@gramota/issuer 0.1.0

package/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -0,0 +1,30 @@
+# @gramota/issuer
+
+> EUDIW credential issuer — sign SD-JWT-VC credentials with selective disclosure and key binding.
+
+Part of [Gramota](https://github.com/gramota-org/gramota) — the TypeScript
+SDK for the EU Digital Identity Wallet (EUDIW).
+
+## Install
+
+```bash
+pnpm add @gramota/issuer
+# or: npm install @gramota/issuer
+# or: yarn add @gramota/issuer
+```
+
+## Usage
+
+```ts
+import { Issuer } from "@gramota/issuer";
+
+const issuer = new Issuer({ signer, issuerUri });
+const credential = await issuer.issue({ vct, claims, holderKey });
+```
+
+For full docs, examples, and the high-level Verifier/Issuer/Holder API,
+see the [main repo](https://github.com/gramota-org/gramota).
+
+## License
+
+[Apache 2.0](https://github.com/gramota-org/gramota/blob/main/LICENSE)

package/dist/index.d.ts

@@ -0,0 +1,3 @@
+export { Issuer } from "./issuer.js";
+export { IssuerError, type IssuerConfig, type IssuerErrorCode, type IssueOptions, type IssueResult, } from "./types.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EACL,WAAW,EACX,KAAK,YAAY,EACjB,KAAK,eAAe,EACpB,KAAK,YAAY,EACjB,KAAK,WAAW,GACjB,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,3 @@
+export { Issuer } from "./issuer.js";
+export { IssuerError, } from "./types.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EACL,WAAW,GAKZ,MAAM,YAAY,CAAC"}

package/dist/issuer.d.ts

@@ -0,0 +1,32 @@
+import { type JsonWebKey } from "@gramota/jose";
+import { type IssueOptions, type IssueResult, type IssuerConfig } from "./types.js";
+/**
+ * The issuer role per IETF SD-JWT-VC §3.
+ *
+ * Wraps `issueSdJwt` (the low-level primitive in `@gramota/sd-jwt`) with:
+ *   - stateful config (signer, issuer id, optional kid/typ/hashAlg),
+ *   - holder-binding (cnf.jwk),
+ *   - sensible expiry handling (`expiresIn` or `expiresAt`),
+ *   - validation: every claim listed in `selectivelyDisclosable` must
+ *     appear in `subject`,
+ *   - {@link Signer} Strategy for signing — accepts raw JWKs (shorthand)
+ *     or production-grade Signers (HSM, KMS, custom backends).
+ */
+export declare class Issuer {
+    /** The issuer's signer. Either supplied directly via `config.signer`
+     * (production: HSM/KMS) or built from raw JWKs via {@link asSigner}. */
+    private readonly signer;
+    /** Stable issuer id (`iss` claim). */
+    private readonly issuerIdValue;
+    private readonly kid;
+    private readonly typ;
+    private readonly hashAlg;
+    constructor(config: IssuerConfig);
+    /** Issue a single SD-JWT-VC credential bound to a holder. */
+    issue(options: IssueOptions): Promise<IssueResult>;
+    /** The issuer's public JWK — useful to publish at /.well-known/jwks.json. */
+    get publicKey(): JsonWebKey;
+    /** The issuer's identifier — useful for downstream URLs. */
+    get issuerId(): string;
+}
+//# sourceMappingURL=issuer.d.ts.map

package/dist/issuer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"issuer.d.ts","sourceRoot":"","sources":["../src/issuer.ts"],"names":[],"mappings":"AAEA,OAAO,EAAY,KAAK,UAAU,EAAe,MAAM,eAAe,CAAC;AACvE,OAAO,EAEL,KAAK,YAAY,EACjB,KAAK,WAAW,EAChB,KAAK,YAAY,EAClB,MAAM,YAAY,CAAC;AAKpB;;;;;;;;;;;GAWG;AACH,qBAAa,MAAM;IACjB;4EACwE;IACxE,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,sCAAsC;IACtC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAS;IACvC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAqB;IACzC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAqB;IACzC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAsB;gBAElC,MAAM,EAAE,YAAY;IAWhC,6DAA6D;IACvD,KAAK,CAAC,OAAO,EAAE,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC;IAsDxD,6EAA6E;IAC7E,IAAI,SAAS,IAAI,UAAU,CAE1B;IAED,4DAA4D;IAC5D,IAAI,QAAQ,IAAI,MAAM,CAErB;CACF"}

