@originator-profile/opvc 0.5.0-beta.2 → 0.5.0

package/README.md

@@ -122,7 +122,7 @@ FLAG DESCRIPTIONS
     }
 ```
 
-_See code: [src/commands/ca/sign.ts](https://github.com/originator-profile/originator-profile/blob/v0.5.0-beta.2/packages/opvc/src/commands/ca/sign.ts)_
+_See code: [src/commands/ca/sign.ts](https://github.com/originator-profile/originator-profile/blob/v0.5.0/packages/opvc/src/commands/ca/sign.ts)_
 
 ## `opvc ca:unsigned`
 
@@ -207,7 +207,7 @@ FLAG DESCRIPTIONS
     }
 ```
 
-_See code: [src/commands/ca/unsigned.ts](https://github.com/originator-profile/originator-profile/blob/v0.5.0-beta.2/packages/opvc/src/commands/ca/unsigned.ts)_
+_See code: [src/commands/ca/unsigned.ts](https://github.com/originator-profile/originator-profile/blob/v0.5.0/packages/opvc/src/commands/ca/unsigned.ts)_
 
 ## `opvc help [COMMAND]`
 
@@ -218,7 +218,7 @@ USAGE
   $ opvc help [COMMAND...] [-n]
 
 ARGUMENTS
-  COMMAND...  Command to show help for.
+  [COMMAND...]  Command to show help for.
 
 FLAGS
   -n, --nested-commands  Include all nested commands in the output.
@@ -227,7 +227,7 @@ DESCRIPTION
   Display help for opvc.
 ```
 
-_See code: [@oclif/plugin-help](https://github.com/oclif/plugin-help/blob/v6.2.37/src/commands/help.ts)_
+_See code: [@oclif/plugin-help](https://github.com/oclif/plugin-help/blob/6.2.41/src/commands/help.ts)_
 
 ## `opvc key-gen`
 
@@ -245,7 +245,7 @@ DESCRIPTION
   鍵ペアの生成
 ```
 
-_See code: [src/commands/key-gen/index.ts](https://github.com/originator-profile/originator-profile/blob/v0.5.0-beta.2/packages/opvc/src/commands/key-gen/index.ts)_
+_See code: [src/commands/key-gen/index.ts](https://github.com/originator-profile/originator-profile/blob/v0.5.0/packages/opvc/src/commands/key-gen/index.ts)_
 
 ## `opvc sign`
 
@@ -412,7 +412,7 @@ FLAG DESCRIPTIONS
     }
 ```
 
-_See code: [src/commands/sign.ts](https://github.com/originator-profile/originator-profile/blob/v0.5.0-beta.2/packages/opvc/src/commands/sign.ts)_
+_See code: [src/commands/sign.ts](https://github.com/originator-profile/originator-profile/blob/v0.5.0/packages/opvc/src/commands/sign.ts)_
 
 ## `opvc wsp:unsigned`
 
@@ -477,10 +477,56 @@ FLAG DESCRIPTIONS
     }
 ```
 
-_See code: [src/commands/wsp/unsigned.ts](https://github.com/originator-profile/originator-profile/blob/v0.5.0-beta.2/packages/opvc/src/commands/wsp/unsigned.ts)_
+_See code: [src/commands/wsp/unsigned.ts](https://github.com/originator-profile/originator-profile/blob/v0.5.0/packages/opvc/src/commands/wsp/unsigned.ts)_
 <!-- commandsstop -->
 <!-- prettier-ignore-end -->
 
+## Node.js から利用する
+
+`@originator-profile/opvc` は TypeScript/JavaScript からも利用できます。
+
+### ローカル環境でのContent Attestationの署名
+
+ローカルのプライベート鍵で署名する場合は `ContentAttestation.sign()` を使います。
+
+```ts
+import { ContentAttestation } from "@originator-profile/opvc";
+
+const jwt = await ContentAttestation.sign(input, privateKey, {
+  issuedAt: new Date(),
+  expiredAt: "2027-03-31",
+});
+```
+
+### 未署名 Content Attestation の取得
+
+未署名の Content Attestation が必要な場合は `ContentAttestation.unsignedCa()` を使えます。
+
+```ts
+import { ContentAttestation } from "@originator-profile/opvc";
+
+const uca = await ContentAttestation.unsignedCa(input, {
+  issuedAt: new Date(),
+  expiredAt: "2027-03-31",
+});
+```
+
+### CA Server経由での署名
+
+CA Server で署名する場合は `ContentAttestation.signByServer()` を使います。
+内部では未署名 Content Attestation を組み立てて CA server に送信し、返却された JWT を受け取ります。
+
+```ts
+import { ContentAttestation } from "@originator-profile/opvc";
+
+const jwt = await ContentAttestation.signByServer(input, {
+  endpoint: "https://example.com/ca",
+  accessToken: process.env.CA_SERVER_ACCESS_TOKEN!,
+  issuedAt: new Date(),
+  expiredAt: "2027-03-31",
+});
+```
+
 ## Development
 
 ```sh

package/dist/chunk-CfYAbeIz.mjs

@@ -0,0 +1,13 @@
+//#region \0rolldown/runtime.js
+var __defProp = Object.defineProperty;
+var __exportAll = (all, no_symbols) => {
+	let target = {};
+	for (var name in all) __defProp(target, name, {
