@dwk/vc 0.1.0-beta.0

package/dist/data-integrity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"data-integrity.d.ts","sourceRoot":"","sources":["../src/data-integrity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAGH,OAAO,EAAqC,KAAK,QAAQ,EAAE,MAAM,OAAO,CAAC;AAQzE,6EAA6E;AAC7E,MAAM,MAAM,UAAU,GAAG;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,QAAQ,GAAG,SAAS,CAAA;CAAE,CAAC;AAEjE,+DAA+D;AAC/D,MAAM,MAAM,WAAW,GAAG,gBAAgB,GAAG,gBAAgB,CAAC;AAE9D,qDAAqD;AACrD,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,OAAO,GAAG,KAAK,IAAI,WAAW,CAE3E;AAED,KAAK,aAAa,GAAG,SAAS,GAAG,SAAS,CAAC;AAK3C,UAAU,SAAS;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,IAAI,CAAC,EAAE,MAAM,CAAC;CACf;AACD,KAAK,gBAAgB,GAAG,SAAS,CAAC;AAElC,yEAAyE;AACzE,MAAM,WAAW,MAAM;IACrB,QAAQ,CAAC,GAAG,EAAE,SAAS,CAAC;IACxB,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC;IAClC,QAAQ,CAAC,aAAa,EAAE,aAAa,CAAC;IACtC,QAAQ,CAAC,MAAM,EAAE,gBAAgB,CAAC;CACnC;AA0BD;;;;GAIG;AACH,wBAAsB,YAAY,CAAC,GAAG,EAAE,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAmCnE;AA8BD,kEAAkE;AAClE,MAAM,WAAW,eAAe;IAC9B,8EAA8E;IAC9E,QAAQ,CAAC,kBAAkB,EAAE,MAAM,CAAC;IACpC,sDAAsD;IACtD,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;IAC/B,gFAAgF;IAChF,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,GAAG,MAAM,CAAC;CAClC;AAED,6DAA6D;AAC7D,MAAM,MAAM,eAAe,GAAG,UAAU,GAAG;IAAE,KAAK,EAAE,UAAU,CAAA;CAAE,CAAC;AAEjE;;;;GAIG;AACH,wBAAsB,QAAQ,CAC5B,QAAQ,EAAE,UAAU,EACpB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,eAAe,GACvB,OAAO,CAAC,eAAe,CAAC,CAwB1B;AAED,4DAA4D;AAC5D,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;IAC7B,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IACrC,QAAQ,CAAC,YAAY,CAAC,EAAE,UAAU,CAAC;CACpC;AAED,mFAAmF;AACnF,MAAM,MAAM,0BAA0B,GAAG,CACvC,EAAE,EAAE,MAAM,KACP,kBAAkB,GAAG,SAAS,GAAG,OAAO,CAAC,kBAAkB,GAAG,SAAS,CAAC,CAAC;AAiE9E,uCAAuC;AACvC,MAAM,WAAW,kBAAkB;IACjC,mEAAmE;IACnE,QAAQ,CAAC,yBAAyB,EAAE,0BAA0B,CAAC;IAC/D,+DAA+D;IAC/D,QAAQ,CAAC,oBAAoB,CAAC,EAAE,MAAM,CAAC;CACxC;AAED,qEAAqE;AACrE,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC;IAC3B,wEAAwE;IACxE,QAAQ,CAAC,MAAM,EAAE,SAAS,MAAM,EAAE,CAAC;CACpC;AA6GD;;;;GAIG;AACH,wBAAsB,WAAW,CAC/B,QAAQ,EAAE,UAAU,EACpB,OAAO,EAAE,kBAAkB,GAC1B,OAAO,CAAC,iBAAiB,CAAC,CAW5B"}

package/dist/data-integrity.js

@@ -0,0 +1,253 @@
+/**
+ * Data Integrity proofs over JSON credentials, using the JCS cryptosuites.
+ *
+ * Implements `eddsa-jcs-2022` (Ed25519) and `ecdsa-jcs-2019` (ECDSA P-256 /
+ * P-384) from the W3C Data Integrity specs. The proof pipeline is:
+ *
+ * 1. Build a **proof configuration** (the proof object minus `proofValue`),
+ *    copying the document's `@context`.
+ * 2. JCS-canonicalize the proof config and the document-without-proof, hash each
+ *    with the cryptosuite's digest, and concatenate `proofConfigHash ‖ docHash`.
+ * 3. Sign (or verify) that concatenation with the verification key.
+ *
+ * The proof value is multibase base58-btc. ECDSA signatures use the IEEE P1363
+ * (`r ‖ s`) form Web Crypto produces, which is exactly what the cryptosuite
+ * expects. Signing/verification mirror the `@dwk/dpop` and `@dwk/http-signatures`
+ * posture — asymmetric only, an explicit cryptosuite allow-list, and the key is
+ * validated against the claimed cryptosuite.
+ *
+ * Pure aside from Web Crypto: plain-data in, plain-data out, no runtime bindings.
