npm - @peac/schema - Versions diffs - 0.11.2 → 0.12.0-preview.1 - Mend

@peac/schema 0.11.2 → 0.12.0-preview.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (49) hide show

package/README.md +64 -3
package/dist/actor-binding.d.ts +148 -0
package/dist/actor-binding.d.ts.map +1 -0
package/dist/dispute.d.ts +4 -4
package/dist/errors.d.ts +2 -1
package/dist/errors.d.ts.map +1 -1
package/dist/extensions/control-action.d.ts +68 -0
package/dist/extensions/control-action.d.ts.map +1 -0
package/dist/extensions/credential-event.d.ts +53 -0
package/dist/extensions/credential-event.d.ts.map +1 -0
package/dist/extensions/fingerprint-ref.d.ts +50 -0
package/dist/extensions/fingerprint-ref.d.ts.map +1 -0
package/dist/extensions/index.d.ts +16 -0
package/dist/extensions/index.d.ts.map +1 -0
package/dist/extensions/tool-registry.d.ts +32 -0
package/dist/extensions/tool-registry.d.ts.map +1 -0
package/dist/extensions/treaty.d.ts +55 -0
package/dist/extensions/treaty.d.ts.map +1 -0
package/dist/index.cjs +883 -5
package/dist/index.cjs.map +1 -1
package/dist/index.d.ts +24 -3
package/dist/index.d.ts.map +1 -1
package/dist/index.mjs +803 -7
package/dist/index.mjs.map +1 -1
package/dist/issuer-config.d.ts +61 -0
package/dist/issuer-config.d.ts.map +1 -0
package/dist/policy-binding.d.ts +24 -0
package/dist/policy-binding.d.ts.map +1 -0
package/dist/receipt-parser.cjs +492 -3
package/dist/receipt-parser.cjs.map +1 -1
package/dist/receipt-parser.d.ts +36 -14
package/dist/receipt-parser.d.ts.map +1 -1
package/dist/receipt-parser.mjs +493 -5
package/dist/receipt-parser.mjs.map +1 -1
package/dist/types.d.ts +17 -0
package/dist/types.d.ts.map +1 -1
package/dist/validators.d.ts +16 -0
package/dist/validators.d.ts.map +1 -1
package/dist/wire-02-envelope.d.ts +152 -0
package/dist/wire-02-envelope.d.ts.map +1 -0
package/dist/wire-02-extensions.d.ts +216 -0
package/dist/wire-02-extensions.d.ts.map +1 -0
package/dist/wire-02-registries.d.ts +21 -0
package/dist/wire-02-registries.d.ts.map +1 -0
package/dist/wire-02-representation.d.ts +49 -0
package/dist/wire-02-representation.d.ts.map +1 -0
package/dist/wire-02-warnings.d.ts +29 -0
package/dist/wire-02-warnings.d.ts.map +1 -0
package/package.json +2 -2

package/dist/index.cjs CHANGED Viewed

@@ -55,7 +55,9 @@ var ERROR_CODES = {
   E_WORKFLOW_SUMMARY_INVALID: "E_WORKFLOW_SUMMARY_INVALID",
   E_WORKFLOW_CYCLE_DETECTED: "E_WORKFLOW_CYCLE_DETECTED",
   // Constraint errors (400, DD-121)
-  E_CONSTRAINT_VIOLATION: "E_CONSTRAINT_VIOLATION"
+  E_CONSTRAINT_VIOLATION: "E_CONSTRAINT_VIOLATION",
+  // Wire 0.2 extension errors (400, DD-153/DD-156)
+  E_INVALID_EXTENSION_KEY: "E_INVALID_EXTENSION_KEY"
 };
 function createPEACError(code, category, severity, retryable, options) {
   return {
@@ -964,11 +966,12 @@ var Extensions = zod.z.object({
   aipref_snapshot: AIPREFSnapshot.optional()
   // control block validated via ControlBlockSchema when present
 }).catchall(zod.z.unknown());
-var JWSHeader = zod.z.object({
+var Wire01JWSHeaderSchema = zod.z.object({
   typ: zod.z.literal(PEAC_WIRE_TYP),
   alg: zod.z.literal(PEAC_ALG),
   kid: zod.z.string().min(8)
 }).strict();
+var JWSHeader = Wire01JWSHeaderSchema;
 var CanonicalPurposeValues = ["train", "search", "user_action", "inference", "index"];
 var PurposeReasonValues = [
   "allowed",
@@ -1156,6 +1159,306 @@ function validateEvidence(evidence, limits) {
   }
   return { ok: true, value: evidence };
 }
+var PROOF_TYPES = [
+  "ed25519-cert-chain",
+  "eat-passport",
+  "eat-background-check",
+  "sigstore-oidc",
+  "did",
+  "spiffe",
+  "x509-pki",
+  "custom"
+];
+var ProofTypeSchema = zod.z.enum(PROOF_TYPES);
+function isOriginOnly(value) {
+  try {
+    const url = new URL(value);
+    if (url.protocol !== "https:" && url.protocol !== "http:") {
+      return false;
+    }
+    if (url.pathname !== "/") {
+      return false;
+    }
+    if (url.search !== "") {
+      return false;
+    }
+    if (url.hash !== "" || value.includes("#")) {
+      return false;
+    }
+    if (url.username !== "" || url.password !== "") {
+      return false;
+    }
+    if (url.hostname.endsWith(".")) {
+      return false;
+    }
+    const hostPart = value.replace(/^https?:\/\//, "").split(/[/:]/)[0];
+    if (hostPart.endsWith(".")) {
+      return false;
+    }
+    if (url.hostname.includes("%")) {
+      return false;
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+var ACTOR_BINDING_EXTENSION_KEY = "org.peacprotocol/actor_binding";
+var ActorBindingSchema = zod.z.object({
+  /** Stable actor identifier (opaque, no PII) */
+  id: zod.z.string().min(1).max(256),
+  /** Proof type from DD-143 multi-root vocabulary */
+  proof_type: ProofTypeSchema,
+  /** URI or hash of external proof artifact */
+  proof_ref: zod.z.string().max(2048).optional(),
+  /** Origin-only URL: scheme + host + optional port; NO path, query, or fragment */
+  origin: zod.z.string().max(2048).refine(isOriginOnly, {
+    message: "origin must be an origin-only URL (scheme + host + optional port; no path, query, or fragment)"
+  }),
+  /** SHA-256 hash of the intent (hash-first per DD-138) */
+  intent_hash: zod.z.string().regex(/^sha256:[a-f0-9]{64}$/, {
+    message: "intent_hash must match sha256:<64 hex chars>"
+  }).optional()
+}).strict();
+var MVISTimeBoundsSchema = zod.z.object({
+  /** Earliest valid time (RFC 3339) */
+  not_before: zod.z.string().datetime(),
+  /** Latest valid time (RFC 3339) */
+  not_after: zod.z.string().datetime()
+}).strict();
+var MVISReplayProtectionSchema = zod.z.object({
+  /** Unique token identifier (jti from JWT or equivalent) */
+  jti: zod.z.string().min(1).max(256),
+  /** Optional nonce for additional replay protection */
+  nonce: zod.z.string().max(256).optional()
+}).strict();
+var MVISFieldsSchema = zod.z.object({
+  /** Who issued the identity assertion */
+  issuer: zod.z.string().min(1).max(2048),
+  /** Who the identity is about (opaque identifier, no PII) */
+  subject: zod.z.string().min(1).max(256),
+  /** Cryptographic binding: kid or JWK thumbprint */
+  key_binding: zod.z.string().min(1).max(256),
+  /** Validity period */
+  time_bounds: MVISTimeBoundsSchema,
+  /** Replay protection */
