agent-passport-system 2.7.0 → 2.9.0

package/dist/src/v2/regulated-action/types.d.ts

@@ -0,0 +1,142 @@
+export declare const REGULATED_ACTION_PROFILE: "aps-regulated-action-v0";
+export declare const ACTION_CLASS_RANK: {
+    readonly read: 0;
+    readonly internal_write: 1;
+    readonly external_message: 2;
+    readonly financial_movement: 3;
+    readonly regulated_decision: 4;
+    readonly irreversible_action: 5;
+};
+export type ActionClass = keyof typeof ACTION_CLASS_RANK;
+export declare const RAPV0_TAG: {
+    readonly actor: "APS-RAPV0-ACTOR";
+    readonly intent: "APS-RAPV0-INTENT";
+    readonly policy: "APS-RAPV0-POLICY";
+    readonly resource: "APS-RAPV0-RESOURCE-CONFIRMATION";
+    readonly authority: "APS-RAPV0-AUTHORITY";
+    readonly lifecycle: "APS-RAPV0-LIFECYCLE";
+};
+export interface SignatureBlock {
+    alg: string;
+    key_id: string;
+    sig: string;
+}
+export interface AuthorityRef {
+    type: 'id_jag' | 'ema';
+    issuer: string;
+    subject: string;
+    audience: string;
+    scope_hash: string;
+    issued_at: string;
+    expires_at: string;
+    assertion_hash: string;
+    jti: string;
+    assertion_sig: string;
+}
+export interface IntentCommitment {
+    created_before_execution: true;
+    intent_hash: string;
+    expected_effect_hash: string;
+    gateway_nonce: string;
+    timestamp_ms: number;
+    scope: string;
+    signature: string;
+}
+export type DecisionBasisLeaf = 'input_artifact_hashes' | 'policy_version_hash' | 'tool_call_refs' | 'risk_flags' | 'approval_state' | 'model_runtime_context_summary_hash' | 'uncertainty_band' | 'resource_correlation_ref';
+export interface DecisionBasisCommitment {
+    root_hash: string;
+    leaves_schema: DecisionBasisLeaf[];
+    raw_chain_of_thought_included: false;
+}
+export interface GatewayPolicyDecision {
+    policy_version_hash: string;
+    decision: 'allow' | 'deny' | 'hold';
+    action_class_assigned: ActionClass;
+    signer: string;
+    signature: string;
+}
+export type ResourceConfirmationType = 'native_resource_signed' | 'boundary_attested' | 'boundary_attested_weak' | 'channel_authenticated' | 'manual_reconciliation' | 'missing';
+export type RealizedEffectProvenance = 'ban_derived' | 'echoed';
+export interface ResourceConfirmationRef {
+    type: ResourceConfirmationType;
+    resource_transaction_id: string;
+    correlation_id: string;
+    gateway_nonce_echo: string;
+    realized_effect_hash: string;
+    realized_effect_provenance: RealizedEffectProvenance;
+    status: string;
+    timestamp_ms: number;
+    signer_key_id: string;
+    signature: string;
+}
+export interface TransparencyRef {
+    type: 'scitt' | 'enterprise_merkle_log';
+    log_id: string;
+    inclusion_proof: InclusionStep[];
+    anchored_at_state: string;
+    tree_size: number;
+    leaf_hash: string;
+}
+export interface InclusionStep {
+    dir: 'L' | 'R';
+    hash: string;
+}
+export interface RegulatedActionReceiptV0 {
+    profile: typeof REGULATED_ACTION_PROFILE;
+    receipt_id: string;
+    action_class: ActionClass;
+    actor_signature: SignatureBlock;
+    aps_delegation_ref?: string;
+    authority_ref?: AuthorityRef;
+    intent_commitment?: IntentCommitment;
+    decision_basis_commitment?: DecisionBasisCommitment;
+    gateway_policy_decision?: GatewayPolicyDecision;
+    resource_confirmation_ref?: ResourceConfirmationRef;
+    transparency_ref?: TransparencyRef;
+}
+export interface RegisteredResourceKey {
+    publicKey: string;
+    registered_by_operator: boolean;
+}
+export interface VerificationContext {
+    idp_keyset: Record<string, string>;
+    operator_anchored_idp_copy?: Record<string, string>;
+    registered_resource_keys: Record<string, RegisteredResourceKey>;
+    operator_domain_registry: Record<string, {
+        publicKey: string;
+        identity: string;
+    }>;
+    operator_identity_id: string;
+    gateway_key_id?: string;
+    registered_log_roots: Record<string, string>;
+    allowed_clock_skew_ms?: number;
+    reserved_ts: number;
+    submitted_ts: number;
+    max_authority_execution_window_ms: number;
+    per_class_required_fields?: Partial<Record<ActionClass, string[]>>;
+    completeness_match?: boolean;
+    anchor_orders_intent_before_resource?: boolean;
+    non_equivocation_ok?: boolean;
+}
+export type Disposition = 'void' | 'void_policy_violation' | 'void_temporal_violation' | 'void_reconciliation_mismatch' | 'resource_unbound' | 'authority_invalid' | 'self_attested' | 'regulator_grade_for_class' | 'reconciled' | 'intent_precommitted' | 'authority_bound' | 'incomplete_for_class';
+export type IncompleteReason = 'policy_denied_no_execution' | 'missing_authority' | 'missing_transparency_anchor' | 'execution_unconfirmed';
+export type AuthorityBasis = 'external_idp' | 'operator_anchored_copy_weak';
+export interface TrustDomainSeparation {
+    computed_domains: number;
+    idp_counts: boolean;
+    resource_counts: boolean;
+    operator_identity: string;
+    separation_ok: boolean;
+}
+export interface RegulatedVerifyResult {
+    profile: typeof REGULATED_ACTION_PROFILE;
+    disposition: Disposition;
+    incomplete_reason?: IncompleteReason;
+    violations: Disposition[];
+    missing_evidence: string[];
+    trust_domain_separation: TrustDomainSeparation;
+    authority_basis?: AuthorityBasis;
+    authority_replay: 'not_evaluated' | 'pass' | 'fail';
+    judgment_correctness: 'not_claimed';
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/src/v2/regulated-action/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../src/v2/regulated-action/types.ts"],"names":[],"mappings":"AAaA,eAAO,MAAM,wBAAwB,EAAG,yBAAkC,CAAA;AAI1E,eAAO,MAAM,iBAAiB;;;;;;;CAOpB,CAAA;AACV,MAAM,MAAM,WAAW,GAAG,MAAM,OAAO,iBAAiB,CAAA;AAIxD,eAAO,MAAM,SAAS;;;;;;;CAOZ,CAAA;AAEV,MAAM,WAAW,cAAc;IAC7B,GAAG,EAAE,MAAM,CAAA;IACX,MAAM,EAAE,MAAM,CAAA;IACd,GAAG,EAAE,MAAM,CAAA;CACZ;AAKD,MAAM,WAAW,YAAY;IAC3B,IAAI,EAAE,QAAQ,GAAG,KAAK,CAAA;IACtB,MAAM,EAAE,MAAM,CAAA;IACd,OAAO,EAAE,MAAM,CAAA;IACf,QAAQ,EAAE,MAAM,CAAA;IAChB,UAAU,EAAE,MAAM,CAAA;IAClB,SAAS,EAAE,MAAM,CAAA;IACjB,UAAU,EAAE,MAAM,CAAA;IAClB,cAAc,EAAE,MAAM,CAAA;IACtB,GAAG,EAAE,MAAM,CAAA;IAKX,aAAa,EAAE,MAAM,CAAA;CACtB;AAID,MAAM,WAAW,gBAAgB;IAC/B,wBAAwB,EAAE,IAAI,CAAA;IAC9B,WAAW,EAAE,MAAM,CAAA;IACnB,oBAAoB,EAAE,MAAM,CAAA;IAC5B,aAAa,EAAE,MAAM,CAAA;IACrB,YAAY,EAAE,MAAM,CAAA;IACpB,KAAK,EAAE,MAAM,CAAA;IACb,SAAS,EAAE,MAAM,CAAA;CAClB;AAKD,MAAM,MAAM,iBAAiB,GACzB,uBAAuB,GACvB,qBAAqB,GACrB,gBAAgB,GAChB,YAAY,GACZ,gBAAgB,GAChB,oCAAoC,GACpC,kBAAkB,GAClB,0BAA0B,CAAA;AAE9B,MAAM,WAAW,uBAAuB;IACtC,SAAS,EAAE,MAAM,CAAA;IACjB,aAAa,EAAE,iBAAiB,EAAE,CAAA;IAClC,6BAA6B,EAAE,KAAK,CAAA;CACrC;AAED,MAAM,WAAW,qBAAqB;IACpC,mBAAmB,EAAE,MAAM,CAAA;IAC3B,QAAQ,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,CAAA;IACnC,qBAAqB,EAAE,WAAW,CAAA;IAClC,MAAM,EAAE,MAAM,CAAA;IACd,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,MAAM,wBAAwB,GAChC,wBAAwB,GACxB,mBAAmB,GACnB,wBAAwB,GACxB,uBAAuB,GACvB,uBAAuB,GACvB,SAAS,CAAA;AAEb,MAAM,MAAM,wBAAwB,GAAG,aAAa,GAAG,QAAQ,CAAA;AAK/D,MAAM,WAAW,uBAAuB;IACtC,IAAI,EAAE,wBAAwB,CAAA;IAC9B,uBAAuB,EAAE,MAAM,CAAA;IAC/B,cAAc,EAAE,MAAM,CAAA;IACtB,kBAAkB,EAAE,MAAM,CAAA;IAC1B,oBAAoB,EAAE,MAAM,CAAA;IAC5B,0BAA0B,EAAE,wBAAwB,CAAA;IACpD,MAAM,EAAE,MAAM,CAAA;IACd,YAAY,EAAE,MAAM,CAAA;IACpB,aAAa,EAAE,MAAM,CAAA;IACrB,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,OAAO,GAAG,uBAAuB,CAAA;IACvC,MAAM,EAAE,MAAM,CAAA;IACd,eAAe,EAAE,aAAa,EAAE,CAAA;IAChC,iBAAiB,EAAE,MAAM,CAAA;IACzB,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,WAAW,aAAa;IAC5B,GAAG,EAAE,GAAG,GAAG,GAAG,CAAA;IACd,IAAI,EAAE,MAAM,CAAA;CACb;AAED,MAAM,WAAW,wBAAwB;IACvC,OAAO,EAAE,OAAO,wBAAwB,CAAA;IACxC,UAAU,EAAE,MAAM,CAAA;IAClB,YAAY,EAAE,WAAW,CAAA;IACzB,eAAe,EAAE,cAAc,CAAA;IAC/B,kBAAkB,CAAC,EAAE,MAAM,CAAA;IAC3B,aAAa,CAAC,EAAE,YAAY,CAAA;IAC5B,iBAAiB,CAAC,EAAE,gBAAgB,CAAA;IACpC,yBAAyB,CAAC,EAAE,uBAAuB,CAAA;IACnD,uBAAuB,CAAC,EAAE,qBAAqB,CAAA;IAC/C,yBAAyB,CAAC,EAAE,uBAAuB,CAAA;IACnD,gBAAgB,CAAC,EAAE,eAAe,CAAA;CAGnC;AAID,MAAM,WAAW,qBAAqB;IACpC,SAAS,EAAE,MAAM,CAAA;IAGjB,sBAAsB,EAAE,OAAO,CAAA;CAChC;AAED,MAAM,WAAW,mBAAmB;IAGlC,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAGlC,0BAA0B,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAEnD,wBAAwB,EAAE,MAAM,CAAC,MAAM,EAAE,qBAAqB,CAAC,CAAA;IAI/D,wBAAwB,EAAE,MAAM,CAAC,MAAM,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IACjF,oBAAoB,EAAE,MAAM,CAAA;IAI5B,cAAc,CAAC,EAAE,MAAM,CAAA;IAEvB,oBAAoB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;IAK5C,qBAAqB,CAAC,EAAE,MAAM,CAAA;IAE9B,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,EAAE,MAAM,CAAA;IACpB,iCAAiC,EAAE,MAAM,CAAA;IAEzC,yBAAyB,CAAC,EAAE,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,MAAM,EAAE,CAAC,CAAC,CAAA;IAGlE,kBAAkB,CAAC,EAAE,OAAO,CAAA;IAG5B,oCAAoC,CAAC,EAAE,OAAO,CAAA;IAI9C,mBAAmB,CAAC,EAAE,OAAO,CAAA;CAC9B;AAGD,MAAM,MAAM,WAAW,GACnB,MAAM,GACN,uBAAuB,GACvB,yBAAyB,GACzB,8BAA8B,GAC9B,kBAAkB,GAClB,mBAAmB,GACnB,eAAe,GACf,2BAA2B,GAC3B,YAAY,GACZ,qBAAqB,GACrB,iBAAiB,GACjB,sBAAsB,CAAA;AAE1B,MAAM,MAAM,gBAAgB,GACxB,4BAA4B,GAC5B,mBAAmB,GACnB,6BAA6B,GAC7B,uBAAuB,CAAA;AAE3B,MAAM,MAAM,cAAc,GAAG,cAAc,GAAG,6BAA6B,CAAA;AAE3E,MAAM,WAAW,qBAAqB;IACpC,gBAAgB,EAAE,MAAM,CAAA;IACxB,UAAU,EAAE,OAAO,CAAA;IACnB,eAAe,EAAE,OAAO,CAAA;IACxB,iBAAiB,EAAE,MAAM,CAAA;IACzB,aAAa,EAAE,OAAO,CAAA;CACvB;AAED,MAAM,WAAW,qBAAqB;IACpC,OAAO,EAAE,OAAO,wBAAwB,CAAA;IACxC,WAAW,EAAE,WAAW,CAAA;IACxB,iBAAiB,CAAC,EAAE,gBAAgB,CAAA;IAGpC,UAAU,EAAE,WAAW,EAAE,CAAA;IACzB,gBAAgB,EAAE,MAAM,EAAE,CAAA;IAC1B,uBAAuB,EAAE,qBAAqB,CAAA;IAC9C,eAAe,CAAC,EAAE,cAAc,CAAA;IAGhC,gBAAgB,EAAE,eAAe,GAAG,MAAM,GAAG,MAAM,CAAA;IAEnD,oBAAoB,EAAE,aAAa,CAAA;CACpC"}

