@peac/adapter-did 0.12.6

package/LICENSE

@@ -0,0 +1,190 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+   "License" shall mean the terms and conditions for use, reproduction,
+   and distribution as defined by Sections 1 through 9 of this document.
+
+   "Licensor" shall mean the copyright owner or entity authorized by
+   the copyright owner that is granting the License.
+
+   "Legal Entity" shall mean the union of the acting entity and all
+   other entities that control, are controlled by, or are under common
+   control with that entity. For the purposes of this definition,
+   "control" means (i) the power, direct or indirect, to cause the
+   direction or management of such entity, whether by contract or
+   otherwise, or (ii) ownership of fifty percent (50%) or more of the
+   outstanding shares, or (iii) beneficial ownership of such entity.
+
+   "You" (or "Your") shall mean an individual or Legal Entity
+   exercising permissions granted by this License.
+
+   "Source" form shall mean the preferred form for making modifications,
+   including but not limited to software source code, documentation
+   source, and configuration files.
+
+   "Object" form shall mean any form resulting from mechanical
+   transformation or translation of a Source form, including but
+   not limited to compiled object code, generated documentation,
+   and conversions to other media types.
+
+   "Work" shall mean the work of authorship, whether in Source or
+   Object form, made available under the License, as indicated by a
+   copyright notice that is included in or attached to the work
+   (an example is provided in the Appendix below).
+
+   "Derivative Works" shall mean any work, whether in Source or Object
+   form, that is based on (or derived from) the Work and for which the
+   editorial revisions, annotations, elaborations, or other modifications
+   represent, as a whole, an original work of authorship. For the purposes
+   of this License, Derivative Works shall not include works that remain
+   separable from, or merely link (or bind by name) to the interfaces of,
+   the Work and Derivative Works thereof.
+
+   "Contribution" shall mean any work of authorship, including
+   the original version of the Work and any modifications or additions
+   to that Work or Derivative Works thereof, that is intentionally
+   submitted to Licensor for inclusion in the Work by the copyright owner
+   or by an individual or Legal Entity authorized to submit on behalf of
+   the copyright owner. For the purposes of this definition, "submitted"
+   means any form of electronic, verbal, or written communication sent
+   to the Licensor or its representatives, including but not limited to
+   communication on electronic mailing lists, source code control systems,
+   and issue tracking systems that are managed by, or on behalf of, the
+   Licensor for the purpose of discussing and improving the Work, but
+   excluding communication that is conspicuously marked or otherwise
+   designated in writing by the copyright owner as "Not a Contribution."
+
+   "Contributor" shall mean Licensor and any individual or Legal Entity
+   on behalf of whom a Contribution has been received by Licensor and
+   subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   copyright license to reproduce, prepare Derivative Works of,
+   publicly display, publicly perform, sublicense, and distribute the
+   Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+   this License, each Contributor hereby grants to You a perpetual,
+   worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+   (except as stated in this section) patent license to make, have made,
+   use, offer to sell, sell, import, and otherwise transfer the Work,
+   where such license applies only to those patent claims licensable
+   by such Contributor that are necessarily infringed by their
+   Contribution(s) alone or by combination of their Contribution(s)
+   with the Work to which such Contribution(s) was submitted. If You
+   institute patent litigation against any entity (including a
+   cross-claim or counterclaim in a lawsuit) alleging that the Work
+   or a Contribution incorporated within the Work constitutes direct
+   or contributory patent infringement, then any patent licenses
+   granted to You under this License for that Work shall terminate
+   as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+   Work or Derivative Works thereof in any medium, with or without
+   modifications, and in Source or Object form, provided that You
+   meet the following conditions:
+
+   (a) You must give any other recipients of the Work or
+       Derivative Works a copy of this License; and
+
+   (b) You must cause any modified files to carry prominent notices
+       stating that You changed the files; and
+
+   (c) You must retain, in the Source form of any Derivative Works
+       that You distribute, all copyright, patent, trademark, and
+       attribution notices from the Source form of the Work,
+       excluding those notices that do not pertain to any part of
+       the Derivative Works; and
+
+   (d) If the Work includes a "NOTICE" text file as part of its
+       distribution, then any Derivative Works that You distribute must
+       include a readable copy of the attribution notices contained
+       within such NOTICE file, excluding those notices that do not
+       pertain to any part of the Derivative Works, in at least one
+       of the following places: within a NOTICE text file distributed
+       as part of the Derivative Works; within the Source form or
+       documentation, if provided along with the Derivative Works; or,
+       within a display generated by the Derivative Works, if and
+       wherever such third-party notices normally appear. The contents
+       of the NOTICE file are for informational purposes only and
+       do not modify the License. You may add Your own attribution
+       notices within Derivative Works that You distribute, alongside
+       or as an addendum to the NOTICE text from the Work, provided
+       that such additional attribution notices cannot be construed
+       as modifying the License.
+
+   You may add Your own copyright statement to Your modifications and
+   may provide additional or different license terms and conditions
+   for use, reproduction, or distribution of Your modifications, or
+   for any such Derivative Works as a whole, provided Your use,
+   reproduction, and distribution of the Work otherwise complies with
+   the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+   any Contribution intentionally submitted for inclusion in the Work
+   by You to the Licensor shall be under the terms and conditions of
+   this License, without any additional terms or conditions.
+   Notwithstanding the above, nothing herein shall supersede or modify
+   the terms of any separate license agreement you may have executed
+   with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+   names, trademarks, service marks, or product names of the Licensor,
+   except as required for reasonable and customary use in describing the
+   origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+   agreed to in writing, Licensor provides the Work (and each
+   Contributor provides its Contributions) on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+   implied, including, without limitation, any warranties or conditions
+   of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+   PARTICULAR PURPOSE. You are solely responsible for determining the
+   appropriateness of using or redistributing the Work and assume any
+   risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+   whether in tort (including negligence), contract, or otherwise,
+   unless required by applicable law (such as deliberate and grossly
+   negligent acts) or agreed to in writing, shall any Contributor be
+   liable to You for damages, including any direct, indirect, special,
+   incidental, or consequential damages of any character arising as a
+   result of this License or out of the use or inability to use the
+   Work (including but not limited to damages for loss of goodwill,
+   work stoppage, computer failure or malfunction, or any and all
+   other commercial damages or losses), even if such Contributor
+   has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+   the Work or Derivative Works thereof, You may choose to offer,
+   and charge a fee for, acceptance of support, warranty, indemnity,
+   or other liability obligations and/or rights consistent with this
+   License. However, in accepting such obligations, You may act only
+   on Your own behalf and on Your sole responsibility, not on behalf
+   of any other Contributor, and only if You agree to indemnify,
+   defend, and hold each Contributor harmless for any liability
+   incurred by, or claims asserted against, such Contributor by reason
+   of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+Copyright 2025-2026 PEAC Protocol Contributors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

