@peac/protocol 0.9.18 → 0.10.0

package/dist/issue.d.ts

@@ -2,7 +2,8 @@
  * Receipt issuance
  * Validates input, generates UUIDv7 rid, and signs with Ed25519
  */
-import { PEACReceiptClaims, SubjectProfileSnapshot } from '@peac/schema';
+import type { JsonValue } from '@peac/kernel';
+import { PEACReceiptClaims, SubjectProfileSnapshot, type PEACError, type PurposeToken, type CanonicalPurpose, type PurposeReason } from '@peac/schema';
 /**
  * Options for issuing a receipt
  */
@@ -27,8 +28,8 @@ export interface IssueOptions {
     network?: string;
     /** Facilitator reference (optional) */
     facilitator_ref?: string;
-    /** Rail-specific evidence (opaque) - defaults to empty object if not provided */
-    evidence?: unknown;
+    /** Rail-specific evidence (JSON-safe) - defaults to empty object if not provided */
+    evidence?: JsonValue;
     /** Idempotency key (optional) */
     idempotency_key?: string;
     /** Rail-specific metadata (optional) */
@@ -41,6 +42,26 @@ export interface IssueOptions {
     exp?: number;
     /** Subject profile snapshot for envelope (v0.9.17+, optional) */
     subject_snapshot?: SubjectProfileSnapshot;
+    /**
+     * Purposes declared by the requesting agent (v0.9.24+, optional)
+     *
+     * From PEAC-Purpose request header. Accepts single token or array.
+     * Unknown tokens are preserved for forward compatibility.
+     */
+    purpose?: PurposeToken | PurposeToken[];
+    /**
+     * Single purpose enforced by policy (v0.9.24+, optional)
+     *
+     * MUST be one of declared purposes OR a more restrictive downgrade.
+     * Only canonical purposes have enforcement semantics.
+     */
+    purpose_enforced?: CanonicalPurpose;
+    /**
+     * Reason for enforcement decision (v0.9.24+, optional)
+     *
+     * The audit spine - explains WHY purpose was enforced as it was.
+     */
+    purpose_reason?: PurposeReason;
     /** Ed25519 private key (32 bytes) */
     privateKey: Uint8Array;
     /** Key ID (ISO 8601 timestamp) */
@@ -55,11 +76,22 @@ export interface IssueResult {
     /** Validated subject snapshot (if provided) */
     subject_snapshot?: SubjectProfileSnapshot;
 }
+/**
+ * Error thrown during receipt issuance
+ *
+ * Wraps a structured PEACError for programmatic handling.
+ */
+export declare class IssueError extends Error {
+    /** Structured error details */
+    readonly peacError: PEACError;
+    constructor(peacError: PEACError);
+}
 /**
  * Issue a PEAC receipt
  *
  * @param options - Receipt options
  * @returns Issue result with JWS and optional subject_snapshot
+ * @throws IssueError if evidence contains non-JSON-safe values
  */
 export declare function issue(options: IssueOptions): Promise<IssueResult>;
 /**

package/dist/issue.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"issue.d.ts","sourceRoot":"","sources":["../src/issue.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,EACL,iBAAiB,EAEjB,sBAAsB,EAEvB,MAAM,cAAc,CAAC;AAEtB;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,4BAA4B;IAC5B,GAAG,EAAE,MAAM,CAAC;IAEZ,yCAAyC;IACzC,GAAG,EAAE,MAAM,CAAC;IAEZ,uCAAuC;IACvC,GAAG,EAAE,MAAM,CAAC;IAEZ,yCAAyC;IACzC,GAAG,EAAE,MAAM,CAAC;IAEZ,8BAA8B;IAC9B,IAAI,EAAE,MAAM,CAAC;IAEb,sCAAsC;IACtC,SAAS,EAAE,MAAM,CAAC;IAElB,4FAA4F;IAC5F,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,0DAA0D;IAC1D,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAEtB,4DAA4D;IAC5D,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,uCAAuC;IACvC,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB,iFAAiF;IACjF,QAAQ,CAAC,EAAE,OAAO,CAAC;IAEnB,iCAAiC;IACjC,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAEnC,6BAA6B;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,4BAA4B;IAC5B,GAAG,CAAC,EAAE,iBAAiB,CAAC,KAAK,CAAC,CAAC;IAE/B,gDAAgD;IAChD,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,iEAAiE;IACjE,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAE1C,qCAAqC;IACrC,UAAU,EAAE,UAAU,CAAC;IAEvB,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,gCAAgC;IAChC,GAAG,EAAE,MAAM,CAAC;IAEZ,+CAA+C;IAC/C,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;CAC3C;AAED;;;;;GAKG;AACH,wBAAsB,KAAK,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC,CA2EvE;AAED;;;;;;;;GAQG;AACH,wBAAsB,QAAQ,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,CAGrE"}
+{"version":3,"file":"issue.d.ts","sourceRoot":"","sources":["../src/issue.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAE9C,OAAO,EACL,iBAAiB,EAEjB,sBAAsB,EAGtB,KAAK,SAAS,EACd,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,aAAa,EAInB,MAAM,cAAc,CAAC;AAItB;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,4BAA4B;IAC5B,GAAG,EAAE,MAAM,CAAC;IAEZ,yCAAyC;IACzC,GAAG,EAAE,MAAM,CAAC;IAEZ,uCAAuC;IACvC,GAAG,EAAE,MAAM,CAAC;IAEZ,yCAAyC;IACzC,GAAG,EAAE,MAAM,CAAC;IAEZ,8BAA8B;IAC9B,IAAI,EAAE,MAAM,CAAC;IAEb,sCAAsC;IACtC,SAAS,EAAE,MAAM,CAAC;IAElB,4FAA4F;IAC5F,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,0DAA0D;IAC1D,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAEtB,4DAA4D;IAC5D,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,uCAAuC;IACvC,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB,oFAAoF;IACpF,QAAQ,CAAC,EAAE,SAAS,CAAC;IAErB,iCAAiC;IACjC,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAEnC,6BAA6B;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,4BAA4B;IAC5B,GAAG,CAAC,EAAE,iBAAiB,CAAC,KAAK,CAAC,CAAC;IAE/B,gDAAgD;IAChD,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,iEAAiE;IACjE,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAE1C;;;;;OAKG;IACH,OAAO,CAAC,EAAE,YAAY,GAAG,YAAY,EAAE,CAAC;IAExC;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IAEpC;;;;OAIG;IACH,cAAc,CAAC,EAAE,aAAa,CAAC;IAE/B,qCAAqC;IACrC,UAAU,EAAE,UAAU,CAAC;IAEvB,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,gCAAgC;IAChC,GAAG,EAAE,MAAM,CAAC;IAEZ,+CAA+C;IAC/C,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;CAC3C;AAED;;;;GAIG;AACH,qBAAa,UAAW,SAAQ,KAAK;IACnC,+BAA+B;IAC/B,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;gBAElB,SAAS,EAAE,SAAS;CAMjC;AAED;;;;;;GAMG;AACH,wBAAsB,KAAK,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC,CA0JvE;AAED;;;;;;;;GAQG;AACH,wBAAsB,QAAQ,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,CAGrE"}

