@peac/schema 0.11.2 → 0.12.0-preview.1

package/dist/validators.d.ts

@@ -27,6 +27,22 @@ export declare const Extensions: z.ZodObject<{
         hash: z.ZodString;
     }, z.core.$strict>>;
 }, z.core.$catchall<z.ZodUnknown>>;
+/**
+ * Wire 0.1 JWS header Zod schema (canonical name, v0.12.0-preview.1+).
+ *
+ * Note: `@peac/crypto` exports a TypeScript discriminated-union type also
+ * named `JWSHeader` that covers Wire 0.1, Wire 0.2, and UnTyped variants.
+ * This schema validates the runtime shape of Wire 0.1 headers only.
+ */
+export declare const Wire01JWSHeaderSchema: z.ZodObject<{
+    typ: z.ZodLiteral<"peac-receipt/0.1">;
+    alg: z.ZodLiteral<"EdDSA">;
+    kid: z.ZodString;
+}, z.core.$strict>;
+/**
+ * @deprecated Use `Wire01JWSHeaderSchema`. Kept for backward compatibility;
+ * will be removed at v1.0.
+ */
 export declare const JWSHeader: z.ZodObject<{
     typ: z.ZodLiteral<"peac-receipt/0.1">;
     alg: z.ZodLiteral<"EdDSA">;

package/dist/validators.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"validators.d.ts","sourceRoot":"","sources":["../src/validators.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAIL,KAAK,kBAAkB,EACxB,MAAM,QAAQ,CAAC;AAChB,OAAO,EAA8B,KAAK,SAAS,EAAE,MAAM,UAAU,CAAC;AAYtE,eAAO,MAAM,iBAAiB;;;;;;;;;kBAWnB,CAAC;AAEZ,eAAO,MAAM,OAAO;;kBAAuC,CAAC;AAE5D,eAAO,MAAM,cAAc;;;kBAKhB,CAAC;AAIZ,eAAO,MAAM,UAAU;;;;;kCAKC,CAAC;AAEzB,eAAO,MAAM,SAAS;;;;kBAMX,CAAC;AAcZ,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAoBrB,CAAC;AAEZ;;;;;GAKG;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEpE;;GAEG;AACH,eAAO,MAAM,aAAa;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAAsB,CAAC;AAEjD,eAAO,MAAM,aAAa;;kBAIf,CAAC;AAMZ;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB;;;;;;;;;EAS/B,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,0BAA0B;;;;EAIrC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;EAAsC,CAAC;AAEzE;;GAEG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAW5B,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA4B5B,CAAC;AAMJ;;;;;;;;;GASG;AACH,eAAO,MAAM,kBAAkB,aAO3B,CAAC;AAEL;;;;;GAKG;AACH,eAAO,MAAM,sBAAsB;;;;;;EAMjC,CAAC;AAEH;;;;GAIG;AACH,eAAO,MAAM,mBAAmB;;;;;;;EAO9B,CAAC;AAMH;;;;;;;;GAQG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;kBAa3B,CAAC;AAEL;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,oBAAoB;;;;EAAyC,CAAC;AAE3E;;;;GAIG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAevB,CAAC;AAMZ;;GAEG;AACH,eAAO,MAAM,iBAAiB;;;;EAAoC,CAAC;AAEnE;;;;;;;GAOG;AACH,eAAO,MAAM,oBAAoB;;;;;;;;;kBAOtB,CAAC;AAEZ;;;;;;;GAOG;AACH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;kBAO9B,CAAC;AAMZ;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB,qJAG5B,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,iBAAiB;;;;;;;kBASnB,CAAC;AAwBZ;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,OAAO,GAChB,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,GAAG,IAAI,CAmBrD;AAMD;;GAEG;AACH,MAAM,MAAM,wBAAwB,GAChC;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,OAAO,CAAA;CAAE,GAC5B;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,SAAS,CAAA;CAAE,CAAC;AAEpC;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,OAAO,EACjB,MAAM,CAAC,EAAE,kBAAkB,GAC1B,wBAAwB,CAW1B"}
+{"version":3,"file":"validators.d.ts","sourceRoot":"","sources":["../src/validators.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,OAAO,EAIL,KAAK,kBAAkB,EACxB,MAAM,QAAQ,CAAC;AAChB,OAAO,EAA8B,KAAK,SAAS,EAAE,MAAM,UAAU,CAAC;AAYtE,eAAO,MAAM,iBAAiB;;;;;;;;;kBAWnB,CAAC;AAEZ,eAAO,MAAM,OAAO;;kBAAuC,CAAC;AAE5D,eAAO,MAAM,cAAc;;;kBAKhB,CAAC;AAIZ,eAAO,MAAM,UAAU;;;;;kCAKC,CAAC;AAEzB;;;;;;GAMG;AACH,eAAO,MAAM,qBAAqB;;;;kBAMvB,CAAC;AAEZ;;;GAGG;AACH,eAAO,MAAM,SAAS;;;;kBAAwB,CAAC;AAc/C,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAoBrB,CAAC;AAEZ;;;;;GAKG;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEpE;;GAEG;AACH,eAAO,MAAM,aAAa;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAAsB,CAAC;AAEjD,eAAO,MAAM,aAAa;;kBAIf,CAAC;AAMZ;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB;;;;;;;;;EAS/B,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,0BAA0B;;;;EAIrC,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;EAAsC,CAAC;AAEzE;;GAEG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAW5B,CAAC;AAEH;;GAEG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBA4B5B,CAAC;AAMJ;;;;;;;;;GASG;AACH,eAAO,MAAM,kBAAkB,aAO3B,CAAC;AAEL;;;;;GAKG;AACH,eAAO,MAAM,sBAAsB;;;;;;EAMjC,CAAC;AAEH;;;;GAIG;AACH,eAAO,MAAM,mBAAmB;;;;;;;EAO9B,CAAC;AAMH;;;;;;;;GAQG;AACH,eAAO,MAAM,kBAAkB;;;;;;;;kBAa3B,CAAC;AAEL;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,oBAAoB;;;;EAAyC,CAAC;AAE3E;;;;GAIG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAevB,CAAC;AAMZ;;GAEG;AACH,eAAO,MAAM,iBAAiB;;;;EAAoC,CAAC;AAEnE;;;;;;;GAOG;AACH,eAAO,MAAM,oBAAoB;;;;;;;;;kBAOtB,CAAC;AAEZ;;;;;;;GAOG;AACH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;kBAO9B,CAAC;AAMZ;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB,qJAG5B,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,iBAAiB;;;;;;;kBASnB,CAAC;AAwBZ;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,OAAO,GAChB,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,GAAG,IAAI,CAmBrD;AAMD;;GAEG;AACH,MAAM,MAAM,wBAAwB,GAChC;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,OAAO,CAAA;CAAE,GAC5B;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,SAAS,CAAA;CAAE,CAAC;AAEpC;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,gBAAgB,CAC9B,QAAQ,EAAE,OAAO,EACjB,MAAM,CAAC,EAAE,kBAAkB,GAC1B,wBAAwB,CAW1B"}

