@gramota/verifier 0.1.0

package/LICENSE

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -0,0 +1,31 @@
+# @gramota/verifier
+
+> Relying-party verifier for the EU Digital Identity Wallet. One client, one method, full IETF SD-JWT-VC + KB-JWT spec compliance.
+
+Part of [Gramota](https://github.com/gramota-org/gramota) — the TypeScript
+SDK for the EU Digital Identity Wallet (EUDIW).
+
+## Install
+
+```bash
+pnpm add @gramota/verifier
+# or: npm install @gramota/verifier
+# or: yarn add @gramota/verifier
+```
+
+## Usage
+
+```ts
+import { Verifier } from "@gramota/verifier";
+
+const verifier = new Verifier({ audience, trustResolver });
+const result = await verifier.verify(presentationToken, { nonce });
+if (result.ok) console.log(result.claims);
+```
+
+For full docs, examples, and the high-level Verifier/Issuer/Holder API,
+see the [main repo](https://github.com/gramota-org/gramota).
+
+## License
+
+[Apache 2.0](https://github.com/gramota-org/gramota/blob/main/LICENSE)

package/dist/index.d.ts

@@ -0,0 +1,6 @@
+export { Verifier, verify } from "./verifier.js";
+export type { PresentationRequestOptions, PresentationRequest, VerifyResponseOptions, VerifyResponseResult, } from "./verifier.js";
+export { inspect } from "./inspect.js";
+export { VerificationError } from "./types.js";
+export type { VerifierConfig, VerifyOptions, VerifyResult, SuccessResult, FailureResult, SecurityCheck, SecurityCheckName, VerificationMetadata, } from "./types.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AACjD,YAAY,EACV,0BAA0B,EAC1B,mBAAmB,EACnB,qBAAqB,EACrB,oBAAoB,GACrB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACvC,OAAO,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAC/C,YAAY,EACV,cAAc,EACd,aAAa,EACb,YAAY,EACZ,aAAa,EACb,aAAa,EACb,aAAa,EACb,iBAAiB,EACjB,oBAAoB,GACrB,MAAM,YAAY,CAAC"}

package/dist/index.js

@@ -0,0 +1,4 @@
+export { Verifier, verify } from "./verifier.js";
+export { inspect } from "./inspect.js";
+export { VerificationError } from "./types.js";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE,MAAM,eAAe,CAAC;AAOjD,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAC;AACvC,OAAO,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC"}

package/dist/inspect.d.ts

@@ -0,0 +1,8 @@
+import { type ParsedSdJwt } from "@gramota/sd-jwt";
+/**
+ * Parse an SD-JWT-VC presentation token without verifying anything.
+ * Useful for debug UIs, CLI tools, and admin dashboards. Never use the
+ * output to make trust decisions — that's `verifier.verify()`'s job.
+ */
+export declare function inspect(presentationToken: string): ParsedSdJwt;
+//# sourceMappingURL=inspect.d.ts.map

package/dist/inspect.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"inspect.d.ts","sourceRoot":"","sources":["../src/inspect.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,KAAK,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAE/D;;;;GAIG;AACH,wBAAgB,OAAO,CAAC,iBAAiB,EAAE,MAAM,GAAG,WAAW,CAE9D"}

package/dist/inspect.js

@@ -0,0 +1,10 @@
+import { parseSdJwt } from "@gramota/sd-jwt";
+/**
+ * Parse an SD-JWT-VC presentation token without verifying anything.
+ * Useful for debug UIs, CLI tools, and admin dashboards. Never use the
+ * output to make trust decisions — that's `verifier.verify()`'s job.
+ */
+export function inspect(presentationToken) {
+    return parseSdJwt(presentationToken);
+}
+//# sourceMappingURL=inspect.js.map

package/dist/inspect.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"inspect.js","sourceRoot":"","sources":["../src/inspect.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAoB,MAAM,iBAAiB,CAAC;AAE/D;;;;GAIG;AACH,MAAM,UAAU,OAAO,CAAC,iBAAyB;IAC/C,OAAO,UAAU,CAAC,iBAAiB,CAAC,CAAC;AACvC,CAAC"}

