@peac/schema 0.11.2 → 0.12.0-preview.1

package/dist/index.mjs

@@ -1,5 +1,5 @@
 import * as kernel from '@peac/kernel';
-import { ALGORITHMS, HEADERS, POLICY, ISSUER_CONFIG, DISCOVERY, WIRE_TYPE } from '@peac/kernel';
+import { ALGORITHMS, HEADERS, POLICY, ISSUER_CONFIG, DISCOVERY, WIRE_TYPE, TYPE_GRAMMAR, ISS_CANONICAL, POLICY_BLOCK, HASH, OCCURRED_AT_TOLERANCE_SECONDS } from '@peac/kernel';
 import { z } from 'zod';
 
 // src/errors.ts
@@ -34,7 +34,9 @@ var ERROR_CODES = {
   E_WORKFLOW_SUMMARY_INVALID: "E_WORKFLOW_SUMMARY_INVALID",
   E_WORKFLOW_CYCLE_DETECTED: "E_WORKFLOW_CYCLE_DETECTED",
   // Constraint errors (400, DD-121)
-  E_CONSTRAINT_VIOLATION: "E_CONSTRAINT_VIOLATION"
+  E_CONSTRAINT_VIOLATION: "E_CONSTRAINT_VIOLATION",
+  // Wire 0.2 extension errors (400, DD-153/DD-156)
+  E_INVALID_EXTENSION_KEY: "E_INVALID_EXTENSION_KEY"
 };
 function createPEACError(code, category, severity, retryable, options) {
   return {
@@ -943,11 +945,12 @@ var Extensions = z.object({
   aipref_snapshot: AIPREFSnapshot.optional()
   // control block validated via ControlBlockSchema when present
 }).catchall(z.unknown());
-var JWSHeader = z.object({
+var Wire01JWSHeaderSchema = z.object({
   typ: z.literal(PEAC_WIRE_TYP),
   alg: z.literal(PEAC_ALG),
   kid: z.string().min(8)
 }).strict();
+var JWSHeader = Wire01JWSHeaderSchema;
 var CanonicalPurposeValues = ["train", "search", "user_action", "inference", "index"];
 var PurposeReasonValues = [
   "allowed",
@@ -1135,6 +1138,306 @@ function validateEvidence(evidence, limits) {
   }
   return { ok: true, value: evidence };
 }
+var PROOF_TYPES = [
+  "ed25519-cert-chain",
+  "eat-passport",
+  "eat-background-check",
+  "sigstore-oidc",
+  "did",
+  "spiffe",
+  "x509-pki",
+  "custom"
+];
+var ProofTypeSchema = z.enum(PROOF_TYPES);
+function isOriginOnly(value) {
+  try {
+    const url = new URL(value);
+    if (url.protocol !== "https:" && url.protocol !== "http:") {
+      return false;
+    }
+    if (url.pathname !== "/") {
+      return false;
+    }
+    if (url.search !== "") {
+      return false;
+    }
+    if (url.hash !== "" || value.includes("#")) {
+      return false;
+    }
+    if (url.username !== "" || url.password !== "") {
+      return false;
+    }
+    if (url.hostname.endsWith(".")) {
+      return false;
+    }
+    const hostPart = value.replace(/^https?:\/\//, "").split(/[/:]/)[0];
+    if (hostPart.endsWith(".")) {
+      return false;
+    }
+    if (url.hostname.includes("%")) {
+      return false;
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+var ACTOR_BINDING_EXTENSION_KEY = "org.peacprotocol/actor_binding";
+var ActorBindingSchema = z.object({
+  /** Stable actor identifier (opaque, no PII) */
+  id: z.string().min(1).max(256),
+  /** Proof type from DD-143 multi-root vocabulary */
+  proof_type: ProofTypeSchema,
+  /** URI or hash of external proof artifact */
+  proof_ref: z.string().max(2048).optional(),
+  /** Origin-only URL: scheme + host + optional port; NO path, query, or fragment */
+  origin: z.string().max(2048).refine(isOriginOnly, {
+    message: "origin must be an origin-only URL (scheme + host + optional port; no path, query, or fragment)"
+  }),
+  /** SHA-256 hash of the intent (hash-first per DD-138) */
+  intent_hash: z.string().regex(/^sha256:[a-f0-9]{64}$/, {
+    message: "intent_hash must match sha256:<64 hex chars>"
+  }).optional()
+}).strict();
+var MVISTimeBoundsSchema = z.object({
+  /** Earliest valid time (RFC 3339) */
+  not_before: z.string().datetime(),
+  /** Latest valid time (RFC 3339) */
+  not_after: z.string().datetime()
+}).strict();
+var MVISReplayProtectionSchema = z.object({
+  /** Unique token identifier (jti from JWT or equivalent) */
+  jti: z.string().min(1).max(256),
+  /** Optional nonce for additional replay protection */
+  nonce: z.string().max(256).optional()
+}).strict();
+var MVISFieldsSchema = z.object({
+  /** Who issued the identity assertion */
+  issuer: z.string().min(1).max(2048),
+  /** Who the identity is about (opaque identifier, no PII) */
+  subject: z.string().min(1).max(256),
+  /** Cryptographic binding: kid or JWK thumbprint */
+  key_binding: z.string().min(1).max(256),
+  /** Validity period */
+  time_bounds: MVISTimeBoundsSchema,
+  /** Replay protection */
+  replay_protection: MVISReplayProtectionSchema
+}).strict();
+function validateActorBinding(data) {
+  const result = ActorBindingSchema.safeParse(data);
+  if (result.success) {
+    return { ok: true, value: result.data };
+  }
+  return { ok: false, error: result.error.message };
+}
+function validateMVIS(data) {
+  const result = MVISFieldsSchema.safeParse(data);
+  if (!result.success) {
+    return { ok: false, error: result.error.message };
+  }
+  const notBefore = new Date(result.data.time_bounds.not_before).getTime();
+  const notAfter = new Date(result.data.time_bounds.not_after).getTime();
+  if (notBefore >= notAfter) {
+    return { ok: false, error: "not_before must be before not_after" };
+  }
+  const MAX_DURATION_MS = 100 * 365.25 * 24 * 60 * 60 * 1e3;
+  if (notAfter - notBefore > MAX_DURATION_MS) {
+    return { ok: false, error: "time_bounds duration must not exceed 100 years" };
+  }
+  return { ok: true, value: result.data };
+}
+var CREDENTIAL_EVENT_EXTENSION_KEY = "org.peacprotocol/credential_event";
+var CREDENTIAL_EVENTS = ["issued", "leased", "rotated", "revoked", "expired"];
+var CredentialEventTypeSchema = z.enum(CREDENTIAL_EVENTS);
+var FINGERPRINT_REF_PATTERN = /^(sha256|hmac-sha256):[a-f0-9]{64}$/;
+var CredentialRefSchema = z.string().max(256).regex(FINGERPRINT_REF_PATTERN, {
+  message: "credential_ref must be an opaque fingerprint reference: (sha256|hmac-sha256):<64 hex chars>"
+});
+var CredentialEventSchema = z.object({
+  /** Lifecycle event type */
+  event: CredentialEventTypeSchema,
+  /** Opaque fingerprint reference of the credential (format validation only) */
+  credential_ref: CredentialRefSchema,
+  /** Authority that performed the action (HTTPS URL) */
+  authority: z.string().url().max(2048).refine((v) => v.startsWith("https://"), {
+    message: "authority must be an HTTPS URL"
+  }),
+  /** When the credential expires (RFC 3339, optional) */
+  expires_at: z.string().datetime().optional(),
+  /** Previous credential reference for rotation chains (optional) */
+  previous_ref: CredentialRefSchema.optional()
+}).strict();
+function validateCredentialEvent(data) {
+  const result = CredentialEventSchema.safeParse(data);
