@semiotic-labs/agentium-sdk 0.2.1 → 0.4.0

package/dist/index.d.ts

@@ -1,3 +1,6 @@
+import type { VcStorage, VerificationResult, DidDocument, JwtHeader } from './vc/index.js';
+export * from './vc/index.js';
+export { ensureWasmReady, initLogging, verifyJwt, generateKeypair, getPublicKey } from './wasm.js';
 /**
  * Options for configuring the AgentiumClient.
  */
@@ -8,6 +11,36 @@ export interface AgentiumClientOptions {
      */
     baseURL?: string;
 }
+/**
+ * Supported OAuth grant types for token exchange.
+ */
+export type GrantType = 'api_key' | 'refresh_token' | 'privy_id_token' | 'google_id_token' | 'external_google';
+/**
+ * OAuth 2.0 token response from the backend.
+ */
+export interface OAuthTokenResponse {
+    /**
+     * JWT access token for authenticated API calls.
+     */
+    access_token: string;
+    /**
+     * JWT refresh token for obtaining new access tokens.
+     */
+    refresh_token: string;
+    /**
+     * Token type (always "Bearer").
+     */
+    token_type: string;
+    /**
+     * Token expiration time in seconds.
+     */
+    expires_in: number;
+    /**
+     * Space-separated scope string containing user info and DID.
+     * Format: "user did:pkh:eip155:1:0x... [new_user]"
+     */
+    scope: string;
+}
 /**
  * Represents the status of a user's badge.
  */
@@ -16,12 +49,9 @@ export interface Badge {
 }
 /**
  * The response payload from a successful connect identity call.
+ * Extends OAuth token response with parsed identity information.
  */
 export interface ConnectIdentityResponse {
-    /**
-     * The user's Privy ID.
-     */
-    privy_user_id: string;
     /**
      * The user's Decentralized Identifier (DID).
      */
@@ -30,6 +60,34 @@ export interface ConnectIdentityResponse {
      * Information about the user's badge status.
      */
     badge: Badge;
+    /**
+     * Whether this is a newly created identity.
+     */
+    isNew: boolean;
+    /**
+     * JWT access token for authenticated API calls.
+     */
+    accessToken: string;
+    /**
+     * JWT refresh token for obtaining new access tokens.
+     */
+    refreshToken: string;
+    /**
+     * Token expiration time in seconds.
+     */
+    expiresIn: number;
+}
+/**
+ * Options for connecting a Google identity.
+ */
+export interface ConnectGoogleIdentityOptions {
+    /**
+     * Skip audience validation for the Google token.
+     * Set to `true` when using tokens from external OAuth clients (e.g., zkLogin)
+     * that have a different Google Client ID than the backend.
+     * @default false
+     */
+    skipAudienceValidation?: boolean;
 }
 /**
  * Custom error class for API-related errors from the AgentiumClient.
@@ -44,7 +102,8 @@ export declare class AgentiumApiError extends Error {
 export declare class AgentiumClient {
     private readonly axiosInstance;
     private readonly DEFAULT_BASE_URL;
-    private readonly CONNECT_PATH;
+    private readonly OAUTH_TOKEN_PATH;
+    private vcStorage;
     /**
      * Creates an instance of the AgentiumClient.
      * @param options - Configuration options for the client.
@@ -53,12 +112,102 @@ export declare class AgentiumClient {
     /**
      * Connects a Google identity to an Agentium identity.
      * @param googleToken - The JWT token obtained from Google Sign-In.
-     * @returns A promise that resolves with the connection response, containing the user's DID and Privy ID.
+     * @param options - Optional configuration for the connection.
+     * @returns A promise that resolves with the connection response, containing the user's DID and tokens.
      * @throws {AgentiumApiError} Will throw a custom API error if the call fails.
-     *  - **400 (Bad Request):** The request was malformed (e.g., missing `id_token`).
+     *  - **400 (Bad Request):** The request was malformed or unsupported grant type.
      *  - **401 (Unauthorized):** The provided JWT token is invalid or expired.
      *  - **500 (Internal Server Error):** An unexpected error occurred on the server.
      */
-    connectGoogleIdentity(googleToken: string): Promise<ConnectIdentityResponse>;
+    connectGoogleIdentity(googleToken: string, options?: ConnectGoogleIdentityOptions): Promise<ConnectIdentityResponse>;
+    /**
+     * Exchanges an API key for JWT tokens (M2M authentication).
+     * @param apiKey - The API key to exchange.
+     * @returns A promise that resolves with the OAuth token response.
+     * @throws {AgentiumApiError} Will throw a custom API error if the call fails.
+     */
+    exchangeApiKey(apiKey: string): Promise<OAuthTokenResponse>;
+    /**
+     * Refreshes an access token using a refresh token.
+     * @param refreshTokenValue - The refresh token to use.
+     * @returns A promise that resolves with the new OAuth token response.
+     * @throws {AgentiumApiError} Will throw a custom API error if the call fails.
+     */
+    refreshToken(refreshTokenValue: string): Promise<OAuthTokenResponse>;
+    /**
+     * Exchanges a Privy ID token for JWT tokens.
+     * @param idToken - The Privy ID token to exchange.
+     * @returns A promise that resolves with the OAuth token response.
+     * @throws {AgentiumApiError} Will throw a custom API error if the call fails.
+     */
+    exchangePrivyToken(idToken: string): Promise<OAuthTokenResponse>;
+    /**
+     * Configures VC storage for persisting membership credentials.
+     * Call this with `createBrowserStorage()` in browser environments.
+     *
+     * @param storage - Storage implementation to use
+     */
+    setVcStorage(storage: VcStorage): void;
+    /**
+     * Retrieves the stored VC from storage (if any).
+     *
+     * @returns The stored JWT string, or null if none exists
+     */
+    getStoredCredential(): string | null;
+    /**
+     * Fetches the issuer's DID document from /.well-known/did.json.
+     * The DID document contains the public key used to verify VCs.
+     *
+     * @returns The issuer's DID document
+     * @throws {AgentiumApiError} If the request fails
+     */
+    fetchIssuerDidDocument(): Promise<DidDocument>;
+    /**
+     * Parses a JWT to extract the header (without verification).
+     *
+     * @param jwt - The JWT string
+     * @returns Parsed JWT header
+     * @throws {AgentiumApiError} If JWT format is invalid
+     */
+    parseJwtHeader(jwt: string): JwtHeader;
+    /**
+     * Extracts the public key JWK from a DID document.
+     * If a key ID (kid) is provided, finds the matching verification method.
+     * Otherwise, uses the first verification method.
+     *
+     * @param didDocument - The DID document to extract from
+     * @param kid - Optional key ID to match (from JWT header)
+     * @returns The public key as a JSON string
+     * @throws {AgentiumApiError} If no matching public key is found
+     */
+    extractPublicKeyJwk(didDocument: DidDocument, kid?: string): string;
+    /**
+     * Fetches a membership credential from the backend.
+     * Uses Privy auth token for authentication.
+     *
+     * @param privyToken - Privy auth token (NOT the accessToken from OAuth)
+     * @returns Raw JWT string
+     * @throws {AgentiumApiError} 401 if token invalid/expired, 403 if user banned
+     */
+    fetchMembershipCredential(privyToken: string): Promise<string>;
+    /**
+     * Verifies a JWT-VC against the issuer's public key.
+     * Extracts the key ID from the JWT header, fetches the DID document,
+     * finds the matching public key, and uses WASM for Ed25519 verification.
+     *
+     * @param jwt - The JWT-VC to verify
+     * @returns Verification result with validity status, decoded claims, and structured error if invalid
+     */
+    verifyCredential(jwt: string): Promise<VerificationResult>;
+    /**
+     * Full flow: fetch, verify, and store membership credential.
+     * Called immediately after identity connection ("Shadow Launch" mode).
+     *
+     * Per spec: errors are logged but user sees no change (silent failure).
+     *
+     * @param privyToken - Privy auth token
+     * @returns Verification result (always returns, never throws)
+     */
+    connectAndStoreMembership(privyToken: string): Promise<VerificationResult>;
 }
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAMA;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,KAAK;IACpB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACtC;;OAEG;IACH,aAAa,EAAE,MAAM,CAAC;IACtB;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IACZ;;OAEG;IACH,KAAK,EAAE,KAAK,CAAC;CACd;AAED;;GAEG;AACH,qBAAa,gBAAiB,SAAQ,KAAK;IACzC,SAAgB,UAAU,EAAE,MAAM,GAAG,SAAS,CAAC;gBAEnC,OAAO,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM;CAKjD;AAED;;GAEG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAgB;IAC9C,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAkC;IACnE,OAAO,CAAC,QAAQ,CAAC,YAAY,CAA0B;IAEvD;;;OAGG;gBACS,OAAO,GAAE,qBAA0B;IAO/C;;;;;;;;OAQG;IACG,qBAAqB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,uBAAuB,CAAC;CAcnF"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,SAAS,EAAE,kBAAkB,EAAE,WAAW,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAG3F,cAAc,eAAe,CAAC;AAC9B,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,SAAS,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAEnG;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,MAAM,SAAS,GACjB,SAAS,GACT,eAAe,GACf,gBAAgB,GAChB,iBAAiB,GACjB,iBAAiB,CAAC;AAEtB;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC;;OAEG;IACH,YAAY,EAAE,MAAM,CAAC;IACrB;;OAEG;IACH,aAAa,EAAE,MAAM,CAAC;IACtB;;OAEG;IACH,UAAU,EAAE,MAAM,CAAC;IACnB;;OAEG;IACH,UAAU,EAAE,MAAM,CAAC;IACnB;;;OAGG;IACH,KAAK,EAAE,MAAM,CAAC;CACf;AAED;;GAEG;AACH,MAAM,WAAW,KAAK;IACpB,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;;GAGG;AACH,MAAM,WAAW,uBAAuB;IACtC;;OAEG;IACH,GAAG,EAAE,MAAM,CAAC;IACZ;;OAEG;IACH,KAAK,EAAE,KAAK,CAAC;IACb;;OAEG;IACH,KAAK,EAAE,OAAO,CAAC;IACf;;OAEG;IACH,WAAW,EAAE,MAAM,CAAC;IACpB;;OAEG;IACH,YAAY,EAAE,MAAM,CAAC;IACrB;;OAEG;IACH,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC3C;;;;;OAKG;IACH,sBAAsB,CAAC,EAAE,OAAO,CAAC;CAClC;AAED;;GAEG;AACH,qBAAa,gBAAiB,SAAQ,KAAK;IACzC,SAAgB,UAAU,EAAE,MAAM,GAAG,SAAS,CAAC;gBAEnC,OAAO,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,MAAM;CAKjD;AAaD;;GAEG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAgB;IAC9C,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAkC;IACnE,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAkB;IACnD,OAAO,CAAC,SAAS,CAA0B;IAE3C;;;OAGG;gBACS,OAAO,GAAE,qBAA0B;IAO/C;;;;;;;;;OASG;IACG,qBAAqB,CACzB,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE,4BAAiC,GACzC,OAAO,CAAC,uBAAuB,CAAC;IA6BnC;;;;;OAKG;IACG,cAAc,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAejE;;;;;OAKG;IACG,YAAY,CAAC,iBAAiB,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAe1E;;;;;OAKG;IACG,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAmBtE;;;;;OAKG;IACH,YAAY,CAAC,OAAO,EAAE,SAAS,GAAG,IAAI;IAItC;;;;OAIG;IACH,mBAAmB,IAAI,MAAM,GAAG,IAAI;IAIpC;;;;;;OAMG;IACG,sBAAsB,IAAI,OAAO,CAAC,WAAW,CAAC;IAYpD;;;;;;OAMG;IACH,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS;IAiBtC;;;;;;;;;OASG;IACH,mBAAmB,CAAC,WAAW,EAAE,WAAW,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM;IAgCnE;;;;;;;OAOG;IACG,yBAAyB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAgBpE;;;;;;;OAOG;IACG,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IAQhE;;;;;;;;OAQG;IACG,yBAAyB,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;CA2BjF"}

