npm - @lindorm/aegis - Versions diffs - 0.6.0 → 0.7.1 - Mend

@lindorm/aegis 0.6.0 → 0.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (308) hide show

package/CHANGELOG.md +17 -0
package/README.md +142 -180
package/__tests__/jwe-interop.test.ts +3 -2
package/__tests__/jwt-interop.test.ts +4 -7
package/dist/classes/Aegis.d.ts +5 -5
package/dist/classes/Aegis.d.ts.map +1 -1
package/dist/classes/Aegis.js +35 -39
package/dist/classes/Aegis.js.map +1 -1
package/dist/classes/JweKit.d.ts +2 -2
package/dist/classes/JweKit.d.ts.map +1 -1
package/dist/classes/JweKit.js +47 -51
package/dist/classes/JweKit.js.map +1 -1
package/dist/classes/JwsKit.d.ts +2 -2
package/dist/classes/JwsKit.d.ts.map +1 -1
package/dist/classes/JwsKit.js +32 -36
package/dist/classes/JwsKit.js.map +1 -1
package/dist/classes/JwtKit.d.ts +3 -3
package/dist/classes/JwtKit.d.ts.map +1 -1
package/dist/classes/JwtKit.js +50 -54
package/dist/classes/JwtKit.js.map +1 -1
package/dist/classes/SignatureKit.d.ts +2 -2
package/dist/classes/SignatureKit.d.ts.map +1 -1
package/dist/classes/SignatureKit.js +13 -17
package/dist/classes/SignatureKit.js.map +1 -1
package/dist/classes/index.d.ts +5 -5
package/dist/classes/index.d.ts.map +1 -1
package/dist/classes/index.js +5 -21
package/dist/classes/index.js.map +1 -1
package/dist/constants/token-type.js +2 -5
package/dist/constants/token-type.js.map +1 -1
package/dist/errors/AegisError.js +2 -6
package/dist/errors/AegisError.js.map +1 -1
package/dist/errors/JweError.js +2 -6
package/dist/errors/JweError.js.map +1 -1
package/dist/errors/JwsError.js +2 -6
package/dist/errors/JwsError.js.map +1 -1
package/dist/errors/JwtError.js +2 -6
package/dist/errors/JwtError.js.map +1 -1
package/dist/errors/index.d.ts +4 -4
package/dist/errors/index.d.ts.map +1 -1
package/dist/errors/index.js +4 -20
package/dist/errors/index.js.map +1 -1
package/dist/guards/index.d.ts +2 -2
package/dist/guards/index.d.ts.map +1 -1
package/dist/guards/index.js +2 -18
package/dist/guards/index.js.map +1 -1
package/dist/guards/is-parsed-jws.d.ts +1 -1
package/dist/guards/is-parsed-jws.d.ts.map +1 -1
package/dist/guards/is-parsed-jws.js +1 -5
package/dist/guards/is-parsed-jws.js.map +1 -1
package/dist/guards/is-parsed-jwt.d.ts +1 -1
package/dist/guards/is-parsed-jwt.d.ts.map +1 -1
package/dist/guards/is-parsed-jwt.js +1 -5
package/dist/guards/is-parsed-jwt.js.map +1 -1
package/dist/index.d.ts +6 -7
package/dist/index.d.ts.map +1 -1
package/dist/index.js +5 -22
package/dist/index.js.map +1 -1
package/dist/interfaces/Aegis.d.ts +3 -3
package/dist/interfaces/Aegis.d.ts.map +1 -1
package/dist/interfaces/Aegis.js +1 -2
package/dist/interfaces/JweKit.d.ts +1 -1
package/dist/interfaces/JweKit.d.ts.map +1 -1
package/dist/interfaces/JweKit.js +1 -2
package/dist/interfaces/JwsKit.d.ts +1 -1
package/dist/interfaces/JwsKit.d.ts.map +1 -1
package/dist/interfaces/JwsKit.js +1 -2
package/dist/interfaces/JwtKit.d.ts +2 -2
package/dist/interfaces/JwtKit.d.ts.map +1 -1
package/dist/interfaces/JwtKit.js +1 -2
package/dist/interfaces/index.d.ts +4 -4
package/dist/interfaces/index.d.ts.map +1 -1
package/dist/interfaces/index.js +4 -20
package/dist/interfaces/index.js.map +1 -1
package/dist/internal/constants/aegis-profile-keys.js +1 -4
package/dist/internal/constants/aegis-profile-keys.js.map +1 -1
package/dist/internal/constants/format.js +1 -4
package/dist/internal/constants/format.js.map +1 -1
package/dist/internal/constants/header.js +13 -16
package/dist/internal/constants/header.js.map +1 -1
package/dist/internal/utils/compute-jwk-thumbprint.js +5 -9
package/dist/internal/utils/compute-jwk-thumbprint.js.map +1 -1
package/dist/internal/utils/compute-typ-header.d.ts +2 -2
package/dist/internal/utils/compute-typ-header.d.ts.map +1 -1
package/dist/internal/utils/compute-typ-header.js +6 -12
package/dist/internal/utils/compute-typ-header.js.map +1 -1
package/dist/internal/utils/create-hash.d.ts +1 -1
package/dist/internal/utils/create-hash.d.ts.map +1 -1
package/dist/internal/utils/create-hash.js +10 -17
package/dist/internal/utils/create-hash.js.map +1 -1
package/dist/internal/utils/extract-aegis-profile.d.ts +2 -2
package/dist/internal/utils/extract-aegis-profile.d.ts.map +1 -1
package/dist/internal/utils/extract-aegis-profile.js +6 -10
package/dist/internal/utils/extract-aegis-profile.js.map +1 -1
package/dist/internal/utils/extract-claims.d.ts +7 -7
package/dist/internal/utils/extract-claims.d.ts.map +1 -1
