@peac/protocol 0.9.18 → 0.9.31
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +190 -0
- package/dist/headers.d.ts +38 -1
- package/dist/headers.d.ts.map +1 -1
- package/dist/headers.js +65 -1
- package/dist/headers.js.map +1 -1
- package/dist/index.d.ts +2 -0
- package/dist/index.d.ts.map +1 -1
- package/dist/index.js +6 -0
- package/dist/index.js.map +1 -1
- package/dist/issue.d.ts +35 -3
- package/dist/issue.d.ts.map +1 -1
- package/dist/issue.js +91 -2
- package/dist/issue.js.map +1 -1
- package/dist/telemetry.d.ts +11 -0
- package/dist/telemetry.d.ts.map +1 -0
- package/dist/telemetry.js +18 -0
- package/dist/telemetry.js.map +1 -0
- package/dist/verify-local.d.ts +125 -0
- package/dist/verify-local.d.ts.map +1 -0
- package/dist/verify-local.js +189 -0
- package/dist/verify-local.js.map +1 -0
- package/dist/verify.d.ts.map +1 -1
- package/dist/verify.js +33 -0
- package/dist/verify.js.map +1 -1
- package/package.json +14 -11
package/LICENSE
ADDED
|
@@ -0,0 +1,190 @@
|
|
|
1
|
+
Apache License
|
|
2
|
+
Version 2.0, January 2004
|
|
3
|
+
http://www.apache.org/licenses/
|
|
4
|
+
|
|
5
|
+
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
|
6
|
+
|
|
7
|
+
1. Definitions.
|
|
8
|
+
|
|
9
|
+
"License" shall mean the terms and conditions for use, reproduction,
|
|
10
|
+
and distribution as defined by Sections 1 through 9 of this document.
|
|
11
|
+
|
|
12
|
+
"Licensor" shall mean the copyright owner or entity authorized by
|
|
13
|
+
the copyright owner that is granting the License.
|
|
14
|
+
|
|
15
|
+
"Legal Entity" shall mean the union of the acting entity and all
|
|
16
|
+
other entities that control, are controlled by, or are under common
|
|
17
|
+
control with that entity. For the purposes of this definition,
|
|
18
|
+
"control" means (i) the power, direct or indirect, to cause the
|
|
19
|
+
direction or management of such entity, whether by contract or
|
|
20
|
+
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
|
21
|
+
outstanding shares, or (iii) beneficial ownership of such entity.
|
|
22
|
+
|
|
23
|
+
"You" (or "Your") shall mean an individual or Legal Entity
|
|
24
|
+
exercising permissions granted by this License.
|
|
25
|
+
|
|
26
|
+
"Source" form shall mean the preferred form for making modifications,
|
|
27
|
+
including but not limited to software source code, documentation
|
|
28
|
+
source, and configuration files.
|
|
29
|
+
|
|
30
|
+
"Object" form shall mean any form resulting from mechanical
|
|
31
|
+
transformation or translation of a Source form, including but
|
|
32
|
+
not limited to compiled object code, generated documentation,
|
|
33
|
+
and conversions to other media types.
|
|
34
|
+
|
|
35
|
+
"Work" shall mean the work of authorship, whether in Source or
|
|
36
|
+
Object form, made available under the License, as indicated by a
|
|
37
|
+
copyright notice that is included in or attached to the work
|
|
38
|
+
(an example is provided in the Appendix below).
|
|
39
|
+
|
|
40
|
+
"Derivative Works" shall mean any work, whether in Source or Object
|
|
41
|
+
form, that is based on (or derived from) the Work and for which the
|
|
42
|
+
editorial revisions, annotations, elaborations, or other modifications
|
|
43
|
+
represent, as a whole, an original work of authorship. For the purposes
|
|
44
|
+
of this License, Derivative Works shall not include works that remain
|
|
45
|
+
separable from, or merely link (or bind by name) to the interfaces of,
|
|
46
|
+
the Work and Derivative Works thereof.
|
|
47
|
+
|
|
48
|
+
"Contribution" shall mean any work of authorship, including
|
|
49
|
+
the original version of the Work and any modifications or additions
|
|
50
|
+
to that Work or Derivative Works thereof, that is intentionally
|
|
51
|
+
submitted to Licensor for inclusion in the Work by the copyright owner
|
|
52
|
+
or by an individual or Legal Entity authorized to submit on behalf of
|
|
53
|
+
the copyright owner. For the purposes of this definition, "submitted"
|
|
54
|
+
means any form of electronic, verbal, or written communication sent
|
|
55
|
+
to the Licensor or its representatives, including but not limited to
|
|
56
|
+
communication on electronic mailing lists, source code control systems,
|
|
57
|
+
and issue tracking systems that are managed by, or on behalf of, the
|
|
58
|
+
Licensor for the purpose of discussing and improving the Work, but
|
|
59
|
+
excluding communication that is conspicuously marked or otherwise
|
|
60
|
+
designated in writing by the copyright owner as "Not a Contribution."
|
|
61
|
+
|
|
62
|
+
"Contributor" shall mean Licensor and any individual or Legal Entity
|
|
63
|
+
on behalf of whom a Contribution has been received by Licensor and
|
|
64
|
+
subsequently incorporated within the Work.
|
|
65
|
+
|
|
66
|
+
2. Grant of Copyright License. Subject to the terms and conditions of
|
|
67
|
+
this License, each Contributor hereby grants to You a perpetual,
|
|
68
|
+
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
|
69
|
+
copyright license to reproduce, prepare Derivative Works of,
|
|
70
|
+
publicly display, publicly perform, sublicense, and distribute the
|
|
71
|
+
Work and such Derivative Works in Source or Object form.
|
|
72
|
+
|
|
73
|
+
3. Grant of Patent License. Subject to the terms and conditions of
|
|
74
|
+
this License, each Contributor hereby grants to You a perpetual,
|
|
75
|
+
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
|
76
|
+
(except as stated in this section) patent license to make, have made,
|
|
77
|
+
use, offer to sell, sell, import, and otherwise transfer the Work,
|
|
78
|
+
where such license applies only to those patent claims licensable
|
|
79
|
+
by such Contributor that are necessarily infringed by their
|
|
80
|
+
Contribution(s) alone or by combination of their Contribution(s)
|
|
81
|
+
with the Work to which such Contribution(s) was submitted. If You
|
|
82
|
+
institute patent litigation against any entity (including a
|
|
83
|
+
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
|
84
|
+
or a Contribution incorporated within the Work constitutes direct
|
|
85
|
+
or contributory patent infringement, then any patent licenses
|
|
86
|
+
granted to You under this License for that Work shall terminate
|
|
87
|
+
as of the date such litigation is filed.
|
|
88
|
+
|
|
89
|
+
4. Redistribution. You may reproduce and distribute copies of the
|
|
90
|
+
Work or Derivative Works thereof in any medium, with or without
|
|
91
|
+
modifications, and in Source or Object form, provided that You
|
|
92
|
+
meet the following conditions:
|
|
93
|
+
|
|
94
|
+
(a) You must give any other recipients of the Work or
|
|
95
|
+
Derivative Works a copy of this License; and
|
|
96
|
+
|
|
97
|
+
(b) You must cause any modified files to carry prominent notices
|
|
98
|
+
stating that You changed the files; and
|
|
99
|
+
|
|
100
|
+
(c) You must retain, in the Source form of any Derivative Works
|
|
101
|
+
that You distribute, all copyright, patent, trademark, and
|
|
102
|
+
attribution notices from the Source form of the Work,
|
|
103
|
+
excluding those notices that do not pertain to any part of
|
|
104
|
+
the Derivative Works; and
|
|
105
|
+
|
|
106
|
+
(d) If the Work includes a "NOTICE" text file as part of its
|
|
107
|
+
distribution, then any Derivative Works that You distribute must
|
|
108
|
+
include a readable copy of the attribution notices contained
|
|
109
|
+
within such NOTICE file, excluding those notices that do not
|
|
110
|
+
pertain to any part of the Derivative Works, in at least one
|
|
111
|
+
of the following places: within a NOTICE text file distributed
|
|
112
|
+
as part of the Derivative Works; within the Source form or
|
|
113
|
+
documentation, if provided along with the Derivative Works; or,
|
|
114
|
+
within a display generated by the Derivative Works, if and
|
|
115
|
+
wherever such third-party notices normally appear. The contents
|
|
116
|
+
of the NOTICE file are for informational purposes only and
|
|
117
|
+
do not modify the License. You may add Your own attribution
|
|
118
|
+
notices within Derivative Works that You distribute, alongside
|
|
119
|
+
or as an addendum to the NOTICE text from the Work, provided
|
|
120
|
+
that such additional attribution notices cannot be construed
|
|
121
|
+
as modifying the License.
|
|
122
|
+
|
|
123
|
+
You may add Your own copyright statement to Your modifications and
|
|
124
|
+
may provide additional or different license terms and conditions
|
|
125
|
+
for use, reproduction, or distribution of Your modifications, or
|
|
126
|
+
for any such Derivative Works as a whole, provided Your use,
|
|
127
|
+
reproduction, and distribution of the Work otherwise complies with
|
|
128
|
+
the conditions stated in this License.
|
|
129
|
+
|
|
130
|
+
5. Submission of Contributions. Unless You explicitly state otherwise,
|
|
131
|
+
any Contribution intentionally submitted for inclusion in the Work
|
|
132
|
+
by You to the Licensor shall be under the terms and conditions of
|
|
133
|
+
this License, without any additional terms or conditions.
|
|
134
|
+
Notwithstanding the above, nothing herein shall supersede or modify
|
|
135
|
+
the terms of any separate license agreement you may have executed
|
|
136
|
+
with Licensor regarding such Contributions.
|
|
137
|
+
|
|
138
|
+
6. Trademarks. This License does not grant permission to use the trade
|
|
139
|
+
names, trademarks, service marks, or product names of the Licensor,
|
|
140
|
+
except as required for reasonable and customary use in describing the
|
|
141
|
+
origin of the Work and reproducing the content of the NOTICE file.
|
|
142
|
+
|
|
143
|
+
7. Disclaimer of Warranty. Unless required by applicable law or
|
|
144
|
+
agreed to in writing, Licensor provides the Work (and each
|
|
145
|
+
Contributor provides its Contributions) on an "AS IS" BASIS,
|
|
146
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
147
|
+
implied, including, without limitation, any warranties or conditions
|
|
148
|
+
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
|
149
|
+
PARTICULAR PURPOSE. You are solely responsible for determining the
|
|
150
|
+
appropriateness of using or redistributing the Work and assume any
|
|
151
|
+
risks associated with Your exercise of permissions under this License.
|
|
152
|
+
|
|
153
|
+
8. Limitation of Liability. In no event and under no legal theory,
|
|
154
|
+
whether in tort (including negligence), contract, or otherwise,
|
|
155
|
+
unless required by applicable law (such as deliberate and grossly
|
|
156
|
+
negligent acts) or agreed to in writing, shall any Contributor be
|
|
157
|
+
liable to You for damages, including any direct, indirect, special,
|
|
158
|
+
incidental, or consequential damages of any character arising as a
|
|
159
|
+
result of this License or out of the use or inability to use the
|
|
160
|
+
Work (including but not limited to damages for loss of goodwill,
|
|
161
|
+
work stoppage, computer failure or malfunction, or any and all
|
|
162
|
+
other commercial damages or losses), even if such Contributor
|
|
163
|
+
has been advised of the possibility of such damages.
