@peac/kernel 0.10.9 → 0.10.11

package/LICENSE

@@ -175,7 +175,7 @@ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
 
 END OF TERMS AND CONDITIONS
 
-Copyright 2025 PEAC Protocol Contributors
+Copyright 2025-2026 PEAC Protocol Contributors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.

package/dist/constants.cjs

@@ -0,0 +1,182 @@
+'use strict';
+
+// src/constants.ts
+var WIRE_TYPE = "peac-receipt/0.1";
+var WIRE_VERSION = "0.1";
+var ALGORITHMS = {
+  supported: ["EdDSA"],
+  default: "EdDSA"
+};
+var HEADERS = {
+  receipt: "PEAC-Receipt",
+  receiptPointer: "PEAC-Receipt-Pointer",
+  dpop: "DPoP",
+  // Purpose headers (v0.9.24+)
+  purpose: "PEAC-Purpose",
+  purposeApplied: "PEAC-Purpose-Applied",
+  purposeReason: "PEAC-Purpose-Reason"
+};
+var POLICY = {
+  manifestPath: "/.well-known/peac.txt",
+  fallbackPath: "/peac.txt",
+  manifestVersion: "peac-policy/0.1",
+  cacheTtlSeconds: 3600,
+  maxBytes: 262144,
+  // 256 KiB
+  maxDepth: 8
+};
+var ISSUER_CONFIG = {
+  configPath: "/.well-known/peac-issuer.json",
+  configVersion: "peac-issuer/0.1",
+  cacheTtlSeconds: 3600,
+  maxBytes: 65536,
+  // 64 KiB
+  maxDepth: 4,
+  fetchTimeoutMs: 1e4
+};
+var DISCOVERY = {
+  manifestPath: POLICY.manifestPath,
+  manifestVersion: "peac/0.9",
+  cacheTtlSeconds: POLICY.cacheTtlSeconds
+};
+var JWKS = {
+  rotationDays: 90,
+  overlapDays: 7,
+  emergencyRevocationHours: 24
+};
+var RECEIPT = {
+  minReceiptIdLength: 16,
+  maxReceiptIdLength: 64,
+  defaultTtlSeconds: 86400
+  // 24 hours
+};
+var LIMITS = {
+  maxAmountCents: 999999999999,
+  minAmountCents: 1
+};
+var BUNDLE_VERSION = "peac-bundle/0.1";
+var VERIFICATION_REPORT_VERSION = "peac-verification-report/0.1";
+var HASH = {
+  /** Canonical hash algorithm */
+  algorithm: "sha256",
+  /** Hash prefix pattern */
+  prefix: "sha256:",
+  /** Valid hash regex: sha256:<64 lowercase hex> */
+  pattern: /^sha256:[0-9a-f]{64}$/,
+  /** Hex-only pattern for legacy comparison */
+  hexPattern: /^[0-9a-f]{64}$/
+};
+function parseHash(hash) {
+  if (!HASH.pattern.test(hash)) {
+    return null;
+  }
+  return {
+    alg: "sha256",
+    hex: hash.slice(7)
+    // Remove 'sha256:' prefix
+  };
+}
+function formatHash(hex) {
+  if (!HASH.hexPattern.test(hex)) {
+    return null;
+  }
+  return `sha256:${hex}`;
+}
+function isValidHash(hash) {
+  return HASH.pattern.test(hash);
+}
+var VERIFIER_LIMITS = {
+  /** Maximum receipt size in bytes (256 KB) */
+  maxReceiptBytes: 262144,
+  /** Maximum number of claims in a receipt */
+  maxClaimsCount: 100,
+  /** Maximum extension size in bytes (64 KB) */
+  maxExtensionBytes: 65536,
+  /** Maximum string length for individual claims (64 KB) */
+  maxStringLength: 65536,
+  /** Maximum JWKS document size in bytes (64 KB) */
+  maxJwksBytes: 65536,
+  /** Maximum number of keys in a JWKS */
+  maxJwksKeys: 20,
+  /** Maximum individual key size in bytes */
+  maxKeySize: 4096,
+  /** Network fetch timeout in milliseconds */
+  fetchTimeoutMs: 5e3,
+  /** Maximum number of redirects to follow */
+  maxRedirects: 3,
+  /** Maximum network response size in bytes (256 KB) */
+  maxResponseBytes: 262144
+};
+var VERIFIER_NETWORK = {
+  /** Only allow HTTPS URLs */
+  httpsOnly: true,
+  /** Block requests to private IP ranges */
+  blockPrivateIps: true,
+  /** Default redirect policy (false = no redirects) */
+  allowRedirects: false
+};
+var PRIVATE_IP_RANGES = {
+  /** RFC 1918 private ranges */
+  rfc1918: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
+  /** Link-local addresses */
+  linkLocal: ["169.254.0.0/16"],
+  /** Loopback addresses */
+  loopback: ["127.0.0.0/8"],
+  /** IPv6 loopback */
+  ipv6Loopback: ["::1/128"],
+  /** IPv6 link-local */
+  ipv6LinkLocal: ["fe80::/10"]
+};
+var VERIFIER_POLICY_VERSION = "peac-verifier-policy/0.1";
