@interop/zcap 9.0.3

package/lib/zcap-types.d.ts

@@ -0,0 +1,72 @@
+/*!
+ * Copyright (c) 2018-2026 Digital Bazaar, Inc. All rights reserved.
+ */
+
+// Hand-authored object shapes for zcaps. These live in a `.d.ts` (rather than
+// as JSDoc `@typedef`s in `utils.js`) because TypeScript's JSDoc parser cannot
+// express a property named `@context` -- the leading `@` is mangled to an
+// empty-string key (`""`). `utils.js` re-exports these via `@typedef
+// {import('./zcap-types.js').X} X` so the public type names are unchanged.
+
+/**
+ * A root authorization capability (zcap). Root zcaps are unsigned, have no
+ * `expires` field and no delegation proof.
+ */
+export interface RootZcap {
+  /** The zcap JSON-LD context URL. */
+  '@context': string;
+  /** Capability ID (`urn:zcap:root:<encodedTarget>`). */
+  id: string;
+  /** The DID(s) authorized to invoke. */
+  controller: string | string[];
+  /** Resource URI this capability grants access to (absolute URI). */
+  invocationTarget: string;
+}
+
+/** A proof attached to a delegated capability. */
+export interface CapabilityDelegationProof {
+  /** The cryptographic suite type (e.g. `'Ed25519Signature2020'`). */
+  type: string;
+  /** ISO 8601 date-time the proof was created. */
+  created: string;
+  /** Verification method URI used to sign. */
+  verificationMethod: string;
+  /** Always `'capabilityDelegation'`. */
+  proofPurpose: 'capabilityDelegation';
+  /**
+   * Ordered capability chain (root > parent). All entries are string IDs
+   * except the last delegated zcap, which is embedded as an object.
+   */
+  capabilityChain: (string | DelegatedZcap)[];
+  /** The encoded proof value. */
+  proofValue: string;
+}
+
+/**
+ * A delegated authorization capability (zcap). Delegated capabilities narrow
+ * a parent capability and must carry exactly one `capabilityDelegation` proof.
+ */
+export interface DelegatedZcap {
+  /** JSON-LD context array; first entry MUST be the zcap context URL. */
+  '@context': string[];
+  /** Capability ID (absolute URI). */
+  id: string;
+  /** Parent capability ID (absolute URI). */
+  parentCapability: string;
+  /** The DID(s) authorized to invoke. */
+  controller: string | string[];
+  /** Resource URI this capability grants access to (absolute URI). */
+  invocationTarget: string;
+  /**
+   * The action(s) the controller may perform; if absent, no actions are
+   * allowed (except for the root zcap).
+   */
+  allowedAction?: string | string[];
+  /** ISO 8601 date-time when this capability expires. */
+  expires: string;
+  /** The capability delegation proof(s). */
+  proof: CapabilityDelegationProof | CapabilityDelegationProof[];
+}
+
+/** A zcap is either a root or a delegated capability. */
+export type Zcap = RootZcap | DelegatedZcap;

