@primust/verifier 1.0.1 → 1.2.0

package/dist/{chunk-LTWQK3HT.js → chunk-BWJUVMT7.js}

@@ -2,6 +2,7 @@
 import { createHash, createPublicKey, verify as cryptoVerify } from "crypto";
 var ENVELOPE_VERSION = "v0.1";
 var ALLOWED_KINDS = /* @__PURE__ */ new Set([
+  // v1.0 kinds (DECOMPOSITION_PROOF_SPEC v1.0 — locked Apr 26):
   "governance_check",
   "outbound_action",
   "token_authority_snapshot",
@@ -10,8 +11,14 @@ var ALLOWED_KINDS = /* @__PURE__ */ new Set([
   "scope_claim_lifecycle",
   "scope_claim_emitted",
   "turn_context",
-  "tool_execution"
+  "tool_execution",
+  // v1.1 additions (Controls Harness Execution Mode, mig 156).
+  // See docs/v29/foundation/CONTROLS_HARNESS_EXECUTION_SPEC_v0_1.md §2.4.
+  "enforcement_action",
+  "redaction",
+  "notification"
 ]);
+var ALLOWED_PROVENANCE = /* @__PURE__ */ new Set(["host_captured", "customer_supplied"]);
 var ALLOWED_TRUST_EDGES = /* @__PURE__ */ new Set(["A2T", "A2M", "A2H", "A2A", "A2S", "A2D"]);
 var PROOF_TIER_HIERARCHY = [
   "attestation",
@@ -412,6 +419,7 @@ function verifyV29(opts) {
 export {
   ENVELOPE_VERSION,
   ALLOWED_KINDS,
+  ALLOWED_PROVENANCE,
   ALLOWED_TRUST_EDGES,
   PROOF_TIER_HIERARCHY,
   v29Pass,

