@peac/protocol 0.11.3 → 0.12.0-preview.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (17) hide show
  1. package/dist/index.cjs +213 -12
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.d.ts +1 -0
  4. package/dist/index.d.ts.map +1 -1
  5. package/dist/index.mjs +213 -16
  6. package/dist/index.mjs.map +1 -1
  7. package/dist/issue.d.ts +60 -1
  8. package/dist/issue.d.ts.map +1 -1
  9. package/dist/policy-binding.d.ts +55 -0
  10. package/dist/policy-binding.d.ts.map +1 -0
  11. package/dist/verify-local.cjs +155 -12
  12. package/dist/verify-local.cjs.map +1 -1
  13. package/dist/verify-local.d.ts +94 -21
  14. package/dist/verify-local.d.ts.map +1 -1
  15. package/dist/verify-local.mjs +156 -14
  16. package/dist/verify-local.mjs.map +1 -1
  17. package/package.json +4 -4
package/dist/index.d.ts CHANGED
@@ -8,6 +8,7 @@ export * from './verify-local';
8
8
  export * from './headers';
9
9
  export * from './discovery';
10
10
  export * from './jwks-resolver';
11
+ export { computePolicyDigestJcs, checkPolicyBinding } from './policy-binding';
11
12
  export * from './verifier-types';
12
13
  export * from './verifier-core';
13
14
  export * from './verification-report';
package/dist/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC;AACzB,cAAc,gBAAgB,CAAC;AAC/B,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC;AAC5B,cAAc,iBAAiB,CAAC;AAGhC,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAChC,cAAc,uBAAuB,CAAC;AACtC,cAAc,mBAAmB,CAAC;AAClC,cAAc,sBAAsB,CAAC;AACrC,cAAc,iBAAiB,CAAC;AAGhC,OAAO,EACL,eAAe,EACf,eAAe,EACf,oBAAoB,EACpB,eAAe,EACf,mBAAmB,EACnB,WAAW,EACX,SAAS,EACT,MAAM,GACP,MAAM,cAAc,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC;AACzB,cAAc,gBAAgB,CAAC;AAC/B,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC;AAC5B,cAAc,iBAAiB,CAAC;AAGhC,OAAO,EAAE,sBAAsB,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAG9E,cAAc,kBAAkB,CAAC;AACjC,cAAc,iBAAiB,CAAC;AAChC,cAAc,uBAAuB,CAAC;AACtC,cAAc,mBAAmB,CAAC;AAClC,cAAc,sBAAsB,CAAC;AACrC,cAAc,iBAAiB,CAAC;AAGhC,OAAO,EACL,eAAe,EACf,eAAe,EACf,oBAAoB,EACpB,eAAe,EACf,mBAAmB,EACnB,WAAW,EACX,SAAS,EACT,MAAM,GACP,MAAM,cAAc,CAAC"}
package/dist/index.mjs CHANGED
@@ -1,10 +1,10 @@
1
1
  import { uuidv7 } from 'uuidv7';
2
- import { sign, decode, verify, sha256Hex, computeJwkThumbprint, jwkToPublicKeyBytes, base64urlDecode } from '@peac/crypto';
2
+ import { sign, signWire02, decode, verify, jcsHash, sha256Hex, computeJwkThumbprint, jwkToPublicKeyBytes, base64urlDecode } from '@peac/crypto';
3
3
  export { base64urlDecode, base64urlEncode, computeJwkThumbprint, generateKeypair, jwkToPublicKeyBytes, sha256Bytes, sha256Hex, verify } from '@peac/crypto';
4
4
  import { ZodError } from 'zod';
5
- import { isValidPurposeToken, isCanonicalPurpose, isValidPurposeReason, isValidWorkflowContext, createWorkflowContextInvalidError, hasValidDagSemantics, createWorkflowDagInvalidError, WORKFLOW_EXTENSION_KEY, validateKernelConstraints, createConstraintViolationError, ReceiptClaims, createEvidenceNotJsonError, validateSubjectSnapshot, PEAC_ISSUER_CONFIG_MAX_BYTES, validateRevokedKeys, PEAC_ISSUER_CONFIG_PATH, PEAC_POLICY_MAX_BYTES, PEAC_POLICY_PATH, PEAC_POLICY_FALLBACK_PATH, parseReceiptClaims, PEAC_RECEIPT_HEADER, PEAC_PURPOSE_HEADER, parsePurposeHeader, PEAC_PURPOSE_APPLIED_HEADER, PEAC_PURPOSE_REASON_HEADER } from '@peac/schema';
