@certrev/cert-block 0.1.0

package/dist/verify/get-verified-envelope.d.ts

@@ -0,0 +1,65 @@
+/**
+ * ─────────────────────────────────────────────────────────────────────────────
+ * getVerifiedEnvelope — the server-side fetch + verify + cache entry point
+ * ─────────────────────────────────────────────────────────────────────────────
+ *
+ * The headless edge calls this ONCE per render in its server loader (Hydrogen loader,
+ * Next server component / route handler, Builder server fetch). It:
+ *   1. SOURCES the signed `CertDeliveryEnvelope` from EITHER a Shopify metafield (already
+ *      fetched via the Storefront API) OR the public Delivery API
+ *      (`GET /api/cert/v1/delivery/{platform}/{externalId}`).
+ *   2. Runs the shared VerdictKernel (signature + subject/lifecycle/drift), FAIL-CLOSED.
+ *   3. Caches the resulting verdict per-instance (TTL + single-flight) so concurrent SSR
+ *      renders don't stampede the origin.
+ *
+ * It returns a `CertVerdict`: `{ decision: 'render', payload }` → render the badge +
+ * JSON-LD; `{ decision: 'suppress', reason }` → render NOTHING. Any error (network,
+ * malformed JSON, throwing resolver) collapses to a `suppress` verdict — never throws
+ * into the render path, never renders an unverified credential.
+ */
+import type { CertDeliveryEnvelope, CertVerdict, RenderContext, ResolvePublicKeyByKid } from '../contract/kernel.js';
+import { TtlCache } from './cache.js';
+/** Where the signed envelope comes from. Exactly one of the two source shapes. */
+export type EnvelopeSource = 
+/** PULL: the public, CDN-cacheable Delivery API. The helper fetches it. */
+{
+    readonly kind: 'delivery_api';
+    /** Base URL of the portal Delivery API, e.g. 'https://portal.certrev.com'. */
+    readonly baseUrl: string;
+    readonly platform: string;
+    readonly externalId: string;
+}
+/** PUSH/native: an envelope already read from a Shopify app-owned metafield (or any
+ *  native store). The caller fetched it via the Storefront API; we just verify it. The
+ *  value may be the parsed envelope or its JSON string (metafields store strings). */
+ | {
+    readonly kind: 'metafield';
+    readonly value: CertDeliveryEnvelope | string | null | undefined;
+};
+export interface GetVerifiedEnvelopeOptions {
+    readonly source: EnvelopeSource;
+    /** kid → public-key resolver (see ./resolve-kid). Required: no verify without keys. */
+    readonly resolveKid: ResolvePublicKeyByKid;
+    /** Render context: the platform + externalId this edge IS, plus optional live hash. */
+    readonly context: Omit<RenderContext, 'now'> & {
+        readonly now?: Date;
+    };
+    /** Injectable fetch for tests / non-global-fetch runtimes. */
+    readonly fetchImpl?: typeof fetch;
+    /** Cache override (per-instance). Defaults to the module-level shared cache. */
+    readonly cache?: TtlCache<CertVerdict>;
+    /** Positive verdict TTL ms (default 60_000). */
+    readonly ttlMs?: number;
+}
+/** Module-level shared cache so all calls in a process coordinate by default. */
+declare const sharedVerdictCache: TtlCache<CertVerdict>;
+/**
+ * Fetch (if needed), verify, and cache the certification verdict for one placement.
+ * FAIL-CLOSED on every error path. Safe to call on every SSR render — the cache +
+ * single-flight keep the origin load bounded.
+ */
+export declare function getVerifiedEnvelope(opts: GetVerifiedEnvelopeOptions): Promise<CertVerdict>;
+/** Expose the shared cache so a revocation webhook handler can invalidate proactively. */
+export declare function invalidateVerdict(source: EnvelopeSource, context: RenderContext, cache?: TtlCache<CertVerdict>): void;
+export { sharedVerdictCache };
+//# sourceMappingURL=get-verified-envelope.d.ts.map

package/dist/verify/get-verified-envelope.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"get-verified-envelope.d.ts","sourceRoot":"","sources":["../../src/verify/get-verified-envelope.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,KAAK,EAAE,oBAAoB,EAAE,WAAW,EAAE,aAAa,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAA;AAEpH,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAA;AAErC,kFAAkF;AAClF,MAAM,MAAM,cAAc;AACzB,2EAA2E;AACzE;IACA,QAAQ,CAAC,IAAI,EAAE,cAAc,CAAA;IAC7B,8EAA8E;IAC9E,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;IACxB,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAA;IACzB,QAAQ,CAAC,UAAU,EAAE,MAAM,CAAA;CAC1B;AACH;;sFAEsF;GACpF;IACA,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAA;IAC1B,QAAQ,CAAC,KAAK,EAAE,oBAAoB,GAAG,MAAM,GAAG,IAAI,GAAG,SAAS,CAAA;CAC/D,CAAA;AAEJ,MAAM,WAAW,0BAA0B;IAC1C,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAA;IAC/B,uFAAuF;IACvF,QAAQ,CAAC,UAAU,EAAE,qBAAqB,CAAA;IAC1C,uFAAuF;IACvF,QAAQ,CAAC,OAAO,EAAE,IAAI,CAAC,aAAa,EAAE,KAAK,CAAC,GAAG;QAAE,QAAQ,CAAC,GAAG,CAAC,EAAE,IAAI,CAAA;KAAE,CAAA;IACtE,8DAA8D;IAC9D,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAA;IACjC,gFAAgF;IAChF,QAAQ,CAAC,KAAK,CAAC,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAA;IACtC,gDAAgD;IAChD,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CACvB;AAED,iFAAiF;AACjF,QAAA,MAAM,kBAAkB,uBAAqE,CAAA;AAgD7F;;;;GAIG;AACH,wBAAsB,mBAAmB,CAAC,IAAI,EAAE,0BAA0B,GAAG,OAAO,CAAC,WAAW,CAAC,CAkChG;AAED,0FAA0F;AAC1F,wBAAgB,iBAAiB,CAChC,MAAM,EAAE,cAAc,EACtB,OAAO,EAAE,aAAa,EACtB,KAAK,GAAE,QAAQ,CAAC,WAAW,CAAsB,GAC/C,IAAI,CAEN;AAED,OAAO,EAAE,kBAAkB,EAAE,CAAA"}