+ *
+ * @see https://www.w3.org/TR/vc-di-eddsa/
+ * @see https://www.w3.org/TR/vc-di-ecdsa/
+ */
+import { toXsdDateTime } from "./datetime";
+import { canonicalize, canonicalizeToBytes } from "./jcs";
+import { base58btcDecode, decodeMultikey, encodeMultibaseBase58btc, MULTIBASE_BASE58BTC, } from "./multibase";
+/** Whether `value` names a supported cryptosuite. */
+export function isSupportedCryptosuite(value) {
+    return value === "eddsa-jcs-2022" || value === "ecdsa-jcs-2019";
+}
+function ecParamsForCurve(curve) {
+    if (curve === "P-256") {
+        return {
+            cryptosuite: "ecdsa-jcs-2019",
+            componentHash: "SHA-256",
+            params: { name: "ECDSA", hash: "SHA-256" },
+        };
+    }
+    if (curve === "P-384") {
+        return {
+            cryptosuite: "ecdsa-jcs-2019",
+            componentHash: "SHA-384",
+            params: { name: "ECDSA", hash: "SHA-384" },
+        };
+    }
+    throw new Error(`@dwk/vc: unsupported EC curve "${curve}" for ecdsa-jcs-2019`);
+}
+/**
+ * Import a private signing key from a JWK and resolve the cryptosuite it
+ * implies: `OKP`/`Ed25519` → `eddsa-jcs-2022`; `EC`/`P-256`|`P-384` →
+ * `ecdsa-jcs-2019`. Throws for unsupported or non-private keys.
+ */
+export async function importSigner(jwk) {
+    if (jwk.d === undefined) {
+        throw new Error("@dwk/vc: signing key JWK is missing the private `d` member");
+    }
+    if (jwk.kty === "OKP" && jwk.crv === "Ed25519") {
+        const key = await crypto.subtle.importKey("jwk", jwk, { name: "Ed25519" }, false, ["sign"]);
+        return {
+            key,
+            cryptosuite: "eddsa-jcs-2022",
+            componentHash: "SHA-256",
+            params: { name: "Ed25519" },
+        };
+    }
+    if (jwk.kty === "EC" && typeof jwk.crv === "string") {
+        const ec = ecParamsForCurve(jwk.crv);
+        const key = await crypto.subtle.importKey("jwk", jwk, { name: "ECDSA", namedCurve: jwk.crv }, false, ["sign"]);
+        return { key, ...ec };
+    }
+    throw new Error(`@dwk/vc: unsupported signing key (kty=${String(jwk.kty)}, crv=${String(jwk.crv)})`);
+}
+async function digest(hash, bytes) {
+    const out = await crypto.subtle.digest(hash, bytes);
+    return new Uint8Array(out);
+}
+/** `proofConfigHash ‖ documentHash`, the bytes a JCS cryptosuite signs. */
+async function hashData(proofConfig, document, componentHash) {
+    const proofConfigHash = await digest(componentHash, canonicalizeToBytes(proofConfig));
+    const documentHash = await digest(componentHash, canonicalizeToBytes(document));
+    const out = new Uint8Array(proofConfigHash.length + documentHash.length);
+    out.set(proofConfigHash, 0);
+    out.set(documentHash, proofConfigHash.length);
+    return out;
+}
+/**
+ * Attach a Data Integrity proof to `document`, returning a new secured document.
+ * Any existing `proof` on the input is excluded from the signed payload (a proof
+ * never signs over itself).
+ */
+export async function addProof(document, signer, options) {
+    const proofConfig = {
+        type: "DataIntegrityProof",
+        cryptosuite: signer.cryptosuite,
+        created: toXsdDateTime(options.created ?? new Date()),
+        verificationMethod: options.verificationMethod,
+        proofPurpose: options.proofPurpose ?? "assertionMethod",
+    };
+    // The proof config's `@context` MUST match the document's, when present.
+    if (document["@context"] !== undefined) {
+        proofConfig["@context"] = document["@context"];
+    }
+    const { proof: _existing, ...unsigned } = document;
+    void _existing;
+    const data = await hashData(proofConfig, unsigned, signer.componentHash);
+    const signature = await crypto.subtle.sign(signer.params, signer.key, data);
+    const proof = {
+        ...proofConfig,
+        proofValue: encodeMultibaseBase58btc(new Uint8Array(signature)),
+    };
+    return { ...unsigned, proof };
+}
+/** Import a public verification key, requiring it to match `cryptosuite`. */
+async function importVerifier(vm, cryptosuite) {
+    if (vm.publicKeyMultibase !== undefined) {
+        if (cryptosuite !== "eddsa-jcs-2022") {
+            throw new Error("@dwk/vc: publicKeyMultibase (Multikey) requires the eddsa-jcs-2022 cryptosuite");
+        }
+        const { rawPublicKey } = decodeMultikey(vm.publicKeyMultibase);
+        const key = await crypto.subtle.importKey("raw", rawPublicKey, { name: "Ed25519" }, false, ["verify"]);
+        return { key, componentHash: "SHA-256", params: { name: "Ed25519" } };
+    }
+    if (vm.publicKeyJwk !== undefined) {
+        const jwk = vm.publicKeyJwk;
+        if (cryptosuite === "eddsa-jcs-2022") {
+            if (jwk.kty !== "OKP" || jwk.crv !== "Ed25519") {
+                throw new Error("@dwk/vc: eddsa-jcs-2022 requires an Ed25519 key");
+            }
+            const key = await crypto.subtle.importKey("jwk", jwk, { name: "Ed25519" }, false, ["verify"]);
+            return { key, componentHash: "SHA-256", params: { name: "Ed25519" } };
+        }
+        // ecdsa-jcs-2019
+        if (jwk.kty !== "EC" || typeof jwk.crv !== "string") {
+            throw new Error("@dwk/vc: ecdsa-jcs-2019 requires an EC key");
+        }
+        const ec = ecParamsForCurve(jwk.crv);
+        const key = await crypto.subtle.importKey("jwk", jwk, { name: "ECDSA", namedCurve: jwk.crv }, false, ["verify"]);
+        return { key, componentHash: ec.componentHash, params: ec.params };
+    }
+    throw new Error("@dwk/vc: verification method has neither publicKeyMultibase nor publicKeyJwk");
+}
+function isJsonObject(value) {
+    return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+function asProofArray(proof) {
+    if (proof === undefined || proof === null)
+        return [];
+    if (Array.isArray(proof))
+        return proof.filter(isJsonObject);
+    return isJsonObject(proof) ? [proof] : [];
+}
+function asContextArray(context) {
+    if (context === undefined)
+        return [];
+    return Array.isArray(context) ? context : [context];
+}
+/**
+ * Whether the document's `@context` begins with every value in the proof's
+ * `@context`, in order (vc-di-eddsa §3.3.2 step 4.1). A proof without an
+ * `@context` imposes no constraint. Values are compared by JCS canonical form,
+ * so embedded context objects match structurally regardless of key order.