package/README.md

@@ -0,0 +1,71 @@
+# @peac/adapter-did
+
+DID document resolution for PEAC receipt verification. Supports did:key with zero network I/O.
+
+## Installation
+
+```bash
+pnpm add @peac/adapter-did
+```
+
+## What It Does
+
+`@peac/adapter-did` is a Layer 4 adapter that resolves W3C Decentralized Identifiers (DIDs) to Ed25519 public keys for use with `verifyLocal()`. It implements the DID Verification Method Selection Policy (DD-202) for deterministic key extraction.
+
+Supports `did:key` (Ed25519, zero network I/O) and `did:web` (caller-provided SSRF-hardened HTTPS fetch). Includes TTL-based caching and composite resolver for multi-method support.
+
+## How Do I Use It?
+
+### Resolve a did:key and extract the public key
+
+```typescript
+import { DidKeyResolver, extractVerificationKey } from '@peac/adapter-did';
+import { verifyLocal } from '@peac/protocol';
+
+const resolver = new DidKeyResolver();
+const result = await resolver.resolve('did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK');
+const publicKey = extractVerificationKey(result.didDocument!);
+
+const verification = await verifyLocal(receiptJws, publicKey!, {
+  strictness: 'strict',
+});
+```
+
+### Use a composite resolver for multiple DID methods
+
+```typescript
+import { createCompositeResolver, DidKeyResolver } from '@peac/adapter-did';
+
+const resolver = createCompositeResolver([
+  new DidKeyResolver(),
+  // add DidWebResolver here when available
+]);
+
+const result = await resolver.resolve('did:key:z6Mk...');
+```
+
+## Integrates With
+
+- `@peac/kernel` (Layer 0): Error codes (E*DID*\*) and types
+- `@peac/schema` (Layer 1): Schema validation
+- `@peac/protocol` (Layer 3): `verifyLocal()` accepts the extracted public key directly
+
+## Supported Key Types
+
+Only Ed25519 keys are extracted. Other key types are silently skipped to prevent key-type oracle attacks. Both multibase encodings from the did:key spec are supported: `z` (base58btc) and `u` (base64url).
+
+## Standards
+
+- W3C DID Core v1.0 (Recommendation 2022): baseline type model
+- did:key (W3C CCG v0.9): method-specific resolution as interoperability adapter
+- did:web (W3C CCG draft): HTTPS resolution as interoperability adapter, not a normative dependency
+
+## License
+
+Apache-2.0
+
+---
+
+PEAC Protocol is an open source project stewarded by Originary and community contributors.
+
+[Docs](https://www.peacprotocol.org) | [GitHub](https://github.com/peacprotocol/peac) | [Originary](https://www.originary.xyz)

