npm - @peac/protocol - Versions diffs - 0.11.0 → 0.11.2 - Mend

@peac/protocol 0.11.0 → 0.11.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/dist/discovery.d.ts.map +1 -1
package/dist/index.cjs +1276 -1179
package/dist/index.cjs.map +1 -1
package/dist/index.d.ts +1 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.mjs +1277 -1181
package/dist/index.mjs.map +1 -1
package/dist/jwks-resolver.d.ts +88 -0
package/dist/jwks-resolver.d.ts.map +1 -0
package/dist/verifier-core.d.ts +0 -8
package/dist/verifier-core.d.ts.map +1 -1
package/dist/verify.d.ts +8 -1
package/dist/verify.d.ts.map +1 -1
package/package.json +4 -4

package/dist/index.mjs CHANGED Viewed

@@ -2,7 +2,7 @@ import { uuidv7 } from 'uuidv7';
 import { sign, decode, verify, sha256Hex, computeJwkThumbprint, jwkToPublicKeyBytes, base64urlDecode } from '@peac/crypto';
 export { base64urlDecode, base64urlEncode, computeJwkThumbprint, generateKeypair, jwkToPublicKeyBytes, sha256Bytes, sha256Hex, verify } from '@peac/crypto';
 import { ZodError } from 'zod';
-import { isValidPurposeToken, isCanonicalPurpose, isValidPurposeReason, isValidWorkflowContext, createWorkflowContextInvalidError, hasValidDagSemantics, createWorkflowDagInvalidError, WORKFLOW_EXTENSION_KEY, validateKernelConstraints, createConstraintViolationError, ReceiptClaims, createEvidenceNotJsonError, validateSubjectSnapshot, parseReceiptClaims, PEAC_RECEIPT_HEADER, PEAC_PURPOSE_HEADER, parsePurposeHeader, PEAC_PURPOSE_APPLIED_HEADER, PEAC_PURPOSE_REASON_HEADER, PEAC_ISSUER_CONFIG_MAX_BYTES, PEAC_ISSUER_CONFIG_PATH, PEAC_POLICY_MAX_BYTES, PEAC_POLICY_PATH, PEAC_POLICY_FALLBACK_PATH } from '@peac/schema';
+import { isValidPurposeToken, isCanonicalPurpose, isValidPurposeReason, isValidWorkflowContext, createWorkflowContextInvalidError, hasValidDagSemantics, createWorkflowDagInvalidError, WORKFLOW_EXTENSION_KEY, validateKernelConstraints, createConstraintViolationError, ReceiptClaims, createEvidenceNotJsonError, validateSubjectSnapshot, PEAC_ISSUER_CONFIG_MAX_BYTES, PEAC_ISSUER_CONFIG_PATH, PEAC_POLICY_MAX_BYTES, PEAC_POLICY_PATH, PEAC_POLICY_FALLBACK_PATH, parseReceiptClaims, PEAC_RECEIPT_HEADER, PEAC_PURPOSE_HEADER, parsePurposeHeader, PEAC_PURPOSE_APPLIED_HEADER, PEAC_PURPOSE_REASON_HEADER } from '@peac/schema';
 import { createHash } from 'crypto';
 import { VERIFIER_LIMITS, VERIFIER_NETWORK, VERIFIER_POLICY_VERSION, VERIFICATION_REPORT_VERSION, WIRE_TYPE } from '@peac/kernel';
@@ -178,1234 +178,1390 @@ async function issueJws(options) {
   const result = await issue(options);
   return result.jws;
 }
-var jwksCache = /* @__PURE__ */ new Map();
-var CACHE_TTL_MS = 5 * 60 * 1e3;
-async function fetchJWKS(issuerUrl) {
-  if (!issuerUrl.startsWith("https://")) {
-    throw new Error("Issuer URL must be https://");
+function parseIssuerConfig(json) {
+  let config;
+  if (typeof json === "string") {
+    const bytes = new TextEncoder().encode(json).length;
+    if (bytes > PEAC_ISSUER_CONFIG_MAX_BYTES) {
+      throw new Error(`Issuer config exceeds ${PEAC_ISSUER_CONFIG_MAX_BYTES} bytes (got ${bytes})`);
+    }
+    try {
+      config = JSON.parse(json);
+    } catch {
+      throw new Error("Issuer config is not valid JSON");
+    }
+  } else {
+    config = json;
+  }
+  if (typeof config !== "object" || config === null) {
+    throw new Error("Issuer config must be an object");
+  }
+  const obj = config;
+  if (typeof obj.version !== "string" || !obj.version) {
+    throw new Error("Missing required field: version");
+  }
+  if (typeof obj.issuer !== "string" || !obj.issuer) {
+    throw new Error("Missing required field: issuer");
+  }
+  if (typeof obj.jwks_uri !== "string" || !obj.jwks_uri) {
+    throw new Error("Missing required field: jwks_uri");
+  }
+  if (!obj.issuer.startsWith("https://")) {
+    throw new Error("issuer must be an HTTPS URL");
   }
-  const discoveryUrl = `${issuerUrl}/.well-known/peac.txt`;
   try {
-    const discoveryResp = await fetch(discoveryUrl, {
-      headers: { Accept: "text/plain" },
-      // Timeout after 5 seconds
-      signal: AbortSignal.timeout(5e3)
-    });
-    if (!discoveryResp.ok) {
-      throw new Error(`Discovery fetch failed: ${discoveryResp.status}`);
+    new URL(obj.jwks_uri);
+  } catch {
+    throw new Error("jwks_uri must be a valid URL");
+  }
+  if (obj.verify_endpoint !== void 0) {
+    if (typeof obj.verify_endpoint !== "string") {
+      throw new Error("verify_endpoint must be a string");
+    }
+    if (!obj.verify_endpoint.startsWith("https://")) {
+      throw new Error("verify_endpoint must be an HTTPS URL");
+    }
+  }
+  if (obj.receipt_versions !== void 0) {
+    if (!Array.isArray(obj.receipt_versions)) {
+      throw new Error("receipt_versions must be an array");
     }
-    const discoveryText = await discoveryResp.text();
-    const jwksLine = discoveryText.split("\n").find((line) => line.startsWith("jwks:"));
-    if (!jwksLine) {
-      throw new Error("No jwks field in discovery");
+  }
+  if (obj.algorithms !== void 0) {
+    if (!Array.isArray(obj.algorithms)) {
+      throw new Error("algorithms must be an array");
     }
-    const jwksUrl = jwksLine.replace("jwks:", "").trim();
-    if (!jwksUrl.startsWith("https://")) {
-      throw new Error("JWKS URL must be https://");
+  }
+  if (obj.payment_rails !== void 0) {
+    if (!Array.isArray(obj.payment_rails)) {
+      throw new Error("payment_rails must be an array");
     }
-    const jwksResp = await fetch(jwksUrl, {
+  }
+  return {
+    version: obj.version,
+    issuer: obj.issuer,
+    jwks_uri: obj.jwks_uri,
+    verify_endpoint: obj.verify_endpoint,
+    receipt_versions: obj.receipt_versions,
+    algorithms: obj.algorithms,
+    payment_rails: obj.payment_rails,
+    security_contact: obj.security_contact
+  };
+}
+async function fetchIssuerConfig(issuerUrl) {
+  if (!issuerUrl.startsWith("https://")) {
+    throw new Error("Issuer URL must be https://");
+  }
+  const baseUrl = issuerUrl.replace(/\/$/, "");
+  const configUrl = `${baseUrl}${PEAC_ISSUER_CONFIG_PATH}`;
+  try {
+    const resp = await fetch(configUrl, {
       headers: { Accept: "application/json" },
-      signal: AbortSignal.timeout(5e3)
+      signal: AbortSignal.timeout(1e4)
     });
-    if (!jwksResp.ok) {
-      throw new Error(`JWKS fetch failed: ${jwksResp.status}`);
+    if (!resp.ok) {
+      throw new Error(`Issuer config fetch failed: ${resp.status}`);
+    }
+    const text = await resp.text();
+    const config = parseIssuerConfig(text);
+    const normalizedExpected = baseUrl.replace(/\/$/, "");
+    const normalizedActual = config.issuer.replace(/\/$/, "");
+    if (normalizedActual !== normalizedExpected) {
+      throw new Error(`Issuer mismatch: expected ${normalizedExpected}, got ${normalizedActual}`);
     }
-    const jwks = await jwksResp.json();
-    return jwks;
+    return config;
   } catch (err) {
-    throw new Error(`JWKS fetch failed: ${err instanceof Error ? err.message : String(err)}`, {
-      cause: err
-    });
+    throw new Error(
+      `Failed to fetch issuer config from ${issuerUrl}: ${err instanceof Error ? err.message : String(err)}`,
+      { cause: err }
+    );
   }
 }
-async function getJWKS(issuerUrl) {
-  const now = Date.now();
-  const cached = jwksCache.get(issuerUrl);
-  if (cached && cached.expiresAt > now) {
-    return { jwks: cached.keys, fromCache: true };
-  }
-  const jwks = await fetchJWKS(issuerUrl);
-  jwksCache.set(issuerUrl, {
-    keys: jwks,
-    expiresAt: now + CACHE_TTL_MS
-  });
-  return { jwks, fromCache: false };
+function isJsonContent(text, contentType) {
+  if (contentType?.includes("application/json")) {
+    return true;
+  }
+  const firstChar = text.trimStart()[0];
+  return firstChar === "{";
 }
-function jwkToPublicKey(jwk) {
-  if (jwk.kty !== "OKP" || jwk.crv !== "Ed25519") {
-    throw new Error("Only Ed25519 keys (OKP/Ed25519) are supported");
+function parsePolicyManifest(text, contentType) {
+  const bytes = new TextEncoder().encode(text).length;
+  if (bytes > PEAC_POLICY_MAX_BYTES) {
+    throw new Error(`Policy manifest exceeds ${PEAC_POLICY_MAX_BYTES} bytes (got ${bytes})`);
   }
-  const xBytes = Buffer.from(jwk.x, "base64url");
-  if (xBytes.length !== 32) {
-    throw new Error("Ed25519 public key must be 32 bytes");
+  let manifest;
+  if (isJsonContent(text, contentType)) {
+    try {
+      manifest = JSON.parse(text);
+    } catch {
+      throw new Error("Policy manifest is not valid JSON");
+    }
+  } else {
+    manifest = parseSimpleYaml(text);
   }
-  return new Uint8Array(xBytes);
+  if (typeof manifest.version !== "string" || !manifest.version) {
+    throw new Error("Missing required field: version");
+  }
+  if (!manifest.version.startsWith("peac-policy/")) {
+    throw new Error(
+      `Invalid version format: "${manifest.version}". Must start with "peac-policy/" (e.g., "peac-policy/0.1")`
+    );
+  }
+  if (manifest.usage !== "open" && manifest.usage !== "conditional") {
+    throw new Error('Missing or invalid field: usage (must be "open" or "conditional")');
+  }
+  return {
+    version: manifest.version,
+    usage: manifest.usage,
+    purposes: manifest.purposes,
+    receipts: manifest.receipts,
+    attribution: manifest.attribution,
+    rate_limit: manifest.rate_limit,
+    daily_limit: manifest.daily_limit,
+    negotiate: manifest.negotiate,
+    contact: manifest.contact,
+    license: manifest.license,
+    price: manifest.price,
+    currency: manifest.currency,
+    payment_methods: manifest.payment_methods,
+    payment_endpoint: manifest.payment_endpoint
+  };
 }
-async function verifyReceipt(optionsOrJws) {
-  const receiptJws = typeof optionsOrJws === "string" ? optionsOrJws : optionsOrJws.receiptJws;
-  const inputSnapshot = typeof optionsOrJws === "string" ? void 0 : optionsOrJws.subject_snapshot;
-  const telemetry = typeof optionsOrJws === "string" ? void 0 : optionsOrJws.telemetry;
-  const startTime = performance.now();
-  let jwksFetchTime;
+function parseSimpleYaml(text) {
+  const lines = text.split("\n");
+  const result = {};
+  if (text.includes("<<:")) {
+    throw new Error("YAML merge keys are not allowed");
+  }
+  if (text.includes("&") || text.includes("*")) {
+    throw new Error("YAML anchors and aliases are not allowed");
+  }
+  if (/!\w+/.test(text)) {
+    throw new Error("YAML custom tags are not allowed");
+  }
+  const docSeparators = text.match(/^---$/gm);
+  if (docSeparators && docSeparators.length > 1) {
+    throw new Error("Multi-document YAML is not allowed");
+  }
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#") || trimmed === "---") {
+      continue;
+    }
+    const colonIndex = trimmed.indexOf(":");
+    if (colonIndex === -1) continue;
+    const key = trimmed.slice(0, colonIndex).trim();
+    let value = trimmed.slice(colonIndex + 1).trim();
+    if (value === "") {
+      value = void 0;
+    } else if (typeof value === "string") {
+      if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
+        value = value.slice(1, -1);
+      } else if (value.startsWith("[") && value.endsWith("]")) {
+        const inner = value.slice(1, -1);
+        value = inner.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
+      } else if (/^-?\d+(\.\d+)?$/.test(value)) {
+        value = parseFloat(value);
+      } else if (value === "true") {
+        value = true;
+      } else if (value === "false") {
+        value = false;
+      }
+    }
+    if (value !== void 0) {
+      result[key] = value;
+    }
+  }
+  return result;
+}
+async function fetchPolicyManifest(baseUrl) {
+  if (!baseUrl.startsWith("https://") && !baseUrl.startsWith("http://localhost")) {
+    throw new Error("Base URL must be https://");
