@peac/kernel 0.11.1 → 0.11.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +52 -3
- package/dist/__tests__/registries.test.d.ts +2 -0
- package/dist/__tests__/registries.test.d.ts.map +1 -0
- package/dist/carrier.d.ts +14 -0
- package/dist/carrier.d.ts.map +1 -1
- package/dist/constants.cjs +2 -1
- package/dist/constants.cjs.map +1 -1
- package/dist/constants.d.ts +4 -2
- package/dist/constants.d.ts.map +1 -1
- package/dist/constants.mjs +2 -1
- package/dist/constants.mjs.map +1 -1
- package/dist/error-categories.generated.d.ts +1 -1
- package/dist/errors.cjs +325 -149
- package/dist/errors.cjs.map +1 -1
- package/dist/errors.d.ts +1 -1
- package/dist/errors.generated.d.ts +6 -3
- package/dist/errors.generated.d.ts.map +1 -1
- package/dist/errors.mjs +325 -149
- package/dist/errors.mjs.map +1 -1
- package/dist/index.cjs +329 -150
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.ts +3 -3
- package/dist/index.d.ts.map +1 -1
- package/dist/index.mjs +328 -150
- package/dist/index.mjs.map +1 -1
- package/dist/types.cjs.map +1 -1
- package/dist/types.d.ts +10 -1
- package/dist/types.d.ts.map +1 -1
- package/dist/types.mjs.map +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# @peac/kernel
|
|
2
2
|
|
|
3
|
-
PEAC protocol kernel
|
|
3
|
+
PEAC protocol kernel: normative constants, error codes, registries, and core types. Zero runtime dependencies.
|
|
4
4
|
|
|
5
5
|
## Installation
|
|
6
6
|
|
|
@@ -8,9 +8,58 @@ PEAC protocol kernel - normative constants, errors, and registries
|
|
|
8
8
|
pnpm add @peac/kernel
|
|
9
9
|
```
|
|
10
10
|
|
|
11
|
-
##
|
|
11
|
+
## What It Does
|
|
12
12
|
|
|
13
|
-
|
|
13
|
+
`@peac/kernel` is Layer 0 of the PEAC protocol stack. It provides the type definitions, constants, and error codes that all other packages depend on. It has zero runtime dependencies and no I/O.
|
|
14
|
+
|
|
15
|
+
## How Do I Use It?
|
|
16
|
+
|
|
17
|
+
### Import types for evidence carriers
|
|
18
|
+
|
|
19
|
+
```typescript
|
|
20
|
+
import type { PeacEvidenceCarrier, CarrierAdapter, CarrierMeta } from '@peac/kernel';
|
|
21
|
+
```
|
|
22
|
+
|
|
23
|
+
### Use wire format constants
|
|
24
|
+
|
|
25
|
+
```typescript
|
|
26
|
+
import { WIRE_TYPE, HEADERS, ALGORITHMS } from '@peac/kernel';
|
|
27
|
+
|
|
28
|
+
console.log(WIRE_TYPE); // 'peac-receipt/0.1'
|
|
29
|
+
console.log(HEADERS.receipt); // 'PEAC-Receipt'
|
|
30
|
+
```
|
|
31
|
+
|
|
32
|
+
### Access error definitions with recovery hints
|
|
33
|
+
|
|
34
|
+
```typescript
|
|
35
|
+
import { ERRORS } from '@peac/kernel';
|
|
36
|
+
|
|
37
|
+
const err = ERRORS.E_JWKS_FETCH_FAILED;
|
|
38
|
+
console.log(err.code); // 'E_JWKS_FETCH_FAILED'
|
|
39
|
+
console.log(err.retryable); // true
|
|
40
|
+
console.log(err.next_action); // 'retry_after_delay'
|
|
41
|
+
```
|
|
42
|
+
|
|
43
|
+
### Use registry enums
|
|
44
|
+
|
|
45
|
+
```typescript
|
|
46
|
+
import { PAYMENT_RAILS, CHALLENGE_TYPES, PURPOSE_TOKENS } from '@peac/kernel';
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
## Integrates With
|
|
50
|
+
|
|
51
|
+
- `@peac/schema` (Layer 1): Zod validators built on kernel types
|
|
52
|
+
- `@peac/crypto` (Layer 2): Signing/verification using kernel constants
|
|
53
|
+
- `@peac/protocol` (Layer 3): High-level API using kernel error codes
|
|
54
|
+
- All `@peac/mappings-*` and `@peac/adapter-*` packages (Layer 4)
|
|
55
|
+
|
|
56
|
+
## For Agent Developers
|
|
57
|
+
|
|
58
|
+
If you are building an AI agent or MCP server that needs evidence receipts:
|
|
59
|
+
|
|
60
|
+
- Start with [`@peac/mcp-server`](https://www.npmjs.com/package/@peac/mcp-server) for a ready-to-use MCP tool server
|
|
61
|
+
- Use `@peac/protocol` for programmatic receipt issuance and verification
|
|
62
|
+
- See the [llms.txt](https://github.com/peacprotocol/peac/blob/main/llms.txt) for a concise overview
|
|
14
63
|
|
|
15
64
|
## License
|
|
16
65
|
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"registries.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/registries.test.ts"],"names":[],"mappings":""}
|
package/dist/carrier.d.ts
CHANGED
|
@@ -16,6 +16,13 @@
|
|
|
16
16
|
* fixtures and attach() output MUST use this exact spelling.
|
|
17
17
|
*/
|
|
18
18
|
export declare const PEAC_RECEIPT_HEADER: "PEAC-Receipt";
|
|
19
|
+
/**
|
|
20
|
+
* Canonical HTTP header name for receipt URL locator hint (DD-135).
|
|
21
|
+
*
|
|
22
|
+
* HTTPS-only, max 2048 chars, no credentials.
|
|
23
|
+
* MUST NOT trigger implicit fetch (DD-55).
|
|
24
|
+
*/
|
|
25
|
+
export declare const PEAC_RECEIPT_URL_HEADER: "PEAC-Receipt-URL";
|
|
19
26
|
/** Content-addressed receipt reference: SHA-256 of the compact JWS bytes */
|
|
20
27
|
export type ReceiptRef = `sha256:${string}`;
|
|
21
28
|
/** Carrier format: embed (inline) or reference (URL/pointer) */
|
|
@@ -31,6 +38,13 @@ export interface PeacEvidenceCarrier {
|
|
|
31
38
|
receipt_ref: ReceiptRef;
|
|
32
39
|
/** Compact JWS of the signed receipt (SHOULD for embed format) */
|
|
33
40
|
receipt_jws?: string;
|
|
41
|
+
/**
|
|
42
|
+
* Locator hint for detached receipt resolution (DD-135).
|
|
43
|
+
* HTTPS-only, max 2048 chars, no credentials.
|
|
44
|
+
* MUST NOT trigger implicit fetch (DD-55).
|
|
45
|
+
* If a caller fetches, it MUST verify sha256(receipt_jws) == receipt_ref.
