@peac/schema 0.12.1 → 0.12.3

package/dist/wire-02-extensions/limits.d.ts

@@ -0,0 +1,80 @@
+/**
+ * Wire 0.2 Extension Group Limits
+ *
+ * Centralized per-field bounds for all Wire 0.2 extension group fields.
+ * Prevents magic numbers and allows external reference.
+ * Follows repo _LIMITS convention.
+ *
+ * Byte-budget constants are normative and live in @peac/kernel
+ * (EXTENSION_BUDGET). Re-exported here for schema-layer convenience.
+ */
+export { EXTENSION_BUDGET } from '@peac/kernel';
+/**
+ * Normative per-field bounds for Wire 0.2 extension group fields.
+ */
+export declare const EXTENSION_LIMITS: {
+    readonly maxExtensionKeyLength: 512;
+    readonly maxDnsLabelLength: 63;
+    readonly maxDnsDomainLength: 253;
+    readonly maxPaymentRailLength: 128;
+    readonly maxCurrencyLength: 16;
+    readonly maxAmountMinorLength: 64;
+    readonly maxReferenceLength: 256;
+    readonly maxAssetLength: 256;
+    readonly maxCommerceEventLength: 64;
+    readonly maxResourceLength: 2048;
+    readonly maxActionLength: 256;
+    readonly maxProblemTypeLength: 2048;
+    readonly maxProblemTitleLength: 256;
+    readonly maxProblemDetailLength: 4096;
+    readonly maxProblemInstanceLength: 2048;
+    readonly maxProofRefLength: 256;
+    readonly maxTraceIdLength: 32;
+    readonly maxSpanIdLength: 16;
+    readonly maxWorkflowIdLength: 256;
+    readonly maxParentJtiLength: 256;
+    readonly maxDependsOnLength: 64;
+    readonly maxConsentBasisLength: 128;
+    readonly maxConsentMethodLength: 128;
+    readonly maxDataCategoriesCount: 64;
+    readonly maxDataCategoryLength: 128;
+    readonly maxConsentScopeLength: 256;
+    readonly maxJurisdictionLength: 16;
+    readonly maxFrameworkLength: 256;
+    readonly maxAuditRefLength: 256;
+    readonly maxAuditorLength: 256;
+    readonly maxComplianceScopeLength: 512;
+    readonly maxDataClassificationLength: 128;
+    readonly maxProcessingBasisLength: 128;
+    readonly maxAnonymizationMethodLength: 128;
+    readonly maxDataSubjectCategoryLength: 128;
+    readonly maxTransferMechanismLength: 128;
+    readonly maxAssessmentMethodLength: 256;
+    readonly maxSafetyMeasuresCount: 32;
+    readonly maxSafetyMeasureLength: 256;
+    readonly maxIncidentRefLength: 256;
+    readonly maxModelRefLength: 256;
+    readonly maxSafetyCategoryLength: 128;
+    readonly maxSourceTypeLength: 128;
+    readonly maxSourceRefLength: 256;
+    readonly maxVerificationMethodLength: 128;
+    readonly maxCustodyChainCount: 16;
+    readonly maxCustodianLength: 256;
+    readonly maxCustodyActionLength: 128;
+    readonly maxSlsaTrackLength: 64;
+    readonly maxSlsaVersionLength: 16;
+    readonly maxCreatorRefLength: 256;
+    readonly maxObligationTypeLength: 128;
+    readonly maxAttributionTextLength: 1024;
+    readonly maxContentSignalSourceLength: 128;
+    readonly maxExternalPurposesCount: 32;
+    readonly maxExternalPurposeLength: 128;
+    readonly maxPurposeBasisLength: 128;
+    readonly maxCompatiblePurposesCount: 32;
+    readonly maxHttpsUriLength: 2048;
+    readonly maxSha256DigestLength: 71;
+    readonly maxIso8601DurationLength: 64;
+    readonly maxIso8601DateLength: 10;
+    readonly maxSpdxExpressionLength: 128;
+};
+//# sourceMappingURL=limits.d.ts.map