+  if (result.success) {
+    return { ok: true, value: result.data };
+  }
+  return { ok: false, error: result.error.message };
+}
+var TOOL_REGISTRY_EXTENSION_KEY = "org.peacprotocol/tool_registry";
+function isAllowedRegistryUri(value) {
+  if (value.startsWith("urn:")) {
+    return true;
+  }
+  try {
+    const url = new URL(value);
+    return url.protocol === "https:";
+  } catch {
+    return false;
+  }
+}
+var ToolRegistrySchema = z.object({
+  /** Tool identifier */
+  tool_id: z.string().min(1).max(256),
+  /** Registry URI (HTTPS or URN only; no file:// or data:// for SSRF prevention) */
+  registry_uri: z.string().max(2048).refine(isAllowedRegistryUri, {
+    message: "registry_uri must be an HTTPS URL or URN (file:// and data:// are prohibited)"
+  }),
+  /** Tool version (optional, semver-like) */
+  version: z.string().max(64).optional(),
+  /** Tool capabilities (optional) */
+  capabilities: z.array(z.string().max(64)).max(32).optional()
+}).strict();
+function validateToolRegistry(data) {
+  const result = ToolRegistrySchema.safeParse(data);
+  if (result.success) {
+    return { ok: true, value: result.data };
+  }
+  return { ok: false, error: result.error.message };
+}
+var CONTROL_ACTION_EXTENSION_KEY = "org.peacprotocol/control_action";
+var CONTROL_ACTIONS = ["grant", "deny", "escalate", "delegate", "audit"];
+var ControlActionTypeSchema = z.enum(CONTROL_ACTIONS);
+var CONTROL_TRIGGERS = [
+  "policy_evaluation",
+  "manual_review",
+  "anomaly_detection",
+  "scheduled",
+  "event_driven"
+];
+var ControlTriggerSchema = z.enum(CONTROL_TRIGGERS);
+var ControlActionSchema = z.object({
+  /** Action taken */
+  action: ControlActionTypeSchema,
+  /** What triggered the action */
+  trigger: ControlTriggerSchema,
+  /** Resource or scope the action applies to (optional) */
+  resource: z.string().max(2048).optional(),
+  /** Reason for the action (optional, human-readable) */
+  reason: z.string().max(1024).optional(),
+  /** Policy identifier that was evaluated (optional) */
+  policy_ref: z.string().max(2048).optional(),
+  /** When the action was taken (RFC 3339, optional; defaults to receipt iat) */
+  action_at: z.string().datetime().optional()
+}).strict();
+function validateControlAction(data) {
+  const result = ControlActionSchema.safeParse(data);
+  if (result.success) {
+    return { ok: true, value: result.data };
+  }
+  return { ok: false, error: result.error.message };
+}
+var TREATY_EXTENSION_KEY = "org.peacprotocol/treaty";
+var COMMITMENT_CLASSES = ["informational", "operational", "financial", "legal"];
+var CommitmentClassSchema = z.enum(COMMITMENT_CLASSES);
+var TreatySchema = z.object({
+  /** Commitment level */
+  commitment_class: CommitmentClassSchema,
+  /** URL to full terms document (optional) */
+  terms_ref: z.string().url().max(2048).optional(),
+  /** SHA-256 hash of terms document for integrity verification (optional) */
+  terms_hash: z.string().regex(/^sha256:[a-f0-9]{64}$/, {
+    message: "terms_hash must match sha256:<64 hex chars>"
+  }).optional(),
+  /** Counterparty identifier (optional) */
+  counterparty: z.string().max(256).optional(),
+  /** When the treaty becomes effective (RFC 3339, optional) */
+  effective_at: z.string().datetime().optional(),
+  /** When the treaty expires (RFC 3339, optional) */
+  expires_at: z.string().datetime().optional()
+}).strict();
+function validateTreaty(data) {
+  const result = TreatySchema.safeParse(data);
+  if (!result.success) {
+    return { ok: false, error: result.error.message };
+  }
+  if (result.data.effective_at && result.data.expires_at) {
+    const effectiveMs = new Date(result.data.effective_at).getTime();
+    const expiresMs = new Date(result.data.expires_at).getTime();
+    if (effectiveMs > expiresMs) {
+      return { ok: false, error: "effective_at must not be after expires_at" };
+    }
+  }
+  return { ok: true, value: result.data };
+}
+
+// src/extensions/fingerprint-ref.ts
+function hexToBase64url(hex) {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
+  }
+  let base64;
+  if (typeof Buffer !== "undefined") {
+    base64 = Buffer.from(bytes).toString("base64");
+  } else {
+    base64 = btoa(String.fromCharCode(...bytes));
+  }
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64urlToHex(b64url) {
+  let base64 = b64url.replace(/-/g, "+").replace(/_/g, "/");
+  while (base64.length % 4 !== 0) {
+    base64 += "=";
+  }
+  let bytes;
+  if (typeof Buffer !== "undefined") {
+    bytes = Buffer.from(base64, "base64");
+  } else {
+    const binary = atob(base64);
+    bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+  }
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+}
+var VALID_ALGS = ["sha256", "hmac-sha256"];
+var STRING_FORM_PATTERN = /^(sha256|hmac-sha256):([a-f0-9]{64})$/;
+var MAX_FINGERPRINT_REF_LENGTH = 76;
+var BASE64URL_PATTERN = /^[A-Za-z0-9_-]+$/;
+function stringToFingerprintRef(s) {
+  if (s.length > MAX_FINGERPRINT_REF_LENGTH) {
+    return null;
+  }
+  const match = STRING_FORM_PATTERN.exec(s);
+  if (!match) {
+    return null;
+  }
+  const alg = match[1];
+  const hex = match[2];
+  return {
+    alg,
+    value: hexToBase64url(hex)
+  };
+}
+function fingerprintRefToString(obj) {
+  if (!VALID_ALGS.includes(obj.alg)) {
+    return null;
+  }
+  if (!BASE64URL_PATTERN.test(obj.value)) {
+    return null;
+  }
+  try {
+    const hex = base64urlToHex(obj.value);
+    if (hex.length !== 64) {
+      return null;
+    }
+    return `${obj.alg}:${hex}`;
+  } catch {
+    return null;
+  }
+}
 var DISPUTE_LIMITS = {
   /** Maximum grounds per dispute */
   maxGrounds: 10,
@@ -2751,15 +3054,404 @@ async function verifyReceiptRefConsistency(carrier) {
   }
   return null;
 }
+function isValidContentHash(s) {
+  const ref = stringToFingerprintRef(s);
+  if (ref === null) return false;
+  return ref.alg === "sha256";
+}
+var MIME_PATTERN = /^[a-zA-Z0-9][a-zA-Z0-9!#$&\-^_.+]*\/[a-zA-Z0-9][a-zA-Z0-9!#$&\-^_.+]*(;\s*[a-zA-Z0-9][a-zA-Z0-9!#$&\-^_.+]*=[^\s;]+)*$/;
+function isValidMimeType(s) {
+  return MIME_PATTERN.test(s);
+}
+var REPRESENTATION_LIMITS = {
+  /** Max content_hash string length (sha256:<64 hex> = 71 chars, capped at FingerprintRef max) */
+  maxContentHashLength: MAX_FINGERPRINT_REF_LENGTH,
+  /** Max content_type string length */
+  maxContentTypeLength: 256
+};
+var Wire02RepresentationFieldsSchema = z.object({
+  /**
+   * FingerprintRef of the served content body.
