@originator-profile/opvc 0.4.0-beta.1

package/README.md

@@ -0,0 +1,485 @@
+# opvc - Originator Profile Verifiable Credential command line tool
+
+Originator Profile (OP) 仕様に準拠した Verifiable Credential (VC) を作成・管理するためのツールです。
+
+## Installation
+
+### From source
+
+```sh
+git clone https://github.com/originator-profile/profile-share.git
+cd profile-share/packages/opvc
+pnpm install
+npm i -g .
+opvc
+```
+
+### Using `npx` / `npm`
+
+GitHub Packages にアクセスするため .npmrc 設定が必要です。
+
+1. GitHub の [Personal Access Token (classic)](https://github.com/settings/tokens) を発行
+   - 必要なスコープ:
+     - `read:packages`
+     - `repo`
+2. GitHub Packages のレジストリと認証トークンを設定
+
+```sh
+npm config set @originator-profile:registry https://npm.pkg.github.com
+npm config set //npm.pkg.github.com/:_authToken YOUR_PERSONAL_ACCESS_TOKEN
+```
+
+```sh
+# npx
+npx -y @originator-profile/opvc
+
+# npm
+npm i -g @originator-profile/opvc
+opvc
+```
+
+## Commands
+
+<!-- prettier-ignore-start -->
+<!-- commands -->
+* [`opvc ca:sign`](#opvc-casign)
+* [`opvc ca:unsigned`](#opvc-caunsigned)
+* [`opvc help [COMMAND]`](#opvc-help-command)
+* [`opvc key-gen`](#opvc-key-gen)
+* [`opvc sign`](#opvc-sign)
+* [`opvc wsp:unsigned`](#opvc-wspunsigned)
+
+## `opvc ca:sign`
+
+Content Attestation の作成
+
+```
+USAGE
+  $ opvc ca:sign -i <value> --input <filepath> [--issued-at <value>] [--expired-at <value>]
+
+FLAGS
+  -i, --identity=<value>    (required) プライベート鍵のファイルパス
+      --expired-at=<value>  有効期限 (ISO 8601)
+      --input=<filepath>    (required) 入力ファイルのパス (JSON 形式)
+      --issued-at=<value>   発行日時 (ISO 8601)
+
+DESCRIPTION
+  Content Attestation の作成
+
+  標準出力に Content Attestation を出力します。
+
+EXAMPLES
+  $ opvc ca:sign \
+      -i account-key.example.priv.json \
+      --input article-content-attestation.example.json
+
+FLAG DESCRIPTIONS
+  -i, --identity=<value>  プライベート鍵のファイルパス
+
+    プライベート鍵のファイルパスを渡してください。プライベート鍵は JWK 形式か、PEM base64 でエンコードされた PKCS #8
+    形式にしてください。
+
+  --expired-at=<value>  有効期限 (ISO 8601)
+
+    日付のみの場合、その日の 24:00:00.000 より前まで有効、それ以外の場合、期限切れとなる日付・時刻・秒を指定します。
+
+  --input=<filepath>  入力ファイルのパス (JSON 形式)
+
+    Article Content Attestation の例:
+
+    {
+    "@context": [
+    "https://www.w3.org/ns/credentials/v2",
+    "https://originator-profile.org/ns/credentials/v1",
+    "https://originator-profile.org/ns/cip/v1",
+    {
+    "@language": "ja"
+    }
+    ],
+    "type": [
+    "VerifiableCredential",
+    "ContentAttestation"
+    ],
+    "issuer": "dns:example.com",
+    "credentialSubject": {
+    "id": "urn:uuid:78550fa7-f846-4e0f-ad5c-8d34461cb95b",
+    "type": "Article",
+    "headline": "<Webページのタイトル>",
+    "image": {
+    "id": "<サムネイル画像URL>",
+    "content": [
+    "<コンテンツ (data:// 形式URL)>"
+    ]
+    },
+    "description": "<Webページの説明>",
+    "author": [
+    "山田花子"
+    ],
+    "editor": [
+    "山田太郎"
+    ],
+    "datePublished": "2023-07-04T19:14:00Z",
+    "dateModified": "2023-07-04T19:14:00Z",
+    "genre": "Arts & Entertainment"
+    },
+    "allowedUrl": "https://media.example.com/articles/2024-06-30",
+    "target": [
+    {
+    "type": "<Target Integrityの種別>",
+    "content": [
+    "<コンテンツ本体 (text/html or URL)>"
+    ],
+    "cssSelector": "<CSS セレクター (optional)>"
+    }
+    ]
+    }
+```
+
+## `opvc ca:unsigned`
+
+未署名 Content Attestation の取得
+
+```
+USAGE
+  $ opvc ca:unsigned --input <filepath> [--issued-at <value>] [--expired-at <value>]
+
+FLAGS
+  --expired-at=<value>  有効期限 (ISO 8601)
+  --input=<filepath>    (required) 入力ファイルのパス (JSON 形式)
+  --issued-at=<value>   発行日時 (ISO 8601)
+
+DESCRIPTION
+  未署名 Content Attestation の取得
+
+  標準出力に未署名 Content Attestation を出力します。
+  target[].integrity を省略した場合、type に準じて content から integrity を計算します。
+  一方、target[].integrity が含まれる場合、その値をそのまま使用します。
+  なお、いずれも target[].content プロパティが削除される点にご注意ください。
+  これにより入力ファイルの target[] と異なる結果が含まれますが、これは正しい動作です。
+
+EXAMPLES
+  $ opvc ca:unsigned \
+      --input article-content-attestation.example.json
+
+FLAG DESCRIPTIONS
+  --expired-at=<value>  有効期限 (ISO 8601)
+
+    日付のみの場合、その日の 24:00:00.000 より前まで有効、それ以外の場合、期限切れとなる日付・時刻・秒を指定します。
+
+  --input=<filepath>  入力ファイルのパス (JSON 形式)
+
+    Article Content Attestation の例:
+
+    {
+    "@context": [
+    "https://www.w3.org/ns/credentials/v2",
+    "https://originator-profile.org/ns/credentials/v1",
+    "https://originator-profile.org/ns/cip/v1",
+    {
+    "@language": "<言語・地域コード>"
+    }
+    ],
+    "type": [
+    "VerifiableCredential",
+    "ContentAttestation"
+    ],
+    "issuer": "<OP ID>",
+    "credentialSubject": {
+    "id": "<CA ID>",
+    "type": "Article",
+    "headline": "<コンテンツのタイトル>",
+    "description": "<コンテンツの説明>",
+    "image": {
+    "id": "<サムネイル画像URL>",
+    "content": [
+    "<コンテンツ (data:// 形式URL)>"
+    ]
+    },
+    "datePublished": "<公開日時>",
+    "dateModified": "<最終更新日時>",
+    "author": [
+    "<著者名>"
+    ],
+    "editor": [
+    "<編集者名>"
+    ],
+    "genre": "<ジャンル>"
+    },
+    "allowedUrl": "<CAの使用を許可するWebページのURL Pattern>",
+    "target": [
+    {
+    "type": "<Target Integrityの種別>",
+    "content": [
+    "<コンテンツ本体 (text/html or URL)>"
+    ],
+    "cssSelector": "<CSS セレクター (optional)>"
+    }
+    ]
+    }
+```
+
+## `opvc help [COMMAND]`
+
+Display help for opvc.
+
+```
+USAGE
+  $ opvc help [COMMAND...] [-n]
+
+ARGUMENTS
+  COMMAND...  Command to show help for.
+
+FLAGS
+  -n, --nested-commands  Include all nested commands in the output.
+
+DESCRIPTION
+  Display help for opvc.
+```
+
+_See code: [@oclif/plugin-help](https://github.com/oclif/plugin-help/blob/v6.2.29/src/commands/help.ts)_
+
