@openmobilehub/attestomcp-gate 0.1.0

package/dist/ceremony/credential-gate/page.js

@@ -0,0 +1,136 @@
+import { pageHead, brandHeader, progressRail, trustFooter } from "../theme.js";
+function escapeHtml(s) {
+    return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+}
+export function renderCredentialPage(args) {
+    const minimumAge = args.minimumAge ?? 21;
+    const percent = args.percent ?? 10;
+    const isAge = args.kind === "age";
+    const title = isAge ? `Verify your age (${minimumAge}+)` : "Apply membership discount";
+    const lede = isAge
+        ? `Your cart contains age-restricted items. Present a digital ID so we can confirm you are ${minimumAge} or older. Nothing is stored — only an over-${minimumAge} check.`
+        : `Present your membership credential to take ${percent}% off your cart. Optional — your purchase works without it.`;
+    const cta = isAge ? `Verify with my digital ID` : `Present membership credential`;
+    const demoCta = isAge ? `Verify age (instant demo)` : `Apply membership (instant demo)`;
+    // The canonical positive claim the instant-demo button presents — it goes
+    // through the SAME server-side explicit-positive-claim check as a real wallet.
+    const demoClaims = isAge ? { [`age_over_${minimumAge}`]: true } : { membership_number: "DEMO-MEMBER-0001" };
+    const totalLine = args.total != null ? `<p class="small amount">Order ${escapeHtml(args.order)} · ${escapeHtml(args.currency ?? "USD")} ${args.total}</p>` : "";
+    const returnUrl = args.returnUrl ?? `/checkout?order=${encodeURIComponent(args.order)}`;
+    // Identity-first tagline + the progress rail with THIS gate marked current. The age
+    // gate is step 0 (Age) of Age · Membership · Pay; membership is the middle step.
+    const tagline = isAge ? "Present a digital ID" : "Present a membership credential";
+    const rail = isAge
+        ? progressRail([{ label: "Age" }, { label: "Membership" }, { label: "Pay" }], 0)
+        : progressRail([{ label: "Age", done: true }, { label: "Membership" }, { label: "Pay" }], 1);
+    // The PAGE-LOCAL extra styles: the calm gate-page chrome (verify log + the success
+    // banner) layered over the shared design system. The verify-progress rows reuse the
+    // shared `.step` styling; only the `#done` banner is page-specific.
+    const extraCss = `
+  .amount { font-variant-numeric: tabular-nums; }
+  #done { display:none; margin-top:16px; background:var(--accent); color:#fff; font-weight:700; padding:16px; border-radius:12px; text-align:center; }
+  #done a { color:#fff; text-decoration:underline; }`;
+    return `<!doctype html>
+<html lang="en">
+${pageHead(title, extraCss)}
+<body>
+  <div class="wrap">
+  ${brandHeader({ h1: title, tagline })}
+  ${rail}
+  <div class="card">
+    <p class="lede">${escapeHtml(lede)}</p>
+    ${totalLine}
+    <button id="go-dc" class="btn btn-primary">${escapeHtml(cta)}</button>
+    <button id="go" class="btn btn-secondary">${escapeHtml(demoCta)}</button>
+    <div id="log"></div>
+  </div>
+  <div id="done">✓ Done — returning to checkout… <a id="back" href="${escapeHtml(returnUrl)}">continue now ›</a></div>
+  ${trustFooter()}
+  <script type="module">
+    const ORDER = ${JSON.stringify(args.order)};
+    const CRED = ${JSON.stringify(args.kind)};
+    const DEMO_CLAIMS = ${JSON.stringify(demoClaims)};
+    const RETURN_URL = ${JSON.stringify(returnUrl)};
+    const log = document.getElementById("log");
+    const goDc = document.getElementById("go-dc");
+    const go = document.getElementById("go");
+    const doneEl = document.getElementById("done");
+    const step = (t, c = "") => { const d = document.createElement("div"); d.className = "step " + c; d.textContent = t; log.appendChild(d); };
+    function notice(html) { const d = document.createElement("div"); d.className = "notice"; d.innerHTML = html; log.appendChild(d); }
+    function done() {
+      goDc.disabled = true; go.disabled = true;
+      doneEl.style.display = "block";
+      // Return to the checkout hub so the next gate is one tap away (no manual
+      // browser-back). The hub re-reads verification state and shows this gate ✓.
+      setTimeout(() => { window.location.assign(RETURN_URL); }, 650);
+    }
+
+    // Pre-fetch the REAL OpenID4VP + org-iso-mdoc request so navigator.credentials.get()
+    // can be called SYNCHRONOUSLY inside the tap. iOS WebKit drops the transient user
+    // activation across an await, so we must not fetch between the click and get(). We
+    // keep a fresh pre-fetched request ready at all times. location.search carries the
+    // order + cred this gate is scoped to, so /request re-prices THIS order.
+    let reqData = null;
+    function prefetch() {
+      reqData = null;
+      fetch("/attestomcp/credential/request" + location.search).then((r) => r.json()).then((d) => { reqData = d; }).catch(() => {});
+    }
+
+    if (!navigator.credentials || !navigator.credentials.get) {
+      goDc.disabled = true;
+      notice("This browser doesn't support the Digital Credentials API (needs Chrome 141+/Android or iOS 18+). Use the <strong>instant demo</strong> button.");
+    } else {
+      prefetch();
+    }
+
+    goDc.addEventListener("click", () => {
+      if (!navigator.credentials || !navigator.credentials.get) {
+        notice("This browser doesn't support the Digital Credentials API. Use the instant-demo button.");
+        return;
+      }
+      if (!reqData || !reqData.requests) { notice("Preparing the request — tap again in a second."); prefetch(); return; }
+      goDc.disabled = true;
+      const rd = reqData;
+      step("→ navigator.credentials.get({digital}) — choose your wallet…");
+      // Called synchronously (no await before it) to keep the user activation.
+      navigator.credentials.get({ digital: { requests: rd.requests }, mediation: "required" })
+        .then(async (result) => {
+          let data = result && result.data != null ? result.data : null;
+          if (typeof data === "string") { try { data = JSON.parse(data); } catch (e) {} }
+          step("→ verify (" + ((result && result.protocol) || "?") + ")");
+          const out = await fetch("/attestomcp/credential/verify", {
+            method: "POST", headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ order: ORDER, cred: CRED, readerContextToken: rd.readerContextToken, mdocContextToken: rd.mdocContextToken, result: { protocol: (result && result.protocol) || null, data } }),
+          }).then((r) => r.json());
+          if (!out.verified) throw new Error(out.error || "not verified");
+          step("✓ verified (" + out.trust_level + ")", "ok");
+          done();
+        })
+        .catch((err) => {
+          step("✗ " + ((err && err.message) || String(err)), "err");
+          goDc.disabled = false;
+          prefetch(); // fresh request for the next attempt
+        });
+    });
+
+    go.addEventListener("click", async () => {
+      go.disabled = true;
+      try {
+        step("→ verify (presence-only)");
+        const out = await fetch("/attestomcp/credential/verify", {
+          method: "POST", headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ order: ORDER, cred: CRED, claims: DEMO_CLAIMS }),
+        }).then((r) => r.json());
+        if (!out.verified) throw new Error(out.error || "not verified");
+        step("✓ verified (" + out.trust_level + ")", "ok");
+        done();
+      } catch (err) {
+        step("✗ " + (err?.message ?? String(err)), "err");
+        go.disabled = false;
+      }
+    });
+  </script>
+  </div>
+</body>
+</html>`;
+}