+ */
+function contextStartsWith(documentContext, proofContext) {
+    const proofArr = asContextArray(proofContext);
+    if (proofArr.length === 0)
+        return true;
+    const docArr = asContextArray(documentContext);
+    if (docArr.length < proofArr.length)
+        return false;
+    for (let i = 0; i < proofArr.length; i++) {
+        if (canonicalize(proofArr[i]) !== canonicalize(docArr[i]))
+            return false;
+    }
+    return true;
+}
+async function verifySingleProof(document, proof, options) {
+    if (proof.type !== "DataIntegrityProof") {
+        return `unsupported proof type "${String(proof.type)}"`;
+    }
+    if (!isSupportedCryptosuite(proof.cryptosuite)) {
+        return `unsupported cryptosuite "${String(proof.cryptosuite)}"`;
+    }
+    const expectedPurpose = options.expectedProofPurpose ?? "assertionMethod";
+    if (proof.proofPurpose !== expectedPurpose) {
+        return `proof purpose "${String(proof.proofPurpose)}" does not match expected "${expectedPurpose}"`;
+    }
+    if (typeof proof.verificationMethod !== "string") {
+        return "proof is missing a string verificationMethod";
+    }
+    if (typeof proof.proofValue !== "string") {
+        return "proof is missing a string proofValue";
+    }
+    // vc-di-eddsa §3.3.2 step 4.1: the secured document's `@context` MUST begin
+    // with the proof's `@context` values, in order, or verification fails.
+    if (!contextStartsWith(document["@context"], proof["@context"])) {
+        return "document @context does not start with the proof's @context values, in order";
+    }
+    // Both JCS cryptosuites mandate a base58-btc (`z`) proofValue; reject any
+    // other multibase encoding (e.g. base64url) rather than silently decoding it.
+    if (proof.proofValue[0] !== MULTIBASE_BASE58BTC) {
+        return `proofValue must be base58-btc multibase (a "${MULTIBASE_BASE58BTC}" prefix), got "${proof.proofValue[0] ?? ""}"`;
+    }
+    let signature;
+    try {
+        signature = base58btcDecode(proof.proofValue.slice(1));
+    }
+    catch (error) {
+        return `proofValue is not valid base58-btc: ${error.message}`;
+    }
+    const vm = await options.resolveVerificationMethod(proof.verificationMethod);
+    if (vm === undefined) {
+        return `could not resolve verification method "${proof.verificationMethod}"`;
+    }
+    let verifier;
+    try {
+        verifier = await importVerifier(vm, proof.cryptosuite);
+    }
+    catch (error) {
+        return error.message;
+    }
+    const { proofValue: _pv, ...proofConfig } = proof;
+    void _pv;
+    const { proof: _existing, ...unsigned } = document;
+    void _existing;
+    const data = await hashData(proofConfig, unsigned, verifier.componentHash);
+    let ok;
+    try {
+        ok = await crypto.subtle.verify(verifier.params, verifier.key, signature, data);
+    }
+    catch (error) {
+        return `signature verification threw: ${error.message}`;
+    }
+    return ok ? null : "signature verification failed";
+}
+/**
+ * Verify the Data Integrity proof(s) on `document`. A document with no proof, or
+ * any proof that fails, yields `verified: false` with the reasons collected in
+ * `errors`. Never throws — verification failures are returned, not raised.
