@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.33.1-next.2 → 0.33.1-next.68

package/dist/index.cjs

@@ -0,0 +1,2451 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
+var __commonJS = (cb, mod) => function __require() {
+  return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/localization/translations/en.json
+var require_en = __commonJS({
+  "src/localization/translations/en.json"(exports, module2) {
+    module2.exports = {
+      siopv2_machine_identifier_error_title: "Getting identifier",
+      siopv2_machine_create_config_error_title: "Creating siopV2 config",
+      siopv2_machine_get_request_error_title: "Getting siopV2 request",
+      siopv2_machine_get_selectable_credentials_error_title: "Getting siopV2 selectable credentials",
+      siopv2_machine_retrieve_contact_error_title: "Retrieve contact",
+      siopv2_machine_add_contact_identity_error_title: "Add contact identity",
+      siopv2_machine_send_response_error_title: "Sending siopV2 response"
+    };
+  }
+});
+
+// src/localization/translations/nl.json
+var require_nl = __commonJS({
+  "src/localization/translations/nl.json"(exports, module2) {
+    module2.exports = {
+      siopv2_machine_identifier_error_title: "Identifier ophalen",
+      siopv2_machine_create_config_error_title: "SiopV2 configuratie maken",
+      siopv2_machine_get_request_error_title: "SiopV2 verzoek ophalen",
+      siopv2_machine_retrieve_contact_error_title: "Ophalen credential",
+      siopv2_machine_add_contact_identity_error_title: "Toevoegen identiteit contact",
+      siopv2_machine_send_response_error_title: "SiopV2 antwoord verzenden"
+    };
+  }
+});
+
+// plugin.schema.json
+var require_plugin_schema = __commonJS({
+  "plugin.schema.json"(exports, module2) {
+    module2.exports = {
+      IDidAuthSiopOpAuthenticator: {
+        components: {
+          schemas: {
+            IGetSiopSessionArgs: {
+              type: "object",
+              properties: {
+                sessionId: {
+                  type: "string"
+                },
+                additionalProperties: false
+              },
+              required: ["sessionId"],
+              description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSessionForSiop } "
+            },
+            IRegisterSiopSessionArgs: {
+              type: "object",
+              properties: {
+                identifier: {
+                  type: "object",
+                  properties: {
+                    did: {
+                      type: "string"
+                    },
+                    alias: {
+                      type: "string"
+                    },
+                    provider: {
+                      type: "string"
+                    },
+                    controllerKeyId: {
+                      type: "string"
+                    },
+                    keys: {
+                      type: "array",
+                      items: {
+                        type: "object",
+                        properties: {
+                          additionalProperties: true
+                        }
+                      }
+                    },
+                    services: {
+                      type: "array",
+                      items: {
+                        type: "object",
+                        properties: {
+                          additionalProperties: true
+                        }
+                      }
+                    }
+                  },
+                  additionalProperties: false,
+                  required: ["did", "provider", "keys", "services"]
+                },
+                sessionId: {
+                  type: "string"
+                },
+                expiresIn: {
+                  type: "number"
+                },
+                additionalProperties: false
+              },
+              required: ["identifier"],
+              description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.registerSessionForSiop } "
+            },
+            IRemoveSiopSessionArgs: {
+              type: "object",
+              properties: {
+                sessionId: {
+                  type: "string"
+                },
+                additionalProperties: false
+              },
+              required: ["sessionId"],
+              description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.removeSessionForSiop } "
+            },
+            IAuthenticateWithSiopArgs: {
+              type: "object",
+              properties: {
+                sessionId: {
+                  type: "string"
+                },
+                stateId: {
+                  type: "string"
+                },
+                redirectUrl: {
+                  type: "string"
+                },
+                additionalProperties: false
+              },
+              required: ["sessionId", "stateId", "redirectUrl"],
+              description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.authenticateWithSiop } "
+            },
+            IResponse: {
+              type: "object",
+              properties: {
+                status: {
+                  type: "number"
+                },
+                additionalProperties: true
+              },
+              required: ["status"],
+              description: "Result of {@link DidAuthSiopOpAuthenticator.authenticateWithSiop & DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
+            },
+            IGetSiopAuthenticationRequestFromRpArgs: {
+              type: "object",
+              properties: {
+                sessionId: {
+                  type: "string"
+                },
+                stateId: {
+                  type: "string"
+                },
+                redirectUrl: {
+                  type: "string"
+                },
+                additionalProperties: false
+              },
+              required: ["sessionId", "stateId", "redirectUrl"],
+              description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
+            },
+            ParsedAuthenticationRequestURI: {
+              type: "object",
+              properties: {
+                jwt: {
+                  type: "string"
+                },
+                requestPayload: {
+                  type: "object",
+                  properties: {
+                    additionalProperties: true
+                  }
+                },
+                registration: {
+                  type: "object",
+                  properties: {
+                    additionalProperties: true
+                  }
+                },
+                additionalProperties: false
+              },
+              required: ["jwt", "requestPayload", "registration"],
+              description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
+            },
+            IGetSiopAuthenticationRequestDetailsArgs: {
+              type: "object",
+              properties: {
+                sessionId: {
+                  type: "string"
+                },
+                verifiedAuthenticationRequest: {
+                  type: "object",
+                  properties: {
+                    additionalProperties: true
+                  }
+                },
+                credentialFilter: {
+                  type: "object",
+                  properties: {
+                    additionalProperties: true
+                  }
+                },
+                additionalProperties: false
+              },
+              required: ["sessionId", "verifiedAuthenticationRequest"],
+              description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
+            },
+            IAuthRequestDetails: {
+              type: "object",
+              properties: {
+                id: {
+                  type: "string"
+                },
+                alsoKnownAs: {
+                  type: "array",
+                  items: {
+                    type: "string"
+                  }
+                },
+                vpResponseOpts: {
+                  type: "object",
+                  properties: {
+                    additionalProperties: true
+                  }
+                },
+                additionalProperties: false
+              },
+              required: ["id", "vpResponseOpts"],
+              description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
+            },
+            IVerifySiopAuthenticationRequestUriArgs: {
+              type: "object",
+              properties: {
+                sessionId: {
+                  type: "string"
+                },
+                ParsedAuthenticationRequestURI: {
+                  type: "object",
+                  properties: {
+                    additionalProperties: true
+                  }
+                },
+                additionalProperties: false
+              },
+              required: ["sessionId", "ParsedAuthenticationRequestURI"],
+              description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
+            },
+            VerifiedAuthorizationRequest: {
+              type: "object",
+              properties: {
+                payload: {
+                  type: "object",
+                  properties: {
+                    additionalProperties: true
+                  }
+                },
+                presentationDefinitions: {
+                  type: "object",
+                  properties: {
+                    additionalProperties: true
+                  }
+                },
+                verifyOpts: {
+                  type: "object",
+                  properties: {
+                    additionalProperties: true
+                  }
+                },
+                additionalProperties: false
+              },
+              required: ["payload", "verifyOpts"],
+              description: "Result of {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
+            },
+            ISendSiopAuthenticationResponseArgs: {
+              type: "object",
+              properties: {
+                sessionId: {
+                  type: "string"
+                },
+                verifiedAuthenticationRequest: {
+                  type: "object",
+                  properties: {
+                    additionalProperties: true
+                  }
+                },
+                verifiablePresentationResponse: {
+                  type: "object",
+                  properties: {
+                    additionalProperties: true
+                  }
+                },
+                additionalProperties: false
+              },
+              required: ["sessionId", "verifiedAuthenticationRequest"],
+              description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
+            }
+          },
+          methods: {
+            getSessionForSiop: {
+              description: "Get SIOP session",
+              arguments: {
+                $ref: "#/components/schemas/IGetSiopSessionArgs"
+              },
+              returnType: "object"
+            },
+            registerSessionForSiop: {
+              description: "Register SIOP session",
+              arguments: {
+                $ref: "#/components/schemas/IRegisterSiopSessionArgs"
+              },
+              returnType: "object"
+            },
+            removeSessionForSiop: {
+              description: "Remove SIOP session",
+              arguments: {
+                $ref: "#/components/schemas/IRemoveSiopSessionArgs"
+              },
+              returnType: "boolean"
+            },
+            authenticateWithSiop: {
+              description: "Authenticate using DID Auth SIOP",
+              arguments: {
+                $ref: "#/components/schemas/IAuthenticateWithSiopArgs"
+              },
+              returnType: {
+                $ref: "#/components/schemas/Response"
+              }
+            },
+            getSiopAuthenticationRequestFromRP: {
+              description: "Get authentication request from RP",
+              arguments: {
+                $ref: "#/components/schemas/IGetSiopAuthenticationRequestFromRpArgs"
+              },
+              returnType: {
+                $ref: "#/components/schemas/ParsedAuthenticationRequestURI"
+              }
+            },
+            getSiopAuthenticationRequestDetails: {
+              description: "Get authentication request details",
+              arguments: {
+                $ref: "#/components/schemas/IGetSiopAuthenticationRequestDetailsArgs"
+              },
+              returnType: {
+                $ref: "#/components/schemas/IAuthRequestDetails"
+              }
+            },
+            verifySiopAuthenticationRequestURI: {
+              description: "Verify authentication request URI",
+              arguments: {
