@nuggetslife/vc 0.0.21 → 0.0.24

package/test-data/golden/inputDocument-minimal.json

@@ -0,0 +1,17 @@
+{
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1",
+    "https://w3id.org/citizenship/v1",
+    "https://w3id.org/security/bbs/v1"
+  ],
+  "id": "https://issuer.example.com/credentials/minimal-001",
+  "type": ["VerifiableCredential", "PermanentResidentCard"],
+  "issuer": "did:example:489398593",
+  "issuanceDate": "2024-01-15T10:00:00Z",
+  "credentialSubject": {
+    "id": "did:example:user123",
+    "type": ["PermanentResident", "Person"],
+    "givenName": "Alice",
+    "familyName": "Johnson"
+  }
+}

package/test-data/golden/inputDocument-rich.json

@@ -0,0 +1,29 @@
+{
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1",
+    "https://w3id.org/citizenship/v1",
+    "https://w3id.org/security/bbs/v1"
+  ],
+  "id": "https://issuer.example.com/credentials/rich-001",
+  "type": ["VerifiableCredential", "PermanentResidentCard"],
+  "issuer": "did:example:489398593",
+  "identifier": "RICH-001",
+  "name": "Extended Resident Card",
+  "description": "Credential with many fields to test BBS+ signatures over larger statement counts.",
+  "issuanceDate": "2023-06-20T08:30:00Z",
+  "expirationDate": "2033-06-20T08:30:00Z",
+  "credentialSubject": {
+    "id": "did:example:user456",
+    "type": ["PermanentResident", "Person"],
+    "givenName": "Robert",
+    "familyName": "Williams",
+    "gender": "Male",
+    "image": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg==",
+    "residentSince": "2018-03-15",
+    "lprCategory": "C12",
+    "lprNumber": "888-777-666",
+    "commuterClassification": "C2",
+    "birthCountry": "Canada",
+    "birthDate": "1985-11-23"
+  }
+}

package/test-data/golden/mattrglobal-derived-prc.json

@@ -0,0 +1,36 @@
+{
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1",
+    "https://w3id.org/citizenship/v1",
+    "https://w3id.org/security/bbs/v1"
+  ],
+  "id": "https://issuer.oidp.uscis.gov/credentials/83627465",
+  "type": [
+    "PermanentResidentCard",
+    "VerifiableCredential"
+  ],
+  "description": "Government of Example Permanent Resident Card.",
+  "identifier": "83627465",
+  "name": "Permanent Resident Card",
+  "credentialSubject": {
+    "id": "did:example:b34ca6cd37bbf23",
+    "type": [
+      "Person",
+      "PermanentResident"
+    ],
+    "familyName": "SMITH",
+    "gender": "Male",
+    "givenName": "JOHN"
+  },
+  "expirationDate": "2029-12-03T12:19:52Z",
+  "issuanceDate": "2019-12-03T12:19:52Z",
+  "issuer": "did:example:489398593",
+  "proof": {
+    "type": "BbsBlsSignatureProof2020",
+    "created": "2026-02-24T18:31:50Z",
+    "nonce": "Mb2PKdz8oLnBh2DaIYDN2qp0B/BzqlZ0bomtWLnPkCuUX+LOLozA67gzRX8IFW+prJ4=",
+    "proofPurpose": "assertionMethod",
+    "proofValue": "ABkB/wbvlXznxDJB6mUBWnQAVCFn1BOG3oGhhrmH4CkfgHwIko6cE2ib8BSnHoIgsvxJbf8ql85AoX28XZNkogIRP9k1rvTS0TN1OBMx20q0+4FQX/jhGs7tVgXoeDJsTIe/kFtOhpoixTV0hNpMpwR3/zF+npQFipsk3Awc0v0Ne/Xc5ExLytwpS+UdtYnCBZWbgTAfAAAAdK8ARGBjzOUY0MsGvW37vMsegFaUHN8iu+vjk/RSzcb45sCwzA3I/dZIfonaPMKmBQAAAAIdxKYEnrgvyA3UPoQR6yAx9mBquPkFq8y9EnMloOj6eVi3eLIrFfaChASa2INbf43O09CGGXcC7ocGmG6GEg8GrgHAIPHm7ecOwUFEhJT8CC5j7t2z4MFrltfk1xW+PD+gsZ4WSjuTuqhHOBJNWXMcAAAACT/T2kIOroFI9tWJrprwQ+NK9W59cgn7V6UV/ynxlhBnDvFcCd7hYv5yDUuQuz9AiSxEveiMViWkHTBDFZ/Z/LhKYHOGGCKG9CJ9OVstwzzfe1jpfTYy4ZnLuuoJCSvcOm72DGumCHr2JVolSYEv5WKxXbN4MY46zL7hLBY6p88zXi7wzo8Odj+jMcptD0vLsKv0FjdSRK4XVXW2FEIy4IASrRFPuZo0Pb30wG3MzFnq7c17sSLUz/2EA929J2YxfmzulFTvsJm4LfwCJ7VA0iY6Suq1qBVy+fJnFMlqDwGoBl4izvhq9J9jBFVysZBdKlK4rwJtj0WqY75lnCPT/30ap7eC0YNnULtSHn3aYNF2JlO8wyu8zDODuXvRF2i5Kw==",
+    "verificationMethod": "did:example:489398593#test"
+  }
+}

