@humanagencyp/hap-core 0.4.0

package/dist/index.js

@@ -0,0 +1,676 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  attestationId: () => attestationId,
+  canonicalBounds: () => canonicalBounds,
+  canonicalContext: () => canonicalContext,
+  canonicalFrame: () => canonicalFrame,
+  checkAttestationExpiry: () => checkAttestationExpiry,
+  clearProfiles: () => clearProfiles,
+  computeBoundsHash: () => computeBoundsHash,
+  computeContextHash: () => computeContextHash,
+  computeFrameHash: () => computeFrameHash,
+  decodeAttestationBlob: () => decodeAttestationBlob,
+  encodeAttestationBlob: () => encodeAttestationBlob,
+  frameHash: () => frameHash,
+  getAllProfiles: () => getAllProfiles,
+  getProfile: () => getProfile,
+  isV4Attestation: () => isV4Attestation,
+  listProfiles: () => listProfiles,
+  registerProfile: () => registerProfile,
+  validateBoundsParams: () => validateBoundsParams,
+  validateContextParams: () => validateContextParams,
+  validateFrameParams: () => validateFrameParams,
+  verify: () => verify,
+  verifyAttestation: () => verifyAttestation,
+  verifyAttestationSignature: () => verifyAttestationSignature,
+  verifyAttestationV4: () => verifyAttestationV4,
+  verifyBoundsHash: () => verifyBoundsHash,
+  verifyContextHash: () => verifyContextHash,
+  verifyFrameHash: () => verifyFrameHash
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/frame.ts
+var import_crypto = require("crypto");
+function validateFrameParams(params, profile) {
+  const errors = [];
+  if (!profile.frameSchema) {
+    return { valid: false, errors: ["Profile does not have a frameSchema"] };
+  }
+  for (const [fieldName, fieldDef] of Object.entries(profile.frameSchema.fields)) {
+    if (fieldDef.required && !(fieldName in params)) {
+      errors.push(`Missing required field: ${fieldName}`);
+    }
+  }
+  for (const [field, value] of Object.entries(params)) {
+    const fieldDef = profile.frameSchema.fields[field];
+    if (!fieldDef) {
+      errors.push(`Unknown field "${field}" not defined in profile ${profile.id}`);
+      continue;
+    }
+    if (fieldDef.type === "number" && typeof value !== "number") {
+      errors.push(`Field "${field}" must be a number, got ${typeof value}`);
+    }
+    if (fieldDef.type === "string" && typeof value !== "string") {
+      errors.push(`Field "${field}" must be a string, got ${typeof value}`);
+    }
+  }
+  return { valid: errors.length === 0, errors };
+}
+function canonicalFrame(params, profile) {
+  const validation = validateFrameParams(params, profile);
+  if (!validation.valid) {
+    throw new Error(`Invalid frame parameters: ${validation.errors.join("; ")}`);
+  }
+  const lines = profile.frameSchema.keyOrder.map(
+    (key) => `${key}=${String(params[key])}`
+  );
+  return lines.join("\n");
+}
+function frameHash(canonicalFrameString) {
+  const hash = (0, import_crypto.createHash)("sha256").update(canonicalFrameString, "utf8").digest("hex");
+  return `sha256:${hash}`;
+}
+function computeFrameHash(params, profile) {
+  return frameHash(canonicalFrame(params, profile));
+}
+function validateBoundsParams(params, profile) {
+  const errors = [];
+  if (!profile.boundsSchema) {
+    return { valid: false, errors: ["Profile does not have a boundsSchema"] };
+  }
+  for (const [fieldName, fieldDef] of Object.entries(profile.boundsSchema.fields)) {
+    if (fieldDef.required && !(fieldName in params)) {
+      errors.push(`Missing required field: ${fieldName}`);
+    }
+  }
+  for (const [field, value] of Object.entries(params)) {
+    const fieldDef = profile.boundsSchema.fields[field];
+    if (!fieldDef) {
+      errors.push(`Unknown field "${field}" not defined in boundsSchema of profile ${profile.id}`);
+      continue;
+    }
+    if (fieldDef.type === "number" && typeof value !== "number") {
+      errors.push(`Field "${field}" must be a number, got ${typeof value}`);
+    }
+    if (fieldDef.type === "string" && typeof value !== "string") {
+      errors.push(`Field "${field}" must be a string, got ${typeof value}`);
+    }
+  }
+  return { valid: errors.length === 0, errors };
+}
+function validateContextParams(params, profile) {
+  const errors = [];
+  if (!profile.contextSchema) {