+                $ref: "#/components/schemas/IVerifySiopAuthenticationRequestUriArgs"
+              },
+              returnType: {
+                $ref: "#/components/schemas/VerifiedAuthorizationRequest"
+              }
+            },
+            sendSiopAuthenticationResponse: {
+              description: "Send authentication response",
+              arguments: {
+                $ref: "#/components/schemas/ISendSiopAuthenticationResponseArgs"
+              },
+              returnType: {
+                $ref: "#/components/schemas/IRequiredContext"
+              }
+            }
+          }
+        }
+      }
+    };
+  }
+});
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  DEFAULT_JWT_PROOF_TYPE: () => DEFAULT_JWT_PROOF_TYPE,
+  DID_PREFIX: () => DID_PREFIX,
+  DidAuthSiopOpAuthenticator: () => DidAuthSiopOpAuthenticator,
+  LOGGER_NAMESPACE: () => LOGGER_NAMESPACE,
+  OID4VP: () => OID4VP,
+  OID4VPCallbackStateListener: () => OID4VPCallbackStateListener,
+  OpSession: () => OpSession,
+  Siopv2HolderEvent: () => Siopv2HolderEvent,
+  Siopv2Machine: () => Siopv2Machine,
+  Siopv2MachineAddContactStates: () => Siopv2MachineAddContactStates,
+  Siopv2MachineEvents: () => Siopv2MachineEvents,
+  Siopv2MachineGuards: () => Siopv2MachineGuards,
+  Siopv2MachineServices: () => Siopv2MachineServices,
+  Siopv2MachineStates: () => Siopv2MachineStates,
+  Siopv2OID4VPLinkHandler: () => Siopv2OID4VPLinkHandler,
+  SupportedLanguage: () => SupportedLanguage,
+  createJwtCallbackWithIdOpts: () => createJwtCallbackWithIdOpts,
+  createJwtCallbackWithOpOpts: () => createJwtCallbackWithOpOpts,
+  createOID4VPPresentationSignCallback: () => createOID4VPPresentationSignCallback,
+  createOP: () => createOP,
+  createOPBuilder: () => createOPBuilder,
+  didAuthSiopOpAuthenticatorMethods: () => didAuthSiopOpAuthenticatorMethods,
+  events: () => events,
+  getSigningAlgo: () => getSigningAlgo,
+  schema: () => schema
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/agent/DidAuthSiopOpAuthenticator.ts
+var import_did_auth_siop5 = require("@sphereon/did-auth-siop");
+var import_ssi_sdk8 = require("@sphereon/ssi-sdk.data-store");
+var import_ssi_types7 = require("@sphereon/ssi-types");
+var import_uuid2 = require("uuid");
+
+// src/session/functions.ts
+var import_did_auth_siop = require("@sphereon/did-auth-siop");
+var import_oid4vc_common = require("@sphereon/oid4vc-common");
+var import_ssi_sdk_ext = require("@sphereon/ssi-sdk-ext.identifier-resolution");
+var import_ssi_sdk = require("@sphereon/ssi-sdk.presentation-exchange");
+var import_events = require("events");
+async function createOID4VPPresentationSignCallback({ presentationSignCallback, idOpts: idOpts1, domain, fetchRemoteContexts, challenge, format, context, skipDidResolution }) {
+  if (typeof presentationSignCallback === "function") {
+    return presentationSignCallback;
+  }
+  return (0, import_ssi_sdk.createPEXPresentationSignCallback)({
+    idOpts: idOpts1,
+    fetchRemoteContexts,
+    domain,
+    challenge,
+    format,
+    skipDidResolution
+  }, context);
+}
+__name(createOID4VPPresentationSignCallback, "createOID4VPPresentationSignCallback");
+async function createOPBuilder({ opOptions, idOpts: idOpts1, context }) {
+  const eventEmitter = opOptions.eventEmitter ?? new import_events.EventEmitter();
+  const builder = import_did_auth_siop.OP.builder().withResponseMode(opOptions.responseMode ?? import_did_auth_siop.ResponseMode.DIRECT_POST).withSupportedVersions(opOptions.supportedVersions ?? [
+    import_did_auth_siop.SupportedVersion.SIOPv2_ID1,
+    import_did_auth_siop.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1,
+    import_did_auth_siop.SupportedVersion.SIOPv2_D11,
+    import_did_auth_siop.SupportedVersion.SIOPv2_D12_OID4VP_D18
+  ]).withExpiresIn(opOptions.expiresIn ?? 300).withEventEmitter(eventEmitter).withRegistration({
+    passBy: import_did_auth_siop.PassBy.VALUE
+  });
+  const wellknownDIDVerifyCallback = opOptions.wellknownDIDVerifyCallback ? opOptions.wellknownDIDVerifyCallback : async (args) => {
+    const result = await context.agent.cvVerifyCredential({
+      credential: args.credential,
+      fetchRemoteContexts: true
+    });
+    return {
+      verified: result.result
+    };
+  };
+  builder.withVerifyJwtCallback(opOptions.verifyJwtCallback ? opOptions.verifyJwtCallback : getVerifyJwtCallback({
+    verifyOpts: {
+      wellknownDIDVerifyCallback,
+      checkLinkedDomain: "if_present"
+    }
+  }, context));
+  if (idOpts1) {
+    if (opOptions.skipDidResolution && (0, import_ssi_sdk_ext.isManagedIdentifierDidOpts)(idOpts1)) {
+      idOpts1.offlineWhenNoDIDRegistered = true;
+    }
+    const createJwtCallback = createJwtCallbackWithIdOpts(idOpts1, context);
+    builder.withCreateJwtCallback(createJwtCallback);
+    builder.withPresentationSignCallback(await createOID4VPPresentationSignCallback({
+      presentationSignCallback: opOptions.presentationSignCallback,
+      skipDidResolution: opOptions.skipDidResolution ?? false,
+      idOpts: idOpts1,
+      context
+    }));
+  } else {
+    const createJwtCallback = createJwtCallbackWithOpOpts(opOptions, context);
+    builder.withCreateJwtCallback(createJwtCallback);
+  }
+  return builder;
+}
+__name(createOPBuilder, "createOPBuilder");
+function createJwtCallbackWithIdOpts(idOpts1, context) {
+  return async (jwtIssuer, jwt) => {
+    let issuer;
+    if ((0, import_ssi_sdk_ext.isManagedIdentifierDidOpts)(idOpts1)) {
+      issuer = {
+        ...idOpts1,
+        method: idOpts1.method,
+        noIdentifierInHeader: false
+      };
+    } else if ((0, import_ssi_sdk_ext.isManagedIdentifierX5cOpts)(idOpts1)) {
+      issuer = {
+        ...idOpts1,
+        method: idOpts1.method,
+        noIdentifierInHeader: false
+      };
+    } else {
+      return Promise.reject(Error(`JWT issuer method ${jwtIssuer.method} not yet supported`));
+    }
+    const result = await context.agent.jwtCreateJwsCompactSignature({
+      issuer,
+      protectedHeader: jwt.header,
+      payload: jwt.payload
+    });
+    return result.jwt;
+  };
+}
+__name(createJwtCallbackWithIdOpts, "createJwtCallbackWithIdOpts");
+function createJwtCallbackWithOpOpts(opOpts, context) {
+  return async (jwtIssuer, jwt) => {
+    let identifier;
+    if (jwtIssuer.method == "did") {
+      identifier = jwtIssuer.didUrl;
+    } else if (jwtIssuer.method == "x5c") {
+      identifier = jwtIssuer.x5c;
+    } else {
+      return Promise.reject(Error(`JWT issuer method ${jwtIssuer.method} not yet supported`));
+    }
+    const result = await context.agent.jwtCreateJwsCompactSignature({
+      // FIXME fix cose-key inference
+      // @ts-ignore
+      issuer: {
+        identifier,
+        kmsKeyRef: idOpts.kmsKeyRef,
+        noIdentifierInHeader: false
+      },
+      // FIXME fix JWK key_ops
+      // @ts-ignore
+      protectedHeader: jwt.header,
+      payload: jwt.payload
+    });
+    return result.jwt;
+  };
+}
+__name(createJwtCallbackWithOpOpts, "createJwtCallbackWithOpOpts");
+function getVerifyJwtCallback(_opts, context) {
+  return async (_jwtVerifier, jwt) => {
+    const result = await context.agent.jwtVerifyJwsSignature({
+      jws: jwt.raw
+    });
+    console.log(result.message);
+    return !result.error;
+  };
+}
+__name(getVerifyJwtCallback, "getVerifyJwtCallback");
+async function createOP({ opOptions, idOpts: idOpts1, context }) {
+  return (await createOPBuilder({
+    opOptions,
+    idOpts: idOpts1,
+    context
+  })).build();
+}
+__name(createOP, "createOP");
+function getSigningAlgo(type) {
+  switch (type) {
+    case "Ed25519":
+      return import_oid4vc_common.SigningAlgo.EDDSA;
+    case "Secp256k1":
+      return import_oid4vc_common.SigningAlgo.ES256K;
+    case "Secp256r1":
+      return import_oid4vc_common.SigningAlgo.ES256;
+    // @ts-ignore
+    case "RSA":
+      return import_oid4vc_common.SigningAlgo.RS256;
+    default:
+      throw Error("Key type not yet supported");
+  }
+}
+__name(getSigningAlgo, "getSigningAlgo");
+
+// src/session/OID4VP.ts
+var import_did_auth_siop2 = require("@sphereon/did-auth-siop");
+var import_pex = require("@sphereon/pex");
+var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
+var import_ssi_sdk2 = require("@sphereon/ssi-sdk.core");
+var import_ssi_sdk3 = require("@sphereon/ssi-sdk.credential-store");
+
+// src/types/IDidAuthSiopOpAuthenticator.ts
+var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
+var events = /* @__PURE__ */ function(events2) {
+  events2["DID_SIOP_AUTHENTICATED"] = "didSiopAuthenticated";
+  return events2;
+}({});
+var DEFAULT_JWT_PROOF_TYPE = "JwtProof2020";
+
+// src/types/siop-service/index.ts
+var Siopv2HolderEvent = /* @__PURE__ */ function(Siopv2HolderEvent2) {
+  Siopv2HolderEvent2["CONTACT_IDENTITY_CREATED"] = "contact_identity_created";
+  Siopv2HolderEvent2["IDENTIFIER_CREATED"] = "identifier_created";
+  return Siopv2HolderEvent2;
+}({});
+var SupportedLanguage = /* @__PURE__ */ function(SupportedLanguage2) {
+  SupportedLanguage2["ENGLISH"] = "en";
+  SupportedLanguage2["DUTCH"] = "nl";
+  return SupportedLanguage2;
+}({});
+
+// src/types/machine/index.ts
+var Siopv2MachineStates = /* @__PURE__ */ function(Siopv2MachineStates2) {
+  Siopv2MachineStates2["createConfig"] = "createConfig";
+  Siopv2MachineStates2["getSiopRequest"] = "getSiopRequest";
+  Siopv2MachineStates2["getSelectableCredentials"] = "getSelectableCredentials";
+  Siopv2MachineStates2["retrieveContact"] = "retrieveContact";
+  Siopv2MachineStates2["transitionFromSetup"] = "transitionFromSetup";
+  Siopv2MachineStates2["addContact"] = "addContact";
+  Siopv2MachineStates2["addContactIdentity"] = "addContactIdentity";
+  Siopv2MachineStates2["selectCredentials"] = "selectCredentials";
+  Siopv2MachineStates2["sendResponse"] = "sendResponse";
+  Siopv2MachineStates2["handleError"] = "handleError";
+  Siopv2MachineStates2["aborted"] = "aborted";
+  Siopv2MachineStates2["declined"] = "declined";
+  Siopv2MachineStates2["error"] = "error";
+  Siopv2MachineStates2["done"] = "done";
+  return Siopv2MachineStates2;
+}({});
+var Siopv2MachineAddContactStates = /* @__PURE__ */ function(Siopv2MachineAddContactStates2) {
+  Siopv2MachineAddContactStates2["idle"] = "idle";
+  Siopv2MachineAddContactStates2["executing"] = "executing";
+  Siopv2MachineAddContactStates2["next"] = "next";
+  return Siopv2MachineAddContactStates2;
+}({});
+var Siopv2MachineEvents = /* @__PURE__ */ function(Siopv2MachineEvents2) {
+  Siopv2MachineEvents2["NEXT"] = "NEXT";
+  Siopv2MachineEvents2["PREVIOUS"] = "PREVIOUS";
+  Siopv2MachineEvents2["DECLINE"] = "DECLINE";
+  Siopv2MachineEvents2["SET_CONTACT_ALIAS"] = "SET_CONTACT_ALIAS";
+  Siopv2MachineEvents2["SET_CONTACT_CONSENT"] = "SET_CONTACT_CONSENT";
+  Siopv2MachineEvents2["CREATE_CONTACT"] = "CREATE_CONTACT";
+  Siopv2MachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
+  return Siopv2MachineEvents2;
+}({});
+var Siopv2MachineGuards = /* @__PURE__ */ function(Siopv2MachineGuards2) {
+  Siopv2MachineGuards2["hasNoContactGuard"] = "Siopv2HasNoContactGuard";
+  Siopv2MachineGuards2["createContactGuard"] = "Siopv2CreateContactGuard";
+  Siopv2MachineGuards2["hasContactGuard"] = "Siopv2HasContactGuard";
+  Siopv2MachineGuards2["hasAuthorizationRequestGuard"] = "Siopv2HasAuthorizationRequestGuard";
+  Siopv2MachineGuards2["hasSelectableCredentialsAndContactGuard"] = "Siopv2HasSelectableCredentialsAndContactGuard";
+  Siopv2MachineGuards2["hasSelectedRequiredCredentialsGuard"] = "Siopv2HasSelectedRequiredCredentialsGuard";
+  Siopv2MachineGuards2["siopOnlyGuard"] = "Siopv2IsSiopOnlyGuard";
+  Siopv2MachineGuards2["siopWithOID4VPGuard"] = "Siopv2IsSiopWithOID4VPGuard";
+  return Siopv2MachineGuards2;
+}({});
+var Siopv2MachineServices = /* @__PURE__ */ function(Siopv2MachineServices2) {
+  Siopv2MachineServices2["getSiopRequest"] = "getSiopRequest";
+  Siopv2MachineServices2["getSelectableCredentials"] = "getSelectableCredentials";
+  Siopv2MachineServices2["retrieveContact"] = "retrieveContact";
+  Siopv2MachineServices2["addContactIdentity"] = "addContactIdentity";
+  Siopv2MachineServices2["sendResponse"] = "sendResponse";
+  Siopv2MachineServices2["createConfig"] = "createConfig";
+  return Siopv2MachineServices2;
+}({});
+
+// src/types/identifier/index.ts
+var DID_PREFIX = "did";
+
+// src/session/OID4VP.ts
+var OID4VP = class _OID4VP {
+  static {
+    __name(this, "OID4VP");
+  }
+  session;
+  allIdentifiers;
+  hasher;
+  constructor(args) {
+    const { session, allIdentifiers, hasher = import_ssi_sdk2.defaultHasher } = args;
+    this.session = session;
+    this.allIdentifiers = allIdentifiers ?? [];
+    this.hasher = hasher;
+  }
+  static async init(session, allIdentifiers, hasher) {
+    return new _OID4VP({
+      session,
