@civiwave/vineyard-id 0.1.1

package/dist/index.cjs

@@ -0,0 +1,277 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  authenticate: () => authenticate,
+  constructMessage: () => constructMessage,
+  extractNetworkId: () => extractNetworkId,
+  generateChallenge: () => generateChallenge,
+  issueToken: () => issueToken,
+  requestChallenge: () => requestChallenge,
+  signChallenge: () => signChallenge,
+  validateToken: () => validateToken,
+  validateTokenLite: () => validateTokenLite,
+  verifyDIDSignature: () => verifyDIDSignature
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/challenge.ts
+var import_crypto = __toESM(require("crypto"), 1);
+var DEFAULT_TTL_SECONDS = 300;
+function generateChallenge(did, ttlSeconds = DEFAULT_TTL_SECONDS) {
+  const nonce = import_crypto.default.randomBytes(32).toString("hex");
+  const expiresAt = Date.now() + ttlSeconds * 1e3;
+  return { nonce, expiresAt, did };
+}
+function extractNetworkId(did) {
+  const parts = did.split(":");
+  if (parts.length < 4 || parts[0] !== "did" || parts[1] !== "vineyard") {
+    throw new Error(`Invalid did:vineyard format: ${did}`);
+  }
+  return parts[2];
+}
+function constructMessage(nonce, timestamp, origin, network = "0") {
+  return JSON.stringify({
+    domain: "civiwave:did:auth-challenge",
+    network,
+    nonce,
+    timestamp,
+    origin
+  });
+}
+
+// src/verify.ts
+var import_util_crypto = require("@polkadot/util-crypto");
+var import_util = require("@polkadot/util");
+var DEFAULT_RESOLVER_ENDPOINT = "http://localhost:8080";
+function decodePublicKeyMultibase(multibase) {
+  if (!multibase.startsWith("z")) {
+    throw new Error("Only base58btc (z-prefix) multibase is supported");
+  }
+  const encoded = multibase.slice(1);
+  const alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+  let num = BigInt(0);
+  for (const char of encoded) {
+    const idx = alphabet.indexOf(char);
+    if (idx === -1) throw new Error(`Invalid base58 character: ${char}`);
+    num = num * BigInt(58) + BigInt(idx);
+  }
+  const hex = num.toString(16).padStart(2, "0");
+  const bytes = new Uint8Array(
+    (hex.length % 2 === 0 ? hex : "0" + hex).match(/.{2}/g).map((b) => parseInt(b, 16))
+  );
+  const rawKey = bytes.slice(2);
+  return (0, import_util.u8aToHex)(rawKey);
+}
+async function resolveViaHttp(did, resolverEndpoint) {
+  const url = `${resolverEndpoint}/1.0/identifiers/${encodeURIComponent(did)}`;
+  const response = await fetch(url, {
+    headers: { Accept: "application/did+ld+json" }
+  });
+  if (!response.ok) {
+    return {
+      didDocument: null,
+      didResolutionMetadata: { error: "notFound" }
+    };
+  }
+  return await response.json();
+}
+function extractPublicKey(didDocument) {
+  if (!didDocument?.verificationMethod?.length) {
+    return null;
+  }
+  for (const vm of didDocument.verificationMethod) {
+    if (vm.publicKeyMultibase) {
+      const publicKeyHex = decodePublicKeyMultibase(vm.publicKeyMultibase);
+      return { publicKeyHex, keyType: vm.type };
+    }
+  }
+  return null;
+}
+async function verifyDIDSignature(request, resolverEndpoint = DEFAULT_RESOLVER_ENDPOINT) {
+  try {
+    const resolution = await resolveViaHttp(request.did, resolverEndpoint);
+    if (resolution.didResolutionMetadata.error || !resolution.didDocument) {
+      return { valid: false };
+    }
+    const keyInfo = extractPublicKey(resolution.didDocument);
+    if (!keyInfo) {
+      return { valid: false };
+    }
+    const network = extractNetworkId(request.did);
+    const message = constructMessage(
+      request.nonce,
+      request.timestamp,
+      request.origin,
+      network
+    );
+    const messageU8a = (0, import_util.stringToU8a)(message);