package/dist/verify/get-verified-envelope.js

@@ -0,0 +1,104 @@
+/**
+ * ─────────────────────────────────────────────────────────────────────────────
+ * getVerifiedEnvelope — the server-side fetch + verify + cache entry point
+ * ─────────────────────────────────────────────────────────────────────────────
+ *
+ * The headless edge calls this ONCE per render in its server loader (Hydrogen loader,
+ * Next server component / route handler, Builder server fetch). It:
+ *   1. SOURCES the signed `CertDeliveryEnvelope` from EITHER a Shopify metafield (already
+ *      fetched via the Storefront API) OR the public Delivery API
+ *      (`GET /api/cert/v1/delivery/{platform}/{externalId}`).
+ *   2. Runs the shared VerdictKernel (signature + subject/lifecycle/drift), FAIL-CLOSED.
+ *   3. Caches the resulting verdict per-instance (TTL + single-flight) so concurrent SSR
+ *      renders don't stampede the origin.
+ *
+ * It returns a `CertVerdict`: `{ decision: 'render', payload }` → render the badge +
+ * JSON-LD; `{ decision: 'suppress', reason }` → render NOTHING. Any error (network,
+ * malformed JSON, throwing resolver) collapses to a `suppress` verdict — never throws
+ * into the render path, never renders an unverified credential.
+ */
+import { verifyEnvelope } from '../contract/kernel.js';
+import { TtlCache } from './cache.js';
+/** Module-level shared cache so all calls in a process coordinate by default. */
+const sharedVerdictCache = new TtlCache({ ttlMs: 60_000, negativeTtlMs: 5_000 });
+function suppress(reason) {
+    return { decision: 'suppress', reason };
+}
+function parseEnvelope(value) {
+    if (value == null)
+        return null;
+    if (typeof value !== 'string')
+        return value;
+    try {
+        return JSON.parse(value);
+    }
+    catch {
+        return null;
+    }
+}
+function deliveryApiUrl(s) {
+    const base = s.baseUrl.replace(/\/+$/, '');
+    return `${base}/api/cert/v1/delivery/${encodeURIComponent(s.platform)}/${encodeURIComponent(s.externalId)}`;
+}
+/** Stable cache key per (source identity × render externalId). */
+function cacheKey(source, ctx) {
+    if (source.kind === 'delivery_api') {
+        return `api:${source.platform}:${source.externalId}`;
+    }
+    // Metafield: key on the rendering identity (the value is already in hand; the verdict
+    // still depends on context). Include a short hash of the value to bust on push update.
+    return `mf:${ctx.platform}:${ctx.externalId}`;
+}
+async function fetchFromDeliveryApi(s, fetchImpl) {
+    const res = await fetchImpl(deliveryApiUrl(s), { headers: { accept: 'application/json' } });
+    if (!res.ok)
+        return null; // 404 / 410 (revoked, no longer served) → no envelope → suppress
+    try {
+        return (await res.json());
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Fetch (if needed), verify, and cache the certification verdict for one placement.
+ * FAIL-CLOSED on every error path. Safe to call on every SSR render — the cache +
+ * single-flight keep the origin load bounded.
+ */
+export async function getVerifiedEnvelope(opts) {
+    const fetchImpl = opts.fetchImpl ?? globalThis.fetch;
+    const cache = opts.cache ?? sharedVerdictCache;
+    const ctx = { ...opts.context };
+    const key = cacheKey(opts.source, ctx);
+    const isSuppress = (v) => v.decision !== 'render';
+    return cache.getOrLoad(key, async () => {
+        let envelope;
+        try {
+            envelope =
+                opts.source.kind === 'delivery_api'
+                    ? await fetchFromDeliveryApi(opts.source, fetchImpl)
+                    : parseEnvelope(opts.source.value);
+        }
+        catch {
+            // Network/JSON failure → fail closed (do NOT render an unverified credential).
+            return suppress('unsupported_contract_version');
+        }
+        if (!envelope) {
+            // No envelope present (never certified / revoked + cleared / 404) → suppress.
+            return suppress('unsupported_contract_version');
+        }
+        // The kernel itself never throws (it fails closed), but guard the resolver too.
+        try {
+            return await verifyEnvelope(envelope, opts.resolveKid, ctx);
+        }
+        catch {
+            return suppress('unknown_key');
+        }
+    }, isSuppress);
+}
+/** Expose the shared cache so a revocation webhook handler can invalidate proactively. */
+export function invalidateVerdict(source, context, cache = sharedVerdictCache) {
+    cache.delete(cacheKey(source, context));
+}
+export { sharedVerdictCache };
+//# sourceMappingURL=get-verified-envelope.js.map