|
|
46
|
+
*/
|
|
47
|
+
receipt_url?: string;
|
|
34
48
|
/** Policy binding hash for verification (MAY) */
|
|
35
49
|
policy_binding?: string;
|
|
36
50
|
/** Actor binding identifier (MAY) */
|
package/dist/carrier.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"carrier.d.ts","sourceRoot":"","sources":["../src/carrier.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH;;;;;;;GAOG;AACH,eAAO,MAAM,mBAAmB,EAAG,cAAuB,CAAC;
|
|
1
|
+
{"version":3,"file":"carrier.d.ts","sourceRoot":"","sources":["../src/carrier.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH;;;;;;;GAOG;AACH,eAAO,MAAM,mBAAmB,EAAG,cAAuB,CAAC;AAE3D;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,EAAG,kBAA2B,CAAC;AAMnE,4EAA4E;AAC5E,MAAM,MAAM,UAAU,GAAG,UAAU,MAAM,EAAE,CAAC;AAE5C,gEAAgE;AAChE,MAAM,MAAM,aAAa,GAAG,OAAO,GAAG,WAAW,CAAC;AAMlD;;;;;GAKG;AACH,MAAM,WAAW,mBAAmB;IAClC,iEAAiE;IACjE,WAAW,EAAE,UAAU,CAAC;IACxB,kEAAkE;IAClE,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;OAKG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iDAAiD;IACjD,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,qCAAqC;IACrC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,gDAAgD;IAChD,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,+CAA+C;IAC/C,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,sCAAsC;IACtC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,0CAA0C;IAC1C,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,wCAAwC;IACxC,eAAe,CAAC,EAAE,MAAM,CAAC;CAC1B;AAMD;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC1B,6EAA6E;IAC7E,SAAS,EAAE,MAAM,CAAC;IAClB,yCAAyC;IACzC,MAAM,EAAE,aAAa,CAAC;IACtB,uDAAuD;IACvD,QAAQ,EAAE,MAAM,CAAC;IACjB,2CAA2C;IAC3C,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB;AAMD,8CAA8C;AAC9C,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,OAAO,CAAC;IACf,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAMD;;;;;;;;GAQG;AACH,MAAM,WAAW,cAAc,CAAC,MAAM,EAAE,OAAO;IAC7C;;;OAGG;IACH,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG;QAAE,QAAQ,EAAE,mBAAmB,EAAE,CAAC;QAAC,IAAI,EAAE,WAAW,CAAA;KAAE,GAAG,IAAI,CAAC;IAEtF;;;OAGG;IACH,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,mBAAmB,EAAE,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC;IAEtF;;;OAGG;IACH,mBAAmB,CAAC,OAAO,EAAE,mBAAmB,EAAE,IAAI,EAAE,WAAW,GAAG,uBAAuB,CAAC;CAC/F"}
|
package/dist/constants.cjs
CHANGED
package/dist/constants.cjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/constants.ts"],"names":[],"mappings":";;;AAYO,IAAM,SAAA,GAAY;AAMlB,IAAM,YAAA,GAAe;AAKrB,IAAM,UAAA,GAAa;AAAA,EACxB,SAAA,EAAW,CAAC,OAAO,CAAA;AAAA,EACnB,OAAA,EAAS;AACX;AAKO,IAAM,OAAA,GAAU;AAAA,EACrB,OAAA,EAAS,cAAA;AAAA,EACT,cAAA,EAAgB,sBAAA;AAAA,EAChB,IAAA,EAAM,MAAA;AAAA;AAAA,EAEN,OAAA,EAAS,cAAA;AAAA,EACT,cAAA,EAAgB,sBAAA;AAAA,EAChB,aAAA,EAAe;AACjB;AAQO,IAAM,MAAA,GAAS;AAAA,EACpB,YAAA,EAAc,uBAAA;AAAA,EACd,YAAA,EAAc,WAAA;AAAA,EACd,eAAA,EAAiB,iBAAA;AAAA,EACjB,eAAA,EAAiB,IAAA;AAAA,EACjB,QAAA,EAAU,MAAA;AAAA;AAAA,EACV,QAAA,EAAU;AACZ;AAQO,IAAM,aAAA,GAAgB;AAAA,EAC3B,UAAA,EAAY,+BAAA;AAAA,EACZ,aAAA,EAAe,iBAAA;AAAA,EACf,eAAA,EAAiB,IAAA;AAAA,EACjB,QAAA,EAAU,KAAA;AAAA;AAAA,EACV,QAAA,EAAU,CAAA;AAAA,EACV,cAAA,EAAgB;AAClB;AAKO,IAAM,SAAA,GAAY;AAAA,EACvB,cAAc,MAAA,CAAO,YAAA;AAAA,EACrB,eAAA,EAAiB,UAAA;AAAA,EACjB,iBAAiB,MAAA,CAAO;AAC1B;AAKO,IAAM,IAAA,GAAO;AAAA,EAClB,YAAA,EAAc,EAAA;AAAA,EACd,WAAA,EAAa,CAAA;AAAA,EACb,wBAAA,EAA0B;AAC5B;AAKO,IAAM,OAAA,GAAU;AAAA,EACrB,kBAAA,EAAoB,EAAA;AAAA,EACpB,kBAAA,EAAoB,EAAA;AAAA,EACpB,iBAAA,EAAmB;AAAA;AACrB;AAKO,IAAM,MAAA,GAAS;AAAA,EACpB,cAAA,EAAgB,YAAA;AAAA,EAChB,cAAA,EAAgB;AAClB;AAMO,IAAM,cAAA,GAAiB;AAKvB,IAAM,2BAAA,GAA8B;AAMpC,IAAM,IAAA,GAAO;AAAA;AAAA,EAElB,SAAA,EAAW,QAAA;AAAA;AAAA,EAGX,MAAA,EAAQ,SAAA;AAAA;AAAA,EAGR,OAAA,EAAS,uBAAA;AAAA;AAAA,EAGT,UAAA,EAAY;AACd;AASO,SAAS,UAAU,IAAA,EAAqD;AAC7E,EAAA,IAAI,CAAC,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA,EAAG;AAC5B,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO;AAAA,IACL,GAAA,EAAK,QAAA;AAAA,IACL,GAAA,EAAK,IAAA,CAAK,KAAA,CAAM,CAAC;AAAA;AAAA,GACnB;AACF;AASO,SAAS,WAAW,GAAA,EAA4B;AACrD,EAAA,IAAI,CAAC,IAAA,CAAK,UAAA,CAAW,IAAA,CAAK,GAAG,CAAA,EAAG;AAC9B,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO,UAAU,GAAG,CAAA,CAAA;AACtB;AAQO,SAAS,YAAY,IAAA,EAAuB;AACjD,EAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA;AAC/B;AAKO,IAAM,eAAA,GAAkB;AAAA;AAAA,EAE7B,eAAA,EAAiB,MAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,iBAAA,EAAmB,KAAA;AAAA;AAAA,EAEnB,eAAA,EAAiB,KAAA;AAAA;AAAA,EAEjB,YAAA,EAAc,KAAA;AAAA;AAAA,EAEd,WAAA,EAAa,EAAA;AAAA;AAAA,EAEb,UAAA,EAAY,IAAA;AAAA;AAAA,EAEZ,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,YAAA,EAAc,CAAA;AAAA;AAAA,EAEd,gBAAA,EAAkB;AACpB;AAKO,IAAM,gBAAA,GAAmB;AAAA;AAAA,EAE9B,SAAA,EAAW,IAAA;AAAA;AAAA,EAEX,eAAA,EAAiB,IAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB;AAClB;AAKO,IAAM,iBAAA,GAAoB;AAAA;AAAA,EAE/B,OAAA,EAAS,CAAC,YAAA,EAAc,eAAA,EAAiB,gBAAgB,CAAA;AAAA;AAAA,EAEzD,SAAA,EAAW,CAAC,gBAAgB,CAAA;AAAA;AAAA,EAE5B,QAAA,EAAU,CAAC,aAAa,CAAA;AAAA;AAAA,EAExB,YAAA,EAAc,CAAC,SAAS,CAAA;AAAA;AAAA,EAExB,aAAA,EAAe,CAAC,WAAW;AAC7B;AAKO,IAAM,uBAAA,GAA0B;AAKhC,IAAM,kBAAA,GAAqB;AAAA;AAAA,EAEhC,UAAA,EAAY,aAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,cAAA;AAAA;AAAA,EAEb,gBAAA,EAAkB,mBAAA;AAAA;AAAA,EAElB,cAAA,EAAgB;AAClB;AAKO,IAAM,SAAA,GAAY;AAAA,EACvB,SAAA;AAAA,EACA,YAAA;AAAA,EACA,UAAA;AAAA,EACA,OAAA;AAAA,EACA,SAAA;AAAA,EACA,IAAA;AAAA,EACA,OAAA;AAAA,EACA,MAAA;AAAA,EACA,cAAA;AAAA,EACA,2BAAA;AAAA,EACA,IAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,uBAAA;AAAA,EACA;AACF","file":"constants.cjs","sourcesContent":["/**\n * PEAC Protocol Constants\n * Derived from specs/kernel/constants.json\n *\n * NOTE: This file is manually synced for v0.9.15.\n * From v0.9.16+, this will be auto-generated via codegen.\n */\n\n/**\n * Wire format type for PEAC receipts\n * Normalized to peac-receipt/0.1 per DEC-20260114-002\n */\nexport const WIRE_TYPE = 'peac-receipt/0.1' as const;\n\n/**\n * Wire format version (extracted from WIRE_TYPE)\n * Use this for wire_version fields in receipts\n */\nexport const WIRE_VERSION = '0.1' as const;\n\n/**\n * Supported cryptographic algorithms\n */\nexport const ALGORITHMS = {\n supported: ['EdDSA'] as const,\n default: 'EdDSA' as const,\n} as const;\n\n/**\n * HTTP header names for PEAC protocol\n */\nexport const HEADERS = {\n receipt: 'PEAC-Receipt' as const,\n receiptPointer: 'PEAC-Receipt-Pointer' as const,\n dpop: 'DPoP' as const,\n // Purpose headers (v0.9.24+)\n purpose: 'PEAC-Purpose' as const,\n purposeApplied: 'PEAC-Purpose-Applied' as const,\n purposeReason: 'PEAC-Purpose-Reason' as const,\n} as const;\n\n/**\n * Policy manifest settings (/.well-known/peac.txt)\n *\n * Policy documents declare access terms for agents and gateways.