|
|
164
|
+
|
|
165
|
+
9. Accepting Warranty or Additional Liability. While redistributing
|
|
166
|
+
the Work or Derivative Works thereof, You may choose to offer,
|
|
167
|
+
and charge a fee for, acceptance of support, warranty, indemnity,
|
|
168
|
+
or other liability obligations and/or rights consistent with this
|
|
169
|
+
License. However, in accepting such obligations, You may act only
|
|
170
|
+
on Your own behalf and on Your sole responsibility, not on behalf
|
|
171
|
+
of any other Contributor, and only if You agree to indemnify,
|
|
172
|
+
defend, and hold each Contributor harmless for any liability
|
|
173
|
+
incurred by, or claims asserted against, such Contributor by reason
|
|
174
|
+
of your accepting any such warranty or additional liability.
|
|
175
|
+
|
|
176
|
+
END OF TERMS AND CONDITIONS
|
|
177
|
+
|
|
178
|
+
Copyright 2025 PEAC Protocol Contributors
|
|
179
|
+
|
|
180
|
+
Licensed under the Apache License, Version 2.0 (the "License");
|
|
181
|
+
you may not use this file except in compliance with the License.
|
|
182
|
+
You may obtain a copy of the License at
|
|
183
|
+
|
|
184
|
+
http://www.apache.org/licenses/LICENSE-2.0
|
|
185
|
+
|
|
186
|
+
Unless required by applicable law or agreed to in writing, software
|
|
187
|
+
distributed under the License is distributed on an "AS IS" BASIS,
|
|
188
|
+
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
189
|
+
See the License for the specific language governing permissions and
|
|
190
|
+
limitations under the License.
|
package/dist/headers.d.ts
CHANGED
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
/**
|
|
2
|
-
* HTTP header utilities for PEAC receipts
|
|
2
|
+
* HTTP header utilities for PEAC receipts and purpose
|
|
3
3
|
*/
|
|
4
|
+
import { type PurposeToken, type CanonicalPurpose, type PurposeReason } from '@peac/schema';
|
|
4
5
|
/**
|
|
5
6
|
* Set PEAC-Receipt header on a response
|
|
6
7
|
*
|
|
@@ -21,4 +22,40 @@ export declare function getReceiptHeader(headers: Headers): string | null;
|
|
|
21
22
|
* @param headers - Response headers
|
|
22
23
|
*/
|
|
23
24
|
export declare function setVaryHeader(headers: Headers): void;
|
|
25
|
+
/**
|
|
26
|
+
* Get PEAC-Purpose header from a request
|
|
27
|
+
*
|
|
28
|
+
* Parses the comma-separated purpose token list into an array.
|
|
29
|
+
* Normalizes tokens (lowercase, trim whitespace), deduplicates.
|
|
30
|
+
*
|
|
31
|
+
* @param headers - Request headers
|
|
32
|
+
* @returns Array of normalized PurposeToken values, empty if header missing
|
|
33
|
+
*/
|
|
34
|
+
export declare function getPurposeHeader(headers: Headers): PurposeToken[];
|
|
35
|
+
/**
|
|
36
|
+
* Set PEAC-Purpose-Applied header on a response
|
|
37
|
+
*
|
|
38
|
+
* Indicates which purpose(s) were enforced for this request.
|
|
39
|
+
*
|
|
40
|
+
* @param headers - Response headers
|
|
41
|
+
* @param purpose - Single canonical purpose that was enforced
|
|
42
|
+
*/
|
|
43
|
+
export declare function setPurposeAppliedHeader(headers: Headers, purpose: CanonicalPurpose): void;
|
|
44
|
+
/**
|
|
45
|
+
* Set PEAC-Purpose-Reason header on a response
|
|
46
|
+
*
|
|
47
|
+
* Explains WHY the purpose was enforced as it was (audit trail).
|
|
48
|
+
*
|
|
49
|
+
* @param headers - Response headers
|
|
50
|
+
* @param reason - Purpose reason enum value
|
|
51
|
+
*/
|
|
52
|
+
export declare function setPurposeReasonHeader(headers: Headers, reason: PurposeReason): void;
|
|
53
|
+
/**
|
|
54
|
+
* Set Vary: PEAC-Purpose header for caching
|
|
55
|
+
*
|
|
56
|
+
* If response behavior varies by declared purpose, MUST set this header.
|
|
57
|
+
*
|
|
58
|
+
* @param headers - Response headers
|
|
59
|
+
*/
|
|
60
|
+
export declare function setVaryPurposeHeader(headers: Headers): void;
|
|
24
61
|
//# sourceMappingURL=headers.d.ts.map
|
package/dist/headers.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../src/headers.ts"],"names":[],"mappings":"AAAA;;GAEG;
|
|
1
|
+
{"version":3,"file":"headers.d.ts","sourceRoot":"","sources":["../src/headers.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAML,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,aAAa,EACnB,MAAM,cAAc,CAAC;AAEtB;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,MAAM,GAAG,IAAI,CAE3E;AAED;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,OAAO,GAAG,MAAM,GAAG,IAAI,CAEhE;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAWpD;AAMD;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,OAAO,GAAG,YAAY,EAAE,CAMjE;AAED;;;;;;;GAOG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,gBAAgB,GAAG,IAAI,CAEzF;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,aAAa,GAAG,IAAI,CAEpF;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,OAAO,GAAG,IAAI,CAU3D"}
|
package/dist/headers.js
CHANGED
|
@@ -1,11 +1,15 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
/**
|
|
3
|
-
* HTTP header utilities for PEAC receipts
|
|
3
|
+
* HTTP header utilities for PEAC receipts and purpose
|
|
4
4
|
*/
|
|
5
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
6
|
exports.setReceiptHeader = setReceiptHeader;
|
|
7
7
|
exports.getReceiptHeader = getReceiptHeader;
|
|
8
8
|
exports.setVaryHeader = setVaryHeader;
|
|
9
|
+
exports.getPurposeHeader = getPurposeHeader;
|
|
10
|
+
exports.setPurposeAppliedHeader = setPurposeAppliedHeader;
|
|
11
|
+
exports.setPurposeReasonHeader = setPurposeReasonHeader;
|
|
12
|
+
exports.setVaryPurposeHeader = setVaryPurposeHeader;
|
|
9
13
|
const schema_1 = require("@peac/schema");
|
|
10
14
|
/**
|
|
11
15
|
* Set PEAC-Receipt header on a response
|
|
@@ -43,4 +47,64 @@ function setVaryHeader(headers) {
|
|
|
43
47
|
headers.set('Vary', schema_1.PEAC_RECEIPT_HEADER);
|
|
44
48
|
}
|
|
45
49
|
}
|
|
50
|
+
// -----------------------------------------------------------------------------
|
|
51
|
+
// Purpose Header Utilities (v0.9.24+)
|
|
52
|
+
// -----------------------------------------------------------------------------
|
|
53
|
+
/**
|
|
54
|
+
* Get PEAC-Purpose header from a request
|
|
55
|
+
*
|
|
56
|
+
* Parses the comma-separated purpose token list into an array.
|
|
57
|
+
* Normalizes tokens (lowercase, trim whitespace), deduplicates.
|
|
58
|
+
*
|
|
59
|
+
* @param headers - Request headers
|
|
60
|
+
* @returns Array of normalized PurposeToken values, empty if header missing
|
|
61
|
+
*/
|
|
62
|
+
function getPurposeHeader(headers) {
|
|
63
|
+
const value = headers.get(schema_1.PEAC_PURPOSE_HEADER);
|
|
64
|
+
if (!value) {
|
|
65
|
+
return [];
|
|
66
|
+
}
|
|
67
|
+
return (0, schema_1.parsePurposeHeader)(value);
|
|
68
|
+
}
|
|
69
|
+
/**
|
|
70
|
+
* Set PEAC-Purpose-Applied header on a response
|
|
71
|
+
*
|
|
72
|
+
* Indicates which purpose(s) were enforced for this request.
|
|
73
|
+
*
|
|
74
|
+
* @param headers - Response headers
|
|
75
|
+
* @param purpose - Single canonical purpose that was enforced
|
|
76
|
+
*/
|
|
77
|
+
function setPurposeAppliedHeader(headers, purpose) {
|
|
78
|
+
headers.set(schema_1.PEAC_PURPOSE_APPLIED_HEADER, purpose);
|
|
79
|
+
}
|
|
80
|
+
/**
|
|
81
|
+
* Set PEAC-Purpose-Reason header on a response
|
|
82
|
+
*
|
|
83
|
+
* Explains WHY the purpose was enforced as it was (audit trail).
|
|
84
|
+
*
|
|
85
|
+
* @param headers - Response headers
|
|
86
|
+
* @param reason - Purpose reason enum value
|
|
87
|
+
*/
|
|
88
|
+
function setPurposeReasonHeader(headers, reason) {
|
|
89
|
+
headers.set(schema_1.PEAC_PURPOSE_REASON_HEADER, reason);
|
|
90
|
+
}
|
|
91
|
+
/**
|
|
92
|
+
* Set Vary: PEAC-Purpose header for caching
|
|
93
|
+
*
|
|
94
|
+
* If response behavior varies by declared purpose, MUST set this header.
