npm - @openvtc/pnm-core - Versions diffs - 0.1.0 - Mend

@openvtc/pnm-core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (250) hide show

package/README.md +129 -0
package/dist/did/derive-signing-key.d.ts +19 -0
package/dist/did/derive-signing-key.d.ts.map +1 -0
package/dist/did/derive-signing-key.js +96 -0
package/dist/did/derive-signing-key.js.map +1 -0
package/dist/did/index.d.ts +5 -0
package/dist/did/index.d.ts.map +1 -0
package/dist/did/index.js +5 -0
package/dist/did/index.js.map +1 -0
package/dist/did/peer.d.ts +37 -0
package/dist/did/peer.d.ts.map +1 -0
package/dist/did/peer.js +49 -0
package/dist/did/peer.js.map +1 -0
package/dist/did/verification-method.d.ts +43 -0
package/dist/did/verification-method.d.ts.map +1 -0
package/dist/did/verification-method.js +32 -0
package/dist/did/verification-method.js.map +1 -0
package/dist/did/verify.d.ts +49 -0
package/dist/did/verify.d.ts.map +1 -0
package/dist/did/verify.js +89 -0
package/dist/did/verify.js.map +1 -0
package/dist/didcomm/index.d.ts +235 -0
package/dist/didcomm/index.d.ts.map +1 -0
package/dist/didcomm/index.js +415 -0
package/dist/didcomm/index.js.map +1 -0
package/dist/inbound/confirm.d.ts +50 -0
package/dist/inbound/confirm.d.ts.map +1 -0
package/dist/inbound/confirm.js +64 -0
package/dist/inbound/confirm.js.map +1 -0
package/dist/inbound/dedup.d.ts +9 -0
package/dist/inbound/dedup.d.ts.map +1 -0
package/dist/inbound/dedup.js +31 -0
package/dist/inbound/dedup.js.map +1 -0
package/dist/inbound/index.d.ts +3 -0
package/dist/inbound/index.d.ts.map +1 -0
package/dist/inbound/index.js +3 -0
package/dist/inbound/index.js.map +1 -0
package/dist/index.d.ts +14 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +14 -0
package/dist/index.js.map +1 -0
package/dist/onboarding/index.d.ts +2 -0
package/dist/onboarding/index.d.ts.map +1 -0
package/dist/onboarding/index.js +2 -0
package/dist/onboarding/index.js.map +1 -0
package/dist/onboarding/swap.d.ts +60 -0
package/dist/onboarding/swap.d.ts.map +1 -0
package/dist/onboarding/swap.js +148 -0
package/dist/onboarding/swap.js.map +1 -0
package/dist/provision/adopt.d.ts +31 -0
package/dist/provision/adopt.d.ts.map +1 -0
package/dist/provision/adopt.js +114 -0
package/dist/provision/adopt.js.map +1 -0
package/dist/provision/armor.d.ts +19 -0
package/dist/provision/armor.d.ts.map +1 -0
package/dist/provision/armor.js +243 -0
package/dist/provision/armor.js.map +1 -0
package/dist/provision/crc24.d.ts +5 -0
package/dist/provision/crc24.d.ts.map +1 -0
package/dist/provision/crc24.js +30 -0
package/dist/provision/crc24.js.map +1 -0
package/dist/provision/hpke.d.ts +17 -0
package/dist/provision/hpke.d.ts.map +1 -0
package/dist/provision/hpke.js +60 -0
package/dist/provision/hpke.js.map +1 -0
package/dist/provision/index.d.ts +10 -0
package/dist/provision/index.d.ts.map +1 -0
package/dist/provision/index.js +16 -0
package/dist/provision/index.js.map +1 -0
package/dist/provision/open.d.ts +28 -0
package/dist/provision/open.d.ts.map +1 -0
package/dist/provision/open.js +224 -0
package/dist/provision/open.js.map +1 -0
package/dist/provision/request.d.ts +65 -0
package/dist/provision/request.d.ts.map +1 -0
package/dist/provision/request.js +53 -0
package/dist/provision/request.js.map +1 -0
package/dist/provision/run.d.ts +76 -0
package/dist/provision/run.d.ts.map +1 -0
package/dist/provision/run.js +110 -0
package/dist/provision/run.js.map +1 -0
package/dist/provision/send.d.ts +85 -0
package/dist/provision/send.d.ts.map +1 -0
package/dist/provision/send.js +87 -0
package/dist/provision/send.js.map +1 -0
package/dist/provision/types.d.ts +110 -0
package/dist/provision/types.d.ts.map +1 -0
package/dist/provision/types.js +17 -0
package/dist/provision/types.js.map +1 -0
package/dist/rp-login/didcomm.d.ts +34 -0
package/dist/rp-login/didcomm.d.ts.map +1 -0
package/dist/rp-login/didcomm.js +72 -0
package/dist/rp-login/didcomm.js.map +1 -0
package/dist/rp-login/index.d.ts +3 -0
package/dist/rp-login/index.d.ts.map +1 -0
package/dist/rp-login/index.js +3 -0
package/dist/rp-login/index.js.map +1 -0
package/dist/rp-login/step-up.d.ts +43 -0
package/dist/rp-login/step-up.d.ts.map +1 -0
package/dist/rp-login/step-up.js +118 -0
package/dist/rp-login/step-up.js.map +1 -0
package/dist/siop/index.d.ts +3 -0
package/dist/siop/index.d.ts.map +1 -0
package/dist/siop/index.js +3 -0
package/dist/siop/index.js.map +1 -0
package/dist/siop/login-client.d.ts +29 -0
package/dist/siop/login-client.d.ts.map +1 -0
package/dist/siop/login-client.js +79 -0
package/dist/siop/login-client.js.map +1 -0
package/dist/siop/self-issued.d.ts +96 -0
package/dist/siop/self-issued.d.ts.map +1 -0
package/dist/siop/self-issued.js +162 -0
package/dist/siop/self-issued.js.map +1 -0
package/dist/store/holder-identity.d.ts +241 -0
package/dist/store/holder-identity.d.ts.map +1 -0
package/dist/store/holder-identity.js +441 -0
package/dist/store/holder-identity.js.map +1 -0
package/dist/store/index.d.ts +4 -0
package/dist/store/index.d.ts.map +1 -0
package/dist/store/index.js +4 -0
package/dist/store/index.js.map +1 -0
package/dist/store/kv-store.d.ts +51 -0
package/dist/store/kv-store.d.ts.map +1 -0
