@openvtc/pnm-core 0.1.0

package/dist/vta/bridge-memory.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bridge-memory.js","sourceRoot":"","sources":["../../src/vta/bridge-memory.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,QAAQ,EACR,aAAa,GAEd,MAAM,qBAAqB,CAAC;AAG7B;;;;GAIG;AACH,SAAS,gBAAgB,CAAC,GAAW;IACnC,IAAI,CAAC;QACH,MAAM,MAAM,GAAY,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACxC,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI;YAAE,OAAO,SAAS,CAAC;QACpE,MAAM,YAAY,GAAI,MAAkC,CAAC,SAAS,CAAC;QACnE,IAAI,OAAO,YAAY,KAAK,QAAQ;YAAE,OAAO,SAAS,CAAC;QACvD,MAAM,UAAU,GAAG,IAAI,CACrB,YAAY,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC,UAAU,CAAC,GAAG,EAAE,GAAG,CAAC,CACvD,CAAC;QACF,MAAM,MAAM,GAAY,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAC/C,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,MAAM,KAAK,IAAI;YAAE,OAAO,SAAS,CAAC;QACpE,MAAM,IAAI,GAAI,MAA6B,CAAC,IAAI,CAAC;QACjD,OAAO,OAAO,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC;IACrD,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,MAAM,YAAY,GAAG,yCAAyC,CAAC;AAqD/D;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,OAAO,qBAAqB;IACf,GAAG,CAAY;IACf,QAAQ,CAAY;IACpB,eAAe,CAAkC;IACjD,WAAW,CAAkC;IAC7C,gBAAgB,CAAkC;IAEnE,YAAY,IAAkC;QAC5C,IAAI,IAAI,CAAC,GAAG,KAAK,SAAS;YAAE,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;QAChD,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS;YAAE,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC/D,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,eAAe,CAAC;QAC5C,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,WAAW,IAAI,EAAE,CAAC;QAC1C,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC,gBAAgB,IAAI,EAAE,CAAC;IACtD,CAAC;IAED,KAAK,CAAC,iBAAiB,CACrB,cAAsB,EACtB,eAAuB,EACvB,QAAiC;QAEjC,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;QACjD,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CACb,yEAAyE,CAC1E,CAAC;QACJ,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,cAAsB;QAC/B,6DAA6D;QAC7D,6DAA6D;QAC7D,6DAA6D;QAC7D,+BAA+B;QAC/B,MAAM,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IACrC,CAAC;IAED;8EAC0E;IAClE,KAAK,CAAC,OAAO,CAAC,cAAsB;QAC1C,oEAAoE;QACpE,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAClB,MAAM,gBAAgB,GAAG,gBAAgB,CAAC,cAAc,CAAC,KAAK,SAAS,CAAC;YACxE,MAAM,SAAS,GAAG,MAAM,aAAa,CACnC;gBACE,KAAK,EAAE,cAAc;gBACrB,GAAG,CAAC,gBAAgB;oBAClB,CAAC,CAAC,EAAE,iBAAiB,EAAE,IAAI,CAAC,eAAe,CAAC,GAAG,EAAE;oBACjD,CAAC,CAAC,EAAE,CAAC;aACR,EACD,IAAI,CAAC,QAAQ,CACd,CAAC;YACF,IAAI,SAAS,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;gBACnC,MAAM,IAAI,KAAK,CACb,iCAAiC,SAAS,CAAC,IAAI,sBAAsB,CACtE,CAAC;YACJ,CAAC;YACD,MAAM,KAAK,GAAG,SAAS,CAAC,OACV,CAAC;YAEf,IAAI,KAAK,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gBAChC,OAAO,IAAI,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;YACrC,CAAC;YACD,OAAO,IAAI,CAAC,oBAAoB,CAAC,KAAK,CAAC,CAAC;QAC1C,CAAC;QAED,iEAAiE;QACjE,OAAO,IAAI,CAAC,eAAe,CAAC,cAAc,CAAC,CAAC;IAC9C,CAAC;IAEO,KAAK,CAAC,eAAe,CAAC,KAAsB;QAClD,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,kEAAkE,CAAC,CAAC;QACtF,CAAC;QACD,MAAM,SAAS,GAAG,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC;QACrD,IAAI,SAAS,KAAK,SAAS,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;QACvE,CAAC;QACD,MAAM,QAAQ,GACZ,OAAO,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACxE,OAAO,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,CAAC;IACxC,CAAC;IAEO,KAAK,CAAC,eAAe,CAAC,QAAgB;QAC5C,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;QACxE,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,aAAa,CAC/B,EAAE,KAAK,EAAE,QAAQ,EAAE,iBAAiB,EAAE,IAAI,CAAC,eAAe,CAAC,GAAG,EAAE,EAChE,IAAI,CAAC,GAAG,CACT,CAAC;QACF,IAAI,KAAK,CAAC,IAAI,KAAK,WAAW,EAAE,CAAC;YAC/B,MAAM,IAAI,KAAK,CAAC,yCAAyC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC;QACzE,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC;YACzB,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;QAC1E,CAAC;QACD,OAAO,IAAI,CAAC,QAAQ,CAClB,KAAK,CAAC,OAAkC,EACxC,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,GAAG,CACT,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,oBAAoB,CAAC,SAAuB;QACxD,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;QACnE,CAAC;QACD,OAAO,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,IAAI,CAAC,gBAAgB,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC;IACxE,CAAC;IAEO,KAAK,CAAC,QAAQ,CACpB,GAAiB,EACjB,QAAyC,EACzC,OAAiB;QAEjB,IAAI,CAAC,GAAG,CAAC,IAAI;YAAE,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACjE,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QAC7D,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;YACd,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;QACnE,CAAC;QACD,MAAM,OAAO,GAAG,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACnC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,KAAK,CAAC,0BAA0B,GAAG,CAAC,IAAI,EAAE,CAAC,CAAC;QACxD,CAAC;QACD,MAAM,KAAK,GAAG,MAAM,OAAO,CAAC;YAC1B,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,IAAI,EAAE,GAAG,CAAC,IAAI,IAAI,EAAE;YACpB,EAAE,EAAE,GAAG,CAAC,EAAE;SACX,CAAC,CAAC;QACH,IAAI,KAAK,IAAI,IAAI;YAAE,OAAO,IAAI,CAAC;QAC/B,qEAAqE;QACrE,gEAAgE;QAChE,iEAAiE;QACjE,sCAAsC;QACtC,OAAO;YACL,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,IAAI,EAAE,OAAO,CAAC,GAAG;YACjB,IAAI,EAAE,GAAG,CAAC,EAAE;YACZ,IAAI,EAAE,KAAK,CAAC,IAAI;SACjB,CAAC;IACJ,CAAC;CACF"}