package/dist/{chunk-ZADQUKKN.js → chunk-UB2YSMJ6.js}

@@ -1220,7 +1220,11 @@ function verify2(document, signatureEnvelope, publicKeyB64Url) {
   } catch {
     return false;
   }
-  for (const canonFn of [canonical, canonicalLegacy]) {
+  const LEGACY_CUTOFF = "2026-04-19";
+  const signedAt = signatureEnvelope.signed_at ?? "";
+  const legacyAllowed = signedAt !== "" && signedAt.slice(0, 10) < LEGACY_CUTOFF;
+  const candidates = legacyAllowed ? [canonical, canonicalLegacy] : [canonical];
+  for (const canonFn of candidates) {
     try {
       const canonicalStr = canonFn(document);
       const hashBytes = sha2562(new TextEncoder().encode(canonicalStr));
@@ -2308,14 +2312,32 @@ async function verify3(artifact, options = {}, upstreamRootResolver) {
   }
   const tsAnchor = artifact.timestamp_anchor;
   if (tsAnchor && tsAnchor.type === "rfc3161" && typeof tsAnchor.value === "string") {
-    result.timestamp_anchor_valid = verifyTimestampImprint(
+    const imprintOk = verifyTimestampImprint(
       tsAnchor.value,
       timestampBody(artifact)
     );
-    if (result.timestamp_anchor_valid === false) {
+    if (imprintOk === false) {
+      result.timestamp_anchor_valid = false;
       result.warnings.push("rfc3161_imprint_mismatch");
-    } else if (result.timestamp_anchor_valid === true) {
-      result.warnings.push("rfc3161_tsa_cert_chain_not_verified");
+    } else if (imprintOk === true) {
+      let chain = null;
+      try {
+        const { verifyTsaChain } = await import("./tsa-chain-7KSQ5LAH.js");
+        chain = verifyTsaChain(tsAnchor.value);
+      } catch {
+        chain = null;
+      }
+      if (chain === null) {
+        result.timestamp_anchor_valid = true;
+        result.warnings.push("rfc3161_tsa_chain_verifier_unavailable");
+      } else if (chain.ok) {
+        result.timestamp_anchor_valid = true;
+      } else {
+        result.timestamp_anchor_valid = false;
+        result.warnings.push(`rfc3161_tsa_chain_invalid:${chain.reason}`);
+      }
+    } else {
+      result.timestamp_anchor_valid = null;
     }
   } else {
     result.timestamp_anchor_valid = null;
@@ -2423,14 +2445,22 @@ async function verify3(artifact, options = {}, upstreamRootResolver) {
     const failedArtifacts = proofArtifacts.filter(
       (artifactEntry) => artifactEntry.verification_status === "failed"
     ).length;
+    const unresolvedArtifacts = proofArtifacts.filter(
+      (artifactEntry) => artifactEntry.verification_status === "unresolved_at_seal"
+    ).length;
     const verifiedArtifacts = proofArtifacts.filter(
       (artifactEntry) => artifactEntry.verification_status === "verified"
     ).length;
+    if (failedArtifacts > 0) {
+      result.errors.push(`proof_artifacts_failed:${failedArtifacts}`);
+    }
     if (pendingArtifacts > 0) {
-      result.warnings.push(`proof_artifacts_pending:${pendingArtifacts}`);
+      result.errors.push(`proof_artifacts_pending:${pendingArtifacts}`);
     }
-    if (failedArtifacts > 0) {
-      result.warnings.push(`proof_artifacts_failed:${failedArtifacts}`);
+    if (unresolvedArtifacts > 0) {
+      result.errors.push(
+        `proof_artifacts_unresolved_at_seal:${unresolvedArtifacts}; proof unresolved at seal; counterparty must consult live API to determine status`
+      );
     }
     if (!artifact.zk_proof) {
       result.warnings.push(`proof_artifacts_present:${verifiedArtifacts}`);
@@ -2459,7 +2489,7 @@ async function verify3(artifact, options = {}, upstreamRootResolver) {
   }
   if (artifact.envelope_version != null && (artifact.run_header || artifact.records)) {
     try {
-      const { verifyV29 } = await import("./v29-envelope-GFVVA2S6.js");
+      const { verifyV29 } = await import("./v29-envelope-JVSI5N3L.js");
       const shapeEnvelope = {
         envelope_version: artifact.envelope_version,
         run_header: artifact.run_header ?? {},
@@ -2485,9 +2515,38 @@ async function verify3(artifact, options = {}, upstreamRootResolver) {
       result.warnings.push(`v29_conformance_error:${e.message}`);
     }
   }
+  if (options.revocation_check_url && result.vpec_id) {
+    await checkRevocationOnline(
+      result,
+      options.revocation_check_url.replace(/\/+$/, ""),
+      options.revocation_check_timeout_ms ?? 5e3
+    );
+  }
   result.valid = result.errors.length === 0;
   return result;
 }
+async function checkRevocationOnline(result, baseUrl, timeoutMs) {
+  const url = `${baseUrl}/api/v1/vpecs/${result.vpec_id}/revocation`;
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const resp = await fetch(url, { signal: controller.signal });
+    if (!resp.ok) {
+      result.warnings.push(`revocation_check_http_${resp.status}`);
+      return;
+    }
+    const body = await resp.json();
+    if (body.revoked === true) {
+      const reason = body.revocation_reason ?? "unspecified";
+      result.errors.push(`credential_revoked: ${reason}`);
+    }
+  } catch (e) {
+    const msg = e.message ?? String(e);
+    result.warnings.push(`revocation_check_unavailable: ${msg}`);
+  } finally {
+    clearTimeout(timer);
+  }
+}
 function computeMerkleRoot(hashes) {
   let leaves = hashes.map((h2) => {
     const hex = h2.startsWith("sha256:") ? h2.slice(7) : h2;
@@ -2829,23 +2888,54 @@ function findBuffer(haystack, needle) {
   return -1;
 }
 var REKOR_API = "https://rekor.sigstore.dev/api/v1";
+var DEFAULT_REVOKED_KEYS_URLS = [
+  "https://keys.primust.com/.well-known/primust-pubkeys/revoked.json",
+  "https://keys.eu.primust.com/.well-known/primust-pubkeys/revoked.json"
+];
+function revokedKeysUrls() {
+  const env = globalThis.process?.env?.PRIMUST_REVOKED_KEYS_URLS;
+  if (!env || !env.trim()) return DEFAULT_REVOKED_KEYS_URLS;
+  return env.split(",").map((s) => s.trim()).filter(Boolean);
+}
+async function isKeyRevoked(fingerprintHex) {
+  for (const url of revokedKeysUrls()) {
+    try {
+      const resp = await fetch(url, {
+        headers: { Accept: "application/json" },
+        signal: AbortSignal.timeout(3e3)
+      });
+      if (!resp.ok) continue;
+      const body = await resp.json();
+      const list = Array.isArray(body) ? body : Array.isArray(body.revoked) ? body.revoked : [];
+      const needle = fingerprintHex.toLowerCase();
+      for (const entry of list) {
+        if (typeof entry === "string" && entry.toLowerCase().replace(/^sha256:/, "") === needle) {
+          return true;
+        }
+      }
+      return false;
+    } catch {
+      continue;
+    }
+  }
+  return null;
+}
 async function checkRekor(publicKeyB64Url, kid) {
+  void kid;
   try {
     const keyBytes = fromBase64Url(publicKeyB64Url);
     const fingerprint = createHash("sha256").update(Buffer.from(keyBytes)).digest("hex");
+    const revoked = await isKeyRevoked(fingerprint);
+    if (revoked === true) return "revoked";
     const resp = await fetch(`${REKOR_API}/index/retrieve`, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({ hash: `sha256:${fingerprint}` }),
       signal: AbortSignal.timeout(5e3)
     });
-    if (!resp.ok) {
-      return "unavailable";
-    }
+    if (!resp.ok) return "unavailable";
     const entries = await resp.json();
-    if (!entries || entries.length === 0) {
-      return "not_found";
-    }
+    if (!entries || entries.length === 0) return "not_found";
     return "active";
   } catch {
     return "unavailable";

