@certrev/cert-block 0.1.0 → 0.1.2

package/src/__tests__/verify.test.ts

@@ -119,6 +119,42 @@ describe('getVerifiedEnvelope — metafield source', () => {
 		})
 		expect(verdict.decision).toBe('suppress')
 	})
+
+	it('DISTINCT metafield envelopes at one placement do NOT collide on a shared cache (value-keyed)', async () => {
+		// Regression: the metafield cache key must include a hash of the envelope value, else
+		// the first verdict (render) is served for a later, DIFFERENT envelope — a fail-closed
+		// violation (an unverified/tampered credential rendered). Here a valid + a tampered
+		// envelope share the SAME resolver, context, and cache; each must get its own verdict.
+		const { envelope, resolveKid } = makeSignedEnvelope()
+		const tampered: CertDeliveryEnvelope = {
+			...envelope,
+			payload: {
+				...envelope.payload,
+				content: {
+					...envelope.payload.content,
+					expert: { ...envelope.payload.content.expert, displayName: 'Dr. Forged' },
+				},
+			},
+		}
+		const cache = new TtlCache<import('../contract/kernel.js').CertVerdict>()
+		const ctx = { ...RENDER_CTX, now: new Date('2026-06-22T00:00:00Z') }
+
+		const validVerdict = await getVerifiedEnvelope({
+			source: { kind: 'metafield', value: envelope },
+			resolveKid,
+			context: ctx,
+			cache,
+		})
+		const tamperedVerdict = await getVerifiedEnvelope({
+			source: { kind: 'metafield', value: tampered },
+			resolveKid,
+			context: ctx,
+			cache,
+		})
+
+		expect(validVerdict.decision).toBe('render')
+		expect(tamperedVerdict).toEqual({ decision: 'suppress', reason: 'invalid_signature' })
+	})
 })
 
 describe('getVerifiedEnvelope — Delivery API source', () => {

package/src/builder/__tests__/builder.test.tsx

@@ -0,0 +1,81 @@
+/**
+ * SSR-render tests for the Builder.io adapter (`@certrev/cert-block/builder`), exercised
+ * through `react-dom/server`'s `renderToStaticMarkup` — the same path Hydrogen/Next use to
+ * produce crawlable HTML on the edge. These prove the adapter's load-bearing contract:
+ *
+ *   • a render-verdict placement renders the in-DOM cert badge (crawlable);
+ *   • EVERY non-render path — suppress verdict, unknown placement, missing placementId —
+ *     renders NOTHING (fail-closed survives the CMS boundary);
+ *   • when one Content tree mixes a valid + a revoked placement (the /builder-cert proof
+ *     shape), only the valid one renders.
+ *
+ * Authority comes solely from the loader-supplied verdict in <CertVerifyProvider>; the
+ * `placementId` is an opaque pointer the CMS cannot use to manufacture a badge.
+ */
+import { renderToStaticMarkup } from 'react-dom/server'
+import { describe, expect, it } from 'vitest'
+import { makeMockPayload } from '../../contract/fixtures.js'
+import type { CertVerdict } from '../../contract/kernel.js'
+import { CertReviewBlock, CertVerifyProvider, certReviewBuilderComponent, type VerifiedPlacements } from '../index.js'
+
+const renderVerdict: CertVerdict = { decision: 'render', payload: makeMockPayload() }
+const suppressVerdict: CertVerdict = { decision: 'suppress', reason: 'revoked' }
+
+function renderBlock(placements: VerifiedPlacements, placementId?: string): string {
+	return renderToStaticMarkup(
+		<CertVerifyProvider value={placements}>
+			<CertReviewBlock placementId={placementId} />
+		</CertVerifyProvider>,
+	)
+}
+
+describe('Builder adapter — registration', () => {
+	it('registers as "CertREV Review" with a single required string `placementId` input', () => {
+		expect(certReviewBuilderComponent.name).toBe('CertREV Review')
+		expect(certReviewBuilderComponent.component).toBe(CertReviewBlock)
+		const input = certReviewBuilderComponent.inputs?.find((i) => i.name === 'placementId')
+		expect(input).toBeDefined()
+		expect(input?.required).toBe(true)
+		expect(input?.type).toBe('string')
+	})
+})
+
+describe('Builder adapter — CertReviewBlock render', () => {
+	it('renders the verified badge for a render-verdict placement (in-DOM, crawlable)', () => {
+		const html = renderBlock({ 'p-valid': { verdict: renderVerdict, pageUrl: 'https://brand.example.com/a' } }, 'p-valid')
+		expect(html).toContain('certrev-badge')
+		expect(html).toContain('Dr. Jane Doe')
+		expect(html).toContain('data-certrev-cert-id="cert_fixture_001"')
+	})
+
+	it('FAIL-CLOSED: a suppress-verdict placement renders nothing', () => {
+		expect(renderBlock({ 'p-revoked': { verdict: suppressVerdict } }, 'p-revoked')).toBe('')
+	})
+
+	it('FAIL-CLOSED: an unknown placementId renders nothing', () => {
+		expect(renderBlock({ 'p-valid': { verdict: renderVerdict } }, 'p-not-here')).toBe('')
+	})
+
+	it('FAIL-CLOSED: a missing placementId renders nothing', () => {
+		expect(renderBlock({ 'p-valid': { verdict: renderVerdict } }, undefined)).toBe('')
+	})
+
+	it('mixed content (valid + revoked in one Content tree): only the valid placement renders', () => {
+		const placements: VerifiedPlacements = {
+			'p-valid': { verdict: renderVerdict, pageUrl: 'https://brand.example.com/a' },
+			'p-revoked': { verdict: suppressVerdict },
+		}
+		const html = renderToStaticMarkup(
+			<CertVerifyProvider value={placements}>
+				<div id="valid-block">
+					<CertReviewBlock placementId="p-valid" />
+				</div>
+				<div id="revoked-block">
+					<CertReviewBlock placementId="p-revoked" />
+				</div>
+			</CertVerifyProvider>,
+		)
+		expect(html).toContain('certrev-badge') // valid rendered
+		expect(html).toContain('<div id="revoked-block"></div>') // revoked empty — fail-closed through the CMS
+	})
+})

