@gramota/issuer 0.1.0 → 0.3.0

package/README.md

@@ -1,6 +1,6 @@
 # @gramota/issuer
 
-> EUDIW credential issuer — sign SD-JWT-VC credentials with selective disclosure and key binding.
+> EUDIW credential issuer — sign SD-JWT-VC credentials with selective disclosure and holder-key binding (cnf claim). One method, fully configurable, ES256 by default.
 
 Part of [Gramota](https://github.com/gramota-org/gramota) — the TypeScript
 SDK for the EU Digital Identity Wallet (EUDIW).
@@ -13,17 +13,50 @@ pnpm add @gramota/issuer
 # or: yarn add @gramota/issuer
 ```
 
-## Usage
+## Quick example
 
 ```ts
 import { Issuer } from "@gramota/issuer";
-
-const issuer = new Issuer({ signer, issuerUri });
-const credential = await issuer.issue({ vct, claims, holderKey });
+import { exportJWK, generateKeyPair } from "jose";
+
+// Issuer's signing keypair (production: HSM / KMS — use makeSigner from @gramota/jose)
+const { publicKey, privateKey } = await generateKeyPair("ES256", { extractable: true });
+
+const issuer = new Issuer({
+  issuerId: "https://issuer.example",
+  publicKey: await exportJWK(publicKey),
+  privateKey: await exportJWK(privateKey),
+  alg: "ES256",
+});
+
+const result = await issuer.issue({
+  vct: "urn:eudi:pid:1",
+  subject: {
+    given_name: "Greta",
+    family_name: "Smith",
+    birth_date: "1990-04-15",
+  },
+  selectivelyDisclosable: ["given_name", "family_name", "birth_date"],
+  holderKey: holderJwk,                  // binds the credential to the holder
+  expiresIn: 365 * 24 * 3600,            // 1 year
+});
+
+console.log(result.token); // SD-JWT-VC compact-serialised string
 ```
 
-For full docs, examples, and the high-level Verifier/Issuer/Holder API,
-see the [main repo](https://github.com/gramota-org/gramota).
+## What's inside
+
+- `Issuer` — single class, stateless, configured once
+- Two equivalent call shapes for the same operation:
+  - `issuer.credentials.issue(options)` — Stripe-style namespacing, symmetric with `holder.credentials.*`, forward-compatible with future ops (revoke, suspend, list)
+  - `issuer.issue(options)` — flat shorthand for the common case
+- `IssuerError` with stable `code` for failure cases (`issuer.holder_key_required`, `issuer.vct_required`, `issuer.expiry_invalid`, ...)
+
+The `cnf.jwk` claim is set automatically from `holderKey`, binding the
+credential to the holder's key for the KB-JWT proof during presentation.
+
+For the high-level Holder / Verifier API, see the
+[main repo](https://github.com/gramota-org/gramota).
 
 ## License
 

package/dist/index.d.ts

@@ -1,3 +1,3 @@
-export { Issuer } from "./issuer.js";
-export { IssuerError, type IssuerConfig, type IssuerErrorCode, type IssueOptions, type IssueResult, } from "./types.js";
+export { Issuer, type IssuerCredentialsApi } from "./issuer.js";
+export { IssuerError, type BatchIssueEntry, type BatchIssueOptions, type IssuerConfig, type IssuerErrorCode, type IssueOptions, type IssueResult, } from "./types.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EACL,WAAW,EACX,KAAK,YAAY,EACjB,KAAK,eAAe,EACpB,KAAK,YAAY,EACjB,KAAK,WAAW,GACjB,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,KAAK,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAChE,OAAO,EACL,WAAW,EACX,KAAK,eAAe,EACpB,KAAK,iBAAiB,EACtB,KAAK,YAAY,EACjB,KAAK,eAAe,EACpB,KAAK,YAAY,EACjB,KAAK,WAAW,GACjB,MAAM,YAAY,CAAC"}

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EACL,WAAW,GAKZ,MAAM,YAAY,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAA6B,MAAM,aAAa,CAAC;AAChE,OAAO,EACL,WAAW,GAOZ,MAAM,YAAY,CAAC"}

package/dist/issuer.d.ts

@@ -1,5 +1,17 @@
 import { type JsonWebKey } from "@gramota/jose";
-import { type IssueOptions, type IssueResult, type IssuerConfig } from "./types.js";
+import { type BatchIssueOptions, type IssueOptions, type IssueResult, type IssuerConfig } from "./types.js";
+/** Stripe-style sub-API for credential operations.
+ *  `issuer.credentials.X(...)`. */
+export interface IssuerCredentialsApi {
+    /** Issue a single SD-JWT-VC credential bound to a holder. */
+    issue(options: IssueOptions): Promise<IssueResult>;
+    /** Issue N credentials in a batch, one per holder-key entry — the
+     * OID4VCI Draft 14/15 batch flow. The EU reference wallet asks for
+     * `numberOfCredentials = 10` so it can use a fresh credential per
+     * presentation (one-time use, unlinkable). Each entry gets its own
+     * `cnf.jwk`, fresh disclosure salts, and a distinct credentialId. */
+    issueBatch(options: BatchIssueOptions): Promise<readonly IssueResult[]>;
+}
 /**
  * The issuer role per IETF SD-JWT-VC §3.
  *
@@ -11,6 +23,12 @@ import { type IssueOptions, type IssueResult, type IssuerConfig } from "./types.
