npm - @peac/schema - Versions diffs - 0.11.2 → 0.12.0-preview.1 - Mend

@peac/schema 0.11.2 → 0.12.0-preview.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (49) hide show

package/README.md +64 -3
package/dist/actor-binding.d.ts +148 -0
package/dist/actor-binding.d.ts.map +1 -0
package/dist/dispute.d.ts +4 -4
package/dist/errors.d.ts +2 -1
package/dist/errors.d.ts.map +1 -1
package/dist/extensions/control-action.d.ts +68 -0
package/dist/extensions/control-action.d.ts.map +1 -0
package/dist/extensions/credential-event.d.ts +53 -0
package/dist/extensions/credential-event.d.ts.map +1 -0
package/dist/extensions/fingerprint-ref.d.ts +50 -0
package/dist/extensions/fingerprint-ref.d.ts.map +1 -0
package/dist/extensions/index.d.ts +16 -0
package/dist/extensions/index.d.ts.map +1 -0
package/dist/extensions/tool-registry.d.ts +32 -0
package/dist/extensions/tool-registry.d.ts.map +1 -0
package/dist/extensions/treaty.d.ts +55 -0
package/dist/extensions/treaty.d.ts.map +1 -0
package/dist/index.cjs +883 -5
package/dist/index.cjs.map +1 -1
package/dist/index.d.ts +24 -3
package/dist/index.d.ts.map +1 -1
package/dist/index.mjs +803 -7
package/dist/index.mjs.map +1 -1
package/dist/issuer-config.d.ts +61 -0
package/dist/issuer-config.d.ts.map +1 -0
package/dist/policy-binding.d.ts +24 -0
package/dist/policy-binding.d.ts.map +1 -0
package/dist/receipt-parser.cjs +492 -3
package/dist/receipt-parser.cjs.map +1 -1
package/dist/receipt-parser.d.ts +36 -14
package/dist/receipt-parser.d.ts.map +1 -1
package/dist/receipt-parser.mjs +493 -5
package/dist/receipt-parser.mjs.map +1 -1
package/dist/types.d.ts +17 -0
package/dist/types.d.ts.map +1 -1
package/dist/validators.d.ts +16 -0
package/dist/validators.d.ts.map +1 -1
package/dist/wire-02-envelope.d.ts +152 -0
package/dist/wire-02-envelope.d.ts.map +1 -0
package/dist/wire-02-extensions.d.ts +216 -0
package/dist/wire-02-extensions.d.ts.map +1 -0
package/dist/wire-02-registries.d.ts +21 -0
package/dist/wire-02-registries.d.ts.map +1 -0
package/dist/wire-02-representation.d.ts +49 -0
package/dist/wire-02-representation.d.ts.map +1 -0
package/dist/wire-02-warnings.d.ts +29 -0
package/dist/wire-02-warnings.d.ts.map +1 -0
package/package.json +2 -2

package/dist/issuer-config.d.ts ADDED Viewed

@@ -0,0 +1,61 @@
+/**
+ * Issuer Configuration Schema Extensions (v0.11.3+, DD-148)
+ *
+ * Zod schemas for revoked_keys field in peac-issuer.json.
+ * Reason values aligned with RFC 5280 CRLReason subset
+ * (only values meaningful for receipt signing keys).
+ *
+ * @packageDocumentation
+ */
+import { z } from 'zod';
+/**
+ * Revocation reasons: RFC 5280 CRLReason subset relevant to receipt signing keys.
+ */
+export declare const REVOCATION_REASONS: readonly ["key_compromise", "superseded", "cessation_of_operation", "privilege_withdrawn"];
+export type RevocationReason = (typeof REVOCATION_REASONS)[number];
+/**
+ * Schema for a single revoked key entry.
+ */
+export declare const RevokedKeyEntrySchema: z.ZodObject<{
+    kid: z.ZodString;
+    revoked_at: z.ZodString;
+    reason: z.ZodOptional<z.ZodEnum<{
+        key_compromise: "key_compromise";
+        superseded: "superseded";
+        cessation_of_operation: "cessation_of_operation";
+        privilege_withdrawn: "privilege_withdrawn";
+    }>>;
+}, z.core.$strict>;
+export type RevokedKeyEntryInput = z.input<typeof RevokedKeyEntrySchema>;
+export type RevokedKeyEntryOutput = z.output<typeof RevokedKeyEntrySchema>;
+/**
+ * Schema for the revoked_keys array in issuer configuration.