package/dist/store/kv-store.js +100 -0
package/dist/store/kv-store.js.map +1 -0
package/dist/store/secret-wrap.d.ts +109 -0
package/dist/store/secret-wrap.d.ts.map +1 -0
package/dist/store/secret-wrap.js +85 -0
package/dist/store/secret-wrap.js.map +1 -0
package/dist/trust-tasks/index.d.ts +2 -0
package/dist/trust-tasks/index.d.ts.map +1 -0
package/dist/trust-tasks/index.js +2 -0
package/dist/trust-tasks/index.js.map +1 -0
package/dist/trust-tasks/sign.d.ts +31 -0
package/dist/trust-tasks/sign.d.ts.map +1 -0
package/dist/trust-tasks/sign.js +141 -0
package/dist/trust-tasks/sign.js.map +1 -0
package/dist/util/timing.d.ts +14 -0
package/dist/util/timing.d.ts.map +1 -0
package/dist/util/timing.js +20 -0
package/dist/util/timing.js.map +1 -0
package/dist/vault/delete.d.ts +19 -0
package/dist/vault/delete.d.ts.map +1 -0
package/dist/vault/delete.js +35 -0
package/dist/vault/delete.js.map +1 -0
package/dist/vault/index.d.ts +8 -0
package/dist/vault/index.d.ts.map +1 -0
package/dist/vault/index.js +7 -0
package/dist/vault/index.js.map +1 -0
package/dist/vault/list.d.ts +96 -0
package/dist/vault/list.d.ts.map +1 -0
package/dist/vault/list.js +106 -0
package/dist/vault/list.js.map +1 -0
package/dist/vault/proxy-login.d.ts +100 -0
package/dist/vault/proxy-login.d.ts.map +1 -0
package/dist/vault/proxy-login.js +106 -0
package/dist/vault/proxy-login.js.map +1 -0
package/dist/vault/release.d.ts +33 -0
package/dist/vault/release.d.ts.map +1 -0
package/dist/vault/release.js +83 -0
package/dist/vault/release.js.map +1 -0
package/dist/vault/sign-trust-task.d.ts +26 -0
package/dist/vault/sign-trust-task.d.ts.map +1 -0
package/dist/vault/sign-trust-task.js +53 -0
package/dist/vault/sign-trust-task.js.map +1 -0
package/dist/vault/transport.d.ts +50 -0
package/dist/vault/transport.d.ts.map +1 -0
package/dist/vault/transport.js +118 -0
package/dist/vault/transport.js.map +1 -0
package/dist/vault/upsert.d.ts +102 -0
package/dist/vault/upsert.d.ts.map +1 -0
package/dist/vault/upsert.js +92 -0
package/dist/vault/upsert.js.map +1 -0
package/dist/vta/bridge-mediator-session.d.ts +26 -0
package/dist/vta/bridge-mediator-session.d.ts.map +1 -0
package/dist/vta/bridge-mediator-session.js +37 -0
package/dist/vta/bridge-mediator-session.js.map +1 -0
package/dist/vta/bridge-memory.d.ts +80 -0
package/dist/vta/bridge-memory.d.ts.map +1 -0
package/dist/vta/bridge-memory.js +162 -0
package/dist/vta/bridge-memory.js.map +1 -0
package/dist/vta/client.d.ts +40 -0
package/dist/vta/client.d.ts.map +1 -0
package/dist/vta/client.js +91 -0
package/dist/vta/client.js.map +1 -0
package/dist/vta/contexts.d.ts +60 -0
package/dist/vta/contexts.d.ts.map +1 -0
package/dist/vta/contexts.js +118 -0
package/dist/vta/contexts.js.map +1 -0
package/dist/vta/didcomm.d.ts +57 -0
package/dist/vta/didcomm.d.ts.map +1 -0
package/dist/vta/didcomm.js +138 -0
package/dist/vta/didcomm.js.map +1 -0
package/dist/vta/errors.d.ts +20 -0
package/dist/vta/errors.d.ts.map +1 -0
package/dist/vta/errors.js +64 -0
package/dist/vta/errors.js.map +1 -0
package/dist/vta/index.d.ts +15 -0
package/dist/vta/index.d.ts.map +1 -0
package/dist/vta/index.js +15 -0
package/dist/vta/index.js.map +1 -0
package/dist/vta/mediation.d.ts +80 -0
package/dist/vta/mediation.d.ts.map +1 -0
package/dist/vta/mediation.js +29 -0
package/dist/vta/mediation.js.map +1 -0
package/dist/vta/mediator-client.d.ts +66 -0
package/dist/vta/mediator-client.d.ts.map +1 -0
package/dist/vta/mediator-client.js +139 -0
package/dist/vta/mediator-client.js.map +1 -0
package/dist/vta/pickup.d.ts +81 -0
package/dist/vta/pickup.d.ts.map +1 -0
package/dist/vta/pickup.js +30 -0
package/dist/vta/pickup.js.map +1 -0
package/dist/vta/protocol.d.ts +76 -0
package/dist/vta/protocol.d.ts.map +1 -0
package/dist/vta/protocol.js +30 -0
package/dist/vta/protocol.js.map +1 -0
package/dist/vta/smoke.d.ts +59 -0
package/dist/vta/smoke.d.ts.map +1 -0
package/dist/vta/smoke.js +408 -0
package/dist/vta/smoke.js.map +1 -0
package/dist/vta/transport.d.ts +55 -0
package/dist/vta/transport.d.ts.map +1 -0
package/dist/vta/transport.js +2 -0
package/dist/vta/transport.js.map +1 -0
package/dist/vta/types.d.ts +50 -0
package/dist/vta/types.d.ts.map +1 -0
package/dist/vta/types.js +2 -0
package/dist/vta/types.js.map +1 -0
package/dist/vta/wallet-session.d.ts +87 -0
package/dist/vta/wallet-session.d.ts.map +1 -0
package/dist/vta/wallet-session.js +106 -0
package/dist/vta/wallet-session.js.map +1 -0
package/dist/webauthn/base64url.d.ts +3 -0
package/dist/webauthn/base64url.d.ts.map +1 -0
package/dist/webauthn/base64url.js +17 -0
package/dist/webauthn/base64url.js.map +1 -0
package/dist/webauthn/index.d.ts +4 -0
package/dist/webauthn/index.d.ts.map +1 -0
package/dist/webauthn/index.js +4 -0
package/dist/webauthn/index.js.map +1 -0
package/dist/webauthn/multikey.d.ts +26 -0
package/dist/webauthn/multikey.d.ts.map +1 -0
package/dist/webauthn/multikey.js +91 -0
package/dist/webauthn/multikey.js.map +1 -0
package/dist/webauthn/register.d.ts +36 -0
package/dist/webauthn/register.d.ts.map +1 -0
package/dist/webauthn/register.js +77 -0
package/dist/webauthn/register.js.map +1 -0
package/package.json +56 -0