package/dist/verify/get-verified-envelope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"get-verified-envelope.js","sourceRoot":"","sources":["../../src/verify/get-verified-envelope.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAGH,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAA;AACtD,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAA;AAkCrC,iFAAiF;AACjF,MAAM,kBAAkB,GAAG,IAAI,QAAQ,CAAc,EAAE,KAAK,EAAE,MAAM,EAAE,aAAa,EAAE,KAAK,EAAE,CAAC,CAAA;AAE7F,SAAS,QAAQ,CAChB,MAE2D;IAE3D,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,CAAA;AACxC,CAAC;AAED,SAAS,aAAa,CAAC,KAAuD;IAC7E,IAAI,KAAK,IAAI,IAAI;QAAE,OAAO,IAAI,CAAA;IAC9B,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,KAAK,CAAA;IAC3C,IAAI,CAAC;QACJ,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAyB,CAAA;IACjD,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,IAAI,CAAA;IACZ,CAAC;AACF,CAAC;AAED,SAAS,cAAc,CAAC,CAAoD;IAC3E,MAAM,IAAI,GAAG,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;IAC1C,OAAO,GAAG,IAAI,yBAAyB,kBAAkB,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,kBAAkB,CAAC,CAAC,CAAC,UAAU,CAAC,EAAE,CAAA;AAC5G,CAAC;AAED,kEAAkE;AAClE,SAAS,QAAQ,CAAC,MAAsB,EAAE,GAAkB;IAC3D,IAAI,MAAM,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;QACpC,OAAO,OAAO,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,UAAU,EAAE,CAAA;IACrD,CAAC;IACD,sFAAsF;IACtF,uFAAuF;IACvF,OAAO,MAAM,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,UAAU,EAAE,CAAA;AAC9C,CAAC;AAED,KAAK,UAAU,oBAAoB,CAClC,CAAoD,EACpD,SAAuB;IAEvB,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAAE,CAAC,CAAA;IAC3F,IAAI,CAAC,GAAG,CAAC,EAAE;QAAE,OAAO,IAAI,CAAA,CAAC,iEAAiE;IAC1F,IAAI,CAAC;QACJ,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAyB,CAAA;IAClD,CAAC;IAAC,MAAM,CAAC;QACR,OAAO,IAAI,CAAA;IACZ,CAAC;AACF,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,IAAgC;IACzE,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,UAAU,CAAC,KAAK,CAAA;IACpD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,IAAI,kBAAkB,CAAA;IAC9C,MAAM,GAAG,GAAkB,EAAE,GAAG,IAAI,CAAC,OAAO,EAAE,CAAA;IAC9C,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;IAEtC,MAAM,UAAU,GAAG,CAAC,CAAc,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAA;IAE9D,OAAO,KAAK,CAAC,SAAS,CACrB,GAAG,EACH,KAAK,IAAI,EAAE;QACV,IAAI,QAAqC,CAAA;QACzC,IAAI,CAAC;YACJ,QAAQ;gBACP,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,cAAc;oBAClC,CAAC,CAAC,MAAM,oBAAoB,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC;oBACpD,CAAC,CAAC,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;QACrC,CAAC;QAAC,MAAM,CAAC;YACR,+EAA+E;YAC/E,OAAO,QAAQ,CAAC,8BAA8B,CAAC,CAAA;QAChD,CAAC;QACD,IAAI,CAAC,QAAQ,EAAE,CAAC;YACf,8EAA8E;YAC9E,OAAO,QAAQ,CAAC,8BAA8B,CAAC,CAAA;QAChD,CAAC;QACD,gFAAgF;QAChF,IAAI,CAAC;YACJ,OAAO,MAAM,cAAc,CAAC,QAAQ,EAAE,IAAI,CAAC,UAAU,EAAE,GAAG,CAAC,CAAA;QAC5D,CAAC;QAAC,MAAM,CAAC;YACR,OAAO,QAAQ,CAAC,aAAa,CAAC,CAAA;QAC/B,CAAC;IACF,CAAC,EACD,UAAU,CACV,CAAA;AACF,CAAC;AAED,0FAA0F;AAC1F,MAAM,UAAU,iBAAiB,CAChC,MAAsB,EACtB,OAAsB,EACtB,QAA+B,kBAAkB;IAEjD,KAAK,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAA;AACxC,CAAC;AAED,OAAO,EAAE,kBAAkB,EAAE,CAAA"}

package/dist/verify/resolve-kid.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Public-key resolution for the kernel's signature-verification step.
+ *
+ * The kernel needs a `kid → Ed25519 public key` resolver. CertREV publishes its public
+ * key set (a JWKS-like document) so any edge can verify without a shared secret; rotation
+ * is "publish N+1 keys, start signing with the new kid, retire the old once edges refresh".
+ *
+ * This module gives two resolvers:
+ *   • `staticKidResolver(keys)` — for a key set baked into the deploy (the headless edge
+ *     ships CertREV's current public keys as config; zero network at render time).
+ *   • `fetchingKidResolver({ jwksUrl })` — fetches + caches the published key set, so a
+ *     newly-rotated kid resolves without a redeploy. Cached with a long TTL (keys rotate
+ *     rarely) + single-flight (no thundering herd on the JWKS endpoint).
+ *
+ * Both return the `Ed25519PublicKeyInput` shape the kernel accepts. The fetching resolver
+ * understands the two encodings CertREV may publish: a PEM string, or a JWK with an
+ * Ed25519 `x` (base64url raw key).
+ */
+import type { Ed25519PublicKeyInput, ResolvePublicKeyByKid } from '../contract/kernel.js';
+/** A static map of kid → public key (PEM string or an explicit input). */
+export type StaticKeySet = Readonly<Record<string, string | Ed25519PublicKeyInput>>;
+/** Resolver over a key set baked into the deploy. No network at render time. */
+export declare function staticKidResolver(keys: StaticKeySet): ResolvePublicKeyByKid;
+export interface FetchingKidResolverOptions {
+    /** URL of CertREV's published key set (JWKS-like). */
+    readonly jwksUrl: string;
+    /** Key-set cache TTL in ms (default 1h — keys rotate rarely). */
+    readonly ttlMs?: number;
+    /** Injectable fetch for tests / non-global-fetch runtimes. */
+    readonly fetchImpl?: typeof fetch;
+}
+/**
+ * Resolver that fetches + caches CertREV's published key set. A single fetch populates
+ * all kids; concurrent misses single-flight through the cache. A kid absent from the
+ * fetched set resolves to null (→ kernel suppresses 'unknown_key' — fail-closed).
+ */
+export declare function fetchingKidResolver(opts: FetchingKidResolverOptions): ResolvePublicKeyByKid;
+//# sourceMappingURL=resolve-kid.d.ts.map

package/dist/verify/resolve-kid.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve-kid.d.ts","sourceRoot":"","sources":["../../src/verify/resolve-kid.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,KAAK,EAAE,qBAAqB,EAAE,qBAAqB,EAAE,MAAM,uBAAuB,CAAA;AAGzF,0EAA0E;AAC1E,MAAM,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,qBAAqB,CAAC,CAAC,CAAA;AAOnF,gFAAgF;AAChF,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,YAAY,GAAG,qBAAqB,CAK3E;AA+BD,MAAM,WAAW,0BAA0B;IAC1C,sDAAsD;IACtD,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAA;IACxB,iEAAiE;IACjE,QAAQ,CAAC,KAAK,CAAC,EAAE,MAAM,CAAA;IACvB,8DAA8D;IAC9D,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,KAAK,CAAA;CACjC;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,0BAA0B,GAAG,qBAAqB,CAqB3F"}