package/dist/index.js

@@ -2,6 +2,10 @@
 //
 // SPDX-License-Identifier: MIT
 import axios, { isAxiosError } from 'axios';
+import { verifyJwt } from './wasm.js';
+// Re-export VC module types and utilities
+export * from './vc/index.js';
+export { ensureWasmReady, initLogging, verifyJwt, generateKeypair, getPublicKey } from './wasm.js';
 /**
  * Custom error class for API-related errors from the AgentiumClient.
  */
@@ -13,13 +17,24 @@ export class AgentiumApiError extends Error {
         this.statusCode = statusCode;
     }
 }
+/**
+ * Parses the OAuth scope string to extract the DID and new_user flag.
+ * Scope format: "user did:pkh:eip155:1:0x... [new_user]"
+ */
+function parseScopeForIdentity(scope) {
+    const parts = scope.split(/\s+/);
+    const did = parts.find((part) => part.startsWith('did:pkh:')) || '';
+    const isNew = parts.includes('new_user');
+    return { did, isNew };
+}
 /**
  * A client for interacting with the Agentium API.
  */
 export class AgentiumClient {
     axiosInstance;
     DEFAULT_BASE_URL = 'https://api.agentium.network';
-    CONNECT_PATH = '/v1/identity/connect';
+    OAUTH_TOKEN_PATH = '/oauth/token';
+    vcStorage = null;
     /**
      * Creates an instance of the AgentiumClient.
      * @param options - Configuration options for the client.
@@ -33,26 +48,270 @@ export class AgentiumClient {
     /**
      * Connects a Google identity to an Agentium identity.
      * @param googleToken - The JWT token obtained from Google Sign-In.
-     * @returns A promise that resolves with the connection response, containing the user's DID and Privy ID.
+     * @param options - Optional configuration for the connection.
+     * @returns A promise that resolves with the connection response, containing the user's DID and tokens.
      * @throws {AgentiumApiError} Will throw a custom API error if the call fails.
-     *  - **400 (Bad Request):** The request was malformed (e.g., missing `id_token`).
+     *  - **400 (Bad Request):** The request was malformed or unsupported grant type.
      *  - **401 (Unauthorized):** The provided JWT token is invalid or expired.
      *  - **500 (Internal Server Error):** An unexpected error occurred on the server.
      */
-    async connectGoogleIdentity(googleToken) {
+    async connectGoogleIdentity(googleToken, options = {}) {
+        const grantType = options.skipAudienceValidation
+            ? 'external_google'
+            : 'google_id_token';
         try {
-            const response = await this.axiosInstance.post(this.CONNECT_PATH, {
+            const response = await this.axiosInstance.post(this.OAUTH_TOKEN_PATH, {
+                grant_type: grantType,
                 id_token: googleToken,
             });
+            const { did, isNew } = parseScopeForIdentity(response.data.scope);
+            return {
+                did,
+                badge: { status: isNew ? 'Active' : 'Existing' },
+                isNew,
+                accessToken: response.data.access_token,
+                refreshToken: response.data.refresh_token,
+                expiresIn: response.data.expires_in,
+            };
+        }
+        catch (error) {
+            if (isAxiosError(error)) {
+                throw new AgentiumApiError(error.message, error.response?.status);
+            }
+            throw error;
+        }
+    }
+    /**
+     * Exchanges an API key for JWT tokens (M2M authentication).
+     * @param apiKey - The API key to exchange.
+     * @returns A promise that resolves with the OAuth token response.
+     * @throws {AgentiumApiError} Will throw a custom API error if the call fails.
+     */
+    async exchangeApiKey(apiKey) {
+        try {
+            const response = await this.axiosInstance.post(this.OAUTH_TOKEN_PATH, {
+                grant_type: 'api_key',
+                api_key: apiKey,
+            });
             return response.data;
         }
         catch (error) {
             if (isAxiosError(error)) {
                 throw new AgentiumApiError(error.message, error.response?.status);
             }
-            // Re-throw other unexpected errors
             throw error;
         }
     }
+    /**
+     * Refreshes an access token using a refresh token.
+     * @param refreshTokenValue - The refresh token to use.
+     * @returns A promise that resolves with the new OAuth token response.
+     * @throws {AgentiumApiError} Will throw a custom API error if the call fails.
+     */
+    async refreshToken(refreshTokenValue) {
+        try {
+            const response = await this.axiosInstance.post(this.OAUTH_TOKEN_PATH, {
+                grant_type: 'refresh_token',
+                refresh_token: refreshTokenValue,
+            });
+            return response.data;
+        }
+        catch (error) {
+            if (isAxiosError(error)) {
+                throw new AgentiumApiError(error.message, error.response?.status);
+            }
+            throw error;
+        }
+    }
+    /**
+     * Exchanges a Privy ID token for JWT tokens.
+     * @param idToken - The Privy ID token to exchange.
+     * @returns A promise that resolves with the OAuth token response.
+     * @throws {AgentiumApiError} Will throw a custom API error if the call fails.
+     */
+    async exchangePrivyToken(idToken) {
+        try {
+            const response = await this.axiosInstance.post(this.OAUTH_TOKEN_PATH, {
+                grant_type: 'privy_id_token',
+                id_token: idToken,
+            });
+            return response.data;
+        }
+        catch (error) {
+            if (isAxiosError(error)) {
+                throw new AgentiumApiError(error.message, error.response?.status);
+            }
+            throw error;
+        }
+    }
+    // ─────────────────────────────────────────────────────────────────────────────
+    // Verifiable Credentials (VC) Methods
+    // ─────────────────────────────────────────────────────────────────────────────
+    /**
+     * Configures VC storage for persisting membership credentials.
+     * Call this with `createBrowserStorage()` in browser environments.
+     *
+     * @param storage - Storage implementation to use
+     */
+    setVcStorage(storage) {
+        this.vcStorage = storage;
+    }
+    /**
+     * Retrieves the stored VC from storage (if any).
+     *
+     * @returns The stored JWT string, or null if none exists
+     */
+    getStoredCredential() {
+        return this.vcStorage?.get() ?? null;
+    }
+    /**
+     * Fetches the issuer's DID document from /.well-known/did.json.
+     * The DID document contains the public key used to verify VCs.
+     *
+     * @returns The issuer's DID document
+     * @throws {AgentiumApiError} If the request fails
+     */
+    async fetchIssuerDidDocument() {
+        try {
+            const response = await this.axiosInstance.get('/.well-known/did.json');
+            return response.data;
