npm - @peac/protocol - Versions diffs - 0.10.14 → 0.11.1 - Mend

@peac/protocol 0.10.14 → 0.11.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/dist/discovery.d.ts.map +1 -1
package/dist/index.cjs +905 -783
package/dist/index.cjs.map +1 -1
package/dist/index.d.ts +1 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.mjs +906 -785
package/dist/index.mjs.map +1 -1
package/dist/issue.d.ts.map +1 -1
package/dist/jwks-resolver.d.ts +88 -0
package/dist/jwks-resolver.d.ts.map +1 -0
package/dist/verifier-core.d.ts +0 -8
package/dist/verifier-core.d.ts.map +1 -1
package/dist/verify-local.cjs +9 -0
package/dist/verify-local.cjs.map +1 -1
package/dist/verify-local.d.ts +1 -1
package/dist/verify-local.d.ts.map +1 -1
package/dist/verify-local.mjs +10 -1
package/dist/verify-local.mjs.map +1 -1
package/dist/verify.d.ts +8 -1
package/dist/verify.d.ts.map +1 -1
package/package.json +5 -5

package/dist/index.cjs CHANGED Viewed

@@ -140,6 +140,10 @@ async function issue(options) {
     ...options.purpose_enforced && { purpose_enforced: options.purpose_enforced },
     ...options.purpose_reason && { purpose_reason: options.purpose_reason }
   };
+  const constraintResult = schema.validateKernelConstraints(claims);
+  if (!constraintResult.valid) {
+    throw new IssueError(schema.createConstraintViolationError(constraintResult.violations));
+  }
   try {
     schema.ReceiptClaims.parse(claims);
   } catch (err) {
@@ -148,7 +152,10 @@ async function issue(options) {
         (issue2) => issue2.path.some((p) => p === "evidence" || p === "payment")
       );
       if (evidenceIssue && evidenceIssue.path.includes("evidence")) {
-        const peacError = schema.createEvidenceNotJsonError(evidenceIssue.message, evidenceIssue.path);
+        const peacError = schema.createEvidenceNotJsonError(
+          evidenceIssue.message,
+          evidenceIssue.path
+        );
         throw new IssueError(peacError);
       }
     }
@@ -172,605 +179,253 @@ async function issueJws(options) {
   const result = await issue(options);
   return result.jws;
 }
-var jwksCache = /* @__PURE__ */ new Map();
-var CACHE_TTL_MS = 5 * 60 * 1e3;
-async function fetchJWKS(issuerUrl) {
-  if (!issuerUrl.startsWith("https://")) {
-    throw new Error("Issuer URL must be https://");
+function parseIssuerConfig(json) {
+  let config;
+  if (typeof json === "string") {
+    const bytes = new TextEncoder().encode(json).length;
+    if (bytes > schema.PEAC_ISSUER_CONFIG_MAX_BYTES) {
+      throw new Error(`Issuer config exceeds ${schema.PEAC_ISSUER_CONFIG_MAX_BYTES} bytes (got ${bytes})`);
+    }
+    try {
+      config = JSON.parse(json);
+    } catch {
+      throw new Error("Issuer config is not valid JSON");
+    }
+  } else {
+    config = json;
+  }
+  if (typeof config !== "object" || config === null) {
+    throw new Error("Issuer config must be an object");
+  }
+  const obj = config;
+  if (typeof obj.version !== "string" || !obj.version) {
+    throw new Error("Missing required field: version");
+  }
+  if (typeof obj.issuer !== "string" || !obj.issuer) {
+    throw new Error("Missing required field: issuer");
+  }
+  if (typeof obj.jwks_uri !== "string" || !obj.jwks_uri) {
+    throw new Error("Missing required field: jwks_uri");
+  }
+  if (!obj.issuer.startsWith("https://")) {
+    throw new Error("issuer must be an HTTPS URL");
   }
-  const discoveryUrl = `${issuerUrl}/.well-known/peac.txt`;
   try {
-    const discoveryResp = await fetch(discoveryUrl, {
-      headers: { Accept: "text/plain" },
-      // Timeout after 5 seconds
-      signal: AbortSignal.timeout(5e3)
-    });
-    if (!discoveryResp.ok) {
-      throw new Error(`Discovery fetch failed: ${discoveryResp.status}`);
+    new URL(obj.jwks_uri);
+  } catch {
+    throw new Error("jwks_uri must be a valid URL");
+  }
+  if (obj.verify_endpoint !== void 0) {
+    if (typeof obj.verify_endpoint !== "string") {
+      throw new Error("verify_endpoint must be a string");
+    }
+    if (!obj.verify_endpoint.startsWith("https://")) {
+      throw new Error("verify_endpoint must be an HTTPS URL");
+    }
+  }
+  if (obj.receipt_versions !== void 0) {
+    if (!Array.isArray(obj.receipt_versions)) {
+      throw new Error("receipt_versions must be an array");
     }
-    const discoveryText = await discoveryResp.text();
-    const jwksLine = discoveryText.split("\n").find((line) => line.startsWith("jwks:"));
-    if (!jwksLine) {
-      throw new Error("No jwks field in discovery");
+  }
+  if (obj.algorithms !== void 0) {
+    if (!Array.isArray(obj.algorithms)) {
+      throw new Error("algorithms must be an array");
     }
-    const jwksUrl = jwksLine.replace("jwks:", "").trim();
-    if (!jwksUrl.startsWith("https://")) {
-      throw new Error("JWKS URL must be https://");
+  }
+  if (obj.payment_rails !== void 0) {
+    if (!Array.isArray(obj.payment_rails)) {
+      throw new Error("payment_rails must be an array");
     }
-    const jwksResp = await fetch(jwksUrl, {
+  }
+  return {
+    version: obj.version,
+    issuer: obj.issuer,
+    jwks_uri: obj.jwks_uri,
+    verify_endpoint: obj.verify_endpoint,
+    receipt_versions: obj.receipt_versions,
+    algorithms: obj.algorithms,
+    payment_rails: obj.payment_rails,
+    security_contact: obj.security_contact
+  };
+}
+async function fetchIssuerConfig(issuerUrl) {
+  if (!issuerUrl.startsWith("https://")) {
+    throw new Error("Issuer URL must be https://");
+  }
+  const baseUrl = issuerUrl.replace(/\/$/, "");
+  const configUrl = `${baseUrl}${schema.PEAC_ISSUER_CONFIG_PATH}`;
+  try {
+    const resp = await fetch(configUrl, {
       headers: { Accept: "application/json" },
-      signal: AbortSignal.timeout(5e3)
+      signal: AbortSignal.timeout(1e4)
     });
-    if (!jwksResp.ok) {
-      throw new Error(`JWKS fetch failed: ${jwksResp.status}`);
+    if (!resp.ok) {
+      throw new Error(`Issuer config fetch failed: ${resp.status}`);
+    }
+    const text = await resp.text();
+    const config = parseIssuerConfig(text);
+    const normalizedExpected = baseUrl.replace(/\/$/, "");
+    const normalizedActual = config.issuer.replace(/\/$/, "");
+    if (normalizedActual !== normalizedExpected) {
+      throw new Error(`Issuer mismatch: expected ${normalizedExpected}, got ${normalizedActual}`);
     }
-    const jwks = await jwksResp.json();
-    return jwks;
+    return config;
   } catch (err) {
-    throw new Error(`JWKS fetch failed: ${err instanceof Error ? err.message : String(err)}`, {
-      cause: err
-    });
+    throw new Error(
+      `Failed to fetch issuer config from ${issuerUrl}: ${err instanceof Error ? err.message : String(err)}`,
+      { cause: err }
+    );
   }
 }
-async function getJWKS(issuerUrl) {
-  const now = Date.now();
-  const cached = jwksCache.get(issuerUrl);
-  if (cached && cached.expiresAt > now) {
-    return { jwks: cached.keys, fromCache: true };
-  }
-  const jwks = await fetchJWKS(issuerUrl);
-  jwksCache.set(issuerUrl, {
-    keys: jwks,
-    expiresAt: now + CACHE_TTL_MS
-  });
-  return { jwks, fromCache: false };
+function isJsonContent(text, contentType) {
+  if (contentType?.includes("application/json")) {
+    return true;
+  }
+  const firstChar = text.trimStart()[0];
+  return firstChar === "{";
 }
-function jwkToPublicKey(jwk) {
-  if (jwk.kty !== "OKP" || jwk.crv !== "Ed25519") {
-    throw new Error("Only Ed25519 keys (OKP/Ed25519) are supported");
+function parsePolicyManifest(text, contentType) {
+  const bytes = new TextEncoder().encode(text).length;
+  if (bytes > schema.PEAC_POLICY_MAX_BYTES) {
+    throw new Error(`Policy manifest exceeds ${schema.PEAC_POLICY_MAX_BYTES} bytes (got ${bytes})`);
   }
-  const xBytes = Buffer.from(jwk.x, "base64url");
-  if (xBytes.length !== 32) {
