@openvtc/pnm-core 0.1.0

package/README.md

@@ -0,0 +1,129 @@
+# @openvtc/pnm-core
+
+Browser-side bridge between **WebAuthn passkeys** and **VTA-managed
+DIDs**. Lets a relying party prove the user controls a DID hosted in
+a remote Verifiable Trust Agent (VTA) by performing a passkey
+ceremony in the browser — no DID private keys ever leave the VTA,
+and no long-lived bearer token sits in browser storage. Speaks both
+REST and **full DIDComm v2** to the VTA, including when the VTA is
+private-network and only reachable via a mediator.
+
+This package is the shared TypeScript library that backs the
+[Personal Network Manager browser
+plugin](https://github.com/OpenVTC/vta-browser-plugin): both the
+[PWA](https://github.com/OpenVTC/vta-browser-plugin/tree/main/packages/pwa)
+and the
+[Manifest v3 extension](https://github.com/OpenVTC/vta-browser-plugin/tree/main/packages/extension)
+are thin shells over it. External consumers can use it directly to
+build mobile companions, desktop wallets, or RP-side integrations
+that need the same flows without the bundled UI.
+
+## Install
+
+```sh
+npm install @openvtc/pnm-core
+```
+
+## What it gives you
+
+| Sub-module | Surface |
+|---|---|
+| **`@openvtc/pnm-core/webauthn`** | Passkey enrol / login ceremonies, COSE-key extraction, DID `verificationMethod` builder, PRF-derived secret-wrap helpers. |
+| **`@openvtc/pnm-core/did`** | Multikey ↔ JWK conversion, DID-URL parsing, did:webvh log resolution. |
+| **`@openvtc/pnm-core/vta`** | Typed REST + DIDComm transports against a VTA daemon. Mirrors the [`vta-sdk`](https://crates.io/crates/vta-sdk) Rust client's surface. |
+| Plus modules for | SIOPv2 / OpenID4VP RP-side helpers, sealed-bootstrap provisioning, vault proxy-login flows, Trust-Task envelope construction, indexed-DB key/value persistence. |
+
+The package's [`src/index.ts`](https://github.com/OpenVTC/vta-browser-plugin/blob/main/packages/core/src/index.ts)
+re-exports everything from a single entry; the slash-suffixed
+sub-entries above are an optional convenience for callers who only
+want a slice of the surface.
+
+## Minimal example — passkey enrolment
+
+```ts
+import {
+  beginEnrolment,
+  finishEnrolment,
+  type WebauthnEnrolmentChallenge,
+} from "@openvtc/pnm-core";
+
+// 1. Ask the VTA for an enrolment challenge for the named DID.
+const challenge: WebauthnEnrolmentChallenge = await vtaClient.enrolBegin({
+  did: "did:webvh:example.com:alice",
+});
+
+// 2. Run the WebAuthn create() ceremony in the browser.
+const credential = await beginEnrolment(challenge);
+
+// 3. Submit the assertion. The VTA verifies it, appends the COSE
+//    public key as a `verificationMethod` on the WebVH log, and
+//    publishes the new DID-document revision.
+const result = await finishEnrolment(credential, challenge.session_id);
+```
+
+## Wire compatibility
+
+This package is byte-compatible with:
+
+- The Rust [`vta-sdk`](https://crates.io/crates/vta-sdk) — typed VTA client used by the `pnm` CLI and other server-side consumers.
+- The Rust [`did-hosting-client`](https://github.com/affinidi/affinidi-webvh-service/tree/main/did-hosting-client) — typed WebVH hosting client.
+- The TypeScript [`@openvtc/vti-didcomm-js`](https://www.npmjs.com/package/@openvtc/vti-didcomm-js) — DIDComm v2 framing helpers (a runtime dependency of this package).
+- The TypeScript [`@openvtc/trust-tasks`](https://www.npmjs.com/package/@openvtc/trust-tasks) — generated payload types for the [Trust Tasks framework](https://trusttasks.org).
+
+A change to the wire surface is made in [`dtgwg-trust-tasks-tf`](https://github.com/trustoverip/dtgwg-trust-tasks-tf)
+first, regenerates the Rust + TS bindings, and only then lands in
+this package — see the project's spec-first development discipline.
+
+## Architecture
+
+```
+┌──────────────┐  WebAuthn        ┌────────────────┐
+│   Browser    │ ───────────────▶ │  Authenticator │ (Touch ID,
+│ (PWA / ext)  │ ◀─────────────── │   / Passkey    │  Windows Hello,
+└──────┬───────┘   pubkey + sig   └────────────────┘  YubiKey, …)
+       │
+       │ enrol(passkey_pubkey)         verify(assertion)
+       ▼                                       ▲
+┌──────────────┐                       ┌───────┴────────┐
+│      VTA     │ ── WebVH update ─────▶│ Public DID doc │
+│   (remote)   │                       │ (resolvable by │
+└──────────────┘                       │  any verifier) │
+                                       └────────────────┘
+```
+
+A passkey is enrolled as a `verificationMethod` (purpose:
+`authentication`) in the DID document the VTA publishes via WebVH.
+Any verifier that resolves the DID can then validate a WebAuthn
+assertion against the embedded public key without ever talking to
+the VTA — the DID document *is* the trust anchor.
+
+## Browser / runtime support
+
+- Modern browsers with WebAuthn level 2 + WebCrypto (Chrome 108+,
+  Safari 17+, Firefox 122+).
+- Node 20+ for server-side use (the WebAuthn-specific entry points
+  are no-ops in non-browser contexts; the DID / VTA / DIDComm
+  transports work everywhere).
+
+ESM-only — no CommonJS build.
+
+## Versioning
+
+Pre-1.0 (`0.x`) — breaking changes may land in minor bumps. The
+internal contract this package depends on (`@openvtc/vti-didcomm-js`,
+`@openvtc/trust-tasks`) follows the same cadence. Once the
+underlying `SPEC.md` reaches 1.0 this package will follow.
+
+## License
+
+Apache-2.0. See [LICENSE](https://github.com/OpenVTC/vta-browser-plugin/blob/main/LICENSE)
+at the repo root.
+
+## Contributing
+
+Source lives in
+[`OpenVTC/vta-browser-plugin`](https://github.com/OpenVTC/vta-browser-plugin)
+under `packages/core/`. See the
+[root README](https://github.com/OpenVTC/vta-browser-plugin#readme)
+for the workspace layout, development setup, and the smoke-test
+harness.

