@peac/schema 0.11.3 → 0.12.0-preview.1

package/dist/policy-binding.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Policy binding comparison (Layer 1, DD-49, DD-151)
+ *
+ * Pure string comparison with no I/O and no crypto imports (DD-141).
+ * The digest format is 'sha256:<64 lowercase hex>'.
+ *
+ * This function handles only the binary match/mismatch decision. The full
+ * 3-state result ('verified' | 'failed' | 'unavailable') is computed by
+ * checkPolicyBinding() in @peac/protocol (Layer 3), which handles the
+ * absent-digest case and invokes computePolicyDigestJcs() for hashing.
+ */
+/**
+ * Compare a receipt policy digest against a locally-computed digest.
+ *
+ * Returns 'verified' if the two digests match exactly, 'failed' otherwise.
+ * Both arguments must be present; callers must handle the absent-digest case
+ * (producing 'unavailable') before calling this function.
+ *
+ * @param receiptDigest - policy.digest from the receipt claims
+ * @param localDigest - digest computed from the caller's local policy bytes
+ * @returns 'verified' on exact match, 'failed' on mismatch
+ */
+export declare function verifyPolicyBinding(receiptDigest: string, localDigest: string): 'verified' | 'failed';
+//# sourceMappingURL=policy-binding.d.ts.map

package/dist/policy-binding.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"policy-binding.d.ts","sourceRoot":"","sources":["../src/policy-binding.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH;;;;;;;;;;GAUG;AACH,wBAAgB,mBAAmB,CACjC,aAAa,EAAE,MAAM,EACrB,WAAW,EAAE,MAAM,GAClB,UAAU,GAAG,QAAQ,CAEvB"}

package/dist/receipt-parser.cjs

@@ -45,6 +45,10 @@ var JsonObjectSchema = PlainObjectSchema.transform(
   (obj) => obj
 ).pipe(zod.z.record(zod.z.string(), JsonValueSchema));
 zod.z.array(JsonValueSchema);
+var ERROR_CODES = {
+  // Wire 0.2 extension errors (400, DD-153/DD-156)
+  E_INVALID_EXTENSION_KEY: "E_INVALID_EXTENSION_KEY"
+};
 
 // src/purpose.ts
 var PURPOSE_TOKEN_REGEX = /^[a-z](?:[a-z0-9_-]*[a-z0-9])?(?::[a-z](?:[a-z0-9_-]*[a-z0-9])?)?$/;
@@ -274,15 +278,465 @@ var AttestationReceiptClaimsSchema = zod.z.object({
   /** Extensions (optional) */
   ext: AttestationExtensionsSchema.optional()
 }).strict();
+var PROOF_TYPES = [
+  "ed25519-cert-chain",
+  "eat-passport",
+  "eat-background-check",
+  "sigstore-oidc",
+  "did",
+  "spiffe",
+  "x509-pki",
+  "custom"
+];
+var ProofTypeSchema = zod.z.enum(PROOF_TYPES);
+function isOriginOnly(value) {
+  try {
+    const url = new URL(value);
+    if (url.protocol !== "https:" && url.protocol !== "http:") {
+      return false;
+    }
+    if (url.pathname !== "/") {
+      return false;
+    }
+    if (url.search !== "") {
+      return false;
+    }
+    if (url.hash !== "" || value.includes("#")) {
+      return false;
+    }
+    if (url.username !== "" || url.password !== "") {
+      return false;
+    }
+    if (url.hostname.endsWith(".")) {
+      return false;
+    }
+    const hostPart = value.replace(/^https?:\/\//, "").split(/[/:]/)[0];
+    if (hostPart.endsWith(".")) {
+      return false;
+    }
+    if (url.hostname.includes("%")) {
+      return false;
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+var ActorBindingSchema = zod.z.object({
+  /** Stable actor identifier (opaque, no PII) */
+  id: zod.z.string().min(1).max(256),
+  /** Proof type from DD-143 multi-root vocabulary */
+  proof_type: ProofTypeSchema,
+  /** URI or hash of external proof artifact */
+  proof_ref: zod.z.string().max(2048).optional(),
+  /** Origin-only URL: scheme + host + optional port; NO path, query, or fragment */
+  origin: zod.z.string().max(2048).refine(isOriginOnly, {
