@peac/kernel 0.11.3 → 0.12.0-preview.2

package/dist/constants.cjs

@@ -139,6 +139,29 @@ var VERIFICATION_MODES = {
   /** Allow network fetches for key discovery */
   networkAllowed: "network_allowed"
 };
+var WIRE_01_JWS_TYP = "peac-receipt/0.1";
+var WIRE_02_JWS_TYP = "interaction-record+jwt";
+var WIRE_02_JWS_TYP_ACCEPT = [
+  "interaction-record+jwt",
+  "application/interaction-record+jwt"
+];
+var WIRE_02_VERSION = "0.2";
+var WIRE_VERSIONS = ["0.1", "0.2"];
+var ISS_CANONICAL = {
+  maxLength: 2048,
+  supportedSchemes: ["https", "did"],
+  /** Default port for https (rejected if explicit in iss). */
+  defaultPorts: { https: 443 }
+};
+var TYPE_GRAMMAR = { maxLength: 256 };
+var POLICY_BLOCK = {
+  /** Maximum length of the policy.uri HTTPS hint (chars). */
+  uriMaxLength: 2048,
+  /** Maximum length of the policy.version label (chars). */
+  versionMaxLength: 256
+};
+var OCCURRED_AT_TOLERANCE_SECONDS = 300;
+var PEAC_ALG = ALGORITHMS.default;
 var CONSTANTS = {
   WIRE_TYPE,
   WIRE_VERSION,
@@ -164,18 +187,28 @@ exports.DISCOVERY = DISCOVERY;
 exports.HASH = HASH;
 exports.HEADERS = HEADERS;
 exports.ISSUER_CONFIG = ISSUER_CONFIG;
+exports.ISS_CANONICAL = ISS_CANONICAL;
 exports.JWKS = JWKS;
 exports.LIMITS = LIMITS;
+exports.OCCURRED_AT_TOLERANCE_SECONDS = OCCURRED_AT_TOLERANCE_SECONDS;
+exports.PEAC_ALG = PEAC_ALG;
 exports.POLICY = POLICY;
+exports.POLICY_BLOCK = POLICY_BLOCK;
 exports.PRIVATE_IP_RANGES = PRIVATE_IP_RANGES;
 exports.RECEIPT = RECEIPT;
+exports.TYPE_GRAMMAR = TYPE_GRAMMAR;
 exports.VERIFICATION_MODES = VERIFICATION_MODES;
 exports.VERIFICATION_REPORT_VERSION = VERIFICATION_REPORT_VERSION;
 exports.VERIFIER_LIMITS = VERIFIER_LIMITS;
 exports.VERIFIER_NETWORK = VERIFIER_NETWORK;
 exports.VERIFIER_POLICY_VERSION = VERIFIER_POLICY_VERSION;
+exports.WIRE_01_JWS_TYP = WIRE_01_JWS_TYP;
+exports.WIRE_02_JWS_TYP = WIRE_02_JWS_TYP;
+exports.WIRE_02_JWS_TYP_ACCEPT = WIRE_02_JWS_TYP_ACCEPT;
+exports.WIRE_02_VERSION = WIRE_02_VERSION;
 exports.WIRE_TYPE = WIRE_TYPE;
 exports.WIRE_VERSION = WIRE_VERSION;
+exports.WIRE_VERSIONS = WIRE_VERSIONS;
 exports.formatHash = formatHash;
 exports.isValidHash = isValidHash;
 exports.parseHash = parseHash;

