npm - @openid4vc/openid4vci - Versions diffs - 0.3.0-alpha-20251017102623 → 0.3.0-alpha-20251017122507 - Mend

@openid4vc/openid4vci 0.3.0-alpha-20251017102623 → 0.3.0-alpha-20251017122507

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js CHANGED Viewed

@@ -43,23 +43,23 @@ const zTxCode = zod.default.object({
 	input_mode: zod.default.union([zod.default.literal("numeric"), zod.default.literal("text")]).optional(),
 	length: zod.default.number().int().optional(),
 	description: zod.default.string().max(300).optional()
-}).passthrough();
+}).loose();
 const zCredentialOfferGrants = zod.default.object({
 	authorization_code: zod.default.object({
 		issuer_state: zod.default.string().optional(),
 		authorization_server: __openid4vc_utils.zHttpsUrl.optional()
-	}).passthrough().optional(),
+	}).loose().optional(),
 	[__openid4vc_oauth2.preAuthorizedCodeGrantIdentifier]: zod.default.object({
 		"pre-authorized_code": zod.default.string(),
 		tx_code: zTxCode.optional(),
 		authorization_server: __openid4vc_utils.zHttpsUrl.optional()
-	}).passthrough().optional()
-}).passthrough();
+	}).loose().optional()
+}).loose();
 const zCredentialOfferObjectDraft14 = zod.default.object({
 	credential_issuer: __openid4vc_utils.zHttpsUrl,
 	credential_configuration_ids: zod.default.array(zod.default.string()),
 	grants: zod.default.optional(zCredentialOfferGrants)
-}).passthrough();
+}).loose();
 const zCredentialOfferObjectDraft11To14 = zod.default.object({
 	credential_issuer: __openid4vc_utils.zHttpsUrl,
 	credentials: zod.default.array(zod.default.string({ message: "Only string credential identifiers are supported for draft 11 credential offers" })),
@@ -68,9 +68,9 @@ const zCredentialOfferObjectDraft11To14 = zod.default.object({
 		[__openid4vc_oauth2.preAuthorizedCodeGrantIdentifier]: zod.default.object({
 			"pre-authorized_code": zod.default.string(),
 			user_pin_required: zod.default.optional(zod.default.boolean())
-		}).passthrough().optional()
+		}).loose().optional()
 	}))
-}).passthrough().transform(({ credentials, grants,...rest }) => {
+}).loose().transform(({ credentials, grants,...rest }) => {
 	const v14 = {
 		...rest,
 		credential_configuration_ids: credentials
@@ -177,14 +177,15 @@ const zCredentialConfigurationSupportedClaimsDescriptionDraft14 = zod.default.ob
 	display: zod.default.array(zod.default.object({
 		name: zod.default.string().optional(),
 		locale: zod.default.string().optional()
-	}).passthrough()).optional()
-}).passthrough();
+	}).loose()).optional()
+}).loose();
 const zCredentialConfigurationSupportedClaimsDraft14 = zod.default.record(zod.default.string(), zod.default.union([zCredentialConfigurationSupportedClaimsDescriptionDraft14, zod.default.lazy(() => zCredentialConfigurationSupportedClaimsDraft14)]));
-const zClaimsDescriptionPath = zod.default.array(zod.default.union([
+const zClaimDescriptionPathValue = zod.default.union([
 	zod.default.string(),
 	zod.default.number().int().nonnegative(),
 	zod.default.null()
-])).nonempty();
+]);
+const zClaimsDescriptionPath = zod.default.tuple([zClaimDescriptionPathValue], zClaimDescriptionPathValue);
 const zMsoMdocClaimsDescriptionPath = zod.default.tuple([zod.default.string(), zod.default.string()], { message: "mso_mdoc claims description path MUST be an array with exactly two string elements, pointing to the namespace and element identifier within an mdoc credential" });
 const zIssuerMetadataClaimsDescription = zod.default.object({
 	path: zClaimsDescriptionPath,
@@ -192,8 +193,8 @@ const zIssuerMetadataClaimsDescription = zod.default.object({
 	display: zod.default.array(zod.default.object({
 		name: zod.default.string().optional(),
 		locale: zod.default.string().optional()
-	}).passthrough()).optional()
-}).passthrough();
+	}).loose()).optional()
+}).loose();
 const zMsoMdocIssuerMetadataClaimsDescription = zIssuerMetadataClaimsDescription.extend({ path: zMsoMdocClaimsDescriptionPath });
 //#endregion
@@ -201,7 +202,7 @@ const zMsoMdocIssuerMetadataClaimsDescription = zIssuerMetadataClaimsDescription
 const zKeyAttestationJwtHeader = zod.default.object({
 	...__openid4vc_oauth2.zJwtHeader.shape,
 	typ: zod.default.literal("keyattestation+jwt").or(zod.default.literal("key-attestation+jwt"))
