@peac/schema 0.11.3 → 0.12.0-preview.2

package/dist/receipt-parser.d.ts

@@ -2,20 +2,24 @@
  * Unified Receipt Parser
  *
  * Single entry point for classifying and validating receipt claims.
- * Supports both commerce (payment) and attestation receipt profiles.
+ * Supports Wire 0.1 (commerce and attestation) and Wire 0.2 receipts.
  *
- * Classification uses key presence ('amt' in obj), NOT truthy values.
+ * Wire 0.1 classification uses key presence ('amt' in obj), NOT truthy values.
  * If any of amt|cur|payment are present, the receipt is classified as commerce.
  * If commerce validation fails, it returns a commerce error -- never falls
  * through to attestation.
+ *
+ * Wire 0.2 detection uses the peac_version field (value '0.2').
  */
 import { ZodError } from 'zod';
+import type { VerificationWarning } from '@peac/kernel';
 import { type ReceiptClaimsType } from './validators.js';
 import { type AttestationReceiptClaims } from './attestation-receipt.js';
+import { type Wire02Claims } from './wire-02-envelope.js';
 /**
- * Receipt variant discriminator
+ * Receipt variant discriminator for Wire 0.1
  */
-export type ReceiptVariant = 'commerce' | 'attestation';
+export type ReceiptVariant = 'commerce' | 'attestation' | 'wire-02';
 /**
  * Parse error with canonical error code
  */
@@ -28,12 +32,16 @@ export interface PEACParseError {
     issues?: ZodError['issues'];
 }
 /**
- * Successful parse result
+ * Successful parse result (v0.12.0-preview.1: adds wireVersion and warnings)
  */
 export interface ParseSuccess {
     ok: true;
     variant: ReceiptVariant;
-    claims: ReceiptClaimsType | AttestationReceiptClaims;
+    /** Wire version of the parsed receipt */
+    wireVersion: '0.1' | '0.2';
+    /** Verification warnings collected during parsing (Wire 0.1: always []) */
+    warnings: VerificationWarning[];
+    claims: ReceiptClaimsType | AttestationReceiptClaims | Wire02Claims;
 }
 /**
  * Failed parse result
@@ -47,22 +55,36 @@ export interface ParseFailure {
  */
 export type ParseReceiptResult = ParseSuccess | ParseFailure;
 /**
- * Options for parseReceiptClaims (extensible for future wire versions)
+ * Options for parseReceiptClaims
  */
 export interface ParseReceiptOptions {
-    /** Reserved for future use (wire version discrimination in v0.12.0+) */
+    /** Wire version hint; if provided, skips auto-detection */
     wireVersion?: string;
 }
+/**
+ * Detect the wire version of a receipt payload.
+ *
+ * Wire 0.2 receipts contain a `peac_version: '0.2'` field.
+ * Wire 0.1 receipts have no `peac_version` field.
+ *
+ * @param obj - Raw claims object
+ * @returns '0.2' if Wire 0.2, '0.1' if Wire 0.1, null if indeterminate
+ */
+export declare function detectWireVersion(obj: unknown): '0.1' | '0.2' | null;
 /**
  * Parse and validate receipt claims.
  *
- * Unified entry point for both commerce and attestation receipt validation.
- * Classification is strict: if any commerce key (amt, cur, payment) is present,
- * the receipt MUST validate as commerce. There is no fallback to attestation.
+ * Unified entry point for Wire 0.1 (commerce + attestation) and Wire 0.2
+ * receipt validation. Wire version is auto-detected from the `peac_version`
+ * field unless `opts.wireVersion` overrides it.
+ *
+ * Wire 0.1 classification is strict: if any commerce key (amt, cur, payment)
+ * is present, the receipt MUST validate as commerce. There is no fallback to
+ * attestation for Wire 0.1.
