@blamejs/core 0.7.106 → 0.7.107

package/CHANGELOG.md

@@ -8,6 +8,8 @@ upgrading across more than a few patches at a time.
 
 ## v0.7.x
 
+- **0.7.107** (2026-05-06) — `b.auth.sdJwtVc` — Selective Disclosure JWT for Verifiable Credentials per [draft-ietf-oauth-sd-jwt-vc](https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/), aligned with the EU Digital Identity Wallet (EUDI) roll-out and EU AI Act Art. 50 disclosure requirements. **`b.auth.sdJwtVc.issue({ issuer, vct, claims, selectivelyDisclosed, issuerKey, ... })`** mints an SD-JWT VC: per-claim disclosures (base64url-encoded `[salt, name, value]` JSON arrays) with their SHA-256 (or SHA3-256 / SHA-512 / SHA3-512) digests pinned in the issuer-signed `_sd` array; selectively-disclosed claims hidden from the issuer payload, plain claims passthrough; optional `cnf` claim pins the holder's public JWK for key-binding. Supported algorithms: ES256 (default per spec), ES384, EdDSA, ML-DSA-87 (PQC, framework's default), ML-DSA-65. **`present({ sdJwt, disclosedClaimNames, audience, nonce, holderKey })`** builds a holder presentation by selecting which disclosures to reveal; signs an optional Key Binding JWT (typ=`kb+jwt`) carrying the audience, nonce, iat, and an sd_hash binding it to the specific presentation. **`verify(presentation, { issuerKeyResolver, audience, nonce, expectedVct, requireKeyBinding })`** runs the full verification pipeline: issuer JWT signature, iat / exp / vct, per-disclosure digest match against the issuer's `_sd` array, optional KB-JWT signature + audience + nonce + sd_hash check. **`b.auth.sdJwtVc.issuer.create({ issuerUrl, keys, activeKid })`** — operator-side issuer factory with key-management + kid stamping + per-issuance audit emission + `rotateKey` support. **`b.auth.sdJwtVc.holder.create({ storage, holderKey })`** — wallet helper with operator-pluggable storage (production wires `b.db` / `b.objectStore`; built-in `memoryStorage()` for dev / tests); `store` / `present` / `list` / `get` / `delete` covers the full wallet lifecycle. **`b.auth.sdJwtVc.disclosure.encode / decode`** — pure helpers for the SD-JWT disclosure format. Audit emissions on every state transition (`auth.sdJwtVc.issued` / `auth.sdJwtVc.holder.stored` / `presented` / `deleted` / `auth.sdJwtVc.key_rotated`). 32 test cases covering disclosure round-trip, issue/verify happy path, signature tamper, expiration, vct mismatch, disclosure tamper, present subset, key binding (audience + nonce + sd_hash + replay defense), issuer factory + key rotation, holder factory + storage round-trip, hash-algorithm switching, plain-only credential.
+
 - **0.7.106** (2026-05-06) — `b.guardHtml.wcag` — WCAG 2.2 audit-only accessibility scanner. Pure static analysis (no rendering, no JS execution) emitting structured findings the operator wires into a CI gate / audit log / dev warning. **`b.guardHtml.wcag.audit(html, { level, ignore, allowedRoles, allowedAutocomplete, ... })`** returns `{ findings: [{ sc, level, severity, element, line, column, message, remediation }], summary: { error, warning, info }, score, totalFindings, scopeUrl, scannedAt }`. Page-level checks: `<html lang>` (3.1.1), `<title>` (2.4.2), skip-link (2.4.1). Element-level checks: `<img alt>` (1.1.1), input labels (3.3.2), input names (4.1.2), button text (4.1.2), anchor accessible name (2.4.4), heading order + empty heading (1.3.1). **`b.guardHtml.wcag.aria.audit(html)`** — WAI-ARIA 1.2 validation: unknown role values, missing required ARIA properties (e.g. `role="checkbox"` without `aria-checked`), aria-* values outside the spec value set (`aria-checked` ∉ `{true, false, mixed}`), unresolved `aria-labelledby` / `aria-controls` / `aria-describedby` references, and `aria-hidden="true"` on interactive elements. Operators with custom design systems extend the role registry via `allowedRoles`. **`b.guardHtml.wcag.tables.audit(html)`** — Table semantics: `<table>` without `<caption>` (data tables only — layout tables with `role="presentation"` skip the check), `<th>` without scope or with invalid scope value, `<tr>` outside table-context wrappers. **`b.guardHtml.wcag.forms.audit(html)`** — Form-specific: `<fieldset>` without `<legend>` (1.3.1), input `autocomplete=` value against the HTML 5.3 token registry (1.3.5), password input with `autocomplete="off"` (3.3.8 blocks password managers), input/email without autocomplete (3.3.7 redundant entry), `<textarea>` without label. Conformance level filter (`A` / `AA` / `AAA`); `ignore: ["1.4.3"]` for SC-by-SC opt-out; `skipAria` / `skipTables` / `skipForms` for module-level opt-out. Heuristic score (1 - weighted-violations / heuristic-max) for quick gauge. 51 test cases.
 
 - **0.7.105** (2026-05-06) — `b.compliance.sanctions` — sanctions-list screening primitive. Operators handling KYC / payment / customer-onboarding flows screen names against the U.S. Treasury OFAC SDN list, EU CSL, UK HMT consolidated list, UN 1267 list, or operator-defined lists. The framework owns indexing + match algorithm; the operator owns the daily fetch + format-specific parsing (the framework intentionally does not vendor the list — it changes daily and has legal-distribution implications). **`b.compliance.sanctions.create({ entries, algorithm, fuzzy, ... })`** returns a screener with `screen(input)` (single record), `screenBulk(inputs)` (batch), `snapshot()` (rule-version digest for audit trails), `reload(newEntries)` (atomic index swap with diff), `entryById(id)` (lookup), and `size()`. Three match strategies: `exact` (fastest, no fuzz), `jaro-winkler` (default, threshold 0.85), `levenshtein` (edit-distance with cap). Match output: `{ match: bool, hits: [{ entryId, name, matchedOn, score, reason, listed, programs }], algorithm, ruleVersion, screenedAt }`. **`b.compliance.sanctions.fuzzy`** — pure algorithmic core: `normalize` (Unicode diacritic strip + lowercase + whitespace collapse), `tokenize`, `levenshtein` (cap + early-exit), `jaro` / `jaroWinkler`, `tokenSetSimilarity` (order-invariant bag-of-tokens), `substringContains` (token-bounded), `initialsMatch`. **`b.compliance.sanctions.aliases.expand(name, opts)`** — alias-expansion helper covering nicknames (Bill ↔ William, Mike ↔ Michael), transliteration variants (Mohamed ↔ Mohammed), reverse-order forms (Smith John / Smith, John), and initials (J. Smith). 32 built-in name pairs plus operator-extensible `extraPairs`. **`b.compliance.sanctions.fetcher.create({ screener, fetch, intervalMs, onRefreshed, onError })`** — periodic refresh worker that runs the operator's `fetch` callback, validates a non-empty result, and atomically reloads the screener via `screener.reload`. Audit emissions on every refresh state (`compliance.sanctions.refresh.started` / `completed` / `skipped` / `failed`). **Parser shims** for the canonical public list formats: `parseOfacCsvRow` / `parseOfacAliasRow` / `mergeAliases` (OFAC SDN), `parseEuCslEntry` (EU Consolidated Sanctions List XML), `parseUn1267Entry` (UN Security Council XML). Audit emissions: `compliance.sanctions.screened` (every screen call), `compliance.sanctions.matched` (when hits > 0). Test coverage: 39 cases across normalize / tokenize / Levenshtein / Jaro-Winkler / token-set / substring / initials / screen exact + jw + levenshtein / type filter / bulk / snapshot / reload / alias expansion / fetcher tick + failure modes.

