@interop/did-cli 0.6.0

package/dist/zcap/delegate.d.ts

@@ -0,0 +1,44 @@
+import type { IDelegatedZcap, IZcap } from '@interop/data-integrity-core/zcap';
+/**
+ * Signs a delegated capability.
+ *
+ * Exactly one of `url` (first-level delegation from the root capability for that
+ * target) or `capability` (further delegation of an existing capability) drives
+ * the parent; `invocationTarget` narrows the target when delegating an existing
+ * capability. Expiration is `expires` (an ISO 8601 date) when given, otherwise
+ * derived from `ttl`.
+ *
+ * @param options {object}
+ * @param [options.did] {string}   The id of a stored DID to sign with.
+ * @param [options.controller] {string}   The expected controller DID, when
+ *   signing via `ZCAP_CONTROLLER_KEY_SEED`.
+ * @param options.delegatee {string}   The DID to delegate to (the new
+ *   capability's controller).
+ * @param [options.url] {string}   The invocation target for a first-level
+ *   delegation from the root capability.
+ * @param [options.capability] {IZcap}   A parent capability to delegate (already
+ *   decoded from its multibase string or a JSON file).
+ * @param [options.invocationTarget] {string}   An attenuated invocation target.
+ * @param [options.allow] {string[]}   Allowed actions; omitted inherits the
+ *   parent's actions.
+ * @param [options.ttl] {string}   Time-to-live for expiration (default `1y`).
+ * @param [options.expires] {string}   Explicit ISO 8601 expiration (overrides
+ *   `ttl`).
+ * @returns {Promise<{delegatedCapability: IDelegatedZcap, encoded: string}>}
+ *   The signed delegated capability and its multibase (base58btc) encoding.
+ */
+export declare function delegateCapability({ did, controller, delegatee, url, capability, invocationTarget, allow, ttl, expires }: {
+    did?: string;
+    controller?: string;
+    delegatee: string;
+    url?: string;
+    capability?: IZcap;
+    invocationTarget?: string;
+    allow?: string[];
+    ttl?: string;
+    expires?: string;
+}): Promise<{
+    delegatedCapability: IDelegatedZcap;
+    encoded: string;
+}>;
+//# sourceMappingURL=delegate.d.ts.map

package/dist/zcap/delegate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"delegate.d.ts","sourceRoot":"","sources":["../../src/zcap/delegate.ts"],"names":[],"mappings":"AAmBA,OAAO,KAAK,EAAE,cAAc,EAAE,KAAK,EAAE,MAAM,mCAAmC,CAAA;AAW9E;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,wBAAsB,kBAAkB,CAAC,EACvC,GAAG,EACH,UAAU,EACV,SAAS,EACT,GAAG,EACH,UAAU,EACV,gBAAgB,EAChB,KAAK,EACL,GAAU,EACV,OAAO,EACR,EAAE;IACD,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB,SAAS,EAAE,MAAM,CAAA;IACjB,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,UAAU,CAAC,EAAE,KAAK,CAAA;IAClB,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;IAChB,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB,GAAG,OAAO,CAAC;IAAE,mBAAmB,EAAE,cAAc,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC,CAuBpE"}

