@primethoughts/credence-sdk 1.0.0-rc.1

package/dist/index.cjs

@@ -0,0 +1,1112 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  ComplianceModule: () => ComplianceModule,
+  CredenceApiError: () => CredenceApiError,
+  CredenceAuthError: () => CredenceAuthError,
+  CredenceAuthorizationError: () => CredenceAuthorizationError,
+  CredenceClient: () => CredenceClient,
+  CredenceError: () => CredenceError,
+  CredenceNetworkError: () => CredenceNetworkError,
+  CredenceValidationError: () => CredenceValidationError,
+  CredentialsModule: () => CredentialsModule,
+  DEFAULT_RETRY_CONFIG: () => DEFAULT_RETRY_CONFIG,
+  EvidenceModule: () => EvidenceModule,
+  HttpClient: () => HttpClient,
+  IdentityModule: () => IdentityModule,
+  MessagingModule: () => MessagingModule,
+  Oid4vciModule: () => Oid4vciModule,
+  PaymentModule: () => PaymentModule,
+  PresentationsModule: () => PresentationsModule,
+  RegistryAdminModule: () => RegistryAdminModule,
+  RegistryModule: () => RegistryModule,
+  VdrModule: () => VdrModule,
+  isKeyMaterial: () => isKeyMaterial,
+  rejectKeyMaterial: () => rejectKeyMaterial,
+  toQueryParams: () => toQueryParams,
+  validateDid: () => validateDid,
+  validateRequired: () => validateRequired
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/utils/correlation.ts
+function generateCorrelationId() {
+  if (typeof globalThis !== "undefined" && globalThis.crypto?.randomUUID) {
+    return globalThis.crypto.randomUUID();
+  }
+  return require("crypto").randomUUID();
+}
+
+// src/errors.ts
+var CredenceError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "CredenceError";
+  }
+};
+var CredenceApiError = class extends CredenceError {
+  status;
+  title;
+  detail;
+  type;
+  instance;
+  correlationId;
+  method;
+  path;
+  constructor(params) {
+    const msg = `${params.method} ${params.path} failed with ${params.status}: ${params.title}${params.detail ? ` \u2014 ${params.detail}` : ""}${params.correlationId ? ` [correlationId=${params.correlationId}]` : ""}`;
+    super(msg);
+    this.name = "CredenceApiError";
+    this.status = params.status;
+    this.title = params.title;
+    this.detail = params.detail ?? null;
+    this.type = params.type ?? null;
+    this.instance = params.instance ?? null;
+    this.correlationId = params.correlationId ?? null;
+    this.method = params.method;
+    this.path = params.path;
+  }
+};
+var CredenceAuthError = class extends CredenceApiError {
+  constructor(params) {
+    super({
+      status: 401,
+      title: "Unauthorized",
+      detail: "Authentication required or token expired",
+      method: params.method,
+      path: params.path,
+      correlationId: params.correlationId
+    });
+    this.name = "CredenceAuthError";
+  }
+};
+var CredenceAuthorizationError = class extends CredenceApiError {
+  constructor(params) {
+    super({
+      status: 403,
+      title: "Forbidden",
+      detail: params.detail ?? "Insufficient permissions for this operation",
+      method: params.method,
+      path: params.path,
+      correlationId: params.correlationId
+    });
+    this.name = "CredenceAuthorizationError";
+  }
+};
+var CredenceNetworkError = class extends CredenceError {
+  cause;
+  constructor(message, cause) {
+    super(message);
+    this.name = "CredenceNetworkError";
+    this.cause = cause;
+  }
+};
+var CredenceValidationError = class extends CredenceError {
+  field;
+  constructor(field, message) {
+    super(`Validation error on '${field}': ${message}`);
+    this.name = "CredenceValidationError";
+    this.field = field;
+  }
+};
+
+// src/http/retry.ts
+var DEFAULT_RETRY_CONFIG = {
+  maxRetries: 3,
+  baseDelay: 1e3,
+  maxDelay: 3e4
+};
+var RETRYABLE_STATUS_CODES = /* @__PURE__ */ new Set([429, 502, 503, 504]);
+function isRetryable(status) {
+  return RETRYABLE_STATUS_CODES.has(status);
+}
+function calculateDelay(attempt, config) {
+  const exponentialDelay = config.baseDelay * Math.pow(2, attempt);
+  const cappedDelay = Math.min(exponentialDelay, config.maxDelay);
+  const jitter = cappedDelay * (0.5 + Math.random() * 0.5);
+  return Math.floor(jitter);
+}
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
+// src/http/interceptors.ts
+var InterceptorChain = class {
+  requestInterceptors = [];
+  responseInterceptors = [];
+  addRequestInterceptor(fn) {
+    this.requestInterceptors.push(fn);
+  }
+  addResponseInterceptor(fn) {
+    this.responseInterceptors.push(fn);
+  }
+  async onRequest(info) {
+    for (const interceptor of this.requestInterceptors) {
+      await interceptor(info);
+    }
+  }
+  async onResponse(info) {
+    for (const interceptor of this.responseInterceptors) {
+      await interceptor(info);
+    }
+  }
+};
+
+// src/http/http-client.ts
+var HttpClient = class {
+  baseUrl;
+  token;
+  retryConfig;
+  timeout;
+  correlationId;
+  interceptors;
+  constructor(config) {