package/index.js

@@ -140,6 +140,7 @@ var auth = {
   dpop:     require("./lib/auth/dpop"),
   aal:      require("./lib/auth/aal"),
   statusList: require("./lib/auth/status-list"),
+  sdJwtVc:    require("./lib/auth/sd-jwt-vc"),
 };
 var template = require("./lib/template");
 var render = require("./lib/render");

package/lib/auth/sd-jwt-vc-disclosure.js

@@ -0,0 +1,95 @@
+"use strict";
+/**
+ * SD-JWT VC disclosure encoding/decoding helper.
+ *
+ * Per draft-ietf-oauth-sd-jwt-vc §4.1, a disclosure is the
+ * base64url-encoded JSON serialisation of one of:
+ *
+ *   For object members:    [<salt>, <claim_name>, <claim_value>]
+ *   For array elements:    [<salt>, <array_element>]
+ *
+ * The salt is a 128-bit random value (base64url) preventing dictionary
+ * attacks on the disclosure digests. Operators that need deterministic
+ * salt for testing pass opts.saltSource.
+ */
+
+var nodeCrypto = require("node:crypto");
+var safeJson = require("../safe-json");
+var { AuthError } = require("../framework-error");
+
+var DEFAULT_SALT_BYTES = 16;          // allow:raw-byte-literal — 128-bit salt per spec recommendation
+
+function _newSalt(opts) {
+  if (opts && opts.saltSource && typeof opts.saltSource === "function") {
+    var s = opts.saltSource();
+    if (typeof s !== "string" || s.length === 0) {
+      throw new AuthError("auth-sd-jwt-vc/bad-salt",
+        "saltSource must return a non-empty string");
+    }
+    return s;
+  }
+  var bytes = nodeCrypto.randomBytes(DEFAULT_SALT_BYTES);
+  return bytes.toString("base64url");
+}
+
+function encode(claimName, claimValue, opts) {
+  if (typeof claimName !== "string" || claimName.length === 0) {
+    throw new AuthError("auth-sd-jwt-vc/bad-claim-name",
+      "encode: claimName must be a non-empty string");
+  }
+  if (claimValue === undefined) {
+    throw new AuthError("auth-sd-jwt-vc/bad-claim-value",
+      "encode: claimValue must not be undefined");
+  }
+  var salt = _newSalt(opts);
+  var arr = [salt, claimName, claimValue];
+  var jsonStr = safeJson.stringify(arr);
+  return Buffer.from(jsonStr, "utf8").toString("base64url");
+}
+
+function encodeArrayElement(elementValue, opts) {
+  if (elementValue === undefined) {
+    throw new AuthError("auth-sd-jwt-vc/bad-element-value",
+      "encodeArrayElement: elementValue must not be undefined");
+  }
+  var salt = _newSalt(opts);
+  var arr = [salt, elementValue];
+  var jsonStr = safeJson.stringify(arr);
+  return Buffer.from(jsonStr, "utf8").toString("base64url");
+}
+
+function decode(disclosureStr) {
+  if (typeof disclosureStr !== "string" || disclosureStr.length === 0) {
+    return null;
+  }
+  var jsonStr;
+  try { jsonStr = Buffer.from(disclosureStr, "base64url").toString("utf8"); }
+  catch (_e) { return null; }
+  var parsed;
+  try { parsed = safeJson.parse(jsonStr, { maxBytes: 64 * 1024 }); }                // allow:raw-byte-literal — disclosure cap (64 KB)
+  catch (_e) { return null; }
+  if (!Array.isArray(parsed)) return null;
+  if (parsed.length === 3) {
+    return {
+      salt:       parsed[0],
+      name:       parsed[1],
+      value:      parsed[2],
+      isElement:  false,
+    };
+  }
+  if (parsed.length === 2) {
+    return {
+      salt:       parsed[0],
+      value:      parsed[1],
+      isElement:  true,
+    };
+  }
+  return null;
+}
+
+module.exports = {
+  encode:             encode,
+  encodeArrayElement: encodeArrayElement,
+  decode:             decode,
+  DEFAULT_SALT_BYTES: DEFAULT_SALT_BYTES,
+};