package/dist/internal/utils/extract-claims.js +47 -51
package/dist/internal/utils/extract-claims.js.map +1 -1
package/dist/internal/utils/extract-token-delegation.d.ts +2 -2
package/dist/internal/utils/extract-token-delegation.d.ts.map +1 -1
package/dist/internal/utils/extract-token-delegation.js +3 -7
package/dist/internal/utils/extract-token-delegation.js.map +1 -1
package/dist/internal/utils/generate-token-id.js +4 -8
package/dist/internal/utils/generate-token-id.js.map +1 -1
package/dist/internal/utils/jose-header.d.ts +1 -1
package/dist/internal/utils/jose-header.d.ts.map +1 -1
package/dist/internal/utils/jose-header.js +14 -19
package/dist/internal/utils/jose-header.js.map +1 -1
package/dist/internal/utils/jose-signature.d.ts +1 -1
package/dist/internal/utils/jose-signature.d.ts.map +1 -1
package/dist/internal/utils/jose-signature.js +7 -12
package/dist/internal/utils/jose-signature.js.map +1 -1
package/dist/internal/utils/jwt-payload.d.ts +3 -3
package/dist/internal/utils/jwt-payload.d.ts.map +1 -1
package/dist/internal/utils/jwt-payload.js +79 -86
package/dist/internal/utils/jwt-payload.js.map +1 -1
package/dist/internal/utils/jwt-validate.d.ts +2 -2
package/dist/internal/utils/jwt-validate.d.ts.map +1 -1
package/dist/internal/utils/jwt-validate.js +13 -17
package/dist/internal/utils/jwt-validate.js.map +1 -1
package/dist/internal/utils/jwt-verify.d.ts +3 -3
package/dist/internal/utils/jwt-verify.d.ts.map +1 -1
package/dist/internal/utils/jwt-verify.js +18 -22
package/dist/internal/utils/jwt-verify.js.map +1 -1
package/dist/internal/utils/parse-introspection.d.ts +2 -2
package/dist/internal/utils/parse-introspection.d.ts.map +1 -1
package/dist/internal/utils/parse-introspection.js +12 -16
package/dist/internal/utils/parse-introspection.js.map +1 -1
package/dist/internal/utils/parse-userinfo.d.ts +2 -2
package/dist/internal/utils/parse-userinfo.d.ts.map +1 -1
package/dist/internal/utils/parse-userinfo.js +10 -14
package/dist/internal/utils/parse-userinfo.js.map +1 -1
package/dist/internal/utils/resolve-cert-binding.d.ts +2 -2
package/dist/internal/utils/resolve-cert-binding.d.ts.map +1 -1
package/dist/internal/utils/resolve-cert-binding.js +3 -7
package/dist/internal/utils/resolve-cert-binding.js.map +1 -1
package/dist/internal/utils/token-header.d.ts +1 -1
package/dist/internal/utils/token-header.d.ts.map +1 -1
package/dist/internal/utils/token-header.js +15 -20
package/dist/internal/utils/token-header.js.map +1 -1
package/dist/internal/utils/validate-actor.d.ts +1 -1
package/dist/internal/utils/validate-actor.d.ts.map +1 -1
package/dist/internal/utils/validate-actor.js +1 -5
package/dist/internal/utils/validate-actor.js.map +1 -1
package/dist/internal/utils/validate-crit.js +1 -5
package/dist/internal/utils/validate-crit.js.map +1 -1
package/dist/internal/utils/validate.d.ts +1 -1
package/dist/internal/utils/validate.d.ts.map +1 -1
package/dist/internal/utils/validate.js +6 -10
package/dist/internal/utils/validate.js.map +1 -1
package/dist/internal/utils/verify-cert-binding.d.ts +3 -3
package/dist/internal/utils/verify-cert-binding.d.ts.map +1 -1
package/dist/internal/utils/verify-cert-binding.js +4 -8
package/dist/internal/utils/verify-cert-binding.js.map +1 -1
package/dist/internal/utils/verify-dpop-proof.d.ts +1 -1
package/dist/internal/utils/verify-dpop-proof.d.ts.map +1 -1
package/dist/internal/utils/verify-dpop-proof.js +23 -27
package/dist/internal/utils/verify-dpop-proof.js.map +1 -1
package/dist/mocks/create-mock-aegis.d.ts +3 -3
package/dist/mocks/create-mock-aegis.d.ts.map +1 -1
package/dist/mocks/create-mock-aegis.js +20 -20
package/dist/mocks/create-mock-aegis.js.map +1 -1
package/dist/mocks/jest.d.ts +5 -0
package/dist/mocks/jest.d.ts.map +1 -0
package/dist/mocks/jest.js +4 -0
package/dist/mocks/jest.js.map +1 -0
package/dist/mocks/vitest.d.ts +6 -0
package/dist/mocks/vitest.d.ts.map +1 -0
package/dist/mocks/vitest.js +5 -0
package/dist/mocks/vitest.js.map +1 -0
package/dist/types/aegis.d.ts +5 -5
package/dist/types/aegis.d.ts.map +1 -1
package/dist/types/aegis.js +1 -2
package/dist/types/claims/act-claim.js +1 -2
package/dist/types/claims/aegis-introspection.d.ts +6 -6
package/dist/types/claims/aegis-introspection.d.ts.map +1 -1
package/dist/types/claims/aegis-introspection.js +1 -2
package/dist/types/claims/aegis-profile.js +1 -2
package/dist/types/claims/aegis-userinfo.d.ts +1 -1
package/dist/types/claims/aegis-userinfo.d.ts.map +1 -1
