@originals/sdk 1.4.3 → 1.4.5

package/dist/did/KeyManager.js

@@ -0,0 +1,207 @@
+// Initialize noble crypto libraries first (idempotent - safe to import multiple times)
+import '../crypto/noble-init.js';
+import * as secp256k1 from '@noble/secp256k1';
+import * as ed25519 from '@noble/ed25519';
+import { p256 } from '@noble/curves/p256';
+import { multikey } from '../crypto/Multikey';
+function toMultikeyType(type) {
+    if (type === 'ES256K')
+        return 'Secp256k1';
+    if (type === 'Ed25519')
+        return 'Ed25519';
+    if (type === 'ES256')
+        return 'P256';
+    throw new Error(`Unsupported key type: ${type}`);
+}
+function fromMultikeyType(type) {
+    if (type === 'Secp256k1')
+        return 'ES256K';
+    if (type === 'Ed25519')
+        return 'Ed25519';
+    if (type === 'P256')
+        return 'ES256';
+    throw new Error('Unsupported key type');
+}
+export class KeyManager {
+    constructor() {
+        // Noble crypto libraries are initialized via noble-init.ts (imported at SDK entry point)
+        // No initialization needed here
+    }
+    async generateKeyPair(type) {
+        if (type === 'ES256K') {
+            const privateKeyBytes = secp256k1.utils.randomPrivateKey();
+            const publicKeyBytes = secp256k1.getPublicKey(privateKeyBytes, true);
+            return {
+                privateKey: multikey.encodePrivateKey(privateKeyBytes, 'Secp256k1'),
+                publicKey: multikey.encodePublicKey(publicKeyBytes, 'Secp256k1')
+            };
+        }
+        if (type === 'Ed25519') {
+            const privateKeyBytes = ed25519.utils.randomPrivateKey();
+            const publicKeyBytes = await ed25519.getPublicKeyAsync(privateKeyBytes);
+            return {
+                privateKey: multikey.encodePrivateKey(privateKeyBytes, 'Ed25519'),
+                publicKey: multikey.encodePublicKey(publicKeyBytes, 'Ed25519')
+            };
+        }
+        if (type === 'ES256') {
+            const privateKeyBytes = p256.utils.randomPrivateKey();
+            const publicKeyBytes = p256.getPublicKey(privateKeyBytes, true);
+            return {
+                privateKey: multikey.encodePrivateKey(privateKeyBytes, 'P256'),
+                publicKey: multikey.encodePublicKey(publicKeyBytes, 'P256')
+            };
+        }
+        throw new Error(`Unsupported key type: ${type}`);
+    }
+    async rotateKeys(didDoc, newKeyPair) {
+        const multikeyContext = 'https://w3id.org/security/multikey/v1';
+        const securityContext = 'https://w3id.org/security/v1';
+        // Ensure required contexts are present
+        const updatedContext = [...didDoc['@context']];
+        if (!updatedContext.includes(multikeyContext)) {
+            updatedContext.push(multikeyContext);
+        }
+        if (!updatedContext.includes(securityContext)) {
+            updatedContext.push(securityContext);
+        }
+        // Generate new key ID
+        const existingKeys = didDoc.verificationMethod || [];
+        const keyIndex = existingKeys.length;
+        const newKeyId = `${didDoc.id}#keys-${keyIndex}`;
+        // Mark all existing verification methods as revoked with current timestamp
+        const revokedTimestamp = new Date().toISOString();
+        const revokedVerificationMethods = existingKeys.map(vm => ({
+            ...vm,
+            revoked: revokedTimestamp
+        }));
+        // Create new verification method
+        const newVerificationMethod = {
+            id: newKeyId,
+            type: 'Multikey',
+            controller: didDoc.id,
+            publicKeyMultibase: newKeyPair.publicKey
+        };
+        // Update authentication and assertionMethod arrays to reference only the new key
+        const newKeyReference = newKeyId;
+        const updated = {
+            ...didDoc,
+            '@context': updatedContext,
+            verificationMethod: [...revokedVerificationMethods, newVerificationMethod],
+            authentication: [newKeyReference],
+            assertionMethod: [newKeyReference]
+        };
+        // Preserve other properties if they exist
+        if (didDoc.keyAgreement) {
+            updated.keyAgreement = didDoc.keyAgreement;
