@pagopa/io-react-native-wallet 2.1.1 → 2.3.0

package/lib/typescript/credentials-catalogue/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/credentials-catalogue/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,CAAC,MAAM,KAAK,CAAC;AAmDzB,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAqB5B,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAatC,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAC/C,OAAO,2BAA2B,CACnC,CAAC"}

package/lib/typescript/index.d.ts

@@ -2,8 +2,10 @@ import type { AuthorizationContext } from "./utils/auth";
 import { fixBase64EncodingOnKey } from "./utils/jwk";
 import "react-native-url-polyfill/auto";
 import * as Credential from "./credential";
+import * as CredentialsCatalogue from "./credentials-catalogue";
 import * as PID from "./pid";
 import * as SdJwt from "./sd-jwt";
+import * as Mdoc from "./mdoc";
 import * as Errors from "./utils/errors";
 import * as WalletInstanceAttestation from "./wallet-instance-attestation";
 import * as Trust from "./trust";
@@ -12,6 +14,6 @@ import * as Logging from "./utils/logging";
 import { AuthorizationDetail, AuthorizationDetails } from "./utils/par";
 import { createCryptoContextFor } from "./utils/crypto";
 import type { IntegrityContext } from "./utils/integrity";
-export { SdJwt, PID, Credential, WalletInstanceAttestation, WalletInstance, Errors, Trust, createCryptoContextFor, AuthorizationDetail, AuthorizationDetails, fixBase64EncodingOnKey, Logging, };
+export { SdJwt, Mdoc, PID, Credential, CredentialsCatalogue, WalletInstanceAttestation, WalletInstance, Errors, Trust, createCryptoContextFor, AuthorizationDetail, AuthorizationDetails, fixBase64EncodingOnKey, Logging, };
 export type { IntegrityContext, AuthorizationContext };
 //# sourceMappingURL=index.d.ts.map

package/lib/typescript/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACzD,OAAO,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,gCAAgC,CAAC;AAExC,OAAO,KAAK,UAAU,MAAM,cAAc,CAAC;AAC3C,OAAO,KAAK,GAAG,MAAM,OAAO,CAAC;AAC7B,OAAO,KAAK,KAAK,MAAM,UAAU,CAAC;AAClC,OAAO,KAAK,MAAM,MAAM,gBAAgB,CAAC;AACzC,OAAO,KAAK,yBAAyB,MAAM,+BAA+B,CAAC;AAC3E,OAAO,KAAK,KAAK,MAAM,SAAS,CAAC;AACjC,OAAO,KAAK,cAAc,MAAM,mBAAmB,CAAC;AACpD,OAAO,KAAK,OAAO,MAAM,iBAAiB,CAAC;AAC3C,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACxE,OAAO,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AACxD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAE1D,OAAO,EACL,KAAK,EACL,GAAG,EACH,UAAU,EACV,yBAAyB,EACzB,cAAc,EACd,MAAM,EACN,KAAK,EACL,sBAAsB,EACtB,mBAAmB,EACnB,oBAAoB,EACpB,sBAAsB,EACtB,OAAO,GACR,CAAC;AAEF,YAAY,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AACzD,OAAO,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAGrD,OAAO,gCAAgC,CAAC;AAExC,OAAO,KAAK,UAAU,MAAM,cAAc,CAAC;AAC3C,OAAO,KAAK,oBAAoB,MAAM,yBAAyB,CAAC;AAChE,OAAO,KAAK,GAAG,MAAM,OAAO,CAAC;AAC7B,OAAO,KAAK,KAAK,MAAM,UAAU,CAAC;AAClC,OAAO,KAAK,IAAI,MAAM,QAAQ,CAAC;AAC/B,OAAO,KAAK,MAAM,MAAM,gBAAgB,CAAC;AACzC,OAAO,KAAK,yBAAyB,MAAM,+BAA+B,CAAC;AAC3E,OAAO,KAAK,KAAK,MAAM,SAAS,CAAC;AACjC,OAAO,KAAK,cAAc,MAAM,mBAAmB,CAAC;AACpD,OAAO,KAAK,OAAO,MAAM,iBAAiB,CAAC;AAC3C,OAAO,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACxE,OAAO,EAAE,sBAAsB,EAAE,MAAM,gBAAgB,CAAC;AACxD,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAE1D,OAAO,EACL,KAAK,EACL,IAAI,EACJ,GAAG,EACH,UAAU,EACV,oBAAoB,EACpB,yBAAyB,EACzB,cAAc,EACd,MAAM,EACN,KAAK,EACL,sBAAsB,EACtB,mBAAmB,EACnB,oBAAoB,EACpB,sBAAsB,EACtB,OAAO,GACR,CAAC;AAEF,YAAY,EAAE,gBAAgB,EAAE,oBAAoB,EAAE,CAAC"}