package/dist/types/claims/aegis-userinfo.js +1 -2
package/dist/types/claims/confirmation-claim.d.ts +1 -1
package/dist/types/claims/confirmation-claim.d.ts.map +1 -1
package/dist/types/claims/confirmation-claim.js +1 -2
package/dist/types/claims/delegation-claims.d.ts +1 -1
package/dist/types/claims/delegation-claims.d.ts.map +1 -1
package/dist/types/claims/delegation-claims.js +1 -2
package/dist/types/claims/index.d.ts +12 -12
package/dist/types/claims/index.d.ts.map +1 -1
package/dist/types/claims/index.js +12 -28
package/dist/types/claims/index.js.map +1 -1
package/dist/types/claims/jwt/act-claim-wire.js +1 -2
package/dist/types/claims/jwt/confirmation-claim-wire.d.ts +1 -1
package/dist/types/claims/jwt/confirmation-claim-wire.d.ts.map +1 -1
package/dist/types/claims/jwt/confirmation-claim-wire.js +1 -2
package/dist/types/claims/jwt/delegation-claims-wire.d.ts +1 -1
package/dist/types/claims/jwt/delegation-claims-wire.d.ts.map +1 -1
package/dist/types/claims/jwt/delegation-claims-wire.js +1 -2
package/dist/types/claims/jwt/index.d.ts +9 -9
package/dist/types/claims/jwt/index.d.ts.map +1 -1
package/dist/types/claims/jwt/index.js +9 -25
package/dist/types/claims/jwt/index.js.map +1 -1
package/dist/types/claims/jwt/jwt-claims.d.ts +6 -6
package/dist/types/claims/jwt/jwt-claims.d.ts.map +1 -1
package/dist/types/claims/jwt/jwt-claims.js +1 -2
package/dist/types/claims/jwt/lindorm-claims-wire.d.ts +2 -2
package/dist/types/claims/jwt/lindorm-claims-wire.d.ts.map +1 -1
package/dist/types/claims/jwt/lindorm-claims-wire.js +1 -2
package/dist/types/claims/jwt/oauth-claims-wire.js +1 -2
package/dist/types/claims/jwt/oidc-claims-wire.js +1 -2
package/dist/types/claims/jwt/pop-claims-wire.d.ts +1 -1
package/dist/types/claims/jwt/pop-claims-wire.d.ts.map +1 -1
package/dist/types/claims/jwt/pop-claims-wire.js +1 -2
package/dist/types/claims/jwt/std-claims-wire.js +1 -2
package/dist/types/claims/lindorm-claims.d.ts +1 -1
package/dist/types/claims/lindorm-claims.d.ts.map +1 -1
package/dist/types/claims/lindorm-claims.js +1 -2
package/dist/types/claims/oauth-claims.js +1 -2
package/dist/types/claims/oidc-claims.js +1 -2
package/dist/types/claims/pop-claims.d.ts +1 -1
package/dist/types/claims/pop-claims.d.ts.map +1 -1
package/dist/types/claims/pop-claims.js +1 -2
package/dist/types/claims/std-claims.js +1 -2
package/dist/types/header.d.ts +3 -3
package/dist/types/header.d.ts.map +1 -1
package/dist/types/header.js +1 -2
package/dist/types/header.js.map +1 -1
package/dist/types/index.d.ts +9 -9
package/dist/types/index.d.ts.map +1 -1
package/dist/types/index.js +9 -25
package/dist/types/index.js.map +1 -1
package/dist/types/jwe/index.d.ts +4 -4
package/dist/types/jwe/index.d.ts.map +1 -1
package/dist/types/jwe/index.js +4 -20
package/dist/types/jwe/index.js.map +1 -1
package/dist/types/jwe/jwe-decode.d.ts +1 -1
package/dist/types/jwe/jwe-decode.d.ts.map +1 -1
package/dist/types/jwe/jwe-decode.js +1 -2
package/dist/types/jwe/jwe-decrypt.d.ts +3 -3
package/dist/types/jwe/jwe-decrypt.d.ts.map +1 -1
package/dist/types/jwe/jwe-decrypt.js +1 -2
package/dist/types/jwe/jwe-encrypt.d.ts +2 -2
package/dist/types/jwe/jwe-encrypt.d.ts.map +1 -1
package/dist/types/jwe/jwe-encrypt.js +1 -2
package/dist/types/jwe/jwe-kit.d.ts +1 -1
package/dist/types/jwe/jwe-kit.d.ts.map +1 -1
package/dist/types/jwe/jwe-kit.js +1 -2
package/dist/types/jws/index.d.ts +4 -4
package/dist/types/jws/index.d.ts.map +1 -1
package/dist/types/jws/index.js +4 -20
package/dist/types/jws/index.js.map +1 -1
package/dist/types/jws/jws-decode.d.ts +1 -1
package/dist/types/jws/jws-decode.d.ts.map +1 -1
package/dist/types/jws/jws-decode.js +1 -2
package/dist/types/jws/jws-kit.d.ts +1 -1
package/dist/types/jws/jws-kit.d.ts.map +1 -1
package/dist/types/jws/jws-kit.js +1 -2
package/dist/types/jws/jws-parse.d.ts +3 -3
package/dist/types/jws/jws-parse.d.ts.map +1 -1
package/dist/types/jws/jws-parse.js +1 -2
package/dist/types/jws/jws-sign.d.ts +2 -2
package/dist/types/jws/jws-sign.d.ts.map +1 -1
package/dist/types/jws/jws-sign.js +1 -2
package/dist/types/jwt/index.d.ts +9 -9
package/dist/types/jwt/index.d.ts.map +1 -1
package/dist/types/jwt/index.js +9 -25
package/dist/types/jwt/index.js.map +1 -1
package/dist/types/jwt/jwt-claim-matchers.d.ts +1 -1
package/dist/types/jwt/jwt-claim-matchers.d.ts.map +1 -1
package/dist/types/jwt/jwt-claim-matchers.js +1 -2
package/dist/types/jwt/jwt-decode.d.ts +3 -3
package/dist/types/jwt/jwt-decode.d.ts.map +1 -1
