@peac/protocol 0.10.6 → 0.10.8

package/dist/verification-report.d.ts

@@ -0,0 +1,135 @@
+/**
+ * PEAC Verification Report Builder
+ *
+ * Constructs deterministic verification reports per VERIFICATION-REPORT-FORMAT.md.
+ * Reports are designed to be portable, deterministic, safe, and policy-aware.
+ *
+ * @packageDocumentation
+ */
+import type { CheckId, CheckStatus, ReasonCode, VerificationMeta, VerificationReport, VerifierPolicy } from './verifier-types.js';
+/**
+ * Verification Report Builder
+ *
+ * Builds verification reports with proper check ordering and short-circuit behavior.
+ * Ensures reports conform to VERIFICATION-REPORT-FORMAT.md requirements.
+ *
+ * Shape-stable: Always emits all checks with pass/fail/skip status.
+ */
+export declare class VerificationReportBuilder {
+    private state;
+    constructor(policy: VerifierPolicy);
+    /**
+     * Set the input descriptor with pre-computed digest
+     *
+     * Use this when you've already computed the SHA-256 hash.
+     *
+     * @param digestHex - SHA-256 digest as lowercase hex (64 chars)
+     * @param type - Input type
+     */
+    setInputWithDigest(digestHex: string, type?: 'receipt_jws' | 'bundle_entry'): this;
+    /**
+     * Set the input descriptor (async - computes SHA-256)
+     *
+     * @param receiptBytes - Raw receipt bytes
+     * @param type - Input type
+     */
+    setInputAsync(receiptBytes: Uint8Array, type?: 'receipt_jws' | 'bundle_entry'): Promise<this>;
+    /**
+     * Add a check result
+     *
+     * Checks can be added in any order; they will be sorted in build().
+     * If a previous check failed, subsequent checks should be marked as skip.
+     */
+    addCheck(id: CheckId, status: CheckStatus, detail?: Record<string, unknown>, errorCode?: string): this;
+    /**
+     * Add a passing check
+     */
+    pass(id: CheckId, detail?: Record<string, unknown>): this;
+    /**
+     * Add a failing check
+     */
+    fail(id: CheckId, errorCode: string, detail?: Record<string, unknown>): this;
+    /**
+     * Add a skipped check
+     */
+    skip(id: CheckId, detail?: Record<string, unknown>): this;
+    /**
+     * Set the final result
+     */
+    setResult(valid: boolean, reason: ReasonCode, options?: {
+        issuer?: string;
+        kid?: string;
+        receiptType?: string;
+    }): this;
+    /**
+     * Set success result
+     */
+    success(issuer: string, kid: string): this;
+    /**
+     * Set failure result
+     */
+    failure(reason: ReasonCode, issuer?: string, kid?: string): this;
+    /**
+     * Add artifacts
+     */
+    addArtifact(key: string, value: unknown): this;
+    /**
+     * Set metadata (non-deterministic fields)
+     */
+    setMeta(meta: VerificationMeta): this;
+    /**
+     * Add current timestamp to meta
+     */
+    addTimestamp(): this;
+    /**
+     * Build the final report
+     *
+     * Ensures all checks are present (shape-stable).
+     * Missing checks after a failure are marked as 'skip'.
+     * Missing checks before a failure (or in success) are marked as 'pass'.
+     */
+    build(): VerificationReport;
+    /**
+     * Build in deterministic mode (excludes meta and non-deterministic artifacts)
+     *
+     * Deterministic mode ensures that the same inputs and policy always produce
+     * the same report output, regardless of cache state or timing.
+     *
+     * Excludes:
+     * - `meta`: Contains timestamps and verifier info
+     * - Non-deterministic artifacts: `issuer_jwks_digest` (depends on cache state)
+     *
+     * @returns Report without meta and with only deterministic artifacts
+     */
+    buildDeterministic(): Omit<VerificationReport, 'meta'>;
+}
+/**
+ * Create a new report builder
+ */
+export declare function createReportBuilder(policy: VerifierPolicy): VerificationReportBuilder;
+/**
+ * Compute receipt digest for report input
+ *
+ * @param receiptBytes - Raw receipt bytes (JWS string as UTF-8)
+ * @returns SHA-256 digest as lowercase hex (64 chars)
+ */
+export declare function computeReceiptDigest(receiptBytes: Uint8Array | string): Promise<string>;
+/**
+ * Build a quick failure report without going through all checks
+ *
+ * Useful for early failures like receipt_too_large or malformed_receipt
+ * where most checks are skipped.
