@peac/protocol 0.10.6 → 0.10.8

package/dist/verifier-types.d.ts

@@ -0,0 +1,328 @@
+/**
+ * PEAC Verifier Types
+ *
+ * Types for verification policy, trust pinning, and verification reports
+ * per VERIFIER-SECURITY-MODEL.md, TRUST-PINNING-POLICY.md, and
+ * VERIFICATION-REPORT-FORMAT.md
+ *
+ * @packageDocumentation
+ */
+import { VERIFIER_POLICY_VERSION, VERIFICATION_REPORT_VERSION } from '@peac/kernel';
+/**
+ * Verification mode per VERIFIER-SECURITY-MODEL.md
+ */
+export type VerificationMode = 'offline_only' | 'offline_preferred' | 'network_allowed';
+/**
+ * Pinned key entry per TRUST-PINNING-POLICY.md
+ *
+ * Uses RFC 7638 JWK Thumbprint with base64url encoding (NOT hex).
+ * SHA-256 thumbprints are 43 characters in base64url.
+ *
+ * For offline verification, include either `public_key` (base64url 32 bytes)
+ * or the full `jwk` object. If only thumbprint is provided, the key can only
+ * be pin-checked after fetching JWKS (requires network mode).
+ */
+export interface PinnedKey {
+    /** Issuer origin (https://host[:port]) */
+    issuer: string;
+    /** Key identifier (kid from JWKS) */
+    kid: string;
+    /** RFC 7638 JWK Thumbprint, SHA-256, base64url-encoded (43 chars) */
+    jwk_thumbprint_sha256: string;
+    /**
+     * Ed25519 public key bytes, base64url-encoded (43 chars for 32 bytes).
+     * If provided, enables offline verification without JWKS fetch.
+     */
+    public_key?: string;
+    /**
+     * Full JWK for offline verification.
+     * If provided, enables offline verification without JWKS fetch.
+     * Takes precedence over public_key.
+     */
+    jwk?: {
+        kty: 'OKP';
+        crv: 'Ed25519';
+        x: string;
+        kid?: string;
+    };
+}
+/**
+ * Issuer allowlist entry
+ *
+ * Full origin format: https://host[:port]
+ * The port is only included if non-standard (not 443 for HTTPS).
+ */
+export type IssuerOrigin = string;
+/**
+ * Verifier security limits
+ */
+export interface VerifierLimits {
+    /** Maximum receipt size in bytes */
+    max_receipt_bytes: number;
+    /** Maximum JWKS document size in bytes */
+    max_jwks_bytes: number;
+    /** Maximum number of keys in a JWKS */
+    max_jwks_keys: number;
+    /** Maximum redirects to follow */
+    max_redirects: number;
+    /** Network fetch timeout in milliseconds */
+    fetch_timeout_ms: number;
+    /** Maximum extension size in bytes */
+    max_extension_bytes: number;
+}
+/**
+ * Default verifier limits from VERIFIER-SECURITY-MODEL.md
+ */
+export declare const DEFAULT_VERIFIER_LIMITS: VerifierLimits;
+/**
+ * Network security settings
+ */
+export interface NetworkSecurity {
+    /** Only allow HTTPS URLs */
+    https_only: boolean;
+    /** Block requests to private IP ranges */
+    block_private_ips: boolean;
+    /** Allow redirects */
+    allow_redirects: boolean;
+    /**
+     * Allow cross-origin redirects (default: true for CDN compatibility).
+     * When true, redirects to different origins are allowed if they pass SSRF checks.
+     * When false, only same-origin redirects are allowed.
+     */
+    allow_cross_origin_redirects?: boolean;
+    /**
+     * Behavior on DNS resolution failure (default: 'block' for security).
+     * - 'block': Treat DNS failure as blocked (fail-closed, more secure)
+     * - 'fail': Return fetch error (allows retry, less restrictive)
+     */
+    dns_failure_behavior?: 'block' | 'fail';
+}
+/**
+ * Default network security settings from VERIFIER-SECURITY-MODEL.md
+ */
+export declare const DEFAULT_NETWORK_SECURITY: NetworkSecurity;
+/**
+ * Verifier policy configuration
+ *
+ * This structure echoes the policy used for verification, making trust
+ * decisions auditable per VERIFICATION-REPORT-FORMAT.md.
