@openid4vc/openid4vci 0.3.0-alpha-20251017102623 → 0.3.0-alpha-20251017122507

package/dist/index.mjs

@@ -17,23 +17,23 @@ const zTxCode = z.object({
 	input_mode: z.union([z.literal("numeric"), z.literal("text")]).optional(),
 	length: z.number().int().optional(),
 	description: z.string().max(300).optional()
-}).passthrough();
+}).loose();
 const zCredentialOfferGrants = z.object({
 	authorization_code: z.object({
 		issuer_state: z.string().optional(),
 		authorization_server: zHttpsUrl.optional()
-	}).passthrough().optional(),
+	}).loose().optional(),
 	[preAuthorizedCodeGrantIdentifier]: z.object({
 		"pre-authorized_code": z.string(),
 		tx_code: zTxCode.optional(),
 		authorization_server: zHttpsUrl.optional()
-	}).passthrough().optional()
-}).passthrough();
+	}).loose().optional()
+}).loose();
 const zCredentialOfferObjectDraft14 = z.object({
 	credential_issuer: zHttpsUrl,
 	credential_configuration_ids: z.array(z.string()),
 	grants: z.optional(zCredentialOfferGrants)
-}).passthrough();
+}).loose();
 const zCredentialOfferObjectDraft11To14 = z.object({
 	credential_issuer: zHttpsUrl,
 	credentials: z.array(z.string({ message: "Only string credential identifiers are supported for draft 11 credential offers" })),
@@ -42,9 +42,9 @@ const zCredentialOfferObjectDraft11To14 = z.object({
 		[preAuthorizedCodeGrantIdentifier]: z.object({
 			"pre-authorized_code": z.string(),
 			user_pin_required: z.optional(z.boolean())
-		}).passthrough().optional()
+		}).loose().optional()
 	}))
-}).passthrough().transform(({ credentials, grants,...rest }) => {
+}).loose().transform(({ credentials, grants,...rest }) => {
 	const v14 = {
 		...rest,
 		credential_configuration_ids: credentials
@@ -151,14 +151,15 @@ const zCredentialConfigurationSupportedClaimsDescriptionDraft14 = z.object({
 	display: z.array(z.object({
 		name: z.string().optional(),
 		locale: z.string().optional()
-	}).passthrough()).optional()
-}).passthrough();
+	}).loose()).optional()
+}).loose();
 const zCredentialConfigurationSupportedClaimsDraft14 = z.record(z.string(), z.union([zCredentialConfigurationSupportedClaimsDescriptionDraft14, z.lazy(() => zCredentialConfigurationSupportedClaimsDraft14)]));
-const zClaimsDescriptionPath = z.array(z.union([
+const zClaimDescriptionPathValue = z.union([
 	z.string(),
 	z.number().int().nonnegative(),
 	z.null()
-])).nonempty();
+]);
+const zClaimsDescriptionPath = z.tuple([zClaimDescriptionPathValue], zClaimDescriptionPathValue);
 const zMsoMdocClaimsDescriptionPath = z.tuple([z.string(), z.string()], { message: "mso_mdoc claims description path MUST be an array with exactly two string elements, pointing to the namespace and element identifier within an mdoc credential" });
 const zIssuerMetadataClaimsDescription = z.object({
 	path: zClaimsDescriptionPath,
@@ -166,8 +167,8 @@ const zIssuerMetadataClaimsDescription = z.object({
 	display: z.array(z.object({
 		name: z.string().optional(),
 		locale: z.string().optional()
-	}).passthrough()).optional()
-}).passthrough();
+	}).loose()).optional()
+}).loose();
 const zMsoMdocIssuerMetadataClaimsDescription = zIssuerMetadataClaimsDescription.extend({ path: zMsoMdocClaimsDescriptionPath });
 
 //#endregion
@@ -175,7 +176,7 @@ const zMsoMdocIssuerMetadataClaimsDescription = zIssuerMetadataClaimsDescription
 const zKeyAttestationJwtHeader = z.object({
 	...zJwtHeader.shape,
 	typ: z.literal("keyattestation+jwt").or(z.literal("key-attestation+jwt"))
-}).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, { message: `Both 'jwk' and 'kid' are defined. Only one is allowed` }).refine(({ trust_chain, kid }) => !trust_chain || !kid, { message: `When 'trust_chain' is provided, 'kid' is required` });
