@openvtc/pnm-core 0.1.0

package/dist/provision/open.js

@@ -0,0 +1,224 @@
+// Orchestrate the sealed-bundle open pipeline.
+//
+// armored text → SealedBundle → (per chunk) CBOR(HpkeSealed) → HPKE open →
+// CBOR(ChunkPlaintext) → reassemble fragments → CBOR(SealedPayloadV1) →
+// AdminRotationPayload | TemplateBootstrapPayload | other variant.
+//
+// Mirrors `open_bundle` in `vta-sdk/src/sealed_transfer/mod.rs`. The wallet
+// only needs the `AdminRotation` variant for M2C; the `TemplateBootstrap`
+// case is typed-through for future integration use (mobile companion, etc.)
+// and any unknown variant lands in the `other` slot for the caller to
+// reject with a clear error.
+import { ed25519 } from "@noble/curves/ed25519.js";
+import { Decoder } from "cbor-x";
+import { buildChunkAad, decodeArmor } from "./armor.js";
+import { hpkeOpen } from "./hpke.js";
+const CHUNK_VERSION = 1;
+// One shared decoder. `copyBuffers: true` so the returned Uint8Arrays own
+// independent storage — we slice into byte fields and don't want surprise
+// aliasing into the original bundle bytes.
+const cbor = new Decoder({ mapsAsObjects: true, copyBuffers: true });
+/** Open the first bundle in `armored` using the recipient's Ed25519 seed.
+ *
+ *  The seed is converted to its X25519 secret via Montgomery clamping
+ *  (same derivation the Rust side uses; see
+ *  `affinidi_crypto::ed25519::ed25519_private_to_x25519`). The wallet's
+ *  ephemeral Ed25519 seed produced at onboarding is what gets passed here.
+ *
+ *  If the armored input contains multiple bundles (different Bundle-Ids),
+ *  this opens only the first. The provision-integration reply has exactly
+ *  one bundle today; multi-bundle armored payloads are reserved for future
+ *  flows.
+ */
+export async function openSealedBundle(armored, edSeed) {
+    if (edSeed.length !== 32) {
+        throw new Error(`openSealedBundle: edSeed must be 32 bytes (got ${edSeed.length})`);
+    }
+    const x25519Secret = ed25519.utils.toMontgomerySecret(edSeed);
+    const bundles = decodeArmor(armored);
+    const first = bundles[0];
+    return openBundle(first, x25519Secret);
+}
+/** Lower-level: open a pre-parsed SealedBundle with an X25519 secret. */
+export async function openBundle(bundle, x25519Secret) {
+    if (bundle.chunks.length === 0) {
+        throw new Error("openBundle: no chunks");
+    }
+    // 1. Per chunk: CBOR(HpkeSealed) → HPKE open → CBOR(ChunkPlaintext).
+    const plaintexts = [];
+    for (const chunk of bundle.chunks) {
+        const sealed = decodeHpkeSealed(chunk.sealedBytes);
+        const aad = buildChunkAad({
+            version: CHUNK_VERSION,
+            bundleId: bundle.bundleId,
+            chunkIndex: chunk.chunkIndex,
+            totalChunks: chunk.totalChunks,
+            digestAlgo: bundle.digestAlgo,
+        });
+        const ptBytes = await hpkeOpen({
+            recipientSecret: x25519Secret,
+            kemEncap: sealed.kem_encap,
+            ciphertext: sealed.aead_ciphertext,
+            aad,
+        });
+        const pt = decodeChunkPlaintext(ptBytes);
+        if (!bytesEqual(pt.bundle_id, bundle.bundleId) ||
+            pt.chunk_index !== chunk.chunkIndex ||
+            pt.total_chunks !== chunk.totalChunks ||
+            pt.version !== CHUNK_VERSION) {
+            throw new Error("openBundle: inner ChunkPlaintext header disagrees with armor header");
+        }
+        plaintexts.push(pt);
+    }
+    // 2. Reassemble in chunk-index order. Duplicate/missing detection:
+    //    after sorting, chunk_index[i] must equal i.
+    plaintexts.sort((a, b) => a.chunk_index - b.chunk_index);
+    const total = plaintexts[0].total_chunks;
+    if (plaintexts.length !== total) {
+        throw new Error(`openBundle: have ${plaintexts.length} chunks, expected ${total}`);
+    }
+    for (let i = 0; i < plaintexts.length; i++) {
+        if (plaintexts[i].chunk_index !== i) {
+            throw new Error(`openBundle: chunk index gap or duplicate at position ${i}`);
+        }
+    }
+    const totalLen = plaintexts.reduce((sum, p) => sum + p.payload_fragment.length, 0);
+    const payloadBytes = new Uint8Array(totalLen);
+    let off = 0;
+    for (const p of plaintexts) {
+        payloadBytes.set(p.payload_fragment, off);
+        off += p.payload_fragment.length;
+    }
+    // 3. CBOR(SealedPayloadV1). External tagging: a 1-key map whose key is
+    //    the variant tag in snake_case.
+    const raw = cbor.decode(payloadBytes);
+    const payload = parseSealedPayload(raw);
+    return {
+        bundleId: bundle.bundleId,
+        digestAlgo: bundle.digestAlgo,
+        payload,
+    };
+}
+/** Convenience: open the bundle and assert it carries an `AdminRotation`
+ *  variant, returning the typed payload. Throws if any other variant. */
+export async function openAdminRotationBundle(armored, edSeed) {
+    const opened = await openSealedBundle(armored, edSeed);
+    if (opened.payload.kind !== "admin_rotation") {
+        const tag = opened.payload.kind === "other" ? opened.payload.tag : opened.payload.kind;
+        throw new Error(`openAdminRotationBundle: expected admin_rotation variant, got '${tag}'`);
+    }
+    return { bundleId: opened.bundleId, payload: opened.payload.body };
+}
+// ─── CBOR parsing of inner structs ───
+//
+// `cbor-x` returns plain JS objects with the field names from the CBOR map.
+// We assert the field shapes by hand here rather than blanket-cast — a
+// malformed bundle should fail with a clear error, not crash later on a
+// missing field.
+//
+// Byte-field caveat: ciborium serialises `Vec<u8>` and `[u8; N]` through
+// serde's default `serialize_seq` / `serialize_tuple`, which become CBOR
+// **arrays of integers** (major type 4) — NOT CBOR byte strings (major
+// type 2). cbor-x decodes major type 4 to `Array<number>`, not
+// `Uint8Array`. The Rust structs we receive (HpkeSealed, ChunkPlaintext)
+// don't use `#[serde(with = "serde_bytes")]`, so every byte-typed field
+// arrives as a JS number array.
+//
+// `asBytes` is forgiving: it accepts an already-Uint8Array (in case a
+// future Rust change adds `serde_bytes` annotations) AND the canonical
+// number-array shape. That keeps the decoder robust to a wire-shape
+// upgrade without re-shipping the wallet.
+/** Coerce a CBOR-decoded byte-typed field to a `Uint8Array`. Handles
+ *  both the canonical ciborium shape (CBOR array of u8 → JS number
+ *  array) and the future byte-string shape (CBOR byte string →
+ *  Uint8Array). Other shapes throw with a clear field-name in the
+ *  message. */
+function asBytes(v, label) {
+    if (v instanceof Uint8Array)
+        return v;
+    if (Array.isArray(v)) {
+        const out = new Uint8Array(v.length);
+        for (let i = 0; i < v.length; i++) {
+            const n = v[i];
+            if (typeof n !== "number" || !Number.isInteger(n) || n < 0 || n > 255) {
+                throw new Error(`${label}: array entry ${i} is not a byte (got ${typeof n} ${String(n)})`);
+            }
+            out[i] = n;
+        }
+        return out;
+    }
+    throw new Error(`${label}: expected CBOR bytes or array of u8, got ${typeof v}`);
+}
+function decodeHpkeSealed(bytes) {
+    const v = cbor.decode(bytes);
+    const kemEncap = asBytes(v["kem_encap"], "HpkeSealed.kem_encap");
+    const aeadCiphertext = asBytes(v["aead_ciphertext"], "HpkeSealed.aead_ciphertext");
+    if (kemEncap.length !== 32) {
+        throw new Error(`HpkeSealed.kem_encap: must be 32 bytes (got ${kemEncap.length})`);
+    }
+    return { kem_encap: kemEncap, aead_ciphertext: aeadCiphertext };
+}
+function decodeChunkPlaintext(bytes) {
+    const v = cbor.decode(bytes);
+    const version = v["version"];
+    const chunkIndex = v["chunk_index"];
+    const totalChunks = v["total_chunks"];
+    if (typeof version !== "number")
+        throw new Error("ChunkPlaintext: version missing/wrong");
+    if (typeof chunkIndex !== "number")
+        throw new Error("ChunkPlaintext: chunk_index missing");
+    if (typeof totalChunks !== "number")
+        throw new Error("ChunkPlaintext: total_chunks missing");
+    const bundleId = asBytes(v["bundle_id"], "ChunkPlaintext.bundle_id");
+    if (bundleId.length !== 16) {
+        throw new Error(`ChunkPlaintext.bundle_id: must be 16 bytes (got ${bundleId.length})`);
+    }
+    const payloadFragment = asBytes(v["payload_fragment"], "ChunkPlaintext.payload_fragment");
+    const out = {
+        version,
+        bundle_id: bundleId,
+        chunk_index: chunkIndex,
+        total_chunks: totalChunks,
+        payload_fragment: payloadFragment,
+    };
+    if (typeof v["producer_did"] === "string") {
+        out.producer_did = v["producer_did"];
+    }
+    const pa = v["producer_assertion"];
+    if (pa !== undefined) {
+        out.producer_assertion = pa;
+    }
+    return out;
+}
+function parseSealedPayload(raw) {
+    const keys = Object.keys(raw);
+    if (keys.length !== 1) {
+        throw new Error(`SealedPayloadV1: expected externally-tagged map with one key, got ${keys.length}`);
+    }
+    const tag = keys[0];
+    const body = raw[tag];
+    if (!body || typeof body !== "object") {
+        throw new Error(`SealedPayloadV1: body for tag '${tag}' is not an object`);
+    }
+    switch (tag) {
+        case "admin_rotation":
+            return { kind: "admin_rotation", body: body };
+        case "template_bootstrap":
+            return {
+                kind: "template_bootstrap",
+                body: body,
+            };
+        default:
+            return { kind: "other", tag, body };
+    }
+}
+function bytesEqual(a, b) {
+    if (a.length !== b.length)
+        return false;
+    for (let i = 0; i < a.length; i++) {
+        if (a[i] !== b[i])
+            return false;
+    }
+    return true;
+}
+//# sourceMappingURL=open.js.map

