agent-passport-system 2.0.0 → 2.2.0

package/dist/src/v2/cognitive-attestation/verify.d.ts

@@ -0,0 +1,67 @@
+import type { CognitiveAttestation, SignerRole } from './types.js';
+/**
+ * Verify that at least one signature entry for `signerDid` validates against
+ * `publicKey`. Returns false on tamper, wrong DID, malformed signature, or
+ * key mismatch.
+ */
+export declare function verifySignature(att: CognitiveAttestation, publicKey: Uint8Array, signerDid: string): boolean;
+export interface RequiredRoleCoverage {
+    ok: boolean;
+    missing: SignerRole[];
+    present: SignerRole[];
+}
+/**
+ * Confirm every role in `aggregation_policy.required_signer_roles` is
+ * represented by at least one signature entry with that role. Structural
+ * check only — does NOT verify signature cryptographically. Callers should
+ * pair this with `verifySignature` per signer for full Stage 1.
+ */
+export declare function verifyRequiredSignerRoles(att: CognitiveAttestation): RequiredRoleCoverage;
+export interface RegistryResolver {
+    /** Return true if the model_version_hash is known to the caller's model registry. */
+    isKnownModel(modelId: string, modelVersionHash: string): Promise<boolean>;
+    /** Return true if the dictionary_version_hash is known to the caller's SAE/feature-dict registry. */
+    isKnownDictionary(dictionaryId: string, dictionaryVersionHash: string): Promise<boolean>;
+}
+export interface RegistryVerificationResult {
+    ok: boolean;
+    model_known: boolean;
+    dictionary_known: boolean;
+    errors: string[];
+}
+/**
+ * Stage 2. Checks that the referenced model and dictionary versions exist in
+ * the resolver's registry view. The SDK ships no registry client — integrators
+ * (or the private gateway) implement `RegistryResolver`.
+ */
+export declare function verifyAgainstRegistry(att: CognitiveAttestation, registryResolver: RegistryResolver): Promise<RegistryVerificationResult>;
+export interface ReplayBackend {
+    /**
+     * Replay the attested token range through the referenced model + SAE and
+     * compare feature activations against the envelope within the policy's
+     * attestation_epsilon. Implementations live outside the SDK.
+     */
+    replay(att: CognitiveAttestation): Promise<ReplayVerificationResult>;
+}
+export interface ReplayVerificationResult {
+    ok: boolean;
+    /** Per-feature deltas keyed by feature_id. */
+    per_feature_delta: Record<number, number>;
+    /** Features whose |delta| exceeded aggregation_policy.attestation_epsilon. */
+    over_epsilon: number[];
+    /** Features claimed by the envelope but not observed during replay. */
+    missing_from_replay: number[];
+    /** Features observed above threshold during replay but absent from the envelope. */
+    unexpected_in_replay: number[];
+}
+/**
+ * Stage 3. Requires an injected `ReplayBackend`. Running an SAE live is
+ * outside what a pure SDK primitive should bundle — use a private backend
+ * or the gateway's replay service.
+ *
+ * TODO: Once a reference replay backend exists (gateway-side, not SDK),
+ *       document its contract here and ship test vectors covering
+ *       threshold-delta, missing-feature, and unexpected-feature cases.
+ */
+export declare function verifyByReplay(att: CognitiveAttestation, replayer: ReplayBackend): Promise<ReplayVerificationResult>;
+//# sourceMappingURL=verify.d.ts.map

package/dist/src/v2/cognitive-attestation/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../../../src/v2/cognitive-attestation/verify.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,oBAAoB,EAAE,UAAU,EAAE,MAAM,YAAY,CAAA;AAoBlE;;;;GAIG;AACH,wBAAgB,eAAe,CAC7B,GAAG,EAAE,oBAAoB,EACzB,SAAS,EAAE,UAAU,EACrB,SAAS,EAAE,MAAM,GAChB,OAAO,CAgBT;AAMD,MAAM,WAAW,oBAAoB;IACnC,EAAE,EAAE,OAAO,CAAA;IACX,OAAO,EAAE,UAAU,EAAE,CAAA;IACrB,OAAO,EAAE,UAAU,EAAE,CAAA;CACtB;AAED;;;;;GAKG;AACH,wBAAgB,yBAAyB,CAAC,GAAG,EAAE,oBAAoB,GAAG,oBAAoB,CAUzF;AAMD,MAAM,WAAW,gBAAgB;IAC/B,qFAAqF;IACrF,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IACzE,qGAAqG;IACrG,iBAAiB,CAAC,YAAY,EAAE,MAAM,EAAE,qBAAqB,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;CACzF;AAED,MAAM,WAAW,0BAA0B;IACzC,EAAE,EAAE,OAAO,CAAA;IACX,WAAW,EAAE,OAAO,CAAA;IACpB,gBAAgB,EAAE,OAAO,CAAA;IACzB,MAAM,EAAE,MAAM,EAAE,CAAA;CACjB;AAED;;;;GAIG;AACH,wBAAsB,qBAAqB,CACzC,GAAG,EAAE,oBAAoB,EACzB,gBAAgB,EAAE,gBAAgB,GACjC,OAAO,CAAC,0BAA0B,CAAC,CAuCrC;AAMD,MAAM,WAAW,aAAa;IAC5B;;;;OAIG;IACH,MAAM,CAAC,GAAG,EAAE,oBAAoB,GAAG,OAAO,CAAC,wBAAwB,CAAC,CAAA;CACrE;AAED,MAAM,WAAW,wBAAwB;IACvC,EAAE,EAAE,OAAO,CAAA;IACX,8CAA8C;IAC9C,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IACzC,8EAA8E;IAC9E,YAAY,EAAE,MAAM,EAAE,CAAA;IACtB,uEAAuE;IACvE,mBAAmB,EAAE,MAAM,EAAE,CAAA;IAC7B,oFAAoF;IACpF,oBAAoB,EAAE,MAAM,EAAE,CAAA;CAC/B;AAED;;;;;;;;GAQG;AACH,wBAAsB,cAAc,CAClC,GAAG,EAAE,oBAAoB,EACzB,QAAQ,EAAE,aAAa,GACtB,OAAO,CAAC,wBAAwB,CAAC,CAQnC"}

package/dist/src/v2/cognitive-attestation/verify.js

@@ -0,0 +1,125 @@
+// Copyright 2024-2026 Tymofii Pidlisnyi. Apache-2.0 license. See LICENSE.
+// ══════════════════════════════════════════════════════════════════
+// Cognitive Attestation — three-stage verification
+// ══════════════════════════════════════════════════════════════════
+// Paper: "Cognitive Attestation" — Zenodo DOI 10.5281/zenodo.19646276, §4
+//
+// Stage 1 (cryptographic): verifySignature + verifyRequiredSignerRoles — ships.
+// Stage 2 (registry):      verifyAgainstRegistry — interface + basic impl;
+//                          concrete resolvers injected by integrators/gateway.
+// Stage 3 (replay):        verifyByReplay — typed shape only; the SDK does
+//                          not bundle a running SAE. Throws "not implemented"
+//                          until a ReplayBackend is wired.
+// ══════════════════════════════════════════════════════════════════
+import { verify as edVerifyHex } from '../../crypto/keys.js';
+import { canonicalizeAttestation } from './envelope.js';
+function bytesToHex(bytes) {
+    let out = '';
+    for (let i = 0; i < bytes.length; i++)
+        out += bytes[i].toString(16).padStart(2, '0');
+    return out;
+}
+function base64ToHex(b64) {
+    try {
+        return Buffer.from(b64, 'base64').toString('hex');
+    }
+    catch {
+        return null;
+    }
+}
+// ──────────────────────────────────────────────────────────────────
+// Stage 1a — cryptographic single-signer check.
+// ──────────────────────────────────────────────────────────────────
+/**
+ * Verify that at least one signature entry for `signerDid` validates against
+ * `publicKey`. Returns false on tamper, wrong DID, malformed signature, or
+ * key mismatch.
+ */
+export function verifySignature(att, publicKey, signerDid) {
+    if (!(publicKey instanceof Uint8Array) || publicKey.length !== 32)
+        return false;
+    const canonicalBytes = canonicalizeAttestation(att);
+    const canonicalString = new TextDecoder().decode(canonicalBytes);
+    const publicKeyHex = bytesToHex(publicKey);
+    const matches = att.signatures.filter((s) => s.signer_did === signerDid);
+    if (matches.length === 0)
+        return false;
+    for (const entry of matches) {
+        const sigHex = base64ToHex(entry.signature);
+        if (!sigHex)
+            continue;
+        if (edVerifyHex(canonicalString, sigHex, publicKeyHex))
+            return true;
+    }
+    return false;
+}
+/**
+ * Confirm every role in `aggregation_policy.required_signer_roles` is
+ * represented by at least one signature entry with that role. Structural
+ * check only — does NOT verify signature cryptographically. Callers should
+ * pair this with `verifySignature` per signer for full Stage 1.
+ */
+export function verifyRequiredSignerRoles(att) {
+    const required = new Set(att.aggregation_policy.required_signer_roles);
+    const presentRoles = new Set(att.signatures.map((s) => s.signer_role));
+    const missing = [];
+    for (const role of required)
+        if (!presentRoles.has(role))
+            missing.push(role);
+    return {
+        ok: missing.length === 0,
+        missing,
+        present: Array.from(presentRoles),
+    };
+}
+/**
+ * Stage 2. Checks that the referenced model and dictionary versions exist in
+ * the resolver's registry view. The SDK ships no registry client — integrators
+ * (or the private gateway) implement `RegistryResolver`.
+ */
+export async function verifyAgainstRegistry(att, registryResolver) {
+    const errors = [];
+    let model_known = false;
+    let dictionary_known = false;
+    try {
+        model_known = await registryResolver.isKnownModel(att.model_ref.model_id, att.model_ref.model_version_hash);
+        if (!model_known) {
+            errors.push(`unknown model_version_hash for model_id="${att.model_ref.model_id}"`);
+        }
+    }
+    catch (e) {
+        errors.push(`model resolver error: ${e instanceof Error ? e.message : String(e)}`);
+    }
+    try {
+        dictionary_known = await registryResolver.isKnownDictionary(att.dictionary_ref.dictionary_id, att.dictionary_ref.dictionary_version_hash);
+        if (!dictionary_known) {
+            errors.push(`unknown dictionary_version_hash for dictionary_id="${att.dictionary_ref.dictionary_id}"`);
+        }
+    }
+    catch (e) {
+        errors.push(`dictionary resolver error: ${e instanceof Error ? e.message : String(e)}`);
+    }
+    return {
+        ok: errors.length === 0 && model_known && dictionary_known,
+        model_known,
+        dictionary_known,
+        errors,
+    };
+}
+/**
+ * Stage 3. Requires an injected `ReplayBackend`. Running an SAE live is
+ * outside what a pure SDK primitive should bundle — use a private backend
+ * or the gateway's replay service.
+ *
+ * TODO: Once a reference replay backend exists (gateway-side, not SDK),
+ *       document its contract here and ship test vectors covering
+ *       threshold-delta, missing-feature, and unexpected-feature cases.
+ */
+export async function verifyByReplay(att, replayer) {
+    if (!replayer || typeof replayer.replay !== 'function') {
+        throw new Error('verifyByReplay: not implemented in SDK. Inject a ReplayBackend ' +
+            'or use a private backend (e.g. gateway replay service).');
+    }
+    return replayer.replay(att);
+}
+//# sourceMappingURL=verify.js.map