package/dist/vta/client.d.ts

@@ -0,0 +1,40 @@
+import type { PasskeyEnrollmentResult } from "../webauthn/register.js";
+import type { VtaTransport } from "./transport.js";
+import type { EnrollmentChallengeResponse, EnrollmentSubmitRequest, EnrollmentSubmitResponse, PasskeyList } from "./types.js";
+export type { EnrollmentChallengeResponse, EnrollmentSubmitRequest, EnrollmentSubmitResponse, PasskeyList, };
+export interface VtaClientConfig {
+    /** Base URL of the VTA, e.g. `https://vta.example.com`. */
+    baseUrl: string;
+    /** Bearer token. See README — initial enrollment uses a short-lived
+     *  token minted by the `pnm` CLI; later requests use a passkey-derived JWT. */
+    accessToken: string;
+    /** Optional override for the global fetch. Useful for tests. */
+    fetch?: typeof fetch;
+}
+export declare class VtaClient implements VtaTransport {
+    private readonly baseUrl;
+    private readonly accessToken;
+    private readonly fetchImpl;
+    constructor(cfg: VtaClientConfig);
+    private request;
+    /**
+     * Step 1 of the enrollment ceremony: ask the VTA for a challenge.
+     * The challenge is stored server-side and verified against the
+     * `clientDataJSON.challenge` value the authenticator signs.
+     */
+    requestEnrollmentChallenge(did: string): Promise<EnrollmentChallengeResponse>;
+    /**
+     * Step 2: submit the credential. The VTA verifies the
+     * attestation, derives the VM `id`, appends a WebVH LogEntry, and
+     * returns the canonical VM as published.
+     */
+    submitPasskeyEnrollment(payload: EnrollmentSubmitRequest): Promise<EnrollmentSubmitResponse>;
+    listPasskeys(did: string): Promise<PasskeyList>;
+    removePasskey(did: string, fragment: string): Promise<void>;
+}
+/**
+ * Convenience: wire a `PasskeyEnrollmentResult` straight into the
+ * VTA's submit-enrollment request shape.
+ */
+export declare function enrollmentSubmitFromResult(did: string, result: PasskeyEnrollmentResult, ceremonyId: string, label?: string): EnrollmentSubmitRequest;
+//# sourceMappingURL=client.d.ts.map

package/dist/vta/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../src/vta/client.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,yBAAyB,CAAC;AAEvE,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,KAAK,EACV,2BAA2B,EAC3B,uBAAuB,EACvB,wBAAwB,EACxB,WAAW,EACZ,MAAM,YAAY,CAAC;AAEpB,YAAY,EACV,2BAA2B,EAC3B,uBAAuB,EACvB,wBAAwB,EACxB,WAAW,GACZ,CAAC;AAEF,MAAM,WAAW,eAAe;IAC9B,2DAA2D;IAC3D,OAAO,EAAE,MAAM,CAAC;IAChB;mFAC+E;IAC/E,WAAW,EAAE,MAAM,CAAC;IACpB,gEAAgE;IAChE,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;CACtB;AAED,qBAAa,SAAU,YAAW,YAAY;IAC5C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAS;IACjC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAe;gBAE7B,GAAG,EAAE,eAAe;YAMlB,OAAO;IA0BrB;;;;OAIG;IACH,0BAA0B,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,2BAA2B,CAAC;IAO7E;;;;OAIG;IACH,uBAAuB,CACrB,OAAO,EAAE,uBAAuB,GAC/B,OAAO,CAAC,wBAAwB,CAAC;IAOpC,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAK/C,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;CAO5D;AAED;;;GAGG;AACH,wBAAgB,0BAA0B,CACxC,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,uBAAuB,EAC/B,UAAU,EAAE,MAAM,EAClB,KAAK,CAAC,EAAE,MAAM,GACb,uBAAuB,CAczB"}

package/dist/vta/client.js

@@ -0,0 +1,91 @@
+import { errorFromResponse, VtaClientError } from "./errors.js";
+export class VtaClient {
+    baseUrl;
+    accessToken;
+    fetchImpl;
+    constructor(cfg) {
+        this.baseUrl = cfg.baseUrl.replace(/\/$/, "");
+        this.accessToken = cfg.accessToken;
+        this.fetchImpl = cfg.fetch ?? fetch.bind(globalThis);
+    }
+    async request(path, init = {}) {
+        let res;
+        try {
+            res = await this.fetchImpl(`${this.baseUrl}${path}`, {
+                ...init,
+                headers: {
+                    accept: "application/json",
+                    authorization: `Bearer ${this.accessToken}`,
+                    ...(init.body ? { "content-type": "application/json" } : {}),
+                    ...(init.headers ?? {}),
+                },
+            });
+        }
+        catch (err) {
+            throw new VtaClientError("e.client.network", err.message);
+        }
+        if (!res.ok)
+            throw await errorFromResponse(res);
+        if (res.status === 204)
+            return undefined;
+        try {
+            return (await res.json());
+        }
+        catch (err) {
+            throw new VtaClientError("e.client.parse", err.message, {
+                status: res.status,
+            });
+        }
+    }
+    /**
+     * Step 1 of the enrollment ceremony: ask the VTA for a challenge.
+     * The challenge is stored server-side and verified against the
+     * `clientDataJSON.challenge` value the authenticator signs.
+     */
+    requestEnrollmentChallenge(did) {
+        const qs = new URLSearchParams({ did }).toString();
+        return this.request(`/did/verification-methods/passkey/challenge?${qs}`, {
+            method: "POST",
+        });
+    }
+    /**
+     * Step 2: submit the credential. The VTA verifies the
+     * attestation, derives the VM `id`, appends a WebVH LogEntry, and
+     * returns the canonical VM as published.
+     */
+    submitPasskeyEnrollment(payload) {
+        return this.request("/did/verification-methods/passkey", {
+            method: "POST",
+            body: JSON.stringify(payload),
+        });
+    }
+    listPasskeys(did) {
+        const qs = new URLSearchParams({ did }).toString();
+        return this.request(`/did/verification-methods/passkey?${qs}`);
+    }
+    removePasskey(did, fragment) {
+        const qs = new URLSearchParams({ did }).toString();
+        return this.request(`/did/verification-methods/passkey/${encodeURIComponent(fragment)}?${qs}`, { method: "DELETE" });
+    }
+}
+/**
+ * Convenience: wire a `PasskeyEnrollmentResult` straight into the
+ * VTA's submit-enrollment request shape.
+ */
+export function enrollmentSubmitFromResult(did, result, ceremonyId, label) {
+    const req = {
+        did,
+        ceremonyId,
+        credentialId: result.credentialId,
+        publicKeyMultibase: result.publicKeyMultikey,
+        coseAlgorithm: result.coseAlg,
+        attestationObject: result.attestationObjectB64u,
+        clientDataJson: result.clientDataJsonB64u,
+        authenticatorData: result.authenticatorDataB64u,
+        transports: result.transports,
+    };
+    if (label !== undefined)
+        req.label = label;
+    return req;
+}
+//# sourceMappingURL=client.js.map

