@primust/artifact-core 1.0.0

package/dist/index.js

@@ -0,0 +1,6 @@
+// @primust/artifact-core — Canonical JSON, hashing, signing, commitments, artifact types
+export { canonical } from './canonical.js';
+export { generateKeyPair, sign, verify, rotateKey, toBase64Url, fromBase64Url } from './signing.js';
+export { commit, commitOutput, buildCommitmentRoot, selectProofLevel, ZK_IS_BLOCKING, } from './commitment.js';
+export { validateArtifact } from './validate-artifact.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,yFAAyF;AACzF,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAC3C,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AACpG,OAAO,EACL,MAAM,EACN,YAAY,EACZ,mBAAmB,EACnB,gBAAgB,EAChB,cAAc,GACf,MAAM,iBAAiB,CAAC;AAEzB,OAAO,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC"}

package/dist/signing.d.ts

@@ -0,0 +1,80 @@
+/**
+ * Primust Signing — Ed25519 key generation, signing, verification, rotation
+ *
+ * Signing process (spec):
+ *   1. canonical(document) → string
+ *   2. SHA-256(canonical_string) → bytes
+ *   3. Ed25519.sign(hash_bytes, private_key) → signature_bytes
+ *   4. base64url(signature_bytes) → signature field
+ *
+ * Key identity invariants (SIGNER_TRUST_POLICY.md):
+ *   - signer_id: stable logical identifier, survives rotation
+ *   - kid: specific key version, unique per generation
+ *   - Both required in every SignatureEnvelope
+ *   - Rotation creates new kid, same signer_id
+ *   - Rotation does NOT invalidate prior signatures (Q2 quarantine)
+ *
+ * Libraries: @noble/ed25519 + @noble/hashes
+ */
+import type { SignerRecord, SignatureEnvelope, SignerType } from './types.js';
+/** Encode bytes to base64url (no padding) */
+declare function toBase64Url(bytes: Uint8Array): string;
+/** Decode base64url to bytes */
+declare function fromBase64Url(b64url: string): Uint8Array;
+/**
+ * Generate a new Ed25519 key pair and produce a SignerRecord.
+ *
+ * Each call produces a distinct kid. No silent auto-generation (Q4 quarantine).
+ */
+export declare function generateKeyPair(signerId: string, orgId: string, signerType: SignerType): {
+    signerRecord: SignerRecord;
+    privateKey: Uint8Array;
+};
+/**
+ * Sign a document.
+ *
+ * Process:
+ *   1. canonical(document) → deterministic JSON string
+ *   2. SHA-256(canonical_string) → 32-byte hash
+ *   3. Ed25519.sign(hash, privateKey) → 64-byte signature
+ *   4. base64url(signature) → string
+ *
+ * @param document - The document to sign (must contain only JSON-native types)
+ * @param privateKey - Ed25519 private key bytes
+ * @param signerRecord - The signer's active record (must have status 'active')
+ * @returns The original document and its signature envelope
+ */
+export declare function sign(document: Record<string, unknown>, privateKey: Uint8Array, signerRecord: SignerRecord): {
+    document: Record<string, unknown>;
+    signatureEnvelope: SignatureEnvelope;
+};
+/**
+ * Verify a document's signature.
+ *
+ * Recomputes canonical(document) → SHA-256 → verifies Ed25519 signature.
+ * Does NOT evaluate key status — that is the verifier's responsibility
+ * (SIGNER_TRUST_POLICY.md §3–4).
+ *
+ * @param document - The document that was signed
+ * @param signatureEnvelope - The signature envelope
+ * @param publicKeyB64Url - Base64url-encoded Ed25519 public key
+ * @returns true if the cryptographic signature is valid
+ */
+export declare function verify(document: Record<string, unknown>, signatureEnvelope: SignatureEnvelope, publicKeyB64Url: string): boolean;
+/**
+ * Rotate a key: create a new kid under the same signer_id.
+ *
+ * The existing record transitions to 'rotated'. A new record is created
+ * with status 'active'. Prior signatures remain valid against the old kid
+ * (SIGNER_TRUST_POLICY.md §2, Q2 quarantine).
+ *
+ * @param existingRecord - The current active SignerRecord
+ * @returns Updated old record (rotated) and new active record + private key
+ */
+export declare function rotateKey(existingRecord: SignerRecord): {
+    updatedRecord: SignerRecord;
+    newRecord: SignerRecord;
+    newPrivateKey: Uint8Array;
+};
+export { toBase64Url, fromBase64Url };
+//# sourceMappingURL=signing.d.ts.map

package/dist/signing.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.d.ts","sourceRoot":"","sources":["../src/signing.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAMH,OAAO,KAAK,EAAE,YAAY,EAAE,iBAAiB,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAa9E,6CAA6C;AAC7C,iBAAS,WAAW,CAAC,KAAK,EAAE,UAAU,GAAG,MAAM,CAM9C;AAED,gCAAgC;AAChC,iBAAS,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,UAAU,CASjD;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,EACb,UAAU,EAAE,UAAU,GACrB;IAAE,YAAY,EAAE,YAAY,CAAC;IAAC,UAAU,EAAE,UAAU,CAAA;CAAE,CAsBxD;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAgB,IAAI,CAClB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,UAAU,EAAE,UAAU,EACtB,YAAY,EAAE,YAAY,GACzB;IAAE,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAAC,iBAAiB,EAAE,iBAAiB,CAAA;CAAE,CAkB7E;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,MAAM,CACpB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACjC,iBAAiB,EAAE,iBAAiB,EACpC,eAAe,EAAE,MAAM,GACtB,OAAO,CAWT;AAED;;;;;;;;;GASG;AACH,wBAAgB,SAAS,CAAC,cAAc,EAAE,YAAY,GAAG;IACvD,aAAa,EAAE,YAAY,CAAC;IAC5B,SAAS,EAAE,YAAY,CAAC;IACxB,aAAa,EAAE,UAAU,CAAC;CAC3B,CAyBA;AAGD,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,CAAC"}