package/dist/vault/list.js ADDED Viewed

@@ -0,0 +1,106 @@
+// Vault — list (M1).
+//
+// Posts a `https://trusttasks.org/spec/vault/list/0.1` envelope to the VTA's
+// trust-task dispatcher (`POST /api/trust-tasks`) and returns the metadata
+// view of stored credentials. Read-only — secret material never crosses the
+// wire (it's only released by `vault/release/0.1`, which lands in M2).
+//
+// Authentication: the wallet authcrypts a `atm/1.0/authenticate` DIDComm
+// message to the VTA's keyAgreement key (same primitive `swapAclRest` uses)
+// to obtain a short-lived bearer token, then attaches the token to the
+// trust-tasks POST. No token caching in M1 — every list call does a fresh
+// auth round-trip. Caching can land in M2 alongside vault/sync.
+//
+// Holder authentication: the wallet's holder did:peer must be in the VTA's
+// ACL (placed there by the M0.7 swap-acl flow) and must carry the derived
+// `VaultRead` capability — Admin / Initiator / Application / Reader pass;
+// Monitor is denied.
+import { packAuthcrypt } from "../didcomm/index.js";
+const TASK_VAULT_LIST_0_1 = "https://trusttasks.org/spec/vault/list/0.1";
+const TASK_VAULT_LIST_0_1_RESPONSE = "https://trusttasks.org/spec/vault/list/0.1#response";
+const VTA_AUTHENTICATE = "https://affinidi.com/atm/1.0/authenticate";
+/**
+ * Authenticate to the VTA over REST + DIDComm-authcrypt, then post the
+ * canonical vault/list/0.1 Trust Task envelope and return the parsed
+ * entries. Single round-trip's worth of auth — no token cache in M1.
+ */
+export async function vaultListRest(opts) {
+    const { baseUrl, holder, service, filter } = opts;
+    const f = opts.fetch ?? fetch.bind(globalThis);
+    const base = baseUrl.replace(/\/+$/, "");
+    // 1. /auth/challenge → flat { challenge, sessionId, expiresAt } per
+    //    `vti_common::auth::handlers::challenge::ChallengeResponse`. Fields
+    //    are top-level, NOT nested under a `data` envelope.
+    const cRes = await f(`${base}/auth/challenge`, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ did: holder.did }),
+    });
+    if (!cRes.ok) {
+        throw new Error(`vta /auth/challenge failed (${cRes.status}): ${await cRes.text()}`);
+    }
+    const cBody = (await cRes.json());
+    if (!cBody.sessionId || !cBody.challenge) {
+        throw new Error(`vta /auth/challenge: malformed response: ${JSON.stringify(cBody)}`);
+    }
+    // 2. Authcrypt an `atm/1.0/authenticate` message to the VTA.
+    const authMsg = {
+        id: globalThis.crypto.randomUUID(),
+        type: VTA_AUTHENTICATE,
+        from: holder.did,
+        to: [service.did],
+        body: { challenge: cBody.challenge, session_id: cBody.sessionId },
+    };
+    const packed = await packAuthcrypt(authMsg, holder, [
+        { kid: service.keyAgreementKid, jwk: service.keyAgreementPublicJwk },
+    ]);
+    // 3. POST the packed JWE to /auth/ → AuthenticateResponse with
+    //    { session, tokens: { accessToken, ... } } per vta-sdk's
+    //    `protocols::auth::AuthenticateResponse`. Tokens are nested under
+    //    `tokens`, NOT `data`.
+    const aRes = await f(`${base}/auth/`, {
+        method: "POST",
+        headers: { "content-type": "application/didcomm-encrypted+json" },
+        body: packed,
+    });
+    if (!aRes.ok) {
+        throw new Error(`vta /auth/ failed (${aRes.status}): ${await aRes.text()}`);
+    }
+    const aBody = (await aRes.json());
+    const accessToken = aBody.tokens?.accessToken;
+    if (!accessToken) {
+        throw new Error(`vta /auth/: malformed response: ${JSON.stringify(aBody)}`);
+    }
+    // 4. POST /api/trust-tasks with the vault/list/0.1 envelope.
+    const envelope = {
+        id: globalThis.crypto.randomUUID(),
+        type: TASK_VAULT_LIST_0_1,
+        issuer: holder.did,
+        recipient: service.did,
+        issuedAt: new Date().toISOString(),
+        payload: filter ?? {},
+    };
+    const tRes = await f(`${base}/api/trust-tasks`, {
+        method: "POST",
+        headers: {
+            "content-type": "application/json",
+            authorization: `Bearer ${accessToken}`,
+        },
+        body: JSON.stringify(envelope),
+    });
+    if (!tRes.ok) {
+        throw new Error(`vta /api/trust-tasks vault/list failed (${tRes.status}): ${await tRes.text()}`);
+    }
+    const tBody = (await tRes.json());
+    if (tBody.type !== TASK_VAULT_LIST_0_1_RESPONSE) {
+        throw new Error(`vault/list: unexpected response type ${tBody.type ?? "(none)"} — ${JSON.stringify(tBody)}`);
+    }
+    const entries = tBody.payload?.entries ?? [];
+    return {
+        entries,
+        truncated: tBody.payload?.truncated ?? false,
+        ...(tBody.payload?.cursor ? { cursor: tBody.payload.cursor } : {}),
+        ...(tBody.payload?.redactedFields ? { redactedFields: tBody.payload.redactedFields } : {}),
+    };
+}
+//# sourceMappingURL=list.js.map

package/dist/vault/list.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"list.js","sourceRoot":"","sources":["../../src/vault/list.ts"],"names":[],"mappings":"AAAA,qBAAqB;AACrB,EAAE;AACF,6EAA6E;AAC7E,2EAA2E;AAC3E,4EAA4E;AAC5E,uEAAuE;AACvE,EAAE;AACF,yEAAyE;AACzE,4EAA4E;AAC5E,uEAAuE;AACvE,0EAA0E;AAC1E,gEAAgE;AAChE,EAAE;AACF,2EAA2E;AAC3E,0EAA0E;AAC1E,0EAA0E;AAC1E,qBAAqB;AAErB,OAAO,EAAE,aAAa,EAAiB,MAAM,qBAAqB,CAAC;AAGnE,MAAM,mBAAmB,GAAG,4CAA4C,CAAC;AACzE,MAAM,4BAA4B,GAAG,qDAAqD,CAAC;AAC3F,MAAM,gBAAgB,GAAG,2CAA2C,CAAC;AA6FrE;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,IAA0B;IAC5D,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,IAAI,CAAC;IAClD,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC/C,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAEzC,oEAAoE;IACpE,wEAAwE;IACxE,wDAAwD;IACxD,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,IAAI,iBAAiB,EAAE;QAC7C,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC;KAC1C,CAAC,CAAC;IACH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,+BAA+B,IAAI,CAAC,MAAM,MAAM,MAAM,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACvF,CAAC;IACD,MAAM,KAAK,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAA+C,CAAC;IAChF,IAAI,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,4CAA4C,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACvF,CAAC;IAED,6DAA6D;IAC7D,MAAM,OAAO,GAAG;QACd,EAAE,EAAE,UAAU,CAAC,MAAM,CAAC,UAAU,EAAE;QAClC,IAAI,EAAE,gBAAgB;QACtB,IAAI,EAAE,MAAM,CAAC,GAAG;QAChB,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC;QACjB,IAAI,EAAE,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,UAAU,EAAE,KAAK,CAAC,SAAS,EAAE;KAClE,CAAC;IACF,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE;QAClD,EAAE,GAAG,EAAE,OAAO,CAAC,eAAe,EAAE,GAAG,EAAE,OAAO,CAAC,qBAAqB,EAAE;KACrE,CAAC,CAAC;IAEH,+DAA+D;IAC/D,6DAA6D;IAC7D,sEAAsE;IACtE,2BAA2B;IAC3B,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,IAAI,QAAQ,EAAE;QACpC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,oCAAoC,EAAE;QACjE,IAAI,EAAE,MAAM;KACb,CAAC,CAAC;IACH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,sBAAsB,IAAI,CAAC,MAAM,MAAM,MAAM,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAC9E,CAAC;IACD,MAAM,KAAK,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAA0C,CAAC;IAC3E,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,EAAE,WAAW,CAAC;IAC9C,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,mCAAmC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC9E,CAAC;IAED,6DAA6D;IAC7D,MAAM,QAAQ,GAAG;QACf,EAAE,EAAE,UAAU,CAAC,MAAM,CAAC,UAAU,EAAE;QAClC,IAAI,EAAE,mBAAmB;QACzB,MAAM,EAAE,MAAM,CAAC,GAAG;QAClB,SAAS,EAAE,OAAO,CAAC,GAAG;QACtB,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAClC,OAAO,EAAE,MAAM,IAAI,EAAE;KACtB,CAAC;IACF,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,IAAI,kBAAkB,EAAE;QAC9C,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,aAAa,EAAE,UAAU,WAAW,EAAE;SACvC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;KAC/B,CAAC,CAAC;IACH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,2CAA2C,IAAI,CAAC,MAAM,MAAM,MAAM,IAAI,CAAC,IAAI,EAAE,EAAE,CAChF,CAAC;IACJ,CAAC;IACD,MAAM,KAAK,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAQ/B,CAAC;IAEF,IAAI,KAAK,CAAC,IAAI,KAAK,4BAA4B,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CACb,wCAAwC,KAAK,CAAC,IAAI,IAAI,QAAQ,MAAM,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAC5F,CAAC;IACJ,CAAC;IACD,MAAM,OAAO,GAAG,KAAK,CAAC,OAAO,EAAE,OAAO,IAAI,EAAE,CAAC;IAC7C,OAAO;QACL,OAAO;QACP,SAAS,EAAE,KAAK,CAAC,OAAO,EAAE,SAAS,IAAI,KAAK;QAC5C,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAClE,GAAG,CAAC,KAAK,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,KAAK,CAAC,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC3F,CAAC;AACJ,CAAC"}

