npm - payment-kit - Versions diffs - 1.29.5 → 1.29.7 - Mend

payment-kit 1.29.5 → 1.29.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (25) hide show

package/api/src/integrations/app-store/signed-data-verifier.ts CHANGED Viewed

@@ -1,49 +1,30 @@
-// Real signature verification for App Store JWS payloads.
+// Signature verification for App Store JWS payloads — native (node:crypto +
+// crypto.subtle), no external dependency. The Apple JWS chain/signature logic
+// lives in native-jws.ts (verifyAppleJws); the App Store Server API client lives
+// in native-api.ts (nativeGetAllSubscriptionStatuses). The legacy
+// `@apple/app-store-server-library` path was removed once native became the only
+// path (design §10 Phase 3) — that evicts jsrsasign + the whole apple cluster
+// from both payment-core bundles.
 //
-// Wraps Apple's official `@apple/app-store-server-library` SignedDataVerifier:
-//   1. Loads bundled Apple Root CAs (vendored as base64 constants in
-//      apple-root-certs.ts so tsc compiles to dist without copying assets)
-//   2. Caches a per-(bundleId, environment) verifier instance — Apple SDK keeps
-//      a public-key cache inside each verifier, so reusing is much faster than
-//      constructing per-call
-//   3. Provides verifyTransaction / verifyNotification that throw on bad signatures
-//
-// Env var `APP_STORE_SKIP_SIGNATURE_VERIFY=true` bypasses the SDK entirely
-// (decode-only). Use for unit tests and sandbox debugging — never in production.
-// NOTE: @apple/app-store-server-library has top-level side-effects (jsrsasign
-// initializes RNG in global scope, see https://github.com/apple/app-store-server-library-node).
-// Cloudflare Workers forbid I/O / random / setTimeout in global scope, so we
-// **lazy-load** the SDK inside the first call to getVerifier. This keeps the
-// worker startup clean and lets non-Apple endpoints (Google Play, entitlements,
-// etc.) mount even when Apple SDK is present in the deps.
-import type {
-  AppStoreServerAPIClient,
-  JWSTransactionDecodedPayload,
-  ResponseBodyV2DecodedPayload,
-  SignedDataVerifier,
-  StatusResponse,
-} from '@apple/app-store-server-library';
+// Env var `APP_STORE_SKIP_SIGNATURE_VERIFY=true` bypasses verification
+// (decode-only) — for unit tests / sandbox debugging, fail-closed in production.
 import logger from '../../libs/logger';
 import { appStoreSkipSignatureVerify, isProduction } from '../../libs/env';
-import { APPLE_ROOT_CERTS } from './apple-root-certs';
-const verifierCache = new Map<string, SignedDataVerifier>();
+import { JwsNotificationPayload, JwsTransactionPayload, verifyAppleJws } from './native-jws';
+import { nativeGetAllSubscriptionStatuses } from './native-api';
-async function getVerifier(bundleId: string, environment: 'production' | 'sandbox'): Promise<SignedDataVerifier> {
-  const key = `${bundleId}:${environment}`;
-  const cached = verifierCache.get(key);
-  if (cached) return cached;
-  // Dynamic import — keeps the SDK out of the worker bundle's global scope.
-  const mod = await import('@apple/app-store-server-library');
-  const env = environment === 'production' ? mod.Environment.PRODUCTION : mod.Environment.SANDBOX;
-  // enableOnlineChecks=false — turning this on does OCSP revocation lookups on
-  // every verify, which adds latency + network dependency. Apple's published
-  // recommendation is to leave it off unless you specifically need it.
-  const verifier = new mod.SignedDataVerifier(APPLE_ROOT_CERTS, false, env, bundleId);
-  verifierCache.set(key, verifier);
-  return verifier;
+/**
+ * Minimal local shape of Apple's App Store Server API StatusResponse — only the
+ * fields `AppStoreClient.getSubscriptionStatus` reads (client.ts:337-339).
+ */
+export interface StatusResponse {
+  data?: Array<{
+    lastTransactions?: Array<{
+      originalTransactionId?: string;
+      signedTransactionInfo?: string;
+    }>;
+  }>;
 }
 export function isSignatureVerificationSkipped(): boolean {
@@ -64,28 +45,29 @@ export function isSignatureVerificationSkipped(): boolean {
 export async function verifySignedTransaction(