package/dist/issuer.js

@@ -0,0 +1,171 @@
+import { randomUUID } from "node:crypto";
+import { issueSdJwt } from "@gramota/sd-jwt";
+import { asSigner } from "@gramota/jose";
+import { IssuerError, } from "./types.js";
+const DEFAULT_TYP = "vc+sd-jwt";
+const DEFAULT_HASH_ALG = "sha-256";
+/**
+ * The issuer role per IETF SD-JWT-VC §3.
+ *
+ * Wraps `issueSdJwt` (the low-level primitive in `@gramota/sd-jwt`) with:
+ *   - stateful config (signer, issuer id, optional kid/typ/hashAlg),
+ *   - holder-binding (cnf.jwk),
+ *   - sensible expiry handling (`expiresIn` or `expiresAt`),
+ *   - validation: every claim listed in `selectivelyDisclosable` must
+ *     appear in `subject`,
+ *   - {@link Signer} Strategy for signing — accepts raw JWKs (shorthand)
+ *     or production-grade Signers (HSM, KMS, custom backends).
+ */
+export class Issuer {
+    /** The issuer's signer. Either supplied directly via `config.signer`
+     * (production: HSM/KMS) or built from raw JWKs via {@link asSigner}. */
+    signer;
+    /** Stable issuer id (`iss` claim). */
+    issuerIdValue;
+    kid;
+    typ;
+    hashAlg;
+    constructor(config) {
+        if (typeof config.issuerId !== "string" || config.issuerId.length === 0) {
+            throw new TypeError("Issuer: issuerId is required (a stable URL)");
+        }
+        this.signer = normalizeIssuerSigner(config);
+        this.issuerIdValue = config.issuerId;
+        this.kid = config.kid;
+        this.typ = config.typ;
+        this.hashAlg = config.hashAlg;
+    }
+    /** Issue a single SD-JWT-VC credential bound to a holder. */
+    async issue(options) {
+        validate(options);
+        const issuedAt = options.issuedAt ?? Math.floor(Date.now() / 1000);
+        const expiresAt = computeExpiry(options, issuedAt);
+        const credentialId = options.credentialId ?? randomUUID();
+        // Split subject claims: SD ones become `sdClaims`, the rest are inlined
+        // directly in the JWT payload.
+        const sdNames = new Set(options.selectivelyDisclosable ?? []);
+        const sdClaims = {};
+        const directClaims = {};
+        for (const [k, v] of Object.entries(options.subject)) {
+            if (sdNames.has(k))
+                sdClaims[k] = v;
+            else
+                directClaims[k] = v;
+        }
+        const payload = {
+            iss: this.issuerIdValue,
+            iat: issuedAt,
+            vct: options.vct,
+            cnf: { jwk: options.holderKey },
+            ...directClaims,
+        };
+        if (expiresAt !== undefined)
+            payload["exp"] = expiresAt;
+        if (options.notBefore !== undefined)
+            payload["nbf"] = options.notBefore;
+        if (options.status !== undefined)
+            payload["status"] = options.status;
+        // Adapt the Signer to issueSdJwt's `signer: (s) => Promise<sig>` shape.
+        const signFn = (signedPayload) => this.signer.sign(signedPayload);
+        const issueOpts = {
+            payload,
+            sdClaims,
+            alg: this.signer.alg,
+            typ: this.typ ?? DEFAULT_TYP,
+            signer: signFn,
+            hashAlg: this.hashAlg ?? DEFAULT_HASH_ALG,
+        };
+        if (this.kid !== undefined) {
+            issueOpts.extraHeader = { kid: this.kid };
+        }
+        const result = await issueSdJwt(issueOpts);
+        return {
+            token: result.token,
+            credentialId,
+            disclosures: result.disclosures,
+            expiresAt,
+        };
+    }
+    /** The issuer's public JWK — useful to publish at /.well-known/jwks.json. */