+    if (Object.keys(params).length > 0) {
+      errors.push("Profile does not have a contextSchema but context params were provided");
+    }
+    return { valid: errors.length === 0, errors };
+  }
+  for (const [fieldName, fieldDef] of Object.entries(profile.contextSchema.fields)) {
+    if (fieldDef.required && !(fieldName in params)) {
+      errors.push(`Missing required field: ${fieldName}`);
+    }
+  }
+  for (const [field, value] of Object.entries(params)) {
+    const fieldDef = profile.contextSchema.fields[field];
+    if (!fieldDef) {
+      errors.push(`Unknown field "${field}" not defined in contextSchema of profile ${profile.id}`);
+      continue;
+    }
+    if (fieldDef.type === "number" && typeof value !== "number") {
+      errors.push(`Field "${field}" must be a number, got ${typeof value}`);
+    }
+    if (fieldDef.type === "string" && typeof value !== "string") {
+      errors.push(`Field "${field}" must be a string, got ${typeof value}`);
+    }
+  }
+  return { valid: errors.length === 0, errors };
+}
+function canonicalBounds(params, profile) {
+  const validation = validateBoundsParams(params, profile);
+  if (!validation.valid) {
+    throw new Error(`Invalid bounds parameters: ${validation.errors.join("; ")}`);
+  }
+  const lines = profile.boundsSchema.keyOrder.map(
+    (key) => `${key}=${String(params[key])}`
+  );
+  return lines.join("\n");
+}
+function canonicalContext(params, profile) {
+  if (!profile.contextSchema || Object.keys(profile.contextSchema.fields).length === 0) {
+    return "";
+  }
+  const validation = validateContextParams(params, profile);
+  if (!validation.valid) {
+    throw new Error(`Invalid context parameters: ${validation.errors.join("; ")}`);
+  }
+  const lines = profile.contextSchema.keyOrder.map(
+    (key) => `${key}=${String(params[key])}`
+  );
+  return lines.join("\n");
+}
+function computeBoundsHash(params, profile) {
+  const canonical = canonicalBounds(params, profile);
+  const hash = (0, import_crypto.createHash)("sha256").update(canonical, "utf8").digest("hex");
+  return `sha256:${hash}`;
+}
+function computeContextHash(params, profile) {
+  const canonical = canonicalContext(params, profile);
+  const hash = (0, import_crypto.createHash)("sha256").update(canonical, "utf8").digest("hex");
+  return `sha256:${hash}`;
+}
+
+// src/attestation.ts
+var import_crypto2 = require("crypto");
+var ed = __toESM(require("@noble/ed25519"));
+function decodeAttestationBlob(blob) {
+  try {
+    const base64 = blob.replace(/-/g, "+").replace(/_/g, "/");
+    const padding = base64.length % 4 === 0 ? "" : "=".repeat(4 - base64.length % 4);
+    const json = Buffer.from(base64 + padding, "base64").toString("utf8");
+    return JSON.parse(json);
+  } catch {
+    throw new Error("MALFORMED_ATTESTATION: Failed to decode attestation blob");
+  }
+}
+function encodeAttestationBlob(attestation) {
+  const json = JSON.stringify(attestation);
+  const base64 = Buffer.from(json, "utf8").toString("base64");
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function attestationId(blob) {
+  const hash = (0, import_crypto2.createHash)("sha256").update(blob, "utf8").digest("hex");
+  return `sha256:${hash}`;
+}
+async function verifyAttestationSignature(attestation, publicKeyHex) {
+  try {
+    const payloadJson = JSON.stringify(attestation.payload);
+    const payloadBytes = new TextEncoder().encode(payloadJson);
+    const signatureBytes = Buffer.from(attestation.signature, "base64");
+    const publicKeyBytes = Buffer.from(publicKeyHex, "hex");
+    const isValid = await ed.verifyAsync(signatureBytes, payloadBytes, publicKeyBytes);
+    if (!isValid) {
+      throw new Error("INVALID_SIGNATURE: Attestation signature verification failed");
+    }
+  } catch (error) {
+    if (error instanceof Error && error.message.startsWith("INVALID_SIGNATURE")) throw error;
+    throw new Error(`INVALID_SIGNATURE: Signature verification error: ${error}`);
+  }
+}
+function checkAttestationExpiry(payload, now = Math.floor(Date.now() / 1e3)) {
+  if (payload.expires_at <= now) {
+    throw new Error(
+      `TTL_EXPIRED: Attestation expired at ${payload.expires_at}, current time is ${now}`