package/dist/wire-02-envelope.d.ts

@@ -0,0 +1,152 @@
+/**
+ * Wire 0.2 Zod schemas and types (v0.12.0-preview.1, DD-156)
+ *
+ * This file contains:
+ *   - Wire02ClaimsSchema: the canonical Zod schema for Wire 0.2 envelopes
+ *   - Wire02Claims: inferred TypeScript type (z.infer<typeof Wire02ClaimsSchema>)
+ *   - Supporting schemas: EvidencePillarSchema, PillarsSchema, Wire02KindSchema,
+ *     ReceiptTypeSchema, CanonicalIssSchema, PolicyBlockSchema
+ *   - isCanonicalIss(): exported canonical-iss validator
+ *   - isValidReceiptType(): exported type-grammar validator
+ *   - checkOccurredAtSkew(): cross-field skew check helper
+ *
+ * Wire02Claims does NOT live in @peac/kernel (layer violation);
+ * it lives here because it references schema-layer types (Correction 4, DD-156).
+ */
+import { z } from 'zod';
+import type { VerificationWarning } from '@peac/kernel';
+/**
+ * Validate that an issuer (iss) claim is in canonical form.
+ *
+ * Accepted schemes:
+ *   - `https://`: ASCII origin (lowercase scheme+host, no explicit default port
+ *     (:443 rejected), origin-only, no path/query/fragment/userinfo).
+ *     Raw Unicode hosts are rejected; punycode (xn--...) is accepted.
+ *   - `did:`: DID Core identifier (`did:<method>:<id>`) where method is
+ *     `[a-z0-9]+` and the method-specific-id contains no `#`, `?`, or `/`.
+ *
+ * All other schemes produce E_ISS_NOT_CANONICAL.
+ *
+ * @param iss - Issuer claim value to validate
+ * @returns true if canonical form; false otherwise
+ */
+export declare function isCanonicalIss(iss: string): boolean;
+/**
+ * Validate that a type claim conforms to the Wire 0.2 type grammar.
+ *
+ * Accepted forms:
+ *   - Reverse-DNS notation: `<domain>/<segment>` where `<domain>` has at
+ *     least one dot (e.g., `org.peacprotocol/commerce`, `com.example/flow`)
+ *   - Absolute URI: starts with `scheme://` (e.g., `https://example.com/type`)
+ *
+ * @param value - Type claim value to validate
+ * @returns true if valid type grammar; false otherwise
+ */
+export declare function isValidReceiptType(value: string): boolean;
+export declare const EvidencePillarSchema: z.ZodEnum<{
+    attribution: "attribution";
+    identity: "identity";
+    purpose: "purpose";
+    access: "access";
+    commerce: "commerce";
+    compliance: "compliance";
+    consent: "consent";
+    privacy: "privacy";
+    provenance: "provenance";
+    safety: "safety";
+}>;
+export declare const PillarsSchema: z.ZodArray<z.ZodEnum<{
+    attribution: "attribution";
+    identity: "identity";
+    purpose: "purpose";
+    access: "access";
+    commerce: "commerce";
+    compliance: "compliance";
+    consent: "consent";
+    privacy: "privacy";
+    provenance: "provenance";
+    safety: "safety";
+}>>;
+export declare const Wire02KindSchema: z.ZodEnum<{
+    evidence: "evidence";
+    challenge: "challenge";
+}>;
+export declare const ReceiptTypeSchema: z.ZodString;
+export declare const CanonicalIssSchema: z.ZodString;
+export declare const PolicyBlockSchema: z.ZodObject<{
+    digest: z.ZodString;
+    uri: z.ZodOptional<z.ZodString>;
+    version: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+export declare const Wire02ClaimsSchema: z.ZodObject<{
+    peac_version: z.ZodLiteral<"0.2">;
+    kind: z.ZodEnum<{
+        evidence: "evidence";
+        challenge: "challenge";
+    }>;
+    type: z.ZodString;
+    iss: z.ZodString;
+    iat: z.ZodNumber;
+    jti: z.ZodString;
+    sub: z.ZodOptional<z.ZodString>;
+    pillars: z.ZodOptional<z.ZodArray<z.ZodEnum<{
+        attribution: "attribution";
+        identity: "identity";
+        purpose: "purpose";
+        access: "access";
+        commerce: "commerce";
+        compliance: "compliance";
+        consent: "consent";
+        privacy: "privacy";
+        provenance: "provenance";
+        safety: "safety";
+    }>>>;
+    actor: z.ZodOptional<z.ZodObject<{
+        id: z.ZodString;
+        proof_type: z.ZodEnum<{
+            "ed25519-cert-chain": "ed25519-cert-chain";
+            "eat-passport": "eat-passport";
+            "eat-background-check": "eat-background-check";
+            "sigstore-oidc": "sigstore-oidc";
+            did: "did";
+            spiffe: "spiffe";
+            "x509-pki": "x509-pki";
+            custom: "custom";
+        }>;
+        proof_ref: z.ZodOptional<z.ZodString>;
+        origin: z.ZodString;
+        intent_hash: z.ZodOptional<z.ZodString>;
+    }, z.core.$strict>>;
+    policy: z.ZodOptional<z.ZodObject<{
+        digest: z.ZodString;
+        uri: z.ZodOptional<z.ZodString>;
+        version: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+    representation: z.ZodOptional<z.ZodObject<{
+        content_hash: z.ZodOptional<z.ZodString>;
+        content_type: z.ZodOptional<z.ZodString>;
+        content_length: z.ZodOptional<z.ZodNumber>;
+    }, z.core.$strict>>;
+    occurred_at: z.ZodOptional<z.ZodString>;
+    purpose_declared: z.ZodOptional<z.ZodString>;
+    extensions: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.core.$strict>;
+/** Inferred type for Wire 0.2 receipt claims */
+export type Wire02Claims = z.infer<typeof Wire02ClaimsSchema>;
+/**
+ * Check the occurred_at field for temporal consistency.
+ *
+ * Rules (evidence kind only; caller must not call for challenge kind):
+ *   - If occurred_at > now + tolerance: hard error (E_OCCURRED_AT_FUTURE)
+ *   - If occurred_at > iat (within tolerance): warning (occurred_at_skew)
+ *   - If occurred_at <= iat: valid, no warning
+ *   - If occurred_at is undefined: no check performed
+ *
+ * @param occurredAt - Value of the occurred_at claim, or undefined
+ * @param iat - iat claim value (Unix seconds)
+ * @param now - Current time (Unix seconds)
+ * @param tolerance - Allowed future skew in seconds (default: OCCURRED_AT_TOLERANCE_SECONDS)
+ * @returns 'future_error' for hard error, VerificationWarning for skew warning, null for valid
+ */
+export declare function checkOccurredAtSkew(occurredAt: string | undefined, iat: number, now: number, tolerance?: number): VerificationWarning | 'future_error' | null;
+//# sourceMappingURL=wire-02-envelope.d.ts.map