+    get publicKey() {
+        return this.signer.publicKey;
+    }
+    /** The issuer's identifier — useful for downstream URLs. */
+    get issuerId() {
+        return this.issuerIdValue;
+    }
+}
+/**
+ * Normalize the Issuer config into a Signer (raw JWKs OR Signer).
+ */
+function normalizeIssuerSigner(config) {
+    if ("signer" in config &&
+        config.signer !== undefined &&
+        typeof config.signer.sign === "function") {
+        return config.signer;
+    }
+    if ("privateKey" in config &&
+        "publicKey" in config &&
+        "alg" in config &&
+        config.privateKey !== null &&
+        typeof config.privateKey === "object" &&
+        config.publicKey !== null &&
+        typeof config.publicKey === "object" &&
+        typeof config.alg === "string" &&
+        config.alg.length > 0) {
+        return asSigner({
+            publicKey: config.publicKey,
+            privateKey: config.privateKey,
+            alg: config.alg,
+        });
+    }
+    throw new TypeError("Issuer: pass either { privateKey, publicKey, alg } (raw shorthand) or { signer } (production)");
+}
+// ---------------------------------------------------------------------------
+// validation
+// ---------------------------------------------------------------------------
+function validate(options) {
+    if (options.subject === null ||
+        typeof options.subject !== "object" ||
+        Array.isArray(options.subject)) {
+        throw new IssuerError("issuer.subject_invalid", "issue: subject must be a non-null object");
+    }
+    if (options.holderKey === null || typeof options.holderKey !== "object") {
+        throw new IssuerError("issuer.holder_key_required", "issue: holderKey is required (a JsonWebKey)");
+    }
+    if (typeof options.vct !== "string" || options.vct.length === 0) {
+        throw new IssuerError("issuer.vct_required", "issue: vct is required per IETF SD-JWT-VC §3.2.2.1");
+    }
+    if (options.expiresIn !== undefined && options.expiresAt !== undefined) {
+        throw new IssuerError("issuer.expiry_conflict", "issue: expiresIn and expiresAt are mutually exclusive");
+    }
+    if (options.selectivelyDisclosable !== undefined) {
+        for (const name of options.selectivelyDisclosable) {
+            if (!Object.prototype.hasOwnProperty.call(options.subject, name)) {
+                throw new IssuerError("issuer.disclosable_missing", `issue: selectively disclosable claim '${name}' is not present in subject`);
+            }
+        }
+    }
+    // Reserved payload claims must NOT come from the subject.
+    for (const reserved of ["iss", "iat", "exp", "nbf", "cnf", "vct", "status"]) {
+        if (Object.prototype.hasOwnProperty.call(options.subject, reserved)) {
+            throw new IssuerError("issuer.reserved_claim_in_subject", `issue: subject must not contain reserved JWT claim '${reserved}' — pass via options instead`);
+        }
+    }
+}
+function computeExpiry(options, issuedAt) {
+    if (options.expiresAt !== undefined) {
+        if (options.expiresAt <= issuedAt) {
+            throw new IssuerError("issuer.expiry_invalid", `issue: expiresAt (${options.expiresAt}) must be > issuedAt (${issuedAt})`);
+        }
+        return options.expiresAt;
+    }
+    if (options.expiresIn !== undefined) {
+        if (options.expiresIn <= 0) {
+            throw new IssuerError("issuer.expiry_invalid", "issue: expiresIn must be > 0 seconds");
+        }
+        return issuedAt + options.expiresIn;
+    }
+    return undefined;
+}
+//# sourceMappingURL=issuer.js.map