+}).loose().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, { message: `Both 'jwk' and 'kid' are defined. Only one is allowed` }).refine(({ trust_chain, kid }) => !trust_chain || !kid, { message: `When 'trust_chain' is provided, 'kid' is required` });
 const zIso18045 = z.enum([
 	"iso_18045_high",
 	"iso_18045_moderate",
@@ -189,13 +190,13 @@ const zKeyAttestationJwtPayload = z.object({
 	attested_keys: z.array(zJwk),
 	key_storage: z.optional(zIso18045OrStringArray),
 	user_authentication: z.optional(zIso18045OrStringArray),
-	certification: z.optional(z.string().url())
-}).passthrough();
+	certification: z.optional(z.url())
+}).loose();
 const zKeyAttestationJwtPayloadForUse = (use) => z.object({
 	...zKeyAttestationJwtPayload.shape,
 	nonce: use === "proof_type.attestation" ? z.string({ message: `Nonce must be defined when key attestation is used as 'proof_type.attestation' directly` }) : z.optional(z.string()),
 	exp: use === "proof_type.jwt" ? zInteger : z.optional(zInteger)
-}).passthrough();
+}).loose();
 
 //#endregion
 //#region src/metadata/credential-issuer/z-credential-configuration-supported-common.ts
@@ -205,12 +206,12 @@ const zCredentialConfigurationSupportedDisplayEntry = z.object({
 	logo: z.object({
 		uri: z.string().optional(),
 		alt_text: z.string().optional()
-	}).passthrough().optional(),
+	}).loose().optional(),
 	description: z.string().optional(),
 	background_color: z.string().optional(),
-	background_image: z.object({ uri: z.string().optional() }).passthrough().optional(),
+	background_image: z.object({ uri: z.string().optional() }).loose().optional(),
 	text_color: z.string().optional()
-}).passthrough();
+}).loose();
 const zCredentialConfigurationSupportedCommonCredentialMetadata = z.object({ display: z.array(zCredentialConfigurationSupportedDisplayEntry).optional() });
 const zCredentialConfigurationSupportedCommon = z.object({
 	format: z.string(),
@@ -226,11 +227,11 @@ const zCredentialConfigurationSupportedCommon = z.object({
 		key_attestations_required: z.object({
 			key_storage: zIso18045OrStringArray.optional(),
 			user_authentication: zIso18045OrStringArray.optional()
-		}).passthrough().optional()
+		}).loose().optional()
 	})).optional(),
 	credential_metadata: zCredentialConfigurationSupportedCommonCredentialMetadata.optional(),
 	claims: z.optional(z.never())
-}).passthrough();
+}).loose();
 const zCredentialConfigurationSupportedCommonDraft15 = z.object({
 	format: z.string(),
 	scope: z.string().optional(),
@@ -245,11 +246,11 @@ const zCredentialConfigurationSupportedCommonDraft15 = z.object({
 		key_attestations_required: z.object({
 			key_storage: zIso18045OrStringArray.optional(),
 			user_authentication: zIso18045OrStringArray.optional()
-		}).passthrough().optional()
+		}).loose().optional()
 	})).optional(),
 	display: z.array(zCredentialConfigurationSupportedDisplayEntry).optional(),
 	credential_metadata: z.optional(z.never())
-}).passthrough();
+}).loose();
 
 //#endregion
 //#region src/formats/credential/mso-mdoc/z-mso-mdoc.ts
@@ -342,8 +343,8 @@ const zCredentialSubjectLeafTypeDraft14 = z.object({
 	display: z.array(z.object({
 		name: z.string().optional(),
 		locale: z.string().optional()
-	}).passthrough()).optional()
-}).passthrough();
+	}).loose()).optional()
+}).loose();
 const zClaimValueSchemaDraft14 = z.union([
 	z.array(z.any()),
 	z.record(z.string(), z.any()),
@@ -352,14 +353,14 @@ const zClaimValueSchemaDraft14 = z.union([
 const zW3cVcCredentialSubjectDraft14 = z.record(z.string(), zClaimValueSchemaDraft14);
 const zW3cVcJsonLdCredentialDefinition = z.object({
 	"@context": z.array(z.string()),
-	type: z.array(z.string()).nonempty()
-}).passthrough();
+	type: z.tuple([z.string()], z.string())
+}).loose();
 const zW3cVcJsonLdCredentialDefinitionDraft14 = zW3cVcJsonLdCredentialDefinition.extend({ credentialSubject: zW3cVcCredentialSubjectDraft14.optional() });
 
