@primust/verifier 1.1.0 → 1.3.0

package/dist/{chunk-LTWQK3HT.js → chunk-BWJUVMT7.js}

@@ -2,6 +2,7 @@
 import { createHash, createPublicKey, verify as cryptoVerify } from "crypto";
 var ENVELOPE_VERSION = "v0.1";
 var ALLOWED_KINDS = /* @__PURE__ */ new Set([
+  // v1.0 kinds (DECOMPOSITION_PROOF_SPEC v1.0 — locked Apr 26):
   "governance_check",
   "outbound_action",
   "token_authority_snapshot",
@@ -10,8 +11,14 @@ var ALLOWED_KINDS = /* @__PURE__ */ new Set([
   "scope_claim_lifecycle",
   "scope_claim_emitted",
   "turn_context",
-  "tool_execution"
+  "tool_execution",
+  // v1.1 additions (Controls Harness Execution Mode, mig 156).
+  // See docs/v29/foundation/CONTROLS_HARNESS_EXECUTION_SPEC_v0_1.md §2.4.
+  "enforcement_action",
+  "redaction",
+  "notification"
 ]);
+var ALLOWED_PROVENANCE = /* @__PURE__ */ new Set(["host_captured", "customer_supplied"]);
 var ALLOWED_TRUST_EDGES = /* @__PURE__ */ new Set(["A2T", "A2M", "A2H", "A2A", "A2S", "A2D"]);
 var PROOF_TIER_HIERARCHY = [
   "attestation",
@@ -412,6 +419,7 @@ function verifyV29(opts) {
 export {
   ENVELOPE_VERSION,
   ALLOWED_KINDS,
+  ALLOWED_PROVENANCE,
   ALLOWED_TRUST_EDGES,
   PROOF_TIER_HIERARCHY,
   v29Pass,

package/dist/{chunk-NOADQWB6.js → chunk-XDQXBEIS.js}

@@ -1220,7 +1220,11 @@ function verify2(document, signatureEnvelope, publicKeyB64Url) {
   } catch {
     return false;
   }
-  for (const canonFn of [canonical, canonicalLegacy]) {
+  const LEGACY_CUTOFF = "2026-04-19";
+  const signedAt = signatureEnvelope.signed_at ?? "";
+  const legacyAllowed = signedAt !== "" && signedAt.slice(0, 10) < LEGACY_CUTOFF;
+  const candidates = legacyAllowed ? [canonical, canonicalLegacy] : [canonical];
+  for (const canonFn of candidates) {
     try {
       const canonicalStr = canonFn(document);
       const hashBytes = sha2562(new TextEncoder().encode(canonicalStr));
@@ -1957,6 +1961,9 @@ var F3 = getPoseidon2BN254().primeField;
 // ../artifact-core/dist/commitment.js
 var BN254_MODULUS = 21888242871839275222246405745257275088548364400416034343698204186575808495617n;
 