package/dist/provision/open.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"open.js","sourceRoot":"","sources":["../../src/provision/open.ts"],"names":[],"mappings":"AAAA,+CAA+C;AAC/C,EAAE;AACF,2EAA2E;AAC3E,wEAAwE;AACxE,mEAAmE;AACnE,EAAE;AACF,4EAA4E;AAC5E,0EAA0E;AAC1E,4EAA4E;AAC5E,sEAAsE;AACtE,6BAA6B;AAE7B,OAAO,EAAE,OAAO,EAAE,MAAM,0BAA0B,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,MAAM,QAAQ,CAAC;AAEjC,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AACxD,OAAO,EAAE,QAAQ,EAAE,MAAM,WAAW,CAAC;AAUrC,MAAM,aAAa,GAAG,CAAC,CAAC;AAExB,0EAA0E;AAC1E,0EAA0E;AAC1E,2CAA2C;AAC3C,MAAM,IAAI,GAAG,IAAI,OAAO,CAAC,EAAE,aAAa,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;AAQrE;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,OAAe,EACf,MAAkB;IAElB,IAAI,MAAM,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,kDAAkD,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;IACtF,CAAC;IACD,MAAM,YAAY,GAAG,OAAO,CAAC,KAAK,CAAC,kBAAkB,CAAC,MAAM,CAAC,CAAC;IAC9D,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,CAAC,CAAC;IACrC,MAAM,KAAK,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC;IAC1B,OAAO,UAAU,CAAC,KAAK,EAAE,YAAY,CAAC,CAAC;AACzC,CAAC;AAED,yEAAyE;AACzE,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,MAAoB,EACpB,YAAwB;IAExB,IAAI,MAAM,CAAC,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IAED,qEAAqE;IACrE,MAAM,UAAU,GAAqB,EAAE,CAAC;IACxC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAClC,MAAM,MAAM,GAAG,gBAAgB,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;QACnD,MAAM,GAAG,GAAG,aAAa,CAAC;YACxB,OAAO,EAAE,aAAa;YACtB,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,WAAW,EAAE,KAAK,CAAC,WAAW;YAC9B,UAAU,EAAE,MAAM,CAAC,UAAU;SAC9B,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC;YAC7B,eAAe,EAAE,YAAY;YAC7B,QAAQ,EAAE,MAAM,CAAC,SAAS;YAC1B,UAAU,EAAE,MAAM,CAAC,eAAe;YAClC,GAAG;SACJ,CAAC,CAAC;QACH,MAAM,EAAE,GAAG,oBAAoB,CAAC,OAAO,CAAC,CAAC;QACzC,IACE,CAAC,UAAU,CAAC,EAAE,CAAC,SAAS,EAAE,MAAM,CAAC,QAAQ,CAAC;YAC1C,EAAE,CAAC,WAAW,KAAK,KAAK,CAAC,UAAU;YACnC,EAAE,CAAC,YAAY,KAAK,KAAK,CAAC,WAAW;YACrC,EAAE,CAAC,OAAO,KAAK,aAAa,EAC5B,CAAC;YACD,MAAM,IAAI,KAAK,CAAC,qEAAqE,CAAC,CAAC;QACzF,CAAC;QACD,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACtB,CAAC;IAED,mEAAmE;IACnE,iDAAiD;IACjD,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,GAAG,CAAC,CAAC,WAAW,CAAC,CAAC;IACzD,MAAM,KAAK,GAAG,UAAU,CAAC,CAAC,CAAE,CAAC,YAAY,CAAC;IAC1C,IAAI,UAAU,CAAC,MAAM,KAAK,KAAK,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CACb,oBAAoB,UAAU,CAAC,MAAM,qBAAqB,KAAK,EAAE,CAClE,CAAC;IACJ,CAAC;IACD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,UAAU,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3C,IAAI,UAAU,CAAC,CAAC,CAAE,CAAC,WAAW,KAAK,CAAC,EAAE,CAAC;YACrC,MAAM,IAAI,KAAK,CAAC,wDAAwD,CAAC,EAAE,CAAC,CAAC;QAC/E,CAAC;IACH,CAAC;IACD,MAAM,QAAQ,GAAG,UAAU,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,gBAAgB,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IACnF,MAAM,YAAY,GAAG,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC;IAC9C,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;QAC3B,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,gBAAgB,EAAE,GAAG,CAAC,CAAC;QAC1C,GAAG,IAAI,CAAC,CAAC,gBAAgB,CAAC,MAAM,CAAC;IACnC,CAAC;IAED,uEAAuE;IACvE,oCAAoC;IACpC,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAA4B,CAAC;IACjE,MAAM,OAAO,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;IAExC,OAAO;QACL,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,OAAO;KACR,CAAC;AACJ,CAAC;AAED;yEACyE;AACzE,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAe,EACf,MAAkB;IAElB,MAAM,MAAM,GAAG,MAAM,gBAAgB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACvD,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;QAC7C,MAAM,GAAG,GACP,MAAM,CAAC,OAAO,CAAC,IAAI,KAAK,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC;QAC7E,MAAM,IAAI,KAAK,CACb,kEAAkE,GAAG,GAAG,CACzE,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;AACrE,CAAC;AAED,wCAAwC;AACxC,EAAE;AACF,4EAA4E;AAC5E,uEAAuE;AACvE,wEAAwE;AACxE,iBAAiB;AACjB,EAAE;AACF,yEAAyE;AACzE,yEAAyE;AACzE,uEAAuE;AACvE,+DAA+D;AAC/D,yEAAyE;AACzE,wEAAwE;AACxE,gCAAgC;AAChC,EAAE;AACF,sEAAsE;AACtE,uEAAuE;AACvE,oEAAoE;AACpE,0CAA0C;AAE1C;;;;eAIe;AACf,SAAS,OAAO,CAAC,CAAU,EAAE,KAAa;IACxC,IAAI,CAAC,YAAY,UAAU;QAAE,OAAO,CAAC,CAAC;IACtC,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;QACrB,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QACrC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAClC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;YACf,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,GAAG,EAAE,CAAC;gBACtE,MAAM,IAAI,KAAK,CACb,GAAG,KAAK,iBAAiB,CAAC,uBAAuB,OAAO,CAAC,IAAI,MAAM,CAAC,CAAC,CAAC,GAAG,CAC1E,CAAC;YACJ,CAAC;YACD,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC;QACb,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC;IACD,MAAM,IAAI,KAAK,CACb,GAAG,KAAK,6CAA6C,OAAO,CAAC,EAAE,CAChE,CAAC;AACJ,CAAC;AAED,SAAS,gBAAgB,CAAC,KAAiB;IACzC,MAAM,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAA4B,CAAC;IACxD,MAAM,QAAQ,GAAG,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,sBAAsB,CAAC,CAAC;IACjE,MAAM,cAAc,GAAG,OAAO,CAAC,CAAC,CAAC,iBAAiB,CAAC,EAAE,4BAA4B,CAAC,CAAC;IACnF,IAAI,QAAQ,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,+CAA+C,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IACrF,CAAC;IACD,OAAO,EAAE,SAAS,EAAE,QAAQ,EAAE,eAAe,EAAE,cAAc,EAAE,CAAC;AAClE,CAAC;AAED,SAAS,oBAAoB,CAAC,KAAiB;IAC7C,MAAM,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,KAAK,CAA4B,CAAC;IACxD,MAAM,OAAO,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC;IAC7B,MAAM,UAAU,GAAG,CAAC,CAAC,aAAa,CAAC,CAAC;IACpC,MAAM,WAAW,GAAG,CAAC,CAAC,cAAc,CAAC,CAAC;IACtC,IAAI,OAAO,OAAO,KAAK,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,uCAAuC,CAAC,CAAC;IAC1F,IAAI,OAAO,UAAU,KAAK,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IAC3F,IAAI,OAAO,WAAW,KAAK,QAAQ;QAAE,MAAM,IAAI,KAAK,CAAC,sCAAsC,CAAC,CAAC;IAC7F,MAAM,QAAQ,GAAG,OAAO,CAAC,CAAC,CAAC,WAAW,CAAC,EAAE,0BAA0B,CAAC,CAAC;IACrE,IAAI,QAAQ,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,mDAAmD,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC;IACzF,CAAC;IACD,MAAM,eAAe,GAAG,OAAO,CAAC,CAAC,CAAC,kBAAkB,CAAC,EAAE,iCAAiC,CAAC,CAAC;IAC1F,MAAM,GAAG,GAAmB;QAC1B,OAAO;QACP,SAAS,EAAE,QAAQ;QACnB,WAAW,EAAE,UAAU;QACvB,YAAY,EAAE,WAAW;QACzB,gBAAgB,EAAE,eAAe;KAClC,CAAC;IACF,IAAI,OAAO,CAAC,CAAC,cAAc,CAAC,KAAK,QAAQ,EAAE,CAAC;QAC1C,GAAG,CAAC,YAAY,GAAG,CAAC,CAAC,cAAc,CAAC,CAAC;IACvC,CAAC;IACD,MAAM,EAAE,GAAG,CAAC,CAAC,oBAAoB,CAAC,CAAC;IACnC,IAAI,EAAE,KAAK,SAAS,EAAE,CAAC;QACrB,GAAG,CAAC,kBAAkB,GAAG,EAAuD,CAAC;IACnF,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,kBAAkB,CAAC,GAA4B;IACtD,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC9B,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CACb,qEAAqE,IAAI,CAAC,MAAM,EAAE,CACnF,CAAC;IACJ,CAAC;IACD,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAW,CAAC;IAC9B,MAAM,IAAI,GAAG,GAAG,CAAC,GAAG,CAAwC,CAAC;IAC7D,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtC,MAAM,IAAI,KAAK,CAAC,kCAAkC,GAAG,oBAAoB,CAAC,CAAC;IAC7E,CAAC;IACD,QAAQ,GAAG,EAAE,CAAC;QACZ,KAAK,gBAAgB;YACnB,OAAO,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,IAAuC,EAAE,CAAC;QACnF,KAAK,oBAAoB;YACvB,OAAO;gBACL,IAAI,EAAE,oBAAoB;gBAC1B,IAAI,EAAE,IAA2C;aAClD,CAAC;QACJ;YACE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,CAAC;IACxC,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CAAC,CAAa,EAAE,CAAa;IAC9C,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;QAAE,OAAO,KAAK,CAAC;IACxC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QAClC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;IAClC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/provision/request.d.ts