package/lib/typescript/mdoc/index.d.ts

@@ -1,4 +1,5 @@
 import { CBOR } from "@pagopa/io-react-native-iso18013";
+export * from "./utils";
 export declare const verify: (token: string, x509CertRoot: string) => Promise<{
     issuerSigned: CBOR.IssuerSigned;
 }>;

package/lib/typescript/mdoc/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/mdoc/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAQ,MAAM,kCAAkC,CAAC;AAY9D,eAAO,MAAM,MAAM,UACV,MAAM,gBACC,MAAM;kBACK,KAAK,YAAY;EA6B3C,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/mdoc/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAQ,MAAM,kCAAkC,CAAC;AAW9D,cAAc,SAAS,CAAC;AAExB,eAAO,MAAM,MAAM,UACV,MAAM,gBACC,MAAM;kBACK,KAAK,YAAY;EA6B3C,CAAC"}

package/lib/typescript/mdoc/utils.d.ts

@@ -1,7 +1,57 @@
+import type { VerifyAndParseCredential } from "../credential/issuance";
+import type { Out } from "../utils/misc";
 /**
  * @param namespace The mdoc credential `namespace`
  * @param key The claim attribute key
  * @returns A string consisting of the concatenation of the namespace and the claim key, separated by a colon
  */
 export declare const getParsedCredentialClaimKey: (namespace: string, key: string) => string;
+/**
+ * Extract and validate the `verification` claim from an mdoc parsed credential.
+ *
+ * This method is **synchronous**, so it requires a credential that was already parsed.
+ *
+ * @param parsedCredential The parsed mdoc credential
+ * @returns The verification claim or undefined if it wasn't found
+ */
+export declare const getVerificationFromParsedCredential: (parsedCredential: Out<VerifyAndParseCredential>["parsedCredential"]) => {
+    trust_framework: string;
+    assurance_level: string;
+    evidence: {
+        type: "vouch";
+        time: string | number;
+        attestation: {
+            type: "digital_attestation";
+            reference_number: string;
+            date_of_issuance: string;
+            voucher: {
+                organization: string;
+            };
+        };
+    }[];
+} | undefined;
+/**
+ * Extract and validate the `verification` claim from an MDOC credential.
+ *
+ * This method is **asynchronous**. See {@link getVerificationFromParsedCredential} for the synchronous version.
+ *
+ * @param token The raw MDOC credential
+ * @returns The verification claim or undefined if it wasn't found
+ */
+export declare const getVerification: (token: string) => Promise<{
+    trust_framework: string;
+    assurance_level: string;
+    evidence: {
+        type: "vouch";
+        time: string | number;
+        attestation: {
+            type: "digital_attestation";
+            reference_number: string;
+            date_of_issuance: string;
+            voucher: {
+                organization: string;
+            };
+        };
+    }[];
+} | undefined>;
 //# sourceMappingURL=utils.d.ts.map