+    this.baseUrl = config.baseUrl.replace(/\/+$/, "");
+    this.token = config.token;
+    this.retryConfig = { ...DEFAULT_RETRY_CONFIG, ...config.retry };
+    this.timeout = config.timeout ?? 3e4;
+    this.correlationId = config.correlationId ?? generateCorrelationId();
+    this.interceptors = new InterceptorChain();
+  }
+  /** Updates the JWT token for subsequent requests. */
+  setToken(token) {
+    this.token = token;
+  }
+  addRequestInterceptor(fn) {
+    this.interceptors.addRequestInterceptor(fn);
+  }
+  addResponseInterceptor(fn) {
+    this.interceptors.addResponseInterceptor(fn);
+  }
+  /** Performs a GET request. */
+  async get(path, queryParams) {
+    const url = this.buildUrl(path, queryParams);
+    return this.executeWithRetry("GET", url);
+  }
+  /** Performs a POST request with JSON body. */
+  async post(path, body) {
+    const url = this.buildUrl(path);
+    return this.executeWithRetry("POST", url, body);
+  }
+  /** Performs a PUT request with JSON body. */
+  async put(path, body) {
+    const url = this.buildUrl(path);
+    return this.executeWithRetry("PUT", url, body);
+  }
+  /** Performs a DELETE request. Returns void. */
+  async delete(path) {
+    const url = this.buildUrl(path);
+    await this.executeWithRetry("DELETE", url);
+  }
+  /** Performs a POST with multipart/form-data (for evidence upload). */
+  async upload(path, formData) {
+    const url = this.buildUrl(path);
+    return this.executeWithRetry("POST", url, formData, true);
+  }
+  /** Performs a POST with application/x-www-form-urlencoded body. */
+  async postForm(path, body) {
+    const url = this.buildUrl(path);
+    return this.executeWithRetry("POST", url, body, false, "application/x-www-form-urlencoded");
+  }
+  /** Performs a POST with a custom Bearer token (not the SDK's JWT). */
+  async postWithToken(path, body, token) {
+    const url = this.buildUrl(path);
+    return this.executeWithRetry("POST", url, body, false, void 0, token);
+  }
+  buildUrl(path, queryParams) {
+    if (!this.baseUrl) {
+      if (!queryParams || Object.keys(queryParams).length === 0) {
+        return path;
+      }
+      const params = new URLSearchParams(queryParams).toString();
+      return `${path}?${params}`;
+    }
+    const url = new URL(path, this.baseUrl);
+    if (queryParams) {
+      for (const [key, value] of Object.entries(queryParams)) {
+        url.searchParams.set(key, value);
+      }
+    }
+    return url.toString();
+  }
+  async executeWithRetry(method, url, body, isMultipart = false, contentType, tokenOverride) {
+    let lastError;
+    for (let attempt = 0; attempt <= this.retryConfig.maxRetries; attempt++) {
+      try {
+        return await this.execute(method, url, body, isMultipart, contentType, tokenOverride);
+      } catch (error) {
+        lastError = error;
+        if (error instanceof CredenceApiError && isRetryable(error.status)) {
+          if (attempt < this.retryConfig.maxRetries) {
+            const delay = calculateDelay(attempt, this.retryConfig);
+            await sleep(delay);
+            continue;
+          }
+        }
+        throw error;
+      }
+    }
+    throw lastError;
+  }
+  async execute(method, url, body, isMultipart = false, contentType, tokenOverride) {
+    const headers = {
+      "Authorization": `Bearer ${tokenOverride ?? this.token}`,
+      "X-Correlation-ID": this.correlationId
+    };
+    if (!isMultipart && body !== void 0) {
+      headers["Content-Type"] = contentType ?? "application/json";
+    }
+    let path;
+    try {
+      path = new URL(url).pathname;
+    } catch {
+      path = url.split("?")[0] ?? url;
+    }
+    const sanitizedHeaders = { ...headers };
+    delete sanitizedHeaders["Authorization"];
+    await this.interceptors.onRequest({ method, url, headers: sanitizedHeaders });
+    const startTime = Date.now();
+    let response;
+    try {
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+      response = await fetch(url, {
+        method,
+        headers,
+        body: isMultipart ? body : typeof body === "string" ? body : body !== void 0 ? JSON.stringify(body) : void 0,
+        signal: controller.signal
+      });
+      clearTimeout(timeoutId);
+    } catch (error) {
+      const durationMs2 = Date.now() - startTime;
+      await this.interceptors.onResponse({ status: 0, url, correlationId: this.correlationId, durationMs: durationMs2 });
+      if (error instanceof DOMException && error.name === "AbortError") {
+        throw new CredenceNetworkError(`Request timeout after ${this.timeout}ms: ${method} ${path}`, error);
+      }
+      throw new CredenceNetworkError(`Network error: ${method} ${path}`, error);
+    }
+    const durationMs = Date.now() - startTime;
+    const responseCorrelationId = response.headers.get("X-Correlation-ID") ?? this.correlationId;
+    await this.interceptors.onResponse({