   signedTransaction: string,
-  bundleId: string,
-  environment: 'production' | 'sandbox'
-): Promise<JWSTransactionDecodedPayload> {
+  _bundleId: string,
+  _environment: 'production' | 'sandbox'
+): Promise<JwsTransactionPayload> {
   if (isSignatureVerificationSkipped()) {
     logger.warn('app_store: signature verification skipped via APP_STORE_SKIP_SIGNATURE_VERIFY');
-    return decodeUnsafe<JWSTransactionDecodedPayload>(signedTransaction);
+    return decodeUnsafe<JwsTransactionPayload>(signedTransaction);
   }
-  const verifier = await getVerifier(bundleId, environment);
-  return verifier.verifyAndDecodeTransaction(signedTransaction);
+  // Stateless native verify — anchors to vendored Apple roots, validates against
+  // the payload's signedDate. bundleId/environment stay in the signature for
+  // caller-layer enforcement (client.ts) + API parity.
+  return verifyAppleJws<JwsTransactionPayload>(signedTransaction);
 }
 export async function verifySignedNotification(
   signedPayload: string,
-  bundleId: string,
-  environment: 'production' | 'sandbox'
-): Promise<ResponseBodyV2DecodedPayload> {
+  _bundleId: string,
+  _environment: 'production' | 'sandbox'
+): Promise<JwsNotificationPayload> {
   if (isSignatureVerificationSkipped()) {
     logger.warn('app_store: signature verification skipped via APP_STORE_SKIP_SIGNATURE_VERIFY');
-    return decodeUnsafe<ResponseBodyV2DecodedPayload>(signedPayload);
+    return decodeUnsafe<JwsNotificationPayload>(signedPayload);
   }
-  const verifier = await getVerifier(bundleId, environment);
-  return verifier.verifyAndDecodeNotification(signedPayload);
+  return verifyAppleJws<JwsNotificationPayload>(signedPayload);
 }
 /** Decode-only fallback for when signature verification is intentionally bypassed. */
@@ -101,13 +83,6 @@ function decodeUnsafe<T>(jws: string): T {
   }
 }
-// Exposed for tests — reset module-level caches between tests.
-// eslint-disable-next-line @typescript-eslint/naming-convention
-export function __resetVerifierCachesForTests(): void {
-  verifierCache.clear();
-  apiClientCache.clear();
-}
 // ============================================================================
 // App Store Server API client — for pulling fresh state (subscription status,
 // transaction history) when our local cache might be stale (e.g. at renewal,
@@ -123,29 +98,15 @@ export type AppStoreApiCredentials = {
   environment: 'production' | 'sandbox';
 };
-const apiClientCache = new Map<string, AppStoreServerAPIClient>();
-async function getApiClient(creds: AppStoreApiCredentials): Promise<AppStoreServerAPIClient> {
-  const key = `${creds.bundleId}:${creds.environment}:${creds.keyId}`;
-  const cached = apiClientCache.get(key);
-  if (cached) return cached;
-  // Lazy import — same reason as getVerifier (global-scope I/O ban in CF Workers).
-  const mod = await import('@apple/app-store-server-library');
-  const env = creds.environment === 'production' ? mod.Environment.PRODUCTION : mod.Environment.SANDBOX;
-  const client = new mod.AppStoreServerAPIClient(creds.privateKeyPem, creds.keyId, creds.issuerId, creds.bundleId, env);
-  apiClientCache.set(key, client);
-  return client;
-}
 /**
- * Fetch all subscription statuses for a given originalTransactionId.
- * Returns Apple's StatusResponse which contains `signedTransactionInfo` /
- * `signedRenewalInfo` JWS strings — verify those with the SignedDataVerifier
- * if you want decoded payloads.
+ * Fetch all subscription statuses for a given originalTransactionId via the
+ * native App Store Server API client (ES256 JWT bearer + fetch). Returns Apple's
+ * StatusResponse, whose `signedTransactionInfo` JWS strings are verified by the
+ * caller (client.ts) with verifyAppleJws.
  */
 export async function getAllSubscriptionStatuses(
   originalTransactionId: string,
   creds: AppStoreApiCredentials
 ): Promise<StatusResponse> {
-  const client = await getApiClient(creds);
-  return client.getAllSubscriptionStatuses(originalTransactionId);
+  return nativeGetAllSubscriptionStatuses(originalTransactionId, creds);
 }