package/lib/typescript/mdoc/utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/mdoc/utils.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,cAAe,MAAM,OAAO,MAAM,WACnD,CAAC"}
+{"version":3,"file":"utils.d.ts","sourceRoot":"","sources":["../../../src/mdoc/utils.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,wBAAwB,EAAE,MAAM,wBAAwB,CAAC;AACvE,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,eAAe,CAAC;AAGzC;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,cAAe,MAAM,OAAO,MAAM,WACnD,CAAC;AAExB;;;;;;;GAOG;AACH,eAAO,MAAM,mCAAmC,qBAC5B,IAAI,wBAAwB,CAAC,CAAC,kBAAkB,CAAC;;;;;;;;;;;;;;;aAQpE,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,eAAe,UAAiB,MAAM;;;;;;;;;;;;;;;cAQlD,CAAC"}

package/lib/typescript/utils/nestedProperty.d.ts

@@ -16,8 +16,9 @@ type NodeOrStructure = Partial<PropertyNode<any>> | Record<string, any> | any[];
  * @param path - The path segments to follow.
  * @param sourceValue - The raw value to place at the end of the path.
  * @param displayData - The data for generating localized names.
+ * @param skipMissingLeaves - If true, skips optional keys when mapping over arrays.
  * @returns The new object or array structure.
  */
-export declare const createNestedProperty: (currentObject: NodeOrStructure, path: Path, sourceValue: unknown, displayData: DisplayData) => NodeOrStructure;
+export declare const createNestedProperty: (currentObject: NodeOrStructure, path: Path, sourceValue: unknown, displayData: DisplayData, skipMissingLeaves?: boolean) => NodeOrStructure;
 export {};
 //# sourceMappingURL=nestedProperty.d.ts.map

package/lib/typescript/utils/nestedProperty.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"nestedProperty.d.ts","sourceRoot":"","sources":["../../../src/utils/nestedProperty.ts"],"names":[],"mappings":"AAGA,KAAK,WAAW,GAAG;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,EAAE,CAAC;AAGtD,KAAK,cAAc,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAG7C,KAAK,YAAY,CAAC,CAAC,IAAI;IACrB,KAAK,EAAE,CAAC,CAAC;IACT,IAAI,EAAE,cAAc,CAAC;CACtB,CAAC;AAGF,KAAK,IAAI,GAAG,CAAC,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC;AAGvC,KAAK,eAAe,GAAG,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,CAAC;AA6GhF;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,kBAChB,eAAe,2BAEjB,OAAO,+BAEnB,eA4BF,CAAC"}
+{"version":3,"file":"nestedProperty.d.ts","sourceRoot":"","sources":["../../../src/utils/nestedProperty.ts"],"names":[],"mappings":"AAGA,KAAK,WAAW,GAAG;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,EAAE,CAAC;AAGtD,KAAK,cAAc,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAG7C,KAAK,YAAY,CAAC,CAAC,IAAI;IACrB,KAAK,EAAE,CAAC,CAAC;IACT,IAAI,EAAE,cAAc,CAAC;CACtB,CAAC;AAGF,KAAK,IAAI,GAAG,CAAC,MAAM,GAAG,MAAM,GAAG,IAAI,CAAC,EAAE,CAAC;AAGvC,KAAK,eAAe,GAAG,OAAO,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GAAG,GAAG,EAAE,CAAC;AAkIhF;;;;;;;;;GASG;AACH,eAAO,MAAM,oBAAoB,kBAChB,eAAe,2BAEjB,OAAO,gDAED,OAAO,KACzB,eA6BF,CAAC"}

package/lib/typescript/utils/zod.d.ts

@@ -0,0 +1,15 @@
+/**
+ * @see https://github.com/JacobWeisenburger/zod_utilz/blob/main/src/stringToJSON.ts
+ */
+import { z } from "zod";
+declare const literalSchema: z.ZodUnion<[z.ZodString, z.ZodNumber, z.ZodBoolean, z.ZodNull]>;
+type Literal = z.infer<typeof literalSchema>;
+type Json = Literal | {
+    [key: string]: Json;
+} | Json[];
+export declare const json: () => z.ZodType<Json, z.ZodTypeDef, Json>;
+export declare const stringToJSONSchema: z.ZodEffects<z.ZodString, string | number | boolean | {
+    [key: string]: Json;
+} | Json[] | null, string>;
+export {};
+//# sourceMappingURL=zod.d.ts.map

