npm - @openvtc/pnm-core - Versions diffs - 0.1.0 - Mend

@openvtc/pnm-core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (250) hide show

package/README.md +129 -0
package/dist/did/derive-signing-key.d.ts +19 -0
package/dist/did/derive-signing-key.d.ts.map +1 -0
package/dist/did/derive-signing-key.js +96 -0
package/dist/did/derive-signing-key.js.map +1 -0
package/dist/did/index.d.ts +5 -0
package/dist/did/index.d.ts.map +1 -0
package/dist/did/index.js +5 -0
package/dist/did/index.js.map +1 -0
package/dist/did/peer.d.ts +37 -0
package/dist/did/peer.d.ts.map +1 -0
package/dist/did/peer.js +49 -0
package/dist/did/peer.js.map +1 -0
package/dist/did/verification-method.d.ts +43 -0
package/dist/did/verification-method.d.ts.map +1 -0
package/dist/did/verification-method.js +32 -0
package/dist/did/verification-method.js.map +1 -0
package/dist/did/verify.d.ts +49 -0
package/dist/did/verify.d.ts.map +1 -0
package/dist/did/verify.js +89 -0
package/dist/did/verify.js.map +1 -0
package/dist/didcomm/index.d.ts +235 -0
package/dist/didcomm/index.d.ts.map +1 -0
package/dist/didcomm/index.js +415 -0
package/dist/didcomm/index.js.map +1 -0
package/dist/inbound/confirm.d.ts +50 -0
package/dist/inbound/confirm.d.ts.map +1 -0
package/dist/inbound/confirm.js +64 -0
package/dist/inbound/confirm.js.map +1 -0
package/dist/inbound/dedup.d.ts +9 -0
package/dist/inbound/dedup.d.ts.map +1 -0
package/dist/inbound/dedup.js +31 -0
package/dist/inbound/dedup.js.map +1 -0
package/dist/inbound/index.d.ts +3 -0
package/dist/inbound/index.d.ts.map +1 -0
package/dist/inbound/index.js +3 -0
package/dist/inbound/index.js.map +1 -0
package/dist/index.d.ts +14 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +14 -0
package/dist/index.js.map +1 -0
package/dist/onboarding/index.d.ts +2 -0
package/dist/onboarding/index.d.ts.map +1 -0
package/dist/onboarding/index.js +2 -0
package/dist/onboarding/index.js.map +1 -0
package/dist/onboarding/swap.d.ts +60 -0
package/dist/onboarding/swap.d.ts.map +1 -0
package/dist/onboarding/swap.js +148 -0
package/dist/onboarding/swap.js.map +1 -0
package/dist/provision/adopt.d.ts +31 -0
package/dist/provision/adopt.d.ts.map +1 -0
package/dist/provision/adopt.js +114 -0
package/dist/provision/adopt.js.map +1 -0
package/dist/provision/armor.d.ts +19 -0
package/dist/provision/armor.d.ts.map +1 -0
package/dist/provision/armor.js +243 -0
package/dist/provision/armor.js.map +1 -0
package/dist/provision/crc24.d.ts +5 -0
package/dist/provision/crc24.d.ts.map +1 -0
package/dist/provision/crc24.js +30 -0
package/dist/provision/crc24.js.map +1 -0
package/dist/provision/hpke.d.ts +17 -0
package/dist/provision/hpke.d.ts.map +1 -0
package/dist/provision/hpke.js +60 -0
package/dist/provision/hpke.js.map +1 -0
package/dist/provision/index.d.ts +10 -0
package/dist/provision/index.d.ts.map +1 -0
package/dist/provision/index.js +16 -0
package/dist/provision/index.js.map +1 -0
package/dist/provision/open.d.ts +28 -0
package/dist/provision/open.d.ts.map +1 -0
package/dist/provision/open.js +224 -0
package/dist/provision/open.js.map +1 -0
package/dist/provision/request.d.ts +65 -0
package/dist/provision/request.d.ts.map +1 -0
package/dist/provision/request.js +53 -0
package/dist/provision/request.js.map +1 -0
package/dist/provision/run.d.ts +76 -0
package/dist/provision/run.d.ts.map +1 -0
package/dist/provision/run.js +110 -0
package/dist/provision/run.js.map +1 -0
package/dist/provision/send.d.ts +85 -0
package/dist/provision/send.d.ts.map +1 -0
package/dist/provision/send.js +87 -0
package/dist/provision/send.js.map +1 -0
package/dist/provision/types.d.ts +110 -0
package/dist/provision/types.d.ts.map +1 -0
package/dist/provision/types.js +17 -0
package/dist/provision/types.js.map +1 -0
package/dist/rp-login/didcomm.d.ts +34 -0
package/dist/rp-login/didcomm.d.ts.map +1 -0
package/dist/rp-login/didcomm.js +72 -0
package/dist/rp-login/didcomm.js.map +1 -0
package/dist/rp-login/index.d.ts +3 -0
package/dist/rp-login/index.d.ts.map +1 -0
package/dist/rp-login/index.js +3 -0
package/dist/rp-login/index.js.map +1 -0
package/dist/rp-login/step-up.d.ts +43 -0
package/dist/rp-login/step-up.d.ts.map +1 -0
package/dist/rp-login/step-up.js +118 -0
package/dist/rp-login/step-up.js.map +1 -0
package/dist/siop/index.d.ts +3 -0
package/dist/siop/index.d.ts.map +1 -0
package/dist/siop/index.js +3 -0
package/dist/siop/index.js.map +1 -0
package/dist/siop/login-client.d.ts +29 -0
package/dist/siop/login-client.d.ts.map +1 -0
package/dist/siop/login-client.js +79 -0
package/dist/siop/login-client.js.map +1 -0
package/dist/siop/self-issued.d.ts +96 -0
package/dist/siop/self-issued.d.ts.map +1 -0
package/dist/siop/self-issued.js +162 -0
package/dist/siop/self-issued.js.map +1 -0
package/dist/store/holder-identity.d.ts +241 -0
package/dist/store/holder-identity.d.ts.map +1 -0
package/dist/store/holder-identity.js +441 -0
package/dist/store/holder-identity.js.map +1 -0
package/dist/store/index.d.ts +4 -0
package/dist/store/index.d.ts.map +1 -0
package/dist/store/index.js +4 -0
package/dist/store/index.js.map +1 -0
package/dist/store/kv-store.d.ts +51 -0
package/dist/store/kv-store.d.ts.map +1 -0