package/dist/types/jwt/jwt-decode.js +1 -2
package/dist/types/jwt/jwt-delegation.d.ts +1 -1
package/dist/types/jwt/jwt-delegation.d.ts.map +1 -1
package/dist/types/jwt/jwt-delegation.js +1 -2
package/dist/types/jwt/jwt-dpop.js +1 -2
package/dist/types/jwt/jwt-kit.d.ts +1 -1
package/dist/types/jwt/jwt-kit.d.ts.map +1 -1
package/dist/types/jwt/jwt-kit.js +1 -2
package/dist/types/jwt/jwt-parse.d.ts +7 -7
package/dist/types/jwt/jwt-parse.d.ts.map +1 -1
package/dist/types/jwt/jwt-parse.js +1 -2
package/dist/types/jwt/jwt-sign.d.ts +4 -4
package/dist/types/jwt/jwt-sign.d.ts.map +1 -1
package/dist/types/jwt/jwt-sign.js +1 -2
package/dist/types/jwt/jwt-validate.d.ts +3 -3
package/dist/types/jwt/jwt-validate.d.ts.map +1 -1
package/dist/types/jwt/jwt-validate.js +1 -2
package/dist/types/jwt/jwt-verify.d.ts +2 -2
package/dist/types/jwt/jwt-verify.d.ts.map +1 -1
package/dist/types/jwt/jwt-verify.js +1 -2
package/dist/types/kit.d.ts +3 -3
package/dist/types/kit.d.ts.map +1 -1
package/dist/types/kit.js +1 -2
package/dist/types/level-of-assurance.js +1 -2
package/dist/types/signature-kit.d.ts +2 -2
package/dist/types/signature-kit.d.ts.map +1 -1
package/dist/types/signature-kit.js +1 -2
package/package.json +33 -33
package/vitest.config.mjs +6 -0
package/__tests__/__mocks__/cbor.ts +0 -17
package/dist/mocks/index.d.ts +0 -2
package/dist/mocks/index.d.ts.map +0 -1
package/dist/mocks/index.js +0 -6
package/dist/mocks/index.js.map +0 -1
package/jest.config.interop.mjs +0 -27
package/tsconfig.interop.json +0 -9

package/CHANGELOG.md CHANGED Viewed

@@ -3,6 +3,23 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
+## [0.7.1](https://github.com/lindorm-io/monorepo/compare/@lindorm/aegis@0.7.0...@lindorm/aegis@0.7.1) (2026-05-05)
+### Bug Fixes
+- **aegis:** extend timeout for RSA-OAEP-512 algorithm test ([b418307](https://github.com/lindorm-io/monorepo/commit/b4183075263fff656337663e8d0e0bcdb892309d))
+# [0.7.0](https://github.com/lindorm-io/monorepo/compare/@lindorm/aegis@0.6.0...@lindorm/aegis@0.7.0) (2026-05-02)
+### Bug Fixes
+- **aegis:** drop createRequire interop workaround in jwt-interop test ([492e3df](https://github.com/lindorm-io/monorepo/commit/492e3dff29971a3958b0628ce5465195f8a8cfe5))
+- widen @lindorm/\* peer ranges to unbounded >= ([f192b59](https://github.com/lindorm-io/monorepo/commit/f192b59107bf1f276d296837f40fa97765d9d2ba))
+### Features
+- migrate 20 packages from jest to vitest ([d8bfda8](https://github.com/lindorm-io/monorepo/commit/d8bfda8854dc1cb9537ba0b3e47ec4e4c7bded08))
 # [0.6.0](https://github.com/lindorm-io/monorepo/compare/@lindorm/aegis@0.5.0...@lindorm/aegis@0.6.0) (2026-04-19)
 ### Features

package/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # @lindorm/aegis
-Token operations for JWT, JWE, JWS, CWT (CBOR Web Token), CWS (COSE Sign1), and CWE (COSE Encrypt).
+JOSE token operations for JWT, JWS, and JWE backed by an Amphora key store.
 ## Installation
@@ -8,256 +8,186 @@ Token operations for JWT, JWE, JWS, CWT (CBOR Web Token), CWS (COSE Sign1), and
 npm install @lindorm/aegis
 ```
-## Overview
+This package is **ESM-only**. All examples use `import`; `require()` is not supported.
+The `Aegis` class requires `@lindorm/amphora` (key store) and `@lindorm/logger` (logger) instances at construction time:
+```bash
+npm install @lindorm/amphora @lindorm/logger
+```
-Aegis provides two usage patterns:
+## Overview
-- **Aegis class** — async wrapper that resolves keys from an `IAmphora` key store before delegating to Kit classes.
-- **Kit classes** (`JwtKit`, `CwtKit`, `CwsKit`, etc.) — synchronous, single-key operations. You supply an `IKryptos` key directly.
+Aegis exposes two layers:
-The Aegis class methods are **async** because they perform key lookups. All Kit class methods are **synchronous**.
+- **`Aegis`** — async façade that resolves keys from an `IAmphora` key store and delegates to the kit classes. Use this when you want JWT/JWS/JWE operations driven by a managed key store with `kid`-based lookup.
+- **Kit classes** (`JwtKit`, `JwsKit`, `JweKit`, `SignatureKit`) — synchronous, single-key primitives. You supply an `IKryptos` key directly. Use these when you already have the key in hand and don't need the Amphora layer.
-## Aegis Class
+The `Aegis` instance methods are async because they perform key lookups. All kit instance methods are synchronous.
-Async wrapper that resolves keys from an `IAmphora` key store. All operations are async.