+    message: "origin must be an origin-only URL (scheme + host + optional port; no path, query, or fragment)"
+  }),
+  /** SHA-256 hash of the intent (hash-first per DD-138) */
+  intent_hash: zod.z.string().regex(/^sha256:[a-f0-9]{64}$/, {
+    message: "intent_hash must match sha256:<64 hex chars>"
+  }).optional()
+}).strict();
+var MVISTimeBoundsSchema = zod.z.object({
+  /** Earliest valid time (RFC 3339) */
+  not_before: zod.z.string().datetime(),
+  /** Latest valid time (RFC 3339) */
+  not_after: zod.z.string().datetime()
+}).strict();
+var MVISReplayProtectionSchema = zod.z.object({
+  /** Unique token identifier (jti from JWT or equivalent) */
+  jti: zod.z.string().min(1).max(256),
+  /** Optional nonce for additional replay protection */
+  nonce: zod.z.string().max(256).optional()
+}).strict();
+zod.z.object({
+  /** Who issued the identity assertion */
+  issuer: zod.z.string().min(1).max(2048),
+  /** Who the identity is about (opaque identifier, no PII) */
+  subject: zod.z.string().min(1).max(256),
+  /** Cryptographic binding: kid or JWK thumbprint */
+  key_binding: zod.z.string().min(1).max(256),
+  /** Validity period */
+  time_bounds: MVISTimeBoundsSchema,
+  /** Replay protection */
+  replay_protection: MVISReplayProtectionSchema
+}).strict();
+
+// src/extensions/fingerprint-ref.ts
+function hexToBase64url(hex) {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
+  }
+  let base64;
+  if (typeof Buffer !== "undefined") {
+    base64 = Buffer.from(bytes).toString("base64");
+  } else {
+    base64 = btoa(String.fromCharCode(...bytes));
+  }
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+var STRING_FORM_PATTERN = /^(sha256|hmac-sha256):([a-f0-9]{64})$/;
+var MAX_FINGERPRINT_REF_LENGTH = 76;
+function stringToFingerprintRef(s) {
+  if (s.length > MAX_FINGERPRINT_REF_LENGTH) {
+    return null;
+  }
+  const match = STRING_FORM_PATTERN.exec(s);
+  if (!match) {
+    return null;
+  }
+  const alg = match[1];
+  const hex = match[2];
+  return {
+    alg,
+    value: hexToBase64url(hex)
+  };
+}
+
+// src/wire-02-representation.ts
+function isValidContentHash(s) {
+  const ref = stringToFingerprintRef(s);
+  if (ref === null) return false;
+  return ref.alg === "sha256";
+}
+var MIME_PATTERN = /^[a-zA-Z0-9][a-zA-Z0-9!#$&\-^_.+]*\/[a-zA-Z0-9][a-zA-Z0-9!#$&\-^_.+]*(;\s*[a-zA-Z0-9][a-zA-Z0-9!#$&\-^_.+]*=[^\s;]+)*$/;
+function isValidMimeType(s) {
+  return MIME_PATTERN.test(s);
+}
+var REPRESENTATION_LIMITS = {
+  /** Max content_hash string length (sha256:<64 hex> = 71 chars, capped at FingerprintRef max) */
+  maxContentHashLength: MAX_FINGERPRINT_REF_LENGTH,
+  /** Max content_type string length */
+  maxContentTypeLength: 256
+};
+var Wire02RepresentationFieldsSchema = zod.z.object({
+  /**
+   * FingerprintRef of the served content body.
+   * Format: sha256:<64 lowercase hex>
+   * hmac-sha256 is NOT permitted for representation hashes.
+   */
+  content_hash: zod.z.string().max(REPRESENTATION_LIMITS.maxContentHashLength).refine(isValidContentHash, {
+    message: "content_hash must be a valid sha256 FingerprintRef (sha256:<64 lowercase hex>)"
+  }).optional(),
+  /**
+   * MIME type of the served content (e.g., 'text/plain', 'application/json').
+   * Conservative pattern validation: type/subtype with optional parameters.
+   */
+  content_type: zod.z.string().max(REPRESENTATION_LIMITS.maxContentTypeLength).refine(isValidMimeType, {
+    message: "content_type must be a valid MIME type (type/subtype with optional parameters)"
+  }).optional(),
+  /**
+   * Size of the served content in bytes.
+   * Non-negative integer, bounded by Number.MAX_SAFE_INTEGER.