+    const result = (0, import_util_crypto.signatureVerify)(
+      messageU8a,
+      request.signature,
+      keyInfo.publicKeyHex
+    );
+    return {
+      valid: result.isValid,
+      publicKey: keyInfo.publicKeyHex,
+      keyType: keyInfo.keyType
+    };
+  } catch (error) {
+    console.error("[did-auth] Signature verification error:", error);
+    return { valid: false };
+  }
+}
+
+// src/session.ts
+var import_jsonwebtoken = __toESM(require("jsonwebtoken"), 1);
+var DEFAULT_EXPIRES_IN = "7d";
+function issueToken(did, ss58, tier, secret, expiresIn = DEFAULT_EXPIRES_IN) {
+  return import_jsonwebtoken.default.sign(
+    {
+      sub: did,
+      ss58,
+      tier
+    },
+    secret,
+    { expiresIn }
+  );
+}
+function validateToken(token, secret) {
+  try {
+    const payload = import_jsonwebtoken.default.verify(token, secret);
+    if (!payload.sub || !payload.ss58) {
+      return null;
+    }
+    return {
+      did: payload.sub,
+      ss58: payload.ss58,
+      tier: payload.tier || "member",
+      iat: payload.iat ?? 0,
+      exp: payload.exp ?? 0
+    };
+  } catch {
+    return null;
+  }
+}
+function validateTokenLite(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payload = JSON.parse(
+      Buffer.from(parts[1], "base64url").toString("utf-8")
+    );
+    if (!payload.sub || !payload.ss58) return null;
+    if (payload.exp && payload.exp * 1e3 < Date.now()) return null;
+    return {
+      did: payload.sub,
+      ss58: payload.ss58,
+      tier: payload.tier || "member",
+      iat: payload.iat ?? 0,
+      exp: payload.exp ?? 0
+    };
+  } catch {
+    return null;
+  }
+}
+
+// src/client.ts
+async function requestChallenge(serverUrl, did) {
+  const response = await fetch(`${serverUrl}/auth/did/challenge`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ did })
+  });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({ error: "Challenge request failed" }));
+    throw new Error(error.error || "Challenge request failed");
+  }
+  const data = await response.json();
+  return {
+    nonce: data.nonce,
+    expiresAt: data.expiresAt,
+    did
+  };
+}
+async function signChallenge(nonce, timestamp, origin, signer, address, network = "0") {
+  if (!signer.signRaw) {
+    throw new Error("Signer does not support signRaw");
+  }
+  const message = constructMessage(nonce, timestamp, origin, network);
+  const result = await signer.signRaw({
+    address,
+    data: message,
+    type: "bytes"
+  });
+  return { signature: result.signature };
+}
+async function authenticate(serverUrl, did, signer, address) {
+  const challenge = await requestChallenge(serverUrl, did);
+  const timestamp = Date.now();
+  const origin = typeof window !== "undefined" ? window.location.origin : "";
+  const network = extractNetworkId(did);
+  const { signature } = await signChallenge(
+    challenge.nonce,
+    timestamp,
+    origin,
+    signer,
+    address,
+    network
+  );
+  const response = await fetch(`${serverUrl}/auth/did/verify`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      did,
+      nonce: challenge.nonce,
+      signature,
+      timestamp,
+      origin
+    })
+  });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({ error: "Verification failed" }));
+    throw new Error(error.error || "DID authentication failed");
+  }
+  return await response.json();
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  authenticate,
+  constructMessage,
+  extractNetworkId,
+  generateChallenge,
+  issueToken,
+  requestChallenge,
+  signChallenge,
+  validateToken,
+  validateTokenLite,
+  verifyDIDSignature
+});

package/dist/index.d.cts

@@ -0,0 +1,208 @@
+/**
+ * DID Authentication types for the sign-in-with-DID protocol.
