@certrev/cert-block 0.1.0 → 0.1.1

package/dist/contract/fixtures.d.ts

@@ -16,7 +16,7 @@
  * end-to-end under the production `verifyEnvelope`, not a stand-in canonicalizer.
  */
 import { type KeyObject } from 'node:crypto';
-import { type CertDeliveryEnvelope, type CertPayload, type ResolvePublicKeyByKid } from '@certrev/cert-contract';
+import type { CertDeliveryEnvelope, CertPayload, ResolvePublicKeyByKid } from '@certrev/cert-contract';
 declare const FIXTURE_KID = "certrev-fixture-key-1";
 /** Build a complete mock payload. Pass overrides to exercise specific render branches. */
 export declare function makeMockPayload(overrides?: Partial<CertPayload>): CertPayload;

package/dist/contract/fixtures.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"fixtures.d.ts","sourceRoot":"","sources":["../../src/contract/fixtures.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAuB,KAAK,SAAS,EAAoB,MAAM,aAAa,CAAA;AACnF,OAAO,EAEN,KAAK,oBAAoB,EACzB,KAAK,WAAW,EAEhB,KAAK,qBAAqB,EAC1B,MAAM,wBAAwB,CAAA;AAE/B,QAAA,MAAM,WAAW,0BAA0B,CAAA;AAE3C,0FAA0F;AAC1F,wBAAgB,eAAe,CAAC,SAAS,GAAE,OAAO,CAAC,WAAW,CAAM,GAAG,WAAW,CA4CjF;AAED,MAAM,WAAW,qBAAqB;IACrC,QAAQ,CAAC,QAAQ,EAAE,oBAAoB,CAAA;IACvC,QAAQ,CAAC,UAAU,EAAE,qBAAqB,CAAA;IAC1C,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAA;IAC7B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;CACpB;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,GAAE,OAAO,CAAC,WAAW,CAAM,EAAE,GAAG,SAAc,GAAG,qBAAqB,CAgBjH;AAED,OAAO,EAAE,WAAW,EAAE,CAAA"}
+{"version":3,"file":"fixtures.d.ts","sourceRoot":"","sources":["../../src/contract/fixtures.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAuB,KAAK,SAAS,EAAE,MAAM,aAAa,CAAA;AACjE,OAAO,KAAK,EACX,oBAAoB,EACpB,WAAW,EAEX,qBAAqB,EACrB,MAAM,wBAAwB,CAAA;AAM/B,QAAA,MAAM,WAAW,0BAA0B,CAAA;AAE3C,0FAA0F;AAC1F,wBAAgB,eAAe,CAAC,SAAS,GAAE,OAAO,CAAC,WAAW,CAAM,GAAG,WAAW,CA4CjF;AAED,MAAM,WAAW,qBAAqB;IACrC,QAAQ,CAAC,QAAQ,EAAE,oBAAoB,CAAA;IACvC,QAAQ,CAAC,UAAU,EAAE,qBAAqB,CAAA;IAC1C,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAA;IAC7B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;CACpB;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,GAAE,OAAO,CAAC,WAAW,CAAM,EAAE,GAAG,SAAc,GAAG,qBAAqB,CAiBjH;AAED,OAAO,EAAE,WAAW,EAAE,CAAA"}

package/dist/contract/fixtures.js

@@ -15,8 +15,11 @@
  * the SAME bytes the real kernel recomputes on verify — so a fixture envelope verifies
  * end-to-end under the production `verifyEnvelope`, not a stand-in canonicalizer.
  */
-import { generateKeyPairSync, sign as nodeSign } from 'node:crypto';
-import { canonicalPayloadBytes, } from '@certrev/cert-contract';
+import { generateKeyPairSync } from 'node:crypto';
+// SIGN is Node-only and lives on the contract's signer subpath. Fixtures are themselves
+// Node-only (they stand in for the issuer) and ship from the './fixtures' subpath, so the
+// SDK's edge-safe main entry never pulls a Node builtin.
+import { signPayloadEd25519 } from '@certrev/cert-contract/signer';
 const FIXTURE_KID = 'certrev-fixture-key-1';
 /** Build a complete mock payload. Pass overrides to exercise specific render branches. */
 export function makeMockPayload(overrides = {}) {
@@ -72,8 +75,9 @@ export function makeMockPayload(overrides = {}) {
 export function makeSignedEnvelope(overrides = {}, kid = FIXTURE_KID) {
     const { publicKey, privateKey } = generateKeyPairSync('ed25519');
     const payload = makeMockPayload(overrides);
-    const bytes = canonicalPayloadBytes(payload);
-    const sig = nodeSign(null, bytes, privateKey).toString('base64url');
+    // Sign the RFC-8785 canonical bytes via the contract's signer — the SAME bytes the
+    // edge-safe kernel recomputes on verify, so the fixture verifies end-to-end.
+    const sig = signPayloadEd25519(payload, privateKey);
     const envelope = {
         payload,
         signature: { alg: 'ed25519', kid, sig, signedAt: payload.lifecycle.issuedAt },

package/dist/contract/fixtures.js.map

@@ -1 +1 @@
-{"version":3,"file":"fixtures.js","sourceRoot":"","sources":["../../src/contract/fixtures.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,mBAAmB,EAAkB,IAAI,IAAI,QAAQ,EAAE,MAAM,aAAa,CAAA;AACnF,OAAO,EACN,qBAAqB,GAKrB,MAAM,wBAAwB,CAAA;AAE/B,MAAM,WAAW,GAAG,uBAAuB,CAAA;AAE3C,0FAA0F;AAC1F,MAAM,UAAU,eAAe,CAAC,YAAkC,EAAE;IACnE,MAAM,IAAI,GAAgB;QACzB,eAAe,EAAE,CAAC;QAClB,MAAM,EAAE,kBAAkB;QAC1B,OAAO,EAAE;YACR,QAAQ,EAAE,SAAS;YACnB,UAAU,EAAE,iCAAiC;YAC7C,gBAAgB,EAAE,iBAAiB;YACnC,aAAa,EAAE,CAAC,wDAAwD,CAAC;YACzE,cAAc,EAAE,iBAAiB;YACjC,aAAa,EAAE,kEAAkE;SACjF;QACD,OAAO,EAAE;YACR,MAAM,EAAE;gBACP,WAAW,EAAE,cAAc;gBAC3B,WAAW,EAAE;oBACZ,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE,oBAAoB,EAAE;oBACtD,EAAE,YAAY,EAAE,MAAM,EAAE,QAAQ,EAAE,+CAA+C,EAAE;iBACnF;gBACD,UAAU,EAAE,sCAAsC;gBAClD,QAAQ,EAAE,8CAA8C;aACxD;YACD,MAAM,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,uBAAuB,EAAE;YAC9D,IAAI,EAAE,gJAAgJ;YACtJ,WAAW,EAAE,0BAA0B;YACvC,iBAAiB,EAAE,0BAA0B;YAC7C,SAAS,EAAE,6CAA6C;YACxD,OAAO,EAAE;gBACR,WAAW,EAAE,SAAS;gBACtB,eAAe,EAAE,IAAI;gBACrB,UAAU,EAAE,IAAI;gBAChB,QAAQ,EAAE,IAAI;gBACd,UAAU,EAAE,MAAM;aAClB;SACD;QACD,SAAS,EAAE;YACV,QAAQ,EAAE,0BAA0B;YACpC,SAAS,EAAE,0BAA0B;YACrC,SAAS,EAAE,IAAI;YACf,QAAQ,EAAE,CAAC;SACX;QACD,GAAG,SAAS;KACZ,CAAA;IACD,OAAO,IAAI,CAAA;AACZ,CAAC;AASD;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAC,YAAkC,EAAE,EAAE,GAAG,GAAG,WAAW;IACzF,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAA;IAChE,MAAM,OAAO,GAAG,eAAe,CAAC,SAAS,CAAC,CAAA;IAC1C,MAAM,KAAK,GAAG,qBAAqB,CAAC,OAAO,CAAC,CAAA;IAC5C,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,EAAE,KAAK,EAAE,UAAU,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;IAEnE,MAAM,QAAQ,GAAyB;QACtC,OAAO;QACP,SAAS,EAAE,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,OAAO,CAAC,SAAS,CAAC,QAAQ,EAAE;KAC7E,CAAA;IAED,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;IACvF,MAAM,QAAQ,GAA0B,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,UAAU,EAAE,CAAA;IACrF,MAAM,UAAU,GAA0B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAA;IAE9E,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,EAAE,CAAA;AAChD,CAAC;AAED,OAAO,EAAE,WAAW,EAAE,CAAA"}
+{"version":3,"file":"fixtures.js","sourceRoot":"","sources":["../../src/contract/fixtures.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,mBAAmB,EAAkB,MAAM,aAAa,CAAA;AAOjE,wFAAwF;AACxF,0FAA0F;AAC1F,yDAAyD;AACzD,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAA;AAElE,MAAM,WAAW,GAAG,uBAAuB,CAAA;AAE3C,0FAA0F;AAC1F,MAAM,UAAU,eAAe,CAAC,YAAkC,EAAE;IACnE,MAAM,IAAI,GAAgB;QACzB,eAAe,EAAE,CAAC;QAClB,MAAM,EAAE,kBAAkB;QAC1B,OAAO,EAAE;YACR,QAAQ,EAAE,SAAS;YACnB,UAAU,EAAE,iCAAiC;YAC7C,gBAAgB,EAAE,iBAAiB;YACnC,aAAa,EAAE,CAAC,wDAAwD,CAAC;YACzE,cAAc,EAAE,iBAAiB;YACjC,aAAa,EAAE,kEAAkE;SACjF;QACD,OAAO,EAAE;YACR,MAAM,EAAE;gBACP,WAAW,EAAE,cAAc;gBAC3B,WAAW,EAAE;oBACZ,EAAE,YAAY,EAAE,IAAI,EAAE,QAAQ,EAAE,oBAAoB,EAAE;oBACtD,EAAE,YAAY,EAAE,MAAM,EAAE,QAAQ,EAAE,+CAA+C,EAAE;iBACnF;gBACD,UAAU,EAAE,sCAAsC;gBAClD,QAAQ,EAAE,8CAA8C;aACxD;YACD,MAAM,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,KAAK,EAAE,uBAAuB,EAAE;YAC9D,IAAI,EAAE,gJAAgJ;YACtJ,WAAW,EAAE,0BAA0B;YACvC,iBAAiB,EAAE,0BAA0B;YAC7C,SAAS,EAAE,6CAA6C;YACxD,OAAO,EAAE;gBACR,WAAW,EAAE,SAAS;gBACtB,eAAe,EAAE,IAAI;gBACrB,UAAU,EAAE,IAAI;gBAChB,QAAQ,EAAE,IAAI;gBACd,UAAU,EAAE,MAAM;aAClB;SACD;QACD,SAAS,EAAE;YACV,QAAQ,EAAE,0BAA0B;YACpC,SAAS,EAAE,0BAA0B;YACrC,SAAS,EAAE,IAAI;YACf,QAAQ,EAAE,CAAC;SACX;QACD,GAAG,SAAS;KACZ,CAAA;IACD,OAAO,IAAI,CAAA;AACZ,CAAC;AASD;;;;GAIG;AACH,MAAM,UAAU,kBAAkB,CAAC,YAAkC,EAAE,EAAE,GAAG,GAAG,WAAW;IACzF,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAA;IAChE,MAAM,OAAO,GAAG,eAAe,CAAC,SAAS,CAAC,CAAA;IAC1C,mFAAmF;IACnF,6EAA6E;IAC7E,MAAM,GAAG,GAAG,kBAAkB,CAAC,OAAO,EAAE,UAAU,CAAC,CAAA;IAEnD,MAAM,QAAQ,GAAyB;QACtC,OAAO;QACP,SAAS,EAAE,EAAE,GAAG,EAAE,SAAS,EAAE,GAAG,EAAE,GAAG,EAAE,QAAQ,EAAE,OAAO,CAAC,SAAS,CAAC,QAAQ,EAAE;KAC7E,CAAA;IAED,MAAM,UAAU,GAAG,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;IACvF,MAAM,QAAQ,GAA0B,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,UAAU,EAAE,CAAA;IACrF,MAAM,UAAU,GAA0B,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAA;IAE9E,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,EAAE,CAAA;AAChD,CAAC;AAED,OAAO,EAAE,WAAW,EAAE,CAAA"}