package/dist/issuer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"issuer.js","sourceRoot":"","sources":["../src/issuer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,UAAU,EAAgB,MAAM,iBAAiB,CAAC;AAC3D,OAAO,EAAE,QAAQ,EAAgC,MAAM,eAAe,CAAC;AACvE,OAAO,EACL,WAAW,GAIZ,MAAM,YAAY,CAAC;AAEpB,MAAM,WAAW,GAAG,WAAW,CAAC;AAChC,MAAM,gBAAgB,GAAY,SAAS,CAAC;AAE5C;;;;;;;;;;;GAWG;AACH,MAAM,OAAO,MAAM;IACjB;4EACwE;IACvD,MAAM,CAAS;IAChC,sCAAsC;IACrB,aAAa,CAAS;IACtB,GAAG,CAAqB;IACxB,GAAG,CAAqB;IACxB,OAAO,CAAsB;IAE9C,YAAY,MAAoB;QAC9B,IAAI,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxE,MAAM,IAAI,SAAS,CAAC,6CAA6C,CAAC,CAAC;QACrE,CAAC;QACD,IAAI,CAAC,MAAM,GAAG,qBAAqB,CAAC,MAAM,CAAC,CAAC;QAC5C,IAAI,CAAC,aAAa,GAAG,MAAM,CAAC,QAAQ,CAAC;QACrC,IAAI,CAAC,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;QACtB,IAAI,CAAC,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;QACtB,IAAI,CAAC,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;IAChC,CAAC;IAED,6DAA6D;IAC7D,KAAK,CAAC,KAAK,CAAC,OAAqB;QAC/B,QAAQ,CAAC,OAAO,CAAC,CAAC;QAElB,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;QACnE,MAAM,SAAS,GAAG,aAAa,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACnD,MAAM,YAAY,GAAG,OAAO,CAAC,YAAY,IAAI,UAAU,EAAE,CAAC;QAE1D,wEAAwE;QACxE,+BAA+B;QAC/B,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,OAAO,CAAC,sBAAsB,IAAI,EAAE,CAAC,CAAC;QAC9D,MAAM,QAAQ,GAA4B,EAAE,CAAC;QAC7C,MAAM,YAAY,GAA4B,EAAE,CAAC;QACjD,KAAK,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACrD,IAAI,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;gBAAE,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;;gBAC/B,YAAY,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QAC3B,CAAC;QAED,MAAM,OAAO,GAA4B;YACvC,GAAG,EAAE,IAAI,CAAC,aAAa;YACvB,GAAG,EAAE,QAAQ;YACb,GAAG,EAAE,OAAO,CAAC,GAAG;YAChB,GAAG,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,SAAS,EAAE;YAC/B,GAAG,YAAY;SAChB,CAAC;QACF,IAAI,SAAS,KAAK,SAAS;YAAE,OAAO,CAAC,KAAK,CAAC,GAAG,SAAS,CAAC;QACxD,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS;YAAE,OAAO,CAAC,KAAK,CAAC,GAAG,OAAO,CAAC,SAAS,CAAC;QACxE,IAAI,OAAO,CAAC,MAAM,KAAK,SAAS;YAAE,OAAO,CAAC,QAAQ,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC;QAErE,wEAAwE;QACxE,MAAM,MAAM,GAAG,CAAC,aAAqB,EAAmB,EAAE,CACxD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAElC,MAAM,SAAS,GAAqC;YAClD,OAAO;YACP,QAAQ;YACR,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG;YACpB,GAAG,EAAE,IAAI,CAAC,GAAG,IAAI,WAAW;YAC5B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,IAAI,CAAC,OAAO,IAAI,gBAAgB;SAC1C,CAAC;QACF,IAAI,IAAI,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAC3B,SAAS,CAAC,WAAW,GAAG,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,EAAE,CAAC;QAC5C,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,UAAU,CAAC,SAAS,CAAC,CAAC;QAE3C,OAAO;YACL,KAAK,EAAE,MAAM,CAAC,KAAK;YACnB,YAAY;YACZ,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,SAAS;SACV,CAAC;IACJ,CAAC;IAED,6EAA6E;IAC7E,IAAI,SAAS;QACX,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;IAC/B,CAAC;IAED,4DAA4D;IAC5D,IAAI,QAAQ;QACV,OAAO,IAAI,CAAC,aAAa,CAAC;IAC5B,CAAC;CACF;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,MAAoB;IACjD,IACE,QAAQ,IAAI,MAAM;QAClB,MAAM,CAAC,MAAM,KAAK,SAAS;QAC3B,OAAQ,MAAM,CAAC,MAAiB,CAAC,IAAI,KAAK,UAAU,EACpD,CAAC;QACD,OAAO,MAAM,CAAC,MAAM,CAAC;IACvB,CAAC;IACD,IACE,YAAY,IAAI,MAAM;QACtB,WAAW,IAAI,MAAM;QACrB,KAAK,IAAI,MAAM;QACf,MAAM,CAAC,UAAU,KAAK,IAAI;QAC1B,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ;QACrC,MAAM,CAAC,SAAS,KAAK,IAAI;QACzB,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ;QACpC,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;QAC9B,MAAM,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,EACrB,CAAC;QACD,OAAO,QAAQ,CAAC;YACd,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,GAAG,EAAE,MAAM,CAAC,GAAG;SAChB,CAAC,CAAC;IACL,CAAC;IACD,MAAM,IAAI,SAAS,CACjB,+FAA+F,CAChG,CAAC;AACJ,CAAC;AAED,8EAA8