npm - @nuggetslife/vc - Versions diffs - 0.0.23 → 0.0.24 - Mend

@nuggetslife/vc 0.0.23 → 0.0.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/generate_golden_files.mjs +181 -0
package/index.d.ts +40 -0
package/index.js +12 -1
package/package.json +7 -7
package/src/bbs_2023.rs +71 -0
package/src/bbs_ietf.rs +255 -0
package/src/lib.rs +3 -0
package/src/sd_jwt.rs +133 -0
package/test-data/golden/inputDocument-minimal.json +17 -0
package/test-data/golden/inputDocument-rich.json +29 -0
package/test-data/golden/mattrglobal-derived-prc.json +36 -0
package/test-data/golden/mattrglobal-signed-minimal.json +30 -0
package/test-data/golden/mattrglobal-signed-prc.json +42 -0
package/test-data/golden/mattrglobal-signed-rich.json +42 -0
package/test_backward_compat.mjs +287 -0
package/test_bbs_2023.mjs +195 -0
package/test_bbs_ietf.mjs +168 -0
package/test_sd_jwt.mjs +197 -0

package/src/sd_jwt.rs ADDED Viewed

@@ -0,0 +1,133 @@
+use serde_json::Value;
+use vc::sd_jwt::holder::sd_jwt_present;
+use vc::sd_jwt::issuer::sd_jwt_issue;
+use vc::sd_jwt::verifier::sd_jwt_verify;
+// ---------------------------------------------------------------------------
+// Result types
+// ---------------------------------------------------------------------------
+#[napi(object)]
+pub struct SdJwtDisclosure {
+    pub salt: String,
+    pub claim_name: String,
+    pub claim_value: Value,
+    pub encoded: String,
+    pub digest: String,
+}
+#[napi(object)]
+pub struct SdJwtIssueOutput {
+    pub sd_jwt: String,
+    pub disclosures: Vec<SdJwtDisclosure>,
+}
+#[napi(object)]
+pub struct SdJwtPresentOutput {
+    pub presentation: String,
+}
+#[napi(object)]
+pub struct SdJwtVerifyOutput {
+    pub verified: bool,
+    pub claims: Value,
+    pub error: Option<String>,
+}
+// ---------------------------------------------------------------------------
+// SD-JWT Issue
+// ---------------------------------------------------------------------------
+#[napi(js_name = "sdJwtIssue")]
+pub fn sd_jwt_issue_napi(
+    claims: Value,
+    disclosable: Vec<String>,
+    jwk: Value,
+    alg: String,
+    holder_jwk: Option<Value>,
+    decoy_count: Option<u32>,
+) -> napi::Result<SdJwtIssueOutput> {
+    let jwk_str = serde_json::to_string(&jwk)
+        .map_err(|e| napi::Error::from_reason(format!("sdJwtIssue serialize jwk: {e}")))?;
+    let result = sd_jwt_issue(
+        claims,
+        disclosable,
+        jwk_str,
+        alg,
+        holder_jwk,
+        decoy_count.unwrap_or(0) as usize,
+    )
+    .map_err(|e| napi::Error::from_reason(format!("sdJwtIssue failed: {e}")))?;
+    Ok(SdJwtIssueOutput {
+        sd_jwt: result.sd_jwt,
+        disclosures: result
+            .disclosures
+            .into_iter()
+            .map(|d| SdJwtDisclosure {
+                salt: d.salt,
+                claim_name: d.claim_name,
+                claim_value: d.claim_value,
+                encoded: d.encoded,
+                digest: d.digest,
+            })
+            .collect(),
+    })
+}
+// ---------------------------------------------------------------------------
+// SD-JWT Present
+// ---------------------------------------------------------------------------
+#[napi(js_name = "sdJwtPresent")]
+pub fn sd_jwt_present_napi(
+    sd_jwt: String,
+    disclosures_to_reveal: Vec<String>,
+    kb_jwk: Option<Value>,
+    kb_alg: Option<String>,
+    audience: Option<String>,
+    nonce: Option<String>,
+) -> napi::Result<SdJwtPresentOutput> {
+    let kb_jwk_str = kb_jwk
+        .map(|v| serde_json::to_string(&v))
+        .transpose()
+        .map_err(|e| napi::Error::from_reason(format!("sdJwtPresent serialize kbJwk: {e}")))?;
+    let result = sd_jwt_present(sd_jwt, disclosures_to_reveal, kb_jwk_str, kb_alg, audience, nonce)
+        .map_err(|e| napi::Error::from_reason(format!("sdJwtPresent failed: {e}")))?;
+    Ok(SdJwtPresentOutput {
+        presentation: result.presentation,
+    })
+}
+// ---------------------------------------------------------------------------
+// SD-JWT Verify
+// ---------------------------------------------------------------------------
+#[napi(js_name = "sdJwtVerify")]
+pub fn sd_jwt_verify_napi(
+    presentation: String,
+    issuer_jwk: Value,
+    holder_jwk: Option<Value>,
+    audience: Option<String>,
+    nonce: Option<String>,
+) -> napi::Result<SdJwtVerifyOutput> {
+    let issuer_jwk_str = serde_json::to_string(&issuer_jwk)
+        .map_err(|e| napi::Error::from_reason(format!("sdJwtVerify serialize issuerJwk: {e}")))?;
+    let holder_jwk_str = holder_jwk
+        .map(|v| serde_json::to_string(&v))
+        .transpose()
+        .map_err(|e| napi::Error::from_reason(format!("sdJwtVerify serialize holderJwk: {e}")))?;
+    let result = sd_jwt_verify(presentation, issuer_jwk_str, holder_jwk_str, audience, nonce)
+        .map_err(|e| napi::Error::from_reason(format!("sdJwtVerify failed: {e}")))?;
+    Ok(SdJwtVerifyOutput {
+        verified: result.verified,
+        claims: result.claims,
+        error: result.error,
+    })
+}