+    );
+  }
+}
+function verifyFrameHash(attestation, expectedFrameHash) {
+  if (attestation.payload.frame_hash !== expectedFrameHash) {
+    throw new Error("FRAME_MISMATCH: Frame hash mismatch");
+  }
+}
+function isV4Attestation(attestation) {
+  return attestation.payload.bounds_hash !== void 0;
+}
+function verifyBoundsHash(attestation, expectedBoundsHash) {
+  const attestedHash = attestation.payload.bounds_hash ?? attestation.payload.frame_hash;
+  if (attestedHash !== expectedBoundsHash) {
+    throw new Error("BOUNDS_MISMATCH: Bounds hash mismatch");
+  }
+}
+function verifyContextHash(attestation, expectedContextHash) {
+  if (attestation.payload.context_hash !== expectedContextHash) {
+    throw new Error("CONTEXT_MISMATCH: Context hash mismatch");
+  }
+}
+async function verifyAttestation(blob, publicKeyHex, expectedFrameHash) {
+  const attestation = decodeAttestationBlob(blob);
+  await verifyAttestationSignature(attestation, publicKeyHex);
+  checkAttestationExpiry(attestation.payload);
+  verifyFrameHash(attestation, expectedFrameHash);
+  return attestation.payload;
+}
+async function verifyAttestationV4(blob, publicKeyHex, expectedBoundsHash, expectedContextHash) {
+  const attestation = decodeAttestationBlob(blob);
+  await verifyAttestationSignature(attestation, publicKeyHex);
+  checkAttestationExpiry(attestation.payload);
+  verifyBoundsHash(attestation, expectedBoundsHash);
+  verifyContextHash(attestation, expectedContextHash);
+  return attestation.payload;
+}
+
+// src/profiles/index.ts
+var PROFILES = {};
+function registerProfile(profileId, profile) {
+  PROFILES[profileId] = profile;
+}
+function getProfile(profileId) {
+  return PROFILES[profileId];
+}
+function listProfiles() {
+  return Object.keys(PROFILES);
+}
+function getAllProfiles() {
+  return Object.values(PROFILES);
+}
+function clearProfiles() {
+  for (const key of Object.keys(PROFILES)) {
+    delete PROFILES[key];
+  }
+}
+
+// src/gatekeeper.ts
+async function verify(request, publicKeyHex, now = Math.floor(Date.now() / 1e3), executionLog) {
+  const errors = [];
+  const profileId = request.frame.profile;
+  if (typeof profileId !== "string") {
+    return { approved: false, errors: [{ code: "INVALID_PROFILE", message: "Missing profile in frame" }] };
+  }
+  const profile = getProfile(profileId);
+  if (!profile) {
+    return { approved: false, errors: [{ code: "INVALID_PROFILE", message: `Unknown profile: ${profileId}` }] };
+  }
+  const isV4Profile = !!profile.boundsSchema;
+  if (isV4Profile) {
+    return verifyV4(request, profile, publicKeyHex, now, executionLog);
+  } else {
+    return verifyV3(request, profile, publicKeyHex, now, executionLog, errors);
+  }
+}
+async function verifyV3(request, profile, publicKeyHex, now, executionLog, errors) {
+  const pathId = request.frame.path;
+  if (typeof pathId !== "string") {
+    return { approved: false, errors: [{ code: "INVALID_PROFILE", message: "Missing path in frame" }] };
+  }
+  const executionPath = profile.executionPaths[pathId];
+  if (!executionPath) {
+    return { approved: false, errors: [{ code: "INVALID_PROFILE", message: `Unknown execution path: ${pathId}` }] };
+  }
+  let expectedFrameHash;
+  try {
+    expectedFrameHash = computeFrameHash(request.frame, profile);
+  } catch (err) {
+    return { approved: false, errors: [{ code: "FRAME_MISMATCH", message: `Frame hash computation failed: ${err}` }] };
+  }
+  const requiredDomains = executionPath.requiredDomains ?? [];
+  const coveredDomains = /* @__PURE__ */ new Set();
+  for (const blob of request.attestations) {
+    let attestation;
+    try {
+      attestation = decodeAttestationBlob(blob);
+    } catch {
+      errors.push({ code: "MALFORMED_ATTESTATION", message: "Failed to decode attestation blob" });
+      continue;
+    }
+    try {
+      await verifyAttestationSignature(attestation, publicKeyHex);
+    } catch {
+      errors.push({ code: "INVALID_SIGNATURE", message: "Attestation signature verification failed" });
+      continue;
+    }
+    try {
+      verifyFrameHash(attestation, expectedFrameHash);
+    } catch {
+      errors.push({ code: "FRAME_MISMATCH", message: "Attestation frame_hash does not match computed frame_hash" });