package/lib/typescript/utils/zod.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"zod.d.ts","sourceRoot":"","sources":["../../../src/utils/zod.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,QAAA,MAAM,aAAa,iEAA2D,CAAC;AAE/E,KAAK,OAAO,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,aAAa,CAAC,CAAC;AAE7C,KAAK,IAAI,GAAG,OAAO,GAAG;IAAE,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,GAAG,IAAI,EAAE,CAAC;AAMvD,eAAO,MAAM,IAAI,2CAAmB,CAAC;AAErC,eAAO,MAAM,kBAAkB;;0BAS3B,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pagopa/io-react-native-wallet",
-  "version": "2.1.1",
+  "version": "2.3.0",
   "description": "Provide data structures, helpers and API for IO Wallet",
   "main": "lib/commonjs/index",
   "module": "lib/module/index",
@@ -64,6 +64,7 @@
     "@types/react": "^19.0.0",
     "@types/react-native": "0.70.0",
     "@types/url-parse": "^1.4.11",
+    "auto-changelog": "^2.5.0",
     "del-cli": "^5.0.0",
     "eslint": "^8.4.1",
     "eslint-plugin-prettier": "^5.2.3",
@@ -73,12 +74,13 @@
     "react": "19.0.0",
     "react-native": "0.78.3",
     "react-native-builder-bob": "^0.20.0",
+    "release-it": "^15.0.0",
     "typed-openapi": "^0.4.1",
     "typescript": "5.0.4"
   },
   "peerDependencies": {
-    "@pagopa/io-react-native-iso18013": "*",
     "@pagopa/io-react-native-crypto": "*",
+    "@pagopa/io-react-native-iso18013": "*",
     "@pagopa/io-react-native-jwt": "*",
     "react": "*",
     "react-native": "*"
@@ -87,6 +89,23 @@
     "node": ">= 16.0.0"
   },
   "packageManager": "yarn@1.22.19",
+  "release-it": {
+    "git": {
+      "commitMessage": "chore: release version ${version}",
+      "tagName": "v${version}",
+      "changelog": "yarn auto-changelog --stdout --commit-limit false -u --template https://raw.githubusercontent.com/release-it/release-it/master/templates/changelog-compact.hbs"
+    },
+    "hooks": {
+      "after:bump": "yarn auto-changelog -p && git add ."
+    },
+    "npm": {
+      "publish": false
+    },
+    "github": {
+      "release": true
+    },
+    "plugins": {}
+  },
   "jest": {
     "preset": "react-native",
     "modulePathIgnorePatterns": [

package/src/credential/index.ts

@@ -2,5 +2,6 @@ import * as Issuance from "./issuance";
 import * as Presentation from "./presentation";
 import * as Status from "./status";
 import * as Trustmark from "./trustmark";
+import * as Offer from "./offer";
 
-export { Issuance, Presentation, Status, Trustmark };
+export { Issuance, Presentation, Status, Trustmark, Offer };

package/src/credential/issuance/01-start-flow.ts

@@ -1,7 +1,7 @@
 /**
  * WARNING: This is the first function to be called in the issuing flow. The next function to be called is {@link evaluateIssuerTrust}.
  * The beginning of the issuing flow.
- * To be implemented accordind to the user touchpoint
+ * To be implemented according to the user touchpoint
  *
  * @returns The configuration ID of the Credential to be issued and the url of the Issuer
  */

package/src/credential/issuance/07-verify-and-parse-credential.ts

@@ -9,7 +9,7 @@ import type { ObtainCredential } from "./06-obtain-credential";
 import { verify as verifyMdoc } from "../../mdoc";
 import { MDOC_DEFAULT_NAMESPACE } from "../../mdoc/const";
 import { getParsedCredentialClaimKey } from "../../mdoc/utils";
-import { LogLevel, Logger } from "../../utils/logging";
+import { Logger, LogLevel } from "../../utils/logging";
 import { extractElementValueAsDate } from "../../mdoc/converter";
 import type { CBOR } from "@pagopa/io-react-native-iso18013";
 import type { PublicKey } from "@pagopa/io-react-native-crypto";
@@ -85,36 +85,69 @@ const parseCredentialSdJwt = (
 
   const attrDefinitions = credentialConfig.claims;
 