package/src/builder/index.tsx

@@ -0,0 +1,100 @@
+/**
+ * @certrev/cert-block/builder — the Builder.io adapter for the cert-block render edge.
+ *
+ * Lets a Builder.io content editor place a "CertREV Review" block into a page; the
+ * headless app's loader (Hydrogen/Next/Remix) crypto-verifies that placement's signed
+ * envelope and supplies the verdict via React context; this block renders cert-block's
+ * <CertReview> from the VERIFIED verdict — and renders NOTHING (fail-closed) on any
+ * suppress or unknown placement.
+ *
+ * THE TRUST BOUNDARY: the credential is never trusted from CMS content. A Builder block
+ * only carries an opaque `placementId` pointer; the authority comes solely from the
+ * loader-side WebCrypto verdict supplied through <CertVerifyProvider>. So a revoked /
+ * tampered / expired / wrong-subject placement that an editor drops into Builder renders
+ * nothing, even though the block is present in the published content.
+ *
+ * cert-block carries NO dependency on `@builder.io/sdk-react` — the registration's shape is
+ * declared structurally below, so the emitted JS pulls no Builder code and the type resolves
+ * without Builder installed. The consumer (who already has Builder) passes
+ * `certReviewBuilderComponent` to Builder's `<Content customComponents={[...]}>`; it is
+ * assignable to Builder's `RegisteredComponent` there.
+ */
+import { createContext, type ReactNode, useContext } from 'react'
+import { CertReview } from '../components/CertReview.js'
+import type { CertVerdict } from '../contract/kernel.js'
+
+/** A loader-verified placement: the verdict cert-block renders from, plus the canonical
+ *  page URL for JSON-LD @id alignment. */
+export interface VerifiedPlacement {
+	readonly verdict: CertVerdict
+	readonly pageUrl?: string
+}
+
+/** Map of `placementId` → the loader's verified result. Built server-side in the loader
+ *  (it crypto-verifies each placement) and handed to <CertVerifyProvider>. */
+export type VerifiedPlacements = Record<string, VerifiedPlacement>
+
+const CertVerifyContext = createContext<VerifiedPlacements>({})
+
+/** Wraps Builder's <Content>; carries the loader's verified verdicts down to every
+ *  CertReview block, keyed by `placementId`. */
+export function CertVerifyProvider({
+	value,
+	children,
+}: {
+	readonly value: VerifiedPlacements
+	readonly children: ReactNode
+}) {
+	return <CertVerifyContext.Provider value={value}>{children}</CertVerifyContext.Provider>
+}
+
+export interface CertReviewBlockProps {
+	/** The CertREV placement id the editor set on this Builder block. */
+	readonly placementId?: string
+}
+
+/**
+ * The component Builder renders for a "CertREV Review" block. It pulls the loader-verified
+ * verdict for its `placementId` from context and renders <CertReview>. Unknown placement
+ * OR a non-`render` verdict → renders nothing. cert-block's <CertReview> ALSO suppresses on
+ * a non-render verdict, so the boundary fails closed twice over (defense in depth).
+ */
+export function CertReviewBlock({ placementId }: CertReviewBlockProps) {
+	const placements = useContext(CertVerifyContext)
+	const placement = placementId ? placements[placementId] : undefined
+	if (!placement) return null
+	return <CertReview verdict={placement.verdict} pageUrl={placement.pageUrl} />
+}
+
+/**
+ * Structural shape of `@builder.io/sdk-react`'s `RegisteredComponent` — exactly the subset
+ * cert-block populates. Declared locally (not imported) so cert-block needs no Builder
+ * build- or runtime-dependency; the object below is assignable to Builder's
+ * `RegisteredComponent` at the consumer's `<Content customComponents={[...]}>` call site.
+ */
+export interface CertReviewBuilderRegistration {
+	component: typeof CertReviewBlock
+	name: string
+	inputs: Array<{ name: string; type: 'string'; required?: boolean; helperText?: string }>
+}
+
+/**
+ * The registration object to pass to Builder's `<Content customComponents={[...]}>`.
+ * Editors see a "CertREV Review" component with one input — the placement id. Because the
+ * block is matched by NAME at render time, this also works for content created via the
+ * Builder Write API (no visual-editor registration required for rendering).
+ */
+export const certReviewBuilderComponent: CertReviewBuilderRegistration = {
+	component: CertReviewBlock,
+	name: 'CertREV Review',
+	inputs: [
+		{
+			name: 'placementId',
+			type: 'string',
+			required: true,
+			helperText:
+				'CertREV placement id (which certified article this badge attests). The headless ' +
+				'loader verifies that placement’s signed envelope; only a render-verdict shows a badge.',
+		},
+	],
+}