+ */
+export interface VerifierPolicy {
+    /** Policy schema version */
+    policy_version: typeof VERIFIER_POLICY_VERSION;
+    /** Verification mode */
+    mode: VerificationMode;
+    /** Allowed issuer origins (optional, if empty all issuers allowed) */
+    issuer_allowlist?: IssuerOrigin[];
+    /** Pinned keys for offline verification */
+    pinned_keys?: PinnedKey[];
+    /** Effective security limits */
+    limits: VerifierLimits;
+    /** Network security settings */
+    network: NetworkSecurity;
+}
+/**
+ * Create a default verifier policy
+ */
+export declare function createDefaultPolicy(mode: VerificationMode): VerifierPolicy;
+/**
+ * Check status
+ */
+export type CheckStatus = 'pass' | 'fail' | 'skip';
+/**
+ * Standard check IDs per VERIFIER-SECURITY-MODEL.md (in order)
+ */
+export declare const CHECK_IDS: readonly ["jws.parse", "limits.receipt_bytes", "jws.protected_header", "claims.schema_unverified", "issuer.trust_policy", "issuer.discovery", "key.resolve", "jws.signature", "claims.time_window", "extensions.limits", "transport.profile_binding"];
+export type CheckId = (typeof CHECK_IDS)[number];
+/**
+ * Single verification check result
+ */
+export interface CheckResult {
+    /** Stable check identifier */
+    id: CheckId;
+    /** Check status */
+    status: CheckStatus;
+    /** Machine-readable details (optional) */
+    detail?: Record<string, unknown>;
+    /** Stable error code (if failed) */
+    error_code?: string;
+}
+/**
+ * Input type for verification
+ */
+export type InputType = 'receipt_jws' | 'bundle_entry';
+/**
+ * Digest object (algorithm + value)
+ */
+export interface DigestObject {
+    /** Hash algorithm */
+    alg: 'sha-256';
+    /** Hash value in lowercase hex */
+    value: string;
+}
+/**
+ * Bundle context for bundle_entry input type
+ */
+export interface BundleContext {
+    /** Digest of bundle bytes */
+    bundle_digest: DigestObject;
+    /** 0-based entry index */
+    entry_index: number;
+    /** Stable entry ID (optional) */
+    entry_id?: string;
+}
+/**
+ * Verification input descriptor
+ */
+export interface VerificationInput {
+    /** Input type */
+    type: InputType;
+    /** Digest of receipt bytes */
+    receipt_digest: DigestObject;
+    /** Bundle context (if type = bundle_entry) */
+    bundle?: BundleContext;
+}
+/**
+ * Result severity
+ */
+export type ResultSeverity = 'info' | 'warning' | 'error';
+/**
+ * Reason codes per VERIFIER-SECURITY-MODEL.md
+ */
+export type ReasonCode = 'ok' | 'receipt_too_large' | 'malformed_receipt' | 'signature_invalid' | 'issuer_not_allowed' | 'key_not_found' | 'key_fetch_blocked' | 'key_fetch_failed' | 'key_fetch_timeout' | 'pointer_fetch_blocked' | 'pointer_fetch_failed' | 'pointer_fetch_timeout' | 'pointer_fetch_too_large' | 'pointer_digest_mismatch' | 'jwks_too_large' | 'jwks_too_many_keys' | 'expired' | 'not_yet_valid' | 'audience_mismatch' | 'schema_invalid' | 'policy_violation' | 'extension_too_large' | 'invalid_transport';
+/**
+ * High-level verification result
+ */
+export interface VerificationResult {
+    /** Overall verification result */
+    valid: boolean;
+    /** Stable reason code */
+    reason: ReasonCode;
+    /** Result severity */
+    severity: ResultSeverity;
+    /** Receipt wire format (e.g., peac-receipt/0.1) */
+    receipt_type: string;
+    /** Normalized issuer origin (optional) */
+    issuer?: string;
+    /** Key ID used for verification (optional) */
+    kid?: string;
+}
+/**
+ * Pointer resolution details
+ */
+export interface PointerArtifact {
+    /** Pointer URL */
+    url: string;
+    /** Expected digest from header */
+    expected_digest: DigestObject;
+    /** Actual digest of fetched content */
+    actual_digest?: DigestObject;
+    /** Whether digests matched */
+    digest_matched?: boolean;
+}
+/**
+ * Key source for enterprise debuggability
+ */
+export type KeySource = 'pinned' | 'jwks_fetch';
+/**
+ * Additional verification artifacts
+ *
+ * Artifacts are divided into two categories:
+ *
+ * **Deterministic artifacts** (same inputs and policy -> same values):
+ * - `issuer_key_source`: Always determined by policy and receipt
+ * - `issuer_key_thumbprint`: Computed from the signing key
+ * - `normalized_claims_digest`: Computed from the claims
+ * - `receipt_pointer`: Derived from the input pointer header
+ *
+ * **Non-deterministic artifacts** (may vary based on runtime state):
+ * - `issuer_jwks_digest`: Only present when JWKS is fetched fresh (not from cache)
+ *
+ * Use `buildDeterministic()` to exclude non-deterministic artifacts for
+ * reproducible report generation.