+      allIdentifiers: allIdentifiers ?? await session.getSupportedDIDs(),
+      hasher
+    });
+  }
+  async getPresentationDefinitions() {
+    const definitions = await this.session.getPresentationDefinitions();
+    if (definitions) {
+      import_did_auth_siop2.PresentationExchange.assertValidPresentationDefinitionWithLocations(definitions);
+    }
+    return definitions;
+  }
+  getPresentationExchange(args) {
+    const { verifiableCredentials, allIdentifiers, hasher } = args;
+    return new import_did_auth_siop2.PresentationExchange({
+      allDIDs: allIdentifiers ?? this.allIdentifiers,
+      allVerifiableCredentials: verifiableCredentials,
+      hasher: hasher ?? this.hasher
+    });
+  }
+  async createVerifiablePresentations(credentialRole, credentialsWithDefinitions, opts) {
+    return await Promise.all(credentialsWithDefinitions.map((cred) => this.createVerifiablePresentation(credentialRole, cred, opts)));
+  }
+  async createVerifiablePresentation(credentialRole, selectedVerifiableCredentials, opts) {
+    const { subjectIsHolder, holder, forceNoCredentialsInVP = false } = {
+      ...opts
+    };
+    if (subjectIsHolder && holder) {
+      throw Error("Cannot both have subject is holder and a holderDID value at the same time (programming error)");
+    }
+    if (forceNoCredentialsInVP) {
+      selectedVerifiableCredentials.credentials = [];
+    } else if (!selectedVerifiableCredentials?.credentials || selectedVerifiableCredentials.credentials.length === 0) {
+      throw Error("No verifiable verifiableCredentials provided for presentation definition");
+    }
+    const proofOptions = {
+      ...opts?.proofOpts,
+      challenge: opts?.proofOpts?.nonce ?? opts?.proofOpts?.challenge ?? this.session.nonce,
+      domain: opts?.proofOpts?.domain ?? await this.session.getRedirectUri()
+    };
+    let idOpts2 = opts?.idOpts;
+    if (!idOpts2) {
+      if (opts?.subjectIsHolder) {
+        if (forceNoCredentialsInVP) {
+          return Promise.reject(Error(`Cannot have subject is holder, when force no credentials is being used, as we could never determine the holder then. Please provide holderDID`));
+        }
+        const firstUniqueDC = selectedVerifiableCredentials.credentials[0];
+        if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
+          return Promise.reject(Error("If no opts provided, credentials should be of type UniqueDigitalCredential"));
+        }
+        idOpts2 = (0, import_ssi_sdk_ext2.isOID4VCIssuerIdentifier)(firstUniqueDC.digitalCredential.kmsKeyRef) ? await this.session.context.agent.identifierManagedGetByIssuer({
+          identifier: firstUniqueDC.digitalCredential.kmsKeyRef
+        }) : await this.session.context.agent.identifierManagedGetByKid({
+          identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
+          kmsKeyRef: firstUniqueDC.digitalCredential.kmsKeyRef
+        });
+      } else if (opts?.holder) {
+        idOpts2 = {
+          identifier: opts.holder
+        };
+      }
+    }
+    const vcs = forceNoCredentialsInVP ? selectedVerifiableCredentials : opts?.applyFilter ? await this.filterCredentials(credentialRole, selectedVerifiableCredentials.definition, {
+      restrictToFormats: opts?.restrictToFormats,
+      restrictToDIDMethods: opts?.restrictToDIDMethods,
+      filterOpts: {
+        verifiableCredentials: selectedVerifiableCredentials.credentials
+      }
+    }) : {
+      definition: selectedVerifiableCredentials.definition,
+      credentials: selectedVerifiableCredentials.credentials
+    };
+    if (!idOpts2) {
+      return Promise.reject(Error(`No identifier options present at this point`));
+    }
+    const signCallback = await createOID4VPPresentationSignCallback({
+      presentationSignCallback: this.session.options.presentationSignCallback,
+      idOpts: idOpts2,
+      context: this.session.context,
+      domain: proofOptions.domain,
+      challenge: proofOptions.challenge,
+      format: opts?.restrictToFormats ?? selectedVerifiableCredentials.definition.definition.format,
+      skipDidResolution: opts?.skipDidResolution ?? false
+    });
+    const identifier = await this.session.context.agent.identifierManagedGet(idOpts2);
+    const verifiableCredentials = vcs.credentials.map((credential) => typeof credential === "object" && "digitalCredential" in credential ? credential.originalVerifiableCredential : credential);
+    const presentationResult = await this.getPresentationExchange({
+      verifiableCredentials,
+      allIdentifiers: this.allIdentifiers,
+      hasher: opts?.hasher
+    }).createVerifiablePresentation(vcs.definition.definition, verifiableCredentials, signCallback, {
+      proofOptions,
+      // fixme: Update to newer siop-vp to not require dids here. But when Veramo is creating the VP it's still looking at this field to pass into didManagerGet
+      ...identifier && (0, import_ssi_sdk_ext2.isManagedIdentifierDidResult)(identifier) && {
+        holderDID: identifier.did
+      }
+    });
+    const verifiablePresentations = presentationResult.verifiablePresentations.map((verifiablePresentation) => typeof verifiablePresentation !== "string" && "proof" in verifiablePresentation && "jwt" in verifiablePresentation.proof && verifiablePresentation.proof.jwt ? verifiablePresentation.proof.jwt : verifiablePresentation);
+    return {
+      ...presentationResult,
+      verifiablePresentations,
+      verifiableCredentials,
+      definition: selectedVerifiableCredentials.definition,
+      idOpts: idOpts2
+    };
+  }
+  async filterCredentialsAgainstAllDefinitions(credentialRole, opts) {
+    const defs = await this.getPresentationDefinitions();
+    const result = [];
+    if (defs) {
+      for (const definition of defs) {
+        result.push(await this.filterCredentials(credentialRole, definition, opts));
+      }
+    }
+    return result;
+  }
+  async filterCredentials(credentialRole, presentationDefinition, opts) {
+    const udcMap = /* @__PURE__ */ new Map();
+    opts?.filterOpts?.verifiableCredentials?.forEach((credential) => {
+      if (typeof credential === "object" && "digitalCredential" in credential) {
+        udcMap.set(credential.originalVerifiableCredential, credential);
+      } else {
+        udcMap.set(credential, credential);
+      }
+    });
+    const credentials = (await this.filterCredentialsWithSelectionStatus(credentialRole, presentationDefinition, {
+      ...opts,
+      filterOpts: {
+        verifiableCredentials: opts?.filterOpts?.verifiableCredentials?.map((credential) => {
+          if (typeof credential === "object" && "digitalCredential" in credential) {
+            return credential.originalVerifiableCredential;
+          } else {
+            return credential;
+          }
+        })
+      }
+    })).verifiableCredential;
+    return {
+      definition: presentationDefinition,
+      credentials: credentials?.map((vc) => udcMap.get(vc)) ?? []
+    };
+  }
+  async filterCredentialsWithSelectionStatus(credentialRole, presentationDefinition, opts) {
+    const selectionResults = await this.getPresentationExchange({
+      verifiableCredentials: await this.getCredentials(credentialRole, opts?.filterOpts)
+    }).selectVerifiableCredentialsForSubmission(presentationDefinition.definition, opts);
+    if (selectionResults.errors && selectionResults.errors.length > 0) {
+      throw Error(JSON.stringify(selectionResults.errors));
+    } else if (selectionResults.areRequiredCredentialsPresent === import_pex.Status.ERROR) {
+      throw Error(`Not all required credentials are available to satisfy the relying party's request`);
+    }
+    const matches = selectionResults.matches;
+    if (!matches || matches.length === 0 || !selectionResults.verifiableCredential || selectionResults.verifiableCredential.length === 0) {
+      throw Error(JSON.stringify(selectionResults.errors));
+    }
+    return selectionResults;
+  }
+  async getCredentials(credentialRole, filterOpts) {
+    if (filterOpts?.verifiableCredentials && filterOpts.verifiableCredentials.length > 0) {
+      return filterOpts.verifiableCredentials;
+    }
+    const filter = (0, import_ssi_sdk3.verifiableCredentialForRoleFilter)(credentialRole, filterOpts?.filter);
+    const uniqueCredentials = await this.session.context.agent.crsGetUniqueCredentials({
+      filter
+    });
+    return uniqueCredentials.map((uniqueVC) => {
+      const vc = uniqueVC.uniformVerifiableCredential;
+      const proof = Array.isArray(vc.proof) ? vc.proof : [
+        vc.proof
+      ];
+      const jwtProof = proof.find((p) => p?.type === DEFAULT_JWT_PROOF_TYPE);
+      return jwtProof ? jwtProof.jwt : vc;
+    });
+  }
+};
+
+// src/session/OpSession.ts
+var import_did_auth_siop3 = require("@sphereon/did-auth-siop");
+var import_ssi_sdk_ext3 = require("@sphereon/ssi-sdk-ext.did-utils");
+var import_ssi_sdk4 = require("@sphereon/ssi-sdk.core");
+var import_ssi_types = require("@sphereon/ssi-types");
+var import_uuid = require("uuid");
+var import_pex2 = require("@sphereon/pex");
+var import_ssi_types2 = require("@sphereon/ssi-types");
+var logger = import_ssi_types2.Loggers.DEFAULT.get("sphereon:oid4vp:OpSession");
+var OpSession = class _OpSession {
+  static {
+    __name(this, "OpSession");
+  }
+  ts = (/* @__PURE__ */ new Date()).getDate();
+  id;
+  options;
+  context;
+  requestJwtOrUri;
+  verifiedAuthorizationRequest;
+  _nonce;
+  _state;
+  _providedPresentationDefinitions;
+  constructor(options) {
+    this.id = options.sessionId;
+    this.options = options.op;
+    this.context = options.context;
+    this.requestJwtOrUri = options.requestJwtOrUri;
+    this._providedPresentationDefinitions = options.providedPresentationDefinitions;
+  }
+  static async init(options) {
+    return new _OpSession(options);
+  }
+  async getAuthorizationRequest() {
+    if (!this.verifiedAuthorizationRequest) {
+      const op = await createOP({
+        opOptions: this.options,
+        context: this.context
+      });
+      this.verifiedAuthorizationRequest = await op.verifyAuthorizationRequest(this.requestJwtOrUri);
+      this._nonce = await this.verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("nonce");
+      this._state = await this.verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("state");
+      await this.getSupportedDIDMethods();
+    }
+    return this.verifiedAuthorizationRequest;
+  }
+  async getAuthorizationRequestURI() {
+    return await import_did_auth_siop3.URI.fromAuthorizationRequest((await this.getAuthorizationRequest()).authorizationRequest);
+  }
+  get nonce() {
+    if (!this._nonce) {
+      throw Error("No nonce available. Please get authorization request first");
+    }
+    return this._nonce;
+  }
+  get state() {
+    if (!this._state) {
+      throw Error("No state available. Please get authorization request first");
+    }
+    return this._state;
+  }
+  clear() {
+    this._nonce = void 0;
+    this._state = void 0;
+    this.verifiedAuthorizationRequest = void 0;
+    return this;
+  }
+  async getSupportedDIDMethods(didPrefix) {
+    const agentMethods = this.getAgentDIDMethodsSupported({
+      didPrefix
+    });
+    let rpMethods = await this.getRPDIDMethodsSupported({
+      didPrefix,
+      agentMethods
+    });
+    logger.debug(`RP supports subject syntax types: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
+    if (rpMethods.dids.length === 0) {
+      logger.debug(`RP does not support DIDs. Supported: ${JSON.stringify(this.getSubjectSyntaxTypesSupported())}`);
+      return [];
+    }
+    let intersection;
+    if (rpMethods.dids.includes("did")) {
+      intersection = agentMethods && agentMethods.length > 0 ? agentMethods : (await (0, import_ssi_sdk_ext3.getAgentDIDMethods)(this.context)).map((method) => convertDidMethod(method, didPrefix));
+    } else if (!agentMethods || agentMethods.length === 0) {
+      intersection = rpMethods.dids?.map((method) => convertDidMethod(method, didPrefix));
+    } else {
+      intersection = agentMethods.filter((value) => rpMethods.dids.includes(value));
+    }
+    if (intersection.length === 0) {
+      throw Error("No matching DID methods between agent and relying party");
+    }
+    return intersection.map((value) => convertDidMethod(value, didPrefix));
+  }
+  getAgentDIDMethodsSupported(opts) {
+    const agentMethods = this.options.supportedDIDMethods?.map((method) => convertDidMethod(method, opts.didPrefix));
+    logger.debug(`agent methods: ${JSON.stringify(agentMethods)}`);
+    return agentMethods;
+  }
+  async getSubjectSyntaxTypesSupported() {
+    const authReq = await this.getAuthorizationRequest();
+    const subjectSyntaxTypesSupported = authReq.registrationMetadataPayload?.subject_syntax_types_supported;
+    return subjectSyntaxTypesSupported ?? [];
+  }
+  async getRPDIDMethodsSupported(opts) {