package/package.json

@@ -0,0 +1,81 @@
+{
+  "name": "@interop/zcap",
+  "version": "9.0.3",
+  "description": "Authorization Capabilities reference implementation.",
+  "homepage": "https://github.com/interop-alliance/zcap",
+  "author": {
+    "name": "Digital Bazaar, Inc.",
+    "email": "support@digitalbazaar.com",
+    "url": "https://digitalbazaar.com/"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/interop-alliance/zcap"
+  },
+  "bugs": {
+    "url": "https://github.com/interop-alliance/zcap/issues/"
+  },
+  "license": "BSD-3-Clause",
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./types/lib/index.d.ts",
+      "default": "./lib/index.js"
+    }
+  },
+  "types": "./types/lib/index.d.ts",
+  "files": [
+    "lib/**/*.js",
+    "lib/**/*.d.ts",
+    "types/**/*.d.ts",
+    "types/**/*.d.ts.map"
+  ],
+  "dependencies": {
+    "@digitalbazaar/zcap-context": "^2.0.1",
+    "@interop/jsonld-signatures": "^11.6.1"
+  },
+  "devDependencies": {
+    "@digitalbazaar/ed25519-signature-2020": "^5.4.0",
+    "@digitalcredentials/ed25519-verification-key-2020": "^5.0.0",
+    "chai": "^4.3.6",
+    "cross-env": "^7.0.3",
+    "eslint": "^8.17.0",
+    "eslint-config-digitalbazaar": "^5.0.1",
+    "eslint-plugin-jsdoc": "^48.2.2",
+    "eslint-plugin-unicorn": "^51.0.1",
+    "karma": "^6.3.20",
+    "karma-chrome-launcher": "^3.1.1",
+    "karma-mocha": "^2.0.1",
+    "karma-mocha-reporter": "^2.2.5",
+    "karma-sourcemap-loader": "^0.4.0",
+    "karma-webpack": "^5.0.0",
+    "mocha": "^10.0.0",
+    "typescript": "^6.0.3",
+    "webpack": "^5.73.0"
+  },
+  "scripts": {
+    "test": "npm run test-node",
+    "__test-node": "cross-env NODE_ENV=test mocha --delay -t 30000 -A -R ${REPORTER:-spec} tests/test.js",
+    "test-node": "cross-env NODE_ENV=test mocha -t 30000 -A -R ${REPORTER:-spec} tests/test.js",
+    "test-karma": "cross-env NODE_ENV=test karma start karma.conf.cjs",
+    "build:types": "tsc",
+    "lint": "eslint ."
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "keywords": [
+    "Authorization Capability",
+    "Authorization Capabilities",
+    "JSON",
+    "JSON-LD",
+    "Linked Data",
+    "OCAP",
+    "OCAP-LD",
+    "Semantic Web",
+    "ZCAP",
+    "ZCAP-LD",
+    "digital signatures",
+    "object capabilities"
+  ]
+}

package/types/lib/CapabilityDelegation.d.ts

@@ -0,0 +1,101 @@
+/**
+ * @typedef {import('./utils.js').InspectCapabilityChain} InspectCapabilityChain
+ * @typedef {import('./utils.js').Zcap} Zcap
+ * @typedef {import('./utils.js').DelegatedZcap} DelegatedZcap
+ */
+export class CapabilityDelegation extends CapabilityProofPurpose {
+    /**
+     * @param {object} options - The options.
+     * @param {string|Zcap} [options.parentCapability] - An alternative to
+     *   passing `capabilityChain` when creating a proof; passing
+     *   `parentCapability` will enable the capability chain to be auto-computed.
+     *   Pass a root zcap ID string, or a full root or delegated zcap object.
+     * @param {boolean} [options.allowTargetAttenuation=false] - Allow the
+     *   invocationTarget of a delegation chain to be increasingly restrictive
+     *   based on a hierarchical RESTful URL structure.
+     * @param {string|Date|number} [options.date] - Used during proof
+     *   verification as the expected date for the creation of the proof
+     *   (within a maximum timestamp delta) and for checking to see if a
+     *   capability has expired; if not passed the current date will be used.
+     * @param {string|string[]} [options.expectedRootCapability] - The expected
+     *   root capability for the delegation chain (a single root capability ID
+     *   string, or an array of acceptable root capability ID strings).
+     * @param {object} [options.controller] - The description of the controller,
+     *   if it is not to be dereferenced via a `documentLoader`.
+     * @param {InspectCapabilityChain} [options.inspectCapabilityChain] - An
+     *   async function that can be used to check for revocations related to any
+     *   of verified capabilities.
+     * @param {number} [options.maxChainLength=10] - The maximum length of the
+     *   capability delegation chain.
+     * @param {number} [options.maxClockSkew=300] - A maximum number of seconds
+     *   that clocks may be skewed when checking capability expiration date-times
+     *   against `date`.
+     * @param {number} [options.maxDelegationTtl=Infinity] - The maximum
+     *   milliseconds to live for a delegated zcap as measured by the time
+     *   difference between `expires` and `created` on the delegation proof.
+     * @param {object|object[]} [options.suite] - The jsonld-signature suite(s) to
+     *   use to verify the capability chain. Required only in verify-proof mode;
+     *   unused (and omitted) when creating a delegation proof.
+     * @param {Zcap} [options._verifiedParentCapability] - Private.
+     * @param {Array<string|DelegatedZcap>} [options._capabilityChain] - Private.
+     * @param {boolean} [options._skipLocalValidationForTesting] - Private.
+     */
+    constructor({ parentCapability, allowTargetAttenuation, controller, date, expectedRootCapability, inspectCapabilityChain, maxChainLength, maxClockSkew, maxDelegationTtl, suite, _verifiedParentCapability, _capabilityChain, _skipLocalValidationForTesting }?: {
+        parentCapability?: string | Zcap;
+        allowTargetAttenuation?: boolean;
+        date?: string | Date | number;
+        expectedRootCapability?: string | string[];
+        controller?: object;
+        inspectCapabilityChain?: InspectCapabilityChain;
+        maxChainLength?: number;
+        maxClockSkew?: number;
+        maxDelegationTtl?: number;
+        suite?: object | object[];
+        _verifiedParentCapability?: Zcap;
+        _capabilityChain?: Array<string | DelegatedZcap>;
+        _skipLocalValidationForTesting?: boolean;
+    });
+    parentCapability: string | import("./zcap-types.js").Zcap;
+    _capabilityChain: (string | import("./zcap-types.js").DelegatedZcap)[];
+    _skipLocalValidationForTesting: boolean;
+    _verifiedParentCapability: import("./zcap-types.js").Zcap;
+    update(proof: any, { document }: {
+        document: any;
+    }): Promise<any>;
+    match(proof: any, { document, documentLoader }: {
+        document: any;
+        documentLoader: any;
+    }): Promise<boolean>;
+    _getCapabilityDelegationClass(): typeof CapabilityDelegation;
+    _getTailCapability({ document, proof }: {
+        document: any;
+        proof: any;
+    }): {
+        capability: any;
+    };
+    _runChecksBeforeChainVerification(): Promise<{
+        capabilityChainMeta: {
+            verifyResult: {};
+        }[];
+    }>;
+    _runChecksAfterChainVerification({ capabilityChainMeta, dereferencedChain, proof, validateOptions }: {
+        capabilityChainMeta: any;
+        dereferencedChain: any;
+        proof: any;
+        validateOptions: any;
+    }): Promise<import("@interop/jsonld-signatures").ProofValidateResult>;
+    _shortCircuitValidate({ proof, validateOptions }: {
+        proof: any;
+        validateOptions: any;
+    }): Promise<import("@interop/jsonld-signatures").ProofValidateResult>;
+    _validateAgainstParent({ proof, verifiedParentCapability, validateOptions }: {
+        proof: any;
+        verifiedParentCapability: any;
+        validateOptions: any;
+    }): Promise<import("@interop/jsonld-signatures").ProofValidateResult>;
+}
+export type InspectCapabilityChain = import("./utils.js").InspectCapabilityChain;
+export type Zcap = import("./utils.js").Zcap;
+export type DelegatedZcap = import("./utils.js").DelegatedZcap;
+import { CapabilityProofPurpose } from './CapabilityProofPurpose.js';
+//# sourceMappingURL=CapabilityDelegation.d.ts.map