+## `opvc key-gen`
+
+鍵ペアの生成
+
+```
+USAGE
+  $ opvc key-gen -o <value>
+
+FLAGS
+  -o, --output=<value>  (required) 鍵を保存するファイル名（拡張子除く）。<output>.priv.json と <output>.pub.json
+                        を出力します。
+
+DESCRIPTION
+  鍵ペアの生成
+```
+
+## `opvc sign`
+
+VC の作成
+
+```
+USAGE
+  $ opvc sign -i <value> --input <filepath> [--id <value>] [--issued-at <value>] [--expired-at <value>]
+
+FLAGS
+  -i, --identity=<value>    (required) プライベート鍵のファイルパス
+      --expired-at=<value>  有効期限 (ISO 8601)
+      --id=<value>          OP ID (ドメイン名)
+      --input=<filepath>    (required) 入力ファイルのパス (JSON 形式)
+      --issued-at=<value>   発行日時 (ISO 8601)
+
+DESCRIPTION
+  VC の作成
+
+  VC に署名します。
+  標準出力に VC を出力します。
+
+EXAMPLES
+  $ opvc sign \
+      -i example.priv.json \
+      --id example.com \
+      --input core-profile.json
+
+  $ opvc sign \
+      -i example.priv.json \
+      --id example.org \
+      --input web-media-profile.json
+
+  $ opvc sign \
+      -i account-key.example.priv.json \
+      --input website-profile.example.json
+
+FLAG DESCRIPTIONS
+  -i, --identity=<value>  プライベート鍵のファイルパス
+
+    プライベート鍵のファイルパスを渡してください。プライベート鍵は JWK 形式か、PEM base64 でエンコードされた PKCS #8
+    形式にしてください。
+
+  --expired-at=<value>  有効期限 (ISO 8601)
+
+    日付のみの場合、その日の 24:00:00.000 より前まで有効、それ以外の場合、期限切れとなる日付・時刻・秒を指定します。
+
+  --id=<value>  OP ID (ドメイン名)
+
+    ドメイン名 (RFC 4501) を指定します。
+
+  --input=<filepath>  入力ファイルのパス (JSON 形式)
+
+    コアプロファイル (CP) の例:
+
+    {
+    "@context": [
+    "https://www.w3.org/ns/credentials/v2",
+    "https://originator-profile.org/ns/credentials/v1"
+    ],
+    "type": [
+    "VerifiableCredential",
+    "CoreProfile"
+    ],
+    "issuer": "dns:example.org",
+    "credentialSubject": {
+    "id": "dns:example.jp",
+    "type": "Core",
+    "jwks": {
+    "keys": [
+    {
+    "kid": "LIstkoCvByn4jk8oZPvigQkzTzO9UwnGnE-VMlkZvYQ",
+    "kty": "EC",
+    "crv": "P-256",
+    "x": "QiVI-I-3gv-17KN0RFLHKh5Vj71vc75eSOkyMsxFxbE",
+    "y": "bEzRDEy41bihcTnpSILImSVymTQl9BQZq36QpCpJQnI"
+    }
+    ]
+    }
+    }
+    }
+
+    ウェブメディアプロファイル (WMP) の例:
+
+    {
+    "@context": [
+    "https://www.w3.org/ns/credentials/v2",
+    "https://originator-profile.org/ns/credentials/v1",
+    "https://originator-profile.org/ns/cip/v1",
+    {
+    "@language": "ja"
+    }
+    ],
+    "type": [
+    "VerifiableCredential",
+    "WebMediaProfile"
+    ],
+    "issuer": "dns:wmp-issuer.example.org",
+    "credentialSubject": {
+    "id": "dns:wmp-holder.example.jp",
+    "type": "OnlineBusiness",
+    "url": "https://www.wmp-holder.example.jp/",
+    "name": "○○メディア (※開発用サンプル)",
+    "logo": {
+    "id": "https://www.wmp-holder.example.jp/image.png",
+    "digestSRI": "sha256-Upwn7gYMuRmJlD1ZivHk876vXHzokXrwXj50VgfnMnY="
+    },
+    "email": "contact@wmp-holder.example.jp",
+    "telephone": "0000000000",
+    "contactPoint": {
+    "id": "https://wmp-holder.example.jp/contact",
+    "name": "お問い合わせ"
+    },
+    "informationTransmissionPolicy": {
+    "id": "https://wmp-holder.example.jp/statement",
+    "name": "情報発信ポリシー"
+    },
+    "privacyPolicy": {
+    "id": "https://wmp-holder.example.jp/privacy",
+    "name": "プライバシーポリシー"
+    },
+    "description": "この文章はこの Web メディアに関する補足情報です。"
+    }
+    }
+
+    Website Profile (WSP) の例:
+
+    {
+    "@context": [
+    "https://www.w3.org/ns/credentials/v2",
+    "https://originator-profile.org/ns/credentials/v1",
+    "https://originator-profile.org/ns/cip/v1",
+    {
+    "@language": "ja"
+    }
+    ],
+    "type": [
+    "VerifiableCredential",
+    "WebsiteProfile"
+    ],
+    "issuer": "dns:example.com",
+    "credentialSubject": {
+    "id": "https://media.example.com/",
+    "type": "WebSite",
+    "name": "<Webサイトのタイトル>",
+    "description": "<Webサイトの説明>",
+    "image": {
+    "id": "https://media.example.com/image.png",
+    "digestSRI": "sha256-Upwn7gYMuRmJlD1ZivHk876vXHzokXrwXj50VgfnMnY="
+    },
+    "allowedOrigin": [
+    "https://media.example.com"
+    ]
+    }
+    }
+```
+
+## `opvc wsp:unsigned`
+
+未署名 Website Profile の取得
+
+```
+USAGE
+  $ opvc wsp:unsigned --input <filepath> [--issued-at <value>] [--expired-at <value>]
+
+FLAGS
+  --expired-at=<value>  有効期限 (ISO 8601)
+  --input=<filepath>    (required) 入力ファイルのパス (JSON 形式)
+  --issued-at=<value>   発行日時 (ISO 8601)
+
+DESCRIPTION
+  未署名 Website Profile の取得
+
+  標準出力に未署名 Website Profile を出力します。
+
+EXAMPLES
+  $ opvc wsp:unsigned \
+      --input website-profile.example.json
+
+FLAG DESCRIPTIONS
+  --expired-at=<value>  有効期限 (ISO 8601)
+
+    日付のみの場合、その日の 24:00:00.000 より前まで有効、それ以外の場合、期限切れとなる日付・時刻・秒を指定します。
+
+  --input=<filepath>  入力ファイルのパス (JSON 形式)
+
+    Website Profile の例:
+
+    {
+    "@context": [
+    "https://www.w3.org/ns/credentials/v2",
+    "https://originator-profile.org/ns/credentials/v1",
+    "https://originator-profile.org/ns/cip/v1",
+    {
+    "@language": "<言語・地域コード>"
+    }
+    ],
+    "type": [
+    "VerifiableCredential",
+    "WebsiteProfile"
+    ],
+    "issuer": "<OP ID>",
+    "credentialSubject": {
+    "id": "<Web サイトのオリジン (形式: https://<ホスト名>)>",
+    "type": "WebSite",
+    "name": "<Web サイトの名称>",
+    "description": "<Web サイトの説明>",
+    "image": {
+    "id": "<サムネイル画像URL>",
+    "content": [
+    "<コンテンツ (data:// 形式URL)>"
+    ]
+    },
+    "allowedOrigin": [
+    "<Web サイトのオリジン (形式: https://<ホスト名>)>"
+    ]
+    }
+    }
+```
+<!-- commandsstop -->
+<!-- prettier-ignore-end -->
+
+## Development
+
+```sh
+git clone https://github.com/originator-profile/profile-share.git
+cd profile-share/packages/opvc
+pnpm install
+bin/dev.ts
+```

