@interop/did-cli 0.6.0

package/dist/vc/fixtures/welcomeCredential.js

@@ -0,0 +1,25 @@
+/**
+ * A sample Verifiable Credential used as test input. Copied from freewallet's
+ * `welcomeCredential` fixture. The `proof` block is retained for reference but
+ * sign tests strip it and override `issuer` with a freshly generated test DID.
+ */
+export const welcomeCredential = {
+    '@context': [
+        'https://www.w3.org/ns/credentials/v2',
+        'https://w3id.org/security/suites/ed25519-2020/v1'
+    ],
+    type: ['VerifiableCredential'],
+    issuer: 'did:key:z6MkhVTX9BF3NGYX6cc7jWpbNnR7cAjH8LUffabZP8Qu4ysC',
+    name: 'Your First Credential',
+    credentialSubject: {
+        description: 'You have successfully set up your credentials wallet!'
+    },
+    proof: {
+        type: 'Ed25519Signature2020',
+        created: '2025-08-19T06:55:17Z',
+        verificationMethod: 'did:key:z6MkhVTX9BF3NGYX6cc7jWpbNnR7cAjH8LUffabZP8Qu4ysC#z6MkhVTX9BF3NGYX6cc7jWpbNnR7cAjH8LUffabZP8Qu4ysC',
+        proofPurpose: 'assertionMethod',
+        proofValue: 'z4EiTbmC79r4dRaqLQZr2yxQASoMKneHVNHVaWh1xcDoPG2eTwYjKoYaku1Canb7a6Xp5fSogKJyEhkZCaqQ6Y5nw'
+    }
+};
+//# sourceMappingURL=welcomeCredential.js.map

package/dist/vc/fixtures/welcomeCredential.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"welcomeCredential.js","sourceRoot":"","sources":["../../../src/vc/fixtures/welcomeCredential.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,UAAU,EAAE;QACV,sCAAsC;QACtC,kDAAkD;KACnD;IACD,IAAI,EAAE,CAAC,sBAAsB,CAAC;IAC9B,MAAM,EAAE,0DAA0D;IAClE,IAAI,EAAE,uBAAuB;IAC7B,iBAAiB,EAAE;QACjB,WAAW,EAAE,uDAAuD;KACrE;IACD,KAAK,EAAE;QACL,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,sBAAsB;QAC/B,kBAAkB,EAChB,2GAA2G;QAC7G,YAAY,EAAE,iBAAiB;QAC/B,UAAU,EACR,2FAA2F;KAC9F;CACF,CAAA"}

package/dist/vc/issue.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Issues (signs) a credential with a locally-stored DID's assertionMethod key.
+ *
+ * When `keyId` is given it must be authorized by the DID's `assertionMethod`
+ * relationship; otherwise the first `assertionMethod` key is used. The matching
+ * secret key is loaded from the DID's `<did>.keys.json` file. The credential's
+ * `issuer` is set to the signing DID when absent, and must match it when present.
+ *
+ * @param options {object}
+ * @param options.credential {object}   The unsigned credential to issue.
+ * @param options.did {string}   The id of the stored DID to issue (sign) with.
+ * @param [options.keyId] {string}   The verification method id to use.
+ * @param [options.suite] {string}   The signature suite. Defaults to the signing
+ *   key type's default (`eddsa-rdfc-2022` for ed25519, `ecdsa-rdfc-2019` for
+ *   ecdsa).
+ * @returns {Promise<object>}   The issued credential.
+ */
+export declare function issueCredential({ credential, did, keyId, suite }: {
+    credential: object;
+    did: string;
+    keyId?: string;
+    suite?: string;
+}): Promise<object>;
+//# sourceMappingURL=issue.d.ts.map

package/dist/vc/issue.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"issue.d.ts","sourceRoot":"","sources":["../../src/vc/issue.ts"],"names":[],"mappings":"AAoPA;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,eAAe,CAAC,EACpC,UAAU,EACV,GAAG,EACH,KAAK,EACL,KAAK,EACN,EAAE;IACD,UAAU,EAAE,MAAM,CAAA;IAClB,GAAG,EAAE,MAAM,CAAA;IACX,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,KAAK,CAAC,EAAE,MAAM,CAAA;CACf,GAAG,OAAO,CAAC,MAAM,CAAC,CAuClB"}