-}).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, { message: `Both 'jwk' and 'kid' are defined. Only one is allowed` }).refine(({ trust_chain, kid }) => !trust_chain || !kid, { message: `When 'trust_chain' is provided, 'kid' is required` });
+}).loose().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, { message: `Both 'jwk' and 'kid' are defined. Only one is allowed` }).refine(({ trust_chain, kid }) => !trust_chain || !kid, { message: `When 'trust_chain' is provided, 'kid' is required` });
 const zIso18045 = zod.default.enum([
 	"iso_18045_high",
 	"iso_18045_moderate",
@@ -215,13 +216,13 @@ const zKeyAttestationJwtPayload = zod.default.object({
 	attested_keys: zod.default.array(__openid4vc_oauth2.zJwk),
 	key_storage: zod.default.optional(zIso18045OrStringArray),
 	user_authentication: zod.default.optional(zIso18045OrStringArray),
-	certification: zod.default.optional(zod.default.string().url())
-}).passthrough();
+	certification: zod.default.optional(zod.default.url())
+}).loose();
 const zKeyAttestationJwtPayloadForUse = (use) => zod.default.object({
 	...zKeyAttestationJwtPayload.shape,
 	nonce: use === "proof_type.attestation" ? zod.default.string({ message: `Nonce must be defined when key attestation is used as 'proof_type.attestation' directly` }) : zod.default.optional(zod.default.string()),
 	exp: use === "proof_type.jwt" ? __openid4vc_utils.zInteger : zod.default.optional(__openid4vc_utils.zInteger)
-}).passthrough();
+}).loose();
 //#endregion
 //#region src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
@@ -231,12 +232,12 @@ const zCredentialConfigurationSupportedDisplayEntry = zod.default.object({
 	logo: zod.default.object({
 		uri: zod.default.string().optional(),
 		alt_text: zod.default.string().optional()
-	}).passthrough().optional(),
+	}).loose().optional(),
 	description: zod.default.string().optional(),
 	background_color: zod.default.string().optional(),
-	background_image: zod.default.object({ uri: zod.default.string().optional() }).passthrough().optional(),
+	background_image: zod.default.object({ uri: zod.default.string().optional() }).loose().optional(),
 	text_color: zod.default.string().optional()
-}).passthrough();
+}).loose();
 const zCredentialConfigurationSupportedCommonCredentialMetadata = zod.default.object({ display: zod.default.array(zCredentialConfigurationSupportedDisplayEntry).optional() });
 const zCredentialConfigurationSupportedCommon = zod.default.object({
 	format: zod.default.string(),
@@ -252,11 +253,11 @@ const zCredentialConfigurationSupportedCommon = zod.default.object({
 		key_attestations_required: zod.default.object({
 			key_storage: zIso18045OrStringArray.optional(),
 			user_authentication: zIso18045OrStringArray.optional()
-		}).passthrough().optional()
+		}).loose().optional()
 	})).optional(),
 	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.optional(),
 	claims: zod.default.optional(zod.default.never())
-}).passthrough();
+}).loose();
 const zCredentialConfigurationSupportedCommonDraft15 = zod.default.object({
 	format: zod.default.string(),
 	scope: zod.default.string().optional(),
@@ -271,11 +272,11 @@ const zCredentialConfigurationSupportedCommonDraft15 = zod.default.object({
 		key_attestations_required: zod.default.object({
 			key_storage: zIso18045OrStringArray.optional(),
 			user_authentication: zIso18045OrStringArray.optional()
-		}).passthrough().optional()
+		}).loose().optional()
 	})).optional(),
 	display: zod.default.array(zCredentialConfigurationSupportedDisplayEntry).optional(),
 	credential_metadata: zod.default.optional(zod.default.never())
-}).passthrough();
+}).loose();
 //#endregion
 //#region src/formats/credential/mso-mdoc/z-mso-mdoc.ts
@@ -368,8 +369,8 @@ const zCredentialSubjectLeafTypeDraft14 = zod.default.object({
 	display: zod.default.array(zod.default.object({
 		name: zod.default.string().optional(),
 		locale: zod.default.string().optional()
-	}).passthrough()).optional()
-}).passthrough();
+	}).loose()).optional()
+}).loose();
 const zClaimValueSchemaDraft14 = zod.default.union([
 	zod.default.array(zod.default.any()),
 	zod.default.record(zod.default.string(), zod.default.any()),
@@ -378,14 +379,14 @@ const zClaimValueSchemaDraft14 = zod.default.union([
 const zW3cVcCredentialSubjectDraft14 = zod.default.record(zod.default.string(), zClaimValueSchemaDraft14);