package/dist/zcap/delegate.js

@@ -0,0 +1,77 @@
+/**
+ * Delegated Authorization Capability (zcap) signing.
+ *
+ * `delegateCapability` signs a delegated capability using @interop/ezcap's
+ * `ZcapClient.delegate`, which builds the delegated zcap (id, controller,
+ * parent, invocation target, expiration, allowed actions), auto-computes the
+ * capability chain, and signs it with the delegator's `capabilityDelegation`
+ * key. For a first-level delegation the parent is the root capability generated
+ * from the invocation target; for further (attenuated) delegation a decoded
+ * parent capability is passed instead. The signing key is resolved from a stored
+ * DID or `ZCAP_CONTROLLER_KEY_SEED` (see `loadDelegationSigner`).
+ *
+ * The document loader is `@interop/security-document-loader`'s loader, which
+ * already bundles the zcap JSON-LD context (and the ed25519-2020 suite context),
+ * so it can be passed to `ZcapClient` as-is.
+ */
+import { Ed25519Signature2020 } from '@interop/ed25519-signature';
+import { ZcapClient } from '@interop/ezcap';
+import { securityLoader } from '@interop/security-document-loader';
+import { encodeCapability } from './encoding.js';
+import { expiresFromTtl } from './ttl.js';
+import { loadDelegationSigner } from './signer.js';
+/**
+ * Offline document loader for signing: bundles the zcap, VC, Data Integrity, and
+ * suite contexts plus a did:key resolver. Built once and reused across calls.
+ */
+const documentLoader = securityLoader().build();
+/**
+ * Signs a delegated capability.
+ *
+ * Exactly one of `url` (first-level delegation from the root capability for that
+ * target) or `capability` (further delegation of an existing capability) drives
+ * the parent; `invocationTarget` narrows the target when delegating an existing
+ * capability. Expiration is `expires` (an ISO 8601 date) when given, otherwise
+ * derived from `ttl`.
+ *
+ * @param options {object}
+ * @param [options.did] {string}   The id of a stored DID to sign with.
+ * @param [options.controller] {string}   The expected controller DID, when
+ *   signing via `ZCAP_CONTROLLER_KEY_SEED`.
+ * @param options.delegatee {string}   The DID to delegate to (the new
+ *   capability's controller).
+ * @param [options.url] {string}   The invocation target for a first-level
+ *   delegation from the root capability.
+ * @param [options.capability] {IZcap}   A parent capability to delegate (already
+ *   decoded from its multibase string or a JSON file).
+ * @param [options.invocationTarget] {string}   An attenuated invocation target.
+ * @param [options.allow] {string[]}   Allowed actions; omitted inherits the
+ *   parent's actions.
+ * @param [options.ttl] {string}   Time-to-live for expiration (default `1y`).
+ * @param [options.expires] {string}   Explicit ISO 8601 expiration (overrides
+ *   `ttl`).
+ * @returns {Promise<{delegatedCapability: IDelegatedZcap, encoded: string}>}
+ *   The signed delegated capability and its multibase (base58btc) encoding.
+ */
+export async function delegateCapability({ did, controller, delegatee, url, capability, invocationTarget, allow, ttl = '1y', expires }) {
+    const delegationSigner = await loadDelegationSigner({ did, controller });
+    const client = new ZcapClient({
+        SuiteClass: Ed25519Signature2020,
+        delegationSigner,
+        documentLoader
+    });
+    const expiresValue = expires ?? expiresFromTtl(ttl);
+    const target = invocationTarget ?? url;
+    const delegatedCapability = await client.delegate({
+        capability,
+        controller: delegatee,
+        invocationTarget: target,
+        expires: expiresValue,
+        allowedActions: allow
+    });
+    return {
+        delegatedCapability,
+        encoded: encodeCapability(delegatedCapability)
+    };
+}
+//# sourceMappingURL=delegate.js.map

package/dist/zcap/delegate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"delegate.js","sourceRoot":"","sources":["../../src/zcap/delegate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;GAeG;AACH,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAA;AACjE,OAAO,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAA;AAC3C,OAAO,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAA;AAElE,OAAO,EAAE,gBAAgB,EAAE,MAAM,eAAe,CAAA;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAA;AACzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAA;AAElD;;;GAGG;AACH,MAAM,cAAc,GAAG,cAAc,EAAE,CAAC,KAAK,EAAE,CAAA;AAE/C;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,EACvC,GAAG,EACH,UAAU,EACV,SAAS,EACT,GAAG,EACH,UAAU,EACV,gBAAgB,EAChB,KAAK,EACL,GAAG,GAAG,IAAI,EACV,OAAO,EAWR;IACC,MAAM,gBAAgB,GAAG,MAAM,oBAAoB,CAAC,EAAE,GAAG,EAAE,UAAU,EAAE,CAAC,CAAA;IACxE,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC;QAC5B,UAAU,EAAE,oBAAoB;QAChC,gBAAgB;QAChB,cAAc;KACf,CAAC,CAAA;IAEF,MAAM,YAAY,GAAG,OAAO,IAAI,cAAc,CAAC,GAAG,CAAC,CAAA;IACnD,MAAM,MAAM,GAAG,gBAAgB,IAAI,GAAG,CAAA;IAEtC,MAAM,mBAAmB,GAAG,MAAM,MAAM,CAAC,QAAQ,CAAC;QAChD,UAAU;QACV,UAAU,EAAE,SAAS;QACrB,gBAAgB,EAAE,MAAM;QACxB,OAAO,EAAE,YAAY;QACrB,cAAc,EAAE,KAAK;KACtB,CAAC,CAAA;IAEF,OAAO;QACL,mBAAmB;QACnB,OAAO,EAAE,gBAAgB,CAAC,mBAAmB,CAAC;KAC/C,CAAA;AACH,CAAC"}