+ */
+/** A challenge issued to a DID holder for authentication. */
+interface DIDChallenge {
+    nonce: string;
+    expiresAt: number;
+    did: string;
+}
+/** A signed authentication request from the client. */
+interface DIDAuthRequest {
+    did: string;
+    nonce: string;
+    signature: string;
+    timestamp: number;
+    origin: string;
+}
+/** A validated DID session stored in a JWT. */
+interface DIDSession {
+    did: string;
+    ss58: string;
+    tier: string;
+    iat: number;
+    exp: number;
+}
+/** Result of DID signature verification. */
+interface DIDVerifyResult {
+    valid: boolean;
+    publicKey?: string;
+    keyType?: string;
+}
+/** Minimal DID Document shape needed for verification. */
+interface DIDDocumentLike {
+    id: string;
+    verificationMethod?: Array<{
+        id: string;
+        type: string;
+        controller: string;
+        publicKeyMultibase?: string;
+    }>;
+}
+/** DID resolution result shape (subset of DIF Universal Resolver). */
+interface DIDResolutionResultLike {
+    didDocument: DIDDocumentLike | null;
+    didResolutionMetadata: {
+        error?: string;
+    };
+}
+
+/**
+ * Challenge generation and message construction for DID auth.
+ */
+
+/**
+ * Generate a cryptographic challenge for DID authentication.
+ *
+ * @param did - The DID requesting authentication
+ * @param ttlSeconds - Challenge time-to-live in seconds (default: 300)
+ * @returns A DIDChallenge with a random nonce and expiration timestamp
+ */
+declare function generateChallenge(did: string, ttlSeconds?: number): DIDChallenge;
+/**
+ * Extract the network ID from a did:vineyard DID.
+ * Format: did:vineyard:<networkId>:<ss58Address>
+ *
+ * @param did - A did:vineyard DID string
+ * @returns The network ID string (e.g., "0" for devnet, "1" for mainnet)
+ */
+declare function extractNetworkId(did: string): string;
+/**
+ * Construct the canonical message to be signed by the wallet.
+ *
+ * The message is a JSON string with domain separation to prevent
+ * signature replay across different protocols and chains. The network
+ * field binds the signature to a specific chain (devnet/testnet/mainnet),
+ * preventing cross-chain replay attacks.
+ *
+ * @param nonce - The challenge nonce
+ * @param timestamp - Client-provided timestamp
+ * @param origin - The requesting origin (e.g., "https://axis.civiwave.network")
+ * @param network - Chain network ID from the DID (e.g., "0" for devnet)
+ * @returns The canonical message string to be signed
+ */
+declare function constructMessage(nonce: string, timestamp: number, origin: string, network?: string): string;
+
+/**
+ * DID signature verification for authentication.
+ *
+ * Resolves the DID to obtain the public key, then verifies the signature
+ * against the constructed message using @polkadot/util-crypto.
+ */
+
+/**
+ * Verify a DID authentication signature.
+ *
+ * 1. Resolves the DID to obtain the public key
+ * 2. Constructs the canonical message from the request parameters
+ * 3. Verifies the signature using @polkadot/util-crypto signatureVerify
+ *
+ * @param request - The authentication request containing DID, nonce, signature, etc.
+ * @param resolverEndpoint - Optional HTTP resolver endpoint URL
+ * @returns Verification result with validity flag and key info
+ */
+declare function verifyDIDSignature(request: DIDAuthRequest, resolverEndpoint?: string): Promise<DIDVerifyResult>;
+
+/**
+ * JWT session management for DID authentication.
+ *
+ * Issues and validates JWTs containing DID session information.
+ */
+
+/**
+ * Issue a JWT token for an authenticated DID session.