package/dist/src/v2/regulated-action/types.js

@@ -0,0 +1,34 @@
+// Copyright 2024-2026 Tymofii Pidlisnyi. Apache-2.0 license. See LICENSE.
+// APS Regulated Action Profile v0. Principle: Reconciled Action Attestation.
+//
+// Public primitive. Profile types per RAPV0-FROZEN-CONTRACT.md section A. A regulated
+// action (class rank >= 3) reaches finality only when a pre-committed intent reconciles
+// against two anchors OUTSIDE the operator trust domain: the IdP authority (EMA/ID-JAG)
+// and the resource system of record. The verifier counts trust DOMAINS, not signatures.
+//
+// This module ships the receipt shape, the VerificationContext, and the disposition
+// vocabulary. The deterministic verifier is in ./verify.ts. Product intelligence
+// (reconciliation engine, chokepoint, BAN, transparency service, completeness layer)
+// is NOT here; it is the private gateway. judgment_correctness is always not_claimed.
+export const REGULATED_ACTION_PROFILE = 'aps-regulated-action-v0';
+// Rank map. action_class is SET BY GATEWAY POLICY, never the agent. Compare via this
+// map, never enum order. Rank >= 3 is "regulated" for the finality gate.
+export const ACTION_CLASS_RANK = {
+    read: 0,
+    internal_write: 1,
+    external_message: 2,
+    financial_movement: 3,
+    regulated_decision: 4,
+    irreversible_action: 5,
+};
+// Domain-separation tags. Each signature signs a canonical subobject prefixed by its tag,
+// never the whole mutable receipt.
+export const RAPV0_TAG = {
+    actor: 'APS-RAPV0-ACTOR',
+    intent: 'APS-RAPV0-INTENT',
+    policy: 'APS-RAPV0-POLICY',
+    resource: 'APS-RAPV0-RESOURCE-CONFIRMATION',
+    authority: 'APS-RAPV0-AUTHORITY',
+    lifecycle: 'APS-RAPV0-LIFECYCLE',
+};
+//# sourceMappingURL=types.js.map

package/dist/src/v2/regulated-action/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../../src/v2/regulated-action/types.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,6EAA6E;AAC7E,EAAE;AACF,sFAAsF;AACtF,wFAAwF;AACxF,wFAAwF;AACxF,wFAAwF;AACxF,EAAE;AACF,oFAAoF;AACpF,iFAAiF;AACjF,qFAAqF;AACrF,sFAAsF;AAEtF,MAAM,CAAC,MAAM,wBAAwB,GAAG,yBAAkC,CAAA;AAE1E,qFAAqF;AACrF,yEAAyE;AACzE,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,IAAI,EAAE,CAAC;IACP,cAAc,EAAE,CAAC;IACjB,gBAAgB,EAAE,CAAC;IACnB,kBAAkB,EAAE,CAAC;IACrB,kBAAkB,EAAE,CAAC;IACrB,mBAAmB,EAAE,CAAC;CACd,CAAA;AAGV,0FAA0F;AAC1F,mCAAmC;AACnC,MAAM,CAAC,MAAM,SAAS,GAAG;IACvB,KAAK,EAAE,iBAAiB;IACxB,MAAM,EAAE,kBAAkB;IAC1B,MAAM,EAAE,kBAAkB;IAC1B,QAAQ,EAAE,iCAAiC;IAC3C,SAAS,EAAE,qBAAqB;IAChC,SAAS,EAAE,qBAAqB;CACxB,CAAA"}

package/dist/src/v2/regulated-action/verify.d.ts

@@ -0,0 +1,10 @@
+import { ACTION_CLASS_RANK } from './types.js';
+import type { RegulatedActionReceiptV0, VerificationContext, RegulatedVerifyResult } from './types.js';
+/**
+ * Verify a RegulatedActionReceiptV0 against a VerificationContext. Returns the disposition,
+ * every terminal condition that held (violations[]), missing evidence, the computed
+ * trust-domain separation, the authority basis, and judgment_correctness: not_claimed.
+ */
+export declare function verifyRegulatedAction(receipt: RegulatedActionReceiptV0, ctx: VerificationContext): RegulatedVerifyResult;
+export declare function actionClassRank(c: keyof typeof ACTION_CLASS_RANK): number;
+//# sourceMappingURL=verify.d.ts.map

package/dist/src/v2/regulated-action/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../../../src/v2/regulated-action/verify.ts"],"names":[],"mappings":"AAYA,OAAO,EAGL,iBAAiB,EAClB,MAAM,YAAY,CAAA;AACnB,OAAO,KAAK,EACV,wBAAwB,EACxB,mBAAmB,EACnB,qBAAqB,EAItB,MAAM,YAAY,CAAA;AAsBnB;;;;GAIG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,wBAAwB,EACjC,GAAG,EAAE,mBAAmB,GACvB,qBAAqB,CA2NvB;AAGD,wBAAgB,eAAe,CAAC,CAAC,EAAE,MAAM,OAAO,iBAAiB,GAAG,MAAM,CAEzE"}