package/dist/signing.js

@@ -0,0 +1,159 @@
+/**
+ * Primust Signing — Ed25519 key generation, signing, verification, rotation
+ *
+ * Signing process (spec):
+ *   1. canonical(document) → string
+ *   2. SHA-256(canonical_string) → bytes
+ *   3. Ed25519.sign(hash_bytes, private_key) → signature_bytes
+ *   4. base64url(signature_bytes) → signature field
+ *
+ * Key identity invariants (SIGNER_TRUST_POLICY.md):
+ *   - signer_id: stable logical identifier, survives rotation
+ *   - kid: specific key version, unique per generation
+ *   - Both required in every SignatureEnvelope
+ *   - Rotation creates new kid, same signer_id
+ *   - Rotation does NOT invalidate prior signatures (Q2 quarantine)
+ *
+ * Libraries: @noble/ed25519 + @noble/hashes
+ */
+import * as ed from '@noble/ed25519';
+import { sha512 } from '@noble/hashes/sha512';
+import { sha256 } from '@noble/hashes/sha256';
+import { canonical } from './canonical.js';
+// Configure ed25519 to use sha512
+ed.etc.sha512Sync = (...m) => sha512(ed.etc.concatBytes(...m));
+/** Generate a cryptographically random hex string */
+function randomHex(bytes) {
+    const buf = ed.utils.randomPrivateKey().slice(0, bytes);
+    return Array.from(buf)
+        .map((b) => b.toString(16).padStart(2, '0'))
+        .join('');
+}
+/** Encode bytes to base64url (no padding) */
+function toBase64Url(bytes) {
+    let binary = '';
+    for (const byte of bytes) {
+        binary += String.fromCharCode(byte);
+    }
+    return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+/** Decode base64url to bytes */
+function fromBase64Url(b64url) {
+    const b64 = b64url.replace(/-/g, '+').replace(/_/g, '/');
+    const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
+    const binary = atob(padded);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+        bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+}
+/**
+ * Generate a new Ed25519 key pair and produce a SignerRecord.
+ *
+ * Each call produces a distinct kid. No silent auto-generation (Q4 quarantine).
+ */
+export function generateKeyPair(signerId, orgId, signerType) {
+    const privateKey = ed.utils.randomPrivateKey();
+    const publicKey = ed.getPublicKey(privateKey);
+    const kid = `kid_${randomHex(8)}`;
+    const now = new Date().toISOString();
+    const signerRecord = {
+        signer_id: signerId,
+        kid,
+        public_key_b64url: toBase64Url(publicKey),
+        algorithm: 'Ed25519',
+        status: 'active',
+        revocation_reason: null,
+        revoked_at: null,
+        superseded_by_kid: null,
+        activated_at: now,
+        deactivated_at: null,
+        org_id: orgId,
+        signer_type: signerType,
+    };
+    return { signerRecord, privateKey };
+}
+/**
+ * Sign a document.
+ *
+ * Process:
+ *   1. canonical(document) → deterministic JSON string
+ *   2. SHA-256(canonical_string) → 32-byte hash
+ *   3. Ed25519.sign(hash, privateKey) → 64-byte signature
+ *   4. base64url(signature) → string
+ *
+ * @param document - The document to sign (must contain only JSON-native types)
+ * @param privateKey - Ed25519 private key bytes
+ * @param signerRecord - The signer's active record (must have status 'active')
+ * @returns The original document and its signature envelope
+ */
+export function sign(document, privateKey, signerRecord) {
+    if (signerRecord.status !== 'active') {
+        throw new Error(`Cannot sign with ${signerRecord.status} key (kid: ${signerRecord.kid})`);
+    }
+    const canonicalStr = canonical(document);
+    const hashBytes = sha256(new TextEncoder().encode(canonicalStr));
+    const signatureBytes = ed.sign(hashBytes, privateKey);
+    const signatureEnvelope = {
+        signer_id: signerRecord.signer_id,
+        kid: signerRecord.kid,
+        algorithm: 'Ed25519',
+        signature: toBase64Url(signatureBytes),
+        signed_at: new Date().toISOString(),
+    };
+    return { document, signatureEnvelope };
+}
+/**
+ * Verify a document's signature.
+ *
+ * Recomputes canonical(document) → SHA-256 → verifies Ed25519 signature.
+ * Does NOT evaluate key status — that is the verifier's responsibility
+ * (SIGNER_TRUST_POLICY.md §3–4).
+ *
+ * @param document - The document that was signed
+ * @param signatureEnvelope - The signature envelope
+ * @param publicKeyB64Url - Base64url-encoded Ed25519 public key
+ * @returns true if the cryptographic signature is valid
+ */
+export function verify(document, signatureEnvelope, publicKeyB64Url) {
+    try {
+        const canonicalStr = canonical(document);
+        const hashBytes = sha256(new TextEncoder().encode(canonicalStr));
+        const signatureBytes = fromBase64Url(signatureEnvelope.signature);
+        const publicKeyBytes = fromBase64Url(publicKeyB64Url);
+        return ed.verify(signatureBytes, hashBytes, publicKeyBytes);
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Rotate a key: create a new kid under the same signer_id.
+ *
+ * The existing record transitions to 'rotated'. A new record is created
+ * with status 'active'. Prior signatures remain valid against the old kid
+ * (SIGNER_TRUST_POLICY.md §2, Q2 quarantine).
+ *
+ * @param existingRecord - The current active SignerRecord
+ * @returns Updated old record (rotated) and new active record + private key
+ */
+export function rotateKey(existingRecord) {
+    if (existingRecord.status !== 'active') {
+        throw new Error(`Cannot rotate ${existingRecord.status} key (kid: ${existingRecord.kid}). Only active keys can be rotated.`);
+    }
+    // Generate new key pair under the same signer_id
+    const { signerRecord: newRecord, privateKey: newPrivateKey } = generateKeyPair(existingRecord.signer_id, existingRecord.org_id, existingRecord.signer_type);
+    const now = new Date().toISOString();
+    // Transition old record to rotated
+    const updatedRecord = {
+        ...existingRecord,
+        status: 'rotated',
+        superseded_by_kid: newRecord.kid,
+        deactivated_at: now,
+    };
+    return { updatedRecord, newRecord, newPrivateKey };
+}
+// Re-export utilities for consumer use
+export { toBase64Url, fromBase64Url };
+//# sourceMappingURL=signing.js.map