package/test-data/golden/mattrglobal-signed-minimal.json

@@ -0,0 +1,30 @@
+{
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1",
+    "https://w3id.org/citizenship/v1",
+    "https://w3id.org/security/bbs/v1"
+  ],
+  "id": "https://issuer.example.com/credentials/minimal-001",
+  "type": [
+    "VerifiableCredential",
+    "PermanentResidentCard"
+  ],
+  "issuer": "did:example:489398593",
+  "issuanceDate": "2024-01-15T10:00:00Z",
+  "credentialSubject": {
+    "id": "did:example:user123",
+    "type": [
+      "PermanentResident",
+      "Person"
+    ],
+    "givenName": "Alice",
+    "familyName": "Johnson"
+  },
+  "proof": {
+    "type": "BbsBlsSignature2020",
+    "created": "2026-02-24T18:31:50Z",
+    "proofPurpose": "assertionMethod",
+    "proofValue": "h9O11RGxkmaZQhOZQQRkuy0mGJ+1krOlSO9UMAc1zQf8O7wv2Fi3Ev8UMZxmX2Q4MKVg9X44OT7IyqxonIH7xLuNJjBkG7KYma9urLMBCo4x5JoTWPaG1p7URXapIpy1ng+avITVXJin9XQoxPxyNA==",
+    "verificationMethod": "did:example:489398593#test"
+  }
+}

package/test-data/golden/mattrglobal-signed-prc.json

@@ -0,0 +1,42 @@
+{
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1",
+    "https://w3id.org/citizenship/v1",
+    "https://w3id.org/security/bbs/v1"
+  ],
+  "id": "https://issuer.oidp.uscis.gov/credentials/83627465",
+  "type": [
+    "VerifiableCredential",
+    "PermanentResidentCard"
+  ],
+  "issuer": "did:example:489398593",
+  "identifier": "83627465",
+  "name": "Permanent Resident Card",
+  "description": "Government of Example Permanent Resident Card.",
+  "issuanceDate": "2019-12-03T12:19:52Z",
+  "expirationDate": "2029-12-03T12:19:52Z",
+  "credentialSubject": {
+    "id": "did:example:b34ca6cd37bbf23",
+    "type": [
+      "PermanentResident",
+      "Person"
+    ],
+    "givenName": "JOHN",
+    "familyName": "SMITH",
+    "gender": "Male",
+    "image": "data:image/png;base64,iVBORw0KGgokJggg==",
+    "residentSince": "2015-01-01",
+    "lprCategory": "C09",
+    "lprNumber": "999-999-999",
+    "commuterClassification": "C1",
+    "birthCountry": "Bahamas",
+    "birthDate": "1958-07-17"
+  },
+  "proof": {
+    "type": "BbsBlsSignature2020",
+    "created": "2026-02-24T18:31:50Z",
+    "proofPurpose": "assertionMethod",
+    "proofValue": "lvx5LJssQ6BVqMX3931+8EApBMmkYwydWl7xUeNBMnVNZSamwHmS5WLlqicauVofYUHlKfzccE4m7waZyoLEkBLFiK2g54Q2i+CdtYBgDdkUDsoULSBMcH1MwGHwdjfXpldFNFrHFx/IAvLVniyeMQ==",
+    "verificationMethod": "did:example:489398593#test"
+  }
+}