package/dist/wire-02-envelope.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wire-02-envelope.d.ts","sourceRoot":"","sources":["../src/wire-02-envelope.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAQxB,OAAO,KAAK,EAAkB,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAwBxE;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAmCnD;AASD;;;;;;;;;;GAUG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CA4BzD;AAoBD,eAAO,MAAM,oBAAoB;;;;;;;;;;;EAEhC,CAAC;AAMF,eAAO,MAAM,aAAa;;;;;;;;;;;GAUtB,CAAC;AAML,eAAO,MAAM,gBAAgB;;;EAAoC,CAAC;AAMlE,eAAO,MAAM,iBAAiB,aAE5B,CAAC;AAMH,eAAO,MAAM,kBAAkB,aAE7B,CAAC;AAMH,eAAO,MAAM,iBAAiB;;;;iBAgB5B,CAAC;AAQH,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBA0CpB,CAAC;AAEZ,gDAAgD;AAChD,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAM9D;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,mBAAmB,CACjC,UAAU,EAAE,MAAM,GAAG,SAAS,EAC9B,GAAG,EAAE,MAAM,EACX,GAAG,EAAE,MAAM,EACX,SAAS,GAAE,MAAsC,GAChD,mBAAmB,GAAG,cAAc,GAAG,IAAI,CAiB7C"}