package/dist/zcap/encoding.d.ts

@@ -0,0 +1,17 @@
+import type { IZcap } from '@interop/data-integrity-core/zcap';
+/**
+ * Encodes a capability as a multibase (base58btc) string.
+ *
+ * @param capability {IZcap}   The root or delegated capability to encode.
+ * @returns {string}   The capability JSON, base58btc-encoded with a leading `z`.
+ */
+export declare function encodeCapability(capability: IZcap): string;
+/**
+ * Decodes a multibase (base58btc) capability string back into a capability.
+ *
+ * @param encoded {string}   A `z`-prefixed base58btc string from
+ *   `encodeCapability`.
+ * @returns {IZcap}   The decoded root or delegated capability.
+ */
+export declare function decodeCapability(encoded: string): IZcap;
+//# sourceMappingURL=encoding.d.ts.map

package/dist/zcap/encoding.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"encoding.d.ts","sourceRoot":"","sources":["../../src/zcap/encoding.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,mCAAmC,CAAA;AAE9D;;;;;GAKG;AACH,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,KAAK,GAAG,MAAM,CAG1D;AAED;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,KAAK,CAQvD"}

package/dist/zcap/encoding.js

@@ -0,0 +1,37 @@
+/**
+ * Multibase (base58btc) encoding for Authorization Capabilities (zcaps).
+ *
+ * The CLI prints an `encoded` form alongside each capability: the capability's
+ * JSON serialized to UTF-8 bytes, base58btc-encoded, with a leading `z`
+ * multibase prefix (matching the legacy did-cli output). `decodeCapability`
+ * reverses this so a delegated capability can be passed back in via
+ * `zcap delegate --capability`. Uses `@scure/base`'s `base58` (the same base58
+ * implementation used by `@interop/ed25519-verification-key`), which operates on
+ * raw base58 without a multibase prefix, so the `z` is added/stripped here.
+ */
+import { base58 } from '@scure/base';
+/**
+ * Encodes a capability as a multibase (base58btc) string.
+ *
+ * @param capability {IZcap}   The root or delegated capability to encode.
+ * @returns {string}   The capability JSON, base58btc-encoded with a leading `z`.
+ */
+export function encodeCapability(capability) {
+    const bytes = new TextEncoder().encode(JSON.stringify(capability));
+    return `z${base58.encode(bytes)}`;
+}
+/**
+ * Decodes a multibase (base58btc) capability string back into a capability.
+ *
+ * @param encoded {string}   A `z`-prefixed base58btc string from
+ *   `encodeCapability`.
+ * @returns {IZcap}   The decoded root or delegated capability.
+ */
+export function decodeCapability(encoded) {
+    if (!encoded.startsWith('z')) {
+        throw new Error('Encoded capability must be a multibase base58btc string (leading "z").');
+    }
+    const bytes = base58.decode(encoded.slice(1));
+    return JSON.parse(new TextDecoder().decode(bytes));
+}
+//# sourceMappingURL=encoding.js.map

package/dist/zcap/encoding.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"encoding.js","sourceRoot":"","sources":["../../src/zcap/encoding.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAA;AAGpC;;;;;GAKG;AACH,MAAM,UAAU,gBAAgB,CAAC,UAAiB;IAChD,MAAM,KAAK,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAAA;IAClE,OAAO,IAAI,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAA;AACnC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAe;IAC9C,IAAI,CAAC,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CACb,wEAAwE,CACzE,CAAA;IACH,CAAC;IACD,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAA;IAC7C,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAU,CAAA;AAC7D,CAAC"}

package/dist/zcap/signer.d.ts

@@ -0,0 +1,20 @@
+import type { ISigner } from '@interop/data-integrity-core';
+/**
+ * Loads the delegation signer for `zcap delegate`.
+ *
+ * When `did` is given, the signer is loaded from the locally-stored DID and its
+ * secret key file. Otherwise the `ZCAP_CONTROLLER_KEY_SEED` environment variable
+ * is required and the `did:key` is regenerated from it, with `controller` used
+ * to verify the regenerated DID matches the caller's expectation.
+ *
+ * @param options {object}
+ * @param [options.did] {string}   The id of a locally-stored DID to sign with.
+ * @param [options.controller] {string}   The expected controller DID, required
+ *   (and verified) when signing via `ZCAP_CONTROLLER_KEY_SEED`.
+ * @returns {Promise<ISigner>}   The `capabilityDelegation` signer.
+ */
+export declare function loadDelegationSigner({ did, controller }: {
+    did?: string;
+    controller?: string;
+}): Promise<ISigner>;
+//# sourceMappingURL=signer.d.ts.map

