@peac/protocol 0.11.2 → 0.12.0-preview.1

package/README.md

@@ -1,6 +1,6 @@
 # @peac/protocol
 
-PEAC protocol implementation - receipt issuance and verification
+PEAC protocol implementation: receipt issuance, offline verification, and JWKS resolution.
 
 ## Installation
 
@@ -8,9 +8,74 @@ PEAC protocol implementation - receipt issuance and verification
 pnpm add @peac/protocol
 ```
 
-## Documentation
+## What It Does
 
-See [peacprotocol.org](https://www.peacprotocol.org) for full documentation.
+`@peac/protocol` is Layer 3 of the PEAC stack. It provides `issue()` for signing receipts and `verifyLocal()` for offline verification with Ed25519 public keys. No network calls needed for verification.
+
+## How Do I Issue a Receipt?
+
+```typescript
+import { generateKeypair } from '@peac/crypto';
+import { issue } from '@peac/protocol';
+
+const { publicKey, privateKey } = await generateKeypair();
+
+const { jws } = await issue({
+  iss: 'https://api.example.com',
+  aud: 'https://client.example.com',
+  amt: 100,
+  cur: 'USD',
+  rail: 'stripe',
+  reference: 'pi_abc123',
+  privateKey,
+  kid: 'key-2026-02',
+});
+```
+
+## How Do I Verify a Receipt?
+
+```typescript
+import { verifyLocal } from '@peac/protocol';
+
+const result = await verifyLocal(jws, publicKey);
+
+if (result.valid && result.variant === 'commerce') {
+  console.log(result.claims.iss); // issuer
+  console.log(result.claims.amt); // amount
+  console.log(result.claims.cur); // currency
+} else if (!result.valid) {
+  console.log(result.code, result.message);
+}
+```
+
+## How Do I Verify with JWKS Discovery?
+
+```typescript
+import { verifyReceipt } from '@peac/protocol';
+
+// Resolves issuer's /.well-known/peac-issuer.json -> jwks_uri -> public key
+const result = await verifyReceipt(jws);
+
+if (result.ok) {
+  console.log('Issuer:', result.claims.iss);
+} else {
+  console.log(result.reason, result.details);
+}
+```
+
+## Integrates With
+
+- `@peac/crypto` (Layer 2): Ed25519 key generation and JWS encoding
+- `@peac/kernel` (Layer 0): Error codes and wire format constants
+- `@peac/schema` (Layer 1): Receipt claim validation
+- `@peac/mcp-server` (Layer 5): MCP tool server using protocol functions
+- `@peac/middleware-express` (Layer 3.5): Express middleware for automatic receipt issuance
+
+## Security
+
+- Verification is offline and deterministic: no network calls for `verifyLocal()`
+- Fail-closed: invalid or missing evidence always produces a verification failure
+- JWKS resolution (when used) is SSRF-hardened with HTTPS-only, private IP denial
 
 ## License
 

package/dist/discovery.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../src/discovery.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,aAAa,EAMd,MAAM,cAAc,CAAC;AAMtB;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,gBAAgB,CAsFzE;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAsCpF;AAiBD;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,kBAAkB,CAoD1F;AAkFD;;;;;;GAMG;AACH,wBAAsB,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CA+CtF;AAMD;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,aAAa,CAkD1D;AAED;;;;;GAKG;AACH,wBAAsB,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CA2B9E"}
+{"version":3,"file":"discovery.d.ts","sourceRoot":"","sources":["../src/discovery.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EAClB,aAAa,EAOd,MAAM,cAAc,CAAC;AAMtB;;;;;;GAMG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,gBAAgB,CAoGzE;AAED;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAsCpF;AAiBD;;;;;;;GAOG;AACH,wBAAgB,mBAAmB,CAAC,IAAI,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,MAAM,GAAG,kBAAkB,CAoD1F;AAkFD;;;;;;GAMG;AACH,wBAAsB,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CA+CtF;AAMD;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,MAAM,GAAG,aAAa,CAkD1D;AAED;;;;;GAKG;AACH,wBAAsB,cAAc,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CA2B9E"}

