@peac/protocol 0.10.14 → 0.11.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +26 -1
- package/dist/index.cjs.map +1 -1
- package/dist/index.mjs +27 -2
- package/dist/index.mjs.map +1 -1
- package/dist/issue.d.ts.map +1 -1
- package/dist/verify-local.cjs +9 -0
- package/dist/verify-local.cjs.map +1 -1
- package/dist/verify-local.d.ts +1 -1
- package/dist/verify-local.d.ts.map +1 -1
- package/dist/verify-local.mjs +10 -1
- package/dist/verify-local.mjs.map +1 -1
- package/dist/verify.d.ts.map +1 -1
- package/package.json +5 -5
package/dist/index.mjs
CHANGED
|
@@ -2,7 +2,7 @@ import { uuidv7 } from 'uuidv7';
|
|
|
2
2
|
import { sign, decode, verify, sha256Hex, computeJwkThumbprint, jwkToPublicKeyBytes, base64urlDecode } from '@peac/crypto';
|
|
3
3
|
export { base64urlDecode, base64urlEncode, computeJwkThumbprint, generateKeypair, jwkToPublicKeyBytes, sha256Bytes, sha256Hex, verify } from '@peac/crypto';
|
|
4
4
|
import { ZodError } from 'zod';
|
|
5
|
-
import { isValidPurposeToken, isCanonicalPurpose, isValidPurposeReason, isValidWorkflowContext, createWorkflowContextInvalidError, hasValidDagSemantics, createWorkflowDagInvalidError, WORKFLOW_EXTENSION_KEY, ReceiptClaims, createEvidenceNotJsonError, validateSubjectSnapshot, parseReceiptClaims, PEAC_RECEIPT_HEADER, PEAC_PURPOSE_HEADER, parsePurposeHeader, PEAC_PURPOSE_APPLIED_HEADER, PEAC_PURPOSE_REASON_HEADER, PEAC_ISSUER_CONFIG_MAX_BYTES, PEAC_ISSUER_CONFIG_PATH, PEAC_POLICY_MAX_BYTES, PEAC_POLICY_PATH, PEAC_POLICY_FALLBACK_PATH } from '@peac/schema';
|
|
5
|
+
import { isValidPurposeToken, isCanonicalPurpose, isValidPurposeReason, isValidWorkflowContext, createWorkflowContextInvalidError, hasValidDagSemantics, createWorkflowDagInvalidError, WORKFLOW_EXTENSION_KEY, validateKernelConstraints, createConstraintViolationError, ReceiptClaims, createEvidenceNotJsonError, validateSubjectSnapshot, parseReceiptClaims, PEAC_RECEIPT_HEADER, PEAC_PURPOSE_HEADER, parsePurposeHeader, PEAC_PURPOSE_APPLIED_HEADER, PEAC_PURPOSE_REASON_HEADER, PEAC_ISSUER_CONFIG_MAX_BYTES, PEAC_ISSUER_CONFIG_PATH, PEAC_POLICY_MAX_BYTES, PEAC_POLICY_PATH, PEAC_POLICY_FALLBACK_PATH } from '@peac/schema';
|
|
6
6
|
import { createHash } from 'crypto';
|
|
7
7
|
import { VERIFIER_LIMITS, VERIFIER_NETWORK, VERIFIER_POLICY_VERSION, VERIFICATION_REPORT_VERSION, WIRE_TYPE } from '@peac/kernel';
|
|
8
8
|
|
|
@@ -139,6 +139,10 @@ async function issue(options) {
|
|
|
139
139
|
...options.purpose_enforced && { purpose_enforced: options.purpose_enforced },
|
|
140
140
|
...options.purpose_reason && { purpose_reason: options.purpose_reason }
|
|
141
141
|
};
|
|
142
|
+
const constraintResult = validateKernelConstraints(claims);
|
|
143
|
+
if (!constraintResult.valid) {
|
|
144
|
+
throw new IssueError(createConstraintViolationError(constraintResult.violations));
|
|
145
|
+
}
|
|
142
146
|
try {
|
|
143
147
|
ReceiptClaims.parse(claims);
|
|
144
148
|
} catch (err) {
|
|
@@ -147,7 +151,10 @@ async function issue(options) {
|
|
|
147
151
|
(issue2) => issue2.path.some((p) => p === "evidence" || p === "payment")
|
|
148
152
|
);
|
|
149
153
|
if (evidenceIssue && evidenceIssue.path.includes("evidence")) {
|
|
150
|
-
const peacError = createEvidenceNotJsonError(
|
|
154
|
+
const peacError = createEvidenceNotJsonError(
|
|
155
|
+
evidenceIssue.message,
|
|
156
|
+
evidenceIssue.path
|
|
157
|
+
);
|
|
151
158
|
throw new IssueError(peacError);
|
|
152
159
|
}
|
|
153
160
|
}
|
|
@@ -242,6 +249,15 @@ async function verifyReceipt(optionsOrJws) {
|
|
|
242
249
|
let jwksFetchTime;
|
|
243
250
|
try {
|
|
244
251
|
const { header, payload } = decode(receiptJws);
|
|
252
|
+
const constraintResult = validateKernelConstraints(payload);
|
|
253
|
+
if (!constraintResult.valid) {
|
|
254
|
+
const v = constraintResult.violations[0];
|
|
255
|
+
return {
|
|
256
|
+
ok: false,
|
|
257
|
+
reason: "constraint_violation",
|
|
258
|
+
details: `Kernel constraint violated: ${v.constraint} (actual: ${v.actual}, limit: ${v.limit})`
|
|
259
|
+
};
|
|
260
|
+
}
|
|
245
261
|
ReceiptClaims.parse(payload);
|
|
246
262
|
if (payload.exp && payload.exp < Math.floor(Date.now() / 1e3)) {
|
|
247
263
|
const durationMs = performance.now() - startTime;
|
|
@@ -361,6 +377,15 @@ async function verifyLocal(jws, publicKey, options = {}) {
|
|
|
361
377
|
message: "Ed25519 signature verification failed"
|
|
362
378
|
};
|
|
363
379
|
}
|
|
380
|
+
const constraintResult = validateKernelConstraints(result.payload);
|
|
381
|
+
if (!constraintResult.valid) {
|
|
382
|
+
const v = constraintResult.violations[0];
|
|
383
|
+
return {
|
|
384
|
+
valid: false,
|
|
385
|
+
code: "E_CONSTRAINT_VIOLATION",
|
|
386
|
+
message: `Kernel constraint violated: ${v.constraint} (actual: ${v.actual}, limit: ${v.limit})`
|
|
387
|
+
};
|
|
388
|
+
}
|
|
364
389
|
const pr = parseReceiptClaims(result.payload);
|
|
365
390
|
if (!pr.ok) {
|
|
366
391
|
return {
|