+      status: response.status,
+      url,
+      correlationId: responseCorrelationId,
+      durationMs
+    });
+    if (response.status === 204) {
+      return void 0;
+    }
+    if (!response.ok) {
+      await this.handleError(response, method, path, responseCorrelationId);
+    }
+    return await response.json();
+  }
+  async handleError(response, method, path, correlationId) {
+    let problemDetail = {};
+    try {
+      problemDetail = await response.json();
+    } catch {
+    }
+    const params = {
+      status: problemDetail.status ?? response.status,
+      title: problemDetail.title ?? response.statusText,
+      detail: problemDetail.detail,
+      type: problemDetail.type,
+      instance: problemDetail.instance,
+      correlationId,
+      method,
+      path
+    };
+    if (response.status === 401) {
+      throw new CredenceAuthError({ method, path, correlationId });
+    }
+    if (response.status === 403) {
+      throw new CredenceAuthorizationError({ method, path, correlationId, detail: problemDetail.detail });
+    }
+    throw new CredenceApiError(params);
+  }
+};
+
+// src/types/common.ts
+function toQueryParams(params) {
+  if (!params) return {};
+  const result = {};
+  if (params.page !== void 0) result["page"] = String(params.page);
+  if (params.size !== void 0) result["size"] = String(params.size);
+  if (params.sort !== void 0) result["sort"] = params.sort;
+  return result;
+}
+
+// src/modules/identity.ts
+var IdentityModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  // --- Authentication ---
+  /**
+   * Registers a new user. Creates a Credence tenant, ACA-Py sub-wallet, and bootstrap DID.
+   * Returns a JWT for immediate authenticated access. (SCF Phase 3a FR-1)
+   */
+  async register(request) {
+    return this.http.post("/api/v1/auth/register", request);
+  }
+  /**
+   * Authenticates with email and password. Returns a JWT with tenantId and roles.
+   * Returns 401 for invalid credentials, 429 if the account is locked. (SCF Phase 3a FR-2)
+   */
+  async login(request) {
+    return this.http.post("/api/v1/auth/login", request);
+  }
+  /**
+   * Initiates a password reset flow. A single-use reset token is generated
+   * (MVP: logged to server console, no email sent). (SCF Phase 3a FR-3)
+   */
+  async forgotPassword(request) {
+    await this.http.post("/api/v1/auth/forgot-password", request);
+  }
+  /**
+   * Resets a user's password using a single-use token. Token expires after 1 hour.
+   * Returns 400 for expired or already-used tokens. (SCF Phase 3a FR-3)
+   */
+  async resetPassword(request) {
+    await this.http.post("/api/v1/auth/reset-password", request);
+  }
+  /**
+   * Refreshes a JWT before expiry. Requires a valid (non-expired) JWT.
+   * Returns a fresh JWT with the same claims and a new expiry. (SCF Phase 3a FR-2)
+   */
+  async refresh() {
+    return this.http.post("/api/v1/auth/refresh", {});
+  }
+  // --- Tenant lifecycle ---
+  /** Creates a new tenant with ACA-Py sub-wallet provisioning. (FR-8) */
+  async createTenant(request) {
+    return this.http.post("/api/v1/tenants", request);
+  }
+  /** Retrieves tenant details by ID. (FR-9) */
+  async getTenant(id) {
+    return this.http.get(`/api/v1/tenants/${encodeURIComponent(id)}`);
+  }
+  /** Lists tenants with pagination. (FR-10) */
+  async listTenants(params) {
+    return this.http.get("/api/v1/tenants", toQueryParams(params));
+  }
+  // --- Citizen Registration ---
+  /**
+   * Registers a citizen (Individual tenant). Creates a tenant with type=INDIVIDUAL,
+   * ACA-Py sub-wallet, and bootstrap did:key. Returns JWT with tenantType=INDIVIDUAL.
+   *
+   * @example
+   * ```typescript
+   * const auth = await credence.identity.registerCitizen({
+   *   name: 'Jane Doe',
+   *   email: 'jane@example.com',
+   *   password: 'SecurePass123!',
+   *   phone: '+91-9876543210',
+   * });
+   * ```
+   */
+  async registerCitizen(request) {
+    return this.http.post("/api/v1/auth/register/citizen", request);
+  }
+  // --- FIDO2 / WebAuthn ---
+  /**
+   * Begins FIDO2 passkey registration. Returns challenge and options for the authenticator.
+   * Requires JWT authentication (user must be logged in first).
+   */
+  async fido2BeginRegistration() {
+    return this.http.post("/api/v1/auth/fido2/register/begin", {});
+  }
+  /**
+   * Completes FIDO2 passkey registration with the authenticator's response.
+   */
+  async fido2CompleteRegistration(response) {
+    await this.http.post("/api/v1/auth/fido2/register/complete", response);
+  }
+  /**
+   * Begins FIDO2 passkey login. Returns challenge and allowed credentials.
+   * Public endpoint — no JWT required.
+   */
+  async fido2BeginLogin(request) {
+    return this.http.post("/api/v1/auth/fido2/login/begin", request);
+  }
+  /**
+   * Completes FIDO2 passkey login. Returns JWT on success.