package/dist/index.cjs

@@ -179,6 +179,52 @@ async function issueJws(options) {
   const result = await issue(options);
   return result.jws;
 }
+async function issueWire02(options) {
+  if (!schema.isCanonicalIss(options.iss)) {
+    throw new IssueError({
+      code: "E_ISS_NOT_CANONICAL",
+      category: "validation",
+      severity: "error",
+      retryable: false,
+      http_status: 400,
+      details: {
+        message: `iss is not in canonical form: "${options.iss}". Use https:// origin or did: identifier.`
+      }
+    });
+  }
+  const jti = options.jti ?? uuidv7.uuidv7();
+  const iat = Math.floor(Date.now() / 1e3);
+  const claims = {
+    peac_version: "0.2",
+    kind: options.kind,
+    type: options.type,
+    iss: options.iss,
+    iat,
+    jti,
+    ...options.sub !== void 0 && { sub: options.sub },
+    ...options.pillars !== void 0 && { pillars: options.pillars },
+    ...options.occurred_at !== void 0 && { occurred_at: options.occurred_at },
+    ...options.purpose_declared !== void 0 && { purpose_declared: options.purpose_declared },
+    ...options.policy !== void 0 && { policy: options.policy },
+    ...options.extensions !== void 0 && { extensions: options.extensions }
+  };
+  const parseResult = schema.Wire02ClaimsSchema.safeParse(claims);
+  if (!parseResult.success) {
+    const firstIssue = parseResult.error.issues[0];
+    throw new IssueError({
+      code: "E_INVALID_FORMAT",
+      category: "validation",
+      severity: "error",
+      retryable: false,
+      http_status: 400,
+      details: {
+        message: `Wire 0.2 claims schema validation failed: ${firstIssue?.message ?? "unknown"}`
+      }
+    });
+  }
+  const jws = await crypto.signWire02(claims, options.privateKey, options.kid);
+  return { jws };
+}
 function parseIssuerConfig(json) {
   let config;
   if (typeof json === "string") {
@@ -238,6 +284,17 @@ function parseIssuerConfig(json) {
       throw new Error("payment_rails must be an array");
     }
   }
+  let revokedKeys;
+  if (obj.revoked_keys !== void 0) {
+    if (!Array.isArray(obj.revoked_keys)) {
+      throw new Error("revoked_keys must be an array");
+    }
+    const result = schema.validateRevokedKeys(obj.revoked_keys);
+    if (!result.ok) {
+      throw new Error(`Invalid revoked_keys: ${result.error}`);
+    }
+    revokedKeys = result.value;
+  }
   return {
     version: obj.version,
     issuer: obj.issuer,
@@ -246,7 +303,8 @@ function parseIssuerConfig(json) {
     receipt_versions: obj.receipt_versions,
     algorithms: obj.algorithms,
     payment_rails: obj.payment_rails,
-    security_contact: obj.security_contact
+    security_contact: obj.security_contact,
+    revoked_keys: revokedKeys
   };
 }
 async function fetchIssuerConfig(issuerUrl) {
@@ -933,6 +991,53 @@ async function fetchPointerSafe(pointerUrl, options) {
 var DEFAULT_CACHE_TTL_MS = 5 * 60 * 1e3;
 var DEFAULT_MAX_CACHE_ENTRIES = 1e3;
 var jwksCache = /* @__PURE__ */ new Map();
+var KID_RETENTION_MS = 30 * 24 * 60 * 60 * 1e3;
+var MAX_KID_THUMBPRINT_ENTRIES = 1e4;
+var kidThumbprints = /* @__PURE__ */ new Map();
+function pruneExpiredKidEntries(now) {
+  for (const [key, entry] of kidThumbprints) {
+    if (now - entry.firstSeen >= KID_RETENTION_MS) {
+      kidThumbprints.delete(key);
+    }
+  }
+}
+function evictOldestKidEntries() {
+  if (kidThumbprints.size <= MAX_KID_THUMBPRINT_ENTRIES) return;
+  const entries = Array.from(kidThumbprints.entries()).sort(
+    (a, b) => a[1].firstSeen - b[1].firstSeen
+  );
+  const toRemove = kidThumbprints.size - MAX_KID_THUMBPRINT_ENTRIES;
+  for (let i = 0; i < toRemove; i++) {