package/dist/src/v2/regulated-action/verify.js

@@ -0,0 +1,252 @@
+// Copyright 2024-2026 Tymofii Pidlisnyi. Apache-2.0 license. See LICENSE.
+// APS Regulated Action Profile v0: the deterministic disposition verifier (A2).
+//
+// This is the canonical truth-table from RAPV0-FROZEN-CONTRACT.md section B (amended order).
+// It is total, deterministic from explicit inputs, most-dangerous-first, first match wins.
+// It is STATELESS and PURE: no network, no wall-clock read, no replay state. Every input
+// comes from the caller via VerificationContext. Replay/jti/nonce uniqueness is reported as
+// authority_replay: not_evaluated and is computed by the PRIVATE gateway, never here.
+// judgment_correctness is always not_claimed: we never certify a discretionary judgment.
+import { canonicalizeJCS, canonicalHashJCS } from '../../core/canonical-jcs.js';
+import { verify as edVerify } from '../../crypto/keys.js';
+import { REGULATED_ACTION_PROFILE, RAPV0_TAG, ACTION_CLASS_RANK, } from './types.js';
+const RESOURCE_VALID_TYPES = new Set(['native_resource_signed', 'boundary_attested']);
+const RESOURCE_VALID_STATUS = new Set(['accepted', 'settled']);
+function sigOk(payload, sig, pubkey) {
+    if (!sig || !pubkey)
+        return false;
+    try {
+        return edVerify(payload, sig, pubkey);
+    }
+    catch {
+        return false;
+    }
+}
+// Canonical signed payload for a domain-separated subobject: tag, then strict JCS of the
+// subobject with its own signature field removed.
+function signedPayload(tag, subobject, sigField) {
+    const copy = { ...subobject };
+    delete copy[sigField];
+    return `${tag}.${canonicalizeJCS(copy)}`;
+}
+/**
+ * Verify a RegulatedActionReceiptV0 against a VerificationContext. Returns the disposition,
+ * every terminal condition that held (violations[]), missing evidence, the computed
+ * trust-domain separation, the authority basis, and judgment_correctness: not_claimed.
+ */
+export function verifyRegulatedAction(receipt, ctx) {
+    const missing = [];
+    // ── crypto_ok: operator-domain and resource-domain sigs only (NOT the authority sig). ──
+    const opReg = ctx.operator_domain_registry || {};
+    const actorKey = opReg[receipt.actor_signature?.key_id]?.publicKey;
+    let cryptoOk = sigOk(signedPayload(RAPV0_TAG.actor, { profile: receipt.profile, receipt_id: receipt.receipt_id, action_class: receipt.action_class, key_id: receipt.actor_signature?.key_id }, 'sig'), receipt.actor_signature?.sig, actorKey);
+    const intentPresent = !!receipt.intent_commitment;
+    if (intentPresent) {
+        const ic = receipt.intent_commitment;
+        const intentSignerId = receipt.gateway_policy_decision?.signer ?? ctx.gateway_key_id;
+        const intentKey = intentSignerId ? opReg[intentSignerId]?.publicKey : undefined;
+        const intentSigOk = sigOk(signedPayload(RAPV0_TAG.intent, ic, 'signature'), ic.signature, intentKey);
+        cryptoOk = cryptoOk && intentSigOk;
+    }
+    const policyPresent = !!receipt.gateway_policy_decision;
+    if (policyPresent) {
+        const pd = receipt.gateway_policy_decision;
+        const policyKey = opReg[pd.signer]?.publicKey;
+        const policySigOk = sigOk(signedPayload(RAPV0_TAG.policy, pd, 'signature'), pd.signature, policyKey);
+        cryptoOk = cryptoOk && policySigOk;
+    }
+    // crypto_ok covers ONLY the operator envelope (actor/intent/policy). It deliberately EXCLUDES
+    // the resource sig and the authority sig: a forged/unverifiable EXTERNAL resource confirmation
+    // must not void the operator's receipt, it must fail to establish the resource domain
+    // (resource_present_valid=false), dropping below reconciled. Only a tampered OPERATOR sig voids.
+    if (!cryptoOk)
+        missing.push('crypto');
+    // resource signature: evaluated for resource_present_valid / independence only.
+    const rc = receipt.resource_confirmation_ref;
+    let resourceSigVerifies = false;
+    let resourceKeyIndependent = false;
+    if (rc) {
+        const rk = ctx.registered_resource_keys?.[rc.signer_key_id];
+        resourceSigVerifies = sigOk(signedPayload(RAPV0_TAG.resource, rc, 'signature'), rc.signature, rk?.publicKey);
+        resourceKeyIndependent = !!rk && rk.registered_by_operator === false;
+    }
+    // ── authority trichotomy: ok / weak_basis / invalid ──
+    const ar = receipt.authority_ref;
+    const authorityPresent = !!ar;
+    let authorityOk = false;
+    let authorityWeakBasis = false;
+    let authorityInvalid = false;
+    let authorityBasis;
+    if (ar) {
+        const claims = { ...ar };
+        delete claims.assertion_sig;
+        const authPayload = `${RAPV0_TAG.authority}.${canonicalizeJCS(claims)}`;
+        const extVerifies = sigOk(authPayload, ar.assertion_sig, ctx.idp_keyset?.[ar.issuer]);
+        const opVerifies = sigOk(authPayload, ar.assertion_sig, ctx.operator_anchored_idp_copy?.[ar.issuer]);
+        const issuedMs = Date.parse(ar.issued_at);
+        const expiresMs = Date.parse(ar.expires_at);
+        const validAcross = Number.isFinite(issuedMs) && Number.isFinite(expiresMs) &&
+            issuedMs <= ctx.reserved_ts && expiresMs >= ctx.submitted_ts;
+        const withinWindow = ctx.submitted_ts - ctx.reserved_ts <= ctx.max_authority_execution_window_ms;
+        const freshnessOk = validAcross && withinWindow;
+        authorityOk = extVerifies && freshnessOk;
+        authorityWeakBasis = !authorityOk && !extVerifies && opVerifies && freshnessOk;
+        authorityInvalid = !authorityOk && !authorityWeakBasis;
+        authorityBasis = authorityOk ? 'external_idp' : authorityWeakBasis ? 'operator_anchored_copy_weak' : undefined;
+        if (authorityInvalid)
+            missing.push('authority');
+    }
+    else {
+        missing.push('authority');
+    }
+    // ── intent ──
+    let intentOk = false;
+    if (receipt.intent_commitment) {
+        const ic = receipt.intent_commitment;
+        const recomputed = canonicalHashJCS({
+            action_class: receipt.action_class,
+            scope: ic.scope,
+            authority_assertion_hash: ar?.assertion_hash ?? '',
+            decision_basis_root_hash: receipt.decision_basis_commitment?.root_hash ?? '',
+            expected_effect_hash: ic.expected_effect_hash,
+        });
+        intentOk = ic.created_before_execution === true && recomputed === ic.intent_hash;
+    }
+    // ── policy ──
+    const pd = receipt.gateway_policy_decision;
+    const policyAllow = !!pd && pd.decision === 'allow' && pd.action_class_assigned === receipt.action_class;
+    const policyDeny = !!pd && (pd.decision === 'deny' || pd.decision === 'hold');
+    // ── resource ──
+    const resourcePresentValid = !!rc &&
+        RESOURCE_VALID_TYPES.has(rc.type) &&
+        rc.realized_effect_provenance === 'ban_derived' &&
+        resourceSigVerifies &&
+        resourceKeyIndependent &&
+        RESOURCE_VALID_STATUS.has(rc.status);
+    const resourceMatches = intentOk && !!rc && !!receipt.intent_commitment &&
+        rc.gateway_nonce_echo === receipt.intent_commitment.gateway_nonce &&
+        rc.realized_effect_hash === receipt.intent_commitment.expected_effect_hash;
+    const resourceOk = resourcePresentValid && resourceMatches;
+    const executed = resourcePresentValid || ctx.completeness_match === true;
+    // ── transparency anchor ──
+    let anchorPresent = false;
+    if (receipt.transparency_ref) {
+        const tr = receipt.transparency_ref;
+        const root = ctx.registered_log_roots?.[tr.log_id];
+        let proofOk = false;
+        if (root) {
+            // Recompute the Merkle root from leaf_hash + inclusion_proof; compare to registered root.
+            let acc = tr.leaf_hash;
+            try {
+                for (const step of tr.inclusion_proof) {
+                    acc = step.dir === 'L' ? canonicalHashJCS({ l: step.hash, r: acc }) : canonicalHashJCS({ l: acc, r: step.hash });
+                }
+                proofOk = acc === root;
+            }
+            catch {
+                proofOk = false;
+            }
+        }
+        anchorPresent = proofOk && tr.anchored_at_state === 'reserved';
+    }
+    if (!anchorPresent)
+        missing.push('transparency_anchor');
+    const temporalViolation = anchorPresent && ctx.anchor_orders_intent_before_resource === false;
+    const temporalConsistent = anchorPresent && ctx.anchor_orders_intent_before_resource === true;
+    const noneqOk = anchorPresent && ctx.non_equivocation_ok !== false;
+    // ── domains and separation ──
+    const idpCounts = authorityOk;
+    const resourceCounts = resourceOk && resourceKeyIndependent;
+    const domains = (idpCounts ? 1 : 0) + (resourceCounts ? 1 : 0);
+    const operatorKeyIds = [];
+    if (receipt.actor_signature?.key_id)
+        operatorKeyIds.push(receipt.actor_signature.key_id);
+    if (pd?.signer)
+        operatorKeyIds.push(pd.signer);
+    if (receipt.intent_commitment) {
+        const intentSignerId = pd?.signer ?? ctx.gateway_key_id;
+        if (intentSignerId)
+            operatorKeyIds.push(intentSignerId);
+    }
+    const separationOk = operatorKeyIds.every((kid) => opReg[kid]?.identity === ctx.operator_identity_id);
+    // ── per-class required fields (regulator_grade tier) ──
+    // regulator_grade_for_class is an opt-in STRICTER tier: reachable only when the caller
+    // supplies a per-class bar (non-empty) AND every required field is present. Without a defined
+    // bar for the class, the strongest honest claim is reconciled, never regulator_grade.
+    const requiredFields = ctx.per_class_required_fields?.[receipt.action_class] ?? [];
+    const perClassOk = requiredFields.length > 0 &&
+        requiredFields.every((f) => receipt[f] !== undefined);
+    // ── terminal-condition flags (guards 1-7), most-dangerous-first ──
+    const terminal = [
+        [!cryptoOk, 'void'],
+        [policyDeny && executed, 'void_policy_violation'],
+        [resourcePresentValid && intentPresent && temporalViolation, 'void_temporal_violation'],
+        [resourcePresentValid && intentOk && !resourceMatches, 'void_reconciliation_mismatch'],
+        [resourcePresentValid && !intentOk, 'resource_unbound'],
+        [authorityInvalid, 'authority_invalid'],
+        [!authorityPresent && !resourcePresentValid, 'self_attested'],
+    ];
+    const violations = terminal.filter(([held]) => held).map(([, d]) => d);
+    // ── first match wins ──
+    let disposition;
+    let incompleteReason;
+    const firstTerminal = terminal.find(([held]) => held);
+    if (firstTerminal) {
+        disposition = firstTerminal[1];
+    }
+    else if (authorityOk && intentOk && policyAllow && resourceOk && domains >= 2 &&
+        temporalConsistent && noneqOk && perClassOk && separationOk) {
+        disposition = 'regulator_grade_for_class';
+    }
+    else if (authorityOk && intentOk && policyAllow && resourceOk && domains >= 2 && temporalConsistent) {
+        disposition = 'reconciled';
+    }
+    else if (authorityOk && intentOk && policyAllow && !resourceOk) {
+        disposition = 'intent_precommitted';
+    }
+    else if (authorityOk && !intentOk) {
+        disposition = 'authority_bound';
+    }
+    else {
+        disposition = 'incomplete_for_class';
+        // deterministic reason precedence (AP-6)
+        if (policyDeny)
+            incompleteReason = 'policy_denied_no_execution';
+        else if (!authorityOk)
+            incompleteReason = 'missing_authority';
+        else if (!anchorPresent)
+            incompleteReason = 'missing_transparency_anchor';
+        else
+            incompleteReason = 'execution_unconfirmed';
+    }
+    // INVARIANT assertions (defense in depth; never reached if the table is correct).
+    if ((disposition === 'reconciled' || disposition === 'regulator_grade_for_class') &&
+        !(domains >= 2 && resourceOk && temporalConsistent)) {
+        throw new Error('RAPV0 invariant breach: reconciled/regulator_grade without domains>=2 AND resource_ok AND temporal_consistent');
+    }
+    const result = {
+        profile: REGULATED_ACTION_PROFILE,
+        disposition,
+        violations,
+        missing_evidence: missing,
+        trust_domain_separation: {
+            computed_domains: domains,
+            idp_counts: idpCounts,
+            resource_counts: resourceCounts,
+            operator_identity: ctx.operator_identity_id,
+            separation_ok: separationOk,
+        },
+        authority_replay: 'not_evaluated',
+        judgment_correctness: 'not_claimed',
+    };
+    if (incompleteReason)
+        result.incomplete_reason = incompleteReason;
+    if (authorityBasis)
+        result.authority_basis = authorityBasis;
+    return result;
+}
+// Convenience: rank lookup for callers gating on class >= 3 (regulated).
+export function actionClassRank(c) {
+    return ACTION_CLASS_RANK[c];
+}
+//# sourceMappingURL=verify.js.map

