@primust/verifier 1.0.0 → 1.1.0

package/dist/key-cache.js

@@ -1,68 +0,0 @@
-/**
- * Public key cache for VPEC signature verification.
- *
- * Fetches public keys from trust anchor URLs and caches by key ID.
- * Supports pinned trust roots for offline/air-gapped verification.
- */
-import { readFileSync, existsSync } from 'node:fs';
-// In-memory cache: kid → base64url public key
-const cache = new Map();
-/**
- * Resolve a public key by key ID.
- *
- * @param kid - Key identifier from VPEC signature field
- * @param publicKeyUrl - URL to fetch the PEM/base64url key
- * @param trustRoot - Optional local PEM file path or content for offline mode
- */
-/**
- * Pre-seed the in-memory key cache. Used by evidence-pack assembler
- * to inject the signer's public key before verification runs.
- */
-export function seedKeyCache(kid, publicKey) {
-    cache.set(kid, publicKey);
-}
-export async function getKey(kid, publicKeyUrl, trustRoot) {
-    // Pinned trust root — zero network calls
-    if (trustRoot) {
-        // If it looks like a file path, read it
-        if (existsSync(trustRoot)) {
-            return readFileSync(trustRoot, 'utf-8').trim();
-        }
-        // Otherwise treat as inline key content
-        return trustRoot.trim();
-    }
-    // Check cache
-    const cached = cache.get(kid);
-    if (cached)
-        return cached;
-    // Fetch from URL with retries
-    if (!publicKeyUrl) {
-        throw new Error(`No public_key_url for kid=${kid}`);
-    }
-    let lastError = null;
-    for (let attempt = 0; attempt < 3; attempt++) {
-        try {
-            const resp = await fetch(publicKeyUrl, {
-                headers: { Accept: 'application/x-pem-file' },
-                signal: AbortSignal.timeout(10_000),
-            });
-            if (!resp.ok) {
-                throw new Error(`HTTP ${resp.status}`);
-            }
-            const pem = (await resp.text()).trim();
-            if (!pem) {
-                throw new Error('Empty response');
-            }
-            cache.set(kid, pem);
-            return pem;
-        }
-        catch (e) {
-            lastError = e instanceof Error ? e : new Error(String(e));
-            if (attempt < 2) {
-                await new Promise(r => setTimeout(r, 500 * (attempt + 1)));
-            }
-        }
-    }
-    throw new Error(`Failed to fetch key from ${publicKeyUrl} after 3 attempts: ${lastError?.message}`);
-}
-//# sourceMappingURL=key-cache.js.map

package/dist/key-cache.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"key-cache.js","sourceRoot":"","sources":["../src/key-cache.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AAEnD,8CAA8C;AAC9C,MAAM,KAAK,GAAG,IAAI,GAAG,EAAkB,CAAC;AAExC;;;;;;GAMG;AACH;;;GAGG;AACH,MAAM,UAAU,YAAY,CAAC,GAAW,EAAE,SAAiB;IACzD,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;AAC5B,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,MAAM,CAC1B,GAAW,EACX,YAAoB,EACpB,SAAkB;IAElB,yCAAyC;IACzC,IAAI,SAAS,EAAE,CAAC;QACd,wCAAwC;QACxC,IAAI,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;YAC1B,OAAO,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,IAAI,EAAE,CAAC;QACjD,CAAC;QACD,wCAAwC;QACxC,OAAO,SAAS,CAAC,IAAI,EAAE,CAAC;IAC1B,CAAC;IAED,cAAc;IACd,MAAM,MAAM,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,MAAM;QAAE,OAAO,MAAM,CAAC;IAE1B,8BAA8B;IAC9B,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,6BAA6B,GAAG,EAAE,CAAC,CAAC;IACtD,CAAC;IAED,IAAI,SAAS,GAAiB,IAAI,CAAC;IACnC,KAAK,IAAI,OAAO,GAAG,CAAC,EAAE,OAAO,GAAG,CAAC,EAAE,OAAO,EAAE,EAAE,CAAC;QAC7C,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,YAAY,EAAE;gBACrC,OAAO,EAAE,EAAE,MAAM,EAAE,wBAAwB,EAAE;gBAC7C,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;aACpC,CAAC,CAAC;YAEH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CAAC,QAAQ,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;YACzC,CAAC;YAED,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;YACvC,IAAI,CAAC,GAAG,EAAE,CAAC;gBACT,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;YACpC,CAAC;YAED,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;YACpB,OAAO,GAAG,CAAC;QACb,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,SAAS,GAAG,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;YAC1D,IAAI,OAAO,GAAG,CAAC,EAAE,CAAC;gBAChB,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,UAAU,CAAC,CAAC,EAAE,GAAG,GAAG,CAAC,OAAO,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YAC7D,CAAC;QACH,CAAC;IACH,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,4BAA4B,YAAY,sBAAsB,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;AACtG,CAAC"}

package/dist/scoped.d.ts

@@ -1,35 +0,0 @@
-/**
- * Reference TypeScript verifier for the `scoped_certificates` VPEC section.
