npm - @peac/protocol - Versions diffs - 0.10.6 → 0.10.8 - Mend

@peac/protocol 0.10.6 → 0.10.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (33) hide show

package/dist/crypto-utils.d.ts +9 -0
package/dist/crypto-utils.d.ts.map +1 -0
package/dist/crypto-utils.js +21 -0
package/dist/crypto-utils.js.map +1 -0
package/dist/index.d.ts +7 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +14 -1
package/dist/index.js.map +1 -1
package/dist/pointer-fetch.d.ts +86 -0
package/dist/pointer-fetch.d.ts.map +1 -0
package/dist/pointer-fetch.js +305 -0
package/dist/pointer-fetch.js.map +1 -0
package/dist/ssrf-safe-fetch.d.ts +205 -0
package/dist/ssrf-safe-fetch.d.ts.map +1 -0
package/dist/ssrf-safe-fetch.js +671 -0
package/dist/ssrf-safe-fetch.js.map +1 -0
package/dist/transport-profiles.d.ts +115 -0
package/dist/transport-profiles.d.ts.map +1 -0
package/dist/transport-profiles.js +424 -0
package/dist/transport-profiles.js.map +1 -0
package/dist/verification-report.d.ts +135 -0
package/dist/verification-report.d.ts.map +1 -0
package/dist/verification-report.js +322 -0
package/dist/verification-report.js.map +1 -0
package/dist/verifier-core.d.ts +62 -0
package/dist/verifier-core.d.ts.map +1 -0
package/dist/verifier-core.js +578 -0
package/dist/verifier-core.js.map +1 -0
package/dist/verifier-types.d.ts +328 -0
package/dist/verifier-types.d.ts.map +1 -0
package/dist/verifier-types.js +161 -0
package/dist/verifier-types.js.map +1 -0
package/package.json +17 -5

package/dist/crypto-utils.d.ts ADDED Viewed

@@ -0,0 +1,9 @@
+/**
+ * Cryptographic utilities for PEAC verifiers
+ *
+ * @deprecated Use @peac/crypto directly instead. This re-export exists for backwards compatibility.
+ *
+ * @packageDocumentation
+ */
+export { base64urlDecode, base64urlEncode, bytesToHex, computeJwkThumbprint, hexToBytes, jwkToPublicKeyBytes, sha256Bytes, sha256Hex, } from '@peac/crypto';
+//# sourceMappingURL=crypto-utils.d.ts.map

package/dist/crypto-utils.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"crypto-utils.d.ts","sourceRoot":"","sources":["../src/crypto-utils.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EACL,eAAe,EACf,eAAe,EACf,UAAU,EACV,oBAAoB,EACpB,UAAU,EACV,mBAAmB,EACnB,WAAW,EACX,SAAS,GACV,MAAM,cAAc,CAAC"}

package/dist/crypto-utils.js ADDED Viewed

@@ -0,0 +1,21 @@
+"use strict";
+/**
+ * Cryptographic utilities for PEAC verifiers
+ *
+ * @deprecated Use @peac/crypto directly instead. This re-export exists for backwards compatibility.
+ *
+ * @packageDocumentation
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sha256Hex = exports.sha256Bytes = exports.jwkToPublicKeyBytes = exports.hexToBytes = exports.computeJwkThumbprint = exports.bytesToHex = exports.base64urlEncode = exports.base64urlDecode = void 0;
+// Re-export all crypto utilities from @peac/crypto for backwards compatibility
+var crypto_1 = require("@peac/crypto");
+Object.defineProperty(exports, "base64urlDecode", { enumerable: true, get: function () { return crypto_1.base64urlDecode; } });
+Object.defineProperty(exports, "base64urlEncode", { enumerable: true, get: function () { return crypto_1.base64urlEncode; } });
+Object.defineProperty(exports, "bytesToHex", { enumerable: true, get: function () { return crypto_1.bytesToHex; } });
+Object.defineProperty(exports, "computeJwkThumbprint", { enumerable: true, get: function () { return crypto_1.computeJwkThumbprint; } });
+Object.defineProperty(exports, "hexToBytes", { enumerable: true, get: function () { return crypto_1.hexToBytes; } });
+Object.defineProperty(exports, "jwkToPublicKeyBytes", { enumerable: true, get: function () { return crypto_1.jwkToPublicKeyBytes; } });
+Object.defineProperty(exports, "sha256Bytes", { enumerable: true, get: function () { return crypto_1.sha256Bytes; } });
+Object.defineProperty(exports, "sha256Hex", { enumerable: true, get: function () { return crypto_1.sha256Hex; } });
+//# sourceMappingURL=crypto-utils.js.map