package/dist/vault/proxy-login.d.ts ADDED Viewed

@@ -0,0 +1,100 @@
+import { type Identity } from "../didcomm/index.js";
+import type { SiteTarget } from "./list.js";
+import { type VtaAuthInputs } from "./transport.js";
+/** Refresh hint the maintainer attaches to the SessionBlob — the holder
+ *  uses this to decide whether to background-refresh, refresh on 401, or
+ *  wait for the maintainer to drive renewal. Mirrors
+ *  `vault/_shared/0.1/session-blob#/$defs/RefreshHint`. */
+export type SessionRefreshHint = "maintainer-only" | "on-401" | "before-expiry";
+/** A single cookie returned in a SessionBlob. Mirrors
+ *  `vault/_shared/0.1/session-blob#/$defs/CookieJarEntry`. */
+export interface SessionCookie {
+    name: string;
+    value: string;
+    domain: string;
+    path: string;
+    /** RFC 3339 — cookie's own expiry as the third party set it. The
+     *  holder MUST treat the blob-level `expiresAt` as an outer bound
+     *  regardless of this field. */
+    expires?: string;
+    secure?: boolean;
+    httpOnly?: boolean;
+    sameSite?: "Strict" | "Lax" | "None";
+}
+/** A request header the holder attaches to outbound requests to the
+ *  bound origin. Typically `Authorization: Bearer <id_token>` for the
+ *  SIOP path. */
+export interface SessionHeader {
+    name: string;
+    value: string;
+}
+/** A storage entry (localStorage / sessionStorage) the holder writes
+ *  into the bound origin. */
+export interface SessionStorageItem {
+    key: string;
+    value: string;
+}
+/** The cleartext payload of a successful `vault/proxy-login/0.1`
+ *  response. Mirrors `vault/_shared/0.1/session-blob`. */
+export interface SessionBlob {
+    /** Maintainer-assigned opaque id. Echoed at the response root for
+     *  audit logging without unsealing. */
+    sessionId: string;
+    /** RFC 3339. Holder MUST discard the blob at this time. */
+    expiresAt: string;
+    cookies?: SessionCookie[];
+    headers?: SessionHeader[];
+    localStorage?: SessionStorageItem[];
+    sessionStorage?: SessionStorageItem[];
+    /** Web origin this session is for. Holder MUST refuse to inject the
+     *  session into any other origin. Absent only for pure-DIDComm RPs
+     *  (no browser origin to bind to). */
+    bindOrigin?: string;
+    refreshHint?: SessionRefreshHint;
+}
+export interface VaultProxyLoginRestOptions extends VtaAuthInputs {
+    entryId: string;
+    /** When the entry has multiple targets, names which one to log in
+     *  against. The maintainer falls back to the entry's first DID-shaped
+     *  or web-origin target if omitted. */
+    target?: SiteTarget;
+    /** Caller-supplied nonce, embedded verbatim by the maintainer as the
+     *  SIOP id_token's `nonce` claim. The canonical use is threading the
+     *  RP's `/auth/challenge` value through so the resulting id_token
+     *  passes the RP's exact-match nonce check. Drivers without a nonce
+     *  concept (Password POST, OAuth refresh) ignore. Bounded
+     *  `[1, 512]` chars by the canonical schema; longer values would fail
+     *  server-side validation. */
+    nonce?: string;
+    /** Caller-supplied TTL ceiling in seconds; the maintainer caps further.
+     *  Honoured up to the server's cap (300 s in M2B.2b). */
+    ttlSecondsHint?: number;
+}
+export interface VaultProxyLoginResponse {
+    /** Cleartext session material. The caller MUST schedule a wipe at
+     *  `expiresAt` and MUST NOT inject the session into any origin other
+     *  than `sessionBlob.bindOrigin`. */
+    sessionBlob: SessionBlob;
+    /** Mirrors `sessionBlob.sessionId` — exposed for audit logging before
+     *  unsealing. */
+    sessionId: string;
+    /** Mirrors `sessionBlob.expiresAt`. */
+    expiresAt: string;
+}
+/**
+ * Ask the VTA to perform a login at the bound third party using the
+ * vault entry's secret material; receive an authcrypt-sealed
+ * `SessionBlob` (cookies / headers) that lets the holder operate the
+ * resulting session WITHOUT ever holding the long-term credential.
+ *
+ * The unpacked SessionBlob is returned in plaintext — callers MUST:
+ *   1. Schedule a wipe at `expiresAt` (setTimeout in the popup; the
+ *      countdown pattern in `vault/release` is the reference).
+ *   2. Refuse to inject the session into any origin other than
+ *      `sessionBlob.bindOrigin` (the holder's content script / DNR
+ *      rules enforce this — @openvtc/pnm-core is browser-agnostic and only
+ *      surfaces the constraint).
+ */
+export declare function vaultProxyLoginRest(opts: VaultProxyLoginRestOptions): Promise<VaultProxyLoginResponse>;
+export type { Identity };
+//# sourceMappingURL=proxy-login.d.ts.map

package/dist/vault/proxy-login.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"proxy-login.d.ts","sourceRoot":"","sources":["../../src/vault/proxy-login.ts"],"names":[],"mappings":"AA0BA,OAAO,EAAiB,KAAK,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAEnE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAA+B,KAAK,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAMjF;;;2DAG2D;AAC3D,MAAM,MAAM,kBAAkB,GAAG,iBAAiB,GAAG,QAAQ,GAAG,eAAe,CAAC;AAEhF;8DAC8D;AAC9D,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb;;oCAEgC;IAChC,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,QAAQ,CAAC,EAAE,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;CACtC;AAED;;iBAEiB;AACjB,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACf;AAED;6BAC6B;AAC7B,MAAM,WAAW,kBAAkB;IACjC,GAAG,EAAE,MAAM,CAAC;IACZ,KAAK,EAAE,MAAM,CAAC;CACf;AAED;0DAC0D;AAC1D,MAAM,WAAW,WAAW;IAC1B;2CACuC;IACvC,SAAS,EAAE,MAAM,CAAC;IAClB,2DAA2D;IAC3D,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,CAAC,EAAE,aAAa,EAAE,CAAC;IAC1B,OAAO,CAAC,EAAE,aAAa,EAAE,CAAC;IAC1B,YAAY,CAAC,EAAE,kBAAkB,EAAE,CAAC;IACpC,cAAc,CAAC,EAAE,kBAAkB,EAAE,CAAC;IACtC;;0CAEsC;IACtC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,kBAAkB,CAAC;CAClC;AAED,MAAM,WAAW,0BAA2B,SAAQ,aAAa;IAC/D,OAAO,EAAE,MAAM,CAAC;IAChB;;2CAEuC;IACvC,MAAM,CAAC,EAAE,UAAU,CAAC;IACpB;;;;;;kCAM8B;IAC9B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;6DACyD;IACzD,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,uBAAuB;IACtC;;yCAEqC;IACrC,WAAW,EAAE,WAAW,CAAC;IACzB;qBACiB;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,uCAAuC;IACvC,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,mBAAmB,CACvC,IAAI,EAAE,0BAA0B,GAC/B,OAAO,CAAC,uBAAuB,CAAC,CA0FlC;AAED,YAAY,EAAE,QAAQ,EAAE,CAAC"}