package/dist/cache.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Caching resolver wrapper.
+ *
+ * Wraps any DIDResolver with TTL-based in-memory caching.
+ * Cache entries expire after configurable TTL and are evicted
+ * when maxEntries is reached (oldest-first).
+ *
+ * The cache key is the full DID string.
+ */
+import type { DIDResolutionResult } from './types.js';
+import type { DIDResolver } from './resolver.js';
+export interface CachingResolverOptions {
+    /** Time-to-live in milliseconds (default: 300000 = 5 minutes) */
+    ttlMs?: number;
+    /** Maximum number of cached entries (default: 1000) */
+    maxEntries?: number;
+}
+/**
+ * Caching wrapper for any DIDResolver.
+ *
+ * - TTL-based expiry: entries older than ttlMs are evicted on access
+ * - Max entries: oldest entries evicted when capacity is reached
+ * - Only successful resolutions are cached (didDocument !== null)
+ * - Failed resolutions are NOT cached (each attempt is fresh)
+ *
+ * @example
+ * ```typescript
+ * const inner = new DidKeyResolver();
+ * const cached = new CachingResolver(inner, { ttlMs: 60000 });
+ * const result = await cached.resolve('did:key:z6Mk...');
+ * ```
+ */
+export declare class CachingResolver implements DIDResolver {
+    readonly methods: readonly string[];
+    private readonly inner;
+    private readonly ttlMs;
+    private readonly maxEntries;
+    private readonly cache;
+    constructor(inner: DIDResolver, options?: CachingResolverOptions);
+    resolve(did: string): Promise<DIDResolutionResult>;
+    /** Invalidate a specific cached entry */
+    invalidate(did: string): void;
+    /** Clear the entire cache */
+    clear(): void;
+    /** Current number of cached entries */
+    get size(): number;
+}
+//# sourceMappingURL=cache.d.ts.map

package/dist/cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cache.d.ts","sourceRoot":"","sources":["../src/cache.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AACtD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAMjD,MAAM,WAAW,sBAAsB;IACrC,iEAAiE;IACjE,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,uDAAuD;IACvD,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAkBD;;;;;;;;;;;;;;GAcG;AACH,qBAAa,eAAgB,YAAW,WAAW;IACjD,QAAQ,CAAC,OAAO,EAAE,SAAS,MAAM,EAAE,CAAC;IAEpC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAc;IACpC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAS;IAC/B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAiC;gBAE3C,KAAK,EAAE,WAAW,EAAE,OAAO,CAAC,EAAE,sBAAsB;IAO1D,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC;IAoCxD,yCAAyC;IACzC,UAAU,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI;IAI7B,6BAA6B;IAC7B,KAAK,IAAI,IAAI;IAIb,uCAAuC;IACvC,IAAI,IAAI,IAAI,MAAM,CAEjB;CACF"}