package/dist/vta/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../src/vta/client.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,iBAAiB,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AA0BhE,MAAM,OAAO,SAAS;IACH,OAAO,CAAS;IAChB,WAAW,CAAS;IACpB,SAAS,CAAe;IAEzC,YAAY,GAAoB;QAC9B,IAAI,CAAC,OAAO,GAAG,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;QAC9C,IAAI,CAAC,WAAW,GAAG,GAAG,CAAC,WAAW,CAAC;QACnC,IAAI,CAAC,SAAS,GAAG,GAAG,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACvD,CAAC;IAEO,KAAK,CAAC,OAAO,CAAI,IAAY,EAAE,OAAoB,EAAE;QAC3D,IAAI,GAAa,CAAC;QAClB,IAAI,CAAC;YACH,GAAG,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,EAAE;gBACnD,GAAG,IAAI;gBACP,OAAO,EAAE;oBACP,MAAM,EAAE,kBAAkB;oBAC1B,aAAa,EAAE,UAAU,IAAI,CAAC,WAAW,EAAE;oBAC3C,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;oBAC5D,GAAG,CAAC,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC;iBACxB;aACF,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,cAAc,CAAC,kBAAkB,EAAG,GAAa,CAAC,OAAO,CAAC,CAAC;QACvE,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,EAAE;YAAE,MAAM,MAAM,iBAAiB,CAAC,GAAG,CAAC,CAAC;QAChD,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG;YAAE,OAAO,SAAc,CAAC;QAC9C,IAAI,CAAC;YACH,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAM,CAAC;QACjC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,IAAI,cAAc,CAAC,gBAAgB,EAAG,GAAa,CAAC,OAAO,EAAE;gBACjE,MAAM,EAAE,GAAG,CAAC,MAAM;aACnB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED;;;;OAIG;IACH,0BAA0B,CAAC,GAAW;QACpC,MAAM,EAAE,GAAG,IAAI,eAAe,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC;QACnD,OAAO,IAAI,CAAC,OAAO,CAAC,+CAA+C,EAAE,EAAE,EAAE;YACvE,MAAM,EAAE,MAAM;SACf,CAAC,CAAC;IACL,CAAC;IAED;;;;OAIG;IACH,uBAAuB,CACrB,OAAgC;QAEhC,OAAO,IAAI,CAAC,OAAO,CAAC,mCAAmC,EAAE;YACvD,MAAM,EAAE,MAAM;YACd,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;SAC9B,CAAC,CAAC;IACL,CAAC;IAED,YAAY,CAAC,GAAW;QACtB,MAAM,EAAE,GAAG,IAAI,eAAe,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC;QACnD,OAAO,IAAI,CAAC,OAAO,CAAC,qCAAqC,EAAE,EAAE,CAAC,CAAC;IACjE,CAAC;IAED,aAAa,CAAC,GAAW,EAAE,QAAgB;QACzC,MAAM,EAAE,GAAG,IAAI,eAAe,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,QAAQ,EAAE,CAAC;QACnD,OAAO,IAAI,CAAC,OAAO,CACjB,qCAAqC,kBAAkB,CAAC,QAAQ,CAAC,IAAI,EAAE,EAAE,EACzE,EAAE,MAAM,EAAE,QAAQ,EAAE,CACrB,CAAC;IACJ,CAAC;CACF;AAED;;;GAGG;AACH,MAAM,UAAU,0BAA0B,CACxC,GAAW,EACX,MAA+B,EAC/B,UAAkB,EAClB,KAAc;IAEd,MAAM,GAAG,GAA4B;QACnC,GAAG;QACH,UAAU;QACV,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,kBAAkB,EAAE,MAAM,CAAC,iBAAiB;QAC5C,aAAa,EAAE,MAAM,CAAC,OAAO;QAC7B,iBAAiB,EAAE,MAAM,CAAC,qBAAqB;QAC/C,cAAc,EAAE,MAAM,CAAC,kBAAkB;QACzC,iBAAiB,EAAE,MAAM,CAAC,qBAAqB;QAC/C,UAAU,EAAE,MAAM,CAAC,UAAU;KAC9B,CAAC;IACF,IAAI,KAAK,KAAK,SAAS;QAAE,GAAG,CAAC,KAAK,GAAG,KAAK,CAAC;IAC3C,OAAO,GAAG,CAAC;AACb,CAAC"}

package/dist/vta/contexts.d.ts

@@ -0,0 +1,60 @@
+import type { Identity } from "../didcomm/index.js";
+import type { RemoteDidcommEndpoint } from "./didcomm.js";
+/** One context record as returned by `GET /contexts` and `POST /contexts`.
+ *  Field naming mirrors the VTA's `CreateContextResultBody` exactly. */
+export interface ContextRecord {
+    id: string;
+    name: string;
+    did: string | null;
+    description: string | null;
+    base_path: string;
+    created_at: string;
+    updated_at: string;
+}
+export interface VtaListContextsOptions {
+    /** VTA REST base URL (from `#vta-rest`, e.g. `http://localhost:8100`). */
+    baseUrl: string;
+    /** The wallet's holder identity — its DID must be in the VTA's ACL
+     *  with any role (`/contexts` is `AuthClaims`-gated, not admin-only).
+     *  The DID is also the authcrypt sender. */
+    holder: Identity;
+    /** The VTA's DID + keyAgreement key (inner authcrypt recipient). */
+    service: RemoteDidcommEndpoint;
+    /** fetch impl override (defaults to global). */
+    fetch?: typeof fetch;
+}
+/** List the contexts the holder has access to.
+ *
+ *  Super-admins see every context; context-admins see only the contexts
+ *  they're scoped into. Per-context Reader/Application/Initiator roles
+ *  also see their own contexts (the `/contexts` route is gated by any
+ *  authenticated user; the operation filters by `has_context_access`).
+ *
+ *  Same auth shape as `vaultListRest` — challenge → authcrypt → bearer.
+ *  No token caching: each call does a fresh round-trip. Acceptable for
+ *  the AddEntryForm's on-mount fetch; can grow a cache layer later. */
+export declare function vtaListContexts(opts: VtaListContextsOptions): Promise<ContextRecord[]>;
+export interface VtaCreateContextOptions extends VtaListContextsOptions {
+    /** Context id — the operator-chosen short name (e.g. `work`,
+     *  `openvtc-glenn`). Must be unique on the VTA; conflict surfaces as
+     *  HTTP 409 / Conflict. */
+    id: string;
+    /** Human-readable name; the VTA records this verbatim for audit /
+     *  display. Defaults to `id` if omitted. */
+    name?: string;
+    /** Optional free-form description. */
+    description?: string;
+}
+/** Create a new context on the VTA.
+ *
+ *  Auth: **super-admin only** (`/contexts` POST is gated by
+ *  `SuperAdminAuth` server-side). The wallet's holder must be a global
+ *  admin (Admin role with empty `allowed_contexts`); context-admins
+ *  surface as `Forbidden` and the popup should refuse to enter this
+ *  path for them.
+ *
+ *  Returns the freshly-created context record (the VTA echoes back
+ *  `base_path`, `created_at`, etc.) so the caller can use the new id
+ *  immediately without a second list call. */
+export declare function vtaCreateContext(opts: VtaCreateContextOptions): Promise<ContextRecord>;
+//# sourceMappingURL=contexts.d.ts.map