package/dist/wire-02-extensions/limits.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"limits.d.ts","sourceRoot":"","sources":["../../src/wire-02-extensions/limits.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAEhD;;GAEG;AACH,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA2FnB,CAAC"}

package/dist/wire-02-extensions/privacy.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Privacy Extension Group (org.peacprotocol/privacy)
+ *
+ * Records data classification and handling observations.
+ * Aligned with ISO/IEC 27701 concepts.
+ *
+ * Design:
+ *   - Open taxonomy for data_classification, processing_basis, methods
+ *   - Closed enums for retention_mode, recipient_scope (universal categories)
+ *   - retention_period (ISO 8601 duration) and retention_mode are separate fields
+ *     to keep duration grammar and non-duration semantics distinct
+ *   - Observation-only semantics: records events, never enforces policy
+ *
+ * @see docs/specs/WIRE-0.2.md Section 12.11
+ */
+import { z } from 'zod';
+export declare const PRIVACY_EXTENSION_KEY: "org.peacprotocol/privacy";
+/**
+ * Retention mode: non-duration retention semantics.
+ * Separate from retention_period to keep duration grammar distinct.
+ *
+ * Closed enum: 3 values cover all non-duration retention patterns.
+ */
+export declare const RETENTION_MODES: readonly ["time_bound", "indefinite", "session_only"];
+export declare const RetentionModeSchema: z.ZodEnum<{
+    time_bound: "time_bound";
+    indefinite: "indefinite";
+    session_only: "session_only";
+}>;
+export type RetentionMode = z.infer<typeof RetentionModeSchema>;
+/**
+ * Recipient scope: aligned with GDPR Art 13-14 disclosure categories.
+ *
+ * Closed enum: 4 values cover standard data recipient classifications.
+ */
+export declare const RECIPIENT_SCOPES: readonly ["internal", "processor", "third_party", "public"];
+export declare const RecipientScopeSchema: z.ZodEnum<{
+    internal: "internal";
+    processor: "processor";
+    third_party: "third_party";
+    public: "public";
+}>;
+export type RecipientScope = z.infer<typeof RecipientScopeSchema>;
+export declare const PrivacyExtensionSchema: z.ZodObject<{
+    data_classification: z.ZodString;
+    processing_basis: z.ZodOptional<z.ZodString>;
+    retention_period: z.ZodOptional<z.ZodString>;
+    retention_mode: z.ZodOptional<z.ZodEnum<{
+        time_bound: "time_bound";
+        indefinite: "indefinite";
+        session_only: "session_only";
+    }>>;
+    recipient_scope: z.ZodOptional<z.ZodEnum<{
+        internal: "internal";
+        processor: "processor";
+        third_party: "third_party";
+        public: "public";
+    }>>;
+    anonymization_method: z.ZodOptional<z.ZodString>;
+    data_subject_category: z.ZodOptional<z.ZodString>;
+    transfer_mechanism: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+export type PrivacyExtension = z.infer<typeof PrivacyExtensionSchema>;
+//# sourceMappingURL=privacy.d.ts.map

package/dist/wire-02-extensions/privacy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"privacy.d.ts","sourceRoot":"","sources":["../../src/wire-02-extensions/privacy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB,eAAO,MAAM,qBAAqB,EAAG,0BAAmC,CAAC;AAEzE;;;;;GAKG;AACH,eAAO,MAAM,eAAe,uDAAwD,CAAC;AACrF,eAAO,MAAM,mBAAmB;;;;EAA0B,CAAC;AAC3D,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEhE;;;;GAIG;AACH,eAAO,MAAM,gBAAgB,6DAA8D,CAAC;AAC5F,eAAO,MAAM,oBAAoB;;;;;EAA2B,CAAC;AAC7D,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAElE,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;kBAgExB,CAAC;AAEZ,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC"}

