dosipas-ts 1.0.0 → 1.2.0

package/README.md

@@ -1,8 +1,12 @@
 # dosipas-ts
 
-Decode, encode, and verify UIC barcode tickets with Intercode 6 extensions in TypeScript.
+> **[Try the online playground](https://sysdevrun.github.io/dosipas-ts/)** — decode, encode, sign, verify, and control UIC barcode tickets in your browser.
 
-Handles the full UIC barcode envelope (header versions 1 and 2), FCB rail ticket data (versions 1, 2, and 3), Intercode 6 issuing extensions, dynamic data, and two-level ECDSA signature verification.
+Decode, encode, sign, verify, and control UIC barcode tickets with Intercode 6 extensions in TypeScript.
+
+Handles the full UIC barcode envelope (header versions 1 and 2), FCB rail ticket data (versions 1, 2, and 3), Intercode 6 issuing extensions, dynamic data (both Intercode ID1 and FDC1 formats), and two-level ECDSA signature verification and signing.
+
+ASN.1 PER unaligned payloads are parsed using [`asn1-per-ts`](https://github.com/sysdevrun/asn1-per-ts).
 
 ## Install
 
@@ -10,7 +14,10 @@ Handles the full UIC barcode envelope (header versions 1 and 2), FCB rail ticket
 npm install dosipas-ts
 ```
 
-Requires Node.js 18+. ESM-only.
+## Requirements
+
+- **Node.js >= 20** — Node 18 is not supported because `globalThis.crypto` (Web Crypto API) is not available as a stable global until Node 20. The `@noble/curves` and `@noble/hashes` dependencies rely on it for cryptographic operations.
+- **ESM-only** — this package uses `"type": "module"` and provides only ESM exports.
 
 ## Decoding
 
@@ -24,31 +31,57 @@ const ticket = decodeTicket('815563dd8e76...');
 const ticket = decodeTicketFromBytes(bytes);
 ```
 
-The returned `UicBarcodeTicket` object contains:
+The returned `UicBarcodeTicket` follows the UIC barcode ASN.1 schema hierarchy:
 
 ```ts
-ticket.format          // "U1" or "U2"
-ticket.headerVersion   // 1 or 2
-ticket.security        // SecurityInfo (provider, key IDs, algorithms, signatures)
-ticket.railTickets     // RailTicketData[] (FCB-decoded ticket data)
-ticket.otherDataBlocks // DataBlock[] (non-FCB data blocks)
-ticket.dynamicData     // IntercodeDynamicData (Intercode 6 Level 2, if present)
-ticket.level2Signature // Uint8Array (if present)
+ticket.format                          // "U1" or "U2"
+ticket.level2SignedData.level1Data     // security metadata + data sequence
+ticket.level2SignedData.level1Signature // Level 1 signature bytes
+ticket.level2SignedData.level2Data     // dynamic content block (FDC1 or Intercode ID1)
+ticket.level2Signature                 // Level 2 signature bytes
 ```
 
-Each rail ticket includes typed fields for issuing details, traveler info, transport documents, and control details:
+Security metadata and algorithm OIDs live on `level1Data`:
 
 ```ts
-const rt = ticket.railTickets[0];
+const l1 = ticket.level2SignedData.level1Data;
+
+l1.securityProviderNum   // RICS code of the security provider
+l1.keyId                 // key ID for signature lookup
+l1.level1KeyAlg          // Level 1 key algorithm OID
+l1.level1SigningAlg      // Level 1 signing algorithm OID
+l1.level2KeyAlg          // Level 2 key algorithm OID
+l1.level2SigningAlg      // Level 2 signing algorithm OID
+l1.level2PublicKey       // Level 2 public key bytes (embedded in barcode)
+l1.endOfValidityYear     // v2 headers only
+l1.endOfValidityDay      // v2 headers only
+l1.validityDuration      // seconds
+```
+
+Rail ticket data is in `level1Data.dataSequence`:
 
-rt.fcbVersion                              // 1, 2, or 3
+```ts
+const entry = ticket.level2SignedData.level1Data.dataSequence[0];
+
+entry.dataFormat          // "FCB1", "FCB2", or "FCB3"
+entry.data                // raw PER-encoded bytes
+
+const rt = entry.decoded; // UicRailTicketData (when dataFormat is FCBn)
 rt.issuingDetail?.issuerNum                // RICS code
 rt.issuingDetail?.issuingYear              // e.g. 2025
 rt.issuingDetail?.issuingDay               // day of year
 rt.issuingDetail?.intercodeIssuing         // Intercode 6 issuing extension
 rt.travelerDetail?.traveler?.[0].firstName // traveler name
-rt.transportDocument?.[0].ticketType       // e.g. "openTicket", "reservation"
-rt.raw                                     // full decoded object for fields not covered above
+rt.transportDocument?.[0].ticket           // { key: "openTicket", value: { ... } }
+```
+
+Dynamic content is in `level2Data`:
+
+```ts
+const l2 = ticket.level2SignedData.level2Data;
+
+l2.dataFormat  // "FDC1" or "_3703.ID1" (Intercode)
+l2.decoded     // UicDynamicContentData (FDC1) or IntercodeDynamicData (Intercode)
 ```
 
