-
-
Notifications
You must be signed in to change notification settings - Fork 6
Expand file tree
/
Copy pathpackage.json
More file actions
203 lines (203 loc) · 17.8 KB
/
Copy pathpackage.json
File metadata and controls
203 lines (203 loc) · 17.8 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
{
"name": "@peac/monorepo",
"version": "0.16.2",
"private": true,
"description": "Portable signed records for agent, API, MCP, and cross-runtime interactions.",
"repository": {
"type": "git",
"url": "https://github.com/peacprotocol/peac.git"
},
"author": "jithinraj <7850727+jithinraj@users.noreply.github.com>",
"license": "Apache-2.0",
"workspaces": [
"packages/*",
"packages/rails/*",
"packages/mappings/*",
"packages/transport/*",
"packages/adapters/*/*",
"surfaces/workers/*",
"apps/*",
"examples/*"
],
"scripts": {
"prepare": "git config core.hooksPath .githooks 2>/dev/null || true",
"test": "vitest run",
"test:watch": "vitest",
"test:coverage": "vitest --coverage",
"test:core": "turbo run test --filter=@peac/crypto --filter=@peac/protocol --filter=@peac/policy-kit --filter=@peac/http-signatures --filter=@peac/jwks-cache --filter=@peac/mappings-mcp --filter=@peac/mappings-acp --filter=@peac/mappings-rsl --filter=@peac/mappings-tap --filter=@peac/rails-x402 --filter=@peac/rails-stripe --filter=@peac/rails-razorpay --filter=@peac/adapter-x402-daydreams --filter=@peac/adapter-x402-fluora --filter=@peac/adapter-x402-pinata --filter=@peac/worker-fastly --filter=@peac/worker-akamai --filter=@peac/transport-grpc",
"test:conformance": "vitest run tests/conformance/",
"test:tooling": "vitest run tests/tooling/",
"conformance:test": "vitest run tests/conformance/",
"schemas:lint": "pnpm format:check -- 'specs/wire/*.json' && node scripts/lint-schemas.js",
"lint": "eslint .",
"lint:fix": "eslint . --fix",
"lint:deps": "depcruise packages/ --config .dependency-cruiser.json",
"format": "prettier \"**/*.{ts,tsx,js,jsx,json,md,yml,yaml}\" --write --ignore-path .prettierignore",
"format:check": "prettier \"**/*.{ts,tsx,js,jsx,json,md,yml,yaml}\" --check --ignore-path .prettierignore",
"typecheck": "pnpm typecheck:core",
"typecheck:core": "tsc -p tsconfig.core.json --noEmit",
"typecheck:legacy": "tsc -p tsconfig.legacy.json --noEmit",
"typecheck:apps": "pnpm --filter @peac/app-sandbox-issuer typecheck && pnpm --filter @peac/app-verifier typecheck && pnpm --filter @peac/app-api typecheck",
"build": "turbo run build",
"dev": "turbo run dev",
"clean": "turbo run clean && rm -rf node_modules",
"ci:guards": "bash scripts/ci/forbid-strings.sh",
"ci:surface": "bash scripts/ci/surface-validator.sh",
"ci:all": "pnpm run ci:guards && pnpm run ci:surface && pnpm run lint && pnpm run check:unicode && pnpm run typecheck && pnpm test",
"examples:check": "pnpm --filter './examples/*' exec tsc --noEmit",
"demo:all": "pnpm --filter @peac/example-hello-world... --filter @peac/example-minimal... --filter @peac/example-mcp-tool-call... --filter @peac/example-mcp-gateway-receipts... --filter @peac/example-x402-node-server... --filter @peac/example-managed-agents-export... --filter @peac/example-commerce-evidence-bundle... --filter @peac/example-mpp-payment-record... build && pnpm --filter @peac/example-hello-world demo && pnpm --filter @peac/example-minimal demo && pnpm --filter @peac/example-mcp-tool-call demo && pnpm --filter @peac/example-mcp-gateway-receipts demo && pnpm --filter @peac/example-x402-node-server demo && pnpm --filter @peac/example-managed-agents-export demo && pnpm --filter @peac/example-commerce-evidence-bundle demo && pnpm --filter @peac/example-mpp-payment-record demo",