+ */
+export async function verifyProof(document, options) {
+    const proofs = asProofArray(document.proof);
+    if (proofs.length === 0) {
+        return { verified: false, errors: ["document has no proof"] };
+    }
+    const errors = [];
+    for (const proof of proofs) {
+        const error = await verifySingleProof(document, proof, options);
+        if (error !== null)
+            errors.push(error);
+    }
+    return { verified: errors.length === 0, errors };
+}
+//# sourceMappingURL=data-integrity.js.map

package/dist/data-integrity.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"data-integrity.js","sourceRoot":"","sources":["../src/data-integrity.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAC3C,OAAO,EAAE,YAAY,EAAE,mBAAmB,EAAiB,MAAM,OAAO,CAAC;AACzE,OAAO,EACL,eAAe,EACf,cAAc,EACd,wBAAwB,EACxB,mBAAmB,GACpB,MAAM,aAAa,CAAC;AAQrB,qDAAqD;AACrD,MAAM,UAAU,sBAAsB,CAAC,KAAc;IACnD,OAAO,KAAK,KAAK,gBAAgB,IAAI,KAAK,KAAK,gBAAgB,CAAC;AAClE,CAAC;AAsBD,SAAS,gBAAgB,CAAC,KAAa;IAKrC,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;QACtB,OAAO;YACL,WAAW,EAAE,gBAAgB;YAC7B,aAAa,EAAE,SAAS;YACxB,MAAM,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE;SAC3C,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,KAAK,OAAO,EAAE,CAAC;QACtB,OAAO;YACL,WAAW,EAAE,gBAAgB;YAC7B,aAAa,EAAE,SAAS;YACxB,MAAM,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE;SAC3C,CAAC;IACJ,CAAC;IACD,MAAM,IAAI,KAAK,CACb,kCAAkC,KAAK,sBAAsB,CAC9D,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,GAAe;IAChD,IAAI,GAAG,CAAC,CAAC,KAAK,SAAS,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CACb,4DAA4D,CAC7D,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;QAC/C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;QACF,OAAO;YACL,GAAG;YACH,WAAW,EAAE,gBAAgB;YAC7B,aAAa,EAAE,SAAS;YACxB,MAAM,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE;SAC5B,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpD,MAAM,EAAE,GAAG,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACrC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,CAAC,GAAG,EAAE,EACtC,KAAK,EACL,CAAC,MAAM,CAAC,CACT,CAAC;QACF,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE,CAAC;IACxB,CAAC;IACD,MAAM,IAAI,KAAK,CACb,yCAAyC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,CACpF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,MAAM,CACnB,IAAmB,EACnB,KAAiB;IAEjB,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACpD,OAAO,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC;AAC7B,CAAC;AAED,2EAA2E;AAC3E,KAAK,UAAU,QAAQ,CACrB,WAAuB,EACvB,QAAoB,EACpB,aAA4B;IAE5B,MAAM,eAAe,GAAG,MAAM,MAAM,CAClC,aAAa,EACb,mBAAmB,CAAC,WAAW,CAAC,CACjC,CAAC;IACF,MAAM,YAAY,GAAG,MAAM,MAAM,CAC/B,aAAa,EACb,mBAAmB,CAAC,QAAQ,CAAC,CAC9B,CAAC;IACF,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,eAAe,CAAC,MAAM,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC;IACzE,GAAG,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC,CAAC,CAAC;IAC5B,GAAG,CAAC,GAAG,CAAC,YAAY,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC;IAC9C,OAAO,GAAG,CAAC;AACb,CAAC;AAeD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,QAAoB,EACpB,MAAc,EACd,OAAwB;IAExB,MAAM,WAAW,GAAe;QAC9B,IAAI,EAAE,oBAAoB;QAC1B,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,OAAO,EAAE,aAAa,CAAC,OAAO,CAAC,OAAO,IAAI,IAAI,IAAI,EAAE,CAAC;QACrD,kBAAkB,EAAE,OAAO,CAAC,kBAAkB;QAC9C,YAAY,EAAE,OAAO,CAAC,YAAY,IAAI,iBAAiB;KACxD,CAAC;IACF,yEAAyE;IACzE,IAAI,QAAQ,CAAC,UAAU,CAAC,KAAK,SAAS,EAAE,CAAC;QACvC,WAAW,CAAC,UAAU,CAAC,GAAG,QAAQ,CAAC,UAAU,CAAC,CAAC;IACjD,CAAC;IAED,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,QAAQ,EAAE,GAAG,QAAQ,CAAC;IACnD,KAAK,SAAS,CAAC;IAEf,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,WAAW,EAAE,QAAQ,EAAE,MAAM,CAAC,aAAa,CAAC,CAAC;IACzE,MAAM,SAAS,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IAE5E,MAAM,KAAK,GAAe;QACxB,GAAG,WAAW;QACd,UAAU,EAAE,wBAAwB,CAAC,IAAI,UAAU,CAAC,SAAS,CAAC,CAAC;KAChE,CAAC;IACF,OAAO,EAAE,GAAG,QAAQ,EAAE,KAAK,EAAE,CAAC;AAChC,CAAC;AAsBD,6EAA6E;AAC7E,KAAK,UAAU,cAAc,CAC3B,EAAsB,EACtB,WAAwB;IAExB,IAAI,EAAE,CAAC,kBAAkB,KAAK,SAAS,EAAE,CAAC;QACxC,IAAI,WAAW,KAAK,gBAAgB,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CACb,gFAAgF,CACjF,CAAC;QACJ,CAAC;QACD,MAAM,EAAE,YAAY,EAAE,GAAG,cAAc,CAAC,EAAE,CAAC,kBAAkB,CAAC,CAAC;QAC/D,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,YAAY,EACZ,