package/dist/signing.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.js","sourceRoot":"","sources":["../src/signing.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,KAAK,EAAE,MAAM,gBAAgB,CAAC;AACrC,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,MAAM,EAAE,MAAM,sBAAsB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,gBAAgB,CAAC;AAG3C,kCAAkC;AAClC,EAAE,CAAC,GAAG,CAAC,UAAU,GAAG,CAAC,GAAG,CAAe,EAAE,EAAE,CAAC,MAAM,CAAC,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;AAE7E,qDAAqD;AACrD,SAAS,SAAS,CAAC,KAAa;IAC9B,MAAM,GAAG,GAAG,EAAE,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;IACxD,OAAO,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC;SACnB,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;SAC3C,IAAI,CAAC,EAAE,CAAC,CAAC;AACd,CAAC;AAED,6CAA6C;AAC7C,SAAS,WAAW,CAAC,KAAiB;IACpC,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACjF,CAAC;AAED,gCAAgC;AAChC,SAAS,aAAa,CAAC,MAAc;IACnC,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACzD,MAAM,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IAC5D,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC;IAC5B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,KAAK,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;IAClC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAC7B,QAAgB,EAChB,KAAa,EACb,UAAsB;IAEtB,MAAM,UAAU,GAAG,EAAE,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;IAC/C,MAAM,SAAS,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAG,OAAO,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC;IAClC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAErC,MAAM,YAAY,GAAiB;QACjC,SAAS,EAAE,QAAQ;QACnB,GAAG;QACH,iBAAiB,EAAE,WAAW,CAAC,SAAS,CAAC;QACzC,SAAS,EAAE,SAAS;QACpB,MAAM,EAAE,QAAQ;QAChB,iBAAiB,EAAE,IAAI;QACvB,UAAU,EAAE,IAAI;QAChB,iBAAiB,EAAE,IAAI;QACvB,YAAY,EAAE,GAAG;QACjB,cAAc,EAAE,IAAI;QACpB,MAAM,EAAE,KAAK;QACb,WAAW,EAAE,UAAU;KACxB,CAAC;IAEF,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,CAAC;AACtC,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,IAAI,CAClB,QAAiC,EACjC,UAAsB,EACtB,YAA0B;IAE1B,IAAI,YAAY,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CAAC,oBAAoB,YAAY,CAAC,MAAM,cAAc,YAAY,CAAC,GAAG,GAAG,CAAC,CAAC;IAC5F,CAAC;IAED,MAAM,YAAY,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;IACzC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC;IACjE,MAAM,cAAc,GAAG,EAAE,CAAC,IAAI,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;IAEtD,MAAM,iBAAiB,GAAsB;QAC3C,SAAS,EAAE,YAAY,CAAC,SAAS;QACjC,GAAG,EAAE,YAAY,CAAC,GAAG;QACrB,SAAS,EAAE,SAAS;QACpB,SAAS,EAAE,WAAW,CAAC,cAAc,CAAC;QACtC,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC;IAEF,OAAO,EAAE,QAAQ,EAAE,iBAAiB,EAAE,CAAC;AACzC,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,MAAM,CACpB,QAAiC,EACjC,iBAAoC,EACpC,eAAuB;IAEvB,IAAI,CAAC;QACH,MAAM,YAAY,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC;QACjE,MAAM,cAAc,GAAG,aAAa,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC;QAClE,MAAM,cAAc,GAAG,aAAa,CAAC,eAAe,CAAC,CAAC;QAEtD,OAAO,EAAE,CAAC,MAAM,CAAC,cAAc,EAAE,SAAS,EAAE,cAAc,CAAC,CAAC;IAC9D,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,SAAS,CAAC,cAA4B;IAKpD,IAAI,cAAc,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CACb,iBAAiB,cAAc,CAAC,MAAM,cAAc,cAAc,CAAC,GAAG,qCAAqC,CAC5G,CAAC;IACJ,CAAC;IAED,iDAAiD;IACjD,MAAM,EAAE,YAAY,EAAE,SAAS,EAAE,UAAU,EAAE,aAAa,EAAE,GAAG,eAAe,CAC5E,cAAc,CAAC,SAAS,EACxB,cAAc,CAAC,MAAM,EACrB,cAAc,CAAC,WAAW,CAC3B,CAAC;IAEF,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IAErC,mCAAmC;IACnC,MAAM,aAAa,GAAiB;QAClC,GAAG,cAAc;QACjB,MAAM,EAAE,SAAS;QACjB,iBAAiB,EAAE,SAAS,CAAC,GAAG;QAChC,cAAc,EAAE,GAAG;KACpB,CAAC;IAEF,OAAO,EAAE,aAAa,EAAE,SAAS,EAAE,aAAa,EAAE,CAAC;AACrD,CAAC;AAED,uCAAuC;AACvC,OAAO,EAAE,WAAW,EAAE,aAAa,EAAE,CAAC"}

package/dist/signing.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=signing.test.d.ts.map

package/dist/signing.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.test.d.ts","sourceRoot":"","sources":["../src/signing.test.ts"],"names":[],"mappings":""}