+		get: all[name],
+		enumerable: true
+	});
+	if (!no_symbols) __defProp(target, Symbol.toStringTag, { value: "Module" });
+	return target;
+};
+//#endregion
+export { __exportAll as t };

package/dist/commands/ca/sign.d.mts

@@ -1,12 +1,12 @@
 import { Command } from "@oclif/core";
-import * as _oclif_core_interfaces5 from "@oclif/core/interfaces";
+import * as _$_oclif_core_interfaces0 from "@oclif/core/interfaces";
 
 //#region src/commands/ca/sign.d.ts
 declare class CaSign extends Command {
   static summary: string;
   static description: string;
   static flags: {
-    identity: _oclif_core_interfaces5.OptionFlag<{
+    identity: _$_oclif_core_interfaces0.OptionFlag<{
       [x: string]: unknown;
       kty: string;
       kid: string;
@@ -17,10 +17,10 @@ declare class CaSign extends Command {
       x5c?: string[] | undefined;
       x5t?: string | undefined;
       "x5t#S256"?: string | undefined;
-    }, _oclif_core_interfaces5.CustomOptions>;
-    input: _oclif_core_interfaces5.OptionFlag<string, _oclif_core_interfaces5.CustomOptions>;
-    "issued-at": _oclif_core_interfaces5.OptionFlag<string | undefined, _oclif_core_interfaces5.CustomOptions>;
-    "expired-at": _oclif_core_interfaces5.OptionFlag<Date | undefined, _oclif_core_interfaces5.CustomOptions>;
+    }, _$_oclif_core_interfaces0.CustomOptions>;
+    input: _$_oclif_core_interfaces0.OptionFlag<string, _$_oclif_core_interfaces0.CustomOptions>;
+    "issued-at": _$_oclif_core_interfaces0.OptionFlag<string | undefined, _$_oclif_core_interfaces0.CustomOptions>;
+    "expired-at": _$_oclif_core_interfaces0.OptionFlag<Date | undefined, _$_oclif_core_interfaces0.CustomOptions>;
   };
   static examples: string[];
   run(): Promise<void>;

package/dist/commands/ca/sign.mjs

@@ -1,8 +1,7 @@
-import { n as sign } from "../../content-attestation-rNiF6uH4.mjs";
-import { r as privateKey, t as expirationDate } from "../../flags-CFmMpf5A.mjs";
+import { n as sign } from "../../content-attestation-duY49Hxp.mjs";
+import { r as privateKey, t as expirationDate } from "../../flags-BGhMpQzg.mjs";
 import { Command, Flags } from "@oclif/core";
 import fs from "node:fs/promises";
-
 //#region src/commands/ca/sign.ts
 const exampleArticleContentAttestation = {
 	"@context": [
@@ -66,6 +65,5 @@ $ <%= config.bin %> <%= command.id %> \\
 		this.log(ca);
 	}
 };
-
 //#endregion
-export { CaSign };
+export { CaSign };

package/dist/commands/ca/unsigned.d.mts

@@ -1,14 +1,14 @@
 import { Command } from "@oclif/core";
-import * as _oclif_core_interfaces13 from "@oclif/core/interfaces";
+import * as _$_oclif_core_interfaces0 from "@oclif/core/interfaces";
 
 //#region src/commands/ca/unsigned.d.ts
 declare class CaUnsigned extends Command {
   static summary: string;
   static description: string;
   static flags: {
-    input: _oclif_core_interfaces13.OptionFlag<string, _oclif_core_interfaces13.CustomOptions>;
-    "issued-at": _oclif_core_interfaces13.OptionFlag<string | undefined, _oclif_core_interfaces13.CustomOptions>;
-    "expired-at": _oclif_core_interfaces13.OptionFlag<Date | undefined, _oclif_core_interfaces13.CustomOptions>;
+    input: _$_oclif_core_interfaces0.OptionFlag<string, _$_oclif_core_interfaces0.CustomOptions>;
+    "issued-at": _$_oclif_core_interfaces0.OptionFlag<string | undefined, _$_oclif_core_interfaces0.CustomOptions>;
+    "expired-at": _$_oclif_core_interfaces0.OptionFlag<Date | undefined, _$_oclif_core_interfaces0.CustomOptions>;
   };
   static examples: string[];
   run(): Promise<void>;

package/dist/commands/ca/unsigned.mjs

@@ -1,8 +1,7 @@
-import { r as unsignedCa } from "../../content-attestation-rNiF6uH4.mjs";
-import { t as expirationDate } from "../../flags-CFmMpf5A.mjs";
+import { r as unsignedCa } from "../../content-attestation-duY49Hxp.mjs";
+import { t as expirationDate } from "../../flags-BGhMpQzg.mjs";
 import { Command, Flags } from "@oclif/core";
 import fs from "node:fs/promises";