package/dist/vault/proxy-login.js ADDED Viewed

@@ -0,0 +1,106 @@
+// Vault — proxy-login (M2B.3).
+//
+// Posts a `https://trusttasks.org/spec/vault/proxy-login/0.1` envelope.
+// The VTA performs the login at the bound third-party site on the
+// holder's behalf, returns a `SessionBlob` (cookies + headers needed to
+// operate the resulting session) inside a `didcomm-authcrypt` JWE, and
+// the holder unpacks it locally — exactly the same outer machinery as
+// `vault/release`, just with a `SessionBlob` cleartext payload instead
+// of a `VaultSecret`.
+//
+// The long-term credential (the entry's password, DID signing key, or
+// OAuth refresh token) never leaves the VTA in this flow. The holder
+// only ever sees the short-lived session material — a SIOPv2 id_token
+// for DID-self-issued entries (M2B.2b), a cookie jar for Password POST
+// (M2B.5), etc.
+//
+// Callers MUST treat the returned `sessionBlob` like a release secret:
+// in-memory only, wiped no later than `expiresAt`. The maintainer caps
+// `expiresAt` server-side; the wallet honours it via a setTimeout that
+// clears the in-memory copy.
+//
+// M2B.3 implements the response side; the actual injection of cookies /
+// headers into the page lives in the extension (declarativeNetRequest
+// for headers, chrome.cookies.set for cookies) — those bindings live in
+// the extension layer because @openvtc/pnm-core is browser-agnostic.
+import { unpackMessage } from "../didcomm/index.js";
+import { getVtaBearer, postTrustTask } from "./transport.js";
+const TASK_VAULT_PROXY_LOGIN = "https://trusttasks.org/spec/vault/proxy-login/0.1";
+const TASK_VAULT_PROXY_LOGIN_RESPONSE = "https://trusttasks.org/spec/vault/proxy-login/0.1#response";
+/**
+ * Ask the VTA to perform a login at the bound third party using the
+ * vault entry's secret material; receive an authcrypt-sealed
+ * `SessionBlob` (cookies / headers) that lets the holder operate the
+ * resulting session WITHOUT ever holding the long-term credential.
+ *
+ * The unpacked SessionBlob is returned in plaintext — callers MUST:
+ *   1. Schedule a wipe at `expiresAt` (setTimeout in the popup; the
+ *      countdown pattern in `vault/release` is the reference).
+ *   2. Refuse to inject the session into any origin other than
+ *      `sessionBlob.bindOrigin` (the holder's content script / DNR
+ *      rules enforce this — @openvtc/pnm-core is browser-agnostic and only
+ *      surfaces the constraint).
+ */
+export async function vaultProxyLoginRest(opts) {
+    const bearer = await getVtaBearer({
+        baseUrl: opts.baseUrl,
+        holder: opts.holder,
+        service: opts.service,
+        ...(opts.fetch ? { fetch: opts.fetch } : {}),
+    });
+    const wire = await postTrustTask({
+        baseUrl: opts.baseUrl,
+        bearer,
+        envelope: {
+            type: TASK_VAULT_PROXY_LOGIN,
+            payload: {
+                entryId: opts.entryId,
+                ...(opts.target !== undefined ? { target: opts.target } : {}),
+                ...(opts.nonce !== undefined ? { nonce: opts.nonce } : {}),
+                ...(opts.ttlSecondsHint !== undefined
+                    ? { ttlSecondsHint: opts.ttlSecondsHint }
+                    : {}),
+            },
+            issuer: opts.holder.did,
+            recipient: opts.service.did,
+        },
+        expectedResponseType: TASK_VAULT_PROXY_LOGIN_RESPONSE,
+        operationLabel: "vault/proxy-login/0.1",
+        ...(opts.fetch ? { fetch: opts.fetch } : {}),
+    });
+    if (wire.sealedSessionBlob.envelope !== "didcomm-authcrypt") {
+        throw new Error(`vault/proxy-login: unsupported envelope ${wire.sealedSessionBlob.envelope} — this wallet only understands didcomm-authcrypt`);
+    }
+    // The VTA authcrypts the SessionBlob to the holder; the unpacker
+    // needs the VTA's keyAgreement public JWK to verify the sender
+    // binding (the `skid` in the JWE's protected header). Without it,
+    // vti-didcomm-js raises "sender.publicJwk required for authcrypt".
+    // The service endpoint structure carries the resolved VTA pubkey
+    // from the holder's onboarding handshake.
+    const unpacked = await unpackMessage({
+        input: wire.sealedSessionBlob.jwe,
+        sender_public_jwk: opts.service.keyAgreementPublicJwk,
+    }, opts.holder);
+    if (unpacked.kind !== "encrypted") {
+        throw new Error(`vault/proxy-login: unpacked JWE was not authcrypt-encrypted (kind=${unpacked.kind})`);
+    }
+    // Defence-in-depth: anoncrypt-only would be a downgrade — the VTA
+    // MUST authenticate as the signer so a relay can't substitute a
+    // different SessionBlob.
+    if (!unpacked.authenticated) {
+        throw new Error("vault/proxy-login: unpacked JWE was not authenticated (anoncrypt downgrade)");
+    }
+    const body = unpacked.message.body;
+    if (!body || typeof body !== "object") {
+        throw new Error("vault/proxy-login: unpacked DIDComm message has no body");
+    }
+    // Cast at the wire boundary — the server has already canonical-schema-
+    // validated the SessionBlob shape before sealing it.
+    const sessionBlob = body;
+    return {
+        sessionBlob,
+        sessionId: wire.sessionId,
+        expiresAt: wire.expiresAt,
+    };
+}
+//# sourceMappingURL=proxy-login.js.map

package/dist/vault/proxy-login.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"proxy-login.js","sourceRoot":"","sources":["../../src/vault/proxy-login.ts"],"names":[],"mappings":"AAAA,+BAA+B;AAC/B,EAAE;AACF,wEAAwE;AACxE,kEAAkE;AAClE,wEAAwE;AACxE,uEAAuE;AACvE,sEAAsE;AACtE,uEAAuE;AACvE,sBAAsB;AACtB,EAAE;AACF,sEAAsE;AACtE,qEAAqE;AACrE,sEAAsE;AACtE,uEAAuE;AACvE,gBAAgB;AAChB,EAAE;AACF,uEAAuE;AACvE,uEAAuE;AACvE,uEAAuE;AACvE,6BAA6B;AAC7B,EAAE;AACF,wEAAwE;AACxE,sEAAsE;AACtE,wEAAwE;AACxE,qEAAqE;AAErE,OAAO,EAAE,aAAa,EAAiB,MAAM,qBAAqB,CAAC;AAGnE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAsB,MAAM,gBAAgB,CAAC;AAEjF,MAAM,sBAAsB,GAAG,mDAAmD,CAAC;AACnF,MAAM,+BAA+B,GACnC,4DAA4D,CAAC;AAyF/D;;;;;;;;;;;;;GAaG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,IAAgC;IAEhC,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC;QAChC,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC7C,CAAC,CAAC;IAeH,MAAM,IAAI,GAAG,MAAM,aAAa,CAAe;QAC7C,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,MAAM;QACN,QAAQ,EAAE;YACR,IAAI,EAAE,sBAAsB;YAC5B,OAAO,EAAE;gBACP,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,GAAG,CAAC,IAAI,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC7D,GAAG,CAAC,IAAI,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC1D,GAAG,CAAC,IAAI,CAAC,cAAc,KAAK,SAAS;oBACnC,CAAC,CAAC,EAAE,cAAc,EAAE,IAAI,CAAC,cAAc,EAAE;oBACzC,CAAC,CAAC,EAAE,CAAC;aACR;YACD,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG;YACvB,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG;SAC5B;QACD,oBAAoB,EAAE,+BAA+B;QACrD,cAAc,EAAE,uBAAuB;QACvC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC7C,CAAC,CAAC;IAEH,IAAI,IAAI,CAAC,iBAAiB,CAAC,QAAQ,KAAK,mBAAmB,EAAE,CAAC;QAC5D,MAAM,IAAI,KAAK,CACb,2CAA2C,IAAI,CAAC,iBAAiB,CAAC,QAAQ,mDAAmD,CAC9H,CAAC;IACJ,CAAC;IAED,iEAAiE;IACjE,+DAA+D;IAC/D,kEAAkE;IAClE,mEAAmE;IACnE,iEAAiE;IACjE,0CAA0C;IAC1C,MAAM,QAAQ,GAAG,MAAM,aAAa,CAClC;QACE,KAAK,EAAE,IAAI,CAAC,iBAAiB,CAAC,GAAG;QACjC,iBAAiB,EAAE,IAAI,CAAC,OAAO,CAAC,qBAAqB;KACtD,EACD,IAAI,CAAC,MAAM,CACZ,CAAC;IACF,IAAI,QAAQ,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CACb,qEAAqE,QAAQ,CAAC,IAAI,GAAG,CACtF,CAAC;IACJ,CAAC;IACD,kEAAkE;IAClE,gEAAgE;IAChE,yBAAyB;IACzB,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CACb,6EAA6E,CAC9E,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAI,QAAQ,CAAC,OAAmC,CAAC,IAE9C,CAAC;IACd,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAC;IAC7E,CAAC;IACD,uEAAuE;IACvE,qDAAqD;IACrD,MAAM,WAAW,GAAG,IAA8B,CAAC;IAEnD,OAAO;QACL,WAAW;QACX,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,IAAI,CAAC,SAAS;KAC1B,CAAC;AACJ,CAAC"}