package/dist/signing.test.js

@@ -0,0 +1,153 @@
+import { describe, it, expect } from 'vitest';
+import { generateKeyPair, sign, verify, rotateKey } from './signing.js';
+describe('signing', () => {
+    const SIGNER_ID = 'signer_test_001';
+    const ORG_ID = 'org_test_001';
+    const SIGNER_TYPE = 'artifact_signer';
+    describe('generateKeyPair', () => {
+        it('produces a valid SignerRecord with distinct kid', () => {
+            const { signerRecord, privateKey } = generateKeyPair(SIGNER_ID, ORG_ID, SIGNER_TYPE);
+            expect(signerRecord.signer_id).toBe(SIGNER_ID);
+            expect(signerRecord.kid).toMatch(/^kid_[0-9a-f]{16}$/);
+            expect(signerRecord.algorithm).toBe('Ed25519');
+            expect(signerRecord.status).toBe('active');
+            expect(signerRecord.revocation_reason).toBeNull();
+            expect(signerRecord.revoked_at).toBeNull();
+            expect(signerRecord.superseded_by_kid).toBeNull();
+            expect(signerRecord.org_id).toBe(ORG_ID);
+            expect(signerRecord.signer_type).toBe(SIGNER_TYPE);
+            expect(signerRecord.public_key_b64url).toBeTypeOf('string');
+            expect(signerRecord.public_key_b64url.length).toBeGreaterThan(0);
+            expect(privateKey).toBeInstanceOf(Uint8Array);
+            expect(privateKey.length).toBe(32);
+        });
+        it('generates distinct kid on each call (signer_id ≠ kid)', () => {
+            const a = generateKeyPair(SIGNER_ID, ORG_ID, SIGNER_TYPE);
+            const b = generateKeyPair(SIGNER_ID, ORG_ID, SIGNER_TYPE);
+            // Same signer_id
+            expect(a.signerRecord.signer_id).toBe(b.signerRecord.signer_id);
+            // Different kid
+            expect(a.signerRecord.kid).not.toBe(b.signerRecord.kid);
+            // Different key material
+            expect(a.signerRecord.public_key_b64url).not.toBe(b.signerRecord.public_key_b64url);
+        });
+    });
+    describe('sign → verify roundtrip', () => {
+        it('MUST PASS: sign → verify roundtrip', () => {
+            const { signerRecord, privateKey } = generateKeyPair(SIGNER_ID, ORG_ID, SIGNER_TYPE);
+            const doc = { action: 'create', target: 'resource_42', ts: '2026-03-10T00:00:00Z' };
+            const { document, signatureEnvelope } = sign(doc, privateKey, signerRecord);
+            expect(signatureEnvelope.signer_id).toBe(SIGNER_ID);
+            expect(signatureEnvelope.kid).toBe(signerRecord.kid);
+            expect(signatureEnvelope.algorithm).toBe('Ed25519');
+            expect(signatureEnvelope.signature).toBeTypeOf('string');
+            expect(signatureEnvelope.signed_at).toMatch(/^\d{4}-/);
+            const valid = verify(document, signatureEnvelope, signerRecord.public_key_b64url);
+            expect(valid).toBe(true);
+        });
+        it('MUST PASS: tampered document fails verify', () => {
+            const { signerRecord, privateKey } = generateKeyPair(SIGNER_ID, ORG_ID, SIGNER_TYPE);
+            const doc = { action: 'create', target: 'resource_42' };
+            const { signatureEnvelope } = sign(doc, privateKey, signerRecord);
+            // Tamper with the document
+            const tampered = { action: 'delete', target: 'resource_42' };
+            const valid = verify(tampered, signatureEnvelope, signerRecord.public_key_b64url);
+            expect(valid).toBe(false);
+        });
+        it('wrong public key fails verify', () => {
+            const { signerRecord, privateKey } = generateKeyPair(SIGNER_ID, ORG_ID, SIGNER_TYPE);
+            const other = generateKeyPair('signer_other', ORG_ID, SIGNER_TYPE);
+            const doc = { msg: 'hello' };
+            const { document, signatureEnvelope } = sign(doc, privateKey, signerRecord);
+            const valid = verify(document, signatureEnvelope, other.signerRecord.public_key_b64url);
+            expect(valid).toBe(false);
+        });
+        it('corrupted signature fails verify', () => {
+            const { signerRecord, privateKey } = generateKeyPair(SIGNER_ID, ORG_ID, SIGNER_TYPE);
+            const doc = { data: 'test' };
+            const { document, signatureEnvelope } = sign(doc, privateKey, signerRecord);
+            const corrupted = { ...signatureEnvelope, signature: 'AAAA_bad_signature' };
+            const valid = verify(document, corrupted, signerRecord.public_key_b64url);
+            expect(valid).toBe(false);
+        });
+    });
+    describe('sign guards', () => {
+        it('refuses to sign with a rotated key', () => {
+            const { signerRecord, privateKey } = generateKeyPair(SIGNER_ID, ORG_ID, SIGNER_TYPE);