-
 //#region src/commands/ca/unsigned.ts
 const exampleArticleContentAttestation = {
 	"@context": [
@@ -69,6 +68,5 @@ $ <%= config.bin %> <%= command.id %> \\
 		this.logJson(uca);
 	}
 };
-
 //#endregion
-export { CaUnsigned };
+export { CaUnsigned };

package/dist/commands/key-gen/index.d.mts

@@ -1,11 +1,11 @@
 import { Command } from "@oclif/core";
-import * as _oclif_core_interfaces29 from "@oclif/core/interfaces";
+import * as _$_oclif_core_interfaces0 from "@oclif/core/interfaces";
 
 //#region src/commands/key-gen/index.d.ts
 declare class KeyGen extends Command {
   static description: string;
   static flags: {
-    output: _oclif_core_interfaces29.OptionFlag<string, _oclif_core_interfaces29.CustomOptions>;
+    output: _$_oclif_core_interfaces0.OptionFlag<string, _$_oclif_core_interfaces0.CustomOptions>;
   };
   run(): Promise<void>;
 }

package/dist/commands/key-gen/index.mjs

@@ -1,7 +1,6 @@
 import { Command, Flags } from "@oclif/core";
 import fs from "node:fs/promises";
 import { generateKey } from "@originator-profile/cryptography";
-
 //#region src/commands/key-gen/index.ts
 var KeyGen = class KeyGen extends Command {
 	static description = "鍵ペアの生成";
@@ -19,6 +18,5 @@ var KeyGen = class KeyGen extends Command {
 		await fs.writeFile(privateKeyFilename, JSON.stringify(privateKey, null, 2));
 	}
 };
-
 //#endregion
-export { KeyGen };
+export { KeyGen };

package/dist/commands/sign.d.mts

@@ -1,12 +1,12 @@
 import { Command } from "@oclif/core";
-import * as _oclif_core_interfaces19 from "@oclif/core/interfaces";
+import * as _$_oclif_core_interfaces0 from "@oclif/core/interfaces";
 
 //#region src/commands/sign.d.ts
 declare class VcSign extends Command {
   static summary: string;
   static description: string;
   static flags: {
-    identity: _oclif_core_interfaces19.OptionFlag<{
+    identity: _$_oclif_core_interfaces0.OptionFlag<{
       [x: string]: unknown;
       kty: string;
       kid: string;
@@ -17,11 +17,11 @@ declare class VcSign extends Command {
       x5c?: string[] | undefined;
       x5t?: string | undefined;
       "x5t#S256"?: string | undefined;
-    }, _oclif_core_interfaces19.CustomOptions>;
-    id: _oclif_core_interfaces19.OptionFlag<string | undefined, _oclif_core_interfaces19.CustomOptions>;
-    input: _oclif_core_interfaces19.OptionFlag<string, _oclif_core_interfaces19.CustomOptions>;
-    "issued-at": _oclif_core_interfaces19.OptionFlag<string | undefined, _oclif_core_interfaces19.CustomOptions>;
-    "expired-at": _oclif_core_interfaces19.OptionFlag<Date | undefined, _oclif_core_interfaces19.CustomOptions>;
+    }, _$_oclif_core_interfaces0.CustomOptions>;
+    id: _$_oclif_core_interfaces0.OptionFlag<string | undefined, _$_oclif_core_interfaces0.CustomOptions>;
+    input: _$_oclif_core_interfaces0.OptionFlag<string, _$_oclif_core_interfaces0.CustomOptions>;
+    "issued-at": _$_oclif_core_interfaces0.OptionFlag<string | undefined, _$_oclif_core_interfaces0.CustomOptions>;
+    "expired-at": _$_oclif_core_interfaces0.OptionFlag<Date | undefined, _$_oclif_core_interfaces0.CustomOptions>;
   };
   static examples: string[];
   run(): Promise<void>;

package/dist/commands/sign.mjs

@@ -1,10 +1,9 @@
-import { n as opId, r as privateKey, t as expirationDate } from "../flags-CFmMpf5A.mjs";
+import { n as opId, r as privateKey, t as expirationDate } from "../flags-BGhMpQzg.mjs";
 import { fetchAndSetDigestSri } from "@originator-profile/sign";
 import { addYears } from "date-fns";
 import { Command, Flags } from "@oclif/core";
 import { signJwtVc } from "@originator-profile/securing-mechanism";
 import fs from "node:fs/promises";
-
 //#region src/commands/sign.ts
 function isValidVc(vc) {
 	return typeof vc === "object" && vc !== null && "credentialSubject" in vc && typeof vc.credentialSubject === "object" && vc.credentialSubject !== null;
@@ -153,6 +152,5 @@ $ <%= config.bin %> <%= command.id %> \\
 		this.log(vc);
 	}