package/dist/constants.cjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/constants.ts"],"names":[],"mappings":";;;AAYO,IAAM,SAAA,GAAY;AAMlB,IAAM,YAAA,GAAe;AAKrB,IAAM,UAAA,GAAa;AAAA,EACxB,SAAA,EAAW,CAAC,OAAO,CAAA;AAAA,EACnB,OAAA,EAAS;AACX;AAKO,IAAM,OAAA,GAAU;AAAA,EACrB,OAAA,EAAS,cAAA;AAAA,EACT,cAAA,EAAgB,sBAAA;AAAA,EAChB,IAAA,EAAM,MAAA;AAAA;AAAA,EAEN,OAAA,EAAS,cAAA;AAAA,EACT,cAAA,EAAgB,sBAAA;AAAA,EAChB,aAAA,EAAe;AACjB;AAQO,IAAM,MAAA,GAAS;AAAA,EACpB,YAAA,EAAc,uBAAA;AAAA,EACd,YAAA,EAAc,WAAA;AAAA,EACd,eAAA,EAAiB,iBAAA;AAAA,EACjB,eAAA,EAAiB,IAAA;AAAA,EACjB,QAAA,EAAU,MAAA;AAAA;AAAA,EACV,QAAA,EAAU;AACZ;AAQO,IAAM,aAAA,GAAgB;AAAA,EAC3B,UAAA,EAAY,+BAAA;AAAA,EACZ,aAAA,EAAe,iBAAA;AAAA,EACf,eAAA,EAAiB,IAAA;AAAA,EACjB,QAAA,EAAU,KAAA;AAAA;AAAA,EACV,QAAA,EAAU,CAAA;AAAA,EACV,cAAA,EAAgB;AAClB;AAKO,IAAM,SAAA,GAAY;AAAA,EACvB,cAAc,MAAA,CAAO,YAAA;AAAA,EACrB,eAAA,EAAiB,UAAA;AAAA,EACjB,iBAAiB,MAAA,CAAO;AAC1B;AAKO,IAAM,IAAA,GAAO;AAAA,EAClB,YAAA,EAAc,EAAA;AAAA;AAAA,EAEd,WAAA,EAAa,EAAA;AAAA,EACb,wBAAA,EAA0B;AAC5B;AAKO,IAAM,OAAA,GAAU;AAAA,EACrB,kBAAA,EAAoB,EAAA;AAAA,EACpB,kBAAA,EAAoB,EAAA;AAAA,EACpB,iBAAA,EAAmB;AAAA;AACrB;AAKO,IAAM,MAAA,GAAS;AAAA,EACpB,cAAA,EAAgB,YAAA;AAAA,EAChB,cAAA,EAAgB;AAClB;AAMO,IAAM,cAAA,GAAiB;AAKvB,IAAM,2BAAA,GAA8B;AAMpC,IAAM,IAAA,GAAO;AAAA;AAAA,EAElB,SAAA,EAAW,QAAA;AAAA;AAAA,EAGX,MAAA,EAAQ,SAAA;AAAA;AAAA,EAGR,OAAA,EAAS,uBAAA;AAAA;AAAA,EAGT,UAAA,EAAY;AACd;AASO,SAAS,UAAU,IAAA,EAAqD;AAC7E,EAAA,IAAI,CAAC,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA,EAAG;AAC5B,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO;AAAA,IACL,GAAA,EAAK,QAAA;AAAA,IACL,GAAA,EAAK,IAAA,CAAK,KAAA,CAAM,CAAC;AAAA;AAAA,GACnB;AACF;AASO,SAAS,WAAW,GAAA,EAA4B;AACrD,EAAA,IAAI,CAAC,IAAA,CAAK,UAAA,CAAW,IAAA,CAAK,GAAG,CAAA,EAAG;AAC9B,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO,UAAU,GAAG,CAAA,CAAA;AACtB;AAQO,SAAS,YAAY,IAAA,EAAuB;AACjD,EAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA;AAC/B;AAKO,IAAM,eAAA,GAAkB;AAAA;AAAA,EAE7B,eAAA,EAAiB,MAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,iBAAA,EAAmB,KAAA;AAAA;AAAA,EAEnB,eAAA,EAAiB,KAAA;AAAA;AAAA,EAEjB,YAAA,EAAc,KAAA;AAAA;AAAA,EAEd,WAAA,EAAa,EAAA;AAAA;AAAA,EAEb,UAAA,EAAY,IAAA;AAAA;AAAA,EAEZ,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,YAAA,EAAc,CAAA;AAAA;AAAA,EAEd,gBAAA,EAAkB;AACpB;AAKO,IAAM,gBAAA,GAAmB;AAAA;AAAA,EAE9B,SAAA,EAAW,IAAA;AAAA;AAAA,EAEX,eAAA,EAAiB,IAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB;AAClB;AAKO,IAAM,iBAAA,GAAoB;AAAA;AAAA,EAE/B,OAAA,EAAS,CAAC,YAAA,EAAc,eAAA,EAAiB,gBAAgB,CAAA;AAAA;AAAA,EAEzD,SAAA,EAAW,CAAC,gBAAgB,CAAA;AAAA;AAAA,EAE5B,QAAA,EAAU,CAAC,aAAa,CAAA;AAAA;AAAA,EAExB,YAAA,EAAc,CAAC,SAAS,CAAA;AAAA;AAAA,EAExB,aAAA,EAAe,CAAC,WAAW;AAC7B;AAKO,IAAM,uBAAA,GAA0B;AAKhC,IAAM,kBAAA,GAAqB;AAAA;AAAA,EAEhC,UAAA,EAAY,aAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,cAAA;AAAA;AAAA,EAEb,gBAAA,EAAkB,mBAAA;AAAA;AAAA,EAElB,cAAA,EAAgB;AAClB;AAKO,IAAM,SAAA,GAAY;AAAA,EACvB,SAAA;AAAA,EACA,YAAA;AAAA,EACA,UAAA;AAAA,EACA,OAAA;AAAA,EACA,SAAA;AAAA,EACA,IAAA;AAAA,EACA,OAAA;AAAA,EACA,MAAA;AAAA,EACA,cAAA;AAAA,EACA,2BAAA;AAAA,EACA,IAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,uBAAA;AAAA,EACA;AACF","file":"constants.cjs","sourcesContent":["/**\n * PEAC Protocol Constants\n * Derived from specs/kernel/constants.json\n *\n * NOTE: This file is manually synced for v0.9.15.\n * From v0.9.16+, this will be auto-generated via codegen.\n */\n\n/**\n * Wire format type for PEAC receipts\n * Normalized to peac-receipt/0.1 per DEC-20260114-002\n */\nexport const WIRE_TYPE = 'peac-receipt/0.1' as const;\n\n/**\n * Wire format version (extracted from WIRE_TYPE)\n * Use this for wire_version fields in receipts\n */\nexport const WIRE_VERSION = '0.1' as const;\n\n/**\n * Supported cryptographic algorithms\n */\nexport const ALGORITHMS = {\n  supported: ['EdDSA'] as const,\n  default: 'EdDSA' as const,\n} as const;\n\n/**\n * HTTP header names for PEAC protocol\n */\nexport const HEADERS = {\n  receipt: 'PEAC-Receipt' as const,\n  receiptPointer: 'PEAC-Receipt-Pointer' as const,\n  dpop: 'DPoP' as const,\n  // Purpose headers (v0.9.24+)\n  purpose: 'PEAC-Purpose' as const,\n  purposeApplied: 'PEAC-Purpose-Applied' as const,\n  purposeReason: 'PEAC-Purpose-Reason' as const,\n} as const;\n\n/**\n * Policy manifest settings (/.well-known/peac.txt)\n *\n * Policy documents declare access terms for agents and gateways.\n * @see docs/specs/PEAC-TXT.md\n */\nexport const POLICY = {\n  manifestPath: '/.well-known/peac.txt' as const,\n  fallbackPath: '/peac.txt' as const,\n  manifestVersion: 'peac-policy/0.1' as const,\n  cacheTtlSeconds: 3600,\n  maxBytes: 262144, // 256 KiB\n  maxDepth: 8,\n} as const;\n\n/**\n * Issuer configuration settings (/.well-known/peac-issuer.json)\n *\n * Issuer config enables verifiers to discover JWKS and verification endpoints.\n * @see docs/specs/PEAC-ISSUER.md\n */\nexport const ISSUER_CONFIG = {\n  configPath: '/.well-known/peac-issuer.json' as const,\n  configVersion: 'peac-issuer/0.1' as const,\n  cacheTtlSeconds: 3600,\n  maxBytes: 65536, // 64 KiB\n  maxDepth: 4,\n  fetchTimeoutMs: 10000,\n} as const;\n\n/**\n * @deprecated Use POLICY instead. Will be removed in v1.0.\n */\nexport const DISCOVERY = {\n  manifestPath: POLICY.manifestPath,\n  manifestVersion: 'peac/0.9' as const,\n  cacheTtlSeconds: POLICY.cacheTtlSeconds,\n} as const;\n\n/**\n * JWKS rotation and revocation settings\n */\nexport const JWKS = {\n  rotationDays: 90,\n  /** Normative minimum overlap period (DD-148, v0.11.3+) */\n  overlapDays: 30,\n  emergencyRevocationHours: 24,\n} as const;\n\n/**\n * Receipt validation constants\n */\nexport const RECEIPT = {\n  minReceiptIdLength: 16,\n  maxReceiptIdLength: 64,\n  defaultTtlSeconds: 86400, // 24 hours\n} as const;\n\n/**\n * Payment amount validation limits (in cents/smallest currency unit)\n */\nexport const LIMITS = {\n  maxAmountCents: 999999999999,\n  minAmountCents: 1,\n} as const;\n\n/**\n * Bundle format version.\n * Used in dispute bundles, audit bundles, and archive bundles.\n */\nexport const BUNDLE_VERSION = 'peac-bundle/0.1' as const;\n\n/**\n * Verification report format version.\n */\nexport const VERIFICATION_REPORT_VERSION = 'peac-verification-report/0.1' as const;\n\n/**\n * Hash format constants and utilities.\n * All hashes use the self-describing format: sha256:<64 lowercase hex chars>\n */\nexport const HASH = {\n  /** Canonical hash algorithm */\n  algorithm: 'sha256' as const,\n\n  /** Hash prefix pattern */\n  prefix: 'sha256:' as const,\n\n  /** Valid hash regex: sha256:<64 lowercase hex> */\n  pattern: /^sha256:[0-9a-f]{64}$/,\n\n  /** Hex-only pattern for legacy comparison */\n  hexPattern: /^[0-9a-f]{64}$/,\n};\n\n/**\n * Parse a sha256:<hex> hash string into components.\n * Returns null if the format is invalid.\n *\n * @param hash - Hash string to parse (e.g., \"sha256:abc123...\")\n * @returns Parsed hash or null if invalid\n */\nexport function parseHash(hash: string): { alg: 'sha256'; hex: string } | null {\n  if (!HASH.pattern.test(hash)) {\n    return null;\n  }\n  return {\n    alg: 'sha256',\n    hex: hash.slice(7), // Remove 'sha256:' prefix\n  };\n}\n\n/**\n * Format a hex string as a sha256:<hex> hash.\n * Validates that the hex is exactly 64 lowercase characters.\n *\n * @param hex - Hex string (64 lowercase characters)\n * @returns Formatted hash or null if invalid\n */\nexport function formatHash(hex: string): string | null {\n  if (!HASH.hexPattern.test(hex)) {\n    return null;\n  }\n  return `sha256:${hex}`;\n}\n\n/**\n * Validate a hash string is in the correct format.\n *\n * @param hash - Hash string to validate\n * @returns true if valid sha256:<64 hex> format\n */\nexport function isValidHash(hash: string): boolean {\n  return HASH.pattern.test(hash);\n}\n\n/**\n * Verifier security limits per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFIER_LIMITS = {\n  /** Maximum receipt size in bytes (256 KB) */\n  maxReceiptBytes: 262144,\n  /** Maximum number of claims in a receipt */\n  maxClaimsCount: 100,\n  /** Maximum extension size in bytes (64 KB) */\n  maxExtensionBytes: 65536,\n  /** Maximum string length for individual claims (64 KB) */\n  maxStringLength: 65536,\n  /** Maximum JWKS document size in bytes (64 KB) */\n  maxJwksBytes: 65536,\n  /** Maximum number of keys in a JWKS */\n  maxJwksKeys: 20,\n  /** Maximum individual key size in bytes */\n  maxKeySize: 4096,\n  /** Network fetch timeout in milliseconds */\n  fetchTimeoutMs: 5000,\n  /** Maximum number of redirects to follow */\n  maxRedirects: 3,\n  /** Maximum network response size in bytes (256 KB) */\n  maxResponseBytes: 262144,\n} as const;\n\n/**\n * Verifier network security settings per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFIER_NETWORK = {\n  /** Only allow HTTPS URLs */\n  httpsOnly: true,\n  /** Block requests to private IP ranges */\n  blockPrivateIps: true,\n  /** Default redirect policy (false = no redirects) */\n  allowRedirects: false,\n} as const;\n\n/**\n * Private IPv4 CIDR blocks to block for SSRF protection\n */\nexport const PRIVATE_IP_RANGES = {\n  /** RFC 1918 private ranges */\n  rfc1918: ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'] as const,\n  /** Link-local addresses */\n  linkLocal: ['169.254.0.0/16'] as const,\n  /** Loopback addresses */\n  loopback: ['127.0.0.0/8'] as const,\n  /** IPv6 loopback */\n  ipv6Loopback: ['::1/128'] as const,\n  /** IPv6 link-local */\n  ipv6LinkLocal: ['fe80::/10'] as const,\n} as const;\n\n/**\n * Verifier policy version\n */\nexport const VERIFIER_POLICY_VERSION = 'peac-verifier-policy/0.1' as const;\n\n/**\n * Verification modes per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFICATION_MODES = {\n  /** All verification in browser/client, may fetch JWKS */\n  clientSide: 'client_side' as const,\n  /** No network access, uses bundled/pinned keys */\n  offlineOnly: 'offline_only' as const,\n  /** Prefer offline, fallback to network */\n  offlinePreferred: 'offline_preferred' as const,\n  /** Allow network fetches for key discovery */\n  networkAllowed: 'network_allowed' as const,\n} as const;\n\n/**\n * All constants export\n */\nexport const CONSTANTS = {\n  WIRE_TYPE,\n  WIRE_VERSION,\n  ALGORITHMS,\n  HEADERS,\n  DISCOVERY,\n  JWKS,\n  RECEIPT,\n  LIMITS,\n  BUNDLE_VERSION,\n  VERIFICATION_REPORT_VERSION,\n  HASH,\n  VERIFIER_LIMITS,\n  VERIFIER_NETWORK,\n  VERIFIER_POLICY_VERSION,\n  VERIFICATION_MODES,\n} as const;\n"]}
+{"version":3,"sources":["../src/constants.ts"],"names":[],"mappings":";;;AAWO,IAAM,SAAA,GAAY;AASlB,IAAM,YAAA,GAAe;AAKrB,IAAM,UAAA,GAAa;AAAA,EACxB,SAAA,EAAW,CAAC,OAAO,CAAA;AAAA,EACnB,OAAA,EAAS;AACX;AAKO,IAAM,OAAA,GAAU;AAAA,EACrB,OAAA,EAAS,cAAA;AAAA,EACT,cAAA,EAAgB,sBAAA;AAAA,EAChB,IAAA,EAAM,MAAA;AAAA;AAAA,EAEN,OAAA,EAAS,cAAA;AAAA,EACT,cAAA,EAAgB,sBAAA;AAAA,EAChB,aAAA,EAAe;AACjB;AAQO,IAAM,MAAA,GAAS;AAAA,EACpB,YAAA,EAAc,uBAAA;AAAA,EACd,YAAA,EAAc,WAAA;AAAA,EACd,eAAA,EAAiB,iBAAA;AAAA,EACjB,eAAA,EAAiB,IAAA;AAAA,EACjB,QAAA,EAAU,MAAA;AAAA;AAAA,EACV,QAAA,EAAU;AACZ;AAQO,IAAM,aAAA,GAAgB;AAAA,EAC3B,UAAA,EAAY,+BAAA;AAAA,EACZ,aAAA,EAAe,iBAAA;AAAA,EACf,eAAA,EAAiB,IAAA;AAAA,EACjB,QAAA,EAAU,KAAA;AAAA;AAAA,EACV,QAAA,EAAU,CAAA;AAAA,EACV,cAAA,EAAgB;AAClB;AAKO,IAAM,SAAA,GAAY;AAAA,EACvB,cAAc,MAAA,CAAO,YAAA;AAAA,EACrB,eAAA,EAAiB,UAAA;AAAA,EACjB,iBAAiB,MAAA,CAAO;AAC1B;AAKO,IAAM,IAAA,GAAO;AAAA,EAClB,YAAA,EAAc,EAAA;AAAA;AAAA,EAEd,WAAA,EAAa,EAAA;AAAA,EACb,wBAAA,EAA0B;AAC5B;AAKO,IAAM,OAAA,GAAU;AAAA,EACrB,kBAAA,EAAoB,EAAA;AAAA,EACpB,kBAAA,EAAoB,EAAA;AAAA,EACpB,iBAAA,EAAmB;AAAA;AACrB;AAKO,IAAM,MAAA,GAAS;AAAA,EACpB,cAAA,EAAgB,YAAA;AAAA,EAChB,cAAA,EAAgB;AAClB;AAMO,IAAM,cAAA,GAAiB;AAKvB,IAAM,2BAAA,GAA8B;AAMpC,IAAM,IAAA,GAAO;AAAA;AAAA,EAElB,SAAA,EAAW,QAAA;AAAA;AAAA,EAGX,MAAA,EAAQ,SAAA;AAAA;AAAA,EAGR,OAAA,EAAS,uBAAA;AAAA;AAAA,EAGT,UAAA,EAAY;AACd;AASO,SAAS,UAAU,IAAA,EAAqD;AAC7E,EAAA,IAAI,CAAC,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA,EAAG;AAC5B,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO;AAAA,IACL,GAAA,EAAK,QAAA;AAAA,IACL,GAAA,EAAK,IAAA,CAAK,KAAA,CAAM,CAAC;AAAA;AAAA,GACnB;AACF;AASO,SAAS,WAAW,GAAA,EAA4B;AACrD,EAAA,IAAI,CAAC,IAAA,CAAK,UAAA,CAAW,IAAA,CAAK,GAAG,CAAA,EAAG;AAC9B,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO,UAAU,GAAG,CAAA,CAAA;AACtB;AAQO,SAAS,YAAY,IAAA,EAAuB;AACjD,EAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA;AAC/B;AAKO,IAAM,eAAA,GAAkB;AAAA;AAAA,EAE7B,eAAA,EAAiB,MAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,iBAAA,EAAmB,KAAA;AAAA;AAAA,EAEnB,eAAA,EAAiB,KAAA;AAAA;AAAA,EAEjB,YAAA,EAAc,KAAA;AAAA;AAAA,EAEd,WAAA,EAAa,EAAA;AAAA;AAAA,EAEb,UAAA,EAAY,IAAA;AAAA;AAAA,EAEZ,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,YAAA,EAAc,CAAA;AAAA;AAAA,EAEd,gBAAA,EAAkB;AACpB;AAKO,IAAM,gBAAA,GAAmB;AAAA;AAAA,EAE9B,SAAA,EAAW,IAAA;AAAA;AAAA,EAEX,eAAA,EAAiB,IAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB;AAClB;AAKO,IAAM,iBAAA,GAAoB;AAAA;AAAA,EAE/B,OAAA,EAAS,CAAC,YAAA,EAAc,eAAA,EAAiB,gBAAgB,CAAA;AAAA;AAAA,EAEzD,SAAA,EAAW,CAAC,gBAAgB,CAAA;AAAA;AAAA,EAE5B,QAAA,EAAU,CAAC,aAAa,CAAA;AAAA;AAAA,EAExB,YAAA,EAAc,CAAC,SAAS,CAAA;AAAA;AAAA,EAExB,aAAA,EAAe,CAAC,WAAW;AAC7B;AAKO,IAAM,uBAAA,GAA0B;AAKhC,IAAM,kBAAA,GAAqB;AAAA;AAAA,EAEhC,UAAA,EAAY,aAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,cAAA;AAAA;AAAA,EAEb,gBAAA,EAAkB,mBAAA;AAAA;AAAA,EAElB,cAAA,EAAgB;AAClB;AAYO,IAAM,eAAA,GAAkB;AAQxB,IAAM,eAAA,GAAkB;AAOxB,IAAM,sBAAA,GAAyB;AAAA,EACpC,wBAAA;AAAA,EACA;AACF;AAMO,IAAM,eAAA,GAAkB;AAKxB,IAAM,aAAA,GAAgB,CAAC,KAAA,EAAO,KAAK;AAYnC,IAAM,aAAA,GAAgB;AAAA,EAC3B,SAAA,EAAW,IAAA;AAAA,EACX,gBAAA,EAAkB,CAAC,OAAA,EAAS,KAAK,CAAA;AAAA;AAAA,EAEjC,YAAA,EAAc,EAAE,KAAA,EAAO,GAAA;AACzB;AAKO,IAAM,YAAA,GAAe,EAAE,SAAA,EAAW,GAAA;AAMlC,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,YAAA,EAAc,IAAA;AAAA;AAAA,EAEd,gBAAA,EAAkB;AACpB;AAOO,IAAM,6BAAA,GAAgC;AAetC,IAAM,WAAW,UAAA,CAAW;AAS5B,IAAM,SAAA,GAAY;AAAA,EACvB,SAAA;AAAA,EACA,YAAA;AAAA,EACA,UAAA;AAAA,EACA,OAAA;AAAA,EACA,SAAA;AAAA,EACA,IAAA;AAAA,EACA,OAAA;AAAA,EACA,MAAA;AAAA,EACA,cAAA;AAAA,EACA,2BAAA;AAAA,EACA,IAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,uBAAA;AAAA,EACA;AACF","file":"constants.cjs","sourcesContent":["/**\n * PEAC Protocol Constants\n */\n\n/**\n * Wire 0.1 JWS `typ` claim (legacy constant name).