@@ -0,0 +1,65 @@
+import type { SigningIdentity } from "../siop/self-issued.js";
+/** A reference to a DID template the maintainer has registered. Inline
+ *  template definitions are rejected — the operator uploads via
+ *  `pnm did-templates create` first, then names the template here. */
+export interface DidTemplateRef {
+    name: string;
+    vars?: Record<string, unknown>;
+}
+/** What the holder is asking the VTA to do. Tagged on `type`.
+ *
+ *  `TemplateBootstrap` is for full integration bootstrap (mediator,
+ *  did-hosting host, etc.). `AdminRotation` is what the wallet uses — it
+ *  asks the VTA to mint a fresh long-term admin DID + keys without
+ *  rendering any integration template. The browser plugin has no
+ *  integration-side identity to advertise, so AdminRotation is the right
+ *  ask for M2C. */
+export type BootstrapAsk = {
+    type: "TemplateBootstrap";
+    contextHint?: string;
+    template: DidTemplateRef;
+    adminTemplate?: DidTemplateRef;
+    note?: string;
+} | {
+    type: "AdminRotation";
+    contextHint?: string;
+    adminTemplate: DidTemplateRef;
+    note?: string;
+};
+/** The signed VP the wallet ships in the provision-integration message body. */
+export interface BootstrapRequestVp {
+    "@context": string[];
+    type: string[];
+    id: string;
+    holder: string;
+    /** 16 random bytes, base64url-no-pad (22 chars). Re-decoded by the VTA
+     *  and used as the sealed-bundle `bundleId`. */
+    nonce: string;
+    validUntil: string;
+    label?: string;
+    ask: BootstrapAsk;
+    proof: unknown;
+}
+export interface BuildBootstrapRequestOptions {
+    /** Ephemeral signing identity — the operator-granted `did:key` whose
+     *  Ed25519 private key signs the proof. The matching X25519 derivation
+     *  is the bundle's HPKE recipient. */
+    ephemeral: SigningIdentity;
+    /** Tagged-union intent. */
+    ask: BootstrapAsk;
+    /** Validity window in milliseconds. Default 15 minutes — matches the
+     *  Rust default; the VTA enforces ±5min skew on validUntil. */
+    validityMs?: number;
+    /** Optional human-readable label written into the maintainer's audit log. */
+    label?: string;
+}
+/** Build a 16-byte nonce + signed BootstrapRequest VP, returning both.
+ *
+ *  The caller persists the nonce alongside the bundle so it can verify
+ *  `summary.bundleIdHex` (the VTA echoes the nonce back as the bundle id
+ *  in hex) on the reply. */
+export declare function buildBootstrapRequest(opts: BuildBootstrapRequestOptions): Promise<{
+    vp: BootstrapRequestVp;
+    nonce: Uint8Array;
+}>;
+//# sourceMappingURL=request.d.ts.map