package/test-data/golden/inputDocument-minimal.json ADDED Viewed

@@ -0,0 +1,17 @@
+{
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1",
+    "https://w3id.org/citizenship/v1",
+    "https://w3id.org/security/bbs/v1"
+  ],
+  "id": "https://issuer.example.com/credentials/minimal-001",
+  "type": ["VerifiableCredential", "PermanentResidentCard"],
+  "issuer": "did:example:489398593",
+  "issuanceDate": "2024-01-15T10:00:00Z",
+  "credentialSubject": {
+    "id": "did:example:user123",
+    "type": ["PermanentResident", "Person"],
+    "givenName": "Alice",
+    "familyName": "Johnson"
+  }
+}

package/test-data/golden/inputDocument-rich.json ADDED Viewed

@@ -0,0 +1,29 @@
+{
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1",
+    "https://w3id.org/citizenship/v1",
+    "https://w3id.org/security/bbs/v1"
+  ],
+  "id": "https://issuer.example.com/credentials/rich-001",
+  "type": ["VerifiableCredential", "PermanentResidentCard"],
+  "issuer": "did:example:489398593",
+  "identifier": "RICH-001",
+  "name": "Extended Resident Card",
+  "description": "Credential with many fields to test BBS+ signatures over larger statement counts.",
+  "issuanceDate": "2023-06-20T08:30:00Z",
+  "expirationDate": "2033-06-20T08:30:00Z",
+  "credentialSubject": {
+    "id": "did:example:user456",
+    "type": ["PermanentResident", "Person"],
+    "givenName": "Robert",
+    "familyName": "Williams",
+    "gender": "Male",
+    "image": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg==",
+    "residentSince": "2018-03-15",
+    "lprCategory": "C12",
+    "lprNumber": "888-777-666",
+    "commuterClassification": "C2",
+    "birthCountry": "Canada",
+    "birthDate": "1985-11-23"
+  }
+}

