npm - @peac/protocol - Versions diffs - 0.11.2 → 0.12.0-preview.1 - Mend

@peac/protocol 0.11.2 → 0.12.0-preview.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/README.md +68 -3
package/dist/discovery.d.ts.map +1 -1
package/dist/index.cjs +311 -16
package/dist/index.cjs.map +1 -1
package/dist/index.d.ts +1 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.mjs +309 -20
package/dist/index.mjs.map +1 -1
package/dist/issue.d.ts +60 -1
package/dist/issue.d.ts.map +1 -1
package/dist/jwks-resolver.d.ts +20 -0
package/dist/jwks-resolver.d.ts.map +1 -1
package/dist/policy-binding.d.ts +55 -0
package/dist/policy-binding.d.ts.map +1 -0
package/dist/verify-local.cjs +155 -12
package/dist/verify-local.cjs.map +1 -1
package/dist/verify-local.d.ts +94 -21
package/dist/verify-local.d.ts.map +1 -1
package/dist/verify-local.mjs +156 -14
package/dist/verify-local.mjs.map +1 -1
package/dist/verify.d.ts.map +1 -1
package/package.json +4 -4

package/dist/index.d.ts CHANGED Viewed

@@ -8,6 +8,7 @@ export * from './verify-local';
 export * from './headers';
 export * from './discovery';
 export * from './jwks-resolver';
+export { computePolicyDigestJcs, checkPolicyBinding } from './policy-binding';
 export * from './verifier-types';
 export * from './verifier-core';
 export * from './verification-report';

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC;AACzB,cAAc,gBAAgB,CAAC;AAC/B,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC;AAC5B,cAAc,iBAAiB,CAAC;AAGhC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAChC,cAAc,uBAAuB,CAAC;AACtC,cAAc,mBAAmB,CAAC;AAClC,cAAc,sBAAsB,CAAC;AACrC,cAAc,iBAAiB,CAAC;AAGhC,OAAO,EACL,eAAe,EACf,eAAe,EACf,oBAAoB,EACpB,eAAe,EACf,mBAAmB,EACnB,WAAW,EACX,SAAS,EACT,MAAM,GACP,MAAM,cAAc,CAAC"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC;AACzB,cAAc,gBAAgB,CAAC;AAC/B,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC;AAC5B,cAAc,iBAAiB,CAAC;AAGhC,OAAO,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAG9E,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAChC,cAAc,uBAAuB,CAAC;AACtC,cAAc,mBAAmB,CAAC;AAClC,cAAc,sBAAsB,CAAC;AACrC,cAAc,iBAAiB,CAAC;AAGhC,OAAO,EACL,eAAe,EACf,eAAe,EACf,oBAAoB,EACpB,eAAe,EACf,mBAAmB,EACnB,WAAW,EACX,SAAS,EACT,MAAM,GACP,MAAM,cAAc,CAAC"}

package/dist/index.mjs CHANGED Viewed

@@ -1,10 +1,10 @@
 import { uuidv7 } from 'uuidv7';
-import { sign, decode, verify, sha256Hex, computeJwkThumbprint, jwkToPublicKeyBytes, base64urlDecode } from '@peac/crypto';
+import { sign, signWire02, decode, verify, jcsHash, sha256Hex, computeJwkThumbprint, jwkToPublicKeyBytes, base64urlDecode } from '@peac/crypto';
 export { base64urlDecode, base64urlEncode, computeJwkThumbprint, generateKeypair, jwkToPublicKeyBytes, sha256Bytes, sha256Hex, verify } from '@peac/crypto';
 import { ZodError } from 'zod';
-import { isValidPurposeToken, isCanonicalPurpose, isValidPurposeReason, isValidWorkflowContext, createWorkflowContextInvalidError, hasValidDagSemantics, createWorkflowDagInvalidError, WORKFLOW_EXTENSION_KEY, validateKernelConstraints, createConstraintViolationError, ReceiptClaims, createEvidenceNotJsonError, validateSubjectSnapshot, PEAC_ISSUER_CONFIG_MAX_BYTES, PEAC_ISSUER_CONFIG_PATH, PEAC_POLICY_MAX_BYTES, PEAC_POLICY_PATH, PEAC_POLICY_FALLBACK_PATH, parseReceiptClaims, PEAC_RECEIPT_HEADER, PEAC_PURPOSE_HEADER, parsePurposeHeader, PEAC_PURPOSE_APPLIED_HEADER, PEAC_PURPOSE_REASON_HEADER } from '@peac/schema';