package/dist/wire-02-extensions.d.ts

@@ -0,0 +1,216 @@
+/**
+ * Wire 0.2 Typed Extension Group Schemas and Accessors (DD-153 revised)
+ *
+ * This file contains:
+ *   - EXTENSION_LIMITS: centralized bounds for extension field lengths
+ *   - isValidExtensionKey(): grammar validator for reverse-DNS extension keys
+ *   - 5 extension group Zod schemas (.strict()):
+ *       CommerceExtensionSchema, AccessExtensionSchema, ChallengeExtensionSchema,
+ *       IdentityExtensionSchema, CorrelationExtensionSchema
+ *   - 5 extension key constants (org.peacprotocol/*)
+ *   - 5 typed accessor helpers (getCommerceExtension, etc.)
+ *   - validateKnownExtensions(): superRefine helper for Wire02ClaimsSchema
+ *
+ * Schema validates known extension groups against their Zod schemas and rejects
+ * malformed extension key grammar with hard Zod issues. Schema does NOT emit
+ * warnings; the unknown_extension_preserved warning belongs in
+ * @peac/protocol.verifyLocal() (Layer 3).
+ *
+ * All 5 group schemas use .strict() (reject unknown keys). The RFC 9457
+ * problem nested object uses .passthrough() per RFC 9457 Section 6.2.
+ *
+ * Layer 1 (@peac/schema): pure Zod validation, zero I/O (DD-141).
+ */
+import { z } from 'zod';
+/**
+ * Normative bounds for Wire 0.2 extension group fields.
+ *
+ * Centralised to prevent magic numbers and allow external reference.
+ * Follows repo _LIMITS convention.
+ */
+export declare const EXTENSION_LIMITS: {
+    readonly maxExtensionKeyLength: 512;
+    readonly maxDnsLabelLength: 63;
+    readonly maxDnsDomainLength: 253;
+    readonly maxPaymentRailLength: 128;
+    readonly maxCurrencyLength: 16;
+    readonly maxAmountMinorLength: 64;
+    readonly maxReferenceLength: 256;
+    readonly maxAssetLength: 256;
+    readonly maxResourceLength: 2048;
+    readonly maxActionLength: 256;
+    readonly maxProblemTypeLength: 2048;
+    readonly maxProblemTitleLength: 256;
+    readonly maxProblemDetailLength: 4096;
+    readonly maxProblemInstanceLength: 2048;
+    readonly maxProofRefLength: 256;
+    readonly maxTraceIdLength: 32;
+    readonly maxSpanIdLength: 16;
+    readonly maxWorkflowIdLength: 256;
+    readonly maxParentJtiLength: 256;
+    readonly maxDependsOnLength: 64;
+};
+/**
+ * Validate that an extension key conforms to the Wire 0.2 extension key
+ * grammar: `<domain>/<segment>`.
+ *
+ * Domain rules:
+ *   - At least one dot (distinguishes from single-label paths)
+ *   - Each label matches [a-z0-9]([a-z0-9-]*[a-z0-9])? (lowercase only)
+ *   - No uppercase letters anywhere in the domain
+ *
+ * Segment rules:
+ *   - Matches [a-z0-9][a-z0-9_-]* (lowercase only)
+ *   - Underscores are permitted (for extension names like credential_event)
+ *
+ * @param key - Extension key to validate
+ * @returns true if valid extension key grammar; false otherwise
+ */
+export declare function isValidExtensionKey(key: string): boolean;
+export declare const COMMERCE_EXTENSION_KEY: "org.peacprotocol/commerce";
+export declare const ACCESS_EXTENSION_KEY: "org.peacprotocol/access";
+export declare const CHALLENGE_EXTENSION_KEY: "org.peacprotocol/challenge";
+export declare const IDENTITY_EXTENSION_KEY: "org.peacprotocol/identity";
+export declare const CORRELATION_EXTENSION_KEY: "org.peacprotocol/correlation";
+export declare const CommerceExtensionSchema: z.ZodObject<{
+    payment_rail: z.ZodString;
+    amount_minor: z.ZodString;
+    currency: z.ZodString;
+    reference: z.ZodOptional<z.ZodString>;
+    asset: z.ZodOptional<z.ZodString>;
+    env: z.ZodOptional<z.ZodEnum<{
+        live: "live";
+        test: "test";
+    }>>;
+}, z.core.$strict>;
+export type CommerceExtension = z.infer<typeof CommerceExtensionSchema>;
+export declare const AccessExtensionSchema: z.ZodObject<{
+    resource: z.ZodString;
+    action: z.ZodString;
+    decision: z.ZodEnum<{
+        allow: "allow";
+        deny: "deny";
+        review: "review";
+    }>;
+}, z.core.$strict>;
+export type AccessExtension = z.infer<typeof AccessExtensionSchema>;
+/**
+ * Challenge type values (7 total, P0-6).
+ * Includes purpose_disallowed (reviewer fix: 7 not 6).
+ */
+export declare const CHALLENGE_TYPES: readonly ["payment_required", "identity_required", "consent_required", "attestation_required", "rate_limited", "purpose_disallowed", "custom"];
+export declare const ChallengeTypeSchema: z.ZodEnum<{
+    custom: "custom";
+    payment_required: "payment_required";
+    identity_required: "identity_required";
+    consent_required: "consent_required";
+    attestation_required: "attestation_required";
+    rate_limited: "rate_limited";
+    purpose_disallowed: "purpose_disallowed";
+}>;
+export type ChallengeType = z.infer<typeof ChallengeTypeSchema>;
+/**
+ * RFC 9457 Problem Details schema (P0-5).
+ *