+  replay_protection: MVISReplayProtectionSchema
+}).strict();
+function validateActorBinding(data) {
+  const result = ActorBindingSchema.safeParse(data);
+  if (result.success) {
+    return { ok: true, value: result.data };
+  }
+  return { ok: false, error: result.error.message };
+}
+function validateMVIS(data) {
+  const result = MVISFieldsSchema.safeParse(data);
+  if (!result.success) {
+    return { ok: false, error: result.error.message };
+  }
+  const notBefore = new Date(result.data.time_bounds.not_before).getTime();
+  const notAfter = new Date(result.data.time_bounds.not_after).getTime();
+  if (notBefore >= notAfter) {
+    return { ok: false, error: "not_before must be before not_after" };
+  }
+  const MAX_DURATION_MS = 100 * 365.25 * 24 * 60 * 60 * 1e3;
+  if (notAfter - notBefore > MAX_DURATION_MS) {
+    return { ok: false, error: "time_bounds duration must not exceed 100 years" };
+  }
+  return { ok: true, value: result.data };
+}
+var CREDENTIAL_EVENT_EXTENSION_KEY = "org.peacprotocol/credential_event";
+var CREDENTIAL_EVENTS = ["issued", "leased", "rotated", "revoked", "expired"];
+var CredentialEventTypeSchema = zod.z.enum(CREDENTIAL_EVENTS);
+var FINGERPRINT_REF_PATTERN = /^(sha256|hmac-sha256):[a-f0-9]{64}$/;
+var CredentialRefSchema = zod.z.string().max(256).regex(FINGERPRINT_REF_PATTERN, {
+  message: "credential_ref must be an opaque fingerprint reference: (sha256|hmac-sha256):<64 hex chars>"
+});
+var CredentialEventSchema = zod.z.object({
+  /** Lifecycle event type */
+  event: CredentialEventTypeSchema,
+  /** Opaque fingerprint reference of the credential (format validation only) */
+  credential_ref: CredentialRefSchema,
+  /** Authority that performed the action (HTTPS URL) */
+  authority: zod.z.string().url().max(2048).refine((v) => v.startsWith("https://"), {
+    message: "authority must be an HTTPS URL"
+  }),
+  /** When the credential expires (RFC 3339, optional) */
+  expires_at: zod.z.string().datetime().optional(),
+  /** Previous credential reference for rotation chains (optional) */
+  previous_ref: CredentialRefSchema.optional()
+}).strict();
+function validateCredentialEvent(data) {
+  const result = CredentialEventSchema.safeParse(data);
+  if (result.success) {
+    return { ok: true, value: result.data };
+  }
+  return { ok: false, error: result.error.message };
+}
+var TOOL_REGISTRY_EXTENSION_KEY = "org.peacprotocol/tool_registry";
+function isAllowedRegistryUri(value) {
+  if (value.startsWith("urn:")) {
+    return true;
+  }
+  try {
+    const url = new URL(value);
+    return url.protocol === "https:";
+  } catch {
+    return false;
+  }
+}
+var ToolRegistrySchema = zod.z.object({
+  /** Tool identifier */
+  tool_id: zod.z.string().min(1).max(256),
+  /** Registry URI (HTTPS or URN only; no file:// or data:// for SSRF prevention) */
+  registry_uri: zod.z.string().max(2048).refine(isAllowedRegistryUri, {
+    message: "registry_uri must be an HTTPS URL or URN (file:// and data:// are prohibited)"
+  }),
+  /** Tool version (optional, semver-like) */
+  version: zod.z.string().max(64).optional(),
+  /** Tool capabilities (optional) */
+  capabilities: zod.z.array(zod.z.string().max(64)).max(32).optional()
+}).strict();
+function validateToolRegistry(data) {
+  const result = ToolRegistrySchema.safeParse(data);
+  if (result.success) {
+    return { ok: true, value: result.data };
+  }
+  return { ok: false, error: result.error.message };
+}
+var CONTROL_ACTION_EXTENSION_KEY = "org.peacprotocol/control_action";
+var CONTROL_ACTIONS = ["grant", "deny", "escalate", "delegate", "audit"];
+var ControlActionTypeSchema = zod.z.enum(CONTROL_ACTIONS);
+var CONTROL_TRIGGERS = [
+  "policy_evaluation",
+  "manual_review",
+  "anomaly_detection",
+  "scheduled",
+  "event_driven"
+];
+var ControlTriggerSchema = zod.z.enum(CONTROL_TRIGGERS);
+var ControlActionSchema = zod.z.object({
+  /** Action taken */
+  action: ControlActionTypeSchema,
+  /** What triggered the action */
+  trigger: ControlTriggerSchema,
+  /** Resource or scope the action applies to (optional) */
+  resource: zod.z.string().max(2048).optional(),
+  /** Reason for the action (optional, human-readable) */
+  reason: zod.z.string().max(1024).optional(),
+  /** Policy identifier that was evaluated (optional) */
+  policy_ref: zod.z.string().max(2048).optional(),
+  /** When the action was taken (RFC 3339, optional; defaults to receipt iat) */
+  action_at: zod.z.string().datetime().optional()
+}).strict();
+function validateControlAction(data) {
+  const result = ControlActionSchema.safeParse(data);
+  if (result.success) {
+    return { ok: true, value: result.data };
+  }
+  return { ok: false, error: result.error.message };
+}
+var TREATY_EXTENSION_KEY = "org.peacprotocol/treaty";
+var COMMITMENT_CLASSES = ["informational", "operational", "financial", "legal"];
+var CommitmentClassSchema = zod.z.enum(COMMITMENT_CLASSES);
+var TreatySchema = zod.z.object({
+  /** Commitment level */
+  commitment_class: CommitmentClassSchema,
+  /** URL to full terms document (optional) */
+  terms_ref: zod.z.string().url().max(2048).optional(),
+  /** SHA-256 hash of terms document for integrity verification (optional) */
+  terms_hash: zod.z.string().regex(/^sha256:[a-f0-9]{64}$/, {
+    message: "terms_hash must match sha256:<64 hex chars>"
+  }).optional(),
+  /** Counterparty identifier (optional) */
+  counterparty: zod.z.string().max(256).optional(),
+  /** When the treaty becomes effective (RFC 3339, optional) */
+  effective_at: zod.z.string().datetime().optional(),
+  /** When the treaty expires (RFC 3339, optional) */
+  expires_at: zod.z.string().datetime().optional()
+}).strict();
+function validateTreaty(data) {
+  const result = TreatySchema.safeParse(data);
+  if (!result.success) {
+    return { ok: false, error: result.error.message };
+  }
+  if (result.data.effective_at && result.data.expires_at) {
+    const effectiveMs = new Date(result.data.effective_at).getTime();
+    const expiresMs = new Date(result.data.expires_at).getTime();
+    if (effectiveMs > expiresMs) {
+      return { ok: false, error: "effective_at must not be after expires_at" };
+    }
+  }
