@attestry/sdk 0.6.0 → 0.7.0

package/dist/annex-iv-verify/verify.d.ts

@@ -0,0 +1,164 @@
+import { type PublicKeyResolver } from "./data-integrity.js";
+import { BITSTRING_STATUS_LIST_ENTRY, type CredentialStatusEntry, type RevocationCheck } from "./status-list.js";
+import { type Ed25519PublicJwk } from "./resolver.js";
+/** The domain-separation tag — verifier-ENFORCED (step 0). */
+export declare const ANNEX_IV_BIND_TYPE = "ANNEX-IV-BIND-v1";
+/** The JWS protected-header `typ` — a second, header-level domain tag. */
+export declare const ANNEX_IV_BIND_JWS_TYP = "application/annex-iv-bind-v1+jws";
+/** The JWS signature algorithm (Ed25519). */
+export declare const ANNEX_IV_BIND_ALG = "EdDSA";
+/** The honest temporal label for the JWS path (declared N/A by design). */
+export declare const ANNEX_IV_BIND_SIGNING_TIME_LABEL = "issuer-asserted signing time, not independently timestamped";
+/** The signed `ANNEX-IV-BIND-v1` payload — the full triple + binding fields. */
+export interface AnnexIvBindPayload {
+    /** Domain-separation tag (literal {@link ANNEX_IV_BIND_TYPE}). */
+    type: typeof ANNEX_IV_BIND_TYPE;
+    /** The Attestry issuer id (the same value the status-list VC carries). */
+    issuer: string;
+    /** `"sha256:" + 64hex` of the EXACT emitted PDF Buffer. */
+    pdf_byte_sha256: string;
+    /** `attestations.certificateHash` for the file's current attestation cert. */
+    attestation_certificate_hash: string;
+    /** `evidencePacks.contentHash[]` (`sha256:<hex>`) — DEDUPED then sorted ascending. */
+    evidence_pack_content_hashes: string[];
+    /** The file's `signedAt`, ISO-8601 UTC second-precision (issuer-asserted signing time). */
+    issued_at: string;
+    /** The active signing-key id. */
+    kid: string;
+    /** The FULL `verificationMethod` URL: `<keysBaseUrl>#<kid>`. */
+    verificationMethod: string;
+    /** The published status-list VC URL. */
+    status_list_ref: string;
+    /** The per-file UNIQUE revocation index. */
+    status_list_index: number;
+    /** A `BitstringStatusListEntry`-shaped object driving offline revocation. */
+    credentialStatus: CredentialStatusEntry;
+}
+/** A parsed compact JWS (the three base64url segments + decoded header/payload). */
+export interface ParsedAnnexIvBindJws {
+    protectedB64: string;
+    payloadB64: string;
+    signatureB64: string;
+    header: Record<string, unknown>;
+    payload: AnnexIvBindPayload;
+}
+/**
+ * Parse a compact `ANNEX-IV-BIND-v1` JWS into its segments + decoded
+ * header/payload. Fails closed on a malformed serialization, wrong segment
+ * count, or absent domain tags. Does NOT verify the signature.
+ */
+export declare function parseAnnexIvBindJws(jws: string): ParsedAnnexIvBindJws;
+/**
+ * The MINIMAL internal signature verify: `ed25519Verify` over the RECEIVED
+ * `protected_b64 ‖ "." ‖ payload_b64` octets (RFC-7515 §5.2 — NEVER
+ * re-canonicalize/re-encode at verify), against the resolver-supplied public
+ * key. Returns a boolean; never throws.
+ */
+export declare function verifyAnnexIvBindReceivedOctets(parsed: ParsedAnnexIvBindJws, publicKey: Uint8Array | null | undefined): boolean;
+/** The structured, fail-closed result of {@link verifyAnnexIvBindOffline}. */
+export interface VerifyAnnexIvBindResult {
+    /** Overall verdict: tag ∧ fields ∧ signature ∧ byte-hash ∧ not-a-confirmed-revocation. */
+    valid: boolean;
+    /** The first failing step (0–4) or "revocation" — for diagnostics. */
+    reason?: string;
+    /** True once the protected-header + payload domain tags both matched (step 0). */
+    tagOk: boolean;
+    /** True once every bind field was present + well-typed (step 1). */
+    fieldsOk: boolean;
+    /** True once `ed25519Verify` over the RECEIVED octets passed (step 3). */
+    signatureOk: boolean;
+    /** True once `sha256(suppliedPdfBytes) === payload.pdf_byte_sha256` (step 4). */
+    byteBindingOk: boolean;
+    /**
+     * The two-check revocation result (step 6). `checked:false` is the honest
+     * "status not evaluated" label (no cached list / offline) — never a false
+     * "not revoked".
+     */
+    revocation: RevocationCheck;
+    /**
+     * Temporal is declared N/A for the JWS path: a 10-yr Art-18 artifact has no
+     * validity window — invalidation is revocation, and `issued_at` is the
+     * labelled issuer-asserted signing time, not a window.
+     */
+    temporal: {
+        applicable: false;
+        issuedAt: string | null;
+        /** {@link ANNEX_IV_BIND_SIGNING_TIME_LABEL}. */
+        label: string;
+    };
+}
+/**
+ * Inputs to {@link verifyAnnexIvBindOffline} — sidecar + PDF bytes + key
+ * material, NO DB, NO network.
+ *
+ * Key resolution precedence: `resolvePublicKey` (if given) → else a resolver
+ * built from `jwks` → else a typed `AttestryError` (missing key material).
+ */
+export interface VerifyAnnexIvBindOfflineInput {
+    /** The compact RFC-7515 sidecar JWS (the `bind_artifact` / `sidecarJws`). */
+    sidecarJws: string;
+    /** The PDF bytes to byte-bind against `payload.pdf_byte_sha256` (step 4). */
+    pdfBytes: Uint8Array;
+    /**
+     * A cached/out-of-band status-list VC for the two-check revocation (step 6).
+     * Omitted ⇒ `revocation.checked = false` (honest "status not evaluated").
+     */
+    cachedStatusListCredential?: unknown;
+    /**
+     * How the envelope's FULL `verificationMethod` URL resolves to a raw public
+     * key (step 2). Takes precedence over `jwks`. A resolver that returns
+     * null/undefined ⇒ fail-closed `valid:false`. A resolver that THROWS
+     * PROPAGATES (verdict-identity with the kernel — it calls the resolver bare).
+     */
+    resolvePublicKey?: PublicKeyResolver;
+    /**
+     * A JWKS (an array of public JWKs, or a `{ keys }` object). When
+     * `resolvePublicKey` is absent, a fail-closed resolver is built from this via
+     * `makeJwksResolver` (kid-match → `null` on a bad/absent entry, never throws).
+     */
+    jwks?: Ed25519PublicJwk[] | {
+        keys: Ed25519PublicJwk[];
+    };
+}
+/**
+ * The OFFLINE Annex IV bind verifier: sidecar + PDF bytes + key material →
+ * valid/invalid, **NO DB, NO network**. The faithful SDK port of the kernel's
+ * `verifyAnnexIvBind` (same ordered, fail-closed steps; the kernel is the
+ * source of truth and the golden cross-vectors break first on divergence):
+ *
+ *   0. Domain-tag assert — the protected-header `typ` AND the payload `type`
+ *      both match (parse fails closed otherwise). A validly-signed attestation /
+ *      status-list VC fed here is rejected ON THE TAG, not the hash.
+ *   1. Every bind field present + well-typed — fail-closed on ANY absence.
+ *   2. Resolve the key OFFLINE from the envelope's FULL `verificationMethod` URL
+ *      (precedence: `resolvePublicKey` → `jwks`→`makeJwksResolver` → typed throw).
+ *   3. `ed25519Verify` over the RECEIVED `protected_b64 ‖ "." ‖ payload_b64`
+ *      octets — NEVER re-canonicalize/re-encode at verify (RFC-7515 §5.2).
+ *   4. Byte-binding (AFTER 0–3): `sha256(suppliedPdfBytes)` vs `pdf_byte_sha256`.
+ *   5. Temporal — declared N/A (10-yr artifact; invalidation = revocation).
+ *   6. Two-check revocation — `checkRevocationOffline(credentialStatus, cached,
+ *      resolver, issuer)`; VALID requires signature-valid AND bit-not-revoked;
+ *      no cached list ⇒ `checked:false`.
+ *
+ * THROW/NEVER-THROW CONTRACT (the single source of truth):
+ *   - Throws ONLY the typed missing-key-material precondition (`AttestryError`)
+ *     — a usage error, NOT a verification failure.
+ *   - NEVER throws on a malformed/forged JSON ARTIFACT (sidecar / pdf /
+ *     statusList → fail-closed `valid:false`; the per-guard hostile table pins
+ *     the tampered-list cases). CAVEAT: a `cachedStatusListCredential` HAND-BUILT
+ *     with a non-JSON-representable value (NaN / Infinity / BigInt / a circular
+ *     ref) in a canonicalized field propagates the JCS `canonicalize` throw —
+ *     verdict-IDENTICAL with the kernel oracle (a JSON-sourced cached VC, the
+ *     documented path, cannot carry these); a loud catchable error, NEVER a
+ *     false `valid:true`.
+ *   - A caller-supplied `resolvePublicKey` that THROWS **propagates** (the
+ *     kernel calls the resolver bare at both the signature leg and the
+ *     revocation leg — the SDK re-throws to stay verdict-identical). This is
+ *     DISTINCT from a resolver that RETURNS null (→ `valid:false` "public key
+ *     did not resolve offline") and from `makeJwksResolver`'s deliberate
+ *     fail-closed-to-null on a bad/absent jwks entry.
+ */
+export declare function verifyAnnexIvBindOffline(input: VerifyAnnexIvBindOfflineInput): VerifyAnnexIvBindResult;
+export { BITSTRING_STATUS_LIST_ENTRY };
+export type { CredentialStatusEntry, RevocationCheck };
+//# sourceMappingURL=verify.d.ts.map