 const zW3cVcJsonLdCredentialDefinition = zod.default.object({
 	"@context": zod.default.array(zod.default.string()),
-	type: zod.default.array(zod.default.string()).nonempty()
-}).passthrough();
+	type: zod.default.tuple([zod.default.string()], zod.default.string())
+}).loose();
 const zW3cVcJsonLdCredentialDefinitionDraft14 = zW3cVcJsonLdCredentialDefinition.extend({ credentialSubject: zW3cVcCredentialSubjectDraft14.optional() });
 //#endregion
 //#region src/formats/credential/w3c-vc/z-w3c-jwt-vc-json.ts
 const zJwtVcJsonFormatIdentifier = zod.default.literal("jwt_vc_json");
-const zJwtVcJsonCredentialDefinition = zod.default.object({ type: zod.default.array(zod.default.string()).nonempty() }).passthrough();
+const zJwtVcJsonCredentialDefinition = zod.default.object({ type: zod.default.tuple([zod.default.string()], zod.default.string()) }).loose();
 const zJwtVcJsonCredentialDefinitionDraft14 = zJwtVcJsonCredentialDefinition.extend({ credentialSubject: zW3cVcCredentialSubjectDraft14.optional() });
 const zJwtVcJsonCredentialIssuerMetadata = zCredentialConfigurationSupportedCommon.extend({
 	format: zJwtVcJsonFormatIdentifier,
@@ -405,9 +406,9 @@ const zJwtVcJsonCredentialIssuerMetadataDraft14 = zCredentialConfigurationSuppor
 const zJwtVcJsonCredentialIssuerMetadataDraft11 = zod.default.object({
 	format: zJwtVcJsonFormatIdentifier,
 	order: zod.default.array(zod.default.string()).optional(),
-	types: zod.default.array(zod.default.string()),
+	types: zod.default.tuple([zod.default.string()], zod.default.string()),
 	credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
-}).passthrough();
+}).loose();
 const zJwtVcJsonCredentialIssuerMetadataDraft11To14 = zJwtVcJsonCredentialIssuerMetadataDraft11.transform(({ types, credentialSubject,...rest }) => ({
 	...rest,
 	credential_definition: {
@@ -415,7 +416,7 @@ const zJwtVcJsonCredentialIssuerMetadataDraft11To14 = zJwtVcJsonCredentialIssuer
 		...credentialSubject ? { credentialSubject } : {}
 	}
 }));
-const zJwtVcJsonCredentialIssuerMetadataDraft14To11 = zJwtVcJsonCredentialIssuerMetadataDraft14.passthrough().transform(({ credential_definition: { type,...credentialDefinition },...rest }) => ({
+const zJwtVcJsonCredentialIssuerMetadataDraft14To11 = zJwtVcJsonCredentialIssuerMetadataDraft14.loose().transform(({ credential_definition: { type,...credentialDefinition },...rest }) => ({
 	...rest,
 	types: type,
 	...credentialDefinition
@@ -426,9 +427,9 @@ const zJwtVcJsonCredentialRequestFormatDraft14 = zod.default.object({
 });
 const zJwtVcJsonCredentialRequestDraft11 = zod.default.object({
 	format: zJwtVcJsonFormatIdentifier,
-	types: zod.default.array(zod.default.string()),
+	types: zod.default.tuple([zod.default.string()], zod.default.string()),
 	credentialSubject: zod.default.optional(zW3cVcCredentialSubjectDraft14)
-}).passthrough();
+}).loose();
 const zJwtVcJsonCredentialRequestDraft11To14 = zJwtVcJsonCredentialRequestDraft11.transform(({ types, credentialSubject,...rest }) => {
 	return {
 		...rest,
@@ -438,7 +439,7 @@ const zJwtVcJsonCredentialRequestDraft11To14 = zJwtVcJsonCredentialRequestDraft1
 		}
 	};
 });
-const zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormatDraft14.passthrough().transform(({ credential_definition: { type,...credentialDefinition },...rest }) => ({
+const zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormatDraft14.loose().transform(({ credential_definition: { type,...credentialDefinition },...rest }) => ({
 	...rest,
 	types: type,
 	...credentialDefinition
@@ -466,9 +467,9 @@ const zJwtVcJsonLdCredentialIssuerMetadataDraft11 = zod.default.object({
 	order: zod.default.array(zod.default.string()).optional(),
 	format: zJwtVcJsonLdFormatIdentifier,
 	"@context": zod.default.array(zod.default.string()),
-	types: zod.default.array(zod.default.string()),
+	types: zod.default.tuple([zod.default.string()], zod.default.string()),
 	credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
-}).passthrough();
+}).loose();
 const zJwtVcJsonLdCredentialIssuerMetadataDraft11To14 = zJwtVcJsonLdCredentialIssuerMetadataDraft11.transform(({ "@context": context, types, credentialSubject,...rest }) => ({
 	...rest,
 	credential_definition: {
@@ -477,7 +478,7 @@ const zJwtVcJsonLdCredentialIssuerMetadataDraft11To14 = zJwtVcJsonLdCredentialIs