package/dist/crypto-utils.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"crypto-utils.js","sourceRoot":"","sources":["../src/crypto-utils.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;AAEH,+EAA+E;AAC/E,uCASsB;AARpB,yGAAA,eAAe,OAAA;AACf,yGAAA,eAAe,OAAA;AACf,oGAAA,UAAU,OAAA;AACV,8GAAA,oBAAoB,OAAA;AACpB,oGAAA,UAAU,OAAA;AACV,6GAAA,mBAAmB,OAAA;AACnB,qGAAA,WAAW,OAAA;AACX,mGAAA,SAAS,OAAA"}

package/dist/index.d.ts CHANGED Viewed

@@ -7,5 +7,11 @@ export * from './verify';
 export * from './verify-local';
 export * from './headers';
 export * from './discovery';
-export { generateKeypair, verify } from '@peac/crypto';
+export * from './verifier-types';
+export * from './verifier-core';
+export * from './verification-report';
+export * from './ssrf-safe-fetch';
+export * from './transport-profiles';
+export * from './pointer-fetch';
+export { base64urlDecode, base64urlEncode, computeJwkThumbprint, generateKeypair, jwkToPublicKeyBytes, sha256Bytes, sha256Hex, verify, } from '@peac/crypto';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC;AACzB,cAAc,gBAAgB,CAAC;AAC/B,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC;AAG5B,OAAO,~~EAAE~~,eAAe,~~EAAE~~,MAAM,~~EAAE~~,MAAM,cAAc,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC;AACzB,cAAc,gBAAgB,CAAC;AAC/B,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC;AAG5B,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAChC,cAAc,uBAAuB,CAAC;AACtC,cAAc,mBAAmB,CAAC;AAClC,cAAc,sBAAsB,CAAC;AACrC,cAAc,iBAAiB,CAAC;AAGhC,OAAO,EACL,eAAe,EACf,eAAe,EACf,oBAAoB,EACpB,eAAe,EACf,mBAAmB,EACnB,WAAW,EACX,SAAS,EACT,MAAM,GACP,MAAM,cAAc,CAAC"}

package/dist/index.js CHANGED Viewed

@@ -18,14 +18,27 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.verify = exports.generateKeypair = void 0;
+exports.verify = exports.sha256Hex = exports.sha256Bytes = exports.jwkToPublicKeyBytes = exports.generateKeypair = exports.computeJwkThumbprint = exports.base64urlEncode = exports.base64urlDecode = void 0;
 __exportStar(require("./issue"), exports);
 __exportStar(require("./verify"), exports);
 __exportStar(require("./verify-local"), exports);
 __exportStar(require("./headers"), exports);
 __exportStar(require("./discovery"), exports);
+// Verifier core (v0.10.8+)
+__exportStar(require("./verifier-types"), exports);
+__exportStar(require("./verifier-core"), exports);
+__exportStar(require("./verification-report"), exports);
+__exportStar(require("./ssrf-safe-fetch"), exports);
+__exportStar(require("./transport-profiles"), exports);
+__exportStar(require("./pointer-fetch"), exports);
 // Re-export crypto utilities for single-package quickstart
 var crypto_1 = require("@peac/crypto");
+Object.defineProperty(exports, "base64urlDecode", { enumerable: true, get: function () { return crypto_1.base64urlDecode; } });
+Object.defineProperty(exports, "base64urlEncode", { enumerable: true, get: function () { return crypto_1.base64urlEncode; } });
+Object.defineProperty(exports, "computeJwkThumbprint", { enumerable: true, get: function () { return crypto_1.computeJwkThumbprint; } });
 Object.defineProperty(exports, "generateKeypair", { enumerable: true, get: function () { return crypto_1.generateKeypair; } });
+Object.defineProperty(exports, "jwkToPublicKeyBytes", { enumerable: true, get: function () { return crypto_1.jwkToPublicKeyBytes; } });
+Object.defineProperty(exports, "sha256Bytes", { enumerable: true, get: function () { return crypto_1.sha256Bytes; } });
+Object.defineProperty(exports, "sha256Hex", { enumerable: true, get: function () { return crypto_1.sha256Hex; } });
 Object.defineProperty(exports, "verify", { enumerable: true, get: function () { return crypto_1.verify; } });
 //# sourceMappingURL=index.js.map

