@oma3/omatrust 0.1.0-alpha.10 → 0.1.0-alpha.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/identity/index.cjs +543 -0
- package/dist/identity/index.cjs.map +1 -1
- package/dist/identity/index.d.cts +2 -1
- package/dist/identity/index.d.ts +2 -1
- package/dist/identity/index.js +527 -1
- package/dist/identity/index.js.map +1 -1
- package/dist/index-BOvk-7Ku.d.cts +235 -0
- package/dist/index-C2w5EvFH.d.ts +329 -0
- package/dist/index-QueRiudB.d.cts +329 -0
- package/dist/index-R78TpAhN.d.ts +235 -0
- package/dist/index.cjs +1475 -165
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +4 -3
- package/dist/index.d.ts +4 -3
- package/dist/index.js +1476 -166
- package/dist/index.js.map +1 -1
- package/dist/reputation/index.browser.cjs +943 -66
- package/dist/reputation/index.browser.cjs.map +1 -1
- package/dist/reputation/index.browser.d.cts +2 -2
- package/dist/reputation/index.browser.d.ts +2 -2
- package/dist/reputation/index.browser.js +941 -66
- package/dist/reputation/index.browser.js.map +1 -1
- package/dist/reputation/index.cjs +1393 -217
- package/dist/reputation/index.cjs.map +1 -1
- package/dist/reputation/index.d.cts +3 -2
- package/dist/reputation/index.d.ts +3 -2
- package/dist/reputation/index.js +1378 -217
- package/dist/reputation/index.js.map +1 -1
- package/dist/{subject-ownership-CXvzEjpH.d.cts → subject-ownership-B7cFlm8c.d.cts} +256 -26
- package/dist/{subject-ownership-CXvzEjpH.d.ts → subject-ownership-B7cFlm8c.d.ts} +256 -26
- package/dist/types-dpYxRq8N.d.cts +281 -0
- package/dist/types-dpYxRq8N.d.ts +281 -0
- package/dist/widgets/index.cjs +70 -27
- package/dist/widgets/index.cjs.map +1 -1
- package/dist/widgets/index.d.cts +42 -18
- package/dist/widgets/index.d.ts +42 -18
- package/dist/widgets/index.js +67 -26
- package/dist/widgets/index.js.map +1 -1
- package/package.json +3 -2
- package/dist/index-B9KW02US.d.cts +0 -119
- package/dist/index-DXrwBex9.d.ts +0 -119
- package/dist/index-QZDExA4I.d.cts +0 -90
- package/dist/index-QZDExA4I.d.ts +0 -90
|
@@ -169,10 +169,23 @@ type SubmitDelegatedAttestationParams = {
|
|
|
169
169
|
signature: Hex | string;
|
|
170
170
|
attester?: Hex;
|
|
171
171
|
};
|
|
172
|
+
type RelayMetadata = {
|
|
173
|
+
blockNumber?: number;
|
|
174
|
+
chain?: string;
|
|
175
|
+
success?: boolean;
|
|
176
|
+
[key: string]: unknown;
|
|
177
|
+
};
|
|
178
|
+
type RelayErrorDetails = {
|
|
179
|
+
httpStatus: number;
|
|
180
|
+
code?: string;
|
|
181
|
+
error?: string;
|
|
182
|
+
payload?: Record<string, unknown>;
|
|
183
|
+
};
|
|
172
184
|
type SubmitDelegatedAttestationResult = {
|
|
173
185
|
uid: Hex;
|
|
174
186
|
txHash?: Hex;
|
|
175
187
|
status: "submitted" | "confirmed";
|
|
188
|
+
relay?: RelayMetadata;
|
|
176
189
|
};
|
|
177
190
|
type GetAttestationParams = {
|
|
178
191
|
uid: Hex;
|
|
@@ -181,7 +194,7 @@ type GetAttestationParams = {
|
|
|
181
194
|
schema?: SchemaField[] | string;
|
|
182
195
|
};
|
|
183
196
|
type ListAttestationsParams = {
|
|
184
|
-
|
|
197
|
+
subjectDid: Did;
|
|
185
198
|
provider: unknown;
|
|
186
199
|
easContractAddress: Hex;
|
|
187
200
|
schemas?: Hex[];
|
|
@@ -227,14 +240,111 @@ type CallControllerWitnessResult = {
|
|
|
227
240
|
type VerifyProofParams = {
|
|
228
241
|
proof: ProofWrapper;
|
|
229
242
|
provider?: unknown;
|
|
230
|
-
|
|
231
|
-
|
|
243
|
+
expectedSubjectDid?: Did;
|
|
244
|
+
expectedControllerDid?: Did;
|
|
232
245
|
};
|
|
233
246
|
type VerifyProofResult = {
|
|
234
247
|
valid: boolean;
|
|
235
248
|
proofType: ProofType;
|
|
236
249
|
reason?: string;
|
|
237
250
|
};
|
|
251
|
+
type RequestControllerWitnessParams = {
|
|
252
|
+
/** Subject DID (e.g., did:web:example.com) */
|
|
253
|
+
subjectDid: Did;
|
|
254
|
+
/** Controller DID (e.g., did:pkh:eip155:66238:0xabc...) */
|
|
255
|
+
controllerDid: Did;
|
|
256
|
+
/** Override the default controller witness API URL. If omitted, uses the OMATrust production endpoint. */
|
|
257
|
+
gatewayUrl?: string;
|
|
258
|
+
/** Optional chain ID — defaults to the API's active chain if omitted */
|
|
259
|
+
chainId?: number;
|
|
260
|
+
/** Request timeout in milliseconds (default: 15000) */
|
|
261
|
+
timeoutMs?: number;
|
|
262
|
+
};
|
|
263
|
+
type RequestControllerWitnessResult = {
|
|
264
|
+
success: boolean;
|
|
265
|
+
uid: string | null;
|
|
266
|
+
txHash: string;
|
|
267
|
+
blockNumber: number;
|
|
268
|
+
observedAt: number;
|
|
269
|
+
method: string;
|
|
270
|
+
};
|
|
271
|
+