+ * Uses .passthrough() for extension members per RFC 9457 Section 6.2.
+ * Required fields: status (HTTP status code), type (problem type URI).
+ * Optional fields: title, detail, instance.
+ */
+export declare const ProblemDetailsSchema: z.ZodObject<{
+    status: z.ZodNumber;
+    type: z.ZodString;
+    title: z.ZodOptional<z.ZodString>;
+    detail: z.ZodOptional<z.ZodString>;
+    instance: z.ZodOptional<z.ZodString>;
+}, z.core.$loose>;
+export declare const ChallengeExtensionSchema: z.ZodObject<{
+    challenge_type: z.ZodEnum<{
+        custom: "custom";
+        payment_required: "payment_required";
+        identity_required: "identity_required";
+        consent_required: "consent_required";
+        attestation_required: "attestation_required";
+        rate_limited: "rate_limited";
+        purpose_disallowed: "purpose_disallowed";
+    }>;
+    problem: z.ZodObject<{
+        status: z.ZodNumber;
+        type: z.ZodString;
+        title: z.ZodOptional<z.ZodString>;
+        detail: z.ZodOptional<z.ZodString>;
+        instance: z.ZodOptional<z.ZodString>;
+    }, z.core.$loose>;
+    resource: z.ZodOptional<z.ZodString>;
+    action: z.ZodOptional<z.ZodString>;
+    requirements: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, z.core.$strict>;
+export type ChallengeExtension = z.infer<typeof ChallengeExtensionSchema>;
+export declare const IdentityExtensionSchema: z.ZodObject<{
+    proof_ref: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+export type IdentityExtension = z.infer<typeof IdentityExtensionSchema>;
+export declare const CorrelationExtensionSchema: z.ZodObject<{
+    trace_id: z.ZodOptional<z.ZodString>;
+    span_id: z.ZodOptional<z.ZodString>;
+    workflow_id: z.ZodOptional<z.ZodString>;
+    parent_jti: z.ZodOptional<z.ZodString>;
+    depends_on: z.ZodOptional<z.ZodArray<z.ZodString>>;
+}, z.core.$strict>;
+export type CorrelationExtension = z.infer<typeof CorrelationExtensionSchema>;
+/**
+ * Get the commerce extension group from a Wire 0.2 receipt's extensions.
+ *
+ * @param extensions - Wire 0.2 extensions record (or undefined)
+ * @returns Parsed CommerceExtension, or undefined if key absent
+ * @throws PEACError with RFC 6901 pointer if present but invalid
+ */
+export declare function getCommerceExtension(extensions?: Record<string, unknown>): CommerceExtension | undefined;
+/**
+ * Get the access extension group from a Wire 0.2 receipt's extensions.
+ *
+ * @param extensions - Wire 0.2 extensions record (or undefined)
+ * @returns Parsed AccessExtension, or undefined if key absent
+ * @throws PEACError with RFC 6901 pointer if present but invalid
+ */
+export declare function getAccessExtension(extensions?: Record<string, unknown>): AccessExtension | undefined;
+/**
+ * Get the challenge extension group from a Wire 0.2 receipt's extensions.
+ *
+ * @param extensions - Wire 0.2 extensions record (or undefined)
+ * @returns Parsed ChallengeExtension, or undefined if key absent
+ * @throws PEACError with RFC 6901 pointer if present but invalid
+ */
+export declare function getChallengeExtension(extensions?: Record<string, unknown>): ChallengeExtension | undefined;
+/**
+ * Get the identity extension group from a Wire 0.2 receipt's extensions.
+ *
+ * @param extensions - Wire 0.2 extensions record (or undefined)
+ * @returns Parsed IdentityExtension, or undefined if key absent
+ * @throws PEACError with RFC 6901 pointer if present but invalid
+ */
+export declare function getIdentityExtension(extensions?: Record<string, unknown>): IdentityExtension | undefined;
+/**
+ * Get the correlation extension group from a Wire 0.2 receipt's extensions.
+ *
+ * @param extensions - Wire 0.2 extensions record (or undefined)
+ * @returns Parsed CorrelationExtension, or undefined if key absent
+ * @throws PEACError with RFC 6901 pointer if present but invalid
+ */
+export declare function getCorrelationExtension(extensions?: Record<string, unknown>): CorrelationExtension | undefined;
+/**
+ * Validate extensions record in Wire02ClaimsSchema.superRefine().
+ *
+ * For each key in the extensions record:
+ *   1. Check key grammar via isValidExtensionKey(): if malformed,
+ *      add hard Zod issue (ERROR_CODES.E_INVALID_EXTENSION_KEY)
+ *   2. If key matches a known group, validate value against its schema;
+ *      if invalid, add Zod issue with message from first schema error
+ *
+ * Schema does NOT emit unknown_extension_preserved warning for
+ * unrecognized keys (that belongs in @peac/protocol.verifyLocal()).
+ *
+ * @param extensions - The extensions record from Wire 0.2 claims
+ * @param ctx - Zod refinement context
+ */
+export declare function validateKnownExtensions(extensions: Record<string, unknown> | undefined, ctx: z.RefinementCtx): void;
+//# sourceMappingURL=wire-02-extensions.d.ts.map

