@peac/protocol 0.11.0 → 0.11.1

package/dist/jwks-resolver.d.ts

@@ -0,0 +1,88 @@
+/**
+ * Shared JWKS Resolver
+ *
+ * Centralizes JWKS resolution for both verify.ts and verifier-core.ts:
+ * 1. Fetch peac-issuer.json from issuer origin (SSRF-safe)
+ * 2. Validate issuer config (schema, issuer match)
+ * 3. Validate jwks_uri is HTTPS (protocol-level enforcement)
+ * 4. Fetch JWKS from jwks_uri (SSRF-safe, 64KB cap)
+ * 5. Validate JWKS shape
+ *
+ * No fallback paths: peac-issuer.json with jwks_uri is the only
+ * supported key discovery mechanism.
+ *
+ * @packageDocumentation
+ */
+import type { SSRFFetchError } from './ssrf-safe-fetch.js';
+/**
+ * JWK structure for Ed25519 keys
+ */
+export interface JWK {
+    kty: string;
+    crv: string;
+    x: string;
+    kid: string;
+}
+/**
+ * JWKS document
+ */
+export interface JWKS {
+    keys: JWK[];
+}
+/**
+ * Successful JWKS resolution
+ */
+export interface JWKSResolveSuccess {
+    ok: true;
+    jwks: JWKS;
+    fromCache: boolean;
+    /** Raw JWKS bytes for digest computation (only present when not from cache) */
+    rawBytes?: Uint8Array;
+}
+/**
+ * JWKS resolution error
+ */
+export interface JWKSResolveError {
+    ok: false;
+    /** Kernel error code */
+    code: string;
+    /** Human-readable message */
+    message: string;
+    /** Original SSRF reason (preserved for diagnostic fidelity) */
+    reason?: SSRFFetchError['reason'];
+    /** Blocked URL (if applicable) */
+    blockedUrl?: string;
+}
+export type JWKSResolveResult = JWKSResolveSuccess | JWKSResolveError;
+/**
+ * Options for JWKS resolution
+ */
+export interface ResolveJWKSOptions {
+    /** Cache TTL in milliseconds (default: 300000 = 5 minutes) */
+    cacheTtlMs?: number;
+    /** Maximum cache entries before LRU eviction (default: 1000) */
+    maxCacheEntries?: number;
+    /** Bypass cache entirely (default: false) */
+    noCache?: boolean;
+}
+/**
+ * Clear the shared JWKS cache
+ */
+export declare function clearJWKSCache(): void;
+/**
+ * Get JWKS cache size (for testing)
+ * @internal
+ */
+export declare function getJWKSCacheSize(): number;
+/**
+ * Resolve JWKS for an issuer using strict discovery:
+ * peac-issuer.json -> jwks_uri -> JWKS
+ *
+ * No fallback to direct JWKS or peac.txt key discovery.
+ *
+ * @param issuerUrl - Issuer origin URL (e.g. "https://api.example.com")
+ * @param options - Cache and resolution options
+ * @returns Resolved JWKS or error
+ */
+export declare function resolveJWKS(issuerUrl: string, options?: ResolveJWKSOptions): Promise<JWKSResolveResult>;
+//# sourceMappingURL=jwks-resolver.d.ts.map

package/dist/jwks-resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwks-resolver.d.ts","sourceRoot":"","sources":["../src/jwks-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAKH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAO3D;;GAEG;AACH,MAAM,WAAW,GAAG;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,GAAG,EAAE,MAAM,CAAC;IACZ,CAAC,EAAE,MAAM,CAAC;IACV,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,MAAM,WAAW,IAAI;IACnB,IAAI,EAAE,GAAG,EAAE,CAAC;CACb;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,IAAI,CAAC;IACT,IAAI,EAAE,IAAI,CAAC;IACX,SAAS,EAAE,OAAO,CAAC;IACnB,+EAA+E;IAC/E,QAAQ,CAAC,EAAE,UAAU,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,EAAE,EAAE,KAAK,CAAC;IACV,wBAAwB;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,+DAA+D;IAC/D,MAAM,CAAC,EAAE,cAAc,CAAC,QAAQ,CAAC,CAAC;IAClC,kCAAkC;IAClC,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,MAAM,iBAAiB,GAAG,kBAAkB,GAAG,gBAAgB,CAAC;AAEtE;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,8DAA8D;IAC9D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,gEAAgE;IAChE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,6CAA6C;IAC7C,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AA6CD;;GAEG;AACH,wBAAgB,cAAc,IAAI,IAAI,CAErC;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC;AAyFD;;;;;;;;;GASG;AACH,wBAAsB,WAAW,CAC/B,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE,kBAAkB,GAC3B,OAAO,CAAC,iBAAiB,CAAC,CAoJ5B"}

package/dist/verifier-core.d.ts

@@ -51,12 +51,4 @@ export interface VerifyCoreResult {
  * 10. extensions.limits - Check extension sizes
  */
 export declare function verifyReceiptCore(options: VerifyCoreOptions): Promise<VerifyCoreResult>;
-/**
- * Clear the JWKS cache
- */
-export declare function clearJWKSCache(): void;
-/**
- * Get JWKS cache size (for testing)
- */
-export declare function getJWKSCacheSize(): number;
 //# sourceMappingURL=verifier-core.d.ts.map