-  // Validate that all attributes from the config exist in the disclosures
-  const attrsNotInDisclosures = attrDefinitions.filter(
-    (definition) => !disclosures.some(([, name]) => name === definition.path[0])
-  );
+  // Validate that all attributes from the config exist in either disclosures OR payload
+  if (!ignoreMissingAttributes) {
+    const disclosedKeys = new Set(disclosures.map(([, name]) => name));
+    const payloadKeys = new Set(Object.keys(sdJwt.payload ?? {}));
 
-  if (attrsNotInDisclosures.length > 0 && !ignoreMissingAttributes) {
-    const missing = attrsNotInDisclosures.map((_) => _.path[0]).join(", ");
-    const received = disclosures.map((_) => _[1]).join(", ");
-    const message = `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`;
-    Logger.log(LogLevel.ERROR, message);
-    throw new IoWalletError(message);
+    const definedTopLevelKeys = new Set(
+      attrDefinitions.map((def) => def.path[0] as string)
+    );
+
+    const missingKeys = [...definedTopLevelKeys].filter(
+      (key) => !disclosedKeys.has(key) && !payloadKeys.has(key)
+    );
+
+    if (missingKeys.length > 0) {
+      throw new IoWalletError(
+        `Some attributes are missing in the credential. Missing: [${missingKeys.join(", ")}]`
+      );
+    }
   }
 
   const definedValues: ParsedCredential = {};
 
-  for (const { path, display } of attrDefinitions) {
-    const attrKey = path[0];
-    const disclosureValue = disclosures.find(
-      ([, name]) => name === attrKey
-    )?.[2];
-
-    if (disclosureValue !== undefined) {
-      const enriched = createNestedProperty(
-        definedValues,
-        path,
-        disclosureValue,
-        display
-      );
-      Object.assign(definedValues, enriched);
+  // Group all schema definitions by their top-level key
+  const groupedDefinitions = attrDefinitions.reduce(
+    (acc, def) => {
+      const key = def.path[0] as string;
+      const group = acc[key];
+      if (group) {
+        group.push(def);
+      } else {
+        acc[key] = [def];
+      }
+      return acc;
+    },
+    {} as Record<string, typeof attrDefinitions>
+  );
+
+  // Loop through each group
+  for (const topLevelKey in groupedDefinitions) {
+    const definitionsForThisKey = groupedDefinitions[topLevelKey];
+
+    if (!definitionsForThisKey) {
+      continue;
     }
+
+    const disclosureForThisKey = disclosures.find(
+      ([, name]) => name === topLevelKey
+    );
+
+    if (!disclosureForThisKey) {
+      continue;
+    }
+
+    const disclosureValue = disclosureForThisKey[2];
+
+    const tempObjectForGroup = definitionsForThisKey.reduce(
+      (acc, { path, display }) =>
+        createNestedProperty(acc, path, disclosureValue, display),
+      {}
+    );
+
+    // Merge the fully constructed object into the final result
+    Object.assign(definedValues, tempObjectForGroup);
   }
 
   if (includeUndefinedAttributes) {
@@ -134,6 +167,7 @@ const parseCredentialSdJwt = (
 
   return definedValues;
 };
+
 const parseCredentialMDoc = (
   // the list of supported credentials, as defined in the issuer configuration
   credentialConfig: CredentialConf,
@@ -294,7 +328,7 @@ async function verifyCredentialSdJwt(
  * and it's bound to the given key
  *
  * @param rawCredential The received credential
- * @param issuerKeys The set of public keys of the issuer,
+ * @param x509CertRoot The root certificate of the issuer,
  * which will be used to verify the signature
  * @param holderBindingContext The access to the holder's key
  *