package/dist/issue.js

@@ -4,16 +4,37 @@
  * Validates input, generates UUIDv7 rid, and signs with Ed25519
  */
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.IssueError = void 0;
 exports.issue = issue;
 exports.issueJws = issueJws;
 const uuidv7_1 = require("uuidv7");
 const crypto_1 = require("@peac/crypto");
+const zod_1 = require("zod");
 const schema_1 = require("@peac/schema");
+const telemetry_1 = require("@peac/telemetry");
+const telemetry_js_1 = require("./telemetry.js");
+/**
+ * Error thrown during receipt issuance
+ *
+ * Wraps a structured PEACError for programmatic handling.
+ */
+class IssueError extends Error {
+    /** Structured error details */
+    peacError;
+    constructor(peacError) {
+        const details = peacError.details;
+        super(details?.message ?? peacError.code);
+        this.name = 'IssueError';
+        this.peacError = peacError;
+    }
+}
+exports.IssueError = IssueError;
 /**
  * Issue a PEAC receipt
  *
  * @param options - Receipt options
  * @returns Issue result with JWS and optional subject_snapshot
+ * @throws IssueError if evidence contains non-JSON-safe values
  */
 async function issue(options) {
     // Validate URLs
@@ -40,6 +61,39 @@ async function issue(options) {
             throw new Error('Expiry must be a non-negative integer');
         }
     }
+    // Normalize and validate purpose (v0.9.24+)
+    let purposeDeclared;
+    if (options.purpose !== undefined) {
+        // Normalize to array
+        const rawPurposes = Array.isArray(options.purpose) ? options.purpose : [options.purpose];
+        // Validate each token
+        const invalidTokens = [];
+        for (const token of rawPurposes) {
+            if (!(0, schema_1.isValidPurposeToken)(token)) {
+                invalidTokens.push(token);
+            }
+        }
+        if (invalidTokens.length > 0) {
+            throw new Error(`Invalid purpose tokens: ${invalidTokens.join(', ')}`);
+        }
+        // Check for explicit 'undeclared' which is invalid on wire
+        if (rawPurposes.includes('undeclared')) {
+            throw new Error("Explicit 'undeclared' is not a valid purpose token (internal-only)");
+        }
+        purposeDeclared = rawPurposes;
+    }
+    // Validate purpose_enforced (must be canonical)
+    if (options.purpose_enforced !== undefined) {
+        if (!(0, schema_1.isCanonicalPurpose)(options.purpose_enforced)) {
+            throw new Error(`purpose_enforced must be a canonical purpose, got: ${options.purpose_enforced}`);
+        }
+    }
+    // Validate purpose_reason
+    if (options.purpose_reason !== undefined) {
+        if (!(0, schema_1.isValidPurposeReason)(options.purpose_reason)) {
+            throw new Error(`Invalid purpose_reason: ${options.purpose_reason}`);
+        }
+    }
     // Generate UUIDv7 for receipt ID
     const rid = (0, uuidv7_1.uuidv7)();
     // Get current timestamp
@@ -68,14 +122,49 @@ async function issue(options) {
         ...(options.exp && { exp: options.exp }),
         ...(options.subject && { subject: { uri: options.subject } }),
         ...(options.ext && { ext: options.ext }),
+        // Purpose claims (v0.9.24+)
+        ...(purposeDeclared && { purpose_declared: purposeDeclared }),
+        ...(options.purpose_enforced && { purpose_enforced: options.purpose_enforced }),
+        ...(options.purpose_reason && { purpose_reason: options.purpose_reason }),
     };
-    // Validate claims with Zod
-    schema_1.ReceiptClaims.parse(claims);
+    // Validate claims with Zod - map evidence errors to typed error
+    try {
+        schema_1.ReceiptClaims.parse(claims);
+    }
+    catch (err) {
+        if (err instanceof zod_1.ZodError) {
+            // Check if any error path touches evidence
+            const evidenceIssue = err.issues.find((issue) => issue.path.some((p) => p === 'evidence' || p === 'payment'));
+            if (evidenceIssue && evidenceIssue.path.includes('evidence')) {
+                const peacError = (0, schema_1.createEvidenceNotJsonError)(evidenceIssue.message, evidenceIssue.path);
+                throw new IssueError(peacError);
+            }
+        }
+        throw err;
+    }
     // Validate subject_snapshot if provided (v0.9.17+)
     // This validates schema and logs advisory PII warning if applicable
     const validatedSnapshot = (0, schema_1.validateSubjectSnapshot)(options.subject_snapshot);
+    // Track start time for telemetry
+    const startTime = performance.now();
     // Sign with Ed25519
     const jws = await (0, crypto_1.sign)(claims, options.privateKey, options.kid);
+    // Emit telemetry (no-throw guard)
+    const p = telemetry_1.providerRef.current;
+    if (p) {
+        try {
+            const durationMs = performance.now() - startTime;
+            p.onReceiptIssued({
+                receiptHash: (0, telemetry_js_1.hashReceipt)(jws),
+                issuer: options.iss,
+                kid: options.kid,
+                durationMs,
+            });
+        }
+        catch {
+            // Telemetry MUST NOT break core flow
+        }
+    }
     return {
         jws,
         ...(validatedSnapshot && { subject_snapshot: validatedSnapshot }),

