Add TypeScript port (vectorpin npm package)

Third reference implementation alongside Python and Rust. Same
protocol version 1, same canonicalization (sorted-key compact JSON,
NFC-normalized UTF-8, little-endian f32/f64 vector bytes). Pins
produced by any of the three implementations verify on the other
two; enforced by `testvectors/v1.json` and `negative_v1.json`,
which the new TS test suite consumes byte-for-byte alongside the
existing Rust cross_lang test.

Layout (typescript/):
  src/
    attestation.ts   Pin / PinHeader / canonicalJsonStringify /
                     base64url helpers
    hash.ts          canonicalVectorBytes, hashText, hashVector
    signer.ts        Signer with named-options pin()
    verifier.ts      Verifier, VerifyErrorCode (string-valued enum
                     matching the Python wire form)
    index.ts         public API
  test/
    hash.test.ts             unit tests for canonicalization and SHA-256
    signer-verifier.test.ts  honest verify, every failure mode,
                             rotation, JSON round-trip
    cross-lang.test.ts       loads testvectors/*.json and asserts
                             byte-for-byte parity with Python/Rust

Crypto via @noble/ed25519 + @noble/hashes — pure JavaScript, no
native deps, works in Node 20+, Deno, Bun, and Cloudflare Workers.
The package is ESM-only; built artifacts ship from dist/.

All 28 TS tests pass (including the cross-language fixture suite
that exercises the same private seed and timestamps Python and
Rust use).

Author: jaschadub

README.md

@@ -5,6 +5,7 @@
 [![License: Apache 2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0)
 [![Python 3.11+](https://img.shields.io/badge/python-3.11+-blue.svg)](https://www.python.org/downloads/)
 [![Rust stable](https://img.shields.io/badge/rust-stable-orange.svg)](https://www.rust-lang.org/)
+[![Node 20+](https://img.shields.io/badge/node-20+-green.svg)](https://nodejs.org/)
 [![Status: alpha](https://img.shields.io/badge/status-alpha-orange.svg)](#status)
 [![DOI](https://zenodo.org/badge/DOI/10.5281/zenodo.20058256.svg)](https://doi.org/10.5281/zenodo.20058256)
 
@@ -87,7 +88,32 @@ let result = verifier.verify_full::<&[f32]>(
 assert!(result.is_ok());
 ```
 
-The Python and Rust implementations are byte-for-byte compatible. A pin produced by either side verifies on both, enforced by shared test vectors at [`testvectors/v1.json`](testvectors/) consumed in both test suites.
+### TypeScript / JavaScript
+
+```bash
+npm install vectorpin
+```
+
+```ts
+import { Signer, Verifier } from 'vectorpin';
+
+const signer = Signer.generate('prod-2026-05');
+const embedding = new Float32Array(/* ... 3072 floats from your model ... */);
+const pin = signer.pin({
+  source: 'The quick brown fox.',
+  model: 'text-embedding-3-large',
+  vector: embedding,
+});
+
+const verifier = new Verifier({ [signer.keyId]: signer.publicKeyBytes() });
+const result = verifier.verify(pin, {
+  source: 'The quick brown fox.',
+  vector: embedding,
+});
+if (!result.ok) throw new Error(`integrity failure: ${result.error}`);
+```
+
+The Python, Rust, and TypeScript implementations are byte-for-byte compatible. A pin produced by any of them verifies on the other two, enforced by shared test vectors at [`testvectors/v1.json`](testvectors/) consumed in all three test suites. The TS port is pure JavaScript via [`@noble/ed25519`](https://github.com/paulmillr/noble-ed25519) and [`@noble/hashes`](https://github.com/paulmillr/noble-hashes), so it also runs in Deno, Bun, and edge runtimes.
 
 ## What VectorPin guarantees
 

typescript/.gitignore

@@ -0,0 +1,5 @@
+node_modules/
+dist/
+*.log
+.npm
+.DS_Store

typescript/README.md

@@ -0,0 +1,55 @@
+# vectorpin (TypeScript)
+
+TypeScript / JavaScript reference implementation of VectorPin, byte-for-byte compatible with the Python and Rust ports.
+
+```bash
+npm install vectorpin
+```
+
+```ts
+import { Signer, Verifier } from 'vectorpin';
+
+// At ingestion time
+const signer = Signer.generate('prod-2026-05');
+const embedding = new Float32Array(/* ... 3072 floats from your model ... */);
+const pin = signer.pin({
+  source: 'The quick brown fox.',
+  model: 'text-embedding-3-large',
+  vector: embedding,
+});
+// Store JSON.stringify-able pin alongside the embedding in your vector DB metadata.
+import { pinToJSON } from 'vectorpin';
+const json = pinToJSON(pin);
+
+// At read/audit time
+const verifier = new Verifier({ [signer.keyId]: signer.publicKeyBytes() });
+const result = verifier.verify(pin, {
+  source: 'The quick brown fox.',
+  vector: embedding,
+});
+if (!result.ok) {
+  throw new Error(`integrity failure: ${result.error} - ${result.detail}`);
+}
+```
+
+## Compatibility
+
+The TypeScript port consumes the same `testvectors/v1.json` and `testvectors/negative_v1.json` fixtures the Python and Rust ports use in CI. A pin produced by any of the three implementations verifies on the other two; canonical bytes and signatures are identical byte-for-byte.
+
+## Runtime support
+
+- Node.js 20+ (uses `Buffer.from(s, 'base64url')` and `globalThis.crypto.getRandomValues`).
+- The crypto path is pure JavaScript via [`@noble/ed25519`](https://github.com/paulmillr/noble-ed25519) and [`@noble/hashes`](https://github.com/paulmillr/noble-hashes), so it also works in Deno, Bun, and Cloudflare Workers. Replace the `Buffer.from('base64url')` calls if you target a runtime without `Buffer`.
+
+## Build & test
+
+```bash
+npm install
+npm run typecheck   # tsc --noEmit
+npm test            # node:test via tsx
+npm run build       # emit dist/
+```
+
+## License
+
+Apache 2.0. See `../LICENSE`.