package/dist/types.d.ts

@@ -0,0 +1,120 @@
+import type { JsonWebKey, SupportedAlg } from "@gramota/jose";
+import type { TrustResolver } from "@gramota/trust";
+import type { CredentialStatusResult, StatusResolver } from "@gramota/status-list";
+/** Configuration for a Verifier instance. */
+export interface VerifierConfig {
+    /** The verifier's identifier. The KB-JWT's `aud` claim MUST equal this.
+     * Cross-verifier replay protection — pick a stable, app-specific URL. */
+    audience: string;
+    /** Exactly one of `issuerKey` (shorthand) OR `trust` (full resolver) is
+     * required. */
+    issuerKey?: JsonWebKey;
+    /** Pluggable trust resolution. Use `StaticTrustResolver` for hard-coded
+     * keys, `JwksUrlTrustResolver` for runtime JWKS fetching, or any custom
+     * implementation of the `TrustResolver` interface. */
+    trust?: TrustResolver;
+    /**
+     * Pluggable revocation/suspension resolution (Strategy pattern).
+     *
+     * When set, the verifier runs a 10th security check ("status.check")
+     * after all crypto checks pass. Default: omitted — no status check.
+     *
+     * Use `StatusListResolver` for IETF Token Status List (the typical EU
+     * choice). Custom resolvers (CRL, OCSP, EU Trusted Issuers Registry,
+     * deny-lists) implement the `StatusResolver` interface and plug in here.
+     */
+    statusResolver?: StatusResolver;
+    /** JWS algorithm allowlist for both issuer and KB-JWT signatures.
+     * Default: every IETF asymmetric algorithm we support.
+     * `alg=none` is *never* permitted, regardless of this list. */
+    algorithms?: readonly SupportedAlg[];
+    /** Maximum acceptable age of the KB-JWT, in seconds. Default 60. */
+    maxKbJwtAgeSeconds?: number;
+    /** Maximum acceptable clock skew (KB-JWT `iat` in the future), in seconds.
+     * Default 30. */
+    maxClockSkewSeconds?: number;
+}
+/** Per-call options for `verifier.verify(...)`. */
+export interface VerifyOptions {
+    /** The challenge the verifier sent to the wallet. The KB-JWT's `nonce`
+     * claim MUST equal this. Within-verifier replay protection. */
+    nonce: string;
+    /** Override "now" — used for tests and time-frozen environments. Returns
+     * Unix seconds. Default: `Math.floor(Date.now() / 1000)`. */
+    now?: () => number;
+    /**
+     * Status-check policy for THIS verification.
+     *
+     * - When `false`/omitted, the configured `statusResolver` (if any)
+     *   is still consulted; "skipped" is acceptable.
+     * - When `true`, a credential with no resolvable status fails the
+     *   "status.check" gate. Useful for high-assurance flows where
+     *   non-revocable credentials are unacceptable.
+     *
+     * Has no effect when no `statusResolver` is configured on the Verifier.
+     */
+    requireStatus?: boolean;
+}
+/** A single security check, recorded for observability. Every check is
+ * present in the result regardless of pass/fail, so customers can build
+ * audit dashboards. */
+export interface SecurityCheck {
+    /** Stable identifier — useful for logs and dashboards. */
+    name: SecurityCheckName;
+    passed: boolean;
+    /** Human-readable detail when the check fails. */
+    message?: string;
+}
+/** Stable identifiers for the security checks we run, in execution order. */
+export type SecurityCheckName = "structure.parse" | "trust.resolution" | "issuer.signature" | "hash-binding.disclosures" | "kb-jwt.present" | "kb-jwt.cnf-binding" | "kb-jwt.signature" | "kb-jwt.audience" | "kb-jwt.nonce" | "kb-jwt.time" | "kb-jwt.transcript" | "status.check";
+/** Protocol metadata extracted alongside the user-facing claims. */
+export interface VerificationMetadata {
+    issuer: string;
+    audience: string;
+    issuedAt: number | undefined;
+    expiresAt: number | undefined;
+    /** The holder's bound public JWK from cnf.jwk in the parent SD-JWT. After
+     * verification this is guaranteed to be a well-formed JWK that successfully
+     * verified the KB-JWT signature. */
+    holderKey: Readonly<Record<string, unknown>>;
+}
+export type VerifyResult<TClaims = Record<string, unknown>> = SuccessResult<TClaims> | FailureResult;
+export interface SuccessResult<TClaims = Record<string, unknown>> {
+    ok: true;
+    /** The selectively-disclosed user claims with `_sd` / `_sd_alg` / `cnf`
+     * stripped — this is what the application actually consumes. */
+    claims: TClaims;
+    /** Protocol-level metadata that's not part of the user claims. */
+    metadata: VerificationMetadata;
+    /** Every check we ran, all passed. Useful for audit trails. */
+    checks: readonly SecurityCheck[];
+    /** When `options.status` was supplied, the resolved status (or
+     * "skipped" if the credential carried no status reference). Absent
+     * when status checking wasn't requested. */
+    status?: CredentialStatusResult | "skipped";
+    /** Returns claims; never throws on success. */
+    unwrap(): TClaims;
+}
+export interface FailureResult {
+    ok: false;
+    /** Human-readable reason — surfaces the message from the failed check. */
+    reason: string;
+    /** Stable identifier of the first check that failed. */
+    failedCheck: SecurityCheckName;
+    /** Every check up to and including the one that failed. */
+    checks: readonly SecurityCheck[];
+    /** Throws `VerificationError` carrying this result. */
+    unwrap(): never;
+}
+export declare class VerificationError extends Error {
+    /** The full failure record — stable for logging. */
+    readonly result: FailureResult;
+    readonly name = "VerificationError";
+    /** Equal to `result.failedCheck` — stable identifier for log filters,
+     * alerts, and dashboards. Same shape as the codes used by other packages. */
+    readonly code: SecurityCheckName;
+    constructor(message: string, 
+    /** The full failure record — stable for logging. */
+    result: FailureResult);
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC9D,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACpD,OAAO,KAAK,EACV,sBAAsB,EACtB,cAAc,EACf,MAAM,sBAAsB,CAAC;AAE9B,6CAA6C;AAC7C,MAAM,WAAW,cAAc;IAC7B;6EACyE;IACzE,QAAQ,EAAE,MAAM,CAAC;IAEjB;mBACe;IACf,SAAS,CAAC,EAAE,UAAU,CAAC;IAEvB;;0DAEsD;IACtD,KAAK,CAAC,EAAE,aAAa,CAAC;IAEtB;;;;;;;;;OASG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAEhC;;mEAE+D;IAC/D,UAAU,CAAC,EAAE,SAAS,YAAY,EAAE,CAAC;IAErC,oEAAoE;IACpE,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAE5B;qBACiB;IACjB,mBAAmB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED,mDAAmD;AACnD,MAAM,WAAW,aAAa;IAC5B;mEAC+D;IAC/D,KAAK,EAAE,MAAM,CAAC;IAEd;iEAC6D;IAC7D,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;IAEnB;;;;;;;;;;OAUG;IACH,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED;;uBAEuB;AACvB,MAAM,WAAW,aAAa;IAC5B,0DAA0D;IAC1D,IAAI,EAAE,iBAAiB,CAAC;IACxB,MAAM,EAAE,OAAO,CAAC;IAChB,kDAAkD;IAClD,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED,6EAA6E;AAC7E,MAAM,MAAM,iBAAiB,GACzB,iBAAiB,GACjB,kBAAkB,GAClB,kBAAkB,GAClB,0BAA0B,GAC1B,gBAAgB,GAChB,oBAAoB,GACpB,kBAAkB,GAClB,iBAAiB,GACjB,cAAc,GACd,aAAa,GACb,mBAAmB,GACnB,cAAc,CAAC;AAEnB,oEAAoE;AACpE,MAAM,WAAW,oBAAoB;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,SAAS,EAAE,MAAM,GAAG,SAAS,CAAC;IAC9B;;wCAEoC;IACpC,SAAS,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;CAC9C;AAED,MAAM,MAAM,YAAY,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,IACtD,aAAa,CAAC,OAAO,CAAC,GACtB,aAAa,CAAC;AAElB,MAAM,WAAW,aAAa,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC;IAC9D,EAAE,EAAE,IAAI,CAAC;IACT;oEACgE;IAChE,MAAM,EAAE,OAAO,CAAC;IAChB,kEAAkE;IAClE,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,+DAA+D;IAC/D,MAAM,EAAE,SAAS,aAAa,EAAE,CAAC;IACjC;;gDAE4C;IAC5C,MAAM,CAAC,EAAE,sBAAsB,GAAG,SAAS,CAAC;IAC5C,+CAA+C;IAC/C,MAAM,IAAI,OAAO,CAAC;CACnB;AAED,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,KAAK,CAAC;IACV,0EAA0E;IAC1E,MAAM,EAAE,MAAM,CAAC;IACf,wDAAwD;IACxD,WAAW,EAAE,iBAAiB,CAAC;IAC/B,2DAA2D;IAC3D,MAAM,EAAE,SAAS,aAAa,EAAE,CAAC;IACjC,uDAAuD;IACvD,MAAM,IAAI,KAAK,CAAC;CACjB;AAED,qBAAa,iBAAkB,SAAQ,KAAK;IAOxC,oDAAoD;IACpD,QAAQ,CAAC,MAAM,EAAE,aAAa;IAPhC,SAAkB,IAAI,uBAAuB;IAC7C;iFAC6E;IAC7E,QAAQ,CAAC,IAAI,EAAE,iBAAiB,CAAC;gBAE/B,OAAO,EAAE,MAAM;IACf,oDAAoD;IAC3C,MAAM,EAAE,aAAa;CAKjC"}

package/dist/types.js

@@ -0,0 +1,15 @@
+export class VerificationError extends Error {
+    result;
+    name = "VerificationError";
+    /** Equal to `result.failedCheck` — stable identifier for log filters,
+     * alerts, and dashboards. Same shape as the codes used by other packages. */
+    code;
+    constructor(message, 
+    /** The full failure record — stable for logging. */
+    result) {
+        super(message);
+        this.result = result;
+        this.code = result.failedCheck;
+    }
+}
+//# sourceMappingURL=types.js.map

package/dist/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AA8IA,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAQ/B;IAPO,IAAI,GAAG,mBAAmB,CAAC;IAC7C;iFAC6E;IACpE,IAAI,CAAoB;IACjC,YACE,OAAe;IACf,oDAAoD;IAC3C,MAAqB;QAE9B,KAAK,CAAC,OAAO,CAAC,CAAC;QAFN,WAAM,GAAN,MAAM,CAAe;QAG9B,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,WAAW,CAAC;IACjC,CAAC;CACF"}