package/dist/wire-02-extensions/provenance.d.ts

@@ -0,0 +1,58 @@
+/**
+ * Provenance Extension Group (org.peacprotocol/provenance)
+ *
+ * Records origin tracking and chain of custody as observations.
+ *
+ * Design:
+ *   - source_type required, open vocabulary for derivation categories
+ *   - custody_chain: ordered array of strict nested entries
+ *   - slsa: structured object recording SLSA-aligned metadata
+ *     (track-based model; does not certify SLSA compliance)
+ *   - URI fields are locator hints only; callers MUST NOT auto-fetch
+ *   - Observation-only semantics: records events, never enforces policy
+ */
+import { z } from 'zod';
+export declare const PROVENANCE_EXTENSION_KEY: "org.peacprotocol/provenance";
+/**
+ * A single entry in the custody chain.
+ *
+ * Records one transfer-of-custody event: who held it, what action
+ * occurred, and when. Ordered within the custody_chain array.
+ */
+export declare const CustodyEntrySchema: z.ZodObject<{
+    custodian: z.ZodString;
+    action: z.ZodString;
+    timestamp: z.ZodISODateTime;
+}, z.core.$strict>;
+export type CustodyEntry = z.infer<typeof CustodyEntrySchema>;
+/**
+ * Structured SLSA-aligned provenance metadata.
+ *
+ * Uses a track-based model rather than a flat scalar.
+ * Records metadata; does not certify compliance.
+ */
+export declare const SlsaLevelSchema: z.ZodObject<{
+    track: z.ZodString;
+    level: z.ZodNumber;
+    version: z.ZodString;
+}, z.core.$strict>;
+export type SlsaLevel = z.infer<typeof SlsaLevelSchema>;
+export declare const ProvenanceExtensionSchema: z.ZodObject<{
+    source_type: z.ZodString;
+    source_ref: z.ZodOptional<z.ZodString>;
+    source_uri: z.ZodOptional<z.ZodString>;
+    build_provenance_uri: z.ZodOptional<z.ZodString>;
+    verification_method: z.ZodOptional<z.ZodString>;
+    custody_chain: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        custodian: z.ZodString;
+        action: z.ZodString;
+        timestamp: z.ZodISODateTime;
+    }, z.core.$strict>>>;
+    slsa: z.ZodOptional<z.ZodObject<{
+        track: z.ZodString;
+        level: z.ZodNumber;
+        version: z.ZodString;
+    }, z.core.$strict>>;
+}, z.core.$strict>;
+export type ProvenanceExtension = z.infer<typeof ProvenanceExtensionSchema>;
+//# sourceMappingURL=provenance.d.ts.map

package/dist/wire-02-extensions/provenance.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provenance.d.ts","sourceRoot":"","sources":["../../src/wire-02-extensions/provenance.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB,eAAO,MAAM,wBAAwB,EAAG,6BAAsC,CAAC;AAM/E;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB;;;;kBAWpB,CAAC;AAEZ,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAE9D;;;;;GAKG;AACH,eAAO,MAAM,eAAe;;;;kBAWjB,CAAC;AAEZ,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAMxD,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;kBAiD3B,CAAC;AAEZ,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC"}

package/dist/wire-02-extensions/purpose-extension.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Purpose Extension Group (org.peacprotocol/purpose)
+ *
+ * Records external/legal/business purpose declarations as observations.
+ * Explicitly separated from PEAC operational purpose tokens
+ * (CanonicalPurpose in purpose.ts).
+ *
+ * Design:
+ *   - external_purposes: token-based array (machine-safe, bounded, unique)
+ *   - peac_purpose_mapping: optional bridge to PEAC operational tokens
+ *     via PURPOSE_TOKEN_REGEX
+ *   - No prose-heavy fields at schema layer
+ *   - Observation-only semantics: records events, never enforces policy
+ */
+import { z } from 'zod';
+export declare const PURPOSE_EXTENSION_KEY: "org.peacprotocol/purpose";
+export declare const PurposeExtensionSchema: z.ZodObject<{
+    external_purposes: z.ZodArray<z.ZodString>;
+    purpose_basis: z.ZodOptional<z.ZodString>;
+    purpose_limitation: z.ZodOptional<z.ZodBoolean>;
+    data_minimization: z.ZodOptional<z.ZodBoolean>;
+    compatible_purposes: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    peac_purpose_mapping: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+export type PurposeExtension = z.infer<typeof PurposeExtensionSchema>;
+//# sourceMappingURL=purpose-extension.d.ts.map