package/dist/did-key.d.ts

@@ -0,0 +1,31 @@
+/**
+ * did:key resolver (Ed25519, zero network I/O).
+ *
+ * Implements the did:key method spec (W3C CCG v0.9).
+ * Parses the multicodec-encoded Ed25519 public key directly from
+ * the DID string. No network requests, no ambient discovery.
+ *
+ * Only Ed25519 keys (multicodec 0xed01) are supported.
+ * Non-Ed25519 did:key DIDs produce an error without revealing
+ * the actual key type (no oracle).
+ */
+import type { DIDResolutionResult } from './types.js';
+import type { DIDResolver } from './resolver.js';
+/**
+ * Resolver for the did:key method.
+ *
+ * did:key encodes the public key directly in the DID string.
+ * Resolution is pure computation with zero network I/O.
+ *
+ * @example
+ * ```typescript
+ * const resolver = new DidKeyResolver();
+ * const result = await resolver.resolve('did:key:z6MkhaXgBZDvotDkL...');
+ * const key = extractVerificationKey(result.didDocument!);
+ * ```
+ */
+export declare class DidKeyResolver implements DIDResolver {
+    readonly methods: readonly ["key"];
+    resolve(did: string): Promise<DIDResolutionResult>;
+}
+//# sourceMappingURL=did-key.d.ts.map

package/dist/did-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"did-key.d.ts","sourceRoot":"","sources":["../src/did-key.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AACtD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAQjD;;;;;;;;;;;;GAYG;AACH,qBAAa,cAAe,YAAW,WAAW;IAChD,QAAQ,CAAC,OAAO,mBAAoB;IAE9B,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC;CAoEzD"}

package/dist/did-key.js

@@ -0,0 +1,97 @@
+"use strict";
+/**
+ * did:key resolver (Ed25519, zero network I/O).
+ *
+ * Implements the did:key method spec (W3C CCG v0.9).
+ * Parses the multicodec-encoded Ed25519 public key directly from
+ * the DID string. No network requests, no ambient discovery.
+ *
+ * Only Ed25519 keys (multicodec 0xed01) are supported.
+ * Non-Ed25519 did:key DIDs produce an error without revealing
+ * the actual key type (no oracle).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DidKeyResolver = void 0;
+const multicodec_js_1 = require("./multicodec.js");
+const errors_js_1 = require("./errors.js");
+// ---------------------------------------------------------------------------
+// did:key Resolver
+// ---------------------------------------------------------------------------
+/**
+ * Resolver for the did:key method.
+ *
+ * did:key encodes the public key directly in the DID string.
+ * Resolution is pure computation with zero network I/O.
+ *
+ * @example
+ * ```typescript
+ * const resolver = new DidKeyResolver();
+ * const result = await resolver.resolve('did:key:z6MkhaXgBZDvotDkL...');
+ * const key = extractVerificationKey(result.didDocument!);
+ * ```
+ */
+class DidKeyResolver {
+    methods = ['key'];
+    async resolve(did) {
+        // Validate DID format
+        if (!did.startsWith('did:key:')) {
+            return {
+                didDocument: null,
+                didResolutionMetadata: { error: 'invalidDid' },
+                didDocumentMetadata: {},
+            };
+        }
+        const multibaseValue = did.slice('did:key:'.length);
+        if (!multibaseValue) {
+            return {
+                didDocument: null,
+                didResolutionMetadata: { error: 'invalidDid' },
+                didDocumentMetadata: {},
+            };
+        }
+        // Extract Ed25519 public key (validates multicodec prefix)
+        let publicKeyBytes;
+        try {
+            publicKeyBytes = (0, multicodec_js_1.extractEd25519FromMultibase)(multibaseValue);
+        }
+        catch (e) {
+            if (e instanceof errors_js_1.DIDError) {
+                return {
+                    didDocument: null,
+                    didResolutionMetadata: { error: e.code },
+                    didDocumentMetadata: {},
+                };
+            }
+            return {
+                didDocument: null,
+                didResolutionMetadata: { error: 'invalidDid' },
+                didDocumentMetadata: {},
+            };
+        }
+        // Build DID Document with the extracted key
+        const keyId = `${did}#${multibaseValue}`;
+        const verificationMethod = {
+            id: keyId,
+            type: 'Ed25519VerificationKey2020',
+            controller: did,
+            publicKeyMultibase: multibaseValue,
+        };
+        const document = {
+            '@context': [
+                'https://www.w3.org/ns/did/v1',
+                'https://w3id.org/security/suites/ed25519-2020/v1',
+            ],
+            id: did,
+            verificationMethod: [verificationMethod],
+            authentication: [keyId],
+            assertionMethod: [keyId],
+        };
+        return {
+            didDocument: document,
+            didResolutionMetadata: { contentType: 'application/did+json' },
+            didDocumentMetadata: {},
+        };
+    }
+}
+exports.DidKeyResolver = DidKeyResolver;
+//# sourceMappingURL=did-key.js.map