+        }
+        catch (error) {
+            if (isAxiosError(error)) {
+                throw new AgentiumApiError(error.message, error.response?.status);
+            }
+            throw error;
+        }
+    }
+    /**
+     * Parses a JWT to extract the header (without verification).
+     *
+     * @param jwt - The JWT string
+     * @returns Parsed JWT header
+     * @throws {AgentiumApiError} If JWT format is invalid
+     */
+    parseJwtHeader(jwt) {
+        const parts = jwt.split('.');
+        if (parts.length !== 3) {
+            throw new AgentiumApiError('Invalid JWT format: expected 3 parts');
+        }
+        const headerPart = parts[0];
+        if (!headerPart) {
+            throw new AgentiumApiError('Invalid JWT format: missing header');
+        }
+        try {
+            const headerJson = atob(headerPart.replace(/-/g, '+').replace(/_/g, '/'));
+            return JSON.parse(headerJson);
+        }
+        catch {
+            throw new AgentiumApiError('Invalid JWT header encoding');
+        }
+    }
+    /**
+     * Extracts the public key JWK from a DID document.
+     * If a key ID (kid) is provided, finds the matching verification method.
+     * Otherwise, uses the first verification method.
+     *
+     * @param didDocument - The DID document to extract from
+     * @param kid - Optional key ID to match (from JWT header)
+     * @returns The public key as a JSON string
+     * @throws {AgentiumApiError} If no matching public key is found
+     */
+    extractPublicKeyJwk(didDocument, kid) {
+        const methods = didDocument.verificationMethod;
+        if (!methods || methods.length === 0) {
+            throw new AgentiumApiError('No verification methods found in DID document');
+        }
+        let verificationMethod = methods[0];
+        // If kid is provided, find the matching verification method
+        if (kid) {
+            const matched = methods.find((m) => m.id === kid);
+            if (matched) {
+                verificationMethod = matched;
+            }
+            else {
+                // kid might be just the fragment (e.g., "key-1"), try matching suffix
+                const matchedByFragment = methods.find((m) => m.id.endsWith(`#${kid}`) || m.id === kid);
+                if (matchedByFragment) {
+                    verificationMethod = matchedByFragment;
+                }
+            }
+        }
+        if (!verificationMethod?.publicKeyJwk) {
+            throw new AgentiumApiError(kid ? `No public key found for kid: ${kid}` : 'No public key found in DID document');
+        }
+        return JSON.stringify(verificationMethod.publicKeyJwk);
+    }
+    /**
+     * Fetches a membership credential from the backend.
+     * Uses Privy auth token for authentication.
+     *
+     * @param privyToken - Privy auth token (NOT the accessToken from OAuth)
+     * @returns Raw JWT string
+     * @throws {AgentiumApiError} 401 if token invalid/expired, 403 if user banned
+     */
+    async fetchMembershipCredential(privyToken) {
+        try {
+            const response = await this.axiosInstance.post('/v1/credentials/membership', {}, { headers: { Authorization: `Bearer ${privyToken}` } });
+            return response.data.vc;
+        }
+        catch (error) {
+            if (isAxiosError(error)) {
+                throw new AgentiumApiError(error.message, error.response?.status);
+            }
+            throw error;
+        }
+    }
+    /**
+     * Verifies a JWT-VC against the issuer's public key.
+     * Extracts the key ID from the JWT header, fetches the DID document,
+     * finds the matching public key, and uses WASM for Ed25519 verification.
+     *
+     * @param jwt - The JWT-VC to verify
+     * @returns Verification result with validity status, decoded claims, and structured error if invalid
+     */
+    async verifyCredential(jwt) {
+        // Extract kid from JWT header to find the correct key
+        const header = this.parseJwtHeader(jwt);
+        const didDocument = await this.fetchIssuerDidDocument();
+        const publicKeyJwk = this.extractPublicKeyJwk(didDocument, header.kid);
+        return verifyJwt(jwt, publicKeyJwk);
+    }
+    /**
+     * Full flow: fetch, verify, and store membership credential.
+     * Called immediately after identity connection ("Shadow Launch" mode).
+     *
+     * Per spec: errors are logged but user sees no change (silent failure).
+     *
+     * @param privyToken - Privy auth token
+     * @returns Verification result (always returns, never throws)
+     */
+    async connectAndStoreMembership(privyToken) {
+        try {
+            const jwt = await this.fetchMembershipCredential(privyToken);
+            const result = await this.verifyCredential(jwt);
+            if (result.valid && this.vcStorage) {
+                this.vcStorage.set(jwt);
+                // TODO: Log analytics: "VC Success"
+            }
+            else if (!result.valid) {
+                // TODO: Log analytics: "VC Verification Failed"
+                console.warn('[Agentium] VC verification failed:', result.error);
+            }
+            return result;
+        }
+        catch (error) {
+            // Silent failure per spec - log but don't throw
+            // Note: verifyJwt no longer throws; this only catches fetch/DID errors
+            console.warn('[Agentium] VC fetch/verify error:', error);
+            return {
+                valid: false,
+                error: {
+                    code: 'VERIFICATION_FAILED',
+                    message: error instanceof Error ? error.message : String(error),
+                },
+            };
+        }
+    }
 }
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,iDAAiD;AACjD,EAAE;AACF,+BAA+B;AAE/B,OAAO,KAAK,EAAE,EAAE,YAAY,EAAsB,MAAM,OAAO,CAAC;AAsChE;;GAEG;AACH,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IACzB,UAAU,CAAqB;IAE/C,YAAY,OAAe,EAAE,UAAmB;QAC9C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;QAC/B,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,OAAO,cAAc;IACR,aAAa,CAAgB;IAC7B,gBAAgB,GAAG,8BAA8B,CAAC;IAClD,YAAY,GAAG,sBAAsB,CAAC;IAEvD;;;OAGG;IACH,YAAY,UAAiC,EAAE;QAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC,gBAAgB,CAAC;QACzD,IAAI,CAAC,aAAa,GAAG,KAAK,CAAC,MAAM,CAAC;YAChC,OAAO,EAAE,OAAO;SACjB,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,qBAAqB,CAAC,WAAmB;QAC7C,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,IAAI,CAA0B,IAAI,CAAC,YAAY,EAAE;gBACzF,QAAQ,EAAE,WAAW;aACtB,CAAC,CAAC;YACH,OAAO,QAAQ,CAAC,IAAI,CAAC;QACvB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;gBACxB,MAAM,IAAI,gBAAgB,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YACpE,CAAC;YACD,mCAAmC;YACnC,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;CACF"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,iDAAiD;AACjD,EAAE;AACF,+BAA+B;AAE/B,OAAO,KAAK,EAAE,EAAE,YAAY,EAAsB,MAAM,OAAO,CAAC