package/dist/vc/issue.js

@@ -0,0 +1,211 @@
+/**
+ * Credential issuance (signing) adapter over @interop/vc.
+ *
+ * `issueCredential` loads a locally-stored DID and one of its assertionMethod
+ * keys, builds a signature suite, and hands an unsigned credential to
+ * @interop/vc's `issue()`, which returns the credential with a proof attached.
+ * If the input already carries a proof, `issue()` appends an additional one.
+ * The credential's `issuer` is set to the signing DID when absent, and must
+ * match the signing DID when present (otherwise issuance is aborted) -- a
+ * credential cannot be issued by a DID other than the one named as its issuer.
+ * The signing key is read from the DID's `<did>.keys.json` file (the secret key
+ * store written by `id create --save`). All knowledge of the @interop/vc and
+ * suite contracts is isolated to this file.
+ */
+import { driver } from '@interop/did-method-key';
+import { Ed25519VerificationKey } from '@interop/ed25519-verification-key';
+import { Ed25519Signature2020, createSigner, eddsaRdfc2022 } from '@interop/ed25519-signature';
+import * as EcdsaMultikey from '@interop/ecdsa-multikey';
+import { ecdsaRdfc2019 } from '@interop/ecdsa-signature';
+import { DataIntegrityProof } from '@interop/data-integrity-proof';
+import { issue } from '@interop/vc';
+import { securityLoader } from '@interop/security-document-loader';
+import { loadDidDocument, loadDidKeys } from '../storage.js';
+import { isEcdsaPublicKeyMultibase } from '../keys/ecdsa.js';
+/**
+ * Offline document loader for signing: bundles the VC / Data Integrity / suite
+ * contexts (including the `ed25519-2020` suite context) and a did:key resolver.
+ * Built once and reused across calls.
+ */
+const documentLoader = securityLoader().build();
+/**
+ * The supported `--suite` values per key type. The signing key's type (read
+ * from its multibase header) determines which suites are usable; an ed25519 key
+ * cannot sign with an ecdsa cryptosuite and vice versa.
+ */
+const SUPPORTED_SUITES = {
+    ed25519: ['eddsa-rdfc-2022', 'Ed25519Signature2020'],
+    ecdsa: ['ecdsa-rdfc-2019']
+};
+/**
+ * The default `--suite` for each key type, used when no `--suite` is given.
+ */
+const DEFAULT_SUITE = {
+    ed25519: 'eddsa-rdfc-2022',
+    ecdsa: 'ecdsa-rdfc-2019'
+};
+/**
+ * Reconciles a credential's existing `issuer` property with the signing DID.
+ * When the credential has no `issuer`, the signing DID is set as the issuer.
+ * When it already has one, it must match the signing DID, otherwise issuance is
+ * aborted -- a credential must be issued by the DID named as its issuer.
+ *
+ * @param options {object}
+ * @param options.credential {object}   The credential being issued (mutated in
+ *   place when the issuer is absent).
+ * @param options.did {string}   The id of the DID issuing (signing) the
+ *   credential.
+ */
+function reconcileIssuer({ credential, did }) {
+    const issuer = credential.issuer;
+    if (issuer === undefined) {
+        credential.issuer = did;
+        return;
+    }
+    const issuerId = typeof issuer === 'string' ? issuer : issuer?.id;
+    if (issuerId !== did) {
+        throw new Error("Signing DID does not match the existing 'issuer' property. " +
+            'Remove existing issuer, or pass in a matching DID.');
+    }
+}
+/**
+ * Resolves the exported key pair for `keyId` out of a loaded `<did>.keys.json`,
+ * accommodating both the single-key (did:key) and the keyed-map (did:web)
+ * storage shapes.
+ *
+ * @param options {object}
+ * @param options.keysData {StoredKeys}   The parsed key file contents.
+ * @param options.keyId {string}   The verification method id to find.
+ * @returns {StoredKeyPair | undefined}   The matching key pair, or undefined.
+ */
+function selectStoredKey({ keysData, keyId }) {
+    if (keysData.id === keyId) {
+        return keysData;
+    }
+    const entry = keysData[keyId];
+    return entry?.id === keyId ? entry : undefined;
+}
+/**
+ * Returns whether the given key id appears in the DID document's
+ * `assertionMethod` relationship, matching either a string reference or the
+ * `id` of an embedded verification method object.
+ *
+ * @param options {object}
+ * @param options.didDocument {DidDocument}
+ * @param options.keyId {string}
+ * @returns {boolean}
+ */
+function isAuthorizedForAssertion({ didDocument, keyId }) {
+    const assertionMethod = didDocument.assertionMethod;
+    const entries = Array.isArray(assertionMethod)
+        ? assertionMethod
+        : assertionMethod
+            ? [assertionMethod]
+            : [];
+    return entries.some(entry => typeof entry === 'string' ? entry === keyId : entry.id === keyId);
+}
+/**
+ * Detects a stored key's type from its `publicKeyMultibase` header. Both
+ * ed25519 and ecdsa keys export with `type: "Multikey"`, so the multibase
+ * prefix is what distinguishes them: ecdsa P-256/P-384/P-521 keys carry the
+ * ecdsa-multikey headers, and everything else is treated as ed25519.
+ *
+ * @param options {object}
+ * @param options.storedKey {StoredKeyPair}   The exported key pair.
+ * @returns {KeyType}
+ */
+function detectKeyType({ storedKey }) {
+    return isEcdsaPublicKeyMultibase({
+        publicKeyMultibase: storedKey.publicKeyMultibase
+    })
+        ? 'ecdsa'
+        : 'ed25519';
+}
+/**
+ * Builds the @interop/vc signature suite for a stored key, loading the matching
+ * key pair, deriving a signer, and wiring the requested (or default) cryptosuite.
+ * The signing key's type selects the available suites: ed25519 keys sign with
+ * `eddsa-rdfc-2022` (default) or `Ed25519Signature2020`, and ecdsa keys sign
+ * with `ecdsa-rdfc-2019`.
+ *
+ * @param options {object}
+ * @param options.storedKey {StoredKeyPair}   The exported signing key pair.
+ * @param [options.suite] {string}   The requested suite, or undefined to use
+ *   the key type's default.
+ * @returns {Promise<DataIntegrityProof | Ed25519Signature2020>}
+ */
+async function buildSuite({ storedKey, suite }) {
+    const keyType = detectKeyType({ storedKey });
+    const resolvedSuite = suite ?? DEFAULT_SUITE[keyType];
+    const supported = SUPPORTED_SUITES[keyType];
+    if (!supported.includes(resolvedSuite)) {
+        throw new Error(`Suite ${resolvedSuite} is not supported for ${keyType} keys. ` +
+            `Supported: ${supported.join(', ')}`);
+    }
+    if (keyType === 'ecdsa') {
+        const keyPair = await EcdsaMultikey.from(storedKey);
+        const signer = keyPair.signer();
+        return new DataIntegrityProof({ signer, cryptosuite: ecdsaRdfc2019 });
+    }
+    const keyPair = await Ed25519VerificationKey.from(storedKey);
+    const signer = createSigner(keyPair);
+    switch (resolvedSuite) {
+        case 'eddsa-rdfc-2022':
+            return new DataIntegrityProof({ signer, cryptosuite: eddsaRdfc2022 });
+        case 'Ed25519Signature2020':
+            return new Ed25519Signature2020({ signer });
+        default:
+            // Unreachable: resolvedSuite was validated against SUPPORTED_SUITES above.
+            throw new Error(`Unknown suite: ${resolvedSuite}`);
+    }
+}
+/**
+ * Issues (signs) a credential with a locally-stored DID's assertionMethod key.
+ *
+ * When `keyId` is given it must be authorized by the DID's `assertionMethod`
+ * relationship; otherwise the first `assertionMethod` key is used. The matching
+ * secret key is loaded from the DID's `<did>.keys.json` file. The credential's
+ * `issuer` is set to the signing DID when absent, and must match it when present.
+ *
+ * @param options {object}
+ * @param options.credential {object}   The unsigned credential to issue.
+ * @param options.did {string}   The id of the stored DID to issue (sign) with.
+ * @param [options.keyId] {string}   The verification method id to use.
+ * @param [options.suite] {string}   The signature suite. Defaults to the signing
+ *   key type's default (`eddsa-rdfc-2022` for ed25519, `ecdsa-rdfc-2019` for
+ *   ecdsa).
+ * @returns {Promise<object>}   The issued credential.
+ */
+export async function issueCredential({ credential, did, keyId, suite }) {
+    const didDocument = await loadDidDocument(did);
+    reconcileIssuer({
+        credential: credential,
+        did: didDocument.id
+    });
+    let selectedKeyId;
+    if (keyId) {
+        if (!isAuthorizedForAssertion({ didDocument, keyId })) {
+            throw new Error("Specified key is not authorized by the DID's assertionMethod array");
+        }
+        selectedKeyId = keyId;
+    }
+    else {
+        const method = driver().publicMethodFor({
+            didDocument: didDocument,
+            purpose: 'assertionMethod'
+        });
+        selectedKeyId = method.id;
+    }
+    const keysData = await loadDidKeys(did);
+    const storedKey = selectStoredKey({ keysData, keyId: selectedKeyId });
+    if (!storedKey) {
+        throw new Error(`No stored secret key found for key id ${selectedKeyId} in DID ${did}`);
+    }
+    const signatureSuite = await buildSuite({ storedKey, suite });
+    return issue({
+        credential: credential,
+        suite: signatureSuite,
+        documentLoader: documentLoader
+    });
+}
+//# sourceMappingURL=issue.js.map

