@openvtc/pnm-core 0.1.0

package/dist/siop/login-client.js

@@ -0,0 +1,79 @@
+// SIOPv2 login client for a Trust-Tasks Relying Party (the DID hosting
+// service). Drives the RP's challenge → authenticate flow: fetch a
+// nonce, self-issue an `id_token` signed by the holder's Ed25519
+// `did:key`, wrap it in the RP's authenticate Trust-Task envelope, and
+// exchange it for a session JWT. No passkey, no DIDComm to the RP — the
+// RP verifies by resolving the holder DID.
+import { createStopwatch } from "../util/timing.js";
+import { issueIdToken } from "./self-issued.js";
+/** The canonical authenticate Trust-Task type from trusttasks-tf.
+ *  did-hosting + VTA + VTC all dispatch on this same URI. */
+const TASK_AUTH_AUTHENTICATE = "https://trusttasks.org/spec/auth/authenticate/0.1";
+/**
+ * Log into a Trust-Tasks RP via SIOPv2 self-issuance. Returns the
+ * RP-issued session tokens. Throws on a transport error or an RP
+ * rejection (the error message carries the RP's response body).
+ */
+export async function loginViaSiop(opts) {
+    const fetchFn = opts.fetch ?? fetch.bind(globalThis);
+    const base = opts.baseUrl.replace(/\/+$/, "");
+    const sw = createStopwatch();
+    // 1. Request a challenge nonce for the holder DID.
+    const challengeRes = await fetchFn(`${base}/auth/challenge`, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify({ did: opts.signing.did }),
+    });
+    if (!challengeRes.ok) {
+        throw new Error(`siop login: challenge failed (${challengeRes.status}): ${await challengeRes.text()}`);
+    }
+    // Canonical wire (spec/auth/challenge/0.1#response): flat
+    // { challenge, sessionId, expiresAt }. No `data` envelope.
+    const challenge = (await challengeRes.json());
+    sw.mark("challenge");
+    // 2. Self-issue the id_token — aud = the RP's DID, nonce = the challenge.
+    const idToken = issueIdToken({
+        identity: opts.signing,
+        audience: opts.rpDid,
+        nonce: challenge.challenge,
+    });
+    sw.mark("id_token signed");
+    // 3. Wrap in the RP's authenticate Trust-Task envelope.
+    const envelope = {
+        id: `urn:uuid:${globalThis.crypto.randomUUID()}`,
+        type: TASK_AUTH_AUTHENTICATE,
+        issuer: opts.signing.did,
+        issuedAt: new Date().toISOString(),
+        payload: {
+            id_token: idToken,
+            session_id: challenge.sessionId,
+            ...(opts.sessionPubkeyB58btc
+                ? { session_pubkey_b58btc: opts.sessionPubkeyB58btc }
+                : {}),
+        },
+    };
+    // 4. Exchange for a session JWT.
+    const authRes = await fetchFn(`${base}/auth/`, {
+        method: "POST",
+        headers: { "content-type": "application/json" },
+        body: JSON.stringify(envelope),
+    });
+    if (!authRes.ok) {
+        throw new Error(`siop login: authenticate failed (${authRes.status}): ${await authRes.text()}`);
+    }
+    // Canonical wire (spec/auth/authenticate/0.1#response):
+    // { session: Session, tokens: TokenBundle }. Session.id is the
+    // session identifier; tokens.{accessToken, refreshToken} carry
+    // the bearer material. `expiresIn` is seconds-from-issuance per
+    // RFC 6749 §5.1 — clients compute the absolute moment as
+    // Date.parse(session.issuedAt) + tokens.expiresIn * 1000.
+    const r = (await authRes.json());
+    sw.mark("authenticate");
+    return {
+        timings: sw.marks,
+        accessToken: r.tokens.accessToken,
+        refreshToken: r.tokens.refreshToken ?? "",
+        sessionId: r.session.id,
+    };
+}
+//# sourceMappingURL=login-client.js.map

package/dist/siop/login-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"login-client.js","sourceRoot":"","sources":["../../src/siop/login-client.ts"],"names":[],"mappings":"AAAA,uEAAuE;AACvE,mEAAmE;AACnE,iEAAiE;AACjE,uEAAuE;AACvE,wEAAwE;AACxE,2CAA2C;AAE3C,OAAO,EAAE,eAAe,EAAmB,MAAM,mBAAmB,CAAC;AACrE,OAAO,EAAE,YAAY,EAAwB,MAAM,kBAAkB,CAAC;AAEtE;6DAC6D;AAC7D,MAAM,sBAAsB,GAAG,mDAAmD,CAAC;AAwBnF;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,IAAsB;IAEtB,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACrD,MAAM,IAAI,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC9C,MAAM,EAAE,GAAG,eAAe,EAAE,CAAC;IAE7B,mDAAmD;IACnD,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,IAAI,iBAAiB,EAAE;QAC3D,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC;KAChD,CAAC,CAAC;IACH,IAAI,CAAC,YAAY,CAAC,EAAE,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CACb,iCAAiC,YAAY,CAAC,MAAM,MAAM,MAAM,YAAY,CAAC,IAAI,EAAE,EAAE,CACtF,CAAC;IACJ,CAAC;IACD,0DAA0D;IAC1D,2DAA2D;IAC3D,MAAM,SAAS,GAAG,CAAC,MAAM,YAAY,CAAC,IAAI,EAAE,CAI3C,CAAC;IACF,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IAErB,0EAA0E;IAC1E,MAAM,OAAO,GAAG,YAAY,CAAC;QAC3B,QAAQ,EAAE,IAAI,CAAC,OAAO;QACtB,QAAQ,EAAE,IAAI,CAAC,KAAK;QACpB,KAAK,EAAE,SAAS,CAAC,SAAS;KAC3B,CAAC,CAAC;IACH,EAAE,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;IAE3B,wDAAwD;IACxD,MAAM,QAAQ,GAAG;QACf,EAAE,EAAE,YAAY,UAAU,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE;QAChD,IAAI,EAAE,sBAAsB;QAC5B,MAAM,