 		...credentialSubject ? { credentialSubject } : {}
 	}
 }));
-const zJwtVcJsonLdCredentialIssuerMetadataDraft14To11 = zJwtVcJsonLdCredentialIssuerMetadataDraft14.passthrough().transform(({ credential_definition: { type,...credentialDefinition },...rest }) => ({
+const zJwtVcJsonLdCredentialIssuerMetadataDraft14To11 = zJwtVcJsonLdCredentialIssuerMetadataDraft14.loose().transform(({ credential_definition: { type,...credentialDefinition },...rest }) => ({
 	...rest,
 	...credentialDefinition,
 	types: type
@@ -490,10 +491,10 @@ const zJwtVcJsonLdCredentialRequestDraft11 = zod.default.object({
 	format: zJwtVcJsonLdFormatIdentifier,
 	credential_definition: zod.default.object({
 		"@context": zod.default.array(zod.default.string()),
-		types: zod.default.array(zod.default.string()),
+		types: zod.default.tuple([zod.default.string()], zod.default.string()),
 		credentialSubject: zod.default.optional(zW3cVcCredentialSubjectDraft14)
-	}).passthrough()
-}).passthrough();
+	}).loose()
+}).loose();
 const zJwtVcJsonLdCredentialRequestDraft11To14 = zJwtVcJsonLdCredentialRequestDraft11.transform(({ credential_definition: { types,...restCredentialDefinition },...rest }) => ({
 	...rest,
 	credential_definition: {
@@ -501,7 +502,7 @@ const zJwtVcJsonLdCredentialRequestDraft11To14 = zJwtVcJsonLdCredentialRequestDr
 		type: types
 	}
 }));
-const zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestFormatDraft14.passthrough().transform(({ credential_definition: { type,...restCredentialDefinition },...rest }) => ({
+const zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestFormatDraft14.loose().transform(({ credential_definition: { type,...restCredentialDefinition },...rest }) => ({
 	...rest,
 	credential_definition: {
 		...restCredentialDefinition,
@@ -531,9 +532,9 @@ const zLdpVcCredentialIssuerMetadataDraft11 = zod.default.object({
 	order: zod.default.array(zod.default.string()).optional(),
 	format: zLdpVcFormatIdentifier,
 	"@context": zod.default.array(zod.default.string()),
-	types: zod.default.array(zod.default.string()),
+	types: zod.default.tuple([zod.default.string()], zod.default.string()),
 	credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
-}).passthrough();
+}).loose();
 const zLdpVcCredentialIssuerMetadataDraft11To14 = zLdpVcCredentialIssuerMetadataDraft11.transform(({ "@context": context, types, credentialSubject,...rest }) => ({
 	...rest,
 	credential_definition: {
@@ -542,7 +543,7 @@ const zLdpVcCredentialIssuerMetadataDraft11To14 = zLdpVcCredentialIssuerMetadata
 		...credentialSubject ? { credentialSubject } : {}
 	}
 }));
-const zLdpVcCredentialIssuerMetadataDraft14To11 = zLdpVcCredentialIssuerMetadataDraft14.passthrough().transform(({ credential_definition: { type,...credentialDefinition },...rest }) => ({
+const zLdpVcCredentialIssuerMetadataDraft14To11 = zLdpVcCredentialIssuerMetadataDraft14.loose().transform(({ credential_definition: { type,...credentialDefinition },...rest }) => ({
 	...rest,
 	...credentialDefinition,
 	types: type
@@ -555,10 +556,10 @@ const zLdpVcCredentialRequestDraft11 = zod.default.object({
 	format: zLdpVcFormatIdentifier,
 	credential_definition: zod.default.object({
 		"@context": zod.default.array(zod.default.string()),
-		types: zod.default.array(zod.default.string()),
+		types: zod.default.tuple([zod.default.string()], zod.default.string()),
 		credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 	})
-}).passthrough();
+}).loose();
 const zLdpVcCredentialRequestDraft11To14 = zLdpVcCredentialRequestDraft11.transform(({ credential_definition: { types,...restCredentialDefinition },...rest }) => ({
 	...rest,
 	credential_definition: {
@@ -566,7 +567,7 @@ const zLdpVcCredentialRequestDraft11To14 = zLdpVcCredentialRequestDraft11.transf
 		type: types
 	}
 }));
-const zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormatDraft14.passthrough().transform(({ credential_definition: { type,...restCredentialDefinition },...rest }) => ({
+const zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormatDraft14.loose().transform(({ credential_definition: { type,...restCredentialDefinition },...rest }) => ({
 	...rest,
 	credential_definition: {
 		...restCredentialDefinition,
@@ -577,7 +578,7 @@ const zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormatDraft14.