package/dist/zcap/signer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.d.ts","sourceRoot":"","sources":["../../src/zcap/signer.ts"],"names":[],"mappings":"AAkBA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,8BAA8B,CAAA;AAqB3D;;;;;;;;;;;;;GAaG;AACH,wBAAsB,oBAAoB,CAAC,EACzC,GAAG,EACH,UAAU,EACX,EAAE;IACD,GAAG,CAAC,EAAE,MAAM,CAAA;IACZ,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB,GAAG,OAAO,CAAC,OAAO,CAAC,CAoCnB"}

package/dist/zcap/signer.js

@@ -0,0 +1,62 @@
+/**
+ * Loads the `capabilityDelegation` signer used to sign delegated capabilities.
+ *
+ * Two key-sourcing modes are supported, mirroring the rest of the CLI and the
+ * legacy did-cli respectively:
+ *
+ * - Stored DID (`--did`): the DID document and its secret key are read from
+ *   local storage (`~/.config/did-cli-wallet/dids/`, the store written by `id create --save`),
+ *   exactly as `vc issue` loads its signing key. For `did:key` the single key
+ *   serves the `capabilityDelegation` relationship.
+ * - Env seed (`ZCAP_CONTROLLER_KEY_SEED` + `--controller`): the `did:key` is
+ *   regenerated from the seed, its id is checked against `--controller`, and the
+ *   `capabilityDelegation` key is used to sign.
+ */
+import { decodeSecretKeySeed } from '@digitalcredentials/bnid';
+import { driver } from '@interop/did-method-key';
+import { Ed25519VerificationKey } from '@interop/ed25519-verification-key';
+import { createSigner } from '@interop/ed25519-signature';
+import { loadDidDocument, loadDidKeys } from '../storage.js';
+/**
+ * Loads the delegation signer for `zcap delegate`.
+ *
+ * When `did` is given, the signer is loaded from the locally-stored DID and its
+ * secret key file. Otherwise the `ZCAP_CONTROLLER_KEY_SEED` environment variable
+ * is required and the `did:key` is regenerated from it, with `controller` used
+ * to verify the regenerated DID matches the caller's expectation.
+ *
+ * @param options {object}
+ * @param [options.did] {string}   The id of a locally-stored DID to sign with.
+ * @param [options.controller] {string}   The expected controller DID, required
+ *   (and verified) when signing via `ZCAP_CONTROLLER_KEY_SEED`.
+ * @returns {Promise<ISigner>}   The `capabilityDelegation` signer.
+ */
+export async function loadDelegationSigner({ did, controller }) {
+    if (did) {
+        await loadDidDocument(did);
+        const keysData = await loadDidKeys(did);
+        const keyPair = await Ed25519VerificationKey.from(keysData);
+        return createSigner(keyPair);
+    }
+    const secretKeySeed = process.env.ZCAP_CONTROLLER_KEY_SEED;
+    if (!secretKeySeed) {
+        throw new Error('Provide --did (a stored DID) or set ZCAP_CONTROLLER_KEY_SEED with ' +
+            '--controller to sign the delegation.');
+    }
+    if (!controller) {
+        throw new Error('--controller is required when signing via ZCAP_CONTROLLER_KEY_SEED.');
+    }
+    const seedBytes = decodeSecretKeySeed({ secretKeySeed });
+    const didDriver = driver();
+    didDriver.use({ keyPairClass: Ed25519VerificationKey });
+    const { didDocument, methodFor } = await didDriver.generate({
+        seed: seedBytes
+    });
+    if (didDocument.id !== controller) {
+        throw new Error(`The DID generated from ZCAP_CONTROLLER_KEY_SEED (${didDocument.id}) ` +
+            `does not match --controller (${controller}).`);
+    }
+    const delegationKey = methodFor({ purpose: 'capabilityDelegation' });
+    return createSigner(delegationKey);
+}
+//# sourceMappingURL=signer.js.map