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG;QACxB,QAAQ,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QAClC,OAAO,EAAE;YACP,QAAQ,EAAE,OAAO;YACjB,UAAU,EAAE,SAAS,CAAC,SAAS;YAC/B,GAAG,CAAC,IAAI,CAAC,mBAAmB;gBAC1B,CAAC,CAAC,EAAE,qBAAqB,EAAE,IAAI,CAAC,mBAAmB,EAAE;gBACrD,CAAC,CAAC,EAAE,CAAC;SACR;KACF,CAAC;IAEF,iCAAiC;IACjC,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,GAAG,IAAI,QAAQ,EAAE;QAC7C,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC;KAC/B,CAAC,CAAC;IACH,IAAI,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;QAChB,MAAM,IAAI,KAAK,CACb,oCAAoC,OAAO,CAAC,MAAM,MAAM,MAAM,OAAO,CAAC,IAAI,EAAE,EAAE,CAC/E,CAAC;IACJ,CAAC;IACD,wDAAwD;IACxD,+DAA+D;IAC/D,+DAA+D;IAC/D,gEAAgE;IAChE,yDAAyD;IACzD,0DAA0D;IAC1D,MAAM,CAAC,GAAG,CAAC,MAAM,OAAO,CAAC,IAAI,EAAE,CAgB9B,CAAC;IACF,EAAE,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IACxB,OAAO;QACL,OAAO,EAAE,EAAE,CAAC,KAAK;QACjB,WAAW,EAAE,CAAC,CAAC,MAAM,CAAC,WAAW;QACjC,YAAY,EAAE,CAAC,CAAC,MAAM,CAAC,YAAY,IAAI,EAAE;QACzC,SAAS,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE;KACxB,CAAC;AACJ,CAAC"}

package/dist/siop/self-issued.d.ts

@@ -0,0 +1,96 @@
+/** An Ed25519 `did:key` signing identity. `privateKey` is held in JS
+ *  memory (the accepted trade-off for the no-passkey path — see the
+ *  step-up flow for hardware-backed signing). */
+export interface SigningIdentity {
+    /** `did:key:z6Mk…` */
+    did: string;
+    /** Verification-method id for the signing key (`<did>#z6Mk…`). */
+    kid: string;
+    privateKey: Uint8Array;
+    publicKey: Uint8Array;
+}
+/** Mint a fresh Ed25519 `did:key` signing identity. */
+export declare function generateSigningIdentity(): SigningIdentity;
+/** Reconstruct a signing identity from a stored Ed25519 private key. */
+export declare function signingIdentityFromSecret(privateKey: Uint8Array): SigningIdentity;
+export interface IssueIdTokenOptions {
+    identity: SigningIdentity;
+    /** RP identifier the token is bound to (`aud`) — its DID or client_id. */
+    audience: string;
+    /** RP-supplied nonce echoed in the token (replay protection). */
+    nonce: string;
+    /** Token lifetime in seconds (default 300). */
+    ttlSeconds?: number;
+}
+/**
+ * Issue a self-issued `id_token` (compact EdDSA JWS). `iss` and `sub`
+ * are the holder DID; the RP verifies by resolving that DID and checking
+ * the signature against its authentication key.
+ */
+export declare function issueIdToken(opts: IssueIdTokenOptions): string;
+export interface IssueSwapPresentationOptions {
+    /** The signing identity proving control of the **new** DID (the wallet's
+     *  long-term holder did:peer, `#key-2`). The presentation's `holder` is its
+     *  DID — what the swap creates the new ACL entry for. */
+    holder: SigningIdentity;
+    /** The VTA's DID — bound as `aud` so the proof can't be replayed elsewhere. */
+    audience: string;
+    /** Lifetime in seconds (default 300). */
+    ttlSeconds?: number;
+    /** Optional explicit nonce; a random one is generated when omitted. */
+    nonce?: string;
+}
+/**
+ * Issue a swap-acl presentation: a W3C Verifiable Presentation secured as a
+ * compact EdDSA JWS (VP-JWT), proving control of the holder DID. The VTA's
+ * `swap-acl` handler resolves `iss` and verifies this signature against the
+ * holder's key, then moves the caller's ACL entry onto it. Same signing
+ * primitive as {@link issueIdToken} — just a VP envelope instead of an
+ * id_token.
+ */
+export declare function issueSwapPresentation(opts: IssueSwapPresentationOptions): string;
+export interface VerifiedIdToken {
+    /** The holder DID that signed the token (`iss`/`sub`). */
+    did: string;
+    claims: {
+        iss: string;
+        sub: string;
+        aud: string;
+        nonce: string;
+        iat: number;
+        exp: number;
+    };
+}
+/**
+ * Verify a self-issued `id_token`: resolve the `did:key`, check the
+ * EdDSA signature against its authentication VM, and enforce
+ * `aud` / `nonce` / `exp`. Throws on any failure.
+ */
+export declare function verifyIdToken(jwt: string, expect: {
+    audience: string;
+    nonce: string;
+    now?: number;
+}): VerifiedIdToken;
+/** The X25519 keyAgreement material derived from an Ed25519 signing
+ *  identity, ready to build a DIDComm `Identity`. */
+export interface DidcommKeyAgreement {
+    /** keyAgreement VM id (`<did>#<x25519-multibase>`), as the did:key resolver emits it. */
+    keyAgreementKid: string;
+    /** X25519 secret JWK ({kty:OKP, crv:X25519, x, d}). */
+    secretJwk: {
+        kty: "OKP";
+        crv: "X25519";
+        x: string;
+        d: string;
+    };
+}
+/**
+ * Derive the DIDComm X25519 keyAgreement material from an Ed25519
+ * {@link SigningIdentity}. The X25519 key is the Montgomery form of the
+ * same key — exactly as the `did:key` resolver derives the keyAgreement
+ * VM — so one Ed25519 `did:key` serves both login (signing) and DIDComm
+ * (authcrypt) under a single DID. The kid is taken from the resolver so
+ * it matches byte-for-byte what counterparties address replies to.
