{"version":3,"sources":["../src/constants.ts"],"names":[],"mappings":";AAWO,IAAM,SAAA,GAAY;AASlB,IAAM,YAAA,GAAe;AAKrB,IAAM,UAAA,GAAa;AAAA,EACxB,SAAA,EAAW,CAAC,OAAO,CAAA;AAAA,EACnB,OAAA,EAAS;AACX;AAKO,IAAM,OAAA,GAAU;AAAA,EACrB,OAAA,EAAS,cAAA;AAAA,EACT,cAAA,EAAgB,sBAAA;AAAA,EAChB,IAAA,EAAM,MAAA;AAAA;AAAA,EAEN,OAAA,EAAS,cAAA;AAAA,EACT,cAAA,EAAgB,sBAAA;AAAA,EAChB,aAAA,EAAe;AACjB;AAQO,IAAM,MAAA,GAAS;AAAA,EACpB,YAAA,EAAc,uBAAA;AAAA,EACd,YAAA,EAAc,WAAA;AAAA,EACd,eAAA,EAAiB,iBAAA;AAAA,EACjB,eAAA,EAAiB,IAAA;AAAA,EACjB,QAAA,EAAU,MAAA;AAAA;AAAA,EACV,QAAA,EAAU;AACZ;AAQO,IAAM,aAAA,GAAgB;AAAA,EAC3B,UAAA,EAAY,+BAAA;AAAA,EACZ,aAAA,EAAe,iBAAA;AAAA,EACf,eAAA,EAAiB,IAAA;AAAA,EACjB,QAAA,EAAU,KAAA;AAAA;AAAA,EACV,QAAA,EAAU,CAAA;AAAA,EACV,cAAA,EAAgB;AAClB;AAKO,IAAM,SAAA,GAAY;AAAA,EACvB,cAAc,MAAA,CAAO,YAAA;AAAA,EACrB,eAAA,EAAiB,UAAA;AAAA,EACjB,iBAAiB,MAAA,CAAO;AAC1B;AAKO,IAAM,IAAA,GAAO;AAAA,EAClB,YAAA,EAAc,EAAA;AAAA;AAAA,EAEd,WAAA,EAAa,EAAA;AAAA,EACb,wBAAA,EAA0B;AAC5B;AAKO,IAAM,OAAA,GAAU;AAAA,EACrB,kBAAA,EAAoB,EAAA;AAAA,EACpB,kBAAA,EAAoB,EAAA;AAAA,EACpB,iBAAA,EAAmB;AAAA;AACrB;AAKO,IAAM,MAAA,GAAS;AAAA,EACpB,cAAA,EAAgB,YAAA;AAAA,EAChB,cAAA,EAAgB;AAClB;AAMO,IAAM,cAAA,GAAiB;AAKvB,IAAM,2BAAA,GAA8B;AAMpC,IAAM,IAAA,GAAO;AAAA;AAAA,EAElB,SAAA,EAAW,QAAA;AAAA;AAAA,EAGX,MAAA,EAAQ,SAAA;AAAA;AAAA,EAGR,OAAA,EAAS,uBAAA;AAAA;AAAA,EAGT,UAAA,EAAY;AACd;AASO,SAAS,UAAU,IAAA,EAAqD;AAC7E,EAAA,IAAI,CAAC,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA,EAAG;AAC5B,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO;AAAA,IACL,GAAA,EAAK,QAAA;AAAA,IACL,GAAA,EAAK,IAAA,CAAK,KAAA,CAAM,CAAC;AAAA;AAAA,GACnB;AACF;AASO,SAAS,WAAW,GAAA,EAA4B;AACrD,EAAA,IAAI,CAAC,IAAA,CAAK,UAAA,CAAW,IAAA,CAAK,GAAG,CAAA,EAAG;AAC9B,IAAA,OAAO,IAAA;AAAA,EACT;AACA,EAAA,OAAO,UAAU,GAAG,CAAA,CAAA;AACtB;AAQO,SAAS,YAAY,IAAA,EAAuB;AACjD,EAAA,OAAO,IAAA,CAAK,OAAA,CAAQ,IAAA,CAAK,IAAI,CAAA;AAC/B;AAKO,IAAM,eAAA,GAAkB;AAAA;AAAA,EAE7B,eAAA,EAAiB,MAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,iBAAA,EAAmB,KAAA;AAAA;AAAA,EAEnB,eAAA,EAAiB,KAAA;AAAA;AAAA,EAEjB,YAAA,EAAc,KAAA;AAAA;AA