package/dist/did-key.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"did-key.js","sourceRoot":"","sources":["../src/did-key.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;GAUG;;;AAKH,mDAA8D;AAC9D,2CAAuC;AAEvC,8EAA8E;AAC9E,mBAAmB;AACnB,8EAA8E;AAE9E;;;;;;;;;;;;GAYG;AACH,MAAa,cAAc;IAChB,OAAO,GAAG,CAAC,KAAK,CAAU,CAAC;IAEpC,KAAK,CAAC,OAAO,CAAC,GAAW;QACvB,sBAAsB;QACtB,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAChC,OAAO;gBACL,WAAW,EAAE,IAAI;gBACjB,qBAAqB,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE;gBAC9C,mBAAmB,EAAE,EAAE;aACxB,CAAC;QACJ,CAAC;QAED,MAAM,cAAc,GAAG,GAAG,CAAC,KAAK,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;QACpD,IAAI,CAAC,cAAc,EAAE,CAAC;YACpB,OAAO;gBACL,WAAW,EAAE,IAAI;gBACjB,qBAAqB,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE;gBAC9C,mBAAmB,EAAE,EAAE;aACxB,CAAC;QACJ,CAAC;QAED,2DAA2D;QAC3D,IAAI,cAA0B,CAAC;QAC/B,IAAI,CAAC;YACH,cAAc,GAAG,IAAA,2CAA2B,EAAC,cAAc,CAAC,CAAC;QAC/D,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,IAAI,CAAC,YAAY,oBAAQ,EAAE,CAAC;gBAC1B,OAAO;oBACL,WAAW,EAAE,IAAI;oBACjB,qBAAqB,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC,IAAI,EAAE;oBACxC,mBAAmB,EAAE,EAAE;iBACxB,CAAC;YACJ,CAAC;YACD,OAAO;gBACL,WAAW,EAAE,IAAI;gBACjB,qBAAqB,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE;gBAC9C,mBAAmB,EAAE,EAAE;aACxB,CAAC;QACJ,CAAC;QAED,4CAA4C;QAC5C,MAAM,KAAK,GAAG,GAAG,GAAG,IAAI,cAAc,EAAE,CAAC;QAEzC,MAAM,kBAAkB,GAAuB;YAC7C,EAAE,EAAE,KAAK;YACT,IAAI,EAAE,4BAA4B;YAClC,UAAU,EAAE,GAAG;YACf,kBAAkB,EAAE,cAAc;SACnC,CAAC;QAEF,MAAM,QAAQ,GAAgB;YAC5B,UAAU,EAAE;gBACV,8BAA8B;gBAC9B,kDAAkD;aACnD;YACD,EAAE,EAAE,GAAG;YACP,kBAAkB,EAAE,CAAC,kBAAkB,CAAC;YACxC,cAAc,EAAE,CAAC,KAAK,CAAC;YACvB,eAAe,EAAE,CAAC,KAAK,CAAC;SACzB,CAAC;QAEF,OAAO;YACL,WAAW,EAAE,QAAQ;YACrB,qBAAqB,EAAE,EAAE,WAAW,EAAE,sBAAsB,EAAE;YAC9D,mBAAmB,EAAE,EAAE;SACxB,CAAC;IACJ,CAAC;CACF;AApED,wCAoEC"}