|
|
95
|
+
*
|
|
96
|
+
* @param headers - Response headers
|
|
97
|
+
*/
|
|
98
|
+
function setVaryPurposeHeader(headers) {
|
|
99
|
+
const existing = headers.get('Vary');
|
|
100
|
+
if (existing) {
|
|
101
|
+
const varies = existing.split(',').map((v) => v.trim());
|
|
102
|
+
if (!varies.includes(schema_1.PEAC_PURPOSE_HEADER)) {
|
|
103
|
+
headers.set('Vary', `${existing}, ${schema_1.PEAC_PURPOSE_HEADER}`);
|
|
104
|
+
}
|
|
105
|
+
}
|
|
106
|
+
else {
|
|
107
|
+
headers.set('Vary', schema_1.PEAC_PURPOSE_HEADER);
|
|
108
|
+
}
|
|
109
|
+
}
|
|
46
110
|
//# sourceMappingURL=headers.js.map
|
package/dist/headers.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"headers.js","sourceRoot":"","sources":["../src/headers.ts"],"names":[],"mappings":";AAAA;;GAEG;;
|
|
1
|
+
{"version":3,"file":"headers.js","sourceRoot":"","sources":["../src/headers.ts"],"names":[],"mappings":";AAAA;;GAEG;;AAmBH,4CAEC;AAQD,4CAEC;AAOD,sCAWC;AAeD,4CAMC;AAUD,0DAEC;AAUD,wDAEC;AASD,oDAUC;AA/GD,yCASsB;AAEtB;;;;;GAKG;AACH,SAAgB,gBAAgB,CAAC,OAAgB,EAAE,UAAkB;IACnE,OAAO,CAAC,GAAG,CAAC,4BAAmB,EAAE,UAAU,CAAC,CAAC;AAC/C,CAAC;AAED;;;;;GAKG;AACH,SAAgB,gBAAgB,CAAC,OAAgB;IAC/C,OAAO,OAAO,CAAC,GAAG,CAAC,4BAAmB,CAAC,CAAC;AAC1C,CAAC;AAED;;;;GAIG;AACH,SAAgB,aAAa,CAAC,OAAgB;IAC5C,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACrC,IAAI,QAAQ,EAAE,CAAC;QACb,iCAAiC;QACjC,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QACxD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,4BAAmB,CAAC,EAAE,CAAC;YAC1C,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,QAAQ,KAAK,4BAAmB,EAAE,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,4BAAmB,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC;AAED,gFAAgF;AAChF,sCAAsC;AACtC,gFAAgF;AAEhF;;;;;;;;GAQG;AACH,SAAgB,gBAAgB,CAAC,OAAgB;IAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,4BAAmB,CAAC,CAAC;IAC/C,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,IAAA,2BAAkB,EAAC,KAAK,CAAC,CAAC;AACnC,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,uBAAuB,CAAC,OAAgB,EAAE,OAAyB;IACjF,OAAO,CAAC,GAAG,CAAC,oCAA2B,EAAE,OAAO,CAAC,CAAC;AACpD,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,sBAAsB,CAAC,OAAgB,EAAE,MAAqB;IAC5E,OAAO,CAAC,GAAG,CAAC,mCAA0B,EAAE,MAAM,CAAC,CAAC;AAClD,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,oBAAoB,CAAC,OAAgB;IACnD,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IACrC,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;QACxD,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,4BAAmB,CAAC,EAAE,CAAC;YAC1C,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,QAAQ,KAAK,4BAAmB,EAAE,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,4BAAmB,CAAC,CAAC;IAC3C,CAAC;AACH,CAAC"}
|
package/dist/index.d.ts
CHANGED
package/dist/index.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC;AACzB,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC;AACzB,cAAc,gBAAgB,CAAC;AAC/B,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC;AAG5B,OAAO,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC"}
|
package/dist/index.js
CHANGED
|
@@ -18,8 +18,14 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
|
|
|
18
18
|
for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
|
|
19
19
|
};
|
|
20
20
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
21
|
+
exports.verify = exports.generateKeypair = void 0;
|
|
21
22
|
__exportStar(require("./issue"), exports);
|
|
22
23
|
__exportStar(require("./verify"), exports);
|
|
24
|
+
__exportStar(require("./verify-local"), exports);
|
|
23
25
|
__exportStar(require("./headers"), exports);
|
|
24
26
|
__exportStar(require("./discovery"), exports);
|
|
27
|
+
// Re-export crypto utilities for single-package quickstart
|
|
28
|
+
var crypto_1 = require("@peac/crypto");
|
|
29
|
+
Object.defineProperty(exports, "generateKeypair", { enumerable: true, get: function () { return crypto_1.generateKeypair; } });
|
|
30
|
+
Object.defineProperty(exports, "verify", { enumerable: true, get: function () { return crypto_1.verify; } });
|
|
25
31
|
//# sourceMappingURL=index.js.map
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;GAGG
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;;AAEH,0CAAwB;AACxB,2CAAyB;AACzB,iDAA+B;AAC/B,4CAA0B;AAC1B,8CAA4B;AAE5B,2DAA2D;AAC3D,uCAAuD;AAA9C,yGAAA,eAAe,OAAA;AAAE,gGAAA,MAAM,OAAA"}
|
package/dist/issue.d.ts
CHANGED
|
@@ -2,7 +2,8 @@
|
|
|
2
2
|
* Receipt issuance
|
|
3
3
|
* Validates input, generates UUIDv7 rid, and signs with Ed25519
|
|
4
4
|
*/
|
|
5
|
-
import {
|
|
5
|
+
import type { JsonValue } from '@peac/kernel';
|
|
6
|
+
import { PEACReceiptClaims, SubjectProfileSnapshot, type PEACError, type PurposeToken, type CanonicalPurpose, type PurposeReason } from '@peac/schema';
|
|
6
7
|
/**
|
|
7
8
|
* Options for issuing a receipt
|
|
8
9
|
*/
|
|
@@ -27,8 +28,8 @@ export interface IssueOptions {
|
|
|
27
28
|
network?: string;
|
|
28
29
|
/** Facilitator reference (optional) */
|
|
29
30
|
facilitator_ref?: string;
|
|
30
|
-
/** Rail-specific evidence (
|
|
31
|
-
evidence?:
|
|
31
|
+
/** Rail-specific evidence (JSON-safe) - defaults to empty object if not provided */
|
|
32
|
+
evidence?: JsonValue;
|
|
32
33
|
/** Idempotency key (optional) */
|
|
33
34
|
idempotency_key?: string;
|
|
34
35
|
/** Rail-specific metadata (optional) */
|
|
@@ -41,6 +42,26 @@ export interface IssueOptions {
|
|
|
41
42
|
exp?: number;
|
|
42
43
|
/** Subject profile snapshot for envelope (v0.9.17+, optional) */
|
|
43
44
|
subject_snapshot?: SubjectProfileSnapshot;
|
|
45
|
+
/**
|
|
46
|
+
* Purposes declared by the requesting agent (v0.9.24+, optional)
|
|
47
|
+
*
|
|
48
|
+
* From PEAC-Purpose request header. Accepts single token or array.
|
|
49
|
+
* Unknown tokens are preserved for forward compatibility.
|
|
50
|
+
*/
|
|
51
|
+
purpose?: PurposeToken | PurposeToken[];
|
|
52
|
+
/**
|
|
53
|
+
* Single purpose enforced by policy (v0.9.24+, optional)
|
|
54
|
+
*
|
|
55
|
+
* MUST be one of declared purposes OR a more restrictive downgrade.
|
|
56
|
+
* Only canonical purposes have enforcement semantics.
|
|
57
|
+
*/
|
|
58
|
+
purpose_enforced?: CanonicalPurpose;
|
|
59
|
+
/**
|
|
60
|
+
* Reason for enforcement decision (v0.9.24+, optional)
|
|
61
|
+
*
|
|
62
|
+
* The audit spine - explains WHY purpose was enforced as it was.
|
|
63
|
+
*/
|
|
64
|
+
purpose_reason?: PurposeReason;
|
|
44
65
|
/** Ed25519 private key (32 bytes) */
|
|
45
66
|
privateKey: Uint8Array;
|
|
46
67
|
/** Key ID (ISO 8601 timestamp) */
|
|
@@ -55,11 +76,22 @@ export interface IssueResult {
|
|
|
55
76
|
/** Validated subject snapshot (if provided) */
|
|
56
77
|
subject_snapshot?: SubjectProfileSnapshot;
|
|
57
78
|
}
|
|
79
|
+
/**
|
|
80
|
+
* Error thrown during receipt issuance
|
|
81
|
+
*
|
|
82
|
+
* Wraps a structured PEACError for programmatic handling.
|
|
83
|
+
*/
|
|
84
|
+
export declare class IssueError extends Error {
|
|
85
|
+
/** Structured error details */
|
|
86
|
+
readonly peacError: PEACError;
|
|
87
|
+
constructor(peacError: PEACError);
|
|
88
|
+
}
|
|
58
89
|
/**
|
|
59
90
|
* Issue a PEAC receipt
|
|
60
91
|
*
|
|
61
92
|
* @param options - Receipt options
|
|
62
93
|
* @returns Issue result with JWS and optional subject_snapshot
|
|
94
|
+
* @throws IssueError if evidence contains non-JSON-safe values
|
|
63
95
|
*/
|
|
64
96
|
export declare function issue(options: IssueOptions): Promise<IssueResult>;
|
|
65
97
|
/**
|
package/dist/issue.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"issue.d.ts","sourceRoot":"","sources":["../src/issue.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,EACL,iBAAiB,EAEjB,sBAAsB,
|
|
1
|
+
{"version":3,"file":"issue.d.ts","sourceRoot":"","sources":["../src/issue.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAIH,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAE9C,OAAO,EACL,iBAAiB,EAEjB,sBAAsB,EAGtB,KAAK,SAAS,EACd,KAAK,YAAY,EACjB,KAAK,gBAAgB,EACrB,KAAK,aAAa,EAInB,MAAM,cAAc,CAAC;AAItB;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,4BAA4B;IAC5B,GAAG,EAAE,MAAM,CAAC;IAEZ,yCAAyC;IACzC,GAAG,EAAE,MAAM,CAAC;IAEZ,uCAAuC;IACvC,GAAG,EAAE,MAAM,CAAC;IAEZ,yCAAyC;IACzC,GAAG,EAAE,MAAM,CAAC;IAEZ,8BAA8B;IAC9B,IAAI,EAAE,MAAM,CAAC;IAEb,sCAAsC;IACtC,SAAS,EAAE,MAAM,CAAC;IAElB,4FAA4F;IAC5F,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,0DAA0D;IAC1D,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,CAAC;IAEtB,4DAA4D;IAC5D,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,uCAAuC;IACvC,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB,oFAAoF;IACpF,QAAQ,CAAC,EAAE,SAAS,CAAC;IAErB,iCAAiC;IACjC,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB,wCAAwC;IACxC,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAEnC,6BAA6B;IAC7B,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,4BAA4B;IAC5B,GAAG,CAAC,EAAE,iBAAiB,CAAC,KAAK,CAAC,CAAC;IAE/B,gDAAgD;IAChD,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,iEAAiE;IACjE,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAE1C;;;;;OAKG;IACH,OAAO,CAAC,EAAE,YAAY,GAAG,YAAY,EAAE,CAAC;IAExC;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IAEpC;;;;OAIG;IACH,cAAc,CAAC,EAAE,aAAa,CAAC;IAE/B,qCAAqC;IACrC,UAAU,EAAE,UAAU,CAAC;IAEvB,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,gCAAgC;IAChC,GAAG,EAAE,MAAM,CAAC;IAEZ,+CAA+C;IAC/C,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;CAC3C;AAED;;;;GAIG;AACH,qBAAa,UAAW,SAAQ,KAAK;IACnC,+BAA+B;IAC/B,QAAQ,CAAC,SAAS,EAAE,SAAS,CAAC;gBAElB,SAAS,EAAE,SAAS;CAMjC;AAED;;;;;;GAMG;AACH,wBAAsB,KAAK,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC,CA0JvE;AAED;;;;;;;;GAQG;AACH,wBAAsB,QAAQ,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,MAAM,CAAC,CAGrE"}
|
package/dist/issue.js
CHANGED
|
@@ -4,16 +4,37 @@
|
|
|
4
4
|
* Validates input, generates UUIDv7 rid, and signs with Ed25519
|
|
5
5
|
*/
|
|
6
6
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
7
|
+
exports.IssueError = void 0;
|
|
7
8
|
exports.issue = issue;
|
|
8
9
|
exports.issueJws = issueJws;
|
|
9
10
|
const uuidv7_1 = require("uuidv7");
|
|
10
11
|
const crypto_1 = require("@peac/crypto");
|
|
12
|
+
const zod_1 = require("zod");
|
|
11
13
|
const schema_1 = require("@peac/schema");
|
|
14
|
+
const telemetry_1 = require("@peac/telemetry");
|
|
15
|
+
const telemetry_js_1 = require("./telemetry.js");
|
|
16
|
+
/**
|
|
17
|
+
* Error thrown during receipt issuance
|
|
18
|
+
*
|
|
19
|
+
* Wraps a structured PEACError for programmatic handling.