package/dist/did/derive-signing-key.d.ts

@@ -0,0 +1,19 @@
+export interface DeriveSigningKeyIdResult {
+    /** The DID the caller asked us to derive for. Echoed for symmetry. */
+    did: string;
+    /** Plausible verification-method ids the holder could sign with.
+     *  Empty when resolution failed; one entry for the trivial case
+     *  (did:key or single-key DIDs); multiple for DIDs with several
+     *  authentication keys. The popup auto-fills only on
+     *  `candidates.length === 1`. */
+    candidates: string[];
+    /** Human-readable resolution error (network / structural / hash
+     *  chain), if any. Surfaces to the operator so they know whether
+     *  to type the kid by hand or fix the DID. */
+    error?: string;
+}
+/** Derive the verification-method id (`signingKeyId`) candidates from
+ *  the given DID. Never throws — failures land as `candidates: []` +
+ *  an `error` string. */
+export declare function deriveSigningKeyId(did: string): Promise<DeriveSigningKeyIdResult>;
+//# sourceMappingURL=derive-signing-key.d.ts.map

package/dist/did/derive-signing-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"derive-signing-key.d.ts","sourceRoot":"","sources":["../../src/did/derive-signing-key.ts"],"names":[],"mappings":"AAkCA,MAAM,WAAW,wBAAwB;IACvC,sEAAsE;IACtE,GAAG,EAAE,MAAM,CAAC;IACZ;;;;qCAIiC;IACjC,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB;;kDAE8C;IAC9C,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;yBAEyB;AACzB,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,wBAAwB,CAAC,CAkDvF"}

package/dist/did/derive-signing-key.js

@@ -0,0 +1,96 @@
+// Derive a candidate `signingKeyId` (verification-method id) from a
+// DID. Used by the popup's AddEntryForm to auto-fill the field when
+// the operator types a principal DID — saves them looking up
+// `<did>#key-0` style fragments by hand.
+//
+// Resolution strategy per method:
+//
+//   - **did:key**: lexical. `did:key:zXxx` decomposes to
+//     `did:key:zXxx#zXxx` — the multibase tag IS the verification-
+//     method fragment. No network round-trip.
+//
+//   - **did:peer:2**: self-resolving from the DID identifier
+//     itself; the keys are inline-encoded. The wallet's existing
+//     resolver in `vti-didcomm-js` handles this offline.
+//
+//   - **did:webvh** / **did:web**: requires resolving the DID
+//     document over the network. The resolver in `vti-didcomm-js`
+//     walks the webvh log + verifies every Data Integrity proof,
+//     so a successful resolve is a real attestation.
+//
+// Selection: when the resolved DID document has a single
+// `authentication` (or `assertionMethod`) entry, return its id and
+// `candidates.length === 1` so the popup can auto-fill the field.
+// When multiple are present, return them all so the popup can offer
+// a picker — the operator picks which key signs.
+//
+// `verifyDid` already exists for the consent-prompt's DID resolution
+// path; this file is a parallel surface focused on extracting the
+// VM id rather than just validating resolution.
+import { resolve as vtiResolve } from "@openvtc/vti-didcomm-js";
+import { didMethod } from "./verify.js";
+/** Derive the verification-method id (`signingKeyId`) candidates from
+ *  the given DID. Never throws — failures land as `candidates: []` +
+ *  an `error` string. */
+export async function deriveSigningKeyId(did) {
+    const method = didMethod(did);
+    if (method === "key") {
+        // did:key:zXxx → did:key:zXxx#zXxx. The multibase tag (after
+        // `did:key:`) IS the fragment by convention.
+        const mb = did.slice("did:key:".length);
+        if (!mb.startsWith("z")) {
+            return { did, candidates: [], error: "did:key identifier is not base58btc multibase" };
+        }
+        return { did, candidates: [`${did}#${mb}`] };
+    }
+    if (method === "unknown") {
+        return { did, candidates: [], error: "Unrecognised DID method" };
+    }
+    // did:peer, did:webvh: full resolution. did:peer is offline; webvh
+    // hits the network and verifies the log.
+    try {
+        const resolution = (await vtiResolve(did, {}));
+        const resolverError = resolution.didResolutionMetadata?.error;
+        if (resolverError) {
+            return { did, candidates: [], error: resolverError };
+        }
+        const doc = resolution.didDocument;
+        if (!doc) {
+            return { did, candidates: [], error: "Resolver returned no DID document" };
+        }
+        // Prefer `authentication` (the signing-purpose-correct list for
+        // SIOP-style id_tokens). Fall back to `assertionMethod` if absent.
+        // Final fallback: enumerate `verificationMethod` ids — better to
+        // give the operator something than nothing.
+        const candidates = collectVmIds(doc.authentication) ||
+            collectVmIds(doc.assertionMethod) ||
+            collectVmIds(doc.verificationMethod) ||
+            [];
+        if (candidates.length === 0) {
+            return { did, candidates: [], error: "DID document has no usable verification methods" };
+        }
+        return { did, candidates };
+    }
+    catch (e) {
+        return { did, candidates: [], error: e instanceof Error ? e.message : String(e) };
+    }
+}
+/** Extract the `id` string of every verification-method reference,
+ *  whether stored as a bare URL string or an embedded VM object.
+ *  Returns `null` (not `[]`) when the input is `undefined` so the
+ *  caller can short-circuit the `||` chain to the next purpose
+ *  rather than landing on an empty list it would otherwise treat as
+ *  authoritative. */
+function collectVmIds(vms) {
+    if (!vms || vms.length === 0)
+        return null;
+    const out = [];
+    for (const entry of vms) {
+        if (typeof entry === "string")
+            out.push(entry);
+        else if (entry && typeof entry === "object" && typeof entry.id === "string")
+            out.push(entry.id);
+    }
+    return out.length > 0 ? out : null;
+}
+//# sourceMappingURL=derive-signing-key.js.map