+        }
+        if (didDoc.capabilityInvocation) {
+            updated.capabilityInvocation = didDoc.capabilityInvocation;
+        }
+        if (didDoc.capabilityDelegation) {
+            updated.capabilityDelegation = didDoc.capabilityDelegation;
+        }
+        if (didDoc.service) {
+            updated.service = didDoc.service;
+        }
+        return updated;
+    }
+    async recoverFromCompromise(didDoc) {
+        // Determine key type from existing verification methods or default to Ed25519
+        let keyType = 'Ed25519';
+        if (didDoc.verificationMethod && didDoc.verificationMethod.length > 0) {
+            try {
+                const firstKey = didDoc.verificationMethod[0];
+                const decoded = multikey.decodePublicKey(firstKey.publicKeyMultibase);
+                keyType = fromMultikeyType(decoded.type);
+            }
+            catch (e) {
+                // If decoding fails, use default Ed25519
+            }
+        }
+        // Generate new key pair
+        const newKeyPair = await this.generateKeyPair(keyType);
+        // Ensure required contexts
+        const multikeyContext = 'https://w3id.org/security/multikey/v1';
+        const securityContext = 'https://w3id.org/security/v1';
+        const credentialsContext = 'https://www.w3.org/2018/credentials/v1';
+        const updatedContext = [...didDoc['@context']];
+        if (!updatedContext.includes(multikeyContext)) {
+            updatedContext.push(multikeyContext);
+        }
+        if (!updatedContext.includes(securityContext)) {
+            updatedContext.push(securityContext);
+        }
+        // Mark all existing verification methods as compromised
+        const compromisedTimestamp = new Date().toISOString();
+        const existingKeys = didDoc.verificationMethod || [];
+        const compromisedVerificationMethods = existingKeys.map(vm => ({
+            ...vm,
+            compromised: compromisedTimestamp
+        }));
+        // Collect IDs of compromised keys
+        const previousVerificationMethodIds = existingKeys.map(vm => vm.id);
+        // Generate new key ID
+        const keyIndex = existingKeys.length;
+        const newKeyId = `${didDoc.id}#keys-${keyIndex}`;
+        // Create new verification method
+        const newVerificationMethod = {
+            id: newKeyId,
+            type: 'Multikey',
+            controller: didDoc.id,
+            publicKeyMultibase: newKeyPair.publicKey
+        };
+        // Update DID document
+        const updatedDidDocument = {
+            ...didDoc,
+            '@context': updatedContext,
+            verificationMethod: [...compromisedVerificationMethods, newVerificationMethod],
+            authentication: [newKeyId],
+            assertionMethod: [newKeyId]
+        };
+        // Preserve other properties
+        if (didDoc.keyAgreement) {
+            updatedDidDocument.keyAgreement = didDoc.keyAgreement;
+        }
+        if (didDoc.capabilityInvocation) {
+            updatedDidDocument.capabilityInvocation = didDoc.capabilityInvocation;
+        }
+        if (didDoc.capabilityDelegation) {
+            updatedDidDocument.capabilityDelegation = didDoc.capabilityDelegation;
+        }
+        if (didDoc.service) {
+            updatedDidDocument.service = didDoc.service;
+        }
+        // Create recovery credential
+        const recoveryCredential = {
+            '@context': [credentialsContext, securityContext],
+            type: ['VerifiableCredential', 'KeyRecoveryCredential'],
+            issuer: didDoc.id,
+            issuanceDate: compromisedTimestamp,
+            credentialSubject: {
+                id: didDoc.id,
+                recoveredAt: compromisedTimestamp,
+                recoveryReason: 'key_compromise',
+                previousVerificationMethods: previousVerificationMethodIds,
+                newVerificationMethod: newKeyId
+            }
+        };
+        return { didDocument: updatedDidDocument, recoveryCredential, newKeyPair };
+    }
+    encodePublicKeyMultibase(publicKey, type) {
+        const mkType = toMultikeyType(type);