 //#endregion
 //#region src/formats/credential/w3c-vc/z-w3c-sd-jwt-vc.ts
 const zSdJwtW3VcFormatIdentifier = zod.default.literal("vc+sd-jwt");
-const zSdJwtW3VcCredentialDefinition = zod.default.object({ type: zod.default.array(zod.default.string()).nonempty() }).passthrough();
+const zSdJwtW3VcCredentialDefinition = zod.default.object({ type: zod.default.tuple([zod.default.string()], zod.default.string()) }).loose();
 const zSdJwtW3VcCredentialIssuerMetadata = zCredentialConfigurationSupportedCommon.extend({
 	format: zSdJwtW3VcFormatIdentifier,
 	credential_definition: zSdJwtW3VcCredentialDefinition,
@@ -622,9 +623,12 @@ const allCredentialIssuerMetadataFormatIdentifiers = allCredentialIssuerMetadata
 const zCredentialConfigurationSupportedWithFormats = zod.default.union([zCredentialConfigurationSupportedCommon, zCredentialConfigurationSupportedCommonDraft15]).transform((data, ctx) => {
 	if (!allCredentialIssuerMetadataFormatIdentifiers.includes(data.format)) return data;
 	const validators = allCredentialIssuerMetadataFormats.filter((formatValidator) => formatValidator.shape.format.value === data.format);
-	const result = zod.default.object({}).passthrough().and(validators.length > 1 ? zod.default.union(validators) : validators[0]).safeParse(data);
+	const result = zod.default.object({}).loose().and(validators.length > 1 ? zod.default.union(validators) : validators[0]).safeParse(data);
 	if (result.success) return result.data;
-	for (const issue of result.error.issues) ctx.addIssue(issue);
+	for (const issue of result.error.issues) ctx.addIssue({
+		...issue,
+		code: issue.code
+	});
 	return zod.default.NEVER;
 });
 const zCredentialIssuerMetadataDisplayEntry = zod.default.object({
@@ -633,8 +637,8 @@ const zCredentialIssuerMetadataDisplayEntry = zod.default.object({
 	logo: zod.default.object({
 		uri: zod.default.string().optional(),
 		alt_text: zod.default.string().optional()
-	}).passthrough().optional()
-}).passthrough();
+	}).loose().optional()
+}).loose();
 const zCredentialIssuerMetadataDraft14Draft15Draft16 = zod.default.object({
 	credential_issuer: __openid4vc_utils.zHttpsUrl,
 	authorization_servers: zod.default.array(__openid4vc_utils.zHttpsUrl).optional(),
@@ -646,22 +650,22 @@ const zCredentialIssuerMetadataDraft14Draft15Draft16 = zod.default.object({
 		alg_values_supported: zod.default.array(zod.default.string()),
 		enc_values_supported: zod.default.array(zod.default.string()),
 		encryption_required: zod.default.boolean()
-	}).passthrough().optional(),
-	batch_credential_issuance: zod.default.object({ batch_size: zod.default.number().positive() }).passthrough().optional(),
+	}).loose().optional(),
+	batch_credential_issuance: zod.default.object({ batch_size: zod.default.number().positive() }).loose().optional(),
 	signed_metadata: __openid4vc_oauth2.zCompactJwt.optional(),
 	display: zod.default.array(zCredentialIssuerMetadataDisplayEntry).optional(),
 	credential_configurations_supported: zod.default.record(zod.default.string(), zCredentialConfigurationSupportedWithFormats)
-}).passthrough();
+}).loose();
 const zCredentialConfigurationSupportedDraft11To16 = zod.default.object({
 	id: zod.default.string().optional(),
 	format: zod.default.string(),
 	cryptographic_suites_supported: zod.default.array(zod.default.string()).optional(),
 	display: zod.default.array(zod.default.object({
-		logo: zod.default.object({ url: zod.default.string().url().optional() }).passthrough().optional(),
-		background_image: zod.default.object({ url: zod.default.string().url().optional() }).passthrough().optional()
-	}).passthrough()).optional(),
+		logo: zod.default.object({ url: zod.default.url().optional() }).loose().optional(),
+		background_image: zod.default.object({ url: zod.default.url().optional() }).loose().optional()
+	}).loose()).optional(),
 	claims: zod.default.any().optional()
-}).passthrough().transform(({ cryptographic_suites_supported, display, claims, id,...rest }) => ({
+}).loose().transform(({ cryptographic_suites_supported, display, claims, id,...rest }) => ({
 	...rest,
 	...cryptographic_suites_supported ? { credential_signing_alg_values_supported: cryptographic_suites_supported } : {},
 	...claims || display ? { credential_metadata: {
@@ -681,13 +685,16 @@ const zCredentialConfigurationSupportedDraft11To16 = zod.default.object({
 	if (!Object.keys(formatSpecificTransformations).includes(data.format)) return data;
 	const result = formatSpecificTransformations[data.format].safeParse(data);
 	if (result.success) return result.data;