- *
- * Ported from verifier-py/src/primust_verify/scoped.py. Validates the
- * top-level `scoped_certificates` array + matching
- * `scoped_certificates_commitment` emitted by the SDK's
- * `primust.scoped.bundle` module (SCOPED_CERT_SPEC_v27 §14).
- *
- * Trust-chain scope:
- *   1. Every entry carries a known `certificate_type` discriminator.
- *   2. Every entry has the required structural fields for its type.
- *   3. The array is in canonical order: lexicographic by
- *      (certificate_type, canonical_sha256(payload)).
- *   4. The declared commitment byte-matches the recomputed Merkle root
- *      over the ordered canonical-JSON leaves. Empty bundle uses the
- *      well-known `sha256(canonical({scoped_certificates: []}))`.
- *
- * SI-3 (VPEC verifiability): this module's output MUST agree with the
- * Python reference (`primust_verify.scoped`) byte-for-byte across the
- * shared fixture corpus at
- * packages/verifier-py/tests/fixtures/scoped_v1/. The conformance runner
- * in scripts/scoped_conformance.py gates that in CI.
- */
-import { buildMerkleRoot, canonicalJson, canonicalJsonString } from "./bounded-trace";
-export declare const SCOPED_REASONS: readonly ["ok", "missing_section", "malformed_section", "missing_commitment", "malformed_commitment", "missing_discriminator", "unknown_certificate_type", "schema_validation_failed", "ordering_violation", "commitment_mismatch"];
-export type ScopedReason = (typeof SCOPED_REASONS)[number];
-export interface ScopedCertificatesResult {
-    valid: boolean;
-    reason: ScopedReason;
-    entry_count: number;
-    details: Record<string, unknown>;
-}
-export declare function verifyScopedCertificates(vpecLike: Record<string, unknown>): ScopedCertificatesResult;
-export { canonicalJson, canonicalJsonString, buildMerkleRoot };
-//# sourceMappingURL=scoped.d.ts.map

package/dist/scoped.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"scoped.d.ts","sourceRoot":"","sources":["../src/scoped.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAIH,OAAO,EACL,eAAe,EACf,aAAa,EACb,mBAAmB,EACpB,MAAM,iBAAiB,CAAC;AAmazB,eAAO,MAAM,cAAc,qOAWjB,CAAC;AAEX,MAAM,MAAM,YAAY,GAAG,CAAC,OAAO,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC;AAE3D,MAAM,WAAW,wBAAwB;IACvC,KAAK,EAAE,OAAO,CAAC;IACf,MAAM,EAAE,YAAY,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AA+DD,wBAAgB,wBAAwB,CACtC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAChC,wBAAwB,CA8F1B;AAGD,OAAO,EAAE,aAAa,EAAE,mBAAmB,EAAE,eAAe,EAAE,CAAC"}

package/dist/scoped.js

@@ -1,582 +0,0 @@
-/**
- * Reference TypeScript verifier for the `scoped_certificates` VPEC section.
- *
- * Ported from verifier-py/src/primust_verify/scoped.py. Validates the
- * top-level `scoped_certificates` array + matching
- * `scoped_certificates_commitment` emitted by the SDK's
- * `primust.scoped.bundle` module (SCOPED_CERT_SPEC_v27 §14).