package/test-data/golden/mattrglobal-signed-rich.json

@@ -0,0 +1,42 @@
+{
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1",
+    "https://w3id.org/citizenship/v1",
+    "https://w3id.org/security/bbs/v1"
+  ],
+  "id": "https://issuer.example.com/credentials/rich-001",
+  "type": [
+    "VerifiableCredential",
+    "PermanentResidentCard"
+  ],
+  "issuer": "did:example:489398593",
+  "identifier": "RICH-001",
+  "name": "Extended Resident Card",
+  "description": "Credential with many fields to test BBS+ signatures over larger statement counts.",
+  "issuanceDate": "2023-06-20T08:30:00Z",
+  "expirationDate": "2033-06-20T08:30:00Z",
+  "credentialSubject": {
+    "id": "did:example:user456",
+    "type": [
+      "PermanentResident",
+      "Person"
+    ],
+    "givenName": "Robert",
+    "familyName": "Williams",
+    "gender": "Male",
+    "image": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg==",
+    "residentSince": "2018-03-15",
+    "lprCategory": "C12",
+    "lprNumber": "888-777-666",
+    "commuterClassification": "C2",
+    "birthCountry": "Canada",
+    "birthDate": "1985-11-23"
+  },
+  "proof": {
+    "type": "BbsBlsSignature2020",
+    "created": "2026-02-24T18:31:50Z",
+    "proofPurpose": "assertionMethod",
+    "proofValue": "h9Ax+SZHQsWCv0rXIFglLNAIJSNXF8yp7+MC+tlZsSzp2CWFPhRv8/dkgLTt9DRdBZv2+0Ch0WCIYewp/jE2bGDy4XALHFGj8hM5lW5hB4kio0Kglkol4OlKw+eZ8ujstHAB9XhFu7/XwAcKOB02TQ==",
+    "verificationMethod": "did:example:489398593#test"
+  }
+}

package/test.mjs

@@ -240,6 +240,44 @@ test('full demo_single flow: sign → verify → derive → verify derived', asy
     assert.equal(derivedVerifyResult.verified, true, `derived verify failed: ${derivedVerifyResult.error}`);
 });
 
+test('demo_multi flow: sign twice → verify → derive → verify derived', async () => {
+    // Step 1: First sign
+    const signed = await ldSign({
+        document: inputDocument,
+        keyPair,
+        contexts,
+    });
+    assert.ok(signed.proof, 'signed document has proof');
+    assert.ok(!Array.isArray(signed.proof), 'single sign produces a single proof (not array)');
+
+    // Step 2: Second sign (creates multi-proof array)
+    const multiSigned = await ldSign({
+        document: signed,
+        keyPair,
+        contexts,
+    });
+    assert.ok(Array.isArray(multiSigned.proof), 'double sign produces proof array');
+    assert.equal(multiSigned.proof.length, 2, 'proof array has 2 proofs');
+    assert.equal(multiSigned.proof[0].type, 'BbsBlsSignature2020');
+    assert.equal(multiSigned.proof[1].type, 'BbsBlsSignature2020');
+
+    // Step 3: Verify multi-proof document
+    const verifyResult = await ldVerify({ document: multiSigned, contexts });
+    assert.equal(verifyResult.verified, true, `multi-proof verify failed: ${verifyResult.error}`);
+
+    // Step 4: Derive selective disclosure from multi-proof document
+    const derived = await ldDeriveProof({
+        document: multiSigned,
+        revealDocument,
+        contexts,
+    });
+    assert.ok(derived.proof, 'derived document has proof');
+
+    // Step 5: Verify derived proof
+    const derivedVerifyResult = await ldVerify({ document: derived, contexts });
+    assert.equal(derivedVerifyResult.verified, true, `multi-proof derived verify failed: ${derivedVerifyResult.error}`);
+});
+
 