package/dist/verifier-core.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verifier-core.d.ts","sourceRoot":"","sources":["../src/verifier-core.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAWH,OAAO,EAAE,iBAAiB,EAAiB,MAAM,cAAc,CAAC;AAIhE,OAAO,KAAK,EAAa,kBAAkB,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAqCzF;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,uDAAuD;IACvD,OAAO,EAAE,MAAM,GAAG,UAAU,CAAC;IAC7B,0BAA0B;IAC1B,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,0EAA0E;IAC1E,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mDAAmD;IACnD,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,qCAAqC;IACrC,KAAK,EAAE,OAAO,CAAC;IACf,0BAA0B;IAC1B,MAAM,EAAE,kBAAkB,CAAC;IAC3B,+BAA+B;IAC/B,MAAM,CAAC,EAAE,iBAAiB,CAAC;CAC5B;AAmLD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAob7F;AAED;;GAEG;AACH,wBAAgB,cAAc,IAAI,IAAI,CAErC;AAED;;GAEG;AACH,wBAAgB,gBAAgB,IAAI,MAAM,CAEzC"}
+{"version":3,"file":"verifier-core.d.ts","sourceRoot":"","sources":["../src/verifier-core.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAWH,OAAO,EAAE,iBAAiB,EAAiB,MAAM,cAAc,CAAC;AAIhE,OAAO,KAAK,EAAa,kBAAkB,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAqCzF;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,uDAAuD;IACvD,OAAO,EAAE,MAAM,GAAG,UAAU,CAAC;IAC7B,0BAA0B;IAC1B,MAAM,CAAC,EAAE,cAAc,CAAC;IACxB,0EAA0E;IAC1E,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,mDAAmD;IACnD,WAAW,CAAC,EAAE,OAAO,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,qCAAqC;IACrC,KAAK,EAAE,OAAO,CAAC;IACf,0BAA0B;IAC1B,MAAM,EAAE,kBAAkB,CAAC;IAC3B,+BAA+B;IAC/B,MAAM,CAAC,EAAE,iBAAiB,CAAC;CAC5B;AA+FD;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAob7F"}

package/dist/verify.d.ts

@@ -1,5 +1,9 @@
 /**
- * Receipt verification with JWKS fetching and caching
+ * Receipt verification with strict issuer-config-based JWKS discovery
+ *
+ * Key discovery uses peac-issuer.json -> jwks_uri exclusively.
+ * No legacy fallbacks (peac.txt, direct JWKS).
+ * JWKS caching is centralized in jwks-resolver.ts.
  */
 import { PEACReceiptClaims, SubjectProfileSnapshot } from '@peac/schema';
 import { type TelemetryHook } from './telemetry.js';
@@ -44,6 +48,9 @@ export interface VerifyOptions {
 /**
  * Verify a PEAC receipt JWS
  *
+ * Uses strict issuer-config discovery: peac-issuer.json -> jwks_uri -> JWKS.
+ * No fallback to peac.txt or direct JWKS endpoints.
+ *
  * @param optionsOrJws - Verify options or JWS compact serialization (for backwards compatibility)
  * @returns Verification result or failure
  */

package/dist/verify.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EACL,iBAAiB,EAEjB,sBAAsB,EAGvB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAkC,KAAK,aAAa,EAAE,MAAM,gBAAgB,CAAC;AA8BpF;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,6BAA6B;IAC7B,EAAE,EAAE,IAAI,CAAC;IAET,qBAAqB;IACrB,MAAM,EAAE,iBAAiB,CAAC;IAE1B,uDAAuD;IACvD,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAE1C,0BAA0B;IAC1B,IAAI,CAAC,EAAE;QACL,SAAS,EAAE,MAAM,CAAC;QAClB,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,0BAA0B;IAC1B,EAAE,EAAE,KAAK,CAAC;IAEV,mBAAmB;IACnB,MAAM,EAAE,MAAM,CAAC;IAEf,oBAAoB;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAqGD;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;IAEnB,sEAAsE;IACtE,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAE1C,iDAAiD;IACjD,SAAS,CAAC,EAAE,aAAa,CAAC;CAC3B;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,YAAY,EAAE,MAAM,GAAG,aAAa,GACnC,OAAO,CAAC,YAAY,GAAG,aAAa,CAAC,CAoIvC"}
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAGH,OAAO,EACL,iBAAiB,EAEjB,sBAAsB,EAGvB,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAkC,KAAK,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAmBpF;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,6BAA6B;IAC7B,EAAE,EAAE,IAAI,CAAC;IAET,qBAAqB;IACrB,MAAM,EAAE,iBAAiB,CAAC;IAE1B,uDAAuD;IACvD,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAE1C,0BAA0B;IAC1B,IAAI,CAAC,EAAE;QACL,SAAS,EAAE,MAAM,CAAC;QAClB,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,0BAA0B;IAC1B,EAAE,EAAE,KAAK,CAAC;IAEV,mBAAmB;IACnB,MAAM,EAAE,MAAM,CAAC;IAEf,oBAAoB;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;IAEnB,sEAAsE;IACtE,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAE1C,iDAAiD;IACjD,SAAS,CAAC,EAAE,aAAa,CAAC;CAC3B;AAED;;;;;;;;GAQG;AACH,wBAAsB,aAAa,CACjC,YAAY,EAAE,MAAM,GAAG,aAAa,GACnC,OAAO,CAAC,YAAY,GAAG,aAAa,CAAC,CA6IvC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@peac/protocol",
-  "version": "0.11.0",
+  "version": "0.11.1",
   "description": "PEAC protocol implementation - receipt issuance and verification",
   "main": "dist/index.cjs",
   "types": "dist/index.d.ts",
@@ -39,9 +39,9 @@
   "dependencies": {
     "uuidv7": "^0.6.3",
     "zod": "^4.3.6",
-    "@peac/kernel": "0.11.0",
-    "@peac/schema": "0.11.0",
-    "@peac/crypto": "0.11.0"
+    "@peac/schema": "0.11.1",
+    "@peac/kernel": "0.11.1",
+    "@peac/crypto": "0.11.1"
   },
   "devDependencies": {
     "@types/node": "^22.19.11",