@peac/protocol 0.12.0-preview.1 → 0.12.0-preview.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (15) hide show
  1. package/dist/index.cjs +9 -93
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.mjs +9 -93
  4. package/dist/index.mjs.map +1 -1
  5. package/dist/issue.d.ts +4 -1
  6. package/dist/issue.d.ts.map +1 -1
  7. package/dist/verify-local-wire01.d.ts +45 -0
  8. package/dist/verify-local-wire01.d.ts.map +1 -0
  9. package/dist/verify-local.cjs +8 -92
  10. package/dist/verify-local.cjs.map +1 -1
  11. package/dist/verify-local.d.ts +30 -78
  12. package/dist/verify-local.d.ts.map +1 -1
  13. package/dist/verify-local.mjs +8 -92
  14. package/dist/verify-local.mjs.map +1 -1
  15. package/package.json +4 -4
package/dist/issue.d.ts CHANGED
@@ -97,7 +97,10 @@ export declare class IssueError extends Error {
97
97
  constructor(peacError: PEACError);
98
98
  }
99
99
  /**
100
- * Issue a PEAC receipt
100
+ * Issue a Wire 0.1 PEAC receipt.
101
+ *
102
+ * @deprecated Use {@link issueWire02} for Wire 0.2 receipts. Wire 0.1 issuance is deprecated
103
+ * and will be removed in a future major version.
101
104
  *
102
105
  * @param options - Receipt options
103
106
  * @returns Issue result with JWS and optional subject_snapshot
package/dist/issue.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"issue.d.ts","sourceRoot":"","sources":["../src/issue.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAE3E,OAAO,EACL,iBAAiB,EAEjB,sBAAsB,EAOtB,KAAK,SAAS,EACd,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,aAAa,EAKlB,KAAK,eAAe,EAQrB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAkC,KAAK,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAEpF;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,4BAA4B;IAC5B,GAAG,EAAE,MAAM,CAAC;IAEZ,yCAAyC;IACzC,GAAG,EAAE,MAAM,CAAC;IAEZ,uCAAuC;IACvC,GAAG,EAAE,MAAM,CAAC;IAEZ,yCAAyC;IACzC,GAAG,EAAE,MAAM,CAAC;IAEZ,8BAA8B;IAC9B,IAAI,EAAE,MAAM,CAAC;IAEb,sCAAsC;IACtC,SAAS,EAAE,MAAM,CAAC;IAElB,4FAA4F;IAC5F,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,0DAA0D;IAC1D,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAEtB,4DAA4D;IAC5D,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,uCAAuC;IACvC,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB,oFAAoF;IACpF,QAAQ,CAAC,EAAE,SAAS,CAAC;IAErB,iCAAiC;IACjC,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAEnC,6BAA6B;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,4BAA4B;IAC5B,GAAG,CAAC,EAAE,iBAAiB,CAAC,KAAK,CAAC,CAAC;IAE/B,gDAAgD;IAChD,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,iEAAiE;IACjE,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAE1C;;;;;OAKG;IACH,OAAO,CAAC,EAAE,YAAY,GAAG,YAAY,EAAE,CAAC;IAExC;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IAEpC;;;;OAIG;IACH,cAAc,CAAC,EAAE,aAAa,CAAC;IAE/B;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,eAAe,CAAC;IAEnC,qCAAqC;IACrC,UAAU,EAAE,UAAU,CAAC;IAEvB,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;IAEZ,iDAAiD;IACjD,SAAS,CAAC,EAAE,aAAa,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,gCAAgC;IAChC,GAAG,EAAE,MAAM,CAAC;IAEZ,+CAA+C;IAC/C,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;CAC3C;AAED;;;;GAIG;AACH,qBAAa,UAAW,SAAQ,KAAK;IACnC,+BAA+B;IAC/B,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;gBAElB,SAAS,EAAE,SAAS;CAMjC;AAED;;;;;;GAMG;AACH,wBAAsB,KAAK,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC,CAmLvE;AAED;;;;;;;;GAQG;AACH,wBAAsB,QAAQ,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,CAGrE;AAMD;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ,iDAAiD;IACjD,IAAI,EAAE,UAAU,GAAG,WAAW,CAAC;IAE/B;;;OAGG;IACH,IAAI,EAAE,MAAM,CAAC;IAEb,qCAAqC;IACrC,UAAU,EAAE,UAAU,CAAC;IAEvB,sDAAsD;IACtD,GAAG,EAAE,MAAM,CAAC;IAEZ;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,oDAAoD;IACpD,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;;OAGG;IACH,OAAO,CAAC,EAAE,cAAc,EAAE,CAAC;IAE3B;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,wDAAwD;IACxD,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B;;;OAGG;IACH,MAAM,CAAC,EAAE,WAAW,CAAC;IAErB,mEAAmE;IACnE,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED;;;;;;;;;GASG;AACH,wBAAsB,WAAW,CAAC,OAAO,EAAE,kBAAkB,GAAG,OAAO,CAAC,WAAW,CAAC,CAyDnF"}
1
+ {"version":3,"file":"issue.d.ts","sourceRoot":"","sources":["../src/issue.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EAAE,SAAS,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAE3E,OAAO,EACL,iBAAiB,EAEjB,sBAAsB,EAOtB,KAAK,SAAS,EACd,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,aAAa,EAKlB,KAAK,eAAe,EAQrB,MAAM,cAAc,CAAC;AACtB,OAAO,EAAkC,KAAK,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAEpF;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,4BAA4B;IAC5B,GAAG,EAAE,MAAM,CAAC;IAEZ,yCAAyC;IACzC,GAAG,EAAE,MAAM,CAAC;IAEZ,uCAAuC;IACvC,GAAG,EAAE,MAAM,CAAC;IAEZ,yCAAyC;IACzC,GAAG,EAAE,MAAM,CAAC;IAEZ,8BAA8B;IAC9B,IAAI,EAAE,MAAM,CAAC;IAEb,sCAAsC;IACtC,SAAS,EAAE,MAAM,CAAC;IAElB,4FAA4F;IAC5F,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,0DAA0D;IAC1D,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAEtB,4DAA4D;IAC5D,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,uCAAuC;IACvC,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB,oFAAoF;IACpF,QAAQ,CAAC,EAAE,SAAS,CAAC;IAErB,iCAAiC;IACjC,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAEnC,6BAA6B;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,4BAA4B;IAC5B,GAAG,CAAC,EAAE,iBAAiB,CAAC,KAAK,CAAC,CAAC;IAE/B,gDAAgD;IAChD,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,iEAAiE;IACjE,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAE1C;;;;;OAKG;IACH,OAAO,CAAC,EAAE,YAAY,GAAG,YAAY,EAAE,CAAC;IAExC;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IAEpC;;;;OAIG;IACH,cAAc,CAAC,EAAE,aAAa,CAAC;IAE/B;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,eAAe,CAAC;IAEnC,qCAAqC;IACrC,UAAU,EAAE,UAAU,CAAC;IAEvB,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;IAEZ,iDAAiD;IACjD,SAAS,CAAC,EAAE,aAAa,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,gCAAgC;IAChC,GAAG,EAAE,MAAM,CAAC;IAEZ,+CAA+C;IAC/C,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;CAC3C;AAED;;;;GAIG;AACH,qBAAa,UAAW,SAAQ,KAAK;IACnC,+BAA+B;IAC/B,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;gBAElB,SAAS,EAAE,SAAS;CAMjC;AAED;;;;;;;;;GASG;AACH,wBAAsB,KAAK,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC,CAmLvE;AAED;;;;;;;;GAQG;AACH,wBAAsB,QAAQ,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,CAGrE;AAMD;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,GAAG,EAAE,MAAM,CAAC;IAEZ,iDAAiD;IACjD,IAAI,EAAE,UAAU,GAAG,WAAW,CAAC;IAE/B;;;OAGG;IACH,IAAI,EAAE,MAAM,CAAC;IAEb,qCAAqC;IACrC,UAAU,EAAE,UAAU,CAAC;IAEvB,sDAAsD;IACtD,GAAG,EAAE,MAAM,CAAC;IAEZ;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,oDAAoD;IACpD,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;;OAGG;IACH,OAAO,CAAC,EAAE,cAAc,EAAE,CAAC;IAE3B;;;OAGG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB,wDAAwD;IACxD,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAE1B;;;OAGG;IACH,MAAM,CAAC,EAAE,WAAW,CAAC;IAErB,mEAAmE;IACnE,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACtC;AAED;;;;;;;;;GASG;AACH,wBAAsB,WAAW,CAAC,OAAO,EAAE,kBAAkB,GAAG,OAAO,CAAC,WAAW,CAAC,CAyDnF"}
package/dist/verify-local-wire01.d.ts ADDED
@@ -0,0 +1,45 @@
1
+ /**
2
+ * Wire 0.1 receipt verification (internal-only)
3
+ *
4
+ * Extracted from verify-local.ts for Wire 0.1 isolation.
5
+ * This function is NOT exported from @peac/protocol barrel (src/index.ts).
6
+ * It exists for internal test migration and programmatic migration tooling only.
7
+ *
8
+ * For new code, use verifyLocal() which is Wire 0.2 only.
9
+ */
10
+ import type { VerificationWarning } from '@peac/kernel';
11
+ import { type ReceiptClaimsType, type AttestationReceiptClaims } from '@peac/schema';
12
+ import type { PolicyBindingStatus } from './verifier-types';
13
+ import type { VerifyLocalFailure, VerifyLocalOptions } from './verify-local';
14
+ /**
15
+ * Result of successful Wire 0.1 local verification
16
+ */
17
+ export type VerifyLocalWire01Success = {
18
+ valid: true;
19
+ variant: 'commerce';
20
+ claims: ReceiptClaimsType;
21
+ kid: string;
22
+ wireVersion: '0.1';
23
+ warnings: VerificationWarning[];
24
+ policy_binding: PolicyBindingStatus;
25
+ } | {
26
+ valid: true;
27
+ variant: 'attestation';
28
+ claims: AttestationReceiptClaims;
29
+ kid: string;
30
+ wireVersion: '0.1';
31
+ warnings: VerificationWarning[];
32
+ policy_binding: PolicyBindingStatus;
33
+ };
34
+ /**
35
+ * Union type for Wire 0.1 local verification result
36
+ */
37
+ export type VerifyLocalWire01Result = VerifyLocalWire01Success | VerifyLocalFailure;
38
+ /**
39
+ * Verify a Wire 0.1 PEAC receipt locally with a known public key.
40
+ *
41
+ * Internal-only: NOT barrel-exported from @peac/protocol.
42
+ * For new code, use verifyLocal() (Wire 0.2 only).
43
+ */
44
+ export declare function verifyLocalWire01(jws: string, publicKey: Uint8Array, options?: VerifyLocalOptions): Promise<VerifyLocalWire01Result>;
45
+ //# sourceMappingURL=verify-local-wire01.d.ts.map
package/dist/verify-local-wire01.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"verify-local-wire01.d.ts","sourceRoot":"","sources":["../src/verify-local-wire01.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,EAA0B,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAChF,OAAO,EAGL,KAAK,iBAAiB,EACtB,KAAK,wBAAwB,EAC9B,MAAM,cAAc,CAAC;AACtB,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AAC5D,OAAO,KAAK,EAAwB,kBAAkB,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAC;AAEnG;;GAEG;AACH,MAAM,MAAM,wBAAwB,GAChC;IACE,KAAK,EAAE,IAAI,CAAC;IACZ,OAAO,EAAE,UAAU,CAAC;IACpB,MAAM,EAAE,iBAAiB,CAAC;IAC1B,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,EAAE,KAAK,CAAC;IACnB,QAAQ,EAAE,mBAAmB,EAAE,CAAC;IAChC,cAAc,EAAE,mBAAmB,CAAC;CACrC,GACD;IACE,KAAK,EAAE,IAAI,CAAC;IACZ,OAAO,EAAE,aAAa,CAAC;IACvB,MAAM,EAAE,wBAAwB,CAAC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,WAAW,EAAE,KAAK,CAAC;IACnB,QAAQ,EAAE,mBAAmB,EAAE,CAAC;IAChC,cAAc,EAAE,mBAAmB,CAAC;CACrC,CAAC;AAEN;;GAEG;AACH,MAAM,MAAM,uBAAuB,GAAG,wBAAwB,GAAG,kBAAkB,CAAC;AAoDpF;;;;;GAKG;AACH,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,UAAU,EACrB,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,uBAAuB,CAAC,CAqNlC"}
package/dist/verify-local.cjs CHANGED
@@ -30,16 +30,7 @@ function sanitizeParseIssues(issues) {
30
30
  }));
31
31
  }
32
32
  async function verifyLocal(jws, publicKey, options = {}) {
33
- const {
34
- issuer,
35
- audience,
36
- subjectUri,
37
- rid,
38
- requireExp = false,
39
- maxClockSkew = 300,
40
- strictness = "strict",
41
- policyDigest
42
- } = options;
33
+ const { issuer, subjectUri, maxClockSkew = 300, strictness = "strict", policyDigest } = options;
43
34
  const now = options.now ?? Math.floor(Date.now() / 1e3);
44
35
  try {
45
36
  const result = await crypto.verify(jws, publicKey);
@@ -171,86 +162,11 @@ async function verifyLocal(jws, publicKey, options = {}) {
171
162
  policy_binding: bindingStatus
172
163
  };
173
164
  }
174
- const w01 = pr.claims;
175
- if (issuer !== void 0 && w01.iss !== issuer) {
176
- return {
177
- valid: false,
178
- code: "E_INVALID_ISSUER",
179
- message: `Issuer mismatch: expected "${issuer}", got "${w01.iss}"`
180
- };
181
- }
182
- if (audience !== void 0 && w01.aud !== audience) {
183
- return {
184
- valid: false,
185
- code: "E_INVALID_AUDIENCE",
186
- message: `Audience mismatch: expected "${audience}", got "${w01.aud}"`
187
- };
188
- }
189
- if (rid !== void 0 && w01.rid !== rid) {
190
- return {
191
- valid: false,
192
- code: "E_INVALID_RECEIPT_ID",
193
- message: `Receipt ID mismatch: expected "${rid}", got "${w01.rid}"`
194
- };
195
- }
196
- if (requireExp && w01.exp === void 0) {
197
- return {
198
- valid: false,
199
- code: "E_MISSING_EXP",
200
- message: "Receipt missing required exp claim"
201
- };
202
- }
203
- if (w01.iat > now + maxClockSkew) {
204
- return {
205
- valid: false,
206
- code: "E_NOT_YET_VALID",
207
- message: `Receipt not yet valid: issued at ${new Date(w01.iat * 1e3).toISOString()}, now is ${new Date(now * 1e3).toISOString()}`
208
- };
209
- }
210
- if (w01.exp !== void 0 && w01.exp < now - maxClockSkew) {
211
- return {
212
- valid: false,
213
- code: "E_EXPIRED",
214
- message: `Receipt expired at ${new Date(w01.exp * 1e3).toISOString()}`
215
- };
216
- }
217
- if (pr.variant === "commerce") {
218
- const claims = pr.claims;
219
- if (subjectUri !== void 0 && claims.subject?.uri !== subjectUri) {
220
- return {
221
- valid: false,
222
- code: "E_INVALID_SUBJECT",
223
- message: `Subject mismatch: expected "${subjectUri}", got "${claims.subject?.uri ?? "undefined"}"`
224
- };
225
- }
226
- return {
227
- valid: true,
228
- variant: "commerce",
229
- claims,
230
- kid: result.header.kid,
231
- wireVersion: "0.1",
232
- warnings: [],
233
- policy_binding: "unavailable"
234
- };
235
- } else {
236
- const claims = pr.claims;
237
- if (subjectUri !== void 0 && claims.sub !== subjectUri) {
238
- return {
239
- valid: false,
240
- code: "E_INVALID_SUBJECT",
241
- message: `Subject mismatch: expected "${subjectUri}", got "${claims.sub ?? "undefined"}"`
242
- };
243
- }
244
- return {
245
- valid: true,
246
- variant: "attestation",
247
- claims,
248
- kid: result.header.kid,
249
- wireVersion: "0.1",
250
- warnings: [],
251
- policy_binding: "unavailable"
252
- };
253
- }
165
+ return {
166
+ valid: false,
167
+ code: "E_UNSUPPORTED_WIRE_VERSION",
168
+ message: "Wire 0.1 receipts are not supported. Re-issue as Wire 0.2 using issueWire02()."