package/dist/issue.js.map

@@ -1 +1 @@
-{"version":3,"file":"issue.js","sourceRoot":"","sources":["../src/issue.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AA0FH,sBA2EC;AAWD,4BAGC;AAjLD,mCAAgC;AAChC,yCAAoC;AACpC,yCAKsB;AA2EtB;;;;;GAKG;AACI,KAAK,UAAU,KAAK,CAAC,OAAqB;IAC/C,gBAAgB;IAChB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IACD,IAAI,OAAO,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/D,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAED,yBAAyB;IACzB,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IAED,kBAAkB;IAClB,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,GAAG,GAAG,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IAED,gCAAgC;IAChC,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC9B,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,GAAG,GAAG,CAAC,EAAE,CAAC;YACtD,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,iCAAiC;IACjC,MAAM,GAAG,GAAG,IAAA,eAAM,GAAE,CAAC;IAErB,wBAAwB;IACxB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAE1C,uBAAuB;IACvB,MAAM,MAAM,GAAsB;QAChC,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG;QACH,GAAG;QACH,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,OAAO,EAAE;YACP,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,MAAM,EAAE,OAAO,CAAC,GAAG;YACnB,QAAQ,EAAE,OAAO,CAAC,GAAG;YACrB,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,GAAG,EAAE,uDAAuD;YAC5F,GAAG,EAAE,OAAO,CAAC,GAAG,IAAI,MAAM,EAAE,yDAAyD;YACrF,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,EAAE,EAAE,qDAAqD;YACvF,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC;YACpD,GAAG,CAAC,OAAO,CAAC,eAAe,IAAI,EAAE,eAAe,EAAE,OAAO,CAAC,eAAe,EAAE,CAAC;YAC5E,GAAG,CAAC,OAAO,CAAC,eAAe,IAAI,EAAE,eAAe,EAAE,OAAO,CAAC,eAAe,EAAE,CAAC;YAC5E,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,QAAQ,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC;SACxD;QACD,GAAG,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;QACxC,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;QAC7D,GAAG,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;KACzC,CAAC;IAEF,2BAA2B;IAC3B,sBAAa,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAE5B,mDAAmD;IACnD,oEAAoE;IACpE,MAAM,iBAAiB,GAAG,IAAA,gCAAuB,EAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAE5E,oBAAoB;IACpB,MAAM,GAAG,GAAG,MAAM,IAAA,aAAI,EAAC,MAAM,EAAE,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAEhE,OAAO;QACL,GAAG;QACH,GAAG,CAAC,iBAAiB,IAAI,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,CAAC;KAClE,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACI,KAAK,UAAU,QAAQ,CAAC,OAAqB;IAClD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAC;IACpC,OAAO,MAAM,CAAC,GAAG,CAAC;AACpB,CAAC"}
+{"version":3,"file":"issue.js","sourceRoot":"","sources":["../src/issue.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AA+IH,sBA0JC;AAWD,4BAGC;AArTD,mCAAgC;AAChC,yCAAoC;AAEpC,6BAA+B;AAC/B,yCAasB;AACtB,+CAA8C;AAC9C,iDAA6C;AAkG7C;;;;GAIG;AACH,MAAa,UAAW,SAAQ,KAAK;IACnC,+BAA+B;IACtB,SAAS,CAAY;IAE9B,YAAY,SAAoB;QAC9B,MAAM,OAAO,GAAG,SAAS,CAAC,OAA2C,CAAC;QACtE,KAAK,CAAC,OAAO,EAAE,OAAO,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI,GAAG,YAAY,CAAC;QACzB,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;CACF;AAVD,gCAUC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,KAAK,CAAC,OAAqB;IAC/C,gBAAgB;IAChB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IACD,IAAI,OAAO,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/D,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAED,yBAAyB;IACzB,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IAED,kBAAkB;IAClB,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,GAAG,GAAG,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IAED,gCAAgC;IAChC,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC9B,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,GAAG,GAAG,CAAC,EAAE,CAAC;YACtD,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,4CAA4C;IAC5C,IAAI,eAA2C,CAAC;IAChD,IAAI,OAAO,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QAClC,qBAAqB;QACrB,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAEzF,sBAAsB;QACtB,MAAM,aAAa,GAAa,EAAE,CAAC;QACnC,KAAK,MAAM,KAAK,IAAI,WAAW,EAAE,CAAC;YAChC,IAAI,CAAC,IAAA,4BAAmB,EAAC,KAAK,CAAC,EAAE,CAAC;gBAChC,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;QACD,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,2BAA2B,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACzE,CAAC;QAED,2DAA2D;QAC3D,IAAI,WAAW,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;QACxF,CAAC;QAED,eAAe,GAAG,WAAW,CAAC;IAChC,CAAC;IAED,gDAAgD;IAChD,IAAI,OAAO,CAAC,gBAAgB,KAAK,SAAS,EAAE,CAAC;QAC3C,IAAI,CAAC,IAAA,2BAAkB,EAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAClD,MAAM,IAAI,KAAK,CACb,sDAAsD,OAAO,CAAC,gBAAgB,EAAE,CACjF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,0BAA0B;IAC1B,IAAI,OAAO,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;QACzC,IAAI,CAAC,IAAA,6BAAoB,EAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;YAClD,MAAM,IAAI,KAAK,CAAC,2BAA2B,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC;QACvE,CAAC;IACH,CAAC;IAED,iCAAiC;IACjC,MAAM,GAAG,GAAG,IAAA,eAAM,GAAE,CAAC;IAErB,wBAAwB;IACxB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAE1C,uBAAuB;IACvB,MAAM,MAAM,GAAsB;QAChC,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG;QACH,GAAG;QACH,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,OAAO,EAAE;YACP,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,MAAM,EAAE,OAAO,CAAC,GAAG;YACnB,QAAQ,EAAE,OAAO,CAAC,GAAG;YACrB,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,GAAG,EAAE,uDAAuD;YAC5F,GAAG,EAAE,OAAO,CAAC,GAAG,IAAI,MAAM,EAAE,yDAAyD;YACrF,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,EAAE,EAAE,qDAAqD;YACvF,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC;YACpD,GAAG,CAAC,OAAO,CAAC,eAAe,IAAI,EAAE,eAAe,EAAE,OAAO,CAAC,eAAe,EAAE,CAAC;YAC5E,GAAG,CAAC,OAAO,CAAC,eAAe,IAAI,EAAE,eAAe,EAAE,OAAO,CAAC,eAAe,EAAE,CAAC;YAC5E,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,QAAQ,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC;SACxD;QACD,GAAG,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;QACxC,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;QAC7D,GAAG,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;QACxC,4BAA4B;QAC5B,GAAG,CAAC,eAAe,IAAI,EAAE,gBAAgB,EAAE,eAAe,EAAE,CAAC;QAC7D,GAAG,CAAC,OAAO,CAAC,gBAAgB,IAAI,EAAE,gBAAgB,EAAE,OAAO,CAAC,gBAAgB,EAAE,CAAC;QAC/E,GAAG,CAAC,OAAO,CAAC,cAAc,IAAI,EAAE,cAAc,EAAE,OAAO,CAAC,cAAc,EAAE,CAAC;KAC1E,CAAC;IAEF,gEAAgE;IAChE,IAAI,CAAC;QACH,sBAAa,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9B,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,IAAI,GAAG,YAAY,cAAQ,EAAE,CAAC;YAC5B,2CAA2C;YAC3C,MAAM,aAAa,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CACnC,CAAC,KAAqD,EAAE,EAAE,CACxD,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAkB,EAAE,EAAE,CAAC,CAAC,KAAK,UAAU,IAAI,CAAC,KAAK,SAAS,CAAC,CAC/E,CAAC;YACF,IAAI,aAAa,IAAI,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC7D,MAAM,SAAS,GAAG,IAAA,mCAA0B,EAAC,aAAa,CAAC,OAAO,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC;gBACxF,MAAM,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,mDAAmD;IACnD,oEAAoE;IACpE,MAAM,iBAAiB,GAAG,IAAA,gCAAuB,EAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAE5E,iCAAiC;IACjC,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IAEpC,oBAAoB;IACpB,MAAM,GAAG,GAAG,MAAM,IAAA,aAAI,EAAC,MAAM,EAAE,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAEhE,kCAAkC;IAClC,MAAM,CAAC,GAAG,uBAAW,CAAC,OAAO,CAAC;IAC9B,IAAI,CAAC,EAAE,CAAC;QACN,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YACjD,CAAC,CAAC,eAAe,CAAC;gBAChB,WAAW,EAAE,IAAA,0BAAW,EAAC,GAAG,CAAC;gBAC7B,MAAM,EAAE,OAAO,CAAC,GAAG;gBACnB,GAAG,EAAE,OAAO,CAAC,GAAG;gBAChB,UAAU;aACX,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,qCAAqC;QACvC,CAAC;IACH,CAAC;IAED,OAAO;QACL,GAAG;QACH,GAAG,CAAC,iBAAiB,IAAI,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,CAAC;KAClE,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACI,KAAK,UAAU,QAAQ,CAAC,OAAqB;IAClD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAC;IACpC,OAAO,MAAM,CAAC,GAAG,CAAC;AACpB,CAAC"}