package/dist/src/v2/cognitive-attestation/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../../../../src/v2/cognitive-attestation/verify.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,qEAAqE;AACrE,mDAAmD;AACnD,qEAAqE;AACrE,0EAA0E;AAC1E,EAAE;AACF,gFAAgF;AAChF,2EAA2E;AAC3E,+EAA+E;AAC/E,2EAA2E;AAC3E,8EAA8E;AAC9E,2DAA2D;AAC3D,qEAAqE;AAErE,OAAO,EAAE,MAAM,IAAI,WAAW,EAAE,MAAM,sBAAsB,CAAA;AAC5D,OAAO,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAA;AAGvD,SAAS,UAAU,CAAC,KAAiB;IACnC,IAAI,GAAG,GAAG,EAAE,CAAA;IACZ,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE;QAAE,GAAG,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;IACpF,OAAO,GAAG,CAAA;AACZ,CAAC;AAED,SAAS,WAAW,CAAC,GAAW;IAC9B,IAAI,CAAC;QACH,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IACnD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED,qEAAqE;AACrE,gDAAgD;AAChD,qEAAqE;AAErE;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAC7B,GAAyB,EACzB,SAAqB,EACrB,SAAiB;IAEjB,IAAI,CAAC,CAAC,SAAS,YAAY,UAAU,CAAC,IAAI,SAAS,CAAC,MAAM,KAAK,EAAE;QAAE,OAAO,KAAK,CAAA;IAE/E,MAAM,cAAc,GAAG,uBAAuB,CAAC,GAAG,CAAC,CAAA;IACnD,MAAM,eAAe,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,CAAA;IAChE,MAAM,YAAY,GAAG,UAAU,CAAC,SAAS,CAAC,CAAA;IAE1C,MAAM,OAAO,GAAG,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,SAAS,CAAC,CAAA;IACxE,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAA;IAEtC,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,SAAS,CAAC,CAAA;QAC3C,IAAI,CAAC,MAAM;YAAE,SAAQ;QACrB,IAAI,WAAW,CAAC,eAAe,EAAE,MAAM,EAAE,YAAY,CAAC;YAAE,OAAO,IAAI,CAAA;IACrE,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAYD;;;;;GAKG;AACH,MAAM,UAAU,yBAAyB,CAAC,GAAyB;IACjE,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAa,GAAG,CAAC,kBAAkB,CAAC,qBAAqB,CAAC,CAAA;IAClF,MAAM,YAAY,GAAG,IAAI,GAAG,CAAa,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAA;IAClF,MAAM,OAAO,GAAiB,EAAE,CAAA;IAChC,KAAK,MAAM,IAAI,IAAI,QAAQ;QAAE,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,IAAI,CAAC;YAAE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;IAC5E,OAAO;QACL,EAAE,EAAE,OAAO,CAAC,MAAM,KAAK,CAAC;QACxB,OAAO;QACP,OAAO,EAAE,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC;KAClC,CAAA;AACH,CAAC;AAoBD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,GAAyB,EACzB,gBAAkC;IAElC,MAAM,MAAM,GAAa,EAAE,CAAA;IAC3B,IAAI,WAAW,GAAG,KAAK,CAAA;IACvB,IAAI,gBAAgB,GAAG,KAAK,CAAA;IAE5B,IAAI,CAAC;QACH,WAAW,GAAG,MAAM,gBAAgB,CAAC,YAAY,CAC/C,GAAG,CAAC,SAAS,CAAC,QAAQ,EACtB,GAAG,CAAC,SAAS,CAAC,kBAAkB,CACjC,CAAA;QACD,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,MAAM,CAAC,IAAI,CACT,4CAA4C,GAAG,CAAC,SAAS,CAAC,QAAQ,GAAG,CACtE,CAAA;QACH,CAAC;IACH,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAA;IACpF,CAAC;IAED,IAAI,CAAC;QACH,gBAAgB,GAAG,MAAM,gBAAgB,CAAC,iBAAiB,CACzD,GAAG,CAAC,cAAc,CAAC,aAAa,EAChC,GAAG,CAAC,cAAc,CAAC,uBAAuB,CAC3C,CAAA;QACD,IAAI,CAAC,gBAAgB,EAAE,CAAC;YACtB,MAAM,CAAC,IAAI,CACT,sDAAsD,GAAG,CAAC,cAAc,CAAC,aAAa,GAAG,CAC1F,CAAA;QACH,CAAC;IACH,CAAC;IAAC,OAAO,CAAU,EAAE,CAAC;QACpB,MAAM,CAAC,IAAI,CAAC,8BAA8B,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAA;IACzF,CAAC;IAED,OAAO;QACL,EAAE,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,IAAI,WAAW,IAAI,gBAAgB;QAC1D,WAAW;QACX,gBAAgB;QAChB,MAAM;KACP,CAAA;AACH,CAAC;AA2BD;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,GAAyB,EACzB,QAAuB;IAEvB,IAAI,CAAC,QAAQ,IAAI,OAAO,QAAQ,CAAC,MAAM,KAAK,UAAU,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CACb,iEAAiE;YAC/D,yDAAyD,CAC5D,CAAA;IACH,CAAC;IACD,OAAO,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;AAC7B,CAAC"}

package/dist/src/v2/index.d.ts

@@ -27,6 +27,8 @@ export { checkEscalationRequired, requestOwnerConfirmation, recordOwnerConfirmat
 export type { EscalationAction, EscalationCheck, RecordConfirmationParams, ConfirmationVerdict, VerifyForActionResult, } from './human-escalation.js';
 export { bindWallet, unbindWallet, verifyBoundWallet, verifyUnbindEvent, } from "./wallet-binding/index.js";
 export type { BoundWallet, WalletChain, WalletVerificationChallenge, UnbindEvent, } from "./wallet-binding/index.js";
+export { buildAttestation, canonicalizeAttestation, signAttestation as signCognitiveAttestation, cognitiveAttestationDigest, sortFeatureActivations, validateAttestationShape, verifySignature as verifyCognitiveAttestationSignature, verifyRequiredSignerRoles, verifyAgainstRegistry, verifyByReplay, } from './cognitive-attestation/index.js';
+export type { CognitiveAttestation, ModelRef, DictionaryRef, TokenRange, FeatureActivation, AggregationPolicy, Signature as CognitiveAttestationSignature, SignerRole as CognitiveAttestationSignerRole, ExecutionEnvironment, Precision, AttachmentPoint, SAEType, ActivationStatistic, CompletenessClaim, TiebreakerRule, BuildAttestationInput, RequiredRoleCoverage, RegistryResolver, RegistryVerificationResult, ReplayBackend, ReplayVerificationResult, ThresholdDispute, ExclusionDispute, ComputationalDispute, DecompositionAdequacyDispute, FacetedReinterpretationDispute, InterpretiveDispute, Dispute, } from './cognitive-attestation/index.js';
 export { verifyOnAccept, evaluateCredentialCheck, resolveCheckMode, } from "./credential-check-policy/index.js";
 export type { CredentialCheckMode, CredentialCheckPolicy, CredentialCheckResult, CredentialCheckDenialCode, AcceptanceStamp, } from "./credential-check-policy/index.js";
 export { createAttributionReceipt, signAttributionConsent, verifyAttributionConsent, checkArtifactCitations, receiptCore, } from './attribution-consent/index.js';