"verify:examples-commerce": "pnpm --filter @peac/example-paymentauth-evidence build && pnpm --filter @peac/example-paymentauth-jsonrpc build && pnpm --filter @peac/example-acp-session-lifecycle build && pnpm --filter @peac/example-stripe-spt-evidence build && pnpm --filter @peac/example-commerce-evidence-bundle build && pnpm --filter @peac/example-x402-dual-header-read build && pnpm --filter @peac/example-paymentauth-evidence demo && pnpm --filter @peac/example-paymentauth-jsonrpc demo && pnpm --filter @peac/example-acp-session-lifecycle demo && pnpm --filter @peac/example-stripe-spt-evidence demo && pnpm --filter @peac/example-commerce-evidence-bundle demo && pnpm --filter @peac/example-x402-dual-header-read demo",
"verify:commerce-coverage": "node scripts/conformance/check-commerce-coverage.mjs",
"verify:protocol-strings": "node scripts/verify-protocol-strings.mjs",
"verify:no-network-in-parsers": "node scripts/verify-no-network-in-content-signal-parsers.mjs",
"verify:no-bidi-controls": "node scripts/verify-no-bidi-controls.mjs",
"verify:spec-drift": "node scripts/verify-spec-drift.mjs",
"verify:docs-examples": "node scripts/verify-docs-examples.mjs",
"verify:bundle-drift": "node scripts/verify-bundle-drift.mjs",
"codegen:errors": "tsx scripts/codegen-errors.ts",
"codegen:registries": "tsx scripts/codegen-registries.ts",
"verify:registries-schema": "node scripts/validate-registries-schema.mjs",
"verify:codegen-drift": "bash scripts/verify-codegen-drift.sh",
"verify:example-source-gate": "node scripts/verify-example-source-gate.mjs",
"verify:distribution": "node scripts/verify-distribution.mjs",
"verify:release": "node scripts/verify-release.mjs",
"verify:no-widening": "node scripts/verify-no-semantic-widening.mjs",
"api-contract:extract": "tsx scripts/extract-api-contract.ts",
"api-contract:check": "tsx scripts/extract-api-contract.ts --check",
"verify:contracts:drift": "tsx scripts/extract-api-contract.ts --check",
"verify:surface-status": "node scripts/generate-surface-status.mjs --check",
"verify:openapi:drift": "node scripts/verify-openapi-drift.mjs",
"verify:openapi:drift:test": "node scripts/verify-openapi-drift.test.mjs",
"verify:shadow-redaction": "node scripts/verify-shadow-redaction.mjs",
"verify:shadow-redaction:test": "node scripts/verify-shadow-redaction.test.mjs",
"verify:error-path-hygiene": "node scripts/verify-error-path-hygiene.mjs",
"verify:error-path-hygiene:test": "node scripts/tests/verify-error-path-hygiene.test.mjs",
"test:error-path-hygiene": "node scripts/tests/verify-error-path-hygiene.test.mjs",
"verify:wire-language": "node scripts/verify-wire-language.mjs",
"verify:trust-artifacts": "node scripts/verify-trust-artifacts.mjs",
"verify:public-surface-names": "node scripts/verify-public-surface-names.mjs",
"verify:compliance-mappings": "node scripts/verify-compliance-mappings.mjs",
"verify:compliance-mappings:test": "node scripts/verify-compliance-mappings.test.mjs",
"verify:privacy-boundary": "node scripts/verify-privacy-boundary-block.mjs",
"audit:errors": "node scripts/audit-error-emissions.mjs",
"audit:errors:write": "node scripts/audit-error-emissions.mjs --write",
"release:deprecate:v0.13.0:dry-run": "NPM_DEPRECATE_DRY_RUN=1 bash scripts/release/npm-deprecate-v0.13.0.sh",
"mutation:baseline": "pnpm dlx -p @stryker-mutator/core@^9 -p @stryker-mutator/vitest-runner@^9 stryker run --config-file stryker.conf.json",
"verify:release-closeout": "node scripts/verify-release-closeout.mjs",