\n *\n * @deprecated Use `WIRE_01_JWS_TYP` for new code. `WIRE_TYPE` and\n * `WIRE_01_JWS_TYP` resolve to the same string; `WIRE_01_JWS_TYP` is the\n * canonical name at the JWS layer (v0.12.0-preview.1+, Wire 0.2 dual-stack).\n */\nexport const WIRE_TYPE = 'peac-receipt/0.1' as const;\n\n/**\n * Wire 0.1 version string (legacy constant name).\n *\n * @deprecated Use `WIRE_VERSIONS` or compare against `WIRE_02_VERSION` for\n * dual-stack version detection. `WIRE_VERSION` remains valid for Wire 0.1\n * but does not participate in the Wire 0.2 version model.\n */\nexport const WIRE_VERSION = '0.1' as const;\n\n/**\n * Supported cryptographic algorithms\n */\nexport const ALGORITHMS = {\n  supported: ['EdDSA'] as const,\n  default: 'EdDSA' as const,\n} as const;\n\n/**\n * HTTP header names for PEAC protocol\n */\nexport const HEADERS = {\n  receipt: 'PEAC-Receipt' as const,\n  receiptPointer: 'PEAC-Receipt-Pointer' as const,\n  dpop: 'DPoP' as const,\n  // Purpose headers (v0.9.24+)\n  purpose: 'PEAC-Purpose' as const,\n  purposeApplied: 'PEAC-Purpose-Applied' as const,\n  purposeReason: 'PEAC-Purpose-Reason' as const,\n} as const;\n\n/**\n * Policy manifest settings (/.well-known/peac.txt)\n *\n * Policy documents declare access terms for agents and gateways.\n * @see docs/specs/PEAC-TXT.md\n */\nexport const POLICY = {\n  manifestPath: '/.well-known/peac.txt' as const,\n  fallbackPath: '/peac.txt' as const,\n  manifestVersion: 'peac-policy/0.1' as const,\n  cacheTtlSeconds: 3600,\n  maxBytes: 262144, // 256 KiB\n  maxDepth: 8,\n} as const;\n\n/**\n * Issuer configuration settings (/.well-known/peac-issuer.json)\n *\n * Issuer config enables verifiers to discover JWKS and verification endpoints.\n * @see docs/specs/PEAC-ISSUER.md\n */\nexport const ISSUER_CONFIG = {\n  configPath: '/.well-known/peac-issuer.json' as const,\n  configVersion: 'peac-issuer/0.1' as const,\n  cacheTtlSeconds: 3600,\n  maxBytes: 65536, // 64 KiB\n  maxDepth: 4,\n  fetchTimeoutMs: 10000,\n} as const;\n\n/**\n * @deprecated Use POLICY instead. Will be removed in v1.0.\n */\nexport const DISCOVERY = {\n  manifestPath: POLICY.manifestPath,\n  manifestVersion: 'peac/0.9' as const,\n  cacheTtlSeconds: POLICY.cacheTtlSeconds,\n} as const;\n\n/**\n * JWKS rotation and revocation settings\n */\nexport const JWKS = {\n  rotationDays: 90,\n  /** Normative minimum overlap period (DD-148, v0.11.3+) */\n  overlapDays: 30,\n  emergencyRevocationHours: 24,\n} as const;\n\n/**\n * Receipt validation constants\n */\nexport const RECEIPT = {\n  minReceiptIdLength: 16,\n  maxReceiptIdLength: 64,\n  defaultTtlSeconds: 86400, // 24 hours\n} as const;\n\n/**\n * Payment amount validation limits (in cents/smallest currency unit)\n */\nexport const LIMITS = {\n  maxAmountCents: 999999999999,\n  minAmountCents: 1,\n} as const;\n\n/**\n * Bundle format version.\n * Used in dispute bundles, audit bundles, and archive bundles.\n */\nexport const BUNDLE_VERSION = 'peac-bundle/0.1' as const;\n\n/**\n * Verification report format version.\n */\nexport const VERIFICATION_REPORT_VERSION = 'peac-verification-report/0.1' as const;\n\n/**\n * Hash format constants and utilities.\n * All hashes use the self-describing format: sha256:<64 lowercase hex chars>\n */\nexport const HASH = {\n  /** Canonical hash algorithm */\n  algorithm: 'sha256' as const,\n\n  /** Hash prefix pattern */\n  prefix: 'sha256:' as const,\n\n  /** Valid hash regex: sha256:<64 lowercase hex> */\n  pattern: /^sha256:[0-9a-f]{64}$/,\n\n  /** Hex-only pattern for legacy comparison */\n  hexPattern: /^[0-9a-f]{64}$/,\n};\n\n/**\n * Parse a sha256:<hex> hash string into components.\n * Returns null if the format is invalid.\n *\n * @param hash - Hash string to parse (e.g., \"sha256:abc123...\")\n * @returns Parsed hash or null if invalid\n */\nexport function parseHash(hash: string): { alg: 'sha256'; hex: string } | null {\n  if (!HASH.pattern.test(hash)) {\n    return null;\n  }\n  return {\n    alg: 'sha256',\n    hex: hash.slice(7), // Remove 'sha256:' prefix\n  };\n}\n\n/**\n * Format a hex string as a sha256:<hex> hash.\n * Validates that the hex is exactly 64 lowercase characters.\n *\n * @param hex - Hex string (64 lowercase characters)\n * @returns Formatted hash or null if invalid\n */\nexport function formatHash(hex: string): string | null {\n  if (!HASH.hexPattern.test(hex)) {\n    return null;\n  }\n  return `sha256:${hex}`;\n}\n\n/**\n * Validate a hash string is in the correct format.\n *\n * @param hash - Hash string to validate\n * @returns true if valid sha256:<64 hex> format\n */\nexport function isValidHash(hash: string): boolean {\n  return HASH.pattern.test(hash);\n}\n\n/**\n * Verifier security limits per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFIER_LIMITS = {\n  /** Maximum receipt size in bytes (256 KB) */\n  maxReceiptBytes: 262144,\n  /** Maximum number of claims in a receipt */\n  maxClaimsCount: 100,\n  /** Maximum extension size in bytes (64 KB) */\n  maxExtensionBytes: 65536,\n  /** Maximum string length for individual claims (64 KB) */\n  maxStringLength: 65536,\n  /** Maximum JWKS document size in bytes (64 KB) */\n  maxJwksBytes: 65536,\n  /** Maximum number of keys in a JWKS */\n  maxJwksKeys: 20,\n  /** Maximum individual key size in bytes */\n  maxKeySize: 4096,\n  /** Network fetch timeout in milliseconds */\n  fetchTimeoutMs: 5000,\n  /** Maximum number of redirects to follow */\n  maxRedirects: 3,\n  /** Maximum network response size in bytes (256 KB) */\n  maxResponseBytes: 262144,\n} as const;\n\n/**\n * Verifier network security settings per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFIER_NETWORK = {\n  /** Only allow HTTPS URLs */\n  httpsOnly: true,\n  /** Block requests to private IP ranges */\n  blockPrivateIps: true,\n  /** Default redirect policy (false = no redirects) */\n  allowRedirects: false,\n} as const;\n\n/**\n * Private IPv4 CIDR blocks to block for SSRF protection\n */\nexport const PRIVATE_IP_RANGES = {\n  /** RFC 1918 private ranges */\n  rfc1918: ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'] as const,\n  /** Link-local addresses */\n  linkLocal: ['169.254.0.0/16'] as const,\n  /** Loopback addresses */\n  loopback: ['127.0.0.0/8'] as const,\n  /** IPv6 loopback */\n  ipv6Loopback: ['::1/128'] as const,\n  /** IPv6 link-local */\n  ipv6LinkLocal: ['fe80::/10'] as const,\n} as const;\n\n/**\n * Verifier policy version\n */\nexport const VERIFIER_POLICY_VERSION = 'peac-verifier-policy/0.1' as const;\n\n/**\n * Verification modes per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFICATION_MODES = {\n  /** All verification in browser/client, may fetch JWKS */\n  clientSide: 'client_side' as const,\n  /** No network access, uses bundled/pinned keys */\n  offlineOnly: 'offline_only' as const,\n  /** Prefer offline, fallback to network */\n  offlinePreferred: 'offline_preferred' as const,\n  /** Allow network fetches for key discovery */\n  networkAllowed: 'network_allowed' as const,\n} as const;\n\n// ---------------------------------------------------------------------------\n// Wire 0.2 constants (v0.12.0-preview.1, DD-156)\n// ---------------------------------------------------------------------------\n\n/**\n * JWS header typ value for Wire 0.1 receipts.\n * Canonical location: @peac/kernel (layer correction from @peac/schema).\n * The existing WIRE_TYPE constant is unchanged; both resolve to the same string.\n * @peac/schema re-exports this as PEAC_WIRE_TYP for backward compatibility.\n */\nexport const WIRE_01_JWS_TYP = 'peac-receipt/0.1' as const;\n\n/**\n * JWS header typ value for Wire 0.2 receipts (compact form).\n * Per RFC 7515 Section 4.1.9, the full media type form\n * 'application/interaction-record+jwt' is also accepted by verifiers and\n * normalized to this compact form before returning the header.\n */\nexport const WIRE_02_JWS_TYP = 'interaction-record+jwt' as const;\n\n/**\n * All accepted typ values for Wire 0.2 (compact + full media type form).\n * Used internally by @peac/crypto to fast-reject unrelated tokens.\n * Verifiers normalize the full form to WIRE_02_JWS_TYP before returning.\n */\nexport const WIRE_02_JWS_TYP_ACCEPT = [\n  'interaction-record+jwt',\n  'application/interaction-record+jwt',\n] as const;\n\n/**\n * Wire 0.2 peac_version payload claim value.\n * Discriminates Wire 0.2 envelopes from Wire 0.1 (which have no peac_version field).\n */\nexport const WIRE_02_VERSION = '0.2' as const;\n\n/**\n * All supported wire version strings for dual-stack implementations.\n */\nexport const WIRE_VERSIONS = ['0.1', '0.2'] as const;\n\n/**\n * TypeScript union type for supported wire version values.\n */\nexport type WireVersion = (typeof WIRE_VERSIONS)[number];\n\n/**\n * Canonical issuer (iss) constraints for Wire 0.2.\n * Supported schemes: 'https' (RFC 3986 origin-only) and 'did' (DID Core).\n * All other schemes produce E_ISS_NOT_CANONICAL.\n */\nexport const ISS_CANONICAL = {\n  maxLength: 2048,\n  supportedSchemes: ['https', 'did'] as const,\n  /** Default port for https (rejected if explicit in iss). */\n  defaultPorts: { https: 443 } as Record<string, number>,\n} as const;\n\n/**\n * type claim grammar constraints (open vocabulary: reverse-DNS or absolute URI).\n */\nexport const TYPE_GRAMMAR = { maxLength: 256 } as const;\n\n/**\n * policy block field constraints (Wire 0.2, DD-151).\n * Separate from ISS_CANONICAL to allow independent evolution of each limit.\n */\nexport const POLICY_BLOCK = {\n  /** Maximum length of the policy.uri HTTPS hint (chars). */\n  uriMaxLength: 2048,\n  /** Maximum length of the policy.version label (chars). */\n  versionMaxLength: 256,\n} as const;\n\n/**\n * Maximum tolerated skew between occurred_at and iat for evidence receipts (seconds).\n * If occurred_at > iat within this tolerance, a 'occurred_at_skew' warning is emitted.\n * If occurred_at > now + tolerance, E_OCCURRED_AT_FUTURE is a hard error.\n */\nexport const OCCURRED_AT_TOLERANCE_SECONDS = 300;\n\n/**\n * Verification strictness profiles for Wire 0.2.\n * Owned exclusively by @peac/protocol.verifyLocal(); @peac/crypto has no strictness parameter.\n *\n * - 'strict' (default): typ MUST be present and correct; missing typ is a hard error.\n * - 'interop': tolerates missing typ; emits 'typ_missing' warning; routes by peac_version.\n */\nexport type VerificationStrictness = 'strict' | 'interop';\n\n/**\n * JOSE signature algorithm (EdDSA / Ed25519). Re-exported from kernel for layer\n * correctness: @peac/crypto imports all typ/alg constants from @peac/kernel only.\n */\nexport const PEAC_ALG = ALGORITHMS.default;\n\n// ---------------------------------------------------------------------------\n// Legacy aggregate export (unchanged)\n// ---------------------------------------------------------------------------\n\n/**\n * All constants export\n */\nexport const CONSTANTS = {\n  WIRE_TYPE,\n  WIRE_VERSION,\n  ALGORITHMS,\n  HEADERS,\n  DISCOVERY,\n  JWKS,\n  RECEIPT,\n  LIMITS,\n  BUNDLE_VERSION,\n  VERIFICATION_REPORT_VERSION,\n  HASH,\n  VERIFIER_LIMITS,\n  VERIFIER_NETWORK,\n  VERIFIER_POLICY_VERSION,\n  VERIFICATION_MODES,\n} as const;\n"]}