E;AAC9E,aAAa;AACb,8EAA8E;AAE9E,SAAS,QAAQ,CAAC,OAAqB;IACrC,IACE,OAAO,CAAC,OAAO,KAAK,IAAI;QACxB,OAAO,OAAO,CAAC,OAAO,KAAK,QAAQ;QACnC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,EAC9B,CAAC;QACD,MAAM,IAAI,WAAW,CAAC,wBAAwB,EAAE,0CAA0C,CAAC,CAAC;IAC9F,CAAC;IACD,IAAI,OAAO,CAAC,SAAS,KAAK,IAAI,IAAI,OAAO,OAAO,CAAC,SAAS,KAAK,QAAQ,EAAE,CAAC;QACxE,MAAM,IAAI,WAAW,CAAC,4BAA4B,EAAE,6CAA6C,CAAC,CAAC;IACrG,CAAC;IACD,IAAI,OAAO,OAAO,CAAC,GAAG,KAAK,QAAQ,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChE,MAAM,IAAI,WAAW,CACnB,qBAAqB,EACrB,oDAAoD,CACrD,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACvE,MAAM,IAAI,WAAW,CACnB,wBAAwB,EACxB,uDAAuD,CACxD,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,CAAC,sBAAsB,KAAK,SAAS,EAAE,CAAC;QACjD,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,sBAAsB,EAAE,CAAC;YAClD,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,CAAC;gBACjE,MAAM,IAAI,WAAW,CACnB,4BAA4B,EAC5B,yCAAyC,IAAI,6BAA6B,CAC3E,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IACD,0DAA0D;IAC1D,KAAK,MAAM,QAAQ,IAAI,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,QAAQ,CAAC,EAAE,CAAC;QAC5E,IAAI,MAAM,CAAC,SAAS,CAAC,cAAc,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,CAAC;YACpE,MAAM,IAAI,WAAW,CACnB,kCAAkC,EAClC,uDAAuD,QAAQ,8BAA8B,CAC9F,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CACpB,OAAqB,EACrB,QAAgB;IAEhB,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACpC,IAAI,OAAO,CAAC,SAAS,IAAI,QAAQ,EAAE,CAAC;YAClC,MAAM,IAAI,WAAW,CACnB,uBAAuB,EACvB,qBAAqB,OAAO,CAAC,SAAS,yBAAyB,QAAQ,GAAG,CAC3E,CAAC;QACJ,CAAC;QACD,OAAO,OAAO,CAAC,SAAS,CAAC;IAC3B,CAAC;IACD,IAAI,OAAO,CAAC,SAAS,KAAK,SAAS,EAAE,CAAC;QACpC,IAAI,OAAO,CAAC,SAAS,IAAI,CAAC,EAAE,CAAC;YAC3B,MAAM,IAAI,WAAW,CAAC,uBAAuB,EAAE,sCAAsC,CAAC,CAAC;QACzF,CAAC;QACD,OAAO,QAAQ,GAAG,OAAO,CAAC,SAAS,CAAC;IACtC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,85 @@
+import type { JsonWebKey, Signer, SupportedAlg } from "@gramota/jose";
+import type { HashAlg, SdJwtDisclosure } from "@gramota/sd-jwt";
+/**
+ * Two equivalent ways to give the Issuer its signing capability:
+ *
+ *   - Raw form (shorthand for tests/dev):
+ *       { privateKey, publicKey, alg }
+ *   - Signer form (production with KMS / HSM / signing service):
+ *       { signer: Signer }
+ *
+ * Production issuers nearly always use the Signer form: their root-of-
+ * trust private key lives in an HSM / KMS and is RPC-signed.
+ */
+export type IssuerSignerInput = {
+    /** Issuer's PRIVATE JWK used to sign credentials. */
+    privateKey: JsonWebKey;
+    /** Issuer's PUBLIC JWK — used by holders to verify. */
+    publicKey: JsonWebKey;
+    /** JWS algorithm. Must be compatible with `privateKey`. */
+    alg: SupportedAlg;
+} | {
+    /** Production-grade signer Strategy (KMS, HSM, custom). */
+    signer: Signer;
+};
+/** Configuration for an Issuer instance — set once, used per `issue()`. */
+export type IssuerConfig = IssuerSignerInput & {
+    /** Issuer identifier (a stable URL). Becomes the `iss` claim. */
+    issuerId: string;
+    /** Hash algorithm for selective-disclosure digests. Default `sha-256`. */
+    hashAlg?: HashAlg;
+    /** JOSE `kid` header to set on every issued credential. Optional. */
+    kid?: string;
+    /** JOSE `typ` header. Default `vc+sd-jwt` (per SD-JWT-VC spec). */
+    typ?: string;
+};
+export interface IssueOptions {
+    /** All claims that will go into the credential. Top-level keys become
+     * either selectively-disclosable disclosures or directly-visible payload
+     * claims, controlled by `selectivelyDisclosable`. */
+    subject: Readonly<Record<string, unknown>>;
+    /** Names of `subject` keys to make selectively disclosable. Names that
+     * don't appear in `subject` cause an error. Default: empty (no SD). */
+    selectivelyDisclosable?: readonly string[];
+    /** Holder's PUBLIC JWK — bound into `cnf.jwk`. Required by SD-JWT-VC for
