npm - @peac/schema - Versions diffs - 0.11.1 → 0.11.3 - Mend

@peac/schema 0.11.1 → 0.11.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (35) hide show

package/README.md +64 -3
package/dist/actor-binding.d.ts +148 -0
package/dist/actor-binding.d.ts.map +1 -0
package/dist/carrier.d.ts +6 -0
package/dist/carrier.d.ts.map +1 -1
package/dist/dispute.d.ts +4 -4
package/dist/extensions/control-action.d.ts +68 -0
package/dist/extensions/control-action.d.ts.map +1 -0
package/dist/extensions/credential-event.d.ts +53 -0
package/dist/extensions/credential-event.d.ts.map +1 -0
package/dist/extensions/fingerprint-ref.d.ts +50 -0
package/dist/extensions/fingerprint-ref.d.ts.map +1 -0
package/dist/extensions/index.d.ts +16 -0
package/dist/extensions/index.d.ts.map +1 -0
package/dist/extensions/tool-registry.d.ts +32 -0
package/dist/extensions/tool-registry.d.ts.map +1 -0
package/dist/extensions/treaty.d.ts +55 -0
package/dist/extensions/treaty.d.ts.map +1 -0
package/dist/index.cjs +390 -1
package/dist/index.cjs.map +1 -1
package/dist/index.d.ts +7 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.mjs +352 -2
package/dist/index.mjs.map +1 -1
package/dist/interaction.cjs +2 -1
package/dist/interaction.cjs.map +1 -1
package/dist/interaction.d.ts +1 -1
package/dist/interaction.d.ts.map +1 -1
package/dist/interaction.mjs +2 -1
package/dist/interaction.mjs.map +1 -1
package/dist/issuer-config.d.ts +61 -0
package/dist/issuer-config.d.ts.map +1 -0
package/dist/types.d.ts +17 -0
package/dist/types.d.ts.map +1 -1
package/package.json +2 -2

package/dist/index.cjs CHANGED Viewed

@@ -1156,6 +1156,306 @@ function validateEvidence(evidence, limits) {
   }
   return { ok: true, value: evidence };
 }
+var PROOF_TYPES = [
+  "ed25519-cert-chain",
+  "eat-passport",
+  "eat-background-check",
+  "sigstore-oidc",
+  "did",
+  "spiffe",
+  "x509-pki",
+  "custom"
+];
+var ProofTypeSchema = zod.z.enum(PROOF_TYPES);
+function isOriginOnly(value) {
+  try {
+    const url = new URL(value);
+    if (url.protocol !== "https:" && url.protocol !== "http:") {
+      return false;
+    }
+    if (url.pathname !== "/") {
+      return false;
+    }
+    if (url.search !== "") {
+      return false;
+    }
+    if (url.hash !== "" || value.includes("#")) {
+      return false;
+    }
+    if (url.username !== "" || url.password !== "") {
+      return false;
+    }
+    if (url.hostname.endsWith(".")) {
+      return false;
+    }
+    const hostPart = value.replace(/^https?:\/\//, "").split(/[/:]/)[0];
+    if (hostPart.endsWith(".")) {
+      return false;
+    }
+    if (url.hostname.includes("%")) {
+      return false;
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+var ACTOR_BINDING_EXTENSION_KEY = "org.peacprotocol/actor_binding";
+var ActorBindingSchema = zod.z.object({
+  /** Stable actor identifier (opaque, no PII) */
+  id: zod.z.string().min(1).max(256),
+  /** Proof type from DD-143 multi-root vocabulary */
+  proof_type: ProofTypeSchema,
+  /** URI or hash of external proof artifact */
+  proof_ref: zod.z.string().max(2048).optional(),
+  /** Origin-only URL: scheme + host + optional port; NO path, query, or fragment */
+  origin: zod.z.string().max(2048).refine(isOriginOnly, {
+    message: "origin must be an origin-only URL (scheme + host + optional port; no path, query, or fragment)"
+  }),
+  /** SHA-256 hash of the intent (hash-first per DD-138) */
+  intent_hash: zod.z.string().regex(/^sha256:[a-f0-9]{64}$/, {