  *
  * @param input - Raw claims object (typically decoded from JWS payload)
- * @param _opts - Reserved for future use
- * @returns Parse result with variant discrimination and validated claims, or error
+ * @param opts - Optional parse options
+ * @returns Parse result with variant discrimination, wireVersion, warnings, and validated claims
  */
-export declare function parseReceiptClaims(input: unknown, _opts?: ParseReceiptOptions): ParseReceiptResult;
+export declare function parseReceiptClaims(input: unknown, opts?: ParseReceiptOptions): ParseReceiptResult;
 //# sourceMappingURL=receipt-parser.d.ts.map

package/dist/receipt-parser.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"receipt-parser.d.ts","sourceRoot":"","sources":["../src/receipt-parser.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,KAAK,CAAC;AAC/B,OAAO,EAAuB,KAAK,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAC9E,OAAO,EAEL,KAAK,wBAAwB,EAC9B,MAAM,0BAA0B,CAAC;AAElC;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,UAAU,GAAG,aAAa,CAAC;AAExD;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,yDAAyD;IACzD,IAAI,EAAE,MAAM,CAAC;IACb,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,+CAA+C;IAC/C,MAAM,CAAC,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,IAAI,CAAC;IACT,OAAO,EAAE,cAAc,CAAC;IACxB,MAAM,EAAE,iBAAiB,GAAG,wBAAwB,CAAC;CACtD;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,KAAK,CAAC;IACV,KAAK,EAAE,cAAc,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAAG,YAAY,GAAG,YAAY,CAAC;AAE7D;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,wEAAwE;IACxE,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAeD;;;;;;;;;;GAUG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,OAAO,EACd,KAAK,CAAC,EAAE,mBAAmB,GAC1B,kBAAkB,CAmDpB"}
+{"version":3,"file":"receipt-parser.d.ts","sourceRoot":"","sources":["../src/receipt-parser.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,KAAK,CAAC;AAC/B,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC;AACxD,OAAO,EAAuB,KAAK,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAC9E,OAAO,EAEL,KAAK,wBAAwB,EAC9B,MAAM,0BAA0B,CAAC;AAClC,OAAO,EAAsB,KAAK,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAE9E;;GAEG;AACH,MAAM,MAAM,cAAc,GAAG,UAAU,GAAG,aAAa,GAAG,SAAS,CAAC;AAEpE;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,yDAAyD;IACzD,IAAI,EAAE,MAAM,CAAC;IACb,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,+CAA+C;IAC/C,MAAM,CAAC,EAAE,QAAQ,CAAC,QAAQ,CAAC,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,IAAI,CAAC;IACT,OAAO,EAAE,cAAc,CAAC;IACxB,yCAAyC;IACzC,WAAW,EAAE,KAAK,GAAG,KAAK,CAAC;IAC3B,2EAA2E;IAC3E,QAAQ,EAAE,mBAAmB,EAAE,CAAC;IAChC,MAAM,EAAE,iBAAiB,GAAG,wBAAwB,GAAG,YAAY,CAAC;CACrE;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,KAAK,CAAC;IACV,KAAK,EAAE,cAAc,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAAG,YAAY,GAAG,YAAY,CAAC;AAE7D;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,2DAA2D;IAC3D,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAMD;;;;;;;;GAQG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,OAAO,GAAG,KAAK,GAAG,KAAK,GAAG,IAAI,CAQpE;AAuBD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,OAAO,EAAE,IAAI,CAAC,EAAE,mBAAmB,GAAG,kBAAkB,CAmGjG"}

package/dist/receipt-parser.mjs

@@ -1,5 +1,5 @@
 import { z } from 'zod';
-import { ALGORITHMS, HEADERS, POLICY, ISSUER_CONFIG, DISCOVERY, WIRE_TYPE } from '@peac/kernel';