+// ../artifact-core/dist/hierarchical_leaf.js
+var _utf8Encoder = new TextEncoder();
+
 // ../artifact-core/dist/validate-artifact.js
 var PROOF_LEVELS = [
   "mathematical",
@@ -2441,14 +2448,22 @@ async function verify3(artifact, options = {}, upstreamRootResolver) {
     const failedArtifacts = proofArtifacts.filter(
       (artifactEntry) => artifactEntry.verification_status === "failed"
     ).length;
+    const unresolvedArtifacts = proofArtifacts.filter(
+      (artifactEntry) => artifactEntry.verification_status === "unresolved_at_seal"
+    ).length;
     const verifiedArtifacts = proofArtifacts.filter(
       (artifactEntry) => artifactEntry.verification_status === "verified"
     ).length;
+    if (failedArtifacts > 0) {
+      result.errors.push(`proof_artifacts_failed:${failedArtifacts}`);
+    }
     if (pendingArtifacts > 0) {
-      result.warnings.push(`proof_artifacts_pending:${pendingArtifacts}`);
+      result.errors.push(`proof_artifacts_pending:${pendingArtifacts}`);
     }
-    if (failedArtifacts > 0) {
-      result.warnings.push(`proof_artifacts_failed:${failedArtifacts}`);
+    if (unresolvedArtifacts > 0) {
+      result.errors.push(
+        `proof_artifacts_unresolved_at_seal:${unresolvedArtifacts}; proof unresolved at seal; counterparty must consult live API to determine status`
+      );
     }
     if (!artifact.zk_proof) {
       result.warnings.push(`proof_artifacts_present:${verifiedArtifacts}`);
@@ -2477,7 +2492,7 @@ async function verify3(artifact, options = {}, upstreamRootResolver) {
   }
   if (artifact.envelope_version != null && (artifact.run_header || artifact.records)) {
     try {
-      const { verifyV29 } = await import("./v29-envelope-GFVVA2S6.js");
+      const { verifyV29 } = await import("./v29-envelope-JVSI5N3L.js");
       const shapeEnvelope = {
         envelope_version: artifact.envelope_version,
         run_header: artifact.run_header ?? {},
@@ -2503,9 +2518,38 @@ async function verify3(artifact, options = {}, upstreamRootResolver) {
       result.warnings.push(`v29_conformance_error:${e.message}`);
     }
   }
+  if (options.revocation_check_url && result.vpec_id) {
+    await checkRevocationOnline(
+      result,
+      options.revocation_check_url.replace(/\/+$/, ""),
+      options.revocation_check_timeout_ms ?? 5e3
+    );
+  }
   result.valid = result.errors.length === 0;
   return result;
 }
+async function checkRevocationOnline(result, baseUrl, timeoutMs) {
+  const url = `${baseUrl}/api/v1/vpecs/${result.vpec_id}/revocation`;
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const resp = await fetch(url, { signal: controller.signal });
+    if (!resp.ok) {
+      result.warnings.push(`revocation_check_http_${resp.status}`);
+      return;
+    }
+    const body = await resp.json();
+    if (body.revoked === true) {
+      const reason = body.revocation_reason ?? "unspecified";
+      result.errors.push(`credential_revoked: ${reason}`);
+    }
+  } catch (e) {
+    const msg = e.message ?? String(e);
+    result.warnings.push(`revocation_check_unavailable: ${msg}`);
+  } finally {
+    clearTimeout(timer);
+  }
+}
 function computeMerkleRoot(hashes) {
   let leaves = hashes.map((h2) => {
     const hex = h2.startsWith("sha256:") ? h2.slice(7) : h2;

package/dist/cli.js

@@ -2,7 +2,7 @@
 import {
   createUpstreamRootResolver,
   verify
-} from "./chunk-NOADQWB6.js";
+} from "./chunk-XDQXBEIS.js";
 