+  return { ok: true, value: result.data };
+}
+// src/extensions/fingerprint-ref.ts
+function hexToBase64url(hex) {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
+  }
+  let base64;
+  if (typeof Buffer !== "undefined") {
+    base64 = Buffer.from(bytes).toString("base64");
+  } else {
+    base64 = btoa(String.fromCharCode(...bytes));
+  }
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64urlToHex(b64url) {
+  let base64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
+  while (base64.length % 4 !== 0) {
+    base64 += "=";
+  }
+  let bytes;
+  if (typeof Buffer !== "undefined") {
+    bytes = Buffer.from(base64, "base64");
+  } else {
+    const binary = atob(base64);
+    bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+  }
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+var VALID_ALGS = ["sha256", "hmac-sha256"];
+var STRING_FORM_PATTERN = /^(sha256|hmac-sha256):([a-f0-9]{64})$/;
+var MAX_FINGERPRINT_REF_LENGTH = 76;
+var BASE64URL_PATTERN = /^[A-Za-z0-9_-]+$/;
+function stringToFingerprintRef(s) {
+  if (s.length > MAX_FINGERPRINT_REF_LENGTH) {
+    return null;
+  }
+  const match = STRING_FORM_PATTERN.exec(s);
+  if (!match) {
+    return null;
+  }
+  const alg = match[1];
+  const hex = match[2];
+  return {
+    alg,
+    value: hexToBase64url(hex)
+  };
+}
+function fingerprintRefToString(obj) {
+  if (!VALID_ALGS.includes(obj.alg)) {
+    return null;
+  }
+  if (!BASE64URL_PATTERN.test(obj.value)) {
+    return null;
+  }
+  try {
+    const hex = base64urlToHex(obj.value);
+    if (hex.length !== 64) {
+      return null;
+    }
+    return `${obj.alg}:${hex}`;
+  } catch {
+    return null;
+  }
+}
 var DISPUTE_LIMITS = {
   /** Maximum grounds per dispute */
   maxGrounds: 10,
@@ -2772,15 +3075,404 @@ async function verifyReceiptRefConsistency(carrier) {
   }
   return null;
 }
+function isValidContentHash(s) {
+  const ref = stringToFingerprintRef(s);
+  if (ref === null) return false;
+  return ref.alg === "sha256";
+}
+var MIME_PATTERN = /^[a-zA-Z0-9][a-zA-Z0-9!#$&\-^_.+]*\/[a-zA-Z0-9][a-zA-Z0-9!#$&\-^_.+]*(;\s*[a-zA-Z0-9][a-zA-Z0-9!#$&\-^_.+]*=[^\s;]+)*$/;
+function isValidMimeType(s) {
+  return MIME_PATTERN.test(s);
+}
+var REPRESENTATION_LIMITS = {
+  /** Max content_hash string length (sha256:<64 hex> = 71 chars, capped at FingerprintRef max) */
+  maxContentHashLength: MAX_FINGERPRINT_REF_LENGTH,
+  /** Max content_type string length */
+  maxContentTypeLength: 256
+};
+var Wire02RepresentationFieldsSchema = zod.z.object({
+  /**
+   * FingerprintRef of the served content body.
+   * Format: sha256:<64 lowercase hex>
+   * hmac-sha256 is NOT permitted for representation hashes.
+   */
+  content_hash: zod.z.string().max(REPRESENTATION_LIMITS.maxContentHashLength).refine(isValidContentHash, {
+    message: "content_hash must be a valid sha256 FingerprintRef (sha256:<64 lowercase hex>)"
+  }).optional(),
+  /**
+   * MIME type of the served content (e.g., 'text/plain', 'application/json').
+   * Conservative pattern validation: type/subtype with optional parameters.
+   */
+  content_type: zod.z.string().max(REPRESENTATION_LIMITS.maxContentTypeLength).refine(isValidMimeType, {
+    message: "content_type must be a valid MIME type (type/subtype with optional parameters)"
+  }).optional(),
+  /**
+   * Size of the served content in bytes.
+   * Non-negative integer, bounded by Number.MAX_SAFE_INTEGER.
+   */
+  content_length: zod.z.number().int().finite().nonnegative().max(Number.MAX_SAFE_INTEGER).optional()
+}).strict();
+var EXTENSION_LIMITS = {
+  // Extension key grammar
+  maxExtensionKeyLength: 512,
+  maxDnsLabelLength: 63,
+  maxDnsDomainLength: 253,
+  // Commerce
+  maxPaymentRailLength: 128,
+  maxCurrencyLength: 16,
+  maxAmountMinorLength: 64,
+  maxReferenceLength: 256,
+  maxAssetLength: 256,
+  // Access
+  maxResourceLength: 2048,
+  maxActionLength: 256,
+  // Challenge
+  maxProblemTypeLength: 2048,
+  maxProblemTitleLength: 256,
+  maxProblemDetailLength: 4096,
+  maxProblemInstanceLength: 2048,
+  // Identity
+  maxProofRefLength: 256,
+  // Correlation
+  maxTraceIdLength: 32,
+  maxSpanIdLength: 16,
+  maxWorkflowIdLength: 256,
+  maxParentJtiLength: 256,
+  maxDependsOnLength: 64
+};
+var DNS_LABEL = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/;
+var SEGMENT_PATTERN = /^[a-z0-9][a-z0-9_-]*$/;
+function isValidExtensionKey(key) {
+  if (key.length === 0 || key.length > EXTENSION_LIMITS.maxExtensionKeyLength) return false;
+  const slashIdx = key.indexOf("/");
+  if (slashIdx <= 0) return false;
+  const domain = key.slice(0, slashIdx);
+  const segment = key.slice(slashIdx + 1);
+  if (!domain.includes(".")) return false;
+  if (domain.length > EXTENSION_LIMITS.maxDnsDomainLength) return false;
+  if (segment.length === 0) return false;
+  if (!SEGMENT_PATTERN.test(segment)) return false;
+  const labels = domain.split(".");
+  for (const label of labels) {
+    if (label.length === 0 || label.length > EXTENSION_LIMITS.maxDnsLabelLength) return false;
+    if (!DNS_LABEL.test(label)) return false;
+  }
+  return true;
+}
+var COMMERCE_EXTENSION_KEY = "org.peacprotocol/commerce";
+var ACCESS_EXTENSION_KEY = "org.peacprotocol/access";
+var CHALLENGE_EXTENSION_KEY = "org.peacprotocol/challenge";
+var IDENTITY_EXTENSION_KEY = "org.peacprotocol/identity";
+var CORRELATION_EXTENSION_KEY = "org.peacprotocol/correlation";
+function escapePointerSegment(s) {
+  return s.replace(/~/g, "~0").replace(/\//g, "~1");
+}
+function zodPathToPointer(groupKey, zodPath) {
+  const escaped = escapePointerSegment(groupKey);
+  const segments = zodPath.map((s) => escapePointerSegment(String(s)));
+  return `/extensions/${escaped}` + (segments.length > 0 ? "/" + segments.join("/") : "");
+}
+var AMOUNT_MINOR_PATTERN = /^-?[0-9]+$/;
+var CommerceExtensionSchema = zod.z.object({
+  /** Payment rail identifier (e.g., 'stripe', 'x402', 'lightning') */
+  payment_rail: zod.z.string().min(1).max(EXTENSION_LIMITS.maxPaymentRailLength),
+  /**
+   * Amount in smallest currency unit as a string for arbitrary precision.
+   * Base-10 integer: optional leading minus, one or more digits.
+   * Decimals and empty strings are rejected.