+## Aegis
 ```typescript
 import { Aegis } from "@lindorm/aegis";
 const aegis = new Aegis({
-  amphora,
-  logger,
-  issuer: "https://example.com",
-  clockTolerance: 30000, // ms, optional
+  amphora, // IAmphora — key store
+  logger, // ILogger
+  issuer: "https://example.com", // optional; falls back to amphora.domain
+  clockTolerance: 30, // optional, in seconds (default 0)
   encryption: "A256GCM", // optional, default "A256GCM"
-  encAlgorithm: "ECDH-ES", // optional, default encryption algorithm
-  sigAlgorithm: "ES256", // optional, default signing algorithm
+  encAlgorithm: "ECDH-ES", // optional — restricts encryption key selection
+  sigAlgorithm: "ES256", // optional — restricts signing key selection
+  certBindingMode: "strict", // optional, "strict" | "lax" (default "strict")
+  dpopMaxSkew: 60, // optional, in seconds (default 60)
 });
 ```
 ### Namespaced operations
 ```typescript
-// JWT
 const signed = await aegis.jwt.sign({
   expires: "1h",
-  subject: "u1",
+  subject: "user-123",
   tokenType: "access_token",
+  audience: ["https://api.example.com"],
+  scope: ["read", "write"],
+  claims: { role: "admin" },
 });
-const parsed = await aegis.jwt.verify(signed.token);
-// CWT
-const cwt = await aegis.cwt.sign({
-  expires: "1h",
-  subject: "u1",
-  tokenType: "access_token",
+const parsed = await aegis.jwt.verify(signed.token, {
+  audience: "https://api.example.com",
+  scope: ["read"],
 });
-const cwtParsed = await aegis.cwt.verify(cwt.token);
-// JWS / CWS — sign and verify arbitrary data
-const jws = await aegis.jws.sign("data");
-const cws = await aegis.cws.sign("data");
+const jws = await aegis.jws.sign("payload");
+const verifiedJws = await aegis.jws.verify(jws.token);
-// JWE / CWE — encrypt and decrypt
 const jwe = await aegis.jwe.encrypt("secret");
-const cwe = await aegis.cwe.encrypt("secret");
+const decrypted = await aegis.jwe.decrypt(jwe.token);
+```
-// AES — returns base64 encoded string by default
-const encoded = await aegis.aes.encrypt("data");
-const record = await aegis.aes.encrypt("data", "record");
-const serialised = await aegis.aes.encrypt("data", "serialised");
-const decrypted = await aegis.aes.decrypt(encoded);
+### AES helpers
+```typescript
+const encoded = await aegis.aes.encrypt("data"); // base64 string
+const record = await aegis.aes.encrypt("data", "record"); // AesEncryptionRecord
+const serialised = await aegis.aes.encrypt("data", "serialised"); // SerialisedAesEncryption
+const tokenised = await aegis.aes.encrypt("data", "tokenised"); // base64 string
+const plain = await aegis.aes.decrypt(encoded);
 ```
 ### Universal verification
-Automatically detects token type and verifies/decrypts accordingly.
+`aegis.verify` auto-detects JWT, JWS, and JWE compact serialisations. JWE inputs are decrypted first, then the inner payload is re-verified.
 ```typescript
 const result = await aegis.verify(anyToken, {
   audience: "https://api.example.com",
 });
-// Works with JWT, JWE, JWS, CWT, CWE, or CWS
-// JWE/CWE tokens are decrypted, then their inner payload is verified
 ```
-### Static methods
+### Static helpers
-No key or amphora required.
+These do not need a key or amphora.
 ```typescript
 Aegis.isJwt(token);
-Aegis.isCwt(token);
 Aegis.isJws(token);
-Aegis.isCws(token);
 Aegis.isJwe(token);
-Aegis.isCwe(token);
-Aegis.header(token); // TokenHeaderClaims (JOSE tokens only)
-Aegis.decode(token); // auto-detect and decode without verification
-Aegis.parse(token); // auto-detect, decode, and validate structure
-```
+Aegis.header(token); // decode the JOSE protected header
+Aegis.decode(token); // auto-detect, decode without verifying
+Aegis.parse(token); // auto-detect (JWT or JWS), validate structure
-## Kit Classes
+Aegis.parseUserinfo(claims); // → AegisUserinfo
+Aegis.parseIntrospection(claims); // → AegisIntrospection
+Aegis.validateClaims(claims, matchers); // throws on mismatch
+```
-### JwtKit
+## JwtKit
-Signs and verifies JSON Web Tokens.
+Synchronous JWT sign and verify against a single `IKryptos` key.
 ```typescript
 import { JwtKit } from "@lindorm/aegis";
-const kit = new JwtKit({ issuer: "https://example.com", logger, kryptos });
+const kit = new JwtKit({
+  issuer: "https://example.com",
+  kryptos,
+  logger,
+  clockTolerance: 30, // seconds, optional
+});
-// Sign — returns { token, expiresAt, expiresIn, expiresOn, objectId, tokenId }
 const signed = kit.sign({
   expires: "1h",
   subject: "user-123",
   tokenType: "access_token",
   audience: ["https://api.example.com"],
   claims: { role: "admin" },
-  scope: ["read", "write"],
 });
+// → { token, expiresAt, expiresIn, expiresOn, objectId, tokenId }
-// Verify — returns { decoded, header, payload, token }
 const parsed = kit.verify(signed.token, {
   audience: "https://api.example.com",
   scope: ["read"],
 });
-// Static methods (no key required)
-JwtKit.isJwt(token); // boolean
-JwtKit.decode(token); // { header, payload, signature }
-JwtKit.parse(token); // { decoded, header, payload, token }
-JwtKit.validate(payload, options); // throws on mismatch
-```
-### CwtKit
-Signs and verifies CBOR Web Tokens (RFC 8392). Uses COSE Sign1 structure with CBOR-encoded payloads and integer claim labels.
-```typescript
-import { CwtKit } from "@lindorm/aegis";
-const kit = new CwtKit({ issuer: "https://example.com", logger, kryptos });
-// Sign — returns { buffer, token, expiresAt, expiresIn, expiresOn, objectId, tokenId }
-const signed = kit.sign({
-  expires: "1h",
-  subject: "user-123",
-  tokenType: "access_token",
-  claims: { 900: "custom-value", 901: 42 }, // integer labels >= 900
-});
-// Verify — accepts Buffer or base64url string
-const parsed = kit.verify(signed.token, {
-  tokenType: "access_token",
-});
-// Static methods
-CwtKit.isCwt(token);
-CwtKit.decode(token);
-CwtKit.parse(token);
-CwtKit.validate(payload, options);
+JwtKit.isJwt(token);
+JwtKit.decode(token);
+JwtKit.parse(token);
+JwtKit.validate(payload, matchers);
 ```
-**COSE target modes:** Pass `{ target: "external" }` to sign options to emit string keys for proprietary labels instead of integer CBOR labels. Standard RFC claims (iss, sub, exp, etc.) always use integer labels regardless of target.