+    message: "intent_hash must match sha256:<64 hex chars>"
+  }).optional()
+}).strict();
+var MVISTimeBoundsSchema = zod.z.object({
+  /** Earliest valid time (RFC 3339) */
+  not_before: zod.z.string().datetime(),
+  /** Latest valid time (RFC 3339) */
+  not_after: zod.z.string().datetime()
+}).strict();
+var MVISReplayProtectionSchema = zod.z.object({
+  /** Unique token identifier (jti from JWT or equivalent) */
+  jti: zod.z.string().min(1).max(256),
+  /** Optional nonce for additional replay protection */
+  nonce: zod.z.string().max(256).optional()
+}).strict();
+var MVISFieldsSchema = zod.z.object({
+  /** Who issued the identity assertion */
+  issuer: zod.z.string().min(1).max(2048),
+  /** Who the identity is about (opaque identifier, no PII) */
+  subject: zod.z.string().min(1).max(256),
+  /** Cryptographic binding: kid or JWK thumbprint */
+  key_binding: zod.z.string().min(1).max(256),
+  /** Validity period */
+  time_bounds: MVISTimeBoundsSchema,
+  /** Replay protection */
+  replay_protection: MVISReplayProtectionSchema
+}).strict();
+function validateActorBinding(data) {
+  const result = ActorBindingSchema.safeParse(data);
+  if (result.success) {
+    return { ok: true, value: result.data };
+  }
+  return { ok: false, error: result.error.message };
+}
+function validateMVIS(data) {
+  const result = MVISFieldsSchema.safeParse(data);
+  if (!result.success) {
+    return { ok: false, error: result.error.message };
+  }
+  const notBefore = new Date(result.data.time_bounds.not_before).getTime();
+  const notAfter = new Date(result.data.time_bounds.not_after).getTime();
+  if (notBefore >= notAfter) {
+    return { ok: false, error: "not_before must be before not_after" };
+  }
+  const MAX_DURATION_MS = 100 * 365.25 * 24 * 60 * 60 * 1e3;
+  if (notAfter - notBefore > MAX_DURATION_MS) {
+    return { ok: false, error: "time_bounds duration must not exceed 100 years" };
+  }
+  return { ok: true, value: result.data };
+}
+var CREDENTIAL_EVENT_EXTENSION_KEY = "org.peacprotocol/credential_event";
+var CREDENTIAL_EVENTS = ["issued", "leased", "rotated", "revoked", "expired"];
+var CredentialEventTypeSchema = zod.z.enum(CREDENTIAL_EVENTS);
+var FINGERPRINT_REF_PATTERN = /^(sha256|hmac-sha256):[a-f0-9]{64}$/;
+var CredentialRefSchema = zod.z.string().max(256).regex(FINGERPRINT_REF_PATTERN, {
+  message: "credential_ref must be an opaque fingerprint reference: (sha256|hmac-sha256):<64 hex chars>"
+});
+var CredentialEventSchema = zod.z.object({
+  /** Lifecycle event type */
+  event: CredentialEventTypeSchema,
+  /** Opaque fingerprint reference of the credential (format validation only) */
+  credential_ref: CredentialRefSchema,
+  /** Authority that performed the action (HTTPS URL) */
+  authority: zod.z.string().url().max(2048).refine((v) => v.startsWith("https://"), {
+    message: "authority must be an HTTPS URL"
+  }),
+  /** When the credential expires (RFC 3339, optional) */
+  expires_at: zod.z.string().datetime().optional(),
+  /** Previous credential reference for rotation chains (optional) */
+  previous_ref: CredentialRefSchema.optional()
+}).strict();
+function validateCredentialEvent(data) {
+  const result = CredentialEventSchema.safeParse(data);
+  if (result.success) {
+    return { ok: true, value: result.data };
+  }
+  return { ok: false, error: result.error.message };
+}
+var TOOL_REGISTRY_EXTENSION_KEY = "org.peacprotocol/tool_registry";
