@noidme/capabilities
v0.1.0-beta.0
Published
Boot capability gate for privacy/consent SDKs. Detects up front whether the browser has crypto.subtle, WebCrypto Ed25519 (for verifying signed config), service workers, and usable cookies — so you fall back to a bundled/last-good policy and emit a health
Maintainers
Readme
@noidme/capabilities
Zero-dependency browser capability probe for privacy/consent SDKs that load a signed configuration. Detects up front whether the runtime has the primitives such a stack needs — so an integrator can fall back gracefully instead of silently failing closed.
Extracted from noidme.js; usable standalone.
Why
A signed-config privacy SDK verifies its policy with WebCrypto Ed25519. On older Safari
(< 17), legacy Android WebViews, or a non-secure context, crypto.subtle (or Ed25519
specifically) is absent. Without an up-front check, key import throws, the policy never loads,
and the SDK silently stops enforcing. Probe first, then decide: load a bundled/last-good
policy, degrade a feature, or emit a health signal.
Install
npm i @noidme/capabilitiesUsage
import { detectCapabilities } from '@noidme/capabilities';
const caps = await detectCapabilities(); // async — always await it
// { subtleCrypto: boolean, ed25519: boolean, serviceWorker: boolean, cookies: boolean }
if (!caps.ed25519) {
// WebCrypto can't verify the signed policy — use a bundled fallback + report health.
}Secure context required.
crypto.subtleis unavailable on plain HTTP, so on an insecure originsubtleCryptoanded25519both returnfalse. That's the intended signal — treat it as "verification unavailable here".
Script tag (IIFE global)
<!-- Self-host this file in production — an external CDN origin must be added to your
script-src, which a strict privacy CSP forbids. unpkg is fine for a quick eval only. -->
<script src="/vendor/capabilities.global.js"></script>
<script>
NoidmeCapabilities.detectCapabilities().then(caps => console.log(caps));
</script>API
detectCapabilities(): Promise<Capabilities>
| field | meaning |
| -------------- | ------------------------------------------------------------------------ |
| subtleCrypto | crypto.subtle present (a secure context). |
| ed25519 | WebCrypto can import + verify an Ed25519 public key — the exact operation a signed-config loader depends on (not generateKey, which a partial engine can support independently). |
| serviceWorker| navigator.serviceWorker.register is present (absent in iOS in-app webviews / private mode). Presence only — it does not guarantee registration succeeds. |
| cookies | document.cookie is a readable string (consent persistence). A read-only check, so it can read true in a sandboxed iframe that still can't persist. |
The probe is non-destructive — the Ed25519 check imports a throwaway raw public key for
verify and never touches storage or the network.
License
MIT