 ## Encoding
@@ -97,6 +130,52 @@ const hex = encodeTicket({
 const bytes = encodeTicketToBytes({ /* same input */ });
 ```
 
+## Signing
+
+Sign tickets with ECDSA using the two-pass signing flow (Level 1, then Level 2):
+
+```ts
+import { signAndEncodeTicket, generateKeyPair } from 'dosipas-ts';
+
+const level1Key = generateKeyPair('P-256');
+const level2Key = generateKeyPair('P-256');
+
+const ticketBytes = signAndEncodeTicket(
+  {
+    headerVersion: 2,
+    fcbVersion: 2,
+    securityProviderNum: 3703,
+    keyId: 1,
+    railTicket: {
+      issuingDetail: {
+        issuerNum: 3703,
+        issuingYear: 2025,
+        issuingDay: 44,
+        activated: true,
+      },
+      transportDocument: [
+        { ticketType: 'openTicket', ticket: { /* ... */ } },
+      ],
+    },
+  },
+  level1Key,
+  level2Key, // omit for static barcodes (Level 1 only)
+);
+```
+
+For finer control, sign each level independently:
+
+```ts
+import { signLevel1, signLevel2 } from 'dosipas-ts';
+
+const level1Sig = signLevel1(input, privateKey, 'P-256');
+const level2Sig = signLevel2(
+  { ...input, level1Signature: level1Sig },
+  level2PrivateKey,
+  'P-256',
+);
+```
+
 ## Signature verification
 
 UIC barcodes use a two-level signature scheme:
@@ -154,6 +233,39 @@ import { verifyLevel1Signature } from 'dosipas-ts';
 const result = await verifyLevel1Signature(barcodeBytes, publicKeyBytes);
 ```
 
+## Ticket control
+
+Perform comprehensive validation of a ticket in a single call:
+
+```ts
+import { controlTicket } from 'dosipas-ts';
+
+const result = await controlTicket(hexPayload, {
+  level1KeyProvider: provider,
+  expectedIntercodeNetworkIds: new Set(['250502']),
+});
+
+result.valid   // true only if all error-severity checks passed
+result.ticket  // decoded UicBarcodeTicket
+result.checks  // individual check results keyed by name
+```
+
+Checks performed: decode, header format, security info, Level 1 signature, Level 2 signature, expiry, specimen flag, activated flag, issuing detail, transport document, Intercode extension (with optional network ID validation), dynamic data format, and dynamic content freshness.
+
+## Time helpers
+
+Compute UTC timestamps from ticket fields:
+
+```ts
+import { getIssuingTime, getEndOfValidityTime, getDynamicContentTime } from 'dosipas-ts';
+
+const ticket = decodeTicket(hex);
+
+getIssuingTime(ticket)         // Date from issuingYear + issuingDay + issuingTime
+getEndOfValidityTime(ticket)   // Date from v2 endOfValidity fields or v1 issuing + duration
+getDynamicContentTime(ticket)  // Date from FDC1 timestamp or Intercode ID1 dynamic fields
+```
+
 ## Extracting signed data
 