package/src/contract/fixtures.ts

@@ -16,14 +16,17 @@
  * end-to-end under the production `verifyEnvelope`, not a stand-in canonicalizer.
  */
 
-import { generateKeyPairSync, type KeyObject, sign as nodeSign } from 'node:crypto'
-import {
-	canonicalPayloadBytes,
-	type CertDeliveryEnvelope,
-	type CertPayload,
-	type Ed25519PublicKeyInput,
-	type ResolvePublicKeyByKid,
+import { generateKeyPairSync, type KeyObject } from 'node:crypto'
+import type {
+	CertDeliveryEnvelope,
+	CertPayload,
+	Ed25519PublicKeyInput,
+	ResolvePublicKeyByKid,
 } from '@certrev/cert-contract'
+// SIGN is Node-only and lives on the contract's signer subpath. Fixtures are themselves
+// Node-only (they stand in for the issuer) and ship from the './fixtures' subpath, so the
+// SDK's edge-safe main entry never pulls a Node builtin.
+import { signPayloadEd25519 } from '@certrev/cert-contract/signer'
 
 const FIXTURE_KID = 'certrev-fixture-key-1'
 
@@ -89,8 +92,9 @@ export interface SignedEnvelopeFixture {
 export function makeSignedEnvelope(overrides: Partial<CertPayload> = {}, kid = FIXTURE_KID): SignedEnvelopeFixture {
 	const { publicKey, privateKey } = generateKeyPairSync('ed25519')
 	const payload = makeMockPayload(overrides)
-	const bytes = canonicalPayloadBytes(payload)
-	const sig = nodeSign(null, bytes, privateKey).toString('base64url')
+	// Sign the RFC-8785 canonical bytes via the contract's signer — the SAME bytes the
+	// edge-safe kernel recomputes on verify, so the fixture verifies end-to-end.
+	const sig = signPayloadEd25519(payload, privateKey)
 
 	const envelope: CertDeliveryEnvelope = {
 		payload,

package/src/contract/kernel.ts

@@ -7,8 +7,8 @@
  * never directly from `@certrev/cert-contract`, so the whole SDK's dependency on the
  * contract is funnelled through one module. The published package owns the envelope types
  * (`CertDeliveryEnvelope`, `CertPayload`, `CertCredential`, …), the RFC-8785
- * canonicalization (`canonicalPayloadBytes`), and the fail-closed kernel (`verifyEnvelope`,
- * `renderVerdict`, `verifySignatureOnly`, `toEd25519PublicKey`).
+ * canonicalization (`canonicalPayloadBytes`), and the fail-closed WebCrypto kernel
+ * (`verifyEnvelope`, `renderVerdict`, `verifySignatureOnly`, `importEd25519PublicKey`).
  *
  * `VerdictKernel` is the ONE name NOT re-exported from the package: the contract exposes
  * the kernel as free functions, and different edges bundle them with different key-resolver

package/src/index.ts

@@ -8,11 +8,16 @@
  *     graph, mergeable by @id (won't collide with Yoast).
  *   • Verify layer — `getVerifiedEnvelope` (fetch from metafield OR Delivery API + run
  *     the fail-closed VerdictKernel + cache), kid resolvers, the TTL/single-flight cache.
- *   • Contract types — re-exported from `@certrev/cert-contract` (stubbed locally until
- *     that package publishes; see the contract binding point in ./contract/kernel).
+ *   • Contract types — re-exported from `@certrev/cert-contract` (the binding point in
+ *     ./contract/kernel).
  *
- * The Web Component (`<certrev-badge>`) ships from the './webcomponent' subpath export so
- * importing the main entry doesn't touch `customElements` (which is undefined server-side).
+ * EDGE-RUNTIME SAFE. This main entry imports NO `node:crypto` and uses NO `Buffer`, so it
+ * loads + runs on edge/Workers runtimes (Shopify Oxygen, Cloudflare Workers, Vercel Edge).
+ * Two things are deliberately kept OFF this entry:
+ *   • the Web Component (`<certrev-badge>`) → './webcomponent' subpath (touches
+ *     `customElements`, undefined server-side);
+ *   • the Node-only test/dev fixtures (`makeSignedEnvelope`, which signs with `node:crypto`)
+ *     → './fixtures' subpath. Importing the main entry must never pull a Node builtin.
  */
 