package/dist/src/v2/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/v2/index.ts"],"names":[],"mappings":"AACA;;;GAGG;AAGH,YAAY,EACV,aAAa,EAAE,YAAY,EAAE,iBAAiB,EAAE,kBAAkB,EAClE,cAAc,EAAE,mBAAmB,EAAE,YAAY,EAAE,cAAc,EACjE,SAAS,EAAE,qBAAqB,EAAE,UAAU,EAAE,WAAW,EACzD,gBAAgB,EAAE,kBAAkB,EAAE,aAAa,EACnD,kBAAkB,EAAE,0BAA0B,EAC9C,SAAS,EAAE,YAAY,EACvB,YAAY,EAAE,WAAW,EAAE,oBAAoB,EAC/C,gBAAgB,EAAE,eAAe,EACjC,mBAAmB,EAAE,qBAAqB,EAC1C,SAAS,EAAE,WAAW,EAAE,kBAAkB,EAC1C,cAAc,EAAE,gBAAgB,EAAE,cAAc,EAAE,kBAAkB,EACpE,iBAAiB,EAAE,kBAAkB,EAAE,aAAa,EACpD,qBAAqB,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,iBAAiB,EAChF,kBAAkB,EAAE,aAAa,EAAE,oBAAoB,EAAE,aAAa,EACtE,eAAe,EAAE,uBAAuB,EACxC,oBAAoB,EAAE,mBAAmB,EACzC,cAAc,EAAE,mBAAmB,GACpC,MAAM,YAAY,CAAA;AAGnB,OAAO,EACL,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,YAAY,EAC5C,mBAAmB,EAAE,qBAAqB,EAAE,sBAAsB,EAClE,gBAAgB,EAAE,gBAAgB,EAClC,wBAAwB,EAAE,uBAAuB,EACjD,oBAAoB,EACpB,0BAA0B,EAAE,uBAAuB,EACnD,kBAAkB,GACnB,MAAM,aAAa,CAAA;AAGpB,OAAO,EACL,kBAAkB,EAAE,qBAAqB,EAAE,iBAAiB,EAC5D,kBAAkB,EAAE,oBAAoB,EACxC,eAAe,EAAE,mBAAmB,EAAE,qBAAqB,EAC3D,wBAAwB,EAAE,wBAAwB,EAClD,oBAAoB,EAAE,sBAAsB,EAC5C,gBAAgB,EAAE,gBAAgB,GACnC,MAAM,oBAAoB,CAAA;AAC3B,YAAY,EAAE,wBAAwB,EAAE,2BAA2B,EAAE,MAAM,oBAAoB,CAAA;AAG/F,OAAO,EACL,qBAAqB,EAAE,oBAAoB,EAAE,sBAAsB,EACnE,kBAAkB,EAAE,qBAAqB,EACzC,wBAAwB,EAAE,2BAA2B,EACrD,qBAAqB,EAAE,yBAAyB,EAChD,mBAAmB,GACpB,MAAM,iBAAiB,CAAA;AAKxB,OAAO,EACL,+BAA+B,GAChC,MAAM,iBAAiB,CAAA;AAGxB,OAAO,EACL,wBAAwB,EAAE,mBAAmB,EAC7C,oBAAoB,EAAE,iBAAiB,EACvC,YAAY,EAAE,0BAA0B,EACxC,eAAe,EAAE,sBAAsB,EACvC,mBAAmB,EAAE,sBAAsB,GAC5C,MAAM,mBAAmB,CAAA;AAC1B,YAAY,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAA;AAKlF,OAAO,EACL,6BAA6B,GAC9B,MAAM,mBAAmB,CAAA;AAK1B,OAAO,EACL,eAAe,EAAE,0BAA0B,GAC5C,MAAM,qBAAqB,CAAA;AAM5B,OAAO,EACL,eAAe,EAAE,oBAAoB,GACtC,MAAM,qBAAqB,CAAA;AAG5B,OAAO,EACL,aAAa,EAAE,eAAe,EAAE,iBAAiB,EACjD,gBAAgB,EAAE,aAAa,EAAE,UAAU,EAC3C,6BAA6B,GAC9B,MAAM,0BAA0B,CAAA;AACjC,YAAY,EAAE,iBAAiB,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAA;AAG7F,OAAO,EACL,iBAAiB,EAAE,WAAW,EAAE,sBAAsB,EACtD,cAAc,EAAE,wBAAwB,GACzC,MAAM,qBAAqB,CAAA;AAC5B,YAAY,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AAKxD,OAAO,EACL,2BAA2B,GAC5B,MAAM,uBAAuB,CAAA;AAC9B,YAAY,EAAE,kBAAkB,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAA;AAG9F,OAAO,EACL,aAAa,EAAE,aAAa,EAAE,oBAAoB,EAClD,sBAAsB,EAAE,aAAa,EACrC,kBAAkB,EAAE,UAAU,EAAE,wBAAwB,GACzD,MAAM,sBAAsB,CAAA;AAC7B,YAAY,EAAE,iBAAiB,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAA;AAG/F,OAAO,EACL,kBAAkB,EAAE,cAAc,EAClC,cAAc,EAAE,sBAAsB,GACvC,MAAM,2BAA2B,CAAA;AAClC,YAAY,EACV,yBAAyB,EAAE,qBAAqB,EAAE,oBAAoB,EACtE,cAAc,GACf,MAAM,2BAA2B,CAAA;AAIlC,OAAO,EACL,uBAAuB,EAAE,wBAAwB,EAAE,uBAAuB,EAC1E,uBAAuB,EAAE,mBAAmB,EAAE,2BAA2B,EACzE,iBAAiB,EAAE,8BAA8B,GAClD,MAAM,uBAAuB,CAAA;AAC9B,YAAY,EACV,gBAAgB,EAAE,eAAe,EAAE,wBAAwB,EAC3D,mBAAmB,EAAE,qBAAqB,GAC3C,MAAM,uBAAuB,CAAA;AAI9B,OAAO,EACL,UAAU,EAAE,YAAY,EAAE,iBAAiB,EAAE,iBAAiB,GAC/D,MAAM,2BAA2B,CAAA;AAClC,YAAY,EACV,WAAW,EAAE,WAAW,EAAE,2BAA2B,EAAE,WAAW,GACnE,MAAM,2BAA2B,CAAA;AAIlC,OAAO,EACL,cAAc,EAAE,uBAAuB,EAAE,gBAAgB,GAC1D,MAAM,oCAAoC,CAAA;AAC3C,YAAY,EACV,mBAAmB,EAAE,qBAAqB,EAAE,qBAAqB,EACjE,yBAAyB,EAAE,eAAe,GAC3C,MAAM,oCAAoC,CAAA;AAI3C,OAAO,EACL,wBAAwB,EAAE,sBAAsB,EAChD,wBAAwB,EAAE,sBAAsB,EAAE,WAAW,GAC9D,MAAM,gCAAgC,CAAA;AACvC,YAAY,EACV,kBAAkB,EAAE,wBAAwB,EAAE,gBAAgB,EAC9D,cAAc,EAAE,8BAA8B,GAC/C,MAAM,gCAAgC,CAAA;AAIvC,OAAO,EACL,iBAAiB,EAAE,SAAS,EAAE,qBAAqB,EACnD,mBAAmB,EAAE,iBAAiB,EAAE,uBAAuB,EAC/D,gBAAgB,EAAE,cAAc,EAAE,uBAAuB,EACzD,eAAe,GAChB,MAAM,kCAAkC,CAAA;AACzC,YAAY,EACV,oBAAoB,EAAE,cAAc,EAAE,eAAe,EACrD,aAAa,EAAE,iBAAiB,EAAE,qBAAqB,EACvD,uBAAuB,GACxB,MAAM,kCAAkC,CAAA;AAMzC,OAAO,EACL,iBAAiB,EACjB,sBAAsB,EACtB,yBAAyB,EACzB,sBAAsB,EACtB,mBAAmB,EACnB,iBAAiB,EACjB,YAAY,EACZ,UAAU,EACV,qBAAqB,GACtB,MAAM,gCAAgC,CAAA;AACvC,YAAY,EACV,qBAAqB,EACrB,eAAe,EACf,yBAAyB,EACzB,sBAAsB,EACtB,sBAAsB,EACtB,gBAAgB,EAChB,aAAa,GACd,MAAM,gCAAgC,CAAA;AAMvC,OAAO,EACL,8BAA8B,EAC9B,0BAA0B,EAC1B,6BAA6B,EAC7B,eAAe,IAAI,yBAAyB,EAC5C,sBAAsB,EACtB,mBAAmB,EACnB,sBAAsB,EACtB,mBAAmB,EACnB,kBAAkB,EAClB,oBAAoB,EACpB,wBAAwB,EACxB,oBAAoB,EACpB,8BAA8B,EAC9B,gBAAgB,IAAI,0BAA0B,EAC9C,sBAAsB,EACtB,yBAAyB,GAC1B,MAAM,mCAAmC,CAAA;AAK1C,YAAY,EACV,gBAAgB,IAAI,qCAAqC,EACzD,wBAAwB,IAAI,mCAAmC,EAC/D,wBAAwB,IAAI,mCAAmC,EAC/D,mBAAmB,IAAI,8BAA8B,EACrD,qBAAqB,IAAI,gCAAgC,EACzD,gBAAgB,IAAI,2BAA2B,EAC/C,gBAAgB,IAAI,2BAA2B,EAC/C,wBAAwB,IAAI,mCAAmC,EAC/D,sBAAsB,IAAI,iCAAiC,EAC3D,sBAAsB,IAAI,iCAAiC,EAC3D,uBAAuB,IAAI,kCAAkC,GAC9D,MAAM,mCAAmC,CAAA;AAM1C,OAAO,EACL,qBAAqB,EAAE,kBAAkB,EACzC,oBAAoB,EAAE,iBAAiB,EAAE,qBAAqB,EAC9D,wBAAwB,EAAE,gBAAgB,EAC1C,kBAAkB,IAAI,6BAA6B,EACnD,gBAAgB,IAAI,2BAA2B,EAC/C,0BAA0B,EAAE,2BAA2B,EACvD,6BAA6B,EAAE,aAAa,EAC5C,YAAY,EAAE,QAAQ,EACtB,aAAa,EAAE,mBAAmB,EAClC,cAAc,EAAE,kBAAkB,EAAE,cAAc,EAClD,iBAAiB,EAAE,iBAAiB,EACpC,iBAAiB,EAAE,iBAAiB,EACpC,eAAe,EAAE,0BAA0B,EAC3C,eAAe,EAAE,YAAY,EAAE,gBAAgB,EAC/C,cAAc,EACd,0BAA0B,EAAE,2BAA2B,GACxD,MAAM,kCAAkC,CAAA;AACzC,YAAY,EACV,gBAAgB,EAAE,iBAAiB,EACnC,iBAAiB,EAAE,eAAe,EAAE,kBAAkB,EACtD,4BAA4B,EAAE,mBAAmB,EACjD,oBAAoB,EAAE,qBAAqB,EAAE,uBAAuB,EACpE,gBAAgB,EAAE,eAAe,EACjC,0BAA0B,EAC1B,aAAa,EAAE,YAAY,EAC3B,mBAAmB,EACnB,WAAW,EACX,iBAAiB,EAAE,gBAAgB,EACnC,cAAc,GACf,MAAM,kCAAkC,CAAA"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/v2/index.ts"],"names":[],"mappings":"AACA;;;GAGG;AAGH,YAAY,EACV,aAAa,EAAE,YAAY,EAAE,iBAAiB,EAAE,kBAAkB,EAClE,cAAc,EAAE,mBAAmB,EAAE,YAAY,EAAE,cAAc,EACjE,SAAS,EAAE,qBAAqB,EAAE,UAAU,EAAE,WAAW,EACzD,gBAAgB,EAAE,kBAAkB,EAAE,aAAa,EACnD,kBAAkB,EAAE,0BAA0B,EAC9C,SAAS,EAAE,YAAY,EACvB,YAAY,EAAE,WAAW,EAAE,oBAAoB,EAC/C,gBAAgB,EAAE,eAAe,EACjC,mBAAmB,EAAE,qBAAqB,EAC1C,SAAS,EAAE,WAAW,EAAE,kBAAkB,EAC1C,cAAc,EAAE,gBAAgB,EAAE,cAAc,EAAE,kBAAkB,EACpE,iBAAiB,EAAE,kBAAkB,EAAE,aAAa,EACpD,qBAAqB,EAAE,mBAAmB,EAAE,iBAAiB,EAAE,iBAAiB,EAChF,kBAAkB,EAAE,aAAa,EAAE,oBAAoB,EAAE,aAAa,EACtE,eAAe,EAAE,uBAAuB,EACxC,oBAAoB,EAAE,mBAAmB,EACzC,cAAc,EAAE,mBAAmB,GACpC,MAAM,YAAY,CAAA;AAGnB,OAAO,EACL,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,YAAY,EAC5C,mBAAmB,EAAE,qBAAqB,EAAE,sBAAsB,EAClE,gBAAgB,EAAE,gBAAgB,EAClC,wBAAwB,EAAE,uBAAuB,EACjD,oBAAoB,EACpB,0BAA0B,EAAE,uBAAuB,EACnD,kBAAkB,GACnB,MAAM,aAAa,CAAA;AAGpB,OAAO,EACL,kBAAkB,EAAE,qBAAqB,EAAE,iBAAiB,EAC5D,kBAAkB,EAAE,oBAAoB,EACxC,eAAe,EAAE,mBAAmB,EAAE,qBAAqB,EAC3D,wBAAwB,EAAE,wBAAwB,EAClD,oBAAoB,EAAE,sBAAsB,EAC5C,gBAAgB,EAAE,gBAAgB,GACnC,MAAM,oBAAoB,CAAA;AAC3B,YAAY,EAAE,wBAAwB,EAAE,2BAA2B,EAAE,MAAM,oBAAoB,CAAA;AAG/F,OAAO,EACL,qBAAqB,EAAE,oBAAoB,EAAE,sBAAsB,EACnE,kBAAkB,EAAE,qBAAqB,EACzC,wBAAwB,EAAE,2BAA2B,EACrD,qBAAqB,EAAE,yBAAyB,EAChD,mBAAmB,GACpB,MAAM,iBAAiB,CAAA;AAKxB,OAAO,EACL,+BAA+B,GAChC,MAAM,iBAAiB,CAAA;AAGxB,OAAO,EACL,wBAAwB,EAAE,mBAAmB,EAC7C,oBAAoB,EAAE,iBAAiB,EACvC,YAAY,EAAE,0BAA0B,EACxC,eAAe,EAAE,sBAAsB,EACvC,mBAAmB,EAAE,sBAAsB,GAC5C,MAAM,mBAAmB,CAAA;AAC1B,YAAY,EAAE,kBAAkB,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAA;AAKlF,OAAO,EACL,6BAA6B,GAC9B,MAAM,mBAAmB,CAAA;AAK1B,OAAO,EACL,eAAe,EAAE,0BAA0B,GAC5C,MAAM,qBAAqB,CAAA;AAM5B,OAAO,EACL,eAAe,EAAE,oBAAoB,GACtC,MAAM,qBAAqB,CAAA;AAG5B,OAAO,EACL,aAAa,EAAE,eAAe,EAAE,iBAAiB,EACjD,gBAAgB,EAAE,aAAa,EAAE,UAAU,EAC3C,6BAA6B,GAC9B,MAAM,0BAA0B,CAAA;AACjC,YAAY,EAAE,iBAAiB,EAAE,WAAW,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAA;AAG7F,OAAO,EACL,iBAAiB,EAAE,WAAW,EAAE,sBAAsB,EACtD,cAAc,EAAE,wBAAwB,GACzC,MAAM,qBAAqB,CAAA;AAC5B,YAAY,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AAKxD,OAAO,EACL,2BAA2B,GAC5B,MAAM,uBAAuB,CAAA;AAC9B,YAAY,EAAE,kBAAkB,EAAE,aAAa,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAA;AAG9F,OAAO,EACL,aAAa,EAAE,aAAa,EAAE,oBAAoB,EAClD,sBAAsB,EAAE,aAAa,EACrC,kBAAkB,EAAE,UAAU,EAAE,wBAAwB,GACzD,MAAM,sBAAsB,CAAA;AAC7B,YAAY,EAAE,iBAAiB,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,sBAAsB,CAAA;AAG/F,OAAO,EACL,kBAAkB,EAAE,cAAc,EAClC,cAAc,EAAE,sBAAsB,GACvC,MAAM,2BAA2B,CAAA;AAClC,YAAY,EACV,yBAAyB,EAAE,qBAAqB,EAAE,oBAAoB,EACtE,cAAc,GACf,MAAM,2BAA2B,CAAA;AAIlC,OAAO,EACL,uBAAuB,EAAE,wBAAwB,EAAE,uBAAuB,EAC1E,uBAAuB,EAAE,mBAAmB,EAAE,2BAA2B,EACzE,iBAAiB,EAAE,8BAA8B,GAClD,MAAM,uBAAuB,CAAA;AAC9B,YAAY,EACV,gBAAgB,EAAE,eAAe,EAAE,wBAAwB,EAC3D,mBAAmB,EAAE,qBAAqB,GAC3C,MAAM,uBAAuB,CAAA;AAI9B,OAAO,EACL,UAAU,EAAE,YAAY,EAAE,iBAAiB,EAAE,iBAAiB,GAC/D,MAAM,2BAA2B,CAAA;AAClC,YAAY,EACV,WAAW,EAAE,WAAW,EAAE,2BAA2B,EAAE,WAAW,GACnE,MAAM,2BAA2B,CAAA;AAQlC,OAAO,EACL,gBAAgB,EAAE,uBAAuB,EACzC,eAAe,IAAI,wBAAwB,EAC3C,0BAA0B,EAAE,sBAAsB,EAAE,wBAAwB,EAC5E,eAAe,IAAI,mCAAmC,EACtD,yBAAyB,EACzB,qBAAqB,EAAE,cAAc,GACtC,MAAM,kCAAkC,CAAA;AACzC,YAAY,EACV,oBAAoB,EAAE,QAAQ,EAAE,aAAa,EAAE,UAAU,EACzD,iBAAiB,EAAE,iBAAiB,EAAE,SAAS,IAAI,6BAA6B,EAChF,UAAU,IAAI,8BAA8B,EAAE,oBAAoB,EAClE,SAAS,EAAE,eAAe,EAAE,OAAO,EAAE,mBAAmB,EACxD,iBAAiB,EAAE,cAAc,EAAE,qBAAqB,EACxD,oBAAoB,EAAE,gBAAgB,EAAE,0BAA0B,EAClE,aAAa,EAAE,wBAAwB,EACvC,gBAAgB,EAAE,gBAAgB,EAAE,oBAAoB,EACxD,4BAA4B,EAAE,8BAA8B,EAC5D,mBAAmB,EAAE,OAAO,GAC7B,MAAM,kCAAkC,CAAA;AAIzC,OAAO,EACL,cAAc,EAAE,uBAAuB,EAAE,gBAAgB,GAC1D,MAAM,oCAAoC,CAAA;AAC3C,YAAY,EACV,mBAAmB,EAAE,qBAAqB,EAAE,qBAAqB,EACjE,yBAAyB,EAAE,eAAe,GAC3C,MAAM,oCAAoC,CAAA;AAI3C,OAAO,EACL,wBAAwB,EAAE,sBAAsB,EAChD,wBAAwB,EAAE,sBAAsB,EAAE,WAAW,GAC9D,MAAM,gCAAgC,CAAA;AACvC,YAAY,EACV,kBAAkB,EAAE,wBAAwB,EAAE,gBAAgB,EAC9D,cAAc,EAAE,8BAA8B,GAC/C,MAAM,gCAAgC,CAAA;AAIvC,OAAO,EACL,iBAAiB,EAAE,SAAS,EAAE,qBAAqB,EACnD,mBAAmB,EAAE,iBAAiB,EAAE,uBAAuB,EAC/D,gBAAgB,EAAE,cAAc,EAAE,uBAAuB,EACzD,eAAe,GAChB,MAAM,kCAAkC,CAAA;AACzC,YAAY,EACV,oBAAoB,EAAE,cAAc,EAAE,eAAe,EACrD,aAAa,EAAE,iBAAiB,EAAE,qBAAqB,EACvD,uBAAuB,GACxB,MAAM,kCAAkC,CAAA;AAMzC,OAAO,EACL,iBAAiB,EACjB,sBAAsB,EACtB,yBAAyB,EACzB,sBAAsB,EACtB,mBAAmB,EACnB,iBAAiB,EACjB,YAAY,EACZ,UAAU,EACV,qBAAqB,GACtB,MAAM,gCAAgC,CAAA;AACvC,YAAY,EACV,qBAAqB,EACrB,eAAe,EACf,yBAAyB,EACzB,sBAAsB,EACtB,sBAAsB,EACtB,gBAAgB,EAChB,aAAa,GACd,MAAM,gCAAgC,CAAA;AAMvC,OAAO,EACL,8BAA8B,EAC9B,0BAA0B,EAC1B,6BAA6B,EAC7B,eAAe,IAAI,yBAAyB,EAC5C,sBAAsB,EACtB,mBAAmB,EACnB,sBAAsB,EACtB,mBAAmB,EACnB,kBAAkB,EAClB,oBAAoB,EACpB,wBAAwB,EACxB,oBAAoB,EACpB,8BAA8B,EAC9B,gBAAgB,IAAI,0BAA0B,EAC9C,sBAAsB,EACtB,yBAAyB,GAC1B,MAAM,mCAAmC,CAAA;AAK1C,YAAY,EACV,gBAAgB,IAAI,qCAAqC,EACzD,wBAAwB,IAAI,mCAAmC,EAC/D,wBAAwB,IAAI,mCAAmC,EAC/D,mBAAmB,IAAI,8BAA8B,EACrD,qBAAqB,IAAI,gCAAgC,EACzD,gBAAgB,IAAI,2BAA2B,EAC/C,gBAAgB,IAAI,2BAA2B,EAC/C,wBAAwB,IAAI,mCAAmC,EAC/D,sBAAsB,IAAI,iCAAiC,EAC3D,sBAAsB,IAAI,iCAAiC,EAC3D,uBAAuB,IAAI,kCAAkC,GAC9D,MAAM,mCAAmC,CAAA;AAM1C,OAAO,EACL,qBAAqB,EAAE,kBAAkB,EACzC,oBAAoB,EAAE,iBAAiB,EAAE,qBAAqB,EAC9D,wBAAwB,EAAE,gBAAgB,EAC1C,kBAAkB,IAAI,6BAA6B,EACnD,gBAAgB,IAAI,2BAA2B,EAC/C,0BAA0B,EAAE,2BAA2B,EACvD,6BAA6B,EAAE,aAAa,EAC5C,YAAY,EAAE,QAAQ,EACtB,aAAa,EAAE,mBAAmB,EAClC,cAAc,EAAE,kBAAkB,EAAE,cAAc,EAClD,iBAAiB,EAAE,iBAAiB,EACpC,iBAAiB,EAAE,iBAAiB,EACpC,eAAe,EAAE,0BAA0B,EAC3C,eAAe,EAAE,YAAY,EAAE,gBAAgB,EAC/C,cAAc,EACd,0BAA0B,EAAE,2BAA2B,GACxD,MAAM,kCAAkC,CAAA;AACzC,YAAY,EACV,gBAAgB,EAAE,iBAAiB,EACnC,iBAAiB,EAAE,eAAe,EAAE,kBAAkB,EACtD,4BAA4B,EAAE,mBAAmB,EACjD,oBAAoB,EAAE,qBAAqB,EAAE,uBAAuB,EACpE,gBAAgB,EAAE,eAAe,EACjC,0BAA0B,EAC1B,aAAa,EAAE,YAAY,EAC3B,mBAAmB,EACnB,WAAW,EACX,iBAAiB,EAAE,gBAAgB,EACnC,cAAc,GACf,MAAM,kCAAkC,CAAA"}