package/dist/verify/resolve-kid.js

@@ -0,0 +1,71 @@
+/**
+ * Public-key resolution for the kernel's signature-verification step.
+ *
+ * The kernel needs a `kid → Ed25519 public key` resolver. CertREV publishes its public
+ * key set (a JWKS-like document) so any edge can verify without a shared secret; rotation
+ * is "publish N+1 keys, start signing with the new kid, retire the old once edges refresh".
+ *
+ * This module gives two resolvers:
+ *   • `staticKidResolver(keys)` — for a key set baked into the deploy (the headless edge
+ *     ships CertREV's current public keys as config; zero network at render time).
+ *   • `fetchingKidResolver({ jwksUrl })` — fetches + caches the published key set, so a
+ *     newly-rotated kid resolves without a redeploy. Cached with a long TTL (keys rotate
+ *     rarely) + single-flight (no thundering herd on the JWKS endpoint).
+ *
+ * Both return the `Ed25519PublicKeyInput` shape the kernel accepts. The fetching resolver
+ * understands the two encodings CertREV may publish: a PEM string, or a JWK with an
+ * Ed25519 `x` (base64url raw key).
+ */
+import { TtlCache } from './cache.js';
+function asInput(v) {
+    // A bare string is treated as PEM (the common deploy-config form).
+    return typeof v === 'string' ? { format: 'pem', pem: v } : v;
+}
+/** Resolver over a key set baked into the deploy. No network at render time. */
+export function staticKidResolver(keys) {
+    return (kid) => {
+        const k = keys[kid];
+        return k ? asInput(k) : null;
+    };
+}
+function base64urlToBytes(b64url) {
+    return new Uint8Array(Buffer.from(b64url, 'base64url'));
+}
+function jwkToInput(jwk) {
+    if (jwk.pem)
+        return { format: 'pem', pem: jwk.pem };
+    if (jwk.x) {
+        const bytes = base64urlToBytes(jwk.x);
+        if (bytes.length === 32)
+            return { format: 'raw', bytes };
+    }
+    return null;
+}
+/**
+ * Resolver that fetches + caches CertREV's published key set. A single fetch populates
+ * all kids; concurrent misses single-flight through the cache. A kid absent from the
+ * fetched set resolves to null (→ kernel suppresses 'unknown_key' — fail-closed).
+ */
+export function fetchingKidResolver(opts) {
+    const fetchImpl = opts.fetchImpl ?? globalThis.fetch;
+    const cache = new TtlCache({ ttlMs: opts.ttlMs ?? 3_600_000 });
+    const CACHE_KEY = opts.jwksUrl;
+    async function loadKeySet() {
+        const map = new Map();
+        const res = await fetchImpl(opts.jwksUrl, { headers: { accept: 'application/json' } });
+        if (!res.ok)
+            return map; // empty → every kid resolves null → fail closed
+        const doc = (await res.json());
+        for (const jwk of doc.keys ?? []) {
+            const input = jwkToInput(jwk);
+            if (input && jwk.kid)
+                map.set(jwk.kid, input);
+        }
+        return map;
+    }
+    return async (kid) => {
+        const keySet = await cache.getOrLoad(CACHE_KEY, loadKeySet, (m) => m.size === 0);
+        return keySet.get(kid) ?? null;
+    };
+}
+//# sourceMappingURL=resolve-kid.js.map

package/dist/verify/resolve-kid.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"resolve-kid.js","sourceRoot":"","sources":["../../src/verify/resolve-kid.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAGH,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAA;AAKrC,SAAS,OAAO,CAAC,CAAiC;IACjD,mEAAmE;IACnE,OAAO,OAAO,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAA;AAC7D,CAAC;AAED,gFAAgF;AAChF,MAAM,UAAU,iBAAiB,CAAC,IAAkB;IACnD,OAAO,CAAC,GAAG,EAAE,EAAE;QACd,MAAM,CAAC,GAAG,IAAI,CAAC,GAAG,CAAC,CAAA;QACnB,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IAC7B,CAAC,CAAA;AACF,CAAC;AAkBD,SAAS,gBAAgB,CAAC,MAAc;IACvC,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAA;AACxD,CAAC;AAED,SAAS,UAAU,CAAC,GAAiB;IACpC,IAAI,GAAG,CAAC,GAAG;QAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAA;IACnD,IAAI,GAAG,CAAC,CAAC,EAAE,CAAC;QACX,MAAM,KAAK,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;QACrC,IAAI,KAAK,CAAC,MAAM,KAAK,EAAE;YAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,CAAA;IACzD,CAAC;IACD,OAAO,IAAI,CAAA;AACZ,CAAC;AAWD;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CAAC,IAAgC;IACnE,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,UAAU,CAAC,KAAK,CAAA;IACpD,MAAM,KAAK,GAAG,IAAI,QAAQ,CAAqC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,IAAI,SAAS,EAAE,CAAC,CAAA;IAClG,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,CAAA;IAE9B,KAAK,UAAU,UAAU;QACxB,MAAM,GAAG,GAAG,IAAI,GAAG,EAAiC,CAAA;QACpD,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE,EAAE,CAAC,CAAA;QACtF,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,OAAO,GAAG,CAAA,CAAC,gDAAgD;QACxE,MAAM,GAAG,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAuB,CAAA;QACpD,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;YAClC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,CAAA;YAC7B,IAAI,KAAK,IAAI,GAAG,CAAC,GAAG;gBAAE,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,CAAC,CAAA;QAC9C,CAAC;QACD,OAAO,GAAG,CAAA;IACX,CAAC;IAED,OAAO,KAAK,EAAE,GAAG,EAAE,EAAE;QACpB,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,SAAS,CAAC,SAAS,EAAE,UAAU,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAA;QAChF,OAAO,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAA;IAC/B,CAAC,CAAA;AACF,CAAC"}