package/bin/dev.cmd

@@ -0,0 +1,3 @@
+@echo off
+
+node --experimental-strip-types --no-warnings=ExperimentalWarning "%~dp0\dev.ts" %*

package/bin/dev.ts

@@ -0,0 +1,5 @@
+#!/usr/bin/env -S node --experimental-strip-types --disable-warning=ExperimentalWarning
+
+import { execute } from "@oclif/core";
+
+await execute({ development: true, dir: import.meta.url });

package/bin/run.cmd

@@ -0,0 +1,3 @@
+@echo off
+
+node "%~dp0\run.js" %*

package/bin/run.js

@@ -0,0 +1,5 @@
+#!/usr/bin/env node
+
+import { execute } from "@oclif/core";
+
+await execute({ dir: import.meta.url });

package/dist/chunk-Bp6m_JJh.js

@@ -0,0 +1,13 @@
+//#region rolldown:runtime
+var __defProp = Object.defineProperty;
+var __export = (all) => {
+	let target = {};
+	for (var name in all) __defProp(target, name, {
+		get: all[name],
+		enumerable: true
+	});
+	return target;
+};
+
+//#endregion
+export { __export as t };

package/dist/commands/ca/sign.d.ts

@@ -0,0 +1,29 @@
+import { Command } from "@oclif/core";
+import * as _oclif_core_interfaces15 from "@oclif/core/interfaces";
+
+//#region src/commands/ca/sign.d.ts
+declare class CaSign extends Command {
+  static summary: string;
+  static description: string;
+  static flags: {
+    identity: _oclif_core_interfaces15.OptionFlag<{
+      [x: string]: unknown;
+      use?: string | undefined;
+      key_ops?: string[] | undefined;
+      alg?: string | undefined;
+      x5u?: string | undefined;
+      x5c?: string[] | undefined;
+      x5t?: string | undefined;
+      "x5t#S256"?: string | undefined;
+      kty: string;
+      kid: string;
+    }, _oclif_core_interfaces15.CustomOptions>;
+    input: _oclif_core_interfaces15.OptionFlag<string, _oclif_core_interfaces15.CustomOptions>;
+    "issued-at": _oclif_core_interfaces15.OptionFlag<string | undefined, _oclif_core_interfaces15.CustomOptions>;
+    "expired-at": _oclif_core_interfaces15.OptionFlag<Date | undefined, _oclif_core_interfaces15.CustomOptions>;
+  };
+  static examples: string[];
+  run(): Promise<void>;
+}
+//#endregion
+export { CaSign };