package/src/credential/offer/01-start-flow.ts

@@ -0,0 +1,89 @@
+import * as z from "zod";
+import { Logger, LogLevel } from "../../utils/logging";
+import { stringToJSONSchema } from "../../utils/zod";
+import { InvalidQRCodeError } from "./errors";
+import { CredentialOfferSchema } from "./types";
+
+const CREDENTIAL_OFFER_SCHEMES = ["openid-credential-offer://", "haip://"];
+const CREDENTIAL_OFFER_PARAM = "credential_offer";
+const CREDENTIAL_OFFER_URI_PARAM = "credential_offer_uri";
+
+const CredentialOfferParams = z.union([
+  z.object({
+    credential_offer: stringToJSONSchema.pipe(CredentialOfferSchema),
+    credential_offer_uri: z.undefined(),
+  }),
+  z.object({
+    credential_offer: z.undefined(),
+    credential_offer_uri: z.string().url(),
+  }),
+]);
+type CredentialOfferParams = z.infer<typeof CredentialOfferParams>;
+
+/**
+ * The beginning of the credential offer flow.
+ * To be implemented according to the user touchpoint
+ *
+ * @param params Credential offer encoded url
+ * @returns Object containing the credential offer by reference or by value
+ */
+export type StartFlow = (encodedUrl: string) => CredentialOfferParams;
+
+/**
+ * Start a credential offer flow by validating and parse an encoded url
+ * extracted from a QR code or a deep link.
+ *
+ * @param params The encoded url to be validated and parsed
+ * @returns Object containing the credential offer by reference or by value
+ * @throws If the provided encoded url is not valid
+ */
+export const startFlowFromQR: StartFlow = (encodedUrl) => {
+  const hasValidScheme = CREDENTIAL_OFFER_SCHEMES.some((prefix) =>
+    encodedUrl.startsWith(prefix)
+  );
+
+  if (!hasValidScheme) {
+    throw new InvalidQRCodeError("Url must have one of the supported schemes");
+  }
+
+  const url = new URL(encodedUrl);
+  const offerParam = url.searchParams.get(CREDENTIAL_OFFER_PARAM);
+  const offerUriParam = url.searchParams.get(CREDENTIAL_OFFER_URI_PARAM);
+
+  if (offerParam) {
+    const decoded = decodeURIComponent(offerParam);
+    const result = CredentialOfferParams.safeParse({
+      credential_offer: decoded,
+    });
+
+    if (result.success) {
+      return result.data;
+    }
+
+    Logger.log(
+      LogLevel.ERROR,
+      `Invalid credential offer object found in QR Code: ${result.error.message}`
+    );
+    throw new InvalidQRCodeError(result.error.message);
+  }
+
+  if (offerUriParam) {
+    const decoded = decodeURIComponent(offerUriParam);
+    const result = CredentialOfferParams.safeParse({
+      credential_offer_uri: decoded,
+    });
+
+    if (result.success) {
+      return result.data;
+    }
+
+    Logger.log(
+      LogLevel.ERROR,
+      `Invalid credential offer URI found in QR Code: ${result.error.message}`
+    );
+    throw new InvalidQRCodeError(result.error.message);
+  }
+
+  Logger.log(LogLevel.ERROR, `Invalid credential offer QR Code:`);
+  throw new InvalidQRCodeError("QR Code does not contain valid params");
+};

