@peac/protocol 0.10.9 → 0.10.11

package/dist/index.mjs

@@ -0,0 +1,2612 @@
+import { uuidv7 } from 'uuidv7';
+import { sign, decode, verify, sha256Hex, computeJwkThumbprint, jwkToPublicKeyBytes, base64urlDecode } from '@peac/crypto';
+export { base64urlDecode, base64urlEncode, computeJwkThumbprint, generateKeypair, jwkToPublicKeyBytes, sha256Bytes, sha256Hex, verify } from '@peac/crypto';
+import { ZodError } from 'zod';
+import { isValidPurposeToken, isCanonicalPurpose, isValidPurposeReason, isValidWorkflowContext, createWorkflowContextInvalidError, hasValidDagSemantics, createWorkflowDagInvalidError, WORKFLOW_EXTENSION_KEY, ReceiptClaims, createEvidenceNotJsonError, validateSubjectSnapshot, parseReceiptClaims, PEAC_RECEIPT_HEADER, PEAC_PURPOSE_HEADER, parsePurposeHeader, PEAC_PURPOSE_APPLIED_HEADER, PEAC_PURPOSE_REASON_HEADER, PEAC_ISSUER_CONFIG_MAX_BYTES, PEAC_ISSUER_CONFIG_PATH, PEAC_POLICY_MAX_BYTES, PEAC_POLICY_PATH, PEAC_POLICY_FALLBACK_PATH } from '@peac/schema';
+import { createHash } from 'crypto';
+import { VERIFIER_LIMITS, VERIFIER_NETWORK, VERIFIER_POLICY_VERSION, VERIFICATION_REPORT_VERSION, WIRE_TYPE } from '@peac/kernel';
+
+// src/issue.ts
+function fireTelemetryHook(fn, input) {
+  if (!fn) return;
+  try {
+    const result = fn(input);
+    if (result && typeof result.catch === "function") {
+      result.catch(() => {
+      });
+    }
+  } catch {
+  }
+}
+function hashReceipt(jws) {
+  const hash = createHash("sha256").update(jws).digest("hex");
+  return `sha256:${hash.slice(0, 16)}`;
+}
+
+// src/issue.ts
+var IssueError = class extends Error {
+  /** Structured error details */
+  peacError;
+  constructor(peacError) {
+    const details = peacError.details;
+    super(details?.message ?? peacError.code);
+    this.name = "IssueError";
+    this.peacError = peacError;
+  }
+};
+async function issue(options) {
+  if (!options.iss.startsWith("https://")) {
+    throw new Error("Issuer URL must start with https://");
+  }
+  if (!options.aud.startsWith("https://")) {
+    throw new Error("Audience URL must start with https://");
+  }
+  if (options.subject && !options.subject.startsWith("https://")) {
+    throw new Error("Subject URI must start with https://");
+  }
+  if (!/^[A-Z]{3}$/.test(options.cur)) {
+    throw new Error("Currency must be ISO 4217 uppercase (e.g., USD)");
+  }
+  if (!Number.isInteger(options.amt) || options.amt < 0) {
+    throw new Error("Amount must be a non-negative integer");
+  }
+  if (options.exp !== void 0) {
+    if (!Number.isInteger(options.exp) || options.exp < 0) {
+      throw new Error("Expiry must be a non-negative integer");
+    }
+  }
+  let purposeDeclared;
+  if (options.purpose !== void 0) {
+    const rawPurposes = Array.isArray(options.purpose) ? options.purpose : [options.purpose];
+    const invalidTokens = [];
+    for (const token of rawPurposes) {
+      if (!isValidPurposeToken(token)) {
+        invalidTokens.push(token);
+      }
+    }
+    if (invalidTokens.length > 0) {
+      throw new Error(`Invalid purpose tokens: ${invalidTokens.join(", ")}`);
+    }
+    if (rawPurposes.includes("undeclared")) {
+      throw new Error("Explicit 'undeclared' is not a valid purpose token (internal-only)");
+    }
+    purposeDeclared = rawPurposes;
+  }
+  if (options.purpose_enforced !== void 0) {
+    if (!isCanonicalPurpose(options.purpose_enforced)) {
+      throw new Error(
+        `purpose_enforced must be a canonical purpose, got: ${options.purpose_enforced}`
+      );
+    }
+  }
+  if (options.purpose_reason !== void 0) {
+    if (!isValidPurposeReason(options.purpose_reason)) {
+      throw new Error(`Invalid purpose_reason: ${options.purpose_reason}`);
+    }
+  }
+  if (options.workflow_context !== void 0) {
+    if (!isValidWorkflowContext(options.workflow_context)) {
+      throw new IssueError(
+        createWorkflowContextInvalidError("Does not conform to WorkflowContextSchema")
+      );
+    }
+    if (!hasValidDagSemantics(options.workflow_context)) {
+      const ctx = options.workflow_context;
+      const isSelfParent = ctx.parent_step_ids.includes(ctx.step_id);
+      const hasDuplicates = new Set(ctx.parent_step_ids).size !== ctx.parent_step_ids.length;
+      const reason = isSelfParent ? "self_parent" : hasDuplicates ? "duplicate_parent" : "cycle";
+      throw new IssueError(createWorkflowDagInvalidError(reason));
+    }
+  }
+  const rid = uuidv7();
+  const iat = Math.floor(Date.now() / 1e3);
+  const claims = {
+    iss: options.iss,
+    aud: options.aud,
+    iat,
+    rid,
+    amt: options.amt,
+    cur: options.cur,
+    payment: {
+      rail: options.rail,
+      reference: options.reference,
+      amount: options.amt,
+      currency: options.cur,
+      asset: options.asset ?? options.cur,
+      // Default asset to currency for backward compatibility
+      env: options.env ?? "test",
+      // Default to test environment for backward compatibility
+      evidence: options.evidence ?? {},
+      // Default to empty object for backward compatibility
+      ...options.network && { network: options.network },
+      ...options.facilitator_ref && { facilitator_ref: options.facilitator_ref },
+      ...options.idempotency_key && { idempotency_key: options.idempotency_key },
+      ...options.metadata && { metadata: options.metadata }
+    },
+    ...options.exp && { exp: options.exp },
+    ...options.subject && { subject: { uri: options.subject } },
+    // Build extensions (merge user-provided ext with workflow_context)
+    ...(options.ext || options.workflow_context) && {
+      ext: {
+        ...options.ext,
+        ...options.workflow_context && {
+          [WORKFLOW_EXTENSION_KEY]: options.workflow_context
+        }
+      }
+    },
+    // Purpose claims (v0.9.24+)
+    ...purposeDeclared && { purpose_declared: purposeDeclared },
+    ...options.purpose_enforced && { purpose_enforced: options.purpose_enforced },
+    ...options.purpose_reason && { purpose_reason: options.purpose_reason }
+  };
+  try {
+    ReceiptClaims.parse(claims);
+  } catch (err) {
+    if (err instanceof ZodError) {
+      const evidenceIssue = err.issues.find(
+        (issue2) => issue2.path.some((p) => p === "evidence" || p === "payment")
+      );
+      if (evidenceIssue && evidenceIssue.path.includes("evidence")) {
+        const peacError = createEvidenceNotJsonError(evidenceIssue.message, evidenceIssue.path);
+        throw new IssueError(peacError);
+      }
+    }
+    throw err;
+  }
+  const validatedSnapshot = validateSubjectSnapshot(options.subject_snapshot);
+  const startTime = performance.now();
+  const jws = await sign(claims, options.privateKey, options.kid);
+  fireTelemetryHook(options.telemetry?.onReceiptIssued, {
+    receiptHash: hashReceipt(jws),
+    issuer: options.iss,
+    kid: options.kid,
+    durationMs: performance.now() - startTime
+  });
+  return {
+    jws,
+    ...validatedSnapshot && { subject_snapshot: validatedSnapshot }
+  };
+}
+async function issueJws(options) {
+  const result = await issue(options);
+  return result.jws;
+}
+var jwksCache = /* @__PURE__ */ new Map();
+var CACHE_TTL_MS = 5 * 60 * 1e3;
+async function fetchJWKS(issuerUrl) {
+  if (!issuerUrl.startsWith("https://")) {
+    throw new Error("Issuer URL must be https://");
+  }
+  const discoveryUrl = `${issuerUrl}/.well-known/peac.txt`;
+  try {
+    const discoveryResp = await fetch(discoveryUrl, {
+      headers: { Accept: "text/plain" },
+      // Timeout after 5 seconds
+      signal: AbortSignal.timeout(5e3)
+    });
+    if (!discoveryResp.ok) {
+      throw new Error(`Discovery fetch failed: ${discoveryResp.status}`);
+    }
+    const discoveryText = await discoveryResp.text();
+    const jwksLine = discoveryText.split("\n").find((line) => line.startsWith("jwks:"));
+    if (!jwksLine) {
+      throw new Error("No jwks field in discovery");
+    }
+    const jwksUrl = jwksLine.replace("jwks:", "").trim();
+    if (!jwksUrl.startsWith("https://")) {
+      throw new Error("JWKS URL must be https://");
+    }
+    const jwksResp = await fetch(jwksUrl, {
+      headers: { Accept: "application/json" },
+      signal: AbortSignal.timeout(5e3)
+    });
+    if (!jwksResp.ok) {
+      throw new Error(`JWKS fetch failed: ${jwksResp.status}`);
+    }
+    const jwks = await jwksResp.json();
+    return jwks;
+  } catch (err) {
+    throw new Error(`JWKS fetch failed: ${err instanceof Error ? err.message : String(err)}`, {
+      cause: err
+    });
+  }
+}
+async function getJWKS(issuerUrl) {
+  const now = Date.now();
+  const cached = jwksCache.get(issuerUrl);
+  if (cached && cached.expiresAt > now) {
+    return { jwks: cached.keys, fromCache: true };
+  }
+  const jwks = await fetchJWKS(issuerUrl);
+  jwksCache.set(issuerUrl, {
+    keys: jwks,
+    expiresAt: now + CACHE_TTL_MS
+  });
+  return { jwks, fromCache: false };
+}
+function jwkToPublicKey(jwk) {
+  if (jwk.kty !== "OKP" || jwk.crv !== "Ed25519") {
+    throw new Error("Only Ed25519 keys (OKP/Ed25519) are supported");
+  }
+  const xBytes = Buffer.from(jwk.x, "base64url");
+  if (xBytes.length !== 32) {
+    throw new Error("Ed25519 public key must be 32 bytes");
+  }
+  return new Uint8Array(xBytes);
+}
+async function verifyReceipt(optionsOrJws) {
+  const receiptJws = typeof optionsOrJws === "string" ? optionsOrJws : optionsOrJws.receiptJws;
+  const inputSnapshot = typeof optionsOrJws === "string" ? void 0 : optionsOrJws.subject_snapshot;
+  const telemetry = typeof optionsOrJws === "string" ? void 0 : optionsOrJws.telemetry;
+  const startTime = performance.now();
+  let jwksFetchTime;
+  try {
+    const { header, payload } = decode(receiptJws);
+    ReceiptClaims.parse(payload);
+    if (payload.exp && payload.exp < Math.floor(Date.now() / 1e3)) {
+      const durationMs = performance.now() - startTime;
+      fireTelemetryHook(telemetry?.onReceiptVerified, {
+        receiptHash: hashReceipt(receiptJws),
+        valid: false,
+        reasonCode: "expired",
+        issuer: payload.iss,
+        kid: header.kid,
+        durationMs
+      });
+      return {
+        ok: false,
+        reason: "expired",
+        details: `Receipt expired at ${new Date(payload.exp * 1e3).toISOString()}`
+      };
+    }
+    const jwksFetchStart = performance.now();
+    const { jwks, fromCache } = await getJWKS(payload.iss);
+    if (!fromCache) {
+      jwksFetchTime = performance.now() - jwksFetchStart;
+    }
+    const jwk = jwks.keys.find((k) => k.kid === header.kid);
+    if (!jwk) {
+      const durationMs = performance.now() - startTime;
+      fireTelemetryHook(telemetry?.onReceiptVerified, {
+        receiptHash: hashReceipt(receiptJws),
+        valid: false,
+        reasonCode: "unknown_key",
+        issuer: payload.iss,
+        kid: header.kid,
+        durationMs
+      });
+      return {
+        ok: false,
+        reason: "unknown_key",
+        details: `No key found with kid=${header.kid}`
+      };
+    }
+    const publicKey = jwkToPublicKey(jwk);
+    const result = await verify(receiptJws, publicKey);
+    if (!result.valid) {
+      const durationMs = performance.now() - startTime;
+      fireTelemetryHook(telemetry?.onReceiptVerified, {
+        receiptHash: hashReceipt(receiptJws),
+        valid: false,
+        reasonCode: "invalid_signature",
+        issuer: payload.iss,
+        kid: header.kid,
+        durationMs
+      });
+      return {
+        ok: false,
+        reason: "invalid_signature",
+        details: "Ed25519 signature verification failed"
+      };
+    }
+    const validatedSnapshot = validateSubjectSnapshot(inputSnapshot);
+    const verifyTime = performance.now() - startTime;
+    fireTelemetryHook(telemetry?.onReceiptVerified, {
+      receiptHash: hashReceipt(receiptJws),
+      valid: true,
+      issuer: payload.iss,
+      kid: header.kid,
+      durationMs: verifyTime
+    });
+    return {
+      ok: true,