package/dist/contract/kernel.d.ts

@@ -7,8 +7,8 @@
  * never directly from `@certrev/cert-contract`, so the whole SDK's dependency on the
  * contract is funnelled through one module. The published package owns the envelope types
  * (`CertDeliveryEnvelope`, `CertPayload`, `CertCredential`, …), the RFC-8785
- * canonicalization (`canonicalPayloadBytes`), and the fail-closed kernel (`verifyEnvelope`,
- * `renderVerdict`, `verifySignatureOnly`, `toEd25519PublicKey`).
+ * canonicalization (`canonicalPayloadBytes`), and the fail-closed WebCrypto kernel
+ * (`verifyEnvelope`, `renderVerdict`, `verifySignatureOnly`, `importEd25519PublicKey`).
  *
  * `VerdictKernel` is the ONE name NOT re-exported from the package: the contract exposes
  * the kernel as free functions, and different edges bundle them with different key-resolver

package/dist/contract/kernel.js

@@ -7,8 +7,8 @@
  * never directly from `@certrev/cert-contract`, so the whole SDK's dependency on the
  * contract is funnelled through one module. The published package owns the envelope types
  * (`CertDeliveryEnvelope`, `CertPayload`, `CertCredential`, …), the RFC-8785
- * canonicalization (`canonicalPayloadBytes`), and the fail-closed kernel (`verifyEnvelope`,
- * `renderVerdict`, `verifySignatureOnly`, `toEd25519PublicKey`).
+ * canonicalization (`canonicalPayloadBytes`), and the fail-closed WebCrypto kernel
+ * (`verifyEnvelope`, `renderVerdict`, `verifySignatureOnly`, `importEd25519PublicKey`).
  *
  * `VerdictKernel` is the ONE name NOT re-exported from the package: the contract exposes
  * the kernel as free functions, and different edges bundle them with different key-resolver

package/dist/index.d.ts

@@ -8,11 +8,16 @@
  *     graph, mergeable by @id (won't collide with Yoast).
  *   • Verify layer — `getVerifiedEnvelope` (fetch from metafield OR Delivery API + run
  *     the fail-closed VerdictKernel + cache), kid resolvers, the TTL/single-flight cache.
- *   • Contract types — re-exported from `@certrev/cert-contract` (stubbed locally until
- *     that package publishes; see the contract binding point in ./contract/kernel).
+ *   • Contract types — re-exported from `@certrev/cert-contract` (the binding point in
+ *     ./contract/kernel).
  *
- * The Web Component (`<certrev-badge>`) ships from the './webcomponent' subpath export so
- * importing the main entry doesn't touch `customElements` (which is undefined server-side).
+ * EDGE-RUNTIME SAFE. This main entry imports NO `node:crypto` and uses NO `Buffer`, so it
+ * loads + runs on edge/Workers runtimes (Shopify Oxygen, Cloudflare Workers, Vercel Edge).
+ * Two things are deliberately kept OFF this entry:
+ *   • the Web Component (`<certrev-badge>`) → './webcomponent' subpath (touches
+ *     `customElements`, undefined server-side);
+ *   • the Node-only test/dev fixtures (`makeSignedEnvelope`, which signs with `node:crypto`)
+ *     → './fixtures' subpath. Importing the main entry must never pull a Node builtin.
  */
 export { CertBadge, type CertBadgeProps } from './components/CertBadge.js';
 export { CertJsonLd, type CertJsonLdProps } from './components/CertJsonLd.js';
@@ -21,7 +26,6 @@ export { CertReview, type CertReviewProps } from './components/CertReview.js';
 export { ExpertBio, type ExpertBioProps } from './components/ExpertBio.js';
 export { escapeAttribute, escapeHtml, safeCssColor, safeHttpUrl, tidyText } from './components/escape.js';
 export { credentialSuffix, DEFAULT_ACCENT, expertNameWithCredentials, formatDate, type ResolvedDisplay, resolveDisplay, } from './components/format.js';
-export { FIXTURE_KID, makeMockPayload, makeSignedEnvelope, type SignedEnvelopeFixture } from './contract/fixtures.js';
 export { CANONICALIZATION, type CertContent, type CertCredential, type CertDeliveryEnvelope, type CertDisplayConfig, type CertLifecycle, type CertPayload, type CertSignature, type CertSubject, type CertSuppressReason, type CertVerdict, CONTRACT_VERSION, type ContractVersion, type Ed25519PublicKeyInput, type RenderContext, type ResolvePublicKeyByKid, renderVerdict, SIGNATURE_ALG, type SignatureAlg, type VerdictKernel, verifyEnvelope, verifySignatureOnly, } from './contract/kernel.js';
 export { type JsonLdValue, type ProjectJsonLdOptions, projectCertJsonLd, projectCertJsonLdString, serializeJsonLdForScript, } from './jsonld/project.js';
 export { TtlCache, type TtlCacheOptions } from './verify/cache.js';

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAGH,OAAO,EAAE,SAAS,EAAE,KAAK,cAAc,EAAE,MAAM,2BAA2B,CAAA;AAC1E,OAAO,EAAE,UAAU,EAAE,KAAK,eAAe,EAAE,MAAM,4BAA4B,CAAA;AAC7E,OAAO,EAAE,eAAe,EAAE,KAAK,oBAAoB,EAAE,MAAM,iCAAiC,CAAA;AAC5F,OAAO,EAAE,UAAU,EAAE,KAAK,eAAe,EAAE,MAAM,4BAA4B,CAAA;AAC7E,OAAO,EAAE,SAAS,EAAE,KAAK,cAAc,EAAE,MAAM,2BAA2B,CAAA;AAC1E,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AAEzG,OAAO,EACN,gBAAgB,EAChB,cAAc,EACd,yBAAyB,EACzB,UAAU,EACV,KAAK,eAAe,EACpB,cAAc,GACd,MAAM,wBAAwB,CAAA;AAE/B,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,kBAAkB,EAAE,KAAK,qBAAqB,EAAE,MAAM,wBAAwB,CAAA;AAErH,OAAO,EACN,gBAAgB,EAChB,KAAK,WAAW,EAChB,KAAK,cAAc,EACnB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,EACtB,KAAK,aAAa,EAClB,KAAK,WAAW,EAChB,KAAK,aAAa,EAClB,KAAK,WAAW,EAChB,KAAK,kBAAkB,EACvB,KAAK,WAAW,EAChB,gBAAgB,EAChB,KAAK,eAAe,EACpB,KAAK,qBAAqB,EAC1B,KAAK,aAAa,EAClB,KAAK,qBAAqB,EAC1B,aAAa,EACb,aAAa,EACb,KAAK,YAAY,EACjB,KAAK,aAAa,EAClB,cAAc,EACd,mBAAmB,GACnB,MAAM,sBAAsB,CAAA;AAE7B,OAAO,EACN,KAAK,WAAW,EAChB,KAAK,oBAAoB,EACzB,iBAAiB,EACjB,uBAAuB,EACvB,wBAAwB,GACxB,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,QAAQ,EAAE,KAAK,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAElE,OAAO,EACN,KAAK,cAAc,EACnB,KAAK,0BAA0B,EAC/B,mBAAmB,EACnB,iBAAiB,EACjB,kBAAkB,GAClB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EACN,KAAK,0BAA0B,EAC/B,mBAAmB,EACnB,KAAK,YAAY,EACjB,iBAAiB,GACjB,MAAM,yBAAyB,CAAA;AAEhC,OAAO,EAAE,KAAK,kBAAkB,EAAE,eAAe,EAAE,MAAM,qCAAqC,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAGH,OAAO,EAAE,SAAS,EAAE,KAAK,cAAc,EAAE,MAAM,2BAA2B,CAAA;AAC1E,OAAO,EAAE,UAAU,EAAE,KAAK,eAAe,EAAE,MAAM,4BAA4B,CAAA;AAC7E,OAAO,EAAE,eAAe,EAAE,KAAK,oBAAoB,EAAE,MAAM,iCAAiC,CAAA;AAC5F,OAAO,EAAE,UAAU,EAAE,KAAK,eAAe,EAAE,MAAM,4BAA4B,CAAA;AAC7E,OAAO,EAAE,SAAS,EAAE,KAAK,cAAc,EAAE,MAAM,2BAA2B,CAAA;AAC1E,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AAEzG,OAAO,EACN,gBAAgB,EAChB,cAAc,EACd,yBAAyB,EACzB,UAAU,EACV,KAAK,eAAe,EACpB,cAAc,GACd,MAAM,wBAAwB,CAAA;AAI/B,OAAO,EACN,gBAAgB,EAChB,KAAK,WAAW,EAChB,KAAK,cAAc,EACnB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,EACtB,KAAK,aAAa,EAClB,KAAK,WAAW,EAChB,KAAK,aAAa,EAClB,KAAK,WAAW,EAChB,KAAK,kBAAkB,EACvB,KAAK,WAAW,EAChB,gBAAgB,EAChB,KAAK,eAAe,EACpB,KAAK,qBAAqB,EAC1B,KAAK,aAAa,EAClB,KAAK,qBAAqB,EAC1B,aAAa,EACb,aAAa,EACb,KAAK,YAAY,EACjB,KAAK,aAAa,EAClB,cAAc,EACd,mBAAmB,GACnB,MAAM,sBAAsB,CAAA;AAE7B,OAAO,EACN,KAAK,WAAW,EAChB,KAAK,oBAAoB,EACzB,iBAAiB,EACjB,uBAAuB,EACvB,wBAAwB,GACxB,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,QAAQ,EAAE,KAAK,eAAe,EAAE,MAAM,mBAAmB,CAAA;AAElE,OAAO,EACN,KAAK,cAAc,EACnB,KAAK,0BAA0B,EAC/B,mBAAmB,EACnB,iBAAiB,EACjB,kBAAkB,GAClB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EACN,KAAK,0BAA0B,EAC/B,mBAAmB,EACnB,KAAK,YAAY,EACjB,iBAAiB,GACjB,MAAM,yBAAyB,CAAA;AAEhC,OAAO,EAAE,KAAK,kBAAkB,EAAE,eAAe,EAAE,MAAM,qCAAqC,CAAA"}

package/dist/index.js

@@ -8,11 +8,16 @@
  *     graph, mergeable by @id (won't collide with Yoast).
  *   • Verify layer — `getVerifiedEnvelope` (fetch from metafield OR Delivery API + run
  *     the fail-closed VerdictKernel + cache), kid resolvers, the TTL/single-flight cache.
- *   • Contract types — re-exported from `@certrev/cert-contract` (stubbed locally until
- *     that package publishes; see the contract binding point in ./contract/kernel).
+ *   • Contract types — re-exported from `@certrev/cert-contract` (the binding point in
+ *     ./contract/kernel).
  *
- * The Web Component (`<certrev-badge>`) ships from the './webcomponent' subpath export so
- * importing the main entry doesn't touch `customElements` (which is undefined server-side).
+ * EDGE-RUNTIME SAFE. This main entry imports NO `node:crypto` and uses NO `Buffer`, so it
+ * loads + runs on edge/Workers runtimes (Shopify Oxygen, Cloudflare Workers, Vercel Edge).
+ * Two things are deliberately kept OFF this entry:
+ *   • the Web Component (`<certrev-badge>`) → './webcomponent' subpath (touches
+ *     `customElements`, undefined server-side);
+ *   • the Node-only test/dev fixtures (`makeSignedEnvelope`, which signs with `node:crypto`)
+ *     → './fixtures' subpath. Importing the main entry must never pull a Node builtin.
  */
 // ── React components ──────────────────────────────────────────────────────────────
 export { CertBadge } from './components/CertBadge.js';
@@ -23,9 +28,9 @@ export { ExpertBio } from './components/ExpertBio.js';
 export { escapeAttribute, escapeHtml, safeCssColor, safeHttpUrl, tidyText } from './components/escape.js';
 // ── Presentation helpers (shared with the Web Component) ────────────────────────────
 export { credentialSuffix, DEFAULT_ACCENT, expertNameWithCredentials, formatDate, resolveDisplay, } from './components/format.js';
-// ── Test/dev fixtures (mock facts + signed-envelope generator) ─────────────────────
-export { FIXTURE_KID, makeMockPayload, makeSignedEnvelope } from './contract/fixtures.js';
 // ── Contract surface (types + kernel) — re-export the binding point ────────────────
+// NOTE: the test/dev fixtures (makeSignedEnvelope, makeMockPayload, FIXTURE_KID) are
+// Node-only (they sign with node:crypto) and ship from the './fixtures' subpath, NOT here.
 export { CANONICALIZATION, CONTRACT_VERSION, renderVerdict, SIGNATURE_ALG, verifyEnvelope, verifySignatureOnly, } from './contract/kernel.js';
 // ── JSON-LD projector ───────────────────────────────────────────────────────────────
 export { projectCertJsonLd, projectCertJsonLdString, serializeJsonLdForScript, } from './jsonld/project.js';