+ *
+ * @param did - The authenticated DID (e.g., "did:vineyard:0:<ss58>")
+ * @param ss58 - The SS58 address extracted from the DID
+ * @param tier - The user's tier/role (e.g., "member", "validator")
+ * @param secret - JWT signing secret (from DID_AUTH_SECRET env var)
+ * @param expiresIn - JWT expiration (default: "7d")
+ * @returns Signed JWT string
+ */
+declare function issueToken(did: string, ss58: string, tier: string, secret: string, expiresIn?: string): string;
+/**
+ * Validate a DID JWT token and extract the session payload.
+ *
+ * @param token - The JWT string to validate
+ * @param secret - JWT signing secret (must match issuing secret)
+ * @returns The DIDSession if valid, or null if invalid/expired
+ */
+declare function validateToken(token: string, secret: string): DIDSession | null;
+/**
+ * Lightweight JWT validation without full jsonwebtoken dependency.
+ * Suitable for Edge runtime (Next.js middleware) where jsonwebtoken isn't available.
+ *
+ * WARNING: This only validates structure and expiration, NOT the signature.
+ * Use validateToken() for full server-side validation.
+ *
+ * @param token - The JWT string
+ * @returns Parsed session or null
+ */
+declare function validateTokenLite(token: string): DIDSession | null;
+
+/**
+ * Client-side DID authentication helpers.
+ *
+ * Used in browser contexts to perform the challenge-response flow
+ * with a Polkadot wallet extension signer.
+ */
+
+/**
+ * Request a challenge from the server for DID authentication.
+ *
+ * @param serverUrl - The base server URL (e.g., "/api" or "http://localhost:3001/api")
+ * @param did - The DID to authenticate
+ * @returns The challenge containing nonce and expiration
+ */
+declare function requestChallenge(serverUrl: string, did: string): Promise<DIDChallenge>;
+/**
+ * Sign a challenge using a Polkadot wallet extension signer.
+ *
+ * @param nonce - The challenge nonce from the server
+ * @param timestamp - Current timestamp
+ * @param origin - The current page origin
+ * @param signer - The signer from @polkadot/extension-dapp web3FromSource()
+ * @param address - The SS58 address to sign with
+ * @returns The hex-encoded signature
+ */
+declare function signChallenge(nonce: string, timestamp: number, origin: string, signer: {
+    signRaw?: (payload: {
+        address: string;
+        data: string;
+        type: string;
+    }) => Promise<{
+        signature: string;
+    }>;
+}, address: string, network?: string): Promise<{
+    signature: string;
+}>;
+/**
+ * Perform the full DID authentication flow.
+ *
+ * 1. Request challenge from server
+ * 2. Sign challenge with wallet
+ * 3. Submit signed challenge for verification
+ * 4. Return the JWT token on success
+ *
+ * @param serverUrl - Base server URL for API calls
+ * @param did - The DID to authenticate
+ * @param signer - Polkadot wallet signer
+ * @param address - SS58 address for signing
+ * @returns Authentication result with token and session info
+ */
+declare function authenticate(serverUrl: string, did: string, signer: {
+    signRaw?: (payload: {
+        address: string;
+        data: string;
+        type: string;
+    }) => Promise<{
+        signature: string;
+    }>;
+}, address: string): Promise<{
+    token: string;
+    did: string;
+    ss58: string;
+    tier: string;
+}>;
+
+export { type DIDAuthRequest, type DIDChallenge, type DIDDocumentLike, type DIDResolutionResultLike, type DIDSession, type DIDVerifyResult, authenticate, constructMessage, extractNetworkId, generateChallenge, issueToken, requestChallenge, signChallenge, validateToken, validateTokenLite, verifyDIDSignature };

package/dist/index.d.ts

@@ -0,0 +1,208 @@
+/**
+ * DID Authentication types for the sign-in-with-DID protocol.