-	for (const issue of result.error.issues) ctx.addIssue(issue);
+	for (const issue of result.error.issues) ctx.addIssue({
+		...issue,
+		code: issue.code
+	});
 	return zod.default.NEVER;
 }).pipe(zCredentialConfigurationSupportedWithFormats);
 const zCredentialConfigurationSupportedDraft16To11 = zCredentialConfigurationSupportedWithFormats.transform(({ credential_metadata,...rest }) => ({
 	...credential_metadata,
 	...rest
-})).and(zod.default.object({ id: zod.default.string() }).passthrough()).transform(({ id, credential_signing_alg_values_supported, display, proof_types_supported, scope,...rest }) => ({
+})).and(zod.default.object({ id: zod.default.string() }).loose()).transform(({ id, credential_signing_alg_values_supported, display, proof_types_supported, scope,...rest }) => ({
 	...rest,
 	...credential_signing_alg_values_supported ? { cryptographic_suites_supported: credential_signing_alg_values_supported } : {},
 	...display ? { display: display.map(({ logo, background_image,...displayRest }) => {
@@ -714,18 +721,18 @@ const zCredentialConfigurationSupportedDraft16To11 = zCredentialConfigurationSup
 		zLdpVcFormatIdentifier.value,
 		zJwtVcJsonFormatIdentifier.value,
 		zJwtVcJsonLdFormatIdentifier.value
-	].includes(input)) }).passthrough()
+	].includes(input)) }).loose()
 ]));
 const zCredentialIssuerMetadataDraft11To16 = zod.default.object({
 	authorization_server: zod.default.string().optional(),
-	credentials_supported: zod.default.array(zod.default.object({ id: zod.default.string().optional() }).passthrough())
-}).passthrough().transform(({ authorization_server, credentials_supported,...rest }) => {
+	credentials_supported: zod.default.array(zod.default.object({ id: zod.default.string().optional() }).loose())
+}).loose().transform(({ authorization_server, credentials_supported,...rest }) => {
 	return {
 		...rest,
 		...authorization_server ? { authorization_servers: [authorization_server] } : {},
 		credential_configurations_supported: Object.fromEntries(credentials_supported.map((supported) => supported.id ? [supported.id, supported] : void 0).filter((i) => i !== void 0))
 	};
-}).pipe(zod.default.object({ credential_configurations_supported: zod.default.record(zod.default.string(), zCredentialConfigurationSupportedDraft11To16) }).passthrough()).pipe(zCredentialIssuerMetadataDraft14Draft15Draft16);
+}).pipe(zod.default.object({ credential_configurations_supported: zod.default.record(zod.default.string(), zCredentialConfigurationSupportedDraft11To16) }).loose()).pipe(zCredentialIssuerMetadataDraft14Draft15Draft16);
 const zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Draft15Draft16.transform((issuerMetadata) => ({
 	...issuerMetadata,
 	...issuerMetadata.authorization_servers ? { authorization_server: issuerMetadata.authorization_servers[0] } : {},
@@ -762,8 +769,11 @@ const wellKnownCredentialIssuerSuffix = ".well-known/openid-credential-issuer";
 * @inheritdoc {@link fetchWellKnownMetadata}
 */
 async function fetchCredentialIssuerMetadata(credentialIssuer, fetch) {
-	const wellKnownMetadataUrl = (0, __openid4vc_utils.joinUriParts)(credentialIssuer, [wellKnownCredentialIssuerSuffix]);
-	const result = await (0, __openid4vc_oauth2.fetchWellKnownMetadata)(wellKnownMetadataUrl, zCredentialIssuerMetadataWithDraftVersion, fetch);
+	const parsedIssuerUrl = new __openid4vc_utils.URL(credentialIssuer);
+	const legacyWellKnownMetadataUrl = (0, __openid4vc_utils.joinUriParts)(credentialIssuer, [wellKnownCredentialIssuerSuffix]);
+	const wellKnownMetadataUrl = (0, __openid4vc_utils.joinUriParts)(parsedIssuerUrl.origin, [wellKnownCredentialIssuerSuffix, parsedIssuerUrl.pathname]);
+	let result = await (0, __openid4vc_oauth2.fetchWellKnownMetadata)(wellKnownMetadataUrl, zCredentialIssuerMetadataWithDraftVersion, fetch);
+	if (!result && legacyWellKnownMetadataUrl !== wellKnownMetadataUrl) result = await (0, __openid4vc_oauth2.fetchWellKnownMetadata)(legacyWellKnownMetadataUrl, zCredentialIssuerMetadataWithDraftVersion, fetch);
 	if (result && result.credentialIssuerMetadata.credential_issuer !== credentialIssuer) throw new __openid4vc_oauth2.Oauth2Error(`The 'credential_issuer' parameter '${result.credentialIssuerMetadata.credential_issuer}' in the well known credential issuer metadata at '${wellKnownMetadataUrl}' does not match the provided credential issuer '${credentialIssuer}'.`);
 	return result;
 }
@@ -979,16 +989,16 @@ const zCredentialRequestProofJwt = zod.default.object({