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,qFAAqF;AACrF,OAAO,EAAE,SAAS,EAAuB,MAAM,2BAA2B,CAAA;AAC1E,OAAO,EAAE,UAAU,EAAwB,MAAM,4BAA4B,CAAA;AAC7E,OAAO,EAAE,eAAe,EAA6B,MAAM,iCAAiC,CAAA;AAC5F,OAAO,EAAE,UAAU,EAAwB,MAAM,4BAA4B,CAAA;AAC7E,OAAO,EAAE,SAAS,EAAuB,MAAM,2BAA2B,CAAA;AAC1E,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACzG,uFAAuF;AACvF,OAAO,EACN,gBAAgB,EAChB,cAAc,EACd,yBAAyB,EACzB,UAAU,EAEV,cAAc,GACd,MAAM,wBAAwB,CAAA;AAC/B,sFAAsF;AACtF,OAAO,EAAE,WAAW,EAAE,eAAe,EAAE,kBAAkB,EAA8B,MAAM,wBAAwB,CAAA;AACrH,sFAAsF;AACtF,OAAO,EACN,gBAAgB,EAWhB,gBAAgB,EAKhB,aAAa,EACb,aAAa,EAGb,cAAc,EACd,mBAAmB,GACnB,MAAM,sBAAsB,CAAA;AAC7B,uFAAuF;AACvF,OAAO,EAGN,iBAAiB,EACjB,uBAAuB,EACvB,wBAAwB,GACxB,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,QAAQ,EAAwB,MAAM,mBAAmB,CAAA;AAClE,qFAAqF;AACrF,OAAO,EAGN,mBAAmB,EACnB,iBAAiB,EACjB,kBAAkB,GAClB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAEN,mBAAmB,EAEnB,iBAAiB,GACjB,MAAM,yBAAyB,CAAA;AAChC,sFAAsF;AACtF,OAAO,EAA2B,eAAe,EAAE,MAAM,qCAAqC,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,qFAAqF;AACrF,OAAO,EAAE,SAAS,EAAuB,MAAM,2BAA2B,CAAA;AAC1E,OAAO,EAAE,UAAU,EAAwB,MAAM,4BAA4B,CAAA;AAC7E,OAAO,EAAE,eAAe,EAA6B,MAAM,iCAAiC,CAAA;AAC5F,OAAO,EAAE,UAAU,EAAwB,MAAM,4BAA4B,CAAA;AAC7E,OAAO,EAAE,SAAS,EAAuB,MAAM,2BAA2B,CAAA;AAC1E,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,YAAY,EAAE,WAAW,EAAE,QAAQ,EAAE,MAAM,wBAAwB,CAAA;AACzG,uFAAuF;AACvF,OAAO,EACN,gBAAgB,EAChB,cAAc,EACd,yBAAyB,EACzB,UAAU,EAEV,cAAc,GACd,MAAM,wBAAwB,CAAA;AAC/B,sFAAsF;AACtF,qFAAqF;AACrF,2FAA2F;AAC3F,OAAO,EACN,gBAAgB,EAWhB,gBAAgB,EAKhB,aAAa,EACb,aAAa,EAGb,cAAc,EACd,mBAAmB,GACnB,MAAM,sBAAsB,CAAA;AAC7B,uFAAuF;AACvF,OAAO,EAGN,iBAAiB,EACjB,uBAAuB,EACvB,wBAAwB,GACxB,MAAM,qBAAqB,CAAA;AAC5B,OAAO,EAAE,QAAQ,EAAwB,MAAM,mBAAmB,CAAA;AAClE,qFAAqF;AACrF,OAAO,EAGN,mBAAmB,EACnB,iBAAiB,EACjB,kBAAkB,GAClB,MAAM,mCAAmC,CAAA;AAC1C,OAAO,EAEN,mBAAmB,EAEnB,iBAAiB,GACjB,MAAM,yBAAyB,CAAA;AAChC,sFAAsF;AACtF,OAAO,EAA2B,eAAe,EAAE,MAAM,qCAAqC,CAAA"}

package/dist/verify/get-verified-envelope.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"get-verified-envelope.d.ts","sourceRoot":"","sources":["../../src/verify/get-verified-envelope.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,WAAW,EAAE,aAAa,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAA;AAEpH,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAA;AAErC,kFAAkF;AAClF,MAAM,MAAM,cAAc;AACzB,2EAA2E;AACzE;IACA,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAA;IAC7B,8EAA8E;IAC9E,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;IACxB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAA;CAC1B;AACH;;sFAEsF;GACpF;IACA,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAA;IAC1B,QAAQ,CAAC,KAAK,EAAE,oBAAoB,GAAG,MAAM,GAAG,IAAI,GAAG,SAAS,CAAA;CAC/D,CAAA;AAEJ,MAAM,WAAW,0BAA0B;IAC1C,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAA;IAC/B,uFAAuF;IACvF,QAAQ,CAAC,UAAU,EAAE,qBAAqB,CAAA;IAC1C,uFAAuF;IACvF,QAAQ,CAAC,OAAO,EAAE,IAAI,CAAC,aAAa,EAAE,KAAK,CAAC,GAAG;QAAE,QAAQ,CAAC,GAAG,CAAC,EAAE,IAAI,CAAA;KAAE,CAAA;IACtE,8DAA8D;IAC9D,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAA;IACjC,gFAAgF;IAChF,QAAQ,CAAC,KAAK,CAAC,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAA;IACtC,gDAAgD;IAChD,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CACvB;AAED,iFAAiF;AACjF,QAAA,MAAM,kBAAkB,uBAAqE,CAAA;AAgD7F;;;;GAIG;AACH,wBAAsB,mBAAmB,CAAC,IAAI,EAAE,0BAA0B,GAAG,OAAO,CAAC,WAAW,CAAC,CAkChG;AAED,0FAA0F;AAC1F,wBAAgB,iBAAiB,CAChC,MAAM,EAAE,cAAc,EACtB,OAAO,EAAE,aAAa,EACtB,KAAK,GAAE,QAAQ,CAAC,WAAW,CAAsB,GAC/C,IAAI,CAEN;AAED,OAAO,EAAE,kBAAkB,EAAE,CAAA"}
+{"version":3,"file":"get-verified-envelope.d.ts","sourceRoot":"","sources":["../../src/verify/get-verified-envelope.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,WAAW,EAAE,aAAa,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAA;AAEpH,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAA;AAErC,kFAAkF;AAClF,MAAM,MAAM,cAAc;AACzB,2EAA2E;AACzE;IACA,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAA;IAC7B,8EAA8E;IAC9E,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;IACxB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAA;CAC1B;AACH;;sFAEsF;GACpF;IACA,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAA;IAC1B,QAAQ,CAAC,KAAK,EAAE,oBAAoB,GAAG,MAAM,GAAG,IAAI,GAAG,SAAS,CAAA;CAC/D,CAAA;AAEJ,MAAM,WAAW,0BAA0B;IAC1C,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAA;IAC/B,uFAAuF;IACvF,QAAQ,CAAC,UAAU,EAAE,qBAAqB,CAAA;IAC1C,uFAAuF;IACvF,QAAQ,CAAC,OAAO,EAAE,IAAI,CAAC,aAAa,EAAE,KAAK,CAAC,GAAG;QAAE,QAAQ,CAAC,GAAG,CAAC,EAAE,IAAI,CAAA;KAAE,CAAA;IACtE,8DAA8D;IAC9D,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAA;IACjC,gFAAgF;IAChF,QAAQ,CAAC,KAAK,CAAC,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAA;IACtC,gDAAgD;IAChD,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CACvB;AAED,iFAAiF;AACjF,QAAA,MAAM,kBAAkB,uBAAqE,CAAA;AAyE7F;;;;GAIG;AACH,wBAAsB,mBAAmB,CAAC,IAAI,EAAE,0BAA0B,GAAG,OAAO,CAAC,WAAW,CAAC,CAkChG;AAED,0FAA0F;AAC1F,wBAAgB,iBAAiB,CAChC,MAAM,EAAE,cAAc,EACtB,OAAO,EAAE,aAAa,EACtB,KAAK,GAAE,QAAQ,CAAC,WAAW,CAAsB,GAC/C,IAAI,CAEN;AAED,OAAO,EAAE,kBAAkB,EAAE,CAAA"}

package/dist/verify/get-verified-envelope.js

@@ -40,14 +40,38 @@ function deliveryApiUrl(s) {
     const base = s.baseUrl.replace(/\/+$/, '');
     return `${base}/api/cert/v1/delivery/${encodeURIComponent(s.platform)}/${encodeURIComponent(s.externalId)}`;
 }
-/** Stable cache key per (source identity × render externalId). */
+/**
+ * A short, fast, NON-cryptographic string hash (FNV-1a, 32-bit) — used ONLY to disambiguate
+ * cache keys, never for security. Edge-safe (no node:crypto). Distinct envelope values for
+ * the same placement must produce distinct keys so a push update (or, in tests/proofs,
+ * verifying several different envelopes against one render context) can't be served a stale
+ * verdict for a different envelope.
+ */
+function fnv1a(s) {
+    let h = 0x811c9dc5;
+    for (let i = 0; i < s.length; i++) {
+        h ^= s.charCodeAt(i);
+        // 32-bit FNV prime multiply via shifts (stays in 32-bit unsigned)
+        h = (h + ((h << 1) + (h << 4) + (h << 7) + (h << 8) + (h << 24))) >>> 0;
+    }
+    return h.toString(16).padStart(8, '0');
+}
+/** A stable string form of the metafield value for hashing (parsed → canonical-ish JSON). */
+function metafieldValueKey(value) {
+    if (value == null)
+        return 'null';
+    const s = typeof value === 'string' ? value : JSON.stringify(value);
+    return fnv1a(s);
+}
+/** Stable cache key per (source identity × render externalId × envelope value). */
 function cacheKey(source, ctx) {
     if (source.kind === 'delivery_api') {
         return `api:${source.platform}:${source.externalId}`;
     }
-    // Metafield: key on the rendering identity (the value is already in hand; the verdict
-    // still depends on context). Include a short hash of the value to bust on push update.
-    return `mf:${ctx.platform}:${ctx.externalId}`;
+    // Metafield: key on the rendering identity AND a short hash of the envelope value, so a
+    // push update (new envelope at the same placement) busts the entry, and verifying
+    // different envelopes against one render context never collides on a stale verdict.
+    return `mf:${ctx.platform}:${ctx.externalId}:${metafieldValueKey(source.value)}`;
 }
 async function fetchFromDeliveryApi(s, fetchImpl) {
     const res = await fetchImpl(deliveryApiUrl(s), { headers: { accept: 'application/json' } });