+      claims: payload,
+      ...validatedSnapshot && { subject_snapshot: validatedSnapshot },
+      perf: {
+        verify_ms: verifyTime,
+        ...jwksFetchTime && { jwks_fetch_ms: jwksFetchTime }
+      }
+    };
+  } catch (err) {
+    const durationMs = performance.now() - startTime;
+    fireTelemetryHook(telemetry?.onReceiptVerified, {
+      receiptHash: hashReceipt(receiptJws),
+      valid: false,
+      reasonCode: "verification_error",
+      durationMs
+    });
+    return {
+      ok: false,
+      reason: "verification_error",
+      details: err instanceof Error ? err.message : String(err)
+    };
+  }
+}
+function isCryptoError(err) {
+  return err !== null && typeof err === "object" && "name" in err && err.name === "CryptoError" && "code" in err && typeof err.code === "string" && err.code.startsWith("CRYPTO_") && "message" in err && typeof err.message === "string";
+}
+var FORMAT_ERROR_CODES = /* @__PURE__ */ new Set([
+  "CRYPTO_INVALID_JWS_FORMAT",
+  "CRYPTO_INVALID_TYP",
+  "CRYPTO_INVALID_ALG",
+  "CRYPTO_INVALID_KEY_LENGTH"
+]);
+var MAX_PARSE_ISSUES = 25;
+function sanitizeParseIssues(issues) {
+  if (!Array.isArray(issues)) return void 0;
+  return issues.slice(0, MAX_PARSE_ISSUES).map((issue2) => ({
+    path: Array.isArray(issue2?.path) ? issue2.path.join(".") : "",
+    message: typeof issue2?.message === "string" ? issue2.message : String(issue2)
+  }));
+}
+async function verifyLocal(jws, publicKey, options = {}) {
+  const { issuer, audience, subjectUri, rid, requireExp = false, maxClockSkew = 300 } = options;
+  const now = options.now ?? Math.floor(Date.now() / 1e3);
+  try {
+    const result = await verify(jws, publicKey);
+    if (!result.valid) {
+      return {
+        valid: false,
+        code: "E_INVALID_SIGNATURE",
+        message: "Ed25519 signature verification failed"
+      };
+    }
+    const pr = parseReceiptClaims(result.payload);
+    if (!pr.ok) {
+      return {
+        valid: false,
+        code: "E_INVALID_FORMAT",
+        message: `Receipt schema validation failed: ${pr.error.message}`,
+        details: { parse_code: pr.error.code, issues: sanitizeParseIssues(pr.error.issues) }
+      };
+    }
+    if (issuer !== void 0 && pr.claims.iss !== issuer) {
+      return {
+        valid: false,
+        code: "E_INVALID_ISSUER",
+        message: `Issuer mismatch: expected "${issuer}", got "${pr.claims.iss}"`
+      };
+    }
+    if (audience !== void 0 && pr.claims.aud !== audience) {
+      return {
+        valid: false,
+        code: "E_INVALID_AUDIENCE",
+        message: `Audience mismatch: expected "${audience}", got "${pr.claims.aud}"`
+      };
+    }
+    if (rid !== void 0 && pr.claims.rid !== rid) {
+      return {
+        valid: false,
+        code: "E_INVALID_RECEIPT_ID",
+        message: `Receipt ID mismatch: expected "${rid}", got "${pr.claims.rid}"`
+      };
+    }
+    if (requireExp && pr.claims.exp === void 0) {
+      return {
+        valid: false,
+        code: "E_MISSING_EXP",
+        message: "Receipt missing required exp claim"
+      };
+    }
+    if (pr.claims.iat > now + maxClockSkew) {
+      return {
+        valid: false,
+        code: "E_NOT_YET_VALID",
+        message: `Receipt not yet valid: issued at ${new Date(pr.claims.iat * 1e3).toISOString()}, now is ${new Date(now * 1e3).toISOString()}`
+      };
+    }
+    if (pr.claims.exp !== void 0 && pr.claims.exp < now - maxClockSkew) {
+      return {
+        valid: false,
+        code: "E_EXPIRED",
+        message: `Receipt expired at ${new Date(pr.claims.exp * 1e3).toISOString()}`
+      };
+    }
+    if (pr.variant === "commerce") {
+      const claims = pr.claims;
+      if (subjectUri !== void 0 && claims.subject?.uri !== subjectUri) {
+        return {
+          valid: false,
+          code: "E_INVALID_SUBJECT",
+          message: `Subject mismatch: expected "${subjectUri}", got "${claims.subject?.uri ?? "undefined"}"`
+        };
+      }
+      return {
+        valid: true,
+        variant: "commerce",
+        claims,
+        kid: result.header.kid,
+        policy_binding: "unavailable"
+      };
+    } else {
+      const claims = pr.claims;
+      if (subjectUri !== void 0 && claims.sub !== subjectUri) {
+        return {
+          valid: false,
+          code: "E_INVALID_SUBJECT",
+          message: `Subject mismatch: expected "${subjectUri}", got "${claims.sub ?? "undefined"}"`
+        };
+      }
+      return {
+        valid: true,
+        variant: "attestation",
+        claims,
+        kid: result.header.kid,
+        policy_binding: "unavailable"
+      };
+    }
+  } catch (err) {
+    if (isCryptoError(err)) {
+      if (FORMAT_ERROR_CODES.has(err.code)) {
+        return {
+          valid: false,
+          code: "E_INVALID_FORMAT",
+          message: err.message
+        };
+      }
+      if (err.code === "CRYPTO_INVALID_SIGNATURE") {
+        return {
+          valid: false,
+          code: "E_INVALID_SIGNATURE",
+          message: err.message
+        };
+      }
+    }
+    if (err !== null && typeof err === "object" && "name" in err && err.name === "SyntaxError") {
+      const syntaxMessage = "message" in err && typeof err.message === "string" ? err.message : "Invalid JSON";
+      return {
+        valid: false,
+        code: "E_INVALID_FORMAT",
+        message: `Invalid receipt payload: ${syntaxMessage}`
+      };
+    }
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      valid: false,
+      code: "E_INTERNAL",
+      message: `Unexpected verification error: ${message}`
+    };
+  }
+}
+function isCommerceResult(r) {
+  return r.valid === true && r.variant === "commerce";
+}
+function isAttestationResult(r) {
+  return r.valid === true && r.variant === "attestation";
+}
+function setReceiptHeader(headers, receiptJws) {
+  headers.set(PEAC_RECEIPT_HEADER, receiptJws);
+}
+function getReceiptHeader(headers) {
+  return headers.get(PEAC_RECEIPT_HEADER);
+}
+function setVaryHeader(headers) {
+  const existing = headers.get("Vary");
+  if (existing) {
+    const varies = existing.split(",").map((v) => v.trim());
+    if (!varies.includes(PEAC_RECEIPT_HEADER)) {
+      headers.set("Vary", `${existing}, ${PEAC_RECEIPT_HEADER}`);
+    }
+  } else {
+    headers.set("Vary", PEAC_RECEIPT_HEADER);
+  }
+}
+function getPurposeHeader(headers) {
+  const value = headers.get(PEAC_PURPOSE_HEADER);
+  if (!value) {
+    return [];
+  }
+  return parsePurposeHeader(value);
+}
+function setPurposeAppliedHeader(headers, purpose) {
+  headers.set(PEAC_PURPOSE_APPLIED_HEADER, purpose);
+}
+function setPurposeReasonHeader(headers, reason) {
+  headers.set(PEAC_PURPOSE_REASON_HEADER, reason);
+}
+function setVaryPurposeHeader(headers) {
+  const existing = headers.get("Vary");
+  if (existing) {
+    const varies = existing.split(",").map((v) => v.trim());
+    if (!varies.includes(PEAC_PURPOSE_HEADER)) {
+      headers.set("Vary", `${existing}, ${PEAC_PURPOSE_HEADER}`);
+    }
+  } else {
+    headers.set("Vary", PEAC_PURPOSE_HEADER);
+  }
+}
+function parseIssuerConfig(json) {
+  let config;
+  if (typeof json === "string") {
+    const bytes = new TextEncoder().encode(json).length;
+    if (bytes > PEAC_ISSUER_CONFIG_MAX_BYTES) {
+      throw new Error(`Issuer config exceeds ${PEAC_ISSUER_CONFIG_MAX_BYTES} bytes (got ${bytes})`);
+    }
+    try {
+      config = JSON.parse(json);
+    } catch {
+      throw new Error("Issuer config is not valid JSON");
+    }
+  } else {
+    config = json;
+  }
+  if (typeof config !== "object" || config === null) {
+    throw new Error("Issuer config must be an object");
+  }
+  const obj = config;
+  if (typeof obj.version !== "string" || !obj.version) {
+    throw new Error("Missing required field: version");
+  }
+  if (typeof obj.issuer !== "string" || !obj.issuer) {
+    throw new Error("Missing required field: issuer");
+  }
+  if (typeof obj.jwks_uri !== "string" || !obj.jwks_uri) {
+    throw new Error("Missing required field: jwks_uri");
+  }
+  if (!obj.issuer.startsWith("https://")) {
+    throw new Error("issuer must be an HTTPS URL");
+  }
+  if (!obj.jwks_uri.startsWith("https://")) {
+    throw new Error("jwks_uri must be an HTTPS URL");
+  }
+  if (obj.verify_endpoint !== void 0) {
+    if (typeof obj.verify_endpoint !== "string") {
+      throw new Error("verify_endpoint must be a string");
+    }
+    if (!obj.verify_endpoint.startsWith("https://")) {
+      throw new Error("verify_endpoint must be an HTTPS URL");
+    }
+  }
+  if (obj.receipt_versions !== void 0) {
+    if (!Array.isArray(obj.receipt_versions)) {
+      throw new Error("receipt_versions must be an array");
+    }
+  }
+  if (obj.algorithms !== void 0) {
+    if (!Array.isArray(obj.algorithms)) {
+      throw new Error("algorithms must be an array");
+    }
+  }
+  if (obj.payment_rails !== void 0) {
+    if (!Array.isArray(obj.payment_rails)) {
+      throw new Error("payment_rails must be an array");
+    }
+  }
+  return {
+    version: obj.version,
+    issuer: obj.issuer,
+    jwks_uri: obj.jwks_uri,
+    verify_endpoint: obj.verify_endpoint,
+    receipt_versions: obj.receipt_versions,
+    algorithms: obj.algorithms,
+    payment_rails: obj.payment_rails,
+    security_contact: obj.security_contact
+  };
+}
+async function fetchIssuerConfig(issuerUrl) {
+  if (!issuerUrl.startsWith("https://")) {
+    throw new Error("Issuer URL must be https://");
+  }
+  const baseUrl = issuerUrl.replace(/\/$/, "");
+  const configUrl = `${baseUrl}${PEAC_ISSUER_CONFIG_PATH}`;
+  try {
+    const resp = await fetch(configUrl, {
+      headers: { Accept: "application/json" },
+      signal: AbortSignal.timeout(1e4)
+    });
+    if (!resp.ok) {
+      throw new Error(`Issuer config fetch failed: ${resp.status}`);
+    }
+    const text = await resp.text();
+    const config = parseIssuerConfig(text);
+    const normalizedExpected = baseUrl.replace(/\/$/, "");
+    const normalizedActual = config.issuer.replace(/\/$/, "");
+    if (normalizedActual !== normalizedExpected) {
+      throw new Error(`Issuer mismatch: expected ${normalizedExpected}, got ${normalizedActual}`);
+    }
+    return config;
+  } catch (err) {
+    throw new Error(
+      `Failed to fetch issuer config from ${issuerUrl}: ${err instanceof Error ? err.message : String(err)}`,
+      { cause: err }
+    );
+  }
+}
+function isJsonContent(text, contentType) {
+  if (contentType?.includes("application/json")) {
+    return true;
+  }
+  const firstChar = text.trimStart()[0];
+  return firstChar === "{";
+}
+function parsePolicyManifest(text, contentType) {
+  const bytes = new TextEncoder().encode(text).length;
+  if (bytes > PEAC_POLICY_MAX_BYTES) {
+    throw new Error(`Policy manifest exceeds ${PEAC_POLICY_MAX_BYTES} bytes (got ${bytes})`);
+  }
+  let manifest;
+  if (isJsonContent(text, contentType)) {
+    try {
+      manifest = JSON.parse(text);
+    } catch {
+      throw new Error("Policy manifest is not valid JSON");
+    }
+  } else {
+    manifest = parseSimpleYaml(text);
+  }
+  if (typeof manifest.version !== "string" || !manifest.version) {
+    throw new Error("Missing required field: version");
+  }
+  if (!manifest.version.startsWith("peac-policy/")) {
+    throw new Error(
+      `Invalid version format: "${manifest.version}". Must start with "peac-policy/" (e.g., "peac-policy/0.1")`
+    );
+  }
+  if (manifest.usage !== "open" && manifest.usage !== "conditional") {
+    throw new Error('Missing or invalid field: usage (must be "open" or "conditional")');
+  }
+  return {
+    version: manifest.version,
+    usage: manifest.usage,
+    purposes: manifest.purposes,
+    receipts: manifest.receipts,
+    attribution: manifest.attribution,
+    rate_limit: manifest.rate_limit,
+    daily_limit: manifest.daily_limit,
+    negotiate: manifest.negotiate,
+    contact: manifest.contact,
+    license: manifest.license,
+    price: manifest.price,