+ */
+export declare function didcommKeyAgreementFromSigning(identity: SigningIdentity): DidcommKeyAgreement;
+//# sourceMappingURL=self-issued.d.ts.map

package/dist/siop/self-issued.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"self-issued.d.ts","sourceRoot":"","sources":["../../src/siop/self-issued.ts"],"names":[],"mappings":"AAkBA;;iDAEiD;AACjD,MAAM,WAAW,eAAe;IAC9B,sBAAsB;IACtB,GAAG,EAAE,MAAM,CAAC;IACZ,kEAAkE;IAClE,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,UAAU,CAAC;IACvB,SAAS,EAAE,UAAU,CAAC;CACvB;AAED,uDAAuD;AACvD,wBAAgB,uBAAuB,IAAI,eAAe,CAIzD;AAED,wEAAwE;AACxE,wBAAgB,yBAAyB,CAAC,UAAU,EAAE,UAAU,GAAG,eAAe,CAEjF;AAWD,MAAM,WAAW,mBAAmB;IAClC,QAAQ,EAAE,eAAe,CAAC;IAC1B,0EAA0E;IAC1E,QAAQ,EAAE,MAAM,CAAC;IACjB,iEAAiE;IACjE,KAAK,EAAE,MAAM,CAAC;IACd,+CAA+C;IAC/C,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,mBAAmB,GAAG,MAAM,CAc9D;AAED,MAAM,WAAW,4BAA4B;IAC3C;;6DAEyD;IACzD,MAAM,EAAE,eAAe,CAAC;IACxB,+EAA+E;IAC/E,QAAQ,EAAE,MAAM,CAAC;IACjB,yCAAyC;IACzC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,uEAAuE;IACvE,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,IAAI,EAAE,4BAA4B,GAAG,MAAM,CAoBhF;AAED,MAAM,WAAW,eAAe;IAC9B,0DAA0D;IAC1D,GAAG,EAAE,MAAM,CAAC;IACZ,MAAM,EAAE;QACN,GAAG,EAAE,MAAM,CAAC;QACZ,GAAG,EAAE,MAAM,CAAC;QACZ,GAAG,EAAE,MAAM,CAAC;QACZ,KAAK,EAAE,MAAM,CAAC;QACd,GAAG,EAAE,MAAM,CAAC;QACZ,GAAG,EAAE,MAAM,CAAC;KACb,CAAC;CACH;AAED;;;;GAIG;AACH,wBAAgB,aAAa,CAC3B,GAAG,EAAE,MAAM,EACX,MAAM,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,GAAG,CAAC,EAAE,MAAM,CAAA;CAAE,GACxD,eAAe,CAkCjB;AAqBD;qDACqD;AACrD,MAAM,WAAW,mBAAmB;IAClC,yFAAyF;IACzF,eAAe,EAAE,MAAM,CAAC;IACxB,uDAAuD;IACvD,SAAS,EAAE;QAAE,GAAG,EAAE,KAAK,CAAC;QAAC,GAAG,EAAE,QAAQ,CAAC;QAAC,CAAC,EAAE,MAAM,CAAC;QAAC,CAAC,EAAE,MAAM,CAAA;KAAE,CAAC;CAChE;AAED;;;;;;;GAOG;AACH,wBAAgB,8BAA8B,CAC5C,QAAQ,EAAE,eAAe,GACxB,mBAAmB,CAmBrB"}

package/dist/siop/self-issued.js

@@ -0,0 +1,162 @@
+// Self-Issued OpenID Provider v2 (SIOPv2) — the wallet self-issues an
+// `id_token` proving control of its `did:key`, which a Relying Party
+// verifies by resolving the DID. No passwords, no per-site passkey, no
+// round-trip to the VTA: the holder key signs locally and the DID is
+// self-certifying (resolvable without any server).
+//
+// This is the base login primitive. A `did:key` here is an **Ed25519**
+// key (multicodec 0xed01) because the credential must SIGN — an
+// X25519-only `did:key` can only do ECDH (DIDComm authcrypt) and cannot
+// produce a JWS. The same Ed25519 key also yields a derived X25519
+// keyAgreement key for DIDComm (see did:key resolution), so one identity
+// covers both login and DIDComm.
+import { ed25519, x25519 } from "@noble/curves/ed25519.js";
+import { base64url, didKey, multibase } from "@openvtc/vti-didcomm-js";
+const ED25519_PUB = multibase.MULTICODEC.ED25519_PUB;
+/** Mint a fresh Ed25519 `did:key` signing identity. */
+export function generateSigningIdentity() {
+    const privateKey = ed25519.utils.randomSecretKey();
+    const publicKey = ed25519.getPublicKey(privateKey);
+    return signingIdentityFromKeys(privateKey, publicKey);
+}
+/** Reconstruct a signing identity from a stored Ed25519 private key. */
+export function signingIdentityFromSecret(privateKey) {
+    return signingIdentityFromKeys(privateKey, ed25519.getPublicKey(privateKey));
+}
+function signingIdentityFromKeys(privateKey, publicKey) {
+    const mb = multibase.encodeMultikey(ED25519_PUB, publicKey);
+    const did = `did:key:${mb}`;
+    return { did, kid: `${did}#${mb}`, privateKey, publicKey };
+}
+/**
+ * Issue a self-issued `id_token` (compact EdDSA JWS). `iss` and `sub`
+ * are the holder DID; the RP verifies by resolving that DID and checking
+ * the signature against its authentication key.
+ */
+export function issueIdToken(opts) {
+    const now = Math.floor(Date.now() / 1000);
+    const header = { alg: "EdDSA", typ: "JWT", kid: opts.identity.kid };
+    const payload = {
+        iss: opts.identity.did,
+        sub: opts.identity.did,
+        aud: opts.audience,
+        nonce: opts.nonce,
+        iat: now,
+        exp: now + (opts.ttlSeconds ?? 300),
+    };
+    const signingInput = `${b64uJson(header)}.${b64uJson(payload)}`;
+    const sig = ed25519.sign(new TextEncoder().encode(signingInput), opts.identity.privateKey);
+    return `${signingInput}.${base64url.encode(sig)}`;
+}
+/**
+ * Issue a swap-acl presentation: a W3C Verifiable Presentation secured as a
+ * compact EdDSA JWS (VP-JWT), proving control of the holder DID. The VTA's
+ * `swap-acl` handler resolves `iss` and verifies this signature against the
+ * holder's key, then moves the caller's ACL entry onto it. Same signing
+ * primitive as {@link issueIdToken} — just a VP envelope instead of an
+ * id_token.