package/dist/did/derive-signing-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"derive-signing-key.js","sourceRoot":"","sources":["../../src/did/derive-signing-key.ts"],"names":[],"mappings":"AAAA,oEAAoE;AACpE,oEAAoE;AACpE,6DAA6D;AAC7D,yCAAyC;AACzC,EAAE;AACF,kCAAkC;AAClC,EAAE;AACF,yDAAyD;AACzD,mEAAmE;AACnE,8CAA8C;AAC9C,EAAE;AACF,6DAA6D;AAC7D,iEAAiE;AACjE,yDAAyD;AACzD,EAAE;AACF,8DAA8D;AAC9D,kEAAkE;AAClE,iEAAiE;AACjE,qDAAqD;AACrD,EAAE;AACF,yDAAyD;AACzD,mEAAmE;AACnE,kEAAkE;AAClE,oEAAoE;AACpE,iDAAiD;AACjD,EAAE;AACF,qEAAqE;AACrE,kEAAkE;AAClE,gDAAgD;AAEhD,OAAO,EAAE,OAAO,IAAI,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAEhE,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAiBxC;;yBAEyB;AACzB,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,GAAW;IAClD,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;QACrB,6DAA6D;QAC7D,6CAA6C;QAC7C,MAAM,EAAE,GAAG,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QACxC,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;YACxB,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,+CAA+C,EAAE,CAAC;QACzF,CAAC;QACD,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,CAAC,GAAG,GAAG,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC;IAC/C,CAAC;IACD,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;IACnE,CAAC;IACD,mEAAmE;IACnE,yCAAyC;IACzC,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,CAAC,MAAM,UAAU,CAAC,GAAG,EAAE,EAAE,CAAC,CAQ5C,CAAC;QACF,MAAM,aAAa,GAAG,UAAU,CAAC,qBAAqB,EAAE,KAAK,CAAC;QAC9D,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC;QACvD,CAAC;QACD,MAAM,GAAG,GAAG,UAAU,CAAC,WAAW,CAAC;QACnC,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,mCAAmC,EAAE,CAAC;QAC7E,CAAC;QACD,gEAAgE;QAChE,mEAAmE;QACnE,iEAAiE;QACjE,4CAA4C;QAC5C,MAAM,UAAU,GACd,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC;YAChC,YAAY,CAAC,GAAG,CAAC,eAAe,CAAC;YACjC,YAAY,CAAC,GAAG,CAAC,kBAAkB,CAAC;YACpC,EAAE,CAAC;QACL,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC5B,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,iDAAiD,EAAE,CAAC;QAC3F,CAAC;QACD,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,CAAC;IAC7B,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;IACpF,CAAC;AACH,CAAC;AAED;;;;;qBAKqB;AACrB,SAAS,YAAY,CACnB,GAAgD;IAEhD,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC1C,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,KAAK,MAAM,KAAK,IAAI,GAAG,EAAE,CAAC;QACxB,IAAI,OAAO,KAAK,KAAK,QAAQ;YAAE,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;aAC1C,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,OAAO,KAAK,CAAC,EAAE,KAAK,QAAQ;YACzE,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACvB,CAAC;IACD,OAAO,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC;AACrC,CAAC"}