+ */
+export declare function buildFailureReport(policy: VerifierPolicy, receiptBytes: Uint8Array | string, reason: ReasonCode, failedCheckId: CheckId, errorCode?: string, detail?: Record<string, unknown>, options?: {
+    issuer?: string;
+    kid?: string;
+    meta?: VerificationMeta;
+}): Promise<VerificationReport>;
+/**
+ * Build a success report
+ */
+export declare function buildSuccessReport(policy: VerifierPolicy, receiptBytes: Uint8Array | string, issuer: string, kid: string, checkDetails?: Partial<Record<CheckId, Record<string, unknown>>>, options?: {
+    artifacts?: VerificationReport['artifacts'];
+    meta?: VerificationMeta;
+}): Promise<VerificationReport>;
+//# sourceMappingURL=verification-report.d.ts.map

package/dist/verification-report.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verification-report.d.ts","sourceRoot":"","sources":["../src/verification-report.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,KAAK,EACV,OAAO,EAEP,WAAW,EAEX,UAAU,EAGV,gBAAgB,EAChB,kBAAkB,EAElB,cAAc,EACf,MAAM,qBAAqB,CAAC;AAwB7B;;;;;;;GAOG;AACH,qBAAa,yBAAyB;IACpC,OAAO,CAAC,KAAK,CAAqB;gBAEtB,MAAM,EAAE,cAAc;IAQlC;;;;;;;OAOG;IACH,kBAAkB,CAChB,SAAS,EAAE,MAAM,EACjB,IAAI,GAAE,aAAa,GAAG,cAA8B,GACnD,IAAI;IASP;;;;;OAKG;IACG,aAAa,CACjB,YAAY,EAAE,UAAU,EACxB,IAAI,GAAE,aAAa,GAAG,cAA8B,GACnD,OAAO,CAAC,IAAI,CAAC;IAKhB;;;;;OAKG;IACH,QAAQ,CACN,EAAE,EAAE,OAAO,EACX,MAAM,EAAE,WAAW,EACnB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAChC,SAAS,CAAC,EAAE,MAAM,GACjB,IAAI;IAoBP;;OAEG;IACH,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAIzD;;OAEG;IACH,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAI5E;;OAEG;IACH,IAAI,CAAC,EAAE,EAAE,OAAO,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAIzD;;OAEG;IACH,SAAS,CACP,KAAK,EAAE,OAAO,EACd,MAAM,EAAE,UAAU,EAClB,OAAO,CAAC,EAAE;QACR,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,GACA,IAAI;IAYP;;OAEG;IACH,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,IAAI;IAI1C;;OAEG;IACH,OAAO,CAAC,MAAM,EAAE,UAAU,EAAE,MAAM,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI;IAIhE;;OAEG;IACH,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,GAAG,IAAI;IAQ9C;;OAEG;IACH,OAAO,CAAC,IAAI,EAAE,gBAAgB,GAAG,IAAI;IAKrC;;OAEG;IACH,YAAY,IAAI,IAAI;IAQpB;;;;;;OAMG;IACH,KAAK,IAAI,kBAAkB;IAqD3B;;;;;;;;;;;OAWG;IACH,kBAAkB,IAAI,IAAI,CAAC,kBAAkB,EAAE,MAAM,CAAC;CAqBvD;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,cAAc,GAAG,yBAAyB,CAErF;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CAAC,YAAY,EAAE,UAAU,GAAG,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAI7F;AAED;;;;;GAKG;AACH,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,cAAc,EACtB,YAAY,EAAE,UAAU,GAAG,MAAM,EACjC,MAAM,EAAE,UAAU,EAClB,aAAa,EAAE,OAAO,EACtB,SAAS,CAAC,EAAE,MAAM,EAClB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAChC,OAAO,CAAC,EAAE;IACR,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,gBAAgB,CAAC;CACzB,GACA,OAAO,CAAC,kBAAkB,CAAC,CA0B7B;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,cAAc,EACtB,YAAY,EAAE,UAAU,GAAG,MAAM,EACjC,MAAM,EAAE,MAAM,EACd,GAAG,EAAE,MAAM,EACX,YAAY,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,EAChE,OAAO,CAAC,EAAE;IACR,SAAS,CAAC,EAAE,kBAAkB,CAAC,WAAW,CAAC,CAAC;IAC5C,IAAI,CAAC,EAAE,gBAAgB,CAAC;CACzB,GACA,OAAO,CAAC,kBAAkB,CAAC,CAsC7B"}

package/dist/verification-report.js

@@ -0,0 +1,322 @@
+"use strict";
+/**
+ * PEAC Verification Report Builder
+ *
+ * Constructs deterministic verification reports per VERIFICATION-REPORT-FORMAT.md.