  *     appear in `subject`,
  *   - {@link Signer} Strategy for signing — accepts raw JWKs (shorthand)
  *     or production-grade Signers (HSM, KMS, custom backends).
+ *
+ * Two API shapes resolve to the same code path:
+ *   - `issuer.credentials.issue(...)` — Stripe-style namespacing,
+ *     symmetric with `holder.credentials.*` and forward-compatible
+ *     with future operations (revoke, suspend, list).
+ *   - `issuer.issue(...)` — flat shorthand for the common case.
  */
 export declare class Issuer {
     /** The issuer's signer. Either supplied directly via `config.signer`
@@ -21,9 +39,30 @@ export declare class Issuer {
     private readonly kid;
     private readonly typ;
     private readonly hashAlg;
+    /** Credential operations. `issuer.credentials.{issue,issueBatch}(...)`.
+     * Mirrors `holder.credentials.*` for stylistic symmetry across the SDK. */
+    readonly credentials: IssuerCredentialsApi;
     constructor(config: IssuerConfig);
-    /** Issue a single SD-JWT-VC credential bound to a holder. */
+    /** Issue a single SD-JWT-VC credential bound to a holder.
+     *
+     * Equivalent to `issuer.credentials.issue(options)`. Both shapes are
+     * stable; pick whichever reads better at the call site. */
     issue(options: IssueOptions): Promise<IssueResult>;
+    /** Issue N credentials in a batch — OID4VCI Draft 14/15 batch flow.
+     *
+     * Equivalent to `issuer.credentials.issueBatch(options)`. Each entry in
+     * `options.credentials` produces one independent credential bound to
+     * that entry's `holderKey`, with fresh disclosure salts (so two
+     * credentials over the same claims are unlinkable on the wire) and a
+     * distinct credentialId. Shared options (subject, vct, expiry, …)
+     * apply to every credential.
+     *
+     * The EU reference wallet uses this to mint pools of one-time-use
+     * credentials so each presentation reveals a fresh token rather than
+     * a long-lived one. */
+    issueBatch(options: BatchIssueOptions): Promise<readonly IssueResult[]>;
+    private issueBatchImpl;
+    private issueImpl;
     /** The issuer's public JWK — useful to publish at /.well-known/jwks.json. */
     get publicKey(): JsonWebKey;
     /** The issuer's identifier — useful for downstream URLs. */

package/dist/issuer.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"issuer.d.ts","sourceRoot":"","sources":["../src/issuer.ts"],"names":[],"mappings":"AAEA,OAAO,EAAY,KAAK,UAAU,EAAe,MAAM,eAAe,CAAC;AACvE,OAAO,EAEL,KAAK,YAAY,EACjB,KAAK,WAAW,EAChB,KAAK,YAAY,EAClB,MAAM,YAAY,CAAC;AAKpB;;;;;;;;;;;GAWG;AACH,qBAAa,MAAM;IACjB;4EACwE;IACxE,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,sCAAsC;IACtC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;IACvC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAqB;IACzC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAqB;IACzC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAsB;gBAElC,MAAM,EAAE,YAAY;IAWhC,6DAA6D;IACvD,KAAK,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC;IAsDxD,6EAA6E;IAC7E,IAAI,SAAS,IAAI,UAAU,CAE1B;IAED,4DAA4D;IAC5D,IAAI,QAAQ,IAAI,MAAM,CAErB;CACF"}
+{"version":3,"file":"issuer.d.ts","sourceRoot":"","sources":["../src/issuer.ts"],"names":[],"mappings":"AAEA,OAAO,EAAY,KAAK,UAAU,EAAe,MAAM,eAAe,CAAC;AACvE,OAAO,EAGL,KAAK,iBAAiB,EACtB,KAAK,YAAY,EACjB,KAAK,WAAW,EAChB,KAAK,YAAY,EAClB,MAAM,YAAY,CAAC;AAKpB;mCACmC;AACnC,MAAM,WAAW,oBAAoB;IACnC,6DAA6D;IAC7D,KAAK,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC;IACnD;;;;yEAIqE;IACrE,UAAU,CAAC,OAAO,EAAE,iBAAiB,GAAG,OAAO,CAAC,SAAS,WAAW,EAAE,CAAC,CAAC;CACzE;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,qBAAa,MAAM;IACjB;4EACwE;IACxE,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,sCAAsC;IACtC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;IACvC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAqB;IACzC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAqB;IACzC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAsB;IAE9C;+EAC2E;IAC3E,QAAQ,CAAC,WAAW,EAAE,oBAAoB,CAAC;gBAE/B,MAAM,EAAE,YAAY;IAkBhC;;;+DAG2D;IACrD,KAAK,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC;IAIxD;;;;;;;;;;;2BAWuB;IACjB,UAAU,CACd,OAAO,EAAE,iBAAiB,GACzB,OAAO,CAAC,SAAS,WAAW,EAAE,CAAC;YAIpB,cAAc;YAiCd,SAAS;IAsDvB,6EAA6E;IAC7E,IAAI,SAAS,IAAI,UAAU,CAE1B;IAED,4DAA4D;IAC5D,IAAI,QAAQ,IAAI,MAAM,CAErB;CACF"}

package/dist/issuer.js

@@ -15,6 +15,12 @@ const DEFAULT_HASH_ALG = "sha-256";
  *     appear in `subject`,
  *   - {@link Signer} Strategy for signing — accepts raw JWKs (shorthand)
  *     or production-grade Signers (HSM, KMS, custom backends).