package/dist/commands/ca/sign.js

@@ -0,0 +1,71 @@
+import { n as sign } from "../../content-attestation-2NuarC85.js";
+import { r as privateKey, t as expirationDate } from "../../flags-BuWTYwYw.js";
+import { Command, Flags } from "@oclif/core";
+import fs from "node:fs/promises";
+
+//#region src/commands/ca/sign.ts
+const exampleArticleContentAttestation = {
+	"@context": [
+		"https://www.w3.org/ns/credentials/v2",
+		"https://originator-profile.org/ns/credentials/v1",
+		"https://originator-profile.org/ns/cip/v1",
+		{ "@language": "ja" }
+	],
+	type: ["VerifiableCredential", "ContentAttestation"],
+	issuer: "dns:example.com",
+	credentialSubject: {
+		id: "urn:uuid:78550fa7-f846-4e0f-ad5c-8d34461cb95b",
+		type: "Article",
+		headline: "<Webページのタイトル>",
+		image: {
+			id: "<サムネイル画像URL>",
+			content: ["<コンテンツ (data:// 形式URL)>"]
+		},
+		description: "<Webページの説明>",
+		author: ["山田花子"],
+		editor: ["山田太郎"],
+		datePublished: "2023-07-04T19:14:00Z",
+		dateModified: "2023-07-04T19:14:00Z",
+		genre: "Arts & Entertainment"
+	},
+	allowedUrl: "https://media.example.com/articles/2024-06-30",
+	target: [{
+		type: "<Target Integrityの種別>",
+		content: ["<コンテンツ本体 (text/html or URL)>"],
+		cssSelector: "<CSS セレクター (optional)>"
+	}]
+};
+var CaSign = class CaSign extends Command {
+	static summary = "Content Attestation の作成";
+	static description = "標準出力に Content Attestation を出力します。";
+	static flags = {
+		identity: privateKey({ required: true }),
+		input: Flags.string({
+			summary: "入力ファイルのパス (JSON 形式)",
+			helpValue: "<filepath>",
+			description: `\
+Article Content Attestation の例:
+
+${JSON.stringify(exampleArticleContentAttestation, null, "  ")}`,
+			required: true
+		}),
+		"issued-at": Flags.string({ description: "発行日時 (ISO 8601)" }),
+		"expired-at": expirationDate()
+	};
+	static examples = [`\
+$ <%= config.bin %> <%= command.id %> \\
+    -i account-key.example.priv.json \\
+    --input article-content-attestation.example.json`];
+	async run() {
+		const { flags } = await this.parse(CaSign);
+		const inputBuffer = await fs.readFile(flags.input);
+		const ca = await sign(JSON.parse(inputBuffer.toString()), flags.identity, {
+			issuedAt: flags["issued-at"],
+			expiredAt: flags["expired-at"]
+		});
+		this.log(ca);
+	}
+};
+
+//#endregion
+export { CaSign };

package/dist/commands/ca/unsigned.d.ts

@@ -0,0 +1,17 @@
+import { Command } from "@oclif/core";
+import * as _oclif_core_interfaces0 from "@oclif/core/interfaces";
+
+//#region src/commands/ca/unsigned.d.ts
+declare class CaUnsigned extends Command {
+  static summary: string;
+  static description: string;
+  static flags: {
+    input: _oclif_core_interfaces0.OptionFlag<string, _oclif_core_interfaces0.CustomOptions>;
+    "issued-at": _oclif_core_interfaces0.OptionFlag<string | undefined, _oclif_core_interfaces0.CustomOptions>;
+    "expired-at": _oclif_core_interfaces0.OptionFlag<Date | undefined, _oclif_core_interfaces0.CustomOptions>;
+  };
+  static examples: string[];
+  run(): Promise<void>;
+}
+//#endregion
+export { CaUnsigned };

package/dist/commands/ca/unsigned.js

@@ -0,0 +1,74 @@
+import { r as unsignedCa } from "../../content-attestation-2NuarC85.js";
+import { t as expirationDate } from "../../flags-BuWTYwYw.js";
+import { Command, Flags } from "@oclif/core";
+import fs from "node:fs/promises";
+
+//#region src/commands/ca/unsigned.ts
+const exampleArticleContentAttestation = {
+	"@context": [
+		"https://www.w3.org/ns/credentials/v2",
+		"https://originator-profile.org/ns/credentials/v1",
+		"https://originator-profile.org/ns/cip/v1",
+		{ "@language": "<言語・地域コード>" }
+	],
+	type: ["VerifiableCredential", "ContentAttestation"],
+	issuer: "<OP ID>",
+	credentialSubject: {
+		id: "<CA ID>",
+		type: "Article",
+		headline: "<コンテンツのタイトル>",
+		description: "<コンテンツの説明>",
+		image: {
+			id: "<サムネイル画像URL>",
+			content: ["<コンテンツ (data:// 形式URL)>"]
+		},
+		datePublished: "<公開日時>",
+		dateModified: "<最終更新日時>",
+		author: ["<著者名>"],
+		editor: ["<編集者名>"],
+		genre: "<ジャンル>"
+	},
+	allowedUrl: "<CAの使用を許可するWebページのURL Pattern>",
+	target: [{
+		type: "<Target Integrityの種別>",
+		content: ["<コンテンツ本体 (text/html or URL)>"],
+		cssSelector: "<CSS セレクター (optional)>"
+	}]
+};
+var CaUnsigned = class CaUnsigned extends Command {
+	static summary = "未署名 Content Attestation の取得";
+	static description = `\
+標準出力に未署名 Content Attestation を出力します。
+target[].integrity を省略した場合、type に準じて content から integrity を計算します。
+一方、target[].integrity が含まれる場合、その値をそのまま使用します。
+なお、いずれも target[].content プロパティが削除される点にご注意ください。
+これにより入力ファイルの target[] と異なる結果が含まれますが、これは正しい動作です。`;
+	static flags = {
+		input: Flags.string({
+			summary: "入力ファイルのパス (JSON 形式)",
+			helpValue: "<filepath>",
+			description: `\
+Article Content Attestation の例:
+
+${JSON.stringify(exampleArticleContentAttestation, null, "  ")}`,
+			required: true
+		}),
+		"issued-at": Flags.string({ description: "発行日時 (ISO 8601)" }),
+		"expired-at": expirationDate()
+	};
+	static examples = [`\
+$ <%= config.bin %> <%= command.id %> \\
+    --input article-content-attestation.example.json`];
+	async run() {
+		const { flags } = await this.parse(CaUnsigned);
+		const inputBuffer = await fs.readFile(flags.input);
+		const uca = await unsignedCa(JSON.parse(inputBuffer.toString()), {
+			issuedAt: flags["issued-at"],
+			expiredAt: flags["expired-at"]
+		});
+		this.logJson(uca);
+	}
+};
+
+//#endregion
+export { CaUnsigned };