 };
-
 //#endregion
-export { VcSign };
+export { VcSign };

package/dist/commands/wsp/unsigned.d.mts

@@ -1,14 +1,14 @@
 import { Command } from "@oclif/core";
-import * as _oclif_core_interfaces0 from "@oclif/core/interfaces";
+import * as _$_oclif_core_interfaces0 from "@oclif/core/interfaces";
 
 //#region src/commands/wsp/unsigned.d.ts
 declare class WspUnsigned extends Command {
   static summary: string;
   static description: string;
   static flags: {
-    input: _oclif_core_interfaces0.OptionFlag<string, _oclif_core_interfaces0.CustomOptions>;
-    "issued-at": _oclif_core_interfaces0.OptionFlag<string | undefined, _oclif_core_interfaces0.CustomOptions>;
-    "expired-at": _oclif_core_interfaces0.OptionFlag<Date | undefined, _oclif_core_interfaces0.CustomOptions>;
+    input: _$_oclif_core_interfaces0.OptionFlag<string, _$_oclif_core_interfaces0.CustomOptions>;
+    "issued-at": _$_oclif_core_interfaces0.OptionFlag<string | undefined, _$_oclif_core_interfaces0.CustomOptions>;
+    "expired-at": _$_oclif_core_interfaces0.OptionFlag<Date | undefined, _$_oclif_core_interfaces0.CustomOptions>;
   };
   static examples: string[];
   run(): Promise<void>;

package/dist/commands/wsp/unsigned.mjs

@@ -1,8 +1,7 @@
-import { t as unsignedWsp } from "../../website-profile-Dhto-mS2.mjs";
-import { t as expirationDate } from "../../flags-CFmMpf5A.mjs";
+import { t as unsignedWsp } from "../../website-profile-B3Q2-h2n.mjs";
+import { t as expirationDate } from "../../flags-BGhMpQzg.mjs";
 import { Command, Flags } from "@oclif/core";
 import fs from "node:fs/promises";
-
 //#region src/commands/wsp/unsigned.ts
 const exampleWebsiteProfile = {
 	"@context": [
@@ -54,6 +53,5 @@ $ <%= config.bin %> <%= command.id %> \\
 		this.logJson(uwsp);
 	}
 };
-
 //#endregion
-export { WspUnsigned };
+export { WspUnsigned };

package/dist/content-attestation-duY49Hxp.mjs

@@ -0,0 +1,129 @@
+import { t as __exportAll } from "./chunk-CfYAbeIz.mjs";
+import { JSDOM } from "jsdom";
+import { parseExpirationDate } from "@originator-profile/core";
+import { UnsignedContentAttestation } from "@originator-profile/model";
+import { fetchAndSetDigestSri, fetchAndSetTargetIntegrity, signCa } from "@originator-profile/sign";
+import { addYears, getUnixTime } from "date-fns";
+import { BadRequestError } from "http-errors-enhanced";
+//#region src/document-provider.ts
+async function documentProvider({ type, content = "" }) {
+	if (type === "ExternalResourceTargetIntegrity") throw new Error("ExternalResourceTargetIntegrity is not supported in this context.");
+	if (Array.isArray(content) && content.length > 1) throw new Error("Multiple contents are not supported in this context.");
+	[content] = [content].flat();
+	let url;
+	let html;
+	if (URL.canParse(content)) {
+		url = content;
+		html = await fetch(url).then((res) => res.text());
+	} else {
+		url = void 0;
+		html = content;
+	}
+	return new JSDOM(html, { url }).window.document;
+}
+//#endregion
+//#region src/content-attestation.ts
+var content_attestation_exports = /* @__PURE__ */ __exportAll({
+	sign: () => sign,
+	signByServer: () => signByServer,
+	unsignedCa: () => unsignedCa
+});
+function assertValidDate(value, fieldName) {
+	if (Number.isNaN(value.getTime())) throw new BadRequestError(`${fieldName} must be a valid date.`);
+}
+function parseDates({ issuedAt: issuedAtDateOrString = /* @__PURE__ */ new Date(), expiredAt: expiredAtDateOrString = addYears(/* @__PURE__ */ new Date(), 1) }) {
+	const issuedAt = new Date(issuedAtDateOrString);
+	const expiredAt = typeof expiredAtDateOrString === "string" ? parseExpirationDate(expiredAtDateOrString) : new Date(expiredAtDateOrString);
+	assertValidDate(issuedAt, "issuedAt");
+	assertValidDate(expiredAt, "expiredAt");
+	return {
+		issuedAt,
+		expiredAt
+	};
+}
+/**
+* 未署名 Content Attestation の取得
+* @param uca 未署名 Content Attestation オブジェクト
+* @throws {BadRequestError} 入力が UnsignedContentAttestation スキーマに適合しない場合/検証対象のコンテンツが存在しない/コンテンツにアクセスできない/Integrityの計算に失敗
