package.json
{
"name": "@peac/monorepo",
"version": "0.13.1",
"private": true,
"description": "Portable signed records for agent, API, MCP, and cross-runtime interactions.",
"repository": {
"type": "git",
"url": "https://github.com/peacprotocol/peac.git"
},
"author": "jithinraj <7850727+jithinraj@users.noreply.github.com>",
"license": "Apache-2.0",
"workspaces": [
"packages/*",
"packages/rails/*",
"packages/mappings/*",
"packages/transport/*",
"packages/adapters/*/*",
"surfaces/workers/*",
"apps/*",
"examples/*"
],
"scripts": {
"prepare": "git config core.hooksPath .githooks 2>/dev/null || true",
"test": "vitest run",
"test:watch": "vitest",
"test:coverage": "vitest --coverage",
"test:core": "turbo run test --filter=@peac/crypto --filter=@peac/protocol --filter=@peac/policy-kit --filter=@peac/http-signatures --filter=@peac/jwks-cache --filter=@peac/mappings-mcp --filter=@peac/mappings-acp --filter=@peac/mappings-rsl --filter=@peac/mappings-tap --filter=@peac/rails-x402 --filter=@peac/rails-stripe --filter=@peac/rails-razorpay --filter=@peac/adapter-x402-daydreams --filter=@peac/adapter-x402-fluora --filter=@peac/adapter-x402-pinata --filter=@peac/worker-fastly --filter=@peac/worker-akamai --filter=@peac/transport-grpc",
"test:conformance": "vitest run tests/conformance/",
"conformance:test": "vitest run tests/conformance/",
"schemas:lint": "pnpm format:check -- 'specs/wire/*.json' && node scripts/lint-schemas.js",
"lint": "eslint .",
"lint:fix": "eslint . --fix",
"lint:deps": "depcruise packages/ --config .dependency-cruiser.json",
"format": "prettier \"**/*.{ts,tsx,js,jsx,json,md,yml,yaml}\" --write --ignore-path .prettierignore",
"format:check": "prettier \"**/*.{ts,tsx,js,jsx,json,md,yml,yaml}\" --check --ignore-path .prettierignore",
"typecheck": "pnpm typecheck:core",
"typecheck:core": "tsc -p tsconfig.core.json --noEmit",
"typecheck:legacy": "tsc -p tsconfig.legacy.json --noEmit",
"typecheck:apps": "pnpm --filter @peac/app-sandbox-issuer typecheck && pnpm --filter @peac/app-verifier typecheck && pnpm --filter @peac/app-api typecheck",
"build": "turbo run build",
"dev": "turbo run dev",
"clean": "turbo run clean && rm -rf node_modules",
"ci:guards": "bash scripts/ci/forbid-strings.sh",
"ci:surface": "bash scripts/ci/surface-validator.sh",
"ci:all": "pnpm run ci:guards && pnpm run ci:surface && pnpm run lint && pnpm run check:unicode && pnpm run typecheck && pnpm test",
"examples:check": "pnpm --filter './examples/*' exec tsc --noEmit",
"verify:examples-commerce": "pnpm --filter @peac/example-paymentauth-evidence build && pnpm --filter @peac/example-paymentauth-jsonrpc build && pnpm --filter @peac/example-acp-session-lifecycle build && pnpm --filter @peac/example-stripe-spt-evidence build && pnpm --filter @peac/example-commerce-evidence-bundle build && pnpm --filter @peac/example-x402-dual-header-read build && pnpm --filter @peac/example-paymentauth-evidence demo && pnpm --filter @peac/example-paymentauth-jsonrpc demo && pnpm --filter @peac/example-acp-session-lifecycle demo && pnpm --filter @peac/example-stripe-spt-evidence demo && pnpm --filter @peac/example-commerce-evidence-bundle demo && pnpm --filter @peac/example-x402-dual-header-read demo",
"verify:commerce-coverage": "node scripts/conformance/check-commerce-coverage.mjs",
"verify:protocol-strings": "node scripts/verify-protocol-strings.mjs",