AA,EAEd,WAAA,EAAa,EAAA;AAAA;AAAA,EAEb,UAAA,EAAY,IAAA;AAAA;AAAA,EAEZ,cAAA,EAAgB,GAAA;AAAA;AAAA,EAEhB,YAAA,EAAc,CAAA;AAAA;AAAA,EAEd,gBAAA,EAAkB;AACpB;AAKO,IAAM,gBAAA,GAAmB;AAAA;AAAA,EAE9B,SAAA,EAAW,IAAA;AAAA;AAAA,EAEX,eAAA,EAAiB,IAAA;AAAA;AAAA,EAEjB,cAAA,EAAgB;AAClB;AAKO,IAAM,iBAAA,GAAoB;AAAA;AAAA,EAE/B,OAAA,EAAS,CAAC,YAAA,EAAc,eAAA,EAAiB,gBAAgB,CAAA;AAAA;AAAA,EAEzD,SAAA,EAAW,CAAC,gBAAgB,CAAA;AAAA;AAAA,EAE5B,QAAA,EAAU,CAAC,aAAa,CAAA;AAAA;AAAA,EAExB,YAAA,EAAc,CAAC,SAAS,CAAA;AAAA;AAAA,EAExB,aAAA,EAAe,CAAC,WAAW;AAC7B;AAKO,IAAM,uBAAA,GAA0B;AAKhC,IAAM,kBAAA,GAAqB;AAAA;AAAA,EAEhC,UAAA,EAAY,aAAA;AAAA;AAAA,EAEZ,WAAA,EAAa,cAAA;AAAA;AAAA,EAEb,gBAAA,EAAkB,mBAAA;AAAA;AAAA,EAElB,cAAA,EAAgB;AAClB;AAYO,IAAM,eAAA,GAAkB;AAQxB,IAAM,eAAA,GAAkB;AAOxB,IAAM,sBAAA,GAAyB;AAAA,EACpC,wBAAA;AAAA,EACA;AACF;AAMO,IAAM,eAAA,GAAkB;AAKxB,IAAM,aAAA,GAAgB,CAAC,KAAA,EAAO,KAAK;AAYnC,IAAM,aAAA,GAAgB;AAAA,EAC3B,SAAA,EAAW,IAAA;AAAA,EACX,gBAAA,EAAkB,CAAC,OAAA,EAAS,KAAK,CAAA;AAAA;AAAA,EAEjC,YAAA,EAAc,EAAE,KAAA,EAAO,GAAA;AACzB;AAKO,IAAM,YAAA,GAAe,EAAE,SAAA,EAAW,GAAA;AAMlC,IAAM,YAAA,GAAe;AAAA;AAAA,EAE1B,YAAA,EAAc,IAAA;AAAA;AAAA,EAEd,gBAAA,EAAkB;AACpB;AAOO,IAAM,6BAAA,GAAgC;AAetC,IAAM,WAAW,UAAA,CAAW;AA6B5B,IAAM,gBAAA,GAAmB;AAAA;AAAA,EAE9B,aAAA,EAAe,KAAA;AAAA;AAAA,EAGf,aAAA,EAAe,MAAA;AAAA;AAAA,EAGf,oBAAA,EAAsB;AACxB;AASO,IAAM,SAAA,GAAY;AAAA,EACvB,SAAA;AAAA,EACA,YAAA;AAAA,EACA,UAAA;AAAA,EACA,OAAA;AAAA,EACA,SAAA;AAAA,EACA,IAAA;AAAA,EACA,OAAA;AAAA,EACA,MAAA;AAAA,EACA,cAAA;AAAA,EACA,2BAAA;AAAA,EACA,IAAA;AAAA,EACA,eAAA;AAAA,EACA,gBAAA;AAAA,EACA,uBAAA;AAAA,EACA;AACF","file":"constants.mjs","sourcesContent":["/**\n * PEAC Protocol Constants\n */\n\n/**\n * Wire 0.1 JWS `typ` claim (legacy constant name).\n *\n * @deprecated Use `WIRE_01_JWS_TYP` for new code. 