package/dist/src/v2/regulated-action/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../../../../src/v2/regulated-action/verify.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,gFAAgF;AAChF,EAAE;AACF,6FAA6F;AAC7F,2FAA2F;AAC3F,yFAAyF;AACzF,4FAA4F;AAC5F,sFAAsF;AACtF,yFAAyF;AAEzF,OAAO,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,6BAA6B,CAAA;AAC/E,OAAO,EAAE,MAAM,IAAI,QAAQ,EAAE,MAAM,sBAAsB,CAAA;AACzD,OAAO,EACL,wBAAwB,EACxB,SAAS,EACT,iBAAiB,GAClB,MAAM,YAAY,CAAA;AAUnB,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC,CAAC,wBAAwB,EAAE,mBAAmB,CAAC,CAAC,CAAA;AACrF,MAAM,qBAAqB,GAAG,IAAI,GAAG,CAAC,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC,CAAA;AAE9D,SAAS,KAAK,CAAC,OAAe,EAAE,GAAuB,EAAE,MAA0B;IACjF,IAAI,CAAC,GAAG,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IACjC,IAAI,CAAC;QACH,OAAO,QAAQ,CAAC,OAAO,EAAE,GAAG,EAAE,MAAM,CAAC,CAAA;IACvC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAA;IACd,CAAC;AACH,CAAC;AAED,yFAAyF;AACzF,kDAAkD;AAClD,SAAS,aAAa,CAAC,GAAW,EAAE,SAAkC,EAAE,QAAgB;IACtF,MAAM,IAAI,GAA4B,EAAE,GAAG,SAAS,EAAE,CAAA;IACtD,OAAO,IAAI,CAAC,QAAQ,CAAC,CAAA;IACrB,OAAO,GAAG,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,EAAE,CAAA;AAC1C,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,qBAAqB,CACnC,OAAiC,EACjC,GAAwB;IAExB,MAAM,OAAO,GAAa,EAAE,CAAA;IAE5B,0FAA0F;IAC1F,MAAM,KAAK,GAAG,GAAG,CAAC,wBAAwB,IAAI,EAAE,CAAA;IAChD,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,eAAe,EAAE,MAAM,CAAC,EAAE,SAAS,CAAA;IAClE,IAAI,QAAQ,GAAG,KAAK,CAClB,aAAa,CAAC,SAAS,CAAC,KAAK,EAAE,EAAE,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,UAAU,EAAE,OAAO,CAAC,UAAU,EAAE,YAAY,EAAE,OAAO,CAAC,YAAY,EAAE,MAAM,EAAE,OAAO,CAAC,eAAe,EAAE,MAAM,EAAE,EAAE,KAAK,CAAC,EAChL,OAAO,CAAC,eAAe,EAAE,GAAG,EAC5B,QAAQ,CACT,CAAA;IAED,MAAM,aAAa,GAAG,CAAC,CAAC,OAAO,CAAC,iBAAiB,CAAA;IACjD,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,EAAE,GAAG,OAAO,CAAC,iBAAkB,CAAA;QACrC,MAAM,cAAc,GAAG,OAAO,CAAC,uBAAuB,EAAE,MAAM,IAAI,GAAG,CAAC,cAAc,CAAA;QACpF,MAAM,SAAS,GAAG,cAAc,CAAC,CAAC,CAAC,KAAK,CAAC,cAAc,CAAC,EAAE,SAAS,CAAC,CAAC,CAAC,SAAS,CAAA;QAC/E,MAAM,WAAW,GAAG,KAAK,CAAC,aAAa,CAAC,SAAS,CAAC,MAAM,EAAE,EAAwC,EAAE,WAAW,CAAC,EAAE,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC,CAAA;QAC1I,QAAQ,GAAG,QAAQ,IAAI,WAAW,CAAA;IACpC,CAAC;IAED,MAAM,aAAa,GAAG,CAAC,CAAC,OAAO,CAAC,uBAAuB,CAAA;IACvD,IAAI,aAAa,EAAE,CAAC;QAClB,MAAM,EAAE,GAAG,OAAO,CAAC,uBAAwB,CAAA;QAC3C,MAAM,SAAS,GAAG,KAAK,CAAC,EAAE,CAAC,MAAM,CAAC,EAAE,SAAS,CAAA;QAC7C,MAAM,WAAW,GAAG,KAAK,CAAC,aAAa,CAAC,SAAS,CAAC,MAAM,EAAE,EAAwC,EAAE,WAAW,CAAC,EAAE,EAAE,CAAC,SAAS,EAAE,SAAS,CAAC,CAAA;QAC1I,QAAQ,GAAG,QAAQ,IAAI,WAAW,CAAA;IACpC,CAAC;IAED,8FAA8F;IAC9F,+FAA+F;IAC/F,sFAAsF;IACtF,iGAAiG;IACjG,IAAI,CAAC,QAAQ;QAAE,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;IAErC,gFAAgF;IAChF,MAAM,EAAE,GAAG,OAAO,CAAC,yBAAyB,CAAA;IAC5C,IAAI,mBAAmB,GAAG,KAAK,CAAA;IAC/B,IAAI,sBAAsB,GAAG,KAAK,CAAA;IAClC,IAAI,EAAE,EAAE,CAAC;QACP,MAAM,EAAE,GAAG,GAAG,CAAC,wBAAwB,EAAE,CAAC,EAAE,CAAC,aAAa,CAAC,CAAA;QAC3D,mBAAmB,GAAG,KAAK,CAAC,aAAa,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAwC,EAAE,WAAW,CAAC,EAAE,EAAE,CAAC,SAAS,EAAE,EAAE,EAAE,SAAS,CAAC,CAAA;QAClJ,sBAAsB,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,sBAAsB,KAAK,KAAK,CAAA;IACtE,CAAC;IAED,wDAAwD;IACxD,MAAM,EAAE,GAAG,OAAO,CAAC,aAAa,CAAA;IAChC,MAAM,gBAAgB,GAAG,CAAC,CAAC,EAAE,CAAA;IAC7B,IAAI,WAAW,GAAG,KAAK,CAAA;IACvB,IAAI,kBAAkB,GAAG,KAAK,CAAA;IAC9B,IAAI,gBAAgB,GAAG,KAAK,CAAA;IAC5B,IAAI,cAA0C,CAAA;IAC9C,IAAI,EAAE,EAAE,CAAC;QACP,MAAM,MAAM,GAAG,EAAE,GAAI,EAAyC,EAAE,CAAA;QAChE,OAAO,MAAM,CAAC,aAAa,CAAA;QAC3B,MAAM,WAAW,GAAG,GAAG,SAAS,CAAC,SAAS,IAAI,eAAe,CAAC,MAAM,CAAC,EAAE,CAAA;QACvE,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC,aAAa,EAAE,GAAG,CAAC,UAAU,EAAE,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAA;QACrF,MAAM,UAAU,GAAG,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC,aAAa,EAAE,GAAG,CAAC,0BAA0B,EAAE,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,CAAA;QACpG,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,SAAS,CAAC,CAAA;QACzC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,UAAU,CAAC,CAAA;QAC3C,MAAM,WAAW,GACf,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC;YACvD,QAAQ,IAAI,GAAG,CAAC,WAAW,IAAI,SAAS,IAAI,GAAG,CAAC,YAAY,CAAA;QAC9D,MAAM,YAAY,GAAG,GAAG,CAAC,YAAY,GAAG,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,iCAAiC,CAAA;QAChG,MAAM,WAAW,GAAG,WAAW,IAAI,YAAY,CAAA;QAC/C,WAAW,GAAG,WAAW,IAAI,WAAW,CAAA;QACxC,kBAAkB,GAAG,CAAC,WAAW,IAAI,CAAC,WAAW,IAAI,UAAU,IAAI,WAAW,CAAA;QAC9E,gBAAgB,GAAG,CAAC,WAAW,IAAI,CAAC,kBAAkB,CAAA;QACtD,cAAc,GAAG,WAAW,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,kBAAkB,CAAC,CAAC,CAAC,6BAA6B,CAAC,CAAC,CAAC,SAAS,CAAA;QAC9G,IAAI,gBAAgB;YAAE,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;IACjD,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,IAAI,CAAC,WAAW,CAAC,CAAA;IAC3B,CAAC;IAED,eAAe;IACf,IAAI,QAAQ,GAAG,KAAK,CAAA;IACpB,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;QAC9B,MAAM,EAAE,GAAG,OAAO,CAAC,iBAAiB,CAAA;QACpC,MAAM,UAAU,GAAG,gBAAgB,CAAC;YAClC,YAAY,EAAE,OAAO,CAAC,YAAY;YAClC,KAAK,EAAE,EAAE,CAAC,KAAK;YACf,wBAAwB,EAAE,EAAE,EAAE,cAAc,IAAI,EAAE;YAClD,wBAAwB,EAAE,OAAO,CAAC,yBAAyB,EAAE,SAAS,IAAI,EAAE;YAC5E,oBAAoB,EAAE,EAAE,CAAC,oBAAoB;SAC9C,CAAC,CAAA;QACF,QAAQ,GAAG,EAAE,CAAC,wBAAwB,KAAK,IAAI,IAAI,UAAU,KAAK,EAAE,CAAC,WAAW,CAAA;IAClF,CAAC;IAED,eAAe;IACf,MAAM,EAAE,GAAG,OAAO,CAAC,uBAAuB,CAAA;IAC1C,MAAM,WAAW,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,QAAQ,KAAK,OAAO,IAAI,EAAE,CAAC,qBAAqB,KAAK,OAAO,CAAC,YAAY,CAAA;IACxG,MAAM,UAAU,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,EAAE,CAAC,QAAQ,KAAK,MAAM,IAAI,EAAE,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAA;IAE7E,iBAAiB;IACjB,MAAM,oBAAoB,GACxB,CAAC,CAAC,EAAE;QACJ,oBAAoB,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC;QACjC,EAAE,CAAC,0BAA0B,KAAK,aAAa;QAC/C,mBAAmB;QACnB,sBAAsB;QACtB,qBAAqB,CAAC,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,CAAA;IACtC,MAAM,eAAe,GACnB,QAAQ,IAAI,CAAC,CAAC,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,iBAAiB;QAC/C,EAAE,CAAC,kBAAkB,KAAK,OAAO,CAAC,iBAAiB,CAAC,aAAa;QACjE,EAAE,CAAC,oBAAoB,KAAK,OAAO,CAAC,iBAAiB,CAAC,oBAAoB,CAAA;IAC5E,MAAM,UAAU,GAAG,oBAAoB,IAAI,eAAe,CAAA;IAC1D,MAAM,QAAQ,GAAG,oBAAoB,IAAI,GAAG,CAAC,kBAAkB,KAAK,IAAI,CAAA;IAExE,4BAA4B;IAC5B,IAAI,aAAa,GAAG,KAAK,CAAA;IACzB,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;QAC7B,MAAM,EAAE,GAAG,OAAO,CAAC,gBAAgB,CAAA;QACnC,MAAM,IAAI,GAAG,GAAG,CAAC,oBAAoB,EAAE,CAAC,EAAE,CAAC,MAAM,CAAC,CAAA;QAClD,IAAI,OAAO,GAAG,KAAK,CAAA;QACnB,IAAI,IAAI,EAAE,CAAC;YACT,0FAA0F;YAC1F,IAAI,GAAG,GAAG,EAAE,CAAC,SAAS,CAAA;YACtB,IAAI,CAAC;gBACH,KAAK,MAAM,IAAI,IAAI,EAAE,CAAC,eAAe,EAAE,CAAC;oBACtC,GAAG,GAAG,IAAI,CAAC,GAAG,KAAK,GAAG,CAAC,CAAC,CAAC,gBAAgB,CAAC,EAAE,CAAC,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,gBAAgB,CAAC,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAA;gBAClH,CAAC;gBACD,OAAO,GAAG,GAAG,KAAK,IAAI,CAAA;YACxB,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,GAAG,KAAK,CAAA;YACjB,CAAC;QACH,CAAC;QACD,aAAa,GAAG,OAAO,IAAI,EAAE,CAAC,iBAAiB,KAAK,UAAU,CAAA;IAChE,CAAC;IACD,IAAI,CAAC,aAAa;QAAE,OAAO,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAA;IAEvD,MAAM,iBAAiB,GAAG,aAAa,IAAI,GAAG,CAAC,oCAAoC,KAAK,KAAK,CAAA;IAC7F,MAAM,kBAAkB,GAAG,aAAa,IAAI,GAAG,CAAC,oCAAoC,KAAK,IAAI,CAAA;IAC7F,MAAM,OAAO,GAAG,aAAa,IAAI,GAAG,CAAC,mBAAmB,KAAK,KAAK,CAAA;IAElE,+BAA+B;IAC/B,MAAM,SAAS,GAAG,WAAW,CAAA;IAC7B,MAAM,cAAc,GAAG,UAAU,IAAI,sBAAsB,CAAA;IAC3D,MAAM,OAAO,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;IAE9D,MAAM,cAAc,GAAa,EAAE,CAAA;IACnC,IAAI,OAAO,CAAC,eAAe,EAAE,MAAM;QAAE,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,eAAe,CAAC,MAAM,CAAC,CAAA;IACxF,IAAI,EAAE,EAAE,MAAM;QAAE,cAAc,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,CAAA;IAC9C,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC;QAC9B,MAAM,cAAc,GAAG,EAAE,EAAE,MAAM,IAAI,GAAG,CAAC,cAAc,CAAA;QACvD,IAAI,cAAc;YAAE,cAAc,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;IACzD,CAAC;IACD,MAAM,YAAY,GAAG,cAAc,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,QAAQ,KAAK,GAAG,CAAC,oBAAoB,CAAC,CAAA;IAErG,yDAAyD;IACzD,uFAAuF;IACvF,8FAA8F;IAC9F,sFAAsF;IACtF,MAAM,cAAc,GAAG,GAAG,CAAC,yBAAyB,EAAE,CAAC,OAAO,CAAC,YAAY,CAAC,IAAI,EAAE,CAAA;IAClF,MAAM,UAAU,GACd,cAAc,CAAC,MAAM,GAAG,CAAC;QACzB,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAE,OAA8C,CAAC,CAAC,CAAC,KAAK,SAAS,CAAC,CAAA;IAE/F,oEAAoE;IACpE,MAAM,QAAQ,GAAkC;QAC9C,CAAC,CAAC,QAAQ,EAAE,MAAM,CAAC;QACnB,CAAC,UAAU,IAAI,QAAQ,EAAE,uBAAuB,CAAC;QACjD,CAAC,oBAAoB,IAAI,aAAa,IAAI,iBAAiB,EAAE,yBAAyB,CAAC;QACvF,CAAC,oBAAoB,IAAI,QAAQ,IAAI,CAAC,eAAe,EAAE,8BAA8B,CAAC;QACtF,CAAC,oBAAoB,IAAI,CAAC,QAAQ,EAAE,kBAAkB,CAAC;QACvD,CAAC,gBAAgB,EAAE,mBAAmB,CAAC;QACvC,CAAC,CAAC,gBAAgB,IAAI,CAAC,oBAAoB,EAAE,eAAe,CAAC;KAC9D,CAAA;IACD,MAAM,UAAU,GAAkB,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAA;IAErF,yBAAyB;IACzB,IAAI,WAAwB,CAAA;IAC5B,IAAI,gBAA8C,CAAA;IAClD,MAAM,aAAa,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAA;IACrD,IAAI,aAAa,EAAE,CAAC;QAClB,WAAW,GAAG,aAAa,CAAC,CAAC,CAAC,CAAA;IAChC,CAAC;SAAM,IACL,WAAW,IAAI,QAAQ,IAAI,WAAW,IAAI,UAAU,IAAI,OAAO,IAAI,CAAC;QACpE,kBAAkB,IAAI,OAAO,IAAI,UAAU,IAAI,YAAY,EAC3D,CAAC;QACD,WAAW,GAAG,2BAA2B,CAAA;IAC3C,CAAC;SAAM,IAAI,WAAW,IAAI,QAAQ,IAAI,WAAW,IAAI,UAAU,IAAI,OAAO,IAAI,CAAC,IAAI,kBAAkB,EAAE,CAAC;QACtG,WAAW,GAAG,YAAY,CAAA;IAC5B,CAAC;SAAM,IAAI,WAAW,IAAI,QAAQ,IAAI,WAAW,IAAI,CAAC,UAAU,EAAE,CAAC;QACjE,WAAW,GAAG,qBAAqB,CAAA;IACrC,CAAC;SAAM,IAAI,WAAW,IAAI,CAAC,QAAQ,EAAE,CAAC;QACpC,WAAW,GAAG,iBAAiB,CAAA;IACjC,CAAC;SAAM,CAAC;QACN,WAAW,GAAG,sBAAsB,CAAA;QACpC,yCAAyC;QACzC,IAAI,UAAU;YAAE,gBAAgB,GAAG,4BAA4B,CAAA;aAC1D,IAAI,CAAC,WAAW;YAAE,gBAAgB,GAAG,mBAAmB,CAAA;aACxD,IAAI,CAAC,aAAa;YAAE,gBAAgB,GAAG,6BAA6B,CAAA;;YACpE,gBAAgB,GAAG,uBAAuB,CAAA;IACjD,CAAC;IAED,kFAAkF;IAClF,IAAI,CAAC,WAAW,KAAK,YAAY,IAAI,WAAW,KAAK,2BAA2B,CAAC;QAC7E,CAAC,CAAC,OAAO,IAAI,CAAC,IAAI,UAAU,IAAI,kBAAkB,CAAC,EAAE,CAAC;QACxD,MAAM,IAAI,KAAK,CAAC,+GAA+G,CAAC,CAAA;IAClI,CAAC;IAED,MAAM,MAAM,GAA0B;QACpC,OAAO,EAAE,wBAAwB;QACjC,WAAW;QACX,UAAU;QACV,gBAAgB,EAAE,OAAO;QACzB,uBAAuB,EAAE;YACvB,gBAAgB,EAAE,OAAO;YACzB,UAAU,EAAE,SAAS;YACrB,eAAe,EAAE,cAAc;YAC/B,iBAAiB,EAAE,GAAG,CAAC,oBAAoB;YAC3C,aAAa,EAAE,YAAY;SAC5B;QACD,gBAAgB,EAAE,eAAe;QACjC,oBAAoB,EAAE,aAAa;KACpC,CAAA;IACD,IAAI,gBAAgB;QAAE,MAAM,CAAC,iBAAiB,GAAG,gBAAgB,CAAA;IACjE,IAAI,cAAc;QAAE,MAAM,CAAC,eAAe,GAAG,cAAc,CAAA;IAC3D,OAAO,MAAM,CAAA;AACf,CAAC;AAED,yEAAyE;AACzE,MAAM,UAAU,eAAe,CAAC,CAAiC;IAC/D,OAAO,iBAAiB,CAAC,CAAC,CAAC,CAAA;AAC7B,CAAC"}