- *
- * Trust-chain scope:
- *   1. Every entry carries a known `certificate_type` discriminator.
- *   2. Every entry has the required structural fields for its type.
- *   3. The array is in canonical order: lexicographic by
- *      (certificate_type, canonical_sha256(payload)).
- *   4. The declared commitment byte-matches the recomputed Merkle root
- *      over the ordered canonical-JSON leaves. Empty bundle uses the
- *      well-known `sha256(canonical({scoped_certificates: []}))`.
- *
- * SI-3 (VPEC verifiability): this module's output MUST agree with the
- * Python reference (`primust_verify.scoped`) byte-for-byte across the
- * shared fixture corpus at
- * packages/verifier-py/tests/fixtures/scoped_v1/. The conformance runner
- * in scripts/scoped_conformance.py gates that in CI.
- */
-import { createHash } from "node:crypto";
-import { buildMerkleRoot, canonicalJson, canonicalJsonString, } from "./bounded-trace";
-// ── Per-certificate-type strict schema (mirrors verifier-py/scoped.py) ──
-//
-// Mirrors primust.scoped.schemas.py structurally. Zero SDK dep: schema
-// values are duplicated into this file so the verifier package stays
-// self-contained. When the SDK schemas change, update this table AND
-// primust_verify/scoped.py in lockstep — the scoped_conformance.py CI
-// gate catches drift via shared fixtures.
-// ── Helpers ──
-function canonicalSha256(obj) {
-    const h = createHash("sha256");
-    h.update(canonicalJson(obj));
-    return "sha256:" + h.digest("hex");
-}
-const HASH_RE = /^sha256:[0-9a-f]{64}$/;
-function isCommitment(s) {
-    return typeof s === "string" && HASH_RE.test(s);
-}
-const SURFACE_SCHEMA = {
-    required: {
-        kind: { enum: ["field", "field_group", "document", "process", "workflow_step"] },
-        id: { type: "string" },
-    },
-    optional: {
-        path: { type: "string", nullable: true },
-    },
-};
-const SUPPORT_REF_SCHEMA = {
-    required: {
-        doc_id: { type: "string" },
-        span_commitment: { type: "string", pattern: "commitment" },
-    },
-    optional: {},
-};
-const SHADOW_RESULT_SCHEMA = {
-    required: {
-        shadow_id: { type: "string" },
-        result: { enum: ["certified", "not_certified", "abstain"] },
-    },
-    optional: {
-        shadow_type: {
-            enum: ["quantized", "distilled", "architecture_diverse", "base"],
-            nullable: true,
-        },
-        score: { type: "number", nullable: true },
-    },
-};
-const RETRIEVAL_REF_SCHEMA = {
-    required: {
-        chunk_id: { type: "string" },
-        span_commitment: { type: "string", pattern: "commitment" },
-    },
-    optional: {},
-};
-const NAMED_SCHEMAS = {
-    _surface: SURFACE_SCHEMA,
-    _support_ref: SUPPORT_REF_SCHEMA,
-    _shadow_result: SHADOW_RESULT_SCHEMA,
-    _retrieval_ref: RETRIEVAL_REF_SCHEMA,
-};
-const CERTIFICATE_LEVELS = [
-    "scoped_weak",
-    "scoped_moderate",
-    "scoped_strong",
-    "scoped_asymptotic",
-    "bounded_agreement",
-];
-const ARTIFACT_SCHEMAS = {
-    local_manifold: {
-        required: {
-            certificate_type: { literal: "local_manifold" },
-            certificate_level: { enum: CERTIFICATE_LEVELS },
-            calibration_epoch: { type: "string" },
-            localizer_id: { type: "string" },
-            manifold_id: { type: "string" },
-            neighborhood_commitment: { type: "string", pattern: "commitment" },
-            local_threshold: { type: "number", min: 0.0, max: 1.0 },
-            surface: { schema: "_surface" },
-            result: { enum: ["certified", "not_certified", "abstain"] },
-        },
-        optional: {
-            fallback_to_global: { type: "boolean" },
-            signature: { type: "string", nullable: true },
-        },
-    },
-    hierarchical_output: {
-        required: {
-            certificate_type: { literal: "hierarchical_output" },
-            hierarchy_id: { type: "string" },
-            certified_paths: {
-                type: "array",
-                items: {
-                    type: "array",
-                    items: { type: "array", items: { type: "string" } },
-                },
-            },
-            uncertified_paths: {
-                type: "array",
-                items: {
-                    type: "array",
-                    items: { type: "array", items: { type: "string" } },