package/dist/constants.d.ts

@@ -1,18 +1,20 @@
 /**
  * PEAC Protocol Constants
- * Derived from specs/kernel/constants.json
- *
- * NOTE: This file is manually synced for v0.9.15.
- * From v0.9.16+, this will be auto-generated via codegen.
  */
 /**
- * Wire format type for PEAC receipts
- * Normalized to peac-receipt/0.1 per DEC-20260114-002
+ * Wire 0.1 JWS `typ` claim (legacy constant name).
+ *
+ * @deprecated Use `WIRE_01_JWS_TYP` for new code. `WIRE_TYPE` and
+ * `WIRE_01_JWS_TYP` resolve to the same string; `WIRE_01_JWS_TYP` is the
+ * canonical name at the JWS layer (v0.12.0-preview.1+, Wire 0.2 dual-stack).
  */
 export declare const WIRE_TYPE: "peac-receipt/0.1";
 /**
- * Wire format version (extracted from WIRE_TYPE)
- * Use this for wire_version fields in receipts
+ * Wire 0.1 version string (legacy constant name).
+ *
+ * @deprecated Use `WIRE_VERSIONS` or compare against `WIRE_02_VERSION` for
+ * dual-stack version detection. `WIRE_VERSION` remains valid for Wire 0.1
+ * but does not participate in the Wire 0.2 version model.
  */
 export declare const WIRE_VERSION: "0.1";
 /**
@@ -210,6 +212,85 @@ export declare const VERIFICATION_MODES: {
     /** Allow network fetches for key discovery */
     readonly networkAllowed: "network_allowed";
 };
+/**
+ * JWS header typ value for Wire 0.1 receipts.
+ * Canonical location: @peac/kernel (layer correction from @peac/schema).
+ * The existing WIRE_TYPE constant is unchanged; both resolve to the same string.
+ * @peac/schema re-exports this as PEAC_WIRE_TYP for backward compatibility.
+ */
+export declare const WIRE_01_JWS_TYP: "peac-receipt/0.1";
+/**
+ * JWS header typ value for Wire 0.2 receipts (compact form).
+ * Per RFC 7515 Section 4.1.9, the full media type form
+ * 'application/interaction-record+jwt' is also accepted by verifiers and
+ * normalized to this compact form before returning the header.
+ */
+export declare const WIRE_02_JWS_TYP: "interaction-record+jwt";
+/**
+ * All accepted typ values for Wire 0.2 (compact + full media type form).
+ * Used internally by @peac/crypto to fast-reject unrelated tokens.
+ * Verifiers normalize the full form to WIRE_02_JWS_TYP before returning.
+ */
+export declare const WIRE_02_JWS_TYP_ACCEPT: readonly ["interaction-record+jwt", "application/interaction-record+jwt"];
+/**
+ * Wire 0.2 peac_version payload claim value.
+ * Discriminates Wire 0.2 envelopes from Wire 0.1 (which have no peac_version field).
+ */
+export declare const WIRE_02_VERSION: "0.2";
+/**
+ * All supported wire version strings for dual-stack implementations.
+ */
+export declare const WIRE_VERSIONS: readonly ["0.1", "0.2"];
+/**
+ * TypeScript union type for supported wire version values.
+ */
+export type WireVersion = (typeof WIRE_VERSIONS)[number];
+/**
+ * Canonical issuer (iss) constraints for Wire 0.2.
+ * Supported schemes: 'https' (RFC 3986 origin-only) and 'did' (DID Core).
+ * All other schemes produce E_ISS_NOT_CANONICAL.
+ */
+export declare const ISS_CANONICAL: {
+    readonly maxLength: 2048;
+    readonly supportedSchemes: readonly ["https", "did"];
+    /** Default port for https (rejected if explicit in iss). */
+    readonly defaultPorts: Record<string, number>;
+};
+/**
+ * type claim grammar constraints (open vocabulary: reverse-DNS or absolute URI).
+ */
+export declare const TYPE_GRAMMAR: {
+    readonly maxLength: 256;
+};
+/**
+ * policy block field constraints (Wire 0.2, DD-151).
+ * Separate from ISS_CANONICAL to allow independent evolution of each limit.
+ */
+export declare const POLICY_BLOCK: {
+    /** Maximum length of the policy.uri HTTPS hint (chars). */
+    readonly uriMaxLength: 2048;
+    /** Maximum length of the policy.version label (chars). */
+    readonly versionMaxLength: 256;
+};
+/**
+ * Maximum tolerated skew between occurred_at and iat for evidence receipts (seconds).
+ * If occurred_at > iat within this tolerance, a 'occurred_at_skew' warning is emitted.
+ * If occurred_at > now + tolerance, E_OCCURRED_AT_FUTURE is a hard error.
+ */
+export declare const OCCURRED_AT_TOLERANCE_SECONDS = 300;
+/**
+ * Verification strictness profiles for Wire 0.2.
+ * Owned exclusively by @peac/protocol.verifyLocal(); @peac/crypto has no strictness parameter.
+ *
+ * - 'strict' (default): typ MUST be present and correct; missing typ is a hard error.
+ * - 'interop': tolerates missing typ; emits 'typ_missing' warning; routes by peac_version.
+ */
+export type VerificationStrictness = 'strict' | 'interop';
+/**
+ * JOSE signature algorithm (EdDSA / Ed25519). Re-exported from kernel for layer
+ * correctness: @peac/crypto imports all typ/alg constants from @peac/kernel only.
+ */
+export declare const PEAC_ALG: "EdDSA";
 /**
  * All constants export
  */

package/dist/constants.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;GAGG;AACH,eAAO,MAAM,SAAS,EAAG,kBAA2B,CAAC;AAErD;;;GAGG;AACH,eAAO,MAAM,YAAY,EAAG,KAAc,CAAC;AAE3C;;GAEG;AACH,eAAO,MAAM,UAAU;;;CAGb,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,OAAO;;;;;;;CAQV,CAAC;AAEX;;;;;GAKG;AACH,eAAO,MAAM,MAAM;;;;;;;CAOT,CAAC;AAEX;;;;;GAKG;AACH,eAAO,MAAM,aAAa;;;;;;;CAOhB,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,SAAS;;;;CAIZ,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,IAAI;;IAEf,0DAA0D;;;CAGlD,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,OAAO;;;;CAIV,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,MAAM;;;CAGT,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,cAAc,EAAG,iBAA0B,CAAC;AAEzD;;GAEG;AACH,eAAO,MAAM,2BAA2B,EAAG,8BAAuC,CAAC;AAEnF;;;GAGG;AACH,eAAO,MAAM,IAAI;IACf,+BAA+B;;IAG/B,0BAA0B;;IAG1B,kDAAkD;;IAGlD,6CAA6C;;CAE9C,CAAC;AAEF;;;;;;GAMG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG;IAAE,GAAG,EAAE,QAAQ,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAQ7E;AAED;;;;;;GAMG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAKrD;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEjD;AAED;;GAEG;AACH,eAAO,MAAM,eAAe;IAC1B,6CAA6C;;IAE7C,4CAA4C;;IAE5C,8CAA8C;;IAE9C,0DAA0D;;IAE1D,kDAAkD;;IAElD,uCAAuC;;IAEvC,2CAA2C;;IAE3C,4CAA4C;;IAE5C,4CAA4C;;IAE5C,sDAAsD;;CAE9C,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,gBAAgB;IAC3B,4BAA4B;;IAE5B,0CAA0C;;IAE1C,qDAAqD;;CAE7C,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,iBAAiB;IAC5B,8BAA8B;;IAE9B,2BAA2B;;IAE3B,yBAAyB;;IAEzB,oBAAoB;;IAEpB,sBAAsB;;CAEd,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,uBAAuB,EAAG,0BAAmC,CAAC;AAE3E;;GAEG;AACH,eAAO,MAAM,kBAAkB;IAC7B,yDAAyD;;IAEzD,kDAAkD;;IAElD,0CAA0C;;IAE1C,8CAA8C;;CAEtC,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;;;QAxKpB,0DAA0D;;;;;;;;;;;;;;;;QAsC1D,+BAA+B;;QAG/B,0BAA0B;;QAG1B,kDAAkD;;QAGlD,6CAA6C;;;;QAiD7C,6CAA6C;;QAE7C,4CAA4C;;QAE5C,8CAA8C;;QAE9C,0DAA0D;;QAE1D,kDAAkD;;QAElD,uCAAuC;;QAEvC,2CAA2C;;QAE3C,4CAA4C;;QAE5C,4CAA4C;;QAE5C,sDAAsD;;;;QAQtD,4BAA4B;;QAE5B,0CAA0C;;QAE1C,qDAAqD;;;;;QA6BrD,yDAAyD;;QAEzD,kDAAkD;;QAElD,0CAA0C;;QAE1C,8CAA8C;;;CAuBtC,CAAC"}
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../src/constants.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,SAAS,EAAG,kBAA2B,CAAC;AAErD;;;;;;GAMG;AACH,eAAO,MAAM,YAAY,EAAG,KAAc,CAAC;AAE3C;;GAEG;AACH,eAAO,MAAM,UAAU;;;CAGb,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,OAAO;;;;;;;CAQV,CAAC;AAEX;;;;;GAKG;AACH,eAAO,MAAM,MAAM;;;;;;;CAOT,CAAC;AAEX;;;;;GAKG;AACH,eAAO,MAAM,aAAa;;;;;;;CAOhB,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,SAAS;;;;CAIZ,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,IAAI;;IAEf,0DAA0D;;;CAGlD,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,OAAO;;;;CAIV,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,MAAM;;;CAGT,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,cAAc,EAAG,iBAA0B,CAAC;AAEzD;;GAEG;AACH,eAAO,MAAM,2BAA2B,EAAG,8BAAuC,CAAC;AAEnF;;;GAGG;AACH,eAAO,MAAM,IAAI;IACf,+BAA+B;;IAG/B,0BAA0B;;IAG1B,kDAAkD;;IAGlD,6CAA6C;;CAE9C,CAAC;AAEF;;;;;;GAMG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG;IAAE,GAAG,EAAE,QAAQ,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,CAQ7E;AAED;;;;;;GAMG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAKrD;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEjD;AAED;;GAEG;AACH,eAAO,MAAM,eAAe;IAC1B,6CAA6C;;IAE7C,4CAA4C;;IAE5C,8CAA8C;;IAE9C,0DAA0D;;IAE1D,kDAAkD;;IAElD,uCAAuC;;IAEvC,2CAA2C;;IAE3C,4CAA4C;;IAE5C,4CAA4C;;IAE5C,sDAAsD;;CAE9C,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,gBAAgB;IAC3B,4BAA4B;;IAE5B,0CAA0C;;IAE1C,qDAAqD;;CAE7C,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,iBAAiB;IAC5B,8BAA8B;;IAE9B,2BAA2B;;IAE3B,yBAAyB;;IAEzB,oBAAoB;;IAEpB,sBAAsB;;CAEd,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,uBAAuB,EAAG,0BAAmC,CAAC;AAE3E;;GAEG;AACH,eAAO,MAAM,kBAAkB;IAC7B,yDAAyD;;IAEzD,kDAAkD;;IAElD,0CAA0C;;IAE1C,8CAA8C;;CAEtC,CAAC;AAMX;;;;;GAKG;AACH,eAAO,MAAM,eAAe,EAAG,kBAA2B,CAAC;AAE3D;;;;;GAKG;AACH,eAAO,MAAM,eAAe,EAAG,wBAAiC,CAAC;AAEjE;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,2EAGzB,CAAC;AAEX;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAG,KAAc,CAAC;AAE9C;;GAEG;AACH,eAAO,MAAM,aAAa,yBAA0B,CAAC;AAErD;;GAEG;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,OAAO,aAAa,CAAC,CAAC,MAAM,CAAC,CAAC;AAEzD;;;;GAIG;AACH,eAAO,MAAM,aAAa;;;IAGxB,4DAA4D;2BAC5B,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;CAC9C,CAAC;AAEX;;GAEG;AACH,eAAO,MAAM,YAAY;;CAA8B,CAAC;AAExD;;;GAGG;AACH,eAAO,MAAM,YAAY;IACvB,2DAA2D;;IAE3D,0DAA0D;;CAElD,CAAC;AAEX;;;;GAIG;AACH,eAAO,MAAM,6BAA6B,MAAM,CAAC;AAEjD;;;;;;GAMG;AACH,MAAM,MAAM,sBAAsB,GAAG,QAAQ,GAAG,SAAS,CAAC;AAE1D;;;GAGG;AACH,eAAO,MAAM,QAAQ,SAAqB,CAAC;AAM3C;;GAEG;AACH,eAAO,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;;;QA5QpB,0DAA0D;;;;;;;;;;;;;;;;QAsC1D,+BAA+B;;QAG/B,0BAA0B;;QAG1B,kDAAkD;;QAGlD,6CAA6C;;;;QAiD7C,6CAA6C;;QAE7C,4CAA4C;;QAE5C,8CAA8C;;QAE9C,0DAA0D;;QAE1D,kDAAkD;;QAElD,uCAAuC;;QAEvC,2CAA2C;;QAE3C,4CAA4C;;QAE5C,4CAA4C;;QAE5C,sDAAsD;;;;QAQtD,4BAA4B;;QAE5B,0CAA0C;;QAE1C,qDAAqD;;;;;QA6BrD,yDAAyD;;QAEzD,kDAAkD;;QAElD,0CAA0C;;QAE1C,8CAA8C;;;CA2HtC,CAAC"}

package/dist/constants.mjs

@@ -137,6 +137,29 @@ var VERIFICATION_MODES = {
   /** Allow network fetches for key discovery */
   networkAllowed: "network_allowed"
 };
+var WIRE_01_JWS_TYP = "peac-receipt/0.1";
+var WIRE_02_JWS_TYP = "interaction-record+jwt";
+var WIRE_02_JWS_TYP_ACCEPT = [
+  "interaction-record+jwt",
+  "application/interaction-record+jwt"
+];
+var WIRE_02_VERSION = "0.2";
+var WIRE_VERSIONS = ["0.1", "0.2"];
+var ISS_CANONICAL = {
+  maxLength: 2048,
+  supportedSchemes: ["https", "did"],
+  /** Default port for https (rejected if explicit in iss). */
+  defaultPorts: { https: 443 }
+};
+var TYPE_GRAMMAR = { maxLength: 256 };
+var POLICY_BLOCK = {
+  /** Maximum length of the policy.uri HTTPS hint (chars). */
+  uriMaxLength: 2048,
+  /** Maximum length of the policy.version label (chars). */
+  versionMaxLength: 256
+};
+var OCCURRED_AT_TOLERANCE_SECONDS = 300;
+var PEAC_ALG = ALGORITHMS.default;
 var CONSTANTS = {
   WIRE_TYPE,
   WIRE_VERSION,
@@ -155,6 +178,6 @@ var CONSTANTS = {
   VERIFICATION_MODES
 };
 