package/dist/cli.js

@@ -2,7 +2,7 @@
 import {
   createUpstreamRootResolver,
   verify
-} from "./chunk-ZADQUKKN.js";
+} from "./chunk-UB2YSMJ6.js";
 
 // src/cli.ts
 import { readFileSync } from "fs";
@@ -64,7 +64,7 @@ function formatHumanCertificate(artifact, result) {
   const ps = artifact.provable_surface;
   lines.push(`  Provable surface: ${ps != null ? `${(ps * 100).toFixed(1)}%` : "\u2014"}`);
   const records = artifact.records ?? [];
-  lines.push(`  Checks run:     ${records.length}`);
+  lines.push(`  Controls run:   ${records.length}`);
   lines.push(`  Open gaps:      ${result.gaps.length}`);
   const ac = artifact.action_coverage;
   if (ac) {
@@ -88,7 +88,7 @@ function formatHumanCertificate(artifact, result) {
         const tname = u.tool_name;
         let label = `  #${idx}   ${atype}`;
         if (tname) label += `: ${tname}`;
-        label += cuIndices.includes(idx) ? "     \u26A0 consequential \u2014 no check ran" : "     \u2014 no check ran";
+        label += cuIndices.includes(idx) ? "     \u26A0 consequential \u2014 no control ran" : "     \u2014 no control ran";
         lines.push(label);
       }
     }
@@ -106,14 +106,14 @@ function formatHumanCertificate(artifact, result) {
   const metadataMode = artifact.metadata_mode;
   if (records.length > 0 && metadataMode === "rich") {
     lines.push("");
-    lines.push("GOVERNANCE CHECKS");
+    lines.push("CONTROLS RUN");
     const shown = records.slice(0, 10);
     for (const r of shown) {
-      let checkId = r.manifest_id ?? r.check_id ?? "unknown";
-      if (checkId.includes("@")) checkId = checkId.split("@")[0];
-      const checkResult = r.check_result ?? "unknown";
+      let controlId = r.manifest_id ?? r.control_id ?? r.check_id ?? "unknown";
+      if (controlId.includes("@")) controlId = controlId.split("@")[0];
+      const controlResult = r.control_result ?? r.check_result ?? "unknown";
       const em = r.evidence_metadata;
-      let line = `  ${checkId}: ${checkResult}`;
+      let line = `  ${controlId}: ${controlResult}`;
       if (em) {
         const details = [];
         if ("entity_count" in em) details.push(`${em.entity_count} entities`);
@@ -124,17 +124,17 @@ function formatHumanCertificate(artifact, result) {
       lines.push(line);
     }
     if (records.length > 10) {
-      lines.push(`  ... and ${records.length - 10} more checks`);
+      lines.push(`  ... and ${records.length - 10} more controls`);
     }
   }
   lines.push("");
   lines.push("WHAT THIS PROVES");
-  lines.push("  Governance checks ran on the actions listed in this credential");
-  lines.push("  at the stated proof levels. This credential was issued at the");
-  lines.push("  time of the governed run and has not been altered since.");
+  lines.push("  Controls ran on the actions listed in this credential at the");
+  lines.push("  stated proof levels. This credential was issued at the time");
+  lines.push("  of the governed run and has not been altered since.");
   lines.push("");
   lines.push("WHAT THIS DOES NOT PROVE");
-  lines.push("  That the checks run constitute sufficient evidence for any");
+  lines.push("  That the controls run constitute sufficient evidence for any");
   lines.push("  specific regulatory requirement. That determination belongs");
   lines.push("  to the customer, their compliance function, and their auditors.");
   lines.push("");