+import { isValidPurposeToken, isCanonicalPurpose, isValidPurposeReason, isValidWorkflowContext, createWorkflowContextInvalidError, hasValidDagSemantics, createWorkflowDagInvalidError, WORKFLOW_EXTENSION_KEY, validateKernelConstraints, createConstraintViolationError, ReceiptClaims, createEvidenceNotJsonError, validateSubjectSnapshot, isCanonicalIss, Wire02ClaimsSchema, PEAC_ISSUER_CONFIG_MAX_BYTES, validateRevokedKeys, PEAC_ISSUER_CONFIG_PATH, PEAC_POLICY_MAX_BYTES, PEAC_POLICY_PATH, PEAC_POLICY_FALLBACK_PATH, WARNING_TYP_MISSING, parseReceiptClaims, checkOccurredAtSkew, REGISTERED_RECEIPT_TYPES, WARNING_TYPE_UNREGISTERED, REGISTERED_EXTENSION_GROUP_KEYS, isValidExtensionKey, WARNING_UNKNOWN_EXTENSION, verifyPolicyBinding, sortWarnings, PEAC_RECEIPT_HEADER, PEAC_PURPOSE_HEADER, parsePurposeHeader, PEAC_PURPOSE_APPLIED_HEADER, PEAC_PURPOSE_REASON_HEADER } from '@peac/schema';
 import { createHash } from 'crypto';
-import { VERIFIER_LIMITS, VERIFIER_NETWORK, VERIFIER_POLICY_VERSION, VERIFICATION_REPORT_VERSION, WIRE_TYPE } from '@peac/kernel';
+import { VERIFIER_LIMITS, VERIFIER_NETWORK, HASH, VERIFIER_POLICY_VERSION, VERIFICATION_REPORT_VERSION, WIRE_TYPE } from '@peac/kernel';
 // src/issue.ts
 function fireTelemetryHook(fn, input) {
@@ -178,6 +178,52 @@ async function issueJws(options) {
   const result = await issue(options);
   return result.jws;
 }
+async function issueWire02(options) {
+  if (!isCanonicalIss(options.iss)) {
+    throw new IssueError({
+      code: "E_ISS_NOT_CANONICAL",
+      category: "validation",
+      severity: "error",
+      retryable: false,
+      http_status: 400,
+      details: {
+        message: `iss is not in canonical form: "${options.iss}". Use https:// origin or did: identifier.`
+      }
+    });
+  }
+  const jti = options.jti ?? uuidv7();
+  const iat = Math.floor(Date.now() / 1e3);
+  const claims = {
+    peac_version: "0.2",
+    kind: options.kind,
+    type: options.type,
+    iss: options.iss,
+    iat,
+    jti,
+    ...options.sub !== void 0 && { sub: options.sub },
+    ...options.pillars !== void 0 && { pillars: options.pillars },
+    ...options.occurred_at !== void 0 && { occurred_at: options.occurred_at },
+    ...options.purpose_declared !== void 0 && { purpose_declared: options.purpose_declared },
+    ...options.policy !== void 0 && { policy: options.policy },
+    ...options.extensions !== void 0 && { extensions: options.extensions }
+  };
+  const parseResult = Wire02ClaimsSchema.safeParse(claims);
+  if (!parseResult.success) {
+    const firstIssue = parseResult.error.issues[0];
+    throw new IssueError({
+      code: "E_INVALID_FORMAT",
+      category: "validation",
+      severity: "error",
+      retryable: false,
+      http_status: 400,
+      details: {
+        message: `Wire 0.2 claims schema validation failed: ${firstIssue?.message ?? "unknown"}`
+      }
+    });
+  }
+  const jws = await signWire02(claims, options.privateKey, options.kid);
+  return { jws };
+}
 function parseIssuerConfig(json) {
   let config;
   if (typeof json === "string") {
@@ -237,6 +283,17 @@ function parseIssuerConfig(json) {
       throw new Error("payment_rails must be an array");
     }
   }
+  let revokedKeys;
+  if (obj.revoked_keys !== void 0) {
+    if (!Array.isArray(obj.revoked_keys)) {
+      throw new Error("revoked_keys must be an array");
+    }
+    const result = validateRevokedKeys(obj.revoked_keys);
+    if (!result.ok) {