package/dist/ceremony/credential-gate/request.d.ts

@@ -0,0 +1,15 @@
+import type { Origin } from "../origin.js";
+import { type CredentialDcqlOpts, type CredentialKind } from "./dcql.js";
+import type { DcqlQuery } from "../../types.js";
+export interface SignedCredentialRequest {
+    protocol: "openid4vp-v1-signed";
+    /** The ES256-signed OpenID4VP request JWT (real). */
+    request: string;
+    /** The DCQL embedded in the signed request (echoed for callers/tests). */
+    dcql_query: DcqlQuery;
+    /** Sealed reader context (ECDH key + nonce) carried to /verify. */
+    readerContextToken: string;
+    trust_level: "presence-only-demo";
+}
+/** Build the REAL signed OpenID4VP request descriptor for one credential kind. */
+export declare function buildCredentialRequest(kind: CredentialKind, origin: Origin, secret: string, opts?: CredentialDcqlOpts): Promise<SignedCredentialRequest>;

package/dist/ceremony/credential-gate/request.js

@@ -0,0 +1,43 @@
+// REAL signed OpenID4VP request for a credential (age / membership) gate. Faithfully
+// ported from the demo's payment-gate/credential-gate/request.ts — like the
+// dc-payment request but with NO transaction_data (age/membership is not a payment,
+// so there is no amount to bind). It mints a reader cert (@peculiar/x509), an
+// ephemeral ECDH response-encryption key, a fresh nonce, and ES256-signs the
+// verifier-bound request object (jose.SignJWT). The nonce is sealed alongside the
+// decryption key (sealReaderContext, a JWE) so /verify can require the wallet's
+// response to be bound to THIS request — not merely decryptable.
+//
+// The crypto here is REAL (signed request, origin/RP binding, sealed nonce + key);
+// the issuer TRUST ANCHOR is not (the reader cert is self-signed) — trust_level
+// stays presence-only-demo.
+import * as jose from "jose";
+import { makeReaderCert, makeEncryptionKey } from "../mdoc/reader.js";
+import { sealReaderContext } from "../mdoc/readerContext.js";
+import { buildCredentialDcql } from "./dcql.js";
+/** Build the REAL signed OpenID4VP request descriptor for one credential kind. */
+export async function buildCredentialRequest(kind, origin, secret, opts = {}) {
+    const { x5c, privateKey } = await makeReaderCert(origin.rpID);
+    const { encJwk, ecdhPrivateJwk } = await makeEncryptionKey();
+    const nonce = jose.base64url.encode(crypto.getRandomValues(new Uint8Array(16)));
+    const dcql = buildCredentialDcql(kind, opts);
+    const requestObject = {
+        response_type: "vp_token",
+        response_mode: "dc_api.jwt",
+        client_id: `x509_san_dns:${origin.rpID}`,
+        expected_origins: [origin.origin],
+        nonce,
+        dcql_query: dcql,
+        client_metadata: {
+            vp_formats_supported: { mso_mdoc: { issuerauth_alg_values: [-7], deviceauth_alg_values: [-7] } },
+            jwks: { keys: [encJwk] },
+        },
+    };
+    const request = await new jose.SignJWT(requestObject)
+        .setProtectedHeader({ alg: "ES256", typ: "oauth-authz-req+jwt", x5c: [x5c] })
+        .setIssuedAt()
+        .sign(privateKey);
+    // Seal the nonce alongside the decryption key so /verify can require the wallet's
+    // response to be bound to THIS request (apu/apv check), not just decrypt.
+    const readerContextToken = await sealReaderContext({ ecdhPrivateJwk, transactionDataB64: "", nonce }, secret);
+    return { protocol: "openid4vp-v1-signed", request, dcql_query: dcql, readerContextToken, trust_level: "presence-only-demo" };
+}

package/dist/ceremony/credential-gate/routes.d.ts

@@ -0,0 +1,2 @@
+import { type RailRegistrar } from "../mount.js";
+export declare const registerCredentialGate: RailRegistrar;