+ */
+export interface VerificationArtifacts {
+    /**
+     * Digest of JWKS used for verification.
+     *
+     * NON-DETERMINISTIC: Only present when JWKS is fetched fresh (not from cache).
+     * Excluded by `buildDeterministic()`.
+     */
+    issuer_jwks_digest?: DigestObject;
+    /** Source of the signing key used for verification (DETERMINISTIC) */
+    issuer_key_source?: KeySource;
+    /** RFC 7638 JWK Thumbprint (SHA-256, base64url) of the key used (DETERMINISTIC) */
+    issuer_key_thumbprint?: string;
+    /** Digest of canonicalized claims (DETERMINISTIC) */
+    normalized_claims_digest?: DigestObject;
+    /** Pointer resolution details (DETERMINISTIC) */
+    receipt_pointer?: PointerArtifact;
+}
+/**
+ * Keys of artifacts that are non-deterministic (depend on runtime state)
+ */
+export declare const NON_DETERMINISTIC_ARTIFACT_KEYS: (keyof VerificationArtifacts)[];
+/**
+ * Verifier implementation info
+ */
+export interface VerifierInfo {
+    /** Verifier name */
+    name: string;
+    /** Verifier version */
+    version: string;
+}
+/**
+ * Non-deterministic metadata (MUST be excluded from report hashes)
+ */
+export interface VerificationMeta {
+    /** RFC 3339 timestamp when report was generated */
+    generated_at?: string;
+    /** Verifier implementation info */
+    verifier?: VerifierInfo;
+}
+/**
+ * PEAC Verification Report per VERIFICATION-REPORT-FORMAT.md
+ *
+ * This report is designed to be:
+ * - Portable: shareable across organizations
+ * - Deterministic: reproducible given same inputs
+ * - Safe: bounded resource usage
+ * - Policy-aware: trust decisions are explicit
+ */
+export interface VerificationReport {
+    /** Format version identifier (REQUIRED) */
+    report_version: typeof VERIFICATION_REPORT_VERSION;
+    /** What was verified (REQUIRED) */
+    input: VerificationInput;
+    /** Policy used for verification (REQUIRED) */
+    policy: VerifierPolicy;
+    /** High-level outcome (REQUIRED) */
+    result: VerificationResult;
+    /** Ordered list of checks (REQUIRED) */
+    checks: CheckResult[];
+    /** Additional outputs (OPTIONAL) */
+    artifacts?: VerificationArtifacts;
+    /** Non-deterministic fields (OPTIONAL, excluded from hashes) */
+    meta?: VerificationMeta;
+}
+/**
+ * Create a digest object from a hex string
+ */
+export declare function createDigest(hexValue: string): DigestObject;
+/**
+ * Create an empty verification report structure
+ */
+export declare function createEmptyReport(policy: VerifierPolicy): Omit<VerificationReport, 'input' | 'result' | 'checks'>;
+/**
+ * Map SSRF fetch error reason to verification reason code
+ */
+export declare function ssrfErrorToReasonCode(ssrfReason: string, fetchType: 'key' | 'pointer'): ReasonCode;
+/**
+ * Map reason code to severity
+ */
+export declare function reasonCodeToSeverity(reason: ReasonCode): ResultSeverity;
+/**
+ * Map reason code to error code
+ */
+export declare function reasonCodeToErrorCode(reason: ReasonCode): string;
