npm - @peac/kernel - Versions diffs - 0.11.3 → 0.12.0-preview.2 - Mend

@peac/kernel 0.11.3 → 0.12.0-preview.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

package/dist/constants.cjs +33 -0
package/dist/constants.cjs.map +1 -1
package/dist/constants.d.ts +89 -8
package/dist/constants.d.ts.map +1 -1
package/dist/constants.mjs +24 -1
package/dist/constants.mjs.map +1 -1
package/dist/error-categories.generated.d.ts +2 -2
package/dist/error-categories.generated.d.ts.map +1 -1
package/dist/errors.cjs +202 -0
package/dist/errors.cjs.map +1 -1
package/dist/errors.generated.d.ts +21 -1
package/dist/errors.generated.d.ts.map +1 -1
package/dist/errors.mjs +202 -0
package/dist/errors.mjs.map +1 -1
package/dist/index.cjs +236 -0
package/dist/index.cjs.map +1 -1
package/dist/index.d.ts +4 -2
package/dist/index.d.ts.map +1 -1
package/dist/index.mjs +227 -1
package/dist/index.mjs.map +1 -1
package/dist/types.cjs +1 -0
package/dist/types.cjs.map +1 -1
package/dist/types.d.ts +10 -0
package/dist/types.d.ts.map +1 -1
package/dist/types.mjs +1 -0
package/dist/types.mjs.map +1 -1
package/dist/wire-02-types.d.ts +60 -0
package/dist/wire-02-types.d.ts.map +1 -0
package/package.json +1 -1

package/dist/index.cjs CHANGED Viewed

@@ -5,6 +5,7 @@ var ERROR_CATEGORIES = [
   "attribution",
   "bundle",
   "control",
+  "cryptography",
   "dispute",
   "identity",
   "infrastructure",
@@ -155,6 +156,29 @@ var VERIFICATION_MODES = {
   /** Allow network fetches for key discovery */
   networkAllowed: "network_allowed"
 };
+var WIRE_01_JWS_TYP = "peac-receipt/0.1";
+var WIRE_02_JWS_TYP = "interaction-record+jwt";
+var WIRE_02_JWS_TYP_ACCEPT = [
+  "interaction-record+jwt",
+  "application/interaction-record+jwt"
+];
+var WIRE_02_VERSION = "0.2";
+var WIRE_VERSIONS = ["0.1", "0.2"];
+var ISS_CANONICAL = {
+  maxLength: 2048,
+  supportedSchemes: ["https", "did"],
+  /** Default port for https (rejected if explicit in iss). */
+  defaultPorts: { https: 443 }
+};
+var TYPE_GRAMMAR = { maxLength: 256 };
+var POLICY_BLOCK = {
+  /** Maximum length of the policy.uri HTTPS hint (chars). */
+  uriMaxLength: 2048,
+  /** Maximum length of the policy.version label (chars). */
+  versionMaxLength: 256
+};
+var OCCURRED_AT_TOLERANCE_SECONDS = 300;
+var PEAC_ALG = ALGORITHMS.default;
 var CONSTANTS = {
   WIRE_TYPE,
   WIRE_VERSION,
@@ -209,6 +233,12 @@ var ERROR_CODES = {
   // Control error codes
   E_CONTROL_DENIED: "E_CONTROL_DENIED",
   E_CONTROL_REVIEW_REQUIRED: "E_CONTROL_REVIEW_REQUIRED",
+  // Cryptography error codes
+  E_JWS_B64_REJECTED: "E_JWS_B64_REJECTED",
+  E_JWS_CRIT_REJECTED: "E_JWS_CRIT_REJECTED",
+  E_JWS_EMBEDDED_KEY: "E_JWS_EMBEDDED_KEY",
+  E_JWS_MISSING_KID: "E_JWS_MISSING_KID",
+  E_JWS_ZIP_REJECTED: "E_JWS_ZIP_REJECTED",
   // Dispute error codes
   E_DISPUTE_DUPLICATE: "E_DISPUTE_DUPLICATE",
   E_DISPUTE_EXPIRED: "E_DISPUTE_EXPIRED",
@@ -282,6 +312,10 @@ var ERROR_CODES = {
   E_UCP_VERIFICATION_FAILED: "E_UCP_VERIFICATION_FAILED",
   // Validation error codes
   E_CONSTRAINT_VIOLATION: "E_CONSTRAINT_VIOLATION",
+  E_EAT_INVALID_CBOR: "E_EAT_INVALID_CBOR",
+  E_EAT_INVALID_COSE: "E_EAT_INVALID_COSE",
+  E_EAT_SIZE_EXCEEDED: "E_EAT_SIZE_EXCEEDED",
+  E_EAT_UNSUPPORTED_ALG: "E_EAT_UNSUPPORTED_ALG",
   E_EVIDENCE_NOT_JSON: "E_EVIDENCE_NOT_JSON",
   E_EXPIRED: "E_EXPIRED",
   E_INVALID_AMOUNT: "E_INVALID_AMOUNT",
@@ -289,16 +323,27 @@ var ERROR_CODES = {