package/dist/wire-02-extensions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wire-02-extensions.d.ts","sourceRoot":"","sources":["../src/wire-02-extensions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAOxB;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;CA2BnB,CAAC;AAkBX;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CA0BxD;AAMD,eAAO,MAAM,sBAAsB,EAAG,2BAAoC,CAAC;AAC3E,eAAO,MAAM,oBAAoB,EAAG,yBAAkC,CAAC;AACvE,eAAO,MAAM,uBAAuB,EAAG,4BAAqC,CAAC;AAC7E,eAAO,MAAM,sBAAsB,EAAG,2BAAoC,CAAC;AAC3E,eAAO,MAAM,yBAAyB,EAAG,8BAAuC,CAAC;AAkCjF,eAAO,MAAM,uBAAuB;;;;;;;;;;kBA0BzB,CAAC;AAEZ,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAMxE,eAAO,MAAM,qBAAqB;;;;;;;;kBASvB,CAAC;AAEZ,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAMpE;;;GAGG;AACH,eAAO,MAAM,eAAe,gJAQlB,CAAC;AAEX,eAAO,MAAM,mBAAmB;;;;;;;;EAA0B,CAAC;AAC3D,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEhE;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB;;;;;;iBAajB,CAAC;AAEjB,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;;kBAa1B,CAAC;AAEZ,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAM1E,eAAO,MAAM,uBAAuB;;kBAKzB,CAAC;AAEZ,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAYxE,eAAO,MAAM,0BAA0B;;;;;;kBAwB5B,CAAC;AAEZ,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAuD9E;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACnC,iBAAiB,GAAG,SAAS,CAE/B;AAED;;;;;;GAMG;AACH,wBAAgB,kBAAkB,CAChC,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACnC,eAAe,GAAG,SAAS,CAE7B;AAED;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CACnC,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACnC,kBAAkB,GAAG,SAAS,CAEhC;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAClC,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACnC,iBAAiB,GAAG,SAAS,CAE/B;AAED;;;;;;GAMG;AACH,wBAAgB,uBAAuB,CACrC,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GACnC,oBAAoB,GAAG,SAAS,CAElC;AAMD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,uBAAuB,CACrC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,EAC/C,GAAG,EAAE,CAAC,CAAC,aAAa,GACnB,IAAI,CA8BN"}