+      continue;
+    }
+    try {
+      checkAttestationExpiry(attestation.payload, now);
+    } catch {
+      const domainNames = attestation.payload.resolved_domains.map((d) => d.domain).join(", ");
+      errors.push({ code: "TTL_EXPIRED", message: `Attestation for domain "${domainNames}" has expired` });
+      continue;
+    }
+    for (const rd of attestation.payload.resolved_domains) {
+      coveredDomains.add(rd.domain);
+    }
+  }
+  for (const domain of requiredDomains) {
+    if (!coveredDomains.has(domain)) {
+      errors.push({ code: "DOMAIN_NOT_COVERED", message: `Required domain "${domain}" not covered by any valid attestation` });
+    }
+  }
+  if (errors.length > 0) {
+    return { approved: false, errors };
+  }
+  if (executionLog && profile.executionContextSchema?.fields) {
+    const cumulativeErrors = resolveCumulativeFields(request, profile, executionLog, now);
+    if (cumulativeErrors.length > 0) {
+      return { approved: false, errors: cumulativeErrors };
+    }
+  }
+  const boundsErrors = checkBoundsFromFrameSchema(request, profile);
+  if (boundsErrors.length > 0) {
+    return { approved: false, errors: boundsErrors };
+  }
+  return { approved: true };
+}
+async function verifyV4(request, profile, publicKeyHex, now, executionLog) {
+  const errors = [];
+  const bounds = request.frame;
+  const context = request.context ?? {};
+  const pathId = bounds.path;
+  if (typeof pathId !== "string") {
+    return { approved: false, errors: [{ code: "INVALID_PROFILE", message: "Missing path in bounds" }] };
+  }
+  const executionPath = profile.executionPaths[pathId];
+  if (!executionPath) {
+    return { approved: false, errors: [{ code: "INVALID_PROFILE", message: `Unknown execution path: ${pathId}` }] };
+  }
+  let expectedBoundsHash;
+  let expectedContextHash;
+  try {
+    expectedBoundsHash = computeBoundsHash(bounds, profile);
+  } catch (err) {
+    return { approved: false, errors: [{ code: "BOUNDS_MISMATCH", message: `Bounds hash computation failed: ${err}` }] };
+  }
+  try {
+    expectedContextHash = computeContextHash(context, profile);
+  } catch (err) {
+    return { approved: false, errors: [{ code: "CONTEXT_MISMATCH", message: `Context hash computation failed: ${err}` }] };
+  }
+  const requiredDomains = executionPath.requiredDomains ?? [];
+  const coveredDomains = /* @__PURE__ */ new Set();
+  for (const blob of request.attestations) {
+    let attestation;
+    try {
+      attestation = decodeAttestationBlob(blob);
+    } catch {
+      errors.push({ code: "MALFORMED_ATTESTATION", message: "Failed to decode attestation blob" });
+      continue;
+    }
+    try {
+      await verifyAttestationSignature(attestation, publicKeyHex);
+    } catch {
+      errors.push({ code: "INVALID_SIGNATURE", message: "Attestation signature verification failed" });
+      continue;
+    }
+    try {
+      verifyBoundsHash(attestation, expectedBoundsHash);
+    } catch {
+      errors.push({ code: "BOUNDS_MISMATCH", message: "Attestation bounds_hash does not match computed bounds_hash" });
+      continue;
+    }
+    if (isV4Attestation(attestation)) {
+      try {
+        verifyContextHash(attestation, expectedContextHash);
+      } catch {
+        errors.push({ code: "CONTEXT_MISMATCH", message: "Attestation context_hash does not match computed context_hash" });
+        continue;
+      }
+    }
+    try {
+      checkAttestationExpiry(attestation.payload, now);
+    } catch {
+      const domainNames = attestation.payload.resolved_domains.map((d) => d.domain).join(", ");
+      errors.push({ code: "TTL_EXPIRED", message: `Attestation for domain "${domainNames}" has expired` });
+      continue;
+    }
+    for (const rd of attestation.payload.resolved_domains) {
+      coveredDomains.add(rd.domain);
+    }
+  }
+  for (const domain of requiredDomains) {
+    if (!coveredDomains.has(domain)) {
+      errors.push({ code: "DOMAIN_NOT_COVERED", message: `Required domain "${domain}" not covered by any valid attestation` });
+    }
+  }
+  if (errors.length > 0) {
+    return { approved: false, errors };
+  }
+  if (executionLog && profile.executionContextSchema?.fields) {
