@peac/schema 0.12.1 → 0.12.3

package/dist/index.cjs

@@ -54,9 +54,9 @@ var ERROR_CODES = {
   E_WORKFLOW_PARENT_NOT_FOUND: "E_WORKFLOW_PARENT_NOT_FOUND",
   E_WORKFLOW_SUMMARY_INVALID: "E_WORKFLOW_SUMMARY_INVALID",
   E_WORKFLOW_CYCLE_DETECTED: "E_WORKFLOW_CYCLE_DETECTED",
-  // Constraint errors (400, DD-121)
+  // Constraint errors (400)
   E_CONSTRAINT_VIOLATION: "E_CONSTRAINT_VIOLATION",
-  // Wire 0.2 extension errors (400, DD-153/DD-156)
+  // Wire 0.2 extension errors (400/)
   E_INVALID_EXTENSION_KEY: "E_INVALID_EXTENSION_KEY"
 };
 function createPEACError(code, category, severity, retryable, options) {
@@ -324,7 +324,7 @@ var KERNEL_CONSTRAINTS = {
   MAX_STRING_LENGTH: 65536,
   /** Maximum total nodes to visit during traversal */
   MAX_TOTAL_NODES: 1e5,
-  /** Temporal validity clock skew tolerance in seconds (DD-8) */
+  /** Temporal validity clock skew tolerance in seconds */
   CLOCK_SKEW_SECONDS: 60
 };
 function validateKernelConstraints(claims) {
@@ -595,7 +595,10 @@ var BindingDetailsSchema = zod.z.object({
   signed_at: zod.z.string().datetime()
 }).strict();
 var AgentProofSchema = zod.z.object({
-  /** Proof method used */
+  /**
+   * Proof method used.
+   * @see ProofMethodSchema - deprecated in v0.12.2; will migrate in v0.13.0
+   */
   method: ProofMethodSchema,
   /** Key ID (matches kid in JWS header or JWKS) */
   key_id: zod.z.string().min(1).max(256),
@@ -1207,7 +1210,7 @@ var ACTOR_BINDING_EXTENSION_KEY = "org.peacprotocol/actor_binding";
 var ActorBindingSchema = zod.z.object({
   /** Stable actor identifier (opaque, no PII) */
   id: zod.z.string().min(1).max(256),
-  /** Proof type from DD-143 multi-root vocabulary */
+  /** Proof type from multi-root vocabulary */
   proof_type: ProofTypeSchema,
   /** URI or hash of external proof artifact */
   proof_ref: zod.z.string().max(2048).optional(),
@@ -1215,7 +1218,7 @@ var ActorBindingSchema = zod.z.object({
   origin: zod.z.string().max(2048).refine(isOriginOnly, {
     message: "origin must be an origin-only URL (scheme + host + optional port; no path, query, or fragment)"
   }),
-  /** SHA-256 hash of the intent (hash-first per DD-138) */
+  /** SHA-256 hash of the intent (hash-first per ) */
   intent_hash: zod.z.string().regex(/^sha256:[a-f0-9]{64}$/, {
     message: "intent_hash must match sha256:<64 hex chars>"
   }).optional()
@@ -3123,6 +3126,7 @@ var EXTENSION_LIMITS = {
   maxAmountMinorLength: 64,
   maxReferenceLength: 256,
   maxAssetLength: 256,
+  maxCommerceEventLength: 64,
   // Access
   maxResourceLength: 2048,
   maxActionLength: 256,
@@ -3138,8 +3142,61 @@ var EXTENSION_LIMITS = {
   maxSpanIdLength: 16,
   maxWorkflowIdLength: 256,
   maxParentJtiLength: 256,
-  maxDependsOnLength: 64
+  maxDependsOnLength: 64,
+  // Consent
+  maxConsentBasisLength: 128,
+  maxConsentMethodLength: 128,
+  maxDataCategoriesCount: 64,
+  maxDataCategoryLength: 128,
+  maxConsentScopeLength: 256,
+  maxJurisdictionLength: 16,
+  // Compliance
+  maxFrameworkLength: 256,
+  maxAuditRefLength: 256,
+  maxAuditorLength: 256,
+  maxComplianceScopeLength: 512,
+  // Privacy
+  maxDataClassificationLength: 128,
+  maxProcessingBasisLength: 128,
+  maxAnonymizationMethodLength: 128,
+  maxDataSubjectCategoryLength: 128,
+  maxTransferMechanismLength: 128,
+  // Safety
+  maxAssessmentMethodLength: 256,
+  maxSafetyMeasuresCount: 32,
+  maxSafetyMeasureLength: 256,
+  maxIncidentRefLength: 256,
+  maxModelRefLength: 256,
+  maxSafetyCategoryLength: 128,
+  // Provenance
+  maxSourceTypeLength: 128,
+  maxSourceRefLength: 256,
+  maxVerificationMethodLength: 128,
+  maxCustodyChainCount: 16,
+  maxCustodianLength: 256,
+  maxCustodyActionLength: 128,
+  maxSlsaTrackLength: 64,
+  maxSlsaVersionLength: 16,
+  // Attribution
+  maxCreatorRefLength: 256,
+  maxObligationTypeLength: 128,
+  maxAttributionTextLength: 1024,
+  maxContentSignalSourceLength: 128,
+  // Purpose
+  maxExternalPurposesCount: 32,
+  maxExternalPurposeLength: 128,
+  maxPurposeBasisLength: 128,
+  maxCompatiblePurposesCount: 32,
+  // Shared field bounds
+  maxHttpsUriLength: 2048,
+  maxSha256DigestLength: 71,
+  // "sha256:" (7) + 64 hex = 71 chars
+  maxIso8601DurationLength: 64,
+  maxIso8601DateLength: 10,
+  maxSpdxExpressionLength: 128
 };
+
+// src/wire-02-extensions/grammar.ts
 var DNS_LABEL = /^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$/;
 var SEGMENT_PATTERN = /^[a-z0-9][a-z0-9_-]*$/;
 function isValidExtensionKey(key) {
@@ -3159,11 +3216,6 @@ function isValidExtensionKey(key) {
   }
   return true;
 }
-var COMMERCE_EXTENSION_KEY = "org.peacprotocol/commerce";
-var ACCESS_EXTENSION_KEY = "org.peacprotocol/access";
-var CHALLENGE_EXTENSION_KEY = "org.peacprotocol/challenge";
-var IDENTITY_EXTENSION_KEY = "org.peacprotocol/identity";
-var CORRELATION_EXTENSION_KEY = "org.peacprotocol/correlation";
 function escapePointerSegment(s) {
   return s.replace(/~/g, "~0").replace(/\//g, "~1");
 }
@@ -3172,6 +3224,7 @@ function zodPathToPointer(groupKey, zodPath) {
   const segments = zodPath.map((s) => escapePointerSegment(String(s)));
   return `/extensions/${escaped}` + (segments.length > 0 ? "/" + segments.join("/") : "");
 }
+var COMMERCE_EXTENSION_KEY = "org.peacprotocol/commerce";
 var AMOUNT_MINOR_PATTERN = /^-?[0-9]+$/;
 var CommerceExtensionSchema = zod.z.object({
   /** Payment rail identifier (e.g., 'stripe', 'x402', 'lightning') */
@@ -3192,8 +3245,11 @@ var CommerceExtensionSchema = zod.z.object({
   /** Asset identifier for non-fiat (e.g., token address) */
   asset: zod.z.string().max(EXTENSION_LIMITS.maxAssetLength).optional(),
   /** Environment discriminant */
-  env: zod.z.enum(["live", "test"]).optional()
+  env: zod.z.enum(["live", "test"]).optional(),