+ * Reports are designed to be portable, deterministic, safe, and policy-aware.
+ *
+ * @packageDocumentation
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VerificationReportBuilder = void 0;
+exports.createReportBuilder = createReportBuilder;
+exports.computeReceiptDigest = computeReceiptDigest;
+exports.buildFailureReport = buildFailureReport;
+exports.buildSuccessReport = buildSuccessReport;
+const crypto_1 = require("@peac/crypto");
+const kernel_1 = require("@peac/kernel");
+const verifier_types_js_1 = require("./verifier-types.js");
+/**
+ * Verification Report Builder
+ *
+ * Builds verification reports with proper check ordering and short-circuit behavior.
+ * Ensures reports conform to VERIFICATION-REPORT-FORMAT.md requirements.
+ *
+ * Shape-stable: Always emits all checks with pass/fail/skip status.
+ */
+class VerificationReportBuilder {
+    state;
+    constructor(policy) {
+        this.state = {
+            policy,
+            checks: new Map(),
+            shortCircuited: false,
+        };
+    }
+    /**
+     * Set the input descriptor with pre-computed digest
+     *
+     * Use this when you've already computed the SHA-256 hash.
+     *
+     * @param digestHex - SHA-256 digest as lowercase hex (64 chars)
+     * @param type - Input type
+     */
+    setInputWithDigest(digestHex, type = 'receipt_jws') {
+        this.state.receiptDigestHex = digestHex;
+        this.state.input = {
+            type,
+            receipt_digest: (0, verifier_types_js_1.createDigest)(digestHex),
+        };
+        return this;
+    }
+    /**
+     * Set the input descriptor (async - computes SHA-256)
+     *
+     * @param receiptBytes - Raw receipt bytes
+     * @param type - Input type
+     */
+    async setInputAsync(receiptBytes, type = 'receipt_jws') {
+        const digestHex = await (0, crypto_1.sha256Hex)(receiptBytes);
+        return this.setInputWithDigest(digestHex, type);
+    }
+    /**
+     * Add a check result
+     *
+     * Checks can be added in any order; they will be sorted in build().
+     * If a previous check failed, subsequent checks should be marked as skip.
+     */
+    addCheck(id, status, detail, errorCode) {
+        const check = { id, status };
+        if (detail && Object.keys(detail).length > 0) {
+            check.detail = detail;
+        }
+        if (errorCode) {
+            check.error_code = errorCode;
+        }
+        this.state.checks.set(id, check);
+        // Track short-circuit on failure
+        if (status === 'fail' && !this.state.shortCircuited) {
+            this.state.shortCircuited = true;
+            this.state.failedAtCheck = id;
+        }
+        return this;
+    }
+    /**
+     * Add a passing check
+     */
+    pass(id, detail) {
+        return this.addCheck(id, 'pass', detail);
+    }
+    /**
+     * Add a failing check
+     */
+    fail(id, errorCode, detail) {
+        return this.addCheck(id, 'fail', detail, errorCode);
+    }
+    /**
+     * Add a skipped check
+     */
+    skip(id, detail) {
+        return this.addCheck(id, 'skip', detail);
+    }
+    /**
+     * Set the final result
+     */
+    setResult(valid, reason, options) {
+        this.state.result = {
+            valid,
+            reason,
+            severity: (0, verifier_types_js_1.reasonCodeToSeverity)(reason),
+            receipt_type: options?.receiptType ?? kernel_1.WIRE_TYPE,
+            ...(options?.issuer && { issuer: options.issuer }),
+            ...(options?.kid && { kid: options.kid }),
+        };
+        return this;
+    }
+    /**
+     * Set success result
+     */
+    success(issuer, kid) {
+        return this.setResult(true, 'ok', { issuer, kid });
+    }
+    /**
+     * Set failure result
+     */
+    failure(reason, issuer, kid) {
+        return this.setResult(false, reason, { issuer, kid });
+    }
+    /**
+     * Add artifacts
+     */
+    addArtifact(key, value) {
+        if (!this.state.artifacts) {
+            this.state.artifacts = {};
+        }
+        this.state.artifacts[key] = value;
+        return this;
+    }
+    /**
+     * Set metadata (non-deterministic fields)
+     */
+    setMeta(meta) {
+        this.state.meta = meta;
+        return this;
+    }
+    /**
+     * Add current timestamp to meta
+     */
+    addTimestamp() {
+        if (!this.state.meta) {
+            this.state.meta = {};
+        }
+        this.state.meta.generated_at = new Date().toISOString();
+        return this;
+    }
+    /**
+     * Build the final report
+     *
+     * Ensures all checks are present (shape-stable).