+* @return 未署名 Content Attestation オブジェクト
+*/
+async function unsignedCa(uca, { integrityAlg = "sha256", documentProvider: documentProvider$1 = documentProvider, ...timingOptions }) {
+	const { issuedAt, expiredAt } = parseDates(timingOptions);
+	uca.credentialSubject.id ??= `urn:uuid:${crypto.randomUUID()}`;
+	try {
+		UnsignedContentAttestation.parse(uca);
+		await Promise.all([fetchAndSetDigestSri(integrityAlg, uca.credentialSubject.image), fetchAndSetTargetIntegrity(integrityAlg, uca, documentProvider$1)]);
+	} catch (e) {
+		throw new BadRequestError(e.message);
+	}
+	return {
+		...uca,
+		iss: uca.issuer,
+		sub: uca.credentialSubject.id,
+		iat: getUnixTime(issuedAt),
+		exp: getUnixTime(expiredAt)
+	};
+}
+/**
+* Content Attestation への署名
+* @param uca 未署名 Content Attestation オブジェクト
+* @param privateKey プライベート鍵
+* @throws {BadRequestError} 入力が UnsignedContentAttestation スキーマに適合しない場合/検証対象のコンテンツが存在しない/コンテンツにアクセスできない/Integrityの計算に失敗
+* @return Content Attestation
+*/
+async function sign(uca, privateKey, options = {}) {
+	const { issuedAt, expiredAt } = parseDates(options);
+	return await signCa(await unsignedCa(uca, {
+		issuedAt,
+		expiredAt
+	}), privateKey, {
+		issuedAt,
+		expiredAt,
+		documentProvider
+	});
+}
+/**
+* CA server 経由で Content Attestation を作成
+* @param uca 未署名 Content Attestation オブジェクト
+* @param options Content Attestation の生成オプション
+* @param options.endpoint CA server のエンドポイント URL
+* @param options.accessToken CA server 呼び出しに利用する Bearer トークン
+* @return JWT でエンコードされた Content Attestation
+*/
+async function signByServer(uca, { endpoint, accessToken, ...options }) {
+	const { issuedAt, expiredAt } = parseDates(options);
+	const payload = await unsignedCa(uca, {
+		...options,
+		issuedAt,
+		expiredAt
+	});
+	const response = await fetch(endpoint, {
+		method: "POST",
+		headers: {
+			"Content-Type": "application/json",
+			Authorization: `Bearer ${accessToken}`
+		},
+		body: JSON.stringify({
+			...payload,
+			issuedAt: issuedAt.toISOString(),
+			expiredAt: expiredAt.toISOString()
+		})
+	});
+	if (!response.ok) {
+		const responseBody = await response.text();
+		throw new Error(`CA API error: ${response.status} ${response.statusText}: ${responseBody}`);
+	}
+	const responseBody = (await response.text()).trim();
+	if (responseBody === "") throw new Error("CA API returned no JWT.");
+	let result;
+	try {
+		result = JSON.parse(responseBody);
+	} catch {
+		return responseBody;
+	}
+	if (typeof result === "string") return result;
+	if (Array.isArray(result) && typeof result[0] === "string") return result[0];
+	throw new Error("CA API returned no JWT.");
+}
+//#endregion
+export { documentProvider as i, sign as n, unsignedCa as r, content_attestation_exports as t };

package/dist/{flags-CFmMpf5A.mjs → flags-BGhMpQzg.mjs}

@@ -2,7 +2,6 @@ import { parseExpirationDate } from "@originator-profile/core";
 import { Flags } from "@oclif/core";
 import fs from "node:fs/promises";
 import { exportJWK, importPKCS8 } from "jose";
-
 //#region src/flags.ts
 const opId = Flags.custom({
 	summary: "OP ID (ドメイン名)",
@@ -33,6 +32,5 @@ const expirationDate = Flags.custom({
 		return parseExpirationDate(input);
 	}
 });
-
 //#endregion
-export { opId as n, privateKey as r, expirationDate as t };
+export { opId as n, privateKey as r, expirationDate as t };

package/dist/index.d.mts

@@ -1,45 +1,76 @@
 import { Jwk, RawTarget, UnsignedContentAttestation, UnsignedWebsiteProfile } from "@originator-profile/model";
+import { DocumentProvider } from "@originator-profile/sign";
 
 //#region src/document-provider.d.ts
-declare function documentProvider({
+declare function documentProvider$1({
   type,
   content
 }: RawTarget): Promise<Document>;
+//#endregion
+//#region ../../node_modules/.pnpm/websri@1.0.1/node_modules/websri/dist/index.d.ts
+/**
+ * Represents the available hash algorithms used for Subresource Integrity.