package/dist/ceremony/credential-gate/routes.js

@@ -0,0 +1,200 @@
+// The credential-gate rail (age + membership) — the GDC-hero MVP. Registers its
+// routes onto the host app through the Foundational mount() seam:
+//   GET  /attestomcp/credential?order=<id>&cred=<age|membership>  → the gate page
+//   GET  /attestomcp/credential/request?order=<id>&cred=<…>       → REAL OpenID4VP + org-iso-mdoc requests
+//   POST /attestomcp/credential/verify                            → instant-demo claims OR a real presentation
+//
+// Dependency-free (no `express` import — invariant from mount.ts): the handlers are
+// registered against the structural CeremonyApp.get/post, and the verify body is
+// read either from a host-installed body parser (`req.body`) or straight off the
+// request stream — so the rail works whether or not the host mounts express.json().
+//
+// EVERY route resolves the order by id THROUGH `resolveOrder` (catalog re-pricing;
+// a tampered/unknown id is refused — CT3, invariant 2), and the age threshold is
+// re-derived from the catalog-priced lines, never the token (T013, invariant 5).
+//
+// Verification has TWO paths feeding ONE policy (evaluateCredential):
+//   • instant-demo  — body carries `claims` directly (no wallet round-trip; the
+//                     tested default for the e2e + bypass suite).
+//   • real presentation — body carries `result` from navigator.credentials.get; the
+//                     wallet's response is JWE/HPKE-decrypted, nonce/origin-bound,
+//                     and the ISO-mdoc DeviceResponse parsed before the same policy
+//                     runs. Dispatched by the wallet's `result.protocol`
+//                     (openid4vp → verifyCredentialPresentation; org-iso-mdoc →
+//                     verifyMdocPresentation). The wire crypto is REAL; the issuer
+//                     trust anchor is not (trust_level presence-only-demo).
+//
+// Enforcement (CT9 / invariant 1): the verify handler grants age ONLY on the
+// explicit positive claim at the order's threshold; the OTHER half — refusing an
+// unverified age-restricted order — lives in the shared `completeOrder` seam
+// (completion.ts), so every payment rail honors it.
+import { resolveOrder } from "../mount.js";
+import { buildCredentialRequest } from "./request.js";
+import { evaluateCredential, requiredAgeForOrder, verifyCredentialPresentation } from "./verify.js";
+import { verifyMdocPresentation } from "./mdoc-verify.js";
+import { buildMdocRequestParts, sealMdocContext } from "../mdoc/mdoc-iso.js";
+import { mdocDocSpec } from "./doc-spec.js";
+import { renderCredentialPage } from "./page.js";
+function parseKind(raw) {
+    const value = Array.isArray(raw) ? raw[0] : raw;
+    return value === "age" || value === "membership" ? value : null;
+}
+function firstHeader(value) {
+    return Array.isArray(value) ? value[0] : value;
+}
+function originOf(ctx, req) {
+    const reqLike = { headers: req.headers, host: firstHeader(req.headers.host) ?? "localhost", protocol: req.protocol };
+    return ctx.origin(reqLike);
+}
+// Read the JSON body from a host-installed parser, or straight off the stream when
+// no parser ran (so the rail is self-contained — it doesn't require the host to
+// mount express.json()).
+async function readJsonBody(req) {
+    if (req.body && typeof req.body === "object")
+        return req.body;
+    try {
+        const chunks = [];
+        for await (const chunk of req) {
+            chunks.push(typeof chunk === "string" ? Buffer.from(chunk) : chunk);
+        }
+        if (chunks.length === 0)
+            return {};
+        return JSON.parse(Buffer.concat(chunks).toString("utf8"));
+    }
+    catch {
+        return {};
+    }
+}
+// Persist a successful verification, scoped to THIS order (never process-global —
+// invariant 4). Age writes the positive over-threshold claim; membership marks the
+// loyalty discount, which resolveOrder/completeOrder then re-derive exactly once.
+async function recordVerified(ctx, orderId, kind, membershipNumber) {
+    const prev = (await ctx.verificationStore.read(orderId)) ?? {};
+    if (kind === "age") {
+        await ctx.verificationStore.write(orderId, { ...prev, ageVerified: true });
+    }
+    else {
+        await ctx.verificationStore.write(orderId, { ...prev, loyalty: { applied: true, membershipNumber } });
+    }
+}
+// The membership discount percent the order applies, re-derived from the re-priced
+// order (never the token) — used to surface the membership detail.
+function percentFor(order) {
+    return order.discount > 0 && order.subtotal > 0 ? Math.round((order.discount / order.subtotal) * 100) : undefined;
+}
+export const registerCredentialGate = (app, ctx) => {
+    // The Foundational fail-fast tests mount() with a route-less app shape; only
+    // attach when the host app can actually route (CeremonyApp.get/post are optional).
+    const get = app.get?.bind(app);
+    const post = app.post?.bind(app);
+    if (!get || !post)
+        return;
+    // GET the gate page — re-priced order, presence-only honesty banner.
+    get("/attestomcp/credential", async (req, res) => {
+        const kind = parseKind(req.query.cred);
+        if (!kind) {
+            res.status(404).type("html").send("<!doctype html><h1>Unknown credential</h1>");