;AAChE,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAGtC,0CAA0C;AAC1C,cAAc,eAAe,CAAC;AAC9B,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,SAAS,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAqGnG;;GAEG;AACH,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IACzB,UAAU,CAAqB;IAE/C,YAAY,OAAe,EAAE,UAAmB;QAC9C,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAC;QAC/B,IAAI,CAAC,UAAU,GAAG,UAAU,CAAC;IAC/B,CAAC;CACF;AAED;;;GAGG;AACH,SAAS,qBAAqB,CAAC,KAAa;IAC1C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IACjC,MAAM,GAAG,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,IAAI,EAAE,CAAC;IACpE,MAAM,KAAK,GAAG,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;IACzC,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;AACxB,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,cAAc;IACR,aAAa,CAAgB;IAC7B,gBAAgB,GAAG,8BAA8B,CAAC;IAClD,gBAAgB,GAAG,cAAc,CAAC;IAC3C,SAAS,GAAqB,IAAI,CAAC;IAE3C;;;OAGG;IACH,YAAY,UAAiC,EAAE;QAC7C,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,IAAI,CAAC,gBAAgB,CAAC;QACzD,IAAI,CAAC,aAAa,GAAG,KAAK,CAAC,MAAM,CAAC;YAChC,OAAO,EAAE,OAAO;SACjB,CAAC,CAAC;IACL,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,qBAAqB,CACzB,WAAmB,EACnB,UAAwC,EAAE;QAE1C,MAAM,SAAS,GAAc,OAAO,CAAC,sBAAsB;YACzD,CAAC,CAAC,iBAAiB;YACnB,CAAC,CAAC,iBAAiB,CAAC;QAEtB,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,IAAI,CAAqB,IAAI,CAAC,gBAAgB,EAAE;gBACxF,UAAU,EAAE,SAAS;gBACrB,QAAQ,EAAE,WAAW;aACtB,CAAC,CAAC;YAEH,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,qBAAqB,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAElE,OAAO;gBACL,GAAG;gBACH,KAAK,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,EAAE;gBAChD,KAAK;gBACL,WAAW,EAAE,QAAQ,CAAC,IAAI,CAAC,YAAY;gBACvC,YAAY,EAAE,QAAQ,CAAC,IAAI,CAAC,aAAa;gBACzC,SAAS,EAAE,QAAQ,CAAC,IAAI,CAAC,UAAU;aACpC,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;gBACxB,MAAM,IAAI,gBAAgB,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YACpE,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,cAAc,CAAC,MAAc;QACjC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,IAAI,CAAqB,IAAI,CAAC,gBAAgB,EAAE;gBACxF,UAAU,EAAE,SAAsB;gBAClC,OAAO,EAAE,MAAM;aAChB,CAAC,CAAC;YACH,OAAO,QAAQ,CAAC,IAAI,CAAC;QACvB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;gBACxB,MAAM,IAAI,gBAAgB,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YACpE,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,YAAY,CAAC,iBAAyB;QAC1C,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,IAAI,CAAqB,IAAI,CAAC,gBAAgB,EAAE;gBACxF,UAAU,EAAE,eAA4B;gBACxC,aAAa,EAAE,iBAAiB;aACjC,CAAC,CAAC;YACH,OAAO,QAAQ,CAAC,IAAI,CAAC;QACvB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;gBACxB,MAAM,IAAI,gBAAgB,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YACpE,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,kBAAkB,CAAC,OAAe;QACtC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,IAAI,CAAqB,IAAI,CAAC,gBAAgB,EAAE;gBACxF,UAAU,EAAE,gBAA6B;gBACzC,QAAQ,EAAE,OAAO;aAClB,CAAC,CAAC;YACH,OAAO,QAAQ,CAAC,IAAI,CAAC;QACvB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;gBACxB,MAAM,IAAI,gBAAgB,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YACpE,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED,gFAAgF;IAChF,sCAAsC;IACtC,gFAAgF;IAEhF;;;;;OAKG;IACH,YAAY,CAAC,OAAkB;QAC7B,IAAI,CAAC,SAAS,GAAG,OAAO,CAAC;IAC3B,CAAC;IAED;;;;OAIG;IACH,mBAAmB;QACjB,OAAO,IAAI,CAAC,SAAS,EAAE,GAAG,EAAE,IAAI,IAAI,CAAC;IACvC,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,sBAAsB;QAC1B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,GAAG,CAAc,uBAAuB,CAAC,CAAC;YACpF,OAAO,QAAQ,CAAC,IAAI,CAAC;QACvB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;gBACxB,MAAM,IAAI,gBAAgB,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YACpE,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,cAAc,CAAC,GAAW;QACxB,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,gBAAgB,CAAC,sCAAsC,CAAC,CAAC;QACrE,CAAC;QACD,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAC5B,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,gBAAgB,CAAC,oCAAoC,CAAC,CAAC;QACnE,CAAC;QACD,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,CAAC;YAC1E,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAc,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,IAAI,gBAAgB,CAAC,6BAA6B,CAAC,CAAC;QAC5D,CAAC;IACH,CAAC;IAED;;;;;;;;;OASG;IACH,mBAAmB,CAAC,WAAwB,EAAE,GAAY;QACxD,MAAM,OAAO,GAAG,WAAW,CAAC,kBAAkB,CAAC;QAE/C,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrC,MAAM,IAAI,gBAAgB,CAAC,+CAA+C,CAAC,CAAC;QAC9E,CAAC;QAED,IAAI,kBAAkB,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC;QAEpC,4DAA4D;QAC5D,IAAI,GAAG,EAAE,CAAC;YACR,MAAM,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC;YAClD,IAAI,OAAO,EAAE,CAAC;gBACZ,kBAAkB,GAAG,OAAO,CAAC;YAC/B,CAAC;iBAAM,CAAC;gBACN,sEAAsE;gBACtE,MAAM,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,QAAQ,CAAC,IAAI,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC;gBACxF,IAAI,iBAAiB,EAAE,CAAC;oBACtB,kBAAkB,GAAG,iBAAiB,CAAC;gBACzC,CAAC;YACH,CAAC;QACH,CAAC;QAED,IAAI,CAAC,kBAAkB,EAAE,YAAY,EAAE,CAAC;YACtC,MAAM,IAAI,gBAAgB,CACxB,GAAG,CAAC,CAAC,CAAC,gCAAgC,GAAG,EAAE,CAAC,CAAC,CAAC,qCAAqC,CACpF,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC,SAAS,CAAC,kBAAkB,CAAC,YAAY,CAAC,CAAC;IACzD,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,yBAAyB,CAAC,UAAkB;QAChD,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,IAAI,CAC5C,4BAA4B,EAC5B,EAAE,EACF,EAAE,OAAO,EAAE,EAAE,aAAa,EAAE,UAAU,UAAU,EAAE,EAAE,EAAE,CACvD,CAAC;YACF,OAAO,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1B,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC;gBACxB,MAAM,IAAI,gBAAgB,CAAC,KAAK,CAAC,OAAO,EAAE,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YACpE,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,gBAAgB,CAAC,GAAW;QAChC,sDAAsD;QACtD,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;QACxC,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,sBAAsB,EAAE,CAAC;QACxD,MAAM,YAAY,GAAG,IAAI,CAAC,mBAAmB,CAAC,WAAW,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC;QACvE,OAAO,SAAS,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IACtC,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,yBAAyB,CAAC,UAAkB;QAChD,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,yBAAyB,CAAC,UAAU,CAAC,CAAC;YAC7D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;YAEhD,IAAI,MAAM,CAAC,KAAK,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;gBACnC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBACxB,oCAAoC;YACtC,CAAC;iBAAM,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;gBACzB,gDAAgD;gBAChD,OAAO,CAAC,IAAI,CAAC,oCAAoC,EAAE,MAAM,CAAC,KAAK,CAAC,CAAC;YACnE,CAAC;YAED,OAAO,MAAM,CAAC;QAChB,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,gDAAgD;YAChD,uEAAuE;YACvE,OAAO,CAAC,IAAI,CAAC,mCAAmC,EAAE,KAAK,CAAC,CAAC;YACzD,OAAO;gBACL,KAAK,EAAE,KAAK;gBACZ,KAAK,EAAE;oBACL,IAAI,EAAE,qBAAqB;oBAC3B,OAAO,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;iBAChE;aACF,CAAC;QACJ,CAAC;IACH,CAAC;CACF"}