+ * Maximum 100 entries to prevent unbounded growth.
+ */
+export declare const RevokedKeysArraySchema: z.ZodArray<z.ZodObject<{
+    kid: z.ZodString;
+    revoked_at: z.ZodString;
+    reason: z.ZodOptional<z.ZodEnum<{
+        key_compromise: "key_compromise";
+        superseded: "superseded";
+        cessation_of_operation: "cessation_of_operation";
+        privilege_withdrawn: "privilege_withdrawn";
+    }>>;
+}, z.core.$strict>>;
+/**
+ * Validate a revoked_keys array.
+ * Returns a discriminated result (no exceptions).
+ */
+export declare function validateRevokedKeys(data: unknown): {
+    ok: true;
+    value: RevokedKeyEntryOutput[];
+} | {
+    ok: false;
+    error: string;
+};
+/**
+ * Check if a kid is present in a revoked_keys array.
+ * Returns the revocation entry if found, null otherwise.
+ */
+export declare function findRevokedKey(revokedKeys: RevokedKeyEntryOutput[], kid: string): RevokedKeyEntryOutput | null;
+//# sourceMappingURL=issuer-config.d.ts.map

package/dist/issuer-config.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"issuer-config.d.ts","sourceRoot":"","sources":["../src/issuer-config.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB;;GAEG;AACH,eAAO,MAAM,kBAAkB,4FAKrB,CAAC;AAEX,MAAM,MAAM,gBAAgB,GAAG,CAAC,OAAO,kBAAkB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEnE;;GAEG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;kBASvB,CAAC;AAEZ,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AACzE,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,MAAM,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE3E;;;GAGG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;mBAA0C,CAAC;AAE9E;;;GAGG;AACH,wBAAgB,mBAAmB,CACjC,IAAI,EAAE,OAAO,GACZ;IAAE,EAAE,EAAE,IAAI,CAAC;IAAC,KAAK,EAAE,qBAAqB,EAAE,CAAA;CAAE,GAAG;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAM7E;AAED;;;GAGG;AACH,wBAAgB,cAAc,CAC5B,WAAW,EAAE,qBAAqB,EAAE,EACpC,GAAG,EAAE,MAAM,GACV,qBAAqB,GAAG,IAAI,CAE9B"}

package/dist/policy-binding.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+/**
+ * Policy binding comparison (Layer 1, DD-49, DD-151)
+ *
+ * Pure string comparison with no I/O and no crypto imports (DD-141).
+ * The digest format is 'sha256:<64 lowercase hex>'.
+ *
+ * This function handles only the binary match/mismatch decision. The full
+ * 3-state result ('verified' | 'failed' | 'unavailable') is computed by
+ * checkPolicyBinding() in @peac/protocol (Layer 3), which handles the
+ * absent-digest case and invokes computePolicyDigestJcs() for hashing.
+ */
+/**
+ * Compare a receipt policy digest against a locally-computed digest.
+ *
+ * Returns 'verified' if the two digests match exactly, 'failed' otherwise.
+ * Both arguments must be present; callers must handle the absent-digest case
+ * (producing 'unavailable') before calling this function.