+        return multikey.encodePublicKey(new Uint8Array(publicKey), mkType);
+    }
+    decodePublicKeyMultibase(encoded) {
+        if (!encoded || typeof encoded !== 'string') {
+            throw new Error('Invalid multibase string');
+        }
+        try {
+            const decoded = multikey.decodePublicKey(encoded);
+            return { key: Buffer.from(decoded.key), type: fromMultikeyType(decoded.type) };
+        }
+        catch {
+            throw new Error('Invalid multibase string');
+        }
+    }
+}

package/dist/did/WebVHManager.d.ts

@@ -0,0 +1,100 @@
+import { DIDDocument, KeyPair, ExternalSigner, ExternalVerifier } from '../types';
+interface VerificationMethod {
+    id?: string;
+    type: string;
+    controller?: string;
+    publicKeyMultibase: string;
+    secretKeyMultibase?: string;
+    purpose?: 'authentication' | 'assertionMethod' | 'keyAgreement' | 'capabilityInvocation' | 'capabilityDelegation';
+}
+interface DIDLogEntry {
+    versionId: string;
+    versionTime: string;
+    parameters: Record<string, unknown>;
+    state: Record<string, unknown>;
+    proof?: Record<string, unknown>[];
+}
+type DIDLog = DIDLogEntry[];
+export interface CreateWebVHOptions {
+    domain: string;
+    keyPair?: KeyPair;
+    paths?: string[];
+    portable?: boolean;
+    outputDir?: string;
+    externalSigner?: ExternalSigner;
+    externalVerifier?: ExternalVerifier;
+    verificationMethods?: VerificationMethod[];
+    updateKeys?: string[];
+}
+export interface CreateWebVHResult {
+    did: string;
+    didDocument: DIDDocument;
+    log: DIDLog;
+    keyPair: KeyPair;
+    logPath?: string;
+}
+/**
+ * WebVH DID Manager for creating and managing did:webvh identifiers
+ */
+export declare class WebVHManager {
+    private keyManager;
+    constructor();
+    /**
+     * Creates a new did:webvh DID with proper cryptographic signing
+     * @param options - Creation options including domain and optional key pair or external signer
+     * @returns The created DID, document, log, and key pair (if generated)
+     */
+    createDIDWebVH(options: CreateWebVHOptions): Promise<CreateWebVHResult>;
+    /**
+     * Validates a path segment to prevent directory traversal attacks
+     * @param segment - Path segment to validate
+     * @returns true if valid, false otherwise
+     */
+    private isValidPathSegment;
+    /**
+     * Type guard to validate a DID document structure
+     * @param doc - Object to validate
+     * @returns true if the object is a valid DIDDocument
+     */
+    private isDIDDocument;
+    /**
+     * Saves the DID log to the appropriate did.jsonl path
+     * @param did - The DID identifier
+     * @param log - The DID log to save
+     * @param baseDir - Base directory for saving (e.g., public/.well-known)
+     * @returns The full path where the log was saved
+     */
+    saveDIDLog(did: string, log: DIDLog, baseDir: string): Promise<string>;
+    /**
+     * Loads a DID log from a did.jsonl file
+     * @param logPath - Path to the did.jsonl file
+     * @returns The loaded DID log
+     */
+    loadDIDLog(logPath: string): Promise<DIDLog>;
+    /**
+     * Updates a DID:WebVH document
+     * @param did - The DID to update
+     * @param currentLog - The current DID log
+     * @param updates - Updates to apply to the DID document
+     * @param signer - The signer to use (must be authorized in updateKeys)
+     * @param verifier - Optional verifier
+     * @param outputDir - Optional directory to save the updated log
+     * @returns Updated DID document and log
+     */
+    updateDIDWebVH(options: {
+        did: string;
+        currentLog: DIDLog;
+        updates: Partial<DIDDocument>;
+        signer: ExternalSigner | {
+            privateKey: string;
+            publicKey: string;
+        };
+        verifier?: ExternalVerifier;
+        outputDir?: string;
+    }): Promise<{
+        didDocument: DIDDocument;
+        log: DIDLog;
+        logPath?: string;
+    }>;
+}
+export {};

package/dist/did/WebVHManager.js

@@ -0,0 +1,312 @@
+import { KeyManager } from './KeyManager';
+import { multikey } from '../crypto/Multikey';
+import { Ed25519Signer } from '../crypto/Signer';