package/dist/wire-02-extensions/purpose-extension.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"purpose-extension.d.ts","sourceRoot":"","sources":["../../src/wire-02-extensions/purpose-extension.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB,eAAO,MAAM,qBAAqB,EAAG,0BAAmC,CAAC;AAsBzE,eAAO,MAAM,sBAAsB;;;;;;;kBAkDxB,CAAC;AAEZ,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC"}

package/dist/wire-02-extensions/safety.d.ts

@@ -0,0 +1,65 @@
+/**
+ * Safety Extension Group (org.peacprotocol/safety)
+ *
+ * Records safety assessment evidence. Jurisdiction-neutral design.
+ * Usage profiles decide when regulatory-specific fields become required.
+ *
+ * Design:
+ *   - review_status required (universal assessment lifecycle)
+ *   - risk_level optional at schema layer; usage profiles may require it
+ *   - Open taxonomy for assessment_method, safety_measures, category
+ *   - Observation-only semantics: records events, never enforces policy
+ *
+ * @see docs/specs/WIRE-0.2.md Section 12.12
+ */
+import { z } from 'zod';
+export declare const SAFETY_EXTENSION_KEY: "org.peacprotocol/safety";
+/**
+ * Review status: universal safety assessment lifecycle.
+ *
+ * Closed enum: 4 states cover the assessment lifecycle across
+ * EU AI Act, NIST AI RMF, ISO 23894, and general safety review.
+ */
+export declare const REVIEW_STATUSES: readonly ["reviewed", "pending", "flagged", "not_applicable"];
+export declare const ReviewStatusSchema: z.ZodEnum<{
+    reviewed: "reviewed";
+    pending: "pending";
+    flagged: "flagged";
+    not_applicable: "not_applicable";
+}>;
+export type ReviewStatus = z.infer<typeof ReviewStatusSchema>;
+/**
+ * Risk level: converges across EU AI Act Art 6, NIST AI RMF, ISO 23894.
+ *
+ * Closed enum: 4 risk tiers. Optional at schema level to maintain
+ * jurisdiction neutrality; usage profiles may require this field.
+ */
+export declare const RISK_LEVELS: readonly ["unacceptable", "high", "limited", "minimal"];
+export declare const RiskLevelSchema: z.ZodEnum<{
+    unacceptable: "unacceptable";
+    high: "high";
+    limited: "limited";
+    minimal: "minimal";
+}>;
+export type RiskLevel = z.infer<typeof RiskLevelSchema>;
+export declare const SafetyExtensionSchema: z.ZodObject<{
+    review_status: z.ZodEnum<{
+        reviewed: "reviewed";
+        pending: "pending";
+        flagged: "flagged";
+        not_applicable: "not_applicable";
+    }>;
+    risk_level: z.ZodOptional<z.ZodEnum<{
+        unacceptable: "unacceptable";
+        high: "high";
+        limited: "limited";
+        minimal: "minimal";
+    }>>;
+    assessment_method: z.ZodOptional<z.ZodString>;
+    safety_measures: z.ZodOptional<z.ZodArray<z.ZodString>>;
+    incident_ref: z.ZodOptional<z.ZodString>;
+    model_ref: z.ZodOptional<z.ZodString>;
+    category: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+export type SafetyExtension = z.infer<typeof SafetyExtensionSchema>;
+//# sourceMappingURL=safety.d.ts.map

