@peac/protocol 0.11.3 → 0.12.0-preview.1

package/dist/index.cjs

@@ -179,6 +179,52 @@ async function issueJws(options) {
   const result = await issue(options);
   return result.jws;
 }
+async function issueWire02(options) {
+  if (!schema.isCanonicalIss(options.iss)) {
+    throw new IssueError({
+      code: "E_ISS_NOT_CANONICAL",
+      category: "validation",
+      severity: "error",
+      retryable: false,
+      http_status: 400,
+      details: {
+        message: `iss is not in canonical form: "${options.iss}". Use https:// origin or did: identifier.`
+      }
+    });
+  }
+  const jti = options.jti ?? uuidv7.uuidv7();
+  const iat = Math.floor(Date.now() / 1e3);
+  const claims = {
+    peac_version: "0.2",
+    kind: options.kind,
+    type: options.type,
+    iss: options.iss,
+    iat,
+    jti,
+    ...options.sub !== void 0 && { sub: options.sub },
+    ...options.pillars !== void 0 && { pillars: options.pillars },
+    ...options.occurred_at !== void 0 && { occurred_at: options.occurred_at },
+    ...options.purpose_declared !== void 0 && { purpose_declared: options.purpose_declared },
+    ...options.policy !== void 0 && { policy: options.policy },
+    ...options.extensions !== void 0 && { extensions: options.extensions }
+  };
+  const parseResult = schema.Wire02ClaimsSchema.safeParse(claims);
+  if (!parseResult.success) {
+    const firstIssue = parseResult.error.issues[0];
+    throw new IssueError({
+      code: "E_INVALID_FORMAT",
+      category: "validation",
+      severity: "error",
+      retryable: false,
+      http_status: 400,
+      details: {
+        message: `Wire 0.2 claims schema validation failed: ${firstIssue?.message ?? "unknown"}`
+      }
+    });
+  }
+  const jws = await crypto.signWire02(claims, options.privateKey, options.kid);
+  return { jws };
+}
 function parseIssuerConfig(json) {
   let config;
   if (typeof json === "string") {
@@ -1353,6 +1399,13 @@ var FORMAT_ERROR_CODES = /* @__PURE__ */ new Set([
   "CRYPTO_INVALID_ALG",
   "CRYPTO_INVALID_KEY_LENGTH"
 ]);
+var JOSE_CODE_MAP = {
+  CRYPTO_JWS_EMBEDDED_KEY: "E_JWS_EMBEDDED_KEY",
+  CRYPTO_JWS_CRIT_REJECTED: "E_JWS_CRIT_REJECTED",
+  CRYPTO_JWS_MISSING_KID: "E_JWS_MISSING_KID",
+  CRYPTO_JWS_B64_REJECTED: "E_JWS_B64_REJECTED",
+  CRYPTO_JWS_ZIP_REJECTED: "E_JWS_ZIP_REJECTED"
+};
 var MAX_PARSE_ISSUES = 25;
 function sanitizeParseIssues(issues) {
   if (!Array.isArray(issues)) return void 0;
@@ -1362,7 +1415,16 @@ function sanitizeParseIssues(issues) {
   }));
 }
 async function verifyLocal(jws, publicKey, options = {}) {
-  const { issuer, audience, subjectUri, rid, requireExp = false, maxClockSkew = 300 } = options;
+  const {
+    issuer,
+    audience,
+    subjectUri,
+    rid,
+    requireExp = false,
+    maxClockSkew = 300,
+    strictness = "strict",
+    policyDigest
+  } = options;
   const now = options.now ?? Math.floor(Date.now() / 1e3);
   try {
     const result = await crypto.verify(jws, publicKey);
@@ -1373,6 +1435,20 @@ async function verifyLocal(jws, publicKey, options = {}) {
         message: "Ed25519 signature verification failed"
       };
     }
+    const accumulatedWarnings = [];
+    if (result.header.typ === void 0) {
+      if (strictness === "strict") {
+        return {
+          valid: false,
+          code: "E_INVALID_FORMAT",
+          message: "Missing JWS typ header: strict mode requires typ to be present"
+        };
+      }
+      accumulatedWarnings.push({
+        code: schema.WARNING_TYP_MISSING,
+        message: "JWS typ header is absent; accepted in interop mode"
+      });
+    }
     const constraintResult = schema.validateKernelConstraints(result.payload);
     if (!constraintResult.valid) {
       const v = constraintResult.violations[0];
@@ -1391,46 +1467,136 @@ async function verifyLocal(jws, publicKey, options = {}) {
         details: { parse_code: pr.error.code, issues: sanitizeParseIssues(pr.error.issues) }
       };
     }
-    if (issuer !== void 0 && pr.claims.iss !== issuer) {
+    if (pr.wireVersion === "0.2") {
+      accumulatedWarnings.push(...pr.warnings);
+    }
+    if (pr.wireVersion === "0.2") {
+      const claims = pr.claims;
+      if (issuer !== void 0 && claims.iss !== issuer) {
+        return {
+          valid: false,
+          code: "E_INVALID_ISSUER",
+          message: `Issuer mismatch: expected "${issuer}", got "${claims.iss}"`
+        };
+      }