+      throw new Error(`Invalid revoked_keys: ${result.error}`);
+    }
+    revokedKeys = result.value;
+  }
   return {
     version: obj.version,
     issuer: obj.issuer,
@@ -245,7 +302,8 @@ function parseIssuerConfig(json) {
     receipt_versions: obj.receipt_versions,
     algorithms: obj.algorithms,
     payment_rails: obj.payment_rails,
-    security_contact: obj.security_contact
+    security_contact: obj.security_contact,
+    revoked_keys: revokedKeys
   };
 }
 async function fetchIssuerConfig(issuerUrl) {
@@ -932,6 +990,53 @@ async function fetchPointerSafe(pointerUrl, options) {
 var DEFAULT_CACHE_TTL_MS = 5 * 60 * 1e3;
 var DEFAULT_MAX_CACHE_ENTRIES = 1e3;
 var jwksCache = /* @__PURE__ */ new Map();
+var KID_RETENTION_MS = 30 * 24 * 60 * 60 * 1e3;
+var MAX_KID_THUMBPRINT_ENTRIES = 1e4;
+var kidThumbprints = /* @__PURE__ */ new Map();
+function pruneExpiredKidEntries(now) {
+  for (const [key, entry] of kidThumbprints) {
+    if (now - entry.firstSeen >= KID_RETENTION_MS) {
+      kidThumbprints.delete(key);
+    }
+  }
+}
+function evictOldestKidEntries() {
+  if (kidThumbprints.size <= MAX_KID_THUMBPRINT_ENTRIES) return;
+  const entries = Array.from(kidThumbprints.entries()).sort(
+    (a, b) => a[1].firstSeen - b[1].firstSeen
+  );
+  const toRemove = kidThumbprints.size - MAX_KID_THUMBPRINT_ENTRIES;
+  for (let i = 0; i < toRemove; i++) {
+    kidThumbprints.delete(entries[i][0]);
+  }
+}
+function checkKidReuse(issuer, jwks, now) {
+  pruneExpiredKidEntries(now);
+  for (const key of jwks.keys) {
+    if (!key.kid || !key.x) continue;
+    const mapKey = `${issuer}|${key.kid}`;
+    const existing = kidThumbprints.get(mapKey);
+    if (existing) {
+      if (now - existing.firstSeen < KID_RETENTION_MS) {
+        if (existing.thumbprint !== key.x) {
+          return `Kid reuse detected: kid=${key.kid} for issuer ${issuer} maps to different key material`;
+        }
+      } else {
+        kidThumbprints.set(mapKey, { thumbprint: key.x, firstSeen: now });
+      }
+    } else {
+      kidThumbprints.set(mapKey, { thumbprint: key.x, firstSeen: now });
+    }
+  }
+  evictOldestKidEntries();
+  return null;
+}
+function clearKidThumbprints() {
+  kidThumbprints.clear();
+}
+function getKidThumbprintSize() {
+  return kidThumbprints.size;
+}
 function cacheGet(key, now) {
   const entry = jwksCache.get(key);
   if (!entry) return void 0;
@@ -1020,7 +1125,7 @@ async function resolveJWKS(issuerUrl, options) {
   if (!noCache) {
     const cached = cacheGet(normalizedIssuer, now);
     if (cached) {
-      return { ok: true, jwks: cached.jwks, fromCache: true };
+      return { ok: true, jwks: cached.jwks, fromCache: true, revokedKeys: cached.revokedKeys };
     }
   }
   if (!normalizedIssuer.startsWith("https://")) {
@@ -1115,14 +1220,28 @@ async function resolveJWKS(issuerUrl, options) {
       message: `JWKS has too many keys: ${jwks.keys.length} > ${VERIFIER_LIMITS.maxJwksKeys}`
     };
   }
+  const kidReuseError = checkKidReuse(normalizedIssuer, jwks, now);
+  if (kidReuseError) {
+    return {
+      ok: false,
+      code: "E_KID_REUSE_DETECTED",
+      message: kidReuseError
+    };
+  }
+  const revokedKeys = issuerConfig.revoked_keys?.map((entry) => ({
+    kid: entry.kid,
+    revoked_at: entry.revoked_at,
+    reason: entry.reason
+  }));
   if (!noCache) {
-    cacheSet(normalizedIssuer, { jwks, expiresAt: now + cacheTtlMs }, maxCacheEntries);