+import * as fs from 'fs';
+import * as path from 'path';
+/**
+ * Adapter to use Originals SDK signers with didwebvh-ts
+ */
+class OriginalsWebVHSigner {
+    constructor(privateKeyMultibase, verificationMethod, prepareDataForSigning, options = {}) {
+        this.privateKeyMultibase = privateKeyMultibase;
+        this.verificationMethod = options.verificationMethod || verificationMethod;
+        this.useStaticId = options.useStaticId || false;
+        this.signer = new Ed25519Signer();
+        this.prepareDataForSigning = prepareDataForSigning;
+    }
+    async sign(input) {
+        // Prepare the data for signing using didwebvh-ts's canonical approach
+        const dataToSign = await this.prepareDataForSigning(input.document, input.proof);
+        // Sign using our Ed25519 signer
+        const signature = await this.signer.sign(Buffer.from(dataToSign), this.privateKeyMultibase);
+        // Encode signature as multibase
+        const proofValue = multikey.encodeMultibase(signature);
+        return { proofValue };
+    }
+    async verify(signature, message, publicKey) {
+        // Decode the public key to multibase format
+        const publicKeyMultibase = multikey.encodePublicKey(publicKey, 'Ed25519');
+        // Verify using our Ed25519 signer
+        const messageBuffer = Buffer.from(message);
+        const signatureBuffer = Buffer.from(signature);
+        return this.signer.verify(messageBuffer, signatureBuffer, publicKeyMultibase);
+    }
+    getVerificationMethodId() {
+        // didwebvh-ts requires verification method to be a did:key: identifier
+        // Extract the multibase key from the verification method
+        const publicKeyMultibase = this.verificationMethod?.publicKeyMultibase;
+        if (!publicKeyMultibase) {
+            throw new Error('Verification method must have publicKeyMultibase');
+        }
+        // Return as did:key format which didwebvh-ts expects
+        return `did:key:${publicKeyMultibase}`;
+    }
+}
+/**
+ * WebVH DID Manager for creating and managing did:webvh identifiers
+ */
+export class WebVHManager {
+    constructor() {
+        this.keyManager = new KeyManager();
+    }
+    /**
+     * Creates a new did:webvh DID with proper cryptographic signing
+     * @param options - Creation options including domain and optional key pair or external signer
+     * @returns The created DID, document, log, and key pair (if generated)
+     */
+    async createDIDWebVH(options) {
+        const { domain, keyPair: providedKeyPair, paths = [], portable = false, outputDir, externalSigner, externalVerifier, verificationMethods: providedVerificationMethods, updateKeys: providedUpdateKeys } = options;
+        // Validate path segments before creating DID to prevent directory traversal
+        if (paths && paths.length > 0) {
+            for (const segment of paths) {
+                if (!this.isValidPathSegment(segment)) {
+                    throw new Error(`Invalid path segment in DID: "${segment}". Path segments cannot contain '.', '..', path separators, or be absolute paths.`);
+                }
+            }
+        }
+        // Dynamically import didwebvh-ts to avoid module resolution issues
+        const mod = await import('didwebvh-ts');
+        const { createDID, prepareDataForSigning } = mod;
+        // Runtime validation of imported module
+        if (typeof createDID !== 'function' || typeof prepareDataForSigning !== 'function') {
+            throw new Error('Failed to load didwebvh-ts: invalid module exports');
+        }
+        let signer;
+        let verifier;
+        let keyPair;
+        let verificationMethods;
+        let updateKeys;
+        // Use external signer if provided (e.g., Turnkey integration)
+        if (externalSigner) {
+            if (!providedVerificationMethods || providedVerificationMethods.length === 0) {
+                throw new Error('verificationMethods are required when using externalSigner');
+            }
+            if (!providedUpdateKeys || providedUpdateKeys.length === 0) {
+                throw new Error('updateKeys are required when using externalSigner');
+            }
+            signer = externalSigner;