+  }
+  const normalizedBase = baseUrl.replace(/\/$/, "");
+  const primaryUrl = `${normalizedBase}${PEAC_POLICY_PATH}`;
+  const fallbackUrl = `${normalizedBase}${PEAC_POLICY_FALLBACK_PATH}`;
   try {
-    const { header, payload } = decode(receiptJws);
-    const constraintResult = validateKernelConstraints(payload);
-    if (!constraintResult.valid) {
-      const v = constraintResult.violations[0];
-      return {
-        ok: false,
-        reason: "constraint_violation",
-        details: `Kernel constraint violated: ${v.constraint} (actual: ${v.actual}, limit: ${v.limit})`
-      };
+    const resp = await fetch(primaryUrl, {
+      headers: { Accept: "text/plain, application/json" },
+      signal: AbortSignal.timeout(5e3)
+    });
+    if (resp.ok) {
+      const text = await resp.text();
+      const contentType = resp.headers.get("content-type") || void 0;
+      return parsePolicyManifest(text, contentType);
     }
-    ReceiptClaims.parse(payload);
-    if (payload.exp && payload.exp < Math.floor(Date.now() / 1e3)) {
-      const durationMs = performance.now() - startTime;
-      fireTelemetryHook(telemetry?.onReceiptVerified, {
-        receiptHash: hashReceipt(receiptJws),
-        valid: false,
-        reasonCode: "expired",
-        issuer: payload.iss,
-        kid: header.kid,
-        durationMs
+    if (resp.status === 404) {
+      const fallbackResp = await fetch(fallbackUrl, {
+        headers: { Accept: "text/plain, application/json" },
+        signal: AbortSignal.timeout(5e3)
       });
-      return {
-        ok: false,
-        reason: "expired",
-        details: `Receipt expired at ${new Date(payload.exp * 1e3).toISOString()}`
-      };
-    }
-    const jwksFetchStart = performance.now();
-    const { jwks, fromCache } = await getJWKS(payload.iss);
-    if (!fromCache) {
-      jwksFetchTime = performance.now() - jwksFetchStart;
+      if (fallbackResp.ok) {
+        const text = await fallbackResp.text();
+        const contentType = fallbackResp.headers.get("content-type") || void 0;
+        return parsePolicyManifest(text, contentType);
+      }
+      throw new Error("Policy manifest not found at primary or fallback location");
     }
-    const jwk = jwks.keys.find((k) => k.kid === header.kid);
-    if (!jwk) {
-      const durationMs = performance.now() - startTime;
-      fireTelemetryHook(telemetry?.onReceiptVerified, {
-        receiptHash: hashReceipt(receiptJws),
-        valid: false,
-        reasonCode: "unknown_key",
-        issuer: payload.iss,
-        kid: header.kid,
-        durationMs
-      });
-      return {
-        ok: false,
-        reason: "unknown_key",
-        details: `No key found with kid=${header.kid}`
-      };
+    throw new Error(`Policy manifest fetch failed: ${resp.status}`);
+  } catch (err) {
+    throw new Error(
+      `Failed to fetch policy manifest from ${baseUrl}: ${err instanceof Error ? err.message : String(err)}`,
+      { cause: err }
+    );
+  }
+}
+function parseDiscovery(text) {
+  const bytes = new TextEncoder().encode(text).length;
+  if (bytes > 2e3) {
+    throw new Error(`Discovery manifest exceeds 2000 bytes (got ${bytes})`);
+  }
+  const lines = text.trim().split("\n");
+  if (lines.length > 20) {
+    throw new Error(`Discovery manifest exceeds 20 lines (got ${lines.length})`);
+  }
+  const discovery = {};
+  for (const line of lines) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) {
+      continue;
     }
-    const publicKey = jwkToPublicKey(jwk);
-    const result = await verify(receiptJws, publicKey);
-    if (!result.valid) {
-      const durationMs = performance.now() - startTime;
-      fireTelemetryHook(telemetry?.onReceiptVerified, {
-        receiptHash: hashReceipt(receiptJws),
-        valid: false,
-        reasonCode: "invalid_signature",
-        issuer: payload.iss,
-        kid: header.kid,
-        durationMs
-      });
-      return {
-        ok: false,
-        reason: "invalid_signature",
-        details: "Ed25519 signature verification failed"
-      };
+    if (trimmed.includes(":")) {
+      const [key, ...valueParts] = trimmed.split(":");
+      const value = valueParts.join(":").trim();
+      switch (key.trim()) {
+        case "version":
+          discovery.version = value;
+          break;
+        case "issuer":
+          discovery.issuer = value;
+          break;
+        case "verify":
+          discovery.verify_endpoint = value;
+          break;
+        case "jwks":
+          discovery.jwks_uri = value;
+          break;
+        case "security":
+          discovery.security_contact = value;
+          break;
+      }
     }
-    const validatedSnapshot = validateSubjectSnapshot(inputSnapshot);
-    const verifyTime = performance.now() - startTime;
-    fireTelemetryHook(telemetry?.onReceiptVerified, {
-      receiptHash: hashReceipt(receiptJws),
-      valid: true,
-      issuer: payload.iss,
-      kid: header.kid,
-      durationMs: verifyTime
+  }
+  if (!discovery.version) throw new Error("Missing required field: version");
+  if (!discovery.issuer) throw new Error("Missing required field: issuer");
+  if (!discovery.verify_endpoint) throw new Error("Missing required field: verify");
+  if (!discovery.jwks_uri) throw new Error("Missing required field: jwks");
+  return discovery;
+}
+async function fetchDiscovery(issuerUrl) {
+  if (!issuerUrl.startsWith("https://")) {
+    throw new Error("Issuer URL must be https://");
+  }
+  const discoveryUrl = `${issuerUrl}/.well-known/peac.txt`;
+  try {
+    const resp = await fetch(discoveryUrl, {
+      headers: { Accept: "text/plain" },
+      signal: AbortSignal.timeout(5e3)
     });
+    if (!resp.ok) {
+      throw new Error(`Discovery fetch failed: ${resp.status}`);
+    }
+    const text = await resp.text();
+    return parseDiscovery(text);
+  } catch (err) {
+    throw new Error(
+      `Failed to fetch discovery from ${issuerUrl}: ${err instanceof Error ? err.message : String(err)}`,
+      { cause: err }
+    );
+  }
+}
+var cachedCapabilities = null;
+function getSSRFCapabilities() {
+  if (cachedCapabilities) {
+    return cachedCapabilities;
+  }
+  cachedCapabilities = detectCapabilities();
+  return cachedCapabilities;
+}
+function detectCapabilities() {
+  if (typeof process !== "undefined" && process.versions?.node) {
     return {
-      ok: true,
-      claims: payload,
-      ...validatedSnapshot && { subject_snapshot: validatedSnapshot },
-      perf: {
-        verify_ms: verifyTime,
-        ...jwksFetchTime && { jwks_fetch_ms: jwksFetchTime }
-      }
+      runtime: "node",
+      dnsPreResolution: true,
+      ipBlocking: true,
+      networkIsolation: false,
+      protectionLevel: "full",
+      notes: [
+        "Full SSRF protection available via Node.js dns module",
+        "DNS resolution checked before HTTP connection",
+        "All RFC 1918 private ranges blocked"
+      ]
     };
-  } catch (err) {
-    const durationMs = performance.now() - startTime;
-    fireTelemetryHook(telemetry?.onReceiptVerified, {
-      receiptHash: hashReceipt(receiptJws),
-      valid: false,
-      reasonCode: "verification_error",
-      durationMs
-    });
+  }
+  if (typeof process !== "undefined" && process.versions?.bun) {
     return {
-      ok: false,
-      reason: "verification_error",
-      details: err instanceof Error ? err.message : String(err)
+      runtime: "bun",
+      dnsPreResolution: true,
+      ipBlocking: true,
+      networkIsolation: false,
+      protectionLevel: "full",
+      notes: [
+        "Full SSRF protection available via Bun dns compatibility",
+        "DNS resolution checked before HTTP connection"
+      ]
+    };
+  }
+  if (typeof globalThis !== "undefined" && "Deno" in globalThis) {
+    return {
+      runtime: "deno",
+      dnsPreResolution: false,
+      ipBlocking: false,
+      networkIsolation: false,
+      protectionLevel: "partial",
+      notes: [
+        "DNS pre-resolution not available in Deno by default",
+        "SSRF protection limited to URL validation and response limits",
+        "Consider using Deno.connect with hostname resolution for enhanced protection"
+      ]
+    };
+  }
+  if (typeof globalThis !== "undefined" && typeof globalThis.caches !== "undefined" && typeof globalThis.HTMLRewriter !== "undefined") {
+    return {
+      runtime: "cloudflare-workers",
+      dnsPreResolution: false,
+      ipBlocking: false,
+      networkIsolation: true,
+      protectionLevel: "partial",
+      notes: [
+        "Cloudflare Workers provide network-level isolation",
+        "DNS pre-resolution not available in Workers runtime",
+        "CF network blocks many SSRF vectors at infrastructure level",
+        "SSRF protection supplemented by URL validation and response limits"
+      ]
+    };
+  }
+  const g = globalThis;
+  if (typeof g.window !== "undefined" || typeof g.document !== "undefined") {
+    return {
+      runtime: "browser",
+      dnsPreResolution: false,
+      ipBlocking: false,
+      networkIsolation: false,
+      protectionLevel: "minimal",
+      notes: [
+        "Browser environment detected; DNS pre-resolution not available",
+        "SSRF protection limited to URL scheme validation",
+        "Consider validating URLs server-side before browser fetch",
+        "Same-origin policy provides some protection against SSRF"
+      ]
     };
   }
+  return {
+    runtime: "edge-generic",
+    dnsPreResolution: false,
+    ipBlocking: false,
+    networkIsolation: false,
+    protectionLevel: "partial",
+    notes: [
+      "Edge runtime detected; DNS pre-resolution may not be available",
+      "SSRF protection limited to URL validation and response limits",
+      "Verify runtime provides additional network-level protections"
+    ]
+  };
 }
-function isCryptoError(err) {
-  return err !== null && typeof err === "object" && "name" in err && err.name === "CryptoError" && "code" in err && typeof err.code === "string" && err.code.startsWith("CRYPTO_") && "message" in err && typeof err.message === "string";
+function resetSSRFCapabilitiesCache() {
+  cachedCapabilities = null;
 }
-var FORMAT_ERROR_CODES = /* @__PURE__ */ new Set([
-  "CRYPTO_INVALID_JWS_FORMAT",
-  "CRYPTO_INVALID_TYP",
-  "CRYPTO_INVALID_ALG",
-  "CRYPTO_INVALID_KEY_LENGTH"
-]);
-var MAX_PARSE_ISSUES = 25;
-function sanitizeParseIssues(issues) {
-  if (!Array.isArray(issues)) return void 0;
-  return issues.slice(0, MAX_PARSE_ISSUES).map((issue2) => ({
-    path: Array.isArray(issue2?.path) ? issue2.path.join(".") : "",
-    message: typeof issue2?.message === "string" ? issue2.message : String(issue2)
-  }));
+function parseIPv4(ip) {
+  const parts = ip.split(".");
+  if (parts.length !== 4) return null;
+  const octets = [];
+  for (const part of parts) {
+    const num = parseInt(part, 10);
+    if (isNaN(num) || num < 0 || num > 255) return null;
+    octets.push(num);
+  }
+  return { octets };
 }
-async function verifyLocal(jws, publicKey, options = {}) {
-  const { issuer, audience, subjectUri, rid, requireExp = false, maxClockSkew = 300 } = options;
-  const now = options.now ?? Math.floor(Date.now() / 1e3);
-  try {
-    const result = await verify(jws, publicKey);
-    if (!result.valid) {
-      return {
-        valid: false,
-        code: "E_INVALID_SIGNATURE",
-        message: "Ed25519 signature verification failed"
-      };
-    }
-    const constraintResult = validateKernelConstraints(result.payload);
-    if (!constraintResult.valid) {
-      const v = constraintResult.violations[0];
-      return {
-        valid: false,
-        code: "E_CONSTRAINT_VIOLATION",