type W3CKeyPurpose = "authentication" | "assertionMethod" | "keyAgreement";
|
|
272
|
+
type GetControllerAuthorizationParams = {
|
|
273
|
+
/**
|
|
274
|
+
* Controller identifier. Can be:
|
|
275
|
+
* - An EVM wallet address (Hex) for did:pkh controllers
|
|
276
|
+
* - A did:pkh DID string
|
|
277
|
+
* - A did:jwk DID string
|
|
278
|
+
*/
|
|
279
|
+
controllerDid: string;
|
|
280
|
+
/** Subject DID the controller claims to control */
|
|
281
|
+
subjectDid: Did;
|
|
282
|
+
/** ethers v6 Provider for on-chain reads */
|
|
283
|
+
provider: unknown;
|
|
284
|
+
/** CAIP-2 chain identifier. Defaults to "eip155:6623" (OMAChain). */
|
|
285
|
+
chain?: string;
|
|
286
|
+
/** EAS contract address. If omitted, resolved from trust anchors. */
|
|
287
|
+
easContractAddress?: Hex;
|
|
288
|
+
/** How far back to scan for controller witnesses. Defaults to 0 (full history). */
|
|
289
|
+
fromBlock?: number;
|
|
290
|
+
/** DNS resolution function for did:web live check */
|
|
291
|
+
resolveTxt?: (host: string) => Promise<string[][]>;
|
|
292
|
+
/** DID document fetcher for did:web live check */
|
|
293
|
+
fetchDidDocument?: (domain: string) => Promise<Record<string, unknown>>;
|
|
294
|
+
/**
|
|
295
|
+
* W3C DID verification relationship purposes to require.
|
|
296
|
+
* Key bindings are only considered valid if their keyPurpose includes all requested purposes.
|
|
297
|
+
* Defaults to ["authentication", "assertionMethod"].
|
|
298
|
+
*/
|
|
299
|
+
purpose?: W3CKeyPurpose[];
|
|
300
|
+
};
|
|
301
|
+
type ControllerWitnessEvidence = {
|
|
302
|
+
/** Attestation UID */
|
|
303
|
+
uid: Hex;
|
|
304
|
+
/** Timestamp when the controller witness was issued (unix seconds) */
|
|
305
|
+
issuedAt: bigint;
|
|
306
|
+
/** EAS-level attester address (typically the OMA3 server wallet) */
|
|
307
|
+
attester: string;
|
|
308
|
+
/** Verification method used by the witness service */
|
|
309
|
+
method?: "dns" | "did-document" | "manual" | "other";
|
|
310
|
+
};
|
|
311
|
+
type ControllerAuthorizationResult = {
|
|
312
|
+
/** Whether the controller has any authorization for this subject */
|
|
313
|
+
authorized: boolean;
|
|
314
|
+
/**
|
|
315
|
+
* Earliest timestamp of durable authorization evidence, usually the first
|
|
316
|
+
* Controller Witness. Null when authorization is only currently verified
|
|
317
|
+
* by live DNS/did.json.
|
|
318
|
+
*/
|
|
319
|
+
anchoredFrom: bigint | null;
|
|
320
|
+
/**
|
|
321
|
+
* End of the authorization window. Set when a relevant key binding revocation
|
|
322
|
+
* closes the window. Null if the window is still open.
|
|
323
|
+
*/
|
|
324
|
+
until: bigint | null;
|
|
325
|
+
/** Whether live DNS/did.json or contract ownership currently confirms control */
|
|
326
|
+
currentlyVerified: boolean;
|
|
327
|
+
/** Verification method for live check */
|
|
328
|
+
liveMethod: "dns" | "did-document" | "contract-ownership" | null;
|
|
329
|
+
/** Controller witness attestations found (oldest first) */
|
|
330
|
+
controllerWitnesses: ControllerWitnessEvidence[];
|
|
331
|
+
/** Key binding attestation UID if one exists */
|
|
332
|
+
keyBindingUid: Hex | null;
|
|
333
|
+
/**
|
|
334
|
+
* Whether the key binding's keyPurpose matched the requested purposes.
|
|
335
|
+
* - "matched": key binding exists and its purposes satisfy the request
|
|
336
|
+
* - "unknown": key binding exists but has no keyPurpose field
|
|
337
|
+
* - "mismatch": key binding exists but does not satisfy the requested purposes
|
|
338
|
+
* - "not-required": no key binding exists or no purpose filter was applied
|
|
339
|
+
*/
|
|
340
|
+
keyPurposeStatus: "matched" | "unknown" | "mismatch" | "not-required";
|
|
341
|
+
/**
|
|
342
|
+
* Whether the key binding includes a verified transfer proof.
|
|
343
|
+
* Only relevant for did:pkh subjects where the controller is authorized
|
|
344
|
+
* via a key binding backed by a deterministic native transfer.
|
|
345
|
+
*/
|
|
346
|
+
transferProofVerified?: boolean;
|
|
347
|
+
};
|
|
238
348
|
|
|
239
349
|
declare function submitAttestation(params: SubmitAttestationParams): Promise<SubmitAttestationResult>;
|
|
240
350
|
|
|
@@ -295,6 +405,96 @@ declare function formatSchemaUid(schemaUid: string): Hex;
|
|
|
295
405
|
|
|
296
406
|
declare function callControllerWitness(params: CallControllerWitnessParams): Promise<CallControllerWitnessResult>;
|
|
297
407
|
|
|
408
|
+
/**
|
|
409
|
+
* Request a controller witness attestation from the OMATrust backend.