 For custom verification workflows, extract the exact signed bytes from a barcode:
@@ -193,6 +305,9 @@ import {
   SOLEA_TICKET_HEX,
   CTS_TICKET_HEX,
   GRAND_EST_U1_FCB3_HEX,
+  BUS_ARDECHE_TICKET_HEX,
+  BUS_AIN_TICKET_HEX,
+  DROME_BUS_TICKET_HEX,
 } from 'dosipas-ts';
 ```
 
@@ -204,8 +319,8 @@ import { SNCF_TER_SIGNATURES, SOLEA_SIGNATURES, CTS_SIGNATURES } from 'dosipas-t
 
 ## Supported algorithms
 
-| Algorithm | Signing | Key verification |
-|-----------|---------|-----------------|
+| Algorithm | Signing | Verification |
+|-----------|---------|--------------|
 | ECDSA P-256 with SHA-256 | Yes | Yes |
 | ECDSA P-384 with SHA-384 | Yes | Yes |
 | ECDSA P-521 with SHA-512 | Yes | Yes |

package/dist/control.d.ts

@@ -0,0 +1,15 @@
+import type { ControlResult, ControlOptions } from './types';
+/**
+ * Perform comprehensive validation of a dosipas ticket.
+ *
+ * Decodes the ticket from hex, then runs a series of check functions covering
+ * header format, security metadata, signatures, expiry, specimen/activated
+ * flags, issuing details, transport documents, Intercode extensions, and
+ * dynamic content freshness.
+ *
+ * @param hex - Hex-encoded barcode payload.
+ * @param options - Control options (reference time, key provider, expected networks).
+ * @returns Aggregated control result with individual check results.
+ */
+export declare function controlTicket(hex: string, options?: ControlOptions): Promise<ControlResult>;
+//# sourceMappingURL=control.d.ts.map

package/dist/control.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"control.d.ts","sourceRoot":"","sources":["../src/control.ts"],"names":[],"mappings":"AAUA,OAAO,KAAK,EAMV,aAAa,EACb,cAAc,EACf,MAAM,SAAS,CAAC;AAmajB;;;;;;;;;;;GAWG;AACH,wBAAsB,aAAa,CACjC,GAAG,EAAE,MAAM,EACX,OAAO,CAAC,EAAE,cAAc,GACvB,OAAO,CAAC,aAAa,CAAC,CAqExB"}

package/dist/control.js

@@ -0,0 +1,445 @@
+/**
+ * Ticket validity control helpers.
+ *
+ * Performs comprehensive validation of a dosipas ticket by decoding it once
+ * and running a series of focused check functions — each responsible for
+ * verifying one specific aspect of the ticket.
+ */
+import { decodeTicket } from './decoder';
+import { verifyLevel1Signature, verifyLevel2Signature } from './verifier';
+import { getEndOfValidityTime, getDynamicContentTime } from './time-helpers';
+// ---------------------------------------------------------------------------
+// Hex helpers
+// ---------------------------------------------------------------------------
+function hexToBytes(hex) {
+    const clean = hex.replace(/\s+/g, '').replace(/h$/i, '').toLowerCase();
+    return new Uint8Array(clean.match(/.{1,2}/g).map(b => parseInt(b, 16)));
+}
+// ---------------------------------------------------------------------------
+// Accessor helpers — resolve new schema hierarchy
+// ---------------------------------------------------------------------------
+/** Infer header version from format string (U1→1, U2→2). */
+function headerVersion(ticket) {
+    const m = ticket.format.match(/^U(\d)$/);
+    return m ? parseInt(m[1], 10) : 0;
+}
+/** Get the first decoded UicRailTicketData from dataSequence, if any. */
+function firstRailTicket(ticket) {
+    for (const entry of ticket.level2SignedData.level1Data.dataSequence) {
+        if (entry.decoded)
+            return entry.decoded;
+    }
+    return undefined;
+}
+/** Get decoded level2 dynamic content, narrowed to FDC1. */
+function fdc1Data(ticket) {
+    const l2 = ticket.level2SignedData.level2Data;
+    if (!l2 || l2.dataFormat !== 'FDC1')
+        return undefined;
+    return l2.decoded;
+}
+/** Get decoded level2 dynamic content, narrowed to Intercode. */
+function intercodeDynamic(ticket) {
+    const l2 = ticket.level2SignedData.level2Data;
+    if (!l2 || !/^_\d+\.ID1$/.test(l2.dataFormat))
+        return undefined;
+    return l2.decoded;
+}
+// ---------------------------------------------------------------------------
+// Check helpers
+// ---------------------------------------------------------------------------
+function checkHeader(ticket) {
+    const formatOk = ticket.format === 'U1' || ticket.format === 'U2';
+    return {
+        name: 'Header',
+        passed: formatOk,
+        severity: 'error',
+        message: formatOk
+            ? undefined
+            : `Unrecognized header format: ${ticket.format}`,
+    };
+}
+function checkSecurityInfo(ticket) {
+    const l1 = ticket.level2SignedData.level1Data;
+    const issues = [];
+    // Level 1 (mandatory)