+ */
+export function issueSwapPresentation(opts) {
+    const now = Math.floor(Date.now() / 1000);
+    const nonce = opts.nonce ?? base64url.encode(globalThis.crypto.getRandomValues(new Uint8Array(16)));
+    const header = { alg: "EdDSA", typ: "JWT", kid: opts.holder.kid };
+    const payload = {
+        iss: opts.holder.did,
+        aud: opts.audience,
+        iat: now,
+        exp: now + (opts.ttlSeconds ?? 300),
+        nonce,
+        vp: {
+            "@context": ["https://www.w3.org/ns/credentials/v2"],
+            type: ["VerifiablePresentation", "AclSwapRequest"],
+            holder: opts.holder.did,
+        },
+    };
+    const signingInput = `${b64uJson(header)}.${b64uJson(payload)}`;
+    const sig = ed25519.sign(new TextEncoder().encode(signingInput), opts.holder.privateKey);
+    return `${signingInput}.${base64url.encode(sig)}`;
+}
+/**
+ * Verify a self-issued `id_token`: resolve the `did:key`, check the
+ * EdDSA signature against its authentication VM, and enforce
+ * `aud` / `nonce` / `exp`. Throws on any failure.
+ */
+export function verifyIdToken(jwt, expect) {
+    const parts = jwt.split(".");
+    if (parts.length !== 3)
+        throw new Error("siop: malformed JWS (expected 3 parts)");
+    const [h, p, s] = parts;
+    const header = jsonFromB64u(h);
+    if (header.alg !== "EdDSA") {
+        throw new Error(`siop: unsupported alg ${JSON.stringify(header.alg)}; expected EdDSA`);
+    }
+    const claims = jsonFromB64u(p);
+    if (typeof claims.iss !== "string" || claims.iss !== claims.sub) {
+        throw new Error("siop: iss/sub missing or mismatched (must be the self-issued DID)");
+    }
+    // Resolve the DID and pull its authentication signing key.
+    const signingKey = ed25519AuthKey(claims.iss);
+    const ok = ed25519.verify(base64url.decode(s), new TextEncoder().encode(`${h}.${p}`), signingKey);
+    if (!ok)
+        throw new Error("siop: signature does not verify against the DID's key");
+    if (claims.aud !== expect.audience) {
+        throw new Error(`siop: aud ${JSON.stringify(claims.aud)} != ${JSON.stringify(expect.audience)}`);
+    }
+    if (claims.nonce !== expect.nonce) {
+        throw new Error("siop: nonce mismatch (possible replay)");
+    }
+    const now = expect.now ?? Math.floor(Date.now() / 1000);
+    if (typeof claims.exp !== "number" || claims.exp < now) {
+        throw new Error("siop: token expired");
+    }
+    return { did: claims.iss, claims };
+}
+/** Resolve a `did:key` and return its Ed25519 authentication key bytes. */
+function ed25519AuthKey(did) {
+    const doc = didKey.resolve(did).didDocument;
+    const authId = doc.authentication?.[0];
+    if (!authId)
+        throw new Error(`siop: ${did} has no authentication method (not a signing DID)`);
+    const vm = (doc.verificationMethod ?? []).find((v) => v.id === authId);
+    if (!vm?.publicKeyMultibase) {
+        throw new Error("siop: authentication VM missing publicKeyMultibase");
+    }
+    const { codec, key } = multibase.decodeMultikey(vm.publicKeyMultibase);
+    if (codec[0] !== ED25519_PUB[0] || codec[1] !== ED25519_PUB[1]) {
+        throw new Error("siop: authentication key is not Ed25519");
+    }
+    return key;
+}
+/**
+ * Derive the DIDComm X25519 keyAgreement material from an Ed25519
+ * {@link SigningIdentity}. The X25519 key is the Montgomery form of the
+ * same key — exactly as the `did:key` resolver derives the keyAgreement
+ * VM — so one Ed25519 `did:key` serves both login (signing) and DIDComm
+ * (authcrypt) under a single DID. The kid is taken from the resolver so
+ * it matches byte-for-byte what counterparties address replies to.
+ */
+export function didcommKeyAgreementFromSigning(identity) {
+    const xPriv = ed25519.utils.toMontgomerySecret(identity.privateKey);
+    const xPub = x25519.getPublicKey(xPriv);
+    const doc = didKey.resolve(identity.did).didDocument;
+    const keyAgreementKid = doc.keyAgreement?.[0];
+    if (!keyAgreementKid) {
+        throw new Error("siop: Ed25519 did:key has no keyAgreement VM");
+    }
+    return {
+        keyAgreementKid,
+        secretJwk: {
+            kty: "OKP",
+            crv: "X25519",
+            x: base64url.encode(xPub),
+            d: base64url.encode(xPriv),
+        },
+    };
+}
+function b64uJson(value) {
+    return base64url.encode(new TextEncoder().encode(JSON.stringify(value)));
+}
+function jsonFromB64u(segment) {
+    return JSON.parse(new TextDecoder().decode(base64url.decode(segment)));
+}
+//# sourceMappingURL=self-issued.js.map

package/dist/siop/self-issued.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"self-issued.js","sourceRoot":"","sources":["../../src/siop/self-issued.ts"],"names":[],"mappings":"AAAA,sEAAsE;AACtE,qEAAqE;AACrE,uEAAuE;AACvE,qEAAqE;AACrE,mDAAmD;AACnD,EAAE;AACF,uEAAuE;AACvE,gEAAgE;AAChE,wEAAwE;AACxE,mEAAmE;AACnE,yEAAyE;AACzE,iCAAiC;AAEjC,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,0BAA0B,CAAC;AAC3D,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AAEvE,MAAM,WAAW,GAAG,SAAS,CAAC,UAAU,CAAC,WAAW,CAAC;AAcrD,uDAAuD;AACvD,MAAM,UAAU,uBAAuB;IACrC,MAAM,UAAU,GAAG,OAAO,CAAC,KAAK,CAAC,eAAe,EAAE,CAAC;IACnD,MAAM,SAAS,GAAG,OAAO,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC;IACnD,OAAO,uBAAuB,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;AACxD,CAAC;AAED,wEAAwE;AACxE,MAAM,UAAU,yBAAyB,CAAC,UAAsB;IAC9D,OAAO,uBAAuB,CAAC,UAAU,EAAE,OAAO,CAAC,YAAY,CAAC,UAAU,CAAC,CAAC,CAAC;AAC/E,CAAC;AAED,SAAS,uBAAuB,CAC9B,UAAsB,EACtB,SAAqB;IAErB,MAAM,EAAE,GAAG,SAAS,CAAC,cAAc,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;IAC5D,MAAM,GAAG,GAAG,WAAW,EAAE,EAAE,CAAC;IAC5B,OAAO,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,GAAG,IAAI,EAAE,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,CAAC;AAC7D,CAAC;AAYD;;;;GAIG;AACH,MAAM,UAAU,YAAY,CAAC,IAAyB;IACpD