package/dist/verify/get-verified-envelope.js.map

@@ -1 +1 @@
-{"version":3,"file":"get-verified-envelope.js","sourceRoot":"","sources":["../../src/verify/get-verified-envelope.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAA;AACtD,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAA;AAkCrC,iFAAiF;AACjF,MAAM,kBAAkB,GAAG,IAAI,QAAQ,CAAc,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC,CAAA;AAE7F,SAAS,QAAQ,CAChB,MAE2D;IAE3D,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,CAAA;AACxC,CAAC;AAED,SAAS,aAAa,CAAC,KAAuD;IAC7E,IAAI,KAAK,IAAI,IAAI;QAAE,OAAO,IAAI,CAAA;IAC9B,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAA;IAC3C,IAAI,CAAC;QACJ,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAyB,CAAA;IACjD,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,IAAI,CAAA;IACZ,CAAC;AACF,CAAC;AAED,SAAS,cAAc,CAAC,CAAoD;IAC3E,MAAM,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;IAC1C,OAAO,GAAG,IAAI,yBAAyB,kBAAkB,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,kBAAkB,CAAC,CAAC,CAAC,UAAU,CAAC,EAAE,CAAA;AAC5G,CAAC;AAED,kEAAkE;AAClE,SAAS,QAAQ,CAAC,MAAsB,EAAE,GAAkB;IAC3D,IAAI,MAAM,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;QACpC,OAAO,OAAO,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,UAAU,EAAE,CAAA;IACrD,CAAC;IACD,sFAAsF;IACtF,uFAAuF;IACvF,OAAO,MAAM,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,UAAU,EAAE,CAAA;AAC9C,CAAC;AAED,KAAK,UAAU,oBAAoB,CAClC,CAAoD,EACpD,SAAuB;IAEvB,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAAE,CAAC,CAAA;IAC3F,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,OAAO,IAAI,CAAA,CAAC,iEAAiE;IAC1F,IAAI,CAAC;QACJ,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAyB,CAAA;IAClD,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,IAAI,CAAA;IACZ,CAAC;AACF,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,IAAgC;IACzE,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,UAAU,CAAC,KAAK,CAAA;IACpD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,kBAAkB,CAAA;IAC9C,MAAM,GAAG,GAAkB,EAAE,GAAG,IAAI,CAAC,OAAO,EAAE,CAAA;IAC9C,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;IAEtC,MAAM,UAAU,GAAG,CAAC,CAAc,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAA;IAE9D,OAAO,KAAK,CAAC,SAAS,CACrB,GAAG,EACH,KAAK,IAAI,EAAE;QACV,IAAI,QAAqC,CAAA;QACzC,IAAI,CAAC;YACJ,QAAQ;gBACP,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,cAAc;oBAClC,CAAC,CAAC,MAAM,oBAAoB,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC;oBACpD,CAAC,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;QACrC,CAAC;QAAC,MAAM,CAAC;YACR,+EAA+E;YAC/E,OAAO,QAAQ,CAAC,8BAA8B,CAAC,CAAA;QAChD,CAAC;QACD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACf,8EAA8E;YAC9E,OAAO,QAAQ,CAAC,8BAA8B,CAAC,CAAA;QAChD,CAAC;QACD,gFAAgF;QAChF,IAAI,CAAC;YACJ,OAAO,MAAM,cAAc,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,EAAE,GAAG,CAAC,CAAA;QAC5D,CAAC;QAAC,MAAM,CAAC;YACR,OAAO,QAAQ,CAAC,aAAa,CAAC,CAAA;QAC/B,CAAC;IACF,CAAC,EACD,UAAU,CACV,CAAA;AACF,CAAC;AAED,0FAA0F;AAC1F,MAAM,UAAU,iBAAiB,CAChC,MAAsB,EACtB,OAAsB,EACtB,QAA+B,kBAAkB;IAEjD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAA;AACxC,CAAC;AAED,OAAO,EAAE,kBAAkB,EAAE,CAAA"}
+{"version":3,"file":"get-verified-envelope.js","sourceRoot":"","sources":["../../src/verify/get-verified-envelope.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAA;AACtD,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAA;AAkCrC,iFAAiF;AACjF,MAAM,kBAAkB,GAAG,IAAI,QAAQ,CAAc,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC,CAAA;AAE7F,SAAS,QAAQ,CAChB,MAE2D;IAE3D,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,CAAA;AACxC,CAAC;AAED,SAAS,aAAa,CAAC,KAAuD;IAC7E,IAAI,KAAK,IAAI,IAAI;QAAE,OAAO,IAAI,CAAA;IAC9B,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAA;IAC3C,IAAI,CAAC;QACJ,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAyB,CAAA;IACjD,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,IAAI,CAAA;IACZ,CAAC;AACF,CAAC;AAED,SAAS,cAAc,CAAC,CAAoD;IAC3E,MAAM,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;IAC1C,OAAO,GAAG,IAAI,yBAAyB,kBAAkB,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,kBAAkB,CAAC,CAAC,CAAC,UAAU,CAAC,EAAE,CAAA;AAC5G,CAAC;AAED;;;;;;GAMG;AACH,SAAS,KAAK,CAAC,CAAS;IACvB,IAAI,CAAC,GAAG,UAAU,CAAA;IAClB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACnC,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAA;QACpB,kEAAkE;QAClE,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAA;IACxE,CAAC;IACD,OAAO,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;AACvC,CAAC;AAED,6FAA6F;AAC7F,SAAS,iBAAiB,CAAC,KAAuD;IACjF,IAAI,KAAK,IAAI,IAAI;QAAE,OAAO,MAAM,CAAA;IAChC,MAAM,CAAC,GAAG,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;IACnE,OAAO,KAAK,CAAC,CAAC,CAAC,CAAA;AAChB,CAAC;AAED,mFAAmF;AACnF,SAAS,QAAQ,CAAC,MAAsB,EAAE,GAAkB;IAC3D,IAAI,MAAM,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;QACpC,OAAO,OAAO,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,UAAU,EAAE,CAAA;IACrD,CAAC;IACD,wFAAwF;IACxF,kFAAkF;IAClF,oFAAoF;IACpF,OAAO,MAAM,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,UAAU,IAAI,iBAAiB,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAA;AACjF,CAAC;AAED,KAAK,UAAU,oBAAoB,CAClC,CAAoD,EACpD,SAAuB;IAEvB,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAAE,CAAC,CAAA;IAC3F,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,OAAO,IAAI,CAAA,CAAC,iEAAiE;IAC1F,IAAI,CAAC;QACJ,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAyB,CAAA;IAClD,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,IAAI,CAAA;IACZ,CAAC;AACF,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,IAAgC;IACzE,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,UAAU,CAAC,KAAK,CAAA;IACpD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,kBAAkB,CAAA;IAC9C,MAAM,GAAG,GAAkB,EAAE,GAAG,IAAI,CAAC,OAAO,EAAE,CAAA;IAC9C,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;IAEtC,MAAM,UAAU,GAAG,CAAC,CAAc,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAA;IAE9D,OAAO,KAAK,CAAC,SAAS,CACrB,GAAG,EACH,KAAK,IAAI,EAAE;QACV,IAAI,QAAqC,CAAA;QACzC,IAAI,CAAC;YACJ,QAAQ;gBACP,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,cAAc;oBAClC,CAAC,CAAC,MAAM,oBAAoB,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC;oBACpD,CAAC,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;QACrC,CAAC;QAAC,MAAM,CAAC;YACR,+EAA+E;YAC/E,OAAO,QAAQ,CAAC,8BAA8B,CAAC,CAAA;QAChD,CAAC;QACD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACf,8EAA8E;YAC9E,OAAO,QAAQ,CAAC,8BAA8B,CAAC,CAAA;QAChD,CAAC;QACD,gFAAgF;QAChF,IAAI,CAAC;YACJ,OAAO,MAAM,cAAc,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,EAAE,GAAG,CAAC,CAAA;QAC5D,CAAC;QAAC,MAAM,CAAC;YACR,OAAO,QAAQ,CAAC,aAAa,CAAC,CAAA;QAC/B,CAAC;IACF,CAAC,EACD,UAAU,CACV,CAAA;AACF,CAAC;AAED,0FAA0F;AAC1F,MAAM,UAAU,iBAAiB,CAChC,MAAsB,EACtB,OAAsB,EACtB,QAA+B,kBAAkB;IAEjD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAA;AACxC,CAAC;AAED,OAAO,EAAE,kBAAkB,EAAE,CAAA"}

package/dist/verify/resolve-kid.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"resolve-kid.d.ts","sourceRoot":"","sources":["../../src/verify/resolve-kid.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAA;AAGzF,0EAA0E;AAC1E,MAAM,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,qBAAqB,CAAC,CAAC,CAAA;AAOnF,gFAAgF;AAChF,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,YAAY,GAAG,qBAAqB,CAK3E;AA+BD,MAAM,WAAW,0BAA0B;IAC1C,sDAAsD;IACtD,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;IACxB,iEAAiE;IACjE,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAA;IACvB,8DAA8D;IAC9D,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAA;CACjC;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,0BAA0B,GAAG,qBAAqB,CAqB3F"}
+{"version":3,"file":"resolve-kid.d.ts","sourceRoot":"","sources":["../../src/verify/resolve-kid.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAGH,OAAO,KAAK,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAA;AAGzF,0EAA0E;AAC1E,MAAM,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,qBAAqB,CAAC,CAAC,CAAA;AAOnF,gFAAgF;AAChF,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,YAAY,GAAG,qBAAqB,CAK3E;AAgCD,MAAM,WAAW,0BAA0B;IAC1C,sDAAsD;IACtD,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;IACxB,iEAAiE;IACjE,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAA;IACvB,8DAA8D;IAC9D,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAA;CACjC;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,0BAA0B,GAAG,qBAAqB,CAqB3F"}

package/dist/verify/resolve-kid.js

@@ -16,6 +16,7 @@
  * understands the two encodings CertREV may publish: a PEM string, or a JWK with an
  * Ed25519 `x` (base64url raw key).
  */
+import { base64urlDecode } from '@certrev/cert-contract';
 import { TtlCache } from './cache.js';
 function asInput(v) {
     // A bare string is treated as PEM (the common deploy-config form).
@@ -28,8 +29,9 @@ export function staticKidResolver(keys) {
         return k ? asInput(k) : null;
     };
 }
+// Runtime-agnostic base64url decode from the contract (no `Buffer` — edge/Workers safe).
 function base64urlToBytes(b64url) {
-    return new Uint8Array(Buffer.from(b64url, 'base64url'));
+    return base64urlDecode(b64url);
 }
 function jwkToInput(jwk) {
     if (jwk.pem)

package/dist/verify/resolve-kid.js.map

@@ -1 +1 @@
-{"version":3,"file":"resolve-kid.js","sourceRoot":"","sources":["../../src/verify/resolve-kid.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAGH,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAA;AAKrC,SAAS,OAAO,CAAC,CAAiC;IACjD,mEAAmE;IACnE,OAAO,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAA;AAC7D,CAAC;AAED,gFAAgF;AAChF,MAAM,UAAU,iBAAiB,CAAC,IAAkB;IACnD,OAAO,CAAC,GAAG,EAAE,EAAE;QACd,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAA;QACnB,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IAC7B,CAAC,CAAA;AACF,CAAC;AAkBD,SAAS,gBAAgB,CAAC,MAAc;IACvC,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAA;AACxD,CAAC;AAED,SAAS,UAAU,CAAC,GAAiB;IACpC,IAAI,GAAG,CAAC,GAAG;QAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAA;IACnD,IAAI,GAAG,CAAC,CAAC,EAAE,CAAC;QACX,MAAM,KAAK,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;QACrC,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE;YAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,CAAA;IACzD,CAAC;IACD,OAAO,IAAI,CAAA;AACZ,CAAC;AAWD;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAgC;IACnE,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,UAAU,CAAC,KAAK,CAAA;IACpD,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAqC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,SAAS,EAAE,CAAC,CAAA;IAClG,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAA;IAE9B,KAAK,UAAU,UAAU;QACxB,MAAM,GAAG,GAAG,IAAI,GAAG,EAAiC,CAAA;QACpD,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAAE,CAAC,CAAA;QACtF,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,GAAG,CAAA,CAAC,gDAAgD;QACxE,MAAM,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuB,CAAA;QACpD,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;YAClC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,CAAA;YAC7B,IAAI,KAAK,IAAI,GAAG,CAAC,GAAG;gBAAE,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;QAC9C,CAAC;QACD,OAAO,GAAG,CAAA;IACX,CAAC;IAED,OAAO,KAAK,EAAE,GAAG,EAAE,EAAE;QACpB,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,SAAS,EAAE,UAAU,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAA;QAChF,OAAO,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAA;IAC/B,CAAC,CAAA;AACF,CAAC"}
+{"version":3,"file":"resolve-kid.js","sourceRoot":"","sources":["../../src/verify/resolve-kid.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAA;AAExD,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAA;AAKrC,SAAS,OAAO,CAAC,CAAiC;IACjD,mEAAmE;IACnE,OAAO,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAA;AAC7D,CAAC;AAED,gFAAgF;AAChF,MAAM,UAAU,iBAAiB,CAAC,IAAkB;IACnD,OAAO,CAAC,GAAG,EAAE,EAAE;QACd,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAA;QACnB,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IAC7B,CAAC,CAAA;AACF,CAAC;AAkBD,yFAAyF;AACzF,SAAS,gBAAgB,CAAC,MAAc;IACvC,OAAO,eAAe,CAAC,MAAM,CAAC,CAAA;AAC/B,CAAC;AAED,SAAS,UAAU,CAAC,GAAiB;IACpC,IAAI,GAAG,CAAC,GAAG;QAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAA;IACnD,IAAI,GAAG,CAAC,CAAC,EAAE,CAAC;QACX,MAAM,KAAK,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;QACrC,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE;YAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,CAAA;IACzD,CAAC;IACD,OAAO,IAAI,CAAA;AACZ,CAAC;AAWD;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAgC;IACnE,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,UAAU,CAAC,KAAK,CAAA;IACpD,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAqC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,SAAS,EAAE,CAAC,CAAA;IAClG,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAA;IAE9B,KAAK,UAAU,UAAU;QACxB,MAAM,GAAG,GAAG,IAAI,GAAG,EAAiC,CAAA;QACpD,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAAE,CAAC,CAAA;QACtF,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,GAAG,CAAA,CAAC,gDAAgD;QACxE,MAAM,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuB,CAAA;QACpD,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;YAClC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,CAAA;YAC7B,IAAI,KAAK,IAAI,GAAG,CAAC,GAAG;gBAAE,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;QAC9C,CAAC;QACD,OAAO,GAAG,CAAA;IACX,CAAC;IAED,OAAO,KAAK,EAAE,GAAG,EAAE,EAAE;QACpB,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,SAAS,EAAE,UAAU,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAA;QAChF,OAAO,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAA;IAC/B,CAAC,CAAA;AACF,CAAC"}