+function isAllowedRegistryUri(value) {
+  if (value.startsWith("urn:")) {
+    return true;
+  }
+  try {
+    const url = new URL(value);
+    return url.protocol === "https:";
+  } catch {
+    return false;
+  }
+}
+var ToolRegistrySchema = zod.z.object({
+  /** Tool identifier */
+  tool_id: zod.z.string().min(1).max(256),
+  /** Registry URI (HTTPS or URN only; no file:// or data:// for SSRF prevention) */
+  registry_uri: zod.z.string().max(2048).refine(isAllowedRegistryUri, {
+    message: "registry_uri must be an HTTPS URL or URN (file:// and data:// are prohibited)"
+  }),
+  /** Tool version (optional, semver-like) */
+  version: zod.z.string().max(64).optional(),
+  /** Tool capabilities (optional) */
+  capabilities: zod.z.array(zod.z.string().max(64)).max(32).optional()
+}).strict();
+function validateToolRegistry(data) {
+  const result = ToolRegistrySchema.safeParse(data);
+  if (result.success) {
+    return { ok: true, value: result.data };
+  }
+  return { ok: false, error: result.error.message };
+}
+var CONTROL_ACTION_EXTENSION_KEY = "org.peacprotocol/control_action";
+var CONTROL_ACTIONS = ["grant", "deny", "escalate", "delegate", "audit"];
+var ControlActionTypeSchema = zod.z.enum(CONTROL_ACTIONS);
+var CONTROL_TRIGGERS = [
+  "policy_evaluation",
+  "manual_review",
+  "anomaly_detection",
+  "scheduled",
+  "event_driven"
+];
+var ControlTriggerSchema = zod.z.enum(CONTROL_TRIGGERS);
+var ControlActionSchema = zod.z.object({
+  /** Action taken */
+  action: ControlActionTypeSchema,
+  /** What triggered the action */
+  trigger: ControlTriggerSchema,
+  /** Resource or scope the action applies to (optional) */
+  resource: zod.z.string().max(2048).optional(),
+  /** Reason for the action (optional, human-readable) */
+  reason: zod.z.string().max(1024).optional(),
+  /** Policy identifier that was evaluated (optional) */
+  policy_ref: zod.z.string().max(2048).optional(),
+  /** When the action was taken (RFC 3339, optional; defaults to receipt iat) */
+  action_at: zod.z.string().datetime().optional()
+}).strict();
+function validateControlAction(data) {
+  const result = ControlActionSchema.safeParse(data);
+  if (result.success) {
+    return { ok: true, value: result.data };
+  }
+  return { ok: false, error: result.error.message };
+}
+var TREATY_EXTENSION_KEY = "org.peacprotocol/treaty";
+var COMMITMENT_CLASSES = ["informational", "operational", "financial", "legal"];
+var CommitmentClassSchema = zod.z.enum(COMMITMENT_CLASSES);
+var TreatySchema = zod.z.object({
+  /** Commitment level */
+  commitment_class: CommitmentClassSchema,
+  /** URL to full terms document (optional) */
+  terms_ref: zod.z.string().url().max(2048).optional(),
+  /** SHA-256 hash of terms document for integrity verification (optional) */
+  terms_hash: zod.z.string().regex(/^sha256:[a-f0-9]{64}$/, {
+    message: "terms_hash must match sha256:<64 hex chars>"
+  }).optional(),
+  /** Counterparty identifier (optional) */
+  counterparty: zod.z.string().max(256).optional(),
+  /** When the treaty becomes effective (RFC 3339, optional) */
+  effective_at: zod.z.string().datetime().optional(),
+  /** When the treaty expires (RFC 3339, optional) */
+  expires_at: zod.z.string().datetime().optional()
+}).strict();
+function validateTreaty(data) {
+  const result = TreatySchema.safeParse(data);
+  if (!result.success) {