+   */
+  amount_minor: zod.z.string().min(1).max(EXTENSION_LIMITS.maxAmountMinorLength).regex(
+    AMOUNT_MINOR_PATTERN,
+    'amount_minor must be a base-10 integer string (e.g., "1000", "-50")'
+  ),
+  /** ISO 4217 currency code or asset identifier */
+  currency: zod.z.string().min(1).max(EXTENSION_LIMITS.maxCurrencyLength),
+  /** Caller-assigned payment reference */
+  reference: zod.z.string().max(EXTENSION_LIMITS.maxReferenceLength).optional(),
+  /** Asset identifier for non-fiat (e.g., token address) */
+  asset: zod.z.string().max(EXTENSION_LIMITS.maxAssetLength).optional(),
+  /** Environment discriminant */
+  env: zod.z.enum(["live", "test"]).optional()
+}).strict();
+var AccessExtensionSchema = zod.z.object({
+  /** Resource being accessed (URI or identifier) */
+  resource: zod.z.string().min(1).max(EXTENSION_LIMITS.maxResourceLength),
+  /** Action performed on the resource */
+  action: zod.z.string().min(1).max(EXTENSION_LIMITS.maxActionLength),
+  /** Access decision */
+  decision: zod.z.enum(["allow", "deny", "review"])
+}).strict();
+var CHALLENGE_TYPES = [
+  "payment_required",
+  "identity_required",
+  "consent_required",
+  "attestation_required",
+  "rate_limited",
+  "purpose_disallowed",
+  "custom"
+];
+var ChallengeTypeSchema = zod.z.enum(CHALLENGE_TYPES);
+var ProblemDetailsSchema = zod.z.object({
+  /** HTTP status code (100-599) */
+  status: zod.z.number().int().min(100).max(599),
+  /** Problem type URI */
+  type: zod.z.string().min(1).max(EXTENSION_LIMITS.maxProblemTypeLength).url(),
+  /** Short human-readable summary */
+  title: zod.z.string().max(EXTENSION_LIMITS.maxProblemTitleLength).optional(),
+  /** Human-readable explanation specific to this occurrence */
+  detail: zod.z.string().max(EXTENSION_LIMITS.maxProblemDetailLength).optional(),
+  /** URI reference identifying the specific occurrence */
+  instance: zod.z.string().max(EXTENSION_LIMITS.maxProblemInstanceLength).optional()
+}).passthrough();
+var ChallengeExtensionSchema = zod.z.object({
+  /** Challenge type (7 values) */
+  challenge_type: ChallengeTypeSchema,
+  /** RFC 9457 Problem Details */
+  problem: ProblemDetailsSchema,
+  /** Resource that triggered the challenge */
+  resource: zod.z.string().max(EXTENSION_LIMITS.maxResourceLength).optional(),
+  /** Action that triggered the challenge */
+  action: zod.z.string().max(EXTENSION_LIMITS.maxActionLength).optional(),
+  /** Caller-defined requirements for resolving the challenge */
+  requirements: zod.z.record(zod.z.string(), zod.z.unknown()).optional()
+}).strict();
+var IdentityExtensionSchema = zod.z.object({
+  /** Proof reference (opaque string; no actor_binding: top-level actor is sole location) */
+  proof_ref: zod.z.string().max(EXTENSION_LIMITS.maxProofRefLength).optional()
+}).strict();
+var TRACE_ID_PATTERN = /^[0-9a-f]{32}$/;
+var SPAN_ID_PATTERN = /^[0-9a-f]{16}$/;
+var CorrelationExtensionSchema = zod.z.object({
+  /** OpenTelemetry-compatible trace ID (32 lowercase hex chars) */
+  trace_id: zod.z.string().length(EXTENSION_LIMITS.maxTraceIdLength).regex(TRACE_ID_PATTERN, "trace_id must be 32 lowercase hex characters").optional(),
+  /** OpenTelemetry-compatible span ID (16 lowercase hex chars) */
+  span_id: zod.z.string().length(EXTENSION_LIMITS.maxSpanIdLength).regex(SPAN_ID_PATTERN, "span_id must be 16 lowercase hex characters").optional(),
+  /** Workflow identifier */
+  workflow_id: zod.z.string().min(1).max(EXTENSION_LIMITS.maxWorkflowIdLength).optional(),
+  /** Parent receipt JTI for causal chains */
+  parent_jti: zod.z.string().min(1).max(EXTENSION_LIMITS.maxParentJtiLength).optional(),
+  /** JTIs this receipt depends on */
+  depends_on: zod.z.array(zod.z.string().min(1).max(EXTENSION_LIMITS.maxParentJtiLength)).max(EXTENSION_LIMITS.maxDependsOnLength).optional()
+}).strict();
+var EXTENSION_SCHEMA_MAP = /* @__PURE__ */ new Map();
+EXTENSION_SCHEMA_MAP.set(COMMERCE_EXTENSION_KEY, CommerceExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(ACCESS_EXTENSION_KEY, AccessExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(CHALLENGE_EXTENSION_KEY, ChallengeExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(IDENTITY_EXTENSION_KEY, IdentityExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(CORRELATION_EXTENSION_KEY, CorrelationExtensionSchema);
+function getExtension(extensions, key, schema) {
+  if (extensions === void 0) return void 0;
+  if (!Object.prototype.hasOwnProperty.call(extensions, key)) return void 0;
+  const value = extensions[key];
+  const result = schema.safeParse(value);
+  if (result.success) {
+    return result.data;
+  }
+  const firstIssue = result.error.issues[0];
+  const pointer = zodPathToPointer(key, firstIssue?.path ?? []);
+  throw createPEACError(ERROR_CODES.E_INVALID_ENVELOPE, "validation", "error", false, {
+    http_status: 400,
+    pointer,
+    remediation: `Fix the ${key} extension group value`,
+    details: {
+      message: firstIssue?.message ?? "Invalid extension value",
+      issues: result.error.issues
+    }
+  });
+}
+function getCommerceExtension(extensions) {
+  return getExtension(extensions, COMMERCE_EXTENSION_KEY, CommerceExtensionSchema);
+}
+function getAccessExtension(extensions) {
+  return getExtension(extensions, ACCESS_EXTENSION_KEY, AccessExtensionSchema);
+}
+function getChallengeExtension(extensions) {
+  return getExtension(extensions, CHALLENGE_EXTENSION_KEY, ChallengeExtensionSchema);
+}
+function getIdentityExtension(extensions) {
+  return getExtension(extensions, IDENTITY_EXTENSION_KEY, IdentityExtensionSchema);
+}
+function getCorrelationExtension(extensions) {
+  return getExtension(extensions, CORRELATION_EXTENSION_KEY, CorrelationExtensionSchema);
+}
+function validateKnownExtensions(extensions, ctx) {
+  if (extensions === void 0) return;
+  for (const key of Object.keys(extensions)) {
+    if (!isValidExtensionKey(key)) {
+      ctx.addIssue({
+        code: "custom",
+        message: ERROR_CODES.E_INVALID_EXTENSION_KEY,
+        path: ["extensions", key]
+      });
+      continue;
+    }
+    const schema = EXTENSION_SCHEMA_MAP.get(key);