   E_INVALID_CURRENCY: "E_INVALID_CURRENCY",
   E_INVALID_FORMAT: "E_INVALID_FORMAT",
   E_INVALID_ISSUER: "E_INVALID_ISSUER",
+  E_INVALID_KIND: "E_INVALID_KIND",
+  E_INVALID_PILLAR_VALUE: "E_INVALID_PILLAR_VALUE",
   E_INVALID_RAIL: "E_INVALID_RAIL",
   E_INVALID_RECEIPT_ID: "E_INVALID_RECEIPT_ID",
   E_INVALID_SUBJECT: "E_INVALID_SUBJECT",
+  E_INVALID_TYPE: "E_INVALID_TYPE",
+  E_ISS_NOT_CANONICAL: "E_ISS_NOT_CANONICAL",
   E_MISSING_EXP: "E_MISSING_EXP",
   E_MISSING_REQUIRED_CLAIM: "E_MISSING_REQUIRED_CLAIM",
   E_NOT_YET_VALID: "E_NOT_YET_VALID",
+  E_OCCURRED_AT_FUTURE: "E_OCCURRED_AT_FUTURE",
+  E_OCCURRED_AT_ON_CHALLENGE: "E_OCCURRED_AT_ON_CHALLENGE",
   E_PARSE_ATTESTATION_INVALID: "E_PARSE_ATTESTATION_INVALID",
   E_PARSE_COMMERCE_INVALID: "E_PARSE_COMMERCE_INVALID",
   E_PARSE_INVALID_INPUT: "E_PARSE_INVALID_INPUT",
+  E_PILLARS_NOT_SORTED: "E_PILLARS_NOT_SORTED",
+  E_POLICY_BINDING_FAILED: "E_POLICY_BINDING_FAILED",
+  E_UNSUPPORTED_WIRE_VERSION: "E_UNSUPPORTED_WIRE_VERSION",
+  E_WIRE_VERSION_MISMATCH: "E_WIRE_VERSION_MISMATCH",
   // Verification error codes
+  E_EAT_SIGNATURE_FAILED: "E_EAT_SIGNATURE_FAILED",
   E_INVALID_SIGNATURE: "E_INVALID_SIGNATURE",
   E_KEY_NOT_FOUND: "E_KEY_NOT_FOUND",
   E_KID_REUSE_DETECTED: "E_KID_REUSE_DETECTED",
@@ -620,6 +665,52 @@ var ERRORS = {
     next_action: "contact_issuer",
     category: "control"
   },
+  // Cryptography error codes
+  E_JWS_B64_REJECTED: {
+    code: "E_JWS_B64_REJECTED",
+    http_status: 400,
+    title: "JWS b64:false Rejected",
+    description: "JWS header contains b64:false (RFC 7797 unencoded payload); unencoded payloads are not supported",
+    retryable: false,
+    next_action: "abort",
+    category: "cryptography"
+  },
+  E_JWS_CRIT_REJECTED: {
+    code: "E_JWS_CRIT_REJECTED",
+    http_status: 400,
+    title: "JWS crit Header Rejected",
+    description: "JWS header contains a crit field; critical header extensions are not supported and are rejected",
+    retryable: false,
+    next_action: "abort",
+    category: "cryptography"
+  },
+  E_JWS_EMBEDDED_KEY: {
+    code: "E_JWS_EMBEDDED_KEY",
+    http_status: 400,
+    title: "JWS Embedded Key Rejected",
+    description: "JWS header contains an embedded key (jwk, x5c, x5u, or jku); embedded key material is rejected by the PEAC JOSE hardening rules",
+    retryable: false,
+    next_action: "abort",
+    category: "cryptography"
+  },
+  E_JWS_MISSING_KID: {
+    code: "E_JWS_MISSING_KID",
+    http_status: 400,
+    title: "JWS kid Missing or Invalid",
+    description: "JWS header kid field is absent, empty, or exceeds the maximum allowed length (256 characters)",
+    retryable: false,
+    next_action: "abort",
+    category: "cryptography"
+  },
+  E_JWS_ZIP_REJECTED: {
+    code: "E_JWS_ZIP_REJECTED",
+    http_status: 400,
+    title: "JWS zip Header Rejected",
+    description: "JWS header contains a zip compression field; payload compression is not supported",
+    retryable: false,
+    next_action: "abort",
+    category: "cryptography"
+  },
   // Dispute error codes
   E_DISPUTE_DUPLICATE: {
     code: "E_DISPUTE_DUPLICATE",
@@ -1229,6 +1320,42 @@ var ERRORS = {
     next_action: "retry_with_different_input",
     category: "validation"
   },
+  E_EAT_INVALID_CBOR: {
+    code: "E_EAT_INVALID_CBOR",
+    http_status: 400,
+    title: "EAT Invalid CBOR",