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,KAAK,EACL,CAAC,QAAQ,CAAC,CACX,CAAC;QACF,OAAO,EAAE,GAAG,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,CAAC;IACxE,CAAC;IAED,IAAI,EAAE,CAAC,YAAY,KAAK,SAAS,EAAE,CAAC;QAClC,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC;QAC5B,IAAI,WAAW,KAAK,gBAAgB,EAAE,CAAC;YACrC,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,IAAI,GAAG,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;gBAC/C,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;YACrE,CAAC;YACD,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH,EAAE,IAAI,EAAE,SAAS,EAAE,EACnB,KAAK,EACL,CAAC,QAAQ,CAAC,CACX,CAAC;YACF,OAAO,EAAE,GAAG,EAAE,aAAa,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,CAAC;QACxE,CAAC;QACD,iBAAiB;QACjB,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;YACpD,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;QAChE,CAAC;QACD,MAAM,EAAE,GAAG,gBAAgB,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACrC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,GAAG,CAAC,GAAG,EAAE,EACtC,KAAK,EACL,CAAC,QAAQ,CAAC,CACX,CAAC;QACF,OAAO,EAAE,GAAG,EAAE,aAAa,EAAE,EAAE,CAAC,aAAa,EAAE,MAAM,EAAE,EAAE,CAAC,MAAM,EAAE,CAAC;IACrE,CAAC;IAED,MAAM,IAAI,KAAK,CACb,8EAA8E,CAC/E,CAAC;AACJ,CAAC;AAiBD,SAAS,YAAY,CAAC,KAA2B;IAC/C,OAAO,KAAK,KAAK,IAAI,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC;AAED,SAAS,YAAY,CAAC,KAA2B;IAC/C,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,EAAE,CAAC;IACrD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IAC5D,OAAO,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;AAC5C,CAAC;AAED,SAAS,cAAc,CAAC,OAA6B;IACnD,IAAI,OAAO,KAAK,SAAS;QAAE,OAAO,EAAE,CAAC;IACrC,OAAO,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;AACtD,CAAC;AAED;;;;;GAKG;AACH,SAAS,iBAAiB,CACxB,eAAqC,EACrC,YAAkC;IAElC,MAAM,QAAQ,GAAG,cAAc,CAAC,YAAY,CAAC,CAAC;IAC9C,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,MAAM,MAAM,GAAG,cAAc,CAAC,eAAe,CAAC,CAAC;IAC/C,IAAI,MAAM,CAAC,MAAM,GAAG,QAAQ,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IAClD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,QAAQ,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACzC,IAAI,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAE,CAAC,KAAK,YAAY,CAAC,MAAM,CAAC,CAAC,CAAE,CAAC;YAAE,OAAO,KAAK,CAAC;IAC5E,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,QAAoB,EACpB,KAAiB,EACjB,OAA2B;IAE3B,IAAI,KAAK,CAAC,IAAI,KAAK,oBAAoB,EAAE,CAAC;QACxC,OAAO,2BAA2B,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC;IAC1D,CAAC;IACD,IAAI,CAAC,sBAAsB,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,CAAC;QAC/C,OAAO,4BAA4B,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC;IAClE,CAAC;IACD,MAAM,eAAe,GAAG,OAAO,CAAC,oBAAoB,IAAI,iBAAiB,CAAC;IAC1E,IAAI,KAAK,CAAC,YAAY,KAAK,eAAe,EAAE,CAAC;QAC3C,OAAO,kBAAkB,MAAM,CAAC,KAAK,CAAC,YAAY,CAAC,8BAA8B,eAAe,GAAG,CAAC;IACtG,CAAC;IACD,IAAI,OAAO,KAAK,CAAC,kBAAkB,KAAK,QAAQ,EAAE,CAAC;QACjD,OAAO,8CAA8C,CAAC;IACxD,CAAC;IACD,IAAI,OAAO,KAAK,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QACzC,OAAO,sCAAsC,CAAC;IAChD,CAAC;IAED,4EAA4E;IAC5E,uEAAuE;IACvE,IAAI,CAAC,iBAAiB,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,KAAK,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;QAChE,OAAO,6EAA6E,CAAC;IACvF,CAAC;IAED,0EAA0E;IAC1E,8EAA8E;IAC9E,IAAI,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,mBAAmB,EAAE,CAAC;QAChD,OAAO,+CAA+C,mBAAmB,mBAAmB,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,EAAE,GAAG,CAAC;IAC3H,CAAC;IACD,IAAI,SAAqB,CAAC;IAC1B,IAAI,CAAC;QACH,SAAS,GAAG,eAAe,CAAC,KAAK,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACzD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,uCAAwC,KAAe,CAAC,OAAO,EAAE,CAAC;IAC3E,CAAC;IAED,MAAM,EAAE,GAAG,MAAM,OAAO,CAAC,yBAAyB,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;IAC7E,IAAI,EAAE,KAAK,SAAS,EAAE,CAAC;QACrB,OAAO,0CAA0C,KAAK,CAAC,kBAAkB,GAAG,CAAC;IAC/E,CAAC;IAED,IAAI,QAA0B,CAAC;IAC/B,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,cAAc,CAAC,EAAE,EAAE,KAAK,CAAC,WAAW,CAAC,CAAC;IACzD,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAQ,KAAe,CAAC,OAAO,CAAC;IAClC,CAAC;IAED,MAAM,EAAE,UAAU,EAAE,GAAG,EAAE,GAAG,WAAW,EAAE,GAAG,KAAK,CAAC;IAClD,KAAK,GAAG,CAAC;IACT,MAAM,EAAE,KAAK,EAAE,SAAS,EAAE,GAAG,QAAQ,EAAE,GAAG,QAAQ,CAAC;IACnD,KAAK,SAAS,CAAC;IAEf,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,WAAW,EAAE,QAAQ,EAAE,QAAQ,CAAC,aAAa,CAAC,CAAC;