package/dist/vc/issue.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"issue.js","sourceRoot":"","sources":["../../src/vc/issue.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,OAAO,EAAE,MAAM,EAAE,MAAM,yBAAyB,CAAA;AAChD,OAAO,EAAE,sBAAsB,EAAE,MAAM,mCAAmC,CAAA;AAC1E,OAAO,EACL,oBAAoB,EACpB,YAAY,EACZ,aAAa,EACd,MAAM,4BAA4B,CAAA;AACnC,OAAO,KAAK,aAAa,MAAM,yBAAyB,CAAA;AACxD,OAAO,EAAE,aAAa,EAAE,MAAM,0BAA0B,CAAA;AACxD,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAA;AAClE,OAAO,EAAE,KAAK,EAAE,MAAM,aAAa,CAAA;AACnC,OAAO,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAA;AAClE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,eAAe,CAAA;AAC5D,OAAO,EAAE,yBAAyB,EAAE,MAAM,kBAAkB,CAAA;AAE5D;;;;GAIG;AACH,MAAM,cAAc,GAAG,cAAc,EAAE,CAAC,KAAK,EAAE,CAAA;AAE/C;;;;GAIG;AACH,MAAM,gBAAgB,GAAG;IACvB,OAAO,EAAE,CAAC,iBAAiB,EAAE,sBAAsB,CAAC;IACpD,KAAK,EAAE,CAAC,iBAAiB,CAAC;CAClB,CAAA;AAEV;;GAEG;AACH,MAAM,aAAa,GAAG;IACpB,OAAO,EAAE,iBAAiB;IAC1B,KAAK,EAAE,iBAAiB;CAChB,CAAA;AAqBV;;;;;;;;;;;GAWG;AACH,SAAS,eAAe,CAAC,EACvB,UAAU,EACV,GAAG,EAIJ;IACC,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAA;IAChC,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,UAAU,CAAC,MAAM,GAAG,GAAG,CAAA;QACvB,OAAM;IACR,CAAC;IACD,MAAM,QAAQ,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE,EAAE,CAAA;IACjE,IAAI,QAAQ,KAAK,GAAG,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CACb,6DAA6D;YAC3D,oDAAoD,CACvD,CAAA;IACH,CAAC;AACH,CAAC;AAqBD;;;;;;;;;GASG;AACH,SAAS,eAAe,CAAC,EACvB,QAAQ,EACR,KAAK,EAIN;IACC,IAAK,QAA0B,CAAC,EAAE,KAAK,KAAK,EAAE,CAAC;QAC7C,OAAO,QAAyB,CAAA;IAClC,CAAC;IACD,MAAM,KAAK,GAAI,QAA0C,CAAC,KAAK,CAAC,CAAA;IAChE,OAAO,KAAK,EAAE,EAAE,KAAK,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAA;AAChD,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,wBAAwB,CAAC,EAChC,WAAW,EACX,KAAK,EAIN;IACC,MAAM,eAAe,GAAG,WAAW,CAAC,eAAe,CAAA;IACnD,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC,eAAe,CAAC;QAC5C,CAAC,CAAC,eAAe;QACjB,CAAC,CAAC,eAAe;YACf,CAAC,CAAC,CAAC,eAAe,CAAC;YACnB,CAAC,CAAC,EAAE,CAAA;IACR,OAAO,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAC1B,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,KAAK,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,KAAK,KAAK,CACjE,CAAA;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,SAAS,aAAa,CAAC,EAAE,SAAS,EAAgC;IAChE,OAAO,yBAAyB,CAAC;QAC/B,kBAAkB,EAAE,SAAS,CAAC,kBAAkB;KACjD,CAAC;QACA,CAAC,CAAC,OAAO;QACT,CAAC,CAAC,SAAS,CAAA;AACf,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,KAAK,UAAU,UAAU,CAAC,EACxB,SAAS,EACT,KAAK,EAIN;IACC,MAAM,OAAO,GAAG,aAAa,CAAC,EAAE,SAAS,EAAE,CAAC,CAAA;IAC5C,MAAM,aAAa,GAAG,KAAK,IAAI,aAAa,CAAC,OAAO,CAAC,CAAA;IACrD,MAAM,SAAS,GAAsB,gBAAgB,CAAC,OAAO,CAAC,CAAA;IAC9D,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CACb,SAAS,aAAa,yBAAyB,OAAO,SAAS;YAC7D,cAAc,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CACvC,CAAA;IACH,CAAC;IAED,IAAI,OAAO,KAAK,OAAO,EAAE,CAAC;QACxB,MAAM,OAAO,GAAG,MAAM,aAAa,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;QACnD,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAA;QAC/B,OAAO,IAAI,kBAAkB,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,aAAa,EAAE,CAAC,CAAA;IACvE,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,sBAAsB,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;IAC5D,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,CAAC,CAAA;IACpC,QAAQ,aAAa,EAAE,CAAC;QACtB,KAAK,iBAAiB;YACpB,OAAO,IAAI,kBAAkB,CAAC,EAAE,MAAM,EAAE,WAAW,EAAE,aAAa,EAAE,CAAC,CAAA;QACvE,KAAK,sBAAsB;YACzB,OAAO,IAAI,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC,CAAA;QAC7C;YACE,2EAA2E;YAC3E,MAAM,IAAI,KAAK,CAAC,kBAAkB,aAAa,EAAE,CAAC,CAAA;IACtD,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,EACpC,UAAU,EACV,GAAG,EACH,KAAK,EACL,KAAK,EAMN;IACC,MAAM,WAAW,GAAG,MAAM,eAAe,CAAc,GAAG,CAAC,CAAA;IAE3D,eAAe,CAAC;QACd,UAAU,EAAE,UAAyC;QACrD,GAAG,EAAE,WAAW,CAAC,EAAE;KACpB,CAAC,CAAA;IAEF,IAAI,aAAqB,CAAA;IACzB,IAAI,KAAK,EAAE,CAAC;QACV,IAAI,CAAC,wBAAwB,CAAC,EAAE,WAAW,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC;YACtD,MAAM,IAAI,KAAK,CACb,oEAAoE,CACrE,CAAA;QACH,CAAC;QACD,aAAa,GAAG,KAAK,CAAA;IACvB,CAAC;SAAM,CAAC;QACN,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,eAAe,CAAC;YACtC,WAAW,EAAE,WAAoB;YACjC,OAAO,EAAE,iBAAiB;SAC3B,CAAmB,CAAA;QACpB,aAAa,GAAG,MAAM,CAAC,EAAE,CAAA;IAC3B,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAa,GAAG,CAAC,CAAA;IACnD,MAAM,SAAS,GAAG,eAAe,CAAC,EAAE,QAAQ,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC,CAAA;IACrE,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CACb,yCAAyC,aAAa,WAAW,GAAG,EAAE,CACvE,CAAA;IACH,CAAC;IAED,MAAM,cAAc,GAAG,MAAM,UAAU,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CAAA;IAE7D,OAAO,KAAK,CAAC;QACX,UAAU,EAAE,UAAmB;QAC/B,KAAK,EAAE,cAAuB;QAC9B,cAAc,EAAE,cAAuB;KACxC,CAAC,CAAA;AACJ,CAAC"}