 //
 // BbsBlsSignature2020 class-based API tests

package/test_backward_compat.mjs

@@ -0,0 +1,287 @@
+// Backward compatibility tests: verify that VCs signed by the old @mattrglobal
+// library still verify correctly with the new NAPI implementation.
+//
+// These tests use static "golden file" fixtures generated by
+// generate_golden_files.mjs using @mattrglobal/jsonld-signatures-bbs.
+// The golden files represent VCs that may already exist in user wallets.
+//
+// Key findings:
+// - BbsBlsSignature2020 (original signed VCs) are fully cross-compatible
+// - BbsBlsSignatureProof2020 (derived proofs) are NOT cross-compatible between
+//   implementations, but this is acceptable because derived proofs are generated
+//   on-the-fly for presentations and never stored in wallets. The critical path
+//   is: load wallet VC → derive new proof with current implementation → verify.
+//
+// Run: cd vc/js && node test_backward_compat.mjs
+
+import test from 'node:test';
+import assert from 'node:assert';
+import { readFileSync } from 'node:fs';
+import { resolve, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { createRequire } from 'node:module';
+
+// NAPI binding (new implementation)
+import { ldVerify, ldDeriveProof } from './index.js';
+
+// @mattrglobal library (old implementation) — for generation verification
+const require = createRequire(import.meta.url);
+const { BbsBlsSignature2020 } = require('@mattrglobal/jsonld-signatures-bbs');
+const { verify: mattrVerify, purposes, extendContextLoader } = require('jsonld-signatures');
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const dataDir = resolve(__dirname, 'test-data');
+const goldenDir = resolve(dataDir, 'golden');
+
+const loadJson = (name) => JSON.parse(readFileSync(resolve(dataDir, name), 'utf8'));
+const loadGolden = (name) => JSON.parse(readFileSync(resolve(goldenDir, name), 'utf8'));
+
+// Load context files
+const keyPair = loadJson('keyPair.json');
+const controllerDocument = loadJson('controllerDocument.json');
+const citizenVocab = loadJson('citizenVocab.json');
+const bbsContext = loadJson('bbs.json');
+const credentialsContext = loadJson('credentialsContext.json');
+const suiteContext = loadJson('suiteContext.json');
+const revealDocument = loadJson('deriveProofFrame.json');
+
+// NAPI contexts map
+const napiContexts = {
+    "did:example:489398593#test": keyPair,
+    "did:example:489398593": controllerDocument,
+    "https://w3id.org/citizenship/v1": citizenVocab,
+    "https://w3id.org/security/bbs/v1": bbsContext,
+    "https://www.w3.org/2018/credentials/v1": credentialsContext,
+    "https://w3id.org/security/suites/jws-2020/v1": suiteContext,
+};
+
+// @mattrglobal document loader
+const customDocLoader = (url) => {
+    const context = napiContexts[url];
+    if (context) return { contextUrl: null, document: context, documentUrl: url };
+    throw new Error(`Attempted to remote load context: '${url}'`);
+};
+const documentLoader = extendContextLoader(customDocLoader);
+
+// Load golden files (signed by @mattrglobal)
+const signedPRC = loadGolden('mattrglobal-signed-prc.json');
+const signedMinimal = loadGolden('mattrglobal-signed-minimal.json');
+const signedRich = loadGolden('mattrglobal-signed-rich.json');
+
+
+//
+// Wallet VC verification — the critical path
+// VCs in user wallets have BbsBlsSignature2020 proofs signed by the old library.
+// The new NAPI implementation must verify these without re-signing.
+//
+
+test('wallet-compat: NAPI ldVerify accepts @mattrglobal-signed VC', async () => {
+    const result = await ldVerify({
+        document: signedPRC,
+        contexts: napiContexts,
+    });
+
+    assert.equal(result.verified, true,
+        `NAPI ldVerify failed on @mattrglobal-signed VC: ${result.error || 'unknown error'}`);
+});
+
+test('wallet-compat: @mattrglobal verifies its own golden-file VC', async () => {