package/dist/vta/contexts.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"contexts.d.ts","sourceRoot":"","sources":["../../src/vta/contexts.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,cAAc,CAAC;AAI1D;wEACwE;AACxE,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB;AAOD,MAAM,WAAW,sBAAsB;IACrC,0EAA0E;IAC1E,OAAO,EAAE,MAAM,CAAC;IAChB;;gDAE4C;IAC5C,MAAM,EAAE,QAAQ,CAAC;IACjB,oEAAoE;IACpE,OAAO,EAAE,qBAAqB,CAAC;IAC/B,gDAAgD;IAChD,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;CACtB;AAED;;;;;;;;;uEASuE;AACvE,wBAAsB,eAAe,CACnC,IAAI,EAAE,sBAAsB,GAC3B,OAAO,CAAC,aAAa,EAAE,CAAC,CAgB1B;AAED,MAAM,WAAW,uBAAwB,SAAQ,sBAAsB;IACrE;;+BAE2B;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX;gDAC4C;IAC5C,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,sCAAsC;IACtC,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED;;;;;;;;;;8CAU8C;AAC9C,wBAAsB,gBAAgB,CACpC,IAAI,EAAE,uBAAuB,GAC5B,OAAO,CAAC,aAAa,CAAC,CAwBxB"}

package/dist/vta/contexts.js

@@ -0,0 +1,118 @@
+// REST client for the VTA's contexts API.
+//
+// Used by the popup's AddEntryForm to fetch the operator's accessible
+// contexts (instead of guessing from the contexts already on loaded
+// vault entries) and to create a new context inline when the operator
+// picks "+ New context…" in the picker.
+//
+// Authentication: same primitive every authenticated REST call uses —
+// authcrypted `atm/1.0/authenticate` to the VTA's keyAgreement key,
+// followed by a bearer-token-authed JSON request. The auth round-trip
+// is identical to `vault/list/0.1` (no token cache).
+//
+// Mirrors `vta-sdk::protocols::context_management::{list, create}`
+// wire shapes — snake_case fields, no `data` envelope.
+import { packAuthcrypt } from "../didcomm/index.js";
+const VTA_AUTHENTICATE = "https://affinidi.com/atm/1.0/authenticate";
+/** List the contexts the holder has access to.
+ *
+ *  Super-admins see every context; context-admins see only the contexts
+ *  they're scoped into. Per-context Reader/Application/Initiator roles
+ *  also see their own contexts (the `/contexts` route is gated by any
+ *  authenticated user; the operation filters by `has_context_access`).
+ *
+ *  Same auth shape as `vaultListRest` — challenge → authcrypt → bearer.
+ *  No token caching: each call does a fresh round-trip. Acceptable for
+ *  the AddEntryForm's on-mount fetch; can grow a cache layer later. */
+export async function vtaListContexts(opts) {
+    const { baseUrl, holder, service } = opts;
+    const f = opts.fetch ?? fetch.bind(globalThis);
+    const base = baseUrl.replace(/\/+$/, "");
+    const accessToken = await authenticate(base, holder, service, f);
+    const res = await f(`${base}/contexts`, {
+        method: "GET",
+        headers: { authorization: `Bearer ${accessToken}` },
+    });
+    if (!res.ok) {
+        throw new Error(`vta /contexts failed (${res.status}): ${await res.text()}`);
+    }
+    const body = (await res.json());
+    return body.contexts ?? [];
+}
+/** Create a new context on the VTA.
+ *
+ *  Auth: **super-admin only** (`/contexts` POST is gated by
+ *  `SuperAdminAuth` server-side). The wallet's holder must be a global
+ *  admin (Admin role with empty `allowed_contexts`); context-admins
+ *  surface as `Forbidden` and the popup should refuse to enter this
+ *  path for them.
+ *
+ *  Returns the freshly-created context record (the VTA echoes back
+ *  `base_path`, `created_at`, etc.) so the caller can use the new id
+ *  immediately without a second list call. */
+export async function vtaCreateContext(opts) {
+    const { baseUrl, holder, service, id, name, description } = opts;
+    const f = opts.fetch ?? fetch.bind(globalThis);
+    const base = baseUrl.replace(/\/+$/, "");
+    const accessToken = await authenticate(base, holder, service, f);
+    const reqBody = {
+        id,
+        name: name ?? id,
+        ...(description ? { description } : {}),
+    };
+    const res = await f(`${base}/contexts`, {
+        method: "POST",
+        headers: {
+            "content-type": "application/json",
+            authorization: `Bearer ${accessToken}`,
+        },
+        body: JSON.stringify(reqBody),
+    });
+    if (!res.ok) {
+        throw new Error(`vta /contexts create failed (${res.status}): ${await res.text()}`);
+    }
+    return (await res.json());
+}
+/** Run the wallet's standard challenge + authcrypt + token round-trip
+ *  and return the access token. Same primitive every authenticated
+ *  REST call here uses; not exported because callers should pick a
+ *  domain-specific helper that runs this internally. */
+async function authenticate(base, holder, service, f) {
+    const cRes = await f(`${base}/auth/challenge`, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ did: holder.did }),
+    });
+    if (!cRes.ok) {
+        throw new Error(`vta /auth/challenge failed (${cRes.status}): ${await cRes.text()}`);
+    }
+    const cBody = (await cRes.json());
+    if (!cBody.sessionId || !cBody.challenge) {
+        throw new Error(`vta /auth/challenge: malformed response: ${JSON.stringify(cBody)}`);
+    }
+    const authMsg = {
+        id: globalThis.crypto.randomUUID(),
+        type: VTA_AUTHENTICATE,
+        from: holder.did,
+        to: [service.did],
+        body: { challenge: cBody.challenge, session_id: cBody.sessionId },
+    };
+    const packed = await packAuthcrypt(authMsg, holder, [
+        { kid: service.keyAgreementKid, jwk: service.keyAgreementPublicJwk },
+    ]);
+    const aRes = await f(`${base}/auth/`, {
+        method: "POST",
+        headers: { "content-type": "application/didcomm-encrypted+json" },
+        body: packed,
+    });
+    if (!aRes.ok) {
+        throw new Error(`vta /auth/ failed (${aRes.status}): ${await aRes.text()}`);
+    }
+    const aBody = (await aRes.json());
+    const accessToken = aBody.tokens?.accessToken;
+    if (!accessToken) {
+        throw new Error(`vta /auth/: malformed response: ${JSON.stringify(aBody)}`);
+    }
+    return accessToken;
+}
+//# sourceMappingURL=contexts.js.map

