npm - @sphereon/ssi-sdk.siopv2-oid4vp-op-auth - Versions diffs - 0.34.1-feature.merge.crypto.extensions.modules.39 → 0.34.1-fix.79 - Mend

@sphereon/ssi-sdk.siopv2-oid4vp-op-auth 0.34.1-feature.merge.crypto.extensions.modules.39 → 0.34.1-fix.79

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/dist/index.cjs +592 -1115
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +709 -111
package/dist/index.d.ts +709 -111
package/dist/index.js +518 -1041
package/dist/index.js.map +1 -1
package/package.json +24 -24
package/src/agent/DidAuthSiopOpAuthenticator.ts +18 -136
package/src/index.ts +2 -1
package/src/machine/Siopv2Machine.ts +4 -4
package/src/services/Siopv2MachineService.ts +97 -203
package/src/session/OID4VP.ts +310 -299
package/src/session/OpSession.ts +22 -114
package/src/types/IDidAuthSiopOpAuthenticator.ts +5 -58
package/src/types/identifier/index.ts +0 -4
package/src/types/siop-service/index.ts +1 -3
package/src/utils/CredentialUtils.ts +1 -39
package/src/utils/dcql.ts +21 -19

package/dist/index.js CHANGED Viewed

@@ -35,343 +35,339 @@ var require_nl = __commonJS({
 });
 // plugin.schema.json
-var require_plugin_schema = __commonJS({
-  "plugin.schema.json"(exports, module) {
-    module.exports = {
-      IDidAuthSiopOpAuthenticator: {
-        components: {
-          schemas: {
-            IGetSiopSessionArgs: {
-              type: "object",
-              properties: {
-                sessionId: {
-                  type: "string"
-                },
-                additionalProperties: false
-              },
-              required: ["sessionId"],
-              description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSessionForSiop } "
+var plugin_schema_default = {
+  IDidAuthSiopOpAuthenticator: {
+    components: {
+      schemas: {
+        IGetSiopSessionArgs: {
+          type: "object",
+          properties: {
+            sessionId: {
+              type: "string"
             },
-            IRegisterSiopSessionArgs: {
+            additionalProperties: false
+          },
+          required: ["sessionId"],
+          description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSessionForSiop } "
+        },
+        IRegisterSiopSessionArgs: {
+          type: "object",
+          properties: {
+            identifier: {
               type: "object",
               properties: {
-                identifier: {
-                  type: "object",
-                  properties: {
-                    did: {
-                      type: "string"
-                    },
-                    alias: {
-                      type: "string"
-                    },
-                    provider: {
-                      type: "string"
-                    },
-                    controllerKeyId: {
-                      type: "string"
-                    },
-                    keys: {
-                      type: "array",
-                      items: {
-                        type: "object",
-                        properties: {
-                          additionalProperties: true
-                        }
-                      }
-                    },
-                    services: {
-                      type: "array",
-                      items: {
-                        type: "object",
-                        properties: {
-                          additionalProperties: true
-                        }
-                      }
-                    }
-                  },
-                  additionalProperties: false,
-                  required: ["did", "provider", "keys", "services"]
-                },
-                sessionId: {
+                did: {
                   type: "string"
                 },
-                expiresIn: {
-                  type: "number"
-                },
-                additionalProperties: false
-              },
-              required: ["identifier"],
-              description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.registerSessionForSiop } "
-            },
-            IRemoveSiopSessionArgs: {
-              type: "object",
-              properties: {
-                sessionId: {
+                alias: {
                   type: "string"
                 },
-                additionalProperties: false
-              },
-              required: ["sessionId"],
-              description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.removeSessionForSiop } "
-            },
-            IAuthenticateWithSiopArgs: {
-              type: "object",
-              properties: {
-                sessionId: {
+                provider: {
                   type: "string"
                 },
-                stateId: {
+                controllerKeyId: {
