@adastracomputing/ink 0.2.0 → 0.4.0

package/dist/discovery/agent-card.d.ts

@@ -24,13 +24,15 @@ export interface FetchAgentCardOptions {
      * connect targets (e.g. undici with a custom dispatcher on Node, or
      * `cf: { resolveOverride: validatedIp }` on Cloudflare Workers). */
     fetch?: typeof fetch;
-    /** Strict mode: require that the caller supply `options.fetch`. When
-     * true, the default global `fetch` is refused for non-literal hostnames
-     * because the default cannot perform connect-time IP filtering and is
-     * therefore vulnerable to DNS rebinding. Off by default for backwards
-     * compatibility; on by default for any production integration where
-     * `baseUrl` is taken from untrusted input. Returns null without
-     * fetching when the condition fails. */
+    /** Strict mode: require that the caller supply `options.fetch`, returning
+     * null (without fetching) if it is absent. This only guarantees that *some*
+     * fetch override was provided; it does NOT and cannot verify that the
+     * override pins connect-time IPs, so passing `requireSafeFetch: true` with
+     * the plain global `fetch` does not close the DNS-rebinding window. The
+     * literal-private-IP allowlist this module applies to `baseUrl` does not stop
+     * a public hostname that resolves to a private address at fetch time; only a
+     * connect-time-IP-pinning `options.fetch` (for example a custom undici
+     * dispatcher) does. Off by default for backwards compatibility. */
     requireSafeFetch?: boolean;
 }
 /**

package/dist/index.d.ts

@@ -1,15 +1,15 @@
 export { signInkMessage, verifyInkSignature, buildSignatureBase, buildAuthHeader, computeMessageHash, computeEventHash, computeAuditMerkleLeafHash, signAuditEvent, verifyAuditEventSignature, signAuditResponse, verifyAuditResponseSignature, verifyAuditEventChain, signAuditQueryResponse, verifyAuditQueryResponseSignature, encryptInkPayload, decryptInkPayload, checkReplay, base64urlEncode, base64urlDecode, hexToBytes, bytesToHex, jcsCanonicalize, MAX_TIMESTAMP_AGE_MS, MAX_FUTURE_TIMESTAMP_MS, } from "./crypto/ink.js";
 export { signMessage, verifyMessage } from "./crypto/sign.js";
 export { verifyInkSignatureWithKeys } from "./crypto/multi-key-verify.js";
-export { generateKeypair, generateEncryptionKeypair, deriveAgentId, encodePublicKeyMultibase, encodeEncryptionKeyMultibase, decodePublicKeyMultibase, decodeEncryptionKeyMultibase, extractPublicKeyFromAgentId, } from "./crypto/keys.js";
+export { generateKeypair, generateEncryptionKeypair, deriveAgentId, encodePublicKeyMultibase, encodeEncryptionKeyMultibase, decodePublicKeyMultibase, decodeEncryptionKeyMultibase, extractPublicKeyFromAgentId, canonicalAgentPrincipal, AGENT_ID_KEY_PREFIXES, } from "./crypto/keys.js";
 export { fetchAgentCard, extractCandidateKeys, resolveBaseUrl, } from "./discovery/agent-card.js";
 export { verifyInkAuth, type NonceStore } from "./middleware/ink-auth.js";
 export { verifyInclusionReceipt, verifyAuditQueryResponse, type InclusionReceipt, type InclusionReceiptVerifyResult, type AuditQueryResponse, type AuditQueryResponseVerifyResult, type VerifyStep, } from "./audit/inclusion-receipt.js";
 export { HandshakeBudgetTracker } from "./ink/handshake-budget.js";
-export { buildReceipt, shouldSendReceipt, sendReceiptFireAndForget, } from "./ink/receipts.js";
+export { buildReceipt, verifyReceipt, shouldSendReceipt, sendReceiptFireAndForget, } from "./ink/receipts.js";
 export { resolveEffectiveTransports, checkTransportAllowed, } from "./ink/transport-auth.js";
 export { buildRedactedCard, shouldRedactOnGet, AgentCardQuerySchema, } from "./ink/discovery-gating.js";
-export { parseCheckpoint, formatCheckpoint, } from "./ink/checkpoint.js";
+export { parseCheckpoint, formatCheckpoint, verifyCheckpoint, } from "./ink/checkpoint.js";
 export type { CheckpointData } from "./ink/checkpoint.js";
 export { InkAuditEventTypeSchema, InkAuditEventSchema, InkAuditInclusionSchema, InkReceiptSchema, InkAuditQuerySchema, InkIntroductionReceiptSchema, } from "./models/ink-audit.js";
 export type { InkAuditEventType, InkAuditEvent, InkAuditInclusion, InkReceipt, InkAuditQuery, InkAuditResponse, InkIntroductionReceiptStatus, } from "./models/ink-audit.js";