package/dist/src/v2/index.js

@@ -43,6 +43,13 @@ export { subDelegateAdvisor, consultAdvisor, getAdvisorUses, clearAdvisorUseTrac
 export { checkEscalationRequired, requestOwnerConfirmation, recordOwnerConfirmation, verifyOwnerConfirmation, isConfirmationValid, verifyV2DelegationForAction, hashActionDetails, DEFAULT_FLAGGED_ACTION_CLASSES, } from './human-escalation.js';
 // Wallet Binding (agent-native structural attestation)
 export { bindWallet, unbindWallet, verifyBoundWallet, verifyUnbindEvent, } from "./wallet-binding/index.js";
+// Cognitive Attestation (Paper 7 — Zenodo DOI 10.5281/zenodo.19646276)
+// Signed declarations of feature-level model computation. SDK ships the
+// envelope, JCS canonicalization, Ed25519 signing, Stage 1 verification,
+// Stage 2 registry interface, Stage 3 replay stub, typed dispute primitives.
+// Dispute resolution / transparency logs / cross-tenant correlation live
+// in @aeoess/gateway.
+export { buildAttestation, canonicalizeAttestation, signAttestation as signCognitiveAttestation, cognitiveAttestationDigest, sortFeatureActivations, validateAttestationShape, verifySignature as verifyCognitiveAttestationSignature, verifyRequiredSignerRoles, verifyAgainstRegistry, verifyByReplay, } from './cognitive-attestation/index.js';
 // Credential Check Policy (verification timing for governance metadata)
 // Proposed by @piiiico on a2aproject/A2A governance metadata thread.
 export { verifyOnAccept, evaluateCredentialCheck, resolveCheckMode, } from "./credential-check-policy/index.js";