package/dist/vc/index.d.ts

@@ -0,0 +1,4 @@
+export type { CredentialSubject, VerifiableCredential, VcJwtClaims, VerificationResult, VerificationError, DidDocument, VerificationMethod, JsonWebKey, JwtHeader, KeyPair, VcErrorCode, WasmVcError, } from './types.js';
+export { isWasmVcError } from './types.js';
+export { type VcStorage, createBrowserStorage, createMemoryStorage } from './storage.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/vc/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/vc/index.ts"],"names":[],"mappings":"AAIA,YAAY,EACV,iBAAiB,EACjB,oBAAoB,EACpB,WAAW,EACX,kBAAkB,EAClB,iBAAiB,EACjB,WAAW,EACX,kBAAkB,EAClB,UAAU,EACV,SAAS,EACT,OAAO,EACP,WAAW,EACX,WAAW,GACZ,MAAM,YAAY,CAAC;AACpB,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE3C,OAAO,EAAE,KAAK,SAAS,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC"}

package/dist/vc/index.js

@@ -0,0 +1,6 @@
+// SPDX-FileCopyrightText: 2025 Semiotic AI, Inc.
+//
+// SPDX-License-Identifier: MIT
+export { isWasmVcError } from './types.js';
+export { createBrowserStorage, createMemoryStorage } from './storage.js';
+//# sourceMappingURL=index.js.map

package/dist/vc/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/vc/index.ts"],"names":[],"mappings":"AAAA,iDAAiD;AACjD,EAAE;AACF,+BAA+B;AAgB/B,OAAO,EAAE,aAAa,EAAE,MAAM,YAAY,CAAC;AAE3C,OAAO,EAAkB,oBAAoB,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAC"}

package/dist/vc/storage.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Storage interface for persisting membership VCs.
+ */
+export interface VcStorage {
+    /** Retrieve the stored VC JWT, or null if none exists */
+    get(): string | null;
+    /** Store a VC JWT */
+    set(jwt: string): void;
+    /** Remove the stored VC */
+    clear(): void;
+}
+/**
+ * Creates a browser storage implementation using LocalStorage.
+ * Use this in browser environments.
+ *
+ * @returns VcStorage implementation backed by LocalStorage
+ */
+export declare function createBrowserStorage(): VcStorage;
+/**
+ * Creates an in-memory storage implementation.
+ * Use this for Node.js environments or testing.
+ *
+ * @returns VcStorage implementation backed by memory
+ */
+export declare function createMemoryStorage(): VcStorage;
+//# sourceMappingURL=storage.d.ts.map

package/dist/vc/storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../../src/vc/storage.ts"],"names":[],"mappings":"AAMA;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,yDAAyD;IACzD,GAAG,IAAI,MAAM,GAAG,IAAI,CAAC;IACrB,qBAAqB;IACrB,GAAG,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,2BAA2B;IAC3B,KAAK,IAAI,IAAI,CAAC;CACf;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,IAAI,SAAS,CAMhD;AAED;;;;;GAKG;AACH,wBAAgB,mBAAmB,IAAI,SAAS,CAW/C"}

package/dist/vc/storage.js

@@ -0,0 +1,36 @@
+// SPDX-FileCopyrightText: 2025 Semiotic AI, Inc.
+//
+// SPDX-License-Identifier: MIT
+const STORAGE_KEY = 'agentium:membership_vc';
+/**
+ * Creates a browser storage implementation using LocalStorage.
+ * Use this in browser environments.
+ *
+ * @returns VcStorage implementation backed by LocalStorage
+ */
+export function createBrowserStorage() {
+    return {
+        get: () => localStorage.getItem(STORAGE_KEY),
+        set: (jwt) => localStorage.setItem(STORAGE_KEY, jwt),
+        clear: () => localStorage.removeItem(STORAGE_KEY),
+    };
+}
+/**
+ * Creates an in-memory storage implementation.
+ * Use this for Node.js environments or testing.
+ *
+ * @returns VcStorage implementation backed by memory
+ */
+export function createMemoryStorage() {
+    let stored = null;
+    return {
+        get: () => stored,
+        set: (jwt) => {
+            stored = jwt;
+        },
+        clear: () => {
+            stored = null;
+        },
+    };
+}
+//# sourceMappingURL=storage.js.map

package/dist/vc/storage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage.js","sourceRoot":"","sources":["../../src/vc/storage.ts"],"names":[],"mappings":"AAAA,iDAAiD;AACjD,EAAE;AACF,+BAA+B;AAE/B,MAAM,WAAW,GAAG,wBAAwB,CAAC;AAc7C;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB;IAClC,OAAO;QACL,GAAG,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,WAAW,CAAC;QAC5C,GAAG,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,YAAY,CAAC,OAAO,CAAC,WAAW,EAAE,GAAG,CAAC;QACpD,KAAK,EAAE,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,WAAW,CAAC;KAClD,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,mBAAmB;IACjC,IAAI,MAAM,GAAkB,IAAI,CAAC;IACjC,OAAO;QACL,GAAG,EAAE,GAAG,EAAE,CAAC,MAAM;QACjB,GAAG,EAAE,CAAC,GAAG,EAAE,EAAE;YACX,MAAM,GAAG,GAAG,CAAC;QACf,CAAC;QACD,KAAK,EAAE,GAAG,EAAE;YACV,MAAM,GAAG,IAAI,CAAC;QAChB,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/vc/test-helpers.d.ts

@@ -0,0 +1,56 @@
+import type { DidDocument } from './types.js';
+/**
+ * Test keypair with JWK strings (matching WASM output format).
+ */
+export interface TestKeyPair {
+    privateJwk: string;
+    publicJwk: string;
+}
+/**
+ * Options for issuing a test JWT-VC.
+ */
+export interface IssueJwtOptions {
+    /** Issuer DID (e.g., did:web:api.agentium.network) */
+    issuerDid: string;
+    /** Subject DID (e.g., did:pkh:eip155:1:0x...) */
+    subjectDid: string;
+    /** Enrollment time (ISO 8601 format) */
+    enrollmentTime?: string;
+    privateJwk: string;
+    /** Hours until expiration (default: 24). Use negative for expired JWTs. */
+    expiresInHours?: number;
+    /** Key ID to include in JWT header (for DID resolution) */
+    kid?: string;
+}
+/**
+ * Generate an Ed25519 keypair for testing.
+ * Returns JWK strings matching the WASM generate_keypair() output format.
+ */
+export declare function generateTestKeypair(): Promise<TestKeyPair>;
+/**
+ * Issue a W3C-compliant JWT-VC matching backend SSI structure.
+ */
+export declare function issueTestJwt(options: IssueJwtOptions): Promise<string>;
+/**
+ * Generate a DID document for testing.
+ * Uses camelCase field names matching W3C spec and backend.
+ */
+export declare function generateTestDidDocument(did: string, publicJwk: string, keyId?: string): DidDocument;
+/**
+ * Create a complete test fixture with keypair, DID document, and JWT.
+ */
+export declare function createTestFixture(options?: {
+    did?: string;
+    subjectDid?: string;
+    enrollmentTime?: string;
+    keyId?: string;
+    expiresInHours?: number;
+}): Promise<{
+    keypair: TestKeyPair;
+    didDocument: DidDocument;
+    jwt: string;
+    did: string;
+    subjectDid: string;
+    enrollmentTime: string;
+}>;
+//# sourceMappingURL=test-helpers.d.ts.map

package/dist/vc/test-helpers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"test-helpers.d.ts","sourceRoot":"","sources":["../../src/vc/test-helpers.ts"],"names":[],"mappings":"AAWA,OAAO,KAAK,EAAE,WAAW,EAAuD,MAAM,YAAY,CAAC;AAEnG;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,sDAAsD;IACtD,SAAS,EAAE,MAAM,CAAC;IAClB,iDAAiD;IACjD,UAAU,EAAE,MAAM,CAAC;IACnB,wCAAwC;IACxC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,2EAA2E;IAC3E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,2DAA2D;IAC3D,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;;GAGG;AACH,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,WAAW,CAAC,CAahE;AAED;;GAEG;AACH,wBAAsB,YAAY,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC,CAwC5E;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CACrC,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,MAAM,EACjB,KAAK,GAAE,MAAgB,GACtB,WAAW,CAgBb;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,OAAO,CAAC,EAAE;IAChD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;;;;;;;GA6BA"}