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC;IACpE,MAAM,OAAO,GAAG;QACd,GAAG,EAAE,IAAI,CAAC,QAAQ,CAAC,GAAG;QACtB,GAAG,EAAE,IAAI,CAAC,QAAQ,CAAC,GAAG;QACtB,GAAG,EAAE,IAAI,CAAC,QAAQ;QAClB,KAAK,EAAE,IAAI,CAAC,KAAK;QACjB,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC,UAAU,IAAI,GAAG,CAAC;KACpC,CAAC;IACF,MAAM,YAAY,GAAG,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;IAChE,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IAC3F,OAAO,GAAG,YAAY,IAAI,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;AACpD,CAAC;AAeD;;;;;;;GAOG;AACH,MAAM,UAAU,qBAAqB,CAAC,IAAkC;IACtE,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,KAAK,GACT,IAAI,CAAC,KAAK,IAAI,SAAS,CAAC,MAAM,CAAC,UAAU,CAAC,MAAM,CAAC,eAAe,CAAC,IAAI,UAAU,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IACxF,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;IAClE,MAAM,OAAO,GAAG;QACd,GAAG,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG;QACpB,GAAG,EAAE,IAAI,CAAC,QAAQ;QAClB,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC,UAAU,IAAI,GAAG,CAAC;QACnC,KAAK;QACL,EAAE,EAAE;YACF,UAAU,EAAE,CAAC,sCAAsC,CAAC;YACpD,IAAI,EAAE,CAAC,wBAAwB,EAAE,gBAAgB,CAAC;YAClD,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG;SACxB;KACF,CAAC;IACF,MAAM,YAAY,GAAG,GAAG,QAAQ,CAAC,MAAM,CAAC,IAAI,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;IAChE,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,YAAY,CAAC,EAAE,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;IACzF,OAAO,GAAG,YAAY,IAAI,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;AACpD,CAAC;AAeD;;;;GAIG;AACH,MAAM,UAAU,aAAa,CAC3B,GAAW,EACX,MAAyD;IAEzD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAClF,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,GAAG,KAAiC,CAAC;IAEpD,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;IAC/B,IAAI,MAAM,CAAC,GAAG,KAAK,OAAO,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,yBAAyB,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,kBAAkB,CAAC,CAAC;IACzF,CAAC;IACD,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,CAA8B,CAAC;IAC5D,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM,CAAC,GAAG,EAAE,CAAC;QAChE,MAAM,IAAI,KAAK,CAAC,mEAAmE,CAAC,CAAC;IACvF,CAAC;IAED,2DAA2D;IAC3D,MAAM,UAAU,GAAG,cAAc,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC9C,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CACvB,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EACnB,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,EACrC,UAAU,CACX,CAAC;IACF,IAAI,CAAC,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;IAElF,IAAI,MAAM,CAAC,GAAG,KAAK,MAAM,CAAC,QAAQ,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,aAAa,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC;IACnG,CAAC;IACD,IAAI,MAAM,CAAC,KAAK,KAAK,MAAM,CAAC,KAAK,EAAE,CAAC;QAClC,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC5D,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IACxD,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ,IAAI,MAAM,CAAC,GAAG,GAAG,GAAG,EAAE,CAAC;QACvD,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;IACzC,CAAC;IACD,OAAO,EAAE,GAAG,EAAE,MAAM,CAAC,GAAG,EAAE,MAAM,EAAE,CAAC;AACrC,CAAC;AAED,2EAA2E;AAC3E,SAAS,cAAc,CAAC,GAAW;IACjC,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,WAG/B,CAAC;IACF,MAAM,MAAM,GAAG,GAAG,CAAC,cAAc,EAAE,CAAC,CAAC,CAAC,CAAC;IACvC,IAAI,CAAC,MAAM;QAAE,MAAM,IAAI,KAAK,CAAC,SAAS,GAAG,mDAAmD,CAAC,CAAC;IAC9F,MAAM,EAAE,GAAG,CAAC,GAAG,CAAC,kBAAkB,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,MAAM,CAAC,CAAC;IACvE,IAAI,CAAC,EAAE,EAAE,kBAAkB,EAAE,CAAC;QAC5B,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACxE,CAAC;IACD,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,SAAS,CAAC,cAAc,CAAC,EAAE,CAAC,kBAAkB,CAAC,CAAC;IACvE,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,WAAW,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,WAAW,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/D,MAAM,IAAI,KAAK,CAAC,yCAAyC,CAAC,CAAC;IAC7D,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAWD;;;;;;;GAOG;AACH,MAAM,UAAU,8BAA8B,CAC5C,QAAyB;IAEzB,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,kBAAkB,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IACpE,MAAM,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC;IACxC,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,WAExC,CAAC;IACF,MAAM,eAAe,GAAG,GAAG,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,CAAC;IAC9C,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IACD,OAAO;QACL,eAAe;QACf,SAAS,EAAE;YACT,GAAG,EAAE,KAAK;YACV,GAAG,EAAE,QAAQ;YACb,CAAC,EAAE,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC;YACzB,CAAC,EAAE,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC;SAC3B;KACF,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,SAAS,CAAC,MAAM,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;AAC3E,CAAC;AAED,SAAS,YAAY,CAAC,OAAe;IACnC,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;AACzE,CAAC"}

package/dist/store/holder-identity.d.ts

@@ -0,0 +1,241 @@
+import { Identity } from "../didcomm/index.js";
+import type { SigningIdentity } from "../siop/index.js";
+import type { KVStore } from "./kv-store.js";
+import { type SecretWrap } from "./secret-wrap.js";
+export interface HolderIdentityResult {
+    /** DIDComm key-agreement identity (X25519, `#key-1`) — used for authcrypt. */
+    identity: Identity;
+    /** Signing identity (Ed25519, `#key-2`) — self-issues SIOPv2 login
+     *  `id_token`s and signs trust-task proofs. `.did` is the did:peer. */
+    signing: SigningIdentity;
+    /** True if this run minted a fresh identity (first launch); false if loaded. */
+    freshlyMinted: boolean;
+}
+export interface HolderIdentityOptions {
+    /** When set, the minted DID advertises a `DIDCommMessaging` service whose
+     *  endpoint is this mediator DID — making the wallet reachable for inbound
+     *  DIDComm. Only honoured on a FRESH mint (the persisted DID is immutable).