package/dist/index.js

@@ -4,7 +4,7 @@
 export { signInkMessage, verifyInkSignature, buildSignatureBase, buildAuthHeader, computeMessageHash, computeEventHash, computeAuditMerkleLeafHash, signAuditEvent, verifyAuditEventSignature, signAuditResponse, verifyAuditResponseSignature, verifyAuditEventChain, signAuditQueryResponse, verifyAuditQueryResponseSignature, encryptInkPayload, decryptInkPayload, checkReplay, base64urlEncode, base64urlDecode, hexToBytes, bytesToHex, jcsCanonicalize, MAX_TIMESTAMP_AGE_MS, MAX_FUTURE_TIMESTAMP_MS, } from "./crypto/ink.js";
 export { signMessage, verifyMessage } from "./crypto/sign.js";
 export { verifyInkSignatureWithKeys } from "./crypto/multi-key-verify.js";
-export { generateKeypair, generateEncryptionKeypair, deriveAgentId, encodePublicKeyMultibase, encodeEncryptionKeyMultibase, decodePublicKeyMultibase, decodeEncryptionKeyMultibase, extractPublicKeyFromAgentId, } from "./crypto/keys.js";
+export { generateKeypair, generateEncryptionKeypair, deriveAgentId, encodePublicKeyMultibase, encodeEncryptionKeyMultibase, decodePublicKeyMultibase, decodeEncryptionKeyMultibase, extractPublicKeyFromAgentId, canonicalAgentPrincipal, AGENT_ID_KEY_PREFIXES, } from "./crypto/keys.js";
 // Discovery: Agent Card fetch + candidate-key extraction
 export { fetchAgentCard, extractCandidateKeys, resolveBaseUrl, } from "./discovery/agent-card.js";
 // Middleware: transport-level INK auth
@@ -13,14 +13,14 @@ export { verifyInkAuth } from "./middleware/ink-auth.js";
 export { verifyInclusionReceipt, verifyAuditQueryResponse, } from "./audit/inclusion-receipt.js";
 // Optional containment / governance primitives
 export { HandshakeBudgetTracker } from "./ink/handshake-budget.js";
-// Receipts: build and send INK delivery receipts
-export { buildReceipt, shouldSendReceipt, sendReceiptFireAndForget, } from "./ink/receipts.js";
+// Receipts: build, verify, and send INK delivery receipts
+export { buildReceipt, verifyReceipt, shouldSendReceipt, sendReceiptFireAndForget, } from "./ink/receipts.js";
 // Transport-auth: token-level transport allowlist for extension tokens
 export { resolveEffectiveTransports, checkTransportAllowed, } from "./ink/transport-auth.js";
 // Discovery-gating: visibility-aware Agent Card redaction
 export { buildRedactedCard, shouldRedactOnGet, AgentCardQuerySchema, } from "./ink/discovery-gating.js";
-// Checkpoint parsing for transparency-log signed checkpoints
-export { parseCheckpoint, formatCheckpoint, } from "./ink/checkpoint.js";
+// Checkpoint parsing and signature verification for transparency-log checkpoints
+export { parseCheckpoint, formatCheckpoint, verifyCheckpoint, } from "./ink/checkpoint.js";
 // Audit event schemas + types for receipts, query, inclusion proofs
 export { InkAuditEventTypeSchema, InkAuditEventSchema, InkAuditInclusionSchema, InkReceiptSchema, InkAuditQuerySchema, InkIntroductionReceiptSchema, } from "./models/ink-audit.js";
 // Handshake message schemas