+var VERIFICATION_MODES = {
+  /** All verification in browser/client, may fetch JWKS */
+  clientSide: "client_side",
+  /** No network access, uses bundled/pinned keys */
+  offlineOnly: "offline_only",
+  /** Prefer offline, fallback to network */
+  offlinePreferred: "offline_preferred",
+  /** Allow network fetches for key discovery */
+  networkAllowed: "network_allowed"
+};
+var CONSTANTS = {
+  WIRE_TYPE,
+  WIRE_VERSION,
+  ALGORITHMS,
+  HEADERS,
+  DISCOVERY,
+  JWKS,
+  RECEIPT,
+  LIMITS,
+  BUNDLE_VERSION,
+  VERIFICATION_REPORT_VERSION,
+  HASH,
+  VERIFIER_LIMITS,
+  VERIFIER_NETWORK,
+  VERIFIER_POLICY_VERSION,
+  VERIFICATION_MODES
+};
+
+exports.ALGORITHMS = ALGORITHMS;
+exports.BUNDLE_VERSION = BUNDLE_VERSION;
+exports.CONSTANTS = CONSTANTS;
+exports.DISCOVERY = DISCOVERY;
+exports.HASH = HASH;
+exports.HEADERS = HEADERS;
+exports.ISSUER_CONFIG = ISSUER_CONFIG;
+exports.JWKS = JWKS;
+exports.LIMITS = LIMITS;
+exports.POLICY = POLICY;
+exports.PRIVATE_IP_RANGES = PRIVATE_IP_RANGES;
+exports.RECEIPT = RECEIPT;
+exports.VERIFICATION_MODES = VERIFICATION_MODES;
+exports.VERIFICATION_REPORT_VERSION = VERIFICATION_REPORT_VERSION;
+exports.VERIFIER_LIMITS = VERIFIER_LIMITS;
+exports.VERIFIER_NETWORK = VERIFIER_NETWORK;
+exports.VERIFIER_POLICY_VERSION = VERIFIER_POLICY_VERSION;
+exports.WIRE_TYPE = WIRE_TYPE;
+exports.WIRE_VERSION = WIRE_VERSION;
+exports.formatHash = formatHash;
+exports.isValidHash = isValidHash;
+exports.parseHash = parseHash;
+//# sourceMappingURL=constants.cjs.map
+//# sourceMappingURL=constants.cjs.map

package/dist/constants.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/constants.ts"],"names":[],"mappings":";;;AAYO,IAAM,SAAA,GAAY;AAMlB,IAAM,YAAA,GAAe;AAKrB,IAAM,UAAA,GAAa;AAAA,EACxB,SAAA,EAAW,CAAC,OAAO,CAAA;AAAA,EACnB,OAAA,EAAS;AACX;AAKO,IAAM,OAAA,GAAU;AAAA,EACrB,OAAA,EAAS,cAAA;AAAA,EACT,cAAA,EAAgB,sBAAA;AAAA,EAChB,IAAA,EAAM,MAAA;AAAA;AAAA,EAEN,OAAA,EAAS,cAAA;AAAA,EACT,cAAA,EAAgB,sBAAA;AAAA,EAChB,aAAA,EAAe;AACjB;AAQO,IAAM,MAAA,GAAS;AAAA,EACpB,YAAA,EAAc,uBAAA;AAAA,EACd,YAAA,EAAc,WAAA;AAAA,EACd,eAAA,EAAiB,iBAAA;AAAA,EACjB,eAAA,EAAiB,IAAA;AAAA,EACjB,QAAA,EAAU,MAAA;AAAA;AAAA,EACV,QAAA,EAAU;AACZ;AAQO,IAAM,aAAA,GAAgB;AAAA,EAC3B,UAAA,EAAY,+BAAA;AAAA,EACZ,aAAA,EAAe,iBAAA;AAAA,EACf,eAAA,EAAiB,IAAA;AAAA,EACjB,QAAA,EAAU,KAAA;AAAA;AAAA,EACV,QAAA,EAAU,CAAA;AAAA,EACV,cAAA,EAAgB;AAClB;AAKO,IAAM,SAAA,GAAY;AAAA,EACvB,cAAc,MAAA,CAAO,YAAA;AAAA,EACrB,eAAA,EAAiB,UAAA;AAAA,EACjB,iBAAiB,MAAA,CAAO;AAC1B;AAKO,IAAM,IAAA,GAAO;AAAA,EAClB,YAAA,EAAc,EAAA;AAAA,EACd,WAAA,EAAa,CAAA;AAAA,EACb,wBAAA,EAA0B;AAC5B;AAKO,IAAM,OAAA,GAAU;AAAA,EACrB,kBAAA,EAAoB,EAAA;AAAA,EACpB,kBAAA,EAAoB,EAAA;AAAA,EACpB,iBAAA,EAAmB;AAAA;AACrB;AAKO,IAAM,MAAA,GAAS;AAAA,EACpB,cAAA,EAAgB,YAAA;AAAA,EAChB,cAAA,EAAgB;AAClB;AAMO,IAAM,cAAA,GAAiB;AAKvB,IAAM,2BAAA,GAA8B;AAMpC,IAAM,IAAA,GAAO;AAAA;AAAA,EAElB,SAAA,EAAW,QAAA;AAAA;AAAA,EAGX,MAAA,EAAQ,SAAA;AAAA;AAAA,EAGR,OAAA,EAAS,uBAAA;AAAA;AAAA,EAGT,UAAA,EAAY;AACd;AASO,SAAS,UAAU,IAAA,EAAqD;AAC7E,EAAA,IAAI,CAAC,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA,EAAG;AAC5B,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO;AAAA,IACL,GAAA,EAAK,QAAA;AAAA,IACL,GAAA,EAAK,IAAA,CAAK,KAAA,CAAM,CAAC;AAAA;AAAA,GACnB;AACF;AASO,SAAS,WAAW,GAAA,EAA4B;AACrD,EAAA,IAAI,CAAC,IAAA,CAAK,UAAA,CAAW,IAAA,CAAK,GAAG,CAAA,EAAG;AAC9B,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO,UAAU,GAAG,CAAA,CAAA;AACtB;AAQO,SAAS,YAAY,IAAA,EAAuB;AACjD,EAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA;AAC/B;AAKO,IAAM,eAAA,GAAkB;AAAA;AAAA,EAE7B,eAAA,EAAiB,MAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,iBAAA,EAAmB,KAAA;AAAA;AAAA,EAEnB,eAAA,EAAiB,KAAA;AAAA;AAAA,EAEjB,YAAA,EAAc,KAAA;AAAA;AAAA,EAEd,WAAA,EAAa,EAAA;AAAA;AAAA,EAEb,UAAA,EAAY,IAAA;AAAA;AAAA,EAEZ,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,YAAA,EAAc,CAAA;AAAA;AAAA,EAEd,gBAAA,EAAkB;AACpB;AAKO,IAAM,gBAAA