+   */
+  async fido2CompleteLogin(response) {
+    return this.http.post("/api/v1/auth/fido2/login/complete", response);
+  }
+};
+
+// src/modules/messaging.ts
+var MessagingModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Creates an OOB DIDComm invitation. (FR-11) */
+  async createInvitation(request) {
+    return this.http.post("/api/v1/connections/create-invitation", request ?? {});
+  }
+  /**
+   * Accepts an OOB DIDComm invitation from a DIA authority or anchor buyer.
+   * Parses the invitation URL and calls ACA-Py receive-invitation.
+   * Returns the new connection record. (SCF Phase 3a FR-5, FR-13)
+   */
+  async acceptInvitation(request) {
+    return this.http.post("/api/v1/connections/accept-invitation", request);
+  }
+  /** Retrieves a connection by ID (tenant-scoped). (FR-12) */
+  async getConnection(id) {
+    return this.http.get(`/api/v1/connections/${encodeURIComponent(id)}`);
+  }
+  /** Lists connections with pagination (tenant-scoped). (FR-13) */
+  async listConnections(params) {
+    return this.http.get("/api/v1/connections", toQueryParams(params));
+  }
+};
+
+// src/modules/credentials.ts
+var CredentialsModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Issues a verifiable credential. (FR-14) */
+  async issue(request) {
+    return this.http.post("/api/v1/credentials", request);
+  }
+  /** Retrieves credential details by ID (tenant-scoped). (FR-15) */
+  async get(id) {
+    return this.http.get(`/api/v1/credentials/${encodeURIComponent(id)}`);
+  }
+  /** Lists credentials with pagination (tenant-scoped). (FR-16) */
+  async list(params) {
+    return this.http.get("/api/v1/credentials", toQueryParams(params));
+  }
+  /** Revokes a credential by ID. (FR-17) */
+  async revoke(id) {
+    await this.http.post(`/api/v1/credentials/${encodeURIComponent(id)}/revoke`);
+  }
+  /** Verifies a credential using legacy 3-check. (FR-18) */
+  async verify(request) {
+    return this.http.post("/api/v1/credentials/verify", request);
+  }
+  /** Verifies a credential using 5-check policy engine. (FR-19) */
+  async verifyV2(request) {
+    return this.http.post("/api/v1/credentials/verify/v2", request);
+  }
+};
+
+// src/modules/presentations.ts
+var PresentationsModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Creates a presentation request (DIDComm or OID4VP). (FR-20) */
+  async createRequest(request) {
+    return this.http.post("/api/v1/presentations/request", request);
+  }
+  /** Retrieves a presentation exchange by ID (returns full detail). (FR-21) */
+  async get(id) {
+    return this.http.get(`/api/v1/presentations/${encodeURIComponent(id)}`);
+  }
+  /** Lists presentation exchanges with pagination (returns summaries). (FR-22) */
+  async list(params) {
+    return this.http.get("/api/v1/presentations", toQueryParams(params));
+  }
+  /**
+   * Verifies a received presentation using the 5-check engine. (FR-23)
+   *
+   * Returns the full PresentationDetailExchangeResponse with updated
+   * verificationContext containing the 5-check results.
+   */
+  async verify(id) {
+    return this.http.post(`/api/v1/presentations/${encodeURIComponent(id)}/verify`);
+  }
+  /** Generates an OID4VP authorization URL. (FR-24) */
+  async generateOid4vpUrl(request) {
+    const result = await this.http.post("/api/v1/presentations/oid4vp/authorize", request);
+    return result.authorizationUrl;
+  }
+  /**
+   * Checks issuance prerequisite status for a credential type on a connection/context.
+   *
+   * Returns whether governance-driven prerequisites (e.g., verified presentation)
+   * are met. This is a lightweight read-only check; full cryptographic re-verification
+   * happens at actual issuance time.