package/lib/auth/sd-jwt-vc-holder.js

@@ -0,0 +1,203 @@
+"use strict";
+/**
+ * b.auth.sdJwtVc.holder — operator-side holder/wallet helper.
+ *
+ * Wraps the lower-level present() function with key-management +
+ * stored-credential lookup + per-presentation audit emission.
+ * Operators running a wallet (mobile app backend, OIDC4VP relying
+ * party with holder role) instantiate one of these per holder.
+ *
+ *   var holder = b.auth.sdJwtVc.holder.create({
+ *     storage:       holderStorageBackend,    // operator-side persistence
+ *     holderKey:     keyPemOrJwk,
+ *     algorithm:     "ES256",
+ *     auditOn:       true,
+ *   });
+ *
+ *   // Save a credential the wallet just received from an issuer
+ *   await holder.store({
+ *     id:    "cred-1",
+ *     sdJwt: receivedFromIssuer.token,
+ *     vct:   "https://example.com/vct/identity",
+ *     issuer: "https://issuer.example.com",
+ *   });
+ *
+ *   // Build a presentation for a verifier request
+ *   var presentation = await holder.present({
+ *     credentialId:        "cred-1",
+ *     disclosedClaimNames: ["given_name"],
+ *     audience:            "https://verifier.example.com",
+ *     nonce:               nonceFromVerifier,
+ *   });
+ *
+ *   // List stored credentials
+ *   var creds = await holder.list();
+ *
+ *   // Delete a credential (on revocation / user request / DSR erasure)
+ *   await holder.delete("cred-1");
+ *
+ * Storage shape (operator implements):
+ *   { put(id, record), get(id), list(), delete(id) }
+ *
+ * The framework also ships `memoryStorage()` for development /
+ * tests — production operators wire b.db / b.objectStore.
+ */
+
+var lazyRequire = require("../lazy-require");
+var validateOpts = require("../validate-opts");
+var { AuthError } = require("../framework-error");
+
+var sdJwtVcCore = lazyRequire(function () { return require("./sd-jwt-vc"); });
+var audit = lazyRequire(function () { return require("../audit"); });
+var observability = lazyRequire(function () { return require("../observability"); });
+
+function _validateStorage(storage) {
+  if (!storage || typeof storage !== "object") return false;
+  return ["put", "get", "list", "delete"].every(function (m) {
+    return typeof storage[m] === "function";
+  });
+}
+
+function memoryStorage() {
+  var byId = new Map();
+  return {
+    put: async function (id, record) {
+      byId.set(id, Object.assign({}, record, { id: id }));
+    },
+    get: async function (id) {
+      var r = byId.get(id);
+      return r ? Object.assign({}, r) : null;
+    },
+    list: async function () {
+      return Array.from(byId.values()).map(function (r) {
+        return Object.assign({}, r);
+      });
+    },
+    delete: async function (id) {
+      var existed = byId.has(id);
+      byId.delete(id);
+      return existed;
+    },
+    _size: function () { return byId.size; },
+  };
+}
+
+function create(opts) {
+  validateOpts.requireObject(opts, "auth.sdJwtVc.holder.create", AuthError);
+  validateOpts(opts, [
+    "storage", "holderKey", "algorithm", "auditOn",
+  ], "auth.sdJwtVc.holder.create");
+
+  if (!_validateStorage(opts.storage)) {
+    throw new AuthError("auth-sd-jwt-vc/bad-storage",
+      "holder.create: storage must implement { put, get, list, delete }");
+  }
+  if (!opts.holderKey) {
+    throw new AuthError("auth-sd-jwt-vc/no-key",
+      "holder.create: holderKey required");
+  }
+  var algorithm = opts.algorithm || "ES256";
+  var auditOn = opts.auditOn !== false;
+
+  function _emitAudit(action, outcome, metadata) {
+    if (!auditOn) return;
+    try {
+      audit().safeEmit({
+        action:   action,
+        outcome:  outcome,
+        metadata: metadata || {},
+      });
+    } catch (_e) { /* drop-silent */ }
+  }
+
+  function _emitMetric(verb) {
+    try { observability().safeEvent("auth.sdJwtVc.holder." + verb, 1, {}); }
+    catch (_e) { /* drop-silent */ }
+  }
+
+  async function store(spec) {
+    if (!spec || typeof spec !== "object") {
+      throw new AuthError("auth-sd-jwt-vc/bad-spec",
+        "holder.store: spec must be an object");
+    }
+    if (typeof spec.id !== "string" || spec.id.length === 0) {
+      throw new AuthError("auth-sd-jwt-vc/bad-id",
+        "holder.store: id is required");
+    }
+    if (typeof spec.sdJwt !== "string") {
+      throw new AuthError("auth-sd-jwt-vc/bad-token",
+        "holder.store: sdJwt is required");
+    }
+    var record = {
+      id:        spec.id,
+      sdJwt:     spec.sdJwt,
+      vct:       spec.vct || null,
+      issuer:    spec.issuer || null,
+      receivedAt: Date.now(),
+    };
+    await opts.storage.put(spec.id, record);
+    _emitAudit("auth.sdJwtVc.holder.stored", "success", {
+      id: spec.id, vct: record.vct, issuer: record.issuer,
+    });
+    _emitMetric("stored");
+    return record;
+  }
+
+  async function present(spec) {
+    if (!spec || typeof spec !== "object") {
+      throw new AuthError("auth-sd-jwt-vc/bad-spec",
+        "holder.present: spec must be an object");
+    }
+    var record = await opts.storage.get(spec.credentialId);
+    if (!record) {
+      throw new AuthError("auth-sd-jwt-vc/credential-not-found",
+        "holder.present: credentialId \"" + spec.credentialId + "\" not found in storage");
+    }
+    var presentation = sdJwtVcCore().present({
+      sdJwt:               record.sdJwt,
+      disclosedClaimNames: spec.disclosedClaimNames || [],
+      audience:            spec.audience || null,
+      nonce:               spec.nonce || null,
+      holderKey:           opts.holderKey,
+      algorithm:           algorithm,
+    });
+    _emitAudit("auth.sdJwtVc.holder.presented", "success", {
+      credentialId: spec.credentialId,
+      audience:     spec.audience || null,
+      disclosed:    (spec.disclosedClaimNames || []).length,
+    });
+    _emitMetric("presented");
+    return presentation;
+  }
+
+  async function list() {
+    var rows = await opts.storage.list();
+    return Array.isArray(rows) ? rows : [];
+  }
+
+  async function get(id) {
+    return await opts.storage.get(id);
+  }
+
+  async function _delete(id) {
+    var existed = await opts.storage.delete(id);
+    if (existed) {
+      _emitAudit("auth.sdJwtVc.holder.deleted", "success", { id: id });
+      _emitMetric("deleted");
+    }
+    return existed;
+  }
+
+  return {
+    store:    store,
+    present:  present,
+    list:     list,
+    get:      get,
+    delete:   _delete,
+  };
+}
+
+module.exports = {
+  create:        create,
+  memoryStorage: memoryStorage,
+};