169
+ };
254
170
  } catch (err) {
255
171
  if (isCryptoError(err)) {
256
172
  if (Object.prototype.hasOwnProperty.call(JOSE_CODE_MAP, err.code)) {
@@ -299,10 +215,10 @@ async function verifyLocal(jws, publicKey, options = {}) {
299
215
  }
300
216
  }
301
217
  function isCommerceResult(r) {
302
- return r.valid === true && r.variant === "commerce";
218
+ return false;
303
219
  }
304
220
  function isAttestationResult(r) {
305
- return r.valid === true && r.variant === "attestation";
221
+ return false;
306
222
  }
307
223
  function isWire02Result(r) {
308
224
  return r.valid === true && r.variant === "wire-02";
package/dist/verify-local.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/verify-local.ts"],"names":["jwsVerify","WARNING_TYP_MISSING","validateKernelConstraints","parseReceiptClaims","checkOccurredAtSkew","REGISTERED_RECEIPT_TYPES","WARNING_TYPE_UNREGISTERED","REGISTERED_EXTENSION_GROUP_KEYS","isValidExtensionKey","WARNING_UNKNOWN_EXTENSION","HASH","verifyPolicyBinding","sortWarnings"],"mappings":";;;;;;;AAyCA,SAAS,cAAc,GAAA,EAAsC;AAC3D,EAAA,OACE,GAAA,KAAQ,IAAA,IACR,OAAO,GAAA,KAAQ,QAAA,IACf,UAAU,GAAA,IACV,GAAA,CAAI,IAAA,KAAS,aAAA,IACb,MAAA,IAAU,GAAA,IACV,OAAO,GAAA,CAAI,IAAA,KAAS,QAAA,IACpB,GAAA,CAAI,IAAA,CAAK,UAAA,CAAW,SAAS,CAAA,IAC7B,SAAA,IAAa,GAAA,IACb,OAAO,GAAA,CAAI,OAAA,KAAY,QAAA;AAE3B;AAsOA,IAAM,kBAAA,uBAAyB,GAAA,CAAI;AAAA,EACjC,2BAAA;AAAA,EACA,oBAAA;AAAA,EACA,oBAAA;AAAA,EACA;AACF,CAAC,CAAA;AASD,IAAM,aAAA,GAAsD;AAAA,EAC1D,uBAAA,EAAyB,oBAAA;AAAA,EACzB,wBAAA,EAA0B,qBAAA;AAAA,EAC1B,sBAAA,EAAwB,mBAAA;AAAA,EACxB,uBAAA,EAAyB,oBAAA;AAAA,EACzB,uBAAA,EAAyB;AAC3B,CAAA;AAGA,IAAM,gBAAA,GAAmB,EAAA;AAMzB,SAAS,oBACP,MAAA,EAC8D;AAC9D,EAAA,IAAI,CAAC,KAAA,CAAM,OAAA,CAAQ,MAAM,GAAG,OAAO,MAAA;AACnC,EAAA,OAAO,OAAO,KAAA,CAAM,CAAA,EAAG,gBAAgB,CAAA,CAAE,GAAA,CAAI,CAAC,KAAA,MAAW;AAAA,IACvD,IAAA,EAAM,KAAA,CAAM,OAAA,CAAQ,KAAA,EAAO,IAAI,IAAI,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,GAAG,CAAA,GAAI,EAAA;AAAA,IAC1D,OAAA,EAAS,OAAO,KAAA,EAAO,OAAA,KAAY,WAAW,KAAA,CAAM,OAAA,GAAU,OAAO,KAAK;AAAA,GAC5E,CAAE,CAAA;AACJ;AAiCA,eAAsB,WAAA,CACpB,GAAA,EACA,SAAA,EACA,OAAA,GAA8B,EAAC,EACH;AAC5B,EAAA,MAAM;AAAA,IACJ,MAAA;AAAA,IACA,QAAA;AAAA,IACA,UAAA;AAAA,IACA,GAAA;AAAA,IACA,UAAA,GAAa,KAAA;AAAA,IACb,YAAA,GAAe,GAAA;AAAA,IACf,UAAA,GAAa,QAAA;AAAA,IACb;AAAA,GACF,GAAI,OAAA;AACJ,EAAA,MAAM,GAAA,GAAM,QAAQ,GAAA,IAAO,IAAA,CAAK,MAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AAEvD,EAAA,IAAI;AAEF,IAAA,MAAM,MAAA,GAAS,MAAMA,aAAA,CAAmB,GAAA,EAAK,SAAS,CAAA;AAEtD,IAAA,IAAI,CAAC,OAAO,KAAA,EAAO;AACjB,MAAA,OAAO;AAAA,QACL,KAAA,EAAO,KAAA;AAAA,QACP,IAAA,EAAM,qBAAA;AAAA,QACN,OAAA,EAAS;AAAA,OACX;AAAA,IACF;AAGA,IAAA,MAAM,sBAA6C,EAAC;AAGpD,IAAA,IAAI,MAAA,CAAO,MAAA,CAAO,GAAA,KAAQ,KAAA,CAAA,EAAW;AACnC,MAAA,IAAI,eAAe,QAAA,EAAU;AAC3B,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,IAAA,EAAM,kBAAA;AAAA,UACN,OAAA,EAAS;AAAA,SACX;AAAA,MACF;AAEA,MAAA,mBAAA,CAAoB,IAAA,CAAK;AAAA,QACvB,IAAA,EAAMC,0BAAA;AAAA,QACN,OAAA,EAAS;AAAA,OACV,CAAA;AAAA,IACH;AAGA,IAAA,MAAM,gBAAA,GAAmBC,gCAAA,CAA0B,MAAA,CAAO,OAAO,CAAA;AACjE,IAAA,IAAI,CAAC,iBAAiB,KAAA,EAAO;AAC3B,MAAA,MAAM,CAAA,GAAI,gBAAA,CAAiB,UAAA,CAAW,CAAC,CAAA;AACvC,MAAA,OAAO;AAAA,QACL,KAAA,EAAO,KAAA;AAAA,QACP,IAAA,EAAM,wBAAA;AAAA,QACN,OAAA,EAAS,+BAA+B,CAAA,CAAE,UAAU,aAAa,CAAA,CAAE,MAAM,CAAA,SAAA,EAAY,CAAA,CAAE,KAAK,CAAA,CAAA;AAAA,OAC9F;AAAA,IACF;AAGA,IAAA,MAAM,EAAA,GAAKC,yBAAA,CAAmB,MAAA,CAAO,OAAO,CAAA;AAE5C,IAAA,IAAI,CAAC,GAAG,EAAA,EAAI;AACV,MAAA,OAAO;AAAA,QACL,KAAA,EAAO,KAAA;AAAA,QACP,IAAA,EAAM,kBAAA;AAAA,QACN,OAAA,EAAS,CAAA,kCAAA,EAAqC,EAAA,CAAG,KAAA,CAAM,OAAO,CAAA,CAAA;AAAA,QAC9D,OAAA,EAAS,EAAE,UAAA,EAAY,EAAA,CAAG,KAAA,CAAM,IAAA,EAAM,MAAA,EAAQ,mBAAA,CAAoB,EAAA,CAAG,KAAA,CAAM,MAAM,CAAA;AAAE,OACrF;AAAA,IACF;AAGA,IAAA,IAAI,EAAA,CAAG,gBAAgB,KAAA,EAAO;AAC5B,MAAA,mBAAA,CAAoB,IAAA,CAAK,GAAG,EAAA,CAAG,QAAQ,CAAA;AAAA,IACzC;AAGA,IAAA,IAAI,EAAA,CAAG,gBAAgB,KAAA,EAAO;AAC5B,MAAA,MAAM,SAAS,EAAA,CAAG,MAAA;AAGlB,MAAA,IAAI,MAAA,KAAW,KAAA,CAAA,IAAa,MAAA,CAAO,GAAA,KAAQ,MAAA,EAAQ;AACjD,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,IAAA,EAAM,kBAAA;AAAA,UACN,OAAA,EAAS,CAAA,2BAAA,EAA8B,MAAM,CAAA,QAAA,EAAW,OAAO,GAAG,CAAA,CAAA;AAAA,SACpE;AAAA,MACF;AAGA,MAAA,IAAI,UAAA,KAAe,KAAA,CAAA,IAAa,MAAA,CAAO,GAAA,KAAQ,UAAA,EAAY;AACzD,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,IAAA,EAAM,mBAAA;AAAA,UACN,SAAS,CAAA,4BAAA,EAA+B,UAAU,CAAA,QAAA,EAAW,MAAA,CAAO,OAAO,WAAW,CAAA,CAAA;AAAA,SACxF;AAAA,MACF;AAGA,MAAA,IAAI,MAAA,CAAO,GAAA,GAAM,GAAA,GAAM,YAAA,EAAc;AACnC,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,IAAA,EAAM,iBAAA;AAAA,UACN,SAAS,CAAA,iCAAA,EAAoC,IAAI,IAAA,CAAK,MAAA,CAAO,MAAM,GAAI,CAAA,CAAE,WAAA,EAAa,YAAY,IAAI,IAAA,CAAK,MAAM,GAAI,CAAA,CAAE,aAAa,CAAA;AAAA,SACtI;AAAA,MACF;AAGA,MAAA,IAAI,MAAA,CAAO,SAAS,UAAA,EAAY;AAC9B,QAAA,MAAM,aAAaC,0BAAA,CAAoB,MAAA,CAAO,aAAa,MAAA,CAAO,GAAA,EAAK,KAAK,YAAY,CAAA;AACxF,QAAA,IAAI,eAAe,cAAA,EAAgB;AACjC,UAAA,OAAO;AAAA,YACL,KAAA,EAAO,KAAA;AAAA,YACP,IAAA,EAAM,sBAAA;AAAA,YACN,OAAA,EAAS,kDAAkD,YAAY,CAAA,EAAA;AAAA,WACzE;AAAA,QACF;AACA,QAAA,IAAI,eAAe,IAAA,EAAM;AACvB,UAAA,mBAAA,CAAoB,KAAK,UAAU,CAAA;AAAA,QACrC;AAAA,MACF;AAGA,MAAA,IAAI,CAACC,+BAAA,CAAyB,GAAA,CAAI,MAAA,CAAO,IAAI,CAAA,EAAG;AAC9C,QAAA,mBAAA,CAAoB,IAAA,CAAK;AAAA,UACvB,IAAA,EAAMC,gCAAA;AAAA,UACN,OAAA,EAAS,sDAAA;AAAA,UACT,OAAA,EAAS;AAAA,SACV,CAAA;AAAA,MACH;AAIA,MAAA,IAAI,MAAA,CAAO,eAAe,KAAA,CAAA,EAAW;AACnC,QAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,UAAU,CAAA,EAAG;AAChD,UAAA,IAAI,CAACC,sCAAA,CAAgC,GAAA,CAAI,GAAG,CAAA,IAAKC,0BAAA,CAAoB,GAAG,CAAA,EAAG;AAEzE,YAAA,MAAM,UAAA,GAAa,IAAI,OAAA,CAAQ,IAAA,EAAM,IAAI,CAAA,CAAE,OAAA,CAAQ,OAAO,IAAI,CAAA;AAC9D,YAAA,mBAAA,CAAoB,IAAA,CAAK;AAAA,cACvB,IAAA,EAAMC,gCAAA;AAAA,cACN,OAAA,EAAS,2DAAA;AAAA,cACT,OAAA,EAAS,eAAe,UAAU,CAAA;AAAA,aACnC,CAAA;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAGA,MAAA,IAAI,iBAAiB,KAAA,CAAA,IAAa,CAACC,YAAK,OAAA,CAAQ,IAAA,CAAK,YAAY,CAAA,EAAG;AAClE,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,IAAA,EAAM,kBAAA;AAAA,UACN,OAAA,EAAS;AAAA,SACX;AAAA,MACF;AAKA,MAAA,MAAM,mBAAA,GAAsB,OAAO,MAAA,EAAQ,MAAA;AAC3C,MAAA,MAAM,aAAA,GACJ,wBAAwB,KAAA,CAAA,IAAa,YAAA,KAAiB,SAClD,aAAA,GACAC,0BAAA,CAAoB,qBAAqB,YAAY,CAAA;AAC3D,MAAA,IAAI,kBAAkB,QAAA,EAAU;AAC9B,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,IAAA,EAAM,yBAAA;AAAA,UACN,OAAA,EAAS,gFAAA;AAAA,UACT,OAAA,EAAS;AAAA,YACP,qBAAA,EAAuB,mBAAA;AAAA,YACvB,mBAAA,EAAqB,YAAA;AAAA,YACrB,GAAI,OAAO,MAAA,EAAQ,GAAA,KAAQ,UAAa,EAAE,UAAA,EAAY,MAAA,CAAO,MAAA,CAAO,GAAA;AAAI;AAC1E,SACF;AAAA,MACF;AAEA,MAAA,OAAO;AAAA,QACL,KAAA,EAAO,IAAA;AAAA,QACP,OAAA,EAAS,SAAA;AAAA,QACT,MAAA;AAAA,QACA,GAAA,EAAK,OAAO,MAAA,CAAO,GAAA;AAAA,QACnB,WAAA,EAAa,KAAA;AAAA,QACb,QAAA,EAAUC,oBAAa,mBAAmB,CAAA;AAAA,QAC1C,cAAA,EAAgB;AAAA,OAClB;AAAA,IACF;AAOA,IAAA,MAAM,MAAM,EAAA,CAAG,MAAA;AAGf,IAAA,IAAI,MAAA,KAAW,KAAA,CAAA,IAAa,GAAA,CAAI,GAAA,KAAQ,MAAA,EAAQ;AAC9C,MAAA,OAAO;AAAA,QACL,KAAA,EAAO,KAAA;AAAA,QACP,IAAA,EAAM,kBAAA;AAAA,QACN,OAAA,EAAS,CAAA,2BAAA,EAA8B,MAAM,CAAA,QAAA,EAAW,IAAI,GAAG,CAAA,CAAA;AAAA,OACjE;AAAA,IACF;AAEA,IAAA,IAAI,QAAA,KAAa,KAAA,CAAA,IAAa,GAAA,CAAI,GAAA,KAAQ,QAAA,EAAU;AAClD,MAAA,OAAO;AAAA,QACL,KAAA,EAAO,KAAA;AAAA,QACP,IAAA,EAAM,oBAAA;AAAA,QACN,OAAA,EAAS,CAAA,6BAAA,EAAgC,QAAQ,CAAA,QAAA,EAAW,IAAI,GAAG,CAAA,CAAA;AAAA,OACrE;AAAA,IACF;AAEA,IAAA,IAAI,GAAA,KAAQ,KAAA,CAAA,IAAa,GAAA,CAAI,GAAA,KAAQ,GAAA,EAAK;AACxC,MAAA,OAAO;AAAA,QACL,KAAA,EAAO,KAAA;AAAA,QACP,IAAA,EAAM,sBAAA;AAAA,QACN,OAAA,EAAS,CAAA,+BAAA,EAAkC,GAAG,CAAA,QAAA,EAAW,IAAI,GAAG,CAAA,CAAA;AAAA,OAClE;AAAA,IACF;AAEA,IAAA,IAAI,UAAA,IAAc,GAAA,CAAI,GAAA,KAAQ,KAAA,CAAA,EAAW;AACvC,MAAA,OAAO;AAAA,QACL,KAAA,EAAO,KAAA;AAAA,QACP,IAAA,EAAM,eAAA;AAAA,QACN,OAAA,EAAS;AAAA,OACX;AAAA,IACF;AAEA,IAAA,IAAI,GAAA,CAAI,GAAA,GAAM,GAAA,GAAM,YAAA,EAAc;AAChC,MAAA,OAAO;AAAA,QACL,KAAA,EAAO,KAAA;AAAA,QACP,IAAA,EAAM,iBAAA;AAAA,QACN,SAAS,CAAA,iCAAA,EAAoC,IAAI,IAAA,CAAK,GAAA,CAAI,MAAM,GAAI,CAAA,CAAE,WAAA,EAAa,YAAY,IAAI,IAAA,CAAK,MAAM,GAAI,CAAA,CAAE,aAAa,CAAA;AAAA,OACnI;AAAA,IACF;AAEA,IAAA,IAAI,IAAI,GAAA,KAAQ,KAAA,CAAA,IAAa,GAAA,CAAI,GAAA,GAAM,MAAM,YAAA,EAAc;AACzD,MAAA,OAAO;AAAA,QACL,KAAA,EAAO,KAAA;AAAA,QACP,IAAA,EAAM,WAAA;AAAA,QACN,OAAA,EAAS,sBAAsB,IAAI,IAAA,CAAK,IAAI,GAAA,GAAM,GAAI,CAAA,CAAE,WAAA,EAAa,CAAA;AAAA,OACvE;AAAA,IACF;AAGA,IAAA,IAAI,EAAA,CAAG,YAAY,UAAA,EAAY;AAC7B,MAAA,MAAM,SAAS,EAAA,CAAG,MAAA;AAClB,MAAA,IAAI,UAAA,KAAe,KAAA,CAAA,IAAa,MAAA,CAAO,OAAA,EAAS,QAAQ,UAAA,EAAY;AAClE,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,IAAA,EAAM,mBAAA;AAAA,UACN,SAAS,CAAA,4BAAA,EAA+B,UAAU,WAAW,MAAA,CAAO,OAAA,EAAS,OAAO,WAAW,CAAA,CAAA;AAAA,SACjG;AAAA,MACF;AACA,MAAA,OAAO;AAAA,QACL,KAAA,EAAO,IAAA;AAAA,QACP,OAAA,EAAS,UAAA;AAAA,QACT,MAAA;AAAA,QACA,GAAA,EAAK,OAAO,MAAA,CAAO,GAAA;AAAA,QACnB,WAAA,EAAa,KAAA;AAAA,QACb,UAAU,EAAC;AAAA,QACX,cAAA,EAAgB;AAAA,OAClB;AAAA,IACF,CAAA,MAAO;AACL,MAAA,MAAM,SAAS,EAAA,CAAG,MAAA;AAClB,MAAA,IAAI,UAAA,KAAe,KAAA,CAAA,IAAa,MAAA,CAAO,GAAA,KAAQ,UAAA,EAAY;AACzD,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,IAAA,EAAM,mBAAA;AAAA,UACN,SAAS,CAAA,4BAAA,EAA+B,UAAU,CAAA,QAAA,EAAW,MAAA,CAAO,OAAO,WAAW,CAAA,CAAA;AAAA,SACxF;AAAA,MACF;AACA,MAAA,OAAO;AAAA,QACL,KAAA,EAAO,IAAA;AAAA,QACP,OAAA,EAAS,aAAA;AAAA,QACT,MAAA;AAAA,QACA,GAAA,EAAK,OAAO,MAAA,CAAO,GAAA;AAAA,QACnB,WAAA,EAAa,KAAA;AAAA,QACb,UAAU,EAAC;AAAA,QACX,cAAA,EAAgB;AAAA,OAClB;AAAA,IACF;AAAA,EACF,SAAS,GAAA,EAAK;AAMZ,IAAA,IAAI,aAAA,CAAc,GAAG,CAAA,EAAG;AAEtB,MAAA,IAAI,OAAO,SAAA,CAAU,cAAA,CAAe,KAAK,aAAA,EAAe,GAAA,CAAI,IAAI,CAAA,EAAG;AACjE,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,IAAA,EAAM,aAAA,CAAc,GAAA,CAAI,IAAI,CAAA;AAAA,UAC5B,SAAS,GAAA,CAAI;AAAA,SACf;AAAA,MACF;AAEA,MAAA,IAAI,kBAAA,CAAmB,GAAA,CAAI,GAAA,CAAI,IAAI,CAAA,EAAG;AACpC,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,IAAA,EAAM,kBAAA;AAAA,UACN,SAAS,GAAA,CAAI;AAAA,SACf;AAAA,MACF;AACA,MAAA,IAAI,GAAA,CAAI,SAAS,0BAAA,EAA4B;AAC3C,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,IAAA,EAAM,qBAAA;AAAA,UACN,SAAS,GAAA,CAAI;AAAA,SACf;AAAA,MACF;AACA,MAAA,IAAI,GAAA,CAAI,SAAS,8BAAA,EAAgC;AAC/C,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,IAAA,EAAM,yBAAA;AAAA,UACN,SAAS,GAAA,CAAI;AAAA,SACf;AAAA,MACF;AAAA,IACF;AAIA,IAAA,IACE,GAAA,KAAQ,QACR,OAAO,GAAA,KAAQ,YACf,MAAA,IAAU,GAAA,IACT,GAAA,CAA0B,IAAA,KAAS,aAAA,EACpC;AACA,MAAA,MAAM,aAAA,GACJ,aAAa,GAAA,IAAO,OAAQ,IAA6B,OAAA,KAAY,QAAA,GAChE,IAA4B,OAAA,GAC7B,cAAA;AACN,MAAA,OAAO;AAAA,QACL,KAAA,EAAO,KAAA;AAAA,QACP,IAAA,EAAM,kBAAA;AAAA,QACN,OAAA,EAAS,4BAA4B,aAAa,CAAA;AAAA,OACpD;AAAA,IACF;AAIA,IAAA,MAAM,UAAU,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,OAAO,GAAG,CAAA;AAC/D,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,kCAAkC,OAAO,CAAA;AAAA,KACpD;AAAA,EACF;AACF;AAQO,SAAS,iBACd,CAAA,EACmD;AACnD,EAAA,OAAO,CAAA,CAAE,KAAA,KAAU,IAAA,IAAQ,CAAA,CAAE,OAAA,KAAY,UAAA;AAC3C;AAQO,SAAS,oBACd,CAAA,EACsD;AACtD,EAAA,OAAO,CAAA,CAAE,KAAA,KAAU,IAAA,IAAQ,CAAA,CAAE,OAAA,KAAY,aAAA;AAC3C;AAQO,SAAS,eACd,CAAA,EACkD;AAClD,EAAA,OAAO,CAAA,CAAE,KAAA,KAAU,IAAA,IAAQ,CAAA,CAAE,OAAA,KAAY,SAAA;AAC3C","file":"verify-local.cjs","sourcesContent":["/**\n * Local receipt verification with schema validation\n *\n * Use this for verifying receipts when you have the public key locally,\n * without JWKS discovery.