+ *
+ * Two API shapes resolve to the same code path:
+ *   - `issuer.credentials.issue(...)` — Stripe-style namespacing,
+ *     symmetric with `holder.credentials.*` and forward-compatible
+ *     with future operations (revoke, suspend, list).
+ *   - `issuer.issue(...)` — flat shorthand for the common case.
  */
 export class Issuer {
     /** The issuer's signer. Either supplied directly via `config.signer`
@@ -25,6 +31,9 @@ export class Issuer {
     kid;
     typ;
     hashAlg;
+    /** Credential operations. `issuer.credentials.{issue,issueBatch}(...)`.
+     * Mirrors `holder.credentials.*` for stylistic symmetry across the SDK. */
+    credentials;
     constructor(config) {
         if (typeof config.issuerId !== "string" || config.issuerId.length === 0) {
             throw new TypeError("Issuer: issuerId is required (a stable URL)");
@@ -34,9 +43,59 @@ export class Issuer {
         this.kid = config.kid;
         this.typ = config.typ;
         this.hashAlg = config.hashAlg;
+        // Build the namespaced sub-API. `issuer.credentials.{issue,issueBatch}`
+        // and `issuer.{issue,issueBatch}` both resolve here — single impl per op.
+        this.credentials = {
+            issue: (options) => this.issueImpl(options),
+            issueBatch: (options) => this.issueBatchImpl(options),
+        };
     }
-    /** Issue a single SD-JWT-VC credential bound to a holder. */
+    /** Issue a single SD-JWT-VC credential bound to a holder.
+     *
+     * Equivalent to `issuer.credentials.issue(options)`. Both shapes are
+     * stable; pick whichever reads better at the call site. */
     async issue(options) {
+        return this.issueImpl(options);
+    }
+    /** Issue N credentials in a batch — OID4VCI Draft 14/15 batch flow.
+     *
+     * Equivalent to `issuer.credentials.issueBatch(options)`. Each entry in
+     * `options.credentials` produces one independent credential bound to
+     * that entry's `holderKey`, with fresh disclosure salts (so two
+     * credentials over the same claims are unlinkable on the wire) and a
+     * distinct credentialId. Shared options (subject, vct, expiry, …)
+     * apply to every credential.
+     *
+     * The EU reference wallet uses this to mint pools of one-time-use
+     * credentials so each presentation reveals a fresh token rather than
+     * a long-lived one. */
+    async issueBatch(options) {
+        return this.issueBatchImpl(options);
+    }
+    async issueBatchImpl(options) {
+        if (!Array.isArray(options.credentials) || options.credentials.length === 0) {
+            throw new IssuerError("issuer.batch_empty", "issueBatch: credentials must be a non-empty array");
+        }
+        // Pin `issuedAt` once so every credential in the batch reports the same
+        // iat. Without this, two credentials issued in the same logical batch
+        // could differ by a second — fine for spec, awkward for audit logs.
+        const sharedIssuedAt = options.issuedAt ?? Math.floor(Date.now() / 1000);
+        // Validate shared shape once via a representative `IssueOptions` (with
+        // a placeholder holderKey from the first entry) so errors like
+        // `disclosable_missing` and `expiry_conflict` surface once with a
+        // clean stack, not N times wrapped in batch noise.
+        const head = options.credentials[0];
+        validate(toIssueOptions(options, head, sharedIssuedAt));
+        // Issue each credential. We do this sequentially rather than via
+        // Promise.all to keep error reporting deterministic — a failure on
+        // entry 5 reports as "entry 5" and we stop, rather than racing.
+        const results = [];
+        for (const entry of options.credentials) {
+            results.push(await this.issueImpl(toIssueOptions(options, entry, sharedIssuedAt)));
+        }
+        return results;
+    }
+    async issueImpl(options) {
         validate(options);
         const issuedAt = options.issuedAt ?? Math.floor(Date.now() / 1000);
         const expiresAt = computeExpiry(options, issuedAt);
@@ -121,6 +180,32 @@ function normalizeIssuerSigner(config) {
     }
     throw new TypeError("Issuer: pass either { privateKey, publicKey, alg } (raw shorthand) or { signer } (production)");
 }
+/**
+ * Merge shared batch options with one per-credential entry into the
+ * `IssueOptions` shape that `issueImpl` consumes. Pure function — no
+ * side effects — so it's safe to call once per entry in a tight loop.
+ *
+ * Conditional spreads honour `exactOptionalPropertyTypes`: a property is
+ * either set (with a defined value) or absent, never `undefined`.