package/api/tests/integrations/app-store/client.spec.ts CHANGED Viewed

@@ -8,18 +8,35 @@ process.env.APP_STORE_SKIP_SIGNATURE_VERIFY = 'true';
 import { AppStoreClient, AppStoreSettings } from '../../../src/integrations/app-store/client';
-const mockConfigApple = jest.fn();
-const mockValidateAppleReceipt = jest.fn();
-jest.mock('node-apple-receipt-verify', () => ({
-  config: (...args: any[]) => mockConfigApple(...args),
-  validate: (...args: any[]) => mockValidateAppleReceipt(...args),
-}));
-beforeEach(() => {
-  mockConfigApple.mockReset();
-  mockValidateAppleReceipt.mockReset();
+// Path C (verifyLegacyReceipt) is now native fetch — mock the verifyReceipt HTTP
+// call instead of the evicted node-apple-receipt-verify package.
+type LegacyCall = { url: string; body: any };
+let legacyCalls: LegacyCall[] = [];
+/** Mock Apple's verifyReceipt with one JSON response per call (production→sandbox). */
+function mockVerifyReceipt(responses: Array<{ status: number; latest_receipt_info?: any[]; receipt?: any }>): void {
+  let i = 0;
+  legacyCalls = [];
+  global.fetch = jest.fn(async (url: unknown, init?: unknown) => {
+    legacyCalls.push({ url: String(url), body: JSON.parse(String((init as RequestInit).body)) });
+    const r = responses[Math.min(i, responses.length - 1)]!;
+    i += 1;
+    return { ok: true, status: 200, json: async () => r } as unknown as Response;
+  }) as unknown as typeof fetch;
+}
+/** Apple verifyReceipt success body with snake_case item(s). */
+const legacyItem = (over: Record<string, unknown> = {}) => ({
+  product_id: 'sub_06',
+  transaction_id: 'txn_1',
+  original_transaction_id: 'orig_1',
+  purchase_date_ms: '1700000000000',
+  expires_date_ms: '1800000000000',
+  ...over,
 });
+afterEach(() => jest.restoreAllMocks());
 const baseSettings: AppStoreSettings = {
   bundle_id: 'com.example.app',
   environment: 'sandbox',
@@ -232,38 +249,20 @@ describe('AppStoreClient.verifyLegacyReceipt', () => {
     await expect(c.verifyLegacyReceipt('base64-receipt')).rejects.toThrow(/shared_secret is required/);
   });
-  it('configures node-apple-receipt-verify with provided secret + both envs', async () => {
-    mockValidateAppleReceipt.mockResolvedValue([
-      {
-        bundleId: 'com.example.app',
-        productId: 'sub_06',
-        transactionId: 'txn_1',
-        originalTransactionId: 'orig_1',
-        purchaseDate: 1700000000000,
-        expirationDate: 1800000000000,
-      },
-    ]);
+  it('POSTs receipt-data + secret + exclude-old-transactions to the production Apple host', async () => {
+    mockVerifyReceipt([{ status: 0, receipt: { bundle_id: 'com.example.app' }, latest_receipt_info: [legacyItem()] }]);
     const c = AppStoreClient.fromSettings(withSecret);
     await c.verifyLegacyReceipt('base64-receipt');
-    expect(mockConfigApple).toHaveBeenCalledWith(