 //#endregion
 //#region src/formats/credential/w3c-vc/z-w3c-jwt-vc-json.ts
 const zJwtVcJsonFormatIdentifier = z.literal("jwt_vc_json");
-const zJwtVcJsonCredentialDefinition = z.object({ type: z.array(z.string()).nonempty() }).passthrough();
+const zJwtVcJsonCredentialDefinition = z.object({ type: z.tuple([z.string()], z.string()) }).loose();
 const zJwtVcJsonCredentialDefinitionDraft14 = zJwtVcJsonCredentialDefinition.extend({ credentialSubject: zW3cVcCredentialSubjectDraft14.optional() });
 const zJwtVcJsonCredentialIssuerMetadata = zCredentialConfigurationSupportedCommon.extend({
 	format: zJwtVcJsonFormatIdentifier,
@@ -379,9 +380,9 @@ const zJwtVcJsonCredentialIssuerMetadataDraft14 = zCredentialConfigurationSuppor
 const zJwtVcJsonCredentialIssuerMetadataDraft11 = z.object({
 	format: zJwtVcJsonFormatIdentifier,
 	order: z.array(z.string()).optional(),
-	types: z.array(z.string()),
+	types: z.tuple([z.string()], z.string()),
 	credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
-}).passthrough();
+}).loose();
 const zJwtVcJsonCredentialIssuerMetadataDraft11To14 = zJwtVcJsonCredentialIssuerMetadataDraft11.transform(({ types, credentialSubject,...rest }) => ({
 	...rest,
 	credential_definition: {
@@ -389,7 +390,7 @@ const zJwtVcJsonCredentialIssuerMetadataDraft11To14 = zJwtVcJsonCredentialIssuer
 		...credentialSubject ? { credentialSubject } : {}
 	}
 }));
-const zJwtVcJsonCredentialIssuerMetadataDraft14To11 = zJwtVcJsonCredentialIssuerMetadataDraft14.passthrough().transform(({ credential_definition: { type,...credentialDefinition },...rest }) => ({
+const zJwtVcJsonCredentialIssuerMetadataDraft14To11 = zJwtVcJsonCredentialIssuerMetadataDraft14.loose().transform(({ credential_definition: { type,...credentialDefinition },...rest }) => ({
 	...rest,
 	types: type,
 	...credentialDefinition
@@ -400,9 +401,9 @@ const zJwtVcJsonCredentialRequestFormatDraft14 = z.object({
 });
 const zJwtVcJsonCredentialRequestDraft11 = z.object({
 	format: zJwtVcJsonFormatIdentifier,
-	types: z.array(z.string()),
+	types: z.tuple([z.string()], z.string()),
 	credentialSubject: z.optional(zW3cVcCredentialSubjectDraft14)
-}).passthrough();
+}).loose();
 const zJwtVcJsonCredentialRequestDraft11To14 = zJwtVcJsonCredentialRequestDraft11.transform(({ types, credentialSubject,...rest }) => {
 	return {
 		...rest,
@@ -412,7 +413,7 @@ const zJwtVcJsonCredentialRequestDraft11To14 = zJwtVcJsonCredentialRequestDraft1
 		}
 	};
 });
-const zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormatDraft14.passthrough().transform(({ credential_definition: { type,...credentialDefinition },...rest }) => ({
+const zJwtVcJsonCredentialRequestDraft14To11 = zJwtVcJsonCredentialRequestFormatDraft14.loose().transform(({ credential_definition: { type,...credentialDefinition },...rest }) => ({
 	...rest,
 	types: type,
 	...credentialDefinition
@@ -440,9 +441,9 @@ const zJwtVcJsonLdCredentialIssuerMetadataDraft11 = z.object({
 	order: z.array(z.string()).optional(),
 	format: zJwtVcJsonLdFormatIdentifier,
 	"@context": z.array(z.string()),
-	types: z.array(z.string()),
+	types: z.tuple([z.string()], z.string()),
 	credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
-}).passthrough();
+}).loose();
 const zJwtVcJsonLdCredentialIssuerMetadataDraft11To14 = zJwtVcJsonLdCredentialIssuerMetadataDraft11.transform(({ "@context": context, types, credentialSubject,...rest }) => ({
 	...rest,
 	credential_definition: {
@@ -451,7 +452,7 @@ const zJwtVcJsonLdCredentialIssuerMetadataDraft11To14 = zJwtVcJsonLdCredentialIs
 		...credentialSubject ? { credentialSubject } : {}
 	}
 }));
-const zJwtVcJsonLdCredentialIssuerMetadataDraft14To11 = zJwtVcJsonLdCredentialIssuerMetadataDraft14.passthrough().transform(({ credential_definition: { type,...credentialDefinition },...rest }) => ({