\n */\n\nimport { verify as jwsVerify } from '@peac/crypto';\nimport { type VerificationStrictness, type VerificationWarning, HASH } from '@peac/kernel';\nimport {\n parseReceiptClaims,\n validateKernelConstraints,\n type ReceiptClaimsType,\n type AttestationReceiptClaims,\n type Wire02Claims,\n checkOccurredAtSkew,\n sortWarnings,\n WARNING_TYP_MISSING,\n WARNING_TYPE_UNREGISTERED,\n WARNING_UNKNOWN_EXTENSION,\n REGISTERED_RECEIPT_TYPES,\n REGISTERED_EXTENSION_GROUP_KEYS,\n isValidExtensionKey,\n verifyPolicyBinding,\n} from '@peac/schema';\nimport type { PolicyBindingStatus } from './verifier-types';\n\n/**\n * Structural type for CryptoError\n * Used instead of instanceof for robustness across ESM/CJS boundaries\n */\ninterface CryptoErrorLike {\n name: 'CryptoError';\n code: string;\n message: string;\n}\n\n/**\n * Structural check for CryptoError\n * More robust than instanceof across module boundaries (ESM/CJS, duplicate packages)\n */\nfunction isCryptoError(err: unknown): err is CryptoErrorLike {\n return (\n err !== null &&\n typeof err === 'object' &&\n 'name' in err &&\n err.name === 'CryptoError' &&\n 'code' in err &&\n typeof err.code === 'string' &&\n err.code.startsWith('CRYPTO_') &&\n 'message' in err &&\n typeof err.message === 'string'\n );\n}\n\n/**\n * Canonical error codes for local verification\n *\n * These map to E_* codes in specs/kernel/errors.json.\n * JOSE hardening codes (E_JWS_*) are distinct from generic E_INVALID_FORMAT\n * so callers can distinguish key-injection, compression, and crit attacks from\n * ordinary format errors (v0.12.0-preview.1, DD-156).\n */\nexport type VerifyLocalErrorCode =\n | 'E_INVALID_SIGNATURE'\n | 'E_INVALID_FORMAT'\n | 'E_CONSTRAINT_VIOLATION'\n | 'E_EXPIRED'\n | 'E_NOT_YET_VALID'\n | 'E_INVALID_ISSUER'\n | 'E_INVALID_AUDIENCE'\n | 'E_INVALID_SUBJECT'\n | 'E_INVALID_RECEIPT_ID'\n | 'E_MISSING_EXP'\n | 'E_WIRE_VERSION_MISMATCH'\n | 'E_UNSUPPORTED_WIRE_VERSION'\n | 'E_OCCURRED_AT_FUTURE'\n // JOSE hardening codes (Wire 0.2, v0.12.0-preview.1, DD-156)\n | 'E_JWS_EMBEDDED_KEY'\n | 'E_JWS_CRIT_REJECTED'\n | 'E_JWS_MISSING_KID'\n | 'E_JWS_B64_REJECTED'\n | 'E_JWS_ZIP_REJECTED'\n // Policy binding (Wire 0.2, v0.12.0-preview.1, DD-151)\n | 'E_POLICY_BINDING_FAILED'\n | 'E_INTERNAL';\n\n/**\n * Options for local verification\n */\nexport interface VerifyLocalOptions {\n /**\n * Expected issuer URL\n *\n * If provided, verification fails if receipt.iss does not match.\n */\n issuer?: string;\n\n /**\n * Expected audience URL\n *\n * If provided, verification fails if receipt.aud does not match.\n */\n audience?: string;\n\n /**\n * Expected subject URI\n *\n * If provided, verification fails if receipt.subject.uri does not match.\n * Binds the receipt to a specific resource/interaction target.\n */\n subjectUri?: string;\n\n /**\n * Expected receipt ID (rid)\n *\n * If provided, verification fails if receipt.rid does not match.\n * Useful for idempotency checks or correlating with prior receipts.\n */\n rid?: string;\n\n /**\n * Require expiration claim\n *\n * If true, receipts without exp claim are rejected.\n * Defaults to false.\n */\n requireExp?: boolean;\n\n /**\n * Current timestamp (Unix seconds)\n *\n * Defaults to Date.now() / 1000. Override for testing.\n */\n now?: number;\n\n /**\n * Maximum clock skew tolerance (seconds)\n *\n * Allows for clock drift between issuer and verifier.\n * Defaults to 300 (5 minutes).\n */\n maxClockSkew?: number;\n\n /**\n * Verification strictness profile (v0.12.0-preview.1, DD-156).\n *\n * - 'strict' (default): missing typ is a hard error before schema validation.\n * - 'interop': missing typ emits a 'typ_missing' warning and routes by payload content.\n *\n * Strictness is EXCLUSIVELY controlled here (@peac/protocol). @peac/crypto has no strictness param.\n */\n strictness?: VerificationStrictness;\n\n /**\n * Pre-computed local policy digest for policy binding (Wire 0.2, v0.12.0-preview.1, DD-151).\n *\n * Must be in 'sha256:<64 lowercase hex>' format, computed via computePolicyDigestJcs()\n * from @peac/protocol. When provided alongside a receipt that contains a policy block\n * (policy.digest), the binding check is performed:\n * - Match: policy_binding = 'verified'\n * - Mismatch: hard fail with E_POLICY_BINDING_FAILED\n * - Either absent: policy_binding = 'unavailable'\n *\n * Always 'unavailable' for Wire 0.1 receipts regardless of this option.\n */\n policyDigest?: string;\n}\n\n/**\n * Result of successful local verification\n *\n * Discriminated union on `variant` -- callers narrow claims type via variant check:\n * if (result.valid && result.variant === 'commerce') { result.claims.amt }\n * if (result.valid && result.variant === 'wire-02') { result.claims.kind }\n */\nexport type VerifyLocalSuccess =\n | {\n /** Verification succeeded */\n valid: true;\n /** Receipt variant (commerce = payment receipt) */\n variant: 'commerce';\n /** Validated commerce receipt claims */\n claims: ReceiptClaimsType;\n /** Key ID from JWS header (for logging/indexing) */\n kid: string;\n /** Wire format version */\n wireVersion: '0.1';\n /** Verification warnings (always empty for Wire 0.1) */\n warnings: VerificationWarning[];\n /**\n * Policy binding status (DD-49).\n *\n * Always 'unavailable' for Wire 0.1 receipts (no policy digest on wire).\n */\n policy_binding: PolicyBindingStatus;\n }\n | {\n /** Verification succeeded */\n valid: true;\n /** Receipt variant (attestation = non-payment) */\n variant: 'attestation';\n /** Validated attestation receipt claims */\n claims: AttestationReceiptClaims;\n /** Key ID from JWS header (for logging/indexing) */\n kid: string;\n /** Wire format version */\n wireVersion: '0.1';\n /** Verification warnings (always empty for Wire 0.1) */\n warnings: VerificationWarning[];\n /**\n * Policy binding status (DD-49).\n *\n * Always 'unavailable' for Wire 0.1 receipts.\n */\n policy_binding: PolicyBindingStatus;\n }\n | {\n /** Verification succeeded */\n valid: true;\n /** Receipt variant (wire-02 = Wire 0.2 evidence or challenge) */\n variant: 'wire-02';\n /** Validated Wire 0.2 receipt claims */\n claims: Wire02Claims;\n /** Key ID from JWS header (for logging/indexing) */\n kid: string;\n /** Wire format version */\n wireVersion: '0.2';\n /** Verification warnings from schema parsing and strictness routing */\n warnings: VerificationWarning[];\n /**\n * Policy binding status (DD-49, DD-151).\n *\n * Three-state result:\n * - 'unavailable': either the receipt contains no policy block, or the\n * caller did not pass a policyDigest option to verifyLocal(). No check.\n * - 'verified': both digests present and match exactly.\n * - 'failed': not returned on success; verifyLocal() returns\n * E_POLICY_BINDING_FAILED (valid: false) before reaching this field.\n */\n policy_binding: PolicyBindingStatus;\n };\n\n/**\n * Result of failed local verification\n */\nexport interface VerifyLocalFailure {\n /** Verification failed */\n valid: false;\n\n /** Canonical error code (maps to specs/kernel/errors.json) */\n code: VerifyLocalErrorCode;\n\n /** Human-readable error message */\n message: string;\n\n /** Structured details for debugging (stable error code preserved in `code`) */\n details?: {\n /** Precise parse error code from unified parser (e.g. E_PARSE_COMMERCE_INVALID) */\n parse_code?: string;\n /** Zod validation issues (bounded, stable shape; non-normative, may change) */\n issues?: ReadonlyArray<{ path: string; message: string }>;\n /**\n * Policy digest from the receipt (present when code is E_POLICY_BINDING_FAILED).\n * Both are SHA-256 hashes; safe to log without leaking policy content.\n */\n receipt_policy_digest?: string;\n /** Caller-supplied policy digest (present when code is E_POLICY_BINDING_FAILED). */\n local_policy_digest?: string;\n /** policy.uri hint from the receipt (present when code is E_POLICY_BINDING_FAILED and uri set). */\n policy_uri?: string;\n };\n}\n\n/**\n * Union type for local verification result\n */\nexport type VerifyLocalResult = VerifyLocalSuccess | VerifyLocalFailure;\n\n/**\n * Internal CRYPTO_* codes that map to generic E_INVALID_FORMAT.\n * These are format/encoding errors not security-specific.\n */\nconst FORMAT_ERROR_CODES = new Set([\n 'CRYPTO_INVALID_JWS_FORMAT',\n 'CRYPTO_INVALID_TYP',\n 'CRYPTO_INVALID_ALG',\n 'CRYPTO_INVALID_KEY_LENGTH',\n]);\n\n/**\n * JOSE hardening code mapping: CRYPTO_JWS_* → specific E_JWS_* (v0.12.0-preview.1, DD-156).\n *\n * Each JOSE hazard code maps to its specific public E_JWS_* counterpart rather than\n * collapsing into the generic E_INVALID_FORMAT. This lets callers distinguish embedded-key\n * injection, crit-header abuse, and unencoded-payload attacks from ordinary format errors.\n */\nconst JOSE_CODE_MAP: Record<string, VerifyLocalErrorCode> = {\n CRYPTO_JWS_EMBEDDED_KEY: 'E_JWS_EMBEDDED_KEY',\n CRYPTO_JWS_CRIT_REJECTED: 'E_JWS_CRIT_REJECTED',\n CRYPTO_JWS_MISSING_KID: 'E_JWS_MISSING_KID',\n CRYPTO_JWS_B64_REJECTED: 'E_JWS_B64_REJECTED',\n CRYPTO_JWS_ZIP_REJECTED: 'E_JWS_ZIP_REJECTED',\n};\n\n/** Max parse issues to include in details (prevents log bloat) */\nconst MAX_PARSE_ISSUES = 25;\n\n/**\n * Sanitize Zod issues into a bounded, stable structure.\n * Avoids exposing raw Zod internals or unbounded arrays in the public API.\n */\nfunction sanitizeParseIssues(\n issues: unknown\n): ReadonlyArray<{ path: string; message: string }> | undefined {\n if (!Array.isArray(issues)) return undefined;\n return issues.slice(0, MAX_PARSE_ISSUES).map((issue) => ({\n path: Array.isArray(issue?.path) ? issue.path.join('.') : '',\n message: typeof issue?.message === 'string' ? issue.message : String(issue),\n }));\n}\n\n/**\n * Verify a PEAC receipt locally with a known public key\n *\n * This function:\n * 1. Verifies the Ed25519 signature and header (typ, alg)\n * 2. Applies strictness routing for missing typ (strict: hard error; interop: warning)\n * 3. Validates the receipt schema with Zod (Wire 0.1 or Wire 0.2)\n * 4. Checks issuer/audience/subject binding (if options provided)\n * 5. Checks time validity (exp/iat with clock skew tolerance)\n * 6. For Wire 0.2: checks occurred_at skew and collects parse warnings\n *\n * Use this when you have the issuer's public key and don't need JWKS discovery.