+    return { ok: false, error: result.error.message };
+  }
+  if (result.data.effective_at && result.data.expires_at) {
+    const effectiveMs = new Date(result.data.effective_at).getTime();
+    const expiresMs = new Date(result.data.expires_at).getTime();
+    if (effectiveMs > expiresMs) {
+      return { ok: false, error: "effective_at must not be after expires_at" };
+    }
+  }
+  return { ok: true, value: result.data };
+}
+// src/extensions/fingerprint-ref.ts
+function hexToBase64url(hex) {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
+  }
+  let base64;
+  if (typeof Buffer !== "undefined") {
+    base64 = Buffer.from(bytes).toString("base64");
+  } else {
+    base64 = btoa(String.fromCharCode(...bytes));
+  }
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64urlToHex(b64url) {
+  let base64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
+  while (base64.length % 4 !== 0) {
+    base64 += "=";
+  }
+  let bytes;
+  if (typeof Buffer !== "undefined") {
+    bytes = Buffer.from(base64, "base64");
+  } else {
+    const binary = atob(base64);
+    bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+  }
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+var VALID_ALGS = ["sha256", "hmac-sha256"];
+var STRING_FORM_PATTERN = /^(sha256|hmac-sha256):([a-f0-9]{64})$/;
+var MAX_FINGERPRINT_REF_LENGTH = 76;
+var BASE64URL_PATTERN = /^[A-Za-z0-9_-]+$/;
+function stringToFingerprintRef(s) {
+  if (s.length > MAX_FINGERPRINT_REF_LENGTH) {
+    return null;
+  }
+  const match = STRING_FORM_PATTERN.exec(s);
+  if (!match) {
+    return null;
+  }
+  const alg = match[1];
+  const hex = match[2];
+  return {
+    alg,
+    value: hexToBase64url(hex)
+  };
+}
+function fingerprintRefToString(obj) {
+  if (!VALID_ALGS.includes(obj.alg)) {
+    return null;
+  }
+  if (!BASE64URL_PATTERN.test(obj.value)) {
+    return null;
+  }
+  try {
+    const hex = base64urlToHex(obj.value);
+    if (hex.length !== 64) {
+      return null;
+    }
+    return `${obj.alg}:${hex}`;
+  } catch {
+    return null;
+  }
+}
 var DISPUTE_LIMITS = {
   /** Maximum grounds per dispute */
   maxGrounds: 10,
@@ -1872,7 +2172,8 @@ var WELL_KNOWN_KINDS = [
   "http.request",
   "fs.read",
   "fs.write",
-  "message"
+  "message",
+  "inference.chat_completion"
 ];
 var RESERVED_KIND_PREFIXES = ["peac.", "org.peacprotocol."];
 var INTERACTION_LIMITS = {
@@ -2672,9 +2973,25 @@ var CompactJwsSchema = zod.z.string().regex(
   "receipt_jws must be a valid compact JWS (header.payload.signature)"
 );
 var CarrierFormatSchema = zod.z.enum(["embed", "reference"]);
+var ReceiptUrlSchema = zod.z.string().url().max(2048).refine((url) => url.startsWith("https://"), {
+  message: "receipt_url must use HTTPS scheme"
+}).refine(
+  (url) => {
+    try {
+      const parsed = new URL(url);
+      return !parsed.username && !parsed.password;
+    } catch {
+      return false;
+    }
+  },
+  {
+    message: "receipt_url must not contain credentials"
+  }
+);
 var PeacEvidenceCarrierSchema = zod.z.object({
   receipt_ref: ReceiptRefSchema2,
   receipt_jws: CompactJwsSchema.optional(),
+  receipt_url: ReceiptUrlSchema.optional(),
   policy_binding: zod.z.string().max(KERNEL_CONSTRAINTS.MAX_STRING_LENGTH).optional(),
   actor_binding: zod.z.string().max(KERNEL_CONSTRAINTS.MAX_STRING_LENGTH).optional(),
   request_nonce: zod.z.string().max(KERNEL_CONSTRAINTS.MAX_STRING_LENGTH).optional(),