package/dist/vault/release.d.ts ADDED Viewed

@@ -0,0 +1,33 @@
+import { type Identity } from "../didcomm/index.js";
+import type { SecretKind } from "./list.js";
+import { type VtaAuthInputs } from "./transport.js";
+import type { VaultSecret } from "./upsert.js";
+export interface VaultReleaseRestOptions extends VtaAuthInputs {
+    entryId: string;
+    /** Caller's preferred cache TTL in seconds. The maintainer caps
+     *  server-side (M2A.3 ceiling is 60 s); honoured up to the cap. */
+    ttlSecondsHint?: number;
+}
+export interface VaultReleaseResponse {
+    /** Unpacked secret material. Caller MUST wipe / zero this reference
+     *  no later than `ttlSeconds` after the release call returned. */
+    secret: VaultSecret;
+    /** Maintainer-declared discriminator — mirrors `secret.kind`. */
+    secretKind: SecretKind;
+    /** Enforced cache TTL. Already capped by the maintainer; the caller
+     *  MUST honour it. */
+    ttlSeconds: number;
+}
+/**
+ * Release the cleartext secret material of a vault entry. The
+ * maintainer authcrypts the secret to the holder's keyAgreement key;
+ * this helper unpacks the resulting JWE locally.
+ *
+ * The unpacked secret is returned in plaintext — callers MUST schedule
+ * a wipe at `ttlSeconds` (e.g. via `setTimeout`) and MUST NOT persist
+ * the cleartext beyond that window (no disk, no logs, no syncing
+ * storage).
+ */
+export declare function vaultReleaseRest(opts: VaultReleaseRestOptions): Promise<VaultReleaseResponse>;
+export type { Identity };
+//# sourceMappingURL=release.d.ts.map

package/dist/vault/release.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"release.d.ts","sourceRoot":"","sources":["../../src/vault/release.ts"],"names":[],"mappings":"AAUA,OAAO,EAAiB,KAAK,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AAEnE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AAC5C,OAAO,EAA+B,KAAK,aAAa,EAAE,MAAM,gBAAgB,CAAC;AACjF,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAK/C,MAAM,WAAW,uBAAwB,SAAQ,aAAa;IAC5D,OAAO,EAAE,MAAM,CAAC;IAChB;uEACmE;IACnE,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,oBAAoB;IACnC;sEACkE;IAClE,MAAM,EAAE,WAAW,CAAC;IACpB,iEAAiE;IACjE,UAAU,EAAE,UAAU,CAAC;IACvB;0BACsB;IACtB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;;;;GASG;AACH,wBAAsB,gBAAgB,CACpC,IAAI,EAAE,uBAAuB,GAC5B,OAAO,CAAC,oBAAoB,CAAC,CAoF/B;AAKD,YAAY,EAAE,QAAQ,EAAE,CAAC"}

package/dist/vault/release.js ADDED Viewed

@@ -0,0 +1,83 @@
+// Vault — release (M2A.5).
+//
+// Posts a `https://trusttasks.org/spec/vault/release/0.1` envelope and
+// unpacks the maintainer's authcrypt-sealed response into the cleartext
+// `VaultSecret`. The secret bytes only ever live in the holder's local
+// memory for the duration of the `ttlSeconds` the maintainer caps; the
+// caller MUST wipe them at TTL even if the user hasn't finished
+// interacting (in practice: a `setTimeout` that clears the popup's
+// "reveal" state).
+import { unpackMessage } from "../didcomm/index.js";
+import { getVtaBearer, postTrustTask } from "./transport.js";
+const TASK_VAULT_RELEASE = "https://trusttasks.org/spec/vault/release/0.1";
+const TASK_VAULT_RELEASE_RESPONSE = "https://trusttasks.org/spec/vault/release/0.1#response";
+/**
+ * Release the cleartext secret material of a vault entry. The
+ * maintainer authcrypts the secret to the holder's keyAgreement key;
+ * this helper unpacks the resulting JWE locally.
+ *
+ * The unpacked secret is returned in plaintext — callers MUST schedule
+ * a wipe at `ttlSeconds` (e.g. via `setTimeout`) and MUST NOT persist
+ * the cleartext beyond that window (no disk, no logs, no syncing
+ * storage).
+ */
+export async function vaultReleaseRest(opts) {
+    const bearer = await getVtaBearer({
+        baseUrl: opts.baseUrl,
+        holder: opts.holder,
+        service: opts.service,
+        ...(opts.fetch ? { fetch: opts.fetch } : {}),
+    });
+    const wire = await postTrustTask({
+        baseUrl: opts.baseUrl,
+        bearer,
+        envelope: {
+            type: TASK_VAULT_RELEASE,
+            payload: {
+                entryId: opts.entryId,
+                ...(opts.ttlSecondsHint !== undefined
+                    ? { ttlSecondsHint: opts.ttlSecondsHint }
+                    : {}),
+            },
+            issuer: opts.holder.did,
+            recipient: opts.service.did,
+        },
+        expectedResponseType: TASK_VAULT_RELEASE_RESPONSE,
+        operationLabel: "vault/release/0.1",
+        ...(opts.fetch ? { fetch: opts.fetch } : {}),
+    });
+    if (wire.sealedSecret.envelope !== "didcomm-authcrypt") {
+        throw new Error(`vault/release: unsupported envelope ${wire.sealedSecret.envelope} — this wallet only understands didcomm-authcrypt`);
+    }
+    // The VTA authcrypts the secret to the holder; the unpacker needs
+    // the VTA's keyAgreement public JWK to verify the sender binding.
+    // Same shape as vault/proxy-login — see that file for the longer
+    // explanation. Latent in this file since M2A.3 (release was never
+    // end-to-end tested with a real VTA before M2B.4 demos exposed
+    // the failure on the parallel proxy-login path).
+    const unpacked = await unpackMessage({
+        input: wire.sealedSecret.jwe,
+        sender_public_jwk: opts.service.keyAgreementPublicJwk,
+    }, opts.holder);
+    if (unpacked.kind !== "encrypted") {
+        throw new Error(`vault/release: unpacked JWE was not authcrypt-encrypted (kind=${unpacked.kind})`);
+    }
+    // Defence-in-depth: the unpacked message MUST be authenticated (the
+    // VTA's signature verified) — anoncrypt-only would be a downgrade.
+    if (!unpacked.authenticated) {
+        throw new Error("vault/release: unpacked JWE was not authenticated (anoncrypt downgrade)");
+    }
+    // The cleartext body IS the VaultSecret JSON. Cast it directly — the
+    // server-side validation already ensured the variant discriminator
+    // matches `secretKind`.
+    const body = unpacked.message.body;
+    if (!body || typeof body !== "object") {
+        throw new Error("vault/release: unpacked DIDComm message has no body");
+    }
+    return {
+        secret: body,
+        secretKind: wire.secretKind,
+        ttlSeconds: wire.ttlSeconds,
+    };
+}
+//# sourceMappingURL=release.js.map