+  /** Commerce lifecycle phase. Observational metadata only: does not encode settlement finality or protocol state transitions */
+  event: zod.z.enum(["authorization", "capture", "settlement", "refund", "void", "chargeback"]).optional()
 }).strict();
+var ACCESS_EXTENSION_KEY = "org.peacprotocol/access";
 var AccessExtensionSchema = zod.z.object({
   /** Resource being accessed (URI or identifier) */
   resource: zod.z.string().min(1).max(EXTENSION_LIMITS.maxResourceLength),
@@ -3202,6 +3258,7 @@ var AccessExtensionSchema = zod.z.object({
   /** Access decision */
   decision: zod.z.enum(["allow", "deny", "review"])
 }).strict();
+var CHALLENGE_EXTENSION_KEY = "org.peacprotocol/challenge";
 var CHALLENGE_TYPES = [
   "payment_required",
   "identity_required",
@@ -3236,10 +3293,12 @@ var ChallengeExtensionSchema = zod.z.object({
   /** Caller-defined requirements for resolving the challenge */
   requirements: zod.z.record(zod.z.string(), zod.z.unknown()).optional()
 }).strict();
+var IDENTITY_EXTENSION_KEY = "org.peacprotocol/identity";
 var IdentityExtensionSchema = zod.z.object({
   /** Proof reference (opaque string; no actor_binding: top-level actor is sole location) */
   proof_ref: zod.z.string().max(EXTENSION_LIMITS.maxProofRefLength).optional()
 }).strict();
+var CORRELATION_EXTENSION_KEY = "org.peacprotocol/correlation";
 var TRACE_ID_PATTERN = /^[0-9a-f]{32}$/;
 var SPAN_ID_PATTERN = /^[0-9a-f]{16}$/;
 var CorrelationExtensionSchema = zod.z.object({
@@ -3254,12 +3313,497 @@ var CorrelationExtensionSchema = zod.z.object({
   /** JTIs this receipt depends on */
   depends_on: zod.z.array(zod.z.string().min(1).max(EXTENSION_LIMITS.maxParentJtiLength)).max(EXTENSION_LIMITS.maxDependsOnLength).optional()
 }).strict();
-var EXTENSION_SCHEMA_MAP = /* @__PURE__ */ new Map();
-EXTENSION_SCHEMA_MAP.set(COMMERCE_EXTENSION_KEY, CommerceExtensionSchema);
-EXTENSION_SCHEMA_MAP.set(ACCESS_EXTENSION_KEY, AccessExtensionSchema);
-EXTENSION_SCHEMA_MAP.set(CHALLENGE_EXTENSION_KEY, ChallengeExtensionSchema);
-EXTENSION_SCHEMA_MAP.set(IDENTITY_EXTENSION_KEY, IdentityExtensionSchema);
-EXTENSION_SCHEMA_MAP.set(CORRELATION_EXTENSION_KEY, CorrelationExtensionSchema);
+var Sha256DigestSchema = zod.z.string().max(71).regex(kernel.HASH.pattern, "must be a valid SHA-256 digest (sha256:<64 lowercase hex>)");
+var CONTROL_CHAR_PATTERN = /[\x00-\x1f\x7f]/;
+var HttpsUriHintSchema = zod.z.string().min(1).max(2048).refine(
+  (value) => {
+    if (CONTROL_CHAR_PATTERN.test(value)) return false;
+    if (value.includes("#")) return false;
+    try {
+      const url = new URL(value);
+      if (url.protocol !== "https:") return false;
+      if (url.username !== "" || url.password !== "") return false;
+      if (!url.hostname) return false;
+      return true;
+    } catch {
+      return false;
+    }
+  },
+  {
+    message: "must be a valid HTTPS URI (no credentials, no fragments, no control characters)"
+  }
+);
+var DATE_DESIGNATOR_ORDER = ["Y", "M", "W", "D"];
+var TIME_DESIGNATOR_ORDER = ["H", "M", "S"];
+function parseIso8601Duration(value) {
+  if (typeof value !== "string" || value.length === 0 || value.length > 64) {
+    return null;
+  }
+  if (value.charAt(0) !== "P") return null;
+  let pos = 1;
+  const len = value.length;
+  if (pos >= len) return null;
+  const result = {
+    years: 0,
+    months: 0,
+    weeks: 0,
+    days: 0,
+    hours: 0,
+    minutes: 0,
+    seconds: 0
+  };
+  let inTimePart = false;
+  let hasAnyComponent = false;
+  const seenDesignators = /* @__PURE__ */ new Set();
+  let dateOrderIdx = 0;
+  let timeOrderIdx = 0;
+  while (pos < len) {
+    if (value.charAt(pos) === "T") {
+      if (inTimePart) return null;
+      inTimePart = true;
+      pos++;
+      if (pos >= len) return null;
+      continue;
+    }
+    const numStart = pos;
+    while (pos < len && value.charAt(pos) >= "0" && value.charAt(pos) <= "9") {
+      pos++;
+    }
+    if (pos === numStart) return null;
+    const digits = value.slice(numStart, pos);
+    if (digits.length > 15) return null;
+    const num = parseInt(digits, 10);
+    if (!Number.isFinite(num) || num < 0) return null;
+    if (pos >= len) return null;
+    const designator = value.charAt(pos);
+    pos++;
+    const designatorKey = (inTimePart ? "T" : "") + designator;
+    if (seenDesignators.has(designatorKey)) return null;
+    seenDesignators.add(designatorKey);
+    if (inTimePart) {
+      const timeIdx = TIME_DESIGNATOR_ORDER.indexOf(designator);
+      if (timeIdx === -1) return null;
+      if (timeIdx < timeOrderIdx) return null;
+      timeOrderIdx = timeIdx + 1;
+      switch (designator) {
+        case "H":
+          result.hours = num;
+          break;
+        case "M":
+          result.minutes = num;
+          break;
+        case "S":
+          result.seconds = num;
+          break;
+      }
+    } else {
+      const dateIdx = DATE_DESIGNATOR_ORDER.indexOf(designator);
+      if (dateIdx === -1) return null;
+      if (dateIdx < dateOrderIdx) return null;
+      dateOrderIdx = dateIdx + 1;
+      switch (designator) {
+        case "Y":
+          result.years = num;
+          break;
+        case "M":
+          result.months = num;
+          break;
+        case "W":
+          result.weeks = num;
+          break;
+        case "D":
+          result.days = num;
+          break;
+      }
+    }
+    hasAnyComponent = true;
+  }
+  if (!hasAnyComponent) return null;
+  if (result.weeks > 0 && (result.years > 0 || result.months > 0 || result.days > 0)) {
+    return null;
+  }
+  return result;
+}
+var Iso8601DurationSchema = zod.z.string().min(2).max(64).refine((value) => parseIso8601Duration(value) !== null, {