package/types/lib/CapabilityDelegation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"CapabilityDelegation.d.ts","sourceRoot":"","sources":["../../lib/CapabilityDelegation.js"],"names":[],"mappings":"AAMA;;;;GAIG;AAEH;IACE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAmCG;IACH,iQAlCG;QAA8B,gBAAgB,GAAtC,MAAM,GAAC,IAAI;QAIO,sBAAsB,GAAxC,OAAO;QAGsB,IAAI,GAAjC,MAAM,GAAC,IAAI,GAAC,MAAM;QAIQ,sBAAsB,GAAhD,MAAM,GAAC,MAAM,EAAE;QAGE,UAAU,GAA3B,MAAM;QAE2B,sBAAsB,GAAvD,sBAAsB;QAGL,cAAc,GAA/B,MAAM;QAEW,YAAY,GAA7B,MAAM;QAGW,gBAAgB,GAAjC,MAAM;QAGoB,KAAK,GAA/B,MAAM,GAAC,MAAM,EAAE;QAGA,yBAAyB,GAAxC,IAAI;QACkC,gBAAgB,GAAtD,KAAK,CAAC,MAAM,GAAC,aAAa,CAAC;QACT,8BAA8B,GAAhD,OAAO;KACjB,EA0EA;IAbG,0DAAwC;IAKtC,uEAAwC;IAGxC,wCAAoE;IAGtE,0DAA0D;IAI9D;;qBAiFC;IAED;;;yBAUC;IAED,6DAEC;IAED;;;;;MAIC;IAED;;;;OAOC;IAED;;;;;0EAsBC;IAED;;;0EAgBC;IAED;;;;0EA8BC;CACF;qCAhTY,OAAO,YAAY,EAAE,sBAAsB;mBAC3C,OAAO,YAAY,EAAE,IAAI;4BACzB,OAAO,YAAY,EAAE,aAAa;uCALV,6BAA6B"}