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;;AAEH,0CAAwB;AACxB,2CAAyB;AACzB,iDAA+B;AAC/B,4CAA0B;AAC1B,8CAA4B;AAE5B,2DAA2D;AAC3D,~~uCAAuD~~;~~AAA9C~~,yGAAA,eAAe,OAAA;~~AAAE~~,gGAAA,MAAM,OAAA"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;;AAEH,0CAAwB;AACxB,2CAAyB;AACzB,iDAA+B;AAC/B,4CAA0B;AAC1B,8CAA4B;AAE5B,2BAA2B;AAC3B,mDAAiC;AACjC,kDAAgC;AAChC,wDAAsC;AACtC,oDAAkC;AAClC,uDAAqC;AACrC,kDAAgC;AAEhC,2DAA2D;AAC3D,uCASsB;AARpB,yGAAA,eAAe,OAAA;AACf,yGAAA,eAAe,OAAA;AACf,8GAAA,oBAAoB,OAAA;AACpB,yGAAA,eAAe,OAAA;AACf,6GAAA,mBAAmB,OAAA;AACnB,qGAAA,WAAW,OAAA;AACX,mGAAA,SAAS,OAAA;AACT,gGAAA,MAAM,OAAA"}

package/dist/pointer-fetch.d.ts ADDED Viewed

@@ -0,0 +1,86 @@
+/**
+ * PEAC Pointer Fetch with Digest Verification
+ *
+ * Implements secure receipt fetching via pointers per TRANSPORT-PROFILES.md:
+ * - SSRF-safe fetch
+ * - SHA-256 digest verification
+ * - Size limits
+ *
+ * @packageDocumentation
+ */
+import { type SSRFFetchOptions } from './ssrf-safe-fetch.js';
+/**
+ * Pointer fetch options
+ */
+export interface PointerFetchOptions {
+    /** URL to fetch the receipt from */
+    url: string;
+    /** Expected SHA-256 digest (lowercase hex, 64 chars) */
+    expectedDigest: string;
+    /** Optional SSRF fetch options */
+    fetchOptions?: Omit<SSRFFetchOptions, 'maxBytes'>;
+}
+/**
+ * Successful pointer fetch result
+ */
+export interface PointerFetchSuccess {
+    ok: true;
+    /** Fetched receipt (JWS compact serialization) */
+    receipt: string;
+    /** Actual SHA-256 digest of fetched content */
+    actualDigest: string;
+    /** Whether digest matched expected */
+    digestMatched: true;
+    /** Content-Type header (if present) */
+    contentType?: string;
+    /**
+     * Warning about unexpected Content-Type.
+     * Present when Content-Type is not application/jose, application/json, or text/plain.
+     * Does not cause rejection (for interoperability) but callers may want to log.
+     */
+    contentTypeWarning?: string;
+}
+/**
+ * Failed pointer fetch result
+ */
+export interface PointerFetchError {
+    ok: false;
+    /** Error reason */
+    reason: 'pointer_fetch_blocked' | 'pointer_fetch_failed' | 'pointer_fetch_timeout' | 'pointer_fetch_too_large' | 'pointer_digest_mismatch' | 'malformed_receipt';
+    /** Error code for reports */
+    errorCode: string;
+    /** Human-readable error message */
+    message: string;
+    /** Actual digest if computed (for mismatch errors) */
+    actualDigest?: string;
+    /** Expected digest */
+    expectedDigest?: string;
+}
+/**
+ * Pointer fetch result
+ */
+export type PointerFetchResult = PointerFetchSuccess | PointerFetchError;
+/**
+ * Fetch a receipt via pointer with digest verification
+ *
+ * Per TRANSPORT-PROFILES.md:
+ * - Fetch the URL using SSRF-safe fetch
+ * - Compute SHA-256 digest of response
+ * - Verify digest matches expected value from header
+ * - Return receipt only if digest matches
+ *
+ * @param options - Pointer fetch options
+ * @returns Fetch result
+ */
+export declare function fetchPointerWithDigest(options: PointerFetchOptions): Promise<PointerFetchResult>;
+/**
+ * Verify a pointer header and fetch the receipt
+ *
+ * Combines parsing and fetching in a single operation.
+ *
+ * @param pointerHeader - PEAC-Receipt-Pointer header value
+ * @param fetchOptions - Optional SSRF fetch options
+ * @returns Fetch result
+ */
+export declare function verifyAndFetchPointer(pointerHeader: string, fetchOptions?: Omit<SSRFFetchOptions, 'maxBytes'>): Promise<PointerFetchResult>;
+//# sourceMappingURL=pointer-fetch.d.ts.map