package/test-data/golden/mattrglobal-derived-prc.json ADDED Viewed

@@ -0,0 +1,36 @@
+{
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1",
+    "https://w3id.org/citizenship/v1",
+    "https://w3id.org/security/bbs/v1"
+  ],
+  "id": "https://issuer.oidp.uscis.gov/credentials/83627465",
+  "type": [
+    "PermanentResidentCard",
+    "VerifiableCredential"
+  ],
+  "description": "Government of Example Permanent Resident Card.",
+  "identifier": "83627465",
+  "name": "Permanent Resident Card",
+  "credentialSubject": {
+    "id": "did:example:b34ca6cd37bbf23",
+    "type": [
+      "Person",
+      "PermanentResident"
+    ],
+    "familyName": "SMITH",
+    "gender": "Male",
+    "givenName": "JOHN"
+  },
+  "expirationDate": "2029-12-03T12:19:52Z",
+  "issuanceDate": "2019-12-03T12:19:52Z",
+  "issuer": "did:example:489398593",
+  "proof": {
+    "type": "BbsBlsSignatureProof2020",
+    "created": "2026-02-24T18:31:50Z",
+    "nonce": "Mb2PKdz8oLnBh2DaIYDN2qp0B/BzqlZ0bomtWLnPkCuUX+LOLozA67gzRX8IFW+prJ4=",
+    "proofPurpose": "assertionMethod",
+    "proofValue": "ABkB/wbvlXznxDJB6mUBWnQAVCFn1BOG3oGhhrmH4CkfgHwIko6cE2ib8BSnHoIgsvxJbf8ql85AoX28XZNkogIRP9k1rvTS0TN1OBMx20q0+4FQX/jhGs7tVgXoeDJsTIe/kFtOhpoixTV0hNpMpwR3/zF+npQFipsk3Awc0v0Ne/Xc5ExLytwpS+UdtYnCBZWbgTAfAAAAdK8ARGBjzOUY0MsGvW37vMsegFaUHN8iu+vjk/RSzcb45sCwzA3I/dZIfonaPMKmBQAAAAIdxKYEnrgvyA3UPoQR6yAx9mBquPkFq8y9EnMloOj6eVi3eLIrFfaChASa2INbf43O09CGGXcC7ocGmG6GEg8GrgHAIPHm7ecOwUFEhJT8CC5j7t2z4MFrltfk1xW+PD+gsZ4WSjuTuqhHOBJNWXMcAAAACT/T2kIOroFI9tWJrprwQ+NK9W59cgn7V6UV/ynxlhBnDvFcCd7hYv5yDUuQuz9AiSxEveiMViWkHTBDFZ/Z/LhKYHOGGCKG9CJ9OVstwzzfe1jpfTYy4ZnLuuoJCSvcOm72DGumCHr2JVolSYEv5WKxXbN4MY46zL7hLBY6p88zXi7wzo8Odj+jMcptD0vLsKv0FjdSRK4XVXW2FEIy4IASrRFPuZo0Pb30wG3MzFnq7c17sSLUz/2EA929J2YxfmzulFTvsJm4LfwCJ7VA0iY6Suq1qBVy+fJnFMlqDwGoBl4izvhq9J9jBFVysZBdKlK4rwJtj0WqY75lnCPT/30ap7eC0YNnULtSHn3aYNF2JlO8wyu8zDODuXvRF2i5Kw==",
+    "verificationMethod": "did:example:489398593#test"
+  }
+}

package/test-data/golden/mattrglobal-signed-minimal.json ADDED Viewed

@@ -0,0 +1,30 @@
+{
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1",
+    "https://w3id.org/citizenship/v1",
+    "https://w3id.org/security/bbs/v1"
+  ],
+  "id": "https://issuer.example.com/credentials/minimal-001",
+  "type": [
+    "VerifiableCredential",
+    "PermanentResidentCard"
+  ],
+  "issuer": "did:example:489398593",
+  "issuanceDate": "2024-01-15T10:00:00Z",
+  "credentialSubject": {
+    "id": "did:example:user123",
+    "type": [
+      "PermanentResident",
+      "Person"
+    ],
+    "givenName": "Alice",
+    "familyName": "Johnson"
+  },
+  "proof": {
+    "type": "BbsBlsSignature2020",
+    "created": "2026-02-24T18:31:50Z",
+    "proofPurpose": "assertionMethod",
+    "proofValue": "h9O11RGxkmaZQhOZQQRkuy0mGJ+1krOlSO9UMAc1zQf8O7wv2Fi3Ev8UMZxmX2Q4MKVg9X44OT7IyqxonIH7xLuNJjBkG7KYma9urLMBCo4x5JoTWPaG1p7URXapIpy1ng+avITVXJin9XQoxPxyNA==",
+    "verificationMethod": "did:example:489398593#test"
+  }
+}