+import { ALGORITHMS, HEADERS, POLICY, ISSUER_CONFIG, DISCOVERY, WIRE_TYPE, TYPE_GRAMMAR, ISS_CANONICAL, POLICY_BLOCK, HASH } from '@peac/kernel';
 
 // src/validators.ts
 var PEAC_WIRE_TYP = WIRE_TYPE;
@@ -43,6 +43,10 @@ var JsonObjectSchema = PlainObjectSchema.transform(
   (obj) => obj
 ).pipe(z.record(z.string(), JsonValueSchema));
 z.array(JsonValueSchema);
+var ERROR_CODES = {
+  // Wire 0.2 extension errors (400, DD-153/DD-156)
+  E_INVALID_EXTENSION_KEY: "E_INVALID_EXTENSION_KEY"
+};
 
 // src/purpose.ts
 var PURPOSE_TOKEN_REGEX = /^[a-z](?:[a-z0-9_-]*[a-z0-9])?(?::[a-z](?:[a-z0-9_-]*[a-z0-9])?)?$/;
@@ -272,15 +276,465 @@ var AttestationReceiptClaimsSchema = z.object({
   /** Extensions (optional) */
   ext: AttestationExtensionsSchema.optional()
 }).strict();
+var PROOF_TYPES = [
+  "ed25519-cert-chain",
+  "eat-passport",
+  "eat-background-check",
+  "sigstore-oidc",
+  "did",
+  "spiffe",
+  "x509-pki",
+  "custom"
+];
+var ProofTypeSchema = z.enum(PROOF_TYPES);
+function isOriginOnly(value) {
+  try {
+    const url = new URL(value);
+    if (url.protocol !== "https:" && url.protocol !== "http:") {
+      return false;
+    }
+    if (url.pathname !== "/") {
+      return false;
+    }
+    if (url.search !== "") {
+      return false;
+    }
+    if (url.hash !== "" || value.includes("#")) {
+      return false;
+    }
+    if (url.username !== "" || url.password !== "") {
+      return false;
+    }
+    if (url.hostname.endsWith(".")) {
+      return false;
+    }
+    const hostPart = value.replace(/^https?:\/\//, "").split(/[/:]/)[0];
+    if (hostPart.endsWith(".")) {
+      return false;
+    }
+    if (url.hostname.includes("%")) {
+      return false;
+    }
+    return true;
+  } catch {
+    return false;
+  }
+}
+var ActorBindingSchema = z.object({
+  /** Stable actor identifier (opaque, no PII) */
+  id: z.string().min(1).max(256),
+  /** Proof type from DD-143 multi-root vocabulary */
+  proof_type: ProofTypeSchema,
+  /** URI or hash of external proof artifact */
+  proof_ref: z.string().max(2048).optional(),
+  /** Origin-only URL: scheme + host + optional port; NO path, query, or fragment */
+  origin: z.string().max(2048).refine(isOriginOnly, {
+    message: "origin must be an origin-only URL (scheme + host + optional port; no path, query, or fragment)"
+  }),
+  /** SHA-256 hash of the intent (hash-first per DD-138) */
+  intent_hash: z.string().regex(/^sha256:[a-f0-9]{64}$/, {
+    message: "intent_hash must match sha256:<64 hex chars>"
+  }).optional()
+}).strict();
+var MVISTimeBoundsSchema = z.object({
+  /** Earliest valid time (RFC 3339) */
+  not_before: z.string().datetime(),
+  /** Latest valid time (RFC 3339) */
+  not_after: z.string().datetime()
+}).strict();
+var MVISReplayProtectionSchema = z.object({
+  /** Unique token identifier (jti from JWT or equivalent) */
+  jti: z.string().min(1).max(256),
+  /** Optional nonce for additional replay protection */
+  nonce: z.string().max(256).optional()
+}).strict();
+z.object({
+  /** Who issued the identity assertion */
+  issuer: z.string().min(1).max(2048),
+  /** Who the identity is about (opaque identifier, no PII) */
+  subject: z.string().min(1).max(256),
+  /** Cryptographic binding: kid or JWK thumbprint */
+  key_binding: z.string().min(1).max(256),
+  /** Validity period */
+  time_bounds: MVISTimeBoundsSchema,
+  /** Replay protection */
+  replay_protection: MVISReplayProtectionSchema