package/dist/vc/test-helpers.js

@@ -0,0 +1,101 @@
+// SPDX-FileCopyrightText: 2025 Semiotic AI, Inc.
+//
+// SPDX-License-Identifier: MIT
+/**
+ * Test helpers for VC integration tests.
+ * Uses jose library for Ed25519 JWT signing.
+ * Generates W3C-compliant VCs matching backend SSI implementation.
+ */
+import * as jose from 'jose';
+/**
+ * Generate an Ed25519 keypair for testing.
+ * Returns JWK strings matching the WASM generate_keypair() output format.
+ */
+export async function generateTestKeypair() {
+    const { privateKey, publicKey } = await jose.generateKeyPair('EdDSA', {
+        crv: 'Ed25519',
+        extractable: true,
+    });
+    const privateJwk = await jose.exportJWK(privateKey);
+    const publicJwk = await jose.exportJWK(publicKey);
+    return {
+        privateJwk: JSON.stringify(privateJwk),
+        publicJwk: JSON.stringify(publicJwk),
+    };
+}
+/**
+ * Issue a W3C-compliant JWT-VC matching backend SSI structure.
+ */
+export async function issueTestJwt(options) {
+    const { issuerDid, subjectDid, enrollmentTime = new Date().toISOString(), privateJwk, expiresInHours = 24, kid, } = options;
+    const jwk = JSON.parse(privateJwk);
+    const privateKey = await jose.importJWK(jwk, 'EdDSA');
+    const now = Math.floor(Date.now() / 1000);
+    const exp = now + expiresInHours * 3600;
+    // Build W3C VC structure matching backend SSI output
+    const credentialSubject = {
+        id: subjectDid,
+        enrollmentTime: enrollmentTime,
+    };
+    const vc = {
+        '@context': ['https://www.w3.org/2018/credentials/v1'],
+        type: ['VerifiableCredential'],
+        issuer: { id: issuerDid },
+        issuanceDate: enrollmentTime,
+        credentialSubject: credentialSubject,
+    };
+    // JWT claims with nested VC (W3C JWT-VC format)
+    const builder = new jose.SignJWT({
+        vc,
+    })
+        .setProtectedHeader({ alg: 'EdDSA', typ: 'JWT', ...(kid ? { kid } : {}) })
+        .setSubject(subjectDid)
+        .setIssuedAt(now)
+        .setExpirationTime(exp);
+    return builder.sign(privateKey);
+}
+/**
+ * Generate a DID document for testing.
+ * Uses camelCase field names matching W3C spec and backend.
+ */
+export function generateTestDidDocument(did, publicJwk, keyId = 'key-1') {
+    const publicKey = JSON.parse(publicJwk);
+    const fullKeyId = `${did}#${keyId}`;
+    return {
+        id: did,
+        verificationMethod: [
+            {
+                id: fullKeyId,
+                type: 'JsonWebKey2020',
+                controller: did,
+                publicKeyJwk: publicKey,
+            },
+        ],
+        authentication: [fullKeyId],
+    };
+}
+/**
+ * Create a complete test fixture with keypair, DID document, and JWT.
+ */
+export async function createTestFixture(options) {
+    const { did = 'did:web:test.example', subjectDid = 'did:pkh:eip155:1:0x1234567890abcdef', enrollmentTime = new Date().toISOString(), keyId = 'key-1', expiresInHours = 24, } = options ?? {};
+    const keypair = await generateTestKeypair();
+    const didDocument = generateTestDidDocument(did, keypair.publicJwk, keyId);
+    const jwt = await issueTestJwt({
+        issuerDid: did,
+        subjectDid,
+        enrollmentTime,
+        privateJwk: keypair.privateJwk,
+        expiresInHours,
+        kid: `${did}#${keyId}`,
+    });
+    return {
+        keypair,
+        didDocument,
+        jwt,
+        did,
+        subjectDid,
+        enrollmentTime,
+    };
+}
+//# sourceMappingURL=test-helpers.js.map

package/dist/vc/test-helpers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"test-helpers.js","sourceRoot":"","sources":["../../src/vc/test-helpers.ts"],"names":[],"mappings":"AAAA,iDAAiD;AACjD,EAAE;AACF,+BAA+B;AAE/B;;;;GAIG;AAEH,OAAO,KAAK,IAAI,MAAM,MAAM,CAAC;AA4B7B;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE;QACpE,GAAG,EAAE,SAAS;QACd,WAAW,EAAE,IAAI;KAClB,CAAC,CAAC;IAEH,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;IACpD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IAElD,OAAO;QACL,UAAU,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC;QACtC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC;KACrC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,OAAwB;IACzD,MAAM,EACJ,SAAS,EACT,UAAU,EACV,cAAc,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EACzC,UAAU,EACV,cAAc,GAAG,EAAE,EACnB,GAAG,GACJ,GAAG,OAAO,CAAC;IAEZ,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAa,CAAC;IAC/C,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;IAEtD,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,GAAG,GAAG,cAAc,GAAG,IAAI,CAAC;IAExC,qDAAqD;IACrD,MAAM,iBAAiB,GAAsB;QAC3C,EAAE,EAAE,UAAU;QACd,cAAc,EAAE,cAAc;KAC/B,CAAC;IAEF,MAAM,EAAE,GAAyB;QAC/B,UAAU,EAAE,CAAC,wCAAwC,CAAC;QACtD,IAAI,EAAE,CAAC,sBAAsB,CAAC;QAC9B,MAAM,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE;QACzB,YAAY,EAAE,cAAc;QAC5B,iBAAiB,EAAE,iBAAiB;KACrC,CAAC;IAEF,gDAAgD;IAChD,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC;QAC/B,EAAE;KACH,CAAC;SACC,kBAAkB,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;SACzE,UAAU,CAAC,UAAU,CAAC;SACtB,WAAW,CAAC,GAAG,CAAC;SAChB,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAE1B,OAAO,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;AAClC,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,uBAAuB,CACrC,GAAW,EACX,SAAiB,EACjB,QAAgB,OAAO;IAEvB,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,SAAS,CAAe,CAAC;IACtD,MAAM,SAAS,GAAG,GAAG,GAAG,IAAI,KAAK,EAAE,CAAC;IAEpC,OAAO;QACL,EAAE,EAAE,GAAG;QACP,kBAAkB,EAAE;YAClB;gBACE,EAAE,EAAE,SAAS;gBACb,IAAI,EAAE,gBAAgB;gBACtB,UAAU,EAAE,GAAG;gBACf,YAAY,EAAE,SAAS;aACxB;SACF;QACD,cAAc,EAAE,CAAC,SAAS,CAAC;KAC5B,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,OAMvC;IACC,MAAM,EACJ,GAAG,GAAG,sBAAsB,EAC5B,UAAU,GAAG,qCAAqC,EAClD,cAAc,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EACzC,KAAK,GAAG,OAAO,EACf,cAAc,GAAG,EAAE,GACpB,GAAG,OAAO,IAAI,EAAE,CAAC;IAElB,MAAM,OAAO,GAAG,MAAM,mBAAmB,EAAE,CAAC;IAC5C,MAAM,WAAW,GAAG,uBAAuB,CAAC,GAAG,EAAE,OAAO,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IAE3E,MAAM,GAAG,GAAG,MAAM,YAAY,CAAC;QAC7B,SAAS,EAAE,GAAG;QACd,UAAU;QACV,cAAc;QACd,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,cAAc;QACd,GAAG,EAAE,GAAG,GAAG,IAAI,KAAK,EAAE;KACvB,CAAC,CAAC;IAEH,OAAO;QACL,OAAO;QACP,WAAW;QACX,GAAG;QACH,GAAG;QACH,UAAU;QACV,cAAc;KACf,CAAC;AACJ,CAAC"}

