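/**
 * PEAC Protocol Constants
 *
 * Ambient declarations (`.d.ts`) for the protocol's wire identifiers, HTTP
 * header names, discovery paths, verifier resource limits and SSRF controls.
 * Nothing in this file executes; the literal types document the values the
 * runtime implementation is expected to export.
 */

/**
 * Wire 0.1 JWS `typ` claim (legacy constant name).
 *
 * @deprecated Use `WIRE_01_JWS_TYP` for new code. `WIRE_TYPE` and
 * `WIRE_01_JWS_TYP` resolve to the same string; `WIRE_01_JWS_TYP` is the
 * canonical name at the JWS layer (v0.12.0-preview.1+, Wire 0.2 dual-stack).
 */
export declare const WIRE_TYPE: "peac-receipt/0.1";

/**
 * Wire 0.1 version string (legacy constant name).
 *
 * @deprecated Use `WIRE_VERSIONS` or compare against `WIRE_02_VERSION` for
 * dual-stack version detection. `WIRE_VERSION` remains valid for Wire 0.1
 * but does not participate in the Wire 0.2 version model.
 */
export declare const WIRE_VERSION: "0.1";

/**
 * Supported JWS signature algorithms.
 *
 * Treat `supported` as the verifier's allow-list: a token whose `alg` header
 * is not listed here (including `none` and any HMAC/RSA variant) should be
 * rejected before any signature processing (RFC 8725 §3.1, algorithm
 * confusion). Only EdDSA is listed; see also `PEAC_ALG`.
 */
export declare const ALGORITHMS: {
  readonly supported: readonly ["EdDSA"];
  readonly default: "EdDSA";
};

/**
 * HTTP header names for PEAC protocol.
 *
 * `dpop` is the `DPoP` header name (RFC 9449 proof-of-possession). Values
 * arriving on any of these headers are attacker-controlled until the receipt
 * signature has been verified and `VERIFIER_LIMITS.maxReceiptBytes` has been
 * enforced on the raw header value.
 */
export declare const HEADERS: {
  readonly receipt: "PEAC-Receipt";
  readonly receiptPointer: "PEAC-Receipt-Pointer";
  readonly dpop: "DPoP";
  readonly purpose: "PEAC-Purpose";
  readonly purposeApplied: "PEAC-Purpose-Applied";
  readonly purposeReason: "PEAC-Purpose-Reason";
};

/**
 * Policy manifest settings (/.well-known/peac.txt).
 *
 * Policy documents declare access terms for agents and gateways. A fetched
 * manifest is untrusted input: `maxBytes` and `maxDepth` bound the parser's
 * work, and `cacheTtlSeconds` bounds how long a stale policy can be honoured
 * after the origin changes it.
 * @see docs/specs/PEAC-TXT.md
 */
export declare const POLICY: {
  readonly manifestPath: "/.well-known/peac.txt";
  /** Fallback location (presumably tried when `manifestPath` is not served — confirm in PEAC-TXT.md). */
  readonly fallbackPath: "/peac.txt";
  readonly manifestVersion: "peac-policy/0.1";
  readonly cacheTtlSeconds: 3600;
  readonly maxBytes: 262144;
  readonly maxDepth: 8;
};

/**
 * Issuer configuration settings (/.well-known/peac-issuer.json).
 *
 * Issuer config enables verifiers to discover JWKS and verification endpoints.
 * NOTE(review): `fetchTimeoutMs` here is 10 000 ms while
 * `VERIFIER_LIMITS.fetchTimeoutMs` is 5 000 ms; confirm which value governs an
 * issuer-config fetch performed by a verifier so the per-request budget is
 * not silently doubled.
 * @see docs/specs/PEAC-ISSUER.md
 */
export declare const ISSUER_CONFIG: {
  readonly configPath: "/.well-known/peac-issuer.json";
  readonly configVersion: "peac-issuer/0.1";
  readonly cacheTtlSeconds: 3600;
  readonly maxBytes: 65536;
  readonly maxDepth: 4;
  readonly fetchTimeoutMs: 10000;
};

/**
 * Pre-0.1 discovery settings.
 *
 * @deprecated Use POLICY instead. Will be removed in v1.0. The version label
 * here is `peac/0.9`, not `POLICY.manifestVersion`; the two are not
 * interchangeable.
 */
export declare const DISCOVERY: {
  readonly manifestPath: "/.well-known/peac.txt";
  readonly manifestVersion: "peac/0.9";
  readonly cacheTtlSeconds: 3600;
};

/**
 * JWKS rotation and revocation settings (issuer-side policy).
 *
 * `overlapDays` is the window in which both the outgoing and incoming keys
 * are published so in-flight receipts keep verifying. Any verifier-side key
 * cache must expire well inside `emergencyRevocationHours`; otherwise a
 * revoked key stays trusted for the remainder of the cache lifetime (the
 * `cacheTtlSeconds` values declared in this file are 3600 s, i.e. 1 h).
 */
export declare const JWKS: {
  readonly rotationDays: 90;
  /** Normative minimum overlap period (v0.11.3+) */
  readonly overlapDays: 30;
  readonly emergencyRevocationHours: 24;
};

/**
 * Receipt validation constants.
 *
 * Receipt identifiers must be between `minReceiptIdLength` and
 * `maxReceiptIdLength` characters. `defaultTtlSeconds` is 24 h; presumably
 * applied when a receipt carries no explicit lifetime (confirm in the
 * verifier).
 */
export declare const RECEIPT: {
  readonly minReceiptIdLength: 16;
  readonly maxReceiptIdLength: 64;
  readonly defaultTtlSeconds: 86400;
};

/**
 * Payment amount validation limits (in cents/smallest currency unit).
 *
 * `maxAmountCents` (just under 10^12) is well below `Number.MAX_SAFE_INTEGER`,
 * so comparisons against it are exact; amounts must still be validated as
 * integers before they are compared.
 */
export declare const LIMITS: {
  readonly maxAmountCents: 999999999999;
  readonly minAmountCents: 1;
};

/**
 * Bundle format version.
 * Used in dispute bundles, audit bundles, and archive bundles.
 */
export declare const BUNDLE_VERSION: "peac-bundle/0.1";

/**
 * Verification report format version.
 */
export declare const VERIFICATION_REPORT_VERSION: "peac-verification-report/0.1";

/**
 * Hash format constants and utilities.
 * All hashes use the self-describing format: sha256:<64 lowercase hex chars>
 *
 * NOTE(review): unlike every other constant in this file the members are not
 * `readonly`, so a consumer can reassign `HASH.pattern` at runtime. If the
 * regexes carry the `g` or `y` flag, `RegExp.prototype.test` becomes stateful
 * via `lastIndex`; this declaration does not show the flags, so confirm
 * against the implementation and prefer `isValidHash()` over using the
 * patterns directly.
 */
export declare const HASH: {
  /** Canonical hash algorithm */
  algorithm: "sha256";
  /** Hash prefix pattern */
  prefix: "sha256:";
  /** Valid hash regex: sha256:<64 lowercase hex> */
  pattern: RegExp;
  /** Hex-only pattern for legacy comparison (no algorithm prefix; avoid for new data) */
  hexPattern: RegExp;
};

/**
 * Parse a sha256: hash string into components.
 * Returns null if the format is invalid. This is a syntactic check only; it
 * does not establish that the digest matches any content.
 *
 * @param hash - Hash string to parse (e.g., "sha256:abc123...")
 * @returns Parsed hash or null if invalid
 */
export declare function parseHash(hash: string): {
  alg: 'sha256';
  hex: string;
} | null;

/**
 * Format a hex string as a sha256: hash.
 * Validates that the hex is exactly 64 lowercase characters.
 *
 * @param hex - Hex string (64 lowercase characters)
 * @returns Formatted hash or null if invalid
 */
export declare function formatHash(hex: string): string | null;

/**
 * Validate a hash string is in the correct format.
 *
 * @param hash - Hash string to validate
 * @returns true if valid sha256:<64 hex> format
 */
export declare function isValidHash(hash: string): boolean;

/**
 * Verifier security limits per VERIFIER-SECURITY-MODEL.md.
 *
 * Each of these bounds the resources an attacker-controlled receipt, JWKS or
 * HTTP response can consume. Where two limits apply to one fetch the
 * stricter wins: a JWKS response is bounded by `maxJwksBytes` (64 KB), not
 * by `maxResponseBytes` (256 KB).
 * NOTE(review): `maxRedirects` is only meaningful when
 * `VERIFIER_NETWORK.allowRedirects` is overridden to true; when it is, every
 * hop must be re-checked against `httpsOnly` and `blockPrivateIps`, since a
 * 3xx to an internal address is the standard SSRF bypass.
 */
export declare const VERIFIER_LIMITS: {
  /** Maximum receipt size in bytes (256 KB) */
  readonly maxReceiptBytes: 262144;
  /** Maximum number of claims in a receipt */
  readonly maxClaimsCount: 100;
  /** Maximum extension size in bytes (64 KB) */
  readonly maxExtensionBytes: 65536;
  /** Maximum string length for individual claims (64 KB) */
  readonly maxStringLength: 65536;
  /** Maximum JWKS document size in bytes (64 KB) */
  readonly maxJwksBytes: 65536;
  /** Maximum number of keys in a JWKS */
  readonly maxJwksKeys: 20;
  /** Maximum individual key size in bytes */
  readonly maxKeySize: 4096;
  /** Network fetch timeout in milliseconds */
  readonly fetchTimeoutMs: 5000;
  /** Maximum number of redirects to follow (only relevant if redirects are enabled) */
  readonly maxRedirects: 3;
  /** Maximum network response size in bytes (256 KB) */
  readonly maxResponseBytes: 262144;
};

/**
 * Verifier network security settings per VERIFIER-SECURITY-MODEL.md.
 *
 * `blockPrivateIps` is only effective if the check is applied to the address
 * actually connected to (after DNS resolution), not merely to a literal IP in
 * the URL: a hostname that resolves to a `PRIVATE_IP_RANGES` address, or that
 * re-resolves to one between check and connect (DNS rebinding), must also be
 * refused. `httpsOnly` likewise has to hold for every redirect hop if
 * redirects are ever enabled.
 */
export declare const VERIFIER_NETWORK: {
  /** Only allow HTTPS URLs */
  readonly httpsOnly: true;
  /** Block requests to private IP ranges */
  readonly blockPrivateIps: true;
  /** Default redirect policy (false = no redirects) */
  readonly allowRedirects: false;
};

/**
 * Private and local IPv4/IPv6 CIDR blocks to block for SSRF protection.
 *
 * NOTE(review): this list covers RFC 1918, link-local and loopback only. It
 * does not include other non-routable / special-purpose ranges that SSRF
 * deny-lists normally carry: `0.0.0.0/8`, `100.64.0.0/10` (CGNAT),
 * `224.0.0.0/4` and `240.0.0.0/4`, IPv6 `::/128`, `fc00::/7` (ULA) and
 * IPv4-mapped `::ffff:0:0/96` (which otherwise smuggles an RFC 1918 address
 * past an IPv4-only check). Whether the implementation blocks those
 * separately cannot be determined from this declaration; verify before
 * relying on `blockPrivateIps` alone.
 */
export declare const PRIVATE_IP_RANGES: {
  /** RFC 1918 private ranges */
  readonly rfc1918: readonly ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"];
  /** Link-local addresses (this block contains the 169.254.169.254 cloud metadata endpoint) */
  readonly linkLocal: readonly ["169.254.0.0/16"];
  /** Loopback addresses */
  readonly loopback: readonly ["127.0.0.0/8"];
  /** IPv6 loopback */
  readonly ipv6Loopback: readonly ["::1/128"];
  /** IPv6 link-local */
  readonly ipv6LinkLocal: readonly ["fe80::/10"];
};

/**
 * Verifier policy version.
 */
export declare const VERIFIER_POLICY_VERSION: "peac-verifier-policy/0.1";

/**
 * Verification modes per VERIFIER-SECURITY-MODEL.md.
 *
 * `offline_only` is the only mode that never touches the network and is the
 * right choice for verifiers that cannot safely make outbound requests; the
 * other three may fetch keys and therefore depend on `VERIFIER_NETWORK` and
 * `VERIFIER_LIMITS` being enforced.
 */
export declare const VERIFICATION_MODES: {
  /** All verification in browser/client, may fetch JWKS */
  readonly clientSide: "client_side";
  /** No network access, uses bundled/pinned keys */
  readonly offlineOnly: "offline_only";
  /** Prefer offline, fallback to network */
  readonly offlinePreferred: "offline_preferred";
  /** Allow network fetches for key discovery */
  readonly networkAllowed: "network_allowed";
};

/**
 * JWS header typ value for Wire 0.1 receipts.
 * Canonical location: @peac/kernel (layer correction from @peac/schema).
 * The existing WIRE_TYPE constant is unchanged; both resolve to the same string.
 * @peac/schema re-exports this as PEAC_WIRE_TYP for backward compatibility.
 */
export declare const WIRE_01_JWS_TYP: "peac-receipt/0.1";

/**
 * JWS header typ value for Wire 0.2 records (compact form).
 * Per RFC 7515 Section 4.1.9, the full media type form
 * 'application/interaction-record+jwt' is also accepted by verifiers and
 * normalized to this compact form before returning the header.
 */
export declare const WIRE_02_JWS_TYP: "interaction-record+jwt";

/**
 * All accepted typ values for Wire 0.2 (compact + full media type form).
 * Used internally by @peac/crypto to fast-reject unrelated tokens.
 * Verifiers normalize the full form to WIRE_02_JWS_TYP before returning.
 * The typ check is the explicit-typing defence against token confusion
 * recommended by RFC 8725 §3.11.
 */
export declare const WIRE_02_JWS_TYP_ACCEPT: readonly ["interaction-record+jwt", "application/interaction-record+jwt"];

/**
 * Wire 0.2 peac_version payload claim value.
 * Discriminates Wire 0.2 envelopes from Wire 0.1 (which have no peac_version field).
 */
export declare const WIRE_02_VERSION: "0.2";

/**
 * All supported wire version strings for dual-stack implementations.
 */
export declare const WIRE_VERSIONS: readonly ["0.1", "0.2"];

/**
 * TypeScript union type for supported wire version values.
 */
export type WireVersion = (typeof WIRE_VERSIONS)[number];

/**
 * Canonical issuer (iss) constraints for Wire 0.2.
 * Supported schemes: 'https' (RFC 3986 origin-only) and 'did' (DID Core).
 * All other schemes produce E_ISS_NOT_CANONICAL.
 */
export declare const ISS_CANONICAL: {
  readonly maxLength: 2048;
  readonly supportedSchemes: readonly ["https", "did"];
  /**
   * Default port for https (rejected if explicit in iss).
   * NOTE(review): the shipped declaration read bare `Record`, which does not
   * compile (TS2314: `Record` requires two type arguments). `Record<string,
   * number>` (scheme -> port) is the shape implied by the name and comment;
   * confirm against the implementation's actual value.
   */
  readonly defaultPorts: Record<string, number>;
};

/**
 * type claim grammar constraints (open vocabulary: reverse-DNS or absolute URI).
 */
export declare const TYPE_GRAMMAR: {
  readonly maxLength: 256;
};

/**
 * policy block field constraints (Wire 0.2).
 * Separate from ISS_CANONICAL to allow independent evolution of each limit.
 */
export declare const POLICY_BLOCK: {
  /** Maximum length of the policy.uri HTTPS hint (chars). */
  readonly uriMaxLength: 2048;
  /** Maximum length of the policy.version label (chars). */
  readonly versionMaxLength: 256;
};

/**
 * Maximum tolerated skew between occurred_at and iat for evidence receipts (seconds).
 * If occurred_at > iat within this tolerance, a 'occurred_at_skew' warning is emitted.
 * If occurred_at > now + tolerance, E_OCCURRED_AT_FUTURE is a hard error.
 */
export declare const OCCURRED_AT_TOLERANCE_SECONDS = 300;

/**
 * Verification strictness profiles for Wire 0.2.
 * Owned exclusively by @peac/protocol.verifyLocal(); @peac/crypto has no strictness parameter.
 *
 * - 'strict' (default): typ MUST be present and correct; missing typ is a hard error.
 * - 'interop': tolerates missing typ; emits 'typ_missing' warning; routes by peac_version.
 *
 * 'interop' gives up the explicit-typing defence against token confusion
 * (RFC 8725 §3.11) and should only be selected deliberately for a known
 * peer; it must not become a default.
 */
export type VerificationStrictness = 'strict' | 'interop';

/**
 * JOSE signature algorithm (EdDSA / Ed25519). Re-exported from kernel for layer
 * correctness: @peac/crypto imports all typ/alg constants from @peac/kernel only.
 */
export declare const PEAC_ALG: "EdDSA";

/**
 * Normative resource-budget limits for Wire 0.2 extension groups.
 *
 * These limits prevent DoS via formally valid but enormous multi-extension
 * receipts. Enforcement is unconditional in @peac/schema's
 * validateKnownExtensions() superRefine callback.
 *
 * MEASUREMENT BASIS (normative): Byte budgets are measured as the UTF-8
 * byte length of the ECMAScript `JSON.stringify()` output on the plain
 * JSON data value. This means:
 * - Object key ordering follows the object's own-property order (insertion
 *   order, integer-like keys first), so two semantically equal objects can
 *   measure differently.
 * - Objects with `toJSON()` methods produce their toJSON output.
 * - Circular references cause serialization failure (treated as over-budget).
 * - `undefined` values are omitted (not counted).
 * - Multi-byte UTF-8 characters (emoji, CJK, etc.) count their full
 *   UTF-8 encoding, not JS string length.
 *
 * This is explicitly NOT canonical JSON (JCS/RFC 8785) or raw wire octets.
 * The choice of JSON.stringify is pragmatic: it matches the serialization
 * path used by all major JSON-based transports (MCP, A2A, HTTP). If
 * interop requires canonical measurement, a future DD can narrow this
 * to JCS; the current rule is a safe superset.
 */
export declare const EXTENSION_BUDGET: {
  /** Max UTF-8 bytes per extension group after JSON.stringify (64 KB) */
  readonly maxGroupBytes: 65536;
  /** Max total UTF-8 bytes across all extensions after JSON.stringify (256 KB) */
  readonly maxTotalBytes: 262144;
  /** Max UTF-8 bytes for any single string array field (32 KB) */
  readonly maxArrayPayloadBytes: 32768;
};

/**
 * All constants export (legacy aggregate).
 *
 * NOTE(review): this object lags the module's named exports. It carries the
 * deprecated `WIRE_TYPE`, `WIRE_VERSION` and `DISCOVERY` but none of
 * `POLICY`, `ISSUER_CONFIG`, `PRIVATE_IP_RANGES`, nor any Wire 0.2 constant
 * (`WIRE_01_JWS_TYP`, `WIRE_02_*`, `ISS_CANONICAL`, `EXTENSION_BUDGET`,
 * `PEAC_ALG`, ...). Prefer the named exports in new code.
 */
export declare const CONSTANTS: {
  readonly WIRE_TYPE: "peac-receipt/0.1";
  readonly WIRE_VERSION: "0.1";
  readonly ALGORITHMS: {
    readonly supported: readonly ["EdDSA"];
    readonly default: "EdDSA";
  };
  readonly HEADERS: {
    readonly receipt: "PEAC-Receipt";
    readonly receiptPointer: "PEAC-Receipt-Pointer";
    readonly dpop: "DPoP";
    readonly purpose: "PEAC-Purpose";
    readonly purposeApplied: "PEAC-Purpose-Applied";
    readonly purposeReason: "PEAC-Purpose-Reason";
  };
  readonly DISCOVERY: {
    readonly manifestPath: "/.well-known/peac.txt";
    readonly manifestVersion: "peac/0.9";
    readonly cacheTtlSeconds: 3600;
  };
  readonly JWKS: {
    readonly rotationDays: 90;
    /** Normative minimum overlap period (v0.11.3+) */
    readonly overlapDays: 30;
    readonly emergencyRevocationHours: 24;
  };
  readonly RECEIPT: {
    readonly minReceiptIdLength: 16;
    readonly maxReceiptIdLength: 64;
    readonly defaultTtlSeconds: 86400;
  };
  readonly LIMITS: {
    readonly maxAmountCents: 999999999999;
    readonly minAmountCents: 1;
  };
  readonly BUNDLE_VERSION: "peac-bundle/0.1";
  readonly VERIFICATION_REPORT_VERSION: "peac-verification-report/0.1";
  readonly HASH: {
    /** Canonical hash algorithm */
    algorithm: "sha256";
    /** Hash prefix pattern */
    prefix: "sha256:";
    /** Valid hash regex: sha256:<64 lowercase hex> */
    pattern: RegExp;
    /** Hex-only pattern for legacy comparison */
    hexPattern: RegExp;
  };
  readonly VERIFIER_LIMITS: {
    /** Maximum receipt size in bytes (256 KB) */
    readonly maxReceiptBytes: 262144;
    /** Maximum number of claims in a receipt */
    readonly maxClaimsCount: 100;
    /** Maximum extension size in bytes (64 KB) */
    readonly maxExtensionBytes: 65536;
    /** Maximum string length for individual claims (64 KB) */
    readonly maxStringLength: 65536;
    /** Maximum JWKS document size in bytes (64 KB) */
    readonly maxJwksBytes: 65536;
    /** Maximum number of keys in a JWKS */
    readonly maxJwksKeys: 20;
    /** Maximum individual key size in bytes */
    readonly maxKeySize: 4096;
    /** Network fetch timeout in milliseconds */
    readonly fetchTimeoutMs: 5000;
    /** Maximum number of redirects to follow */
    readonly maxRedirects: 3;
    /** Maximum network response size in bytes (256 KB) */
    readonly maxResponseBytes: 262144;
  };
  readonly VERIFIER_NETWORK: {
    /** Only allow HTTPS URLs */
    readonly httpsOnly: true;
    /** Block requests to private IP ranges */
    readonly blockPrivateIps: true;
    /** Default redirect policy (false = no redirects) */
    readonly allowRedirects: false;
  };
  readonly VERIFIER_POLICY_VERSION: "peac-verifier-policy/0.1";
  readonly VERIFICATION_MODES: {
    /** All verification in browser/client, may fetch JWKS */
    readonly clientSide: "client_side";
    /** No network access, uses bundled/pinned keys */
    readonly offlineOnly: "offline_only";
    /** Prefer offline, fallback to network */
    readonly offlinePreferred: "offline_preferred";
    /** Allow network fetches for key discovery */
    readonly networkAllowed: "network_allowed";
  };
};
//# sourceMappingURL=constants.d.ts.map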