package/dist/annex-iv-verify/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../src/annex-iv-verify/verify.ts"],"names":[],"mappings":"AAyBA,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAC7D,OAAO,EACL,2BAA2B,EAE3B,KAAK,qBAAqB,EAC1B,KAAK,eAAe,EACrB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAoB,KAAK,gBAAgB,EAAE,MAAM,eAAe,CAAC;AAIxE,8DAA8D;AAC9D,eAAO,MAAM,kBAAkB,qBAAqB,CAAC;AACrD,0EAA0E;AAC1E,eAAO,MAAM,qBAAqB,qCAAqC,CAAC;AACxE,6CAA6C;AAC7C,eAAO,MAAM,iBAAiB,UAAU,CAAC;AACzC,2EAA2E;AAC3E,eAAO,MAAM,gCAAgC,gEACkB,CAAC;AAmBhE,gFAAgF;AAChF,MAAM,WAAW,kBAAkB;IACjC,kEAAkE;IAClE,IAAI,EAAE,OAAO,kBAAkB,CAAC;IAChC,0EAA0E;IAC1E,MAAM,EAAE,MAAM,CAAC;IACf,2DAA2D;IAC3D,eAAe,EAAE,MAAM,CAAC;IACxB,8EAA8E;IAC9E,4BAA4B,EAAE,MAAM,CAAC;IACrC,sFAAsF;IACtF,4BAA4B,EAAE,MAAM,EAAE,CAAC;IACvC,2FAA2F;IAC3F,SAAS,EAAE,MAAM,CAAC;IAClB,iCAAiC;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,gEAAgE;IAChE,kBAAkB,EAAE,MAAM,CAAC;IAC3B,wCAAwC;IACxC,eAAe,EAAE,MAAM,CAAC;IACxB,4CAA4C;IAC5C,iBAAiB,EAAE,MAAM,CAAC;IAC1B,6EAA6E;IAC7E,gBAAgB,EAAE,qBAAqB,CAAC;CACzC;AAED,oFAAoF;AACpF,MAAM,WAAW,oBAAoB;IACnC,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChC,OAAO,EAAE,kBAAkB,CAAC;CAC7B;AAgBD;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,oBAAoB,CAwBrE;AAED;;;;;GAKG;AACH,wBAAgB,+BAA+B,CAC7C,MAAM,EAAE,oBAAoB,EAC5B,SAAS,EAAE,UAAU,GAAG,IAAI,GAAG,SAAS,GACvC,OAAO,CAUT;AAID,8EAA8E;AAC9E,MAAM,WAAW,uBAAuB;IACtC,0FAA0F;IAC1F,KAAK,EAAE,OAAO,CAAC;IACf,sEAAsE;IACtE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,kFAAkF;IAClF,KAAK,EAAE,OAAO,CAAC;IACf,oEAAoE;IACpE,QAAQ,EAAE,OAAO,CAAC;IAClB,0EAA0E;IAC1E,WAAW,EAAE,OAAO,CAAC;IACrB,iFAAiF;IACjF,aAAa,EAAE,OAAO,CAAC;IACvB;;;;OAIG;IACH,UAAU,EAAE,eAAe,CAAC;IAC5B;;;;OAIG;IACH,QAAQ,EAAE;QACR,UAAU,EAAE,KAAK,CAAC;QAClB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,gDAAgD;QAChD,KAAK,EAAE,MAAM,CAAC;KACf,CAAC;CACH;AAED;;;;;;GAMG;AACH,MAAM,WAAW,6BAA6B;IAC5C,6EAA6E;IAC7E,UAAU,EAAE,MAAM,CAAC;IACnB,6EAA6E;IAC7E,QAAQ,EAAE,UAAU,CAAC;IACrB;;;OAGG;IACH,0BAA0B,CAAC,EAAE,OAAO,CAAC;IACrC;;;;;OAKG;IACH,gBAAgB,CAAC,EAAE,iBAAiB,CAAC;IACrC;;;;OAIG;IACH,IAAI,CAAC,EAAE,gBAAgB,EAAE,GAAG;QAAE,IAAI,EAAE,gBAAgB,EAAE,CAAA;KAAE,CAAC;CAC1D;AAkDD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,wBAAgB,wBAAwB,CACtC,KAAK,EAAE,6BAA6B,GACnC,uBAAuB,CA4FzB;AAID,OAAO,EAAE,2BAA2B,EAAE,CAAC;AACvC,YAAY,EAAE,qBAAqB,EAAE,eAAe,EAAE,CAAC"}