,GAAmB;AAAA;AAAA,EAE9B,SAAA,EAAW,IAAA;AAAA;AAAA,EAEX,eAAA,EAAiB,IAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB;AAClB;AAKO,IAAM,iBAAA,GAAoB;AAAA;AAAA,EAE/B,OAAA,EAAS,CAAC,YAAA,EAAc,eAAA,EAAiB,gBAAgB,CAAA;AAAA;AAAA,EAEzD,SAAA,EAAW,CAAC,gBAAgB,CAAA;AAAA;AAAA,EAE5B,QAAA,EAAU,CAAC,aAAa,CAAA;AAAA;AAAA,EAExB,YAAA,EAAc,CAAC,SAAS,CAAA;AAAA;AAAA,EAExB,aAAA,EAAe,CAAC,WAAW;AAC7B;AAKO,IAAM,uBAAA,GAA0B;AAKhC,IAAM,kBAAA,GAAqB;AAAA;AAAA,EAEhC,UAAA,EAAY,aAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,cAAA;AAAA;AAAA,EAEb,gBAAA,EAAkB,mBAAA;AAAA;AAAA,EAElB,cAAA,EAAgB;AAClB;AAKO,IAAM,SAAA,GAAY;AAAA,EACvB,SAAA;AAAA,EACA,YAAA;AAAA,EACA,UAAA;AAAA,EACA,OAAA;AAAA,EACA,SAAA;AAAA,EACA,IAAA;AAAA,EACA,OAAA;AAAA,EACA,MAAA;AAAA,EACA,cAAA;AAAA,EACA,2BAAA;AAAA,EACA,IAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,uBAAA;AAAA,EACA;AACF","file":"constants.cjs","sourcesContent":["/**\n * PEAC Protocol Constants\n * Derived from specs/kernel/constants.json\n *\n * NOTE: This file is manually synced for v0.9.15.\n * From v0.9.16+, this will be auto-generated via codegen.\n */\n\n/**\n * Wire format type for PEAC receipts\n * Normalized to peac-receipt/0.1 per DEC-20260114-002\n */\nexport const WIRE_TYPE = 'peac-receipt/0.1' as const;\n\n/**\n * Wire format version (extracted from WIRE_TYPE)\n * Use this for wire_version fields in receipts\n */\nexport const WIRE_VERSION = '0.1' as const;\n\n/**\n * Supported cryptographic algorithms\n */\nexport const ALGORITHMS = {\n  supported: ['EdDSA'] as const,\n  default: 'EdDSA' as const,\n} as const;\n\n/**\n * HTTP header names for PEAC protocol\n */\nexport const HEADERS = {\n  receipt: 'PEAC-Receipt' as const,\n  receiptPointer: 'PEAC-Receipt-Pointer' as const,\n  dpop: 'DPoP' as const,\n  // Purpose headers (v0.9.24+)\n  purpose: 'PEAC-Purpose' as const,\n  purposeApplied: 'PEAC-Purpose-Applied' as const,\n  purposeReason: 'PEAC-Purpose-Reason' as const,\n} as const;\n\n/**\n * Policy manifest settings (/.well-known/peac.txt)\n *\n * Policy documents declare access terms for agents and gateways.\n * @see docs/specs/PEAC-TXT.md\n */\nexport const POLICY = {\n  manifestPath: '/.well-known/peac.txt' as const,\n  fallbackPath: '/peac.txt' as const,\n  manifestVersion: 'peac-policy/0.1' as const,\n  cacheTtlSeconds: 3600,\n  maxBytes: 262144, // 256 KiB\n  maxDepth: 8,\n} as const;\n\n/**\n * Issuer configuration settings (/.well-known/peac-issuer.json)\n *\n * Issuer config enables verifiers to discover JWKS and verification endpoints.\n * @see docs/specs/PEAC-ISSUER.md\n */\nexport const ISSUER_CONFIG = {\n  configPath: '/.well-known/peac-issuer.json' as const,\n  configVersion: 'peac-issuer/0.1' as const,\n  cacheTtlSeconds: 3600,\n  maxBytes: 65536, // 64 KiB\n  maxDepth: 4,\n  fetchTimeoutMs: 10000,\n} as const;\n\n/**\n * @deprecated Use POLICY instead. Will be removed in v1.0.\n */\nexport const DISCOVERY = {\n  manifestPath: POLICY.manifestPath,\n  manifestVersion: 'peac/0.9' as const,\n  cacheTtlSeconds: POLICY.cacheTtlSeconds,\n} as const;\n\n/**\n * JWKS rotation and revocation settings\n */\nexport const JWKS = {\n  rotationDays: 90,\n  overlapDays: 7,\n  emergencyRevocationHours: 24,\n} as const;\n\n/**\n * Receipt validation constants\n */\nexport const RECEIPT = {\n  minReceiptIdLength: 16,\n  maxReceiptIdLength: 64,\n  defaultTtlSeconds: 86400, // 24 hours\n} as const;\n\n/**\n * Payment amount validation limits (in cents/smallest currency unit)\n */\nexport const LIMITS = {\n  maxAmountCents: 999999999999,\n  minAmountCents: 1,\n} as const;\n\n/**\n * Bundle format version.\n * Used in dispute bundles, audit bundles, and archive bundles.\n */\nexport const BUNDLE_VERSION = 'peac-bundle/0.1' as const;\n\n/**\n * Verification report format version.\n */\nexport const VERIFICATION_REPORT_VERSION = 'peac-verification-report/0.1' as const;\n\n/**\n * Hash format constants and utilities.