package/dist/vc/registries.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Trusted DID registry configuration for credential verification.
+ *
+ * Provides the DCC "known registries" list consumed by both
+ * @interop/verifier-core (the `registries` option) and
+ * @digitalcredentials/issuer-registry-client. `loadKnownRegistries` fetches
+ * the canonical remote list at runtime and falls back to a bundled set of
+ * `dcc-legacy` entries when the network is unavailable.
+ */
+import type { EntityIdentityRegistry } from '@interop/verifier-core';
+/**
+ * Canonical DCC known-did-registries list. An array of EntityIdentityRegistry
+ * entries published by the Digital Credentials Consortium.
+ */
+export declare const KNOWN_REGISTRIES_URL = "https://digitalcredentials.github.io/dcc-known-registries/known-did-registries.json";
+/**
+ * Legacy DID registry URLs, used as a fallback when KNOWN_REGISTRIES_URL
+ * cannot be fetched. Each entry is tagged `type: 'dcc-legacy'` so it satisfies
+ * the EntityIdentityRegistry contract consumed by @interop/verifier-core and
+ * @digitalcredentials/issuer-registry-client.
+ */
+export declare const KnownDidRegistries: EntityIdentityRegistry[];
+/**
+ * Fetches the remote DCC known registries list, falling back to the bundled
+ * KnownDidRegistries const on any failure (logged to stderr).
+ *
+ * @returns {Promise<EntityIdentityRegistry[]>}
+ */
+export declare function loadKnownRegistries(): Promise<EntityIdentityRegistry[]>;
+//# sourceMappingURL=registries.d.ts.map