5
+ import { isValidPurposeToken, isCanonicalPurpose, isValidPurposeReason, isValidWorkflowContext, createWorkflowContextInvalidError, hasValidDagSemantics, createWorkflowDagInvalidError, WORKFLOW_EXTENSION_KEY, validateKernelConstraints, createConstraintViolationError, ReceiptClaims, createEvidenceNotJsonError, validateSubjectSnapshot, isCanonicalIss, Wire02ClaimsSchema, PEAC_ISSUER_CONFIG_MAX_BYTES, validateRevokedKeys, PEAC_ISSUER_CONFIG_PATH, PEAC_POLICY_MAX_BYTES, PEAC_POLICY_PATH, PEAC_POLICY_FALLBACK_PATH, WARNING_TYP_MISSING, parseReceiptClaims, checkOccurredAtSkew, REGISTERED_RECEIPT_TYPES, WARNING_TYPE_UNREGISTERED, REGISTERED_EXTENSION_GROUP_KEYS, isValidExtensionKey, WARNING_UNKNOWN_EXTENSION, verifyPolicyBinding, sortWarnings, PEAC_RECEIPT_HEADER, PEAC_PURPOSE_HEADER, parsePurposeHeader, PEAC_PURPOSE_APPLIED_HEADER, PEAC_PURPOSE_REASON_HEADER } from '@peac/schema';
6
6
  import { createHash } from 'crypto';
7
- import { VERIFIER_LIMITS, VERIFIER_NETWORK, VERIFIER_POLICY_VERSION, VERIFICATION_REPORT_VERSION, WIRE_TYPE } from '@peac/kernel';
7
+ import { VERIFIER_LIMITS, VERIFIER_NETWORK, HASH, VERIFIER_POLICY_VERSION, VERIFICATION_REPORT_VERSION, WIRE_TYPE } from '@peac/kernel';
8
8
 
9
9
  // src/issue.ts
10
10
  function fireTelemetryHook(fn, input) {
@@ -178,6 +178,52 @@ async function issueJws(options) {
178
178
  const result = await issue(options);
179
179
  return result.jws;
180
180
  }
181
+ async function issueWire02(options) {
182
+ if (!isCanonicalIss(options.iss)) {
183
+ throw new IssueError({
184
+ code: "E_ISS_NOT_CANONICAL",
185
+ category: "validation",
186
+ severity: "error",
187
+ retryable: false,
188
+ http_status: 400,
189
+ details: {
190
+ message: `iss is not in canonical form: "${options.iss}". Use https:// origin or did: identifier.`
191
+ }
192
+ });
193
+ }
194
+ const jti = options.jti ?? uuidv7();
195
+ const iat = Math.floor(Date.now() / 1e3);
196
+ const claims = {
197
+ peac_version: "0.2",
198
+ kind: options.kind,
199
+ type: options.type,
200
+ iss: options.iss,
201
+ iat,
202
+ jti,
203
+ ...options.sub !== void 0 && { sub: options.sub },
204
+ ...options.pillars !== void 0 && { pillars: options.pillars },
205
+ ...options.occurred_at !== void 0 && { occurred_at: options.occurred_at },
206
+ ...options.purpose_declared !== void 0 && { purpose_declared: options.purpose_declared },
207
+ ...options.policy !== void 0 && { policy: options.policy },
208
+ ...options.extensions !== void 0 && { extensions: options.extensions }
209
+ };
210
+ const parseResult = Wire02ClaimsSchema.safeParse(claims);
211
+ if (!parseResult.success) {
212
+ const firstIssue = parseResult.error.issues[0];
213
+ throw new IssueError({
214
+ code: "E_INVALID_FORMAT",
215
+ category: "validation",
216
+ severity: "error",
217
+ retryable: false,
218
+ http_status: 400,
219
+ details: {
220
+ message: `Wire 0.2 claims schema validation failed: ${firstIssue?.message ?? "unknown"}`
221
+ }
222
+ });
223
+ }
224
+ const jws = await signWire02(claims, options.privateKey, options.kid);
225
+ return { jws };
226
+ }
181
227
  function parseIssuerConfig(json) {
182