-                },
-            },
-        },
-        optional: {
-            uncertified_remainder: { type: "object", nullable: true },
-            signature: { type: "string", nullable: true },
-        },
-    },
-    model_continuity: {
-        required: {
-            certificate_type: { literal: "model_continuity" },
-            service_id: { type: "string" },
-            continuity_epoch: { type: "string" },
-            envelope_id: { type: "string" },
-            continuity_state: {
-                enum: [
-                    "within_envelope",
-                    "outside_envelope",
-                    "epoch_change",
-                    "insufficient_probes",
-                ],
-            },
-            probe_suite_id: { type: "string" },
-            probe_suite_commitment: { type: "string", pattern: "commitment" },
-            probe_response_commitment: { type: "string", pattern: "commitment" },
-        },
-        optional: {
-            signature: { type: "string", nullable: true },
-        },
-    },
-    retrieval_grounding: {
-        required: {
-            certificate_type: { literal: "retrieval_grounding" },
-            surface: { schema: "_surface" },
-            support_set: { type: "array", items: { schema: "_support_ref" } },
-            grounded: { type: "boolean" },
-        },
-        optional: {
-            per_stage_fn_bounds: {
-                type: "array",
-                items: { type: "number", min: 0.0, max: 1.0 },
-                nullable: true,
-            },
-            aggregation_model: { type: "string", nullable: true },
-            signature: { type: "string", nullable: true },
-        },
-    },
-    workflow_composition: {
-        required: {
-            certificate_type: { literal: "workflow_composition" },
-            workflow_id: { type: "string" },
-            step_vpec_ids: { type: "array", items: { type: "string" } },
-            hard_relevant_steps: { type: "array", items: { type: "string" } },
-            composition_rule: { literal: "weakest_link_hard" },
-            composed_result: { enum: CERTIFICATE_LEVELS },
-        },
-        optional: {
-            informational_summary: { type: "object", nullable: true },
-            signature: { type: "string", nullable: true },
-        },
-    },
-    proof_of_absence: {
-        required: {
-            certificate_type: { literal: "proof_of_absence" },
-            surface: { schema: "_surface" },
-            absence_class: {
-                enum: [
-                    "no_phi",
-                    "no_restricted_identifier",
-                    "no_prohibited_financial_claim",
-                ],
-            },
-            result: { type: "boolean" },
-        },
-        optional: {
-            detector_family: { type: "string", nullable: true },
-            per_stage_fn_bounds: {
-                type: "array",
-                items: { type: "number", min: 0.0, max: 1.0 },
-                nullable: true,
-            },
-            signature: { type: "string", nullable: true },
-        },
-    },
-    calibration_epoch: {
-        required: {
-            certificate_type: { literal: "calibration_epoch" },
-            calibration_epoch: { type: "string" },
-            drift_state: { enum: ["stable", "drifting", "break"] },
-            source_mix: { type: "object" },
-        },
-        optional: {
-            parent_epoch: { type: "string", nullable: true },
-            signature: { type: "string", nullable: true },
-        },
-    },
-    shadow_committee: {
-        required: {
-            certificate_type: { literal: "shadow_committee" },
-            committee_rule: { type: "string" },
-            shadow_results: { type: "array", items: { schema: "_shadow_result" } },
-            committee_result: { enum: ["certified", "not_certified", "abstain"] },
-        },
-        optional: {
-            disagreement: { type: "boolean" },
-        },
-    },
-    decision_context: {
-        required: {
-            certificate_type: { literal: "decision_context" },
-            primitive_type: { literal: "DCE" },
-            scope: { type: "string" },
-            capture_mode: {
-                enum: [
-                    "reasoning_block",
-                    "planner_output",