package/dist/vc/types.d.ts

@@ -0,0 +1,140 @@
+/**
+ * Credential subject containing user identity and enrollment info.
+ * Matches backend's MembershipCredentialSubject.
+ */
+export interface CredentialSubject {
+    /** User's DID (did:pkh) */
+    id: string;
+    /** Enrollment timestamp (ISO 8601 format) */
+    enrollmentTime: string;
+}
+/**
+ * W3C Verifiable Credential structure.
+ * Backend issues VCs using SSI library with this structure.
+ */
+export interface VerifiableCredential {
+    /** JSON-LD context */
+    '@context': string[];
+    /** Credential types */
+    type: string[];
+    /** Issuer DID (as object with id) */
+    issuer: {
+        id: string;
+    };
+    /** Issuance date (ISO 8601 format) */
+    issuanceDate: string;
+    /** Credential subject with user info */
+    credentialSubject: CredentialSubject;
+}
+/**
+ * JWT claims structure for W3C VC (as issued by backend).
+ * The VC is nested under the 'vc' claim per JWT-VC spec.
+ * This is returned directly from verification - matches backend exactly.
+ */
+export interface VcJwtClaims {
+    /** The Verifiable Credential */
+    vc: VerifiableCredential;
+    /** Subject (user DID) */
+    sub: string;
+    /** Expiration time (Unix timestamp) */
+    exp: number;
+    /** Issued at time (Unix timestamp, optional) */
+    iat?: number;
+}
+/**
+ * Structured error returned in VerificationResult when verification fails.
+ */
+export interface VerificationError {
+    /** Stable error code */
+    code: VcErrorCode;
+    /** Human-readable error message */
+    message: string;
+    /** Optional metadata (e.g., expiredAt for JWT_EXPIRED) */
+    data?: {
+        expiredAt?: string;
+    } | undefined;
+}
+/**
+ * Result of JWT-VC verification from WASM module.
+ */
+export interface VerificationResult {
+    /** Whether the signature is valid and claims passed validation */
+    valid: boolean;
+    /** JWT claims if verification succeeded (matches backend structure exactly) */
+    claims?: VcJwtClaims | undefined;
+    /** Structured error if verification failed */
+    error?: VerificationError | undefined;
+}
+/**
+ * W3C DID Document structure (subset of fields we need).
+ */
+export interface DidDocument {
+    /** DID identifier (e.g., "did:web:api.agentium.network") */
+    id: string;
+    /** Verification methods containing public keys (camelCase per W3C spec) */
+    verificationMethod: VerificationMethod[];
+    /** Authentication method references */
+    authentication?: string[];
+}
+/**
+ * Verification method within a DID Document.
+ */
+export interface VerificationMethod {
+    /** Full key ID (e.g., "did:web:api.agentium.network#key-1") */
+    id: string;
+    /** Key type (e.g., "JsonWebKey2020") */
+    type: string;
+    /** Controller DID */
+    controller: string;
+    /** Public key in JWK format */
+    publicKeyJwk: JsonWebKey;
+}
+/**
+ * JWT header structure for extracting key ID.
+ */
+export interface JwtHeader {
+    /** Algorithm (e.g., "EdDSA") */
+    alg: string;
+    /** Token type (usually "JWT") */
+    typ?: string;
+    /** Key ID - references verification method in DID document */
+    kid?: string;
+}
+/**
+ * JSON Web Key structure for Ed25519 keys.
+ */
+export interface JsonWebKey {
+    /** Key type (always "OKP" for Ed25519) */
+    kty: string;
+    /** Curve (always "Ed25519") */
+    crv: string;
+    /** Public key material (base64url encoded) */
+    x: string;
+    /** Private key material (base64url encoded) - only present in private keys */
+    d?: string | undefined;
+}
+/**
+ * Key pair returned from WASM generate_keypair().
+ */
+export interface KeyPair {
+    /** Full JWK with private key material (keep secret!) */
+    private_key: JsonWebKey;
+    /** Public JWK (safe to share) */
+    public_key: JsonWebKey;
+}
+export type VcErrorCode = 'JWT_EXPIRED' | 'INVALID_JWT_FORMAT' | 'INVALID_JWK' | 'VERIFICATION_FAILED' | 'CLAIMS_VALIDATION' | 'SERIALIZATION_ERROR' | 'DECODE_ERROR' | 'KEY_GENERATION' | 'SIGNING_FAILED';
+export interface JwtExpiredError {
+    code: 'JWT_EXPIRED';
+    message: string;
+    data: {
+        expiredAt: string;
+    };
+}
+export interface GenericVcError {
+    code: Exclude<VcErrorCode, 'JWT_EXPIRED'>;
+    message: string;
+    data?: undefined;
+}
+export type WasmVcError = JwtExpiredError | GenericVcError;
+export declare function isWasmVcError(e: unknown): e is WasmVcError;
+//# sourceMappingURL=types.d.ts.map

package/dist/vc/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/vc/types.ts"],"names":[],"mappings":"AAIA;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,2BAA2B;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,6CAA6C;IAC7C,cAAc,EAAE,MAAM,CAAC;CACxB;AAED;;;GAGG;AACH,MAAM,WAAW,oBAAoB;IACnC,sBAAsB;IACtB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,uBAAuB;IACvB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,qCAAqC;IACrC,MAAM,EAAE;QAAE,EAAE,EAAE,MAAM,CAAA;KAAE,CAAC;IACvB,sCAAsC;IACtC,YAAY,EAAE,MAAM,CAAC;IACrB,wCAAwC;IACxC,iBAAiB,EAAE,iBAAiB,CAAC;CACtC;AAED;;;;GAIG;AACH,MAAM,WAAW,WAAW;IAC1B,gCAAgC;IAChC,EAAE,EAAE,oBAAoB,CAAC;IACzB,yBAAyB;IACzB,GAAG,EAAE,MAAM,CAAC;IACZ,uCAAuC;IACvC,GAAG,EAAE,MAAM,CAAC;IACZ,gDAAgD;IAChD,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,wBAAwB;IACxB,IAAI,EAAE,WAAW,CAAC;IAClB,mCAAmC;IACnC,OAAO,EAAE,MAAM,CAAC;IAChB,0DAA0D;IAC1D,IAAI,CAAC,EAAE;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,SAAS,CAAC;CAC3C;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,kEAAkE;IAClE,KAAK,EAAE,OAAO,CAAC;IACf,+EAA+E;IAC/E,MAAM,CAAC,EAAE,WAAW,GAAG,SAAS,CAAC;IACjC,8CAA8C;IAC9C,KAAK,CAAC,EAAE,iBAAiB,GAAG,SAAS,CAAC;CACvC;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,4DAA4D;IAC5D,EAAE,EAAE,MAAM,CAAC;IACX,2EAA2E;IAC3E,kBAAkB,EAAE,kBAAkB,EAAE,CAAC;IACzC,uCAAuC;IACvC,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED;;GAEG;AACH,MAAM,WAAW,kBAAkB;IACjC,+DAA+D;IAC/D,EAAE,EAAE,MAAM,CAAC;IACX,wCAAwC;IACxC,IAAI,EAAE,MAAM,CAAC;IACb,qBAAqB;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,+BAA+B;IAC/B,YAAY,EAAE,UAAU,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB,gCAAgC;IAChC,GAAG,EAAE,MAAM,CAAC;IACZ,iCAAiC;IACjC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,8DAA8D;IAC9D,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,0CAA0C;IAC1C,GAAG,EAAE,MAAM,CAAC;IACZ,+BAA+B;IAC/B,GAAG,EAAE,MAAM,CAAC;IACZ,8CAA8C;IAC9C,CAAC,EAAE,MAAM,CAAC;IACV,8EAA8E;IAC9E,CAAC,CAAC,EAAE,MAAM,GAAG,SAAS,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,OAAO;IACtB,wDAAwD;IACxD,WAAW,EAAE,UAAU,CAAC;IACxB,iCAAiC;IACjC,UAAU,EAAE,UAAU,CAAC;CACxB;AAKD,MAAM,MAAM,WAAW,GACnB,aAAa,GACb,oBAAoB,GACpB,aAAa,GACb,qBAAqB,GACrB,mBAAmB,GACnB,qBAAqB,GACrB,cAAc,GACd,gBAAgB,GAChB,gBAAgB,CAAC;AAErB,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,aAAa,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE;QAAE,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC;CAC7B;AAED,MAAM,WAAW,cAAc;IAC7B,IAAI,EAAE,OAAO,CAAC,WAAW,EAAE,aAAa,CAAC,CAAC;IAC1C,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,SAAS,CAAC;CAClB;AAED,MAAM,MAAM,WAAW,GAAG,eAAe,GAAG,cAAc,CAAC;AAE3D,wBAAgB,aAAa,CAAC,CAAC,EAAE,OAAO,GAAG,CAAC,IAAI,WAAW,CAI1D"}

package/dist/vc/types.js

@@ -0,0 +1,10 @@
+// SPDX-FileCopyrightText: 2025 Semiotic AI, Inc.
+//
+// SPDX-License-Identifier: MIT
+export function isWasmVcError(e) {
+    if (typeof e !== 'object' || e === null)
+        return false;
+    const anyE = e;
+    return typeof anyE.code === 'string' && typeof anyE.message === 'string';
+}
+//# sourceMappingURL=types.js.map

package/dist/vc/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/vc/types.ts"],"names":[],"mappings":"AAAA,iDAAiD;AACjD,EAAE;AACF,+BAA+B;AAgK/B,MAAM,UAAU,aAAa,CAAC,CAAU;IACtC,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,IAAI;QAAE,OAAO,KAAK,CAAC;IACtD,MAAM,IAAI,GAAG,CAA0C,CAAC;IACxD,OAAO,OAAO,IAAI,CAAC,IAAI,KAAK,QAAQ,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,CAAC;AAC3E,CAAC"}