"verify:no-network-in-parsers": "node scripts/verify-no-network-in-content-signal-parsers.mjs",
"verify:no-bidi-controls": "node scripts/verify-no-bidi-controls.mjs",
"verify:spec-drift": "node scripts/verify-spec-drift.mjs",
"verify:docs-examples": "node scripts/verify-docs-examples.mjs",
"verify:bundle-drift": "node scripts/verify-bundle-drift.mjs",
"codegen:errors": "tsx scripts/codegen-errors.ts",
"codegen:registries": "tsx scripts/codegen-registries.ts",
"verify:registries-schema": "node scripts/validate-registries-schema.mjs",
"verify:codegen-drift": "bash scripts/verify-codegen-drift.sh",
"verify:distribution": "node scripts/verify-distribution.mjs",
"verify:release": "node scripts/verify-release.mjs",
"verify:no-widening": "node scripts/verify-no-semantic-widening.mjs",
"api-contract:extract": "tsx scripts/extract-api-contract.ts",
"api-contract:check": "tsx scripts/extract-api-contract.ts --check",
"verify:contracts:drift": "tsx scripts/extract-api-contract.ts --check",
"verify:surface-status": "node scripts/generate-surface-status.mjs --check",
"verify:openapi:drift": "node scripts/verify-openapi-drift.mjs",
"verify:openapi:drift:test": "node scripts/verify-openapi-drift.test.mjs",
"verify:shadow-redaction": "node scripts/verify-shadow-redaction.mjs",
"verify:shadow-redaction:test": "node scripts/verify-shadow-redaction.test.mjs",
"verify:error-path-hygiene": "node scripts/verify-error-path-hygiene.mjs",
"verify:error-path-hygiene:test": "node scripts/tests/verify-error-path-hygiene.test.mjs",
"test:error-path-hygiene": "node scripts/tests/verify-error-path-hygiene.test.mjs",
"verify:wire-language": "node scripts/verify-wire-language.mjs",
"verify:trust-artifacts": "node scripts/verify-trust-artifacts.mjs",
"verify:public-surface-names": "node scripts/verify-public-surface-names.mjs",
"verify:compliance-mappings": "node scripts/verify-compliance-mappings.mjs",
"verify:compliance-mappings:test": "node scripts/verify-compliance-mappings.test.mjs",
"verify:privacy-boundary": "node scripts/verify-privacy-boundary-block.mjs",
"audit:errors": "node scripts/audit-error-emissions.mjs",
"audit:errors:write": "node scripts/audit-error-emissions.mjs --write",
"release:deprecate:v0.13.0:dry-run": "NPM_DEPRECATE_DRY_RUN=1 bash scripts/release/npm-deprecate-v0.13.0.sh",
"mutation:baseline": "pnpm dlx -p @stryker-mutator/core@^9 -p @stryker-mutator/vitest-runner@^9 stryker run --config-file stryker.conf.json",
"verify:release-closeout": "node scripts/verify-release-closeout.mjs",
"verify:release-closeout:test": "node scripts/verify-release-closeout.test.mjs",
"verify:changelog-entry:test": "node scripts/extract-changelog-entry.test.mjs",
"verify:stamp-only-pr:test": "node scripts/ci/check-stamp-only-pr.test.mjs",
"verify:go-bench-gate:test": "node scripts/go-bench-gate.test.mjs",
"verify:bench-baseline:test": "node scripts/update-bench-baseline.test.mjs",
"fixtures:new": "node scripts/fixtures-new.mjs",
"conformance:regen:bundle": "tsx scripts/generate-bundle-vectors.ts",
"bench": "pnpm --filter @peac/crypto bench && pnpm --filter @peac/schema bench && pnpm --filter @peac/protocol bench",
"bench:capture": "node scripts/bench-capture.mjs",
"bench:legacy": "tsx scripts/bench-protocol.ts all",
"bench:verify": "tsx scripts/bench-protocol.ts verify",
"bench:issue": "tsx scripts/bench-protocol.ts issue",