+            const rotatedRecord = { ...signerRecord, status: 'rotated' };
+            expect(() => sign({ data: 'test' }, privateKey, rotatedRecord)).toThrow(/rotated/);
+        });
+        it('refuses to sign with a revoked key', () => {
+            const { signerRecord, privateKey } = generateKeyPair(SIGNER_ID, ORG_ID, SIGNER_TYPE);
+            const revokedRecord = { ...signerRecord, status: 'revoked' };
+            expect(() => sign({ data: 'test' }, privateKey, revokedRecord)).toThrow(/revoked/);
+        });
+    });
+    describe('rotateKey', () => {
+        it('MUST PASS: rotated kid still verifies historical document', () => {
+            const { signerRecord: original, privateKey } = generateKeyPair(SIGNER_ID, ORG_ID, SIGNER_TYPE);
+            const doc = { historical: true, version: 1 };
+            // Sign with original key
+            const { document, signatureEnvelope } = sign(doc, privateKey, original);
+            // Rotate the key
+            const { updatedRecord, newRecord } = rotateKey(original);
+            // Original record is now rotated
+            expect(updatedRecord.status).toBe('rotated');
+            expect(updatedRecord.kid).toBe(original.kid);
+            expect(updatedRecord.signer_id).toBe(SIGNER_ID);
+            // New record is active under the same signer_id
+            expect(newRecord.status).toBe('active');
+            expect(newRecord.signer_id).toBe(SIGNER_ID);
+            expect(newRecord.kid).not.toBe(original.kid);
+            // Historical document STILL verifies against the original public key
+            const valid = verify(document, signatureEnvelope, updatedRecord.public_key_b64url);
+            expect(valid).toBe(true);
+        });
+        it('MUST PASS: rotateKey sets superseded_by_kid on old record', () => {
+            const { signerRecord } = generateKeyPair(SIGNER_ID, ORG_ID, SIGNER_TYPE);
+            const { updatedRecord, newRecord } = rotateKey(signerRecord);
+            expect(updatedRecord.superseded_by_kid).toBe(newRecord.kid);
+            expect(updatedRecord.deactivated_at).toMatch(/^\d{4}-/);
+        });
+        it('rotateKey preserves signer_id across rotation', () => {
+            const { signerRecord } = generateKeyPair(SIGNER_ID, ORG_ID, SIGNER_TYPE);
+            const { updatedRecord, newRecord } = rotateKey(signerRecord);
+            expect(updatedRecord.signer_id).toBe(SIGNER_ID);
+            expect(newRecord.signer_id).toBe(SIGNER_ID);
+        });
+        it('cannot rotate an already-rotated key', () => {
+            const { signerRecord } = generateKeyPair(SIGNER_ID, ORG_ID, SIGNER_TYPE);
+            const { updatedRecord } = rotateKey(signerRecord);
+            expect(() => rotateKey(updatedRecord)).toThrow(/rotated/);
+        });
+    });
+    describe('quarantine compliance', () => {
+        it('MUST PASS: no hardcoded keys anywhere', () => {
+            // Generate multiple keypairs and verify they are all unique
+            const keys = Array.from({ length: 5 }, () => generateKeyPair(SIGNER_ID, ORG_ID, SIGNER_TYPE));
+            const publicKeys = new Set(keys.map((k) => k.signerRecord.public_key_b64url));
+            const kids = new Set(keys.map((k) => k.signerRecord.kid));
+            expect(publicKeys.size).toBe(5);
+            expect(kids.size).toBe(5);
+        });
+        it('signature envelope always contains both signer_id and kid', () => {
+            const { signerRecord, privateKey } = generateKeyPair(SIGNER_ID, ORG_ID, SIGNER_TYPE);
+            const doc = { test: true };
+            const { signatureEnvelope } = sign(doc, privateKey, signerRecord);
+            expect(signatureEnvelope.signer_id).toBe(SIGNER_ID);
+            expect(signatureEnvelope.kid).toBe(signerRecord.kid);
+            expect(signatureEnvelope.signer_id).not.toBe(signatureEnvelope.kid);
+        });
+        it('canonical serialization is recursive (Q1 enforcement)', () => {
+            const { signerRecord, privateKey } = generateKeyPair(SIGNER_ID, ORG_ID, SIGNER_TYPE);
+            // Two documents with same data but different nested key order
+            const doc1 = { outer: { z: 1, a: 2 }, id: 'test' };
+            const doc2 = { id: 'test', outer: { a: 2, z: 1 } };
+            const { signatureEnvelope: sig1 } = sign(doc1, privateKey, signerRecord);
+            // doc2 should verify against sig1 because canonical form is identical
+            const valid = verify(doc2, sig1, signerRecord.public_key_b64url);
+            expect(valid).toBe(true);
+        });
+    });
+});
+//# sourceMappingURL=signing.test.js.map