package/lib/auth/sd-jwt-vc-issuer.js

@@ -0,0 +1,197 @@
+"use strict";
+/**
+ * b.auth.sdJwtVc.issuer — operator-side SD-JWT VC issuer factory.
+ *
+ * Wraps the lower-level issue() function with key-management + key-id
+ * (kid) + per-issuance audit emission. Operators running an issuer
+ * service (EUDI Wallet provider, OIDC4VCI issuer, internal credential
+ * service) instantiate one of these per signing key.
+ *
+ *   var issuer = b.auth.sdJwtVc.issuer.create({
+ *     issuerUrl:    "https://issuer.example.com",
+ *     keys: [
+ *       { kid: "issuer-2026-q2", privateKey: pem, algorithm: "ES256" },
+ *     ],
+ *     activeKid:    "issuer-2026-q2",
+ *     defaultTtlMs: C.TIME.days(90),
+ *     auditOn:      true,
+ *   });
+ *
+ *   var sdJwt = await issuer.issue({
+ *     vct:           "https://example.com/vct/identity",
+ *     subject:       "did:web:alice",
+ *     claims: {
+ *       given_name:    "Alice",
+ *       family_name:   "Smith",
+ *       birthdate:     "1990-01-15",
+ *     },
+ *     selectivelyDisclosed: ["given_name", "family_name", "birthdate"],
+ *     holderKey:     holderJwk,
+ *   });
+ *
+ *   // Key rollover (rotate to a new signing key)
+ *   issuer.rotateKey({ kid: "issuer-2026-q3", privateKey: pem2 });
+ *
+ *   // Operator-side audit / metering
+ *   var stats = issuer.stats();   // { issued, lastIssuedAt, keys: [...] }
+ *
+ * Audit emissions (audit namespace `auth`):
+ *   auth.sdJwtVc.issued        — every successful issue() call
+ *   auth.sdJwtVc.key_rotated   — every rotateKey() invocation
+ */
+
+var C = require("../constants");
+var lazyRequire = require("../lazy-require");
+var validateOpts = require("../validate-opts");
+var { AuthError } = require("../framework-error");
+
+// Lazy-required to avoid the issuer ↔ core circular load: sd-jwt-vc.js
+// requires sd-jwt-vc-issuer.js for its module.exports surface, and
+// the issuer needs sd-jwt-vc.js's issue() function for the actual
+// signing path.
+var sdJwtVcCore = lazyRequire(function () { return require("./sd-jwt-vc"); });
+
+var audit = lazyRequire(function () { return require("../audit"); });
+var observability = lazyRequire(function () { return require("../observability"); });
+
+function create(opts) {
+  validateOpts.requireObject(opts, "auth.sdJwtVc.issuer.create", AuthError);
+  validateOpts(opts, [
+    "issuerUrl", "keys", "activeKid",
+    "defaultTtlMs", "defaultHashAlg", "auditOn",
+  ], "auth.sdJwtVc.issuer.create");
+
+  validateOpts.requireNonEmptyString(opts.issuerUrl,
+    "issuer.create: issuerUrl", AuthError, "auth-sd-jwt-vc/bad-opts");
+  if (!Array.isArray(opts.keys) || opts.keys.length === 0) {
+    throw new AuthError("auth-sd-jwt-vc/no-keys",
+      "issuer.create: keys must be a non-empty array");
+  }
+  for (var i = 0; i < opts.keys.length; i++) {
+    var k = opts.keys[i];
+    if (!k || typeof k !== "object") {
+      throw new AuthError("auth-sd-jwt-vc/bad-key",
+        "issuer.create: keys[" + i + "] must be an object");
+    }
+    if (typeof k.kid !== "string" || k.kid.length === 0) {
+      throw new AuthError("auth-sd-jwt-vc/bad-key",
+        "issuer.create: keys[" + i + "].kid is required");
+    }
+    if (!k.privateKey) {
+      throw new AuthError("auth-sd-jwt-vc/bad-key",
+        "issuer.create: keys[" + i + "].privateKey is required");
+    }
+  }
+  validateOpts.optionalPositiveFinite(opts.defaultTtlMs,
+    "issuer.create: defaultTtlMs", AuthError, "auth-sd-jwt-vc/bad-opts");
+
+  var keysByKid = Object.create(null);
+  for (var j = 0; j < opts.keys.length; j++) {
+    keysByKid[opts.keys[j].kid] = opts.keys[j];
+  }
+  var activeKid = opts.activeKid || opts.keys[0].kid;
+  if (!keysByKid[activeKid]) {
+    throw new AuthError("auth-sd-jwt-vc/bad-active-kid",
+      "issuer.create: activeKid \"" + activeKid + "\" is not in the keys array");
+  }
+  var defaultTtlMs = opts.defaultTtlMs || C.TIME.days(90);
+  var defaultHashAlg = opts.defaultHashAlg || "sha-256";
+  var auditOn = opts.auditOn !== false;
+
+  var stats = {
+    issued:       0,
+    lastIssuedAt: null,
+    keysRotated:  0,
+  };
+
+  function _emitAudit(action, outcome, metadata) {
+    if (!auditOn) return;
+    try {
+      audit().safeEmit({
+        action:   action,
+        outcome:  outcome,
+        metadata: metadata || {},
+      });
+    } catch (_e) { /* drop-silent */ }
+  }
+
+  function _emitMetric(verb) {
+    try { observability().safeEvent("auth.sdJwtVc.issuer." + verb, 1, {}); }
+    catch (_e) { /* drop-silent */ }
+  }
+
+  async function issue(spec) {
+    if (!spec || typeof spec !== "object") {
+      throw new AuthError("auth-sd-jwt-vc/bad-spec",
+        "issuer.issue: spec must be an object");
+    }
+    if (typeof spec.vct !== "string") {
+      throw new AuthError("auth-sd-jwt-vc/bad-spec",
+        "issuer.issue: vct is required");
+    }
+    var key = keysByKid[activeKid];
+    var issued = sdJwtVcCore().issue({
+      issuer:               opts.issuerUrl,
+      subject:              spec.subject || null,
+      vct:                  spec.vct,
+      claims:               spec.claims || {},
+      selectivelyDisclosed: spec.selectivelyDisclosed || [],
+      issuerKey:            key.privateKey,
+      algorithm:            key.algorithm || "ES256",
+      hashAlg:              spec.hashAlg || defaultHashAlg,
+      ttlMs:                spec.ttlMs || defaultTtlMs,
+      holderKey:            spec.holderKey || null,
+      issuedAt:             spec.issuedAt,
+      extraHeader:          { kid: activeKid },
+    });
+    stats.issued += 1;
+    stats.lastIssuedAt = Date.now();
+    _emitAudit("auth.sdJwtVc.issued", "success", {
+      kid:       activeKid,
+      vct:       spec.vct,
+      subject:   spec.subject || null,
+      disclosed: (spec.selectivelyDisclosed || []).length,
+    });
+    _emitMetric("issued");
+    return issued;
+  }
+
+  function rotateKey(newKey) {
+    if (!newKey || typeof newKey !== "object" ||
+        typeof newKey.kid !== "string" || !newKey.privateKey) {
+      throw new AuthError("auth-sd-jwt-vc/bad-key",
+        "rotateKey: must pass { kid, privateKey, algorithm? }");
+    }
+    keysByKid[newKey.kid] = newKey;
+    activeKid = newKey.kid;
+    stats.keysRotated += 1;
+    _emitAudit("auth.sdJwtVc.key_rotated", "success", {
+      newKid: newKey.kid,
+    });
+    _emitMetric("key_rotated");
+  }
+
+  function listKids() { return Object.keys(keysByKid); }
+
+  function statsSnapshot() {
+    return {
+      issued:       stats.issued,
+      lastIssuedAt: stats.lastIssuedAt,
+      keysRotated:  stats.keysRotated,
+      activeKid:    activeKid,
+      kids:         listKids(),
+    };
+  }
+
+  return {
+    issue:      issue,
+    rotateKey:  rotateKey,
+    listKids:   listKids,
+    stats:      statsSnapshot,
+    issuerUrl:  opts.issuerUrl,
+  };
+}
+
+module.exports = {
+  create: create,
+};