+ */
+/** A challenge issued to a DID holder for authentication. */
+interface DIDChallenge {
+    nonce: string;
+    expiresAt: number;
+    did: string;
+}
+/** A signed authentication request from the client. */
+interface DIDAuthRequest {
+    did: string;
+    nonce: string;
+    signature: string;
+    timestamp: number;
+    origin: string;
+}
+/** A validated DID session stored in a JWT. */
+interface DIDSession {
+    did: string;
+    ss58: string;
+    tier: string;
+    iat: number;
+    exp: number;
+}
+/** Result of DID signature verification. */
+interface DIDVerifyResult {
+    valid: boolean;
+    publicKey?: string;
+    keyType?: string;
+}
+/** Minimal DID Document shape needed for verification. */
+interface DIDDocumentLike {
+    id: string;
+    verificationMethod?: Array<{
+        id: string;
+        type: string;
+        controller: string;
+        publicKeyMultibase?: string;
+    }>;
+}
+/** DID resolution result shape (subset of DIF Universal Resolver). */
+interface DIDResolutionResultLike {
+    didDocument: DIDDocumentLike | null;
+    didResolutionMetadata: {
+        error?: string;
+    };
+}
+
+/**
+ * Challenge generation and message construction for DID auth.
+ */
+
+/**
+ * Generate a cryptographic challenge for DID authentication.
+ *
+ * @param did - The DID requesting authentication
+ * @param ttlSeconds - Challenge time-to-live in seconds (default: 300)
+ * @returns A DIDChallenge with a random nonce and expiration timestamp
+ */
+declare function generateChallenge(did: string, ttlSeconds?: number): DIDChallenge;
+/**
+ * Extract the network ID from a did:vineyard DID.
+ * Format: did:vineyard:<networkId>:<ss58Address>
+ *
+ * @param did - A did:vineyard DID string
+ * @returns The network ID string (e.g., "0" for devnet, "1" for mainnet)
+ */
+declare function extractNetworkId(did: string): string;
+/**
+ * Construct the canonical message to be signed by the wallet.
+ *
+ * The message is a JSON string with domain separation to prevent
+ * signature replay across different protocols and chains. The network
+ * field binds the signature to a specific chain (devnet/testnet/mainnet),
+ * preventing cross-chain replay attacks.
+ *
+ * @param nonce - The challenge nonce
+ * @param timestamp - Client-provided timestamp
+ * @param origin - The requesting origin (e.g., "https://axis.civiwave.network")
+ * @param network - Chain network ID from the DID (e.g., "0" for devnet)
+ * @returns The canonical message string to be signed
+ */
+declare function constructMessage(nonce: string, timestamp: number, origin: string, network?: string): string;
+
+/**
+ * DID signature verification for authentication.
+ *
+ * Resolves the DID to obtain the public key, then verifies the signature
+ * against the constructed message using @polkadot/util-crypto.
+ */
+
+/**
+ * Verify a DID authentication signature.
+ *
+ * 1. Resolves the DID to obtain the public key
+ * 2. Constructs the canonical message from the request parameters
+ * 3. Verifies the signature using @polkadot/util-crypto signatureVerify
+ *
+ * @param request - The authentication request containing DID, nonce, signature, etc.
+ * @param resolverEndpoint - Optional HTTP resolver endpoint URL
+ * @returns Verification result with validity flag and key info
+ */
+declare function verifyDIDSignature(request: DIDAuthRequest, resolverEndpoint?: string): Promise<DIDVerifyResult>;
+
+/**
+ * JWT session management for DID authentication.
+ *
+ * Issues and validates JWTs containing DID session information.
+ */
+
+/**
+ * Issue a JWT token for an authenticated DID session.
+ *
+ * @param did - The authenticated DID (e.g., "did:vineyard:0:<ss58>")
+ * @param ss58 - The SS58 address extracted from the DID
+ * @param tier - The user's tier/role (e.g., "member", "validator")
+ * @param secret - JWT signing secret (from DID_AUTH_SECRET env var)
+ * @param expiresIn - JWT expiration (default: "7d")
+ * @returns Signed JWT string
+ */
+declare function issueToken(did: string, ss58: string, tier: string, secret: string, expiresIn?: string): string;
+/**
+ * Validate a DID JWT token and extract the session payload.