package/dist/signing.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signing.test.js","sourceRoot":"","sources":["../src/signing.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,cAAc,CAAC;AAExE,QAAQ,CAAC,SAAS,EAAE,GAAG,EAAE;IACvB,MAAM,SAAS,GAAG,iBAAiB,CAAC;IACpC,MAAM,MAAM,GAAG,cAAc,CAAC;IAC9B,MAAM,WAAW,GAAG,iBAA0B,CAAC;IAE/C,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;QAC/B,EAAE,CAAC,iDAAiD,EAAE,GAAG,EAAE;YACzD,MAAM,EAAE,YAAY,EAAE,UAAU,EAAE,GAAG,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;YAErF,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAC/C,MAAM,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;YACvD,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAC/C,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YAC3C,MAAM,CAAC,YAAY,CAAC,iBAAiB,CAAC,CAAC,QAAQ,EAAE,CAAC;YAClD,MAAM,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC,QAAQ,EAAE,CAAC;YAC3C,MAAM,CAAC,YAAY,CAAC,iBAAiB,CAAC,CAAC,QAAQ,EAAE,CAAC;YAClD,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACzC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YACnD,MAAM,CAAC,YAAY,CAAC,iBAAiB,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YAC5D,MAAM,CAAC,YAAY,CAAC,iBAAiB,CAAC,MAAM,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,CAAC;YACjE,MAAM,CAAC,UAAU,CAAC,CAAC,cAAc,CAAC,UAAU,CAAC,CAAC;YAC9C,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACrC,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uDAAuD,EAAE,GAAG,EAAE;YAC/D,MAAM,CAAC,GAAG,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;YAC1D,MAAM,CAAC,GAAG,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;YAE1D,iBAAiB;YACjB,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC;YAChE,gBAAgB;YAChB,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;YACxD,yBAAyB;YACzB,MAAM,CAAC,CAAC,CAAC,YAAY,CAAC,iBAAiB,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,iBAAiB,CAAC,CAAC;QACtF,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,yBAAyB,EAAE,GAAG,EAAE;QACvC,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;YAC5C,MAAM,EAAE,YAAY,EAAE,UAAU,EAAE,GAAG,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;YACrF,MAAM,GAAG,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,aAAa,EAAE,EAAE,EAAE,sBAAsB,EAAE,CAAC;YAEpF,MAAM,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,YAAY,CAAC,CAAC;YAE5E,MAAM,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACpD,MAAM,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;YACrD,MAAM,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACpD,MAAM,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;YACzD,MAAM,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;YAEvD,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,EAAE,iBAAiB,EAAE,YAAY,CAAC,iBAAiB,CAAC,CAAC;YAClF,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3B,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2CAA2C,EAAE,GAAG,EAAE;YACnD,MAAM,EAAE,YAAY,EAAE,UAAU,EAAE,GAAG,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;YACrF,MAAM,GAAG,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;YAExD,MAAM,EAAE,iBAAiB,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,YAAY,CAAC,CAAC;YAElE,2BAA2B;YAC3B,MAAM,QAAQ,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;YAC7D,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,EAAE,iBAAiB,EAAE,YAAY,CAAC,iBAAiB,CAAC,CAAC;YAClF,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5B,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+BAA+B,EAAE,GAAG,EAAE;YACvC,MAAM,EAAE,YAAY,EAAE,UAAU,EAAE,GAAG,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;YACrF,MAAM,KAAK,GAAG,eAAe,CAAC,cAAc,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;YACnE,MAAM,GAAG,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC;YAE7B,MAAM,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,YAAY,CAAC,CAAC;YAE5E,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,EAAE,iBAAiB,EAAE,KAAK,CAAC,YAAY,CAAC,iBAAiB,CAAC,CAAC;YACxF,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5B,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,kCAAkC,EAAE,GAAG,EAAE;YAC1C,MAAM,EAAE,YAAY,EAAE,UAAU,EAAE,GAAG,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;YACrF,MAAM,GAAG,GAAG,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;YAE7B,MAAM,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,YAAY,CAAC,CAAC;YAE5E,MAAM,SAAS,GAAG,EAAE,GAAG,iBAAiB,EAAE,SAAS,EAAE,oBAAoB,EAAE,CAAC;YAC5E,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,EAAE,SAAS,EAAE,YAAY,CAAC,iBAAiB,CAAC,CAAC;YAC1E,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;QAC3B,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;YAC5C,MAAM,EAAE,YAAY,EAAE,UAAU,EAAE,GAAG,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;YACrF,MAAM,aAAa,GAAG,EAAE,GAAG,YAAY,EAAE,MAAM,EAAE,SAAkB,EAAE,CAAC;YAEtE,MAAM,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACrF,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;YAC5C,MAAM,EAAE,YAAY,EAAE,UAAU,EAAE,GAAG,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;YACrF,MAAM,aAAa,GAAG,EAAE,GAAG,YAAY,EAAE,MAAM,EAAE,SAAkB,EAAE,CAAC;YAEtE,MAAM,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,UAAU,EAAE,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACrF,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,WAAW,EAAE,GAAG,EAAE;QACzB,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;YACnE,MAAM,EAAE,YAAY,EAAE,QAAQ,EAAE,UAAU,EAAE,GAAG,eAAe,CAC5D,SAAS,EACT,MAAM,EACN,WAAW,CACZ,CAAC;YACF,MAAM,GAAG,GAAG,EAAE,UAAU,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;YAE7C,yBAAyB;YACzB,MAAM,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;YAExE,iBAAiB;YACjB,MAAM,EAAE,aAAa,EAAE,SAAS,EAAE,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;YAEzD,iCAAiC;YACjC,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAC7C,MAAM,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YAC7C,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAEhD,gDAAgD;YAChD,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACxC,MAAM,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAC5C,MAAM,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YAE7C,qEAAqE;YACrE,MAAM,KAAK,GAAG,MAAM,CAAC,QAAQ,EAAE,iBAAiB,EAAE,aAAa,CAAC,iBAAiB,CAAC,CAAC;YACnF,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3B,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;YACnE,MAAM,EAAE,YAAY,EAAE,GAAG,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;YAEzE,MAAM,EAAE,aAAa,EAAE,SAAS,EAAE,GAAG,SAAS,CAAC,YAAY,CAAC,CAAC;YAE7D,MAAM,CAAC,aAAa,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;YAC5D,MAAM,CAAC,aAAa,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAC1D,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;YACvD,MAAM,EAAE,YAAY,EAAE,GAAG,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;YAEzE,MAAM,EAAE,aAAa,EAAE,SAAS,EAAE,GAAG,SAAS,CAAC,YAAY,CAAC,CAAC;YAE7D,MAAM,CAAC,aAAa,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAChD,MAAM,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC9C,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,sCAAsC,EAAE,GAAG,EAAE;YAC9C,MAAM,EAAE,YAAY,EAAE,GAAG,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;YACzE,MAAM,EAAE,aAAa,EAAE,GAAG,SAAS,CAAC,YAAY,CAAC,CAAC;YAElD,MAAM,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAC5D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;QACrC,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;YAC/C,4DAA4D;YAC5D,MAAM,IAAI,GAAG,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,EAAE,GAAG,EAAE,CAC1C,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,CAAC,CAChD,CAAC;YACF,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,iBAAiB,CAAC,CAAC,CAAC;YAC9E,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC;YAE1D,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAChC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC5B,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,2DAA2D,EAAE,GAAG,EAAE;YACnE,MAAM,EAAE,YAAY,EAAE,UAAU,EAAE,GAAG,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;YACrF,MAAM,GAAG,GAAG,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;YAE3B,MAAM,EAAE,iBAAiB,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,UAAU,EAAE,YAAY,CAAC,CAAC;YAElE,MAAM,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACpD,MAAM,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC;YACrD,MAAM,CAAC,iBAAiB,CAAC,SAAS,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,iBAAiB,CAAC,GAAG,CAAC,CAAC;QACtE,CAAC,CAAC,CAAC;QAEH,EAAE,CAAC,uDAAuD,EAAE,GAAG,EAAE;YAC/D,MAAM,EAAE,YAAY,EAAE,UAAU,EAAE,GAAG,eAAe,CAAC,SAAS,EAAE,MAAM,EAAE,WAAW,CAAC,CAAC;YAErF,8DAA8D;YAC9D,MAAM,IAAI,GAAG,EAAE,KAAK,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC;YACnD,MAAM,IAAI,GAAG,EAAE,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;YAEnD,MAAM,EAAE,iBAAiB,EAAE,IAAI,EAAE,GAAG,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,YAAY,CAAC,CAAC;YAEzE,sEAAsE;YACtE,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,YAAY,CAAC,iBAAiB,CAAC,CAAC;YACjE,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC3B,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/types/artifact.d.ts