+     *  Omit to mint a keys-only did:peer (sufficient for outbound login). */
+    mediatorDid?: string;
+    /**
+     * H1: encryption wrapper for the persisted Ed25519 secret.
+     * When supplied, fresh mints write `wrappedSecret` instead of
+     * `edSecretB64u`, and existing wallets stored with a matching
+     * wrap require the wrap on load to decrypt.
+     *
+     * Omit (or supply `PassthroughWrap`) for tests and legacy
+     * callers. Production extension wrappers supply a
+     * `WebAuthnPrfSecretWrap` so an exfiltrated IndexedDB row is
+     * useless without the operator's authenticator.
+     *
+     * Backward compatibility: a record written before this option
+     * landed (no `wrappedSecret`, plaintext `edSecretB64u`) loads
+     * regardless of whether a wrap is supplied — the loader
+     * detects the legacy shape and reads the plaintext. The
+     * **next save** (e.g. mediator-DID rotation, future schema
+     * upgrade) will re-persist using the wrap, migrating the
+     * record forward.
+     */
+    secretWrap?: SecretWrap;
+}
+/**
+ * Generate-or-load the wallet's holder identity (a `did:peer:2`) from a
+ * `KVStore`. Only the Ed25519 secret is persisted; the DID + kids are
+ * persisted alongside it (the DID is immutable once minted), and the X25519
+ * keyAgreement key is re-derived on every load.
+ *
+ * Persistence is wrapped via the optional [`HolderIdentityOptions.secretWrap`]
+ * — production extensions supply a `WebAuthnPrfSecretWrap` so storage
+ * exfil yields ciphertext, not the wallet's signing key. Callers that
+ * omit the wrap fall back to plaintext (legacy behaviour); the
+ * loader handles both shapes for backward compatibility.
+ */
+export declare function generateOrLoadHolderIdentity(store: KVStore, opts?: HolderIdentityOptions): Promise<HolderIdentityResult>;
+/** Forget every persisted holder identity. Mostly for tests / hard
+ *  reset (the options page "wipe wallet" button). Clears the v3 row,
+ *  the legacy single-VTA v4 row, AND every per-vta v4 record. After
+ *  this the wallet looks freshly installed at every VTA. */
+export declare function clearHolderIdentity(store: KVStore): Promise<void>;
+/** Thrown by `loadHolderStrict` when neither a v3 nor a v4 holder record
+ *  exists — the wallet is on a fresh install and the operator should
+ *  proceed with onboarding. */
+export declare class NoHolderError extends Error {
+    constructor();
+}
+/** Thrown by `loadHolderStrict` when a v3 (self-derived did:peer) record
+ *  exists but no v4 (VTA-minted did:key) record. The wallet was built
+ *  before the M2C identity migration; the operator must re-onboard so the
+ *  VTA mints a fresh long-term DID. The old did:peer is unusable as the
+ *  wallet's holder going forward — every RP that recognised it must be
+ *  re-granted with the new VTA-minted DID.
+ *
+ *  `previousDid` is the v3 DID, surfaced for the migration UI so the
+ *  operator can audit what they're abandoning. */
+export declare class RequiresReonboardError extends Error {
+    readonly previousDid: string;
+    constructor(previousDid: string);
+}
+export interface LoadHolderStrictOptions {
+    /** Which VTA's holder identity to load. Each VTA the wallet has been
+     *  onboarded at has its own per-VTA holder record (the v4 schema is
+     *  multi-instance — one record per VTA). Pass the VTA DID the
+     *  operation is targeting; the store contains exactly one v4 record
+     *  per `(vtaDid)` pair. */
+    vtaDid: string;
+    /** Wrap that decrypts the persisted Ed25519 seed. Same semantics as
+     *  `HolderIdentityOptions.secretWrap` — omit for plaintext (tests /
+     *  legacy), supply a `WebAuthnPrfSecretWrap` in production. */
+    secretWrap?: SecretWrap;
+}
+/** Load the wallet's holder identity for the given VTA, strictly
+ *  preferring v4.
+ *
+ *  - v4 record for `vtaDid` present → return the VTA-minted holder.
+ *  - no v4 record for `vtaDid` but a legacy single-VTA v4 record
+ *    exists → migrate it to the per-vta path (transparently) and
+ *    return if its `vtaDid` matches the requested one.
+ *  - no v4 (for `vtaDid` or legacy) but v3 present → throw
+ *    `RequiresReonboardError` (the operator needs to re-onboard so the
+ *    VTA mints a v4 identity).
+ *  - none of the above → throw `NoHolderError` (fresh install). */
+export declare function loadHolderStrict(store: KVStore, opts: LoadHolderStrictOptions): Promise<HolderIdentityResult>;
+export interface InstallVtaMintedHolderOptions {
+    /** The freshly-minted did:key the VTA shipped (e.g. `did:key:z6Mk…`). */
+    did: string;
+    /** Ed25519 verification-method id (`<did>#<ed-mb>`). The VTA's
+     *  template renderer emits this; for `vta-admin` the fragment is the
+     *  Ed25519 public-key multibase. */
+    signingKid: string;
+    /** X25519 keyAgreement verification-method id (`<did>#<x-mb>`).