package/test-data/golden/mattrglobal-signed-prc.json ADDED Viewed

@@ -0,0 +1,42 @@
+{
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1",
+    "https://w3id.org/citizenship/v1",
+    "https://w3id.org/security/bbs/v1"
+  ],
+  "id": "https://issuer.oidp.uscis.gov/credentials/83627465",
+  "type": [
+    "VerifiableCredential",
+    "PermanentResidentCard"
+  ],
+  "issuer": "did:example:489398593",
+  "identifier": "83627465",
+  "name": "Permanent Resident Card",
+  "description": "Government of Example Permanent Resident Card.",
+  "issuanceDate": "2019-12-03T12:19:52Z",
+  "expirationDate": "2029-12-03T12:19:52Z",
+  "credentialSubject": {
+    "id": "did:example:b34ca6cd37bbf23",
+    "type": [
+      "PermanentResident",
+      "Person"
+    ],
+    "givenName": "JOHN",
+    "familyName": "SMITH",
+    "gender": "Male",
+    "image": "data:image/png;base64,iVBORw0KGgokJggg==",
+    "residentSince": "2015-01-01",
+    "lprCategory": "C09",
+    "lprNumber": "999-999-999",
+    "commuterClassification": "C1",
+    "birthCountry": "Bahamas",
+    "birthDate": "1958-07-17"
+  },
+  "proof": {
+    "type": "BbsBlsSignature2020",
+    "created": "2026-02-24T18:31:50Z",
+    "proofPurpose": "assertionMethod",
+    "proofValue": "lvx5LJssQ6BVqMX3931+8EApBMmkYwydWl7xUeNBMnVNZSamwHmS5WLlqicauVofYUHlKfzccE4m7waZyoLEkBLFiK2g54Q2i+CdtYBgDdkUDsoULSBMcH1MwGHwdjfXpldFNFrHFx/IAvLVniyeMQ==",
+    "verificationMethod": "did:example:489398593#test"
+  }
+}

package/test-data/golden/mattrglobal-signed-rich.json ADDED Viewed

@@ -0,0 +1,42 @@
+{
+  "@context": [
+    "https://www.w3.org/2018/credentials/v1",
+    "https://w3id.org/citizenship/v1",
+    "https://w3id.org/security/bbs/v1"
+  ],
+  "id": "https://issuer.example.com/credentials/rich-001",
+  "type": [
+    "VerifiableCredential",
+    "PermanentResidentCard"
+  ],
+  "issuer": "did:example:489398593",
+  "identifier": "RICH-001",
+  "name": "Extended Resident Card",
+  "description": "Credential with many fields to test BBS+ signatures over larger statement counts.",
+  "issuanceDate": "2023-06-20T08:30:00Z",
+  "expirationDate": "2033-06-20T08:30:00Z",
+  "credentialSubject": {
+    "id": "did:example:user456",
+    "type": [
+      "PermanentResident",
+      "Person"
+    ],
+    "givenName": "Robert",
+    "familyName": "Williams",
+    "gender": "Male",
+    "image": "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg==",
+    "residentSince": "2018-03-15",
+    "lprCategory": "C12",
+    "lprNumber": "888-777-666",
+    "commuterClassification": "C2",
+    "birthCountry": "Canada",
+    "birthDate": "1985-11-23"
+  },
+  "proof": {
+    "type": "BbsBlsSignature2020",
+    "created": "2026-02-24T18:31:50Z",
+    "proofPurpose": "assertionMethod",
+    "proofValue": "h9Ax+SZHQsWCv0rXIFglLNAIJSNXF8yp7+MC+tlZsSzp2CWFPhRv8/dkgLTt9DRdBZv2+0Ch0WCIYewp/jE2bGDy4XALHFGj8hM5lW5hB4kio0Kglkol4OlKw+eZ8ujstHAB9XhFu7/XwAcKOB02TQ==",
+    "verificationMethod": "did:example:489398593#test"
+  }
+}