-                    "prompt_and_output_binding",
-                    "declared_context_only",
-                ],
-            },
-            rationale_commitment: { type: "string", pattern: "commitment" },
-            context_commitment: { type: "string", pattern: "commitment" },
-            source_binding: { type: "string" },
-            proof_level_achieved: { enum: ["execution", "witnessed", "attestation"] },
-            scope_disclosure: { type: "string" },
-        },
-        optional: {
-            retrieval_references: { type: "array", items: { schema: "_retrieval_ref" } },
-            tool_output_commitments: {
-                type: "array",
-                items: { type: "string", pattern: "commitment" },
-            },
-            intent_declaration_ids: { type: "array", items: { type: "string" } },
-            constraints: { type: "array", items: { type: "string" } },
-        },
-    },
-    temporal_comparison: {
-        required: {
-            certificate_type: { literal: "temporal_comparison" },
-            pack_a_id: { type: "string" },
-            pack_b_id: { type: "string" },
-            pack_a_commitment: { type: "string", pattern: "commitment" },
-            pack_b_commitment: { type: "string", pattern: "commitment" },
-            pack_a_period_start: { type: "string" },
-            pack_a_period_end: { type: "string" },
-            pack_b_period_start: { type: "string" },
-            pack_b_period_end: { type: "string" },
-            checks_added: { type: "array", items: { type: "string" } },
-            checks_removed: { type: "array", items: { type: "string" } },
-            checks_retained_count: { type: "integer" },
-            coverage_changes_count: { type: "integer" },
-            performance_changes_count: { type: "integer" },
-            redaction_consistent: { type: "boolean" },
-            diff_commitment: { type: "string", pattern: "commitment" },
-        },
-        optional: {
-            redaction_profile_a: { type: "string", nullable: true },
-            redaction_profile_b: { type: "string", nullable: true },
-            signature: { type: "string", nullable: true },
-        },
-    },
-};
-function isPlainObject(v) {
-    return typeof v === "object" && v !== null && !Array.isArray(v);
-}
-function checkValue(value, spec) {
-    if (spec.nullable && value === null)
-        return null;
-    if ("literal" in spec && spec.literal !== undefined) {
-        if (value !== spec.literal)
-            return `expected literal ${JSON.stringify(spec.literal)}, got ${JSON.stringify(value)}`;
-        return null;
-    }
-    if (spec.enum) {
-        if (!spec.enum.includes(value)) {
-            return `value ${JSON.stringify(value)} not in enum ${JSON.stringify(spec.enum)}`;
-        }
-        return null;
-    }
-    if (spec.schema) {
-        const sub = NAMED_SCHEMAS[spec.schema];
-        return checkObject(value, sub);
-    }
-    switch (spec.type) {
-        case "string":
-            if (typeof value !== "string")
-                return `expected string, got ${typeof value}`;
-            if (spec.pattern === "commitment" && !isCommitment(value)) {
-                return "expected sha256:[64-hex] commitment";
-            }
-            return null;
-        case "number":
-            if (typeof value !== "number" || Number.isNaN(value))
-                return `expected number, got ${typeof value}`;
-            if (spec.min !== undefined && value < spec.min)
-                return `value ${value} below minimum ${spec.min}`;
-            if (spec.max !== undefined && value > spec.max)
-                return `value ${value} above maximum ${spec.max}`;
-            return null;
-        case "integer":
-            if (typeof value !== "number" || !Number.isInteger(value))
-                return `expected integer, got ${typeof value}`;
-            return null;
-        case "boolean":
-            if (typeof value !== "boolean")
-                return `expected boolean, got ${typeof value}`;
-            return null;
-        case "object":
-            if (!isPlainObject(value))
-                return `expected object, got ${Array.isArray(value) ? "array" : typeof value}`;
-            return null;
-        case "array":
-            if (!Array.isArray(value))
-                return `expected array, got ${typeof value}`;