228
  let config;
183
229
  if (typeof json === "string") {
@@ -1352,6 +1398,13 @@ var FORMAT_ERROR_CODES = /* @__PURE__ */ new Set([
1352
1398
  "CRYPTO_INVALID_ALG",
1353
1399
  "CRYPTO_INVALID_KEY_LENGTH"
1354
1400
  ]);
1401
+ var JOSE_CODE_MAP = {
1402
+ CRYPTO_JWS_EMBEDDED_KEY: "E_JWS_EMBEDDED_KEY",
1403
+ CRYPTO_JWS_CRIT_REJECTED: "E_JWS_CRIT_REJECTED",
1404
+ CRYPTO_JWS_MISSING_KID: "E_JWS_MISSING_KID",
1405
+ CRYPTO_JWS_B64_REJECTED: "E_JWS_B64_REJECTED",
1406
+ CRYPTO_JWS_ZIP_REJECTED: "E_JWS_ZIP_REJECTED"
1407
+ };
1355
1408
  var MAX_PARSE_ISSUES = 25;
1356
1409
  function sanitizeParseIssues(issues) {
1357
1410
  if (!Array.isArray(issues)) return void 0;
@@ -1361,7 +1414,16 @@ function sanitizeParseIssues(issues) {
1361
1414
  }));
1362
1415
  }
1363
1416
  async function verifyLocal(jws, publicKey, options = {}) {
1364
- const { issuer, audience, subjectUri, rid, requireExp = false, maxClockSkew = 300 } = options;
1417
+ const {
1418
+ issuer,
1419
+ audience,
1420
+ subjectUri,
1421
+ rid,
1422
+ requireExp = false,
1423
+ maxClockSkew = 300,
1424
+ strictness = "strict",
1425
+ policyDigest
1426
+ } = options;
1365
1427
  const now = options.now ?? Math.floor(Date.now() / 1e3);
1366
1428
  try {
1367
1429
  const result = await verify(jws, publicKey);
@@ -1372,6 +1434,20 @@ async function verifyLocal(jws, publicKey, options = {}) {
1372
1434
  message: "Ed25519 signature verification failed"
1373
1435
  };
1374
1436
  }
1437
+ const accumulatedWarnings = [];
1438
+ if (result.header.typ === void 0) {
1439
+ if (strictness === "strict") {
1440
+ return {
1441
+ valid: false,
1442
+ code: "E_INVALID_FORMAT",
1443
+ message: "Missing JWS typ header: strict mode requires typ to be present"
1444
+ };
1445
+ }
1446
+ accumulatedWarnings.push({
1447
+ code: WARNING_TYP_MISSING,
1448
+ message: "JWS typ header is absent; accepted in interop mode"
1449
+ });
1450
+ }
1375
1451
  const constraintResult = validateKernelConstraints(result.payload);
1376
1452
  if (!constraintResult.valid) {
1377
1453
  const v = constraintResult.violations[0];
@@ -1390,46 +1466,136 @@ async function verifyLocal(jws, publicKey, options = {}) {
1390
1466
  details: { parse_code: pr.error.code, issues: sanitizeParseIssues(pr.error.issues) }
1391
1467
  };
1392
1468
  }
1393
- if (issuer !== void 0 && pr.claims.iss !== issuer) {
1469
+ if (pr.wireVersion === "0.2") {
1470
+ accumulatedWarnings.push(...pr.warnings);
1471
+ }
1472
+ if (pr.wireVersion === "0.2") {
1473
+ const claims = pr.claims;
1474
+ if (issuer !== void 0 && claims.iss !== issuer) {
1475
+ return {
1476
+ valid: false,
1477
+ code: "E_INVALID_ISSUER",
1478
+ message: `Issuer mismatch: expected "${issuer}", got "${claims.iss}"`
1479
+ };
1480
+ }
1481
+ if (subjectUri !== void 0 && claims.sub !== subjectUri) {
1482
+ return {
1483
+ valid: false,
1484
+ code: "E_INVALID_SUBJECT",
1485
+ message: `Subject mismatch: expected "${subjectUri}", got "${claims.sub ?? "undefined"}"`
1486
+ };
1487
+ }
1488
+ if (claims.iat > now + maxClockSkew) {
1489
+ return {
1490
+ valid: false,
1491
+ code: "E_NOT_YET_VALID",
1492
+ message: `Receipt not yet valid: issued at ${new Date(claims.iat * 1e3).toISOString()}, now is ${new Date(now * 1e3).toISOString()}`