-export { ALGORITHMS, BUNDLE_VERSION, CONSTANTS, DISCOVERY, HASH, HEADERS, ISSUER_CONFIG, JWKS, LIMITS, POLICY, PRIVATE_IP_RANGES, RECEIPT, VERIFICATION_MODES, VERIFICATION_REPORT_VERSION, VERIFIER_LIMITS, VERIFIER_NETWORK, VERIFIER_POLICY_VERSION, WIRE_TYPE, WIRE_VERSION, formatHash, isValidHash, parseHash };
+export { ALGORITHMS, BUNDLE_VERSION, CONSTANTS, DISCOVERY, HASH, HEADERS, ISSUER_CONFIG, ISS_CANONICAL, JWKS, LIMITS, OCCURRED_AT_TOLERANCE_SECONDS, PEAC_ALG, POLICY, POLICY_BLOCK, PRIVATE_IP_RANGES, RECEIPT, TYPE_GRAMMAR, VERIFICATION_MODES, VERIFICATION_REPORT_VERSION, VERIFIER_LIMITS, VERIFIER_NETWORK, VERIFIER_POLICY_VERSION, WIRE_01_JWS_TYP, WIRE_02_JWS_TYP, WIRE_02_JWS_TYP_ACCEPT, WIRE_02_VERSION, WIRE_TYPE, WIRE_VERSION, WIRE_VERSIONS, formatHash, isValidHash, parseHash };
 //# sourceMappingURL=constants.mjs.map
 //# sourceMappingURL=constants.mjs.map