package/types/lib/CapabilityInvocation.d.ts

@@ -0,0 +1,100 @@
+/**
+ * @typedef {import('./utils.js').InspectCapabilityChain} InspectCapabilityChain
+ * @typedef {import('./utils.js').DelegatedZcap} DelegatedZcap
+ */
+export class CapabilityInvocation extends CapabilityProofPurpose {
+    /**
+     * @param {object} options - The options.
+     * @param {string|DelegatedZcap} [options.capability] - The capability to
+     *   add/reference in a created proof. A root zcap MUST be passed as its ID
+     *   string; a delegated zcap must be passed as the full object.
+     * @param {string} [options.capabilityAction] - The capability action that is
+     *   to be added to a proof.
+     * @param {string} [options.invocationTarget] - The invocation target to
+     *   use; this is required and can be used to attenuate the capability's
+     *   invocation target if the verifier supports target attenuation.
+     * @param {boolean} [options.allowTargetAttenuation=false] - Allow the
+     *   invocationTarget of a delegation chain to be increasingly restrictive
+     *   based on a hierarchical RESTful URL structure.
+     * @param {object} [options.controller] - The description of the controller,
+     *   if it is not to be dereferenced via a `documentLoader`.
+     * @param {string|Date|number} [options.date] - Used during proof
+     *   verification as the expected date for the creation of the proof
+     *   (within a maximum timestamp delta) and for checking to see if a
+     *   capability has expired; if not passed the current date will be used.
+     * @param {string} [options.expectedAction] - The capability action that is
+     *   expected when validating a proof.
+     * @param {string|string[]} [options.expectedRootCapability] - The expected
+     *   root capability for the delegation chain (a single root capability ID
+     *   string, or an array of acceptable root capability ID strings).
+     * @param {string|string[]} [options.expectedTarget] - The target(s) we
+     *   expect a capability to apply to (absolute URI, or array of URIs).
+     * @param {InspectCapabilityChain} [options.inspectCapabilityChain] - An
+     *   async function that can be used to check for revocations related to any
+     *   of verified capabilities.
+     * @param {number} [options.maxChainLength=10] - The maximum length of the
+     *   capability delegation chain.
+     * @param {number} [options.maxClockSkew=300] - A maximum number of seconds
+     *   that clocks may be skewed when checking capability expiration date-times
+     *   against `date` and when comparing invocation proof creation time against
+     *   delegation proof creation time.
+     * @param {number} [options.maxDelegationTtl=Infinity] - The maximum
+     *   milliseconds to live for a delegated zcap as measured by the time
+     *   difference between `expires` and `created` on the delegation proof.
+     * @param {number} [options.maxTimestampDelta=Infinity] - A maximum number
+     *   of seconds that "created" date on the capability invocation proof can
+     *   deviate from `date`, defaults to `Infinity`.
+     * @param {object|object[]} [options.suite] - The jsonld-signature suite(s) to
+     *   use to verify the capability chain. Required only in verify-proof mode;
+     *   unused (and omitted) when creating an invocation proof.
+     */
+    constructor({ capability, capabilityAction, invocationTarget, allowTargetAttenuation, controller, date, expectedAction, expectedRootCapability, expectedTarget, inspectCapabilityChain, maxChainLength, maxClockSkew, maxDelegationTtl, maxTimestampDelta, suite }?: {
+        capability?: string | DelegatedZcap;
+        capabilityAction?: string;
+        invocationTarget?: string;
+        allowTargetAttenuation?: boolean;
+        controller?: object;
+        date?: string | Date | number;
+        expectedAction?: string;
+        expectedRootCapability?: string | string[];
+        expectedTarget?: string | string[];
+        inspectCapabilityChain?: InspectCapabilityChain;
+        maxChainLength?: number;
+        maxClockSkew?: number;
+        maxDelegationTtl?: number;
+        maxTimestampDelta?: number;
+        suite?: object | object[];
+    });
+    capability: string | import("./zcap-types.js").DelegatedZcap;
+    capabilityAction: string;
+    invocationTarget: string;
+    expectedTarget: string | string[];
+    expectedAction: string;
+    update(proof: any): Promise<any>;
+    match(proof: any, { document, documentLoader }: {
+        document: any;
+        documentLoader: any;
+    }): Promise<boolean>;
+    _getCapabilityDelegationClass(): typeof CapabilityDelegation;
+    _getTailCapability({ proof }: {
+        proof: any;
+    }): {
+        capability: any;
+    };
+    _runChecksBeforeChainVerification({ dereferencedChain, proof }: {
+        dereferencedChain: any;
+        proof: any;
+    }): Promise<{
+        capabilityChainMeta: any[];
+    }>;
+    _runChecksAfterChainVerification({ dereferencedChain, proof, validateOptions }: {
+        dereferencedChain: any;
+        proof: any;
+        validateOptions: any;
+    }): Promise<import("@interop/jsonld-signatures").ProofValidateResult>;
+}
+export type InspectCapabilityChain = import("./utils.js").InspectCapabilityChain;
+export type DelegatedZcap = import("./utils.js").DelegatedZcap;
+import { CapabilityProofPurpose } from './CapabilityProofPurpose.js';
+import { CapabilityDelegation } from './CapabilityDelegation.js';
+//# sourceMappingURL=CapabilityInvocation.d.ts.map