package/dist/ink/checkpoint.d.ts

@@ -17,3 +17,24 @@ export interface CheckpointData {
 export declare function formatCheckpoint(data: CheckpointData): string;
 /** Parse a checkpoint body. Returns null if invalid. */
 export declare function parseCheckpoint(body: string): CheckpointData | null;
+/**
+ * Verify a signed checkpoint and return its parsed body, or `null` if the
+ * signature, origin, or format is invalid.
+ *
+ * The signed form is the C2SP-style note used by the INK witness:
+ *
+ *   <origin>\n<treeSize>\n<rootHash>\n\n-- <origin> <base64url(sig)>\n
+ *
+ * The Ed25519 signature covers the body bytes `<origin>\n<treeSize>\n<rootHash>`
+ * exactly (no trailing newline), so the `origin` first line is the domain
+ * separator binding the signed bytes to this log. Verification REQUIRES the
+ * caller's `expectedOrigin`: a checkpoint whose body origin, or whose matching
+ * signature-line origin, is not `expectedOrigin` is rejected, so a witness that
+ * operates several logs (or an attacker replaying another log's signed
+ * checkpoint) cannot substitute a different tree. This is the authenticated
+ * input that anti-rollback / freshness checks MUST consume; an unverified
+ * checkpoint body provides no security.
+ *
+ * Verification uses RFC 8032 strict mode (small-order keys rejected).
+ */
+export declare function verifyCheckpoint(signed: string, witnessPublicKey: Uint8Array, expectedOrigin: string): Promise<CheckpointData | null>;

package/dist/ink/checkpoint.js

@@ -2,6 +2,8 @@
  * INK Checkpoint formatting (C2SP tlog-checkpoint compatible).
  * Used for the public checkpoint endpoint (INK Auditability §7.7).
  */
+import * as ed from "@noble/ed25519";
+import { base64urlDecode } from "../crypto/ink.js";
 /**
  * Format a checkpoint body per C2SP tlog-checkpoint spec:
  *   line 1: origin (log identity)
@@ -67,3 +69,80 @@ export function parseCheckpoint(body) {
         return null;
     return { origin, treeSize, rootHash };
 }
+/** A signed checkpoint is the 3-line body, a blank line, then one or more
+ *  signature lines, plus a trailing newline. Bound the whole thing so an
+ *  attacker-supplied blob cannot drive large scans before rejection. */
+const MAX_SIGNED_CHECKPOINT_BODY = 4096;
+/** Cap the number of cosignature lines a verifier will scan. */
+const MAX_CHECKPOINT_SIGNATURES = 8;
+/**
+ * Verify a signed checkpoint and return its parsed body, or `null` if the
+ * signature, origin, or format is invalid.
+ *
+ * The signed form is the C2SP-style note used by the INK witness:
+ *
+ *   <origin>\n<treeSize>\n<rootHash>\n\n-- <origin> <base64url(sig)>\n
+ *
+ * The Ed25519 signature covers the body bytes `<origin>\n<treeSize>\n<rootHash>`
+ * exactly (no trailing newline), so the `origin` first line is the domain
+ * separator binding the signed bytes to this log. Verification REQUIRES the
+ * caller's `expectedOrigin`: a checkpoint whose body origin, or whose matching
+ * signature-line origin, is not `expectedOrigin` is rejected, so a witness that
+ * operates several logs (or an attacker replaying another log's signed
+ * checkpoint) cannot substitute a different tree. This is the authenticated
+ * input that anti-rollback / freshness checks MUST consume; an unverified
+ * checkpoint body provides no security.
+ *
+ * Verification uses RFC 8032 strict mode (small-order keys rejected).
+ */
+export async function verifyCheckpoint(signed, witnessPublicKey, expectedOrigin) {
+    if (typeof signed !== "string" || signed.length === 0 || signed.length > MAX_SIGNED_CHECKPOINT_BODY) {
+        return null;
+    }
+    if (!(witnessPublicKey instanceof Uint8Array) || witnessPublicKey.length !== 32) {
+        return null;
+    }
+    if (typeof expectedOrigin !== "string" || expectedOrigin.length === 0 || expectedOrigin.length > MAX_CHECKPOINT_LINE) {
+        return null;
+    }
+    const SEP = "\n\n-- ";
+    const idx = signed.indexOf(SEP);
+    if (idx === -1)
+        return null;
+    const body = signed.slice(0, idx); // <origin>\n<treeSize>\n<rootHash>
+    const data = parseCheckpoint(body + "\n");
+    if (!data)
+        return null;
+    // Bind the body's own origin to the caller's expectation before any crypto.
+    if (data.origin !== expectedOrigin)
+        return null;
+    // Signature block starts at the "-- " that began the separator.
+    const sigBlock = signed.slice(idx + 2);
+    const sigLines = sigBlock.split("\n").filter((l) => l.length > 0);
+    if (sigLines.length === 0 || sigLines.length > MAX_CHECKPOINT_SIGNATURES)
+        return null;
+    const bodyBytes = new TextEncoder().encode(body);
+    for (const line of sigLines) {
+        if (!line.startsWith("-- "))
+            return null; // any malformed signature line is fatal
+        const rest = line.slice(3);
+        const sp = rest.indexOf(" ");
+        if (sp === -1)
+            return null;
+        const lineOrigin = rest.slice(0, sp);
+        const sigB64 = rest.slice(sp + 1);
+        if (lineOrigin !== expectedOrigin)
+            continue; // a cosigner whose key we were not given
+        try {
+            const sig = base64urlDecode(sigB64);
+            if (sig.length !== 64)
+                return null;
+            const ok = await ed.verifyAsync(sig, bodyBytes, witnessPublicKey, { zip215: false });
+            return ok ? data : null; // a matching-origin signature that fails verification is fatal
+        }
+        catch {
+            return null;
+        }
+    }
+    return null; // no signature line for the expected origin
+}