package/dist/provision/request.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"request.d.ts","sourceRoot":"","sources":["../../src/provision/request.ts"],"names":[],"mappings":"AAeA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAM9D;;sEAEsE;AACtE,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAChC;AAED;;;;;;;mBAOmB;AACnB,MAAM,MAAM,YAAY,GACpB;IACE,IAAI,EAAE,mBAAmB,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,cAAc,CAAC;IACzB,aAAa,CAAC,EAAE,cAAc,CAAC;IAC/B,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,GACD;IACE,IAAI,EAAE,eAAe,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,aAAa,EAAE,cAAc,CAAC;IAC9B,IAAI,CAAC,EAAE,MAAM,CAAC;CACf,CAAC;AAEN,gFAAgF;AAChF,MAAM,WAAW,kBAAkB;IACjC,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,EAAE,EAAE,MAAM,CAAC;IACX,MAAM,EAAE,MAAM,CAAC;IACf;oDACgD;IAChD,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,YAAY,CAAC;IAClB,KAAK,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,WAAW,4BAA4B;IAC3C;;0CAEsC;IACtC,SAAS,EAAE,eAAe,CAAC;IAC3B,2BAA2B;IAC3B,GAAG,EAAE,YAAY,CAAC;IAClB;mEAC+D;IAC/D,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,6EAA6E;IAC7E,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;4BAI4B;AAC5B,wBAAsB,qBAAqB,CACzC,IAAI,EAAE,4BAA4B,GACjC,OAAO,CAAC;IAAE,EAAE,EAAE,kBAAkB,CAAC;IAAC,KAAK,EAAE,UAAU,CAAA;CAAE,CAAC,CAiCxD"}