package/dist/pointer-fetch.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"pointer-fetch.d.ts","sourceRoot":"","sources":["../src/pointer-fetch.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,EAAiB,KAAK,gBAAgB,EAAuB,MAAM,sBAAsB,CAAC;AAMjG;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,oCAAoC;IACpC,GAAG,EAAE,MAAM,CAAC;IACZ,wDAAwD;IACxD,cAAc,EAAE,MAAM,CAAC;IACvB,kCAAkC;IAClC,YAAY,CAAC,EAAE,IAAI,CAAC,gBAAgB,EAAE,UAAU,CAAC,CAAC;CACnD;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,IAAI,CAAC;IACT,kDAAkD;IAClD,OAAO,EAAE,MAAM,CAAC;IAChB,+CAA+C;IAC/C,YAAY,EAAE,MAAM,CAAC;IACrB,sCAAsC;IACtC,aAAa,EAAE,IAAI,CAAC;IACpB,uCAAuC;IACvC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;OAIG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,EAAE,EAAE,KAAK,CAAC;IACV,mBAAmB;IACnB,MAAM,EACF,uBAAuB,GACvB,sBAAsB,GACtB,uBAAuB,GACvB,yBAAyB,GACzB,yBAAyB,GACzB,mBAAmB,CAAC;IACxB,6BAA6B;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,mCAAmC;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,sDAAsD;IACtD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,sBAAsB;IACtB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAAG,mBAAmB,GAAG,iBAAiB,CAAC;AAwDzE;;;;;;;;;;;GAWG;AACH,wBAAsB,sBAAsB,CAC1C,OAAO,EAAE,mBAAmB,GAC3B,OAAO,CAAC,kBAAkB,CAAC,CA4G7B;AAyGD;;;;;;;;GAQG;AACH,wBAAsB,qBAAqB,CACzC,aAAa,EAAE,MAAM,EACrB,YAAY,CAAC,EAAE,IAAI,CAAC,gBAAgB,EAAE,UAAU,CAAC,GAChD,OAAO,CAAC,kBAAkB,CAAC,CA6B7B"}