package/dist/wire-02-registries.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Wire 0.2 recommended receipt type and extension group registries.
+ *
+ * These are pure constants derived from the single source of truth:
+ * specs/kernel/registries.json
+ *
+ * Used by @peac/protocol.verifyLocal() to emit type_unregistered and
+ * unknown_extension_preserved warnings for valid-but-unrecognized values.
+ */
+/**
+ * Recommended receipt type values from the receipt_types registry.
+ * A type NOT in this set triggers a type_unregistered warning (not an error).
+ */
+export declare const REGISTERED_RECEIPT_TYPES: ReadonlySet<string>;
+/**
+ * Core extension group keys that have typed schemas in @peac/schema.
+ * An extension key NOT in this set (but passing grammar validation)
+ * triggers an unknown_extension_preserved warning (not an error).
+ */
+export declare const REGISTERED_EXTENSION_GROUP_KEYS: ReadonlySet<string>;
+//# sourceMappingURL=wire-02-registries.d.ts.map

package/dist/wire-02-registries.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wire-02-registries.d.ts","sourceRoot":"","sources":["../src/wire-02-registries.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAMH;;;GAGG;AACH,eAAO,MAAM,wBAAwB,EAAE,WAAW,CAAC,MAAM,CAWvD,CAAC;AAMH;;;;GAIG;AACH,eAAO,MAAM,+BAA+B,EAAE,WAAW,CAAC,MAAM,CAM9D,CAAC"}

package/dist/wire-02-representation.d.ts

@@ -0,0 +1,49 @@
+/**
+ * Wire 0.2 RepresentationFields schema (DD-152)
+ *
+ * Records metadata about the content representation that was observed or served,
+ * enabling reproducible content drift detection.
+ *
+ * Layer 1 (@peac/schema): pure Zod validation, zero I/O (DD-141).
+ *
+ * content_hash validation uses stringToFingerprintRef() as the parser gate
+ * and additionally requires alg === 'sha256'. The hmac-sha256 algorithm is
+ * not permitted for representation hashes (sha256-only by design).
+ */
+import { z } from 'zod';
+/**
+ * Normative bounds for Wire 0.2 representation fields.
+ *
+ * Centralised to prevent magic numbers and allow external reference.
+ */
+export declare const REPRESENTATION_LIMITS: {
+    /** Max content_hash string length (sha256:<64 hex> = 71 chars, capped at FingerprintRef max) */
+    readonly maxContentHashLength: 76;
+    /** Max content_type string length */
+    readonly maxContentTypeLength: 256;
+};
+/**
+ * Zod schema for Wire 0.2 representation fields (DD-152).
+ *
+ * All fields are optional; an empty object is valid.
+ * Unknown keys are rejected (.strict()).
+ *
+ * Bounds:
+ *   - content_hash: max 76 chars (MAX_FINGERPRINT_REF_LENGTH), sha256-only
+ *   - content_type: max 256 chars, conservative MIME pattern
+ *   - content_length: non-negative integer, <= Number.MAX_SAFE_INTEGER
+ */
+export declare const Wire02RepresentationFieldsSchema: z.ZodObject<{
+    content_hash: z.ZodOptional<z.ZodString>;
+    content_type: z.ZodOptional<z.ZodString>;
+    content_length: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strict>;
+/** Inferred type for Wire 0.2 representation fields */
+export type Wire02RepresentationFields = z.infer<typeof Wire02RepresentationFieldsSchema>;
+/**
+ * Public export alias.
+ * Internal name is Wire02RepresentationFieldsSchema to prevent wire-version
+ * collisions; exported as RepresentationFieldsSchema for ergonomic use.
+ */
+export { Wire02RepresentationFieldsSchema as RepresentationFieldsSchema };
+//# sourceMappingURL=wire-02-representation.d.ts.map