package/dist/did-web.d.ts

@@ -0,0 +1,73 @@
+/**
+ * did:web resolver using a caller-provided SSRF-hardened fetch.
+ *
+ * Implements the did:web method spec (W3C CCG draft).
+ * Resolves did:web DIDs to DID Documents via HTTPS fetch.
+ *
+ * Callers MUST provide a hardened fetch function (e.g., safeFetchJson
+ * from @peac/net-node) that enforces:
+ * - HTTPS only
+ * - No redirects
+ * - Private-IP / DNS-rebinding protections
+ * - Timeout
+ * - Response size limit
+ *
+ * This resolver adds:
+ * - did:web authority/path validation (no userinfo, no query/fragment,
+ *   no empty segments, no IP literals)
+ * - Content-type enforcement (application/did+json or application/json)
+ * - Exact DID Document id match (DD-203)
+ * - Domain allowlist (optional)
+ *
+ * URL transformation rules:
+ * - did:web:example.com -> https://example.com/.well-known/did.json
+ * - did:web:example.com:path:to -> https://example.com/path/to/did.json
+ * - did:web:example.com%3A8443 -> https://example.com:8443/.well-known/did.json
+ */
+import type { DIDResolutionResult } from './types.js';
+import type { DIDResolver } from './resolver.js';
+/**
+ * Result shape for the caller-provided hardened fetch function.
+ *
+ * Callers should use safeFetchJson from @peac/net-node, which returns
+ * this shape. The resolver uses contentType and finalUrl for additional
+ * validation beyond what the fetch function itself enforces.
+ */
+export interface HardenedFetchResult<T = unknown> {
+    ok: boolean;
+    data?: T;
+    code?: string;
+    error?: string;
+    /** Content-Type of the response (for validation) */
+    contentType?: string;
+    /** Final URL after any processing (for redirect detection) */
+    finalUrl?: string;
+}
+export type HardenedFetchFn = <T = unknown>(url: string, options?: {
+    timeoutMs?: number;
+    maxResponseBytes?: number;
+    maxRedirects?: number;
+}) => Promise<HardenedFetchResult<T>>;
+export interface DidWebResolverOptions {
+    /** Request timeout in milliseconds (default: 5000) */
+    timeoutMs?: number;
+    /**
+     * Optional domain allowlist (lowercase). If set, only these domains
+     * are permitted. Comparison is case-insensitive.
+     */
+    allowedDomains?: string[];
+    /**
+     * SSRF-hardened fetch function. Required.
+     * Use safeFetchJson from @peac/net-node for production.
+     */
+    fetchFn: HardenedFetchFn;
+}
+export declare class DidWebResolver implements DIDResolver {
+    readonly methods: readonly ["web"];
+    private readonly timeoutMs;
+    private readonly allowedDomains;
+    private readonly fetchFn;
+    constructor(options: DidWebResolverOptions);
+    resolve(did: string): Promise<DIDResolutionResult>;
+}
+//# sourceMappingURL=did-web.d.ts.map

package/dist/did-web.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"did-web.d.ts","sourceRoot":"","sources":["../src/did-web.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAGH,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AACtD,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAMjD;;;;;;GAMG;AACH,MAAM,WAAW,mBAAmB,CAAC,CAAC,GAAG,OAAO;IAC9C,EAAE,EAAE,OAAO,CAAC;IACZ,IAAI,CAAC,EAAE,CAAC,CAAC;IACT,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,oDAAoD;IACpD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,8DAA8D;IAC9D,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,GAAG,OAAO,EACxC,GAAG,EAAE,MAAM,EACX,OAAO,CAAC,EAAE;IAAE,SAAS,CAAC,EAAE,MAAM,CAAC;IAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAA;CAAE,KAC/E,OAAO,CAAC,mBAAmB,CAAC,CAAC,CAAC,CAAC,CAAC;AAMrC,MAAM,WAAW,qBAAqB;IACpC,sDAAsD;IACtD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;OAGG;IACH,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B;;;OAGG;IACH,OAAO,EAAE,eAAe,CAAC;CAC1B;AAgBD,qBAAa,cAAe,YAAW,WAAW;IAChD,QAAQ,CAAC,OAAO,mBAAoB;IAEpC,OAAO,CAAC,QAAQ,CAAC,SAAS,CAAS;IACnC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAuB;IACtD,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAkB;gBAE9B,OAAO,EAAE,qBAAqB;IAMpC,OAAO,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,mBAAmB,CAAC;CA8EzD"}