@@ -2719,6 +3036,14 @@ function validateCarrierConstraints(carrier, meta) {
       `carrier size ${sizeBytes} bytes exceeds transport limit ${meta.max_size} bytes for ${meta.transport}`
     );
   }
+  if (carrier.receipt_url !== void 0) {
+    const urlResult = ReceiptUrlSchema.safeParse(carrier.receipt_url);
+    if (!urlResult.success) {
+      for (const issue of urlResult.error.issues) {
+        violations.push(`invalid receipt_url: ${issue.message}`);
+      }
+    }
+  }
   const stringFields = [
     ["policy_binding", carrier.policy_binding],
     ["actor_binding", carrier.actor_binding],
@@ -2802,7 +3127,33 @@ function parseReceiptClaims(input, _opts) {
     claims: result.data
   };
 }
+var REVOCATION_REASONS = [
+  "key_compromise",
+  "superseded",
+  "cessation_of_operation",
+  "privilege_withdrawn"
+];
+var RevokedKeyEntrySchema = zod.z.object({
+  /** Key ID that was revoked */
+  kid: zod.z.string().min(1).max(256),
+  /** ISO 8601 timestamp of revocation */
+  revoked_at: zod.z.string().datetime(),
+  /** Revocation reason (optional, RFC 5280 CRLReason subset) */
+  reason: zod.z.enum(REVOCATION_REASONS).optional()
+}).strict();
+var RevokedKeysArraySchema = zod.z.array(RevokedKeyEntrySchema).max(100);
+function validateRevokedKeys(data) {
+  const result = RevokedKeysArraySchema.safeParse(data);
+  if (result.success) {
+    return { ok: true, value: result.data };
+  }
+  return { ok: false, error: result.error.issues.map((i) => i.message).join("; ") };
+}
+function findRevokedKey(revokedKeys, kid) {
+  return revokedKeys.find((entry) => entry.kid === kid) ?? null;
+}
+exports.ACTOR_BINDING_EXTENSION_KEY = ACTOR_BINDING_EXTENSION_KEY;
 exports.AGENT_IDENTITY_TYPE = AGENT_IDENTITY_TYPE;
 exports.AIPREFSnapshotSchema = AIPREFSnapshot;
 exports.ATTESTATION_LIMITS = ATTESTATION_LIMITS;
@@ -2810,6 +3161,7 @@ exports.ATTESTATION_RECEIPT_TYPE = ATTESTATION_RECEIPT_TYPE;
 exports.ATTRIBUTION_LIMITS = ATTRIBUTION_LIMITS;
 exports.ATTRIBUTION_TYPE = ATTRIBUTION_TYPE;
 exports.ATTRIBUTION_USAGES = ATTRIBUTION_USAGES;
+exports.ActorBindingSchema = ActorBindingSchema;
 exports.AgentIdentityAttestationSchema = AgentIdentityAttestationSchema;
 exports.AgentIdentityEvidenceSchema = AgentIdentityEvidenceSchema;
 exports.AgentIdentityVerifiedSchema = AgentIdentityVerifiedSchema;
@@ -2825,23 +3177,36 @@ exports.BindingDetailsSchema = BindingDetailsSchema;
 exports.CANONICAL_DIGEST_ALGS = CANONICAL_DIGEST_ALGS;
 exports.CANONICAL_PURPOSES = CANONICAL_PURPOSES;
 exports.CARRIER_TRANSPORT_LIMITS = CARRIER_TRANSPORT_LIMITS;
+exports.COMMITMENT_CLASSES = COMMITMENT_CLASSES;
 exports.CONTRIBUTION_TYPES = CONTRIBUTION_TYPES;
+exports.CONTROL_ACTIONS = CONTROL_ACTIONS;
+exports.CONTROL_ACTION_EXTENSION_KEY = CONTROL_ACTION_EXTENSION_KEY;
+exports.CONTROL_TRIGGERS = CONTROL_TRIGGERS;
 exports.CONTROL_TYPES = CONTROL_TYPES;
+exports.CREDENTIAL_EVENTS = CREDENTIAL_EVENTS;
+exports.CREDENTIAL_EVENT_EXTENSION_KEY = CREDENTIAL_EVENT_EXTENSION_KEY;
 exports.CREDIT_METHODS = CREDIT_METHODS;
 exports.CanonicalPurposeSchema = CanonicalPurposeSchema;
 exports.CarrierFormatSchema = CarrierFormatSchema;
 exports.CarrierMetaSchema = CarrierMetaSchema;
+exports.CommitmentClassSchema = CommitmentClassSchema;
 exports.CompactJwsSchema = CompactJwsSchema;
 exports.ContactMethodSchema = ContactMethodSchema;
 exports.ContentHashSchema = ContentHashSchema;
 exports.ContributionObligationSchema = ContributionObligationSchema;