|
|
410
|
+
*
|
|
411
|
+
* This is the recommended function for requesting controller witnesses.
|
|
412
|
+
* It makes a single API call with the subject and controller DIDs.
|
|
413
|
+
* The backend handles evidence discovery, attestation submission, and
|
|
414
|
+
* write quota deduction.
|
|
415
|
+
*
|
|
416
|
+
* Requires an authenticated session (cookie-based for web clients).
|
|
417
|
+
* Future versions will support x402 and OAuth DCR 2.0 for agents.
|
|
418
|
+
*
|
|
419
|
+
* @deprecated callControllerWitness — use requestControllerWitness instead.
|
|
420
|
+
* callControllerWitness uses the legacy multi-call pattern and will be
|
|
421
|
+
* removed in a future SDK version.
|
|
422
|
+
*/
|
|
423
|
+
declare function requestControllerWitness(params: RequestControllerWitnessParams): Promise<RequestControllerWitnessResult>;
|
|
424
|
+
|
|
425
|
+
/**
|
|
426
|
+
* Contract Ownership — shared primitives for discovering contract owners
|
|
427
|
+
* and verifying transfer proofs.
|
|
428
|
+
*
|
|
429
|
+
* Used by:
|
|
430
|
+
* - subject-ownership.ts (full ownership verification flow)
|
|
431
|
+
* - attester-authorization.ts (authorization checks for did:pkh subjects)
|
|
432
|
+
*/
|
|
433
|
+
|
|
434
|
+
/**
|
|
435
|
+
* Minimal provider interface for contract ownership reads.
|
|
436
|
+
* Compatible with ethers v6 providers — consumers can pass their provider directly.
|
|
437
|
+
*/
|
|
438
|
+
interface ContractOwnershipProvider {
|
|
439
|
+
call(transaction: {
|
|
440
|
+
to: string;
|
|
441
|
+
data: string;
|
|
442
|
+
}): Promise<string>;
|
|
443
|
+
getCode(address: string): Promise<string>;
|
|
444
|
+
getStorage(address: string, slot: string): Promise<string>;
|
|
445
|
+
getTransaction(hash: string): Promise<{
|
|
446
|
+
from?: string | null;
|
|
447
|
+
to?: string | null;
|
|
448
|
+
value?: bigint | string | number | null;
|
|
449
|
+
blockNumber?: number | null;
|
|
450
|
+
} | null>;
|
|
451
|
+
}
|
|
452
|
+
declare const EIP1967_ADMIN_SLOT: "0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103";
|
|
453
|
+
declare const OWNERSHIP_PATTERNS: readonly [{
|
|
454
|
+
readonly method: "owner";
|
|
455
|
+
readonly signature: "function owner() view returns (address)";
|
|
456
|
+
}, {
|
|
457
|
+
readonly method: "admin";
|
|
458
|
+
readonly signature: "function admin() view returns (address)";
|
|
459
|
+
}, {
|
|
460
|
+
readonly method: "getOwner";
|
|
461
|
+
readonly signature: "function getOwner() view returns (address)";
|
|
462
|
+
}];
|
|
463
|
+
/**
|
|
464
|
+
* Read a single address-returning function from a contract.
|
|
465
|
+
* Returns the checksummed address or null if the call fails or returns zero.
|
|
466
|
+
*/
|
|
467
|
+
declare function readOwnerFromContract(provider: ContractOwnershipProvider, contractAddress: string, signature: string, method: string): Promise<string | null>;
|
|
468
|
+
/**
|
|
469
|
+
* Discover the controlling wallet address of a contract.
|
|
470
|
+
*
|
|
471
|
+
* Tries, in order:
|
|
472
|
+
* 1. `owner()` — OpenZeppelin Ownable
|
|
473
|
+
* 2. `admin()` — common admin pattern
|
|
474
|
+
* 3. `getOwner()` — alternative naming
|
|
475
|
+
* 4. EIP-1967 admin storage slot
|
|
476
|
+
*
|
|
477
|
+
* Returns the checksummed owner address, or null if not discoverable.
|
|
478
|
+
*/
|
|
479
|
+
declare function discoverContractOwner(provider: ContractOwnershipProvider, contractAddress: string): Promise<string | null>;
|
|
480
|
+
/**
|
|
481
|
+
* Discover the controlling wallet and return it as a did:pkh DID.
|
|
482
|
+
* Convenience wrapper over discoverContractOwner for DID-based flows.
|
|
483
|
+
*/
|
|
484
|
+
declare function discoverControllingWalletDid(provider: ContractOwnershipProvider, contractAddress: string, chainId: number): Promise<Did | null>;
|
|
485
|
+
/**
|
|
486
|
+
* Verify a transfer proof transaction.
|
|
487
|
+
*
|
|
488
|
+
* Checks:
|
|
489
|
+
* - Transaction exists and has from/to
|
|
490
|
+
* - Recipient matches the expected attester address
|
|
491
|
+
* - Transfer amount matches the deterministic proof amount for the subject-attester pair
|
|
492
|
+
*
|
|
493
|
+
* Does NOT verify the sender is the current contract owner — that's a separate
|
|
494
|
+
* concern (the sender may have been the owner at the time of transfer but not now).