+    const cumulativeErrors = resolveCumulativeFields(request, profile, executionLog, now);
+    if (cumulativeErrors.length > 0) {
+      return { approved: false, errors: cumulativeErrors };
+    }
+  }
+  const boundsErrors = checkBoundsFromBoundsSchema(request, profile);
+  if (boundsErrors.length > 0) {
+    return { approved: false, errors: boundsErrors };
+  }
+  if (profile.contextSchema && Object.keys(profile.contextSchema.fields).length > 0) {
+    const contextErrors = checkContextConstraints(context, request.execution, profile);
+    if (contextErrors.length > 0) {
+      return { approved: false, errors: contextErrors };
+    }
+  }
+  return { approved: true };
+}
+function checkBoundsFromFrameSchema(request, profile) {
+  const errors = [];
+  if (!profile.frameSchema) return errors;
+  for (const [fieldName, fieldDef] of Object.entries(profile.frameSchema.fields)) {
+    if (!fieldDef.constraint) continue;
+    const constraint = fieldDef.constraint;
+    for (const enforceType of constraint.enforceable) {
+      if (enforceType === "max") {
+        const execField = fieldName.replace(/_max$/, "");
+        const boundValue = request.frame[fieldName];
+        const actualValue = request.execution[execField];
+        if (actualValue === void 0) continue;
+        if (typeof boundValue !== "number" || typeof actualValue !== "number") {
+          errors.push({
+            code: "BOUND_EXCEEDED",
+            field: execField,
+            message: `Bound check requires numeric values for "${execField}"`,
+            bound: boundValue,
+            actual: actualValue
+          });
+          continue;
+        }
+        if (actualValue > boundValue) {
+          errors.push({
+            code: "BOUND_EXCEEDED",
+            field: execField,
+            message: `Value ${actualValue} exceeds authorized maximum of ${boundValue}`,
+            bound: boundValue,
+            actual: actualValue
+          });
+        }
+      }
+      if (enforceType === "enum") {
+        const boundValue = request.frame[fieldName];
+        const actualValue = request.execution[fieldName];
+        if (actualValue === void 0) continue;
+        const allowed = typeof boundValue === "string" ? boundValue.split(",").map((s) => s.trim()) : [String(boundValue)];
+        const actualStr = String(actualValue);
+        if (!allowed.includes(actualStr)) {
+          errors.push({
+            code: "BOUND_EXCEEDED",
+            field: fieldName,
+            message: `Value "${actualStr}" not in authorized values [${allowed.join(", ")}]`,
+            bound: boundValue,
+            actual: actualValue
+          });
+        }
+      }
+    }
+  }
+  return errors;
+}
+function checkBoundsFromBoundsSchema(request, profile) {
+  const errors = [];
+  const bounds = request.frame;
+  if (!profile.boundsSchema) return errors;
+  for (const [fieldName, fieldDef] of Object.entries(profile.boundsSchema.fields)) {
+    if (!fieldDef.constraint) continue;
+    const constraint = fieldDef.constraint;
+    for (const enforceType of constraint.enforceable) {
+      if (enforceType === "max") {
+        const execField = fieldName.replace(/_max$/, "");
+        const boundValue = bounds[fieldName];
+        const actualValue = request.execution[execField];
+        if (actualValue === void 0) continue;
+        if (typeof boundValue !== "number" || typeof actualValue !== "number") {
+          errors.push({
+            code: "BOUND_EXCEEDED",
+            field: execField,
+            message: `Bound check requires numeric values for "${execField}"`,
+            bound: boundValue,
+            actual: actualValue
+          });
+          continue;
+        }
+        if (actualValue > boundValue) {
+          errors.push({
+            code: "BOUND_EXCEEDED",
+            field: execField,
+            message: `Value ${actualValue} exceeds authorized maximum of ${boundValue}`,
+            bound: boundValue,
+            actual: actualValue
+          });
+        }
+      }
+    }
+  }
+  return errors;
+}
+function checkContextConstraints(context, execution, profile) {
+  const errors = [];
+  if (!profile.contextSchema) return errors;