+   */
+  content_length: zod.z.number().int().finite().nonnegative().max(Number.MAX_SAFE_INTEGER).optional()
+}).strict();
+var EXTENSION_LIMITS = {
+  // Extension key grammar
+  maxExtensionKeyLength: 512,
+  maxDnsLabelLength: 63,
+  maxDnsDomainLength: 253,
+  // Commerce
+  maxPaymentRailLength: 128,
+  maxCurrencyLength: 16,
+  maxAmountMinorLength: 64,
+  maxReferenceLength: 256,
+  maxAssetLength: 256,
+  // Access
+  maxResourceLength: 2048,
+  maxActionLength: 256,
+  // Challenge
+  maxProblemTypeLength: 2048,
+  maxProblemTitleLength: 256,
+  maxProblemDetailLength: 4096,
+  maxProblemInstanceLength: 2048,
+  // Identity
+  maxProofRefLength: 256,
+  // Correlation
+  maxTraceIdLength: 32,
+  maxSpanIdLength: 16,
+  maxWorkflowIdLength: 256,
+  maxParentJtiLength: 256,
+  maxDependsOnLength: 64
+};
+var DNS_LABEL = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/;
+var SEGMENT_PATTERN = /^[a-z0-9][a-z0-9_-]*$/;
+function isValidExtensionKey(key) {
+  if (key.length === 0 || key.length > EXTENSION_LIMITS.maxExtensionKeyLength) return false;
+  const slashIdx = key.indexOf("/");
+  if (slashIdx <= 0) return false;
+  const domain = key.slice(0, slashIdx);
+  const segment = key.slice(slashIdx + 1);
+  if (!domain.includes(".")) return false;
+  if (domain.length > EXTENSION_LIMITS.maxDnsDomainLength) return false;
+  if (segment.length === 0) return false;
+  if (!SEGMENT_PATTERN.test(segment)) return false;
+  const labels = domain.split(".");
+  for (const label of labels) {
+    if (label.length === 0 || label.length > EXTENSION_LIMITS.maxDnsLabelLength) return false;
+    if (!DNS_LABEL.test(label)) return false;
+  }
+  return true;
+}
+var COMMERCE_EXTENSION_KEY = "org.peacprotocol/commerce";
+var ACCESS_EXTENSION_KEY = "org.peacprotocol/access";
+var CHALLENGE_EXTENSION_KEY = "org.peacprotocol/challenge";
+var IDENTITY_EXTENSION_KEY = "org.peacprotocol/identity";
+var CORRELATION_EXTENSION_KEY = "org.peacprotocol/correlation";
+var AMOUNT_MINOR_PATTERN = /^-?[0-9]+$/;
+var CommerceExtensionSchema = zod.z.object({
+  /** Payment rail identifier (e.g., 'stripe', 'x402', 'lightning') */
+  payment_rail: zod.z.string().min(1).max(EXTENSION_LIMITS.maxPaymentRailLength),
+  /**
+   * Amount in smallest currency unit as a string for arbitrary precision.
+   * Base-10 integer: optional leading minus, one or more digits.
+   * Decimals and empty strings are rejected.
+   */
+  amount_minor: zod.z.string().min(1).max(EXTENSION_LIMITS.maxAmountMinorLength).regex(
+    AMOUNT_MINOR_PATTERN,
+    'amount_minor must be a base-10 integer string (e.g., "1000", "-50")'
+  ),
+  /** ISO 4217 currency code or asset identifier */
+  currency: zod.z.string().min(1).max(EXTENSION_LIMITS.maxCurrencyLength),
+  /** Caller-assigned payment reference */
+  reference: zod.z.string().max(EXTENSION_LIMITS.maxReferenceLength).optional(),
+  /** Asset identifier for non-fiat (e.g., token address) */
+  asset: zod.z.string().max(EXTENSION_LIMITS.maxAssetLength).optional(),
+  /** Environment discriminant */
+  env: zod.z.enum(["live", "test"]).optional()
+}).strict();
+var AccessExtensionSchema = zod.z.object({
+  /** Resource being accessed (URI or identifier) */
+  resource: zod.z.string().min(1).max(EXTENSION_LIMITS.maxResourceLength),
+  /** Action performed on the resource */
+  action: zod.z.string().min(1).max(EXTENSION_LIMITS.maxActionLength),