-      expect.objectContaining({
-        secret: 'sk_test_secret',
-        environment: ['production', 'sandbox'],
-      })
-    );
+    expect(legacyCalls[0]!.url).toBe('https://buy.itunes.apple.com/verifyReceipt');
+    expect(legacyCalls[0]!.body).toEqual({
+      'receipt-data': 'base64-receipt',
+      password: 'sk_test_secret',
+      'exclude-old-transactions': true,
+    });
   });
   it('normalizes one-item receipt to AppStoreTransactionPayload', async () => {
-    mockValidateAppleReceipt.mockResolvedValue([
-      {
-        bundleId: 'com.example.app',
-        productId: 'sub_06',
-        transactionId: 'txn_1',
-        originalTransactionId: 'orig_1',
-        purchaseDate: 1700000000000,
-        expirationDate: 1800000000000,
-      },
-    ]);
+    mockVerifyReceipt([{ status: 0, receipt: { bundle_id: 'com.example.app' }, latest_receipt_info: [legacyItem()] }]);
     const c = AppStoreClient.fromSettings(withSecret);
     const result = await c.verifyLegacyReceipt('base64-receipt');
     expect(result).toEqual({
@@ -280,10 +279,16 @@ describe('AppStoreClient.verifyLegacyReceipt', () => {
   });
   it('picks the item with the latest expirationDate when receipt contains multiple', async () => {
-    mockValidateAppleReceipt.mockResolvedValue([
-      { productId: 'sub_06', transactionId: 'old', expirationDate: 1500000000000 },
-      { productId: 'sub_06', transactionId: 'new', expirationDate: 1800000000000 },
-      { productId: 'sub_06', transactionId: 'mid', expirationDate: 1600000000000 },
+    mockVerifyReceipt([
+      {
+        status: 0,
+        receipt: { bundle_id: 'com.example.app' },
+        latest_receipt_info: [
+          legacyItem({ transaction_id: 'old', expires_date_ms: '1500000000000' }),
+          legacyItem({ transaction_id: 'new', expires_date_ms: '1800000000000' }),
+          legacyItem({ transaction_id: 'mid', expires_date_ms: '1600000000000' }),
+        ],
+      },
     ]);
     const c = AppStoreClient.fromSettings(withSecret);
     const result = await c.verifyLegacyReceipt('base64-receipt');
@@ -291,9 +296,15 @@ describe('AppStoreClient.verifyLegacyReceipt', () => {
   });
   it('filters by expectedProductIds when provided', async () => {
-    mockValidateAppleReceipt.mockResolvedValue([
-      { productId: 'other_sku', transactionId: 'wrong', expirationDate: 1900000000000 },
-      { productId: 'sub_06', transactionId: 'right', expirationDate: 1800000000000 },
+    mockVerifyReceipt([
+      {
+        status: 0,
+        receipt: { bundle_id: 'com.example.app' },
+        latest_receipt_info: [
+          legacyItem({ product_id: 'other_sku', transaction_id: 'wrong', expires_date_ms: '1900000000000' }),
+          legacyItem({ product_id: 'sub_06', transaction_id: 'right', expires_date_ms: '1800000000000' }),