@@ -0,0 +1,143 @@
+/**
+ * Primust VPEC Artifact Schema — TypeScript types
+ *
+ * Provisional-frozen at schema_version 4.0.0
+ * Canonical source: schemas/json/artifact.schema.json
+ *
+ * INVARIANTS (enforced in validateArtifact):
+ * 1. proof_level MUST equal proof_distribution.weakest_link
+ * 2. reliance_mode field ANYWHERE → validation error
+ * 3. manifest_hashes MUST be object (map), not array
+ * 4. gaps[] entries MUST have gap_type + severity (not bare strings)
+ * 5. partial: true → policy_coverage_pct must be 0
+ * 6. instrumentation_surface_pct and policy_coverage_pct never collapsed
+ * 7. issuer.public_key_url must match primust.com/.well-known/ pattern
+ * 8. test_mode: true rejected by primust-verify in --production mode
+ */
+export type ProofLevel = 'mathematical' | 'verifiable_inference' | 'execution' | 'witnessed' | 'attestation';
+export type SurfaceType = 'in_process_adapter' | 'middleware_interceptor' | 'platform_event_feed' | 'audit_log_ingest' | 'manual_assertion';
+export type ObservationMode = 'pre_action' | 'in_flight' | 'post_action_realtime' | 'post_action_batch';
+export type ScopeType = 'full_workflow' | 'orchestration_boundary' | 'platform_logged_events' | 'component_scope' | 'partial_unknown';
+export type PolicyBasis = 'P1_self_declared' | 'P2_baseline_aligned' | 'P3_baseline_plus_deviations';
+export type ArtifactState = 'provisional' | 'signed' | 'final';
+export type CommitmentAlgorithm = 'poseidon2' | 'sha256';
+export type Prover = 'local' | 'modal_cpu' | 'modal_gpu';
+export type ProverSystem = 'ultrahonk' | 'ezkl' | 'groth16_bionetta';
+export type TsaProvider = 'digicert_us' | 'digicert_eu' | 'none';
+export type OrgRegion = 'us' | 'eu';
+export type GapSeverity = 'Critical' | 'High' | 'Medium' | 'Low' | 'Informational';
+export type GapType = 'check_not_executed' | 'enforcement_override' | 'engine_error' | 'check_degraded' | 'external_boundary_traversal' | 'lineage_token_missing' | 'admission_gate_override' | 'check_timing_suspect' | 'reviewer_credential_invalid' | 'witnessed_display_missing' | 'witnessed_rationale_missing' | 'deterministic_consistency_violation' | 'skip_rationale_missing' | 'policy_config_drift' | 'zkml_proof_pending_timeout' | 'zkml_proof_failed' | 'explanation_missing' | 'bias_audit_missing';
+export interface SurfaceEntry {
+    surface_id: string;
+    surface_type: SurfaceType;
+    observation_mode: ObservationMode;
+    proof_ceiling: ProofLevel;
+    scope_type: ScopeType;
+    scope_description: string;
+    surface_coverage_statement: string;
+}
+export interface ProofDistribution {
+    mathematical: number;
+    verifiable_inference: number;
+    execution: number;
+    witnessed: number;
+    attestation: number;
+    weakest_link: ProofLevel;
+    weakest_link_explanation: string;
+}
+export interface Coverage {
+    records_total: number;
+    records_pass: number;
+    records_fail: number;
+    records_degraded: number;
+    records_not_applicable: number;
+    /** DENOMINATOR 1: % of required checks (per PolicySnapshot) that ran. */
+    policy_coverage_pct: number;
+    /** DENOMINATOR 2: % of total workflow universe in instrumentation scope. null when partial_unknown. NEVER collapse with policy_coverage_pct. */
+    instrumentation_surface_pct: number | null;
+    /** Plain-English statement of what the surface denominator represents. */
+    instrumentation_surface_basis: string;
+}
+export interface GapEntry {
+    gap_id: string;
+    gap_type: GapType;
+    severity: GapSeverity;
+}
+export interface ZkProof {
+    circuit: string;
+    proof_bytes: string;
+    public_inputs: string[];
+    verified_at: string;
+    prover: Prover;
+    prover_system: ProverSystem;
+    nargo_version: string | null;
+}
+export interface ArtifactIssuer {
+    signer_id: string;
+    kid: string;
+    algorithm: 'Ed25519';
+    public_key_url: string;
+    org_region: OrgRegion;
+}
+export interface ArtifactSignature {
+    signer_id: string;
+    kid: string;
+    algorithm: 'Ed25519';
+    signature: string;
+    signed_at: string;
+}
+export interface TimestampAnchor {
+    type: 'rfc3161' | 'none';
+    tsa: TsaProvider;
+    value: string | null;
+}
+export interface TransparencyLog {
+    rekor_log_id: string | null;
+    rekor_entry_url: string | null;
+    published_at: string | null;
+}
+export interface PendingFlags {
+    signature_pending: boolean;
+    /** true when Noir/UltraHonk proof in-flight */
+    proof_pending: boolean;
+    /** true when EZKL/Bionetta proof in-flight (Tier 2) */
+    zkml_proof_pending: boolean;
+    submission_pending: boolean;
+    /** true until transparency_log.rekor_log_id populated */
+    rekor_pending: boolean;
+}
+export interface VPECArtifact {
+    vpec_id: string;
+    schema_version: '4.0.0';
+    org_id: string;
+    run_id: string;
+    workflow_id: string;
+    /** Customer-computed config epoch hash. null when not provided. */
+    process_context_hash: string | null;
+    policy_snapshot_hash: string;
+    policy_basis: PolicyBasis;
+    /** true when issued via p.close(partial=True). Coverage credit NOT awarded. */
+    partial: boolean;
+    surface_summary: SurfaceEntry[];
+    /** MUST equal proof_distribution.weakest_link. Computed — never set manually. */
+    proof_level: ProofLevel;
+    proof_distribution: ProofDistribution;
+    state: ArtifactState;
+    coverage: Coverage;
+    gaps: GapEntry[];
+    /** Map of manifest_id → sha256:hex. Object, not array. */
+    manifest_hashes: Record<string, string>;
+    /** Merkle root over all CheckExecutionRecord commitment_hashes. null when zero records. */
+    commitment_root: string | null;
+    commitment_algorithm: CommitmentAlgorithm;
+    zk_proof: ZkProof | null;
+    issuer: ArtifactIssuer;
+    signature: ArtifactSignature;
+    timestamp_anchor: TimestampAnchor;
+    transparency_log: TransparencyLog;
+    issued_at: string;
+    pending_flags: PendingFlags;
+    /** true when issued with pk_test_xxx key. Rejected by primust-verify in --production. */
+    test_mode: boolean;
+}
+//# sourceMappingURL=artifact.d.ts.map