package/dist/annex-iv-verify/verify.js

@@ -0,0 +1,273 @@
+// VERIFY-only faithful port of the bind verify-core of
+// `src/lib/annex-iv/cryptobind.ts` — the kernel `verifyAnnexIvBind` is the
+// source of truth; the golden cross-vectors (`__tests__/golden-vectors.json`)
+// break first on any divergence. Do NOT edit semantics independently.
+//
+// This is the ONE HAND-WRITTEN file in the port (the 5 crypto files are
+// verbatim copies). It carries the verify-core ONLY — the sign-side
+// (`signAnnexIvBind`, `buildAnnexIvBindPayload`, `cryptobindTechnicalFilePdf`,
+// the renderer, the key-registry) is NOT ported; the SDK never mints. Imports
+// are rewritten to explicit `.js` extensions (the SDK is `module:"Node16"`).
+//
+// Two intentional divergences from the kernel SOURCE TEXT that are NOT semantic
+// divergences (verdict-identity is preserved — the probe proved it):
+//   1. `AnnexIvBindError` is a LOCAL `class extends Error` (the kernel's extends
+//      the abstract `AnnexIvError` with `code`/`httpStatus`; the verify path
+//      reads ONLY `e.message` via the step-0 catch, never class identity / code /
+//      httpStatus). Every thrown MESSAGE string is preserved VERBATIM.
+//   2. `verifyAnnexIvBindOffline` has NO env-registry default resolver — it
+//      requires caller-supplied key material (`resolvePublicKey` or `jwks`) per
+//      the SDK contract; the kernel's default `resolvePublicKeyByVerificationMethod`
+//      is server-only.
+import { AttestryError } from "../errors.js";
+import { base64urlToBytes } from "./jwk.js";
+import { ed25519Verify, sha256 } from "./ed25519.js";
+import { BITSTRING_STATUS_LIST_ENTRY, checkRevocationOffline, } from "./status-list.js";
+import { makeJwksResolver } from "./resolver.js";
+// ─── Constants (verbatim from cryptobind.ts) ───────────────────────────────--
+/** The domain-separation tag — verifier-ENFORCED (step 0). */
+export const ANNEX_IV_BIND_TYPE = "ANNEX-IV-BIND-v1";
+/** The JWS protected-header `typ` — a second, header-level domain tag. */
+export const ANNEX_IV_BIND_JWS_TYP = "application/annex-iv-bind-v1+jws";
+/** The JWS signature algorithm (Ed25519). */
+export const ANNEX_IV_BIND_ALG = "EdDSA";
+/** The honest temporal label for the JWS path (declared N/A by design). */
+export const ANNEX_IV_BIND_SIGNING_TIME_LABEL = "issuer-asserted signing time, not independently timestamped";
+// ─── Local typed error (C-C-1) ──────────────────────────────────────────────-
+//
+// The kernel's `AnnexIvBindError extends AnnexIvError` (an abstract base with
+// `code`/`httpStatus`, used by the route mapper). The verify path NEVER reads
+// class identity / `code` / `httpStatus` — only `e.message` (via the step-0
+// catch below) — so a minimal local `extends Error` is verdict-identical. The
+// thrown message strings are preserved verbatim from `parseAnnexIvBindJws`.
+class AnnexIvBindError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "AnnexIvBindError";
+        Object.setPrototypeOf(this, new.target.prototype);
+    }
+}
+// ─── Internals (verbatim) ──────────────────────────────────────────────────--
+const SHA256_HEX_RE = /^sha256:[0-9a-f]{64}$/;
+const BIND_HASH_RE = /^sha256:[0-9a-f]{64}$/;
+const textEncoder = new TextEncoder();
+/** Lowercase 64-hex SHA-256 of `bytes`, prefixed `sha256:` (the repo convention). */
+function sha256Prefixed(bytes) {
+    const hashBytes = sha256(bytes);
+    let hex = "";
+    for (const b of hashBytes)
+        hex += b.toString(16).padStart(2, "0");
+    return `sha256:${hex}`;
+}
+/**
+ * Parse a compact `ANNEX-IV-BIND-v1` JWS into its segments + decoded
+ * header/payload. Fails closed on a malformed serialization, wrong segment
+ * count, or absent domain tags. Does NOT verify the signature.
+ */
+export function parseAnnexIvBindJws(jws) {
+    if (typeof jws !== "string") {
+        throw new AnnexIvBindError("JWS must be a string");
+    }
+    const parts = jws.split(".");
+    if (parts.length !== 3) {
+        throw new AnnexIvBindError(`compact JWS must have 3 segments, got ${parts.length}`);
+    }
+    const [protectedB64, payloadB64, signatureB64] = parts;
+    let header;
+    let payload;
+    try {
+        header = JSON.parse(Buffer.from(base64urlToBytes(protectedB64)).toString("utf8"));
+        payload = JSON.parse(Buffer.from(base64urlToBytes(payloadB64)).toString("utf8"));
+    }
+    catch (e) {
+        throw new AnnexIvBindError(`malformed JWS segment: ${e instanceof Error ? e.message : String(e)}`);
+    }
+    if (header.typ !== ANNEX_IV_BIND_JWS_TYP) {
+        throw new AnnexIvBindError(`unexpected JWS typ: ${JSON.stringify(header.typ)}`);
+    }
+    if (payload?.type !== ANNEX_IV_BIND_TYPE) {
+        throw new AnnexIvBindError(`unexpected payload type: ${JSON.stringify(payload?.type)}`);
+    }
+    return { protectedB64, payloadB64, signatureB64, header, payload };
+}
+/**
+ * The MINIMAL internal signature verify: `ed25519Verify` over the RECEIVED
+ * `protected_b64 ‖ "." ‖ payload_b64` octets (RFC-7515 §5.2 — NEVER
+ * re-canonicalize/re-encode at verify), against the resolver-supplied public
+ * key. Returns a boolean; never throws.
+ */
+export function verifyAnnexIvBindReceivedOctets(parsed, publicKey) {
+    if (!publicKey)
+        return false;
+    let signature;
+    try {
+        signature = base64urlToBytes(parsed.signatureB64);
+    }
+    catch {
+        return false;
+    }
+    const signingInput = textEncoder.encode(`${parsed.protectedB64}.${parsed.payloadB64}`);
+    return ed25519Verify(signature, signingInput, publicKey);
+}
+// ─── Fail-closed result helpers (verbatim) ──────────────────────────────────-
+/** A fail-closed INVALID result carrying the failing step + the (partial) flags. */
+function bindInvalid(reason, flags = {}) {
+    return {
+        valid: false,
+        reason,
+        tagOk: false,
+        fieldsOk: false,
+        signatureOk: false,
+        byteBindingOk: false,
+        revocation: { checked: false, revoked: false, reason: "not evaluated" },
+        temporal: { applicable: false, issuedAt: null, label: ANNEX_IV_BIND_SIGNING_TIME_LABEL },
+        ...flags,
+    };
+}
+/** True iff every bind field on the parsed payload is present + well-typed (step 1). */
+function allBindFieldsWellTyped(p) {
+    return (typeof p.pdf_byte_sha256 === "string" &&
+        BIND_HASH_RE.test(p.pdf_byte_sha256) &&
+        typeof p.attestation_certificate_hash === "string" &&
+        p.attestation_certificate_hash.length > 0 &&
+        Array.isArray(p.evidence_pack_content_hashes) &&
+        p.evidence_pack_content_hashes.every((h) => typeof h === "string" && SHA256_HEX_RE.test(h)) &&
+        typeof p.issued_at === "string" &&
+        p.issued_at.length > 0 &&
+        typeof p.kid === "string" &&
+        p.kid.length > 0 &&
+        typeof p.verificationMethod === "string" &&
+        p.verificationMethod.length > 0 &&
+        typeof p.status_list_ref === "string" &&
+        p.status_list_ref.length > 0 &&
+        Number.isInteger(p.status_list_index) &&
+        p.status_list_index >= 0 &&
+        typeof p.issuer === "string" &&
+        p.issuer.length > 0 &&
+        p.credentialStatus != null &&
+        typeof p.credentialStatus === "object");
+}
+// ─── The OFFLINE verifier (verbatim logic; SDK key-resolution) ──────────────--
+/**
+ * The OFFLINE Annex IV bind verifier: sidecar + PDF bytes + key material →
+ * valid/invalid, **NO DB, NO network**. The faithful SDK port of the kernel's
+ * `verifyAnnexIvBind` (same ordered, fail-closed steps; the kernel is the
+ * source of truth and the golden cross-vectors break first on divergence):
+ *
+ *   0. Domain-tag assert — the protected-header `typ` AND the payload `type`
+ *      both match (parse fails closed otherwise). A validly-signed attestation /
+ *      status-list VC fed here is rejected ON THE TAG, not the hash.
+ *   1. Every bind field present + well-typed — fail-closed on ANY absence.
+ *   2. Resolve the key OFFLINE from the envelope's FULL `verificationMethod` URL
+ *      (precedence: `resolvePublicKey` → `jwks`→`makeJwksResolver` → typed throw).
+ *   3. `ed25519Verify` over the RECEIVED `protected_b64 ‖ "." ‖ payload_b64`
+ *      octets — NEVER re-canonicalize/re-encode at verify (RFC-7515 §5.2).
+ *   4. Byte-binding (AFTER 0–3): `sha256(suppliedPdfBytes)` vs `pdf_byte_sha256`.
+ *   5. Temporal — declared N/A (10-yr artifact; invalidation = revocation).
+ *   6. Two-check revocation — `checkRevocationOffline(credentialStatus, cached,
+ *      resolver, issuer)`; VALID requires signature-valid AND bit-not-revoked;
+ *      no cached list ⇒ `checked:false`.
+ *
+ * THROW/NEVER-THROW CONTRACT (the single source of truth):
+ *   - Throws ONLY the typed missing-key-material precondition (`AttestryError`)
+ *     — a usage error, NOT a verification failure.
+ *   - NEVER throws on a malformed/forged JSON ARTIFACT (sidecar / pdf /
+ *     statusList → fail-closed `valid:false`; the per-guard hostile table pins
+ *     the tampered-list cases). CAVEAT: a `cachedStatusListCredential` HAND-BUILT
+ *     with a non-JSON-representable value (NaN / Infinity / BigInt / a circular
+ *     ref) in a canonicalized field propagates the JCS `canonicalize` throw —
+ *     verdict-IDENTICAL with the kernel oracle (a JSON-sourced cached VC, the
+ *     documented path, cannot carry these); a loud catchable error, NEVER a
+ *     false `valid:true`.
+ *   - A caller-supplied `resolvePublicKey` that THROWS **propagates** (the
+ *     kernel calls the resolver bare at both the signature leg and the
+ *     revocation leg — the SDK re-throws to stay verdict-identical). This is
+ *     DISTINCT from a resolver that RETURNS null (→ `valid:false` "public key
+ *     did not resolve offline") and from `makeJwksResolver`'s deliberate
+ *     fail-closed-to-null on a bad/absent jwks entry.
+ */
+export function verifyAnnexIvBindOffline(input) {
+    // Key-resolution precedence (C-D2). A missing-key-material precondition is a
+    // loud, typed usage error — never a bare TypeError, never a verification fail.
+    let resolvePublicKey;
+    if (input.resolvePublicKey) {
+        resolvePublicKey = input.resolvePublicKey;
+    }
+    else if (input.jwks) {
+        resolvePublicKey = makeJwksResolver(input.jwks);
+    }
+    else {
+        throw new AttestryError("verifyAnnexIvBindOffline requires key material: pass `resolvePublicKey` or `jwks`");
+    }
+    // Step 0 — parse + domain-tag assert. `parseAnnexIvBindJws` fails closed on a
+    // wrong segment count, malformed JSON, or a mismatched/absent `typ`/`type` tag.
+    let parsed;
+    try {
+        parsed = parseAnnexIvBindJws(input.sidecarJws);
+    }
+    catch (e) {
+        return bindInvalid(`domain tag / parse: ${e instanceof Error ? e.message : String(e)}`);
+    }
+    const payload = parsed.payload;
+    // Step 1 — every bind field present + well-typed (fail-closed on ANY absence).
+    if (!allBindFieldsWellTyped(payload)) {
+        return bindInvalid("missing or ill-typed bind field", {
+            tagOk: true,
+            temporal: {
+                applicable: false,
+                issuedAt: typeof payload.issued_at === "string" ? payload.issued_at : null,
+                label: ANNEX_IV_BIND_SIGNING_TIME_LABEL,
+            },
+        });
+    }
+    const temporal = {
+        applicable: false,
+        issuedAt: payload.issued_at,
+        label: ANNEX_IV_BIND_SIGNING_TIME_LABEL,
+    };
+    // Step 2 — resolve the key OFFLINE from the FULL verificationMethod URL. A
+    // caller-supplied resolver that throws PROPAGATES (bare call — verdict-identity).
+    const publicKey = resolvePublicKey(payload.verificationMethod);
+    if (!publicKey) {
+        return bindInvalid("public key did not resolve offline", { tagOk: true, fieldsOk: true, temporal });
+    }
+    // Step 3 — verify over the RECEIVED octets (no re-canonicalization).
+    const signatureOk = verifyAnnexIvBindReceivedOctets(parsed, publicKey);
+    if (!signatureOk) {
+        return bindInvalid("signature invalid over the received octets", {
+            tagOk: true,
+            fieldsOk: true,
+            temporal,
+        });
+    }
+    // Step 4 — byte-binding (AFTER 0–3): sha256(supplied bytes) vs pdf_byte_sha256.
+    const byteBindingOk = sha256Prefixed(input.pdfBytes) === payload.pdf_byte_sha256;
+    if (!byteBindingOk) {
+        return bindInvalid("PDF byte-hash does not match the signed pdf_byte_sha256", {
+            tagOk: true,
+            fieldsOk: true,
+            signatureOk: true,
+            temporal,
+        });
+    }
+    // Step 6 — two-check revocation (4-arg, incl. the issuer-binding leg). The
+    // revocation leg also calls the resolver bare (a throw propagates). A confirmed
+    // revocation (checked AND revoked) is the only revocation FAIL; an unchecked
+    // status leaves the verdict standing, honestly labelled `checked:false`.
+    const revocation = checkRevocationOffline(payload.credentialStatus, input.cachedStatusListCredential, resolvePublicKey, payload.issuer);
+    const confirmedRevoked = revocation.checked && revocation.revoked;
+    return {
+        valid: !confirmedRevoked,
+        reason: confirmedRevoked ? "revoked" : undefined,
+        tagOk: true,
+        fieldsOk: true,
+        signatureOk: true,
+        byteBindingOk: true,
+        revocation,
+        temporal,
+    };
+}
+// Re-export the entry-shaped type + the revocation-check shape for consumers
+// that want the full structured result types.
+export { BITSTRING_STATUS_LIST_ENTRY };
+//# sourceMappingURL=verify.js.map