1493
+ };
1494
+ }
1495
+ if (claims.kind === "evidence") {
1496
+ const skewResult = checkOccurredAtSkew(claims.occurred_at, claims.iat, now, maxClockSkew);
1497
+ if (skewResult === "future_error") {
1498
+ return {
1499
+ valid: false,
1500
+ code: "E_OCCURRED_AT_FUTURE",
1501
+ message: `occurred_at is in the future beyond tolerance (${maxClockSkew}s)`
1502
+ };
1503
+ }
1504
+ if (skewResult !== null) {
1505
+ accumulatedWarnings.push(skewResult);
1506
+ }
1507
+ }
1508
+ if (!REGISTERED_RECEIPT_TYPES.has(claims.type)) {
1509
+ accumulatedWarnings.push({
1510
+ code: WARNING_TYPE_UNREGISTERED,
1511
+ message: "Receipt type is not in the recommended type registry",
1512
+ pointer: "/type"
1513
+ });
1514
+ }
1515
+ if (claims.extensions !== void 0) {
1516
+ for (const key of Object.keys(claims.extensions)) {
1517
+ if (!REGISTERED_EXTENSION_GROUP_KEYS.has(key) && isValidExtensionKey(key)) {
1518
+ const escapedKey = key.replace(/~/g, "~0").replace(/\//g, "~1");
1519
+ accumulatedWarnings.push({
1520
+ code: WARNING_UNKNOWN_EXTENSION,
1521
+ message: "Unknown extension key preserved without schema validation",
1522
+ pointer: `/extensions/${escapedKey}`
1523
+ });
1524
+ }
1525
+ }
1526
+ }
1527
+ if (policyDigest !== void 0 && !HASH.pattern.test(policyDigest)) {
1528
+ return {
1529
+ valid: false,
1530
+ code: "E_INVALID_FORMAT",
1531
+ message: "policyDigest option must be in sha256:<64 lowercase hex> format"
1532
+ };
1533
+ }
1534
+ const receiptPolicyDigest = claims.policy?.digest;
1535
+ const bindingStatus = receiptPolicyDigest === void 0 || policyDigest === void 0 ? "unavailable" : verifyPolicyBinding(receiptPolicyDigest, policyDigest);
1536
+ if (bindingStatus === "failed") {
1537
+ return {
1538
+ valid: false,
1539
+ code: "E_POLICY_BINDING_FAILED",
1540
+ message: "Policy binding check failed: receipt policy digest does not match local policy",
1541
+ details: {
1542
+ receipt_policy_digest: receiptPolicyDigest,
1543
+ local_policy_digest: policyDigest,
1544
+ ...claims.policy?.uri !== void 0 && { policy_uri: claims.policy.uri }
1545
+ }
1546
+ };
1547
+ }
1548
+ return {
1549
+ valid: true,
1550
+ variant: "wire-02",
1551
+ claims,
1552
+ kid: result.header.kid,
1553
+ wireVersion: "0.2",
1554
+ warnings: sortWarnings(accumulatedWarnings),
1555
+ policy_binding: bindingStatus
1556
+ };
1557
+ }
1558
+ const w01 = pr.claims;
1559
+ if (issuer !== void 0 && w01.iss !== issuer) {
1394
1560
  return {
1395
1561
  valid: false,
1396
1562
  code: "E_INVALID_ISSUER",
1397
- message: `Issuer mismatch: expected "${issuer}", got "${pr.claims.iss}"`
1563
+ message: `Issuer mismatch: expected "${issuer}", got "${w01.iss}"`
1398
1564
  };
1399
1565
  }
1400
- if (audience !== void 0 && pr.claims.aud !== audience) {
1566
+ if (audience !== void 0 && w01.aud !== audience) {
1401
1567
  return {
1402
1568
  valid: false,
1403
1569
  code: "E_INVALID_AUDIENCE",
1404
- message: `Audience mismatch: expected "${audience}", got "${pr.claims.aud}"`
1570
+ message: `Audience mismatch: expected "${audience}", got "${w01.aud}"`
1405
1571
  };
1406
1572
  }
1407
- if (rid !== void 0 && pr.claims.rid !== rid) {
1573
+ if (rid !== void 0 && w01.rid !== rid) {
1408
1574
  return {