+ *
+ * @param receiptDigest - policy.digest from the receipt claims
+ * @param localDigest - digest computed from the caller's local policy bytes
+ * @returns 'verified' on exact match, 'failed' on mismatch
+ */
+export declare function verifyPolicyBinding(receiptDigest: string, localDigest: string): 'verified' | 'failed';
+//# sourceMappingURL=policy-binding.d.ts.map

package/dist/policy-binding.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"policy-binding.d.ts","sourceRoot":"","sources":["../src/policy-binding.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH;;;;;;;;;;GAUG;AACH,wBAAgB,mBAAmB,CACjC,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,GAClB,UAAU,GAAG,QAAQ,CAEvB"}

package/dist/receipt-parser.cjs CHANGED Viewed

@@ -45,6 +45,10 @@ var JsonObjectSchema = PlainObjectSchema.transform(
   (obj) => obj
 ).pipe(zod.z.record(zod.z.string(), JsonValueSchema));
 zod.z.array(JsonValueSchema);
+var ERROR_CODES = {
+  // Wire 0.2 extension errors (400, DD-153/DD-156)
+  E_INVALID_EXTENSION_KEY: "E_INVALID_EXTENSION_KEY"
+};
 // src/purpose.ts
 var PURPOSE_TOKEN_REGEX = /^[a-z](?:[a-z0-9_-]*[a-z0-9])?(?::[a-z](?:[a-z0-9_-]*[a-z0-9])?)?$/;
@@ -274,15 +278,465 @@ var AttestationReceiptClaimsSchema = zod.z.object({
   /** Extensions (optional) */
   ext: AttestationExtensionsSchema.optional()
 }).strict();
+var PROOF_TYPES = [
+  "ed25519-cert-chain",
+  "eat-passport",
+  "eat-background-check",
+  "sigstore-oidc",
+  "did",
+  "spiffe",
+  "x509-pki",
+  "custom"
+];
+var ProofTypeSchema = zod.z.enum(PROOF_TYPES);
+function isOriginOnly(value) {
+  try {
+    const url = new URL(value);
+    if (url.protocol !== "https:" && url.protocol !== "http:") {
+      return false;
+    }
+    if (url.pathname !== "/") {
+      return false;
+    }
+    if (url.search !== "") {
+      return false;
+    }
+    if (url.hash !== "" || value.includes("#")) {
+      return false;
+    }
+    if (url.username !== "" || url.password !== "") {
+      return false;
+    }
+    if (url.hostname.endsWith(".")) {
+      return false;
+    }
+    const hostPart = value.replace(/^https?:\/\//, "").split(/[/:]/)[0];
+    if (hostPart.endsWith(".")) {
+      return false;
+    }
+    if (url.hostname.includes("%")) {
+      return false;
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+var ActorBindingSchema = zod.z.object({
+  /** Stable actor identifier (opaque, no PII) */
+  id: zod.z.string().min(1).max(256),
+  /** Proof type from DD-143 multi-root vocabulary */
+  proof_type: ProofTypeSchema,
+  /** URI or hash of external proof artifact */
+  proof_ref: zod.z.string().max(2048).optional(),
+  /** Origin-only URL: scheme + host + optional port; NO path, query, or fragment */
+  origin: zod.z.string().max(2048).refine(isOriginOnly, {
+    message: "origin must be an origin-only URL (scheme + host + optional port; no path, query, or fragment)"
+  }),
+  /** SHA-256 hash of the intent (hash-first per DD-138) */
+  intent_hash: zod.z.string().regex(/^sha256:[a-f0-9]{64}$/, {
+    message: "intent_hash must match sha256:<64 hex chars>"
+  }).optional()
+}).strict();
+var MVISTimeBoundsSchema = zod.z.object({
+  /** Earliest valid time (RFC 3339) */
+  not_before: zod.z.string().datetime(),
+  /** Latest valid time (RFC 3339) */
+  not_after: zod.z.string().datetime()
+}).strict();
+var MVISReplayProtectionSchema = zod.z.object({
+  /** Unique token identifier (jti from JWT or equivalent) */
+  jti: zod.z.string().min(1).max(256),
+  /** Optional nonce for additional replay protection */