+## JwsKit
-**Custom claim labels:** Numeric keys >= 900 in the `claims` object are encoded as compact integer CBOR labels. Keys below 900 are rejected to prevent collision with IANA-assigned (1-255) and Lindorm-reserved (400-599) ranges.
-### CwsKit
-Signs and verifies arbitrary data using COSE Sign1 (RFC 9052).
-```typescript
-import { CwsKit } from "@lindorm/aegis";
-const kit = new CwsKit({ logger, kryptos });
-// Sign string or Buffer — returns { buffer, objectId, token }
-const signed = kit.sign("hello world", {
-  objectId: "msg-001",
-  target: "internal", // or "external"
-});
-// Verify — returns { decoded, header, payload, token }
-const parsed = kit.verify(signed.token);
-// parsed.payload === "hello world"
-// Static methods
-CwsKit.isCws(token);
-CwsKit.decode(token);
-CwsKit.parse(token);
-```
-### CweKit
-Encrypts and decrypts data using COSE Encrypt (RFC 9052).
-```typescript
-import { CweKit } from "@lindorm/aegis";
-const kit = new CweKit({ logger, kryptos, encryption: "A256GCM" });
-// Encrypt string or Buffer — returns { buffer, token }
-const encrypted = kit.encrypt("secret data", {
-  objectId: "msg-002",
-  target: "internal",
-});
-// Decrypt — returns { decoded, header, payload, token }
-const decrypted = kit.decrypt(encrypted.token);
-// decrypted.payload === "secret data"
-// Static methods
-CweKit.isCwe(token);
-CweKit.decode(token);
-```
-### JwsKit
-Signs and verifies arbitrary data using JSON Web Signatures.
+Synchronous JWS sign and verify over arbitrary `string` or `Buffer` data.
 ```typescript
 import { JwsKit } from "@lindorm/aegis";
-const kit = new JwsKit({ logger, kryptos });
+const kit = new JwsKit({ kryptos, logger });
-// Sign string or Buffer — returns { objectId, token }
-const signed = kit.sign("hello world", { objectId: "msg-003" });
+const signed = kit.sign("hello world", { objectId: "msg-001" });
+// → { token, objectId }
-// Verify — returns { decoded, header, payload, token }
-const parsed = kit.verify(signed.token);
+const parsed = kit.verify<string>(signed.token);
+// parsed.payload === "hello world"
-// Static methods
 JwsKit.isJws(token);
 JwsKit.decode(token);
 JwsKit.parse(token);
 ```
-### JweKit
+## JweKit
-Encrypts and decrypts data using JSON Web Encryption.
+Synchronous JWE encrypt and decrypt over `string` data.
 ```typescript
 import { JweKit } from "@lindorm/aegis";
-const kit = new JweKit({ logger, kryptos, encryption: "A256GCM" });
+const kit = new JweKit({
+  kryptos,
+  logger,
+  encryption: "A256GCM", // optional; falls back to kryptos.encryption
+});
-// Encrypt string — returns { token }
-const encrypted = kit.encrypt("secret data", { objectId: "msg-004" });
+const encrypted = kit.encrypt("secret data", { objectId: "msg-002" });
+// → { token }
-// Decrypt — returns { decoded, header, payload, token }
 const decrypted = kit.decrypt(encrypted.token);
+// → { decoded, header, payload, token }
-// Static methods
 JweKit.isJwe(token);
 JweKit.decode(token);
 ```
-### SignatureKit
+Compressed payloads (`zip` header) are explicitly rejected.
+## SignatureKit
-Low-level signature operations over raw data.
+Low-level signature primitives over raw bytes. Dispatches to the appropriate driver kit based on `kryptos.type` (AKP / EC / OKP / RSA / oct).
 ```typescript
 import { SignatureKit } from "@lindorm/aegis";
@@ -266,27 +196,27 @@ const kit = new SignatureKit({ kryptos });
 const signature = kit.sign(data); // Buffer
 const valid = kit.verify(data, signature); // boolean
-kit.assert(data, signature); // throws if invalid
-kit.format(signature); // string
+kit.assert(data, signature); // throws on mismatch
+const formatted = kit.format(signature); // string
 ```
-## Sign Content
+## Sign content shape
-The `SignJwtContent` / `SignCwtContent` types share the same shape:
+`SignJwtContent` accepts the standard, OIDC, OAuth, PoP, delegation, and Lindorm claim families plus:
 ```typescript
 {
-  // Required
-  expires: string | Date;   // "1h", "30m", Date, etc.