+     * Missing checks after a failure are marked as 'skip'.
+     * Missing checks before a failure (or in success) are marked as 'pass'.
+     */
+    build() {
+        // Validate required fields
+        if (!this.state.input) {
+            throw new Error('Input is required. Call setInputWithDigest() or setInputAsync() first.');
+        }
+        if (!this.state.result) {
+            throw new Error('Result is required. Call setResult() or success()/failure() first.');
+        }
+        // Build shape-stable checks array
+        const checks = [];
+        const failedIndex = this.state.failedAtCheck ? verifier_types_js_1.CHECK_IDS.indexOf(this.state.failedAtCheck) : -1;
+        for (let i = 0; i < verifier_types_js_1.CHECK_IDS.length; i++) {
+            const checkId = verifier_types_js_1.CHECK_IDS[i];
+            const existing = this.state.checks.get(checkId);
+            if (existing) {
+                checks.push(existing);
+            }
+            else if (this.state.shortCircuited && i > failedIndex) {
+                // After failure, missing checks are skipped
+                checks.push({ id: checkId, status: 'skip', detail: { reason: 'short_circuit' } });
+            }
+            else {
+                // Before failure or in success, missing checks get default status
+                // For optional checks like transport.profile_binding, mark as skip
+                if (checkId === 'transport.profile_binding') {
+                    checks.push({ id: checkId, status: 'skip', detail: { reason: 'not_applicable' } });
+                }
+                else {
+                    // This shouldn't happen in well-formed builds - indicates a bug
+                    checks.push({ id: checkId, status: 'skip', detail: { reason: 'not_executed' } });
+                }
+            }
+        }
+        const report = {
+            report_version: kernel_1.VERIFICATION_REPORT_VERSION,
+            input: this.state.input,
+            policy: this.state.policy,
+            result: this.state.result,
+            checks,
+        };
+        if (this.state.artifacts && Object.keys(this.state.artifacts).length > 0) {
+            report.artifacts = this.state.artifacts;
+        }
+        if (this.state.meta) {
+            report.meta = this.state.meta;
+        }
+        return report;
+    }
+    /**
+     * Build in deterministic mode (excludes meta and non-deterministic artifacts)
+     *
+     * Deterministic mode ensures that the same inputs and policy always produce
+     * the same report output, regardless of cache state or timing.
+     *
+     * Excludes:
+     * - `meta`: Contains timestamps and verifier info
+     * - Non-deterministic artifacts: `issuer_jwks_digest` (depends on cache state)
+     *
+     * @returns Report without meta and with only deterministic artifacts
+     */
+    buildDeterministic() {
+        const report = this.build();
+        const { meta: _meta, ...deterministic } = report;
+        // Filter out non-deterministic artifacts
+        if (deterministic.artifacts) {
+            const filteredArtifacts = { ...deterministic.artifacts };
+            for (const key of verifier_types_js_1.NON_DETERMINISTIC_ARTIFACT_KEYS) {
+                delete filteredArtifacts[key];
+            }
+            // Remove artifacts object if empty after filtering
+            if (Object.keys(filteredArtifacts).length === 0) {
+                delete deterministic.artifacts;
+            }
+            else {
+                deterministic.artifacts = filteredArtifacts;
+            }
+        }
+        return deterministic;
+    }
+}
+exports.VerificationReportBuilder = VerificationReportBuilder;
+/**
+ * Create a new report builder
+ */
+function createReportBuilder(policy) {
+    return new VerificationReportBuilder(policy);
+}
+/**
+ * Compute receipt digest for report input
+ *
+ * @param receiptBytes - Raw receipt bytes (JWS string as UTF-8)
+ * @returns SHA-256 digest as lowercase hex (64 chars)
+ */
+async function computeReceiptDigest(receiptBytes) {
+    const bytes = typeof receiptBytes === 'string' ? new TextEncoder().encode(receiptBytes) : receiptBytes;
+    return (0, crypto_1.sha256Hex)(bytes);
+}
+/**
+ * Build a quick failure report without going through all checks
+ *
+ * Useful for early failures like receipt_too_large or malformed_receipt
+ * where most checks are skipped.