package/dist/webcomponent/certrev-badge.d.ts

@@ -0,0 +1,38 @@
+/**
+ * ─────────────────────────────────────────────────────────────────────────────
+ * <certrev-badge> — the framework-agnostic universal-embed Web Component
+ * ─────────────────────────────────────────────────────────────────────────────
+ *
+ * The `universal_embed` surface class: a custom element any site can drop in, fed by the
+ * Delivery API, that renders the SAME badge as <CertBadge> (it shares
+ * `renderBadgeHtml`). Two usage modes, both crawler-friendly:
+ *
+ *   1. SSR + hydrate (PREFERRED, crawlable). A server-side include emits the badge HTML
+ *      (via `renderBadgeHtml`) INSIDE the element, plus the element tag. The component
+ *      sees existing light-DOM children and leaves them; it only re-renders if asked to
+ *      refresh. The crawler reads the server HTML; the component is progressive
+ *      enhancement.
+ *
+ *   2. Client fetch (fallback, NOT crawlable — for already-client-only contexts). Given a
+ *      `delivery-api` + `platform` + `external-id`, it fetches the envelope, runs the
+ *      verdict via the kernel (WebCrypto path lives in cert-contract; here we accept a
+ *      pre-supplied `resolveKid`), and renders on `render`. Documented as the weaker mode.
+ *
+ * The element NEVER renders an unverified credential: client-mode renders only on a
+ * `render` verdict; on any suppress/error it renders nothing (fail-closed).
+ *
+ * Registration is side-effect-free until you call `defineCertRevBadge()` (so importing
+ * the module in SSR doesn't touch `customElements`, which doesn't exist server-side).
+ */
+import type { ResolvePublicKeyByKid } from '../contract/kernel.js';
+export declare const CERTREV_BADGE_TAG = "certrev-badge";
+export declare function setCertRevKidResolver(resolver: ResolvePublicKeyByKid): void;
+export declare class CertRevBadgeElement extends HTMLElement {
+    static get observedAttributes(): string[];
+    connectedCallback(): void;
+    attributeChangedCallback(_name: string, oldValue: string | null, newValue: string | null): void;
+    private clientFetchAndRender;
+}
+/** Register the element. Idempotent + safe to call only in a browser/customElements env. */
+export declare function defineCertRevBadge(): void;
+//# sourceMappingURL=certrev-badge.d.ts.map

package/dist/webcomponent/certrev-badge.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"certrev-badge.d.ts","sourceRoot":"","sources":["../../src/webcomponent/certrev-badge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAe,qBAAqB,EAAE,MAAM,uBAAuB,CAAA;AAI/E,eAAO,MAAM,iBAAiB,kBAAkB,CAAA;AAQhD,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE,qBAAqB,GAAG,IAAI,CAE3E;AAED,qBAAa,mBAAoB,SAAQ,WAAW;IACnD,MAAM,KAAK,kBAAkB,IAAI,MAAM,EAAE,CAExC;IAED,iBAAiB,IAAI,IAAI;IAOzB,wBAAwB,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI,EAAE,QAAQ,EAAE,MAAM,GAAG,IAAI,GAAG,IAAI;YAQjF,oBAAoB;CA4BlC;AAED,4FAA4F;AAC5F,wBAAgB,kBAAkB,IAAI,IAAI,CAKzC"}

package/dist/webcomponent/certrev-badge.js

@@ -0,0 +1,98 @@
+/**
+ * ─────────────────────────────────────────────────────────────────────────────
+ * <certrev-badge> — the framework-agnostic universal-embed Web Component
+ * ─────────────────────────────────────────────────────────────────────────────
+ *
+ * The `universal_embed` surface class: a custom element any site can drop in, fed by the
+ * Delivery API, that renders the SAME badge as <CertBadge> (it shares
+ * `renderBadgeHtml`). Two usage modes, both crawler-friendly:
+ *
+ *   1. SSR + hydrate (PREFERRED, crawlable). A server-side include emits the badge HTML
+ *      (via `renderBadgeHtml`) INSIDE the element, plus the element tag. The component
+ *      sees existing light-DOM children and leaves them; it only re-renders if asked to
+ *      refresh. The crawler reads the server HTML; the component is progressive
+ *      enhancement.
+ *
+ *   2. Client fetch (fallback, NOT crawlable — for already-client-only contexts). Given a
+ *      `delivery-api` + `platform` + `external-id`, it fetches the envelope, runs the
+ *      verdict via the kernel (WebCrypto path lives in cert-contract; here we accept a
+ *      pre-supplied `resolveKid`), and renders on `render`. Documented as the weaker mode.
+ *
+ * The element NEVER renders an unverified credential: client-mode renders only on a
+ * `render` verdict; on any suppress/error it renders nothing (fail-closed).
+ *
+ * Registration is side-effect-free until you call `defineCertRevBadge()` (so importing
+ * the module in SSR doesn't touch `customElements`, which doesn't exist server-side).
+ */
+import { getVerifiedEnvelope } from '../verify/get-verified-envelope.js';
+import { renderBadgeHtml } from './render-badge-html.js';
+export const CERTREV_BADGE_TAG = 'certrev-badge';
+/**
+ * A resolver registry the page sets once (the published CertREV keys) so the element can
+ * verify in client-fetch mode without each tag carrying key config. SSR mode never needs
+ * this (verification happened server-side).
+ */
+let globalResolveKid = null;
+export function setCertRevKidResolver(resolver) {
+    globalResolveKid = resolver;
+}
+export class CertRevBadgeElement extends HTMLElement {
+    static get observedAttributes() {
+        return ['delivery-api', 'platform', 'external-id', 'accent-color', 'badge-style', 'content-hash'];
+    }
+    connectedCallback() {
+        // SSR/light-DOM-present mode: server already rendered the badge inside us. Leave it.
+        // Only client-fetch when there are no rendered children AND we have a source.
+        if (this.querySelector('.certrev-badge'))
+            return;
+        void this.clientFetchAndRender();
+    }
+    attributeChangedCallback(_name, oldValue, newValue) {
+        if (oldValue === newValue)
+            return;
+        // Re-fetch only in client mode (no server-rendered child present).
+        if (this.isConnected && !this.querySelector('.certrev-badge')) {
+            void this.clientFetchAndRender();
+        }
+    }
+    async clientFetchAndRender() {
+        const baseUrl = this.getAttribute('delivery-api');
+        const platform = this.getAttribute('platform');
+        const externalId = this.getAttribute('external-id');
+        if (!baseUrl || !platform || !externalId)
+            return; // nothing to fetch → render nothing
+        if (!globalResolveKid) {
+            // No keys configured → cannot verify → fail closed (render nothing).
+            return;
+        }
+        let verdict;
+        try {
+            verdict = await getVerifiedEnvelope({
+                source: { kind: 'delivery_api', baseUrl, platform, externalId },
+                resolveKid: globalResolveKid,
+                context: {
+                    platform,
+                    externalId,
+                    liveContentHash: this.getAttribute('content-hash'),
+                },
+            });
+        }
+        catch {
+            return; // fail closed
+        }
+        if (verdict.decision !== 'render')
+            return;
+        const accentColor = this.getAttribute('accent-color') ?? undefined;
+        const badgeStyle = this.getAttribute('badge-style') ?? undefined;
+        this.innerHTML = renderBadgeHtml(verdict.payload, { accentColor, badgeStyle });
+    }
+}
+/** Register the element. Idempotent + safe to call only in a browser/customElements env. */
+export function defineCertRevBadge() {
+    if (typeof customElements === 'undefined')
+        return;
+    if (!customElements.get(CERTREV_BADGE_TAG)) {
+        customElements.define(CERTREV_BADGE_TAG, CertRevBadgeElement);
+    }
+}
+//# sourceMappingURL=certrev-badge.js.map