package/package.json

@@ -1,70 +1,74 @@
 {
-  "name": "@certrev/cert-block",
-  "version": "0.1.0",
-  "description": "Headless / crypto_verify render edge for the CertREV CertDeliveryEnvelope. SSR-safe React components (<CertBadge>/<ExpertBio>/<CertRevBacklink>), a deterministic schema.org JSON-LD projector, a fail-closed verify layer over the shared VerdictKernel, and a framework-agnostic <certrev-badge> Web Component. Sign once (portal), render everywhere (Hydrogen / Next / Builder / universal embed).",
-  "type": "module",
-  "main": "./dist/index.js",
-  "types": "./dist/index.d.ts",
-  "exports": {
-    ".": {
-      "types": "./dist/index.d.ts",
-      "default": "./dist/index.js"
-    },
-    "./webcomponent": {
-      "types": "./dist/webcomponent/certrev-badge.d.ts",
-      "default": "./dist/webcomponent/certrev-badge.js"
-    }
-  },
-  "files": [
-    "dist",
-    "src",
-    "README.md"
-  ],
-  "publishConfig": {
-    "registry": "https://registry.npmjs.org",
-    "access": "public"
-  },
-  "publishTargets": [
-    "npmjs"
-  ],
-  "peerDependencies": {
-    "@certrev/cert-contract": ">=0.1.1",
-    "react": ">=18.0.0"
-  },
-  "peerDependenciesMeta": {
-    "react": {
-      "optional": false
-    }
-  },
-  "devDependencies": {
-    "@testing-library/react": "^16.1.0",
-    "@types/node": "^20.0.0",
-    "@types/react": "^18.3.0",
-    "@types/react-dom": "^18.3.0",
-    "jsdom": "^25.0.0",
-    "react": "^18.3.1",
-    "react-dom": "^18.3.1",
-    "typescript": "^6.0.3",
-    "vitest": "^4.1.5",
-    "@certrev/cert-contract": "0.1.1"
-  },
-  "keywords": [
-    "certrev",
-    "certification",
-    "react",
-    "server-components",
-    "hydrogen",
-    "shopify",
-    "json-ld",
-    "schema-org",
-    "web-component",
-    "ed25519",
-    "ssr"
-  ],
-  "license": "MIT",
-  "scripts": {
-    "build": "tsc",
-    "typecheck": "tsc --noEmit",
-    "test": "vitest run"
-  }
-}
+	"name": "@certrev/cert-block",
+	"version": "0.1.1",
+	"description": "Headless / crypto_verify render edge for the CertREV CertDeliveryEnvelope. SSR-safe React components (<CertBadge>/<ExpertBio>/<CertRevBacklink>), a deterministic schema.org JSON-LD projector, a fail-closed verify layer over the shared VerdictKernel, and a framework-agnostic <certrev-badge> Web Component. Sign once (portal), render everywhere (Hydrogen / Next / Builder / universal embed).",
+	"type": "module",
+	"main": "./dist/index.js",
+	"types": "./dist/index.d.ts",
+	"exports": {
+		".": {
+			"types": "./dist/index.d.ts",
+			"default": "./dist/index.js"
+		},
+		"./webcomponent": {
+			"types": "./dist/webcomponent/certrev-badge.d.ts",
+			"default": "./dist/webcomponent/certrev-badge.js"
+		},
+		"./fixtures": {
+			"types": "./dist/contract/fixtures.d.ts",
+			"default": "./dist/contract/fixtures.js"
+		}
+	},
+	"files": [
+		"dist",
+		"src",
+		"README.md"
+	],
+	"publishConfig": {
+		"registry": "https://registry.npmjs.org",
+		"access": "public"
+	},
+	"publishTargets": [
+		"npmjs"
+	],
+	"scripts": {
+		"build": "tsc",
+		"typecheck": "tsc --noEmit",
+		"test": "vitest run"
+	},
+	"peerDependencies": {
+		"@certrev/cert-contract": ">=0.1.2",
+		"react": ">=18.0.0"
+	},
+	"peerDependenciesMeta": {
+		"react": {
+			"optional": false
+		}
+	},
+	"devDependencies": {
+		"@certrev/cert-contract": "workspace:*",
+		"@testing-library/react": "^16.1.0",
+		"@types/node": "^20.0.0",
+		"@types/react": "^18.3.0",
+		"@types/react-dom": "^18.3.0",
+		"jsdom": "^25.0.0",
+		"react": "^18.3.1",
+		"react-dom": "^18.3.1",
+		"typescript": "^6.0.3",
+		"vitest": "^4.1.5"
+	},
+	"keywords": [
+		"certrev",
+		"certification",
+		"react",
+		"server-components",
+		"hydrogen",
+		"shopify",
+		"json-ld",
+		"schema-org",
+		"web-component",
+		"ed25519",
+		"ssr"
+	],
+	"license": "MIT"
+}

package/src/__tests__/verify.test.ts

@@ -119,6 +119,42 @@ describe('getVerifiedEnvelope — metafield source', () => {
 		})
 		expect(verdict.decision).toBe('suppress')
 	})
+
+	it('DISTINCT metafield envelopes at one placement do NOT collide on a shared cache (value-keyed)', async () => {
+		// Regression: the metafield cache key must include a hash of the envelope value, else
+		// the first verdict (render) is served for a later, DIFFERENT envelope — a fail-closed
+		// violation (an unverified/tampered credential rendered). Here a valid + a tampered
+		// envelope share the SAME resolver, context, and cache; each must get its own verdict.
+		const { envelope, resolveKid } = makeSignedEnvelope()
+		const tampered: CertDeliveryEnvelope = {
+			...envelope,
+			payload: {
+				...envelope.payload,
+				content: {
+					...envelope.payload.content,
+					expert: { ...envelope.payload.content.expert, displayName: 'Dr. Forged' },
+				},
+			},
+		}
+		const cache = new TtlCache<import('../contract/kernel.js').CertVerdict>()
+		const ctx = { ...RENDER_CTX, now: new Date('2026-06-22T00:00:00Z') }
+
+		const validVerdict = await getVerifiedEnvelope({
+			source: { kind: 'metafield', value: envelope },
+			resolveKid,
+			context: ctx,
+			cache,
+		})
+		const tamperedVerdict = await getVerifiedEnvelope({
+			source: { kind: 'metafield', value: tampered },
+			resolveKid,
+			context: ctx,
+			cache,
+		})
+
+		expect(validVerdict.decision).toBe('render')
+		expect(tamperedVerdict).toEqual({ decision: 'suppress', reason: 'invalid_signature' })
+	})
 })
 
 describe('getVerifiedEnvelope — Delivery API source', () => {

package/src/contract/fixtures.ts

@@ -16,14 +16,17 @@
  * end-to-end under the production `verifyEnvelope`, not a stand-in canonicalizer.
  */
 
-import { generateKeyPairSync, type KeyObject, sign as nodeSign } from 'node:crypto'
-import {
-	canonicalPayloadBytes,
-	type CertDeliveryEnvelope,
-	type CertPayload,
-	type Ed25519PublicKeyInput,
-	type ResolvePublicKeyByKid,
+import { generateKeyPairSync, type KeyObject } from 'node:crypto'
+import type {
+	CertDeliveryEnvelope,
+	CertPayload,
+	Ed25519PublicKeyInput,
+	ResolvePublicKeyByKid,
 } from '@certrev/cert-contract'
+// SIGN is Node-only and lives on the contract's signer subpath. Fixtures are themselves
+// Node-only (they stand in for the issuer) and ship from the './fixtures' subpath, so the
+// SDK's edge-safe main entry never pulls a Node builtin.
+import { signPayloadEd25519 } from '@certrev/cert-contract/signer'
 
 const FIXTURE_KID = 'certrev-fixture-key-1'
 
@@ -89,8 +92,9 @@ export interface SignedEnvelopeFixture {
 export function makeSignedEnvelope(overrides: Partial<CertPayload> = {}, kid = FIXTURE_KID): SignedEnvelopeFixture {
 	const { publicKey, privateKey } = generateKeyPairSync('ed25519')
 	const payload = makeMockPayload(overrides)
-	const bytes = canonicalPayloadBytes(payload)
-	const sig = nodeSign(null, bytes, privateKey).toString('base64url')
+	// Sign the RFC-8785 canonical bytes via the contract's signer — the SAME bytes the
+	// edge-safe kernel recomputes on verify, so the fixture verifies end-to-end.
+	const sig = signPayloadEd25519(payload, privateKey)
 
 	const envelope: CertDeliveryEnvelope = {
 		payload,

package/src/contract/kernel.ts

@@ -7,8 +7,8 @@
  * never directly from `@certrev/cert-contract`, so the whole SDK's dependency on the
  * contract is funnelled through one module. The published package owns the envelope types
  * (`CertDeliveryEnvelope`, `CertPayload`, `CertCredential`, …), the RFC-8785
- * canonicalization (`canonicalPayloadBytes`), and the fail-closed kernel (`verifyEnvelope`,
- * `renderVerdict`, `verifySignatureOnly`, `toEd25519PublicKey`).
+ * canonicalization (`canonicalPayloadBytes`), and the fail-closed WebCrypto kernel
+ * (`verifyEnvelope`, `renderVerdict`, `verifySignatureOnly`, `importEd25519PublicKey`).
  *
  * `VerdictKernel` is the ONE name NOT re-exported from the package: the contract exposes
  * the kernel as free functions, and different edges bundle them with different key-resolver

package/src/index.ts

@@ -8,11 +8,16 @@
  *     graph, mergeable by @id (won't collide with Yoast).
  *   • Verify layer — `getVerifiedEnvelope` (fetch from metafield OR Delivery API + run
  *     the fail-closed VerdictKernel + cache), kid resolvers, the TTL/single-flight cache.
- *   • Contract types — re-exported from `@certrev/cert-contract` (stubbed locally until
- *     that package publishes; see the contract binding point in ./contract/kernel).
+ *   • Contract types — re-exported from `@certrev/cert-contract` (the binding point in
+ *     ./contract/kernel).
  *
- * The Web Component (`<certrev-badge>`) ships from the './webcomponent' subpath export so
- * importing the main entry doesn't touch `customElements` (which is undefined server-side).
+ * EDGE-RUNTIME SAFE. This main entry imports NO `node:crypto` and uses NO `Buffer`, so it
+ * loads + runs on edge/Workers runtimes (Shopify Oxygen, Cloudflare Workers, Vercel Edge).
+ * Two things are deliberately kept OFF this entry:
+ *   • the Web Component (`<certrev-badge>`) → './webcomponent' subpath (touches
+ *     `customElements`, undefined server-side);
+ *   • the Node-only test/dev fixtures (`makeSignedEnvelope`, which signs with `node:crypto`)
+ *     → './fixtures' subpath. Importing the main entry must never pull a Node builtin.
  */
 
 // ── React components ──────────────────────────────────────────────────────────────
@@ -31,9 +36,9 @@ export {
 	type ResolvedDisplay,
 	resolveDisplay,
 } from './components/format.js'
-// ── Test/dev fixtures (mock facts + signed-envelope generator) ─────────────────────
-export { FIXTURE_KID, makeMockPayload, makeSignedEnvelope, type SignedEnvelopeFixture } from './contract/fixtures.js'
 // ── Contract surface (types + kernel) — re-export the binding point ────────────────
+// NOTE: the test/dev fixtures (makeSignedEnvelope, makeMockPayload, FIXTURE_KID) are
+// Node-only (they sign with node:crypto) and ship from the './fixtures' subpath, NOT here.
 export {
 	CANONICALIZATION,
 	type CertContent,

package/src/verify/get-verified-envelope.ts

@@ -80,14 +80,39 @@ function deliveryApiUrl(s: Extract<EnvelopeSource, { kind: 'delivery_api' }>): s
 	return `${base}/api/cert/v1/delivery/${encodeURIComponent(s.platform)}/${encodeURIComponent(s.externalId)}`
 }
 