-        message: `Kernel constraint violated: ${v.constraint} (actual: ${v.actual}, limit: ${v.limit})`
-      };
-    }
-    const pr = parseReceiptClaims(result.payload);
-    if (!pr.ok) {
-      return {
-        valid: false,
-        code: "E_INVALID_FORMAT",
-        message: `Receipt schema validation failed: ${pr.error.message}`,
-        details: { parse_code: pr.error.code, issues: sanitizeParseIssues(pr.error.issues) }
-      };
-    }
-    if (issuer !== void 0 && pr.claims.iss !== issuer) {
-      return {
-        valid: false,
-        code: "E_INVALID_ISSUER",
-        message: `Issuer mismatch: expected "${issuer}", got "${pr.claims.iss}"`
-      };
-    }
-    if (audience !== void 0 && pr.claims.aud !== audience) {
-      return {
-        valid: false,
-        code: "E_INVALID_AUDIENCE",
-        message: `Audience mismatch: expected "${audience}", got "${pr.claims.aud}"`
-      };
-    }
-    if (rid !== void 0 && pr.claims.rid !== rid) {
-      return {
-        valid: false,
-        code: "E_INVALID_RECEIPT_ID",
-        message: `Receipt ID mismatch: expected "${rid}", got "${pr.claims.rid}"`
-      };
-    }
-    if (requireExp && pr.claims.exp === void 0) {
-      return {
-        valid: false,
-        code: "E_MISSING_EXP",
-        message: "Receipt missing required exp claim"
-      };
+function isInCIDR(ip, cidr) {
+  const [rangeStr, maskStr] = cidr.split("/");
+  const range = parseIPv4(rangeStr);
+  if (!range) return false;
+  const maskBits = parseInt(maskStr, 10);
+  if (isNaN(maskBits) || maskBits < 0 || maskBits > 32) return false;
+  const ipNum = ip.octets[0] << 24 | ip.octets[1] << 16 | ip.octets[2] << 8 | ip.octets[3];
+  const rangeNum = range.octets[0] << 24 | range.octets[1] << 16 | range.octets[2] << 8 | range.octets[3];
+  const mask = maskBits === 0 ? 0 : ~((1 << 32 - maskBits) - 1);
+  return (ipNum & mask) === (rangeNum & mask);
+}
+function isIPv6Loopback(ip) {
+  const normalized = ip.toLowerCase().replace(/^::ffff:/, "");
+  return normalized === "::1" || normalized === "0:0:0:0:0:0:0:1";
+}
+function isIPv6LinkLocal(ip) {
+  const normalized = ip.toLowerCase();
+  return normalized.startsWith("fe8") || normalized.startsWith("fe9") || normalized.startsWith("fea") || normalized.startsWith("feb");
+}
+function isBlockedIP(ip) {
+  const ipv4Match = ip.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/i);
+  const effectiveIP = ipv4Match ? ipv4Match[1] : ip;
+  const ipv4 = parseIPv4(effectiveIP);
+  if (ipv4) {
+    if (isInCIDR(ipv4, "10.0.0.0/8") || isInCIDR(ipv4, "172.16.0.0/12") || isInCIDR(ipv4, "192.168.0.0/16")) {
+      return { blocked: true, reason: "private_ip" };
     }
-    if (pr.claims.iat > now + maxClockSkew) {
-      return {
-        valid: false,
-        code: "E_NOT_YET_VALID",
-        message: `Receipt not yet valid: issued at ${new Date(pr.claims.iat * 1e3).toISOString()}, now is ${new Date(now * 1e3).toISOString()}`
-      };
+    if (isInCIDR(ipv4, "127.0.0.0/8")) {
+      return { blocked: true, reason: "loopback" };
     }
-    if (pr.claims.exp !== void 0 && pr.claims.exp < now - maxClockSkew) {
-      return {
-        valid: false,
-        code: "E_EXPIRED",
-        message: `Receipt expired at ${new Date(pr.claims.exp * 1e3).toISOString()}`
-      };
+    if (isInCIDR(ipv4, "169.254.0.0/16")) {
+      return { blocked: true, reason: "link_local" };
     }
-    if (pr.variant === "commerce") {
-      const claims = pr.claims;
-      if (subjectUri !== void 0 && claims.subject?.uri !== subjectUri) {
-        return {
-          valid: false,
-          code: "E_INVALID_SUBJECT",
-          message: `Subject mismatch: expected "${subjectUri}", got "${claims.subject?.uri ?? "undefined"}"`
-        };
+    return { blocked: false };
+  }
+  if (isIPv6Loopback(ip)) {
+    return { blocked: true, reason: "loopback" };
+  }
+  if (isIPv6LinkLocal(ip)) {
+    return { blocked: true, reason: "link_local" };
+  }
+  return { blocked: false };
+}
+async function resolveHostname(hostname) {
+  if (typeof process !== "undefined" && process.versions?.node) {
+    try {
+      const dns = await import('dns');
+      const { promisify } = await import('util');
+      const resolve4 = promisify(dns.resolve4);
+      const resolve6 = promisify(dns.resolve6);
+      const results = [];
+      let ipv4Error = null;
+      let ipv6Error = null;
+      try {
+        const ipv4 = await resolve4(hostname);
+        results.push(...ipv4);
+      } catch (err) {
+        ipv4Error = err;
       }
-      return {
-        valid: true,
-        variant: "commerce",
-        claims,
-        kid: result.header.kid,
-        policy_binding: "unavailable"
-      };
-    } else {
-      const claims = pr.claims;
-      if (subjectUri !== void 0 && claims.sub !== subjectUri) {
-        return {
-          valid: false,
-          code: "E_INVALID_SUBJECT",
-          message: `Subject mismatch: expected "${subjectUri}", got "${claims.sub ?? "undefined"}"`
-        };
+      try {
+        const ipv6 = await resolve6(hostname);
+        results.push(...ipv6);
+      } catch (err) {
+        ipv6Error = err;
       }
-      return {
-        valid: true,
-        variant: "attestation",
-        claims,
-        kid: result.header.kid,
-        policy_binding: "unavailable"
-      };
-    }
-  } catch (err) {
-    if (isCryptoError(err)) {
-      if (FORMAT_ERROR_CODES.has(err.code)) {
-        return {
-          valid: false,
-          code: "E_INVALID_FORMAT",
-          message: err.message
-        };
+      if (results.length > 0) {
+        return { ok: true, ips: results, browser: false };
       }
-      if (err.code === "CRYPTO_INVALID_SIGNATURE") {
+      if (ipv4Error && ipv6Error) {
         return {
-          valid: false,
-          code: "E_INVALID_SIGNATURE",
-          message: err.message
+          ok: false,
+          message: `DNS resolution failed for ${hostname}: ${ipv4Error.message}`
         };
       }
+      return { ok: true, ips: [], browser: false };
+    } catch (err) {
+      return {
+        ok: false,
+        message: `DNS resolution error: ${err instanceof Error ? err.message : String(err)}`
+      };
     }
-    if (err !== null && typeof err === "object" && "name" in err && err.name === "SyntaxError") {
-      const syntaxMessage = "message" in err && typeof err.message === "string" ? err.message : "Invalid JSON";
+  }
+  return { ok: true, ips: [], browser: true };
+}
+async function ssrfSafeFetch(url, options = {}) {
+  const {
+    timeoutMs = VERIFIER_LIMITS.fetchTimeoutMs,
+    maxBytes = VERIFIER_LIMITS.maxResponseBytes,
+    maxRedirects = 0,
+    allowRedirects = VERIFIER_NETWORK.allowRedirects,
+    allowCrossOriginRedirects = true,
+    // Default: allow for CDN compatibility
+    dnsFailureBehavior = "block",
+    // Default: fail-closed for security
+    headers = {}
+  } = options;
+  let parsedUrl;
+  try {
+    parsedUrl = new URL(url);
+  } catch {
+    return {
+      ok: false,
+      reason: "invalid_url",
+      message: `Invalid URL: ${url}`,
+      blockedUrl: url
+    };
+  }
+  if (parsedUrl.protocol !== "https:") {
+    return {
+      ok: false,
+      reason: "not_https",
+      message: `URL must use HTTPS: ${url}`,
+      blockedUrl: url
+    };
+  }
+  const dnsResult = await resolveHostname(parsedUrl.hostname);
+  if (!dnsResult.ok) {
+    if (dnsFailureBehavior === "block") {
       return {
-        valid: false,
-        code: "E_INVALID_FORMAT",
-        message: `Invalid receipt payload: ${syntaxMessage}`
+        ok: false,
+        reason: "dns_failure",
+        message: `DNS resolution blocked: ${dnsResult.message}`,
+        blockedUrl: url
       };
     }
-    const message = err instanceof Error ? err.message : String(err);
     return {
-      valid: false,
-      code: "E_INTERNAL",
-      message: `Unexpected verification error: ${message}`
+      ok: false,
+      reason: "network_error",
+      message: dnsResult.message,
+      blockedUrl: url
     };
   }
-}
-function isCommerceResult(r) {
-  return r.valid === true && r.variant === "commerce";
-}
-function isAttestationResult(r) {
-  return r.valid === true && r.variant === "attestation";
-}
-function setReceiptHeader(headers, receiptJws) {
-  headers.set(PEAC_RECEIPT_HEADER, receiptJws);
-}
-function getReceiptHeader(headers) {
-  return headers.get(PEAC_RECEIPT_HEADER);
-}
-function setVaryHeader(headers) {
-  const existing = headers.get("Vary");
-  if (existing) {
-    const varies = existing.split(",").map((v) => v.trim());
-    if (!varies.includes(PEAC_RECEIPT_HEADER)) {
-      headers.set("Vary", `${existing}, ${PEAC_RECEIPT_HEADER}`);
+  if (!dnsResult.browser) {
+    for (const ip of dnsResult.ips) {
+      const blockResult = isBlockedIP(ip);
+      if (blockResult.blocked) {
+        return {
+          ok: false,
+          reason: blockResult.reason,
+          message: `Blocked ${blockResult.reason} address: ${ip} for ${url}`,
+          blockedUrl: url
+        };
+      }
     }
-  } else {
-    headers.set("Vary", PEAC_RECEIPT_HEADER);
   }
-}
-function getPurposeHeader(headers) {
-  const value = headers.get(PEAC_PURPOSE_HEADER);
-  if (!value) {
-    return [];
-  }
-  return parsePurposeHeader(value);
-}
-function setPurposeAppliedHeader(headers, purpose) {
-  headers.set(PEAC_PURPOSE_APPLIED_HEADER, purpose);
-}
-function setPurposeReasonHeader(headers, reason) {
-  headers.set(PEAC_PURPOSE_REASON_HEADER, reason);
-}
-function setVaryPurposeHeader(headers) {
-  const existing = headers.get("Vary");
-  if (existing) {
-    const varies = existing.split(",").map((v) => v.trim());
-    if (!varies.includes(PEAC_PURPOSE_HEADER)) {
-      headers.set("Vary", `${existing}, ${PEAC_PURPOSE_HEADER}`);
-    }
-  } else {
-    headers.set("Vary", PEAC_PURPOSE_HEADER);
-  }
-}
-function parseIssuerConfig(json) {
-  let config;
-  if (typeof json === "string") {
-    const bytes = new TextEncoder().encode(json).length;
-    if (bytes > PEAC_ISSUER_CONFIG_MAX_BYTES) {
-      throw new Error(`Issuer config exceeds ${PEAC_ISSUER_CONFIG_MAX_BYTES} bytes (got ${bytes})`);
-    }
-    try {
-      config = JSON.parse(json);
-    } catch {
-      throw new Error("Issuer config is not valid JSON");
-    }
-  } else {
-    config = json;
-  }
-  if (typeof config !== "object" || config === null) {
-    throw new Error("Issuer config must be an object");
-  }
-  const obj = config;
-  if (typeof obj.version !== "string" || !obj.version) {
-    throw new Error("Missing required field: version");
-  }
-  if (typeof obj.issuer !== "string" || !obj.issuer) {
-    throw new Error("Missing required field: issuer");
-  }
-  if (typeof obj.jwks_uri !== "string" || !obj.jwks_uri) {
-    throw new Error("Missing required field: jwks_uri");
-  }
-  if (!obj.issuer.startsWith("https://")) {
-    throw new Error("issuer must be an HTTPS URL");
-  }
-  if (!obj.jwks_uri.startsWith("https://")) {
-    throw new Error("jwks_uri must be an HTTPS URL");
-  }
-  if (obj.verify_endpoint !== void 0) {
-    if (typeof obj.verify_endpoint !== "string") {
-      throw new Error("verify_endpoint must be a string");
-    }
-    if (!obj.verify_endpoint.startsWith("https://")) {
-      throw new Error("verify_endpoint must be an HTTPS URL");
-    }
-  }
-  if (obj.receipt_versions !== void 0) {
-    if (!Array.isArray(obj.receipt_versions)) {
-      throw new Error("receipt_versions must be an array");
-    }
-  }
-  if (obj.algorithms !== void 0) {
-    if (!Array.isArray(obj.algorithms)) {
-      throw new Error("algorithms must be an array");
-    }
-  }
-  if (obj.payment_rails !== void 0) {
-    if (!Array.isArray(obj.payment_rails)) {
-      throw new Error("payment_rails must be an array");