+     * holder-binding (the security model collapses without it). */
+    holderKey: JsonWebKey;
+    /** SD-JWT-VC credential type identifier — required by the spec. Customers
+     * who really know what they're doing can pass an empty string to skip,
+     * but the default behaviour rejects missing `vct`. */
+    vct: string;
+    /** Seconds-until-expiry, relative to `issuedAt`. Mutually exclusive with
+     * `expiresAt`. */
+    expiresIn?: number;
+    /** Absolute expiry as Unix seconds. Mutually exclusive with `expiresIn`. */
+    expiresAt?: number;
+    /** Optional `nbf` (not-before) claim. */
+    notBefore?: number;
+    /** Override `iat` — defaults to `floor(Date.now()/1000)` at call time. */
+    issuedAt?: number;
+    /** Optional `status` claim for revocation tracking (Token Status List). */
+    status?: Readonly<Record<string, unknown>>;
+    /** Override the generated credential ID (default: random UUID v4). */
+    credentialId?: string;
+}
+/** Result of `issuer.issue()`. */
+export interface IssueResult {
+    /** The compact-serialised SD-JWT-VC token to send to the holder. */
+    token: string;
+    /** Issuer-side identifier for tracking. */
+    credentialId: string;
+    /** Disclosure objects — useful for the issuer's own records / audit logs. */
+    disclosures: readonly SdJwtDisclosure[];
+    /** Computed expiry (if `expiresIn` or `expiresAt` was set). */
+    expiresAt: number | undefined;
+}
+/** Stable codes for `IssuerError`. */
+export type IssuerErrorCode = "issuer.subject_invalid" | "issuer.holder_key_required" | "issuer.vct_required" | "issuer.expiry_conflict" | "issuer.expiry_invalid" | "issuer.disclosable_missing" | "issuer.reserved_claim_in_subject";
+export declare class IssuerError extends Error {
+    readonly name = "IssuerError";
+    readonly code: IssuerErrorCode;
+    constructor(code: IssuerErrorCode, message: string, options?: {
+        cause?: unknown;
+    });
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AACtE,OAAO,KAAK,EAAE,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAEhE;;;;;;;;;;GAUG;AACH,MAAM,MAAM,iBAAiB,GACzB;IACE,qDAAqD;IACrD,UAAU,EAAE,UAAU,CAAC;IACvB,uDAAuD;IACvD,SAAS,EAAE,UAAU,CAAC;IACtB,2DAA2D;IAC3D,GAAG,EAAE,YAAY,CAAC;CACnB,GACD;IACE,2DAA2D;IAC3D,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC;AAEN,2EAA2E;AAC3E,MAAM,MAAM,YAAY,GAAG,iBAAiB,GAAG;IAC7C,iEAAiE;IACjE,QAAQ,EAAE,MAAM,CAAC;IACjB,0EAA0E;IAC1E,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,qEAAqE;IACrE,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,mEAAmE;IACnE,GAAG,CAAC,EAAE,MAAM,CAAC;CACd,CAAC;AAEF,MAAM,WAAW,YAAY;IAC3B;;yDAEqD;IACrD,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IAC3C;2EACuE;IACvE,sBAAsB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAC3C;mEAC+D;IAC/D,SAAS,EAAE,UAAU,CAAC;IACtB;;0DAEsD;IACtD,GAAG,EAAE,MAAM,CAAC;IACZ;sBACkB;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,4EAA4E;IAC5E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,yCAAyC;IACzC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,0EAA0E;IAC1E,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,2EAA2E;IAC3E,MAAM,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IAC3C,sEAAsE;IACtE,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,kCAAkC;AAClC,MAAM,WAAW,WAAW;IAC1B,oEAAoE;IACpE,KAAK,EAAE,MAAM,CAAC;IACd,2CAA2C;IAC3C,YAAY,EAAE,MAAM,CAAC;IACrB,6EAA6E;IAC7E,WAAW,EAAE,SAAS,eAAe,EAAE,CAAC;IACxC,+DAA+D;IAC/D,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;CAC/B;AAED,sCAAsC;AACtC,MAAM,MAAM,eAAe,GACvB,wBAAwB,GACxB,4BAA4B,GAC5B,qBAAqB,GACrB,wBAAwB,GACxB,uBAAuB,GACvB,4BAA4B,GAC5B,kCAAkC,CAAC;AAEvC,qBAAa,WAAY,SAAQ,KAAK;IACpC,SAAkB,IAAI,iBAAiB;IACvC,QAAQ,CAAC,IAAI,EAAE,eAAe,CAAC;gBAE7B,IAAI,EAAE,eAAe,EACrB,OAAO,EAAE,MAAM,EACf,OAAO,CAAC,EAAE;QAAE,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;CAQhC"}