+            verifier = externalVerifier || externalSigner; // Use signer as verifier if not provided
+            verificationMethods = providedVerificationMethods;
+            updateKeys = providedUpdateKeys;
+            keyPair = undefined; // No key pair when using external signer
+        }
+        else {
+            // Generate or use provided key pair (Ed25519 for did:webvh)
+            keyPair = providedKeyPair || await this.keyManager.generateKeyPair('Ed25519');
+            // Create verification methods
+            verificationMethods = [
+                {
+                    type: 'Multikey',
+                    publicKeyMultibase: keyPair.publicKey,
+                }
+            ];
+            // Create signer using our adapter
+            const internalSigner = new OriginalsWebVHSigner(keyPair.privateKey, verificationMethods[0], prepareDataForSigning, { verificationMethod: verificationMethods[0] });
+            signer = internalSigner;
+            verifier = internalSigner; // Use the same signer as verifier
+            updateKeys = [`did:key:${keyPair.publicKey}`]; // Use did:key format for authorization
+        }
+        // Create the DID using didwebvh-ts
+        const result = await createDID({
+            domain,
+            signer,
+            verifier,
+            updateKeys,
+            verificationMethods,
+            context: [
+                'https://www.w3.org/ns/did/v1',
+                'https://w3id.org/security/multikey/v1'
+            ],
+            paths,
+            portable,
+            authentication: ['#key-0'],
+            assertionMethod: ['#key-0'],
+        });
+        // Validate the returned DID document
+        if (!this.isDIDDocument(result.doc)) {
+            throw new Error('Invalid DID document returned from createDID');
+        }
+        // Save the log to did.jsonl if output directory is provided
+        let logPath;
+        if (outputDir) {
+            logPath = await this.saveDIDLog(result.did, result.log, outputDir);
+        }
+        return {
+            did: result.did,
+            didDocument: result.doc,
+            log: result.log,
+            keyPair: keyPair || { publicKey: '', privateKey: '' }, // Return empty keypair if using external signer
+            logPath,
+        };
+    }
+    /**
+     * Validates a path segment to prevent directory traversal attacks
+     * @param segment - Path segment to validate
+     * @returns true if valid, false otherwise
+     */
+    isValidPathSegment(segment) {
+        // Reject empty segments, dots, or segments with path separators
+        if (!segment || segment === '.' || segment === '..') {
+            return false;
+        }
+        // Reject segments containing path separators or other dangerous characters
+        if (segment.includes('/') || segment.includes('\\') || segment.includes('\0')) {
+            return false;
+        }
+        // Reject absolute paths (starting with / or drive letter on Windows)
+        if (path.isAbsolute(segment)) {
+            return false;
+        }
+        return true;
+    }
+    /**
+     * Type guard to validate a DID document structure
+     * @param doc - Object to validate
+     * @returns true if the object is a valid DIDDocument
+     */
+    isDIDDocument(doc) {
+        if (!doc || typeof doc !== 'object') {
+            return false;
+        }
+        const d = doc;
+        // Check required fields
+        if (!Array.isArray(d['@context']) || d['@context'].length === 0) {
+            return false;
+        }
+        if (typeof d.id !== 'string' || !d.id.startsWith('did:')) {
+            return false;
+        }
+        return true;
+    }
+    /**
+     * Saves the DID log to the appropriate did.jsonl path
+     * @param did - The DID identifier
+     * @param log - The DID log to save
+     * @param baseDir - Base directory for saving (e.g., public/.well-known)
+     * @returns The full path where the log was saved
+     */
+    async saveDIDLog(did, log, baseDir) {
+        // Parse the DID to extract domain and path components
+        // Format: did:webvh:domain[:port]:path1:path2...