+    let keyType;
+    const agentMethods = (opts.agentMethods ?? this.getAgentDIDMethodsSupported(opts))?.map((method) => convertDidMethod(method, opts.didPrefix)) ?? [];
+    logger.debug(`agent methods supported: ${JSON.stringify(agentMethods)}`);
+    const authReq = await this.getAuthorizationRequest();
+    const subjectSyntaxTypesSupported = authReq.registrationMetadataPayload?.subject_syntax_types_supported?.map((method) => convertDidMethod(method, opts.didPrefix)).filter((val) => !val.startsWith("did"));
+    logger.debug(`subject syntax types supported in rp method supported: ${JSON.stringify(subjectSyntaxTypesSupported)}`);
+    const aud = await authReq.authorizationRequest.getMergedProperty("aud");
+    let rpMethods = [];
+    if (aud && aud.startsWith("did:")) {
+      const didMethod = convertDidMethod((0, import_ssi_types.parseDid)(aud).method, opts.didPrefix);
+      logger.debug(`aud did method: ${didMethod}`);
+      if (subjectSyntaxTypesSupported && subjectSyntaxTypesSupported.length > 0 && !subjectSyntaxTypesSupported.includes("did") && !subjectSyntaxTypesSupported.includes(didMethod)) {
+        throw Error(`The aud DID method ${didMethod} is not in the supported types ${subjectSyntaxTypesSupported}`);
+      }
+      rpMethods = [
+        didMethod
+      ];
+    } else if (subjectSyntaxTypesSupported) {
+      rpMethods = (Array.isArray(subjectSyntaxTypesSupported) ? subjectSyntaxTypesSupported : [
+        subjectSyntaxTypesSupported
+      ]).map((method) => convertDidMethod(method, opts.didPrefix));
+    }
+    const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || (await authReq.authorizationRequest.getMergedProperty("client_id"))?.includes(".ebsi.eu"));
+    let codecName = void 0;
+    if (isEBSI && (!aud || !aud.startsWith("http"))) {
+      logger.debug(`EBSI detected, adding did:key to supported DID methods for RP`);
+      const didKeyMethod = convertDidMethod("did:key", opts.didPrefix);
+      if (!agentMethods?.includes(didKeyMethod)) {
+        throw Error(`EBSI detected, but agent did not support did:key. Please reconfigure agent`);
+      }
+      rpMethods = [
+        didKeyMethod
+      ];
+      keyType = "Secp256r1";
+      codecName = "jwk_jcs-pub";
+    }
+    return {
+      dids: rpMethods,
+      codecName,
+      keyType
+    };
+  }
+  async getSupportedIdentifiers(opts) {
+    const methods = await this.getSupportedDIDMethods(true);
+    logger.debug(`supported DID methods (did: prefix = true): ${JSON.stringify(methods)}`);
+    if (methods.length === 0) {
+      throw Error(`No DID methods are supported`);
+    }
+    const identifiers = await this.context.agent.didManagerFind().then((ids) => ids.filter((id) => methods.includes(id.provider)));
+    if (identifiers.length === 0) {
+      logger.debug(`No identifiers available in agent supporting methods ${JSON.stringify(methods)}`);
+      if (opts?.createInCaseNoDIDFound !== false) {
+        const { codecName, keyType } = await this.getRPDIDMethodsSupported({
+          didPrefix: true,
+          agentMethods: methods
+        });
+        const identifier = await this.context.agent.didManagerCreate({
+          provider: methods[0],
+          options: {
+            codecName,
+            keyType,
+            type: keyType
+          }
+        });
+        logger.debug(`Created a new identifier for the SIOP interaction: ${identifier.did}`);
+        identifiers.push(identifier);
+      }
+    }
+    logger.debug(`supported identifiers: ${JSON.stringify(identifiers.map((id) => id.did))}`);
+    return identifiers;
+  }
+  async getSupportedDIDs() {
+    return (await this.getSupportedIdentifiers()).map((id) => id.did);
+  }
+  async getRedirectUri() {
+    return Promise.resolve(this.verifiedAuthorizationRequest.responseURI);
+  }
+  async hasPresentationDefinitions() {
+    const defs = this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions;
+    return defs !== void 0 && defs.length > 0;
+  }
+  async getPresentationDefinitions() {
+    if (!await this.hasPresentationDefinitions()) {
+      throw Error(`No presentation definitions found`);
+    }
+    return this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions;
+  }
+  async getOID4VP(args) {
+    return await OID4VP.init(this, args.allIdentifiers ?? [], args.hasher);
+  }
+  createPresentationVerificationCallback(context) {
+    async function presentationVerificationCallback(args, presentationSubmission) {
+      let result;
+      if (import_ssi_types.CredentialMapper.isSdJwtEncoded(args)) {
+        try {
+          const sdJwtResult = await context.agent.verifySdJwtPresentation({
+            presentation: args
+          });
+          result = {
+            verified: "header" in sdJwtResult,
+            error: "header" in sdJwtResult ? void 0 : {
+              message: "could not verify SD JWT presentation"
+            }
+          };
+        } catch (error) {
+          result = {
+            verified: false,
+            error: {
+              message: error.message
+            }
+          };
+        }
+      } else {
+        result = await context.agent.verifyPresentation({
+          presentation: args
+        });
+      }
+      return result;
+    }
+    __name(presentationVerificationCallback, "presentationVerificationCallback");
+    return presentationVerificationCallback;
+  }
+  async createJarmResponseCallback({ responseOpts }) {
+    const agent = this.context.agent;
+    return /* @__PURE__ */ __name(async function jarmResponse(opts) {
+      const { clientMetadata, requestObjectPayload, authorizationResponsePayload: authResponse } = opts;
+      const jwk = await import_did_auth_siop3.OP.extractEncJwksFromClientMetadata(clientMetadata);
+      const recipientKey = await agent.identifierExternalResolveByJwk({
+        identifier: jwk
+      });
+      return await agent.jwtEncryptJweCompactJwt({
+        recipientKey,
+        protectedHeader: {},
+        alg: requestObjectPayload.client_metadata.authorization_encrypted_response_alg ?? "ECDH-ES",
+        enc: requestObjectPayload.client_metadata.authorization_encrypted_response_enc ?? "A256GCM",
+        apv: (0, import_ssi_sdk4.encodeBase64url)(opts.requestObjectPayload.nonce),
+        apu: (0, import_ssi_sdk4.encodeBase64url)((0, import_uuid.v4)()),
+        payload: authResponse,
+        issuer: responseOpts.issuer,
+        audience: responseOpts.audience
+      }).then((result) => {
+        return {
+          response: result.jwt
+        };
+      });
+    }, "jarmResponse");
+  }
+  async sendAuthorizationResponse(args) {
+    const resolveOpts = this.options.resolveOpts ?? {
+      resolver: (0, import_ssi_sdk_ext3.getAgentResolver)(this.context, {
+        uniresolverResolution: true,
+        localResolution: true,
+        resolverResolution: true
+      })
+    };
+    if (!resolveOpts.subjectSyntaxTypesSupported || resolveOpts.subjectSyntaxTypesSupported.length === 0) {
+      resolveOpts.subjectSyntaxTypesSupported = await this.getSupportedDIDMethods(true);
+    }
+    const verification = {
+      presentationVerificationCallback: this.createPresentationVerificationCallback(this.context)
+    };
+    const request = await this.getAuthorizationRequest();
+    const hasDefinitions = await this.hasPresentationDefinitions();
+    if (hasDefinitions) {
+      const totalInputDescriptors = request.presentationDefinitions?.reduce((sum, pd) => {
+        return sum + pd.definition.input_descriptors.length;
+      }, 0);
+      const totalVCs = args.verifiablePresentations ? this.countVCsInAllVPs(args.verifiablePresentations, args.hasher) : 0;
+      if (!request.presentationDefinitions || !args.verifiablePresentations || totalVCs !== totalInputDescriptors) {
+        throw Error(`Amount of presentations ${args.verifiablePresentations?.length}, doesn't match expected ${request.presentationDefinitions?.length}`);
+      } else if (!args.presentationSubmission) {
+        throw Error(`Presentation submission is required when verifiable presentations are required`);
+      }
+    }
+    const verifiablePresentations = args.verifiablePresentations ? args.verifiablePresentations.map((vp) => import_ssi_types.CredentialMapper.storedPresentationToOriginalFormat(vp)) : [];
+    const op = await createOP({
+      opOptions: {
+        ...this.options,
+        resolveOpts: {
+          ...this.options.resolveOpts
+        },
+        eventEmitter: this.options.eventEmitter,
+        presentationSignCallback: this.options.presentationSignCallback,
+        wellknownDIDVerifyCallback: this.options.wellknownDIDVerifyCallback,
+        supportedVersions: request.versions
+      },
+      idOpts: args.responseSignerOpts,
+      context: this.context
+    });
+    let issuer = args.responseSignerOpts.issuer;
+    const responseOpts = {
+      verification,
+      issuer,
+      ...args.isFirstParty && {
+        isFirstParty: args.isFirstParty
+      },
+      ...args.verifiablePresentations && {
+        presentationExchange: {
+          verifiablePresentations,
+          presentationSubmission: args.presentationSubmission
+        }
+      },
+      dcqlQuery: args.dcqlResponse
+    };
+    const authResponse = await op.createAuthorizationResponse(request, responseOpts);
+    const response = await op.submitAuthorizationResponse(authResponse, await this.createJarmResponseCallback({
+      responseOpts
+    }));
+    if (response.status >= 400) {
+      throw Error(`Error ${response.status}: ${response.statusText || await response.text()}`);
+    } else {
+      return response;
+    }
+  }
+  countVCsInAllVPs(verifiablePresentations, hasher) {
+    return verifiablePresentations.reduce((sum, vp) => {
+      if (import_ssi_types.CredentialMapper.isMsoMdocDecodedPresentation(vp) || import_ssi_types.CredentialMapper.isMsoMdocOid4VPEncoded(vp)) {
+        return sum + 1;
+      }
+      const uvp = import_ssi_types.CredentialMapper.toUniformPresentation(vp, {
+        hasher: hasher ?? this.options.hasher
+      });
+      if (uvp.verifiableCredential?.length) {
+        return sum + uvp.verifiableCredential?.length;
+      }
+      const isSdJWT = import_ssi_types.CredentialMapper.isSdJwtDecodedCredential(uvp);
+      if (isSdJWT || uvp.verifiableCredential && !import_pex2.PEX.allowMultipleVCsPerPresentation(uvp.verifiableCredential)) {
+        return sum + 1;
+      }
+      return sum;
+    }, 0);
+  }
+};
+function convertDidMethod(didMethod, didPrefix) {
+  if (didPrefix === false) {
+    return didMethod.startsWith("did:") ? didMethod.toLowerCase().replace("did:", "") : didMethod.toLowerCase();
+  }
+  return didMethod.startsWith("did:") ? didMethod.toLowerCase() : `did:${didMethod.toLowerCase().replace("did:", "")}`;
+}
+__name(convertDidMethod, "convertDidMethod");
+
+// src/agent/DidAuthSiopOpAuthenticator.ts
+var import_pex4 = require("@sphereon/pex");
+var import_utils = require("@veramo/utils");
+var import_dcql3 = require("dcql");
+
+// src/machine/Siopv2Machine.ts
+var import_xstate = require("xstate");
+
+// src/localization/Localization.ts
+var import_i18n_js = __toESM(require("i18n-js"), 1);
+var import_lodash = __toESM(require("lodash.memoize"), 1);
+var Localization = class Localization2 {
+  static {
+    __name(this, "Localization");
+  }
+  static translationGetters = {
+    [SupportedLanguage.ENGLISH]: () => require_en(),
+    [SupportedLanguage.DUTCH]: () => require_nl()
+  };
+  static translate = (0, import_lodash.default)((key, config) => {
+    if (Object.keys(import_i18n_js.default.translations).length === 0) {
+      import_i18n_js.default.translations = {
+        [SupportedLanguage.ENGLISH]: Localization2.translationGetters[SupportedLanguage.ENGLISH]()
+      };
+      import_i18n_js.default.locale = SupportedLanguage.ENGLISH;
+    } else {
+      import_i18n_js.default.translations = {
+        [import_i18n_js.default.locale]: {
+          ...import_i18n_js.default.translations[import_i18n_js.default.locale],
+          ...Localization2.translationGetters[this.findSupportedLanguage(import_i18n_js.default.locale) || SupportedLanguage.ENGLISH]()
+        }
+      };
+    }
+    return import_i18n_js.default.t(key, config);
+  }, (key, config) => config ? key + JSON.stringify(config) : key);
+  static findSupportedLanguage = /* @__PURE__ */ __name((locale) => {
+    for (const language of Object.values(SupportedLanguage)) {
+      if (language === locale) {
+        return language;
+      }
+    }
+    return void 0;
+  }, "findSupportedLanguage");
+  static getLocale = /* @__PURE__ */ __name(() => {
+    return import_i18n_js.default.locale || SupportedLanguage.ENGLISH;
+  }, "getLocale");
+};
+var translate = Localization.translate;
+
+// src/machine/Siopv2Machine.ts
+var import_ssi_types3 = require("@sphereon/ssi-types");