 // ── React components ──────────────────────────────────────────────────────────────
@@ -31,9 +36,9 @@ export {
 	type ResolvedDisplay,
 	resolveDisplay,
 } from './components/format.js'
-// ── Test/dev fixtures (mock facts + signed-envelope generator) ─────────────────────
-export { FIXTURE_KID, makeMockPayload, makeSignedEnvelope, type SignedEnvelopeFixture } from './contract/fixtures.js'
 // ── Contract surface (types + kernel) — re-export the binding point ────────────────
+// NOTE: the test/dev fixtures (makeSignedEnvelope, makeMockPayload, FIXTURE_KID) are
+// Node-only (they sign with node:crypto) and ship from the './fixtures' subpath, NOT here.
 export {
 	CANONICALIZATION,
 	type CertContent,

package/src/verify/get-verified-envelope.ts

@@ -80,14 +80,39 @@ function deliveryApiUrl(s: Extract<EnvelopeSource, { kind: 'delivery_api' }>): s
 	return `${base}/api/cert/v1/delivery/${encodeURIComponent(s.platform)}/${encodeURIComponent(s.externalId)}`
 }
 
-/** Stable cache key per (source identity × render externalId). */
+/**
+ * A short, fast, NON-cryptographic string hash (FNV-1a, 32-bit) — used ONLY to disambiguate
+ * cache keys, never for security. Edge-safe (no node:crypto). Distinct envelope values for
+ * the same placement must produce distinct keys so a push update (or, in tests/proofs,
+ * verifying several different envelopes against one render context) can't be served a stale
+ * verdict for a different envelope.
+ */
+function fnv1a(s: string): string {
+	let h = 0x811c9dc5
+	for (let i = 0; i < s.length; i++) {
+		h ^= s.charCodeAt(i)
+		// 32-bit FNV prime multiply via shifts (stays in 32-bit unsigned)
+		h = (h + ((h << 1) + (h << 4) + (h << 7) + (h << 8) + (h << 24))) >>> 0
+	}
+	return h.toString(16).padStart(8, '0')
+}
+
+/** A stable string form of the metafield value for hashing (parsed → canonical-ish JSON). */
+function metafieldValueKey(value: CertDeliveryEnvelope | string | null | undefined): string {
+	if (value == null) return 'null'
+	const s = typeof value === 'string' ? value : JSON.stringify(value)
+	return fnv1a(s)
+}
+
+/** Stable cache key per (source identity × render externalId × envelope value). */
 function cacheKey(source: EnvelopeSource, ctx: RenderContext): string {
 	if (source.kind === 'delivery_api') {
 		return `api:${source.platform}:${source.externalId}`
 	}
-	// Metafield: key on the rendering identity (the value is already in hand; the verdict
-	// still depends on context). Include a short hash of the value to bust on push update.
-	return `mf:${ctx.platform}:${ctx.externalId}`
+	// Metafield: key on the rendering identity AND a short hash of the envelope value, so a
+	// push update (new envelope at the same placement) busts the entry, and verifying
+	// different envelopes against one render context never collides on a stale verdict.
+	return `mf:${ctx.platform}:${ctx.externalId}:${metafieldValueKey(source.value)}`
 }
 
 async function fetchFromDeliveryApi(

package/src/verify/resolve-kid.ts

@@ -17,6 +17,7 @@
  * Ed25519 `x` (base64url raw key).
  */
 
+import { base64urlDecode } from '@certrev/cert-contract'
 import type { Ed25519PublicKeyInput, ResolvePublicKeyByKid } from '../contract/kernel.js'
 import { TtlCache } from './cache.js'
 
@@ -52,8 +53,9 @@ interface PublishedKeySetDoc {
 	readonly keys: ReadonlyArray<PublishedJwk>
 }
 
+// Runtime-agnostic base64url decode from the contract (no `Buffer` — edge/Workers safe).
 function base64urlToBytes(b64url: string): Uint8Array {
-	return new Uint8Array(Buffer.from(b64url, 'base64url'))
+	return base64urlDecode(b64url)
 }
 