package/lib/auth/sd-jwt-vc.js

@@ -0,0 +1,526 @@
+"use strict";
+/**
+ * b.auth.sdJwtVc — Selective Disclosure JWT for Verifiable Credentials
+ * (draft-ietf-oauth-sd-jwt-vc).
+ *
+ * SD-JWT VC is the IETF format aligned with the EU Digital Identity
+ * Wallet (EUDI Wallet) roll-out and the EU AI Act Article 50
+ * disclosure requirements. It allows an issuer to mint a credential
+ * containing selectively-disclosable claims; the holder presents only
+ * the subset they choose to a verifier; the verifier validates the
+ * issuer signature + the cryptographic binding between disclosures
+ * and the issuer's `_sd` digest array.
+ *
+ *   // Issuer side
+ *   var sdJwt = b.auth.sdJwtVc.issue({
+ *     issuer:        "https://issuer.example.com",
+ *     subject:       "did:web:alice.example.com",
+ *     vct:           "https://credentials.example.com/identity_credential",
+ *     claims: {
+ *       given_name:    "Alice",
+ *       family_name:   "Smith",
+ *       birthdate:     "1990-01-15",
+ *       nationality:   "US",
+ *     },
+ *     selectivelyDisclosed: ["given_name", "family_name", "birthdate"],
+ *     issuerKey:     issuerPrivKeyPem,
+ *     algorithm:     "ES256",
+ *     ttlMs:         C.TIME.days(30),
+ *     holderKey:     holderPubJwk,           // optional cnf binding
+ *   });
+ *
+ *   // Holder presents subset
+ *   var presentation = b.auth.sdJwtVc.present({
+ *     sdJwt:               sdJwt.token,
+ *     disclosedClaimNames: ["given_name"],     // selective release
+ *     audience:            "https://verifier.example.com",
+ *     nonce:               nonceFromVerifier,
+ *     holderKey:           holderPrivKeyPem,    // for KB-JWT signing
+ *     algorithm:           "ES256",
+ *   });
+ *
+ *   // Verifier validates
+ *   var result = await b.auth.sdJwtVc.verify(presentation, {
+ *     issuerKeyResolver: async function (header) { return issuerPubKeyPem; },
+ *     audience:          "https://verifier.example.com",
+ *     nonce:              nonceForReplayDefense,
+ *   });
+ *   // → { valid: true, claims: { vct, given_name }, holderKey, kbValidated }
+ *
+ * Supported signature algorithms (issuer + KB-JWT):
+ *   - ES256 (ECDSA + P-256 + SHA-256)         — default per spec
+ *   - ES384 (ECDSA + P-384 + SHA-384)
+ *   - EdDSA (Ed25519)
+ *   - ML-DSA-87 (PQC; framework's default)    — draft IETF allocation
+ *   - ML-DSA-65 (PQC; lighter)
+ *
+ * Hash algorithm for `_sd` digests: SHA-256 (spec default). Operators
+ * with PQC strict deployments specify "sha3-256" or "sha-512" via
+ * opts.hashAlg at issue time; verify() reads `_sd_alg` from the
+ * issuer payload to know how to recompute digests.
+ */
+
+var nodeCrypto = require("node:crypto");
+var safeBuffer = require("../safe-buffer");
+var safeJson = require("../safe-json");
+var validateOpts = require("../validate-opts");
+var disclosure = require("./sd-jwt-vc-disclosure");
+var sdJwtVcIssuer = require("./sd-jwt-vc-issuer");
+var sdJwtVcHolder = require("./sd-jwt-vc-holder");
+var { AuthError } = require("../framework-error");
+
+var SUPPORTED_ALGS = Object.freeze([
+  "ES256", "ES384", "EdDSA", "ML-DSA-87", "ML-DSA-65",
+]);
+
+var SUPPORTED_HASH_ALGS = Object.freeze({
+  "sha-256":  "sha256",
+  "sha-512":  "sha512",
+  "sha3-256": "sha3-256",
+  "sha3-512": "sha3-512",
+});
+
+var DEFAULT_ALG = "ES256";
+var DEFAULT_HASH_ALG = "sha-256";
+
+function _b64uEncode(str) {
+  return Buffer.from(str, "utf8").toString("base64url");
+}
+
+function _b64uEncodeBuf(buf) {
+  return buf.toString("base64url");
+}
+
+function _b64uDecodeStr(s) {
+  return Buffer.from(s, "base64url").toString("utf8");
+}
+
+function _b64uDecodeBuf(s) {
+  return Buffer.from(s, "base64url");
+}
+
+function _hashDisclosure(disclosureStr, hashAlg) {
+  var nodeAlg = SUPPORTED_HASH_ALGS[hashAlg];
+  if (!nodeAlg) {
+    throw new AuthError("auth-sd-jwt-vc/bad-hash",
+      "Unsupported hash algorithm: " + hashAlg);
+  }
+  var h = nodeCrypto.createHash(nodeAlg);
+  h.update(disclosureStr, "ascii");
+  return h.digest().toString("base64url");
+}
+
+function _signJwt(header, payload, privateKey, algorithm) {
+  var headerStr = _b64uEncode(safeJson.stringify(header));
+  var payloadStr = _b64uEncode(safeJson.stringify(payload));
+  var signingInput = headerStr + "." + payloadStr;
+  var sigAlgo = _resolveSigAlgo(algorithm);
+  var sig = nodeCrypto.sign(sigAlgo, Buffer.from(signingInput, "ascii"), privateKey);
+  return signingInput + "." + sig.toString("base64url");
+}
+
+function _verifyJwt(token, publicKey, algorithm) {
+  var parts = token.split(".");
+  if (parts.length !== 3) {
+    throw new AuthError("auth-sd-jwt-vc/malformed-jwt",
+      "JWT must have 3 dot-separated parts");
+  }
+  var signingInput = parts[0] + "." + parts[1];
+  var sig = _b64uDecodeBuf(parts[2]);
+  var sigAlgo = _resolveSigAlgo(algorithm);
+  var ok = nodeCrypto.verify(sigAlgo, Buffer.from(signingInput, "ascii"), publicKey, sig);
+  if (!ok) {
+    throw new AuthError("auth-sd-jwt-vc/bad-signature",
+      "JWT signature verification failed");
+  }
+  var headerStr = _b64uDecodeStr(parts[0]);
+  var payloadStr = _b64uDecodeStr(parts[1]);
+  return {
+    header:  safeJson.parse(headerStr, { maxBytes: 64 * 1024 }),                    // allow:bare-json-parse — header from cryptographically-verified JWT; signature verifies the bytes // allow:raw-byte-literal — JWT header cap (64 KB)
+    payload: safeJson.parse(payloadStr, { maxBytes: 1024 * 1024 }),                 // allow:bare-json-parse — payload from cryptographically-verified JWT; signature verifies the bytes // allow:raw-byte-literal — JWT payload cap (1 MB)
+  };
+}
+
+function _resolveSigAlgo(algorithm) {
+  // Node 24+ accepts these algorithm hints; ES256 / ES384 use the
+  // EC private key's curve to dispatch. EdDSA + ML-DSA-* are
+  // signature-algorithm hints handled directly by Node.js crypto.
+  switch (algorithm) {
+    case "ES256":      return "sha256";
+    case "ES384":      return "sha384";
+    case "EdDSA":      return null;       // pass-through, Node infers
+    case "ML-DSA-87":  return null;
+    case "ML-DSA-65":  return null;
+    default:
+      throw new AuthError("auth-sd-jwt-vc/unsupported-alg",
+        "Unsupported algorithm: " + algorithm);
+  }
+}
+
+// ---- issue ----
+
+function issue(opts) {
+  validateOpts.requireObject(opts, "auth.sdJwtVc.issue", AuthError);
+  validateOpts(opts, [
+    "issuer", "subject", "vct", "claims",
+    "selectivelyDisclosed", "issuerKey", "algorithm",
+    "hashAlg", "ttlMs", "issuedAt",
+    "holderKey", "extraHeader",
+  ], "auth.sdJwtVc.issue");
+
+  validateOpts.requireNonEmptyString(opts.issuer,
+    "issue: issuer", AuthError, "auth-sd-jwt-vc/bad-opts");
+  validateOpts.requireNonEmptyString(opts.vct,
+    "issue: vct", AuthError, "auth-sd-jwt-vc/bad-opts");
+  if (!opts.claims || typeof opts.claims !== "object" || Array.isArray(opts.claims)) {
+    throw new AuthError("auth-sd-jwt-vc/bad-opts",
+      "issue: claims must be a plain object");
+  }
+
+  var algorithm = opts.algorithm || DEFAULT_ALG;