package/test_backward_compat.mjs ADDED Viewed

@@ -0,0 +1,287 @@
+// Backward compatibility tests: verify that VCs signed by the old @mattrglobal
+// library still verify correctly with the new NAPI implementation.
+//
+// These tests use static "golden file" fixtures generated by
+// generate_golden_files.mjs using @mattrglobal/jsonld-signatures-bbs.
+// The golden files represent VCs that may already exist in user wallets.
+//
+// Key findings:
+// - BbsBlsSignature2020 (original signed VCs) are fully cross-compatible
+// - BbsBlsSignatureProof2020 (derived proofs) are NOT cross-compatible between
+//   implementations, but this is acceptable because derived proofs are generated
+//   on-the-fly for presentations and never stored in wallets. The critical path
+//   is: load wallet VC → derive new proof with current implementation → verify.
+//
+// Run: cd vc/js && node test_backward_compat.mjs
+import test from 'node:test';
+import assert from 'node:assert';
+import { readFileSync } from 'node:fs';
+import { resolve, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { createRequire } from 'node:module';
+// NAPI binding (new implementation)
+import { ldVerify, ldDeriveProof } from './index.js';
+// @mattrglobal library (old implementation) — for generation verification
+const require = createRequire(import.meta.url);
+const { BbsBlsSignature2020 } = require('@mattrglobal/jsonld-signatures-bbs');
+const { verify: mattrVerify, purposes, extendContextLoader } = require('jsonld-signatures');
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const dataDir = resolve(__dirname, 'test-data');
+const goldenDir = resolve(dataDir, 'golden');
+const loadJson = (name) => JSON.parse(readFileSync(resolve(dataDir, name), 'utf8'));
+const loadGolden = (name) => JSON.parse(readFileSync(resolve(goldenDir, name), 'utf8'));
+// Load context files
+const keyPair = loadJson('keyPair.json');
+const controllerDocument = loadJson('controllerDocument.json');
+const citizenVocab = loadJson('citizenVocab.json');
+const bbsContext = loadJson('bbs.json');
+const credentialsContext = loadJson('credentialsContext.json');
+const suiteContext = loadJson('suiteContext.json');
+const revealDocument = loadJson('deriveProofFrame.json');
+// NAPI contexts map
+const napiContexts = {
+    "did:example:489398593#test": keyPair,
+    "did:example:489398593": controllerDocument,
+    "https://w3id.org/citizenship/v1": citizenVocab,
+    "https://w3id.org/security/bbs/v1": bbsContext,
+    "https://www.w3.org/2018/credentials/v1": credentialsContext,
+    "https://w3id.org/security/suites/jws-2020/v1": suiteContext,
+};
+// @mattrglobal document loader
+const customDocLoader = (url) => {
+    const context = napiContexts[url];
+    if (context) return { contextUrl: null, document: context, documentUrl: url };
+    throw new Error(`Attempted to remote load context: '${url}'`);
+};
+const documentLoader = extendContextLoader(customDocLoader);
+// Load golden files (signed by @mattrglobal)
+const signedPRC = loadGolden('mattrglobal-signed-prc.json');
+const signedMinimal = loadGolden('mattrglobal-signed-minimal.json');
+const signedRich = loadGolden('mattrglobal-signed-rich.json');
+//
+// Wallet VC verification — the critical path
+// VCs in user wallets have BbsBlsSignature2020 proofs signed by the old library.
+// The new NAPI implementation must verify these without re-signing.
+//
+test('wallet-compat: NAPI ldVerify accepts @mattrglobal-signed VC', async () => {
+    const result = await ldVerify({
+        document: signedPRC,
+        contexts: napiContexts,
+    });
+    assert.equal(result.verified, true,
+        `NAPI ldVerify failed on @mattrglobal-signed VC: ${result.error || 'unknown error'}`);
+});
+test('wallet-compat: @mattrglobal verifies its own golden-file VC', async () => {