+  /** Access decision */
+  decision: zod.z.enum(["allow", "deny", "review"])
+}).strict();
+var CHALLENGE_TYPES = [
+  "payment_required",
+  "identity_required",
+  "consent_required",
+  "attestation_required",
+  "rate_limited",
+  "purpose_disallowed",
+  "custom"
+];
+var ChallengeTypeSchema = zod.z.enum(CHALLENGE_TYPES);
+var ProblemDetailsSchema = zod.z.object({
+  /** HTTP status code (100-599) */
+  status: zod.z.number().int().min(100).max(599),
+  /** Problem type URI */
+  type: zod.z.string().min(1).max(EXTENSION_LIMITS.maxProblemTypeLength).url(),
+  /** Short human-readable summary */
+  title: zod.z.string().max(EXTENSION_LIMITS.maxProblemTitleLength).optional(),
+  /** Human-readable explanation specific to this occurrence */
+  detail: zod.z.string().max(EXTENSION_LIMITS.maxProblemDetailLength).optional(),
+  /** URI reference identifying the specific occurrence */
+  instance: zod.z.string().max(EXTENSION_LIMITS.maxProblemInstanceLength).optional()
+}).passthrough();
+var ChallengeExtensionSchema = zod.z.object({
+  /** Challenge type (7 values) */
+  challenge_type: ChallengeTypeSchema,
+  /** RFC 9457 Problem Details */
+  problem: ProblemDetailsSchema,
+  /** Resource that triggered the challenge */
+  resource: zod.z.string().max(EXTENSION_LIMITS.maxResourceLength).optional(),
+  /** Action that triggered the challenge */
+  action: zod.z.string().max(EXTENSION_LIMITS.maxActionLength).optional(),
+  /** Caller-defined requirements for resolving the challenge */
+  requirements: zod.z.record(zod.z.string(), zod.z.unknown()).optional()
+}).strict();
+var IdentityExtensionSchema = zod.z.object({
+  /** Proof reference (opaque string; no actor_binding: top-level actor is sole location) */
+  proof_ref: zod.z.string().max(EXTENSION_LIMITS.maxProofRefLength).optional()
+}).strict();
+var TRACE_ID_PATTERN = /^[0-9a-f]{32}$/;
+var SPAN_ID_PATTERN = /^[0-9a-f]{16}$/;
+var CorrelationExtensionSchema = zod.z.object({
+  /** OpenTelemetry-compatible trace ID (32 lowercase hex chars) */
+  trace_id: zod.z.string().length(EXTENSION_LIMITS.maxTraceIdLength).regex(TRACE_ID_PATTERN, "trace_id must be 32 lowercase hex characters").optional(),
+  /** OpenTelemetry-compatible span ID (16 lowercase hex chars) */
+  span_id: zod.z.string().length(EXTENSION_LIMITS.maxSpanIdLength).regex(SPAN_ID_PATTERN, "span_id must be 16 lowercase hex characters").optional(),
+  /** Workflow identifier */
+  workflow_id: zod.z.string().min(1).max(EXTENSION_LIMITS.maxWorkflowIdLength).optional(),
+  /** Parent receipt JTI for causal chains */
+  parent_jti: zod.z.string().min(1).max(EXTENSION_LIMITS.maxParentJtiLength).optional(),
+  /** JTIs this receipt depends on */
+  depends_on: zod.z.array(zod.z.string().min(1).max(EXTENSION_LIMITS.maxParentJtiLength)).max(EXTENSION_LIMITS.maxDependsOnLength).optional()
+}).strict();
+var EXTENSION_SCHEMA_MAP = /* @__PURE__ */ new Map();
+EXTENSION_SCHEMA_MAP.set(COMMERCE_EXTENSION_KEY, CommerceExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(ACCESS_EXTENSION_KEY, AccessExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(CHALLENGE_EXTENSION_KEY, ChallengeExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(IDENTITY_EXTENSION_KEY, IdentityExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(CORRELATION_EXTENSION_KEY, CorrelationExtensionSchema);
+function validateKnownExtensions(extensions, ctx) {