\n * @see docs/specs/PEAC-TXT.md\n */\nexport const POLICY = {\n manifestPath: '/.well-known/peac.txt' as const,\n fallbackPath: '/peac.txt' as const,\n manifestVersion: 'peac-policy/0.1' as const,\n cacheTtlSeconds: 3600,\n maxBytes: 262144, // 256 KiB\n maxDepth: 8,\n} as const;\n\n/**\n * Issuer configuration settings (/.well-known/peac-issuer.json)\n *\n * Issuer config enables verifiers to discover JWKS and verification endpoints.\n * @see docs/specs/PEAC-ISSUER.md\n */\nexport const ISSUER_CONFIG = {\n configPath: '/.well-known/peac-issuer.json' as const,\n configVersion: 'peac-issuer/0.1' as const,\n cacheTtlSeconds: 3600,\n maxBytes: 65536, // 64 KiB\n maxDepth: 4,\n fetchTimeoutMs: 10000,\n} as const;\n\n/**\n * @deprecated Use POLICY instead. Will be removed in v1.0.\n */\nexport const DISCOVERY = {\n manifestPath: POLICY.manifestPath,\n manifestVersion: 'peac/0.9' as const,\n cacheTtlSeconds: POLICY.cacheTtlSeconds,\n} as const;\n\n/**\n * JWKS rotation and revocation settings\n */\nexport const JWKS = {\n rotationDays: 90,\n overlapDays: 7,\n emergencyRevocationHours: 24,\n} as const;\n\n/**\n * Receipt validation constants\n */\nexport const RECEIPT = {\n minReceiptIdLength: 16,\n maxReceiptIdLength: 64,\n defaultTtlSeconds: 86400, // 24 hours\n} as const;\n\n/**\n * Payment amount validation limits (in cents/smallest currency unit)\n */\nexport const LIMITS = {\n maxAmountCents: 999999999999,\n minAmountCents: 1,\n} as const;\n\n/**\n * Bundle format version.\n * Used in dispute bundles, audit bundles, and archive bundles.\n */\nexport const BUNDLE_VERSION = 'peac-bundle/0.1' as const;\n\n/**\n * Verification report format version.\n */\nexport const VERIFICATION_REPORT_VERSION = 'peac-verification-report/0.1' as const;\n\n/**\n * Hash format constants and utilities.\n * All hashes use the self-describing format: sha256:<64 lowercase hex chars>\n */\nexport const HASH = {\n /** Canonical hash algorithm */\n algorithm: 'sha256' as const,\n\n /** Hash prefix pattern */\n prefix: 'sha256:' as const,\n\n /** Valid hash regex: sha256:<64 lowercase hex> */\n pattern: /^sha256:[0-9a-f]{64}$/,\n\n /** Hex-only pattern for legacy comparison */\n hexPattern: /^[0-9a-f]{64}$/,\n};\n\n/**\n * Parse a sha256:<hex> hash string into components.\n * Returns null if the format is invalid.\n *\n * @param hash - Hash string to parse (e.g., \"sha256:abc123...\")\n * @returns Parsed hash or null if invalid\n */\nexport function parseHash(hash: string): { alg: 'sha256'; hex: string } | null {\n if (!HASH.pattern.test(hash)) {\n return null;\n }\n return {\n alg: 'sha256',\n hex: hash.slice(7), // Remove 'sha256:' prefix\n };\n}\n\n/**\n * Format a hex string as a sha256:<hex> hash.\n * Validates that the hex is exactly 64 lowercase characters.\n *\n * @param hex - Hex string (64 lowercase characters)\n * @returns Formatted hash or null if invalid\n */\nexport function formatHash(hex: string): string | null {\n if (!HASH.hexPattern.test(hex)) {\n return null;\n }\n return `sha256:${hex}`;\n}\n\n/**\n * Validate a hash string is in the correct format.\n *\n * @param hash - Hash string to validate\n * @returns true if valid sha256:<64 hex> format\n */\nexport function isValidHash(hash: string): boolean {\n return HASH.pattern.test(hash);\n}\n\n/**\n * Verifier security limits per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFIER_LIMITS = {\n /** Maximum receipt size in bytes (256 KB) */\n maxReceiptBytes: 262144,\n /** Maximum number of claims in a receipt */\n maxClaimsCount: 100,\n /** Maximum extension size in bytes (64 KB) */\n maxExtensionBytes: 65536,\n /** Maximum string length for individual claims (64 KB) */\n maxStringLength: 65536,\n /** Maximum JWKS document size in bytes (64 KB) */\n maxJwksBytes: 65536,\n /** Maximum number of keys in a JWKS */\n maxJwksKeys: 20,\n /** Maximum individual key size in bytes */\n maxKeySize: 4096,\n /** Network fetch timeout in milliseconds */\n fetchTimeoutMs: 5000,\n /** Maximum number of redirects to follow */\n maxRedirects: 3,\n /** Maximum network response size in bytes (256 KB) */\n maxResponseBytes: 262144,\n} as const;\n\n/**\n * Verifier network security settings per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFIER_NETWORK = {\n /** Only allow HTTPS URLs */\n httpsOnly: true,\n /** Block requests to private IP ranges */\n blockPrivateIps: true,\n /** Default redirect policy (false = no redirects) */\n allowRedirects: false,\n} as const;\n\n/**\n * Private IPv4 CIDR blocks to block for SSRF protection\n */\nexport const PRIVATE_IP_RANGES = {\n /** RFC 1918 private ranges */\n rfc1918: ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'] as const,\n /** Link-local addresses */\n linkLocal: ['169.254.0.0/16'] as const,\n /** Loopback addresses */\n loopback: ['127.0.0.0/8'] as const,\n /** IPv6 loopback */\n ipv6Loopback: ['::1/128'] as const,\n /** IPv6 link-local */\n ipv6LinkLocal: ['fe80::/10'] as const,\n} as const;\n\n/**\n * Verifier policy version\n */\nexport const VERIFIER_POLICY_VERSION = 'peac-verifier-policy/0.1' as const;\n\n/**\n * Verification modes per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFICATION_MODES = {\n /** All verification in browser/client, may fetch JWKS */\n clientSide: 'client_side' as const,\n /** No network access, uses bundled/pinned keys */\n offlineOnly: 'offline_only' as const,\n /** Prefer offline, fallback to network */\n offlinePreferred: 'offline_preferred' as const,\n /** Allow network fetches for key discovery */\n networkAllowed: 'network_allowed' as const,\n} as const;\n\n/**\n * All constants export\n */\nexport const CONSTANTS = {\n WIRE_TYPE,\n WIRE_VERSION,\n ALGORITHMS,\n HEADERS,\n DISCOVERY,\n JWKS,\n RECEIPT,\n LIMITS,\n BUNDLE_VERSION,\n VERIFICATION_REPORT_VERSION,\n HASH,\n VERIFIER_LIMITS,\n VERIFIER_NETWORK,\n VERIFIER_POLICY_VERSION,\n VERIFICATION_MODES,\n} as const;\n"]}
|
|
1
|
+