`WIRE_TYPE` and\n * `WIRE_01_JWS_TYP` resolve to the same string; `WIRE_01_JWS_TYP` is the\n * canonical name at the JWS layer (v0.12.0-preview.1+, Wire 0.2 dual-stack).\n */\nexport const WIRE_TYPE = 'peac-receipt/0.1' as const;\n\n/**\n * Wire 0.1 version string (legacy constant name).\n *\n * @deprecated Use `WIRE_VERSIONS` or compare against `WIRE_02_VERSION` for\n * dual-stack version detection. `WIRE_VERSION` remains valid for Wire 0.1\n * but does not participate in the Wire 0.2 version model.\n */\nexport const WIRE_VERSION = '0.1' as const;\n\n/**\n * Supported cryptographic algorithms\n */\nexport const ALGORITHMS = {\n  supported: ['EdDSA'] as const,\n  default: 'EdDSA' as const,\n} as const;\n\n/**\n * HTTP header names for PEAC protocol\n */\nexport const HEADERS = {\n  receipt: 'PEAC-Receipt' as const,\n  receiptPointer: 'PEAC-Receipt-Pointer' as const,\n  dpop: 'DPoP' as const,\n  // Purpose headers (v0.9.24+)\n  purpose: 'PEAC-Purpose' as const,\n  purposeApplied: 'PEAC-Purpose-Applied' as const,\n  purposeReason: 'PEAC-Purpose-Reason' as const,\n} as const;\n\n/**\n * Policy manifest settings (/.well-known/peac.txt)\n *\n * Policy documents declare access terms for agents and gateways.\n * @see docs/specs/PEAC-TXT.md\n */\nexport const POLICY = {\n  manifestPath: '/.well-known/peac.txt' as const,\n  fallbackPath: '/peac.txt' as const,\n  manifestVersion: 'peac-policy/0.1' as const,\n  cacheTtlSeconds: 3600,\n  maxBytes: 262144, // 256 KiB\n  maxDepth: 8,\n} as const;\n\n/**\n * Issuer configuration settings (/.well-known/peac-issuer.json)\n *\n * Issuer config enables verifiers to discover JWKS and verification endpoints.\n * @see docs/specs/PEAC-ISSUER.md\n */\nexport const ISSUER_CONFIG = {\n  configPath: '/.well-known/peac-issuer.json' as const,\n  configVersion: 'peac-issuer/0.1' as const,\n  cacheTtlSeconds: 3600,\n  maxBytes: 65536, // 64 KiB\n  maxDepth: 4,\n  fetchTimeoutMs: 10000,\n} as const;\n\n/**\n * @deprecated Use POLICY instead. 
