@interop/did-method-webvh 3.2.0 → 3.3.0

package/dist/utils/iso8601-datetime.d.ts

@@ -0,0 +1,55 @@
+/**
+ * ISO 8601 DateTime Validation
+ *
+ * Inlined from iso-8601-regex (https://github.com/lightningspirit/iso-8601-regex-ts)
+ * Licensed under MIT by lightningspirit
+ *
+ * Enforces strict calendar correctness including leap-year rules and valid day ranges.
+ */
+/**
+ * Strict ISO 8601 datetime regex with full calendar validation.
+ *
+ * Enforces:
+ * - Year: 0000–9999
+ * - Month: 01–12
+ * - Day: per month (01–31, 30-day months restricted, Feb 29 allowed only on leap years)
+ * - Hour: 00–23
+ * - Minute: 00–59
+ * - Second: 00–59
+ * - Milliseconds: optional, 1–3 digits
+ * - Timezone: "Z" (UTC) or ±HH:MM (offset -12:00…+14:00)
+ *
+ * Leap-year logic (Gregorian calendar):
+ * - Divisible by 4 → leap year
+ * - Divisible by 100 → not a leap year
+ * - Divisible by 400 → leap year again
+ *
+ * Format: YYYY-MM-DDTHH:mm:ss(.SSS)?(Z|±HH:MM)
+ *
+ * Valid examples:
+ * - "2025-11-02T10:20:30Z"           // UTC
+ * - "2025-11-02T10:20:30.123Z"       // With milliseconds
+ * - "2025-11-02T10:20:30+01:00"      // With positive offset
+ * - "2024-02-29T12:00:00Z"           // Leap year (Feb 29 allowed)
+ *
+ * Invalid examples:
+ * - "2025-11-02T10:20:30"            // Missing timezone
+ * - "2025-04-31T12:00:00Z"           // Invalid day for April
+ * - "1900-02-29T00:00:00Z"           // 1900 not a leap year
+ * - "2025-11-02T24:00:00Z"           // Invalid hour
+ */
+export declare const ISO8601_DATETIME_REGEX: RegExp;
+/**
+ * Parse and validate UTC ISO8601 versionTime per did:webvh spec.
+ *
+ * Enforces:
+ * - Strict ISO 8601 format with calendar correctness (via regex)
+ * - Timezone MUST be explicit Z or +00:00 (per normative spec language)
+ * - Semantic date validity (via Date.parse)
+ *
+ * Spec reference: did:webvh v1.0 §3.5 and §3.6.2 (`versionTime` in UTC ISO8601)
+ * https://identity.foundation/didwebvh/v1.0/
+ */
+export declare function parseUtcIso8601VersionTime(value: string, context: string): Date;
+export declare function validateUtcIso8601NotInFuture(value: string, context: string, maxFutureSkewMs?: number, now?: Date): Date;
+export declare function createNextVersionTime(previousVersionTime: string, requestedVersionTime: string | undefined, formatDate: (value: string | Date) => string): string;

package/dist/utils/iso8601-datetime.js

@@ -0,0 +1,116 @@
+/**
+ * ISO 8601 DateTime Validation
+ *
+ * Inlined from iso-8601-regex (https://github.com/lightningspirit/iso-8601-regex-ts)
+ * Licensed under MIT by lightningspirit
+ *
+ * Enforces strict calendar correctness including leap-year rules and valid day ranges.
+ */
+/**
+ * Strict ISO 8601 datetime regex with full calendar validation.