 function jwkToInput(jwk: PublishedJwk): Ed25519PublicKeyInput | null {

package/dist/contract/kernel-contract.d.ts

@@ -1,154 +0,0 @@
-/**
- * ─────────────────────────────────────────────────────────────────────────────
- * @certrev/cert-contract — INTERFACE STUB (delete on publish; see INTEGRATION below)
- * ─────────────────────────────────────────────────────────────────────────────
- *
- * The shared `CertDeliveryEnvelope` types + the fail-closed `VerdictKernel` live in
- * the published `@certrev/cert-contract` package. That package is not yet on a registry
- * this workspace can `pnpm install` from (it ships `file:`/workspace-only today), so
- * `@certrev/cert-block` imports the contract surface from THIS local interface module
- * instead. The types here are a byte-for-byte mirror of `cert-contract`'s `types.ts`
- * (the settled, panel-revised shape: structured FACTS, no rendered JSON-LD in the
- * payload; `subject` carries `logicalArticleId`, `canonicalUrls[]`, `installationId`,
- * `contentDigest`).
- *
- * INTEGRATION (when @certrev/cert-contract publishes — see README "Integration TODOs"):
- *   1. Delete this file and `./kernel-stub.ts`.
- *   2. Replace every `from '../contract/kernel-contract.js'` with
- *      `from '@certrev/cert-contract'`.
- *   3. The exported names here are deliberately identical to cert-contract's exports
- *      (`CertDeliveryEnvelope`, `CertPayload`, `CertVerdict`, `verifyEnvelope`,
- *      `renderVerdict`, `verifySignatureOnly`, `ResolvePublicKeyByKid`, `RenderContext`,
- *      `Ed25519PublicKeyInput`), so the swap is a find-and-replace of the import
- *      specifier — no call-site churn.
- *
- * Because this is type-only for everything the SDK consumes at COMPILE time, swapping
- * the import path is the only change; the runtime kernel comes from `./kernel-stub.ts`
- * today and from `@certrev/cert-contract` after publish.
- */
-/** Bump on ANY breaking change to the payload shape or signing rules. */
-export declare const CONTRACT_VERSION: 1;
-export type ContractVersion = typeof CONTRACT_VERSION;
-/** RFC 8785 JSON Canonicalization Scheme — the bytes that get signed/hashed. */
-export declare const CANONICALIZATION: "RFC8785-JCS";
-/** Ed25519 (PureEdDSA). */
-export declare const SIGNATURE_ALG: "ed25519";
-export type SignatureAlg = typeof SIGNATURE_ALG;
-export interface CertSubject {
-    readonly platform: string;
-    readonly externalId: string;
-    readonly logicalArticleId: string;
-    readonly canonicalUrls: ReadonlyArray<string>;
-    readonly installationId: string | null;
-    readonly contentDigest: string | null;
-}
-export interface CertDisplayConfig {
-    readonly accentColor?: string | null;
-    readonly showExpertPhoto?: boolean;
-    readonly showAuthor?: boolean;
-    readonly showMemo?: boolean;
-    readonly badgeStyle?: 'full' | 'compact';
-}
-export interface CertCredential {
-    readonly abbreviation: string;
-    readonly fullName: string;
-}
-export interface CertContent {
-    readonly expert: {
-        readonly displayName: string;
-        readonly credentials: ReadonlyArray<CertCredential>;
-        readonly profileUrl: string | null;
-        readonly photoUrl: string | null;
-    };
-    readonly author: {
-        readonly name: string;
-        readonly title: string | null;
-    };
-    readonly memo: string | null;
-    readonly certifiedAt: string;
-    readonly contentModifiedAt: string | null;
-    readonly verifyUrl: string;
-    readonly display: CertDisplayConfig;
-}
-export interface CertLifecycle {
-    readonly issuedAt: string;
-    readonly expiresAt: string;
-    readonly revokedAt: string | null;
-    readonly revision: number;
-}
-export interface CertPayload {
-    readonly contractVersion: ContractVersion;
-    readonly certId: string;
-    readonly subject: CertSubject;
-    readonly content: CertContent;
-    readonly lifecycle: CertLifecycle;
-}
-export interface CertSignature {
-    readonly alg: SignatureAlg;
-    readonly kid: string;
-    readonly sig: string;
-    readonly signedAt: string;
-}
-export interface CertDeliveryEnvelope {
-    readonly payload: CertPayload;
-    readonly signature: CertSignature;
-}
-export type CertVerdict = {
-    readonly decision: 'render';
-    readonly payload: CertPayload;
-} | {
-    readonly decision: 'suppress';
-    readonly reason: CertSuppressReason;
-};
-export type CertSuppressReason = 'unsupported_contract_version' | 'unsupported_alg' | 'unknown_key' | 'invalid_signature' | 'platform_mismatch' | 'subject_mismatch' | 'revoked' | 'expired' | 'content_drift';
-/** The Ed25519 public-key encodings a kid resolver may hand the kernel. */
-export type Ed25519PublicKeyInput = {
-    readonly format: 'spki-der';
-    readonly bytes: Uint8Array;
-} | {
-    readonly format: 'spki-base64';
-    readonly base64: string;
-} | {
-    readonly format: 'pem';
-    readonly pem: string;
-} | {
-    readonly format: 'raw';
-    readonly bytes: Uint8Array;
-};
-/**
- * A kid → public-key resolver. Returns a usable Ed25519 key for the given kid, or
- * null/undefined when the kid is unknown (→ suppress 'unknown_key'). May be async so
- * an edge can fetch + cache a published key set. The real kernel also accepts a Node
- * KeyObject; we model only the SDK-relevant inputs here.
- */
-export type ResolvePublicKeyByKid = (kid: string) => Promise<Ed25519PublicKeyInput | null | undefined> | Ed25519PublicKeyInput | null | undefined;
-/** Edge-supplied context for the policy phase. */
-export interface RenderContext {
-    readonly platform: string;
-    readonly externalId: string;
-    readonly liveContentHash?: string | null;
-    readonly now?: Date;
-}
-/** Full kernel: verify signature, then apply subject/lifecycle/drift policy. */
-export type VerifyEnvelope = (envelope: CertDeliveryEnvelope, resolveKid: ResolvePublicKeyByKid, ctx: RenderContext) => Promise<CertVerdict>;
-/** Phase-2-only policy over an already-verified payload. */
-export type RenderVerdict = (payload: CertPayload, ctx: RenderContext) => CertVerdict;
-/** Phase-1-only cryptographic verification. */
-export type VerifySignatureOnly = (envelope: CertDeliveryEnvelope, resolveKid: ResolvePublicKeyByKid) => Promise<{
-    ok: true;
-} | {
-    ok: false;
-    reason: CertSuppressReason;
-}>;
-/**
- * The kernel function set as a single named interface — what the SDK depends on at
- * the value level. `@certrev/cert-contract` exposes these as free functions; the SDK
- * binds them through `./kernel-stub` today and re-points to the real exports on
- * publish.
- */
-export interface VerdictKernel {
-    readonly verifyEnvelope: VerifyEnvelope;
-    readonly renderVerdict: RenderVerdict;
-    readonly verifySignatureOnly: VerifySignatureOnly;
-}
-//# sourceMappingURL=kernel-contract.d.ts.map