package/dist/src/v2/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/v2/index.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E;;;GAGG;AAuBH,8DAA8D;AAC9D,OAAO,EACL,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,YAAY,EAC5C,mBAAmB,EAAE,qBAAqB,EAAE,sBAAsB,EAClE,gBAAgB,EAAE,gBAAgB,EAClC,wBAAwB,EAAE,uBAAuB,EACjD,oBAAoB,EACpB,0BAA0B,EAAE,uBAAuB,EACnD,kBAAkB,GACnB,MAAM,aAAa,CAAA;AAEpB,2BAA2B;AAC3B,OAAO,EACL,kBAAkB,EAAE,qBAAqB,EAAE,iBAAiB,EAC5D,kBAAkB,EAAE,oBAAoB,EACxC,eAAe,EAAE,mBAAmB,EAAE,qBAAqB,EAC3D,wBAAwB,EAAE,wBAAwB,EAClD,oBAAoB,EAAE,sBAAsB,EAC5C,gBAAgB,EAAE,gBAAgB,GACnC,MAAM,oBAAoB,CAAA;AAG3B,0BAA0B;AAC1B,OAAO,EACL,qBAAqB,EAAE,oBAAoB,EAAE,sBAAsB,EACnE,kBAAkB,EAAE,qBAAqB,EACzC,wBAAwB,EAAE,2BAA2B,EACrD,qBAAqB,EAAE,yBAAyB,EAChD,mBAAmB,GACpB,MAAM,iBAAiB,CAAA;AAExB,sEAAsE;AACtE,kEAAkE;AAClE,yEAAyE;AACzE,OAAO,EACL,+BAA+B,GAChC,MAAM,iBAAiB,CAAA;AAExB,wBAAwB;AACxB,OAAO,EACL,wBAAwB,EAAE,mBAAmB,EAC7C,oBAAoB,EAAE,iBAAiB,EACvC,YAAY,EAAE,0BAA0B,EACxC,eAAe,EAAE,sBAAsB,EACvC,mBAAmB,EAAE,sBAAsB,GAC5C,MAAM,mBAAmB,CAAA;AAG1B,qEAAqE;AACrE,sEAAsE;AACtE,gEAAgE;AAChE,OAAO,EACL,6BAA6B,GAC9B,MAAM,mBAAmB,CAAA;AAE1B,4DAA4D;AAC5D,wEAAwE;AACxE,iBAAiB;AACjB,OAAO,EACL,eAAe,EAAE,0BAA0B,GAC5C,MAAM,qBAAqB,CAAA;AAG5B,+DAA+D;AAC/D,8DAA8D;AAC9D,iCAAiC;AACjC,OAAO,EACL,eAAe,EAAE,oBAAoB,GACtC,MAAM,qBAAqB,CAAA;AAE5B,kDAAkD;AAClD,OAAO,EACL,aAAa,EAAE,eAAe,EAAE,iBAAiB,EACjD,gBAAgB,EAAE,aAAa,EAAE,UAAU,EAC3C,6BAA6B,GAC9B,MAAM,0BAA0B,CAAA;AAGjC,oEAAoE;AACpE,OAAO,EACL,iBAAiB,EAAE,WAAW,EAAE,sBAAsB,EACtD,cAAc,EAAE,wBAAwB,GACzC,MAAM,qBAAqB,CAAA;AAG5B,sEAAsE;AACtE,qEAAqE;AACrE,iCAAiC;AACjC,OAAO,EACL,2BAA2B,GAC5B,MAAM,uBAAuB,CAAA;AAG9B,oCAAoC;AACpC,OAAO,EACL,aAAa,EAAE,aAAa,EAAE,oBAAoB,EAClD,sBAAsB,EAAE,aAAa,EACrC,kBAAkB,EAAE,UAAU,EAAE,wBAAwB,GACzD,MAAM,sBAAsB,CAAA;AAG7B,oEAAoE;AACpE,OAAO,EACL,kBAAkB,EAAE,cAAc,EAClC,cAAc,EAAE,sBAAsB,GACvC,MAAM,2BAA2B,CAAA;AAOlC,+DAA+D;AAC/D,OAAO,EACL,uBAAuB,EAAE,wBAAwB,EAAE,uBAAuB,EAC1E,uBAAuB,EAAE,mBAAmB,EAAE,2BAA2B,EACzE,iBAAiB,EAAE,8BAA8B,GAClD,MAAM,uBAAuB,CAAA;AAO9B,uDAAuD;AACvD,OAAO,EACL,UAAU,EAAE,YAAY,EAAE,iBAAiB,EAAE,iBAAiB,GAC/D,MAAM,2BAA2B,CAAA;AAKlC,wEAAwE;AACxE,qEAAqE;AACrE,OAAO,EACL,cAAc,EAAE,uBAAuB,EAAE,gBAAgB,GAC1D,MAAM,oCAAoC,CAAA;AAM3C,mEAAmE;AACnE,4CAA4C;AAC5C,OAAO,EACL,wBAAwB,EAAE,sBAAsB,EAChD,wBAAwB,EAAE,sBAAsB,EAAE,WAAW,GAC9D,MAAM,gCAAgC,CAAA;AAMvC,6EAA6E;AAC7E,gFAAgF;AAChF,OAAO,EACL,iBAAiB,EAAE,SAAS,EAAE,qBAAqB,EACnD,mBAAmB,EAAE,iBAAiB,EAAE,uBAAuB,EAC/D,gBAAgB,EAAE,cAAc,EAAE,uBAAuB,EACzD,eAAe,GAChB,MAAM,kCAAkC,CAAA;AAOzC,uEAAuE;AACvE,sEAAsE;AACtE,wEAAwE;AACxE,+EAA+E;AAC/E,OAAO,EACL,iBAAiB,EACjB,sBAAsB,EACtB,yBAAyB,EACzB,sBAAsB,EACtB,mBAAmB,EACnB,iBAAiB,EACjB,YAAY,EACZ,UAAU,EACV,qBAAqB,GACtB,MAAM,gCAAgC,CAAA;AAWvC,uEAAuE;AACvE,iEAAiE;AACjE,wEAAwE;AACxE,wDAAwD;AACxD,OAAO,EACL,8BAA8B,EAC9B,0BAA0B,EAC1B,6BAA6B,EAC7B,eAAe,IAAI,yBAAyB,EAC5C,sBAAsB,EACtB,mBAAmB,EACnB,sBAAsB,EACtB,mBAAmB,EACnB,kBAAkB,EAClB,oBAAoB,EACpB,wBAAwB,EACxB,oBAAoB,EACpB,8BAA8B,EAC9B,gBAAgB,IAAI,0BAA0B,EAC9C,sBAAsB,EACtB,yBAAyB,GAC1B,MAAM,mCAAmC,CAAA;AAmB1C,uEAAuE;AACvE,8DAA8D;AAC9D,uEAAuE;AACvE,uEAAuE;AACvE,OAAO,EACL,qBAAqB,EAAE,kBAAkB,EACzC,oBAAoB,EAAE,iBAAiB,EAAE,qBAAqB,EAC9D,wBAAwB,EAAE,gBAAgB,EAC1C,kBAAkB,IAAI,6BAA6B,EACnD,gBAAgB,IAAI,2BAA2B,EAC/C,0BAA0B,EAAE,2BAA2B,EACvD,6BAA6B,EAAE,aAAa,EAC5C,YAAY,EAAE,QAAQ,EACtB,aAAa,EAAE,mBAAmB,EAClC,cAAc,EAAE,kBAAkB,EAAE,cAAc,EAClD,iBAAiB,EAAE,iBAAiB,EACpC,iBAAiB,EAAE,iBAAiB,EACpC,eAAe,EAAE,0BAA0B,EAC3C,eAAe,EAAE,YAAY,EAAE,gBAAgB,EAC/C,cAAc,EACd,0BAA0B,EAAE,2BAA2B,GACxD,MAAM,kCAAkC,CAAA"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/v2/index.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E;;;GAGG;AAuBH,8DAA8D;AAC9D,OAAO,EACL,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,YAAY,EAC5C,mBAAmB,EAAE,qBAAqB,EAAE,sBAAsB,EAClE,gBAAgB,EAAE,gBAAgB,EAClC,wBAAwB,EAAE,uBAAuB,EACjD,oBAAoB,EACpB,0BAA0B,EAAE,uBAAuB,EACnD,kBAAkB,GACnB,MAAM,aAAa,CAAA;AAEpB,2BAA2B;AAC3B,OAAO,EACL,kBAAkB,EAAE,qBAAqB,EAAE,iBAAiB,EAC5D,kBAAkB,EAAE,oBAAoB,EACxC,eAAe,EAAE,mBAAmB,EAAE,qBAAqB,EAC3D,wBAAwB,EAAE,wBAAwB,EAClD,oBAAoB,EAAE,sBAAsB,EAC5C,gBAAgB,EAAE,gBAAgB,GACnC,MAAM,oBAAoB,CAAA;AAG3B,0BAA0B;AAC1B,OAAO,EACL,qBAAqB,EAAE,oBAAoB,EAAE,sBAAsB,EACnE,kBAAkB,EAAE,qBAAqB,EACzC,wBAAwB,EAAE,2BAA2B,EACrD,qBAAqB,EAAE,yBAAyB,EAChD,mBAAmB,GACpB,MAAM,iBAAiB,CAAA;AAExB,sEAAsE;AACtE,kEAAkE;AAClE,yEAAyE;AACzE,OAAO,EACL,+BAA+B,GAChC,MAAM,iBAAiB,CAAA;AAExB,wBAAwB;AACxB,OAAO,EACL,wBAAwB,EAAE,mBAAmB,EAC7C,oBAAoB,EAAE,iBAAiB,EACvC,YAAY,EAAE,0BAA0B,EACxC,eAAe,EAAE,sBAAsB,EACvC,mBAAmB,EAAE,sBAAsB,GAC5C,MAAM,mBAAmB,CAAA;AAG1B,qEAAqE;AACrE,sEAAsE;AACtE,gEAAgE;AAChE,OAAO,EACL,6BAA6B,GAC9B,MAAM,mBAAmB,CAAA;AAE1B,4DAA4D;AAC5D,wEAAwE;AACxE,iBAAiB;AACjB,OAAO,EACL,eAAe,EAAE,0BAA0B,GAC5C,MAAM,qBAAqB,CAAA;AAG5B,+DAA+D;AAC/D,8DAA8D;AAC9D,iCAAiC;AACjC,OAAO,EACL,eAAe,EAAE,oBAAoB,GACtC,MAAM,qBAAqB,CAAA;AAE5B,kDAAkD;AAClD,OAAO,EACL,aAAa,EAAE,eAAe,EAAE,iBAAiB,EACjD,gBAAgB,EAAE,aAAa,EAAE,UAAU,EAC3C,6BAA6B,GAC9B,MAAM,0BAA0B,CAAA;AAGjC,oEAAoE;AACpE,OAAO,EACL,iBAAiB,EAAE,WAAW,EAAE,sBAAsB,EACtD,cAAc,EAAE,wBAAwB,GACzC,MAAM,qBAAqB,CAAA;AAG5B,sEAAsE;AACtE,qEAAqE;AACrE,iCAAiC;AACjC,OAAO,EACL,2BAA2B,GAC5B,MAAM,uBAAuB,CAAA;AAG9B,oCAAoC;AACpC,OAAO,EACL,aAAa,EAAE,aAAa,EAAE,oBAAoB,EAClD,sBAAsB,EAAE,aAAa,EACrC,kBAAkB,EAAE,UAAU,EAAE,wBAAwB,GACzD,MAAM,sBAAsB,CAAA;AAG7B,oEAAoE;AACpE,OAAO,EACL,kBAAkB,EAAE,cAAc,EAClC,cAAc,EAAE,sBAAsB,GACvC,MAAM,2BAA2B,CAAA;AAOlC,+DAA+D;AAC/D,OAAO,EACL,uBAAuB,EAAE,wBAAwB,EAAE,uBAAuB,EAC1E,uBAAuB,EAAE,mBAAmB,EAAE,2BAA2B,EACzE,iBAAiB,EAAE,8BAA8B,GAClD,MAAM,uBAAuB,CAAA;AAO9B,uDAAuD;AACvD,OAAO,EACL,UAAU,EAAE,YAAY,EAAE,iBAAiB,EAAE,iBAAiB,GAC/D,MAAM,2BAA2B,CAAA;AAKlC,uEAAuE;AACvE,wEAAwE;AACxE,yEAAyE;AACzE,6EAA6E;AAC7E,yEAAyE;AACzE,sBAAsB;AACtB,OAAO,EACL,gBAAgB,EAAE,uBAAuB,EACzC,eAAe,IAAI,wBAAwB,EAC3C,0BAA0B,EAAE,sBAAsB,EAAE,wBAAwB,EAC5E,eAAe,IAAI,mCAAmC,EACtD,yBAAyB,EACzB,qBAAqB,EAAE,cAAc,GACtC,MAAM,kCAAkC,CAAA;AAczC,wEAAwE;AACxE,qEAAqE;AACrE,OAAO,EACL,cAAc,EAAE,uBAAuB,EAAE,gBAAgB,GAC1D,MAAM,oCAAoC,CAAA;AAM3C,mEAAmE;AACnE,4CAA4C;AAC5C,OAAO,EACL,wBAAwB,EAAE,sBAAsB,EAChD,wBAAwB,EAAE,sBAAsB,EAAE,WAAW,GAC9D,MAAM,gCAAgC,CAAA;AAMvC,6EAA6E;AAC7E,gFAAgF;AAChF,OAAO,EACL,iBAAiB,EAAE,SAAS,EAAE,qBAAqB,EACnD,mBAAmB,EAAE,iBAAiB,EAAE,uBAAuB,EAC/D,gBAAgB,EAAE,cAAc,EAAE,uBAAuB,EACzD,eAAe,GAChB,MAAM,kCAAkC,CAAA;AAOzC,uEAAuE;AACvE,sEAAsE;AACtE,wEAAwE;AACxE,+EAA+E;AAC/E,OAAO,EACL,iBAAiB,EACjB,sBAAsB,EACtB,yBAAyB,EACzB,sBAAsB,EACtB,mBAAmB,EACnB,iBAAiB,EACjB,YAAY,EACZ,UAAU,EACV,qBAAqB,GACtB,MAAM,gCAAgC,CAAA;AAWvC,uEAAuE;AACvE,iEAAiE;AACjE,wEAAwE;AACxE,wDAAwD;AACxD,OAAO,EACL,8BAA8B,EAC9B,0BAA0B,EAC1B,6BAA6B,EAC7B,eAAe,IAAI,yBAAyB,EAC5C,sBAAsB,EACtB,mBAAmB,EACnB,sBAAsB,EACtB,mBAAmB,EACnB,kBAAkB,EAClB,oBAAoB,EACpB,wBAAwB,EACxB,oBAAoB,EACpB,8BAA8B,EAC9B,gBAAgB,IAAI,0BAA0B,EAC9C,sBAAsB,EACtB,yBAAyB,GAC1B,MAAM,mCAAmC,CAAA;AAmB1C,uEAAuE;AACvE,8DAA8D;AAC9D,uEAAuE;AACvE,uEAAuE;AACvE,OAAO,EACL,qBAAqB,EAAE,kBAAkB,EACzC,oBAAoB,EAAE,iBAAiB,EAAE,qBAAqB,EAC9D,wBAAwB,EAAE,gBAAgB,EAC1C,kBAAkB,IAAI,6BAA6B,EACnD,gBAAgB,IAAI,2BAA2B,EAC/C,0BAA0B,EAAE,2BAA2B,EACvD,6BAA6B,EAAE,aAAa,EAC5C,YAAY,EAAE,QAAQ,EACtB,aAAa,EAAE,mBAAmB,EAClC,cAAc,EAAE,kBAAkB,EAAE,cAAc,EAClD,iBAAiB,EAAE,iBAAiB,EACpC,iBAAiB,EAAE,iBAAiB,EACpC,eAAe,EAAE,0BAA0B,EAC3C,eAAe,EAAE,YAAY,EAAE,gBAAgB,EAC/C,cAAc,EACd,0BAA0B,EAAE,2BAA2B,GACxD,MAAM,kCAAkC,CAAA"}