package/src/credential/offer/02-fetch-credential-offer.ts

@@ -0,0 +1,54 @@
+import { IssuerResponseError } from "../../utils/errors";
+import { Logger, LogLevel } from "../../utils/logging";
+import { hasStatusOrThrow } from "../../utils/misc";
+import { InvalidCredentialOfferError } from "./errors";
+import type { CredentialOffer } from "./types";
+import { CredentialOfferSchema } from "./types";
+
+export type GetCredentialOffer = (
+  credentialOfferUri: string,
+  context: {
+    appFetch?: GlobalFetch["fetch"];
+  }
+) => Promise<CredentialOffer>;
+
+/**
+ * Fetches and validates a credential offer from a given URI.
+ *
+ * This function performs an HTTP GET request to the specified `credentialOfferUri`,
+ * expecting a JSON response that matches the `CredentialOfferSchema`. If the response
+ * is invalid or does not conform to the schema, an error is logged and an
+ * `InvalidCredentialOfferError` is thrown.
+ *
+ * @param credentialOfferUri - The URI from which to fetch the credential offer.
+ * @param context - Optional context object that may provide a custom `appFetch` implementation.
+ * @returns The validated credential offer data.
+ * @throws {IssuerResponseError} If the HTTP response status is not 200.
+ * @throws {InvalidCredentialOfferError} If the response does not match the expected schema.
+ */
+export const fetchCredentialOffer: GetCredentialOffer = async (
+  uri: string,
+  context = {}
+) => {
+  const { appFetch = fetch } = context;
+
+  const response = await appFetch(uri, {
+    method: "GET",
+    headers: { Accept: "application/json" },
+  })
+    .then(hasStatusOrThrow(200, IssuerResponseError))
+    .then((reqUri) => reqUri.json());
+
+  const credentialOffer = CredentialOfferSchema.safeParse(response);
+  if (!credentialOffer.success) {
+    Logger.log(
+      LogLevel.ERROR,
+      `Invalid credential offer fetched from URI: ${uri} - ${credentialOffer.error.message}`
+    );
+    throw new InvalidCredentialOfferError(
+      `Invalid credential offer fetched from URI: ${uri} - ${credentialOffer.error.message}`
+    );
+  }
+
+  return credentialOffer.data;
+};