+  if (extensions === void 0) return;
+  for (const key of Object.keys(extensions)) {
+    if (!isValidExtensionKey(key)) {
+      ctx.addIssue({
+        code: "custom",
+        message: ERROR_CODES.E_INVALID_EXTENSION_KEY,
+        path: ["extensions", key]
+      });
+      continue;
+    }
+    const schema = EXTENSION_SCHEMA_MAP.get(key);
+    if (schema !== void 0) {
+      const result = schema.safeParse(extensions[key]);
+      if (!result.success) {
+        const firstIssue = result.error.issues[0];
+        const issuePath = firstIssue?.path ?? [];
+        ctx.addIssue({
+          code: "custom",
+          message: firstIssue?.message ?? "Invalid extension value",
+          path: ["extensions", key, ...issuePath]
+        });
+      }
+    }
+  }
+}
+
+// src/wire-02-envelope.ts
+function isSortedAndUnique(arr) {
+  for (let i = 1; i < arr.length; i++) {
+    if (arr[i] <= arr[i - 1]) return false;
+  }
+  return true;
+}
+function isCanonicalIss(iss) {
+  if (typeof iss !== "string" || iss.length === 0 || iss.length > kernel.ISS_CANONICAL.maxLength) {
+    return false;
+  }
+  if (iss.startsWith("did:")) {
+    return /^did:[a-z0-9]+:[^#?/]+$/.test(iss);
+  }
+  try {
+    const url = new URL(iss);
+    if (url.protocol !== "https:") return false;
+    if (!url.hostname) return false;
+    if (url.username !== "" || url.password !== "") return false;
+    const origin = `${url.protocol}//${url.host}`;
+    return iss === origin;
+  } catch {
+    return false;
+  }
+}
+var ABS_URI_PATTERN = /^[a-z][a-z0-9+.-]*:\/\//;
+function isValidReceiptType(value) {
+  if (value.length === 0 || value.length > kernel.TYPE_GRAMMAR.maxLength) return false;
+  if (ABS_URI_PATTERN.test(value)) return true;
+  const slashIdx = value.indexOf("/");
+  if (slashIdx <= 0) return false;
+  const domain = value.slice(0, slashIdx);
+  const segment = value.slice(slashIdx + 1);
+  if (!domain.includes(".")) return false;
+  if (segment.length === 0) return false;
+  if (!/^[a-zA-Z0-9][a-zA-Z0-9.-]*$/.test(domain)) return false;
+  if (!/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/.test(segment)) return false;
+  return true;
+}
+var EVIDENCE_PILLARS = [
+  "access",
+  "attribution",
+  "commerce",
+  "compliance",
+  "consent",
+  "identity",
+  "privacy",
+  "provenance",
+  "purpose",
+  "safety"
+];
+var EvidencePillarSchema = zod.z.enum(
+  EVIDENCE_PILLARS
+);
+var PillarsSchema = zod.z.array(EvidencePillarSchema).min(1).superRefine((arr, ctx) => {
+  if (!isSortedAndUnique(arr)) {
+    ctx.addIssue({
+      code: "custom",
+      message: "E_PILLARS_NOT_SORTED"
+    });
+  }
+});
+var Wire02KindSchema = zod.z.enum(["evidence", "challenge"]);
+var ReceiptTypeSchema = zod.z.string().max(kernel.TYPE_GRAMMAR.maxLength).refine(isValidReceiptType, {
+  message: "type must be reverse-DNS notation (e.g., org.example/flow) or an absolute URI"
+});
+var CanonicalIssSchema = zod.z.string().max(kernel.ISS_CANONICAL.maxLength).refine(isCanonicalIss, {
+  message: "E_ISS_NOT_CANONICAL"
+});
+var PolicyBlockSchema = zod.z.object({
+  /** JCS+SHA-256 digest: 'sha256:<64 lowercase hex>' */
+  digest: zod.z.string().regex(kernel.HASH.pattern, "digest must be sha256:<64 lowercase hex>"),
+  /**
+   * HTTPS locator hint for the policy document.
+   * MUST be an https:// URL (max 2048 chars).
+   * MUST NOT trigger auto-fetch; callers use this as a hint only (DD-55).