package/dist/zcap/signer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.js","sourceRoot":"","sources":["../../src/zcap/signer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AACH,OAAO,EAAE,mBAAmB,EAAE,MAAM,0BAA0B,CAAA;AAC9D,OAAO,EAAE,MAAM,EAAE,MAAM,yBAAyB,CAAA;AAChD,OAAO,EAAE,sBAAsB,EAAE,MAAM,mCAAmC,CAAA;AAC1E,OAAO,EAAE,YAAY,EAAE,MAAM,4BAA4B,CAAA;AAEzD,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,eAAe,CAAA;AAoB5D;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,EACzC,GAAG,EACH,UAAU,EAIX;IACC,IAAI,GAAG,EAAE,CAAC;QACR,MAAM,eAAe,CAAC,GAAG,CAAC,CAAA;QAC1B,MAAM,QAAQ,GAAG,MAAM,WAAW,CAAgB,GAAG,CAAC,CAAA;QACtD,MAAM,OAAO,GAAG,MAAM,sBAAsB,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QAC3D,OAAO,YAAY,CAAC,OAAO,CAAC,CAAA;IAC9B,CAAC;IAED,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAA;IAC1D,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CACb,oEAAoE;YAClE,sCAAsC,CACzC,CAAA;IACH,CAAC;IACD,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CACb,qEAAqE,CACtE,CAAA;IACH,CAAC;IACD,MAAM,SAAS,GAAG,mBAAmB,CAAC,EAAE,aAAa,EAAE,CAAC,CAAA;IACxD,MAAM,SAAS,GAAG,MAAM,EAAE,CAAA;IAC1B,SAAS,CAAC,GAAG,CAAC,EAAE,YAAY,EAAE,sBAAsB,EAAE,CAAC,CAAA;IACvD,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,GAAG,MAAM,SAAS,CAAC,QAAQ,CAAC;QAC1D,IAAI,EAAE,SAAS;KAChB,CAAC,CAAA;IACF,IAAI,WAAW,CAAC,EAAE,KAAK,UAAU,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CACb,oDAAoD,WAAW,CAAC,EAAE,IAAI;YACpE,gCAAgC,UAAU,IAAI,CACjD,CAAA;IACH,CAAC;IACD,MAAM,aAAa,GACjB,SACD,CAAC,EAAE,OAAO,EAAE,sBAAsB,EAAE,CAAC,CAAA;IACtC,OAAO,YAAY,CAAC,aAAa,CAAC,CAAA;AACpC,CAAC"}

package/dist/zcap/ttl.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Time-to-live parsing for delegated capability expiration.
+ *
+ * `expiresFromTtl` turns a short duration string (e.g. `1y`, `30d`, `24h`) into
+ * an absolute expiration `Date` relative to now, used as the default `expires`
+ * for `zcap delegate` when an explicit `--expires` ISO date is not given.
+ */
+/**
+ * Parses a time-to-live duration string into an absolute expiration date.
+ *
+ * The format is an integer followed by a unit: `s` (seconds), `m` (minutes),
+ * `h` (hours), `d` (days), `w` (weeks), or `y` (365 days), e.g. `1y`, `30d`,
+ * `24h`, `15m`.
+ *
+ * @param ttl {string}   The duration string.
+ * @returns {Date}   `now + ttl`.
+ */
+export declare function expiresFromTtl(ttl: string): Date;
+//# sourceMappingURL=ttl.d.ts.map

package/dist/zcap/ttl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ttl.d.ts","sourceRoot":"","sources":["../../src/zcap/ttl.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAeH;;;;;;;;;GASG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAWhD"}

package/dist/zcap/ttl.js

@@ -0,0 +1,40 @@
+/**
+ * Time-to-live parsing for delegated capability expiration.
+ *
+ * `expiresFromTtl` turns a short duration string (e.g. `1y`, `30d`, `24h`) into
+ * an absolute expiration `Date` relative to now, used as the default `expires`
+ * for `zcap delegate` when an explicit `--expires` ISO date is not given.
+ */
+/**
+ * Supported duration units and their length in milliseconds. Note `m` is
+ * minutes (not months) and `y` is treated as 365 days.
+ */
+const UNIT_MS = {
+    s: 1000,
+    m: 60 * 1000,
+    h: 60 * 60 * 1000,
+    d: 24 * 60 * 60 * 1000,
+    w: 7 * 24 * 60 * 60 * 1000,
+    y: 365 * 24 * 60 * 60 * 1000
+};
+/**
+ * Parses a time-to-live duration string into an absolute expiration date.
+ *
+ * The format is an integer followed by a unit: `s` (seconds), `m` (minutes),
+ * `h` (hours), `d` (days), `w` (weeks), or `y` (365 days), e.g. `1y`, `30d`,
+ * `24h`, `15m`.
+ *
+ * @param ttl {string}   The duration string.
+ * @returns {Date}   `now + ttl`.
+ */
+export function expiresFromTtl(ttl) {
+    const match = /^(\d+)([smhdwy])$/.exec(ttl.trim());
+    if (!match) {
+        throw new Error(`Invalid --ttl value "${ttl}". Expected a number followed by a unit ` +
+            '(s, m, h, d, w, or y), e.g. 1y, 30d, 24h.');
+    }
+    const amount = Number(match[1]);
+    const unitMs = UNIT_MS[match[2]];
+    return new Date(Date.now() + amount * unitMs);
+}
+//# sourceMappingURL=ttl.js.map