package/dist/ink/discovery-gating.js

@@ -66,16 +66,16 @@ export function buildRedactedCard(card) {
 export const AgentCardQuerySchema = z.object({
     protocol: z.literal("ink/0.1"),
     type: z.literal("network.tulpa.agent_card_query"),
-    from: z.string(),
-    nonce: z.string(),
+    from: z.string().max(512),
+    nonce: z.string().max(256),
     timestamp: z.string().datetime(),
-    requestedFields: z.array(z.string()).optional(),
+    requestedFields: z.array(z.string().max(64)).max(32).optional(),
 });
 export const AgentCardResponseSchema = z.object({
     protocol: z.literal("ink/0.1"),
     type: z.literal("network.tulpa.agent_card_response"),
     card: AgentCardSchema,
-    grantedFields: z.array(z.string()),
+    grantedFields: z.array(z.string().max(64)).max(32),
     timestamp: z.string().datetime(),
 });
 export const AgentCardDeniedSchema = z.object({

package/dist/ink/receipts.d.ts

@@ -1,4 +1,4 @@
-import type { InkReceipt } from "../models/ink-audit.js";
+import { type InkReceipt } from "../models/ink-audit.js";
 export interface BuildReceiptInput {
     from: string;
     to: string;
@@ -10,6 +10,38 @@ export interface BuildReceiptInput {
 }
 /** Build a signed INK receipt envelope. */
 export declare function buildReceipt(input: BuildReceiptInput): Promise<InkReceipt>;
+export interface VerifyReceiptResult {
+    valid: boolean;
+    /** Machine-readable reason when `valid` is false. */
+    reason?: string;
+}
+/**
+ * Verify an INK receipt against the message it claims to acknowledge.
+ *
+ * Checks all the bindings a hand-rolled verifier commonly forgets: the
+ * receipt's Ed25519 signature against the issuer's (`from`) key, that `from`,
+ * `to` and `messageId` equal the expected values, and that `messageHash`
+ * equals the hash of the exact message body that was sent (recomputed here,
+ * not trusted from the receipt). A receipt that passes proves the named
+ * counterparty acknowledged that specific message; nothing weaker should be
+ * treated as proof of delivery.
+ */
+export declare function verifyReceipt(opts: {
+    receipt: unknown;
+    /** Raw 32-byte Ed25519 public key of the issuer (the receipt's `from`). */
+    senderPublicKey: Uint8Array;
+    expected: {
+        from: string;
+        to: string;
+        messageId: string;
+        messageBody: Record<string, unknown>;
+        /** When set, require the receipt to acknowledge this specific disposition
+         *  (e.g. "delivered"). The disposition is covered by the signature, but
+         *  without this a signed receipt for a different state would still pass, so
+         *  callers proving a specific delivery state MUST pin it. */
+        disposition?: InkReceipt["disposition"];
+    };
+}): Promise<VerifyReceiptResult>;
 export declare function shouldSendReceipt(intentOrType: string): boolean;
 export interface SendReceiptOptions {
     /** Allow endpoints whose hostname is loopback / private / link-local /