+    currency: manifest.currency,
+    payment_methods: manifest.payment_methods,
+    payment_endpoint: manifest.payment_endpoint
+  };
+}
+function parseSimpleYaml(text) {
+  const lines = text.split("\n");
+  const result = {};
+  if (text.includes("<<:")) {
+    throw new Error("YAML merge keys are not allowed");
+  }
+  if (text.includes("&") || text.includes("*")) {
+    throw new Error("YAML anchors and aliases are not allowed");
+  }
+  if (/!\w+/.test(text)) {
+    throw new Error("YAML custom tags are not allowed");
+  }
+  const docSeparators = text.match(/^---$/gm);
+  if (docSeparators && docSeparators.length > 1) {
+    throw new Error("Multi-document YAML is not allowed");
+  }
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#") || trimmed === "---") {
+      continue;
+    }
+    const colonIndex = trimmed.indexOf(":");
+    if (colonIndex === -1) continue;
+    const key = trimmed.slice(0, colonIndex).trim();
+    let value = trimmed.slice(colonIndex + 1).trim();
+    if (value === "") {
+      value = void 0;
+    } else if (typeof value === "string") {
+      if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+        value = value.slice(1, -1);
+      } else if (value.startsWith("[") && value.endsWith("]")) {
+        const inner = value.slice(1, -1);
+        value = inner.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
+      } else if (/^-?\d+(\.\d+)?$/.test(value)) {
+        value = parseFloat(value);
+      } else if (value === "true") {
+        value = true;
+      } else if (value === "false") {
+        value = false;
+      }
+    }
+    if (value !== void 0) {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+async function fetchPolicyManifest(baseUrl) {
+  if (!baseUrl.startsWith("https://") && !baseUrl.startsWith("http://localhost")) {
+    throw new Error("Base URL must be https://");
+  }
+  const normalizedBase = baseUrl.replace(/\/$/, "");
+  const primaryUrl = `${normalizedBase}${PEAC_POLICY_PATH}`;
+  const fallbackUrl = `${normalizedBase}${PEAC_POLICY_FALLBACK_PATH}`;
+  try {
+    const resp = await fetch(primaryUrl, {
+      headers: { Accept: "text/plain, application/json" },
+      signal: AbortSignal.timeout(5e3)
+    });
+    if (resp.ok) {
+      const text = await resp.text();
+      const contentType = resp.headers.get("content-type") || void 0;
+      return parsePolicyManifest(text, contentType);
+    }
+    if (resp.status === 404) {
+      const fallbackResp = await fetch(fallbackUrl, {
+        headers: { Accept: "text/plain, application/json" },
+        signal: AbortSignal.timeout(5e3)
+      });
+      if (fallbackResp.ok) {
+        const text = await fallbackResp.text();
+        const contentType = fallbackResp.headers.get("content-type") || void 0;
+        return parsePolicyManifest(text, contentType);
+      }
+      throw new Error("Policy manifest not found at primary or fallback location");
+    }
+    throw new Error(`Policy manifest fetch failed: ${resp.status}`);
+  } catch (err) {
+    throw new Error(
+      `Failed to fetch policy manifest from ${baseUrl}: ${err instanceof Error ? err.message : String(err)}`,
+      { cause: err }
+    );
+  }
+}
+function parseDiscovery(text) {
+  const bytes = new TextEncoder().encode(text).length;
+  if (bytes > 2e3) {
+    throw new Error(`Discovery manifest exceeds 2000 bytes (got ${bytes})`);
+  }
+  const lines = text.trim().split("\n");
+  if (lines.length > 20) {
+    throw new Error(`Discovery manifest exceeds 20 lines (got ${lines.length})`);
+  }
+  const discovery = {};
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) {
+      continue;
+    }
+    if (trimmed.includes(":")) {
+      const [key, ...valueParts] = trimmed.split(":");
+      const value = valueParts.join(":").trim();
+      switch (key.trim()) {
+        case "version":
+          discovery.version = value;
+          break;
+        case "issuer":
+          discovery.issuer = value;
+          break;
+        case "verify":
+          discovery.verify_endpoint = value;
+          break;
+        case "jwks":
+          discovery.jwks_uri = value;
+          break;
+        case "security":
+          discovery.security_contact = value;
+          break;
+      }
+    }
+  }
+  if (!discovery.version) throw new Error("Missing required field: version");
+  if (!discovery.issuer) throw new Error("Missing required field: issuer");
+  if (!discovery.verify_endpoint) throw new Error("Missing required field: verify");
+  if (!discovery.jwks_uri) throw new Error("Missing required field: jwks");
+  return discovery;
+}
+async function fetchDiscovery(issuerUrl) {
+  if (!issuerUrl.startsWith("https://")) {
+    throw new Error("Issuer URL must be https://");
+  }
+  const discoveryUrl = `${issuerUrl}/.well-known/peac.txt`;
+  try {
+    const resp = await fetch(discoveryUrl, {
+      headers: { Accept: "text/plain" },
+      signal: AbortSignal.timeout(5e3)
+    });
+    if (!resp.ok) {
+      throw new Error(`Discovery fetch failed: ${resp.status}`);
+    }
+    const text = await resp.text();
+    return parseDiscovery(text);
+  } catch (err) {
+    throw new Error(
+      `Failed to fetch discovery from ${issuerUrl}: ${err instanceof Error ? err.message : String(err)}`,
+      { cause: err }
+    );
+  }
+}
+var DEFAULT_VERIFIER_LIMITS = {
+  max_receipt_bytes: VERIFIER_LIMITS.maxReceiptBytes,
+  max_jwks_bytes: VERIFIER_LIMITS.maxJwksBytes,
+  max_jwks_keys: VERIFIER_LIMITS.maxJwksKeys,
+  max_redirects: VERIFIER_LIMITS.maxRedirects,
+  fetch_timeout_ms: VERIFIER_LIMITS.fetchTimeoutMs,
+  max_extension_bytes: VERIFIER_LIMITS.maxExtensionBytes
+};
+var DEFAULT_NETWORK_SECURITY = {
+  https_only: VERIFIER_NETWORK.httpsOnly,
+  block_private_ips: VERIFIER_NETWORK.blockPrivateIps,
+  allow_redirects: VERIFIER_NETWORK.allowRedirects,
+  allow_cross_origin_redirects: true,
+  // Allow for CDN compatibility
+  dns_failure_behavior: "block"
+  // Fail-closed by default
+};
+function createDefaultPolicy(mode) {
+  return {
+    policy_version: VERIFIER_POLICY_VERSION,
+    mode,
+    limits: { ...DEFAULT_VERIFIER_LIMITS },
+    network: { ...DEFAULT_NETWORK_SECURITY }
+  };
+}
+var CHECK_IDS = [
+  "jws.parse",
+  "limits.receipt_bytes",
+  "jws.protected_header",
+  "claims.schema_unverified",
+  "issuer.trust_policy",
+  "issuer.discovery",
+  "key.resolve",
+  "jws.signature",
+  "claims.time_window",
+  "extensions.limits",
+  "transport.profile_binding",
+  "policy.binding"
+];
+var NON_DETERMINISTIC_ARTIFACT_KEYS = [
+  "issuer_jwks_digest"
+];
+function createDigest(hexValue) {
+  return {
+    alg: "sha-256",
+    value: hexValue.toLowerCase()
+  };
+}
+function createEmptyReport(policy) {
+  return {
+    report_version: VERIFICATION_REPORT_VERSION,
+    policy
+  };
+}
+function ssrfErrorToReasonCode(ssrfReason, fetchType) {
+  const prefix = fetchType === "key" ? "key_fetch" : "pointer_fetch";
+  switch (ssrfReason) {
+    case "not_https":
+    case "private_ip":
+    case "loopback":
+    case "link_local":
+    case "cross_origin_redirect":
+    case "dns_failure":
+      return `${prefix}_blocked`;
+    case "timeout":
+      return `${prefix}_timeout`;
+    case "response_too_large":
+      return fetchType === "pointer" ? "pointer_fetch_too_large" : "jwks_too_large";
+    case "jwks_too_many_keys":
+      return "jwks_too_many_keys";
+    case "too_many_redirects":
+    case "scheme_downgrade":
+    case "network_error":
+    case "invalid_url":
+    default:
+      return `${prefix}_failed`;
+  }
+}
+function reasonCodeToSeverity(reason) {
+  if (reason === "ok") return "info";
+  return "error";
+}
+function reasonCodeToErrorCode(reason) {
+  const mapping = {
+    ok: "",
+    receipt_too_large: "E_VERIFY_RECEIPT_TOO_LARGE",
+    malformed_receipt: "E_VERIFY_MALFORMED_RECEIPT",
+    signature_invalid: "E_VERIFY_SIGNATURE_INVALID",
+    issuer_not_allowed: "E_VERIFY_ISSUER_NOT_ALLOWED",
+    key_not_found: "E_VERIFY_KEY_NOT_FOUND",
+    key_fetch_blocked: "E_VERIFY_KEY_FETCH_BLOCKED",
+    key_fetch_failed: "E_VERIFY_KEY_FETCH_FAILED",
+    key_fetch_timeout: "E_VERIFY_KEY_FETCH_TIMEOUT",
+    pointer_fetch_blocked: "E_VERIFY_POINTER_FETCH_BLOCKED",
+    pointer_fetch_failed: "E_VERIFY_POINTER_FETCH_FAILED",
+    pointer_fetch_timeout: "E_VERIFY_POINTER_FETCH_TIMEOUT",
+    pointer_fetch_too_large: "E_VERIFY_POINTER_FETCH_TOO_LARGE",
+    pointer_digest_mismatch: "E_VERIFY_POINTER_DIGEST_MISMATCH",
+    jwks_too_large: "E_VERIFY_JWKS_TOO_LARGE",
+    jwks_too_many_keys: "E_VERIFY_JWKS_TOO_MANY_KEYS",
+    expired: "E_VERIFY_EXPIRED",
+    not_yet_valid: "E_VERIFY_NOT_YET_VALID",
+    audience_mismatch: "E_VERIFY_AUDIENCE_MISMATCH",
+    schema_invalid: "E_VERIFY_SCHEMA_INVALID",
+    policy_violation: "E_VERIFY_POLICY_VIOLATION",
+    extension_too_large: "E_VERIFY_EXTENSION_TOO_LARGE",
+    invalid_transport: "E_VERIFY_INVALID_TRANSPORT"
+  };
+  return mapping[reason] || "E_VERIFY_POLICY_VIOLATION";
+}
+var cachedCapabilities = null;
+function getSSRFCapabilities() {
+  if (cachedCapabilities) {
+    return cachedCapabilities;
+  }
+  cachedCapabilities = detectCapabilities();
+  return cachedCapabilities;
+}
+function detectCapabilities() {
+  if (typeof process !== "undefined" && process.versions?.node) {
+    return {
+      runtime: "node",
+      dnsPreResolution: true,
+      ipBlocking: true,
+      networkIsolation: false,
+      protectionLevel: "full",
+      notes: [
+        "Full SSRF protection available via Node.js dns module",
+        "DNS resolution checked before HTTP connection",
+        "All RFC 1918 private ranges blocked"
+      ]
+    };
+  }
+  if (typeof process !== "undefined" && process.versions?.bun) {
+    return {
+      runtime: "bun",
+      dnsPreResolution: true,
+      ipBlocking: true,
+      networkIsolation: false,
+      protectionLevel: "full",
+      notes: [
+        "Full SSRF protection available via Bun dns compatibility",
+        "DNS resolution checked before HTTP connection"
+      ]
+    };
+  }
+  if (typeof globalThis !== "undefined" && "Deno" in globalThis) {
+    return {
+      runtime: "deno",
+      dnsPreResolution: false,
+      ipBlocking: false,
+      networkIsolation: false,
+      protectionLevel: "partial",
+      notes: [
+        "DNS pre-resolution not available in Deno by default",
+        "SSRF protection limited to URL validation and response limits",
+        "Consider using Deno.connect with hostname resolution for enhanced protection"
+      ]
+    };
+  }
+  if (typeof globalThis !== "undefined" && typeof globalThis.caches !== "undefined" && typeof globalThis.HTMLRewriter !== "undefined") {
+    return {
+      runtime: "cloudflare-workers",
+      dnsPreResolution: false,
+      ipBlocking: false,
+      networkIsolation: true,
+      protectionLevel: "partial",
+      notes: [
+        "Cloudflare Workers provide network-level isolation",
+        "DNS pre-resolution not available in Workers runtime",
+        "CF network blocks many SSRF vectors at infrastructure level",
+        "SSRF protection supplemented by URL validation and response limits"
+      ]
+    };
+  }
+  const g = globalThis;
+  if (typeof g.window !== "undefined" || typeof g.document !== "undefined") {
+    return {
+      runtime: "browser",
+      dnsPreResolution: false,
+      ipBlocking: false,
+      networkIsolation: false,
+      protectionLevel: "minimal",
+      notes: [
+        "Browser environment detected; DNS pre-resolution not available",
+        "SSRF protection limited to URL scheme validation",
+        "Consider validating URLs server-side before browser fetch",
+        "Same-origin policy provides some protection against SSRF"
+      ]
+    };
+  }
+  return {
+    runtime: "edge-generic",
+    dnsPreResolution: false,
+    ipBlocking: false,
+    networkIsolation: false,
+    protectionLevel: "partial",
+    notes: [
+      "Edge runtime detected; DNS pre-resolution may not be available",