package/dist/telemetry.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Telemetry utilities for protocol package
+ */
+/**
+ * Compute a SHA-256 hash of a receipt JWS
+ *
+ * Returns format: sha256:{hex prefix}
+ * Uses first 16 chars of hex for brevity in logs/spans.
+ */
+export declare function hashReceipt(jws: string): string;
+//# sourceMappingURL=telemetry.d.ts.map

package/dist/telemetry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"telemetry.d.ts","sourceRoot":"","sources":["../src/telemetry.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAG/C"}

package/dist/telemetry.js

@@ -0,0 +1,18 @@
+"use strict";
+/**
+ * Telemetry utilities for protocol package
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hashReceipt = hashReceipt;
+const node_crypto_1 = require("node:crypto");
+/**
+ * Compute a SHA-256 hash of a receipt JWS
+ *
+ * Returns format: sha256:{hex prefix}
+ * Uses first 16 chars of hex for brevity in logs/spans.
+ */
+function hashReceipt(jws) {
+    const hash = (0, node_crypto_1.createHash)('sha256').update(jws).digest('hex');
+    return `sha256:${hash.slice(0, 16)}`;
+}
+//# sourceMappingURL=telemetry.js.map

package/dist/telemetry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"telemetry.js","sourceRoot":"","sources":["../src/telemetry.ts"],"names":[],"mappings":";AAAA;;GAEG;;AAUH,kCAGC;AAXD,6CAAyC;AAEzC;;;;;GAKG;AACH,SAAgB,WAAW,CAAC,GAAW;IACrC,MAAM,IAAI,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC5D,OAAO,UAAU,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;AACvC,CAAC"}

package/dist/verify-local.d.ts

@@ -0,0 +1,125 @@
+/**
+ * Local receipt verification with schema validation
+ *
+ * Use this for verifying receipts when you have the public key locally,
+ * without JWKS discovery.
+ */
+import { type ReceiptClaimsType } from '@peac/schema';
+/**
+ * Canonical error codes for local verification
+ *
+ * These map to E_* codes in specs/kernel/errors.json
+ */
+export type VerifyLocalErrorCode = 'E_INVALID_SIGNATURE' | 'E_INVALID_FORMAT' | 'E_EXPIRED' | 'E_NOT_YET_VALID' | 'E_INVALID_ISSUER' | 'E_INVALID_AUDIENCE' | 'E_INVALID_SUBJECT' | 'E_INVALID_RECEIPT_ID' | 'E_MISSING_EXP' | 'E_INTERNAL';
+/**
+ * Options for local verification
+ */
+export interface VerifyLocalOptions {
+    /**
+     * Expected issuer URL
+     *
+     * If provided, verification fails if receipt.iss does not match.
+     */
+    issuer?: string;
+    /**
+     * Expected audience URL
+     *
+     * If provided, verification fails if receipt.aud does not match.
+     */
+    audience?: string;
+    /**
+     * Expected subject URI
+     *
+     * If provided, verification fails if receipt.subject.uri does not match.
+     * Binds the receipt to a specific resource/interaction target.
+     */
+    subjectUri?: string;
+    /**
+     * Expected receipt ID (rid)
+     *
+     * If provided, verification fails if receipt.rid does not match.
+     * Useful for idempotency checks or correlating with prior receipts.
+     */
+    rid?: string;
+    /**
+     * Require expiration claim
+     *
+     * If true, receipts without exp claim are rejected.
+     * Defaults to false.
+     */
+    requireExp?: boolean;
+    /**
+     * Current timestamp (Unix seconds)
+     *
+     * Defaults to Date.now() / 1000. Override for testing.
+     */
+    now?: number;
+    /**
+     * Maximum clock skew tolerance (seconds)
+     *
+     * Allows for clock drift between issuer and verifier.
+     * Defaults to 300 (5 minutes).
+     */
+    maxClockSkew?: number;
+}
+/**
+ * Result of successful local verification
+ */
+export interface VerifyLocalSuccess {
+    /** Verification succeeded */
+    valid: true;
+    /** Validated receipt claims (schema-derived type) */
+    claims: ReceiptClaimsType;
+    /** Key ID from JWS header (for logging/indexing) */
+    kid: string;
+}
+/**
+ * Result of failed local verification
+ */
+export interface VerifyLocalFailure {
+    /** Verification failed */
+    valid: false;
+    /** Canonical error code (maps to specs/kernel/errors.json) */
+    code: VerifyLocalErrorCode;
+    /** Human-readable error message */
+    message: string;
+}
+/**
+ * Union type for local verification result
+ */
+export type VerifyLocalResult = VerifyLocalSuccess | VerifyLocalFailure;
+/**
+ * Verify a PEAC receipt locally with a known public key
+ *
+ * This function:
+ * 1. Verifies the Ed25519 signature and header (typ, alg)
+ * 2. Validates the receipt schema with Zod
+ * 3. Checks issuer/audience/subject binding (if options provided)
+ * 4. Checks time validity (exp/iat with clock skew tolerance)
+ *
+ * Use this when you have the issuer's public key and don't need JWKS discovery.
+ * For JWKS-based verification, use `verifyReceipt()` instead.
+ *
+ * @param jws - JWS compact serialization
+ * @param publicKey - Ed25519 public key (32 bytes)
+ * @param options - Optional verification options (issuer, audience, subject, clock skew)
+ * @returns Typed verification result
+ *
+ * @example
+ * ```typescript
+ * const result = await verifyLocal(jws, publicKey, {
+ *   issuer: 'https://api.example.com',
+ *   audience: 'https://client.example.com',
+ *   subjectUri: 'https://api.example.com/inference/v1',
+ * });
+ * if (result.valid) {
+ *   console.log('Issuer:', result.claims.iss);
+ *   console.log('Amount:', result.claims.amt, result.claims.cur);
+ *   console.log('Key ID:', result.kid);
+ * } else {
+ *   console.error('Verification failed:', result.code, result.message);
+ * }
+ * ```
+ */
+export declare function verifyLocal(jws: string, publicKey: Uint8Array, options?: VerifyLocalOptions): Promise<VerifyLocalResult>;
+//# sourceMappingURL=verify-local.d.ts.map