+    if (l1.securityProviderNum == null && !l1.securityProviderIA5) {
+        issues.push('missing security provider');
+    }
+    if (l1.keyId == null) {
+        issues.push('missing keyId');
+    }
+    // level1SigningAlg is only available in v2 headers; v1 headers don't include OID fields
+    if (headerVersion(ticket) >= 2 && !l1.level1SigningAlg) {
+        issues.push('missing level1SigningAlg');
+    }
+    if (!ticket.level2SignedData.level1Signature) {
+        issues.push('missing level1Signature');
+    }
+    // Level 2 (conditional)
+    if (l1.level2SigningAlg) {
+        if (!l1.level2KeyAlg)
+            issues.push('level2SigningAlg set but missing level2KeyAlg');
+        if (!l1.level2PublicKey)
+            issues.push('level2SigningAlg set but missing level2PublicKey');
+        if (!ticket.level2Signature)
+            issues.push('level2SigningAlg set but missing level2Signature');
+    }
+    return {
+        name: 'Security Info',
+        passed: issues.length === 0,
+        severity: 'error',
+        message: issues.length > 0 ? issues.join('; ') : undefined,
+    };
+}
+async function checkLevel1Signature(bytes, ticket, options) {
+    if (!options.level1KeyProvider) {
+        return {
+            name: 'Level 1 Signature',
+            passed: false,
+            severity: 'error',
+            message: 'No level 1 key provider — cannot verify mandatory level 1 signature',
+        };
+    }
+    try {
+        const l1 = ticket.level2SignedData.level1Data;
+        const pubKey = await options.level1KeyProvider.getPublicKey({ num: l1.securityProviderNum, ia5: l1.securityProviderIA5 }, l1.keyId ?? 0, l1.level1KeyAlg);
+        const result = await verifyLevel1Signature(bytes, pubKey);
+        return {
+            name: 'Level 1 Signature',
+            passed: result.valid,
+            severity: 'error',
+            message: result.valid ? undefined : (result.error ?? 'Verification failed'),
+        };
+    }
+    catch (e) {
+        return {
+            name: 'Level 1 Signature',
+            passed: false,
+            severity: 'error',
+            message: e instanceof Error ? e.message : 'Key provider error',
+        };
+    }
+}
+async function checkLevel2Signature(bytes, ticket) {
+    if (!ticket.level2SignedData.level1Data.level2SigningAlg) {
+        return {
+            name: 'Level 2 Signature',
+            passed: true,
+            severity: 'info',
+            message: 'Level 2 signature not required — level2SigningAlg not set',
+        };
+    }
+    try {
+        const result = await verifyLevel2Signature(bytes);
+        return {
+            name: 'Level 2 Signature',
+            passed: result.valid,
+            severity: 'error',
+            message: result.valid ? undefined : (result.error ?? 'Verification failed'),
+        };
+    }
+    catch (e) {
+        return {
+            name: 'Level 2 Signature',
+            passed: false,
+            severity: 'error',
+            message: e instanceof Error ? e.message : 'Verification failed',
+        };
+    }
+}
+function checkNotExpired(ticket, now) {
+    const expiry = getEndOfValidityTime(ticket);
+    if (!expiry) {
+        return {
+            name: 'Not Expired',
+            passed: true,
+            severity: 'info',
+            message: 'Cannot determine expiry — no validity duration available',
+        };
+    }
+    const passed = now < expiry;
+    return {
+        name: 'Not Expired',
+        passed,
+        severity: 'error',
+        message: passed ? undefined : `Ticket expired at ${expiry.toISOString()}`,
+    };
+}
+function checkNotSpecimen(ticket) {
+    const specimen = firstRailTicket(ticket)?.issuingDetail?.specimen;
+    return {
+        name: 'Not Specimen',
+        passed: !specimen,
+        severity: 'error',
+        message: specimen ? 'Ticket is a specimen/test ticket' : undefined,
+    };
+}
+function checkActivated(ticket) {
+    const activated = firstRailTicket(ticket)?.issuingDetail?.activated;
+    return {
+        name: 'Activated',
+        passed: !!activated,
+        severity: 'error',
+        message: activated ? undefined : 'Ticket is not activated',
+    };
+}
+function checkIssuingDetail(ticket) {
+    const issues = [];
+    const rt = firstRailTicket(ticket);
+    if (!rt) {
+        issues.push('no decoded rail ticket present');
+    }
+    else {
+        if (!rt.issuingDetail) {
+            issues.push('missing issuingDetail');