|
|
495
|
+
*/
|
|
496
|
+
declare function verifyTransferProof(provider: ContractOwnershipProvider, txHash: Hex, subjectDid: Did, attesterAddress: string, chainId: number): Promise<boolean>;
|
|
497
|
+
|
|
298
498
|
declare function getSupportedChainIds(): number[];
|
|
299
499
|
declare function isChainSupported(chainId: number): boolean;
|
|
300
500
|
declare function getChainConstants(chainId: number, purpose: ProofPurpose): ChainConstants;
|
|
@@ -336,18 +536,65 @@ declare function createX402OfferProof(offer: Record<string, unknown>): X402Offer
|
|
|
336
536
|
|
|
337
537
|
declare function createEvidencePointerProof(url: string): EvidencePointerProof;
|
|
338
538
|
|
|
339
|
-
|
|
539
|
+
interface VerifyDnsTxtControllerDidOptions {
|
|
540
|
+
resolveTxt?: (host: string) => Promise<string[][]>;
|
|
541
|
+
recordPrefix?: string;
|
|
542
|
+
}
|
|
543
|
+
|
|
544
|
+
interface DnsTxtRecordResult {
|
|
340
545
|
version?: string;
|
|
546
|
+
/**
|
|
547
|
+
* @deprecated Use `controllers` instead. This field only returns the first
|
|
548
|
+
* controller value and will be removed in a future release.
|
|
549
|
+
*/
|
|
341
550
|
controller?: Did;
|
|
342
|
-
|
|
343
|
-
|
|
551
|
+
/**
|
|
552
|
+
* All controller DIDs found in the record.
|
|
553
|
+
* A DNS TXT record may contain multiple controller= entries.
|
|
554
|
+
*/
|
|
555
|
+
controllers: Did[];
|
|
556
|
+
}
|
|
557
|
+
declare function parseDnsTxtRecord(record: string): DnsTxtRecordResult;
|
|
344
558
|
declare function buildDnsTxtRecord(controllerDid: Did): string;
|
|
345
559
|
|
|
560
|
+
/**
|
|
561
|
+
* DID Document Fetching — shared utility
|
|
562
|
+
*
|
|
563
|
+
* Fetches did:web DID documents from the well-known endpoint.
|
|
564
|
+
* Used by identity/resolve-key and reputation/proof/did-json.
|
|
565
|
+
*/
|
|
566
|
+
/**
|
|
567
|
+
* Fetch a DID document for a did:web domain.
|
|
568
|
+
*
|
|
569
|
+
* Resolves `https://<domain>/.well-known/did.json` and returns the parsed JSON.
|
|
570
|
+
*
|
|
571
|
+
* @param domain - The domain to fetch the DID document from
|
|
572
|
+
* @returns The parsed DID document
|
|
573
|
+
* @throws OmaTrustError with code NETWORK_ERROR if fetch fails
|
|
574
|
+
*/
|
|
346
575
|
declare function fetchDidDocument(domain: string): Promise<Record<string, unknown>>;
|
|
576
|
+
|
|
347
577
|
interface VerifyDidJsonControllerDidOptions {
|
|
348
578
|
fetchDidDocument?: (domain: string) => Promise<Record<string, unknown>>;
|
|
349
579
|
}
|
|
350
|
-
|
|
580
|
+
/**
|
|
581
|
+
* Extract EVM addresses from a DID document's verification methods.
|
|
582
|
+
* Looks at blockchainAccountId and publicKeyHex fields.
|
|
583
|
+
*/
|
|
584
|
+
declare function extractEvmAddressesFromDidDocument(didDocument: Record<string, unknown>): string[];
|
|
585
|
+
/**
|
|
586
|
+
* Extract public JWKs from a DID document's verification methods.
|
|
587
|
+
*/
|
|
588
|
+
declare function extractJwksFromDidDocument(didDocument: Record<string, unknown>): Array<Record<string, unknown>>;
|
|
589
|
+
/**
|
|
590
|
+
* Verify that a controller DID is present in a DID document.
|
|
591
|
+
*
|
|
592
|
+
* Matching strategies:
|
|
593
|
+
* - did:pkh (EVM): extract address and compare against blockchainAccountId / publicKeyHex
|
|
594
|
+
* in verification methods. Chain ID is ignored (same address across all EVM chains).
|
|
595
|
+
* - did:jwk: decode the JWK from the DID and compare against publicKeyJwk fields
|
|
596
|
+
* in verification methods.