+ */
+async function buildFailureReport(policy, receiptBytes, reason, failedCheckId, errorCode, detail, options) {
+    const bytes = typeof receiptBytes === 'string' ? new TextEncoder().encode(receiptBytes) : receiptBytes;
+    const digestHex = await (0, crypto_1.sha256Hex)(bytes);
+    const builder = createReportBuilder(policy)
+        .setInputWithDigest(digestHex)
+        .failure(reason, options?.issuer, options?.kid);
+    // Add passing checks up to the failure point
+    const failedIndex = verifier_types_js_1.CHECK_IDS.indexOf(failedCheckId);
+    for (let i = 0; i < verifier_types_js_1.CHECK_IDS.length; i++) {
+        const checkId = verifier_types_js_1.CHECK_IDS[i];
+        if (i < failedIndex) {
+            builder.pass(checkId);
+        }
+        else if (i === failedIndex) {
+            builder.fail(checkId, errorCode ?? (0, verifier_types_js_1.reasonCodeToErrorCode)(reason), detail);
+        }
+        // Remaining checks will be auto-skipped by build()
+    }
+    if (options?.meta) {
+        builder.setMeta(options.meta);
+    }
+    return builder.build();
+}
+/**
+ * Build a success report
+ */
+async function buildSuccessReport(policy, receiptBytes, issuer, kid, checkDetails, options) {
+    const bytes = typeof receiptBytes === 'string' ? new TextEncoder().encode(receiptBytes) : receiptBytes;
+    const digestHex = await (0, crypto_1.sha256Hex)(bytes);
+    const builder = createReportBuilder(policy).setInputWithDigest(digestHex).success(issuer, kid);
+    // Add all checks as passing (except optional ones)
+    for (const checkId of verifier_types_js_1.CHECK_IDS) {
+        // Skip issuer.discovery for offline mode
+        if (checkId === 'issuer.discovery' && policy.mode === 'offline_only') {
+            builder.skip(checkId, { reason: 'offline_mode' });
+            continue;
+        }
+        // transport.profile_binding is optional
+        if (checkId === 'transport.profile_binding') {
+            if (checkDetails?.[checkId]) {
+                builder.pass(checkId, checkDetails[checkId]);
+            }
+            // Will be marked as skip by build() if not added
+            continue;
+        }
+        builder.pass(checkId, checkDetails?.[checkId]);
+    }
+    if (options?.artifacts) {
+        for (const [key, value] of Object.entries(options.artifacts)) {
+            builder.addArtifact(key, value);
+        }
+    }
+    if (options?.meta) {
+        builder.setMeta(options.meta);
+    }
+    return builder.build();
+}
+//# sourceMappingURL=verification-report.js.map

package/dist/verification-report.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verification-report.js","sourceRoot":"","sources":["../src/verification-report.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAsTH,kDAEC;AAQD,oDAIC;AAQD,gDAsCC;AAKD,gDAgDC;AAraD,yCAAyC;AACzC,yCAAsE;AActE,2DAM6B;AAiB7B;;;;;;;GAOG;AACH,MAAa,yBAAyB;IAC5B,KAAK,CAAqB;IAElC,YAAY,MAAsB;QAChC,IAAI,CAAC,KAAK,GAAG;YACX,MAAM;YACN,MAAM,EAAE,IAAI,GAAG,EAAE;YACjB,cAAc,EAAE,KAAK;SACtB,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,kBAAkB,CAChB,SAAiB,EACjB,OAAuC,aAAa;QAEpD,IAAI,CAAC,KAAK,CAAC,gBAAgB,GAAG,SAAS,CAAC;QACxC,IAAI,CAAC,KAAK,CAAC,KAAK,GAAG;YACjB,IAAI;YACJ,cAAc,EAAE,IAAA,gCAAY,EAAC,SAAS,CAAC;SACxC,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,aAAa,CACjB,YAAwB,EACxB,OAAuC,aAAa;QAEpD,MAAM,SAAS,GAAG,MAAM,IAAA,kBAAS,EAAC,YAAY,CAAC,CAAC;QAChD,OAAO,IAAI,CAAC,kBAAkB,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;