\n * For JWKS-based verification, use `verifyReceipt()` instead.\n *\n * @param jws - JWS compact serialization\n * @param publicKey - Ed25519 public key (32 bytes)\n * @param options - Optional verification options (issuer, audience, subject, clock skew, strictness)\n * @returns Typed verification result\n *\n * @example\n * ```typescript\n * const result = await verifyLocal(jws, publicKey, {\n * issuer: 'https://api.example.com',\n * strictness: 'strict',\n * });\n * if (result.valid && result.variant === 'wire-02') {\n * console.log('Kind:', result.claims.kind);\n * console.log('Warnings:', result.warnings);\n * }\n * ```\n */\nexport async function verifyLocal(\n jws: string,\n publicKey: Uint8Array,\n options: VerifyLocalOptions = {}\n): Promise<VerifyLocalResult> {\n const {\n issuer,\n audience,\n subjectUri,\n rid,\n requireExp = false,\n maxClockSkew = 300,\n strictness = 'strict',\n policyDigest,\n } = options;\n const now = options.now ?? Math.floor(Date.now() / 1000);\n\n try {\n // 1. Verify signature and header (typ, alg validated by @peac/crypto)\n const result = await jwsVerify<unknown>(jws, publicKey);\n\n if (!result.valid) {\n return {\n valid: false,\n code: 'E_INVALID_SIGNATURE',\n message: 'Ed25519 signature verification failed',\n };\n }\n\n // Accumulated warnings for Wire 0.2 path\n const accumulatedWarnings: VerificationWarning[] = [];\n\n // 2. Strictness routing for missing typ (Correction 1, DD-156)\n if (result.header.typ === undefined) {\n if (strictness === 'strict') {\n return {\n valid: false,\n code: 'E_INVALID_FORMAT',\n message: 'Missing JWS typ header: strict mode requires typ to be present',\n };\n }\n // interop mode: emit warning and continue\n accumulatedWarnings.push({\n code: WARNING_TYP_MISSING,\n message: 'JWS typ header is absent; accepted in interop mode',\n });\n }\n\n // 3. Validate structural kernel constraints (DD-121, fail-closed)\n const constraintResult = validateKernelConstraints(result.payload);\n if (!constraintResult.valid) {\n const v = constraintResult.violations[0];\n return {\n valid: false,\n code: 'E_CONSTRAINT_VIOLATION',\n message: `Kernel constraint violated: ${v.constraint} (actual: ${v.actual}, limit: ${v.limit})`,\n };\n }\n\n // 4. Validate schema (unified parser supports Wire 0.1 and Wire 0.2)\n const pr = parseReceiptClaims(result.payload);\n\n if (!pr.ok) {\n return {\n valid: false,\n code: 'E_INVALID_FORMAT',\n message: `Receipt schema validation failed: ${pr.error.message}`,\n details: { parse_code: pr.error.code, issues: sanitizeParseIssues(pr.error.issues) },\n };\n }\n\n // 5. Collect parser warnings (Wire 0.2 parser may emit type/extension warnings)\n if (pr.wireVersion === '0.2') {\n accumulatedWarnings.push(...pr.warnings);\n }\n\n // Wire 0.2 path\n if (pr.wireVersion === '0.2') {\n const claims = pr.claims as Wire02Claims;\n\n // Issuer check\n if (issuer !== undefined && claims.iss !== issuer) {\n return {\n valid: false,\n code: 'E_INVALID_ISSUER',\n message: `Issuer mismatch: expected \"${issuer}\", got \"${claims.iss}\"`,\n };\n }\n\n // Subject check\n if (subjectUri !== undefined && claims.sub !== subjectUri) {\n return {\n valid: false,\n code: 'E_INVALID_SUBJECT',\n message: `Subject mismatch: expected \"${subjectUri}\", got \"${claims.sub ?? 'undefined'}\"`,\n };\n }\n\n // iat: not-yet-valid check (with clock skew)\n if (claims.iat > now + maxClockSkew) {\n return {\n valid: false,\n code: 'E_NOT_YET_VALID',\n message: `Receipt not yet valid: issued at ${new Date(claims.iat * 1000).toISOString()}, now is ${new Date(now * 1000).toISOString()}`,\n };\n }\n\n // occurred_at skew check (evidence kind only)\n if (claims.kind === 'evidence') {\n const skewResult = checkOccurredAtSkew(claims.occurred_at, claims.iat, now, maxClockSkew);\n if (skewResult === 'future_error') {\n return {\n valid: false,\n code: 'E_OCCURRED_AT_FUTURE',\n message: `occurred_at is in the future beyond tolerance (${maxClockSkew}s)`,\n };\n }\n if (skewResult !== null) {\n accumulatedWarnings.push(skewResult);\n }\n }\n\n // Emit type_unregistered warning for valid-but-unregistered type values (DD-155)\n if (!REGISTERED_RECEIPT_TYPES.has(claims.type)) {\n accumulatedWarnings.push({\n code: WARNING_TYPE_UNREGISTERED,\n message: 'Receipt type is not in the recommended type registry',\n pointer: '/type',\n });\n }\n\n // Emit unknown_extension_preserved warnings for unrecognized-but-well-formed keys (DD-155)\n // Malformed keys are already hard errors (E_INVALID_EXTENSION_KEY) at schema layer.\n if (claims.extensions !== undefined) {\n for (const key of Object.keys(claims.extensions)) {\n if (!REGISTERED_EXTENSION_GROUP_KEYS.has(key) && isValidExtensionKey(key)) {\n // RFC 6901: '~' -> '~0', '/' -> '~1'\n const escapedKey = key.replace(/~/g, '~0').replace(/\\//g, '~1');\n accumulatedWarnings.push({\n code: WARNING_UNKNOWN_EXTENSION,\n message: 'Unknown extension key preserved without schema validation',\n pointer: `/extensions/${escapedKey}`,\n });\n }\n }\n }\n\n // Validate policyDigest option format (DD-151): must be sha256:<64 lowercase hex> if provided.\n if (policyDigest !== undefined && !HASH.pattern.test(policyDigest)) {\n return {\n valid: false,\n code: 'E_INVALID_FORMAT',\n message: 'policyDigest option must be in sha256:<64 lowercase hex> format',\n };\n }\n\n // Policy binding check (DD-151): 3-state result.\n // 'unavailable' when either receipt has no policy block or caller omitted policyDigest.\n // 'verified' / 'failed' when both are present; 'failed' is a hard verification error.\n const receiptPolicyDigest = claims.policy?.digest;\n const bindingStatus: PolicyBindingStatus =\n receiptPolicyDigest === undefined || policyDigest === undefined\n ? 'unavailable'\n : verifyPolicyBinding(receiptPolicyDigest, policyDigest);\n if (bindingStatus === 'failed') {\n return {\n valid: false,\n code: 'E_POLICY_BINDING_FAILED',\n message: 'Policy binding check failed: receipt policy digest does not match local policy',\n details: {\n receipt_policy_digest: receiptPolicyDigest,\n local_policy_digest: policyDigest,\n ...(claims.policy?.uri !== undefined && { policy_uri: claims.policy.uri }),\n },\n };\n }\n\n return {\n valid: true,\n variant: 'wire-02',\n claims,\n kid: result.header.kid,\n wireVersion: '0.2',\n warnings: sortWarnings(accumulatedWarnings),\n policy_binding: bindingStatus,\n };\n }\n\n // Wire 0.1 path (commerce or attestation)\n // Wire 0.2 receipts returned early above.\n // Both ReceiptClaimsType and AttestationReceiptClaims have: iss, aud, rid, iat, exp\n // TypeScript cannot narrow the union via wireVersion so we use a typed assertion.\n type Wire01CommonClaims = { iss: string; aud: string; rid: string; iat: number; exp?: number };\n const w01 = pr.claims as Wire01CommonClaims;\n\n // Shared binding checks (iss, aud, rid, iat, exp exist on both receipt types)\n if (issuer !== undefined && w01.iss !== issuer) {\n return {\n valid: false,\n code: 'E_INVALID_ISSUER',\n message: `Issuer mismatch: expected \"${issuer}\", got \"${w01.iss}\"`,\n };\n }\n\n if (audience !== undefined && w01.aud !== audience) {\n return {\n valid: false,\n code: 'E_INVALID_AUDIENCE',\n message: `Audience mismatch: expected \"${audience}\", got \"${w01.aud}\"`,\n };\n }\n\n if (rid !== undefined && w01.rid !== rid) {\n return {\n valid: false,\n code: 'E_INVALID_RECEIPT_ID',\n message: `Receipt ID mismatch: expected \"${rid}\", got \"${w01.rid}\"`,\n };\n }\n\n if (requireExp && w01.exp === undefined) {\n return {\n valid: false,\n code: 'E_MISSING_EXP',\n message: 'Receipt missing required exp claim',\n };\n }\n\n if (w01.iat > now + maxClockSkew) {\n return {\n valid: false,\n code: 'E_NOT_YET_VALID',\n message: `Receipt not yet valid: issued at ${new Date(w01.iat * 1000).toISOString()}, now is ${new Date(now * 1000).toISOString()}`,\n };\n }\n\n if (w01.exp !== undefined && w01.exp < now - maxClockSkew) {\n return {\n valid: false,\n code: 'E_EXPIRED',\n message: `Receipt expired at ${new Date(w01.exp * 1000).toISOString()}`,\n };\n }\n\n // Subject binding + typed return (variant-branched, no unsafe casts)\n if (pr.variant === 'commerce') {\n const claims = pr.claims as ReceiptClaimsType;\n if (subjectUri !== undefined && claims.subject?.uri !== subjectUri) {\n return {\n valid: false,\n code: 'E_INVALID_SUBJECT',\n message: `Subject mismatch: expected \"${subjectUri}\", got \"${claims.subject?.uri ?? 'undefined'}\"`,\n };\n }\n return {\n valid: true,\n variant: 'commerce',\n claims,\n kid: result.header.kid,\n wireVersion: '0.1',\n warnings: [],\n policy_binding: 'unavailable',\n };\n } else {\n const claims = pr.claims as AttestationReceiptClaims;\n if (subjectUri !== undefined && claims.sub !== subjectUri) {\n return {\n valid: false,\n code: 'E_INVALID_SUBJECT',\n message: `Subject mismatch: expected \"${subjectUri}\", got \"${claims.sub ?? 'undefined'}\"`,\n };\n }\n return {\n valid: true,\n variant: 'attestation',\n claims,\n kid: result.header.kid,\n wireVersion: '0.1',\n warnings: [],\n policy_binding: 'unavailable',\n };\n }\n } catch (err) {\n // Handle typed CryptoError from @peac/crypto\n // Use structural check instead of instanceof for robustness across ESM/CJS boundaries\n // Map internal CRYPTO_* codes to canonical E_* codes.\n // JOSE hardening codes get specific E_JWS_* (not generic E_INVALID_FORMAT) so callers\n // can distinguish key-injection attacks from ordinary encoding errors.\n if (isCryptoError(err)) {\n // 1. JOSE hardening: specific E_JWS_* codes (checked first)\n if (Object.prototype.hasOwnProperty.call(JOSE_CODE_MAP, err.code)) {\n return {\n valid: false,\n code: JOSE_CODE_MAP[err.code]!,\n message: err.message,\n };\n }\n // 2. Generic format errors\n if (FORMAT_ERROR_CODES.has(err.code)) {\n return {\n valid: false,\n code: 'E_INVALID_FORMAT',\n message: err.message,\n };\n }\n if (err.code === 'CRYPTO_INVALID_SIGNATURE') {\n return {\n valid: false,\n code: 'E_INVALID_SIGNATURE',\n message: err.message,\n };\n }\n if (err.code === 'CRYPTO_WIRE_VERSION_MISMATCH') {\n return {\n valid: false,\n code: 'E_WIRE_VERSION_MISMATCH',\n message: err.message,\n };\n }\n }\n\n // Handle JSON parse errors from malformed payloads\n // Use structural check for cross-boundary robustness (consistent with isCryptoError pattern)\n if (\n err !