package/dist/annex-iv-verify/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../../src/annex-iv-verify/verify.ts"],"names":[],"mappings":"AAAA,uDAAuD;AACvD,2EAA2E;AAC3E,8EAA8E;AAC9E,sEAAsE;AACtE,EAAE;AACF,wEAAwE;AACxE,oEAAoE;AACpE,+EAA+E;AAC/E,8EAA8E;AAC9E,6EAA6E;AAC7E,EAAE;AACF,gFAAgF;AAChF,qEAAqE;AACrE,iFAAiF;AACjF,6EAA6E;AAC7E,kFAAkF;AAClF,uEAAuE;AACvE,4EAA4E;AAC5E,gFAAgF;AAChF,qFAAqF;AACrF,uBAAuB;AAEvB,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAC5C,OAAO,EAAE,aAAa,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAErD,OAAO,EACL,2BAA2B,EAC3B,sBAAsB,GAGvB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,gBAAgB,EAAyB,MAAM,eAAe,CAAC;AAExE,gFAAgF;AAEhF,8DAA8D;AAC9D,MAAM,CAAC,MAAM,kBAAkB,GAAG,kBAAkB,CAAC;AACrD,0EAA0E;AAC1E,MAAM,CAAC,MAAM,qBAAqB,GAAG,kCAAkC,CAAC;AACxE,6CAA6C;AAC7C,MAAM,CAAC,MAAM,iBAAiB,GAAG,OAAO,CAAC;AACzC,2EAA2E;AAC3E,MAAM,CAAC,MAAM,gCAAgC,GAC3C,6DAA6D,CAAC;AAEhE,gFAAgF;AAChF,EAAE;AACF,8EAA8E;AAC9E,8EAA8E;AAC9E,4EAA4E;AAC5E,8EAA8E;AAC9E,4EAA4E;AAC5E,MAAM,gBAAiB,SAAQ,KAAK;IAClC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;QAC/B,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,GAAG,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACpD,CAAC;CACF;AAuCD,gFAAgF;AAEhF,MAAM,aAAa,GAAG,uBAAuB,CAAC;AAC9C,MAAM,YAAY,GAAG,uBAAuB,CAAC;AAC7C,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC;AAEtC,qFAAqF;AACrF,SAAS,cAAc,CAAC,KAAiB;IACvC,MAAM,SAAS,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;IAChC,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,MAAM,CAAC,IAAI,SAAS;QAAE,GAAG,IAAI,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAClE,OAAO,UAAU,GAAG,EAAE,CAAC;AACzB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAW;IAC7C,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,MAAM,IAAI,gBAAgB,CAAC,sBAAsB,CAAC,CAAC;IACrD,CAAC;IACD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,gBAAgB,CAAC,yCAAyC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;IACtF,CAAC;IACD,MAAM,CAAC,YAAY,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,KAAK,CAAC;IACvD,IAAI,MAA+B,CAAC;IACpC,IAAI,OAA2B,CAAC;IAChC,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAA4B,CAAC;QAC7G,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAuB,CAAC;IACzG,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,IAAI,gBAAgB,CAAC,0BAA0B,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACrG,CAAC;IACD,IAAI,MAAM,CAAC,GAAG,KAAK,qBAAqB,EAAE,CAAC;QACzC,MAAM,IAAI,gBAAgB,CAAC,uBAAuB,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IAClF,CAAC;IACD,IAAI,OAAO,EAAE,IAAI,KAAK,kBAAkB,EAAE,CAAC;QACzC,MAAM,IAAI,gBAAgB,CAAC,4BAA4B,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,CAAC,CAAC;IAC1F,CAAC;IACD,OAAO,EAAE,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;AACrE,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,+BAA+B,CAC7C,MAA4B,EAC5B,SAAwC;IAExC,IAAI,CAAC,SAAS;QAAE,OAAO,KAAK,CAAC;IAC7B,IAAI,SAAqB,CAAC;IAC1B,IAAI,CAAC;QACH,SAAS,GAAG,gBAAgB,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IACpD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;IACD,MAAM,YAAY,GAAG,WAAW,CAAC,MAAM,CAAC,GAAG,MAAM,CAAC,YAAY,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;IACvF,OAAO,aAAa,CAAC,SAAS,EAAE,YAAY,EAAE,SAAS,CAAC,CAAC;AAC3D,CAAC;AAqED,gFAAgF;AAEhF,oFAAoF;AACpF,SAAS,WAAW,CAClB,MAAc,EACd,QAA0C,EAAE;IAE5C,OAAO;QACL,KAAK,EAAE,KAAK;QACZ,MAAM;QACN,KAAK,EAAE,KAAK;QACZ,QAAQ,EAAE,KAAK;QACf,WAAW,EAAE,KAAK;QAClB,aAAa,EAAE,KAAK;QACpB,UAAU,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,eAAe,EAAE;QACvE,QAAQ,EAAE,EAAE,UAAU,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,KAAK,EAAE,gCAAgC,EAAE;QACxF,GAAG,KAAK;KACT,CAAC;AACJ,CAAC;AAED,wFAAwF;AACxF,SAAS,sBAAsB,CAAC,CAAqB;IACnD,OAAO,CACL,OAAO,CAAC,CAAC,eAAe,KAAK,QAAQ;QACrC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,eAAe,CAAC;QACpC,OAAO,CAAC,CAAC,4BAA4B,KAAK,QAAQ;QAClD,CAAC,CAAC,4BAA4B,CAAC,MAAM,GAAG,CAAC;QACzC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,4BAA4B,CAAC;QAC7C,CAAC,CAAC,4BAA4B,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,KAAK,QAAQ,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAC3F,OAAO,CAAC,CAAC,SAAS,KAAK,QAAQ;QAC/B,CAAC,CAAC,SAAS,CAAC,MAAM,GAAG,CAAC;QACtB,OAAO,CAAC,CAAC,GAAG,KAAK,QAAQ;QACzB,CAAC,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC;QAChB,OAAO,CAAC,CAAC,kBAAkB,KAAK,QAAQ;QACxC,CAAC,CAAC,kBAAkB,CAAC,MAAM,GAAG,CAAC;QAC/B,OAAO,CAAC,CAAC,eAAe,KAAK,QAAQ;QACrC,CAAC,CAAC,eAAe,CAAC,MAAM,GAAG,CAAC;QAC5B,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,iBAAiB,CAAC;QACrC,CAAC,CAAC,iBAAiB,IAAI,CAAC;QACxB,OAAO,CAAC,CAAC,MAAM,KAAK,QAAQ;QAC5B,CAAC,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC;QACnB,CAAC,CAAC,gBAAgB,IAAI,IAAI;QAC1B,OAAO,CAAC,CAAC,gBAAgB,KAAK,QAAQ,CACvC,CAAC;AACJ,CAAC;AAED,iFAAiF;AAEjF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,MAAM,UAAU,wBAAwB,CACtC,KAAoC;IAEpC,6EAA6E;IAC7E,+EAA+E;IAC/E,IAAI,gBAAmC,CAAC;IACxC,IAAI,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAC3B,gBAAgB,GAAG,KAAK,CAAC,gBAAgB,CAAC;IAC5C,CAAC;SAAM,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;QACtB,gBAAgB,GAAG,gBAAgB,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAClD,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,aAAa,CACrB,mFAAmF,CACpF,CAAC;IACJ,CAAC;IAED,8EAA8E;IAC9E,gFAAgF;IAChF,IAAI,MAA4B,CAAC;IACjC,IAAI,CAAC;QACH,MAAM,GAAG,mBAAmB,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IACjD,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,WAAW,CAAC,uBAAuB,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC1F,CAAC;IACD,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;IAE/B,+EAA+E;IAC/E,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,EAAE,CAAC;QACrC,OAAO,WAAW,CAAC,iCAAiC,EAAE;YACpD,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE;gBACR,UAAU,EAAE,KAAK;gBACjB,QAAQ,EAAE,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI;gBAC1E,KAAK,EAAE,gCAAgC;aACxC;SACF,CAAC,CAAC;IACL,CAAC;IAED,MAAM,QAAQ,GAAG;QACf,UAAU,EAAE,KAAc;QAC1B,QAAQ,EAAE,OAAO,CAAC,SAAS;QAC3B,KAAK,EAAE,gCAAgC;KACxC,CAAC;IAEF,2EAA2E;IAC3E,kFAAkF;IAClF,MAAM,SAAS,GAAG,gBAAgB,CAAC,OAAO,CAAC,kBAAkB,CAAC,CAAC;IAC/D,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,WAAW,CAAC,oCAAoC,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC;IACtG,CAAC;IAED,qEAAqE;IACrE,MAAM,WAAW,GAAG,+BAA+B,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IACvE,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO,WAAW,CAAC,4CAA4C,EAAE;YAC/D,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,IAAI;YACd,QAAQ;SACT,CAAC,CAAC;IACL,CAAC;IAED,gFAAgF;IAChF,MAAM,aAAa,GAAG,cAAc,CAAC,KAAK,CAAC,QAAQ,CAAC,KAAK,OAAO,CAAC,eAAe,CAAC;IACjF,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,WAAW,CAAC,yDAAyD,EAAE;YAC5E,KAAK,EAAE,IAAI;YACX,QAAQ,EAAE,IAAI;YACd,WAAW,EAAE,IAAI;YACjB,QAAQ;SACT,CAAC,CAAC;IACL,CAAC;IAED,2EAA2E;IAC3E,gFAAgF;IAChF,6EAA6E;IAC7E,yEAAyE;IACzE,MAAM,UAAU,GAAG,sBAAsB,CACvC,OAAO,CAAC,gBAAgB,EACxB,KAAK,CAAC,0BAA0B,EAChC,gBAAgB,EAChB,OAAO,CAAC,MAAM,CACf,CAAC;IACF,MAAM,gBAAgB,GAAG,UAAU,CAAC,OAAO,IAAI,UAAU,CAAC,OAAO,CAAC;IAElE,OAAO;QACL,KAAK,EAAE,CAAC,gBAAgB;QACxB,MAAM,EAAE,gBAAgB,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,SAAS;QAChD,KAAK,EAAE,IAAI;QACX,QAAQ,EAAE,IAAI;QACd,WAAW,EAAE,IAAI;QACjB,aAAa,EAAE,IAAI;QACnB,UAAU;QACV,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,6EAA6E;AAC7E,8CAA8C;AAC9C,OAAO,EAAE,2BAA2B,EAAE,CAAC"}