package/dist/store/kv-store.js +100 -0
package/dist/store/kv-store.js.map +1 -0
package/dist/store/secret-wrap.d.ts +109 -0
package/dist/store/secret-wrap.d.ts.map +1 -0
package/dist/store/secret-wrap.js +85 -0
package/dist/store/secret-wrap.js.map +1 -0
package/dist/trust-tasks/index.d.ts +2 -0
package/dist/trust-tasks/index.d.ts.map +1 -0
package/dist/trust-tasks/index.js +2 -0
package/dist/trust-tasks/index.js.map +1 -0
package/dist/trust-tasks/sign.d.ts +31 -0
package/dist/trust-tasks/sign.d.ts.map +1 -0
package/dist/trust-tasks/sign.js +141 -0
package/dist/trust-tasks/sign.js.map +1 -0
package/dist/util/timing.d.ts +14 -0
package/dist/util/timing.d.ts.map +1 -0
package/dist/util/timing.js +20 -0
package/dist/util/timing.js.map +1 -0
package/dist/vault/delete.d.ts +19 -0
package/dist/vault/delete.d.ts.map +1 -0
package/dist/vault/delete.js +35 -0
package/dist/vault/delete.js.map +1 -0
package/dist/vault/index.d.ts +8 -0
package/dist/vault/index.d.ts.map +1 -0
package/dist/vault/index.js +7 -0
package/dist/vault/index.js.map +1 -0
package/dist/vault/list.d.ts +96 -0
package/dist/vault/list.d.ts.map +1 -0
package/dist/vault/list.js +106 -0
package/dist/vault/list.js.map +1 -0
package/dist/vault/proxy-login.d.ts +100 -0
package/dist/vault/proxy-login.d.ts.map +1 -0
package/dist/vault/proxy-login.js +106 -0
package/dist/vault/proxy-login.js.map +1 -0
package/dist/vault/release.d.ts +33 -0
package/dist/vault/release.d.ts.map +1 -0
package/dist/vault/release.js +83 -0
package/dist/vault/release.js.map +1 -0
package/dist/vault/sign-trust-task.d.ts +26 -0
package/dist/vault/sign-trust-task.d.ts.map +1 -0
package/dist/vault/sign-trust-task.js +53 -0
package/dist/vault/sign-trust-task.js.map +1 -0
package/dist/vault/transport.d.ts +50 -0
package/dist/vault/transport.d.ts.map +1 -0
package/dist/vault/transport.js +118 -0
package/dist/vault/transport.js.map +1 -0
package/dist/vault/upsert.d.ts +102 -0
package/dist/vault/upsert.d.ts.map +1 -0
package/dist/vault/upsert.js +92 -0
package/dist/vault/upsert.js.map +1 -0
package/dist/vta/bridge-mediator-session.d.ts +26 -0
package/dist/vta/bridge-mediator-session.d.ts.map +1 -0
package/dist/vta/bridge-mediator-session.js +37 -0
package/dist/vta/bridge-mediator-session.js.map +1 -0
package/dist/vta/bridge-memory.d.ts +80 -0
package/dist/vta/bridge-memory.d.ts.map +1 -0
package/dist/vta/bridge-memory.js +162 -0
package/dist/vta/bridge-memory.js.map +1 -0
package/dist/vta/client.d.ts +40 -0
package/dist/vta/client.d.ts.map +1 -0
package/dist/vta/client.js +91 -0
package/dist/vta/client.js.map +1 -0
package/dist/vta/contexts.d.ts +60 -0
package/dist/vta/contexts.d.ts.map +1 -0
package/dist/vta/contexts.js +118 -0
package/dist/vta/contexts.js.map +1 -0
package/dist/vta/didcomm.d.ts +57 -0
package/dist/vta/didcomm.d.ts.map +1 -0
package/dist/vta/didcomm.js +138 -0
package/dist/vta/didcomm.js.map +1 -0
package/dist/vta/errors.d.ts +20 -0
package/dist/vta/errors.d.ts.map +1 -0
package/dist/vta/errors.js +64 -0
package/dist/vta/errors.js.map +1 -0
package/dist/vta/index.d.ts +15 -0
package/dist/vta/index.d.ts.map +1 -0
package/dist/vta/index.js +15 -0
package/dist/vta/index.js.map +1 -0
package/dist/vta/mediation.d.ts +80 -0
package/dist/vta/mediation.d.ts.map +1 -0
package/dist/vta/mediation.js +29 -0
package/dist/vta/mediation.js.map +1 -0
package/dist/vta/mediator-client.d.ts +66 -0
package/dist/vta/mediator-client.d.ts.map +1 -0
package/dist/vta/mediator-client.js +139 -0
package/dist/vta/mediator-client.js.map +1 -0
package/dist/vta/pickup.d.ts +81 -0
package/dist/vta/pickup.d.ts.map +1 -0
package/dist/vta/pickup.js +30 -0
package/dist/vta/pickup.js.map +1 -0
package/dist/vta/protocol.d.ts +76 -0
package/dist/vta/protocol.d.ts.map +1 -0
package/dist/vta/protocol.js +30 -0
package/dist/vta/protocol.js.map +1 -0
package/dist/vta/smoke.d.ts +59 -0
package/dist/vta/smoke.d.ts.map +1 -0
package/dist/vta/smoke.js +408 -0
package/dist/vta/smoke.js.map +1 -0
package/dist/vta/transport.d.ts +55 -0
package/dist/vta/transport.d.ts.map +1 -0
package/dist/vta/transport.js +2 -0
package/dist/vta/transport.js.map +1 -0
package/dist/vta/types.d.ts +50 -0
package/dist/vta/types.d.ts.map +1 -0
package/dist/vta/types.js +2 -0
package/dist/vta/types.js.map +1 -0
package/dist/vta/wallet-session.d.ts +87 -0
package/dist/vta/wallet-session.d.ts.map +1 -0
package/dist/vta/wallet-session.js +106 -0
package/dist/vta/wallet-session.js.map +1 -0
package/dist/webauthn/base64url.d.ts +3 -0
package/dist/webauthn/base64url.d.ts.map +1 -0
package/dist/webauthn/base64url.js +17 -0
package/dist/webauthn/base64url.js.map +1 -0
package/dist/webauthn/index.d.ts +4 -0
package/dist/webauthn/index.d.ts.map +1 -0
package/dist/webauthn/index.js +4 -0
package/dist/webauthn/index.js.map +1 -0
package/dist/webauthn/multikey.d.ts +26 -0
package/dist/webauthn/multikey.d.ts.map +1 -0
package/dist/webauthn/multikey.js +91 -0
package/dist/webauthn/multikey.js.map +1 -0
package/dist/webauthn/register.d.ts +36 -0
package/dist/webauthn/register.d.ts.map +1 -0
package/dist/webauthn/register.js +77 -0
package/dist/webauthn/register.js.map +1 -0
package/package.json +56 -0