package/dist/provision/request.js

@@ -0,0 +1,53 @@
+// Build + sign the BootstrapRequest VP the wallet hands the VTA when
+// onboarding. The VP is a W3C VC Data Model 2.0 Verifiable Presentation
+// with `nonce` / `validUntil` / `label` / `ask` carried alongside the
+// standard VP fields and covered by the same `eddsa-jcs-2022` Data
+// Integrity proof.
+//
+// Wire shape mirrors
+// `verifiable-trust-infrastructure/vta-sdk/src/provision_integration/request.rs`
+// (`BootstrapRequest::sign`). Verifying against the existing FPN-private
+// URI works today; the canonical Trust Task URI
+// `https://trusttasks.org/spec/provision/integration/0.1` will start
+// validating once the VTA implementation migrates (separate downstream
+// work — this client targets the FPN URI for now).
+import { base64url } from "@openvtc/vti-didcomm-js";
+import { signTrustTask } from "../trust-tasks/sign.js";
+const VC_V2_CONTEXT_URL = "https://www.w3.org/ns/credentials/v2";
+const BOOTSTRAP_CONTEXT_URL = "https://openvtc.org/contexts/bootstrap-v1";
+/** Build a 16-byte nonce + signed BootstrapRequest VP, returning both.
+ *
+ *  The caller persists the nonce alongside the bundle so it can verify
+ *  `summary.bundleIdHex` (the VTA echoes the nonce back as the bundle id
+ *  in hex) on the reply. */
+export async function buildBootstrapRequest(opts) {
+    const nonce = new Uint8Array(16);
+    crypto.getRandomValues(nonce);
+    const now = new Date();
+    const validUntil = new Date(now.getTime() + (opts.validityMs ?? 15 * 60_000));
+    const vp = {
+        "@context": [VC_V2_CONTEXT_URL, BOOTSTRAP_CONTEXT_URL],
+        type: ["VerifiablePresentation", "BootstrapRequest"],
+        id: `urn:uuid:${crypto.randomUUID()}`,
+        holder: opts.ephemeral.did,
+        nonce: base64url.encode(nonce),
+        validUntil: validUntil.toISOString(),
+        ...(opts.label ? { label: opts.label } : {}),
+        ask: opts.ask,
+        proof: null,
+    };
+    // The wallet's existing eddsa-jcs-2022 signer covers JCS canonicalisation
+    // + SHA-256(proofConfig) || SHA-256(doc-minus-proof) + Ed25519 sign +
+    // multibase proofValue exactly as the Rust side does. Here we pass
+    // `authentication` rather than the default `assertionMethod` because the
+    // VP holder is proving CONTROL of the ephemeral did:key, not vouching
+    // for a claim about it — same distinction the Rust `BootstrapRequest::
+    // sign` makes via `SignOptions::with_proof_purpose("authentication")`.
+    await signTrustTask({
+        envelope: vp,
+        signing: opts.ephemeral,
+        proofPurpose: "authentication",
+    });
+    return { vp, nonce };
+}
+//# sourceMappingURL=request.js.map

package/dist/provision/request.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"request.js","sourceRoot":"","sources":["../../src/provision/request.ts"],"names":[],"mappings":"AAAA,qEAAqE;AACrE,wEAAwE;AACxE,sEAAsE;AACtE,mEAAmE;AACnE,mBAAmB;AACnB,EAAE;AACF,qBAAqB;AACrB,iFAAiF;AACjF,yEAAyE;AACzE,gDAAgD;AAChD,qEAAqE;AACrE,uEAAuE;AACvE,mDAAmD;AAEnD,OAAO,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAAE,aAAa,EAAE,MAAM,wBAAwB,CAAC;AAEvD,MAAM,iBAAiB,GAAG,sCAAsC,CAAC;AACjE,MAAM,qBAAqB,GAAG,2CAA2C,CAAC;AA8D1E;;;;4BAI4B;AAC5B,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,IAAkC;IAElC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC;IACjC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAE9B,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,IAAI,CAAC,UAAU,IAAI,EAAE,GAAG,MAAM,CAAC,CAAC,CAAC;IAE9E,MAAM,EAAE,GAAuB;QAC7B,UAAU,EAAE,CAAC,iBAAiB,EAAE,qBAAqB,CAAC;QACtD,IAAI,EAAE,CAAC,wBAAwB,EAAE,kBAAkB,CAAC;QACpD,EAAE,EAAE,YAAY,MAAM,CAAC,UAAU,EAAE,EAAE;QACrC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,GAAG;QAC1B,KAAK,EAAE,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC;QAC9B,UAAU,EAAE,UAAU,CAAC,WAAW,EAAE;QACpC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC5C,GAAG,EAAE,IAAI,CAAC,GAAG;QACb,KAAK,EAAE,IAAI;KACZ,CAAC;IAEF,0EAA0E;IAC1E,sEAAsE;IACtE,mEAAmE;IACnE,yEAAyE;IACzE,sEAAsE;IACtE,uEAAuE;IACvE,uEAAuE;IACvE,MAAM,aAAa,CAAC;QAClB,QAAQ,EAAE,EAAwC;QAClD,OAAO,EAAE,IAAI,CAAC,SAAS;QACvB,YAAY,EAAE,gBAAgB;KAC/B,CAAC,CAAC;IAEH,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;AACvB,CAAC"}