+  message: "must be a valid ISO 8601 duration (e.g., P30D, P1Y6M, PT1H30M)"
+});
+var Iso8601DateStringSchema = zod.z.string().length(10).regex(/^\d{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01])$/, {
+  message: "must be a structurally valid date string (YYYY-MM-DD)"
+});
+var Iso8601DateSchema = Iso8601DateStringSchema;
+var Iso8601OffsetDateTimeSchema = zod.z.iso.datetime({ offset: true });
+var RFC3339_SECONDS_PATTERN = /T\d{2}:\d{2}:\d{2}/;
+var Rfc3339DateTimeSchema = zod.z.iso.datetime({ offset: true }).refine((value) => RFC3339_SECONDS_PATTERN.test(value), {
+  message: "RFC 3339 requires seconds precision (e.g., 2026-03-14T12:00:00Z)"
+});
+var Rfc3339TimestampSchema = Iso8601OffsetDateTimeSchema;
+function isValidSpdxSubsetExpression(expr) {
+  if (typeof expr !== "string" || expr.length === 0 || expr.length > 128) {
+    return false;
+  }
+  const tokens = [];
+  let current = "";
+  for (let i = 0; i < expr.length; i++) {
+    const ch = expr.charAt(i);
+    if (ch === "(" || ch === ")") {
+      if (current.length > 0) {
+        tokens.push(current);
+        current = "";
+      }
+      tokens.push(ch);
+    } else if (ch === " " || ch === "	") {
+      if (current.length > 0) {
+        tokens.push(current);
+        current = "";
+      }
+    } else {
+      current += ch;
+    }
+  }
+  if (current.length > 0) {
+    tokens.push(current);
+  }
+  if (tokens.length === 0) return false;
+  let pos = 0;
+  function peek() {
+    return tokens[pos];
+  }
+  function advance() {
+    return tokens[pos++];
+  }
+  function isLicenseId(token) {
+    const base = token.endsWith("+") ? token.slice(0, -1) : token;
+    if (base.length === 0) return false;
+    if (base.startsWith("LicenseRef-")) {
+      const ref = base.slice(11);
+      return ref.length > 0 && /^[A-Za-z0-9][A-Za-z0-9._-]*$/.test(ref);
+    }
+    return /^[A-Za-z0-9][A-Za-z0-9._-]*$/.test(base);
+  }
+  function isExceptionId(token) {
+    return /^[A-Za-z0-9][A-Za-z0-9._-]*$/.test(token);
+  }
+  function parseExpr() {
+    if (!parseTerm()) return false;
+    while (pos < tokens.length) {
+      const op = peek();
+      if (op === "AND" || op === "OR") {
+        advance();
+        if (!parseTerm()) return false;
+      } else {
+        break;
+      }
+    }
+    return true;
+  }
+  function parseTerm() {
+    if (!parseAtom()) return false;
+    if (peek() === "WITH") {
+      advance();
+      const exception = peek();
+      if (exception === void 0 || !isExceptionId(exception)) return false;
+      advance();
+    }
+    return true;
+  }
+  function parseAtom() {
+    const token = peek();
+    if (token === void 0) return false;
+    if (token === "(") {
+      advance();
+      if (!parseExpr()) return false;
+      if (peek() !== ")") return false;
+      advance();
+      return true;
+    }
+    if (token === ")" || token === "AND" || token === "OR" || token === "WITH") {
+      return false;
+    }
+    if (!isLicenseId(token)) return false;
+    advance();
+    return true;
+  }
+  const result = parseExpr();
+  return result && pos === tokens.length;
+}
+var SpdxExpressionSchema = zod.z.string().min(1).max(128).refine(isValidSpdxSubsetExpression, {
+  message: "must be a valid SPDX license expression (e.g., MIT, Apache-2.0, MIT AND Apache-2.0). DocumentRef-* not yet supported."
+});
+
+// src/wire-02-extensions/consent.ts
+var CONSENT_EXTENSION_KEY = "org.peacprotocol/consent";
+var CONSENT_STATUSES = ["granted", "withdrawn", "denied", "expired"];
+var ConsentStatusSchema = zod.z.enum(CONSENT_STATUSES);
+var ConsentExtensionSchema = zod.z.object({
+  /**
+   * Legal basis identifier for consent.
+   * Open string: jurisdictions define different bases
+   * (e.g., explicit, implied, opt_out, legitimate_interest, contractual, legal_obligation).
+   */
+  consent_basis: zod.z.string().min(1).max(EXTENSION_LIMITS.maxConsentBasisLength),
+  /** Consent lifecycle state (closed vocabulary) */
+  consent_status: ConsentStatusSchema,
+  /**
+   * Data categories covered by this consent.
+   * Open vocabulary (e.g., personal, sensitive, biometric).
+   */
+  data_categories: zod.z.array(zod.z.string().min(1).max(EXTENSION_LIMITS.maxDataCategoryLength)).max(EXTENSION_LIMITS.maxDataCategoriesCount).optional(),
+  /** Data retention period as ISO 8601 duration. */
+  retention_period: Iso8601DurationSchema.optional(),
+  /**
+   * How consent was collected.
+   * Open vocabulary (e.g., click_through, double_opt_in, verbal, written).
+   */
+  consent_method: zod.z.string().min(1).max(EXTENSION_LIMITS.maxConsentMethodLength).optional(),
+  /**
+   * HTTPS URI hint for consent withdrawal.
+   * Locator hint only: callers MUST NOT auto-fetch.
+   * Rejects non-HTTPS, embedded credentials, fragments, control chars.
+   */
+  withdrawal_uri: HttpsUriHintSchema.optional(),
+  /** Free-text scope description */
+  scope: zod.z.string().min(1).max(EXTENSION_LIMITS.maxConsentScopeLength).optional(),
+  /**
+   * Jurisdiction code: ISO 3166-1 alpha-2 or composite.
+   * Examples: EU, US-CA, BR, GB, DE, JP, IN.
+   */
+  jurisdiction: zod.z.string().min(1).max(EXTENSION_LIMITS.maxJurisdictionLength).optional()
+}).strict();
+var PRIVACY_EXTENSION_KEY = "org.peacprotocol/privacy";
+var RETENTION_MODES = ["time_bound", "indefinite", "session_only"];
+var RetentionModeSchema = zod.z.enum(RETENTION_MODES);
+var RECIPIENT_SCOPES = ["internal", "processor", "third_party", "public"];
+var RecipientScopeSchema = zod.z.enum(RECIPIENT_SCOPES);
+var PrivacyExtensionSchema = zod.z.object({
+  /**
+   * Data classification level.
+   * Open taxonomy (e.g., public, internal, confidential, restricted, pii, sensitive_pii).