+        }
+        else {
+            const iss = rt.issuingDetail;
+            if (iss.issuingYear < 2016)
+                issues.push(`implausible issuingYear: ${iss.issuingYear}`);
+            if (iss.issuingDay < 1 || iss.issuingDay > 366)
+                issues.push(`implausible issuingDay: ${iss.issuingDay}`);
+        }
+    }
+    return {
+        name: 'Issuing Detail',
+        passed: issues.length === 0,
+        severity: 'error',
+        message: issues.length > 0 ? issues.join('; ') : undefined,
+    };
+}
+function checkTransportDocument(ticket) {
+    const docs = firstRailTicket(ticket)?.transportDocument;
+    if (!docs || docs.length === 0) {
+        return {
+            name: 'Transport Document',
+            passed: false,
+            severity: 'error',
+            message: 'No transport document present',
+        };
+    }
+    // In new structure, each doc has ticket: { key, value } — check that key exists
+    const invalid = docs.filter(d => !d.ticket?.key);
+    if (invalid.length > 0) {
+        return {
+            name: 'Transport Document',
+            passed: false,
+            severity: 'error',
+            message: `${invalid.length} transport document(s) missing ticket type`,
+        };
+    }
+    return {
+        name: 'Transport Document',
+        passed: true,
+        severity: 'error',
+    };
+}
+function checkIntercodeExtension(ticket, options) {
+    const iss = firstRailTicket(ticket)?.issuingDetail;
+    if (iss?.intercodeIssuing) {
+        // Extension decoded successfully — check network ID if expected
+        if (options.expectedIntercodeNetworkIds) {
+            const networkHex = Array.from(iss.intercodeIssuing.networkId)
+                .map(b => b.toString(16).padStart(2, '0'))
+                .join('');
+            if (!options.expectedIntercodeNetworkIds.has(networkHex)) {
+                return {
+                    name: 'Intercode Extension',
+                    passed: false,
+                    severity: 'error',
+                    message: `Network ID ${networkHex} not in expected set: ${[...options.expectedIntercodeNetworkIds].join(', ')}`,
+                };
+            }
+        }
+        return {
+            name: 'Intercode Extension',
+            passed: true,
+            severity: options.expectedIntercodeNetworkIds ? 'error' : 'warning',
+        };
+    }
+    if (iss?.extension) {
+        const extId = iss.extension.extensionId;
+        if (/^[_+](\d+|[A-Z]{2})II1$/.test(extId)) {
+            return {
+                name: 'Intercode Extension',
+                passed: false,
+                severity: options.expectedIntercodeNetworkIds ? 'error' : 'warning',
+                message: `Extension ${extId} looks like Intercode but was not decoded`,
+            };
+        }
+    }
+    if (options.expectedIntercodeNetworkIds) {
+        return {
+            name: 'Intercode Extension',
+            passed: false,
+            severity: 'error',
+            message: 'Intercode issuing data required but absent',
+        };
+    }
+    return {
+        name: 'Intercode Extension',
+        passed: true,
+        severity: 'info',
+        message: 'No issuing extension present',
+    };
+}
+function checkDynamicData(ticket) {
+    const l2 = ticket.level2SignedData.level2Data;
+    if (!l2) {
+        return {
+            name: 'Dynamic Data',
+            passed: true,
+            severity: 'info',
+            message: 'No level 2 data block present',
+        };
+    }
+    // FDC1 format
+    if (l2.dataFormat === 'FDC1') {
+        if (!l2.decoded) {
+            return {
+                name: 'Dynamic Data',
+                passed: false,
+                severity: 'warning',
+                message: 'FDC1 data block present but decoding failed',
+            };
+        }
+        return { name: 'Dynamic Data', passed: true, severity: 'warning' };
+    }
+    // Intercode _RICS.ID1 format
+    if (/^_\d+\.ID1$/.test(l2.dataFormat)) {
+        if (!l2.decoded) {
+            return {
+                name: 'Dynamic Data',
+                passed: false,
+                severity: 'warning',
+                message: `${l2.dataFormat} data block present but decoding failed`,
+            };
+        }
+        return { name: 'Dynamic Data', passed: true, severity: 'warning' };
+    }
+    return {
+        name: 'Dynamic Data',
+        passed: true,
+        severity: 'info',