 exports.ContributionTypeSchema = ContributionTypeSchema;
+exports.ControlActionSchema = ControlActionSchema;
+exports.ControlActionTypeSchema = ControlActionTypeSchema;
 exports.ControlBlockSchema = ControlBlockSchema;
 exports.ControlDecisionSchema = ControlDecisionSchema;
 exports.ControlLicensingModeSchema = ControlLicensingModeSchema;
 exports.ControlPurposeSchema = ControlPurposeSchema;
 exports.ControlStepSchema = ControlStepSchema;
+exports.ControlTriggerSchema = ControlTriggerSchema;
 exports.ControlTypeSchema = ControlTypeSchema;
+exports.CredentialEventSchema = CredentialEventSchema;
+exports.CredentialEventTypeSchema = CredentialEventTypeSchema;
+exports.CredentialRefSchema = CredentialRefSchema;
 exports.CreditMethodSchema = CreditMethodSchema;
 exports.CreditObligationSchema = CreditObligationSchema;
 exports.DERIVATION_TYPES = DERIVATION_TYPES;
@@ -2895,6 +3260,9 @@ exports.KindSchema = KindSchema;
 exports.MAX_PURPOSE_TOKENS_PER_REQUEST = MAX_PURPOSE_TOKENS_PER_REQUEST;
 exports.MAX_PURPOSE_TOKEN_LENGTH = MAX_PURPOSE_TOKEN_LENGTH;
 exports.MIDDLEWARE_INTERACTION_KEY = MIDDLEWARE_INTERACTION_KEY;
+exports.MVISFieldsSchema = MVISFieldsSchema;
+exports.MVISReplayProtectionSchema = MVISReplayProtectionSchema;
+exports.MVISTimeBoundsSchema = MVISTimeBoundsSchema;
 exports.MinimalInteractionBindingSchema = MinimalInteractionBindingSchema;
 exports.NormalizedPayment = NormalizedPayment;
 exports.OBLIGATIONS_EXTENSION_KEY = OBLIGATIONS_EXTENSION_KEY;
@@ -2918,6 +3286,7 @@ exports.PEAC_RECEIPT_SCHEMA_URL = PEAC_RECEIPT_SCHEMA_URL;
 exports.PEAC_WIRE_TYP = PEAC_WIRE_TYP;
 exports.POLICY_DECISIONS = POLICY_DECISIONS;
 exports.PROOF_METHODS = PROOF_METHODS;
+exports.PROOF_TYPES = PROOF_TYPES;
 exports.PURPOSE_REASONS = PURPOSE_REASONS;
 exports.PURPOSE_TOKEN_REGEX = PURPOSE_TOKEN_REGEX;
 exports.PayloadRefSchema = PayloadRefSchema;
@@ -2927,20 +3296,25 @@ exports.PaymentSplitSchema = PaymentSplitSchema;
 exports.PeacEvidenceCarrierSchema = PeacEvidenceCarrierSchema;
 exports.PolicyContextSchema = PolicyContextSchema;
 exports.ProofMethodSchema = ProofMethodSchema;
+exports.ProofTypeSchema = ProofTypeSchema;
 exports.PurposeReasonSchema = PurposeReasonSchema;
 exports.PurposeTokenSchema = PurposeTokenSchema;
 exports.REDACTION_MODES = REDACTION_MODES;
 exports.REMEDIATION_TYPES = REMEDIATION_TYPES;
 exports.RESERVED_KIND_PREFIXES = RESERVED_KIND_PREFIXES;
 exports.RESULT_STATUSES = RESULT_STATUSES;
+exports.REVOCATION_REASONS = REVOCATION_REASONS;
 exports.ReceiptClaims = ReceiptClaims;
 exports.ReceiptClaimsSchema = ReceiptClaimsSchema;
 exports.ReceiptRefSchema = ReceiptRefSchema2;
+exports.ReceiptUrlSchema = ReceiptUrlSchema;
 exports.RefsSchema = RefsSchema;
 exports.RemediationSchema = RemediationSchema;
 exports.RemediationTypeSchema = RemediationTypeSchema;
 exports.ResourceTargetSchema = ResourceTargetSchema;
 exports.ResultSchema = ResultSchema;
+exports.RevokedKeyEntrySchema = RevokedKeyEntrySchema;
+exports.RevokedKeysArraySchema = RevokedKeysArraySchema;
 exports.STEP_ID_PATTERN = STEP_ID_PATTERN;
 exports.StepIdSchema = StepIdSchema;
 exports.SubjectProfileSchema = SubjectProfileSchema;
@@ -2948,7 +3322,11 @@ exports.SubjectProfileSnapshotSchema = SubjectProfileSnapshotSchema;
 exports.SubjectSchema = Subject;
 exports.SubjectTypeSchema = SubjectTypeSchema;
 exports.TERMINAL_STATES = TERMINAL_STATES;
+exports.TOOL_REGISTRY_EXTENSION_KEY = TOOL_REGISTRY_EXTENSION_KEY;