+ *
+ * @param token - The JWT string to validate
+ * @param secret - JWT signing secret (must match issuing secret)
+ * @returns The DIDSession if valid, or null if invalid/expired
+ */
+declare function validateToken(token: string, secret: string): DIDSession | null;
+/**
+ * Lightweight JWT validation without full jsonwebtoken dependency.
+ * Suitable for Edge runtime (Next.js middleware) where jsonwebtoken isn't available.
+ *
+ * WARNING: This only validates structure and expiration, NOT the signature.
+ * Use validateToken() for full server-side validation.
+ *
+ * @param token - The JWT string
+ * @returns Parsed session or null
+ */
+declare function validateTokenLite(token: string): DIDSession | null;
+
+/**
+ * Client-side DID authentication helpers.
+ *
+ * Used in browser contexts to perform the challenge-response flow
+ * with a Polkadot wallet extension signer.
+ */
+
+/**
+ * Request a challenge from the server for DID authentication.
+ *
+ * @param serverUrl - The base server URL (e.g., "/api" or "http://localhost:3001/api")
+ * @param did - The DID to authenticate
+ * @returns The challenge containing nonce and expiration
+ */
+declare function requestChallenge(serverUrl: string, did: string): Promise<DIDChallenge>;
+/**
+ * Sign a challenge using a Polkadot wallet extension signer.
+ *
+ * @param nonce - The challenge nonce from the server
+ * @param timestamp - Current timestamp
+ * @param origin - The current page origin
+ * @param signer - The signer from @polkadot/extension-dapp web3FromSource()
+ * @param address - The SS58 address to sign with
+ * @returns The hex-encoded signature
+ */
+declare function signChallenge(nonce: string, timestamp: number, origin: string, signer: {
+    signRaw?: (payload: {
+        address: string;
+        data: string;
+        type: string;
+    }) => Promise<{
+        signature: string;
+    }>;
+}, address: string, network?: string): Promise<{
+    signature: string;
+}>;
+/**
+ * Perform the full DID authentication flow.
+ *
+ * 1. Request challenge from server
+ * 2. Sign challenge with wallet
+ * 3. Submit signed challenge for verification
+ * 4. Return the JWT token on success
+ *
+ * @param serverUrl - Base server URL for API calls
+ * @param did - The DID to authenticate
+ * @param signer - Polkadot wallet signer
+ * @param address - SS58 address for signing
+ * @returns Authentication result with token and session info
+ */
+declare function authenticate(serverUrl: string, did: string, signer: {
+    signRaw?: (payload: {
+        address: string;
+        data: string;
+        type: string;
+    }) => Promise<{
+        signature: string;
+    }>;
+}, address: string): Promise<{
+    token: string;
+    did: string;
+    ss58: string;
+    tier: string;
+}>;
+
+export { type DIDAuthRequest, type DIDChallenge, type DIDDocumentLike, type DIDResolutionResultLike, type DIDSession, type DIDVerifyResult, authenticate, constructMessage, extractNetworkId, generateChallenge, issueToken, requestChallenge, signChallenge, validateToken, validateTokenLite, verifyDIDSignature };

package/dist/index.js

@@ -0,0 +1,231 @@
+// src/challenge.ts
+import crypto from "crypto";
+var DEFAULT_TTL_SECONDS = 300;
+function generateChallenge(did, ttlSeconds = DEFAULT_TTL_SECONDS) {
+  const nonce = crypto.randomBytes(32).toString("hex");
+  const expiresAt = Date.now() + ttlSeconds * 1e3;
+  return { nonce, expiresAt, did };
+}
+function extractNetworkId(did) {
+  const parts = did.split(":");