+        message: `Unknown level 2 data format: ${l2.dataFormat}`,
+    };
+}
+function checkDynamicContentFreshness(ticket, now) {
+    const l1 = ticket.level2SignedData.level1Data;
+    const genTime = getDynamicContentTime(ticket);
+    if (!genTime) {
+        // No dynamic content or required fields missing
+        const l2 = ticket.level2SignedData.level2Data;
+        if (!l2?.decoded) {
+            return {
+                name: 'Dynamic Content Freshness',
+                passed: true,
+                severity: 'info',
+                message: 'No dynamic content present',
+            };
+        }
+        return {
+            name: 'Dynamic Content Freshness',
+            passed: true,
+            severity: 'info',
+            message: 'Cannot compute freshness — missing fields',
+        };
+    }
+    // Determine duration: for Intercode, prefer dynamicContentDuration, then validityDuration
+    let durationMs;
+    const dd = intercodeDynamic(ticket);
+    if (dd?.dynamicContentDuration != null) {
+        durationMs = dd.dynamicContentDuration * 1000;
+    }
+    else if (l1.validityDuration != null) {
+        durationMs = l1.validityDuration * 1000;
+    }
+    if (durationMs == null) {
+        return {
+            name: 'Dynamic Content Freshness',
+            passed: true,
+            severity: 'info',
+            message: 'Cannot compute freshness — no duration available',
+        };
+    }
+    const expiryTime = new Date(genTime.getTime() + durationMs);
+    const passed = now < expiryTime;
+    return {
+        name: 'Dynamic Content Freshness',
+        passed,
+        severity: 'error',
+        message: passed
+            ? undefined
+            : `Dynamic content expired at ${expiryTime.toISOString()}`,
+    };
+}
+// ---------------------------------------------------------------------------
+// Main entry point
+// ---------------------------------------------------------------------------
+/**
+ * Perform comprehensive validation of a dosipas ticket.
+ *
+ * Decodes the ticket from hex, then runs a series of check functions covering
+ * header format, security metadata, signatures, expiry, specimen/activated
+ * flags, issuing details, transport documents, Intercode extensions, and
+ * dynamic content freshness.
+ *
+ * @param hex - Hex-encoded barcode payload.
+ * @param options - Control options (reference time, key provider, expected networks).
+ * @returns Aggregated control result with individual check results.
+ */
+export async function controlTicket(hex, options) {
+    const checks = {};
+    const opts = options ?? {};
+    const now = opts.now ?? new Date();
+    // 1. Decode
+    let ticket;
+    try {
+        ticket = decodeTicket(hex);
+        checks.decode = {
+            name: 'Decode',
+            passed: true,
+            severity: 'error',
+        };
+    }
+    catch (e) {
+        checks.decode = {
+            name: 'Decode',
+            passed: false,
+            severity: 'error',
+            message: e instanceof Error ? e.message : 'Decode failed',
+        };
+        return { valid: false, checks };
+    }
+    // Convert hex to bytes for signature verification
+    const bytes = hexToBytes(hex);
+    // 2. Header
+    checks.header = checkHeader(ticket);
+    // 3. Security Info
+    checks.securityInfo = checkSecurityInfo(ticket);
+    // 4. Level 1 Signature (async)
+    checks.level1Signature = await checkLevel1Signature(bytes, ticket, opts);
+    // 5. Level 2 Signature (async)
+    checks.level2Signature = await checkLevel2Signature(bytes, ticket);
+    // 6. Not Expired
+    checks.notExpired = checkNotExpired(ticket, now);
+    // 7. Not Specimen
+    checks.notSpecimen = checkNotSpecimen(ticket);
+    // 8. Activated
+    checks.activated = checkActivated(ticket);
+    // 9. Issuing Detail
+    checks.issuingDetail = checkIssuingDetail(ticket);
+    // 10. Transport Document
+    checks.transportDocument = checkTransportDocument(ticket);
+    // 11. Intercode Extension
+    checks.intercodeExtension = checkIntercodeExtension(ticket, opts);
+    // 12. Dynamic Data
+    checks.dynamicData = checkDynamicData(ticket);
+    // 13. Dynamic Content Freshness
+    checks.dynamicContentFreshness = checkDynamicContentFreshness(ticket, now);
+    // Compute overall validity: all error-severity checks must pass
+    const valid = Object.values(checks).every(c => c.severity !== 'error' || c.passed);
+    return { valid, ticket, checks };
+}
+//# sourceMappingURL=control.js.map