                   type: "string"
                 },
-                redirectUrl: {
-                  type: "string"
+                keys: {
+                  type: "array",
+                  items: {
+                    type: "object",
+                    properties: {
+                      additionalProperties: true
+                    }
+                  }
                 },
-                additionalProperties: false
+                services: {
+                  type: "array",
+                  items: {
+                    type: "object",
+                    properties: {
+                      additionalProperties: true
+                    }
+                  }
+                }
               },
-              required: ["sessionId", "stateId", "redirectUrl"],
-              description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.authenticateWithSiop } "
+              additionalProperties: false,
+              required: ["did", "provider", "keys", "services"]
             },
-            IResponse: {
+            sessionId: {
+              type: "string"
+            },
+            expiresIn: {
+              type: "number"
+            },
+            additionalProperties: false
+          },
+          required: ["identifier"],
+          description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.registerSessionForSiop } "
+        },
+        IRemoveSiopSessionArgs: {
+          type: "object",
+          properties: {
+            sessionId: {
+              type: "string"
+            },
+            additionalProperties: false
+          },
+          required: ["sessionId"],
+          description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.removeSessionForSiop } "
+        },
+        IAuthenticateWithSiopArgs: {
+          type: "object",
+          properties: {
+            sessionId: {
+              type: "string"
+            },
+            stateId: {
+              type: "string"
+            },
+            redirectUrl: {
+              type: "string"
+            },
+            additionalProperties: false
+          },
+          required: ["sessionId", "stateId", "redirectUrl"],
+          description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.authenticateWithSiop } "
+        },
+        IResponse: {
+          type: "object",
+          properties: {
+            status: {
+              type: "number"
+            },
+            additionalProperties: true
+          },
+          required: ["status"],
+          description: "Result of {@link DidAuthSiopOpAuthenticator.authenticateWithSiop & DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
+        },
+        IGetSiopAuthenticationRequestFromRpArgs: {
+          type: "object",
+          properties: {
+            sessionId: {
+              type: "string"
+            },
+            stateId: {
+              type: "string"
+            },
+            redirectUrl: {
+              type: "string"
+            },
+            additionalProperties: false
+          },
+          required: ["sessionId", "stateId", "redirectUrl"],
+          description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
+        },
+        ParsedAuthenticationRequestURI: {
+          type: "object",
+          properties: {
+            jwt: {
+              type: "string"
+            },
+            requestPayload: {
               type: "object",
               properties: {
-                status: {
-                  type: "number"
-                },
                 additionalProperties: true
-              },
-              required: ["status"],
-              description: "Result of {@link DidAuthSiopOpAuthenticator.authenticateWithSiop & DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
+              }
             },
-            IGetSiopAuthenticationRequestFromRpArgs: {
+            registration: {
               type: "object",
               properties: {
-                sessionId: {
-                  type: "string"
-                },
-                stateId: {
-                  type: "string"
-                },
-                redirectUrl: {
-                  type: "string"
-                },
-                additionalProperties: false
-              },
-              required: ["sessionId", "stateId", "redirectUrl"],
-              description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
+                additionalProperties: true
+              }
             },
-            ParsedAuthenticationRequestURI: {
+            additionalProperties: false
+          },
+          required: ["jwt", "requestPayload", "registration"],
+          description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