Will be removed in v1.0.\n */\nexport const DISCOVERY = {\n  manifestPath: POLICY.manifestPath,\n  manifestVersion: 'peac/0.9' as const,\n  cacheTtlSeconds: POLICY.cacheTtlSeconds,\n} as const;\n\n/**\n * JWKS rotation and revocation settings\n */\nexport const JWKS = {\n  rotationDays: 90,\n  /** Normative minimum overlap period (v0.11.3+) */\n  overlapDays: 30,\n  emergencyRevocationHours: 24,\n} as const;\n\n/**\n * Receipt validation constants\n */\nexport const RECEIPT = {\n  minReceiptIdLength: 16,\n  maxReceiptIdLength: 64,\n  defaultTtlSeconds: 86400, // 24 hours\n} as const;\n\n/**\n * Payment amount validation limits (in cents/smallest currency unit)\n */\nexport const LIMITS = {\n  maxAmountCents: 999999999999,\n  minAmountCents: 1,\n} as const;\n\n/**\n * Bundle format version.\n * Used in dispute bundles, audit bundles, and archive bundles.\n */\nexport const BUNDLE_VERSION = 'peac-bundle/0.1' as const;\n\n/**\n * Verification report format version.\n */\nexport const VERIFICATION_REPORT_VERSION = 'peac-verification-report/0.1' as const;\n\n/**\n * Hash format constants and utilities.\n * All hashes use the self-describing format: sha256:<64 lowercase hex chars>\n */\nexport const HASH = {\n  /** Canonical hash algorithm */\n  algorithm: 'sha256' as const,\n\n  /** Hash prefix pattern */\n  prefix: 'sha256:' as const,\n\n  /** Valid hash regex: sha256:<64 lowercase hex> */\n  pattern: /^sha256:[0-9a-f]{64}$/,\n\n  /** Hex-only pattern for legacy comparison */\n  hexPattern: /^[0-9a-f]{64}$/,\n};\n\n/**\n * Parse a sha256:<hex> hash string into components.\n * Returns null if the format is invalid.\n *\n * @param hash - Hash string to parse (e.g., \"sha256:abc123...\")\n * @returns Parsed hash or null if invalid\n */\nexport function parseHash(hash: string): { alg: 'sha256'; hex: string } | null {\n  if (!HASH.pattern.test(hash)) {\n    return null;\n  }\n  return {\n    alg: 'sha256',\n    hex: hash.slice(7), // Remove 'sha256:' prefix\n  
};\n}\n\n/**\n * Format a hex string as a sha256:<hex> hash.\n * Validates that the hex is exactly 64 lowercase characters.\n *\n * @param hex - Hex string (64 lowercase characters)\n * @returns Formatted hash or null if invalid\n */\nexport function formatHash(hex: string): string | null {\n  if (!HASH.hexPattern.test(hex)) {\n    return null;\n  }\n  return `sha256:${hex}`;\n}\n\n/**\n * Validate a hash string is in the correct format.\n *\n * @param hash - Hash string to validate\n * @returns true if valid sha256:<64 hex> format\n */\nexport function isValidHash(hash: string): boolean {\n  return HASH.pattern.test(hash);\n}\n\n/**\n * Verifier security limits per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFIER_LIMITS = {\n  /** Maximum receipt size in bytes (256 KB) */\n  maxReceiptBytes: 262144,\n  /** Maximum number of claims in a receipt */\n  maxClaimsCount: 100,\n  /** Maximum extension size in bytes (64 KB) */\n  maxExtensionBytes: 65536,\n  /** Maximum string length for individual claims (64 KB) */\n  maxStringLength: 65536,\n  /** Maximum JWKS document size in bytes (64 KB) */\n  maxJwksBytes: 65536,\n  /** Maximum number of keys in a JWKS */\n  maxJwksKeys: 20,\n  /** Maximum individual key size in bytes */\n  maxKeySize: 4096,\n  /** Network fetch timeout in milliseconds */\n  fetchTimeoutMs: 5000,\n  /** Maximum number of redirects to follow */\n  maxRedirects: 3,\n  /** Maximum network response size in bytes (256 KB) */\n  maxResponseBytes: 262144,\n} as const;\n\n/**\n * Verifier network security settings per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFIER_NETWORK = {\n  /** Only allow HTTPS URLs */\n  httpsOnly: true,\n  /** Block requests to private IP ranges */\n  blockPrivateIps: true,\n  /** Default redirect policy (false = no redirects) */\n  allowRedirects: false,\n} as const;\n\n/**\n * Private, loopback and link-local CIDR blocks (IPv4 and IPv6) to block for SSRF protection.\n * NOTE(review): the list as written does not include IPv6 unique-local (fc00::/7),\n * CGNAT (100.64.0.0/10), 0.0.0.0/8 or IPv4-mapped IPv6 forms; confirm the enforcing\n * code covers them and checks the resolved address, not only the hostname.\n */\nexport const PRIVATE_IP_RANGES = {\n  /** RFC 1918 private ranges */\n  rfc1918: 
