@primust/artifact-core 1.0.0 → 1.2.0

Files changed (54) hide show
  1. package/LICENSE +93 -0
  2. package/dist/canonical.d.ts +11 -0
  3. package/dist/canonical.d.ts.map +1 -1
  4. package/dist/canonical.js +92 -0
  5. package/dist/canonical.js.map +1 -1
  6. package/dist/commitment.d.ts +29 -8
  7. package/dist/commitment.d.ts.map +1 -1
  8. package/dist/commitment.js +45 -17
  9. package/dist/commitment.js.map +1 -1
  10. package/dist/commitment.test.js +14 -3
  11. package/dist/commitment.test.js.map +1 -1
  12. package/dist/index.d.ts +8 -1
  13. package/dist/index.d.ts.map +1 -1
  14. package/dist/index.js +4 -1
  15. package/dist/index.js.map +1 -1
  16. package/dist/metadata_source.d.ts +4 -0
  17. package/dist/metadata_source.d.ts.map +1 -0
  18. package/dist/metadata_source.js +54 -0
  19. package/dist/metadata_source.js.map +1 -0
  20. package/dist/metadata_source.test.d.ts +2 -0
  21. package/dist/metadata_source.test.d.ts.map +1 -0
  22. package/dist/metadata_source.test.js +29 -0
  23. package/dist/metadata_source.test.js.map +1 -0
  24. package/dist/reversibility_taxonomy.d.ts +23 -0
  25. package/dist/reversibility_taxonomy.d.ts.map +1 -0
  26. package/dist/reversibility_taxonomy.js +208 -0
  27. package/dist/reversibility_taxonomy.js.map +1 -0
  28. package/dist/reversibility_taxonomy.test.d.ts +2 -0
  29. package/dist/reversibility_taxonomy.test.d.ts.map +1 -0
  30. package/dist/reversibility_taxonomy.test.js +146 -0
  31. package/dist/reversibility_taxonomy.test.js.map +1 -0
  32. package/dist/signing.d.ts.map +1 -1
  33. package/dist/signing.js +30 -6
  34. package/dist/signing.js.map +1 -1
  35. package/dist/trust_edge_mapping.d.ts +12 -0
  36. package/dist/trust_edge_mapping.d.ts.map +1 -0
  37. package/dist/trust_edge_mapping.js +88 -0
  38. package/dist/trust_edge_mapping.js.map +1 -0
  39. package/dist/trust_edge_mapping.test.d.ts +2 -0
  40. package/dist/trust_edge_mapping.test.d.ts.map +1 -0
  41. package/dist/trust_edge_mapping.test.js +86 -0
  42. package/dist/trust_edge_mapping.test.js.map +1 -0
  43. package/dist/types/artifact.d.ts +65 -4
  44. package/dist/types/artifact.d.ts.map +1 -1
  45. package/dist/types/proof_artifact.d.ts +52 -0
  46. package/dist/types/proof_artifact.d.ts.map +1 -0
  47. package/dist/types/proof_artifact.js +12 -0
  48. package/dist/types/proof_artifact.js.map +1 -0
  49. package/dist/validate-artifact.d.ts.map +1 -1
  50. package/dist/validate-artifact.js +88 -10
  51. package/dist/validate-artifact.js.map +1 -1
  52. package/dist/validate-artifact.test.js +16 -2
  53. package/dist/validate-artifact.test.js.map +1 -1
  54. package/package.json +13 -7
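--- a/package/dist/trust_edge_mapping.js
+++ b/package/dist/trust_edge_mapping.js
@@ -0,0 +1,88 @@
+ // Trust-edge mapping for outbound-action records.
+ //
+ // TypeScript sibling of
+ // `packages/primust-checks/src/primust_checks/trust_edge_mapping.py`.
+ //
+ // Maps `(target_system_kind, operation)` to one of the six trust edges
+ // defined in `docs/v30/foundation/OUTBOUND_ACTION_EVIDENCE_SPEC_v0_1.md` §1.2.
+ //
+ // SI-1: this module emits only enum values. The mapping itself is content-free.
+ export const MAPPING_VERSION = '1.0.0';
+ export const TRUST_EDGES = ['A2T', 'A2M', 'A2H', 'A2A', 'A2S', 'A2D'];
+ // Primary mapping. Two kinds (mcp_tool, governance_config_surface) are
+ // contextual and resolved in `classify` below.
+ const PRIMARY = {
+ // A2T
+ sdk_tool: 'A2T',
+ cli_subprocess: 'A2T',
+ // A2M
+ anthropic_messages: 'A2M',
+ openai_chat: 'A2M',
+ bedrock_invoke: 'A2M',
+ calibrated_profile: 'A2M',
+ // A2H
+ approval_gate: 'A2H',
+ cli_prompt: 'A2H',
+ dashboard_escalation: 'A2H',
+ // A2A
+ subagent_spawn: 'A2A',
+ mcp_sampling: 'A2A',
+ cross_org_delegation: 'A2A',
+ // A2S
+ aws_api: 'A2S',
+ salesforce_rest: 'A2S',
+ stripe_api: 'A2S',
+ github_api: 'A2S',
+ fly_api: 'A2S',
+ servicenow_api: 'A2S',
+ slack: 'A2S',
+ k8s: 'A2S',
+ generic_http: 'A2S',
+ // A2D
+ postgres: 'A2D',
+ snowflake: 'A2D',
+ pinecone: 'A2D',
+ s3: 'A2D',
+ filesystem: 'A2D',
+ vector_store: 'A2D',
+ };
+ const MCP_DATA_METHODS = [
+ 'resources/read',
+ 'resources/list',
+ 'prompts/get',
+ 'prompts/list',
+ ];
+ const HTTP_METHOD_PREFIXES = [
+ 'GET ',
+ 'POST ',
+ 'PUT ',
+ 'PATCH ',
+ 'DELETE ',
+ 'HEAD ',
+ 'OPTIONS ',
+ ];
+ /**
+ * Resolve the trust edge for a `(target_system_kind, operation)` pair.
+ * Returns `null` if the kind is not recognized — callers MUST treat
+ * this as a gap (record the kind, do not invent a trust edge).
+ */
+ export function classify(target_system_kind, operation) {
+ if (target_system_kind === 'mcp_tool') {
+ if (MCP_DATA_METHODS.some((p) => operation.startsWith(p)))
+ return 'A2D';
+ if (operation.includes('sampling'))
+ return 'A2M';
+ return 'A2T';
+ }
+ if (target_system_kind === 'governance_config_surface') {
+ if (HTTP_METHOD_PREFIXES.some((p) => operation.startsWith(p)))
+ return 'A2S';
+ return 'A2D';
+ }
+ return PRIMARY[target_system_kind] ?? null;
+ }
+ /** All target_system_kind values this mapping recognizes. */
+ export function knownKinds() {
+ return new Set([...Object.keys(PRIMARY), 'mcp_tool', 'governance_config_surface']);
+ }
+ //# sourceMappingURL=trust_edge_mapping.js.map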
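Review bot: The final lookup in `classify`, `return PRIMARY[target_system_kind] ?? null;`, reads from a plain object literal, so kind strings that name inherited members (`constructor`, `toString`, `__proto__`) resolve through the prototype chain and come back as a function or object instead of `null`. That breaks both the documented contract (an unrecognized kind returns `null` and is recorded as a gap) and the header's SI-1 statement that the module emits only enum values, which matters if `target_system_kind` can be influenced by the system being recorded. Restrict the lookup to own keys, e.g. `return Object.hasOwn(PRIMARY, target_system_kind) ? PRIMARY[target_system_kind] : null;` (or `Object.prototype.hasOwnProperty.call(...)` on older targets). Separately, `operation.includes('sampling')` matches anywhere in the string, so any `mcp_tool` operation whose tool name merely contains that substring is recorded as A2M; consider anchoring the match and documenting the rule next to `MCP_DATA_METHODS`.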
@@ -0,0 +1 @@
1
+ {"version":3,"file":"trust_edge_mapping.js","sourceRoot":"","sources":["../src/trust_edge_mapping.ts"],"names":[],"mappings":"AAAA,kDAAkD;AAClD,EAAE;AACF,wBAAwB;AACxB,sEAAsE;AACtE,EAAE;AACF,uEAAuE;AACvE,+EAA+E;AAC/E,EAAE;AACF,gFAAgF;AAEhF,MAAM,CAAC,MAAM,eAAe,GAAG,OAAgB,CAAC;AAEhD,MAAM,CAAC,MAAM,WAAW,GAAG,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,CAAU,CAAC;AAG/E,uEAAuE;AACvE,+CAA+C;AAC/C,MAAM,OAAO,GAA8B;IACzC,MAAM;IACN,QAAQ,EAAE,KAAK;IACf,cAAc,EAAE,KAAK;IAErB,MAAM;IACN,kBAAkB,EAAE,KAAK;IACzB,WAAW,EAAE,KAAK;IAClB,cAAc,EAAE,KAAK;IACrB,kBAAkB,EAAE,KAAK;IAEzB,MAAM;IACN,aAAa,EAAE,KAAK;IACpB,UAAU,EAAE,KAAK;IACjB,oBAAoB,EAAE,KAAK;IAE3B,MAAM;IACN,cAAc,EAAE,KAAK;IACrB,YAAY,EAAE,KAAK;IACnB,oBAAoB,EAAE,KAAK;IAE3B,MAAM;IACN,OAAO,EAAE,KAAK;IACd,eAAe,EAAE,KAAK;IACtB,UAAU,EAAE,KAAK;IACjB,UAAU,EAAE,KAAK;IACjB,OAAO,EAAE,KAAK;IACd,cAAc,EAAE,KAAK;IACrB,KAAK,EAAE,KAAK;IACZ,GAAG,EAAE,KAAK;IACV,YAAY,EAAE,KAAK;IAEnB,MAAM;IACN,QAAQ,EAAE,KAAK;IACf,SAAS,EAAE,KAAK;IAChB,QAAQ,EAAE,KAAK;IACf,EAAE,EAAE,KAAK;IACT,UAAU,EAAE,KAAK;IACjB,YAAY,EAAE,KAAK;CACpB,CAAC;AAEF,MAAM,gBAAgB,GAAG;IACvB,gBAAgB;IAChB,gBAAgB;IAChB,aAAa;IACb,cAAc;CACN,CAAC;AAEX,MAAM,oBAAoB,GAAG;IAC3B,MAAM;IACN,OAAO;IACP,MAAM;IACN,QAAQ;IACR,SAAS;IACT,OAAO;IACP,UAAU;CACF,CAAC;AAEX;;;;GAIG;AACH,MAAM,UAAU,QAAQ,CACtB,kBAA0B,EAC1B,SAAiB;IAEjB,IAAI,kBAAkB,KAAK,UAAU,EAAE,CAAC;QACtC,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QACxE,IAAI,SAAS,CAAC,QAAQ,CAAC,UAAU,CAAC;YAAE,OAAO,KAAK,CAAC;QACjD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,kBAAkB,KAAK,2BAA2B,EAAE,CAAC;QACvD,IAAI,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;QAC5E,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,OAAO,CAAC,kBAAkB,CAAC,IAAI,IAAI,CAAC;AAC7C,CAAC;AAED,6DAA6D;AAC7D,MAAM,UAAU,UAAU;IACxB,OAAO,IAAI,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,UAAU,EAAE,2BAA2B,CAAC,CAAC,CAAC;AACrF,CAAC"}
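--- a/package/dist/trust_edge_mapping.test.d.ts
+++ b/package/dist/trust_edge_mapping.test.d.ts
@@ -0,0 +1,2 @@
+ export {};
+ //# sourceMappingURL=trust_edge_mapping.test.d.ts.map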
@@ -0,0 +1 @@
1
+ {"version":3,"file":"trust_edge_mapping.test.d.ts","sourceRoot":"","sources":["../src/trust_edge_mapping.test.ts"],"names":[],"mappings":""}
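--- a/package/dist/trust_edge_mapping.test.js
+++ b/package/dist/trust_edge_mapping.test.js
@@ -0,0 +1,86 @@
+ import { describe, it, expect } from 'vitest';
+ import { MAPPING_VERSION, TRUST_EDGES, classify, knownKinds, } from './trust_edge_mapping.js';
+ describe('trust_edge_mapping', () => {
+ describe('A2T — Agent → Tool', () => {
+ it('sdk_tool', () => expect(classify('sdk_tool', 'anyop')).toBe('A2T'));
+ it('cli_subprocess', () => expect(classify('cli_subprocess', 'exec')).toBe('A2T'));
+ it('mcp_tool tools/call', () => expect(classify('mcp_tool', 'tools/call:my_tool')).toBe('A2T'));
+ });
+ describe('A2M — Agent → Model', () => {
+ it('anthropic_messages', () => expect(classify('anthropic_messages', 'POST /v1/messages')).toBe('A2M'));
+ it('openai_chat', () => expect(classify('openai_chat', 'POST /v1/chat/completions')).toBe('A2M'));
+ it('bedrock_invoke', () => expect(classify('bedrock_invoke', 'InvokeModel')).toBe('A2M'));
+ it('mcp_tool sampling sub-LLM (spec §2.1)', () => expect(classify('mcp_tool', 'tools/call:sampling_proxy')).toBe('A2M'));
+ });
+ describe('A2H — Agent → Human', () => {
+ it('approval_gate', () => expect(classify('approval_gate', 'request')).toBe('A2H'));
+ it('cli_prompt', () => expect(classify('cli_prompt', 'ask')).toBe('A2H'));
+ it('dashboard_escalation', () => expect(classify('dashboard_escalation', 'notify')).toBe('A2H'));
+ });
+ describe('A2A — Agent → Agent', () => {
+ it('subagent_spawn', () => expect(classify('subagent_spawn', 'spawn')).toBe('A2A'));
+ it('cross_org_delegation', () => expect(classify('cross_org_delegation', 'delegate')).toBe('A2A'));
+ });
+ describe('A2S — Agent → System', () => {
+ it('aws_api', () => expect(classify('aws_api', 'DeleteBucket')).toBe('A2S'));
+ it('stripe_api', () => expect(classify('stripe_api', 'charges.create')).toBe('A2S'));
+ it('github_api', () => expect(classify('github_api', 'POST /repos/{owner}/{repo}/pulls')).toBe('A2S'));
+ it('salesforce_rest', () => expect(classify('salesforce_rest', 'POST /sobjects/Task')).toBe('A2S'));
+ it('slack', () => expect(classify('slack', 'chat.postMessage')).toBe('A2S'));
+ it('k8s', () => expect(classify('k8s', 'DELETE /apis/apps/v1/namespaces/{ns}/deployments/{name}')).toBe('A2S'));
+ it('generic_http', () => expect(classify('generic_http', 'POST /some/path')).toBe('A2S'));
+ });
+ describe('A2D — Agent → Data', () => {
+ it('postgres', () => expect(classify('postgres', 'SELECT')).toBe('A2D'));
+ it('snowflake', () => expect(classify('snowflake', 'INSERT')).toBe('A2D'));
+ it('pinecone', () => expect(classify('pinecone', 'upsert')).toBe('A2D'));
+ it('s3', () => expect(classify('s3', 'GetObject')).toBe('A2D'));
+ it('filesystem', () => expect(classify('filesystem', 'read')).toBe('A2D'));
+ it('vector_store', () => expect(classify('vector_store', 'query')).toBe('A2D'));
+ it('mcp_tool resources/read (spec §2.1)', () => expect(classify('mcp_tool', 'resources/read')).toBe('A2D'));
+ it('mcp_tool resources/list', () => expect(classify('mcp_tool', 'resources/list')).toBe('A2D'));
+ it('mcp_tool prompts/get', () => expect(classify('mcp_tool', 'prompts/get')).toBe('A2D'));
+ });
+ describe('contextual: governance_config_surface', () => {
+ it('file-path-shaped op → A2D', () => expect(classify('governance_config_surface', 'edit_settings_json')).toBe('A2D'));
+ it('POST op → A2S', () => expect(classify('governance_config_surface', 'POST /admin/branch-protection')).toBe('A2S'));
+ it('PATCH op → A2S', () => expect(classify('governance_config_surface', 'PATCH /admin/rules/{id}')).toBe('A2S'));
+ });
+ describe('unknown kind → null (gap, not invented)', () => {
+ it('returns null', () => {
+ expect(classify('not_a_real_kind', 'op')).toBe(null);
+ });
+ });
+ describe('knownKinds enumeration', () => {
+ it('includes mcp_tool and governance_config_surface', () => {
+ const kinds = knownKinds();
+ expect(kinds.has('mcp_tool')).toBe(true);
+ expect(kinds.has('governance_config_surface')).toBe(true);
+ });
+ it('covers all six edges (at least one kind each)', () => {
+ const kinds = knownKinds();
+ expect(kinds.has('sdk_tool')).toBe(true);
+ expect(kinds.has('anthropic_messages')).toBe(true);
+ expect(kinds.has('approval_gate')).toBe(true);
+ expect(kinds.has('subagent_spawn')).toBe(true);
+ expect(kinds.has('aws_api')).toBe(true);
+ expect(kinds.has('postgres')).toBe(true);
+ });
+ it('every known kind classifies to non-null', () => {
+ for (const kind of knownKinds()) {
+ expect(classify(kind, '')).not.toBe(null);
+ }
+ });
+ });
+ describe('versioning + SI-1 shape', () => {
+ it('MAPPING_VERSION is semver', () => {
+ expect(MAPPING_VERSION).toMatch(/^\d+\.\d+\.\d+$/);
+ });
+ it('all edge values use safe alphanum alphabet', () => {
+ for (const edge of TRUST_EDGES) {
+ expect(edge.replace(/_/g, '')).toMatch(/^[A-Za-z0-9]+$/);
+ }
+ });
+ });
+ });
+ //# sourceMappingURL=trust_edge_mapping.test.js.map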
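Review bot: Nothing in this suite asserts that `classify` only ever returns a member of `TRUST_EDGES`: the `every known kind classifies to non-null` loop checks `not.toBe(null)`, and the unknown-kind case uses a single made-up string, `not_a_real_kind`. Tightening the loop to `expect(TRUST_EDGES).toContain(classify(kind, ''));` would catch a typo in the mapping table. The null case would be stronger with kinds that collide with built-in property names, e.g. `expect(classify('constructor', 'op')).toBe(null);`, which appears likely to fail against the plain-object lookup shown in trust_edge_mapping.js in this same diff. The `tools/call:sampling_proxy` case pins the substring rule only from the positive side; a case for a tool name that contains `sampling` without being a sampling call would document which way that is meant to go.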
@@ -0,0 +1 @@
1
+ {"version":3,"file":"trust_edge_mapping.test.js","sourceRoot":"","sources":["../src/trust_edge_mapping.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EACL,eAAe,EACf,WAAW,EACX,QAAQ,EACR,UAAU,GACX,MAAM,yBAAyB,CAAC;AAEjC,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;QAClC,EAAE,CAAC,UAAU,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QACxE,EAAE,CAAC,gBAAgB,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QACnF,EAAE,CAAC,qBAAqB,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,EAAE,oBAAoB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAClG,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;QACnC,EAAE,CAAC,oBAAoB,EAAE,GAAG,EAAE,CAC5B,MAAM,CAAC,QAAQ,CAAC,oBAAoB,EAAE,mBAAmB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAC3E,EAAE,CAAC,aAAa,EAAE,GAAG,EAAE,CACrB,MAAM,CAAC,QAAQ,CAAC,aAAa,EAAE,2BAA2B,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAC5E,EAAE,CAAC,gBAAgB,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,EAAE,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAC1F,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE,CAC/C,MAAM,CAAC,QAAQ,CAAC,UAAU,EAAE,2BAA2B,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAC3E,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;QACnC,EAAE,CAAC,eAAe,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,eAAe,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QACpF,EAAE,CAAC,YAAY,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAC1E,EAAE,CAAC,sBAAsB,EAAE,GAAG,EAAE,CAC9B,MAAM,CAAC,QAAQ,CAAC,sBAAsB,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,qBAAqB,EAAE,GAAG,EAAE;QACnC,EAAE,CAAC,gBAAgB,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QACpF,EAAE,CAAC,sBAAsB,EAAE,GAAG,EAAE,CAC9B,MAAM,CAAC,QAAQ,CAAC,sBAAsB,EAAE,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,C
AAC,CAAC,CAAC;IACtE,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,sBAAsB,EAAE,GAAG,EAAE;QACpC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAC7E,EAAE,CAAC,YAAY,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,EAAE,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QACrF,EAAE,CAAC,YAAY,EAAE,GAAG,EAAE,CACpB,MAAM,CAAC,QAAQ,CAAC,YAAY,EAAE,kCAAkC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAClF,EAAE,CAAC,iBAAiB,EAAE,GAAG,EAAE,CACzB,MAAM,CAAC,QAAQ,CAAC,iBAAiB,EAAE,qBAAqB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAC1E,EAAE,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,EAAE,kBAAkB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAC7E,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE,CACb,MAAM,CAAC,QAAQ,CAAC,KAAK,EAAE,yDAAyD,CAAC,CAAC,CAAC,IAAI,CACrF,KAAK,CACN,CAAC,CAAC;QACL,EAAE,CAAC,cAAc,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,EAAE,iBAAiB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAC5F,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;QAClC,EAAE,CAAC,UAAU,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QACzE,EAAE,CAAC,WAAW,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAC3E,EAAE,CAAC,UAAU,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QACzE,EAAE,CAAC,IAAI,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAChE,EAAE,CAAC,YAAY,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAC3E,EAAE,CAAC,cAAc,EAAE,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAChF,EAAE,CAAC,qCAAqC,EAAE,GAAG,EAAE,CAC7C,MAAM,CAAC,QAAQ,CAAC,UAAU,EAAE,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAC9D,EAAE,CAAC,yBAAyB,EAAE,GAAG,EAAE,CACjC,MAAM,CAAC,QAAQ,CAAC,UAAU,EAAE,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QAC9D,EAAE,CAAC,sBAAsB,EAAE
,GAAG,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAC5F,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,uCAAuC,EAAE,GAAG,EAAE;QACrD,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE,CACnC,MAAM,CAAC,QAAQ,CAAC,2BAA2B,EAAE,oBAAoB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;QACnF,EAAE,CAAC,eAAe,EAAE,GAAG,EAAE,CACvB,MAAM,CAAC,QAAQ,CAAC,2BAA2B,EAAE,+BAA+B,CAAC,CAAC,CAAC,IAAI,CACjF,KAAK,CACN,CAAC,CAAC;QACL,EAAE,CAAC,gBAAgB,EAAE,GAAG,EAAE,CACxB,MAAM,CAAC,QAAQ,CAAC,2BAA2B,EAAE,yBAAyB,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC;IAC1F,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,yCAAyC,EAAE,GAAG,EAAE;QACvD,EAAE,CAAC,cAAc,EAAE,GAAG,EAAE;YACtB,MAAM,CAAC,QAAQ,CAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvD,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,wBAAwB,EAAE,GAAG,EAAE;QACtC,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;YACzD,MAAM,KAAK,GAAG,UAAU,EAAE,CAAC;YAC3B,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACzC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,2BAA2B,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC5D,CAAC,CAAC,CAAC;QACH,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;YACvD,MAAM,KAAK,GAAG,UAAU,EAAE,CAAC;YAC3B,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACzC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,oBAAoB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACnD,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC9C,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC/C,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACxC,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3C,CAAC,CAAC,CAAC;QACH,EAAE,CAAC,yCAAyC,EAAE,GAAG,EAAE;YACjD,KAAK,MAAM,IAAI,IAAI,UAAU,EAAE,EAAE,CAAC;gBAChC,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC5C,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACvC,EAAE,CAAC,2BAA2B,EAAE,GAAG,EAAE;YACnC,MAAM,CAAC,eAAe,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;QACrD,C
AAC,CAAC,CAAC;QACH,EAAE,CAAC,4CAA4C,EAAE,GAAG,EAAE;YACpD,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;gBAC/B,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;YAC3D,CAAC;QACH,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
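--- a/package/dist/types/artifact.d.ts
+++ b/package/dist/types/artifact.d.ts
@@ -14,7 +14,8 @@
  * 7. issuer.public_key_url must match primust.com/.well-known/ pattern
  * 8. test_mode: true rejected by primust-verify in --production mode
  */
- export type ProofLevel = 'mathematical' | 'verifiable_inference' | 'execution' | 'witnessed' | 'attestation';
+ import type { ProofArtifact } from './proof_artifact.js';
+ export type ProofLevel = 'mathematical' | 'verifiable_inference' | 'operator_bound' | 'execution' | 'witnessed' | 'attestation';
  export type SurfaceType = 'in_process_adapter' | 'middleware_interceptor' | 'platform_event_feed' | 'audit_log_ingest' | 'manual_assertion';
  export type ObservationMode = 'pre_action' | 'in_flight' | 'post_action_realtime' | 'post_action_batch';
  export type ScopeType = 'full_workflow' | 'orchestration_boundary' | 'platform_logged_events' | 'component_scope' | 'partial_unknown';
@@ -22,11 +23,11 @@ export type PolicyBasis = 'P1_self_declared' | 'P2_baseline_aligned' | 'P3_basel
  export type ArtifactState = 'provisional' | 'signed' | 'final';
  export type CommitmentAlgorithm = 'poseidon2' | 'sha256';
  export type Prover = 'local' | 'modal_cpu' | 'modal_gpu';
- export type ProverSystem = 'ultrahonk' | 'ezkl' | 'groth16_bionetta';
+ export type ProverSystem = 'ultrahonk' | 'ezkl' | 'groth16_bionetta' | 'sp1';
  export type TsaProvider = 'digicert_us' | 'digicert_eu' | 'none';
  export type OrgRegion = 'us' | 'eu';
  export type GapSeverity = 'Critical' | 'High' | 'Medium' | 'Low' | 'Informational';
- export type GapType = 'check_not_executed' | 'enforcement_override' | 'engine_error' | 'check_degraded' | 'external_boundary_traversal' | 'lineage_token_missing' | 'admission_gate_override' | 'check_timing_suspect' | 'reviewer_credential_invalid' | 'witnessed_display_missing' | 'witnessed_rationale_missing' | 'deterministic_consistency_violation' | 'skip_rationale_missing' | 'policy_config_drift' | 'zkml_proof_pending_timeout' | 'zkml_proof_failed' | 'explanation_missing' | 'bias_audit_missing';
+ export type GapType = 'check_not_executed' | 'enforcement_override' | 'engine_error' | 'check_degraded' | 'external_boundary_traversal' | 'lineage_token_missing' | 'admission_gate_override' | 'check_timing_suspect' | 'reviewer_credential_invalid' | 'witnessed_display_missing' | 'witnessed_rationale_missing' | 'witnessed_timestamp_invalid' | 'deterministic_consistency_violation' | 'skip_rationale_missing' | 'policy_config_drift' | 'proof_level_floor_breach' | 'zkml_proof_pending_timeout' | 'zkml_proof_failed' | 'system_error' | 'sla_breach' | 'explanation_missing' | 'bias_audit_missing' | 'system_unavailable' | 'archetype_unmapped' | 'upstream_vpec_invalid_signature' | 'upstream_vpec_sandbox' | 'upstream_vpec_key_revoked' | 'upstream_vpec_insufficient_proof_level' | 'upstream_vpec_missing_claim' | 'upstream_vpec_issuer_mismatch' | 'upstream_vpec_missing' | 'model_profile_missing' | 'missing_executor' | 'complyadvantage_api_error' | 'complyadvantage_auth_failure' | 'actimize_api_error' | 'actimize_auth_failure' | 'blaze_api_error' | 'blaze_auth_failure' | 'odm_api_error' | 'odm_auth_failure' | 'falcon_api_error' | 'falcon_auth_failure' | 'pega_api_error' | 'pega_auth_failure' | 'wolters_kluwer_api_error' | 'wolters_kluwer_auth_failure' | 'guidewire_api_error' | 'guidewire_auth_failure';
  export interface SurfaceEntry {
  surface_id: string;
  surface_type: SurfaceType;
@@ -39,6 +40,8 @@ export interface SurfaceEntry {
  export interface ProofDistribution {
  mathematical: number;
  verifiable_inference: number;
+ /** Optional until all issuers emit six-way distributions. */
+ operator_bound?: number;
  execution: number;
  witnessed: number;
  attestation: number;
@@ -121,7 +124,21 @@ export interface VPECArtifact {
  surface_summary: SurfaceEntry[];
  /** MUST equal proof_distribution.weakest_link. Computed — never set manually. */
  proof_level: ProofLevel;
+ /** Integer count per proof level. Canonical wire field (TECH_SPEC §3.5 field 15). */
  proof_distribution: ProofDistribution;
+ /**
+ * API-enriched distribution (same shape as ProofDistribution, plus fractional
+ * _count fields in the richer API response). Emitted alongside proof_distribution;
+ * not a replacement (TECH_SPEC §3.5 field 16, §3.7.2 dual naming is intentional).
+ */
+ provable_surface_breakdown?: ProofDistribution;
+ /**
+ * Scalar fraction 0.0-1.0 — aggregate proof quality (mathematical/total ratio).
+ * PS-INV-1: sub-fields of provable_surface_breakdown sum to this value (±0.0001).
+ * Distinct from proof_distribution and provable_surface_breakdown
+ * (TECH_SPEC §3.5 field 17).
+ */
+ provable_surface?: number | null;
  state: ArtifactState;
  coverage: Coverage;
  gaps: GapEntry[];
@@ -130,14 +147,58 @@ export interface VPECArtifact {
  /** Merkle root over all CheckExecutionRecord commitment_hashes. null when zero records. */
  commitment_root: string | null;
  commitment_algorithm: CommitmentAlgorithm;
+ /**
+ * Additive Poseidon2 Merkle root over the same `commitment_hashes`
+ * (BN254 field-element tree), emitted alongside the legacy SHA-256
+ * `commitment_root` for ZK-bearing artifacts.
+ *
+ * The primary `commitment_root` is SHA-256 (preserves SI-3 backward
+ * compatibility — ten years of consumers do `computeMerkleRoot` over
+ * the artifact's record commitment_hash list with SHA-256). ZK circuits
+ * operate over BN254 field elements with Poseidon2; their public-input
+ * `commitment_root` cannot be a SHA-256 digest. To anchor ZK proof
+ * commitment_roots to the same record list independently of the
+ * legacy SHA-256 root, ZK-bearing artifacts also publish this Poseidon2
+ * root.
+ *
+ * Used by:
+ * - `verifySkipConditionProofAnchoring` (Finding 5 follow-up): reproduces
+ * the modified record-tree root the proof's `commitment_root` public
+ * input claims.
+ * - `governance_upstream_vpec_inclusion` (Finding C corrective): downstream
+ * run's lineage commitment is included in this tree without re-hashing
+ * 32-byte SHA-256 leaves inside the circuit.
+ *
+ * Format: `'poseidon2:<64-hex>'` matching the rest of the codebase's
+ * Poseidon2 commitment string convention.
+ *
+ * Convention:
+ * - null for legacy artifacts and any ZK-less artifact (omitted on
+ * older VPECs entirely).
+ * - `'poseidon2:<64-hex>'` for artifacts that requested ZK proofs.
+ *
+ * Optional / additive — pre-fix VPECs predate this field. Verifiers must
+ * tolerate its absence on legacy artifacts.
+ */
+ commitment_root_poseidon2?: string | null;
  zk_proof: ZkProof | null;
+ /** GD-2: individual proof artifacts. Optional — absent on legacy VPECs. */
+ proof_artifacts?: ProofArtifact[];
  issuer: ArtifactIssuer;
  signature: ArtifactSignature;
  timestamp_anchor: TimestampAnchor;
  transparency_log: TransparencyLog;
  issued_at: string;
  pending_flags: PendingFlags;
- /** true when issued with pk_test_xxx key. Rejected by primust-verify in --production. */
+ /** true when issued with pk_test_xxx or pk_sb_xxx key. Rejected by primust-verify in --production. */
  test_mode: boolean;
+ /** Hash of the active ControlPlan at issuance. null/absent for pre-v21 VPECs. */
+ control_plan_hash?: string | null;
+ /** Hash of the ObligationPlan linked to the active ControlPlan. */
+ obligation_plan_hash?: string | null;
+ /** ID of the active compliance approval on the ControlPlan. */
+ approval_id?: string | null;
+ /** Hash of the ApplicabilitySnapshot anchoring the governance chain. */
+ applicability_snapshot_hash?: string | null;
  }
  //# sourceMappingURL=artifact.d.ts.map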
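Review bot: The doc comment added on `commitment_root_poseidon2` says verifiers must tolerate its absence but never says when absence is a failure. As typed (`?: string | null`), an artifact that carries a non-null `zk_proof` or a populated `proof_artifacts` yet omits the Poseidon2 root is indistinguishable from a legacy artifact, so a tolerant verifier could skip the anchoring check instead of failing it. I would add a sentence such as `Absent or null is valid only when zk_proof is null and proof_artifacts is empty or absent; otherwise verification MUST fail.` Since the verifier is not part of this section, it is also worth confirming that validate-artifact enforces this and that the field is covered by the artifact signature. The `VPECArtifact` interface starts before these hunks, so the fields above line 124 are not visible here.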
@@ -1 +1 @@
1
- {"version":3,"file":"artifact.d.ts","sourceRoot":"","sources":["../../src/types/artifact.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAIH,MAAM,MAAM,UAAU,GAClB,cAAc,GACd,sBAAsB,GACtB,WAAW,GACX,WAAW,GACX,aAAa,CAAC;AAElB,MAAM,MAAM,WAAW,GACnB,oBAAoB,GACpB,wBAAwB,GACxB,qBAAqB,GACrB,kBAAkB,GAClB,kBAAkB,CAAC;AAEvB,MAAM,MAAM,eAAe,GACvB,YAAY,GACZ,WAAW,GACX,sBAAsB,GACtB,mBAAmB,CAAC;AAExB,MAAM,MAAM,SAAS,GACjB,eAAe,GACf,wBAAwB,GACxB,wBAAwB,GACxB,iBAAiB,GACjB,iBAAiB,CAAC;AAEtB,MAAM,MAAM,WAAW,GACnB,kBAAkB,GAClB,qBAAqB,GACrB,6BAA6B,CAAC;AAElC,MAAM,MAAM,aAAa,GAAG,aAAa,GAAG,QAAQ,GAAG,OAAO,CAAC;AAE/D,MAAM,MAAM,mBAAmB,GAAG,WAAW,GAAG,QAAQ,CAAC;AAEzD,MAAM,MAAM,MAAM,GAAG,OAAO,GAAG,WAAW,GAAG,WAAW,CAAC;AAEzD,MAAM,MAAM,YAAY,GAAG,WAAW,GAAG,MAAM,GAAG,kBAAkB,CAAC;AAErE,MAAM,MAAM,WAAW,GAAG,aAAa,GAAG,aAAa,GAAG,MAAM,CAAC;AAEjE,MAAM,MAAM,SAAS,GAAG,IAAI,GAAG,IAAI,CAAC;AAEpC,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,eAAe,CAAC;AAEnF,MAAM,MAAM,OAAO,GACf,oBAAoB,GACpB,sBAAsB,GACtB,cAAc,GACd,gBAAgB,GAChB,6BAA6B,GAC7B,uBAAuB,GACvB,yBAAyB,GACzB,sBAAsB,GACtB,6BAA6B,GAC7B,2BAA2B,GAC3B,6BAA6B,GAC7B,qCAAqC,GACrC,wBAAwB,GACxB,qBAAqB,GACrB,4BAA4B,GAC5B,mBAAmB,GACnB,qBAAqB,GACrB,oBAAoB,CAAC;AAIzB,MAAM,WAAW,YAAY;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,WAAW,CAAC;IAC1B,gBAAgB,EAAE,eAAe,CAAC;IAClC,aAAa,EAAE,UAAU,CAAC;IAC1B,UAAU,EAAE,SAAS,CAAC;IACtB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,0BAA0B,EAAE,MAAM,CAAC;CACpC;AAED,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,MAAM,CAAC;IACrB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,UAAU,CAAC;IACzB,wBAAwB,EAAE,MAAM,CAAC;CAClC;AAED,MAAM,WAAW,QAAQ;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;IACzB,sBAAsB,EAAE,MAAM,CAAC;IAC/B,yEAAyE;IACzE,mBAAmB,EAAE,MAAM,CAAC;IAC5B,gJAAgJ;IAChJ,2BAA2B,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3C,0EAA0E;IAC1E,6BAA6B,EAAE,MAAM,CAAC;CACvC;AAED,MAAM,WAAW,QAAQ;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,W
AAW,CAAC;CACvB;AAED,MAAM,WAAW,OAAO;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,YAAY,CAAC;IAC5B,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;CAC9B;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,SAAS,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,SAAS,CAAC;CACvB;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,SAAS,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,SAAS,GAAG,MAAM,CAAC;IACzB,GAAG,EAAE,WAAW,CAAC;IACjB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED,MAAM,WAAW,YAAY;IAC3B,iBAAiB,EAAE,OAAO,CAAC;IAC3B,+CAA+C;IAC/C,aAAa,EAAE,OAAO,CAAC;IACvB,uDAAuD;IACvD,kBAAkB,EAAE,OAAO,CAAC;IAC5B,kBAAkB,EAAE,OAAO,CAAC;IAC5B,yDAAyD;IACzD,aAAa,EAAE,OAAO,CAAC;CACxB;AAID,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,OAAO,CAAC;IAExB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IAEpB,mEAAmE;IACnE,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAC;IAEpC,oBAAoB,EAAE,MAAM,CAAC;IAC7B,YAAY,EAAE,WAAW,CAAC;IAE1B,+EAA+E;IAC/E,OAAO,EAAE,OAAO,CAAC;IAEjB,eAAe,EAAE,YAAY,EAAE,CAAC;IAEhC,iFAAiF;IACjF,WAAW,EAAE,UAAU,CAAC;IACxB,kBAAkB,EAAE,iBAAiB,CAAC;IAEtC,KAAK,EAAE,aAAa,CAAC;IAErB,QAAQ,EAAE,QAAQ,CAAC;IACnB,IAAI,EAAE,QAAQ,EAAE,CAAC;IAEjB,0DAA0D;IAC1D,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAExC,2FAA2F;IAC3F,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,oBAAoB,EAAE,mBAAmB,CAAC;IAE1C,QAAQ,EAAE,OAAO,GAAG,IAAI,CAAC;IAEzB,MAAM,EAAE,cAAc,CAAC;IACvB,SAAS,EAAE,iBAAiB,CAAC;IAC7B,gBAAgB,EAAE,eAAe,CAAC;IAClC,gBAAgB,EAAE,eAAe,CAAC;IAElC,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,YAAY,CAAC;IAE5B,yFAAyF;IACzF,SAAS,EAAE,OAAO,CAAC;CACpB"}
1
+ {"version":3,"file":"artifact.d.ts","sourceRoot":"","sources":["../../src/types/artifact.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAIzD,MAAM,MAAM,UAAU,GAClB,cAAc,GACd,sBAAsB,GACtB,gBAAgB,GAChB,WAAW,GACX,WAAW,GACX,aAAa,CAAC;AAElB,MAAM,MAAM,WAAW,GACnB,oBAAoB,GACpB,wBAAwB,GACxB,qBAAqB,GACrB,kBAAkB,GAClB,kBAAkB,CAAC;AAEvB,MAAM,MAAM,eAAe,GACvB,YAAY,GACZ,WAAW,GACX,sBAAsB,GACtB,mBAAmB,CAAC;AAExB,MAAM,MAAM,SAAS,GACjB,eAAe,GACf,wBAAwB,GACxB,wBAAwB,GACxB,iBAAiB,GACjB,iBAAiB,CAAC;AAEtB,MAAM,MAAM,WAAW,GACnB,kBAAkB,GAClB,qBAAqB,GACrB,6BAA6B,CAAC;AAElC,MAAM,MAAM,aAAa,GAAG,aAAa,GAAG,QAAQ,GAAG,OAAO,CAAC;AAE/D,MAAM,MAAM,mBAAmB,GAAG,WAAW,GAAG,QAAQ,CAAC;AAEzD,MAAM,MAAM,MAAM,GAAG,OAAO,GAAG,WAAW,GAAG,WAAW,CAAC;AAEzD,MAAM,MAAM,YAAY,GAAG,WAAW,GAAG,MAAM,GAAG,kBAAkB,GAAG,KAAK,CAAC;AAE7E,MAAM,MAAM,WAAW,GAAG,aAAa,GAAG,aAAa,GAAG,MAAM,CAAC;AAEjE,MAAM,MAAM,SAAS,GAAG,IAAI,GAAG,IAAI,CAAC;AAEpC,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,eAAe,CAAC;AAEnF,MAAM,MAAM,OAAO,GAEf,oBAAoB,GACpB,sBAAsB,GACtB,cAAc,GACd,gBAAgB,GAChB,6BAA6B,GAC7B,uBAAuB,GACvB,yBAAyB,GACzB,sBAAsB,GACtB,6BAA6B,GAC7B,2BAA2B,GAC3B,6BAA6B,GAC7B,6BAA6B,GAC7B,qCAAqC,GACrC,wBAAwB,GACxB,qBAAqB,GACrB,0BAA0B,GAC1B,4BAA4B,GAC5B,mBAAmB,GACnB,cAAc,GACd,YAAY,GACZ,qBAAqB,GACrB,oBAAoB,GAEpB,oBAAoB,GAEpB,oBAAoB,GAEpB,iCAAiC,GACjC,uBAAuB,GACvB,2BAA2B,GAC3B,wCAAwC,GACxC,6BAA6B,GAC7B,+BAA+B,GAC/B,uBAAuB,GAEvB,uBAAuB,GAEvB,kBAAkB,GAElB,2BAA2B,GAC3B,8BAA8B,GAC9B,oBAAoB,GACpB,uBAAuB,GACvB,iBAAiB,GACjB,oBAAoB,GACpB,eAAe,GACf,kBAAkB,GAClB,kBAAkB,GAClB,qBAAqB,GACrB,gBAAgB,GAChB,mBAAmB,GACnB,0BAA0B,GAC1B,6BAA6B,GAC7B,qBAAqB,GACrB,wBAAwB,CAAC;AAI7B,MAAM,WAAW,YAAY;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,WAAW,CAAC;IAC1B,gBAAgB,EAAE,eAAe,CAAC;IAClC,aAAa,EAAE,UAAU,CAAC;IAC1B,UAAU,EAAE,SAAS,CAAC;IACtB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,0BAA0B,EAAE,MAAM,CAAC;CACpC;AAED,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,MAAM,CAAC;IACrB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,6DAA6D;IAC7D,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS
,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,UAAU,CAAC;IACzB,wBAAwB,EAAE,MAAM,CAAC;CAClC;AAED,MAAM,WAAW,QAAQ;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;IACzB,sBAAsB,EAAE,MAAM,CAAC;IAC/B,yEAAyE;IACzE,mBAAmB,EAAE,MAAM,CAAC;IAC5B,gJAAgJ;IAChJ,2BAA2B,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3C,0EAA0E;IAC1E,6BAA6B,EAAE,MAAM,CAAC;CACvC;AAED,MAAM,WAAW,QAAQ;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,WAAW,CAAC;CACvB;AAED,MAAM,WAAW,OAAO;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,YAAY,CAAC;IAC5B,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;CAC9B;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,SAAS,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,SAAS,CAAC;CACvB;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,SAAS,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,SAAS,GAAG,MAAM,CAAC;IACzB,GAAG,EAAE,WAAW,CAAC;IACjB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED,MAAM,WAAW,YAAY;IAC3B,iBAAiB,EAAE,OAAO,CAAC;IAC3B,+CAA+C;IAC/C,aAAa,EAAE,OAAO,CAAC;IACvB,uDAAuD;IACvD,kBAAkB,EAAE,OAAO,CAAC;IAC5B,kBAAkB,EAAE,OAAO,CAAC;IAC5B,yDAAyD;IACzD,aAAa,EAAE,OAAO,CAAC;CACxB;AAID,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,OAAO,CAAC;IAExB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IAEpB,mEAAmE;IACnE,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAC;IAEpC,oBAAoB,EAAE,MAAM,CAAC;IAC7B,YAAY,EAAE,WAAW,CAAC;IAE1B,+EAA+E;IAC/E,OAAO,EAAE,OAAO,CAAC;IAEjB,eAAe,EAAE,YAAY,EAAE,CAAC;IAEhC,iFAAiF;IACjF,WAAW,EAAE,UAAU,CAAC;IAExB,qFAAqF;IACrF,kBAAkB,EAAE,iBAAiB,CAAC;IAEtC;;;;OAIG;IACH,0BAA0B,CAAC,EAAE,iBAAiB,CAAC;IAE/C;;;;;OAKG;IACH,gBAAgB,CAA
C,EAAE,MAAM,GAAG,IAAI,CAAC;IAEjC,KAAK,EAAE,aAAa,CAAC;IAErB,QAAQ,EAAE,QAAQ,CAAC;IACnB,IAAI,EAAE,QAAQ,EAAE,CAAC;IAEjB,0DAA0D;IAC1D,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAExC,2FAA2F;IAC3F,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,oBAAoB,EAAE,mBAAmB,CAAC;IAE1C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAgCG;IACH,yBAAyB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAE1C,QAAQ,EAAE,OAAO,GAAG,IAAI,CAAC;IAEzB,2EAA2E;IAC3E,eAAe,CAAC,EAAE,aAAa,EAAE,CAAC;IAElC,MAAM,EAAE,cAAc,CAAC;IACvB,SAAS,EAAE,iBAAiB,CAAC;IAC7B,gBAAgB,EAAE,eAAe,CAAC;IAClC,gBAAgB,EAAE,eAAe,CAAC;IAElC,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,YAAY,CAAC;IAE5B,sGAAsG;IACtG,SAAS,EAAE,OAAO,CAAC;IAEnB,iFAAiF;IACjF,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,mEAAmE;IACnE,oBAAoB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACrC,+DAA+D;IAC/D,WAAW,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,wEAAwE;IACxE,2BAA2B,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7C"}
@@ -0,0 +1,52 @@
1
+ /**
2
+ * ProofArtifact — individual proof record within a VPEC.
3
+ *
4
+ * Append-only: once created, a ProofArtifact MUST NOT be mutated.
5
+ * Each artifact represents a single proof job (Noir circuit, EZKL proof, etc.)
6
+ * and its verification outcome.
7
+ *
8
+ * Added in GD-2. Lives alongside the legacy zk_proof field on VPECArtifact;
9
+ * both shapes are valid.
10
+ */
11
+ /**
12
+ * Verification status.
13
+ *
14
+ * Live DB row states (proof_artifacts.verification_status):
15
+ * - 'pending' — job submitted, awaiting webhook callback
16
+ * - 'verified' — terminal: proof verified
17
+ * - 'failed' — terminal: proof rejected or job errored
18
+ * - 'not_applicable' — terminal: backend did not run (e.g. test_mode)
19
+ *
20
+ * Envelope-only state (sealed VPECs only; never appears in DB):
21
+ * - 'unresolved_at_seal' — the proof job had not reached a terminal state
22
+ * when the VPEC was sealed. The envelope is sealed-once (Phase 5), so
23
+ * it can never observe the later verified|failed transition. Verifiers
24
+ * MUST treat this as a hard error: counterparties must consult the
25
+ * live API or treat the proof as unverified.
26
+ */
27
+ export type VerificationStatus = 'verified' | 'pending' | 'failed' | 'not_applicable' | 'unresolved_at_seal';
28
+ export interface ProofArtifact {
29
+ /** Primary key. Prefix: pa_ */
30
+ proof_artifact_id: string;
31
+ /** The proof job that produced this artifact, if tracked. */
32
+ proof_job_id?: string;
33
+ /** Backend that generated the proof (e.g. NoirBackend, EZKLBackend). */
34
+ backend: string;
35
+ /** Mechanism used (e.g. noir_circuit, ezkl_proof, groth16_bionetta). */
36
+ proof_mechanism: string;
37
+ /** Maps to an AssuranceClass via the assurance mapper (e.g. mathematical, verifiable_inference). */
38
+ assurance_subtype: string;
39
+ /** Reference to the verification material (e.g. S3 key, IPFS CID). */
40
+ verification_material_ref?: string;
41
+ /** Version of the backend that produced this proof. */
42
+ backend_version?: string;
43
+ /** Control ID this proof satisfies, if applicable. */
44
+ control_id?: string;
45
+ /** Component ID this proof covers, if applicable. */
46
+ component_id?: string;
47
+ /** Terminal verification status. Append-only — never transition backwards. */
48
+ verification_status: VerificationStatus;
49
+ /** When verification completed. null while pending. */
50
+ completed_at?: string;
51
+ }
52
+ //# sourceMappingURL=proof_artifact.d.ts.map
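Review bot: The field comment on `verification_status` calls it a "Terminal verification status", but `VerificationStatus` also admits `'pending'` and `'unresolved_at_seal'`, which the type's own doc block describes as non-terminal. A verifier that reads only the field comment could treat any present value as final, so I would reword it to `/** Verification status; 'pending' and 'unresolved_at_seal' are not terminal. Never transition backwards. */`. Likewise `completed_at?: string` is documented as "null while pending" although the type does not admit `null`; either declare `completed_at?: string | null` or change the comment to "absent while pending". This file appears to be emitted from `src/types/proof_artifact.ts`, so both changes belong in that source.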
@@ -0,0 +1 @@
1
+ {"version":3,"file":"proof_artifact.d.ts","sourceRoot":"","sources":["../../src/types/proof_artifact.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH;;;;;;;;;;;;;;;GAeG;AACH,MAAM,MAAM,kBAAkB,GAC1B,UAAU,GACV,SAAS,GACT,QAAQ,GACR,gBAAgB,GAChB,oBAAoB,CAAC;AAEzB,MAAM,WAAW,aAAa;IAC5B,+BAA+B;IAC/B,iBAAiB,EAAE,MAAM,CAAC;IAE1B,6DAA6D;IAC7D,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,wEAAwE;IACxE,OAAO,EAAE,MAAM,CAAC;IAEhB,wEAAwE;IACxE,eAAe,EAAE,MAAM,CAAC;IAExB,oGAAoG;IACpG,iBAAiB,EAAE,MAAM,CAAC;IAE1B,sEAAsE;IACtE,yBAAyB,CAAC,EAAE,MAAM,CAAC;IAEnC,uDAAuD;IACvD,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB,sDAAsD;IACtD,UAAU,CAAC,EAAE,MAAM,CAAC;IAEpB,qDAAqD;IACrD,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,8EAA8E;IAC9E,mBAAmB,EAAE,kBAAkB,CAAC;IAExC,uDAAuD;IACvD,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB"}
@@ -0,0 +1,12 @@
1
+ /**
2
+ * ProofArtifact — individual proof record within a VPEC.
3
+ *
4
+ * Append-only: once created, a ProofArtifact MUST NOT be mutated.
5
+ * Each artifact represents a single proof job (Noir circuit, EZKL proof, etc.)
6
+ * and its verification outcome.
7
+ *
8
+ * Added in GD-2. Lives alongside the legacy zk_proof field on VPECArtifact;
9
+ * both shapes are valid.
10
+ */
11
+ export {};
12
+ //# sourceMappingURL=proof_artifact.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"proof_artifact.js","sourceRoot":"","sources":["../../src/types/proof_artifact.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG"}
@@ -1 +1 @@
1
- {"version":3,"file":"validate-artifact.d.ts","sourceRoot":"","sources":["../src/validate-artifact.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,eAAe,EAAE,CAAC;CAC3B;AAiCD;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,gBAAgB,CA6HpF"}
1
+ {"version":3,"file":"validate-artifact.d.ts","sourceRoot":"","sources":["../src/validate-artifact.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,eAAe,EAAE,CAAC;CAC3B;AA8GD;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,gBAAgB,CAgIpF"}
@@ -7,30 +7,106 @@
7
7
  const PROOF_LEVELS = [
8
8
  'mathematical',
9
9
  'verifiable_inference',
10
+ 'operator_bound',
10
11
  'execution',
11
12
  'witnessed',
12
13
  'attestation',
13
14
  ];
15
+ // Authoritative list synced with packages/db/migrations/076_gap_type_allowlist_expansion.sql
16
+ // plus additional control-plan / GRT / action-level gap types that are emitted by
17
+ // code paths not yet represented in migration 076. Keep in lockstep with the
18
+ // Python sibling at packages/artifact-core-py/src/primust_artifact_core/validate_artifact.py.
14
19
  const GAP_TYPES = new Set([
20
+ // Original runtime-governance set (migration 019)
21
+ 'admission_gate_override',
22
+ 'check_degraded',
15
23
  'check_not_executed',
24
+ 'check_timing_suspect',
25
+ 'deterministic_consistency_violation',
16
26
  'enforcement_override',
17
27
  'engine_error',
18
- 'check_degraded',
19
28
  'external_boundary_traversal',
20
29
  'lineage_token_missing',
21
- 'admission_gate_override',
22
- 'check_timing_suspect',
30
+ 'policy_config_drift',
23
31
  'reviewer_credential_invalid',
32
+ 'skip_rationale_missing',
24
33
  'witnessed_display_missing',
25
34
  'witnessed_rationale_missing',
26
- 'deterministic_consistency_violation',
27
- 'skip_rationale_missing',
28
- 'policy_config_drift',
29
- 'zkml_proof_pending_timeout',
30
35
  'zkml_proof_failed',
36
+ 'zkml_proof_pending_timeout',
37
+ // Server-emitted during run enrichment / VPEC assembly (migration 076)
38
+ 'archetype_unmapped',
39
+ 'bias_audit_missing',
40
+ 'bounded_inference_downgrade',
41
+ 'explanation_missing',
42
+ 'manifest_metadata_missing',
43
+ 'model_profile_missing',
44
+ 'nesting_depth_exceeded',
45
+ 'orphan_run_gap',
46
+ 'parent_run_invalid',
47
+ 'partial_submission',
48
+ 'proof_level_floor_breach',
49
+ 'provable_surface_invariant_violation',
50
+ 'queue_drain_exhausted',
51
+ 'record_count_mismatch',
52
+ 'run_expired_without_close',
53
+ 'sla_breach',
54
+ 'stage_type_unresolved',
55
+ 'subagent_identity_ambiguous',
56
+ 'system_error',
57
+ 'system_unavailable',
58
+ 'witnessed_timestamp_invalid',
59
+ // Upstream VPEC verification failures
60
+ 'upstream_vpec_insufficient_proof_level',
61
+ 'upstream_vpec_invalid_signature',
62
+ 'upstream_vpec_issuer_mismatch',
63
+ 'upstream_vpec_key_revoked',
64
+ 'upstream_vpec_missing',
65
+ 'upstream_vpec_missing_claim',
66
+ 'upstream_vpec_sandbox',
67
+ // Connector adapter errors (per-vendor allowlist)
68
+ 'actimize_api_error',
69
+ 'actimize_auth_failure',
70
+ 'blaze_api_error',
71
+ 'blaze_auth_failure',
72
+ 'complyadvantage_api_error',
73
+ 'complyadvantage_auth_failure',
74
+ 'falcon_api_error',
75
+ 'falcon_auth_failure',
76
+ 'guidewire_api_error',
77
+ 'guidewire_auth_failure',
78
+ 'odm_api_error',
79
+ 'odm_auth_failure',
80
+ 'pega_api_error',
81
+ 'pega_auth_failure',
82
+ 'wolters_kluwer_api_error',
83
+ 'wolters_kluwer_auth_failure',
84
+ // Migration-tool error categories
85
+ 'migration_auth_failed',
86
+ 'migration_record_unmigratable',
87
+ // Control-plan binding gaps (not yet in migration 076 but emitted by runs.py / auto_dispatcher)
88
+ 'control_plan_binding_missing',
89
+ 'control_plan_hash_mismatch',
90
+ 'control_plan_system_mismatch',
91
+ // GRT / signing gaps
92
+ 'grt_signing_failed',
93
+ 'signing_delayed',
94
+ // Action-level gaps (ungoverned action discovery)
95
+ 'ungoverned_action',
96
+ 'consequential_ungoverned_action',
97
+ 'missing_executor',
98
+ // Phase 6 bridge taxonomy (migration 134; docs/v29/ZK_BRIDGE_BUILD_PLAN.md §3)
99
+ 'proof_dispatch_failure',
100
+ 'proof_timeout',
101
+ 'proof_verification_failure',
102
+ 'circuit_not_green_yellow_quarantined',
103
+ 'circuit_not_green_red_quarantined',
104
+ 'witness_build_failure',
105
+ // Pre-bridge proof-failed webhook emits this; was missing from earlier allowlists
106
+ 'proof_generation_failed',
31
107
  ]);
32
108
  const GAP_SEVERITIES = new Set(['Critical', 'High', 'Medium', 'Low', 'Informational']);
33
- const PUBLIC_KEY_URL_PATTERN = /^https:\/\/primust\.com\/\.well-known\/primust-pubkeys\/.+\.pem$/;
109
+ const PUBLIC_KEY_URL_PATTERN = /^https:\/\/(?:primust|keys\.primust)\.com\/\.well-known\/primust-pubkeys\/.+\.pem$/;
34
110
  /**
35
111
  * Validate a VPEC artifact against all critical invariants.
36
112
  *
@@ -136,13 +212,15 @@ export function validateArtifact(artifact) {
136
212
  });
137
213
  }
138
214
  }
139
- // Invariant 7: issuer.public_key_url must match primust.com/.well-known/ pattern
215
+ // Invariant 7: issuer.public_key_url must match an approved Primust key host
140
216
  const issuer = artifact.issuer;
141
217
  if (issuer && typeof issuer.public_key_url === 'string') {
142
218
  if (!PUBLIC_KEY_URL_PATTERN.test(issuer.public_key_url)) {
143
219
  errors.push({
144
220
  code: 'ISSUER_URL_INVALID',
145
- message: `issuer.public_key_url must match https://primust.com/.well-known/primust-pubkeys/*.pem, got "${issuer.public_key_url}"`,
221
+ message: 'issuer.public_key_url must match ' +
222
+ 'https://primust.com/.well-known/primust-pubkeys/*.pem or ' +
223
+ `https://keys.primust.com/.well-known/primust-pubkeys/*.pem, got "${issuer.public_key_url}"`,
146
224
  path: 'issuer.public_key_url',
147
225
  });
148
226
  }
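Review bot: `PUBLIC_KEY_URL_PATTERN` pins the host but leaves the file-name part as `.+`, which also matches `/`, `..`, `?` and `#`. A URL that passes Invariant 7 therefore need not resolve to a file inside `/.well-known/primust-pubkeys/` once a client normalises it, and this change extends that to a second host. If key file names are plain identifiers (the test on this page uses `abc123.pem`), tighten the tail, e.g. `/^https:\/\/(?:keys\.)?primust\.com\/\.well-known\/primust-pubkeys\/[A-Za-z0-9_-]+\.pem$/`, and add rejecting cases next to the new `keys.primust.com` test. The check is also skipped when `issuer.public_key_url` is missing or not a string (context lines of the second hunk); whether another invariant covers that is not visible, since `validateArtifact` continues outside both hunks.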
@@ -1 +1 @@
1
- {"version":3,"file":"validate-artifact.js","sourceRoot":"","sources":["../src/validate-artifact.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAeH,MAAM,YAAY,GAAiB;IACjC,cAAc;IACd,sBAAsB;IACtB,WAAW;IACX,WAAW;IACX,aAAa;CACd,CAAC;AAEF,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC;IACxB,oBAAoB;IACpB,sBAAsB;IACtB,cAAc;IACd,gBAAgB;IAChB,6BAA6B;IAC7B,uBAAuB;IACvB,yBAAyB;IACzB,sBAAsB;IACtB,6BAA6B;IAC7B,2BAA2B;IAC3B,6BAA6B;IAC7B,qCAAqC;IACrC,wBAAwB;IACxB,qBAAqB;IACrB,4BAA4B;IAC5B,mBAAmB;CACpB,CAAC,CAAC;AAEH,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC,CAAC;AAEvF,MAAM,sBAAsB,GAAG,kEAAkE,CAAC;AAElG;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAiC;IAChE,MAAM,MAAM,GAAsB,EAAE,CAAC;IAErC,+DAA+D;IAC/D,IAAI,eAAe,IAAI,QAAQ,EAAE,CAAC;QAChC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,yBAAyB;YAC/B,OAAO,EAAE,oDAAoD;YAC7D,IAAI,EAAE,eAAe;SACtB,CAAC,CAAC;IACL,CAAC;IACD,uBAAuB,CAAC,QAAQ,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;IAE9C,+BAA+B;IAC/B,IAAI,QAAQ,CAAC,cAAc,KAAK,OAAO,EAAE,CAAC;QACxC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,wBAAwB;YAC9B,OAAO,EAAE,wCAAwC,QAAQ,CAAC,cAAc,GAAG;YAC3E,IAAI,EAAE,gBAAgB;SACvB,CAAC,CAAC;IACL,CAAC;IAED,sEAAsE;IACtE,MAAM,SAAS,GAAG,QAAQ,CAAC,kBAAyD,CAAC;IACrF,IAAI,SAAS,IAAI,QAAQ,CAAC,WAAW,KAAK,SAAS,CAAC,YAAY,EAAE,CAAC;QACjE,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,sBAAsB;YAC5B,OAAO,EAAE,gBAAgB,QAAQ,CAAC,WAAW,qDAAqD,SAAS,CAAC,YAAY,GAAG;YAC3H,IAAI,EAAE,aAAa;SACpB,CAAC,CAAC;IACL,CAAC;IAED,6CAA6C;IAC7C,IAAI,QAAQ,CAAC,WAAW,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAyB,CAAC,EAAE,CAAC;QACvF,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,qBAAqB;YAC3B,OAAO,EAAE,gBAAgB,QAAQ,CAAC,WAAW,8BAA8B;YAC3E,IAAI,EAAE,aAAa;SACpB,CAAC,CAAC;IACL,CAAC;IAED,+DAA+D;IAC/D,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,yBAAyB;YAC/B,OAAO,EAAE,uDAAuD;YAChE,IAAI,EAAE,iBAAiB;SACxB,CAAC,CAAC;IACL,CAAC;IAED,8DAA8D;IAC9D,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC;IAC3B,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAA
C,EAAE,EAAE,CAAC;YACrC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAA4B,CAAC;YAE/C,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5B,MAAM,CAAC,IAAI,CAAC;oBACV,IAAI,EAAE,iBAAiB;oBACvB,OAAO,EAAE,QAAQ,CAAC,mEAAmE;oBACrF,IAAI,EAAE,QAAQ,CAAC,GAAG;iBACnB,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YAED,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;gBAC5C,MAAM,CAAC,IAAI,CAAC;oBACV,IAAI,EAAE,kBAAkB;oBACxB,OAAO,EAAE,QAAQ,CAAC,gDAAgD;oBAClE,IAAI,EAAE,QAAQ,CAAC,GAAG;iBACnB,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YAED,IAAI,CAAC,GAAG,CAAC,QAAQ,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;gBACnC,MAAM,CAAC,IAAI,CAAC;oBACV,IAAI,EAAE,oBAAoB;oBAC1B,OAAO,EAAE,QAAQ,CAAC,0CAA0C;oBAC5D,IAAI,EAAE,QAAQ,CAAC,GAAG;iBACnB,CAAC,CAAC;YACL,CAAC;YAED,IAAI,GAAG,CAAC,QAAQ,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,QAAkB,CAAC,EAAE,CAAC;gBAC3D,MAAM,CAAC,IAAI,CAAC;oBACV,IAAI,EAAE,wBAAwB;oBAC9B,OAAO,EAAE,QAAQ,CAAC,eAAe,GAAG,CAAC,QAAQ,2BAA2B;oBACxE,IAAI,EAAE,QAAQ,CAAC,YAAY;iBAC5B,CAAC,CAAC;YACL,CAAC;YAED,IAAI,GAAG,CAAC,QAAQ,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,QAAkB,CAAC,EAAE,CAAC;gBAChE,MAAM,CAAC,IAAI,CAAC;oBACV,IAAI,EAAE,sBAAsB;oBAC5B,OAAO,EAAE,QAAQ,CAAC,eAAe,GAAG,CAAC,QAAQ,2BAA2B;oBACxE,IAAI,EAAE,QAAQ,CAAC,YAAY;iBAC5B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,6DAA6D;IAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAA+C,CAAC;IAC1E,IAAI,QAAQ,CAAC,OAAO,KAAK,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC1C,IAAI,OAAO,QAAQ,CAAC,mBAAmB,KAAK,QAAQ,IAAI,QAAQ,CAAC,mBAAmB,KAAK,CAAC,EAAE,CAAC;YAC3F,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,2BAA2B;gBACjC,OAAO,EAAE,2DAA2D,QAAQ,CAAC,mBAAmB,EAAE;gBAClG,IAAI,EAAE,8BAA8B;aACrC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,iFAAiF;IACjF,MAAM,MAAM,GAAG,QAAQ,CAAC,MAA6C,CAAC;IACtE,IAAI,MAAM,IAAI,OAAO,MAAM,CAAC,cAAc,KAAK,QAAQ,EAAE,CAAC;QACxD,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC;YACxD,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EAAE,gGAAgG,MAAM,CAAC,cAAc,GAAG;gBACjI,IAAI,EAAE,uBAAuB;aAC9B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;AAChD,CAAC;AAED,+DAA+D;AAC/D,SAAS,uBAAuB,CAC9
B,GAA4B,EAC5B,IAAY,EACZ,MAAyB;IAEzB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,MAAM,WAAW,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;QAClD,IAAI,GAAG,KAAK,eAAe,IAAI,WAAW,KAAK,eAAe,EAAE,CAAC;YAC/D,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,yBAAyB;gBAC/B,OAAO,EAAE,gEAAgE,WAAW,GAAG;gBACvF,IAAI,EAAE,WAAW;aAClB,CAAC,CAAC;QACL,CAAC;QACD,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAChE,uBAAuB,CAAC,KAAgC,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;QACjF,CAAC;IACH,CAAC;AACH,CAAC"}
1
+ {"version":3,"file":"validate-artifact.js","sourceRoot":"","sources":["../src/validate-artifact.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAeH,MAAM,YAAY,GAAiB;IACjC,cAAc;IACd,sBAAsB;IACtB,gBAAgB;IAChB,WAAW;IACX,WAAW;IACX,aAAa;CACd,CAAC;AAEF,6FAA6F;AAC7F,kFAAkF;AAClF,6EAA6E;AAC7E,8FAA8F;AAC9F,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC;IACxB,kDAAkD;IAClD,yBAAyB;IACzB,gBAAgB;IAChB,oBAAoB;IACpB,sBAAsB;IACtB,qCAAqC;IACrC,sBAAsB;IACtB,cAAc;IACd,6BAA6B;IAC7B,uBAAuB;IACvB,qBAAqB;IACrB,6BAA6B;IAC7B,wBAAwB;IACxB,2BAA2B;IAC3B,6BAA6B;IAC7B,mBAAmB;IACnB,4BAA4B;IAC5B,uEAAuE;IACvE,oBAAoB;IACpB,oBAAoB;IACpB,6BAA6B;IAC7B,qBAAqB;IACrB,2BAA2B;IAC3B,uBAAuB;IACvB,wBAAwB;IACxB,gBAAgB;IAChB,oBAAoB;IACpB,oBAAoB;IACpB,0BAA0B;IAC1B,sCAAsC;IACtC,uBAAuB;IACvB,uBAAuB;IACvB,2BAA2B;IAC3B,YAAY;IACZ,uBAAuB;IACvB,6BAA6B;IAC7B,cAAc;IACd,oBAAoB;IACpB,6BAA6B;IAC7B,sCAAsC;IACtC,wCAAwC;IACxC,iCAAiC;IACjC,+BAA+B;IAC/B,2BAA2B;IAC3B,uBAAuB;IACvB,6BAA6B;IAC7B,uBAAuB;IACvB,kDAAkD;IAClD,oBAAoB;IACpB,uBAAuB;IACvB,iBAAiB;IACjB,oBAAoB;IACpB,2BAA2B;IAC3B,8BAA8B;IAC9B,kBAAkB;IAClB,qBAAqB;IACrB,qBAAqB;IACrB,wBAAwB;IACxB,eAAe;IACf,kBAAkB;IAClB,gBAAgB;IAChB,mBAAmB;IACnB,0BAA0B;IAC1B,6BAA6B;IAC7B,kCAAkC;IAClC,uBAAuB;IACvB,+BAA+B;IAC/B,gGAAgG;IAChG,8BAA8B;IAC9B,4BAA4B;IAC5B,8BAA8B;IAC9B,qBAAqB;IACrB,oBAAoB;IACpB,iBAAiB;IACjB,kDAAkD;IAClD,mBAAmB;IACnB,iCAAiC;IACjC,kBAAkB;IAClB,+EAA+E;IAC/E,wBAAwB;IACxB,eAAe;IACf,4BAA4B;IAC5B,sCAAsC;IACtC,mCAAmC;IACnC,uBAAuB;IACvB,kFAAkF;IAClF,yBAAyB;CAC1B,CAAC,CAAC;AAEH,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,eAAe,CAAC,CAAC,CAAC;AAEvF,MAAM,sBAAsB,GAC1B,oFAAoF,CAAC;AAEvF;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAiC;IAChE,MAAM,MAAM,GAAsB,EAAE,CAAC;IAErC,+DAA+D;IAC/D,IAAI,eAAe,IAAI,QAAQ,EAAE,CAAC;QAChC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,yBAAyB;YAC/B,OAAO,EAAE,oDAAoD;YAC7D,IAAI,EAAE,eAAe;SACtB,CAAC,CAAC;IACL,CAAC;IACD,uBAAuB,CAAC,QAAQ,EAAE,EAAE,EAAE,MAAM,CAAC,CAAC;IAE9C,+BAA+B;IAC/B,IAAI,QAAQ,CAAC,cAAc,KAAK,OAAO,EAAE,CAAC;QACxC,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,wBAAwB;Y
AC9B,OAAO,EAAE,wCAAwC,QAAQ,CAAC,cAAc,GAAG;YAC3E,IAAI,EAAE,gBAAgB;SACvB,CAAC,CAAC;IACL,CAAC;IAED,sEAAsE;IACtE,MAAM,SAAS,GAAG,QAAQ,CAAC,kBAAyD,CAAC;IACrF,IAAI,SAAS,IAAI,QAAQ,CAAC,WAAW,KAAK,SAAS,CAAC,YAAY,EAAE,CAAC;QACjE,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,sBAAsB;YAC5B,OAAO,EAAE,gBAAgB,QAAQ,CAAC,WAAW,qDAAqD,SAAS,CAAC,YAAY,GAAG;YAC3H,IAAI,EAAE,aAAa;SACpB,CAAC,CAAC;IACL,CAAC;IAED,6CAA6C;IAC7C,IAAI,QAAQ,CAAC,WAAW,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,QAAQ,CAAC,WAAyB,CAAC,EAAE,CAAC;QACvF,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,qBAAqB;YAC3B,OAAO,EAAE,gBAAgB,QAAQ,CAAC,WAAW,8BAA8B;YAC3E,IAAI,EAAE,aAAa;SACpB,CAAC,CAAC;IACL,CAAC;IAED,+DAA+D;IAC/D,IAAI,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC;YACV,IAAI,EAAE,yBAAyB;YAC/B,OAAO,EAAE,uDAAuD;YAChE,IAAI,EAAE,iBAAiB;SACxB,CAAC,CAAC;IACL,CAAC;IAED,8DAA8D;IAC9D,MAAM,IAAI,GAAG,QAAQ,CAAC,IAAI,CAAC;IAC3B,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACxB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACrC,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAA4B,CAAC;YAE/C,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;gBAC5B,MAAM,CAAC,IAAI,CAAC;oBACV,IAAI,EAAE,iBAAiB;oBACvB,OAAO,EAAE,QAAQ,CAAC,mEAAmE;oBACrF,IAAI,EAAE,QAAQ,CAAC,GAAG;iBACnB,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YAED,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,IAAI,EAAE,CAAC;gBAC5C,MAAM,CAAC,IAAI,CAAC;oBACV,IAAI,EAAE,kBAAkB;oBACxB,OAAO,EAAE,QAAQ,CAAC,gDAAgD;oBAClE,IAAI,EAAE,QAAQ,CAAC,GAAG;iBACnB,CAAC,CAAC;gBACH,SAAS;YACX,CAAC;YAED,IAAI,CAAC,GAAG,CAAC,QAAQ,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;gBACnC,MAAM,CAAC,IAAI,CAAC;oBACV,IAAI,EAAE,oBAAoB;oBAC1B,OAAO,EAAE,QAAQ,CAAC,0CAA0C;oBAC5D,IAAI,EAAE,QAAQ,CAAC,GAAG;iBACnB,CAAC,CAAC;YACL,CAAC;YAED,IAAI,GAAG,CAAC,QAAQ,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,QAAkB,CAAC,EAAE,CAAC;gBAC3D,MAAM,CAAC,IAAI,CAAC;oBACV,IAAI,EAAE,wBAAwB;oBAC9B,OAAO,EAAE,QAAQ,CAAC,eAAe,GAAG,CAAC,QAAQ,2BAA2B;oBACxE,IAAI,EAAE,QAAQ,CAAC,YAAY;iBAC5B,CAAC,CAAC;YACL,CAAC;YAED,IAAI,GAAG,CAAC,QAAQ,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC,QAAkB,CAAC,EAAE,CAAC;gBAChE,
MAAM,CAAC,IAAI,CAAC;oBACV,IAAI,EAAE,sBAAsB;oBAC5B,OAAO,EAAE,QAAQ,CAAC,eAAe,GAAG,CAAC,QAAQ,2BAA2B;oBACxE,IAAI,EAAE,QAAQ,CAAC,YAAY;iBAC5B,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,6DAA6D;IAC7D,MAAM,QAAQ,GAAG,QAAQ,CAAC,QAA+C,CAAC;IAC1E,IAAI,QAAQ,CAAC,OAAO,KAAK,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC1C,IAAI,OAAO,QAAQ,CAAC,mBAAmB,KAAK,QAAQ,IAAI,QAAQ,CAAC,mBAAmB,KAAK,CAAC,EAAE,CAAC;YAC3F,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,2BAA2B;gBACjC,OAAO,EAAE,2DAA2D,QAAQ,CAAC,mBAAmB,EAAE;gBAClG,IAAI,EAAE,8BAA8B;aACrC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,6EAA6E;IAC7E,MAAM,MAAM,GAAG,QAAQ,CAAC,MAA6C,CAAC;IACtE,IAAI,MAAM,IAAI,OAAO,MAAM,CAAC,cAAc,KAAK,QAAQ,EAAE,CAAC;QACxD,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC,EAAE,CAAC;YACxD,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,oBAAoB;gBAC1B,OAAO,EACL,mCAAmC;oBACnC,2DAA2D;oBAC3D,oEAAoE,MAAM,CAAC,cAAc,GAAG;gBAC9F,IAAI,EAAE,uBAAuB;aAC9B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;AAChD,CAAC;AAED,+DAA+D;AAC/D,SAAS,uBAAuB,CAC9B,GAA4B,EAC5B,IAAY,EACZ,MAAyB;IAEzB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/C,MAAM,WAAW,GAAG,IAAI,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC;QAClD,IAAI,GAAG,KAAK,eAAe,IAAI,WAAW,KAAK,eAAe,EAAE,CAAC;YAC/D,MAAM,CAAC,IAAI,CAAC;gBACV,IAAI,EAAE,yBAAyB;gBAC/B,OAAO,EAAE,gEAAgE,WAAW,GAAG;gBACvF,IAAI,EAAE,WAAW;aAClB,CAAC,CAAC;QACL,CAAC;QACD,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YAChE,uBAAuB,CAAC,KAAgC,EAAE,WAAW,EAAE,MAAM,CAAC,CAAC;QACjF,CAAC;IACH,CAAC;AACH,CAAC"}
@@ -93,6 +93,19 @@ describe('validateArtifact', () => {
93
93
  expect(result.valid).toBe(true);
94
94
  expect(result.errors).toHaveLength(0);
95
95
  });
96
+ it('keys.primust.com public key URL passes validation', () => {
97
+ const result = validateArtifact(validArtifact({
98
+ issuer: {
99
+ signer_id: 'signer_test',
100
+ kid: 'kid_test',
101
+ algorithm: 'Ed25519',
102
+ public_key_url: 'https://keys.primust.com/.well-known/primust-pubkeys/abc123.pem',
103
+ org_region: 'us',
104
+ },
105
+ }));
106
+ expect(result.valid).toBe(true);
107
+ expect(result.errors).toHaveLength(0);
108
+ });
96
109
  describe('MUST PASS: invariant enforcement', () => {
97
110
  it('proof_level above weakest_link → validation error', () => {
98
111
  const artifact = validArtifact({
@@ -161,14 +174,15 @@ describe('validateArtifact', () => {
161
174
  expect(result.valid).toBe(false);
162
175
  expect(result.errors.some((e) => e.code === 'INVALID_SCHEMA_VERSION')).toBe(true);
163
176
  });
164
- it('all 5 proof levels valid in proof_level enum', () => {
165
- const levels = ['mathematical', 'verifiable_inference', 'execution', 'witnessed', 'attestation'];
177
+ it('all 6 proof levels valid in proof_level enum', () => {
178
+ const levels = ['mathematical', 'verifiable_inference', 'operator_bound', 'execution', 'witnessed', 'attestation'];
166
179
  for (const level of levels) {
167
180
  const artifact = validArtifact({
168
181
  proof_level: level,
169
182
  proof_distribution: {
170
183
  mathematical: 0,
171
184
  verifiable_inference: 0,
185
+ operator_bound: 0,
172
186
  execution: 0,
173
187
  witnessed: 0,
174
188
  attestation: 0,