+    description: "EAT token is not valid CBOR or the payload is not a CBOR map",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
+  E_EAT_INVALID_COSE: {
+    code: "E_EAT_INVALID_COSE",
+    http_status: 400,
+    title: "EAT Invalid COSE",
+    description: "EAT token is not a valid COSE_Sign1 structure per RFC 9052 Section 4.2",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
+  E_EAT_SIZE_EXCEEDED: {
+    code: "E_EAT_SIZE_EXCEEDED",
+    http_status: 400,
+    title: "EAT Size Exceeded",
+    description: "EAT token exceeds the 64 KB size limit enforced before CBOR decode",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
+  E_EAT_UNSUPPORTED_ALG: {
+    code: "E_EAT_UNSUPPORTED_ALG",
+    http_status: 400,
+    title: "EAT Unsupported Algorithm",
+    description: "COSE_Sign1 uses an unsupported algorithm; only EdDSA (alg: -8) is supported",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
   E_EVIDENCE_NOT_JSON: {
     code: "E_EVIDENCE_NOT_JSON",
     http_status: 400,
@@ -1292,6 +1419,24 @@ var ERRORS = {
     next_action: "retry_with_different_input",
     category: "validation"
   },
+  E_INVALID_KIND: {
+    code: "E_INVALID_KIND",
+    http_status: 400,
+    title: "Invalid Kind",
+    description: "Wire 0.2 receipt kind field is missing or not one of the accepted structural kinds (evidence, challenge)",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
+  E_INVALID_PILLAR_VALUE: {
+    code: "E_INVALID_PILLAR_VALUE",
+    http_status: 400,
+    title: "Invalid Pillar Value",
+    description: "Wire 0.2 pillars array contains an unrecognized pillar value outside the closed 10-value taxonomy",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
   E_INVALID_RAIL: {
     code: "E_INVALID_RAIL",
     http_status: 400,
@@ -1319,6 +1464,24 @@ var ERRORS = {
     next_action: "retry_with_different_input",
     category: "validation"
   },
+  E_INVALID_TYPE: {
+    code: "E_INVALID_TYPE",
+    http_status: 400,
+    title: "Invalid Type",
+    description: "Wire 0.2 receipt type field is missing or does not conform to the required grammar (reverse-DNS or absolute URI)",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
+  E_ISS_NOT_CANONICAL: {
+    code: "E_ISS_NOT_CANONICAL",
+    http_status: 400,
+    title: "Issuer Not Canonical",
+    description: "Wire 0.2 iss claim does not conform to canonical form: must be an https:// ASCII origin (no default port, no path) or a did: identifier",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
   E_MISSING_EXP: {
     code: "E_MISSING_EXP",
     http_status: 400,
@@ -1346,6 +1509,24 @@ var ERRORS = {
     next_action: "retry_after_delay",
     category: "validation"
   },
+  E_OCCURRED_AT_FUTURE: {
+    code: "E_OCCURRED_AT_FUTURE",
+    http_status: 400,
+    title: "occurred_at in Future",
+    description: "Wire 0.2 occurred_at is more than the tolerance window ahead of the current time; the timestamp appears to be in the future",
+    retryable: false,
+    next_action: "retry_after_delay",
+    category: "validation"
+  },
+  E_OCCURRED_AT_ON_CHALLENGE: {
+    code: "E_OCCURRED_AT_ON_CHALLENGE",
+    http_status: 400,
+    title: "occurred_at on Challenge",
+    description: "Wire 0.2 occurred_at field is present on a challenge-kind receipt; occurred_at is only permitted on evidence-kind receipts",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