package/dist/vc/registries.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registries.d.ts","sourceRoot":"","sources":["../../src/vc/registries.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAA;AAEpE;;;GAGG;AACH,eAAO,MAAM,oBAAoB,wFACsD,CAAA;AAEvF;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,EAAE,sBAAsB,EAqBtD,CAAA;AAED;;;;;GAKG;AACH,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,sBAAsB,EAAE,CAAC,CAW7E"}

package/dist/vc/registries.js

@@ -0,0 +1,53 @@
+/**
+ * Canonical DCC known-did-registries list. An array of EntityIdentityRegistry
+ * entries published by the Digital Credentials Consortium.
+ */
+export const KNOWN_REGISTRIES_URL = 'https://digitalcredentials.github.io/dcc-known-registries/known-did-registries.json';
+/**
+ * Legacy DID registry URLs, used as a fallback when KNOWN_REGISTRIES_URL
+ * cannot be fetched. Each entry is tagged `type: 'dcc-legacy'` so it satisfies
+ * the EntityIdentityRegistry contract consumed by @interop/verifier-core and
+ * @digitalcredentials/issuer-registry-client.
+ */
+export const KnownDidRegistries = [
+    {
+        type: 'dcc-legacy',
+        name: 'DCC Pilot Registry',
+        url: 'https://digitalcredentials.github.io/issuer-registry/registry.json'
+    },
+    {
+        type: 'dcc-legacy',
+        name: 'DCC Sandbox Registry',
+        url: 'https://digitalcredentials.github.io/sandbox-registry/registry.json'
+    },
+    {
+        type: 'dcc-legacy',
+        name: 'DCC Community Registry',
+        url: 'https://digitalcredentials.github.io/community-registry/registry.json'
+    },
+    {
+        type: 'dcc-legacy',
+        name: 'DCC Registry',
+        url: 'https://digitalcredentials.github.io/dcc-registry/registry.json'
+    }
+];
+/**
+ * Fetches the remote DCC known registries list, falling back to the bundled
+ * KnownDidRegistries const on any failure (logged to stderr).
+ *
+ * @returns {Promise<EntityIdentityRegistry[]>}
+ */
+export async function loadKnownRegistries() {
+    try {
+        const response = await fetch(KNOWN_REGISTRIES_URL);
+        if (!response.ok) {
+            throw new Error(`Registry fetch failed: ${response.status}`);
+        }
+        return (await response.json());
+    }
+    catch (err) {
+        console.error('Using fallback KnownDidRegistries:', err);
+        return KnownDidRegistries;
+    }
+}
+//# sourceMappingURL=registries.js.map

package/dist/vc/registries.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registries.js","sourceRoot":"","sources":["../../src/vc/registries.ts"],"names":[],"mappings":"AAWA;;;GAGG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAC/B,qFAAqF,CAAA;AAEvF;;;;;GAKG;AACH,MAAM,CAAC,MAAM,kBAAkB,GAA6B;IAC1D;QACE,IAAI,EAAE,YAAY;QAClB,IAAI,EAAE,oBAAoB;QAC1B,GAAG,EAAE,oEAAoE;KAC1E;IACD;QACE,IAAI,EAAE,YAAY;QAClB,IAAI,EAAE,sBAAsB;QAC5B,GAAG,EAAE,qEAAqE;KAC3E;IACD;QACE,IAAI,EAAE,YAAY;QAClB,IAAI,EAAE,wBAAwB;QAC9B,GAAG,EAAE,uEAAuE;KAC7E;IACD;QACE,IAAI,EAAE,YAAY;QAClB,IAAI,EAAE,cAAc;QACpB,GAAG,EAAE,iEAAiE;KACvE;CACF,CAAA;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,oBAAoB,CAAC,CAAA;QAClD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,0BAA0B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAA;QAC9D,CAAC;QACD,OAAO,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAA6B,CAAA;IAC5D,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CAAC,oCAAoC,EAAE,GAAG,CAAC,CAAA;QACxD,OAAO,kBAAkB,CAAA;IAC3B,CAAC;AACH,CAAC"}