package/dist/store/secret-wrap.d.ts ADDED Viewed

@@ -0,0 +1,109 @@
+/**
+ * Pluggable encryption wrapper for the holder's Ed25519 root
+ * secret.
+ *
+ * The wallet's persisted holder identity is keyed by an Ed25519
+ * scalar that IS the authentication key — anyone with that
+ * secret can impersonate the wallet at every RP. The bare
+ * IndexedDB store keeps it as plaintext base64url; an attacker
+ * with origin-scoped storage access (a malicious extension with
+ * matching permissions, a same-origin XSS in the extension's
+ * pages, or device-level exfil) walks away with the wallet.
+ *
+ * The H1 fix wraps the secret with a key derived from a user-
+ * gesture authenticator (WebAuthn PRF in the extension build),
+ * so storage exfil yields ciphertext that's useless without
+ * the operator's biometric / FIDO2 device.
+ *
+ * This module is the abstraction; concrete implementations live
+ * in the extension (`webauthn-prf-wrap.ts`) and in the PWA. The
+ * core stays platform-agnostic.
+ */
+/**
+ * Trait every wallet-secret wrap implements.
+ *
+ * Wraps a fresh-minted secret on first persistence; unwraps it
+ * on every subsequent load. Implementations cache derived keys
+ * across calls (e.g. `chrome.storage.session`) so the operator
+ * doesn't have to tap their authenticator for every wallet
+ * operation — only when the cache is cold (first load after
+ * browser restart).
+ *
+ * `wrap` is called exactly once per persisted identity (at
+ * mint time). `unwrap` is called every load.
+ *
+ * Returning `null` from either side is a non-fatal signal that
+ * the wrapper is unavailable (e.g. authenticator declined,
+ * platform doesn't support PRF, operator hasn't enrolled);
+ * the caller falls back to plaintext persistence with a `warn`.
+ * This keeps existing plaintext-stored wallets loadable through
+ * an OS upgrade or browser change that breaks the wrapper.
+ */
+export interface SecretWrap {
+    /** Short identifier persisted alongside the wrap metadata so
+     *  a future unwrap can pick the right implementation. */
+    readonly algorithm: string;
+    /**
+     * Encrypt `secret` and return the wire envelope. Returning
+     * `null` lets the caller fall back to plaintext (with a
+     * warning).
+     */
+    wrap(secret: Uint8Array): Promise<WrappedSecret | null>;
+    /**
+     * Decrypt `wrapped.ciphertext` and return the original
+     * secret bytes. Returning `null` lets the caller surface a
+     * "wallet locked; tap your authenticator" UX without
+     * crashing the load path.
+     */
+    unwrap(wrapped: WrappedSecret): Promise<Uint8Array | null>;
+}
+/**
+ * On-disk envelope for a wrapped secret. Persisted as part of
+ * the holder record; the wrap implementation reads `params`
+ * to reconstitute its derived key.
+ */
+export interface WrappedSecret {
+    /** Matches [`SecretWrap.algorithm`] of the wrap that produced
+     *  it; the loader looks up the right implementation. */
+    algorithm: string;
+    /** AES-GCM ciphertext of the original secret, base64url. */
+    ciphertextB64u: string;
+    /** Initialisation vector / nonce, base64url. AES-GCM
+     *  recommends 96 bits = 12 bytes. */
+    ivB64u: string;
+    /** Free-form opaque params the wrap needs at unwrap time
+     *  (credentialId, PRF salt, KDF salt, etc.). The core treats
+     *  this as opaque; only the matching wrap implementation
+     *  reads it. */
+    params: Record<string, string>;
+}
+/**
+ * No-op wrap. Used in tests, in non-extension callers that
+ * don't have a wrap available, and as the explicit "I know
+ * this is plaintext" fallback. The wrap helper still records
+ * a `passthrough` algorithm tag so an upgrade path can detect
+ * "this record predates the encrypted-secret flow."
+ */
+export declare class PassthroughWrap implements SecretWrap {
+    readonly algorithm = "passthrough";
+    wrap(secret: Uint8Array): Promise<WrappedSecret>;
+    unwrap(wrapped: WrappedSecret): Promise<Uint8Array>;
+}
+/**
+ * Apply the wrap when present, fall back to a passthrough wrap
+ * otherwise. Centralised so the [`generateOrLoadHolderIdentity`]
+ * path doesn't have to branch.
+ */
+export declare function wrapSecret(secret: Uint8Array, wrap?: SecretWrap): Promise<WrappedSecret>;
+/**
+ * Unwrap a persisted secret. The wrap is selected by
+ * `wrapped.algorithm`:
+ *
+ * - `"passthrough"` → use [`PassthroughWrap`] (no-op).
+ * - Anything else → require the caller-supplied `wrap` to
+ *   match. A mismatch (`wrap.algorithm !== wrapped.algorithm`)
+ *   throws; the caller is responsible for picking the right
+ *   wrap impl for the persisted record.
+ */
+export declare function unwrapSecret(wrapped: WrappedSecret, wrap?: SecretWrap): Promise<Uint8Array>;
+//# sourceMappingURL=secret-wrap.d.ts.map

package/dist/store/secret-wrap.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"secret-wrap.d.ts","sourceRoot":"","sources":["../../src/store/secret-wrap.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAIH;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,WAAW,UAAU;IACzB;6DACyD;IACzD,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC;IAE3B;;;;OAIG;IACH,IAAI,CAAC,MAAM,EAAE,UAAU,GAAG,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;IAExD;;;;;OAKG;IACH,MAAM,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;CAC5D;AAED;;;;GAIG;AACH,MAAM,WAAW,aAAa;IAC5B;4DACwD;IACxD,SAAS,EAAE,MAAM,CAAC;IAClB,4DAA4D;IAC5D,cAAc,EAAE,MAAM,CAAC;IACvB;yCACqC;IACrC,MAAM,EAAE,MAAM,CAAC;IACf;;;oBAGgB;IAChB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAChC;AAED;;;;;;GAMG;AACH,qBAAa,eAAgB,YAAW,UAAU;IAChD,QAAQ,CAAC,SAAS,iBAAiB;IAE7B,IAAI,CAAC,MAAM,EAAE,UAAU,GAAG,OAAO,CAAC,aAAa,CAAC;IAShD,MAAM,CAAC,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,UAAU,CAAC;CAG1D;AAED;;;;GAIG;AACH,wBAAsB,UAAU,CAC9B,MAAM,EAAE,UAAU,EAClB,IAAI,CAAC,EAAE,UAAU,GAChB,OAAO,CAAC,aAAa,CAAC,CAaxB;AAED;;;;;;;;;GASG;AACH,wBAAsB,YAAY,CAChC,OAAO,EAAE,aAAa,EACtB,IAAI,CAAC,EAAE,UAAU,GAChB,OAAO,CAAC,UAAU,CAAC,CAgBrB"}