+            return;
+        }
+        const order = await resolveOrder(ctx, typeof req.query.order === "string" ? req.query.order : undefined);
+        if (!order) {
+            res.status(404).type("html").send("<!doctype html><h1>Order not found</h1>");
+            return;
+        }
+        res.status(200).type("html").send(renderCredentialPage({
+            kind,
+            order: order.id,
+            minimumAge: requiredAgeForOrder(order) ?? undefined,
+            total: order.total,
+            currency: order.currency,
+            percent: percentFor(order),
+        }));
+    });
+    // GET the REAL request. Offer BOTH protocols; the platform's DC API self-selects
+    // the one it supports (Android Chrome → openid4vp, iOS WebKit → org-iso-mdoc).
+    get("/attestomcp/credential/request", async (req, res) => {
+        const kind = parseKind(req.query.cred);
+        if (!kind) {
+            res.status(404).json({ error: "unknown credential" });
+            return;
+        }
+        const order = await resolveOrder(ctx, typeof req.query.order === "string" ? req.query.order : undefined);
+        if (!order) {
+            res.status(404).json({ error: "order not found" });
+            return;
+        }
+        try {
+            const minimumAge = kind === "age" ? requiredAgeForOrder(order) ?? 21 : undefined;
+            const reqOrigin = originOf(ctx, req);
+            const oid = await buildCredentialRequest(kind, reqOrigin, ctx.signingKey, { minimumAge });
+            // Signed (reader-authenticated) by default — required by iOS. ?signed=0 forces
+            // the unsigned path for diagnostics.
+            const signed = req.query.signed !== "0";
+            const mdoc = await buildMdocRequestParts(mdocDocSpec(kind, minimumAge ?? 21), reqOrigin.origin, signed);
+            const mdocContextToken = await sealMdocContext({ readerPrivateJwk: mdoc.readerPrivateJwk, base64EncryptionInfo: mdoc.base64EncryptionInfo }, ctx.signingKey);
+            res.json({
+                requests: [
+                    { protocol: "openid4vp-v1-signed", data: { request: oid.request } },
+                    { protocol: "org-iso-mdoc", data: mdoc.data },
+                ],
+                dcql_query: oid.dcql_query,
+                readerContextToken: oid.readerContextToken,
+                mdocContextToken,
+                trust_level: oid.trust_level,
+            });
+        }
+        catch (err) {
+            res.status(500).json({ error: err.message });
+        }
+    });
+    // POST verify — instant-demo claims OR a real wallet presentation. Resolve +
+    // re-price the order (CT3), evaluate the disclosed claims (explicit positive claim
+    // — CT4/CT5), write the per-order record on success.
+    post("/attestomcp/credential/verify", async (req, res) => {
+        const body = await readJsonBody(req);
+        const kind = parseKind(body.cred);
+        if (!kind) {
+            res.status(404).json({ verified: false, error: "unknown credential" });
+            return;
+        }
+        const order = await resolveOrder(ctx, typeof body.order === "string" ? body.order : undefined);
+        if (!order) {
+            res.status(400).json({ verified: false, error: "missing or invalid order" });
+            return;
+        }
+        const minimumAge = kind === "age" ? requiredAgeForOrder(order) ?? 21 : undefined;
+        const percent = kind === "membership" ? percentFor(order) : undefined;
+        try {
+            let out;
+            const result = body.result;
+            if (result && typeof result === "object") {
+                // REAL wallet presentation — dispatch by the protocol the wallet used.
+                if (result.protocol === "org-iso-mdoc") {
+                    if (typeof body.mdocContextToken !== "string") {
+                        res.status(400).json({ verified: false, error: "missing mdocContextToken for org-iso-mdoc" });
+                        return;
+                    }
+                    out = await verifyMdocPresentation({ kind, result, mdocContextToken: body.mdocContextToken, origin: originOf(ctx, req), secret: ctx.signingKey, minimumAge, percent });
+                }
+                else {
+                    if (typeof body.readerContextToken !== "string") {
+                        res.status(400).json({ verified: false, error: "missing readerContextToken for openid4vp presentation" });
+                        return;
+                    }
+                    out = await verifyCredentialPresentation({ kind, result, readerContextToken: body.readerContextToken, secret: ctx.signingKey, minimumAge, percent });
+                }
+            }
+            else {
+                // Instant-demo claims path (the tested default).
+                const claims = (body.claims && typeof body.claims === "object" ? body.claims : {});
+                out = evaluateCredential(kind, claims, { minimumAge, percent });
+            }
+            if (out.verified)
+                await recordVerified(ctx, order.id, kind, out.membershipNumber);
+            res.json(out);
+        }
+        catch (err) {
+            res.status(400).json({ verified: false, error: err.message, trust_level: "presence-only-demo" });
+        }
+    });
+};