package/dist/index.d.ts

@@ -28,6 +28,20 @@ interface VerifyOptions {
     skip_network?: boolean;
     /** Path to custom public key PEM (for enterprise self-hosting). */
     trust_root?: string;
+    /**
+     * CRL: when set, the verifier consults the public revocation endpoint
+     * and treats revoked credentials as invalid. Default undefined preserves
+     * the offline-first invariant — verify() makes no network calls unless
+     * this is provided. Pass e.g. "https://primust-api.fly.dev" (no trailing
+     * slash); the verifier appends "/api/v1/vpecs/{vpec_id}/revocation".
+     */
+    revocation_check_url?: string;
+    /**
+     * Timeout for the CRL fetch in milliseconds. On timeout or network
+     * error the verifier adds a warning but does NOT fail (revocation
+     * check is advisory; absence of a record is the default state).
+     */
+    revocation_check_timeout_ms?: number;
 }
 interface VerificationResult {
     vpec_id: string;

package/dist/index.js

@@ -3,7 +3,7 @@ import {
   createUpstreamRootResolver,
   seedKeyCache,
   verify
-} from "./chunk-ZADQUKKN.js";
+} from "./chunk-UB2YSMJ6.js";
 import {
   ALLOWED_KINDS,
   ALLOWED_TRUST_EDGES,
@@ -20,9 +20,15 @@ import {
   validateRecordsAgainstHarness,
   validateRuntimeBindingHash,
   verifyV29
-} from "./chunk-LTWQK3HT.js";
+} from "./chunk-BWJUVMT7.js";
 
 // src/verify-html-template.ts
+function escapeHtml(value) {
+  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+function safePackJson(packData) {
+  return JSON.stringify(packData).replace(/</g, "\\u003c");
+}
 function generateVerifyHtml(options) {
   const { publicKeyB64, packData } = options;
   return `<!DOCTYPE html>
@@ -61,7 +67,7 @@ function generateVerifyHtml(options) {
 </head>
 <body>
   <h1>Primust Evidence Pack Verification</h1>
-  <div class="subtitle">Pack: ${packData.pack_id} &middot; Period: ${packData.period_start} to ${packData.period_end}</div>
+  <div class="subtitle">Pack: ${escapeHtml(packData.pack_id)} &middot; Period: ${escapeHtml(packData.period_start)} to ${escapeHtml(packData.period_end)}</div>
 
   <div id="status" class="status loading">Verifying...</div>
 
@@ -106,8 +112,8 @@ function generateVerifyHtml(options) {
   </div>
 
   <script>
-    const PRIMUST_PUBLIC_KEY_B64 = "${publicKeyB64}";
-    const PACK_DATA = ${JSON.stringify(packData)};
+    const PRIMUST_PUBLIC_KEY_B64 = "${escapeHtml(publicKeyB64)}";
+    const PACK_DATA = ${safePackJson(packData)};
 
     async function importKey(b64) {
       const raw = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
@@ -139,20 +145,49 @@ function generateVerifyHtml(options) {
           if (!valid) allValid = false;
 