package/dist/store/secret-wrap.js ADDED Viewed

@@ -0,0 +1,85 @@
+/**
+ * Pluggable encryption wrapper for the holder's Ed25519 root
+ * secret.
+ *
+ * The wallet's persisted holder identity is keyed by an Ed25519
+ * scalar that IS the authentication key — anyone with that
+ * secret can impersonate the wallet at every RP. The bare
+ * IndexedDB store keeps it as plaintext base64url; an attacker
+ * with origin-scoped storage access (a malicious extension with
+ * matching permissions, a same-origin XSS in the extension's
+ * pages, or device-level exfil) walks away with the wallet.
+ *
+ * The H1 fix wraps the secret with a key derived from a user-
+ * gesture authenticator (WebAuthn PRF in the extension build),
+ * so storage exfil yields ciphertext that's useless without
+ * the operator's biometric / FIDO2 device.
+ *
+ * This module is the abstraction; concrete implementations live
+ * in the extension (`webauthn-prf-wrap.ts`) and in the PWA. The
+ * core stays platform-agnostic.
+ */
+import { base64url } from "@openvtc/vti-didcomm-js";
+/**
+ * No-op wrap. Used in tests, in non-extension callers that
+ * don't have a wrap available, and as the explicit "I know
+ * this is plaintext" fallback. The wrap helper still records
+ * a `passthrough` algorithm tag so an upgrade path can detect
+ * "this record predates the encrypted-secret flow."
+ */
+export class PassthroughWrap {
+    algorithm = "passthrough";
+    async wrap(secret) {
+        return {
+            algorithm: this.algorithm,
+            ciphertextB64u: base64url.encode(secret),
+            ivB64u: "",
+            params: {},
+        };
+    }
+    async unwrap(wrapped) {
+        return base64url.decode(wrapped.ciphertextB64u);
+    }
+}
+/**
+ * Apply the wrap when present, fall back to a passthrough wrap
+ * otherwise. Centralised so the [`generateOrLoadHolderIdentity`]
+ * path doesn't have to branch.
+ */
+export async function wrapSecret(secret, wrap) {
+    if (wrap) {
+        const wrapped = await wrap.wrap(secret);
+        if (wrapped)
+            return wrapped;
+        // Wrapper available but declined (operator cancelled the
+        // authenticator prompt, etc.). The caller may decide
+        // separately whether to proceed plaintext; we surface the
+        // signal as a thrown error so the choice is explicit.
+        throw new Error(`SecretWrap '${wrap.algorithm}' declined to wrap (operator cancelled?)`);
+    }
+    return new PassthroughWrap().wrap(secret);
+}
+/**
+ * Unwrap a persisted secret. The wrap is selected by
+ * `wrapped.algorithm`:
+ *
+ * - `"passthrough"` → use [`PassthroughWrap`] (no-op).
+ * - Anything else → require the caller-supplied `wrap` to
+ *   match. A mismatch (`wrap.algorithm !== wrapped.algorithm`)
+ *   throws; the caller is responsible for picking the right
+ *   wrap impl for the persisted record.
+ */
+export async function unwrapSecret(wrapped, wrap) {
+    if (wrapped.algorithm === "passthrough") {
+        return new PassthroughWrap().unwrap(wrapped);
+    }
+    if (!wrap || wrap.algorithm !== wrapped.algorithm) {
+        throw new Error(`wallet is wrapped with '${wrapped.algorithm}' but no matching SecretWrap was supplied`);
+    }
+    const secret = await wrap.unwrap(wrapped);
+    if (!secret) {
+        throw new Error(`SecretWrap '${wrap.algorithm}' declined to unwrap (operator cancelled?)`);
+    }
+    return secret;
+}
+//# sourceMappingURL=secret-wrap.js.map

package/dist/store/secret-wrap.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"secret-wrap.js","sourceRoot":"","sources":["../../src/store/secret-wrap.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,yBAAyB,CAAC;AAgEpD;;;;;;GAMG;AACH,MAAM,OAAO,eAAe;IACjB,SAAS,GAAG,aAAa,CAAC;IAEnC,KAAK,CAAC,IAAI,CAAC,MAAkB;QAC3B,OAAO;YACL,SAAS,EAAE,IAAI,CAAC,SAAS;YACzB,cAAc,EAAE,SAAS,CAAC,MAAM,CAAC,MAAM,CAAC;YACxC,MAAM,EAAE,EAAE;YACV,MAAM,EAAE,EAAE;SACX,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAsB;QACjC,OAAO,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAClD,CAAC;CACF;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,MAAkB,EAClB,IAAiB;IAEjB,IAAI,IAAI,EAAE,CAAC;QACT,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QACxC,IAAI,OAAO;YAAE,OAAO,OAAO,CAAC;QAC5B,yDAAyD;QACzD,qDAAqD;QACrD,0DAA0D;QAC1D,sDAAsD;QACtD,MAAM,IAAI,KAAK,CACb,eAAe,IAAI,CAAC,SAAS,0CAA0C,CACxE,CAAC;IACJ,CAAC;IACD,OAAO,IAAI,eAAe,EAAE,CAAC,IAAI,CAAC,MAAM,CAA2B,CAAC;AACtE,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,OAAsB,EACtB,IAAiB;IAEjB,IAAI,OAAO,CAAC,SAAS,KAAK,aAAa,EAAE,CAAC;QACxC,OAAO,IAAI,eAAe,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC/C,CAAC;IACD,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,SAAS,KAAK,OAAO,CAAC,SAAS,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CACb,2BAA2B,OAAO,CAAC,SAAS,2CAA2C,CACxF,CAAC;IACJ,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IAC1C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CACb,eAAe,IAAI,CAAC,SAAS,4CAA4C,CAC1E,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/trust-tasks/index.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export * from "./sign.js";
2	+ //# sourceMappingURL=index.d.ts.map

package/dist/trust-tasks/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/trust-tasks/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAC"}

package/dist/trust-tasks/index.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export * from "./sign.js";
2	+ //# sourceMappingURL=index.js.map

package/dist/trust-tasks/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/trust-tasks/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAC"}

package/dist/trust-tasks/sign.d.ts ADDED Viewed

@@ -0,0 +1,31 @@
+import type { SigningIdentity } from "../siop/self-issued.js";
+/** A Trust-Task envelope before signing — anything serializable to JSON.
+ *  `proof` is the only field this module reads/writes. */
+export type TrustTaskEnvelope = Record<string, unknown> & {
+    proof?: unknown;
+};
+export interface SignTrustTaskOptions {
+    /** Envelope to sign in place. The function returns the same reference for
+     *  ergonomics; mutates `envelope.proof` and leaves every other field
+     *  byte-identical (the JCS canonical form must round-trip exactly). */
+    envelope: TrustTaskEnvelope;
+    /** Holder signing identity — its DID is what the RP attributes the
+     *  request to, and its `kid` becomes the proof's `verificationMethod`. */
+    signing: SigningIdentity;
+    /** Proof purpose written into the Data Integrity proof.
+     *
+     *  Defaults to `"assertionMethod"` — the right choice for trust-task
+     *  envelopes vouching for a claim. Set to `"authentication"` when the
+     *  signature *is* the holder proving control of an identity rather than
+     *  attesting to a separate claim — e.g. a VP-framed bootstrap request
+     *  (the provision-integration flow) or a SIOP-shaped self-attestation. */
+    proofPurpose?: "assertionMethod" | "authentication";
+}
+/**
+ * Attach an `eddsa-jcs-2022` Data Integrity proof to a Trust-Task envelope
+ * and return the same envelope. The signed input is the concatenation of
+ * SHA-256(JCS(proofConfig)) and SHA-256(JCS(envelope minus proof)), per
+ * https://www.w3.org/TR/vc-di-eddsa/#eddsa-jcs-2022.
+ */
+export declare function signTrustTask({ envelope, signing, proofPurpose, }: SignTrustTaskOptions): Promise<TrustTaskEnvelope>;
+//# sourceMappingURL=sign.d.ts.map