package/dist/vault/release.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"release.js","sourceRoot":"","sources":["../../src/vault/release.ts"],"names":[],"mappings":"AAAA,2BAA2B;AAC3B,EAAE;AACF,uEAAuE;AACvE,wEAAwE;AACxE,uEAAuE;AACvE,uEAAuE;AACvE,gEAAgE;AAChE,mEAAmE;AACnE,mBAAmB;AAEnB,OAAO,EAAE,aAAa,EAAiB,MAAM,qBAAqB,CAAC;AAGnE,OAAO,EAAE,YAAY,EAAE,aAAa,EAAsB,MAAM,gBAAgB,CAAC;AAGjF,MAAM,kBAAkB,GAAG,+CAA+C,CAAC;AAC3E,MAAM,2BAA2B,GAAG,wDAAwD,CAAC;AAoB7F;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,IAA6B;IAE7B,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC;QAChC,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC7C,CAAC,CAAC;IAeH,MAAM,IAAI,GAAG,MAAM,aAAa,CAAe;QAC7C,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,MAAM;QACN,QAAQ,EAAE;YACR,IAAI,EAAE,kBAAkB;YACxB,OAAO,EAAE;gBACP,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,GAAG,CAAC,IAAI,CAAC,cAAc,KAAK,SAAS;oBACnC,CAAC,CAAC,EAAE,cAAc,EAAE,IAAI,CAAC,cAAc,EAAE;oBACzC,CAAC,CAAC,EAAE,CAAC;aACR;YACD,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG;YACvB,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG;SAC5B;QACD,oBAAoB,EAAE,2BAA2B;QACjD,cAAc,EAAE,mBAAmB;QACnC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC7C,CAAC,CAAC;IAEH,IAAI,IAAI,CAAC,YAAY,CAAC,QAAQ,KAAK,mBAAmB,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CACb,uCAAuC,IAAI,CAAC,YAAY,CAAC,QAAQ,mDAAmD,CACrH,CAAC;IACJ,CAAC;IAED,kEAAkE;IAClE,kEAAkE;IAClE,iEAAiE;IACjE,kEAAkE;IAClE,+DAA+D;IAC/D,iDAAiD;IACjD,MAAM,QAAQ,GAAG,MAAM,aAAa,CAClC;QACE,KAAK,EAAE,IAAI,CAAC,YAAY,CAAC,GAAG;QAC5B,iBAAiB,EAAE,IAAI,CAAC,OAAO,CAAC,qBAAqB;KACtD,EACD,IAAI,CAAC,MAAM,CACZ,CAAC;IACF,IAAI,QAAQ,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CACb,iEAAiE,QAAQ,CAAC,IAAI,GAAG,CAClF,CAAC;IACJ,CAAC;IACD,oEAAoE;IACpE,mEAAmE;IACnE,IAAI,CAAC,QAAQ,CAAC,aAAa,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,yEAAyE,CAAC,CAAC;IAC7F,CAAC;IAED,qEAAqE;IACrE,mEAAmE;IACnE,wBAAwB;IACxB,MAAM,IAAI,GAAI,QAAQ,CAAC,OAAmC,CAAC,IAE9C,CAAC;IACd,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;IACD,OAAO;QACL,MAAM,EAAE,IAA8B;QACtC,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,UAAU,EAAE,IAAI,CAAC,UAAU;KAC5B,CAAC;AACJ,CAAC"}

package/dist/vault/sign-trust-task.d.ts ADDED Viewed

@@ -0,0 +1,26 @@
+import { type VtaAuthInputs } from "./transport.js";
+import type { TrustTaskEnvelope } from "../trust-tasks/sign.js";
+export interface VaultSignTrustTaskRestOptions extends VtaAuthInputs {
+    /** Identifier of the vault entry whose principal will sign. MUST
+     *  point at a `did-self-issued` or `didcomm-peer` entry — other
+     *  kinds reject with `vault/sign-trust-task:not_signable`. */
+    entryId: string;
+    /** The Trust Task document to sign. MUST have no `proof` field.
+     *  MUST set `issuer = <entry.principalDid>`. The VTA refuses to
+     *  silently rewrite issuer (`envelope_issuer_mismatch`). */
+    unsignedEnvelope: TrustTaskEnvelope;
+}
+export interface VaultSignTrustTaskResponse {
+    /** The supplied envelope with a `proof` field attached.
+     *  `proof.verificationMethod = <principalDid>#<signingKeyId>`;
+     *  `proof.cryptosuite = "eddsa-jcs-2022"`;
+     *  `proof.proofPurpose = "assertionMethod"`. */
+    signedEnvelope: TrustTaskEnvelope;
+}
+/**
+ * Ask the VTA to sign a Trust Task envelope as the principal of a
+ * vault entry. The returned `signedEnvelope` is byte-identical to
+ * the input except for the attached `proof` field.
+ */
+export declare function vaultSignTrustTaskRest(opts: VaultSignTrustTaskRestOptions): Promise<VaultSignTrustTaskResponse>;
+//# sourceMappingURL=sign-trust-task.d.ts.map

package/dist/vault/sign-trust-task.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sign-trust-task.d.ts","sourceRoot":"","sources":["../../src/vault/sign-trust-task.ts"],"names":[],"mappings":"AAoBA,OAAO,EAAiB,KAAK,aAAa,EAAgB,MAAM,gBAAgB,CAAC;AACjF,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAMhE,MAAM,WAAW,6BAA8B,SAAQ,aAAa;IAClE;;kEAE8D;IAC9D,OAAO,EAAE,MAAM,CAAC;IAChB;;gEAE4D;IAC5D,gBAAgB,EAAE,iBAAiB,CAAC;CACrC;AAED,MAAM,WAAW,0BAA0B;IACzC;;;oDAGgD;IAChD,cAAc,EAAE,iBAAiB,CAAC;CACnC;AAED;;;;GAIG;AACH,wBAAsB,sBAAsB,CAC1C,IAAI,EAAE,6BAA6B,GAClC,OAAO,CAAC,0BAA0B,CAAC,CA8BrC"}