package/dist/constants.mjs.map

@@ -1 +1 @@
-{"version":3,"sources":["../src/constants.ts"],"names":[],"mappings":";AAYO,IAAM,SAAA,GAAY;AAMlB,IAAM,YAAA,GAAe;AAKrB,IAAM,UAAA,GAAa;AAAA,EACxB,SAAA,EAAW,CAAC,OAAO,CAAA;AAAA,EACnB,OAAA,EAAS;AACX;AAKO,IAAM,OAAA,GAAU;AAAA,EACrB,OAAA,EAAS,cAAA;AAAA,EACT,cAAA,EAAgB,sBAAA;AAAA,EAChB,IAAA,EAAM,MAAA;AAAA;AAAA,EAEN,OAAA,EAAS,cAAA;AAAA,EACT,cAAA,EAAgB,sBAAA;AAAA,EAChB,aAAA,EAAe;AACjB;AAQO,IAAM,MAAA,GAAS;AAAA,EACpB,YAAA,EAAc,uBAAA;AAAA,EACd,YAAA,EAAc,WAAA;AAAA,EACd,eAAA,EAAiB,iBAAA;AAAA,EACjB,eAAA,EAAiB,IAAA;AAAA,EACjB,QAAA,EAAU,MAAA;AAAA;AAAA,EACV,QAAA,EAAU;AACZ;AAQO,IAAM,aAAA,GAAgB;AAAA,EAC3B,UAAA,EAAY,+BAAA;AAAA,EACZ,aAAA,EAAe,iBAAA;AAAA,EACf,eAAA,EAAiB,IAAA;AAAA,EACjB,QAAA,EAAU,KAAA;AAAA;AAAA,EACV,QAAA,EAAU,CAAA;AAAA,EACV,cAAA,EAAgB;AAClB;AAKO,IAAM,SAAA,GAAY;AAAA,EACvB,cAAc,MAAA,CAAO,YAAA;AAAA,EACrB,eAAA,EAAiB,UAAA;AAAA,EACjB,iBAAiB,MAAA,CAAO;AAC1B;AAKO,IAAM,IAAA,GAAO;AAAA,EAClB,YAAA,EAAc,EAAA;AAAA;AAAA,EAEd,WAAA,EAAa,EAAA;AAAA,EACb,wBAAA,EAA0B;AAC5B;AAKO,IAAM,OAAA,GAAU;AAAA,EACrB,kBAAA,EAAoB,EAAA;AAAA,EACpB,kBAAA,EAAoB,EAAA;AAAA,EACpB,iBAAA,EAAmB;AAAA;AACrB;AAKO,IAAM,MAAA,GAAS;AAAA,EACpB,cAAA,EAAgB,YAAA;AAAA,EAChB,cAAA,EAAgB;AAClB;AAMO,IAAM,cAAA,GAAiB;AAKvB,IAAM,2BAAA,GAA8B;AAMpC,IAAM,IAAA,GAAO;AAAA;AAAA,EAElB,SAAA,EAAW,QAAA;AAAA;AAAA,EAGX,MAAA,EAAQ,SAAA;AAAA;AAAA,EAGR,OAAA,EAAS,uBAAA;AAAA;AAAA,EAGT,UAAA,EAAY;AACd;AASO,SAAS,UAAU,IAAA,EAAqD;AAC7E,EAAA,IAAI,CAAC,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA,EAAG;AAC5B,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO;AAAA,IACL,GAAA,EAAK,QAAA;AAAA,IACL,GAAA,EAAK,IAAA,CAAK,KAAA,CAAM,CAAC;AAAA;AAAA,GACnB;AACF;AASO,SAAS,WAAW,GAAA,EAA4B;AACrD,EAAA,IAAI,CAAC,IAAA,CAAK,UAAA,CAAW,IAAA,CAAK,GAAG,CAAA,EAAG;AAC9B,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO,UAAU,GAAG,CAAA,CAAA;AACtB;AAQO,SAAS,YAAY,IAAA,EAAuB;AACjD,EAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA;AAC/B;AAKO,IAAM,eAAA,GAAkB;AAAA;AAAA,EAE7B,eAAA,EAAiB,MAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,iBAAA,EAAmB,KAAA;AAAA;AAAA,EAEnB,eAAA,EAAiB,KAAA;AAAA;AAAA,EAEjB,YAAA,EAAc,KAAA;AAAA;AAAA,EAEd,WAAA,EAAa,EAAA;AAAA;AAAA,EAEb,UAAA,EAAY,IAAA;AAAA;AAAA,EAEZ,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,YAAA,EAAc,CAAA;AAAA;AAAA,EAEd,gBAAA,EAAkB;AACpB;AAKO,IAAM,gBAAA,GAAmB;AAAA;AAAA,EAE9B,SAAA,EAAW,IAAA;AAAA;AAAA,EAEX,eAAA,EAAiB,IAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB;AAClB;AAKO,IAAM,iBAAA,GAAoB;AAAA;AAAA,EAE/B,OAAA,EAAS,CAAC,YAAA,EAAc,eAAA,EAAiB,gBAAgB,CAAA;AAAA;AAAA,EAEzD,SAAA,EAAW,CAAC,gBAAgB,CAAA;AAAA;AAAA,EAE5B,QAAA,EAAU,CAAC,aAAa,CAAA;AAAA;AAAA,EAExB,YAAA,EAAc,CAAC,SAAS,CAAA;AAAA;AAAA,EAExB,aAAA,EAAe,CAAC,WAAW;AAC7B;AAKO,IAAM,uBAAA,GAA0B;AAKhC,IAAM,kBAAA,GAAqB;AAAA;AAAA,EAEhC,UAAA,EAAY,aAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,cAAA;AAAA;AAAA,EAEb,gBAAA,EAAkB,mBAAA;AAAA;AAAA,EAElB,cAAA,EAAgB;AAClB;AAKO,IAAM,SAAA,GAAY;AAAA,EACvB,SAAA;AAAA,EACA,YAAA;AAAA,EACA,UAAA;AAAA,EACA,OAAA;AAAA,EACA,SAAA;AAAA,EACA,IAAA;AAAA,EACA,OAAA;AAAA,EACA,MAAA;AAAA,EACA,cAAA;AAAA,EACA,2BAAA;AAAA,EACA,IAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,uBAAA;AAAA,EACA;AACF","file":"constants.mjs","sourcesContent":["/**\n * PEAC Protocol Constants\n * Derived from specs/kernel/constants.json\n *\n * NOTE: This file is manually synced for v0.9.15.\n * From v0.9.16+, this will be auto-generated via codegen.\n */\n\n/**\n * Wire format type for PEAC receipts\n * Normalized to peac-receipt/0.1 per DEC-20260114-002\n */\nexport const WIRE_TYPE = 'peac-receipt/0.1' as const;\n\n/**\n * Wire format version (extracted from WIRE_TYPE)\n * Use this for wire_version fields in receipts\n */\nexport const WIRE_VERSION = '0.1' as const;\n\n/**\n * Supported cryptographic algorithms\n */\nexport const ALGORITHMS = {\n  supported: ['EdDSA'] as const,\n  default: 'EdDSA' as const,\n} as const;\n\n/**\n * HTTP header names for PEAC protocol\n */\nexport const HEADERS = {\n  receipt: 'PEAC-Receipt' as const,\n  receiptPointer: 'PEAC-Receipt-Pointer' as const,\n  dpop: 'DPoP' as const,\n  // Purpose headers (v0.9.24+)\n  purpose: 'PEAC-Purpose' as const,\n  purposeApplied: 'PEAC-Purpose-Applied' as const,\n  purposeReason: 'PEAC-Purpose-Reason' as const,\n} as const;\n\n/**\n * Policy manifest settings (/.well-known/peac.txt)\n *\n * Policy documents declare access terms for agents and gateways.\n * @see docs/specs/PEAC-TXT.md\n */\nexport const POLICY = {\n  manifestPath: '/.well-known/peac.txt' as const,\n  fallbackPath: '/peac.txt' as const,\n  manifestVersion: 'peac-policy/0.1' as const,\n  cacheTtlSeconds: 3600,\n  maxBytes: 262144, // 256 KiB\n  maxDepth: 8,\n} as const;\n\n/**\n * Issuer configuration settings (/.well-known/peac-issuer.json)\n *\n * Issuer config enables verifiers to discover JWKS and verification endpoints.\n * @see docs/specs/PEAC-ISSUER.md\n */\nexport const ISSUER_CONFIG = {\n  configPath: '/.well-known/peac-issuer.json' as const,\n  configVersion: 'peac-issuer/0.1' as const,\n  cacheTtlSeconds: 3600,\n  maxBytes: 65536, // 64 KiB\n  maxDepth: 4,\n  fetchTimeoutMs: 10000,\n} as const;\n\n/**\n * @deprecated Use POLICY instead. Will be removed in v1.0.\n */\nexport const DISCOVERY = {\n  manifestPath: POLICY.manifestPath,\n  manifestVersion: 'peac/0.9' as const,\n  cacheTtlSeconds: POLICY.cacheTtlSeconds,\n} as const;\n\n/**\n * JWKS rotation and revocation settings\n */\nexport const JWKS = {\n  rotationDays: 90,\n  /** Normative minimum overlap period (DD-148, v0.11.3+) */\n  overlapDays: 30,\n  emergencyRevocationHours: 24,\n} as const;\n\n/**\n * Receipt validation constants\n */\nexport const RECEIPT = {\n  minReceiptIdLength: 16,\n  maxReceiptIdLength: 64,\n  defaultTtlSeconds: 86400, // 24 hours\n} as const;\n\n/**\n * Payment amount validation limits (in cents/smallest currency unit)\n */\nexport const LIMITS = {\n  maxAmountCents: 999999999999,\n  minAmountCents: 1,\n} as const;\n\n/**\n * Bundle format version.\n * Used in dispute bundles, audit bundles, and archive bundles.\n */\nexport const BUNDLE_VERSION = 'peac-bundle/0.1' as const;\n\n/**\n * Verification report format version.\n */\nexport const VERIFICATION_REPORT_VERSION = 'peac-verification-report/0.1' as const;\n\n/**\n * Hash format constants and utilities.\n * All hashes use the self-describing format: sha256:<64 lowercase hex chars>\n */\nexport const HASH = {\n  /** Canonical hash algorithm */\n  algorithm: 'sha256' as const,\n\n  /** Hash prefix pattern */\n  prefix: 'sha256:' as const,\n\n  /** Valid hash regex: sha256:<64 lowercase hex> */\n  pattern: /^sha256:[0-9a-f]{64}$/,\n\n  /** Hex-only pattern for legacy comparison */\n  hexPattern: /^[0-9a-f]{64}$/,\n};\n\n/**\n * Parse a sha256:<hex> hash string into components.\n * Returns null if the format is invalid.\n *\n * @param hash - Hash string to parse (e.g., \"sha256:abc123...\")\n * @returns Parsed hash or null if invalid\n */\nexport function parseHash(hash: string): { alg: 'sha256'; hex: string } | null {\n  if (!HASH.pattern.test(hash)) {\n    return null;\n  }\n  return {\n    alg: 'sha256',\n    hex: hash.slice(7), // Remove 'sha256:' prefix\n  };\n}\n\n/**\n * Format a hex string as a sha256:<hex> hash.\n * Validates that the hex is exactly 64 lowercase characters.\n *\n * @param hex - Hex string (64 lowercase characters)\n * @returns Formatted hash or null if invalid\n */\nexport function formatHash(hex: string): string | null {\n  if (!HASH.hexPattern.test(hex)) {\n    return null;\n  }\n  return `sha256:${hex}`;\n}\n\n/**\n * Validate a hash string is in the correct format.\n *\n * @param hash - Hash string to validate\n * @returns true if valid sha256:<64 hex> format\n */\nexport function isValidHash(hash: string): boolean {\n  return HASH.pattern.test(hash);\n}\n\n/**\n * Verifier security limits per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFIER_LIMITS = {\n  /** Maximum receipt size in bytes (256 KB) */\n  maxReceiptBytes: 262144,\n  /** Maximum number of claims in a receipt */\n  maxClaimsCount: 100,\n  /** Maximum extension size in bytes (64 KB) */\n  maxExtensionBytes: 65536,\n  /** Maximum string length for individual claims (64 KB) */\n  maxStringLength: 65536,\n  /** Maximum JWKS document size in bytes (64 KB) */\n  maxJwksBytes: 65536,\n  /** Maximum number of keys in a JWKS */\n  maxJwksKeys: 20,\n  /** Maximum individual key size in bytes */\n  maxKeySize: 4096,\n  /** Network fetch timeout in milliseconds */\n  fetchTimeoutMs: 5000,\n  /** Maximum number of redirects to follow */\n  maxRedirects: 3,\n  /** Maximum network response size in bytes (256 KB) */\n  maxResponseBytes: 262144,\n} as const;\n\n/**\n * Verifier network security settings per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFIER_NETWORK = {\n  /** Only allow HTTPS URLs */\n  httpsOnly: true,\n  /** Block requests to private IP ranges */\n  blockPrivateIps: true,\n  /** Default redirect policy (false = no redirects) */\n  allowRedirects: false,\n} as const;\n\n/**\n * Private IPv4 CIDR blocks to block for SSRF protection\n */\nexport const PRIVATE_IP_RANGES = {\n  /** RFC 1918 private ranges */\n  rfc1918: ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'] as const,\n  /** Link-local addresses */\n  linkLocal: ['169.254.0.0/16'] as const,\n  /** Loopback addresses */\n  loopback: ['127.0.0.0/8'] as const,\n  /** IPv6 loopback */\n  ipv6Loopback: ['::1/128'] as const,\n  /** IPv6 link-local */\n  ipv6LinkLocal: ['fe80::/10'] as const,\n} as const;\n\n/**\n * Verifier policy version\n */\nexport const VERIFIER_POLICY_VERSION = 'peac-verifier-policy/0.1' as const;\n\n/**\n * Verification modes per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFICATION_MODES = {\n  /** All verification in browser/client, may fetch JWKS */\n  clientSide: 'client_side' as const,\n  /** No network access, uses bundled/pinned keys */\n  offlineOnly: 'offline_only' as const,\n  /** Prefer offline, fallback to network */\n  offlinePreferred: 'offline_preferred' as const,\n  /** Allow network fetches for key discovery */\n  networkAllowed: 'network_allowed' as const,\n} as const;\n\n/**\n * All constants export\n */\nexport const CONSTANTS = {\n  WIRE_TYPE,\n  WIRE_VERSION,\n  ALGORITHMS,\n  HEADERS,\n  DISCOVERY,\n  JWKS,\n  RECEIPT,\n  LIMITS,\n  BUNDLE_VERSION,\n  VERIFICATION_REPORT_VERSION,\n  HASH,\n  VERIFIER_LIMITS,\n  VERIFIER_NETWORK,\n  VERIFIER_POLICY_VERSION,\n  VERIFICATION_MODES,\n} as const;\n"]}
+{"version":3,"sources":["../src/constants.ts"],"names":[],"mappings":";AAWO,IAAM,SAAA,GAAY;AASlB,IAAM,YAAA,GAAe;AAKrB,IAAM,UAAA,GAAa;AAAA,EACxB,SAAA,EAAW,CAAC,OAAO,CAAA;AAAA,EACnB,OAAA,EAAS;AACX;AAKO,IAAM,OAAA,GAAU;AAAA,EACrB,OAAA,EAAS,cAAA;AAAA,EACT,cAAA,EAAgB,sBAAA;AAAA,EAChB,IAAA,EAAM,MAAA;AAAA;AAAA,EAEN,OAAA,EAAS,cAAA;AAAA,EACT,cAAA,EAAgB,sBAAA;AAAA,EAChB,aAAA,EAAe;AACjB;AAQO,IAAM,MAAA,GAAS;AAAA,EACpB,YAAA,EAAc,uBAAA;AAAA,EACd,YAAA,EAAc,WAAA;AAAA,EACd,eAAA,EAAiB,iBAAA;AAAA,EACjB,eAAA,EAAiB,IAAA;AAAA,EACjB,QAAA,EAAU,MAAA;AAAA;AAAA,EACV,QAAA,EAAU;AACZ;AAQO,IAAM,aAAA,GAAgB;AAAA,EAC3B,UAAA,EAAY,+BAAA;AAAA,EACZ,aAAA,EAAe,iBAAA;AAAA,EACf,eAAA,EAAiB,IAAA;AAAA,EACjB,QAAA,EAAU,KAAA;AAAA;AAAA,EACV,QAAA,EAAU,CAAA;AAAA,EACV,cAAA,EAAgB;AAClB;AAKO,IAAM,SAAA,GAAY;AAAA,EACvB,cAAc,MAAA,CAAO,YAAA;AAAA,EACrB,eAAA,EAAiB,UAAA;AAAA,EACjB,iBAAiB,MAAA,CAAO;AAC1B;AAKO,IAAM,IAAA,GAAO;AAAA,EAClB,YAAA,EAAc,EAAA;AAAA;AAAA,EAEd,WAAA,EAAa,EAAA;AAAA,EACb,wBAAA,EAA0B;AAC5B;AAKO,IAAM,OAAA,GAAU;AAAA,EACrB,kBAAA,EAAoB,EAAA;AAAA,EACpB,kBAAA,EAAoB,EAAA;AAAA,EACpB,iBAAA,EAAmB;AAAA;AACrB;AAKO,IAAM,MAAA,GAAS;AAAA,EACpB,cAAA,EAAgB,YAAA;AAAA,EAChB,cAAA,EAAgB;AAClB;AAMO,IAAM,cAAA,GAAiB;AAKvB,IAAM,2BAAA,GAA8B;AAMpC,IAAM,IAAA,GAAO;AAAA;AAAA,EAElB,SAAA,EAAW,QAAA;AAAA;AAAA,EAGX,MAAA,EAAQ,SAAA;AAAA;AAAA,EAGR,OAAA,EAAS,uBAAA;AAAA;AAAA,EAGT,UAAA,EAAY;AACd;AASO,SAAS,UAAU,IAAA,EAAqD;AAC7E,EAAA,IAAI,CAAC,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA,EAAG;AAC5B,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO;AAAA,IACL,GAAA,EAAK,QAAA;AAAA,IACL,GAAA,EAAK,IAAA,CAAK,KAAA,CAAM,CAAC;AAAA;AAAA,GACnB;AACF;AASO,SAAS,WAAW,GAAA,EAA4B;AACrD,EAAA,IAAI,CAAC,IAAA,CAAK,UAAA,CAAW,IAAA,CAAK,GAAG,CAAA,EAAG;AAC9B,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO,UAAU,GAAG,CAAA,CAAA;AACtB;AAQO,SAAS,YAAY,IAAA,EAAuB;AACjD,EAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA;AAC/B;AAKO,IAAM,eAAA,GAAkB;AAAA;AAAA,EAE7B,eAAA,EAAiB,MAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,iBAAA,EAAmB,KAAA;AAAA;AAAA,EAEnB,eAAA,EAAiB,KAAA;AAAA;AAAA,EAEjB,YAAA,EAAc,KAAA;AAAA;AAAA,EAEd,WAAA,EAAa,EAAA;AAAA;AAAA,EAEb,UAAA,EAAY,IAAA;AAAA;AAAA,EAEZ,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,YAAA,EAAc,CAAA;AAAA;AAAA,EAEd,gBAAA,EAAkB;AACpB;AAKO,IAAM,gBAAA,GAAmB;AAAA;AAAA,EAE9B,SAAA,EAAW,IAAA;AAAA;AAAA,EAEX,eAAA,EAAiB,IAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB;AAClB;AAKO,IAAM,iBAAA,GAAoB;AAAA;AAAA,EAE/B,OAAA,EAAS,CAAC,YAAA,EAAc,eAAA,EAAiB,gBAAgB,CAAA;AAAA;AAAA,EAEzD,SAAA,EAAW,CAAC,gBAAgB,CAAA;AAAA;AAAA,EAE5B,QAAA,EAAU,CAAC,aAAa,CAAA;AAAA;AAAA,EAExB,YAAA,EAAc,CAAC,SAAS,CAAA;AAAA;AAAA,EAExB,aAAA,EAAe,CAAC,WAAW;AAC7B;AAKO,IAAM,uBAAA,GAA0B;AAKhC,IAAM,kBAAA,GAAqB;AAAA;AAAA,EAEhC,UAAA,EAAY,aAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,cAAA;AAAA;AAAA,EAEb,gBAAA,EAAkB,mBAAA;AAAA;AAAA,EAElB,cAAA,EAAgB;AAClB;AAYO,IAAM,eAAA,GAAkB;AAQxB,IAAM,eAAA,GAAkB;AAOxB,IAAM,sBAAA,GAAyB;AAAA,EACpC,wBAAA;AAAA,EACA;AACF;AAMO,IAAM,eAAA,GAAkB;AAKxB,IAAM,aAAA,GAAgB,CAAC,KAAA,EAAO,KAAK;AAYnC,IAAM,aAAA,GAAgB;AAAA,EAC3B,SAAA,EAAW,IAAA;AAAA,EACX,gBAAA,EAAkB,CAAC,OAAA,EAAS,KAAK,CAAA;AAAA;AAAA,EAEjC,YAAA,EAAc,EAAE,KAAA,EAAO,GAAA;AACzB;AAKO,IAAM,YAAA,GAAe,EAAE,SAAA,EAAW,GAAA;AAMlC,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,YAAA,EAAc,IAAA;AAAA;AAAA,EAEd,gBAAA,EAAkB;AACpB;AAOO,IAAM,6BAAA,GAAgC;AAetC,IAAM,WAAW,UAAA,CAAW;AAS5B,IAAM,SAAA,GAAY;AAAA,EACvB,SAAA;AAAA,EACA,YAAA;AAAA,EACA,UAAA;AAAA,EACA,OAAA;AAAA,EACA,SAAA;AAAA,EACA,IAAA;AAAA,EACA,OAAA;AAAA,EACA,MAAA;AAAA,EACA,cAAA;AAAA,EACA,2BAAA;AAAA,EACA,IAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,uBAAA;AAAA,EACA;AACF","file":"constants.mjs","sourcesContent":["/**\n * PEAC Protocol Constants\n */\n\n/**\n * Wire 0.1 JWS `typ` claim (legacy constant name).