+    const result = await mattrVerify(signedPRC, {
+        suite: new BbsBlsSignature2020(),
+        purpose: new purposes.AssertionProofPurpose(),
+        documentLoader,
+    });
+    assert.equal(result.verified, true,
+        `@mattrglobal verify failed on its own golden-file VC: ${JSON.stringify(result.error)}`);
+});
+//
+// Selective disclosure — the real-world flow for wallet VCs:
+// 1. Load signed VC from wallet (signed by old library)
+// 2. Derive a proof using the current (NAPI) implementation
+// 3. Verify the derived proof using the current (NAPI) implementation
+//
+test('wallet-compat: NAPI ldDeriveProof works on @mattrglobal-signed VC', async () => {
+    const derived = await ldDeriveProof({
+        document: signedPRC,
+        revealDocument,
+        contexts: napiContexts,
+    });
+    assert.ok(derived, 'ldDeriveProof returned a result');
+    assert.ok(derived.proof, 'derived document has a proof');
+    assert.equal(derived.proof.type, 'BbsBlsSignatureProof2020');
+    // Verify selective disclosure: only requested fields present
+    assert.equal(derived.credentialSubject.givenName, 'JOHN');
+    assert.equal(derived.credentialSubject.familyName, 'SMITH');
+    assert.equal(derived.credentialSubject.gender, 'Male');
+    assert.equal(derived.credentialSubject.birthDate, undefined, 'birthDate should be hidden');
+    assert.equal(derived.credentialSubject.lprNumber, undefined, 'lprNumber should be hidden');
+});
+test('wallet-compat: NAPI verifies its own derived proof from @mattrglobal-signed VC', async () => {
+    const derived = await ldDeriveProof({
+        document: signedPRC,
+        revealDocument,
+        contexts: napiContexts,
+    });
+    const result = await ldVerify({
+        document: derived,
+        contexts: napiContexts,
+    });
+    assert.equal(result.verified, true,
+        `NAPI ldVerify failed on NAPI-derived proof: ${result.error || 'unknown error'}`);
+});
+//
+// Tamper detection — NAPI must reject modified @mattrglobal-signed VCs
+//
+test('wallet-compat: NAPI rejects tampered @mattrglobal-signed VC', async () => {
+    const tampered = JSON.parse(JSON.stringify(signedPRC));
+    tampered.credentialSubject.givenName = 'TAMPERED';
+    const result = await ldVerify({
+        document: tampered,
+        contexts: napiContexts,
+    });
+    assert.equal(result.verified, false, 'tampered VC should not verify');
+});
+test('wallet-compat: NAPI rejects @mattrglobal-signed VC with altered proof', async () => {
+    const altered = JSON.parse(JSON.stringify(signedPRC));
+    // Flip a character in the proof value
+    altered.proof.proofValue = 'X' + altered.proof.proofValue.slice(1);
+    // The Rust BBS crate may panic on malformed proof data rather than returning
+    // verified: false. Both behaviors correctly reject the tampered proof.
+    try {
+        const result = await ldVerify({
+            document: altered,
+            contexts: napiContexts,
+        });
+        assert.equal(result.verified, false, 'altered proof should not verify');
+    } catch (err) {
+        // Panic or error thrown — proof was rejected, which is the correct behavior
+        assert.ok(true, `proof correctly rejected with error: ${err.message}`);
+    }
+});
+//
+// Multiple selective disclosure frames — verify different field combinations
+// work when deriving from an @mattrglobal-signed VC
+//
+test('wallet-compat: derive minimal proof (type only) from @mattrglobal-signed VC', async () => {
+    const minimalFrame = {
+        "@context": signedPRC["@context"],
+        "type": ["VerifiableCredential", "PermanentResidentCard"],
+        "credentialSubject": {
+            "@explicit": true,
+            "type": ["PermanentResident", "Person"],
+        }
+    };
+    const derived = await ldDeriveProof({
+        document: signedPRC,