package/dist/verifier.d.ts

@@ -0,0 +1,83 @@
+import { type AuthorizationRequest, type AuthorizationResponse } from "@gramota/oid4vp";
+import { type VerifierConfig, type VerifyOptions, type VerifyResult } from "./types.js";
+export declare class Verifier {
+    private readonly audience;
+    private readonly trust;
+    private readonly statusResolver;
+    private readonly algorithms;
+    private readonly maxKbJwtAgeSeconds;
+    private readonly maxClockSkewSeconds;
+    constructor(config: VerifierConfig);
+    /**
+     * Verify an SD-JWT-VC presentation token end-to-end.
+     *
+     * Runs 9 security checks in order; stops at the first failure and reports
+     * which check failed. On success, returns the disclosed claims plus
+     * protocol metadata plus the full audit trail of checks performed.
+     */
+    verify<TClaims = Record<string, unknown>>(presentationToken: string, options: VerifyOptions): Promise<VerifyResult<TClaims>>;
+    /** Build an OID4VP Authorization Request URL to share with the wallet. */
+    request(options: PresentationRequestOptions): PresentationRequest;
+    /**
+     * Process an OID4VP Authorization Response body end-to-end:
+     * parse the form body, enforce CSRF state matching, and verify the
+     * vp_token cryptographically. Returns the same result shape as `verify()`
+     * plus the parsed transport envelope.
+     */
+    response<TClaims = Record<string, unknown>>(rawBody: string | URLSearchParams | Record<string, string>, options: VerifyResponseOptions): Promise<VerifyResponseResult<TClaims>>;
+}
+/** Result of `verifier.responses.verify()` — same shape as `VerifyResult`
+ * plus the parsed OID4VP transport envelope. */
+export type VerifyResponseResult<TClaims = Record<string, unknown>> = VerifyResult<TClaims> & {
+    response?: AuthorizationResponse;
+};
+/** Options for `verifier.request()`. */
+export interface PresentationRequestOptions {
+    /** Base URL or scheme: `openid4vp://authorize`, `https://wallet.example.com/...` */
+    baseUrl: string;
+    /** OID4VP nonce. */
+    nonce: string;
+    /** Optional opaque CSRF state echoed back unchanged in the response. */
+    state?: string;
+    /** `direct_post` callback URL (required when response_mode=direct_post). */
+    responseUri?: string;
+    /** Inline DIF Presentation Definition. */
+    presentationDefinition?: Readonly<Record<string, unknown>>;
+    /** Or a URL the wallet can fetch the PD from. Mutually exclusive with above. */
+    presentationDefinitionUri?: string;
+    /** Override response_mode (default: direct_post when responseUri is set,
+     * otherwise undefined). */
+    responseMode?: "direct_post" | "direct_post.jwt" | "fragment" | "query";
+    /** client_id_scheme (default: redirect_uri). */
+    clientIdScheme?: string;
+    /** Override the client_id (defaults to the verifier's audience). */
+    clientId?: string;
+}
+/** Result of `verifier.request()`. */
+export interface PresentationRequest {
+    /** The full URL to share with the wallet (QR / deep link). */
+    url: string;
+    /** The structured AuthorizationRequest, useful for storage and logging. */
+    request: AuthorizationRequest;
+    /** Echoes the nonce so callers can persist it for later verification. */
+    nonce: string;
+    /** Echoes the state if one was supplied. */
+    state: string | undefined;
+}
+/** Options for `verifier.response()`. */
+export interface VerifyResponseOptions {
+    /** Required — the nonce used in the original request. */
+    expectedNonce: string;
+    /** Optional — when supplied, response.state MUST equal this. */
+    expectedState?: string;
+    /** Override "now" — for tests. */
+    now?: () => number;
+    /** Forwarded to `verify()` — fail when credential has no resolvable
+     * status. Has effect only when the Verifier was constructed with a
+     * `statusResolver`. */
+    requireStatus?: boolean;
+}
+/** Standalone one-off verification — same semantics as Verifier.verify, but
+ * no instance to keep around. Pass everything inline. */
+export declare function verify<TClaims = Record<string, unknown>>(presentationToken: string, options: VerifyOptions & VerifierConfig): Promise<VerifyResult<TClaims>>;
+//# sourceMappingURL=verifier.d.ts.map

package/dist/verifier.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.d.ts","sourceRoot":"","sources":["../src/verifier.ts"],"names":[],"mappings":"AAoBA,OAAO,EAGL,KAAK,oBAAoB,EACzB,KAAK,qBAAqB,EAC3B,MAAM,iBAAiB,CAAC;AAKzB,OAAO,EAML,KAAK,cAAc,EACnB,KAAK,aAAa,EAClB,KAAK,YAAY,EAClB,MAAM,YAAY,CAAC;AAKpB,qBAAa,QAAQ;IACnB,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAS;IAClC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAgB;IACtC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAA6B;IAC5D,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAsC;IACjE,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAS;IAC5C,OAAO,CAAC,QAAQ,CAAC,mBAAmB,CAAS;gBAEjC,MAAM,EAAE,cAAc;IAkClC;;;;;;OAMG;IACG,MAAM,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC5C,iBAAiB,EAAE,MAAM,EACzB,OAAO,EAAE,aAAa,GACrB,OAAO,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;IAgMjC,0EAA0E;IAC1E,OAAO,CAAC,OAAO,EAAE,0BAA0B,GAAG,mBAAmB;IAgDjE;;;;;OAKG;IACG,QAAQ,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC9C,OAAO,EAAE,MAAM,GAAG,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,EAC1D,OAAO,EAAE,qBAAqB,GAC7B,OAAO,CAAC,oBAAoB,CAAC,OAAO,CAAC,CAAC;CA6D1C;AAED;gDACgD;AAChD,MAAM,MAAM,oBAAoB,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,IAChE,YAAY,CAAC,OAAO,CAAC,GAAG;IAAE,QAAQ,CAAC,EAAE,qBAAqB,CAAA;CAAE,CAAC;AAE/D,wCAAwC;AACxC,MAAM,WAAW,0BAA0B;IACzC,oFAAoF;IACpF,OAAO,EAAE,MAAM,CAAC;IAChB,oBAAoB;IACpB,KAAK,EAAE,MAAM,CAAC;IACd,wEAAwE;IACxE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,4EAA4E;IAC5E,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,0CAA0C;IAC1C,sBAAsB,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IAC3D,gFAAgF;IAChF,yBAAyB,CAAC,EAAE,MAAM,CAAC;IACnC;+BAC2B;IAC3B,YAAY,CAAC,EAAE,aAAa,GAAG,iBAAiB,GAAG,UAAU,GAAG,OAAO,CAAC;IACxE,gDAAgD;IAChD,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,oEAAoE;IACpE,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,sCAAsC;AACtC,MAAM,WAAW,mBAAmB;IAClC,8DAA8D;IAC9D,GAAG,EAAE,MAAM,CAAC;IACZ,2EAA2E;IAC3E,OAAO,EAAE,oBAAoB,CAAC;IAC9B,yEAAyE;IACzE,KAAK,EAAE,MAAM,CAAC;IACd,4CAA4C;IAC5C,KAAK,EAAE,MAAM,GAAG,SAAS,CAAC;CAC3B;AAED,yCAAyC;AACzC,MAAM,WAAW,qBAAqB;IACpC,yDAAyD;IACzD,aAAa,EAAE,MAAM,CAAC;IACtB,gEAAgE;IAChE,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,kCAAkC;IAClC,GAAG,CAAC,EAAE,MAAM,MAAM,CAAC;IACnB;;2BAEuB;IACvB,aAAa,CAAC,EAAE,OAAO,CAAC;CACzB;AAED;yDACyD;AACzD,wBAAsB,MAAM,CAAC,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC5D,iBAAiB,EAAE,MAAM,EACzB,OAAO,EAAE,aAAa,GAAG,cAAc,GACtC,OAAO,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,CAKhC"}