package/dist/errors.d.ts

@@ -0,0 +1,15 @@
+/**
+ * DID adapter error types.
+ *
+ * Uses error codes registered in specs/kernel/errors.json (PR3 #571).
+ */
+/** DID-specific error codes (registered in kernel) */
+export type DIDErrorCode = 'E_DID_RESOLUTION_FAILED' | 'E_DID_DOCUMENT_INVALID' | 'E_DID_KEY_NOT_FOUND' | 'E_DID_UNSUPPORTED_METHOD' | 'E_DID_DEACTIVATED' | 'E_DID_KEY_AMBIGUOUS';
+/**
+ * Error thrown by DID adapter operations.
+ */
+export declare class DIDError extends Error {
+    readonly code: DIDErrorCode;
+    constructor(code: DIDErrorCode, message: string);
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,sDAAsD;AACtD,MAAM,MAAM,YAAY,GACpB,yBAAyB,GACzB,wBAAwB,GACxB,qBAAqB,GACrB,0BAA0B,GAC1B,mBAAmB,GACnB,qBAAqB,CAAC;AAE1B;;GAEG;AACH,qBAAa,QAAS,SAAQ,KAAK;IACjC,QAAQ,CAAC,IAAI,EAAE,YAAY,CAAC;gBAEhB,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM;CAKhD"}

package/dist/errors.js

@@ -0,0 +1,21 @@
+"use strict";
+/**
+ * DID adapter error types.
+ *
+ * Uses error codes registered in specs/kernel/errors.json (PR3 #571).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DIDError = void 0;
+/**
+ * Error thrown by DID adapter operations.
+ */
+class DIDError extends Error {
+    code;
+    constructor(code, message) {
+        super(message);
+        this.name = 'DIDError';
+        this.code = code;
+    }
+}
+exports.DIDError = DIDError;
+//# sourceMappingURL=errors.js.map

package/dist/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":";AAAA;;;;GAIG;;;AAWH;;GAEG;AACH,MAAa,QAAS,SAAQ,KAAK;IACxB,IAAI,CAAe;IAE5B,YAAY,IAAkB,EAAE,OAAe;QAC7C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,UAAU,CAAC;QACvB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF;AARD,4BAQC"}

package/dist/extract-key.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Verification key extraction from DID Documents.
+ *
+ * Implements DD-202 (DID Verification Method Selection Policy):
+ * 1. Prefer methods referenced in authentication/assertionMethod
+ * 2. If multiple eligible Ed25519 methods remain, require caller keyId
+ *    or fail with E_DID_KEY_AMBIGUOUS
+ * 3. Only Ed25519 keys extracted; other types silently skipped
+ * 4. Iterates ALL methods regardless of match (no early-return oracle)
+ */
+import type { DIDDocument } from './types.js';
+export interface ExtractKeyOptions {
+    /**
+     * Explicit key ID to select.
+     * If provided, only methods with this ID are considered.
+     */
+    keyId?: string;
+    /**
+     * Which verification relationship to prefer.
+     * Default: 'authentication'
+     */
+    relationship?: 'authentication' | 'assertionMethod';
+}
+/**
+ * Extract an Ed25519 public key from a DID Document.
+ *
+ * Selection policy (DD-202):
+ * 1. Collect all verification methods from the document
+ * 2. Filter by keyId if provided
+ * 3. Filter by relationship references (authentication/assertionMethod)
+ * 4. Try to extract Ed25519 key from each eligible method
+ * 5. If exactly one Ed25519 key found: return it
+ * 6. If zero found: return null
+ * 7. If multiple found without keyId: throw E_DID_KEY_AMBIGUOUS
+ *
+ * All methods are iterated regardless of match to prevent key-type oracle.
+ *
+ * @param document - The resolved DID Document
+ * @param options - Key selection options
+ * @returns 32-byte Ed25519 public key, or null if no suitable key found
+ * @throws DIDError with E_DID_KEY_AMBIGUOUS if multiple eligible keys
+ */
+export declare function extractVerificationKey(document: DIDDocument, options?: ExtractKeyOptions): Uint8Array | null;
+//# sourceMappingURL=extract-key.d.ts.map

package/dist/extract-key.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"extract-key.d.ts","sourceRoot":"","sources":["../src/extract-key.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,WAAW,EAAsB,MAAM,YAAY,CAAC;AAQlE,MAAM,WAAW,iBAAiB;IAChC;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;IACf;;;OAGG;IACH,YAAY,CAAC,EAAE,gBAAgB,GAAG,iBAAiB,CAAC;CACrD;AAMD;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,WAAW,EACrB,OAAO,CAAC,EAAE,iBAAiB,GAC1B,UAAU,GAAG,IAAI,CAmDnB"}