package/dist/did/index.d.ts

@@ -0,0 +1,5 @@
+export * from "./derive-signing-key.js";
+export * from "./verification-method.js";
+export * from "./peer.js";
+export * from "./verify.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/did/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/did/index.ts"],"names":[],"mappings":"AAAA,cAAc,yBAAyB,CAAC;AACxC,cAAc,0BAA0B,CAAC;AACzC,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC"}

package/dist/did/index.js

@@ -0,0 +1,5 @@
+export * from "./derive-signing-key.js";
+export * from "./verification-method.js";
+export * from "./peer.js";
+export * from "./verify.js";
+//# sourceMappingURL=index.js.map

package/dist/did/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/did/index.ts"],"names":[],"mappings":"AAAA,cAAc,yBAAyB,CAAC;AACxC,cAAc,0BAA0B,CAAC;AACzC,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC"}

package/dist/did/peer.d.ts

@@ -0,0 +1,37 @@
+/** Abbreviated DIDComm service for a `did:peer:2` `S` segment. The
+ *  abbreviation (`t`/`s`/`r`/`a`) is the did:peer:2 convention the resolver
+ *  decodes back to a `DIDCommMessaging` service. */
+export interface DidPeerService {
+    /** Service type. `"dm"` abbreviates `DIDCommMessaging` (the default). */
+    type?: string;
+    /** serviceEndpoint URI — for mediator-routed delivery this is the
+     *  mediator's DID. */
+    serviceEndpoint: string;
+    /** Optional routing keys. */
+    routingKeys?: string[];
+    /** Accepted profiles (default `["didcomm/v2"]`). */
+    accept?: string[];
+}
+export interface DidPeer2 {
+    /** The full `did:peer:2` string. */
+    did: string;
+    /** Ed25519 authentication VM id — `<did>#key-2`. The SIOP `id_token` `kid`. */
+    authKid: string;
+    /** X25519 keyAgreement VM id — `<did>#key-1`. Used for DIDComm authcrypt. */
+    keyAgreementKid: string;
+}
+export interface CreateDidPeer2Args {
+    /** Ed25519 public key (authentication / signing). */
+    ed25519PublicKey: Uint8Array;
+    /** X25519 public key (keyAgreement / authcrypt). */
+    x25519PublicKey: Uint8Array;
+    /** Optional DIDComm service to advertise (e.g. the wallet's mediator). */
+    service?: DidPeerService;
+}
+/**
+ * Build a `did:peer:2` from an Ed25519 (auth) + X25519 (keyAgreement) key
+ * pair and an optional DIDComm service. Returns the DID plus the
+ * deterministic VM ids (`#key-1` = keyAgreement, `#key-2` = authentication).
+ */
+export declare function createDidPeer2(args: CreateDidPeer2Args): DidPeer2;
+//# sourceMappingURL=peer.d.ts.map

package/dist/did/peer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"peer.d.ts","sourceRoot":"","sources":["../../src/did/peer.ts"],"names":[],"mappings":"AAqBA;;oDAEoD;AACpD,MAAM,WAAW,cAAc;IAC7B,yEAAyE;IACzE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;0BACsB;IACtB,eAAe,EAAE,MAAM,CAAC;IACxB,6BAA6B;IAC7B,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,oDAAoD;IACpD,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;CACnB;AAED,MAAM,WAAW,QAAQ;IACvB,oCAAoC;IACpC,GAAG,EAAE,MAAM,CAAC;IACZ,+EAA+E;IAC/E,OAAO,EAAE,MAAM,CAAC;IAChB,6EAA6E;IAC7E,eAAe,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,kBAAkB;IACjC,qDAAqD;IACrD,gBAAgB,EAAE,UAAU,CAAC;IAC7B,oDAAoD;IACpD,eAAe,EAAE,UAAU,CAAC;IAC5B,0EAA0E;IAC1E,OAAO,CAAC,EAAE,cAAc,CAAC;CAC1B;AAED;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,IAAI,EAAE,kBAAkB,GAAG,QAAQ,CA2BjE"}