+//# sourceMappingURL=verifier-types.d.ts.map

package/dist/verifier-types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier-types.d.ts","sourceRoot":"","sources":["../src/verifier-types.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAGL,uBAAuB,EACvB,2BAA2B,EAC5B,MAAM,cAAc,CAAC;AAMtB;;GAEG;AACH,MAAM,MAAM,gBAAgB,GAAG,cAAc,GAAG,mBAAmB,GAAG,iBAAiB,CAAC;AAMxF;;;;;;;;;GASG;AACH,MAAM,WAAW,SAAS;IACxB,0CAA0C;IAC1C,MAAM,EAAE,MAAM,CAAC;IACf,qCAAqC;IACrC,GAAG,EAAE,MAAM,CAAC;IACZ,qEAAqE;IACrE,qBAAqB,EAAE,MAAM,CAAC;IAC9B;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB;;;;OAIG;IACH,GAAG,CAAC,EAAE;QACJ,GAAG,EAAE,KAAK,CAAC;QACX,GAAG,EAAE,SAAS,CAAC;QACf,CAAC,EAAE,MAAM,CAAC;QACV,GAAG,CAAC,EAAE,MAAM,CAAC;KACd,CAAC;CACH;AAED;;;;;GAKG;AACH,MAAM,MAAM,YAAY,GAAG,MAAM,CAAC;AAMlC;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,oCAAoC;IACpC,iBAAiB,EAAE,MAAM,CAAC;IAC1B,0CAA0C;IAC1C,cAAc,EAAE,MAAM,CAAC;IACvB,uCAAuC;IACvC,aAAa,EAAE,MAAM,CAAC;IACtB,kCAAkC;IAClC,aAAa,EAAE,MAAM,CAAC;IACtB,4CAA4C;IAC5C,gBAAgB,EAAE,MAAM,CAAC;IACzB,sCAAsC;IACtC,mBAAmB,EAAE,MAAM,CAAC;CAC7B;AAED;;GAEG;AACH,eAAO,MAAM,uBAAuB,EAAE,cAOrC,CAAC;AAMF;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,4BAA4B;IAC5B,UAAU,EAAE,OAAO,CAAC;IACpB,0CAA0C;IAC1C,iBAAiB,EAAE,OAAO,CAAC;IAC3B,sBAAsB;IACtB,eAAe,EAAE,OAAO,CAAC;IACzB;;;;OAIG;IACH,4BAA4B,CAAC,EAAE,OAAO,CAAC;IACvC;;;;OAIG;IACH,oBAAoB,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;CACzC;AAED;;GAEG;AACH,eAAO,MAAM,wBAAwB,EAAE,eAMtC,CAAC;AAMF;;;;;GAKG;AACH,MAAM,WAAW,cAAc;IAC7B,4BAA4B;IAC5B,cAAc,EAAE,OAAO,uBAAuB,CAAC;IAC/C,wBAAwB;IACxB,IAAI,EAAE,gBAAgB,CAAC;IACvB,sEAAsE;IACtE,gBAAgB,CAAC,EAAE,YAAY,EAAE,CAAC;IAClC,2CAA2C;IAC3C,WAAW,CAAC,EAAE,SAAS,EAAE,CAAC;IAC1B,gCAAgC;IAChC,MAAM,EAAE,cAAc,CAAC;IACvB,gCAAgC;IAChC,OAAO,EAAE,eAAe,CAAC;CAC1B;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,gBAAgB,GAAG,cAAc,CAO1E;AAMD;;GAEG;AACH,MAAM,MAAM,WAAW,GAAG,MAAM,GAAG,MAAM,GAAG,MAAM,CAAC;AAEnD;;GAEG;AACH,eAAO,MAAM,SAAS,uPAYZ,CAAC;AAEX,MAAM,MAAM,OAAO,GAAG,CAAC,OAAO,SAAS,CAAC,CAAC,MAAM,CAAC,CAAC;AAEjD;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,8BAA8B;IAC9B,EAAE,EAAE,OAAO,CAAC;IACZ,mBAAmB;IACnB,MAAM,EAAE,WAAW,CAAC;IACpB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,oCAAoC;IACpC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAMD;;GAEG;AACH,MAAM,MAAM,SAAS,GAAG,aAAa,GAAG,cAAc,CAAC;AAEvD;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,qBAAqB;IACrB,GAAG,EAAE,SAAS,CAAC;IACf,kCAAkC;IAClC,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,6BAA6B;IAC7B,aAAa,EAAE,YAAY,CAAC;IAC5B,0BAA0B;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,iCAAiC;IACjC,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,iBAAiB;IACjB,IAAI,EAAE,SAAS,CAAC;IAChB,8BAA8B;IAC9B,cAAc,EAAE,YAAY,CAAC;IAC7B,8CAA8C;IAC9C,MAAM,CAAC,EAAE,aAAa,CAAC;CACxB;AAMD;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,MAAM,GAAG,SAAS,GAAG,OAAO,CAAC;AAE1D;;GAEG;AACH,MAAM,MAAM,UAAU,GAClB,IAAI,GACJ,mBAAmB,GACnB,mBAAmB,GACnB,mBAAmB,GACnB,oBAAoB,GACpB,eAAe,GACf,mBAAmB,GACnB,kBAAkB,GAClB,mBAAmB,GACnB,uBAAuB,GACvB,sBAAsB,GACtB,uBAAuB,GACvB,yBAAyB,GACzB,yBAAyB,GACzB,gBAAgB,GAChB,oBAAoB,GACpB,SAAS,GACT,eAAe,GACf,mBAAmB,GACnB,gBAAgB,GAChB,kBAAkB,GAClB,qBAAqB,GACrB,mBAAmB,CAAC;AAExB;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,kCAAkC;IAClC,KAAK,EAAE,OAAO,CAAC;IACf,yBAAyB;IACzB,MAAM,EAAE,UAAU,CAAC;IACnB,sBAAsB;IACtB,QAAQ,EAAE,cAAc,CAAC;IACzB,mDAAmD;IACnD,YAAY,EAAE,MAAM,CAAC;IACrB,0CAA0C;IAC1C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,8CAA8C;IAC9C,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAMD;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,kBAAkB;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,kCAAkC;IAClC,eAAe,EAAE,YAAY,CAAC;IAC9B,uCAAuC;IACvC,aAAa,CAAC,EAAE,YAAY,CAAC;IAC7B,8BAA8B;IAC9B,cAAc,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,MAAM,SAAS,GAAG,QAAQ,GAAG,YAAY,CAAC;AAEhD;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,qBAAqB;IACpC;;;;;OAKG;IACH,kBAAkB,CAAC,EAAE,YAAY,CAAC;IAClC,sEAAsE;IACtE,iBAAiB,CAAC,EAAE,SAAS,CAAC;IAC9B,mFAAmF;IACnF,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,qDAAqD;IACrD,wBAAwB,CAAC,EAAE,YAAY,CAAC;IACxC,iDAAiD;IACjD,eAAe,CAAC,EAAE,eAAe,CAAC;CACnC;AAED;;GAEG;AACH,eAAO,MAAM,+BAA+B,EAAE,CAAC,MAAM,qBAAqB,CAAC,EAE1E,CAAC;AAMF;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,oBAAoB;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,uBAAuB;IACvB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,mDAAmD;IACnD,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,mCAAmC;IACnC,QAAQ,CAAC,EAAE,YAAY,CAAC;CACzB;AAMD;;;;;;;;GAQG;AACH,MAAM,WAAW,kBAAkB;IACjC,2CAA2C;IAC3C,cAAc,EAAE,OAAO,2BAA2B,CAAC;IACnD,mCAAmC;IACnC,KAAK,EAAE,iBAAiB,CAAC;IACzB,8CAA8C;IAC9C,MAAM,EAAE,cAAc,CAAC;IACvB,oCAAoC;IACpC,MAAM,EAAE,kBAAkB,CAAC;IAC3B,wCAAwC;IACxC,MAAM,EAAE,WAAW,EAAE,CAAC;IACtB,oCAAoC;IACpC,SAAS,CAAC,EAAE,qBAAqB,CAAC;IAClC,gEAAgE;IAChE,IAAI,CAAC,EAAE,gBAAgB,CAAC;CACzB;AAMD;;GAEG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,MAAM,GAAG,YAAY,CAK3D;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,MAAM,EAAE,cAAc,GACrB,IAAI,CAAC,kBAAkB,EAAE,OAAO,GAAG,QAAQ,GAAG,QAAQ,CAAC,CAKzD;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,UAAU,EAAE,MAAM,EAClB,SAAS,EAAE,KAAK,GAAG,SAAS,GAC3B,UAAU,CAwBZ;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,UAAU,GAAG,cAAc,CAGvE;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CA2BhE"}

package/dist/verifier-types.js

@@ -0,0 +1,161 @@
+"use strict";
+/**
+ * PEAC Verifier Types
+ *
+ * Types for verification policy, trust pinning, and verification reports
+ * per VERIFIER-SECURITY-MODEL.md, TRUST-PINNING-POLICY.md, and
+ * VERIFICATION-REPORT-FORMAT.md
+ *
+ * @packageDocumentation
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NON_DETERMINISTIC_ARTIFACT_KEYS = exports.CHECK_IDS = exports.DEFAULT_NETWORK_SECURITY = exports.DEFAULT_VERIFIER_LIMITS = void 0;
+exports.createDefaultPolicy = createDefaultPolicy;
+exports.createDigest = createDigest;
+exports.createEmptyReport = createEmptyReport;