package/dist/src/v2/transport/rfc9421/profile.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"profile.d.ts","sourceRoot":"","sources":["../../../../../src/v2/transport/rfc9421/profile.ts"],"names":[],"mappings":"AACA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAKH,OAAO,KAAK,EACV,gBAAgB,EAChB,qBAAqB,EACrB,cAAc,EAEd,eAAe,EACf,SAAS,EACT,WAAW,EACX,YAAY,EACZ,YAAY,EACb,MAAM,YAAY,CAAA;AACnB,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AAEtE,6EAA6E;AAC7E,eAAO,MAAM,uBAAuB,mCAAmC,CAAA;AAEvE,gCAAgC;AAChC,eAAO,MAAM,2BAA2B,EAAG,gCAAyC,CAAA;AAEpF,gFAAgF;AAChF,eAAO,MAAM,eAAe,EAAE,gBAAgB,EAAuC,CAAA;AAErF;;;;GAIG;AACH,wBAAgB,mBAAmB,IAAI,YAAY,CAclD;AAsBD,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,cAAc,CAAA;IACvB,MAAM,EAAE,SAAS,CAAA;IACjB,0EAA0E;IAC1E,MAAM,EAAE,IAAI,CAAC,eAAe,EAAE,OAAO,GAAG,KAAK,CAAC,GAAG;QAC/C,KAAK,CAAC,EAAE,MAAM,CAAA;QACd,GAAG,CAAC,EAAE,MAAM,CAAA;KACb,CAAA;IACD,uEAAuE;IACvE,OAAO,CAAC,EAAE,gBAAgB,EAAE,CAAA;IAC5B,qEAAqE;IACrE,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,uEAAuE;IACvE,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,sEAAsE;IACtE,YAAY,CAAC,EAAE,YAAY,CAAA;CAC5B;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,gBAAgB,GAAG,qBAAqB,CAiD1E;AAED;;;;GAIG;AACH,MAAM,WAAW,UAAU;IACzB,kEAAkE;IAClE,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAA;IAC5B,iCAAiC;IACjC,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;CAC5B;AAED,+EAA+E;AAC/E,qBAAa,kBAAmB,YAAW,UAAU;IACnD,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAoB;IACxC,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAG5B,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;CAG5B;AAED,MAAM,WAAW,kBAAkB;IACjC,qDAAqD;IACrD,OAAO,EAAE,qBAAqB,CAAA;IAC9B,oEAAoE;IACpE,OAAO,EAAE,cAAc,CAAA;IACvB,oDAAoD;IACpD,IAAI,EAAE,WAAW,EAAE,CAAA;IACnB,yBAAyB;IACzB,MAAM,EAAE,YAAY,CAAA;IACpB,0EAA0E;IAC1E,UAAU,CAAC,EAAE,UAAU,CAAA;CACxB;AAED;;;;;;;;GAQG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,kBAAkB,GAAG,YAAY,CAoFrE"}
+{"version":3,"file":"profile.d.ts","sourceRoot":"","sources":["../../../../../src/v2/transport/rfc9421/profile.ts"],"names":[],"mappings":"AACA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAKH,OAAO,KAAK,EACV,gBAAgB,EAChB,qBAAqB,EACrB,cAAc,EAEd,eAAe,EACf,SAAS,EACT,WAAW,EACX,YAAY,EACZ,YAAY,EACb,MAAM,YAAY,CAAA;AACnB,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AAEtE,6EAA6E;AAC7E,eAAO,MAAM,uBAAuB,mCAAmC,CAAA;AAEvE,gCAAgC;AAChC,eAAO,MAAM,2BAA2B,EAAG,gCAAyC,CAAA;AAEpF,gFAAgF;AAChF,eAAO,MAAM,eAAe,EAAE,gBAAgB,EAAuC,CAAA;AAErF;;;;GAIG;AACH,wBAAgB,mBAAmB,IAAI,YAAY,CAclD;AAsBD,MAAM,WAAW,gBAAgB;IAC/B,OAAO,EAAE,cAAc,CAAA;IACvB,MAAM,EAAE,SAAS,CAAA;IACjB,0EAA0E;IAC1E,MAAM,EAAE,IAAI,CAAC,eAAe,EAAE,OAAO,GAAG,KAAK,CAAC,GAAG;QAC/C,KAAK,CAAC,EAAE,MAAM,CAAA;QACd,GAAG,CAAC,EAAE,MAAM,CAAA;KACb,CAAA;IACD,uEAAuE;IACvE,OAAO,CAAC,EAAE,gBAAgB,EAAE,CAAA;IAC5B,qEAAqE;IACrE,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,uEAAuE;IACvE,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,sEAAsE;IACtE,YAAY,CAAC,EAAE,YAAY,CAAA;CAC5B;AAED;;;GAGG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,gBAAgB,GAAG,qBAAqB,CAiD1E;AAED;;;;GAIG;AACH,MAAM,WAAW,UAAU;IACzB,kEAAkE;IAClE,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAA;IAC5B,iCAAiC;IACjC,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAA;CAC5B;AAED,+EAA+E;AAC/E,qBAAa,kBAAmB,YAAW,UAAU;IACnD,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAoB;IACxC,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO;IAG5B,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI;CAG5B;AAED,MAAM,WAAW,kBAAkB;IACjC,qDAAqD;IACrD,OAAO,EAAE,qBAAqB,CAAA;IAC9B,oEAAoE;IACpE,OAAO,EAAE,cAAc,CAAA;IACvB,oDAAoD;IACpD,IAAI,EAAE,WAAW,EAAE,CAAA;IACnB,yBAAyB;IACzB,MAAM,EAAE,YAAY,CAAA;IACpB,0EAA0E;IAC1E,UAAU,CAAC,EAAE,UAAU,CAAA;CACxB;AAED;;;;;;;;GAQG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,kBAAkB,GAAG,YAAY,CAsGrE"}