package/dist/pointer-fetch.js ADDED Viewed

@@ -0,0 +1,305 @@
+"use strict";
+/**
+ * PEAC Pointer Fetch with Digest Verification
+ *
+ * Implements secure receipt fetching via pointers per TRANSPORT-PROFILES.md:
+ * - SSRF-safe fetch
+ * - SHA-256 digest verification
+ * - Size limits
+ *
+ * @packageDocumentation
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.fetchPointerWithDigest = fetchPointerWithDigest;
+exports.verifyAndFetchPointer = verifyAndFetchPointer;
+const crypto_1 = require("@peac/crypto");
+const kernel_1 = require("@peac/kernel");
+const ssrf_safe_fetch_js_1 = require("./ssrf-safe-fetch.js");
+// ---------------------------------------------------------------------------
+// Error Mapping
+// ---------------------------------------------------------------------------
+/**
+ * Map SSRF error reason to pointer error reason
+ */
+function mapSsrfError(ssrfError) {
+    const reason = ssrfError.reason;
+    switch (reason) {
+        case 'not_https':
+        case 'private_ip':
+        case 'loopback':
+        case 'link_local':
+        case 'dns_failure':
+        case 'cross_origin_redirect':
+            return {
+                ok: false,
+                reason: 'pointer_fetch_blocked',
+                errorCode: 'E_VERIFY_POINTER_FETCH_BLOCKED',
+                message: ssrfError.message,
+            };
+        case 'timeout':
+            return {
+                ok: false,
+                reason: 'pointer_fetch_timeout',
+                errorCode: 'E_VERIFY_POINTER_FETCH_TIMEOUT',
+                message: ssrfError.message,
+            };
+        case 'response_too_large':
+            return {
+                ok: false,
+                reason: 'pointer_fetch_too_large',
+                errorCode: 'E_VERIFY_POINTER_FETCH_TOO_LARGE',
+                message: ssrfError.message,
+            };
+        default:
+            return {
+                ok: false,
+                reason: 'pointer_fetch_failed',
+                errorCode: 'E_VERIFY_POINTER_FETCH_FAILED',
+                message: ssrfError.message,
+            };
+    }
+}
+// ---------------------------------------------------------------------------
+// Pointer Fetch
+// ---------------------------------------------------------------------------
+/**
+ * Fetch a receipt via pointer with digest verification
+ *
+ * Per TRANSPORT-PROFILES.md:
+ * - Fetch the URL using SSRF-safe fetch
+ * - Compute SHA-256 digest of response
+ * - Verify digest matches expected value from header
+ * - Return receipt only if digest matches
+ *
+ * @param options - Pointer fetch options
+ * @returns Fetch result
+ */
+async function fetchPointerWithDigest(options) {
+    const { url, expectedDigest, fetchOptions = {} } = options;
+    // Validate expected digest format
+    const hexRegex = /^[0-9a-f]{64}$/;
+    if (!hexRegex.test(expectedDigest)) {
+        return {
+            ok: false,
+            reason: 'pointer_fetch_failed',
+            errorCode: 'E_VERIFY_POINTER_FETCH_FAILED',
+            message: 'Invalid expected digest: must be 64 lowercase hex characters',
+        };
+    }
+    // Validate URL is HTTPS (pre-check before fetch)
+    try {
+        const parsedUrl = new URL(url);
+        if (parsedUrl.protocol !== 'https:') {
+            return {
+                ok: false,
+                reason: 'pointer_fetch_blocked',
+                errorCode: 'E_VERIFY_POINTER_FETCH_BLOCKED',
+                message: 'Pointer URL must use HTTPS',
+            };
+        }
+    }
+    catch {
+        return {
+            ok: false,
+            reason: 'pointer_fetch_failed',
+            errorCode: 'E_VERIFY_POINTER_FETCH_FAILED',
+            message: 'Invalid pointer URL',
+        };
+    }
+    // Fetch with SSRF protection and DoS bounds
+    // - Size cap: maxReceiptBytes (prevents memory exhaustion)
+    // - No redirects: prevents redirect-based SSRF (pointer URL must be direct)
+    // - Timeout: prevents slow-loris style attacks
+    const fetchResult = await (0, ssrf_safe_fetch_js_1.ssrfSafeFetch)(url, {
+        ...fetchOptions,
+        maxBytes: kernel_1.VERIFIER_LIMITS.maxReceiptBytes,
+        allowRedirects: false, // Pointer URL must be direct - no redirects
+        timeoutMs: fetchOptions?.timeoutMs ?? kernel_1.VERIFIER_LIMITS.fetchTimeoutMs,
+        headers: {
+            Accept: 'application/jose, application/json, text/plain',
+            ...fetchOptions.headers,
+        },
+    });
+    if (!fetchResult.ok) {
+        return mapSsrfError(fetchResult);
+    }
+    const receipt = fetchResult.body;
+    // Validate Content-Type if present (warn but don't reject for interoperability)
+    // Expected: application/jose, application/json, or text/plain
+    const contentType = fetchResult.contentType;
+    const expectedContentTypes = ['application/jose', 'application/json', 'text/plain'];
+    const contentTypeWarning = contentType && !expectedContentTypes.some((expected) => contentType.startsWith(expected))
+        ? `Unexpected Content-Type: ${contentType}; expected application/jose, application/json, or text/plain`
+        : undefined;
+    // Validate: reject empty body
+    if (!receipt || receipt.trim().length === 0) {
+        return {
+            ok: false,
+            reason: 'malformed_receipt',
+            errorCode: 'E_VERIFY_MALFORMED_RECEIPT',
+            message: 'Pointer target returned empty content',