+        ],
+      },
     ]);
     const c = AppStoreClient.fromSettings(withSecret);
     const result = await c.verifyLegacyReceipt('base64-receipt', { expectedProductIds: ['sub_06'] });
@@ -301,8 +312,12 @@ describe('AppStoreClient.verifyLegacyReceipt', () => {
   });
   it('throws when no item matches expectedProductIds', async () => {
-    mockValidateAppleReceipt.mockResolvedValue([
-      { productId: 'unknown_sku', transactionId: 'x', expirationDate: 1800000000000 },
+    mockVerifyReceipt([
+      {
+        status: 0,
+        receipt: { bundle_id: 'com.example.app' },
+        latest_receipt_info: [legacyItem({ product_id: 'unknown_sku', transaction_id: 'x' })],
+      },
     ]);
     const c = AppStoreClient.fromSettings(withSecret);
     await expect(c.verifyLegacyReceipt('base64-receipt', { expectedProductIds: ['sub_06'] })).rejects.toThrow(
@@ -311,25 +326,36 @@ describe('AppStoreClient.verifyLegacyReceipt', () => {
   });
   it('rejects when receipt bundleId disagrees with configured bundle_id', async () => {
-    mockValidateAppleReceipt.mockResolvedValue([
-      {
-        bundleId: 'com.evil.app',
-        productId: 'sub_06',
-        transactionId: 'txn_1',
-        originalTransactionId: 'orig_1',
-        expirationDate: 1800000000000,
-      },
-    ]);
+    mockVerifyReceipt([{ status: 0, receipt: { bundle_id: 'com.evil.app' }, latest_receipt_info: [legacyItem()] }]);
     const c = AppStoreClient.fromSettings(withSecret);
     await expect(c.verifyLegacyReceipt('base64-receipt')).rejects.toThrow(/bundleId mismatch/);
   });
   it('falls back to transactionId when originalTransactionId is absent', async () => {
-    mockValidateAppleReceipt.mockResolvedValue([
-      { productId: 'sub_06', transactionId: 'txn_only', expirationDate: 1800000000000 },
+    mockVerifyReceipt([
+      {
+        status: 0,
+        receipt: { bundle_id: 'com.example.app' },
+        latest_receipt_info: [legacyItem({ transaction_id: 'txn_only', original_transaction_id: undefined })],
+      },
     ]);
     const c = AppStoreClient.fromSettings(withSecret);
     const result = await c.verifyLegacyReceipt('base64-receipt');
     expect(result.originalTransactionId).toBe('txn_only');
   });
+  it('retries the sandbox host when production returns 21007', async () => {
+    mockVerifyReceipt([
+      { status: 21007 },
+      {
+        status: 0,
+        receipt: { bundle_id: 'com.example.app' },
+        latest_receipt_info: [legacyItem({ transaction_id: 'sb' })],
+      },
+    ]);
+    const c = AppStoreClient.fromSettings(withSecret);
+    const result = await c.verifyLegacyReceipt('base64-receipt');
+    expect(legacyCalls.map((x) => new URL(x.url).host)).toEqual(['buy.itunes.apple.com', 'sandbox.itunes.apple.com']);
+    expect(result.transactionId).toBe('sb');
+  });
 });