package/dist/webcomponent/certrev-badge.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"certrev-badge.js","sourceRoot":"","sources":["../../src/webcomponent/certrev-badge.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAGH,OAAO,EAAE,mBAAmB,EAAE,MAAM,oCAAoC,CAAA;AACxE,OAAO,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAA;AAExD,MAAM,CAAC,MAAM,iBAAiB,GAAG,eAAe,CAAA;AAEhD;;;;GAIG;AACH,IAAI,gBAAgB,GAAiC,IAAI,CAAA;AACzD,MAAM,UAAU,qBAAqB,CAAC,QAA+B;IACpE,gBAAgB,GAAG,QAAQ,CAAA;AAC5B,CAAC;AAED,MAAM,OAAO,mBAAoB,SAAQ,WAAW;IACnD,MAAM,KAAK,kBAAkB;QAC5B,OAAO,CAAC,cAAc,EAAE,UAAU,EAAE,aAAa,EAAE,cAAc,EAAE,aAAa,EAAE,cAAc,CAAC,CAAA;IAClG,CAAC;IAED,iBAAiB;QAChB,qFAAqF;QACrF,8EAA8E;QAC9E,IAAI,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAC;YAAE,OAAM;QAChD,KAAK,IAAI,CAAC,oBAAoB,EAAE,CAAA;IACjC,CAAC;IAED,wBAAwB,CAAC,KAAa,EAAE,QAAuB,EAAE,QAAuB;QACvF,IAAI,QAAQ,KAAK,QAAQ;YAAE,OAAM;QACjC,mEAAmE;QACnE,IAAI,IAAI,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,aAAa,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAC/D,KAAK,IAAI,CAAC,oBAAoB,EAAE,CAAA;QACjC,CAAC;IACF,CAAC;IAEO,KAAK,CAAC,oBAAoB;QACjC,MAAM,OAAO,GAAG,IAAI,CAAC,YAAY,CAAC,cAAc,CAAC,CAAA;QACjD,MAAM,QAAQ,GAAG,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,CAAA;QAC9C,MAAM,UAAU,GAAG,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,CAAA;QACnD,IAAI,CAAC,OAAO,IAAI,CAAC,QAAQ,IAAI,CAAC,UAAU;YAAE,OAAM,CAAC,oCAAoC;QACrF,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACvB,qEAAqE;YACrE,OAAM;QACP,CAAC;QACD,IAAI,OAAoB,CAAA;QACxB,IAAI,CAAC;YACJ,OAAO,GAAG,MAAM,mBAAmB,CAAC;gBACnC,MAAM,EAAE,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE;gBAC/D,UAAU,EAAE,gBAAgB;gBAC5B,OAAO,EAAE;oBACR,QAAQ;oBACR,UAAU;oBACV,eAAe,EAAE,IAAI,CAAC,YAAY,CAAC,cAAc,CAAC;iBAClD;aACD,CAAC,CAAA;QACH,CAAC;QAAC,MAAM,CAAC;YACR,OAAM,CAAC,cAAc;QACtB,CAAC;QACD,IAAI,OAAO,CAAC,QAAQ,KAAK,QAAQ;YAAE,OAAM;QACzC,MAAM,WAAW,GAAG,IAAI,CAAC,YAAY,CAAC,cAAc,CAAC,IAAI,SAAS,CAAA;QAClE,MAAM,UAAU,GAAI,IAAI,CAAC,YAAY,CAAC,aAAa,CAA+B,IAAI,SAAS,CAAA;QAC/F,IAAI,CAAC,SAAS,GAAG,eAAe,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,UAAU,EAAE,CAAC,CAAA;IAC/E,CAAC;CACD;AAED,4FAA4F;AAC5F,MAAM,UAAU,kBAAkB;IACjC,IAAI,OAAO,cAAc,KAAK,WAAW;QAAE,OAAM;IACjD,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,iBAAiB,CAAC,EAAE,CAAC;QAC5C,cAAc,CAAC,MAAM,CAAC,iBAAiB,EAAE,mBAAmB,CAAC,CAAA;IAC9D,CAAC;AACF,CAAC"}

package/dist/webcomponent/render-badge-html.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Framework-agnostic badge HTML renderer.
+ *
+ * The single source of badge markup for BOTH the Web Component (client upgrade) and any
+ * server-side include that wants to emit the badge as a string without React. It mirrors
+ * the <CertBadge> JSX one-for-one — same classes, same structure, same accessibility —
+ * but builds an HTML string, so EVERY interpolated field is escaped by hand
+ * (`escapeHtml` for content, `escapeAttribute` for attributes, `safeHttpUrl` for hrefs).
+ *
+ * It is pure + DOM-free, so it runs server-side (the SSR string the crawler sees) and is
+ * reused client-side by the Web Component. Crawlability requirement from the contract:
+ * the badge must be in the server HTML, never client-only.
+ */
+import type { CertPayload } from '../contract/kernel.js';
+export interface RenderBadgeOptions {
+    readonly accentColor?: string;
+    readonly badgeStyle?: 'full' | 'compact';
+}
+/**
+ * Render the certified-badge markup for a verified payload as an HTML string. Returns ''
+ * when there is nothing safe to link to AND nothing to show (defensive; the kernel has
+ * already decided to render by the time this is called).
+ */
+export declare function renderBadgeHtml(payload: CertPayload, opts?: RenderBadgeOptions): string;
+//# sourceMappingURL=render-badge-html.d.ts.map