{"version":3,"sources":["../src/constants.ts"],"names":[],"mappings":";;;AAYO,IAAM,SAAA,GAAY;AAMlB,IAAM,YAAA,GAAe;AAKrB,IAAM,UAAA,GAAa;AAAA,EACxB,SAAA,EAAW,CAAC,OAAO,CAAA;AAAA,EACnB,OAAA,EAAS;AACX;AAKO,IAAM,OAAA,GAAU;AAAA,EACrB,OAAA,EAAS,cAAA;AAAA,EACT,cAAA,EAAgB,sBAAA;AAAA,EAChB,IAAA,EAAM,MAAA;AAAA;AAAA,EAEN,OAAA,EAAS,cAAA;AAAA,EACT,cAAA,EAAgB,sBAAA;AAAA,EAChB,aAAA,EAAe;AACjB;AAQO,IAAM,MAAA,GAAS;AAAA,EACpB,YAAA,EAAc,uBAAA;AAAA,EACd,YAAA,EAAc,WAAA;AAAA,EACd,eAAA,EAAiB,iBAAA;AAAA,EACjB,eAAA,EAAiB,IAAA;AAAA,EACjB,QAAA,EAAU,MAAA;AAAA;AAAA,EACV,QAAA,EAAU;AACZ;AAQO,IAAM,aAAA,GAAgB;AAAA,EAC3B,UAAA,EAAY,+BAAA;AAAA,EACZ,aAAA,EAAe,iBAAA;AAAA,EACf,eAAA,EAAiB,IAAA;AAAA,EACjB,QAAA,EAAU,KAAA;AAAA;AAAA,EACV,QAAA,EAAU,CAAA;AAAA,EACV,cAAA,EAAgB;AAClB;AAKO,IAAM,SAAA,GAAY;AAAA,EACvB,cAAc,MAAA,CAAO,YAAA;AAAA,EACrB,eAAA,EAAiB,UAAA;AAAA,EACjB,iBAAiB,MAAA,CAAO;AAC1B;AAKO,IAAM,IAAA,GAAO;AAAA,EAClB,YAAA,EAAc,EAAA;AAAA;AAAA,EAEd,WAAA,EAAa,EAAA;AAAA,EACb,wBAAA,EAA0B;AAC5B;AAKO,IAAM,OAAA,GAAU;AAAA,EACrB,kBAAA,EAAoB,EAAA;AAAA,EACpB,kBAAA,EAAoB,EAAA;AAAA,EACpB,iBAAA,EAAmB;AAAA;AACrB;AAKO,IAAM,MAAA,GAAS;AAAA,EACpB,cAAA,EAAgB,YAAA;AAAA,EAChB,cAAA,EAAgB;AAClB;AAMO,IAAM,cAAA,GAAiB;AAKvB,IAAM,2BAAA,GAA8B;AAMpC,IAAM,IAAA,GAAO;AAAA;AAAA,EAElB,SAAA,EAAW,QAAA;AAAA;AAAA,EAGX,MAAA,EAAQ,SAAA;AAAA;AAAA,EAGR,OAAA,EAAS,uBAAA;AAAA;AAAA,EAGT,UAAA,EAAY;AACd;AASO,SAAS,UAAU,IAAA,EAAqD;AAC7E,EAAA,IAAI,CAAC,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA,EAAG;AAC5B,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO;AAAA,IACL,GAAA,EAAK,QAAA;AAAA,IACL,GAAA,EAAK,IAAA,CAAK,KAAA,CAAM,CAAC;AAAA;AAAA,GACnB;AACF;AASO,SAAS,WAAW,GAAA,EAA4B;AACrD,EAAA,IAAI,CAAC,IAAA,CAAK,UAAA,CAAW,IAAA,CAAK,GAAG,CAAA,EAAG;AAC9B,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO,UAAU,GAAG,CAAA,CAAA;AACtB;AAQO,SAAS,YAAY,IAAA,EAAuB;AACjD,EAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA;AAC/B;AAKO,IAAM,eAAA,GAAkB;AAAA;AAAA,EAE7B,eAAA,EAAiB,MAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,iBAAA,EAAmB,KAAA;AAAA;AAAA,EAEnB,eAAA,EAAiB,KAAA;AAAA;AAAA,EAEjB,YAAA,EAAc,KAAA;AAAA;AAAA,EAEd,WAAA,EAAa,EAAA;AAAA;AAAA,EAEb,UAAA,EAAY,IAAA;AAAA;AAAA,EAEZ,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,YAAA,EAAc,CAAA;AAAA;AAAA,EAEd,gBAAA,EAAkB;AACpB;AAKO,IAAM,gBAAA,GAAmB;AAAA;AAAA,EAE9B,SAAA,EAAW,IAAA;AAAA;AAAA,EAEX,eAAA,EAAiB,IAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB;AAClB;AAKO,IAAM,iBAAA,GAAoB;AAAA;AAAA,EAE/B,OAAA,EAAS,CAAC,YAAA,EAAc,eAAA,EAAiB,gBAAgB,CAAA;AAAA;AAAA,EAEzD,SAAA,EAAW,CAAC,gBAAgB,CAAA;AAAA;AAAA,EAE5B,QAAA,EAAU,CAAC,aAAa,CAAA;AAAA;AAAA,EAExB,YAAA,EAAc,CAAC,SAAS,CAAA;AAAA;AAAA,EAExB,aAAA,EAAe,CAAC,WAAW;AAC7B;AAKO,IAAM,uBAAA,GAA0B;AAKhC,IAAM,kBAAA,GAAqB;AAAA;AAAA,EAEhC,UAAA,EAAY,aAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,cAAA;AAAA;AAAA,EAEb,gBAAA,EAAkB,mBAAA;AAAA;AAAA,EAElB,cAAA,EAAgB;AAClB;AAKO,IAAM,SAAA,GAAY;AAAA,EACvB,SAAA;AAAA,EACA,YAAA;AAAA,EACA,UAAA;AAAA,EACA,OAAA;AAAA,EACA,SAAA;AAAA,EACA,IAAA;AAAA,EACA,OAAA;AAAA,EACA,MAAA;AAAA,EACA,cAAA;AAAA,EACA,2BAAA;AAAA,EACA,IAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,uBAAA;AAAA,EACA;AACF","file":"constants.cjs","sourcesContent":["/**\n * PEAC Protocol Constants\n * Derived from specs/kernel/constants.json\n *\n * NOTE: This file is manually synced for v0.9.15.\n * From v0.9.16+, this will be auto-generated via codegen.\n */\n\n/**\n * Wire format type for PEAC receipts\n * Normalized to peac-receipt/0.1 per DEC-20260114-002\n */\nexport const WIRE_TYPE = 'peac-receipt/0.1' as const;\n\n/**\n * Wire format version (extracted from WIRE_TYPE)\n * Use this for wire_version fields in receipts\n */\nexport const WIRE_VERSION = '0.1' as const;\n\n/**\n * Supported cryptographic algorithms\n */\nexport const ALGORITHMS = {\n supported: ['EdDSA'] as const,\n default: 'EdDSA' as const,\n} as const;\n\n/**\n * HTTP header names for PEAC protocol\n */\nexport const HEADERS = {\n receipt: 'PEAC-Receipt' as const,\n receiptPointer: 'PEAC-Receipt-Pointer' as const,\n dpop: 'DPoP' as const,\n // Purpose headers (v0.9.24+)\n purpose: 'PEAC-Purpose' as const,\n purposeApplied: 'PEAC-Purpose-Applied' as const,\n purposeReason: 'PEAC-Purpose-Reason' as const,\n} as const;\n\n/**\n * Policy manifest settings (/.well-known/peac.txt)\n *\n * Policy documents declare access terms for agents and gateways.\n * @see docs/specs/PEAC-TXT.md\n */\nexport const POLICY = {\n manifestPath: '/.well-known/peac.txt' as const,\n fallbackPath: '/peac.txt' as const,\n manifestVersion: 'peac-policy/0.1' as const,\n cacheTtlSeconds: 3600,\n maxBytes: 262144, // 256 KiB\n maxDepth: 8,\n} as const;\n\n/**\n * Issuer configuration settings (/.well-known/peac-issuer.json)\n *\n * Issuer config enables verifiers to discover JWKS and verification endpoints.\n * @see docs/specs/PEAC-ISSUER.md\n */\nexport const ISSUER_CONFIG = {\n configPath: '/.well-known/peac-issuer.json' as const,\n configVersion: 'peac-issuer/0.1' as const,\n cacheTtlSeconds: 3600,\n maxBytes: 65536, // 64 KiB\n maxDepth: 4,\n fetchTimeoutMs: 10000,\n} as const;\n\n/**\n * @deprecated Use POLICY instead. Will be removed in v1.0.\n */\nexport const DISCOVERY = {\n manifestPath: POLICY.manifestPath,\n manifestVersion: 'peac/0.9' as const,\n cacheTtlSeconds: POLICY.cacheTtlSeconds,\n} as const;\n\n/**\n * JWKS rotation and revocation settings\n */\nexport const JWKS = {\n rotationDays: 90,\n /** Normative minimum overlap period (DD-148, v0.11.3+) */\n overlapDays: 30,\n emergencyRevocationHours: 24,\n} as const;\n\n/**\n * Receipt validation constants\n */\nexport const RECEIPT = {\n minReceiptIdLength: 16,\n maxReceiptIdLength: 64,\n defaultTtlSeconds: 86400, // 24 hours\n} as const;\n\n/**\n * Payment amount validation limits (in cents/smallest currency unit)\n */\nexport const LIMITS = {\n maxAmountCents: 999999999999,\n minAmountCents: 1,\n} as const;\n\n/**\n * Bundle format version.\n * Used in dispute bundles, audit bundles, and archive bundles.\n */\nexport const BUNDLE_VERSION = 'peac-bundle/0.1' as const;\n\n/**\n * Verification report format version.\n */\nexport const VERIFICATION_REPORT_VERSION = 'peac-verification-report/0.1' as const;\n\n/**\n * Hash format constants and utilities.\n * All hashes use the self-describing format: sha256:<64 lowercase hex chars>\n */\nexport const HASH = {\n /** Canonical hash algorithm */\n algorithm: 'sha256' as const,\n\n /** Hash prefix pattern */\n prefix: 'sha256:' as const,\n\n /** Valid hash regex: sha256:<64 lowercase hex> */\n pattern: /^sha256:[0-9a-f]{64}$/,\n\n /** Hex-only pattern for legacy comparison */\n hexPattern: /^[0-9a-f]{64}$/,\n};\n\n/**\n * Parse a sha256:<hex> hash string into components.\n * Returns null if the format is invalid.\n *\n * @param hash - Hash string to parse (e.g., \"sha256:abc123...\")\n * @returns Parsed hash or null if invalid\n */\nexport function parseHash(hash: string): { alg: 'sha256'; hex: string } | null {\n if (!HASH.pattern.test(hash)) {\n return null;\n }\n return {\n alg: 'sha256',\n hex: hash.slice(7), // Remove 'sha256:' prefix\n };\n}\n\n/**\n * Format a hex string as a sha256:<hex> hash.\n * Validates that the hex is exactly 64 lowercase characters.\n *\n * @param hex - Hex string (64 lowercase characters)\n * @returns Formatted hash or null if invalid\n */\nexport function formatHash(hex: string): string | null {\n if (!HASH.hexPattern.test(hex)) {\n return null;\n }\n return `sha256:${hex}`;\n}\n\n/**\n * Validate a hash string is in the correct format.