+    cacheSet(normalizedIssuer, { jwks, expiresAt: now + cacheTtlMs, revokedKeys }, maxCacheEntries);
   }
   return {
     ok: true,
     jwks,
     fromCache: false,
-    rawBytes: jwksResult.rawBytes
+    rawBytes: jwksResult.rawBytes,
+    revokedKeys
   };
 }
@@ -1183,6 +1302,25 @@ async function verifyReceipt(optionsOrJws) {
     if (!jwksResult.fromCache) {
       jwksFetchTime = performance.now() - jwksFetchStart;
     }
+    if (jwksResult.revokedKeys) {
+      const revokedEntry = jwksResult.revokedKeys.find((rk) => rk.kid === header.kid);
+      if (revokedEntry) {
+        const durationMs = performance.now() - startTime;
+        fireTelemetryHook(telemetry?.onReceiptVerified, {
+          receiptHash: hashReceipt(receiptJws),
+          valid: false,
+          reasonCode: "key_revoked",
+          issuer: payload.iss,
+          kid: header.kid,
+          durationMs
+        });
+        return {
+          ok: false,
+          reason: "key_revoked",
+          details: `Key kid=${header.kid} was revoked at ${revokedEntry.revoked_at}${revokedEntry.reason ? ` (reason: ${revokedEntry.reason})` : ""}`
+        };
+      }
+    }
     const jwk = jwksResult.jwks.keys.find((k) => k.kid === header.kid);
     if (!jwk) {
       const durationMs = performance.now() - startTime;
@@ -1260,6 +1398,13 @@ var FORMAT_ERROR_CODES = /* @__PURE__ */ new Set([
   "CRYPTO_INVALID_ALG",
   "CRYPTO_INVALID_KEY_LENGTH"
 ]);
+var JOSE_CODE_MAP = {
+  CRYPTO_JWS_EMBEDDED_KEY: "E_JWS_EMBEDDED_KEY",
+  CRYPTO_JWS_CRIT_REJECTED: "E_JWS_CRIT_REJECTED",
+  CRYPTO_JWS_MISSING_KID: "E_JWS_MISSING_KID",
+  CRYPTO_JWS_B64_REJECTED: "E_JWS_B64_REJECTED",
+  CRYPTO_JWS_ZIP_REJECTED: "E_JWS_ZIP_REJECTED"
+};
 var MAX_PARSE_ISSUES = 25;
 function sanitizeParseIssues(issues) {
   if (!Array.isArray(issues)) return void 0;
@@ -1269,7 +1414,16 @@ function sanitizeParseIssues(issues) {
   }));
 }
 async function verifyLocal(jws, publicKey, options = {}) {
-  const { issuer, audience, subjectUri, rid, requireExp = false, maxClockSkew = 300 } = options;
+  const {
+    issuer,
+    audience,
+    subjectUri,
+    rid,
+    requireExp = false,
+    maxClockSkew = 300,
+    strictness = "strict",
+    policyDigest
+  } = options;
   const now = options.now ?? Math.floor(Date.now() / 1e3);
   try {
     const result = await verify(jws, publicKey);
@@ -1280,6 +1434,20 @@ async function verifyLocal(jws, publicKey, options = {}) {
         message: "Ed25519 signature verification failed"
       };
     }
+    const accumulatedWarnings = [];
+    if (result.header.typ === void 0) {
+      if (strictness === "strict") {
+        return {
+          valid: false,
+          code: "E_INVALID_FORMAT",
+          message: "Missing JWS typ header: strict mode requires typ to be present"
+        };
+      }
+      accumulatedWarnings.push({
+        code: WARNING_TYP_MISSING,
+        message: "JWS typ header is absent; accepted in interop mode"
+      });
+    }
     const constraintResult = validateKernelConstraints(result.payload);
     if (!constraintResult.valid) {
       const v = constraintResult.violations[0];
@@ -1298,46 +1466,136 @@ async function verifyLocal(jws, publicKey, options = {}) {
         details: { parse_code: pr.error.code, issues: sanitizeParseIssues(pr.error.issues) }
       };
     }
-    if (issuer !== void 0 && pr.claims.iss !== issuer) {
+    if (pr.wireVersion === "0.2") {