+      "SSRF protection limited to URL validation and response limits",
+      "Verify runtime provides additional network-level protections"
+    ]
+  };
+}
+function resetSSRFCapabilitiesCache() {
+  cachedCapabilities = null;
+}
+function parseIPv4(ip) {
+  const parts = ip.split(".");
+  if (parts.length !== 4) return null;
+  const octets = [];
+  for (const part of parts) {
+    const num = parseInt(part, 10);
+    if (isNaN(num) || num < 0 || num > 255) return null;
+    octets.push(num);
+  }
+  return { octets };
+}
+function isInCIDR(ip, cidr) {
+  const [rangeStr, maskStr] = cidr.split("/");
+  const range = parseIPv4(rangeStr);
+  if (!range) return false;
+  const maskBits = parseInt(maskStr, 10);
+  if (isNaN(maskBits) || maskBits < 0 || maskBits > 32) return false;
+  const ipNum = ip.octets[0] << 24 | ip.octets[1] << 16 | ip.octets[2] << 8 | ip.octets[3];
+  const rangeNum = range.octets[0] << 24 | range.octets[1] << 16 | range.octets[2] << 8 | range.octets[3];
+  const mask = maskBits === 0 ? 0 : ~((1 << 32 - maskBits) - 1);
+  return (ipNum & mask) === (rangeNum & mask);
+}
+function isIPv6Loopback(ip) {
+  const normalized = ip.toLowerCase().replace(/^::ffff:/, "");
+  return normalized === "::1" || normalized === "0:0:0:0:0:0:0:1";
+}
+function isIPv6LinkLocal(ip) {
+  const normalized = ip.toLowerCase();
+  return normalized.startsWith("fe8") || normalized.startsWith("fe9") || normalized.startsWith("fea") || normalized.startsWith("feb");
+}
+function isBlockedIP(ip) {
+  const ipv4Match = ip.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/i);
+  const effectiveIP = ipv4Match ? ipv4Match[1] : ip;
+  const ipv4 = parseIPv4(effectiveIP);
+  if (ipv4) {
+    if (isInCIDR(ipv4, "10.0.0.0/8") || isInCIDR(ipv4, "172.16.0.0/12") || isInCIDR(ipv4, "192.168.0.0/16")) {
+      return { blocked: true, reason: "private_ip" };
+    }
+    if (isInCIDR(ipv4, "127.0.0.0/8")) {
+      return { blocked: true, reason: "loopback" };
+    }
+    if (isInCIDR(ipv4, "169.254.0.0/16")) {
+      return { blocked: true, reason: "link_local" };
+    }
+    return { blocked: false };
+  }
+  if (isIPv6Loopback(ip)) {
+    return { blocked: true, reason: "loopback" };
+  }
+  if (isIPv6LinkLocal(ip)) {
+    return { blocked: true, reason: "link_local" };
+  }
+  return { blocked: false };
+}
+async function resolveHostname(hostname) {
+  if (typeof process !== "undefined" && process.versions?.node) {
+    try {
+      const dns = await import('dns');
+      const { promisify } = await import('util');
+      const resolve4 = promisify(dns.resolve4);
+      const resolve6 = promisify(dns.resolve6);
+      const results = [];
+      let ipv4Error = null;
+      let ipv6Error = null;
+      try {
+        const ipv4 = await resolve4(hostname);
+        results.push(...ipv4);
+      } catch (err) {
+        ipv4Error = err;
+      }
+      try {
+        const ipv6 = await resolve6(hostname);
+        results.push(...ipv6);
+      } catch (err) {
+        ipv6Error = err;
+      }
+      if (results.length > 0) {
+        return { ok: true, ips: results, browser: false };
+      }
+      if (ipv4Error && ipv6Error) {
+        return {
+          ok: false,
+          message: `DNS resolution failed for ${hostname}: ${ipv4Error.message}`
+        };
+      }
+      return { ok: true, ips: [], browser: false };
+    } catch (err) {
+      return {
+        ok: false,
+        message: `DNS resolution error: ${err instanceof Error ? err.message : String(err)}`
+      };
+    }
+  }
+  return { ok: true, ips: [], browser: true };
+}
+async function ssrfSafeFetch(url, options = {}) {
+  const {
+    timeoutMs = VERIFIER_LIMITS.fetchTimeoutMs,
+    maxBytes = VERIFIER_LIMITS.maxResponseBytes,
+    maxRedirects = 0,
+    allowRedirects = VERIFIER_NETWORK.allowRedirects,
+    allowCrossOriginRedirects = true,
+    // Default: allow for CDN compatibility
+    dnsFailureBehavior = "block",
+    // Default: fail-closed for security
+    headers = {}
+  } = options;
+  let parsedUrl;
+  try {
+    parsedUrl = new URL(url);
+  } catch {
+    return {
+      ok: false,
+      reason: "invalid_url",
+      message: `Invalid URL: ${url}`,
+      blockedUrl: url
+    };
+  }
+  if (parsedUrl.protocol !== "https:") {
+    return {
+      ok: false,
+      reason: "not_https",
+      message: `URL must use HTTPS: ${url}`,
+      blockedUrl: url
+    };
+  }
+  const dnsResult = await resolveHostname(parsedUrl.hostname);
+  if (!dnsResult.ok) {
+    if (dnsFailureBehavior === "block") {
+      return {
+        ok: false,
+        reason: "dns_failure",
+        message: `DNS resolution blocked: ${dnsResult.message}`,
+        blockedUrl: url
+      };
+    }
+    return {
+      ok: false,
+      reason: "network_error",
+      message: dnsResult.message,
+      blockedUrl: url
+    };
+  }
+  if (!dnsResult.browser) {
+    for (const ip of dnsResult.ips) {
+      const blockResult = isBlockedIP(ip);
+      if (blockResult.blocked) {
+        return {
+          ok: false,
+          reason: blockResult.reason,
+          message: `Blocked ${blockResult.reason} address: ${ip} for ${url}`,
+          blockedUrl: url
+        };
+      }
+    }
+  }
+  let redirectCount = 0;
+  let currentUrl = url;
+  const originalOrigin = parsedUrl.origin;
+  while (true) {
+    try {
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+      const response = await fetch(currentUrl, {
+        headers: {
+          Accept: "application/json, text/plain",
+          ...headers
+        },
+        signal: controller.signal,
+        redirect: "manual"
+        // Handle redirects manually for security
+      });
+      clearTimeout(timeoutId);
+      if (response.status >= 300 && response.status < 400) {
+        const location = response.headers.get("location");
+        if (!location) {
+          return {
+            ok: false,
+            reason: "network_error",
+            message: `Redirect without Location header from ${currentUrl}`
+          };
+        }
+        if (!allowRedirects) {
+          return {
+            ok: false,
+            reason: "too_many_redirects",
+            message: `Redirects not allowed: ${currentUrl} -> ${location}`,
+            blockedUrl: location
+          };
+        }
+        redirectCount++;
+        if (redirectCount > maxRedirects) {
+          return {
+            ok: false,
+            reason: "too_many_redirects",
+            message: `Too many redirects (${redirectCount} > ${maxRedirects})`,
+            blockedUrl: location
+          };
+        }
+        let redirectUrl;
+        try {
+          redirectUrl = new URL(location, currentUrl);
+        } catch {
+          return {
+            ok: false,
+            reason: "invalid_url",
+            message: `Invalid redirect URL: ${location}`,
+            blockedUrl: location
+          };
+        }
+        if (redirectUrl.protocol !== "https:") {
+          return {
+            ok: false,
+            reason: "scheme_downgrade",
+            message: `HTTPS to HTTP downgrade not allowed: ${currentUrl} -> ${redirectUrl.href}`,
+            blockedUrl: redirectUrl.href
+          };
+        }
+        if (redirectUrl.origin !== originalOrigin && !allowCrossOriginRedirects) {
+          return {
+            ok: false,
+            reason: "cross_origin_redirect",
+            message: `Cross-origin redirect not allowed: ${originalOrigin} -> ${redirectUrl.origin}`,
+            blockedUrl: redirectUrl.href
+          };
+        }
+        const redirectDnsResult = await resolveHostname(redirectUrl.hostname);
+        if (!redirectDnsResult.ok) {
+          if (dnsFailureBehavior === "block") {
+            return {
+              ok: false,
+              reason: "dns_failure",
+              message: `Redirect DNS resolution blocked: ${redirectDnsResult.message}`,
+              blockedUrl: redirectUrl.href
+            };
+          }
+          return {
+            ok: false,
+            reason: "network_error",
+            message: redirectDnsResult.message,
+            blockedUrl: redirectUrl.href
+          };
+        }
+        if (!redirectDnsResult.browser) {
+          for (const ip of redirectDnsResult.ips) {
+            const blockResult = isBlockedIP(ip);
+            if (blockResult.blocked) {
+              return {
+                ok: false,
+                reason: blockResult.reason,
+                message: `Redirect to blocked ${blockResult.reason} address: ${ip}`,
+                blockedUrl: redirectUrl.href
+              };
+            }
+          }
+        }
+        currentUrl = redirectUrl.href;
+        continue;
+      }
+      const contentLength = response.headers.get("content-length");
+      if (contentLength && parseInt(contentLength, 10) > maxBytes) {
+        return {
+          ok: false,
+          reason: "response_too_large",
+          message: `Response too large: ${contentLength} bytes > ${maxBytes} max`
+        };
+      }
+      const reader = response.body?.getReader();
+      if (!reader) {
+        const body2 = await response.text();
+        if (body2.length > maxBytes) {
+          return {
+            ok: false,
+            reason: "response_too_large",
+            message: `Response too large: ${body2.length} bytes > ${maxBytes} max`
+          };
+        }
+        const rawBytes2 = new TextEncoder().encode(body2);
+        return {
+          ok: true,
+          status: response.status,
+          body: body2,
+          rawBytes: rawBytes2,
+          contentType: response.headers.get("content-type") ?? void 0
+        };
+      }
+      const chunks = [];
+      let totalSize = 0;
+      while (true) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        totalSize += value.length;
+        if (totalSize > maxBytes) {
+          reader.cancel();
+          return {
+            ok: false,
+            reason: "response_too_large",
+            message: `Response too large: ${totalSize} bytes > ${maxBytes} max`
+          };
+        }
+        chunks.push(value);
+      }
+      const rawBytes = chunks.reduce((acc, chunk) => {
+        const result = new Uint8Array(acc.length + chunk.length);
+        result.set(acc);
+        result.set(chunk, acc.length);
+        return result;
+      }, new Uint8Array());
+      const body = new TextDecoder().decode(rawBytes);
+      return {
+        ok: true,
+        status: response.status,
+        body,
+        rawBytes,
+        contentType: response.headers.get("content-type") ?? void 0
+      };
+    } catch (err) {
+      if (err instanceof Error) {
+        if (err.name === "AbortError" || err.message.includes("timeout")) {
+          return {
+            ok: false,
+            reason: "timeout",
+            message: `Fetch timeout after ${timeoutMs}ms: ${currentUrl}`
+          };
+        }
+      }
+      return {
+        ok: false,
+        reason: "network_error",
+        message: `Network error: ${err instanceof Error ? err.message : String(err)}`
+      };
+    }
+  }
+}
+async function fetchJWKSSafe(jwksUrl, options) {
+  return ssrfSafeFetch(jwksUrl, {
+    ...options,
+    maxBytes: VERIFIER_LIMITS.maxJwksBytes,
+    headers: {
+      Accept: "application/json",
+      ...options?.headers
+    }
+  });
+}
+async function fetchPointerSafe(pointerUrl, options) {
+  return ssrfSafeFetch(pointerUrl, {
+    ...options,
+    maxBytes: VERIFIER_LIMITS.maxReceiptBytes,
+    headers: {
+      Accept: "application/jose, application/json",
+      ...options?.headers
+    }
+  });
+}
+var VerificationReportBuilder = class {
+  state;
+  constructor(policy) {
+    this.state = {
+      policy,
+      checks: /* @__PURE__ */ new Map(),
+      shortCircuited: false
+    };
+  }
+  /**
+   * Set the input descriptor with pre-computed digest
+   *
+   * Use this when you've already computed the SHA-256 hash.