+        const didParts = did.split(':');
+        if (didParts.length < 3 || didParts[0] !== 'did' || didParts[1] !== 'webvh') {
+            throw new Error('Invalid did:webvh format');
+        }
+        // Extract path parts (everything after domain)
+        const pathParts = didParts.slice(3);
+        // Validate all path segments to prevent directory traversal
+        for (const segment of pathParts) {
+            if (!this.isValidPathSegment(segment)) {
+                throw new Error(`Invalid path segment in DID: "${segment}". Path segments cannot contain '.', '..', path separators, or be absolute paths.`);
+            }
+        }
+        // Extract and sanitize domain for filesystem safety
+        const rawDomain = decodeURIComponent(didParts[2]);
+        // Normalize: lowercase and replace any characters not in [a-z0-9._-] with '_'
+        const safeDomain = rawDomain
+            .toLowerCase()
+            .replace(/[^a-z0-9._-]/g, '_');
+        // Validate the sanitized domain (reject '..' and other dangerous patterns)
+        if (!this.isValidPathSegment(safeDomain)) {
+            throw new Error(`Invalid domain segment in DID: "${rawDomain}"`);
+        }
+        // Construct the file path with domain isolation
+        // For did:webvh:example.com:user:alice -> baseDir/did/example.com/user/alice/did.jsonl
+        // For did:webvh:example.com:alice -> baseDir/did/example.com/alice/did.jsonl
+        const segments = [safeDomain, ...pathParts];
+        const didPath = path.join(baseDir, 'did', ...segments, 'did.jsonl');
+        // Verify the resolved path is still within baseDir (defense in depth)
+        const resolvedBaseDir = path.resolve(baseDir);
+        const resolvedPath = path.resolve(didPath);
+        const relativePath = path.relative(resolvedBaseDir, resolvedPath);
+        if (relativePath.startsWith('..') || path.isAbsolute(relativePath)) {
+            throw new Error('Invalid DID path: resolved path is outside base directory');
+        }
+        // Create directories if they don't exist
+        const dirPath = path.dirname(didPath);
+        await fs.promises.mkdir(dirPath, { recursive: true });
+        // Convert log to JSONL format (one JSON object per line)
+        const jsonlContent = log.map((entry) => JSON.stringify(entry)).join('\n');
+        // Write the log file
+        await fs.promises.writeFile(didPath, jsonlContent, 'utf8');
+        return didPath;
+    }
+    /**
+     * Loads a DID log from a did.jsonl file
+     * @param logPath - Path to the did.jsonl file
+     * @returns The loaded DID log
+     */
+    async loadDIDLog(logPath) {
+        const content = await fs.promises.readFile(logPath, 'utf8');
+        const lines = content.trim().split('\n');
+        return lines.map(line => JSON.parse(line));
+    }
+    /**
+     * Updates a DID:WebVH document
+     * @param did - The DID to update
+     * @param currentLog - The current DID log
+     * @param updates - Updates to apply to the DID document
+     * @param signer - The signer to use (must be authorized in updateKeys)
+     * @param verifier - Optional verifier
+     * @param outputDir - Optional directory to save the updated log
+     * @returns Updated DID document and log
+     */
+    async updateDIDWebVH(options) {
+        const { did, currentLog, updates, signer: providedSigner, verifier: providedVerifier, outputDir } = options;
+        // Dynamically import didwebvh-ts
+        const mod = await import('didwebvh-ts');
+        const { updateDID, prepareDataForSigning } = mod;
+        if (typeof updateDID !== 'function') {
+            throw new Error('Failed to load didwebvh-ts: invalid module exports');
+        }
+        let signer;
+        let verifier;
+        // Check if using external signer or internal keypair