|
|
597
|
+
*/
|
|
351
598
|
declare function verifyDidDocumentControllerDid(didDocument: Record<string, unknown>, expectedControllerDid: Did): {
|
|
352
599
|
valid: boolean;
|
|
353
600
|
reason?: string;
|
|
@@ -379,11 +626,6 @@ declare function verifyEip712Signature(typedData: {
|
|
|
379
626
|
signer?: string;
|
|
380
627
|
};
|
|
381
628
|
|
|
382
|
-
interface VerifyDnsTxtControllerDidOptions {
|
|
383
|
-
resolveTxt?: (host: string) => Promise<string[][]>;
|
|
384
|
-
recordPrefix?: string;
|
|
385
|
-
}
|
|
386
|
-
|
|
387
629
|
type SubjectOwnershipVerificationMethod = "dns" | "did-document" | "wallet" | "contract" | "minting-wallet" | "transfer";
|
|
388
630
|
interface SubjectOwnershipVerificationResult {
|
|
389
631
|
valid: boolean;
|
|
@@ -394,19 +636,7 @@ interface SubjectOwnershipVerificationResult {
|
|
|
394
636
|
connectedWalletDid: Did;
|
|
395
637
|
controllingWalletDid?: Did;
|
|
396
638
|
}
|
|
397
|
-
interface EvmOwnershipProvider {
|
|
398
|
-
call(transaction: {
|
|
399
|
-
to: string;
|
|
400
|
-
data: string;
|
|
401
|
-
}): Promise<string>;
|
|
402
|
-
getCode(address: string): Promise<string>;
|
|
403
|
-
getStorage(address: string, slot: string): Promise<string>;
|
|
404
|
-
getTransaction(hash: string): Promise<{
|
|
405
|
-
from?: string | null;
|
|
406
|
-
to?: string | null;
|
|
407
|
-
value?: bigint | string | number | null;
|
|
408
|
-
blockNumber?: number | null;
|
|
409
|
-
} | null>;
|
|
639
|
+
interface EvmOwnershipProvider extends ContractOwnershipProvider {
|
|
410
640
|
getTransactionReceipt(hash: string): Promise<{
|
|
411
641
|
blockNumber: number;
|
|
412
642
|
} | null>;
|
|
@@ -431,4 +661,4 @@ declare function verifyDidWebOwnership(params: VerifyDidWebOwnershipParams): Pro
|
|
|
431
661
|
declare function verifyDidPkhOwnership(params: VerifyDidPkhOwnershipParams): Promise<SubjectOwnershipVerificationResult>;
|
|
432
662
|
declare function verifySubjectOwnership(params: VerifySubjectOwnershipParams): Promise<SubjectOwnershipVerificationResult>;
|
|
433
663
|
|
|
434
|
-
export {
|
|
664
|
+
export { buildDelegatedAttestationTypedData as $, type AttestationQueryResult as A, type BuildDelegatedTypedDataFromEncodedParams as B, type CallControllerWitnessParams as C, type Did as D, type EvidencePointerProof as E, type SubmitAttestationResult as F, type GetAttestationParams as G, type Hex as H, type SubmitDelegatedAttestationParams as I, type SubmitDelegatedAttestationResult as J, type TxInteractionProof as K, type ListAttestationsParams as L, type VerifyAttestationResult as M, type VerifyDidJsonControllerDidOptions as N, type VerifyDidPkhOwnershipParams as O, type PopEip712Proof as P, type VerifyDidWebOwnershipParams as Q, type RelayErrorDetails as R, type SchemaField as S, type TxEncodedValueProof as T, type VerifyProofParams as U, type VerifyAttestationParams as V, type VerifyProofResult as W, type VerifySubjectOwnershipParams as X, type W3CKeyPurpose as Y, type X402OfferProof as Z, type X402ReceiptProof as _, type AttestationValidationError as a, readOwnerFromContract as a$, buildDelegatedTypedDataFromEncoded as a0, buildDnsTxtRecord as a1, buildEip712Domain as a2, calculateAverageUserReviewRating as a3, calculateTransferAmount as a4, calculateTransferAmountFromAddresses as a5, callControllerWitness as a6, constructSeed as a7, createEvidencePointerProof as a8, createPopEip712Proof as a9, isChainSupported as aA, listAttestations as aB, normalizeSchema as aC, parseDnsTxtRecord as aD, prepareDelegatedAttestation as aE, requestControllerWitness as aF, revokeAttestation as aG, schemaToString as aH, splitSignature as aI, submitAttestation as aJ, submitDelegatedAttestation as aK, validateAttestationData as aL, verifyAttestation as aM, verifyDidDocumentControllerDid as aN, verifyDidJsonControllerDid as aO, verifyDidPkhOwnership as aP, verifyDidWebOwnership as aQ, verifyEip712Signature as aR, verifyProof as aS, verifySchemaExists as aT, verifySubjectOwnership as aU, type VerifyDnsTxtControllerDidOptions as aV, type ContractOwnershipProvider as aW, EIP1967_ADMIN_SLOT as aX, OWNERSHIP_PATTERNS as aY, discoverContractOwner as aZ, discoverControllingWalletDid as a_, createPopJwsProof as aa, createTxEncodedValueProof as ab, createTxInteractionProof as ac, createX402OfferProof as ad, createX402ReceiptProof as ae, decodeAttestationData as af, deduplicateReviews as ag, encodeAttestationData as ah, extractEvmAddressesFromDidDocument as ai, extractExpirationTime as aj, extractJwksFromDidDocument as ak, fetchDidDocument as al, formatSchemaUid as am, formatTransferAmount as an, getAttestation as ao, getAttestationsByAttester as ap, getAttestationsForDid as aq, getChainConstants as ar, getExplorerAddressUrl as as, getExplorerTxUrl as at, getLatestAttestations as au, getMajorVersion as av, getOmaTrustProofEip712Types as aw, getSchemaDetails as ax, getSupportedChainIds as ay, hashSeed as az, type CallControllerWitnessResult as b, verifyTransferProof as b0, type ChainConstants as c, type ControllerAuthorizationResult as d, type ControllerWitnessEvidence as e, type CreatePopEip712ProofParams as f, type CreatePopJwsProofParams as g, type DnsTxtRecordResult as h, type EvmOwnershipProvider as i, type GetAttestationsByAttesterParams as j, type GetControllerAuthorizationParams as k, type GetLatestAttestationsParams as l, type PopJwsProof as m, type PrepareDelegatedAttestationParams as n, type PrepareDelegatedAttestationResult as o, type ProofPurpose as p, type ProofType as q, type ProofWrapper as r, type RelayMetadata as s, type RequestControllerWitnessParams as t, type RequestControllerWitnessResult as u, type RevokeAttestationParams as v, type RevokeAttestationResult as w, type SubjectOwnershipVerificationMethod as x, type SubjectOwnershipVerificationResult as y, type SubmitAttestationParams as z };
|
|
@@ -0,0 +1,281 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* JWK and did:jwk Helpers — Phase 2
|
|
3
|
+
*
|
|
4
|
+
* Provides conversion between public JWKs and did:jwk DIDs,
|
|
5
|
+
* deterministic JWK comparison, and public JWK validation.