+   * Format: sha256:<64 lowercase hex>
+   * hmac-sha256 is NOT permitted for representation hashes.
+   */
+  content_hash: z.string().max(REPRESENTATION_LIMITS.maxContentHashLength).refine(isValidContentHash, {
+    message: "content_hash must be a valid sha256 FingerprintRef (sha256:<64 lowercase hex>)"
+  }).optional(),
+  /**
+   * MIME type of the served content (e.g., 'text/plain', 'application/json').
+   * Conservative pattern validation: type/subtype with optional parameters.
+   */
+  content_type: z.string().max(REPRESENTATION_LIMITS.maxContentTypeLength).refine(isValidMimeType, {
+    message: "content_type must be a valid MIME type (type/subtype with optional parameters)"
+  }).optional(),
+  /**
+   * Size of the served content in bytes.
+   * Non-negative integer, bounded by Number.MAX_SAFE_INTEGER.
+   */
+  content_length: z.number().int().finite().nonnegative().max(Number.MAX_SAFE_INTEGER).optional()
+}).strict();
+var EXTENSION_LIMITS = {
+  // Extension key grammar
+  maxExtensionKeyLength: 512,
+  maxDnsLabelLength: 63,
+  maxDnsDomainLength: 253,
+  // Commerce
+  maxPaymentRailLength: 128,
+  maxCurrencyLength: 16,
+  maxAmountMinorLength: 64,
+  maxReferenceLength: 256,
+  maxAssetLength: 256,
+  // Access
+  maxResourceLength: 2048,
+  maxActionLength: 256,
+  // Challenge
+  maxProblemTypeLength: 2048,
+  maxProblemTitleLength: 256,
+  maxProblemDetailLength: 4096,
+  maxProblemInstanceLength: 2048,
+  // Identity
+  maxProofRefLength: 256,
+  // Correlation
+  maxTraceIdLength: 32,
+  maxSpanIdLength: 16,
+  maxWorkflowIdLength: 256,
+  maxParentJtiLength: 256,
+  maxDependsOnLength: 64
+};
+var DNS_LABEL = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/;
+var SEGMENT_PATTERN = /^[a-z0-9][a-z0-9_-]*$/;
+function isValidExtensionKey(key) {
+  if (key.length === 0 || key.length > EXTENSION_LIMITS.maxExtensionKeyLength) return false;
+  const slashIdx = key.indexOf("/");
+  if (slashIdx <= 0) return false;
+  const domain = key.slice(0, slashIdx);
+  const segment = key.slice(slashIdx + 1);
+  if (!domain.includes(".")) return false;
+  if (domain.length > EXTENSION_LIMITS.maxDnsDomainLength) return false;
+  if (segment.length === 0) return false;
+  if (!SEGMENT_PATTERN.test(segment)) return false;
+  const labels = domain.split(".");
+  for (const label of labels) {
+    if (label.length === 0 || label.length > EXTENSION_LIMITS.maxDnsLabelLength) return false;
+    if (!DNS_LABEL.test(label)) return false;
+  }
+  return true;
+}
+var COMMERCE_EXTENSION_KEY = "org.peacprotocol/commerce";
+var ACCESS_EXTENSION_KEY = "org.peacprotocol/access";
+var CHALLENGE_EXTENSION_KEY = "org.peacprotocol/challenge";
+var IDENTITY_EXTENSION_KEY = "org.peacprotocol/identity";
+var CORRELATION_EXTENSION_KEY = "org.peacprotocol/correlation";
+function escapePointerSegment(s) {
+  return s.replace(/~/g, "~0").replace(/\//g, "~1");
+}
+function zodPathToPointer(groupKey, zodPath) {
+  const escaped = escapePointerSegment(groupKey);
+  const segments = zodPath.map((s) => escapePointerSegment(String(s)));
+  return `/extensions/${escaped}` + (segments.length > 0 ? "/" + segments.join("/") : "");
+}
+var AMOUNT_MINOR_PATTERN = /^-?[0-9]+$/;
+var CommerceExtensionSchema = z.object({
+  /** Payment rail identifier (e.g., 'stripe', 'x402', 'lightning') */
+  payment_rail: z.string().min(1).max(EXTENSION_LIMITS.maxPaymentRailLength),
+  /**
+   * Amount in smallest currency unit as a string for arbitrary precision.
+   * Base-10 integer: optional leading minus, one or more digits.
+   * Decimals and empty strings are rejected.