-            if (spec.items) {
-                for (let i = 0; i < value.length; i++) {
-                    const err = checkValue(value[i], spec.items);
-                    if (err)
-                        return `[${i}]: ${err}`;
-                }
-            }
-            return null;
-    }
-    return `unknown field spec`;
-}
-function checkObject(value, schema) {
-    if (!isPlainObject(value)) {
-        return `expected object, got ${Array.isArray(value) ? "array" : typeof value}`;
-    }
-    const known = new Set([...Object.keys(schema.required), ...Object.keys(schema.optional)]);
-    const extras = Object.keys(value).filter((k) => !known.has(k));
-    if (extras.length > 0) {
-        extras.sort();
-        return `unexpected extra fields: ${JSON.stringify(extras)}`;
-    }
-    for (const [name, spec] of Object.entries(schema.required)) {
-        if (!(name in value))
-            return `missing required field '${name}'`;
-        const err = checkValue(value[name], spec);
-        if (err)
-            return `${name}: ${err}`;
-    }
-    for (const [name, spec] of Object.entries(schema.optional)) {
-        if (name in value) {
-            const err = checkValue(value[name], spec);
-            if (err)
-                return `${name}: ${err}`;
-        }
-    }
-    return null;
-}
-function checkWorkflowCompositionSubset(entry) {
-    // WorkflowCompositionArtifact.hard_relevant_steps must be a subset of
-    // step_vpec_ids (mirrors the SDK's model_validator + Python verifier's
-    // _check_workflow_composition_subset). Without this an artifact can
-    // declare a "hard relevant" step that isn't in the step list —
-    // structurally impossible since weakest-link-hard cannot evaluate it.
-    const stepIds = entry.step_vpec_ids;
-    const hard = entry.hard_relevant_steps;
-    if (!Array.isArray(stepIds) || !Array.isArray(hard))
-        return null;
-    const stepSet = new Set(stepIds);
-    const extras = hard.filter((s) => !stepSet.has(s));
-    if (extras.length > 0) {
-        return `hard_relevant_steps must be a subset of step_vpec_ids; unknown step ids: ${JSON.stringify(extras)}`;
-    }
-    return null;
-}
-function checkSourceMix(value) {
-    // CalibrationEpoch.source_mix must be dict[str, float] summing to
-    // 1.0 ± 1e-6 with every value FINITE and NON-NEGATIVE (mirrors SDK
-    // Pydantic validator + the post-Phase-1-#3 review hardening). Without
-    // the finite/non-negative checks {"a": 1.2, "b": -0.2} would sum to
-    // 1.0 but represent an invalid distribution.
-    if (!isPlainObject(value))
-        return "source_mix is not an object";
-    let total = 0;
-    for (const [k, v] of Object.entries(value)) {
-        if (typeof k !== "string")
-            return "source_mix has non-string key";
-        if (typeof v !== "number" || Number.isNaN(v)) {
-            return `source_mix[${JSON.stringify(k)}] is not a number`;
-        }
-        if (!Number.isFinite(v)) {
-            return `source_mix[${JSON.stringify(k)}] is not finite`;
-        }
-        if (v < 0) {
-            return `source_mix[${JSON.stringify(k)}] is negative`;
-        }
-        total += v;
-    }
-    if (Math.abs(total - 1.0) > 1e-6)
-        return `source_mix sums to ${total}, expected 1.0`;
-    return null;
-}
-// ── Result type + reason codes ──
-export const SCOPED_REASONS = [
-    "ok",
-    "missing_section",
-    "malformed_section",
-    "missing_commitment",
-    "malformed_commitment",
-    "missing_discriminator",
-    "unknown_certificate_type",
-    "schema_validation_failed",
-    "ordering_violation",
-    "commitment_mismatch",
-];
-// ── Verification ──
-function emptyBundleCommitment() {
-    return canonicalSha256({ scoped_certificates: [] });
-}
-function validateEntry(entry) {
-    if (!isPlainObject(entry)) {
-        return {
-            ok: false,
-            reason: "schema_validation_failed",
-            details: { detail: "entry is not an object" },
-        };
-    }
-    const ct = entry.certificate_type;
-    if (typeof ct !== "string" || ct.length === 0) {
-        return { ok: false, reason: "missing_discriminator", details: {} };
-    }
-    const schema = ARTIFACT_SCHEMAS[ct];
-    if (!schema) {
-        return {
-            ok: false,
-            reason: "unknown_certificate_type",