-    throw new Error("Ed25519 public key must be 32 bytes");
+  let manifest;
+  if (isJsonContent(text, contentType)) {
+    try {
+      manifest = JSON.parse(text);
+    } catch {
+      throw new Error("Policy manifest is not valid JSON");
+    }
+  } else {
+    manifest = parseSimpleYaml(text);
   }
-  return new Uint8Array(xBytes);
+  if (typeof manifest.version !== "string" || !manifest.version) {
+    throw new Error("Missing required field: version");
+  }
+  if (!manifest.version.startsWith("peac-policy/")) {
+    throw new Error(
+      `Invalid version format: "${manifest.version}". Must start with "peac-policy/" (e.g., "peac-policy/0.1")`
+    );
+  }
+  if (manifest.usage !== "open" && manifest.usage !== "conditional") {
+    throw new Error('Missing or invalid field: usage (must be "open" or "conditional")');
+  }
+  return {
+    version: manifest.version,
+    usage: manifest.usage,
+    purposes: manifest.purposes,
+    receipts: manifest.receipts,
+    attribution: manifest.attribution,
+    rate_limit: manifest.rate_limit,
+    daily_limit: manifest.daily_limit,
+    negotiate: manifest.negotiate,
+    contact: manifest.contact,
+    license: manifest.license,
+    price: manifest.price,
+    currency: manifest.currency,
+    payment_methods: manifest.payment_methods,
+    payment_endpoint: manifest.payment_endpoint
+  };
 }
-async function verifyReceipt(optionsOrJws) {
-  const receiptJws = typeof optionsOrJws === "string" ? optionsOrJws : optionsOrJws.receiptJws;
-  const inputSnapshot = typeof optionsOrJws === "string" ? void 0 : optionsOrJws.subject_snapshot;
-  const telemetry = typeof optionsOrJws === "string" ? void 0 : optionsOrJws.telemetry;
-  const startTime = performance.now();
-  let jwksFetchTime;
-  try {
-    const { header, payload } = crypto.decode(receiptJws);
-    schema.ReceiptClaims.parse(payload);
-    if (payload.exp && payload.exp < Math.floor(Date.now() / 1e3)) {
-      const durationMs = performance.now() - startTime;
-      fireTelemetryHook(telemetry?.onReceiptVerified, {
-        receiptHash: hashReceipt(receiptJws),
-        valid: false,
-        reasonCode: "expired",
-        issuer: payload.iss,
-        kid: header.kid,
-        durationMs
-      });
-      return {
-        ok: false,
-        reason: "expired",
-        details: `Receipt expired at ${new Date(payload.exp * 1e3).toISOString()}`
-      };
-    }
-    const jwksFetchStart = performance.now();
-    const { jwks, fromCache } = await getJWKS(payload.iss);
-    if (!fromCache) {
-      jwksFetchTime = performance.now() - jwksFetchStart;
+function parseSimpleYaml(text) {
+  const lines = text.split("\n");
+  const result = {};
+  if (text.includes("<<:")) {
+    throw new Error("YAML merge keys are not allowed");
+  }
+  if (text.includes("&") || text.includes("*")) {
+    throw new Error("YAML anchors and aliases are not allowed");
+  }
+  if (/!\w+/.test(text)) {
+    throw new Error("YAML custom tags are not allowed");
+  }
+  const docSeparators = text.match(/^---$/gm);
+  if (docSeparators && docSeparators.length > 1) {
+    throw new Error("Multi-document YAML is not allowed");
+  }
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#") || trimmed === "---") {
+      continue;
     }
-    const jwk = jwks.keys.find((k) => k.kid === header.kid);
-    if (!jwk) {
-      const durationMs = performance.now() - startTime;
-      fireTelemetryHook(telemetry?.onReceiptVerified, {
-        receiptHash: hashReceipt(receiptJws),
-        valid: false,
-        reasonCode: "unknown_key",
-        issuer: payload.iss,
-        kid: header.kid,
-        durationMs
-      });
-      return {
-        ok: false,
-        reason: "unknown_key",
-        details: `No key found with kid=${header.kid}`
-      };
+    const colonIndex = trimmed.indexOf(":");
+    if (colonIndex === -1) continue;
+    const key = trimmed.slice(0, colonIndex).trim();
+    let value = trimmed.slice(colonIndex + 1).trim();
+    if (value === "") {
+      value = void 0;
+    } else if (typeof value === "string") {
+      if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+        value = value.slice(1, -1);
+      } else if (value.startsWith("[") && value.endsWith("]")) {
+        const inner = value.slice(1, -1);
+        value = inner.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
+      } else if (/^-?\d+(\.\d+)?$/.test(value)) {
+        value = parseFloat(value);
+      } else if (value === "true") {
+        value = true;
+      } else if (value === "false") {
+        value = false;
+      }
     }
-    const publicKey = jwkToPublicKey(jwk);
-    const result = await crypto.verify(receiptJws, publicKey);
-    if (!result.valid) {
-      const durationMs = performance.now() - startTime;
-      fireTelemetryHook(telemetry?.onReceiptVerified, {
-        receiptHash: hashReceipt(receiptJws),
-        valid: false,
-        reasonCode: "invalid_signature",
-        issuer: payload.iss,
-        kid: header.kid,
-        durationMs
-      });
-      return {
-        ok: false,
-        reason: "invalid_signature",
-        details: "Ed25519 signature verification failed"
-      };
+    if (value !== void 0) {
+      result[key] = value;
     }
-    const validatedSnapshot = schema.validateSubjectSnapshot(inputSnapshot);
-    const verifyTime = performance.now() - startTime;
-    fireTelemetryHook(telemetry?.onReceiptVerified, {
-      receiptHash: hashReceipt(receiptJws),
-      valid: true,
-      issuer: payload.iss,
-      kid: header.kid,
-      durationMs: verifyTime
-    });
-    return {
-      ok: true,
-      claims: payload,
-      ...validatedSnapshot && { subject_snapshot: validatedSnapshot },
-      perf: {
-        verify_ms: verifyTime,
-        ...jwksFetchTime && { jwks_fetch_ms: jwksFetchTime }
-      }
-    };
-  } catch (err) {
-    const durationMs = performance.now() - startTime;
-    fireTelemetryHook(telemetry?.onReceiptVerified, {
-      receiptHash: hashReceipt(receiptJws),
-      valid: false,
-      reasonCode: "verification_error",
-      durationMs
-    });
-    return {
-      ok: false,
-      reason: "verification_error",
-      details: err instanceof Error ? err.message : String(err)
-    };
   }
+  return result;
 }
-function isCryptoError(err) {
-  return err !== null && typeof err === "object" && "name" in err && err.name === "CryptoError" && "code" in err && typeof err.code === "string" && err.code.startsWith("CRYPTO_") && "message" in err && typeof err.message === "string";
-}
-var FORMAT_ERROR_CODES = /* @__PURE__ */ new Set([
-  "CRYPTO_INVALID_JWS_FORMAT",
-  "CRYPTO_INVALID_TYP",
-  "CRYPTO_INVALID_ALG",
-  "CRYPTO_INVALID_KEY_LENGTH"
-]);
-var MAX_PARSE_ISSUES = 25;
-function sanitizeParseIssues(issues) {
-  if (!Array.isArray(issues)) return void 0;
-  return issues.slice(0, MAX_PARSE_ISSUES).map((issue2) => ({
-    path: Array.isArray(issue2?.path) ? issue2.path.join(".") : "",
-    message: typeof issue2?.message === "string" ? issue2.message : String(issue2)
-  }));
-}
-async function verifyLocal(jws, publicKey, options = {}) {
-  const { issuer, audience, subjectUri, rid, requireExp = false, maxClockSkew = 300 } = options;
-  const now = options.now ?? Math.floor(Date.now() / 1e3);
+async function fetchPolicyManifest(baseUrl) {
+  if (!baseUrl.startsWith("https://") && !baseUrl.startsWith("http://localhost")) {
+    throw new Error("Base URL must be https://");
+  }
+  const normalizedBase = baseUrl.replace(/\/$/, "");
+  const primaryUrl = `${normalizedBase}${schema.PEAC_POLICY_PATH}`;
+  const fallbackUrl = `${normalizedBase}${schema.PEAC_POLICY_FALLBACK_PATH}`;
   try {
-    const result = await crypto.verify(jws, publicKey);
-    if (!result.valid) {
-      return {
-        valid: false,
-        code: "E_INVALID_SIGNATURE",