package/dist/verifier.js

@@ -0,0 +1,381 @@
+import { parseSdJwt, verifyHashBinding, verifyKeyBinding, SdJwtParseError, SdJwtVerificationError, SdJwtKeyBindingError, } from "@gramota/sd-jwt";
+import { verifyJws, JoseVerificationError, } from "@gramota/jose";
+import { StaticTrustResolver, TrustResolutionError, } from "@gramota/trust";
+import { buildAuthorizationRequestUrl, parseAuthorizationResponseBody, } from "@gramota/oid4vp";
+import { VerificationError, } from "./types.js";
+const DEFAULT_MAX_AGE_S = 60;
+const DEFAULT_CLOCK_SKEW_S = 30;
+export class Verifier {
+    audience;
+    trust;
+    statusResolver;
+    algorithms;
+    maxKbJwtAgeSeconds;
+    maxClockSkewSeconds;
+    constructor(config) {
+        if (typeof config.audience !== "string" || config.audience.length === 0) {
+            throw new TypeError("Verifier: audience is required");
+        }
+        const hasKey = config.issuerKey !== undefined &&
+            config.issuerKey !== null &&
+            typeof config.issuerKey === "object";
+        const hasTrust = config.trust !== undefined;
+        if (hasKey && hasTrust) {
+            throw new TypeError("Verifier: pass exactly one of issuerKey (shorthand) OR trust (resolver), not both");
+        }
+        if (!hasKey && !hasTrust) {
+            throw new TypeError("Verifier: one of issuerKey (shorthand) or trust (resolver) is required");
+        }
+        this.audience = config.audience;
+        this.trust = hasTrust
+            ? config.trust
+            : new StaticTrustResolver([config.issuerKey]);
+        this.statusResolver = config.statusResolver;
+        this.algorithms = config.algorithms;
+        this.maxKbJwtAgeSeconds =
+            config.maxKbJwtAgeSeconds ?? DEFAULT_MAX_AGE_S;
+        this.maxClockSkewSeconds =
+            config.maxClockSkewSeconds ?? DEFAULT_CLOCK_SKEW_S;
+    }
+    /**
+     * Verify an SD-JWT-VC presentation token end-to-end.
+     *
+     * Runs 9 security checks in order; stops at the first failure and reports
+     * which check failed. On success, returns the disclosed claims plus
+     * protocol metadata plus the full audit trail of checks performed.
+     */
+    async verify(presentationToken, options) {
+        if (typeof options.nonce !== "string" || options.nonce.length === 0) {
+            throw new TypeError("verify: options.nonce is required");
+        }
+        const checks = [];
+        // 1. Parse the token
+        let parsed;
+        try {
+            parsed = parseSdJwt(presentationToken);
+            record(checks, "structure.parse", true);
+        }
+        catch (err) {
+            return makeFailure(checks, "structure.parse", describe(err));
+        }
+        // 2a. Resolve trusted issuer keys via the configured TrustResolver
+        let candidateKeys;
+        try {
+            const iss = typeof parsed.payload["iss"] === "string"
+                ? parsed.payload["iss"]
+                : undefined;
+            const kid = typeof parsed.header["kid"] === "string"
+                ? parsed.header["kid"]
+                : undefined;
+            const trustContext = {
+                iss,
+                kid,
+                header: parsed.header,
+            };
+            candidateKeys = await this.trust.resolveIssuerKeys(trustContext);
+            if (candidateKeys.length === 0) {
+                return makeFailure(checks, "trust.resolution", "trust resolver returned no candidate keys");
+            }
+            record(checks, "trust.resolution", true);
+        }
+        catch (err) {
+            return makeFailure(checks, "trust.resolution", describe(err));
+        }
+        // 2b. Verify the issuer signature against any of the candidate keys
+        const issuerJws = `${parsed.signedPayload}.${parsed.signature}`;
+        const verifyOpts = {};
+        if (this.algorithms !== undefined) {
+            verifyOpts.algorithms = this.algorithms;
+        }
+        let verifiedAny = false;
+        let lastSignatureError;
+        for (const key of candidateKeys) {
+            try {
+                await verifyJws(issuerJws, key, verifyOpts);
+                verifiedAny = true;
+                break;
+            }
+            catch (err) {
+                lastSignatureError = err;
+            }
+        }
+        if (!verifiedAny) {
+            return makeFailure(checks, "issuer.signature", describe(lastSignatureError));
+        }
+        record(checks, "issuer.signature", true);
+        // 3. Verify hash binding (disclosures match _sd digests, no forgery)
+        let verifiedSdJwt;
+        try {
+            verifiedSdJwt = verifyHashBinding(parsed);
+            if (verifiedSdJwt.unmatchedDisclosures.length > 0) {
+                const names = verifiedSdJwt.unmatchedDisclosures
+                    .map((d) => d.name ?? "<array element>")
+                    .join(", ");
+                return makeFailure(checks, "hash-binding.disclosures", `forged disclosures detected: ${names}`);
+            }
+            record(checks, "hash-binding.disclosures", true);
+        }
+        catch (err) {
+            return makeFailure(checks, "hash-binding.disclosures", describe(err));
+        }
+        // 4-9. KB-JWT (presence, cnf, signature, aud, nonce, time, transcript)
+        let verifiedKb;
+        try {
+            const kbOpts = {
+                expectedAudience: this.audience,
+                expectedNonce: options.nonce,
+                maxAgeSeconds: this.maxKbJwtAgeSeconds,
+                maxClockSkewSeconds: this.maxClockSkewSeconds,
+            };
+            if (this.algorithms !== undefined) {
+                kbOpts.algorithms = this.algorithms;
+            }
+            if (options.now !== undefined) {
+                kbOpts.now = options.now;
+            }
+            verifiedKb = await verifyKeyBinding(parsed, kbOpts);
+            // KB-JWT verifyKeyBinding short-circuits on first failure; if it
+            // returns successfully, all six sub-checks passed.
+            record(checks, "kb-jwt.present", true);
+            record(checks, "kb-jwt.cnf-binding", true);
+            record(checks, "kb-jwt.signature", true);
+            record(checks, "kb-jwt.audience", true);
+            record(checks, "kb-jwt.nonce", true);
+            record(checks, "kb-jwt.time", true);
+            record(checks, "kb-jwt.transcript", true);
+        }
+        catch (err) {
+            return makeFailure(checks, classifyKbFailure(err), describe(err));
+        }
+        // 10. Optional status check — delegated to the configured StatusResolver
+        // Strategy. The verifier knows POLICY (requireStatus); the resolver
+        // knows MECHANISM (status list, CRL, OCSP, ...).
+        let statusResult;
+        if (this.statusResolver !== undefined) {
+            const resolveOpts = {};
+            if (options.now !== undefined)
+                resolveOpts.now = options.now;
+            try {
+                statusResult = await this.statusResolver.resolveStatus(parsed, resolveOpts);
+            }
+            catch (err) {
+                return makeFailure(checks, "status.check", describe(err));
+            }
+            if (statusResult === "skipped") {
+                if (options.requireStatus) {
+                    return makeFailure(checks, "status.check", "credential has no resolvable status but requireStatus=true");
+                }
+                record(checks, "status.check", true, "credential status was skipped (no reference resolved)");
+            }
+            else if (statusResult.state !== "valid") {
+                return makeFailure(checks, "status.check", `credential status is '${statusResult.state}' (code=${statusResult.code})`);
+            }
+            else {
+                record(checks, "status.check", true);
+            }
+        }
+        // All checks passed — assemble the success result.
+        const claims = stripMetadata(verifiedSdJwt.claims);
+        const metadata = extractMetadata(parsed, verifiedSdJwt.claims, this.audience, verifiedKb.holderKey);
+        const success = {