package/dist/vta/contexts.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"contexts.js","sourceRoot":"","sources":["../../src/vta/contexts.ts"],"names":[],"mappings":"AAAA,0CAA0C;AAC1C,EAAE;AACF,sEAAsE;AACtE,oEAAoE;AACpE,sEAAsE;AACtE,wCAAwC;AACxC,EAAE;AACF,sEAAsE;AACtE,oEAAoE;AACpE,sEAAsE;AACtE,qDAAqD;AACrD,EAAE;AACF,mEAAmE;AACnE,uDAAuD;AAEvD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AAIpD,MAAM,gBAAgB,GAAG,2CAA2C,CAAC;AAgCrE;;;;;;;;;uEASuE;AACvE,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,IAA4B;IAE5B,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IAC1C,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC/C,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAEzC,MAAM,WAAW,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;IAEjE,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,GAAG,IAAI,WAAW,EAAE;QACtC,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,WAAW,EAAE,EAAE;KACpD,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,yBAAyB,GAAG,CAAC,MAAM,MAAM,MAAM,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAC/E,CAAC;IACD,MAAM,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAqB,CAAC;IACpD,OAAO,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;AAC7B,CAAC;AAcD;;;;;;;;;;8CAU8C;AAC9C,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,IAA6B;IAE7B,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,GAAG,IAAI,CAAC;IACjE,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IAC/C,MAAM,IAAI,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAEzC,MAAM,WAAW,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;IAEjE,MAAM,OAAO,GAAuD;QAClE,EAAE;QACF,IAAI,EAAE,IAAI,IAAI,EAAE;QAChB,GAAG,CAAC,WAAW,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACxC,CAAC;IACF,MAAM,GAAG,GAAG,MAAM,CAAC,CAAC,GAAG,IAAI,WAAW,EAAE;QACtC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,cAAc,EAAE,kBAAkB;YAClC,aAAa,EAAE,UAAU,WAAW,EAAE;SACvC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;KAC9B,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,gCAAgC,GAAG,CAAC,MAAM,MAAM,MAAM,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACtF,CAAC;IACD,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAkB,CAAC;AAC7C,CAAC;AAED;;;wDAGwD;AACxD,KAAK,UAAU,YAAY,CACzB,IAAY,EACZ,MAAgB,EAChB,OAA8B,EAC9B,CAAe;IAEf,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,IAAI,iBAAiB,EAAE;QAC7C,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,CAAC;KAC1C,CAAC,CAAC;IACH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,+BAA+B,IAAI,CAAC,MAAM,MAAM,MAAM,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IACvF,CAAC;IACD,MAAM,KAAK,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAA+C,CAAC;IAChF,IAAI,CAAC,KAAK,CAAC,SAAS,IAAI,CAAC,KAAK,CAAC,SAAS,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,4CAA4C,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IACvF,CAAC;IAED,MAAM,OAAO,GAAG;QACd,EAAE,EAAE,UAAU,CAAC,MAAM,CAAC,UAAU,EAAE;QAClC,IAAI,EAAE,gBAAgB;QACtB,IAAI,EAAE,MAAM,CAAC,GAAG;QAChB,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC;QACjB,IAAI,EAAE,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE,UAAU,EAAE,KAAK,CAAC,SAAS,EAAE;KAClE,CAAC;IACF,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE;QAClD,EAAE,GAAG,EAAE,OAAO,CAAC,eAAe,EAAE,GAAG,EAAE,OAAO,CAAC,qBAAqB,EAAE;KACrE,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,GAAG,IAAI,QAAQ,EAAE;QACpC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,oCAAoC,EAAE;QACjE,IAAI,EAAE,MAAM;KACb,CAAC,CAAC;IACH,IAAI,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,sBAAsB,IAAI,CAAC,MAAM,MAAM,MAAM,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAC9E,CAAC;IACD,MAAM,KAAK,GAAG,CAAC,MAAM,IAAI,CAAC,IAAI,EAAE,CAA0C,CAAC;IAC3E,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,EAAE,WAAW,CAAC;IAC9C,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,mCAAmC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAC9E,CAAC;IACD,OAAO,WAAW,CAAC;AACrB,CAAC"}

package/dist/vta/didcomm.d.ts

@@ -0,0 +1,57 @@
+import { Identity, type PublicJwk } from "../didcomm/index.js";
+import type { DidcommMessageBridge, VtaTransport } from "./transport.js";
+import type { EnrollmentChallengeResponse, EnrollmentSubmitRequest, EnrollmentSubmitResponse, PasskeyList } from "./types.js";
+export interface RemoteDidcommEndpoint {
+    did: string;
+    keyAgreementKid: string;
+    keyAgreementPublicJwk: PublicJwk;
+}
+export interface DidcommVtaTransportOptions {
+    bridge: DidcommMessageBridge;
+    holder: Identity;
+    vta: RemoteDidcommEndpoint;
+    /** Optional mediator. When set, every outbound message gets wrapped
+     *  in a routing/2.0/forward envelope and anoncrypt'd to the mediator. */
+    mediator?: RemoteDidcommEndpoint;
+    /** Per-request timeout (default 30s). */
+    timeoutMs?: number;
+}
+/**
+ * VTA transport over DIDComm v2. Authcrypts every request from the
+ * holder to the VTA, optionally wraps in a `routing/2.0/forward`
+ * envelope for a mediator, and dispatches via an injected
+ * `DidcommMessageBridge`. The bridge owns the actual network IO
+ * (WebSocket, HTTPS, etc.) — keeping this class transport-pure makes
+ * it directly testable with an in-memory bridge.
+ */
+export declare class DidcommVtaTransport implements VtaTransport {
+    private readonly bridge;
+    private readonly holder;
+    private readonly vta;
+    private readonly mediator?;
+    private readonly timeoutMs;
+    constructor(opts: DidcommVtaTransportOptions);
+    requestEnrollmentChallenge(did: string): Promise<EnrollmentChallengeResponse>;
+    submitPasskeyEnrollment(req: EnrollmentSubmitRequest): Promise<EnrollmentSubmitResponse>;
+    listPasskeys(did: string): Promise<PasskeyList>;
+    removePasskey(did: string, fragment: string): Promise<void>;
+    /**
+     * Build, transmit, and unwrap a Trust-Task request/response exchange.
+     * The reply is a binding envelope whose body is a `TrustTask`
+     * document — either the operation's success response (return its
+     * `payload`) or a `trust-task-error/0.1` (throw a mapped error).
+     */
+    private exchange;
+    /**
+     * Build the wire form: a `TrustTask` envelope (the request) carried as
+     * the body of a binding-typed DIDComm message, authcrypt'd to the VTA
+     * and (when a mediator is configured) wrapped in a routing/2.0/forward.
+     * Public-ish so the smoke helper can introspect the envelope.
+     */
+    buildOutbound<Req extends object>(taskUri: string, payload: Req): Promise<{
+        outer: string;
+        inner: string;
+        requestId: string;
+    }>;
+}
+//# sourceMappingURL=didcomm.d.ts.map