\n *\n * @param hash - Hash string to validate\n * @returns true if valid sha256:<64 hex> format\n */\nexport function isValidHash(hash: string): boolean {\n return HASH.pattern.test(hash);\n}\n\n/**\n * Verifier security limits per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFIER_LIMITS = {\n /** Maximum receipt size in bytes (256 KB) */\n maxReceiptBytes: 262144,\n /** Maximum number of claims in a receipt */\n maxClaimsCount: 100,\n /** Maximum extension size in bytes (64 KB) */\n maxExtensionBytes: 65536,\n /** Maximum string length for individual claims (64 KB) */\n maxStringLength: 65536,\n /** Maximum JWKS document size in bytes (64 KB) */\n maxJwksBytes: 65536,\n /** Maximum number of keys in a JWKS */\n maxJwksKeys: 20,\n /** Maximum individual key size in bytes */\n maxKeySize: 4096,\n /** Network fetch timeout in milliseconds */\n fetchTimeoutMs: 5000,\n /** Maximum number of redirects to follow */\n maxRedirects: 3,\n /** Maximum network response size in bytes (256 KB) */\n maxResponseBytes: 262144,\n} as const;\n\n/**\n * Verifier network security settings per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFIER_NETWORK = {\n /** Only allow HTTPS URLs */\n httpsOnly: true,\n /** Block requests to private IP ranges */\n blockPrivateIps: true,\n /** Default redirect policy (false = no redirects) */\n allowRedirects: false,\n} as const;\n\n/**\n * Private IPv4 CIDR blocks to block for SSRF protection\n */\nexport const PRIVATE_IP_RANGES = {\n /** RFC 1918 private ranges */\n rfc1918: ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'] as const,\n /** Link-local addresses */\n linkLocal: ['169.254.0.0/16'] as const,\n /** Loopback addresses */\n loopback: ['127.0.0.0/8'] as const,\n /** IPv6 loopback */\n ipv6Loopback: ['::1/128'] as const,\n /** IPv6 link-local */\n ipv6LinkLocal: ['fe80::/10'] as const,\n} as const;\n\n/**\n * Verifier policy version\n */\nexport const VERIFIER_POLICY_VERSION = 'peac-verifier-policy/0.1' as const;\n\n/**\n * Verification modes per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFICATION_MODES = {\n /** All verification in browser/client, may fetch JWKS */\n clientSide: 'client_side' as const,\n /** No network access, uses bundled/pinned keys */\n offlineOnly: 'offline_only' as const,\n /** Prefer offline, fallback to network */\n offlinePreferred: 'offline_preferred' as const,\n /** Allow network fetches for key discovery */\n networkAllowed: 'network_allowed' as const,\n} as const;\n\n/**\n * All constants export\n */\nexport const CONSTANTS = {\n WIRE_TYPE,\n WIRE_VERSION,\n ALGORITHMS,\n HEADERS,\n DISCOVERY,\n JWKS,\n RECEIPT,\n LIMITS,\n BUNDLE_VERSION,\n VERIFICATION_REPORT_VERSION,\n HASH,\n VERIFIER_LIMITS,\n VERIFIER_NETWORK,\n VERIFIER_POLICY_VERSION,\n VERIFICATION_MODES,\n} as const;\n"]}
|
package/dist/constants.d.ts
CHANGED
|
@@ -74,7 +74,8 @@ export declare const DISCOVERY: {
|
|
|
74
74
|
*/
|
|
75
75
|
export declare const JWKS: {
|
|
76
76
|
readonly rotationDays: 90;
|
|
77
|
-
|
|
77
|
+
/** Normative minimum overlap period (DD-148, v0.11.3+) */
|
|
78
|
+
readonly overlapDays: 30;
|
|
78
79
|
readonly emergencyRevocationHours: 24;
|
|
79
80
|
};
|
|
80
81
|
/**
|
|
@@ -234,7 +235,8 @@ export declare const CONSTANTS: {
|
|
|
234
235
|
};
|
|
235
236
|
readonly JWKS: {
|
|
236
237
|
readonly rotationDays: 90;
|
|
237
|
-
|
|
238
|
+
/** Normative minimum overlap period (DD-148, v0.11.3+) */
|
|
239
|
+
readonly overlapDays: 30;
|
|
238
240
|
readonly emergencyRevocationHours: 24;
|
|
239
241
|
};
|
|
240
242
|
readonly RECEIPT: {
|
package/dist/constants.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;GAGG;AACH,eAAO,MAAM,SAAS,EAAG,kBAA2B,CAAC;AAErD;;;GAGG;AACH,eAAO,MAAM,YAAY,EAAG,KAAc,CAAC;AAE3C;;GAEG;AACH,eAAO,MAAM,UAAU;;;CAGb,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,OAAO;;;;;;;CAQV,CAAC;AAEX;;;;;GAKG;AACH,eAAO,MAAM,MAAM;;;;;;;CAOT,CAAC;AAEX;;;;;GAKG;AACH,eAAO,MAAM,aAAa;;;;;;;CAOhB,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,SAAS;;;;CAIZ,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,IAAI
|
|
1
|
+
{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;GAGG;AACH,eAAO,MAAM,SAAS,EAAG,kBAA2B,CAAC;AAErD;;;GAGG;AACH,eAAO,MAAM,YAAY,EAAG,KAAc,CAAC;AAE3C;;GAEG;AACH,eAAO,MAAM,UAAU;;;CAGb,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,OAAO;;;;;;;CAQV,CAAC;AAEX;;;;;GAKG;AACH,eAAO,MAAM,MAAM;;;;;;;CAOT,CAAC;AAEX;;;;;GAKG;AACH,eAAO,MAAM,aAAa;;;;;;;CAOhB,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,SAAS;;;;CAIZ,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,IAAI;;IAEf,0DAA0D;;;CAGlD,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,OAAO;;;;CAIV,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,MAAM;;;CAGT,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,cAAc,EAAG,iBAA0B,CAAC;AAEzD;;GAEG;AACH,eAAO,MAAM,2BAA2B,EAAG,8BAAuC,CAAC;AAEnF;;;GAGG;AACH,eAAO,MAAM,IAAI;IACf,+BAA+B;;IAG/B,0BAA0B;;IAG1B,kDAAkD;;IAGlD,6CAA6C;;CAE9C,CAAC;AAEF;;;;;;GAMG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG;IAAE,GAAG,EAAE,QAAQ,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAQ7E;AAED;;;;;;GAMG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAKrD;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEjD;AAED;;GAEG;AACH,eAAO,MAAM,eAAe;IAC1B,6CAA6C;;IAE7C,4CAA4C;;IAE5C,8CAA8C;;IAE9C,0DAA0D;;IAE1D,kDAAkD;;IAElD,uCAAuC;;IAEvC,2CAA2C;;IAE3C,4CAA4C;;IAE5C,4CAA4C;;IAE5C,sDAAsD;;CAE9C,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,gBAAgB;IAC3B,4BAA4B;;IAE5B,0CAA0C;;IAE1C,qDAAqD;;CAE7C,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,iBAAiB;IAC5B,8BAA8B;;IAE9B,2BAA2B;;IAE3B,yBAAyB;;IAEzB,oBAAoB;;IAEpB,sBAAsB;;CAEd,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,uBAAuB,EAAG,0BAAmC,CAAC;AAE3E;;GAEG;AACH,eAAO,MAAM,kBAAkB;IAC7B,yDAAyD;;IAEzD,kDAAkD;;IAElD,0CAA0C;;IAE1C,8CAA8C;;CAEtC,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;;;QAxKpB,0DAA0D;;;;;;;;;;;;;;;;QAsC1D,+BAA+B;;QAG/B,0BAA0B;;QAG1B,kDAAkD;;QAGlD,6CAA6C;;;;QAiD7C,6CAA6C;;QAE7C,4CAA4C;;QAE5C,8CAA8C;;QAE9C,0DAA0D;;QAE1D,kDAAkD;;QAElD,uCAAuC;;QAEvC,2CAA2C;;QAE3C,4CAA4C;;QAE5C,4CAA4C;;QAE5C,sDAAsD;;;;QAQtD,4BAA4B;;QAE5B,0CAA0C;;QAE1C,qDAAqD;;;;;QA6BrD,yDAAyD;;QAEzD,kDAAkD;;QAElD,0CAA0C;;QAE1C,8CAA8C;;;CAuBtC,CAAC"}
|
package/dist/constants.mjs
CHANGED