+   */
+  data_classification: zod.z.string().min(1).max(EXTENSION_LIMITS.maxDataClassificationLength),
+  /**
+   * Legal basis for data processing.
+   * Open vocabulary (e.g., consent, legitimate_interest, contract, legal_obligation).
+   */
+  processing_basis: zod.z.string().min(1).max(EXTENSION_LIMITS.maxProcessingBasisLength).optional(),
+  /**
+   * Data retention period as ISO 8601 duration.
+   * For non-duration retention semantics, use retention_mode instead.
+   */
+  retention_period: Iso8601DurationSchema.optional(),
+  /**
+   * Retention mode for non-duration semantics.
+   * Closed enum: time_bound, indefinite, session_only.
+   * When time_bound, retention_period SHOULD also be present.
+   */
+  retention_mode: RetentionModeSchema.optional(),
+  /**
+   * Data recipient classification.
+   * Closed enum aligned with GDPR Art 13-14 disclosure categories.
+   */
+  recipient_scope: RecipientScopeSchema.optional(),
+  /**
+   * Anonymization or pseudonymization method applied.
+   * Open vocabulary (e.g., k_anonymity, differential_privacy, pseudonymization,
+   * tokenization, aggregation).
+   */
+  anonymization_method: zod.z.string().min(1).max(EXTENSION_LIMITS.maxAnonymizationMethodLength).optional(),
+  /**
+   * Data subject category.
+   * Open vocabulary (e.g., customer, employee, minor, patient, student).
+   */
+  data_subject_category: zod.z.string().min(1).max(EXTENSION_LIMITS.maxDataSubjectCategoryLength).optional(),
+  /**
+   * Cross-border data transfer mechanism.
+   * Open vocabulary (e.g., adequacy_decision, scc, bcr, derogation, consent).
+   */
+  transfer_mechanism: zod.z.string().min(1).max(EXTENSION_LIMITS.maxTransferMechanismLength).optional()
+}).strict();
+var SAFETY_EXTENSION_KEY = "org.peacprotocol/safety";
+var REVIEW_STATUSES = ["reviewed", "pending", "flagged", "not_applicable"];
+var ReviewStatusSchema = zod.z.enum(REVIEW_STATUSES);
+var RISK_LEVELS = ["unacceptable", "high", "limited", "minimal"];
+var RiskLevelSchema = zod.z.enum(RISK_LEVELS);
+var SafetyExtensionSchema = zod.z.object({
+  /** Safety review status (closed vocabulary, universal lifecycle) */
+  review_status: ReviewStatusSchema,
+  /**
+   * Risk classification level.
+   * Optional at schema level; usage profiles may require it.
+   * Converges across EU AI Act Art 6, NIST AI RMF, ISO 23894.
+   */
+  risk_level: RiskLevelSchema.optional(),
+  /**
+   * Assessment method used.
+   * Open vocabulary (e.g., automated_scan, human_review, red_team,
+   * penetration_test, static_analysis, model_evaluation).
+   */
+  assessment_method: zod.z.string().min(1).max(EXTENSION_LIMITS.maxAssessmentMethodLength).optional(),
+  /**
+   * Safety measures applied.
+   * Open vocabulary. Array bounded by maxSafetyMeasuresCount.
+   */
+  safety_measures: zod.z.array(zod.z.string().min(1).max(EXTENSION_LIMITS.maxSafetyMeasureLength)).max(EXTENSION_LIMITS.maxSafetyMeasuresCount).optional(),
+  /** Incident report reference. Opaque identifier (e.g., ticket ID or digest). */
+  incident_ref: zod.z.string().min(1).max(EXTENSION_LIMITS.maxIncidentRefLength).optional(),
+  /** AI model reference. Opaque identifier (e.g., model version string). */
+  model_ref: zod.z.string().min(1).max(EXTENSION_LIMITS.maxModelRefLength).optional(),
+  /**
+   * Safety category.
+   * Open vocabulary (e.g., content_safety, bias, hallucination,
+   * toxicity, fairness, robustness, privacy_risk).
+   */
+  category: zod.z.string().min(1).max(EXTENSION_LIMITS.maxSafetyCategoryLength).optional()
+}).strict();
+var COMPLIANCE_EXTENSION_KEY = "org.peacprotocol/compliance";
+var COMPLIANCE_STATUSES = [
+  "compliant",
+  "non_compliant",
+  "partial",
+  "under_review",
+  "exempt"
+];
+var ComplianceStatusSchema = zod.z.enum(COMPLIANCE_STATUSES);
+var ComplianceExtensionSchema = zod.z.object({
+  /**
+   * Framework identifier evaluated.
+   * Open string: preferred grammar is lowercase slugs with hyphens
+   * (e.g., eu-ai-act, soc2-type2, iso-27001, nist-ai-rmf, gdpr, hipaa).
+   */
+  framework: zod.z.string().min(1).max(EXTENSION_LIMITS.maxFrameworkLength),
+  /** Observed compliance status (closed vocabulary) */
+  compliance_status: ComplianceStatusSchema,
+  /** Opaque reference to audit report or evidence (e.g., report ID, ticket number). */
+  audit_ref: zod.z.string().min(1).max(EXTENSION_LIMITS.maxAuditRefLength).optional(),
+  /** Auditor identifier (organization name or DID). */
+  auditor: zod.z.string().min(1).max(EXTENSION_LIMITS.maxAuditorLength).optional(),
+  /** Date the compliance check was performed (YYYY-MM-DD). */
+  audit_date: Iso8601DateStringSchema.optional(),
+  /** Scope of the compliance check. */
+  scope: zod.z.string().min(1).max(EXTENSION_LIMITS.maxComplianceScopeLength).optional(),
+  /** How long this finding remains valid as an ISO 8601 duration. */
+  validity_period: Iso8601DurationSchema.optional(),
+  /** SHA-256 digest of supporting evidence document. */
+  evidence_ref: Sha256DigestSchema.optional()
+}).strict();
+var PROVENANCE_EXTENSION_KEY = "org.peacprotocol/provenance";
+var CustodyEntrySchema = zod.z.object({
+  /** Custodian identifier (organization name, DID, or opaque ID). */
+  custodian: zod.z.string().min(1).max(EXTENSION_LIMITS.maxCustodianLength),
+  /** Action performed (e.g., received, transformed, verified, released). */
+  action: zod.z.string().min(1).max(EXTENSION_LIMITS.maxCustodyActionLength),
+  /** When the custody event occurred (RFC 3339 with seconds). */
+  timestamp: Rfc3339DateTimeSchema
+}).strict();
+var SlsaLevelSchema = zod.z.object({
+  /** SLSA track identifier (e.g., build, source). */
+  track: zod.z.string().min(1).max(EXTENSION_LIMITS.maxSlsaTrackLength),
+  /** SLSA level within the track (0-4). */
+  level: zod.z.number().int().min(0).max(4),
+  /** SLSA spec version this metadata references (e.g., 1.0, 1.2). */
+  version: zod.z.string().min(1).max(EXTENSION_LIMITS.maxSlsaVersionLength)
+}).strict();
+var ProvenanceExtensionSchema = zod.z.object({
+  /**
+   * Type of source or derivation.