-        message: "Ed25519 signature verification failed"
-      };
-    }
-    const pr = schema.parseReceiptClaims(result.payload);
-    if (!pr.ok) {
-      return {
-        valid: false,
-        code: "E_INVALID_FORMAT",
-        message: `Receipt schema validation failed: ${pr.error.message}`,
-        details: { parse_code: pr.error.code, issues: sanitizeParseIssues(pr.error.issues) }
-      };
-    }
-    if (issuer !== void 0 && pr.claims.iss !== issuer) {
-      return {
-        valid: false,
-        code: "E_INVALID_ISSUER",
-        message: `Issuer mismatch: expected "${issuer}", got "${pr.claims.iss}"`
-      };
-    }
-    if (audience !== void 0 && pr.claims.aud !== audience) {
-      return {
-        valid: false,
-        code: "E_INVALID_AUDIENCE",
-        message: `Audience mismatch: expected "${audience}", got "${pr.claims.aud}"`
-      };
-    }
-    if (rid !== void 0 && pr.claims.rid !== rid) {
-      return {
-        valid: false,
-        code: "E_INVALID_RECEIPT_ID",
-        message: `Receipt ID mismatch: expected "${rid}", got "${pr.claims.rid}"`
-      };
-    }
-    if (requireExp && pr.claims.exp === void 0) {
-      return {
-        valid: false,
-        code: "E_MISSING_EXP",
-        message: "Receipt missing required exp claim"
-      };
-    }
-    if (pr.claims.iat > now + maxClockSkew) {
-      return {
-        valid: false,
-        code: "E_NOT_YET_VALID",
-        message: `Receipt not yet valid: issued at ${new Date(pr.claims.iat * 1e3).toISOString()}, now is ${new Date(now * 1e3).toISOString()}`
-      };
-    }
-    if (pr.claims.exp !== void 0 && pr.claims.exp < now - maxClockSkew) {
-      return {
-        valid: false,
-        code: "E_EXPIRED",
-        message: `Receipt expired at ${new Date(pr.claims.exp * 1e3).toISOString()}`
-      };
+    const resp = await fetch(primaryUrl, {
+      headers: { Accept: "text/plain, application/json" },
+      signal: AbortSignal.timeout(5e3)
+    });
+    if (resp.ok) {
+      const text = await resp.text();
+      const contentType = resp.headers.get("content-type") || void 0;
+      return parsePolicyManifest(text, contentType);
     }
-    if (pr.variant === "commerce") {
-      const claims = pr.claims;
-      if (subjectUri !== void 0 && claims.subject?.uri !== subjectUri) {
-        return {
-          valid: false,
-          code: "E_INVALID_SUBJECT",
-          message: `Subject mismatch: expected "${subjectUri}", got "${claims.subject?.uri ?? "undefined"}"`
-        };
-      }
-      return {
-        valid: true,
-        variant: "commerce",
-        claims,
-        kid: result.header.kid,
-        policy_binding: "unavailable"
-      };
-    } else {
-      const claims = pr.claims;
-      if (subjectUri !== void 0 && claims.sub !== subjectUri) {
-        return {
-          valid: false,
-          code: "E_INVALID_SUBJECT",
-          message: `Subject mismatch: expected "${subjectUri}", got "${claims.sub ?? "undefined"}"`
-        };
+    if (resp.status === 404) {
+      const fallbackResp = await fetch(fallbackUrl, {
+        headers: { Accept: "text/plain, application/json" },
+        signal: AbortSignal.timeout(5e3)
+      });
+      if (fallbackResp.ok) {
+        const text = await fallbackResp.text();
+        const contentType = fallbackResp.headers.get("content-type") || void 0;
+        return parsePolicyManifest(text, contentType);
       }
-      return {
-        valid: true,
-        variant: "attestation",
-        claims,
-        kid: result.header.kid,
-        policy_binding: "unavailable"
-      };
+      throw new Error("Policy manifest not found at primary or fallback location");
     }
+    throw new Error(`Policy manifest fetch failed: ${resp.status}`);
   } catch (err) {
-    if (isCryptoError(err)) {
-      if (FORMAT_ERROR_CODES.has(err.code)) {
-        return {
-          valid: false,
-          code: "E_INVALID_FORMAT",
-          message: err.message
-        };
-      }
-      if (err.code === "CRYPTO_INVALID_SIGNATURE") {
-        return {
-          valid: false,
-          code: "E_INVALID_SIGNATURE",
-          message: err.message
-        };
-      }
-    }
-    if (err !== null && typeof err === "object" && "name" in err && err.name === "SyntaxError") {
-      const syntaxMessage = "message" in err && typeof err.message === "string" ? err.message : "Invalid JSON";
-      return {
-        valid: false,
-        code: "E_INVALID_FORMAT",
-        message: `Invalid receipt payload: ${syntaxMessage}`
-      };
-    }
-    const message = err instanceof Error ? err.message : String(err);
-    return {
-      valid: false,
-      code: "E_INTERNAL",
-      message: `Unexpected verification error: ${message}`
-    };
+    throw new Error(
+      `Failed to fetch policy manifest from ${baseUrl}: ${err instanceof Error ? err.message : String(err)}`,
+      { cause: err }
+    );
   }
 }
-function isCommerceResult(r) {
-  return r.valid === true && r.variant === "commerce";
-}
-function isAttestationResult(r) {
-  return r.valid === true && r.variant === "attestation";
-}
-function setReceiptHeader(headers, receiptJws) {
-  headers.set(schema.PEAC_RECEIPT_HEADER, receiptJws);
-}
-function getReceiptHeader(headers) {
-  return headers.get(schema.PEAC_RECEIPT_HEADER);
-}
-function setVaryHeader(headers) {
-  const existing = headers.get("Vary");
-  if (existing) {
-    const varies = existing.split(",").map((v) => v.trim());
-    if (!varies.includes(schema.PEAC_RECEIPT_HEADER)) {
-      headers.set("Vary", `${existing}, ${schema.PEAC_RECEIPT_HEADER}`);
-    }
-  } else {
-    headers.set("Vary", schema.PEAC_RECEIPT_HEADER);
+function parseDiscovery(text) {
+  const bytes = new TextEncoder().encode(text).length;
+  if (bytes > 2e3) {
+    throw new Error(`Discovery manifest exceeds 2000 bytes (got ${bytes})`);
   }
-}
-function getPurposeHeader(headers) {
-  const value = headers.get(schema.PEAC_PURPOSE_HEADER);
-  if (!value) {
-    return [];
+  const lines = text.trim().split("\n");
+  if (lines.length > 20) {
+    throw new Error(`Discovery manifest exceeds 20 lines (got ${lines.length})`);
   }
-  return schema.parsePurposeHeader(value);
-}
-function setPurposeAppliedHeader(headers, purpose) {
-  headers.set(schema.PEAC_PURPOSE_APPLIED_HEADER, purpose);
-}
-function setPurposeReasonHeader(headers, reason) {
-  headers.set(schema.PEAC_PURPOSE_REASON_HEADER, reason);
-}
-function setVaryPurposeHeader(headers) {
-  const existing = headers.get("Vary");
-  if (existing) {
-    const varies = existing.split(",").map((v) => v.trim());
-    if (!varies.includes(schema.PEAC_PURPOSE_HEADER)) {
-      headers.set("Vary", `${existing}, ${schema.PEAC_PURPOSE_HEADER}`);
-    }
-  } else {
-    headers.set("Vary", schema.PEAC_PURPOSE_HEADER);
-  }
-}
-function parseIssuerConfig(json) {
-  let config;
-  if (typeof json === "string") {
-    const bytes = new TextEncoder().encode(json).length;
-    if (bytes > schema.PEAC_ISSUER_CONFIG_MAX_BYTES) {
-      throw new Error(`Issuer config exceeds ${schema.PEAC_ISSUER_CONFIG_MAX_BYTES} bytes (got ${bytes})`);
-    }
-    try {
-      config = JSON.parse(json);
-    } catch {
-      throw new Error("Issuer config is not valid JSON");
-    }
-  } else {
-    config = json;
-  }
-  if (typeof config !== "object" || config === null) {
-    throw new Error("Issuer config must be an object");
-  }
-  const obj = config;
-  if (typeof obj.version !== "string" || !obj.version) {
-    throw new Error("Missing required field: version");
-  }
-  if (typeof obj.issuer !== "string" || !obj.issuer) {
-    throw new Error("Missing required field: issuer");
-  }
-  if (typeof obj.jwks_uri !== "string" || !obj.jwks_uri) {
-    throw new Error("Missing required field: jwks_uri");
-  }