   E_PARSE_ATTESTATION_INVALID: {
     code: "E_PARSE_ATTESTATION_INVALID",
     http_status: 400,
@@ -1373,7 +1554,52 @@ var ERRORS = {
     next_action: "retry_with_different_input",
     category: "validation"
   },
+  E_PILLARS_NOT_SORTED: {
+    code: "E_PILLARS_NOT_SORTED",
+    http_status: 400,
+    title: "Pillars Not Sorted",
+    description: "Wire 0.2 pillars array is not in ascending lexicographic order or contains duplicates",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
+  E_POLICY_BINDING_FAILED: {
+    code: "E_POLICY_BINDING_FAILED",
+    http_status: 400,
+    title: "Policy Binding Failed",
+    description: "Wire 0.2 policy.digest does not match the computed digest of the provided policy document",
+    retryable: false,
+    next_action: "none",
+    category: "validation"
+  },
+  E_UNSUPPORTED_WIRE_VERSION: {
+    code: "E_UNSUPPORTED_WIRE_VERSION",
+    http_status: 400,
+    title: "Unsupported Wire Version",
+    description: "Receipt peac_version field specifies a wire version that is not supported by this implementation",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
+  E_WIRE_VERSION_MISMATCH: {
+    code: "E_WIRE_VERSION_MISMATCH",
+    http_status: 400,
+    title: "Wire Version Mismatch",
+    description: "JWS header typ value and peac_version payload claim indicate different wire versions; the receipt is incoherent",
+    retryable: false,
+    next_action: "abort",
+    category: "validation"
+  },
   // Verification error codes
+  E_EAT_SIGNATURE_FAILED: {
+    code: "E_EAT_SIGNATURE_FAILED",
+    http_status: 400,
+    title: "EAT Signature Failed",
+    description: "COSE_Sign1 Ed25519 signature verification failed over the Sig_structure",
+    retryable: false,
+    next_action: "retry_with_different_key",
+    category: "verification"
+  },
   E_INVALID_SIGNATURE: {
     code: "E_INVALID_SIGNATURE",
     http_status: 400,
@@ -1902,24 +2128,34 @@ exports.ERROR_CODES = ERROR_CODES;
 exports.HASH = HASH;
 exports.HEADERS = HEADERS;
 exports.ISSUER_CONFIG = ISSUER_CONFIG;
+exports.ISS_CANONICAL = ISS_CANONICAL;
 exports.JWKS = JWKS;
 exports.LIMITS = LIMITS;
+exports.OCCURRED_AT_TOLERANCE_SECONDS = OCCURRED_AT_TOLERANCE_SECONDS;
 exports.PAYMENT_RAILS = PAYMENT_RAILS;
+exports.PEAC_ALG = PEAC_ALG;
 exports.PEAC_RECEIPT_HEADER = PEAC_RECEIPT_HEADER;
 exports.PEAC_RECEIPT_URL_HEADER = PEAC_RECEIPT_URL_HEADER;
 exports.POLICY = POLICY;
+exports.POLICY_BLOCK = POLICY_BLOCK;
 exports.PRIVATE_IP_RANGES = PRIVATE_IP_RANGES;
 exports.RECEIPT = RECEIPT;
 exports.REGISTRIES = REGISTRIES;
 exports.TRANSPORT_METHODS = TRANSPORT_METHODS;
+exports.TYPE_GRAMMAR = TYPE_GRAMMAR;
 exports.VARY_HEADERS = VARY_HEADERS;
 exports.VERIFICATION_MODES = VERIFICATION_MODES;
 exports.VERIFICATION_REPORT_VERSION = VERIFICATION_REPORT_VERSION;
 exports.VERIFIER_LIMITS = VERIFIER_LIMITS;
 exports.VERIFIER_NETWORK = VERIFIER_NETWORK;
 exports.VERIFIER_POLICY_VERSION = VERIFIER_POLICY_VERSION;
+exports.WIRE_01_JWS_TYP = WIRE_01_JWS_TYP;
+exports.WIRE_02_JWS_TYP = WIRE_02_JWS_TYP;
+exports.WIRE_02_JWS_TYP_ACCEPT = WIRE_02_JWS_TYP_ACCEPT;
+exports.WIRE_02_VERSION = WIRE_02_VERSION;
 exports.WIRE_TYPE = WIRE_TYPE;
 exports.WIRE_VERSION = WIRE_VERSION;
+exports.WIRE_VERSIONS = WIRE_VERSIONS;
 exports.applyPurposeVary = applyPurposeVary;
 exports.findAgentProtocol = findAgentProtocol;
 exports.findControlEngine = findControlEngine;