+     *  Derived from the Ed25519 pubkey via Montgomery clamping; the VTA
+     *  also emits this in the sealed bundle. */
+    keyAgreementKid: string;
+    /** 32-byte Ed25519 seed the VTA minted and shipped sealed. The wallet
+     *  decoded it from the bundle's `admin.signing_key.private_key_multibase`. */
+    edSeed: Uint8Array;
+    /** Provenance — the VTA that minted this identity. */
+    vtaDid: string;
+    /** VTA's REST base URL, if advertised. */
+    vtaUrl?: string;
+    /** Optional secret wrap. Production extensions supply a
+     *  WebAuthnPrfSecretWrap; tests omit. */
+    secretWrap?: SecretWrap;
+}
+/** Persist a freshly-minted VTA holder as the wallet's v4 identity.
+ *
+ *  Returns the rebuilt `HolderIdentityResult` so the caller can use the
+ *  identity immediately without an extra load. Clears any pre-existing
+ *  v3 record on a successful install — the migration is a one-way move
+ *  and a stale v3 record sitting alongside v4 is just a footgun for a
+ *  future loader. */
+export declare function installVtaMintedHolder(store: KVStore, opts: InstallVtaMintedHolderOptions): Promise<HolderIdentityResult>;
+export interface RewrapHolderV4Options {
+    /** Which VTA's holder record to re-wrap. Multi-VTA: each VTA has
+     *  its own v4 record; the rewrap targets exactly one. */
+    vtaDid: string;
+    /** Wrap that DECRYPTS the currently-persisted v4 record. Pass the
+     *  wrap the wallet was using before the migration. Pass `undefined`
+     *  when the existing record uses `PassthroughWrap` (plaintext),
+     *  which is the typical post-onboard state. */
+    fromWrap?: SecretWrap;
+    /** Wrap to apply on the re-persisted record. Pass the wrap the
+     *  wallet should use going forward (e.g. a `WebAuthnPrfSecretWrap`
+     *  in the popup's visible context). Pass `undefined` to switch
+     *  back to plaintext. */
+    toWrap?: SecretWrap;
+}
+/** Re-wrap the persisted v4 holder secret in place, preserving the
+ *  wallet's DID + verification-method ids + VTA provenance.
+ *
+ *  The canonical caller is the popup's post-onboard "Encrypt your
+ *  wallet?" prompt: the operator clicks the button, the popup runs
+ *  `navigator.credentials.create` (visible context, fresh user
+ *  gesture), and re-wraps the existing passthrough record under
+ *  the PRF-derived AES-GCM key. The wallet DID stays the same — no
+ *  re-grant in any RP ACL, no re-onboarding.
+ *
+ *  Mirrors the v3 `rewrapHolderSecret` but reads + writes the v4
+ *  record (`STORE_KEY_V4`). Future cleanup could consolidate the
+ *  two into one schema-version-aware function; kept separate for
+ *  now so the v3 path's legacy `edSecretB64u` fallback doesn't
+ *  leak into v4's cleaner shape.
+ *
+ *  Throws if no v4 record exists. The popup should only invoke this
+ *  AFTER `installVtaMintedHolder` has run. */
+export declare function rewrapHolderV4Secret(store: KVStore, opts: RewrapHolderV4Options): Promise<HolderIdentityResult>;
+export type HolderIdentityStateResult = {
+    kind: "none";
+} | {
+    kind: "v3";
+    did: string;
+} | {
+    kind: "v4";
+    did: string;
+    vtaDid: string;
+    wrapAlgorithm: string;
+};
+/** Inspect the persisted state without throwing. Used by the popup to
+ *  decide which onboarding screen to show.
+ *
+ *  For v4 records, `wrapAlgorithm` reveals whether the secret is
+ *  encrypted at rest. `"passthrough"` means plaintext (the operator
+ *  hasn't enabled encryption); anything else (currently only
+ *  `"webauthn-prf-aes-gcm"`) means the popup needs to run an
+ *  unlock ceremony before offscreen can load the holder identity.
+ *
+ *  When `vtaDid` is passed: returns the state for that specific
+ *  VTA's holder record. Used by the popup's active-VTA probe.
+ *  When `vtaDid` is omitted: returns the first v4 record found
+ *  (after migrating any legacy single-VTA row), else falls back to
+ *  v3 / none. Used for the initial fresh-install / migration-banner
+ *  decision before an active VTA has been selected. */
+export declare function holderIdentityState(store: KVStore, vtaDid?: string): Promise<HolderIdentityStateResult>;
+export interface HolderRecordSummary {
+    vtaDid: string;
+    did: string;
+    /** Encryption algorithm of the persisted secret. `"passthrough"` =
+     *  plaintext at rest. */
+    wrapAlgorithm: string;
+}
+/** Enumerate every v4 holder record on disk — one per VTA the wallet
+ *  has been onboarded at. Powers the popup's multi-VTA dropdown
+ *  (PR 2). Migrates the legacy single-VTA row inline so a wallet
+ *  upgraded from a single-VTA build surfaces its one wallet here. */
+export declare function listHolderRecords(store: KVStore): Promise<HolderRecordSummary[]>;
+/** Delete the v4 holder record for a specific VTA. Companion to
+ *  `installVtaMintedHolder`. Idempotent: a no-op when the record is
+ *  already gone. Other VTAs' records are left alone — call
+ *  `clearHolderIdentity` to wipe every wallet on this device. */
+export declare function forgetHolderRecord(store: KVStore, vtaDid: string): Promise<void>;
+export interface RewrapOptions {
+    /**
+     * Wrap that decrypts the currently-persisted secret. Pass the
+     * wrap the wallet was using before the migration (or `undefined`
+     * if it was plaintext).
+     */
+    fromWrap?: SecretWrap;
+    /**
+     * Wrap to apply on the re-persisted record. Pass the wrap the
+     * wallet should use going forward (or `undefined` to switch back
+     * to plaintext).