+   */
+  async getPrerequisiteStatus(credentialType, connectionId, contextId) {
+    return this.http.get(
+      "/api/v1/presentations/prerequisites/status",
+      {
+        credentialType,
+        connectionId,
+        contextId
+      }
+    );
+  }
+};
+
+// src/modules/registry-admin.ts
+var RegistryAdminModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Creates a trust framework in DRAFT state. (FR-36) */
+  async createFramework(request) {
+    return this.http.post("/api/v1/admin/governance/frameworks", request);
+  }
+  /** Updates framework metadata. (FR-37) */
+  async updateFramework(id, request) {
+    return this.http.put(`/api/v1/admin/governance/frameworks/${encodeURIComponent(id)}`, request);
+  }
+  /** Activates a framework. (FR-38) */
+  async activateFramework(id) {
+    return this.http.post(`/api/v1/admin/governance/frameworks/${encodeURIComponent(id)}/activate`);
+  }
+  /** Deprecates a framework. (FR-39) */
+  async deprecateFramework(id) {
+    return this.http.post(`/api/v1/admin/governance/frameworks/${encodeURIComponent(id)}/deprecate`);
+  }
+  /** Archives a framework. (FR-40) */
+  async archiveFramework(id) {
+    return this.http.post(`/api/v1/admin/governance/frameworks/${encodeURIComponent(id)}/archive`);
+  }
+  /** Registers a trusted issuer. (FR-41) */
+  async registerIssuer(request) {
+    return this.http.post("/api/v1/admin/issuers", request);
+  }
+  /** Lists issuers (admin view). (FR-42) */
+  async listIssuers() {
+    return this.http.get("/api/v1/admin/issuers");
+  }
+  /** Revokes issuer authorization. (FR-43) */
+  async revokeIssuer(id) {
+    await this.http.delete(`/api/v1/admin/issuers/${encodeURIComponent(id)}`);
+  }
+  /** Registers a credential schema. (FR-44) */
+  async registerSchema(request) {
+    return this.http.post("/api/v1/admin/schemas", request);
+  }
+  /** Registers a verifier policy. (FR-45) */
+  async registerPolicy(request) {
+    return this.http.post("/api/v1/admin/policies", request);
+  }
+  /** Creates a governance VC in DRAFT state. (FR-46) */
+  async createGovernanceVc(request) {
+    return this.http.post("/api/v1/admin/governance/vcs", request);
+  }
+  /** Submits governance VC for review. (FR-47) */
+  async submitForReview(id, request) {
+    return this.http.post(`/api/v1/admin/governance/vcs/${encodeURIComponent(id)}/submit-for-review`, request);
+  }
+  /** Activates a governance VC. (FR-48) */
+  async activateGovernanceVc(id, request) {
+    return this.http.post(`/api/v1/admin/governance/vcs/${encodeURIComponent(id)}/activate`, request);
+  }
+  /** Suspends a governance VC. (FR-49) */
+  async suspendGovernanceVc(id, request) {
+    return this.http.post(`/api/v1/admin/governance/vcs/${encodeURIComponent(id)}/suspend`, request);
+  }
+  /** Reinstates a governance VC from SUSPENDED to ACTIVE. (FR-50) */
+  async reinstateGovernanceVc(id, request) {
+    return this.http.post(`/api/v1/admin/governance/vcs/${encodeURIComponent(id)}/reinstate`, request);
+  }
+  /** Revokes a governance VC (terminal state). (FR-51) */
+  async revokeGovernanceVc(id, request) {
+    return this.http.post(`/api/v1/admin/governance/vcs/${encodeURIComponent(id)}/revoke`, request);
+  }
+  /** Records a Fabric anchor hash for a governance VC. (FR-52) */
+  async anchorGovernanceVc(id, request) {
+    return this.http.post(`/api/v1/admin/governance/vcs/${encodeURIComponent(id)}/anchor`, request);
+  }
+};
+
+// src/modules/registry.ts
+var RegistryModule = class {
+  constructor(http) {
+    this.http = http;
+    this.admin = new RegistryAdminModule(http);
+  }
+  /** Admin sub-module for write operations (PLATFORM_ADMIN role required). */
+  admin;
+  /** Lists active trust frameworks. (FR-25) */
+  async listFrameworks() {
+    return this.http.get("/api/v1/registry/governance/frameworks");
+  }
+  /** Retrieves a framework by ID. (FR-26) */
+  async getFramework(id) {
+    return this.http.get(`/api/v1/registry/governance/frameworks/${encodeURIComponent(id)}`);
+  }
+  /** Finds frameworks associated with a DID. (FR-27) */
+  async findFrameworksByDid(did) {
+    return this.http.get("/api/v1/registry/governance/frameworks/by-did", { did });
+  }
+  /** Lists authorized issuers with optional filters. (FR-28) */
+  async listIssuers(params) {
+    const query = {};
+    if (params?.credentialType) query["credentialType"] = params.credentialType;
+    if (params?.frameworkId) query["frameworkId"] = params.frameworkId;
+    return this.http.get("/api/v1/registry/issuers", query);
+  }
+  /** Retrieves a registered schema. (FR-29) */
+  async getSchema(schemaId) {
+    return this.http.get(`/api/v1/registry/schemas/${encodeURIComponent(schemaId)}`);
+  }
+  /** Retrieves a verifier policy. (FR-30) */
+  async getPolicy(policyId) {
+    return this.http.get(`/api/v1/registry/policies/${encodeURIComponent(policyId)}`);
+  }
+  /** Lists governance VCs with pagination and filters. (FR-31) */