+ *
+ * Enforces:
+ * - Year: 0000–9999
+ * - Month: 01–12
+ * - Day: per month (01–31, 30-day months restricted, Feb 29 allowed only on leap years)
+ * - Hour: 00–23
+ * - Minute: 00–59
+ * - Second: 00–59
+ * - Milliseconds: optional, 1–3 digits
+ * - Timezone: "Z" (UTC) or ±HH:MM (offset -12:00…+14:00)
+ *
+ * Leap-year logic (Gregorian calendar):
+ * - Divisible by 4 → leap year
+ * - Divisible by 100 → not a leap year
+ * - Divisible by 400 → leap year again
+ *
+ * Format: YYYY-MM-DDTHH:mm:ss(.SSS)?(Z|±HH:MM)
+ *
+ * Valid examples:
+ * - "2025-11-02T10:20:30Z"           // UTC
+ * - "2025-11-02T10:20:30.123Z"       // With milliseconds
+ * - "2025-11-02T10:20:30+01:00"      // With positive offset
+ * - "2024-02-29T12:00:00Z"           // Leap year (Feb 29 allowed)
+ *
+ * Invalid examples:
+ * - "2025-11-02T10:20:30"            // Missing timezone
+ * - "2025-04-31T12:00:00Z"           // Invalid day for April
+ * - "1900-02-29T00:00:00Z"           // 1900 not a leap year
+ * - "2025-11-02T24:00:00Z"           // Invalid hour
+ */
+export const ISO8601_DATETIME_REGEX = new RegExp('^' +
+    '(?<year>\\d{4})-' +
+    '(?<month>(?:0[1-9]|1[0-2]))-' +
+    '(?<day>' +
+    '(?:' +
+    '(?<=\\d{4}-(?:01|03|05|07|08|10|12)-)(?:0[1-9]|[12]\\d|3[01])|' + // 31-day months
+    '(?<=\\d{4}-(?:04|06|09|11)-)(?:0[1-9]|[12]\\d|30)|' + // 30-day months
+    '(?<=\\d{4}-02-)(?:0[1-9]|1\\d|2[0-8])|' + // Feb 01-28
+    '(?<=(' +
+    '(?:\\d{2}(?:0[48]|[2468][048]|[13579][26]))' + // yy % 4 == 0 (leap year non-century)
+    '|(?:(?:[02468][048]|[13579][26])00)' + // centuries % 400 == 0 (leap year century)
+    ')-02-)29' + // Feb 29 only if preceding matches leap year
+    ')' +
+    ')' +
+    'T' +
+    '(?<hour>(?:[01]\\d|2[0-3])):' +
+    '(?<minute>[0-5]\\d):' +
+    '(?<second>[0-5]\\d)' +
+    '(?:\\.(?<millisecond>\\d{1,3}))?' + // optional .sss
+    '(?<timezone>' +
+    'Z|' + // UTC
+    '(?:' +
+    '\\+(?:(?:0\\d|1[0-3]):[0-5]\\d|14:00)|' + // +00:00…+13:59 or +14:00
+    '-(?:(?:0\\d|1[01]):[0-5]\\d|12:00)' + // -00:00…-11:59 or -12:00
+    ')' +
+    ')' +
+    '$');
+/**
+ * Parse and validate UTC ISO8601 versionTime per did:webvh spec.
+ *
+ * Enforces:
+ * - Strict ISO 8601 format with calendar correctness (via regex)
+ * - Timezone MUST be explicit Z or +00:00 (per normative spec language)
+ * - Semantic date validity (via Date.parse)
+ *
+ * Spec reference: did:webvh v1.0 §3.5 and §3.6.2 (`versionTime` in UTC ISO8601)
+ * https://identity.foundation/didwebvh/v1.0/
+ */
+export function parseUtcIso8601VersionTime(value, context) {
+    const match = ISO8601_DATETIME_REGEX.exec(value);
+    const parsed = new Date(value);
+    if (!match || Number.isNaN(parsed.getTime())) {
+        throw new Error(`${context} must be a valid UTC ISO8601 timestamp`);
+    }
+    // Per spec, only Z or +00:00 (explicit UTC) are allowed
+    const timezone = match.groups?.timezone;
+    if (timezone && timezone !== 'Z' && timezone !== '+00:00') {
+        throw new Error(`${context} must be in UTC (Z or +00:00), found ${timezone}`);
+    }
+    return parsed;
+}
+export function validateUtcIso8601NotInFuture(value, context, maxFutureSkewMs = 0, now = new Date()) {
+    const parsed = parseUtcIso8601VersionTime(value, context);
+    if (parsed.getTime() > now.getTime() + maxFutureSkewMs) {