+     */
+    toWrap?: SecretWrap;
+}
+/**
+ * Re-wrap the persisted holder secret in place, preserving the
+ * wallet's DID + verification-method ids + mediator endpoint.
+ *
+ * Used by the extension's settings UI when the operator flips
+ * the `encryptHolderSecret` toggle — the existing wallet keeps
+ * its identity (no re-grant in any RP ACL) but the on-disk
+ * secret transitions between plaintext and wrap-encrypted.
+ *
+ * Returns the rebuilt `HolderIdentityResult` so the caller can
+ * report the (unchanged) DID back to the operator immediately.
+ *
+ * Errors if no persisted record exists — caller should check
+ * `freshlyMinted` semantics first (a fresh-mint wallet has no
+ * pre-existing secret to re-wrap).
+ */
+export declare function rewrapHolderSecret(store: KVStore, opts: RewrapOptions): Promise<HolderIdentityResult>;
+//# sourceMappingURL=holder-identity.d.ts.map

package/dist/store/holder-identity.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"holder-identity.d.ts","sourceRoot":"","sources":["../../src/store/holder-identity.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,QAAQ,EAAkB,MAAM,qBAAqB,CAAC;AAC/D,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACxD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EACL,KAAK,UAAU,EAIhB,MAAM,kBAAkB,CAAC;AAwF1B,MAAM,WAAW,oBAAoB;IACnC,8EAA8E;IAC9E,QAAQ,EAAE,QAAQ,CAAC;IACnB;2EACuE;IACvE,OAAO,EAAE,eAAe,CAAC;IACzB,gFAAgF;IAChF,aAAa,EAAE,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,qBAAqB;IACpC;;;6EAGyE;IACzE,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;;;;;;;;;;;;;;OAkBG;IACH,UAAU,CAAC,EAAE,UAAU,CAAC;CACzB;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,4BAA4B,CAChD,KAAK,EAAE,OAAO,EACd,IAAI,CAAC,EAAE,qBAAqB,GAC3B,OAAO,CAAC,oBAAoB,CAAC,CA8C/B;AAmCD;;;4DAG4D;AAC5D,wBAAsB,mBAAmB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAOvE;AA8BD;;+BAE+B;AAC/B,qBAAa,aAAc,SAAQ,KAAK;;CAKvC;AAED;;;;;;;;kDAQkD;AAClD,qBAAa,sBAAuB,SAAQ,KAAK;IAC/C,QAAQ,CAAC,WAAW,EAAE,MAAM,CAAC;gBACjB,WAAW,EAAE,MAAM;CAQhC;AAED,MAAM,WAAW,uBAAuB;IACtC;;;;+BAI2B;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf;;mEAE+D;IAC/D,UAAU,CAAC,EAAE,UAAU,CAAC;CACzB;AAED;;;;;;;;;;mEAUmE;AACnE,wBAAsB,gBAAgB,CACpC,KAAK,EAAE,OAAO,EACd,IAAI,EAAE,uBAAuB,GAC5B,OAAO,CAAC,oBAAoB,CAAC,CAwB/B;AAED,MAAM,WAAW,6BAA6B;IAC5C,yEAAyE;IACzE,GAAG,EAAE,MAAM,CAAC;IACZ;;wCAEoC;IACpC,UAAU,EAAE,MAAM,CAAC;IACnB;;gDAE4C;IAC5C,eAAe,EAAE,MAAM,CAAC;IACxB;kFAC8E;IAC9E,MAAM,EAAE,UAAU,CAAC;IACnB,sDAAsD;IACtD,MAAM,EAAE,MAAM,CAAC;IACf,0CAA0C;IAC1C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;6CACyC;IACzC,UAAU,CAAC,EAAE,UAAU,CAAC;CACzB;AAED;;;;;;qBAMqB;AACrB,wBAAsB,sBAAsB,CAC1C,KAAK,EAAE,OAAO,EACd,IAAI,EAAE,6BAA6B,GAClC,OAAO,CAAC,oBAAoB,CAAC,CA8B/B;AAED,MAAM,WAAW,qBAAqB;IACpC;6DACyD;IACzD,MAAM,EAAE,MAAM,CAAC;IACf;;;mDAG+C;IAC/C,QAAQ,CAAC,EAAE,UAAU,CAAC;IACtB;;;6BAGyB;IACzB,MAAM,CAAC,EAAE,UAAU,CAAC;CACrB;AAED;;;;;;;;;;;;;;;;;8CAiB8C;AAC9C,wBAAsB,oBAAoB,CACxC,KAAK,EAAE,OAAO,EACd,IAAI,EAAE,qBAAqB,GAC1B,OAAO,CAAC,oBAAoB,CAAC,CAwC/B;AAED,MAAM,MAAM,yBAAyB,GACjC;IAAE,IAAI,EAAE,MAAM,CAAA;CAAE,GAChB;IAAE,IAAI,EAAE,IAAI,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAC3B;IAAE,IAAI,EAAE,IAAI,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAA;CAAE,CAAC;AAEvE;;;;;;;;;;;;;;uDAcuD;AACvD,wBAAsB,mBAAmB,CACvC,KAAK,EAAE,OAAO,EACd,MAAM,CAAC,EAAE,MAAM,GACd,OAAO,CAAC,yBAAyB,CAAC,CAmCpC;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;IACZ;6BACyB;IACzB,aAAa,EAAE,MAAM,CAAC;CACvB;AAED;;;qEAGqE;AACrE,wBAAsB,iBAAiB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAAC,mBAAmB,EAAE,CAAC,CActF;AAED;;;iEAGiE;AACjE,wBAAsB,kBAAkB,CAAC,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAEtF;AAED,MAAM,WAAW,aAAa;IAC5B;;;;OAIG;IACH,QAAQ,CAAC,EAAE,UAAU,CAAC;IACtB;;;;OAIG;IACH,MAAM,CAAC,EAAE,UAAU,CAAC;CACrB;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,kBAAkB,CACtC,KAAK,EAAE,OAAO,EACd,IAAI,EAAE,aAAa,GAClB,OAAO,CAAC,oBAAoB,CAAC,CAkC/B"}