-  subject: string;
-  tokenType: string;
+  expires: string | Date;       // required, e.g. "1h", "30m", or a Date
+  subject: string;              // required
+  tokenType: string;            // required, e.g. "access_token"
-  // Optional
   audience?: string[];
-  claims?: Record<string, any>;  // custom claims (CWT supports integer keys >= 900)
+  claims?: Record<string, any>; // arbitrary custom claims
   scope?: string[];
   permissions?: string[];
   roles?: string[];
+  groups?: string[];
+  entitlements?: string[];
   clientId?: string;
   grantType?: string;
   tenantId?: string;
@@ -295,50 +225,82 @@ The `SignJwtContent` / `SignCwtContent` types share the same shape:
   notBefore?: Date;
   authTime?: Date;
   authContextClass?: string;
-  authFactor?: string;
+  authFactor?: string[];
   authMethods?: string[];
   authorizedParty?: string;
   adjustedAccessLevel?: number;
   levelOfAssurance?: number;
   sessionHint?: string;
   subjectHint?: string;
+  // …plus the rest of the StdClaims / OidcClaims / DelegationClaims surface
 }
 ```
-## Verify Options
+## Verify options
-All fields are optional and support `PredicateOperator` for flexible matching:
+`VerifyJwtOptions` extends the claim matcher set. Each field accepts either a literal value or a `PredicateOperator` for flexible matching:
 ```typescript
-kit.verify(token, {
-  audience: "https://api.example.com", // exact match
+await aegis.jwt.verify(token, {
+  audience: "https://api.example.com",
   scope: ["read", "write"], // array contains
-  tokenType: { $eq: "access_token" }, // predicate operator
-  subject: { $in: ["user-1", "user-2"] }, // set membership
-  levelOfAssurance: { $gte: 2 }, // numeric comparison
+  tokenType: "access_token",
+  subject: { $in: ["user-1", "user-2"] },
+  levelOfAssurance: { $gte: 2 },
+  authTime: { $gte: new Date("2024-01-01") },
 });
 ```
+Additional verify options:
+- `actor` — controls token-delegation (`act`) chain enforcement
+- `dpopProof` — when present, the verifier requires a `cnf.jkt` binding and validates the supplied DPoP proof
+- `trustBoundThumbprint` — when `true`, allow a bound token without an inline DPoP proof (for cases where the binding is enforced out-of-band)
+## Type guards
+```typescript
+import { isParsedJwt, isParsedJws } from "@lindorm/aegis";
+const parsed = await aegis.verify(token);
+if (isParsedJwt(parsed)) {
+  /* parsed.payload typed as ParsedJwtPayload */
+}
+if (isParsedJws(parsed)) {
+  /* parsed.payload typed as Buffer | string */
+}
+```
 ## Errors
 ```typescript
 import {
-  AegisError, // base error
+  AegisError, // base class
   JwtError,
   JwsError,
   JweError,
-  CwtError,
-  CoseSignError,
-  CoseEncryptError,
 } from "@lindorm/aegis";
 ```
+## Security notes
+- Signature/decryption keys are always sourced from the supplied `IAmphora`. The `jku`, `jwk`, `x5u`, `x5c`, `x5t`, and `x5t#S256` JOSE header parameters are never trusted as key sources during verification — only `kid` is used as a lookup key into Amphora.
+- JWE payload compression (`zip` header) is rejected outright.
+- Critical header parameters are enforced per RFC 7515 §4.1.11; unknown `crit` entries cause verification to fail.
+- DPoP-bound tokens (`cnf.jkt`) require either a matching DPoP proof or `trustBoundThumbprint: true` on verify.
 ## Testing
+The package ships pre-built mock factories for both Jest and Vitest. Import from the runner-specific subpath:
 ```typescript
-import { createMockAegis } from "@lindorm/aegis";
+// Jest
+import { createMockAegis } from "@lindorm/aegis/mocks/jest";
+// Vitest
+import { createMockAegis } from "@lindorm/aegis/mocks/vitest";
-const aegis = createMockAegis(); // fully mocked IAegis with jest.fn() stubs
+const aegis = createMockAegis(); // fully mocked IAegis
 ```
 ## License

package/__tests__/jwe-interop.test.ts CHANGED Viewed

@@ -1,7 +1,8 @@
 import { KryptosKit } from "@lindorm/kryptos";
-import { createMockLogger } from "@lindorm/logger";
+import { createMockLogger } from "@lindorm/logger/mocks/vitest";
 import { CompactEncrypt, compactDecrypt, importJWK } from "jose";
-import { JweKit } from "../src/classes/JweKit";
+import { JweKit } from "../src/classes/JweKit.js";
+import { describe, expect, test } from "vitest";
 // ---------------------------------------------------------------------------
 // Shared constants

package/__tests__/jwt-interop.test.ts CHANGED Viewed

@@ -1,12 +1,9 @@
 import { KryptosKit } from "@lindorm/kryptos";
-import { createMockLogger } from "@lindorm/logger";
+import { createMockLogger } from "@lindorm/logger/mocks/vitest";
 import { importJWK, jwtVerify, SignJWT } from "jose";
-import type { JwtPayload } from "jsonwebtoken";
-import { createRequire } from "module";
-import { JwtKit } from "../src/classes/JwtKit";
-const require = createRequire(import.meta.url);
-const jsonwebtoken = require("jsonwebtoken") as typeof import("jsonwebtoken");
+import jsonwebtoken, { type JwtPayload } from "jsonwebtoken";
+import { JwtKit } from "../src/classes/JwtKit.js";
+import { describe, expect, test } from "vitest";
 // ---------------------------------------------------------------------------
 // Shared constants

package/dist/classes/Aegis.d.ts CHANGED Viewed

@@ -1,8 +1,8 @@
-import { Dict } from "@lindorm/types";