IAClD,CAAC;IAED;;;;;OAKG;IACH,QAAQ,CACN,EAAW,EACX,MAAmB,EACnB,MAAgC,EAChC,SAAkB;QAElB,MAAM,KAAK,GAAgB,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC;QAC1C,IAAI,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7C,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC;QACxB,CAAC;QACD,IAAI,SAAS,EAAE,CAAC;YACd,KAAK,CAAC,UAAU,GAAG,SAAS,CAAC;QAC/B,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,KAAK,CAAC,CAAC;QAEjC,iCAAiC;QACjC,IAAI,MAAM,KAAK,MAAM,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC;YACpD,IAAI,CAAC,KAAK,CAAC,cAAc,GAAG,IAAI,CAAC;YACjC,IAAI,CAAC,KAAK,CAAC,aAAa,GAAG,EAAE,CAAC;QAChC,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,IAAI,CAAC,EAAW,EAAE,MAAgC;QAChD,OAAO,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IAC3C,CAAC;IAED;;OAEG;IACH,IAAI,CAAC,EAAW,EAAE,SAAiB,EAAE,MAAgC;QACnE,OAAO,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,CAAC;IACtD,CAAC;IAED;;OAEG;IACH,IAAI,CAAC,EAAW,EAAE,MAAgC;QAChD,OAAO,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;IAC3C,CAAC;IAED;;OAEG;IACH,SAAS,CACP,KAAc,EACd,MAAkB,EAClB,OAIC;QAED,IAAI,CAAC,KAAK,CAAC,MAAM,GAAG;YAClB,KAAK;YACL,MAAM;YACN,QAAQ,EAAE,IAAA,wCAAoB,EAAC,MAAM,CAAC;YACtC,YAAY,EAAE,OAAO,EAAE,WAAW,IAAI,kBAAS;YAC/C,GAAG,CAAC,OAAO,EAAE,MAAM,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE,CAAC;YAClD,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;SAC1C,CAAC;QACF,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,OAAO,CAAC,MAAc,EAAE,GAAW;QACjC,OAAO,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IACrD,CAAC;IAED;;OAEG;IACH,OAAO,CAAC,MAAkB,EAAE,MAAe,EAAE,GAAY;QACvD,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC;IACxD,CAAC;IAED;;OAEG;IACH,WAAW,CAAC,GAAW,EAAE,KAAc;QACrC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;YAC1B,IAAI,CAAC,KAAK,CAAC,SAAS,GAAG,EAAE,CAAC;QAC5B,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;QAClC,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,OAAO,CAAC,IAAsB;QAC5B,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,IAAI,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;OAEG;IACH,YAAY;QACV,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YACrB,IAAI,CAAC,KAAK,CAAC,IAAI,GAAG,EAAE,CAAC;QACvB,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QACxD,OAAO,IAAI,CAAC;IACd,CAAC;IAED;;;;;;OAMG;IACH,KAAK;QACH,2BAA2B;QAC3B,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,wEAAwE,CAAC,CAAC;QAC5F,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;QACxF,CAAC;QAED,kCAAkC;QAClC,MAAM,MAAM,GAAkB,EAAE,CAAC;QACjC,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,6BAAS,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAEhG,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,6BAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAC1C,MAAM,OAAO,GAAG,6BAAS,CAAC,CAAC,CAAC,CAAC;YAC7B,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;YAEhD,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACxB,CAAC;iBAAM,IAAI,IAAI,CAAC,KAAK,CAAC,cAAc,IAAI,CAAC,GAAG,WAAW,EAAE,CAAC;gBACxD,4CAA4C;gBAC5C,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,eAAe,EAAE,EAAE,CAAC,CAAC;YACpF,CAAC;iBAAM,CAAC;gBACN,kEAAkE;gBAClE,mEAAmE;gBACnE,IAAI,OAAO,KAAK,2BAA2B,EAAE,CAAC;oBAC5C,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,gBAAgB,EAAE,EAAE,CAAC,CAAC;gBACrF,CAAC;qBAAM,CAAC;oBACN,gEAAgE;oBAChE,MAAM,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,EAAE,CAAC,CAAC;gBACnF,CAAC;YACH,CAAC;QACH,CAAC;QAED,MAAM,MAAM,GAAuB;YACjC,cAAc,EAAE,oCAA2B;YAC3C,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