package/dist/contract/kernel-contract.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"kernel-contract.d.ts","sourceRoot":"","sources":["../../src/contract/kernel-contract.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,yEAAyE;AACzE,eAAO,MAAM,gBAAgB,EAAG,CAAU,CAAA;AAC1C,MAAM,MAAM,eAAe,GAAG,OAAO,gBAAgB,CAAA;AAErD,gFAAgF;AAChF,eAAO,MAAM,gBAAgB,EAAG,aAAsB,CAAA;AAEtD,2BAA2B;AAC3B,eAAO,MAAM,aAAa,EAAG,SAAkB,CAAA;AAC/C,MAAM,MAAM,YAAY,GAAG,OAAO,aAAa,CAAA;AAG/C,MAAM,WAAW,WAAW;IAC3B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAA;IAC3B,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAA;IACjC,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC,MAAM,CAAC,CAAA;IAC7C,QAAQ,CAAC,cAAc,EAAE,MAAM,GAAG,IAAI,CAAA;IACtC,QAAQ,CAAC,aAAa,EAAE,MAAM,GAAG,IAAI,CAAA;CACrC;AAGD,MAAM,WAAW,iBAAiB;IACjC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IACpC,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,CAAA;IAClC,QAAQ,CAAC,UAAU,CAAC,EAAE,OAAO,CAAA;IAC7B,QAAQ,CAAC,QAAQ,CAAC,EAAE,OAAO,CAAA;IAC3B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;CACxC;AAGD,MAAM,WAAW,cAAc;IAC9B,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;CACzB;AAED,MAAM,WAAW,WAAW;IAC3B,QAAQ,CAAC,MAAM,EAAE;QAChB,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;QAC5B,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,cAAc,CAAC,CAAA;QACnD,QAAQ,CAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;QAClC,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;KAChC,CAAA;IACD,QAAQ,CAAC,MAAM,EAAE;QAChB,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAA;QACrB,QAAQ,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;KAC7B,CAAA;IACD,QAAQ,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,CAAA;IAC5B,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAA;IAC5B,QAAQ,CAAC,iBAAiB,EAAE,MAAM,GAAG,IAAI,CAAA;IACzC,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;IAC1B,QAAQ,CAAC,OAAO,EAAE,iBAAiB,CAAA;CACnC;AAGD,MAAM,WAAW,aAAa;IAC7B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAA;IAC1B,QAAQ,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;IACjC,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;CACzB;AAGD,MAAM,WAAW,WAAW;IAC3B,QAAQ,CAAC,eAAe,EAAE,eAAe,CAAA;IACzC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;IACvB,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAA;IAC7B,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAA;IAC7B,QAAQ,CAAC,SAAS,EAAE,aAAa,CAAA;CACjC;AAGD,MAAM,WAAW,aAAa;IAC7B,QAAQ,CAAC,GAAG,EAAE,YAAY,CAAA;IAC1B,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;IACpB,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;IACpB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;CACzB;AAGD,MAAM,WAAW,oBAAoB;IACpC,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAA;IAC7B,QAAQ,CAAC,SAAS,EAAE,aAAa,CAAA;CACjC;AAGD,MAAM,MAAM,WAAW,GACpB;IAAE,QAAQ,CAAC,QAAQ,EAAE,QAAQ,CAAC;IAAC,QAAQ,CAAC,OAAO,EAAE,WAAW,CAAA;CAAE,GAC9D;IAAE,QAAQ,CAAC,QAAQ,EAAE,UAAU,CAAC;IAAC,QAAQ,CAAC,MAAM,EAAE,kBAAkB,CAAA;CAAE,CAAA;AAEzE,MAAM,MAAM,kBAAkB,GAC3B,8BAA8B,GAC9B,iBAAiB,GACjB,aAAa,GACb,mBAAmB,GACnB,mBAAmB,GACnB,kBAAkB,GAClB,SAAS,GACT,SAAS,GACT,eAAe,CAAA;AAIlB,2EAA2E;AAC3E,MAAM,MAAM,qBAAqB,GAC9B;IAAE,QAAQ,CAAC,MAAM,EAAE,UAAU,CAAC;IAAC,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAA;CAAE,GAC3D;IAAE,QAAQ,CAAC,MAAM,EAAE,aAAa,CAAC;IAAC,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GAC3D;IAAE,QAAQ,CAAC,MAAM,EAAE,KAAK,CAAC;IAAC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAChD;IAAE,QAAQ,CAAC,MAAM,EAAE,KAAK,CAAC;IAAC,QAAQ,CAAC,KAAK,EAAE,UAAU,CAAA;CAAE,CAAA;AAEzD;;;;;GAKG;AACH,MAAM,MAAM,qBAAqB,GAAG,CACnC,GAAG,EAAE,MAAM,KACP,OAAO,CAAC,qBAAqB,GAAG,IAAI,GAAG,SAAS,CAAC,GAAG,qBAAqB,GAAG,IAAI,GAAG,SAAS,CAAA;AAEjG,kDAAkD;AAClD,MAAM,WAAW,aAAa;IAC7B,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAA;IAC3B,QAAQ,CAAC,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IACxC,QAAQ,CAAC,GAAG,CAAC,EAAE,IAAI,CAAA;CACnB;AAED,gFAAgF;AAChF,MAAM,MAAM,cAAc,GAAG,CAC5B,QAAQ,EAAE,oBAAoB,EAC9B,UAAU,EAAE,qBAAqB,EACjC,GAAG,EAAE,aAAa,KACd,OAAO,CAAC,WAAW,CAAC,CAAA;AAEzB,4DAA4D;AAC5D,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,EAAE,WAAW,EAAE,GAAG,EAAE,aAAa,KAAK,WAAW,CAAA;AAErF,+CAA+C;AAC/C,MAAM,MAAM,mBAAmB,GAAG,CACjC,QAAQ,EAAE,oBAAoB,EAC9B,UAAU,EAAE,qBAAqB,KAC7B,OAAO,CAAC;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,kBAAkB,CAAA;CAAE,CAAC,CAAA;AAEtE;;;;;GAKG;AACH,MAAM,WAAW,aAAa;IAC7B,QAAQ,CAAC,cAAc,EAAE,cAAc,CAAA;IACvC,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAA;IACrC,QAAQ,CAAC,mBAAmB,EAAE,mBAAmB,CAAA;CACjD"}