package/dist/zcap/ttl.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ttl.js","sourceRoot":"","sources":["../../src/zcap/ttl.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;GAGG;AACH,MAAM,OAAO,GAA2B;IACtC,CAAC,EAAE,IAAI;IACP,CAAC,EAAE,EAAE,GAAG,IAAI;IACZ,CAAC,EAAE,EAAE,GAAG,EAAE,GAAG,IAAI;IACjB,CAAC,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;IACtB,CAAC,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;IAC1B,CAAC,EAAE,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI;CAC7B,CAAA;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,cAAc,CAAC,GAAW;IACxC,MAAM,KAAK,GAAG,mBAAmB,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC,CAAA;IAClD,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CACb,wBAAwB,GAAG,0CAA0C;YACnE,2CAA2C,CAC9C,CAAA;IACH,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAA;IAC/B,MAAM,MAAM,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAA;IAChC,OAAO,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,MAAM,GAAG,MAAM,CAAC,CAAA;AAC/C,CAAC"}

package/package.json

@@ -0,0 +1,64 @@
+{
+  "name": "@interop/did-cli",
+  "version": "0.6.0",
+  "description": "DID CLI tool for DIDs, Verifiable Credentials, key pairs, and zcaps",
+  "type": "module",
+  "main": "dist/index.js",
+  "bin": {
+    "di": "dist/index.js"
+  },
+  "files": [
+    "dist",
+    "CHANGELOG.md"
+  ],
+  "scripts": {
+    "build": "npm run clean && tsc",
+    "build:watch": "tsc --watch",
+    "clean": "rm -rf dist",
+    "fix": "eslint --fix src && npm run format",
+    "format": "prettier --write src",
+    "lint": "eslint src",
+    "prepublishOnly": "npm run build",
+    "start": "node --enable-source-maps dist/index.js",
+    "test": "npm run lint && npm run format && npm run test:node",
+    "test:node": "node --test --import tsx --enable-source-maps 'src/**/*.test.ts'"
+  },
+  "dependencies": {
+    "@digitalcredentials/bnid": "^5.0.0",
+    "@digitalcredentials/issuer-registry-client": "^4.0.0",
+    "@interop/data-integrity-core": "^7.0.0",
+    "@interop/data-integrity-proof": "^3.3.1",
+    "@interop/did-method-key": "^7.3.1",
+    "@interop/did-web-resolver": "^6.2.1",
+    "@interop/ecdsa-multikey": "^2.3.0",
+    "@interop/ecdsa-signature": "2.0.2",
+    "@interop/ed25519-signature": "^7.1.1",
+    "@interop/ed25519-verification-key": "^8.0.0",
+    "@interop/ezcap": "^7.2.0",
+    "@interop/security-document-loader": "^9.3.0",
+    "@interop/vc": "^11.0.3",
+    "@interop/verifier-core": "^3.2.0",
+    "@interop/was-client": "^0.3.0",
+    "@interop/zcap": "^11.0.2",
+    "@scure/base": "^2.2.0",
+    "commander": "^15.0.0"
+  },
+  "packageManager": "pnpm@11.5.0",
+  "engines": {
+    "node": ">=22"
+  },
+  "devDependencies": {
+    "@eslint/js": "^10.0.1",
+    "@types/node": "^25.6.0",
+    "eslint": "^10.2.0",
+    "eslint-config-prettier": "^10.1.8",
+    "globals": "^17.5.0",
+    "prettier": "^3.8.2",
+    "tsx": "^4.21.0",
+    "typescript": "^5.0.0",
+    "typescript-eslint": "^8.58.2"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}