+      accumulatedWarnings.push(...pr.warnings);
+    }
+    if (pr.wireVersion === "0.2") {
+      const claims = pr.claims;
+      if (issuer !== void 0 && claims.iss !== issuer) {
+        return {
+          valid: false,
+          code: "E_INVALID_ISSUER",
+          message: `Issuer mismatch: expected "${issuer}", got "${claims.iss}"`
+        };
+      }
+      if (subjectUri !== void 0 && claims.sub !== subjectUri) {
+        return {
+          valid: false,
+          code: "E_INVALID_SUBJECT",
+          message: `Subject mismatch: expected "${subjectUri}", got "${claims.sub ?? "undefined"}"`
+        };
+      }
+      if (claims.iat > now + maxClockSkew) {
+        return {
+          valid: false,
+          code: "E_NOT_YET_VALID",
+          message: `Receipt not yet valid: issued at ${new Date(claims.iat * 1e3).toISOString()}, now is ${new Date(now * 1e3).toISOString()}`
+        };
+      }
+      if (claims.kind === "evidence") {
+        const skewResult = checkOccurredAtSkew(claims.occurred_at, claims.iat, now, maxClockSkew);
+        if (skewResult === "future_error") {
+          return {
+            valid: false,
+            code: "E_OCCURRED_AT_FUTURE",
+            message: `occurred_at is in the future beyond tolerance (${maxClockSkew}s)`
+          };
+        }
+        if (skewResult !== null) {
+          accumulatedWarnings.push(skewResult);
+        }
+      }
+      if (!REGISTERED_RECEIPT_TYPES.has(claims.type)) {
+        accumulatedWarnings.push({
+          code: WARNING_TYPE_UNREGISTERED,
+          message: "Receipt type is not in the recommended type registry",
+          pointer: "/type"
+        });
+      }
+      if (claims.extensions !== void 0) {
+        for (const key of Object.keys(claims.extensions)) {
+          if (!REGISTERED_EXTENSION_GROUP_KEYS.has(key) && isValidExtensionKey(key)) {
+            const escapedKey = key.replace(/~/g, "~0").replace(/\//g, "~1");
+            accumulatedWarnings.push({
+              code: WARNING_UNKNOWN_EXTENSION,
+              message: "Unknown extension key preserved without schema validation",
+              pointer: `/extensions/${escapedKey}`
+            });
+          }
+        }
+      }
+      if (policyDigest !== void 0 && !HASH.pattern.test(policyDigest)) {
+        return {
+          valid: false,
+          code: "E_INVALID_FORMAT",
+          message: "policyDigest option must be in sha256:<64 lowercase hex> format"
+        };
+      }
+      const receiptPolicyDigest = claims.policy?.digest;
+      const bindingStatus = receiptPolicyDigest === void 0 || policyDigest === void 0 ? "unavailable" : verifyPolicyBinding(receiptPolicyDigest, policyDigest);
+      if (bindingStatus === "failed") {
+        return {
+          valid: false,
+          code: "E_POLICY_BINDING_FAILED",
+          message: "Policy binding check failed: receipt policy digest does not match local policy",
+          details: {
+            receipt_policy_digest: receiptPolicyDigest,
+            local_policy_digest: policyDigest,
+            ...claims.policy?.uri !== void 0 && { policy_uri: claims.policy.uri }
+          }
+        };
+      }
+      return {
+        valid: true,
+        variant: "wire-02",
+        claims,
+        kid: result.header.kid,
+        wireVersion: "0.2",
+        warnings: sortWarnings(accumulatedWarnings),
+        policy_binding: bindingStatus