package/dist/trust-tasks/sign.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sign.d.ts","sourceRoot":"","sources":["../../src/trust-tasks/sign.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,wBAAwB,CAAC;AAE9D;0DAC0D;AAC1D,MAAM,MAAM,iBAAiB,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG;IAAE,KAAK,CAAC,EAAE,OAAO,CAAA;CAAE,CAAC;AAE9E,MAAM,WAAW,oBAAoB;IACnC;;2EAEuE;IACvE,QAAQ,EAAE,iBAAiB,CAAC;IAC5B;8EAC0E;IAC1E,OAAO,EAAE,eAAe,CAAC;IACzB;;;;;;8EAM0E;IAC1E,YAAY,CAAC,EAAE,iBAAiB,GAAG,gBAAgB,CAAC;CACrD;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CAAC,EAClC,QAAQ,EACR,OAAO,EACP,YAAgC,GACjC,EAAE,oBAAoB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CA2BnD"}

package/dist/trust-tasks/sign.js ADDED Viewed

@@ -0,0 +1,141 @@
+// Sign a Trust-Task envelope with a W3C Data Integrity proof
+// (`eddsa-jcs-2022`). The wallet uses this to sign on-behalf-of operations
+// at a Relying Party that authenticates the wallet by its holder did:peer
+// — the proof's `verificationMethod` is the holder's `#key-2` URL, and the
+// RP's server resolves the did:peer to verify.
+//
+// Same signing primitive (Ed25519) and same canonicalization (JCS / RFC
+// 8785) the did-hosting UI uses for its session-key signed trust tasks, so
+// a single AffinidiVerifier on the server-side accepts both flows.
+import { ed25519 } from "@noble/curves/ed25519.js";
+/**
+ * Attach an `eddsa-jcs-2022` Data Integrity proof to a Trust-Task envelope
+ * and return the same envelope. The signed input is the concatenation of
+ * SHA-256(JCS(proofConfig)) and SHA-256(JCS(envelope minus proof)), per
+ * https://www.w3.org/TR/vc-di-eddsa/#eddsa-jcs-2022.
+ */
+export async function signTrustTask({ envelope, signing, proofPurpose = "assertionMethod", }) {
+    const proofConfig = {
+        type: "DataIntegrityProof",
+        cryptosuite: "eddsa-jcs-2022",
+        verificationMethod: signing.kid,
+        created: new Date().toISOString(),
+        proofPurpose,
+    };
+    const docCopy = { ...envelope };
+    delete docCopy.proof;
+    const proofConfigHash = await sha256(jcsCanonicalize(proofConfig));
+    const docHash = await sha256(jcsCanonicalize(docCopy));
+    const toSign = new Uint8Array(proofConfigHash.length + docHash.length);
+    toSign.set(proofConfigHash, 0);
+    toSign.set(docHash, proofConfigHash.length);
+    const sig = ed25519.sign(toSign, signing.privateKey);
+    if (sig.length !== 64) {
+        throw new Error(`unexpected Ed25519 signature length: ${sig.length} bytes`);
+    }
+    proofConfig.proofValue = "z" + base58btcEncode(sig);
+    envelope.proof = proofConfig;
+    return envelope;
+}
+// ─── JCS (RFC 8785) ───
+// Minified JSON, object keys sorted lexicographically by UTF-16 code unit,
+// strict JSON-only string escaping per ECMA-404. Mirrors the did-hosting-ui
+// `session-key.ts` implementation so wallet-signed and session-signed
+// envelopes hash identically when given equivalent input.
+function jcsCanonicalize(value) {
+    const seen = new WeakSet();
+    return enc(value);
+    function enc(v) {
+        if (v === null)
+            return "null";
+        if (v === true)
+            return "true";
+        if (v === false)
+            return "false";
+        if (typeof v === "number") {
+            if (!Number.isFinite(v))
+                throw new Error("JCS rejects non-finite numbers");
+            if (Object.is(v, -0))
+                return "0";
+            return String(v);
+        }
+        if (typeof v === "string")
+            return encString(v);
+        if (Array.isArray(v)) {
+            if (seen.has(v))
+                throw new Error("circular reference in JCS input");
+            seen.add(v);
+            const out = "[" + v.map(enc).join(",") + "]";
+            seen.delete(v);
+            return out;
+        }
+        if (typeof v === "object" && v !== null) {
+            if (seen.has(v))
+                throw new Error("circular reference in JCS input");
+            seen.add(v);
+            const obj = v;
+            const keys = Object.keys(obj).sort();
+            const parts = keys.map((k) => encString(k) + ":" + enc(obj[k]));
+            seen.delete(v);
+            return "{" + parts.join(",") + "}";
+        }
+        throw new Error(`JCS cannot encode value of type ${typeof v}`);
+    }
+    function encString(s) {
+        let out = '"';
+        for (let i = 0; i < s.length; i++) {
+            const ch = s.charCodeAt(i);
+            if (ch === 0x22)
+                out += '\\"';
+            else if (ch === 0x5c)
+                out += "\\\\";
+            else if (ch === 0x08)
+                out += "\\b";
+            else if (ch === 0x0c)
+                out += "\\f";
+            else if (ch === 0x0a)
+                out += "\\n";
+            else if (ch === 0x0d)
+                out += "\\r";
+            else if (ch === 0x09)
+                out += "\\t";
+            else if (ch < 0x20)
+                out += "\\u" + ch.toString(16).padStart(4, "0");
+            else
+                out += s[i];
+        }
+        return out + '"';
+    }
+}
+// ─── base58btc (Bitcoin alphabet) ───
+// Used as the `z`-prefixed multibase encoding for the Ed25519 `proofValue`.
+const B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+function base58btcEncode(bytes) {
+    let zeros = 0;
+    while (zeros < bytes.length && bytes[zeros] === 0)
+        zeros++;
+    const digits = [];
+    for (let i = 0; i < bytes.length; i++) {
+        let carry = bytes[i];
+        for (let j = 0; j < digits.length; j++) {
+            carry += digits[j] << 8;
+            digits[j] = carry % 58;
+            carry = (carry / 58) | 0;
+        }
+        while (carry > 0) {
+            digits.push(carry % 58);
+            carry = (carry / 58) | 0;
+        }
+    }
+    let out = "";
+    for (let z = 0; z < zeros; z++)
+        out += "1";
+    for (let i = digits.length - 1; i >= 0; i--)
+        out += B58_ALPHABET[digits[i]];
+    return out;
+}
+async function sha256(input) {
+    const buf = new TextEncoder().encode(input);
+    return new Uint8Array(await crypto.subtle.digest("SHA-256", buf));
+}
+//# sourceMappingURL=sign.js.map