package/dist/ink/receipts.js

@@ -1,6 +1,7 @@
 import { computeMessageHash, signInkMessage, buildAuthHeader } from "../crypto/ink.js";
-import { signMessage } from "../crypto/sign.js";
+import { signMessage, verifyMessage } from "../crypto/sign.js";
 import { isPrivateHostname } from "../discovery/agent-card.js";
+import { InkReceiptSchema } from "../models/ink-audit.js";
 /** Build a signed INK receipt envelope. */
 export async function buildReceipt(input) {
     if (input === null || typeof input !== "object" || Array.isArray(input)) {
@@ -28,6 +29,49 @@ export async function buildReceipt(input) {
     const signature = await signMessage(unsigned, input.privateKey);
     return { ...unsigned, signature };
 }
+/**
+ * Verify an INK receipt against the message it claims to acknowledge.
+ *
+ * Checks all the bindings a hand-rolled verifier commonly forgets: the
+ * receipt's Ed25519 signature against the issuer's (`from`) key, that `from`,
+ * `to` and `messageId` equal the expected values, and that `messageHash`
+ * equals the hash of the exact message body that was sent (recomputed here,
+ * not trusted from the receipt). A receipt that passes proves the named
+ * counterparty acknowledged that specific message; nothing weaker should be
+ * treated as proof of delivery.
+ */
+export async function verifyReceipt(opts) {
+    const parsed = InkReceiptSchema.safeParse(opts.receipt);
+    if (!parsed.success)
+        return { valid: false, reason: "malformed_receipt" };
+    const receipt = parsed.data;
+    const { senderPublicKey, expected } = opts;
+    if (!(senderPublicKey instanceof Uint8Array) || senderPublicKey.length !== 32) {
+        return { valid: false, reason: "invalid_public_key" };
+    }
+    if (receipt.from !== expected.from)
+        return { valid: false, reason: "from_mismatch" };
+    if (receipt.to !== expected.to)
+        return { valid: false, reason: "to_mismatch" };
+    if (receipt.messageId !== expected.messageId)
+        return { valid: false, reason: "message_id_mismatch" };
+    if (expected.disposition !== undefined && receipt.disposition !== expected.disposition) {
+        return { valid: false, reason: "disposition_mismatch" };
+    }
+    let expectedHash;
+    try {
+        expectedHash = await computeMessageHash(expected.messageBody);
+    }
+    catch {
+        return { valid: false, reason: "message_hash_error" };
+    }
+    if (receipt.messageHash !== expectedHash)
+        return { valid: false, reason: "message_hash_mismatch" };
+    const sigOk = await verifyMessage(receipt, senderPublicKey);
+    if (!sigOk)
+        return { valid: false, reason: "invalid_signature" };
+    return { valid: true };
+}
 /** Loop prevention: don't send receipts for receipts or audit messages. */
 const NO_RECEIPT_TYPES = new Set([
     "network.tulpa.receipt",

package/dist/middleware/ink-auth.d.ts

@@ -60,6 +60,7 @@ export declare function verifyInkAuth(opts: {
 }): Promise<{
     valid: true;
     senderAgentId: string;
+    principal: string;
     keyId?: string;
     keyStatus?: KeyStatus;
 } | {

package/dist/middleware/ink-auth.js

@@ -1,5 +1,5 @@
 import { verifyInkSignature, MAX_TIMESTAMP_AGE_MS, MAX_FUTURE_TIMESTAMP_MS } from "../crypto/ink.js";
-import { extractPublicKeyFromAgentId } from "../crypto/keys.js";
+import { extractPublicKeyFromAgentId, canonicalAgentPrincipal } from "../crypto/keys.js";
 import { verifyInkSignatureWithKeys } from "../crypto/multi-key-verify.js";
 /**
  * Parse and verify an INK-Ed25519 Authorization header.
@@ -33,8 +33,10 @@ export async function verifyInkAuth(opts) {
     }
     // Ed25519 signatures are exactly 86 base64url chars — tighten the regex to
     // {86} so clearly-wrong lengths get rejected up front, rather than burning
-    // CPU on verifyInkSignature for a malformed value.
-    const match = opts.authHeader.match(/^INK-Ed25519\s+([A-Za-z0-9_-]{86})(?:\s+keyId=([A-Za-z0-9_:.-]{1,128}))?$/);
+    // CPU on verifyInkSignature for a malformed value. Single literal spaces
+    // match the spec grammar and buildAuthHeader's output; `\s` would let
+    // CR/LF/TAB into a parsed header value.
+    const match = opts.authHeader.match(/^INK-Ed25519 ([A-Za-z0-9_-]{86})(?: keyId=([A-Za-z0-9_:.-]{1,128}))?$/);
     if (!match) {
         return { valid: false, error: "invalid_auth_scheme" };
     }
@@ -172,6 +174,7 @@ export async function verifyInkAuth(opts) {
                     return {
                         valid: true,
                         senderAgentId: senderDid,
+                        principal: canonicalAgentPrincipal(senderDid),
                         keyId: result.keyId,
                         keyStatus: result.keyStatus,
                     };
@@ -206,7 +209,7 @@ export async function verifyInkAuth(opts) {
         const noncePass = await recordNonce();
         if (!noncePass.ok)
             return { valid: false, error: noncePass.error };
-        return { valid: true, senderAgentId: senderDid };
+        return { valid: true, senderAgentId: senderDid, principal: canonicalAgentPrincipal(senderDid) };
     }
     catch {
         return { valid: false, error: "signature_verification_failed" };