-    }
-  }
-  return {
-    version: obj.version,
-    issuer: obj.issuer,
-    jwks_uri: obj.jwks_uri,
-    verify_endpoint: obj.verify_endpoint,
-    receipt_versions: obj.receipt_versions,
-    algorithms: obj.algorithms,
-    payment_rails: obj.payment_rails,
-    security_contact: obj.security_contact
-  };
-}
-async function fetchIssuerConfig(issuerUrl) {
-  if (!issuerUrl.startsWith("https://")) {
-    throw new Error("Issuer URL must be https://");
-  }
-  const baseUrl = issuerUrl.replace(/\/$/, "");
-  const configUrl = `${baseUrl}${PEAC_ISSUER_CONFIG_PATH}`;
-  try {
-    const resp = await fetch(configUrl, {
-      headers: { Accept: "application/json" },
-      signal: AbortSignal.timeout(1e4)
-    });
-    if (!resp.ok) {
-      throw new Error(`Issuer config fetch failed: ${resp.status}`);
-    }
-    const text = await resp.text();
-    const config = parseIssuerConfig(text);
-    const normalizedExpected = baseUrl.replace(/\/$/, "");
-    const normalizedActual = config.issuer.replace(/\/$/, "");
-    if (normalizedActual !== normalizedExpected) {
-      throw new Error(`Issuer mismatch: expected ${normalizedExpected}, got ${normalizedActual}`);
-    }
-    return config;
-  } catch (err) {
-    throw new Error(
-      `Failed to fetch issuer config from ${issuerUrl}: ${err instanceof Error ? err.message : String(err)}`,
-      { cause: err }
-    );
-  }
-}
-function isJsonContent(text, contentType) {
-  if (contentType?.includes("application/json")) {
-    return true;
-  }
-  const firstChar = text.trimStart()[0];
-  return firstChar === "{";
-}
-function parsePolicyManifest(text, contentType) {
-  const bytes = new TextEncoder().encode(text).length;
-  if (bytes > PEAC_POLICY_MAX_BYTES) {
-    throw new Error(`Policy manifest exceeds ${PEAC_POLICY_MAX_BYTES} bytes (got ${bytes})`);
-  }
-  let manifest;
-  if (isJsonContent(text, contentType)) {
+  let redirectCount = 0;
+  let currentUrl = url;
+  const originalOrigin = parsedUrl.origin;
+  while (true) {
     try {
-      manifest = JSON.parse(text);
-    } catch {
-      throw new Error("Policy manifest is not valid JSON");
-    }
-  } else {
-    manifest = parseSimpleYaml(text);
-  }
-  if (typeof manifest.version !== "string" || !manifest.version) {
-    throw new Error("Missing required field: version");
-  }
-  if (!manifest.version.startsWith("peac-policy/")) {
-    throw new Error(
-      `Invalid version format: "${manifest.version}". Must start with "peac-policy/" (e.g., "peac-policy/0.1")`
-    );
-  }
-  if (manifest.usage !== "open" && manifest.usage !== "conditional") {
-    throw new Error('Missing or invalid field: usage (must be "open" or "conditional")');
-  }
-  return {
-    version: manifest.version,
-    usage: manifest.usage,
-    purposes: manifest.purposes,
-    receipts: manifest.receipts,
-    attribution: manifest.attribution,
-    rate_limit: manifest.rate_limit,
-    daily_limit: manifest.daily_limit,
-    negotiate: manifest.negotiate,
-    contact: manifest.contact,
-    license: manifest.license,
-    price: manifest.price,
-    currency: manifest.currency,
-    payment_methods: manifest.payment_methods,
-    payment_endpoint: manifest.payment_endpoint
-  };
-}
-function parseSimpleYaml(text) {
-  const lines = text.split("\n");
-  const result = {};
-  if (text.includes("<<:")) {
-    throw new Error("YAML merge keys are not allowed");
-  }
-  if (text.includes("&") || text.includes("*")) {
-    throw new Error("YAML anchors and aliases are not allowed");
-  }
-  if (/!\w+/.test(text)) {
-    throw new Error("YAML custom tags are not allowed");
-  }
-  const docSeparators = text.match(/^---$/gm);
-  if (docSeparators && docSeparators.length > 1) {
-    throw new Error("Multi-document YAML is not allowed");
-  }
-  for (const line of lines) {
-    const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith("#") || trimmed === "---") {
-      continue;
-    }
-    const colonIndex = trimmed.indexOf(":");
-    if (colonIndex === -1) continue;
-    const key = trimmed.slice(0, colonIndex).trim();
-    let value = trimmed.slice(colonIndex + 1).trim();
-    if (value === "") {
-      value = void 0;
-    } else if (typeof value === "string") {
-      if (value.startsWith('"') && value.endsWith('"') || value.startsWith("'") && value.endsWith("'")) {
-        value = value.slice(1, -1);
-      } else if (value.startsWith("[") && value.endsWith("]")) {
-        const inner = value.slice(1, -1);
-        value = inner.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
-      } else if (/^-?\d+(\.\d+)?$/.test(value)) {
-        value = parseFloat(value);
-      } else if (value === "true") {
-        value = true;
-      } else if (value === "false") {
-        value = false;
-      }
-    }
-    if (value !== void 0) {
-      result[key] = value;
-    }
-  }
-  return result;
-}
-async function fetchPolicyManifest(baseUrl) {
-  if (!baseUrl.startsWith("https://") && !baseUrl.startsWith("http://localhost")) {
-    throw new Error("Base URL must be https://");
-  }
-  const normalizedBase = baseUrl.replace(/\/$/, "");
-  const primaryUrl = `${normalizedBase}${PEAC_POLICY_PATH}`;
-  const fallbackUrl = `${normalizedBase}${PEAC_POLICY_FALLBACK_PATH}`;
-  try {
-    const resp = await fetch(primaryUrl, {
-      headers: { Accept: "text/plain, application/json" },
-      signal: AbortSignal.timeout(5e3)
-    });
-    if (resp.ok) {
-      const text = await resp.text();
-      const contentType = resp.headers.get("content-type") || void 0;
-      return parsePolicyManifest(text, contentType);
-    }
-    if (resp.status === 404) {
-      const fallbackResp = await fetch(fallbackUrl, {
-        headers: { Accept: "text/plain, application/json" },
-        signal: AbortSignal.timeout(5e3)
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+      const response = await fetch(currentUrl, {
+        headers: {
+          Accept: "application/json, text/plain",
+          ...headers
+        },
+        signal: controller.signal,
+        redirect: "manual"
+        // Handle redirects manually for security
       });
-      if (fallbackResp.ok) {
-        const text = await fallbackResp.text();
-        const contentType = fallbackResp.headers.get("content-type") || void 0;
-        return parsePolicyManifest(text, contentType);
+      clearTimeout(timeoutId);
+      if (response.status >= 300 && response.status < 400) {
+        const location = response.headers.get("location");
+        if (!location) {
+          return {
+            ok: false,
+            reason: "network_error",
+            message: `Redirect without Location header from ${currentUrl}`
+          };
+        }
+        if (!allowRedirects) {
+          return {
+            ok: false,
+            reason: "too_many_redirects",
+            message: `Redirects not allowed: ${currentUrl} -> ${location}`,
+            blockedUrl: location
+          };
+        }
+        redirectCount++;
+        if (redirectCount > maxRedirects) {
+          return {
+            ok: false,
+            reason: "too_many_redirects",
+            message: `Too many redirects (${redirectCount} > ${maxRedirects})`,
+            blockedUrl: location
+          };
+        }
+        let redirectUrl;
+        try {
+          redirectUrl = new URL(location, currentUrl);
+        } catch {
+          return {
+            ok: false,
+            reason: "invalid_url",
+            message: `Invalid redirect URL: ${location}`,
+            blockedUrl: location
+          };
+        }
+        if (redirectUrl.protocol !== "https:") {
+          return {
+            ok: false,
+            reason: "scheme_downgrade",
+            message: `HTTPS to HTTP downgrade not allowed: ${currentUrl} -> ${redirectUrl.href}`,
+            blockedUrl: redirectUrl.href
+          };
+        }
+        if (redirectUrl.origin !== originalOrigin && !allowCrossOriginRedirects) {
+          return {
+            ok: false,
+            reason: "cross_origin_redirect",
+            message: `Cross-origin redirect not allowed: ${originalOrigin} -> ${redirectUrl.origin}`,
+            blockedUrl: redirectUrl.href
+          };
+        }
+        const redirectDnsResult = await resolveHostname(redirectUrl.hostname);
+        if (!redirectDnsResult.ok) {
+          if (dnsFailureBehavior === "block") {
+            return {
+              ok: false,
+              reason: "dns_failure",
+              message: `Redirect DNS resolution blocked: ${redirectDnsResult.message}`,
+              blockedUrl: redirectUrl.href
+            };
+          }
+          return {
+            ok: false,
+            reason: "network_error",
+            message: redirectDnsResult.message,
+            blockedUrl: redirectUrl.href
+          };
+        }
+        if (!redirectDnsResult.browser) {
+          for (const ip of redirectDnsResult.ips) {
+            const blockResult = isBlockedIP(ip);
+            if (blockResult.blocked) {
+              return {
+                ok: false,
+                reason: blockResult.reason,
+                message: `Redirect to blocked ${blockResult.reason} address: ${ip}`,
+                blockedUrl: redirectUrl.href
+              };
+            }
+          }
+        }
+        currentUrl = redirectUrl.href;
+        continue;
       }
-      throw new Error("Policy manifest not found at primary or fallback location");
+      const contentLength = response.headers.get("content-length");
+      if (contentLength && parseInt(contentLength, 10) > maxBytes) {
+        return {
+          ok: false,
+          reason: "response_too_large",
+          message: `Response too large: ${contentLength} bytes > ${maxBytes} max`
+        };
+      }
+      const reader = response.body?.getReader();
+      if (!reader) {
+        const body2 = await response.text();
+        if (body2.length > maxBytes) {
+          return {
+            ok: false,
+            reason: "response_too_large",
+            message: `Response too large: ${body2.length} bytes > ${maxBytes} max`
+          };
+        }
+        const rawBytes2 = new TextEncoder().encode(body2);
+        return {
+          ok: true,
+          status: response.status,
+          body: body2,
+          rawBytes: rawBytes2,
+          contentType: response.headers.get("content-type") ?? void 0
+        };
+      }
+      const chunks = [];
+      let totalSize = 0;
+      while (true) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        totalSize += value.length;
+        if (totalSize > maxBytes) {
+          reader.cancel();
+          return {
+            ok: false,
+            reason: "response_too_large",
+            message: `Response too large: ${totalSize} bytes > ${maxBytes} max`
+          };
+        }
+        chunks.push(value);
+      }
+      const rawBytes = chunks.reduce((acc, chunk) => {
+        const result = new Uint8Array(acc.length + chunk.length);
+        result.set(acc);
+        result.set(chunk, acc.length);
+        return result;
+      }, new Uint8Array());
+      const body = new TextDecoder().decode(rawBytes);
+      return {
+        ok: true,
+        status: response.status,
+        body,
+        rawBytes,
+        contentType: response.headers.get("content-type") ?? void 0
+      };
+    } catch (err) {
+      if (err instanceof Error) {
+        if (err.name === "AbortError" || err.message.includes("timeout")) {
+          return {
+            ok: false,
+            reason: "timeout",
+            message: `Fetch timeout after ${timeoutMs}ms: ${currentUrl}`
+          };
+        }
+      }
+      return {
+        ok: false,