1409
1575
  valid: false,
1410
1576
  code: "E_INVALID_RECEIPT_ID",
1411
- message: `Receipt ID mismatch: expected "${rid}", got "${pr.claims.rid}"`
1577
+ message: `Receipt ID mismatch: expected "${rid}", got "${w01.rid}"`
1412
1578
  };
1413
1579
  }
1414
- if (requireExp && pr.claims.exp === void 0) {
1580
+ if (requireExp && w01.exp === void 0) {
1415
1581
  return {
1416
1582
  valid: false,
1417
1583
  code: "E_MISSING_EXP",
1418
1584
  message: "Receipt missing required exp claim"
1419
1585
  };
1420
1586
  }
1421
- if (pr.claims.iat > now + maxClockSkew) {
1587
+ if (w01.iat > now + maxClockSkew) {
1422
1588
  return {
1423
1589
  valid: false,
1424
1590
  code: "E_NOT_YET_VALID",
1425
- message: `Receipt not yet valid: issued at ${new Date(pr.claims.iat * 1e3).toISOString()}, now is ${new Date(now * 1e3).toISOString()}`
1591
+ message: `Receipt not yet valid: issued at ${new Date(w01.iat * 1e3).toISOString()}, now is ${new Date(now * 1e3).toISOString()}`
1426
1592
  };
1427
1593
  }
1428
- if (pr.claims.exp !== void 0 && pr.claims.exp < now - maxClockSkew) {
1594
+ if (w01.exp !== void 0 && w01.exp < now - maxClockSkew) {
1429
1595
  return {
1430
1596
  valid: false,
1431
1597
  code: "E_EXPIRED",
1432
- message: `Receipt expired at ${new Date(pr.claims.exp * 1e3).toISOString()}`
1598
+ message: `Receipt expired at ${new Date(w01.exp * 1e3).toISOString()}`
1433
1599
  };
1434
1600
  }
1435
1601
  if (pr.variant === "commerce") {
@@ -1446,6 +1612,8 @@ async function verifyLocal(jws, publicKey, options = {}) {
1446
1612
  variant: "commerce",
1447
1613
  claims,
1448
1614
  kid: result.header.kid,
1615
+ wireVersion: "0.1",
1616
+ warnings: [],
1449
1617
  policy_binding: "unavailable"
1450
1618
  };
1451
1619
  } else {
@@ -1462,11 +1630,20 @@ async function verifyLocal(jws, publicKey, options = {}) {
1462
1630
  variant: "attestation",
1463
1631
  claims,
1464
1632
  kid: result.header.kid,
1633
+ wireVersion: "0.1",
1634
+ warnings: [],
1465
1635
  policy_binding: "unavailable"
1466
1636
  };
1467
1637
  }
1468
1638
  } catch (err) {
1469
1639
  if (isCryptoError(err)) {
1640
+ if (Object.prototype.hasOwnProperty.call(JOSE_CODE_MAP, err.code)) {
1641
+ return {
1642
+ valid: false,
1643
+ code: JOSE_CODE_MAP[err.code],
1644
+ message: err.message
1645
+ };
1646
+ }
1470
1647
  if (FORMAT_ERROR_CODES.has(err.code)) {
1471
1648
  return {
1472
1649
  valid: false,
@@ -1481,6 +1658,13 @@ async function verifyLocal(jws, publicKey, options = {}) {
1481
1658
  message: err.message
1482
1659
  };
1483
1660
  }
1661
+ if (err.code === "CRYPTO_WIRE_VERSION_MISMATCH") {
1662
+ return {
1663
+ valid: false,
1664
+ code: "E_WIRE_VERSION_MISMATCH",
1665
+ message: err.message
1666
+ };
1667
+ }
1484
1668
  }
1485
1669
  if (err !== null && typeof err === "object" && "name" in err && err.name === "SyntaxError") {
1486
1670
  const syntaxMessage = "message" in err && typeof err.message === "string" ? err.message : "Invalid JSON";
@@ -1504,6 +1688,9 @@ function isCommerceResult(r) {
1504
1688
  function isAttestationResult(r) {
1505
1689
  return r.valid === true && r.variant === "attestation";
1506
1690
  }
1691
+ function isWire02Result(r) {
1692
+ return r.valid === true && r.variant === "wire-02";