package/dist/types.js

@@ -0,0 +1,12 @@
+export class IssuerError extends Error {
+    name = "IssuerError";
+    code;
+    constructor(code, message, options) {
+        super(message);
+        this.code = code;
+        if (options?.cause !== undefined) {
+            this.cause = options.cause;
+        }
+    }
+}
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AA4FA,MAAM,OAAO,WAAY,SAAQ,KAAK;IAClB,IAAI,GAAG,aAAa,CAAC;IAC9B,IAAI,CAAkB;IAC/B,YACE,IAAqB,EACrB,OAAe,EACf,OAA6B;QAE7B,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,OAAO,EAAE,KAAK,KAAK,SAAS,EAAE,CAAC;YAChC,IAA4B,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QACtD,CAAC;IACH,CAAC;CACF"}

package/package.json

@@ -0,0 +1,55 @@
+{
+  "name": "@gramota/issuer",
+  "version": "0.1.0",
+  "description": "EUDIW credential issuer — sign SD-JWT-VC credentials with selective disclosure and key binding.",
+  "license": "Apache-2.0",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "dependencies": {
+    "@gramota/jose": "0.1.0",
+    "@gramota/sd-jwt": "0.1.0"
+  },
+  "devDependencies": {
+    "jose": "^5.9.6"
+  },
+  "author": "Petromil Pavlov <petromilpavlov@gmail.com>",
+  "homepage": "https://github.com/gramota-org/gramota#readme",
+  "bugs": {
+    "url": "https://github.com/gramota-org/gramota/issues"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "sideEffects": false,
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org/"
+  },
+  "keywords": [
+    "issuer",
+    "oid4vci",
+    "sd-jwt-vc",
+    "eudi",
+    "verifiable-credentials",
+    "credential-issuance"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/gramota-org/gramota.git",
+    "directory": "packages/issuer"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "typecheck": "tsc -p tsconfig.json --noEmit"
+  }
+}