+   * Open vocabulary (e.g., original, derived, curated, synthetic, aggregated, transformed).
+   */
+  source_type: zod.z.string().min(1).max(EXTENSION_LIMITS.maxSourceTypeLength),
+  /** Opaque source reference identifier (e.g., commit hash, artifact ID). */
+  source_ref: zod.z.string().min(1).max(EXTENSION_LIMITS.maxSourceRefLength).optional(),
+  /**
+   * HTTPS URI hint for the source artifact.
+   * Locator hint only: callers MUST NOT auto-fetch.
+   */
+  source_uri: HttpsUriHintSchema.optional(),
+  /**
+   * HTTPS URI hint for build provenance metadata.
+   * Locator hint only: callers MUST NOT auto-fetch.
+   */
+  build_provenance_uri: HttpsUriHintSchema.optional(),
+  /**
+   * How provenance was verified.
+   * Open vocabulary (e.g., signature_check, hash_chain,
+   * manual_attestation, transparency_log).
+   */
+  verification_method: zod.z.string().min(1).max(EXTENSION_LIMITS.maxVerificationMethodLength).optional(),
+  /**
+   * Ordered custody chain entries.
+   * Each entry records a custodian, action, and timestamp.
+   */
+  custody_chain: zod.z.array(CustodyEntrySchema).max(EXTENSION_LIMITS.maxCustodyChainCount).optional(),
+  /**
+   * Structured SLSA-aligned provenance metadata.
+   * Records track, level, and spec version.
+   */
+  slsa: SlsaLevelSchema.optional()
+}).strict();
+var ATTRIBUTION_EXTENSION_KEY = "org.peacprotocol/attribution";
+var CONTENT_SIGNAL_SOURCES = [
+  "tdmrep_json",
+  "content_signal_header",
+  "content_usage_header",
+  "robots_txt",
+  "custom"
+];
+var ContentSignalSourceSchema = zod.z.enum(CONTENT_SIGNAL_SOURCES);
+var AttributionExtensionSchema = zod.z.object({
+  /**
+   * Creator identifier (DID, URI, or opaque ID).
+   * Not an identity attestation; records observed attribution metadata.
+   */
+  creator_ref: zod.z.string().min(1).max(EXTENSION_LIMITS.maxCreatorRefLength),
+  /** SPDX license expression (parser-grade structural subset validator). */
+  license_spdx: SpdxExpressionSchema.optional(),
+  /**
+   * Obligation type.
+   * Open vocabulary (e.g., attribution_required, share_alike, non_commercial).
+   */
+  obligation_type: zod.z.string().min(1).max(EXTENSION_LIMITS.maxObligationTypeLength).optional(),
+  /** Required attribution text. */
+  attribution_text: zod.z.string().min(1).max(EXTENSION_LIMITS.maxAttributionTextLength).optional(),
+  /** Content signal observation source (closed vocabulary). */
+  content_signal_source: ContentSignalSourceSchema.optional(),
+  /** SHA-256 digest of the attributed content. */
+  content_digest: Sha256DigestSchema.optional()
+}).strict();
+var PURPOSE_EXTENSION_KEY = "org.peacprotocol/purpose";
+var MachineSafePurposeTokenSchema = zod.z.string().min(1).max(EXTENSION_LIMITS.maxExternalPurposeLength).regex(PURPOSE_TOKEN_REGEX, "must be a machine-safe lowercase token");
+function hasUniqueItems(items) {
+  return new Set(items).size === items.length;
+}
+var PurposeExtensionSchema = zod.z.object({
+  /**
+   * External/legal/business purpose labels.
+   * Machine-safe tokens: lowercase alphanumeric with underscores, hyphens,
+   * and optional vendor prefix (e.g., ai_training, analytics, marketing).
+   * Not PEAC operational tokens; use peac_purpose_mapping for bridging.
+   * Items must be unique.
+   */
+  external_purposes: zod.z.array(MachineSafePurposeTokenSchema).min(1).max(EXTENSION_LIMITS.maxExternalPurposesCount).refine(hasUniqueItems, { message: "external_purposes must contain unique items" }),
+  /**
+   * Legal or policy basis for the declared purposes.
+   * Open vocabulary (e.g., consent, legitimate_interest, contract).
+   */
+  purpose_basis: zod.z.string().min(1).max(EXTENSION_LIMITS.maxPurposeBasisLength).optional(),
+  /** Whether purpose limitation applies. */
+  purpose_limitation: zod.z.boolean().optional(),
+  /** Whether data minimization was applied. */
+  data_minimization: zod.z.boolean().optional(),
+  /**
+   * Compatible purposes for secondary use.
+   * Same machine-safe token grammar as external_purposes.
+   * Items must be unique.
+   */
+  compatible_purposes: zod.z.array(MachineSafePurposeTokenSchema).max(EXTENSION_LIMITS.maxCompatiblePurposesCount).refine(hasUniqueItems, { message: "compatible_purposes must contain unique items" }).optional(),
+  /**
+   * Explicit mapping to a PEAC operational CanonicalPurpose token.
+   * Validated against PURPOSE_TOKEN_REGEX from purpose.ts.
+   * Bridges external purpose vocabulary to operational tokens.