-  if (!obj.issuer.startsWith("https://")) {
-    throw new Error("issuer must be an HTTPS URL");
-  }
-  if (!obj.jwks_uri.startsWith("https://")) {
-    throw new Error("jwks_uri must be an HTTPS URL");
-  }
-  if (obj.verify_endpoint !== void 0) {
-    if (typeof obj.verify_endpoint !== "string") {
-      throw new Error("verify_endpoint must be a string");
-    }
-    if (!obj.verify_endpoint.startsWith("https://")) {
-      throw new Error("verify_endpoint must be an HTTPS URL");
-    }
-  }
-  if (obj.receipt_versions !== void 0) {
-    if (!Array.isArray(obj.receipt_versions)) {
-      throw new Error("receipt_versions must be an array");
-    }
-  }
-  if (obj.algorithms !== void 0) {
-    if (!Array.isArray(obj.algorithms)) {
-      throw new Error("algorithms must be an array");
-    }
-  }
-  if (obj.payment_rails !== void 0) {
-    if (!Array.isArray(obj.payment_rails)) {
-      throw new Error("payment_rails must be an array");
-    }
-  }
-  return {
-    version: obj.version,
-    issuer: obj.issuer,
-    jwks_uri: obj.jwks_uri,
-    verify_endpoint: obj.verify_endpoint,
-    receipt_versions: obj.receipt_versions,
-    algorithms: obj.algorithms,
-    payment_rails: obj.payment_rails,
-    security_contact: obj.security_contact
-  };
-}
-async function fetchIssuerConfig(issuerUrl) {
-  if (!issuerUrl.startsWith("https://")) {
-    throw new Error("Issuer URL must be https://");
-  }
-  const baseUrl = issuerUrl.replace(/\/$/, "");
-  const configUrl = `${baseUrl}${schema.PEAC_ISSUER_CONFIG_PATH}`;
-  try {
-    const resp = await fetch(configUrl, {
-      headers: { Accept: "application/json" },
-      signal: AbortSignal.timeout(1e4)
-    });
-    if (!resp.ok) {
-      throw new Error(`Issuer config fetch failed: ${resp.status}`);
-    }
-    const text = await resp.text();
-    const config = parseIssuerConfig(text);
-    const normalizedExpected = baseUrl.replace(/\/$/, "");
-    const normalizedActual = config.issuer.replace(/\/$/, "");
-    if (normalizedActual !== normalizedExpected) {
-      throw new Error(`Issuer mismatch: expected ${normalizedExpected}, got ${normalizedActual}`);
-    }
-    return config;
-  } catch (err) {
-    throw new Error(
-      `Failed to fetch issuer config from ${issuerUrl}: ${err instanceof Error ? err.message : String(err)}`,
-      { cause: err }
-    );
-  }
-}
-function isJsonContent(text, contentType) {
-  if (contentType?.includes("application/json")) {
-    return true;
-  }
-  const firstChar = text.trimStart()[0];
-  return firstChar === "{";
-}
-function parsePolicyManifest(text, contentType) {
-  const bytes = new TextEncoder().encode(text).length;
-  if (bytes > schema.PEAC_POLICY_MAX_BYTES) {
-    throw new Error(`Policy manifest exceeds ${schema.PEAC_POLICY_MAX_BYTES} bytes (got ${bytes})`);
-  }
-  let manifest;
-  if (isJsonContent(text, contentType)) {
-    try {
-      manifest = JSON.parse(text);
-    } catch {
-      throw new Error("Policy manifest is not valid JSON");
-    }
-  } else {
-    manifest = parseSimpleYaml(text);
-  }
-  if (typeof manifest.version !== "string" || !manifest.version) {
-    throw new Error("Missing required field: version");
-  }
-  if (!manifest.version.startsWith("peac-policy/")) {
-    throw new Error(
-      `Invalid version format: "${manifest.version}". Must start with "peac-policy/" (e.g., "peac-policy/0.1")`
-    );
-  }
-  if (manifest.usage !== "open" && manifest.usage !== "conditional") {
-    throw new Error('Missing or invalid field: usage (must be "open" or "conditional")');
-  }
-  return {
-    version: manifest.version,
-    usage: manifest.usage,
-    purposes: manifest.purposes,
-    receipts: manifest.receipts,
-    attribution: manifest.attribution,
-    rate_limit: manifest.rate_limit,
-    daily_limit: manifest.daily_limit,
-    negotiate: manifest.negotiate,
-    contact: manifest.contact,
-    license: manifest.license,
-    price: manifest.price,
-    currency: manifest.currency,
-    payment_methods: manifest.payment_methods,
-    payment_endpoint: manifest.payment_endpoint
-  };
-}
-function parseSimpleYaml(text) {
-  const lines = text.split("\n");
-  const result = {};
-  if (text.includes("<<:")) {
-    throw new Error("YAML merge keys are not allowed");
-  }
-  if (text.includes("&") || text.includes("*")) {
-    throw new Error("YAML anchors and aliases are not allowed");
-  }
-  if (/!\w+/.test(text)) {
-    throw new Error("YAML custom tags are not allowed");
-  }
-  const docSeparators = text.match(/^---$/gm);
-  if (docSeparators && docSeparators.length > 1) {
-    throw new Error("Multi-document YAML is not allowed");
-  }
-  for (const line of lines) {
-    const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith("#") || trimmed === "---") {
-      continue;
-    }
-    const colonIndex = trimmed.indexOf(":");
-    if (colonIndex === -1) continue;
-    const key = trimmed.slice(0, colonIndex).trim();
-    let value = trimmed.slice(colonIndex + 1).trim();
-    if (value === "") {
-      value = void 0;
-    } else if (typeof value === "string") {
-      if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
-        value = value.slice(1, -1);
-      } else if (value.startsWith("[") && value.endsWith("]")) {
-        const inner = value.slice(1, -1);
-        value = inner.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
-      } else if (/^-?\d+(\.\d+)?$/.test(value)) {
-        value = parseFloat(value);
-      } else if (value === "true") {
-        value = true;
-      } else if (value === "false") {
-        value = false;
-      }
-    }
-    if (value !== void 0) {
-      result[key] = value;
-    }
-  }
-  return result;
-}
-async function fetchPolicyManifest(baseUrl) {
-  if (!baseUrl.startsWith("https://") && !baseUrl.startsWith("http://localhost")) {
-    throw new Error("Base URL must be https://");
-  }
-  const normalizedBase = baseUrl.replace(/\/$/, "");
-  const primaryUrl = `${normalizedBase}${schema.PEAC_POLICY_PATH}`;
-  const fallbackUrl = `${normalizedBase}${schema.PEAC_POLICY_FALLBACK_PATH}`;
-  try {
-    const resp = await fetch(primaryUrl, {
-      headers: { Accept: "text/plain, application/json" },
-      signal: AbortSignal.timeout(5e3)
-    });
-    if (resp.ok) {
-      const text = await resp.text();
-      const contentType = resp.headers.get("content-type") || void 0;
-      return parsePolicyManifest(text, contentType);
-    }
-    if (resp.status === 404) {
-      const fallbackResp = await fetch(fallbackUrl, {
-        headers: { Accept: "text/plain, application/json" },
-        signal: AbortSignal.timeout(5e3)
-      });
-      if (fallbackResp.ok) {
-        const text = await fallbackResp.text();
-        const contentType = fallbackResp.headers.get("content-type") || void 0;
-        return parsePolicyManifest(text, contentType);
-      }
-      throw new Error("Policy manifest not found at primary or fallback location");
-    }
-    throw new Error(`Policy manifest fetch failed: ${resp.status}`);
-  } catch (err) {
-    throw new Error(
-      `Failed to fetch policy manifest from ${baseUrl}: ${err instanceof Error ? err.message : String(err)}`,
-      { cause: err }
-    );
-  }
-}
-function parseDiscovery(text) {
-  const bytes = new TextEncoder().encode(text).length;
-  if (bytes > 2e3) {
-    throw new Error(`Discovery manifest exceeds 2000 bytes (got ${bytes})`);
-  }
-  const lines = text.trim().split("\n");
-  if (lines.length > 20) {
-    throw new Error(`Discovery manifest exceeds 20 lines (got ${lines.length})`);
-  }
-  const discovery = {};
-  for (const line of lines) {
-    const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith("#")) {
-      continue;
+  const discovery = {};
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) {
+      continue;