           const row = document.createElement('tr');
-          row.innerHTML =
-            '<td><span class="badge ' + (valid ? 'badge-pass' : 'badge-fail') + '">' + (valid ? 'VERIFIED' : 'NOT VERIFIED') + '</span></td>' +
-            '<td><code>' + vpec.vpec_id + '</code></td>' +
-            '<td>' + vpec.proof_level_floor + '</td>' +
-            '<td>' + (vpec.provable_surface * 100).toFixed(0) + '%</td>' +
-            '<td>' + vpec.gap_count + '</td>' +
-            '<td>' + vpec.issued_at + '</td>';
+
+          const statusTd = document.createElement('td');
+          const statusBadge = document.createElement('span');
+          statusBadge.className = 'badge ' + (valid ? 'badge-pass' : 'badge-fail');
+          statusBadge.textContent = valid ? 'VERIFIED' : 'NOT VERIFIED';
+          statusTd.appendChild(statusBadge);
+          row.appendChild(statusTd);
+
+          const idTd = document.createElement('td');
+          const idCode = document.createElement('code');
+          idCode.textContent = vpec.vpec_id;
+          idTd.appendChild(idCode);
+          row.appendChild(idTd);
+
+          const proofTd = document.createElement('td');
+          proofTd.textContent = vpec.proof_level_floor;
+          row.appendChild(proofTd);
+
+          const surfaceTd = document.createElement('td');
+          surfaceTd.textContent = (vpec.provable_surface * 100).toFixed(0) + '%';
+          row.appendChild(surfaceTd);
+
+          const gapsTd = document.createElement('td');
+          gapsTd.textContent = String(vpec.gap_count);
+          row.appendChild(gapsTd);
+
+          const issuedTd = document.createElement('td');
+          issuedTd.textContent = vpec.issued_at;
+          row.appendChild(issuedTd);
+
           tbody.appendChild(row);
         }
 
         // Render upstream chain if present
         if (PACK_DATA.upstream_vpecs && PACK_DATA.upstream_vpecs.length > 0) {
           const container = document.getElementById('chain-container');
-          container.innerHTML = '<h2 style="font-size:1.1rem;margin-bottom:1rem;">Cross-Organization Chain</h2>';
+
+          // Chain header (static, no PACK_DATA \u2014 safe to construct directly).
+          const heading = document.createElement('h2');
+          heading.style.fontSize = '1.1rem';
+          heading.style.marginBottom = '1rem';
+          heading.textContent = 'Cross-Organization Chain';
+          container.appendChild(heading);
 
           for (const uv of PACK_DATA.upstream_vpecs) {
             let uvValid = false;
@@ -162,9 +197,25 @@ function generateVerifyHtml(options) {
 
             const node = document.createElement('div');
             node.className = 'chain-node';
-            node.innerHTML =
-              '<span class="badge ' + (uvValid ? 'badge-pass' : 'badge-fail') + '">' + (uvValid ? 'VERIFIED' : 'NOT VERIFIED') + '</span> ' +
-              '<strong>' + uv.org_id + '</strong> &mdash; <code>' + uv.vpec_id + '</code> (' + uv.proof_level_floor + ')';
+
+            const badge = document.createElement('span');
+            badge.className = 'badge ' + (uvValid ? 'badge-pass' : 'badge-fail');
+            badge.textContent = uvValid ? 'VERIFIED' : 'NOT VERIFIED';
+            node.appendChild(badge);
+            node.appendChild(document.createTextNode(' '));
+
+            const orgStrong = document.createElement('strong');
+            orgStrong.textContent = uv.org_id;
+            node.appendChild(orgStrong);
+
+            node.appendChild(document.createTextNode(' \\u2014 '));
+
+            const idCode = document.createElement('code');
+            idCode.textContent = uv.vpec_id;
+            node.appendChild(idCode);
+
+            node.appendChild(document.createTextNode(' (' + uv.proof_level_floor + ')'));
+
             container.appendChild(node);
 
             const arrow = document.createElement('div');
@@ -175,7 +226,17 @@ function generateVerifyHtml(options) {
 
           const currentNode = document.createElement('div');
           currentNode.className = 'chain-node current';
-          currentNode.innerHTML = '<strong>This Pack</strong> &mdash; <code>' + PACK_DATA.pack_id + '</code>';
+
+          const labelStrong = document.createElement('strong');
+          labelStrong.textContent = 'This Pack';
+          currentNode.appendChild(labelStrong);
+
+          currentNode.appendChild(document.createTextNode(' \\u2014 '));
+
+          const packCode = document.createElement('code');
+          packCode.textContent = PACK_DATA.pack_id;
+          currentNode.appendChild(packCode);
+
           container.appendChild(currentNode);
         }
 