package/dist/vc/registryManager.d.ts

@@ -0,0 +1,25 @@
+/**
+ * Shared issuer registry client. Holds a module-level singleton
+ * `RegistryClient` (from @digitalcredentials/issuer-registry-client) loaded
+ * once with the configured registries, so the issuer-details verification
+ * suite can look up rich issuer metadata without re-parsing the registry
+ * config on every credential. Keeps registry fetch/caching out of the hot
+ * path. Used by `issuerDetailsSuite`.
+ */
+import { RegistryClient } from '@digitalcredentials/issuer-registry-client';
+import type { EntityIdentityRegistry } from '@interop/verifier-core';
+/**
+ * Returns a process-wide singleton RegistryClient, loading it with the given
+ * registries on first call. Subsequent calls return the same instance and
+ * ignore their `registries` argument (the first caller wins) -- the registry
+ * config is app-wide and stable for the lifetime of the session.
+ *
+ * @param options {object}
+ * @param options.registries {EntityIdentityRegistry[]}   Registries to load on
+ *   first initialization.
+ * @returns {RegistryClient}
+ */
+export declare function getCachedRegistryClient({ registries }: {
+    registries: EntityIdentityRegistry[];
+}): RegistryClient;
+//# sourceMappingURL=registryManager.d.ts.map

package/dist/vc/registryManager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"registryManager.d.ts","sourceRoot":"","sources":["../../src/vc/registryManager.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,EAAE,cAAc,EAAE,MAAM,4CAA4C,CAAA;AAC3E,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAA;AAIpE;;;;;;;;;;GAUG;AACH,wBAAgB,uBAAuB,CAAC,EACtC,UAAU,EACX,EAAE;IACD,UAAU,EAAE,sBAAsB,EAAE,CAAA;CACrC,GAAG,cAAc,CAMjB"}

package/dist/vc/registryManager.js

@@ -0,0 +1,29 @@
+/**
+ * Shared issuer registry client. Holds a module-level singleton
+ * `RegistryClient` (from @digitalcredentials/issuer-registry-client) loaded
+ * once with the configured registries, so the issuer-details verification
+ * suite can look up rich issuer metadata without re-parsing the registry
+ * config on every credential. Keeps registry fetch/caching out of the hot
+ * path. Used by `issuerDetailsSuite`.
+ */
+import { RegistryClient } from '@digitalcredentials/issuer-registry-client';
+let cachedClient;
+/**
+ * Returns a process-wide singleton RegistryClient, loading it with the given
+ * registries on first call. Subsequent calls return the same instance and
+ * ignore their `registries` argument (the first caller wins) -- the registry
+ * config is app-wide and stable for the lifetime of the session.
+ *
+ * @param options {object}
+ * @param options.registries {EntityIdentityRegistry[]}   Registries to load on
+ *   first initialization.
+ * @returns {RegistryClient}
+ */
+export function getCachedRegistryClient({ registries }) {
+    if (!cachedClient) {
+        cachedClient = new RegistryClient();
+        cachedClient.use({ registries });
+    }
+    return cachedClient;
+}
+//# sourceMappingURL=registryManager.js.map

package/dist/vc/registryManager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"registryManager.js","sourceRoot":"","sources":["../../src/vc/registryManager.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AACH,OAAO,EAAE,cAAc,EAAE,MAAM,4CAA4C,CAAA;AAG3E,IAAI,YAAwC,CAAA;AAE5C;;;;;;;;;;GAUG;AACH,MAAM,UAAU,uBAAuB,CAAC,EACtC,UAAU,EAGX;IACC,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,YAAY,GAAG,IAAI,cAAc,EAAE,CAAA;QACnC,YAAY,CAAC,GAAG,CAAC,EAAE,UAAU,EAAE,CAAC,CAAA;IAClC,CAAC;IACD,OAAO,YAAY,CAAA;AACrB,CAAC"}

package/dist/vc/suites/expirationSuite.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Custom verification suite that re-adds the credential expiration check the
+ * un-bundled @interop/verifier-core removed ("to be added in future"). It is
+ * appended to the pipeline via `additionalSuites` and reads the credential's
+ * expiry off the verification subject, comparing it against the injected
+ * `timeService`. Kept deliberately small so it can be deleted in favor of the
+ * built-in check once expiration returns upstream.
+ *
+ * Severity: non-fatal (a warning), matching the model where expiration is a
+ * soft check rather than a hard cryptographic failure.
+ */
+import type { VerificationSuite } from '@interop/verifier-core';
+/**
+ * Own problem `type` URI for an expired credential. The fork has no built-in
+ * EXPIRED problem type, so we mint one in the did-cli namespace.
+ */
+export declare const EXPIRED_PROBLEM_TYPE = "urn:did-cli:problem:EXPIRED";
+/**
+ * The expiration suite, appended to the verifier pipeline via
+ * `additionalSuites`.
+ */
+export declare const expirationSuite: VerificationSuite;
+//# sourceMappingURL=expirationSuite.d.ts.map