package/dist/client.d.ts

@@ -1,4 +1,5 @@
 import { AbacPoliciesResource } from "./resources/abac-policies.js";
+import { AnnexIvResource } from "./resources/annex-iv.js";
 import { AuditLogResource } from "./resources/audit-log.js";
 import { BatchResource } from "./resources/batch.js";
 import { ChatResource } from "./resources/chat.js";
@@ -33,6 +34,7 @@ export declare class AttestryClient {
     readonly abacPolicies: AbacPoliciesResource;
     readonly evidencePack: EvidencePackResource;
     readonly vision: VisionResource;
+    readonly annexIv: AnnexIvResource;
     private readonly _config;
     constructor(options: AttestryClientOptions);
     /** Internal — resources call this to dispatch HTTP requests. */

package/dist/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AACpE,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AACpE,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAC;AAC9E,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAMvD,OAAO,KAAK,EAAE,qBAAqB,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAExE,UAAU,mBAAmB;IAC3B,MAAM,EAAE,KAAK,GAAG,MAAM,GAAG,OAAO,GAAG,QAAQ,CAAC;IAC5C,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,GAAG,IAAI,CAAC,CAAC;IACrE,OAAO,CAAC,EAAE,cAAc,CAAC;CAC1B;AAED,qBAAa,cAAc;IACzB,QAAQ,CAAC,SAAS,EAAE,iBAAiB,CAAC;IACtC,QAAQ,CAAC,SAAS,EAAE,iBAAiB,CAAC;IACtC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,QAAQ,EAAE,gBAAgB,CAAC;IACpC,QAAQ,CAAC,iBAAiB,EAAE,yBAAyB,CAAC;IACtD,QAAQ,CAAC,eAAe,EAAE,uBAAuB,CAAC;IAClD,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC;IAC9B,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC;IAC9B,QAAQ,CAAC,QAAQ,EAAE,gBAAgB,CAAC;IACpC,QAAQ,CAAC,YAAY,EAAE,oBAAoB,CAAC;IAE5C,QAAQ,CAAC,YAAY,EAAE,oBAAoB,CAAC;IAC5C,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;IAGhC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyC;gBAErD,OAAO,EAAE,qBAAqB;IAiB1C,gEAAgE;IAChE,QAAQ,CAAC,CAAC,EAAE,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,CAAC,CAAC;IAIlD;;;;;;;;OAQG;IACH,cAAc,CAAC,IAAI,EAAE;QACnB,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,GAAG,IAAI,CAAC,CAAC;QACrE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,OAAO,CAAC,EAAE,cAAc,CAAC;QACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;KAC9B,GAAG,OAAO,CAAC,QAAQ,CAAC;CAGtB"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAUA,OAAO,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AACpE,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AACpE,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAC;AAC9E,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAMvD,OAAO,KAAK,EAAE,qBAAqB,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAExE,UAAU,mBAAmB;IAC3B,MAAM,EAAE,KAAK,GAAG,MAAM,GAAG,OAAO,GAAG,QAAQ,CAAC;IAC5C,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,GAAG,IAAI,CAAC,CAAC;IACrE,OAAO,CAAC,EAAE,cAAc,CAAC;CAC1B;AAED,qBAAa,cAAc;IACzB,QAAQ,CAAC,SAAS,EAAE,iBAAiB,CAAC;IACtC,QAAQ,CAAC,SAAS,EAAE,iBAAiB,CAAC;IACtC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,QAAQ,EAAE,gBAAgB,CAAC;IACpC,QAAQ,CAAC,iBAAiB,EAAE,yBAAyB,CAAC;IACtD,QAAQ,CAAC,eAAe,EAAE,uBAAuB,CAAC;IAClD,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC;IAC9B,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,KAAK,EAAE,aAAa,CAAC;IAC9B,QAAQ,CAAC,QAAQ,EAAE,gBAAgB,CAAC;IACpC,QAAQ,CAAC,YAAY,EAAE,oBAAoB,CAAC;IAE5C,QAAQ,CAAC,YAAY,EAAE,oBAAoB,CAAC;IAC5C,QAAQ,CAAC,MAAM,EAAE,cAAc,CAAC;IAEhC,QAAQ,CAAC,OAAO,EAAE,eAAe,CAAC;IAGlC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAyC;gBAErD,OAAO,EAAE,qBAAqB;IAkB1C,gEAAgE;IAChE,QAAQ,CAAC,CAAC,EAAE,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,CAAC,CAAC;IAIlD;;;;;;;;OAQG;IACH,cAAc,CAAC,IAAI,EAAE;QACnB,IAAI,EAAE,MAAM,CAAC;QACb,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,OAAO,GAAG,SAAS,GAAG,IAAI,CAAC,CAAC;QACrE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACjC,OAAO,CAAC,EAAE,cAAc,CAAC;QACzB,mBAAmB,CAAC,EAAE,MAAM,CAAC;KAC9B,GAAG,OAAO,CAAC,QAAQ,CAAC;CAGtB"}