+    const result = await mattrVerify(signedPRC, {
+        suite: new BbsBlsSignature2020(),
+        purpose: new purposes.AssertionProofPurpose(),
+        documentLoader,
+    });
+
+    assert.equal(result.verified, true,
+        `@mattrglobal verify failed on its own golden-file VC: ${JSON.stringify(result.error)}`);
+});
+
+
+//
+// Selective disclosure — the real-world flow for wallet VCs:
+// 1. Load signed VC from wallet (signed by old library)
+// 2. Derive a proof using the current (NAPI) implementation
+// 3. Verify the derived proof using the current (NAPI) implementation
+//
+
+test('wallet-compat: NAPI ldDeriveProof works on @mattrglobal-signed VC', async () => {
+    const derived = await ldDeriveProof({
+        document: signedPRC,
+        revealDocument,
+        contexts: napiContexts,
+    });
+
+    assert.ok(derived, 'ldDeriveProof returned a result');
+    assert.ok(derived.proof, 'derived document has a proof');
+    assert.equal(derived.proof.type, 'BbsBlsSignatureProof2020');
+
+    // Verify selective disclosure: only requested fields present
+    assert.equal(derived.credentialSubject.givenName, 'JOHN');
+    assert.equal(derived.credentialSubject.familyName, 'SMITH');
+    assert.equal(derived.credentialSubject.gender, 'Male');
+    assert.equal(derived.credentialSubject.birthDate, undefined, 'birthDate should be hidden');
+    assert.equal(derived.credentialSubject.lprNumber, undefined, 'lprNumber should be hidden');
+});
+
+test('wallet-compat: NAPI verifies its own derived proof from @mattrglobal-signed VC', async () => {
+    const derived = await ldDeriveProof({
+        document: signedPRC,
+        revealDocument,
+        contexts: napiContexts,
+    });
+
+    const result = await ldVerify({
+        document: derived,
+        contexts: napiContexts,
+    });
+
+    assert.equal(result.verified, true,
+        `NAPI ldVerify failed on NAPI-derived proof: ${result.error || 'unknown error'}`);
+});
+
+
+//
+// Tamper detection — NAPI must reject modified @mattrglobal-signed VCs
+//
+
+test('wallet-compat: NAPI rejects tampered @mattrglobal-signed VC', async () => {
+    const tampered = JSON.parse(JSON.stringify(signedPRC));
+    tampered.credentialSubject.givenName = 'TAMPERED';
+
+    const result = await ldVerify({
+        document: tampered,
+        contexts: napiContexts,
+    });
+
+    assert.equal(result.verified, false, 'tampered VC should not verify');
+});
+
+test('wallet-compat: NAPI rejects @mattrglobal-signed VC with altered proof', async () => {
+    const altered = JSON.parse(JSON.stringify(signedPRC));
+    // Flip a character in the proof value
+    altered.proof.proofValue = 'X' + altered.proof.proofValue.slice(1);
+
+    // The Rust BBS crate may panic on malformed proof data rather than returning
+    // verified: false. Both behaviors correctly reject the tampered proof.
+    try {
+        const result = await ldVerify({
+            document: altered,
+            contexts: napiContexts,
+        });
+        assert.equal(result.verified, false, 'altered proof should not verify');
+    } catch (err) {
+        // Panic or error thrown — proof was rejected, which is the correct behavior
+        assert.ok(true, `proof correctly rejected with error: ${err.message}`);
+    }
+});
+
+
+//
+// Multiple selective disclosure frames — verify different field combinations
+// work when deriving from an @mattrglobal-signed VC
+//
+
+test('wallet-compat: derive minimal proof (type only) from @mattrglobal-signed VC', async () => {
+    const minimalFrame = {
+        "@context": signedPRC["@context"],
+        "type": ["VerifiableCredential", "PermanentResidentCard"],
+        "credentialSubject": {
+            "@explicit": true,
+            "type": ["PermanentResident", "Person"],
+        }
+    };
+
+    const derived = await ldDeriveProof({