+var logger2 = import_ssi_types3.Loggers.DEFAULT.get(LOGGER_NAMESPACE);
+var Siopv2HasNoContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
+  const { contact } = _ctx;
+  return contact === void 0;
+}, "Siopv2HasNoContactGuard");
+var Siopv2HasContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
+  const { contact } = _ctx;
+  return contact !== void 0;
+}, "Siopv2HasContactGuard");
+var Siopv2HasAuthorizationRequestGuard = /* @__PURE__ */ __name((_ctx, _event) => {
+  const { authorizationRequestData } = _ctx;
+  return authorizationRequestData !== void 0;
+}, "Siopv2HasAuthorizationRequestGuard");
+var Siopv2HasSelectableCredentialsAndContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
+  const { authorizationRequestData, contact } = _ctx;
+  if (!authorizationRequestData) {
+    throw new Error("Missing authorization request data in context");
+  }
+  if (!contact) {
+    throw new Error("Missing contact request data in context");
+  }
+  return authorizationRequestData.presentationDefinitions !== void 0;
+}, "Siopv2HasSelectableCredentialsAndContactGuard");
+var Siopv2CreateContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
+  const { contactAlias, hasContactConsent } = _ctx;
+  return hasContactConsent && contactAlias !== void 0 && contactAlias.length > 0;
+}, "Siopv2CreateContactGuard");
+var Siopv2HasSelectedRequiredCredentialsGuard = /* @__PURE__ */ __name((_ctx, _event) => {
+  const { authorizationRequestData } = _ctx;
+  if (authorizationRequestData === void 0) {
+    throw new Error("Missing authorization request data in context");
+  }
+  if (authorizationRequestData.presentationDefinitions === void 0 || authorizationRequestData.presentationDefinitions.length === 0) {
+    throw Error("No presentation definitions present");
+  }
+  return _ctx.selectedCredentials.length > 0;
+}, "Siopv2HasSelectedRequiredCredentialsGuard");
+var Siopv2IsSiopOnlyGuard = /* @__PURE__ */ __name((_ctx, _event) => {
+  const { authorizationRequestData } = _ctx;
+  if (authorizationRequestData === void 0) {
+    throw new Error("Missing authorization request data in context");
+  }
+  return authorizationRequestData.presentationDefinitions === void 0;
+}, "Siopv2IsSiopOnlyGuard");
+var Siopv2IsSiopWithOID4VPGuard = /* @__PURE__ */ __name((_ctx, _event) => {
+  const { authorizationRequestData, selectableCredentialsMap } = _ctx;
+  if (!authorizationRequestData) {
+    throw new Error("Missing authorization request data in context");
+  }
+  if (!selectableCredentialsMap) {
+    throw new Error("Missing selectableCredentialsMap in context");
+  }
+  return authorizationRequestData.presentationDefinitions !== void 0;
+}, "Siopv2IsSiopWithOID4VPGuard");
+var createSiopv2Machine = /* @__PURE__ */ __name((opts) => {
+  const { url, idOpts: idOpts2 } = opts;
+  const initialContext = {
+    url: new URL(url).toString(),
+    hasContactConsent: true,
+    contactAlias: "",
+    selectedCredentials: [],
+    idOpts: idOpts2
+  };
+  return (0, import_xstate.createMachine)({
+    id: opts?.machineId ?? "Siopv2",
+    predictableActionArguments: true,
+    initial: Siopv2MachineStates.createConfig,
+    schema: {
+      events: {},
+      guards: {},
+      services: {}
+    },
+    context: initialContext,
+    states: {
+      [Siopv2MachineStates.createConfig]: {
+        id: Siopv2MachineStates.createConfig,
+        invoke: {
+          src: Siopv2MachineServices.createConfig,
+          onDone: {
+            target: Siopv2MachineStates.getSiopRequest,
+            actions: (0, import_xstate.assign)({
+              didAuthConfig: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "didAuthConfig")
+            })
+          },
+          onError: {
+            target: Siopv2MachineStates.handleError,
+            actions: (0, import_xstate.assign)({
+              error: /* @__PURE__ */ __name((_ctx, _event) => ({
+                title: translate("siopv2_machine_create_config_error_title"),
+                message: _event.data.message,
+                stack: _event.data.stack
+              }), "error")
+            })
+          }
+        }
+      },
+      [Siopv2MachineStates.getSiopRequest]: {
+        id: Siopv2MachineStates.getSiopRequest,
+        invoke: {
+          src: Siopv2MachineServices.getSiopRequest,
+          onDone: {
+            target: Siopv2MachineStates.retrieveContact,
+            actions: (0, import_xstate.assign)({
+              authorizationRequestData: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "authorizationRequestData")
+            })
+          },
+          onError: {
+            target: Siopv2MachineStates.handleError,
+            actions: (0, import_xstate.assign)({
+              error: /* @__PURE__ */ __name((_ctx, _event) => ({
+                title: translate("siopv2_machine_get_request_error_title"),
+                message: _event.data.message,
+                stack: _event.data.stack
+              }), "error")
+            })
+          }
+        }
+      },
+      [Siopv2MachineStates.retrieveContact]: {
+        id: Siopv2MachineStates.retrieveContact,
+        invoke: {
+          src: Siopv2MachineServices.retrieveContact,
+          onDone: {
+            target: Siopv2MachineStates.transitionFromSetup,
+            actions: (0, import_xstate.assign)({
+              contact: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "contact")
+            })
+          },
+          onError: {
+            target: Siopv2MachineStates.handleError,
+            actions: (0, import_xstate.assign)({
+              error: /* @__PURE__ */ __name((_ctx, _event) => ({
+                title: translate("siopv2_machine_retrieve_contact_error_title"),
+                message: _event.data.message,
+                stack: _event.data.stack
+              }), "error")
+            })
+          }
+        }
+      },
+      [Siopv2MachineStates.transitionFromSetup]: {
+        id: Siopv2MachineStates.transitionFromSetup,
+        always: [
+          {
+            target: Siopv2MachineStates.addContact,
+            cond: Siopv2MachineGuards.hasNoContactGuard
+          },
+          {
+            target: Siopv2MachineStates.sendResponse,
+            cond: Siopv2MachineGuards.siopOnlyGuard
+          },
+          {
+            target: Siopv2MachineStates.getSelectableCredentials,
+            cond: Siopv2MachineGuards.hasSelectableCredentialsAndContactGuard
+          },
+          {
+            target: Siopv2MachineStates.selectCredentials,
+            cond: Siopv2MachineGuards.siopWithOID4VPGuard
+          }
+        ]
+      },
+      [Siopv2MachineStates.addContact]: {
+        id: Siopv2MachineStates.addContact,
+        initial: Siopv2MachineAddContactStates.idle,
+        on: {
+          [Siopv2MachineEvents.SET_CONTACT_CONSENT]: {
+            actions: (0, import_xstate.assign)({
+              hasContactConsent: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "hasContactConsent")
+            })
+          },
+          [Siopv2MachineEvents.SET_CONTACT_ALIAS]: {
+            actions: (0, import_xstate.assign)({
+              contactAlias: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "contactAlias")
+            })
+          },
+          [Siopv2MachineEvents.CREATE_CONTACT]: {
+            target: `.${Siopv2MachineAddContactStates.next}`,
+            actions: (0, import_xstate.assign)({
+              contact: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "contact")
+            }),
+            cond: Siopv2MachineGuards.createContactGuard
+          },
+          [Siopv2MachineEvents.DECLINE]: {
+            target: Siopv2MachineStates.declined
+          },
+          [Siopv2MachineEvents.PREVIOUS]: {
+            target: Siopv2MachineStates.aborted
+          }
+        },
+        states: {
+          [Siopv2MachineAddContactStates.idle]: {},
+          [Siopv2MachineAddContactStates.next]: {
+            always: {
+              target: `#${Siopv2MachineStates.transitionFromSetup}`,
+              cond: Siopv2MachineGuards.hasContactGuard
+            }
+          }
+        }
+      },
+      [Siopv2MachineStates.addContactIdentity]: {
+        id: Siopv2MachineStates.addContactIdentity,
+        invoke: {
+          src: Siopv2MachineServices.addContactIdentity,
+          onDone: [
+            {
+              target: Siopv2MachineStates.getSelectableCredentials,
+              actions: /* @__PURE__ */ __name((_ctx, _event) => {
+                _ctx.contact?.identities.push(_event.data);
+              }, "actions"),
+              cond: Siopv2MachineGuards.hasSelectableCredentialsAndContactGuard
+            },
+            {
+              target: Siopv2MachineStates.sendResponse,
+              actions: /* @__PURE__ */ __name((_ctx, _event) => {
+                _ctx.contact?.identities.push(_event.data);
+              }, "actions"),
+              cond: Siopv2MachineGuards.siopOnlyGuard
+            }
+          ],
+          onError: {
+            target: Siopv2MachineStates.handleError,
+            actions: (0, import_xstate.assign)({
+              error: /* @__PURE__ */ __name((_ctx, _event) => ({
+                title: translate("siopv2_machine_add_contact_identity_error_title"),
+                message: _event.data.message,
+                stack: _event.data.stack
+              }), "error")
+            })
+          }
+        }
+      },
+      [Siopv2MachineStates.getSelectableCredentials]: {
+        id: Siopv2MachineStates.getSelectableCredentials,
+        invoke: {
+          src: Siopv2MachineServices.getSelectableCredentials,
+          onDone: {
+            target: Siopv2MachineStates.selectCredentials,
+            actions: (0, import_xstate.assign)({
+              selectableCredentialsMap: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "selectableCredentialsMap")
+            })
+          },
+          onError: {
+            target: Siopv2MachineStates.handleError,
+            actions: (0, import_xstate.assign)({
+              error: /* @__PURE__ */ __name((_ctx, _event) => ({
+                title: translate("siopv2_machine_get_selectable_credentials_error_title"),
+                message: _event.data.message,
+                stack: _event.data.stack
+              }), "error")
+            })
+          }
+        }
+      },
+      [Siopv2MachineStates.selectCredentials]: {
+        id: Siopv2MachineStates.selectCredentials,
+        on: {
+          [Siopv2MachineEvents.SET_SELECTED_CREDENTIALS]: {
+            actions: (0, import_xstate.assign)({
+              selectedCredentials: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "selectedCredentials")
+            })
+          },
+          [Siopv2MachineEvents.NEXT]: {
+            target: Siopv2MachineStates.sendResponse,
+            cond: Siopv2MachineGuards.hasSelectedRequiredCredentialsGuard
+          },
+          [Siopv2MachineEvents.DECLINE]: {
+            target: Siopv2MachineStates.declined
+          },
+          [Siopv2MachineEvents.PREVIOUS]: {
+            target: Siopv2MachineStates.aborted
+          }
+        }
+      },
+      [Siopv2MachineStates.sendResponse]: {
+        id: Siopv2MachineStates.sendResponse,
+        invoke: {
+          src: Siopv2MachineServices.sendResponse,
+          onDone: {
+            target: Siopv2MachineStates.done,
+            actions: (0, import_xstate.assign)({
+              authorizationResponseData: /* @__PURE__ */ __name((_ctx, _event) => _event.data, "authorizationResponseData")
+            })
+          },
+          onError: {
+            target: Siopv2MachineStates.handleError,
+            actions: (0, import_xstate.assign)({
+              error: /* @__PURE__ */ __name((_ctx, _event) => ({
+                title: translate("siopv2_machine_send_response_error_title"),
+                message: _event.data.message,
+                stack: _event.data.stack
+              }), "error")
+            })
+          }
+        }
+      },
+      [Siopv2MachineStates.handleError]: {
+        id: Siopv2MachineStates.handleError,
+        on: {
+          [Siopv2MachineEvents.NEXT]: {
+            target: Siopv2MachineStates.error
+          },
+          [Siopv2MachineEvents.PREVIOUS]: {
+            target: Siopv2MachineStates.error
+          }
+        }
+      },
+      [Siopv2MachineStates.aborted]: {
+        id: Siopv2MachineStates.aborted,
+        type: "final"
+      },
+      [Siopv2MachineStates.declined]: {
+        id: Siopv2MachineStates.declined,
+        type: "final"
+      },
+      [Siopv2MachineStates.error]: {
+        id: Siopv2MachineStates.error,
+        type: "final"
+      },
+      [Siopv2MachineStates.done]: {
+        id: Siopv2MachineStates.done,
+        type: "final"
+      }
+    }
+  });
+}, "createSiopv2Machine");