"build:apps": "pnpm --filter @peac/app-sandbox-issuer build && pnpm --filter @peac/app-verifier build && pnpm --filter @peac/app-api build",
"test:apps": "pnpm --filter @peac/app-sandbox-issuer test && pnpm --filter @peac/app-verifier test && pnpm --filter @peac/app-api test",
"test:exports": "node scripts/test-package-exports.mjs",
"check:unicode": "bash scripts/check-unicode.sh",
"sanitize:unicode": "node scripts/sanitize-unicode.mjs --fix",
"version:check": "node scripts/check-version-sync.mjs",
"version:bump": "node scripts/bump-version.mjs",
"release:stamp:publish": "node scripts/stamp-release-state.mjs --publish",
"release:stamp:promote": "node scripts/stamp-release-state.mjs --promote",
"release:stamp:check:publish": "node scripts/stamp-release-state.mjs --check --mode publish",
"release:stamp:check:promote": "node scripts/stamp-release-state.mjs --check --mode promote",
"check:zod-major": "node scripts/check-zod-single-major.mjs",
"gate": "bash scripts/gate.sh",
"gate:fast": "bash scripts/gate.sh --fast",
"ci:prepush-fast": "PEAC_FAST=1 bash scripts/guard.sh && pnpm format:check",
"ci:local-parity": "bash scripts/gate.sh",
"evidence-pack": "node scripts/build-submission-pack.mjs",
"release:gate:0.11.3": "bash scripts/release-gate-0.11.3.sh",
"test:property": "vitest run packages/schema/__tests__/json.property.test.ts packages/schema/__tests__/workflow.property.test.ts packages/schema/__tests__/constraints.property.test.ts packages/schema/__tests__/constraints.fuzz.test.ts packages/schema/__tests__/wire02-claims.property.test.ts packages/crypto/__tests__/jws.property.test.ts packages/protocol/__tests__/jti-collision.property.test.ts packages/protocol/__tests__/policy-binding.property.test.ts packages/protocol/__tests__/strictness.property.test.ts packages/protocol/__tests__/verify-local.property.test.ts packages/net/node/tests/jcs-property.test.ts"
},
"devDependencies": {
"@eslint/js": "^10.0.1",
"@peac/adapter-x402": "workspace:*",
"@peac/mappings-acp": "workspace:*",
"@peac/mappings-paymentauth": "workspace:*",
"@peac/mappings-ucp": "workspace:*",
"@peac/rails-stripe": "workspace:*",
"@types/js-yaml": "^4.0.9",
"@types/node": "^22.19.11",
"@vitest/coverage-v8": "^4.1.0",
"ajv": "^8.18.0",
"ajv-formats": "^3.0.1",
"dependency-cruiser": "^17.3.0",
"eslint": "^10.0.1",
"fast-check": "^4.5.3",
"globals": "^17.4.0",
"js-yaml": "^4.1.1",
"lint-staged": "^16.3.1",
"prettier": "^3.8.1",
"semver": "^7.7.0",
"tsx": "^4.21.0",
"turbo": "^2.8.10",
"typescript": "^5.3.3",
"typescript-eslint": "^8.56.0",
"vitest": "^4.1.0",
"yaml": "^2.3.4"
},
"engines": {
"node": ">=22.0.0",
"pnpm": ">=8.0.0"
},
"packageManager": "pnpm@8.15.0",
"pnpm": {
"overrides": {
"minimatch": "10.2.4",
"picomatch": ">=4.0.4",
"qs@>=6.7.0 <=6.14.1": "6.14.2",
"zod": "^4.3.6",
"rollup": ">=4.59.0",
"express-rate-limit": ">=8.2.2",
"flatted": "3.4.2",
"path-to-regexp@>=8.0.0": ">=8.4.0",
"yaml": "2.8.3",
"@hono/node-server": ">=1.19.13",
"hono": ">=4.12.12",
"protobufjs": ">=8.0.1",
"defu": ">=6.1.5",
"esbuild@<0.25.0": ">=0.25.0",
"undici@<6.24.0": ">=6.24.0",
"postcss@<8.5.10": ">=8.5.10",
"vite@<6.4.2": ">=6.4.2"
},
"overridesComments": {
"minimatch": "Cross-major pin to 10.2.4: typescript-estree requires ^9.0.4 but 9.x has no patch for GHSA-3ppc-4f35-3m26. minimatch 10.x is API-compatible (same globbing interface). 10.2.4 patches GHSA-7r86-cg39-jmmj and GHSA-23c5-xmqv-rm74 (ReDoS). Drops Node 18 (fine: repo baseline is >=22.0.0). Lint verified clean.",