package/dist/did/peer.js

@@ -0,0 +1,49 @@
+// did:peer:2 (numalgo 2) generation for the wallet's holder identity.
+//
+// Unlike `did:key`, a `did:peer:2` can encode a service endpoint inline, so
+// the wallet can advertise its mediator and be *reachable* for inbound
+// DIDComm (RP-initiated confirm/approve requests) — see the RP→wallet
+// trigger design. The DID is self-contained and resolves with no network.
+//
+// Segment order is FIXED — keyAgreement (`E`, X25519) first, authentication
+// (`V`, Ed25519) second, service (`S`) last — because resolvers number
+// verification methods **positionally** (`#key-1`, `#key-2`, …) in the order
+// segments appear. Verified against the affinidi `DIDCacheClient` (the RP's
+// resolver): for `did:peer:2.E….V….S…` it emits `#key-1` = the X25519 KA
+// key and `#key-2` = the Ed25519 auth key, as `Multikey`/`publicKeyMultibase`.
+// So the SIOP `id_token` `kid` is `<did>#key-2` and the authcrypt
+// keyAgreement kid is `<did>#key-1`.
+import { base64url, multibase } from "@openvtc/vti-didcomm-js";
+const X25519_PUB = multibase.MULTICODEC.X25519_PUB;
+const ED25519_PUB = multibase.MULTICODEC.ED25519_PUB;
+/**
+ * Build a `did:peer:2` from an Ed25519 (auth) + X25519 (keyAgreement) key
+ * pair and an optional DIDComm service. Returns the DID plus the
+ * deterministic VM ids (`#key-1` = keyAgreement, `#key-2` = authentication).
+ */
+export function createDidPeer2(args) {
+    // E (keyAgreement, X25519) first → #key-1; V (authentication, Ed25519)
+    // second → #key-2. Order is load-bearing (positional VM numbering).
+    const kaMultibase = multibase.encodeMultikey(X25519_PUB, args.x25519PublicKey);
+    const authMultibase = multibase.encodeMultikey(ED25519_PUB, args.ed25519PublicKey);
+    let did = `did:peer:2.E${kaMultibase}.V${authMultibase}`;
+    if (args.service) {
+        const s = args.service;
+        // Abbreviated DIDComm service; key insertion order t,s,r,a matches the
+        // did:peer:2 convention. `r` omitted when there are no routing keys.
+        const abbreviated = {
+            t: s.type ?? "dm",
+            s: s.serviceEndpoint,
+            ...(s.routingKeys && s.routingKeys.length > 0 ? { r: s.routingKeys } : {}),
+            a: s.accept ?? ["didcomm/v2"],
+        };
+        const encoded = base64url.encode(new TextEncoder().encode(JSON.stringify(abbreviated)));
+        did += `.S${encoded}`;
+    }
+    return {
+        did,
+        authKid: `${did}#key-2`,
+        keyAgreementKid: `${did}#key-1`,
+    };
+}
+//# sourceMappingURL=peer.js.map

package/dist/did/peer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"peer.js","sourceRoot":"","sources":["../../src/did/peer.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,EAAE;AACF,4EAA4E;AAC5E,uEAAuE;AACvE,sEAAsE;AACtE,0EAA0E;AAC1E,EAAE;AACF,4EAA4E;AAC5E,uEAAuE;AACvE,6EAA6E;AAC7E,4EAA4E;AAC5E,yEAAyE;AACzE,+EAA+E;AAC/E,kEAAkE;AAClE,qCAAqC;AAErC,OAAO,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AAE/D,MAAM,UAAU,GAAG,SAAS,CAAC,UAAU,CAAC,UAAU,CAAC;AACnD,MAAM,WAAW,GAAG,SAAS,CAAC,UAAU,CAAC,WAAW,CAAC;AAmCrD;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,IAAwB;IACrD,uEAAuE;IACvE,oEAAoE;IACpE,MAAM,WAAW,GAAG,SAAS,CAAC,cAAc,CAAC,UAAU,EAAE,IAAI,CAAC,eAAe,CAAC,CAAC;IAC/E,MAAM,aAAa,GAAG,SAAS,CAAC,cAAc,CAAC,WAAW,EAAE,IAAI,CAAC,gBAAgB,CAAC,CAAC;IAEnF,IAAI,GAAG,GAAG,eAAe,WAAW,KAAK,aAAa,EAAE,CAAC;IAEzD,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;QACjB,MAAM,CAAC,GAAG,IAAI,CAAC,OAAO,CAAC;QACvB,uEAAuE;QACvE,qEAAqE;QACrE,MAAM,WAAW,GAA4B;YAC3C,CAAC,EAAE,CAAC,CAAC,IAAI,IAAI,IAAI;YACjB,CAAC,EAAE,CAAC,CAAC,eAAe;YACpB,GAAG,CAAC,CAAC,CAAC,WAAW,IAAI,CAAC,CAAC,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAC1E,CAAC,EAAE,CAAC,CAAC,MAAM,IAAI,CAAC,YAAY,CAAC;SAC9B,CAAC;QACF,MAAM,OAAO,GAAG,SAAS,CAAC,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC;QACxF,GAAG,IAAI,KAAK,OAAO,EAAE,CAAC;IACxB,CAAC;IAED,OAAO;QACL,GAAG;QACH,OAAO,EAAE,GAAG,GAAG,QAAQ;QACvB,eAAe,EAAE,GAAG,GAAG,QAAQ;KAChC,CAAC;AACJ,CAAC"}