package/dist/constants.mjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/constants.ts"],"names":[],"mappings":";AAYO,IAAM,SAAA,GAAY;AAMlB,IAAM,YAAA,GAAe;AAKrB,IAAM,UAAA,GAAa;AAAA,EACxB,SAAA,EAAW,CAAC,OAAO,CAAA;AAAA,EACnB,OAAA,EAAS;AACX;AAKO,IAAM,OAAA,GAAU;AAAA,EACrB,OAAA,EAAS,cAAA;AAAA,EACT,cAAA,EAAgB,sBAAA;AAAA,EAChB,IAAA,EAAM,MAAA;AAAA;AAAA,EAEN,OAAA,EAAS,cAAA;AAAA,EACT,cAAA,EAAgB,sBAAA;AAAA,EAChB,aAAA,EAAe;AACjB;AAQO,IAAM,MAAA,GAAS;AAAA,EACpB,YAAA,EAAc,uBAAA;AAAA,EACd,YAAA,EAAc,WAAA;AAAA,EACd,eAAA,EAAiB,iBAAA;AAAA,EACjB,eAAA,EAAiB,IAAA;AAAA,EACjB,QAAA,EAAU,MAAA;AAAA;AAAA,EACV,QAAA,EAAU;AACZ;AAQO,IAAM,aAAA,GAAgB;AAAA,EAC3B,UAAA,EAAY,+BAAA;AAAA,EACZ,aAAA,EAAe,iBAAA;AAAA,EACf,eAAA,EAAiB,IAAA;AAAA,EACjB,QAAA,EAAU,KAAA;AAAA;AAAA,EACV,QAAA,EAAU,CAAA;AAAA,EACV,cAAA,EAAgB;AAClB;AAKO,IAAM,SAAA,GAAY;AAAA,EACvB,cAAc,MAAA,CAAO,YAAA;AAAA,EACrB,eAAA,EAAiB,UAAA;AAAA,EACjB,iBAAiB,MAAA,CAAO;AAC1B;AAKO,IAAM,IAAA,GAAO;AAAA,EAClB,YAAA,EAAc,EAAA;AAAA,EACd,WAAA,EAAa,CAAA;AAAA,EACb,wBAAA,EAA0B;AAC5B;AAKO,IAAM,OAAA,GAAU;AAAA,EACrB,kBAAA,EAAoB,EAAA;AAAA,EACpB,kBAAA,EAAoB,EAAA;AAAA,EACpB,iBAAA,EAAmB;AAAA;AACrB;AAKO,IAAM,MAAA,GAAS;AAAA,EACpB,cAAA,EAAgB,YAAA;AAAA,EAChB,cAAA,EAAgB;AAClB;AAMO,IAAM,cAAA,GAAiB;AAKvB,IAAM,2BAAA,GAA8B;AAMpC,IAAM,IAAA,GAAO;AAAA;AAAA,EAElB,SAAA,EAAW,QAAA;AAAA;AAAA,EAGX,MAAA,EAAQ,SAAA;AAAA;AAAA,EAGR,OAAA,EAAS,uBAAA;AAAA;AAAA,EAGT,UAAA,EAAY;AACd;AASO,SAAS,UAAU,IAAA,EAAqD;AAC7E,EAAA,IAAI,CAAC,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA,EAAG;AAC5B,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO;AAAA,IACL,GAAA,EAAK,QAAA;AAAA,IACL,GAAA,EAAK,IAAA,CAAK,KAAA,CAAM,CAAC;AAAA;AAAA,GACnB;AACF;AASO,SAAS,WAAW,GAAA,EAA4B;AACrD,EAAA,IAAI,CAAC,IAAA,CAAK,UAAA,CAAW,IAAA,CAAK,GAAG,CAAA,EAAG;AAC9B,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO,UAAU,GAAG,CAAA,CAAA;AACtB;AAQO,SAAS,YAAY,IAAA,EAAuB;AACjD,EAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA;AAC/B;AAKO,IAAM,eAAA,GAAkB;AAAA;AAAA,EAE7B,eAAA,EAAiB,MAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,iBAAA,EAAmB,KAAA;AAAA;AAAA,EAEnB,eAAA,EAAiB,KAAA;AAAA;AAAA,EAEjB,YAAA,EAAc,KAAA;AAAA;AAAA,EAEd,WAAA,EAAa,EAAA;AAAA;AAAA,EAEb,UAAA,EAAY,IAAA;AAAA;AAAA,EAEZ,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,YAAA,EAAc,CAAA;AAAA;AAAA,EAEd,gBAAA,EAAkB;AACpB;AAKO,IAAM,gBAAA,GAAmB;AAAA;AAAA,EAE9B,SAAA,EAAW,IAAA;AAAA;AAAA,EAEX,eAAA,EAAiB,IAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB;AAClB;AAKO,IAAM,iBAAA,GAAoB;AAAA;AAAA,EAE/B,OAAA,EAAS,CAAC,YAAA,EAAc,eAAA,EAAiB,gBAAgB,CAAA;AAAA;AAAA,EAEzD,SAAA,EAAW,CAAC,gBAAgB,CAAA;AAAA;AAAA,EAE5B,QAAA,EAAU,CAAC,aAAa,CAAA;AAAA;AAAA,EAExB,YAAA,EAAc,CAAC,SAAS,CAAA;AAAA;AAAA,EAExB,aAAA,EAAe,CAAC,WAAW;AAC7B;AAKO,IAAM,uBAAA,GAA0B;AAKhC,IAAM,kBAAA,GAAqB;AAAA;AAAA,EAEhC,UAAA,EAAY,aAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,cAAA;AAAA;AAAA,EAEb,gBAAA,EAAkB,mBAAA;AAAA;AAAA,EAElB,cAAA,EAAgB;AAClB;AAKO,IAAM,SAAA,GAAY;AAAA,EACvB,SAAA;AAAA,EACA,YAAA;AAAA,EACA,UAAA;AAAA,EACA,OAAA;AAAA,EACA,SAAA;AAAA,EACA,IAAA;AAAA,EACA,OAAA;AAAA,EACA,MAAA;AAAA,EACA,cAAA;AAAA,EACA,2BAAA;AAAA,EACA,IAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,uBAAA;AAAA,EACA;AACF","file":"constants.mjs","sourcesContent":["/**\n * PEAC Protocol Constants\n * Derived from specs/kernel/constants.json\n *\n * NOTE: This file is manually synced for v0.9.15.\n * From v0.9.16+, this will be auto-generated via codegen.\n */\n\n/**\n * Wire format type for PEAC receipts\n * Normalized to peac-receipt/0.1 per DEC-20260114-002\n */\nexport const WIRE_TYPE = 'peac-receipt/0.1' as const;\n\n/**\n * Wire format version (extracted from WIRE_TYPE)\n * Use this for wire_version fields in receipts\n */\nexport const WIRE_VERSION = '0.1' as const;\n\n/**\n * Supported cryptographic algorithms\n */\nexport const ALGORITHMS = {\n supported: ['EdDSA'] as const,\n default: 'EdDSA' as const,\n} as const;\n\n/**\n * HTTP header names for PEAC protocol\n */\nexport const HEADERS = {\n receipt: 'PEAC-Receipt' as const,\n receiptPointer: 'PEAC-Receipt-Pointer' as const,\n dpop: 'DPoP' as const,\n // Purpose headers (v0.9.24+)\n purpose: 'PEAC-Purpose' as const,\n purposeApplied: 'PEAC-Purpose-Applied' as const,\n purposeReason: 'PEAC-Purpose-Reason' as const,\n} as const;\n\n/**\n * Policy manifest settings (/.well-known/peac.txt)\n *\n * Policy documents declare access terms for agents and gateways.\n * @see docs/specs/PEAC-TXT.md\n */\nexport const POLICY = {\n manifestPath: '/.well-known/peac.txt' as const,\n fallbackPath: '/peac.txt' as const,\n manifestVersion: 'peac-policy/0.1' as const,\n cacheTtlSeconds: 3600,\n maxBytes: 262144, // 256 KiB\n maxDepth: 8,\n} as const;\n\n/**\n * Issuer configuration settings (/.well-known/peac-issuer.json)\n *\n * Issuer config enables verifiers to discover JWKS and verification endpoints.\n * @see docs/specs/PEAC-ISSUER.md\n */\nexport const ISSUER_CONFIG = {\n configPath: '/.well-known/peac-issuer.json' as const,\n configVersion: 'peac-issuer/0.1' as const,\n cacheTtlSeconds: 3600,\n maxBytes: 65536, // 64 KiB\n maxDepth: 4,\n fetchTimeoutMs: 10000,\n} as const;\n\n/**\n * @deprecated Use POLICY instead. Will be removed in v1.0.\n */\nexport const DISCOVERY = {\n manifestPath: POLICY.manifestPath,\n manifestVersion: 'peac/0.9' as const,\n cacheTtlSeconds: POLICY.cacheTtlSeconds,\n} as const;\n\n/**\n * JWKS rotation and revocation settings\n */\nexport const JWKS = {\n rotationDays: 90,\n overlapDays: 7,\n emergencyRevocationHours: 24,\n} as const;\n\n/**\n * Receipt validation constants\n */\nexport const RECEIPT = {\n minReceiptIdLength: 16,\n maxReceiptIdLength: 64,\n defaultTtlSeconds: 86400, // 24 hours\n} as const;\n\n/**\n * Payment amount validation limits (in cents/smallest currency unit)\n */\nexport const LIMITS = {\n maxAmountCents: 999999999999,\n minAmountCents: 1,\n} as const;\n\n/**\n * Bundle format version.\n * Used in dispute bundles, audit bundles, and archive bundles.\n */\nexport const BUNDLE_VERSION = 'peac-bundle/0.1' as const;\n\n/**\n * Verification report format version.\n */\nexport const VERIFICATION_REPORT_VERSION = 'peac-verification-report/0.1' as const;\n\n/**\n * Hash format constants and utilities.\n * All hashes use the self-describing format: sha256:<64 lowercase hex chars>\n */\nexport const HASH = {\n /** Canonical hash algorithm */\n algorithm: 'sha256' as const,\n\n /** Hash prefix pattern */\n prefix: 'sha256:' as const,\n\n /** Valid hash regex: sha256:<64 lowercase hex> */\n pattern: /^sha256:[0-9a-f]{64}$/,\n\n /** Hex-only pattern for legacy comparison */\n hexPattern: /^[0-9a-f]{64}$/,\n};\n\n/**\n * Parse a sha256:<hex> hash string into components.\n * Returns null if the format is invalid.\n *\n * @param hash - Hash string to parse (e.g., \"sha256:abc123...\")\n * @returns Parsed hash or null if invalid\n */\nexport function parseHash(hash: string): { alg: 'sha256'; hex: string } | null {\n if (!HASH.pattern.test(hash)) {\n return null;\n }\n return {\n alg: 'sha256',\n hex: hash.slice(7), // Remove 'sha256:' prefix\n };\n}\n\n/**\n * Format a hex string as a sha256:<hex> hash.\n * Validates that the hex is exactly 64 lowercase characters.