package/api/tests/integrations/app-store/fixtures/README.md ADDED Viewed

@@ -0,0 +1,54 @@
+# App Store native-verify test fixtures
+## `make-chain.ts` — synthetic chain generator (0.1)
+Generates a self-signed Apple-style 3-cert chain (root → CA intermediate w/ Apple
+OID `1.2.840.113635.100.6.2.1` → leaf w/ Apple OID `1.2.840.113635.100.6.11.1`)
+plus an ES256 `header.payload.p1363sig` JWS signed by the leaf key, and a
+`crossSignedLeaf` (same subject DN, different key) for chain-failure negatives.
+Cert validity windows are pinned via `certValidFrom`/`certValidTo` so skew
+boundary tests can position `signedDate` precisely. See the file header for the
+full contract — chiefly: **`signedDate` is the `effectiveDate`, never `Date.now()`.**
+**Determinism:** the EC P-256 signing keys are committed under `keys/`
+(`{root,int,leaf,wrongint}.key.pem`, synthetic + test-only) and certs are derived
+from them at runtime with pinned windows — so value assertions are stable and the
+certs never expire. Pass `freshKeys: true` for unique per-call keys. These keys
+are test-only and **must never be imported by `src/`** — `make-chain.spec.ts`
+asserts that structurally (a data-leak regression fails CI).
+## `real-sandbox.jws` / `real-sandbox.json` — real Apple fixture (0.4)
+A genuine Apple-signed (ES256) sandbox `signedTransactionInfo`, fetched via the
+App Store Server API `getTransactionInfo()` (`bundle_id: io.arcblock.ai.stro`,
+`transaction_id: 2000001186283296`). The real x5c chain is:
+```
+leaf:  Prod ECC Mac App Store and iTunes Store Receipt Signing (expires 2027-10-13)
+int:   Apple Worldwide Developer Relations Certification Authority G6
+root:  Apple Root CA - G3 (expires 2039-04-30)
+```
+This is **public, Apple-signed data — it contains no credentials** (a JWS is the
+signed transaction itself; the signing keys stay at Apple). Committing it is safe
+and it is the golden vector that exercises Apple's **real** OID + 3-cert chain
+end-to-end — the gap synthetic self-signed chains cannot close (design §11).
+`real-sandbox.json` carries the decoded header/payload + provenance `_meta` for
+reference; tests assert against `real-sandbox.jws`.
+**Maintenance:** the leaf cert expires 2027-10-13. After that, `verifyAppleJws`
+will reject this fixture on the validity check unless tests pin `signedDate` to
+the original `2026-06-15T11:02:14.379Z` (`payload.signedDate = 1781521334379`),
+which is what the native-jws spec does — so the fixture stays valid indefinitely
+for the algorithm assertions.
+## 0.3 — OID-encoding contract (production vs probe)
+Production code (`native-asn1.ts`, Phase 1) matches the **FULL DER OID tag**
+`[0x06, len, ...content]` against `cert.raw`. This is intentionally STRICTER than
+the workerd probe's content-only `oidContentHex` scan (`x509-probe.mjs`), which
+stays looser because a probe only needs a presence signal. Defense-in-depth: the
+OID marker is **not** the trust anchor — the chain-to-pinned-Apple-root is
+(design §4/§5.5). Both certs in `make-chain.ts` carry the OIDs as `DER:0500`
+extensions so the full-tag scan finds them.

package/api/tests/integrations/app-store/fixtures/keys/int.key.pem ADDED Viewed

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIOLX/gC4P1qjaOE/Ed/QHleT9P2Ib5bQ9YOZP8SXpFuNoAoGCCqGSM49
+AwEHoUQDQgAEnIlK3BCZxjk0kCXqbaNe/BYVG4VQ69YAkENkl9sL8sjDZGVwasEa
+OmnFMayUJIJPhfs+GyfSeY4p6m9kMiojrg==
+-----END EC PRIVATE KEY-----

package/api/tests/integrations/app-store/fixtures/keys/leaf.key.pem ADDED Viewed

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIFKVpAVLag9q7o02jUj0hsrZs2+Wp9VlZ1rvvXAdRDnNoAoGCCqGSM49
+AwEHoUQDQgAEi6jIb2EAAEGl8zcWyBd1No5Qz6wyZJLTS5sjbAA04FPX1FDlxReK
+X7q8vLFRhtkiR8OYnpCfLAeFng0rNi6Vdw==
+-----END EC PRIVATE KEY-----

package/api/tests/integrations/app-store/fixtures/keys/root.key.pem ADDED Viewed

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIG+D+QBzI7gMWT4Zuk9iqw663wEtMWol4ccQfydNehdNoAoGCCqGSM49
+AwEHoUQDQgAE7hyZ2JQcvmLQIrzj8j5UUSl/tOBgJG5bhFRwMu3isC8xibmLb/cj
+P2IIOGfGAXz0Iu5NLEm7etUmR3HKvQlKTg==
+-----END EC PRIVATE KEY-----

package/api/tests/integrations/app-store/fixtures/keys/wrongint.key.pem ADDED Viewed

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIB4LVWQHO0Sx74I6JjkEmglD6b5sfnt+CmU6Tf711WNtoAoGCCqGSM49
+AwEHoUQDQgAE3fF1vJNolgjgt+rIqLDQCzZ1Irrr4VKxwxTwNzTD4p16sa5U6DOR
+qPd67ubvIOmQldtn4DJ8yi+sAxNjLVevGA==
+-----END EC PRIVATE KEY-----

package/api/tests/integrations/app-store/fixtures/make-chain.spec.ts ADDED Viewed