package/dist/src/v2/transport/rfc9421/profile.js

@@ -169,6 +169,18 @@ export function verifyRequest(input) {
         if (Math.abs(now - profile.created) > policy.maxSkewSeconds) {
             return { valid: false, reason: 'stale_created' };
         }
+        // 4b. Expiry: a signer may declare an `expires` param (part of the signed params). The `created`
+        //     freshness check above does not cover it: a short-lived signature can sit inside the broader
+        //     skew window yet be past its own `expires`. Reject once it has passed. Read from the signed
+        //     Signature-Input so the check binds to the exact signed value.
+        const expiresRhs = stripLabel(profile.inner.signatureInput, profile.inner.label);
+        const expiresMatch = expiresRhs?.match(/;expires=(\d+)/);
+        if (expiresMatch) {
+            const expiresAt = Number(expiresMatch[1]);
+            if (Number.isFinite(expiresAt) && now > expiresAt) {
+                return { valid: false, reason: 'expired' };
+            }
+        }
         // 5. Resolve the verifying key for this verification method.
         const key = keys.find(k => k.verificationMethod === profile.verificationMethod);
         if (key === undefined) {
@@ -210,13 +222,18 @@ export function verifyRequest(input) {
         }
         // 9. Replay: reject a previously-seen nonce. Only consume the nonce after
         //    every other check passed, so failed attempts cannot poison the store.
+        //    When no nonceStore is supplied the request is NOT replay-checked: the
+        //    signature is valid but the same signed request can be presented again.
+        //    replayChecked surfaces this so a caller cannot mistake an unchecked pass
+        //    for a replay-enforced one. Supply a nonceStore for replay protection.
+        const replayChecked = input.nonceStore !== undefined;
         if (input.nonceStore !== undefined) {
             if (input.nonceStore.seen(profile.nonce)) {
                 return { valid: false, reason: 'replayed_nonce' };
             }
             input.nonceStore.record(profile.nonce);
         }
-        return { valid: true, verificationMethod: profile.verificationMethod };
+        return { valid: true, verificationMethod: profile.verificationMethod, replayChecked };
     }
     catch {
         return { valid: false, reason: 'malformed_input' };