+   */
+  peac_purpose_mapping: zod.z.string().min(1).max(MAX_PURPOSE_TOKEN_LENGTH).regex(PURPOSE_TOKEN_REGEX, "must be a valid PEAC purpose token").optional()
+}).strict();
+
+// src/wire-02-extensions/accessors.ts
 function getExtension(extensions, key, schema) {
   if (extensions === void 0) return void 0;
   if (!Object.prototype.hasOwnProperty.call(extensions, key)) return void 0;
@@ -3295,9 +3839,88 @@ function getIdentityExtension(extensions) {
 function getCorrelationExtension(extensions) {
   return getExtension(extensions, CORRELATION_EXTENSION_KEY, CorrelationExtensionSchema);
 }
+function getConsentExtension(extensions) {
+  return getExtension(extensions, CONSENT_EXTENSION_KEY, ConsentExtensionSchema);
+}
+function getPrivacyExtension(extensions) {
+  return getExtension(extensions, PRIVACY_EXTENSION_KEY, PrivacyExtensionSchema);
+}
+function getSafetyExtension(extensions) {
+  return getExtension(extensions, SAFETY_EXTENSION_KEY, SafetyExtensionSchema);
+}
+function getComplianceExtension(extensions) {
+  return getExtension(extensions, COMPLIANCE_EXTENSION_KEY, ComplianceExtensionSchema);
+}
+function getProvenanceExtension(extensions) {
+  return getExtension(extensions, PROVENANCE_EXTENSION_KEY, ProvenanceExtensionSchema);
+}
+function getAttributionExtension(extensions) {
+  return getExtension(extensions, ATTRIBUTION_EXTENSION_KEY, AttributionExtensionSchema);
+}
+function getPurposeExtension(extensions) {
+  return getExtension(extensions, PURPOSE_EXTENSION_KEY, PurposeExtensionSchema);
+}
+
+// src/wire-02-extensions/schema-map.ts
+var EXTENSION_SCHEMA_MAP = /* @__PURE__ */ new Map();
+EXTENSION_SCHEMA_MAP.set(COMMERCE_EXTENSION_KEY, CommerceExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(ACCESS_EXTENSION_KEY, AccessExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(CHALLENGE_EXTENSION_KEY, ChallengeExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(IDENTITY_EXTENSION_KEY, IdentityExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(CORRELATION_EXTENSION_KEY, CorrelationExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(CONSENT_EXTENSION_KEY, ConsentExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(PRIVACY_EXTENSION_KEY, PrivacyExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(SAFETY_EXTENSION_KEY, SafetyExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(COMPLIANCE_EXTENSION_KEY, ComplianceExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(PROVENANCE_EXTENSION_KEY, ProvenanceExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(ATTRIBUTION_EXTENSION_KEY, AttributionExtensionSchema);
+EXTENSION_SCHEMA_MAP.set(PURPOSE_EXTENSION_KEY, PurposeExtensionSchema);
+
+// src/wire-02-extensions/validation.ts
+var textEncoder = new TextEncoder();
+function jsonUtf8ByteLength(value) {
+  try {
+    return textEncoder.encode(JSON.stringify(value)).byteLength;
+  } catch {
+    return Infinity;
+  }
+}
+var MAX_JSON_GUARD_DEPTH = 64;
+function isPlainJsonValueRecursive(value, depth, seen) {
+  if (depth > MAX_JSON_GUARD_DEPTH) return false;
+  if (value === null) return true;
+  const t = typeof value;
+  if (t === "string" || t === "boolean") return true;
+  if (t === "number") return Number.isFinite(value);
+  if (t === "function" || t === "symbol" || t === "bigint" || t === "undefined") return false;
+  if (t !== "object") return false;
+  const obj = value;
+  if (seen.has(obj)) return false;
+  seen.add(obj);
+  if (Array.isArray(obj)) {
+    for (let i = 0; i < obj.length; i++) {
+      if (!isPlainJsonValueRecursive(obj[i], depth + 1, seen)) return false;
+    }
+    return true;
+  }
+  const proto = Object.getPrototypeOf(obj);
+  if (proto !== Object.prototype && proto !== null) return false;
+  if (typeof obj.toJSON === "function") return false;
+  const keys = Object.keys(obj);
+  for (const key of keys) {
+    if (!isPlainJsonValueRecursive(obj[key], depth + 1, seen)) {
+      return false;
+    }
+  }
+  return true;
+}
+function isPlainJsonValue(value) {
+  return isPlainJsonValueRecursive(value, 0, /* @__PURE__ */ new WeakSet());
+}
 function validateKnownExtensions(extensions, ctx) {
   if (extensions === void 0) return;
-  for (const key of Object.keys(extensions)) {
+  const keys = Object.keys(extensions);
+  for (const key of keys) {
     if (!isValidExtensionKey(key)) {
       ctx.addIssue({
         code: "custom",
@@ -3306,6 +3929,14 @@ function validateKnownExtensions(extensions, ctx) {
       });
       continue;
     }
+    if (!isPlainJsonValue(extensions[key])) {
+      ctx.addIssue({
+        code: "custom",
+        message: kernel.ERROR_CODES.E_EXTENSION_NON_JSON_VALUE,
+        path: ["extensions", key]
+      });
+      continue;
+    }
     const schema = EXTENSION_SCHEMA_MAP.get(key);
     if (schema !== void 0) {
       const result = schema.safeParse(extensions[key]);
@@ -3320,6 +3951,25 @@ function validateKnownExtensions(extensions, ctx) {
       }
     }
   }
+  const totalBytes = jsonUtf8ByteLength(extensions);
+  if (totalBytes > kernel.EXTENSION_BUDGET.maxTotalBytes) {
+    ctx.addIssue({
+      code: "custom",
+      message: kernel.ERROR_CODES.E_EXTENSION_SIZE_EXCEEDED,
+      path: ["extensions"]
+    });
+    return;
+  }
+  for (const key of keys) {
+    const groupBytes = jsonUtf8ByteLength(extensions[key]);
+    if (groupBytes > kernel.EXTENSION_BUDGET.maxGroupBytes) {
+      ctx.addIssue({
+        code: "custom",
+        message: kernel.ERROR_CODES.E_EXTENSION_SIZE_EXCEEDED,
+        path: ["extensions", key]
+      });
+    }
+  }
 }
 
 // src/wire-02-envelope.ts
@@ -3397,7 +4047,7 @@ var PolicyBlockSchema = zod.z.object({
   /**
    * HTTPS locator hint for the policy document.
    * MUST be an https:// URL (max 2048 chars).
-   * MUST NOT trigger auto-fetch; callers use this as a hint only (DD-55).
+   * MUST NOT trigger auto-fetch; callers use this as a hint only.