+        if (maxFutureSkewMs > 0) {
+            throw new Error(`${context} must not be more than ${maxFutureSkewMs / 60000} minutes in the future`);
+        }
+        throw new Error(`${context} must not be in the future`);
+    }
+    return parsed;
+}
+export function createNextVersionTime(previousVersionTime, requestedVersionTime, formatDate) {
+    const previous = parseUtcIso8601VersionTime(previousVersionTime, 'previous versionTime');
+    if (requestedVersionTime) {
+        const requested = parseUtcIso8601VersionTime(requestedVersionTime, 'requested versionTime');
+        if (requested.getTime() <= previous.getTime()) {
+            throw new Error('versionTime must be greater than previous versionTime');
+        }
+        return formatDate(requestedVersionTime);
+    }
+    const now = new Date();
+    if (now.getTime() <= previous.getTime()) {
+        return formatDate(new Date(previous.getTime() + 1));
+    }
+    return formatDate(now);
+}

package/dist/utils/multiformats.d.ts

@@ -98,3 +98,5 @@ export declare function decodeMultihashFromMultibase(str: string): {
     digest: Uint8Array;
     encoding: MultibaseEncoding;
 };
+/** Multicodec prefix (`0xed 0x01`) for an Ed25519 public key multikey. */
+export declare function isEd25519Multikey(keyBytes: Uint8Array): boolean;

package/dist/utils/multiformats.js

@@ -281,3 +281,7 @@ export function decodeMultihashFromMultibase(str) {
         encoding,
     };
 }
+/** Multicodec prefix (`0xed 0x01`) for an Ed25519 public key multikey. */
+export function isEd25519Multikey(keyBytes) {
+    return keyBytes.length >= 2 && keyBytes[0] === 0xed && keyBytes[1] === 0x01;
+}

package/dist/utils.d.ts

@@ -1,4 +1,4 @@
-import type { CreateDIDInterface, DIDDoc, DIDLog, ParsedDidKeyVerificationMethod, VerificationMethod, WitnessProofFileEntry } from './interfaces.js';
+import type { CreateDIDInterface, DIDDoc, DIDLog, ParsedDidKeyVerificationMethod, ServiceEndpoint, VerificationMethod, WitnessProofFileEntry } from './interfaces.js';
 export declare function parseDidKeyDid(input: string): {
     did: string;
     keyMultibase: string;
@@ -10,7 +10,15 @@ interface ParsedAddress {
     didDomainComponent: string;
     paths?: string[];
 }
+export interface ParsedDidWebvhIdentifier {
+    scid: string;
+    didDomainComponent: string;
+    paths?: string[];
+    locationKey: string;
+}
+export declare function validateMethodSpecificPathSegments(pathSegments: string[], context: string): void;
 export declare function parseCanonicalAddress(input: string): ParsedAddress;
+export declare function parseDidWebvhIdentifier(did: string, context: string): ParsedDidWebvhIdentifier;
 export declare const DID_PLACEHOLDER = "{DID}";
 export declare function validateCreateDidDocument(didDocument: DIDDoc): void;
 export declare function replaceCreateDidPlaceholders<T>(input: T, scid: string, did: string): T;
@@ -18,6 +26,11 @@ export declare function convertWebvhIdToWebId(id: string): string;
 export declare function enrichAlsoKnownAs(doc: DIDDoc, did: string, opts: {
     alsoKnownAsWeb?: boolean;
 }): DIDDoc;
+/**
+ * Check if a service with the given fragment exists in the service array.
+ * Matches both fragment form (e.g., '#files') and absolute form (e.g., 'did:webvh:...#files').
