@peac/protocol 0.12.0-preview.1 → 0.12.0

package/README.md

@@ -22,11 +22,16 @@ const { publicKey, privateKey } = await generateKeypair();
 
 const { jws } = await issue({
   iss: 'https://api.example.com',
-  aud: 'https://client.example.com',
-  amt: 100,
-  cur: 'USD',
-  rail: 'stripe',
-  reference: 'pi_abc123',
+  kind: 'evidence',
+  type: 'org.peacprotocol/payment',
+  pillars: ['commerce'],
+  extensions: {
+    'org.peacprotocol/commerce': {
+      payment_rail: 'stripe',
+      amount_minor: '10000',
+      currency: 'USD',
+    },
+  },
   privateKey,
   kid: 'key-2026-02',
 });
@@ -39,10 +44,10 @@ import { verifyLocal } from '@peac/protocol';
 
 const result = await verifyLocal(jws, publicKey);
 
-if (result.valid && result.variant === 'commerce') {
+if (result.valid && result.wireVersion === '0.2') {
   console.log(result.claims.iss); // issuer
-  console.log(result.claims.amt); // amount
-  console.log(result.claims.cur); // currency
+  console.log(result.claims.kind); // evidence
+  console.log(result.claims.type); // org.peacprotocol/payment
 } else if (!result.valid) {
   console.log(result.code, result.message);
 }
@@ -50,16 +55,23 @@ if (result.valid && result.variant === 'commerce') {
 
 ## How Do I Verify with JWKS Discovery?
 
+> **Note:** `verifyReceipt()` is deprecated (Wire 0.1 only). For Wire 0.2 receipts,
+> resolve the issuer's JWKS manually and pass the public key to `verifyLocal()`.
+> Automated JWKS discovery for Wire 0.2 is planned for a future release.
+
 ```typescript
-import { verifyReceipt } from '@peac/protocol';
+import { verifyLocal } from '@peac/protocol';
 
-// Resolves issuer's /.well-known/peac-issuer.json -> jwks_uri -> public key
-const result = await verifyReceipt(jws);
+// 1. Resolve issuer's /.well-known/peac-issuer.json -> jwks_uri -> public key
+// 2. Pass the resolved key to verifyLocal()
+const result = await verifyLocal(jws, resolvedPublicKey, {
+  issuer: 'https://api.example.com',
+});
 
-if (result.ok) {
+if (result.valid) {
   console.log('Issuer:', result.claims.iss);
 } else {
-  console.log(result.reason, result.details);
+  console.log(result.code, result.message);
 }
 ```
 