+var Siopv2Machine = class {
+  static {
+    __name(this, "Siopv2Machine");
+  }
+  static newInstance(opts) {
+    logger2.info("New Siopv2Machine instance");
+    const interpreter = (0, import_xstate.interpret)(createSiopv2Machine(opts).withConfig({
+      services: {
+        ...opts?.services
+      },
+      guards: {
+        Siopv2HasNoContactGuard,
+        Siopv2HasContactGuard,
+        Siopv2HasAuthorizationRequestGuard,
+        Siopv2HasSelectableCredentialsAndContactGuard,
+        Siopv2HasSelectedRequiredCredentialsGuard,
+        Siopv2IsSiopOnlyGuard,
+        Siopv2IsSiopWithOID4VPGuard,
+        Siopv2CreateContactGuard,
+        ...opts?.guards
+      }
+    }));
+    if (typeof opts?.subscription === "function") {
+      interpreter.onTransition(opts.subscription);
+    }
+    if (opts?.requireCustomNavigationHook !== true) {
+      interpreter.onTransition((snapshot) => {
+        if (opts.stateNavigationListener !== void 0) {
+          void opts.stateNavigationListener(interpreter, snapshot);
+        }
+      });
+    }
+    interpreter.onTransition((snapshot) => {
+      logger2.info("onTransition to new state", snapshot.value);
+    });
+    return {
+      interpreter
+    };
+  }
+};
+
+// src/services/Siopv2MachineService.ts
+var import_did_auth_siop4 = require("@sphereon/did-auth-siop");
+var import_pex3 = require("@sphereon/pex");
+var import_ssi_sdk_ext4 = require("@sphereon/ssi-sdk-ext.identifier-resolution");
+var import_ssi_sdk5 = require("@sphereon/ssi-sdk.credential-store");
+var import_ssi_sdk6 = require("@sphereon/ssi-sdk.data-store");
+var import_ssi_types6 = require("@sphereon/ssi-types");
+var import_ssi_sdk_ext5 = require("@sphereon/ssi-sdk-ext.did-utils");
+var import_ssi_sdk7 = require("@sphereon/ssi-sdk.core");
+var import_dcql = require("dcql");
+
+// src/utils/dcql.ts
+var import_ssi_types5 = require("@sphereon/ssi-types");
+
+// src/utils/CredentialUtils.ts
+var import_ssi_types4 = require("@sphereon/ssi-types");
+var getOriginalVerifiableCredential = /* @__PURE__ */ __name((credential) => {
+  if (isUniqueDigitalCredential(credential)) {
+    if (!credential.originalVerifiableCredential) {
+      throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
+    }
+    return getCredentialFromProofOrWrapped(credential.originalVerifiableCredential);
+  }
+  return getCredentialFromProofOrWrapped(credential);
+}, "getOriginalVerifiableCredential");
+var getCredentialFromProofOrWrapped = /* @__PURE__ */ __name((cred, hasher) => {
+  if (typeof cred === "object" && "proof" in cred && "jwt" in cred.proof && import_ssi_types4.CredentialMapper.isSdJwtEncoded(cred.proof.jwt)) {
+    return cred.proof.jwt;
+  }
+  return import_ssi_types4.CredentialMapper.toWrappedVerifiableCredential(cred, {
+    hasher
+  }).original;
+}, "getCredentialFromProofOrWrapped");
+var isUniqueDigitalCredential = /* @__PURE__ */ __name((credential) => {
+  return credential.digitalCredential !== void 0;
+}, "isUniqueDigitalCredential");
+
+// src/utils/dcql.ts
+function convertToDcqlCredentials(credential, hasher) {
+  let payload;
+  if (isUniqueDigitalCredential(credential)) {
+    if (!credential.originalVerifiableCredential) {
+      throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
+    }
+    payload = import_ssi_types5.CredentialMapper.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
+  } else {
+    payload = import_ssi_types5.CredentialMapper.decodeVerifiableCredential(credential, hasher);
+  }
+  if (!payload) {
+    throw new Error("No payload found");
+  }
+  if ("decodedPayload" in payload && payload.decodedPayload) {
+    payload = payload.decodedPayload;
+  }
+  if ("vct" in payload) {
+    return {
+      vct: payload.vct,
+      claims: payload,
+      credential_format: "vc+sd-jwt"
+    };
+  } else if ("docType" in payload && "namespaces" in payload) {
+    return {
+      docType: payload.docType,
+      namespaces: payload.namespaces,
+      claims: payload
+    };
+  } else {
+    return {
+      claims: payload,
+      credential_format: "jwt_vc_json"
+    };
+  }
+}
+__name(convertToDcqlCredentials, "convertToDcqlCredentials");
+
+// src/services/Siopv2MachineService.ts
+var logger3 = import_ssi_types6.Loggers.DEFAULT.get(LOGGER_NAMESPACE);
+var createEbsiIdentifier = /* @__PURE__ */ __name(async (agentContext) => {
+  logger3.log(`No EBSI key present yet. Creating a new one...`);
+  const { result: newIdentifier, created } = await (0, import_ssi_sdk_ext5.getOrCreatePrimaryIdentifier)(agentContext, {
+    method: import_ssi_sdk_ext5.SupportedDidMethodEnum.DID_KEY,
+    createOpts: {
+      options: {
+        codecName: "jwk_jcs-pub",
+        type: "Secp256r1"
+      }
+    }
+  });
+  logger3.log(`EBSI key created: ${newIdentifier.did}`);
+  if (created) {
+    await agentContext.agent.emit(Siopv2HolderEvent.IDENTIFIER_CREATED, {
+      result: newIdentifier
+    });
+  }
+  return await agentContext.agent.identifierManagedGetByDid({
+    identifier: newIdentifier.did
+  });
+}, "createEbsiIdentifier");
+var hasEbsiClient = /* @__PURE__ */ __name(async (authorizationRequest) => {
+  const clientId = await authorizationRequest.getMergedProperty("client_id");
+  const redirectUri = await authorizationRequest.getMergedProperty("redirect_uri");
+  return clientId?.toLowerCase().includes(".ebsi.eu") || redirectUri?.toLowerCase().includes(".ebsi.eu");
+}, "hasEbsiClient");
+var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType, args, context) => {
+  const { agent } = context;
+  const agentContext = {
+    ...context,
+    agent: context.agent
+  };
+  let { idOpts: idOpts2, isFirstParty, hasher = import_ssi_sdk7.defaultHasher } = args;
+  if (connectionType !== import_ssi_sdk6.ConnectionType.SIOPv2_OpenID4VP) {
+    return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`));
+  }
+  const session = await agent.siopGetOPSession({
+    sessionId: args.sessionId
+  });
+  const request = await session.getAuthorizationRequest();
+  const aud = await request.authorizationRequest.getMergedProperty("aud");
+  logger3.debug(`AUD: ${aud}`);
+  logger3.debug(JSON.stringify(request.authorizationRequest));
+  let presentationsAndDefs;
+  let presentationSubmission;
+  if (await session.hasPresentationDefinitions()) {
+    const oid4vp = await session.getOID4VP({
+      hasher
+    });
+    const credentialsAndDefinitions = args.verifiableCredentialsWithDefinition ? args.verifiableCredentialsWithDefinition : await oid4vp.filterCredentialsAgainstAllDefinitions(import_ssi_sdk6.CredentialRole.HOLDER);
+    const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(import_did_auth_siop4.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
+    logger3.log(`NONCE: ${session.nonce}, domain: ${domain}`);
+    const firstUniqueDC = credentialsAndDefinitions[0].credentials[0];
+    if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
+      return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
+    }
+    let identifier;
+    const digitalCredential = firstUniqueDC.digitalCredential;
+    const firstVC = firstUniqueDC.uniformVerifiableCredential;
+    const holder = import_ssi_types6.CredentialMapper.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
+      //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
+      `did:jwk:${(0, import_ssi_sdk7.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0`
+    ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
+    if (!digitalCredential.kmsKeyRef) {
+      if (!holder) {
+        return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
+      }
+      try {
+        identifier = await session.context.agent.identifierManagedGet({
+          identifier: holder
+        });
+      } catch (e) {
+        logger3.debug(`Holder DID not found: ${holder}`);
+        throw e;
+      }
+    } else if ((0, import_ssi_sdk_ext4.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
+      identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
+        identifier: firstUniqueDC.digitalCredential.kmsKeyRef
+      });
+    } else {
+      switch (digitalCredential.subjectCorrelationType) {
+        case "DID":
+          identifier = await session.context.agent.identifierManagedGetByDid({
+            identifier: digitalCredential.subjectCorrelationId ?? holder,
+            kmsKeyRef: digitalCredential.kmsKeyRef
+          });
+          break;
+        // TODO other implementations?
+        default:
+          if (digitalCredential.subjectCorrelationId?.startsWith("did:") || holder?.startsWith("did:")) {
+            identifier = await session.context.agent.identifierManagedGetByDid({
+              identifier: digitalCredential.subjectCorrelationId ?? holder,
+              kmsKeyRef: digitalCredential.kmsKeyRef
+            });
+          } else {
+            identifier = await session.context.agent.identifierManagedGetByKid({
+              identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
+              kmsKeyRef: digitalCredential.kmsKeyRef
+            });
+          }
+      }
+    }
+    if (identifier === void 0 && idOpts2 !== void 0 && await hasEbsiClient(request.authorizationRequest)) {
+      identifier = await createEbsiIdentifier(agentContext);
+    }
+    logger3.debug(`Identifier`, identifier);
+    presentationsAndDefs = await oid4vp.createVerifiablePresentations(import_ssi_sdk6.CredentialRole.HOLDER, credentialsAndDefinitions, {
+      idOpts: identifier,
+      proofOpts: {
+        nonce: session.nonce,
+        domain
+      }
+    });
+    if (!presentationsAndDefs || presentationsAndDefs.length === 0) {
+      throw Error("No verifiable presentations could be created");
+    } else if (presentationsAndDefs.length > 1) {
+      throw Error(`Only one verifiable presentation supported for now. Got ${presentationsAndDefs.length}`);
+    }
+    idOpts2 = presentationsAndDefs[0].idOpts;
+    presentationSubmission = presentationsAndDefs[0].presentationSubmission;
+    logger3.log(`Definitions and locations:`, JSON.stringify(presentationsAndDefs?.[0]?.verifiablePresentations, null, 2));
+    logger3.log(`Presentation Submission:`, JSON.stringify(presentationSubmission, null, 2));
+    const mergedVerifiablePresentations = presentationsAndDefs?.flatMap((pd) => pd.verifiablePresentations) || [];
+    return await session.sendAuthorizationResponse({
+      ...presentationsAndDefs && {
+        verifiablePresentations: mergedVerifiablePresentations
+      },
+      ...presentationSubmission && {
+        presentationSubmission
+      },
+      // todo: Change issuer value in case we do not use identifier. Use key.meta.jwkThumbprint then
+      responseSignerOpts: idOpts2,
+      isFirstParty
+    });
+  } else if (request.dcqlQuery) {
+    if (args.verifiableCredentialsWithDefinition !== void 0 && args.verifiableCredentialsWithDefinition !== null) {
+      const vcs = args.verifiableCredentialsWithDefinition.flatMap((vcd) => vcd.credentials);
+      const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(import_did_auth_siop4.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
+      logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
+      const firstUniqueDC = vcs[0];
+      if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
+        return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
+      }
+      let identifier;
+      const digitalCredential = firstUniqueDC.digitalCredential;
+      const firstVC = firstUniqueDC.uniformVerifiableCredential;
+      const holder = import_ssi_types6.CredentialMapper.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
+        //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
+        `did:jwk:${(0, import_ssi_sdk7.encodeJoseBlob)(firstVC.decodedPayload.cnf?.jwk)}#0`
+      ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
+      if (!digitalCredential.kmsKeyRef) {
+        if (!holder) {
+          return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
+        }
+        try {
+          identifier = await session.context.agent.identifierManagedGet({
+            identifier: holder
+          });
+        } catch (e) {
+          logger3.debug(`Holder DID not found: ${holder}`);
+          throw e;
+        }
+      } else if ((0, import_ssi_sdk_ext4.isOID4VCIssuerIdentifier)(digitalCredential.kmsKeyRef)) {
+        identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
+          identifier: firstUniqueDC.digitalCredential.kmsKeyRef
+        });
+      } else {
+        switch (digitalCredential.subjectCorrelationType) {
+          case "DID":
+            identifier = await session.context.agent.identifierManagedGetByDid({
+              identifier: digitalCredential.subjectCorrelationId ?? holder,
+              kmsKeyRef: digitalCredential.kmsKeyRef
+            });
+            break;
+          // TODO other implementations?