+ * @see {@link https://www.w3.org/TR/CSP2/#hash_algo}
+ */
+type HashAlgorithm = "sha256" | "sha384" | "sha512";
+/**
+ * A constant object defining the supported hash algorithms and their corresponding string
+ * representations for cryptographic operations. These algorithms are referenced by name when
+ * working with hashing functions in Web Crypto APIs.
+ */
 declare namespace content_attestation_d_exports {
-  export { sign, unsignedCa };
+  export { sign, signByServer, unsignedCa };
 }
+type ContentAttestationTimingOptions = {
+  issuedAt?: Date | string;
+  expiredAt?: Date | string;
+};
+type UnsignedCaOptions = ContentAttestationTimingOptions & {
+  integrityAlg?: HashAlgorithm;
+  documentProvider?: DocumentProvider;
+};
+/**
+ * 未署名 Content Attestation の取得
+ * @param uca 未署名 Content Attestation オブジェクト
+ * @throws {BadRequestError} 入力が UnsignedContentAttestation スキーマに適合しない場合/検証対象のコンテンツが存在しない/コンテンツにアクセスできない/Integrityの計算に失敗
+ * @return 未署名 Content Attestation オブジェクト
+ */
+declare function unsignedCa(uca: UnsignedContentAttestation, {
+  integrityAlg,
+  documentProvider,
+  ...timingOptions
+}: UnsignedCaOptions): Promise<UnsignedContentAttestation>;
 /**
  * Content Attestation への署名
  * @param uca 未署名 Content Attestation オブジェクト
  * @param privateKey プライベート鍵
+ * @throws {BadRequestError} 入力が UnsignedContentAttestation スキーマに適合しない場合/検証対象のコンテンツが存在しない/コンテンツにアクセスできない/Integrityの計算に失敗
  * @return Content Attestation
  */
-declare function sign(uca: UnsignedContentAttestation, privateKey: Jwk, {
-  issuedAt: issuedAtDateOrString,
-  expiredAt: expiredAtDateOrString
-}: {
-  issuedAt?: Date | string;
-  expiredAt?: Date | string;
-}): Promise<string>;
+declare function sign(uca: UnsignedContentAttestation, privateKey: Jwk, options?: ContentAttestationTimingOptions): Promise<string>;
 /**
- * 未署名 Content Attestation の取得
+ * CA server 経由で Content Attestation を作成
  * @param uca 未署名 Content Attestation オブジェクト
- * @throws {BadRequestError} 検証対象のコンテンツが存在しない/コンテンツにアクセスできない/Integrityの計算に失敗
- * @return 未署名 Content Attestation オブジェクト
+ * @param options Content Attestation の生成オプション
+ * @param options.endpoint CA server のエンドポイント URL
+ * @param options.accessToken CA server 呼び出しに利用する Bearer トークン
+ * @return JWT でエンコードされた Content Attestation
  */
-declare function unsignedCa(uca: UnsignedContentAttestation, {
-  issuedAt: issuedAtDateOrString,
-  expiredAt: expiredAtDateOrString
-}: {
-  issuedAt?: Date | string;
-  expiredAt?: Date | string;
-}): Promise<UnsignedContentAttestation>;
+declare function signByServer(uca: UnsignedContentAttestation, {
+  endpoint,
+  accessToken,
+  ...options
+}: UnsignedCaOptions & {
+  endpoint: string;
+  accessToken: string;
+}): Promise<string>;
 declare namespace website_profile_d_exports {
   export { unsignedWsp };
 }
 /**
  * 未署名 Website Profile の取得
  * @param uwsp 未署名 Website Profile オブジェクト
+ * @throws {Error} 入力が UnsignedWebsiteProfile スキーマに適合しない場合
  * @return 未署名 Website Profile オブジェクト
  */
 declare function unsignedWsp(uwsp: UnsignedWebsiteProfile, {
@@ -50,4 +81,4 @@ declare function unsignedWsp(uwsp: UnsignedWebsiteProfile, {
   expiredAt?: Date | string;
 }): Promise<UnsignedWebsiteProfile>;
 //#endregion
-export { content_attestation_d_exports as ContentAttestation, website_profile_d_exports as WebsiteProfile, documentProvider };
+export { content_attestation_d_exports as ContentAttestation, website_profile_d_exports as WebsiteProfile, documentProvider$1 as documentProvider };

package/dist/index.mjs

@@ -1,4 +1,3 @@
-import { i as documentProvider, t as content_attestation_exports } from "./content-attestation-rNiF6uH4.mjs";