+  nonce: zod.z.string().max(256).optional()
+}).strict();
+zod.z.object({
+  /** Who issued the identity assertion */
+  issuer: zod.z.string().min(1).max(2048),
+  /** Who the identity is about (opaque identifier, no PII) */
+  subject: zod.z.string().min(1).max(256),
+  /** Cryptographic binding: kid or JWK thumbprint */
+  key_binding: zod.z.string().min(1).max(256),
+  /** Validity period */
+  time_bounds: MVISTimeBoundsSchema,
+  /** Replay protection */
+  replay_protection: MVISReplayProtectionSchema
+}).strict();
+// src/extensions/fingerprint-ref.ts
+function hexToBase64url(hex) {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
+  }
+  let base64;
+  if (typeof Buffer !== "undefined") {
+    base64 = Buffer.from(bytes).toString("base64");
+  } else {
+    base64 = btoa(String.fromCharCode(...bytes));
+  }
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+var STRING_FORM_PATTERN = /^(sha256|hmac-sha256):([a-f0-9]{64})$/;
+var MAX_FINGERPRINT_REF_LENGTH = 76;
+function stringToFingerprintRef(s) {
+  if (s.length > MAX_FINGERPRINT_REF_LENGTH) {
+    return null;
+  }
+  const match = STRING_FORM_PATTERN.exec(s);
+  if (!match) {
+    return null;
+  }
+  const alg = match[1];
+  const hex = match[2];
+  return {
+    alg,
+    value: hexToBase64url(hex)
+  };
+}
+// src/wire-02-representation.ts
+function isValidContentHash(s) {
+  const ref = stringToFingerprintRef(s);
+  if (ref === null) return false;
+  return ref.alg === "sha256";
+}
+var MIME_PATTERN = /^[a-zA-Z0-9][a-zA-Z0-9!#$&\-^_.+]*\/[a-zA-Z0-9][a-zA-Z0-9!#$&\-^_.+]*(;\s*[a-zA-Z0-9][a-zA-Z0-9!#$&\-^_.+]*=[^\s;]+)*$/;
+function isValidMimeType(s) {
+  return MIME_PATTERN.test(s);
+}
+var REPRESENTATION_LIMITS = {
+  /** Max content_hash string length (sha256:<64 hex> = 71 chars, capped at FingerprintRef max) */
+  maxContentHashLength: MAX_FINGERPRINT_REF_LENGTH,
+  /** Max content_type string length */
+  maxContentTypeLength: 256
+};
+var Wire02RepresentationFieldsSchema = zod.z.object({
+  /**
+   * FingerprintRef of the served content body.
+   * Format: sha256:<64 lowercase hex>
+   * hmac-sha256 is NOT permitted for representation hashes.
+   */
+  content_hash: zod.z.string().max(REPRESENTATION_LIMITS.maxContentHashLength).refine(isValidContentHash, {
+    message: "content_hash must be a valid sha256 FingerprintRef (sha256:<64 lowercase hex>)"
+  }).optional(),
+  /**
+   * MIME type of the served content (e.g., 'text/plain', 'application/json').
+   * Conservative pattern validation: type/subtype with optional parameters.
+   */
+  content_type: zod.z.string().max(REPRESENTATION_LIMITS.maxContentTypeLength).refine(isValidMimeType, {
+    message: "content_type must be a valid MIME type (type/subtype with optional parameters)"
+  }).optional(),
+  /**
+   * Size of the served content in bytes.
+   * Non-negative integer, bounded by Number.MAX_SAFE_INTEGER.
+   */
+  content_length: zod.z.number().int().finite().nonnegative().max(Number.MAX_SAFE_INTEGER).optional()
+}).strict();
+var EXTENSION_LIMITS = {
+  // Extension key grammar
+  maxExtensionKeyLength: 512,
+  maxDnsLabelLength: 63,
+  maxDnsDomainLength: 253,
+  // Commerce
+  maxPaymentRailLength: 128,
+  maxCurrencyLength: 16,
+  maxAmountMinorLength: 64,
+  maxReferenceLength: 256,
+  maxAssetLength: 256,
+  // Access
+  maxResourceLength: 2048,
+  maxActionLength: 256,
+  // Challenge
+  maxProblemTypeLength: 2048,
+  maxProblemTitleLength: 256,
+  maxProblemDetailLength: 4096,
+  maxProblemInstanceLength: 2048,
+  // Identity
+  maxProofRefLength: 256,