-/** Stable cache key per (source identity × render externalId). */
+/**
+ * A short, fast, NON-cryptographic string hash (FNV-1a, 32-bit) — used ONLY to disambiguate
+ * cache keys, never for security. Edge-safe (no node:crypto). Distinct envelope values for
+ * the same placement must produce distinct keys so a push update (or, in tests/proofs,
+ * verifying several different envelopes against one render context) can't be served a stale
+ * verdict for a different envelope.
+ */
+function fnv1a(s: string): string {
+	let h = 0x811c9dc5
+	for (let i = 0; i < s.length; i++) {
+		h ^= s.charCodeAt(i)
+		// 32-bit FNV prime multiply via shifts (stays in 32-bit unsigned)
+		h = (h + ((h << 1) + (h << 4) + (h << 7) + (h << 8) + (h << 24))) >>> 0
+	}
+	return h.toString(16).padStart(8, '0')
+}
+
+/** A stable string form of the metafield value for hashing (parsed → canonical-ish JSON). */
+function metafieldValueKey(value: CertDeliveryEnvelope | string | null | undefined): string {
+	if (value == null) return 'null'
+	const s = typeof value === 'string' ? value : JSON.stringify(value)
+	return fnv1a(s)
+}
+
+/** Stable cache key per (source identity × render externalId × envelope value). */
 function cacheKey(source: EnvelopeSource, ctx: RenderContext): string {
 	if (source.kind === 'delivery_api') {
 		return `api:${source.platform}:${source.externalId}`
 	}
-	// Metafield: key on the rendering identity (the value is already in hand; the verdict
-	// still depends on context). Include a short hash of the value to bust on push update.
-	return `mf:${ctx.platform}:${ctx.externalId}`
+	// Metafield: key on the rendering identity AND a short hash of the envelope value, so a
+	// push update (new envelope at the same placement) busts the entry, and verifying
+	// different envelopes against one render context never collides on a stale verdict.
+	return `mf:${ctx.platform}:${ctx.externalId}:${metafieldValueKey(source.value)}`
 }
 
 async function fetchFromDeliveryApi(

package/src/verify/resolve-kid.ts

@@ -17,6 +17,7 @@
  * Ed25519 `x` (base64url raw key).
  */
 
+import { base64urlDecode } from '@certrev/cert-contract'
 import type { Ed25519PublicKeyInput, ResolvePublicKeyByKid } from '../contract/kernel.js'
 import { TtlCache } from './cache.js'
 
@@ -52,8 +53,9 @@ interface PublishedKeySetDoc {
 	readonly keys: ReadonlyArray<PublishedJwk>
 }
 
+// Runtime-agnostic base64url decode from the contract (no `Buffer` — edge/Workers safe).
 function base64urlToBytes(b64url: string): Uint8Array {
-	return new Uint8Array(Buffer.from(b64url, 'base64url'))
+	return base64urlDecode(b64url)
 }
 
 function jwkToInput(jwk: PublishedJwk): Ed25519PublicKeyInput | null {

package/dist/contract/kernel-contract.d.ts

@@ -1,154 +0,0 @@
-/**
- * ─────────────────────────────────────────────────────────────────────────────
- * @certrev/cert-contract — INTERFACE STUB (delete on publish; see INTEGRATION below)
- * ─────────────────────────────────────────────────────────────────────────────
- *
- * The shared `CertDeliveryEnvelope` types + the fail-closed `VerdictKernel` live in
- * the published `@certrev/cert-contract` package. That package is not yet on a registry
- * this workspace can `pnpm install` from (it ships `file:`/workspace-only today), so
- * `@certrev/cert-block` imports the contract surface from THIS local interface module
- * instead. The types here are a byte-for-byte mirror of `cert-contract`'s `types.ts`
- * (the settled, panel-revised shape: structured FACTS, no rendered JSON-LD in the
- * payload; `subject` carries `logicalArticleId`, `canonicalUrls[]`, `installationId`,
- * `contentDigest`).
- *
- * INTEGRATION (when @certrev/cert-contract publishes — see README "Integration TODOs"):
- *   1. Delete this file and `./kernel-stub.ts`.
- *   2. Replace every `from '../contract/kernel-contract.js'` with
- *      `from '@certrev/cert-contract'`.
- *   3. The exported names here are deliberately identical to cert-contract's exports
- *      (`CertDeliveryEnvelope`, `CertPayload`, `CertVerdict`, `verifyEnvelope`,
- *      `renderVerdict`, `verifySignatureOnly`, `ResolvePublicKeyByKid`, `RenderContext`,
- *      `Ed25519PublicKeyInput`), so the swap is a find-and-replace of the import
- *      specifier — no call-site churn.
- *
- * Because this is type-only for everything the SDK consumes at COMPILE time, swapping
- * the import path is the only change; the runtime kernel comes from `./kernel-stub.ts`
- * today and from `@certrev/cert-contract` after publish.
- */
-/** Bump on ANY breaking change to the payload shape or signing rules. */
-export declare const CONTRACT_VERSION: 1;
-export type ContractVersion = typeof CONTRACT_VERSION;
-/** RFC 8785 JSON Canonicalization Scheme — the bytes that get signed/hashed. */
-export declare const CANONICALIZATION: "RFC8785-JCS";
-/** Ed25519 (PureEdDSA). */
-export declare const SIGNATURE_ALG: "ed25519";
-export type SignatureAlg = typeof SIGNATURE_ALG;
-export interface CertSubject {
-    readonly platform: string;
-    readonly externalId: string;
-    readonly logicalArticleId: string;
-    readonly canonicalUrls: ReadonlyArray<string>;
-    readonly installationId: string | null;
-    readonly contentDigest: string | null;
-}
-export interface CertDisplayConfig {
-    readonly accentColor?: string | null;
-    readonly showExpertPhoto?: boolean;
-    readonly showAuthor?: boolean;
-    readonly showMemo?: boolean;
-    readonly badgeStyle?: 'full' | 'compact';
-}
-export interface CertCredential {
-    readonly abbreviation: string;
-    readonly fullName: string;
-}
-export interface CertContent {
-    readonly expert: {
-        readonly displayName: string;
-        readonly credentials: ReadonlyArray<CertCredential>;
-        readonly profileUrl: string | null;
-        readonly photoUrl: string | null;
-    };
-    readonly author: {
-        readonly name: string;
-        readonly title: string | null;
-    };
-    readonly memo: string | null;
-    readonly certifiedAt: string;
-    readonly contentModifiedAt: string | null;
-    readonly verifyUrl: string;
-    readonly display: CertDisplayConfig;
-}
-export interface CertLifecycle {
-    readonly issuedAt: string;
-    readonly expiresAt: string;
-    readonly revokedAt: string | null;
-    readonly revision: number;
-}
-export interface CertPayload {
-    readonly contractVersion: ContractVersion;
-    readonly certId: string;
-    readonly subject: CertSubject;
-    readonly content: CertContent;
-    readonly lifecycle: CertLifecycle;
-}
-export interface CertSignature {
-    readonly alg: SignatureAlg;
-    readonly kid: string;
-    readonly sig: string;
-    readonly signedAt: string;
-}
-export interface CertDeliveryEnvelope {
-    readonly payload: CertPayload;
-    readonly signature: CertSignature;
-}
-export type CertVerdict = {
-    readonly decision: 'render';
-    readonly payload: CertPayload;
-} | {
-    readonly decision: 'suppress';
-    readonly reason: CertSuppressReason;
-};
-export type CertSuppressReason = 'unsupported_contract_version' | 'unsupported_alg' | 'unknown_key' | 'invalid_signature' | 'platform_mismatch' | 'subject_mismatch' | 'revoked' | 'expired' | 'content_drift';
-/** The Ed25519 public-key encodings a kid resolver may hand the kernel. */
-export type Ed25519PublicKeyInput = {
-    readonly format: 'spki-der';
-    readonly bytes: Uint8Array;
-} | {
-    readonly format: 'spki-base64';
-    readonly base64: string;
-} | {
-    readonly format: 'pem';
-    readonly pem: string;
-} | {
-    readonly format: 'raw';
-    readonly bytes: Uint8Array;
-};
-/**
- * A kid → public-key resolver. Returns a usable Ed25519 key for the given kid, or
- * null/undefined when the kid is unknown (→ suppress 'unknown_key'). May be async so
- * an edge can fetch + cache a published key set. The real kernel also accepts a Node
- * KeyObject; we model only the SDK-relevant inputs here.
- */
-export type ResolvePublicKeyByKid = (kid: string) => Promise<Ed25519PublicKeyInput | null | undefined> | Ed25519PublicKeyInput | null | undefined;
-/** Edge-supplied context for the policy phase. */
-export interface RenderContext {
-    readonly platform: string;
-    readonly externalId: string;
-    readonly liveContentHash?: string | null;
-    readonly now?: Date;
-}
-/** Full kernel: verify signature, then apply subject/lifecycle/drift policy. */
-export type VerifyEnvelope = (envelope: CertDeliveryEnvelope, resolveKid: ResolvePublicKeyByKid, ctx: RenderContext) => Promise<CertVerdict>;
-/** Phase-2-only policy over an already-verified payload. */
-export type RenderVerdict = (payload: CertPayload, ctx: RenderContext) => CertVerdict;
-/** Phase-1-only cryptographic verification. */
-export type VerifySignatureOnly = (envelope: CertDeliveryEnvelope, resolveKid: ResolvePublicKeyByKid) => Promise<{
-    ok: true;
-} | {
-    ok: false;
-    reason: CertSuppressReason;
-}>;
-/**
- * The kernel function set as a single named interface — what the SDK depends on at
- * the value level. `@certrev/cert-contract` exposes these as free functions; the SDK
- * binds them through `./kernel-stub` today and re-points to the real exports on
- * publish.
- */
-export interface VerdictKernel {
-    readonly verifyEnvelope: VerifyEnvelope;
-    readonly renderVerdict: RenderVerdict;
-    readonly verifySignatureOnly: VerifySignatureOnly;
-}
-//# sourceMappingURL=kernel-contract.d.ts.map

package/dist/contract/kernel-contract.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"kernel-contract.d.ts","sourceRoot":"","sources":["../../src/contract/kernel-contract.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,yEAAyE;AACzE,eAAO,MAAM,gBAAgB,EAAG,CAAU,CAAA;AAC1C,MAAM,MAAM,eAAe,GAAG,OAAO,gBAAgB,CAAA;AAErD,gFAAgF;AAChF,eAAO,MAAM,gBAAgB,EAAG,aAAsB,CAAA;AAEtD,2BAA2B;AAC3B,eAAO,MAAM,aAAa,EAAG,SAAkB,CAAA;AAC/C,MAAM,MAAM,YAAY,GAAG,OAAO,aAAa,CAAA;AAG/C,MAAM,WAAW,WAAW;IAC3B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAA;IAC3B,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAA;IACjC,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;IAC7C,QAAQ,CAAC,cAAc,EAAE,MAAM,GAAG,IAAI,CAAA;IACtC,QAAQ,CAAC,aAAa,EAAE,MAAM,GAAG,IAAI,CAAA;CACrC;AAGD,MAAM,WAAW,iBAAiB;IACjC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IACpC,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,CAAA;IAClC,QAAQ,CAAC,UAAU,CAAC,EAAE,OAAO,CAAA;IAC7B,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAA;IAC3B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;CACxC;AAGD,MAAM,WAAW,cAAc;IAC9B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;CACzB;AAED,MAAM,WAAW,WAAW;IAC3B,QAAQ,CAAC,MAAM,EAAE;QAChB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;QAC5B,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,cAAc,CAAC,CAAA;QACnD,QAAQ,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;QAClC,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;KAChC,CAAA;IACD,QAAQ,CAAC,MAAM,EAAE;QAChB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;QACrB,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KAC7B,CAAA;IACD,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAA;IAC5B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;IAC5B,QAAQ,CAAC,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAA;IACzC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;IAC1B,QAAQ,CAAC,OAAO,EAAE,iBAAiB,CAAA;CACnC;AAGD,MAAM,WAAW,aAAa;IAC7B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;IAC1B,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;IACjC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;CACzB;AAGD,MAAM,WAAW,WAAW;IAC3B,QAAQ,CAAC,eAAe,EAAE,eAAe,CAAA;IACzC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAA;IAC7B,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAA;IAC7B,QAAQ,CAAC,SAAS,EAAE,aAAa,CAAA;CACjC;AAGD,MAAM,WAAW,aAAa;IAC7B,QAAQ,CAAC,GAAG,EAAE,YAAY,CAAA;IAC1B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;IACpB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;IACpB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;CACzB;AAGD,MAAM,WAAW,oBAAoB;IACpC,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAA;IAC7B,QAAQ,CAAC,SAAS,EAAE,aAAa,CAAA;CACjC;AAGD,MAAM,MAAM,WAAW,GACpB;IAAE,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAAC,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAA;CAAE,GAC9D;IAAE,QAAQ,CAAC,QAAQ,EAAE,UAAU,CAAC;IAAC,QAAQ,CAAC,MAAM,EAAE,kBAAkB,CAAA;CAAE,CAAA;AAEzE,MAAM,MAAM,kBAAkB,GAC3B,8BAA8B,GAC9B,iBAAiB,GACjB,aAAa,GACb,mBAAmB,GACnB,mBAAmB,GACnB,kBAAkB,GAClB,SAAS,GACT,SAAS,GACT,eAAe,CAAA;AAIlB,2EAA2E;AAC3E,MAAM,MAAM,qBAAqB,GAC9B;IAAE,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAC;IAAC,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAA;CAAE,GAC3D;IAAE,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;IAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC3D;IAAE,QAAQ,CAAC,MAAM,EAAE,KAAK,CAAC;IAAC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAChD;IAAE,QAAQ,CAAC,MAAM,EAAE,KAAK,CAAC;IAAC,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAA;CAAE,CAAA;AAEzD;;;;;GAKG;AACH,MAAM,MAAM,qBAAqB,GAAG,CACnC,GAAG,EAAE,MAAM,KACP,OAAO,CAAC,qBAAqB,GAAG,IAAI,GAAG,SAAS,CAAC,GAAG,qBAAqB,GAAG,IAAI,GAAG,SAAS,CAAA;AAEjG,kDAAkD;AAClD,MAAM,WAAW,aAAa;IAC7B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAA;IAC3B,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IACxC,QAAQ,CAAC,GAAG,CAAC,EAAE,IAAI,CAAA;CACnB;AAED,gFAAgF;AAChF,MAAM,MAAM,cAAc,GAAG,CAC5B,QAAQ,EAAE,oBAAoB,EAC9B,UAAU,EAAE,qBAAqB,EACjC,GAAG,EAAE,aAAa,KACd,OAAO,CAAC,WAAW,CAAC,CAAA;AAEzB,4DAA4D;AAC5D,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,EAAE,WAAW,EAAE,GAAG,EAAE,aAAa,KAAK,WAAW,CAAA;AAErF,+CAA+C;AAC/C,MAAM,MAAM,mBAAmB,GAAG,CACjC,QAAQ,EAAE,oBAAoB,EAC9B,UAAU,EAAE,qBAAqB,KAC7B,OAAO,CAAC;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,kBAAkB,CAAA;CAAE,CAAC,CAAA;AAEtE;;;;;GAKG;AACH,MAAM,WAAW,aAAa;IAC7B,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAA;IACvC,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IACrC,QAAQ,CAAC,mBAAmB,EAAE,mBAAmB,CAAA;CACjD"}

package/dist/contract/kernel-contract.js

@@ -1,35 +0,0 @@
-/**
- * ─────────────────────────────────────────────────────────────────────────────
- * @certrev/cert-contract — INTERFACE STUB (delete on publish; see INTEGRATION below)
- * ─────────────────────────────────────────────────────────────────────────────
- *
- * The shared `CertDeliveryEnvelope` types + the fail-closed `VerdictKernel` live in
- * the published `@certrev/cert-contract` package. That package is not yet on a registry
- * this workspace can `pnpm install` from (it ships `file:`/workspace-only today), so
- * `@certrev/cert-block` imports the contract surface from THIS local interface module
- * instead. The types here are a byte-for-byte mirror of `cert-contract`'s `types.ts`
- * (the settled, panel-revised shape: structured FACTS, no rendered JSON-LD in the
- * payload; `subject` carries `logicalArticleId`, `canonicalUrls[]`, `installationId`,
- * `contentDigest`).
- *
- * INTEGRATION (when @certrev/cert-contract publishes — see README "Integration TODOs"):
- *   1. Delete this file and `./kernel-stub.ts`.
- *   2. Replace every `from '../contract/kernel-contract.js'` with
- *      `from '@certrev/cert-contract'`.
- *   3. The exported names here are deliberately identical to cert-contract's exports
- *      (`CertDeliveryEnvelope`, `CertPayload`, `CertVerdict`, `verifyEnvelope`,
- *      `renderVerdict`, `verifySignatureOnly`, `ResolvePublicKeyByKid`, `RenderContext`,
- *      `Ed25519PublicKeyInput`), so the swap is a find-and-replace of the import
- *      specifier — no call-site churn.
- *
- * Because this is type-only for everything the SDK consumes at COMPILE time, swapping
- * the import path is the only change; the runtime kernel comes from `./kernel-stub.ts`
- * today and from `@certrev/cert-contract` after publish.
- */
-/** Bump on ANY breaking change to the payload shape or signing rules. */
-export const CONTRACT_VERSION = 1;
-/** RFC 8785 JSON Canonicalization Scheme — the bytes that get signed/hashed. */
-export const CANONICALIZATION = 'RFC8785-JCS';
-/** Ed25519 (PureEdDSA). */
-export const SIGNATURE_ALG = 'ed25519';
-//# sourceMappingURL=kernel-contract.js.map

package/dist/contract/kernel-contract.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"kernel-contract.js","sourceRoot":"","sources":["../../src/contract/kernel-contract.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,yEAAyE;AACzE,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAU,CAAA;AAG1C,gFAAgF;AAChF,MAAM,CAAC,MAAM,gBAAgB,GAAG,aAAsB,CAAA;AAEtD,2BAA2B;AAC3B,MAAM,CAAC,MAAM,aAAa,GAAG,SAAkB,CAAA"}

package/dist/contract/kernel-stub.d.ts

@@ -1,44 +0,0 @@
-/**
- * ─────────────────────────────────────────────────────────────────────────────
- * VerdictKernel — LOCAL STUB (delete on publish; mirrors @certrev/cert-contract)
- * ─────────────────────────────────────────────────────────────────────────────
- *
- * A faithful, self-contained implementation of the cert-contract VerdictKernel so the
- * SDK's verify layer + tests run NOW, before `@certrev/cert-contract` publishes to a
- * registry this workspace installs from. The behavior is identical to the real kernel:
- *   • Ed25519 detached signature verified over the RFC-8785 (JCS) canonical bytes of
- *     `payload` (lexicographic key order, minimal whitespace, UTF-8).
- *   • Fail-closed pipeline: shape → alg → kid → signature → platform → subject →
- *     revoked → expired → drift → render. Any failure short-circuits to `suppress`.
- *   • Never throws on a bad envelope — a malformed input / throwing resolver fails
- *     closed to `suppress`, not to an exception a caller might swallow into a render.
- *
- * The byte-identical canonicalization across PHP / Node is what makes the credential
- * portable; here we hand-roll a deterministic JCS serializer (sufficient for the
- * envelope's all-string/number/bool/array/object shape — no exotic numbers) so the SDK
- * carries no production crypto-canonicalization of its own that could DRIFT from the
- * contract. On publish, the real `canonicalize` (RFC 8785) from cert-contract is used.
- *
- * INTEGRATION: delete this file + `./kernel-contract.ts`; import `verifyEnvelope`,
- * `renderVerdict`, `verifySignatureOnly`, `toEd25519PublicKey` from
- * `@certrev/cert-contract`. See README "Integration TODOs".
- */
-import { type KeyObject } from 'node:crypto';
-import type { CertDeliveryEnvelope, CertPayload, CertSuppressReason, CertVerdict, Ed25519PublicKeyInput, RenderContext, ResolvePublicKeyByKid } from './kernel-contract.js';
-/** Mirror of cert-contract's `toEd25519PublicKey` for the input encodings the SDK uses. */
-declare function toEd25519PublicKey(input: Ed25519PublicKeyInput): KeyObject;
-type CryptoResult = {
-    ok: true;
-} | {
-    ok: false;
-    reason: CertSuppressReason;
-};
-/** Phase-2-only policy verdict over an already-authentic payload. Pure + synchronous. */
-export declare function renderVerdict(payload: CertPayload, ctx: RenderContext): CertVerdict;
-/** Phase-1-only cryptographic verification. */
-export declare function verifySignatureOnly(envelope: CertDeliveryEnvelope, resolveKid: ResolvePublicKeyByKid): Promise<CryptoResult>;
-/** Full kernel: verify signature, then apply policy. Fail-closed, never throws. */
-export declare function verifyEnvelope(envelope: CertDeliveryEnvelope, resolveKid: ResolvePublicKeyByKid, ctx: RenderContext): Promise<CertVerdict>;
-/** Re-export for tests that need to build a public key from raw/spki bytes. */
-export { toEd25519PublicKey };
-//# sourceMappingURL=kernel-stub.d.ts.map

package/dist/contract/kernel-stub.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"kernel-stub.d.ts","sourceRoot":"","sources":["../../src/contract/kernel-stub.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,EAAmB,KAAK,SAAS,EAAwB,MAAM,aAAa,CAAA;AACnF,OAAO,KAAK,EACX,oBAAoB,EACpB,WAAW,EACX,kBAAkB,EAClB,WAAW,EACX,qBAAqB,EACrB,aAAa,EACb,qBAAqB,EACrB,MAAM,sBAAsB,CAAA;AA4C7B,2FAA2F;AAC3F,iBAAS,kBAAkB,CAAC,KAAK,EAAE,qBAAqB,GAAG,SAAS,CAkBnE;AAUD,KAAK,YAAY,GAAG;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,kBAAkB,CAAA;CAAE,CAAA;AA6B5E,yFAAyF;AACzF,wBAAgB,aAAa,CAAC,OAAO,EAAE,WAAW,EAAE,GAAG,EAAE,aAAa,GAAG,WAAW,CAoBnF;AAED,+CAA+C;AAC/C,wBAAsB,mBAAmB,CACxC,QAAQ,EAAE,oBAAoB,EAC9B,UAAU,EAAE,qBAAqB,GAC/B,OAAO,CAAC,YAAY,CAAC,CAEvB;AAED,mFAAmF;AACnF,wBAAsB,cAAc,CACnC,QAAQ,EAAE,oBAAoB,EAC9B,UAAU,EAAE,qBAAqB,EACjC,GAAG,EAAE,aAAa,GAChB,OAAO,CAAC,WAAW,CAAC,CAWtB;AAED,+EAA+E;AAC/E,OAAO,EAAE,kBAAkB,EAAE,CAAA"}