+    kidThumbprints.delete(entries[i][0]);
+  }
+}
+function checkKidReuse(issuer, jwks, now) {
+  pruneExpiredKidEntries(now);
+  for (const key of jwks.keys) {
+    if (!key.kid || !key.x) continue;
+    const mapKey = `${issuer}|${key.kid}`;
+    const existing = kidThumbprints.get(mapKey);
+    if (existing) {
+      if (now - existing.firstSeen < KID_RETENTION_MS) {
+        if (existing.thumbprint !== key.x) {
+          return `Kid reuse detected: kid=${key.kid} for issuer ${issuer} maps to different key material`;
+        }
+      } else {
+        kidThumbprints.set(mapKey, { thumbprint: key.x, firstSeen: now });
+      }
+    } else {
+      kidThumbprints.set(mapKey, { thumbprint: key.x, firstSeen: now });
+    }
+  }
+  evictOldestKidEntries();
+  return null;
+}
+function clearKidThumbprints() {
+  kidThumbprints.clear();
+}
+function getKidThumbprintSize() {
+  return kidThumbprints.size;
+}
 function cacheGet(key, now) {
   const entry = jwksCache.get(key);
   if (!entry) return void 0;
@@ -1021,7 +1126,7 @@ async function resolveJWKS(issuerUrl, options) {
   if (!noCache) {
     const cached = cacheGet(normalizedIssuer, now);
     if (cached) {
-      return { ok: true, jwks: cached.jwks, fromCache: true };
+      return { ok: true, jwks: cached.jwks, fromCache: true, revokedKeys: cached.revokedKeys };
     }
   }
   if (!normalizedIssuer.startsWith("https://")) {
@@ -1116,14 +1221,28 @@ async function resolveJWKS(issuerUrl, options) {
       message: `JWKS has too many keys: ${jwks.keys.length} > ${kernel.VERIFIER_LIMITS.maxJwksKeys}`
     };
   }
+  const kidReuseError = checkKidReuse(normalizedIssuer, jwks, now);
+  if (kidReuseError) {
+    return {
+      ok: false,
+      code: "E_KID_REUSE_DETECTED",
+      message: kidReuseError
+    };
+  }
+  const revokedKeys = issuerConfig.revoked_keys?.map((entry) => ({
+    kid: entry.kid,
+    revoked_at: entry.revoked_at,
+    reason: entry.reason
+  }));
   if (!noCache) {
-    cacheSet(normalizedIssuer, { jwks, expiresAt: now + cacheTtlMs }, maxCacheEntries);
+    cacheSet(normalizedIssuer, { jwks, expiresAt: now + cacheTtlMs, revokedKeys }, maxCacheEntries);
   }
   return {
     ok: true,
     jwks,
     fromCache: false,
-    rawBytes: jwksResult.rawBytes
+    rawBytes: jwksResult.rawBytes,
+    revokedKeys
   };
 }
 
@@ -1184,6 +1303,25 @@ async function verifyReceipt(optionsOrJws) {
     if (!jwksResult.fromCache) {
       jwksFetchTime = performance.now() - jwksFetchStart;
     }
+    if (jwksResult.revokedKeys) {
+      const revokedEntry = jwksResult.revokedKeys.find((rk) => rk.kid === header.kid);
+      if (revokedEntry) {
+        const durationMs = performance.now() - startTime;
+        fireTelemetryHook(telemetry?.onReceiptVerified, {
+          receiptHash: hashReceipt(receiptJws),
+          valid: false,
+          reasonCode: "key_revoked",
+          issuer: payload.iss,
+          kid: header.kid,
+          durationMs
+        });
+        return {
+          ok: false,
+          reason: "key_revoked",
+          details: `Key kid=${header.kid} was revoked at ${revokedEntry.revoked_at}${revokedEntry.reason ? ` (reason: ${revokedEntry.reason})` : ""}`
+        };
+      }
+    }
     const jwk = jwksResult.jwks.keys.find((k) => k.kid === header.kid);
     if (!jwk) {
       const durationMs = performance.now() - startTime;
@@ -1261,6 +1399,13 @@ var FORMAT_ERROR_CODES = /* @__PURE__ */ new Set([
   "CRYPTO_INVALID_ALG",
   "CRYPTO_INVALID_KEY_LENGTH"
 ]);
+var JOSE_CODE_MAP = {
+  CRYPTO_JWS_EMBEDDED_KEY: "E_JWS_EMBEDDED_KEY",
+  CRYPTO_JWS_CRIT_REJECTED: "E_JWS_CRIT_REJECTED",
+  CRYPTO_JWS_MISSING_KID: "E_JWS_MISSING_KID",
+  CRYPTO_JWS_B64_REJECTED: "E_JWS_B64_REJECTED",
+  CRYPTO_JWS_ZIP_REJECTED: "E_JWS_ZIP_REJECTED"