== null &&\n typeof err === 'object' &&\n 'name' in err &&\n (err as { name: unknown }).name === 'SyntaxError'\n ) {\n const syntaxMessage =\n 'message' in err && typeof (err as { message: unknown }).message === 'string'\n ? (err as { message: string }).message\n : 'Invalid JSON';\n return {\n valid: false,\n code: 'E_INVALID_FORMAT',\n message: `Invalid receipt payload: ${syntaxMessage}`,\n };\n }\n\n // All other errors -> E_INTERNAL\n // No message parsing - code-based mapping only\n const message = err instanceof Error ? err.message : String(err);\n return {\n valid: false,\n code: 'E_INTERNAL',\n message: `Unexpected verification error: ${message}`,\n };\n }\n}\n\n/**\n * Type guard: narrows a VerifyLocalResult to a commerce success.\n *\n * Use instead of manual `result.valid && result.variant === 'commerce'` checks\n * to get proper claims narrowing to ReceiptClaimsType.\n */\nexport function isCommerceResult(\n r: VerifyLocalResult\n): r is VerifyLocalSuccess & { variant: 'commerce' } {\n return r.valid === true && r.variant === 'commerce';\n}\n\n/**\n * Type guard: narrows a VerifyLocalResult to an attestation success.\n *\n * Use instead of manual `result.valid && result.variant === 'attestation'` checks\n * to get proper claims narrowing to AttestationReceiptClaims.\n */\nexport function isAttestationResult(\n r: VerifyLocalResult\n): r is VerifyLocalSuccess & { variant: 'attestation' } {\n return r.valid === true && r.variant === 'attestation';\n}\n\n/**\n * Type guard: narrows a VerifyLocalResult to a Wire 0.2 success (v0.12.0-preview.1).\n *\n * Use instead of manual `result.valid && result.variant === 'wire-02'` checks\n * to get proper claims narrowing to Wire02Claims.\n */\nexport function isWire02Result(\n r: VerifyLocalResult\n): r is VerifyLocalSuccess & { variant: 'wire-02' } {\n return r.valid === true && r.variant === 'wire-02';\n}\n"]}
1
+ {"version":3,"sources":["../src/verify-local.ts"],"names":["jwsVerify","WARNING_TYP_MISSING","validateKernelConstraints","parseReceiptClaims","checkOccurredAtSkew","REGISTERED_RECEIPT_TYPES","WARNING_TYPE_UNREGISTERED","REGISTERED_EXTENSION_GROUP_KEYS","isValidExtensionKey","WARNING_UNKNOWN_EXTENSION","HASH","verifyPolicyBinding","sortWarnings"],"mappings":";;;;;;;AAuCA,SAAS,cAAc,GAAA,EAAsC;AAC3D,EAAA,OACE,GAAA,KAAQ,IAAA,IACR,OAAO,GAAA,KAAQ,QAAA,IACf,UAAU,GAAA,IACV,GAAA,CAAI,IAAA,KAAS,aAAA,IACb,MAAA,IAAU,GAAA,IACV,OAAO,GAAA,CAAI,IAAA,KAAS,QAAA,IACpB,GAAA,CAAI,IAAA,CAAK,UAAA,CAAW,SAAS,CAAA,IAC7B,SAAA,IAAa,GAAA,IACb,OAAO,GAAA,CAAI,OAAA,KAAY,QAAA;AAE3B;AAuLA,IAAM,kBAAA,uBAAyB,GAAA,CAAI;AAAA,EACjC,2BAAA;AAAA,EACA,oBAAA;AAAA,EACA,oBAAA;AAAA,EACA;AACF,CAAC,CAAA;AASD,IAAM,aAAA,GAAsD;AAAA,EAC1D,uBAAA,EAAyB,oBAAA;AAAA,EACzB,wBAAA,EAA0B,qBAAA;AAAA,EAC1B,sBAAA,EAAwB,mBAAA;AAAA,EACxB,uBAAA,EAAyB,oBAAA;AAAA,EACzB,uBAAA,EAAyB;AAC3B,CAAA;AAGA,IAAM,gBAAA,GAAmB,EAAA;AAMzB,SAAS,oBACP,MAAA,EAC8D;AAC9D,EAAA,IAAI,CAAC,KAAA,CAAM,OAAA,CAAQ,MAAM,GAAG,OAAO,MAAA;AACnC,EAAA,OAAO,OAAO,KAAA,CAAM,CAAA,EAAG,gBAAgB,CAAA,CAAE,GAAA,CAAI,CAAC,KAAA,MAAW;AAAA,IACvD,IAAA,EAAM,KAAA,CAAM,OAAA,CAAQ,KAAA,EAAO,IAAI,IAAI,KAAA,CAAM,IAAA,CAAK,IAAA,CAAK,GAAG,CAAA,GAAI,EAAA;AAAA,IAC1D,OAAA,EAAS,OAAO,KAAA,EAAO,OAAA,KAAY,WAAW,KAAA,CAAM,OAAA,GAAU,OAAO,KAAK;AAAA,GAC5E,CAAE,CAAA;AACJ;AAiCA,eAAsB,WAAA,CACpB,GAAA,EACA,SAAA,EACA,OAAA,GAA8B,EAAC,EACH;AAC5B,EAAA,MAAM,EAAE,QAAQ,UAAA,EAAY,YAAA,GAAe,KAAK,UAAA,GAAa,QAAA,EAAU,cAAa,GAAI,OAAA;AACxF,EAAA,MAAM,GAAA,GAAM,QAAQ,GAAA,IAAO,IAAA,CAAK,MAAM,IAAA,CAAK,GAAA,KAAQ,GAAI,CAAA;AAEvD,EAAA,IAAI;AAEF,IAAA,MAAM,MAAA,GAAS,MAAMA,aAAA,CAAmB,GAAA,EAAK,SAAS,CAAA;AAEtD,IAAA,IAAI,CAAC,OAAO,KAAA,EAAO;AACjB,MAAA,OAAO;AAAA,QACL,KAAA,EAAO,KAAA;AAAA,QACP,IAAA,EAAM,qBAAA;AAAA,QACN,OAAA,EAAS;AAAA,OACX;AAAA,IACF;AAGA,IAAA,MAAM,sBAA6C,EAAC;AAGpD,IAAA,IAAI,MAAA,CAAO,MAAA,CAAO,GAAA,KAAQ,KAAA,CAAA,EAAW;AACnC,MAAA,IAAI,eAAe,QAAA,EAAU;AAC3B,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,IAAA,EAAM,kBAAA;AAAA,UACN,OAAA,EAAS;AAAA,SACX;AAAA,MACF;AAEA,MAAA,mBAAA,CAAoB,IAAA,CAAK;AAAA,QACvB,IAAA,EAAMC,0BAAA;AAAA,QACN,OAAA,EAAS;AAAA,OACV,CAAA;AAAA,IACH;AAGA,IAAA,MAAM,gBAAA,GAAmBC,gCAAA,CAA0B,MAAA,CAAO,OAAO,CAAA;AACjE,IAAA,IAAI,CAAC,iBAAiB,KAAA,EAAO;AAC3B,MAAA,MAAM,CAAA,GAAI,gBAAA,CAAiB,UAAA,CAAW,CAAC,CAAA;AACvC,MAAA,OAAO;AAAA,QACL,KAAA,EAAO,KAAA;AAAA,QACP,IAAA,EAAM,wBAAA;AAAA,QACN,OAAA,EAAS,+BAA+B,CAAA,CAAE,UAAU,aAAa,CAAA,CAAE,MAAM,CAAA,SAAA,EAAY,CAAA,CAAE,KAAK,CAAA,CAAA;AAAA,OAC9F;AAAA,IACF;AAGA,IAAA,MAAM,EAAA,GAAKC,yBAAA,CAAmB,MAAA,CAAO,OAAO,CAAA;AAE5C,IAAA,IAAI,CAAC,GAAG,EAAA,EAAI;AACV,MAAA,OAAO;AAAA,QACL,KAAA,EAAO,KAAA;AAAA,QACP,IAAA,EAAM,kBAAA;AAAA,QACN,OAAA,EAAS,CAAA,kCAAA,EAAqC,EAAA,CAAG,KAAA,CAAM,OAAO,CAAA,CAAA;AAAA,QAC9D,OAAA,EAAS,EAAE,UAAA,EAAY,EAAA,CAAG,KAAA,CAAM,IAAA,EAAM,MAAA,EAAQ,mBAAA,CAAoB,EAAA,CAAG,KAAA,CAAM,MAAM,CAAA;AAAE,OACrF;AAAA,IACF;AAGA,IAAA,IAAI,EAAA,CAAG,gBAAgB,KAAA,EAAO;AAC5B,MAAA,mBAAA,CAAoB,IAAA,CAAK,GAAG,EAAA,CAAG,QAAQ,CAAA;AAAA,IACzC;AAGA,IAAA,IAAI,EAAA,CAAG,gBAAgB,KAAA,EAAO;AAC5B,MAAA,MAAM,SAAS,EAAA,CAAG,MAAA;AAGlB,MAAA,IAAI,MAAA,KAAW,KAAA,CAAA,IAAa,MAAA,CAAO,GAAA,KAAQ,MAAA,EAAQ;AACjD,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,IAAA,EAAM,kBAAA;AAAA,UACN,OAAA,EAAS,CAAA,2BAAA,EAA8B,MAAM,CAAA,QAAA,EAAW,OAAO,GAAG,CAAA,CAAA;AAAA,SACpE;AAAA,MACF;AAGA,MAAA,IAAI,UAAA,KAAe,KAAA,CAAA,IAAa,MAAA,CAAO,GAAA,KAAQ,UAAA,EAAY;AACzD,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,IAAA,EAAM,mBAAA;AAAA,UACN,SAAS,CAAA,4BAAA,EAA+B,UAAU,CAAA,QAAA,EAAW,MAAA,CAAO,OAAO,WAAW,CAAA,CAAA;AAAA,SACxF;AAAA,MACF;AAGA,MAAA,IAAI,MAAA,CAAO,GAAA,GAAM,GAAA,GAAM,YAAA,EAAc;AACnC,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,IAAA,EAAM,iBAAA;AAAA,UACN,SAAS,CAAA,iCAAA,EAAoC,IAAI,IAAA,CAAK,MAAA,CAAO,MAAM,GAAI,CAAA,CAAE,WAAA,EAAa,YAAY,IAAI,IAAA,CAAK,MAAM,GAAI,CAAA,CAAE,aAAa,CAAA;AAAA,SACtI;AAAA,MACF;AAGA,MAAA,IAAI,MAAA,CAAO,SAAS,UAAA,EAAY;AAC9B,QAAA,MAAM,aAAaC,0BAAA,CAAoB,MAAA,CAAO,aAAa,MAAA,CAAO,GAAA,EAAK,KAAK,YAAY,CAAA;AACxF,QAAA,IAAI,eAAe,cAAA,EAAgB;AACjC,UAAA,OAAO;AAAA,YACL,KAAA,EAAO,KAAA;AAAA,YACP,IAAA,EAAM,sBAAA;AAAA,YACN,OAAA,EAAS,kDAAkD,YAAY,CAAA,EAAA;AAAA,WACzE;AAAA,QACF;AACA,QAAA,IAAI,eAAe,IAAA,EAAM;AACvB,UAAA,mBAAA,CAAoB,KAAK,UAAU,CAAA;AAAA,QACrC;AAAA,MACF;AAGA,MAAA,IAAI,CAACC,+BAAA,CAAyB,GAAA,CAAI,MAAA,CAAO,IAAI,CAAA,EAAG;AAC9C,QAAA,mBAAA,CAAoB,IAAA,CAAK;AAAA,UACvB,IAAA,EAAMC,gCAAA;AAAA,UACN,OAAA,EAAS,sDAAA;AAAA,UACT,OAAA,EAAS;AAAA,SACV,CAAA;AAAA,MACH;AAIA,MAAA,IAAI,MAAA,CAAO,eAAe,KAAA,CAAA,EAAW;AACnC,QAAA,KAAA,MAAW,GAAA,IAAO,MAAA,CAAO,IAAA,CAAK,MAAA,CAAO,UAAU,CAAA,EAAG;AAChD,UAAA,IAAI,CAACC,sCAAA,CAAgC,GAAA,CAAI,GAAG,CAAA,IAAKC,0BAAA,CAAoB,GAAG,CAAA,EAAG;AAEzE,YAAA,MAAM,UAAA,GAAa,IAAI,OAAA,CAAQ,IAAA,EAAM,IAAI,CAAA,CAAE,OAAA,CAAQ,OAAO,IAAI,CAAA;AAC9D,YAAA,mBAAA,CAAoB,IAAA,CAAK;AAAA,cACvB,IAAA,EAAMC,gCAAA;AAAA,cACN,OAAA,EAAS,2DAAA;AAAA,cACT,OAAA,EAAS,eAAe,UAAU,CAAA;AAAA,aACnC,CAAA;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAGA,MAAA,IAAI,iBAAiB,KAAA,CAAA,IAAa,CAACC,YAAK,OAAA,CAAQ,IAAA,CAAK,YAAY,CAAA,EAAG;AAClE,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,IAAA,EAAM,kBAAA;AAAA,UACN,OAAA,EAAS;AAAA,SACX;AAAA,MACF;AAKA,MAAA,MAAM,mBAAA,GAAsB,OAAO,MAAA,EAAQ,MAAA;AAC3C,MAAA,MAAM,aAAA,GACJ,wBAAwB,KAAA,CAAA,IAAa,YAAA,KAAiB,SAClD,aAAA,GACAC,0BAAA,CAAoB,qBAAqB,YAAY,CAAA;AAC3D,MAAA,IAAI,kBAAkB,QAAA,EAAU;AAC9B,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,IAAA,EAAM,yBAAA;AAAA,UACN,OAAA,EAAS,gFAAA;AAAA,UACT,OAAA,EAAS;AAAA,YACP,qBAAA,EAAuB,mBAAA;AAAA,YACvB,mBAAA,EAAqB,YAAA;AAAA,YACrB,GAAI,OAAO,MAAA,EAAQ,GAAA,KAAQ,UAAa,EAAE,UAAA,EAAY,MAAA,CAAO,MAAA,CAAO,GAAA;AAAI;AAC1E,SACF;AAAA,MACF;AAEA,MAAA,OAAO;AAAA,QACL,KAAA,EAAO,IAAA;AAAA,QACP,OAAA,EAAS,SAAA;AAAA,QACT,MAAA;AAAA,QACA,GAAA,EAAK,OAAO,MAAA,CAAO,GAAA;AAAA,QACnB,WAAA,EAAa,KAAA;AAAA,QACb,QAAA,EAAUC,oBAAa,mBAAmB,CAAA;AAAA,QAC1C,cAAA,EAAgB;AAAA,OAClB;AAAA,IACF;AAGA,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,4BAAA;AAAA,MACN,OAAA,EAAS;AAAA,KACX;AAAA,EACF,SAAS,GAAA,EAAK;AAMZ,IAAA,IAAI,aAAA,CAAc,GAAG,CAAA,EAAG;AAEtB,MAAA,IAAI,OAAO,SAAA,CAAU,cAAA,CAAe,KAAK,aAAA,EAAe,GAAA,CAAI,IAAI,CAAA,EAAG;AACjE,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,IAAA,EAAM,aAAA,CAAc,GAAA,CAAI,IAAI,CAAA;AAAA,UAC5B,SAAS,GAAA,CAAI;AAAA,SACf;AAAA,MACF;AAEA,MAAA,IAAI,kBAAA,CAAmB,GAAA,CAAI,GAAA,CAAI,IAAI,CAAA,EAAG;AACpC,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,IAAA,EAAM,kBAAA;AAAA,UACN,SAAS,GAAA,CAAI;AAAA,SACf;AAAA,MACF;AACA,MAAA,IAAI,GAAA,CAAI,SAAS,0BAAA,EAA4B;AAC3C,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,IAAA,EAAM,qBAAA;AAAA,UACN,SAAS,GAAA,CAAI;AAAA,SACf;AAAA,MACF;AACA,MAAA,IAAI,GAAA,CAAI,SAAS,8BAAA,EAAgC;AAC/C,QAAA,OAAO;AAAA,UACL,KAAA,EAAO,KAAA;AAAA,UACP,IAAA,EAAM,yBAAA;AAAA,UACN,SAAS,GAAA,CAAI;AAAA,SACf;AAAA,MACF;AAAA,IACF;AAIA,IAAA,IACE,GAAA,KAAQ,QACR,OAAO,GAAA,KAAQ,YACf,MAAA,IAAU,GAAA,IACT,GAAA,CAA0B,IAAA,KAAS,aAAA,EACpC;AACA,MAAA,MAAM,aAAA,GACJ,aAAa,GAAA,IAAO,OAAQ,IAA6B,OAAA,KAAY,QAAA,GAChE,IAA4B,OAAA,GAC7B,cAAA;AACN,MAAA,OAAO;AAAA,QACL,KAAA,EAAO,KAAA;AAAA,QACP,IAAA,EAAM,kBAAA;AAAA,QACN,OAAA,EAAS,4BAA4B,aAAa,CAAA;AAAA,OACpD;AAAA,IACF;AAIA,IAAA,MAAM,UAAU,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU,OAAO,GAAG,CAAA;AAC/D,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,KAAA;AAAA,MACP,IAAA,EAAM,YAAA;AAAA,MACN,OAAA,EAAS,kCAAkC,OAAO,CAAA;AAAA,KACpD;AAAA,EACF;AACF;AAMO,SAAS,iBACd,CAAA,EACkD;AAElD,EAAA,OAAO,KAAA;AACT;AAMO,SAAS,oBACd,CAAA,EACkD;AAElD,EAAA,OAAO,KAAA;AACT;AAQO,SAAS,eACd,CAAA,EACkD;AAClD,EAAA,OAAO,CAAA,CAAE,KAAA,KAAU,IAAA,IAAQ,CAAA,CAAE,OAAA,KAAY,SAAA;AAC3C","file":"verify-local.cjs","sourcesContent":["/**\n * Local receipt verification with schema validation\n *\n * Use this for verifying receipts when you have the public key locally,\n * without JWKS discovery.\n */\n\nimport { verify as jwsVerify } from '@peac/crypto';\nimport { type VerificationStrictness, type VerificationWarning, HASH } from '@peac/kernel';\nimport {\n parseReceiptClaims,\n validateKernelConstraints,\n type Wire02Claims,\n checkOccurredAtSkew,\n sortWarnings,\n WARNING_TYP_MISSING,\n WARNING_TYPE_UNREGISTERED,\n WARNING_UNKNOWN_EXTENSION,\n REGISTERED_RECEIPT_TYPES,\n REGISTERED_EXTENSION_GROUP_KEYS,\n isValidExtensionKey,\n verifyPolicyBinding,\n} from '@peac/schema';\nimport type { PolicyBindingStatus } from './verifier-types';\n\n/**\n * Structural type for CryptoError\n * Used instead of instanceof for robustness across ESM/CJS boundaries\n */\ninterface CryptoErrorLike {\n name: 'CryptoError';\n code: string;\n message: string;\n}\n\n/**\n * Structural check for CryptoError\n * More robust than instanceof across module boundaries (ESM/CJS, duplicate packages)\n */\nfunction isCryptoError(err: unknown): err is CryptoErrorLike {\n return (\n err !