\n *\n * @param hex - Hex string (64 lowercase characters)\n * @returns Formatted hash or null if invalid\n */\nexport function formatHash(hex: string): string | null {\n if (!HASH.hexPattern.test(hex)) {\n return null;\n }\n return `sha256:${hex}`;\n}\n\n/**\n * Validate a hash string is in the correct format.\n *\n * @param hash - Hash string to validate\n * @returns true if valid sha256:<64 hex> format\n */\nexport function isValidHash(hash: string): boolean {\n return HASH.pattern.test(hash);\n}\n\n/**\n * Verifier security limits per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFIER_LIMITS = {\n /** Maximum receipt size in bytes (256 KB) */\n maxReceiptBytes: 262144,\n /** Maximum number of claims in a receipt */\n maxClaimsCount: 100,\n /** Maximum extension size in bytes (64 KB) */\n maxExtensionBytes: 65536,\n /** Maximum string length for individual claims (64 KB) */\n maxStringLength: 65536,\n /** Maximum JWKS document size in bytes (64 KB) */\n maxJwksBytes: 65536,\n /** Maximum number of keys in a JWKS */\n maxJwksKeys: 20,\n /** Maximum individual key size in bytes */\n maxKeySize: 4096,\n /** Network fetch timeout in milliseconds */\n fetchTimeoutMs: 5000,\n /** Maximum number of redirects to follow */\n maxRedirects: 3,\n /** Maximum network response size in bytes (256 KB) */\n maxResponseBytes: 262144,\n} as const;\n\n/**\n * Verifier network security settings per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFIER_NETWORK = {\n /** Only allow HTTPS URLs */\n httpsOnly: true,\n /** Block requests to private IP ranges */\n blockPrivateIps: true,\n /** Default redirect policy (false = no redirects) */\n allowRedirects: false,\n} as const;\n\n/**\n * Private IPv4 CIDR blocks to block for SSRF protection\n */\nexport const PRIVATE_IP_RANGES = {\n /** RFC 1918 private ranges */\n rfc1918: ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'] as const,\n /** Link-local addresses */\n linkLocal: ['169.254.0.0/16'] as const,\n /** Loopback addresses */\n loopback: ['127.0.0.0/8'] as const,\n /** IPv6 loopback */\n ipv6Loopback: ['::1/128'] as const,\n /** IPv6 link-local */\n ipv6LinkLocal: ['fe80::/10'] as const,\n} as const;\n\n/**\n * Verifier policy version\n */\nexport const VERIFIER_POLICY_VERSION = 'peac-verifier-policy/0.1' as const;\n\n/**\n * Verification modes per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFICATION_MODES = {\n /** All verification in browser/client, may fetch JWKS */\n clientSide: 'client_side' as const,\n /** No network access, uses bundled/pinned keys */\n offlineOnly: 'offline_only' as const,\n /** Prefer offline, fallback to network */\n offlinePreferred: 'offline_preferred' as const,\n /** Allow network fetches for key discovery */\n networkAllowed: 'network_allowed' as const,\n} as const;\n\n/**\n * All constants export\n */\nexport const CONSTANTS = {\n WIRE_TYPE,\n WIRE_VERSION,\n ALGORITHMS,\n HEADERS,\n DISCOVERY,\n JWKS,\n RECEIPT,\n LIMITS,\n BUNDLE_VERSION,\n VERIFICATION_REPORT_VERSION,\n HASH,\n VERIFIER_LIMITS,\n VERIFIER_NETWORK,\n VERIFIER_POLICY_VERSION,\n VERIFICATION_MODES,\n} as const;\n"]}
|
|
1
|
+
{"version":3,"sources":["../src/constants.ts"],"names":[],"mappings":";AAYO,IAAM,SAAA,GAAY;AAMlB,IAAM,YAAA,GAAe;AAKrB,IAAM,UAAA,GAAa;AAAA,EACxB,SAAA,EAAW,CAAC,OAAO,CAAA;AAAA,EACnB,OAAA,EAAS;AACX;AAKO,IAAM,OAAA,GAAU;AAAA,EACrB,OAAA,EAAS,cAAA;AAAA,EACT,cAAA,EAAgB,sBAAA;AAAA,EAChB,IAAA,EAAM,MAAA;AAAA;AAAA,EAEN,OAAA,EAAS,cAAA;AAAA,EACT,cAAA,EAAgB,sBAAA;AAAA,EAChB,aAAA,EAAe;AACjB;AAQO,IAAM,MAAA,GAAS;AAAA,EACpB,YAAA,EAAc,uBAAA;AAAA,EACd,YAAA,EAAc,WAAA;AAAA,EACd,eAAA,EAAiB,iBAAA;AAAA,EACjB,eAAA,EAAiB,IAAA;AAAA,EACjB,QAAA,EAAU,MAAA;AAAA;AAAA,EACV,QAAA,EAAU;AACZ;AAQO,IAAM,aAAA,GAAgB;AAAA,EAC3B,UAAA,EAAY,+BAAA;AAAA,EACZ,aAAA,EAAe,iBAAA;AAAA,EACf,eAAA,EAAiB,IAAA;AAAA,EACjB,QAAA,EAAU,KAAA;AAAA;AAAA,EACV,QAAA,EAAU,CAAA;AAAA,EACV,cAAA,EAAgB;AAClB;AAKO,IAAM,SAAA,GAAY;AAAA,EACvB,cAAc,MAAA,CAAO,YAAA;AAAA,EACrB,eAAA,EAAiB,UAAA;AAAA,EACjB,iBAAiB,MAAA,CAAO;AAC1B;AAKO,IAAM,IAAA,GAAO;AAAA,EAClB,YAAA,EAAc,EAAA;AAAA;AAAA,EAEd,WAAA,EAAa,EAAA;AAAA,EACb,wBAAA,EAA0B;AAC5B;AAKO,IAAM,OAAA,GAAU;AAAA,EACrB,kBAAA,EAAoB,EAAA;AAAA,EACpB,kBAAA,EAAoB,EAAA;AAAA,EACpB,iBAAA,EAAmB;AAAA;AACrB;AAKO,IAAM,MAAA,GAAS;AAAA,EACpB,cAAA,EAAgB,YAAA;AAAA,EAChB,cAAA,EAAgB;AAClB;AAMO,IAAM,cAAA,GAAiB;AAKvB,IAAM,2BAAA,GAA8B;AAMpC,IAAM,IAAA,GAAO;AAAA;AAAA,EAElB,SAAA,EAAW,QAAA;AAAA;AAAA,EAGX,MAAA,EAAQ,SAAA;AAAA;AAAA,EAGR,OAAA,EAAS,uBAAA;AAAA;AAAA,EAGT,UAAA,EAAY;AACd;AASO,SAAS,UAAU,IAAA,EAAqD;AAC7E,EAAA,IAAI,CAAC,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA,EAAG;AAC5B,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO;AAAA,IACL,GAAA,EAAK,QAAA;AAAA,IACL,GAAA,EAAK,IAAA,CAAK,KAAA,CAAM,CAAC;AAAA;AAAA,GACnB;AACF;AASO,SAAS,WAAW,GAAA,EAA4B;AACrD,EAAA,IAAI,CAAC,IAAA,CAAK,UAAA,CAAW,IAAA,CAAK,GAAG,CAAA,EAAG;AAC9B,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO,UAAU,GAAG,CAAA,CAAA;AACtB;AAQO,SAAS,YAAY,IAAA,EAAuB;AACjD,EAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA;AAC/B;AAKO,IAAM,eAAA,GAAkB;AAAA;AAAA,EAE7B,eAAA,EAAiB,MAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,iBAAA,EAAmB,KAAA;AAAA;AAAA,EAEnB,eAAA,EAAiB,KAAA;AAAA;AAAA,EAEjB,YAAA,EAAc,KAAA;AAAA;AAAA,EAEd,WAAA,EAAa,EAAA;AAAA;AAAA,EAEb,UAAA,EAAY,IAAA;AAAA;AAAA,EAEZ,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,YAAA,EAAc,CAAA;AAAA;AAAA,EAEd,gBAAA,EAAkB;AACpB;AAKO,IAAM,gBAAA,GAAmB;AAAA;AAAA,EAE9B,SAAA,EAAW,IAAA;AAAA;AAAA,EAEX,eAAA,EAAiB,IAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB;AAClB;AAKO,IAAM,iBAAA,GAAoB;AAAA;AAAA,EAE/B,OAAA,EAAS,CAAC,YAAA,EAAc,eAAA,EAAiB,gBAAgB,CAAA;AAAA;AAAA,EAEzD,SAAA,EAAW,CAAC,gBAAgB,CAAA;AAAA;AAAA,EAE5B,QAAA,EAAU,CAAC,aAAa,CAAA;AAAA;AAAA,EAExB,YAAA,EAAc,CAAC,SAAS,CAAA;AAAA;AAAA,EAExB,aAAA,EAAe,CAAC,WAAW;AAC7B;AAKO,IAAM,uBAAA,GAA0B;AAKhC,IAAM,kBAAA,GAAqB;AAAA;AAAA,EAEhC,UAAA,EAAY,aAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,cAAA;AAAA;AAAA,EAEb,gBAAA,EAAkB,mBAAA;AAAA;AAAA,EAElB,cAAA,EAAgB;AAClB;AAKO,IAAM,SAAA,GAAY;AAAA,EACvB,SAAA;AAAA,EACA,YAAA;AAAA,EACA,UAAA;AAAA,EACA,OAAA;AAAA,EACA,SAAA;AAAA,EACA,IAAA;AAAA,EACA,OAAA;AAAA,EACA,MAAA;AAAA,EACA,cAAA;AAAA,EACA,2BAAA;AAAA,EACA,IAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,uBAAA;AAAA,EACA;AACF","file":"constants.mjs","sourcesContent":["/**\n * PEAC Protocol Constants\n * Derived from specs/kernel/constants.json\n *\n * NOTE: This file is manually synced for v0.9.15.\n * From v0.9.16+, this will be auto-generated via codegen.