+  // Correlation
+  maxTraceIdLength: 32,
+  maxSpanIdLength: 16,
+  maxWorkflowIdLength: 256,
+  maxParentJtiLength: 256,
+  maxDependsOnLength: 64
+};
+var DNS_LABEL = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/;
+var SEGMENT_PATTERN = /^[a-z0-9][a-z0-9_-]*$/;
+function isValidExtensionKey(key) {
+  if (key.length === 0 || key.length > EXTENSION_LIMITS.maxExtensionKeyLength) return false;
+  const slashIdx = key.indexOf("/");
+  if (slashIdx <= 0) return false;
+  const domain = key.slice(0, slashIdx);
+  const segment = key.slice(slashIdx + 1);
+  if (!domain.includes(".")) return false;
+  if (domain.length > EXTENSION_LIMITS.maxDnsDomainLength) return false;
+  if (segment.length === 0) return false;
+  if (!SEGMENT_PATTERN.test(segment)) return false;
+  const labels = domain.split(".");
+  for (const label of labels) {
+    if (label.length === 0 || label.length > EXTENSION_LIMITS.maxDnsLabelLength) return false;
+    if (!DNS_LABEL.test(label)) return false;
+  }
+  return true;
+}
+var COMMERCE_EXTENSION_KEY = "org.peacprotocol/commerce";
+var ACCESS_EXTENSION_KEY = "org.peacprotocol/access";
+var CHALLENGE_EXTENSION_KEY = "org.peacprotocol/challenge";
+var IDENTITY_EXTENSION_KEY = "org.peacprotocol/identity";
+var CORRELATION_EXTENSION_KEY = "org.peacprotocol/correlation";
+var AMOUNT_MINOR_PATTERN = /^-?[0-9]+$/;
+var CommerceExtensionSchema = zod.z.object({
+  /** Payment rail identifier (e.g., 'stripe', 'x402', 'lightning') */
+  payment_rail: zod.z.string().min(1).max(EXTENSION_LIMITS.maxPaymentRailLength),
+  /**
+   * Amount in smallest currency unit as a string for arbitrary precision.
+   * Base-10 integer: optional leading minus, one or more digits.
+   * Decimals and empty strings are rejected.
+   */
+  amount_minor: zod.z.string().min(1).max(EXTENSION_LIMITS.maxAmountMinorLength).regex(
+    AMOUNT_MINOR_PATTERN,
+    'amount_minor must be a base-10 integer string (e.g., "1000", "-50")'
+  ),
+  /** ISO 4217 currency code or asset identifier */
+  currency: zod.z.string().min(1).max(EXTENSION_LIMITS.maxCurrencyLength),
+  /** Caller-assigned payment reference */
+  reference: zod.z.string().max(EXTENSION_LIMITS.maxReferenceLength).optional(),
+  /** Asset identifier for non-fiat (e.g., token address) */
+  asset: zod.z.string().max(EXTENSION_LIMITS.maxAssetLength).optional(),
+  /** Environment discriminant */
+  env: zod.z.enum(["live", "test"]).optional()
+}).strict();
+var AccessExtensionSchema = zod.z.object({
+  /** Resource being accessed (URI or identifier) */
+  resource: zod.z.string().min(1).max(EXTENSION_LIMITS.maxResourceLength),
+  /** Action performed on the resource */
+  action: zod.z.string().min(1).max(EXTENSION_LIMITS.maxActionLength),
+  /** Access decision */
+  decision: zod.z.enum(["allow", "deny", "review"])
+}).strict();
+var CHALLENGE_TYPES = [
+  "payment_required",
+  "identity_required",
+  "consent_required",
+  "attestation_required",
+  "rate_limited",
+  "purpose_disallowed",
+  "custom"
+];
+var ChallengeTypeSchema = zod.z.enum(CHALLENGE_TYPES);
+var ProblemDetailsSchema = zod.z.object({
+  /** HTTP status code (100-599) */
+  status: zod.z.number().int().min(100).max(599),
+  /** Problem type URI */
+  type: zod.z.string().min(1).max(EXTENSION_LIMITS.maxProblemTypeLength).url(),
+  /** Short human-readable summary */
+  title: zod.z.string().max(EXTENSION_LIMITS.maxProblemTitleLength).optional(),
+  /** Human-readable explanation specific to this occurrence */
+  detail: zod.z.string().max(EXTENSION_LIMITS.maxProblemDetailLength).optional(),