package/dist/index.cjs

@@ -35,7 +35,7 @@ var IssueError = class extends Error {
     this.peacError = peacError;
   }
 };
-async function issue(options) {
+async function issueWire01(options) {
   if (!options.iss.startsWith("https://")) {
     throw new Error("Issuer URL must start with https://");
   }
@@ -176,9 +176,12 @@ async function issue(options) {
   };
 }
 async function issueJws(options) {
-  const result = await issue(options);
+  const result = await issueWire01(options);
   return result.jws;
 }
+async function issue(options) {
+  return issueWire02(options);
+}
 async function issueWire02(options) {
   if (!schema.isCanonicalIss(options.iss)) {
     throw new IssueError({
@@ -188,7 +191,7 @@ async function issueWire02(options) {
       retryable: false,
       http_status: 400,
       details: {
-        message: `iss is not in canonical form: "${options.iss}". Use https:// origin or did: identifier.`
+        message: `iss is not in canonical form: "${options.iss}". Use an https://<origin> or did:<method> identifier.`
       }
     });
   }
@@ -1415,16 +1418,7 @@ function sanitizeParseIssues(issues) {
   }));
 }
 async function verifyLocal(jws, publicKey, options = {}) {
-  const {
-    issuer,
-    audience,
-    subjectUri,
-    rid,
-    requireExp = false,
-    maxClockSkew = 300,
-    strictness = "strict",
-    policyDigest
-  } = options;
+  const { issuer, subjectUri, maxClockSkew = 300, strictness = "strict", policyDigest } = options;
   const now = options.now ?? Math.floor(Date.now() / 1e3);
   try {
     const result = await crypto.verify(jws, publicKey);
@@ -1556,86 +1550,11 @@ async function verifyLocal(jws, publicKey, options = {}) {
         policy_binding: bindingStatus
       };
     }
-    const w01 = pr.claims;
-    if (issuer !== void 0 && w01.iss !== issuer) {
-      return {
-        valid: false,
-        code: "E_INVALID_ISSUER",
-        message: `Issuer mismatch: expected "${issuer}", got "${w01.iss}"`
-      };
-    }
-    if (audience !== void 0 && w01.aud !== audience) {
-      return {
-        valid: false,
-        code: "E_INVALID_AUDIENCE",
-        message: `Audience mismatch: expected "${audience}", got "${w01.aud}"`
-      };
-    }
-    if (rid !== void 0 && w01.rid !== rid) {
-      return {
-        valid: false,
-        code: "E_INVALID_RECEIPT_ID",
-        message: `Receipt ID mismatch: expected "${rid}", got "${w01.rid}"`
-      };
-    }
-    if (requireExp && w01.exp === void 0) {
-      return {
-        valid: false,
-        code: "E_MISSING_EXP",
-        message: "Receipt missing required exp claim"
-      };
-    }
-    if (w01.iat > now + maxClockSkew) {
-      return {
-        valid: false,
-        code: "E_NOT_YET_VALID",
-        message: `Receipt not yet valid: issued at ${new Date(w01.iat * 1e3).toISOString()}, now is ${new Date(now * 1e3).toISOString()}`
-      };
-    }
-    if (w01.exp !== void 0 && w01.exp < now - maxClockSkew) {
-      return {
-        valid: false,
-        code: "E_EXPIRED",
-        message: `Receipt expired at ${new Date(w01.exp * 1e3).toISOString()}`
-      };
-    }
-    if (pr.variant === "commerce") {
-      const claims = pr.claims;
-      if (subjectUri !== void 0 && claims.subject?.uri !== subjectUri) {
-        return {
-          valid: false,
-          code: "E_INVALID_SUBJECT",
-          message: `Subject mismatch: expected "${subjectUri}", got "${claims.subject?.uri ?? "undefined"}"`
-        };
-      }
-      return {
-        valid: true,
-        variant: "commerce",
-        claims,
-        kid: result.header.kid,
-        wireVersion: "0.1",
-        warnings: [],
-        policy_binding: "unavailable"
-      };
-    } else {
-      const claims = pr.claims;
-      if (subjectUri !== void 0 && claims.sub !== subjectUri) {
-        return {
-          valid: false,
-          code: "E_INVALID_SUBJECT",
-          message: `Subject mismatch: expected "${subjectUri}", got "${claims.sub ?? "undefined"}"`
-        };
-      }
-      return {
-        valid: true,
-        variant: "attestation",
-        claims,
-        kid: result.header.kid,
-        wireVersion: "0.1",
-        warnings: [],
-        policy_binding: "unavailable"
-      };
-    }
+    return {
+      valid: false,
+      code: "E_UNSUPPORTED_WIRE_VERSION",
+      message: "Wire 0.1 receipts are not supported. Re-issue as Wire 0.2 using issue()."
+    };
   } catch (err) {
     if (isCryptoError(err)) {
       if (Object.prototype.hasOwnProperty.call(JOSE_CODE_MAP, err.code)) {
@@ -1684,10 +1603,10 @@ async function verifyLocal(jws, publicKey, options = {}) {
   }
 }
 function isCommerceResult(r) {
-  return r.valid === true && r.variant === "commerce";
+  return false;
 }
 function isAttestationResult(r) {
-  return r.valid === true && r.variant === "attestation";
+  return false;
 }
 function isWire02Result(r) {
   return r.valid === true && r.variant === "wire-02";
@@ -3084,6 +3003,7 @@ exports.isCommerceResult = isCommerceResult;
 exports.isWire02Result = isWire02Result;
 exports.issue = issue;
 exports.issueJws = issueJws;
+exports.issueWire01 = issueWire01;
 exports.issueWire02 = issueWire02;
 exports.parseBodyProfile = parseBodyProfile;
 exports.parseDiscovery = parseDiscovery;