1693
+ }
1507
1694
  function setReceiptHeader(headers, receiptJws) {
1508
1695
  headers.set(PEAC_RECEIPT_HEADER, receiptJws);
1509
1696
  }
@@ -1545,6 +1732,16 @@ function setVaryPurposeHeader(headers) {
1545
1732
  headers.set("Vary", PEAC_PURPOSE_HEADER);
1546
1733
  }
1547
1734
  }
1735
+ async function computePolicyDigestJcs(policy) {
1736
+ const hex = await jcsHash(policy);
1737
+ return `${HASH.prefix}${hex}`;
1738
+ }
1739
+ function checkPolicyBinding(receiptDigest, localDigest) {
1740
+ if (receiptDigest === void 0 || localDigest === void 0) {
1741
+ return "unavailable";
1742
+ }
1743
+ return verifyPolicyBinding(receiptDigest, localDigest);
1744
+ }
1548
1745
  var DEFAULT_VERIFIER_LIMITS = {
1549
1746
  max_receipt_bytes: VERIFIER_LIMITS.maxReceiptBytes,
1550
1747
  max_jwks_bytes: VERIFIER_LIMITS.maxJwksBytes,
@@ -2820,6 +3017,6 @@ async function verifyAndFetchPointer(pointerHeader, fetchOptions) {
2820
3017
  });
2821
3018
  }
2822
3019
 
2823
- export { CHECK_IDS, DEFAULT_NETWORK_SECURITY, DEFAULT_VERIFIER_LIMITS, IssueError, NON_DETERMINISTIC_ARTIFACT_KEYS, VerificationReportBuilder, buildFailureReport, buildSuccessReport, clearJWKSCache, clearKidThumbprints, computeReceiptDigest, createDefaultPolicy, createDigest, createEmptyReport, createReportBuilder, fetchDiscovery, fetchIssuerConfig, fetchJWKSSafe, fetchPointerSafe, fetchPointerWithDigest, fetchPolicyManifest, getJWKSCacheSize, getKidThumbprintSize, getPurposeHeader, getReceiptHeader, getSSRFCapabilities, isAttestationResult, isBlockedIP, isCommerceResult, issue, issueJws, parseBodyProfile, parseDiscovery, parseHeaderProfile, parseIssuerConfig, parsePointerProfile, parsePolicyManifest, parseTransportProfile, reasonCodeToErrorCode, reasonCodeToSeverity, resetSSRFCapabilitiesCache, resolveJWKS, setPurposeAppliedHeader, setPurposeReasonHeader, setReceiptHeader, setVaryHeader, setVaryPurposeHeader, ssrfErrorToReasonCode, ssrfSafeFetch, verifyAndFetchPointer, verifyLocal, verifyReceipt, verifyReceiptCore };
3020
+ export { CHECK_IDS, DEFAULT_NETWORK_SECURITY, DEFAULT_VERIFIER_LIMITS, IssueError, NON_DETERMINISTIC_ARTIFACT_KEYS, VerificationReportBuilder, buildFailureReport, buildSuccessReport, checkPolicyBinding, clearJWKSCache, clearKidThumbprints, computePolicyDigestJcs, computeReceiptDigest, createDefaultPolicy, createDigest, createEmptyReport, createReportBuilder, fetchDiscovery, fetchIssuerConfig, fetchJWKSSafe, fetchPointerSafe, fetchPointerWithDigest, fetchPolicyManifest, getJWKSCacheSize, getKidThumbprintSize, getPurposeHeader, getReceiptHeader, getSSRFCapabilities, isAttestationResult, isBlockedIP, isCommerceResult, isWire02Result, issue, issueJws, issueWire02, parseBodyProfile, parseDiscovery, parseHeaderProfile, parseIssuerConfig, parsePointerProfile, parsePolicyManifest, parseTransportProfile, reasonCodeToErrorCode, reasonCodeToSeverity, resetSSRFCapabilitiesCache, resolveJWKS, setPurposeAppliedHeader, setPurposeReasonHeader, setReceiptHeader, setVaryHeader, setVaryPurposeHeader, ssrfErrorToReasonCode, ssrfSafeFetch, verifyAndFetchPointer, verifyLocal, verifyReceipt, verifyReceiptCore };
2824
3021
  //# sourceMappingURL=index.mjs.map
2825
3022
  //# sourceMappingURL=index.mjs.map