package/dist/client.js

@@ -8,6 +8,7 @@
 // it's not literally private because TypeScript class-private fields
 // would also hide it from the resource modules in this codebase.
 import { AbacPoliciesResource } from "./resources/abac-policies.js";
+import { AnnexIvResource } from "./resources/annex-iv.js";
 import { AuditLogResource } from "./resources/audit-log.js";
 import { BatchResource } from "./resources/batch.js";
 import { ChatResource } from "./resources/chat.js";
@@ -36,6 +37,8 @@ export class AttestryClient {
     // 2.0 flagship resources (the ≥0.6.0 union — W1 deliverable 5)
     evidencePack;
     vision;
+    // Annex IV technical-file bind path (work-item C — the ≥0.7.0 surface).
+    annexIv;
     // Frozen at construction time; resources read this through `_request`.
     _config;
     constructor(options) {
@@ -53,6 +56,7 @@ export class AttestryClient {
         this.abacPolicies = new AbacPoliciesResource(this);
         this.evidencePack = new EvidencePackResource(this);
         this.vision = new VisionResource(this);
+        this.annexIv = new AnnexIvResource(this);
     }
     /** Internal — resources call this to dispatch HTTP requests. */
     _request(args) {

package/dist/client.js.map

@@ -1 +1 @@
-{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,EAAE;AACF,2EAA2E;AAC3E,0EAA0E;AAC1E,EAAE;AACF,mEAAmE;AACnE,wEAAwE;AACxE,qEAAqE;AACrE,iEAAiE;AAEjE,OAAO,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AACpE,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AACpE,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAC;AAC9E,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EACL,OAAO,IAAI,gBAAgB,EAC3B,mBAAmB,EACnB,aAAa,IAAI,sBAAsB,GACxC,MAAM,gBAAgB,CAAC;AAWxB,MAAM,OAAO,cAAc;IAChB,SAAS,CAAoB;IAC7B,SAAS,CAAoB;IAC7B,IAAI,CAAe;IACnB,QAAQ,CAAmB;IAC3B,iBAAiB,CAA4B;IAC7C,eAAe,CAA0B;IACzC,KAAK,CAAgB;IACrB,IAAI,CAAe;IACnB,KAAK,CAAgB;IACrB,QAAQ,CAAmB;IAC3B,YAAY,CAAuB;IAC5C,+DAA+D;IACtD,YAAY,CAAuB;IACnC,MAAM,CAAiB;IAEhC,uEAAuE;IACtD,OAAO,CAAyC;IAEjE,YAAY,OAA8B;QACxC,IAAI,CAAC,OAAO,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,SAAS,GAAG,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC;QAC7C,IAAI,CAAC,SAAS,GAAG,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC;QAC7C,IAAI,CAAC,IAAI,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,CAAC,QAAQ,GAAG,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAC3C,IAAI,CAAC,iBAAiB,GAAG,IAAI,yBAAyB,CAAC,IAAI,CAAC,CAAC;QAC7D,IAAI,CAAC,eAAe,GAAG,IAAI,uBAAuB,CAAC,IAAI,CAAC,CAAC;QACzD,IAAI,CAAC,KAAK,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,CAAC,IAAI,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,CAAC,QAAQ,GAAG,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAC3C,IAAI,CAAC,YAAY,GAAG,IAAI,oBAAoB,CAAC,IAAI,CAAC,CAAC;QACnD,IAAI,CAAC,YAAY,GAAG,IAAI,oBAAoB,CAAC,IAAI,CAAC,CAAC;QACnD,IAAI,CAAC,MAAM,GAAG,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC;IACzC,CAAC;IAED,gEAAgE;IAChE,QAAQ,CAAI,IAAyB;QACnC,OAAO,gBAAgB,CAAI,EAAE,MAAM,EAAE,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC;IAChE,CAAC;IAED;;;;;;;;OAQG;IACH,cAAc,CAAC,IAMd;QACC,OAAO,sBAAsB,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC;IACnE,CAAC;CACF"}
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,EAAE;AACF,2EAA2E;AAC3E,0EAA0E;AAC1E,EAAE;AACF,mEAAmE;AACnE,wEAAwE;AACxE,qEAAqE;AACrE,iEAAiE;AAEjE,OAAO,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AACpE,OAAO,EAAE,eAAe,EAAE,MAAM,yBAAyB,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AACrD,OAAO,EAAE,uBAAuB,EAAE,MAAM,iCAAiC,CAAC;AAC1E,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AACpE,OAAO,EAAE,YAAY,EAAE,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,yBAAyB,EAAE,MAAM,mCAAmC,CAAC;AAC9E,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAC5D,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EACL,OAAO,IAAI,gBAAgB,EAC3B,mBAAmB,EACnB,aAAa,IAAI,sBAAsB,GACxC,MAAM,gBAAgB,CAAC;AAWxB,MAAM,OAAO,cAAc;IAChB,SAAS,CAAoB;IAC7B,SAAS,CAAoB;IAC7B,IAAI,CAAe;IACnB,QAAQ,CAAmB;IAC3B,iBAAiB,CAA4B;IAC7C,eAAe,CAA0B;IACzC,KAAK,CAAgB;IACrB,IAAI,CAAe;IACnB,KAAK,CAAgB;IACrB,QAAQ,CAAmB;IAC3B,YAAY,CAAuB;IAC5C,+DAA+D;IACtD,YAAY,CAAuB;IACnC,MAAM,CAAiB;IAChC,wEAAwE;IAC/D,OAAO,CAAkB;IAElC,uEAAuE;IACtD,OAAO,CAAyC;IAEjE,YAAY,OAA8B;QACxC,IAAI,CAAC,OAAO,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,CAAC,SAAS,GAAG,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC;QAC7C,IAAI,CAAC,SAAS,GAAG,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC;QAC7C,IAAI,CAAC,IAAI,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,CAAC,QAAQ,GAAG,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAC3C,IAAI,CAAC,iBAAiB,GAAG,IAAI,yBAAyB,CAAC,IAAI,CAAC,CAAC;QAC7D,IAAI,CAAC,eAAe,GAAG,IAAI,uBAAuB,CAAC,IAAI,CAAC,CAAC;QACzD,IAAI,CAAC,KAAK,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,CAAC,IAAI,GAAG,IAAI,YAAY,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,CAAC,KAAK,GAAG,IAAI,aAAa,CAAC,IAAI,CAAC,CAAC;QACrC,IAAI,CAAC,QAAQ,GAAG,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAC3C,IAAI,CAAC,YAAY,GAAG,IAAI,oBAAoB,CAAC,IAAI,CAAC,CAAC;QACnD,IAAI,CAAC,YAAY,GAAG,IAAI,oBAAoB,CAAC,IAAI,CAAC,CAAC;QACnD,IAAI,CAAC,MAAM,GAAG,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC;QACvC,IAAI,CAAC,OAAO,GAAG,IAAI,eAAe,CAAC,IAAI,CAAC,CAAC;IAC3C,CAAC;IAED,gEAAgE;IAChE,QAAQ,CAAI,IAAyB;QACnC,OAAO,gBAAgB,CAAI,EAAE,MAAM,EAAE,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC;IAChE,CAAC;IAED;;;;;;;;OAQG;IACH,cAAc,CAAC,IAMd;QACC,OAAO,sBAAsB,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,EAAE,CAAC,CAAC;IACnE,CAAC;CACF"}