package/src/credential/offer/README.md

@@ -0,0 +1,174 @@
+# Credential Offer
+
+This flow handles the initial step of credential issuance by processing Credential Offers from Credential Issuers. The Credential Offer contains information about what credentials are available and how they can be obtained. Each step in the flow is imported from the related file which is named with a sequential number.
+
+A Credential Offer can be received by the Wallet in two ways: **by value** (complete offer embedded in the URL) or **by reference** (URL pointing to the offer endpoint). The offer specifies which credentials are available and what authorization flows are supported by the issuer.
+
+The implementation follows the [OpenID for Verifiable Credential Issuance 1.0](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#name-credential-offer-endpoint) specification and supports both Authorization Code flow and Pre-Authorized Code flow.
+
+## Sequence Diagram
+
+```mermaid
+sequenceDiagram
+  autonumber
+  participant U as User
+  participant W as Wallet
+  participant CI as Credential Issuer
+
+  CI->>U: QR Code / Deep Link with Credential Offer
+  U->>W: Scan QR / Click Link
+  W->>W: startFlowFromQR: Parse offer parameters
+  alt Credential Offer by Reference
+    W->>CI: fetchCredentialOffer: Fetch offer from URI
+    CI->>W: Return Credential Offer JSON
+  end
+  W->>W: Validate Credential Offer schema
+  W->>W: Determine available grant types
+  Note over W: Flow continues with credential issuance
+```
+
+## Grant Types
+
+The Credential Offer supports two OAuth 2.0 grant types that determine how authorization is handled:
+
+### Authorization Code Flow
+
+Used for interactive flows where user authentication and consent are required at the Authorization Server.
+
+- **`issuer_state`** (optional): Binds the authorization request to a specific issuer context
+- **`authorization_server`** (optional): Identifies which authorization server to use when multiple are available
+
+### Pre-Authorized Code Flow
+
+Used when the user has already been authenticated and authorized out-of-band. The issuer provides a pre-authorized code that can be exchanged directly for credentials.
+
+- **`pre-authorized_code`**: Short-lived single-use authorization code
+- **`tx_code`** (optional): Additional transaction code requirements for security
+- **`authorization_server`** (optional): Identifies which authorization server to use
+
+## Transaction Code Requirements
+
+When a transaction code is required for Pre-Authorized Code flow, the following parameters control the user experience:
+
+| Parameter     | Type                    | Description                                          |
+| ------------- | ----------------------- | ---------------------------------------------------- |
+| `input_mode`  | `"numeric"` \| `"text"` | Character set for the code (default: `"numeric"`)    |
+| `length`      | number                  | Expected code length to optimize input UI            |
+| `description` | string                  | User guidance (max 300 chars) for obtaining the code |
+
+## Credential Offer Transmission
+
+### By Value
+
+The complete Credential Offer is embedded in the URL parameter:
+
+```
+openid-credential-offer://?credential_offer=%7B%22credential_issuer%22...
+```
+
+### By Reference
+
+A URL points to an endpoint serving the Credential Offer:
+
+```
+openid-credential-offer://?credential_offer_uri=https%3A%2F%2Fserver.example.com%2Foffer
+```
+
+When using by reference, the Wallet fetches the offer via HTTP GET with `Accept: application/json`.
+
+## Mapped Results
+
+The following errors are mapped during credential offer processing:
+
+| Error                         | Description                                                                        |
+| ----------------------------- | ---------------------------------------------------------------------------------- |
+| `InvalidQRCodeError`          | The QR code format is invalid or doesn't contain valid credential offer parameters |
+| `InvalidCredentialOfferError` | The credential offer schema validation failed or contains invalid data             |
+
+## Examples
+
+<details>
+  <summary>Credential Offer processing flow</summary>
+
+```ts
+// Parse QR code or deep link
+const qrCode =
+  "openid-credential-offer://?credential_offer_uri=https%3A%2F%2Fissuer.example.com%2Foffer";
+const { credential_offer_uri } = startFlowFromQR(qrCode);
+
+// Fetch the credential offer if by reference
+const offer = await fetchCredentialOffer(credential_offer_uri, { appFetch });
+
+console.log(offer);
+// {
+//   credential_issuer: "https://issuer.example.com",
+//   credential_configuration_ids: ["UniversityDegree", "DriverLicense"],
+//   grants: {
+//     authorization_code: {
+//       issuer_state: "xyz123"
+//     },
+//     "urn:ietf:params:oauth:grant-type:pre-authorized_code": {
+//       "pre-authorized_code": "SplxlOBeZQQYbYS6WxSbIA",
+//       tx_code: {
+//         length: 6,
+//         input_mode: "numeric",
+//         description: "Enter the code sent to your email"
+//       }
+//     }
+//   }
+// }
+```
+
+</details>
+
+<details>
+  <summary>Pre-Authorized Code with Transaction Code</summary>
+
+```ts
+const offer: CredentialOffer = {
+  credential_issuer: "https://university.example.edu",
+  credential_configuration_ids: ["DiplomaCredential"],
+  grants: {
+    "urn:ietf:params:oauth:grant-type:pre-authorized_code": {
+      "pre-authorized_code": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9",
+      tx_code: {
+        length: 4,
+        input_mode: "numeric",
+        description: "Check your email for the verification code",
+      },
+    },
+  },
+};
+
+// The user would need to:
+// 1. Check their email for a 4-digit numeric code
+// 2. Enter it in the wallet when prompted
+// 3. The wallet uses both pre-authorized_code and tx_code in the token request
+```
+
+</details>
+
+<details>
+  <summary>Authorization Code Flow</summary>
+
+```ts
+const offer: CredentialOffer = {
+  credential_issuer: "https://dmv.example.gov",
+  credential_configuration_ids: ["org.iso.18013.5.1.mDL"],
+  grants: {
+    authorization_code: {
+      issuer_state: "af0ifjsldkj",
+      authorization_server: "https://auth.dmv.example.gov",
+    },
+  },
+};
+
+// This would lead to:
+// 1. User authentication at the authorization server
+// 2. User consent for credential issuance
+// 3. Authorization code returned to wallet
+// 4. Wallet exchanges code for access token
+// 5. Wallet uses access token to request credential
+```
+
+</details>