package/dist/verify-local.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-local.d.ts","sourceRoot":"","sources":["../src/verify-local.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAuB,KAAK,iBAAiB,EAAE,MAAM,cAAc,CAAC;AA8B3E;;;;GAIG;AACH,MAAM,MAAM,oBAAoB,GAC5B,qBAAqB,GACrB,kBAAkB,GAClB,WAAW,GACX,iBAAiB,GACjB,kBAAkB,GAClB,oBAAoB,GACpB,mBAAmB,GACnB,sBAAsB,GACtB,eAAe,GACf,YAAY,CAAC;AAEjB;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB;;;;;OAKG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;;;;OAKG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IAErB;;;;OAIG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,6BAA6B;IAC7B,KAAK,EAAE,IAAI,CAAC;IAEZ,qDAAqD;IACrD,MAAM,EAAE,iBAAiB,CAAC;IAE1B,oDAAoD;IACpD,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,0BAA0B;IAC1B,KAAK,EAAE,KAAK,CAAC;IAEb,8DAA8D;IAC9D,IAAI,EAAE,oBAAoB,CAAC;IAE3B,mCAAmC;IACnC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG,kBAAkB,GAAG,kBAAkB,CAAC;AAaxE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,wBAAsB,WAAW,CAC/B,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,UAAU,EACrB,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,iBAAiB,CAAC,CAmI5B"}