+ */
+function toIssueOptions(shared, entry, sharedIssuedAt) {
+    return {
+        subject: shared.subject,
+        vct: shared.vct,
+        holderKey: entry.holderKey,
+        issuedAt: sharedIssuedAt,
+        ...(shared.selectivelyDisclosable !== undefined
+            ? { selectivelyDisclosable: shared.selectivelyDisclosable }
+            : {}),
+        ...(shared.expiresIn !== undefined ? { expiresIn: shared.expiresIn } : {}),
+        ...(shared.expiresAt !== undefined ? { expiresAt: shared.expiresAt } : {}),
+        ...(shared.notBefore !== undefined ? { notBefore: shared.notBefore } : {}),
+        ...(entry.credentialId !== undefined
+            ? { credentialId: entry.credentialId }
+            : {}),
+        ...(entry.status !== undefined ? { status: entry.status } : {}),
+    };
+}
 // ---------------------------------------------------------------------------
 // validation
 // ---------------------------------------------------------------------------

package/dist/issuer.js.map

@@ -1 +1 @@
-{"version":3,"file":"issuer.js","sourceRoot":"","sources":["../src/issuer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,UAAU,EAAgB,MAAM,iBAAiB,CAAC;AAC3D,OAAO,EAAE,QAAQ,EAAgC,MAAM,eAAe,CAAC;AACvE,OAAO,EACL,WAAW,GAIZ,MAAM,YAAY,CAAC;AAEpB,MAAM,WAAW,GAAG,WAAW,CAAC;AAChC,MAAM,gBAAgB,GAAY,SAAS,CAAC;AAE5C;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,MAAM;IACjB;4EACwE;IACvD,MAAM,CAAS;IAChC,sCAAsC;IACrB,aAAa,CAAS;IACtB,GAAG,CAAqB;IACxB,GAAG,CAAqB;IACxB,OAAO,CAAsB;IAE9C,YAAY,MAAoB;QAC9B,IAAI,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxE,MAAM,IAAI,SAAS,CAAC,6CAA6C,CAAC,CAAC;QACrE,CAAC;QACD,IAAI,CAAC,MAAM,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;QAC5C,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,QAAQ,CAAC;QACrC,IAAI,CAAC,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;QACtB,IAAI,CAAC,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;QACtB,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;IAChC,CAAC;IAED,6DAA6D;IAC7D,KAAK,CAAC,KAAK,CAAC,OAAqB;QAC/B,QAAQ,CAAC,OAAO,CAAC,CAAC;QAElB,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QACnE,MAAM,SAAS,GAAG,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACnD,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,UAAU,EAAE,CAAC;QAE1D,wEAAwE;QACxE,+BAA+B;QAC/B,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,sBAAsB,IAAI,EAAE,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAA4B,EAAE,CAAC;QAC7C,MAAM,YAAY,GAA4B,EAAE,CAAC;QACjD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACrD,IAAI,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;gBAAE,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;;gBAC/B,YAAY,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QAC3B,CAAC;QAED,MAAM,OAAO,GAA4B;YACvC,GAAG,EAAE,IAAI,CAAC,aAAa;YACvB,GAAG,EAAE,QAAQ;YACb,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,GAAG,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,SAAS,EAAE;YAC/B,GAAG,YAAY;SAChB,CAAC;QACF,IAAI,SAAS,KAAK,SAAS;YAAE,OAAO,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC;QACxD,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS;YAAE,OAAO,CAAC,KAAK,CAAC,GAAG,OAAO,CAAC,SAAS,CAAC;QACxE,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS;YAAE,OAAO,CAAC,QAAQ,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;QAErE,wEAAwE;QACxE,MAAM,MAAM,GAAG,CAAC,aAAqB,EAAmB,EAAE,CACxD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAElC,MAAM,SAAS,GAAqC;YAClD,OAAO;YACP,QAAQ;YACR,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG;YACpB,GAAG,EAAE,IAAI,CAAC,GAAG,IAAI,WAAW;YAC5B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,gBAAgB;SAC1C,CAAC;QACF,IAAI,IAAI,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAC3B,SAAS,CAAC,WAAW,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC;QAC5C,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,CAAC;QAE3C,OAAO;YACL,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,YAAY;YACZ,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,SAAS;SACV,CAAC;IACJ,CAAC;IAED,6EAA6E;IAC7E,IAAI,SAAS;QACX,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;IAC/B,CAAC;IAED,4DAA4D;IAC5D,IAAI,QAAQ;QACV,OAAO,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;CACF;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,MAAoB;IACjD,IACE,QAAQ,IAAI,MAAM;QAClB,MAAM,CAAC,MAAM,KAAK,SAAS;QAC3B,OAAQ,MAAM,CAAC,MAAiB,CAAC,IAAI,KAAK,UAAU,EACpD,CAAC;QACD,OAAO,MAAM,CAAC,MAAM,CAAC;IACvB,CAAC;IACD,IACE,YAAY,IAAI,MAAM;QACtB,WAAW,IAAI,MAAM;QACrB,KAAK,IAAI,MAAM;QACf,MAAM,CAAC,UAAU,KAAK,IAAI;QAC1B,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ;QACrC,MAAM,CAAC,SAAS,KAAK,IAAI;QACzB,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ;QACpC,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;QAC9B,MAAM,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,EACrB,CAAC;QACD,OAAO,QAAQ,CAAC;YACd,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,GAAG,EAAE,MAAM,CAAC,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IACD,MAAM,IAAI,SAAS,CACjB,+FAA+F,CAChG,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E,SAAS,QAAQ,CAAC,OAAqB;IACrC,IACE,OAAO,CAAC,OAAO,KAAK,IAAI;QACxB,OAAO,OAAO,CAAC,OAAO,KAAK,QAAQ;QACnC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,EAC9B,CAAC;QACD,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,0CAA0C,CAAC,CAAC;IAC9F,CAAC;IACD,IAAI,OAAO,CAAC,SAAS,KAAK,IAAI,IAAI,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;QACxE,MAAM,IAAI,WAAW,CAAC,4BAA4B,EAAE,6CAA6C,CAAC,CAAC;IACrG,CAAC;IACD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,WAAW,CACnB,qBAAqB,EACrB,oDAAoD,CACrD,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACvE,MAAM,IAAI,WAAW,CACnB,wBAAwB,EACxB,uDAAuD,CACxD,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,sBAAsB,KAAK,SAAS,EAAE,CAAC;QACjD,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,sBAAsB,EAAE,CAAC;YAClD,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,CAAC;gBACjE,MAAM,IAAI,WAAW,CACnB,4BAA4B,EAC5B,yCAAyC,IAAI,6BAA6B,CAC3E,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IACD,0DAA0D;IAC1D,KAAK,MAAM,QAAQ,IAAI,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,CAAC,EAAE,CAAC;QAC5E,IAAI,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,CAAC;YACpE,MAAM,IAAI,WAAW,CACnB,kCAAkC,EAClC,uDAAuD,QAAQ,8BAA8B,CAC9F,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CACpB,OAAqB,EACrB,QAAgB;IAEhB,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACpC,IAAI,OAAO,CAAC,SAAS,IAAI,QAAQ,EAAE,CAAC;YAClC,MAAM,IAAI,WAAW,CACnB,uBAAuB,EACvB,qBAAqB,OAAO,CAAC,SAAS,yBAAyB,QAAQ,GAAG,CAC3E,CAAC;QACJ,CAAC;QACD,OAAO,OAAO,CAAC,SAAS,CAAC;IAC3B,CAAC;IACD,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACpC,IAAI,OAAO,CAAC,SAAS,IAAI,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,WAAW,CAAC,uBAAuB,EAAE,sCAAsC,CAAC,CAAC;QACzF,CAAC;QACD,OAAO,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC;IACtC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}
+{"version":3,"file":"issuer.js","sourceRoot":"","sources":["../src/issuer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,UAAU,EAAgB,MAAM,iBAAiB,CAAC;AAC3D,OAAO,EAAE,QAAQ,EAAgC,MAAM,eAAe,CAAC;AACvE,OAAO,EACL,WAAW,GAMZ,MAAM,YAAY,CAAC;AAEpB,MAAM,WAAW,GAAG,WAAW,CAAC;AAChC,MAAM,gBAAgB,GAAY,SAAS,CAAC;AAe5C;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,OAAO,MAAM;IACjB;4EACwE;IACvD,MAAM,CAAS;IAChC,sCAAsC;IACrB,aAAa,CAAS;IACtB,GAAG,CAAqB;IACxB,GAAG,CAAqB;IACxB,OAAO,CAAsB;IAE9C;+EAC2E;IAClE,WAAW,CAAuB;IAE3C,YAAY,MAAoB;QAC9B,IAAI,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxE,MAAM,IAAI,SAAS,CAAC,6CAA6C,CAAC,CAAC;QACrE,CAAC;QACD,IAAI,CAAC,MAAM,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;QAC5C,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,QAAQ,CAAC;QACrC,IAAI,CAAC,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;QACtB,IAAI,CAAC,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;QACtB,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAE9B,wEAAwE;QACxE,0EAA0E;QAC1E,IAAI,CAAC,WAAW,GAAG;YACjB,KAAK,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;YAC3C,UAAU,EAAE,CAAC,OAAO,EAAE,EAAE,CAAC,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC;SACtD,CAAC;IACJ,CAAC;IAED;;;+DAG2D;IAC3D,KAAK,CAAC,KAAK,CAAC,OAAqB;QAC/B,OAAO,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IACjC,CAAC;IAED;;;;;;;;;;;2BAWuB;IACvB,KAAK,CAAC,UAAU,CACd,OAA0B;QAE1B,OAAO,IAAI,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;IACtC,CAAC;IAEO,KAAK,CAAC,cAAc,CAC1B,OAA0B;QAE1B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,IAAI,OAAO,CAAC,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5E,MAAM,IAAI,WAAW,CACnB,oBAAoB,EACpB,mDAAmD,CACpD,CAAC;QACJ,CAAC;QAED,wEAAwE;QACxE,sEAAsE;QACtE,oEAAoE;QACpE,MAAM,cAAc,GAClB,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QAEpD,uEAAuE;QACvE,+DAA+D;QAC/D,kEAAkE;QAClE,mDAAmD;QACnD,MAAM,IAAI,GAAG,OAAO,CAAC,WAAW,CAAC,CAAC,CAAE,CAAC;QACrC,QAAQ,CAAC,cAAc,CAAC,OAAO,EAAE,IAAI,EAAE,cAAc,CAAC,CAAC,CAAC;QAExD,iEAAiE;QACjE,mEAAmE;QACnE,gEAAgE;QAChE,MAAM,OAAO,GAAkB,EAAE,CAAC;QAClC,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC;YACxC,OAAO,CAAC,IAAI,CAAC,MAAM,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC,OAAO,EAAE,KAAK,EAAE,cAAc,CAAC,CAAC,CAAC,CAAC;QACrF,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,KAAK,CAAC,SAAS,CAAC,OAAqB;QAC3C,QAAQ,CAAC,OAAO,CAAC,CAAC;QAElB,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QACnE,MAAM,SAAS,GAAG,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACnD,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,UAAU,EAAE,CAAC;QAE1D,wEAAwE;QACxE,+BAA+B;QAC/B,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,sBAAsB,IAAI,EAAE,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAA4B,EAAE,CAAC;QAC7C,MAAM,YAAY,GAA4B,EAAE,CAAC;QACjD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACrD,IAAI,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;gBAAE,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;;gBAC/B,YAAY,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QAC3B,CAAC;QAED,MAAM,OAAO,GAA4B;YACvC,GAAG,EAAE,IAAI,CAAC,aAAa;YACvB,GAAG,EAAE,QAAQ;YACb,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,GAAG,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,SAAS,EAAE;YAC/B,GAAG