package/dist/commands/key-gen/index.d.ts

@@ -0,0 +1,13 @@
+import { Command } from "@oclif/core";
+import * as _oclif_core_interfaces23 from "@oclif/core/interfaces";
+
+//#region src/commands/key-gen/index.d.ts
+declare class KeyGen extends Command {
+  static description: string;
+  static flags: {
+    output: _oclif_core_interfaces23.OptionFlag<string, _oclif_core_interfaces23.CustomOptions>;
+  };
+  run(): Promise<void>;
+}
+//#endregion
+export { KeyGen };

package/dist/commands/key-gen/index.js

@@ -0,0 +1,24 @@
+import { Command, Flags } from "@oclif/core";
+import fs from "node:fs/promises";
+import { generateKey } from "@originator-profile/cryptography";
+
+//#region src/commands/key-gen/index.ts
+var KeyGen = class KeyGen extends Command {
+	static description = "鍵ペアの生成";
+	static flags = { output: Flags.string({
+		char: "o",
+		description: "鍵を保存するファイル名（拡張子除く）。<output>.priv.json と <output>.pub.json を出力します。",
+		required: true
+	}) };
+	async run() {
+		const { flags } = await this.parse(KeyGen);
+		const { publicKey, privateKey } = await generateKey();
+		const privateKeyFilename = `${flags.output}.priv.json`;
+		const publicKeyFilename = `${flags.output}.pub.json`;
+		await fs.writeFile(publicKeyFilename, JSON.stringify(publicKey, null, 2));
+		await fs.writeFile(privateKeyFilename, JSON.stringify(privateKey, null, 2));
+	}
+};
+
+//#endregion
+export { KeyGen };

package/dist/commands/sign.d.ts

@@ -0,0 +1,30 @@
+import { Command } from "@oclif/core";
+import * as _oclif_core_interfaces5 from "@oclif/core/interfaces";
+
+//#region src/commands/sign.d.ts
+declare class VcSign extends Command {
+  static summary: string;
+  static description: string;
+  static flags: {
+    identity: _oclif_core_interfaces5.OptionFlag<{
+      [x: string]: unknown;
+      use?: string | undefined;
+      key_ops?: string[] | undefined;
+      alg?: string | undefined;
+      x5u?: string | undefined;
+      x5c?: string[] | undefined;
+      x5t?: string | undefined;
+      "x5t#S256"?: string | undefined;
+      kty: string;
+      kid: string;
+    }, _oclif_core_interfaces5.CustomOptions>;
+    id: _oclif_core_interfaces5.OptionFlag<string | undefined, _oclif_core_interfaces5.CustomOptions>;
+    input: _oclif_core_interfaces5.OptionFlag<string, _oclif_core_interfaces5.CustomOptions>;
+    "issued-at": _oclif_core_interfaces5.OptionFlag<string | undefined, _oclif_core_interfaces5.CustomOptions>;
+    "expired-at": _oclif_core_interfaces5.OptionFlag<Date | undefined, _oclif_core_interfaces5.CustomOptions>;
+  };
+  static examples: string[];
+  run(): Promise<void>;
+}
+//#endregion
+export { VcSign };