    */
   uri: zod.z.string().max(kernel.POLICY_BLOCK.uriMaxLength).url().refine((u) => u.startsWith("https://"), "policy.uri must be an https:// URL").optional(),
   /** Caller-assigned version label (max 256 chars) */
@@ -3422,9 +4072,9 @@ var Wire02ClaimsSchema = zod.z.object({
   pillars: PillarsSchema.optional(),
   /** Top-level actor binding (sole location for ActorBinding in Wire 0.2) */
   actor: ActorBindingSchema.optional(),
-  /** Policy binding block (DD-151) */
+  /** Policy binding block */
   policy: PolicyBlockSchema.optional(),
-  /** Representation fields (DD-152): FingerprintRef validation, sha256-only, strict */
+  /** Representation fields: FingerprintRef validation, sha256-only, strict */
   representation: Wire02RepresentationFieldsSchema.optional(),
   /** ISO 8601 / RFC 3339 timestamp when the interaction occurred; evidence kind only */
   occurred_at: zod.z.string().datetime({ offset: true }).optional(),
@@ -3559,6 +4209,8 @@ var WARNING_TYPE_UNREGISTERED = "type_unregistered";
 var WARNING_UNKNOWN_EXTENSION = "unknown_extension_preserved";
 var WARNING_OCCURRED_AT_SKEW = "occurred_at_skew";
 var WARNING_TYP_MISSING = "typ_missing";
+var WARNING_EXTENSION_GROUP_MISSING = "extension_group_missing";
+var WARNING_EXTENSION_GROUP_MISMATCH = "extension_group_mismatch";
 function sortWarnings(warnings) {
   return [...warnings].sort((a, b) => {
     const aHasPtr = a.pointer !== void 0;
@@ -3572,27 +4224,12 @@ function sortWarnings(warnings) {
     return a.code.localeCompare(b.code);
   });
 }
-
-// src/wire-02-registries.ts
-var REGISTERED_RECEIPT_TYPES = /* @__PURE__ */ new Set([
-  "org.peacprotocol/payment",
-  "org.peacprotocol/access-decision",
-  "org.peacprotocol/identity-attestation",
-  "org.peacprotocol/consent-record",
-  "org.peacprotocol/compliance-check",
-  "org.peacprotocol/privacy-signal",
-  "org.peacprotocol/safety-review",
-  "org.peacprotocol/provenance-record",
-  "org.peacprotocol/attribution-event",
-  "org.peacprotocol/purpose-declaration"
-]);
-var REGISTERED_EXTENSION_GROUP_KEYS = /* @__PURE__ */ new Set([
-  "org.peacprotocol/commerce",
-  "org.peacprotocol/access",
-  "org.peacprotocol/challenge",
-  "org.peacprotocol/identity",
-  "org.peacprotocol/correlation"
-]);
+var REGISTERED_RECEIPT_TYPES = new Set(
+  kernel.RECEIPT_TYPES.map((entry) => entry.id)
+);
+var REGISTERED_EXTENSION_GROUP_KEYS = new Set(
+  kernel.EXTENSION_GROUPS.map((entry) => entry.id)
+);
 
 // src/policy-binding.ts
 function verifyPolicyBinding(receiptDigest, localDigest) {
@@ -3624,12 +4261,17 @@ function findRevokedKey(revokedKeys, kid) {
   return revokedKeys.find((entry) => entry.kid === kid) ?? null;
 }
 
+Object.defineProperty(exports, "EXTENSION_BUDGET", {
+  enumerable: true,
+  get: function () { return kernel.EXTENSION_BUDGET; }
+});
 exports.ACCESS_EXTENSION_KEY = ACCESS_EXTENSION_KEY;
 exports.ACTOR_BINDING_EXTENSION_KEY = ACTOR_BINDING_EXTENSION_KEY;
 exports.AGENT_IDENTITY_TYPE = AGENT_IDENTITY_TYPE;
 exports.AIPREFSnapshotSchema = AIPREFSnapshot;
 exports.ATTESTATION_LIMITS = ATTESTATION_LIMITS;
 exports.ATTESTATION_RECEIPT_TYPE = ATTESTATION_RECEIPT_TYPE;
+exports.ATTRIBUTION_EXTENSION_KEY = ATTRIBUTION_EXTENSION_KEY;
 exports.ATTRIBUTION_LIMITS = ATTRIBUTION_LIMITS;
 exports.ATTRIBUTION_TYPE = ATTRIBUTION_TYPE;
 exports.ATTRIBUTION_USAGES = ATTRIBUTION_USAGES;
@@ -3644,6 +4286,7 @@ exports.AttestationReceiptClaimsSchema = AttestationReceiptClaimsSchema;
 exports.AttestationSchema = AttestationSchema;
 exports.AttributionAttestationSchema = AttributionAttestationSchema;
 exports.AttributionEvidenceSchema = AttributionEvidenceSchema;
+exports.AttributionExtensionSchema = AttributionExtensionSchema;
 exports.AttributionSourceSchema = AttributionSourceSchema;
 exports.AttributionUsageSchema = AttributionUsageSchema;
 exports.BindingDetailsSchema = BindingDetailsSchema;
@@ -3654,6 +4297,11 @@ exports.CHALLENGE_EXTENSION_KEY = CHALLENGE_EXTENSION_KEY;
 exports.CHALLENGE_TYPES = CHALLENGE_TYPES;
 exports.COMMERCE_EXTENSION_KEY = COMMERCE_EXTENSION_KEY;
 exports.COMMITMENT_CLASSES = COMMITMENT_CLASSES;
+exports.COMPLIANCE_EXTENSION_KEY = COMPLIANCE_EXTENSION_KEY;
+exports.COMPLIANCE_STATUSES = COMPLIANCE_STATUSES;
+exports.CONSENT_EXTENSION_KEY = CONSENT_EXTENSION_KEY;
+exports.CONSENT_STATUSES = CONSENT_STATUSES;
+exports.CONTENT_SIGNAL_SOURCES = CONTENT_SIGNAL_SOURCES;
 exports.CONTRIBUTION_TYPES = CONTRIBUTION_TYPES;
 exports.CONTROL_ACTIONS = CONTROL_ACTIONS;
 exports.CONTROL_ACTION_EXTENSION_KEY = CONTROL_ACTION_EXTENSION_KEY;
@@ -3672,8 +4320,13 @@ exports.ChallengeTypeSchema = ChallengeTypeSchema;
 exports.CommerceExtensionSchema = CommerceExtensionSchema;
 exports.CommitmentClassSchema = CommitmentClassSchema;
 exports.CompactJwsSchema = CompactJwsSchema;
+exports.ComplianceExtensionSchema = ComplianceExtensionSchema;
+exports.ComplianceStatusSchema = ComplianceStatusSchema;
+exports.ConsentExtensionSchema = ConsentExtensionSchema;
+exports.ConsentStatusSchema = ConsentStatusSchema;
 exports.ContactMethodSchema = ContactMethodSchema;
 exports.ContentHashSchema = ContentHashSchema;
+exports.ContentSignalSourceSchema = ContentSignalSourceSchema;
 exports.ContributionObligationSchema = ContributionObligationSchema;
 exports.ContributionTypeSchema = ContributionTypeSchema;
 exports.ControlActionSchema = ControlActionSchema;
@@ -3691,6 +4344,7 @@ exports.CredentialEventTypeSchema = CredentialEventTypeSchema;
 exports.CredentialRefSchema = CredentialRefSchema;
 exports.CreditMethodSchema = CreditMethodSchema;
 exports.CreditObligationSchema = CreditObligationSchema;
+exports.CustodyEntrySchema = CustodyEntrySchema;
 exports.DERIVATION_TYPES = DERIVATION_TYPES;
 exports.DIGEST_SIZE_CONSTANTS = DIGEST_SIZE_CONSTANTS;
 exports.DIGEST_VALUE_PATTERN = DIGEST_VALUE_PATTERN;
@@ -3727,6 +4381,7 @@ exports.Extensions = Extensions;