package/dist/tsa-chain-7KSQ5LAH.js

@@ -0,0 +1,235 @@
+// src/tsa-chain.ts
+import { X509Certificate, createHash } from "crypto";
+var DIGICERT_TRUSTED_ROOT_G4_FPR_HEX = "552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988";
+var TIME_STAMPING_EKU_OID = "1.3.6.1.5.5.7.3.8";
+var DIGICERT_TRUSTED_ROOT_G4_PEM = `-----BEGIN CERTIFICATE-----
+MIIFkDCCA3igAwIBAgIQBZsbV56OITLiOQe9p3d1XDANBgkqhkiG9w0BAQwFADBi
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3Qg
+RzQwHhcNMTMwODAxMTIwMDAwWhcNMzgwMTE1MTIwMDAwWjBiMQswCQYDVQQGEwJV
+UzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3d3cuZGlnaWNlcnQu
+Y29tMSEwHwYDVQQDExhEaWdpQ2VydCBUcnVzdGVkIFJvb3QgRzQwggIiMA0GCSqG
+SIb3DQEBAQUAA4ICDwAwggIKAoICAQC/5pBzaN675F1KPDAiMGkz7MKnJS7JIT3y
+ithZwuEppz1Yq3aaza57G4QNxDAf8xukOBbrVsaXbR2rsnnyyhHS5F/WBTxSD1If
+xp4VpX6+n6lXFllVcq9ok3DCsrp1mWpzMpTREEQQLt+C8weE5nQ7bXHiLQwb7iDV
+ySAdYyktzuxeTsiT+CFhmzTrBcZe7FsavOvJz82sNEBfsXpm7nfISKhmV1efVFiO
+DCu3T6cw2Vbuyntd463JT17lNecxy9qTXtyOj4DatpGYQJB5w3jHtrHEtWoYOAMQ
+jdjUN6QuBX2I9YI+EJFwq1WCQTLX2wRzKm6RAXwhTNS8rhsDdV14Ztk6MUSaM0C/
+CNdaSaTC5qmgZ92kJ7yhTzm1EVgX9yRcRo9k98FpiHaYdj1ZXUJ2h4mXaXpI8OCi
+EhtmmnTK3kse5w5jrubU75KSOp493ADkRSWJtppEGSt+wJS00mFt6zPZxd9LBADM
+fRyVw4/3IbKyEbe7f/LVjHAsQWCqsWMYRJUadmJ+9oCw++hkpjPRiQfhvbfmQ6QY
+uKZ3AeEPlAwhHbJUKSWJbOUOUlFHdL4mrLZBdd56rF+NP8m800ERElvlEFDrMcXK
+chYiCd98THU/Y+whX8QgUWtvsauGi0/C1kVfnSD8oR7FwI+isX4KJpn15GkvmB0t
+9dmpsh3lGwIDAQABo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIB
+hjAdBgNVHQ4EFgQU7NfjgtJxXWRM3y5nP+e6mK4cD08wDQYJKoZIhvcNAQEMBQAD
+ggIBALth2X2pbL4XxJEbw6GiAI3jZGgPVs93rnD5/ZpKmbnJeFwMDF/k5hQpVgs2
+SV1EY+CtnJYYZhsjDT156W1r1lT40jzBQ0CuHVD1UvyQO7uYmWlrx8GnqGikJ9yd
++SeuMIW59mdNOj6PWTkiU0TryF0Dyu1Qen1iIQqAyHNm0aAFYF/opbSnr6j3bTWc
+fFqK1qI4mfN4i/RN0iAL3gTujJtHgXINwBQy7zBZLq7gcfJW5GqXb5JQbZaNaHqa
+sjYUegbyJLkJEVDXCLG4iXqEI2FCKeWjzaIgQdfRnGTZ6iahixTXTBmyUEFxPT9N
+cCOGDErcgdLMMpSEDQgJlxxPwO5rIHQw0uA5NBCFIRUBCOhVMt5xSdkoF1BN5r5N
+0XWs0Mr7QbhDparTwwVETyw2m+L64kW4I1NsBm9nVX9GtUw/bihaeSbSpKhil9Ie
+4u1Ki7wb/UdKDd9nZn6yW0HQO+T0O/QEY+nvwlQAUaCKKsnOeMzV6ocEGLPOr0mI
+r/OSmbaz5mEP0oUA51Aa5BuVnRmhuZyxm7EAHu/QD09CbMkKvO5D+jpxpchNJqU1
+/YldvIViHTLSoCtU7ZpXwdv6EM8Zt4tKG48BtieVU+i2iW1bvGjUI+iLUaJW+fCm
+gKDWHrO8Dw9TdSmq6hN35N6MgSGtBxBHEa2HPQfRdbzP82Z+
+-----END CERTIFICATE-----`;
+function loadBundledRoots() {
+  const out = [];
+  try {
+    out.push(new X509Certificate(DIGICERT_TRUSTED_ROOT_G4_PEM));
+  } catch {
+  }
+  return out;
+}
+var BUNDLED_ROOTS = loadBundledRoots();
+function trustedRootFprs() {
+  const env = globalThis.process?.env?.PRIMUST_TSA_ROOT_FPR;
+  if (!env || !env.trim()) {
+    return /* @__PURE__ */ new Set([DIGICERT_TRUSTED_ROOT_G4_FPR_HEX]);
+  }
+  return new Set(
+    env.split(",").map((f) => f.trim().toLowerCase().replace(/:/g, "")).filter(Boolean)
+  );
+}
+function verifyTsaChain(tsTokenB64) {
+  let tokenDer;
+  try {
+    tokenDer = Buffer.from(tsTokenB64, "base64");
+  } catch {
+    return { ok: false, reason: "parse_error" };
+  }
+  let certs;
+  try {
+    certs = extractCertificates(tokenDer);
+  } catch {
+    return { ok: false, reason: "parse_error" };
+  }
+  if (certs.length === 0) {
+    return { ok: false, reason: "no_certs" };
+  }
+  const trusted = trustedRootFprs();
+  let leaf = null;
+  for (const c of certs) {
+    if (hasTimeStampingEku(c)) {
+      leaf = c;
+      break;
+    }
+  }
+  if (!leaf) {
+    const subjects = new Set(certs.map((c) => c.subject));
+    const issuers = new Set(certs.map((c) => c.issuer));
+    for (const c of certs) {
+      if (subjects.has(c.subject) && !issuers.has(c.subject)) {
+        leaf = c;
+        break;
+      }
+    }
+  }
+  if (!leaf) {
+    return { ok: false, reason: "leaf_not_found" };
+  }
+  if (!hasTimeStampingEku(leaf)) {
+    return { ok: false, reason: "missing_eku" };
+  }
+  if (!isWithinValidity(leaf)) {
+    return { ok: false, reason: "expired" };
+  }
+  const candidateRoots = BUNDLED_ROOTS.filter(
+    (r) => trusted.has(certFingerprint(r))
+  );
+  const opRootPem = globalThis.process?.env?.PRIMUST_TSA_ROOT_PEM;
+  if (opRootPem) {
+    try {