+        if ('sign' in providedSigner && 'getVerificationMethodId' in providedSigner) {
+            // External signer
+            signer = providedSigner;
+            verifier = providedVerifier;
+        }
+        else {
+            // Internal signer with keypair
+            const keyPair = providedSigner;
+            const verificationMethod = {
+                type: 'Multikey',
+                publicKeyMultibase: keyPair.publicKey,
+            };
+            const internalSigner = new OriginalsWebVHSigner(keyPair.privateKey, verificationMethod, prepareDataForSigning, { verificationMethod });
+            signer = internalSigner;
+            verifier = internalSigner;
+        }
+        // Get the current document from the log
+        const currentEntry = currentLog[currentLog.length - 1];
+        const currentDoc = currentEntry.state;
+        // Merge updates with current document
+        const updatedDoc = {
+            ...currentDoc,
+            ...updates,
+            id: did, // Ensure ID doesn't change
+        };
+        // Update the DID using didwebvh-ts
+        const result = await updateDID({
+            log: currentLog,
+            doc: updatedDoc,
+            signer,
+            verifier,
+        });
+        // Validate the returned DID document
+        if (!this.isDIDDocument(result.doc)) {
+            throw new Error('Invalid DID document returned from updateDID');
+        }
+        // Save the updated log if output directory is provided
+        let logPath;
+        if (outputDir) {
+            logPath = await this.saveDIDLog(did, result.log, outputDir);
+        }
+        return {
+            didDocument: result.doc,
+            log: result.log,
+            logPath,
+        };
+    }
+}

package/dist/did/createBtcoDidDocument.d.ts

@@ -0,0 +1,10 @@
+import { DIDDocument } from '../types/did';
+import { MultikeyType } from '../crypto/Multikey';
+export type BitcoinNetwork = 'mainnet' | 'regtest' | 'signet';
+interface CreateBtcoDidDocumentParams {
+    publicKey: Uint8Array;
+    keyType: MultikeyType;
+    controller?: string;
+}
+export declare function createBtcoDidDocument(satNumber: number | string, network: BitcoinNetwork, params: CreateBtcoDidDocumentParams): DIDDocument;
+export {};

package/dist/did/createBtcoDidDocument.js

@@ -0,0 +1,42 @@
+import { multikey } from '../crypto/Multikey';
+import { validateSatoshiNumber } from '../utils/satoshi-validation';
+function getDidPrefix(network) {
+    if (network === 'mainnet')
+        return 'did:btco';
+    if (network === 'signet')
+        return 'did:btco:sig';
+    if (network === 'regtest')
+        return 'did:btco:reg';
+    throw new Error(`Unsupported Bitcoin network: ${network}`);
+}
+function buildVerificationMethod(did, params) {
+    const fragment = '#0';
+    const id = `${did}${fragment}`;
+    const controller = params.controller ?? did;
+    return {
+        id,
+        type: 'Multikey',
+        controller,
+        publicKeyMultibase: multikey.encodePublicKey(params.publicKey, params.keyType)
+    };
+}
+export function createBtcoDidDocument(satNumber, network, params) {
+    // Validate satNumber parameter at entry
+    const validation = validateSatoshiNumber(satNumber);
+    if (!validation.valid) {
+        throw new Error(`Invalid satoshi number: ${validation.error}`);
+    }
+    const did = `${getDidPrefix(network)}:${String(satNumber)}`;
+    const vm = buildVerificationMethod(did, params);
+    const document = {
+        '@context': [
+            'https://www.w3.org/ns/did/v1',
+            'https://w3id.org/security/multikey/v1'
+        ],
+        id: did,
+        verificationMethod: [vm],
+        authentication: [vm.id],
+        assertionMethod: [vm.id]
+    };
+    return document;
+}