+    if (schema !== void 0) {
+      const result = schema.safeParse(extensions[key]);
+      if (!result.success) {
+        const firstIssue = result.error.issues[0];
+        const issuePath = firstIssue?.path ?? [];
+        ctx.addIssue({
+          code: "custom",
+          message: firstIssue?.message ?? "Invalid extension value",
+          path: ["extensions", key, ...issuePath]
+        });
+      }
+    }
+  }
+}
+// src/wire-02-envelope.ts
+function isSortedAndUnique(arr) {
+  for (let i = 1; i < arr.length; i++) {
+    if (arr[i] <= arr[i - 1]) return false;
+  }
+  return true;
+}
+function isCanonicalIss(iss) {
+  if (typeof iss !== "string" || iss.length === 0 || iss.length > kernel.ISS_CANONICAL.maxLength) {
+    return false;
+  }
+  if (iss.startsWith("did:")) {
+    return /^did:[a-z0-9]+:[^#?/]+$/.test(iss);
+  }
+  try {
+    const url = new URL(iss);
+    if (url.protocol !== "https:") return false;
+    if (!url.hostname) return false;
+    if (url.username !== "" || url.password !== "") return false;
+    const origin = `${url.protocol}//${url.host}`;
+    return iss === origin;
+  } catch {
+    return false;
+  }
+}
+var ABS_URI_PATTERN = /^[a-z][a-z0-9+.-]*:\/\//;
+function isValidReceiptType(value) {
+  if (value.length === 0 || value.length > kernel.TYPE_GRAMMAR.maxLength) return false;
+  if (ABS_URI_PATTERN.test(value)) return true;
+  const slashIdx = value.indexOf("/");
+  if (slashIdx <= 0) return false;
+  const domain = value.slice(0, slashIdx);
+  const segment = value.slice(slashIdx + 1);
+  if (!domain.includes(".")) return false;
+  if (segment.length === 0) return false;
+  if (!/^[a-zA-Z0-9][a-zA-Z0-9.-]*$/.test(domain)) return false;
+  if (!/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/.test(segment)) return false;
+  return true;
+}
+var EVIDENCE_PILLARS = [
+  "access",
+  "attribution",
+  "commerce",
+  "compliance",
+  "consent",
+  "identity",
+  "privacy",
+  "provenance",
+  "purpose",
+  "safety"
+];
+var EvidencePillarSchema = zod.z.enum(
+  EVIDENCE_PILLARS
+);
+var PillarsSchema = zod.z.array(EvidencePillarSchema).min(1).superRefine((arr, ctx) => {
+  if (!isSortedAndUnique(arr)) {
+    ctx.addIssue({
+      code: "custom",
+      message: "E_PILLARS_NOT_SORTED"
+    });
+  }
+});
+var Wire02KindSchema = zod.z.enum(["evidence", "challenge"]);
+var ReceiptTypeSchema = zod.z.string().max(kernel.TYPE_GRAMMAR.maxLength).refine(isValidReceiptType, {
+  message: "type must be reverse-DNS notation (e.g., org.example/flow) or an absolute URI"
+});
+var CanonicalIssSchema = zod.z.string().max(kernel.ISS_CANONICAL.maxLength).refine(isCanonicalIss, {
+  message: "E_ISS_NOT_CANONICAL"
+});
+var PolicyBlockSchema = zod.z.object({
+  /** JCS+SHA-256 digest: 'sha256:<64 lowercase hex>' */
+  digest: zod.z.string().regex(kernel.HASH.pattern, "digest must be sha256:<64 lowercase hex>"),
+  /**
+   * HTTPS locator hint for the policy document.
+   * MUST be an https:// URL (max 2048 chars).
+   * MUST NOT trigger auto-fetch; callers use this as a hint only (DD-55).
+   */
+  uri: zod.z.string().max(kernel.POLICY_BLOCK.uriMaxLength).url().refine((u) => u.startsWith("https://"), "policy.uri must be an https:// URL").optional(),
+  /** Caller-assigned version label (max 256 chars) */
+  version: zod.z.string().max(kernel.POLICY_BLOCK.versionMaxLength).optional()
+});
+var Wire02ClaimsSchema = zod.z.object({
+  /** Wire format version discriminant; always '0.2' for Wire 0.2 */
+  peac_version: zod.z.literal("0.2"),
+  /** Structural kind: 'evidence' or 'challenge' */
+  kind: Wire02KindSchema,
+  /** Open semantic type (reverse-DNS or absolute URI) */
+  type: ReceiptTypeSchema,
+  /** Canonical issuer (https:// ASCII origin or did: identifier) */
+  iss: CanonicalIssSchema,
+  /** Issued-at time (Unix seconds). REQUIRED. */
+  iat: zod.z.number().int(),
+  /** Unique receipt identifier; 1 to 256 chars */
+  jti: zod.z.string().min(1).max(256),
+  /** Subject identifier; max 2048 chars */
+  sub: zod.z.string().max(2048).optional(),
+  /** Evidence pillars (closed 10-value taxonomy); sorted ascending, unique */
+  pillars: PillarsSchema.optional(),
+  /** Top-level actor binding (sole location for ActorBinding in Wire 0.2) */
+  actor: ActorBindingSchema.optional(),
+  /** Policy binding block (DD-151) */
+  policy: PolicyBlockSchema.optional(),
+  /** Representation fields (DD-152): FingerprintRef validation, sha256-only, strict */
+  representation: Wire02RepresentationFieldsSchema.optional(),
+  /** ISO 8601 / RFC 3339 timestamp when the interaction occurred; evidence kind only */
+  occurred_at: zod.z.string().datetime({ offset: true }).optional(),
+  /** Declared purpose string; max 256 chars */
+  purpose_declared: zod.z.string().max(256).optional(),
+  /** Extension groups (open; known group keys validated by group schema) */
+  extensions: zod.z.record(zod.z.string(), zod.z.unknown()).optional()
+}).superRefine((data, ctx) => {
+  if (data.kind === "challenge" && data.occurred_at !== void 0) {
+    ctx.addIssue({
+      code: "custom",
+      message: "E_OCCURRED_AT_ON_CHALLENGE"
+    });
+  }
+  validateKnownExtensions(data.extensions, ctx);
+}).strict();
+function checkOccurredAtSkew(occurredAt, iat, now, tolerance = kernel.OCCURRED_AT_TOLERANCE_SECONDS) {
+  if (occurredAt === void 0) return null;
+  const ts = Date.parse(occurredAt) / 1e3;
+  if (isNaN(ts)) return null;
+  if (ts > now + tolerance) return "future_error";
+  if (ts > iat) {
+    return {
+      code: "occurred_at_skew",
+      message: "occurred_at is after iat",
+      pointer: "/occurred_at"
+    };
+  }
+  return null;
+}
 // src/receipt-parser.ts
-function classifyReceipt(obj) {
+function detectWireVersion(obj) {
+  if (obj === null || obj === void 0 || typeof obj !== "object" || Array.isArray(obj)) {
+    return null;
+  }
+  const record = obj;
+  if (record.peac_version === "0.2") return "0.2";
+  if ("peac_version" in record) return null;
+  return "0.1";
+}
+function classifyWire01Receipt(obj) {
   if ("amt" in obj || "cur" in obj || "payment" in obj) {
     return "commerce";
   }
   return "attestation";
 }