+const zJwtVcJsonLdCredentialIssuerMetadataDraft14To11 = zJwtVcJsonLdCredentialIssuerMetadataDraft14.loose().transform(({ credential_definition: { type,...credentialDefinition },...rest }) => ({
 	...rest,
 	...credentialDefinition,
 	types: type
@@ -464,10 +465,10 @@ const zJwtVcJsonLdCredentialRequestDraft11 = z.object({
 	format: zJwtVcJsonLdFormatIdentifier,
 	credential_definition: z.object({
 		"@context": z.array(z.string()),
-		types: z.array(z.string()),
+		types: z.tuple([z.string()], z.string()),
 		credentialSubject: z.optional(zW3cVcCredentialSubjectDraft14)
-	}).passthrough()
-}).passthrough();
+	}).loose()
+}).loose();
 const zJwtVcJsonLdCredentialRequestDraft11To14 = zJwtVcJsonLdCredentialRequestDraft11.transform(({ credential_definition: { types,...restCredentialDefinition },...rest }) => ({
 	...rest,
 	credential_definition: {
@@ -475,7 +476,7 @@ const zJwtVcJsonLdCredentialRequestDraft11To14 = zJwtVcJsonLdCredentialRequestDr
 		type: types
 	}
 }));
-const zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestFormatDraft14.passthrough().transform(({ credential_definition: { type,...restCredentialDefinition },...rest }) => ({
+const zJwtVcJsonLdCredentialRequestDraft14To11 = zJwtVcJsonLdCredentialRequestFormatDraft14.loose().transform(({ credential_definition: { type,...restCredentialDefinition },...rest }) => ({
 	...rest,
 	credential_definition: {
 		...restCredentialDefinition,
@@ -505,9 +506,9 @@ const zLdpVcCredentialIssuerMetadataDraft11 = z.object({
 	order: z.array(z.string()).optional(),
 	format: zLdpVcFormatIdentifier,
 	"@context": z.array(z.string()),
-	types: z.array(z.string()),
+	types: z.tuple([z.string()], z.string()),
 	credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
-}).passthrough();
+}).loose();
 const zLdpVcCredentialIssuerMetadataDraft11To14 = zLdpVcCredentialIssuerMetadataDraft11.transform(({ "@context": context, types, credentialSubject,...rest }) => ({
 	...rest,
 	credential_definition: {
@@ -516,7 +517,7 @@ const zLdpVcCredentialIssuerMetadataDraft11To14 = zLdpVcCredentialIssuerMetadata
 		...credentialSubject ? { credentialSubject } : {}
 	}
 }));
-const zLdpVcCredentialIssuerMetadataDraft14To11 = zLdpVcCredentialIssuerMetadataDraft14.passthrough().transform(({ credential_definition: { type,...credentialDefinition },...rest }) => ({
+const zLdpVcCredentialIssuerMetadataDraft14To11 = zLdpVcCredentialIssuerMetadataDraft14.loose().transform(({ credential_definition: { type,...credentialDefinition },...rest }) => ({
 	...rest,
 	...credentialDefinition,
 	types: type
@@ -529,10 +530,10 @@ const zLdpVcCredentialRequestDraft11 = z.object({
 	format: zLdpVcFormatIdentifier,
 	credential_definition: z.object({
 		"@context": z.array(z.string()),
-		types: z.array(z.string()),
+		types: z.tuple([z.string()], z.string()),
 		credentialSubject: zW3cVcCredentialSubjectDraft14.optional()
 	})
-}).passthrough();
+}).loose();
 const zLdpVcCredentialRequestDraft11To14 = zLdpVcCredentialRequestDraft11.transform(({ credential_definition: { types,...restCredentialDefinition },...rest }) => ({
 	...rest,
 	credential_definition: {
@@ -540,7 +541,7 @@ const zLdpVcCredentialRequestDraft11To14 = zLdpVcCredentialRequestDraft11.transf
 		type: types
 	}
 }));
-const zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormatDraft14.passthrough().transform(({ credential_definition: { type,...restCredentialDefinition },...rest }) => ({
+const zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormatDraft14.loose().transform(({ credential_definition: { type,...restCredentialDefinition },...rest }) => ({
 	...rest,
 	credential_definition: {
 		...restCredentialDefinition,
@@ -551,7 +552,7 @@ const zLdpVcCredentialRequestDraft14To11 = zLdpVcCredentialRequestFormatDraft14.