+   *
+   * @param digestHex - SHA-256 digest as lowercase hex (64 chars)
+   * @param type - Input type
+   */
+  setInputWithDigest(digestHex, type = "receipt_jws") {
+    this.state.receiptDigestHex = digestHex;
+    this.state.input = {
+      type,
+      receipt_digest: createDigest(digestHex)
+    };
+    return this;
+  }
+  /**
+   * Set the input descriptor (async - computes SHA-256)
+   *
+   * @param receiptBytes - Raw receipt bytes
+   * @param type - Input type
+   */
+  async setInputAsync(receiptBytes, type = "receipt_jws") {
+    const digestHex = await sha256Hex(receiptBytes);
+    return this.setInputWithDigest(digestHex, type);
+  }
+  /**
+   * Add a check result
+   *
+   * Checks can be added in any order; they will be sorted in build().
+   * If a previous check failed, subsequent checks should be marked as skip.
+   */
+  addCheck(id, status, detail, errorCode) {
+    const check = { id, status };
+    if (detail && Object.keys(detail).length > 0) {
+      check.detail = detail;
+    }
+    if (errorCode) {
+      check.error_code = errorCode;
+    }
+    this.state.checks.set(id, check);
+    if (status === "fail" && !this.state.shortCircuited) {
+      this.state.shortCircuited = true;
+      this.state.failedAtCheck = id;
+    }
+    return this;
+  }
+  /**
+   * Add a passing check
+   */
+  pass(id, detail) {
+    return this.addCheck(id, "pass", detail);
+  }
+  /**
+   * Add a failing check
+   */
+  fail(id, errorCode, detail) {
+    return this.addCheck(id, "fail", detail, errorCode);
+  }
+  /**
+   * Add a skipped check
+   */
+  skip(id, detail) {
+    return this.addCheck(id, "skip", detail);
+  }
+  /**
+   * Set the final result
+   */
+  setResult(valid, reason, options) {
+    this.state.result = {
+      valid,
+      reason,
+      severity: reasonCodeToSeverity(reason),
+      receipt_type: options?.receiptType ?? WIRE_TYPE,
+      // Wire 0.1: always 'unavailable' (DD-49). Wire 0.2 will set this via options.
+      policy_binding: "unavailable",
+      ...options?.issuer && { issuer: options.issuer },
+      ...options?.kid && { kid: options.kid }
+    };
+    return this;
+  }
+  /**
+   * Set success result
+   */
+  success(issuer, kid) {
+    return this.setResult(true, "ok", { issuer, kid });
+  }
+  /**
+   * Set failure result
+   */
+  failure(reason, issuer, kid) {
+    return this.setResult(false, reason, { issuer, kid });
+  }
+  /**
+   * Add artifacts
+   */
+  addArtifact(key, value) {
+    if (!this.state.artifacts) {
+      this.state.artifacts = {};
+    }
+    this.state.artifacts[key] = value;
+    return this;
+  }
+  /**
+   * Set metadata (non-deterministic fields)
+   */
+  setMeta(meta) {
+    this.state.meta = meta;
+    return this;
+  }
+  /**
+   * Add current timestamp to meta
+   */
+  addTimestamp() {
+    if (!this.state.meta) {
+      this.state.meta = {};
+    }
+    this.state.meta.generated_at = (/* @__PURE__ */ new Date()).toISOString();
+    return this;
+  }
+  /**
+   * Build the final report
+   *
+   * Ensures all checks are present (shape-stable).
+   * Missing checks after a failure are marked as 'skip'.
+   * Missing checks before a failure (or in success) are marked as 'pass'.
+   */
+  build() {
+    if (!this.state.input) {
+      throw new Error("Input is required. Call setInputWithDigest() or setInputAsync() first.");
+    }
+    if (!this.state.result) {
+      throw new Error("Result is required. Call setResult() or success()/failure() first.");
+    }
+    const checks = [];
+    const failedIndex = this.state.failedAtCheck ? CHECK_IDS.indexOf(this.state.failedAtCheck) : -1;
+    for (let i = 0; i < CHECK_IDS.length; i++) {
+      const checkId = CHECK_IDS[i];
+      const existing = this.state.checks.get(checkId);
+      if (existing) {
+        checks.push(existing);
+      } else if (this.state.shortCircuited && i > failedIndex) {
+        checks.push({ id: checkId, status: "skip", detail: { reason: "short_circuit" } });
+      } else {
+        if (checkId === "transport.profile_binding") {
+          checks.push({ id: checkId, status: "skip", detail: { reason: "not_applicable" } });
+        } else if (checkId === "policy.binding") {
+          checks.push({
+            id: checkId,
+            status: "skip",
+            detail: { reason: "wire_01_no_policy_digest" }
+          });
+        } else {
+          checks.push({ id: checkId, status: "skip", detail: { reason: "not_executed" } });
+        }
+      }
+    }
+    const report = {
+      report_version: VERIFICATION_REPORT_VERSION,
+      input: this.state.input,
+      policy: this.state.policy,
+      result: this.state.result,
+      checks
+    };
+    if (this.state.artifacts && Object.keys(this.state.artifacts).length > 0) {
+      report.artifacts = this.state.artifacts;
+    }
+    if (this.state.meta) {
+      report.meta = this.state.meta;
+    }
+    return report;
+  }
+  /**
+   * Build in deterministic mode (excludes meta and non-deterministic artifacts)
+   *
+   * Deterministic mode ensures that the same inputs and policy always produce
+   * the same report output, regardless of cache state or timing.