package/dist/wire-02-extensions/safety.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"safety.d.ts","sourceRoot":"","sources":["../../src/wire-02-extensions/safety.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAGxB,eAAO,MAAM,oBAAoB,EAAG,yBAAkC,CAAC;AAEvE;;;;;GAKG;AACH,eAAO,MAAM,eAAe,+DAAgE,CAAC;AAC7F,eAAO,MAAM,kBAAkB;;;;;EAA0B,CAAC;AAC1D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAE9D;;;;;GAKG;AACH,eAAO,MAAM,WAAW,yDAA0D,CAAC;AACnF,eAAO,MAAM,eAAe;;;;;EAAsB,CAAC;AACnD,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAExD,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;kBAyCvB,CAAC;AAEZ,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC"}

package/dist/wire-02-extensions/schema-map.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Wire 0.2 Extension Schema Map
+ *
+ * Maps known extension group keys to their Zod schemas.
+ * Used by validateKnownExtensions() for group-level validation
+ * and by type-to-extension enforcement.
+ *
+ * This file is the single mutation point for group registration.
+ */
+import type { z } from 'zod';
+/** Map from known extension key to its Zod schema */
+export declare const EXTENSION_SCHEMA_MAP: Map<string, z.ZodType<unknown, unknown, z.core.$ZodTypeInternals<unknown, unknown>>>;
+//# sourceMappingURL=schema-map.d.ts.map

package/dist/wire-02-extensions/schema-map.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema-map.d.ts","sourceRoot":"","sources":["../../src/wire-02-extensions/schema-map.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAe7B,qDAAqD;AACrD,eAAO,MAAM,oBAAoB,sFAAkC,CAAC"}