 //#endregion
 //#region src/formats/credential/w3c-vc/z-w3c-sd-jwt-vc.ts
 const zSdJwtW3VcFormatIdentifier = z.literal("vc+sd-jwt");
-const zSdJwtW3VcCredentialDefinition = z.object({ type: z.array(z.string()).nonempty() }).passthrough();
+const zSdJwtW3VcCredentialDefinition = z.object({ type: z.tuple([z.string()], z.string()) }).loose();
 const zSdJwtW3VcCredentialIssuerMetadata = zCredentialConfigurationSupportedCommon.extend({
 	format: zSdJwtW3VcFormatIdentifier,
 	credential_definition: zSdJwtW3VcCredentialDefinition,
@@ -596,9 +597,12 @@ const allCredentialIssuerMetadataFormatIdentifiers = allCredentialIssuerMetadata
 const zCredentialConfigurationSupportedWithFormats = z.union([zCredentialConfigurationSupportedCommon, zCredentialConfigurationSupportedCommonDraft15]).transform((data, ctx) => {
 	if (!allCredentialIssuerMetadataFormatIdentifiers.includes(data.format)) return data;
 	const validators = allCredentialIssuerMetadataFormats.filter((formatValidator) => formatValidator.shape.format.value === data.format);
-	const result = z.object({}).passthrough().and(validators.length > 1 ? z.union(validators) : validators[0]).safeParse(data);
+	const result = z.object({}).loose().and(validators.length > 1 ? z.union(validators) : validators[0]).safeParse(data);
 	if (result.success) return result.data;
-	for (const issue of result.error.issues) ctx.addIssue(issue);
+	for (const issue of result.error.issues) ctx.addIssue({
+		...issue,
+		code: issue.code
+	});
 	return z.NEVER;
 });
 const zCredentialIssuerMetadataDisplayEntry = z.object({
@@ -607,8 +611,8 @@ const zCredentialIssuerMetadataDisplayEntry = z.object({
 	logo: z.object({
 		uri: z.string().optional(),
 		alt_text: z.string().optional()
-	}).passthrough().optional()
-}).passthrough();
+	}).loose().optional()
+}).loose();
 const zCredentialIssuerMetadataDraft14Draft15Draft16 = z.object({
 	credential_issuer: zHttpsUrl,
 	authorization_servers: z.array(zHttpsUrl).optional(),
@@ -620,22 +624,22 @@ const zCredentialIssuerMetadataDraft14Draft15Draft16 = z.object({
 		alg_values_supported: z.array(z.string()),
 		enc_values_supported: z.array(z.string()),
 		encryption_required: z.boolean()
-	}).passthrough().optional(),
-	batch_credential_issuance: z.object({ batch_size: z.number().positive() }).passthrough().optional(),
+	}).loose().optional(),
+	batch_credential_issuance: z.object({ batch_size: z.number().positive() }).loose().optional(),
 	signed_metadata: zCompactJwt.optional(),
 	display: z.array(zCredentialIssuerMetadataDisplayEntry).optional(),
 	credential_configurations_supported: z.record(z.string(), zCredentialConfigurationSupportedWithFormats)
-}).passthrough();
+}).loose();
 const zCredentialConfigurationSupportedDraft11To16 = z.object({
 	id: z.string().optional(),
 	format: z.string(),
 	cryptographic_suites_supported: z.array(z.string()).optional(),
 	display: z.array(z.object({
-		logo: z.object({ url: z.string().url().optional() }).passthrough().optional(),
-		background_image: z.object({ url: z.string().url().optional() }).passthrough().optional()
-	}).passthrough()).optional(),
+		logo: z.object({ url: z.url().optional() }).loose().optional(),
+		background_image: z.object({ url: z.url().optional() }).loose().optional()
+	}).loose()).optional(),
 	claims: z.any().optional()
-}).passthrough().transform(({ cryptographic_suites_supported, display, claims, id,...rest }) => ({
+}).loose().transform(({ cryptographic_suites_supported, display, claims, id,...rest }) => ({
 	...rest,
 	...cryptographic_suites_supported ? { credential_signing_alg_values_supported: cryptographic_suites_supported } : {},
 	...claims || display ? { credential_metadata: {
@@ -655,13 +659,16 @@ const zCredentialConfigurationSupportedDraft11To16 = z.object({
 	if (!Object.keys(formatSpecificTransformations).includes(data.format)) return data;
 	const result = formatSpecificTransformations[data.format].safeParse(data);
 	if (result.success) return result.data;
-	for (const issue of result.error.issues) ctx.addIssue(issue);
+	for (const issue of result.error.issues) ctx.addIssue({