package/dist/vta/didcomm.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"didcomm.d.ts","sourceRoot":"","sources":["../../src/vta/didcomm.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,QAAQ,EAIR,KAAK,SAAS,EACf,MAAM,qBAAqB,CAAC;AAa7B,OAAO,KAAK,EAAE,oBAAoB,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AACzE,OAAO,KAAK,EACV,2BAA2B,EAC3B,uBAAuB,EACvB,wBAAwB,EACxB,WAAW,EACZ,MAAM,YAAY,CAAC;AAEpB,MAAM,WAAW,qBAAqB;IACpC,GAAG,EAAE,MAAM,CAAC;IACZ,eAAe,EAAE,MAAM,CAAC;IACxB,qBAAqB,EAAE,SAAS,CAAC;CAClC;AAED,MAAM,WAAW,0BAA0B;IACzC,MAAM,EAAE,oBAAoB,CAAC;IAC7B,MAAM,EAAE,QAAQ,CAAC;IACjB,GAAG,EAAE,qBAAqB,CAAC;IAC3B;6EACyE;IACzE,QAAQ,CAAC,EAAE,qBAAqB,CAAC;IACjC,yCAAyC;IACzC,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAQD;;;;;;;GAOG;AACH,qBAAa,mBAAoB,YAAW,YAAY;IACtD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAuB;IAC9C,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAW;IAClC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAwB;IAC5C,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAwB;IAClD,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;gBAEvB,IAAI,EAAE,0BAA0B;IAQ5C,0BAA0B,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,2BAA2B,CAAC;IAO7E,uBAAuB,CAAC,GAAG,EAAE,uBAAuB,GAAG,OAAO,CAAC,wBAAwB,CAAC;IAmBxF,YAAY,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;IAIzC,aAAa,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAOjE;;;;;OAKG;YACW,QAAQ;IA4CtB;;;;;OAKG;IACG,aAAa,CAAC,GAAG,SAAS,MAAM,EACpC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,GAAG,GACX,OAAO,CAAC;QAAE,KAAK,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;CAqChE"}

package/dist/vta/didcomm.js

@@ -0,0 +1,138 @@
+import { Identity, packAuthcrypt, packAuthcryptJson, wrapForward, } from "../didcomm/index.js";
+import { VtaClientError } from "./errors.js";
+import { PasskeyVmTask, TRUST_TASK_ENVELOPE_TYPE, TRUST_TASK_ERROR_TYPE, } from "./protocol.js";
+const DEFAULT_TIMEOUT_MS = 30_000;
+function newMessageId() {
+    return globalThis.crypto.randomUUID();
+}
+/**
+ * VTA transport over DIDComm v2. Authcrypts every request from the
+ * holder to the VTA, optionally wraps in a `routing/2.0/forward`
+ * envelope for a mediator, and dispatches via an injected
+ * `DidcommMessageBridge`. The bridge owns the actual network IO
+ * (WebSocket, HTTPS, etc.) — keeping this class transport-pure makes
+ * it directly testable with an in-memory bridge.
+ */
+export class DidcommVtaTransport {
+    bridge;
+    holder;
+    vta;
+    mediator;
+    timeoutMs;
+    constructor(opts) {
+        this.bridge = opts.bridge;
+        this.holder = opts.holder;
+        this.vta = opts.vta;
+        if (opts.mediator !== undefined)
+            this.mediator = opts.mediator;
+        this.timeoutMs = opts.timeoutMs ?? DEFAULT_TIMEOUT_MS;
+    }
+    requestEnrollmentChallenge(did) {
+        return this.exchange(PasskeyVmTask.enrollChallenge, { did });
+    }
+    submitPasskeyEnrollment(req) {
+        const payload = {
+            did: req.did,
+            ceremonyId: req.ceremonyId,
+            credentialId: req.credentialId,
+            publicKeyMultibase: req.publicKeyMultibase,
+            coseAlgorithm: req.coseAlgorithm,
+            attestationObject: req.attestationObject,
+            clientDataJson: req.clientDataJson,
+            authenticatorData: req.authenticatorData,
+            transports: req.transports,
+            ...(req.label !== undefined ? { label: req.label } : {}),
+        };
+        return this.exchange(PasskeyVmTask.enrollSubmit, payload);
+    }
+    listPasskeys(did) {
+        return this.exchange(PasskeyVmTask.list, { did });
+    }
+    async removePasskey(did, fragment) {
+        await this.exchange(PasskeyVmTask.revoke, {
+            did,
+            fragment,
+        });
+    }
+    /**
+     * Build, transmit, and unwrap a Trust-Task request/response exchange.
+     * The reply is a binding envelope whose body is a `TrustTask`
+     * document — either the operation's success response (return its
+     * `payload`) or a `trust-task-error/0.1` (throw a mapped error).
+     */
+    async exchange(taskUri, payload) {
+        const packed = await this.buildOutbound(taskUri, payload);
+        // The bridge returns the decrypted, sender-authenticated reply (it
+        // owns unpacking; only authenticated authcrypt frames are surfaced).
+        const msg = await this.bridge.sendAndAwaitReply(packed.outer, packed.requestId, { timeoutMs: this.timeoutMs });
+        if (msg.type !== TRUST_TASK_ENVELOPE_TYPE) {
+            throw new VtaClientError("e.client.parse", `reply type ${msg.type ?? "(none)"} != Trust-Task binding envelope`);
+        }
+        if (msg.thid !== packed.requestId) {
+            throw new VtaClientError("e.client.parse", `reply thid ${msg.thid ?? "(none)"} != request id ${packed.requestId}`);
+        }
+        if (msg.from !== this.vta.did) {
+            throw new VtaClientError("e.p.msg.unauthorized", `reply from ${msg.from ?? "(none)"} != VTA ${this.vta.did}`);
+        }
+        const doc = (msg.body ?? {});
+        if (doc.type === TRUST_TASK_ERROR_TYPE) {
+            const err = (doc.payload ?? {});
+            throw new VtaClientError(coerceTrustTaskCode(err.code), err.message ?? err.code ?? "trust-task error", { details: err });
+        }
+        return (doc.payload ?? {});
+    }
+    /**
+     * Build the wire form: a `TrustTask` envelope (the request) carried as
+     * the body of a binding-typed DIDComm message, authcrypt'd to the VTA
+     * and (when a mediator is configured) wrapped in a routing/2.0/forward.
+     * Public-ish so the smoke helper can introspect the envelope.
+     */
+    async buildOutbound(taskUri, payload) {
+        const requestId = newMessageId();
+        const envelope = {
+            id: requestId,
+            type: taskUri,
+            issuer: this.holder.did,
+            issuedAt: new Date().toISOString(),
+            payload,
+        };
+        const message = {
+            id: requestId,
+            type: TRUST_TASK_ENVELOPE_TYPE,
+            from: this.holder.did,
+            to: [this.vta.did],
+            body: envelope,
+        };
+        const inner = await packAuthcrypt(message, this.holder, [
+            { kid: this.vta.keyAgreementKid, jwk: this.vta.keyAgreementPublicJwk },
+        ]);
+        if (!this.mediator)
+            return { outer: inner, inner, requestId };
+        const forwardJson = wrapForward(this.vta.did, this.holder.did, this.mediator.did, inner);
+        const outer = await packAuthcryptJson(forwardJson, this.holder, [
+            {
+                kid: this.mediator.keyAgreementKid,
+                jwk: this.mediator.keyAgreementPublicJwk,
+            },
+        ]);
+        return { outer, inner, requestId };
+    }
+}
+/** Map a framework Trust-Task status `code` to a typed `VtaErrorCode`
+ *  so the CLI/UI layer can give targeted guidance. */
+function coerceTrustTaskCode(code) {
+    switch (code) {
+        case "permission_denied":
+            return "e.p.msg.forbidden";
+        case "internal_error":
+        case "unavailable":
+            return "e.p.msg.internal";
+        case "malformed_request":
+        case "unsupported_type":
+        case "task_failed":
+            return "e.p.msg.bad_request";
+        default:
+            return "e.p.msg.bad_request";
+    }
+}
+//# sourceMappingURL=didcomm.js.map