package/dist/verify-local.js

@@ -0,0 +1,189 @@
+"use strict";
+/**
+ * Local receipt verification with schema validation
+ *
+ * Use this for verifying receipts when you have the public key locally,
+ * without JWKS discovery.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifyLocal = verifyLocal;
+const crypto_1 = require("@peac/crypto");
+const schema_1 = require("@peac/schema");
+/**
+ * Structural check for CryptoError
+ * More robust than instanceof across module boundaries (ESM/CJS, duplicate packages)
+ */
+function isCryptoError(err) {
+    return (err !== null &&
+        typeof err === 'object' &&
+        'name' in err &&
+        err.name === 'CryptoError' &&
+        'code' in err &&
+        typeof err.code === 'string' &&
+        err.code.startsWith('CRYPTO_') &&
+        'message' in err &&
+        typeof err.message === 'string');
+}
+/**
+ * Crypto error codes that indicate format/validation issues
+ * These are CRYPTO_* internal codes from @peac/crypto, mapped to canonical E_* codes
+ */
+const FORMAT_ERROR_CODES = new Set([
+    'CRYPTO_INVALID_JWS_FORMAT',
+    'CRYPTO_INVALID_TYP',
+    'CRYPTO_INVALID_ALG',
+    'CRYPTO_INVALID_KEY_LENGTH',
+]);
+/**
+ * Verify a PEAC receipt locally with a known public key
+ *
+ * This function:
+ * 1. Verifies the Ed25519 signature and header (typ, alg)
+ * 2. Validates the receipt schema with Zod
+ * 3. Checks issuer/audience/subject binding (if options provided)
+ * 4. Checks time validity (exp/iat with clock skew tolerance)
+ *
+ * Use this when you have the issuer's public key and don't need JWKS discovery.
+ * For JWKS-based verification, use `verifyReceipt()` instead.
+ *
+ * @param jws - JWS compact serialization
+ * @param publicKey - Ed25519 public key (32 bytes)
+ * @param options - Optional verification options (issuer, audience, subject, clock skew)
+ * @returns Typed verification result
+ *
+ * @example
+ * ```typescript
+ * const result = await verifyLocal(jws, publicKey, {
+ *   issuer: 'https://api.example.com',
+ *   audience: 'https://client.example.com',
+ *   subjectUri: 'https://api.example.com/inference/v1',
+ * });
+ * if (result.valid) {
+ *   console.log('Issuer:', result.claims.iss);
+ *   console.log('Amount:', result.claims.amt, result.claims.cur);
+ *   console.log('Key ID:', result.kid);
+ * } else {
+ *   console.error('Verification failed:', result.code, result.message);
+ * }
+ * ```
+ */
+async function verifyLocal(jws, publicKey, options = {}) {
+    const { issuer, audience, subjectUri, rid, requireExp = false, maxClockSkew = 300 } = options;
+    const now = options.now ?? Math.floor(Date.now() / 1000);
+    try {
+        // 1. Verify signature and header (typ, alg validated by @peac/crypto)
+        const result = await (0, crypto_1.verify)(jws, publicKey);
+        if (!result.valid) {
+            return {
+                valid: false,
+                code: 'E_INVALID_SIGNATURE',
+                message: 'Ed25519 signature verification failed',
+            };
+        }
+        // 2. Validate schema
+        const parseResult = schema_1.ReceiptClaimsSchema.safeParse(result.payload);
+        if (!parseResult.success) {
+            const firstIssue = parseResult.error.issues[0];
+            return {
+                valid: false,
+                code: 'E_INVALID_FORMAT',
+                message: `Receipt schema validation failed: ${firstIssue?.message ?? 'unknown error'}`,
+            };
+        }
+        const claims = parseResult.data;
+        // 3. Check issuer binding
+        if (issuer !== undefined && claims.iss !== issuer) {
+            return {
+                valid: false,
+                code: 'E_INVALID_ISSUER',
+                message: `Issuer mismatch: expected "${issuer}", got "${claims.iss}"`,
+            };
+        }
+        // 4. Check audience binding
+        if (audience !== undefined && claims.aud !== audience) {
+            return {
+                valid: false,
+                code: 'E_INVALID_AUDIENCE',
+                message: `Audience mismatch: expected "${audience}", got "${claims.aud}"`,
+            };
+        }
+        // 5. Check subject binding
+        if (subjectUri !== undefined) {
+            const actualSubjectUri = claims.subject?.uri;
+            if (actualSubjectUri !== subjectUri) {
+                return {
+                    valid: false,
+                    code: 'E_INVALID_SUBJECT',
+                    message: `Subject mismatch: expected "${subjectUri}", got "${actualSubjectUri ?? 'undefined'}"`,
+                };
+            }
+        }
+        // 6. Check receipt ID binding
+        if (rid !== undefined && claims.rid !== rid) {
+            return {
+                valid: false,
+                code: 'E_INVALID_RECEIPT_ID',
+                message: `Receipt ID mismatch: expected "${rid}", got "${claims.rid}"`,
+            };
+        }
+        // 7. Check requireExp
+        if (requireExp && claims.exp === undefined) {
+            return {
+                valid: false,
+                code: 'E_MISSING_EXP',
+                message: 'Receipt missing required exp claim',
+            };
+        }
+        // 8. Check not-yet-valid (iat with clock skew)
+        if (claims.iat > now + maxClockSkew) {
+            return {
+                valid: false,
+                code: 'E_NOT_YET_VALID',
+                message: `Receipt not yet valid: issued at ${new Date(claims.iat * 1000).toISOString()}, now is ${new Date(now * 1000).toISOString()}`,
+            };
+        }
+        // 9. Check expiry (with clock skew tolerance)
+        if (claims.exp !== undefined && claims.exp < now - maxClockSkew) {
+            return {
+                valid: false,
+                code: 'E_EXPIRED',
+                message: `Receipt expired at ${new Date(claims.exp * 1000).toISOString()}`,
+            };
+        }
+        return {
+            valid: true,
+            claims,
+            kid: result.header.kid,
+        };
+    }
+    catch (err) {
+        // Handle typed CryptoError from @peac/crypto
+        // Use structural check instead of instanceof for robustness across ESM/CJS boundaries
+        // Map internal CRYPTO_* codes to canonical E_* codes
+        if (isCryptoError(err)) {
+            if (FORMAT_ERROR_CODES.has(err.code)) {
+                return {
+                    valid: false,
+                    code: 'E_INVALID_FORMAT',
+                    message: err.message,
+                };
+            }
+            if (err.code === 'CRYPTO_INVALID_SIGNATURE') {
+                return {
+                    valid: false,
+                    code: 'E_INVALID_SIGNATURE',
+                    message: err.message,
+                };
+            }
+        }
+        // All other errors (JSON parse, unexpected) -> E_INTERNAL
+        // No message parsing - code-based mapping only
+        const message = err instanceof Error ? err.message : String(err);
+        return {
+            valid: false,
+            code: 'E_INTERNAL',
+            message: `Unexpected verification error: ${message}`,
+        };
+    }
+}
+//# sourceMappingURL=verify-local.js.map