 const zCredentialRequestJwtProofTypeHeader = __openid4vc_oauth2.zJwtHeader.merge(zod.default.object({
 	key_attestation: zod.default.optional(__openid4vc_oauth2.zCompactJwt),
 	typ: zod.default.literal("openid4vci-proof+jwt")
-})).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, { message: `Both 'jwk' and 'kid' are defined. Only one is allowed` }).refine(({ trust_chain, kid }) => !trust_chain || !kid, { message: `When 'trust_chain' is provided, 'kid' is required` });
+})).loose().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, { message: `Both 'jwk' and 'kid' are defined. Only one is allowed` }).refine(({ trust_chain, kid }) => !trust_chain || !kid, { message: `When 'trust_chain' is provided, 'kid' is required` });
 const zCredentialRequestJwtProofTypePayload = zod.default.object({
 	...__openid4vc_oauth2.zJwtPayload.shape,
 	aud: __openid4vc_utils.zHttpsUrl,
 	iat: __openid4vc_utils.zInteger
-}).passthrough();
+}).loose();
 //#endregion
 //#region src/credential-request/z-credential-request-common.ts
-const zCredentialRequestProofCommon = zod.default.object({ proof_type: zod.default.string() }).passthrough();
+const zCredentialRequestProofCommon = zod.default.object({ proof_type: zod.default.string() }).loose();
 const allCredentialRequestProofs = [zCredentialRequestProofJwt, zCredentialRequestProofAttestation];
 const zCredentialRequestProof = zod.default.union([zCredentialRequestProofCommon, zod.default.discriminatedUnion("proof_type", allCredentialRequestProofs)]);
 const zCredentialRequestProofsCommon = zod.default.record(zod.default.string(), zod.default.array(zod.default.unknown()));
@@ -1003,8 +1013,8 @@ const zCredentialRequestCommon = zod.default.object({
 		jwk: __openid4vc_oauth2.zJwk,
 		alg: zod.default.string(),
 		enc: zod.default.string()
-	}).passthrough().optional()
-}).passthrough().refine(({ proof, proofs }) => !(proof !== void 0 && proofs !== void 0), { message: `Both 'proof' and 'proofs' are defined. Only one is allowed` });
+	}).loose().optional()
+}).loose().refine(({ proof, proofs }) => !(proof !== void 0 && proofs !== void 0), { message: `Both 'proof' and 'proofs' are defined. Only one is allowed` });
 //#endregion
 //#region src/credential-request/z-credential-request.ts
@@ -1031,12 +1041,15 @@ const zCredentialRequestFormat = zod.default.object({
 	format: zod.default.string(),
 	credential_identifier: zod.default.never({ message: "'credential_identifier' cannot be defined when 'format' is set." }).optional(),
 	credential_configuration_id: zod.default.never({ message: "'credential_configuration_id' cannot be defined when 'format' is set." }).optional()
-}).passthrough();
+}).loose();
 const zCredentialRequestDraft14WithFormat = zCredentialRequestCommon.and(zCredentialRequestFormat).transform((data, ctx) => {
 	if (!allCredentialRequestFormatIdentifiers.includes(data.format)) return data;
-	const result = zod.default.object({}).passthrough().and(zod.default.union(allCredentialRequestFormats)).safeParse(data);
+	const result = zod.default.object({}).loose().and(zod.default.union(allCredentialRequestFormats)).safeParse(data);
 	if (result.success) return result.data;
-	for (const issue of result.error.issues) ctx.addIssue(issue);
+	for (const issue of result.error.issues) ctx.addIssue({
+		...issue,
+		code: issue.code
+	});
 	return zod.default.NEVER;
 });
 const zCredentialRequestDraft15 = zod.default.union([zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest), zCredentialRequestCommon.and(zCredentialRequestCredentialConfigurationId)]);
@@ -1050,10 +1063,22 @@ const zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRe
 	if (!Object.keys(formatSpecificTransformations).includes(data.format)) return data;
 	const result = formatSpecificTransformations[data.format].safeParse(data);
 	if (result.success) return result.data;
-	for (const issue of result.error.issues) ctx.addIssue(issue);
+	for (const issue of result.error.issues) ctx.addIssue({
+		...issue,
+		code: issue.code
+	});
 	return zod.default.NEVER;
 }).pipe(zCredentialRequestDraft14);
-const zCredentialRequestDraft14To11 = zCredentialRequestDraft14.refine((data) => data.credential_identifier === void 0, `'credential_identifier' is not supported in OpenID4VCI draft 11`).transform((data, ctx) => {
+const zCredentialRequestDraft14To11 = zCredentialRequestDraft14.transform((data, ctx) => {
+	if (data.credential_identifier !== void 0) {
+		ctx.addIssue({
+			code: "custom",
+			continue: false,
+			message: `'credential_identifier' is not supported in OpenID4VCI draft 11`,
+			path: ["credential_identifier"]