-import { n as website_profile_exports } from "./website-profile-Dhto-mS2.mjs";
-
-export { content_attestation_exports as ContentAttestation, website_profile_exports as WebsiteProfile, documentProvider };
+import { i as documentProvider, t as content_attestation_exports } from "./content-attestation-duY49Hxp.mjs";
+import { n as website_profile_exports } from "./website-profile-B3Q2-h2n.mjs";
+export { content_attestation_exports as ContentAttestation, website_profile_exports as WebsiteProfile, documentProvider };

package/dist/{website-profile-Dhto-mS2.mjs → website-profile-B3Q2-h2n.mjs}

@@ -1,16 +1,18 @@
-import { t as __export } from "./chunk-DJTHdtxa.mjs";
+import { t as __exportAll } from "./chunk-CfYAbeIz.mjs";
 import { parseExpirationDate } from "@originator-profile/core";
+import { UnsignedWebsiteProfile } from "@originator-profile/model";
 import { fetchAndSetDigestSri } from "@originator-profile/sign";
 import { addYears, getUnixTime } from "date-fns";
-
 //#region src/website-profile.ts
-var website_profile_exports = /* @__PURE__ */ __export({ unsignedWsp: () => unsignedWsp });
+var website_profile_exports = /* @__PURE__ */ __exportAll({ unsignedWsp: () => unsignedWsp });
 /**
 * 未署名 Website Profile の取得
 * @param uwsp 未署名 Website Profile オブジェクト
+* @throws {Error} 入力が UnsignedWebsiteProfile スキーマに適合しない場合
 * @return 未署名 Website Profile オブジェクト
 */
 async function unsignedWsp(uwsp, { issuedAt: issuedAtDateOrString = /* @__PURE__ */ new Date(), expiredAt: expiredAtDateOrString = addYears(/* @__PURE__ */ new Date(), 1) }) {
+	UnsignedWebsiteProfile.parse(uwsp);
 	const issuedAt = new Date(issuedAtDateOrString);
 	const expiredAt = typeof expiredAtDateOrString === "string" ? parseExpirationDate(expiredAtDateOrString) : expiredAtDateOrString;
 	await fetchAndSetDigestSri("sha256", uwsp.credentialSubject.image);
@@ -22,6 +24,5 @@ async function unsignedWsp(uwsp, { issuedAt: issuedAtDateOrString = /* @__PURE__
 		...uwsp
 	};
 }
-
 //#endregion
-export { website_profile_exports as n, unsignedWsp as t };
+export { website_profile_exports as n, unsignedWsp as t };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@originator-profile/opvc",
-  "version": "0.5.0-beta.2",
+  "version": "0.5.0",
   "license": "Apache-2.0",
   "homepage": "https://docs.originator-profile.org",
   "repository": {
@@ -33,27 +33,27 @@
     ]
   },
   "dependencies": {
-    "@oclif/core": "^4.4.0",
-    "@oclif/plugin-help": "^6.2.29",
+    "@oclif/core": "^4.10.3",
+    "@oclif/plugin-help": "^6.2.41",
     "date-fns": "^4.1.0",
-    "http-errors-enhanced": "^4.0.0",
-    "jose": "^6.0.11",
-    "jsdom": "^27.0.0",
-    "@originator-profile/core": "0.5.0-beta.2",
-    "@originator-profile/securing-mechanism": "0.5.0-beta.2",
-    "@originator-profile/cryptography": "0.5.0-beta.2",
-    "@originator-profile/sign": "0.5.0-beta.2",
-    "@originator-profile/model": "0.5.0-beta.2"
+    "http-errors-enhanced": "^4.0.2",
+    "jose": "^6.2.2",
+    "jsdom": "^29.0.1",
+    "@originator-profile/core": "0.5.0",
+    "@originator-profile/model": "0.5.0",
+    "@originator-profile/securing-mechanism": "0.5.0",
+    "@originator-profile/sign": "0.5.0",
+    "@originator-profile/cryptography": "0.5.0"
   },
   "devDependencies": {
-    "@types/node": "^24.3.1",
-    "eslint": "^9.25.1",
-    "oclif": "^4.20.1",
-    "tsdown": "^0.16.7",
-    "typescript": "^5.8.3",
+    "@types/node": "^25.5.0",
+    "eslint": "^10.1.0",
+    "oclif": "^4.22.96",
+    "tsdown": "^0.21.7",
+    "typescript": "^6.0.2",
     "websri": "^1.0.1",
-    "eslint-config-originator-profile": "0.5.0-beta.2",