package/dist/models/agent-card.js

@@ -5,17 +5,17 @@ import { ProfileSnapshotSchema } from "./profile.js";
 import { KeyEntrySchema } from "./key-entry.js";
 import { InkTransportSchema, AgentCardVisibilitySchema } from "./ink-handshake.js";
 export const ThirdPartyAuditServiceSchema = z.object({
-    endpoint: z.string().url(),
-    did: z.string(),
-    publicKey: z.string(),
+    endpoint: z.string().max(2048).url(),
+    did: z.string().max(512),
+    publicKey: z.string().max(256),
 });
 export const AgentCardSchema = z.object({
     protocol: z.literal("ink/0.1"),
-    agentId: z.string(),
-    ownerDid: z.string().optional(),
-    ownerHandle: z.string().optional(),
-    atprotoRecordUri: z.string().optional(),
-    handle: z.string(),
+    agentId: z.string().max(512),
+    ownerDid: z.string().max(512).optional(),
+    ownerHandle: z.string().max(256).optional(),
+    atprotoRecordUri: z.string().max(2048).optional(),
+    handle: z.string().max(256),
     displayName: z.string().max(200),
     /**
      * Inbound message endpoint URL. Required.
@@ -27,36 +27,36 @@ export const AgentCardSchema = z.object({
      * MAY emit `inboxEndpoint` alongside it. The runtime helper
      * `resolveAgentInbox(card)` returns whichever value is present.
      */
-    endpoint: z.string().url(),
-    inboxEndpoint: z.string().url().optional(),
-    publicKeyMultibase: z.string().startsWith("z"),
+    endpoint: z.string().max(2048).url(),
+    inboxEndpoint: z.string().max(2048).url().optional(),
+    publicKeyMultibase: z.string().startsWith("z").max(128),
     // (other fields below; the `inboxEndpoint === endpoint` invariant
     // is enforced by the .superRefine() at the bottom of this schema.)
     profileSnapshot: ProfileSnapshotSchema.optional(),
     capabilities: z.object({
-        intentsAccepted: z.array(IntentTypeSchema),
-        intentsSent: z.array(IntentTypeSchema),
+        intentsAccepted: z.array(IntentTypeSchema).max(32),
+        intentsSent: z.array(IntentTypeSchema).max(32),
         receipts: z.object({
             send: z.boolean(),
-            dispositions: z.array(InkReceiptDispositionSchema),
+            dispositions: z.array(InkReceiptDispositionSchema).max(16),
         }).optional(),
         auditExchange: z.boolean().optional(),
         thirdPartyAudit: z.object({
-            services: z.array(ThirdPartyAuditServiceSchema),
+            services: z.array(ThirdPartyAuditServiceSchema).max(16),
             submitPolicy: z.enum(["all", "high_value", "none"]),
         }).optional(),
     }),
     availability: z.object({
-        timezone: z.string(),
-        meetingHours: z.string().optional(),
-        responseSla: z.string().optional(),
+        timezone: z.string().max(64),
+        meetingHours: z.string().max(200).optional(),
+        responseSla: z.string().max(200).optional(),
     }),
     keys: z.object({
-        signing: z.array(KeyEntrySchema),
-        encryption: z.array(KeyEntrySchema),
+        signing: z.array(KeyEntrySchema).max(32),
+        encryption: z.array(KeyEntrySchema).max(32),
     }).optional(),
-    currentSigningKeyId: z.string().optional(),
-    currentEncryptionKeyId: z.string().optional(),
+    currentSigningKeyId: z.string().max(128).optional(),
+    currentEncryptionKeyId: z.string().max(128).optional(),
     keySetVersion: z.number().int().positive().optional(),
     // Message protocol versions this agent's receiver can verify on the
     // body signature. When absent, assume ink/0.1 only. A sender MUST NOT