|
|
6
|
+
*
|
|
7
|
+
* did:jwk is the preferred durable DID representation for JWS/JWK public key
|
|
8
|
+
* material. It is immutable (the DID IS the key) and should be used as the
|
|
9
|
+
* controllerDid for authorization checks.
|
|
10
|
+
*
|
|
11
|
+
* Uses the `jose` library for base64url encoding/decoding and JWK thumbprints.
|
|
12
|
+
*/
|
|
13
|
+
/** Minimal public JWK structure */
|
|
14
|
+
interface PublicJwk {
|
|
15
|
+
kty: string;
|
|
16
|
+
[key: string]: unknown;
|
|
17
|
+
}
|
|
18
|
+
/** Result of JWK validation */
|
|
19
|
+
interface JwkValidationResult {
|
|
20
|
+
valid: boolean;
|
|
21
|
+
error?: string;
|
|
22
|
+
}
|
|
23
|
+
/**
|
|
24
|
+
* Validate that a JWK object is a well-formed public key.
|
|
25
|
+
*
|
|
26
|
+
* Requirements:
|
|
27
|
+
* - Must be a non-null object
|
|
28
|
+
* - Must have a valid `kty` (EC, OKP, RSA)
|
|
29
|
+
* - Must have required public key fields for its key type
|
|
30
|
+
* - Must NOT contain private key material (d, p, q, dp, dq, qi, oth)
|
|
31
|
+
*/
|
|
32
|
+
declare function validatePublicJwk(jwk: unknown): JwkValidationResult;
|
|
33
|
+
/**
|
|
34
|
+
* Convert a public JWK to a did:jwk DID.
|
|
35
|
+
*
|
|
36
|
+
* Uses deterministic (sorted-key) JSON serialization and base64url encoding.
|
|
37
|
+
* Rejects JWKs containing private key material.
|
|
38
|
+
*
|
|
39
|
+
* @param jwk - A public JWK object
|
|
40
|
+
* @returns The did:jwk DID string
|
|
41
|
+
* @throws OmaTrustError if the JWK is invalid or contains private key material
|
|
42
|
+
*/
|
|
43
|
+
declare function jwkToDidJwk(jwk: unknown): string;
|
|
44
|
+
/**
|
|
45
|
+
* Convert a did:jwk DID back to a public JWK object.
|
|
46
|
+
*
|
|
47
|
+
* Validates the DID structure, decodes the base64url payload,
|
|
48
|
+
* parses JSON, and validates the resulting JWK.
|
|
49
|
+
*
|
|
50
|
+
* @param didJwk - A did:jwk DID string
|
|
51
|
+
* @returns The decoded public JWK object
|
|
52
|
+
* @throws OmaTrustError if the DID is malformed or contains private key material
|
|
53
|
+
*/
|
|
54
|
+
declare function didJwkToJwk(didJwk: string): PublicJwk;
|
|
55
|
+
/**
|
|
56
|
+
* Compare two public JWKs for equality.
|
|
57
|
+
*
|
|
58
|
+
* Compares only the public key material fields (kty, crv, x, y, n, e, etc.).
|
|
59
|
+
* Ignores property order, metadata fields (kid, use, alg, key_ops, ext),
|
|
60
|
+
* and rejects/strips private key fields before comparison.
|
|
61
|
+
*
|
|
62
|
+
* @param a - First public JWK
|
|
63
|
+
* @param b - Second public JWK
|
|
64
|
+
* @returns true if both JWKs represent the same public key
|
|
65
|
+
* @throws OmaTrustError if either JWK contains private key material
|
|
66
|
+
*/
|
|
67
|
+
declare function publicJwkEquals(a: unknown, b: unknown): boolean;
|
|
68
|
+
/**
|
|
69
|
+
* Compute an RFC 7638 JWK Thumbprint for a public JWK.
|
|
70
|
+
*
|
|
71
|
+
* Returns the base64url-encoded SHA-256 thumbprint. This is a compact,
|
|
72
|
+
* deterministic fingerprint of the public key material.
|
|
73
|
+
*
|
|
74
|
+
* Used in OMATrust DNS TXT records as: `jkt=S256:<thumbprint>`
|
|
75
|
+
*
|
|
76
|
+
* @param jwk - A public JWK object
|
|
77
|
+
* @param digestAlgorithm - Hash algorithm (default: "sha256")
|
|
78
|
+
* @returns base64url-encoded thumbprint string
|
|
79
|
+
* @throws OmaTrustError if the JWK is invalid or contains private key material
|
|
80
|
+
*/
|
|
81
|
+
declare function computeJwkThumbprint(jwk: unknown, digestAlgorithm?: "sha256" | "sha384" | "sha512"): Promise<string>;
|
|
82
|
+
/**
|
|
83
|
+
* Format a JWK thumbprint as an OMATrust DNS TXT `jkt` value.
|
|
84
|
+
*
|
|
85
|
+
* Format: `jkt=S256:<base64url-thumbprint>`
|
|
86
|
+
*
|
|
87
|
+
* @param jwk - A public JWK object
|
|
88
|
+
* @returns Formatted jkt string for DNS TXT records
|
|
89
|
+
*/
|
|
90
|
+
declare function formatJktValue(jwk: unknown): Promise<string>;
|
|
91
|
+
|
|
92
|
+
/**
|
|
93
|
+
* DID URL Key Resolution — Phase 3
|
|
94
|
+
*
|
|
95
|
+
* Resolves DID URL key references (e.g. did:web:api.example.com#key-1) to
|
|
96
|
+
* public key material and derives durable did:jwk controller DIDs.
|
|
97
|
+
*
|
|
98
|
+
* DID URLs are mutable key references. This module resolves them to the
|
|
99
|
+
* actual public key material they currently point to, then converts that
|
|
100
|
+
* material into an immutable did:jwk for use as a controller DID.