+      };
+    }
+    const w01 = pr.claims;
+    if (issuer !== void 0 && w01.iss !== issuer) {
       return {
         valid: false,
         code: "E_INVALID_ISSUER",
-        message: `Issuer mismatch: expected "${issuer}", got "${pr.claims.iss}"`
+        message: `Issuer mismatch: expected "${issuer}", got "${w01.iss}"`
       };
     }
-    if (audience !== void 0 && pr.claims.aud !== audience) {
+    if (audience !== void 0 && w01.aud !== audience) {
       return {
         valid: false,
         code: "E_INVALID_AUDIENCE",
-        message: `Audience mismatch: expected "${audience}", got "${pr.claims.aud}"`
+        message: `Audience mismatch: expected "${audience}", got "${w01.aud}"`
       };
     }
-    if (rid !== void 0 && pr.claims.rid !== rid) {
+    if (rid !== void 0 && w01.rid !== rid) {
       return {
         valid: false,
         code: "E_INVALID_RECEIPT_ID",
-        message: `Receipt ID mismatch: expected "${rid}", got "${pr.claims.rid}"`
+        message: `Receipt ID mismatch: expected "${rid}", got "${w01.rid}"`
       };
     }
-    if (requireExp && pr.claims.exp === void 0) {
+    if (requireExp && w01.exp === void 0) {
       return {
         valid: false,
         code: "E_MISSING_EXP",
         message: "Receipt missing required exp claim"
       };
     }
-    if (pr.claims.iat > now + maxClockSkew) {
+    if (w01.iat > now + maxClockSkew) {
       return {
         valid: false,
         code: "E_NOT_YET_VALID",
-        message: `Receipt not yet valid: issued at ${new Date(pr.claims.iat * 1e3).toISOString()}, now is ${new Date(now * 1e3).toISOString()}`
+        message: `Receipt not yet valid: issued at ${new Date(w01.iat * 1e3).toISOString()}, now is ${new Date(now * 1e3).toISOString()}`
       };
     }
-    if (pr.claims.exp !== void 0 && pr.claims.exp < now - maxClockSkew) {
+    if (w01.exp !== void 0 && w01.exp < now - maxClockSkew) {
       return {
         valid: false,
         code: "E_EXPIRED",
-        message: `Receipt expired at ${new Date(pr.claims.exp * 1e3).toISOString()}`
+        message: `Receipt expired at ${new Date(w01.exp * 1e3).toISOString()}`
       };
     }
     if (pr.variant === "commerce") {
@@ -1354,6 +1612,8 @@ async function verifyLocal(jws, publicKey, options = {}) {
         variant: "commerce",
         claims,
         kid: result.header.kid,
+        wireVersion: "0.1",
+        warnings: [],
         policy_binding: "unavailable"
       };
     } else {
@@ -1370,11 +1630,20 @@ async function verifyLocal(jws, publicKey, options = {}) {
         variant: "attestation",
         claims,
         kid: result.header.kid,
+        wireVersion: "0.1",
+        warnings: [],
         policy_binding: "unavailable"
       };
     }
   } catch (err) {
     if (isCryptoError(err)) {
+      if (Object.prototype.hasOwnProperty.call(JOSE_CODE_MAP, err.code)) {
+        return {
+          valid: false,
+          code: JOSE_CODE_MAP[err.code],
+          message: err.message
+        };
+      }
       if (FORMAT_ERROR_CODES.has(err.code)) {
         return {
           valid: false,
@@ -1389,6 +1658,13 @@ async function verifyLocal(jws, publicKey, options = {}) {
           message: err.message
         };
       }
+      if (err.code === "CRYPTO_WIRE_VERSION_MISMATCH") {
+        return {
+          valid: false,
+          code: "E_WIRE_VERSION_MISMATCH",
+          message: err.message