+            ok: true,
+            claims,
+            metadata,
+            checks: Object.freeze(checks),
+            unwrap: () => claims,
+        };
+        if (statusResult !== undefined)
+            success.status = statusResult;
+        return success;
+    }
+    /** Build an OID4VP Authorization Request URL to share with the wallet. */
+    request(options) {
+        if (typeof options.baseUrl !== "string" || options.baseUrl.length === 0) {
+            throw new TypeError("verifier.request: baseUrl is required");
+        }
+        if (typeof options.nonce !== "string" || options.nonce.length === 0) {
+            throw new TypeError("verifier.request: nonce is required");
+        }
+        if (options.presentationDefinition !== undefined &&
+            options.presentationDefinitionUri !== undefined) {
+            throw new TypeError("presentationDefinition and presentationDefinitionUri are mutually exclusive");
+        }
+        const responseMode = options.responseMode ??
+            (options.responseUri !== undefined ? "direct_post" : undefined);
+        const request = {
+            response_type: "vp_token",
+            client_id: options.clientId ?? this.audience,
+            client_id_scheme: options.clientIdScheme ?? "redirect_uri",
+            nonce: options.nonce,
+        };
+        if (options.state !== undefined)
+            request.state = options.state;
+        if (responseMode !== undefined)
+            request.response_mode = responseMode;
+        if (options.responseUri !== undefined) {
+            request.response_uri = options.responseUri;
+        }
+        if (options.presentationDefinition !== undefined) {
+            request.presentation_definition = options.presentationDefinition;
+        }
+        if (options.presentationDefinitionUri !== undefined) {
+            request.presentation_definition_uri = options.presentationDefinitionUri;
+        }
+        const url = buildAuthorizationRequestUrl(options.baseUrl, request);
+        return {
+            url,
+            request,
+            nonce: options.nonce,
+            state: options.state,
+        };
+    }
+    /**
+     * Process an OID4VP Authorization Response body end-to-end:
+     * parse the form body, enforce CSRF state matching, and verify the
+     * vp_token cryptographically. Returns the same result shape as `verify()`
+     * plus the parsed transport envelope.
+     */
+    async response(rawBody, options) {
+        if (typeof options.expectedNonce !== "string" ||
+            options.expectedNonce.length === 0) {
+            throw new TypeError("verifier.response: expectedNonce is required");
+        }
+        let response;
+        try {
+            response =
+                typeof rawBody === "string"
+                    ? parseAuthorizationResponseBody(rawBody)
+                    : (await import("@gramota/oid4vp")).parseAuthorizationResponseFromParams(rawBody);
+        }
+        catch (err) {
+            const checks = [];
+            return makeFailure(checks, "structure.parse", err instanceof Error ? err.message : String(err));
+        }
+        // CSRF state matching is application-level but we offer it as a default
+        // safety belt — opt out by omitting expectedState.
+        if (options.expectedState !== undefined &&
+            response.state !== options.expectedState) {
+            const checks = [];
+            return makeFailure(checks, "structure.parse", `OID4VP state mismatch — expected '${options.expectedState}', got '${response.state ?? "<missing>"}'`);
+        }
+        // v1 supports single-token responses; multi-token coming with full DIF PE.
+        if (typeof response.vp_token !== "string") {
+            const checks = [];
+            return makeFailure(checks, "structure.parse", "multi-credential vp_token arrays are not yet supported in v1");
+        }
+        const vpToken = response.vp_token;
+        const verifyOpts = { nonce: options.expectedNonce };
+        if (options.now !== undefined)
+            verifyOpts.now = options.now;
+        if (options.requireStatus !== undefined) {
+            verifyOpts.requireStatus = options.requireStatus;
+        }
+        const baseResult = await this.verify(vpToken, verifyOpts);
+        return Object.assign({}, baseResult, {
+            response,
+        });
+    }
+}
+/** Standalone one-off verification — same semantics as Verifier.verify, but
+ * no instance to keep around. Pass everything inline. */
+export async function verify(presentationToken, options) {
+    const { nonce, ...config } = options;
+    const verifyOpts = { nonce };
+    if (options.now !== undefined)
+        verifyOpts.now = options.now;
+    return new Verifier(config).verify(presentationToken, verifyOpts);
+}
+// ---------------------------------------------------------------------------
+// helpers
+// ---------------------------------------------------------------------------
+function record(checks, name, passed, message) {
+    const c = { name, passed };
+    if (message !== undefined)
+        c.message = message;
+    checks.push(c);
+}
+function makeFailure(checksSoFar, failedCheck, reason) {
+    const checks = [...checksSoFar];
+    checks.push({ name: failedCheck, passed: false, message: reason });
+    const failure = {
+        ok: false,
+        reason,
+        failedCheck,
+        checks: Object.freeze(checks),
+        unwrap: () => {
+            throw new VerificationError(reason, failure);
+        },
+    };
+    return failure;
+}
+/** Map a thrown error from verifyKeyBinding to a specific check name based on
+ * its message. We do this because verifyKeyBinding is a single function that
+ * checks 6 things; we want to surface the precise step that failed. */
+function classifyKbFailure(err) {
+    const m = err instanceof Error ? err.message : String(err);
+    if (/required but absent/.test(m))
+        return "kb-jwt.present";
+    if (/cnf/.test(m))
+        return "kb-jwt.cnf-binding";
+    if (/aud/.test(m) && !/audi(en)?ce/i.test("audience"))
+        return "kb-jwt.audience";
+    if (/aud/.test(m))
+        return "kb-jwt.audience";
+    if (/nonce/.test(m))
+        return "kb-jwt.nonce";
+    if (/iat|future|old/i.test(m))
+        return "kb-jwt.time";
+    if (/sd_hash|transcript/i.test(m))
+        return "kb-jwt.transcript";
+    // Default: signature/typ/alg failures bucketed under signature.
+    return "kb-jwt.signature";
+}
+function describe(err) {
+    if (err instanceof SdJwtParseError ||
+        err instanceof SdJwtVerificationError ||
+        err instanceof SdJwtKeyBindingError ||
+        err instanceof JoseVerificationError ||
+        err instanceof TrustResolutionError ||
+        err instanceof Error) {
+        return err.message;
+    }
+    return String(err);
+}
+function stripMetadata(claims) {
+    const out = {};
+    for (const [key, value] of Object.entries(claims)) {
+        if (key === "iss" ||
+            key === "iat" ||
+            key === "exp" ||
+            key === "nbf" ||
+            key === "cnf" ||
+            key === "vct" ||
+            key === "status") {
+            continue;
+        }
+        out[key] = value;
+    }
+    return out;
+}
+function extractMetadata(parsed, resolvedClaims, audience, holderKey) {
+    return {
+        issuer: typeof resolvedClaims["iss"] === "string"
+            ? resolvedClaims["iss"]
+            : typeof parsed.payload["iss"] === "string"
+                ? parsed.payload["iss"]
+                : "<unknown>",
+        audience,
+        issuedAt: typeof resolvedClaims["iat"] === "number"
+            ? resolvedClaims["iat"]
+            : typeof parsed.payload["iat"] === "number"
+                ? parsed.payload["iat"]
+                : undefined,
+        expiresAt: typeof resolvedClaims["exp"] === "number"
+            ? resolvedClaims["exp"]
+            : typeof parsed.payload["exp"] === "number"
+                ? parsed.payload["exp"]
+                : undefined,
+        holderKey,
+    };
+}
+//# sourceMappingURL=verifier.js.map