+  if (parts.length < 4 || parts[0] !== "did" || parts[1] !== "vineyard") {
+    throw new Error(`Invalid did:vineyard format: ${did}`);
+  }
+  return parts[2];
+}
+function constructMessage(nonce, timestamp, origin, network = "0") {
+  return JSON.stringify({
+    domain: "civiwave:did:auth-challenge",
+    network,
+    nonce,
+    timestamp,
+    origin
+  });
+}
+
+// src/verify.ts
+import { signatureVerify } from "@polkadot/util-crypto";
+import { u8aToHex, stringToU8a } from "@polkadot/util";
+var DEFAULT_RESOLVER_ENDPOINT = "http://localhost:8080";
+function decodePublicKeyMultibase(multibase) {
+  if (!multibase.startsWith("z")) {
+    throw new Error("Only base58btc (z-prefix) multibase is supported");
+  }
+  const encoded = multibase.slice(1);
+  const alphabet = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+  let num = BigInt(0);
+  for (const char of encoded) {
+    const idx = alphabet.indexOf(char);
+    if (idx === -1) throw new Error(`Invalid base58 character: ${char}`);
+    num = num * BigInt(58) + BigInt(idx);
+  }
+  const hex = num.toString(16).padStart(2, "0");
+  const bytes = new Uint8Array(
+    (hex.length % 2 === 0 ? hex : "0" + hex).match(/.{2}/g).map((b) => parseInt(b, 16))
+  );
+  const rawKey = bytes.slice(2);
+  return u8aToHex(rawKey);
+}
+async function resolveViaHttp(did, resolverEndpoint) {
+  const url = `${resolverEndpoint}/1.0/identifiers/${encodeURIComponent(did)}`;
+  const response = await fetch(url, {
+    headers: { Accept: "application/did+ld+json" }
+  });
+  if (!response.ok) {
+    return {
+      didDocument: null,
+      didResolutionMetadata: { error: "notFound" }
+    };
+  }
+  return await response.json();
+}
+function extractPublicKey(didDocument) {
+  if (!didDocument?.verificationMethod?.length) {
+    return null;
+  }
+  for (const vm of didDocument.verificationMethod) {
+    if (vm.publicKeyMultibase) {
+      const publicKeyHex = decodePublicKeyMultibase(vm.publicKeyMultibase);
+      return { publicKeyHex, keyType: vm.type };
+    }
+  }
+  return null;
+}
+async function verifyDIDSignature(request, resolverEndpoint = DEFAULT_RESOLVER_ENDPOINT) {
+  try {
+    const resolution = await resolveViaHttp(request.did, resolverEndpoint);
+    if (resolution.didResolutionMetadata.error || !resolution.didDocument) {
+      return { valid: false };
+    }
+    const keyInfo = extractPublicKey(resolution.didDocument);
+    if (!keyInfo) {
+      return { valid: false };
+    }
+    const network = extractNetworkId(request.did);
+    const message = constructMessage(
+      request.nonce,
+      request.timestamp,
+      request.origin,
+      network
+    );
+    const messageU8a = stringToU8a(message);
+    const result = signatureVerify(
+      messageU8a,
+      request.signature,
+      keyInfo.publicKeyHex
+    );
+    return {
+      valid: result.isValid,
+      publicKey: keyInfo.publicKeyHex,
+      keyType: keyInfo.keyType
+    };
+  } catch (error) {
+    console.error("[did-auth] Signature verification error:", error);
+    return { valid: false };
+  }
+}
+
+// src/session.ts
+import jwt from "jsonwebtoken";
+var DEFAULT_EXPIRES_IN = "7d";
+function issueToken(did, ss58, tier, secret, expiresIn = DEFAULT_EXPIRES_IN) {
+  return jwt.sign(
+    {
+      sub: did,
+      ss58,
+      tier
+    },
+    secret,
+    { expiresIn }
+  );
+}
+function validateToken(token, secret) {
+  try {
+    const payload = jwt.verify(token, secret);
+    if (!payload.sub || !payload.ss58) {
+      return null;
+    }
+    return {