package/dist/webcomponent/render-badge-html.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"render-badge-html.d.ts","sourceRoot":"","sources":["../../src/webcomponent/render-badge-html.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAIH,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAA;AAExD,MAAM,WAAW,kBAAkB;IAClC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAA;IAC7B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,GAAG,SAAS,CAAA;CACxC;AASD;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,WAAW,EAAE,IAAI,GAAE,kBAAuB,GAAG,MAAM,CAsE3F"}

package/dist/webcomponent/render-badge-html.js

@@ -0,0 +1,81 @@
+/**
+ * Framework-agnostic badge HTML renderer.
+ *
+ * The single source of badge markup for BOTH the Web Component (client upgrade) and any
+ * server-side include that wants to emit the badge as a string without React. It mirrors
+ * the <CertBadge> JSX one-for-one — same classes, same structure, same accessibility —
+ * but builds an HTML string, so EVERY interpolated field is escaped by hand
+ * (`escapeHtml` for content, `escapeAttribute` for attributes, `safeHttpUrl` for hrefs).
+ *
+ * It is pure + DOM-free, so it runs server-side (the SSR string the crawler sees) and is
+ * reused client-side by the Web Component. Crawlability requirement from the contract:
+ * the badge must be in the server HTML, never client-only.
+ */
+import { escapeAttribute, escapeHtml, safeCssColor, safeHttpUrl } from '../components/escape.js';
+import { credentialSuffix, formatDate, resolveDisplay } from '../components/format.js';
+const C = 'certrev-badge';
+function attr(name, value) {
+    if (value == null || value === '')
+        return '';
+    return ` ${name}="${escapeAttribute(value)}"`;
+}
+/**
+ * Render the certified-badge markup for a verified payload as an HTML string. Returns ''
+ * when there is nothing safe to link to AND nothing to show (defensive; the kernel has
+ * already decided to render by the time this is called).
+ */
+export function renderBadgeHtml(payload, opts = {}) {
+    const content = payload.content;
+    const display = resolveDisplay(content.display, opts.accentColor);
+    const style = opts.badgeStyle ?? display.badgeStyle;
+    const accent = safeCssColor(display.accentColor) ?? '#0f766e';
+    const verifyUrl = safeHttpUrl(content.verifyUrl);
+    const profileUrl = safeHttpUrl(content.expert.profileUrl);
+    const photoUrl = style === 'full' && display.showExpertPhoto ? safeHttpUrl(content.expert.photoUrl) : null;
+    const suffix = credentialSuffix(content);
+    const certified = formatDate(content.certifiedAt);
+    const updated = formatDate(content.contentModifiedAt);
+    const name = `${escapeHtml(content.expert.displayName)}${suffix ? `<span class="${C}__credentials">, ${escapeHtml(suffix)}</span>` : ''}`;
+    const nameNode = profileUrl
+        ? `<a class="${C}__expert-link" href="${escapeAttribute(profileUrl)}" rel="noopener">${name}</a>`
+        : name;
+    const mark = `<svg class="${C}__mark" width="20" height="20" viewBox="0 0 24 24" fill="none" aria-hidden="true" focusable="false">` +
+        `<circle cx="12" cy="12" r="11" fill="${escapeAttribute(accent)}"></circle>` +
+        `<path d="M7 12.5l3.2 3.2L17 9" stroke="#ffffff" stroke-width="2.2" stroke-linecap="round" stroke-linejoin="round"></path></svg>`;
+    const photo = photoUrl
+        ? `<img class="${C}__photo" src="${escapeAttribute(photoUrl)}" alt="Photo of ${escapeAttribute(content.expert.displayName)}" width="40" height="40" loading="lazy" decoding="async" />`
+        : '';
+    const header = `<div class="${C}__header">${mark}${photo}` +
+        `<div class="${C}__heading">` +
+        `<span class="${C}__eyebrow">Expert reviewed</span>` +
+        `<span class="${C}__byline">Reviewed by ${nameNode}</span>` +
+        `</div></div>`;
+    let body = '';
+    if (style === 'full') {
+        if (display.showMemo && content.memo) {
+            body += `<p class="${C}__memo">${escapeHtml(content.memo)}</p>`;
+        }
+        if (display.showAuthor && content.author.name && content.author.name !== content.expert.displayName) {
+            const title = content.author.title ? `, ${escapeHtml(content.author.title)}` : '';
+            body += `<p class="${C}__author">Written by ${escapeHtml(content.author.name)}${title}</p>`;
+        }
+        const dates = [];
+        if (certified) {
+            dates.push(`<div class="${C}__date"><dt>Certified</dt><dd><time datetime="${escapeAttribute(content.certifiedAt)}">${escapeHtml(certified)}</time></dd></div>`);
+        }
+        if (updated && content.contentModifiedAt) {
+            dates.push(`<div class="${C}__date"><dt>Last updated</dt><dd><time datetime="${escapeAttribute(content.contentModifiedAt)}">${escapeHtml(updated)}</time></dd></div>`);
+        }
+        if (dates.length)
+            body += `<dl class="${C}__dates">${dates.join('')}</dl>`;
+    }
+    const verify = verifyUrl
+        ? `<a class="${C}__verify" href="${escapeAttribute(verifyUrl)}" rel="noopener" aria-label="Verify this certification on CertREV">Verify on CertREV</a>`
+        : '';
+    const ariaLabel = `Content reviewed by ${content.expert.displayName}${suffix ? `, ${suffix}` : ''}`;
+    const rootStyle = `--certrev-accent:${accent};border-inline-start-color:${accent}`;
+    return (`<section class="${C} ${C}--${escapeAttribute(style)}" style="${escapeAttribute(rootStyle)}"` +
+        attr('data-certrev-cert-id', payload.certId) +
+        ` aria-label="${escapeAttribute(ariaLabel)}">${header}${body}${verify}</section>`);
+}
+//# sourceMappingURL=render-badge-html.js.map