package/dist/index.d.ts

@@ -14,4 +14,8 @@ export { GateResource, type GateInput, type GateGap, type GateResponse, } from "
 export { BatchResource, BATCH_JOB_TYPES, BATCH_JOB_STATUSES, type BatchJobType, type BatchJobStatusValue, type BatchSystemResult, type BatchConfig, type BatchSubmitInput, type BatchSubmitResponse, type BatchJobStatus, } from "./resources/batch.js";
 export { ShipGateResource, type ShipGateInput, type ShipGateCheckResponse, type ShipGateReasonCode, type ShipGateState, } from "./resources/ship-gate.js";
 export { AbacPoliciesResource, ABAC_POLICY_RESOURCES, ABAC_POLICY_ACTIONS, ABAC_POLICY_EFFECTS, type AbacPolicy, type AbacPoliciesListResponse, type AbacPolicyCreateInput, type AbacPolicyUpdateInput, type AbacPolicyEffect, type AbacPolicyResource, type AbacPolicyAction, type AbacAttrRoot, type AbacAttrPath, type AbacAttrValue, type AbacLeafCondition, type AbacCompoundCondition, type AbacCondition, } from "./resources/abac-policies.js";
+export { EvidencePackResource, PACK_TYPES, PACK_STATUSES, EXPORT_FORMATS, type PackType, type PackStatus, type ExportFormat, type CreateEvidencePackInput, type GetEvidencePackInput, type ListEvidencePacksInput, type AddBundleInput, type SignEvidencePackInput, type SupersedeEvidencePackNewPack, type SupersedeEvidencePackInput, type RevokeEvidencePackInput, type ExportEvidencePackInput, type EvidencePack, type ReperformanceBundle, type GetEvidencePackResponse, type ListEvidencePacksResponse, type HashCollision, type AddBundleResponse, type SupersedeEvidencePackResponse, type EvidencePackExportResult, } from "./resources/evidence-pack.js";
+export { VisionResource, SUPPORTED_MEDIA_TYPES, SUPPORTED_DOCUMENT_TYPES, VISION_MODELS, PACK_INTEGRATION_STATUSES, type VisionSupportedMediaType, type VisionSupportedDocumentType, type VisionModelTier, type VisionPackIntegrationStatus, type VisionExtractInput, type VisionBatchDocument, type VisionBatchExtractInput, type VisionSchemaCompatibility, type VisionPackIntegrationHashCollision, type VisionPackIntegrationResult, type VisionTokensUsed, type VisionExtractResponse, type VisionBatchExtractResponse, type VisionJobStatus, } from "./resources/vision.js";
+export { AnnexIvResource, type AnnexIvGenerateResult, type AnnexIvBindResult, type AnnexIvDownloadPdfResult, type GenerateAnnexIvInput, type GetAnnexIvBindInput, type DownloadAnnexIvPdfInput, } from "./resources/annex-iv.js";
+export { verifyAnnexIvBindOffline, makeJwksResolver, type VerifyAnnexIvBindOfflineInput, type VerifyAnnexIvBindResult, type PublicKeyResolver, type Ed25519PublicJwk, type AnnexIvBindPayload, } from "./annex-iv-verify/index.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE9D,OAAO,EACL,cAAc,EACd,UAAU,EACV,eAAe,EACf,KAAK,YAAY,EACjB,KAAK,QAAQ,EACb,KAAK,aAAa,GACnB,MAAM,gBAAgB,CAAC;AAExB,YAAY,EACV,qBAAqB,EACrB,SAAS,EACT,cAAc,GACf,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,qBAAqB,EACrB,KAAK,YAAY,GAClB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,iBAAiB,EACjB,KAAK,QAAQ,EACb,KAAK,mBAAmB,EACxB,KAAK,iBAAiB,EACtB,KAAK,oBAAoB,EACzB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,EACxB,KAAK,sBAAsB,EAC3B,KAAK,eAAe,EACpB,KAAK,6BAA6B,GACnC,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,iBAAiB,EACjB,2BAA2B,EAC3B,KAAK,cAAc,EACnB,KAAK,mBAAmB,EACxB,KAAK,cAAc,EACnB,KAAK,cAAc,EACnB,KAAK,eAAe,EACpB,KAAK,OAAO,EACZ,KAAK,iBAAiB,EACtB,KAAK,mBAAmB,EACxB,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,KAAK,qBAAqB,EAC1B,KAAK,mBAAmB,EACxB,KAAK,uBAAuB,EAC5B,KAAK,oBAAoB,EACzB,KAAK,oBAAoB,EACzB,KAAK,oBAAoB,EACzB,KAAK,qBAAqB,EAC1B,KAAK,mBAAmB,EACxB,KAAK,uBAAuB,GAC7B,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,KAAK,WAAW,EAChB,KAAK,cAAc,EACnB,KAAK,aAAa,EAClB,KAAK,gBAAgB,EACrB,KAAK,eAAe,GACrB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,gBAAgB,EAChB,wBAAwB,EACxB,KAAK,oBAAoB,EACzB,KAAK,cAAc,EACnB,KAAK,mBAAmB,EACxB,KAAK,4BAA4B,GAClC,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,yBAAyB,EACzB,4BAA4B,EAC5B,0BAA0B,EAC1B,KAAK,wBAAwB,EAC7B,KAAK,sBAAsB,EAC3B,KAAK,gBAAgB,EACrB,KAAK,0BAA0B,GAChC,MAAM,mCAAmC,CAAC;AAE3C,OAAO,EACL,uBAAuB,EACvB,KAAK,oBAAoB,EACzB,KAAK,qBAAqB,EAC1B,KAAK,uBAAuB,EAC5B,KAAK,gCAAgC,GACtC,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EACL,aAAa,EACb,KAAK,UAAU,EACf,KAAK,aAAa,GACnB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,YAAY,EACZ,KAAK,SAAS,EACd,KAAK,OAAO,EACZ,KAAK,YAAY,GAClB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,KAAK,YAAY,EACjB,KAAK,mBAAmB,EACxB,KAAK,iBAAiB,EACtB,KAAK,WAAW,EAChB,KAAK,gBAAgB,EACrB,KAAK,mBAAmB,EACxB,KAAK,cAAc,GACpB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,gBAAgB,EAChB,KAAK,aAAa,EAClB,KAAK,qBAAqB,EAC1B,KAAK,kBAAkB,EACvB,KAAK,aAAa,GACnB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,mBAAmB,EACnB,mBAAmB,EACnB,KAAK,UAAU,EACf,KAAK,wBAAwB,EAC7B,KAAK,qBAAqB,EAC1B,KAAK,qBAAqB,EAC1B,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,EACrB,KAAK,YAAY,EACjB,KAAK,YAAY,EACjB,KAAK,aAAa,EAClB,KAAK,iBAAiB,EACtB,KAAK,qBAAqB,EAC1B,KAAK,aAAa,GACnB,MAAM,8BAA8B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE9D,OAAO,EACL,cAAc,EACd,UAAU,EACV,eAAe,EACf,KAAK,YAAY,EACjB,KAAK,QAAQ,EACb,KAAK,aAAa,GACnB,MAAM,gBAAgB,CAAC;AAExB,YAAY,EACV,qBAAqB,EACrB,SAAS,EACT,cAAc,GACf,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,qBAAqB,EACrB,KAAK,YAAY,GAClB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,iBAAiB,EACjB,KAAK,QAAQ,EACb,KAAK,mBAAmB,EACxB,KAAK,iBAAiB,EACtB,KAAK,oBAAoB,EACzB,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,EACxB,KAAK,sBAAsB,EAC3B,KAAK,eAAe,EACpB,KAAK,6BAA6B,GACnC,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,iBAAiB,EACjB,2BAA2B,EAC3B,KAAK,cAAc,EACnB,KAAK,mBAAmB,EACxB,KAAK,cAAc,EACnB,KAAK,cAAc,EACnB,KAAK,eAAe,EACpB,KAAK,OAAO,EACZ,KAAK,iBAAiB,EACtB,KAAK,mBAAmB,EACxB,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,KAAK,qBAAqB,EAC1B,KAAK,mBAAmB,EACxB,KAAK,uBAAuB,EAC5B,KAAK,oBAAoB,EACzB,KAAK,oBAAoB,EACzB,KAAK,oBAAoB,EACzB,KAAK,qBAAqB,EAC1B,KAAK,mBAAmB,EACxB,KAAK,uBAAuB,GAC7B,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,YAAY,EACZ,kBAAkB,EAClB,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,KAAK,WAAW,EAChB,KAAK,cAAc,EACnB,KAAK,aAAa,EAClB,KAAK,gBAAgB,EACrB,KAAK,eAAe,GACrB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,gBAAgB,EAChB,wBAAwB,EACxB,KAAK,oBAAoB,EACzB,KAAK,cAAc,EACnB,KAAK,mBAAmB,EACxB,KAAK,4BAA4B,GAClC,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,yBAAyB,EACzB,4BAA4B,EAC5B,0BAA0B,EAC1B,KAAK,wBAAwB,EAC7B,KAAK,sBAAsB,EAC3B,KAAK,gBAAgB,EACrB,KAAK,0BAA0B,GAChC,MAAM,mCAAmC,CAAC;AAE3C,OAAO,EACL,uBAAuB,EACvB,KAAK,oBAAoB,EACzB,KAAK,qBAAqB,EAC1B,KAAK,uBAAuB,EAC5B,KAAK,gCAAgC,GACtC,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EACL,aAAa,EACb,KAAK,UAAU,EACf,KAAK,aAAa,GACnB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,YAAY,EACZ,KAAK,SAAS,EACd,KAAK,OAAO,EACZ,KAAK,YAAY,GAClB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,aAAa,EACb,eAAe,EACf,kBAAkB,EAClB,KAAK,YAAY,EACjB,KAAK,mBAAmB,EACxB,KAAK,iBAAiB,EACtB,KAAK,WAAW,EAChB,KAAK,gBAAgB,EACrB,KAAK,mBAAmB,EACxB,KAAK,cAAc,GACpB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,gBAAgB,EAChB,KAAK,aAAa,EAClB,KAAK,qBAAqB,EAC1B,KAAK,kBAAkB,EACvB,KAAK,aAAa,GACnB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,mBAAmB,EACnB,mBAAmB,EACnB,KAAK,UAAU,EACf,KAAK,wBAAwB,EAC7B,KAAK,qBAAqB,EAC1B,KAAK,qBAAqB,EAC1B,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,EACvB,KAAK,gBAAgB,EACrB,KAAK,YAAY,EACjB,KAAK,YAAY,EACjB,KAAK,aAAa,EAClB,KAAK,iBAAiB,EACtB,KAAK,qBAAqB,EAC1B,KAAK,aAAa,GACnB,MAAM,8BAA8B,CAAC;AAKtC,OAAO,EACL,oBAAoB,EACpB,UAAU,EACV,aAAa,EACb,cAAc,EACd,KAAK,QAAQ,EACb,KAAK,UAAU,EACf,KAAK,YAAY,EACjB,KAAK,uBAAuB,EAC5B,KAAK,oBAAoB,EACzB,KAAK,sBAAsB,EAC3B,KAAK,cAAc,EACnB,KAAK,qBAAqB,EAC1B,KAAK,4BAA4B,EACjC,KAAK,0BAA0B,EAC/B,KAAK,uBAAuB,EAC5B,KAAK,uBAAuB,EAC5B,KAAK,YAAY,EACjB,KAAK,mBAAmB,EACxB,KAAK,uBAAuB,EAC5B,KAAK,yBAAyB,EAC9B,KAAK,aAAa,EAClB,KAAK,iBAAiB,EACtB,KAAK,6BAA6B,EAClC,KAAK,wBAAwB,GAC9B,MAAM,8BAA8B,CAAC;AAItC,OAAO,EACL,cAAc,EACd,qBAAqB,EACrB,wBAAwB,EACxB,aAAa,EACb,yBAAyB,EACzB,KAAK,wBAAwB,EAC7B,KAAK,2BAA2B,EAChC,KAAK,eAAe,EACpB,KAAK,2BAA2B,EAChC,KAAK,kBAAkB,EACvB,KAAK,mBAAmB,EACxB,KAAK,uBAAuB,EAC5B,KAAK,yBAAyB,EAC9B,KAAK,kCAAkC,EACvC,KAAK,2BAA2B,EAChC,KAAK,gBAAgB,EACrB,KAAK,qBAAqB,EAC1B,KAAK,0BAA0B,EAC/B,KAAK,eAAe,GACrB,MAAM,uBAAuB,CAAC;AAG/B,OAAO,EACL,eAAe,EACf,KAAK,qBAAqB,EAC1B,KAAK,iBAAiB,EACtB,KAAK,wBAAwB,EAC7B,KAAK,oBAAoB,EACzB,KAAK,mBAAmB,EACxB,KAAK,uBAAuB,GAC7B,MAAM,yBAAyB,CAAC;AAIjC,OAAO,EACL,wBAAwB,EACxB,gBAAgB,EAChB,KAAK,6BAA6B,EAClC,KAAK,uBAAuB,EAC5B,KAAK,iBAAiB,EACtB,KAAK,gBAAgB,EACrB,KAAK,kBAAkB,GACxB,MAAM,4BAA4B,CAAC"}