-            details: { certificate_type: ct },
-        };
-    }
-    const err = checkObject(entry, schema);
-    if (err) {
-        return {
-            ok: false,
-            reason: "schema_validation_failed",
-            details: { certificate_type: ct, detail: err },
-        };
-    }
-    if (ct === "calibration_epoch") {
-        const smErr = checkSourceMix(entry.source_mix);
-        if (smErr) {
-            return {
-                ok: false,
-                reason: "schema_validation_failed",
-                details: { certificate_type: ct, detail: smErr },
-            };
-        }
-    }
-    if (ct === "workflow_composition") {
-        const subErr = checkWorkflowCompositionSubset(entry);
-        if (subErr) {
-            return {
-                ok: false,
-                reason: "schema_validation_failed",
-                details: { certificate_type: ct, detail: subErr },
-            };
-        }
-    }
-    return { ok: true, certificateType: ct };
-}
-export function verifyScopedCertificates(vpecLike) {
-    if (!("scoped_certificates" in vpecLike)) {
-        return { valid: false, reason: "missing_section", entry_count: 0, details: {} };
-    }
-    const entries = vpecLike.scoped_certificates;
-    if (!Array.isArray(entries)) {
-        // Present-but-not-an-array is a malformed section, NOT informational.
-        // Returning missing_section here would let a credential with
-        // `scoped_certificates: "not-an-array"` slip past verification.
-        return {
-            valid: false,
-            reason: "malformed_section",
-            entry_count: 0,
-            details: {
-                detail: "scoped_certificates is not an array",
-                got_type: typeof entries,
-            },
-        };
-    }
-    if (!("scoped_certificates_commitment" in vpecLike)) {
-        return {
-            valid: false,
-            reason: "missing_commitment",
-            entry_count: entries.length,
-            details: {},
-        };
-    }
-    const declared = vpecLike.scoped_certificates_commitment;
-    if (!isCommitment(declared)) {
-        return {
-            valid: false,
-            reason: "malformed_commitment",
-            entry_count: entries.length,
-            details: { declared },
-        };
-    }
-    // Per-entry structural validation + discriminator check.
-    const orderKeys = [];
-    for (let i = 0; i < entries.length; i++) {
-        const res = validateEntry(entries[i]);
-        if (!res.ok) {
-            return {
-                valid: false,
-                reason: res.reason,
-                entry_count: entries.length,
-                details: { index: i, ...res.details },
-            };
-        }
-        const payloadHash = canonicalSha256(entries[i]);
-        orderKeys.push([res.certificateType, payloadHash]);
-    }
-    // Canonical ordering check.
-    const sortedKeys = [...orderKeys].sort((a, b) => {
-        if (a[0] !== b[0])
-            return a[0] < b[0] ? -1 : 1;
-        if (a[1] !== b[1])
-            return a[1] < b[1] ? -1 : 1;
-        return 0;
-    });
-    for (let i = 0; i < orderKeys.length; i++) {
-        if (orderKeys[i][0] !== sortedKeys[i][0] || orderKeys[i][1] !== sortedKeys[i][1]) {
-            return {
-                valid: false,
-                reason: "ordering_violation",
-                entry_count: entries.length,
-                details: {
-                    index: i,
-                    got: orderKeys[i],
-                    expected: sortedKeys[i],
-                },
-            };
-        }
-    }
-    // Commitment recomputation.
-    let recomputed;
-    if (entries.length === 0) {
-        recomputed = emptyBundleCommitment();
-    }
-    else {
-        const leaves = entries.map((e) => canonicalJson(e));
-        recomputed = buildMerkleRoot(leaves);
-    }
-    if (recomputed !== declared) {
-        return {
-            valid: false,
-            reason: "commitment_mismatch",
-            entry_count: entries.length,
-            details: { declared, recomputed },
-        };
-    }
-    return { valid: true, reason: "ok", entry_count: entries.length, details: {} };
-}
-// Re-export canonical helpers for consumers that want to compose them.
-export { canonicalJson, canonicalJsonString, buildMerkleRoot };
-//# sourceMappingURL=scoped.js.map