package/dist/commands/sign.js

@@ -0,0 +1,151 @@
+import { n as opId, r as privateKey, t as expirationDate } from "../flags-BuWTYwYw.js";
+import { fetchAndSetDigestSri } from "@originator-profile/sign";
+import { addYears } from "date-fns";
+import { Command, Flags } from "@oclif/core";
+import { signJwtVc } from "@originator-profile/securing-mechanism";
+import fs from "node:fs/promises";
+
+//#region src/commands/sign.ts
+function isValidVc(vc) {
+	return typeof vc === "object" && vc !== null && "credentialSubject" in vc && typeof vc.credentialSubject === "object" && vc.credentialSubject !== null;
+}
+async function addDigestSri(vc) {
+	if (!isValidVc(vc)) throw new Error("Invalid VC");
+	const credentialSubject = vc.credentialSubject;
+	await fetchAndSetDigestSri("sha256", credentialSubject.logo);
+	await fetchAndSetDigestSri("sha256", credentialSubject.image);
+	return Object.assign(vc, { credentialSubject });
+}
+const exampleCoreProfile = {
+	"@context": ["https://www.w3.org/ns/credentials/v2", "https://originator-profile.org/ns/credentials/v1"],
+	type: ["VerifiableCredential", "CoreProfile"],
+	issuer: "dns:example.org",
+	credentialSubject: {
+		id: "dns:example.jp",
+		type: "Core",
+		jwks: { keys: [{
+			kid: "LIstkoCvByn4jk8oZPvigQkzTzO9UwnGnE-VMlkZvYQ",
+			kty: "EC",
+			crv: "P-256",
+			x: "QiVI-I-3gv-17KN0RFLHKh5Vj71vc75eSOkyMsxFxbE",
+			y: "bEzRDEy41bihcTnpSILImSVymTQl9BQZq36QpCpJQnI"
+		}] }
+	}
+};
+const exampleWebMediaProfile = {
+	"@context": [
+		"https://www.w3.org/ns/credentials/v2",
+		"https://originator-profile.org/ns/credentials/v1",
+		"https://originator-profile.org/ns/cip/v1",
+		{ "@language": "ja" }
+	],
+	type: ["VerifiableCredential", "WebMediaProfile"],
+	issuer: "dns:wmp-issuer.example.org",
+	credentialSubject: {
+		id: "dns:wmp-holder.example.jp",
+		type: "OnlineBusiness",
+		url: "https://www.wmp-holder.example.jp/",
+		name: "○○メディア (※開発用サンプル)",
+		logo: {
+			id: "https://www.wmp-holder.example.jp/image.png",
+			digestSRI: "sha256-Upwn7gYMuRmJlD1ZivHk876vXHzokXrwXj50VgfnMnY="
+		},
+		email: "contact@wmp-holder.example.jp",
+		telephone: "0000000000",
+		contactPoint: {
+			id: "https://wmp-holder.example.jp/contact",
+			name: "お問い合わせ"
+		},
+		informationTransmissionPolicy: {
+			id: "https://wmp-holder.example.jp/statement",
+			name: "情報発信ポリシー"
+		},
+		privacyPolicy: {
+			id: "https://wmp-holder.example.jp/privacy",
+			name: "プライバシーポリシー"
+		},
+		description: "この文章はこの Web メディアに関する補足情報です。"
+	}
+};
+const exampleWebsiteProfile = {
+	"@context": [
+		"https://www.w3.org/ns/credentials/v2",
+		"https://originator-profile.org/ns/credentials/v1",
+		"https://originator-profile.org/ns/cip/v1",
+		{ "@language": "ja" }
+	],
+	type: ["VerifiableCredential", "WebsiteProfile"],
+	issuer: "dns:example.com",
+	credentialSubject: {
+		id: "https://media.example.com/",
+		type: "WebSite",
+		name: "<Webサイトのタイトル>",
+		description: "<Webサイトの説明>",
+		image: {
+			id: "https://media.example.com/image.png",
+			digestSRI: "sha256-Upwn7gYMuRmJlD1ZivHk876vXHzokXrwXj50VgfnMnY="
+		},
+		allowedOrigin: ["https://media.example.com"]
+	}
+};
+var VcSign = class VcSign extends Command {
+	static summary = "VC の作成";
+	static description = `\
+VC に署名します。
+標準出力に VC を出力します。`;
+	static flags = {
+		identity: privateKey({ required: true }),
+		id: opId(),
+		input: Flags.string({
+			summary: "入力ファイルのパス (JSON 形式)",
+			helpValue: "<filepath>",
+			description: `\
+コアプロファイル (CP) の例:
+
+${JSON.stringify(exampleCoreProfile, null, "  ")}
+
+ウェブメディアプロファイル (WMP) の例:
+
+${JSON.stringify(exampleWebMediaProfile, null, "  ")}
+
+Website Profile (WSP) の例:
+
+${JSON.stringify(exampleWebsiteProfile, null, "  ")}`,
+			required: true
+		}),
+		"issued-at": Flags.string({ description: "発行日時 (ISO 8601)" }),
+		"expired-at": expirationDate()
+	};
+	static examples = [
+		`\
+$ <%= config.bin %> <%= command.id %> \\
+    -i example.priv.json \\
+    --id example.com \\
+    --input core-profile.json`,
+		`\
+$ <%= config.bin %> <%= command.id %> \\
+    -i example.priv.json \\
+    --id example.org \\
+    --input web-media-profile.json`,
+		`\
+$ <%= config.bin %> <%= command.id %> \\
+    -i account-key.example.priv.json \\
+    --input website-profile.example.json`
+	];
+	async run() {
+		const { flags } = await this.parse(VcSign);
+		const inputBuffer = await fs.readFile(flags.input);
+		const input = JSON.parse(inputBuffer.toString());
+		const issuedAt = new Date(flags["issued-at"] ?? Date.now());
+		const expiredAt = flags["expired-at"] ?? addYears(/* @__PURE__ */ new Date(), 1);
+		if (flags.id) input.credentialSubject.id = flags.id;
+		const vc = await signJwtVc(await addDigestSri(input), flags.identity, {
+			issuedAt,
+			expiredAt
+		});
+		this.log(vc);
+	}
+};
+
+//#endregion
+export { VcSign };

package/dist/commands/wsp/unsigned.d.ts

@@ -0,0 +1,17 @@
+import { Command } from "@oclif/core";
+import * as _oclif_core_interfaces25 from "@oclif/core/interfaces";
+
+//#region src/commands/wsp/unsigned.d.ts
+declare class WspUnsigned extends Command {
+  static summary: string;
+  static description: string;
+  static flags: {
+    input: _oclif_core_interfaces25.OptionFlag<string, _oclif_core_interfaces25.CustomOptions>;
+    "issued-at": _oclif_core_interfaces25.OptionFlag<string | undefined, _oclif_core_interfaces25.CustomOptions>;
+    "expired-at": _oclif_core_interfaces25.OptionFlag<Date | undefined, _oclif_core_interfaces25.CustomOptions>;
+  };
+  static examples: string[];
+  run(): Promise<void>;
+}
+//#endregion
+export { WspUnsigned };

package/dist/commands/wsp/unsigned.js

@@ -0,0 +1,59 @@
+import { t as unsignedWsp } from "../../website-profile-D43BL7p3.js";
+import { t as expirationDate } from "../../flags-BuWTYwYw.js";
+import { Command, Flags } from "@oclif/core";
+import fs from "node:fs/promises";
+
+//#region src/commands/wsp/unsigned.ts
+const exampleWebsiteProfile = {
+	"@context": [
+		"https://www.w3.org/ns/credentials/v2",
+		"https://originator-profile.org/ns/credentials/v1",
+		"https://originator-profile.org/ns/cip/v1",
+		{ "@language": "<言語・地域コード>" }
+	],
+	type: ["VerifiableCredential", "WebsiteProfile"],
+	issuer: "<OP ID>",
+	credentialSubject: {
+		id: "<Web サイトのオリジン (形式: https://<ホスト名>)>",
+		type: "WebSite",
+		name: "<Web サイトの名称>",
+		description: "<Web サイトの説明>",
+		image: {
+			id: "<サムネイル画像URL>",
+			content: ["<コンテンツ (data:// 形式URL)>"]
+		},
+		allowedOrigin: ["<Web サイトのオリジン (形式: https://<ホスト名>)>"]
+	}
+};
+var WspUnsigned = class WspUnsigned extends Command {
+	static summary = "未署名 Website Profile の取得";
+	static description = "標準出力に未署名 Website Profile を出力します。";
+	static flags = {
+		input: Flags.string({
+			summary: "入力ファイルのパス (JSON 形式)",
+			helpValue: "<filepath>",
+			description: `\
+Website Profile の例:
+
+${JSON.stringify(exampleWebsiteProfile, null, "  ")}`,
+			required: true
+		}),
+		"issued-at": Flags.string({ description: "発行日時 (ISO 8601)" }),
+		"expired-at": expirationDate()
+	};
+	static examples = [`\
+$ <%= config.bin %> <%= command.id %> \\
+    --input website-profile.example.json`];
+	async run() {
+		const { flags } = await this.parse(WspUnsigned);
+		const inputBuffer = await fs.readFile(flags.input);
+		const uwsp = await unsignedWsp(JSON.parse(inputBuffer.toString()), {
+			issuedAt: flags["issued-at"],
+			expiredAt: flags["expired-at"]
+		});
+		this.logJson(uwsp);
+	}
+};
+
+//#endregion
+export { WspUnsigned };