+}).strict();
+
+// src/extensions/fingerprint-ref.ts
+function hexToBase64url(hex) {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
+  }
+  let base64;
+  if (typeof Buffer !== "undefined") {
+    base64 = Buffer.from(bytes).toString("base64");
+  } else {
+    base64 = btoa(String.fromCharCode(...bytes));
+  }
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+var STRING_FORM_PATTERN = /^(sha256|hmac-sha256):([a-f0-9]{64})$/;
+var MAX_FINGERPRINT_REF_LENGTH = 76;
+function stringToFingerprintRef(s) {
+  if (s.length > MAX_FINGERPRINT_REF_LENGTH) {
+    return null;
+  }
+  const match = STRING_FORM_PATTERN.exec(s);
+  if (!match) {
+    return null;
+  }
+  const alg = match[1];
+  const hex = match[2];
+  return {
+    alg,
+    value: hexToBase64url(hex)
+  };
+}
+
+// src/wire-02-representation.ts
+function isValidContentHash(s) {
+  const ref = stringToFingerprintRef(s);
+  if (ref === null) return false;
+  return ref.alg === "sha256";
+}
+var MIME_PATTERN = /^[a-zA-Z0-9][a-zA-Z0-9!#$&\-^_.+]*\/[a-zA-Z0-9][a-zA-Z0-9!#$&\-^_.+]*(;\s*[a-zA-Z0-9][a-zA-Z0-9!#$&\-^_.+]*=[^\s;]+)*$/;
+function isValidMimeType(s) {
+  return MIME_PATTERN.test(s);
+}
+var REPRESENTATION_LIMITS = {
+  /** Max content_hash string length (sha256:<64 hex> = 71 chars, capped at FingerprintRef max) */
+  maxContentHashLength: MAX_FINGERPRINT_REF_LENGTH,
+  /** Max content_type string length */
+  maxContentTypeLength: 256
+};
+var Wire02RepresentationFieldsSchema = z.object({
+  /**
+   * FingerprintRef of the served content body.
+   * Format: sha256:<64 lowercase hex>
+   * hmac-sha256 is NOT permitted for representation hashes.
+   */
+  content_hash: z.string().max(REPRESENTATION_LIMITS.maxContentHashLength).refine(isValidContentHash, {
+    message: "content_hash must be a valid sha256 FingerprintRef (sha256:<64 lowercase hex>)"
+  }).optional(),
+  /**
+   * MIME type of the served content (e.g., 'text/plain', 'application/json').
+   * Conservative pattern validation: type/subtype with optional parameters.
+   */
+  content_type: z.string().max(REPRESENTATION_LIMITS.maxContentTypeLength).refine(isValidMimeType, {
+    message: "content_type must be a valid MIME type (type/subtype with optional parameters)"
+  }).optional(),
+  /**
+   * Size of the served content in bytes.
+   * Non-negative integer, bounded by Number.MAX_SAFE_INTEGER.
+   */
+  content_length: z.number().int().finite().nonnegative().max(Number.MAX_SAFE_INTEGER).optional()
+}).strict();
+var EXTENSION_LIMITS = {
+  // Extension key grammar
+  maxExtensionKeyLength: 512,
+  maxDnsLabelLength: 63,
+  maxDnsDomainLength: 253,
+  // Commerce
+  maxPaymentRailLength: 128,
+  maxCurrencyLength: 16,
+  maxAmountMinorLength: 64,
+  maxReferenceLength: 256,
+  maxAssetLength: 256,
+  // Access
+  maxResourceLength: 2048,
+  maxActionLength: 256,
+  // Challenge
+  maxProblemTypeLength: 2048,
+  maxProblemTitleLength: 256,
+  maxProblemDetailLength: 4096,
+  maxProblemInstanceLength: 2048,
+  // Identity
+  maxProofRefLength: 256,
+  // Correlation
+  maxTraceIdLength: 32,
+  maxSpanIdLength: 16,
+  maxWorkflowIdLength: 256,
+  maxParentJtiLength: 256,
+  maxDependsOnLength: 64
+};
+var DNS_LABEL = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/;
+var SEGMENT_PATTERN = /^[a-z0-9][a-z0-9_-]*$/;
+function isValidExtensionKey(key) {