\n * All hashes use the self-describing format: sha256:<64 lowercase hex chars>\n */\nexport const HASH = {\n  /** Canonical hash algorithm */\n  algorithm: 'sha256' as const,\n\n  /** Hash prefix pattern */\n  prefix: 'sha256:' as const,\n\n  /** Valid hash regex: sha256:<64 lowercase hex> */\n  pattern: /^sha256:[0-9a-f]{64}$/,\n\n  /** Hex-only pattern for legacy comparison */\n  hexPattern: /^[0-9a-f]{64}$/,\n};\n\n/**\n * Parse a sha256:<hex> hash string into components.\n * Returns null if the format is invalid.\n *\n * @param hash - Hash string to parse (e.g., \"sha256:abc123...\")\n * @returns Parsed hash or null if invalid\n */\nexport function parseHash(hash: string): { alg: 'sha256'; hex: string } | null {\n  if (!HASH.pattern.test(hash)) {\n    return null;\n  }\n  return {\n    alg: 'sha256',\n    hex: hash.slice(7), // Remove 'sha256:' prefix\n  };\n}\n\n/**\n * Format a hex string as a sha256:<hex> hash.\n * Validates that the hex is exactly 64 lowercase characters.\n *\n * @param hex - Hex string (64 lowercase characters)\n * @returns Formatted hash or null if invalid\n */\nexport function formatHash(hex: string): string | null {\n  if (!HASH.hexPattern.test(hex)) {\n    return null;\n  }\n  return `sha256:${hex}`;\n}\n\n/**\n * Validate a hash string is in the correct format.\n *\n * @param hash - Hash string to validate\n * @returns true if valid sha256:<64 hex> format\n */\nexport function isValidHash(hash: string): boolean {\n  return HASH.pattern.test(hash);\n}\n\n/**\n * Verifier security limits per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFIER_LIMITS = {\n  /** Maximum receipt size in bytes (256 KB) */\n  maxReceiptBytes: 262144,\n  /** Maximum number of claims in a receipt */\n  maxClaimsCount: 100,\n  /** Maximum extension size in bytes (64 KB) */\n  maxExtensionBytes: 65536,\n  /** Maximum string length for individual claims (64 KB) */\n  maxStringLength: 65536,\n  /** Maximum JWKS document size in bytes (64 KB) */\n  maxJwksBytes: 65536,\n  /** Maximum number of keys in a JWKS */\n  maxJwksKeys: 20,\n  /** Maximum individual key size in bytes */\n  maxKeySize: 4096,\n  /** Network fetch timeout in milliseconds */\n  fetchTimeoutMs: 5000,\n  /** Maximum number of redirects to follow */\n  maxRedirects: 3,\n  /** Maximum network response size in bytes (256 KB) */\n  maxResponseBytes: 262144,\n} as const;\n\n/**\n * Verifier network security settings per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFIER_NETWORK = {\n  /** Only allow HTTPS URLs */\n  httpsOnly: true,\n  /** Block requests to private IP ranges */\n  blockPrivateIps: true,\n  /** Default redirect policy (false = no redirects) */\n  allowRedirects: false,\n} as const;\n\n/**\n * Private IPv4 CIDR blocks to block for SSRF protection\n */\nexport const PRIVATE_IP_RANGES = {\n  /** RFC 1918 private ranges */\n  rfc1918: ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'] as const,\n  /** Link-local addresses */\n  linkLocal: ['169.254.0.0/16'] as const,\n  /** Loopback addresses */\n  loopback: ['127.0.0.0/8'] as const,\n  /** IPv6 loopback */\n  ipv6Loopback: ['::1/128'] as const,\n  /** IPv6 link-local */\n  ipv6LinkLocal: ['fe80::/10'] as const,\n} as const;\n\n/**\n * Verifier policy version\n */\nexport const VERIFIER_POLICY_VERSION = 'peac-verifier-policy/0.1' as const;\n\n/**\n * Verification modes per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFICATION_MODES = {\n  /** All verification in browser/client, may fetch JWKS */\n  clientSide: 'client_side' as const,\n  /** No network access, uses bundled/pinned keys */\n  offlineOnly: 'offline_only' as const,\n  /** Prefer offline, fallback to network */\n  offlinePreferred: 'offline_preferred' as const,\n  /** Allow network fetches for key discovery */\n  networkAllowed: 'network_allowed' as const,\n} as const;\n\n/**\n * All constants export\n */\nexport const CONSTANTS = {\n  WIRE_TYPE,\n  WIRE_VERSION,\n  ALGORITHMS,\n  HEADERS,\n  DISCOVERY,\n  JWKS,\n  RECEIPT,\n  LIMITS,\n  BUNDLE_VERSION,\n  VERIFICATION_REPORT_VERSION,\n  HASH,\n  VERIFIER_LIMITS,\n  VERIFIER_NETWORK,\n  VERIFIER_POLICY_VERSION,\n  VERIFICATION_MODES,\n} as const;\n"]}