+};
 var MAX_PARSE_ISSUES = 25;
 function sanitizeParseIssues(issues) {
   if (!Array.isArray(issues)) return void 0;
@@ -1270,7 +1415,16 @@ function sanitizeParseIssues(issues) {
   }));
 }
 async function verifyLocal(jws, publicKey, options = {}) {
-  const { issuer, audience, subjectUri, rid, requireExp = false, maxClockSkew = 300 } = options;
+  const {
+    issuer,
+    audience,
+    subjectUri,
+    rid,
+    requireExp = false,
+    maxClockSkew = 300,
+    strictness = "strict",
+    policyDigest
+  } = options;
   const now = options.now ?? Math.floor(Date.now() / 1e3);
   try {
     const result = await crypto.verify(jws, publicKey);
@@ -1281,6 +1435,20 @@ async function verifyLocal(jws, publicKey, options = {}) {
         message: "Ed25519 signature verification failed"
       };
     }
+    const accumulatedWarnings = [];
+    if (result.header.typ === void 0) {
+      if (strictness === "strict") {
+        return {
+          valid: false,
+          code: "E_INVALID_FORMAT",
+          message: "Missing JWS typ header: strict mode requires typ to be present"
+        };
+      }
+      accumulatedWarnings.push({
+        code: schema.WARNING_TYP_MISSING,
+        message: "JWS typ header is absent; accepted in interop mode"
+      });
+    }
     const constraintResult = schema.validateKernelConstraints(result.payload);
     if (!constraintResult.valid) {
       const v = constraintResult.violations[0];
@@ -1299,46 +1467,136 @@ async function verifyLocal(jws, publicKey, options = {}) {
         details: { parse_code: pr.error.code, issues: sanitizeParseIssues(pr.error.issues) }
       };
     }
-    if (issuer !== void 0 && pr.claims.iss !== issuer) {
+    if (pr.wireVersion === "0.2") {
+      accumulatedWarnings.push(...pr.warnings);
+    }
+    if (pr.wireVersion === "0.2") {
+      const claims = pr.claims;
+      if (issuer !== void 0 && claims.iss !== issuer) {
+        return {
+          valid: false,
+          code: "E_INVALID_ISSUER",
+          message: `Issuer mismatch: expected "${issuer}", got "${claims.iss}"`
+        };
+      }
+      if (subjectUri !== void 0 && claims.sub !== subjectUri) {
+        return {
+          valid: false,
+          code: "E_INVALID_SUBJECT",
+          message: `Subject mismatch: expected "${subjectUri}", got "${claims.sub ?? "undefined"}"`
+        };
+      }
+      if (claims.iat > now + maxClockSkew) {
+        return {
+          valid: false,
+          code: "E_NOT_YET_VALID",
+          message: `Receipt not yet valid: issued at ${new Date(claims.iat * 1e3).toISOString()}, now is ${new Date(now * 1e3).toISOString()}`
+        };
+      }
+      if (claims.kind === "evidence") {
+        const skewResult = schema.checkOccurredAtSkew(claims.occurred_at, claims.iat, now, maxClockSkew);
+        if (skewResult === "future_error") {
+          return {
+            valid: false,
+            code: "E_OCCURRED_AT_FUTURE",
+            message: `occurred_at is in the future beyond tolerance (${maxClockSkew}s)`
+          };
+        }
+        if (skewResult !== null) {
+          accumulatedWarnings.push(skewResult);
+        }
+      }
+      if (!schema.REGISTERED_RECEIPT_TYPES.has(claims.type)) {
+        accumulatedWarnings.push({
+          code: schema.WARNING_TYPE_UNREGISTERED,
+          message: "Receipt type is not in the recommended type registry",
+          pointer: "/type"
+        });
+      }
+      if (claims.extensions !== void 0) {
+        for (const key of Object.keys(claims.extensions)) {
+          if (!schema.REGISTERED_EXTENSION_GROUP_KEYS.has(key) && schema.isValidExtensionKey(key)) {
+            const escapedKey = key.replace(/~/g, "~0").replace(/\//g, "~1");
+            accumulatedWarnings.push({