package/dist/wire-02-extensions/shared-validators.d.ts

@@ -0,0 +1,192 @@
+/**
+ * Wire 0.2 Shared Validator Schemas
+ *
+ * Protocol-grade Zod validators for common field patterns reused across
+ * multiple extension groups. Consolidated to prevent drift, improve interop,
+ * and keep Layer 1 clean.
+ *
+ * All validators are pure Zod schemas with zero I/O.
+ *
+ * @see HASH.pattern from @peac/kernel for SHA-256 digest grammar
+ * @see PolicyBlockSchema.uri for HTTPS URI hint pattern origin
+ */
+import { z } from 'zod';
+/**
+ * Validates a SHA-256 digest string in the canonical PEAC format.
+ *
+ * Format: `sha256:<64 lowercase hex chars>`
+ * Max length: 71 chars ("sha256:" = 7 chars + 64 hex chars = 71 total)
+ *
+ * Reuses `HASH.pattern` from `@peac/kernel` (same regex used in
+ * `PolicyBlockSchema.digest` and `ReceiptRefSchema`).
+ *
+ * INTEROPERABILITY NOTE: This is a PEAC-internal self-describing digest
+ * string grammar. It is NOT the same as:
+ *   - RFC 9530 `Content-Digest` / `Repr-Digest`, which use structured
+ *     HTTP fields with base64 encoding (e.g., `sha-256=:base64:`)
+ *   - RFC 9421 HTTP Message Signatures digest components
+ * PEAC digest strings are used within JWS payloads and extension fields,
+ * not as HTTP headers. When bridging to HTTP digest headers, adapters
+ * (Layer 4+) must convert between formats.
+ */
+export declare const Sha256DigestSchema: z.ZodString;
+/**
+ * Validates an HTTPS URI hint field.
+ *
+ * Security hardening beyond basic URL validation:
+ * - MUST be https:// scheme (rejects http, ftp, data, javascript, file)
+ * - MUST NOT contain embedded credentials (userinfo@)
+ * - MUST NOT contain fragment identifiers (#)
+ * - MUST NOT contain ASCII control characters (U+0000-U+001F, U+007F)
+ * - Max 2048 chars (aligned with POLICY_BLOCK.uriMaxLength)
+ *
+ * These are locator hints only: callers MUST NOT auto-fetch.
+ *
+ * NORMATIVE: Localhost and private-network hosts (e.g., 10.x, 192.168.x,
+ * localhost) are intentionally accepted at Layer 1 (schema). URI hints
+ * are metadata, not fetch targets; restricting to public hosts would
+ * break enterprise/internal deployments without improving security at
+ * this layer. SSRF prevention is enforced by the non-fetch invariant
+ *, not by host filtering in schema validation.
+ *
+ * Test suite covers: IDN/punycode, IPv6 literals, localhost-style
+ * hosts, percent-encoded confusion, and parser ambiguity cases.
+ */
+export declare const HttpsUriHintSchema: z.ZodString;
+/**
+ * ISO 8601 duration component descriptor.
+ */
+interface DurationComponents {
+    years: number;
+    months: number;
+    weeks: number;
+    days: number;
+    hours: number;
+    minutes: number;
+    seconds: number;
+}
+/**
+ * Parse an ISO 8601 duration string into components.
+ *
+ * Enforces:
+ * - No duplicate designators (P1Y2Y rejected)
+ * - Canonical component ordering (P1D1Y rejected; must be P1Y1D)
+ * - Weeks cannot be combined with other date components (ISO 8601)
+ * - At least one component must be present (bare P rejected)
+ * - At least one time component after T (bare PT rejected)
+ * - Zero-value durations are accepted (P0D, PT0S are valid ISO 8601)
+ *
+ * Zero durations: P0D and PT0S are valid per ISO 8601. The spec says
+ * "a zero duration" is representable. Consumers decide if a zero
+ * duration is semantically meaningful for their use case.
+ *
+ * @param value - String to parse
+ * @returns Parsed components, or null if invalid
+ */
+export declare function parseIso8601Duration(value: string): DurationComponents | null;
+/**
+ * Validates an ISO 8601 duration string.
+ *
+ * Parser-grade strict validation:
+ * - Rejects bare P, bare PT
+ * - Rejects duplicate designators (P1Y2Y)
+ * - Enforces canonical component ordering (P1D1Y rejected)
+ * - Rejects mixed weeks and other date components
+ * - Accepts zero-value durations (P0D, PT0S are valid ISO 8601)
+ * - Only non-negative integer components (no decimals, no negatives)
+ *
+ * Examples:
+ *   Valid: "P30D", "P1Y", "P1Y6M", "PT1H30M", "P1W", "P0D", "PT0S"
+ *   Invalid: "P", "PT", "30D", "", "P1D1Y", "P1Y2Y", "P1WD3", "P-1D"
+ */
+export declare const Iso8601DurationSchema: z.ZodString;
+/**
+ * Validates a structurally valid ISO 8601 date string (YYYY-MM-DD).
+ *
+ * Structural validation only: checks 4-digit year, 2-digit month 01-12,
+ * 2-digit day 01-31. Does NOT validate calendar correctness (e.g.,
+ * Feb 30 or Jun 31 would pass structural check). Calendar validation
+ * is left to the application layer since this is an evidence record,
+ * not a scheduling system.
+ *
+ * Named "StructuralDate" to avoid implying full calendar validation.
+ */
+export declare const Iso8601DateStringSchema: z.ZodString;
+/**
+ * @deprecated Use Iso8601DateStringSchema. Alias preserved for backward compat.
+ */
+export declare const Iso8601DateSchema: z.ZodString;
+/**
+ * Validates an ISO 8601 datetime string with timezone offset.
+ *
+ * Uses Zod 4 top-level `z.iso.datetime({ offset: true })` (preferred
+ * over the deprecated method-style `z.string().datetime()`).
+ *
+ * This is NOT strictly RFC 3339: it accepts minute-precision timestamps
+ * (e.g., `2026-03-14T12:00+05:30` without seconds), which ISO 8601
+ * allows but RFC 3339 does not. Use Rfc3339DateTimeSchema for strict
+ * RFC 3339 compliance.
+ *
+ * Consistent with Wire 0.2 `occurred_at` field validation semantics.
+ */
+export declare const Iso8601OffsetDateTimeSchema: z.ZodISODateTime;
+/**
+ * Validates a datetime string against a practical strict RFC 3339 profile.
+ *
+ * Enforces the key RFC 3339 Section 5.6 constraints:
+ * - Timezone offset always present (Z or +/-HH:MM)
+ * - Seconds always present (minute-only timestamps rejected)
+ * - Fractional seconds optional (after the seconds component)
+ * - No local timestamps
+ *
+ * This is a practical strict profile, not a proven ABNF implementation.
+ * It uses `z.iso.datetime({ offset: true })` as the base (which handles
+ * most RFC 3339 grammar) plus a seconds-presence refine. Edge cases
+ * like leap seconds or two-digit year forms are not explicitly tested.
+ *
+ * @see https://www.rfc-editor.org/rfc/rfc3339#section-5.6
+ */
+export declare const Rfc3339DateTimeSchema: z.ZodISODateTime;
+/**
+ * @deprecated Use Iso8601OffsetDateTimeSchema or Rfc3339DateTimeSchema.
+ * This alias points to Iso8601OffsetDateTimeSchema (which accepts
+ * minute-precision and is therefore NOT strictly RFC 3339). Preserved
+ * for backward compatibility only. Remove-not-before: v0.13.0.
+ */
+export declare const Rfc3339TimestampSchema: z.ZodISODateTime;
+/**
+ * SPDX License Expression validator: documented structural subset.
+ *
+ * This is a structural subset validator for v0.12.2, NOT full SPDX 3.0.1
+ * support. It validates expression grammar without checking license IDs
+ * against the SPDX license list.
+ *
+ * Supported subset:
+ *   - Simple license IDs: MIT, Apache-2.0, GPL-3.0-only
+ *   - LicenseRef custom references: LicenseRef-custom
+ *   - Or-later suffix: GPL-2.0+
+ *   - Compound expressions: MIT AND Apache-2.0, MIT OR GPL-2.0-only
+ *   - Exception clauses: Apache-2.0 WITH Classpath-exception-2.0
+ *   - Parenthesized sub-expressions: (MIT OR Apache-2.0) AND GPL-3.0-only
+ *
+ * NOT supported (deferred to attribution extension PR, v0.12.2 PR 4):
+ *   - DocumentRef-*: prefixes (rare in practice; not seen in npm/PyPI/crates.io)
+ *
+ * @see https://spdx.github.io/spdx-spec/v3.0.1/annexes/spdx-license-expressions/
+ */
+declare function isValidSpdxSubsetExpression(expr: string): boolean;
+/**
+ * Validates an SPDX license expression (documented structural subset).
+ *
+ * Uses a recursive-descent parser for the supported grammar subset.
+ * Does NOT validate against the SPDX license list (structure only).
+ * Does NOT support DocumentRef-* prefixes (deferred).
+ *
+ * @see isValidSpdxSubsetExpression for the supported grammar
+ */
+export declare const SpdxExpressionSchema: z.ZodString;
+/** @internal Exported for testing only */
+export { parseIso8601Duration as _parseIso8601Duration };
+/** @internal Exported for testing only */
+export { isValidSpdxSubsetExpression as _isValidSpdxExpression };
+//# sourceMappingURL=shared-validators.d.ts.map