"verify:release-closeout:test": "node scripts/verify-release-closeout.test.mjs",
"verify:changelog-entry:test": "node scripts/extract-changelog-entry.test.mjs",
"verify:stamp-only-pr:test": "node scripts/ci/check-stamp-only-pr.test.mjs",
"verify:go-bench-gate:test": "node scripts/go-bench-gate.test.mjs",
"verify:bench-baseline:test": "node scripts/update-bench-baseline.test.mjs",
"fixtures:new": "node scripts/fixtures-new.mjs",
"conformance:regen:bundle": "tsx scripts/generate-bundle-vectors.ts",
"bench": "pnpm --filter @peac/crypto bench && pnpm --filter @peac/schema bench && pnpm --filter @peac/protocol bench",
"bench:capture": "node scripts/bench-capture.mjs",
"bench:legacy": "tsx scripts/bench-protocol.ts all",
"bench:verify": "tsx scripts/bench-protocol.ts verify",
"bench:issue": "tsx scripts/bench-protocol.ts issue",
"build:apps": "pnpm --filter @peac/app-sandbox-issuer build && pnpm --filter @peac/app-verifier build && pnpm --filter @peac/app-api build",
"test:apps": "pnpm --filter @peac/app-sandbox-issuer test && pnpm --filter @peac/app-verifier test && pnpm --filter @peac/app-api test",
"test:exports": "node scripts/test-package-exports.mjs",
"check:unicode": "bash scripts/check-unicode.sh",
"sanitize:unicode": "node scripts/sanitize-unicode.mjs --fix",
"version:check": "node scripts/check-version-sync.mjs",
"version:bump": "node scripts/bump-version.mjs",
"release:stamp:publish": "node scripts/stamp-release-state.mjs --publish",
"release:stamp:promote": "node scripts/stamp-release-state.mjs --promote",
"release:stamp:check:publish": "node scripts/stamp-release-state.mjs --check --mode publish",
"release:stamp:check:promote": "node scripts/stamp-release-state.mjs --check --mode promote",
"check:zod-major": "node scripts/check-zod-single-major.mjs",
"gate": "bash scripts/gate.sh",
"gate:fast": "bash scripts/gate.sh --fast",
"ci:prepush-fast": "PEAC_FAST=1 bash scripts/guard.sh && pnpm format:check",
"ci:local-parity": "bash scripts/gate.sh",
"evidence-pack": "node scripts/build-submission-pack.mjs",
"release:gate:0.11.3": "bash scripts/release-gate-0.11.3.sh",
"test:property": "vitest run packages/schema/__tests__/json.property.test.ts packages/schema/__tests__/workflow.property.test.ts packages/schema/__tests__/constraints.property.test.ts packages/schema/__tests__/constraints.fuzz.test.ts packages/schema/__tests__/wire02-claims.property.test.ts packages/crypto/__tests__/jws.property.test.ts packages/protocol/__tests__/jti-collision.property.test.ts packages/protocol/__tests__/policy-binding.property.test.ts packages/protocol/__tests__/strictness.property.test.ts packages/protocol/__tests__/verify-local.property.test.ts packages/net/node/tests/jcs-property.test.ts"
},
"devDependencies": {
"@eslint/js": "^10.0.1",
"@peac/adapter-x402": "workspace:*",
"@peac/mappings-acp": "workspace:*",
"@peac/mappings-paymentauth": "workspace:*",
"@peac/mappings-ucp": "workspace:*",
"@peac/rails-stripe": "workspace:*",
"@types/js-yaml": "^4.0.9",
"@types/node": "^22.19.11",
"@vitest/coverage-v8": "^4.1.0",
"ajv": "^8.18.0",
"ajv-formats": "^3.0.1",
"dependency-cruiser": "^17.3.0",
"eslint": "^10.0.1",
"fast-check": "^4.5.3",
"globals": "^17.4.0",
"js-yaml": "^4.1.1",
"lint-staged": "^16.3.1",
"prettier": "^3.8.1",
"semver": "^7.7.0",
"tsx": "^4.21.0",
"turbo": "^2.8.10",
"typescript": "^5.3.3",
"typescript-eslint": "^8.56.0",
"vitest": "^4.1.0",
"yaml": "^2.3.4"
},
"engines": {
"node": ">=22.13.0",
"pnpm": ">=8.0.0"
},
"packageManager": "pnpm@8.15.0",
"pnpm": {
"overrides": {