package/dist/index.js

@@ -17,4 +17,16 @@ export { GateResource, } from "./resources/gate.js";
 export { BatchResource, BATCH_JOB_TYPES, BATCH_JOB_STATUSES, } from "./resources/batch.js";
 export { ShipGateResource, } from "./resources/ship-gate.js";
 export { AbacPoliciesResource, ABAC_POLICY_RESOURCES, ABAC_POLICY_ACTIONS, ABAC_POLICY_EFFECTS, } from "./resources/abac-policies.js";
+// ─── Evidence packs (W1 deliverable 5 — the 24-symbol surface, C-D6/RD-C6) ──
+// 4 runtime-valued (EvidencePackResource + PACK_TYPES/PACK_STATUSES/EXPORT_FORMATS)
+// + 20 type-erased (17 interfaces + 3 types) = 24. (Pinned in public-api.test.ts.)
+export { EvidencePackResource, PACK_TYPES, PACK_STATUSES, EXPORT_FORMATS, } from "./resources/evidence-pack.js";
+// ─── Vision (W1 — the 19-symbol surface, C-D6) ──────────────────────────────
+// 5 runtime-valued + 14 type-erased = 19.
+export { VisionResource, SUPPORTED_MEDIA_TYPES, SUPPORTED_DOCUMENT_TYPES, VISION_MODELS, PACK_INTEGRATION_STATUSES, } from "./resources/vision.js";
+// ─── Annex IV technical-file bind path (work-item C — the ≥0.7.0 surface) ───
+export { AnnexIvResource, } from "./resources/annex-iv.js";
+// The bundled PURE offline verifier — a TOP-LEVEL export (no apiKey/transport/
+// network), NOT a client method (C-D5).
+export { verifyAnnexIvBindOffline, makeJwksResolver, } from "./annex-iv-verify/index.js";
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,EAAE;AACF,4EAA4E;AAC5E,uCAAuC;AAEvC,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE9D,OAAO,EACL,cAAc,EACd,UAAU,EACV,eAAe,GAIhB,MAAM,gBAAgB,CAAC;AAQxB,OAAO,EACL,qBAAqB,GAEtB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,iBAAiB,GAUlB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,iBAAiB,EACjB,2BAA2B,GAsB5B,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,YAAY,EACZ,kBAAkB,GAQnB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,gBAAgB,EAChB,wBAAwB,GAKzB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,yBAAyB,EACzB,4BAA4B,EAC5B,0BAA0B,GAK3B,MAAM,mCAAmC,CAAC;AAE3C,OAAO,EACL,uBAAuB,GAKxB,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EACL,aAAa,GAGd,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,YAAY,GAIb,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,aAAa,EACb,eAAe,EACf,kBAAkB,GAQnB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,gBAAgB,GAKjB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,mBAAmB,EACnB,mBAAmB,GAcpB,MAAM,8BAA8B,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,EAAE;AACF,4EAA4E;AAC5E,uCAAuC;AAEvC,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAE9D,OAAO,EACL,cAAc,EACd,UAAU,EACV,eAAe,GAIhB,MAAM,gBAAgB,CAAC;AAQxB,OAAO,EACL,qBAAqB,GAEtB,MAAM,YAAY,CAAC;AAEpB,OAAO,EACL,iBAAiB,GAUlB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,iBAAiB,EACjB,2BAA2B,GAsB5B,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,YAAY,EACZ,kBAAkB,GAQnB,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,gBAAgB,EAChB,wBAAwB,GAKzB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,yBAAyB,EACzB,4BAA4B,EAC5B,0BAA0B,GAK3B,MAAM,mCAAmC,CAAC;AAE3C,OAAO,EACL,uBAAuB,GAKxB,MAAM,iCAAiC,CAAC;AAEzC,OAAO,EACL,aAAa,GAGd,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,YAAY,GAIb,MAAM,qBAAqB,CAAC;AAE7B,OAAO,EACL,aAAa,EACb,eAAe,EACf,kBAAkB,GAQnB,MAAM,sBAAsB,CAAC;AAE9B,OAAO,EACL,gBAAgB,GAKjB,MAAM,0BAA0B,CAAC;AAElC,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,mBAAmB,EACnB,mBAAmB,GAcpB,MAAM,8BAA8B,CAAC;AAEtC,+EAA+E;AAC/E,oFAAoF;AACpF,mFAAmF;AACnF,OAAO,EACL,oBAAoB,EACpB,UAAU,EACV,aAAa,EACb,cAAc,GAqBf,MAAM,8BAA8B,CAAC;AAEtC,+EAA+E;AAC/E,0CAA0C;AAC1C,OAAO,EACL,cAAc,EACd,qBAAqB,EACrB,wBAAwB,EACxB,aAAa,EACb,yBAAyB,GAe1B,MAAM,uBAAuB,CAAC;AAE/B,+EAA+E;AAC/E,OAAO,EACL,eAAe,GAOhB,MAAM,yBAAyB,CAAC;AAEjC,+EAA+E;AAC/E,wCAAwC;AACxC,OAAO,EACL,wBAAwB,EACxB,gBAAgB,GAMjB,MAAM,4BAA4B,CAAC"}