     }
     if (trimmed.includes(":")) {
       const [key, ...valueParts] = trimmed.split(":");
@@ -822,116 +477,6 @@ async function fetchDiscovery(issuerUrl) {
     );
   }
 }
-var DEFAULT_VERIFIER_LIMITS = {
-  max_receipt_bytes: kernel.VERIFIER_LIMITS.maxReceiptBytes,
-  max_jwks_bytes: kernel.VERIFIER_LIMITS.maxJwksBytes,
-  max_jwks_keys: kernel.VERIFIER_LIMITS.maxJwksKeys,
-  max_redirects: kernel.VERIFIER_LIMITS.maxRedirects,
-  fetch_timeout_ms: kernel.VERIFIER_LIMITS.fetchTimeoutMs,
-  max_extension_bytes: kernel.VERIFIER_LIMITS.maxExtensionBytes
-};
-var DEFAULT_NETWORK_SECURITY = {
-  https_only: kernel.VERIFIER_NETWORK.httpsOnly,
-  block_private_ips: kernel.VERIFIER_NETWORK.blockPrivateIps,
-  allow_redirects: kernel.VERIFIER_NETWORK.allowRedirects,
-  allow_cross_origin_redirects: true,
-  // Allow for CDN compatibility
-  dns_failure_behavior: "block"
-  // Fail-closed by default
-};
-function createDefaultPolicy(mode) {
-  return {
-    policy_version: kernel.VERIFIER_POLICY_VERSION,
-    mode,
-    limits: { ...DEFAULT_VERIFIER_LIMITS },
-    network: { ...DEFAULT_NETWORK_SECURITY }
-  };
-}
-var CHECK_IDS = [
-  "jws.parse",
-  "limits.receipt_bytes",
-  "jws.protected_header",
-  "claims.schema_unverified",
-  "issuer.trust_policy",
-  "issuer.discovery",
-  "key.resolve",
-  "jws.signature",
-  "claims.time_window",
-  "extensions.limits",
-  "transport.profile_binding",
-  "policy.binding"
-];
-var NON_DETERMINISTIC_ARTIFACT_KEYS = [
-  "issuer_jwks_digest"
-];
-function createDigest(hexValue) {
-  return {
-    alg: "sha-256",
-    value: hexValue.toLowerCase()
-  };
-}
-function createEmptyReport(policy) {
-  return {
-    report_version: kernel.VERIFICATION_REPORT_VERSION,
-    policy
-  };
-}
-function ssrfErrorToReasonCode(ssrfReason, fetchType) {
-  const prefix = fetchType === "key" ? "key_fetch" : "pointer_fetch";
-  switch (ssrfReason) {
-    case "not_https":
-    case "private_ip":
-    case "loopback":
-    case "link_local":
-    case "cross_origin_redirect":
-    case "dns_failure":
-      return `${prefix}_blocked`;
-    case "timeout":
-      return `${prefix}_timeout`;
-    case "response_too_large":
-      return fetchType === "pointer" ? "pointer_fetch_too_large" : "jwks_too_large";
-    case "jwks_too_many_keys":
-      return "jwks_too_many_keys";
-    case "too_many_redirects":
-    case "scheme_downgrade":
-    case "network_error":
-    case "invalid_url":
-    default:
-      return `${prefix}_failed`;
-  }
-}
-function reasonCodeToSeverity(reason) {
-  if (reason === "ok") return "info";
-  return "error";
-}
-function reasonCodeToErrorCode(reason) {
-  const mapping = {
-    ok: "",
-    receipt_too_large: "E_VERIFY_RECEIPT_TOO_LARGE",
-    malformed_receipt: "E_VERIFY_MALFORMED_RECEIPT",
-    signature_invalid: "E_VERIFY_SIGNATURE_INVALID",
-    issuer_not_allowed: "E_VERIFY_ISSUER_NOT_ALLOWED",
-    key_not_found: "E_VERIFY_KEY_NOT_FOUND",
-    key_fetch_blocked: "E_VERIFY_KEY_FETCH_BLOCKED",
-    key_fetch_failed: "E_VERIFY_KEY_FETCH_FAILED",
-    key_fetch_timeout: "E_VERIFY_KEY_FETCH_TIMEOUT",
-    pointer_fetch_blocked: "E_VERIFY_POINTER_FETCH_BLOCKED",
-    pointer_fetch_failed: "E_VERIFY_POINTER_FETCH_FAILED",
-    pointer_fetch_timeout: "E_VERIFY_POINTER_FETCH_TIMEOUT",
-    pointer_fetch_too_large: "E_VERIFY_POINTER_FETCH_TOO_LARGE",
-    pointer_digest_mismatch: "E_VERIFY_POINTER_DIGEST_MISMATCH",
-    jwks_too_large: "E_VERIFY_JWKS_TOO_LARGE",
-    jwks_too_many_keys: "E_VERIFY_JWKS_TOO_MANY_KEYS",
-    expired: "E_VERIFY_EXPIRED",
-    not_yet_valid: "E_VERIFY_NOT_YET_VALID",
-    audience_mismatch: "E_VERIFY_AUDIENCE_MISMATCH",
-    schema_invalid: "E_VERIFY_SCHEMA_INVALID",
-    policy_violation: "E_VERIFY_POLICY_VIOLATION",
-    extension_too_large: "E_VERIFY_EXTENSION_TOO_LARGE",
-    invalid_transport: "E_VERIFY_INVALID_TRANSPORT"
-  };
-  return mapping[reason] || "E_VERIFY_POLICY_VIOLATION";
-}
 var cachedCapabilities = null;
 function getSSRFCapabilities() {
   if (cachedCapabilities) {
@@ -1339,49 +884,685 @@ async function ssrfSafeFetch(url, options = {}) {
       }, new Uint8Array());
       const body = new TextDecoder().decode(rawBytes);
       return {
-        ok: true,
-        status: response.status,
-        body,
-        rawBytes,
-        contentType: response.headers.get("content-type") ?? void 0
+        ok: true,
+        status: response.status,
+        body,
+        rawBytes,
+        contentType: response.headers.get("content-type") ?? void 0
+      };
+    } catch (err) {
+      if (err instanceof Error) {
+        if (err.name === "AbortError" || err.message.includes("timeout")) {
+          return {
+            ok: false,
+            reason: "timeout",
+            message: `Fetch timeout after ${timeoutMs}ms: ${currentUrl}`
+          };
+        }
+      }
+      return {
+        ok: false,
+        reason: "network_error",
+        message: `Network error: ${err instanceof Error ? err.message : String(err)}`
+      };
+    }
+  }
+}
+async function fetchJWKSSafe(jwksUrl, options) {
+  return ssrfSafeFetch(jwksUrl, {
+    ...options,
+    maxBytes: kernel.VERIFIER_LIMITS.maxJwksBytes,
+    headers: {
+      Accept: "application/json",
+      ...options?.headers
+    }
+  });
+}
+async function fetchPointerSafe(pointerUrl, options) {
+  return ssrfSafeFetch(pointerUrl, {
+    ...options,
+    maxBytes: kernel.VERIFIER_LIMITS.maxReceiptBytes,
+    headers: {
+      Accept: "application/jose, application/json",
+      ...options?.headers
+    }
+  });
+}
+// src/jwks-resolver.ts
+var DEFAULT_CACHE_TTL_MS = 5 * 60 * 1e3;
+var DEFAULT_MAX_CACHE_ENTRIES = 1e3;
+var jwksCache = /* @__PURE__ */ new Map();
+function cacheGet(key, now) {
+  const entry = jwksCache.get(key);
+  if (!entry) return void 0;
+  if (entry.expiresAt <= now) {
+    jwksCache.delete(key);
+    return void 0;
+  }
+  jwksCache.delete(key);
+  jwksCache.set(key, entry);
+  return entry;
+}
+function cacheSet(key, entry, maxEntries) {
+  if (jwksCache.has(key)) jwksCache.delete(key);
+  jwksCache.set(key, entry);
+  while (jwksCache.size > maxEntries) {
+    const oldestKey = jwksCache.keys().next().value;
+    if (oldestKey !== void 0) jwksCache.delete(oldestKey);
+  }
+}
+function clearJWKSCache() {
+  jwksCache.clear();
+}
+function getJWKSCacheSize() {
+  return jwksCache.size;
+}
+function canonicalizeIssuerOrigin(issuerUrl) {
+  try {
+    const origin = new URL(issuerUrl).origin;
+    if (origin === "null") {
+      return { ok: false, message: `Issuer URL has no valid origin: ${issuerUrl}` };
+    }
+    return { ok: true, origin };
+  } catch {
+    return { ok: false, message: `Issuer URL is not a valid URL: ${issuerUrl}` };
+  }
+}
+function mapSSRFError(reason, context) {
+  let code;
+  switch (reason) {
+    case "not_https":
+      code = "E_VERIFY_INSECURE_SCHEME_BLOCKED";
+      break;
+    case "private_ip":
+    case "loopback":
+    case "link_local":
+      code = "E_VERIFY_KEY_FETCH_BLOCKED";
+      break;
+    case "timeout":
+      code = "E_VERIFY_KEY_FETCH_TIMEOUT";
+      break;
+    case "response_too_large":
+      code = context === "jwks" ? "E_VERIFY_JWKS_TOO_LARGE" : "E_VERIFY_KEY_FETCH_FAILED";
+      break;
+    case "dns_failure":
+    case "network_error":
+    case "too_many_redirects":
+    case "scheme_downgrade":
+    case "cross_origin_redirect":
+    case "invalid_url":
+      code = context === "issuer_config" ? "E_VERIFY_ISSUER_CONFIG_MISSING" : "E_VERIFY_KEY_FETCH_FAILED";
+      break;
+    case "jwks_too_many_keys":
+      code = "E_VERIFY_JWKS_TOO_MANY_KEYS";
+      break;
+    default:
+      code = "E_VERIFY_KEY_FETCH_FAILED";
+      break;
+  }
+  return { code, reason };
+}
+async function resolveJWKS(issuerUrl, options) {