package/dist/wasm.d.ts

@@ -0,0 +1,48 @@
+import { type InitInput } from '@semiotic-labs/agentium-sdk-wasm';
+import type { VerificationResult, KeyPair } from './vc/types.js';
+/**
+ * Ensures the WASM module is loaded and ready.
+ * Uses lazy initialization - only loads on first call.
+ *
+ * @param wasmUrl - Optional URL/path to the WASM binary. If not provided,
+ *                  defaults to resolving `wasm_bg.wasm` relative to the JS module.
+ *                  For browser usage with bundlers like Vite, you may need:
+ *                  ```ts
+ *                  import wasmUrl from 'wasm/wasm_bg.wasm?url';
+ *                  await ensureWasmReady(wasmUrl);
+ *                  ```
+ * @returns Promise that resolves when WASM is ready
+ */
+export declare function ensureWasmReady(wasmUrl?: InitInput): Promise<void>;
+/**
+ * Initialize WASM logging to browser console.
+ * Call once after ensureWasmReady() to enable debug output.
+ */
+export declare function initLogging(): void;
+/**
+ * Verify a JWT-VC against a public key.
+ *
+ * @param jwt - The JWT string to verify (compact format: header.payload.signature)
+ * @param publicKeyJwk - The public key as JWK JSON string
+ * @returns Verification result with validity status, decoded claims if valid, and structured error if invalid.
+ *          On failure: `{ valid: false, error: { code, message, data? } }`.
+ *          Error codes: `JWT_EXPIRED` (with `data.expiredAt`), `INVALID_JWT_FORMAT`, `INVALID_JWK`,
+ *          `VERIFICATION_FAILED`, `CLAIMS_VALIDATION`, `SERIALIZATION_ERROR`, `DECODE_ERROR`.
+ */
+export declare function verifyJwt(jwt: string, publicKeyJwk: string): Promise<VerificationResult>;
+/**
+ * Generate a new Ed25519 key pair.
+ *
+ * @returns Key pair with private and public JWK strings
+ * @throws {WasmVcError} If key generation or serialization fails.
+ */
+export declare function generateKeypair(): Promise<KeyPair>;
+/**
+ * Extract public key from a private JWK.
+ *
+ * @param privateKeyJwk - The private key as JWK JSON string
+ * @returns The public key as JWK JSON string
+ * @throws {WasmVcError} If the private key JWK is invalid or serialization fails.
+ */
+export declare function getPublicKey(privateKeyJwk: string): Promise<string>;
+//# sourceMappingURL=wasm.d.ts.map

package/dist/wasm.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"wasm.d.ts","sourceRoot":"","sources":["../src/wasm.ts"],"names":[],"mappings":"AAIA,OAAa,EAKX,KAAK,SAAS,EACf,MAAM,kCAAkC,CAAC;AAC1C,OAAO,KAAK,EAAE,kBAAkB,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AAKjE;;;;;;;;;;;;GAYG;AACH,wBAAsB,eAAe,CAAC,OAAO,CAAC,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAOxE;AAED;;;GAGG;AACH,wBAAgB,WAAW,IAAI,IAAI,CAKlC;AAED;;;;;;;;;GASG;AACH,wBAAsB,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAG9F;AAED;;;;;GAKG;AACH,wBAAsB,eAAe,IAAI,OAAO,CAAC,OAAO,CAAC,CAGxD;AAED;;;;;;GAMG;AACH,wBAAsB,YAAY,CAAC,aAAa,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAGzE"}

package/dist/wasm.js

@@ -0,0 +1,73 @@
+// SPDX-FileCopyrightText: 2025 Semiotic AI, Inc.
+//
+// SPDX-License-Identifier: MIT
+import init, { verify_jwt as wasmVerifyJwt, generate_keypair as wasmGenerateKeypair, get_public_key as wasmGetPublicKey, init_logging as wasmInitLogging, } from '@semiotic-labs/agentium-sdk-wasm';
+let wasmInitialized = null;
+let loggingInitialized = false;
+/**
+ * Ensures the WASM module is loaded and ready.
+ * Uses lazy initialization - only loads on first call.
+ *
+ * @param wasmUrl - Optional URL/path to the WASM binary. If not provided,
+ *                  defaults to resolving `wasm_bg.wasm` relative to the JS module.
+ *                  For browser usage with bundlers like Vite, you may need:
+ *                  ```ts
+ *                  import wasmUrl from 'wasm/wasm_bg.wasm?url';
+ *                  await ensureWasmReady(wasmUrl);
+ *                  ```
+ * @returns Promise that resolves when WASM is ready
+ */
+export async function ensureWasmReady(wasmUrl) {
+    if (wasmInitialized === null) {
+        wasmInitialized = init(wasmUrl).then(() => {
+            // Module loaded successfully
+        });
+    }
+    await wasmInitialized;
+}
+/**
+ * Initialize WASM logging to browser console.
+ * Call once after ensureWasmReady() to enable debug output.
+ */
+export function initLogging() {
+    if (!loggingInitialized) {
+        wasmInitLogging();
+        loggingInitialized = true;
+    }
+}
+/**
+ * Verify a JWT-VC against a public key.
+ *
+ * @param jwt - The JWT string to verify (compact format: header.payload.signature)
+ * @param publicKeyJwk - The public key as JWK JSON string
+ * @returns Verification result with validity status, decoded claims if valid, and structured error if invalid.
+ *          On failure: `{ valid: false, error: { code, message, data? } }`.
+ *          Error codes: `JWT_EXPIRED` (with `data.expiredAt`), `INVALID_JWT_FORMAT`, `INVALID_JWK`,
+ *          `VERIFICATION_FAILED`, `CLAIMS_VALIDATION`, `SERIALIZATION_ERROR`, `DECODE_ERROR`.
+ */
+export async function verifyJwt(jwt, publicKeyJwk) {
+    await ensureWasmReady();
+    return wasmVerifyJwt(jwt, publicKeyJwk);
+}
+/**
+ * Generate a new Ed25519 key pair.
+ *
+ * @returns Key pair with private and public JWK strings
+ * @throws {WasmVcError} If key generation or serialization fails.
+ */
+export async function generateKeypair() {
+    await ensureWasmReady();
+    return wasmGenerateKeypair();
+}
+/**
+ * Extract public key from a private JWK.
+ *
+ * @param privateKeyJwk - The private key as JWK JSON string
+ * @returns The public key as JWK JSON string
+ * @throws {WasmVcError} If the private key JWK is invalid or serialization fails.
+ */
+export async function getPublicKey(privateKeyJwk) {
+    await ensureWasmReady();
+    return wasmGetPublicKey(privateKeyJwk);
+}
+//# sourceMappingURL=wasm.js.map

package/dist/wasm.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"wasm.js","sourceRoot":"","sources":["../src/wasm.ts"],"names":[],"mappings":"AAAA,iDAAiD;AACjD,EAAE;AACF,+BAA+B;AAE/B,OAAO,IAAI,EAAE,EACX,UAAU,IAAI,aAAa,EAC3B,gBAAgB,IAAI,mBAAmB,EACvC,cAAc,IAAI,gBAAgB,EAClC,YAAY,IAAI,eAAe,GAEhC,MAAM,kCAAkC,CAAC;AAG1C,IAAI,eAAe,GAAyB,IAAI,CAAC;AACjD,IAAI,kBAAkB,GAAG,KAAK,CAAC;AAE/B;;;;;;;;;;;;GAYG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,OAAmB;IACvD,IAAI,eAAe,KAAK,IAAI,EAAE,CAAC;QAC7B,eAAe,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE;YACxC,6BAA6B;QAC/B,CAAC,CAAC,CAAC;IACL,CAAC;IACD,MAAM,eAAe,CAAC;AACxB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,WAAW;IACzB,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,eAAe,EAAE,CAAC;QAClB,kBAAkB,GAAG,IAAI,CAAC;IAC5B,CAAC;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,GAAW,EAAE,YAAoB;IAC/D,MAAM,eAAe,EAAE,CAAC;IACxB,OAAO,aAAa,CAAC,GAAG,EAAE,YAAY,CAAuB,CAAC;AAChE,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe;IACnC,MAAM,eAAe,EAAE,CAAC;IACxB,OAAO,mBAAmB,EAAa,CAAC;AAC1C,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,aAAqB;IACtD,MAAM,eAAe,EAAE,CAAC;IACxB,OAAO,gBAAgB,CAAC,aAAa,CAAC,CAAC;AACzC,CAAC"}

package/package.json

@@ -1,16 +1,18 @@
 {
   "name": "@semiotic-labs/agentium-sdk",
-  "version": "0.2.1",
+  "version": "0.4.0",
   "type": "module",
   "description": "",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "files": [
-    "dist"
+    "dist",
+    "packages/agentium-native/wasm/pkg"
   ],
   "scripts": {
     "test": "vitest",
-    "build": "tsc",
+    "build:wasm": "cd packages/agentium-native/wasm && wasm-pack build --target web --scope semiotic-labs",
+    "build": "npm run build:wasm && tsc",
     "docs": "typedoc",
     "lint": "eslint src/**/*.ts",
     "format:check": "prettier --check .",
@@ -42,6 +44,7 @@
   "devDependencies": {
     "@types/node": "^24.10.1",
     "axios-mock-adapter": "^2.1.0",
+    "jose": "^6.0.10",
     "eslint": "^9.39.1",
     "eslint-config-prettier": "^10.1.8",
     "eslint-plugin-prettier": "^5.5.4",
@@ -53,6 +56,7 @@
     "vitest": "^4.0.15"
   },
   "dependencies": {
+    "@semiotic-labs/agentium-sdk-wasm": "file:./packages/agentium-native/wasm/pkg",
     "axios": "^1.13.2"
   }
 }