+          default:
+            identifier = await session.context.agent.identifierManagedGetByKid({
+              identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
+              kmsKeyRef: digitalCredential.kmsKeyRef
+            });
+        }
+      }
+      console.log(`Identifier`, identifier);
+      const dcqlRepresentations = [];
+      vcs.forEach((vc) => {
+        const rep = convertToDcqlCredentials(vc, args.hasher);
+        if (rep) {
+          dcqlRepresentations.push(rep);
+        }
+      });
+      const queryResult = import_dcql.DcqlQuery.query(request.dcqlQuery, dcqlRepresentations);
+      const presentation = {};
+      for (const [key, value] of Object.entries(queryResult.credential_matches)) {
+        const allMatches = Array.isArray(value) ? value : [
+          value
+        ];
+        allMatches.forEach((match) => {
+          if (match.success) {
+            const originalCredential = getOriginalVerifiableCredential(vcs[match.input_credential_index]);
+            if (!originalCredential) {
+              throw new Error(`Index ${match.input_credential_index} out of range in credentials array`);
+            }
+            presentation[key] = originalCredential["compactSdJwtVc"] !== void 0 ? originalCredential.compactSdJwtVc : originalCredential;
+          }
+        });
+      }
+      const response = session.sendAuthorizationResponse({
+        responseSignerOpts: identifier,
+        ...{
+          dcqlQuery: {
+            dcqlPresentation: import_dcql.DcqlPresentation.parse(presentation)
+          }
+        }
+      });
+      logger3.debug(`Response: `, response);
+      return response;
+    }
+  }
+  throw Error("Presentation Definition or DCQL is required");
+}, "siopSendAuthorizationResponse");
+function buildPartialPD(inputDescriptor, presentationDefinition) {
+  return {
+    ...presentationDefinition,
+    input_descriptors: [
+      inputDescriptor
+    ]
+  };
+}
+__name(buildPartialPD, "buildPartialPD");
+var getSelectableCredentials = /* @__PURE__ */ __name(async (presentationDefinition, context) => {
+  const agentContext = {
+    ...context,
+    agent: context.agent
+  };
+  const { agent } = agentContext;
+  const pex = new import_pex3.PEX();
+  const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
+    filter: (0, import_ssi_sdk5.verifiableCredentialForRoleFilter)(import_ssi_sdk6.CredentialRole.HOLDER)
+  });
+  const credentialBranding = await agent.ibGetCredentialBranding();
+  const selectableCredentialsMap = /* @__PURE__ */ new Map();
+  for (const inputDescriptor of presentationDefinition.input_descriptors) {
+    const partialPD = buildPartialPD(inputDescriptor, presentationDefinition);
+    const originalCredentials = uniqueVerifiableCredentials.map((uniqueVC) => {
+      return import_ssi_types6.CredentialMapper.storedCredentialToOriginalFormat(uniqueVC.originalVerifiableCredential);
+    });
+    const selectionResults = pex.selectFrom(partialPD, originalCredentials);
+    const selectableCredentials = [];
+    for (const selectedCredential of selectionResults.verifiableCredential || []) {
+      const filteredUniqueVC = uniqueVerifiableCredentials.find((uniqueVC) => {
+        const proof = uniqueVC.uniformVerifiableCredential.proof;
+        return Array.isArray(proof) ? proof.some((proofItem) => proofItem.jwt === selectedCredential) : proof.jwt === selectedCredential;
+      });
+      if (filteredUniqueVC) {
+        const filteredCredentialBrandings = credentialBranding.filter((cb) => cb.vcHash === filteredUniqueVC.hash);
+        const issuerPartyIdentity = await agent.cmGetContacts({
+          filter: [
+            {
+              identities: {
+                identifier: {
+                  correlationId: filteredUniqueVC.uniformVerifiableCredential.issuerDid
+                }
+              }
+            }
+          ]
+        });
+        const subjectPartyIdentity = await agent.cmGetContacts({
+          filter: [
+            {
+              identities: {
+                identifier: {
+                  correlationId: filteredUniqueVC.uniformVerifiableCredential.subjectDid
+                }
+              }
+            }
+          ]
+        });
+        selectableCredentials.push({
+          credential: filteredUniqueVC,
+          credentialBranding: filteredCredentialBrandings[0]?.localeBranding,
+          issuerParty: issuerPartyIdentity?.[0],
+          subjectParty: subjectPartyIdentity?.[0]
+        });
+      }
+    }
+    selectableCredentialsMap.set(inputDescriptor.id, selectableCredentials);
+  }
+  return selectableCredentialsMap;
+}, "getSelectableCredentials");
+var translateCorrelationIdToName = /* @__PURE__ */ __name(async (correlationId, context) => {
+  const { agent } = context;
+  const contacts = await agent.cmGetContacts({
+    filter: [
+      {
+        identities: {
+          identifier: {
+            correlationId
+          }
+        }
+      }
+    ]
+  });
+  if (contacts.length === 0) {
+    return void 0;
+  }
+  return contacts[0].contact.displayName;
+}, "translateCorrelationIdToName");
+
+// src/agent/DidAuthSiopOpAuthenticator.ts
+var logger4 = import_ssi_types7.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
+var didAuthSiopOpAuthenticatorMethods = [
+  "cmGetContacts",
+  "cmGetContact",
+  "cmAddContact",
+  "cmAddIdentity",
+  "didManagerFind",
+  "didManagerGet",
+  "keyManagerSign",
+  "didManagerGetProviders",
+  "dataStoreORMGetVerifiableCredentials",
+  "createVerifiablePresentation"
+];
+var DidAuthSiopOpAuthenticator = class {
+  static {
+    __name(this, "DidAuthSiopOpAuthenticator");
+  }
+  schema = schema.IDidAuthSiopOpAuthenticator;
+  methods = {
+    siopGetOPSession: this.siopGetOPSession.bind(this),
+    siopRegisterOPSession: this.siopRegisterOPSession.bind(this),
+    siopRemoveOPSession: this.siopRemoveOPSession.bind(this),
+    siopRegisterOPCustomApproval: this.siopRegisterOPCustomApproval.bind(this),
+    siopRemoveOPCustomApproval: this.siopRemoveOPCustomApproval.bind(this),
+    siopGetMachineInterpreter: this.siopGetMachineInterpreter.bind(this),
+    siopCreateConfig: this.siopCreateConfig.bind(this),
+    siopGetSiopRequest: this.siopGetSiopRequest.bind(this),
+    siopRetrieveContact: this.siopRetrieveContact.bind(this),
+    siopAddIdentity: this.siopAddContactIdentity.bind(this),
+    siopSendResponse: this.siopSendResponse.bind(this),
+    siopGetSelectableCredentials: this.siopGetSelectableCredentials.bind(this)
+  };
+  sessions;
+  customApprovals;
+  presentationSignCallback;
+  onContactIdentityCreated;
+  onIdentifierCreated;
+  eventEmitter;
+  hasher;
+  constructor(options) {
+    const { onContactIdentityCreated, onIdentifierCreated, hasher, customApprovals = {}, presentationSignCallback } = {
+      ...options
+    };
+    this.hasher = hasher;
+    this.onContactIdentityCreated = onContactIdentityCreated;
+    this.onIdentifierCreated = onIdentifierCreated;
+    this.presentationSignCallback = presentationSignCallback;
+    this.sessions = /* @__PURE__ */ new Map();
+    this.customApprovals = customApprovals;
+  }
+  async onEvent(event, context) {
+    switch (event.type) {
+      case Siopv2HolderEvent.CONTACT_IDENTITY_CREATED:
+        this.onContactIdentityCreated?.(event.data);
+        break;
+      case Siopv2HolderEvent.IDENTIFIER_CREATED:
+        this.onIdentifierCreated?.(event.data);
+        break;
+      default:
+        return Promise.reject(Error(`Event type ${event.type} not supported`));
+    }
+  }
+  async siopGetOPSession(args, context) {
+    if (!this.sessions.has(args.sessionId)) {
+      throw Error(`No session found for id: ${args.sessionId}`);
+    }
+    return this.sessions.get(args.sessionId);
+  }
+  async siopRegisterOPSession(args, context) {
+    const sessionId = args.sessionId || (0, import_uuid2.v4)();
+    if (this.sessions.has(sessionId)) {
+      return Promise.reject(new Error(`Session with id: ${args.sessionId} already present`));
+    }
+    const opts = {
+      ...args,
+      sessionId,
+      context
+    };
+    if (!opts.op?.presentationSignCallback) {
+      opts.op = {
+        ...opts.op,
+        presentationSignCallback: this.presentationSignCallback
+      };
+    }
+    const session = await OpSession.init(opts);
+    this.sessions.set(sessionId, session);
+    return session;
+  }
+  async siopRemoveOPSession(args, context) {
+    return this.sessions.delete(args.sessionId);
+  }
+  async siopRegisterOPCustomApproval(args, context) {
+    if (this.customApprovals[args.key] !== void 0) {
+      return Promise.reject(new Error(`Custom approval with key: ${args.key} already present`));
+    }
+    this.customApprovals[args.key] = args.customApproval;
+  }
+  async siopRemoveOPCustomApproval(args, context) {
+    return delete this.customApprovals[args.key];
+  }
+  async siopGetMachineInterpreter(opts, context) {
+    const { stateNavigationListener, url } = opts;
+    const services = {
+      createConfig: /* @__PURE__ */ __name((args) => this.siopCreateConfig(args), "createConfig"),
+      getSiopRequest: /* @__PURE__ */ __name((args) => this.siopGetSiopRequest(args, context), "getSiopRequest"),
+      getSelectableCredentials: /* @__PURE__ */ __name((args) => this.siopGetSelectableCredentials(args, context), "getSelectableCredentials"),
+      retrieveContact: /* @__PURE__ */ __name((args) => this.siopRetrieveContact(args, context), "retrieveContact"),
+      addContactIdentity: /* @__PURE__ */ __name((args) => this.siopAddContactIdentity(args, context), "addContactIdentity"),
+      sendResponse: /* @__PURE__ */ __name((args) => this.siopSendResponse(args, context), "sendResponse"),
+      ...opts?.services
+    };
+    const siopv2MachineOpts = {
+      ...opts,
+      url,
+      stateNavigationListener,
+      services: {
+        ...services,
+        ...opts.services
+      }
+    };
+    return Siopv2Machine.newInstance(siopv2MachineOpts);
+  }
+  async siopCreateConfig(context) {
+    const { url } = context;
+    if (!url) {
+      return Promise.reject(Error("Missing request uri in context"));
+    }
+    return {
+      id: (0, import_uuid2.v4)(),
+      // FIXME: Update these values in SSI-SDK. Only the URI (not a redirectURI) would be available at this point
+      sessionId: (0, import_uuid2.v4)(),
+      redirectUrl: url
+    };
+  }
+  async siopGetSiopRequest(args, context) {
+    const { agent } = context;
+    const { didAuthConfig } = args;
+    if (args.url === void 0) {
+      return Promise.reject(Error("Missing request uri in context"));
+    }
+    if (didAuthConfig === void 0) {
+      return Promise.reject(Error("Missing config in context"));
+    }
+    const { sessionId, redirectUrl } = didAuthConfig;
+    const session = await agent.siopGetOPSession({
+      sessionId
+    }).catch(async () => await agent.siopRegisterOPSession({
+      requestJwtOrUri: redirectUrl,
+      sessionId,
+      op: {
+        eventEmitter: this.eventEmitter,
+        hasher: this.hasher
+      }
+    }));
+    logger4.debug(`session: ${JSON.stringify(session.id, null, 2)}`);
+    const verifiedAuthorizationRequest = await session.getAuthorizationRequest();
+    const clientName = verifiedAuthorizationRequest.registrationMetadataPayload?.client_name;
+    const url = verifiedAuthorizationRequest.responseURI ?? (args.url.includes("request_uri") ? decodeURIComponent(args.url.split("?request_uri=")[1].trim()) : verifiedAuthorizationRequest.issuer ?? verifiedAuthorizationRequest.registrationMetadataPayload?.client_id);
+    const uri = url.includes("://") ? new URL(url) : void 0;
+    const correlationId = uri?.hostname ?? await this.determineCorrelationId(uri, verifiedAuthorizationRequest, clientName, context);
+    const clientId = await verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("client_id");
+    return {
+      issuer: verifiedAuthorizationRequest.issuer,
+      correlationId,
+      registrationMetadataPayload: verifiedAuthorizationRequest.registrationMetadataPayload,
+      uri,
+      name: clientName,
+      clientId,
+      presentationDefinitions: await verifiedAuthorizationRequest.authorizationRequest.containsResponseType("vp_token") || verifiedAuthorizationRequest.versions.every((version) => version <= import_did_auth_siop5.SupportedVersion.JWT_VC_PRESENTATION_PROFILE_v1) && verifiedAuthorizationRequest.presentationDefinitions && verifiedAuthorizationRequest.presentationDefinitions.length > 0 ? verifiedAuthorizationRequest.presentationDefinitions : void 0,