+  const cacheTtlMs = options?.cacheTtlMs ?? DEFAULT_CACHE_TTL_MS;
+  const maxCacheEntries = options?.maxCacheEntries ?? DEFAULT_MAX_CACHE_ENTRIES;
+  const noCache = options?.noCache ?? false;
+  const normalized = canonicalizeIssuerOrigin(issuerUrl);
+  if (!normalized.ok) {
+    return {
+      ok: false,
+      code: "E_VERIFY_ISSUER_CONFIG_INVALID",
+      message: normalized.message,
+      blockedUrl: issuerUrl
+    };
+  }
+  const normalizedIssuer = normalized.origin;
+  const now = Date.now();
+  if (!noCache) {
+    const cached = cacheGet(normalizedIssuer, now);
+    if (cached) {
+      return { ok: true, jwks: cached.jwks, fromCache: true };
+    }
+  }
+  if (!normalizedIssuer.startsWith("https://")) {
+    return {
+      ok: false,
+      code: "E_VERIFY_INSECURE_SCHEME_BLOCKED",
+      message: `Issuer URL must be HTTPS: ${normalizedIssuer}`,
+      blockedUrl: normalizedIssuer
+    };
+  }
+  const configUrl = `${normalizedIssuer}/.well-known/peac-issuer.json`;
+  const configResult = await ssrfSafeFetch(configUrl, {
+    maxBytes: schema.PEAC_ISSUER_CONFIG_MAX_BYTES,
+    headers: { Accept: "application/json" }
+  });
+  if (!configResult.ok) {
+    const mapped = mapSSRFError(configResult.reason, "issuer_config");
+    return {
+      ok: false,
+      code: mapped.code,
+      message: `Failed to fetch peac-issuer.json: ${configResult.message}`,
+      reason: mapped.reason,
+      blockedUrl: configResult.blockedUrl
+    };
+  }
+  let issuerConfig;
+  try {
+    issuerConfig = parseIssuerConfig(configResult.body);
+  } catch (err) {
+    return {
+      ok: false,
+      code: "E_VERIFY_ISSUER_CONFIG_INVALID",
+      message: `Invalid peac-issuer.json: ${err instanceof Error ? err.message : String(err)}`
+    };
+  }
+  const configIssuerResult = canonicalizeIssuerOrigin(issuerConfig.issuer);
+  const configIssuer = configIssuerResult.ok ? configIssuerResult.origin : issuerConfig.issuer;
+  if (configIssuer !== normalizedIssuer) {
+    return {
+      ok: false,
+      code: "E_VERIFY_ISSUER_MISMATCH",
+      message: `Issuer mismatch: expected ${normalizedIssuer}, got ${configIssuer}`
+    };
+  }
+  if (!issuerConfig.jwks_uri) {
+    return {
+      ok: false,
+      code: "E_VERIFY_JWKS_URI_INVALID",
+      message: "peac-issuer.json missing required jwks_uri field"
+    };
+  }
+  if (!issuerConfig.jwks_uri.startsWith("https://")) {
+    return {
+      ok: false,
+      code: "E_VERIFY_JWKS_URI_INVALID",
+      message: `jwks_uri must be HTTPS: ${issuerConfig.jwks_uri}`,
+      blockedUrl: issuerConfig.jwks_uri
+    };
+  }
+  const jwksResult = await fetchJWKSSafe(issuerConfig.jwks_uri);
+  if (!jwksResult.ok) {
+    const mapped = mapSSRFError(jwksResult.reason, "jwks");
+    return {
+      ok: false,
+      code: mapped.code,
+      message: `Failed to fetch JWKS from ${issuerConfig.jwks_uri}: ${jwksResult.message}`,
+      reason: mapped.reason,
+      blockedUrl: jwksResult.blockedUrl
+    };
+  }
+  let jwks;
+  try {
+    jwks = JSON.parse(jwksResult.body);
+  } catch {
+    return {
+      ok: false,
+      code: "E_VERIFY_JWKS_INVALID",
+      message: "JWKS response is not valid JSON"
+    };
+  }
+  if (!jwks.keys || !Array.isArray(jwks.keys)) {
+    return {
+      ok: false,
+      code: "E_VERIFY_JWKS_INVALID",
+      message: "JWKS missing required keys array"
+    };
+  }
+  if (jwks.keys.length > kernel.VERIFIER_LIMITS.maxJwksKeys) {
+    return {
+      ok: false,
+      code: "E_VERIFY_JWKS_TOO_MANY_KEYS",
+      message: `JWKS has too many keys: ${jwks.keys.length} > ${kernel.VERIFIER_LIMITS.maxJwksKeys}`
+    };
+  }
+  if (!noCache) {
+    cacheSet(normalizedIssuer, { jwks, expiresAt: now + cacheTtlMs }, maxCacheEntries);
+  }
+  return {
+    ok: true,
+    jwks,
+    fromCache: false,
+    rawBytes: jwksResult.rawBytes
+  };
+}
+// src/verify.ts
+function jwkToPublicKey(jwk) {
+  if (jwk.kty !== "OKP" || jwk.crv !== "Ed25519") {
+    throw new Error("Only Ed25519 keys (OKP/Ed25519) are supported");
+  }
+  const xBytes = Buffer.from(jwk.x, "base64url");
+  if (xBytes.length !== 32) {
+    throw new Error("Ed25519 public key must be 32 bytes");
+  }
+  return new Uint8Array(xBytes);
+}
+async function verifyReceipt(optionsOrJws) {
+  const receiptJws = typeof optionsOrJws === "string" ? optionsOrJws : optionsOrJws.receiptJws;
+  const inputSnapshot = typeof optionsOrJws === "string" ? void 0 : optionsOrJws.subject_snapshot;
+  const telemetry = typeof optionsOrJws === "string" ? void 0 : optionsOrJws.telemetry;
+  const startTime = performance.now();
+  let jwksFetchTime;
+  try {
+    const { header, payload } = crypto.decode(receiptJws);
+    const constraintResult = schema.validateKernelConstraints(payload);
+    if (!constraintResult.valid) {
+      const v = constraintResult.violations[0];
+      return {
+        ok: false,
+        reason: "constraint_violation",
+        details: `Kernel constraint violated: ${v.constraint} (actual: ${v.actual}, limit: ${v.limit})`
+      };
+    }
+    schema.ReceiptClaims.parse(payload);
+    if (payload.exp && payload.exp < Math.floor(Date.now() / 1e3)) {
+      const durationMs = performance.now() - startTime;
+      fireTelemetryHook(telemetry?.onReceiptVerified, {
+        receiptHash: hashReceipt(receiptJws),
+        valid: false,
+        reasonCode: "expired",
+        issuer: payload.iss,
+        kid: header.kid,
+        durationMs
+      });
+      return {
+        ok: false,
+        reason: "expired",
+        details: `Receipt expired at ${new Date(payload.exp * 1e3).toISOString()}`
+      };
+    }
+    const jwksFetchStart = performance.now();
+    const jwksResult = await resolveJWKS(payload.iss);
+    if (!jwksResult.ok) {
+      return {
+        ok: false,
+        reason: jwksResult.code,
+        details: jwksResult.message
+      };
+    }
+    if (!jwksResult.fromCache) {
+      jwksFetchTime = performance.now() - jwksFetchStart;
+    }
+    const jwk = jwksResult.jwks.keys.find((k) => k.kid === header.kid);
+    if (!jwk) {
+      const durationMs = performance.now() - startTime;
+      fireTelemetryHook(telemetry?.onReceiptVerified, {
+        receiptHash: hashReceipt(receiptJws),
+        valid: false,
+        reasonCode: "unknown_key",
+        issuer: payload.iss,
+        kid: header.kid,
+        durationMs
+      });
+      return {
+        ok: false,
+        reason: "unknown_key",
+        details: `No key found with kid=${header.kid}`
+      };
+    }
+    const publicKey = jwkToPublicKey(jwk);
+    const result = await crypto.verify(receiptJws, publicKey);
+    if (!result.valid) {
+      const durationMs = performance.now() - startTime;
+      fireTelemetryHook(telemetry?.onReceiptVerified, {
+        receiptHash: hashReceipt(receiptJws),
+        valid: false,
+        reasonCode: "invalid_signature",
+        issuer: payload.iss,
+        kid: header.kid,
+        durationMs
+      });
+      return {
+        ok: false,
+        reason: "invalid_signature",
+        details: "Ed25519 signature verification failed"
+      };
+    }
+    const validatedSnapshot = schema.validateSubjectSnapshot(inputSnapshot);
+    const verifyTime = performance.now() - startTime;
+    fireTelemetryHook(telemetry?.onReceiptVerified, {
+      receiptHash: hashReceipt(receiptJws),
+      valid: true,
+      issuer: payload.iss,
+      kid: header.kid,
+      durationMs: verifyTime
+    });
+    return {
+      ok: true,
+      claims: payload,
+      ...validatedSnapshot && { subject_snapshot: validatedSnapshot },
+      perf: {
+        verify_ms: verifyTime,
+        ...jwksFetchTime && { jwks_fetch_ms: jwksFetchTime }
+      }
+    };
+  } catch (err) {
+    const durationMs = performance.now() - startTime;
+    fireTelemetryHook(telemetry?.onReceiptVerified, {