package/dist/constants.mjs

@@ -0,0 +1,159 @@
+// src/constants.ts
+var WIRE_TYPE = "peac-receipt/0.1";
+var WIRE_VERSION = "0.1";
+var ALGORITHMS = {
+  supported: ["EdDSA"],
+  default: "EdDSA"
+};
+var HEADERS = {
+  receipt: "PEAC-Receipt",
+  receiptPointer: "PEAC-Receipt-Pointer",
+  dpop: "DPoP",
+  // Purpose headers (v0.9.24+)
+  purpose: "PEAC-Purpose",
+  purposeApplied: "PEAC-Purpose-Applied",
+  purposeReason: "PEAC-Purpose-Reason"
+};
+var POLICY = {
+  manifestPath: "/.well-known/peac.txt",
+  fallbackPath: "/peac.txt",
+  manifestVersion: "peac-policy/0.1",
+  cacheTtlSeconds: 3600,
+  maxBytes: 262144,
+  // 256 KiB
+  maxDepth: 8
+};
+var ISSUER_CONFIG = {
+  configPath: "/.well-known/peac-issuer.json",
+  configVersion: "peac-issuer/0.1",
+  cacheTtlSeconds: 3600,
+  maxBytes: 65536,
+  // 64 KiB
+  maxDepth: 4,
+  fetchTimeoutMs: 1e4
+};
+var DISCOVERY = {
+  manifestPath: POLICY.manifestPath,
+  manifestVersion: "peac/0.9",
+  cacheTtlSeconds: POLICY.cacheTtlSeconds
+};
+var JWKS = {
+  rotationDays: 90,
+  overlapDays: 7,
+  emergencyRevocationHours: 24
+};
+var RECEIPT = {
+  minReceiptIdLength: 16,
+  maxReceiptIdLength: 64,
+  defaultTtlSeconds: 86400
+  // 24 hours
+};
+var LIMITS = {
+  maxAmountCents: 999999999999,
+  minAmountCents: 1
+};
+var BUNDLE_VERSION = "peac-bundle/0.1";
+var VERIFICATION_REPORT_VERSION = "peac-verification-report/0.1";
+var HASH = {
+  /** Canonical hash algorithm */
+  algorithm: "sha256",
+  /** Hash prefix pattern */
+  prefix: "sha256:",
+  /** Valid hash regex: sha256:<64 lowercase hex> */
+  pattern: /^sha256:[0-9a-f]{64}$/,
+  /** Hex-only pattern for legacy comparison */
+  hexPattern: /^[0-9a-f]{64}$/
+};
+function parseHash(hash) {
+  if (!HASH.pattern.test(hash)) {
+    return null;
+  }
+  return {
+    alg: "sha256",
+    hex: hash.slice(7)
+    // Remove 'sha256:' prefix
+  };
+}
+function formatHash(hex) {
+  if (!HASH.hexPattern.test(hex)) {
+    return null;
+  }
+  return `sha256:${hex}`;
+}
+function isValidHash(hash) {
+  return HASH.pattern.test(hash);
+}
+var VERIFIER_LIMITS = {
+  /** Maximum receipt size in bytes (256 KB) */
+  maxReceiptBytes: 262144,
+  /** Maximum number of claims in a receipt */
+  maxClaimsCount: 100,
+  /** Maximum extension size in bytes (64 KB) */
+  maxExtensionBytes: 65536,
+  /** Maximum string length for individual claims (64 KB) */
+  maxStringLength: 65536,
+  /** Maximum JWKS document size in bytes (64 KB) */
+  maxJwksBytes: 65536,
+  /** Maximum number of keys in a JWKS */
+  maxJwksKeys: 20,
+  /** Maximum individual key size in bytes */
+  maxKeySize: 4096,
+  /** Network fetch timeout in milliseconds */
+  fetchTimeoutMs: 5e3,
+  /** Maximum number of redirects to follow */
+  maxRedirects: 3,
+  /** Maximum network response size in bytes (256 KB) */
+  maxResponseBytes: 262144
+};
+var VERIFIER_NETWORK = {
+  /** Only allow HTTPS URLs */
+  httpsOnly: true,
+  /** Block requests to private IP ranges */
+  blockPrivateIps: true,
+  /** Default redirect policy (false = no redirects) */
+  allowRedirects: false
+};
+var PRIVATE_IP_RANGES = {
+  /** RFC 1918 private ranges */
+  rfc1918: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
+  /** Link-local addresses */
+  linkLocal: ["169.254.0.0/16"],
+  /** Loopback addresses */
+  loopback: ["127.0.0.0/8"],
+  /** IPv6 loopback */
+  ipv6Loopback: ["::1/128"],
+  /** IPv6 link-local */