+   */
+  amount_minor: z.string().min(1).max(EXTENSION_LIMITS.maxAmountMinorLength).regex(
+    AMOUNT_MINOR_PATTERN,
+    'amount_minor must be a base-10 integer string (e.g., "1000", "-50")'
+  ),
+  /** ISO 4217 currency code or asset identifier */
+  currency: z.string().min(1).max(EXTENSION_LIMITS.maxCurrencyLength),
+  /** Caller-assigned payment reference */
+  reference: z.string().max(EXTENSION_LIMITS.maxReferenceLength).optional(),
+  /** Asset identifier for non-fiat (e.g., token address) */
+  asset: z.string().max(EXTENSION_LIMITS.maxAssetLength).optional(),
+  /** Environment discriminant */
+  env: z.enum(["live", "test"]).optional()
+}).strict();
+var AccessExtensionSchema = z.object({
+  /** Resource being accessed (URI or identifier) */
+  resource: z.string().min(1).max(EXTENSION_LIMITS.maxResourceLength),
+  /** Action performed on the resource */
+  action: z.string().min(1).max(EXTENSION_LIMITS.maxActionLength),
+  /** Access decision */
+  decision: z.enum(["allow", "deny", "review"])
+}).strict();
+var CHALLENGE_TYPES = [
+  "payment_required",
+  "identity_required",
+  "consent_required",
+  "attestation_required",
+  "rate_limited",
+  "purpose_disallowed",
+  "custom"
+];
+var ChallengeTypeSchema = z.enum(CHALLENGE_TYPES);
+var ProblemDetailsSchema = z.object({
+  /** HTTP status code (100-599) */
+  status: z.number().int().min(100).max(599),
+  /** Problem type URI */
+  type: z.string().min(1).max(EXTENSION_LIMITS.maxProblemTypeLength).url(),
+  /** Short human-readable summary */
+  title: z.string().max(EXTENSION_LIMITS.maxProblemTitleLength).optional(),
+  /** Human-readable explanation specific to this occurrence */
+  detail: z.string().max(EXTENSION_LIMITS.maxProblemDetailLength).optional(),
+  /** URI reference identifying the specific occurrence */
+  instance: z.string().max(EXTENSION_LIMITS.maxProblemInstanceLength).optional()
+}).passthrough();
+var ChallengeExtensionSchema = z.object({
+  /** Challenge type (7 values) */
+  challenge_type: ChallengeTypeSchema,
+  /** RFC 9457 Problem Details */
+  problem: ProblemDetailsSchema,
+  /** Resource that triggered the challenge */
+  resource: z.string().max(EXTENSION_LIMITS.maxResourceLength).optional(),
+  /** Action that triggered the challenge */
+  action: z.string().max(EXTENSION_LIMITS.maxActionLength).optional(),
+  /** Caller-defined requirements for resolving the challenge */
+  requirements: z.record(z.string(), z.unknown()).optional()
+}).strict();
+var IdentityExtensionSchema = z.object({
+  /** Proof reference (opaque string; no actor_binding: top-level actor is sole location) */
+  proof_ref: z.string().max(EXTENSION_LIMITS.maxProofRefLength).optional()
+}).strict();
+var TRACE_ID_PATTERN = /^[0-9a-f]{32}$/;
+var SPAN_ID_PATTERN = /^[0-9a-f]{16}$/;
+var CorrelationExtensionSchema = z.object({
+  /** OpenTelemetry-compatible trace ID (32 lowercase hex chars) */
+  trace_id: z.string().length(EXTENSION_LIMITS.maxTraceIdLength).regex(TRACE_ID_PATTERN, "trace_id must be 32 lowercase hex characters").optional(),
+  /** OpenTelemetry-compatible span ID (16 lowercase hex chars) */
+  span_id: z.string().length(EXTENSION_LIMITS.maxSpanIdLength).regex(SPAN_ID_PATTERN, "span_id must be 16 lowercase hex characters").optional(),
+  /** Workflow identifier */
+  workflow_id: z.string().min(1).max(EXTENSION_LIMITS.maxWorkflowIdLength).optional(),
+  /** Parent receipt JTI for causal chains */
+  parent_jti: z.string().min(1).max(EXTENSION_LIMITS.maxParentJtiLength).optional(),
+  /** JTIs this receipt depends on */
+  depends_on: z.array(z.string().min(1).max(EXTENSION_LIMITS.maxParentJtiLength)).max(EXTENSION_LIMITS.maxDependsOnLength).optional()
+}).strict();
+var EXTENSION_SCHEMA_MAP = /* @__PURE__ */ new Map();
+EXTENSION_SCHEMA_MAP.set(COMMERCE_EXTENSION_KEY, CommerceExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(ACCESS_EXTENSION_KEY, AccessExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(CHALLENGE_EXTENSION_KEY, ChallengeExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(IDENTITY_EXTENSION_KEY, IdentityExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(CORRELATION_EXTENSION_KEY, CorrelationExtensionSchema);
+function getExtension(extensions, key, schema) {
+  if (extensions === void 0) return void 0;
+  if (!Object.prototype.hasOwnProperty.call(extensions, key)) return void 0;
+  const value = extensions[key];
+  const result = schema.safeParse(value);
+  if (result.success) {
+    return result.data;
+  }
+  const firstIssue = result.error.issues[0];
+  const pointer = zodPathToPointer(key, firstIssue?.path ?? []);
+  throw createPEACError(ERROR_CODES.E_INVALID_ENVELOPE, "validation", "error", false, {
+    http_status: 400,
+    pointer,
+    remediation: `Fix the ${key} extension group value`,
+    details: {
+      message: firstIssue?.message ?? "Invalid extension value",
+      issues: result.error.issues
+    }
+  });
+}
+function getCommerceExtension(extensions) {
+  return getExtension(extensions, COMMERCE_EXTENSION_KEY, CommerceExtensionSchema);
+}
+function getAccessExtension(extensions) {
+  return getExtension(extensions, ACCESS_EXTENSION_KEY, AccessExtensionSchema);
+}
+function getChallengeExtension(extensions) {
+  return getExtension(extensions, CHALLENGE_EXTENSION_KEY, ChallengeExtensionSchema);
+}
+function getIdentityExtension(extensions) {
+  return getExtension(extensions, IDENTITY_EXTENSION_KEY, IdentityExtensionSchema);
+}
+function getCorrelationExtension(extensions) {
+  return getExtension(extensions, CORRELATION_EXTENSION_KEY, CorrelationExtensionSchema);
+}
+function validateKnownExtensions(extensions, ctx) {
+  if (extensions === void 0) return;
+  for (const key of Object.keys(extensions)) {
+    if (!isValidExtensionKey(key)) {
+      ctx.addIssue({
+        code: "custom",
+        message: ERROR_CODES.E_INVALID_EXTENSION_KEY,
+        path: ["extensions", key]
+      });
+      continue;
+    }
+    const schema = EXTENSION_SCHEMA_MAP.get(key);
+    if (schema !== void 0) {
+      const result = schema.safeParse(extensions[key]);
+      if (!result.success) {
+        const firstIssue = result.error.issues[0];
+        const issuePath = firstIssue?.path ?? [];
+        ctx.addIssue({
+          code: "custom",
+          message: firstIssue?.message ?? "Invalid extension value",
+          path: ["extensions", key, ...issuePath]
+        });
+      }
+    }
+  }
+}
+
+// src/wire-02-envelope.ts
+function isSortedAndUnique(arr) {
+  for (let i = 1; i < arr.length; i++) {
+    if (arr[i] <= arr[i - 1]) return false;
+  }
+  return true;
+}
+function isCanonicalIss(iss) {
+  if (typeof iss !== "string" || iss.length === 0 || iss.length > ISS_CANONICAL.maxLength) {
+    return false;
+  }
+  if (iss.startsWith("did:")) {
+    return /^did:[a-z0-9]+:[^#?/]+$/.test(iss);
+  }
+  try {
+    const url = new URL(iss);
+    if (url.protocol !== "https:") return false;
+    if (!url.hostname) return false;
+    if (url.username !== "" || url.password !== "") return false;
+    const origin = `${url.protocol}//${url.host}`;
+    return iss === origin;
+  } catch {
+    return false;
+  }
+}
+var ABS_URI_PATTERN = /^[a-z][a-z0-9+.-]*:\/\//;
+function isValidReceiptType(value) {
+  if (value.length === 0 || value.length > TYPE_GRAMMAR.maxLength) return false;
+  if (ABS_URI_PATTERN.test(value)) return true;
+  const slashIdx = value.indexOf("/");
+  if (slashIdx <= 0) return false;
+  const domain = value.slice(0, slashIdx);
+  const segment = value.slice(slashIdx + 1);
+  if (!domain.includes(".")) return false;
+  if (segment.length === 0) return false;
+  if (!/^[a-zA-Z0-9][a-zA-Z0-9.-]*$/.test(domain)) return false;
+  if (!/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/.test(segment)) return false;
+  return true;
+}
+var EVIDENCE_PILLARS = [
+  "access",
+  "attribution",
+  "commerce",
+  "compliance",
+  "consent",
+  "identity",
+  "privacy",
+  "provenance",
+  "purpose",
+  "safety"
+];
+var EvidencePillarSchema = z.enum(
+  EVIDENCE_PILLARS
+);
+var PillarsSchema = z.array(EvidencePillarSchema).min(1).superRefine((arr, ctx) => {
+  if (!isSortedAndUnique(arr)) {
+    ctx.addIssue({
+      code: "custom",
+      message: "E_PILLARS_NOT_SORTED"
+    });
+  }
+});
+var Wire02KindSchema = z.enum(["evidence", "challenge"]);
+var ReceiptTypeSchema = z.string().max(TYPE_GRAMMAR.maxLength).refine(isValidReceiptType, {
+  message: "type must be reverse-DNS notation (e.g., org.example/flow) or an absolute URI"
+});
+var CanonicalIssSchema = z.string().max(ISS_CANONICAL.maxLength).refine(isCanonicalIss, {
+  message: "E_ISS_NOT_CANONICAL"
+});
+var PolicyBlockSchema = z.object({
+  /** JCS+SHA-256 digest: 'sha256:<64 lowercase hex>' */
+  digest: z.string().regex(HASH.pattern, "digest must be sha256:<64 lowercase hex>"),
+  /**
+   * HTTPS locator hint for the policy document.