+        reason: "network_error",
+        message: `Network error: ${err instanceof Error ? err.message : String(err)}`
+      };
     }
-    throw new Error(`Policy manifest fetch failed: ${resp.status}`);
-  } catch (err) {
-    throw new Error(
-      `Failed to fetch policy manifest from ${baseUrl}: ${err instanceof Error ? err.message : String(err)}`,
-      { cause: err }
-    );
   }
 }
-function parseDiscovery(text) {
-  const bytes = new TextEncoder().encode(text).length;
-  if (bytes > 2e3) {
-    throw new Error(`Discovery manifest exceeds 2000 bytes (got ${bytes})`);
-  }
-  const lines = text.trim().split("\n");
-  if (lines.length > 20) {
-    throw new Error(`Discovery manifest exceeds 20 lines (got ${lines.length})`);
-  }
-  const discovery = {};
-  for (const line of lines) {
-    const trimmed = line.trim();
-    if (!trimmed || trimmed.startsWith("#")) {
-      continue;
+async function fetchJWKSSafe(jwksUrl, options) {
+  return ssrfSafeFetch(jwksUrl, {
+    ...options,
+    maxBytes: VERIFIER_LIMITS.maxJwksBytes,
+    headers: {
+      Accept: "application/json",
+      ...options?.headers
     }
-    if (trimmed.includes(":")) {
-      const [key, ...valueParts] = trimmed.split(":");
-      const value = valueParts.join(":").trim();
-      switch (key.trim()) {
-        case "version":
-          discovery.version = value;
-          break;
-        case "issuer":
-          discovery.issuer = value;
-          break;
-        case "verify":
-          discovery.verify_endpoint = value;
-          break;
-        case "jwks":
-          discovery.jwks_uri = value;
-          break;
-        case "security":
-          discovery.security_contact = value;
-          break;
-      }
+  });
+}
+async function fetchPointerSafe(pointerUrl, options) {
+  return ssrfSafeFetch(pointerUrl, {
+    ...options,
+    maxBytes: VERIFIER_LIMITS.maxReceiptBytes,
+    headers: {
+      Accept: "application/jose, application/json",
+      ...options?.headers
     }
-  }
-  if (!discovery.version) throw new Error("Missing required field: version");
-  if (!discovery.issuer) throw new Error("Missing required field: issuer");
-  if (!discovery.verify_endpoint) throw new Error("Missing required field: verify");
-  if (!discovery.jwks_uri) throw new Error("Missing required field: jwks");
-  return discovery;
+  });
 }
-async function fetchDiscovery(issuerUrl) {
-  if (!issuerUrl.startsWith("https://")) {
-    throw new Error("Issuer URL must be https://");
+// src/jwks-resolver.ts
+var DEFAULT_CACHE_TTL_MS = 5 * 60 * 1e3;
+var DEFAULT_MAX_CACHE_ENTRIES = 1e3;
+var jwksCache = /* @__PURE__ */ new Map();
+function cacheGet(key, now) {
+  const entry = jwksCache.get(key);
+  if (!entry) return void 0;
+  if (entry.expiresAt <= now) {
+    jwksCache.delete(key);
+    return void 0;
   }
-  const discoveryUrl = `${issuerUrl}/.well-known/peac.txt`;
-  try {
-    const resp = await fetch(discoveryUrl, {
-      headers: { Accept: "text/plain" },
-      signal: AbortSignal.timeout(5e3)
-    });
-    if (!resp.ok) {
-      throw new Error(`Discovery fetch failed: ${resp.status}`);
-    }
-    const text = await resp.text();
-    return parseDiscovery(text);
-  } catch (err) {
-    throw new Error(
-      `Failed to fetch discovery from ${issuerUrl}: ${err instanceof Error ? err.message : String(err)}`,
-      { cause: err }
-    );
+  jwksCache.delete(key);
+  jwksCache.set(key, entry);
+  return entry;
+}
+function cacheSet(key, entry, maxEntries) {
+  if (jwksCache.has(key)) jwksCache.delete(key);
+  jwksCache.set(key, entry);
+  while (jwksCache.size > maxEntries) {
+    const oldestKey = jwksCache.keys().next().value;
+    if (oldestKey !== void 0) jwksCache.delete(oldestKey);
   }
 }
-var DEFAULT_VERIFIER_LIMITS = {
-  max_receipt_bytes: VERIFIER_LIMITS.maxReceiptBytes,
-  max_jwks_bytes: VERIFIER_LIMITS.maxJwksBytes,
-  max_jwks_keys: VERIFIER_LIMITS.maxJwksKeys,
-  max_redirects: VERIFIER_LIMITS.maxRedirects,
-  fetch_timeout_ms: VERIFIER_LIMITS.fetchTimeoutMs,
-  max_extension_bytes: VERIFIER_LIMITS.maxExtensionBytes
-};
-var DEFAULT_NETWORK_SECURITY = {
-  https_only: VERIFIER_NETWORK.httpsOnly,
-  block_private_ips: VERIFIER_NETWORK.blockPrivateIps,
-  allow_redirects: VERIFIER_NETWORK.allowRedirects,
-  allow_cross_origin_redirects: true,
-  // Allow for CDN compatibility
-  dns_failure_behavior: "block"
-  // Fail-closed by default
-};
-function createDefaultPolicy(mode) {
-  return {
-    policy_version: VERIFIER_POLICY_VERSION,
-    mode,
-    limits: { ...DEFAULT_VERIFIER_LIMITS },
-    network: { ...DEFAULT_NETWORK_SECURITY }
-  };
+function clearJWKSCache() {
+  jwksCache.clear();
 }
-var CHECK_IDS = [
-  "jws.parse",
-  "limits.receipt_bytes",
-  "jws.protected_header",
-  "claims.schema_unverified",
-  "issuer.trust_policy",
-  "issuer.discovery",
-  "key.resolve",
-  "jws.signature",
-  "claims.time_window",
-  "extensions.limits",
-  "transport.profile_binding",
-  "policy.binding"
-];
-var NON_DETERMINISTIC_ARTIFACT_KEYS = [
-  "issuer_jwks_digest"
-];
-function createDigest(hexValue) {
-  return {
-    alg: "sha-256",
-    value: hexValue.toLowerCase()
-  };
+function getJWKSCacheSize() {
+  return jwksCache.size;
 }
-function createEmptyReport(policy) {
-  return {
-    report_version: VERIFICATION_REPORT_VERSION,
-    policy
-  };
+function canonicalizeIssuerOrigin(issuerUrl) {
+  try {
+    const origin = new URL(issuerUrl).origin;
+    if (origin === "null") {
+      return { ok: false, message: `Issuer URL has no valid origin: ${issuerUrl}` };
+    }
+    return { ok: true, origin };
+  } catch {
+    return { ok: false, message: `Issuer URL is not a valid URL: ${issuerUrl}` };
+  }
 }
-function ssrfErrorToReasonCode(ssrfReason, fetchType) {
-  const prefix = fetchType === "key" ? "key_fetch" : "pointer_fetch";
-  switch (ssrfReason) {
+function mapSSRFError(reason, context) {
+  let code;
+  switch (reason) {
     case "not_https":
+      code = "E_VERIFY_INSECURE_SCHEME_BLOCKED";
+      break;
     case "private_ip":
     case "loopback":
     case "link_local":
-    case "cross_origin_redirect":
-    case "dns_failure":
-      return `${prefix}_blocked`;
+      code = "E_VERIFY_KEY_FETCH_BLOCKED";
+      break;
     case "timeout":
-      return `${prefix}_timeout`;
+      code = "E_VERIFY_KEY_FETCH_TIMEOUT";
+      break;
     case "response_too_large":
-      return fetchType === "pointer" ? "pointer_fetch_too_large" : "jwks_too_large";
-    case "jwks_too_many_keys":
-      return "jwks_too_many_keys";
+      code = context === "jwks" ? "E_VERIFY_JWKS_TOO_LARGE" : "E_VERIFY_KEY_FETCH_FAILED";
+      break;
+    case "dns_failure":
+    case "network_error":
     case "too_many_redirects":
     case "scheme_downgrade":
-    case "network_error":
+    case "cross_origin_redirect":
     case "invalid_url":
+      code = context === "issuer_config" ? "E_VERIFY_ISSUER_CONFIG_MISSING" : "E_VERIFY_KEY_FETCH_FAILED";
+      break;
+    case "jwks_too_many_keys":
+      code = "E_VERIFY_JWKS_TOO_MANY_KEYS";
+      break;
     default:
-      return `${prefix}_failed`;
+      code = "E_VERIFY_KEY_FETCH_FAILED";
+      break;
   }
+  return { code, reason };
 }
-function reasonCodeToSeverity(reason) {
-  if (reason === "ok") return "info";
-  return "error";
-}
-function reasonCodeToErrorCode(reason) {
-  const mapping = {
-    ok: "",
-    receipt_too_large: "E_VERIFY_RECEIPT_TOO_LARGE",
-    malformed_receipt: "E_VERIFY_MALFORMED_RECEIPT",
-    signature_invalid: "E_VERIFY_SIGNATURE_INVALID",
-    issuer_not_allowed: "E_VERIFY_ISSUER_NOT_ALLOWED",
-    key_not_found: "E_VERIFY_KEY_NOT_FOUND",
-    key_fetch_blocked: "E_VERIFY_KEY_FETCH_BLOCKED",
-    key_fetch_failed: "E_VERIFY_KEY_FETCH_FAILED",
-    key_fetch_timeout: "E_VERIFY_KEY_FETCH_TIMEOUT",
-    pointer_fetch_blocked: "E_VERIFY_POINTER_FETCH_BLOCKED",
-    pointer_fetch_failed: "E_VERIFY_POINTER_FETCH_FAILED",
-    pointer_fetch_timeout: "E_VERIFY_POINTER_FETCH_TIMEOUT",
-    pointer_fetch_too_large: "E_VERIFY_POINTER_FETCH_TOO_LARGE",
-    pointer_digest_mismatch: "E_VERIFY_POINTER_DIGEST_MISMATCH",
-    jwks_too_large: "E_VERIFY_JWKS_TOO_LARGE",
-    jwks_too_many_keys: "E_VERIFY_JWKS_TOO_MANY_KEYS",
-    expired: "E_VERIFY_EXPIRED",
-    not_yet_valid: "E_VERIFY_NOT_YET_VALID",
-    audience_mismatch: "E_VERIFY_AUDIENCE_MISMATCH",
-    schema_invalid: "E_VERIFY_SCHEMA_INVALID",
-    policy_violation: "E_VERIFY_POLICY_VIOLATION",
-    extension_too_large: "E_VERIFY_EXTENSION_TOO_LARGE",
-    invalid_transport: "E_VERIFY_INVALID_TRANSPORT"
-  };
-  return mapping[reason] || "E_VERIFY_POLICY_VIOLATION";
-}
-var cachedCapabilities = null;
-function getSSRFCapabilities() {
-  if (cachedCapabilities) {
-    return cachedCapabilities;
+async function resolveJWKS(issuerUrl, options) {
+  const cacheTtlMs = options?.cacheTtlMs ?? DEFAULT_CACHE_TTL_MS;
+  const maxCacheEntries = options?.maxCacheEntries ?? DEFAULT_MAX_CACHE_ENTRIES;
+  const noCache = options?.noCache ?? false;
+  const normalized = canonicalizeIssuerOrigin(issuerUrl);
+  if (!normalized.ok) {
+    return {
+      ok: false,
+      code: "E_VERIFY_ISSUER_CONFIG_INVALID",
+      message: normalized.message,
+      blockedUrl: issuerUrl
+    };
   }
-  cachedCapabilities = detectCapabilities();
-  return cachedCapabilities;
-}
-function detectCapabilities() {
-  if (typeof process !== "undefined" && process.versions?.node) {
+  const normalizedIssuer = normalized.origin;
+  const now = Date.now();
+  if (!noCache) {
+    const cached = cacheGet(normalizedIssuer, now);
+    if (cached) {
+      return { ok: true, jwks: cached.jwks, fromCache: true };
+    }
+  }
+  if (!normalizedIssuer.startsWith("https://")) {
     return {
-      runtime: "node",
-      dnsPreResolution: true,
-      ipBlocking: true,
-      networkIsolation: false,
-      protectionLevel: "full",
-      notes: [
-        "Full SSRF protection available via Node.js dns module",
-        "DNS resolution checked before HTTP connection",
-        "All RFC 1918 private ranges blocked"
-      ]
+      ok: false,
+      code: "E_VERIFY_INSECURE_SCHEME_BLOCKED",
+      message: `Issuer URL must be HTTPS: ${normalizedIssuer}`,
+      blockedUrl: normalizedIssuer
     };
   }
-  if (typeof process !== "undefined" && process.versions?.bun) {
+  const configUrl = `${normalizedIssuer}/.well-known/peac-issuer.json`;
+  const configResult = await ssrfSafeFetch(configUrl, {
+    maxBytes: PEAC_ISSUER_CONFIG_MAX_BYTES,
+    headers: { Accept: "application/json" }
+  });
+  if (!configResult.ok) {
+    const mapped = mapSSRFError(configResult.reason, "issuer_config");
     return {
-      runtime: "bun",
-      dnsPreResolution: true,
-      ipBlocking: true,
-      networkIsolation: false,
-      protectionLevel: "full",
-      notes: [
-        "Full SSRF protection available via Bun dns compatibility",
-        "DNS resolution checked before HTTP connection"
-      ]
+      ok: false,
+      code: mapped.code,
+      message: `Failed to fetch peac-issuer.json: ${configResult.message}`,
+      reason: mapped.reason,
+      blockedUrl: configResult.blockedUrl
     };
   }
-  if (typeof globalThis !== "undefined" && "Deno" in globalThis) {
+  let issuerConfig;
+  try {
+    issuerConfig = parseIssuerConfig(configResult.body);
+  } catch (err) {
     return {
-      runtime: "deno",
-      dnsPreResolution: false,
-      ipBlocking: false,
-      networkIsolation: false,
-      protectionLevel: "partial",
-      notes: [
-        "DNS pre-resolution not available in Deno by default",
-        "SSRF protection limited to URL validation and response limits",
-        "Consider using Deno.connect with hostname resolution for enhanced protection"