+ */
+export declare function serviceFragmentExists(services: ServiceEndpoint[], fragment: string, did: string): boolean;
 export declare function generateParallelDidWeb(didwebvhDid: string, didwebvhDoc: DIDDoc): DIDDoc;
 export declare const readLogFromDisk: (path: string) => Promise<DIDLog>;
 export declare const readLogFromString: (str: string) => DIDLog;
@@ -43,7 +56,7 @@ export declare const normalizeVMs: (verificationMethod: VerificationMethod[] | u
 export declare const resolveVM: (vm: string) => Promise<VerificationMethod | {
     publicKeyMultibase: string;
 } | null>;
-export declare const findVerificationMethod: (doc: any, vmId: string) => VerificationMethod | null;
+export declare const findVerificationMethod: (doc: DIDDoc, vmId: string) => VerificationMethod | null;
 export declare function fetchWitnessProofs(did: string): Promise<WitnessProofFileEntry[]>;
 export declare function replaceValueInObject(obj: any, searchValue: string, replaceValue: string): any;
 export {};

package/dist/utils.js

@@ -1,5 +1,5 @@
 import { config } from './config.js';
-import { BASE_CONTEXT } from './constants.js';
+import { BASE_CONTEXT, CONTEXT_LINKED_VP, METHOD, SERVICE_TYPE_LINKED_VP, SERVICE_TYPE_RELATIVE_REF, } from './constants.js';
 import { resolveDIDFromLog } from './method.js';
 import { bufferToString, createBuffer } from './utils/buffer.js';
 import { canonicalizeStrict } from './utils/canonicalize.js';
@@ -14,7 +14,8 @@ function validateDidKeyMultibase(keyMultibase) {
         multibaseDecode(keyMultibase);
     }
     catch (error) {
-        throw new Error(`Malformed did:key identifier: ${error.message}`);
+        const message = error instanceof Error ? error.message : String(error);
+        throw new Error(`Malformed did:key identifier: ${message}`);
     }
 }
 export function parseDidKeyDid(input) {
@@ -45,6 +46,11 @@ export function parseDidKeyVerificationMethod(input) {
     }
     const parsedDid = parseDidKeyDid(`${DID_KEY_PREFIX}${match[1]}`);
     const fragment = match[2];
+    // If fragment is present, it MUST equal the body multibase exactly
+    if (fragment && fragment !== parsedDid.keyMultibase) {
+        throw new Error(`did:key verificationMethod fragment must equal body multibase. ` +
+            `Expected fragment '${parsedDid.keyMultibase}' but got '${fragment}'`);
+    }
     return {
         did: parsedDid.did,
         fragment,
@@ -65,44 +71,120 @@ function isDoubleEncoded(value) {
     // Detect %25 (which is percent-encoded %)
     return value.includes('%25');
 }
+function hasFragmentOrQuery(value) {
+    return value.includes('#') || value.includes('?');
+}
+function decodeHostComponent(host) {
+    try {
+        return decodeURIComponent(host);
+    }
+    catch {
+        throw new Error(`Invalid percent-encoding in host: ${host}`);
+    }
+}
+function parsePortNumber(rawPort) {
+    const portNum = parseInt(rawPort, 10);
+    if (Number.isNaN(portNum) || portNum <= 0 || portNum > 65535) {
+        throw new Error(`Invalid port number: ${rawPort}`);
+    }
+    return portNum;
+}
+function toOptionalPaths(pathSegments) {
+    return pathSegments.length > 0 ? pathSegments : undefined;
+}
+function toDidDomainComponent(host, port) {
+    return port ? `${host}%3A${port}` : host;
+}
+function toParsedAddress(host, port, paths = []) {
+    return {
+        canonicalHost: host,
+        canonicalPort: port,
+        didDomainComponent: toDidDomainComponent(host, port),
+        paths: toOptionalPaths(paths),
+    };
+}
+function parseRawHostPort(input) {
+    if (!input.includes(':')) {
+        return { host: input };
+    }
+    const parts = input.split(':');
+    if (parts.length !== 2) {
+        throw new Error('Invalid host:port format');
+    }
+    return {
+        host: parts[0],
+        port: parsePortNumber(parts[1]),
+    };
+}
+function parseEncodedPortComponent(value) {
+    const encodedSeparator = /%3a/i;
+    if (!encodedSeparator.test(value)) {
+        return { host: value };
+    }
+    const parts = value.split(encodedSeparator);
+    if (parts.length !== 2) {
+        throw new Error('Invalid pre-encoded port separator');
+    }
+    const [host, rawPort] = parts;
+    return { host, port: parsePortNumber(rawPort) };
+}
+export function validateMethodSpecificPathSegments(pathSegments, context) {
+    for (const segment of pathSegments) {
+        let decodedSegment;
+        try {
+            decodedSegment = decodeURIComponent(segment);
+        }
+        catch {
+            throw new Error(`${context} contains invalid percent-encoding in path segment '${segment}'`);
+        }
+        if (decodedSegment === '.' || decodedSegment === '..') {