+		...issue,
+		code: issue.code
+	});
 	return z.NEVER;
 }).pipe(zCredentialConfigurationSupportedWithFormats);
 const zCredentialConfigurationSupportedDraft16To11 = zCredentialConfigurationSupportedWithFormats.transform(({ credential_metadata,...rest }) => ({
 	...credential_metadata,
 	...rest
-})).and(z.object({ id: z.string() }).passthrough()).transform(({ id, credential_signing_alg_values_supported, display, proof_types_supported, scope,...rest }) => ({
+})).and(z.object({ id: z.string() }).loose()).transform(({ id, credential_signing_alg_values_supported, display, proof_types_supported, scope,...rest }) => ({
 	...rest,
 	...credential_signing_alg_values_supported ? { cryptographic_suites_supported: credential_signing_alg_values_supported } : {},
 	...display ? { display: display.map(({ logo, background_image,...displayRest }) => {
@@ -688,18 +695,18 @@ const zCredentialConfigurationSupportedDraft16To11 = zCredentialConfigurationSup
 		zLdpVcFormatIdentifier.value,
 		zJwtVcJsonFormatIdentifier.value,
 		zJwtVcJsonLdFormatIdentifier.value
-	].includes(input)) }).passthrough()
+	].includes(input)) }).loose()
 ]));
 const zCredentialIssuerMetadataDraft11To16 = z.object({
 	authorization_server: z.string().optional(),
-	credentials_supported: z.array(z.object({ id: z.string().optional() }).passthrough())
-}).passthrough().transform(({ authorization_server, credentials_supported,...rest }) => {
+	credentials_supported: z.array(z.object({ id: z.string().optional() }).loose())
+}).loose().transform(({ authorization_server, credentials_supported,...rest }) => {
 	return {
 		...rest,
 		...authorization_server ? { authorization_servers: [authorization_server] } : {},
 		credential_configurations_supported: Object.fromEntries(credentials_supported.map((supported) => supported.id ? [supported.id, supported] : void 0).filter((i) => i !== void 0))
 	};
-}).pipe(z.object({ credential_configurations_supported: z.record(z.string(), zCredentialConfigurationSupportedDraft11To16) }).passthrough()).pipe(zCredentialIssuerMetadataDraft14Draft15Draft16);
+}).pipe(z.object({ credential_configurations_supported: z.record(z.string(), zCredentialConfigurationSupportedDraft11To16) }).loose()).pipe(zCredentialIssuerMetadataDraft14Draft15Draft16);
 const zCredentialIssuerMetadataWithDraft11 = zCredentialIssuerMetadataDraft14Draft15Draft16.transform((issuerMetadata) => ({
 	...issuerMetadata,
 	...issuerMetadata.authorization_servers ? { authorization_server: issuerMetadata.authorization_servers[0] } : {},
@@ -736,8 +743,11 @@ const wellKnownCredentialIssuerSuffix = ".well-known/openid-credential-issuer";
 * @inheritdoc {@link fetchWellKnownMetadata}
 */
 async function fetchCredentialIssuerMetadata(credentialIssuer, fetch) {
-	const wellKnownMetadataUrl = joinUriParts(credentialIssuer, [wellKnownCredentialIssuerSuffix]);
-	const result = await fetchWellKnownMetadata(wellKnownMetadataUrl, zCredentialIssuerMetadataWithDraftVersion, fetch);
+	const parsedIssuerUrl = new URL(credentialIssuer);
+	const legacyWellKnownMetadataUrl = joinUriParts(credentialIssuer, [wellKnownCredentialIssuerSuffix]);
+	const wellKnownMetadataUrl = joinUriParts(parsedIssuerUrl.origin, [wellKnownCredentialIssuerSuffix, parsedIssuerUrl.pathname]);
+	let result = await fetchWellKnownMetadata(wellKnownMetadataUrl, zCredentialIssuerMetadataWithDraftVersion, fetch);
+	if (!result && legacyWellKnownMetadataUrl !== wellKnownMetadataUrl) result = await fetchWellKnownMetadata(legacyWellKnownMetadataUrl, zCredentialIssuerMetadataWithDraftVersion, fetch);
 	if (result && result.credentialIssuerMetadata.credential_issuer !== credentialIssuer) throw new Oauth2Error(`The 'credential_issuer' parameter '${result.credentialIssuerMetadata.credential_issuer}' in the well known credential issuer metadata at '${wellKnownMetadataUrl}' does not match the provided credential issuer '${credentialIssuer}'.`);
 	return result;
 }
@@ -953,16 +963,16 @@ const zCredentialRequestProofJwt = z.object({
 const zCredentialRequestJwtProofTypeHeader = zJwtHeader.merge(z.object({
 	key_attestation: z.optional(zCompactJwt),