+      dcqlQuery: verifiedAuthorizationRequest.dcqlQuery
+    };
+  }
+  async determineCorrelationId(uri, verifiedAuthorizationRequest, clientName, context) {
+    if (uri) {
+      return await translateCorrelationIdToName(uri.hostname, context) ?? uri.hostname;
+    }
+    if (verifiedAuthorizationRequest.issuer) {
+      const issuerHostname = verifiedAuthorizationRequest.issuer.split("://")[1];
+      return await translateCorrelationIdToName(issuerHostname, context) ?? issuerHostname;
+    }
+    if (clientName) {
+      return clientName;
+    }
+    throw new Error("Can't determine correlationId from request");
+  }
+  async siopRetrieveContact(args, context) {
+    const { authorizationRequestData } = args;
+    const { agent } = context;
+    if (authorizationRequestData === void 0) {
+      return Promise.reject(Error("Missing authorization request data in context"));
+    }
+    return agent.cmGetContacts({
+      filter: [
+        {
+          identities: {
+            identifier: {
+              correlationId: authorizationRequestData.correlationId
+            }
+          }
+        }
+      ]
+    }).then((contacts) => contacts.length === 1 ? contacts[0] : void 0);
+  }
+  async siopAddContactIdentity(args, context) {
+    const { agent } = context;
+    const { contact, authorizationRequestData } = args;
+    if (contact === void 0) {
+      return Promise.reject(Error("Missing contact in context"));
+    }
+    if (authorizationRequestData === void 0) {
+      return Promise.reject(Error("Missing authorization request data in context"));
+    }
+    const clientId = authorizationRequestData.clientId ?? authorizationRequestData.issuer;
+    const correlationId = clientId ? clientId.startsWith("did:") ? clientId : `${new URL(clientId).protocol}//${new URL(clientId).hostname}` : void 0;
+    if (correlationId) {
+      const identity = {
+        alias: correlationId,
+        origin: import_ssi_sdk8.IdentityOrigin.EXTERNAL,
+        roles: [
+          import_ssi_sdk8.CredentialRole.ISSUER
+        ],
+        identifier: {
+          type: correlationId.startsWith("did:") ? import_ssi_sdk8.CorrelationIdentifierType.DID : import_ssi_sdk8.CorrelationIdentifierType.URL,
+          correlationId
+        }
+      };
+      const addedIdentity = await agent.cmAddIdentity({
+        contactId: contact.id,
+        identity
+      });
+      await context.agent.emit(Siopv2HolderEvent.CONTACT_IDENTITY_CREATED, {
+        contactId: contact.id,
+        identity: addedIdentity
+      });
+      logger4.info(`Contact identity created: ${JSON.stringify(addedIdentity)}`);
+    }
+  }
+  async siopSendResponse(args, context) {
+    const { didAuthConfig, authorizationRequestData, selectedCredentials, isFirstParty } = args;
+    if (didAuthConfig === void 0) {
+      return Promise.reject(Error("Missing config in context"));
+    }
+    if (authorizationRequestData === void 0) {
+      return Promise.reject(Error("Missing authorization request data in context"));
+    }
+    const pex = new import_pex4.PEX({
+      hasher: this.hasher
+    });
+    const verifiableCredentialsWithDefinition = [];
+    const dcqlCredentialsWithCredentials = /* @__PURE__ */ new Map();
+    if (Array.isArray(authorizationRequestData.presentationDefinitions) && authorizationRequestData?.presentationDefinitions.length > 0) {
+      try {
+        authorizationRequestData.presentationDefinitions?.forEach((presentationDefinition) => {
+          const { areRequiredCredentialsPresent, verifiableCredential: verifiableCredentials } = pex.selectFrom(presentationDefinition.definition, selectedCredentials.map((udc) => udc.originalVerifiableCredential));
+          if (areRequiredCredentialsPresent !== import_pex4.Status.ERROR && verifiableCredentials) {
+            let uniqueDigitalCredentials = [];
+            uniqueDigitalCredentials = verifiableCredentials.map((vc) => {
+              const hash = typeof vc === "string" ? (0, import_utils.computeEntryHash)(vc.split("~"[0])) : (0, import_utils.computeEntryHash)(vc);
+              const udc = selectedCredentials.find((udc2) => udc2.hash == hash || udc2.originalVerifiableCredential == vc);
+              if (!udc) {
+                throw Error(`UniqueDigitalCredential could not be found in store. Either the credential is not present in the store or the hash is not correct.`);
+              }
+              return udc;
+            });
+            verifiableCredentialsWithDefinition.push({
+              definition: presentationDefinition,
+              credentials: uniqueDigitalCredentials
+            });
+          }
+        });
+      } catch (e) {
+        return Promise.reject(e);
+      }
+      if (verifiableCredentialsWithDefinition.length === 0) {
+        return Promise.reject(Error("None of the selected credentials match any of the presentation definitions."));
+      }
+    } else if (authorizationRequestData.dcqlQuery) {
+      if (this.hasMDocCredentials(selectedCredentials) || this.hasSdJwtCredentials(selectedCredentials)) {
+        try {
+          selectedCredentials.forEach((vc) => {
+            if (this.isSdJwtCredential(vc)) {
+              const payload = vc.originalVerifiableCredential.decodedPayload;
+              const result = {
+                claims: payload,
+                vct: payload.vct,
+                credential_format: "vc+sd-jwt"
+              };
+              dcqlCredentialsWithCredentials.set(result, vc);
+            } else {
+              throw Error(`Invalid credential format: ${vc.digitalCredential.documentFormat}`);
+            }
+          });
+        } catch (e) {
+          return Promise.reject(e);
+        }
+        const dcqlPresentationRecord = {};
+        const queryResult = import_dcql3.DcqlQuery.query(authorizationRequestData.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
+        for (const [key, value] of Object.entries(queryResult.credential_matches)) {
+          if (value.success) {
+            dcqlPresentationRecord[key] = this.retrieveEncodedCredential(dcqlCredentialsWithCredentials.get(value.output));
+          }
+        }
+      }
+    }
+    const response = await siopSendAuthorizationResponse(import_ssi_sdk8.ConnectionType.SIOPv2_OpenID4VP, {
+      sessionId: didAuthConfig.sessionId,
+      ...args.idOpts && {
+        idOpts: args.idOpts
+      },
+      ...authorizationRequestData.presentationDefinitions !== void 0 && {
+        verifiableCredentialsWithDefinition
+      },
+      isFirstParty,
+      hasher: this.hasher
+    }, context);
+    const contentType = response.headers.get("content-type") || "";
+    let responseBody = null;
+    const text = await response.text();
+    if (text) {
+      responseBody = contentType.includes("application/json") || text.startsWith("{") ? JSON.parse(text) : text;
+    }
+    return {
+      body: responseBody,
+      url: response?.url,
+      queryParams: (0, import_did_auth_siop5.decodeUriAsJson)(response?.url)
+    };
+  }
+  hasMDocCredentials = /* @__PURE__ */ __name((credentials) => {
+    return credentials.some(this.isMDocCredential);
+  }, "hasMDocCredentials");
+  isMDocCredential = /* @__PURE__ */ __name((credential) => {
+    return credential.digitalCredential.documentFormat === import_ssi_sdk8.CredentialDocumentFormat.MSO_MDOC && credential.digitalCredential.documentType === import_ssi_sdk8.DocumentType.VC;
+  }, "isMDocCredential");
+  hasSdJwtCredentials = /* @__PURE__ */ __name((credentials) => {
+    return credentials.some(this.isSdJwtCredential);
+  }, "hasSdJwtCredentials");
+  isSdJwtCredential = /* @__PURE__ */ __name((credential) => {
+    return credential.digitalCredential.documentFormat === import_ssi_sdk8.CredentialDocumentFormat.SD_JWT && credential.digitalCredential.documentType === import_ssi_sdk8.DocumentType.VC;
+  }, "isSdJwtCredential");
+  retrieveEncodedCredential = /* @__PURE__ */ __name((credential) => {
+    return credential.originalVerifiableCredential !== void 0 && credential.originalVerifiableCredential !== null && credential?.originalVerifiableCredential?.compactSdJwtVc !== void 0 && credential?.originalVerifiableCredential?.compactSdJwtVc !== null ? credential.originalVerifiableCredential.compactSdJwtVc : credential.originalVerifiableCredential;
+  }, "retrieveEncodedCredential");
+  async siopGetSelectableCredentials(args, context) {
+    const { authorizationRequestData } = args;
+    if (!authorizationRequestData || !authorizationRequestData.presentationDefinitions || authorizationRequestData.presentationDefinitions.length === 0) {
+      return Promise.reject(Error("Missing required fields in arguments or context"));
+    }
+    if (authorizationRequestData.presentationDefinitions.length > 1) {
+      return Promise.reject(Error("Multiple presentation definitions present"));
+    }
+    return getSelectableCredentials(authorizationRequestData.presentationDefinitions[0].definition, context);
+  }
+};
+
+// src/machine/CallbackStateListener.ts
+var import_ssi_types8 = require("@sphereon/ssi-types");
+var logger5 = import_ssi_types8.Loggers.DEFAULT.options("sphereon:siopv2-oid4vp:op-auth", {
+  defaultLogLevel: import_ssi_types8.LogLevel.DEBUG,
+  methods: [
+    import_ssi_types8.LogMethod.CONSOLE
+  ]
+}).get("sphereon:siopv2-oid4vp:op-auth");
+var OID4VPCallbackStateListener = /* @__PURE__ */ __name((callbacks) => {
+  return async (oid4vciMachine, state) => {
+    if (state._event.type === "internal") {
+      logger5.debug("oid4vpCallbackStateListener: internal event");
+      return;
+    }
+    logger5.info(`VP state listener state: ${JSON.stringify(state.value)}`);
+    if (!callbacks || callbacks.size === 0) {
+      logger5.info(`VP no callbacks registered for state: ${JSON.stringify(state.value)}`);
+      return;
+    }
+    for (const [stateKey, callback] of callbacks) {
+      if (state.matches(stateKey)) {
+        logger5.log(`VP state callback for state: ${JSON.stringify(state.value)}, will execute...`);
+        await callback(oid4vciMachine, state).then(() => logger5.log(`VP state callback executed for state: ${JSON.stringify(state.value)}`)).catch((error) => {
+          logger5.error(`VP state callback failed for state: ${JSON.stringify(state.value)}, error: ${JSON.stringify(error?.message)}, ${JSON.stringify(state.event)}`);
+          if (error.stack) {
+            logger5.error(error.stack);
+          }
+        });
+        break;
+      }
+    }
+  };
+}, "OID4VPCallbackStateListener");
+
+// src/link-handler/index.ts
+var import_ssi_sdk9 = require("@sphereon/ssi-sdk.agent-config");
+var import_ssi_sdk10 = require("@sphereon/ssi-sdk.core");
+var import_ssi_sdk11 = require("@sphereon/ssi-sdk.xstate-machine-persistence");
+var import_ssi_types9 = require("@sphereon/ssi-types");
+var logger6 = import_ssi_types9.Loggers.DEFAULT.options(LOGGER_NAMESPACE, {}).get(LOGGER_NAMESPACE);
+var Siopv2OID4VPLinkHandler = class extends import_ssi_sdk10.LinkHandlerAdapter {
+  static {
+    __name(this, "Siopv2OID4VPLinkHandler");
+  }
+  context;
+  stateNavigationListener;
+  noStateMachinePersistence;
+  idOpts;
+  constructor(args) {
+    super({
+      ...args,
+      id: "Siopv2"
+    });
+    this.context = args.context;
+    this.noStateMachinePersistence = args.noStateMachinePersistence === true;
+    this.stateNavigationListener = args.stateNavigationListener;
+    this.idOpts = args.idOpts;
+  }
+  async handle(url, opts) {
+    logger6.debug(`handling SIOP link: ${url}`);
+    const siopv2Machine = await this.context.agent.siopGetMachineInterpreter({
+      url,
+      idOpts: opts?.idOpts ?? this.idOpts,
+      stateNavigationListener: this.stateNavigationListener
+    });
+    const interpreter = siopv2Machine.interpreter;
+    if (!this.noStateMachinePersistence && !opts?.machineState && (0, import_ssi_sdk9.contextHasPlugin)(this.context, "machineStatesFindActive")) {
+      const init = await (0, import_ssi_sdk11.interpreterStartOrResume)({
+        interpreter,
+        context: this.context,
+        cleanupAllOtherInstances: true,
+        cleanupOnFinalState: true,
+        singletonCheck: true,
+        noRegistration: this.noStateMachinePersistence
+      });
+      logger6.debug(`SIOP machine started for link: ${url}`, init);
+    } else {
+      interpreter.start(opts?.machineState);
+      logger6.debug(`SIOP machine started for link: ${url}`);
+    }
+  }
+};
+
+// src/index.ts
+var schema = require_plugin_schema();
+//# sourceMappingURL=index.cjs.map