-function parseReceiptClaims(input, _opts) {
+function parseReceiptClaims(input, opts) {
   if (input === null || input === void 0 || typeof input !== "object" || Array.isArray(input)) {
     return {
       ok: false,
@@ -2791,7 +3483,37 @@ function parseReceiptClaims(input, _opts) {
     };
   }
   const obj = input;
-  const variant = classifyReceipt(obj);
+  const wireVersion = opts?.wireVersion === "0.2" || opts?.wireVersion === "0.1" ? opts.wireVersion : detectWireVersion(obj);
+  if (wireVersion === null) {
+    return {
+      ok: false,
+      error: {
+        code: "E_UNSUPPORTED_WIRE_VERSION",
+        message: `Unsupported or unrecognized peac_version: ${JSON.stringify(obj["peac_version"])}`
+      }
+    };
+  }
+  if (wireVersion === "0.2") {
+    const result2 = Wire02ClaimsSchema.safeParse(obj);
+    if (!result2.success) {
+      return {
+        ok: false,
+        error: {
+          code: "E_INVALID_FORMAT",
+          message: `Wire 0.2 receipt validation failed: ${result2.error.issues.map((i) => i.message).join("; ")}`,
+          issues: result2.error.issues
+        }
+      };
+    }
+    return {
+      ok: true,
+      variant: "wire-02",
+      wireVersion: "0.2",
+      warnings: [],
+      claims: result2.data
+    };
+  }
+  const variant = classifyWire01Receipt(obj);
   if (variant === "commerce") {
     const result2 = ReceiptClaimsSchema.safeParse(obj);
     if (!result2.success) {
@@ -2807,6 +3529,8 @@ function parseReceiptClaims(input, _opts) {
     return {
       ok: true,
       variant: "commerce",
+      wireVersion: "0.1",
+      warnings: [],
       claims: result2.data
     };
   }
@@ -2824,10 +3548,84 @@ function parseReceiptClaims(input, _opts) {
   return {
     ok: true,
     variant: "attestation",
+    wireVersion: "0.1",
+    warnings: [],
     claims: result.data
   };
 }
+// src/wire-02-warnings.ts
+var WARNING_TYPE_UNREGISTERED = "type_unregistered";
+var WARNING_UNKNOWN_EXTENSION = "unknown_extension_preserved";
+var WARNING_OCCURRED_AT_SKEW = "occurred_at_skew";
+var WARNING_TYP_MISSING = "typ_missing";
+function sortWarnings(warnings) {
+  return [...warnings].sort((a, b) => {
+    const aHasPtr = a.pointer !== void 0;
+    const bHasPtr = b.pointer !== void 0;
+    if (!aHasPtr && bHasPtr) return -1;
+    if (aHasPtr && !bHasPtr) return 1;
+    if (aHasPtr && bHasPtr) {
+      const cmp = a.pointer.localeCompare(b.pointer);
+      if (cmp !== 0) return cmp;
+    }
+    return a.code.localeCompare(b.code);
+  });
+}
+// src/wire-02-registries.ts
+var REGISTERED_RECEIPT_TYPES = /* @__PURE__ */ new Set([
+  "org.peacprotocol/payment",
+  "org.peacprotocol/access-decision",
+  "org.peacprotocol/identity-attestation",
+  "org.peacprotocol/consent-record",
+  "org.peacprotocol/compliance-check",
+  "org.peacprotocol/privacy-signal",
+  "org.peacprotocol/safety-review",
+  "org.peacprotocol/provenance-record",
+  "org.peacprotocol/attribution-event",
+  "org.peacprotocol/purpose-declaration"
+]);
+var REGISTERED_EXTENSION_GROUP_KEYS = /* @__PURE__ */ new Set([
+  "org.peacprotocol/commerce",
+  "org.peacprotocol/access",
+  "org.peacprotocol/challenge",
+  "org.peacprotocol/identity",
+  "org.peacprotocol/correlation"
+]);
+// src/policy-binding.ts
+function verifyPolicyBinding(receiptDigest, localDigest) {
+  return receiptDigest === localDigest ? "verified" : "failed";
+}
+var REVOCATION_REASONS = [
+  "key_compromise",
+  "superseded",
+  "cessation_of_operation",
+  "privilege_withdrawn"
+];
+var RevokedKeyEntrySchema = zod.z.object({
+  /** Key ID that was revoked */
+  kid: zod.z.string().min(1).max(256),
+  /** ISO 8601 timestamp of revocation */
+  revoked_at: zod.z.string().datetime(),
+  /** Revocation reason (optional, RFC 5280 CRLReason subset) */
+  reason: zod.z.enum(REVOCATION_REASONS).optional()
+}).strict();
+var RevokedKeysArraySchema = zod.z.array(RevokedKeyEntrySchema).max(100);
+function validateRevokedKeys(data) {
+  const result = RevokedKeysArraySchema.safeParse(data);
+  if (result.success) {
+    return { ok: true, value: result.data };
+  }
+  return { ok: false, error: result.error.issues.map((i) => i.message).join("; ") };
+}
+function findRevokedKey(revokedKeys, kid) {
+  return revokedKeys.find((entry) => entry.kid === kid) ?? null;
+}
+exports.ACCESS_EXTENSION_KEY = ACCESS_EXTENSION_KEY;
+exports.ACTOR_BINDING_EXTENSION_KEY = ACTOR_BINDING_EXTENSION_KEY;
 exports.AGENT_IDENTITY_TYPE = AGENT_IDENTITY_TYPE;
 exports.AIPREFSnapshotSchema = AIPREFSnapshot;
 exports.ATTESTATION_LIMITS = ATTESTATION_LIMITS;
@@ -2835,6 +3633,8 @@ exports.ATTESTATION_RECEIPT_TYPE = ATTESTATION_RECEIPT_TYPE;
 exports.ATTRIBUTION_LIMITS = ATTRIBUTION_LIMITS;
 exports.ATTRIBUTION_TYPE = ATTRIBUTION_TYPE;
 exports.ATTRIBUTION_USAGES = ATTRIBUTION_USAGES;
+exports.AccessExtensionSchema = AccessExtensionSchema;
+exports.ActorBindingSchema = ActorBindingSchema;
 exports.AgentIdentityAttestationSchema = AgentIdentityAttestationSchema;
 exports.AgentIdentityEvidenceSchema = AgentIdentityEvidenceSchema;
 exports.AgentIdentityVerifiedSchema = AgentIdentityVerifiedSchema;
@@ -2850,23 +3650,45 @@ exports.BindingDetailsSchema = BindingDetailsSchema;
 exports.CANONICAL_DIGEST_ALGS = CANONICAL_DIGEST_ALGS;
 exports.CANONICAL_PURPOSES = CANONICAL_PURPOSES;
 exports.CARRIER_TRANSPORT_LIMITS = CARRIER_TRANSPORT_LIMITS;
+exports.CHALLENGE_EXTENSION_KEY = CHALLENGE_EXTENSION_KEY;
+exports.CHALLENGE_TYPES = CHALLENGE_TYPES;
+exports.COMMERCE_EXTENSION_KEY = COMMERCE_EXTENSION_KEY;
+exports.COMMITMENT_CLASSES = COMMITMENT_CLASSES;
 exports.CONTRIBUTION_TYPES = CONTRIBUTION_TYPES;
+exports.CONTROL_ACTIONS = CONTROL_ACTIONS;
+exports.CONTROL_ACTION_EXTENSION_KEY = CONTROL_ACTION_EXTENSION_KEY;
+exports.CONTROL_TRIGGERS = CONTROL_TRIGGERS;
 exports.CONTROL_TYPES = CONTROL_TYPES;
+exports.CORRELATION_EXTENSION_KEY = CORRELATION_EXTENSION_KEY;
+exports.CREDENTIAL_EVENTS = CREDENTIAL_EVENTS;
+exports.CREDENTIAL_EVENT_EXTENSION_KEY = CREDENTIAL_EVENT_EXTENSION_KEY;
 exports.CREDIT_METHODS = CREDIT_METHODS;
+exports.CanonicalIssSchema = CanonicalIssSchema;
 exports.CanonicalPurposeSchema = CanonicalPurposeSchema;