package/dist/src/v2/transport/rfc9421/profile.js.map

@@ -1 +1 @@
-{"version":3,"file":"profile.js","sourceRoot":"","sources":["../../../../../src/v2/transport/rfc9421/profile.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAA;AAChC,OAAO,EAAE,IAAI,IAAI,WAAW,EAAE,MAAM,IAAI,aAAa,EAAE,MAAM,yBAAyB,CAAA;AACtF,OAAO,EAAE,kBAAkB,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAA;AAcnF,6EAA6E;AAC7E,MAAM,CAAC,MAAM,uBAAuB,GAAG,gCAAgC,CAAA;AAEvE,gCAAgC;AAChC,MAAM,CAAC,MAAM,2BAA2B,GAAG,gCAAyC,CAAA;AAEpF,gFAAgF;AAChF,MAAM,CAAC,MAAM,eAAe,GAAuB,CAAC,SAAS,EAAE,YAAY,EAAE,OAAO,CAAC,CAAA;AAErF;;;;GAIG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO;QACL,OAAO,EACL,mIAAmI;QACrI,eAAe,EAAE;YACf,uDAAuD;YACvD,yFAAyF;YACzF,+CAA+C;YAC/C,0FAA0F;SAC3F;QACD,YAAY,EAAE,eAAe;QAC7B,YAAY,EAAE,SAAS;QACvB,aAAa,EAAE,IAAI;KACpB,CAAA;AACH,CAAC;AAED,uEAAuE;AACvE,SAAS,cAAc,CAAC,WAAmB;IACzC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;IAC9D,OAAO,IAAI,GAAG,GAAG,CAAA;AACnB,CAAC;AAED,+EAA+E;AAC/E,SAAS,gBAAgB,CAAC,KAAa;IACrC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAA;IAC5B,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7E,OAAO,IAAI,CAAA;IACb,CAAC;IACD,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;IAChC,IAAI,CAAC;QACH,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IACnD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAoBD;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,KAAuB;IACjD,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,IAAI,eAAe,CAAA;IAChD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,yEAAyE;QACzE,2DAA2D;QAC3D,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAA;IAC/D,CAAC;IACD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,IAAI,KAAK,CAAA;IAClC,MAAM,GAAG,GAAG,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI,uBAAuB,CAAA;IACvD,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,CAAC,kBAAkB,CAAA;IAEnE,MAAM,MAAM,GAAoB;QAC9B,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,OAAO;QAC7B,KAAK;QACL,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,KAAK;QACzB,GAAG;QACH,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACpE,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACjF,CAAA;IAED,MAAM,EAAE,IAAI,EAAE,aAAa,EAAE,GAAG,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;IAElF,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,aAAa,CAAC,CAAA;IAC5D,MAAM,QAAQ,GAAG,cAAc,CAAC,MAAM,CAAC,CAAA;IAEvC,0EAA0E;IAC1E,qEAAqE;IACrE,MAAM,cAAc,GAAG,GAAG,KAAK,IAAI,yBAAyB,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,CAAA;IAC/E,MAAM,cAAc,GAAG,GAAG,KAAK,IAAI,QAAQ,EAAE,CAAA;IAE7C,MAAM,KAAK,GAAqB;QAC9B,KAAK;QACL,cAAc;QACd,SAAS,EAAE,cAAc;QACzB,GAAG,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACzD,aAAa,EAAE,IAAI;KACpB,CAAA;IAED,OAAO;QACL,OAAO,EAAE,2BAA2B;QACpC,OAAO;QACP,KAAK;QACL,kBAAkB,EAAE,KAAK;QACzB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,GAAG;QACH,GAAG,CAAC,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9E,YAAY,EAAE,KAAK,CAAC,YAAY,IAAI,mBAAmB,EAAE;KAC1D,CAAA;AACH,CAAC;AAcD,+EAA+E;AAC/E,MAAM,OAAO,kBAAkB;IACZ,GAAG,GAAG,IAAI,GAAG,EAAU,CAAA;IACxC,IAAI,CAAC,KAAa;QAChB,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;IAC5B,CAAC;IACD,MAAM,CAAC,KAAa;QAClB,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;IACrB,CAAC;CACF;AAeD;;;;;;;;GAQG;AACH,MAAM,UAAU,aAAa,CAAC,KAAyB;IACrD,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,KAAK,CAAA;IAEhD,IAAI,CAAC;QACH,yCAAyC;QACzC,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACjC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAA;QACtD,CAAC;QAED,8CAA8C;QAC9C,MAAM,QAAQ,GAAG,MAAM,CAAC,kBAAkB,IAAI,CAAC,SAAS,EAAE,YAAY,EAAE,OAAO,CAAC,CAAA;QAChF,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;YAC3B,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBACnC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,4BAA4B,EAAE,CAAA;YAC/D,CAAC;QACH,CAAC;QAED,8CAA8C;QAC9C,IAAI,OAAO,CAAC,GAAG,KAAK,MAAM,CAAC,WAAW,EAAE,CAAC;YACvC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,CAAA;QACjD,CAAC;QAED,0DAA0D;QAC1D,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;QAC9D,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC,cAAc,EAAE,CAAC;YAC5D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAA;QAClD,CAAC;QAED,6DAA6D;QAC7D,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,kBAAkB,KAAK,OAAO,CAAC,kBAAkB,CAAC,CAAA;QAC/E,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YACtB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,6BAA6B,EAAE,CAAA;QAChE,CAAC;QAED,oEAAoE;QACpE,IAAI,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAC/C,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,aAAa,CAAA;YAC7C,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;gBAC5B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,wBAAwB,EAAE,CAAA;YAC3D,CAAC;YACD,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBAC/B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAA;YAC5D,CAAC;YACD,MAAM,UAAU,GAAG,uBAAuB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;YACxD,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;gBAC7B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAA;YAC5D,CAAC;QACH,CAAC;QAED,oEAAoE;QACpE,2EAA2E;QAC3E,wEAAwE;QACxE,0EAA0E;QAC1E,MAAM,aAAa,GAAG,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QACvD,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;YAC3B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAA;QACjE,CAAC;QACD,IAAI,aAAa,KAAK,OAAO,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;YAClD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAA;QACjE,CAAC;QAED,0DAA0D;QAC1D,MAAM,MAAM,GAAG,mBAAmB,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;QAChF,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACpB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAA;QACpD,CAAC;QACD,MAAM,EAAE,GAAG,aAAa,CAAC,aAAa,EAAE,MAAM,EAAE,GAAG,CAAC,YAAY,CAAC,CAAA;QACjE,IAAI,CAAC,EAAE,EAAE,CAAC;YACR,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAA;QACtD,CAAC;QAED,0EAA0E;QAC1E,2EAA2E;QAC3E,IAAI,KAAK,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YACnC,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAA;YACnD,CAAC;YACD,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;QACxC,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,kBAAkB,EAAE,OAAO,CAAC,kBAAkB,EAAE,CAAA;IACxE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAA;IACpD,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,SAAS,uBAAuB,CAAC,IAAgB;IAC/C,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;IACnF,OAAO,YAAY,IAAI,GAAG,CAAA;AAC5B,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,eAAe,CACtB,OAA8B,EAC9B,OAAuB;IAEvB,MAAM,MAAM,GAAoB;QAC9B,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,KAAK,EAAE,OAAO,CAAC,kBAAkB;QACjC,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,GAAG,EAAE,OAAO,CAAC,GAAG;KACjB,CAAA;IACD,2EAA2E;IAC3E,MAAM,GAAG,GAAG,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;IACzE,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,IAAI,CAAA;IAC7B,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAA;IAC5C,IAAI,QAAQ;QAAG,MAA0B,CAAC,GAAG,GAAG,QAAQ,CAAC,CAAC,CAA2B,CAAA;IACrF,MAAM,YAAY,GAAG,GAAG,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAA;IAChD,IAAI,YAAY;QAAG,MAA0B,CAAC,OAAO,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAA;IAE/E,IAAI,CAAC;QACH,MAAM,EAAE,IAAI,EAAE,GAAG,kBAAkB,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,CAAA;QACrE,OAAO,IAAI,CAAA;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED,4EAA4E;AAC5E,SAAS,UAAU,CAAC,KAAa,EAAE,KAAa;IAC9C,MAAM,MAAM,GAAG,GAAG,KAAK,GAAG,CAAA;IAC1B,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAA;IAC1C,OAAO,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;AACnC,CAAC;AAED,8EAA8E;AAC9E,SAAS,mBAAmB,CAAC,KAAa,EAAE,KAAa;IACvD,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC,CAAA;IACpC,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,IAAI,CAAA;IAC7B,OAAO,gBAAgB,CAAC,GAAG,CAAC,CAAA;AAC9B,CAAC"}
+{"version":3,"file":"profile.js","sourceRoot":"","sources":["../../../../../src/v2/transport/rfc9421/profile.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,MAAM,MAAM,aAAa,CAAA;AAChC,OAAO,EAAE,IAAI,IAAI,WAAW,EAAE,MAAM,IAAI,aAAa,EAAE,MAAM,yBAAyB,CAAA;AACtF,OAAO,EAAE,kBAAkB,EAAE,yBAAyB,EAAE,MAAM,qBAAqB,CAAA;AAcnF,6EAA6E;AAC7E,MAAM,CAAC,MAAM,uBAAuB,GAAG,gCAAgC,CAAA;AAEvE,gCAAgC;AAChC,MAAM,CAAC,MAAM,2BAA2B,GAAG,gCAAyC,CAAA;AAEpF,gFAAgF;AAChF,MAAM,CAAC,MAAM,eAAe,GAAuB,CAAC,SAAS,EAAE,YAAY,EAAE,OAAO,CAAC,CAAA;AAErF;;;;GAIG;AACH,MAAM,UAAU,mBAAmB;IACjC,OAAO;QACL,OAAO,EACL,mIAAmI;QACrI,eAAe,EAAE;YACf,uDAAuD;YACvD,yFAAyF;YACzF,+CAA+C;YAC/C,0FAA0F;SAC3F;QACD,YAAY,EAAE,eAAe;QAC7B,YAAY,EAAE,SAAS;QACvB,aAAa,EAAE,IAAI;KACpB,CAAA;AACH,CAAC;AAED,uEAAuE;AACvE,SAAS,cAAc,CAAC,WAAmB;IACzC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;IAC9D,OAAO,IAAI,GAAG,GAAG,CAAA;AACnB,CAAC;AAED,+EAA+E;AAC/E,SAAS,gBAAgB,CAAC,KAAa;IACrC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAA;IAC5B,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7E,OAAO,IAAI,CAAA;IACb,CAAC;IACD,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAA;IAChC,IAAI,CAAC;QACH,OAAO,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IACnD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAoBD;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,KAAuB;IACjD,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,IAAI,eAAe,CAAA;IAChD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,yEAAyE;QACzE,2DAA2D;QAC3D,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAA;IAC/D,CAAC;IACD,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,IAAI,KAAK,CAAA;IAClC,MAAM,GAAG,GAAG,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI,uBAAuB,CAAA;IACvD,MAAM,KAAK,GAAG,KAAK,CAAC,MAAM,CAAC,KAAK,IAAI,KAAK,CAAC,MAAM,CAAC,kBAAkB,CAAA;IAEnE,MAAM,MAAM,GAAoB;QAC9B,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,OAAO;QAC7B,KAAK;QACL,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,KAAK;QACzB,GAAG;QACH,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,GAAG,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACpE,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACjF,CAAA;IAED,MAAM,EAAE,IAAI,EAAE,aAAa,EAAE,GAAG,kBAAkB,CAAC,OAAO,EAAE,KAAK,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;IAElF,MAAM,MAAM,GAAG,WAAW,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,aAAa,CAAC,CAAA;IAC5D,MAAM,QAAQ,GAAG,cAAc,CAAC,MAAM,CAAC,CAAA;IAEvC,0EAA0E;IAC1E,qEAAqE;IACrE,MAAM,cAAc,GAAG,GAAG,KAAK,IAAI,yBAAyB,CAAC,OAAO,EAAE,MAAM,CAAC,EAAE,CAAA;IAC/E,MAAM,cAAc,GAAG,GAAG,KAAK,IAAI,QAAQ,EAAE,CAAA;IAE7C,MAAM,KAAK,GAAqB;QAC9B,KAAK;QACL,cAAc;QACd,SAAS,EAAE,cAAc;QACzB,GAAG,CAAC,aAAa,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACzD,aAAa,EAAE,IAAI;KACpB,CAAA;IAED,OAAO;QACL,OAAO,EAAE,2BAA2B;QACpC,OAAO;QACP,KAAK;QACL,kBAAkB,EAAE,KAAK;QACzB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,GAAG;QACH,GAAG,CAAC,KAAK,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9E,YAAY,EAAE,KAAK,CAAC,YAAY,IAAI,mBAAmB,EAAE;KAC1D,CAAA;AACH,CAAC;AAcD,+EAA+E;AAC/E,MAAM,OAAO,kBAAkB;IACZ,GAAG,GAAG,IAAI,GAAG,EAAU,CAAA;IACxC,IAAI,CAAC,KAAa;QAChB,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;IAC5B,CAAC;IACD,MAAM,CAAC,KAAa;QAClB,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,CAAA;IACrB,CAAC;CACF;AAeD;;;;;;;;GAQG;AACH,MAAM,UAAU,aAAa,CAAC,KAAyB;IACrD,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,KAAK,CAAA;IAEhD,IAAI,CAAC;QACH,yCAAyC;QACzC,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACjC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAA;QACtD,CAAC;QAED,8CAA8C;QAC9C,MAAM,QAAQ,GAAG,MAAM,CAAC,kBAAkB,IAAI,CAAC,SAAS,EAAE,YAAY,EAAE,OAAO,CAAC,CAAA;QAChF,KAAK,MAAM,GAAG,IAAI,QAAQ,EAAE,CAAC;YAC3B,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;gBACnC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,4BAA4B,EAAE,CAAA;YAC/D,CAAC;QACH,CAAC;QAED,8CAA8C;QAC9C,IAAI,OAAO,CAAC,GAAG,KAAK,MAAM,CAAC,WAAW,EAAE,CAAC;YACvC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,EAAE,CAAA;QACjD,CAAC;QAED,0DAA0D;QAC1D,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAA;QAC9D,IAAI,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,MAAM,CAAC,cAAc,EAAE,CAAC;YAC5D,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE,CAAA;QAClD,CAAC;QAED,iGAAiG;QACjG,kGAAkG;QAClG,iGAAiG;QACjG,oEAAoE;QACpE,MAAM,UAAU,GAAG,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;QAChF,MAAM,YAAY,GAAG,UAAU,EAAE,KAAK,CAAC,gBAAgB,CAAC,CAAA;QACxD,IAAI,YAAY,EAAE,CAAC;YACjB,MAAM,SAAS,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAA;YACzC,IAAI,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,GAAG,GAAG,SAAS,EAAE,CAAC;gBAClD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,CAAA;YAC5C,CAAC;QACH,CAAC;QAED,6DAA6D;QAC7D,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,kBAAkB,KAAK,OAAO,CAAC,kBAAkB,CAAC,CAAA;QAC/E,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;YACtB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,6BAA6B,EAAE,CAAA;QAChE,CAAC;QAED,oEAAoE;QACpE,IAAI,OAAO,CAAC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC,EAAE,CAAC;YAC/C,MAAM,SAAS,GAAG,OAAO,CAAC,KAAK,CAAC,aAAa,CAAA;YAC7C,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;gBAC5B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,wBAAwB,EAAE,CAAA;YAC3D,CAAC;YACD,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gBAC/B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAA;YAC5D,CAAC;YACD,MAAM,UAAU,GAAG,uBAAuB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAA;YACxD,IAAI,UAAU,KAAK,SAAS,EAAE,CAAC;gBAC7B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,yBAAyB,EAAE,CAAA;YAC5D,CAAC;QACH,CAAC;QAED,oEAAoE;QACpE,2EAA2E;QAC3E,wEAAwE;QACxE,0EAA0E;QAC1E,MAAM,aAAa,GAAG,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QACvD,IAAI,aAAa,KAAK,IAAI,EAAE,CAAC;YAC3B,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAA;QACjE,CAAC;QACD,IAAI,aAAa,KAAK,OAAO,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;YAClD,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,8BAA8B,EAAE,CAAA;QACjE,CAAC;QAED,0DAA0D;QAC1D,MAAM,MAAM,GAAG,mBAAmB,CAAC,OAAO,CAAC,KAAK,CAAC,SAAS,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;QAChF,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACpB,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAA;QACpD,CAAC;QACD,MAAM,EAAE,GAAG,aAAa,CAAC,aAAa,EAAE,MAAM,EAAE,GAAG,CAAC,YAAY,CAAC,CAAA;QACjE,IAAI,CAAC,EAAE,EAAE,CAAC;YACR,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,mBAAmB,EAAE,CAAA;QACtD,CAAC;QAED,0EAA0E;QAC1E,2EAA2E;QAC3E,2EAA2E;QAC3E,4EAA4E;QAC5E,8EAA8E;QAC9E,2EAA2E;QAC3E,MAAM,aAAa,GAAG,KAAK,CAAC,UAAU,KAAK,SAAS,CAAA;QACpD,IAAI,KAAK,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YACnC,IAAI,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;gBACzC,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAA;YACnD,CAAC;YACD,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;QACxC,CAAC;QAED,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,kBAAkB,EAAE,OAAO,CAAC,kBAAkB,EAAE,aAAa,EAAE,CAAA;IACvF,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAA;IACpD,CAAC;AACH,CAAC;AAED,8EAA8E;AAC9E,SAAS,uBAAuB,CAAC,IAAgB;IAC/C,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAA;IACnF,OAAO,YAAY,IAAI,GAAG,CAAA;AAC5B,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAS,eAAe,CACtB,OAA8B,EAC9B,OAAuB;IAEvB,MAAM,MAAM,GAAoB;QAC9B,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,KAAK,EAAE,OAAO,CAAC,kBAAkB;QACjC,KAAK,EAAE,OAAO,CAAC,KAAK;QACpB,GAAG,EAAE,OAAO,CAAC,GAAG;KACjB,CAAA;IACD,2EAA2E;IAC3E,MAAM,GAAG,GAAG,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;IACzE,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,IAAI,CAAA;IAC7B,MAAM,QAAQ,GAAG,GAAG,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAA;IAC5C,IAAI,QAAQ;QAAG,MAA0B,CAAC,GAAG,GAAG,QAAQ,CAAC,CAAC,CAA2B,CAAA;IACrF,MAAM,YAAY,GAAG,GAAG,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAA;IAChD,IAAI,YAAY;QAAG,MAA0B,CAAC,OAAO,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAA;IAE/E,IAAI,CAAC;QACH,MAAM,EAAE,IAAI,EAAE,GAAG,kBAAkB,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,EAAE,MAAM,CAAC,CAAA;QACrE,OAAO,IAAI,CAAA;IACb,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAA;IACb,CAAC;AACH,CAAC;AAED,4EAA4E;AAC5E,SAAS,UAAU,CAAC,KAAa,EAAE,KAAa;IAC9C,MAAM,MAAM,GAAG,GAAG,KAAK,GAAG,CAAA;IAC1B,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC;QAAE,OAAO,IAAI,CAAA;IAC1C,OAAO,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAA;AACnC,CAAC;AAED,8EAA8E;AAC9E,SAAS,mBAAmB,CAAC,KAAa,EAAE,KAAa;IACvD,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,EAAE,KAAK,CAAC,CAAA;IACpC,IAAI,GAAG,KAAK,IAAI;QAAE,OAAO,IAAI,CAAA;IAC7B,OAAO,gBAAgB,CAAC,GAAG,CAAC,CAAA;AAC9B,CAAC"}