|
|
101
|
+
*/
|
|
102
|
+
|
|
103
|
+
/** Result of resolving a DID URL to public key material */
|
|
104
|
+
interface ResolvedPublicKey {
|
|
105
|
+
/** The original DID URL */
|
|
106
|
+
didUrl: string;
|
|
107
|
+
/** The base DID (without fragment) */
|
|
108
|
+
did: string;
|
|
109
|
+
/** The fragment identifier */
|
|
110
|
+
fragment: string | null;
|
|
111
|
+
/** The resolved public JWK */
|
|
112
|
+
publicKeyJwk: PublicJwk;
|
|
113
|
+
/** The verification method ID that matched */
|
|
114
|
+
verificationMethodId: string;
|
|
115
|
+
}
|
|
116
|
+
/** Result of resolving a DID URL to a durable controller DID */
|
|
117
|
+
interface ResolvedControllerDid extends ResolvedPublicKey {
|
|
118
|
+
/** The durable did:jwk derived from the resolved public key */
|
|
119
|
+
controllerDid: string;
|
|
120
|
+
}
|
|
121
|
+
/** Options for DID URL key resolution */
|
|
122
|
+
interface ResolveKeyOptions {
|
|
123
|
+
/**
|
|
124
|
+
* Custom DID document fetcher. If not provided, uses the shared
|
|
125
|
+
* fetchDidDocument which fetches from `/.well-known/did.json`.
|
|
126
|
+
*/
|
|
127
|
+
fetchDidDocument?: (domain: string) => Promise<Record<string, unknown>>;
|
|
128
|
+
}
|
|
129
|
+
/**
|
|
130
|
+
* Resolve a DID URL to public key material.
|
|
131
|
+
*
|
|
132
|
+
* Currently supports:
|
|
133
|
+
* - did:web with fragment (e.g. did:web:api.example.com#key-1)
|
|
134
|
+
*
|
|
135
|
+
* Resolution steps:
|
|
136
|
+
* 1. Parse the DID URL
|
|
137
|
+
* 2. Resolve the base DID (fetch DID document)
|
|
138
|
+
* 3. Find the matching verification method
|
|
139
|
+
* 4. Extract and validate publicKeyJwk
|
|
140
|
+
*
|
|
141
|
+
* This function only obtains key material. It does not make authorization
|
|
142
|
+
* decisions or check Controller Witness / Key Binding records.
|
|
143
|
+
*
|
|
144
|
+
* @param didUrl - A DID URL string (e.g. "did:web:api.example.com#key-1")
|
|
145
|
+
* @param options - Optional configuration (custom fetcher, etc.)
|
|
146
|
+
* @returns Resolved public key information
|
|
147
|
+
* @throws OmaTrustError if resolution fails
|
|
148
|
+
*/
|
|
149
|
+
declare function resolveDidUrlToPublicKey(didUrl: string, options?: ResolveKeyOptions): Promise<ResolvedPublicKey>;
|
|
150
|
+
/**
|
|
151
|
+
* Resolve a DID URL to a durable controller DID.
|
|
152
|
+
*
|
|
153
|
+
* This wraps resolveDidUrlToPublicKey and adds the did:jwk conversion step.
|
|
154
|
+
* The returned controllerDid is the durable DID that callers should pass
|
|
155
|
+
* to getControllerAuthorization.
|
|
156
|
+
*
|
|
157
|
+
* @param didUrl - A DID URL string (e.g. "did:web:api.example.com#key-1")
|
|
158
|
+
* @param options - Optional configuration (custom fetcher, etc.)
|
|
159
|
+
* @returns Resolved public key plus derived did:jwk controller DID
|
|
160
|
+
* @throws OmaTrustError if resolution fails
|
|
161
|
+
*/
|
|
162
|
+
declare function resolveDidUrlToControllerDid(didUrl: string, options?: ResolveKeyOptions): Promise<ResolvedControllerDid>;
|
|
163
|
+
|
|
164
|
+
/**
|
|
165
|
+
* Identity Types — Phase 4
|
|
166
|
+
*
|
|
167
|
+
* Types for JWS verification results and authorization metadata.
|
|
168
|
+
* These define the contract between signature verification and
|
|
169
|
+
* downstream authorization checks via getControllerAuthorization.
|
|
170
|
+
*/
|
|
171
|
+
|
|
172
|
+
/** Source of the public key used for JWS signature verification */
|
|
173
|
+
type PublicKeySource = "embedded-jwk" | "kid-resolution";
|
|
174
|
+
/**
|
|
175
|
+
* Structured result of JWS signature verification.
|
|
176
|
+
*
|
|
177
|
+
* This result is NOT an authorization result. It does not determine whether
|
|
178
|
+
* the signing key was authorized to act for the service identified by resourceUrl.
|
|
179
|
+
*
|
|
180
|
+
* It provides enough information for callers to perform downstream authorization
|
|
181
|
+
* checks via getControllerAuthorization:
|
|
182
|
+
* - publicKeyDid (did:jwk) is the durable controller DID
|
|
183
|
+
* - resourceUrl identifies the service subject
|
|
184
|
+
* - issuedAt enables authorization-window checks for receipts
|
|
185
|
+
*/
|
|
186
|
+
interface JwsVerificationResult {
|
|
187
|
+
/** Whether the JWS signature is cryptographically valid */
|
|
188
|
+
valid: boolean;
|
|
189
|
+
/** Decoded JWS protected header */
|
|
190
|
+
header: Record<string, unknown>;
|
|
191
|
+
/** Decoded JWS payload */
|
|
192
|
+
payload: Record<string, unknown>;
|
|
193
|
+
/** kid from the JWS header (a key reference, NOT a controller DID) */
|
|
194
|
+
kid: string | null;
|
|
195
|
+
/** The public JWK used for signature verification */
|
|
196
|
+
publicKeyJwk: PublicJwk;
|
|
197
|
+
/** How the public key was obtained */
|
|
198
|
+
publicKeySource: PublicKeySource;
|
|
199
|
+
/**
|
|
200
|
+
* The durable did:jwk derived from the public key.