== null &&\n typeof err === 'object' &&\n 'name' in err &&\n err.name === 'CryptoError' &&\n 'code' in err &&\n typeof err.code === 'string' &&\n err.code.startsWith('CRYPTO_') &&\n 'message' in err &&\n typeof err.message === 'string'\n );\n}\n\n/**\n * Canonical error codes for local verification\n *\n * These map to E_* codes in specs/kernel/errors.json.\n * JOSE hardening codes (E_JWS_*) are distinct from generic E_INVALID_FORMAT\n * so callers can distinguish key-injection, compression, and crit attacks from\n * ordinary format errors (v0.12.0-preview.1, DD-156).\n */\nexport type VerifyLocalErrorCode =\n | 'E_INVALID_SIGNATURE'\n | 'E_INVALID_FORMAT'\n | 'E_CONSTRAINT_VIOLATION'\n | 'E_EXPIRED'\n | 'E_NOT_YET_VALID'\n | 'E_INVALID_ISSUER'\n | 'E_INVALID_AUDIENCE'\n | 'E_INVALID_SUBJECT'\n | 'E_INVALID_RECEIPT_ID'\n | 'E_MISSING_EXP'\n | 'E_WIRE_VERSION_MISMATCH'\n | 'E_UNSUPPORTED_WIRE_VERSION'\n | 'E_OCCURRED_AT_FUTURE'\n // JOSE hardening codes (Wire 0.2, v0.12.0-preview.1, DD-156)\n | 'E_JWS_EMBEDDED_KEY'\n | 'E_JWS_CRIT_REJECTED'\n | 'E_JWS_MISSING_KID'\n | 'E_JWS_B64_REJECTED'\n | 'E_JWS_ZIP_REJECTED'\n // Policy binding (Wire 0.2, v0.12.0-preview.1, DD-151)\n | 'E_POLICY_BINDING_FAILED'\n | 'E_INTERNAL';\n\n/**\n * Options for local verification\n */\nexport interface VerifyLocalOptions {\n /**\n * Expected issuer URL\n *\n * If provided, verification fails if receipt.iss does not match.\n */\n issuer?: string;\n\n /**\n * @deprecated Wire 0.2 does not have an `aud` claim. This option is ignored.\n * Retained for source compatibility during migration; will be removed in v1.0.\n */\n audience?: string;\n\n /**\n * Expected subject URI\n *\n * If provided, verification fails if receipt.sub does not match.\n * Binds the receipt to a specific resource/interaction target.\n */\n subjectUri?: string;\n\n /**\n * @deprecated Wire 0.2 does not have a `rid` claim. Use `jti` for receipt identification.\n * This option is ignored. Retained for source compatibility; will be removed in v1.0.\n */\n rid?: string;\n\n /**\n * @deprecated Wire 0.2 receipts do not expire (permanent evidence by design).\n * This option is ignored. Retained for source compatibility; will be removed in v1.0.\n */\n requireExp?: boolean;\n\n /**\n * Current timestamp (Unix seconds)\n *\n * Defaults to Date.now() / 1000. Override for testing.\n */\n now?: number;\n\n /**\n * Maximum clock skew tolerance (seconds)\n *\n * Allows for clock drift between issuer and verifier.\n * Defaults to 300 (5 minutes).\n */\n maxClockSkew?: number;\n\n /**\n * Verification strictness profile (v0.12.0-preview.1, DD-156).\n *\n * - 'strict' (default): missing typ is a hard error before schema validation.\n * - 'interop': missing typ emits a 'typ_missing' warning and routes by payload content.\n *\n * Strictness is EXCLUSIVELY controlled here (@peac/protocol). @peac/crypto has no strictness param.\n */\n strictness?: VerificationStrictness;\n\n /**\n * Pre-computed local policy digest for policy binding (Wire 0.2, v0.12.0-preview.1, DD-151).\n *\n * Must be in 'sha256:<64 lowercase hex>' format, computed via computePolicyDigestJcs()\n * from @peac/protocol. When provided alongside a receipt that contains a policy block\n * (policy.digest), the binding check is performed:\n * - Match: policy_binding = 'verified'\n * - Mismatch: hard fail with E_POLICY_BINDING_FAILED\n * - Either absent: policy_binding = 'unavailable'\n *\n * Always 'unavailable' for Wire 0.1 receipts regardless of this option.\n */\n policyDigest?: string;\n}\n\n/**\n * Result of successful local verification (Wire 0.2 only)\n *\n * Wire 0.1 receipts are no longer accepted by verifyLocal() and return\n * E_UNSUPPORTED_WIRE_VERSION. Re-issue as Wire 0.2 using issueWire02().\n */\nexport interface VerifyLocalSuccess {\n /** Verification succeeded */\n valid: true;\n /** Receipt variant (always 'wire-02') */\n variant: 'wire-02';\n /** Validated Wire 0.2 receipt claims */\n claims: Wire02Claims;\n /** Key ID from JWS header (for logging/indexing) */\n kid: string;\n /** Wire format version */\n wireVersion: '0.2';\n /** Verification warnings from schema parsing and strictness routing */\n warnings: VerificationWarning[];\n /**\n * Policy binding status (DD-49, DD-151).\n *\n * Three-state result:\n * - 'unavailable': either the receipt contains no policy block, or the\n * caller did not pass a policyDigest option to verifyLocal(). No check.\n * - 'verified': both digests present and match exactly.\n * - 'failed': not returned on success; verifyLocal() returns\n * E_POLICY_BINDING_FAILED (valid: false) before reaching this field.\n */\n policy_binding: PolicyBindingStatus;\n}\n\n/**\n * Result of failed local verification\n */\nexport interface VerifyLocalFailure {\n /** Verification failed */\n valid: false;\n\n /** Canonical error code (maps to specs/kernel/errors.json) */\n code: VerifyLocalErrorCode;\n\n /** Human-readable error message */\n message: string;\n\n /** Structured details for debugging (stable error code preserved in `code`) */\n details?: {\n /** Precise parse error code from unified parser (e.g. E_PARSE_COMMERCE_INVALID) */\n parse_code?: string;\n /** Zod validation issues (bounded, stable shape; non-normative, may change) */\n issues?: ReadonlyArray<{ path: string; message: string }>;\n /**\n * Policy digest from the receipt (present when code is E_POLICY_BINDING_FAILED).\n * Both are SHA-256 hashes; safe to log without leaking policy content.\n */\n receipt_policy_digest?: string;\n /** Caller-supplied policy digest (present when code is E_POLICY_BINDING_FAILED). */\n local_policy_digest?: string;\n /** policy.uri hint from the receipt (present when code is E_POLICY_BINDING_FAILED and uri set). */\n policy_uri?: string;\n };\n}\n\n/**\n * Union type for local verification result\n */\nexport type VerifyLocalResult = VerifyLocalSuccess | VerifyLocalFailure;\n\n/**\n * Internal CRYPTO_* codes that map to generic E_INVALID_FORMAT.\n * These are format/encoding errors not security-specific.\n */\nconst FORMAT_ERROR_CODES = new Set([\n 'CRYPTO_INVALID_JWS_FORMAT',\n 'CRYPTO_INVALID_TYP',\n 'CRYPTO_INVALID_ALG',\n 'CRYPTO_INVALID_KEY_LENGTH',\n]);\n\n/**\n * JOSE hardening code mapping: CRYPTO_JWS_* → specific E_JWS_* (v0.12.0-preview.1, DD-156).\n *\n * Each JOSE hazard code maps to its specific public E_JWS_* counterpart rather than\n * collapsing into the generic E_INVALID_FORMAT. This lets callers distinguish embedded-key\n * injection, crit-header abuse, and unencoded-payload attacks from ordinary format errors.\n */\nconst JOSE_CODE_MAP: Record<string, VerifyLocalErrorCode> = {\n CRYPTO_JWS_EMBEDDED_KEY: 'E_JWS_EMBEDDED_KEY',\n CRYPTO_JWS_CRIT_REJECTED: 'E_JWS_CRIT_REJECTED',\n CRYPTO_JWS_MISSING_KID: 'E_JWS_MISSING_KID',\n CRYPTO_JWS_B64_REJECTED: 'E_JWS_B64_REJECTED',\n CRYPTO_JWS_ZIP_REJECTED: 'E_JWS_ZIP_REJECTED',\n};\n\n/** Max parse issues to include in details (prevents log bloat) */\nconst MAX_PARSE_ISSUES = 25;\n\n/**\n * Sanitize Zod issues into a bounded, stable structure.\n * Avoids exposing raw Zod internals or unbounded arrays in the public API.\n */\nfunction sanitizeParseIssues(\n issues: unknown\n): ReadonlyArray<{ path: string; message: string }> | undefined {\n if (!Array.isArray(issues)) return undefined;\n return issues.slice(0, MAX_PARSE_ISSUES).map((issue) => ({\n path: Array.isArray(issue?.path) ? issue.path.join('.') : '',\n message: typeof issue?.message === 'string' ? issue.message : String(issue),\n }));\n}\n\n/**\n * Verify a Wire 0.2 PEAC receipt locally with a known public key.\n *\n * Wire 0.2 only: Wire 0.1 receipts return E_UNSUPPORTED_WIRE_VERSION.\n * Re-issue Wire 0.1 receipts as Wire 0.2 using issueWire02().\n *\n * This function:\n * 1. Verifies the Ed25519 signature and header (typ, alg)\n * 2. Applies strictness routing for missing typ (strict: hard error; interop: warning)\n * 3. Validates the receipt schema with Zod (Wire 0.2 only)\n * 4. Checks issuer/subject binding (if options provided)\n * 5. Checks time validity (iat with clock skew tolerance)\n * 6. Checks occurred_at skew and collects parse warnings\n *\n * @param jws - JWS compact serialization\n * @param publicKey - Ed25519 public key (32 bytes)\n * @param options - Optional verification options (issuer, subject, clock skew, strictness, policyDigest)\n * @returns Typed verification result\n *\n * @example\n * ```typescript\n * const result = await verifyLocal(jws, publicKey, {\n * issuer: 'https://api.example.com',\n * strictness: 'strict',\n * });\n * if (result.valid) {\n * console.log('Kind:', result.claims.kind);\n * console.log('Warnings:', result.warnings);\n * }\n * ```\n */\nexport async function verifyLocal(\n jws: string,\n publicKey: Uint8Array,\n options: VerifyLocalOptions = {}\n): Promise<VerifyLocalResult> {\n const { issuer, subjectUri, maxClockSkew = 300, strictness = 'strict', policyDigest } = options;\n const now = options.now ?? Math.floor(Date.now() / 1000);\n\n try {\n // 1. Verify signature and header (typ, alg validated by @peac/crypto)\n const result = await jwsVerify<unknown>(jws, publicKey);\n\n if (!result.valid) {\n return {\n valid: false,\n code: 'E_INVALID_SIGNATURE',\n message: 'Ed25519 signature verification failed',\n };\n }\n\n // Accumulated warnings for Wire 0.2 path\n const accumulatedWarnings: VerificationWarning[] = [];\n\n // 2. Strictness routing for missing typ (Correction 1, DD-156)\n if (result.header.typ === undefined) {\n if (strictness === 'strict') {\n return {\n valid: false,\n code: 'E_INVALID_FORMAT',\n message: 'Missing JWS typ header: strict mode requires typ to be present',\n };\n }\n // interop mode: emit warning and continue\n accumulatedWarnings.push({\n code: WARNING_TYP_MISSING,\n message: 'JWS typ header is absent; accepted in interop mode',\n });\n }\n\n // 3. Validate structural kernel constraints (DD-121, fail-closed)\n const constraintResult = validateKernelConstraints(result.payload);\n if (!constraintResult.valid) {\n const v = constraintResult.violations[0];\n return {\n valid: false,\n code: 'E_CONSTRAINT_VIOLATION',\n message: `Kernel constraint violated: ${v.constraint} (actual: ${v.actual}, limit: ${v.limit})`,\n };\n }\n\n // 4. Validate schema (unified parser supports Wire 0.1 and Wire 0.2)\n const pr = parseReceiptClaims(result.payload);\n\n if (!pr.ok) {\n return {\n valid: false,\n code: 'E_INVALID_FORMAT',\n message: `Receipt schema validation failed: ${pr.error.message}`,\n details: { parse_code: pr.error.code, issues: sanitizeParseIssues(pr.error.issues) },\n };\n }\n\n // 5. Collect parser warnings (Wire 0.2 parser may emit type/extension warnings)\n if (pr.wireVersion === '0.2') {\n accumulatedWarnings.push(...pr.warnings);\n }\n\n // Wire 0.2 path\n if (pr.wireVersion === '0.2') {\n const claims = pr.claims as Wire02Claims;\n\n // Issuer check\n if (issuer !