package/dist/trust-tasks/sign.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"sign.js","sourceRoot":"","sources":["../../src/trust-tasks/sign.ts"],"names":[],"mappings":"AAAA,6DAA6D;AAC7D,2EAA2E;AAC3E,0EAA0E;AAC1E,2EAA2E;AAC3E,+CAA+C;AAC/C,EAAE;AACF,wEAAwE;AACxE,2EAA2E;AAC3E,mEAAmE;AAEnE,OAAO,EAAE,OAAO,EAAE,MAAM,0BAA0B,CAAC;AAyBnD;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,EAClC,QAAQ,EACR,OAAO,EACP,YAAY,GAAG,iBAAiB,GACX;IACrB,MAAM,WAAW,GAA4B;QAC3C,IAAI,EAAE,oBAAoB;QAC1B,WAAW,EAAE,gBAAgB;QAC7B,kBAAkB,EAAE,OAAO,CAAC,GAAG;QAC/B,OAAO,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACjC,YAAY;KACb,CAAC;IAEF,MAAM,OAAO,GAAsB,EAAE,GAAG,QAAQ,EAAE,CAAC;IACnD,OAAO,OAAO,CAAC,KAAK,CAAC;IAErB,MAAM,eAAe,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC,CAAC;IACnE,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,OAAO,CAAC,CAAC,CAAC;IAEvD,MAAM,MAAM,GAAG,IAAI,UAAU,CAAC,eAAe,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IACvE,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,CAAC,CAAC,CAAC;IAC/B,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC;IAE5C,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;IACrD,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,wCAAwC,GAAG,CAAC,MAAM,QAAQ,CAAC,CAAC;IAC9E,CAAC;IAED,WAAW,CAAC,UAAU,GAAG,GAAG,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;IACpD,QAAQ,CAAC,KAAK,GAAG,WAAW,CAAC;IAC7B,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,yBAAyB;AACzB,2EAA2E;AAC3E,4EAA4E;AAC5E,sEAAsE;AACtE,0DAA0D;AAE1D,SAAS,eAAe,CAAC,KAAc;IACrC,MAAM,IAAI,GAAG,IAAI,OAAO,EAAU,CAAC;IACnC,OAAO,GAAG,CAAC,KAAK,CAAC,CAAC;IAElB,SAAS,GAAG,CAAC,CAAU;QACrB,IAAI,CAAC,KAAK,IAAI;YAAE,OAAO,MAAM,CAAC;QAC9B,IAAI,CAAC,KAAK,IAAI;YAAE,OAAO,MAAM,CAAC;QAC9B,IAAI,CAAC,KAAK,KAAK;YAAE,OAAO,OAAO,CAAC;QAChC,IAAI,OAAO,CAAC,KAAK,QAAQ,EAAE,CAAC;YAC1B,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC;gBAAE,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;YAC3E,IAAI,MAAM,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;gBAAE,OAAO,GAAG,CAAC;YACjC,OAAO,MAAM,CAAC,CAAC,CAAC,CAAC;QACnB,CAAC;QACD,IAAI,OAAO,CAAC,KAAK,QAAQ;YAAE,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC;QAC/C,IAAI,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC;YACrB,IAAI,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;gBAAE,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;YACpE,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACZ,MAAM,GAAG,GAAG,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;YAC7C,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACf,OAAO,GAAG,CAAC;QACb,CAAC;QACD,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC;YACxC,IAAI,IAAI,CAAC,GAAG,CAAC,CAAW,CAAC;gBAAE,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;YAC9E,IAAI,CAAC,GAAG,CAAC,CAAW,CAAC,CAAC;YACtB,MAAM,GAAG,GAAG,CAA4B,CAAC;YACzC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;YACrC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;YAChE,IAAI,CAAC,MAAM,CAAC,CAAW,CAAC,CAAC;YACzB,OAAO,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAC;QACrC,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,mCAAmC,OAAO,CAAC,EAAE,CAAC,CAAC;IACjE,CAAC;IAED,SAAS,SAAS,CAAC,CAAS;QAC1B,IAAI,GAAG,GAAG,GAAG,CAAC;QACd,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YAClC,MAAM,EAAE,GAAG,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;YAC3B,IAAI,EAAE,KAAK,IAAI;gBAAE,GAAG,IAAI,KAAK,CAAC;iBACzB,IAAI,EAAE,KAAK,IAAI;gBAAE,GAAG,IAAI,MAAM,CAAC;iBAC/B,IAAI,EAAE,KAAK,IAAI;gBAAE,GAAG,IAAI,KAAK,CAAC;iBAC9B,IAAI,EAAE,KAAK,IAAI;gBAAE,GAAG,IAAI,KAAK,CAAC;iBAC9B,IAAI,EAAE,KAAK,IAAI;gBAAE,GAAG,IAAI,KAAK,CAAC;iBAC9B,IAAI,EAAE,KAAK,IAAI;gBAAE,GAAG,IAAI,KAAK,CAAC;iBAC9B,IAAI,EAAE,KAAK,IAAI;gBAAE,GAAG,IAAI,KAAK,CAAC;iBAC9B,IAAI,EAAE,GAAG,IAAI;gBAAE,GAAG,IAAI,KAAK,GAAG,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;;gBAC/D,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QACnB,CAAC;QACD,OAAO,GAAG,GAAG,GAAG,CAAC;IACnB,CAAC;AACH,CAAC;AAED,uCAAuC;AACvC,4EAA4E;AAE5E,MAAM,YAAY,GAAG,4DAA4D,CAAC;AAElF,SAAS,eAAe,CAAC,KAAiB;IACxC,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,OAAO,KAAK,GAAG,KAAK,CAAC,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC;QAAE,KAAK,EAAE,CAAC;IAC3D,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,IAAI,KAAK,GAAG,KAAK,CAAC,CAAC,CAAW,CAAC;QAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;YACvC,KAAK,IAAK,MAAM,CAAC,CAAC,CAAY,IAAI,CAAC,CAAC;YACpC,MAAM,CAAC,CAAC,CAAC,GAAG,KAAK,GAAG,EAAE,CAAC;YACvB,KAAK,GAAG,CAAC,KAAK,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;QAC3B,CAAC;QACD,OAAO,KAAK,GAAG,CAAC,EAAE,CAAC;YACjB,MAAM,CAAC,IAAI,CAAC,KAAK,GAAG,EAAE,CAAC,CAAC;YACxB,KAAK,GAAG,CAAC,KAAK,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC;QAC3B,CAAC;IACH,CAAC;IACD,IAAI,GAAG,GAAG,EAAE,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,EAAE,CAAC,EAAE;QAAE,GAAG,IAAI,GAAG,CAAC;IAC3C,KAAK,IAAI,CAAC,GAAG,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE;QAAE,GAAG,IAAI,YAAY,CAAC,MAAM,CAAC,CAAC,CAAW,CAAC,CAAC;IACtF,OAAO,GAAG,CAAC;AACb,CAAC;AAED,KAAK,UAAU,MAAM,CAAC,KAAa;IACjC,MAAM,GAAG,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC5C,OAAO,IAAI,UAAU,CAAC,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC,CAAC;AACpE,CAAC"}

package/dist/util/timing.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+export interface TimingMark {
+    label: string;
+    ms: number;
+}
+export interface Stopwatch {
+    /** Record a phase: ms elapsed since the previous mark (or creation). */
+    mark(label: string): void;
+    /** The recorded phase marks, in order. */
+    readonly marks: TimingMark[];
+    /** Total ms elapsed since the stopwatch was created. */
+    total(): number;
+}
+export declare function createStopwatch(): Stopwatch;
+//# sourceMappingURL=timing.d.ts.map

package/dist/util/timing.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"timing.d.ts","sourceRoot":"","sources":["../../src/util/timing.ts"],"names":[],"mappings":"AAIA,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,EAAE,EAAE,MAAM,CAAC;CACZ;AAED,MAAM,WAAW,SAAS;IACxB,wEAAwE;IACxE,IAAI,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,0CAA0C;IAC1C,QAAQ,CAAC,KAAK,EAAE,UAAU,EAAE,CAAC;IAC7B,wDAAwD;IACxD,KAAK,IAAI,MAAM,CAAC;CACjB;AAED,wBAAgB,eAAe,IAAI,SAAS,CAe3C"}