+exports.ssrfErrorToReasonCode = ssrfErrorToReasonCode;
+exports.reasonCodeToSeverity = reasonCodeToSeverity;
+exports.reasonCodeToErrorCode = reasonCodeToErrorCode;
+const kernel_1 = require("@peac/kernel");
+/**
+ * Default verifier limits from VERIFIER-SECURITY-MODEL.md
+ */
+exports.DEFAULT_VERIFIER_LIMITS = {
+    max_receipt_bytes: kernel_1.VERIFIER_LIMITS.maxReceiptBytes,
+    max_jwks_bytes: kernel_1.VERIFIER_LIMITS.maxJwksBytes,
+    max_jwks_keys: kernel_1.VERIFIER_LIMITS.maxJwksKeys,
+    max_redirects: kernel_1.VERIFIER_LIMITS.maxRedirects,
+    fetch_timeout_ms: kernel_1.VERIFIER_LIMITS.fetchTimeoutMs,
+    max_extension_bytes: kernel_1.VERIFIER_LIMITS.maxExtensionBytes,
+};
+/**
+ * Default network security settings from VERIFIER-SECURITY-MODEL.md
+ */
+exports.DEFAULT_NETWORK_SECURITY = {
+    https_only: kernel_1.VERIFIER_NETWORK.httpsOnly,
+    block_private_ips: kernel_1.VERIFIER_NETWORK.blockPrivateIps,
+    allow_redirects: kernel_1.VERIFIER_NETWORK.allowRedirects,
+    allow_cross_origin_redirects: true, // Allow for CDN compatibility
+    dns_failure_behavior: 'block', // Fail-closed by default
+};
+/**
+ * Create a default verifier policy
+ */
+function createDefaultPolicy(mode) {
+    return {
+        policy_version: kernel_1.VERIFIER_POLICY_VERSION,
+        mode,
+        limits: { ...exports.DEFAULT_VERIFIER_LIMITS },
+        network: { ...exports.DEFAULT_NETWORK_SECURITY },
+    };
+}
+/**
+ * Standard check IDs per VERIFIER-SECURITY-MODEL.md (in order)
+ */
+exports.CHECK_IDS = [
+    'jws.parse',
+    'limits.receipt_bytes',
+    'jws.protected_header',
+    'claims.schema_unverified',
+    'issuer.trust_policy',
+    'issuer.discovery',
+    'key.resolve',
+    'jws.signature',
+    'claims.time_window',
+    'extensions.limits',
+    'transport.profile_binding',
+];
+/**
+ * Keys of artifacts that are non-deterministic (depend on runtime state)
+ */
+exports.NON_DETERMINISTIC_ARTIFACT_KEYS = [
+    'issuer_jwks_digest',
+];
+// ---------------------------------------------------------------------------
+// Report Builder Utilities
+// ---------------------------------------------------------------------------
+/**
+ * Create a digest object from a hex string
+ */
+function createDigest(hexValue) {
+    return {
+        alg: 'sha-256',
+        value: hexValue.toLowerCase(),
+    };
+}
+/**
+ * Create an empty verification report structure
+ */
+function createEmptyReport(policy) {
+    return {
+        report_version: kernel_1.VERIFICATION_REPORT_VERSION,
+        policy,
+    };
+}
+/**
+ * Map SSRF fetch error reason to verification reason code
+ */
+function ssrfErrorToReasonCode(ssrfReason, fetchType) {
+    const prefix = fetchType === 'key' ? 'key_fetch' : 'pointer_fetch';
+    switch (ssrfReason) {
+        case 'not_https':
+        case 'private_ip':
+        case 'loopback':
+        case 'link_local':
+        case 'cross_origin_redirect':
+        case 'dns_failure':
+            return `${prefix}_blocked`;
+        case 'timeout':