+  for (const [fieldName, fieldDef] of Object.entries(profile.contextSchema.fields)) {
+    if (!fieldDef.constraint) continue;
+    for (const enforceType of fieldDef.constraint.enforceable) {
+      if (enforceType === "enum") {
+        const boundValue = context[fieldName];
+        const actualValue = execution[fieldName];
+        if (actualValue === void 0) continue;
+        const allowed = typeof boundValue === "string" ? boundValue.split(",").map((s) => s.trim()) : [String(boundValue)];
+        const actualStr = String(actualValue);
+        if (!allowed.includes(actualStr)) {
+          errors.push({
+            code: "BOUND_EXCEEDED",
+            field: fieldName,
+            message: `Value "${actualStr}" not in authorized context values [${allowed.join(", ")}]`,
+            bound: boundValue,
+            actual: actualValue
+          });
+        }
+      }
+      if (enforceType === "subset") {
+        const boundValue = context[fieldName];
+        const actualValue = execution[fieldName];
+        if (boundValue === void 0 || boundValue === "") continue;
+        if (actualValue === void 0 || actualValue === "") continue;
+        const allowed = String(boundValue).split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
+        const actuals = String(actualValue).split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
+        const disallowed = actuals.filter((v) => !allowed.includes(v));
+        if (disallowed.length > 0) {
+          errors.push({
+            code: "BOUND_EXCEEDED",
+            field: fieldName,
+            message: `Values [${disallowed.join(", ")}] not in authorized set [${allowed.join(", ")}]`,
+            bound: boundValue,
+            actual: actualValue
+          });
+        }
+      }
+    }
+  }
+  return errors;
+}
+function resolveCumulativeFields(request, profile, executionLog, now) {
+  const errors = [];
+  const profileId = String(request.frame.profile);
+  const path = String(request.frame.path);
+  const boundsOrFrame = request.frame;
+  for (const [fieldName, fieldDef] of Object.entries(profile.executionContextSchema.fields)) {
+    if (fieldDef.source !== "cumulative") continue;
+    const cumDef = fieldDef;
+    const { cumulativeField, window: windowType } = cumDef;
+    const runningTotal = executionLog.sumByWindow(profileId, path, cumulativeField, windowType, now);
+    let currentContribution;
+    if (cumulativeField === "_count") {
+      currentContribution = 1;
+    } else {
+      const val = request.execution[cumulativeField];
+      currentContribution = typeof val === "number" ? val : val !== void 0 ? Number(val) : 0;
+    }
+    const cumulativeValue = runningTotal + currentContribution;
+    request.execution[fieldName] = cumulativeValue;
+    const boundFieldName = fieldName + "_max";
+    const boundValue = boundsOrFrame[boundFieldName];
+    if (boundValue === void 0) continue;
+    if (typeof boundValue !== "number") {
+      errors.push({
+        code: "CUMULATIVE_LIMIT_EXCEEDED",
+        field: fieldName,
+        message: `Cumulative bound requires numeric value for "${boundFieldName}"`,
+        bound: boundValue,
+        actual: cumulativeValue
+      });
+      continue;
+    }
+    if (cumulativeValue > boundValue) {
+      errors.push({
+        code: "CUMULATIVE_LIMIT_EXCEEDED",
+        field: fieldName,
+        message: `Cumulative ${windowType} value ${cumulativeValue} exceeds limit of ${boundValue}`,
+        bound: boundValue,
+        actual: cumulativeValue
+      });
+    }
+  }
+  return errors;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  attestationId,
+  canonicalBounds,
+  canonicalContext,
+  canonicalFrame,
+  checkAttestationExpiry,
+  clearProfiles,
+  computeBoundsHash,
+  computeContextHash,
+  computeFrameHash,
+  decodeAttestationBlob,
+  encodeAttestationBlob,
+  frameHash,
+  getAllProfiles,
+  getProfile,
+  isV4Attestation,
+  listProfiles,
+  registerProfile,
+  validateBoundsParams,
+  validateContextParams,
+  validateFrameParams,
+  verify,
+  verifyAttestation,
+  verifyAttestationSignature,
+  verifyAttestationV4,
+  verifyBoundsHash,
+  verifyContextHash,
+  verifyFrameHash
+});