IAC3E,IAAI,EAAW,CAAC;IAChB,IAAI,CAAC;QACH,EAAE,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAC7B,QAAQ,CAAC,MAAM,EACf,QAAQ,CAAC,GAAG,EACZ,SAAS,EACT,IAAI,CACL,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,iCAAkC,KAAe,CAAC,OAAO,EAAE,CAAC;IACrE,CAAC;IACD,OAAO,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,+BAA+B,CAAC;AACrD,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,QAAoB,EACpB,OAA2B;IAE3B,MAAM,MAAM,GAAG,YAAY,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAC5C,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,uBAAuB,CAAC,EAAE,CAAC;IAChE,CAAC;IACD,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,KAAK,GAAG,MAAM,iBAAiB,CAAC,QAAQ,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;QAChE,IAAI,KAAK,KAAK,IAAI;YAAE,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,CAAC;AACnD,CAAC"}

package/dist/datetime.d.ts

@@ -0,0 +1,26 @@
+/**
+ * XSD `dateTimeStamp` validation and canonicalization for VC date fields.
+ *
+ * VCDM 2.0 and the Data Integrity suites express temporal values — a
+ * credential's `validFrom`/`validUntil` and a proof's `created` — as XSD
+ * `dateTimeStamp` strings: an `xsd:dateTime` with a **mandatory** timezone
+ * offset. vc-di-eddsa §3.3.5 step 3 requires erroring on an invalid `created`,
+ * and a verifier must not silently treat a malformed `validUntil` as "no
+ * expiry". These pure helpers gate both, so unparseable datetimes fail loudly
+ * (at signing) or fail closed (at verification) rather than slipping through.
+ *
+ * @see https://www.w3.org/TR/xmlschema11-2/#dateTimeStamp
+ */
+/**
+ * Whether `value` is a valid XSD `dateTimeStamp`: a well-formed `xsd:dateTime`
+ * carrying a mandatory timezone that also denotes a real calendar date (so
+ * lexically-shaped-but-impossible dates like `2026-02-30` are rejected).
+ */
+export declare function isValidXsdDateTimeStamp(value: string): boolean;
+/**
+ * Canonicalize a date value to a second-precision XSD `dateTimeStamp`. A `Date`
+ * is rendered in UTC (milliseconds dropped); a string is validated and passed
+ * through unchanged. Throws when a string is not a valid XSD `dateTimeStamp`.
+ */
+export declare function toXsdDateTime(value: Date | string): string;
+//# sourceMappingURL=datetime.d.ts.map

package/dist/datetime.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"datetime.d.ts","sourceRoot":"","sources":["../src/datetime.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAgBH;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAO9D;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,IAAI,GAAG,MAAM,GAAG,MAAM,CAS1D"}

package/dist/datetime.js

@@ -0,0 +1,54 @@
+/**
+ * XSD `dateTimeStamp` validation and canonicalization for VC date fields.
+ *
+ * VCDM 2.0 and the Data Integrity suites express temporal values — a
+ * credential's `validFrom`/`validUntil` and a proof's `created` — as XSD
+ * `dateTimeStamp` strings: an `xsd:dateTime` with a **mandatory** timezone
+ * offset. vc-di-eddsa §3.3.5 step 3 requires erroring on an invalid `created`,
+ * and a verifier must not silently treat a malformed `validUntil` as "no
+ * expiry". These pure helpers gate both, so unparseable datetimes fail loudly
+ * (at signing) or fail closed (at verification) rather than slipping through.
+ *
+ * @see https://www.w3.org/TR/xmlschema11-2/#dateTimeStamp
+ */
+// xsd:dateTimeStamp — an xsd:dateTime that REQUIRES an explicit timezone (`Z`
+// or `±HH:MM`). Mirrors the W3C XML Schema 1.1 lexical space. The day-of-month
+// upper bound (28–31) is checked separately against the actual month/year.
+const XSD_DATE_TIME_STAMP = /^(-?(?:[1-9][0-9]{3,}|0[0-9]{3}))-(0[1-9]|1[0-2])-(0[1-9]|[12][0-9]|3[01])T(?:([01][0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9](?:\.[0-9]+)?|24:00:00(?:\.0+)?)(?:Z|[+-](?:(?:0[0-9]|1[0-3]):[0-5][0-9]|14:00))$/;
+function daysInMonth(year, month) {
+    if (month === 2) {
+        const leap = year % 4 === 0 && (year % 100 !== 0 || year % 400 === 0);
+        return leap ? 29 : 28;
+    }
+    return month === 4 || month === 6 || month === 9 || month === 11 ? 30 : 31;
+}
+/**
+ * Whether `value` is a valid XSD `dateTimeStamp`: a well-formed `xsd:dateTime`
+ * carrying a mandatory timezone that also denotes a real calendar date (so
+ * lexically-shaped-but-impossible dates like `2026-02-30` are rejected).