package/dist/ceremony/credential-gate/verify.d.ts

@@ -0,0 +1,51 @@
+import type { CeremonyOrder } from "../types.js";
+import type { CredentialKind } from "./dcql.js";
+import { type DisclosedEntry } from "../mdoc/mdoc.js";
+export type { CredentialKind } from "./dcql.js";
+export interface GateResult {
+    gate: string;
+    pass: boolean;
+    detail: string;
+}
+export interface CredGateResult {
+    verified: boolean;
+    /** Membership id when a membership gate verified; null otherwise. */
+    membershipNumber: string | null;
+    gates: GateResult[];
+    /** Honesty axis — stated in the receipt, not buried in prose. */
+    trust_level: "presence-only-demo";
+}
+export interface EvaluateOpts {
+    /** The minimum age the order's products demand (age gate only; default 21). */
+    minimumAge?: number;
+    /** The membership discount percent surfaced in the gate detail (default 10). */
+    percent?: number;
+}
+/**
+ * Re-derive the age threshold this order requires from its catalog-priced lines —
+ * the strictest `minimumAge` present, or `null` when nothing is age-restricted.
+ * Always read from the (re-priced) lines, never the order token (invariant 2).
+ */
+export declare function requiredAgeForOrder(order: CeremonyOrder): number | null;
+/** True iff this order is age-restricted but carries no positive per-order age claim. */
+export declare function isAgeUnsatisfied(order: CeremonyOrder, verification: {
+    ageVerified?: boolean;
+} | undefined | null): boolean;
+/**
+ * Evaluate disclosed claims (PRESENCE-ONLY) for one credential kind. Reuses the
+ * package's `age.over(N)` / `membership.discount()` `verify()` so the positive-claim
+ * rule has a single definition.
+ */
+export declare function evaluateCredential(kind: CredentialKind, claims: Record<string, unknown>, opts?: EvaluateOpts): CredGateResult;
+export declare function verifyCredentialPresentation(args: {
+    kind: CredentialKind;
+    result: {
+        protocol?: string;
+        data?: unknown;
+    };
+    readerContextToken: string;
+    secret: string;
+    minimumAge?: number;
+    percent?: number;
+}): Promise<CredGateResult>;
+export declare function evaluateDisclosed(kind: CredentialKind, disclosed: DisclosedEntry[], opts?: EvaluateOpts): CredGateResult;