package/dist/vc/suites/expirationSuite.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"expirationSuite.d.ts","sourceRoot":"","sources":["../../../src/vc/suites/expirationSuite.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,KAAK,EAKV,iBAAiB,EAClB,MAAM,wBAAwB,CAAA;AAE/B;;;GAGG;AACH,eAAO,MAAM,oBAAoB,gCAAgC,CAAA;AAqFjE;;;GAGG;AACH,eAAO,MAAM,eAAe,EAAE,iBAM7B,CAAA"}

package/dist/vc/suites/expirationSuite.js

@@ -0,0 +1,84 @@
+/**
+ * Own problem `type` URI for an expired credential. The fork has no built-in
+ * EXPIRED problem type, so we mint one in the did-cli namespace.
+ */
+export const EXPIRED_PROBLEM_TYPE = 'urn:did-cli:problem:EXPIRED';
+/**
+ * Reads the credential's expiry instant, preferring the VC 2.0 `validUntil`
+ * property and falling back to the VC 1.x `expirationDate`.
+ *
+ * @param credential {Record<string, unknown>}
+ * @returns {string | undefined}   The ISO date string, or undefined when none.
+ */
+function getExpirationIso(credential) {
+    const validUntil = credential.validUntil;
+    if (typeof validUntil === 'string' && validUntil) {
+        return validUntil;
+    }
+    const expirationDate = credential.expirationDate;
+    if (typeof expirationDate === 'string' && expirationDate) {
+        return expirationDate;
+    }
+    return undefined;
+}
+const expirationCheck = {
+    id: 'validity.expiration',
+    name: 'Credential Expiration Check',
+    description: 'Verifies the credential is within its validity period (validUntil / expirationDate).',
+    fatal: false,
+    appliesTo: ['verifiableCredential'],
+    execute: async (subject, context) => {
+        const credential = subject.verifiableCredential;
+        if (!credential) {
+            return {
+                status: 'skipped',
+                reason: 'No verifiable credential found in subject.'
+            };
+        }
+        const expirationIso = getExpirationIso(credential);
+        if (!expirationIso) {
+            return {
+                status: 'skipped',
+                reason: 'Credential has no expiration date.'
+            };
+        }
+        const expiresMs = new Date(expirationIso).getTime();
+        if (Number.isNaN(expiresMs)) {
+            return {
+                status: 'skipped',
+                reason: 'Credential expiration date is not a valid date.'
+            };
+        }
+        const nowMs = context.timeService
+            ? context.timeService.dateNowMs()
+            : Date.now();
+        if (expiresMs >= nowMs) {
+            return {
+                status: 'success',
+                message: `Credential is within its validity period (expires ${expirationIso}).`
+            };
+        }
+        return {
+            status: 'failure',
+            problems: [
+                {
+                    type: EXPIRED_PROBLEM_TYPE,
+                    title: 'Credential Expired',
+                    detail: `Credential expired on ${expirationIso}.`
+                }
+            ]
+        };
+    }
+};
+/**
+ * The expiration suite, appended to the verifier pipeline via
+ * `additionalSuites`.
+ */
+export const expirationSuite = {
+    id: 'validity',
+    name: 'Validity Period',
+    description: 'Checks the credential expiration / validity period.',
+    phase: 'cryptographic',
+    checks: [expirationCheck]
+};
+//# sourceMappingURL=expirationSuite.js.map

package/dist/vc/suites/expirationSuite.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"expirationSuite.js","sourceRoot":"","sources":["../../../src/vc/suites/expirationSuite.ts"],"names":[],"mappings":"AAmBA;;;GAGG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,6BAA6B,CAAA;AAEjE;;;;;;GAMG;AACH,SAAS,gBAAgB,CACvB,UAAmC;IAEnC,MAAM,UAAU,GAAG,UAAU,CAAC,UAAU,CAAA;IACxC,IAAI,OAAO,UAAU,KAAK,QAAQ,IAAI,UAAU,EAAE,CAAC;QACjD,OAAO,UAAU,CAAA;IACnB,CAAC;IACD,MAAM,cAAc,GAAG,UAAU,CAAC,cAAc,CAAA;IAChD,IAAI,OAAO,cAAc,KAAK,QAAQ,IAAI,cAAc,EAAE,CAAC;QACzD,OAAO,cAAc,CAAA;IACvB,CAAC;IACD,OAAO,SAAS,CAAA;AAClB,CAAC;AAED,MAAM,eAAe,GAAsB;IACzC,EAAE,EAAE,qBAAqB;IACzB,IAAI,EAAE,6BAA6B;IACnC,WAAW,EACT,sFAAsF;IACxF,KAAK,EAAE,KAAK;IACZ,SAAS,EAAE,CAAC,sBAAsB,CAAC;IACnC,OAAO,EAAE,KAAK,EACZ,OAA4B,EAC5B,OAA4B,EACL,EAAE;QACzB,MAAM,UAAU,GAAG,OAAO,CAAC,oBAEd,CAAA;QAEb,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,4CAA4C;aACrD,CAAA;QACH,CAAC;QAED,MAAM,aAAa,GAAG,gBAAgB,CAAC,UAAU,CAAC,CAAA;QAClD,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,oCAAoC;aAC7C,CAAA;QACH,CAAC;QAED,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE,CAAA;QACnD,IAAI,MAAM,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;YAC5B,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,MAAM,EAAE,iDAAiD;aAC1D,CAAA;QACH,CAAC;QAED,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW;YAC/B,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,SAAS,EAAE;YACjC,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAAA;QAEd,IAAI,SAAS,IAAI,KAAK,EAAE,CAAC;YACvB,OAAO;gBACL,MAAM,EAAE,SAAS;gBACjB,OAAO,EAAE,qDAAqD,aAAa,IAAI;aAChF,CAAA;QACH,CAAC;QAED,OAAO;YACL,MAAM,EAAE,SAAS;YACjB,QAAQ,EAAE;gBACR;oBACE,IAAI,EAAE,oBAAoB;oBAC1B,KAAK,EAAE,oBAAoB;oBAC3B,MAAM,EAAE,yBAAyB,aAAa,GAAG;iBAClD;aACF;SACF,CAAA;IACH,CAAC;CACF,CAAA;AAED;;;GAGG;AACH,MAAM,CAAC,MAAM,eAAe,GAAsB;IAChD,EAAE,EAAE,UAAU;IACd,IAAI,EAAE,iBAAiB;IACvB,WAAW,EAAE,qDAAqD;IAClE,KAAK,EAAE,eAAe;IACtB,MAAM,EAAE,CAAC,eAAe,CAAC;CAC1B,CAAA"}