== undefined && claims.iss !== issuer) {\n return {\n valid: false,\n code: 'E_INVALID_ISSUER',\n message: `Issuer mismatch: expected \"${issuer}\", got \"${claims.iss}\"`,\n };\n }\n\n // Subject check\n if (subjectUri !== undefined && claims.sub !== subjectUri) {\n return {\n valid: false,\n code: 'E_INVALID_SUBJECT',\n message: `Subject mismatch: expected \"${subjectUri}\", got \"${claims.sub ?? 'undefined'}\"`,\n };\n }\n\n // iat: not-yet-valid check (with clock skew)\n if (claims.iat > now + maxClockSkew) {\n return {\n valid: false,\n code: 'E_NOT_YET_VALID',\n message: `Receipt not yet valid: issued at ${new Date(claims.iat * 1000).toISOString()}, now is ${new Date(now * 1000).toISOString()}`,\n };\n }\n\n // occurred_at skew check (evidence kind only)\n if (claims.kind === 'evidence') {\n const skewResult = checkOccurredAtSkew(claims.occurred_at, claims.iat, now, maxClockSkew);\n if (skewResult === 'future_error') {\n return {\n valid: false,\n code: 'E_OCCURRED_AT_FUTURE',\n message: `occurred_at is in the future beyond tolerance (${maxClockSkew}s)`,\n };\n }\n if (skewResult !== null) {\n accumulatedWarnings.push(skewResult);\n }\n }\n\n // Emit type_unregistered warning for valid-but-unregistered type values (DD-155)\n if (!REGISTERED_RECEIPT_TYPES.has(claims.type)) {\n accumulatedWarnings.push({\n code: WARNING_TYPE_UNREGISTERED,\n message: 'Receipt type is not in the recommended type registry',\n pointer: '/type',\n });\n }\n\n // Emit unknown_extension_preserved warnings for unrecognized-but-well-formed keys (DD-155)\n // Malformed keys are already hard errors (E_INVALID_EXTENSION_KEY) at schema layer.\n if (claims.extensions !== undefined) {\n for (const key of Object.keys(claims.extensions)) {\n if (!REGISTERED_EXTENSION_GROUP_KEYS.has(key) && isValidExtensionKey(key)) {\n // RFC 6901: '~' -> '~0', '/' -> '~1'\n const escapedKey = key.replace(/~/g, '~0').replace(/\\//g, '~1');\n accumulatedWarnings.push({\n code: WARNING_UNKNOWN_EXTENSION,\n message: 'Unknown extension key preserved without schema validation',\n pointer: `/extensions/${escapedKey}`,\n });\n }\n }\n }\n\n // Validate policyDigest option format (DD-151): must be sha256:<64 lowercase hex> if provided.\n if (policyDigest !== undefined && !HASH.pattern.test(policyDigest)) {\n return {\n valid: false,\n code: 'E_INVALID_FORMAT',\n message: 'policyDigest option must be in sha256:<64 lowercase hex> format',\n };\n }\n\n // Policy binding check (DD-151): 3-state result.\n // 'unavailable' when either receipt has no policy block or caller omitted policyDigest.\n // 'verified' / 'failed' when both are present; 'failed' is a hard verification error.\n const receiptPolicyDigest = claims.policy?.digest;\n const bindingStatus: PolicyBindingStatus =\n receiptPolicyDigest === undefined || policyDigest === undefined\n ? 'unavailable'\n : verifyPolicyBinding(receiptPolicyDigest, policyDigest);\n if (bindingStatus === 'failed') {\n return {\n valid: false,\n code: 'E_POLICY_BINDING_FAILED',\n message: 'Policy binding check failed: receipt policy digest does not match local policy',\n details: {\n receipt_policy_digest: receiptPolicyDigest,\n local_policy_digest: policyDigest,\n ...(claims.policy?.uri !== undefined && { policy_uri: claims.policy.uri }),\n },\n };\n }\n\n return {\n valid: true,\n variant: 'wire-02',\n claims,\n kid: result.header.kid,\n wireVersion: '0.2',\n warnings: sortWarnings(accumulatedWarnings),\n policy_binding: bindingStatus,\n };\n }\n\n // Wire 0.1 receipts: reject with E_UNSUPPORTED_WIRE_VERSION.\n return {\n valid: false,\n code: 'E_UNSUPPORTED_WIRE_VERSION',\n message: 'Wire 0.1 receipts are not supported. Re-issue as Wire 0.2 using issueWire02().',\n };\n } catch (err) {\n // Handle typed CryptoError from @peac/crypto\n // Use structural check instead of instanceof for robustness across ESM/CJS boundaries\n // Map internal CRYPTO_* codes to canonical E_* codes.\n // JOSE hardening codes get specific E_JWS_* (not generic E_INVALID_FORMAT) so callers\n // can distinguish key-injection attacks from ordinary encoding errors.\n if (isCryptoError(err)) {\n // 1. JOSE hardening: specific E_JWS_* codes (checked first)\n if (Object.prototype.hasOwnProperty.call(JOSE_CODE_MAP, err.code)) {\n return {\n valid: false,\n code: JOSE_CODE_MAP[err.code]!,\n message: err.message,\n };\n }\n // 2. Generic format errors\n if (FORMAT_ERROR_CODES.has(err.code)) {\n return {\n valid: false,\n code: 'E_INVALID_FORMAT',\n message: err.message,\n };\n }\n if (err.code === 'CRYPTO_INVALID_SIGNATURE') {\n return {\n valid: false,\n code: 'E_INVALID_SIGNATURE',\n message: err.message,\n };\n }\n if (err.code === 'CRYPTO_WIRE_VERSION_MISMATCH') {\n return {\n valid: false,\n code: 'E_WIRE_VERSION_MISMATCH',\n message: err.message,\n };\n }\n }\n\n // Handle JSON parse errors from malformed payloads\n // Use structural check for cross-boundary robustness (consistent with isCryptoError pattern)\n if (\n err !== null &&\n typeof err === 'object' &&\n 'name' in err &&\n (err as { name: unknown }).name === 'SyntaxError'\n ) {\n const syntaxMessage =\n 'message' in err && typeof (err as { message: unknown }).message === 'string'\n ? (err as { message: string }).message\n : 'Invalid JSON';\n return {\n valid: false,\n code: 'E_INVALID_FORMAT',\n message: `Invalid receipt payload: ${syntaxMessage}`,\n };\n }\n\n // All other errors -> E_INTERNAL\n // No message parsing - code-based mapping only\n const message = err instanceof Error ? err.message : String(err);\n return {\n valid: false,\n code: 'E_INTERNAL',\n message: `Unexpected verification error: ${message}`,\n };\n }\n}\n\n/**\n * @deprecated Removed: verifyLocal() is Wire 0.2 only and always returns variant 'wire-02'.\n * This guard always returns false. Remove usage and use isWire02Result() instead.\n */\nexport function isCommerceResult(\n r: VerifyLocalResult\n): r is VerifyLocalSuccess & { variant: 'wire-02' } {\n // Always false: verifyLocal() only returns variant 'wire-02'\n return false;\n}\n\n/**\n * @deprecated Removed: verifyLocal() is Wire 0.2 only and always returns variant 'wire-02'.\n * This guard always returns false. Remove usage and use isWire02Result() instead.\n */\nexport function isAttestationResult(\n r: VerifyLocalResult\n): r is VerifyLocalSuccess & { variant: 'wire-02' } {\n // Always false: verifyLocal() only returns variant 'wire-02'\n return false;\n}\n\n/**\n * Type guard: narrows a VerifyLocalResult to a Wire 0.2 success (v0.12.0-preview.1).\n *\n * Use instead of manual `result.valid && result.variant === 'wire-02'` checks\n * to get proper claims narrowing to Wire02Claims.\n */\nexport function isWire02Result(\n r: VerifyLocalResult\n): r is VerifyLocalSuccess & { variant: 'wire-02' } {\n return r.valid === true && r.variant === 'wire-02';\n}\n"]}
package/dist/verify-local.d.ts CHANGED
@@ -5,7 +5,7 @@
5
5
  * without JWKS discovery.
6
6
  */
7
7
  import { type VerificationStrictness, type VerificationWarning } from '@peac/kernel';
8
- import { type ReceiptClaimsType, type AttestationReceiptClaims, type Wire02Claims } from '@peac/schema';
8
+ import { type Wire02Claims } from '@peac/schema';
9
9
  import type { PolicyBindingStatus } from './verifier-types';
10
10
  /**
11
11
  * Canonical error codes for local verification
@@ -27,30 +27,25 @@ export interface VerifyLocalOptions {
27
27
  */
28
28
  issuer?: string;
29
29
  /**
30
- * Expected audience URL
31
- *
32
- * If provided, verification fails if receipt.aud does not match.
30
+ * @deprecated Wire 0.2 does not have an `aud` claim. This option is ignored.
31
+ * Retained for source compatibility during migration; will be removed in v1.0.
33
32
  */
34
33
  audience?: string;
35
34
  /**
36
35
  * Expected subject URI
37
36
  *
38
- * If provided, verification fails if receipt.subject.uri does not match.
37
+ * If provided, verification fails if receipt.sub does not match.
39
38
  * Binds the receipt to a specific resource/interaction target.
40
39
  */
41
40
  subjectUri?: string;
42
41
  /**
43
- * Expected receipt ID (rid)
44
- *
45
- * If provided, verification fails if receipt.rid does not match.
46
- * Useful for idempotency checks or correlating with prior receipts.
42
+ * @deprecated Wire 0.2 does not have a `rid` claim. Use `jti` for receipt identification.
43
+ * This option is ignored. Retained for source compatibility; will be removed in v1.0.
47
44
  */
48
45
  rid?: string;
49
46
  /**
50
- * Require expiration claim
51
- *
52
- * If true, receipts without exp claim are rejected.
53
- * Defaults to false.
47
+ * @deprecated Wire 0.2 receipts do not expire (permanent evidence by design).
48
+ * This option is ignored. Retained for source compatibility; will be removed in v1.0.
54
49
  */
55
50
  requireExp?: boolean;
56
51
  /**
@@ -90,54 +85,15 @@ export interface VerifyLocalOptions {
90
85
  policyDigest?: string;
91
86
  }
92
87
  /**
93
- * Result of successful local verification
88
+ * Result of successful local verification (Wire 0.2 only)
94
89
  *
95
- * Discriminated union on `variant` -- callers narrow claims type via variant check:
96
- * if (result.valid && result.variant === 'commerce') { result.claims.amt }
97
- * if (result.valid && result.variant === 'wire-02') { result.claims.kind }
90
+ * Wire 0.1 receipts are no longer accepted by verifyLocal() and return
91
+ * E_UNSUPPORTED_WIRE_VERSION. Re-issue as Wire 0.2 using issueWire02().