-      ]
+      ok: false,
+      code: "E_VERIFY_ISSUER_CONFIG_INVALID",
+      message: `Invalid peac-issuer.json: ${err instanceof Error ? err.message : String(err)}`
     };
   }
-  if (typeof globalThis !== "undefined" && typeof globalThis.caches !== "undefined" && typeof globalThis.HTMLRewriter !== "undefined") {
+  const configIssuerResult = canonicalizeIssuerOrigin(issuerConfig.issuer);
+  const configIssuer = configIssuerResult.ok ? configIssuerResult.origin : issuerConfig.issuer;
+  if (configIssuer !== normalizedIssuer) {
+    return {
+      ok: false,
+      code: "E_VERIFY_ISSUER_MISMATCH",
+      message: `Issuer mismatch: expected ${normalizedIssuer}, got ${configIssuer}`
+    };
+  }
+  if (!issuerConfig.jwks_uri) {
+    return {
+      ok: false,
+      code: "E_VERIFY_JWKS_URI_INVALID",
+      message: "peac-issuer.json missing required jwks_uri field"
+    };
+  }
+  if (!issuerConfig.jwks_uri.startsWith("https://")) {
+    return {
+      ok: false,
+      code: "E_VERIFY_JWKS_URI_INVALID",
+      message: `jwks_uri must be HTTPS: ${issuerConfig.jwks_uri}`,
+      blockedUrl: issuerConfig.jwks_uri
+    };
+  }
+  const jwksResult = await fetchJWKSSafe(issuerConfig.jwks_uri);
+  if (!jwksResult.ok) {
+    const mapped = mapSSRFError(jwksResult.reason, "jwks");
+    return {
+      ok: false,
+      code: mapped.code,
+      message: `Failed to fetch JWKS from ${issuerConfig.jwks_uri}: ${jwksResult.message}`,
+      reason: mapped.reason,
+      blockedUrl: jwksResult.blockedUrl
+    };
+  }
+  let jwks;
+  try {
+    jwks = JSON.parse(jwksResult.body);
+  } catch {
+    return {
+      ok: false,
+      code: "E_VERIFY_JWKS_INVALID",
+      message: "JWKS response is not valid JSON"
+    };
+  }
+  if (!jwks.keys || !Array.isArray(jwks.keys)) {
+    return {
+      ok: false,
+      code: "E_VERIFY_JWKS_INVALID",
+      message: "JWKS missing required keys array"
+    };
+  }
+  if (jwks.keys.length > VERIFIER_LIMITS.maxJwksKeys) {
+    return {
+      ok: false,
+      code: "E_VERIFY_JWKS_TOO_MANY_KEYS",
+      message: `JWKS has too many keys: ${jwks.keys.length} > ${VERIFIER_LIMITS.maxJwksKeys}`
+    };
+  }
+  if (!noCache) {
+    cacheSet(normalizedIssuer, { jwks, expiresAt: now + cacheTtlMs }, maxCacheEntries);
+  }
+  return {
+    ok: true,
+    jwks,
+    fromCache: false,
+    rawBytes: jwksResult.rawBytes
+  };
+}
+// src/verify.ts
+function jwkToPublicKey(jwk) {
+  if (jwk.kty !== "OKP" || jwk.crv !== "Ed25519") {
+    throw new Error("Only Ed25519 keys (OKP/Ed25519) are supported");
+  }
+  const xBytes = Buffer.from(jwk.x, "base64url");
+  if (xBytes.length !== 32) {
+    throw new Error("Ed25519 public key must be 32 bytes");
+  }
+  return new Uint8Array(xBytes);
+}
+async function verifyReceipt(optionsOrJws) {
+  const receiptJws = typeof optionsOrJws === "string" ? optionsOrJws : optionsOrJws.receiptJws;
+  const inputSnapshot = typeof optionsOrJws === "string" ? void 0 : optionsOrJws.subject_snapshot;
+  const telemetry = typeof optionsOrJws === "string" ? void 0 : optionsOrJws.telemetry;
+  const startTime = performance.now();
+  let jwksFetchTime;
+  try {
+    const { header, payload } = decode(receiptJws);
+    const constraintResult = validateKernelConstraints(payload);
+    if (!constraintResult.valid) {
+      const v = constraintResult.violations[0];
+      return {
+        ok: false,
+        reason: "constraint_violation",
+        details: `Kernel constraint violated: ${v.constraint} (actual: ${v.actual}, limit: ${v.limit})`
+      };
+    }
+    ReceiptClaims.parse(payload);
+    if (payload.exp && payload.exp < Math.floor(Date.now() / 1e3)) {
+      const durationMs = performance.now() - startTime;
+      fireTelemetryHook(telemetry?.onReceiptVerified, {
+        receiptHash: hashReceipt(receiptJws),
+        valid: false,
+        reasonCode: "expired",
+        issuer: payload.iss,
+        kid: header.kid,
+        durationMs
+      });
+      return {
+        ok: false,
+        reason: "expired",
+        details: `Receipt expired at ${new Date(payload.exp * 1e3).toISOString()}`
+      };
+    }
+    const jwksFetchStart = performance.now();
+    const jwksResult = await resolveJWKS(payload.iss);
+    if (!jwksResult.ok) {
+      return {
+        ok: false,
+        reason: jwksResult.code,
+        details: jwksResult.message
+      };
+    }
+    if (!jwksResult.fromCache) {
+      jwksFetchTime = performance.now() - jwksFetchStart;
+    }
+    const jwk = jwksResult.jwks.keys.find((k) => k.kid === header.kid);
+    if (!jwk) {
+      const durationMs = performance.now() - startTime;
+      fireTelemetryHook(telemetry?.onReceiptVerified, {
+        receiptHash: hashReceipt(receiptJws),
+        valid: false,
+        reasonCode: "unknown_key",
+        issuer: payload.iss,
+        kid: header.kid,
+        durationMs
+      });
+      return {
+        ok: false,
+        reason: "unknown_key",
+        details: `No key found with kid=${header.kid}`
+      };
+    }
+    const publicKey = jwkToPublicKey(jwk);
+    const result = await verify(receiptJws, publicKey);
+    if (!result.valid) {
+      const durationMs = performance.now() - startTime;
+      fireTelemetryHook(telemetry?.onReceiptVerified, {
+        receiptHash: hashReceipt(receiptJws),
+        valid: false,
+        reasonCode: "invalid_signature",
+        issuer: payload.iss,
+        kid: header.kid,
+        durationMs
+      });
+      return {
+        ok: false,
+        reason: "invalid_signature",
+        details: "Ed25519 signature verification failed"
+      };
+    }
+    const validatedSnapshot = validateSubjectSnapshot(inputSnapshot);
+    const verifyTime = performance.now() - startTime;
+    fireTelemetryHook(telemetry?.onReceiptVerified, {
+      receiptHash: hashReceipt(receiptJws),
+      valid: true,
+      issuer: payload.iss,
+      kid: header.kid,
+      durationMs: verifyTime
+    });
     return {
-      runtime: "cloudflare-workers",
-      dnsPreResolution: false,
-      ipBlocking: false,
-      networkIsolation: true,
-      protectionLevel: "partial",
-      notes: [
-        "Cloudflare Workers provide network-level isolation",
-        "DNS pre-resolution not available in Workers runtime",
-        "CF network blocks many SSRF vectors at infrastructure level",
-        "SSRF protection supplemented by URL validation and response limits"
-      ]
+      ok: true,
+      claims: payload,
+      ...validatedSnapshot && { subject_snapshot: validatedSnapshot },
+      perf: {
+        verify_ms: verifyTime,
+        ...jwksFetchTime && { jwks_fetch_ms: jwksFetchTime }
+      }
     };
-  }
-  const g = globalThis;
-  if (typeof g.window !== "undefined" || typeof g.document !== "undefined") {
+  } catch (err) {
+    const durationMs = performance.now() - startTime;
+    fireTelemetryHook(telemetry?.onReceiptVerified, {
+      receiptHash: hashReceipt(receiptJws),
+      valid: false,
+      reasonCode: "verification_error",
+      durationMs
+    });
     return {
-      runtime: "browser",
-      dnsPreResolution: false,
-      ipBlocking: false,
-      networkIsolation: false,
-      protectionLevel: "minimal",
-      notes: [
-        "Browser environment detected; DNS pre-resolution not available",
-        "SSRF protection limited to URL scheme validation",
-        "Consider validating URLs server-side before browser fetch",
-        "Same-origin policy provides some protection against SSRF"
-      ]
+      ok: false,
+      reason: "verification_error",
+      details: err instanceof Error ? err.message : String(err)
     };
   }
-  return {
-    runtime: "edge-generic",
-    dnsPreResolution: false,
-    ipBlocking: false,
-    networkIsolation: false,
-    protectionLevel: "partial",
-    notes: [
-      "Edge runtime detected; DNS pre-resolution may not be available",
-      "SSRF protection limited to URL validation and response limits",
-      "Verify runtime provides additional network-level protections"
-    ]
-  };
-}
-function resetSSRFCapabilitiesCache() {
-  cachedCapabilities = null;
-}
-function parseIPv4(ip) {
-  const parts = ip.split(".");
-  if (parts.length !== 4) return null;
-  const octets = [];
-  for (const part of parts) {
-    const num = parseInt(part, 10);
-    if (isNaN(num) || num < 0 || num > 255) return null;
-    octets.push(num);
-  }
-  return { octets };
-}
-function isInCIDR(ip, cidr) {
-  const [rangeStr, maskStr] = cidr.split("/");
-  const range = parseIPv4(rangeStr);
-  if (!range) return false;
-  const maskBits = parseInt(maskStr, 10);
-  if (isNaN(maskBits) || maskBits < 0 || maskBits > 32) return false;
-  const ipNum = ip.octets[0] << 24 | ip.octets[1] << 16 | ip.octets[2] << 8 | ip.octets[3];
-  const rangeNum = range.octets[0] << 24 | range.octets[1] << 16 | range.octets[2] << 8 | range.octets[3];
-  const mask = maskBits === 0 ? 0 : ~((1 << 32 - maskBits) - 1);
-  return (ipNum & mask) === (rangeNum & mask);
 }
-function isIPv6Loopback(ip) {
-  const normalized = ip.toLowerCase().replace(/^::ffff:/, "");
-  return normalized === "::1" || normalized === "0:0:0:0:0:0:0:1";
+function isCryptoError(err) {
+  return err !== null && typeof err === "object" && "name" in err && err.name === "CryptoError" && "code" in err && typeof err.code === "string" && err.code.startsWith("CRYPTO_") && "message" in err && typeof err.message === "string";
 }
-function isIPv6LinkLocal(ip) {
-  const normalized = ip.toLowerCase();
-  return normalized.startsWith("fe8") || normalized.startsWith("fe9") || normalized.startsWith("fea") || normalized.startsWith("feb");
+var FORMAT_ERROR_CODES = /* @__PURE__ */ new Set([
+  "CRYPTO_INVALID_JWS_FORMAT",
+  "CRYPTO_INVALID_TYP",
+  "CRYPTO_INVALID_ALG",
+  "CRYPTO_INVALID_KEY_LENGTH"
+]);
+var MAX_PARSE_ISSUES = 25;
+function sanitizeParseIssues(issues) {
+  if (!Array.isArray(issues)) return void 0;
+  return issues.slice(0, MAX_PARSE_ISSUES).map((issue2) => ({
+    path: Array.isArray(issue2?.path) ? issue2.path.join(".") : "",
+    message: typeof issue2?.message === "string" ? issue2.message : String(issue2)
+  }));
 }
-function isBlockedIP(ip) {
-  const ipv4Match = ip.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/i);
-  const effectiveIP = ipv4Match ? ipv4Match[1] : ip;
-  const ipv4 = parseIPv4(effectiveIP);
-  if (ipv4) {
-    if (isInCIDR(ipv4, "10.0.0.0/8") || isInCIDR(ipv4, "172.16.0.0/12") || isInCIDR(ipv4, "192.168.0.0/16")) {
-      return { blocked: true, reason: "private_ip" };
+async function verifyLocal(jws, publicKey, options = {}) {
+  const { issuer, audience, subjectUri, rid, requireExp = false, maxClockSkew = 300 } = options;
+  const now = options.now ?? Math.floor(Date.now() / 1e3);
+  try {
+    const result = await verify(jws, publicKey);
+    if (!result.valid) {
+      return {
+        valid: false,
+        code: "E_INVALID_SIGNATURE",
+        message: "Ed25519 signature verification failed"
+      };
     }
-    if (isInCIDR(ipv4, "127.0.0.0/8")) {
-      return { blocked: true, reason: "loopback" };
+    const constraintResult = validateKernelConstraints(result.payload);
+    if (!constraintResult.valid) {
+      const v = constraintResult.violations[0];
+      return {
+        valid: false,
+        code: "E_CONSTRAINT_VIOLATION",
+        message: `Kernel constraint violated: ${v.constraint} (actual: ${v.actual}, limit: ${v.limit})`
+      };
     }
-    if (isInCIDR(ipv4, "169.254.0.0/16")) {
-      return { blocked: true, reason: "link_local" };
+    const pr = parseReceiptClaims(result.payload);
+    if (!pr.ok) {
+      return {
+        valid: false,
+        code: "E_INVALID_FORMAT",
+        message: `Receipt schema validation failed: ${pr.error.message}`,