"minimatch": "10.2.4",
"picomatch": ">=4.0.4",
"qs@>=6.7.0 <=6.14.1": "6.14.2",
"zod": "^4.3.6",
"rollup": ">=4.59.0",
"express-rate-limit": ">=8.2.2",
"flatted": "3.4.2",
"path-to-regexp@>=8.0.0": ">=8.4.0",
"yaml": "2.8.3",
"@hono/node-server": ">=1.19.13",
"hono": ">=4.12.25",
"fast-uri@<3.1.2": ">=3.1.2",
"ip-address@<=10.1.0": ">=10.1.1",
"protobufjs": "8.0.2",
"@protobufjs/utf8": "1.1.1",
"defu": ">=6.1.5",
"esbuild@<0.25.0": ">=0.25.0",
"undici@<6.27.0": "6.27.0",
"postcss@<8.5.10": ">=8.5.10",
"form-data@<4.0.6": ">=4.0.6",
"vite@<6.4.2": ">=8.0.16",
"ws@>=8.0.0 <8.21.0": "8.21.0"
},
"overridesComments": {
"minimatch": "Cross-major pin to 10.2.4: typescript-estree requires ^9.0.4 but 9.x has no patch for GHSA-3ppc-4f35-3m26. minimatch 10.x is API-compatible (same globbing interface). 10.2.4 patches GHSA-7r86-cg39-jmmj and GHSA-23c5-xmqv-rm74 (ReDoS). Drops Node 18 (fine: repo baseline is >=22.0.0). Lint verified clean.",
"picomatch": "Override to >=4.0.4: patches GHSA-c2c7-rcm5-vvqj (ReDoS via extglob quantifiers). Dev-only via vitest/vite/dependency-cruiser.",
"qs": "Range-scoped: only overrides vulnerable 6.7.0-6.14.1 to 6.14.2 (fixes GHSA-w7fw-mjwx-w883 arrayLimit bypass). Minimal blast radius.",
"zod": "Workspace-wide Zod 4 enforcement: prevents mixed Zod 3/4 which causes runtime TypeError (incompatible internal _parse API). All workspace packages must use Zod 4.",
"rollup": "Override vulnerable 4.53.2 to >=4.59.0 (fixes GHSA-mw96-cpmx-2vgc path traversal). Dev-only via vitest/vite/tsup.",
"express-rate-limit": "Override 8.2.1 to >=8.2.2 (fixes GHSA-46wh-pxpv-q5gq IPv4-mapped IPv6 bypass). Prod dep via @modelcontextprotocol/sdk.",
"flatted": "Override to >=3.4.2 (fixes GHSA-25h7-pfq9-p65f unbounded recursion DoS + GHSA-rf6f-7fwh-wjgh prototype pollution via parse()). Dev-only via eslint -> file-entry-cache -> flat-cache.",
"path-to-regexp@>=8.0.0": "Override to >=8.4.0 (fixes GHSA-j3q9-mxjg-w52f sequential optional groups DoS). Prod dep via @modelcontextprotocol/sdk -> express@5 -> router. path-to-regexp@0.1.12 in express@4 (examples only, not published) is not overridden because 0.1.13 breaks express@4 internal API.",
"yaml": "Pin to 2.8.3 (fixes GHSA-48c2-rrv3-qjmp). Dep via @peac/policy-kit.",
"protobufjs": "Pinned to 8.0.2 (fixes GHSA-xq3m-2v4x-88gg arbitrary code execution in protobufjs@8.0.0 + GHSA-66ff-xgx4-vchm + GHSA-75px-5xx7-5xc7 + GHSA-jvwf-75h9-cwgg + GHSA-685m-2w69-288q + GHSA-2pr8-phx7-x9h3 + GHSA-fx83-v9x8-x52w + GHSA-q6x5-8v7m-xcrf across the 8.0.0..8.0.1 range). Transitive dep via examples/telemetry-otel -> @opentelemetry/otlp-transformer@0.212.0. Examples are private (never published); override protects local eval flows and unblocks CI prod-audit gate. Minimal patched version pin (not >= bound) keeps lockfile diff narrow and reproducible.",
"@protobufjs/utf8": "Defensive pin to 1.1.1 (fixes GHSA-q6x5-8v7m-xcrf in @protobufjs/utf8@<=1.1.0). protobufjs@8.0.2 no longer resolves the prior @protobufjs/* subtree in the current lockfile; this override prevents the vulnerable utf8 helper from re-entering through another transitive path. No published runtime package depends on it.",
"defu": "Override to >=6.1.5 (fixes GHSA-737v-mqg7-c878 prototype pollution via __proto__ in defaults argument). Dev-only via wrangler -> @cloudflare/unenv-preset / unenv. Wrangler 3.x bundles defu 6.1.4; Wrangler 4 (latest) is a major bump deferred for separate review.",