+  if (key.length === 0 || key.length > EXTENSION_LIMITS.maxExtensionKeyLength) return false;
+  const slashIdx = key.indexOf("/");
+  if (slashIdx <= 0) return false;
+  const domain = key.slice(0, slashIdx);
+  const segment = key.slice(slashIdx + 1);
+  if (!domain.includes(".")) return false;
+  if (domain.length > EXTENSION_LIMITS.maxDnsDomainLength) return false;
+  if (segment.length === 0) return false;
+  if (!SEGMENT_PATTERN.test(segment)) return false;
+  const labels = domain.split(".");
+  for (const label of labels) {
+    if (label.length === 0 || label.length > EXTENSION_LIMITS.maxDnsLabelLength) return false;
+    if (!DNS_LABEL.test(label)) return false;
+  }
+  return true;
+}
+var COMMERCE_EXTENSION_KEY = "org.peacprotocol/commerce";
+var ACCESS_EXTENSION_KEY = "org.peacprotocol/access";
+var CHALLENGE_EXTENSION_KEY = "org.peacprotocol/challenge";
+var IDENTITY_EXTENSION_KEY = "org.peacprotocol/identity";
+var CORRELATION_EXTENSION_KEY = "org.peacprotocol/correlation";
+var AMOUNT_MINOR_PATTERN = /^-?[0-9]+$/;
+var CommerceExtensionSchema = z.object({
+  /** Payment rail identifier (e.g., 'stripe', 'x402', 'lightning') */
+  payment_rail: z.string().min(1).max(EXTENSION_LIMITS.maxPaymentRailLength),
+  /**
+   * Amount in smallest currency unit as a string for arbitrary precision.
+   * Base-10 integer: optional leading minus, one or more digits.
+   * Decimals and empty strings are rejected.
+   */
+  amount_minor: z.string().min(1).max(EXTENSION_LIMITS.maxAmountMinorLength).regex(
+    AMOUNT_MINOR_PATTERN,
+    'amount_minor must be a base-10 integer string (e.g., "1000", "-50")'
+  ),
+  /** ISO 4217 currency code or asset identifier */
+  currency: z.string().min(1).max(EXTENSION_LIMITS.maxCurrencyLength),
+  /** Caller-assigned payment reference */
+  reference: z.string().max(EXTENSION_LIMITS.maxReferenceLength).optional(),
+  /** Asset identifier for non-fiat (e.g., token address) */
+  asset: z.string().max(EXTENSION_LIMITS.maxAssetLength).optional(),
+  /** Environment discriminant */
+  env: z.enum(["live", "test"]).optional()
+}).strict();
+var AccessExtensionSchema = z.object({
+  /** Resource being accessed (URI or identifier) */
+  resource: z.string().min(1).max(EXTENSION_LIMITS.maxResourceLength),
+  /** Action performed on the resource */
+  action: z.string().min(1).max(EXTENSION_LIMITS.maxActionLength),
+  /** Access decision */
+  decision: z.enum(["allow", "deny", "review"])
+}).strict();
+var CHALLENGE_TYPES = [
+  "payment_required",
+  "identity_required",
+  "consent_required",
+  "attestation_required",
+  "rate_limited",
+  "purpose_disallowed",
+  "custom"
+];
+var ChallengeTypeSchema = z.enum(CHALLENGE_TYPES);
+var ProblemDetailsSchema = z.object({
+  /** HTTP status code (100-599) */
+  status: z.number().int().min(100).max(599),
+  /** Problem type URI */
+  type: z.string().min(1).max(EXTENSION_LIMITS.maxProblemTypeLength).url(),
+  /** Short human-readable summary */
+  title: z.string().max(EXTENSION_LIMITS.maxProblemTitleLength).optional(),
+  /** Human-readable explanation specific to this occurrence */
+  detail: z.string().max(EXTENSION_LIMITS.maxProblemDetailLength).optional(),
+  /** URI reference identifying the specific occurrence */
+  instance: z.string().max(EXTENSION_LIMITS.maxProblemInstanceLength).optional()
+}).passthrough();
+var ChallengeExtensionSchema = z.object({
+  /** Challenge type (7 values) */