|
|
20
|
+
*/
|
|
21
|
+
class IssueError extends Error {
|
|
22
|
+
/** Structured error details */
|
|
23
|
+
peacError;
|
|
24
|
+
constructor(peacError) {
|
|
25
|
+
const details = peacError.details;
|
|
26
|
+
super(details?.message ?? peacError.code);
|
|
27
|
+
this.name = 'IssueError';
|
|
28
|
+
this.peacError = peacError;
|
|
29
|
+
}
|
|
30
|
+
}
|
|
31
|
+
exports.IssueError = IssueError;
|
|
12
32
|
/**
|
|
13
33
|
* Issue a PEAC receipt
|
|
14
34
|
*
|
|
15
35
|
* @param options - Receipt options
|
|
16
36
|
* @returns Issue result with JWS and optional subject_snapshot
|
|
37
|
+
* @throws IssueError if evidence contains non-JSON-safe values
|
|
17
38
|
*/
|
|
18
39
|
async function issue(options) {
|
|
19
40
|
// Validate URLs
|
|
@@ -40,6 +61,39 @@ async function issue(options) {
|
|
|
40
61
|
throw new Error('Expiry must be a non-negative integer');
|
|
41
62
|
}
|
|
42
63
|
}
|
|
64
|
+
// Normalize and validate purpose (v0.9.24+)
|
|
65
|
+
let purposeDeclared;
|
|
66
|
+
if (options.purpose !== undefined) {
|
|
67
|
+
// Normalize to array
|
|
68
|
+
const rawPurposes = Array.isArray(options.purpose) ? options.purpose : [options.purpose];
|
|
69
|
+
// Validate each token
|
|
70
|
+
const invalidTokens = [];
|
|
71
|
+
for (const token of rawPurposes) {
|
|
72
|
+
if (!(0, schema_1.isValidPurposeToken)(token)) {
|
|
73
|
+
invalidTokens.push(token);
|
|
74
|
+
}
|
|
75
|
+
}
|
|
76
|
+
if (invalidTokens.length > 0) {
|
|
77
|
+
throw new Error(`Invalid purpose tokens: ${invalidTokens.join(', ')}`);
|
|
78
|
+
}
|
|
79
|
+
// Check for explicit 'undeclared' which is invalid on wire
|
|
80
|
+
if (rawPurposes.includes('undeclared')) {
|
|
81
|
+
throw new Error("Explicit 'undeclared' is not a valid purpose token (internal-only)");
|
|
82
|
+
}
|
|
83
|
+
purposeDeclared = rawPurposes;
|
|
84
|
+
}
|
|
85
|
+
// Validate purpose_enforced (must be canonical)
|
|
86
|
+
if (options.purpose_enforced !== undefined) {
|
|
87
|
+
if (!(0, schema_1.isCanonicalPurpose)(options.purpose_enforced)) {
|
|
88
|
+
throw new Error(`purpose_enforced must be a canonical purpose, got: ${options.purpose_enforced}`);
|
|
89
|
+
}
|
|
90
|
+
}
|
|
91
|
+
// Validate purpose_reason
|
|
92
|
+
if (options.purpose_reason !== undefined) {
|
|
93
|
+
if (!(0, schema_1.isValidPurposeReason)(options.purpose_reason)) {
|
|
94
|
+
throw new Error(`Invalid purpose_reason: ${options.purpose_reason}`);
|
|
95
|
+
}
|
|
96
|
+
}
|
|
43
97
|
// Generate UUIDv7 for receipt ID
|
|
44
98
|
const rid = (0, uuidv7_1.uuidv7)();
|
|
45
99
|
// Get current timestamp
|
|
@@ -68,14 +122,49 @@ async function issue(options) {
|
|
|
68
122
|
...(options.exp && { exp: options.exp }),
|
|
69
123
|
...(options.subject && { subject: { uri: options.subject } }),
|
|
70
124
|
...(options.ext && { ext: options.ext }),
|
|
125
|
+
// Purpose claims (v0.9.24+)
|
|
126
|
+
...(purposeDeclared && { purpose_declared: purposeDeclared }),
|
|
127
|
+
...(options.purpose_enforced && { purpose_enforced: options.purpose_enforced }),
|
|
128
|
+
...(options.purpose_reason && { purpose_reason: options.purpose_reason }),
|
|
71
129
|
};
|
|
72
|
-
// Validate claims with Zod
|
|
73
|
-
|
|
130
|
+
// Validate claims with Zod - map evidence errors to typed error
|
|
131
|
+
try {
|
|
132
|
+
schema_1.ReceiptClaims.parse(claims);
|
|
133
|
+
}
|
|
134
|
+
catch (err) {
|
|
135
|
+
if (err instanceof zod_1.ZodError) {
|
|
136
|
+
// Check if any error path touches evidence
|
|
137
|
+
const evidenceIssue = err.issues.find((issue) => issue.path.some((p) => p === 'evidence' || p === 'payment'));
|
|
138
|
+
if (evidenceIssue && evidenceIssue.path.includes('evidence')) {
|
|
139
|
+
const peacError = (0, schema_1.createEvidenceNotJsonError)(evidenceIssue.message, evidenceIssue.path);
|
|
140
|
+
throw new IssueError(peacError);
|
|
141
|
+
}
|
|
142
|
+
}
|
|
143
|
+
throw err;
|
|
144
|
+
}
|
|
74
145
|
// Validate subject_snapshot if provided (v0.9.17+)
|
|
75
146
|
// This validates schema and logs advisory PII warning if applicable
|
|
76
147
|
const validatedSnapshot = (0, schema_1.validateSubjectSnapshot)(options.subject_snapshot);
|
|
148
|
+
// Track start time for telemetry
|
|
149
|
+
const startTime = performance.now();
|
|
77
150
|
// Sign with Ed25519
|
|
78
151
|
const jws = await (0, crypto_1.sign)(claims, options.privateKey, options.kid);
|
|
152
|
+
// Emit telemetry (no-throw guard)
|
|
153
|
+
const p = telemetry_1.providerRef.current;
|
|
154
|
+
if (p) {
|
|
155
|
+
try {
|
|
156
|
+
const durationMs = performance.now() - startTime;
|
|
157
|
+
p.onReceiptIssued({
|
|
158
|
+
receiptHash: (0, telemetry_js_1.hashReceipt)(jws),
|
|
159
|
+
issuer: options.iss,
|
|
160
|
+
kid: options.kid,
|
|
161
|
+
durationMs,
|
|
162
|
+
});
|
|
163
|
+
}
|
|
164
|
+
catch {
|
|
165
|
+
// Telemetry MUST NOT break core flow
|
|
166
|
+
}
|
|
167
|
+
}
|
|
79
168
|
return {
|
|
80
169
|
jws,
|
|
81
170
|
...(validatedSnapshot && { subject_snapshot: validatedSnapshot }),
|
package/dist/issue.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"issue.js","sourceRoot":"","sources":["../src/issue.ts"],"names":[],"mappings":";AAAA;;;GAGG
|
|
1
|
+
{"version":3,"file":"issue.js","sourceRoot":"","sources":["../src/issue.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AA+IH,sBA0JC;AAWD,4BAGC;AArTD,mCAAgC;AAChC,yCAAoC;AAEpC,6BAA+B;AAC/B,yCAasB;AACtB,+CAA8C;AAC9C,iDAA6C;AAkG7C;;;;GAIG;AACH,MAAa,UAAW,SAAQ,KAAK;IACnC,+BAA+B;IACtB,SAAS,CAAY;IAE9B,YAAY,SAAoB;QAC9B,MAAM,OAAO,GAAG,SAAS,CAAC,OAA2C,CAAC;QACtE,KAAK,CAAC,OAAO,EAAE,OAAO,IAAI,SAAS,CAAC,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,IAAI,GAAG,YAAY,CAAC;QACzB,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;CACF;AAVD,gCAUC;AAED;;;;;;GAMG;AACI,KAAK,UAAU,KAAK,CAAC,OAAqB;IAC/C,gBAAgB;IAChB,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IACD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IACD,IAAI,OAAO,CAAC,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/D,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC1D,CAAC;IAED,yBAAyB;IACzB,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;IACrE,CAAC;IAED,kBAAkB;IAClB,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,GAAG,GAAG,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC3D,CAAC;IAED,gCAAgC;IAChC,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC9B,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,GAAG,GAAG,CAAC,EAAE,CAAC;YACtD,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC;IAED,4CAA4C;IAC5C,IAAI,eAA2C,CAAC;IAChD,IAAI,OAAO,CAAC,OAAO,KAAK,SAAS,EAAE,CAAC;QAClC,qBAAqB;QACrB,MAAM,WAAW,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAEzF,sBAAsB;QACtB,MAAM,aAAa,GAAa,EAAE,CAAC;QACnC,KAAK,MAAM,KAAK,IAAI,WAAW,EAAE,CAAC;YAChC,IAAI,CAAC,IAAA,4BAAmB,EAAC,KAAK,CAAC,EAAE,CAAC;gBAChC,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC5B,CAAC;QACH,CAAC;QACD,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,IAAI,KAAK,CAAC,2BAA2B,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACzE,CAAC;QAED,2DAA2D;QAC3D,IAAI,WAAW,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC;QACxF,CAAC;QAED,eAAe,GAAG,WAAW,CAAC;IAChC,CAAC;IAED,gDAAgD;IAChD,IAAI,OAAO,CAAC,gBAAgB,KAAK,SAAS,EAAE,CAAC;QAC3C,IAAI,CAAC,IAAA,2BAAkB,EAAC,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAClD,MAAM,IAAI,KAAK,CACb,sDAAsD,OAAO,CAAC,gBAAgB,EAAE,CACjF,CAAC;QACJ,CAAC;IACH,CAAC;IAED,0BAA0B;IAC1B,IAAI,OAAO,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;QACzC,IAAI,CAAC,IAAA,6BAAoB,EAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;YAClD,MAAM,IAAI,KAAK,CAAC,2BAA2B,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC;QACvE,CAAC;IACH,CAAC;IAED,iCAAiC;IACjC,MAAM,GAAG,GAAG,IAAA,eAAM,GAAE,CAAC;IAErB,wBAAwB;IACxB,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAE1C,uBAAuB;IACvB,MAAM,MAAM,GAAsB;QAChC,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG;QACH,GAAG;QACH,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,GAAG,EAAE,OAAO,CAAC,GAAG;QAChB,OAAO,EAAE;YACP,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,MAAM,EAAE,OAAO,CAAC,GAAG;YACnB,QAAQ,EAAE,OAAO,CAAC,GAAG;YACrB,KAAK,EAAE,OAAO,CAAC,KAAK,IAAI,OAAO,CAAC,GAAG,EAAE,uDAAuD;YAC5F,GAAG,EAAE,OAAO,CAAC,GAAG,IAAI,MAAM,EAAE,yDAAyD;YACrF,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,EAAE,EAAE,qDAAqD;YACvF,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC;YACpD,GAAG,CAAC,OAAO,CAAC,eAAe,IAAI,EAAE,eAAe,EAAE,OAAO,CAAC,eAAe,EAAE,CAAC;YAC5E,GAAG,CAAC,OAAO,CAAC,eAAe,IAAI,EAAE,eAAe,EAAE,OAAO,CAAC,eAAe,EAAE,CAAC;YAC5E,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,QAAQ,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC;SACxD;QACD,GAAG,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;QACxC,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,OAAO,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC;QAC7D,GAAG,CAAC,OAAO,CAAC,GAAG,IAAI,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;QACxC,4BAA4B;QAC5B,GAAG,CAAC,eAAe,IAAI,EAAE,gBAAgB,EAAE,eAAe,EAAE,CAAC;QAC7D,GAAG,CAAC,OAAO,CAAC,gBAAgB,IAAI,EAAE,gBAAgB,EAAE,OAAO,CAAC,gBAAgB,EAAE,CAAC;QAC/E,GAAG,CAAC,OAAO,CAAC,cAAc,IAAI,EAAE,cAAc,EAAE,OAAO,CAAC,cAAc,EAAE,CAAC;KAC1E,CAAC;IAEF,gEAAgE;IAChE,IAAI,CAAC;QACH,sBAAa,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9B,CAAC;IAAC,OAAO,GAAY,EAAE,CAAC;QACtB,IAAI,GAAG,YAAY,cAAQ,EAAE,CAAC;YAC5B,2CAA2C;YAC3C,MAAM,aAAa,GAAG,GAAG,CAAC,MAAM,CAAC,IAAI,CACnC,CAAC,KAAqD,EAAE,EAAE,CACxD,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAkB,EAAE,EAAE,CAAC,CAAC,KAAK,UAAU,IAAI,CAAC,KAAK,SAAS,CAAC,CAC/E,CAAC;YACF,IAAI,aAAa,IAAI,aAAa,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC7D,MAAM,SAAS,GAAG,IAAA,mCAA0B,EAAC,aAAa,CAAC,OAAO,EAAE,aAAa,CAAC,IAAI,CAAC,CAAC;gBACxF,MAAM,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;QACD,MAAM,GAAG,CAAC;IACZ,CAAC;IAED,mDAAmD;IACnD,oEAAoE;IACpE,MAAM,iBAAiB,GAAG,IAAA,gCAAuB,EAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IAE5E,iCAAiC;IACjC,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IAEpC,oBAAoB;IACpB,MAAM,GAAG,GAAG,MAAM,IAAA,aAAI,EAAC,MAAM,EAAE,OAAO,CAAC,UAAU,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAEhE,kCAAkC;IAClC,MAAM,CAAC,GAAG,uBAAW,CAAC,OAAO,CAAC;IAC9B,IAAI,CAAC,EAAE,CAAC;QACN,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YACjD,CAAC,CAAC,eAAe,CAAC;gBAChB,WAAW,EAAE,IAAA,0BAAW,EAAC,GAAG,CAAC;gBAC7B,MAAM,EAAE,OAAO,CAAC,GAAG;gBACnB,GAAG,EAAE,OAAO,CAAC,GAAG;gBAChB,UAAU;aACX,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,qCAAqC;QACvC,CAAC;IACH,CAAC;IAED,OAAO;QACL,GAAG;QACH,GAAG,CAAC,iBAAiB,IAAI,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,CAAC;KAClE,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACI,KAAK,UAAU,QAAQ,CAAC,OAAqB;IAClD,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,OAAO,CAAC,CAAC;IACpC,OAAO,MAAM,CAAC,GAAG,CAAC;AACpB,CAAC"}
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Telemetry utilities for protocol package
|
|
3
|
+
*/
|
|
4
|
+
/**
|
|
5
|
+
* Compute a SHA-256 hash of a receipt JWS
|
|
6
|
+
*
|
|
7
|
+
* Returns format: sha256:{hex prefix}
|
|
8
|
+
* Uses first 16 chars of hex for brevity in logs/spans.
|
|
9
|
+
*/
|
|
10
|
+
export declare function hashReceipt(jws: string): string;
|
|
11
|
+
//# sourceMappingURL=telemetry.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"telemetry.d.ts","sourceRoot":"","sources":["../src/telemetry.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAG/C"}
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Telemetry utilities for protocol package
|
|
4
|
+
*/
|
|
5
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
|
+
exports.hashReceipt = hashReceipt;
|
|
7
|
+
const node_crypto_1 = require("node:crypto");
|
|
8
|
+
/**
|
|
9
|
+
* Compute a SHA-256 hash of a receipt JWS
|
|
10
|
+
*
|
|
11
|
+
* Returns format: sha256:{hex prefix}
|
|
12
|
+
* Uses first 16 chars of hex for brevity in logs/spans.
|
|
13
|
+
*/
|
|
14
|
+
function hashReceipt(jws) {
|
|
15
|
+
const hash = (0, node_crypto_1.createHash)('sha256').update(jws).digest('hex');
|
|
16
|
+
return `sha256:${hash.slice(0, 16)}`;
|
|
17
|
+
}
|
|
18
|
+
//# sourceMappingURL=telemetry.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"telemetry.js","sourceRoot":"","sources":["../src/telemetry.ts"],"names":[],"mappings":";AAAA;;GAEG;;AAUH,kCAGC;AAXD,6CAAyC;AAEzC;;;;;GAKG;AACH,SAAgB,WAAW,CAAC,GAAW;IACrC,MAAM,IAAI,GAAG,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC5D,OAAO,UAAU,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC;AACvC,CAAC"}
|
|
@@ -0,0 +1,125 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Local receipt verification with schema validation
|
|
3
|
+
*
|
|
4
|
+
* Use this for verifying receipts when you have the public key locally,
|
|
5
|
+
* without JWKS discovery.
|
|
6
|
+
*/
|
|
7
|
+
import { type ReceiptClaimsType } from '@peac/schema';
|
|
8
|
+
/**
|
|
9
|
+
* Canonical error codes for local verification
|
|
10
|
+
*
|
|
11
|
+
* These map to E_* codes in specs/kernel/errors.json
|
|
12
|
+
*/
|
|
13
|
+
export type VerifyLocalErrorCode = 'E_INVALID_SIGNATURE' | 'E_INVALID_FORMAT' | 'E_EXPIRED' | 'E_NOT_YET_VALID' | 'E_INVALID_ISSUER' | 'E_INVALID_AUDIENCE' | 'E_INVALID_SUBJECT' | 'E_INVALID_RECEIPT_ID' | 'E_MISSING_EXP' | 'E_INTERNAL';
|
|
14
|
+
/**
|
|
15
|
+
* Options for local verification
|
|
16
|
+
*/
|
|
17
|
+
export interface VerifyLocalOptions {
|
|
18
|
+
/**
|
|
19
|
+
* Expected issuer URL
|
|
20
|
+
*
|
|
21
|
+
* If provided, verification fails if receipt.iss does not match.
|
|
22
|
+
*/
|
|
23
|
+
issuer?: string;
|
|
24
|
+
/**
|
|
25
|
+
* Expected audience URL
|
|
26
|
+
*
|
|
27
|
+
* If provided, verification fails if receipt.aud does not match.
|
|
28
|
+
*/
|
|
29
|
+
audience?: string;
|
|
30
|
+
/**
|
|
31
|
+
* Expected subject URI
|
|
32
|
+
*
|
|
33
|
+
* If provided, verification fails if receipt.subject.uri does not match.
|
|
34
|
+
* Binds the receipt to a specific resource/interaction target.
|
|
35
|
+
*/
|
|
36
|
+
subjectUri?: string;
|
|
37
|
+
/**
|
|
38
|
+
* Expected receipt ID (rid)
|
|
39
|
+
*
|
|
40
|
+
* If provided, verification fails if receipt.rid does not match.
|
|
41
|
+
* Useful for idempotency checks or correlating with prior receipts.
|
|
42
|
+
*/
|
|
43
|
+
rid?: string;
|
|
44
|
+
/**
|
|
45
|
+
* Require expiration claim
|
|
46
|
+
*
|
|
47
|
+
* If true, receipts without exp claim are rejected.
|
|
48
|
+
* Defaults to false.
|
|
49
|
+
*/
|
|
50
|
+
requireExp?: boolean;
|
|
51
|
+
/**
|
|
52
|
+
* Current timestamp (Unix seconds)
|
|
53
|
+
*
|
|
54
|
+
* Defaults to Date.now() / 1000. Override for testing.
|
|
55
|
+
*/
|
|
56
|
+
now?: number;
|
|
57
|
+
/**
|
|
58
|
+
* Maximum clock skew tolerance (seconds)
|
|
59
|
+
*
|
|
60
|
+
* Allows for clock drift between issuer and verifier.
|
|
61
|
+
* Defaults to 300 (5 minutes).
|
|
62
|
+
*/
|
|
63
|
+
maxClockSkew?: number;
|
|
64
|
+
}
|
|
65
|
+
/**
|
|
66
|
+
* Result of successful local verification
|
|
67
|
+
*/
|
|
68
|
+
export interface VerifyLocalSuccess {
|
|
69
|
+
/** Verification succeeded */
|
|
70
|
+
valid: true;
|
|
71
|
+
/** Validated receipt claims (schema-derived type) */
|
|
72
|
+
claims: ReceiptClaimsType;
|
|
73
|
+
/** Key ID from JWS header (for logging/indexing) */
|
|
74
|
+
kid: string;
|
|
75
|
+
}
|
|
76
|
+
/**
|
|
77
|
+
* Result of failed local verification
|
|
78
|
+
*/
|
|
79
|
+
export interface VerifyLocalFailure {
|
|
80
|
+
/** Verification failed */
|
|
81
|
+
valid: false;
|
|
82
|
+
/** Canonical error code (maps to specs/kernel/errors.json) */
|
|
83
|
+
code: VerifyLocalErrorCode;
|
|
84
|
+
/** Human-readable error message */
|
|
85
|
+
message: string;
|
|
86
|
+
}
|
|
87
|
+
/**
|
|
88
|
+
* Union type for local verification result
|
|
89
|
+
*/
|
|
90
|
+
export type VerifyLocalResult = VerifyLocalSuccess | VerifyLocalFailure;
|
|
91
|
+
/**
|
|
92
|
+
* Verify a PEAC receipt locally with a known public key
|
|
93
|
+
*
|
|
94
|
+
* This function:
|
|
95
|
+
* 1. Verifies the Ed25519 signature and header (typ, alg)
|
|
96
|
+
* 2. Validates the receipt schema with Zod
|
|
97
|
+
* 3. Checks issuer/audience/subject binding (if options provided)
|
|
98
|
+
* 4. Checks time validity (exp/iat with clock skew tolerance)
|
|
99
|
+
*
|
|
100
|
+
* Use this when you have the issuer's public key and don't need JWKS discovery.
|
|
101
|
+
* For JWKS-based verification, use `verifyReceipt()` instead.