+exports.TREATY_EXTENSION_KEY = TREATY_EXTENSION_KEY;
+exports.ToolRegistrySchema = ToolRegistrySchema;
 exports.ToolTargetSchema = ToolTargetSchema;
+exports.TreatySchema = TreatySchema;
 exports.VerifyRequestSchema = VerifyRequest;
 exports.WELL_KNOWN_KINDS = WELL_KNOWN_KINDS;
 exports.WORKFLOW_EXTENSION_KEY = WORKFLOW_EXTENSION_KEY;
@@ -2988,6 +3366,8 @@ exports.deriveKnownPurposes = deriveKnownPurposes;
 exports.detectCycleInSources = detectCycleInSources;
 exports.determinePurposeReason = determinePurposeReason;
 exports.extractObligationsExtension = extractObligationsExtension;
+exports.findRevokedKey = findRevokedKey;
+exports.fingerprintRefToString = fingerprintRefToString;
 exports.getInteraction = getInteraction;
 exports.getValidTransitions = getValidTransitions;
 exports.hasInteraction = hasInteraction;
@@ -3010,6 +3390,7 @@ exports.isDisputeExpired = isDisputeExpired;
 exports.isDisputeNotYetValid = isDisputeNotYetValid;
 exports.isLegacyPurpose = isLegacyPurpose;
 exports.isMinimalInteractionBinding = isMinimalInteractionBinding;
+exports.isOriginOnly = isOriginOnly;
 exports.isPaymentReceipt = isPaymentReceipt;
 exports.isReservedKindPrefix = isReservedKindPrefix;
 exports.isTerminalState = isTerminalState;
@@ -3028,8 +3409,10 @@ exports.normalizeToCanonicalOrPreserve = normalizeToCanonicalOrPreserve;
 exports.parsePurposeHeader = parsePurposeHeader;
 exports.parseReceiptClaims = parseReceiptClaims;
 exports.setInteraction = setInteraction;
+exports.stringToFingerprintRef = stringToFingerprintRef;
 exports.toCoreClaims = toCoreClaims;
 exports.transitionDisputeState = transitionDisputeState;
+exports.validateActorBinding = validateActorBinding;
 exports.validateAgentIdentityAttestation = validateAgentIdentityAttestation;
 exports.validateAttestationReceiptClaims = validateAttestationReceiptClaims;
 exports.validateAttributionAttestation = validateAttributionAttestation;
@@ -3037,6 +3420,8 @@ exports.validateAttributionSource = validateAttributionSource;
 exports.validateCarrierConstraints = validateCarrierConstraints;
 exports.validateContentHash = validateContentHash;
 exports.validateContributionObligation = validateContributionObligation;
+exports.validateControlAction = validateControlAction;
+exports.validateCredentialEvent = validateCredentialEvent;
 exports.validateCreditObligation = validateCreditObligation;
 exports.validateDisputeAttestation = validateDisputeAttestation;
 exports.validateDisputeContact = validateDisputeContact;
@@ -3047,10 +3432,14 @@ exports.validateInteraction = validateInteraction;
 exports.validateInteractionEvidence = validateInteractionEvidence;
 exports.validateInteractionOrdered = validateInteractionOrdered;
 exports.validateKernelConstraints = validateKernelConstraints;
+exports.validateMVIS = validateMVIS;
 exports.validateMinimalInteractionBinding = validateMinimalInteractionBinding;
 exports.validateObligationsExtension = validateObligationsExtension;
 exports.validatePurposeTokens = validatePurposeTokens;
+exports.validateRevokedKeys = validateRevokedKeys;
 exports.validateSubjectSnapshot = validateSubjectSnapshot;
+exports.validateToolRegistry = validateToolRegistry;
+exports.validateTreaty = validateTreaty;
 exports.validateWorkflowContext = validateWorkflowContext;
 exports.validateWorkflowContextOrdered = validateWorkflowContextOrdered;
 exports.validateWorkflowSummaryAttestation = validateWorkflowSummaryAttestation;