package/dist/vta/didcomm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"didcomm.js","sourceRoot":"","sources":["../../src/vta/didcomm.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,QAAQ,EACR,aAAa,EACb,iBAAiB,EACjB,WAAW,GAEZ,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,cAAc,EAAqB,MAAM,aAAa,CAAC;AAChE,OAAO,EACL,aAAa,EACb,wBAAwB,EACxB,qBAAqB,GAOtB,MAAM,eAAe,CAAC;AA0BvB,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAElC,SAAS,YAAY;IACnB,OAAO,UAAU,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;AACxC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,OAAO,mBAAmB;IACb,MAAM,CAAuB;IAC7B,MAAM,CAAW;IACjB,GAAG,CAAwB;IAC3B,QAAQ,CAAyB;IACjC,SAAS,CAAS;IAEnC,YAAY,IAAgC;QAC1C,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC1B,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;QAC1B,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC;QACpB,IAAI,IAAI,CAAC,QAAQ,KAAK,SAAS;YAAE,IAAI,CAAC,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC;QAC/D,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,SAAS,IAAI,kBAAkB,CAAC;IACxD,CAAC;IAED,0BAA0B,CAAC,GAAW;QACpC,OAAO,IAAI,CAAC,QAAQ,CAClB,aAAa,CAAC,eAAe,EAC7B,EAAE,GAAG,EAAE,CACR,CAAC;IACJ,CAAC;IAED,uBAAuB,CAAC,GAA4B;QAClD,MAAM,OAAO,GAAwB;YACnC,GAAG,EAAE,GAAG,CAAC,GAAG;YACZ,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,YAAY,EAAE,GAAG,CAAC,YAAY;YAC9B,kBAAkB,EAAE,GAAG,CAAC,kBAAkB;YAC1C,aAAa,EAAE,GAAG,CAAC,aAAa;YAChC,iBAAiB,EAAE,GAAG,CAAC,iBAAiB;YACxC,cAAc,EAAE,GAAG,CAAC,cAAc;YAClC,iBAAiB,EAAE,GAAG,CAAC,iBAAiB;YACxC,UAAU,EAAE,GAAG,CAAC,UAAU;YAC1B,GAAG,CAAC,GAAG,CAAC,KAAK,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACzD,CAAC;QACF,OAAO,IAAI,CAAC,QAAQ,CAClB,aAAa,CAAC,YAAY,EAC1B,OAAO,CACR,CAAC;IACJ,CAAC;IAED,YAAY,CAAC,GAAW;QACtB,OAAO,IAAI,CAAC,QAAQ,CAA2B,aAAa,CAAC,IAAI,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;IAC9E,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,GAAW,EAAE,QAAgB;QAC/C,MAAM,IAAI,CAAC,QAAQ,CAAyB,aAAa,CAAC,MAAM,EAAE;YAChE,GAAG;YACH,QAAQ;SACT,CAAC,CAAC;IACL,CAAC;IAED;;;;;OAKG;IACK,KAAK,CAAC,QAAQ,CACpB,OAAe,EACf,OAAY;QAEZ,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAE1D,mEAAmE;QACnE,qEAAqE;QACrE,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAC7C,MAAM,CAAC,KAAK,EACZ,MAAM,CAAC,SAAS,EAChB,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAC9B,CAAC;QACF,IAAI,GAAG,CAAC,IAAI,KAAK,wBAAwB,EAAE,CAAC;YAC1C,MAAM,IAAI,cAAc,CACtB,gBAAgB,EAChB,cAAc,GAAG,CAAC,IAAI,IAAI,QAAQ,iCAAiC,CACpE,CAAC;QACJ,CAAC;QACD,IAAI,GAAG,CAAC,IAAI,KAAK,MAAM,CAAC,SAAS,EAAE,CAAC;YAClC,MAAM,IAAI,cAAc,CACtB,gBAAgB,EAChB,cAAc,GAAG,CAAC,IAAI,IAAI,QAAQ,kBAAkB,MAAM,CAAC,SAAS,EAAE,CACvE,CAAC;QACJ,CAAC;QACD,IAAI,GAAG,CAAC,IAAI,KAAK,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;YAC9B,MAAM,IAAI,cAAc,CACtB,sBAAsB,EACtB,cAAc,GAAG,CAAC,IAAI,IAAI,QAAQ,WAAW,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAC5D,CAAC;QACJ,CAAC;QAED,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAuB,CAAC;QACnD,IAAI,GAAG,CAAC,IAAI,KAAK,qBAAqB,EAAE,CAAC;YACvC,MAAM,GAAG,GAAG,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAA0B,CAAC;YACzD,MAAM,IAAI,cAAc,CACtB,mBAAmB,CAAC,GAAG,CAAC,IAAI,CAAC,EAC7B,GAAG,CAAC,OAAO,IAAI,GAAG,CAAC,IAAI,IAAI,kBAAkB,EAC7C,EAAE,OAAO,EAAE,GAAG,EAAE,CACjB,CAAC;QACJ,CAAC;QACD,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAQ,CAAC;IACpC,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,aAAa,CACjB,OAAe,EACf,OAAY;QAEZ,MAAM,SAAS,GAAG,YAAY,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAmB;YAC/B,EAAE,EAAE,SAAS;YACb,IAAI,EAAE,OAAO;YACb,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG;YACvB,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YAClC,OAAO;SACR,CAAC;QACF,MAAM,OAAO,GAAG;YACd,EAAE,EAAE,SAAS;YACb,IAAI,EAAE,wBAAwB;YAC9B,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG;YACrB,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC;YAClB,IAAI,EAAE,QAAQ;SACf,CAAC;QAEF,MAAM,KAAK,GAAG,MAAM,aAAa,CAAC,OAAO,EAAE,IAAI,CAAC,MAAM,EAAE;YACtD,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,qBAAqB,EAAE;SACvE,CAAC,CAAC;QAEH,IAAI,CAAC,IAAI,CAAC,QAAQ;YAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;QAE9D,MAAM,WAAW,GAAG,WAAW,CAC7B,IAAI,CAAC,GAAG,CAAC,GAAG,EACZ,IAAI,CAAC,MAAM,CAAC,GAAG,EACf,IAAI,CAAC,QAAQ,CAAC,GAAG,EACjB,KAAK,CACN,CAAC;QACF,MAAM,KAAK,GAAG,MAAM,iBAAiB,CAAC,WAAW,EAAE,IAAI,CAAC,MAAM,EAAE;YAC9D;gBACE,GAAG,EAAE,IAAI,CAAC,QAAQ,CAAC,eAAe;gBAClC,GAAG,EAAE,IAAI,CAAC,QAAQ,CAAC,qBAAqB;aACzC;SACF,CAAC,CAAC;QACH,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,SAAS,EAAE,CAAC;IACrC,CAAC;CACF;AAED;sDACsD;AACtD,SAAS,mBAAmB,CAAC,IAAwB;IACnD,QAAQ,IAAI,EAAE,CAAC;QACb,KAAK,mBAAmB;YACtB,OAAO,mBAAmB,CAAC;QAC7B,KAAK,gBAAgB,CAAC;QACtB,KAAK,aAAa;YAChB,OAAO,kBAAkB,CAAC;QAC5B,KAAK,mBAAmB,CAAC;QACzB,KAAK,kBAAkB,CAAC;QACxB,KAAK,aAAa;YAChB,OAAO,qBAAqB,CAAC;QAC/B;YACE,OAAO,qBAAqB,CAAC;IACjC,CAAC;AACH,CAAC"}