package/dist/provision/run.d.ts

@@ -0,0 +1,76 @@
+import type { Identity } from "../didcomm/index.js";
+import type { SigningIdentity } from "../siop/self-issued.js";
+import type { RemoteDidcommEndpoint } from "../vta/didcomm.js";
+import type { DidcommMessageBridge } from "../vta/transport.js";
+import { type ProvisionSummary } from "./send.js";
+import type { AdminRotationPayload } from "./types.js";
+export interface RunProvisionIntegrationOptions {
+    /** Mediator-backed DIDComm bridge for the round-trip. */
+    bridge: DidcommMessageBridge;
+    /** Authcrypt sender X25519 identity for the ephemeral did:key. */
+    ephemeral: Identity;
+    /** Signing identity for the SAME ephemeral did:key — used to sign the
+     *  BootstrapRequest VP. The Ed25519 seed in `signing.privateKey` is also
+     *  the recipient secret the wallet uses to open the sealed bundle. */
+    ephemeralSigning: SigningIdentity;
+    /** The VTA's DID + keyAgreement key (inner authcrypt recipient and
+     *  expected `from` on the reply). */
+    service: RemoteDidcommEndpoint;
+    /** The VTA's mediator (forward target). Omit for direct DIDComm. */
+    mediator?: RemoteDidcommEndpoint;
+    /** The VTA's DID — passed to send.ts for the reply sender assertion. */
+    vtaDid: string;
+    /** The maintainer context to provision the admin DID into. **Optional**
+     *  per the canonical Trust Task spec — when omitted, the VTA infers
+     *  from the relayer's ACL grant or its own contexts state (single-
+     *  context grant → that context; super-admin + single-context VTA →
+     *  that context; ambiguous → error). Wallet-class callers SHOULD
+     *  omit; integration-class callers SHOULD specify. */
+    context?: string;
+    /** Admin template the VTA renders. Default `vta-admin` — the built-in
+     *  no-frills `did:key` admin template every VTA ships with. Override if
+     *  the operator has uploaded a custom admin template. */
+    adminTemplateName?: string;
+    /** Free-form note for the VTA's audit log. */
+    note?: string;
+    /** When `true`, asks the VTA to provision the target context inline if
+     *  it does not already exist. Requires the relayer (the ephemeral
+     *  did:key after the operator's grant) to hold **super-admin** role at
+     *  the VTA — context-admin grants get rejected with
+     *  `provision/integration:forbidden`. Defaults to `false`; callers
+     *  that target an established context leave this off. */
+    createContext?: boolean;
+    /** Send-side timeout. Default 60s (sendProvisionIntegration). */
+    timeoutMs?: number;
+}
+/** Minimal admin material the wallet adopts after a successful onboarding.
+ *
+ *  The wallet stores `adminDid` as its new holder identity. The Ed25519
+ *  private key (multibase-encoded) is what signs subsequent trust tasks
+ *  + SIOP id_tokens; the X25519 private key is what unpacks DIDComm
+ *  authcrypt envelopes targeted at the wallet. The auth VC + VTA trust
+ *  bundle are NOT kept — the steady-state authority is the ACL row the
+ *  VTA wrote at provisioning, not the VC, and the wallet verifies the
+ *  VTA's identity via DID resolution on every subsequent connect rather
+ *  than caching the trust bundle. */
+export interface MinimalAdminReply {
+    /** The freshly-minted long-term admin DID (a `did:key:z6Mk…`). */
+    adminDid: string;
+    /** Multibase-encoded Ed25519 private key (`z`-prefixed multikey).
+     *  The wallet decodes this and stores it as the new holder's signing key. */
+    adminSigningPrivateMultibase: string;
+    /** Multibase-encoded X25519 private key. The wallet decodes + stores
+     *  this as the new holder's keyAgreement key. */
+    adminKaPrivateMultibase: string;
+    /** Echo of the VTA's own DID (cross-check vs `service.did`). */
+    vtaDid: string;
+    /** REST base URL the VTA advertised, if any. */
+    vtaUrl?: string;
+    /** Bundle metadata for audit / debug. */
+    summary: ProvisionSummary;
+}
+/** Drive the full provision-integration round-trip and return the minimal
+ *  admin material the wallet should adopt. */
+export declare function runProvisionIntegration(opts: RunProvisionIntegrationOptions): Promise<MinimalAdminReply>;
+export type { AdminRotationPayload };
+//# sourceMappingURL=run.d.ts.map

package/dist/provision/run.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"run.d.ts","sourceRoot":"","sources":["../../src/provision/run.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAC9D,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAC/D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAIhE,OAAO,EAA4B,KAAK,gBAAgB,EAAE,MAAM,WAAW,CAAC;AAC5E,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAEvD,MAAM,WAAW,8BAA8B;IAC7C,yDAAyD;IACzD,MAAM,EAAE,oBAAoB,CAAC;IAC7B,kEAAkE;IAClE,SAAS,EAAE,QAAQ,CAAC;IACpB;;0EAEsE;IACtE,gBAAgB,EAAE,eAAe,CAAC;IAClC;yCACqC;IACrC,OAAO,EAAE,qBAAqB,CAAC;IAC/B,oEAAoE;IACpE,QAAQ,CAAC,EAAE,qBAAqB,CAAC;IACjC,wEAAwE;IACxE,MAAM,EAAE,MAAM,CAAC;IACf;;;;;0DAKsD;IACtD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;6DAEyD;IACzD,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,8CAA8C;IAC9C,IAAI,CAAC,EAAE,MAAM,CAAC;IACd;;;;;6DAKyD;IACzD,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,iEAAiE;IACjE,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED;;;;;;;;;qCASqC;AACrC,MAAM,WAAW,iBAAiB;IAChC,kEAAkE;IAClE,QAAQ,EAAE,MAAM,CAAC;IACjB;iFAC6E;IAC7E,4BAA4B,EAAE,MAAM,CAAC;IACrC;qDACiD;IACjD,uBAAuB,EAAE,MAAM,CAAC;IAChC,gEAAgE;IAChE,MAAM,EAAE,MAAM,CAAC;IACf,gDAAgD;IAChD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,yCAAyC;IACzC,OAAO,EAAE,gBAAgB,CAAC;CAC3B;AAED;8CAC8C;AAC9C,wBAAsB,uBAAuB,CAC3C,IAAI,EAAE,8BAA8B,GACnC,OAAO,CAAC,iBAAiB,CAAC,CA+F5B;AAYD,YAAY,EAAE,oBAAoB,EAAE,CAAC"}