\n *\n * @deprecated Use `WIRE_01_JWS_TYP` for new code. `WIRE_TYPE` and\n * `WIRE_01_JWS_TYP` resolve to the same string; `WIRE_01_JWS_TYP` is the\n * canonical name at the JWS layer (v0.12.0-preview.1+, Wire 0.2 dual-stack).\n */\nexport const WIRE_TYPE = 'peac-receipt/0.1' as const;\n\n/**\n * Wire 0.1 version string (legacy constant name).\n *\n * @deprecated Use `WIRE_VERSIONS` or compare against `WIRE_02_VERSION` for\n * dual-stack version detection. `WIRE_VERSION` remains valid for Wire 0.1\n * but does not participate in the Wire 0.2 version model.\n */\nexport const WIRE_VERSION = '0.1' as const;\n\n/**\n * Supported cryptographic algorithms\n */\nexport const ALGORITHMS = {\n  supported: ['EdDSA'] as const,\n  default: 'EdDSA' as const,\n} as const;\n\n/**\n * HTTP header names for PEAC protocol\n */\nexport const HEADERS = {\n  receipt: 'PEAC-Receipt' as const,\n  receiptPointer: 'PEAC-Receipt-Pointer' as const,\n  dpop: 'DPoP' as const,\n  // Purpose headers (v0.9.24+)\n  purpose: 'PEAC-Purpose' as const,\n  purposeApplied: 'PEAC-Purpose-Applied' as const,\n  purposeReason: 'PEAC-Purpose-Reason' as const,\n} as const;\n\n/**\n * Policy manifest settings (/.well-known/peac.txt)\n *\n * Policy documents declare access terms for agents and gateways.\n * @see docs/specs/PEAC-TXT.md\n */\nexport const POLICY = {\n  manifestPath: '/.well-known/peac.txt' as const,\n  fallbackPath: '/peac.txt' as const,\n  manifestVersion: 'peac-policy/0.1' as const,\n  cacheTtlSeconds: 3600,\n  maxBytes: 262144, // 256 KiB\n  maxDepth: 8,\n} as const;\n\n/**\n * Issuer configuration settings (/.well-known/peac-issuer.json)\n *\n * Issuer config enables verifiers to discover JWKS and verification endpoints.\n * @see docs/specs/PEAC-ISSUER.md\n */\nexport const ISSUER_CONFIG = {\n  configPath: '/.well-known/peac-issuer.json' as const,\n  configVersion: 'peac-issuer/0.1' as const,\n  cacheTtlSeconds: 3600,\n  maxBytes: 65536, // 64 KiB\n  maxDepth: 4,\n  fetchTimeoutMs: 10000,\n} as const;\n\n/**\n * @deprecated Use POLICY instead. Will be removed in v1.0.\n */\nexport const DISCOVERY = {\n  manifestPath: POLICY.manifestPath,\n  manifestVersion: 'peac/0.9' as const,\n  cacheTtlSeconds: POLICY.cacheTtlSeconds,\n} as const;\n\n/**\n * JWKS rotation and revocation settings\n */\nexport const JWKS = {\n  rotationDays: 90,\n  /** Normative minimum overlap period (DD-148, v0.11.3+) */\n  overlapDays: 30,\n  emergencyRevocationHours: 24,\n} as const;\n\n/**\n * Receipt validation constants\n */\nexport const RECEIPT = {\n  minReceiptIdLength: 16,\n  maxReceiptIdLength: 64,\n  defaultTtlSeconds: 86400, // 24 hours\n} as const;\n\n/**\n * Payment amount validation limits (in cents/smallest currency unit)\n */\nexport const LIMITS = {\n  maxAmountCents: 999999999999,\n  minAmountCents: 1,\n} as const;\n\n/**\n * Bundle format version.\n * Used in dispute bundles, audit bundles, and archive bundles.\n */\nexport const BUNDLE_VERSION = 'peac-bundle/0.1' as const;\n\n/**\n * Verification report format version.\n */\nexport const VERIFICATION_REPORT_VERSION = 'peac-verification-report/0.1' as const;\n\n/**\n * Hash format constants and utilities.\n * All hashes use the self-describing format: sha256:<64 lowercase hex chars>\n */\nexport const HASH = {\n  /** Canonical hash algorithm */\n  algorithm: 'sha256' as const,\n\n  /** Hash prefix pattern */\n  prefix: 'sha256:' as const,\n\n  /** Valid hash regex: sha256:<64 lowercase hex> */\n  pattern: /^sha256:[0-9a-f]{64}$/,\n\n  /** Hex-only pattern for legacy comparison */\n  hexPattern: /^[0-9a-f]{64}$/,\n};\n\n/**\n * Parse a sha256:<hex> hash string into components.\n * Returns null if the format is invalid.\n *\n * @param hash - Hash string to parse (e.g., \"sha256:abc123...\")\n * @returns Parsed hash or null if invalid\n */\nexport function parseHash(hash: string): { alg: 'sha256'; hex: string } | null {\n  if (!HASH.pattern.test(hash)) {\n    return null;\n  }\n  return {\n    alg: 'sha256',\n    hex: hash.slice(7), // Remove 'sha256:' prefix\n  };\n}\n\n/**\n * Format a hex string as a sha256:<hex> hash.\n * Validates that the hex is exactly 64 lowercase characters.\n *\n * @param hex - Hex string (64 lowercase characters)\n * @returns Formatted hash or null if invalid\n */\nexport function formatHash(hex: string): string | null {\n  if (!HASH.hexPattern.test(hex)) {\n    return null;\n  }\n  return `sha256:${hex}`;\n}\n\n/**\n * Validate a hash string is in the correct format.\n *\n * @param hash - Hash string to validate\n * @returns true if valid sha256:<64 hex> format\n */\nexport function isValidHash(hash: string): boolean {\n  return HASH.pattern.test(hash);\n}\n\n/**\n * Verifier security limits per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFIER_LIMITS = {\n  /** Maximum receipt size in bytes (256 KB) */\n  maxReceiptBytes: 262144,\n  /** Maximum number of claims in a receipt */\n  maxClaimsCount: 100,\n  /** Maximum extension size in bytes (64 KB) */\n  maxExtensionBytes: 65536,\n  /** Maximum string length for individual claims (64 KB) */\n  maxStringLength: 65536,\n  /** Maximum JWKS document size in bytes (64 KB) */\n  maxJwksBytes: 65536,\n  /** Maximum number of keys in a JWKS */\n  maxJwksKeys: 20,\n  /** Maximum individual key size in bytes */\n  maxKeySize: 4096,\n  /** Network fetch timeout in milliseconds */\n  fetchTimeoutMs: 5000,\n  /** Maximum number of redirects to follow */\n  maxRedirects: 3,\n  /** Maximum network response size in bytes (256 KB) */\n  maxResponseBytes: 262144,\n} as const;\n\n/**\n * Verifier network security settings per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFIER_NETWORK = {\n  /** Only allow HTTPS URLs */\n  httpsOnly: true,\n  /** Block requests to private IP ranges */\n  blockPrivateIps: true,\n  /** Default redirect policy (false = no redirects) */\n  allowRedirects: false,\n} as const;\n\n/**\n * Private IPv4 CIDR blocks to block for SSRF protection\n */\nexport const PRIVATE_IP_RANGES = {\n  /** RFC 1918 private ranges */\n  rfc1918: ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'] as const,\n  /** Link-local addresses */\n  linkLocal: ['169.254.0.0/16'] as const,\n  /** Loopback addresses */\n  loopback: ['127.0.0.0/8'] as const,\n  /** IPv6 loopback */\n  ipv6Loopback: ['::1/128'] as const,\n  /** IPv6 link-local */\n  ipv6LinkLocal: ['fe80::/10'] as const,\n} as const;\n\n/**\n * Verifier policy version\n */\nexport const VERIFIER_POLICY_VERSION = 'peac-verifier-policy/0.1' as const;\n\n/**\n * Verification modes per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFICATION_MODES = {\n  /** All verification in browser/client, may fetch JWKS */\n  clientSide: 'client_side' as const,\n  /** No network access, uses bundled/pinned keys */\n  offlineOnly: 'offline_only' as const,\n  /** Prefer offline, fallback to network */\n  offlinePreferred: 'offline_preferred' as const,\n  /** Allow network fetches for key discovery */\n  networkAllowed: 'network_allowed' as const,\n} as const;\n\n// ---------------------------------------------------------------------------\n// Wire 0.2 constants (v0.12.0-preview.1, DD-156)\n// ---------------------------------------------------------------------------\n\n/**\n * JWS header typ value for Wire 0.1 receipts.\n * Canonical location: @peac/kernel (layer correction from @peac/schema).\n * The existing WIRE_TYPE constant is unchanged; both resolve to the same string.\n * @peac/schema re-exports this as PEAC_WIRE_TYP for backward compatibility.\n */\nexport const WIRE_01_JWS_TYP = 'peac-receipt/0.1' as const;\n\n/**\n * JWS header typ value for Wire 0.2 receipts (compact form).\n * Per RFC 7515 Section 4.1.9, the full media type form\n * 'application/interaction-record+jwt' is also accepted by verifiers and\n * normalized to this compact form before returning the header.\n */\nexport const WIRE_02_JWS_TYP = 'interaction-record+jwt' as const;\n\n/**\n * All accepted typ values for Wire 0.2 (compact + full media type form).\n * Used internally by @peac/crypto to fast-reject unrelated tokens.\n * Verifiers normalize the full form to WIRE_02_JWS_TYP before returning.\n */\nexport const WIRE_02_JWS_TYP_ACCEPT = [\n  'interaction-record+jwt',\n  'application/interaction-record+jwt',\n] as const;\n\n/**\n * Wire 0.2 peac_version payload claim value.\n * Discriminates Wire 0.2 envelopes from Wire 0.1 (which have no peac_version field).\n */\nexport const WIRE_02_VERSION = '0.2' as const;\n\n/**\n * All supported wire version strings for dual-stack implementations.\n */\nexport const WIRE_VERSIONS = ['0.1', '0.2'] as const;\n\n/**\n * TypeScript union type for supported wire version values.\n */\nexport type WireVersion = (typeof WIRE_VERSIONS)[number];\n\n/**\n * Canonical issuer (iss) constraints for Wire 0.2.\n * Supported schemes: 'https' (RFC 3986 origin-only) and 'did' (DID Core).\n * All other schemes produce E_ISS_NOT_CANONICAL.\n */\nexport const ISS_CANONICAL = {\n  maxLength: 2048,\n  supportedSchemes: ['https', 'did'] as const,\n  /** Default port for https (rejected if explicit in iss). */\n  defaultPorts: { https: 443 } as Record<string, number>,\n} as const;\n\n/**\n * type claim grammar constraints (open vocabulary: reverse-DNS or absolute URI).\n */\nexport const TYPE_GRAMMAR = { maxLength: 256 } as const;\n\n/**\n * policy block field constraints (Wire 0.2, DD-151).\n * Separate from ISS_CANONICAL to allow independent evolution of each limit.\n */\nexport const POLICY_BLOCK = {\n  /** Maximum length of the policy.uri HTTPS hint (chars). */\n  uriMaxLength: 2048,\n  /** Maximum length of the policy.version label (chars). */\n  versionMaxLength: 256,\n} as const;\n\n/**\n * Maximum tolerated skew between occurred_at and iat for evidence receipts (seconds).\n * If occurred_at > iat within this tolerance, a 'occurred_at_skew' warning is emitted.\n * If occurred_at > now + tolerance, E_OCCURRED_AT_FUTURE is a hard error.\n */\nexport const OCCURRED_AT_TOLERANCE_SECONDS = 300;\n\n/**\n * Verification strictness profiles for Wire 0.2.\n * Owned exclusively by @peac/protocol.verifyLocal(); @peac/crypto has no strictness parameter.\n *\n * - 'strict' (default): typ MUST be present and correct; missing typ is a hard error.\n * - 'interop': tolerates missing typ; emits 'typ_missing' warning; routes by peac_version.\n */\nexport type VerificationStrictness = 'strict' | 'interop';\n\n/**\n * JOSE signature algorithm (EdDSA / Ed25519). Re-exported from kernel for layer\n * correctness: @peac/crypto imports all typ/alg constants from @peac/kernel only.\n */\nexport const PEAC_ALG = ALGORITHMS.default;\n\n// ---------------------------------------------------------------------------\n// Legacy aggregate export (unchanged)\n// ---------------------------------------------------------------------------\n\n/**\n * All constants export\n */\nexport const CONSTANTS = {\n  WIRE_TYPE,\n  WIRE_VERSION,\n  ALGORITHMS,\n  HEADERS,\n  DISCOVERY,\n  JWKS,\n  RECEIPT,\n  LIMITS,\n  BUNDLE_VERSION,\n  VERIFICATION_REPORT_VERSION,\n  HASH,\n  VERIFIER_LIMITS,\n  VERIFIER_NETWORK,\n  VERIFIER_POLICY_VERSION,\n  VERIFICATION_MODES,\n} as const;\n"]}