['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'] as const,\n  /** Link-local addresses */\n  linkLocal: ['169.254.0.0/16'] as const,\n  /** Loopback addresses */\n  loopback: ['127.0.0.0/8'] as const,\n  /** IPv6 loopback */\n  ipv6Loopback: ['::1/128'] as const,\n  /** IPv6 link-local */\n  ipv6LinkLocal: ['fe80::/10'] as const,\n} as const;\n\n/**\n * Verifier policy version\n */\nexport const VERIFIER_POLICY_VERSION = 'peac-verifier-policy/0.1' as const;\n\n/**\n * Verification modes per VERIFIER-SECURITY-MODEL.md\n */\nexport const VERIFICATION_MODES = {\n  /** All verification in browser/client, may fetch JWKS */\n  clientSide: 'client_side' as const,\n  /** No network access, uses bundled/pinned keys */\n  offlineOnly: 'offline_only' as const,\n  /** Prefer offline, fallback to network */\n  offlinePreferred: 'offline_preferred' as const,\n  /** Allow network fetches for key discovery */\n  networkAllowed: 'network_allowed' as const,\n} as const;\n\n// ---------------------------------------------------------------------------\n// Wire 0.2 constants (v0.12.0-preview.1)\n// ---------------------------------------------------------------------------\n\n/**\n * JWS header typ value for Wire 0.1 receipts.\n * Canonical location: @peac/kernel (layer correction from @peac/schema).\n * The existing WIRE_TYPE constant is unchanged; both resolve to the same string.\n * @peac/schema re-exports this as PEAC_WIRE_TYP for backward compatibility.\n */\nexport const WIRE_01_JWS_TYP = 'peac-receipt/0.1' as const;\n\n/**\n * JWS header typ value for Wire 0.2 records (compact form).\n * Per RFC 7515 Section 4.1.9, the full media type form\n * 'application/interaction-record+jwt' is also accepted by verifiers and\n * normalized to this compact form before returning the header.\n */\nexport const WIRE_02_JWS_TYP = 'interaction-record+jwt' as const;\n\n/**\n * All accepted typ values for Wire 0.2 (compact + full media type form).\n * Used internally by @peac/crypto to 
fast-reject unrelated tokens.\n * Verifiers normalize the full form to WIRE_02_JWS_TYP before returning.\n */\nexport const WIRE_02_JWS_TYP_ACCEPT = [\n  'interaction-record+jwt',\n  'application/interaction-record+jwt',\n] as const;\n\n/**\n * Wire 0.2 peac_version payload claim value.\n * Discriminates Wire 0.2 envelopes from Wire 0.1 (which have no peac_version field).\n */\nexport const WIRE_02_VERSION = '0.2' as const;\n\n/**\n * All supported wire version strings for dual-stack implementations.\n */\nexport const WIRE_VERSIONS = ['0.1', '0.2'] as const;\n\n/**\n * TypeScript union type for supported wire version values.\n */\nexport type WireVersion = (typeof WIRE_VERSIONS)[number];\n\n/**\n * Canonical issuer (iss) constraints for Wire 0.2.\n * Supported schemes: 'https' (RFC 3986 origin-only) and 'did' (DID Core).\n * All other schemes produce E_ISS_NOT_CANONICAL.\n */\nexport const ISS_CANONICAL = {\n  maxLength: 2048,\n  supportedSchemes: ['https', 'did'] as const,\n  /** Default port for https (rejected if explicit in iss). */\n  defaultPorts: { https: 443 } as Record<string, number>,\n} as const;\n\n/**\n * type claim grammar constraints (open vocabulary: reverse-DNS or absolute URI).\n */\nexport const TYPE_GRAMMAR = { maxLength: 256 } as const;\n\n/**\n * policy block field constraints (Wire 0.2).\n * Separate from ISS_CANONICAL to allow independent evolution of each limit.\n */\nexport const POLICY_BLOCK = {\n  /** Maximum length of the policy.uri HTTPS hint (chars). */\n  uriMaxLength: 2048,\n  /** Maximum length of the policy.version label (chars). 