+  challenge_type: ChallengeTypeSchema,
+  /** RFC 9457 Problem Details */
+  problem: ProblemDetailsSchema,
+  /** Resource that triggered the challenge */
+  resource: z.string().max(EXTENSION_LIMITS.maxResourceLength).optional(),
+  /** Action that triggered the challenge */
+  action: z.string().max(EXTENSION_LIMITS.maxActionLength).optional(),
+  /** Caller-defined requirements for resolving the challenge */
+  requirements: z.record(z.string(), z.unknown()).optional()
+}).strict();
+var IdentityExtensionSchema = z.object({
+  /** Proof reference (opaque string; no actor_binding: top-level actor is sole location) */
+  proof_ref: z.string().max(EXTENSION_LIMITS.maxProofRefLength).optional()
+}).strict();
+var TRACE_ID_PATTERN = /^[0-9a-f]{32}$/;
+var SPAN_ID_PATTERN = /^[0-9a-f]{16}$/;
+var CorrelationExtensionSchema = z.object({
+  /** OpenTelemetry-compatible trace ID (32 lowercase hex chars) */
+  trace_id: z.string().length(EXTENSION_LIMITS.maxTraceIdLength).regex(TRACE_ID_PATTERN, "trace_id must be 32 lowercase hex characters").optional(),
+  /** OpenTelemetry-compatible span ID (16 lowercase hex chars) */
+  span_id: z.string().length(EXTENSION_LIMITS.maxSpanIdLength).regex(SPAN_ID_PATTERN, "span_id must be 16 lowercase hex characters").optional(),
+  /** Workflow identifier */
+  workflow_id: z.string().min(1).max(EXTENSION_LIMITS.maxWorkflowIdLength).optional(),
+  /** Parent receipt JTI for causal chains */
+  parent_jti: z.string().min(1).max(EXTENSION_LIMITS.maxParentJtiLength).optional(),
+  /** JTIs this receipt depends on */
+  depends_on: z.array(z.string().min(1).max(EXTENSION_LIMITS.maxParentJtiLength)).max(EXTENSION_LIMITS.maxDependsOnLength).optional()
+}).strict();
+var EXTENSION_SCHEMA_MAP = /* @__PURE__ */ new Map();
+EXTENSION_SCHEMA_MAP.set(COMMERCE_EXTENSION_KEY, CommerceExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(ACCESS_EXTENSION_KEY, AccessExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(CHALLENGE_EXTENSION_KEY, ChallengeExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(IDENTITY_EXTENSION_KEY, IdentityExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(CORRELATION_EXTENSION_KEY, CorrelationExtensionSchema);
+function validateKnownExtensions(extensions, ctx) {
+  if (extensions === void 0) return;
+  for (const key of Object.keys(extensions)) {
+    if (!isValidExtensionKey(key)) {
+      ctx.addIssue({
+        code: "custom",
+        message: ERROR_CODES.E_INVALID_EXTENSION_KEY,
+        path: ["extensions", key]
+      });
+      continue;
+    }
+    const schema = EXTENSION_SCHEMA_MAP.get(key);
+    if (schema !== void 0) {
+      const result = schema.safeParse(extensions[key]);
+      if (!result.success) {
+        const firstIssue = result.error.issues[0];
+        const issuePath = firstIssue?.path ?? [];
+        ctx.addIssue({
+          code: "custom",
+          message: firstIssue?.message ?? "Invalid extension value",
+          path: ["extensions", key, ...issuePath]
+        });
+      }
+    }
+  }
+}
+
+// src/wire-02-envelope.ts
+function isSortedAndUnique(arr) {
+  for (let i = 1; i < arr.length; i++) {
+    if (arr[i] <= arr[i - 1]) return false;
+  }
+  return true;
+}
+function isCanonicalIss(iss) {
+  if (typeof iss !== "string" || iss.length === 0 || iss.length > ISS_CANONICAL.maxLength) {
+    return false;
+  }
+  if (iss.startsWith("did:")) {