package/dist/wire-02-extensions/shared-validators.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"shared-validators.d.ts","sourceRoot":"","sources":["../../src/wire-02-extensions/shared-validators.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAOxB;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,kBAAkB,aAGqD,CAAC;AAYrF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,eAAO,MAAM,kBAAkB,aAgC5B,CAAC;AAMJ;;GAEG;AACH,UAAU,kBAAkB;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;CACjB;AAcD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,MAAM,GAAG,kBAAkB,GAAG,IAAI,CAwH7E;AAED;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,qBAAqB,aAM9B,CAAC;AAML;;;;;;;;;;GAUG;AACH,eAAO,MAAM,uBAAuB,aAKhC,CAAC;AAEL;;GAEG;AACH,eAAO,MAAM,iBAAiB,aAA0B,CAAC;AAMzD;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,2BAA2B,kBAAmC,CAAC;AAa5E;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,qBAAqB,kBAI9B,CAAC;AAEL;;;;;GAKG;AACH,eAAO,MAAM,sBAAsB,kBAA8B,CAAC;AAMlE;;;;;;;;;;;;;;;;;;;GAmBG;AACH,iBAAS,2BAA2B,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAgH1D;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,aAG/B,CAAC;AAMH,0CAA0C;AAC1C,OAAO,EAAE,oBAAoB,IAAI,qBAAqB,EAAE,CAAC;AAEzD,0CAA0C;AAC1C,OAAO,EAAE,2BAA2B,IAAI,sBAAsB,EAAE,CAAC"}