package/dist/models/ink-audit.js

@@ -60,18 +60,18 @@ export const InkAuditEventTypeSchema = z.enum([
 ]);
 // ── INK Audit Event (hash-chained, signed) ──
 export const InkAuditEventSchema = z.object({
-    id: z.string().min(1),
+    id: z.string().min(1).max(256),
     version: z.literal("ink-audit/1"),
-    agentId: z.string().min(1),
-    agentSignature: z.string().min(1),
+    agentId: z.string().min(1).max(512),
+    agentSignature: z.string().min(1).max(256),
     sequence: z.number().int().positive(),
     previousEventHash: z.string().regex(/^[0-9a-f]{64}$/).nullable(),
     eventType: InkAuditEventTypeSchema,
     timestamp: z.string().datetime(),
-    messageId: z.string().min(1).optional(),
-    correlationId: z.string().min(1).optional(),
-    counterpartyId: z.string().min(1).optional(),
-    signingKeyId: z.string().min(1).optional(),
+    messageId: z.string().min(1).max(256).optional(),
+    correlationId: z.string().min(1).max(256).optional(),
+    counterpartyId: z.string().min(1).max(512).optional(),
+    signingKeyId: z.string().min(1).max(128).optional(),
     data: z.record(z.string(), z.unknown()).optional(),
 });
 // ── Receipt (INK Auditability §1) ──
@@ -85,34 +85,38 @@ export const InkReceiptDispositionSchema = z.enum([
 export const InkReceiptSchema = z.object({
     protocol: z.literal("ink/0.1"),
     type: z.literal("network.tulpa.receipt"),
-    from: z.string(),
-    to: z.string(),
-    messageId: z.string(),
+    from: z.string().max(512),
+    to: z.string().max(512),
+    messageId: z.string().max(256),
     disposition: InkReceiptDispositionSchema,
     dispositionAt: z.string().datetime(),
     note: z.string().max(500).optional(),
-    messageHash: z.string(),
-    nonce: z.string(),
+    messageHash: z.string().max(256),
+    nonce: z.string().max(256),
     timestamp: z.string().datetime(),
-    signature: z.string(),
+    signature: z.string().max(256),
 });
 // ── Audit Query (INK Auditability §3) ──
 export const InkAuditQuerySchema = z.object({
     protocol: z.literal("ink/0.1"),
     type: z.literal("network.tulpa.audit_query"),
-    from: z.string(),
-    to: z.string(),
-    messageId: z.string(),
-    nonce: z.string(),
+    from: z.string().max(512),
+    to: z.string().max(512),
+    messageId: z.string().max(256),
+    nonce: z.string().max(256),
     timestamp: z.string().datetime(),
 });
 // ── Audit Response (INK Auditability §3) ──
 export const InkAuditResponseSchema = z.object({
     protocol: z.literal("ink/0.1"),
     type: z.literal("network.tulpa.audit_response"),
-    messageId: z.string(),
-    events: z.array(InkAuditEventSchema),
-    responseSignature: z.string(),
+    messageId: z.string().max(256),
+    // Bound both the event count and (via InkAuditEventSchema's per-field caps)
+    // each event, so an audit response from an untrusted witness cannot force
+    // unbounded buffering. A single response that needs more than this should
+    // page rather than return one giant array.
+    events: z.array(InkAuditEventSchema).max(1000),
+    responseSignature: z.string().max(256),
 });
 // ── Third-Party Audit Submit (INK Auditability §7.2) ──
 export const InkAuditSubmitSchema = z.object({
@@ -128,10 +132,10 @@ export const InkAuditSubmitSchema = z.object({
 export const InkAuditInclusionSchema = z.object({
     protocol: z.literal("ink/0.1"),
     type: z.literal("network.tulpa.audit_inclusion"),
-    eventId: z.string(),
+    eventId: z.string().max(256),
     treeSize: z.number().int().positive(),
     leafIndex: z.number().int().min(0),
-    rootHash: z.string(),
+    rootHash: z.string().max(128),
     /** Optional Merkle inclusion proof — array of 64-character lowercase hex
      *  hash siblings on the path from the leaf to the root. Consumers that
      *  verify proofs (third-party auditor clients) read this field; consumers
@@ -141,7 +145,7 @@ export const InkAuditInclusionSchema = z.object({
      *  force the parser to allocate megabytes of garbage proof data. */
     inclusionProof: z.array(z.string().regex(/^[0-9a-f]{64}$/)).max(64).optional(),
     timestamp: z.string().datetime(),
-    serviceSignature: z.string(),
+    serviceSignature: z.string().max(256),
 });
 // ── Introduction Receipt (INK Introduction Receipts Extension §4) ──
 export const InkIntroductionReceiptStatusSchema = z.enum([
@@ -154,22 +158,22 @@ export const InkIntroductionReceiptStatusSchema = z.enum([
 export const InkIntroductionReceiptSchema = z.object({
     protocol: z.literal("ink/0.1"),
     type: z.literal("network.tulpa.introduction_receipt"),
-    id: z.string(),
-    correlationId: z.string(),
-    from: z.string(),
-    to: z.string(),
-    requesterDid: z.string(),
-    introducerDid: z.string(),
-    beneficiaryDid: z.string(),
-    targetDid: z.string(),
+    id: z.string().max(256),
+    correlationId: z.string().max(256),
+    from: z.string().max(512),
+    to: z.string().max(512),
+    requesterDid: z.string().max(512),
+    introducerDid: z.string().max(512),
+    beneficiaryDid: z.string().max(512),
+    targetDid: z.string().max(512),
     status: InkIntroductionReceiptStatusSchema,
     purpose: z.string().min(1).max(500),
-    nonce: z.string(),
+    nonce: z.string().max(256),
     timestamp: z.string().datetime(),
-    relatedIntentId: z.string().optional(),
-    relatedResolutionId: z.string().optional(),
+    relatedIntentId: z.string().max(256).optional(),
+    relatedResolutionId: z.string().max(256).optional(),
     note: z.string().max(500).optional(),
-    contextHash: z.string().optional(),
-    authorizationChainRef: z.string().optional(),
+    contextHash: z.string().max(256).optional(),
+    authorizationChainRef: z.string().max(512).optional(),
     expiresAt: z.string().datetime().optional(),
 });