package/dist/util/timing.js ADDED Viewed

@@ -0,0 +1,20 @@
+// Lightweight phase timing for the auth flows, so the demo can show how long
+// each step takes. Marks are wall-clock deltas (ms) between successive
+// `mark()` calls; `total()` is elapsed since creation.
+export function createStopwatch() {
+    const t0 = Date.now();
+    let last = t0;
+    const marks = [];
+    return {
+        marks,
+        mark(label) {
+            const now = Date.now();
+            marks.push({ label, ms: now - last });
+            last = now;
+        },
+        total() {
+            return Date.now() - t0;
+        },
+    };
+}
+//# sourceMappingURL=timing.js.map

package/dist/util/timing.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"timing.js","sourceRoot":"","sources":["../../src/util/timing.ts"],"names":[],"mappings":"AAAA,6EAA6E;AAC7E,uEAAuE;AACvE,uDAAuD;AAgBvD,MAAM,UAAU,eAAe;IAC7B,MAAM,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACtB,IAAI,IAAI,GAAG,EAAE,CAAC;IACd,MAAM,KAAK,GAAiB,EAAE,CAAC;IAC/B,OAAO;QACL,KAAK;QACL,IAAI,CAAC,KAAa;YAChB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,KAAK,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,GAAG,GAAG,IAAI,EAAE,CAAC,CAAC;YACtC,IAAI,GAAG,GAAG,CAAC;QACb,CAAC;QACD,KAAK;YACH,OAAO,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,CAAC;QACzB,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/vault/delete.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+import { type VtaAuthInputs } from "./transport.js";
+export interface VaultDeleteRestOptions extends VtaAuthInputs {
+    id: string;
+    /** Observed `version` for optimistic concurrency. Strongly RECOMMENDED;
+     *  the maintainer rejects with `vault/delete:version_conflict` on
+     *  mismatch (with `details.currentVersion` for retry). */
+    expectedVersion?: number;
+    /** Human-readable rationale recorded in the audit trail. */
+    reason?: string;
+}
+export interface VaultDeleteResponse {
+    id: string;
+    deletedAt: string;
+    /** Equals `deletedAt` when the maintainer hard-deletes (M2A.2). Real
+     *  grace windows arrive with sync (M5). */
+    graceUntil: string;
+}
+export declare function vaultDeleteRest(opts: VaultDeleteRestOptions): Promise<VaultDeleteResponse>;
+//# sourceMappingURL=delete.d.ts.map

package/dist/vault/delete.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"delete.d.ts","sourceRoot":"","sources":["../../src/vault/delete.ts"],"names":[],"mappings":"AAOA,OAAO,EAA+B,KAAK,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAKjF,MAAM,WAAW,sBAAuB,SAAQ,aAAa;IAC3D,EAAE,EAAE,MAAM,CAAC;IACX;;8DAE0D;IAC1D,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,4DAA4D;IAC5D,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB;+CAC2C;IAC3C,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,wBAAsB,eAAe,CACnC,IAAI,EAAE,sBAAsB,GAC3B,OAAO,CAAC,mBAAmB,CAAC,CAyB9B"}

package/dist/vault/delete.js ADDED Viewed

@@ -0,0 +1,35 @@
+// Vault — delete (M2A.5).
+//
+// Posts a `https://trusttasks.org/spec/vault/delete/0.1` envelope to the
+// VTA's trust-task dispatcher. No envelope / sealing — delete carries
+// only id + optimistic-concurrency token, all visible to anyone with the
+// bearer.
+import { getVtaBearer, postTrustTask } from "./transport.js";
+const TASK_VAULT_DELETE = "https://trusttasks.org/spec/vault/delete/0.1";
+const TASK_VAULT_DELETE_RESPONSE = "https://trusttasks.org/spec/vault/delete/0.1#response";
+export async function vaultDeleteRest(opts) {
+    const bearer = await getVtaBearer({
+        baseUrl: opts.baseUrl,
+        holder: opts.holder,
+        service: opts.service,
+        ...(opts.fetch ? { fetch: opts.fetch } : {}),
+    });
+    return postTrustTask({
+        baseUrl: opts.baseUrl,
+        bearer,
+        envelope: {
+            type: TASK_VAULT_DELETE,
+            payload: {
+                id: opts.id,
+                ...(opts.expectedVersion !== undefined ? { expectedVersion: opts.expectedVersion } : {}),
+                ...(opts.reason ? { reason: opts.reason } : {}),
+            },
+            issuer: opts.holder.did,
+            recipient: opts.service.did,
+        },
+        expectedResponseType: TASK_VAULT_DELETE_RESPONSE,
+        operationLabel: "vault/delete/0.1",
+        ...(opts.fetch ? { fetch: opts.fetch } : {}),
+    });
+}
+//# sourceMappingURL=delete.js.map

package/dist/vault/delete.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"delete.js","sourceRoot":"","sources":["../../src/vault/delete.ts"],"names":[],"mappings":"AAAA,0BAA0B;AAC1B,EAAE;AACF,yEAAyE;AACzE,sEAAsE;AACtE,yEAAyE;AACzE,UAAU;AAEV,OAAO,EAAE,YAAY,EAAE,aAAa,EAAsB,MAAM,gBAAgB,CAAC;AAEjF,MAAM,iBAAiB,GAAG,8CAA8C,CAAC;AACzE,MAAM,0BAA0B,GAAG,uDAAuD,CAAC;AAoB3F,MAAM,CAAC,KAAK,UAAU,eAAe,CACnC,IAA4B;IAE5B,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC;QAChC,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,MAAM,EAAE,IAAI,CAAC,MAAM;QACnB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC7C,CAAC,CAAC;IAEH,OAAO,aAAa,CAAsB;QACxC,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,MAAM;QACN,QAAQ,EAAE;YACR,IAAI,EAAE,iBAAiB;YACvB,OAAO,EAAE;gBACP,EAAE,EAAE,IAAI,CAAC,EAAE;gBACX,GAAG,CAAC,IAAI,CAAC,eAAe,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,eAAe,EAAE,IAAI,CAAC,eAAe,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;gBACxF,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aAChD;YACD,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,GAAG;YACvB,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG;SAC5B;QACD,oBAAoB,EAAE,0BAA0B;QAChD,cAAc,EAAE,kBAAkB;QAClC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC7C,CAAC,CAAC;AACL,CAAC"}

package/dist/vault/index.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+export * from "./list.js";
+export * from "./upsert.js";
+export * from "./delete.js";
+export * from "./release.js";
+export * from "./proxy-login.js";
+export * from "./sign-trust-task.js";
+export type { VaultTaskRequest, VtaAuthInputs } from "./transport.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/vault/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/vault/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC;AAC7B,cAAc,kBAAkB,CAAC;AACjC,cAAc,sBAAsB,CAAC;AACrC,YAAY,EAAE,gBAAgB,EAAE,aAAa,EAAE,MAAM,gBAAgB,CAAC"}