package/dist/did/verification-method.d.ts

@@ -0,0 +1,43 @@
+/**
+ * A `verificationMethod` entry, in the shape we want appended to the
+ * VTA-managed DID document. Type `Multikey` is the W3C-recommended
+ * representation; `publicKeyMultibase` carries the base58btc-encoded
+ * multicodec-prefixed key.
+ *
+ * The `webauthn*` extensions are non-core but explicit: any verifier
+ * resolving the DID can find the VM by `credentialId` hash and verify
+ * a WebAuthn assertion against `publicKeyMultibase` directly — no
+ * round-trip to the VTA required.
+ */
+export interface PasskeyVerificationMethod {
+    id: string;
+    type: "Multikey";
+    controller: string;
+    publicKeyMultibase: string;
+    /** WebAuthn credential id, base64url-encoded. */
+    webauthnCredentialId: string;
+    /** Transport hints the authenticator reported (e.g. "internal", "hybrid"). */
+    webauthnTransports?: AuthenticatorTransport[];
+    /**
+     * Optional friendly label set by the operator (e.g. "MacBook Touch
+     * ID", "YubiKey 5C"). Surfaced in UI; not used for verification.
+     */
+    label?: string;
+}
+export interface BuildVerificationMethodArgs {
+    did: string;
+    credentialId: string;
+    credentialIdBytes: Uint8Array;
+    publicKeyMultikey: string;
+    transports?: AuthenticatorTransport[];
+    label?: string;
+}
+/**
+ * Derive the VM fragment from the credential id. SHA-256 keeps the
+ * fragment short and stable while still being deterministic — a
+ * verifier given a WebAuthn assertion can recompute the fragment
+ * from `credential.id` and look it up in the DID document.
+ */
+export declare function passkeyVerificationMethodFragment(credentialIdBytes: Uint8Array): Promise<string>;
+export declare function buildPasskeyVerificationMethod(args: BuildVerificationMethodArgs): Promise<PasskeyVerificationMethod>;
+//# sourceMappingURL=verification-method.d.ts.map

package/dist/did/verification-method.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verification-method.d.ts","sourceRoot":"","sources":["../../src/did/verification-method.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;GAUG;AACH,MAAM,WAAW,yBAAyB;IACxC,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,UAAU,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,iDAAiD;IACjD,oBAAoB,EAAE,MAAM,CAAC;IAC7B,8EAA8E;IAC9E,kBAAkB,CAAC,EAAE,sBAAsB,EAAE,CAAC;IAC9C;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,2BAA2B;IAC1C,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,EAAE,MAAM,CAAC;IACrB,iBAAiB,EAAE,UAAU,CAAC;IAC9B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,UAAU,CAAC,EAAE,sBAAsB,EAAE,CAAC;IACtC,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAMD;;;;;GAKG;AACH,wBAAsB,iCAAiC,CACrD,iBAAiB,EAAE,UAAU,GAC5B,OAAO,CAAC,MAAM,CAAC,CAGjB;AAED,wBAAsB,8BAA8B,CAClD,IAAI,EAAE,2BAA2B,GAChC,OAAO,CAAC,yBAAyB,CAAC,CAgBpC"}

package/dist/did/verification-method.js

@@ -0,0 +1,32 @@
+import { bytesToBase64url } from "../webauthn/base64url.js";
+async function sha256(bytes) {
+    return new Uint8Array(await crypto.subtle.digest("SHA-256", bytes));
+}
+/**
+ * Derive the VM fragment from the credential id. SHA-256 keeps the
+ * fragment short and stable while still being deterministic — a
+ * verifier given a WebAuthn assertion can recompute the fragment
+ * from `credential.id` and look it up in the DID document.
+ */
+export async function passkeyVerificationMethodFragment(credentialIdBytes) {
+    const hash = await sha256(credentialIdBytes);
+    return `passkey-${bytesToBase64url(hash)}`;
+}
+export async function buildPasskeyVerificationMethod(args) {
+    const fragment = await passkeyVerificationMethodFragment(args.credentialIdBytes);
+    const vm = {
+        id: `${args.did}#${fragment}`,
+        type: "Multikey",
+        controller: args.did,
+        publicKeyMultibase: args.publicKeyMultikey,
+        webauthnCredentialId: args.credentialId,
+    };
+    if (args.transports && args.transports.length > 0) {
+        vm.webauthnTransports = args.transports;
+    }
+    if (args.label) {
+        vm.label = args.label;
+    }
+    return vm;
+}
+//# sourceMappingURL=verification-method.js.map

package/dist/did/verification-method.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verification-method.js","sourceRoot":"","sources":["../../src/did/verification-method.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,gBAAgB,EAAE,MAAM,0BAA0B,CAAC;AAsC5D,KAAK,UAAU,MAAM,CAAC,KAAiB;IACrC,OAAO,IAAI,UAAU,CAAC,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,KAAqB,CAAC,CAAC,CAAC;AACtF,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,iCAAiC,CACrD,iBAA6B;IAE7B,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,iBAAiB,CAAC,CAAC;IAC7C,OAAO,WAAW,gBAAgB,CAAC,IAAI,CAAC,EAAE,CAAC;AAC7C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,8BAA8B,CAClD,IAAiC;IAEjC,MAAM,QAAQ,GAAG,MAAM,iCAAiC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IACjF,MAAM,EAAE,GAA8B;QACpC,EAAE,EAAE,GAAG,IAAI,CAAC,GAAG,IAAI,QAAQ,EAAE;QAC7B,IAAI,EAAE,UAAU;QAChB,UAAU,EAAE,IAAI,CAAC,GAAG;QACpB,kBAAkB,EAAE,IAAI,CAAC,iBAAiB;QAC1C,oBAAoB,EAAE,IAAI,CAAC,YAAY;KACxC,CAAC;IACF,IAAI,IAAI,CAAC,UAAU,IAAI,IAAI,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAClD,EAAE,CAAC,kBAAkB,GAAG,IAAI,CAAC,UAAU,CAAC;IAC1C,CAAC;IACD,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACf,EAAE,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;IACxB,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC"}