package/dist/models/ink-handshake.js

@@ -32,12 +32,12 @@ export const ChallengeTypeSchema = z.enum([
 export const InkChallengeSchema = z.object({
     protocol: z.literal("ink/0.1"),
     type: z.literal("network.tulpa.challenge"),
-    intentRef: z.string(),
+    intentRef: z.string().max(256),
     challengeType: ChallengeTypeSchema,
-    fields: z.array(z.string()).optional(),
-    availableWindows: z.array(z.string()).optional(),
-    contextFields: z.array(z.string()).optional(),
-    nonce: z.string(),
+    fields: z.array(z.string().max(256)).max(32).optional(),
+    availableWindows: z.array(z.string().max(64)).max(32).optional(),
+    contextFields: z.array(z.string().max(256)).max(32).optional(),
+    nonce: z.string().max(256),
     timestamp: z.string().datetime(),
 });
 // ── Rejection (network.tulpa.rejection) — Stage 2b ──
@@ -58,12 +58,12 @@ export const RejectionReasonSchema = z.enum([
 export const InkRejectionSchema = z.object({
     protocol: z.literal("ink/0.1"),
     type: z.literal("network.tulpa.rejection"),
-    intentRef: z.string(),
+    intentRef: z.string().max(256),
     reason: RejectionReasonSchema,
     detail: z.string().max(500).optional(),
-    retryAfter: z.string().optional(),
+    retryAfter: z.string().max(64).optional(),
     backoffHint: InkBackoffHintSchema.optional(),
-    nonce: z.string(),
+    nonce: z.string().max(256),
     timestamp: z.string().datetime(),
 });
 // ── Resolution (network.tulpa.resolution) — Stage 3 ──
@@ -74,16 +74,16 @@ export const ResolutionOutcomeSchema = z.enum([
     "expired",
 ]);
 export const ResolutionDetailsSchema = z.object({
-    scheduledAt: z.string().optional(),
-    duration: z.string().optional(),
+    scheduledAt: z.string().max(64).optional(),
+    duration: z.string().max(64).optional(),
 }).passthrough();
 export const InkResolutionSchema = z.object({
     protocol: z.literal("ink/0.1"),
     type: z.literal("network.tulpa.resolution"),
-    intentRef: z.string(),
+    intentRef: z.string().max(256),
     outcome: ResolutionOutcomeSchema,
     details: ResolutionDetailsSchema.optional(),
-    counterpartyDid: z.string().optional(),
-    nonce: z.string(),
+    counterpartyDid: z.string().max(512).optional(),
+    nonce: z.string().max(256),
     timestamp: z.string().datetime(),
 });

package/dist/models/intent.d.ts

@@ -223,14 +223,14 @@ export declare const MessageProvenanceSchema: z.ZodOptional<z.ZodObject<{
  */
 export declare const INK_PROTOCOL_VERSIONS: readonly ["ink/0.1", "ink/0.2"];
 export declare const ProtocolVersionSchema: z.ZodEnum<{
-    "ink/0.1": "ink/0.1";
     "ink/0.2": "ink/0.2";
+    "ink/0.1": "ink/0.1";
 }>;
 export type ProtocolVersion = z.infer<typeof ProtocolVersionSchema>;
 export declare const MessageEnvelopeSchema: z.ZodObject<{
     protocol: z.ZodEnum<{
-        "ink/0.1": "ink/0.1";
         "ink/0.2": "ink/0.2";
+        "ink/0.1": "ink/0.1";
     }>;
     id: z.ZodString;
     correlationId: z.ZodString;