+        },
+        IGetSiopAuthenticationRequestDetailsArgs: {
+          type: "object",
+          properties: {
+            sessionId: {
+              type: "string"
+            },
+            verifiedAuthenticationRequest: {
               type: "object",
               properties: {
-                jwt: {
-                  type: "string"
-                },
-                requestPayload: {
-                  type: "object",
-                  properties: {
-                    additionalProperties: true
-                  }
-                },
-                registration: {
-                  type: "object",
-                  properties: {
-                    additionalProperties: true
-                  }
-                },
-                additionalProperties: false
-              },
-              required: ["jwt", "requestPayload", "registration"],
-              description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestFromRP } "
+                additionalProperties: true
+              }
             },
-            IGetSiopAuthenticationRequestDetailsArgs: {
+            credentialFilter: {
               type: "object",
               properties: {
-                sessionId: {
-                  type: "string"
-                },
-                verifiedAuthenticationRequest: {
-                  type: "object",
-                  properties: {
-                    additionalProperties: true
-                  }
-                },
-                credentialFilter: {
-                  type: "object",
-                  properties: {
-                    additionalProperties: true
-                  }
-                },
-                additionalProperties: false
-              },
-              required: ["sessionId", "verifiedAuthenticationRequest"],
-              description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
+                additionalProperties: true
+              }
             },
-            IAuthRequestDetails: {
+            additionalProperties: false
+          },
+          required: ["sessionId", "verifiedAuthenticationRequest"],
+          description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
+        },
+        IAuthRequestDetails: {
+          type: "object",
+          properties: {
+            id: {
+              type: "string"
+            },
+            alsoKnownAs: {
+              type: "array",
+              items: {
+                type: "string"
+              }
+            },
+            vpResponseOpts: {
               type: "object",
               properties: {
-                id: {
-                  type: "string"
-                },
-                alsoKnownAs: {
-                  type: "array",
-                  items: {
-                    type: "string"
-                  }
-                },
-                vpResponseOpts: {
-                  type: "object",
-                  properties: {
-                    additionalProperties: true
-                  }
-                },
-                additionalProperties: false
-              },
-              required: ["id", "vpResponseOpts"],
-              description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
+                additionalProperties: true
+              }
+            },
+            additionalProperties: false
+          },
+          required: ["id", "vpResponseOpts"],
+          description: "Result of {@link DidAuthSiopOpAuthenticator.getSiopAuthenticationRequestDetails } "
+        },
+        IVerifySiopAuthenticationRequestUriArgs: {
+          type: "object",
+          properties: {
+            sessionId: {
+              type: "string"
             },
-            IVerifySiopAuthenticationRequestUriArgs: {
+            ParsedAuthenticationRequestURI: {
               type: "object",
               properties: {
-                sessionId: {
-                  type: "string"
-                },
-                ParsedAuthenticationRequestURI: {
-                  type: "object",
-                  properties: {
-                    additionalProperties: true
-                  }
-                },
-                additionalProperties: false
-              },
-              required: ["sessionId", "ParsedAuthenticationRequestURI"],
-              description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
+                additionalProperties: true
+              }
             },
-            VerifiedAuthorizationRequest: {
+            additionalProperties: false
+          },
+          required: ["sessionId", "ParsedAuthenticationRequestURI"],
+          description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