-    "@originator-profile/tsconfig": "0.5.0-beta.2"
+    "eslint-config-originator-profile": "0.5.0",
+    "@originator-profile/tsconfig": "0.5.0"
   },
   "scripts": {
     "build": "tsdown && oclif manifest && oclif readme",

package/dist/chunk-DJTHdtxa.mjs

@@ -1,18 +0,0 @@
-//#region rolldown:runtime
-var __defProp = Object.defineProperty;
-var __export = (all, symbols) => {
-	let target = {};
-	for (var name in all) {
-		__defProp(target, name, {
-			get: all[name],
-			enumerable: true
-		});
-	}
-	if (symbols) {
-		__defProp(target, Symbol.toStringTag, { value: "Module" });
-	}
-	return target;
-};
-
-//#endregion
-export { __export as t };

package/dist/content-attestation-rNiF6uH4.mjs

@@ -1,73 +0,0 @@
-import { t as __export } from "./chunk-DJTHdtxa.mjs";
-import { JSDOM } from "jsdom";
-import { parseExpirationDate } from "@originator-profile/core";
-import { fetchAndSetDigestSri, fetchAndSetTargetIntegrity, signCa } from "@originator-profile/sign";
-import { addYears, getUnixTime } from "date-fns";
-import { BadRequestError } from "http-errors-enhanced";
-
-//#region src/document-provider.ts
-async function documentProvider({ type, content = "" }) {
-	if (type === "ExternalResourceTargetIntegrity") throw new Error("ExternalResourceTargetIntegrity is not supported in this context.");
-	if (Array.isArray(content) && content.length > 1) throw new Error("Multiple contents are not supported in this context.");
-	[content] = [content].flat();
-	let url;
-	let html = "";
-	if (URL.canParse(content)) {
-		url = content;
-		html = await fetch(url).then((res) => res.text());
-	} else {
-		url = void 0;
-		html = content;
-	}
-	return new JSDOM(html, { url }).window.document;
-}
-
-//#endregion
-//#region src/content-attestation.ts
-var content_attestation_exports = /* @__PURE__ */ __export({
-	sign: () => sign,
-	unsignedCa: () => unsignedCa
-});
-/**
-* Content Attestation への署名
-* @param uca 未署名 Content Attestation オブジェクト
-* @param privateKey プライベート鍵
-* @return Content Attestation
-*/
-async function sign(uca, privateKey, { issuedAt: issuedAtDateOrString = /* @__PURE__ */ new Date(), expiredAt: expiredAtDateOrString = addYears(/* @__PURE__ */ new Date(), 1) }) {
-	const issuedAt = new Date(issuedAtDateOrString);
-	const expiredAt = typeof expiredAtDateOrString === "string" ? parseExpirationDate(expiredAtDateOrString) : expiredAtDateOrString;
-	uca.credentialSubject.id ??= `urn:uuid:${crypto.randomUUID()}`;
-	return await signCa(uca, privateKey, {
-		issuedAt,
-		expiredAt,
-		documentProvider
-	});
-}
-/**
-* 未署名 Content Attestation の取得
-* @param uca 未署名 Content Attestation オブジェクト
-* @throws {BadRequestError} 検証対象のコンテンツが存在しない/コンテンツにアクセスできない/Integrityの計算に失敗
-* @return 未署名 Content Attestation オブジェクト
-*/
-async function unsignedCa(uca, { issuedAt: issuedAtDateOrString = /* @__PURE__ */ new Date(), expiredAt: expiredAtDateOrString = addYears(/* @__PURE__ */ new Date(), 1) }) {
-	const issuedAt = new Date(issuedAtDateOrString);
-	const expiredAt = typeof expiredAtDateOrString === "string" ? parseExpirationDate(expiredAtDateOrString) : expiredAtDateOrString;
-	uca.credentialSubject.id ??= `urn:uuid:${crypto.randomUUID()}`;
-	try {
-		await fetchAndSetDigestSri("sha256", uca.credentialSubject.image);
-		await fetchAndSetTargetIntegrity("sha256", uca, documentProvider);
-	} catch (e) {
-		throw new BadRequestError(e.message);
-	}
-	return {
-		iss: uca.issuer,
-		sub: uca.credentialSubject.id,
-		iat: getUnixTime(issuedAt),
-		exp: getUnixTime(expiredAt),
-		...uca
-	};
-}
-
-//#endregion
-export { documentProvider as i, sign as n, unsignedCa as r, content_attestation_exports as t };