\n */\n\n/**\n * Wire format type for PEAC receipts\n * Normalized to peac-receipt/0.1 per DEC-20260114-002\n */\nexport const WIRE_TYPE = 'peac-receipt/0.1' as const;\n\n/**\n * Wire format version (extracted from WIRE_TYPE)\n * Use this for wire_version fields in receipts\n */\nexport const WIRE_VERSION = '0.1' as const;\n\n/**\n * Supported cryptographic algorithms\n */\nexport const ALGORITHMS = {\n supported: ['EdDSA'] as const,\n default: 'EdDSA' as const,\n} as const;\n\n/**\n * HTTP header names for PEAC protocol\n */\nexport const HEADERS = {\n receipt: 'PEAC-Receipt' as const,\n receiptPointer: 'PEAC-Receipt-Pointer' as const,\n dpop: 'DPoP' as const,\n // Purpose headers (v0.9.24+)\n purpose: 'PEAC-Purpose' as const,\n purposeApplied: 'PEAC-Purpose-Applied' as const,\n purposeReason: 'PEAC-Purpose-Reason' as const,\n} as const;\n\n/**\n * Policy manifest settings (/.well-known/peac.txt)\n *\n * Policy documents declare access terms for agents and gateways.\n * @see docs/specs/PEAC-TXT.md\n */\nexport const POLICY = {\n manifestPath: '/.well-known/peac.txt' as const,\n fallbackPath: '/peac.txt' as const,\n manifestVersion: 'peac-policy/0.1' as const,\n cacheTtlSeconds: 3600,\n maxBytes: 262144, // 256 KiB\n maxDepth: 8,\n} as const;\n\n/**\n * Issuer configuration settings (/.well-known/peac-issuer.json)\n *\n * Issuer config enables verifiers to discover JWKS and verification endpoints.\n * @see docs/specs/PEAC-ISSUER.md\n */\nexport const ISSUER_CONFIG = {\n configPath: '/.well-known/peac-issuer.json' as const,\n configVersion: 'peac-issuer/0.1' as const,\n cacheTtlSeconds: 3600,\n maxBytes: 65536, // 64 KiB\n maxDepth: 4,\n fetchTimeoutMs: 10000,\n} as const;\n\n/**\n * @deprecated Use POLICY instead. Will be removed in v1.0.\n */\nexport const DISCOVERY = {\n manifestPath: POLICY.manifestPath,\n manifestVersion: 'peac/0.9' as const,\n cacheTtlSeconds: POLICY.cacheTtlSeconds,\n} as const;\n\n/**\n * JWKS rotation and revocation settings\n */\nexport const JWKS = {\n rotationDays: 90,\n /** Normative minimum overlap period (DD-148, v0.11.3+) */\n overlapDays: 30,\n emergencyRevocationHours: 24,\n} as const;\n\n/**\n * Receipt validation constants\n */\nexport const RECEIPT = {\n minReceiptIdLength: 16,\n maxReceiptIdLength: 64,\n defaultTtlSeconds: 86400, // 24 hours\n} as const;\n\n/**\n * Payment amount validation limits (in cents/smallest currency unit)\n */\nexport const LIMITS = {\n maxAmountCents: 999999999999,\n minAmountCents: 1,\n} as const;\n\n/**\n * Bundle format version.\n * Used in dispute bundles, audit bundles, and archive bundles.\n */\nexport const BUNDLE_VERSION = 'peac-bundle/0.1' as const;\n\n/**\n * Verification report format version.\n */\nexport const VERIFICATION_REPORT_VERSION = 'peac-verification-report/0.1' as const;\n\n/**\n * Hash format constants and utilities.\n * All hashes use the self-describing format: sha256:<64 lowercase hex chars>\n */\nexport const HASH = {\n /** Canonical hash algorithm */\n algorithm: 'sha256' as const,\n\n /** Hash prefix pattern */\n prefix: 'sha256:' as const,\n\n /** Valid hash regex: sha256:<64 lowercase hex> */\n pattern: /^sha256:[0-9a-f]{64}$/,\n\n /** Hex-only pattern for legacy comparison */\n hexPattern: /^[0-9a-f]{64}$/,\n};\n\n/**\n * Parse a sha256:<hex> hash string into components.\n * Returns null if the format is invalid.\n *\n * @param hash - Hash string to parse (e.g., \"sha256:abc123...\")\n * @returns Parsed hash or null if invalid\n */\nexport function parseHash(hash: string): { alg: 'sha256'; hex: string } | null {\n if (!HASH.pattern.test(hash)) {\n return null;\n }\n return {\n alg: 'sha256',\n hex: hash.slice(7), // Remove 'sha256:' prefix\n };\n}\n\n/**\n * Format a hex string as a sha256:<hex> hash.\n * Validates that the hex is exactly 64 lowercase characters.\n *\n * @param hex - Hex string (64 lowercase characters)\n * @returns Formatted hash or null if invalid\n */\nexport function formatHash(hex: string): string | null {\n if (!HASH.hexPattern.test(hex)) {\n return null;\n }\n return `sha256:${hex}`;\n}\n\n/**\n * Validate a hash string is in the correct format.\n *\n * @param hash - Hash string to validate\n * @returns true if valid sha256:<64 hex> format\n */\nexport function isValidHash(hash: string): boolean {\n return HASH.pattern.test(hash);\n}\n\n/**\n * Verifier security limits per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFIER_LIMITS = {\n /** Maximum receipt size in bytes (256 KB) */\n maxReceiptBytes: 262144,\n /** Maximum number of claims in a receipt */\n maxClaimsCount: 100,\n /** Maximum extension size in bytes (64 KB) */\n maxExtensionBytes: 65536,\n /** Maximum string length for individual claims (64 KB) */\n maxStringLength: 65536,\n /** Maximum JWKS document size in bytes (64 KB) */\n maxJwksBytes: 65536,\n /** Maximum number of keys in a JWKS */\n maxJwksKeys: 20,\n /** Maximum individual key size in bytes */\n maxKeySize: 4096,\n /** Network fetch timeout in milliseconds */\n fetchTimeoutMs: 5000,\n /** Maximum number of redirects to follow */\n maxRedirects: 3,\n /** Maximum network response size in bytes (256 KB) */\n maxResponseBytes: 262144,\n} as const;\n\n/**\n * Verifier network security settings per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFIER_NETWORK = {\n /** Only allow HTTPS URLs */\n httpsOnly: true,\n /** Block requests to private IP ranges */\n blockPrivateIps: true,\n /** Default redirect policy (false = no redirects) */\n allowRedirects: false,\n} as const;\n\n/**\n * Private IPv4 CIDR blocks to block for SSRF protection\n */\nexport const PRIVATE_IP_RANGES = {\n /** RFC 1918 private ranges */\n rfc1918: ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'] as const,\n /** Link-local addresses */\n linkLocal: ['169.254.0.0/16'] as const,\n /** Loopback addresses */\n loopback: ['127.0.0.0/8'] as const,\n /** IPv6 loopback */\n ipv6Loopback: ['::1/128'] as const,\n /** IPv6 link-local */\n ipv6LinkLocal: ['fe80::/10'] as const,\n} as const;\n\n/**\n * Verifier policy version\n */\nexport const VERIFIER_POLICY_VERSION = 'peac-verifier-policy/0.1' as const;\n\n/**\n * Verification modes per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFICATION_MODES = {\n /** All verification in browser/client, may fetch JWKS */\n clientSide: 'client_side' as const,\n /** No network access, uses bundled/pinned keys */\n offlineOnly: 'offline_only' as const,\n /** Prefer offline, fallback to network */\n offlinePreferred: 'offline_preferred' as const,\n /** Allow network fetches for key discovery */\n networkAllowed: 'network_allowed' as const,\n} as const;\n\n/**\n * All constants export\n */\nexport const CONSTANTS = {\n WIRE_TYPE,\n WIRE_VERSION,\n ALGORITHMS,\n HEADERS,\n DISCOVERY,\n JWKS,\n RECEIPT,\n LIMITS,\n BUNDLE_VERSION,\n VERIFICATION_REPORT_VERSION,\n HASH,\n VERIFIER_LIMITS,\n VERIFIER_NETWORK,\n VERIFIER_POLICY_VERSION,\n VERIFICATION_MODES,\n} as const;\n"]}
|