+        revealDocument: minimalFrame,
+        contexts: napiContexts,
+    });
+    assert.ok(derived.proof, 'derived document has a proof');
+    assert.equal(derived.proof.type, 'BbsBlsSignatureProof2020');
+    // Only type should be present, no PII fields
+    assert.equal(derived.credentialSubject.givenName, undefined);
+    assert.equal(derived.credentialSubject.familyName, undefined);
+    // Verify the minimal derived proof
+    const result = await ldVerify({ document: derived, contexts: napiContexts });
+    assert.equal(result.verified, true,
+        `minimal derived proof failed verification: ${result.error || 'unknown error'}`);
+});
+//
+// VC variant tests — different field counts exercise different BBS+ statement counts.
+// BBS+ signatures encode each field as a separate "message" (statement). Verifying
+// VCs with different field counts ensures the NAPI implementation handles varying
+// statement counts correctly, matching the old library's behavior.
+//
+test('variant: NAPI ldVerify accepts @mattrglobal-signed minimal VC (few fields)', async () => {
+    const result = await ldVerify({
+        document: signedMinimal,
+        contexts: napiContexts,
+    });
+    assert.equal(result.verified, true,
+        `NAPI ldVerify failed on minimal VC: ${result.error || 'unknown error'}`);
+});
+test('variant: NAPI ldVerify accepts @mattrglobal-signed rich VC (many fields)', async () => {
+    const result = await ldVerify({
+        document: signedRich,
+        contexts: napiContexts,
+    });
+    assert.equal(result.verified, true,
+        `NAPI ldVerify failed on rich VC: ${result.error || 'unknown error'}`);
+});
+test('variant: NAPI ldDeriveProof + ldVerify on minimal VC', async () => {
+    // Minimal VC only has givenName and familyName — derive with type-only frame
+    const minimalFrame = {
+        "@context": signedMinimal["@context"],
+        "type": ["VerifiableCredential", "PermanentResidentCard"],
+        "credentialSubject": {
+            "@explicit": true,
+            "type": ["PermanentResident", "Person"],
+            "givenName": {},
+        }
+    };
+    const derived = await ldDeriveProof({
+        document: signedMinimal,
+        revealDocument: minimalFrame,
+        contexts: napiContexts,
+    });
+    assert.ok(derived.proof, 'derived document has a proof');
+    assert.equal(derived.credentialSubject.givenName, 'Alice');
+    assert.equal(derived.credentialSubject.familyName, undefined, 'familyName should be hidden');
+    const result = await ldVerify({ document: derived, contexts: napiContexts });
+    assert.equal(result.verified, true,
+        `minimal VC derived proof failed: ${result.error || 'unknown error'}`);
+});
+test('variant: NAPI ldDeriveProof + ldVerify on rich VC', async () => {
+    // Rich VC has many fields — derive revealing only a few
+    const derived = await ldDeriveProof({
+        document: signedRich,
+        revealDocument,
+        contexts: napiContexts,
+    });
+    assert.ok(derived.proof, 'derived document has a proof');
+    assert.equal(derived.credentialSubject.givenName, 'Robert');
+    assert.equal(derived.credentialSubject.familyName, 'Williams');
+    assert.equal(derived.credentialSubject.gender, 'Male');
+    // Fields not in reveal frame should be hidden
+    assert.equal(derived.credentialSubject.birthDate, undefined, 'birthDate should be hidden');
+    assert.equal(derived.credentialSubject.lprNumber, undefined, 'lprNumber should be hidden');
+    assert.equal(derived.credentialSubject.birthCountry, undefined, 'birthCountry should be hidden');
+    const result = await ldVerify({ document: derived, contexts: napiContexts });
+    assert.equal(result.verified, true,
+        `rich VC derived proof failed: ${result.error || 'unknown error'}`);
+});