,YAAY;SAChB,CAAC;QACF,IAAI,SAAS,KAAK,SAAS;YAAE,OAAO,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC;QACxD,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS;YAAE,OAAO,CAAC,KAAK,CAAC,GAAG,OAAO,CAAC,SAAS,CAAC;QACxE,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS;YAAE,OAAO,CAAC,QAAQ,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;QAErE,wEAAwE;QACxE,MAAM,MAAM,GAAG,CAAC,aAAqB,EAAmB,EAAE,CACxD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAElC,MAAM,SAAS,GAAqC;YAClD,OAAO;YACP,QAAQ;YACR,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG;YACpB,GAAG,EAAE,IAAI,CAAC,GAAG,IAAI,WAAW;YAC5B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,gBAAgB;SAC1C,CAAC;QACF,IAAI,IAAI,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAC3B,SAAS,CAAC,WAAW,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC;QAC5C,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,CAAC;QAE3C,OAAO;YACL,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,YAAY;YACZ,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,SAAS;SACV,CAAC;IACJ,CAAC;IAED,6EAA6E;IAC7E,IAAI,SAAS;QACX,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;IAC/B,CAAC;IAED,4DAA4D;IAC5D,IAAI,QAAQ;QACV,OAAO,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;CACF;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,MAAoB;IACjD,IACE,QAAQ,IAAI,MAAM;QAClB,MAAM,CAAC,MAAM,KAAK,SAAS;QAC3B,OAAQ,MAAM,CAAC,MAAiB,CAAC,IAAI,KAAK,UAAU,EACpD,CAAC;QACD,OAAO,MAAM,CAAC,MAAM,CAAC;IACvB,CAAC;IACD,IACE,YAAY,IAAI,MAAM;QACtB,WAAW,IAAI,MAAM;QACrB,KAAK,IAAI,MAAM;QACf,MAAM,CAAC,UAAU,KAAK,IAAI;QAC1B,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ;QACrC,MAAM,CAAC,SAAS,KAAK,IAAI;QACzB,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ;QACpC,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;QAC9B,MAAM,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,EACrB,CAAC;QACD,OAAO,QAAQ,CAAC;YACd,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,GAAG,EAAE,MAAM,CAAC,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IACD,MAAM,IAAI,SAAS,CACjB,+FAA+F,CAChG,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,cAAc,CACrB,MAAyB,EACzB,KAAsB,EACtB,cAAsB;IAEtB,OAAO;QACL,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,SAAS,EAAE,KAAK,CAAC,SAAS;QAC1B,QAAQ,EAAE,cAAc;QACxB,GAAG,CAAC,MAAM,CAAC,sBAAsB,KAAK,SAAS;YAC7C,CAAC,CAAC,EAAE,sBAAsB,EAAE,MAAM,CAAC,sBAAsB,EAAE;YAC3D,CAAC,CAAC,EAAE,CAAC;QACP,GAAG,CAAC,MAAM,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1E,GAAG,CAAC,MAAM,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1E,GAAG,CAAC,MAAM,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC1E,GAAG,CAAC,KAAK,CAAC,YAAY,KAAK,SAAS;YAClC,CAAC,CAAC,EAAE,YAAY,EAAE,KAAK,CAAC,YAAY,EAAE;YACtC,CAAC,CAAC,EAAE,CAAC;QACP,GAAG,CAAC,KAAK,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAChE,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E,SAAS,QAAQ,CAAC,OAAqB;IACrC,IACE,OAAO,CAAC,OAAO,KAAK,IAAI;QACxB,OAAO,OAAO,CAAC,OAAO,KAAK,QAAQ;QACnC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,EAC9B,CAAC;QACD,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,0CAA0C,CAAC,CAAC;IAC9F,CAAC;IACD,IAAI,OAAO,CAAC,SAAS,KAAK,IAAI,IAAI,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;QACxE,MAAM,IAAI,WAAW,CAAC,4BAA4B,EAAE,6CAA6C,CAAC,CAAC;IACrG,CAAC;IACD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,WAAW,CACnB,qBAAqB,EACrB,oDAAoD,CACrD,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACvE,MAAM,IAAI,WAAW,CACnB,wBAAwB,EACxB,uDAAuD,CACxD,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,sBAAsB,KAAK,SAAS,EAAE,CAAC;QACjD,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,sBAAsB,EAAE,CAAC;YAClD,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,CAAC;gBACjE,MAAM,IAAI,WAAW,CACnB,4BAA4B,EAC5B,yCAAyC,IAAI,6BAA6B,CAC3E,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IACD,0DAA0D;IAC1D,KAAK,MAAM,QAAQ,IAAI,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,CAAC,EAAE,CAAC;QAC5E,IAAI,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,CAAC;YACpE,MAAM,IAAI,WAAW,CACnB,kCAAkC,EAClC,uDAAuD,QAAQ,8BAA8B,CAC9F,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CACpB,OAAqB,EACrB,QAAgB;IAEhB,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACpC,IAAI,OAAO,CAAC,SAAS,IAAI,QAAQ,EAAE,CAAC;YAClC,MAAM,IAAI,WAAW,CACnB,uBAAuB,EACvB,qBAAqB,OAAO,CAAC,SAAS,yBAAyB,QAAQ,GAAG,CAC3E,CAAC;QACJ,CAAC;QACD,OAAO,OAAO,CAAC,SAAS,CAAC;IAC3B,CAAC;IACD,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACpC,IAAI,OAAO,CAAC,SAAS,IAAI,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,WAAW,CAAC,uBAAuB,EAAE,sCAAsC,CAAC,CAAC;QACzF,CAAC;QACD,OAAO,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC;IACtC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/types.d.ts

@@ -73,8 +73,56 @@ export interface IssueResult {
     /** Computed expiry (if `expiresIn` or `expiresAt` was set). */
     expiresAt: number | undefined;
 }
+/**
+ * Per-credential binding for `issueBatch`. Everything that varies *across*
+ * credentials in the batch goes here; everything shared (subject, vct,
+ * expiry, …) sits at the top level of {@link BatchIssueOptions}.