+      receiptHash: hashReceipt(receiptJws),
+      valid: false,
+      reasonCode: "verification_error",
+      durationMs
+    });
+    return {
+      ok: false,
+      reason: "verification_error",
+      details: err instanceof Error ? err.message : String(err)
+    };
+  }
+}
+function isCryptoError(err) {
+  return err !== null && typeof err === "object" && "name" in err && err.name === "CryptoError" && "code" in err && typeof err.code === "string" && err.code.startsWith("CRYPTO_") && "message" in err && typeof err.message === "string";
+}
+var FORMAT_ERROR_CODES = /* @__PURE__ */ new Set([
+  "CRYPTO_INVALID_JWS_FORMAT",
+  "CRYPTO_INVALID_TYP",
+  "CRYPTO_INVALID_ALG",
+  "CRYPTO_INVALID_KEY_LENGTH"
+]);
+var MAX_PARSE_ISSUES = 25;
+function sanitizeParseIssues(issues) {
+  if (!Array.isArray(issues)) return void 0;
+  return issues.slice(0, MAX_PARSE_ISSUES).map((issue2) => ({
+    path: Array.isArray(issue2?.path) ? issue2.path.join(".") : "",
+    message: typeof issue2?.message === "string" ? issue2.message : String(issue2)
+  }));
+}
+async function verifyLocal(jws, publicKey, options = {}) {
+  const { issuer, audience, subjectUri, rid, requireExp = false, maxClockSkew = 300 } = options;
+  const now = options.now ?? Math.floor(Date.now() / 1e3);
+  try {
+    const result = await crypto.verify(jws, publicKey);
+    if (!result.valid) {
+      return {
+        valid: false,
+        code: "E_INVALID_SIGNATURE",
+        message: "Ed25519 signature verification failed"
+      };
+    }
+    const constraintResult = schema.validateKernelConstraints(result.payload);
+    if (!constraintResult.valid) {
+      const v = constraintResult.violations[0];
+      return {
+        valid: false,
+        code: "E_CONSTRAINT_VIOLATION",
+        message: `Kernel constraint violated: ${v.constraint} (actual: ${v.actual}, limit: ${v.limit})`
+      };
+    }
+    const pr = schema.parseReceiptClaims(result.payload);
+    if (!pr.ok) {
+      return {
+        valid: false,
+        code: "E_INVALID_FORMAT",
+        message: `Receipt schema validation failed: ${pr.error.message}`,
+        details: { parse_code: pr.error.code, issues: sanitizeParseIssues(pr.error.issues) }
+      };
+    }
+    if (issuer !== void 0 && pr.claims.iss !== issuer) {
+      return {
+        valid: false,
+        code: "E_INVALID_ISSUER",
+        message: `Issuer mismatch: expected "${issuer}", got "${pr.claims.iss}"`
+      };
+    }
+    if (audience !== void 0 && pr.claims.aud !== audience) {
+      return {
+        valid: false,
+        code: "E_INVALID_AUDIENCE",
+        message: `Audience mismatch: expected "${audience}", got "${pr.claims.aud}"`
+      };
+    }
+    if (rid !== void 0 && pr.claims.rid !== rid) {
+      return {
+        valid: false,
+        code: "E_INVALID_RECEIPT_ID",
+        message: `Receipt ID mismatch: expected "${rid}", got "${pr.claims.rid}"`
+      };
+    }
+    if (requireExp && pr.claims.exp === void 0) {
+      return {
+        valid: false,
+        code: "E_MISSING_EXP",
+        message: "Receipt missing required exp claim"
+      };
+    }
+    if (pr.claims.iat > now + maxClockSkew) {
+      return {
+        valid: false,
+        code: "E_NOT_YET_VALID",
+        message: `Receipt not yet valid: issued at ${new Date(pr.claims.iat * 1e3).toISOString()}, now is ${new Date(now * 1e3).toISOString()}`
+      };
+    }
+    if (pr.claims.exp !== void 0 && pr.claims.exp < now - maxClockSkew) {
+      return {
+        valid: false,
+        code: "E_EXPIRED",
+        message: `Receipt expired at ${new Date(pr.claims.exp * 1e3).toISOString()}`
+      };
+    }
+    if (pr.variant === "commerce") {
+      const claims = pr.claims;
+      if (subjectUri !== void 0 && claims.subject?.uri !== subjectUri) {
+        return {
+          valid: false,
+          code: "E_INVALID_SUBJECT",
+          message: `Subject mismatch: expected "${subjectUri}", got "${claims.subject?.uri ?? "undefined"}"`
+        };
+      }
+      return {
+        valid: true,
+        variant: "commerce",
+        claims,
+        kid: result.header.kid,
+        policy_binding: "unavailable"
+      };
+    } else {
+      const claims = pr.claims;
+      if (subjectUri !== void 0 && claims.sub !== subjectUri) {
+        return {
+          valid: false,
+          code: "E_INVALID_SUBJECT",
+          message: `Subject mismatch: expected "${subjectUri}", got "${claims.sub ?? "undefined"}"`
+        };
+      }
+      return {
+        valid: true,
+        variant: "attestation",
+        claims,
+        kid: result.header.kid,
+        policy_binding: "unavailable"
       };
-    } catch (err) {
-      if (err instanceof Error) {
-        if (err.name === "AbortError" || err.message.includes("timeout")) {
-          return {
-            ok: false,
-            reason: "timeout",
-            message: `Fetch timeout after ${timeoutMs}ms: ${currentUrl}`
-          };
-        }
+    }
+  } catch (err) {
+    if (isCryptoError(err)) {
+      if (FORMAT_ERROR_CODES.has(err.code)) {
+        return {
+          valid: false,
+          code: "E_INVALID_FORMAT",
+          message: err.message
+        };
+      }
+      if (err.code === "CRYPTO_INVALID_SIGNATURE") {
+        return {
+          valid: false,
+          code: "E_INVALID_SIGNATURE",
+          message: err.message
+        };
       }
+    }
+    if (err !== null && typeof err === "object" && "name" in err && err.name === "SyntaxError") {
+      const syntaxMessage = "message" in err && typeof err.message === "string" ? err.message : "Invalid JSON";
       return {
-        ok: false,
-        reason: "network_error",
-        message: `Network error: ${err instanceof Error ? err.message : String(err)}`
+        valid: false,
+        code: "E_INVALID_FORMAT",
+        message: `Invalid receipt payload: ${syntaxMessage}`
       };
     }
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      valid: false,
+      code: "E_INTERNAL",
+      message: `Unexpected verification error: ${message}`
+    };
   }
 }
-async function fetchJWKSSafe(jwksUrl, options) {
-  return ssrfSafeFetch(jwksUrl, {
-    ...options,
-    maxBytes: kernel.VERIFIER_LIMITS.maxJwksBytes,
-    headers: {
-      Accept: "application/json",
-      ...options?.headers
+function isCommerceResult(r) {
+  return r.valid === true && r.variant === "commerce";
+}
+function isAttestationResult(r) {
+  return r.valid === true && r.variant === "attestation";
+}
+function setReceiptHeader(headers, receiptJws) {
+  headers.set(schema.PEAC_RECEIPT_HEADER, receiptJws);
+}
+function getReceiptHeader(headers) {
+  return headers.get(schema.PEAC_RECEIPT_HEADER);
+}
+function setVaryHeader(headers) {
+  const existing = headers.get("Vary");
+  if (existing) {
+    const varies = existing.split(",").map((v) => v.trim());
+    if (!varies.includes(schema.PEAC_RECEIPT_HEADER)) {
+      headers.set("Vary", `${existing}, ${schema.PEAC_RECEIPT_HEADER}`);
     }
-  });
+  } else {
+    headers.set("Vary", schema.PEAC_RECEIPT_HEADER);
+  }
 }
-async function fetchPointerSafe(pointerUrl, options) {
-  return ssrfSafeFetch(pointerUrl, {
-    ...options,
-    maxBytes: kernel.VERIFIER_LIMITS.maxReceiptBytes,
-    headers: {
-      Accept: "application/jose, application/json",
-      ...options?.headers
+function getPurposeHeader(headers) {
+  const value = headers.get(schema.PEAC_PURPOSE_HEADER);
+  if (!value) {
+    return [];
+  }
+  return schema.parsePurposeHeader(value);
+}
+function setPurposeAppliedHeader(headers, purpose) {
+  headers.set(schema.PEAC_PURPOSE_APPLIED_HEADER, purpose);
+}
+function setPurposeReasonHeader(headers, reason) {
+  headers.set(schema.PEAC_PURPOSE_REASON_HEADER, reason);
+}
+function setVaryPurposeHeader(headers) {