+  ipv6LinkLocal: ["fe80::/10"]
+};
+var VERIFIER_POLICY_VERSION = "peac-verifier-policy/0.1";
+var VERIFICATION_MODES = {
+  /** All verification in browser/client, may fetch JWKS */
+  clientSide: "client_side",
+  /** No network access, uses bundled/pinned keys */
+  offlineOnly: "offline_only",
+  /** Prefer offline, fallback to network */
+  offlinePreferred: "offline_preferred",
+  /** Allow network fetches for key discovery */
+  networkAllowed: "network_allowed"
+};
+var CONSTANTS = {
+  WIRE_TYPE,
+  WIRE_VERSION,
+  ALGORITHMS,
+  HEADERS,
+  DISCOVERY,
+  JWKS,
+  RECEIPT,
+  LIMITS,
+  BUNDLE_VERSION,
+  VERIFICATION_REPORT_VERSION,
+  HASH,
+  VERIFIER_LIMITS,
+  VERIFIER_NETWORK,
+  VERIFIER_POLICY_VERSION,
+  VERIFICATION_MODES
+};
+
+export { ALGORITHMS, BUNDLE_VERSION, CONSTANTS, DISCOVERY, HASH, HEADERS, ISSUER_CONFIG, JWKS, LIMITS, POLICY, PRIVATE_IP_RANGES, RECEIPT, VERIFICATION_MODES, VERIFICATION_REPORT_VERSION, VERIFIER_LIMITS, VERIFIER_NETWORK, VERIFIER_POLICY_VERSION, WIRE_TYPE, WIRE_VERSION, formatHash, isValidHash, parseHash };
+//# sourceMappingURL=constants.mjs.map
+//# sourceMappingURL=constants.mjs.map

package/dist/constants.mjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/constants.ts"],"names":[],"mappings":";AAYO,IAAM,SAAA,GAAY;AAMlB,IAAM,YAAA,GAAe;AAKrB,IAAM,UAAA,GAAa;AAAA,EACxB,SAAA,EAAW,CAAC,OAAO,CAAA;AAAA,EACnB,OAAA,EAAS;AACX;AAKO,IAAM,OAAA,GAAU;AAAA,EACrB,OAAA,EAAS,cAAA;AAAA,EACT,cAAA,EAAgB,sBAAA;AAAA,EAChB,IAAA,EAAM,MAAA;AAAA;AAAA,EAEN,OAAA,EAAS,cAAA;AAAA,EACT,cAAA,EAAgB,sBAAA;AAAA,EAChB,aAAA,EAAe;AACjB;AAQO,IAAM,MAAA,GAAS;AAAA,EACpB,YAAA,EAAc,uBAAA;AAAA,EACd,YAAA,EAAc,WAAA;AAAA,EACd,eAAA,EAAiB,iBAAA;AAAA,EACjB,eAAA,EAAiB,IAAA;AAAA,EACjB,QAAA,EAAU,MAAA;AAAA;AAAA,EACV,QAAA,EAAU;AACZ;AAQO,IAAM,aAAA,GAAgB;AAAA,EAC3B,UAAA,EAAY,+BAAA;AAAA,EACZ,aAAA,EAAe,iBAAA;AAAA,EACf,eAAA,EAAiB,IAAA;AAAA,EACjB,QAAA,EAAU,KAAA;AAAA;AAAA,EACV,QAAA,EAAU,CAAA;AAAA,EACV,cAAA,EAAgB;AAClB;AAKO,IAAM,SAAA,GAAY;AAAA,EACvB,cAAc,MAAA,CAAO,YAAA;AAAA,EACrB,eAAA,EAAiB,UAAA;AAAA,EACjB,iBAAiB,MAAA,CAAO;AAC1B;AAKO,IAAM,IAAA,GAAO;AAAA,EAClB,YAAA,EAAc,EAAA;AAAA,EACd,WAAA,EAAa,CAAA;AAAA,EACb,wBAAA,EAA0B;AAC5B;AAKO,IAAM,OAAA,GAAU;AAAA,EACrB,kBAAA,EAAoB,EAAA;AAAA,EACpB,kBAAA,EAAoB,EAAA;AAAA,EACpB,iBAAA,EAAmB;AAAA;AACrB;AAKO,IAAM,MAAA,GAAS;AAAA,EACpB,cAAA,EAAgB,YAAA;AAAA,EAChB,cAAA,EAAgB;AAClB;AAMO,IAAM,cAAA,GAAiB;AAKvB,IAAM,2BAAA,GAA8B;AAMpC,IAAM,IAAA,GAAO;AAAA;AAAA,EAElB,SAAA,EAAW,QAAA;AAAA;AAAA,EAGX,MAAA,EAAQ,SAAA;AAAA;AAAA,EAGR,OAAA,EAAS,uBAAA;AAAA;AAAA,EAGT,UAAA,EAAY;AACd;AASO,SAAS,UAAU,IAAA,EAAqD;AAC7E,EAAA,IAAI,CAAC,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA,EAAG;AAC5B,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO;AAAA,IACL,GAAA,EAAK,QAAA;AAAA,IACL,GAAA,EAAK,IAAA,CAAK,KAAA,CAAM,CAAC;AAAA;AAAA,GACnB;AACF;AASO,SAAS,WAAW,GAAA,EAA4B;AACrD,EAAA,IAAI,CAAC,IAAA,CAAK,UAAA,CAAW,IAAA,CAAK,GAAG,CAAA,EAAG;AAC9B,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO,UAAU,GAAG,CAAA,CAAA;AACtB;AAQO,SAAS,YAAY,IAAA,EAAuB;AACjD,EAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA;AAC/B;AAKO,IAAM,eAAA,GAAkB;AAAA;AAAA,EAE7B,eAAA,EAAiB,MAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,iBAAA,EAAmB,KAAA;AAAA;AAAA,EAEnB,eAAA,EAAiB,KAAA;AAAA;AAAA,EAEjB,YAAA,EAAc,KAAA;AAAA;AAAA,EAEd,WAAA,EAAa,EAAA;AAAA;AAAA,EAEb,UAAA,EAAY,IAAA;AAAA;AAAA,EAEZ,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,YAAA,EAAc,CAAA;AAAA;AAAA,EAEd,gBAAA,EAAkB;AACpB;AAKO,IAAM,gBAAA,GAAmB;AAAA;AAAA,EAE9B,SAAA,EAAW,IAAA;AAAA;AAAA,EAEX,eAAA,EAAiB,IAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB;AAClB;AAKO,IAAM,iBAAA,GAAoB;AAAA;AAAA,EAE/B,OAAA,EAAS,CAAC,YAAA,EAAc,eAAA,EAAiB,gBAAgB,CAAA;AAAA;AAAA,EAEzD,SAAA,EAAW,CAAC,gBAAgB,CAAA;AAAA;AAAA,EAE5B,QAAA,EAAU,CAAC,aAAa,CAAA;AAAA;AAAA,EAExB,YAAA,EAAc,CAAC,SAAS,CAAA;AAAA;AAAA,EAExB,aAAA,EAAe,CAAC,WAAW;AAC7B;AAKO,IAAM,uBAAA,GAA0B;AAKhC,IAAM,kBAAA,GAAqB;AAAA;AAAA,EAEhC,UAAA,EAAY,aAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,cAAA;AAAA;AAAA,EAEb,gBAAA,EAAkB,mBAAA;AAAA;AAAA,EAElB,cAAA,EAAgB;AAClB;AAKO,IAAM,SAAA,GAAY;AAAA,EACvB,SAAA;AAAA,EACA,YAAA;AAAA,EACA,UAAA;AAAA,EACA,OAAA;AAAA,EACA,SAAA;AAAA,EACA,IAAA;AAAA,EACA,OAAA;AAAA,EACA,MAAA;AAAA,EACA,cAAA;AAAA,EACA,2BAAA;AAAA,EACA,IAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,uBAAA;AAAA,EACA;AACF","file":"constants.mjs","sourcesContent":["/**\n * PEAC Protocol Constants\n * Derived from specs/kernel/constants.json\n *\n * NOTE: This file is manually synced for v0.9.15.\n * From v0.9.16+, this will be auto-generated via codegen.\n */\n\n/**\n * Wire format type for PEAC receipts\n * Normalized to peac-receipt/0.1 per DEC-20260114-002\n */\nexport const WIRE_TYPE = 'peac-receipt/0.1' as const;\n\n/**\n * Wire format version (extracted from WIRE_TYPE)\n * Use this for wire_version fields in receipts\n */\nexport const WIRE_VERSION = '0.1' as const;\n\n/**\n * Supported cryptographic algorithms\n */\nexport const ALGORITHMS = {\n  supported: ['EdDSA'] as const,\n  default: 'EdDSA' as const,\n} as const;\n\n/**\n * HTTP header names for PEAC protocol\n */\nexport const HEADERS = {\n  receipt: 'PEAC-Receipt' as const,\n  receiptPointer: 'PEAC-Receipt-Pointer' as const,\n  dpop: 'DPoP' as const,\n  // Purpose headers (v0.9.24+)\n  purpose: 'PEAC-Purpose' as const,\n  purposeApplied: 'PEAC-Purpose-Applied' as const,\n  purposeReason: 'PEAC-Purpose-Reason' as const,\n} as const;\n\n/**\n * Policy manifest settings (/.well-known/peac.txt)\n *\n * Policy documents declare access terms for agents and gateways.\n * @see docs/specs/PEAC-TXT.md\n */\nexport const POLICY = {\n  manifestPath: '/.well-known/peac.txt' as const,\n  fallbackPath: '/peac.txt' as const,\n  manifestVersion: 'peac-policy/0.1' as const,\n  cacheTtlSeconds: 3600,\n  maxBytes: 262144, // 256 KiB\n  maxDepth: 8,\n} as const;\n\n/**\n * Issuer configuration settings (/.well-known/peac-issuer.json)\n *\n * Issuer config enables verifiers to discover JWKS and verification endpoints.\n * @see docs/specs/PEAC-ISSUER.md\n */\nexport const ISSUER_CONFIG = {\n  configPath: '/.well-known/peac-issuer.json' as const,\n  configVersion: 'peac-issuer/0.1' as const,\n  cacheTtlSeconds: 3600,\n  maxBytes: 65536, // 64 KiB\n  maxDepth: 4,\n  fetchTimeoutMs: 10000,\n} as const;\n\n/**\n * @deprecated Use POLICY instead. Will be removed in v1.0.\n */\nexport const DISCOVERY = {\n  manifestPath: POLICY.manifestPath,\n  manifestVersion: 'peac/0.9' as const,\n  cacheTtlSeconds: POLICY.cacheTtlSeconds,\n} as const;\n\n/**\n * JWKS rotation and revocation settings\n */\nexport const JWKS = {\n  rotationDays: 90,\n  overlapDays: 7,\n  emergencyRevocationHours: 24,\n} as const;\n\n/**\n * Receipt validation constants\n */\nexport const RECEIPT = {\n  minReceiptIdLength: 16,\n  maxReceiptIdLength: 64,\n  defaultTtlSeconds: 86400, // 24 hours\n} as const;\n\n/**\n * Payment amount validation limits (in cents/smallest currency unit)\n */\nexport const LIMITS = {\n  maxAmountCents: 999999999999,\n  minAmountCents: 1,\n} as const;\n\n/**\n * Bundle format version.\n * Used in dispute bundles, audit bundles, and archive bundles.\n */\nexport const BUNDLE_VERSION = 'peac-bundle/0.1' as const;\n\n/**\n * Verification report format version.\n */\nexport const VERIFICATION_REPORT_VERSION = 'peac-verification-report/0.1' as const;\n\n/**\n * Hash format constants and utilities.\n * All hashes use the self-describing format: sha256:<64 lowercase hex chars>\n */\nexport const HASH = {\n  /** Canonical hash algorithm */\n  algorithm: 'sha256' as const,\n\n  /** Hash prefix pattern */\n  prefix: 'sha256:' as const,\n\n  /** Valid hash regex: sha256:<64 lowercase hex> */\n  pattern: /^sha256:[0-9a-f]{64}$/,\n\n  /** Hex-only pattern for legacy comparison */\n  hexPattern: /^[0-9a-f]{64}$/,\n};\n\n/**\n * Parse a sha256:<hex> hash string into components.