+        };
+    }
+    // Validate: content must look like JWS compact serialization (3 dot-separated segments)
+    const jwsValidation = validateJwsCompactStructure(receipt);
+    if (!jwsValidation.valid) {
+        return {
+            ok: false,
+            reason: 'malformed_receipt',
+            errorCode: 'E_VERIFY_MALFORMED_RECEIPT',
+            message: jwsValidation.message,
+        };
+    }
+    // Compute digest of fetched content (hash the raw string bytes)
+    const actualDigest = await (0, crypto_1.sha256Hex)(receipt);
+    // Verify digest matches
+    if (actualDigest !== expectedDigest) {
+        return {
+            ok: false,
+            reason: 'pointer_digest_mismatch',
+            errorCode: 'E_VERIFY_POINTER_DIGEST_MISMATCH',
+            message: 'Fetched receipt digest does not match expected digest',
+            actualDigest,
+            expectedDigest,
+        };
+    }
+    return {
+        ok: true,
+        receipt,
+        actualDigest,
+        digestMatched: true,
+        contentType: fetchResult.contentType,
+        ...(contentTypeWarning && { contentTypeWarning }),
+    };
+}
+/**
+ * Validate that a string looks like JWS compact serialization
+ *
+ * A valid JWS compact has exactly 3 dot-separated base64url segments.
+ *
+ * @param value - String to validate
+ * @returns Validation result
+ */
+function validateJwsCompactStructure(value) {
+    const segments = value.split('.');
+    if (segments.length !== 3) {
+        return {
+            valid: false,
+            message: `Invalid JWS compact serialization: expected 3 segments, got ${segments.length}`,
+        };
+    }
+    // All segments must be non-empty and contain only base64url characters
+    const base64urlRegex = /^[A-Za-z0-9_-]+$/;
+    for (let i = 0; i < segments.length; i++) {
+        const segment = segments[i];
+        if (segment.length === 0) {
+            return {
+                valid: false,
+                message: `Invalid JWS compact serialization: segment ${i + 1} is empty`,
+            };
+        }
+        if (!base64urlRegex.test(segment)) {
+            return {
+                valid: false,
+                message: `Invalid JWS compact serialization: segment ${i + 1} contains invalid characters`,
+            };
+        }
+    }
+    return { valid: true };
+}
+/**
+ * Parse pointer header key=value pairs (ReDoS-safe)
+ *
+ * Handles both quoted and unquoted values without complex regex alternation.
+ */
+function parsePointerHeader(input) {
+    const params = {};
+    let i = 0;
+    const len = input.length;
+    while (i < len) {
+        // Skip whitespace and commas
+        while (i < len && (input[i] === ' ' || input[i] === ',' || input[i] === '\t')) {
+            i++;
+        }
+        if (i >= len)
+            break;
+        // Parse key (word characters only)
+        const keyStart = i;
+        while (i < len && /\w/.test(input[i])) {
+            i++;
+        }
+        const key = input.slice(keyStart, i);
+        if (!key)
+            break;
+        // Skip whitespace before '='
+        while (i < len && input[i] === ' ')
+            i++;
+        // Expect '='
+        if (i >= len || input[i] !== '=')
+            break;
+        i++; // skip '='
+        // Skip whitespace after '='
+        while (i < len && input[i] === ' ')
+            i++;
+        // Parse value (quoted or unquoted)
+        let value;
+        if (input[i] === '"') {
+            // Quoted value - find closing quote
+            i++; // skip opening quote
+            const valueStart = i;
+            while (i < len && input[i] !== '"') {
+                i++;
+            }
+            value = input.slice(valueStart, i);
+            if (i < len)
+                i++; // skip closing quote
+        }
+        else {
+            // Unquoted value - read until comma or whitespace
+            const valueStart = i;
+            while (i < len && input[i] !== ',' && input[i] !== ' ' && input[i] !== '\t') {
+                i++;
+            }
+            value = input.slice(valueStart, i);
+        }
+        params[key] = value;
+    }
+    return params;
+}
+/**
+ * Verify a pointer header and fetch the receipt
+ *
+ * Combines parsing and fetching in a single operation.
+ *
+ * @param pointerHeader - PEAC-Receipt-Pointer header value
+ * @param fetchOptions - Optional SSRF fetch options
+ * @returns Fetch result
+ */
+async function verifyAndFetchPointer(pointerHeader, fetchOptions) {
+    // Parse pointer header (RFC 8941 dictionary format)
+    // Format: sha256="<hex>", url="<url>"
+    // Using explicit parsing to avoid ReDoS in regex alternation
+    const params = parsePointerHeader(pointerHeader);
+    if (!params.sha256) {
+        return {
+            ok: false,
+            reason: 'pointer_fetch_failed',
+            errorCode: 'E_VERIFY_POINTER_FETCH_FAILED',
+            message: 'PEAC-Receipt-Pointer missing sha256 parameter',
+        };
+    }
+    if (!params.url) {
+        return {
+            ok: false,
+            reason: 'pointer_fetch_failed',
+            errorCode: 'E_VERIFY_POINTER_FETCH_FAILED',
+            message: 'PEAC-Receipt-Pointer missing url parameter',
+        };
+    }
+    return fetchPointerWithDigest({
+        url: params.url,
+        expectedDigest: params.sha256,
+        fetchOptions,
+    });
+}
+//# sourceMappingURL=pointer-fetch.js.map