 // src/cli.ts
 import { readFileSync } from "fs";
@@ -64,7 +64,7 @@ function formatHumanCertificate(artifact, result) {
   const ps = artifact.provable_surface;
   lines.push(`  Provable surface: ${ps != null ? `${(ps * 100).toFixed(1)}%` : "\u2014"}`);
   const records = artifact.records ?? [];
-  lines.push(`  Checks run:     ${records.length}`);
+  lines.push(`  Controls run:   ${records.length}`);
   lines.push(`  Open gaps:      ${result.gaps.length}`);
   const ac = artifact.action_coverage;
   if (ac) {
@@ -88,7 +88,7 @@ function formatHumanCertificate(artifact, result) {
         const tname = u.tool_name;
         let label = `  #${idx}   ${atype}`;
         if (tname) label += `: ${tname}`;
-        label += cuIndices.includes(idx) ? "     \u26A0 consequential \u2014 no check ran" : "     \u2014 no check ran";
+        label += cuIndices.includes(idx) ? "     \u26A0 consequential \u2014 no control ran" : "     \u2014 no control ran";
         lines.push(label);
       }
     }
@@ -106,14 +106,14 @@ function formatHumanCertificate(artifact, result) {
   const metadataMode = artifact.metadata_mode;
   if (records.length > 0 && metadataMode === "rich") {
     lines.push("");
-    lines.push("GOVERNANCE CHECKS");
+    lines.push("CONTROLS RUN");
     const shown = records.slice(0, 10);
     for (const r of shown) {
-      let checkId = r.manifest_id ?? r.check_id ?? "unknown";
-      if (checkId.includes("@")) checkId = checkId.split("@")[0];
-      const checkResult = r.check_result ?? "unknown";
+      let controlId = r.manifest_id ?? r.control_id ?? r.check_id ?? "unknown";
+      if (controlId.includes("@")) controlId = controlId.split("@")[0];
+      const controlResult = r.control_result ?? r.check_result ?? "unknown";
       const em = r.evidence_metadata;
-      let line = `  ${checkId}: ${checkResult}`;
+      let line = `  ${controlId}: ${controlResult}`;
       if (em) {
         const details = [];
         if ("entity_count" in em) details.push(`${em.entity_count} entities`);
@@ -124,17 +124,17 @@ function formatHumanCertificate(artifact, result) {
       lines.push(line);
     }
     if (records.length > 10) {
-      lines.push(`  ... and ${records.length - 10} more checks`);
+      lines.push(`  ... and ${records.length - 10} more controls`);
     }
   }
   lines.push("");
   lines.push("WHAT THIS PROVES");
-  lines.push("  Governance checks ran on the actions listed in this credential");
-  lines.push("  at the stated proof levels. This credential was issued at the");
-  lines.push("  time of the governed run and has not been altered since.");
+  lines.push("  Controls ran on the actions listed in this credential at the");
+  lines.push("  stated proof levels. This credential was issued at the time");
+  lines.push("  of the governed run and has not been altered since.");
   lines.push("");
   lines.push("WHAT THIS DOES NOT PROVE");
-  lines.push("  That the checks run constitute sufficient evidence for any");
+  lines.push("  That the controls run constitute sufficient evidence for any");
   lines.push("  specific regulatory requirement. That determination belongs");
   lines.push("  to the customer, their compliance function, and their auditors.");
   lines.push("");

package/dist/index.d.ts

@@ -28,6 +28,20 @@ interface VerifyOptions {
     skip_network?: boolean;
     /** Path to custom public key PEM (for enterprise self-hosting). */
     trust_root?: string;
+    /**
+     * CRL: when set, the verifier consults the public revocation endpoint
+     * and treats revoked credentials as invalid. Default undefined preserves
+     * the offline-first invariant — verify() makes no network calls unless
+     * this is provided. Pass e.g. "https://primust-api.fly.dev" (no trailing
+     * slash); the verifier appends "/api/v1/vpecs/{vpec_id}/revocation".
+     */
+    revocation_check_url?: string;
+    /**
+     * Timeout for the CRL fetch in milliseconds. On timeout or network
+     * error the verifier adds a warning but does NOT fail (revocation
+     * check is advisory; absence of a record is the default state).
+     */
+    revocation_check_timeout_ms?: number;
 }
 interface VerificationResult {
     vpec_id: string;

package/dist/index.js

@@ -3,7 +3,7 @@ import {
   createUpstreamRootResolver,
   seedKeyCache,
   verify
-} from "./chunk-NOADQWB6.js";
+} from "./chunk-XDQXBEIS.js";
 import {
   ALLOWED_KINDS,
   ALLOWED_TRUST_EDGES,
@@ -20,9 +20,15 @@ import {
   validateRecordsAgainstHarness,
   validateRuntimeBindingHash,
   verifyV29
-} from "./chunk-LTWQK3HT.js";
+} from "./chunk-BWJUVMT7.js";
 