+  const existing = headers.get("Vary");
+  if (existing) {
+    const varies = existing.split(",").map((v) => v.trim());
+    if (!varies.includes(schema.PEAC_PURPOSE_HEADER)) {
+      headers.set("Vary", `${existing}, ${schema.PEAC_PURPOSE_HEADER}`);
     }
-  });
+  } else {
+    headers.set("Vary", schema.PEAC_PURPOSE_HEADER);
+  }
+}
+var DEFAULT_VERIFIER_LIMITS = {
+  max_receipt_bytes: kernel.VERIFIER_LIMITS.maxReceiptBytes,
+  max_jwks_bytes: kernel.VERIFIER_LIMITS.maxJwksBytes,
+  max_jwks_keys: kernel.VERIFIER_LIMITS.maxJwksKeys,
+  max_redirects: kernel.VERIFIER_LIMITS.maxRedirects,
+  fetch_timeout_ms: kernel.VERIFIER_LIMITS.fetchTimeoutMs,
+  max_extension_bytes: kernel.VERIFIER_LIMITS.maxExtensionBytes
+};
+var DEFAULT_NETWORK_SECURITY = {
+  https_only: kernel.VERIFIER_NETWORK.httpsOnly,
+  block_private_ips: kernel.VERIFIER_NETWORK.blockPrivateIps,
+  allow_redirects: kernel.VERIFIER_NETWORK.allowRedirects,
+  allow_cross_origin_redirects: true,
+  // Allow for CDN compatibility
+  dns_failure_behavior: "block"
+  // Fail-closed by default
+};
+function createDefaultPolicy(mode) {
+  return {
+    policy_version: kernel.VERIFIER_POLICY_VERSION,
+    mode,
+    limits: { ...DEFAULT_VERIFIER_LIMITS },
+    network: { ...DEFAULT_NETWORK_SECURITY }
+  };
+}
+var CHECK_IDS = [
+  "jws.parse",
+  "limits.receipt_bytes",
+  "jws.protected_header",
+  "claims.schema_unverified",
+  "issuer.trust_policy",
+  "issuer.discovery",
+  "key.resolve",
+  "jws.signature",
+  "claims.time_window",
+  "extensions.limits",
+  "transport.profile_binding",
+  "policy.binding"
+];
+var NON_DETERMINISTIC_ARTIFACT_KEYS = [
+  "issuer_jwks_digest"
+];
+function createDigest(hexValue) {
+  return {
+    alg: "sha-256",
+    value: hexValue.toLowerCase()
+  };
+}
+function createEmptyReport(policy) {
+  return {
+    report_version: kernel.VERIFICATION_REPORT_VERSION,
+    policy
+  };
+}
+function ssrfErrorToReasonCode(ssrfReason, fetchType) {
+  const prefix = fetchType === "key" ? "key_fetch" : "pointer_fetch";
+  switch (ssrfReason) {
+    case "not_https":
+    case "private_ip":
+    case "loopback":
+    case "link_local":
+    case "cross_origin_redirect":
+    case "dns_failure":
+      return `${prefix}_blocked`;
+    case "timeout":
+      return `${prefix}_timeout`;
+    case "response_too_large":
+      return fetchType === "pointer" ? "pointer_fetch_too_large" : "jwks_too_large";
+    case "jwks_too_many_keys":
+      return "jwks_too_many_keys";
+    case "too_many_redirects":
+    case "scheme_downgrade":
+    case "network_error":
+    case "invalid_url":
+    default:
+      return `${prefix}_failed`;
+  }
+}
+function reasonCodeToSeverity(reason) {
+  if (reason === "ok") return "info";
+  return "error";
+}
+function reasonCodeToErrorCode(reason) {
+  const mapping = {
+    ok: "",
+    receipt_too_large: "E_VERIFY_RECEIPT_TOO_LARGE",
+    malformed_receipt: "E_VERIFY_MALFORMED_RECEIPT",
+    signature_invalid: "E_VERIFY_SIGNATURE_INVALID",
+    issuer_not_allowed: "E_VERIFY_ISSUER_NOT_ALLOWED",
+    key_not_found: "E_VERIFY_KEY_NOT_FOUND",
+    key_fetch_blocked: "E_VERIFY_KEY_FETCH_BLOCKED",
+    key_fetch_failed: "E_VERIFY_KEY_FETCH_FAILED",
+    key_fetch_timeout: "E_VERIFY_KEY_FETCH_TIMEOUT",
+    pointer_fetch_blocked: "E_VERIFY_POINTER_FETCH_BLOCKED",
+    pointer_fetch_failed: "E_VERIFY_POINTER_FETCH_FAILED",
+    pointer_fetch_timeout: "E_VERIFY_POINTER_FETCH_TIMEOUT",
+    pointer_fetch_too_large: "E_VERIFY_POINTER_FETCH_TOO_LARGE",
+    pointer_digest_mismatch: "E_VERIFY_POINTER_DIGEST_MISMATCH",
+    jwks_too_large: "E_VERIFY_JWKS_TOO_LARGE",
+    jwks_too_many_keys: "E_VERIFY_JWKS_TOO_MANY_KEYS",
+    expired: "E_VERIFY_EXPIRED",
+    not_yet_valid: "E_VERIFY_NOT_YET_VALID",
+    audience_mismatch: "E_VERIFY_AUDIENCE_MISMATCH",
+    schema_invalid: "E_VERIFY_SCHEMA_INVALID",
+    policy_violation: "E_VERIFY_POLICY_VIOLATION",
+    extension_too_large: "E_VERIFY_EXTENSION_TOO_LARGE",
+    invalid_transport: "E_VERIFY_INVALID_TRANSPORT"
+  };
+  return mapping[reason] || "E_VERIFY_POLICY_VIOLATION";
 }
 var VerificationReportBuilder = class {
   state;
@@ -1650,8 +1831,6 @@ async function buildSuccessReport(policy, receiptBytes, issuer, kid, checkDetail
 }
 // src/verifier-core.ts
-var jwksCache2 = /* @__PURE__ */ new Map();
-var CACHE_TTL_MS2 = 5 * 60 * 1e3;
 function normalizeIssuer(issuer) {
   try {
     const url = new URL(issuer);
@@ -1677,75 +1856,23 @@ function findPinnedKey(issuer, kid, pinnedKeys) {
   const normalizedIssuer = normalizeIssuer(issuer);
   return pinnedKeys.find((pk) => normalizeIssuer(pk.issuer) === normalizedIssuer && pk.kid === kid);
 }
-async function fetchIssuerConfig2(issuerOrigin) {
-  const configUrl = `${issuerOrigin}/.well-known/peac-issuer.json`;
-  const result = await ssrfSafeFetch(configUrl, {
-    maxBytes: 65536,
-    // 64 KB
-    headers: { Accept: "application/json" }
-  });
-  if (!result.ok) {
-    return null;
-  }
-  try {
-    return JSON.parse(result.body);
-  } catch {
-    return null;
-  }
-}
 async function fetchIssuerJWKS(issuerOrigin) {
-  const now = Date.now();
-  const cached = jwksCache2.get(issuerOrigin);
-  if (cached && cached.expiresAt > now) {
-    return { jwks: cached.jwks, fromCache: true };
-  }
-  const config = await fetchIssuerConfig2(issuerOrigin);
-  if (!config?.jwks_uri) {
-    const fallbackUrl = `${issuerOrigin}/.well-known/jwks.json`;
-    const result2 = await fetchJWKSSafe(fallbackUrl);
-    if (!result2.ok) {
-      return { error: result2 };
-    }
-    try {
-      const jwks = JSON.parse(result2.body);
-      jwksCache2.set(issuerOrigin, { jwks, expiresAt: now + CACHE_TTL_MS2 });
-      return { jwks, fromCache: false, rawBytes: result2.rawBytes };
-    } catch {
-      return {
-        error: {
-          ok: false,
-          reason: "network_error",
-          message: "Invalid JWKS JSON"
-        }
-      };
-    }
-  }
-  const result = await fetchJWKSSafe(config.jwks_uri);
+  const result = await resolveJWKS(issuerOrigin);
   if (!result.ok) {
-    return { error: result };
-  }
-  try {
-    const jwks = JSON.parse(result.body);
-    if (jwks.keys.length > kernel.VERIFIER_LIMITS.maxJwksKeys) {
-      return {
-        error: {
-          ok: false,
-          reason: "jwks_too_many_keys",
-          message: `JWKS has too many keys: ${jwks.keys.length} > ${kernel.VERIFIER_LIMITS.maxJwksKeys}`
-        }
-      };
-    }
-    jwksCache2.set(issuerOrigin, { jwks, expiresAt: now + CACHE_TTL_MS2 });
-    return { jwks, fromCache: false, rawBytes: result.rawBytes };
-  } catch {
     return {
       error: {
         ok: false,
-        reason: "network_error",
-        message: "Invalid JWKS JSON"
+        reason: result.reason ?? "network_error",
+        message: result.message,
+        blockedUrl: result.blockedUrl
       }
     };
   }
+  return {
+    jwks: result.jwks,
+    fromCache: result.fromCache,
+    rawBytes: result.rawBytes
+  };
 }
 async function verifyReceiptCore(options) {
   const {
@@ -2082,12 +2209,6 @@ async function verifyReceiptCore(options) {
     claims: parsedClaims
   };
 }
-function clearJWKSCache() {
-  jwksCache2.clear();
-}
-function getJWKSCacheSize() {
-  return jwksCache2.size;
-}
 // src/transport-profiles.ts
 function parseHeaderProfile(headerValue) {
@@ -2679,6 +2800,7 @@ exports.parseTransportProfile = parseTransportProfile;
 exports.reasonCodeToErrorCode = reasonCodeToErrorCode;
 exports.reasonCodeToSeverity = reasonCodeToSeverity;
 exports.resetSSRFCapabilitiesCache = resetSSRFCapabilitiesCache;
+exports.resolveJWKS = resolveJWKS;
 exports.setPurposeAppliedHeader = setPurposeAppliedHeader;
 exports.setPurposeReasonHeader = setPurposeReasonHeader;
 exports.setReceiptHeader = setReceiptHeader;