+ */
+export function isValidXsdDateTimeStamp(value) {
+    const match = XSD_DATE_TIME_STAMP.exec(value);
+    if (match === null)
+        return false;
+    const year = Number(match[1]);
+    const month = Number(match[2]);
+    const day = Number(match[3]);
+    return day <= daysInMonth(year, month);
+}
+/**
+ * Canonicalize a date value to a second-precision XSD `dateTimeStamp`. A `Date`
+ * is rendered in UTC (milliseconds dropped); a string is validated and passed
+ * through unchanged. Throws when a string is not a valid XSD `dateTimeStamp`.
+ */
+export function toXsdDateTime(value) {
+    if (typeof value === "string") {
+        if (!isValidXsdDateTimeStamp(value)) {
+            throw new Error(`@dwk/vc: "${value}" is not a valid XSD dateTimeStamp`);
+        }
+        return value;
+    }
+    // Drop milliseconds for the canonical, second-precision VC form.
+    return value.toISOString().replace(/\.\d{3}Z$/, "Z");
+}
+//# sourceMappingURL=datetime.js.map

package/dist/datetime.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"datetime.js","sourceRoot":"","sources":["../src/datetime.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,8EAA8E;AAC9E,+EAA+E;AAC/E,2EAA2E;AAC3E,MAAM,mBAAmB,GACvB,yMAAyM,CAAC;AAE5M,SAAS,WAAW,CAAC,IAAY,EAAE,KAAa;IAC9C,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;QAChB,MAAM,IAAI,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,GAAG,KAAK,CAAC,IAAI,IAAI,GAAG,GAAG,KAAK,CAAC,CAAC,CAAC;QACtE,OAAO,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IACxB,CAAC;IACD,OAAO,KAAK,KAAK,CAAC,IAAI,KAAK,KAAK,CAAC,IAAI,KAAK,KAAK,CAAC,IAAI,KAAK,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AAC7E,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,uBAAuB,CAAC,KAAa;IACnD,MAAM,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9C,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IACjC,MAAM,IAAI,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9B,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC/B,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7B,OAAO,GAAG,IAAI,WAAW,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;AACzC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAAC,KAAoB;IAChD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,IAAI,CAAC,uBAAuB,CAAC,KAAK,CAAC,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,aAAa,KAAK,oCAAoC,CAAC,CAAC;QAC1E,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IACD,iEAAiE;IACjE,OAAO,KAAK,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,WAAW,EAAE,GAAG,CAAC,CAAC;AACvD,CAAC"}

package/dist/did-web.d.ts

@@ -0,0 +1,93 @@
+/**
+ * `did:web` ↔ URL mapping, DID-document construction, and verification-method
+ * resolution.
+ *
+ * The DID document itself (`/.well-known/did.json`) is a static artifact a static
+ * host can serve — {@link buildDidDocument} produces it — so this package does
+ * not need a Worker to *resolve* a DID. The Worker side uses
+ * {@link createDidWebResolver} during VC verification to fetch a credential
+ * issuer's DID document and locate the verification key referenced by a proof.
+ *
+ * Method/URL mapping follows the did:web rules: the first colon-separated
+ * component is the host (with a `%3A`-encoded port), remaining components are
+ * path segments, and a bare host resolves under `/.well-known/`.
+ *
+ * @see https://w3c-ccg.github.io/did-method-web/
+ */
+import type { JsonObject, VerificationMethod } from "./data-integrity";
+/** The default did:web context documents emitted by {@link buildDidDocument}. */
+export declare const DID_CONTEXT_V1 = "https://www.w3.org/ns/did/v1";
+export declare const MULTIKEY_CONTEXT_V1 = "https://w3id.org/security/multikey/v1";
+export declare const JWK_CONTEXT_V1 = "https://w3id.org/security/jwk/v1";
+/**
+ * Convert a `did:web` identifier to the URL of its DID document. Throws if the
+ * input is not a `did:web` identifier.
+ */
+export declare function didWebToUrl(did: string): string;
+/**
+ * Derive the `did:web` identifier a URL (or host) would publish. A bare origin
+ * (or one whose path is `/.well-known/did.json`) maps to `did:web:<host>`; a
+ * deeper path maps its segments to colon-separated components.