+      if (subjectUri !== void 0 && claims.sub !== subjectUri) {
+        return {
+          valid: false,
+          code: "E_INVALID_SUBJECT",
+          message: `Subject mismatch: expected "${subjectUri}", got "${claims.sub ?? "undefined"}"`
+        };
+      }
+      if (claims.iat > now + maxClockSkew) {
+        return {
+          valid: false,
+          code: "E_NOT_YET_VALID",
+          message: `Receipt not yet valid: issued at ${new Date(claims.iat * 1e3).toISOString()}, now is ${new Date(now * 1e3).toISOString()}`
+        };
+      }
+      if (claims.kind === "evidence") {
+        const skewResult = schema.checkOccurredAtSkew(claims.occurred_at, claims.iat, now, maxClockSkew);
+        if (skewResult === "future_error") {
+          return {
+            valid: false,
+            code: "E_OCCURRED_AT_FUTURE",
+            message: `occurred_at is in the future beyond tolerance (${maxClockSkew}s)`
+          };
+        }
+        if (skewResult !== null) {
+          accumulatedWarnings.push(skewResult);
+        }
+      }
+      if (!schema.REGISTERED_RECEIPT_TYPES.has(claims.type)) {
+        accumulatedWarnings.push({
+          code: schema.WARNING_TYPE_UNREGISTERED,
+          message: "Receipt type is not in the recommended type registry",
+          pointer: "/type"
+        });
+      }
+      if (claims.extensions !== void 0) {
+        for (const key of Object.keys(claims.extensions)) {
+          if (!schema.REGISTERED_EXTENSION_GROUP_KEYS.has(key) && schema.isValidExtensionKey(key)) {
+            const escapedKey = key.replace(/~/g, "~0").replace(/\//g, "~1");
+            accumulatedWarnings.push({
+              code: schema.WARNING_UNKNOWN_EXTENSION,
+              message: "Unknown extension key preserved without schema validation",
+              pointer: `/extensions/${escapedKey}`
+            });
+          }
+        }
+      }
+      if (policyDigest !== void 0 && !kernel.HASH.pattern.test(policyDigest)) {
+        return {
+          valid: false,
+          code: "E_INVALID_FORMAT",
+          message: "policyDigest option must be in sha256:<64 lowercase hex> format"
+        };
+      }
+      const receiptPolicyDigest = claims.policy?.digest;
+      const bindingStatus = receiptPolicyDigest === void 0 || policyDigest === void 0 ? "unavailable" : schema.verifyPolicyBinding(receiptPolicyDigest, policyDigest);
+      if (bindingStatus === "failed") {
+        return {
+          valid: false,
+          code: "E_POLICY_BINDING_FAILED",
+          message: "Policy binding check failed: receipt policy digest does not match local policy",
+          details: {
+            receipt_policy_digest: receiptPolicyDigest,
+            local_policy_digest: policyDigest,
+            ...claims.policy?.uri !== void 0 && { policy_uri: claims.policy.uri }
+          }
+        };
+      }
+      return {
+        valid: true,
+        variant: "wire-02",
+        claims,
+        kid: result.header.kid,
+        wireVersion: "0.2",
+        warnings: schema.sortWarnings(accumulatedWarnings),
+        policy_binding: bindingStatus
+      };
+    }
+    const w01 = pr.claims;
+    if (issuer !== void 0 && w01.iss !== issuer) {
       return {
         valid: false,
         code: "E_INVALID_ISSUER",
-        message: `Issuer mismatch: expected "${issuer}", got "${pr.claims.iss}"`
+        message: `Issuer mismatch: expected "${issuer}", got "${w01.iss}"`
       };
     }
-    if (audience !== void 0 && pr.claims.aud !== audience) {
+    if (audience !== void 0 && w01.aud !== audience) {
       return {
         valid: false,
         code: "E_INVALID_AUDIENCE",
-        message: `Audience mismatch: expected "${audience}", got "${pr.claims.aud}"`
+        message: `Audience mismatch: expected "${audience}", got "${w01.aud}"`
       };
     }
-    if (rid !== void 0 && pr.claims.rid !== rid) {
+    if (rid !== void 0 && w01.rid !== rid) {
       return {
         valid: false,
         code: "E_INVALID_RECEIPT_ID",
-        message: `Receipt ID mismatch: expected "${rid}", got "${pr.claims.rid}"`
+        message: `Receipt ID mismatch: expected "${rid}", got "${w01.rid}"`
       };
     }
-    if (requireExp && pr.claims.exp === void 0) {
+    if (requireExp && w01.exp === void 0) {
       return {
         valid: false,
         code: "E_MISSING_EXP",
         message: "Receipt missing required exp claim"
       };