"esbuild@<0.25.0": "Range-scoped to <0.25.0 only (forces patched 0.25.0+, fixes GHSA-67mh-4wv8-2f99 dev-server CORS bypass). Dev-only via wrangler / @esbuild-plugins/node-globals-polyfill peer / @esbuild-plugins/node-modules-polyfill peer (all ship esbuild 0.17.19). Newer esbuild instances at 0.25.12+ already pulled by vitest/tsx are unaffected.",
"undici@<6.27.0": "Range-scoped to <6.27.0 only, pinned to exact 6.27.0 to stay on the undici v6 line (avoids floating to v7/v8). Fixes GHSA-vxpw-j846-p89q (WebSocket client DoS via fragment count bypass, affects 6.17.0..<6.27.0) and retains the prior GHSA-4992-7rv2-5pvq (CRLF injection) and GHSA-2mjp-6q6p-2qxm (request/response smuggling) patches from the earlier <6.24.0 floor. Prod path: apps/api -> @peac/resolver-http -> @peac/net-node, which now declares undici ^6.27.0 directly; also forces the dev wrangler -> miniflare undici onto the patched 6.27.0.",
"postcss@<8.5.10": "Range-scoped to <8.5.10 only (forces patched 8.5.10+, fixes GHSA-qx2v-qp2m-jg93 XSS via unescaped </style> in CSS Stringify output). Dev-only via next 15.5.x (bundles postcss 8.4.31 internally) and vite. Workspace doesn't import postcss directly; affects build tooling only.",
"form-data@<4.0.6": "Range-scoped to <4.0.6 only (forces patched 4.0.6+, fixes GHSA-hmw2-7cc7-3qxx CRLF injection via unescaped multipart field/filename). Dev-only via the supertest/superagent HTTP test client used by @peac/middleware-express tests; not in any published package.",
"vite@<6.4.2": "Range-scoped to <6.4.2 only (forces patched, now floored at >=8.0.16, fixes GHSA-p9ff-h696-f583 arbitrary file read via dev server WebSocket, GHSA-4w7w-66w2-5vf9 path traversal in optimized deps .map handling, and GHSA-fx2h-pf6j-xcff server.fs.deny bypass on Windows alternate paths). Dev-only via vitest/@vitest/coverage-v8 and apps/verifier (internal app); pnpm resolves the override to vite 8.0.16; full test suite passes.",
"ws@>=8.0.0 <8.21.0": "Range-scoped to the v8 line below 8.21.0 only, pinned to exact 8.21.0 (the fixed v8 release). Fixes CVE-2026-48779 / GHSA-96hv-2xvq-fx4p (memory-exhaustion DoS from tiny fragments/data chunks) by resolving ws v8 to the patched 8.21.0 line. Dev/examples-only: resolves via dev wrangler -> miniflare -> ws and examples/erc8004-feedback -> isows; not in any published package. Exact pin (not a >= bound) keeps the lockfile diff narrow and stays on the v8 line.",
"hono": "Bumped to >=4.12.25 to pull patches for CVE-2026-44455 (bodyLimit() bypass for chunked / unknown-length requests), CVE-2026-44456 (hono/jsx unvalidated JSX tag names), CVE-2026-44457 (CSS declaration injection via Style Object Values in JSX SSR), CVE-2026-44458 (Cache Middleware ignores Vary: Authorization / Vary: Cookie), CVE-2026-44459 (improper validation of NumericDate JWT claims), and GHSA-88fw-hqm2-52qc (CORS Middleware reflects any Origin, patched in 4.12.25). Prod dep via apps/api, apps/sandbox-issuer, packages/mcp-server, packages/server.",
"fast-uri@<3.1.2": "Range-scoped to <3.1.2 only (forces patched 3.1.2+, fixes CVE-2026-6321 path traversal via percent-encoded dot segments and CVE-2026-6322 host confusion via percent-encoded authority delimiters). Transitive prod dep via ajv / ajv-formats (in @peac/protocol, @peac/receipts, apps/api) and @modelcontextprotocol/sdk (in @peac/mcp-server).",
"ip-address@<=10.1.0": "Range-scoped to <=10.1.0 only (forces patched 10.1.1+, fixes CVE-2026-42338 XSS in Address6 HTML-emitting methods). Transitive prod dep via @modelcontextprotocol/sdk -> express-rate-limit."
}
},
"lint-staged": {
"*.{ts,tsx,js,jsx,json,md,yml,yaml}": "prettier --write --ignore-unknown"
}
}