+  if (SUPPORTED_ALGS.indexOf(algorithm) === -1) {
+    throw new AuthError("auth-sd-jwt-vc/unsupported-alg",
+      "issue: algorithm must be one of " + SUPPORTED_ALGS.join(", "));
+  }
+  var hashAlg = opts.hashAlg || DEFAULT_HASH_ALG;
+  if (!SUPPORTED_HASH_ALGS[hashAlg]) {
+    throw new AuthError("auth-sd-jwt-vc/bad-hash",
+      "issue: hashAlg must be one of " + Object.keys(SUPPORTED_HASH_ALGS).join(", "));
+  }
+
+  if (!opts.issuerKey) {
+    throw new AuthError("auth-sd-jwt-vc/no-key", "issue: issuerKey required");
+  }
+
+  var sdNames = Array.isArray(opts.selectivelyDisclosed)
+    ? opts.selectivelyDisclosed.slice() : [];
+  var unknownSdNames = sdNames.filter(function (n) {
+    return !(n in opts.claims);
+  });
+  if (unknownSdNames.length > 0) {
+    throw new AuthError("auth-sd-jwt-vc/unknown-claim",
+      "issue: selectivelyDisclosed includes claim(s) not present in claims: " +
+      unknownSdNames.join(", "));
+  }
+
+  // Build disclosures + digest array
+  var disclosures = [];
+  var sdDigests = [];
+  var plainClaims = {};
+  var allClaimNames = Object.keys(opts.claims);
+  for (var i = 0; i < allClaimNames.length; i++) {
+    var name = allClaimNames[i];
+    var value = opts.claims[name];
+    if (sdNames.indexOf(name) !== -1) {
+      var d = disclosure.encode(name, value);
+      disclosures.push(d);
+      sdDigests.push(_hashDisclosure(d, hashAlg));
+    } else {
+      plainClaims[name] = value;
+    }
+  }
+  // Spec: shuffle digests so order doesn't leak claim order
+  sdDigests.sort();
+
+  var now = (typeof opts.issuedAt === "number" && isFinite(opts.issuedAt))
+    ? Math.floor(opts.issuedAt / 1000) : Math.floor(Date.now() / 1000);             // allow:raw-byte-literal — ms→s conversion factor
+  var ttlSec = opts.ttlMs ? Math.floor(opts.ttlMs / 1000) : 30 * 24 * 60 * 60;       // allow:raw-byte-literal — ms→s conversion + 30-day default in seconds
+
+  var payload = Object.assign({}, plainClaims, {
+    iss:       opts.issuer,
+    iat:       now,
+    exp:       now + ttlSec,
+    vct:       opts.vct,
+    _sd:       sdDigests,
+    _sd_alg:   hashAlg,
+  });
+  if (opts.subject) payload.sub = opts.subject;
+  if (opts.holderKey) {
+    // Holder binding via cnf claim per draft §4.2.2
+    if (typeof opts.holderKey !== "object" || !opts.holderKey.kty) {
+      throw new AuthError("auth-sd-jwt-vc/bad-cnf",
+        "issue: holderKey must be a JWK with kty");
+    }
+    payload.cnf = { jwk: opts.holderKey };
+  }
+  var header = Object.assign({}, opts.extraHeader || {}, {
+    alg: algorithm,
+    typ: "vc+sd-jwt",
+  });
+
+  var jwt = _signJwt(header, payload, opts.issuerKey, algorithm);
+  var token = jwt + "~" + disclosures.join("~") + "~";
+  return {
+    token:        token,
+    jwt:          jwt,
+    disclosures:  disclosures,
+    payload:      payload,
+    header:       header,
+  };
+}
+
+// ---- present (holder side) ----
+
+function present(opts) {
+  validateOpts.requireObject(opts, "auth.sdJwtVc.present", AuthError);
+  validateOpts(opts, [
+    "sdJwt", "disclosedClaimNames", "audience",
+    "nonce", "holderKey", "algorithm", "issuedAt",
+  ], "auth.sdJwtVc.present");
+
+  validateOpts.requireNonEmptyString(opts.sdJwt,
+    "present: sdJwt", AuthError, "auth-sd-jwt-vc/no-token");
+  var parts = opts.sdJwt.split("~");
+  if (parts.length < 2) {
+    throw new AuthError("auth-sd-jwt-vc/malformed",
+      "present: sdJwt must contain at least one ~-separator");
+  }
+  var jwt = parts[0];
+  var allDisclosures = parts.slice(1).filter(function (p) { return p.length > 0; });
+
+  // Decode disclosures + filter by name
+  var disclosedNames = Array.isArray(opts.disclosedClaimNames)
+    ? opts.disclosedClaimNames.slice() : [];
+  var releasedDisclosures = [];
+  for (var i = 0; i < allDisclosures.length; i++) {
+    try {
+      var decoded = disclosure.decode(allDisclosures[i]);
+      if (decoded && disclosedNames.indexOf(decoded.name) !== -1) {
+        releasedDisclosures.push(allDisclosures[i]);
+      }
+    } catch (_e) { /* malformed — skip */ }
+  }
+
+  // Build presentation
+  var presentation = jwt + "~";
+  if (releasedDisclosures.length > 0) {
+    presentation += releasedDisclosures.join("~") + "~";
+  }
+
+  // Optional Key Binding JWT
+  if (opts.audience && opts.nonce && opts.holderKey) {
+    var algorithm = opts.algorithm || DEFAULT_ALG;
+    if (SUPPORTED_ALGS.indexOf(algorithm) === -1) {
+      throw new AuthError("auth-sd-jwt-vc/unsupported-alg",
+        "present: algorithm must be one of " + SUPPORTED_ALGS.join(", "));
+    }
+    var now = (typeof opts.issuedAt === "number" && isFinite(opts.issuedAt))
+      ? Math.floor(opts.issuedAt / 1000) : Math.floor(Date.now() / 1000);           // allow:raw-byte-literal — ms→s conversion factor
+    // The KB-JWT's hash binds it to the specific SD-JWT + presentation
+    var kbHashInput = presentation;     // jwt~d1~d2~ (without KB)
+    var sdHash = nodeCrypto.createHash("sha256")
+                           .update(kbHashInput, "ascii")
+                           .digest()
+                           .toString("base64url");
+    var kbPayload = {
+      nonce:    opts.nonce,
+      aud:      opts.audience,
+      iat:      now,
+      sd_hash:  sdHash,
+    };
+    var kbHeader = { alg: algorithm, typ: "kb+jwt" };
+    var kbJwt = _signJwt(kbHeader, kbPayload, opts.holderKey, algorithm);
+    presentation += kbJwt;
+  }
+
+  return {
+    presentation: presentation,
+    jwt:          jwt,
+    disclosures:  releasedDisclosures,
+  };
+}
+
+// ---- verify ----
+
+async function verify(presentation, opts) {
+  validateOpts.requireObject(opts, "auth.sdJwtVc.verify", AuthError);
+  validateOpts(opts, [
+    "issuerKeyResolver", "audience", "nonce",
+    "now", "expectedVct", "maxClockSkewSec",
+    "requireKeyBinding",
+  ], "auth.sdJwtVc.verify");
+
+  if (typeof presentation !== "string" || presentation.length === 0) {
+    throw new AuthError("auth-sd-jwt-vc/no-token",
+      "verify: presentation must be a non-empty string");
+  }
+  if (typeof opts.issuerKeyResolver !== "function") {
+    throw new AuthError("auth-sd-jwt-vc/no-resolver",
+      "verify: issuerKeyResolver must be an async function");
+  }
+  var parts = presentation.split("~");
+  if (parts.length < 2) {
+    throw new AuthError("auth-sd-jwt-vc/malformed",
+      "verify: presentation must contain at least one ~-separator");
+  }
+  var jwt = parts[0];
+  // Last part is empty (trailing ~) or KB-JWT (3-dot-separated)
+  var maybeKbJwt = null;
+  var lastPart = parts[parts.length - 1];
+  if (lastPart && lastPart.split(".").length === 3) {
+    maybeKbJwt = lastPart;
+  }
+  var disclosureParts = parts.slice(1, parts.length - (maybeKbJwt ? 1 : 0))
+                             .filter(function (p) { return p.length > 0; });
+
+  // 1. Verify issuer JWT signature
+  var jwtParts = jwt.split(".");
+  if (jwtParts.length !== 3) {
+    throw new AuthError("auth-sd-jwt-vc/malformed-jwt",
+      "verify: JWT must have 3 dot-separated parts");
+  }
+  var headerObj;