package/types/lib/CapabilityInvocation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"CapabilityInvocation.d.ts","sourceRoot":"","sources":["../../lib/CapabilityInvocation.js"],"names":[],"mappings":"AAOA;;;GAGG;AAEH;IACE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OA4CG;IACH,qQA3CG;QAAuC,UAAU,GAAzC,MAAM,GAAC,aAAa;QAGH,gBAAgB,GAAjC,MAAM;QAEW,gBAAgB,GAAjC,MAAM;QAGY,sBAAsB,GAAxC,OAAO;QAGU,UAAU,GAA3B,MAAM;QAEuB,IAAI,GAAjC,MAAM,GAAC,IAAI,GAAC,MAAM;QAID,cAAc,GAA/B,MAAM;QAEoB,sBAAsB,GAAhD,MAAM,GAAC,MAAM,EAAE;QAGW,cAAc,GAAxC,MAAM,GAAC,MAAM,EAAE;QAEkB,sBAAsB,GAAvD,sBAAsB;QAGL,cAAc,GAA/B,MAAM;QAEW,YAAY,GAA7B,MAAM;QAIW,gBAAgB,GAAjC,MAAM;QAGW,iBAAiB,GAAlC,MAAM;QAGoB,KAAK,GAA/B,MAAM,GAAC,MAAM,EAAE;KAGzB,EA8FA;IAxBG,6DAA4B;IAC5B,yBAAwC;IACxC,yBAAwC;IAmBxC,kCAAoC;IACpC,uBAAoC;IAIxC,iCAOC;IAED;;;yBA2BC;IAED,6DAEC;IAED;;;;MAEC;IAED;;;;;OA4FC;IAED;;;;0EAgDC;CACF;qCA9UY,OAAO,YAAY,EAAE,sBAAsB;4BAC3C,OAAO,YAAY,EAAE,aAAa;uCAJV,6BAA6B;qCAD/B,2BAA2B"}