package/dist/provision/run.js

@@ -0,0 +1,110 @@
+// Top-level orchestrator for the wallet's provision-integration flow.
+//
+// One call drives the full onboarding round-trip:
+//   1. Build + sign a BootstrapRequest VP for the AdminRotation ask.
+//   2. Ship it via DIDComm (authcrypt → forward via VTA's mediator).
+//   3. Open the HPKE-sealed reply with the wallet's ephemeral Ed25519 seed.
+//   4. Cross-check that the bundle's `bundleIdHex` matches the request nonce.
+//   5. Return the minimal admin reply (DID + private keys) the wallet adopts
+//      as its long-term holder identity.
+//
+// The wallet's existing onboarding code (`offscreen.ts`) currently calls
+// `swapAclDidcomm` here — M2C-C swaps that call site to `runProvisionIntegration`.
+import { openAdminRotationBundle } from "./open.js";
+import { buildBootstrapRequest } from "./request.js";
+import { sendProvisionIntegration } from "./send.js";
+/** Drive the full provision-integration round-trip and return the minimal
+ *  admin material the wallet should adopt. */
+export async function runProvisionIntegration(opts) {
+    // 1. Build + sign the VP with an AdminRotation ask. The wallet only
+    //    needs a long-term admin DID at this VTA; it does NOT need an
+    //    integration DID minted (TemplateBootstrap), which is what
+    //    mediator / did-hosting integrations consume.
+    const ask = {
+        type: "AdminRotation",
+        // contextHint is just a hint embedded in the VP — only meaningful
+        // when the caller actually knows the context. When omitted, the
+        // VTA's authoritative context resolution runs (inference rules).
+        ...(opts.context ? { contextHint: opts.context } : {}),
+        adminTemplate: { name: opts.adminTemplateName ?? "vta-admin", vars: {} },
+        ...(opts.note ? { note: opts.note } : {}),
+    };
+    const { vp, nonce } = await buildBootstrapRequest({
+        ephemeral: opts.ephemeralSigning,
+        ask,
+        ...(opts.note ? { label: opts.note } : {}),
+    });
+    // 2. DIDComm round-trip. Body field names are snake_case to match the
+    //    existing FPN protocol the VTA speaks today (see send.ts header for
+    //    the migration plan).
+    const reply = await sendProvisionIntegration({
+        bridge: opts.bridge,
+        ephemeral: opts.ephemeral,
+        service: opts.service,
+        ...(opts.mediator ? { mediator: opts.mediator } : {}),
+        vtaDid: opts.vtaDid,
+        body: {
+            request: vp,
+            // context is optional on the wire. When omitted, the VTA's
+            // inference rules pick the target context (single-context grant
+            // → use it; super-admin + single-context VTA → use it;
+            // ambiguous → e.p.msg.context_required). Wallet-class callers
+            // typically omit; integration-class callers send explicitly.
+            ...(opts.context ? { context: opts.context } : {}),
+            // create_context defaults to false on the wire; only emit when the
+            // caller actually asked for inline create so older VTAs that
+            // pre-date the field don't have to deal with an unexpected key.
+            ...(opts.createContext ? { create_context: true } : {}),
+        },
+        ...(opts.timeoutMs !== undefined ? { timeoutMs: opts.timeoutMs } : {}),
+    });
+    // 3. Cross-check the bundle id BEFORE opening. The maintainer echoes
+    //    the VP nonce as `summary.bundle_id_hex` (lowercase hex of the 16
+    //    nonce bytes); a mismatch means the bundle is for a different
+    //    request, which is a serious wire-shape failure. The HPKE open
+    //    would also fail (the AAD binds the bundle id), but catching it
+    //    here gives a cleaner error.
+    const expectedHex = toLowerHex(nonce);
+    if (reply.summary.bundle_id_hex !== expectedHex) {
+        throw new Error(`provision-integration: bundle_id_hex mismatch — expected ${expectedHex}, got ${reply.summary.bundle_id_hex}`);
+    }
+    // 4. Open the sealed bundle with the wallet's Ed25519 seed. The opener
+    //    derives the X25519 recipient secret via Montgomery clamping
+    //    (matching the Rust seal-side `ed25519_seed_to_x25519_secret`).
+    if (opts.ephemeralSigning.privateKey.length !== 32) {
+        throw new Error("provision-integration: ephemeral Ed25519 seed must be 32 bytes");
+    }
+    const opened = await openAdminRotationBundle(reply.bundle, opts.ephemeralSigning.privateKey);
+    // 5. Extract the minimal admin material the wallet keeps.
+    const admin = opened.payload.admin;
+    if (!admin || !admin.did) {
+        throw new Error("provision-integration: AdminRotation payload missing admin.did");
+    }
+    if (!admin.signing_key?.private_key_multibase || !admin.ka_key?.private_key_multibase) {
+        throw new Error("provision-integration: AdminRotation payload missing admin signing/ka private key");
+    }
+    // Defence-in-depth: the open-time digest check is the maintainer's
+    // contract, but verifying summary.admin_did matches what we extract
+    // catches the case where a malicious / buggy maintainer ships a
+    // summary that doesn't agree with the sealed bundle.
+    if (reply.summary.admin_did && reply.summary.admin_did !== admin.did) {
+        throw new Error(`provision-integration: summary.admin_did (${reply.summary.admin_did}) ` +
+            `disagrees with sealed admin.did (${admin.did})`);
+    }
+    return {
+        adminDid: admin.did,
+        adminSigningPrivateMultibase: admin.signing_key.private_key_multibase,
+        adminKaPrivateMultibase: admin.ka_key.private_key_multibase,
+        vtaDid: opened.payload.vta_trust?.vta_did ?? opts.vtaDid,
+        ...(opened.payload.vta_url ? { vtaUrl: opened.payload.vta_url } : {}),
+        summary: reply.summary,
+    };
+}
+function toLowerHex(bytes) {
+    let s = "";
+    for (let i = 0; i < bytes.length; i++) {
+        s += bytes[i].toString(16).padStart(2, "0");
+    }
+    return s;
+}
+//# sourceMappingURL=run.js.map

package/dist/provision/run.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"run.js","sourceRoot":"","sources":["../../src/provision/run.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,EAAE;AACF,kDAAkD;AAClD,qEAAqE;AACrE,qEAAqE;AACrE,4EAA4E;AAC5E,8EAA8E;AAC9E,6EAA6E;AAC7E,yCAAyC;AACzC,EAAE;AACF,yEAAyE;AACzE,mFAAmF;AAOnF,OAAO,EAAE,uBAAuB,EAAE,MAAM,WAAW,CAAC;AACpD,OAAO,EAAE,qBAAqB,EAAqB,MAAM,cAAc,CAAC;AACxE,OAAO,EAAE,wBAAwB,EAAyB,MAAM,WAAW,CAAC;AAsE5E;8CAC8C;AAC9C,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,IAAoC;IAEpC,oEAAoE;IACpE,kEAAkE;IAClE,+DAA+D;IAC/D,kDAAkD;IAClD,MAAM,GAAG,GAAiB;QACxB,IAAI,EAAE,eAAe;QACrB,kEAAkE;QAClE,gEAAgE;QAChE,iEAAiE;QACjE,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,WAAW,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACtD,aAAa,EAAE,EAAE,IAAI,EAAE,IAAI,CAAC,iBAAiB,IAAI,WAAW,EAAE,IAAI,EAAE,EAAE,EAAE;QACxE,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC1C,CAAC;IACF,MAAM,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,MAAM,qBAAqB,CAAC;QAChD,SAAS,EAAE,IAAI,CAAC,gBAAgB;QAChC,GAAG;QACH,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC3C,CAAC,CAAC;IAEH,sEAAsE;IACtE,wEAAwE;IACxE,0BAA0B;IAC1B,MAAM,KAAK,GAAG,MAAM,wBAAwB,CAAC;QAC3C,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACrD,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,IAAI,EAAE;YACJ,OAAO,EAAE,EAAE;YACX,2DAA2D;YAC3D,gEAAgE;YAChE,uDAAuD;YACvD,8DAA8D;YAC9D,6DAA6D;YAC7D,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YAClD,mEAAmE;YACnE,6DAA6D;YAC7D,gEAAgE;YAChE,GAAG,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,EAAE,cAAc,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACxD;QACD,GAAG,CAAC,IAAI,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACvE,CAAC,CAAC;IAEH,qEAAqE;IACrE,sEAAsE;IACtE,kEAAkE;IAClE,mEAAmE;IACnE,oEAAoE;IACpE,iCAAiC;IACjC,MAAM,WAAW,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;IACtC,IAAI,KAAK,CAAC,OAAO,CAAC,aAAa,KAAK,WAAW,EAAE,CAAC;QAChD,MAAM,IAAI,KAAK,CACb,4DAA4D,WAAW,SAAS,KAAK,CAAC,OAAO,CAAC,aAAa,EAAE,CAC9G,CAAC;IACJ,CAAC;IAED,uEAAuE;IACvE,iEAAiE;IACjE,oEAAoE;IACpE,IAAI,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACnD,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;IACpF,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,uBAAuB,CAAC,KAAK,CAAC,MAAM,EAAE,IAAI,CAAC,gBAAgB,CAAC,UAAU,CAAC,CAAC;IAE7F,0DAA0D;IAC1D,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC;IACnC,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC;QACzB,MAAM,IAAI,KAAK,CAAC,gEAAgE,CAAC,CAAC;IACpF,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,qBAAqB,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,qBAAqB,EAAE,CAAC;QACtF,MAAM,IAAI,KAAK,CACb,mFAAmF,CACpF,CAAC;IACJ,CAAC;IACD,mEAAmE;IACnE,oEAAoE;IACpE,gEAAgE;IAChE,qDAAqD;IACrD,IAAI,KAAK,CAAC,OAAO,CAAC,SAAS,IAAI,KAAK,CAAC,OAAO,CAAC,SAAS,KAAK,KAAK,CAAC,GAAG,EAAE,CAAC;QACrE,MAAM,IAAI,KAAK,CACb,6CAA6C,KAAK,CAAC,OAAO,CAAC,SAAS,IAAI;YACtE,oCAAoC,KAAK,CAAC,GAAG,GAAG,CACnD,CAAC;IACJ,CAAC;IAED,OAAO;QACL,QAAQ,EAAE,KAAK,CAAC,GAAG;QACnB,4BAA4B,EAAE,KAAK,CAAC,WAAW,CAAC,qBAAqB;QACrE,uBAAuB,EAAE,KAAK,CAAC,MAAM,CAAC,qBAAqB;QAC3D,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,SAAS,EAAE,OAAO,IAAI,IAAI,CAAC,MAAM;QACxD,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACrE,OAAO,EAAE,KAAK,CAAC,OAAO;KACvB,CAAC;AACJ,CAAC;AAED,SAAS,UAAU,CAAC,KAAiB;IACnC,IAAI,CAAC,GAAG,EAAE,CAAC;IACX,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,CAAC,IAAK,KAAK,CAAC,CAAC,CAAY,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;IAC1D,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC"}