+            return `${prefix}_timeout`;
+        case 'response_too_large':
+            return fetchType === 'pointer' ? 'pointer_fetch_too_large' : 'jwks_too_large';
+        case 'jwks_too_many_keys':
+            return 'jwks_too_many_keys';
+        case 'too_many_redirects':
+        case 'scheme_downgrade':
+        case 'network_error':
+        case 'invalid_url':
+        default:
+            return `${prefix}_failed`;
+    }
+}
+/**
+ * Map reason code to severity
+ */
+function reasonCodeToSeverity(reason) {
+    if (reason === 'ok')
+        return 'info';
+    return 'error';
+}
+/**
+ * Map reason code to error code
+ */
+function reasonCodeToErrorCode(reason) {
+    const mapping = {
+        ok: '',
+        receipt_too_large: 'E_VERIFY_RECEIPT_TOO_LARGE',
+        malformed_receipt: 'E_VERIFY_MALFORMED_RECEIPT',
+        signature_invalid: 'E_VERIFY_SIGNATURE_INVALID',
+        issuer_not_allowed: 'E_VERIFY_ISSUER_NOT_ALLOWED',
+        key_not_found: 'E_VERIFY_KEY_NOT_FOUND',
+        key_fetch_blocked: 'E_VERIFY_KEY_FETCH_BLOCKED',
+        key_fetch_failed: 'E_VERIFY_KEY_FETCH_FAILED',
+        key_fetch_timeout: 'E_VERIFY_KEY_FETCH_TIMEOUT',
+        pointer_fetch_blocked: 'E_VERIFY_POINTER_FETCH_BLOCKED',
+        pointer_fetch_failed: 'E_VERIFY_POINTER_FETCH_FAILED',
+        pointer_fetch_timeout: 'E_VERIFY_POINTER_FETCH_TIMEOUT',
+        pointer_fetch_too_large: 'E_VERIFY_POINTER_FETCH_TOO_LARGE',
+        pointer_digest_mismatch: 'E_VERIFY_POINTER_DIGEST_MISMATCH',
+        jwks_too_large: 'E_VERIFY_JWKS_TOO_LARGE',
+        jwks_too_many_keys: 'E_VERIFY_JWKS_TOO_MANY_KEYS',
+        expired: 'E_VERIFY_EXPIRED',
+        not_yet_valid: 'E_VERIFY_NOT_YET_VALID',
+        audience_mismatch: 'E_VERIFY_AUDIENCE_MISMATCH',
+        schema_invalid: 'E_VERIFY_SCHEMA_INVALID',
+        policy_violation: 'E_VERIFY_POLICY_VIOLATION',
+        extension_too_large: 'E_VERIFY_EXTENSION_TOO_LARGE',
+        invalid_transport: 'E_VERIFY_INVALID_TRANSPORT',
+    };
+    return mapping[reason] || 'E_VERIFY_POLICY_VIOLATION';
+}
+//# sourceMappingURL=verifier-types.js.map

package/dist/verifier-types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier-types.js","sourceRoot":"","sources":["../src/verifier-types.ts"],"names":[],"mappings":";AAAA;;;;;;;;GAQG;;;AAsKH,kDAOC;AA4QD,oCAKC;AAKD,8CAOC;AAKD,sDA2BC;AAKD,oDAGC;AAKD,sDA2BC;AAhhBD,yCAKsB;AAgFtB;;GAEG;AACU,QAAA,uBAAuB,GAAmB;IACrD,iBAAiB,EAAE,wBAAe,CAAC,eAAe;IAClD,cAAc,EAAE,wBAAe,CAAC,YAAY;IAC5C,aAAa,EAAE,wBAAe,CAAC,WAAW;IAC1C,aAAa,EAAE,wBAAe,CAAC,YAAY;IAC3C,gBAAgB,EAAE,wBAAe,CAAC,cAAc;IAChD,mBAAmB,EAAE,wBAAe,CAAC,iBAAiB;CACvD,CAAC;AA8BF;;GAEG;AACU,QAAA,wBAAwB,GAAoB;IACvD,UAAU,EAAE,yBAAgB,CAAC,SAAS;IACtC,iBAAiB,EAAE,yBAAgB,CAAC,eAAe;IACnD,eAAe,EAAE,yBAAgB,CAAC,cAAc;IAChD,4BAA4B,EAAE,IAAI,EAAE,8BAA8B;IAClE,oBAAoB,EAAE,OAAO,EAAE,yBAAyB;CACzD,CAAC;AA2BF;;GAEG;AACH,SAAgB,mBAAmB,CAAC,IAAsB;IACxD,OAAO;QACL,cAAc,EAAE,gCAAuB;QACvC,IAAI;QACJ,MAAM,EAAE,EAAE,GAAG,+BAAuB,EAAE;QACtC,OAAO,EAAE,EAAE