package/dist/did/verify.d.ts

@@ -0,0 +1,49 @@
+export type DidMethod = "webvh" | "peer" | "key" | "unknown";
+export interface VerifyDidResult {
+    /** Canonical DID under verification. */
+    did: string;
+    /** Parsed DID method. `unknown` if the input is not a recognisable DID. */
+    method: DidMethod;
+    /** True if resolution succeeded. For did:webvh this implies the SCID + log
+     *  hash chain + every Data Integrity proof verified. For did:peer/did:key
+     *  it implies the identifier was structurally valid. */
+    resolved: boolean;
+    /** For did:webvh — the host the DID identifies (extracted from the DID,
+     *  not the resolved document, so the operator sees what the wallet asked
+     *  for). The DID is `did:webvh:<scid>:<host>[:<path>...]`. */
+    domain?: string;
+    /** Human-readable error if resolution failed. */
+    error?: string;
+}
+/**
+ * Parse the method of a DID string. Cheap, structural — does not resolve.
+ */
+export declare function didMethod(did: string): DidMethod;
+/**
+ * Extract the host portion of a `did:webvh:<scid>:<host>[:path:...]`. Returns
+ * `undefined` for non-webvh inputs. The path-style segments after the host
+ * are intentionally discarded — the operator-facing display only needs the
+ * host to compare against the page origin.
+ *
+ * webvh's wire format percent-encodes the host's `:` and `/`; we leave them
+ * encoded because the consent UI only matches on hostname (which never
+ * contains either).
+ */
+export declare function didWebvhDomain(did: string): string | undefined;
+/**
+ * Resolve and validate an RP DID. Never throws — failures are returned via
+ * `resolved: false` and `error`, because the consent UI wants to *render*
+ * the error rather than crash.
+ */
+export declare function verifyDid(did: string): Promise<VerifyDidResult>;
+/**
+ * Decide whether a page origin's hostname is consistent with a did:webvh
+ * domain. Exact match or proper subdomain count as consistent. Anything
+ * else (sibling subdomain, unrelated host, etc.) is flagged.
+ *
+ * For non-webvh DIDs this returns `"not-applicable"` — there's no domain
+ * encoded in the DID, so the wallet has nothing to compare against.
+ */
+export type OriginMatch = "match" | "subdomain" | "mismatch" | "not-applicable";
+export declare function compareOriginToDidDomain(originHost: string | undefined, didDomain: string | undefined): OriginMatch;
+//# sourceMappingURL=verify.d.ts.map

package/dist/did/verify.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.d.ts","sourceRoot":"","sources":["../../src/did/verify.ts"],"names":[],"mappings":"AAkBA,MAAM,MAAM,SAAS,GAAG,OAAO,GAAG,MAAM,GAAG,KAAK,GAAG,SAAS,CAAC;AAE7D,MAAM,WAAW,eAAe;IAC9B,wCAAwC;IACxC,GAAG,EAAE,MAAM,CAAC;IACZ,2EAA2E;IAC3E,MAAM,EAAE,SAAS,CAAC;IAClB;;4DAEwD;IACxD,QAAQ,EAAE,OAAO,CAAC;IAClB;;kEAE8D;IAC9D,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,iDAAiD;IACjD,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,wBAAgB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,CAKhD;AAED;;;;;;;;;GASG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAK9D;AAED;;;;GAIG;AACH,wBAAsB,SAAS,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CA4BrE;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,WAAW,GAAG,OAAO,GAAG,WAAW,GAAG,UAAU,GAAG,gBAAgB,CAAC;AAEhF,wBAAgB,wBAAwB,CACtC,UAAU,EAAE,MAAM,GAAG,SAAS,EAC9B,SAAS,EAAE,MAAM,GAAG,SAAS,GAC5B,WAAW,CAMb"}