+		});
+		return zod.default.NEVER;
+	}
 	const formatSpecificTransformations = {
 		[zLdpVcFormatIdentifier.value]: zLdpVcCredentialRequestDraft14To11,
 		[zJwtVcJsonFormatIdentifier.value]: zJwtVcJsonCredentialRequestDraft14To11,
@@ -1062,7 +1087,10 @@ const zCredentialRequestDraft14To11 = zCredentialRequestDraft14.refine((data) =>
 	if (!Object.keys(formatSpecificTransformations).includes(data.format)) return data;
 	const result = formatSpecificTransformations[data.format].safeParse(data);
 	if (result.success) return result.data;
-	for (const issue of result.error.issues) ctx.addIssue(issue);
+	for (const issue of result.error.issues) ctx.addIssue({
+		...issue,
+		code: issue.code
+	});
 	return zod.default.NEVER;
 });
 const zCredentialRequest = zod.default.union([
@@ -1076,7 +1104,7 @@ const zDeferredCredentialRequest = zod.default.object({
 		jwk: __openid4vc_oauth2.zJwk,
 		alg: zod.default.string(),
 		enc: zod.default.string()
-	}).passthrough().optional()
+	}).loose().optional()
 });
 //#endregion
@@ -1121,10 +1149,10 @@ let Oauth2ErrorCodes$2 = /* @__PURE__ */ function(Oauth2ErrorCodes$3) {
 	return Oauth2ErrorCodes$3;
 }({});
 const zOauth2ErrorResponse = zod.default.object({
-	error: zod.default.union([zod.default.nativeEnum(Oauth2ErrorCodes$2), zod.default.string()]),
+	error: zod.default.union([zod.default.enum(Oauth2ErrorCodes$2), zod.default.string()]),
 	error_description: zod.default.string().optional(),
 	error_uri: zod.default.string().optional()
-}).passthrough();
+}).loose();
 //#endregion
 //#region src/credential-request/z-credential-response.ts
@@ -1133,28 +1161,28 @@ const zBaseCredentialResponse = zod.default.object({
 	credentials: zod.default.union([zod.default.array(zod.default.object({ credential: zCredentialEncoding })), zod.default.array(zCredentialEncoding)]).optional(),
 	interval: zod.default.number().int().positive().optional(),
 	notification_id: zod.default.string().optional()
-}).passthrough();
+}).loose();
 const zCredentialResponse = zBaseCredentialResponse.extend({
 	credential: zod.default.optional(zCredentialEncoding),
 	transaction_id: zod.default.string().optional(),
 	c_nonce: zod.default.string().optional(),
 	c_nonce_expires_in: zod.default.number().int().optional()
-}).passthrough().superRefine((value, ctx) => {
+}).loose().superRefine((value, ctx) => {
 	const { credential, credentials, transaction_id, interval, notification_id } = value;
 	if ([
 		credential,
 		credentials,
 		transaction_id
 	].filter((i) => i !== void 0).length !== 1) ctx.addIssue({
-		code: zod.default.ZodIssueCode.custom,
+		code: "custom",
 		message: `Exactly one of 'credential', 'credentials', or 'transaction_id' MUST be defined.`
 	});
 	if (transaction_id && !interval) ctx.addIssue({
-		code: zod.default.ZodIssueCode.custom,
+		code: "custom",
 		message: `'interval' MUST be defined when 'transaction_id' is defined.`
 	});
 	if (notification_id && !(credentials || credential)) ctx.addIssue({
-		code: zod.default.ZodIssueCode.custom,
+		code: "custom",
 		message: `'notification_id' MUST NOT be defined when 'credential' or 'credentials' are not defined.`
 	});
 });
@@ -1162,7 +1190,7 @@ const zCredentialErrorResponse = zod.default.object({
 	...zOauth2ErrorResponse.shape,
 	c_nonce: zod.default.string().optional(),
 	c_nonce_expires_in: zod.default.number().int().optional()
-}).passthrough();
+}).loose();
 const zDeferredCredentialResponse = zBaseCredentialResponse.refine((value) => {
 	const { credentials, interval } = value;
 	return [credentials, interval].filter((i) => i !== void 0).length === 1;
@@ -1388,7 +1416,7 @@ async function resolveIssuerMetadata(credentialIssuer, options) {
 const zNonceResponse = zod.default.object({
 	c_nonce: zod.default.string(),
 	c_nonce_expires_in: zod.default.optional(__openid4vc_utils.zInteger)
-}).passthrough();
+}).loose();
 //#endregion
 //#region src/nonce/nonce-request.ts
@@ -1427,8 +1455,8 @@ const zNotificationRequest = zod.default.object({
 	notification_id: zod.default.string(),
 	event: zNotificationEvent,
 	event_description: zod.default.optional(zod.default.string())
-}).passthrough();
-const zNotificationErrorResponse = zod.default.object({ error: zod.default.enum(["invalid_notification_id", "invalid_notification_request"]) }).passthrough();
+}).loose();
+const zNotificationErrorResponse = zod.default.object({ error: zod.default.enum(["invalid_notification_id", "invalid_notification_request"]) }).loose();
 //#endregion
 //#region src/notification/notification.ts