 exports.CarrierFormatSchema = CarrierFormatSchema;
 exports.CarrierMetaSchema = CarrierMetaSchema;
+exports.ChallengeExtensionSchema = ChallengeExtensionSchema;
+exports.ChallengeTypeSchema = ChallengeTypeSchema;
+exports.CommerceExtensionSchema = CommerceExtensionSchema;
+exports.CommitmentClassSchema = CommitmentClassSchema;
 exports.CompactJwsSchema = CompactJwsSchema;
 exports.ContactMethodSchema = ContactMethodSchema;
 exports.ContentHashSchema = ContentHashSchema;
 exports.ContributionObligationSchema = ContributionObligationSchema;
 exports.ContributionTypeSchema = ContributionTypeSchema;
+exports.ControlActionSchema = ControlActionSchema;
+exports.ControlActionTypeSchema = ControlActionTypeSchema;
 exports.ControlBlockSchema = ControlBlockSchema;
 exports.ControlDecisionSchema = ControlDecisionSchema;
 exports.ControlLicensingModeSchema = ControlLicensingModeSchema;
 exports.ControlPurposeSchema = ControlPurposeSchema;
 exports.ControlStepSchema = ControlStepSchema;
+exports.ControlTriggerSchema = ControlTriggerSchema;
 exports.ControlTypeSchema = ControlTypeSchema;
+exports.CorrelationExtensionSchema = CorrelationExtensionSchema;
+exports.CredentialEventSchema = CredentialEventSchema;
+exports.CredentialEventTypeSchema = CredentialEventTypeSchema;
+exports.CredentialRefSchema = CredentialRefSchema;
 exports.CreditMethodSchema = CreditMethodSchema;
 exports.CreditObligationSchema = CreditObligationSchema;
 exports.DERIVATION_TYPES = DERIVATION_TYPES;
@@ -2898,15 +3720,19 @@ exports.DocumentRefSchema = DocumentRefSchema;
 exports.ERROR_CATEGORIES_CANONICAL = ERROR_CATEGORIES_CANONICAL;
 exports.ERROR_CODES = ERROR_CODES;
 exports.EXTENSION_KEY_PATTERN = EXTENSION_KEY_PATTERN;
+exports.EXTENSION_LIMITS = EXTENSION_LIMITS;
+exports.EvidencePillarSchema = EvidencePillarSchema;
 exports.ExecutorSchema = ExecutorSchema;
 exports.Extensions = Extensions;
 exports.ExtensionsSchema = ExtensionsSchema;
 exports.HashAlgorithmSchema = HashAlgorithmSchema;
 exports.HashEncodingSchema = HashEncodingSchema;
+exports.IDENTITY_EXTENSION_KEY = IDENTITY_EXTENSION_KEY;
 exports.INTERACTION_EXTENSION_KEY = INTERACTION_EXTENSION_KEY;
 exports.INTERACTION_LIMITS = INTERACTION_LIMITS;
 exports.INTERNAL_PURPOSE_UNDECLARED = INTERNAL_PURPOSE_UNDECLARED;
 exports.IdentityBindingSchema = IdentityBindingSchema;
+exports.IdentityExtensionSchema = IdentityExtensionSchema;
 exports.InteractionEvidenceV01Schema = InteractionEvidenceV01Schema;
 exports.JSON_EVIDENCE_LIMITS = JSON_EVIDENCE_LIMITS;
 exports.JWSHeader = JWSHeader;
@@ -2920,6 +3746,9 @@ exports.KindSchema = KindSchema;
 exports.MAX_PURPOSE_TOKENS_PER_REQUEST = MAX_PURPOSE_TOKENS_PER_REQUEST;
 exports.MAX_PURPOSE_TOKEN_LENGTH = MAX_PURPOSE_TOKEN_LENGTH;
 exports.MIDDLEWARE_INTERACTION_KEY = MIDDLEWARE_INTERACTION_KEY;
+exports.MVISFieldsSchema = MVISFieldsSchema;
+exports.MVISReplayProtectionSchema = MVISReplayProtectionSchema;
+exports.MVISTimeBoundsSchema = MVISTimeBoundsSchema;
 exports.MinimalInteractionBindingSchema = MinimalInteractionBindingSchema;
 exports.NormalizedPayment = NormalizedPayment;
 exports.OBLIGATIONS_EXTENSION_KEY = OBLIGATIONS_EXTENSION_KEY;
@@ -2943,6 +3772,7 @@ exports.PEAC_RECEIPT_SCHEMA_URL = PEAC_RECEIPT_SCHEMA_URL;
 exports.PEAC_WIRE_TYP = PEAC_WIRE_TYP;
 exports.POLICY_DECISIONS = POLICY_DECISIONS;
 exports.PROOF_METHODS = PROOF_METHODS;
+exports.PROOF_TYPES = PROOF_TYPES;
 exports.PURPOSE_REASONS = PURPOSE_REASONS;
 exports.PURPOSE_TOKEN_REGEX = PURPOSE_TOKEN_REGEX;
 exports.PayloadRefSchema = PayloadRefSchema;
@@ -2950,23 +3780,35 @@ exports.PaymentEvidenceSchema = PaymentEvidenceSchema;
 exports.PaymentRoutingSchema = PaymentRoutingSchema;
 exports.PaymentSplitSchema = PaymentSplitSchema;
 exports.PeacEvidenceCarrierSchema = PeacEvidenceCarrierSchema;
+exports.PillarsSchema = PillarsSchema;
+exports.PolicyBlockSchema = PolicyBlockSchema;
 exports.PolicyContextSchema = PolicyContextSchema;
+exports.ProblemDetailsSchema = ProblemDetailsSchema;
 exports.ProofMethodSchema = ProofMethodSchema;
+exports.ProofTypeSchema = ProofTypeSchema;
 exports.PurposeReasonSchema = PurposeReasonSchema;
 exports.PurposeTokenSchema = PurposeTokenSchema;
 exports.REDACTION_MODES = REDACTION_MODES;
+exports.REGISTERED_EXTENSION_GROUP_KEYS = REGISTERED_EXTENSION_GROUP_KEYS;
+exports.REGISTERED_RECEIPT_TYPES = REGISTERED_RECEIPT_TYPES;
 exports.REMEDIATION_TYPES = REMEDIATION_TYPES;
+exports.REPRESENTATION_LIMITS = REPRESENTATION_LIMITS;
 exports.RESERVED_KIND_PREFIXES = RESERVED_KIND_PREFIXES;
 exports.RESULT_STATUSES = RESULT_STATUSES;
+exports.REVOCATION_REASONS = REVOCATION_REASONS;
 exports.ReceiptClaims = ReceiptClaims;
 exports.ReceiptClaimsSchema = ReceiptClaimsSchema;
 exports.ReceiptRefSchema = ReceiptRefSchema2;
+exports.ReceiptTypeSchema = ReceiptTypeSchema;
 exports.ReceiptUrlSchema = ReceiptUrlSchema;
 exports.RefsSchema = RefsSchema;
 exports.RemediationSchema = RemediationSchema;
 exports.RemediationTypeSchema = RemediationTypeSchema;
+exports.RepresentationFieldsSchema = Wire02RepresentationFieldsSchema;
 exports.ResourceTargetSchema = ResourceTargetSchema;
 exports.ResultSchema = ResultSchema;
+exports.RevokedKeyEntrySchema = RevokedKeyEntrySchema;
+exports.RevokedKeysArraySchema = RevokedKeysArraySchema;
 exports.STEP_ID_PATTERN = STEP_ID_PATTERN;
 exports.StepIdSchema = StepIdSchema;
 exports.SubjectProfileSchema = SubjectProfileSchema;
@@ -2974,14 +3816,26 @@ exports.SubjectProfileSnapshotSchema = SubjectProfileSnapshotSchema;
 exports.SubjectSchema = Subject;
 exports.SubjectTypeSchema = SubjectTypeSchema;
 exports.TERMINAL_STATES = TERMINAL_STATES;
+exports.TOOL_REGISTRY_EXTENSION_KEY = TOOL_REGISTRY_EXTENSION_KEY;
+exports.TREATY_EXTENSION_KEY = TREATY_EXTENSION_KEY;
+exports.ToolRegistrySchema = ToolRegistrySchema;
 exports.ToolTargetSchema = ToolTargetSchema;
+exports.TreatySchema = TreatySchema;
 exports.VerifyRequestSchema = VerifyRequest;
+exports.WARNING_OCCURRED_AT_SKEW = WARNING_OCCURRED_AT_SKEW;
+exports.WARNING_TYPE_UNREGISTERED = WARNING_TYPE_UNREGISTERED;
+exports.WARNING_TYP_MISSING = WARNING_TYP_MISSING;