+        },
+        VerifiedAuthorizationRequest: {
+          type: "object",
+          properties: {
+            payload: {
               type: "object",
               properties: {
-                payload: {
-                  type: "object",
-                  properties: {
-                    additionalProperties: true
-                  }
-                },
-                presentationDefinitions: {
-                  type: "object",
-                  properties: {
-                    additionalProperties: true
-                  }
-                },
-                verifyOpts: {
-                  type: "object",
-                  properties: {
-                    additionalProperties: true
-                  }
-                },
-                additionalProperties: false
-              },
-              required: ["payload", "verifyOpts"],
-              description: "Result of {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
+                additionalProperties: true
+              }
             },
-            ISendSiopAuthenticationResponseArgs: {
+            presentationDefinitions: {
               type: "object",
               properties: {
-                sessionId: {
-                  type: "string"
-                },
-                verifiedAuthenticationRequest: {
-                  type: "object",
-                  properties: {
-                    additionalProperties: true
-                  }
-                },
-                verifiablePresentationResponse: {
-                  type: "object",
-                  properties: {
-                    additionalProperties: true
-                  }
-                },
-                additionalProperties: false
-              },
-              required: ["sessionId", "verifiedAuthenticationRequest"],
-              description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
-            }
-          },
-          methods: {
-            getSessionForSiop: {
-              description: "Get SIOP session",
-              arguments: {
-                $ref: "#/components/schemas/IGetSiopSessionArgs"
-              },
-              returnType: "object"
-            },
-            registerSessionForSiop: {
-              description: "Register SIOP session",
-              arguments: {
-                $ref: "#/components/schemas/IRegisterSiopSessionArgs"
-              },
-              returnType: "object"
-            },
-            removeSessionForSiop: {
-              description: "Remove SIOP session",
-              arguments: {
-                $ref: "#/components/schemas/IRemoveSiopSessionArgs"
-              },
-              returnType: "boolean"
-            },
-            authenticateWithSiop: {
-              description: "Authenticate using DID Auth SIOP",
-              arguments: {
-                $ref: "#/components/schemas/IAuthenticateWithSiopArgs"
-              },
-              returnType: {
-                $ref: "#/components/schemas/Response"
+                additionalProperties: true
               }
             },
-            getSiopAuthenticationRequestFromRP: {
-              description: "Get authentication request from RP",
-              arguments: {
-                $ref: "#/components/schemas/IGetSiopAuthenticationRequestFromRpArgs"
-              },
-              returnType: {
-                $ref: "#/components/schemas/ParsedAuthenticationRequestURI"
+            verifyOpts: {
+              type: "object",
+              properties: {
+                additionalProperties: true
               }
             },
-            getSiopAuthenticationRequestDetails: {
-              description: "Get authentication request details",
-              arguments: {
-                $ref: "#/components/schemas/IGetSiopAuthenticationRequestDetailsArgs"
-              },
-              returnType: {
-                $ref: "#/components/schemas/IAuthRequestDetails"
-              }
+            additionalProperties: false
+          },
+          required: ["payload", "verifyOpts"],
+          description: "Result of {@link DidAuthSiopOpAuthenticator.verifySiopAuthenticationRequestURI } "
+        },
+        ISendSiopAuthenticationResponseArgs: {
+          type: "object",
+          properties: {
+            sessionId: {
+              type: "string"
             },
-            verifySiopAuthenticationRequestURI: {
-              description: "Verify authentication request URI",
-              arguments: {
-                $ref: "#/components/schemas/IVerifySiopAuthenticationRequestUriArgs"
-              },
-              returnType: {
-                $ref: "#/components/schemas/VerifiedAuthorizationRequest"