+      const opRoot = new X509Certificate(opRootPem);
+      if (trusted.has(certFingerprint(opRoot))) {
+        candidateRoots.push(opRoot);
+      }
+    } catch {
+      return { ok: false, reason: "parse_error" };
+    }
+  }
+  if (candidateRoots.length === 0) {
+    return { ok: false, reason: "root_not_trusted" };
+  }
+  const bySubject = /* @__PURE__ */ new Map();
+  for (const c of certs) bySubject.set(c.subject, c);
+  const byRootSubject = /* @__PURE__ */ new Map();
+  for (const r of candidateRoots) byRootSubject.set(r.subject, r);
+  let current = leaf;
+  const seen = /* @__PURE__ */ new Set();
+  for (let hop = 0; hop < 8; hop++) {
+    if (seen.has(current.subject)) {
+      return { ok: false, reason: "chain_incomplete" };
+    }
+    seen.add(current.subject);
+    const rootCert = byRootSubject.get(current.issuer);
+    if (rootCert) {
+      if (!current.verify(rootCert.publicKey)) {
+        return { ok: false, reason: "signature_invalid" };
+      }
+      if (!isWithinValidity(rootCert)) {
+        return { ok: false, reason: "expired" };
+      }
+      return { ok: true, reason: "ok" };
+    }
+    const issuerCert = bySubject.get(current.issuer);
+    if (issuerCert && issuerCert !== current) {
+      if (!current.verify(issuerCert.publicKey)) {
+        return { ok: false, reason: "signature_invalid" };
+      }
+      if (!isWithinValidity(issuerCert)) {
+        return { ok: false, reason: "expired" };
+      }
+      if (issuerCert.subject === issuerCert.issuer) {
+        if (trusted.has(certFingerprint(issuerCert))) {
+          return { ok: true, reason: "ok" };
+        }
+        return { ok: false, reason: "root_not_trusted" };
+      }
+      current = issuerCert;
+      continue;
+    }
+    return { ok: false, reason: "chain_incomplete" };
+  }
+  return { ok: false, reason: "chain_incomplete" };
+}
+function certFingerprint(cert) {
+  return createHash("sha256").update(cert.raw).digest("hex");
+}
+function hasTimeStampingEku(cert) {
+  const info = cert.toString();
+  return info.includes(TIME_STAMPING_EKU_OID) || info.includes("Time Stamping");
+}
+function isWithinValidity(cert) {
+  const now = Date.now();
+  const nb = Date.parse(cert.validFrom);
+  const na = Date.parse(cert.validTo);
+  if (Number.isNaN(nb) || Number.isNaN(na)) return false;
+  return nb <= now && now <= na;
+}
+function extractCertificates(tokenDer) {
+  const signedDataOid = Buffer.from([
+    6,
+    9,
+    42,
+    134,
+    72,
+    134,
+    247,
+    13,
+    1,
+    7,
+    2
+  ]);
+  const oidIdx = tokenDer.indexOf(signedDataOid);
+  if (oidIdx === -1) return [];
+  const scanStart = oidIdx + signedDataOid.length;
+  const limit = tokenDer.length;
+  for (let i = scanStart; i < limit - 2; i++) {
+    if (tokenDer[i] === 160) {
+      const lenInfo = parseDerLength(tokenDer, i + 1);
+      if (!lenInfo) continue;
+      const { length, headerLen } = lenInfo;
+      const setStart = i + 1 + headerLen;
+      const setEnd = setStart + length;
+      if (setEnd > limit) continue;
+      const certs = [];
+      let p = setStart;
+      while (p < setEnd) {
+        if (tokenDer[p] !== 48) break;
+        const li = parseDerLength(tokenDer, p + 1);
+        if (!li) break;
+        const certLen = li.length;
+        const certHdr = li.headerLen;
+        const certEnd = p + 1 + certHdr + certLen;
+        if (certEnd > setEnd) break;
+        const certDer = tokenDer.subarray(p, certEnd);
+        try {
+          certs.push(new X509Certificate(certDer));
+        } catch {
+        }
+        p = certEnd;
+      }
+      if (certs.length > 0) return certs;
+    }
+  }
+  return [];
+}
+function parseDerLength(buf, offset) {
+  if (offset >= buf.length) return null;
+  const first = buf[offset];
+  if ((first & 128) === 0) {
+    return { length: first, headerLen: 1 };
+  }
+  const n = first & 127;
+  if (n === 0 || n > 4 || offset + n >= buf.length) return null;
+  let val = 0;
+  for (let i = 0; i < n; i++) {
+    val = val << 8 | buf[offset + 1 + i];
+  }
+  return { length: val, headerLen: 1 + n };
+}
+export {
+  verifyTsaChain
+};