package/dist/contract/kernel-contract.js

@@ -1,35 +0,0 @@
-/**
- * ─────────────────────────────────────────────────────────────────────────────
- * @certrev/cert-contract — INTERFACE STUB (delete on publish; see INTEGRATION below)
- * ─────────────────────────────────────────────────────────────────────────────
- *
- * The shared `CertDeliveryEnvelope` types + the fail-closed `VerdictKernel` live in
- * the published `@certrev/cert-contract` package. That package is not yet on a registry
- * this workspace can `pnpm install` from (it ships `file:`/workspace-only today), so
- * `@certrev/cert-block` imports the contract surface from THIS local interface module
- * instead. The types here are a byte-for-byte mirror of `cert-contract`'s `types.ts`
- * (the settled, panel-revised shape: structured FACTS, no rendered JSON-LD in the
- * payload; `subject` carries `logicalArticleId`, `canonicalUrls[]`, `installationId`,
- * `contentDigest`).
- *
- * INTEGRATION (when @certrev/cert-contract publishes — see README "Integration TODOs"):
- *   1. Delete this file and `./kernel-stub.ts`.
- *   2. Replace every `from '../contract/kernel-contract.js'` with
- *      `from '@certrev/cert-contract'`.
- *   3. The exported names here are deliberately identical to cert-contract's exports
- *      (`CertDeliveryEnvelope`, `CertPayload`, `CertVerdict`, `verifyEnvelope`,
- *      `renderVerdict`, `verifySignatureOnly`, `ResolvePublicKeyByKid`, `RenderContext`,
- *      `Ed25519PublicKeyInput`), so the swap is a find-and-replace of the import
- *      specifier — no call-site churn.
- *
- * Because this is type-only for everything the SDK consumes at COMPILE time, swapping
- * the import path is the only change; the runtime kernel comes from `./kernel-stub.ts`
- * today and from `@certrev/cert-contract` after publish.
- */
-/** Bump on ANY breaking change to the payload shape or signing rules. */
-export const CONTRACT_VERSION = 1;
-/** RFC 8785 JSON Canonicalization Scheme — the bytes that get signed/hashed. */
-export const CANONICALIZATION = 'RFC8785-JCS';
-/** Ed25519 (PureEdDSA). */
-export const SIGNATURE_ALG = 'ed25519';
-//# sourceMappingURL=kernel-contract.js.map

package/dist/contract/kernel-contract.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"kernel-contract.js","sourceRoot":"","sources":["../../src/contract/kernel-contract.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,yEAAyE;AACzE,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAU,CAAA;AAG1C,gFAAgF;AAChF,MAAM,CAAC,MAAM,gBAAgB,GAAG,aAAsB,CAAA;AAEtD,2BAA2B;AAC3B,MAAM,CAAC,MAAM,aAAa,GAAG,SAAkB,CAAA"}