+  /** URI reference identifying the specific occurrence */
+  instance: zod.z.string().max(EXTENSION_LIMITS.maxProblemInstanceLength).optional()
+}).passthrough();
+var ChallengeExtensionSchema = zod.z.object({
+  /** Challenge type (7 values) */
+  challenge_type: ChallengeTypeSchema,
+  /** RFC 9457 Problem Details */
+  problem: ProblemDetailsSchema,
+  /** Resource that triggered the challenge */
+  resource: zod.z.string().max(EXTENSION_LIMITS.maxResourceLength).optional(),
+  /** Action that triggered the challenge */
+  action: zod.z.string().max(EXTENSION_LIMITS.maxActionLength).optional(),
+  /** Caller-defined requirements for resolving the challenge */
+  requirements: zod.z.record(zod.z.string(), zod.z.unknown()).optional()
+}).strict();
+var IdentityExtensionSchema = zod.z.object({
+  /** Proof reference (opaque string; no actor_binding: top-level actor is sole location) */
+  proof_ref: zod.z.string().max(EXTENSION_LIMITS.maxProofRefLength).optional()
+}).strict();
+var TRACE_ID_PATTERN = /^[0-9a-f]{32}$/;
+var SPAN_ID_PATTERN = /^[0-9a-f]{16}$/;
+var CorrelationExtensionSchema = zod.z.object({
+  /** OpenTelemetry-compatible trace ID (32 lowercase hex chars) */
+  trace_id: zod.z.string().length(EXTENSION_LIMITS.maxTraceIdLength).regex(TRACE_ID_PATTERN, "trace_id must be 32 lowercase hex characters").optional(),
+  /** OpenTelemetry-compatible span ID (16 lowercase hex chars) */
+  span_id: zod.z.string().length(EXTENSION_LIMITS.maxSpanIdLength).regex(SPAN_ID_PATTERN, "span_id must be 16 lowercase hex characters").optional(),
+  /** Workflow identifier */
+  workflow_id: zod.z.string().min(1).max(EXTENSION_LIMITS.maxWorkflowIdLength).optional(),
+  /** Parent receipt JTI for causal chains */
+  parent_jti: zod.z.string().min(1).max(EXTENSION_LIMITS.maxParentJtiLength).optional(),
+  /** JTIs this receipt depends on */
+  depends_on: zod.z.array(zod.z.string().min(1).max(EXTENSION_LIMITS.maxParentJtiLength)).max(EXTENSION_LIMITS.maxDependsOnLength).optional()
+}).strict();
+var EXTENSION_SCHEMA_MAP = /* @__PURE__ */ new Map();
+EXTENSION_SCHEMA_MAP.set(COMMERCE_EXTENSION_KEY, CommerceExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(ACCESS_EXTENSION_KEY, AccessExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(CHALLENGE_EXTENSION_KEY, ChallengeExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(IDENTITY_EXTENSION_KEY, IdentityExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(CORRELATION_EXTENSION_KEY, CorrelationExtensionSchema);
+function validateKnownExtensions(extensions, ctx) {
+  if (extensions === void 0) return;
+  for (const key of Object.keys(extensions)) {
+    if (!isValidExtensionKey(key)) {
+      ctx.addIssue({
+        code: "custom",
+        message: ERROR_CODES.E_INVALID_EXTENSION_KEY,
+        path: ["extensions", key]
+      });
+      continue;
+    }
+    const schema = EXTENSION_SCHEMA_MAP.get(key);
+    if (schema !== void 0) {
+      const result = schema.safeParse(extensions[key]);
+      if (!result.success) {
+        const firstIssue = result.error.issues[0];
+        const issuePath = firstIssue?.path ?? [];
+        ctx.addIssue({
+          code: "custom",
+          message: firstIssue?.message ?? "Invalid extension value",
+          path: ["extensions", key, ...issuePath]
+        });
+      }
+    }
+  }
+}
+// src/wire-02-envelope.ts
+function isSortedAndUnique(arr) {
+  for (let i = 1; i < arr.length; i++) {
+    if (arr[i] <= arr[i - 1]) return false;
+  }
+  return true;
+}
+function isCanonicalIss(iss) {