,GAAG,gCAAwB,EAAE;KACzC,CAAC;AACJ,CAAC;AAWD;;GAEG;AACU,QAAA,SAAS,GAAG;IACvB,WAAW;IACX,sBAAsB;IACtB,sBAAsB;IACtB,0BAA0B;IAC1B,qBAAqB;IACrB,kBAAkB;IAClB,aAAa;IACb,eAAe;IACf,oBAAoB;IACpB,mBAAmB;IACnB,2BAA2B;CACnB,CAAC;AA8KX;;GAEG;AACU,QAAA,+BAA+B,GAAoC;IAC9E,oBAAoB;CACrB,CAAC;AAwDF,8EAA8E;AAC9E,2BAA2B;AAC3B,8EAA8E;AAE9E;;GAEG;AACH,SAAgB,YAAY,CAAC,QAAgB;IAC3C,OAAO;QACL,GAAG,EAAE,SAAS;QACd,KAAK,EAAE,QAAQ,CAAC,WAAW,EAAE;KAC9B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAC/B,MAAsB;IAEtB,OAAO;QACL,cAAc,EAAE,oCAA2B;QAC3C,MAAM;KACP,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CACnC,UAAkB,EAClB,SAA4B;IAE5B,MAAM,MAAM,GAAG,SAAS,KAAK,KAAK,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,eAAe,CAAC;IAEnE,QAAQ,UAAU,EAAE,CAAC;QACnB,KAAK,WAAW,CAAC;QACjB,KAAK,YAAY,CAAC;QAClB,KAAK,UAAU,CAAC;QAChB,KAAK,YAAY,CAAC;QAClB,KAAK,uBAAuB,CAAC;QAC7B,KAAK,aAAa;YAChB,OAAO,GAAG,MAAM,UAAwB,CAAC;QAC3C,KAAK,SAAS;YACZ,OAAO,GAAG,MAAM,UAAwB,CAAC;QAC3C,KAAK,oBAAoB;YACvB,OAAO,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,yBAAyB,CAAC,CAAC,CAAC,gBAAgB,CAAC;QAChF,KAAK,oBAAoB;YACvB,OAAO,oBAAoB,CAAC;QAC9B,KAAK,oBAAoB,CAAC;QAC1B,KAAK,kBAAkB,CAAC;QACxB,KAAK,eAAe,CAAC;QACrB,KAAK,aAAa,CAAC;QACnB;YACE,OAAO,GAAG,MAAM,SAAuB,CAAC;IAC5C,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAAC,MAAkB;IACrD,IAAI,MAAM,KAAK,IAAI;QAAE,OAAO,MAAM,CAAC;IACnC,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,SAAgB,qBAAqB,CAAC,MAAkB;IACtD,MAAM,OAAO,GAA+B;QAC1C,EAAE,EAAE,EAAE;QACN,iBAAiB,EAAE,4BAA4B;QAC/C,iBAAiB,EAAE,4BAA4B;QAC/C,iBAAiB,EAAE,4BAA4B;QAC/C,kBAAkB,EAAE,6BAA6B;QACjD,aAAa,EAAE,wBAAwB;QACvC,iBAAiB,EAAE,4BAA4B;QAC/C,gBAAgB,EAAE,2BAA2B;QAC7C,iBAAiB,EAAE,4BAA4B;QAC/C,qBAAqB,EAAE,gCAAgC;QACvD,oBAAoB,EAAE,+BAA+B;QACrD,qBAAqB,EAAE,gCAAgC;QACvD,uBAAuB,EAAE,kCAAkC;QAC3D,uBAAuB,EAAE,kCAAkC;QAC3D,cAAc,EAAE,yBAAyB;QACzC,kBAAkB,EAAE,6BAA6B;QACjD,OAAO,EAAE,kBAAkB;QAC3B,aAAa,EAAE,wBAAwB;QACvC,iBAAiB,EAAE,4BAA4B;QAC/C,cAAc,EAAE,yBAAyB;QACzC,gBAAgB,EAAE,2BAA2B;QAC7C,mBAAmB,EAAE,8BAA8B;QACnD,iBAAiB,EAAE,4BAA4B;KAChD,CAAC;IACF,OAAO,OAAO,CAAC,MAAM,CAAC,IAAI,2BAA2B,CAAC;AACxD,CAAC"}

package/package.json

@@ -1,9 +1,21 @@
 {
   "name": "@peac/protocol",
-  "version": "0.10.6",
+  "version": "0.10.8",
   "description": "PEAC protocol implementation - receipt issuance and verification",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.js"
+    },
+    "./verify-local": {
+      "types": "./dist/verify-local.d.ts",
+      "import": "./dist/verify-local.js",
+      "require": "./dist/verify-local.js"
+    }
+  },
   "repository": {
     "type": "git",
     "url": "https://github.com/peacprotocol/peac.git",
@@ -25,10 +37,10 @@
   "dependencies": {
     "uuidv7": "^0.6.3",
     "zod": "^3.22.4",
-    "@peac/kernel": "0.10.6",
-    "@peac/schema": "0.10.6",
-    "@peac/crypto": "0.10.6",
-    "@peac/telemetry": "0.10.6"
+    "@peac/kernel": "0.10.8",
+    "@peac/schema": "0.10.8",
+    "@peac/crypto": "0.10.8",
+    "@peac/telemetry": "0.10.8"
   },
   "devDependencies": {
     "@types/node": "^20.10.0",