package/dist/did/verify.js

@@ -0,0 +1,89 @@
+// DID verification for the consent prompt.
+//
+// Before the wallet logs into an RP, the consent popup wants to tell the
+// operator whether the rpDid actually resolves — and, for did:webvh, whether
+// its declared domain is consistent with the page origin the request came
+// from. This is the operator-facing complement to origin pinning: pinning
+// catches "this site swapped which RP it points at"; verification catches
+// "this site is pointing at an RP whose DID does not resolve" or "claims an
+// RP whose domain has nothing to do with the page".
+//
+// did:webvh resolution is cryptographic (the library walks the log, verifies
+// the SCID/hash chain, and verifies every Data Integrity proof on each entry)
+// — a successful resolve is a real attestation, not just "fetch returned 200".
+// did:peer / did:key are self-certifying (the keys are encoded in the id), so
+// resolution is purely structural validation.
+import { resolve as vtiResolve } from "@openvtc/vti-didcomm-js";
+/**
+ * Parse the method of a DID string. Cheap, structural — does not resolve.
+ */
+export function didMethod(did) {
+    if (did.startsWith("did:webvh:"))
+        return "webvh";
+    if (did.startsWith("did:peer:"))
+        return "peer";
+    if (did.startsWith("did:key:"))
+        return "key";
+    return "unknown";
+}
+/**
+ * Extract the host portion of a `did:webvh:<scid>:<host>[:path:...]`. Returns
+ * `undefined` for non-webvh inputs. The path-style segments after the host
+ * are intentionally discarded — the operator-facing display only needs the
+ * host to compare against the page origin.
+ *
+ * webvh's wire format percent-encodes the host's `:` and `/`; we leave them
+ * encoded because the consent UI only matches on hostname (which never
+ * contains either).
+ */
+export function didWebvhDomain(did) {
+    if (!did.startsWith("did:webvh:"))
+        return undefined;
+    const parts = did.split(":");
+    // ["did", "webvh", "<scid>", "<host>", ...path]
+    return parts[3];
+}
+/**
+ * Resolve and validate an RP DID. Never throws — failures are returned via
+ * `resolved: false` and `error`, because the consent UI wants to *render*
+ * the error rather than crash.
+ */
+export async function verifyDid(did) {
+    const method = didMethod(did);
+    const domain = method === "webvh" ? didWebvhDomain(did) : undefined;
+    const base = {
+        did,
+        method,
+        resolved: false,
+        ...(domain ? { domain } : {}),
+    };
+    if (method === "unknown") {
+        return { ...base, error: "Unrecognised DID method" };
+    }
+    try {
+        const resolution = (await vtiResolve(did, {}));
+        const resolverError = resolution.didResolutionMetadata?.error;
+        if (resolverError) {
+            return { ...base, error: resolverError };
+        }
+        if (!resolution.didDocument?.id) {
+            return { ...base, error: "Resolver returned no DID document" };
+        }
+        return { ...base, resolved: true };
+    }
+    catch (e) {
+        return { ...base, error: e instanceof Error ? e.message : String(e) };
+    }
+}
+export function compareOriginToDidDomain(originHost, didDomain) {
+    if (!didDomain)
+        return "not-applicable";
+    if (!originHost)
+        return "mismatch";
+    if (originHost === didDomain)
+        return "match";
+    if (originHost.endsWith(`.${didDomain}`))
+        return "subdomain";
+    return "mismatch";
+}
+//# sourceMappingURL=verify.js.map

package/dist/did/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../../src/did/verify.ts"],"names":[],"mappings":"AAAA,2CAA2C;AAC3C,EAAE;AACF,yEAAyE;AACzE,6EAA6E;AAC7E,0EAA0E;AAC1E,0EAA0E;AAC1E,0EAA0E;AAC1E,4EAA4E;AAC5E,oDAAoD;AACpD,EAAE;AACF,6EAA6E;AAC7E,8EAA8E;AAC9E,+EAA+E;AAC/E,8EAA8E;AAC9E,8CAA8C;AAE9C,OAAO,EAAE,OAAO,IAAI,UAAU,EAAE,MAAM,yBAAyB,CAAC;AAqBhE;;GAEG;AACH,MAAM,UAAU,SAAS,CAAC,GAAW;IACnC,IAAI,GAAG,CAAC,UAAU,CAAC,YAAY,CAAC;QAAE,OAAO,OAAO,CAAC;IACjD,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,CAAC;QAAE,OAAO,MAAM,CAAC;IAC/C,IAAI,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC;QAAE,OAAO,KAAK,CAAC;IAC7C,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,cAAc,CAAC,GAAW;IACxC,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,YAAY,CAAC;QAAE,OAAO,SAAS,CAAC;IACpD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,gDAAgD;IAChD,OAAO,KAAK,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,GAAW;IACzC,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,CAAC;IAC9B,MAAM,MAAM,GAAG,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IACpE,MAAM,IAAI,GAAoB;QAC5B,GAAG;QACH,MAAM;QACN,QAAQ,EAAE,KAAK;QACf,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC9B,CAAC;IACF,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QACzB,OAAO,EAAE,GAAG,IAAI,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC;IACvD,CAAC;IACD,IAAI,CAAC;QACH,MAAM,UAAU,GAAG,CAAC,MAAM,UAAU,CAAC,GAAG,EAAE,EAAE,CAAC,CAG5C,CAAC;QACF,MAAM,aAAa,GAAG,UAAU,CAAC,qBAAqB,EAAE,KAAK,CAAC;QAC9D,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO,EAAE,GAAG,IAAI,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC;QAC3C,CAAC;QACD,IAAI,CAAC,UAAU,CAAC,WAAW,EAAE,EAAE,EAAE,CAAC;YAChC,OAAO,EAAE,GAAG,IAAI,EAAE,KAAK,EAAE,mCAAmC,EAAE,CAAC;QACjE,CAAC;QACD,OAAO,EAAE,GAAG,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IACrC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,OAAO,EAAE,GAAG,IAAI,EAAE,KAAK,EAAE,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;IACxE,CAAC;AACH,CAAC;AAYD,MAAM,UAAU,wBAAwB,CACtC,UAA8B,EAC9B,SAA6B;IAE7B,IAAI,CAAC,SAAS;QAAE,OAAO,gBAAgB,CAAC;IACxC,IAAI,CAAC,UAAU;QAAE,OAAO,UAAU,CAAC;IACnC,IAAI,UAAU,KAAK,SAAS;QAAE,OAAO,OAAO,CAAC;IAC7C,IAAI,UAAU,CAAC,QAAQ,CAAC,IAAI,SAAS,EAAE,CAAC;QAAE,OAAO,WAAW,CAAC;IAC7D,OAAO,UAAU,CAAC;AACpB,CAAC"}