 // src/verify-html-template.ts
+function escapeHtml(value) {
+  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
+}
+function safePackJson(packData) {
+  return JSON.stringify(packData).replace(/</g, "\\u003c");
+}
 function generateVerifyHtml(options) {
   const { publicKeyB64, packData } = options;
   return `<!DOCTYPE html>
@@ -61,7 +67,7 @@ function generateVerifyHtml(options) {
 </head>
 <body>
   <h1>Primust Evidence Pack Verification</h1>
-  <div class="subtitle">Pack: ${packData.pack_id} &middot; Period: ${packData.period_start} to ${packData.period_end}</div>
+  <div class="subtitle">Pack: ${escapeHtml(packData.pack_id)} &middot; Period: ${escapeHtml(packData.period_start)} to ${escapeHtml(packData.period_end)}</div>
 
   <div id="status" class="status loading">Verifying...</div>
 
@@ -106,8 +112,8 @@ function generateVerifyHtml(options) {
   </div>
 
   <script>
-    const PRIMUST_PUBLIC_KEY_B64 = "${publicKeyB64}";
-    const PACK_DATA = ${JSON.stringify(packData)};
+    const PRIMUST_PUBLIC_KEY_B64 = "${escapeHtml(publicKeyB64)}";
+    const PACK_DATA = ${safePackJson(packData)};
 
     async function importKey(b64) {
       const raw = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
@@ -139,20 +145,49 @@ function generateVerifyHtml(options) {
           if (!valid) allValid = false;
 
           const row = document.createElement('tr');
-          row.innerHTML =
-            '<td><span class="badge ' + (valid ? 'badge-pass' : 'badge-fail') + '">' + (valid ? 'VERIFIED' : 'NOT VERIFIED') + '</span></td>' +
-            '<td><code>' + vpec.vpec_id + '</code></td>' +
-            '<td>' + vpec.proof_level_floor + '</td>' +
-            '<td>' + (vpec.provable_surface * 100).toFixed(0) + '%</td>' +
-            '<td>' + vpec.gap_count + '</td>' +
-            '<td>' + vpec.issued_at + '</td>';
+
+          const statusTd = document.createElement('td');
+          const statusBadge = document.createElement('span');
+          statusBadge.className = 'badge ' + (valid ? 'badge-pass' : 'badge-fail');
+          statusBadge.textContent = valid ? 'VERIFIED' : 'NOT VERIFIED';
+          statusTd.appendChild(statusBadge);
+          row.appendChild(statusTd);
+
+          const idTd = document.createElement('td');
+          const idCode = document.createElement('code');
+          idCode.textContent = vpec.vpec_id;
+          idTd.appendChild(idCode);
+          row.appendChild(idTd);
+
+          const proofTd = document.createElement('td');
+          proofTd.textContent = vpec.proof_level_floor;
+          row.appendChild(proofTd);
+
+          const surfaceTd = document.createElement('td');
+          surfaceTd.textContent = (vpec.provable_surface * 100).toFixed(0) + '%';
+          row.appendChild(surfaceTd);
+
+          const gapsTd = document.createElement('td');
+          gapsTd.textContent = String(vpec.gap_count);
+          row.appendChild(gapsTd);
+
+          const issuedTd = document.createElement('td');
+          issuedTd.textContent = vpec.issued_at;
+          row.appendChild(issuedTd);
+
           tbody.appendChild(row);
         }
 
         // Render upstream chain if present
         if (PACK_DATA.upstream_vpecs && PACK_DATA.upstream_vpecs.length > 0) {
           const container = document.getElementById('chain-container');
-          container.innerHTML = '<h2 style="font-size:1.1rem;margin-bottom:1rem;">Cross-Organization Chain</h2>';
+
+          // Chain header (static, no PACK_DATA \u2014 safe to construct directly).
+          const heading = document.createElement('h2');
+          heading.style.fontSize = '1.1rem';
+          heading.style.marginBottom = '1rem';
+          heading.textContent = 'Cross-Organization Chain';
+          container.appendChild(heading);
 