|
|
201
|
+
* This is the controller DID for downstream authorization checks.
|
|
202
|
+
* Pass this as controllerDid to getControllerAuthorization.
|
|
203
|
+
*/
|
|
204
|
+
publicKeyDid: string;
|
|
205
|
+
/** Error details when valid is false */
|
|
206
|
+
error?: JwsVerificationError;
|
|
207
|
+
}
|
|
208
|
+
/** Error details for failed JWS verification */
|
|
209
|
+
interface JwsVerificationError {
|
|
210
|
+
code: string;
|
|
211
|
+
message: string;
|
|
212
|
+
}
|
|
213
|
+
/**
|
|
214
|
+
* Failed JWS verification result.
|
|
215
|
+
* Returned when parsing, decoding, or signature verification fails.
|
|
216
|
+
*/
|
|
217
|
+
interface JwsVerificationFailure {
|
|
218
|
+
valid: false;
|
|
219
|
+
error: JwsVerificationError;
|
|
220
|
+
header?: Record<string, unknown>;
|
|
221
|
+
payload?: Record<string, unknown>;
|
|
222
|
+
kid?: string | null;
|
|
223
|
+
publicKeyJwk?: PublicJwk;
|
|
224
|
+
publicKeySource?: PublicKeySource;
|
|
225
|
+
publicKeyDid?: string;
|
|
226
|
+
}
|
|
227
|
+
/**
|
|
228
|
+
* Authorization metadata extracted from a verified JWS artifact.
|
|
229
|
+
*
|
|
230
|
+
* This is the information a caller needs to perform an authorization check
|
|
231
|
+
* after JWS signature verification succeeds.
|
|
232
|
+
*
|
|
233
|
+
* Usage:
|
|
234
|
+
* 1. Verify JWS → get JwsVerificationResult
|
|
235
|
+
* 2. Extract AuthorizationMetadata from the result
|
|
236
|
+
* 3. Call getControllerAuthorization({ subjectDid, controllerDid, purpose })
|
|
237
|
+
* 4. Evaluate the returned authorization window against policy
|
|
238
|
+
*/
|
|
239
|
+
interface AuthorizationMetadata {
|
|
240
|
+
/**
|
|
241
|
+
* The durable controller DID (did:jwk) derived from the verified public key.
|
|
242
|
+
* Pass this as controllerDid to getControllerAuthorization.
|
|
243
|
+
*/
|
|
244
|
+
controllerDid: string;
|
|
245
|
+
/**
|
|
246
|
+
* The subject DID derived from resourceUrl.
|
|
247
|
+
* For x402 artifacts, this is typically did:web:<domain-from-resourceUrl>.
|
|
248
|
+
* Pass this as subjectDid to getControllerAuthorization.
|
|
249
|
+
*/
|
|
250
|
+
subjectDid: string | null;
|
|
251
|
+
/**
|
|
252
|
+
* The resourceUrl from the signed payload.
|
|
253
|
+
* Identifies the service/resource the artifact is associated with.
|
|
254
|
+
*/
|
|
255
|
+
resourceUrl: string | null;
|
|
256
|
+
/**
|
|
257
|
+
* The issuedAt timestamp from the signed payload (receipts).
|
|
258
|
+
* Used for authorization-window checks — was the controller authorized at this time?
|
|
259
|
+
*/
|
|
260
|
+
issuedAt: string | null;
|
|
261
|
+
/**
|
|
262
|
+
* The kid from the JWS header (mutable key reference).
|
|
263
|
+
* Useful for key-pinning lookups but NOT a controller DID.
|
|
264
|
+
*/
|
|
265
|
+
kid: string | null;
|
|
266
|
+
/** The public JWK used for signature verification */
|
|
267
|
+
publicKeyJwk: PublicJwk;
|
|
268
|
+
}
|
|
269
|
+
/**
|
|
270
|
+
* Extract authorization metadata from a successful JWS verification result.
|
|
271
|
+
*
|
|
272
|
+
* Derives the subject DID from resourceUrl when possible (assumes did:web
|
|
273
|
+
* for HTTPS URLs). Returns null for subjectDid if resourceUrl is missing
|
|
274
|
+
* or cannot be parsed.
|
|
275
|
+
*
|
|
276
|
+
* @param result - A successful JwsVerificationResult (valid === true)
|
|
277
|
+
* @returns Authorization metadata for downstream getControllerAuthorization calls
|
|
278
|
+
*/
|
|
279
|
+
declare function extractAuthorizationMetadata(result: JwsVerificationResult): AuthorizationMetadata;
|
|
280
|
+
|
|
281
|
+
export { type AuthorizationMetadata as A, type JwkValidationResult as J, type PublicJwk as P, type ResolveKeyOptions as R, type JwsVerificationError as a, type JwsVerificationFailure as b, type JwsVerificationResult as c, type PublicKeySource as d, type ResolvedControllerDid as e, type ResolvedPublicKey as f, computeJwkThumbprint as g, didJwkToJwk as h, extractAuthorizationMetadata as i, formatJktValue as j, jwkToDidJwk as k, resolveDidUrlToPublicKey as l, publicJwkEquals as p, resolveDidUrlToControllerDid as r, validatePublicJwk as v };
|