"picomatch": "Override to >=4.0.4: patches GHSA-c2c7-rcm5-vvqj (ReDoS via extglob quantifiers). Dev-only via vitest/vite/dependency-cruiser.",
"qs": "Range-scoped: only overrides vulnerable 6.7.0-6.14.1 to 6.14.2 (fixes GHSA-w7fw-mjwx-w883 arrayLimit bypass). Minimal blast radius.",
"zod": "Workspace-wide Zod 4 enforcement: prevents mixed Zod 3/4 which causes runtime TypeError (incompatible internal _parse API). All workspace packages must use Zod 4.",
"rollup": "Override vulnerable 4.53.2 to >=4.59.0 (fixes GHSA-mw96-cpmx-2vgc path traversal). Dev-only via vitest/vite/tsup.",
"express-rate-limit": "Override 8.2.1 to >=8.2.2 (fixes GHSA-46wh-pxpv-q5gq IPv4-mapped IPv6 bypass). Prod dep via @modelcontextprotocol/sdk.",
"flatted": "Pin to 3.4.2 (fixes GHSA-25h7-pfq9-p65f unbounded recursion DoS + GHSA-rf6f-7fwh-wjgh prototype pollution via parse()). Dev-only via eslint -> file-entry-cache -> flat-cache.",
"path-to-regexp@>=8.0.0": "Override to >=8.4.0 (fixes GHSA-j3q9-mxjg-w52f sequential optional groups DoS). Prod dep via @modelcontextprotocol/sdk -> express@5 -> router. path-to-regexp@0.1.12 in express@4 (examples only, not published) is not overridden because 0.1.13 breaks express@4 internal API.",
"yaml": "Pin to 2.8.3 (fixes GHSA-48c2-rrv3-qjmp). Dep via @peac/policy-kit.",
"protobufjs": "Override to >=8.0.1 (fixes GHSA-xq3m-2v4x-88gg arbitrary code execution in protobufjs@8.0.0). Transitive dep via examples/telemetry-otel -> @opentelemetry/otlp-transformer@0.212.0. Examples are private (never published); override protects local eval flows and unblocks CI prod-audit gate.",
"defu": "Override to >=6.1.5 (fixes GHSA-737v-mqg7-c878 prototype pollution via __proto__ in defaults argument). Dev-only via wrangler -> @cloudflare/unenv-preset / unenv. Wrangler 3.x bundles defu 6.1.4; Wrangler 4 (latest) is a major bump deferred for separate review.",
"esbuild@<0.25.0": "Range-scoped to <0.25.0 only (forces patched 0.25.0+, fixes GHSA-67mh-4wv8-2f99 dev-server CORS bypass). Dev-only via wrangler / @esbuild-plugins/node-globals-polyfill peer / @esbuild-plugins/node-modules-polyfill peer (all ship esbuild 0.17.19). Newer esbuild instances at 0.25.12+ already pulled by vitest/tsx are unaffected.",
"undici@<6.24.0": "Range-scoped to <6.24.0 only (forces patched 6.24.0+, fixes GHSA-4992-7rv2-5pvq CRLF injection via upgrade and GHSA-2mjp-6q6p-2qxm HTTP request/response smuggling). Dev-only via wrangler -> miniflare which bundles undici 5.29.0. @peac/net-node already uses undici 6.24.0+ (production path unaffected).",
"postcss@<8.5.10": "Range-scoped to <8.5.10 only (forces patched 8.5.10+, fixes GHSA-qx2v-qp2m-jg93 XSS via unescaped </style> in CSS Stringify output). Dev-only via next 15.5.x (bundles postcss 8.4.31 internally) and vite. Workspace doesn't import postcss directly; affects build tooling only.",
"vite@<6.4.2": "Range-scoped to <6.4.2 only (forces patched 6.4.2+, fixes GHSA-p9ff-h696-f583 arbitrary file read via dev server WebSocket and GHSA-4w7w-66w2-5vf9 path traversal in optimized deps .map handling). Dev-only via vitest/@vitest/coverage-v8. The replacement range >=6.4.2 is open-ended, so pnpm resolves the override to vite 8.0.10 in practice (a cross-major jump); full test suite passes."
}
},
"lint-staged": {
"*.{ts,tsx,js,jsx,json,md,yml,yaml}": "prettier --write --ignore-unknown"
}
}