|
|
102
|
+
*
|
|
103
|
+
* @param jws - JWS compact serialization
|
|
104
|
+
* @param publicKey - Ed25519 public key (32 bytes)
|
|
105
|
+
* @param options - Optional verification options (issuer, audience, subject, clock skew)
|
|
106
|
+
* @returns Typed verification result
|
|
107
|
+
*
|
|
108
|
+
* @example
|
|
109
|
+
* ```typescript
|
|
110
|
+
* const result = await verifyLocal(jws, publicKey, {
|
|
111
|
+
* issuer: 'https://api.example.com',
|
|
112
|
+
* audience: 'https://client.example.com',
|
|
113
|
+
* subjectUri: 'https://api.example.com/inference/v1',
|
|
114
|
+
* });
|
|
115
|
+
* if (result.valid) {
|
|
116
|
+
* console.log('Issuer:', result.claims.iss);
|
|
117
|
+
* console.log('Amount:', result.claims.amt, result.claims.cur);
|
|
118
|
+
* console.log('Key ID:', result.kid);
|
|
119
|
+
* } else {
|
|
120
|
+
* console.error('Verification failed:', result.code, result.message);
|
|
121
|
+
* }
|
|
122
|
+
* ```
|
|
123
|
+
*/
|
|
124
|
+
export declare function verifyLocal(jws: string, publicKey: Uint8Array, options?: VerifyLocalOptions): Promise<VerifyLocalResult>;
|
|
125
|
+
//# sourceMappingURL=verify-local.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"verify-local.d.ts","sourceRoot":"","sources":["../src/verify-local.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAuB,KAAK,iBAAiB,EAAE,MAAM,cAAc,CAAC;AA8B3E;;;;GAIG;AACH,MAAM,MAAM,oBAAoB,GAC5B,qBAAqB,GACrB,kBAAkB,GAClB,WAAW,GACX,iBAAiB,GACjB,kBAAkB,GAClB,oBAAoB,GACpB,mBAAmB,GACnB,sBAAsB,GACtB,eAAe,GACf,YAAY,CAAC;AAEjB;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC;;;;OAIG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB;;;;;OAKG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;;;;OAKG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IAErB;;;;OAIG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;;;;OAKG;IACH,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,6BAA6B;IAC7B,KAAK,EAAE,IAAI,CAAC;IAEZ,qDAAqD;IACrD,MAAM,EAAE,iBAAiB,CAAC;IAE1B,oDAAoD;IACpD,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,0BAA0B;IAC1B,KAAK,EAAE,KAAK,CAAC;IAEb,8DAA8D;IAC9D,IAAI,EAAE,oBAAoB,CAAC;IAE3B,mCAAmC;IACnC,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG,kBAAkB,GAAG,kBAAkB,CAAC;AAaxE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,wBAAsB,WAAW,CAC/B,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,UAAU,EACrB,OAAO,GAAE,kBAAuB,GAC/B,OAAO,CAAC,iBAAiB,CAAC,CAmI5B"}
|
|
@@ -0,0 +1,189 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Local receipt verification with schema validation
|
|
4
|
+
*
|
|
5
|
+
* Use this for verifying receipts when you have the public key locally,
|
|
6
|
+
* without JWKS discovery.
|
|
7
|
+
*/
|
|
8
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
9
|
+
exports.verifyLocal = verifyLocal;
|
|
10
|
+
const crypto_1 = require("@peac/crypto");
|
|
11
|
+
const schema_1 = require("@peac/schema");
|
|
12
|
+
/**
|
|
13
|
+
* Structural check for CryptoError
|
|
14
|
+
* More robust than instanceof across module boundaries (ESM/CJS, duplicate packages)
|
|
15
|
+
*/
|
|
16
|
+
function isCryptoError(err) {
|
|
17
|
+
return (err !== null &&
|
|
18
|
+
typeof err === 'object' &&
|
|
19
|
+
'name' in err &&
|
|
20
|
+
err.name === 'CryptoError' &&
|
|
21
|
+
'code' in err &&
|
|
22
|
+
typeof err.code === 'string' &&
|
|
23
|
+
err.code.startsWith('CRYPTO_') &&
|
|
24
|
+
'message' in err &&
|
|
25
|
+
typeof err.message === 'string');
|
|
26
|
+
}
|
|
27
|
+
/**
|
|
28
|
+
* Crypto error codes that indicate format/validation issues
|
|
29
|
+
* These are CRYPTO_* internal codes from @peac/crypto, mapped to canonical E_* codes
|
|
30
|
+
*/
|
|
31
|
+
const FORMAT_ERROR_CODES = new Set([
|
|
32
|
+
'CRYPTO_INVALID_JWS_FORMAT',
|
|
33
|
+
'CRYPTO_INVALID_TYP',
|
|
34
|
+
'CRYPTO_INVALID_ALG',
|
|
35
|
+
'CRYPTO_INVALID_KEY_LENGTH',
|
|
36
|
+
]);
|
|
37
|
+
/**
|
|
38
|
+
* Verify a PEAC receipt locally with a known public key
|
|
39
|
+
*
|
|
40
|
+
* This function:
|
|
41
|
+
* 1. Verifies the Ed25519 signature and header (typ, alg)
|
|
42
|
+
* 2. Validates the receipt schema with Zod
|
|
43
|
+
* 3. Checks issuer/audience/subject binding (if options provided)
|
|
44
|
+
* 4. Checks time validity (exp/iat with clock skew tolerance)
|
|
45
|
+
*
|
|
46
|
+
* Use this when you have the issuer's public key and don't need JWKS discovery.
|
|
47
|
+
* For JWKS-based verification, use `verifyReceipt()` instead.
|
|
48
|
+
*
|
|
49
|
+
* @param jws - JWS compact serialization
|
|
50
|
+
* @param publicKey - Ed25519 public key (32 bytes)
|
|
51
|
+
* @param options - Optional verification options (issuer, audience, subject, clock skew)
|
|
52
|
+
* @returns Typed verification result
|
|
53
|
+
*
|
|
54
|
+
* @example
|
|
55
|
+
* ```typescript
|
|
56
|
+
* const result = await verifyLocal(jws, publicKey, {
|
|
57
|
+
* issuer: 'https://api.example.com',
|
|
58
|
+
* audience: 'https://client.example.com',
|
|
59
|
+
* subjectUri: 'https://api.example.com/inference/v1',
|
|
60
|
+
* });
|
|
61
|
+
* if (result.valid) {
|
|
62
|
+
* console.log('Issuer:', result.claims.iss);
|
|
63
|
+
* console.log('Amount:', result.claims.amt, result.claims.cur);
|
|
64
|
+
* console.log('Key ID:', result.kid);
|
|
65
|
+
* } else {
|
|
66
|
+
* console.error('Verification failed:', result.code, result.message);
|
|
67
|
+
* }
|
|
68
|
+
* ```
|
|
69
|
+
*/
|
|
70
|
+
async function verifyLocal(jws, publicKey, options = {}) {
|
|
71
|
+
const { issuer, audience, subjectUri, rid, requireExp = false, maxClockSkew = 300 } = options;
|
|
72
|
+
const now = options.now ?? Math.floor(Date.now() / 1000);
|
|
73
|
+
try {
|
|
74
|
+
// 1. Verify signature and header (typ, alg validated by @peac/crypto)
|
|
75
|
+
const result = await (0, crypto_1.verify)(jws, publicKey);
|
|
76
|
+
if (!result.valid) {
|
|
77
|
+
return {
|
|
78
|
+
valid: false,
|
|
79
|
+
code: 'E_INVALID_SIGNATURE',
|
|
80
|
+
message: 'Ed25519 signature verification failed',
|
|
81
|
+
};
|
|
82
|
+
}
|
|
83
|
+
// 2. Validate schema
|
|
84
|
+
const parseResult = schema_1.ReceiptClaimsSchema.safeParse(result.payload);
|
|
85
|
+
if (!parseResult.success) {
|
|
86
|
+
const firstIssue = parseResult.error.issues[0];
|
|
87
|
+
return {
|
|
88
|
+
valid: false,
|
|
89
|
+
code: 'E_INVALID_FORMAT',
|
|
90
|
+
message: `Receipt schema validation failed: ${firstIssue?.message ?? 'unknown error'}`,
|
|
91
|
+
};
|
|
92
|
+
}
|
|
93
|
+
const claims = parseResult.data;
|
|
94
|
+
// 3. Check issuer binding
|
|
95
|
+
if (issuer !== undefined && claims.iss !== issuer) {
|
|
96
|
+
return {
|
|
97
|
+
valid: false,
|
|
98
|
+
code: 'E_INVALID_ISSUER',
|
|
99
|
+
message: `Issuer mismatch: expected "${issuer}", got "${claims.iss}"`,
|
|
100
|
+
};
|
|
101
|
+
}
|
|
102
|
+
// 4. Check audience binding
|
|
103
|
+
if (audience !== undefined && claims.aud !== audience) {
|
|
104
|
+
return {
|
|
105
|
+
valid: false,
|
|
106
|
+
code: 'E_INVALID_AUDIENCE',
|
|
107
|
+
message: `Audience mismatch: expected "${audience}", got "${claims.aud}"`,
|
|
108
|
+
};
|
|
109
|
+
}
|
|
110
|
+
// 5. Check subject binding
|
|
111
|
+
if (subjectUri !== undefined) {
|
|
112
|
+
const actualSubjectUri = claims.subject?.uri;
|
|
113
|
+
if (actualSubjectUri !== subjectUri) {
|
|
114
|
+
return {
|
|
115
|
+
valid: false,
|
|
116
|
+
code: 'E_INVALID_SUBJECT',
|
|
117
|
+
message: `Subject mismatch: expected "${subjectUri}", got "${actualSubjectUri ?? 'undefined'}"`,
|
|
118
|
+
};
|
|
119
|
+
}
|
|
120
|
+
}
|
|
121
|
+
// 6. Check receipt ID binding
|
|
122
|
+
if (rid !== undefined && claims.rid !== rid) {
|
|
123
|
+
return {
|
|
124
|
+
valid: false,
|
|
125
|
+
code: 'E_INVALID_RECEIPT_ID',
|
|
126
|
+
message: `Receipt ID mismatch: expected "${rid}", got "${claims.rid}"`,
|
|
127
|
+
};
|
|
128
|
+
}
|
|
129
|
+
// 7. Check requireExp
|
|
130
|
+
if (requireExp && claims.exp === undefined) {
|
|
131
|
+
return {
|
|
132
|
+
valid: false,
|
|
133
|
+
code: 'E_MISSING_EXP',
|
|
134
|
+
message: 'Receipt missing required exp claim',
|
|
135
|
+
};
|
|
136
|
+
}
|
|
137
|
+
// 8. Check not-yet-valid (iat with clock skew)
|
|
138
|
+
if (claims.iat > now + maxClockSkew) {
|
|
139
|
+
return {
|
|
140
|
+
valid: false,
|
|
141
|
+
code: 'E_NOT_YET_VALID',
|
|
142
|
+
message: `Receipt not yet valid: issued at ${new Date(claims.iat * 1000).toISOString()}, now is ${new Date(now * 1000).toISOString()}`,
|
|
143
|
+
};
|
|
144
|
+
}
|
|
145
|
+
// 9. Check expiry (with clock skew tolerance)
|
|
146
|
+
if (claims.exp !== undefined && claims.exp < now - maxClockSkew) {
|
|
147
|
+
return {
|
|
148
|
+
valid: false,
|
|
149
|
+
code: 'E_EXPIRED',
|
|
150
|
+
message: `Receipt expired at ${new Date(claims.exp * 1000).toISOString()}`,
|
|
151
