) => {
   // Simple caching: always validate with ETag
   const cacheHeaders = createCacheHeaders(etag);
 
-  return new Response(buffer, {
+  return new Response(buffer as BodyInit, {
     status: 200,
     headers: {
       "Content-Type": mimeType,
diff --git a/tasks/check.sh b/tasks/check.sh
index 2e217deb9..7e6c6dde0 100755
--- a/tasks/check.sh
+++ b/tasks/check.sh
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -e
 
-DENO_VERSION_REQUIRED="2.4.5"
+DENO_VERSION_REQUIRED="2.5.2"
 # This is more portable than parsing `deno --version`
 DENO_VERSION=$(echo "console.log(Deno.version.deno)" | deno run -)
 if [ "$DENO_VERSION" != "$DENO_VERSION_REQUIRED" ]; then

From b06c8765054c3d2d42463137756160758c829eca Mon Sep 17 00:00:00 2001
From: Bernhard Seefeld <berni@common.tools>
Date: Wed, 1 Oct 2025 16:34:23 -0700
Subject: [PATCH 2/2] support multiple deno versions during transition

---
 tasks/check.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tasks/check.sh b/tasks/check.sh
index 7e6c6dde0..2aa866b98 100755
--- a/tasks/check.sh
+++ b/tasks/check.sh
@@ -1,11 +1,11 @@
 #!/usr/bin/env bash
 set -e
 
-DENO_VERSION_REQUIRED="2.5.2"
+DENO_VERSIONS_ALLOWED=("2.5.2" "2.4.5")
 # This is more portable than parsing `deno --version`
 DENO_VERSION=$(echo "console.log(Deno.version.deno)" | deno run -)
-if [ "$DENO_VERSION" != "$DENO_VERSION_REQUIRED" ]; then
-  echo "ERROR: Deno version is $DENO_VERSION, expected $DENO_VERSION_REQUIRED."
+if [[ ! " ${DENO_VERSIONS_ALLOWED[@]} " =~ " ${DENO_VERSION} " ]]; then
+  echo "ERROR: Deno version is $DENO_VERSION, expected one of: ${DENO_VERSIONS_ALLOWED[*]}."
   exit 1
 fi