package/dist/vta/errors.d.ts

@@ -0,0 +1,20 @@
+/**
+ * Error code namespace mirrors the VTA's typed error variants. The
+ * server emits `{ "error": { "code": "e.p.msg.unauthorized", ... } }`
+ * and we lift the code into a typed JS error so the UI can switch on
+ * it instead of string-matching messages.
+ */
+export type VtaErrorCode = "e.p.msg.unauthorized" | "e.p.msg.forbidden" | "e.p.msg.notfound" | "e.p.msg.conflict" | "e.p.msg.rate_limited" | "e.p.msg.bad_request" | "e.p.msg.internal" | "e.client.network" | "e.client.parse" | "e.client.unsupported";
+export declare class VtaClientError extends Error {
+    readonly code: VtaErrorCode;
+    readonly status?: number;
+    readonly details?: unknown;
+    readonly suggestion?: string;
+    constructor(code: VtaErrorCode, message: string, opts?: {
+        status?: number;
+        details?: unknown;
+        suggestion?: string;
+    });
+}
+export declare function errorFromResponse(res: Response): Promise<VtaClientError>;
+//# sourceMappingURL=errors.d.ts.map

package/dist/vta/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/vta/errors.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AACH,MAAM,MAAM,YAAY,GACpB,sBAAsB,GACtB,mBAAmB,GACnB,kBAAkB,GAClB,kBAAkB,GAClB,sBAAsB,GACtB,qBAAqB,GACrB,kBAAkB,GAClB,kBAAkB,GAClB,gBAAgB,GAChB,sBAAsB,CAAC;AAE3B,qBAAa,cAAe,SAAQ,KAAK;IACvC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;IAC5B,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,OAAO,CAAC,EAAE,OAAO,CAAC;IAC3B,QAAQ,CAAC,UAAU,CAAC,EAAE,MAAM,CAAC;gBAG3B,IAAI,EAAE,YAAY,EAClB,OAAO,EAAE,MAAM,EACf,IAAI,GAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,OAAO,CAAC;QAAC,UAAU,CAAC,EAAE,MAAM,CAAA;KAAO;CASzE;AA6BD,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,QAAQ,GAAG,OAAO,CAAC,cAAc,CAAC,CAe9E"}

package/dist/vta/errors.js

@@ -0,0 +1,64 @@
+export class VtaClientError extends Error {
+    code;
+    status;
+    details;
+    suggestion;
+    constructor(code, message, opts = {}) {
+        super(message);
+        this.name = "VtaClientError";
+        this.code = code;
+        if (opts.status !== undefined)
+            this.status = opts.status;
+        if (opts.details !== undefined)
+            this.details = opts.details;
+        if (opts.suggestion !== undefined)
+            this.suggestion = opts.suggestion;
+    }
+}
+const KNOWN_CODES = [
+    "e.p.msg.unauthorized",
+    "e.p.msg.forbidden",
+    "e.p.msg.notfound",
+    "e.p.msg.conflict",
+    "e.p.msg.rate_limited",
+    "e.p.msg.bad_request",
+    "e.p.msg.internal",
+];
+function coerceCode(raw, status) {
+    if (raw && KNOWN_CODES.includes(raw)) {
+        return raw;
+    }
+    if (status === 401)
+        return "e.p.msg.unauthorized";
+    if (status === 403)
+        return "e.p.msg.forbidden";
+    if (status === 404)
+        return "e.p.msg.notfound";
+    if (status === 409)
+        return "e.p.msg.conflict";
+    if (status === 429)
+        return "e.p.msg.rate_limited";
+    if (status >= 500)
+        return "e.p.msg.internal";
+    return "e.p.msg.bad_request";
+}
+export async function errorFromResponse(res) {
+    let body;
+    try {
+        body = (await res.json());
+    }
+    catch {
+        // fall through with no body
+    }
+    const code = coerceCode(body?.error?.code, res.status);
+    const message = body?.error?.message ?? `${res.status} ${res.statusText}`;
+    const opts = {
+        status: res.status,
+    };
+    if (body?.error?.details !== undefined)
+        opts.details = body.error.details;
+    if (body?.error?.suggestion !== undefined)
+        opts.suggestion = body.error.suggestion;
+    return new VtaClientError(code, message, opts);
+}
+//# sourceMappingURL=errors.js.map