 	typ: z.literal("openid4vci-proof+jwt")
-})).passthrough().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, { message: `Both 'jwk' and 'kid' are defined. Only one is allowed` }).refine(({ trust_chain, kid }) => !trust_chain || !kid, { message: `When 'trust_chain' is provided, 'kid' is required` });
+})).loose().refine(({ kid, jwk }) => jwk === void 0 || kid === void 0, { message: `Both 'jwk' and 'kid' are defined. Only one is allowed` }).refine(({ trust_chain, kid }) => !trust_chain || !kid, { message: `When 'trust_chain' is provided, 'kid' is required` });
 const zCredentialRequestJwtProofTypePayload = z.object({
 	...zJwtPayload.shape,
 	aud: zHttpsUrl,
 	iat: zInteger
-}).passthrough();
+}).loose();
 
 //#endregion
 //#region src/credential-request/z-credential-request-common.ts
-const zCredentialRequestProofCommon = z.object({ proof_type: z.string() }).passthrough();
+const zCredentialRequestProofCommon = z.object({ proof_type: z.string() }).loose();
 const allCredentialRequestProofs = [zCredentialRequestProofJwt, zCredentialRequestProofAttestation];
 const zCredentialRequestProof = z.union([zCredentialRequestProofCommon, z.discriminatedUnion("proof_type", allCredentialRequestProofs)]);
 const zCredentialRequestProofsCommon = z.record(z.string(), z.array(z.unknown()));
@@ -977,8 +987,8 @@ const zCredentialRequestCommon = z.object({
 		jwk: zJwk,
 		alg: z.string(),
 		enc: z.string()
-	}).passthrough().optional()
-}).passthrough().refine(({ proof, proofs }) => !(proof !== void 0 && proofs !== void 0), { message: `Both 'proof' and 'proofs' are defined. Only one is allowed` });
+	}).loose().optional()
+}).loose().refine(({ proof, proofs }) => !(proof !== void 0 && proofs !== void 0), { message: `Both 'proof' and 'proofs' are defined. Only one is allowed` });
 
 //#endregion
 //#region src/credential-request/z-credential-request.ts
@@ -1005,12 +1015,15 @@ const zCredentialRequestFormat = z.object({
 	format: z.string(),
 	credential_identifier: z.never({ message: "'credential_identifier' cannot be defined when 'format' is set." }).optional(),
 	credential_configuration_id: z.never({ message: "'credential_configuration_id' cannot be defined when 'format' is set." }).optional()
-}).passthrough();
+}).loose();
 const zCredentialRequestDraft14WithFormat = zCredentialRequestCommon.and(zCredentialRequestFormat).transform((data, ctx) => {
 	if (!allCredentialRequestFormatIdentifiers.includes(data.format)) return data;
-	const result = z.object({}).passthrough().and(z.union(allCredentialRequestFormats)).safeParse(data);
+	const result = z.object({}).loose().and(z.union(allCredentialRequestFormats)).safeParse(data);
 	if (result.success) return result.data;
-	for (const issue of result.error.issues) ctx.addIssue(issue);
+	for (const issue of result.error.issues) ctx.addIssue({
+		...issue,
+		code: issue.code
+	});
 	return z.NEVER;
 });
 const zCredentialRequestDraft15 = z.union([zCredentialRequestCommon.and(zAuthorizationDetailsCredentialRequest), zCredentialRequestCommon.and(zCredentialRequestCredentialConfigurationId)]);
@@ -1024,10 +1037,22 @@ const zCredentialRequestDraft11To14 = zCredentialRequestCommon.and(zCredentialRe
 	if (!Object.keys(formatSpecificTransformations).includes(data.format)) return data;
 	const result = formatSpecificTransformations[data.format].safeParse(data);
 	if (result.success) return result.data;
-	for (const issue of result.error.issues) ctx.addIssue(issue);
+	for (const issue of result.error.issues) ctx.addIssue({
+		...issue,
+		code: issue.code
+	});
 	return z.NEVER;
 }).pipe(zCredentialRequestDraft14);
-const zCredentialRequestDraft14To11 = zCredentialRequestDraft14.refine((data) => data.credential_identifier === void 0, `'credential_identifier' is not supported in OpenID4VCI draft 11`).transform((data, ctx) => {
+const zCredentialRequestDraft14To11 = zCredentialRequestDraft14.transform((data, ctx) => {
+	if (data.credential_identifier !== void 0) {
+		ctx.addIssue({
+			code: "custom",
+			continue: false,
+			message: `'credential_identifier' is not supported in OpenID4VCI draft 11`,