+      did: payload.sub,
+      ss58: payload.ss58,
+      tier: payload.tier || "member",
+      iat: payload.iat ?? 0,
+      exp: payload.exp ?? 0
+    };
+  } catch {
+    return null;
+  }
+}
+function validateTokenLite(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const payload = JSON.parse(
+      Buffer.from(parts[1], "base64url").toString("utf-8")
+    );
+    if (!payload.sub || !payload.ss58) return null;
+    if (payload.exp && payload.exp * 1e3 < Date.now()) return null;
+    return {
+      did: payload.sub,
+      ss58: payload.ss58,
+      tier: payload.tier || "member",
+      iat: payload.iat ?? 0,
+      exp: payload.exp ?? 0
+    };
+  } catch {
+    return null;
+  }
+}
+
+// src/client.ts
+async function requestChallenge(serverUrl, did) {
+  const response = await fetch(`${serverUrl}/auth/did/challenge`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ did })
+  });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({ error: "Challenge request failed" }));
+    throw new Error(error.error || "Challenge request failed");
+  }
+  const data = await response.json();
+  return {
+    nonce: data.nonce,
+    expiresAt: data.expiresAt,
+    did
+  };
+}
+async function signChallenge(nonce, timestamp, origin, signer, address, network = "0") {
+  if (!signer.signRaw) {
+    throw new Error("Signer does not support signRaw");
+  }
+  const message = constructMessage(nonce, timestamp, origin, network);
+  const result = await signer.signRaw({
+    address,
+    data: message,
+    type: "bytes"
+  });
+  return { signature: result.signature };
+}
+async function authenticate(serverUrl, did, signer, address) {
+  const challenge = await requestChallenge(serverUrl, did);
+  const timestamp = Date.now();
+  const origin = typeof window !== "undefined" ? window.location.origin : "";
+  const network = extractNetworkId(did);
+  const { signature } = await signChallenge(
+    challenge.nonce,
+    timestamp,
+    origin,
+    signer,
+    address,
+    network
+  );
+  const response = await fetch(`${serverUrl}/auth/did/verify`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      did,
+      nonce: challenge.nonce,
+      signature,
+      timestamp,
+      origin
+    })
+  });
+  if (!response.ok) {
+    const error = await response.json().catch(() => ({ error: "Verification failed" }));
+    throw new Error(error.error || "DID authentication failed");
+  }
+  return await response.json();
+}
+export {
+  authenticate,
+  constructMessage,
+  extractNetworkId,
+  generateChallenge,
+  issueToken,
+  requestChallenge,
+  signChallenge,
+  validateToken,
+  validateTokenLite,
+  verifyDIDSignature
+};

package/package.json

@@ -0,0 +1,35 @@
+{
+  "name": "@civiwave/vineyard-id",
+  "description": "Sovereign Identity SDK for Civiwave — DID authentication, resolution, and verifiable credential verification against the civiwave identity-hub",
+  "version": "0.1.1",
+  "type": "module",
+  "main": "dist/index.cjs",
+  "module": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "require": "./dist/index.cjs"
+    }
+  },
+  "scripts": {
+    "build": "tsup",
+    "typecheck": "tsc --noEmit",
+    "test": "echo \"No tests yet\""
+  },
+  "dependencies": {
+    "@polkadot/util": "^14.0.1",
+    "@polkadot/util-crypto": "^14.0.1",
+    "jsonwebtoken": "^9.0.2"
+  },
+  "devDependencies": {
+    "@types/jsonwebtoken": "9.0.5",
+    "@types/node": "^20.11.30",
+    "tsup": "^8.5.1",
+    "typescript": "^5.4.5"
+  },
+  "files": [
+    "dist"
+  ]
+}