     }
-    if (pr.claims.iat > now + maxClockSkew) {
+    if (w01.iat > now + maxClockSkew) {
       return {
         valid: false,
         code: "E_NOT_YET_VALID",
-        message: `Receipt not yet valid: issued at ${new Date(pr.claims.iat * 1e3).toISOString()}, now is ${new Date(now * 1e3).toISOString()}`
+        message: `Receipt not yet valid: issued at ${new Date(w01.iat * 1e3).toISOString()}, now is ${new Date(now * 1e3).toISOString()}`
       };
     }
-    if (pr.claims.exp !== void 0 && pr.claims.exp < now - maxClockSkew) {
+    if (w01.exp !== void 0 && w01.exp < now - maxClockSkew) {
       return {
         valid: false,
         code: "E_EXPIRED",
-        message: `Receipt expired at ${new Date(pr.claims.exp * 1e3).toISOString()}`
+        message: `Receipt expired at ${new Date(w01.exp * 1e3).toISOString()}`
       };
     }
     if (pr.variant === "commerce") {
@@ -1447,6 +1613,8 @@ async function verifyLocal(jws, publicKey, options = {}) {
         variant: "commerce",
         claims,
         kid: result.header.kid,
+        wireVersion: "0.1",
+        warnings: [],
         policy_binding: "unavailable"
       };
     } else {
@@ -1463,11 +1631,20 @@ async function verifyLocal(jws, publicKey, options = {}) {
         variant: "attestation",
         claims,
         kid: result.header.kid,
+        wireVersion: "0.1",
+        warnings: [],
         policy_binding: "unavailable"
       };
     }
   } catch (err) {
     if (isCryptoError(err)) {
+      if (Object.prototype.hasOwnProperty.call(JOSE_CODE_MAP, err.code)) {
+        return {
+          valid: false,
+          code: JOSE_CODE_MAP[err.code],
+          message: err.message
+        };
+      }
       if (FORMAT_ERROR_CODES.has(err.code)) {
         return {
           valid: false,
@@ -1482,6 +1659,13 @@ async function verifyLocal(jws, publicKey, options = {}) {
           message: err.message
         };
       }
+      if (err.code === "CRYPTO_WIRE_VERSION_MISMATCH") {
+        return {
+          valid: false,
+          code: "E_WIRE_VERSION_MISMATCH",
+          message: err.message
+        };
+      }
     }
     if (err !== null && typeof err === "object" && "name" in err && err.name === "SyntaxError") {
       const syntaxMessage = "message" in err && typeof err.message === "string" ? err.message : "Invalid JSON";
@@ -1505,6 +1689,9 @@ function isCommerceResult(r) {
 function isAttestationResult(r) {
   return r.valid === true && r.variant === "attestation";
 }
+function isWire02Result(r) {
+  return r.valid === true && r.variant === "wire-02";
+}
 function setReceiptHeader(headers, receiptJws) {
   headers.set(schema.PEAC_RECEIPT_HEADER, receiptJws);
 }
@@ -1546,6 +1733,16 @@ function setVaryPurposeHeader(headers) {
     headers.set("Vary", schema.PEAC_PURPOSE_HEADER);
   }
 }
+async function computePolicyDigestJcs(policy) {
+  const hex = await crypto.jcsHash(policy);
+  return `${kernel.HASH.prefix}${hex}`;
+}
+function checkPolicyBinding(receiptDigest, localDigest) {
+  if (receiptDigest === void 0 || localDigest === void 0) {
+    return "unavailable";
+  }
+  return schema.verifyPolicyBinding(receiptDigest, localDigest);
+}
 var DEFAULT_VERIFIER_LIMITS = {
   max_receipt_bytes: kernel.VERIFIER_LIMITS.maxReceiptBytes,
   max_jwks_bytes: kernel.VERIFIER_LIMITS.maxJwksBytes,
@@ -2861,8 +3058,10 @@ exports.NON_DETERMINISTIC_ARTIFACT_KEYS = NON_DETERMINISTIC_ARTIFACT_KEYS;
 exports.VerificationReportBuilder = VerificationReportBuilder;
 exports.buildFailureReport = buildFailureReport;
 exports.buildSuccessReport = buildSuccessReport;
+exports.checkPolicyBinding = checkPolicyBinding;
 exports.clearJWKSCache = clearJWKSCache;
 exports.clearKidThumbprints = clearKidThumbprints;
+exports.computePolicyDigestJcs = computePolicyDigestJcs;
 exports.computeReceiptDigest = computeReceiptDigest;
 exports.createDefaultPolicy = createDefaultPolicy;
 exports.createDigest = createDigest;
@@ -2882,8 +3081,10 @@ exports.getSSRFCapabilities = getSSRFCapabilities;
 exports.isAttestationResult = isAttestationResult;
 exports.isBlockedIP = isBlockedIP;
 exports.isCommerceResult = isCommerceResult;
+exports.isWire02Result = isWire02Result;
 exports.issue = issue;
 exports.issueJws = issueJws;
+exports.issueWire02 = issueWire02;
 exports.parseBodyProfile = parseBodyProfile;
 exports.parseDiscovery = parseDiscovery;
 exports.parseHeaderProfile = parseHeaderProfile;