+            verifiedAuthenticationRequest: {
+              type: "object",
+              properties: {
+                additionalProperties: true
               }
             },
-            sendSiopAuthenticationResponse: {
-              description: "Send authentication response",
-              arguments: {
-                $ref: "#/components/schemas/ISendSiopAuthenticationResponseArgs"
-              },
-              returnType: {
-                $ref: "#/components/schemas/IRequiredContext"
+            verifiablePresentationResponse: {
+              type: "object",
+              properties: {
+                additionalProperties: true
               }
-            }
+            },
+            additionalProperties: false
+          },
+          required: ["sessionId", "verifiedAuthenticationRequest"],
+          description: "Arguments needed for {@link DidAuthSiopOpAuthenticator.sendSiopAuthenticationResponse } "
+        }
+      },
+      methods: {
+        getSessionForSiop: {
+          description: "Get SIOP session",
+          arguments: {
+            $ref: "#/components/schemas/IGetSiopSessionArgs"
+          },
+          returnType: "object"
+        },
+        registerSessionForSiop: {
+          description: "Register SIOP session",
+          arguments: {
+            $ref: "#/components/schemas/IRegisterSiopSessionArgs"
+          },
+          returnType: "object"
+        },
+        removeSessionForSiop: {
+          description: "Remove SIOP session",
+          arguments: {
+            $ref: "#/components/schemas/IRemoveSiopSessionArgs"
+          },
+          returnType: "boolean"
+        },
+        authenticateWithSiop: {
+          description: "Authenticate using DID Auth SIOP",
+          arguments: {
+            $ref: "#/components/schemas/IAuthenticateWithSiopArgs"
+          },
+          returnType: {
+            $ref: "#/components/schemas/Response"
+          }
+        },
+        getSiopAuthenticationRequestFromRP: {
+          description: "Get authentication request from RP",
+          arguments: {
+            $ref: "#/components/schemas/IGetSiopAuthenticationRequestFromRpArgs"
+          },
+          returnType: {
+            $ref: "#/components/schemas/ParsedAuthenticationRequestURI"
+          }
+        },
+        getSiopAuthenticationRequestDetails: {
+          description: "Get authentication request details",
+          arguments: {
+            $ref: "#/components/schemas/IGetSiopAuthenticationRequestDetailsArgs"
+          },
+          returnType: {
+            $ref: "#/components/schemas/IAuthRequestDetails"
+          }
+        },
+        verifySiopAuthenticationRequestURI: {
+          description: "Verify authentication request URI",
+          arguments: {
+            $ref: "#/components/schemas/IVerifySiopAuthenticationRequestUriArgs"
+          },
+          returnType: {
+            $ref: "#/components/schemas/VerifiedAuthorizationRequest"
+          }
+        },
+        sendSiopAuthenticationResponse: {
+          description: "Send authentication response",
+          arguments: {
+            $ref: "#/components/schemas/ISendSiopAuthenticationResponseArgs"
+          },
+          returnType: {
+            $ref: "#/components/schemas/IRequiredContext"
           }
         }
       }
-    };
+    }
   }
-});
+};
 // src/agent/DidAuthSiopOpAuthenticator.ts
-import { decodeUriAsJson, SupportedVersion as SupportedVersion3 } from "@sphereon/did-auth-siop";
-import { ConnectionType as ConnectionType2, CorrelationIdentifierType, CredentialDocumentFormat, CredentialRole as CredentialRole2, DocumentType, IdentityOrigin } from "@sphereon/ssi-sdk.data-store";
+import { decodeUriAsJson } from "@sphereon/did-auth-siop";
+import { ConnectionType as ConnectionType2, CorrelationIdentifierType, CredentialRole as CredentialRole2, IdentityOrigin } from "@sphereon/ssi-sdk.data-store";
 import { Loggers as Loggers4 } from "@sphereon/ssi-types";
 import { v4 as uuidv4 } from "uuid";
@@ -528,104 +524,15 @@ function getSigningAlgo(type) {
 }
 __name(getSigningAlgo, "getSigningAlgo");
-// src/session/OID4VP.ts
-import { PresentationExchange } from "@sphereon/did-auth-siop";
-import { Status } from "@sphereon/pex";
-import { isManagedIdentifierDidResult, isOID4VCIssuerIdentifier } from "@sphereon/ssi-sdk-ext.identifier-resolution";
-import { defaultHasher } from "@sphereon/ssi-sdk.core";
-import { verifiableCredentialForRoleFilter } from "@sphereon/ssi-sdk.credential-store";
-// src/types/IDidAuthSiopOpAuthenticator.ts
-var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
-var events = /* @__PURE__ */ (function(events2) {
-  events2["DID_SIOP_AUTHENTICATED"] = "didSiopAuthenticated";
-  return events2;