package/dist/wire-02-representation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wire-02-representation.d.ts","sourceRoot":"","sources":["../src/wire-02-representation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AA4CxB;;;;GAIG;AACH,eAAO,MAAM,qBAAqB;IAChC,gGAAgG;;IAEhG,qCAAqC;;CAE7B,CAAC;AAMX;;;;;;;;;;GAUG;AACH,eAAO,MAAM,gCAAgC;;;;kBA+BlC,CAAC;AAEZ,uDAAuD;AACvD,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gCAAgC,CAAC,CAAC;AAE1F;;;;GAIG;AACH,OAAO,EAAE,gCAAgC,IAAI,0BAA0B,EAAE,CAAC"}

package/dist/wire-02-warnings.d.ts

@@ -0,0 +1,29 @@
+/**
+ * Wire 0.2 verification warning codes and collector (v0.12.0-preview.1, DD-155)
+ *
+ * Warning codes are append-only stable string literals. Warnings do NOT affect
+ * the allow/deny decision unless caller policy requires it.
+ *
+ * Warnings MUST be sorted by (pointer ascending, code ascending);
+ * undefined pointer sorts before any string value.
+ *
+ * RFC 6901 JSON Pointer escaping: '/' in keys is escaped as '~1', '~' as '~0'.
+ */
+import type { VerificationWarning } from '@peac/kernel';
+/** type claim does not match any registered type in the receipt_types registry */
+export declare const WARNING_TYPE_UNREGISTERED: "type_unregistered";
+/** Unknown extension key was encountered and preserved (no schema validation) */
+export declare const WARNING_UNKNOWN_EXTENSION: "unknown_extension_preserved";
+/** occurred_at is after iat by more than zero but within the tolerance window */
+export declare const WARNING_OCCURRED_AT_SKEW: "occurred_at_skew";
+/** JWS typ header was absent; interop mode accepted the token without typ */
+export declare const WARNING_TYP_MISSING: "typ_missing";
+/**
+ * Sort warnings by (pointer ascending, code ascending).
+ * Warnings with undefined pointer sort before those with a defined pointer.
+ *
+ * @param warnings - Array of VerificationWarning objects to sort
+ * @returns New array sorted in canonical order
+ */
+export declare function sortWarnings(warnings: VerificationWarning[]): VerificationWarning[];
+//# sourceMappingURL=wire-02-warnings.d.ts.map

package/dist/wire-02-warnings.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wire-02-warnings.d.ts","sourceRoot":"","sources":["../src/wire-02-warnings.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AAMxD,kFAAkF;AAClF,eAAO,MAAM,yBAAyB,EAAG,mBAA4B,CAAC;AAEtE,iFAAiF;AACjF,eAAO,MAAM,yBAAyB,EAAG,6BAAsC,CAAC;AAEhF,iFAAiF;AACjF,eAAO,MAAM,wBAAwB,EAAG,kBAA2B,CAAC;AAEpE,6EAA6E;AAC7E,eAAO,MAAM,mBAAmB,EAAG,aAAsB,CAAC;AAM1D;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,mBAAmB,EAAE,GAAG,mBAAmB,EAAE,CAkBnF"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@peac/schema",
-  "version": "0.11.2",
+  "version": "0.12.0-preview.1",
   "description": "PEAC Protocol JSON schemas, OpenAPI specs, and TypeScript types",
   "main": "dist/index.cjs",
   "types": "dist/index.d.ts",
@@ -63,7 +63,7 @@
   },
   "dependencies": {
     "zod": "^4.3.6",
-    "@peac/kernel": "0.11.2"
+    "@peac/kernel": "0.12.0-preview.1"
   },
   "devDependencies": {
     "@types/node": "^22.19.11",