+            throw new Error(`${context} must not contain dot-segments`);
+        }
+        if (decodedSegment.includes('/')) {
+            throw new Error(`${context} must not contain decoded slash within a single path segment`);
+        }
+        if (decodedSegment.includes('\\')) {
+            throw new Error(`${context} must not contain decoded backslash within a path segment`);
+        }
+        if (decodedSegment.includes('\u0000')) {
+            throw new Error(`${context} must not contain decoded NUL character within a path segment`);
+        }
+        if (decodedSegment !== decodedSegment.trim()) {
+            throw new Error(`${context} must not contain leading or trailing whitespace in decoded path segment`);
+        }
+    }
+}
 export function parseCanonicalAddress(input) {
     if (!input || typeof input !== 'string') {
         throw new Error('Address input must be a non-empty string');
     }
+    if (hasFragmentOrQuery(input) && !input.startsWith('http://') && !input.startsWith('https://')) {
+        throw new Error('Address input must not include query or fragment components');
+    }
     // Parse did:webvh form
     if (input.startsWith('did:webvh:')) {
         const parts = input.substring(10).split(':');
         if (parts.length < 2) {
             throw new Error('Invalid did:webvh identifier: must contain SCID (or {SCID} placeholder) and domain');
         }
-        const scid = parts[0];
         const domainPart = parts[1];
         const pathParts = parts.slice(2);
+        if (hasFragmentOrQuery(domainPart) || pathParts.some((segment) => hasFragmentOrQuery(segment))) {
+            throw new Error('did:webvh identifier must not include query or fragment components');
+        }
+        validateMethodSpecificPathSegments(pathParts, 'did:webvh identifier');
         // Detect double encoding
         if (isDoubleEncoded(domainPart)) {
             throw new Error('Domain is double-encoded (detected %25)');
         }
         // Extract port from domain if %3A-encoded
-        let host = domainPart;
-        let port;
-        if (domainPart.includes('%3A')) {
-            const [h, p] = domainPart.split('%3A');
-            host = h;
-            const portNum = parseInt(p, 10);
-            if (Number.isNaN(portNum) || portNum <= 0 || portNum > 65535) {
-                throw new Error(`Invalid port number: ${p}`);
-            }
-            port = portNum;
-        }
+        const parsedPort = parseEncodedPortComponent(domainPart);
+        const host = decodeHostComponent(parsedPort.host);
+        const port = parsedPort.port;
         if (isIPAddress(host)) {
             throw new Error('IP addresses are not allowed as hosts');
         }
-        return {
-            canonicalHost: host,
-            canonicalPort: port,
-            didDomainComponent: domainPart,
-            paths: pathParts.length > 0 ? pathParts : undefined,
-        };
+        return toParsedAddress(host, port, pathParts);
     }
     // Parse URL form: HTTPS everywhere, with localhost-only HTTP for local testing.
     if (input.startsWith('https://') || input.startsWith('http://')) {
@@ -111,35 +193,23 @@ export function parseCanonicalAddress(input) {
             if (url.protocol === 'http:' && url.hostname !== 'localhost') {
                 throw new Error('HTTP is only allowed for localhost; use HTTPS for non-local hosts');
             }
+            if (url.hash || url.search) {
+                throw new Error('URL input must not include query or fragment components');
+            }
             const host = url.hostname;
             const port = url.port ? parseInt(url.port, 10) : undefined;
             if (isIPAddress(host)) {
                 throw new Error('IP addresses are not allowed as hosts');
             }
-            let didDomainComponent = host;
-            if (port) {
-                didDomainComponent += `%3A${port}`;
-            }
-            const pathParts = [];
-            if (url.pathname && url.pathname !== '/') {
-                url.pathname
-                    .split('/')
-                    .filter((p) => p.length > 0)
-                    .forEach((p) => {
-                    pathParts.push(p);
-                });
-            }
-            return {
-                canonicalHost: host,
-                canonicalPort: port,
-                didDomainComponent,
-                paths: pathParts.length > 0 ? pathParts : undefined,
-            };
+            const pathParts = url.pathname && url.pathname !== '/' ? url.pathname.split('/').filter((p) => p.length > 0) : [];