package/dist/pointer-fetch.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"pointer-fetch.js","sourceRoot":"","sources":["../src/pointer-fetch.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;AAyIH,wDA8GC;AAkHD,sDAgCC;AAvYD,yCAAyC;AACzC,yCAA+C;AAC/C,6DAAiG;AAmEjG,8EAA8E;AAC9E,gBAAgB;AAChB,8EAA8E;AAE9E;;GAEG;AACH,SAAS,YAAY,CAAC,SAAyB;IAC7C,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,CAAC;IAEhC,QAAQ,MAAM,EAAE,CAAC;QACf,KAAK,WAAW,CAAC;QACjB,KAAK,YAAY,CAAC;QAClB,KAAK,UAAU,CAAC;QAChB,KAAK,YAAY,CAAC;QAClB,KAAK,aAAa,CAAC;QACnB,KAAK,uBAAuB;YAC1B,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,uBAAuB;gBAC/B,SAAS,EAAE,gCAAgC;gBAC3C,OAAO,EAAE,SAAS,CAAC,OAAO;aAC3B,CAAC;QAEJ,KAAK,SAAS;YACZ,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,uBAAuB;gBAC/B,SAAS,EAAE,gCAAgC;gBAC3C,OAAO,EAAE,SAAS,CAAC,OAAO;aAC3B,CAAC;QAEJ,KAAK,oBAAoB;YACvB,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,yBAAyB;gBACjC,SAAS,EAAE,kCAAkC;gBAC7C,OAAO,EAAE,SAAS,CAAC,OAAO;aAC3B,CAAC;QAEJ;YACE,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,sBAAsB;gBAC9B,SAAS,EAAE,+BAA+B;gBAC1C,OAAO,EAAE,SAAS,CAAC,OAAO;aAC3B,CAAC;IACN,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,gBAAgB;AAChB,8EAA8E;AAE9E;;;;;;;;;;;GAWG;AACI,KAAK,UAAU,sBAAsB,CAC1C,OAA4B;IAE5B,MAAM,EAAE,GAAG,EAAE,cAAc,EAAE,YAAY,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC;IAE3D,kCAAkC;IAClC,MAAM,QAAQ,GAAG,gBAAgB,CAAC;IAClC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC;QACnC,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,sBAAsB;YAC9B,SAAS,EAAE,+BAA+B;YAC1C,OAAO,EAAE,8DAA8D;SACxE,CAAC;IACJ,CAAC;IAED,iDAAiD;IACjD,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAI,SAAS,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YACpC,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,uBAAuB;gBAC/B,SAAS,EAAE,gCAAgC;gBAC3C,OAAO,EAAE,4BAA4B;aACtC,CAAC;QACJ,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,sBAAsB;YAC9B,SAAS,EAAE,+BAA+B;YAC1C,OAAO,EAAE,qBAAqB;SAC/B,CAAC;IACJ,CAAC;IAED,4CAA4C;IAC5C,2DAA2D;IAC3D,4EAA4E;IAC5E,+CAA+C;IAC/C,MAAM,WAAW,GAAG,MAAM,IAAA,kCAAa,EAAC,GAAG,EAAE;QAC3C,GAAG,YAAY;QACf,QAAQ,EAAE,wBAAe,CAAC,eAAe;QACzC,cAAc,EAAE,KAAK,EAAE,4CAA4C;QACnE,SAAS,EAAE,YAAY,EAAE,SAAS,IAAI,wBAAe,CAAC,cAAc;QACpE,OAAO,EAAE;YACP,MAAM,EAAE,gDAAgD;YACxD,GAAG,YAAY,CAAC,OAAO;SACxB;KACF,CAAC,CAAC;IAEH,IAAI,CAAC,WAAW,CAAC,EAAE,EAAE,CAAC;QACpB,OAAO,YAAY,CAAC,WAAW,CAAC,CAAC;IACnC,CAAC;IAED,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC;IAEjC,gFAAgF;IAChF,8DAA8D;IAC9D,MAAM,WAAW,GAAG,WAAW,CAAC,WAAW,CAAC;IAC5C,MAAM,oBAAoB,GAAG,CAAC,kBAAkB,EAAE,kBAAkB,EAAE,YAAY,CAAC,CAAC;IACpF,MAAM,kBAAkB,GACtB,WAAW,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,WAAW,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;QACvF,CAAC,CAAC,4BAA4B,WAAW,8DAA8D;QACvG,CAAC,CAAC,SAAS,CAAC;IAEhB,8BAA8B;IAC9B,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5C,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,mBAAmB;YAC3B,SAAS,EAAE,4BAA4B;YACvC,OAAO,EAAE,uCAAuC;SACjD,CAAC;IACJ,CAAC;IAED,wFAAwF;IACxF,MAAM,aAAa,GAAG,2BAA2B,CAAC,OAAO,CAAC,CAAC;IAC3D,IAAI,CAAC,aAAa,CAAC,KAAK,EAAE,CAAC;QACzB,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,mBAAmB;YAC3B,SAAS,EAAE,4BAA4B;YACvC,OAAO,EAAE,aAAa,CAAC,OAAO;SAC/B,CAAC;IACJ,CAAC;IAED,gEAAgE;IAChE,MAAM,YAAY,GAAG,MAAM,IAAA,kBAAS,EAAC,OAAO,CAAC,CAAC;IAE9C,wBAAwB;IACxB,IAAI,YAAY,KAAK