98
92
  */
99
- export type VerifyLocalSuccess = {
100
- /** Verification succeeded */
101
- valid: true;
102
- /** Receipt variant (commerce = payment receipt) */
103
- variant: 'commerce';
104
- /** Validated commerce receipt claims */
105
- claims: ReceiptClaimsType;
106
- /** Key ID from JWS header (for logging/indexing) */
107
- kid: string;
108
- /** Wire format version */
109
- wireVersion: '0.1';
110
- /** Verification warnings (always empty for Wire 0.1) */
111
- warnings: VerificationWarning[];
112
- /**
113
- * Policy binding status (DD-49).
114
- *
115
- * Always 'unavailable' for Wire 0.1 receipts (no policy digest on wire).
116
- */
117
- policy_binding: PolicyBindingStatus;
118
- } | {
93
+ export interface VerifyLocalSuccess {
119
94
  /** Verification succeeded */
120
95
  valid: true;
121
- /** Receipt variant (attestation = non-payment) */
122
- variant: 'attestation';
123
- /** Validated attestation receipt claims */
124
- claims: AttestationReceiptClaims;
125
- /** Key ID from JWS header (for logging/indexing) */
126
- kid: string;
127
- /** Wire format version */
128
- wireVersion: '0.1';
129
- /** Verification warnings (always empty for Wire 0.1) */
130
- warnings: VerificationWarning[];
131
- /**
132
- * Policy binding status (DD-49).
133
- *
134
- * Always 'unavailable' for Wire 0.1 receipts.
135
- */
136
- policy_binding: PolicyBindingStatus;
137
- } | {
138
- /** Verification succeeded */
139
- valid: true;
140
- /** Receipt variant (wire-02 = Wire 0.2 evidence or challenge) */
96
+ /** Receipt variant (always 'wire-02') */
141
97
  variant: 'wire-02';
142
98
  /** Validated Wire 0.2 receipt claims */
143
99
  claims: Wire02Claims;
@@ -158,7 +114,7 @@ export type VerifyLocalSuccess = {
158
114
  * E_POLICY_BINDING_FAILED (valid: false) before reaching this field.
159
115
  */
160
116
  policy_binding: PolicyBindingStatus;
161
- };
117
+ }
162
118
  /**
163
119
  * Result of failed local verification
164
120
  */
@@ -194,22 +150,22 @@ export interface VerifyLocalFailure {
194
150
  */
195
151
  export type VerifyLocalResult = VerifyLocalSuccess | VerifyLocalFailure;
196
152
  /**
197
- * Verify a PEAC receipt locally with a known public key
153
+ * Verify a Wire 0.2 PEAC receipt locally with a known public key.
154
+ *
155
+ * Wire 0.2 only: Wire 0.1 receipts return E_UNSUPPORTED_WIRE_VERSION.
156
+ * Re-issue Wire 0.1 receipts as Wire 0.2 using issueWire02().
198
157
  *
199
158
  * This function:
200
159
  * 1. Verifies the Ed25519 signature and header (typ, alg)
201
160
  * 2. Applies strictness routing for missing typ (strict: hard error; interop: warning)
202
- * 3. Validates the receipt schema with Zod (Wire 0.1 or Wire 0.2)
203
- * 4. Checks issuer/audience/subject binding (if options provided)
204
- * 5. Checks time validity (exp/iat with clock skew tolerance)
205
- * 6. For Wire 0.2: checks occurred_at skew and collects parse warnings
206
- *
207
- * Use this when you have the issuer's public key and don't need JWKS discovery.
208
- * For JWKS-based verification, use `verifyReceipt()` instead.
161
+ * 3. Validates the receipt schema with Zod (Wire 0.2 only)
162
+ * 4. Checks issuer/subject binding (if options provided)
163
+ * 5. Checks time validity (iat with clock skew tolerance)
164
+ * 6. Checks occurred_at skew and collects parse warnings
209
165
  *
210
166
  * @param jws - JWS compact serialization
211
167
  * @param publicKey - Ed25519 public key (32 bytes)
212
- * @param options - Optional verification options (issuer, audience, subject, clock skew, strictness)
168
+ * @param options - Optional verification options (issuer, subject, clock skew, strictness, policyDigest)
213
169
  * @returns Typed verification result
214
170
  *
215
171
  * @example
@@ -218,7 +174,7 @@ export type VerifyLocalResult = VerifyLocalSuccess | VerifyLocalFailure;
218
174
  * issuer: 'https://api.example.com',
219
175
  * strictness: 'strict',
220
176
  * });
221
- * if (result.valid && result.variant === 'wire-02') {
177
+ * if (result.valid) {
222
178
  * console.log('Kind:', result.claims.kind);
223
179
  * console.log('Warnings:', result.warnings);
224
180
  * }
@@ -226,22 +182,18 @@ export type VerifyLocalResult = VerifyLocalSuccess | VerifyLocalFailure;
226
182
  */
227
183
  export declare function verifyLocal(jws: string, publicKey: Uint8Array, options?: VerifyLocalOptions): Promise<VerifyLocalResult>;
228
184
  /**
229
- * Type guard: narrows a VerifyLocalResult to a commerce success.
230
- *
231
- * Use instead of manual `result.valid && result.variant === 'commerce'` checks
232
- * to get proper claims narrowing to ReceiptClaimsType.
185
+ * @deprecated Removed: verifyLocal() is Wire 0.2 only and always returns variant 'wire-02'.
186
+ * This guard always returns false. Remove usage and use isWire02Result() instead.
233
187
  */
234
188
  export declare function isCommerceResult(r: VerifyLocalResult): r is VerifyLocalSuccess & {
235
- variant: 'commerce';
189
+ variant: 'wire-02';
236
190
  };
237
191
  /**
238
- * Type guard: narrows a VerifyLocalResult to an attestation success.
239
- *
240
- * Use instead of manual `result.valid && result.variant === 'attestation'` checks
241
- * to get proper claims narrowing to AttestationReceiptClaims.
192
+ * @deprecated Removed: verifyLocal() is Wire 0.2 only and always returns variant 'wire-02'.
193
+ * This guard always returns false. Remove usage and use isWire02Result() instead.
242
194
  */
243
195
  export declare function isAttestationResult(r: VerifyLocalResult): r is VerifyLocalSuccess & {
244
- variant: 'attestation';
196
+ variant: 'wire-02';
245
197
  };
246
198
  /**
247
199
  * Type guard: narrows a VerifyLocalResult to a Wire 0.2 success (v0.12.0-preview.1).
package/dist/verify-local.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"verify-local.d.ts","sourceRoot":"","sources":["../src/verify-local.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,KAAK,sBAAsB,EAAE,KAAK,mBAAmB,EAAQ,MAAM,cAAc,CAAC;AAC3F,OAAO,EAGL,KAAK,iBAAiB,EACtB,KAAK,wBAAwB,EAC7B,KAAK,YAAY,EAUlB,MAAM,cAAc,CAAC;AACtB,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AA8B5D;;;;;;;GAOG;AACH,MAAM,MAAM,oBAAoB,GAC5B,qBAAqB,GACrB,kBAAkB,GAClB,wBAAwB,GACxB,WAAW,GACX,iBAAiB,GACjB,kBAAkB,GAClB,oBAAoB,GACpB,mBAAmB,GACnB,sBAAsB,GACtB,eAAe,GACf,yBAAyB,GACzB,4BAA4B,GAC5B,sBAAsB,GAEtB,oBAAoB,GACpB,qBAAqB,GACrB,mBAAmB,GACnB,oBAAoB,GACpB,oBAAoB,GAEpB,yBAAyB,GACzB,YAAY,CAAC;AAEjB;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB;;;;;OAKG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;;;;OAKG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IAErB;;;;OAIG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;;;;;OAOG;IACH,UAAU,CAAC,EAAE,sBAAsB,CAAC;IAEpC;;;;;;;;;;;OAWG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;GAMG;AACH,MAAM,MAAM,kBAAkB,GAC1B;IACE,6BAA6B;IAC7B,KAAK,EAAE,IAAI,CAAC;IACZ,mDAAmD;IACnD,OAAO,EAAE,UAAU,CAAC;IACpB,wCAAwC;IACxC,MAAM,EAAE,iBAAiB,CAAC;IAC1B,oDAAoD;IACpD,GAAG,EAAE,MAAM,CAAC;IACZ,0BAA0B;IAC1B,WAAW,EAAE,KAAK,CAAC;IACnB,wDAAwD;IACxD,QAAQ,EAAE,mBAAmB,EAAE,CAAC;IAChC;;;;OAIG;IACH,cAAc,EAAE,mBAAmB,CAAC;CACrC,GACD;IACE,6BAA6B;IAC7B,KAAK,EAAE,IAAI,CAAC;IACZ,kDAAkD;IAClD,OAAO,EAAE,aAAa,CAAC;IACvB,2CAA2C;IAC3C,MAAM,EAAE,wBAAwB,CAAC;IACjC,oDAAoD;IACpD,GAAG,EAAE,MAAM,CAAC;IACZ,0BAA0B;IAC1B,WAAW,EAAE,KAAK,CAAC;IACnB,wDAAwD;IACxD,QAAQ,EAAE,mBAAmB,EAAE,CAAC;IAChC;;;;OAIG;IACH,cAAc,EAAE,mBAAmB,CAAC;CACrC,GACD;IACE,6BAA6B;IAC7B,KAAK,EAAE,IAAI,CAAC;IACZ,iEAAiE;IACjE,OAAO,EAAE,SAAS,CAAC;IACnB,wCAAwC;IACxC,MAAM,EAAE,YAAY,CAAC;IACrB,oDAAoD;IACpD,GAAG,EAAE,MAAM,CAAC;IACZ,0BAA0B;IAC1B,WAAW,EAAE,KAAK,CAAC;IACnB,uEAAuE;IACvE,QAAQ,EAAE,mBAAmB,EAAE,CAAC;IAChC;;;;;;;;;OASG;IACH,cAAc,EAAE,mBAAmB,CAAC;CACrC,CAAC;AAEN;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,0BAA0B;IAC1B,KAAK,EAAE,KAAK,CAAC;IAEb,8DAA8D;IAC9D,IAAI,EAAE,oBAAoB,CAAC;IAE3B,mCAAmC;IACnC,OAAO,EAAE,MAAM,CAAC;IAEhB,+EAA+E;IAC/E,OAAO,CAAC,EAAE;QACR,mFAAmF;QACnF,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,+EAA+E;QAC/E,MAAM,CAAC,EAAE,aAAa,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QAC1D;;;WAGG;QACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;QAC/B,oFAAoF;QACpF,mBAAmB,CAAC,EAAE,MAAM,CAAC;QAC7B,mGAAmG;QACnG,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG,kBAAkB,GAAG,kBAAkB,CAAC;AA6CxE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,wBAAsB,WAAW,CAC/B,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,UAAU,EACrB,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,iBAAiB,CAAC,CAyV5B;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAC9B,CAAC,EAAE,iBAAiB,GACnB,CAAC,IAAI,kBAAkB,GAAG;IAAE,OAAO,EAAE,UAAU,CAAA;CAAE,CAEnD;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,CACjC,CAAC,EAAE,iBAAiB,GACnB,CAAC,IAAI,kBAAkB,GAAG;IAAE,OAAO,EAAE,aAAa,CAAA;CAAE,CAEtD;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAC5B,CAAC,EAAE,iBAAiB,GACnB,CAAC,IAAI,kBAAkB,GAAG;IAAE,OAAO,EAAE,SAAS,CAAA;CAAE,CAElD"}
1
+ {"version":3,"file":"verify-local.d.ts","sourceRoot":"","sources":["../src/verify-local.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,KAAK,sBAAsB,EAAE,KAAK,mBAAmB,EAAQ,MAAM,cAAc,CAAC;AAC3F,OAAO,EAGL,KAAK,YAAY,EAUlB,MAAM,cAAc,CAAC;AACtB,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,kBAAkB,CAAC;AA8B5D;;;;;;;GAOG;AACH,MAAM,MAAM,oBAAoB,GAC5B,qBAAqB,GACrB,kBAAkB,GAClB,wBAAwB,GACxB,WAAW,GACX,iBAAiB,GACjB,kBAAkB,GAClB,oBAAoB,GACpB,mBAAmB,GACnB,sBAAsB,GACtB,eAAe,GACf,yBAAyB,GACzB,4BAA4B,GAC5B,sBAAsB,GAEtB,oBAAoB,GACpB,qBAAqB,GACrB,mBAAmB,GACnB,oBAAoB,GACpB,oBAAoB,GAEpB,yBAAyB,GACzB,YAAY,CAAC;AAEjB;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;;OAGG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB;;;OAGG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;;OAGG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IAErB;;;;OAIG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB;;;;;;;OAOG;IACH,UAAU,CAAC,EAAE,sBAAsB,CAAC;IAEpC;;;;;;;;;;;OAWG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;;;;GAKG;AACH,MAAM,WAAW,kBAAkB;IACjC,6BAA6B;IAC7B,KAAK,EAAE,IAAI,CAAC;IACZ,yCAAyC;IACzC,OAAO,EAAE,SAAS,CAAC;IACnB,wCAAwC;IACxC,MAAM,EAAE,YAAY,CAAC;IACrB,oDAAoD;IACpD,GAAG,EAAE,MAAM,CAAC;IACZ,0BAA0B;IAC1B,WAAW,EAAE,KAAK,CAAC;IACnB,uEAAuE;IACvE,QAAQ,EAAE,mBAAmB,EAAE,CAAC;IAChC;;;;;;;;;OASG;IACH,cAAc,EAAE,mBAAmB,CAAC;CACrC;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,0BAA0B;IAC1B,KAAK,EAAE,KAAK,CAAC;IAEb,8DAA8D;IAC9D,IAAI,EAAE,oBAAoB,CAAC;IAE3B,mCAAmC;IACnC,OAAO,EAAE,MAAM,CAAC;IAEhB,+EAA+E;IAC/E,OAAO,CAAC,EAAE;QACR,mFAAmF;QACnF,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,+EAA+E;QAC/E,MAAM,CAAC,EAAE,aAAa,CAAC;YAAE,IAAI,EAAE,MAAM,CAAC;YAAC,OAAO,EAAE,MAAM,CAAA;SAAE,CAAC,CAAC;QAC1D;;;WAGG;QACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;QAC/B,oFAAoF;QACpF,mBAAmB,CAAC,EAAE,MAAM,CAAC;QAC7B,mGAAmG;QACnG,UAAU,CAAC,EAAE,MAAM,CAAC;KACrB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG,kBAAkB,GAAG,kBAAkB,CAAC;AA6CxE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,wBAAsB,WAAW,CAC/B,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,UAAU,EACrB,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,iBAAiB,CAAC,CAwP5B;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAC9B,CAAC,EAAE,iBAAiB,GACnB,CAAC,IAAI,kBAAkB,GAAG;IAAE,OAAO,EAAE,SAAS,CAAA;CAAE,CAGlD;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CACjC,CAAC,EAAE,iBAAiB,GACnB,CAAC,IAAI,kBAAkB,GAAG;IAAE,OAAO,EAAE,SAAS,CAAA;CAAE,CAGlD;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAC5B,CAAC,EAAE,iBAAiB,GACnB,CAAC,IAAI,kBAAkB,GAAG;IAAE,OAAO,EAAE,SAAS,CAAA;CAAE,CAElD"}