+   */
+  uri: zod.z.string().max(kernel.POLICY_BLOCK.uriMaxLength).url().refine((u) => u.startsWith("https://"), "policy.uri must be an https:// URL").optional(),
+  /** Caller-assigned version label (max 256 chars) */
+  version: zod.z.string().max(kernel.POLICY_BLOCK.versionMaxLength).optional()
+});
+var Wire02ClaimsSchema = zod.z.object({
+  /** Wire format version discriminant; always '0.2' for Wire 0.2 */
+  peac_version: zod.z.literal("0.2"),
+  /** Structural kind: 'evidence' or 'challenge' */
+  kind: Wire02KindSchema,
+  /** Open semantic type (reverse-DNS or absolute URI) */
+  type: ReceiptTypeSchema,
+  /** Canonical issuer (https:// ASCII origin or did: identifier) */
+  iss: CanonicalIssSchema,
+  /** Issued-at time (Unix seconds). REQUIRED. */
+  iat: zod.z.number().int(),
+  /** Unique receipt identifier; 1 to 256 chars */
+  jti: zod.z.string().min(1).max(256),
+  /** Subject identifier; max 2048 chars */
+  sub: zod.z.string().max(2048).optional(),
+  /** Evidence pillars (closed 10-value taxonomy); sorted ascending, unique */
+  pillars: PillarsSchema.optional(),
+  /** Top-level actor binding (sole location for ActorBinding in Wire 0.2) */
+  actor: ActorBindingSchema.optional(),
+  /** Policy binding block (DD-151) */
+  policy: PolicyBlockSchema.optional(),
+  /** Representation fields (DD-152): FingerprintRef validation, sha256-only, strict */
+  representation: Wire02RepresentationFieldsSchema.optional(),
+  /** ISO 8601 / RFC 3339 timestamp when the interaction occurred; evidence kind only */
+  occurred_at: zod.z.string().datetime({ offset: true }).optional(),
+  /** Declared purpose string; max 256 chars */
+  purpose_declared: zod.z.string().max(256).optional(),
+  /** Extension groups (open; known group keys validated by group schema) */
+  extensions: zod.z.record(zod.z.string(), zod.z.unknown()).optional()
+}).superRefine((data, ctx) => {
+  if (data.kind === "challenge" && data.occurred_at !== void 0) {
+    ctx.addIssue({
+      code: "custom",
+      message: "E_OCCURRED_AT_ON_CHALLENGE"
+    });
+  }
+  validateKnownExtensions(data.extensions, ctx);
+}).strict();
 
 // src/receipt-parser.ts
-function classifyReceipt(obj) {
+function detectWireVersion(obj) {
+  if (obj === null || obj === void 0 || typeof obj !== "object" || Array.isArray(obj)) {
+    return null;
+  }
+  const record = obj;
+  if (record.peac_version === "0.2") return "0.2";
+  if ("peac_version" in record) return null;
+  return "0.1";
+}
+function classifyWire01Receipt(obj) {
   if ("amt" in obj || "cur" in obj || "payment" in obj) {
     return "commerce";
   }
   return "attestation";
 }
-function parseReceiptClaims(input, _opts) {
+function parseReceiptClaims(input, opts) {
   if (input === null || input === void 0 || typeof input !== "object" || Array.isArray(input)) {
     return {
       ok: false,
@@ -293,7 +747,37 @@ function parseReceiptClaims(input, _opts) {
     };
   }
   const obj = input;
-  const variant = classifyReceipt(obj);
+  const wireVersion = opts?.wireVersion === "0.2" || opts?.wireVersion === "0.1" ? opts.wireVersion : detectWireVersion(obj);
+  if (wireVersion === null) {
+    return {
+      ok: false,
+      error: {
+        code: "E_UNSUPPORTED_WIRE_VERSION",
+        message: `Unsupported or unrecognized peac_version: ${JSON.stringify(obj["peac_version"])}`
+      }
+    };
+  }
+  if (wireVersion === "0.2") {
+    const result2 = Wire02ClaimsSchema.safeParse(obj);
+    if (!result2.success) {
+      return {
+        ok: false,
+        error: {
+          code: "E_INVALID_FORMAT",
+          message: `Wire 0.2 receipt validation failed: ${result2.error.issues.map((i) => i.message).join("; ")}`,
+          issues: result2.error.issues
+        }
+      };
+    }
+    return {
+      ok: true,
+      variant: "wire-02",
+      wireVersion: "0.2",
+      warnings: [],
+      claims: result2.data
+    };
+  }
+  const variant = classifyWire01Receipt(obj);
   if (variant === "commerce") {
     const result2 = ReceiptClaimsSchema.safeParse(obj);
     if (!result2.success) {
@@ -309,6 +793,8 @@ function parseReceiptClaims(input, _opts) {
     return {
       ok: true,
       variant: "commerce",
+      wireVersion: "0.1",
+      warnings: [],
       claims: result2.data
     };
   }
@@ -326,10 +812,13 @@ function parseReceiptClaims(input, _opts) {
   return {
     ok: true,
     variant: "attestation",
+    wireVersion: "0.1",
+    warnings: [],
     claims: result.data
   };
 }
 
+exports.detectWireVersion = detectWireVersion;
 exports.parseReceiptClaims = parseReceiptClaims;
 //# sourceMappingURL=receipt-parser.cjs.map
 //# sourceMappingURL=receipt-parser.cjs.map