package/dist/content-attestation-2NuarC85.js

@@ -0,0 +1,75 @@
+import { t as __export } from "./chunk-Bp6m_JJh.js";
+import { JSDOM } from "jsdom";
+import { parseExpirationDate } from "@originator-profile/core";
+import { fetchAndSetDigestSri, fetchAndSetTargetIntegrity, signCa } from "@originator-profile/sign";
+import { addYears, getUnixTime } from "date-fns";
+import { BadRequestError } from "http-errors-enhanced";
+
+//#region src/document-provider.ts
+async function documentProvider({ type, content = "" }) {
+	if (Array.isArray(content) && content.length > 1) throw new Error("Multiple contents are not supported in this context.");
+	[content] = [content].flat();
+	let url;
+	let html = "";
+	if (type === "ExternalResourceTargetIntegrity") {
+		url = URL.canParse(content) ? content : void 0;
+		html = "";
+	} else if (URL.canParse(content)) {
+		url = content;
+		html = await fetch(url).then((res) => res.text());
+	} else {
+		url = void 0;
+		html = content;
+	}
+	return new JSDOM(html, { url }).window.document;
+}
+
+//#endregion
+//#region src/content-attestation.ts
+var content_attestation_exports = /* @__PURE__ */ __export({
+	sign: () => sign,
+	unsignedCa: () => unsignedCa
+});
+/**
+* Content Attestation への署名
+* @param uca 未署名 Content Attestation オブジェクト
+* @param privateKey プライベート鍵
+* @return Content Attestation
+*/
+async function sign(uca, privateKey, { issuedAt: issuedAtDateOrString = /* @__PURE__ */ new Date(), expiredAt: expiredAtDateOrString = addYears(/* @__PURE__ */ new Date(), 1) }) {
+	const issuedAt = new Date(issuedAtDateOrString);
+	const expiredAt = typeof expiredAtDateOrString === "string" ? parseExpirationDate(expiredAtDateOrString) : expiredAtDateOrString;
+	uca.credentialSubject.id ??= `urn:uuid:${crypto.randomUUID()}`;
+	return await signCa(uca, privateKey, {
+		issuedAt,
+		expiredAt,
+		documentProvider
+	});
+}
+/**
+* 未署名 Content Attestation の取得
+* @param uca 未署名 Content Attestation オブジェクト
+* @throws {BadRequestError} 検証対象のコンテンツが存在しない/コンテンツにアクセスできない/Integrityの計算に失敗
+* @return 未署名 Content Attestation オブジェクト
+*/
+async function unsignedCa(uca, { issuedAt: issuedAtDateOrString = /* @__PURE__ */ new Date(), expiredAt: expiredAtDateOrString = addYears(/* @__PURE__ */ new Date(), 1) }) {
+	const issuedAt = new Date(issuedAtDateOrString);
+	const expiredAt = typeof expiredAtDateOrString === "string" ? parseExpirationDate(expiredAtDateOrString) : expiredAtDateOrString;
+	uca.credentialSubject.id ??= `urn:uuid:${crypto.randomUUID()}`;
+	try {
+		await fetchAndSetDigestSri("sha256", uca.credentialSubject.image);
+		await fetchAndSetTargetIntegrity("sha256", uca, documentProvider);
+	} catch (e) {
+		throw new BadRequestError(e.message);
+	}
+	return {
+		iss: uca.issuer,
+		sub: uca.credentialSubject.id,
+		iat: getUnixTime(issuedAt),
+		exp: getUnixTime(expiredAt),
+		...uca
+	};
+}
+
+//#endregion
+export { documentProvider as i, sign as n, unsignedCa as r, content_attestation_exports as t };

package/dist/flags-BuWTYwYw.js

@@ -0,0 +1,38 @@
+import { parseExpirationDate } from "@originator-profile/core";
+import { Flags } from "@oclif/core";
+import fs from "node:fs/promises";
+import { exportJWK, importPKCS8 } from "jose";
+
+//#region src/flags.ts
+const opId = Flags.custom({
+	summary: "OP ID (ドメイン名)",
+	description: `\
+ドメイン名 (RFC 4501) を指定します。`,
+	async parse(domainName) {
+		const id = domainName.toLowerCase();
+		return domainName.startsWith("dns:") ? id : `dns:${id}`;
+	}
+});
+const privateKey = Flags.custom({
+	char: "i",
+	summary: "プライベート鍵のファイルパス",
+	description: "プライベート鍵のファイルパスを渡してください。プライベート鍵は JWK 形式か、PEM base64 でエンコードされた PKCS #8 形式にしてください。",
+	async parse(filepath) {
+		const fileContent = (await fs.readFile(filepath)).toString();
+		try {
+			return await exportJWK(await importPKCS8(fileContent, "ES256", { extractable: true }));
+		} catch (e) {
+			return JSON.parse(fileContent);
+		}
+	}
+});
+const expirationDate = Flags.custom({
+	summary: "有効期限 (ISO 8601)",
+	description: "日付のみの場合、その日の 24:00:00.000 より前まで有効、それ以外の場合、期限切れとなる日付・時刻・秒を指定します。",
+	async parse(input) {
+		return parseExpirationDate(input);
+	}
+});
+
+//#endregion
+export { opId as n, privateKey as r, expirationDate as t };