package/dist/ceremony/credential-gate/verify.js

@@ -0,0 +1,146 @@
+// Map a wallet's disclosed mdoc claims to a verified boolean for the age /
+// membership gate, and re-derive an order's age restriction from its catalog-priced
+// lines.
+//
+// TWO verification entry points, ONE policy:
+//   • evaluateCredential(kind, claims, …) — the instant-demo path. Disclosed claims
+//     are passed in directly (no wallet round-trip). The explicit-positive-claim
+//     control (Security invariant 5) still runs.
+//   • verifyCredentialPresentation(…) — the REAL OpenID4VP path. The wallet's
+//     JWE-encrypted response is decrypted (jose ECDH-ES compactDecrypt), nonce-bound
+//     to THIS request (apu/apv echo check), the ISO 18013-5 mdoc DeviceResponse is
+//     parsed, and the disclosed claims are flattened into the SAME policy check.
+//   • verifyMdocPresentation(…) (mdoc-verify.ts) — the REAL iOS org-iso-mdoc path:
+//     HPKE-decrypt the DeviceResponse bound to the web origin, then the same policy.
+//
+// TRUST_LEVEL stays "presence-only-demo" (Principle VII / FR-011). The wire crypto
+// (JWE/HPKE decryption, ECDH-ES, nonce binding, ISO-mdoc CBOR parsing) is REAL and
+// verified; what is NOT yet real is the issuer TRUST ANCHOR — the mdoc's issuer /
+// device COSE signatures are not checked against a real CA (main self-signs its
+// mdoc certs), so a self-crafted mdoc would still parse. That hardening is the
+// acknowledged future work, shared with dc-payment.
+//
+// The policy itself (what claims pass) reuses the package's own age.over(N) /
+// membership.discount() builders so the threshold + membership rules have a single
+// definition:
+//   • age      — requires the positive over-age claim AT THE ORDER'S THRESHOLD
+//                (age_over_21 === true for a 21+ gate; an age_over_18 proof is refused).
+//   • membership — requires a real, non-empty membership id. A bare token or an
+//                unrelated claim must NOT grant the discount (it lowers the bound
+//                amount, so a forged loyalty state would reduce the charge).
+import * as jose from "jose";
+import { age, membership } from "../../credentials.js";
+import { DEFAULT_LOYALTY_DISCOUNT_PCT } from "../mandate.js";
+import { openReaderContext } from "../mdoc/readerContext.js";
+import { decodeVpToken } from "../mdoc/mdoc.js";
+/**
+ * Re-derive the age threshold this order requires from its catalog-priced lines —
+ * the strictest `minimumAge` present, or `null` when nothing is age-restricted.
+ * Always read from the (re-priced) lines, never the order token (invariant 2).
+ */
+export function requiredAgeForOrder(order) {
+    const ages = order.lines
+        .map((l) => l.minimumAge)
+        .filter((a) => typeof a === "number" && a > 0);
+    return ages.length ? Math.max(...ages) : null;
+}
+/** True iff this order is age-restricted but carries no positive per-order age claim. */
+export function isAgeUnsatisfied(order, verification) {
+    return requiredAgeForOrder(order) != null && verification?.ageVerified !== true;
+}
+/**
+ * Evaluate disclosed claims (PRESENCE-ONLY) for one credential kind. Reuses the
+ * package's `age.over(N)` / `membership.discount()` `verify()` so the positive-claim
+ * rule has a single definition.
+ */
+export function evaluateCredential(kind, claims, opts = {}) {
+    if (kind === "age") {
+        const minimumAge = opts.minimumAge ?? 21;
+        // age.over(N).verify checks claims[`age_over_${N}`] === true — an explicit
+        // positive at THIS threshold (a lower-threshold proof does not satisfy it).
+        const verified = age.over(minimumAge).verify(claims);
+        return {
+            verified,
+            membershipNumber: null,
+            gates: [{ gate: `Age over ${minimumAge}`, pass: verified, detail: verified ? `age_over_${minimumAge} disclosed true` : `age_over_${minimumAge} not disclosed as true` }],
+            trust_level: "presence-only-demo",
+        };
+    }
+    const percent = opts.percent ?? DEFAULT_LOYALTY_DISCOUNT_PCT;
+    const verified = membership.discount(percent).verify(claims);