package/dist/verifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verifier.js","sourceRoot":"","sources":["../src/verifier.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,UAAU,EACV,iBAAiB,EACjB,gBAAgB,EAChB,eAAe,EACf,sBAAsB,EACtB,oBAAoB,GAErB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EACL,SAAS,EACT,qBAAqB,GAGtB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,mBAAmB,EACnB,oBAAoB,GAErB,MAAM,gBAAgB,CAAC;AACxB,OAAO,EACL,4BAA4B,EAC5B,8BAA8B,GAG/B,MAAM,iBAAiB,CAAC;AAKzB,OAAO,EACL,iBAAiB,GAQlB,MAAM,YAAY,CAAC;AAEpB,MAAM,iBAAiB,GAAG,EAAE,CAAC;AAC7B,MAAM,oBAAoB,GAAG,EAAE,CAAC;AAEhC,MAAM,OAAO,QAAQ;IACF,QAAQ,CAAS;IACjB,KAAK,CAAgB;IACrB,cAAc,CAA6B;IAC3C,UAAU,CAAsC;IAChD,kBAAkB,CAAS;IAC3B,mBAAmB,CAAS;IAE7C,YAAY,MAAsB;QAChC,IAAI,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxE,MAAM,IAAI,SAAS,CAAC,gCAAgC,CAAC,CAAC;QACxD,CAAC;QAED,MAAM,MAAM,GACV,MAAM,CAAC,SAAS,KAAK,SAAS;YAC9B,MAAM,CAAC,SAAS,KAAK,IAAI;YACzB,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ,CAAC;QACvC,MAAM,QAAQ,GAAG,MAAM,CAAC,KAAK,KAAK,SAAS,CAAC;QAE5C,IAAI,MAAM,IAAI,QAAQ,EAAE,CAAC;YACvB,MAAM,IAAI,SAAS,CACjB,mFAAmF,CACpF,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,MAAM,IAAI,CAAC,QAAQ,EAAE,CAAC;YACzB,MAAM,IAAI,SAAS,CACjB,wEAAwE,CACzE,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;QAChC,IAAI,CAAC,KAAK,GAAG,QAAQ;YACnB,CAAC,CAAE,MAAM,CAAC,KAAuB;YACjC,CAAC,CAAC,IAAI,mBAAmB,CAAC,CAAC,MAAM,CAAC,SAAuB,CAAC,CAAC,CAAC;QAC9D,IAAI,CAAC,cAAc,GAAG,MAAM,CAAC,cAAc,CAAC;QAC5C,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC;QACpC,IAAI,CAAC,kBAAkB;YACrB,MAAM,CAAC,kBAAkB,IAAI,iBAAiB,CAAC;QACjD,IAAI,CAAC,mBAAmB;YACtB,MAAM,CAAC,mBAAmB,IAAI,oBAAoB,CAAC;IACvD,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,MAAM,CACV,iBAAyB,EACzB,OAAsB;QAEtB,IAAI,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpE,MAAM,IAAI,SAAS,CAAC,mCAAmC,CAAC,CAAC;QAC3D,CAAC;QAED,MAAM,MAAM,GAAoB,EAAE,CAAC;QAEnC,qBAAqB;QACrB,IAAI,MAAmB,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,GAAG,UAAU,CAAC,iBAAiB,CAAC,CAAC;YACvC,MAAM,CAAC,MAAM,EAAE,iBAAiB,EAAE,IAAI,CAAC,CAAC;QAC1C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,WAAW,CAAC,MAAM,EAAE,iBAAiB,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;QAC/D,CAAC;QAED,mEAAmE;QACnE,IAAI,aAAa,CAAC;QAClB,IAAI,CAAC;YACH,MAAM,GAAG,GACP,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,QAAQ;gBACvC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC;gBACvB,CAAC,CAAC,SAAS,CAAC;YAChB,MAAM,GAAG,GACP,OAAO,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,QAAQ;gBACtC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC;gBACtB,CAAC,CAAC,SAAS,CAAC;YAEhB,MAAM,YAAY,GAId;gBACF,GAAG;gBACH,GAAG;gBACH,MAAM,EAAE,MAAM,CAAC,MAAiC;aACjD,CAAC;YACF,aAAa,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,YAAY,CAAC,CAAC;YACjE,IAAI,aAAa,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC/B,OAAO,WAAW,CAChB,MAAM,EACN,kBAAkB,EAClB,2CAA2C,CAC5C,CAAC;YACJ,CAAC;YACD,MAAM,CAAC,MAAM,EAAE,kBAAkB,EAAE,IAAI,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,WAAW,CAAC,MAAM,EAAE,kBAAkB,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;QAChE,CAAC;QAED,oEAAoE;QACpE,MAAM,SAAS,GAAG,GAAG,MAAM,CAAC,aAAa,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QAChE,MAAM,UAAU,GAA6C,EAAE,CAAC;QAChE,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;YAClC,UAAU,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;QAC1C,CAAC;QACD,IAAI,WAAW,GAAG,KAAK,CAAC;QACxB,IAAI,kBAA2B,CAAC;QAChC,KAAK,MAAM,GAAG,IAAI,aAAa,EAAE,CAAC;YAChC,IAAI,CAAC;gBACH,MAAM,SAAS,CAAC,SAAS,EAAE,GAAG,EAAE,UAAU,CAAC,CAAC;gBAC5C,WAAW,GAAG,IAAI,CAAC;gBACnB,MAAM;YACR,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,kBAAkB,GAAG,GAAG,CAAC;YAC3B,CAAC;QACH,CAAC;QACD,IAAI,CAAC,WAAW,EAAE,CAAC;YACjB,OAAO,WAAW,CAChB,MAAM,EACN,kBAAkB,EAClB,QAAQ,CAAC,kBAAkB,CAAC,CAC7B,CAAC;QACJ,CAAC;QACD,MAAM,CAAC,MAAM,EAAE,kBAAkB,EAAE,IAAI,CAAC,CAAC;QAEzC,qEAAqE;QACrE,IAAI,aAAa,CAAC;QAClB,IAAI,CAAC;YACH,aAAa,GAAG,iBAAiB,CAAC,MAAM,CAAC,CAAC;YAC1C,IAAI,aAAa,CAAC,oBAAoB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAClD,MAAM,KAAK,GAAG,aAAa,CAAC,oBAAoB;qBAC7C,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,iBAAiB,CAAC;qBACvC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACd,OAAO,WAAW,CAChB,MAAM,EACN,0BAA0B,EAC1B,gCAAgC,KAAK,EAAE,CACxC,CAAC;YACJ,CAAC;YACD,MAAM,CAAC,MAAM,EAAE,0BAA0B,EAAE,IAAI,CAAC,CAAC;QACnD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,WAAW,CAAC,MAAM,EAAE,0BAA0B,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;QACxE,CAAC;QAED,uEAAuE;QACvE,IAAI,UAAU,CAAC;QACf,IAAI,CAAC;YACH,MAAM,MAAM,GAA2C;gBACrD,gBAAgB,EAAE,IAAI,CAAC,QAAQ;gBAC/B,aAAa,EAAE,OAAO,CAAC,KAAK;gBAC5B,aAAa,EAAE,IAAI,CAAC,kBAAkB;gBACtC,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;aAC9C,CAAC;YACF,IAAI,IAAI,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;gBAClC,MAAM,CAAC,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC;YACtC,CAAC;YACD,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;gBAC9B,MAAM,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;YAC3B,CAAC;YAED,UAAU,GAAG,MAAM,gBAAgB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YAEpD,iEAAiE;YACjE,mDAAmD;YACnD,MAAM,CAAC,MAAM,EAAE,gBAAgB,EAAE,IAAI,CAAC,CAAC;YACvC,MAAM,CAAC,MAAM,EAAE,oBAAoB,EAAE,IAAI,CAAC,CAAC;YAC3C,MAAM,CAAC,MAAM,EAAE,kBAAkB,EAAE,IAAI,CAAC,CAAC;YACzC,MAAM,CAAC,MAAM,EAAE,iBAAiB,EAAE,IAAI,CAAC,CAAC;YACxC,MAAM,CAAC,MAAM,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;YACrC,MAAM,CAAC,MAAM,EAAE,aAAa,EAAE,IAAI,CAAC,CAAC;YACpC,MAAM,CAAC,MAAM,EAAE,mBAAmB,EAAE,IAAI,CAAC,CAAC;QAC5C,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,OAAO,WAAW,CAChB,MAAM,EACN,iBAAiB,CAAC,GAAG,CAAC,EACtB,QAAQ,CAAC,GAAG,CAAC,CACd,CAAC;QACJ,CAAC;QAED,yEAAyE;QACzE,oEAAoE;QACpE,iDAAiD;QACjD,IAAI,YAA4D,CAAC;QACjE,IAAI,IAAI,CAAC,cAAc,KAAK,SAAS,EAAE,CAAC;YACtC,MAAM,WAAW,GAAmD,EAAE,CAAC;YACvE,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS;gBAAE,WAAW,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;YAE7D,IAAI,CAAC;gBACH,YAAY,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,aAAa,CACpD,MAAM,EACN,WAAW,CACZ,CAAC;YACJ,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,OAAO,WAAW,CAAC,MAAM,EAAE,cAAc,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC;YAC5D,CAAC;YAED,IAAI,YAAY,KAAK,SAAS,EAAE,CAAC;gBAC/B,IAAI,OAAO,CAAC,aAAa,EAAE,CAAC;oBAC1B,OAAO,WAAW,CAChB,MAAM,EACN,cAAc,EACd,4DAA4D,CAC7D,CAAC;gBACJ,CAAC;gBACD,MAAM,CACJ,MAAM,EACN,cAAc,EACd,IAAI,EACJ,uDAAuD,CACxD,CAAC;YACJ,CAAC;iBAAM,IAAI,YAAY,CAAC,KAAK,KAAK,OAAO,EAAE,CAAC;gBAC1C,OAAO,WAAW,CAChB,MAAM,EACN,cAAc,EACd,yBAAyB,YAAY,CAAC,KAAK,WAAW,YAAY,CAAC,IAAI,GAAG,CAC3E,CAAC;YACJ,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,MAAM,EAAE,cAAc,EAAE,IAAI,CAAC,CAAC;YACvC,CAAC;QACH,CAAC;QAED,mDAAmD;QACnD,MAAM,MAAM,GAAG,aAAa,CAAC,aAAa,CAAC,MAAM,CAAY,CAAC;QAC9D,MAAM,QAAQ,GAAG,eAAe,CAC9B,MAAM,EACN,aAAa,CAAC,MAAM,EACpB,IAAI,CAAC,QAAQ,EACb,UAAU,CAAC,SAAS,CACrB,CAAC;QAEF,MAAM,OAAO,GAA2B;YACtC,EAAE,EAAE,IAAI;YACR,MAAM;YACN,QAAQ;YACR,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC;YAC7B,MAAM,EAAE,GAAG,EAAE,CAAC,MAAM;SACrB,CAAC;QACF,IAAI,YAAY,KAAK,SAAS;YAAE,OAAO,CAAC,MAAM,GAAG,YAAY,CAAC;QAC9D,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,0EAA0E;IAC1E,OAAO,CAAC,OAAmC;QACzC,IAAI,OAAO,OAAO,CAAC,OAAO,KAAK,QAAQ,IAAI,OAAO,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACxE,MAAM,IAAI,SAAS,CAAC,uCAAuC,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,OAAO,OAAO,CAAC,KAAK,KAAK,QAAQ,IAAI,OAAO,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACpE,MAAM,IAAI,SAAS,CAAC,qCAAqC,CAAC,CAAC;QAC7D,CAAC;QACD,IACE,OAAO,CAAC,sBAAsB,KAAK,SAAS;YAC5C,OAAO,CAAC,yBAAyB,KAAK,SAAS,EAC/C,CAAC;YACD,MAAM,IAAI,SAAS,CACjB,6EAA6E,CAC9E,CAAC;QACJ,CAAC;QAED,MAAM,YAAY,GAChB,OAAO,CAAC,YAAY;YACpB,CAAC,OAAO,CAAC,WAAW,KAAK,SAAS,CAAC,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;QAElE,MAAM,OAAO,GAAyB;YACpC,aAAa,EAAE,UAAU;YACzB,SAAS,EAAE,OAAO,CAAC,QAAQ,IAAI,IAAI,CAAC,QAAQ;YAC5C,gBAAgB,EAAE,OAAO,CAAC,cAAc,IAAI,cAAc;YAC1D,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC;QACF,IAAI,OAAO,CAAC,KAAK,KAAK,SAAS;YAAE,OAAO,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC;QAC/D,IAAI,YAAY,KAAK,SAAS;YAAE,OAAO,CAAC,aAAa,GAAG,YAAY,CAAC;QACrE,IAAI,OAAO,CAAC,WAAW,KAAK,SAAS,EAAE,CAAC;YACtC,OAAO,CAAC,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC;QAC7C,CAAC;QACD,IAAI,OAAO,CAAC,sBAAsB,KAAK,SAAS,EAAE,CAAC;YACjD,OAAO,CAAC,uBAAuB,GAAG,OAAO,CAAC,sBAAsB,CAAC;QACnE,CAAC;QACD,IAAI,OAAO,CAAC,yBAAyB,KAAK,SAAS,EAAE,CAAC;YACpD,OAAO,CAAC,2BAA2B,GAAG,OAAO,CAAC,yBAAyB,CAAC;QAC1E,CAAC;QAED,MAAM,GAAG,GAAG,4BAA4B,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAEnE,OAAO;YACL,GAAG;YACH,OAAO;YACP,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC;IACJ,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,QAAQ,CACZ,OAA0D,EAC1D,OAA8B;QAE9B,IACE,OAAO,OAAO,CAAC,aAAa,KAAK,QAAQ;YACzC,OAAO,CAAC,aAAa,CAAC,MAAM,KAAK,CAAC,EAClC,CAAC;YACD,MAAM,IAAI,SAAS,CAAC,8CAA8C,CAAC,CAAC;QACtE,CAAC;QAED,IAAI,QAA+B,CAAC;QACpC,IAAI,CAAC;YACH,QAAQ;gBACN,OAAO,OAAO,KAAK,QAAQ;oBACzB,CAAC,CAAC,8BAA8B,CAAC,OAAO,CAAC;oBACzC,CAAC,CAAC,CAAC,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC,CAAC,oCAAoC,CACpE,OAAO,CACR,CAAC;QACV,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,MAAM,GAAoB,EAAE,CAAC;YACnC,OAAO,WAAW,CAChB,MAAM,EACN,iBAAiB,EACjB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAChB,CAAC;QACrC,CAAC;QAED,wEAAwE;QACxE,mDAAmD;QACnD,IACE,OAAO,CAAC,aAAa,KAAK,SAAS;YACnC,QAAQ,CAAC,KAAK,KAAK,OAAO,CAAC,aAAa,EACxC,CAAC;YACD,MAAM,MAAM,GAAoB,EAAE,CAAC;YACnC,OAAO,WAAW,CAChB,MAAM,EACN,iBAAiB,EACjB,qCAAqC,OAAO,CAAC,aAAa,WAAW,QAAQ,CAAC,KAAK,IAAI,WAAW,GAAG,CACrE,CAAC;QACrC,CAAC;QAED,2EAA2E;QAC3E,IAAI,OAAO,QAAQ,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;YAC1C,MAAM,MAAM,GAAoB,EAAE,CAAC;YACnC,OAAO,WAAW,CAChB,MAAM,EACN,iBAAiB,EACjB,8DAA8D,CAC9B,CAAC;QACrC,CAAC;QACD,MAAM,OAAO,GAAG,QAAQ,CAAC,QAAQ,CAAC;QAElC,MAAM,UAAU,GAAkB,EAAE,KAAK,EAAE,OAAO,CAAC,aAAa,EAAE,CAAC;QACnE,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS;YAAE,UAAU,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;QAC5D,IAAI,OAAO,CAAC,aAAa,KAAK,SAAS,EAAE,CAAC;YACxC,UAAU,CAAC,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC;QACnD,CAAC;QACD,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,MAAM,CAAU,OAAO,EAAE,UAAU,CAAC,CAAC;QAEnE,OAAO,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,UAAU,EAAE;YACnC,QAAQ;SACT,CAAkC,CAAC;IACtC,CAAC;CACF;AAwDD;yDACyD;AACzD,MAAM,CAAC,KAAK,UAAU,MAAM,CAC1B,iBAAyB,EACzB,OAAuC;IAEvC,MAAM,EAAE,KAAK,EAAE,GAAG,MAAM,EAAE,GAAG,OAAO,CAAC;IACrC,MAAM,UAAU,GAAkB,EAAE,KAAK,EAAE,CAAC;IAC5C,IAAI,OAAO,CAAC,GAAG,KAAK,SAAS;QAAE,UAAU,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,CAAC;IAC5D,OAAO,IAAI,QAAQ,CAAC,MAAM,CAAC,CAAC,MAAM,CAAU,iBAAiB,EAAE,UAAU,CAAC,CAAC;AAC7E,CAAC;AAED,8EAA8E;AAC9E,UAAU;AACV,8EAA8E;AAE9E,SAAS,MAAM,CACb,MAAuB,EACvB,IAAuB,EACvB,MAAe,EACf,OAAgB;IAEhB,MAAM,CAAC,GAAkB,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IAC1C,IAAI,OAAO,KAAK,SAAS;QAAE,CAAC,CAAC,OAAO,GAAG,OAAO,CAAC;IAC/C,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACjB,CAAC;AAED,SAAS,WAAW,CAClB,WAA4B,EAC5B,WAA8B,EAC9B,MAAc;IAEd,MAAM,MAAM,GAAG,CAAC,GAAG,WAAW,CAAC,CAAC;IAChC,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,WAAW,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;IACnE,MAAM,OAAO,GAAkB;QAC7B,EAAE,EAAE,KAAK;QACT,MAAM;QACN,WAAW;QACX,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC;QAC7B,MAAM,EAAE,GAAG,EAAE;YACX,MAAM,IAAI,iBAAiB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC/C,CAAC;KACF,CAAC;IACF,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;uEAEuE;AACvE,SAAS,iBAAiB,CAAC,GAAY;IACrC,MAAM,CAAC,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC3D,IAAI,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,gBAAgB,CAAC;IAC3D,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,oBAAoB,CAAC;IAC/C,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC;QAAE,OAAO,iBAAiB,CAAC;IAChF,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,iBAAiB,CAAC;IAC5C,IAAI,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,cAAc,CAAC;IAC3C,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,aAAa,CAAC;IACpD,IAAI,qBAAqB,CAAC,IAAI,CAAC,CAAC,CAAC;QAAE,OAAO,mBAAmB,CAAC;IAC9D,gEAAgE;IAChE,OAAO,kBAAkB,CAAC;AAC5B,CAAC;AAED,SAAS,QAAQ,CAAC,GAAY;IAC5B,IACE,GAAG,YAAY,eAAe;QAC9B,GAAG,YAAY,sBAAsB;QACrC,GAAG,YAAY,oBAAoB;QACnC,GAAG,YAAY,qBAAqB;QACpC,GAAG,YAAY,oBAAoB;QACnC,GAAG,YAAY,KAAK,EACpB,CAAC;QACD,OAAO,GAAG,CAAC,OAAO,CAAC;IACrB,CAAC;IACD,OAAO,MAAM,CAAC,GAAG,CAAC,CAAC;AACrB,CAAC;AAED,SAAS,aAAa,CAAC,MAA+B;IACpD,MAAM,GAAG,GAA4B,EAAE,CAAC;IACxC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,IACE,GAAG,KAAK,KAAK;YACb,GAAG,KAAK,KAAK;YACb,GAAG,KAAK,KAAK;YACb,GAAG,KAAK,KAAK;YACb,GAAG,KAAK,KAAK;YACb,GAAG,KAAK,KAAK;YACb,GAAG,KAAK,QAAQ,EAChB,CAAC;YACD,SAAS;QACX,CAAC;QACD,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;IACnB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,eAAe,CACtB,MAAmB,EACnB,cAAuC,EACvC,QAAgB,EAChB,SAA4C;IAQ5C,OAAO;QACL,MAAM,EACJ,OAAO,cAAc,CAAC,KAAK,CAAC,KAAK,QAAQ;YACvC,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC;YACvB,CAAC,CAAC,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,QAAQ;gBACzC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC;gBACvB,CAAC,CAAC,WAAW;QACnB,QAAQ;QACR,QAAQ,EACN,OAAO,cAAc,CAAC,KAAK,CAAC,KAAK,QAAQ;YACvC,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC;YACvB,CAAC,CAAC,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,QAAQ;gBACzC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC;gBACvB,CAAC,CAAC,SAAS;QACjB,SAAS,EACP,OAAO,cAAc,CAAC,KAAK,CAAC,KAAK,QAAQ;YACvC,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC;YACvB,CAAC,CAAC,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,QAAQ;gBACzC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC;gBACvB,CAAC,CAAC,SAAS;QACjB,SAAS;KACV,CAAC;AACJ,CAAC"}