 exports.ExtensionsSchema = ExtensionsSchema;
 exports.HashAlgorithmSchema = HashAlgorithmSchema;
 exports.HashEncodingSchema = HashEncodingSchema;
+exports.HttpsUriHintSchema = HttpsUriHintSchema;
 exports.IDENTITY_EXTENSION_KEY = IDENTITY_EXTENSION_KEY;
 exports.INTERACTION_EXTENSION_KEY = INTERACTION_EXTENSION_KEY;
 exports.INTERACTION_LIMITS = INTERACTION_LIMITS;
@@ -3734,6 +4389,10 @@ exports.INTERNAL_PURPOSE_UNDECLARED = INTERNAL_PURPOSE_UNDECLARED;
 exports.IdentityBindingSchema = IdentityBindingSchema;
 exports.IdentityExtensionSchema = IdentityExtensionSchema;
 exports.InteractionEvidenceV01Schema = InteractionEvidenceV01Schema;
+exports.Iso8601DateSchema = Iso8601DateSchema;
+exports.Iso8601DateStringSchema = Iso8601DateStringSchema;
+exports.Iso8601DurationSchema = Iso8601DurationSchema;
+exports.Iso8601OffsetDateTimeSchema = Iso8601OffsetDateTimeSchema;
 exports.JSON_EVIDENCE_LIMITS = JSON_EVIDENCE_LIMITS;
 exports.JWSHeader = JWSHeader;
 exports.JsonArraySchema = JsonArraySchema;
@@ -3771,8 +4430,11 @@ exports.PEAC_RECEIPT_HEADER = PEAC_RECEIPT_HEADER;
 exports.PEAC_RECEIPT_SCHEMA_URL = PEAC_RECEIPT_SCHEMA_URL;
 exports.PEAC_WIRE_TYP = PEAC_WIRE_TYP;
 exports.POLICY_DECISIONS = POLICY_DECISIONS;
+exports.PRIVACY_EXTENSION_KEY = PRIVACY_EXTENSION_KEY;
 exports.PROOF_METHODS = PROOF_METHODS;
 exports.PROOF_TYPES = PROOF_TYPES;
+exports.PROVENANCE_EXTENSION_KEY = PROVENANCE_EXTENSION_KEY;
+exports.PURPOSE_EXTENSION_KEY = PURPOSE_EXTENSION_KEY;
 exports.PURPOSE_REASONS = PURPOSE_REASONS;
 exports.PURPOSE_TOKEN_REGEX = PURPOSE_TOKEN_REGEX;
 exports.PayloadRefSchema = PayloadRefSchema;
@@ -3783,11 +4445,15 @@ exports.PeacEvidenceCarrierSchema = PeacEvidenceCarrierSchema;
 exports.PillarsSchema = PillarsSchema;
 exports.PolicyBlockSchema = PolicyBlockSchema;
 exports.PolicyContextSchema = PolicyContextSchema;
+exports.PrivacyExtensionSchema = PrivacyExtensionSchema;
 exports.ProblemDetailsSchema = ProblemDetailsSchema;
 exports.ProofMethodSchema = ProofMethodSchema;
 exports.ProofTypeSchema = ProofTypeSchema;
+exports.ProvenanceExtensionSchema = ProvenanceExtensionSchema;
+exports.PurposeExtensionSchema = PurposeExtensionSchema;
 exports.PurposeReasonSchema = PurposeReasonSchema;
 exports.PurposeTokenSchema = PurposeTokenSchema;
+exports.RECIPIENT_SCOPES = RECIPIENT_SCOPES;
 exports.REDACTION_MODES = REDACTION_MODES;
 exports.REGISTERED_EXTENSION_GROUP_KEYS = REGISTERED_EXTENSION_GROUP_KEYS;
 exports.REGISTERED_RECEIPT_TYPES = REGISTERED_RECEIPT_TYPES;
@@ -3795,21 +4461,35 @@ exports.REMEDIATION_TYPES = REMEDIATION_TYPES;
 exports.REPRESENTATION_LIMITS = REPRESENTATION_LIMITS;
 exports.RESERVED_KIND_PREFIXES = RESERVED_KIND_PREFIXES;
 exports.RESULT_STATUSES = RESULT_STATUSES;
+exports.RETENTION_MODES = RETENTION_MODES;
+exports.REVIEW_STATUSES = REVIEW_STATUSES;
 exports.REVOCATION_REASONS = REVOCATION_REASONS;
+exports.RISK_LEVELS = RISK_LEVELS;
 exports.ReceiptClaims = ReceiptClaims;
 exports.ReceiptClaimsSchema = ReceiptClaimsSchema;
 exports.ReceiptRefSchema = ReceiptRefSchema2;
 exports.ReceiptTypeSchema = ReceiptTypeSchema;
 exports.ReceiptUrlSchema = ReceiptUrlSchema;
+exports.RecipientScopeSchema = RecipientScopeSchema;
 exports.RefsSchema = RefsSchema;
 exports.RemediationSchema = RemediationSchema;
 exports.RemediationTypeSchema = RemediationTypeSchema;
 exports.RepresentationFieldsSchema = Wire02RepresentationFieldsSchema;
 exports.ResourceTargetSchema = ResourceTargetSchema;
 exports.ResultSchema = ResultSchema;
+exports.RetentionModeSchema = RetentionModeSchema;
+exports.ReviewStatusSchema = ReviewStatusSchema;
 exports.RevokedKeyEntrySchema = RevokedKeyEntrySchema;
 exports.RevokedKeysArraySchema = RevokedKeysArraySchema;
+exports.Rfc3339DateTimeSchema = Rfc3339DateTimeSchema;
+exports.Rfc3339TimestampSchema = Rfc3339TimestampSchema;
+exports.RiskLevelSchema = RiskLevelSchema;
+exports.SAFETY_EXTENSION_KEY = SAFETY_EXTENSION_KEY;
 exports.STEP_ID_PATTERN = STEP_ID_PATTERN;
+exports.SafetyExtensionSchema = SafetyExtensionSchema;
+exports.Sha256DigestSchema = Sha256DigestSchema;
+exports.SlsaLevelSchema = SlsaLevelSchema;
+exports.SpdxExpressionSchema = SpdxExpressionSchema;
 exports.StepIdSchema = StepIdSchema;
 exports.SubjectProfileSchema = SubjectProfileSchema;
 exports.SubjectProfileSnapshotSchema = SubjectProfileSnapshotSchema;
@@ -3822,6 +4502,8 @@ exports.ToolRegistrySchema = ToolRegistrySchema;
 exports.ToolTargetSchema = ToolTargetSchema;
 exports.TreatySchema = TreatySchema;
 exports.VerifyRequestSchema = VerifyRequest;
+exports.WARNING_EXTENSION_GROUP_MISMATCH = WARNING_EXTENSION_GROUP_MISMATCH;
+exports.WARNING_EXTENSION_GROUP_MISSING = WARNING_EXTENSION_GROUP_MISSING;
 exports.WARNING_OCCURRED_AT_SKEW = WARNING_OCCURRED_AT_SKEW;
 exports.WARNING_TYPE_UNREGISTERED = WARNING_TYPE_UNREGISTERED;
 exports.WARNING_TYP_MISSING = WARNING_TYP_MISSING;
@@ -3873,11 +4555,18 @@ exports.extractObligationsExtension = extractObligationsExtension;
 exports.findRevokedKey = findRevokedKey;
 exports.fingerprintRefToString = fingerprintRefToString;
 exports.getAccessExtension = getAccessExtension;
+exports.getAttributionExtension = getAttributionExtension;
 exports.getChallengeExtension = getChallengeExtension;
 exports.getCommerceExtension = getCommerceExtension;
+exports.getComplianceExtension = getComplianceExtension;
+exports.getConsentExtension = getConsentExtension;
 exports.getCorrelationExtension = getCorrelationExtension;
 exports.getIdentityExtension = getIdentityExtension;
 exports.getInteraction = getInteraction;
+exports.getPrivacyExtension = getPrivacyExtension;
+exports.getProvenanceExtension = getProvenanceExtension;
+exports.getPurposeExtension = getPurposeExtension;
+exports.getSafetyExtension = getSafetyExtension;
 exports.getValidTransitions = getValidTransitions;
 exports.hasInteraction = hasInteraction;
 exports.hasUnknownPurposeTokens = hasUnknownPurposeTokens;