@@ -0,0 +1,152 @@
+// Structural coverage for the synthetic chain generator (Phase 0, task 0.1).
+// These assertions ARE the fixtures' contract: if they hold, the negative
+// vectors the Phase 1 verifier specs rely on are sound.
+import { X509Certificate } from 'node:crypto';
+import { readdirSync, readFileSync, statSync } from 'node:fs';
+import path from 'node:path';
+import { APPLE_INT_OID, APPLE_LEAF_OID, buildJws, makeChain } from './make-chain';
+// Full DER OID tag (mirrors native-asn1.ts, see 0.3) — the strict form.
+function oidToDerTag(oid: string): Buffer {
+  const parts = oid.split('.').map(Number);
+  const body = [40 * parts[0]! + parts[1]!];
+  for (let i = 2; i < parts.length; i++) {
+    let v = parts[i]!;
+    const stack = [v & 0x7f];
+    v = Math.floor(v / 128);
+    while (v > 0) {
+      stack.unshift((v & 0x7f) | 0x80);
+      v = Math.floor(v / 128);
+    }
+    body.push(...stack);
+  }
+  return Buffer.from([0x06, body.length, ...body]);
+}
+const certOf = (b64: string): X509Certificate => new X509Certificate(Buffer.from(b64, 'base64'));
+describe('make-chain — happy path', () => {
+  const chain = makeChain({ signedDate: 1_781_521_334_379 });
+  it('leaf verifies against intermediate, intermediate against root', () => {
+    expect(chain.certs.leaf.verify(chain.certs.intermediate.publicKey)).toBe(true);
+    expect(chain.certs.intermediate.verify(chain.certs.root.publicKey)).toBe(true);
+  });
+  it('issuer/subject equality holds up the chain', () => {
+    expect(chain.certs.leaf.issuer).toBe(chain.certs.intermediate.subject);
+    expect(chain.certs.intermediate.issuer).toBe(chain.certs.root.subject);
+    expect(chain.certs.root.issuer).toBe(chain.certs.root.subject); // self-signed
+  });
+  it('intermediate is a CA and carries the Apple intermediate OID', () => {
+    expect(chain.certs.intermediate.ca).toBe(true);
+    expect(Buffer.from(chain.certs.intermediate.raw).includes(oidToDerTag(APPLE_INT_OID))).toBe(true);
+  });
+  it('leaf is not a CA and carries the Apple leaf OID', () => {
+    expect(chain.certs.leaf.ca).toBe(false);
+    expect(Buffer.from(chain.certs.leaf.raw).includes(oidToDerTag(APPLE_LEAF_OID))).toBe(true);
+  });
+  it('emits a 3-segment JWS with a 64-byte P1363 signature', () => {
+    expect(chain.jws.split('.')).toHaveLength(3);
+    expect(chain.p1363Sig).toHaveLength(64);
+    expect(chain.payload.signedDate).toBe(1_781_521_334_379);
+  });
+});
+describe('make-chain — security negative controls', () => {
+  const chain = makeChain();
+  it('cross-signed leaf fails leaf.verify(intermediate.publicKey) but keeps issuer/subject equality', () => {
+    const cross = certOf(chain.crossSignedLeaf);
+    expect(cross.issuer).toBe(chain.certs.intermediate.subject); // same DN — isolates the signature failure
+    expect(cross.verify(chain.certs.intermediate.publicKey)).toBe(false);
+  });
+  it('an OID we did NOT add is not present (mirrors probe intOidPresent === false)', () => {
+    // The leaf carries the LEAF OID, not the INTERMEDIATE OID — negative control.
+    expect(Buffer.from(chain.certs.leaf.raw).includes(oidToDerTag(APPLE_INT_OID))).toBe(false);
+  });
+  it('omits the leaf OID on demand (leafOid: false)', () => {
+    const noOid = makeChain({ leafOid: false });