package/types/lib/CapabilityProofPurpose.d.ts

@@ -0,0 +1,126 @@
+/**
+ * @typedef {import('./utils.js').InspectCapabilityChain} InspectCapabilityChain
+ * @typedef {import('./utils.js').CapabilityMeta} CapabilityMeta
+ */
+export class CapabilityProofPurpose extends jsigs.ControllerProofPurpose {
+    /**
+     * @param {object} options - The options.
+     * @param {boolean} [options.allowTargetAttenuation=false] - Allow the
+     *   invocationTarget of a delegation chain to be increasingly restrictive
+     *   based on a hierarchical RESTful URL structure.
+     * @param {object} [options.controller] - The description of the controller,
+     *   if it is not to be dereferenced via a `documentLoader`.
+     * @param {string|Date|number} [options.date] - Used during proof
+     *   verification as the expected date for the creation of the proof
+     *   (within a maximum timestamp delta) and for checking to see if a
+     *   capability has expired; if not passed the current date will be used.
+     * @param {string|string[]} [options.expectedRootCapability] - The expected
+     *   root capability for the delegation chain (a single root capability ID
+     *   string, or an array of acceptable root capability ID strings).
+     * @param {InspectCapabilityChain} [options.inspectCapabilityChain] - An
+     *   async function that can be used to check for revocations related to any
+     *   of verified capabilities.
+     * @param {number} [options.maxChainLength=10] - The maximum length of the
+     *   capability delegation chain.
+     * @param {number} [options.maxClockSkew=300] - A maximum number of seconds
+     *   that clocks may be skewed checking capability expiration date-times
+     *   against `date` and when comparing invocation proof creation time against
+     *   delegation proof creation time.
+     * @param {number} [options.maxDelegationTtl=Infinity] - The maximum
+     *   milliseconds to live for a delegated zcap as measured by the time
+     *   difference between `expires` and `created` on the delegation proof.
+     * @param {number} [options.maxTimestampDelta=Infinity] - A maximum number
+     *   of seconds that a capability invocation proof (only used by this proof
+     *   type) "created" date can deviate from `date`, defaults to `Infinity`.
+     * @param {object|object[]} [options.suite] - The jsonld-signature suite(s) to
+     *   use to verify the capability chain. Required only when verifying a proof;
+     *   unused (and omitted) when creating a delegation proof.
+     * @param {string} options.term - The term `capabilityInvocation` or
+     *   `capabilityDelegation` to look for in an LD proof.
+     */
+    constructor({ allowTargetAttenuation, controller, date, expectedRootCapability, inspectCapabilityChain, maxChainLength, maxDelegationTtl, maxTimestampDelta, maxClockSkew, suite, term }?: {
+        allowTargetAttenuation?: boolean;
+        controller?: object;
+        date?: string | Date | number;
+        expectedRootCapability?: string | string[];
+        inspectCapabilityChain?: InspectCapabilityChain;
+        maxChainLength?: number;
+        maxClockSkew?: number;
+        maxDelegationTtl?: number;
+        maxTimestampDelta?: number;
+        suite?: object | object[];
+        term: string;
+    });
+    allowTargetAttenuation: boolean;
+    expectedRootCapability: string | string[];
+    inspectCapabilityChain: Function;
+    maxChainLength: number;
+    maxClockSkew: number;
+    maxDelegationTtl: number;
+    suite: any;
+    /**
+     * Validates a capability proof by verifying its capability delegation chain
+     * from the root outward. Overrides
+     * {@link jsigs.ControllerProofPurpose#validate} and is structurally
+     * compatible with it.
+     *
+     * @param {object} proof - The proof to validate.
+     * @param {object} validateOptions - The validation options (passed through
+     *   from `jsigs`), including `document` and `documentLoader`.
+     *
+     * @returns {Promise<import('@interop/jsonld-signatures').
+     *   ProofValidateResult>} Resolves to `{valid, error?}` (plus an internal
+     *   `dereferencedChain` on success).
+     */
+    validate(proof: object, validateOptions: object): Promise<import("@interop/jsonld-signatures").ProofValidateResult>;
+    _dereferenceChain({ document, documentLoader, proof }: {
+        document: any;
+        documentLoader: any;
+        proof: any;
+    }): Promise<{
+        dereferencedChain: import("./zcap-types.js").Zcap[];
+    }>;
+    _getCapabilityDelegationClass(): void;
+    _getTailCapability(): Promise<void>;
+    _runChecksBeforeChainVerification(): Promise<void>;
+    _runChecksAfterChainVerification(): Promise<void>;
+    _runBaseProofValidation({ proof, validateOptions }: {
+        proof: any;
+        validateOptions: any;
+    }): Promise<jsigs.ProofValidateResult>;
+    _shortCircuitValidate(): Promise<void>;
+    /**
+     * Verifies the given dereferenced capability chain. This involves ensuring
+     * that the root zcap in the chain is as expected (for the endpoint where an
+     * invocation or a simple chain chain is occurring) and that every other zcap
+     * in the chain (including any invoked one), has been properly delegated.
+     *
+     * @param {object} options - The options.
+     * @param {Function} options.CapabilityDelegation - The CapabilityDelegation
+     *   class; this must be passed to avoid circular references in this module.
+     * @param {CapabilityMeta[]} options.capabilityChainMeta - The array of
+     *   results for inspecting the capability chain; if this has a value when
+     *   passed, then it is presumed to be the verify result for the tail
+     *   capability and that tail capability will not be verified internally by
+     *   this function to avoid duplicating work; all verification results
+     *   (including the tail's -- either computed locally or reused from what
+     *   was passed) will be added to this array in order from root => tail.
+     * @param {Array} options.dereferencedChain - The dereferenced capability
+     *   chain for `capability`, starting at the root capability and ending at
+     *   `capability`.
+     * @param {Function} options.documentLoader - A configured jsonld
+     *   documentLoader.
+     *
+     * @returns {object} An object with `{verified, error}`.
+     */
+    _verifyCapabilityChain({ CapabilityDelegation, capabilityChainMeta, dereferencedChain, documentLoader }: {
+        CapabilityDelegation: Function;
+        capabilityChainMeta: CapabilityMeta[];
+        dereferencedChain: any[];
+        documentLoader: Function;
+    }): object;
+}
+export type InspectCapabilityChain = import("./utils.js").InspectCapabilityChain;
+export type CapabilityMeta = import("./utils.js").CapabilityMeta;
+import jsigs from '@interop/jsonld-signatures';
+//# sourceMappingURL=CapabilityProofPurpose.d.ts.map