+  if (typeof iss !== "string" || iss.length === 0 || iss.length > kernel.ISS_CANONICAL.maxLength) {
+    return false;
+  }
+  if (iss.startsWith("did:")) {
+    return /^did:[a-z0-9]+:[^#?/]+$/.test(iss);
+  }
+  try {
+    const url = new URL(iss);
+    if (url.protocol !== "https:") return false;
+    if (!url.hostname) return false;
+    if (url.username !== "" || url.password !== "") return false;
+    const origin = `${url.protocol}//${url.host}`;
+    return iss === origin;
+  } catch {
+    return false;
+  }
+}
+var ABS_URI_PATTERN = /^[a-z][a-z0-9+.-]*:\/\//;
+function isValidReceiptType(value) {
+  if (value.length === 0 || value.length > kernel.TYPE_GRAMMAR.maxLength) return false;
+  if (ABS_URI_PATTERN.test(value)) return true;
+  const slashIdx = value.indexOf("/");
+  if (slashIdx <= 0) return false;
+  const domain = value.slice(0, slashIdx);
+  const segment = value.slice(slashIdx + 1);
+  if (!domain.includes(".")) return false;
+  if (segment.length === 0) return false;
+  if (!/^[a-zA-Z0-9][a-zA-Z0-9.-]*$/.test(domain)) return false;
+  if (!/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/.test(segment)) return false;
+  return true;
+}
+var EVIDENCE_PILLARS = [
+  "access",
+  "attribution",
+  "commerce",
+  "compliance",
+  "consent",
+  "identity",
+  "privacy",
+  "provenance",
+  "purpose",
+  "safety"
+];
+var EvidencePillarSchema = zod.z.enum(
+  EVIDENCE_PILLARS
+);
+var PillarsSchema = zod.z.array(EvidencePillarSchema).min(1).superRefine((arr, ctx) => {
+  if (!isSortedAndUnique(arr)) {
+    ctx.addIssue({
+      code: "custom",
+      message: "E_PILLARS_NOT_SORTED"
+    });
+  }
+});
+var Wire02KindSchema = zod.z.enum(["evidence", "challenge"]);
+var ReceiptTypeSchema = zod.z.string().max(kernel.TYPE_GRAMMAR.maxLength).refine(isValidReceiptType, {
+  message: "type must be reverse-DNS notation (e.g., org.example/flow) or an absolute URI"
+});
+var CanonicalIssSchema = zod.z.string().max(kernel.ISS_CANONICAL.maxLength).refine(isCanonicalIss, {
+  message: "E_ISS_NOT_CANONICAL"
+});
+var PolicyBlockSchema = zod.z.object({
+  /** JCS+SHA-256 digest: 'sha256:<64 lowercase hex>' */
+  digest: zod.z.string().regex(kernel.HASH.pattern, "digest must be sha256:<64 lowercase hex>"),
+  /**
+   * HTTPS locator hint for the policy document.
+   * MUST be an https:// URL (max 2048 chars).
+   * MUST NOT trigger auto-fetch; callers use this as a hint only (DD-55).
+   */
+  uri: zod.z.string().max(kernel.POLICY_BLOCK.uriMaxLength).url().refine((u) => u.startsWith("https://"), "policy.uri must be an https:// URL").optional(),
+  /** Caller-assigned version label (max 256 chars) */
+  version: zod.z.string().max(kernel.POLICY_BLOCK.versionMaxLength).optional()
+});
+var Wire02ClaimsSchema = zod.z.object({
+  /** Wire format version discriminant; always '0.2' for Wire 0.2 */
+  peac_version: zod.z.literal("0.2"),
+  /** Structural kind: 'evidence' or 'challenge' */
+  kind: Wire02KindSchema,
+  /** Open semantic type (reverse-DNS or absolute URI) */
+  type: ReceiptTypeSchema,
+  /** Canonical issuer (https:// ASCII origin or did: identifier) */
+  iss: CanonicalIssSchema,
+  /** Issued-at time (Unix seconds). REQUIRED. */
+  iat: zod.z.number().int(),
+  /** Unique receipt identifier; 1 to 256 chars */
+  jti: zod.z.string().min(1).max(256),
+  /** Subject identifier; max 2048 chars */
+  sub: zod.z.string().max(2048).optional(),
+  /** Evidence pillars (closed 10-value taxonomy); sorted ascending, unique */
+  pillars: PillarsSchema.optional(),