package/dist/vc/suites/issuerDetailsSuite.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Custom verification suite that surfaces rich issuer registry metadata.
+ *
+ * The un-bundled @interop/verifier-core gutted the registry check down to a
+ * boolean `{ found, matchingRegistries }` and discards the rich issuer
+ * payload (logo, legal name, homepage, registry org). This suite restores it:
+ * it calls @digitalcredentials/issuer-registry-client's `lookupIssuersFor`
+ * via the shared singleton client and returns the full `matchingIssuers`
+ * entries on the check `outcome.payload` -- the same channel the verifier's
+ * own `recognition.profile` uses. `verify.ts` reads this payload back into the
+ * `--summary` output's `matchingIssuers`.
+ *
+ * Severity: non-fatal (a warning) -- an unrecognized issuer is informational,
+ * not a hard cryptographic failure.
+ */
+import type { VerificationSuite } from '@interop/verifier-core';
+/**
+ * The issuer-details suite, appended to the verifier pipeline via
+ * `additionalSuites`. This is the authoritative source of rich issuer data.
+ */
+export declare const issuerDetailsSuite: VerificationSuite;
+//# sourceMappingURL=issuerDetailsSuite.d.ts.map

package/dist/vc/suites/issuerDetailsSuite.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"issuerDetailsSuite.d.ts","sourceRoot":"","sources":["../../../src/vc/suites/issuerDetailsSuite.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,OAAO,KAAK,EAKV,iBAAiB,EAClB,MAAM,wBAAwB,CAAA;AAyE/B;;;GAGG;AACH,eAAO,MAAM,kBAAkB,EAAE,iBAMhC,CAAA"}

package/dist/vc/suites/issuerDetailsSuite.js

@@ -0,0 +1,69 @@
+import { getCachedRegistryClient } from '../registryManager.js';
+/**
+ * Extracts the issuer DID from a credential, handling both the string and
+ * `{ id }` object forms of the `issuer` property.
+ *
+ * @param credential {Record<string, unknown>}
+ * @returns {string | undefined}
+ */
+function getIssuerDid(credential) {
+    const issuer = credential.issuer;
+    if (typeof issuer === 'string') {
+        return issuer;
+    }
+    if (issuer && typeof issuer === 'object' && typeof issuer.id === 'string') {
+        return issuer.id;
+    }
+    return undefined;
+}
+const issuerDetailsCheck = {
+    id: 'trust.issuer-details',
+    name: 'Issuer Registry Details',
+    description: 'Looks up rich issuer metadata for the credential issuer in the configured registries.',
+    fatal: false,
+    appliesTo: ['verifiableCredential'],
+    execute: async (subject, context) => {
+        const credential = subject.verifiableCredential;
+        if (!credential) {
+            return {
+                status: 'skipped',
+                reason: 'No verifiable credential found in subject.'
+            };
+        }
+        if (!context.registries || context.registries.length === 0) {
+            return {
+                status: 'skipped',
+                reason: 'No registries configured in verification context.'
+            };
+        }
+        const issuerDid = getIssuerDid(credential);
+        if (!issuerDid) {
+            return {
+                status: 'skipped',
+                reason: 'Credential has no issuer DID.'
+            };
+        }
+        const client = getCachedRegistryClient({ registries: context.registries });
+        const { matchingIssuers } = await client.lookupIssuersFor(issuerDid);
+        const count = matchingIssuers.length;
+        return {
+            status: 'success',
+            message: count > 0
+                ? `Issuer found in ${count} registr${count === 1 ? 'y' : 'ies'}.`
+                : 'Issuer not found in any configured registry.',
+            payload: { matchingIssuers }
+        };
+    }
+};
+/**
+ * The issuer-details suite, appended to the verifier pipeline via
+ * `additionalSuites`. This is the authoritative source of rich issuer data.
+ */
+export const issuerDetailsSuite = {
+    id: 'trust',
+    name: 'Issuer Trust',
+    description: 'Surfaces rich issuer registry metadata.',
+    phase: 'trust',
+    checks: [issuerDetailsCheck]
+};
+//# sourceMappingURL=issuerDetailsSuite.js.map