,KAAK;YACvB,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM;YACzB,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM;YACzB,MAAM;SACP,CAAC;QAEF,IAAI,IAAI,CAAC,KAAK,CAAC,SAAS,IAAI,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzE,MAAM,CAAC,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,SAA4C,CAAC;QAC7E,CAAC;QAED,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YACpB,MAAM,CAAC,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC;QAChC,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED;;;;;;;;;;;OAWG;IACH,kBAAkB;QAChB,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,EAAE,CAAC;QAC5B,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,aAAa,EAAE,GAAG,MAAM,CAAC;QAEjD,yCAAyC;QACzC,IAAI,aAAa,CAAC,SAAS,EAAE,CAAC;YAC5B,MAAM,iBAAiB,GAAmC,EAAE,GAAG,aAAa,CAAC,SAAS,EAAE,CAAC;YACzF,KAAK,MAAM,GAAG,IAAI,mDAA+B,EAAE,CAAC;gBAClD,OAAO,iBAAiB,CAAC,GAAG,CAAC,CAAC;YAChC,CAAC;YAED,mDAAmD;YACnD,IAAI,MAAM,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAChD,OAAO,aAAa,CAAC,SAAS,CAAC;YACjC,CAAC;iBAAM,CAAC;gBACN,aAAa,CAAC,SAAS,GAAG,iBAA0C,CAAC;YACvE,CAAC;QACH,CAAC;QAED,OAAO,aAAa,CAAC;IACvB,CAAC;CACF;AAjQD,8DAiQC;AAED;;GAEG;AACH,SAAgB,mBAAmB,CAAC,MAAsB;IACxD,OAAO,IAAI,yBAAyB,CAAC,MAAM,CAAC,CAAC;AAC/C,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,oBAAoB,CAAC,YAAiC;IAC1E,MAAM,KAAK,GACT,OAAO,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC;IAC3F,OAAO,IAAA,kBAAS,EAAC,KAAK,CAAC,CAAC;AAC1B,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,kBAAkB,CACtC,MAAsB,EACtB,YAAiC,EACjC,MAAkB,EAClB,aAAsB,EACtB,SAAkB,EAClB,MAAgC,EAChC,OAIC;IAED,MAAM,KAAK,GACT,OAAO,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC;IAC3F,MAAM,SAAS,GAAG,MAAM,IAAA,kBAAS,EAAC,KAAK,CAAC,CAAC;IAEzC,MAAM,OAAO,GAAG,mBAAmB,CAAC,MAAM,CAAC;SACxC,kBAAkB,CAAC,SAAS,CAAC;SAC7B,OAAO,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,CAAC,CAAC;IAElD,6CAA6C;IAC7C,MAAM,WAAW,GAAG,6BAAS,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IACrD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,6BAAS,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC1C,MAAM,OAAO,GAAG,6BAAS,CAAC,CAAC,CAAC,CAAC;QAC7B,IAAI,CAAC,GAAG,WAAW,EAAE,CAAC;YACpB,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;aAAM,IAAI,CAAC,KAAK,WAAW,EAAE,CAAC;YAC7B,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,IAAI,IAAA,yCAAqB,EAAC,MAAM,CAAC,EAAE,MAAM,CAAC,CAAC;QAC5E,CAAC;QACD,mDAAmD;IACrD,CAAC;IAED,IAAI,OAAO,EAAE,IAAI,EAAE,CAAC;QAClB,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAChC,CAAC;IAED,OAAO,OAAO,CAAC,KAAK,EAAE,CAAC;AACzB,CAAC;AAED;;GAEG;AACI,KAAK,UAAU,kBAAkB,CACtC,MAAsB,EACtB,YAAiC,EACjC,MAAc,EACd,GAAW,EACX,YAAgE,EAChE,OAGC;IAED,MAAM,KAAK,GACT,OAAO,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC;IAC3F,MAAM,SAAS,GAAG,MAAM,IAAA,kBAAS,EAAC,KAAK,CAAC,CAAC;IAEzC,MAAM,OAAO,GAAG,mBAAmB,CAAC,MAAM,CAAC,CAAC,kBAAkB,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IAE/F,mDAAmD;IACnD,KAAK,MAAM,OAAO,IAAI,6BAAS,EAAE,CAAC;QAChC,yCAAyC;QACzC,IAAI,OAAO,KAAK,kBAAkB,IAAI,MAAM,CAAC,IAAI,KAAK,cAAc,EAAE,CAAC;YACrE,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,EAAE,MAAM,EAAE,cAAc,EAAE,CAAC,CAAC;YAClD,SAAS;QACX,CAAC;QAED,wCAAwC;QACxC,IAAI,OAAO,KAAK,2BAA2B,EAAE,CAAC;YAC5C,IAAI,YAAY,EAAE,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC5B,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,CAAC,OAAO,CAAC,CAAC,CAAC;YAC/C,CAAC;YACD,iDAAiD;YACjD,SAAS;QACX,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,YAAY,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;IACjD,CAAC;IAED,IAAI,OAAO,EAAE,SAAS,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC;YAC7D,OAAO,CAAC,WAAW,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAClC,CAAC;IACH,CAAC;IAED,IAAI,OAAO,EAAE,IAAI,EAAE,CAAC;QAClB,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IAChC,CAAC;IAED,OAAO,OAAO,CAAC,KAAK,EAAE,CAAC;AACzB,CAAC"}