package/dist/error-categories.generated.d.ts

@@ -3,14 +3,14 @@
  *
  * AUTO-GENERATED from specs/kernel/errors.json
  * DO NOT EDIT MANUALLY - run: npx tsx scripts/codegen-errors.ts
- * Spec version: 0.11.3
+ * Spec version: 0.12.0-preview.2
  */
 /**
  * Canonical error categories derived from specs/kernel/errors.json.
  * This is the single source of truth for all error category definitions.
  * Sorted alphabetically. This ordering is a codegen invariant.
  */
-export declare const ERROR_CATEGORIES: readonly ["attribution", "bundle", "control", "dispute", "identity", "infrastructure", "interaction", "ucp", "validation", "verification", "verifier", "workflow"];
+export declare const ERROR_CATEGORIES: readonly ["attribution", "bundle", "control", "cryptography", "dispute", "identity", "infrastructure", "interaction", "ucp", "validation", "verification", "verifier", "workflow"];
 /**
  * Error category type - union of all categories in specs/kernel/errors.json
  */

package/dist/error-categories.generated.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"error-categories.generated.d.ts","sourceRoot":"","sources":["../src/error-categories.generated.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,oKAanB,CAAC;AAEX;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,gBAAgB,CAAC,CAAC,MAAM,CAAC,CAAC"}
+{"version":3,"file":"error-categories.generated.d.ts","sourceRoot":"","sources":["../src/error-categories.generated.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,oLAcnB,CAAC;AAEX;;GAEG;AACH,MAAM,MAAM,aAAa,GAAG,CAAC,OAAO,gBAAgB,CAAC,CAAC,MAAM,CAAC,CAAC"}

package/dist/errors.cjs

@@ -36,6 +36,12 @@ var ERROR_CODES = {
   // Control error codes
   E_CONTROL_DENIED: "E_CONTROL_DENIED",
   E_CONTROL_REVIEW_REQUIRED: "E_CONTROL_REVIEW_REQUIRED",
+  // Cryptography error codes
+  E_JWS_B64_REJECTED: "E_JWS_B64_REJECTED",
+  E_JWS_CRIT_REJECTED: "E_JWS_CRIT_REJECTED",
+  E_JWS_EMBEDDED_KEY: "E_JWS_EMBEDDED_KEY",
+  E_JWS_MISSING_KID: "E_JWS_MISSING_KID",
+  E_JWS_ZIP_REJECTED: "E_JWS_ZIP_REJECTED",
   // Dispute error codes
   E_DISPUTE_DUPLICATE: "E_DISPUTE_DUPLICATE",
   E_DISPUTE_EXPIRED: "E_DISPUTE_EXPIRED",
@@ -109,6 +115,10 @@ var ERROR_CODES = {
   E_UCP_VERIFICATION_FAILED: "E_UCP_VERIFICATION_FAILED",
   // Validation error codes
   E_CONSTRAINT_VIOLATION: "E_CONSTRAINT_VIOLATION",
+  E_EAT_INVALID_CBOR: "E_EAT_INVALID_CBOR",
+  E_EAT_INVALID_COSE: "E_EAT_INVALID_COSE",
+  E_EAT_SIZE_EXCEEDED: "E_EAT_SIZE_EXCEEDED",
+  E_EAT_UNSUPPORTED_ALG: "E_EAT_UNSUPPORTED_ALG",
   E_EVIDENCE_NOT_JSON: "E_EVIDENCE_NOT_JSON",
   E_EXPIRED: "E_EXPIRED",
   E_INVALID_AMOUNT: "E_INVALID_AMOUNT",
@@ -116,16 +126,27 @@ var ERROR_CODES = {
   E_INVALID_CURRENCY: "E_INVALID_CURRENCY",
   E_INVALID_FORMAT: "E_INVALID_FORMAT",
   E_INVALID_ISSUER: "E_INVALID_ISSUER",
+  E_INVALID_KIND: "E_INVALID_KIND",
+  E_INVALID_PILLAR_VALUE: "E_INVALID_PILLAR_VALUE",
   E_INVALID_RAIL: "E_INVALID_RAIL",
   E_INVALID_RECEIPT_ID: "E_INVALID_RECEIPT_ID",
   E_INVALID_SUBJECT: "E_INVALID_SUBJECT",
+  E_INVALID_TYPE: "E_INVALID_TYPE",
+  E_ISS_NOT_CANONICAL: "E_ISS_NOT_CANONICAL",
   E_MISSING_EXP: "E_MISSING_EXP",
   E_MISSING_REQUIRED_CLAIM: "E_MISSING_REQUIRED_CLAIM",
   E_NOT_YET_VALID: "E_NOT_YET_VALID",
+  E_OCCURRED_AT_FUTURE: "E_OCCURRED_AT_FUTURE",
+  E_OCCURRED_AT_ON_CHALLENGE: "E_OCCURRED_AT_ON_CHALLENGE",
   E_PARSE_ATTESTATION_INVALID: "E_PARSE_ATTESTATION_INVALID",
   E_PARSE_COMMERCE_INVALID: "E_PARSE_COMMERCE_INVALID",
   E_PARSE_INVALID_INPUT: "E_PARSE_INVALID_INPUT",
+  E_PILLARS_NOT_SORTED: "E_PILLARS_NOT_SORTED",
+  E_POLICY_BINDING_FAILED: "E_POLICY_BINDING_FAILED",
+  E_UNSUPPORTED_WIRE_VERSION: "E_UNSUPPORTED_WIRE_VERSION",
+  E_WIRE_VERSION_MISMATCH: "E_WIRE_VERSION_MISMATCH",
   // Verification error codes
+  E_EAT_SIGNATURE_FAILED: "E_EAT_SIGNATURE_FAILED",
   E_INVALID_SIGNATURE: "E_INVALID_SIGNATURE",
   E_KEY_NOT_FOUND: "E_KEY_NOT_FOUND",
   E_KID_REUSE_DETECTED: "E_KID_REUSE_DETECTED",
@@ -447,6 +468,52 @@ var ERRORS = {
     next_action: "contact_issuer",
     category: "control"
   },
+  // Cryptography error codes
+  E_JWS_B64_REJECTED: {
+    code: "E_JWS_B64_REJECTED",
+    http_status: 400,
+    title: "JWS b64:false Rejected",
+    description: "JWS header contains b64:false (RFC 7797 unencoded payload); unencoded payloads are not supported",
+    retryable: false,
+    next_action: "abort",
+    category: "cryptography"
+  },
+  E_JWS_CRIT_REJECTED: {
+    code: "E_JWS_CRIT_REJECTED",
+    http_status: 400,
+    title: "JWS crit Header Rejected",
+    description: "JWS header contains a crit field; critical header extensions are not supported and are rejected",
+    retryable: false,
+    next_action: "abort",
+    category: "cryptography"
+  },
+  E_JWS_EMBEDDED_KEY: {
+    code: "E_JWS_EMBEDDED_KEY",
+    http_status: 400,
+    title: "JWS Embedded Key Rejected",
+    description: "JWS header contains an embedded key (jwk, x5c, x5u, or jku); embedded key material is rejected by the PEAC JOSE hardening rules",
+    retryable: false,
+    next_action: "abort",
+    category: "cryptography"
+  },
+  E_JWS_MISSING_KID: {
+    code: "E_JWS_MISSING_KID",
+    http_status: 400,
+    title: "JWS kid Missing or Invalid",
+    description: "JWS header kid field is absent, empty, or exceeds the maximum allowed length (256 characters)",
+    retryable: false,
+    next_action: "abort",
+    category: "cryptography"
+  },
+  E_JWS_ZIP_REJECTED: {
+    code: "E_JWS_ZIP_REJECTED",
+    http_status: 400,
+    title: "JWS zip Header Rejected",
+    description: "JWS header contains a zip compression field; payload compression is not supported",
+    retryable: false,
+    next_action: "abort",
+    category: "cryptography"
+  },
   // Dispute error codes
   E_DISPUTE_DUPLICATE: {
     code: "E_DISPUTE_DUPLICATE",
@@ -1056,6 +1123,42 @@ var ERRORS = {
     next_action: "retry_with_different_input",
     category: "validation"
   },
+  E_EAT_INVALID_CBOR: {
+    code: "E_EAT_INVALID_CBOR",
+    http_status: 400,
+    title: "EAT Invalid CBOR",
+    description: "EAT token is not valid CBOR or the payload is not a CBOR map",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
+  E_EAT_INVALID_COSE: {
+    code: "E_EAT_INVALID_COSE",
+    http_status: 400,
+    title: "EAT Invalid COSE",
+    description: "EAT token is not a valid COSE_Sign1 structure per RFC 9052 Section 4.2",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
+  E_EAT_SIZE_EXCEEDED: {
+    code: "E_EAT_SIZE_EXCEEDED",
+    http_status: 400,
+    title: "EAT Size Exceeded",
+    description: "EAT token exceeds the 64 KB size limit enforced before CBOR decode",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
+  E_EAT_UNSUPPORTED_ALG: {
+    code: "E_EAT_UNSUPPORTED_ALG",
+    http_status: 400,
+    title: "EAT Unsupported Algorithm",
+    description: "COSE_Sign1 uses an unsupported algorithm; only EdDSA (alg: -8) is supported",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
   E_EVIDENCE_NOT_JSON: {
     code: "E_EVIDENCE_NOT_JSON",
     http_status: 400,
@@ -1119,6 +1222,24 @@ var ERRORS = {
     next_action: "retry_with_different_input",
     category: "validation"
   },
+  E_INVALID_KIND: {
+    code: "E_INVALID_KIND",
+    http_status: 400,
+    title: "Invalid Kind",
+    description: "Wire 0.2 receipt kind field is missing or not one of the accepted structural kinds (evidence, challenge)",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
+  E_INVALID_PILLAR_VALUE: {
+    code: "E_INVALID_PILLAR_VALUE",
+    http_status: 400,
+    title: "Invalid Pillar Value",
+    description: "Wire 0.2 pillars array contains an unrecognized pillar value outside the closed 10-value taxonomy",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
   E_INVALID_RAIL: {
     code: "E_INVALID_RAIL",
     http_status: 400,
@@ -1146,6 +1267,24 @@ var ERRORS = {
     next_action: "retry_with_different_input",
     category: "validation"
   },
+  E_INVALID_TYPE: {
+    code: "E_INVALID_TYPE",
+    http_status: 400,
+    title: "Invalid Type",
+    description: "Wire 0.2 receipt type field is missing or does not conform to the required grammar (reverse-DNS or absolute URI)",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
+  E_ISS_NOT_CANONICAL: {
+    code: "E_ISS_NOT_CANONICAL",
+    http_status: 400,
+    title: "Issuer Not Canonical",
+    description: "Wire 0.2 iss claim does not conform to canonical form: must be an https:// ASCII origin (no default port, no path) or a did: identifier",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
   E_MISSING_EXP: {
     code: "E_MISSING_EXP",
     http_status: 400,
@@ -1173,6 +1312,24 @@ var ERRORS = {
     next_action: "retry_after_delay",
     category: "validation"
   },
+  E_OCCURRED_AT_FUTURE: {
+    code: "E_OCCURRED_AT_FUTURE",
+    http_status: 400,
+    title: "occurred_at in Future",
+    description: "Wire 0.2 occurred_at is more than the tolerance window ahead of the current time; the timestamp appears to be in the future",
+    retryable: false,
+    next_action: "retry_after_delay",
+    category: "validation"
+  },
+  E_OCCURRED_AT_ON_CHALLENGE: {
+    code: "E_OCCURRED_AT_ON_CHALLENGE",
+    http_status: 400,
+    title: "occurred_at on Challenge",
+    description: "Wire 0.2 occurred_at field is present on a challenge-kind receipt; occurred_at is only permitted on evidence-kind receipts",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
   E_PARSE_ATTESTATION_INVALID: {
     code: "E_PARSE_ATTESTATION_INVALID",
     http_status: 400,
@@ -1200,7 +1357,52 @@ var ERRORS = {
     next_action: "retry_with_different_input",
     category: "validation"
   },
+  E_PILLARS_NOT_SORTED: {
+    code: "E_PILLARS_NOT_SORTED",
+    http_status: 400,
+    title: "Pillars Not Sorted",
+    description: "Wire 0.2 pillars array is not in ascending lexicographic order or contains duplicates",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
+  E_POLICY_BINDING_FAILED: {
+    code: "E_POLICY_BINDING_FAILED",
+    http_status: 400,
+    title: "Policy Binding Failed",
+    description: "Wire 0.2 policy.digest does not match the computed digest of the provided policy document",
+    retryable: false,
+    next_action: "none",
+    category: "validation"
+  },
+  E_UNSUPPORTED_WIRE_VERSION: {
+    code: "E_UNSUPPORTED_WIRE_VERSION",
+    http_status: 400,
+    title: "Unsupported Wire Version",
+    description: "Receipt peac_version field specifies a wire version that is not supported by this implementation",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
+  E_WIRE_VERSION_MISMATCH: {
+    code: "E_WIRE_VERSION_MISMATCH",
+    http_status: 400,
+    title: "Wire Version Mismatch",
+    description: "JWS header typ value and peac_version payload claim indicate different wire versions; the receipt is incoherent",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
   // Verification error codes
+  E_EAT_SIGNATURE_FAILED: {
+    code: "E_EAT_SIGNATURE_FAILED",
+    http_status: 400,
+    title: "EAT Signature Failed",
+    description: "COSE_Sign1 Ed25519 signature verification failed over the Sig_structure",
+    retryable: false,
+    next_action: "retry_with_different_key",
+    category: "verification"
+  },
   E_INVALID_SIGNATURE: {
     code: "E_INVALID_SIGNATURE",
     http_status: 400,