package/dist/wire-02-extensions/validation.d.ts

@@ -0,0 +1,57 @@
+/**
+ * Wire 0.2 Extension Validation (envelope-level superRefine helper)
+ *
+ * Validates the extensions record inside Wire02ClaimsSchema.superRefine():
+ *   1. Extension key grammar validation
+ *   2. Recursive plain-JSON-value guard (rejects non-JSON-safe values)
+ *   3. Known extension group schema validation
+ *   4. Byte-budget enforcement
+ *
+ * NORMATIVE: Extension group values MUST be plain JSON values all the
+ * way down (objects, arrays, strings, finite numbers, booleans, null).
+ * Arbitrary JavaScript objects (functions, Symbols, Dates, BigInt,
+ * objects with toJSON(), circular references, non-finite numbers, etc.)
+ * are not a supported input class and are rejected at the validation
+ * boundary via E_EXTENSION_NON_JSON_VALUE. This ensures cross-language
+ * portability and reproducible byte-budget measurement.
+ *
+ * MEASUREMENT BASIS: Byte budgets are measured as the UTF-8 byte length
+ * of ECMAScript JSON.stringify() output on plain JSON data. This is
+ * explicitly ECMAScript-defined, not language-neutral canonical JSON.
+ * Equivalent objects with different member order can yield different
+ * byte counts; if cross-language reproducibility is needed in the
+ * future, a canonical JSON profile (e.g., JCS / RFC 8785) can be
+ * adopted via a future DD without changing the budget constants.
+ * See EXTENSION_BUDGET in @peac/kernel for the full specification.
+ *
+ * Schema does NOT emit warnings (unknown_extension_preserved belongs
+ * in @peac/protocol.verifyLocal(), Layer 3).
+ *
+ * Layer 1 (@peac/schema): pure Zod validation, zero I/O.
+ */
+import { z } from 'zod';
+/**
+ * Check whether a value is a plain JSON value all the way down.
+ *
+ * This is the public entry point for the recursive guard. It initializes
+ * the depth counter and circular-reference detection set.
+ *
+ * @param value - Value to check
+ * @returns true if the entire value tree is plain JSON
+ */
+declare function isPlainJsonValue(value: unknown): boolean;
+/**
+ * Validate extensions record in Wire02ClaimsSchema.superRefine().
+ *
+ * Steps:
+ *   1. Validate extension key grammar
+ *   2. Recursive guard: reject non-plain-JSON values (E_EXTENSION_NON_JSON_VALUE)
+ *   3. Validate known extension groups against their Zod schemas
+ *   4. Unconditional byte-budget enforcement
+ *
+ * @param extensions - The extensions record from Wire 0.2 claims
+ * @param ctx - Zod refinement context
+ */
+export declare function validateKnownExtensions(extensions: Record<string, unknown> | undefined, ctx: z.RefinementCtx): void;
+export { isPlainJsonValue as _isPlainJsonValue };
+//# sourceMappingURL=validation.d.ts.map

package/dist/wire-02-extensions/validation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../../src/wire-02-extensions/validation.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAiHxB;;;;;;;;GAQG;AACH,iBAAS,gBAAgB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAEjD;AAMD;;;;;;;;;;;GAWG;AACH,wBAAgB,uBAAuB,CACrC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,SAAS,EAC/C,GAAG,EAAE,CAAC,CAAC,aAAa,GACnB,IAAI,CA+DN;AAGD,OAAO,EAAE,gBAAgB,IAAI,iBAAiB,EAAE,CAAC"}