package/dist/index.d.ts

@@ -0,0 +1,48 @@
+import { t as __export } from "./chunk-Bp6m_JJh.js";
+import { Jwk, RawTarget, UnsignedContentAttestation, WebsiteProfile } from "@originator-profile/model";
+
+//#region src/document-provider.d.ts
+declare function documentProvider({
+  type,
+  content
+}: RawTarget): Promise<Document>;
+/**
+ * Content Attestation への署名
+ * @param uca 未署名 Content Attestation オブジェクト
+ * @param privateKey プライベート鍵
+ * @return Content Attestation
+ */
+declare function sign(uca: UnsignedContentAttestation, privateKey: Jwk, {
+  issuedAt: issuedAtDateOrString,
+  expiredAt: expiredAtDateOrString
+}: {
+  issuedAt?: Date | string;
+  expiredAt?: Date | string;
+}): Promise<string>;
+/**
+ * 未署名 Content Attestation の取得
+ * @param uca 未署名 Content Attestation オブジェクト
+ * @throws {BadRequestError} 検証対象のコンテンツが存在しない/コンテンツにアクセスできない/Integrityの計算に失敗
+ * @return 未署名 Content Attestation オブジェクト
+ */
+declare function unsignedCa(uca: UnsignedContentAttestation, {
+  issuedAt: issuedAtDateOrString,
+  expiredAt: expiredAtDateOrString
+}: {
+  issuedAt?: Date | string;
+  expiredAt?: Date | string;
+}): Promise<UnsignedContentAttestation>;
+/**
+ * 未署名 Website Profile の取得
+ * @param uwsp 未署名 Website Profile オブジェクト
+ * @return 未署名 Website Profile オブジェクト
+ */
+declare function unsignedWsp(uwsp: WebsiteProfile, {
+  issuedAt: issuedAtDateOrString,
+  expiredAt: expiredAtDateOrString
+}: {
+  issuedAt?: Date | string;
+  expiredAt?: Date | string;
+}): Promise<WebsiteProfile>;
+//#endregion
+export { content_attestation_d_exports as ContentAttestation, website_profile_d_exports as WebsiteProfile, documentProvider };

package/dist/index.js

@@ -0,0 +1,4 @@
+import { i as documentProvider, t as content_attestation_exports } from "./content-attestation-2NuarC85.js";
+import { n as website_profile_exports } from "./website-profile-D43BL7p3.js";
+
+export { content_attestation_exports as ContentAttestation, website_profile_exports as WebsiteProfile, documentProvider };

package/dist/website-profile-D43BL7p3.js

@@ -0,0 +1,27 @@
+import { t as __export } from "./chunk-Bp6m_JJh.js";
+import { parseExpirationDate } from "@originator-profile/core";
+import { fetchAndSetDigestSri } from "@originator-profile/sign";
+import { addYears, getUnixTime } from "date-fns";
+
+//#region src/website-profile.ts
+var website_profile_exports = /* @__PURE__ */ __export({ unsignedWsp: () => unsignedWsp });
+/**
+* 未署名 Website Profile の取得
+* @param uwsp 未署名 Website Profile オブジェクト
+* @return 未署名 Website Profile オブジェクト
+*/
+async function unsignedWsp(uwsp, { issuedAt: issuedAtDateOrString = /* @__PURE__ */ new Date(), expiredAt: expiredAtDateOrString = addYears(/* @__PURE__ */ new Date(), 1) }) {
+	const issuedAt = new Date(issuedAtDateOrString);
+	const expiredAt = typeof expiredAtDateOrString === "string" ? parseExpirationDate(expiredAtDateOrString) : expiredAtDateOrString;
+	await fetchAndSetDigestSri("sha256", uwsp.credentialSubject.image);
+	return {
+		iss: uwsp.issuer,
+		sub: uwsp.credentialSubject.id,
+		iat: getUnixTime(issuedAt),
+		exp: getUnixTime(expiredAt),
+		...uwsp
+	};
+}
+
+//#endregion
+export { website_profile_exports as n, unsignedWsp as t };

package/package.json

@@ -0,0 +1,50 @@
+{
+  "name": "@originator-profile/opvc",
+  "version": "0.4.0-beta.1",
+  "private": false,
+  "type": "module",
+  "files": [
+    "bin",
+    "dist"
+  ],
+  "bin": "bin/run.js",
+  "exports": {
+    "types": "./dist/index.d.ts",
+    "default": "./dist/index.js"
+  },
+  "oclif": {
+    "bin": "opvc",
+    "commands": "dist/commands",
+    "plugins": [
+      "@oclif/plugin-help"
+    ]
+  },
+  "dependencies": {
+    "@oclif/core": "^4.4.0",
+    "@oclif/plugin-help": "^6.2.29",
+    "date-fns": "^4.1.0",
+    "http-errors-enhanced": "^3.0.2",
+    "jose": "^6.0.11",
+    "jsdom": "^27.0.0",
+    "@originator-profile/core": "0.4.0-beta.1",
+    "@originator-profile/cryptography": "0.4.0-beta.1",
+    "@originator-profile/sign": "0.4.0-beta.1",
+    "@originator-profile/securing-mechanism": "0.4.0-beta.1",
+    "@originator-profile/model": "0.4.0-beta.1"
+  },
+  "devDependencies": {
+    "@types/node": "^24.3.1",
+    "eslint": "^9.25.1",
+    "oclif": "^4.20.1",
+    "tsdown": "^0.15.0",
+    "typescript": "^5.8.3",
+    "@originator-profile/tsconfig": "0.4.0-beta.1",
+    "eslint-config-originator-profile": "0.4.0-beta.1"
+  },
+  "scripts": {
+    "build": "tsdown && oclif manifest && oclif readme",
+    "lint": "eslint --fix .",
+    "type-check": "tsc",
+    "test": "node --experimental-strip-types --no-warnings=ExperimentalWarning --test"
+  }
+}