package/dist/verify-local.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify-local.js","sourceRoot":"","sources":["../src/verify-local.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAyLH,kCAuIC;AA9TD,yCAAmD;AACnD,yCAA2E;AAY3E;;;GAGG;AACH,SAAS,aAAa,CAAC,GAAY;IACjC,OAAO,CACL,GAAG,KAAK,IAAI;QACZ,OAAO,GAAG,KAAK,QAAQ;QACvB,MAAM,IAAI,GAAG;QACb,GAAG,CAAC,IAAI,KAAK,aAAa;QAC1B,MAAM,IAAI,GAAG;QACb,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ;QAC5B,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;QAC9B,SAAS,IAAI,GAAG;QAChB,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,CAChC,CAAC;AACJ,CAAC;AA8GD;;;GAGG;AACH,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,2BAA2B;IAC3B,oBAAoB;IACpB,oBAAoB;IACpB,2BAA2B;CAC5B,CAAC,CAAC;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACI,KAAK,UAAU,WAAW,CAC/B,GAAW,EACX,SAAqB,EACrB,UAA8B,EAAE;IAEhC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,UAAU,GAAG,KAAK,EAAE,YAAY,GAAG,GAAG,EAAE,GAAG,OAAO,CAAC;IAC9F,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAEzD,IAAI,CAAC;QACH,sEAAsE;QACtE,MAAM,MAAM,GAAG,MAAM,IAAA,eAAS,EAAU,GAAG,EAAE,SAAS,CAAC,CAAC;QAExD,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,qBAAqB;gBAC3B,OAAO,EAAE,uCAAuC;aACjD,CAAC;QACJ,CAAC;QAED,qBAAqB;QACrB,MAAM,WAAW,GAAG,4BAAmB,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAElE,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;YACzB,MAAM,UAAU,GAAG,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC/C,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,kBAAkB;gBACxB,OAAO,EAAE,qCAAqC,UAAU,EAAE,OAAO,IAAI,eAAe,EAAE;aACvF,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC;QAEhC,0BAA0B;QAC1B,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM,EAAE,CAAC;YAClD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,kBAAkB;gBACxB,OAAO,EAAE,8BAA8B,MAAM,WAAW,MAAM,CAAC,GAAG,GAAG;aACtE,CAAC;QACJ,CAAC;QAED,4BAA4B;QAC5B,IAAI,QAAQ,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YACtD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,gCAAgC,QAAQ,WAAW,MAAM,CAAC,GAAG,GAAG;aAC1E,CAAC;QACJ,CAAC;QAED,2BAA2B;QAC3B,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,gBAAgB,GAAG,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC;YAC7C,IAAI,gBAAgB,KAAK,UAAU,EAAE,CAAC;gBACpC,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,IAAI,EAAE,mBAAmB;oBACzB,OAAO,EAAE,+BAA+B,UAAU,WAAW,gBAAgB,IAAI,WAAW,GAAG;iBAChG,CAAC;YACJ,CAAC;QACH,CAAC;QAED,8BAA8B;QAC9B,IAAI,GAAG,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,KAAK,GAAG,EAAE,CAAC;YAC5C,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,sBAAsB;gBAC5B,OAAO,EAAE,kCAAkC,GAAG,WAAW,MAAM,CAAC,GAAG,GAAG;aACvE,CAAC;QACJ,CAAC;QAED,sBAAsB;QACtB,IAAI,UAAU,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAC3C,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,eAAe;gBACrB,OAAO,EAAE,oCAAoC;aAC9C,CAAC;QACJ,CAAC;QAED,+CAA+C;QAC/C,IAAI,MAAM,CAAC,GAAG,GAAG,GAAG,GAAG,YAAY,EAAE,CAAC;YACpC,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,iBAAiB;gBACvB,OAAO,EAAE,oCAAoC,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,YAAY,IAAI,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE;aACvI,CAAC;QACJ,CAAC;QAED,8CAA8C;QAC9C,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,GAAG,GAAG,GAAG,YAAY,EAAE,CAAC;YAChE,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,WAAW;gBACjB,OAAO,EAAE,sBAAsB,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE;aAC3E,CAAC;QACJ,CAAC;QAED,OAAO;YACL,KAAK,EAAE,IAAI;YACX,MAAM;YACN,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC,GAAG;SACvB,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,6CAA6C;QAC7C,sFAAsF;QACtF,qDAAqD;QACrD,IAAI,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,IAAI,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,IAAI,EAAE,kBAAkB;oBACxB,OAAO,EAAE,GAAG,CAAC,OAAO;iBACrB,CAAC;YACJ,CAAC;YACD,IAAI,GAAG,CAAC,IAAI,KAAK,0BAA0B,EAAE,CAAC;gBAC5C,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,IAAI,EAAE,qBAAqB;oBAC3B,OAAO,EAAE,GAAG,CAAC,OAAO;iBACrB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,0DAA0D;QAC1D,+CAA+C;QAC/C,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,IAAI,EAAE,YAAY;YAClB,OAAO,EAAE,kCAAkC,OAAO,EAAE;SACrD,CAAC;IACJ,CAAC;AACH,CAAC"}

package/dist/verify.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EACL,iBAAiB,EAEjB,sBAAsB,EAEvB,MAAM,cAAc,CAAC;AA8BtB;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,6BAA6B;IAC7B,EAAE,EAAE,IAAI,CAAC;IAET,qBAAqB;IACrB,MAAM,EAAE,iBAAiB,CAAC;IAE1B,uDAAuD;IACvD,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAE1C,0BAA0B;IAC1B,IAAI,CAAC,EAAE;QACL,SAAS,EAAE,MAAM,CAAC;QAClB,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,0BAA0B;IAC1B,EAAE,EAAE,KAAK,CAAC;IAEV,mBAAmB;IACnB,MAAM,EAAE,MAAM,CAAC;IAEf,oBAAoB;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAmGD;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;IAEnB,sEAAsE;IACtE,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;CAC3C;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,YAAY,EAAE,MAAM,GAAG,aAAa,GACnC,OAAO,CAAC,YAAY,GAAG,aAAa,CAAC,CA6EvC"}
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EACL,iBAAiB,EAEjB,sBAAsB,EAEvB,MAAM,cAAc,CAAC;AAgCtB;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,6BAA6B;IAC7B,EAAE,EAAE,IAAI,CAAC;IAET,qBAAqB;IACrB,MAAM,EAAE,iBAAiB,CAAC;IAE1B,uDAAuD;IACvD,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAE1C,0BAA0B;IAC1B,IAAI,CAAC,EAAE;QACL,SAAS,EAAE,MAAM,CAAC;QAClB,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,0BAA0B;IAC1B,EAAE,EAAE,KAAK,CAAC;IAEV,mBAAmB;IACnB,MAAM,EAAE,MAAM,CAAC;IAEf,oBAAoB;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAmGD;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;IAEnB,sEAAsE;IACtE,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;CAC3C;AA8BD;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,YAAY,EAAE,MAAM,GAAG,aAAa,GACnC,OAAO,CAAC,YAAY,GAAG,aAAa,CAAC,CA+FvC"}