|
+
};
|
|
152
|
+
}
|
|
153
|
+
return {
|
|
154
|
+
valid: true,
|
|
155
|
+
claims,
|
|
156
|
+
kid: result.header.kid,
|
|
157
|
+
};
|
|
158
|
+
}
|
|
159
|
+
catch (err) {
|
|
160
|
+
// Handle typed CryptoError from @peac/crypto
|
|
161
|
+
// Use structural check instead of instanceof for robustness across ESM/CJS boundaries
|
|
162
|
+
// Map internal CRYPTO_* codes to canonical E_* codes
|
|
163
|
+
if (isCryptoError(err)) {
|
|
164
|
+
if (FORMAT_ERROR_CODES.has(err.code)) {
|
|
165
|
+
return {
|
|
166
|
+
valid: false,
|
|
167
|
+
code: 'E_INVALID_FORMAT',
|
|
168
|
+
message: err.message,
|
|
169
|
+
};
|
|
170
|
+
}
|
|
171
|
+
if (err.code === 'CRYPTO_INVALID_SIGNATURE') {
|
|
172
|
+
return {
|
|
173
|
+
valid: false,
|
|
174
|
+
code: 'E_INVALID_SIGNATURE',
|
|
175
|
+
message: err.message,
|
|
176
|
+
};
|
|
177
|
+
}
|
|
178
|
+
}
|
|
179
|
+
// All other errors (JSON parse, unexpected) -> E_INTERNAL
|
|
180
|
+
// No message parsing - code-based mapping only
|
|
181
|
+
const message = err instanceof Error ? err.message : String(err);
|
|
182
|
+
return {
|
|
183
|
+
valid: false,
|
|
184
|
+
code: 'E_INTERNAL',
|
|
185
|
+
message: `Unexpected verification error: ${message}`,
|
|
186
|
+
};
|
|
187
|
+
}
|
|
188
|
+
}
|
|
189
|
+
//# sourceMappingURL=verify-local.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"verify-local.js","sourceRoot":"","sources":["../src/verify-local.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAyLH,kCAuIC;AA9TD,yCAAmD;AACnD,yCAA2E;AAY3E;;;GAGG;AACH,SAAS,aAAa,CAAC,GAAY;IACjC,OAAO,CACL,GAAG,KAAK,IAAI;QACZ,OAAO,GAAG,KAAK,QAAQ;QACvB,MAAM,IAAI,GAAG;QACb,GAAG,CAAC,IAAI,KAAK,aAAa;QAC1B,MAAM,IAAI,GAAG;QACb,OAAO,GAAG,CAAC,IAAI,KAAK,QAAQ;QAC5B,GAAG,CAAC,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC;QAC9B,SAAS,IAAI,GAAG;QAChB,OAAO,GAAG,CAAC,OAAO,KAAK,QAAQ,CAChC,CAAC;AACJ,CAAC;AA8GD;;;GAGG;AACH,MAAM,kBAAkB,GAAG,IAAI,GAAG,CAAC;IACjC,2BAA2B;IAC3B,oBAAoB;IACpB,oBAAoB;IACpB,2BAA2B;CAC5B,CAAC,CAAC;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACI,KAAK,UAAU,WAAW,CAC/B,GAAW,EACX,SAAqB,EACrB,UAA8B,EAAE;IAEhC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,EAAE,UAAU,GAAG,KAAK,EAAE,YAAY,GAAG,GAAG,EAAE,GAAG,OAAO,CAAC;IAC9F,MAAM,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAEzD,IAAI,CAAC;QACH,sEAAsE;QACtE,MAAM,MAAM,GAAG,MAAM,IAAA,eAAS,EAAU,GAAG,EAAE,SAAS,CAAC,CAAC;QAExD,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,qBAAqB;gBAC3B,OAAO,EAAE,uCAAuC;aACjD,CAAC;QACJ,CAAC;QAED,qBAAqB;QACrB,MAAM,WAAW,GAAG,4BAAmB,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAElE,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,CAAC;YACzB,MAAM,UAAU,GAAG,WAAW,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC/C,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,kBAAkB;gBACxB,OAAO,EAAE,qCAAqC,UAAU,EAAE,OAAO,IAAI,eAAe,EAAE;aACvF,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,CAAC;QAEhC,0BAA0B;QAC1B,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM,EAAE,CAAC;YAClD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,kBAAkB;gBACxB,OAAO,EAAE,8BAA8B,MAAM,WAAW,MAAM,CAAC,GAAG,GAAG;aACtE,CAAC;QACJ,CAAC;QAED,4BAA4B;QAC5B,IAAI,QAAQ,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YACtD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,gCAAgC,QAAQ,WAAW,MAAM,CAAC,GAAG,GAAG;aAC1E,CAAC;QACJ,CAAC;QAED,2BAA2B;QAC3B,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;YAC7B,MAAM,gBAAgB,GAAG,MAAM,CAAC,OAAO,EAAE,GAAG,CAAC;YAC7C,IAAI,gBAAgB,KAAK,UAAU,EAAE,CAAC;gBACpC,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,IAAI,EAAE,mBAAmB;oBACzB,OAAO,EAAE,+BAA+B,UAAU,WAAW,gBAAgB,IAAI,WAAW,GAAG;iBAChG,CAAC;YACJ,CAAC;QACH,CAAC;QAED,8BAA8B;QAC9B,IAAI,GAAG,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,KAAK,GAAG,EAAE,CAAC;YAC5C,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,sBAAsB;gBAC5B,OAAO,EAAE,kCAAkC,GAAG,WAAW,MAAM,CAAC,GAAG,GAAG;aACvE,CAAC;QACJ,CAAC;QAED,sBAAsB;QACtB,IAAI,UAAU,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAC3C,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,eAAe;gBACrB,OAAO,EAAE,oCAAoC;aAC9C,CAAC;QACJ,CAAC;QAED,+CAA+C;QAC/C,IAAI,MAAM,CAAC,GAAG,GAAG,GAAG,GAAG,YAAY,EAAE,CAAC;YACpC,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,iBAAiB;gBACvB,OAAO,EAAE,oCAAoC,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,YAAY,IAAI,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE;aACvI,CAAC;QACJ,CAAC;QAED,8CAA8C;QAC9C,IAAI,MAAM,CAAC,GAAG,KAAK,SAAS,IAAI,MAAM,CAAC,GAAG,GAAG,GAAG,GAAG,YAAY,EAAE,CAAC;YAChE,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,IAAI,EAAE,WAAW;gBACjB,OAAO,EAAE,sBAAsB,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE;aAC3E,CAAC;QACJ,CAAC;QAED,OAAO;YACL,KAAK,EAAE,IAAI;YACX,MAAM;YACN,GAAG,EAAE,MAAM,CAAC,MAAM,CAAC,GAAG;SACvB,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,6CAA6C;QAC7C,sFAAsF;QACtF,qDAAqD;QACrD,IAAI,aAAa,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,IAAI,kBAAkB,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACrC,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,IAAI,EAAE,kBAAkB;oBACxB,OAAO,EAAE,GAAG,CAAC,OAAO;iBACrB,CAAC;YACJ,CAAC;YACD,IAAI,GAAG,CAAC,IAAI,KAAK,0BAA0B,EAAE,CAAC;gBAC5C,OAAO;oBACL,KAAK,EAAE,KAAK;oBACZ,IAAI,EAAE,qBAAqB;oBAC3B,OAAO,EAAE,GAAG,CAAC,OAAO;iBACrB,CAAC;YACJ,CAAC;QACH,CAAC;QAED,0DAA0D;QAC1D,+CAA+C;QAC/C,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO;YACL,KAAK,EAAE,KAAK;YACZ,IAAI,EAAE,YAAY;YAClB,OAAO,EAAE,kCAAkC,OAAO,EAAE;SACrD,CAAC;IACJ,CAAC;AACH,CAAC"}
|
package/dist/verify.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EACL,iBAAiB,EAEjB,sBAAsB,EAEvB,MAAM,cAAc,CAAC;
|
|
1
|
+
{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,EACL,iBAAiB,EAEjB,sBAAsB,EAEvB,MAAM,cAAc,CAAC;AAgCtB;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,6BAA6B;IAC7B,EAAE,EAAE,IAAI,CAAC;IAET,qBAAqB;IACrB,MAAM,EAAE,iBAAiB,CAAC;IAE1B,uDAAuD;IACvD,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;IAE1C,0BAA0B;IAC1B,IAAI,CAAC,EAAE;QACL,SAAS,EAAE,MAAM,CAAC;QAClB,aAAa,CAAC,EAAE,MAAM,CAAC;KACxB,CAAC;CACH;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,0BAA0B;IAC1B,EAAE,EAAE,KAAK,CAAC;IAEV,mBAAmB;IACnB,MAAM,EAAE,MAAM,CAAC;IAEf,oBAAoB;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAmGD;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,gCAAgC;IAChC,UAAU,EAAE,MAAM,CAAC;IAEnB,sEAAsE;IACtE,gBAAgB,CAAC,EAAE,sBAAsB,CAAC;CAC3C;AA8BD;;;;;GAKG;AACH,wBAAsB,aAAa,CACjC,YAAY,EAAE,MAAM,GAAG,aAAa,GACnC,OAAO,CAAC,YAAY,GAAG,aAAa,CAAC,CA+FvC"}
|
package/dist/verify.js
CHANGED
|
@@ -6,6 +6,8 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
6
6
|
exports.verifyReceipt = verifyReceipt;
|
|
7
7
|
const crypto_1 = require("@peac/crypto");
|
|
8
8
|
const schema_1 = require("@peac/schema");
|
|
9
|
+
const telemetry_1 = require("@peac/telemetry");
|
|
10
|
+
const telemetry_js_1 = require("./telemetry.js");
|
|
9
11
|
/**
|
|
10
12
|
* In-memory JWKS cache
|
|
11
13
|
* Maps issuer URL to { keys, expiresAt }
|
|
@@ -93,6 +95,27 @@ function jwkToPublicKey(jwk) {
|
|
|
93
95
|
}
|
|
94
96
|
return new Uint8Array(xBytes);
|
|
95
97
|
}
|
|
98
|
+
/**
|
|
99
|
+
* Emit verification telemetry (no-throw guard)
|
|
100
|
+
*/
|
|
101
|
+
function emitVerifyTelemetry(receiptJws, valid, reasonCode, issuer, kid, durationMs) {
|
|
102
|
+
const p = telemetry_1.providerRef.current;
|
|
103
|
+
if (p) {
|
|
104
|
+
try {
|
|
105
|
+
p.onReceiptVerified({
|
|
106
|
+
receiptHash: (0, telemetry_js_1.hashReceipt)(receiptJws),
|
|
107
|
+
valid,
|
|
108
|
+
reasonCode,
|
|
109
|
+
issuer,
|
|
110
|
+
kid,
|
|
111
|
+
durationMs,
|
|
112
|
+
});
|
|
113
|
+
}
|
|
114
|
+
catch {
|
|
115
|
+
// Telemetry MUST NOT break core flow
|
|
116
|
+
}
|
|
117
|
+
}
|
|
118
|
+
}
|
|
96
119
|
/**
|
|
97
120
|
* Verify a PEAC receipt JWS
|
|
98
121
|
*
|
|
@@ -112,6 +135,8 @@ async function verifyReceipt(optionsOrJws) {
|
|
|
112
135
|
schema_1.ReceiptClaims.parse(payload);
|
|
113
136
|
// Check expiry
|
|
114
137
|
if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
|
|
138
|
+
const durationMs = performance.now() - startTime;
|
|
139
|
+
emitVerifyTelemetry(receiptJws, false, 'expired', payload.iss, header.kid, durationMs);
|
|
115
140
|
return {
|
|
116
141
|
ok: false,
|
|
117
142
|
reason: 'expired',
|
|
@@ -127,6 +152,8 @@ async function verifyReceipt(optionsOrJws) {
|
|
|
127
152
|
// Find key by kid
|
|
128
153
|
const jwk = jwks.keys.find((k) => k.kid === header.kid);
|
|
129
154
|
if (!jwk) {
|
|
155
|
+
const durationMs = performance.now() - startTime;
|
|
156
|
+
emitVerifyTelemetry(receiptJws, false, 'unknown_key', payload.iss, header.kid, durationMs);
|
|
130
157
|
return {
|
|
131
158
|
ok: false,
|
|
132
159
|
reason: 'unknown_key',
|
|
@@ -138,6 +165,8 @@ async function verifyReceipt(optionsOrJws) {
|
|
|
138
165
|