package/dist/src/v2/mutual-auth/certificate.d.ts

@@ -0,0 +1,39 @@
+import type { MutualAuthCertificate, MutualAuthRole, TrustAnchor } from './types.js';
+export interface BuildCertificateInput {
+    role: MutualAuthRole;
+    subject_id: string;
+    subject_pubkey_hex: string;
+    issuer_id: string;
+    issuer_role: MutualAuthRole | 'trust_anchor';
+    binding: string;
+    not_before: number;
+    not_after: number;
+    supported_versions: string[];
+    attestation_grade?: 0 | 1 | 2 | 3;
+    capabilities?: string[];
+}
+/** Build an unsigned certificate. Call signCertificate next. */
+export declare function buildCertificate(input: BuildCertificateInput, issuer_pubkey_hex: string): Omit<MutualAuthCertificate, 'signature_b64'>;
+/** Sign an unsigned certificate with the issuer's private key (hex). */
+export declare function signCertificate(unsigned: Omit<MutualAuthCertificate, 'signature_b64'>, issuer_sk_hex: string): MutualAuthCertificate;
+/** Stable content-hash identifier for a certificate (for session_id
+ *  derivation, audit references, etc.). Does not include the signature
+ *  so equivalent unsigned certificates produce the same id. */
+export declare function certificateId(cert: MutualAuthCertificate): string;
+export interface VerifyCertificateOutcome {
+    ok: boolean;
+    reason?: 'signature_invalid' | 'expired' | 'not_yet_valid' | 'version_empty';
+}
+export declare function verifyCertificateSignature(cert: MutualAuthCertificate): VerifyCertificateOutcome;
+/** Check validity window using a supplied now() (unix ms). */
+export declare function isCertificateTemporallyValid(cert: MutualAuthCertificate, now_ms: number, max_clock_skew_ms?: number): VerifyCertificateOutcome;
+export interface AnchorCheckOutcome {
+    ok: boolean;
+    anchor?: TrustAnchor;
+    reason?: 'unknown_issuer' | 'revoked_anchor' | 'binding_mismatch';
+}
+/** Given a certificate and a local trust-anchor list, determine if
+ *  the certificate was issued by a trusted anchor and whether the
+ *  anchor's binding constraints (if any) permit this cert's binding. */
+export declare function checkAnchor(cert: MutualAuthCertificate, anchors: TrustAnchor[], revoked_anchor_ids?: string[]): AnchorCheckOutcome;
+//# sourceMappingURL=certificate.d.ts.map

package/dist/src/v2/mutual-auth/certificate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"certificate.d.ts","sourceRoot":"","sources":["../../../../src/v2/mutual-auth/certificate.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EACV,qBAAqB,EACrB,cAAc,EACd,WAAW,EACZ,MAAM,YAAY,CAAA;AAMnB,MAAM,WAAW,qBAAqB;IACpC,IAAI,EAAE,cAAc,CAAA;IACpB,UAAU,EAAE,MAAM,CAAA;IAClB,kBAAkB,EAAE,MAAM,CAAA;IAC1B,SAAS,EAAE,MAAM,CAAA;IACjB,WAAW,EAAE,cAAc,GAAG,cAAc,CAAA;IAC5C,OAAO,EAAE,MAAM,CAAA;IACf,UAAU,EAAE,MAAM,CAAA;IAClB,SAAS,EAAE,MAAM,CAAA;IACjB,kBAAkB,EAAE,MAAM,EAAE,CAAA;IAC5B,iBAAiB,CAAC,EAAE,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;IACjC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;CACxB;AAED,gEAAgE;AAChE,wBAAgB,gBAAgB,CAC9B,KAAK,EAAE,qBAAqB,EAC5B,iBAAiB,EAAE,MAAM,GACxB,IAAI,CAAC,qBAAqB,EAAE,eAAe,CAAC,CAgB9C;AAED,wEAAwE;AACxE,wBAAgB,eAAe,CAC7B,QAAQ,EAAE,IAAI,CAAC,qBAAqB,EAAE,eAAe,CAAC,EACtD,aAAa,EAAE,MAAM,GACpB,qBAAqB,CAKvB;AAED;;+DAE+D;AAC/D,wBAAgB,aAAa,CAAC,IAAI,EAAE,qBAAqB,GAAG,MAAM,CAIjE;AAID,MAAM,WAAW,wBAAwB;IACvC,EAAE,EAAE,OAAO,CAAA;IACX,MAAM,CAAC,EAAE,mBAAmB,GAAG,SAAS,GAAG,eAAe,GAAG,eAAe,CAAA;CAC7E;AAED,wBAAgB,0BAA0B,CACxC,IAAI,EAAE,qBAAqB,GAC1B,wBAAwB,CAU1B;AAED,8DAA8D;AAC9D,wBAAgB,4BAA4B,CAC1C,IAAI,EAAE,qBAAqB,EAC3B,MAAM,EAAE,MAAM,EACd,iBAAiB,SAAI,GACpB,wBAAwB,CAQ1B;AAID,MAAM,WAAW,kBAAkB;IACjC,EAAE,EAAE,OAAO,CAAA;IACX,MAAM,CAAC,EAAE,WAAW,CAAA;IACpB,MAAM,CAAC,EAAE,gBAAgB,GAAG,gBAAgB,GAAG,kBAAkB,CAAA;CAClE;AAED;;wEAEwE;AACxE,wBAAgB,WAAW,CACzB,IAAI,EAAE,qBAAqB,EAC3B,OAAO,EAAE,WAAW,EAAE,EACtB,kBAAkB,GAAE,MAAM,EAAO,GAChC,kBAAkB,CAapB"}

package/dist/src/v2/mutual-auth/certificate.js

@@ -0,0 +1,89 @@
+// Copyright 2024-2026 Tymofii Pidlisnyi. Apache-2.0 license. See LICENSE.
+// ══════════════════════════════════════════════════════════════════
+// Mutual Authentication v1 — certificate build, sign, verify
+// ══════════════════════════════════════════════════════════════════
+import { createHash } from 'node:crypto';
+import { canonicalizeJCS } from '../../core/canonical-jcs.js';
+import { sign as edSignHex, verify as edVerifyHex } from '../../crypto/keys.js';
+const SPEC_VERSION = '1.0';
+/** Build an unsigned certificate. Call signCertificate next. */
+export function buildCertificate(input, issuer_pubkey_hex) {
+    return {
+        spec_version: SPEC_VERSION,
+        role: input.role,
+        subject_id: input.subject_id,
+        issuer_id: input.issuer_id,
+        issuer_role: input.issuer_role,
+        issuer_pubkey_hex,
+        subject_pubkey_hex: input.subject_pubkey_hex,
+        not_before: input.not_before,
+        not_after: input.not_after,
+        binding: input.binding,
+        attestation_grade: input.attestation_grade,
+        supported_versions: input.supported_versions,
+        capabilities: input.capabilities,
+    };
+}
+/** Sign an unsigned certificate with the issuer's private key (hex). */
+export function signCertificate(unsigned, issuer_sk_hex) {
+    const canonical = canonicalizeJCS(unsigned);
+    const sig_hex = edSignHex(canonical, issuer_sk_hex);
+    const sig_b64 = Buffer.from(sig_hex, 'hex').toString('base64');
+    return { ...unsigned, signature_b64: sig_b64 };
+}
+/** Stable content-hash identifier for a certificate (for session_id
+ *  derivation, audit references, etc.). Does not include the signature
+ *  so equivalent unsigned certificates produce the same id. */
+export function certificateId(cert) {
+    const { signature_b64: _sig, ...rest } = cert;
+    const canonical = canonicalizeJCS(rest);
+    return 'sha256:' + createHash('sha256').update(canonical).digest('hex');
+}
+export function verifyCertificateSignature(cert) {
+    if (!cert.supported_versions || cert.supported_versions.length === 0) {
+        return { ok: false, reason: 'version_empty' };
+    }
+    const { signature_b64, ...rest } = cert;
+    const canonical = canonicalizeJCS(rest);
+    const sig_hex = Buffer.from(signature_b64, 'base64').toString('hex');
+    const ok = edVerifyHex(canonical, sig_hex, cert.issuer_pubkey_hex);
+    if (!ok)
+        return { ok: false, reason: 'signature_invalid' };
+    return { ok: true };
+}
+/** Check validity window using a supplied now() (unix ms). */
+export function isCertificateTemporallyValid(cert, now_ms, max_clock_skew_ms = 0) {
+    if (now_ms + max_clock_skew_ms < cert.not_before) {
+        return { ok: false, reason: 'not_yet_valid' };
+    }
+    if (now_ms - max_clock_skew_ms > cert.not_after) {
+        return { ok: false, reason: 'expired' };
+    }
+    return { ok: true };
+}
+/** Given a certificate and a local trust-anchor list, determine if
+ *  the certificate was issued by a trusted anchor and whether the
+ *  anchor's binding constraints (if any) permit this cert's binding. */
+export function checkAnchor(cert, anchors, revoked_anchor_ids = []) {
+    const anchor = anchors.find((a) => a.pubkey_hex === cert.issuer_pubkey_hex);
+    if (!anchor)
+        return { ok: false, reason: 'unknown_issuer' };
+    if (revoked_anchor_ids.includes(anchor.anchor_id)) {
+        return { ok: false, anchor, reason: 'revoked_anchor' };
+    }
+    if (anchor.binding_constraints && anchor.binding_constraints.length > 0) {
+        const matched = anchor.binding_constraints.some((pat) => matchBinding(pat, cert.binding));
+        if (!matched)
+            return { ok: false, anchor, reason: 'binding_mismatch' };
+    }
+    return { ok: true, anchor };
+}
+function matchBinding(pattern, binding) {
+    if (pattern === binding)
+        return true;
+    if (pattern.endsWith('*')) {
+        return binding.startsWith(pattern.slice(0, -1));
+    }
+    return false;
+}
+//# sourceMappingURL=certificate.js.map