+   * MUST be an https:// URL (max 2048 chars).
+   * MUST NOT trigger auto-fetch; callers use this as a hint only (DD-55).
+   */
+  uri: z.string().max(POLICY_BLOCK.uriMaxLength).url().refine((u) => u.startsWith("https://"), "policy.uri must be an https:// URL").optional(),
+  /** Caller-assigned version label (max 256 chars) */
+  version: z.string().max(POLICY_BLOCK.versionMaxLength).optional()
+});
+var Wire02ClaimsSchema = z.object({
+  /** Wire format version discriminant; always '0.2' for Wire 0.2 */
+  peac_version: z.literal("0.2"),
+  /** Structural kind: 'evidence' or 'challenge' */
+  kind: Wire02KindSchema,
+  /** Open semantic type (reverse-DNS or absolute URI) */
+  type: ReceiptTypeSchema,
+  /** Canonical issuer (https:// ASCII origin or did: identifier) */
+  iss: CanonicalIssSchema,
+  /** Issued-at time (Unix seconds). REQUIRED. */
+  iat: z.number().int(),
+  /** Unique receipt identifier; 1 to 256 chars */
+  jti: z.string().min(1).max(256),
+  /** Subject identifier; max 2048 chars */
+  sub: z.string().max(2048).optional(),
+  /** Evidence pillars (closed 10-value taxonomy); sorted ascending, unique */
+  pillars: PillarsSchema.optional(),
+  /** Top-level actor binding (sole location for ActorBinding in Wire 0.2) */
+  actor: ActorBindingSchema.optional(),
+  /** Policy binding block (DD-151) */
+  policy: PolicyBlockSchema.optional(),
+  /** Representation fields (DD-152): FingerprintRef validation, sha256-only, strict */
+  representation: Wire02RepresentationFieldsSchema.optional(),
+  /** ISO 8601 / RFC 3339 timestamp when the interaction occurred; evidence kind only */
+  occurred_at: z.string().datetime({ offset: true }).optional(),
+  /** Declared purpose string; max 256 chars */
+  purpose_declared: z.string().max(256).optional(),
+  /** Extension groups (open; known group keys validated by group schema) */
+  extensions: z.record(z.string(), z.unknown()).optional()
+}).superRefine((data, ctx) => {
+  if (data.kind === "challenge" && data.occurred_at !== void 0) {
+    ctx.addIssue({
+      code: "custom",
+      message: "E_OCCURRED_AT_ON_CHALLENGE"
+    });
+  }
+  validateKnownExtensions(data.extensions, ctx);
+}).strict();
+function checkOccurredAtSkew(occurredAt, iat, now, tolerance = OCCURRED_AT_TOLERANCE_SECONDS) {
+  if (occurredAt === void 0) return null;
+  const ts = Date.parse(occurredAt) / 1e3;
+  if (isNaN(ts)) return null;
+  if (ts > now + tolerance) return "future_error";
+  if (ts > iat) {
+    return {
+      code: "occurred_at_skew",
+      message: "occurred_at is after iat",
+      pointer: "/occurred_at"
+    };
+  }
+  return null;
+}
 
 // src/receipt-parser.ts
-function classifyReceipt(obj) {
+function detectWireVersion(obj) {
+  if (obj === null || obj === void 0 || typeof obj !== "object" || Array.isArray(obj)) {
+    return null;
+  }
+  const record = obj;
+  if (record.peac_version === "0.2") return "0.2";
+  if ("peac_version" in record) return null;
+  return "0.1";
+}
+function classifyWire01Receipt(obj) {
   if ("amt" in obj || "cur" in obj || "payment" in obj) {
     return "commerce";
   }
   return "attestation";
 }
-function parseReceiptClaims(input, _opts) {
+function parseReceiptClaims(input, opts) {
   if (input === null || input === void 0 || typeof input !== "object" || Array.isArray(input)) {
     return {
       ok: false,
@@ -2770,7 +3462,37 @@ function parseReceiptClaims(input, _opts) {
     };
   }
   const obj = input;
-  const variant = classifyReceipt(obj);
+  const wireVersion = opts?.wireVersion === "0.2" || opts?.wireVersion === "0.1" ? opts.wireVersion : detectWireVersion(obj);
+  if (wireVersion === null) {
+    return {
+      ok: false,
+      error: {
+        code: "E_UNSUPPORTED_WIRE_VERSION",
+        message: `Unsupported or unrecognized peac_version: ${JSON.stringify(obj["peac_version"])}`
+      }
+    };
+  }
+  if (wireVersion === "0.2") {
+    const result2 = Wire02ClaimsSchema.safeParse(obj);
+    if (!result2.success) {
+      return {
+        ok: false,
+        error: {
+          code: "E_INVALID_FORMAT",
+          message: `Wire 0.2 receipt validation failed: ${result2.error.issues.map((i) => i.message).join("; ")}`,
+          issues: result2.error.issues
+        }
+      };
+    }
+    return {
+      ok: true,
+      variant: "wire-02",
+      wireVersion: "0.2",
+      warnings: [],
+      claims: result2.data
+    };
+  }
+  const variant = classifyWire01Receipt(obj);
   if (variant === "commerce") {
     const result2 = ReceiptClaimsSchema.safeParse(obj);
     if (!result2.success) {
@@ -2786,6 +3508,8 @@ function parseReceiptClaims(input, _opts) {
     return {
       ok: true,
       variant: "commerce",
+      wireVersion: "0.1",
+      warnings: [],
       claims: result2.data
     };
   }
@@ -2803,10 +3527,82 @@ function parseReceiptClaims(input, _opts) {
   return {
     ok: true,
     variant: "attestation",
+    wireVersion: "0.1",
+    warnings: [],
     claims: result.data
   };
 }
 