+              code: schema.WARNING_UNKNOWN_EXTENSION,
+              message: "Unknown extension key preserved without schema validation",
+              pointer: `/extensions/${escapedKey}`
+            });
+          }
+        }
+      }
+      if (policyDigest !== void 0 && !kernel.HASH.pattern.test(policyDigest)) {
+        return {
+          valid: false,
+          code: "E_INVALID_FORMAT",
+          message: "policyDigest option must be in sha256:<64 lowercase hex> format"
+        };
+      }
+      const receiptPolicyDigest = claims.policy?.digest;
+      const bindingStatus = receiptPolicyDigest === void 0 || policyDigest === void 0 ? "unavailable" : schema.verifyPolicyBinding(receiptPolicyDigest, policyDigest);
+      if (bindingStatus === "failed") {
+        return {
+          valid: false,
+          code: "E_POLICY_BINDING_FAILED",
+          message: "Policy binding check failed: receipt policy digest does not match local policy",
+          details: {
+            receipt_policy_digest: receiptPolicyDigest,
+            local_policy_digest: policyDigest,
+            ...claims.policy?.uri !== void 0 && { policy_uri: claims.policy.uri }
+          }
+        };
+      }
+      return {
+        valid: true,
+        variant: "wire-02",
+        claims,
+        kid: result.header.kid,
+        wireVersion: "0.2",
+        warnings: schema.sortWarnings(accumulatedWarnings),
+        policy_binding: bindingStatus
+      };
+    }
+    const w01 = pr.claims;
+    if (issuer !== void 0 && w01.iss !== issuer) {
       return {
         valid: false,
         code: "E_INVALID_ISSUER",
-        message: `Issuer mismatch: expected "${issuer}", got "${pr.claims.iss}"`
+        message: `Issuer mismatch: expected "${issuer}", got "${w01.iss}"`
       };
     }
-    if (audience !== void 0 && pr.claims.aud !== audience) {
+    if (audience !== void 0 && w01.aud !== audience) {
       return {
         valid: false,
         code: "E_INVALID_AUDIENCE",
-        message: `Audience mismatch: expected "${audience}", got "${pr.claims.aud}"`
+        message: `Audience mismatch: expected "${audience}", got "${w01.aud}"`
       };
     }
-    if (rid !== void 0 && pr.claims.rid !== rid) {
+    if (rid !== void 0 && w01.rid !== rid) {
       return {
         valid: false,
         code: "E_INVALID_RECEIPT_ID",
-        message: `Receipt ID mismatch: expected "${rid}", got "${pr.claims.rid}"`
+        message: `Receipt ID mismatch: expected "${rid}", got "${w01.rid}"`
       };
     }
-    if (requireExp && pr.claims.exp === void 0) {
+    if (requireExp && w01.exp === void 0) {
       return {
         valid: false,
         code: "E_MISSING_EXP",
         message: "Receipt missing required exp claim"
       };
     }
-    if (pr.claims.iat > now + maxClockSkew) {
+    if (w01.iat > now + maxClockSkew) {
       return {
         valid: false,
         code: "E_NOT_YET_VALID",
-        message: `Receipt not yet valid: issued at ${new Date(pr.claims.iat * 1e3).toISOString()}, now is ${new Date(now * 1e3).toISOString()}`
+        message: `Receipt not yet valid: issued at ${new Date(w01.iat * 1e3).toISOString()}, now is ${new Date(now * 1e3).toISOString()}`
       };
     }
-    if (pr.claims.exp !== void 0 && pr.claims.exp < now - maxClockSkew) {
+    if (w01.exp !== void 0 && w01.exp < now - maxClockSkew) {
       return {
         valid: false,
         code: "E_EXPIRED",
-        message: `Receipt expired at ${new Date(pr.claims.exp * 1e3).toISOString()}`
+        message: `Receipt expired at ${new Date(w01.exp * 1e3).toISOString()}`
       };
     }
     if (pr.variant === "commerce") {
@@ -1355,6 +1613,8 @@ async function verifyLocal(jws, publicKey, options = {}) {
         variant: "commerce",