*/\n  versionMaxLength: 256,\n} as const;\n\n/**\n * Maximum tolerated skew between occurred_at and iat for evidence receipts (seconds).\n * If occurred_at > iat within this tolerance, a 'occurred_at_skew' warning is emitted.\n * If occurred_at > now + tolerance, E_OCCURRED_AT_FUTURE is a hard error.\n */\nexport const OCCURRED_AT_TOLERANCE_SECONDS = 300;\n\n/**\n * Verification strictness profiles for Wire 0.2.\n * Owned exclusively by @peac/protocol.verifyLocal(); @peac/crypto has no strictness parameter.\n *\n * - 'strict' (default): typ MUST be present and correct; missing typ is a hard error.\n * - 'interop': tolerates missing typ; emits 'typ_missing' warning; routes by peac_version.\n */\nexport type VerificationStrictness = 'strict' | 'interop';\n\n/**\n * JOSE signature algorithm (EdDSA / Ed25519). Re-exported from kernel for layer\n * correctness: @peac/crypto imports all typ/alg constants from @peac/kernel only.\n */\nexport const PEAC_ALG = ALGORITHMS.default;\n\n// ---------------------------------------------------------------------------\n// Extension byte-budget constants (v0.12.2)\n// ---------------------------------------------------------------------------\n\n/**\n * Normative resource-budget limits for Wire 0.2 extension groups.\n *\n * These limits prevent DoS via formally valid but enormous multi-extension\n * receipts. Enforcement is unconditional in @peac/schema's\n * validateKnownExtensions() superRefine callback.\n *\n * MEASUREMENT BASIS (normative): Byte budgets are measured as the UTF-8\n * byte length of the ECMAScript `JSON.stringify()` output on the plain\n * JSON data value. This means:\n *   - Object key ordering affects byte count (implementation-defined).\n *   - Objects with `toJSON()` methods produce their toJSON output.\n *   - Circular references cause serialization failure (treated as over-budget).\n *   - `undefined` values are omitted (not counted).\n *   - Multi-byte UTF-8 characters (emoji, CJK, etc.) 
count their full\n *     UTF-8 encoding, not JS string length.\n *\n * This is explicitly NOT canonical JSON (JCS/RFC 8785) or raw wire octets.\n * The choice of JSON.stringify is pragmatic: it matches the serialization\n * path used by all major JSON-based transports (MCP, A2A, HTTP). If\n * interop requires canonical measurement, a future DD can narrow this\n * to JCS; the current rule is a safe superset.\n */\nexport const EXTENSION_BUDGET = {\n  /** Max UTF-8 bytes per extension group after JSON.stringify (64 KB) */\n  maxGroupBytes: 65_536,\n\n  /** Max total UTF-8 bytes across all extensions after JSON.stringify (256 KB) */\n  maxTotalBytes: 262_144,\n\n  /** Max UTF-8 bytes for any single string array field (32 KB) */\n  maxArrayPayloadBytes: 32_768,\n} as const;\n\n// ---------------------------------------------------------------------------\n// Legacy aggregate export (unchanged)\n// ---------------------------------------------------------------------------\n\n/**\n * All constants export\n */\nexport const CONSTANTS = {\n  WIRE_TYPE,\n  WIRE_VERSION,\n  ALGORITHMS,\n  HEADERS,\n  DISCOVERY,\n  JWKS,\n  RECEIPT,\n  LIMITS,\n  BUNDLE_VERSION,\n  VERIFICATION_REPORT_VERSION,\n  HASH,\n  VERIFIER_LIMITS,\n  VERIFIER_NETWORK,\n  VERIFIER_POLICY_VERSION,\n  VERIFICATION_MODES,\n} as const;\n"]}