+    expect(Buffer.from(noOid.certs.leaf.raw).includes(oidToDerTag(APPLE_LEAF_OID))).toBe(false);
+  });
+});
+describe('make-chain — data damage / round-trip', () => {
+  const chain = makeChain();
+  it('decode(x5c[i]) byte-equals the DER we encoded', () => {
+    expect(Buffer.from(chain.x5c[0]!, 'base64').equals(Buffer.from(chain.certs.leaf.raw))).toBe(true);
+    expect(Buffer.from(chain.x5c[1]!, 'base64').equals(Buffer.from(chain.certs.intermediate.raw))).toBe(true);
+    expect(Buffer.from(chain.x5c[2]!, 'base64').equals(Buffer.from(chain.certs.root.raw))).toBe(true);
+  });
+  it('the b64url JWS header round-trips to the header object', () => {
+    const [h] = chain.jws.split('.');
+    const header = JSON.parse(Buffer.from(h!, 'base64url').toString('utf8'));
+    expect(header.alg).toBe('ES256');
+    expect(header.x5c).toEqual(chain.x5c);
+  });
+});
+describe('make-chain — validity window pinning', () => {
+  it('pins notBefore/notAfter relative to signedDate', () => {
+    const signedDate = 1_700_000_000_000;
+    const chain = makeChain({
+      signedDate,
+      certValidFrom: new Date(signedDate - 86_400_000),
+      certValidTo: new Date(signedDate + 86_400_000),
+    });
+    const vf = Date.parse(chain.certs.leaf.validFrom);
+    const vt = Date.parse(chain.certs.leaf.validTo);
+    expect(vf).toBeLessThanOrEqual(signedDate);
+    expect(vt).toBeGreaterThanOrEqual(signedDate);
+    // window is ~2 days wide (second-granularity rounding aside)
+    expect(vt - vf).toBeGreaterThan(86_400_000);
+  });
+});
+describe('make-chain — data leak (committed test keys never reach src/)', () => {
+  // The synthetic signing keys under fixtures/keys/ are test-only. Production
+  // code must NEVER import the fixtures or the keys. This is a structural gate
+  // so a future regression (e.g. someone wiring a fixture into src) fails CI.
+  const srcDir = path.join(__dirname, '..', '..', '..', '..', 'src');
+  function walk(dir: string): string[] {
+    return readdirSync(dir).flatMap((name) => {
+      const full = path.join(dir, name);
+      if (statSync(full).isDirectory()) return walk(full);
+      return /\.(ts|tsx|js|jsx|mjs)$/.test(name) ? [full] : [];
+    });
+  }
+  it('no src/ file references the fixtures, the generator, or the test keys', () => {
+    const offenders = walk(srcDir).filter((file) => {
+      const text = readFileSync(file, 'utf8');
+      return /make-chain|app-store\/fixtures|fixtures\/keys|real-sandbox/.test(text);
+    });
+    expect(offenders).toEqual([]);
+  });
+});
+describe('make-chain — buildJws crafts variants', () => {
+  const chain = makeChain();
+  it('re-signs a custom header/payload with the leaf key', () => {
+    const { jws, p1363Sig } = buildJws({ alg: 'ES256', x5c: chain.x5c }, { foo: 'bar' }, chain.keys.leafKeyPem);
+    expect(jws.split('.')).toHaveLength(3);
+    expect(p1363Sig).toHaveLength(64);
+  });
+  it('can forge a wrong-length x5c header (negative vector source)', () => {
+    const { jws } = buildJws({ alg: 'ES256', x5c: chain.x5c.slice(0, 2) }, chain.payload, chain.keys.leafKeyPem);
+    const header = JSON.parse(Buffer.from(jws.split('.')[0]!, 'base64url').toString('utf8'));
+    expect(header.x5c).toHaveLength(2);
+  });
+});