package/dist/provision/send.d.ts

@@ -0,0 +1,85 @@
+import { type Identity } from "../didcomm/index.js";
+import type { RemoteDidcommEndpoint } from "../vta/didcomm.js";
+import type { DidcommMessageBridge } from "../vta/transport.js";
+import type { BootstrapRequestVp } from "./request.js";
+/** Parsed DIDComm problem-report body. Mirrors the wire shape
+ *  emitted by the VTA's `app_err_to_response`. */
+export interface ProblemReportPayload {
+    code: string;
+    comment: string;
+    /** Structured arguments — task-specific. For
+     *  `provision/integration:context_required` this carries the
+     *  candidates list. */
+    args: string[];
+}
+/** Thrown by `sendProvisionIntegration` when the VTA replies with a
+ *  DIDComm problem-report rather than a success result. Carries the
+ *  structured fields so callers can branch on the code (e.g. the
+ *  popup's context-required recovery picker that reads
+ *  `report.args` as the candidates list). */
+export declare class ProvisionProblemReportError extends Error {
+    readonly report: ProblemReportPayload;
+    constructor(report: ProblemReportPayload);
+}
+/** Body of the inbound `provision-integration` message. Mirrors
+ *  `vta_sdk::provision_integration::http::ProvisionIntegrationRequest`. */
+export interface ProvisionIntegrationRequestBody {
+    request: BootstrapRequestVp;
+    /** Optional per the canonical Trust Task spec. When omitted, the VTA
+     *  infers the target context from the relayer's ACL grant + its own
+     *  contexts state. See vta-sdk's `ProvisionIntegrationRequest::context`
+     *  doc-comment for the full inference rules. */
+    context?: string;
+    assertion?: "did-signed" | "pinned-only";
+    /** Caller-preferred VC validity in seconds. Capped server-side. */
+    vc_validity_seconds?: number;
+    /** Super-admin only: create the context inline if missing. */
+    create_context?: boolean;
+}
+/** Body of the outbound `provision-integration-result` reply. Mirrors
+ *  `vta_sdk::provision_integration::http::ProvisionIntegrationResponse`. */
+export interface ProvisionIntegrationResponseBody {
+    bundle: string;
+    digest: string;
+    summary: ProvisionSummary;
+}
+export interface ProvisionSummary {
+    client_did: string;
+    admin_did?: string;
+    admin_rolled_over?: boolean;
+    integration_did?: string;
+    template_name?: string;
+    template_kind?: string;
+    admin_template_name?: string | null;
+    bundle_id_hex: string;
+    secret_count: number;
+    output_count: number;
+    webvh_server_id?: string | null;
+    context_created?: boolean;
+}
+export interface SendProvisionIntegrationOptions {
+    /** Mediator-backed bridge — ships the JWE and surfaces the decrypted,
+     *  sender-authenticated reply (keyed by `thid`). */
+    bridge: DidcommMessageBridge;
+    /** Authcrypt sender = the operator-granted ephemeral did:key (X25519
+     *  identity matching the BootstrapRequest's `holder`). */
+    ephemeral: Identity;
+    /** The VTA's DID + keyAgreement key (inner authcrypt recipient). */
+    service: RemoteDidcommEndpoint;
+    /** The VTA's mediator (forward target). Omit for direct, non-mediated send. */
+    mediator?: RemoteDidcommEndpoint;
+    /** The VTA's DID — the expected reply `from`. */
+    vtaDid: string;
+    /** The request body to ship. */
+    body: ProvisionIntegrationRequestBody;
+    /** Request-side timeout. Default 60s (matches the Rust SDK constant) —
+     *  the handler renders templates, mints keys, writes the webvh log, and
+     *  seals the bundle synchronously inside one handler call, so it needs
+     *  more headroom than a typical authenticate. */
+    timeoutMs?: number;
+}
+/** Pack + send the provision-integration request and return the reply
+ *  body. Throws on timeout, wrong reply type, sender mismatch, or any
+ *  problem-report from the VTA. */
+export declare function sendProvisionIntegration(opts: SendProvisionIntegrationOptions): Promise<ProvisionIntegrationResponseBody>;
+//# sourceMappingURL=send.d.ts.map