@peac/protocol 0.11.0 → 0.11.1

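--- a/package/dist/jwks-resolver.d.ts
+++ b/package/dist/jwks-resolver.d.ts
@@ -0,0 +1,88 @@
+ /**
+ * Shared JWKS Resolver
+ *
+ * Centralizes JWKS resolution for both verify.ts and verifier-core.ts:
+ * 1. Fetch peac-issuer.json from issuer origin (SSRF-safe)
+ * 2. Validate issuer config (schema, issuer match)
+ * 3. Validate jwks_uri is HTTPS (protocol-level enforcement)
+ * 4. Fetch JWKS from jwks_uri (SSRF-safe, 64KB cap)
+ * 5. Validate JWKS shape
+ *
+ * No fallback paths: peac-issuer.json with jwks_uri is the only
+ * supported key discovery mechanism.
+ *
+ * @packageDocumentation
+ */
+ import type { SSRFFetchError } from './ssrf-safe-fetch.js';
+ /**
+ * JWK structure for Ed25519 keys
+ */
+ export interface JWK {
+ kty: string;
+ crv: string;
+ x: string;
+ kid: string;
+ }
+ /**
+ * JWKS document
+ */
+ export interface JWKS {
+ keys: JWK[];
+ }
+ /**
+ * Successful JWKS resolution
+ */
+ export interface JWKSResolveSuccess {
+ ok: true;
+ jwks: JWKS;
+ fromCache: boolean;
+ /** Raw JWKS bytes for digest computation (only present when not from cache) */
+ rawBytes?: Uint8Array;
+ }
+ /**
+ * JWKS resolution error
+ */
+ export interface JWKSResolveError {
+ ok: false;
+ /** Kernel error code */
+ code: string;
+ /** Human-readable message */
+ message: string;
+ /** Original SSRF reason (preserved for diagnostic fidelity) */
+ reason?: SSRFFetchError['reason'];
+ /** Blocked URL (if applicable) */
+ blockedUrl?: string;
+ }
+ export type JWKSResolveResult = JWKSResolveSuccess | JWKSResolveError;
+ /**
+ * Options for JWKS resolution
+ */
+ export interface ResolveJWKSOptions {
+ /** Cache TTL in milliseconds (default: 300000 = 5 minutes) */
+ cacheTtlMs?: number;
+ /** Maximum cache entries before LRU eviction (default: 1000) */
+ maxCacheEntries?: number;
+ /** Bypass cache entirely (default: false) */
+ noCache?: boolean;
+ }
+ /**
+ * Clear the shared JWKS cache
+ */
+ export declare function clearJWKSCache(): void;
+ /**
+ * Get JWKS cache size (for testing)
+ * @internal
+ */
+ export declare function getJWKSCacheSize(): number;
+ /**
+ * Resolve JWKS for an issuer using strict discovery:
+ * peac-issuer.json -> jwks_uri -> JWKS
+ *
+ * No fallback to direct JWKS or peac.txt key discovery.
+ *
+ * @param issuerUrl - Issuer origin URL (e.g. "https://api.example.com")
+ * @param options - Cache and resolution options
+ * @returns Resolved JWKS or error
+ */
+ export declare function resolveJWKS(issuerUrl: string, options?: ResolveJWKSOptions): Promise<JWKSResolveResult>;
+ //# sourceMappingURL=jwks-resolver.d.ts.map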
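Review bot: The `JWK` interface is documented as "JWK structure for Ed25519 keys" but declares `kty: string; crv: string;`, so the type does not express the constraint the comment promises, and a consumer typing against it cannot tell whether step 5 ("Validate JWKS shape") rejects keys carrying other `kty`/`crv` values. If the runtime validation does pin those values, the declaration should say so with `kty: 'OKP'; crv: 'Ed25519';`; if it does not, the doc comment should be narrowed to describe the actual shape check so callers know to confirm the curve themselves before using a key. Since this is an emitted .d.ts, the change belongs in the module it is generated from (the map points at ../src/jwks-resolver.ts). Relatedly, `rawBytes?` with the comment "only present when not from cache" could be modeled as a discriminated union on `fromCache` so the presence of the digest input is checked by the compiler rather than by the comment.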
@@ -0,0 +1 @@
1
+ {"version":3,"file":"jwks-resolver.d.ts","sourceRoot":"","sources":["../src/jwks-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAKH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAO3D;;GAEG;AACH,MAAM,WAAW,GAAG;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC;IACV,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,MAAM,WAAW,IAAI;IACnB,IAAI,EAAE,GAAG,EAAE,CAAC;CACb;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,IAAI,CAAC;IACT,IAAI,EAAE,IAAI,CAAC;IACX,SAAS,EAAE,OAAO,CAAC;IACnB,+EAA+E;IAC/E,QAAQ,CAAC,EAAE,UAAU,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,KAAK,CAAC;IACV,wBAAwB;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,+DAA+D;IAC/D,MAAM,CAAC,EAAE,cAAc,CAAC,QAAQ,CAAC,CAAC;IAClC,kCAAkC;IAClC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,MAAM,iBAAiB,GAAG,kBAAkB,GAAG,gBAAgB,CAAC;AAEtE;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,8DAA8D;IAC9D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gEAAgE;IAChE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,6CAA6C;IAC7C,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AA6CD;;GAEG;AACH,wBAAgB,cAAc,IAAI,IAAI,CAErC;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAyFD;;;;;;;;;GASG;AACH,wBAAsB,WAAW,CAC/B,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE,kBAAkB,GAC3B,OAAO,CAAC,iBAAiB,CAAC,CAoJ5B"}
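--- a/package/dist/verifier-core.d.ts
+++ b/package/dist/verifier-core.d.ts
@@ -51,12 +51,4 @@ export interface VerifyCoreResult {
  * 10. extensions.limits - Check extension sizes
  */
  export declare function verifyReceiptCore(options: VerifyCoreOptions): Promise<VerifyCoreResult>;
- /**
- * Clear the JWKS cache
- */
- export declare function clearJWKSCache(): void;
- /**
- * Get JWKS cache size (for testing)
- */
- export declare function getJWKSCacheSize(): number;
  //# sourceMappingURL=verifier-core.d.ts.map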
@@ -1 +1 @@
1
- {"version":3,"file":"verifier-core.d.ts","sourceRoot":"","sources":["../src/verifier-core.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAWH,OAAO,EAAE,iBAAiB,EAAiB,MAAM,cAAc,CAAC;AAIhE,OAAO,KAAK,EAAa,kBAAkB,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAqCzF;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,uDAAuD;IACvD,OAAO,EAAE,MAAM,GAAG,UAAU,CAAC;IAC7B,0BAA0B;IAC1B,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,0EAA0E;IAC1E,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mDAAmD;IACnD,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,qCAAqC;IACrC,KAAK,EAAE,OAAO,CAAC;IACf,0BAA0B;IAC1B,MAAM,EAAE,kBAAkB,CAAC;IAC3B,+BAA+B;IAC/B,MAAM,CAAC,EAAE,iBAAiB,CAAC;CAC5B;AAmLD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAob7F;AAED;;GAEG;AACH,wBAAgB,cAAc,IAAI,IAAI,CAErC;AAED;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC"}
1
+ {"version":3,"file":"verifier-core.d.ts","sourceRoot":"","sources":["../src/verifier-core.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAWH,OAAO,EAAE,iBAAiB,EAAiB,MAAM,cAAc,CAAC;AAIhE,OAAO,KAAK,EAAa,kBAAkB,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAqCzF;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,uDAAuD;IACvD,OAAO,EAAE,MAAM,GAAG,UAAU,CAAC;IAC7B,0BAA0B;IAC1B,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,0EAA0E;IAC1E,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mDAAmD;IACnD,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,qCAAqC;IACrC,KAAK,EAAE,OAAO,CAAC;IACf,0BAA0B;IAC1B,MAAM,EAAE,kBAAkB,CAAC;IAC3B,+BAA+B;IAC/B,MAAM,CAAC,EAAE,iBAAiB,CAAC;CAC5B;AA+FD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAob7F"}
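--- a/package/dist/verify.d.ts
+++ b/package/dist/verify.d.ts
@@ -1,5 +1,9 @@
  /**
- * Receipt verification with JWKS fetching and caching
+ * Receipt verification with strict issuer-config-based JWKS discovery
+ *
+ * Key discovery uses peac-issuer.json -> jwks_uri exclusively.
+ * No legacy fallbacks (peac.txt, direct JWKS).
+ * JWKS caching is centralized in jwks-resolver.ts.
  */
  import { PEACReceiptClaims, SubjectProfileSnapshot } from '@peac/schema';
  import { type TelemetryHook } from './telemetry.js';
@@ -44,6 +48,9 @@ export interface VerifyOptions {
  /**
  * Verify a PEAC receipt JWS
  *
+ * Uses strict issuer-config discovery: peac-issuer.json -> jwks_uri -> JWKS.
+ * No fallback to peac.txt or direct JWKS endpoints.
+ *
  * @param optionsOrJws - Verify options or JWS compact serialization (for backwards compatibility)
  * @returns Verification result or failure
  */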
@@ -1 +1 @@
1
- {"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EACL,iBAAiB,EAEjB,sBAAsB,EAGvB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAkC,KAAK,aAAa,EAAE,MAAM,gBAAgB,CAAC;AA8BpF;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,6BAA6B;IAC7B,EAAE,EAAE,IAAI,CAAC;IAET,qBAAqB;IACrB,MAAM,EAAE,iBAAiB,CAAC;IAE1B,uDAAuD;IACvD,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAE1C,0BAA0B;IAC1B,IAAI,CAAC,EAAE;QACL,SAAS,EAAE,MAAM,CAAC;QAClB,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,0BAA0B;IAC1B,EAAE,EAAE,KAAK,CAAC;IAEV,mBAAmB;IACnB,MAAM,EAAE,MAAM,CAAC;IAEf,oBAAoB;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAqGD;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;IAEnB,sEAAsE;IACtE,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAE1C,iDAAiD;IACjD,SAAS,CAAC,EAAE,aAAa,CAAC;CAC3B;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,YAAY,EAAE,MAAM,GAAG,aAAa,GACnC,OAAO,CAAC,YAAY,GAAG,aAAa,CAAC,CAoIvC"}
1
+ {"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EACL,iBAAiB,EAEjB,sBAAsB,EAGvB,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAkC,KAAK,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAmBpF;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,6BAA6B;IAC7B,EAAE,EAAE,IAAI,CAAC;IAET,qBAAqB;IACrB,MAAM,EAAE,iBAAiB,CAAC;IAE1B,uDAAuD;IACvD,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAE1C,0BAA0B;IAC1B,IAAI,CAAC,EAAE;QACL,SAAS,EAAE,MAAM,CAAC;QAClB,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,0BAA0B;IAC1B,EAAE,EAAE,KAAK,CAAC;IAEV,mBAAmB;IACnB,MAAM,EAAE,MAAM,CAAC;IAEf,oBAAoB;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;IAEnB,sEAAsE;IACtE,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAE1C,iDAAiD;IACjD,SAAS,CAAC,EAAE,aAAa,CAAC;CAC3B;AAED;;;;;;;;GAQG;AACH,wBAAsB,aAAa,CACjC,YAAY,EAAE,MAAM,GAAG,aAAa,GACnC,OAAO,CAAC,YAAY,GAAG,aAAa,CAAC,CA6IvC"}
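--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@peac/protocol",
- "version": "0.11.0",
+ "version": "0.11.1",
  "description": "PEAC protocol implementation - receipt issuance and verification",
  "main": "dist/index.cjs",
  "types": "dist/index.d.ts",
@@ -39,9 +39,9 @@
  "dependencies": {
  "uuidv7": "^0.6.3",
  "zod": "^4.3.6",
- "@peac/kernel": "0.11.0",
- "@peac/schema": "0.11.0",
- "@peac/crypto": "0.11.0"
+ "@peac/schema": "0.11.1",
+ "@peac/kernel": "0.11.1",
+ "@peac/crypto": "0.11.1"
  },
  "devDependencies": {
  "@types/node": "^22.19.11",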