         claims,
         kid: result.header.kid,
+        wireVersion: "0.1",
+        warnings: [],
         policy_binding: "unavailable"
       };
     } else {
@@ -1371,11 +1631,20 @@ async function verifyLocal(jws, publicKey, options = {}) {
         variant: "attestation",
         claims,
         kid: result.header.kid,
+        wireVersion: "0.1",
+        warnings: [],
         policy_binding: "unavailable"
       };
     }
   } catch (err) {
     if (isCryptoError(err)) {
+      if (Object.prototype.hasOwnProperty.call(JOSE_CODE_MAP, err.code)) {
+        return {
+          valid: false,
+          code: JOSE_CODE_MAP[err.code],
+          message: err.message
+        };
+      }
       if (FORMAT_ERROR_CODES.has(err.code)) {
         return {
           valid: false,
@@ -1390,6 +1659,13 @@ async function verifyLocal(jws, publicKey, options = {}) {
           message: err.message
         };
       }
+      if (err.code === "CRYPTO_WIRE_VERSION_MISMATCH") {
+        return {
+          valid: false,
+          code: "E_WIRE_VERSION_MISMATCH",
+          message: err.message
+        };
+      }
     }
     if (err !== null && typeof err === "object" && "name" in err && err.name === "SyntaxError") {
       const syntaxMessage = "message" in err && typeof err.message === "string" ? err.message : "Invalid JSON";
@@ -1413,6 +1689,9 @@ function isCommerceResult(r) {
 function isAttestationResult(r) {
   return r.valid === true && r.variant === "attestation";
 }
+function isWire02Result(r) {
+  return r.valid === true && r.variant === "wire-02";
+}
 function setReceiptHeader(headers, receiptJws) {
   headers.set(schema.PEAC_RECEIPT_HEADER, receiptJws);
 }
@@ -1454,6 +1733,16 @@ function setVaryPurposeHeader(headers) {
     headers.set("Vary", schema.PEAC_PURPOSE_HEADER);
   }
 }
+async function computePolicyDigestJcs(policy) {
+  const hex = await crypto.jcsHash(policy);
+  return `${kernel.HASH.prefix}${hex}`;
+}
+function checkPolicyBinding(receiptDigest, localDigest) {
+  if (receiptDigest === void 0 || localDigest === void 0) {
+    return "unavailable";
+  }
+  return schema.verifyPolicyBinding(receiptDigest, localDigest);
+}
 var DEFAULT_VERIFIER_LIMITS = {
   max_receipt_bytes: kernel.VERIFIER_LIMITS.maxReceiptBytes,
   max_jwks_bytes: kernel.VERIFIER_LIMITS.maxJwksBytes,
@@ -2769,7 +3058,10 @@ exports.NON_DETERMINISTIC_ARTIFACT_KEYS = NON_DETERMINISTIC_ARTIFACT_KEYS;
 exports.VerificationReportBuilder = VerificationReportBuilder;
 exports.buildFailureReport = buildFailureReport;
 exports.buildSuccessReport = buildSuccessReport;
+exports.checkPolicyBinding = checkPolicyBinding;
 exports.clearJWKSCache = clearJWKSCache;
+exports.clearKidThumbprints = clearKidThumbprints;
+exports.computePolicyDigestJcs = computePolicyDigestJcs;
 exports.computeReceiptDigest = computeReceiptDigest;
 exports.createDefaultPolicy = createDefaultPolicy;
 exports.createDigest = createDigest;
@@ -2782,14 +3074,17 @@ exports.fetchPointerSafe = fetchPointerSafe;
 exports.fetchPointerWithDigest = fetchPointerWithDigest;
 exports.fetchPolicyManifest = fetchPolicyManifest;
 exports.getJWKSCacheSize = getJWKSCacheSize;
+exports.getKidThumbprintSize = getKidThumbprintSize;
 exports.getPurposeHeader = getPurposeHeader;
 exports.getReceiptHeader = getReceiptHeader;
 exports.getSSRFCapabilities = getSSRFCapabilities;
 exports.isAttestationResult = isAttestationResult;
 exports.isBlockedIP = isBlockedIP;
 exports.isCommerceResult = isCommerceResult;
+exports.isWire02Result = isWire02Result;
 exports.issue = issue;
 exports.issueJws = issueJws;
+exports.issueWire02 = issueWire02;
 exports.parseBodyProfile = parseBodyProfile;
 exports.parseDiscovery = parseDiscovery;
 exports.parseHeaderProfile = parseHeaderProfile;