package/dist/types/artifact.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"artifact.d.ts","sourceRoot":"","sources":["../../src/types/artifact.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAIH,MAAM,MAAM,UAAU,GAClB,cAAc,GACd,sBAAsB,GACtB,WAAW,GACX,WAAW,GACX,aAAa,CAAC;AAElB,MAAM,MAAM,WAAW,GACnB,oBAAoB,GACpB,wBAAwB,GACxB,qBAAqB,GACrB,kBAAkB,GAClB,kBAAkB,CAAC;AAEvB,MAAM,MAAM,eAAe,GACvB,YAAY,GACZ,WAAW,GACX,sBAAsB,GACtB,mBAAmB,CAAC;AAExB,MAAM,MAAM,SAAS,GACjB,eAAe,GACf,wBAAwB,GACxB,wBAAwB,GACxB,iBAAiB,GACjB,iBAAiB,CAAC;AAEtB,MAAM,MAAM,WAAW,GACnB,kBAAkB,GAClB,qBAAqB,GACrB,6BAA6B,CAAC;AAElC,MAAM,MAAM,aAAa,GAAG,aAAa,GAAG,QAAQ,GAAG,OAAO,CAAC;AAE/D,MAAM,MAAM,mBAAmB,GAAG,WAAW,GAAG,QAAQ,CAAC;AAEzD,MAAM,MAAM,MAAM,GAAG,OAAO,GAAG,WAAW,GAAG,WAAW,CAAC;AAEzD,MAAM,MAAM,YAAY,GAAG,WAAW,GAAG,MAAM,GAAG,kBAAkB,CAAC;AAErE,MAAM,MAAM,WAAW,GAAG,aAAa,GAAG,aAAa,GAAG,MAAM,CAAC;AAEjE,MAAM,MAAM,SAAS,GAAG,IAAI,GAAG,IAAI,CAAC;AAEpC,MAAM,MAAM,WAAW,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,eAAe,CAAC;AAEnF,MAAM,MAAM,OAAO,GACf,oBAAoB,GACpB,sBAAsB,GACtB,cAAc,GACd,gBAAgB,GAChB,6BAA6B,GAC7B,uBAAuB,GACvB,yBAAyB,GACzB,sBAAsB,GACtB,6BAA6B,GAC7B,2BAA2B,GAC3B,6BAA6B,GAC7B,qCAAqC,GACrC,wBAAwB,GACxB,qBAAqB,GACrB,4BAA4B,GAC5B,mBAAmB,GACnB,qBAAqB,GACrB,oBAAoB,CAAC;AAIzB,MAAM,WAAW,YAAY;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,WAAW,CAAC;IAC1B,gBAAgB,EAAE,eAAe,CAAC;IAClC,aAAa,EAAE,UAAU,CAAC;IAC1B,UAAU,EAAE,SAAS,CAAC;IACtB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,0BAA0B,EAAE,MAAM,CAAC;CACpC;AAED,MAAM,WAAW,iBAAiB;IAChC,YAAY,EAAE,MAAM,CAAC;IACrB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,UAAU,CAAC;IACzB,wBAAwB,EAAE,MAAM,CAAC;CAClC;AAED,MAAM,WAAW,QAAQ;IACvB,aAAa,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,CAAC;IACzB,sBAAsB,EAAE,MAAM,CAAC;IAC/B,yEAAyE;IACzE,mBAAmB,EAAE,MAAM,CAAC;IAC5B,gJAAgJ;IAChJ,2BAA2B,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3C,0EAA0E;IAC1E,6BAA6B,EAAE,MAAM,CAAC;CACvC;AAED,MAAM,WAAW,QAAQ;IACvB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,WAAW,CAAC;CACvB;AAED,MAAM,WAAW,OAAO;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,MAAM,CAAC;IACf,aAAa,EAAE,YAAY,CAAC;IAC5B,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;CAC9B;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,SAAS,CAAC;IACrB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,SAAS,CAAC;CACvB;AAED,MAAM,WAAW,iBAAiB;IAChC,SAAS,EAAE,MAAM,CAAC;IAClB,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,EAAE,SAAS,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,SAAS,GAAG,MAAM,CAAC;IACzB,GAAG,EAAE,WAAW,CAAC;IACjB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,MAAM,WAAW,eAAe;IAC9B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED,MAAM,WAAW,YAAY;IAC3B,iBAAiB,EAAE,OAAO,CAAC;IAC3B,+CAA+C;IAC/C,aAAa,EAAE,OAAO,CAAC;IACvB,uDAAuD;IACvD,kBAAkB,EAAE,OAAO,CAAC;IAC5B,kBAAkB,EAAE,OAAO,CAAC;IAC5B,yDAAyD;IACzD,aAAa,EAAE,OAAO,CAAC;CACxB;AAID,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,OAAO,CAAC;IAExB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,WAAW,EAAE,MAAM,CAAC;IAEpB,mEAAmE;IACnE,oBAAoB,EAAE,MAAM,GAAG,IAAI,CAAC;IAEpC,oBAAoB,EAAE,MAAM,CAAC;IAC7B,YAAY,EAAE,WAAW,CAAC;IAE1B,+EAA+E;IAC/E,OAAO,EAAE,OAAO,CAAC;IAEjB,eAAe,EAAE,YAAY,EAAE,CAAC;IAEhC,iFAAiF;IACjF,WAAW,EAAE,UAAU,CAAC;IACxB,kBAAkB,EAAE,iBAAiB,CAAC;IAEtC,KAAK,EAAE,aAAa,CAAC;IAErB,QAAQ,EAAE,QAAQ,CAAC;IACnB,IAAI,EAAE,QAAQ,EAAE,CAAC;IAEjB,0DAA0D;IAC1D,eAAe,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAExC,2FAA2F;IAC3F,eAAe,EAAE,MAAM,GAAG,IAAI,CAAC;IAC/B,oBAAoB,EAAE,mBAAmB,CAAC;IAE1C,QAAQ,EAAE,OAAO,GAAG,IAAI,CAAC;IAEzB,MAAM,EAAE,cAAc,CAAC;IACvB,SAAS,EAAE,iBAAiB,CAAC;IAC7B,gBAAgB,EAAE,eAAe,CAAC;IAClC,gBAAgB,EAAE,eAAe,CAAC;IAElC,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,YAAY,CAAC;IAE5B,yFAAyF;IACzF,SAAS,EAAE,OAAO,CAAC;CACpB"}

package/dist/types/artifact.js

@@ -0,0 +1,18 @@
+/**
+ * Primust VPEC Artifact Schema — TypeScript types
+ *
+ * Provisional-frozen at schema_version 4.0.0
+ * Canonical source: schemas/json/artifact.schema.json
+ *
+ * INVARIANTS (enforced in validateArtifact):
+ * 1. proof_level MUST equal proof_distribution.weakest_link
+ * 2. reliance_mode field ANYWHERE → validation error
+ * 3. manifest_hashes MUST be object (map), not array
+ * 4. gaps[] entries MUST have gap_type + severity (not bare strings)
+ * 5. partial: true → policy_coverage_pct must be 0
+ * 6. instrumentation_surface_pct and policy_coverage_pct never collapsed
+ * 7. issuer.public_key_url must match primust.com/.well-known/ pattern
+ * 8. test_mode: true rejected by primust-verify in --production mode
+ */
+export {};
+//# sourceMappingURL=artifact.js.map

package/dist/types/artifact.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"artifact.js","sourceRoot":"","sources":["../../src/types/artifact.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG"}