package/types/lib/CapabilityProofPurpose.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"CapabilityProofPurpose.d.ts","sourceRoot":"","sources":["../../lib/CapabilityProofPurpose.js"],"names":[],"mappings":"AAUA;;;GAGG;AAEH;IACE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAkCG;IACH,2LAjCG;QAA0B,sBAAsB,GAAxC,OAAO;QAGU,UAAU,GAA3B,MAAM;QAEuB,IAAI,GAAjC,MAAM,GAAC,IAAI,GAAC,MAAM;QAIQ,sBAAsB,GAAhD,MAAM,GAAC,MAAM,EAAE;QAGkB,sBAAsB,GAAvD,sBAAsB;QAGL,cAAc,GAA/B,MAAM;QAEW,YAAY,GAA7B,MAAM;QAIW,gBAAgB,GAAjC,MAAM;QAGW,iBAAiB,GAAlC,MAAM;QAGoB,KAAK,GAA/B,MAAM,GAAC,MAAM,EAAE;QAGC,IAAI,EAApB,MAAM;KAEhB,EAiDA;IARG,gCAAoD;IACpD,0CAAoD;IACpD,iCAAoD;IACpD,uBAAoC;IACpC,qBAAgC;IAChC,yBAAwC;IACxC,WAAkB;IAItB;;;;;;;;;;;;;OAaG;IACH,gBARW,MAAM,mBACN,MAAM,GAGJ,OAAO,CAAC,OAAO,4BAA4B,EACnD,mBAAmB,CAAC,CAmIxB;IAED;;;;;;OA+BC;IAED,sCAEC;IAED,oCAEC;IAGD,mDAA4C;IAG5C,kDAA2C;IAE3C;;;2CAOC;IAGD,uCAAgC;IAEhC;;;;;;;;;;;;;;;;;;;;;;;OAuBG;IACH,yGAjBG;QAA0B,oBAAoB;QAEZ,mBAAmB,EAA7C,cAAc,EAAE;QAOD,iBAAiB;QAGd,cAAc;KAGxC,GAAU,MAAM,CAkNlB;CACF;qCA9gBY,OAAO,YAAY,EAAE,sBAAsB;6BAC3C,OAAO,YAAY,EAAE,cAAc;kBAR9B,4BAA4B"}

package/types/lib/constants.d.ts

@@ -0,0 +1,15 @@
+/** @type {object} The zcap JSON-LD context document. */
+export const ZCAP_CONTEXT: object;
+/** @type {string} The zcap JSON-LD context URL (`https://w3id.org/zcap/v1`). */
+export const ZCAP_CONTEXT_URL: string;
+/** @type {string} The base URL for the zcap security vocabulary. */
+export const CAPABILITY_VOCAB_URL: string;
+/** @type {string} URI prefix for root capability IDs (`urn:zcap:root:`). */
+export const ZCAP_ROOT_PREFIX: string;
+/**
+ * Default maximum capability delegation chain length (inclusive of the tail).
+ *
+ * @type {number}
+ */
+export const MAX_CHAIN_LENGTH: number;
+//# sourceMappingURL=constants.d.ts.map