-import { IAegis, IAegisAes, IAegisJwe, IAegisJws, IAegisJwt } from "../interfaces";
-import { AegisIntrospection, AegisOptions, AegisUserinfo, DecodedJwe, DecodedJws, DecodedJwt, ParsedJws, ParsedJwt, TokenHeaderClaims, ValidateJwtOptions, VerifyJwtOptions } from "../types";
-import { IntrospectClaimsInput } from "../internal/utils/parse-introspection";
-import { UserinfoClaimsInput } from "../internal/utils/parse-userinfo";
+import type { Dict } from "@lindorm/types";
+import type { IAegis, IAegisAes, IAegisJwe, IAegisJws, IAegisJwt } from "../interfaces/index.js";
+import type { AegisIntrospection, AegisOptions, AegisUserinfo, DecodedJwe, DecodedJws, DecodedJwt, ParsedJws, ParsedJwt, TokenHeaderClaims, ValidateJwtOptions, VerifyJwtOptions } from "../types/index.js";
+import { type IntrospectClaimsInput } from "../internal/utils/parse-introspection.js";
+import { type UserinfoClaimsInput } from "../internal/utils/parse-userinfo.js";
 export declare class Aegis implements IAegis {
     readonly issuer: string | null;
     private readonly amphora;

package/dist/classes/Aegis.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"Aegis.d.ts","sourceRoot":"","sources":["../../src/classes/Aegis.ts"],"names":[],"mappings":"AAgBA,OAAO,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;~~AAEtC~~,OAAO,~~EAAE~~,MAAM,~~EAAE~~,SAAS,~~EAAE~~,SAAS,~~EAAE~~,SAAS,~~EAAE~~,SAAS,~~EAAE~~,MAAM,~~eAAe~~,CAAC;~~AACnF~~,OAAO,~~EACL~~,kBAAkB,EAClB,YAAY,EAEZ,aAAa,EAEb,UAAU,EACV,UAAU,EACV,UAAU,EAKV,SAAS,EACT,SAAS,EAMT,iBAAiB,EACjB,kBAAkB,EAClB,gBAAgB,EACjB,MAAM,~~UAAU~~,CAAC;~~AAIlB~~,OAAO,EACL,qBAAqB,~~EAEtB~~,MAAM,~~uCAAuC~~,CAAC;~~AAC/C~~,OAAO,~~EAAiB~~,mBAAmB,~~EAAE~~,MAAM,~~kCAAkC~~,CAAC;~~AAqBtF~~,qBAAa,KAAM,YAAW,MAAM;IAClC,SAAgB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IAEtC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAW;IACnC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAkB;IAClD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAqB;IACjD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAkC;IAC/D,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAoB;IAC/C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAU;IACjC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAkC;gBAE5C,OAAO,EAAE,YAAY;IAaxC,IAAW,GAAG,IAAI,SAAS,CAK1B;IAED,IAAW,GAAG,IAAI,SAAS,CAK1B;IAED,IAAW,GAAG,IAAI,SAAS,CAK1B;IAED,IAAW,GAAG,IAAI,SAAS,CAK1B;IAEY,MAAM,CAAC,CAAC,SAAS,SAAS,GAAG,SAAS,CAAC,GAAG,CAAC,EACtD,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,CAAC,CAAC;WAgBC,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,iBAAiB;WAKxC,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;WAI3B,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;WAI3B,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;WAI3B,MAAM,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,GAAG,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,CAAC;WAaxE,KAAK,CAAC,CAAC,SAAS,SAAS,GAAG,SAAS,CAAC,GAAG,CAAC,EAAE,KAAK,EAAE,MAAM,GAAG,CAAC;WAU7D,aAAa,CAAC,IAAI,EAAE,mBAAmB,GAAG,aAAa;WAIvD,kBAAkB,CAAC,IAAI,EAAE,qBAAqB,GAAG,kBAAkB;WAYnE,cAAc,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,kBAAkB,GAAG,IAAI;YAOhE,MAAM;YAMN,UAAU;YASV,UAAU;YAeV,MAAM;YAWN,UAAU;YASV,UAAU;YAaV,MAAM;YAUN,OAAO;YASP,SAAS;YAaT,MAAM;YAaN,OAAO;YASP,SAAS;YAgBT,UAAU;YA+BV,UAAU;CAgCzB"}
1	+ {"version":3,"file":"Aegis.d.ts","sourceRoot":"","sources":["../../src/classes/Aegis.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAE3C,OAAO,KAAK,EACV,MAAM,EACN,SAAS,EACT,SAAS,EACT,SAAS,EACT,SAAS,EACV,MAAM,wBAAwB,CAAC;AAChC,OAAO,KAAK,EACV,kBAAkB,EAClB,YAAY,EAEZ,aAAa,EAEb,UAAU,EACV,UAAU,EACV,UAAU,EAKV,SAAS,EACT,SAAS,EAMT,iBAAiB,EACjB,kBAAkB,EAClB,gBAAgB,EACjB,MAAM,mBAAmB,CAAC;AAI3B,OAAO,EACL,KAAK,qBAAqB,EAE3B,MAAM,0CAA0C,CAAC;AAClD,OAAO,EAEL,KAAK,mBAAmB,EACzB,MAAM,qCAAqC,CAAC;AAqB7C,qBAAa,KAAM,YAAW,MAAM;IAClC,SAAgB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IAEtC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAW;IACnC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAkB;IAClD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAqB;IACjD,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAkC;IAC/D,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAoB;IAC/C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAU;IACjC,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAkC;gBAE5C,OAAO,EAAE,YAAY;IAaxC,IAAW,GAAG,IAAI,SAAS,CAK1B;IAED,IAAW,GAAG,IAAI,SAAS,CAK1B;IAED,IAAW,GAAG,IAAI,SAAS,CAK1B;IAED,IAAW,GAAG,IAAI,SAAS,CAK1B;IAEY,MAAM,CAAC,CAAC,SAAS,SAAS,GAAG,SAAS,CAAC,GAAG,CAAC,EACtD,KAAK,EAAE,MAAM,EACb,OAAO,CAAC,EAAE,gBAAgB,GACzB,OAAO,CAAC,CAAC,CAAC;WAgBC,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,iBAAiB;WAKxC,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;WAI3B,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;WAI3B,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;WAI3B,MAAM,CAAC,CAAC,SAAS,UAAU,GAAG,UAAU,GAAG,UAAU,EAAE,KAAK,EAAE,MAAM,GAAG,CAAC;WAaxE,KAAK,CAAC,CAAC,SAAS,SAAS,GAAG,SAAS,CAAC,GAAG,CAAC,EAAE,KAAK,EAAE,MAAM,GAAG,CAAC;WAU7D,aAAa,CAAC,IAAI,EAAE,mBAAmB,GAAG,aAAa;WAIvD,kBAAkB,CAAC,IAAI,EAAE,qBAAqB,GAAG,kBAAkB;WAYnE,cAAc,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,EAAE,kBAAkB,GAAG,IAAI;YAOhE,MAAM;YAMN,UAAU;YASV,UAAU;YAeV,MAAM;YAWN,UAAU;YASV,UAAU;YAaV,MAAM;YAUN,OAAO;YASP,SAAS;YAaT,MAAM;YAaN,OAAO;YASP,SAAS;YAgBT,UAAU;YA+BV,UAAU;CAgCzB"}