+   *
+   * Excludes:
+   * - `meta`: Contains timestamps and verifier info
+   * - Non-deterministic artifacts: `issuer_jwks_digest` (depends on cache state)
+   *
+   * @returns Report without meta and with only deterministic artifacts
+   */
+  buildDeterministic() {
+    const report = this.build();
+    const { meta: _meta, ...deterministic } = report;
+    if (deterministic.artifacts) {
+      const filteredArtifacts = { ...deterministic.artifacts };
+      for (const key of NON_DETERMINISTIC_ARTIFACT_KEYS) {
+        delete filteredArtifacts[key];
+      }
+      if (Object.keys(filteredArtifacts).length === 0) {
+        delete deterministic.artifacts;
+      } else {
+        deterministic.artifacts = filteredArtifacts;
+      }
+    }
+    return deterministic;
+  }
+};
+function createReportBuilder(policy) {
+  return new VerificationReportBuilder(policy);
+}
+async function computeReceiptDigest(receiptBytes) {
+  const bytes = typeof receiptBytes === "string" ? new TextEncoder().encode(receiptBytes) : receiptBytes;
+  return sha256Hex(bytes);
+}
+async function buildFailureReport(policy, receiptBytes, reason, failedCheckId, errorCode, detail, options) {
+  const bytes = typeof receiptBytes === "string" ? new TextEncoder().encode(receiptBytes) : receiptBytes;
+  const digestHex = await sha256Hex(bytes);
+  const builder = createReportBuilder(policy).setInputWithDigest(digestHex).failure(reason, options?.issuer, options?.kid);
+  const failedIndex = CHECK_IDS.indexOf(failedCheckId);
+  for (let i = 0; i < CHECK_IDS.length; i++) {
+    const checkId = CHECK_IDS[i];
+    if (i < failedIndex) {
+      builder.pass(checkId);
+    } else if (i === failedIndex) {
+      builder.fail(checkId, errorCode ?? reasonCodeToErrorCode(reason), detail);
+    }
+  }
+  if (options?.meta) {
+    builder.setMeta(options.meta);
+  }
+  return builder.build();
+}
+async function buildSuccessReport(policy, receiptBytes, issuer, kid, checkDetails, options) {
+  const bytes = typeof receiptBytes === "string" ? new TextEncoder().encode(receiptBytes) : receiptBytes;
+  const digestHex = await sha256Hex(bytes);
+  const builder = createReportBuilder(policy).setInputWithDigest(digestHex).success(issuer, kid);
+  for (const checkId of CHECK_IDS) {
+    if (checkId === "issuer.discovery" && policy.mode === "offline_only") {
+      builder.skip(checkId, { reason: "offline_mode" });
+      continue;
+    }
+    if (checkId === "transport.profile_binding") {
+      if (checkDetails?.[checkId]) {
+        builder.pass(checkId, checkDetails[checkId]);
+      }
+      continue;
+    }
+    if (checkId === "policy.binding") {
+      continue;
+    }
+    builder.pass(checkId, checkDetails?.[checkId]);
+  }
+  if (options?.artifacts) {
+    for (const [key, value] of Object.entries(options.artifacts)) {
+      builder.addArtifact(key, value);
+    }
+  }
+  if (options?.meta) {
+    builder.setMeta(options.meta);
+  }
+  return builder.build();
+}
+
+// src/verifier-core.ts
+var jwksCache2 = /* @__PURE__ */ new Map();
+var CACHE_TTL_MS2 = 5 * 60 * 1e3;
+function normalizeIssuer(issuer) {
+  try {
+    const url = new URL(issuer);
+    if (url.port && url.port !== "443") {
+      return `${url.protocol}//${url.hostname}:${url.port}`;
+    }
+    return `${url.protocol}//${url.hostname}`;
+  } catch {
+    return issuer;
+  }
+}
+function isIssuerAllowed(issuer, allowlist) {
+  if (!allowlist || allowlist.length === 0) {
+    return true;
+  }
+  const normalized = normalizeIssuer(issuer);
+  return allowlist.some((allowed) => normalizeIssuer(allowed) === normalized);
+}
+function findPinnedKey(issuer, kid, pinnedKeys) {
+  if (!pinnedKeys || pinnedKeys.length === 0) {
+    return void 0;
+  }
+  const normalizedIssuer = normalizeIssuer(issuer);
+  return pinnedKeys.find((pk) => normalizeIssuer(pk.issuer) === normalizedIssuer && pk.kid === kid);
+}
+async function fetchIssuerConfig2(issuerOrigin) {
+  const configUrl = `${issuerOrigin}/.well-known/peac-issuer.json`;
+  const result = await ssrfSafeFetch(configUrl, {
+    maxBytes: 65536,
+    // 64 KB
+    headers: { Accept: "application/json" }
+  });
+  if (!result.ok) {
+    return null;
+  }
+  try {
+    return JSON.parse(result.body);
+  } catch {
+    return null;
+  }
+}
+async function fetchIssuerJWKS(issuerOrigin) {
+  const now = Date.now();
+  const cached = jwksCache2.get(issuerOrigin);
+  if (cached && cached.expiresAt > now) {
+    return { jwks: cached.jwks, fromCache: true };
+  }
+  const config = await fetchIssuerConfig2(issuerOrigin);
+  if (!config?.jwks_uri) {
+    const fallbackUrl = `${issuerOrigin}/.well-known/jwks.json`;
+    const result2 = await fetchJWKSSafe(fallbackUrl);
+    if (!result2.ok) {
+      return { error: result2 };
+    }
+    try {
+      const jwks = JSON.parse(result2.body);
+      jwksCache2.set(issuerOrigin, { jwks, expiresAt: now + CACHE_TTL_MS2 });
+      return { jwks, fromCache: false, rawBytes: result2.rawBytes };
+    } catch {
+      return {
+        error: {
+          ok: false,
+          reason: "network_error",
+          message: "Invalid JWKS JSON"
+        }
+      };
+    }
+  }
+  const result = await fetchJWKSSafe(config.jwks_uri);
+  if (!result.ok) {
+    return { error: result };
+  }
+  try {
+    const jwks = JSON.parse(result.body);
+    if (jwks.keys.length > VERIFIER_LIMITS.maxJwksKeys) {
+      return {
+        error: {
+          ok: false,
+          reason: "jwks_too_many_keys",
+          message: `JWKS has too many keys: ${jwks.keys.length} > ${VERIFIER_LIMITS.maxJwksKeys}`
+        }
+      };
+    }
+    jwksCache2.set(issuerOrigin, { jwks, expiresAt: now + CACHE_TTL_MS2 });
+    return { jwks, fromCache: false, rawBytes: result.rawBytes };
+  } catch {
+    return {
+      error: {
+        ok: false,
+        reason: "network_error",
+        message: "Invalid JWKS JSON"
+      }
+    };
+  }
+}
+async function verifyReceiptCore(options) {
+  const {
+    receipt,
+    policy = createDefaultPolicy("offline_preferred"),
+    referenceTime,
+    includeMeta = false
+  } = options;
+  const receiptJws = typeof receipt === "string" ? receipt : new TextDecoder().decode(receipt);
+  const receiptBytes = typeof receipt === "string" ? new TextEncoder().encode(receipt) : receipt;
+  const receiptDigestHex = await sha256Hex(receiptBytes);
+  const builder = createReportBuilder(policy);
+  builder.setInputWithDigest(receiptDigestHex);
+  const nowSeconds = referenceTime ?? Math.floor(Date.now() / 1e3);
+  let issuer;
+  let kid;
+  let parsedClaims;
+  let header;
+  let payload;
+  try {
+    const decoded = decode(receiptJws);
+    header = decoded.header;
+    payload = decoded.payload;
+    builder.pass("jws.parse");
+  } catch (err) {
+    builder.fail("jws.parse", "E_VERIFY_MALFORMED_RECEIPT", {
+      error: err instanceof Error ? err.message : String(err)
+    });
+    builder.failure("malformed_receipt");
+    return { valid: false, report: includeMeta ? builder.addTimestamp().build() : builder.build() };
+  }
+  if (receiptBytes.length > policy.limits.max_receipt_bytes) {
+    builder.fail("limits.receipt_bytes", "E_VERIFY_RECEIPT_TOO_LARGE", {
+      size: receiptBytes.length,
+      limit: policy.limits.max_receipt_bytes
+    });
+    builder.failure("receipt_too_large");
+    return { valid: false, report: includeMeta ? builder.addTimestamp().build() : builder.build() };
+  }
+  builder.pass("limits.receipt_bytes", { size: receiptBytes.length });
+  if (header.alg !== "EdDSA") {
+    builder.fail("jws.protected_header", "E_VERIFY_MALFORMED_RECEIPT", {
+      expected_alg: "EdDSA",
+      actual_alg: header.alg
+    });
+    builder.failure("malformed_receipt");
+    return { valid: false, report: includeMeta ? builder.addTimestamp().build() : builder.build() };
+  }
+  if (header.typ !== WIRE_TYPE) {
+    builder.fail("jws.protected_header", "E_VERIFY_MALFORMED_RECEIPT", {
+      expected_typ: WIRE_TYPE,
+      actual_typ: header.typ
+    });
+    builder.failure("malformed_receipt");
+    return { valid: false, report: includeMeta ? builder.addTimestamp().build() : builder.build() };
+  }
+  if (!header.kid) {
+    builder.fail("jws.protected_header", "E_VERIFY_MALFORMED_RECEIPT", {
+      error: "Missing kid in protected header"
+    });
+    builder.failure("malformed_receipt");
+    return { valid: false, report: includeMeta ? builder.addTimestamp().build() : builder.build() };
+  }
+  kid = header.kid;
+  builder.pass("jws.protected_header", { alg: header.alg, typ: header.typ, kid: header.kid });
+  try {
+    ReceiptClaims.parse(payload);
+    issuer = payload.iss;
+    builder.pass("claims.schema_unverified");
+  } catch (err) {
+    builder.fail("claims.schema_unverified", "E_VERIFY_SCHEMA_INVALID", {
+      error: err instanceof Error ? err.message : String(err)
+    });
+    builder.failure("schema_invalid");
+    return { valid: false, report: includeMeta ? builder.addTimestamp().build() : builder.build() };
+  }
+  const normalizedIssuer = normalizeIssuer(issuer);
+  if (!isIssuerAllowed(issuer, policy.issuer_allowlist)) {
+    builder.fail("issuer.trust_policy", "E_VERIFY_ISSUER_NOT_ALLOWED", {
+      issuer: normalizedIssuer,
+      allowlist: policy.issuer_allowlist
+    });
+    builder.failure("issuer_not_allowed", normalizedIssuer, kid);
+    return { valid: false, report: includeMeta ? builder.addTimestamp().build() : builder.build() };
+  }
+  builder.pass("issuer.trust_policy", { issuer: normalizedIssuer });
+  let publicKey;
+  let keySource;
+  let keyThumbprint;
+  let jwksRawBytes;
+  const pinnedKey = findPinnedKey(issuer, kid, policy.pinned_keys);
+  if (pinnedKey) {
+    builder.skip("issuer.discovery", { reason: "pinned_key_available" });
+    if (pinnedKey.jwk) {
+      const actualThumbprint = await computeJwkThumbprint(pinnedKey.jwk);
+      if (actualThumbprint !== pinnedKey.jwk_thumbprint_sha256) {
+        builder.fail("key.resolve", "E_VERIFY_POLICY_VIOLATION", {
+          error: "Pinned JWK thumbprint does not match declared thumbprint",
+          expected: pinnedKey.jwk_thumbprint_sha256,
+          actual: actualThumbprint
+        });
+        builder.failure("policy_violation", normalizedIssuer, kid);
+        return {
+          valid: false,
+          report: includeMeta ? builder.addTimestamp().build() : builder.build()
+        };
+      }
+      publicKey = jwkToPublicKeyBytes(pinnedKey.jwk);
+      keySource = "pinned_keys";
+      keyThumbprint = actualThumbprint;
+      builder.pass("key.resolve", {
+        source: keySource,
+        kid,
+        thumbprint_verified: true,
+        offline: true
+      });
+    } else if (pinnedKey.public_key) {
+      try {
+        publicKey = base64urlDecode(pinnedKey.public_key);
+        if (publicKey.length !== 32) {
+          throw new Error(`Expected 32 bytes, got ${publicKey.length}`);
+        }
+        keySource = "pinned_keys";
+        keyThumbprint = pinnedKey.jwk_thumbprint_sha256;
+        builder.pass("key.resolve", {
+          source: keySource,
+          kid,
+          offline: true,
+          thumbprint_verified: false
+        });
+      } catch (err) {
+        builder.fail("key.resolve", "E_VERIFY_KEY_NOT_FOUND", {
+          error: `Invalid pinned public_key: ${err instanceof Error ? err.message : String(err)}`
+        });
+        builder.failure("key_not_found", normalizedIssuer, kid);
+        return {
+          valid: false,
+          report: includeMeta ? builder.addTimestamp().build() : builder.build()
+        };
+      }
+    } else if (policy.mode === "offline_only") {
+      builder.fail("key.resolve", "E_VERIFY_KEY_NOT_FOUND", {
+        error: "Offline mode requires key material (jwk or public_key) in pinned_keys"
+      });
+      builder.failure("key_not_found", normalizedIssuer, kid);