package/dist/verifier-core.d.ts

@@ -0,0 +1,62 @@
+/**
+ * PEAC Verifier Core
+ *
+ * Implements the verification flow per VERIFIER-SECURITY-MODEL.md with:
+ * - Ordered checks with short-circuit behavior
+ * - Trust pinning (issuer allowlist + RFC 7638 thumbprints)
+ * - SSRF-safe network fetches
+ * - Deterministic verification reports
+ *
+ * @packageDocumentation
+ */
+import { PEACReceiptClaims } from '@peac/schema';
+import type { VerificationReport, VerifierPolicy } from './verifier-types.js';
+/**
+ * Verification options for verifier-core
+ */
+export interface VerifyCoreOptions {
+    /** Receipt JWS (compact serialization) or raw bytes */
+    receipt: string | Uint8Array;
+    /** Verification policy */
+    policy?: VerifierPolicy;
+    /** Reference time for deterministic verification (seconds since epoch) */
+    referenceTime?: number;
+    /** Include non-deterministic metadata in report */
+    includeMeta?: boolean;
+}
+/**
+ * Verification result
+ */
+export interface VerifyCoreResult {
+    /** Whether verification succeeded */
+    valid: boolean;
+    /** Verification report */
+    report: VerificationReport;
+    /** Parsed claims (if valid) */
+    claims?: PEACReceiptClaims;
+}
+/**
+ * Verify a PEAC receipt with full security checks and report emission
+ *
+ * Implements the verification flow per VERIFIER-SECURITY-MODEL.md:
+ * 1. jws.parse - Parse JWS structure
+ * 2. limits.receipt_bytes - Check receipt size
+ * 3. jws.protected_header - Validate protected header
+ * 4. claims.schema_unverified - Pre-signature schema check
+ * 5. issuer.trust_policy - Check issuer allowlist/pins
+ * 6. issuer.discovery - Fetch JWKS (if network mode)
+ * 7. key.resolve - Resolve signing key by kid
+ * 8. jws.signature - Verify signature
+ * 9. claims.time_window - Check iat/exp
+ * 10. extensions.limits - Check extension sizes
+ */
+export declare function verifyReceiptCore(options: VerifyCoreOptions): Promise<VerifyCoreResult>;
+/**
+ * Clear the JWKS cache
+ */
+export declare function clearJWKSCache(): void;
+/**
+ * Get JWKS cache size (for testing)
+ */
+export declare function getJWKSCacheSize(): number;
+//# sourceMappingURL=verifier-core.d.ts.map

package/dist/verifier-core.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier-core.d.ts","sourceRoot":"","sources":["../src/verifier-core.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAWH,OAAO,EAAE,iBAAiB,EAAiB,MAAM,cAAc,CAAC;AAIhE,OAAO,KAAK,EAAa,kBAAkB,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAqCzF;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,uDAAuD;IACvD,OAAO,EAAE,MAAM,GAAG,UAAU,CAAC;IAC7B,0BAA0B;IAC1B,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,0EAA0E;IAC1E,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mDAAmD;IACnD,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,qCAAqC;IACrC,KAAK,EAAE,OAAO,CAAC;IACf,0BAA0B;IAC1B,MAAM,EAAE,kBAAkB,CAAC;IAC3B,+BAA+B;IAC/B,MAAM,CAAC,EAAE,iBAAiB,CAAC;CAC5B;AAmLD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAob7F;AAED;;GAEG;AACH,wBAAgB,cAAc,IAAI,IAAI,CAErC;AAED;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC"}