package/dist/vault/index.js ADDED Viewed

@@ -0,0 +1,7 @@
+export * from "./list.js";
+export * from "./upsert.js";
+export * from "./delete.js";
+export * from "./release.js";
+export * from "./proxy-login.js";
+export * from "./sign-trust-task.js";
+//# sourceMappingURL=index.js.map

package/dist/vault/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/vault/index.ts"],"names":[],"mappings":"AAAA,cAAc,WAAW,CAAC;AAC1B,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAC5B,cAAc,cAAc,CAAC;AAC7B,cAAc,kBAAkB,CAAC;AACjC,cAAc,sBAAsB,CAAC"}

package/dist/vault/list.d.ts ADDED Viewed

@@ -0,0 +1,96 @@
+import { type Identity } from "../didcomm/index.js";
+import type { RemoteDidcommEndpoint } from "../vta/didcomm.js";
+/** Discriminator that mirrors the canonical SecretKind enum. */
+export type SecretKind = "password" | "passkey" | "oauth-tokens" | "did-self-issued" | "didcomm-peer" | "bearer-token" | "ssh-key" | "custom";
+/** Tagged union — see `vault/_shared/0.1/vault-entry.schema.json` $defs/SiteTarget. */
+export type SiteTarget = {
+    kind: "web-origin";
+    origin: string;
+} | {
+    kind: "did";
+    did: string;
+} | {
+    kind: "ios-app";
+    bundleId: string;
+    teamId?: string;
+} | {
+    kind: "android-app";
+    packageName: string;
+    sha256CertFingerprints: string[];
+};
+/** Metadata view of a single vault entry. No secret bytes. */
+export interface VaultEntry {
+    id: string;
+    contextId: string;
+    targets: SiteTarget[];
+    label: string;
+    secretKind: SecretKind;
+    tags?: string[];
+    notes?: string;
+    favicon?: string;
+    selectors?: string[];
+    customFieldNames?: string[];
+    attachments?: Array<{
+        id: string;
+        name: string;
+        sizeBytes: number;
+        sha256: string;
+        contentType?: string;
+    }>;
+    expiresAt?: string;
+    breachedAt?: string;
+    passwordChangedAt?: string;
+    createdAt: string;
+    createdBy?: string;
+    updatedAt: string;
+    updatedBy?: string;
+    lastUsedAt?: string;
+    version: number;
+    /** Cached DID the entry acts AS for DID-shaped flows. Mirrors the
+     *  `did` field of `did-self-issued` / `didcomm-peer` secrets;
+     *  absent for kinds without a DID concept. Maintainer-derived from
+     *  the secret at every upsert — a producer-supplied value on the
+     *  wire is ignored. */
+    principalDid?: string;
+}
+/** Filters accepted by vault/list/0.1. All AND-combined. */
+export interface VaultListFilter {
+    contextId?: string;
+    targetOriginPrefix?: string;
+    targetDid?: string;
+    targetIosBundleId?: string;
+    targetAndroidPackage?: string;
+    secretKind?: SecretKind;
+    tag?: string;
+    usedSince?: string;
+    neverUsed?: boolean;
+    expiresBefore?: string;
+    breached?: boolean;
+    pageSize?: number;
+    cursor?: string;
+}
+export interface VaultListResponse {
+    entries: VaultEntry[];
+    truncated: boolean;
+    cursor?: string;
+    redactedFields?: string[];
+}
+export interface VaultListRestOptions {
+    /** VTA REST base URL — from the connection state's `restBaseUrl`. */
+    baseUrl: string;
+    /** Authcrypt sender (the holder's DIDComm identity post-onboarding swap). */
+    holder: Identity;
+    /** VTA's keyAgreement endpoint (resolved via `resolveKeyAgreement`). */
+    service: RemoteDidcommEndpoint;
+    /** Filters (omit for "all entries the caller can read"). */
+    filter?: VaultListFilter;
+    /** fetch impl (defaults to global). */
+    fetch?: typeof fetch;
+}
+/**
+ * Authenticate to the VTA over REST + DIDComm-authcrypt, then post the
+ * canonical vault/list/0.1 Trust Task envelope and return the parsed
+ * entries. Single round-trip's worth of auth — no token cache in M1.
+ */
+export declare function vaultListRest(opts: VaultListRestOptions): Promise<VaultListResponse>;
+//# sourceMappingURL=list.d.ts.map

package/dist/vault/list.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"list.d.ts","sourceRoot":"","sources":["../../src/vault/list.ts"],"names":[],"mappings":"AAkBA,OAAO,EAAiB,KAAK,QAAQ,EAAE,MAAM,qBAAqB,CAAC;AACnE,OAAO,KAAK,EAAE,qBAAqB,EAAE,MAAM,mBAAmB,CAAC;AAM/D,gEAAgE;AAChE,MAAM,MAAM,UAAU,GAClB,UAAU,GACV,SAAS,GACT,cAAc,GACd,iBAAiB,GACjB,cAAc,GACd,cAAc,GACd,SAAS,GACT,QAAQ,CAAC;AAEb,uFAAuF;AACvF,MAAM,MAAM,UAAU,GAClB;IAAE,IAAI,EAAE,YAAY,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,GACtC;IAAE,IAAI,EAAE,KAAK,CAAC;IAAC,GAAG,EAAE,MAAM,CAAA;CAAE,GAC5B;IAAE,IAAI,EAAE,SAAS,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,GACtD;IAAE,IAAI,EAAE,aAAa,CAAC;IAAC,WAAW,EAAE,MAAM,CAAC;IAAC,sBAAsB,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC;AAEnF,8DAA8D;AAC9D,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,UAAU,EAAE,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,UAAU,CAAC;IACvB,IAAI,CAAC,EAAE,MAAM,EAAE,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC5B,WAAW,CAAC,EAAE,KAAK,CAAC;QAClB,EAAE,EAAE,MAAM,CAAC;QACX,IAAI,EAAE,MAAM,CAAC;QACb,SAAS,EAAE,MAAM,CAAC;QAClB,MAAM,EAAE,MAAM,CAAC;QACf,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC,CAAC;IACH,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB;;;;2BAIuB;IACvB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,4DAA4D;AAC5D,MAAM,WAAW,eAAe;IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B,UAAU,CAAC,EAAE,UAAU,CAAC;IACxB,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,UAAU,EAAE,CAAC;IACtB,SAAS,EAAE,OAAO,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,MAAM,WAAW,oBAAoB;IACnC,qEAAqE;IACrE,OAAO,EAAE,MAAM,CAAC;IAChB,6EAA6E;IAC7E,MAAM,EAAE,QAAQ,CAAC;IACjB,wEAAwE;IACxE,OAAO,EAAE,qBAAqB,CAAC;IAC/B,4DAA4D;IAC5D,MAAM,CAAC,EAAE,eAAe,CAAC;IACzB,uCAAuC;IACvC,KAAK,CAAC,EAAE,OAAO,KAAK,CAAC;CACtB;AAED;;;;GAIG;AACH,wBAAsB,aAAa,CAAC,IAAI,EAAE,oBAAoB,GAAG,OAAO,CAAC,iBAAiB,CAAC,CA+F1F"}