package/dist/src/v2/mutual-auth/certificate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"certificate.js","sourceRoot":"","sources":["../../../../src/v2/mutual-auth/certificate.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,qEAAqE;AACrE,6DAA6D;AAC7D,qEAAqE;AAErE,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAA;AAC7D,OAAO,EAAE,IAAI,IAAI,SAAS,EAAE,MAAM,IAAI,WAAW,EAAE,MAAM,sBAAsB,CAAA;AAO/E,MAAM,YAAY,GAAG,KAAc,CAAA;AAkBnC,gEAAgE;AAChE,MAAM,UAAU,gBAAgB,CAC9B,KAA4B,EAC5B,iBAAyB;IAEzB,OAAO;QACL,YAAY,EAAE,YAAY;QAC1B,IAAI,EAAE,KAAK,CAAC,IAAI;QAChB,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,WAAW,EAAE,KAAK,CAAC,WAAW;QAC9B,iBAAiB;QACjB,kBAAkB,EAAE,KAAK,CAAC,kBAAkB;QAC5C,UAAU,EAAE,KAAK,CAAC,UAAU;QAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,OAAO,EAAE,KAAK,CAAC,OAAO;QACtB,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;QAC1C,kBAAkB,EAAE,KAAK,CAAC,kBAAkB;QAC5C,YAAY,EAAE,KAAK,CAAC,YAAY;KACjC,CAAA;AACH,CAAC;AAED,wEAAwE;AACxE,MAAM,UAAU,eAAe,CAC7B,QAAsD,EACtD,aAAqB;IAErB,MAAM,SAAS,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAA;IAC3C,MAAM,OAAO,GAAG,SAAS,CAAC,SAAS,EAAE,aAAa,CAAC,CAAA;IACnD,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;IAC9D,OAAO,EAAE,GAAG,QAAQ,EAAE,aAAa,EAAE,OAAO,EAAE,CAAA;AAChD,CAAC;AAED;;+DAE+D;AAC/D,MAAM,UAAU,aAAa,CAAC,IAA2B;IACvD,MAAM,EAAE,aAAa,EAAE,IAAI,EAAE,GAAG,IAAI,EAAE,GAAG,IAAI,CAAA;IAC7C,MAAM,SAAS,GAAG,eAAe,CAAC,IAAI,CAAC,CAAA;IACvC,OAAO,SAAS,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;AACzE,CAAC;AASD,MAAM,UAAU,0BAA0B,CACxC,IAA2B;IAE3B,IAAI,CAAC,IAAI,CAAC,kBAAkB,IAAI,IAAI,CAAC,kBAAkB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAA;IAC/C,CAAC;IACD,MAAM,EAAE,aAAa,EAAE,GAAG,IAAI,EAAE,GAAG,IAAI,CAAA;IACvC,MAAM,SAAS,GAAG,eAAe,CAAC,IAAI,CAAC,CAAA;IACvC,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IACpE,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC,iBAAiB,CAAC,CAAA;IAClE,IAAI,CAAC,EAAE;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAA;IAC1D,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAA;AACrB,CAAC;AAED,8DAA8D;AAC9D,MAAM,UAAU,4BAA4B,CAC1C,IAA2B,EAC3B,MAAc,EACd,iBAAiB,GAAG,CAAC;IAErB,IAAI,MAAM,GAAG,iBAAiB,GAAG,IAAI,CAAC,UAAU,EAAE,CAAC;QACjD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAA;IAC/C,CAAC;IACD,IAAI,MAAM,GAAG,iBAAiB,GAAG,IAAI,CAAC,SAAS,EAAE,CAAC;QAChD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAA;IACzC,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAA;AACrB,CAAC;AAUD;;wEAEwE;AACxE,MAAM,UAAU,WAAW,CACzB,IAA2B,EAC3B,OAAsB,EACtB,qBAA+B,EAAE;IAEjC,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,KAAK,IAAI,CAAC,iBAAiB,CAAC,CAAA;IAC3E,IAAI,CAAC,MAAM;QAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAA;IAC3D,IAAI,kBAAkB,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC;QAClD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAA;IACxD,CAAC;IACD,IAAI,MAAM,CAAC,mBAAmB,IAAI,MAAM,CAAC,mBAAmB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxE,MAAM,OAAO,GAAG,MAAM,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,GAAG,EAAE,EAAE,CACtD,YAAY,CAAC,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,CAChC,CAAA;QACD,IAAI,CAAC,OAAO;YAAE,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,kBAAkB,EAAE,CAAA;IACxE,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,CAAA;AAC7B,CAAC;AAED,SAAS,YAAY,CAAC,OAAe,EAAE,OAAe;IACpD,IAAI,OAAO,KAAK,OAAO;QAAE,OAAO,IAAI,CAAA;IACpC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO,OAAO,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAA;IACjD,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC"}

package/dist/src/v2/mutual-auth/handshake.d.ts

@@ -0,0 +1,37 @@
+import type { MutualAuthAttest, MutualAuthCertificate, MutualAuthFailureReason, MutualAuthHello, MutualAuthPolicy, MutualAuthResult, MutualAuthRole, MutualAuthSession, TrustAnchor } from './types.js';
+export declare function newNonce(): string;
+export declare function buildHello(role: MutualAuthRole, supported_versions: string[], now_ms: number, nonce_b64?: string): MutualAuthHello;
+/** Choose the highest mutually supported version. Returns null if
+ *  there is no overlap. Both sides MUST run the same algorithm. */
+export declare function chooseVersion(peer_supported: string[], own_accepted: string[]): string | null;
+export interface BuildAttestInput {
+    role: MutualAuthRole;
+    chosen_version: string;
+    own_nonce_b64: string;
+    peer_nonce_b64: string;
+    certificate: MutualAuthCertificate;
+    now_ms: number;
+}
+export declare function buildAttest(input: BuildAttestInput, own_sk_hex: string): MutualAuthAttest;
+export interface VerifyAttestInput {
+    attest: MutualAuthAttest;
+    expected_peer_nonce_b64: string;
+    expected_own_nonce_b64: string;
+    policy: MutualAuthPolicy;
+    trust_anchors: TrustAnchor[];
+    revoked_anchor_ids?: string[];
+    now_ms: number;
+}
+export interface VerifyAttestOutcome {
+    ok: boolean;
+    reason?: MutualAuthFailureReason;
+    detail?: string;
+}
+export declare function verifyAttest(input: VerifyAttestInput): VerifyAttestOutcome;
+/** Derive the shared session record from both sides' Attests. Both
+ *  parties MUST compute identical session_id values given identical
+ *  inputs (canonical JCS + sha256). */
+export declare function deriveSession(agent_attest: MutualAuthAttest, is_attest: MutualAuthAttest, policy: MutualAuthPolicy, now_ms: number): MutualAuthResult;
+/** Check whether a MutualAuthSession is still alive. */
+export declare function isSessionActive(session: MutualAuthSession, now_ms: number): boolean;
+//# sourceMappingURL=handshake.d.ts.map

package/dist/src/v2/mutual-auth/handshake.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handshake.d.ts","sourceRoot":"","sources":["../../../../src/v2/mutual-auth/handshake.ts"],"names":[],"mappings":"AAqCA,OAAO,KAAK,EACV,gBAAgB,EAChB,qBAAqB,EACrB,uBAAuB,EACvB,eAAe,EACf,gBAAgB,EAChB,gBAAgB,EAChB,cAAc,EACd,iBAAiB,EACjB,WAAW,EACZ,MAAM,YAAY,CAAA;AAMnB,wBAAgB,QAAQ,IAAI,MAAM,CAEjC;AAID,wBAAgB,UAAU,CACxB,IAAI,EAAE,cAAc,EACpB,kBAAkB,EAAE,MAAM,EAAE,EAC5B,MAAM,EAAE,MAAM,EACd,SAAS,SAAa,GACrB,eAAe,CAQjB;AAID;mEACmE;AACnE,wBAAgB,aAAa,CAC3B,cAAc,EAAE,MAAM,EAAE,EACxB,YAAY,EAAE,MAAM,EAAE,GACrB,MAAM,GAAG,IAAI,CAKf;AAID,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,cAAc,CAAA;IACpB,cAAc,EAAE,MAAM,CAAA;IACtB,aAAa,EAAE,MAAM,CAAA;IACrB,cAAc,EAAE,MAAM,CAAA;IACtB,WAAW,EAAE,qBAAqB,CAAA;IAClC,MAAM,EAAE,MAAM,CAAA;CACf;AAED,wBAAgB,WAAW,CACzB,KAAK,EAAE,gBAAgB,EACvB,UAAU,EAAE,MAAM,GACjB,gBAAgB,CAgBlB;AAID,MAAM,WAAW,iBAAiB;IAChC,MAAM,EAAE,gBAAgB,CAAA;IACxB,uBAAuB,EAAE,MAAM,CAAA;IAC/B,sBAAsB,EAAE,MAAM,CAAA;IAC9B,MAAM,EAAE,gBAAgB,CAAA;IACxB,aAAa,EAAE,WAAW,EAAE,CAAA;IAC5B,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAA;IAC7B,MAAM,EAAE,MAAM,CAAA;CACf;AAED,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,OAAO,CAAA;IACX,MAAM,CAAC,EAAE,uBAAuB,CAAA;IAChC,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB;AAED,wBAAgB,YAAY,CAAC,KAAK,EAAE,iBAAiB,GAAG,mBAAmB,CA6G1E;AAID;;uCAEuC;AACvC,wBAAgB,aAAa,CAC3B,YAAY,EAAE,gBAAgB,EAC9B,SAAS,EAAE,gBAAgB,EAC3B,MAAM,EAAE,gBAAgB,EACxB,MAAM,EAAE,MAAM,GACb,gBAAgB,CAsDlB;AAED,wDAAwD;AACxD,wBAAgB,eAAe,CAC7B,OAAO,EAAE,iBAAiB,EAC1B,MAAM,EAAE,MAAM,GACb,OAAO,CAOT"}