+  async listGovernanceVcs(params) {
+    const query = {};
+    if (params?.page !== void 0) query["page"] = String(params.page);
+    if (params?.size !== void 0) query["size"] = String(params.size);
+    if (params?.frameworkId) query["frameworkId"] = params.frameworkId;
+    if (params?.vcType) query["vcType"] = params.vcType;
+    if (params?.status) query["status"] = params.status;
+    if (params?.issuerDid) query["issuerDid"] = params.issuerDid;
+    if (params?.subjectDid) query["subjectDid"] = params.subjectDid;
+    return this.http.get("/api/v1/registry/governance/vcs", query);
+  }
+  /** Retrieves a governance VC by ID. (FR-32) */
+  async getGovernanceVc(id) {
+    return this.http.get(`/api/v1/registry/governance/vcs/${encodeURIComponent(id)}`);
+  }
+  /** Retrieves the raw W3C VC JSON-LD for a governance VC. (FR-33) */
+  async getGovernanceVcJson(id) {
+    return this.http.get(`/api/v1/registry/governance/vcs/${encodeURIComponent(id)}/vc-json`);
+  }
+  /** Retrieves audit trail for a governance VC. (FR-34) */
+  async getGovernanceVcAudit(id) {
+    return this.http.get(`/api/v1/registry/governance/vcs/${encodeURIComponent(id)}/audit`);
+  }
+  /** Retrieves a BitstringStatusList credential. (FR-35) */
+  async getStatusList(statusListId) {
+    return this.http.get(`/api/v1/registry/status/${encodeURIComponent(statusListId)}`);
+  }
+};
+
+// src/modules/compliance.ts
+var ComplianceAdminModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Creates a compliance rule. (FR-57) */
+  async createRule(request) {
+    return this.http.post("/api/v1/admin/compliance/rules", request);
+  }
+  /** Deactivates a compliance rule. (FR-58) */
+  async deactivateRule(id) {
+    await this.http.delete(`/api/v1/admin/compliance/rules/${encodeURIComponent(id)}`);
+  }
+};
+var ComplianceModule = class {
+  constructor(http) {
+    this.http = http;
+    this.admin = new ComplianceAdminModule(http);
+  }
+  /** Admin sub-module for rule management (PLATFORM_ADMIN role required). */
+  admin;
+  /** Evaluates compliance, returning ALLOW/DENY/INCOMPLETE. (FR-53) */
+  async check(request) {
+    return this.http.post("/api/v1/compliance/check", request);
+  }
+  /** Creates an audit event. (FR-54) */
+  async createAuditEvent(request) {
+    return this.http.post("/api/v1/compliance/audit", request);
+  }
+  /** Lists audit events with pagination. (FR-55) */
+  async listAuditEvents(params) {
+    return this.http.get("/api/v1/compliance/audit", toQueryParams(params));
+  }
+  /** Retrieves a specific audit event. (FR-56) */
+  async getAuditEvent(id) {
+    return this.http.get(`/api/v1/compliance/audit/${encodeURIComponent(id)}`);
+  }
+};
+
+// src/modules/evidence.ts
+var EvidenceModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Uploads evidence as multipart/form-data. (FR-59) */
+  async upload(formData) {
+    return this.http.upload("/api/v1/evidence", formData);
+  }
+  /** Retrieves evidence metadata by ID. (FR-60) */
+  async get(id) {
+    return this.http.get(`/api/v1/evidence/${encodeURIComponent(id)}`);
+  }
+  /** Downloads evidence file content. (FR-61) */
+  async download(id) {
+    const response = await this.http.get(`/api/v1/evidence/${encodeURIComponent(id)}/content`);
+    return Buffer.from(response);
+  }
+  /** Lists evidence with pagination and filters. (FR-62) */
+  async list(params) {
+    const query = {};
+    if (params?.page !== void 0) query["page"] = String(params.page);
+    if (params?.size !== void 0) query["size"] = String(params.size);
+    if (params?.type) query["type"] = params.type;
+    if (params?.status) query["status"] = params.status;
+    return this.http.get("/api/v1/evidence", query);
+  }
+  /**
+   * Lists all evidence artifacts linked to a specific credential (reverse lookup).
+   *
+   * @param credentialId the credential ID to find linked evidence for
+   * @returns list of evidence summaries linked to the credential
+   */
+  async listByCredential(credentialId) {
+    return this.http.get(
+      `/api/v1/evidence/by-credential/${encodeURIComponent(credentialId)}`
+    );
+  }
+  /** Verifies evidence integrity (SHA-256 hash match). (FR-63) */
+  async verify(id) {
+    return this.http.post(`/api/v1/evidence/${encodeURIComponent(id)}/verify`);
+  }
+  /** Links a credential ID to an evidence record. (FR-64) */
+  async link(id, credentialId) {
+    await this.http.post(`/api/v1/evidence/${encodeURIComponent(id)}/link`, { credentialId });
+  }
+  /** Soft-deletes an evidence record. (FR-65) */
+  async delete(id) {
+    await this.http.delete(`/api/v1/evidence/${encodeURIComponent(id)}`);
+  }
+  /**
+   * Shares evidence over DIDComm to a connected peer.
+   *
+   * Issues an EvidenceSharingAttestation governance VC for provenance,
+   * then sends the evidence metadata via DIDComm basic message.
+   *
+   * @param evidenceId the evidence UUID to share
+   * @param request sharing parameters (connectionId, credentialId, etc.)