+ */
+export interface BatchIssueEntry {
+    /** Holder's PUBLIC JWK — bound into this credential's `cnf.jwk`. Each
+     * entry must have a distinct holder key for one-time-use unlinkability. */
+    holderKey: JsonWebKey;
+    /** Override the generated credential ID (default: random UUID v4 per entry). */
+    credentialId?: string;
+    /** Per-credential `status` claim — typical use is to allocate a distinct
+     * Token Status List index for each one-time credential so they can be
+     * revoked independently. */
+    status?: Readonly<Record<string, unknown>>;
+}
+/**
+ * Options for `issuer.issueBatch()` (OID4VCI Draft 14/15 batch issuance).
+ *
+ * Shared across the batch: subject, vct, expiry, notBefore, issuedAt,
+ * selectivelyDisclosable.
+ *
+ * Per-credential: `credentials[i]` (holderKey, optional credentialId,
+ * optional status).
+ */
+export interface BatchIssueOptions {
+    /** Claims shared by every credential in the batch. Same semantics as
+     * {@link IssueOptions.subject}. */
+    subject: Readonly<Record<string, unknown>>;
+    /** SD-JWT-VC type identifier — shared across the batch. */
+    vct: string;
+    /** Names of `subject` keys to make selectively disclosable. Validated
+     * once against `subject`; applies to every credential. Each credential
+     * gets fresh random salts (so two credentials over the same data are
+     * unlinkable on the wire). */
+    selectivelyDisclosable?: readonly string[];
+    /** Shared `expiresIn`. Mutually exclusive with `expiresAt`. */
+    expiresIn?: number;
+    /** Shared absolute `expiresAt`. Mutually exclusive with `expiresIn`. */
+    expiresAt?: number;
+    /** Shared `nbf`. */
+    notBefore?: number;
+    /** Shared `iat`. Defaults to `floor(Date.now()/1000)` evaluated *once*
+     * for the whole batch (so every credential reports the same iat). */
+    issuedAt?: number;
+    /** One entry per credential to issue. Length ≥ 1. */
+    credentials: readonly BatchIssueEntry[];
+}
 /** Stable codes for `IssuerError`. */
-export type IssuerErrorCode = "issuer.subject_invalid" | "issuer.holder_key_required" | "issuer.vct_required" | "issuer.expiry_conflict" | "issuer.expiry_invalid" | "issuer.disclosable_missing" | "issuer.reserved_claim_in_subject";
+export type IssuerErrorCode = "issuer.subject_invalid" | "issuer.holder_key_required" | "issuer.vct_required" | "issuer.expiry_conflict" | "issuer.expiry_invalid" | "issuer.disclosable_missing" | "issuer.reserved_claim_in_subject" | "issuer.batch_empty";
 export declare class IssuerError extends Error {
     readonly name = "IssuerError";
     readonly code: IssuerErrorCode;

package/dist/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AACtE,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAEhE;;;;;;;;;;GAUG;AACH,MAAM,MAAM,iBAAiB,GACzB;IACE,qDAAqD;IACrD,UAAU,EAAE,UAAU,CAAC;IACvB,uDAAuD;IACvD,SAAS,EAAE,UAAU,CAAC;IACtB,2DAA2D;IAC3D,GAAG,EAAE,YAAY,CAAC;CACnB,GACD;IACE,2DAA2D;IAC3D,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAEN,2EAA2E;AAC3E,MAAM,MAAM,YAAY,GAAG,iBAAiB,GAAG;IAC7C,iEAAiE;IACjE,QAAQ,EAAE,MAAM,CAAC;IACjB,0EAA0E;IAC1E,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,qEAAqE;IACrE,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,mEAAmE;IACnE,GAAG,CAAC,EAAE,MAAM,CAAC;CACd,CAAC;AAEF,MAAM,WAAW,YAAY;IAC3B;;yDAEqD;IACrD,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IAC3C;2EACuE;IACvE,sBAAsB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC3C;mEAC+D;IAC/D,SAAS,EAAE,UAAU,CAAC;IACtB;;0DAEsD;IACtD,GAAG,EAAE,MAAM,CAAC;IACZ;sBACkB;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,4EAA4E;IAC5E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,yCAAyC;IACzC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,0EAA0E;IAC1E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,2EAA2E;IAC3E,MAAM,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IAC3C,sEAAsE;IACtE,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,kCAAkC;AAClC,MAAM,WAAW,WAAW;IAC1B,oEAAoE;IACpE,KAAK,EAAE,MAAM,CAAC;IACd,2CAA2C;IAC3C,YAAY,EAAE,MAAM,CAAC;IACrB,6EAA6E;IAC7E,WAAW,EAAE,SAAS,eAAe,EAAE,CAAC;IACxC,+DAA+D;IAC/D,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;CAC/B;AAED