package/dist/{v29-envelope-GFVVA2S6.js → v29-envelope-JVSI5N3L.js}

@@ -1,5 +1,6 @@
 import {
   ALLOWED_KINDS,
+  ALLOWED_PROVENANCE,
   ALLOWED_TRUST_EDGES,
   ENVELOPE_VERSION,
   PROOF_TIER_HIERARCHY,
@@ -18,9 +19,10 @@ import {
   validateRuntimeBindingHash,
   validateRuntimeBindingSignature,
   verifyV29
-} from "./chunk-LTWQK3HT.js";
+} from "./chunk-BWJUVMT7.js";
 export {
   ALLOWED_KINDS,
+  ALLOWED_PROVENANCE,
   ALLOWED_TRUST_EDGES,
   ENVELOPE_VERSION,
   PROOF_TIER_HIERARCHY,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@primust/verifier",
-  "version": "1.0.1",
+  "version": "1.2.0",
   "description": "Offline and CLI verifier for Primust VPECs. Free forever. No account required.",
   "homepage": "https://primust.com",
   "repository": {
@@ -34,7 +34,7 @@
     "tsx": "^4.19.0",
     "typescript": "^5.6.0",
     "vitest": "^3.0.0",
-    "@primust/artifact-core": "^1.0.0",
+    "@primust/artifact-core": "workspace:*",
     "@noble/hashes": "^1.8.0",
     "@zkpassport/poseidon2": "^0.6.2"
   },
@@ -42,6 +42,9 @@
     "dist"
   ],
   "license": "Apache-2.0",
+  "publishConfig": {
+    "access": "public"
+  },
   "exports": {
     ".": {
       "import": "./dist/index.js",