-export { AGENT_IDENTITY_TYPE, AIPREFSnapshot as AIPREFSnapshotSchema, ATTESTATION_LIMITS, ATTESTATION_RECEIPT_TYPE, ATTRIBUTION_LIMITS, ATTRIBUTION_TYPE, ATTRIBUTION_USAGES, AgentIdentityAttestationSchema, AgentIdentityEvidenceSchema, AgentIdentityVerifiedSchema, AgentProofSchema, AttestationExtensionsSchema, AttestationReceiptClaimsSchema, AttestationSchema, AttributionAttestationSchema, AttributionEvidenceSchema, AttributionSourceSchema, AttributionUsageSchema, BindingDetailsSchema, CANONICAL_DIGEST_ALGS, CANONICAL_PURPOSES, CARRIER_TRANSPORT_LIMITS, CONTRIBUTION_TYPES, CONTROL_TYPES, CREDIT_METHODS, CanonicalPurposeSchema, CarrierFormatSchema, CarrierMetaSchema, CompactJwsSchema, ContactMethodSchema, ContentHashSchema, ContributionObligationSchema, ContributionTypeSchema, ControlBlockSchema, ControlDecisionSchema, ControlLicensingModeSchema, ControlPurposeSchema, ControlStepSchema, ControlTypeSchema, CreditMethodSchema, CreditObligationSchema, DERIVATION_TYPES, DIGEST_SIZE_CONSTANTS, DIGEST_VALUE_PATTERN, DISPUTE_GROUNDS_CODES, DISPUTE_LIMITS, DISPUTE_OUTCOMES, DISPUTE_STATES, DISPUTE_TARGET_TYPES, DISPUTE_TRANSITIONS, DISPUTE_TYPE, DISPUTE_TYPES, DerivationTypeSchema, DigestAlgSchema, DigestSchema, DisputeAttestationSchema, DisputeContactSchema, DisputeEvidenceSchema, DisputeGroundsCodeSchema, DisputeGroundsSchema, DisputeIdSchema, DisputeOutcomeSchema, DisputeResolutionSchema, DisputeStateSchema, DisputeTargetTypeSchema, DisputeTypeSchema, DocumentRefSchema, ERROR_CATEGORIES_CANONICAL, ERROR_CODES, EXTENSION_KEY_PATTERN, ExecutorSchema, Extensions, ExtensionsSchema, HashAlgorithmSchema, HashEncodingSchema, INTERACTION_EXTENSION_KEY, INTERACTION_LIMITS, INTERNAL_PURPOSE_UNDECLARED, IdentityBindingSchema, InteractionEvidenceV01Schema, JSON_EVIDENCE_LIMITS, JWSHeader, JsonArraySchema, JsonObjectSchema, JsonPrimitiveSchema, JsonValueSchema, KERNEL_CONSTRAINTS, KIND_FORMAT_PATTERN, KindSchema, MAX_PURPOSE_TOKENS_PER_REQUEST, MAX_PURPOSE_TOKEN_LENGTH, MIDDLEWARE_INTERACTION_KEY, MinimalInteractionBindingSchema, NormalizedPayment, OBLIGATIONS_EXTENSION_KEY, ORCHESTRATION_FRAMEWORKS, ObligationsExtensionSchema, OrchestrationFrameworkSchema, PEAC_ALG, PEAC_DISCOVERY_MAX_BYTES, PEAC_DISCOVERY_PATH, PEAC_ISSUER_CONFIG_MAX_BYTES, PEAC_ISSUER_CONFIG_PATH, PEAC_ISSUER_CONFIG_VERSION, PEAC_POLICY_FALLBACK_PATH, PEAC_POLICY_MAX_BYTES, PEAC_POLICY_PATH, PEAC_PURPOSE_APPLIED_HEADER, PEAC_PURPOSE_HEADER, PEAC_PURPOSE_REASON_HEADER, PEAC_RECEIPT_HEADER, PEAC_RECEIPT_SCHEMA_URL, PEAC_WIRE_TYP, POLICY_DECISIONS, PROOF_METHODS, PURPOSE_REASONS, PURPOSE_TOKEN_REGEX, PayloadRefSchema, PaymentEvidenceSchema, PaymentRoutingSchema, PaymentSplitSchema, PeacEvidenceCarrierSchema, PolicyContextSchema, ProofMethodSchema, PurposeReasonSchema, PurposeTokenSchema, REDACTION_MODES, REMEDIATION_TYPES, RESERVED_KIND_PREFIXES, RESULT_STATUSES, ReceiptClaims, ReceiptClaimsSchema, ReceiptRefSchema2 as ReceiptRefSchema, ReceiptUrlSchema, RefsSchema, RemediationSchema, RemediationTypeSchema, ResourceTargetSchema, ResultSchema, STEP_ID_PATTERN, StepIdSchema, SubjectProfileSchema, SubjectProfileSnapshotSchema, Subject as SubjectSchema, SubjectTypeSchema, TERMINAL_STATES, ToolTargetSchema, VerifyRequest as VerifyRequestSchema, WELL_KNOWN_KINDS, WORKFLOW_EXTENSION_KEY, WORKFLOW_ID_PATTERN, WORKFLOW_LIMITS, WORKFLOW_STATUSES, WORKFLOW_SUMMARY_TYPE, WorkflowContextSchema, WorkflowErrorContextSchema, WorkflowIdSchema, WorkflowStatusSchema, WorkflowSummaryAttestationSchema, WorkflowSummaryEvidenceSchema, assertJsonSafeIterative, canTransitionTo, computeReceiptRef, computeTotalWeight, createAgentIdentityAttestation, createAttestationReceiptClaims, createAttributionAttestation, createConstraintViolationError, createContributionObligation, createCreditObligation, createDisputeAttestation, createEvidenceNotJsonError, createInteractionEvidence, createObligationsExtension, createPEACError, createReceiptView, createStepId, createWorkflowContext, createWorkflowContextInvalidError, createWorkflowDagInvalidError, createWorkflowId, createWorkflowSummaryAttestation, deriveKnownPurposes, detectCycleInSources, determinePurposeReason, extractObligationsExtension, getInteraction, getValidTransitions, hasInteraction, hasUnknownPurposeTokens, hasValidDagSemantics, isAgentIdentityAttestation, isAttestationExpired, isAttestationNotYetValid, isAttestationOnly, isAttestationReceiptClaims, isAttributionAttestation, isAttributionExpired, isAttributionNotYetValid, isCanonicalPurpose, isContributionRequired, isCreditRequired, isDigestTruncated, isDisputeAttestation, isDisputeExpired, isDisputeNotYetValid, isLegacyPurpose, isMinimalInteractionBinding, isPaymentReceipt, isReservedKindPrefix, isTerminalState, isTerminalWorkflowStatus, isUndeclaredPurpose, isValidDisputeAttestation, isValidInteractionEvidence, isValidPurposeReason, isValidPurposeToken, isValidWorkflowContext, isWellKnownKind, isWorkflowSummaryAttestation, mapLegacyToCanonical, normalizePurposeToken, normalizeToCanonicalOrPreserve, parsePurposeHeader, parseReceiptClaims, setInteraction, toCoreClaims, transitionDisputeState, validateAgentIdentityAttestation, validateAttestationReceiptClaims, validateAttributionAttestation, validateAttributionSource, validateCarrierConstraints, validateContentHash, validateContributionObligation, validateCreditObligation, validateDisputeAttestation, validateDisputeContact, validateDisputeResolution, validateEvidence, validateIdentityBinding, validateInteraction, validateInteractionEvidence, validateInteractionOrdered, validateKernelConstraints, validateMinimalInteractionBinding, validateObligationsExtension, validatePurposeTokens, validateSubjectSnapshot, validateWorkflowContext, validateWorkflowContextOrdered, validateWorkflowSummaryAttestation, verifyReceiptRefConsistency };