\n * Returns null if the format is invalid.\n *\n * @param hash - Hash string to parse (e.g., \"sha256:abc123...\")\n * @returns Parsed hash or null if invalid\n */\nexport function parseHash(hash: string): { alg: 'sha256'; hex: string } | null {\n  if (!HASH.pattern.test(hash)) {\n    return null;\n  }\n  return {\n    alg: 'sha256',\n    hex: hash.slice(7), // Remove 'sha256:' prefix\n  };\n}\n\n/**\n * Format a hex string as a sha256:<hex> hash.\n * Validates that the hex is exactly 64 lowercase characters.\n *\n * @param hex - Hex string (64 lowercase characters)\n * @returns Formatted hash or null if invalid\n */\nexport function formatHash(hex: string): string | null {\n  if (!HASH.hexPattern.test(hex)) {\n    return null;\n  }\n  return `sha256:${hex}`;\n}\n\n/**\n * Validate a hash string is in the correct format.\n *\n * @param hash - Hash string to validate\n * @returns true if valid sha256:<64 hex> format\n */\nexport function isValidHash(hash: string): boolean {\n  return HASH.pattern.test(hash);\n}\n\n/**\n * Verifier security limits per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFIER_LIMITS = {\n  /** Maximum receipt size in bytes (256 KB) */\n  maxReceiptBytes: 262144,\n  /** Maximum number of claims in a receipt */\n  maxClaimsCount: 100,\n  /** Maximum extension size in bytes (64 KB) */\n  maxExtensionBytes: 65536,\n  /** Maximum string length for individual claims (64 KB) */\n  maxStringLength: 65536,\n  /** Maximum JWKS document size in bytes (64 KB) */\n  maxJwksBytes: 65536,\n  /** Maximum number of keys in a JWKS */\n  maxJwksKeys: 20,\n  /** Maximum individual key size in bytes */\n  maxKeySize: 4096,\n  /** Network fetch timeout in milliseconds */\n  fetchTimeoutMs: 5000,\n  /** Maximum number of redirects to follow */\n  maxRedirects: 3,\n  /** Maximum network response size in bytes (256 KB) */\n  maxResponseBytes: 262144,\n} as const;\n\n/**\n * Verifier network security settings per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFIER_NETWORK = {\n  /** Only allow HTTPS URLs */\n  httpsOnly: true,\n  /** Block requests to private IP ranges */\n  blockPrivateIps: true,\n  /** Default redirect policy (false = no redirects) */\n  allowRedirects: false,\n} as const;\n\n/**\n * Private IPv4 CIDR blocks to block for SSRF protection\n */\nexport const PRIVATE_IP_RANGES = {\n  /** RFC 1918 private ranges */\n  rfc1918: ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'] as const,\n  /** Link-local addresses */\n  linkLocal: ['169.254.0.0/16'] as const,\n  /** Loopback addresses */\n  loopback: ['127.0.0.0/8'] as const,\n  /** IPv6 loopback */\n  ipv6Loopback: ['::1/128'] as const,\n  /** IPv6 link-local */\n  ipv6LinkLocal: ['fe80::/10'] as const,\n} as const;\n\n/**\n * Verifier policy version\n */\nexport const VERIFIER_POLICY_VERSION = 'peac-verifier-policy/0.1' as const;\n\n/**\n * Verification modes per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFICATION_MODES = {\n  /** All verification in browser/client, may fetch JWKS */\n  clientSide: 'client_side' as const,\n  /** No network access, uses bundled/pinned keys */\n  offlineOnly: 'offline_only' as const,\n  /** Prefer offline, fallback to network */\n  offlinePreferred: 'offline_preferred' as const,\n  /** Allow network fetches for key discovery */\n  networkAllowed: 'network_allowed' as const,\n} as const;\n\n/**\n * All constants export\n */\nexport const CONSTANTS = {\n  WIRE_TYPE,\n  WIRE_VERSION,\n  ALGORITHMS,\n  HEADERS,\n  DISCOVERY,\n  JWKS,\n  RECEIPT,\n  LIMITS,\n  BUNDLE_VERSION,\n  VERIFICATION_REPORT_VERSION,\n  HASH,\n  VERIFIER_LIMITS,\n  VERIFIER_NETWORK,\n  VERIFIER_POLICY_VERSION,\n  VERIFICATION_MODES,\n} as const;\n"]}