+      return {
+        valid: false,
+        report: includeMeta ? builder.addTimestamp().build() : builder.build()
+      };
+    } else {
+      const jwksResult = await fetchIssuerJWKS(normalizedIssuer);
+      if ("error" in jwksResult) {
+        const reason = ssrfErrorToReasonCode(jwksResult.error.reason, "key");
+        builder.fail("issuer.discovery", reasonCodeToErrorCode(reason), {
+          error: jwksResult.error.message,
+          url: jwksResult.error.blockedUrl
+        });
+        builder.failure(reason, normalizedIssuer, kid);
+        return {
+          valid: false,
+          report: includeMeta ? builder.addTimestamp().build() : builder.build()
+        };
+      }
+      if (jwksResult.rawBytes) {
+        jwksRawBytes = jwksResult.rawBytes;
+      }
+      builder.pass("issuer.discovery", {
+        from_cache: jwksResult.fromCache,
+        keys_count: jwksResult.jwks.keys.length
+      });
+      const jwk = jwksResult.jwks.keys.find((k) => k.kid === kid);
+      if (!jwk) {
+        builder.fail("key.resolve", "E_VERIFY_KEY_NOT_FOUND", {
+          kid,
+          available_kids: jwksResult.jwks.keys.map((k) => k.kid)
+        });
+        builder.failure("key_not_found", normalizedIssuer, kid);
+        return {
+          valid: false,
+          report: includeMeta ? builder.addTimestamp().build() : builder.build()
+        };
+      }
+      const actualThumbprint = await computeJwkThumbprint(jwk);
+      if (actualThumbprint !== pinnedKey.jwk_thumbprint_sha256) {
+        builder.fail("key.resolve", "E_VERIFY_POLICY_VIOLATION", {
+          error: "JWK thumbprint does not match pinned key",
+          expected: pinnedKey.jwk_thumbprint_sha256,
+          actual: actualThumbprint
+        });
+        builder.failure("policy_violation", normalizedIssuer, kid);
+        return {
+          valid: false,
+          report: includeMeta ? builder.addTimestamp().build() : builder.build()
+        };
+      }
+      publicKey = jwkToPublicKeyBytes(jwk);
+      keySource = "pinned_keys";
+      keyThumbprint = actualThumbprint;
+      builder.pass("key.resolve", { source: keySource, kid, thumbprint_verified: true });
+    }
+  } else {
+    if (policy.mode === "offline_only") {
+      builder.fail("issuer.discovery", "E_VERIFY_KEY_NOT_FOUND", {
+        error: "Offline mode requires pinned keys"
+      });
+      builder.failure("key_not_found", normalizedIssuer, kid);
+      return {
+        valid: false,
+        report: includeMeta ? builder.addTimestamp().build() : builder.build()
+      };
+    }
+    const jwksResult = await fetchIssuerJWKS(normalizedIssuer);
+    if ("error" in jwksResult) {
+      const reason = ssrfErrorToReasonCode(jwksResult.error.reason, "key");
+      builder.fail("issuer.discovery", reasonCodeToErrorCode(reason), {
+        error: jwksResult.error.message,
+        url: jwksResult.error.blockedUrl
+      });
+      builder.failure(reason, normalizedIssuer, kid);
+      return {
+        valid: false,
+        report: includeMeta ? builder.addTimestamp().build() : builder.build()
+      };
+    }
+    if (jwksResult.rawBytes) {
+      jwksRawBytes = jwksResult.rawBytes;
+    }
+    builder.pass("issuer.discovery", {
+      from_cache: jwksResult.fromCache,
+      keys_count: jwksResult.jwks.keys.length
+    });
+    const jwk = jwksResult.jwks.keys.find((k) => k.kid === kid);
+    if (!jwk) {
+      builder.fail("key.resolve", "E_VERIFY_KEY_NOT_FOUND", {
+        kid,
+        available_kids: jwksResult.jwks.keys.map((k) => k.kid)
+      });
+      builder.failure("key_not_found", normalizedIssuer, kid);
+      return {
+        valid: false,
+        report: includeMeta ? builder.addTimestamp().build() : builder.build()
+      };
+    }
+    publicKey = jwkToPublicKeyBytes(jwk);
+    keySource = "jwks_discovery";
+    keyThumbprint = await computeJwkThumbprint(jwk);
+    builder.pass("key.resolve", { source: keySource, kid, thumbprint: keyThumbprint });
+  }
+  try {
+    const result = await verify(receiptJws, publicKey);
+    if (!result.valid) {
+      builder.fail("jws.signature", "E_VERIFY_SIGNATURE_INVALID", {
+        error: "Ed25519 signature verification failed"
+      });
+      builder.failure("signature_invalid", normalizedIssuer, kid);
+      return {
+        valid: false,
+        report: includeMeta ? builder.addTimestamp().build() : builder.build()
+      };
+    }
+    parsedClaims = result.payload;
+    builder.pass("jws.signature");
+  } catch (err) {
+    builder.fail("jws.signature", "E_VERIFY_SIGNATURE_INVALID", {
+      error: err instanceof Error ? err.message : String(err)
+    });
+    builder.failure("signature_invalid", normalizedIssuer, kid);
+    return { valid: false, report: includeMeta ? builder.addTimestamp().build() : builder.build() };
+  }
+  const iatTolerance = 60;
+  if (parsedClaims.iat > nowSeconds + iatTolerance) {
+    builder.fail("claims.time_window", "E_VERIFY_NOT_YET_VALID", {
+      error: "Receipt issued in the future",
+      iat: parsedClaims.iat,
+      now: nowSeconds,
+      tolerance: iatTolerance
+    });
+    builder.failure("not_yet_valid", normalizedIssuer, kid);
+    return { valid: false, report: includeMeta ? builder.addTimestamp().build() : builder.build() };
+  }
+  if (parsedClaims.exp) {
+    if (parsedClaims.exp < nowSeconds) {
+      builder.fail("claims.time_window", "E_VERIFY_EXPIRED", {
+        error: "Receipt expired",
+        exp: parsedClaims.exp,
+        now: nowSeconds
+      });
+      builder.failure("expired", normalizedIssuer, kid);
+      return {
+        valid: false,
+        report: includeMeta ? builder.addTimestamp().build() : builder.build()
+      };
+    }
+  }
+  builder.pass("claims.time_window", {
+    iat: parsedClaims.iat,
+    exp: parsedClaims.exp,
+    now: nowSeconds
+  });
+  if (parsedClaims.ext) {
+    for (const [extKey, extValue] of Object.entries(parsedClaims.ext)) {
+      if (extValue !== void 0) {
+        const extJson = JSON.stringify(extValue);
+        if (extJson.length > policy.limits.max_extension_bytes) {
+          builder.fail("extensions.limits", "E_VERIFY_EXTENSION_TOO_LARGE", {
+            extension: extKey,
+            size: extJson.length,
+            limit: policy.limits.max_extension_bytes
+          });
+          builder.failure("extension_too_large", normalizedIssuer, kid);
+          return {
+            valid: false,
+            report: includeMeta ? builder.addTimestamp().build() : builder.build()
+          };
+        }
+      }
+    }
+  }
+  builder.pass("extensions.limits");
+  builder.success(normalizedIssuer, kid);
+  const artifactKeySource = keySource === "pinned_keys" ? "pinned" : "jwks_fetch";
+  builder.addArtifact("issuer_key_source", artifactKeySource);
+  if (keyThumbprint) {
+    builder.addArtifact("issuer_key_thumbprint", keyThumbprint);
+  }
+  if (jwksRawBytes) {
+    const jwksDigestHex = await sha256Hex(jwksRawBytes);
+    builder.addArtifact("issuer_jwks_digest", createDigest(jwksDigestHex));
+  }
+  const report = includeMeta ? builder.addTimestamp().build() : builder.build();
+  return {
+    valid: true,
+    report,
+    claims: parsedClaims
+  };
+}
+function clearJWKSCache() {
+  jwksCache2.clear();
+}
+function getJWKSCacheSize() {
+  return jwksCache2.size;
+}
+
+// src/transport-profiles.ts
+function parseHeaderProfile(headerValue) {
+  if (headerValue === void 0 || headerValue === "") {
+    return {
+      ok: false,
+      reason: "invalid_transport",
+      errorCode: "E_VERIFY_INVALID_TRANSPORT",
+      message: "PEAC-Receipt header is missing"
+    };
+  }
+  if (Array.isArray(headerValue)) {
+    return {
+      ok: false,
+      reason: "invalid_transport",
+      errorCode: "E_VERIFY_INVALID_TRANSPORT",
+      message: "Multiple PEAC-Receipt headers are not allowed"
+    };
+  }
+  if (headerValue.includes(",")) {
+    const parts = headerValue.split(".");
+    if (parts.length !== 3 || parts.some((p) => p.includes(","))) {
+      return {
+        ok: false,
+        reason: "invalid_transport",
+        errorCode: "E_VERIFY_INVALID_TRANSPORT",
+        message: "Comma-separated PEAC-Receipt values are not allowed"
+      };
+    }
+  }
+  const segments = headerValue.split(".");
+  if (segments.length !== 3) {
+    return {
+      ok: false,
+      reason: "malformed_receipt",
+      errorCode: "E_VERIFY_MALFORMED_RECEIPT",
+      message: `Invalid JWS compact serialization: expected 3 segments, got ${segments.length}`
+    };
+  }
+  const base64urlRegex = /^[A-Za-z0-9_-]*$/;
+  for (let i = 0; i < segments.length; i++) {
+    const segment = segments[i];
+    if (segment.length === 0) {
+      return {
+        ok: false,
+        reason: "malformed_receipt",
+        errorCode: "E_VERIFY_MALFORMED_RECEIPT",
+        message: `Invalid JWS compact serialization: segment ${i + 1} is empty`
+      };
+    }
+    if (!base64urlRegex.test(segment)) {
+      return {
+        ok: false,
+        reason: "malformed_receipt",
+        errorCode: "E_VERIFY_MALFORMED_RECEIPT",
+        message: `Invalid JWS compact serialization: segment ${i + 1} contains invalid characters`
+      };
+    }
+  }
+  return {
+    ok: true,
+    result: {
+      profile: "header",
+      receipt: headerValue
+    }
+  };
+}
+function parsePointerProfile(headerValue) {
+  if (headerValue === void 0 || headerValue === "") {
+    return {
+      ok: false,
+      reason: "invalid_transport",
+      errorCode: "E_VERIFY_INVALID_TRANSPORT",
+      message: "PEAC-Receipt-Pointer header is missing"
+    };
+  }
+  if (Array.isArray(headerValue)) {
+    return {
+      ok: false,
+      reason: "invalid_transport",
+      errorCode: "E_VERIFY_INVALID_TRANSPORT",
+      message: "Multiple PEAC-Receipt-Pointer headers are not allowed"
+    };
+  }
+  const parseResult = parseSimpleDictionary(headerValue);
+  if (parseResult.duplicates.length > 0) {
+    return {
+      ok: false,
+      reason: "invalid_transport",
+      errorCode: "E_VERIFY_INVALID_TRANSPORT",
+      message: `PEAC-Receipt-Pointer has duplicate parameter: ${parseResult.duplicates[0]}`
+    };
+  }
+  const ALLOWED_KEYS = /* @__PURE__ */ new Set(["sha256", "url"]);
+  const unknownKeys = parseResult.keys.filter((k) => !ALLOWED_KEYS.has(k) && !k.startsWith("ext_"));
+  if (unknownKeys.length > 0) {
+    return {
+      ok: false,
+      reason: "invalid_transport",
+      errorCode: "E_VERIFY_INVALID_TRANSPORT",
+      message: `PEAC-Receipt-Pointer has unknown parameter: ${unknownKeys[0]}`
+    };
+  }
+  const params = parseResult.params;
+  if (!params.sha256) {
+    return {
+      ok: false,
+      reason: "invalid_transport",
+      errorCode: "E_VERIFY_INVALID_TRANSPORT",
+      message: "PEAC-Receipt-Pointer missing sha256 parameter"
+    };
+  }
+  if (!params.url) {
+    return {
+      ok: false,
+      reason: "invalid_transport",
+      errorCode: "E_VERIFY_INVALID_TRANSPORT",
+      message: "PEAC-Receipt-Pointer missing url parameter"
+    };
+  }
+  const hexRegex = /^[0-9a-f]{64}$/;
+  if (!hexRegex.test(params.sha256)) {
+    return {
+      ok: false,
+      reason: "invalid_transport",
+      errorCode: "E_VERIFY_INVALID_TRANSPORT",
+      message: "PEAC-Receipt-Pointer sha256 must be 64 lowercase hex characters"
+    };
+  }
+  try {
+    const url = new URL(params.url);
+    if (url.protocol !== "https:") {
+      return {
+        ok: false,
+        reason: "pointer_fetch_blocked",
+        errorCode: "E_VERIFY_POINTER_FETCH_BLOCKED",
+        message: "Pointer URL must use HTTPS"
+      };
+    }
+  } catch {
+    return {
+      ok: false,
+      reason: "invalid_transport",
+      errorCode: "E_VERIFY_INVALID_TRANSPORT",
+      message: "PEAC-Receipt-Pointer url is not a valid URL"