+  /** Top-level actor binding (sole location for ActorBinding in Wire 0.2) */
+  actor: ActorBindingSchema.optional(),
+  /** Policy binding block (DD-151) */
+  policy: PolicyBlockSchema.optional(),
+  /** Representation fields (DD-152): FingerprintRef validation, sha256-only, strict */
+  representation: Wire02RepresentationFieldsSchema.optional(),
+  /** ISO 8601 / RFC 3339 timestamp when the interaction occurred; evidence kind only */
+  occurred_at: zod.z.string().datetime({ offset: true }).optional(),
+  /** Declared purpose string; max 256 chars */
+  purpose_declared: zod.z.string().max(256).optional(),
+  /** Extension groups (open; known group keys validated by group schema) */
+  extensions: zod.z.record(zod.z.string(), zod.z.unknown()).optional()
+}).superRefine((data, ctx) => {
+  if (data.kind === "challenge" && data.occurred_at !== void 0) {
+    ctx.addIssue({
+      code: "custom",
+      message: "E_OCCURRED_AT_ON_CHALLENGE"
+    });
+  }
+  validateKnownExtensions(data.extensions, ctx);
+}).strict();
 // src/receipt-parser.ts
-function classifyReceipt(obj) {
+function detectWireVersion(obj) {
+  if (obj === null || obj === void 0 || typeof obj !== "object" || Array.isArray(obj)) {
+    return null;
+  }
+  const record = obj;
+  if (record.peac_version === "0.2") return "0.2";
+  if ("peac_version" in record) return null;
+  return "0.1";
+}
+function classifyWire01Receipt(obj) {
   if ("amt" in obj || "cur" in obj || "payment" in obj) {
     return "commerce";
   }
   return "attestation";
 }
-function parseReceiptClaims(input, _opts) {
+function parseReceiptClaims(input, opts) {
   if (input === null || input === void 0 || typeof input !== "object" || Array.isArray(input)) {
     return {
       ok: false,
@@ -293,7 +747,37 @@ function parseReceiptClaims(input, _opts) {
     };
   }
   const obj = input;
-  const variant = classifyReceipt(obj);
+  const wireVersion = opts?.wireVersion === "0.2" || opts?.wireVersion === "0.1" ? opts.wireVersion : detectWireVersion(obj);
+  if (wireVersion === null) {
+    return {
+      ok: false,
+      error: {
+        code: "E_UNSUPPORTED_WIRE_VERSION",
+        message: `Unsupported or unrecognized peac_version: ${JSON.stringify(obj["peac_version"])}`
+      }
+    };
+  }
+  if (wireVersion === "0.2") {
+    const result2 = Wire02ClaimsSchema.safeParse(obj);
+    if (!result2.success) {
+      return {
+        ok: false,
+        error: {
+          code: "E_INVALID_FORMAT",
+          message: `Wire 0.2 receipt validation failed: ${result2.error.issues.map((i) => i.message).join("; ")}`,
+          issues: result2.error.issues
+        }
+      };
+    }
+    return {
+      ok: true,
+      variant: "wire-02",
+      wireVersion: "0.2",
+      warnings: [],
+      claims: result2.data
+    };
+  }
+  const variant = classifyWire01Receipt(obj);
   if (variant === "commerce") {
     const result2 = ReceiptClaimsSchema.safeParse(obj);
     if (!result2.success) {
@@ -309,6 +793,8 @@ function parseReceiptClaims(input, _opts) {
     return {
       ok: true,
       variant: "commerce",
+      wireVersion: "0.1",
+      warnings: [],
       claims: result2.data
     };
   }
@@ -326,10 +812,13 @@ function parseReceiptClaims(input, _opts) {
   return {
     ok: true,
     variant: "attestation",
+    wireVersion: "0.1",
+    warnings: [],
     claims: result.data
   };
 }
+exports.detectWireVersion = detectWireVersion;
 exports.parseReceiptClaims = parseReceiptClaims;
 //# sourceMappingURL=receipt-parser.cjs.map
 //# sourceMappingURL=receipt-parser.cjs.map