package/dist/src/v2/transport/rfc9421/types.d.ts

@@ -195,12 +195,16 @@ export interface VerifyPolicy {
     nowSeconds?: number;
 }
 /** Reasons a verification can fail, for precise negative-path testing. */
-export type VerifyFailureReason = 'empty_covered_set' | 'missing_required_component' | 'tag_mismatch' | 'stale_created' | 'unknown_verification_method' | 'content_digest_missing' | 'content_digest_mismatch' | 'base_reconstruction_mismatch' | 'signature_invalid' | 'replayed_nonce' | 'malformed_input';
+export type VerifyFailureReason = 'empty_covered_set' | 'missing_required_component' | 'tag_mismatch' | 'stale_created' | 'expired' | 'unknown_verification_method' | 'content_digest_missing' | 'content_digest_mismatch' | 'base_reconstruction_mismatch' | 'signature_invalid' | 'replayed_nonce' | 'malformed_input';
 /** Result of verifying a request against a profile. */
 export interface VerifyResult {
     valid: boolean;
     reason?: VerifyFailureReason;
     /** The verification method whose key validated the signature, when valid. */
     verificationMethod?: string;
+    /** Whether replay was checked. False when no nonceStore was supplied: the signature is valid but
+     *  the request was NOT checked for nonce reuse, so it can be replayed. Require replayChecked when
+     *  replay protection matters. */
+    replayChecked?: boolean;
 }
 //# sourceMappingURL=types.d.ts.map

package/dist/src/v2/transport/rfc9421/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../../src/v2/transport/rfc9421/types.ts"],"names":[],"mappings":"AACA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AAEtE;;;;;;GAMG;AACH,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,YAAY,GAAG,OAAO,CAAA;AAEjE;;;GAGG;AACH,MAAM,MAAM,cAAc,GAAG,gBAAgB,CAAA;AAE7C,6EAA6E;AAC7E,MAAM,MAAM,gBAAgB,GAAG,gBAAgB,GAAG,cAAc,CAAA;AAEhE;;;GAGG;AACH,MAAM,MAAM,sBAAsB,GAAG,SAAS,CAAA;AAE9C;;;GAGG;AACH,MAAM,MAAM,kBAAkB,GAAG,SAAS,CAAA;AAE1C;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,8DAA8D;IAC9D,MAAM,EAAE,MAAM,CAAA;IACd;;;;OAIG;IACH,GAAG,EAAE,MAAM,CAAA;IACX;;;OAGG;IACH,IAAI,CAAC,EAAE,UAAU,CAAA;CAClB;AAED;;;;GAIG;AACH,MAAM,WAAW,eAAe;IAC9B,wEAAwE;IACxE,OAAO,EAAE,MAAM,CAAA;IACf;;;;;OAKG;IACH,KAAK,EAAE,MAAM,CAAA;IACb;;;OAGG;IACH,KAAK,EAAE,MAAM,CAAA;IACb;;;;OAIG;IACH,GAAG,EAAE,MAAM,CAAA;IACX;;;OAGG;IACH,GAAG,CAAC,EAAE,kBAAkB,CAAA;IACxB,uEAAuE;IACvE,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB;AAED,6DAA6D;AAC7D,MAAM,WAAW,SAAS;IACxB,mEAAmE;IACnE,aAAa,EAAE,MAAM,CAAA;IACrB;;;;OAIG;IACH,kBAAkB,EAAE,MAAM,CAAA;CAC3B;AAED,+EAA+E;AAC/E,MAAM,WAAW,WAAW;IAC1B,kEAAkE;IAClE,YAAY,EAAE,MAAM,CAAA;IACpB,iEAAiE;IACjE,kBAAkB,EAAE,MAAM,CAAA;CAC3B;AAED;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAA;IACb,yEAAyE;IACzE,cAAc,EAAE,MAAM,CAAA;IACtB,gEAAgE;IAChE,SAAS,EAAE,MAAM,CAAA;IACjB;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,0EAA0E;IAC1E,aAAa,EAAE,MAAM,CAAA;CACtB;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,qBAAqB;IACpC,kDAAkD;IAClD,OAAO,EAAE,gCAAgC,CAAA;IACzC,8CAA8C;IAC9C,OAAO,EAAE,gBAAgB,EAAE,CAAA;IAC3B,kDAAkD;IAClD,KAAK,EAAE,gBAAgB,CAAA;IACvB,4DAA4D;IAC5D,kBAAkB,EAAE,MAAM,CAAA;IAC1B,wEAAwE;IACxE,OAAO,EAAE,MAAM,CAAA;IACf,mEAAmE;IACnE,KAAK,EAAE,MAAM,CAAA;IACb,wEAAwE;IACxE,GAAG,EAAE,MAAM,CAAA;IACX;;;;;OAKG;IACH,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB;;;OAGG;IACH,YAAY,EAAE,YAAY,CAAA;CAC3B;AAED,kCAAkC;AAClC,MAAM,WAAW,YAAY;IAC3B,2EAA2E;IAC3E,WAAW,EAAE,MAAM,CAAA;IACnB;;;;OAIG;IACH,cAAc,EAAE,MAAM,CAAA;IACtB;;;OAGG;IACH,kBAAkB,CAAC,EAAE,gBAAgB,EAAE,CAAA;IACvC;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAED,0EAA0E;AAC1E,MAAM,MAAM,mBAAmB,GAC3B,mBAAmB,GACnB,4BAA4B,GAC5B,cAAc,GACd,eAAe,GACf,6BAA6B,GAC7B,wBAAwB,GACxB,yBAAyB,GACzB,8BAA8B,GAC9B,mBAAmB,GACnB,gBAAgB,GAChB,iBAAiB,CAAA;AAErB,uDAAuD;AACvD,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,OAAO,CAAA;IACd,MAAM,CAAC,EAAE,mBAAmB,CAAA;IAC5B,6EAA6E;IAC7E,kBAAkB,CAAC,EAAE,MAAM,CAAA;CAC5B"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../../../src/v2/transport/rfc9421/types.ts"],"names":[],"mappings":"AACA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oCAAoC,CAAA;AAEtE;;;;;;GAMG;AACH,MAAM,MAAM,gBAAgB,GAAG,SAAS,GAAG,YAAY,GAAG,OAAO,CAAA;AAEjE;;;GAGG;AACH,MAAM,MAAM,cAAc,GAAG,gBAAgB,CAAA;AAE7C,6EAA6E;AAC7E,MAAM,MAAM,gBAAgB,GAAG,gBAAgB,GAAG,cAAc,CAAA;AAEhE;;;GAGG;AACH,MAAM,MAAM,sBAAsB,GAAG,SAAS,CAAA;AAE9C;;;GAGG;AACH,MAAM,MAAM,kBAAkB,GAAG,SAAS,CAAA;AAE1C;;;GAGG;AACH,MAAM,WAAW,cAAc;IAC7B,8DAA8D;IAC9D,MAAM,EAAE,MAAM,CAAA;IACd;;;;OAIG;IACH,GAAG,EAAE,MAAM,CAAA;IACX;;;OAGG;IACH,IAAI,CAAC,EAAE,UAAU,CAAA;CAClB;AAED;;;;GAIG;AACH,MAAM,WAAW,eAAe;IAC9B,wEAAwE;IACxE,OAAO,EAAE,MAAM,CAAA;IACf;;;;;OAKG;IACH,KAAK,EAAE,MAAM,CAAA;IACb;;;OAGG;IACH,KAAK,EAAE,MAAM,CAAA;IACb;;;;OAIG;IACH,GAAG,EAAE,MAAM,CAAA;IACX;;;OAGG;IACH,GAAG,CAAC,EAAE,kBAAkB,CAAA;IACxB,uEAAuE;IACvE,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB;AAED,6DAA6D;AAC7D,MAAM,WAAW,SAAS;IACxB,mEAAmE;IACnE,aAAa,EAAE,MAAM,CAAA;IACrB;;;;OAIG;IACH,kBAAkB,EAAE,MAAM,CAAA;CAC3B;AAED,+EAA+E;AAC/E,MAAM,WAAW,WAAW;IAC1B,kEAAkE;IAClE,YAAY,EAAE,MAAM,CAAA;IACpB,iEAAiE;IACjE,kBAAkB,EAAE,MAAM,CAAA;CAC3B;AAED;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,oDAAoD;IACpD,KAAK,EAAE,MAAM,CAAA;IACb,yEAAyE;IACzE,cAAc,EAAE,MAAM,CAAA;IACtB,gEAAgE;IAChE,SAAS,EAAE,MAAM,CAAA;IACjB;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,0EAA0E;IAC1E,aAAa,EAAE,MAAM,CAAA;CACtB;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,qBAAqB;IACpC,kDAAkD;IAClD,OAAO,EAAE,gCAAgC,CAAA;IACzC,8CAA8C;IAC9C,OAAO,EAAE,gBAAgB,EAAE,CAAA;IAC3B,kDAAkD;IAClD,KAAK,EAAE,gBAAgB,CAAA;IACvB,4DAA4D;IAC5D,kBAAkB,EAAE,MAAM,CAAA;IAC1B,wEAAwE;IACxE,OAAO,EAAE,MAAM,CAAA;IACf,mEAAmE;IACnE,KAAK,EAAE,MAAM,CAAA;IACb,wEAAwE;IACxE,GAAG,EAAE,MAAM,CAAA;IACX;;;;;OAKG;IACH,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB;;;OAGG;IACH,YAAY,EAAE,YAAY,CAAA;CAC3B;AAED,kCAAkC;AAClC,MAAM,WAAW,YAAY;IAC3B,2EAA2E;IAC3E,WAAW,EAAE,MAAM,CAAA;IACnB;;;;OAIG;IACH,cAAc,EAAE,MAAM,CAAA;IACtB;;;OAGG;IACH,kBAAkB,CAAC,EAAE,gBAAgB,EAAE,CAAA;IACvC;;;OAGG;IACH,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAED,0EAA0E;AAC1E,MAAM,MAAM,mBAAmB,GAC3B,mBAAmB,GACnB,4BAA4B,GAC5B,cAAc,GACd,eAAe,GACf,SAAS,GACT,6BAA6B,GAC7B,wBAAwB,GACxB,yBAAyB,GACzB,8BAA8B,GAC9B,mBAAmB,GACnB,gBAAgB,GAChB,iBAAiB,CAAA;AAErB,uDAAuD;AACvD,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,OAAO,CAAA;IACd,MAAM,CAAC,EAAE,mBAAmB,CAAA;IAC5B,6EAA6E;IAC7E,kBAAkB,CAAC,EAAE,MAAM,CAAA;IAC3B;;qCAEiC;IACjC,aAAa,CAAC,EAAE,OAAO,CAAA;CACxB"}