+exports.WARNING_UNKNOWN_EXTENSION = WARNING_UNKNOWN_EXTENSION;
 exports.WELL_KNOWN_KINDS = WELL_KNOWN_KINDS;
 exports.WORKFLOW_EXTENSION_KEY = WORKFLOW_EXTENSION_KEY;
 exports.WORKFLOW_ID_PATTERN = WORKFLOW_ID_PATTERN;
 exports.WORKFLOW_LIMITS = WORKFLOW_LIMITS;
 exports.WORKFLOW_STATUSES = WORKFLOW_STATUSES;
 exports.WORKFLOW_SUMMARY_TYPE = WORKFLOW_SUMMARY_TYPE;
+exports.Wire01JWSHeaderSchema = Wire01JWSHeaderSchema;
+exports.Wire02ClaimsSchema = Wire02ClaimsSchema;
+exports.Wire02KindSchema = Wire02KindSchema;
+exports.Wire02RepresentationFieldsSchema = Wire02RepresentationFieldsSchema;
 exports.WorkflowContextSchema = WorkflowContextSchema;
 exports.WorkflowErrorContextSchema = WorkflowErrorContextSchema;
 exports.WorkflowIdSchema = WorkflowIdSchema;
@@ -2990,6 +3844,7 @@ exports.WorkflowSummaryAttestationSchema = WorkflowSummaryAttestationSchema;
 exports.WorkflowSummaryEvidenceSchema = WorkflowSummaryEvidenceSchema;
 exports.assertJsonSafeIterative = assertJsonSafeIterative;
 exports.canTransitionTo = canTransitionTo;
+exports.checkOccurredAtSkew = checkOccurredAtSkew;
 exports.computeReceiptRef = computeReceiptRef;
 exports.computeTotalWeight = computeTotalWeight;
 exports.createAgentIdentityAttestation = createAgentIdentityAttestation;
@@ -3012,8 +3867,16 @@ exports.createWorkflowId = createWorkflowId;
 exports.createWorkflowSummaryAttestation = createWorkflowSummaryAttestation;
 exports.deriveKnownPurposes = deriveKnownPurposes;
 exports.detectCycleInSources = detectCycleInSources;
+exports.detectWireVersion = detectWireVersion;
 exports.determinePurposeReason = determinePurposeReason;
 exports.extractObligationsExtension = extractObligationsExtension;
+exports.findRevokedKey = findRevokedKey;
+exports.fingerprintRefToString = fingerprintRefToString;
+exports.getAccessExtension = getAccessExtension;
+exports.getChallengeExtension = getChallengeExtension;
+exports.getCommerceExtension = getCommerceExtension;
+exports.getCorrelationExtension = getCorrelationExtension;
+exports.getIdentityExtension = getIdentityExtension;
 exports.getInteraction = getInteraction;
 exports.getValidTransitions = getValidTransitions;
 exports.hasInteraction = hasInteraction;
@@ -3027,6 +3890,7 @@ exports.isAttestationReceiptClaims = isAttestationReceiptClaims;
 exports.isAttributionAttestation = isAttributionAttestation;
 exports.isAttributionExpired = isAttributionExpired;
 exports.isAttributionNotYetValid = isAttributionNotYetValid;
+exports.isCanonicalIss = isCanonicalIss;
 exports.isCanonicalPurpose = isCanonicalPurpose;
 exports.isContributionRequired = isContributionRequired;
 exports.isCreditRequired = isCreditRequired;
@@ -3036,15 +3900,18 @@ exports.isDisputeExpired = isDisputeExpired;
 exports.isDisputeNotYetValid = isDisputeNotYetValid;
 exports.isLegacyPurpose = isLegacyPurpose;
 exports.isMinimalInteractionBinding = isMinimalInteractionBinding;
+exports.isOriginOnly = isOriginOnly;
 exports.isPaymentReceipt = isPaymentReceipt;
 exports.isReservedKindPrefix = isReservedKindPrefix;
 exports.isTerminalState = isTerminalState;
 exports.isTerminalWorkflowStatus = isTerminalWorkflowStatus;
 exports.isUndeclaredPurpose = isUndeclaredPurpose;
 exports.isValidDisputeAttestation = isValidDisputeAttestation;
+exports.isValidExtensionKey = isValidExtensionKey;
 exports.isValidInteractionEvidence = isValidInteractionEvidence;
 exports.isValidPurposeReason = isValidPurposeReason;
 exports.isValidPurposeToken = isValidPurposeToken;
+exports.isValidReceiptType = isValidReceiptType;
 exports.isValidWorkflowContext = isValidWorkflowContext;
 exports.isWellKnownKind = isWellKnownKind;
 exports.isWorkflowSummaryAttestation = isWorkflowSummaryAttestation;
@@ -3054,8 +3921,11 @@ exports.normalizeToCanonicalOrPreserve = normalizeToCanonicalOrPreserve;
 exports.parsePurposeHeader = parsePurposeHeader;
 exports.parseReceiptClaims = parseReceiptClaims;
 exports.setInteraction = setInteraction;
+exports.sortWarnings = sortWarnings;
+exports.stringToFingerprintRef = stringToFingerprintRef;
 exports.toCoreClaims = toCoreClaims;
 exports.transitionDisputeState = transitionDisputeState;
+exports.validateActorBinding = validateActorBinding;
 exports.validateAgentIdentityAttestation = validateAgentIdentityAttestation;
 exports.validateAttestationReceiptClaims = validateAttestationReceiptClaims;
 exports.validateAttributionAttestation = validateAttributionAttestation;
@@ -3063,6 +3933,8 @@ exports.validateAttributionSource = validateAttributionSource;
 exports.validateCarrierConstraints = validateCarrierConstraints;
 exports.validateContentHash = validateContentHash;
 exports.validateContributionObligation = validateContributionObligation;
+exports.validateControlAction = validateControlAction;
+exports.validateCredentialEvent = validateCredentialEvent;
 exports.validateCreditObligation = validateCreditObligation;
 exports.validateDisputeAttestation = validateDisputeAttestation;
 exports.validateDisputeContact = validateDisputeContact;
@@ -3073,13 +3945,19 @@ exports.validateInteraction = validateInteraction;
 exports.validateInteractionEvidence = validateInteractionEvidence;
 exports.validateInteractionOrdered = validateInteractionOrdered;
 exports.validateKernelConstraints = validateKernelConstraints;
+exports.validateKnownExtensions = validateKnownExtensions;
+exports.validateMVIS = validateMVIS;
 exports.validateMinimalInteractionBinding = validateMinimalInteractionBinding;
 exports.validateObligationsExtension = validateObligationsExtension;
 exports.validatePurposeTokens = validatePurposeTokens;
+exports.validateRevokedKeys = validateRevokedKeys;
 exports.validateSubjectSnapshot = validateSubjectSnapshot;
+exports.validateToolRegistry = validateToolRegistry;
+exports.validateTreaty = validateTreaty;
 exports.validateWorkflowContext = validateWorkflowContext;
 exports.validateWorkflowContextOrdered = validateWorkflowContextOrdered;
 exports.validateWorkflowSummaryAttestation = validateWorkflowSummaryAttestation;
+exports.verifyPolicyBinding = verifyPolicyBinding;
 exports.verifyReceiptRefConsistency = verifyReceiptRefConsistency;
 //# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map