+  try { headerObj = safeJson.parse(_b64uDecodeStr(jwtParts[0]), { maxBytes: 64 * 1024 }); }  // allow:bare-json-parse — pre-verify header parse to look up the key resolver; checked again post-signature // allow:raw-byte-literal — JWT header cap (64 KB)
+  catch (e) {
+    throw new AuthError("auth-sd-jwt-vc/bad-header",
+      "verify: malformed JWT header: " + e.message);
+  }
+  var alg = headerObj.alg;
+  if (SUPPORTED_ALGS.indexOf(alg) === -1) {
+    throw new AuthError("auth-sd-jwt-vc/unsupported-alg",
+      "verify: header alg \"" + alg + "\" not in supported set");
+  }
+  var typ = headerObj.typ;
+  if (typ && typ !== "vc+sd-jwt" && typ !== "JWT") {
+    throw new AuthError("auth-sd-jwt-vc/bad-typ",
+      "verify: header typ must be \"vc+sd-jwt\" (got \"" + typ + "\")");
+  }
+
+  var issuerKey = await opts.issuerKeyResolver(headerObj);
+  if (!issuerKey) {
+    throw new AuthError("auth-sd-jwt-vc/key-not-found",
+      "verify: issuerKeyResolver returned no key");
+  }
+  var jwtParsed = _verifyJwt(jwt, issuerKey, alg);
+
+  // 2. Validate iss / iat / exp / vct
+  var nowSec = (typeof opts.now === "number" && isFinite(opts.now))
+    ? Math.floor(opts.now / 1000) : Math.floor(Date.now() / 1000);                  // allow:raw-byte-literal — ms→s conversion factor
+  var skew = (typeof opts.maxClockSkewSec === "number") ? opts.maxClockSkewSec : 60; // allow:raw-time-literal — default 60s clock-skew tolerance
+  if (typeof jwtParsed.payload.iat === "number" && jwtParsed.payload.iat > nowSec + skew) {
+    throw new AuthError("auth-sd-jwt-vc/iat-future",
+      "verify: iat is in the future (clock skew?)");
+  }
+  if (typeof jwtParsed.payload.exp === "number" && jwtParsed.payload.exp < nowSec - skew) {
+    throw new AuthError("auth-sd-jwt-vc/expired",
+      "verify: token is expired");
+  }
+  if (opts.expectedVct && jwtParsed.payload.vct !== opts.expectedVct) {
+    throw new AuthError("auth-sd-jwt-vc/wrong-vct",
+      "verify: vct mismatch (got \"" + jwtParsed.payload.vct +
+      "\", expected \"" + opts.expectedVct + "\")");
+  }
+
+  // 3. Reconstruct disclosed claims from disclosures
+  var hashAlg = jwtParsed.payload._sd_alg || DEFAULT_HASH_ALG;
+  if (!SUPPORTED_HASH_ALGS[hashAlg]) {
+    throw new AuthError("auth-sd-jwt-vc/bad-hash",
+      "verify: _sd_alg \"" + hashAlg + "\" not supported");
+  }
+  var sdDigests = Array.isArray(jwtParsed.payload._sd) ? jwtParsed.payload._sd : [];
+  var disclosedClaims = {};
+  for (var i = 0; i < disclosureParts.length; i++) {
+    var d = disclosure.decode(disclosureParts[i]);
+    if (!d) continue;
+    var digest = _hashDisclosure(disclosureParts[i], hashAlg);
+    if (sdDigests.indexOf(digest) === -1) {
+      throw new AuthError("auth-sd-jwt-vc/disclosure-mismatch",
+        "verify: disclosure for claim \"" + d.name + "\" does not match any _sd digest");
+    }
+    disclosedClaims[d.name] = d.value;
+  }
+
+  // 4. Optionally verify Key Binding JWT
+  var kbValidated = false;
+  var holderKey = null;
+  if (jwtParsed.payload.cnf && jwtParsed.payload.cnf.jwk) {
+    holderKey = jwtParsed.payload.cnf.jwk;
+  }
+  if (maybeKbJwt) {
+    if (!holderKey) {
+      throw new AuthError("auth-sd-jwt-vc/no-cnf",
+        "verify: KB-JWT present but issuer payload has no cnf.jwk");
+    }
+    // Verify KB-JWT signature
+    var kbHeaderObj;
+    try { kbHeaderObj = safeJson.parse(_b64uDecodeStr(maybeKbJwt.split(".")[0]), { maxBytes: 4096 }); }  // allow:bare-json-parse — kb header from validated KB-JWT; signature verifies // allow:raw-byte-literal — kb-header cap (4 KB)
+    catch (e) {
+      throw new AuthError("auth-sd-jwt-vc/bad-kb-header",
+        "verify: malformed KB-JWT header: " + e.message);
+    }
+    if (kbHeaderObj.typ !== "kb+jwt") {
+      throw new AuthError("auth-sd-jwt-vc/bad-kb-typ",
+        "verify: KB-JWT typ must be \"kb+jwt\"");
+    }
+    var kbAlg = kbHeaderObj.alg;
+    if (SUPPORTED_ALGS.indexOf(kbAlg) === -1) {
+      throw new AuthError("auth-sd-jwt-vc/unsupported-alg",
+        "verify: KB-JWT alg unsupported");
+    }
+    var holderKeyObj = nodeCrypto.createPublicKey({ key: holderKey, format: "jwk" });
+    var kbParsed = _verifyJwt(maybeKbJwt, holderKeyObj, kbAlg);
+    if (opts.audience && kbParsed.payload.aud !== opts.audience) {
+      throw new AuthError("auth-sd-jwt-vc/wrong-audience",
+        "verify: KB-JWT aud mismatch");
+    }
+    if (opts.nonce && kbParsed.payload.nonce !== opts.nonce) {
+      throw new AuthError("auth-sd-jwt-vc/wrong-nonce",
+        "verify: KB-JWT nonce mismatch (replay defense)");
+    }
+    // Validate KB-JWT sd_hash matches the presentation
+    var kbHashInput = jwt + "~";
+    if (disclosureParts.length > 0) kbHashInput += disclosureParts.join("~") + "~";
+    var expectedSdHash = nodeCrypto.createHash("sha256")
+                                   .update(kbHashInput, "ascii")
+                                   .digest()
+                                   .toString("base64url");
+    if (kbParsed.payload.sd_hash !== expectedSdHash) {
+      throw new AuthError("auth-sd-jwt-vc/sd-hash-mismatch",
+        "verify: KB-JWT sd_hash does not match the presentation hash (presentation tampered with?)");
+    }
+    if (typeof kbParsed.payload.iat === "number" && kbParsed.payload.iat > nowSec + skew) {
+      throw new AuthError("auth-sd-jwt-vc/kb-iat-future",
+        "verify: KB-JWT iat is in the future");
+    }
+    kbValidated = true;
+  } else if (opts.requireKeyBinding) {
+    throw new AuthError("auth-sd-jwt-vc/missing-kb",
+      "verify: KB-JWT required (requireKeyBinding=true) but not present");
+  }
+
+  // 5. Build the resolved-claim set (issuer claims + disclosed)
+  var resolved = Object.assign({}, jwtParsed.payload);
+  delete resolved._sd;
+  delete resolved._sd_alg;
+  Object.keys(disclosedClaims).forEach(function (k) {
+    resolved[k] = disclosedClaims[k];
+  });
+
+  return {
+    valid:           true,
+    claims:          resolved,
+    disclosedClaims: disclosedClaims,
+    issuerHeader:    jwtParsed.header,
+    issuerPayload:   jwtParsed.payload,
+    holderKey:       holderKey,
+    kbValidated:     kbValidated,
+  };
+}
+
+module.exports = {
+  issue:               issue,
+  present:             present,
+  verify:              verify,
+  disclosure:          disclosure,
+  issuer:              sdJwtVcIssuer,
+  holder:              sdJwtVcHolder,
+  SUPPORTED_ALGS:      SUPPORTED_ALGS,
+  SUPPORTED_HASH_ALGS: Object.freeze(Object.keys(SUPPORTED_HASH_ALGS)),
+  DEFAULT_ALG:         DEFAULT_ALG,
+  DEFAULT_HASH_ALG:    DEFAULT_HASH_ALG,
+  // Test hooks
+  _hashDisclosure:     _hashDisclosure,
+  // unused-token tag so safeBuffer module isn't dropped from the
+  // bundle — we keep it imported for future signature-input bound checks.
+  _safeBufferRef:      safeBuffer,
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@blamejs/core",
-  "version": "0.7.106",
+  "version": "0.7.107",
   "description": "The Node framework that owns its stack.",
   "license": "Apache-2.0",
   "author": "blamejs contributors",