+ */
+export declare function urlToDidWeb(input: string): string;
+/** Input describing one verification method to publish in a DID document. */
+export interface VerificationMethodInput {
+    /** Method id. A bare fragment (`#key-0`) is resolved against the DID. */
+    readonly id: string;
+    /** Method type. Defaults to `"Multikey"` (or `"JsonWebKey"` for a JWK). */
+    readonly type?: string;
+    readonly publicKeyMultibase?: string;
+    readonly publicKeyJwk?: JsonWebKey;
+}
+/** Verification relationships a method can be referenced by. */
+export interface VerificationRelationships {
+    /** Reference under `assertionMethod` (issuing credentials). Default `true`. */
+    readonly assertionMethod?: boolean;
+    /** Reference under `authentication`. Default `false`. */
+    readonly authentication?: boolean;
+}
+/** Options for {@link buildDidDocument}. */
+export interface BuildDidDocumentOptions {
+    readonly did: string;
+    readonly verificationMethods: readonly VerificationMethodInput[];
+    /** Relationships applied to every supplied method. */
+    readonly relationships?: VerificationRelationships;
+    /** Optional `alsoKnownAs` identifiers (e.g. an `https:` WebID). */
+    readonly alsoKnownAs?: readonly string[];
+}
+/**
+ * Build a `did:web` DID document from public verification methods. Emits the
+ * DID, Multikey, and (when a JWK method is present) JWK context documents, the
+ * `verificationMethod` array, and the requested verification relationships
+ * (defaulting to `assertionMethod`). Suitable for serialization to
+ * `/.well-known/did.json`.
+ */
+export declare function buildDidDocument(options: BuildDidDocumentOptions): JsonObject;
+/**
+ * Locate a verification method in a DID document by its id. A method `id` that
+ * is a relative reference (`#key-0`) is resolved against the document's `id`
+ * before comparison, per DID Core — foreign documents commonly use relative ids.
+ */
+export declare function findVerificationMethod(didDocument: JsonObject, id: string): VerificationMethod | undefined;
+/** A minimal `fetch` used to retrieve DID documents. */
+export type FetchLike = (input: string, init?: {
+    headers?: Record<string, string>;
+}) => Promise<{
+    ok: boolean;
+    status: number;
+    json: () => Promise<unknown>;
+}>;
+/** Options for {@link createDidWebResolver}. */
+export interface DidWebResolverOptions {
+    /** Override the fetch implementation (defaults to the global `fetch`). */
+    readonly fetch?: FetchLike;
+}
+/**
+ * Build a {@link VerificationMethodResolver} that resolves a `did:web`
+ * verification-method id by fetching the controller's DID document over HTTPS
+ * and locating the referenced method. Returns `undefined` for non-`did:web`
+ * ids, fetch failures, and unknown methods — verification treats that as an
+ * unresolvable key rather than throwing.
+ */
+export declare function createDidWebResolver(options?: DidWebResolverOptions): (id: string) => Promise<VerificationMethod | undefined>;
+//# sourceMappingURL=did-web.d.ts.map

package/dist/did-web.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"did-web.d.ts","sourceRoot":"","sources":["../src/did-web.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AAEH,OAAO,KAAK,EAAE,UAAU,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAC;AAIvE,iFAAiF;AACjF,eAAO,MAAM,cAAc,iCAAiC,CAAC;AAC7D,eAAO,MAAM,mBAAmB,0CAA0C,CAAC;AAC3E,eAAO,MAAM,cAAc,qCAAqC,CAAC;AAEjE;;;GAGG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CA+B/C;AAED;;;;GAIG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAkBjD;AAED,6EAA6E;AAC7E,MAAM,WAAW,uBAAuB;IACtC,yEAAyE;IACzE,QAAQ,CAAC,EAAE,EAAE,MAAM,CAAC;IACpB,2EAA2E;IAC3E,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IACrC,QAAQ,CAAC,YAAY,CAAC,EAAE,UAAU,CAAC;CACpC;AAED,gEAAgE;AAChE,MAAM,WAAW,yBAAyB;IACxC,+EAA+E;IAC/E,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC;IACnC,yDAAyD;IACzD,QAAQ,CAAC,cAAc,CAAC,EAAE,OAAO,CAAC;CACnC;AAED,4CAA4C;AAC5C,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,GAAG,EAAE,MAAM,CAAC;IACrB,QAAQ,CAAC,mBAAmB,EAAE,SAAS,uBAAuB,EAAE,CAAC;IACjE,sDAAsD;IACtD,QAAQ,CAAC,aAAa,CAAC,EAAE,yBAAyB,CAAC;IACnD,mEAAmE;IACnE,QAAQ,CAAC,WAAW,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;CAC1C;AAMD;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,uBAAuB,GAAG,UAAU,CAkD7E;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CACpC,WAAW,EAAE,UAAU,EACvB,EAAE,EAAE,MAAM,GACT,kBAAkB,GAAG,SAAS,CAgBhC;AAED,wDAAwD;AACxD,MAAM,MAAM,SAAS,GAAG,CACtB,KAAK,EAAE,MAAM,EACb,IAAI,CAAC,EAAE;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CAAE,KACxC,OAAO,CAAC;IAAE,EAAE,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,OAAO,CAAC,OAAO,CAAC,CAAA;CAAE,CAAC,CAAC;AAE5E,gDAAgD;AAChD,MAAM,WAAW,qBAAqB;IACpC,0EAA0E;IAC1E,QAAQ,CAAC,KAAK,CAAC,EAAE,SAAS,CAAC;CAC5B;AAED;;;;;;GAMG;AACH,wBAAgB,oBAAoB,CAClC,OAAO,GAAE,qBAA0B,GAClC,CAAC,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,kBAAkB,GAAG,SAAS,CAAC,CA8CzD"}