// Verify signature
|
|
139
166
|
const result = await (0, crypto_1.verify)(receiptJws, publicKey);
|
|
140
167
|
if (!result.valid) {
|
|
168
|
+
const durationMs = performance.now() - startTime;
|
|
169
|
+
emitVerifyTelemetry(receiptJws, false, 'invalid_signature', payload.iss, header.kid, durationMs);
|
|
141
170
|
return {
|
|
142
171
|
ok: false,
|
|
143
172
|
reason: 'invalid_signature',
|
|
@@ -148,6 +177,8 @@ async function verifyReceipt(optionsOrJws) {
|
|
|
148
177
|
// This validates schema and logs advisory PII warning if applicable
|
|
149
178
|
const validatedSnapshot = (0, schema_1.validateSubjectSnapshot)(inputSnapshot);
|
|
150
179
|
const verifyTime = performance.now() - startTime;
|
|
180
|
+
// Emit success telemetry
|
|
181
|
+
emitVerifyTelemetry(receiptJws, true, undefined, payload.iss, header.kid, verifyTime);
|
|
151
182
|
return {
|
|
152
183
|
ok: true,
|
|
153
184
|
claims: payload,
|
|
@@ -159,6 +190,8 @@ async function verifyReceipt(optionsOrJws) {
|
|
|
159
190
|
};
|
|
160
191
|
}
|
|
161
192
|
catch (err) {
|
|
193
|
+
const durationMs = performance.now() - startTime;
|
|
194
|
+
emitVerifyTelemetry(receiptJws, false, 'verification_error', undefined, undefined, durationMs);
|
|
162
195
|
return {
|
|
163
196
|
ok: false,
|
|
164
197
|
reason: 'verification_error',
|
package/dist/verify.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"verify.js","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":";AAAA;;GAEG;;
|
|
1
|
+
{"version":3,"file":"verify.js","sourceRoot":"","sources":["../src/verify.ts"],"names":[],"mappings":";AAAA;;GAEG;;AAwNH,sCAiGC;AAvTD,yCAA2D;AAC3D,yCAKsB;AACtB,+CAA8C;AAC9C,iDAA6C;AAmB7C;;;GAGG;AACH,MAAM,SAAS,GAAG,IAAI,GAAG,EAA6C,CAAC;AAEvE;;GAEG;AACH,MAAM,YAAY,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAoCnC;;GAEG;AACH,KAAK,UAAU,SAAS,CAAC,SAAiB;IACxC,uCAAuC;IACvC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;IACjD,CAAC;IAED,oCAAoC;IACpC,MAAM,YAAY,GAAG,GAAG,SAAS,uBAAuB,CAAC;IAEzD,IAAI,CAAC;QACH,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,YAAY,EAAE;YAC9C,OAAO,EAAE,EAAE,MAAM,EAAE,YAAY,EAAE;YACjC,0BAA0B;YAC1B,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;SAClC,CAAC,CAAC;QAEH,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,2BAA2B,aAAa,CAAC,MAAM,EAAE,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,aAAa,GAAG,MAAM,aAAa,CAAC,IAAI,EAAE,CAAC;QAEjD,wDAAwD;QACxD,MAAM,QAAQ,GAAG,aAAa,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC;QACpF,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAChD,CAAC;QAED,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QAErD,oDAAoD;QACpD,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;QAC/C,CAAC;QAED,aAAa;QACb,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;YACpC,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;SAClC,CAAC,CAAC;QAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,sBAAsB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAC3D,CAAC;QAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAS,CAAC;QAE7C,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,sBAAsB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAC5F,CAAC;AACH,CAAC;AAED;;GAEG;AACH,KAAK,UAAU,OAAO,CAAC,SAAiB;IACtC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAEvB,cAAc;IACd,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;IACxC,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;QACrC,OAAO,EAAE,IAAI,EAAE,MAAM,CAAC,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC;IAChD,CAAC;IAED,mBAAmB;IACnB,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,SAAS,CAAC,CAAC;IAExC,WAAW;IACX,SAAS,CAAC,GAAG,CAAC,SAAS,EAAE;QACvB,IAAI,EAAE,IAAI;QACV,SAAS,EAAE,GAAG,GAAG,YAAY;KAC9B,CAAC,CAAC;IAEH,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC;AACpC,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,GAAQ;IAC9B,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;IACnE,CAAC;IAED,gCAAgC;IAChC,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC;IAC/C,IAAI,MAAM,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,OAAO,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAaD;;GAEG;AACH,SAAS,mBAAmB,CAC1B,UAAkB,EAClB,KAAc,EACd,UAA8B,EAC9B,MAA0B,EAC1B,GAAuB,EACvB,UAAkB;IAElB,MAAM,CAAC,GAAG,uBAAW,CAAC,OAAO,CAAC;IAC9B,IAAI,CAAC,EAAE,CAAC;QACN,IAAI,CAAC;YACH,CAAC,CAAC,iBAAiB,CAAC;gBAClB,WAAW,EAAE,IAAA,0BAAW,EAAC,UAAU,CAAC;gBACpC,KAAK;gBACL,UAAU;gBACV,MAAM;gBACN,GAAG;gBACH,UAAU;aACX,CAAC,CAAC;QACL,CAAC;QAAC,MAAM,CAAC;YACP,qCAAqC;QACvC,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACI,KAAK,UAAU,aAAa,CACjC,YAAoC;IAEpC,qFAAqF;IACrF,MAAM,UAAU,GAAG,OAAO,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,YAAY,CAAC,UAAU,CAAC;IAC7F,MAAM,aAAa,GACjB,OAAO,YAAY,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,YAAY,CAAC,gBAAgB,CAAC;IAC/E,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;IACpC,IAAI,aAAiC,CAAC;IAEtC,IAAI,CAAC;QACH,2BAA2B;QAC3B,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,IAAA,eAAM,EAAoB,UAAU,CAAC,CAAC;QAElE,4BAA4B;QAC5B,sBAAa,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAE7B,eAAe;QACf,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,EAAE,CAAC;YAC/D,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YACjD,mBAAmB,CAAC,UAAU,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;YACvF,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,SAAS;gBACjB,OAAO,EAAE,sBAAsB,IAAI,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,EAAE;aAC5E,CAAC;QACJ,CAAC;QAED,aAAa;QACb,MAAM,cAAc,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QACzC,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,GAAG,MAAM,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACvD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,aAAa,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,cAAc,CAAC;QACrD,CAAC;QAED,kBAAkB;QAClB,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,MAAM,CAAC,GAAG,CAAC,CAAC;QACxD,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YACjD,mBAAmB,CAAC,UAAU,EAAE,KAAK,EAAE,aAAa,EAAE,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;YAC3F,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,aAAa;gBACrB,OAAO,EAAE,yBAAyB,MAAM,CAAC,GAAG,EAAE;aAC/C,CAAC;QACJ,CAAC;QAED,4BAA4B;QAC5B,MAAM,SAAS,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC;QAEtC,mBAAmB;QACnB,MAAM,MAAM,GAAG,MAAM,IAAA,eAAS,EAAoB,UAAU,EAAE,SAAS,CAAC,CAAC;QAEzE,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;YAClB,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YACjD,mBAAmB,CACjB,UAAU,EACV,KAAK,EACL,mBAAmB,EACnB,OAAO,CAAC,GAAG,EACX,MAAM,CAAC,GAAG,EACV,UAAU,CACX,CAAC;YACF,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,MAAM,EAAE,mBAAmB;gBAC3B,OAAO,EAAE,uCAAuC;aACjD,CAAC;QACJ,CAAC;QAED,mDAAmD;QACnD,oEAAoE;QACpE,MAAM,iBAAiB,GAAG,IAAA,gCAAuB,EAAC,aAAa,CAAC,CAAC;QAEjE,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QAEjD,yBAAyB;QACzB,mBAAmB,CAAC,UAAU,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,CAAC,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;QAEtF,OAAO;YACL,EAAE,EAAE,IAAI;YACR,MAAM,EAAE,OAAO;YACf,GAAG,CAAC,iBAAiB,IAAI,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,CAAC;YACjE,IAAI,EAAE;gBACJ,SAAS,EAAE,UAAU;gBACrB,GAAG,CAAC,aAAa,IAAI,EAAE,aAAa,EAAE,aAAa,EAAE,CAAC;aACvD;SACF,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,UAAU,GAAG,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QACjD,mBAAmB,CAAC,UAAU,EAAE,KAAK,EAAE,oBAAoB,EAAE,SAAS,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;QAC/F,OAAO;YACL,EAAE,EAAE,KAAK;YACT,MAAM,EAAE,oBAAoB;YAC5B,OAAO,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SAC1D,CAAC;IACJ,CAAC;AACH,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@peac/protocol",
|
|
3
|
-
"version": "0.9.
|
|
3
|
+
"version": "0.9.31",
|
|
4
4
|
"description": "PEAC protocol implementation - receipt issuance and verification",
|
|
5
5
|
"main": "dist/index.js",
|
|
6
6
|
"types": "dist/index.d.ts",
|
|
@@ -22,20 +22,23 @@
|
|
|
22
22
|
"publishConfig": {
|
|
23
23
|
"access": "public"
|
|
24
24
|
},
|
|
25
|
-
"scripts": {
|
|
26
|
-
"build": "tsc",
|
|
27
|
-
"test": "vitest run",
|
|
28
|
-
"test:watch": "vitest",
|
|
29
|
-
"clean": "rm -rf dist"
|
|
30
|
-
},
|
|
31
25
|
"dependencies": {
|
|
32
|
-
"
|
|
33
|
-
"
|
|
34
|
-
"
|
|
26
|
+
"uuidv7": "^0.6.3",
|
|
27
|
+
"zod": "^3.22.4",
|
|
28
|
+
"@peac/kernel": "0.9.31",
|
|
29
|
+
"@peac/schema": "0.9.31",
|
|
30
|
+
"@peac/telemetry": "0.9.31",
|
|
31
|
+
"@peac/crypto": "0.9.31"
|
|
35
32
|
},
|
|
36
33
|
"devDependencies": {
|
|
37
34
|
"@types/node": "^20.10.0",
|
|
38
35
|
"typescript": "^5.3.3",
|
|
39
36
|
"vitest": "^1.1.0"
|
|
37
|
+
},
|
|
38
|
+
"scripts": {
|
|
39
|
+
"build": "tsc",
|
|
40
|
+
"test": "vitest run",
|
|
41
|
+
"test:watch": "vitest",
|
|
42
|
+
"clean": "rm -rf dist"
|
|
40
43
|
}
|
|
41
|
-
}
|
|
44
|
+
}
|