+   */
+  async share(evidenceId, request) {
+    await this.http.post(
+      `/api/v1/evidence/${encodeURIComponent(evidenceId)}/share`,
+      request
+    );
+  }
+};
+
+// src/modules/vdr.ts
+var VdrModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /** Writes a schema to the Indy VDR. (FR-66) */
+  async writeSchema(request) {
+    return this.http.post("/api/vdr/schemas", request);
+  }
+  /** Lists all registered schemas (merged ACA-Py + local). (FR-67) */
+  async listSchemas() {
+    return this.http.get("/api/vdr/schemas");
+  }
+  /** Retrieves a schema by ID. (FR-68) */
+  async getSchema(schemaId) {
+    return this.http.get(`/api/vdr/schemas/${encodeURIComponent(schemaId)}`);
+  }
+  /** Retrieves a schema using URL-safe query param. (FR-69) */
+  async lookupSchema(schemaId) {
+    return this.http.get("/api/vdr/schemas/lookup", { id: schemaId });
+  }
+  /** Writes a credential definition to Indy VDR. (FR-70) */
+  async writeCredentialDefinition(request) {
+    return this.http.post("/api/vdr/credential-definitions", request);
+  }
+  /** Lists all credential definitions. (FR-71) */
+  async listCredentialDefinitions() {
+    return this.http.get("/api/vdr/credential-definitions");
+  }
+  /** Retrieves a credential definition by ID. (FR-72) */
+  async getCredentialDefinition(credDefId) {
+    return this.http.get(`/api/vdr/credential-definitions/${encodeURIComponent(credDefId)}`);
+  }
+  /** Retrieves a credential definition using URL-safe query param. (FR-73) */
+  async lookupCredentialDefinition(credDefId) {
+    return this.http.get("/api/vdr/credential-definitions/lookup", { id: credDefId });
+  }
+  /** Writes a NYM transaction to Indy ledger. (FR-74) */
+  async writeNym(request) {
+    return this.http.post("/api/vdr/nyms", request);
+  }
+  /** Lists wallet DIDs (merged ACA-Py + local). (FR-75) */
+  async listNyms() {
+    return this.http.get("/api/vdr/nyms");
+  }
+  /** Resolves a NYM by DID. (FR-76) */
+  async resolveNym(did) {
+    return this.http.get(`/api/vdr/nyms/${encodeURIComponent(did)}`);
+  }
+  /** Creates a revocation registry. (FR-77) */
+  async createRevocationRegistry(request) {
+    return this.http.post("/api/vdr/revocation/registries", request);
+  }
+  /** Lists all revocation registries. (FR-78) */
+  async listRevocationRegistries() {
+    return this.http.get("/api/vdr/revocation/registries");
+  }
+  /** Retrieves a revocation registry. (FR-79) */
+  async getRevocationRegistry(revRegId) {
+    return this.http.get(`/api/vdr/revocation/registries/${encodeURIComponent(revRegId)}`);
+  }
+  /** Retrieves the revocation delta. (FR-80) */
+  async getRevocationDelta(revRegId) {
+    return this.http.get(`/api/vdr/revocation/registries/${encodeURIComponent(revRegId)}/delta`);
+  }
+  /** Publishes pending revocations to ledger. (FR-81) */
+  async publishRevocations() {
+    return this.http.post("/api/vdr/revocation/publish");
+  }
+};
+
+// src/modules/oid4vci.ts
+var Oid4vciModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Fetches the issuer metadata from the well-known endpoint.
+   * Public endpoint — no authentication required.
+   */
+  async getIssuerMetadata() {
+    return this.http.get("/.well-known/openid-credential-issuer");
+  }
+  /**
+   * Fetches the issuer's JSON Web Key Set (public keys for signature verification).
+   * Public endpoint — no authentication required.
+   */
+  async getJwks() {
+    return this.http.get("/.well-known/jwks.json");
+  }
+  /**
+   * Creates a credential offer for wallet scanning.
+   * Returns an offer URI suitable for QR code generation.
+   * Requires JWT authentication (issuer role).
+   *
+   * @example
+   * ```typescript
+   * const offer = await credence.oid4vci.createOffer({
+   *   credentialType: 'KycCredential',
+   *   claims: { name: 'Jane Doe', kycLevel: 'HIGH' },
+   *   selectiveDisclosureClaims: ['name'],
+   * });
+   * // Display offer.credentialOfferUri as QR code
+   * ```
+   */
+  async createOffer(request) {
+    return this.http.post("/api/v1/oid4vci/offers", request);
+  }
+  /**
+   * Exchanges a pre-authorized code for an access token.
+   * Public endpoint — called by the wallet after scanning the QR code.
+   *
+   * Note: This sends as application/x-www-form-urlencoded per OAuth2 spec.
+   */
+  async exchangeToken(preAuthorizedCode) {
+    const body = new URLSearchParams({
+      grant_type: "urn:ietf:params:oauth:grant-type:pre-authorized_code",
+      "pre-authorized_code": preAuthorizedCode
+    });
+    return this.http.postForm("/api/v1/oid4vci/token", body.toString());
+  }
+  /**
+   * Issues a credential using the access token from token exchange.
+   * Called by the wallet with the access token as Bearer authentication.
+   *
+   * @param accessToken - The access token from exchangeToken()
+   * @param request - Credential request with format and optional proof
+   */
+  async issueCredential(accessToken, request) {
+    return this.http.postWithToken(
+      "/api/v1/oid4vci/credential",
+      request,
+      accessToken
+    );
+  }
+};
+
+// src/modules/payment.ts
+var PaymentModule = class {
+  constructor(http) {
+    this.http = http;
+  }
+  /**
+   * Creates a new payment.