package/dist/contract/kernel-stub.js

@@ -1,163 +0,0 @@
-/**
- * ─────────────────────────────────────────────────────────────────────────────
- * VerdictKernel — LOCAL STUB (delete on publish; mirrors @certrev/cert-contract)
- * ─────────────────────────────────────────────────────────────────────────────
- *
- * A faithful, self-contained implementation of the cert-contract VerdictKernel so the
- * SDK's verify layer + tests run NOW, before `@certrev/cert-contract` publishes to a
- * registry this workspace installs from. The behavior is identical to the real kernel:
- *   • Ed25519 detached signature verified over the RFC-8785 (JCS) canonical bytes of
- *     `payload` (lexicographic key order, minimal whitespace, UTF-8).
- *   • Fail-closed pipeline: shape → alg → kid → signature → platform → subject →
- *     revoked → expired → drift → render. Any failure short-circuits to `suppress`.
- *   • Never throws on a bad envelope — a malformed input / throwing resolver fails
- *     closed to `suppress`, not to an exception a caller might swallow into a render.
- *
- * The byte-identical canonicalization across PHP / Node is what makes the credential
- * portable; here we hand-roll a deterministic JCS serializer (sufficient for the
- * envelope's all-string/number/bool/array/object shape — no exotic numbers) so the SDK
- * carries no production crypto-canonicalization of its own that could DRIFT from the
- * contract. On publish, the real `canonicalize` (RFC 8785) from cert-contract is used.
- *
- * INTEGRATION: delete this file + `./kernel-contract.ts`; import `verifyEnvelope`,
- * `renderVerdict`, `verifySignatureOnly`, `toEd25519PublicKey` from
- * `@certrev/cert-contract`. See README "Integration TODOs".
- */
-import { createPublicKey, verify as nodeVerify } from 'node:crypto';
-import { CONTRACT_VERSION, SIGNATURE_ALG } from './kernel-contract.js';
-// ── RFC-8785 (JCS) canonicalization — minimal, deterministic, envelope-shaped ─────
-/**
- * Serialize a JSON value to its RFC-8785 canonical string form: object keys sorted by
- * UTF-16 code unit, no insignificant whitespace, JSON string escaping. The payload is
- * all strings / finite numbers / booleans / null / arrays / objects, so we do NOT need
- * the full ECMAScript number-formatting machinery the production `canonicalize` package
- * implements — integers + ISO strings serialize identically either way. This stub
- * exists only so tests run; the published path uses cert-contract's vetted JCS.
- */
-function jcs(value) {
-    if (value === null)
-        return 'null';
-    const t = typeof value;
-    if (t === 'string')
-        return JSON.stringify(value);
-    if (t === 'number') {
-        if (!Number.isFinite(value))
-            throw new Error('jcs: non-finite number');
-        return JSON.stringify(value);
-    }
-    if (t === 'boolean')
-        return value ? 'true' : 'false';
-    if (Array.isArray(value)) {
-        return `[${value.map((v) => jcs(v)).join(',')}]`;
-    }
-    if (t === 'object') {
-        const obj = value;
-        const keys = Object.keys(obj)
-            .filter((k) => obj[k] !== undefined)
-            .sort();
-        return `{${keys.map((k) => `${JSON.stringify(k)}:${jcs(obj[k])}`).join(',')}}`;
-    }
-    throw new Error(`jcs: unsupported value type ${t}`);
-}
-function canonicalPayloadBytes(payload) {
-    return new TextEncoder().encode(jcs(payload));
-}
-function base64urlDecode(s) {
-    return new Uint8Array(Buffer.from(s, 'base64url'));
-}
-const RAW_SPKI_PREFIX = Uint8Array.from([0x30, 0x2a, 0x30, 0x05, 0x06, 0x03, 0x2b, 0x65, 0x70, 0x03, 0x21, 0x00]);
-/** Mirror of cert-contract's `toEd25519PublicKey` for the input encodings the SDK uses. */
-function toEd25519PublicKey(input) {
-    switch (input.format) {
-        case 'pem':
-            return createPublicKey({ key: input.pem, format: 'pem' });
-        case 'spki-base64':
-            return createPublicKey({ key: Buffer.from(input.base64, 'base64'), format: 'der', type: 'spki' });
-        case 'spki-der':
-            return createPublicKey({ key: Buffer.from(input.bytes), format: 'der', type: 'spki' });
-        case 'raw': {
-            if (input.bytes.length !== 32) {
-                throw new Error(`ed25519 raw public key must be 32 bytes, got ${input.bytes.length}`);
-            }
-            const spki = new Uint8Array(RAW_SPKI_PREFIX.length + 32);
-            spki.set(RAW_SPKI_PREFIX, 0);
-            spki.set(input.bytes, RAW_SPKI_PREFIX.length);
-            return createPublicKey({ key: Buffer.from(spki), format: 'der', type: 'spki' });
-        }
-    }
-}
-function verifyDetached(payload, sigBase64url, publicKey) {
-    try {
-        return nodeVerify(null, canonicalPayloadBytes(payload), publicKey, base64urlDecode(sigBase64url));
-    }
-    catch {
-        return false;
-    }
-}
-async function verifyCryptographic(envelope, resolveKid) {
-    const { payload, signature } = envelope ?? {};
-    if (!payload || !signature || payload.contractVersion !== CONTRACT_VERSION) {
-        return { ok: false, reason: 'unsupported_contract_version' };
-    }
-    if (signature.alg !== SIGNATURE_ALG) {
-        return { ok: false, reason: 'unsupported_alg' };
-    }
-    const resolved = await resolveKid(signature.kid);
-    if (!resolved) {
-        return { ok: false, reason: 'unknown_key' };
-    }
-    let key;
-    try {
-        key = toEd25519PublicKey(resolved);
-    }
-    catch {
-        return { ok: false, reason: 'unknown_key' };
-    }
-    if (!verifyDetached(payload, signature.sig, key)) {
-        return { ok: false, reason: 'invalid_signature' };
-    }
-    return { ok: true };
-}
-/** Phase-2-only policy verdict over an already-authentic payload. Pure + synchronous. */
-export function renderVerdict(payload, ctx) {
-    const now = ctx.now ?? new Date();
-    if (payload.subject.platform !== ctx.platform) {
-        return { decision: 'suppress', reason: 'platform_mismatch' };
-    }
-    if (payload.subject.externalId !== ctx.externalId) {
-        return { decision: 'suppress', reason: 'subject_mismatch' };
-    }
-    if (payload.lifecycle.revokedAt !== null) {
-        return { decision: 'suppress', reason: 'revoked' };
-    }
-    if (now.getTime() >= Date.parse(payload.lifecycle.expiresAt)) {
-        return { decision: 'suppress', reason: 'expired' };
-    }
-    const bound = payload.subject.contentDigest;
-    const live = ctx.liveContentHash;
-    if (bound !== null && live != null && bound !== live) {
-        return { decision: 'suppress', reason: 'content_drift' };
-    }
-    return { decision: 'render', payload };
-}
-/** Phase-1-only cryptographic verification. */
-export async function verifySignatureOnly(envelope, resolveKid) {
-    return verifyCryptographic(envelope, resolveKid);
-}
-/** Full kernel: verify signature, then apply policy. Fail-closed, never throws. */
-export async function verifyEnvelope(envelope, resolveKid, ctx) {
-    let crypto;
-    try {
-        crypto = await verifyCryptographic(envelope, resolveKid);
-    }
-    catch {
-        return { decision: 'suppress', reason: 'unknown_key' };
-    }
-    if (!crypto.ok) {
-        return { decision: 'suppress', reason: crypto.reason };
-    }
-    return renderVerdict(envelope.payload, ctx);
-}
-/** Re-export for tests that need to build a public key from raw/spki bytes. */
-export { toEd25519PublicKey };
-//# sourceMappingURL=kernel-stub.js.map

package/dist/contract/kernel-stub.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"kernel-stub.js","sourceRoot":"","sources":["../../src/contract/kernel-stub.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,EAAE,eAAe,EAAkB,MAAM,IAAI,UAAU,EAAE,MAAM,aAAa,CAAA;AAUnF,OAAO,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AAEtE,qFAAqF;AACrF;;;;;;;GAOG;AACH,SAAS,GAAG,CAAC,KAAc;IAC1B,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,MAAM,CAAA;IACjC,MAAM,CAAC,GAAG,OAAO,KAAK,CAAA;IACtB,IAAI,CAAC,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;IAChD,IAAI,CAAC,KAAK,QAAQ,EAAE,CAAC;QACpB,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAe,CAAC;YAAE,MAAM,IAAI,KAAK,CAAC,wBAAwB,CAAC,CAAA;QAChF,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;IAC7B,CAAC;IACD,IAAI,CAAC,KAAK,SAAS;QAAE,OAAQ,KAAiB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAA;IACjE,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,IAAI,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAA;IACjD,CAAC;IACD,IAAI,CAAC,KAAK,QAAQ,EAAE,CAAC;QACpB,MAAM,GAAG,GAAG,KAAgC,CAAA;QAC5C,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC;aAC3B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,SAAS,CAAC;aACnC,IAAI,EAAE,CAAA;QACR,OAAO,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAA;IAC/E,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,EAAE,CAAC,CAAA;AACpD,CAAC;AAED,SAAS,qBAAqB,CAAC,OAAoB;IAClD,OAAO,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAA;AAC9C,CAAC;AAED,SAAS,eAAe,CAAC,CAAS;IACjC,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,CAAA;AACnD,CAAC;AAED,MAAM,eAAe,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC,CAAA;AAEjH,2FAA2F;AAC3F,SAAS,kBAAkB,CAAC,KAA4B;IACvD,QAAQ,KAAK,CAAC,MAAM,EAAE,CAAC;QACtB,KAAK,KAAK;YACT,OAAO,eAAe,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAA;QAC1D,KAAK,aAAa;YACjB,OAAO,eAAe,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,QAAQ,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAA;QAClG,KAAK,UAAU;YACd,OAAO,eAAe,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAA;QACvF,KAAK,KAAK,CAAC,CAAC,CAAC;YACZ,IAAI,KAAK,CAAC,KAAK,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;gBAC/B,MAAM,IAAI,KAAK,CAAC,gDAAgD,KAAK,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAA;YACtF,CAAC;YACD,MAAM,IAAI,GAAG,IAAI,UAAU,CAAC,eAAe,CAAC,MAAM,GAAG,EAAE,CAAC,CAAA;YACxD,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC,CAAC,CAAA;YAC5B,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,EAAE,eAAe,CAAC,MAAM,CAAC,CAAA;YAC7C,OAAO,eAAe,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAA;QAChF,CAAC;IACF,CAAC;AACF,CAAC;AAED,SAAS,cAAc,CAAC,OAAoB,EAAE,YAAoB,EAAE,SAAoB;IACvF,IAAI,CAAC;QACJ,OAAO,UAAU,CAAC,IAAI,EAAE,qBAAqB,CAAC,OAAO,CAAC,EAAE,SAAS,EAAE,eAAe,CAAC,YAAY,CAAC,CAAC,CAAA;IAClG,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,KAAK,CAAA;IACb,CAAC;AACF,CAAC;AAID,KAAK,UAAU,mBAAmB,CACjC,QAA8B,EAC9B,UAAiC;IAEjC,MAAM,EAAE,OAAO,EAAE,SAAS,EAAE,GAAG,QAAQ,IAAK,EAA2B,CAAA;IACvE,IAAI,CAAC,OAAO,IAAI,CAAC,SAAS,IAAI,OAAO,CAAC,eAAe,KAAK,gBAAgB,EAAE,CAAC;QAC5E,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAA;IAC7D,CAAC;IACD,IAAI,SAAS,CAAC,GAAG,KAAK,aAAa,EAAE,CAAC;QACrC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAA;IAChD,CAAC;IACD,MAAM,QAAQ,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,GAAG,CAAC,CAAA;IAChD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACf,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,CAAA;IAC5C,CAAC;IACD,IAAI,GAAc,CAAA;IAClB,IAAI,CAAC;QACJ,GAAG,GAAG,kBAAkB,CAAC,QAAQ,CAAC,CAAA;IACnC,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,CAAA;IAC5C,CAAC;IACD,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,SAAS,CAAC,GAAG,EAAE,GAAG,CAAC,EAAE,CAAC;QAClD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAA;IAClD,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAA;AACpB,CAAC;AAED,yFAAyF;AACzF,MAAM,UAAU,aAAa,CAAC,OAAoB,EAAE,GAAkB;IACrE,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,IAAI,IAAI,IAAI,EAAE,CAAA;IACjC,IAAI,OAAO,CAAC,OAAO,CAAC,QAAQ,KAAK,GAAG,CAAC,QAAQ,EAAE,CAAC;QAC/C,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAA;IAC7D,CAAC;IACD,IAAI,OAAO,CAAC,OAAO,CAAC,UAAU,KAAK,GAAG,CAAC,UAAU,EAAE,CAAC;QACnD,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAA;IAC5D,CAAC;IACD,IAAI,OAAO,CAAC,SAAS,CAAC,SAAS,KAAK,IAAI,EAAE,CAAC;QAC1C,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,CAAA;IACnD,CAAC;IACD,IAAI,GAAG,CAAC,OAAO,EAAE,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,CAAC;QAC9D,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,CAAA;IACnD,CAAC;IACD,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,aAAa,CAAA;IAC3C,MAAM,IAAI,GAAG,GAAG,CAAC,eAAe,CAAA;IAChC,IAAI,KAAK,KAAK,IAAI,IAAI,IAAI,IAAI,IAAI,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QACtD,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,eAAe,EAAE,CAAA;IACzD,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAA;AACvC,CAAC;AAED,+CAA+C;AAC/C,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACxC,QAA8B,EAC9B,UAAiC;IAEjC,OAAO,mBAAmB,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAA;AACjD,CAAC;AAED,mFAAmF;AACnF,MAAM,CAAC,KAAK,UAAU,cAAc,CACnC,QAA8B,EAC9B,UAAiC,EACjC,GAAkB;IAElB,IAAI,MAAoB,CAAA;IACxB,IAAI,CAAC;QACJ,MAAM,GAAG,MAAM,mBAAmB,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAA;IACzD,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,aAAa,EAAE,CAAA;IACvD,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,EAAE,EAAE,CAAC;QAChB,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,CAAA;IACvD,CAAC;IACD,OAAO,aAAa,CAAC,QAAQ,CAAC,OAAO,EAAE,GAAG,CAAC,CAAA;AAC5C,CAAC;AAED,+EAA+E;AAC/E,OAAO,EAAE,kBAAkB,EAAE,CAAA"}