+    const membershipNumber = verified ? String(claims.membership_number) : null;
+    return {
+        verified,
+        membershipNumber,
+        gates: [{ gate: "Membership", pass: verified, detail: verified ? `member ${membershipNumber}` : "no membership id disclosed" }],
+        trust_level: "presence-only-demo",
+    };
+}
+// ── Disclosed mdoc DeviceResponse → the flat `claims` record `evaluateCredential`
+//    reads. mdoc.ts labels each claim "<namespace> / <elementId>"; we key by the
+//    bare elementId. Values can be raw or {_tag, value} (sanitized dates etc.) — a
+//    boolean (e.g. age_over_21) is preserved as a boolean so the strict
+//    `=== true` check holds; everything else is surfaced as-is. The SAME
+//    evaluateCredential policy then runs — no second source of truth for "verified".
+function flattenDisclosed(disclosed) {
+    const claims = {};
+    for (const entry of disclosed) {
+        for (const c of entry.claims) {
+            const elementId = c.label.split(" / ").pop();
+            if (!elementId)
+                continue;
+            const v = c.value;
+            claims[elementId] = v && typeof v === "object" && "value" in v
+                ? v.value
+                : v;
+        }
+    }
+    return claims;
+}
+// ── REAL OpenID4VP path (Android Chrome). Open the sealed reader context, decrypt
+//    the wallet's JWE response (jose ECDH-ES compactDecrypt), enforce nonce binding,
+//    parse the ISO 18013-5 mdoc vp_token, and run the SAME evaluateCredential policy.
+//    Faithfully ported from the demo's payment-gate/credential-gate/verify.ts. The
+//    issuer/device signature (trust anchor) is the acknowledged future work —
+//    trust_level stays presence-only-demo. ──────────────────────────────────────
+export async function verifyCredentialPresentation(args) {
+    const { kind, result, readerContextToken, secret, minimumAge, percent } = args;
+    const ctx = await openReaderContext(readerContextToken, secret);
+    let data = result?.data;
+    if (typeof data === "string") {
+        try {
+            data = JSON.parse(data);
+        }
+        catch { /* leave as string */ }
+    }
+    const jwe = data?.response;
+    if (!jwe)
+        throw new Error("no .response (JWE) in result.data");
+    // Nonce binding — reject on contradiction, accept on absence. OpenID4VP 1.0
+    // makes the apu/apv key-agreement parameters optional (the Multipaz test app
+    // sends them empty cross-device; some same-device paths echo the request nonce
+    // in apu; pre-1.0 drafts used apv), so their absence proves nothing — but a
+    // NON-EMPTY value bound to a DIFFERENT nonce is a response produced for another
+    // request, and is refused. Request-binding doesn't rest on this echo: every
+    // /request seals a fresh ephemeral decryption key with a short TTL, so a captured
+    // response only ever decrypts under the request that produced it.
+    if (!ctx.nonce)
+        throw new Error("reader context has no nonce to check");
+    const { apu, apv } = jose.decodeProtectedHeader(jwe);
+    const nonceForms = [jose.base64url.encode(ctx.nonce), ctx.nonce];
+    const echoed = [apu, apv].filter((p) => typeof p === "string" && p.length > 0);
+    if (echoed.length > 0 && !echoed.some((p) => nonceForms.includes(p))) {
+        throw new Error("nonce mismatch: response is not bound to this request");
+    }
+    const encPrivKey = await jose.importJWK(ctx.ecdhPrivateJwk, "ECDH-ES");
+    const { plaintext } = await jose.compactDecrypt(jwe, encPrivKey);
+    const openid4vpResponse = JSON.parse(new TextDecoder().decode(plaintext));
+    const vpToken = openid4vpResponse.vp_token;
+    const disclosed = vpToken ? decodeVpToken(vpToken) : [];
+    return evaluateCredential(kind, flattenDisclosed(disclosed), { minimumAge, percent });
+}
+// Shared by mdoc-verify.ts: a decoded DeviceResponse → the evaluateCredential
+// policy, flattening the disclosed claims into the common record shape.
+export function evaluateDisclosed(kind, disclosed, opts = {}) {
+    return evaluateCredential(kind, flattenDisclosed(disclosed), opts);
+}