+            validateMethodSpecificPathSegments(pathParts, 'URL pathname');
+            return toParsedAddress(host, port, pathParts);
         }
         catch (e) {
-            if (e.message?.includes('not allowed'))
+            const message = e instanceof Error ? e.message : String(e);
+            if (message.includes('not allowed'))
                 throw e;
-            throw new Error(`Invalid URL: ${e.message}`);
+            throw new Error(`Invalid URL: ${message}`);
         }
     }
     // Parse domain string form (host or host:port)
@@ -147,45 +217,35 @@ export function parseCanonicalAddress(input) {
     if (isDoubleEncoded(input)) {
         throw new Error('Domain is double-encoded (detected %25)');
     }
-    let host = input;
-    let port;
-    // Check if pre-encoded with %3A
-    if (input.includes('%3A')) {
-        const parts = input.split('%3A');
-        if (parts.length !== 2) {
-            throw new Error('Invalid pre-encoded port separator');
-        }
-        host = parts[0];
-        const portNum = parseInt(parts[1], 10);
-        if (Number.isNaN(portNum) || portNum <= 0 || portNum > 65535) {
-            throw new Error(`Invalid port number: ${parts[1]}`);
-        }
-        port = portNum;
-    }
-    else if (input.includes(':')) {
-        // Raw host:port form
-        const parts = input.split(':');
-        if (parts.length !== 2) {
-            throw new Error('Invalid host:port format');
-        }
-        host = parts[0];
-        const portNum = parseInt(parts[1], 10);
-        if (Number.isNaN(portNum) || portNum <= 0 || portNum > 65535) {
-            throw new Error(`Invalid port number: ${parts[1]}`);
-        }
-        port = portNum;
+    if (hasFragmentOrQuery(input)) {
+        throw new Error('Domain input must not include query or fragment components');
     }
+    const hostAndPort = /%3a/i.test(input) ? parseEncodedPortComponent(input) : parseRawHostPort(input);
+    const host = decodeHostComponent(hostAndPort.host);
+    const port = hostAndPort.port;
     if (isIPAddress(host)) {
         throw new Error('IP addresses are not allowed as hosts');
     }
-    let didDomainComponent = host;
-    if (port) {
-        didDomainComponent += `%3A${port}`;
-    }
+    return toParsedAddress(host, port);
+}
+export function parseDidWebvhIdentifier(did, context) {
+    const parsedAddress = parseCanonicalAddress(did);
+    const didParts = did.split(':');
+    if (didParts.length < 4 || didParts[0] !== 'did' || didParts[1] !== METHOD) {
+        throw new Error(`${context} must be a valid did:webvh identifier`);
+    }
+    const scid = didParts[2];
+    if (!scid) {
+        throw new Error(`${context} must include SCID segment`);
+    }
+    const locationKey = parsedAddress.paths?.length
+        ? `${parsedAddress.didDomainComponent}:${parsedAddress.paths.join(':')}`
+        : parsedAddress.didDomainComponent;
     return {
-        canonicalHost: host,
-        canonicalPort: port,
-        didDomainComponent,
+        scid,
+        didDomainComponent: parsedAddress.didDomainComponent,
+        paths: parsedAddress.paths,
+        locationKey,
     };
 }
 // Environment detection - treat React Native like a browser, but Bun as Node-like
@@ -252,6 +312,18 @@ export function enrichAlsoKnownAs(doc, did, opts) {
         alsoKnownAs: aliases,
     };
 }
+/**
+ * Check if a service with the given fragment exists in the service array.
+ * Matches both fragment form (e.g., '#files') and absolute form (e.g., 'did:webvh:...#files').
+ */
+export function serviceFragmentExists(services, fragment, did) {
+    const fragmentForm = `#${fragment}`;
+    const absoluteForm = `${did}#${fragment}`;
+    return services.some((s) => {
+        const serviceId = s.id || '';
+        return serviceId === fragmentForm || serviceId === absoluteForm;
+    });
+}
 export function generateParallelDidWeb(didwebvhDid, didwebvhDoc) {
     let webDoc = deepClone(didwebvhDoc);
     const domainPath = didwebvhDid.replace(/^did:webvh:[^:]+:/, '');
@@ -261,15 +333,15 @@ export function generateParallelDidWeb(didwebvhDid, didwebvhDoc) {
     if (!existingServiceIds.some((id) => id.endsWith('#files'))) {
         implicitServices.push({
             id: '#files',
-            type: 'relativeRef',
+            type: SERVICE_TYPE_RELATIVE_REF,
             serviceEndpoint: httpsBase,
         });
     }
     if (!existingServiceIds.some((id) => id.endsWith('#whois'))) {
         implicitServices.push({
-            '@context': 'https://identity.foundation/linked-vp/contexts/v1',
+            '@context': CONTEXT_LINKED_VP,
             id: '#whois',
-            type: 'LinkedVerifiablePresentation',