,cAAc,EAAE,CAAC;QACpC,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,yBAAyB;YACjC,SAAS,EAAE,kCAAkC;YAC7C,OAAO,EAAE,uDAAuD;YAChE,YAAY;YACZ,cAAc;SACf,CAAC;IACJ,CAAC;IAED,OAAO;QACL,EAAE,EAAE,IAAI;QACR,OAAO;QACP,YAAY;QACZ,aAAa,EAAE,IAAI;QACnB,WAAW,EAAE,WAAW,CAAC,WAAW;QACpC,GAAG,CAAC,kBAAkB,IAAI,EAAE,kBAAkB,EAAE,CAAC;KAClD,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,2BAA2B,CAClC,KAAa;IAEb,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAElC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,OAAO,EAAE,+DAA+D,QAAQ,CAAC,MAAM,EAAE;SAC1F,CAAC;IACJ,CAAC;IAED,uEAAuE;IACvE,MAAM,cAAc,GAAG,kBAAkB,CAAC;IAE1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;QAC5B,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,OAAO,EAAE,8CAA8C,CAAC,GAAG,CAAC,WAAW;aACxE,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;YAClC,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,OAAO,EAAE,8CAA8C,CAAC,GAAG,CAAC,8BAA8B;aAC3F,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;AACzB,CAAC;AAED;;;;GAIG;AACH,SAAS,kBAAkB,CAAC,KAAa;IACvC,MAAM,MAAM,GAA2B,EAAE,CAAC;IAC1C,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,MAAM,GAAG,GAAG,KAAK,CAAC,MAAM,CAAC;IAEzB,OAAO,CAAC,GAAG,GAAG,EAAE,CAAC;QACf,6BAA6B;QAC7B,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,CAAC,EAAE,CAAC;YAC9E,CAAC,EAAE,CAAC;QACN,CAAC;QACD,IAAI,CAAC,IAAI,GAAG;YAAE,MAAM;QAEpB,mCAAmC;QACnC,MAAM,QAAQ,GAAG,CAAC,CAAC;QACnB,OAAO,CAAC,GAAG,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YACtC,CAAC,EAAE,CAAC;QACN,CAAC;QACD,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;QACrC,IAAI,CAAC,GAAG;YAAE,MAAM;QAEhB,6BAA6B;QAC7B,OAAO,CAAC,GAAG,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG;YAAE,CAAC,EAAE,CAAC;QAExC,aAAa;QACb,IAAI,CAAC,IAAI,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG;YAAE,MAAM;QACxC,CAAC,EAAE,CAAC,CAAC,WAAW;QAEhB,4BAA4B;QAC5B,OAAO,CAAC,GAAG,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG;YAAE,CAAC,EAAE,CAAC;QAExC,mCAAmC;QACnC,IAAI,KAAa,CAAC;QAClB,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YACrB,oCAAoC;YACpC,CAAC,EAAE,CAAC,CAAC,qBAAqB;YAC1B,MAAM,UAAU,GAAG,CAAC,CAAC;YACrB,OAAO,CAAC,GAAG,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBACnC,CAAC,EAAE,CAAC;YACN,CAAC;YACD,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;YACnC,IAAI,CAAC,GAAG,GAAG;gBAAE,CAAC,EAAE,CAAC,CAAC,qBAAqB;QACzC,CAAC;aAAM,CAAC;YACN,kDAAkD;YAClD,MAAM,UAAU,GAAG,CAAC,CAAC;YACrB,OAAO,CAAC,GAAG,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;gBAC5E,CAAC,EAAE,CAAC;YACN,CAAC;YACD,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC;QACrC,CAAC;QAED,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACtB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;GAQG;AACI,KAAK,UAAU,qBAAqB,CACzC,aAAqB,EACrB,YAAiD;IAEjD,oDAAoD;IACpD,sCAAsC;IACtC,6DAA6D;IAC7D,MAAM,MAAM,GAAG,kBAAkB,CAAC,aAAa,CAAC,CAAC;IAEjD,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACnB,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,sBAAsB;YAC9B,SAAS,EAAE,+BAA+B;YAC1C,OAAO,EAAE,+CAA+C;SACzD,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;QAChB,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,sBAAsB;YAC9B,SAAS,EAAE,+BAA+B;YAC1C,OAAO,EAAE,4CAA4C;SACtD,CAAC;IACJ,CAAC;IAED,OAAO,sBAAsB,CAAC;QAC5B,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,cAAc,EAAE,MAAM,CAAC,MAAM;QAC7B,YAAY;KACb,CAAC,CAAC;AACL,CAAC"}