,sCAAsC;AACtC,MAAM,MAAM,eAAe,GACvB,wBAAwB,GACxB,4BAA4B,GAC5B,qBAAqB,GACrB,wBAAwB,GACxB,uBAAuB,GACvB,4BAA4B,GAC5B,kCAAkC,CAAC;AAEvC,qBAAa,WAAY,SAAQ,KAAK;IACpC,SAAkB,IAAI,iBAAiB;IACvC,QAAQ,CAAC,IAAI,EAAE,eAAe,CAAC;gBAE7B,IAAI,EAAE,eAAe,EACrB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;CAQhC"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AACtE,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAEhE;;;;;;;;;;GAUG;AACH,MAAM,MAAM,iBAAiB,GACzB;IACE,qDAAqD;IACrD,UAAU,EAAE,UAAU,CAAC;IACvB,uDAAuD;IACvD,SAAS,EAAE,UAAU,CAAC;IACtB,2DAA2D;IAC3D,GAAG,EAAE,YAAY,CAAC;CACnB,GACD;IACE,2DAA2D;IAC3D,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAEN,2EAA2E;AAC3E,MAAM,MAAM,YAAY,GAAG,iBAAiB,GAAG;IAC7C,iEAAiE;IACjE,QAAQ,EAAE,MAAM,CAAC;IACjB,0EAA0E;IAC1E,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,qEAAqE;IACrE,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,mEAAmE;IACnE,GAAG,CAAC,EAAE,MAAM,CAAC;CACd,CAAC;AAEF,MAAM,WAAW,YAAY;IAC3B;;yDAEqD;IACrD,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IAC3C;2EACuE;IACvE,sBAAsB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC3C;mEAC+D;IAC/D,SAAS,EAAE,UAAU,CAAC;IACtB;;0DAEsD;IACtD,GAAG,EAAE,MAAM,CAAC;IACZ;sBACkB;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,4EAA4E;IAC5E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,yCAAyC;IACzC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,0EAA0E;IAC1E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,2EAA2E;IAC3E,MAAM,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IAC3C,sEAAsE;IACtE,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,kCAAkC;AAClC,MAAM,WAAW,WAAW;IAC1B,oEAAoE;IACpE,KAAK,EAAE,MAAM,CAAC;IACd,2CAA2C;IAC3C,YAAY,EAAE,MAAM,CAAC;IACrB,6EAA6E;IAC7E,WAAW,EAAE,SAAS,eAAe,EAAE,CAAC;IACxC,+DAA+D;IAC/D,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;CAC/B;AAED;;;;GAIG;AACH,MAAM,WAAW,eAAe;IAC9B;+EAC2E;IAC3E,SAAS,EAAE,UAAU,CAAC;IACtB,gFAAgF;IAChF,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB;;gCAE4B;IAC5B,MAAM,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CAC5C;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,iBAAiB;IAChC;uCACmC;IACnC,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IAC3C,2DAA2D;IAC3D,GAAG,EAAE,MAAM,CAAC;IACZ;;;kCAG8B;IAC9B,sBAAsB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC3C,+DAA+D;IAC/D,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,wEAAwE;IACxE,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,oBAAoB;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;yEACqE;IACrE,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,qDAAqD;IACrD,WAAW,EAAE,SAAS,eAAe,EAAE,CAAC;CACzC;AAED,sCAAsC;AACtC,MAAM,MAAM,eAAe,GACvB,wBAAwB,GACxB,4BAA4B,GAC5B,qBAAqB,GACrB,wBAAwB,GACxB,uBAAuB,GACvB,4BAA4B,GAC5B,kCAAkC,GAClC,oBAAoB,CAAC;AAEzB,qBAAa,WAAY,SAAQ,KAAK;IACpC,SAAkB,IAAI,iBAAiB;IACvC,QAAQ,CAAC,IAAI,EAAE,eAAe,CAAC;gBAE7B,IAAI,EAAE,eAAe,EACrB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;CAQhC"}

package/dist/types.js.map

@@ -1 +1 @@
-{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AA4FA,MAAM,OAAO,WAAY,SAAQ,KAAK;IAClB,IAAI,GAAG,aAAa,CAAC;IAC9B,IAAI,CAAkB;IAC/B,YACE,IAAqB,EACrB,OAAe,EACf,OAA6B;QAE7B,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,OAAO,EAAE,KAAK,KAAK,SAAS,EAAE,CAAC;YAChC,IAA4B,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QACtD,CAAC;IACH,CAAC;CACF"}
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AA+IA,MAAM,OAAO,WAAY,SAAQ,KAAK;IAClB,IAAI,GAAG,aAAa,CAAC;IAC9B,IAAI,CAAkB;IAC/B,YACE,IAAqB,EACrB,OAAe,EACf,OAA6B;QAE7B,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,OAAO,EAAE,KAAK,KAAK,SAAS,EAAE,CAAC;YAChC,IAA4B,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QACtD,CAAC;IACH,CAAC;CACF"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gramota/issuer",
-  "version": "0.1.0",
+  "version": "0.3.0",
   "description": "EUDIW credential issuer — sign SD-JWT-VC credentials with selective disclosure and key binding.",
   "license": "Apache-2.0",
   "type": "module",
@@ -16,8 +16,8 @@
     "dist"
   ],
   "dependencies": {
-    "@gramota/jose": "0.1.0",
-    "@gramota/sd-jwt": "0.1.0"
+    "@gramota/jose": "0.2.0",
+    "@gramota/sd-jwt": "0.2.0"
   },
   "devDependencies": {
     "jose": "^5.9.6"