package/dist/vault/sign-trust-task.js ADDED Viewed

@@ -0,0 +1,53 @@
+// Vault — sign-trust-task.
+//
+// Posts a `https://trusttasks.org/spec/vault/sign-trust-task/0.1`
+// envelope. The VTA attaches an eddsa-jcs-2022 Data Integrity proof
+// to the supplied envelope, signing as the principal DID of a
+// `did-self-issued` or `didcomm-peer` vault entry. The long-term
+// signing key never leaves the VTA.
+//
+// This is the per-envelope signing complement to `vault/proxy-login`:
+// proxy-login mints a session credential at session-start; sign-trust-
+// task signs individual follow-up tasks during that session so the
+// RP's `proof.verificationMethod == authenticated session DID` check
+// passes.
+//
+// Unlike `vault/release` / `vault/proxy-login`, the response is NOT
+// authcrypt-sealed — the signed envelope is destined for the RP
+// (which has to be able to verify it anyway) and carries no
+// long-term secret material. The proof itself is the only sensitive
+// output, and it's deliberately public.
+import { postTrustTask, getVtaBearer } from "./transport.js";
+const TASK_VAULT_SIGN_TRUST_TASK = "https://trusttasks.org/spec/vault/sign-trust-task/0.1";
+const TASK_VAULT_SIGN_TRUST_TASK_RESPONSE = "https://trusttasks.org/spec/vault/sign-trust-task/0.1#response";
+/**
+ * Ask the VTA to sign a Trust Task envelope as the principal of a
+ * vault entry. The returned `signedEnvelope` is byte-identical to
+ * the input except for the attached `proof` field.
+ */
+export async function vaultSignTrustTaskRest(opts) {
+    const bearer = await getVtaBearer({
+        baseUrl: opts.baseUrl,
+        holder: opts.holder,
+        service: opts.service,
+        ...(opts.fetch ? { fetch: opts.fetch } : {}),
+    });
+    const wire = await postTrustTask({
+        baseUrl: opts.baseUrl,
+        bearer,
+        envelope: {
+            type: TASK_VAULT_SIGN_TRUST_TASK,
+            payload: {
+                entryId: opts.entryId,
+                unsignedEnvelope: opts.unsignedEnvelope,
+            },
+            issuer: opts.holder.did,
+            recipient: opts.service.did,
+        },
+        expectedResponseType: TASK_VAULT_SIGN_TRUST_TASK_RESPONSE,
+        operationLabel: "vault/sign-trust-task/0.1",
+        ...(opts.fetch ? { fetch: opts.fetch } : {}),
+    });
+    return { signedEnvelope: wire.signedEnvelope };
+}
+//# sourceMappingURL=sign-trust-task.js.map

package/dist/vault/sign-trust-task.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sign-trust-task.js","sourceRoot":"","sources":["../../src/vault/sign-trust-task.ts"],"names":[],"mappings":"AAAA,2BAA2B;AAC3B,EAAE;AACF,kEAAkE;AAClE,oEAAoE;AACpE,8DAA8D;AAC9D,iEAAiE;AACjE,oCAAoC;AACpC,EAAE;AACF,sEAAsE;AACtE,uEAAuE;AACvE,mEAAmE;AACnE,qEAAqE;AACrE,UAAU;AACV,EAAE;AACF,oEAAoE;AACpE,gEAAgE;AAChE,4DAA4D;AAC5D,oEAAoE;AACpE,wCAAwC;AAExC,OAAO,EAAE,aAAa,EAAsB,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAGjF,MAAM,0BAA0B,GAAG,uDAAuD,CAAC;AAC3F,MAAM,mCAAmC,GACvC,gEAAgE,CAAC;AAqBnE;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,IAAmC;IAEnC,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC;QAChC,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC7C,CAAC,CAAC;IAMH,MAAM,IAAI,GAAG,MAAM,aAAa,CAAe;QAC7C,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,MAAM;QACN,QAAQ,EAAE;YACR,IAAI,EAAE,0BAA0B;YAChC,OAAO,EAAE;gBACP,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;aACxC;YACD,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG;YACvB,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG;SAC5B;QACD,oBAAoB,EAAE,mCAAmC;QACzD,cAAc,EAAE,2BAA2B;QAC3C,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC7C,CAAC,CAAC;IAEH,OAAO,EAAE,cAAc,EAAE,IAAI,CAAC,cAAc,EAAE,CAAC;AACjD,CAAC"}

package/dist/vault/transport.d.ts ADDED Viewed

@@ -0,0 +1,50 @@
+import { type Identity } from "../didcomm/index.js";
+import type { RemoteDidcommEndpoint } from "../vta/didcomm.js";
+export interface VtaAuthInputs {
+    /** VTA REST base URL — from the connection state's `restBaseUrl`. */
+    baseUrl: string;
+    /** Authcrypt sender — the holder's DIDComm identity post-onboarding. */
+    holder: Identity;
+    /** VTA's keyAgreement endpoint (resolved via `resolveKeyAgreement`). */
+    service: RemoteDidcommEndpoint;
+    /** fetch impl (defaults to global). */
+    fetch?: typeof fetch;
+}
+/**
+ * Run /auth/challenge → authcrypt /auth/ → bearer token. The token's
+ * 15-minute TTL is more than enough for a single trust-task POST; we
+ * don't cache because the next vault op happens whenever the user
+ * clicks something and would likely fall outside the cache window.
+ */
+export declare function getVtaBearer(opts: VtaAuthInputs): Promise<string>;
+export interface VaultTaskRequest {
+    /** Trust Task type URI (matches the request URI in the canonical spec). */
+    type: string;
+    /** Payload object — task-specific shape. */
+    payload: unknown;
+    /** Optional issuer DID; set when the consumer signs a `proof`. */
+    issuer?: string;
+    /** Optional recipient DID — the maintainer's DID. Audience-binds the doc. */
+    recipient?: string;
+}
+export interface PostTrustTaskOpts<R> {
+    baseUrl: string;
+    bearer: string;
+    envelope: VaultTaskRequest;
+    /** Expected response `type` URI (the `<request>#response` form). */
+    expectedResponseType: string;
+    fetch?: typeof fetch;
+    /** Internal: used to enrich error messages. */
+    operationLabel?: string;
+}
+/**
+ * POST an authenticated Trust Task envelope to /api/trust-tasks. The
+ * framework's dispatcher returns either a `<task>#response` document
+ * (success) or a `trust-task-error/0.1` document (reject). This helper
+ * differentiates the two: success returns the parsed `payload` cast as
+ * `R`; reject throws an `Error` carrying the framework's error code +
+ * comment so callers see "vault/upsert:version_conflict — ..." rather
+ * than a raw 400.
+ */
+export declare function postTrustTask<R>(opts: PostTrustTaskOpts<R>): Promise<R>;
+//# sourceMappingURL=transport.d.ts.map

package/dist/vault/transport.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"transport.d.ts","sourceRoot":"","sources":["../../src/vault/transport.ts"],"names":[],"mappings":"AAiBA,OAAO,EAAiB,KAAK,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AACnE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAI/D,MAAM,WAAW,aAAa;IAC5B,qEAAqE;IACrE,OAAO,EAAE,MAAM,CAAC;IAChB,wEAAwE;IACxE,MAAM,EAAE,QAAQ,CAAC;IACjB,wEAAwE;IACxE,OAAO,EAAE,qBAAqB,CAAC;IAC/B,uCAAuC;IACvC,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;CACtB;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAAC,IAAI,EAAE,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,CAgDvE;AAED,MAAM,WAAW,gBAAgB;IAC/B,2EAA2E;IAC3E,IAAI,EAAE,MAAM,CAAC;IACb,4CAA4C;IAC5C,OAAO,EAAE,OAAO,CAAC;IACjB,kEAAkE;IAClE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,6EAA6E;IAC7E,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,iBAAiB,CAAC,CAAC;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,oEAAoE;IACpE,oBAAoB,EAAE,MAAM,CAAC;IAC7B,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;IACrB,+CAA+C;IAC/C,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED;;;;;;;;GAQG;AACH,wBAAsB,aAAa,CAAC,CAAC,EAAE,IAAI,EAAE,iBAAiB,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAmD7E"}