+    return /^did:[a-z0-9]+:[^#?/]+$/.test(iss);
+  }
+  try {
+    const url = new URL(iss);
+    if (url.protocol !== "https:") return false;
+    if (!url.hostname) return false;
+    if (url.username !== "" || url.password !== "") return false;
+    const origin = `${url.protocol}//${url.host}`;
+    return iss === origin;
+  } catch {
+    return false;
+  }
+}
+var ABS_URI_PATTERN = /^[a-z][a-z0-9+.-]*:\/\//;
+function isValidReceiptType(value) {
+  if (value.length === 0 || value.length > TYPE_GRAMMAR.maxLength) return false;
+  if (ABS_URI_PATTERN.test(value)) return true;
+  const slashIdx = value.indexOf("/");
+  if (slashIdx <= 0) return false;
+  const domain = value.slice(0, slashIdx);
+  const segment = value.slice(slashIdx + 1);
+  if (!domain.includes(".")) return false;
+  if (segment.length === 0) return false;
+  if (!/^[a-zA-Z0-9][a-zA-Z0-9.-]*$/.test(domain)) return false;
+  if (!/^[a-zA-Z0-9][a-zA-Z0-9._-]*$/.test(segment)) return false;
+  return true;
+}
+var EVIDENCE_PILLARS = [
+  "access",
+  "attribution",
+  "commerce",
+  "compliance",
+  "consent",
+  "identity",
+  "privacy",
+  "provenance",
+  "purpose",
+  "safety"
+];
+var EvidencePillarSchema = z.enum(
+  EVIDENCE_PILLARS
+);
+var PillarsSchema = z.array(EvidencePillarSchema).min(1).superRefine((arr, ctx) => {
+  if (!isSortedAndUnique(arr)) {
+    ctx.addIssue({
+      code: "custom",
+      message: "E_PILLARS_NOT_SORTED"
+    });
+  }
+});
+var Wire02KindSchema = z.enum(["evidence", "challenge"]);
+var ReceiptTypeSchema = z.string().max(TYPE_GRAMMAR.maxLength).refine(isValidReceiptType, {
+  message: "type must be reverse-DNS notation (e.g., org.example/flow) or an absolute URI"
+});
+var CanonicalIssSchema = z.string().max(ISS_CANONICAL.maxLength).refine(isCanonicalIss, {
+  message: "E_ISS_NOT_CANONICAL"
+});
+var PolicyBlockSchema = z.object({
+  /** JCS+SHA-256 digest: 'sha256:<64 lowercase hex>' */
+  digest: z.string().regex(HASH.pattern, "digest must be sha256:<64 lowercase hex>"),
+  /**
+   * HTTPS locator hint for the policy document.
+   * MUST be an https:// URL (max 2048 chars).
+   * MUST NOT trigger auto-fetch; callers use this as a hint only (DD-55).
+   */
+  uri: z.string().max(POLICY_BLOCK.uriMaxLength).url().refine((u) => u.startsWith("https://"), "policy.uri must be an https:// URL").optional(),
+  /** Caller-assigned version label (max 256 chars) */
+  version: z.string().max(POLICY_BLOCK.versionMaxLength).optional()
+});
+var Wire02ClaimsSchema = z.object({
+  /** Wire format version discriminant; always '0.2' for Wire 0.2 */
+  peac_version: z.literal("0.2"),
+  /** Structural kind: 'evidence' or 'challenge' */
+  kind: Wire02KindSchema,
+  /** Open semantic type (reverse-DNS or absolute URI) */
+  type: ReceiptTypeSchema,
+  /** Canonical issuer (https:// ASCII origin or did: identifier) */
+  iss: CanonicalIssSchema,
+  /** Issued-at time (Unix seconds). REQUIRED. */
+  iat: z.number().int(),
+  /** Unique receipt identifier; 1 to 256 chars */
+  jti: z.string().min(1).max(256),
+  /** Subject identifier; max 2048 chars */
+  sub: z.string().max(2048).optional(),
+  /** Evidence pillars (closed 10-value taxonomy); sorted ascending, unique */
+  pillars: PillarsSchema.optional(),
+  /** Top-level actor binding (sole location for ActorBinding in Wire 0.2) */
+  actor: ActorBindingSchema.optional(),
+  /** Policy binding block (DD-151) */