+        details: { parse_code: pr.error.code, issues: sanitizeParseIssues(pr.error.issues) }
+      };
     }
-    return { blocked: false };
-  }
-  if (isIPv6Loopback(ip)) {
-    return { blocked: true, reason: "loopback" };
-  }
-  if (isIPv6LinkLocal(ip)) {
-    return { blocked: true, reason: "link_local" };
-  }
-  return { blocked: false };
-}
-async function resolveHostname(hostname) {
-  if (typeof process !== "undefined" && process.versions?.node) {
-    try {
-      const dns = await import('dns');
-      const { promisify } = await import('util');
-      const resolve4 = promisify(dns.resolve4);
-      const resolve6 = promisify(dns.resolve6);
-      const results = [];
-      let ipv4Error = null;
-      let ipv6Error = null;
-      try {
-        const ipv4 = await resolve4(hostname);
-        results.push(...ipv4);
-      } catch (err) {
-        ipv4Error = err;
-      }
-      try {
-        const ipv6 = await resolve6(hostname);
-        results.push(...ipv6);
-      } catch (err) {
-        ipv6Error = err;
-      }
-      if (results.length > 0) {
-        return { ok: true, ips: results, browser: false };
-      }
-      if (ipv4Error && ipv6Error) {
-        return {
-          ok: false,
-          message: `DNS resolution failed for ${hostname}: ${ipv4Error.message}`
-        };
-      }
-      return { ok: true, ips: [], browser: false };
-    } catch (err) {
+    if (issuer !== void 0 && pr.claims.iss !== issuer) {
+      return {
+        valid: false,
+        code: "E_INVALID_ISSUER",
+        message: `Issuer mismatch: expected "${issuer}", got "${pr.claims.iss}"`
+      };
+    }
+    if (audience !== void 0 && pr.claims.aud !== audience) {
       return {
-        ok: false,
-        message: `DNS resolution error: ${err instanceof Error ? err.message : String(err)}`
+        valid: false,
+        code: "E_INVALID_AUDIENCE",
+        message: `Audience mismatch: expected "${audience}", got "${pr.claims.aud}"`
       };
     }
-  }
-  return { ok: true, ips: [], browser: true };
-}
-async function ssrfSafeFetch(url, options = {}) {
-  const {
-    timeoutMs = VERIFIER_LIMITS.fetchTimeoutMs,
-    maxBytes = VERIFIER_LIMITS.maxResponseBytes,
-    maxRedirects = 0,
-    allowRedirects = VERIFIER_NETWORK.allowRedirects,
-    allowCrossOriginRedirects = true,
-    // Default: allow for CDN compatibility
-    dnsFailureBehavior = "block",
-    // Default: fail-closed for security
-    headers = {}
-  } = options;
-  let parsedUrl;
-  try {
-    parsedUrl = new URL(url);
-  } catch {
-    return {
-      ok: false,
-      reason: "invalid_url",
-      message: `Invalid URL: ${url}`,
-      blockedUrl: url
-    };
-  }
-  if (parsedUrl.protocol !== "https:") {
-    return {
-      ok: false,
-      reason: "not_https",
-      message: `URL must use HTTPS: ${url}`,
-      blockedUrl: url
-    };
-  }
-  const dnsResult = await resolveHostname(parsedUrl.hostname);
-  if (!dnsResult.ok) {
-    if (dnsFailureBehavior === "block") {
+    if (rid !== void 0 && pr.claims.rid !== rid) {
       return {
-        ok: false,
-        reason: "dns_failure",
-        message: `DNS resolution blocked: ${dnsResult.message}`,
-        blockedUrl: url
+        valid: false,
+        code: "E_INVALID_RECEIPT_ID",
+        message: `Receipt ID mismatch: expected "${rid}", got "${pr.claims.rid}"`
       };
     }
-    return {
-      ok: false,
-      reason: "network_error",
-      message: dnsResult.message,
-      blockedUrl: url
-    };
-  }
-  if (!dnsResult.browser) {
-    for (const ip of dnsResult.ips) {
-      const blockResult = isBlockedIP(ip);
-      if (blockResult.blocked) {
-        return {
-          ok: false,
-          reason: blockResult.reason,
-          message: `Blocked ${blockResult.reason} address: ${ip} for ${url}`,
-          blockedUrl: url
-        };
-      }
+    if (requireExp && pr.claims.exp === void 0) {
+      return {
+        valid: false,
+        code: "E_MISSING_EXP",
+        message: "Receipt missing required exp claim"
+      };
     }
-  }
-  let redirectCount = 0;
-  let currentUrl = url;
-  const originalOrigin = parsedUrl.origin;
-  while (true) {
-    try {
-      const controller = new AbortController();
-      const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
-      const response = await fetch(currentUrl, {
-        headers: {
-          Accept: "application/json, text/plain",
-          ...headers
-        },
-        signal: controller.signal,
-        redirect: "manual"
-        // Handle redirects manually for security
-      });
-      clearTimeout(timeoutId);
-      if (response.status >= 300 && response.status < 400) {
-        const location = response.headers.get("location");
-        if (!location) {
-          return {
-            ok: false,
-            reason: "network_error",
-            message: `Redirect without Location header from ${currentUrl}`
-          };
-        }
-        if (!allowRedirects) {
-          return {
-            ok: false,
-            reason: "too_many_redirects",
-            message: `Redirects not allowed: ${currentUrl} -> ${location}`,
-            blockedUrl: location
-          };
-        }
-        redirectCount++;
-        if (redirectCount > maxRedirects) {
-          return {
-            ok: false,
-            reason: "too_many_redirects",
-            message: `Too many redirects (${redirectCount} > ${maxRedirects})`,
-            blockedUrl: location
-          };
-        }
-        let redirectUrl;
-        try {
-          redirectUrl = new URL(location, currentUrl);
-        } catch {
-          return {
-            ok: false,
-            reason: "invalid_url",
-            message: `Invalid redirect URL: ${location}`,
-            blockedUrl: location
-          };
-        }
-        if (redirectUrl.protocol !== "https:") {
-          return {
-            ok: false,
-            reason: "scheme_downgrade",
-            message: `HTTPS to HTTP downgrade not allowed: ${currentUrl} -> ${redirectUrl.href}`,
-            blockedUrl: redirectUrl.href
-          };
-        }
-        if (redirectUrl.origin !== originalOrigin && !allowCrossOriginRedirects) {
-          return {
-            ok: false,
-            reason: "cross_origin_redirect",
-            message: `Cross-origin redirect not allowed: ${originalOrigin} -> ${redirectUrl.origin}`,
-            blockedUrl: redirectUrl.href
-          };
-        }
-        const redirectDnsResult = await resolveHostname(redirectUrl.hostname);
-        if (!redirectDnsResult.ok) {
-          if (dnsFailureBehavior === "block") {
-            return {
-              ok: false,
-              reason: "dns_failure",
-              message: `Redirect DNS resolution blocked: ${redirectDnsResult.message}`,
-              blockedUrl: redirectUrl.href
-            };
-          }
-          return {
-            ok: false,
-            reason: "network_error",
-            message: redirectDnsResult.message,
-            blockedUrl: redirectUrl.href
-          };
-        }
-        if (!redirectDnsResult.browser) {
-          for (const ip of redirectDnsResult.ips) {
-            const blockResult = isBlockedIP(ip);
-            if (blockResult.blocked) {
-              return {
-                ok: false,
-                reason: blockResult.reason,
-                message: `Redirect to blocked ${blockResult.reason} address: ${ip}`,
-                blockedUrl: redirectUrl.href
-              };
-            }
-          }
-        }
-        currentUrl = redirectUrl.href;
-        continue;
-      }
-      const contentLength = response.headers.get("content-length");
-      if (contentLength && parseInt(contentLength, 10) > maxBytes) {
+    if (pr.claims.iat > now + maxClockSkew) {
+      return {
+        valid: false,
+        code: "E_NOT_YET_VALID",
+        message: `Receipt not yet valid: issued at ${new Date(pr.claims.iat * 1e3).toISOString()}, now is ${new Date(now * 1e3).toISOString()}`
+      };
+    }
+    if (pr.claims.exp !== void 0 && pr.claims.exp < now - maxClockSkew) {
+      return {
+        valid: false,
+        code: "E_EXPIRED",
+        message: `Receipt expired at ${new Date(pr.claims.exp * 1e3).toISOString()}`
+      };
+    }
+    if (pr.variant === "commerce") {
+      const claims = pr.claims;
+      if (subjectUri !== void 0 && claims.subject?.uri !== subjectUri) {
         return {
-          ok: false,
-          reason: "response_too_large",
-          message: `Response too large: ${contentLength} bytes > ${maxBytes} max`
+          valid: false,
+          code: "E_INVALID_SUBJECT",
+          message: `Subject mismatch: expected "${subjectUri}", got "${claims.subject?.uri ?? "undefined"}"`
         };
       }
-      const reader = response.body?.getReader();
-      if (!reader) {
-        const body2 = await response.text();
-        if (body2.length > maxBytes) {
-          return {
-            ok: false,
-            reason: "response_too_large",
-            message: `Response too large: ${body2.length} bytes > ${maxBytes} max`
-          };
-        }
-        const rawBytes2 = new TextEncoder().encode(body2);
+      return {
+        valid: true,
+        variant: "commerce",
+        claims,
+        kid: result.header.kid,
+        policy_binding: "unavailable"
+      };
+    } else {
+      const claims = pr.claims;
+      if (subjectUri !== void 0 && claims.sub !== subjectUri) {
         return {
-          ok: true,
-          status: response.status,
-          body: body2,
-          rawBytes: rawBytes2,
-          contentType: response.headers.get("content-type") ?? void 0
-        };
-      }
-      const chunks = [];
-      let totalSize = 0;
-      while (true) {
-        const { done, value } = await reader.read();
-        if (done) break;
-        totalSize += value.length;
-        if (totalSize > maxBytes) {
-          reader.cancel();
-          return {
-            ok: false,
-            reason: "response_too_large",
-            message: `Response too large: ${totalSize} bytes > ${maxBytes} max`
-          };
-        }
-        chunks.push(value);
-      }
-      const rawBytes = chunks.reduce((acc, chunk) => {
-        const result = new Uint8Array(acc.length + chunk.length);
-        result.set(acc);
-        result.set(chunk, acc.length);
-        return result;
-      }, new Uint8Array());
-      const body = new TextDecoder().decode(rawBytes);
+          valid: false,
+          code: "E_INVALID_SUBJECT",
+          message: `Subject mismatch: expected "${subjectUri}", got "${claims.sub ?? "undefined"}"`
+        };
+      }
       return {
-        ok: true,
-        status: response.status,
-        body,
-        rawBytes,
-        contentType: response.headers.get("content-type") ?? void 0
+        valid: true,
+        variant: "attestation",
+        claims,
+        kid: result.header.kid,
+        policy_binding: "unavailable"
       };
-    } catch (err) {
-      if (err instanceof Error) {
-        if (err.name === "AbortError" || err.message.includes("timeout")) {
-          return {
-            ok: false,
-            reason: "timeout",
-            message: `Fetch timeout after ${timeoutMs}ms: ${currentUrl}`
-          };
-        }
+    }
+  } catch (err) {
+    if (isCryptoError(err)) {
+      if (FORMAT_ERROR_CODES.has(err.code)) {
+        return {
+          valid: false,
+          code: "E_INVALID_FORMAT",
+          message: err.message
+        };
+      }
+      if (err.code === "CRYPTO_INVALID_SIGNATURE") {
+        return {
+          valid: false,
+          code: "E_INVALID_SIGNATURE",
+          message: err.message