package/package.json

@@ -0,0 +1,60 @@
+{
+  "name": "@gramota/verifier",
+  "version": "0.1.0",
+  "description": "Relying-party verifier for the EU Digital Identity Wallet. One client, one method, full IETF SD-JWT-VC + KB-JWT spec compliance.",
+  "license": "Apache-2.0",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "dependencies": {
+    "@gramota/oid4vp": "0.1.0",
+    "@gramota/jose": "0.1.0",
+    "@gramota/status-list": "0.1.0",
+    "@gramota/sd-jwt": "0.1.0",
+    "@gramota/trust": "0.1.0"
+  },
+  "devDependencies": {
+    "jose": "^5.9.6",
+    "@gramota/issuer": "0.1.0"
+  },
+  "author": "Petromil Pavlov <petromilpavlov@gmail.com>",
+  "homepage": "https://github.com/gramota-org/gramota#readme",
+  "bugs": {
+    "url": "https://github.com/gramota-org/gramota/issues"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "sideEffects": false,
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://registry.npmjs.org/"
+  },
+  "keywords": [
+    "verifier",
+    "relying-party",
+    "oid4vp",
+    "sd-jwt-vc",
+    "eudi",
+    "verifiable-credentials",
+    "eidas"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/gramota-org/gramota.git",
+    "directory": "packages/verifier"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "typecheck": "tsc -p tsconfig.json --noEmit"
+  }
+}