package/dist/ceremony/dc-payment/dcql.d.ts

@@ -0,0 +1,5 @@
+import type { DcqlQuery } from "../../types.js";
+export declare const PAYMENT_DOCTYPE = "org.multipaz.payment.sca.1";
+export declare const PAYMENT_CLAIM_LEAVES: readonly ["issuer_name", "payment_instrument_id", "masked_account_reference", "holder_name", "issue_date", "expiry_date"];
+/** The DCQL the signed request embeds for the payment credential. */
+export declare function buildDcPaymentDcql(): DcqlQuery;

package/dist/ceremony/dc-payment/dcql.js

@@ -0,0 +1,23 @@
+export const PAYMENT_DOCTYPE = "org.multipaz.payment.sca.1";
+// The disclosed instrument leaves verify.ts reads back into the DC mandate.
+export const PAYMENT_CLAIM_LEAVES = [
+    "issuer_name",
+    "payment_instrument_id",
+    "masked_account_reference",
+    "holder_name",
+    "issue_date",
+    "expiry_date",
+];
+/** The DCQL the signed request embeds for the payment credential. */
+export function buildDcPaymentDcql() {
+    return {
+        credentials: [
+            {
+                id: "dpc",
+                format: "mso_mdoc",
+                meta: { doctype_value: PAYMENT_DOCTYPE },
+                claims: PAYMENT_CLAIM_LEAVES.map((leaf) => ({ path: [PAYMENT_DOCTYPE, leaf], intent_to_retain: false })),
+            },
+        ],
+    };
+}

package/dist/ceremony/dc-payment/page.d.ts

@@ -0,0 +1,18 @@
+export interface DcPaymentLine {
+    name: string;
+    quantity: number;
+    lineTotal: number;
+    currency: string;
+}
+export interface DcPaymentPageArgs {
+    /** Order id, echoed back so verify is scoped to one order. */
+    order: string;
+    /** Catalog-priced total (never the token's). */
+    total: number;
+    currency: string;
+    lines: DcPaymentLine[];
+    /** Where to send the buyer after payment — the checkout hub, which then shows the
+     *  paid confirmation. Defaults to this server's `/checkout?order=<id>`. */
+    returnUrl?: string;
+}
+export declare function renderDcPaymentPage(args: DcPaymentPageArgs): string;