+            type: SERVICE_TYPE_LINKED_VP,
             serviceEndpoint: `${httpsBase}whois.vp`,
         });
     }
@@ -345,7 +417,8 @@ export const writeVerificationMethodToEnv = async (verificationMethod) => {
             const match = envContent.match(/DID_VERIFICATION_METHODS=(.*)/);
             if (match?.[1]) {
                 const decodedData = bufferToString(createBuffer(match[1], 'base64'));
-                existingData = JSON.parse(decodedData);
+                const parsedData = JSON.parse(decodedData);
+                existingData = Array.isArray(parsedData) ? parsedData : [];
                 // Check if verification method with same ID already exists
                 const existingIndex = existingData.findIndex((vm) => vm.id === vmData.id);
                 if (existingIndex !== -1) {
@@ -398,17 +471,15 @@ export function deepClone(obj) {
     return cloned;
 }
 export const getBaseUrl = (id) => {
-    const parts = id.split(':');
-    if (!id.startsWith('did:webvh:') || parts.length < 4) {
-        throw new Error(`${id} is not a valid did:webvh identifier`);
-    }
-    const remainder = decodeURIComponent(parts.slice(3).join('/'));
-    const protocol = remainder.includes('localhost') ? 'http' : 'https';
-    const [hostPart, ...pathParts] = remainder.split('/');
-    let [host, port] = decodeURIComponent(hostPart).split(':');
-    host = toASCII(host.normalize('NFC'));
-    const normalizedHost = port ? `${host}:${port}` : host;
-    const path = pathParts.join('/');
+    if (hasFragmentOrQuery(id)) {
+        throw new Error('did:webvh identifier must not include query or fragment components');
+    }
+    const parsed = parseCanonicalAddress(id);
+    // This fork allows http for localhost (local testing); HTTPS everywhere else.
+    const protocol = parsed.canonicalHost === 'localhost' ? 'http' : 'https';
+    const host = toASCII(parsed.canonicalHost.normalize('NFC'));
+    const normalizedHost = parsed.canonicalPort ? `${host}:${parsed.canonicalPort}` : host;
+    const path = parsed.paths?.join('/') ?? '';
     return `${protocol}://${normalizedHost}${path ? `/${path}` : ''}`;
 };
 export const getFileUrl = (id) => {
@@ -437,7 +508,7 @@ export async function fetchLogFromIdentifier(identifier) {
         throw error;
     }
 }
-export const createDate = (created) => `${new Date(created ?? Date.now()).toISOString().slice(0, -5)}Z`;
+export const createDate = (created) => new Date(created ?? Date.now()).toISOString();
 export function bytesToHex(bytes) {
     return Array.from(bytes)
         .map((byte) => byte.toString(16).padStart(2, '0'))
@@ -608,6 +679,9 @@ export const resolveVM = async (vm) => {
                 .split('\n')
                 .map((l) => JSON.parse(l));
             const { doc } = await resolveDIDFromLog(logEntries, { verificationMethod: vm });
+            if (!doc) {
+                throw new Error(`Verification method ${vm} not found`);
+            }
             return findVerificationMethod(doc, vm);
         }
         throw new Error(`Verification method ${vm} not found`);
@@ -619,7 +693,7 @@ export const resolveVM = async (vm) => {
 export const findVerificationMethod = (doc, vmId) => {
     // Check in the verificationMethod array
     if (doc.verificationMethod?.some((vm) => vm.id === vmId)) {
-        return doc.verificationMethod.find((vm) => vm.id === vmId);
+        return doc.verificationMethod.find((vm) => vm.id === vmId) ?? null;
     }
     // Check in other verification method relationship arrays
     const vmRelationships = [
@@ -630,9 +704,22 @@ export const findVerificationMethod = (doc, vmId) => {
         'capabilityDelegation',
     ];
     for (const relationship of vmRelationships) {
-        if (doc[relationship]) {
-            if (doc[relationship].some((item) => item.id === vmId)) {
-                return doc[relationship].find((item) => item.id === vmId);
+        const relationshipValues = doc[relationship];
+        if (Array.isArray(relationshipValues) &&
+            relationshipValues.some((item) => {
+                if (typeof item !== 'object' || item === null)
+                    return false;
+                const maybeId = item.id;
+                return maybeId === vmId;
+            })) {
+            const match = relationshipValues.find((item) => {
+                if (typeof item !== 'object' || item === null)
+                    return false;
+                const maybeId = item.id;
+                return maybeId === vmId;
+            });
+            if (match && typeof match === 'object') {
+                return match;
             }
         }
     }