+        };
+      }
     }
     if (err !== null && typeof err === "object" && "name" in err && err.name === "SyntaxError") {
       const syntaxMessage = "message" in err && typeof err.message === "string" ? err.message : "Invalid JSON";
@@ -1412,6 +1688,9 @@ function isCommerceResult(r) {
 function isAttestationResult(r) {
   return r.valid === true && r.variant === "attestation";
 }
+function isWire02Result(r) {
+  return r.valid === true && r.variant === "wire-02";
+}
 function setReceiptHeader(headers, receiptJws) {
   headers.set(PEAC_RECEIPT_HEADER, receiptJws);
 }
@@ -1453,6 +1732,16 @@ function setVaryPurposeHeader(headers) {
     headers.set("Vary", PEAC_PURPOSE_HEADER);
   }
 }
+async function computePolicyDigestJcs(policy) {
+  const hex = await jcsHash(policy);
+  return `${HASH.prefix}${hex}`;
+}
+function checkPolicyBinding(receiptDigest, localDigest) {
+  if (receiptDigest === void 0 || localDigest === void 0) {
+    return "unavailable";
+  }
+  return verifyPolicyBinding(receiptDigest, localDigest);
+}
 var DEFAULT_VERIFIER_LIMITS = {
   max_receipt_bytes: VERIFIER_LIMITS.maxReceiptBytes,
   max_jwks_bytes: VERIFIER_LIMITS.maxJwksBytes,
@@ -2728,6 +3017,6 @@ async function verifyAndFetchPointer(pointerHeader, fetchOptions) {
   });
 }
-export { CHECK_IDS, DEFAULT_NETWORK_SECURITY, DEFAULT_VERIFIER_LIMITS, IssueError, NON_DETERMINISTIC_ARTIFACT_KEYS, VerificationReportBuilder, buildFailureReport, buildSuccessReport, clearJWKSCache, computeReceiptDigest, createDefaultPolicy, createDigest, createEmptyReport, createReportBuilder, fetchDiscovery, fetchIssuerConfig, fetchJWKSSafe, fetchPointerSafe, fetchPointerWithDigest, fetchPolicyManifest, getJWKSCacheSize, getPurposeHeader, getReceiptHeader, getSSRFCapabilities, isAttestationResult, isBlockedIP, isCommerceResult, issue, issueJws, parseBodyProfile, parseDiscovery, parseHeaderProfile, parseIssuerConfig, parsePointerProfile, parsePolicyManifest, parseTransportProfile, reasonCodeToErrorCode, reasonCodeToSeverity, resetSSRFCapabilitiesCache, resolveJWKS, setPurposeAppliedHeader, setPurposeReasonHeader, setReceiptHeader, setVaryHeader, setVaryPurposeHeader, ssrfErrorToReasonCode, ssrfSafeFetch, verifyAndFetchPointer, verifyLocal, verifyReceipt, verifyReceiptCore };
+export { CHECK_IDS, DEFAULT_NETWORK_SECURITY, DEFAULT_VERIFIER_LIMITS, IssueError, NON_DETERMINISTIC_ARTIFACT_KEYS, VerificationReportBuilder, buildFailureReport, buildSuccessReport, checkPolicyBinding, clearJWKSCache, clearKidThumbprints, computePolicyDigestJcs, computeReceiptDigest, createDefaultPolicy, createDigest, createEmptyReport, createReportBuilder, fetchDiscovery, fetchIssuerConfig, fetchJWKSSafe, fetchPointerSafe, fetchPointerWithDigest, fetchPolicyManifest, getJWKSCacheSize, getKidThumbprintSize, getPurposeHeader, getReceiptHeader, getSSRFCapabilities, isAttestationResult, isBlockedIP, isCommerceResult, isWire02Result, issue, issueJws, issueWire02, parseBodyProfile, parseDiscovery, parseHeaderProfile, parseIssuerConfig, parsePointerProfile, parsePolicyManifest, parseTransportProfile, reasonCodeToErrorCode, reasonCodeToSeverity, resetSSRFCapabilitiesCache, resolveJWKS, setPurposeAppliedHeader, setPurposeReasonHeader, setReceiptHeader, setVaryHeader, setVaryPurposeHeader, ssrfErrorToReasonCode, ssrfSafeFetch, verifyAndFetchPointer, verifyLocal, verifyReceipt, verifyReceiptCore };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map