+        };
       }
+    }
+    if (err !== null && typeof err === "object" && "name" in err && err.name === "SyntaxError") {
+      const syntaxMessage = "message" in err && typeof err.message === "string" ? err.message : "Invalid JSON";
       return {
-        ok: false,
-        reason: "network_error",
-        message: `Network error: ${err instanceof Error ? err.message : String(err)}`
+        valid: false,
+        code: "E_INVALID_FORMAT",
+        message: `Invalid receipt payload: ${syntaxMessage}`
       };
     }
+    const message = err instanceof Error ? err.message : String(err);
+    return {
+      valid: false,
+      code: "E_INTERNAL",
+      message: `Unexpected verification error: ${message}`
+    };
   }
 }
-async function fetchJWKSSafe(jwksUrl, options) {
-  return ssrfSafeFetch(jwksUrl, {
-    ...options,
-    maxBytes: VERIFIER_LIMITS.maxJwksBytes,
-    headers: {
-      Accept: "application/json",
-      ...options?.headers
+function isCommerceResult(r) {
+  return r.valid === true && r.variant === "commerce";
+}
+function isAttestationResult(r) {
+  return r.valid === true && r.variant === "attestation";
+}
+function setReceiptHeader(headers, receiptJws) {
+  headers.set(PEAC_RECEIPT_HEADER, receiptJws);
+}
+function getReceiptHeader(headers) {
+  return headers.get(PEAC_RECEIPT_HEADER);
+}
+function setVaryHeader(headers) {
+  const existing = headers.get("Vary");
+  if (existing) {
+    const varies = existing.split(",").map((v) => v.trim());
+    if (!varies.includes(PEAC_RECEIPT_HEADER)) {
+      headers.set("Vary", `${existing}, ${PEAC_RECEIPT_HEADER}`);
     }
-  });
+  } else {
+    headers.set("Vary", PEAC_RECEIPT_HEADER);
+  }
 }
-async function fetchPointerSafe(pointerUrl, options) {
-  return ssrfSafeFetch(pointerUrl, {
-    ...options,
-    maxBytes: VERIFIER_LIMITS.maxReceiptBytes,
-    headers: {
-      Accept: "application/jose, application/json",
-      ...options?.headers
+function getPurposeHeader(headers) {
+  const value = headers.get(PEAC_PURPOSE_HEADER);
+  if (!value) {
+    return [];
+  }
+  return parsePurposeHeader(value);
+}
+function setPurposeAppliedHeader(headers, purpose) {
+  headers.set(PEAC_PURPOSE_APPLIED_HEADER, purpose);
+}
+function setPurposeReasonHeader(headers, reason) {
+  headers.set(PEAC_PURPOSE_REASON_HEADER, reason);
+}
+function setVaryPurposeHeader(headers) {
+  const existing = headers.get("Vary");
+  if (existing) {
+    const varies = existing.split(",").map((v) => v.trim());
+    if (!varies.includes(PEAC_PURPOSE_HEADER)) {
+      headers.set("Vary", `${existing}, ${PEAC_PURPOSE_HEADER}`);
     }
-  });
+  } else {
+    headers.set("Vary", PEAC_PURPOSE_HEADER);
+  }
+}
+var DEFAULT_VERIFIER_LIMITS = {
+  max_receipt_bytes: VERIFIER_LIMITS.maxReceiptBytes,
+  max_jwks_bytes: VERIFIER_LIMITS.maxJwksBytes,
+  max_jwks_keys: VERIFIER_LIMITS.maxJwksKeys,
+  max_redirects: VERIFIER_LIMITS.maxRedirects,
+  fetch_timeout_ms: VERIFIER_LIMITS.fetchTimeoutMs,
+  max_extension_bytes: VERIFIER_LIMITS.maxExtensionBytes
+};
+var DEFAULT_NETWORK_SECURITY = {
+  https_only: VERIFIER_NETWORK.httpsOnly,
+  block_private_ips: VERIFIER_NETWORK.blockPrivateIps,
+  allow_redirects: VERIFIER_NETWORK.allowRedirects,
+  allow_cross_origin_redirects: true,
+  // Allow for CDN compatibility
+  dns_failure_behavior: "block"
+  // Fail-closed by default
+};
+function createDefaultPolicy(mode) {
+  return {
+    policy_version: VERIFIER_POLICY_VERSION,
+    mode,
+    limits: { ...DEFAULT_VERIFIER_LIMITS },
+    network: { ...DEFAULT_NETWORK_SECURITY }
+  };
+}
+var CHECK_IDS = [
+  "jws.parse",
+  "limits.receipt_bytes",
+  "jws.protected_header",
+  "claims.schema_unverified",
+  "issuer.trust_policy",
+  "issuer.discovery",
+  "key.resolve",
+  "jws.signature",
+  "claims.time_window",
+  "extensions.limits",
+  "transport.profile_binding",
+  "policy.binding"
+];
+var NON_DETERMINISTIC_ARTIFACT_KEYS = [
+  "issuer_jwks_digest"
+];
+function createDigest(hexValue) {
+  return {
+    alg: "sha-256",
+    value: hexValue.toLowerCase()
+  };
+}
+function createEmptyReport(policy) {
+  return {
+    report_version: VERIFICATION_REPORT_VERSION,
+    policy
+  };
+}
+function ssrfErrorToReasonCode(ssrfReason, fetchType) {
+  const prefix = fetchType === "key" ? "key_fetch" : "pointer_fetch";
+  switch (ssrfReason) {
+    case "not_https":
+    case "private_ip":
+    case "loopback":
+    case "link_local":
+    case "cross_origin_redirect":
+    case "dns_failure":
+      return `${prefix}_blocked`;
+    case "timeout":
+      return `${prefix}_timeout`;
+    case "response_too_large":
+      return fetchType === "pointer" ? "pointer_fetch_too_large" : "jwks_too_large";
+    case "jwks_too_many_keys":
+      return "jwks_too_many_keys";
+    case "too_many_redirects":
+    case "scheme_downgrade":
+    case "network_error":
+    case "invalid_url":
+    default:
+      return `${prefix}_failed`;
+  }
+}
+function reasonCodeToSeverity(reason) {
+  if (reason === "ok") return "info";
+  return "error";
+}
+function reasonCodeToErrorCode(reason) {
+  const mapping = {
+    ok: "",
+    receipt_too_large: "E_VERIFY_RECEIPT_TOO_LARGE",
+    malformed_receipt: "E_VERIFY_MALFORMED_RECEIPT",
+    signature_invalid: "E_VERIFY_SIGNATURE_INVALID",
+    issuer_not_allowed: "E_VERIFY_ISSUER_NOT_ALLOWED",
+    key_not_found: "E_VERIFY_KEY_NOT_FOUND",
+    key_fetch_blocked: "E_VERIFY_KEY_FETCH_BLOCKED",
+    key_fetch_failed: "E_VERIFY_KEY_FETCH_FAILED",
+    key_fetch_timeout: "E_VERIFY_KEY_FETCH_TIMEOUT",
+    pointer_fetch_blocked: "E_VERIFY_POINTER_FETCH_BLOCKED",
+    pointer_fetch_failed: "E_VERIFY_POINTER_FETCH_FAILED",
+    pointer_fetch_timeout: "E_VERIFY_POINTER_FETCH_TIMEOUT",
+    pointer_fetch_too_large: "E_VERIFY_POINTER_FETCH_TOO_LARGE",
+    pointer_digest_mismatch: "E_VERIFY_POINTER_DIGEST_MISMATCH",
+    jwks_too_large: "E_VERIFY_JWKS_TOO_LARGE",
+    jwks_too_many_keys: "E_VERIFY_JWKS_TOO_MANY_KEYS",
+    expired: "E_VERIFY_EXPIRED",
+    not_yet_valid: "E_VERIFY_NOT_YET_VALID",
+    audience_mismatch: "E_VERIFY_AUDIENCE_MISMATCH",
+    schema_invalid: "E_VERIFY_SCHEMA_INVALID",
+    policy_violation: "E_VERIFY_POLICY_VIOLATION",
+    extension_too_large: "E_VERIFY_EXTENSION_TOO_LARGE",
+    invalid_transport: "E_VERIFY_INVALID_TRANSPORT"
+  };
+  return mapping[reason] || "E_VERIFY_POLICY_VIOLATION";
 }
 var VerificationReportBuilder = class {
   state;
@@ -1674,8 +1830,6 @@ async function buildSuccessReport(policy, receiptBytes, issuer, kid, checkDetail
 }
 // src/verifier-core.ts
-var jwksCache2 = /* @__PURE__ */ new Map();
-var CACHE_TTL_MS2 = 5 * 60 * 1e3;
 function normalizeIssuer(issuer) {
   try {
     const url = new URL(issuer);
@@ -1701,75 +1855,23 @@ function findPinnedKey(issuer, kid, pinnedKeys) {
   const normalizedIssuer = normalizeIssuer(issuer);
   return pinnedKeys.find((pk) => normalizeIssuer(pk.issuer) === normalizedIssuer && pk.kid === kid);
 }
-async function fetchIssuerConfig2(issuerOrigin) {
-  const configUrl = `${issuerOrigin}/.well-known/peac-issuer.json`;
-  const result = await ssrfSafeFetch(configUrl, {
-    maxBytes: 65536,
-    // 64 KB
-    headers: { Accept: "application/json" }
-  });
-  if (!result.ok) {
-    return null;
-  }
-  try {
-    return JSON.parse(result.body);
-  } catch {
-    return null;
-  }
-}
 async function fetchIssuerJWKS(issuerOrigin) {
-  const now = Date.now();
-  const cached = jwksCache2.get(issuerOrigin);
-  if (cached && cached.expiresAt > now) {
-    return { jwks: cached.jwks, fromCache: true };
-  }
-  const config = await fetchIssuerConfig2(issuerOrigin);
-  if (!config?.jwks_uri) {
-    const fallbackUrl = `${issuerOrigin}/.well-known/jwks.json`;
-    const result2 = await fetchJWKSSafe(fallbackUrl);
-    if (!result2.ok) {
-      return { error: result2 };
-    }
-    try {
-      const jwks = JSON.parse(result2.body);
-      jwksCache2.set(issuerOrigin, { jwks, expiresAt: now + CACHE_TTL_MS2 });
-      return { jwks, fromCache: false, rawBytes: result2.rawBytes };
-    } catch {
-      return {
-        error: {
-          ok: false,
-          reason: "network_error",
-          message: "Invalid JWKS JSON"
-        }
-      };
-    }
-  }
-  const result = await fetchJWKSSafe(config.jwks_uri);
+  const result = await resolveJWKS(issuerOrigin);
   if (!result.ok) {
-    return { error: result };
-  }
-  try {
-    const jwks = JSON.parse(result.body);
-    if (jwks.keys.length > VERIFIER_LIMITS.maxJwksKeys) {
-      return {
-        error: {
-          ok: false,
-          reason: "jwks_too_many_keys",
-          message: `JWKS has too many keys: ${jwks.keys.length} > ${VERIFIER_LIMITS.maxJwksKeys}`
-        }
-      };
-    }
-    jwksCache2.set(issuerOrigin, { jwks, expiresAt: now + CACHE_TTL_MS2 });
-    return { jwks, fromCache: false, rawBytes: result.rawBytes };
-  } catch {
     return {
       error: {
         ok: false,
-        reason: "network_error",
-        message: "Invalid JWKS JSON"
+        reason: result.reason ?? "network_error",
+        message: result.message,
+        blockedUrl: result.blockedUrl
       }
     };
   }
+  return {
+    jwks: result.jwks,
+    fromCache: result.fromCache,
+    rawBytes: result.rawBytes
+  };
 }
 async function verifyReceiptCore(options) {
   const {
@@ -2106,12 +2208,6 @@ async function verifyReceiptCore(options) {
     claims: parsedClaims
   };
 }
-function clearJWKSCache() {
-  jwksCache2.clear();
-}
-function getJWKSCacheSize() {
-  return jwksCache2.size;
-}
 // src/transport-profiles.ts
 function parseHeaderProfile(headerValue) {
@@ -2632,6 +2728,6 @@ async function verifyAndFetchPointer(pointerHeader, fetchOptions) {
   });
 }
-export { CHECK_IDS, DEFAULT_NETWORK_SECURITY, DEFAULT_VERIFIER_LIMITS, IssueError, NON_DETERMINISTIC_ARTIFACT_KEYS, VerificationReportBuilder, buildFailureReport, buildSuccessReport, clearJWKSCache, computeReceiptDigest, createDefaultPolicy, createDigest, createEmptyReport, createReportBuilder, fetchDiscovery, fetchIssuerConfig, fetchJWKSSafe, fetchPointerSafe, fetchPointerWithDigest, fetchPolicyManifest, getJWKSCacheSize, getPurposeHeader, getReceiptHeader, getSSRFCapabilities, isAttestationResult, isBlockedIP, isCommerceResult, issue, issueJws, parseBodyProfile, parseDiscovery, parseHeaderProfile, parseIssuerConfig, parsePointerProfile, parsePolicyManifest, parseTransportProfile, reasonCodeToErrorCode, reasonCodeToSeverity, resetSSRFCapabilitiesCache, setPurposeAppliedHeader, setPurposeReasonHeader, setReceiptHeader, setVaryHeader, setVaryPurposeHeader, ssrfErrorToReasonCode, ssrfSafeFetch, verifyAndFetchPointer, verifyLocal, verifyReceipt, verifyReceiptCore };
+export { CHECK_IDS, DEFAULT_NETWORK_SECURITY, DEFAULT_VERIFIER_LIMITS, IssueError, NON_DETERMINISTIC_ARTIFACT_KEYS, VerificationReportBuilder, buildFailureReport, buildSuccessReport, clearJWKSCache, computeReceiptDigest, createDefaultPolicy, createDigest, createEmptyReport, createReportBuilder, fetchDiscovery, fetchIssuerConfig, fetchJWKSSafe, fetchPointerSafe, fetchPointerWithDigest, fetchPolicyManifest, getJWKSCacheSize, getPurposeHeader, getReceiptHeader, getSSRFCapabilities, isAttestationResult, isBlockedIP, isCommerceResult, issue, issueJws, parseBodyProfile, parseDiscovery, parseHeaderProfile, parseIssuerConfig, parsePointerProfile, parsePolicyManifest, parseTransportProfile, reasonCodeToErrorCode, reasonCodeToSeverity, resetSSRFCapabilitiesCache, resolveJWKS, setPurposeAppliedHeader, setPurposeReasonHeader, setReceiptHeader, setVaryHeader, setVaryPurposeHeader, ssrfErrorToReasonCode, ssrfSafeFetch, verifyAndFetchPointer, verifyLocal, verifyReceipt, verifyReceiptCore };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map