+// src/wire-02-warnings.ts
+var WARNING_TYPE_UNREGISTERED = "type_unregistered";
+var WARNING_UNKNOWN_EXTENSION = "unknown_extension_preserved";
+var WARNING_OCCURRED_AT_SKEW = "occurred_at_skew";
+var WARNING_TYP_MISSING = "typ_missing";
+function sortWarnings(warnings) {
+  return [...warnings].sort((a, b) => {
+    const aHasPtr = a.pointer !== void 0;
+    const bHasPtr = b.pointer !== void 0;
+    if (!aHasPtr && bHasPtr) return -1;
+    if (aHasPtr && !bHasPtr) return 1;
+    if (aHasPtr && bHasPtr) {
+      const cmp = a.pointer.localeCompare(b.pointer);
+      if (cmp !== 0) return cmp;
+    }
+    return a.code.localeCompare(b.code);
+  });
+}
+
+// src/wire-02-registries.ts
+var REGISTERED_RECEIPT_TYPES = /* @__PURE__ */ new Set([
+  "org.peacprotocol/payment",
+  "org.peacprotocol/access-decision",
+  "org.peacprotocol/identity-attestation",
+  "org.peacprotocol/consent-record",
+  "org.peacprotocol/compliance-check",
+  "org.peacprotocol/privacy-signal",
+  "org.peacprotocol/safety-review",
+  "org.peacprotocol/provenance-record",
+  "org.peacprotocol/attribution-event",
+  "org.peacprotocol/purpose-declaration"
+]);
+var REGISTERED_EXTENSION_GROUP_KEYS = /* @__PURE__ */ new Set([
+  "org.peacprotocol/commerce",
+  "org.peacprotocol/access",
+  "org.peacprotocol/challenge",
+  "org.peacprotocol/identity",
+  "org.peacprotocol/correlation"
+]);
+
+// src/policy-binding.ts
+function verifyPolicyBinding(receiptDigest, localDigest) {
+  return receiptDigest === localDigest ? "verified" : "failed";
+}
+var REVOCATION_REASONS = [
+  "key_compromise",
+  "superseded",
+  "cessation_of_operation",
+  "privilege_withdrawn"
+];
+var RevokedKeyEntrySchema = z.object({
+  /** Key ID that was revoked */
+  kid: z.string().min(1).max(256),
+  /** ISO 8601 timestamp of revocation */
+  revoked_at: z.string().datetime(),
+  /** Revocation reason (optional, RFC 5280 CRLReason subset) */
+  reason: z.enum(REVOCATION_REASONS).optional()
+}).strict();
+var RevokedKeysArraySchema = z.array(RevokedKeyEntrySchema).max(100);
+function validateRevokedKeys(data) {
+  const result = RevokedKeysArraySchema.safeParse(data);
+  if (result.success) {
+    return { ok: true, value: result.data };
+  }
+  return { ok: false, error: result.error.issues.map((i) => i.message).join("; ") };
+}
+function findRevokedKey(revokedKeys, kid) {
+  return revokedKeys.find((entry) => entry.kid === kid) ?? null;
+}
+
+export { ACCESS_EXTENSION_KEY, ACTOR_BINDING_EXTENSION_KEY, AGENT_IDENTITY_TYPE, AIPREFSnapshot as AIPREFSnapshotSchema, ATTESTATION_LIMITS, ATTESTATION_RECEIPT_TYPE, ATTRIBUTION_LIMITS, ATTRIBUTION_TYPE, ATTRIBUTION_USAGES, AccessExtensionSchema, ActorBindingSchema, AgentIdentityAttestationSchema, AgentIdentityEvidenceSchema, AgentIdentityVerifiedSchema, AgentProofSchema, AttestationExtensionsSchema, AttestationReceiptClaimsSchema, AttestationSchema, AttributionAttestationSchema, AttributionEvidenceSchema, AttributionSourceSchema, AttributionUsageSchema, BindingDetailsSchema, CANONICAL_DIGEST_ALGS, CANONICAL_PURPOSES, CARRIER_TRANSPORT_LIMITS, CHALLENGE_EXTENSION_KEY, CHALLENGE_TYPES, COMMERCE_EXTENSION_KEY, COMMITMENT_CLASSES, CONTRIBUTION_TYPES, CONTROL_ACTIONS, CONTROL_ACTION_EXTENSION_KEY, CONTROL_TRIGGERS, CONTROL_TYPES, CORRELATION_EXTENSION_KEY, CREDENTIAL_EVENTS, CREDENTIAL_EVENT_EXTENSION_KEY, CREDIT_METHODS, CanonicalIssSchema, CanonicalPurposeSchema, CarrierFormatSchema, CarrierMetaSchema, ChallengeExtensionSchema, ChallengeTypeSchema, CommerceExtensionSchema, CommitmentClassSchema, CompactJwsSchema, ContactMethodSchema, ContentHashSchema, ContributionObligationSchema, ContributionTypeSchema, ControlActionSchema, ControlActionTypeSchema, ControlBlockSchema, ControlDecisionSchema, ControlLicensingModeSchema, ControlPurposeSchema, ControlStepSchema, ControlTriggerSchema, ControlTypeSchema, CorrelationExtensionSchema, CredentialEventSchema, CredentialEventTypeSchema, CredentialRefSchema, CreditMethodSchema, CreditObligationSchema, DERIVATION_TYPES, DIGEST_SIZE_CONSTANTS, DIGEST_VALUE_PATTERN, DISPUTE_GROUNDS_CODES, DISPUTE_LIMITS, DISPUTE_OUTCOMES, DISPUTE_STATES, DISPUTE_TARGET_TYPES, DISPUTE_TRANSITIONS, DISPUTE_TYPE, DISPUTE_TYPES, DerivationTypeSchema, DigestAlgSchema, DigestSchema, DisputeAttestationSchema, DisputeContactSchema, DisputeEvidenceSchema, DisputeGroundsCodeSchema, DisputeGroundsSchema, DisputeIdSchema, DisputeOutcomeSchema, DisputeResolutionSchema, DisputeStateSchema, DisputeTargetTypeSchema, DisputeTypeSchema, DocumentRefSchema, ERROR_CATEGORIES_CANONICAL, ERROR_CODES, EXTENSION_KEY_PATTERN, EXTENSION_LIMITS, EvidencePillarSchema, ExecutorSchema, Extensions, ExtensionsSchema, HashAlgorithmSchema, HashEncodingSchema, IDENTITY_EXTENSION_KEY, INTERACTION_EXTENSION_KEY, INTERACTION_LIMITS, INTERNAL_PURPOSE_UNDECLARED, IdentityBindingSchema, IdentityExtensionSchema, InteractionEvidenceV01Schema, JSON_EVIDENCE_LIMITS, JWSHeader, JsonArraySchema, JsonObjectSchema, JsonPrimitiveSchema, JsonValueSchema, KERNEL_CONSTRAINTS, KIND_FORMAT_PATTERN, KindSchema, MAX_PURPOSE_TOKENS_PER_REQUEST, MAX_PURPOSE_TOKEN_LENGTH, MIDDLEWARE_INTERACTION_KEY, MVISFieldsSchema, MVISReplayProtectionSchema, MVISTimeBoundsSchema, MinimalInteractionBindingSchema, NormalizedPayment, OBLIGATIONS_EXTENSION_KEY, ORCHESTRATION_FRAMEWORKS, ObligationsExtensionSchema, OrchestrationFrameworkSchema, PEAC_ALG, PEAC_DISCOVERY_MAX_BYTES, PEAC_DISCOVERY_PATH, PEAC_ISSUER_CONFIG_MAX_BYTES, PEAC_ISSUER_CONFIG_PATH, PEAC_ISSUER_CONFIG_VERSION, PEAC_POLICY_FALLBACK_PATH, PEAC_POLICY_MAX_BYTES, PEAC_POLICY_PATH, PEAC_PURPOSE_APPLIED_HEADER, PEAC_PURPOSE_HEADER, PEAC_PURPOSE_REASON_HEADER, PEAC_RECEIPT_HEADER, PEAC_RECEIPT_SCHEMA_URL, PEAC_WIRE_TYP, POLICY_DECISIONS, PROOF_METHODS, PROOF_TYPES, PURPOSE_REASONS, PURPOSE_TOKEN_REGEX, PayloadRefSchema, PaymentEvidenceSchema, PaymentRoutingSchema, PaymentSplitSchema, PeacEvidenceCarrierSchema, PillarsSchema, PolicyBlockSchema, PolicyContextSchema, ProblemDetailsSchema, ProofMethodSchema, ProofTypeSchema, PurposeReasonSchema, PurposeTokenSchema, REDACTION_MODES, REGISTERED_EXTENSION_GROUP_KEYS, REGISTERED_RECEIPT_TYPES, REMEDIATION_TYPES, REPRESENTATION_LIMITS, RESERVED_KIND_PREFIXES, RESULT_STATUSES, REVOCATION_REASONS, ReceiptClaims, ReceiptClaimsSchema, ReceiptRefSchema2 as ReceiptRefSchema, ReceiptTypeSchema, ReceiptUrlSchema, RefsSchema, RemediationSchema, RemediationTypeSchema, Wire02RepresentationFieldsSchema as RepresentationFieldsSchema, ResourceTargetSchema, ResultSchema, RevokedKeyEntrySchema, RevokedKeysArraySchema, STEP_ID_PATTERN, StepIdSchema, SubjectProfileSchema, SubjectProfileSnapshotSchema, Subject as SubjectSchema, SubjectTypeSchema, TERMINAL_STATES, TOOL_REGISTRY_EXTENSION_KEY, TREATY_EXTENSION_KEY, ToolRegistrySchema, ToolTargetSchema, TreatySchema, VerifyRequest as VerifyRequestSchema, WARNING_OCCURRED_AT_SKEW, WARNING_TYPE_UNREGISTERED, WARNING_TYP_MISSING, WARNING_UNKNOWN_EXTENSION, WELL_KNOWN_KINDS, WORKFLOW_EXTENSION_KEY, WORKFLOW_ID_PATTERN, WORKFLOW_LIMITS, WORKFLOW_STATUSES, WORKFLOW_SUMMARY_TYPE, Wire01JWSHeaderSchema, Wire02ClaimsSchema, Wire02KindSchema, Wire02RepresentationFieldsSchema, WorkflowContextSchema, WorkflowErrorContextSchema, WorkflowIdSchema, WorkflowStatusSchema, WorkflowSummaryAttestationSchema, WorkflowSummaryEvidenceSchema, assertJsonSafeIterative, canTransitionTo, checkOccurredAtSkew, computeReceiptRef, computeTotalWeight, createAgentIdentityAttestation, createAttestationReceiptClaims, createAttributionAttestation, createConstraintViolationError, createContributionObligation, createCreditObligation, createDisputeAttestation, createEvidenceNotJsonError, createInteractionEvidence, createObligationsExtension, createPEACError, createReceiptView, createStepId, createWorkflowContext, createWorkflowContextInvalidError, createWorkflowDagInvalidError, createWorkflowId, createWorkflowSummaryAttestation, deriveKnownPurposes, detectCycleInSources, detectWireVersion, determinePurposeReason, extractObligationsExtension, findRevokedKey, fingerprintRefToString, getAccessExtension, getChallengeExtension, getCommerceExtension, getCorrelationExtension, getIdentityExtension, getInteraction, getValidTransitions, hasInteraction, hasUnknownPurposeTokens, hasValidDagSemantics, isAgentIdentityAttestation, isAttestationExpired, isAttestationNotYetValid, isAttestationOnly, isAttestationReceiptClaims, isAttributionAttestation, isAttributionExpired, isAttributionNotYetValid, isCanonicalIss, isCanonicalPurpose, isContributionRequired, isCreditRequired, isDigestTruncated, isDisputeAttestation, isDisputeExpired, isDisputeNotYetValid, isLegacyPurpose, isMinimalInteractionBinding, isOriginOnly, isPaymentReceipt, isReservedKindPrefix, isTerminalState, isTerminalWorkflowStatus, isUndeclaredPurpose, isValidDisputeAttestation, isValidExtensionKey, isValidInteractionEvidence, isValidPurposeReason, isValidPurposeToken, isValidReceiptType, isValidWorkflowContext, isWellKnownKind, isWorkflowSummaryAttestation, mapLegacyToCanonical, normalizePurposeToken, normalizeToCanonicalOrPreserve, parsePurposeHeader, parseReceiptClaims, setInteraction, sortWarnings, stringToFingerprintRef, toCoreClaims, transitionDisputeState, validateActorBinding, validateAgentIdentityAttestation, validateAttestationReceiptClaims, validateAttributionAttestation, validateAttributionSource, validateCarrierConstraints, validateContentHash, validateContributionObligation, validateControlAction, validateCredentialEvent, validateCreditObligation, validateDisputeAttestation, validateDisputeContact, validateDisputeResolution, validateEvidence, validateIdentityBinding, validateInteraction, validateInteractionEvidence, validateInteractionOrdered, validateKernelConstraints, validateKnownExtensions, validateMVIS, validateMinimalInteractionBinding, validateObligationsExtension, validatePurposeTokens, validateRevokedKeys, validateSubjectSnapshot, validateToolRegistry, validateTreaty, validateWorkflowContext, validateWorkflowContextOrdered, validateWorkflowSummaryAttestation, verifyPolicyBinding, verifyReceiptRefConsistency };
 //# sourceMappingURL=index.mjs.map
 //# sourceMappingURL=index.mjs.map