package/sbom.cyclonedx.json

@@ -2,10 +2,10 @@
   "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
   "bomFormat": "CycloneDX",
   "specVersion": "1.5",
-  "serialNumber": "urn:uuid:7d9604c0-8d11-4b2c-bc59-69f6fcf1acf6",
+  "serialNumber": "urn:uuid:31469bcd-ab0f-4150-bfe2-c7d79a72a1c7",
   "version": 1,
   "metadata": {
-    "timestamp": "2026-05-06T11:52:08.561Z",
+    "timestamp": "2026-05-06T12:31:16.570Z",
     "lifecycles": [
       {
         "phase": "build"
@@ -19,14 +19,14 @@
       }
     ],
     "component": {
-      "bom-ref": "@blamejs/core@0.7.106",
+      "bom-ref": "@blamejs/core@0.7.107",
       "type": "library",
       "name": "blamejs",
-      "version": "0.7.106",
+      "version": "0.7.107",
       "scope": "required",
       "author": "blamejs contributors",
       "description": "The Node framework that owns its stack.",
-      "purl": "pkg:npm/%40blamejs/core@0.7.106",
+      "purl": "pkg:npm/%40blamejs/core@0.7.107",
       "properties": [],
       "externalReferences": [
         {
@@ -54,7 +54,7 @@
   "components": [],
   "dependencies": [
     {
-      "ref": "@blamejs/core@0.7.106",
+      "ref": "@blamejs/core@0.7.107",
       "dependsOn": []
     }
   ]