+   *
+   * @example
+   * ```typescript
+   * const payment = await credence.payments.create({
+   *   amount: 50000,
+   *   currency: 'INR',
+   *   payerDid: 'did:key:z6Mk...',
+   *   payeeDid: 'did:key:z6Mn...',
+   *   contextId: 'credential-abc-123',
+   * });
+   * ```
+   */
+  async create(request) {
+    return this.http.post("/api/v1/payments", request);
+  }
+  /**
+   * Gets a payment by ID.
+   */
+  async get(paymentId) {
+    return this.http.get(`/api/v1/payments/${paymentId}`);
+  }
+  /**
+   * Lists payments with pagination. Tenant-scoped.
+   */
+  async list(params) {
+    const query = params ? `?${toQueryParams(params)}` : "";
+    return this.http.get(`/api/v1/payments${query}`);
+  }
+  /**
+   * Requests a refund for a completed payment.
+   */
+  async refund(paymentId) {
+    return this.http.post(`/api/v1/payments/${paymentId}/refund`, {});
+  }
+};
+
+// src/client.ts
+var CredenceClient = class {
+  http;
+  /** Tenant and DID lifecycle management. */
+  identity;
+  /** DIDComm connections and invitations. */
+  messaging;
+  /** VC issuance, verification, and revocation. */
+  credentials;
+  /** Presentation exchange and OID4VP. */
+  presentations;
+  /** Trust Registry TRQP queries + admin write operations. */
+  registry;
+  /** Compliance checks and audit events. */
+  compliance;
+  /** IPFS evidence upload, retrieval, and verification. */
+  evidence;
+  /** Indy VDR operations: schemas, credential definitions, NYMs, revocation. */
+  vdr;
+  /** OID4VCI credential issuance to wallets (SD-JWT VCs). */
+  oid4vci;
+  /** Payment lifecycle management (HatchPay integration). */
+  payments;
+  constructor(config) {
+    const httpConfig = {
+      baseUrl: config.baseUrl,
+      token: config.auth.token,
+      retry: config.retry,
+      timeout: config.timeout,
+      correlationId: config.correlationId
+    };
+    this.http = new HttpClient(httpConfig);
+    this.identity = new IdentityModule(this.http);
+    this.messaging = new MessagingModule(this.http);
+    this.credentials = new CredentialsModule(this.http);
+    this.presentations = new PresentationsModule(this.http);
+    this.registry = new RegistryModule(this.http);
+    this.compliance = new ComplianceModule(this.http);
+    this.evidence = new EvidenceModule(this.http);
+    this.vdr = new VdrModule(this.http);
+    this.oid4vci = new Oid4vciModule(this.http);
+    this.payments = new PaymentModule(this.http);
+  }
+  /** Updates the JWT token for all subsequent requests. */
+  setToken(token) {
+    this.http.setToken(token);
+  }
+  /** Adds a request interceptor for logging or telemetry. */
+  addRequestInterceptor(fn) {
+    this.http.addRequestInterceptor(fn);
+  }
+  /** Adds a response interceptor for logging or telemetry. */
+  addResponseInterceptor(fn) {
+    this.http.addResponseInterceptor(fn);
+  }
+};
+
+// src/validation.ts
+var DID_PATTERN = /^did:(key|peer|indy|web):[a-zA-Z0-9._:%-]+$/;
+var KEY_MATERIAL_PATTERNS = [
+  /^-----BEGIN\s+(RSA\s+)?(PRIVATE|PUBLIC)\s+KEY-----/,
+  /^\{"kty":/,
+  /^[123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz]{43,}$/
+];
+function validateDid(field, value) {
+  if (!DID_PATTERN.test(value)) {
+    throw new CredenceValidationError(
+      field,
+      `Invalid DID format or unsupported method. Supported: did:key, did:peer, did:indy, did:web. Got: ${value.substring(0, 30)}`
+    );
+  }
+}
+function validateRequired(field, value) {
+  if (value === null || value === void 0 || typeof value === "string" && value.trim() === "") {
+    throw new CredenceValidationError(field, "Required field is missing or empty");
+  }
+}
+function isKeyMaterial(value) {
+  return KEY_MATERIAL_PATTERNS.some((pattern) => pattern.test(value));
+}
+function rejectKeyMaterial(fields) {
+  for (const [key, value] of Object.entries(fields)) {
+    if (typeof value === "string" && isKeyMaterial(value)) {
+      throw new CredenceValidationError(
+        key,
+        "Field appears to contain key material (private key, JWK, or base58 key). SDK must not transmit key material."
+      );
+    }
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ComplianceModule,
+  CredenceApiError,
+  CredenceAuthError,
+  CredenceAuthorizationError,
+  CredenceClient,
+  CredenceError,
+  CredenceNetworkError,
+  CredenceValidationError,
+  CredentialsModule,
+  DEFAULT_RETRY_CONFIG,
+  EvidenceModule,
+  HttpClient,
+  IdentityModule,
+  MessagingModule,
+  Oid4vciModule,
+  PaymentModule,
+  PresentationsModule,
+  RegistryAdminModule,
+  RegistryModule,
+  VdrModule,
+  isKeyMaterial,
+  rejectKeyMaterial,
+  toQueryParams,
+  validateDid,
+  validateRequired
+});
+//# sourceMappingURL=index.cjs.map