package/dist/contract/kernel-stub.d.ts

@@ -1,44 +0,0 @@
-/**
- * ─────────────────────────────────────────────────────────────────────────────
- * VerdictKernel — LOCAL STUB (delete on publish; mirrors @certrev/cert-contract)
- * ─────────────────────────────────────────────────────────────────────────────
- *
- * A faithful, self-contained implementation of the cert-contract VerdictKernel so the
- * SDK's verify layer + tests run NOW, before `@certrev/cert-contract` publishes to a
- * registry this workspace installs from. The behavior is identical to the real kernel:
- *   • Ed25519 detached signature verified over the RFC-8785 (JCS) canonical bytes of
- *     `payload` (lexicographic key order, minimal whitespace, UTF-8).
- *   • Fail-closed pipeline: shape → alg → kid → signature → platform → subject →
- *     revoked → expired → drift → render. Any failure short-circuits to `suppress`.
- *   • Never throws on a bad envelope — a malformed input / throwing resolver fails
- *     closed to `suppress`, not to an exception a caller might swallow into a render.
- *
- * The byte-identical canonicalization across PHP / Node is what makes the credential
- * portable; here we hand-roll a deterministic JCS serializer (sufficient for the
- * envelope's all-string/number/bool/array/object shape — no exotic numbers) so the SDK
- * carries no production crypto-canonicalization of its own that could DRIFT from the
- * contract. On publish, the real `canonicalize` (RFC 8785) from cert-contract is used.
- *
- * INTEGRATION: delete this file + `./kernel-contract.ts`; import `verifyEnvelope`,
- * `renderVerdict`, `verifySignatureOnly`, `toEd25519PublicKey` from
- * `@certrev/cert-contract`. See README "Integration TODOs".
- */
-import { type KeyObject } from 'node:crypto';
-import type { CertDeliveryEnvelope, CertPayload, CertSuppressReason, CertVerdict, Ed25519PublicKeyInput, RenderContext, ResolvePublicKeyByKid } from './kernel-contract.js';
-/** Mirror of cert-contract's `toEd25519PublicKey` for the input encodings the SDK uses. */
-declare function toEd25519PublicKey(input: Ed25519PublicKeyInput): KeyObject;
-type CryptoResult = {
-    ok: true;
-} | {
-    ok: false;
-    reason: CertSuppressReason;
-};
-/** Phase-2-only policy verdict over an already-authentic payload. Pure + synchronous. */
-export declare function renderVerdict(payload: CertPayload, ctx: RenderContext): CertVerdict;
-/** Phase-1-only cryptographic verification. */
-export declare function verifySignatureOnly(envelope: CertDeliveryEnvelope, resolveKid: ResolvePublicKeyByKid): Promise<CryptoResult>;
-/** Full kernel: verify signature, then apply policy. Fail-closed, never throws. */
-export declare function verifyEnvelope(envelope: CertDeliveryEnvelope, resolveKid: ResolvePublicKeyByKid, ctx: RenderContext): Promise<CertVerdict>;
-/** Re-export for tests that need to build a public key from raw/spki bytes. */
-export { toEd25519PublicKey };
-//# sourceMappingURL=kernel-stub.d.ts.map

package/dist/contract/kernel-stub.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"kernel-stub.d.ts","sourceRoot":"","sources":["../../src/contract/kernel-stub.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,EAAmB,KAAK,SAAS,EAAwB,MAAM,aAAa,CAAA;AACnF,OAAO,KAAK,EACX,oBAAoB,EACpB,WAAW,EACX,kBAAkB,EAClB,WAAW,EACX,qBAAqB,EACrB,aAAa,EACb,qBAAqB,EACrB,MAAM,sBAAsB,CAAA;AA4C7B,2FAA2F;AAC3F,iBAAS,kBAAkB,CAAC,KAAK,EAAE,qBAAqB,GAAG,SAAS,CAkBnE;AAUD,KAAK,YAAY,GAAG;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,MAAM,EAAE,kBAAkB,CAAA;CAAE,CAAA;AA6B5E,yFAAyF;AACzF,wBAAgB,aAAa,CAAC,OAAO,EAAE,WAAW,EAAE,GAAG,EAAE,aAAa,GAAG,WAAW,CAoBnF;AAED,+CAA+C;AAC/C,wBAAsB,mBAAmB,CACxC,QAAQ,EAAE,oBAAoB,EAC9B,UAAU,EAAE,qBAAqB,GAC/B,OAAO,CAAC,YAAY,CAAC,CAEvB;AAED,mFAAmF;AACnF,wBAAsB,cAAc,CACnC,QAAQ,EAAE,oBAAoB,EAC9B,UAAU,EAAE,qBAAqB,EACjC,GAAG,EAAE,aAAa,GAChB,OAAO,CAAC,WAAW,CAAC,CAWtB;AAED,+EAA+E;AAC/E,OAAO,EAAE,kBAAkB,EAAE,CAAA"}