+    };
+  }
+  const extensions = {};
+  for (const key of parseResult.keys) {
+    if (key.startsWith("ext_")) {
+      extensions[key] = params[key];
+    }
+  }
+  return {
+    ok: true,
+    result: {
+      profile: "pointer",
+      digestAlg: "sha256",
+      digestValue: params.sha256,
+      url: params.url,
+      ...Object.keys(extensions).length > 0 && { extensions }
+    }
+  };
+}
+function parseSimpleDictionary(input) {
+  const params = {};
+  const duplicates = [];
+  const keys = [];
+  let i = 0;
+  const len = input.length;
+  while (i < len) {
+    while (i < len && (input[i] === " " || input[i] === "," || input[i] === "	")) {
+      i++;
+    }
+    if (i >= len) break;
+    const keyStart = i;
+    while (i < len && /\w/.test(input[i])) {
+      i++;
+    }
+    const key = input.slice(keyStart, i);
+    if (!key) break;
+    while (i < len && input[i] === " ") i++;
+    if (i >= len || input[i] !== "=") break;
+    i++;
+    while (i < len && input[i] === " ") i++;
+    let value;
+    if (input[i] === '"') {
+      i++;
+      const valueStart = i;
+      while (i < len && input[i] !== '"') {
+        i++;
+      }
+      value = input.slice(valueStart, i);
+      if (i < len) i++;
+    } else {
+      const valueStart = i;
+      while (i < len && input[i] !== "," && input[i] !== " " && input[i] !== "	") {
+        i++;
+      }
+      value = input.slice(valueStart, i);
+    }
+    keys.push(key);
+    if (key in params) {
+      duplicates.push(key);
+    }
+    params[key] = value;
+  }
+  return { params, duplicates, keys };
+}
+function parseBodyProfile(body) {
+  if (body === null || typeof body !== "object") {
+    return {
+      ok: false,
+      reason: "invalid_transport",
+      errorCode: "E_VERIFY_INVALID_TRANSPORT",
+      message: "Body must be a JSON object"
+    };
+  }
+  const obj = body;
+  if ("peac_receipts" in obj) {
+    if (!Array.isArray(obj.peac_receipts)) {
+      return {
+        ok: false,
+        reason: "invalid_transport",
+        errorCode: "E_VERIFY_INVALID_TRANSPORT",
+        message: "peac_receipts must be an array"
+      };
+    }
+    const receipts = [];
+    for (let i = 0; i < obj.peac_receipts.length; i++) {
+      const receipt = obj.peac_receipts[i];
+      if (typeof receipt !== "string") {
+        return {
+          ok: false,
+          reason: "invalid_transport",
+          errorCode: "E_VERIFY_INVALID_TRANSPORT",
+          message: `peac_receipts[${i}] must be a string`
+        };
+      }
+      receipts.push(receipt);
+    }
+    if (receipts.length === 0) {
+      return {
+        ok: false,
+        reason: "invalid_transport",
+        errorCode: "E_VERIFY_INVALID_TRANSPORT",
+        message: "peac_receipts array is empty"
+      };
+    }
+    return {
+      ok: true,
+      result: {
+        profile: "body",
+        receipts
+      }
+    };
+  }
+  if ("peac_receipt" in obj) {
+    if (typeof obj.peac_receipt !== "string") {
+      return {
+        ok: false,
+        reason: "invalid_transport",
+        errorCode: "E_VERIFY_INVALID_TRANSPORT",
+        message: "peac_receipt must be a string"
+      };
+    }
+    if (obj.peac_receipt.length === 0) {
+      return {
+        ok: false,
+        reason: "invalid_transport",
+        errorCode: "E_VERIFY_INVALID_TRANSPORT",
+        message: "peac_receipt is empty"
+      };
+    }
+    return {
+      ok: true,
+      result: {
+        profile: "body",
+        receipts: [obj.peac_receipt]
+      }
+    };
+  }
+  return {
+    ok: false,
+    reason: "invalid_transport",
+    errorCode: "E_VERIFY_INVALID_TRANSPORT",
+    message: "Body must contain peac_receipt or peac_receipts"
+  };
+}
+function parseTransportProfile(context) {
+  const peacReceipt = context.headers["peac-receipt"] ?? context.headers["PEAC-Receipt"];
+  const peacPointer = context.headers["peac-receipt-pointer"] ?? context.headers["PEAC-Receipt-Pointer"];
+  if (peacReceipt !== void 0) {
+    return parseHeaderProfile(peacReceipt);
+  }
+  if (peacPointer !== void 0) {
+    return parsePointerProfile(peacPointer);
+  }
+  if (context.body !== void 0) {
+    return parseBodyProfile(context.body);
+  }
+  return {
+    ok: false,
+    reason: "invalid_transport",
+    errorCode: "E_VERIFY_INVALID_TRANSPORT",
+    message: "No transport profile detected (missing PEAC-Receipt, PEAC-Receipt-Pointer, or body receipt)"
+  };
+}
+function mapSsrfError(ssrfError) {
+  const reason = ssrfError.reason;
+  switch (reason) {
+    case "not_https":
+    case "private_ip":
+    case "loopback":
+    case "link_local":
+    case "dns_failure":
+    case "cross_origin_redirect":
+      return {
+        ok: false,
+        reason: "pointer_fetch_blocked",
+        errorCode: "E_VERIFY_POINTER_FETCH_BLOCKED",
+        message: ssrfError.message
+      };
+    case "timeout":
+      return {
+        ok: false,
+        reason: "pointer_fetch_timeout",
+        errorCode: "E_VERIFY_POINTER_FETCH_TIMEOUT",
+        message: ssrfError.message
+      };
+    case "response_too_large":
+      return {
+        ok: false,
+        reason: "pointer_fetch_too_large",
+        errorCode: "E_VERIFY_POINTER_FETCH_TOO_LARGE",
+        message: ssrfError.message
+      };
+    default:
+      return {
+        ok: false,
+        reason: "pointer_fetch_failed",
+        errorCode: "E_VERIFY_POINTER_FETCH_FAILED",
+        message: ssrfError.message
+      };
+  }
+}
+async function fetchPointerWithDigest(options) {
+  const { url, expectedDigest, fetchOptions = {} } = options;
+  const hexRegex = /^[0-9a-f]{64}$/;
+  if (!hexRegex.test(expectedDigest)) {
+    return {
+      ok: false,
+      reason: "pointer_fetch_failed",
+      errorCode: "E_VERIFY_POINTER_FETCH_FAILED",
+      message: "Invalid expected digest: must be 64 lowercase hex characters"
+    };
+  }
+  try {
+    const parsedUrl = new URL(url);
+    if (parsedUrl.protocol !== "https:") {
+      return {
+        ok: false,
+        reason: "pointer_fetch_blocked",
+        errorCode: "E_VERIFY_POINTER_FETCH_BLOCKED",
+        message: "Pointer URL must use HTTPS"
+      };
+    }
+  } catch {
+    return {
+      ok: false,
+      reason: "pointer_fetch_failed",
+      errorCode: "E_VERIFY_POINTER_FETCH_FAILED",
+      message: "Invalid pointer URL"
+    };
+  }
+  const fetchResult = await ssrfSafeFetch(url, {
+    ...fetchOptions,
+    maxBytes: VERIFIER_LIMITS.maxReceiptBytes,
+    allowRedirects: false,
+    // Pointer URL must be direct - no redirects
+    timeoutMs: fetchOptions?.timeoutMs ?? VERIFIER_LIMITS.fetchTimeoutMs,
+    headers: {
+      Accept: "application/jose, application/json, text/plain",
+      ...fetchOptions.headers
+    }
+  });
+  if (!fetchResult.ok) {
+    return mapSsrfError(fetchResult);
+  }
+  const receipt = fetchResult.body;
+  const contentType = fetchResult.contentType;
+  const expectedContentTypes = ["application/jose", "application/json", "text/plain"];
+  const contentTypeWarning = contentType && !expectedContentTypes.some((expected) => contentType.startsWith(expected)) ? `Unexpected Content-Type: ${contentType}; expected application/jose, application/json, or text/plain` : void 0;
+  if (!receipt || receipt.trim().length === 0) {
+    return {
+      ok: false,
+      reason: "malformed_receipt",
+      errorCode: "E_VERIFY_MALFORMED_RECEIPT",
+      message: "Pointer target returned empty content"
+    };
+  }
+  const jwsValidation = validateJwsCompactStructure(receipt);
+  if (!jwsValidation.valid) {
+    return {
+      ok: false,
+      reason: "malformed_receipt",
+      errorCode: "E_VERIFY_MALFORMED_RECEIPT",
+      message: jwsValidation.message
+    };
+  }
+  const actualDigest = await sha256Hex(receipt);
+  if (actualDigest !== expectedDigest) {
+    return {
+      ok: false,
+      reason: "pointer_digest_mismatch",
+      errorCode: "E_VERIFY_POINTER_DIGEST_MISMATCH",
+      message: "Fetched receipt digest does not match expected digest",
+      actualDigest,
+      expectedDigest
+    };
+  }
+  return {
+    ok: true,
+    receipt,
+    actualDigest,
+    digestMatched: true,
+    contentType: fetchResult.contentType,
+    ...contentTypeWarning && { contentTypeWarning }
+  };
+}
+function validateJwsCompactStructure(value) {
+  const segments = value.split(".");
+  if (segments.length !== 3) {
+    return {
+      valid: false,
+      message: `Invalid JWS compact serialization: expected 3 segments, got ${segments.length}`
+    };
+  }
+  const base64urlRegex = /^[A-Za-z0-9_-]+$/;
+  for (let i = 0; i < segments.length; i++) {
+    const segment = segments[i];
+    if (segment.length === 0) {
+      return {
+        valid: false,
+        message: `Invalid JWS compact serialization: segment ${i + 1} is empty`
+      };
+    }
+    if (!base64urlRegex.test(segment)) {
+      return {
+        valid: false,
+        message: `Invalid JWS compact serialization: segment ${i + 1} contains invalid characters`
+      };
+    }
+  }
+  return { valid: true };
+}
+function parsePointerHeader(input) {
+  const params = {};
+  let i = 0;
+  const len = input.length;
+  while (i < len) {
+    while (i < len && (input[i] === " " || input[i] === "," || input[i] === "	")) {
+      i++;
+    }
+    if (i >= len) break;
+    const keyStart = i;
+    while (i < len && /\w/.test(input[i])) {
+      i++;
+    }
+    const key = input.slice(keyStart, i);
+    if (!key) break;
+    while (i < len && input[i] === " ") i++;
+    if (i >= len || input[i] !== "=") break;
+    i++;
+    while (i < len && input[i] === " ") i++;
+    let value;
+    if (input[i] === '"') {
+      i++;
+      const valueStart = i;
+      while (i < len && input[i] !== '"') {
+        i++;
+      }
+      value = input.slice(valueStart, i);
+      if (i < len) i++;
+    } else {
+      const valueStart = i;
+      while (i < len && input[i] !== "," && input[i] !== " " && input[i] !== "	") {
+        i++;
+      }
+      value = input.slice(valueStart, i);
+    }
+    params[key] = value;
+  }
+  return params;
+}
+async function verifyAndFetchPointer(pointerHeader, fetchOptions) {
+  const params = parsePointerHeader(pointerHeader);
+  if (!params.sha256) {
+    return {
+      ok: false,
+      reason: "pointer_fetch_failed",
+      errorCode: "E_VERIFY_POINTER_FETCH_FAILED",
+      message: "PEAC-Receipt-Pointer missing sha256 parameter"
+    };
+  }
+  if (!params.url) {
+    return {
+      ok: false,
+      reason: "pointer_fetch_failed",
+      errorCode: "E_VERIFY_POINTER_FETCH_FAILED",
+      message: "PEAC-Receipt-Pointer missing url parameter"
+    };
+  }
+  return fetchPointerWithDigest({
+    url: params.url,
+    expectedDigest: params.sha256,
+    fetchOptions
+  });
+}
+
+export { CHECK_IDS, DEFAULT_NETWORK_SECURITY, DEFAULT_VERIFIER_LIMITS, IssueError, NON_DETERMINISTIC_ARTIFACT_KEYS, VerificationReportBuilder, buildFailureReport, buildSuccessReport, clearJWKSCache, computeReceiptDigest, createDefaultPolicy, createDigest, createEmptyReport, createReportBuilder, fetchDiscovery, fetchIssuerConfig, fetchJWKSSafe, fetchPointerSafe, fetchPointerWithDigest, fetchPolicyManifest, getJWKSCacheSize, getPurposeHeader, getReceiptHeader, getSSRFCapabilities, isAttestationResult, isBlockedIP, isCommerceResult, issue, issueJws, parseBodyProfile, parseDiscovery, parseHeaderProfile, parseIssuerConfig, parsePointerProfile, parsePolicyManifest, parseTransportProfile, reasonCodeToErrorCode, reasonCodeToSeverity, resetSSRFCapabilitiesCache, setPurposeAppliedHeader, setPurposeReasonHeader, setReceiptHeader, setVaryHeader, setVaryPurposeHeader, ssrfErrorToReasonCode, ssrfSafeFetch, verifyAndFetchPointer, verifyLocal, verifyReceipt, verifyReceiptCore };
+//# sourceMappingURL=index.mjs.map
+//# sourceMappingURL=index.mjs.map