package/dist/webcomponent/render-badge-html.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"render-badge-html.js","sourceRoot":"","sources":["../../src/webcomponent/render-badge-html.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,eAAe,EAAE,UAAU,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAA;AAChG,OAAO,EAAE,gBAAgB,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAA;AAQtF,MAAM,CAAC,GAAG,eAAe,CAAA;AAEzB,SAAS,IAAI,CAAC,IAAY,EAAE,KAAgC;IAC3D,IAAI,KAAK,IAAI,IAAI,IAAI,KAAK,KAAK,EAAE;QAAE,OAAO,EAAE,CAAA;IAC5C,OAAO,IAAI,IAAI,KAAK,eAAe,CAAC,KAAK,CAAC,GAAG,CAAA;AAC9C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,OAAoB,EAAE,OAA2B,EAAE;IAClF,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,CAAA;IAC/B,MAAM,OAAO,GAAG,cAAc,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,CAAA;IACjE,MAAM,KAAK,GAAG,IAAI,CAAC,UAAU,IAAI,OAAO,CAAC,UAAU,CAAA;IACnD,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,WAAW,CAAC,IAAI,SAAS,CAAA;IAC7D,MAAM,SAAS,GAAG,WAAW,CAAC,OAAO,CAAC,SAAS,CAAC,CAAA;IAChD,MAAM,UAAU,GAAG,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC,UAAU,CAAC,CAAA;IACzD,MAAM,QAAQ,GAAG,KAAK,KAAK,MAAM,IAAI,OAAO,CAAC,eAAe,CAAC,CAAC,CAAC,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;IAC1G,MAAM,MAAM,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAA;IACxC,MAAM,SAAS,GAAG,UAAU,CAAC,OAAO,CAAC,WAAW,CAAC,CAAA;IACjD,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAA;IAErD,MAAM,IAAI,GAAG,GAAG,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC,GACrD,MAAM,CAAC,CAAC,CAAC,gBAAgB,CAAC,oBAAoB,UAAU,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,EAC7E,EAAE,CAAA;IACF,MAAM,QAAQ,GAAG,UAAU;QAC1B,CAAC,CAAC,aAAa,CAAC,wBAAwB,eAAe,CAAC,UAAU,CAAC,oBAAoB,IAAI,MAAM;QACjG,CAAC,CAAC,IAAI,CAAA;IAEP,MAAM,IAAI,GACT,eAAe,CAAC,sGAAsG;QACtH,wCAAwC,eAAe,CAAC,MAAM,CAAC,aAAa;QAC5E,iIAAiI,CAAA;IAElI,MAAM,KAAK,GAAG,QAAQ;QACrB,CAAC,CAAC,eAAe,CAAC,iBAAiB,eAAe,CAAC,QAAQ,CAAC,mBAAmB,eAAe,CAAC,OAAO,CAAC,MAAM,CAAC,WAAW,CAAC,6DAA6D;QACvL,CAAC,CAAC,EAAE,CAAA;IAEL,MAAM,MAAM,GACX,eAAe,CAAC,aAAa,IAAI,GAAG,KAAK,EAAE;QAC3C,eAAe,CAAC,aAAa;QAC7B,gBAAgB,CAAC,mCAAmC;QACpD,gBAAgB,CAAC,yBAAyB,QAAQ,SAAS;QAC3D,cAAc,CAAA;IAEf,IAAI,IAAI,GAAG,EAAE,CAAA;IACb,IAAI,KAAK,KAAK,MAAM,EAAE,CAAC;QACtB,IAAI,OAAO,CAAC,QAAQ,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACtC,IAAI,IAAI,aAAa,CAAC,WAAW,UAAU,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAA;QAChE,CAAC;QACD,IAAI,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC,IAAI,IAAI,OAAO,CAAC,MAAM,CAAC,IAAI,KAAK,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;YACrG,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAA;YACjF,IAAI,IAAI,aAAa,CAAC,wBAAwB,UAAU,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,MAAM,CAAA;QAC5F,CAAC;QACD,MAAM,KAAK,GAAa,EAAE,CAAA;QAC1B,IAAI,SAAS,EAAE,CAAC;YACf,KAAK,CAAC,IAAI,CACT,eAAe,CAAC,iDAAiD,eAAe,CAAC,OAAO,CAAC,WAAW,CAAC,KAAK,UAAU,CAAC,SAAS,CAAC,oBAAoB,CACnJ,CAAA;QACF,CAAC;QACD,IAAI,OAAO,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;YAC1C,KAAK,CAAC,IAAI,CACT,eAAe,CAAC,oDAAoD,eAAe,CAAC,OAAO,CAAC,iBAAiB,CAAC,KAAK,UAAU,CAAC,OAAO,CAAC,oBAAoB,CAC1J,CAAA;QACF,CAAC;QACD,IAAI,KAAK,CAAC,MAAM;YAAE,IAAI,IAAI,cAAc,CAAC,YAAY,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,CAAA;IAC3E,CAAC;IAED,MAAM,MAAM,GAAG,SAAS;QACvB,CAAC,CAAC,aAAa,CAAC,mBAAmB,eAAe,CAAC,SAAS,CAAC,0FAA0F;QACvJ,CAAC,CAAC,EAAE,CAAA;IAEL,MAAM,SAAS,GAAG,uBAAuB,OAAO,CAAC,MAAM,CAAC,WAAW,GAAG,MAAM,CAAC,CAAC,CAAC,KAAK,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAA;IACnG,MAAM,SAAS,GAAG,oBAAoB,MAAM,8BAA8B,MAAM,EAAE,CAAA;IAElF,OAAO,CACN,mBAAmB,CAAC,IAAI,CAAC,KAAK,eAAe,CAAC,KAAK,CAAC,YAAY,eAAe,CAAC,SAAS,CAAC,GAAG;QAC7F,IAAI,CAAC,sBAAsB,EAAE,OAAO,CAAC,MAAM,CAAC;QAC5C,gBAAgB,eAAe,CAAC,SAAS,CAAC,KAAK,MAAM,GAAG,IAAI,GAAG,MAAM,YAAY,CACjF,CAAA;AACF,CAAC"}