           for (const uv of PACK_DATA.upstream_vpecs) {
             let uvValid = false;
@@ -162,9 +197,25 @@ function generateVerifyHtml(options) {
 
             const node = document.createElement('div');
             node.className = 'chain-node';
-            node.innerHTML =
-              '<span class="badge ' + (uvValid ? 'badge-pass' : 'badge-fail') + '">' + (uvValid ? 'VERIFIED' : 'NOT VERIFIED') + '</span> ' +
-              '<strong>' + uv.org_id + '</strong> &mdash; <code>' + uv.vpec_id + '</code> (' + uv.proof_level_floor + ')';
+
+            const badge = document.createElement('span');
+            badge.className = 'badge ' + (uvValid ? 'badge-pass' : 'badge-fail');
+            badge.textContent = uvValid ? 'VERIFIED' : 'NOT VERIFIED';
+            node.appendChild(badge);
+            node.appendChild(document.createTextNode(' '));
+
+            const orgStrong = document.createElement('strong');
+            orgStrong.textContent = uv.org_id;
+            node.appendChild(orgStrong);
+
+            node.appendChild(document.createTextNode(' \\u2014 '));
+
+            const idCode = document.createElement('code');
+            idCode.textContent = uv.vpec_id;
+            node.appendChild(idCode);
+
+            node.appendChild(document.createTextNode(' (' + uv.proof_level_floor + ')'));
+
             container.appendChild(node);
 
             const arrow = document.createElement('div');
@@ -175,7 +226,17 @@ function generateVerifyHtml(options) {
 
           const currentNode = document.createElement('div');
           currentNode.className = 'chain-node current';
-          currentNode.innerHTML = '<strong>This Pack</strong> &mdash; <code>' + PACK_DATA.pack_id + '</code>';
+
+          const labelStrong = document.createElement('strong');
+          labelStrong.textContent = 'This Pack';
+          currentNode.appendChild(labelStrong);
+
+          currentNode.appendChild(document.createTextNode(' \\u2014 '));
+
+          const packCode = document.createElement('code');
+          packCode.textContent = PACK_DATA.pack_id;
+          currentNode.appendChild(packCode);
+
           container.appendChild(currentNode);
         }
 

package/dist/{v29-envelope-GFVVA2S6.js → v29-envelope-JVSI5N3L.js}

@@ -1,5 +1,6 @@
 import {
   ALLOWED_KINDS,
+  ALLOWED_PROVENANCE,
   ALLOWED_TRUST_EDGES,
   ENVELOPE_VERSION,
   PROOF_TIER_HIERARCHY,
@@ -18,9 +19,10 @@ import {
   validateRuntimeBindingHash,
   validateRuntimeBindingSignature,
   verifyV29
-} from "./chunk-LTWQK3HT.js";
+} from "./chunk-BWJUVMT7.js";
 export {
   ALLOWED_KINDS,
+  ALLOWED_PROVENANCE,
   ALLOWED_TRUST_EDGES,
   ENVELOPE_VERSION,
   PROOF_TIER_HIERARCHY,

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@primust/verifier",
-  "version": "1.1.0",
-  "description": "Offline and CLI verifier for Primust VPECs. Free forever. No account required.",
+  "version": "1.3.0",
+  "description": "Offline and CLI verifier for Primust Governed-Execution Credentials. Free forever. No account required.",
   "homepage": "https://primust.com",
   "repository": {
     "type": "git",
@@ -34,7 +34,7 @@
     "tsx": "^4.19.0",
     "typescript": "^5.6.0",
     "vitest": "^3.0.0",
-    "@primust/artifact-core": "^1.0.0",
+    "@primust/artifact-core": "workspace:*",
     "@noble/hashes": "^1.8.0",
     "@zkpassport/poseidon2": "^0.6.2"
   },
@@ -42,6 +42,9 @@
     "dist"
   ],
   "license": "Apache-2.0",
+  "publishConfig": {
+    "access": "public"
+  },
   "exports": {
     ".": {
       "import": "./dist/index.js",