+        document: signedPRC,
+        revealDocument: minimalFrame,
+        contexts: napiContexts,
+    });
+
+    assert.ok(derived.proof, 'derived document has a proof');
+    assert.equal(derived.proof.type, 'BbsBlsSignatureProof2020');
+    // Only type should be present, no PII fields
+    assert.equal(derived.credentialSubject.givenName, undefined);
+    assert.equal(derived.credentialSubject.familyName, undefined);
+
+    // Verify the minimal derived proof
+    const result = await ldVerify({ document: derived, contexts: napiContexts });
+    assert.equal(result.verified, true,
+        `minimal derived proof failed verification: ${result.error || 'unknown error'}`);
+});
+
+
+//
+// VC variant tests — different field counts exercise different BBS+ statement counts.
+// BBS+ signatures encode each field as a separate "message" (statement). Verifying
+// VCs with different field counts ensures the NAPI implementation handles varying
+// statement counts correctly, matching the old library's behavior.
+//
+
+test('variant: NAPI ldVerify accepts @mattrglobal-signed minimal VC (few fields)', async () => {
+    const result = await ldVerify({
+        document: signedMinimal,
+        contexts: napiContexts,
+    });
+
+    assert.equal(result.verified, true,
+        `NAPI ldVerify failed on minimal VC: ${result.error || 'unknown error'}`);
+});
+
+test('variant: NAPI ldVerify accepts @mattrglobal-signed rich VC (many fields)', async () => {
+    const result = await ldVerify({
+        document: signedRich,
+        contexts: napiContexts,
+    });
+
+    assert.equal(result.verified, true,
+        `NAPI ldVerify failed on rich VC: ${result.error || 'unknown error'}`);
+});
+
+test('variant: NAPI ldDeriveProof + ldVerify on minimal VC', async () => {
+    // Minimal VC only has givenName and familyName — derive with type-only frame
+    const minimalFrame = {
+        "@context": signedMinimal["@context"],
+        "type": ["VerifiableCredential", "PermanentResidentCard"],
+        "credentialSubject": {
+            "@explicit": true,
+            "type": ["PermanentResident", "Person"],
+            "givenName": {},
+        }
+    };
+
+    const derived = await ldDeriveProof({
+        document: signedMinimal,
+        revealDocument: minimalFrame,
+        contexts: napiContexts,
+    });
+
+    assert.ok(derived.proof, 'derived document has a proof');
+    assert.equal(derived.credentialSubject.givenName, 'Alice');
+    assert.equal(derived.credentialSubject.familyName, undefined, 'familyName should be hidden');
+
+    const result = await ldVerify({ document: derived, contexts: napiContexts });
+    assert.equal(result.verified, true,
+        `minimal VC derived proof failed: ${result.error || 'unknown error'}`);
+});
+
+test('variant: NAPI ldDeriveProof + ldVerify on rich VC', async () => {
+    // Rich VC has many fields — derive revealing only a few
+    const derived = await ldDeriveProof({
+        document: signedRich,
+        revealDocument,
+        contexts: napiContexts,
+    });
+
+    assert.ok(derived.proof, 'derived document has a proof');
+    assert.equal(derived.credentialSubject.givenName, 'Robert');
+    assert.equal(derived.credentialSubject.familyName, 'Williams');
+    assert.equal(derived.credentialSubject.gender, 'Male');
+    // Fields not in reveal frame should be hidden
+    assert.equal(derived.credentialSubject.birthDate, undefined, 'birthDate should be hidden');
+    assert.equal(derived.credentialSubject.lprNumber, undefined, 'lprNumber should be hidden');
+    assert.equal(derived.credentialSubject.birthCountry, undefined, 'birthCountry should be hidden');
+
+    const result = await ldVerify({ document: derived, contexts: napiContexts });
+    assert.equal(result.verified, true,
+        `rich VC derived proof failed: ${result.error || 'unknown error'}`);
+});