package/types/lib/constants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.d.ts","sourceRoot":"","sources":["../../lib/constants.js"],"names":[],"mappings":"AAYA,wDAAwD;AACxD,2BADW,MAAM,CACmB;AAEpC,gFAAgF;AAChF,+BADW,MAAM,CAC2B;AAE5C,oEAAoE;AACpE,mCADW,MAAM,CACgD;AAEjE,4EAA4E;AAC5E,+BADW,MAAM,CACgC;AAEjD;;;;GAIG;AAGH,+BAJU,MAAM,CAImB"}

package/types/lib/index.d.ts

@@ -0,0 +1,50 @@
+/**
+ * @typedef {import('./utils.js').RootZcap} RootZcap
+ * @typedef {import('./utils.js').DelegatedZcap} DelegatedZcap
+ * @typedef {import('./utils.js').Zcap} Zcap
+ * @typedef {import('./utils.js').CapabilityDelegationProof} CapabilityDelegationProof
+ * @typedef {import('./utils.js').InspectCapabilityChain} InspectCapabilityChain
+ * @typedef {import('./utils.js').InspectResult} InspectResult
+ * @typedef {import('./utils.js').CapabilityChainDetails} CapabilityChainDetails
+ * @typedef {import('./utils.js').CapabilityMeta} CapabilityMeta
+ * @typedef {import('./utils.js').VerifyResult} VerifyResult
+ * @typedef {import('./utils.js').VerifyProofResult} VerifyProofResult
+ * @typedef {import('./utils.js').VerifyProofPurposeResult} VerifyProofPurposeResult
+ */
+/**
+ * Wraps an existing document loader so that it also serves the zcap JSON-LD
+ * context. The wrapped loader is called for all other URLs.
+ *
+ * @param {Function} documentLoader - An existing JSON-LD document loader to
+ *   extend.
+ *
+ * @returns {Function} A new document loader that handles the zcap context URL
+ *   and delegates all other URLs to the wrapped loader.
+ */
+export function extendDocumentLoader(documentLoader: Function): Function;
+export { CapabilityInvocation } from "./CapabilityInvocation.js";
+export { CapabilityDelegation } from "./CapabilityDelegation.js";
+export { createRootCapability } from "./utils.js";
+export { constants };
+/**
+ * A default JSON-LD document loader that serves only the zcap and
+ * jsonld-signatures contexts. Suitable for use when no other contexts are
+ * needed. Extend it with {@link extendDocumentLoader} if additional contexts
+ * are required.
+ *
+ * @type {Function}
+ */
+export const documentLoader: Function;
+export type RootZcap = import("./utils.js").RootZcap;
+export type DelegatedZcap = import("./utils.js").DelegatedZcap;
+export type Zcap = import("./utils.js").Zcap;
+export type CapabilityDelegationProof = import("./utils.js").CapabilityDelegationProof;
+export type InspectCapabilityChain = import("./utils.js").InspectCapabilityChain;
+export type InspectResult = import("./utils.js").InspectResult;
+export type CapabilityChainDetails = import("./utils.js").CapabilityChainDetails;
+export type CapabilityMeta = import("./utils.js").CapabilityMeta;
+export type VerifyResult = import("./utils.js").VerifyResult;
+export type VerifyProofResult = import("./utils.js").VerifyProofResult;
+export type VerifyProofPurposeResult = import("./utils.js").VerifyProofPurposeResult;
+import * as constants from './constants.js';
+//# sourceMappingURL=index.d.ts.map

package/types/lib/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../lib/index.js"],"names":[],"mappings":"AAYA;;;;;;;;;;;;GAYG;AAEH;;;;;;;;;GASG;AACH,yEAYC;;;;;AAED;;;;;;;GAOG;AACH,sCAC8B;uBA9CjB,OAAO,YAAY,EAAE,QAAQ;4BAC7B,OAAO,YAAY,EAAE,aAAa;mBAClC,OAAO,YAAY,EAAE,IAAI;wCACzB,OAAO,YAAY,EAAE,yBAAyB;qCAC9C,OAAO,YAAY,EAAE,sBAAsB;4BAC3C,OAAO,YAAY,EAAE,aAAa;qCAClC,OAAO,YAAY,EAAE,sBAAsB;6BAC3C,OAAO,YAAY,EAAE,cAAc;2BACnC,OAAO,YAAY,EAAE,YAAY;gCACjC,OAAO,YAAY,EAAE,iBAAiB;uCACtC,OAAO,YAAY,EAAE,wBAAwB;2BAd/B,gBAAgB"}