+  policy: PolicyBlockSchema.optional(),
+  /** Representation fields (DD-152): FingerprintRef validation, sha256-only, strict */
+  representation: Wire02RepresentationFieldsSchema.optional(),
+  /** ISO 8601 / RFC 3339 timestamp when the interaction occurred; evidence kind only */
+  occurred_at: z.string().datetime({ offset: true }).optional(),
+  /** Declared purpose string; max 256 chars */
+  purpose_declared: z.string().max(256).optional(),
+  /** Extension groups (open; known group keys validated by group schema) */
+  extensions: z.record(z.string(), z.unknown()).optional()
+}).superRefine((data, ctx) => {
+  if (data.kind === "challenge" && data.occurred_at !== void 0) {
+    ctx.addIssue({
+      code: "custom",
+      message: "E_OCCURRED_AT_ON_CHALLENGE"
+    });
+  }
+  validateKnownExtensions(data.extensions, ctx);
+}).strict();
 
 // src/receipt-parser.ts
-function classifyReceipt(obj) {
+function detectWireVersion(obj) {
+  if (obj === null || obj === void 0 || typeof obj !== "object" || Array.isArray(obj)) {
+    return null;
+  }
+  const record = obj;
+  if (record.peac_version === "0.2") return "0.2";
+  if ("peac_version" in record) return null;
+  return "0.1";
+}
+function classifyWire01Receipt(obj) {
   if ("amt" in obj || "cur" in obj || "payment" in obj) {
     return "commerce";
   }
   return "attestation";
 }
-function parseReceiptClaims(input, _opts) {
+function parseReceiptClaims(input, opts) {
   if (input === null || input === void 0 || typeof input !== "object" || Array.isArray(input)) {
     return {
       ok: false,
@@ -291,7 +745,37 @@ function parseReceiptClaims(input, _opts) {
     };
   }
   const obj = input;
-  const variant = classifyReceipt(obj);
+  const wireVersion = opts?.wireVersion === "0.2" || opts?.wireVersion === "0.1" ? opts.wireVersion : detectWireVersion(obj);
+  if (wireVersion === null) {
+    return {
+      ok: false,
+      error: {
+        code: "E_UNSUPPORTED_WIRE_VERSION",
+        message: `Unsupported or unrecognized peac_version: ${JSON.stringify(obj["peac_version"])}`
+      }
+    };
+  }
+  if (wireVersion === "0.2") {
+    const result2 = Wire02ClaimsSchema.safeParse(obj);
+    if (!result2.success) {
+      return {
+        ok: false,
+        error: {
+          code: "E_INVALID_FORMAT",
+          message: `Wire 0.2 receipt validation failed: ${result2.error.issues.map((i) => i.message).join("; ")}`,
+          issues: result2.error.issues
+        }
+      };
+    }
+    return {
+      ok: true,
+      variant: "wire-02",
+      wireVersion: "0.2",
+      warnings: [],
+      claims: result2.data
+    };
+  }
+  const variant = classifyWire01Receipt(obj);
   if (variant === "commerce") {
     const result2 = ReceiptClaimsSchema.safeParse(obj);
     if (!result2.success) {
@@ -307,6 +791,8 @@ function parseReceiptClaims(input, _opts) {
     return {
       ok: true,
       variant: "commerce",
+      wireVersion: "0.1",
+      warnings: [],
       claims: result2.data
     };
   }
@@ -324,10 +810,12 @@ function parseReceiptClaims(input, _opts) {
   return {
     ok: true,
     variant: "attestation",
+    wireVersion: "0.1",
+    warnings: [],
     claims: result.data
   };
 }
 
-export { parseReceiptClaims };
+export { detectWireVersion, parseReceiptClaims };
 //# sourceMappingURL=receipt-parser.mjs.map
 //# sourceMappingURL=receipt-parser.mjs.map