+			path: ["credential_identifier"]
+		});
+		return z.NEVER;
+	}
 	const formatSpecificTransformations = {
 		[zLdpVcFormatIdentifier.value]: zLdpVcCredentialRequestDraft14To11,
 		[zJwtVcJsonFormatIdentifier.value]: zJwtVcJsonCredentialRequestDraft14To11,
@@ -1036,7 +1061,10 @@ const zCredentialRequestDraft14To11 = zCredentialRequestDraft14.refine((data) =>
 	if (!Object.keys(formatSpecificTransformations).includes(data.format)) return data;
 	const result = formatSpecificTransformations[data.format].safeParse(data);
 	if (result.success) return result.data;
-	for (const issue of result.error.issues) ctx.addIssue(issue);
+	for (const issue of result.error.issues) ctx.addIssue({
+		...issue,
+		code: issue.code
+	});
 	return z.NEVER;
 });
 const zCredentialRequest = z.union([
@@ -1050,7 +1078,7 @@ const zDeferredCredentialRequest = z.object({
 		jwk: zJwk,
 		alg: z.string(),
 		enc: z.string()
-	}).passthrough().optional()
+	}).loose().optional()
 });
 
 //#endregion
@@ -1095,10 +1123,10 @@ let Oauth2ErrorCodes$1 = /* @__PURE__ */ function(Oauth2ErrorCodes$2) {
 	return Oauth2ErrorCodes$2;
 }({});
 const zOauth2ErrorResponse = z.object({
-	error: z.union([z.nativeEnum(Oauth2ErrorCodes$1), z.string()]),
+	error: z.union([z.enum(Oauth2ErrorCodes$1), z.string()]),
 	error_description: z.string().optional(),
 	error_uri: z.string().optional()
-}).passthrough();
+}).loose();
 
 //#endregion
 //#region src/credential-request/z-credential-response.ts
@@ -1107,28 +1135,28 @@ const zBaseCredentialResponse = z.object({
 	credentials: z.union([z.array(z.object({ credential: zCredentialEncoding })), z.array(zCredentialEncoding)]).optional(),
 	interval: z.number().int().positive().optional(),
 	notification_id: z.string().optional()
-}).passthrough();
+}).loose();
 const zCredentialResponse = zBaseCredentialResponse.extend({
 	credential: z.optional(zCredentialEncoding),
 	transaction_id: z.string().optional(),
 	c_nonce: z.string().optional(),
 	c_nonce_expires_in: z.number().int().optional()
-}).passthrough().superRefine((value, ctx) => {
+}).loose().superRefine((value, ctx) => {
 	const { credential, credentials, transaction_id, interval, notification_id } = value;
 	if ([
 		credential,
 		credentials,
 		transaction_id
 	].filter((i) => i !== void 0).length !== 1) ctx.addIssue({
-		code: z.ZodIssueCode.custom,
+		code: "custom",
 		message: `Exactly one of 'credential', 'credentials', or 'transaction_id' MUST be defined.`
 	});
 	if (transaction_id && !interval) ctx.addIssue({
-		code: z.ZodIssueCode.custom,
+		code: "custom",
 		message: `'interval' MUST be defined when 'transaction_id' is defined.`
 	});
 	if (notification_id && !(credentials || credential)) ctx.addIssue({
-		code: z.ZodIssueCode.custom,
+		code: "custom",
 		message: `'notification_id' MUST NOT be defined when 'credential' or 'credentials' are not defined.`
 	});
 });
@@ -1136,7 +1164,7 @@ const zCredentialErrorResponse = z.object({
 	...zOauth2ErrorResponse.shape,
 	c_nonce: z.string().optional(),
 	c_nonce_expires_in: z.number().int().optional()
-}).passthrough();
+}).loose();
 const zDeferredCredentialResponse = zBaseCredentialResponse.refine((value) => {
 	const { credentials, interval } = value;
 	return [credentials, interval].filter((i) => i !== void 0).length === 1;
@@ -1362,7 +1390,7 @@ async function resolveIssuerMetadata(credentialIssuer, options) {
 const zNonceResponse = z.object({
 	c_nonce: z.string(),
 	c_nonce_expires_in: z.optional(zInteger)
-}).passthrough();
+}).loose();
 
 //#endregion
 //#region src/nonce/nonce-request.ts
@@ -1401,8 +1429,8 @@ const zNotificationRequest = z.object({
 	notification_id: z.string(),
 	event: zNotificationEvent,
 	event_description: z.optional(z.string())
-}).passthrough();
-const zNotificationErrorResponse = z.object({ error: z.enum(["invalid_notification_id", "invalid_notification_request"]) }).passthrough();
+}).loose();
+const zNotificationErrorResponse = z.object({ error: z.enum(["invalid_notification_id", "invalid_notification_request"]) }).loose();
 
 //#endregion
 //#region src/notification/notification.ts