-})({});
-var DEFAULT_JWT_PROOF_TYPE = "JwtProof2020";
-// src/types/siop-service/index.ts
-var Siopv2HolderEvent = /* @__PURE__ */ (function(Siopv2HolderEvent2) {
-  Siopv2HolderEvent2["CONTACT_IDENTITY_CREATED"] = "contact_identity_created";
-  Siopv2HolderEvent2["IDENTIFIER_CREATED"] = "identifier_created";
-  return Siopv2HolderEvent2;
-})({});
-var SupportedLanguage = /* @__PURE__ */ (function(SupportedLanguage2) {
-  SupportedLanguage2["ENGLISH"] = "en";
-  SupportedLanguage2["DUTCH"] = "nl";
-  return SupportedLanguage2;
-})({});
-// src/types/machine/index.ts
-var Siopv2MachineStates = /* @__PURE__ */ (function(Siopv2MachineStates2) {
-  Siopv2MachineStates2["createConfig"] = "createConfig";
-  Siopv2MachineStates2["getSiopRequest"] = "getSiopRequest";
-  Siopv2MachineStates2["getSelectableCredentials"] = "getSelectableCredentials";
-  Siopv2MachineStates2["retrieveContact"] = "retrieveContact";
-  Siopv2MachineStates2["transitionFromSetup"] = "transitionFromSetup";
-  Siopv2MachineStates2["addContact"] = "addContact";
-  Siopv2MachineStates2["addContactIdentity"] = "addContactIdentity";
-  Siopv2MachineStates2["selectCredentials"] = "selectCredentials";
-  Siopv2MachineStates2["sendResponse"] = "sendResponse";
-  Siopv2MachineStates2["handleError"] = "handleError";
-  Siopv2MachineStates2["aborted"] = "aborted";
-  Siopv2MachineStates2["declined"] = "declined";
-  Siopv2MachineStates2["error"] = "error";
-  Siopv2MachineStates2["done"] = "done";
-  return Siopv2MachineStates2;
-})({});
-var Siopv2MachineAddContactStates = /* @__PURE__ */ (function(Siopv2MachineAddContactStates2) {
-  Siopv2MachineAddContactStates2["idle"] = "idle";
-  Siopv2MachineAddContactStates2["executing"] = "executing";
-  Siopv2MachineAddContactStates2["next"] = "next";
-  return Siopv2MachineAddContactStates2;
-})({});
-var Siopv2MachineEvents = /* @__PURE__ */ (function(Siopv2MachineEvents2) {
-  Siopv2MachineEvents2["NEXT"] = "NEXT";
-  Siopv2MachineEvents2["PREVIOUS"] = "PREVIOUS";
-  Siopv2MachineEvents2["DECLINE"] = "DECLINE";
-  Siopv2MachineEvents2["SET_CONTACT_ALIAS"] = "SET_CONTACT_ALIAS";
-  Siopv2MachineEvents2["SET_CONTACT_CONSENT"] = "SET_CONTACT_CONSENT";
-  Siopv2MachineEvents2["CREATE_CONTACT"] = "CREATE_CONTACT";
-  Siopv2MachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
-  return Siopv2MachineEvents2;
-})({});
-var Siopv2MachineGuards = /* @__PURE__ */ (function(Siopv2MachineGuards2) {
-  Siopv2MachineGuards2["hasNoContactGuard"] = "Siopv2HasNoContactGuard";
-  Siopv2MachineGuards2["createContactGuard"] = "Siopv2CreateContactGuard";
-  Siopv2MachineGuards2["hasContactGuard"] = "Siopv2HasContactGuard";
-  Siopv2MachineGuards2["hasAuthorizationRequestGuard"] = "Siopv2HasAuthorizationRequestGuard";
-  Siopv2MachineGuards2["hasSelectableCredentialsAndContactGuard"] = "Siopv2HasSelectableCredentialsAndContactGuard";
-  Siopv2MachineGuards2["hasSelectedRequiredCredentialsGuard"] = "Siopv2HasSelectedRequiredCredentialsGuard";
-  Siopv2MachineGuards2["siopOnlyGuard"] = "Siopv2IsSiopOnlyGuard";
-  Siopv2MachineGuards2["siopWithOID4VPGuard"] = "Siopv2IsSiopWithOID4VPGuard";
-  return Siopv2MachineGuards2;
-})({});
-var Siopv2MachineServices = /* @__PURE__ */ (function(Siopv2MachineServices2) {
-  Siopv2MachineServices2["getSiopRequest"] = "getSiopRequest";
-  Siopv2MachineServices2["getSelectableCredentials"] = "getSelectableCredentials";
-  Siopv2MachineServices2["retrieveContact"] = "retrieveContact";
-  Siopv2MachineServices2["addContactIdentity"] = "addContactIdentity";
-  Siopv2MachineServices2["sendResponse"] = "sendResponse";
-  Siopv2MachineServices2["createConfig"] = "createConfig";
-  return Siopv2MachineServices2;
-})({});
-// src/types/identifier/index.ts
-var DID_PREFIX = "did";
 // src/session/OID4VP.ts
 var OID4VP = class _OID4VP {
   static {
     __name(this, "OID4VP");
   }
-  session;
-  allIdentifiers;
-  hasher;
+  //private readonly session: OpSession
+  // private readonly allIdentifiers: string[]
+  // private readonly hasher?: HasherSync
   constructor(args) {
-    const { session, allIdentifiers, hasher = defaultHasher } = args;
-    this.session = session;
-    this.allIdentifiers = allIdentifiers ?? [];
-    this.hasher = hasher;
   }
   static async init(session, allIdentifiers, hasher) {
     return new _OID4VP({
@@ -634,184 +541,14 @@ var OID4VP = class _OID4VP {
       hasher
     });
   }
-  async getPresentationDefinitions() {
-    const definitions = await this.session.getPresentationDefinitions();
-    if (definitions) {
-      PresentationExchange.assertValidPresentationDefinitionWithLocations(definitions);
-    }
-    return definitions;
-  }
-  getPresentationExchange(args) {
-    const { verifiableCredentials, allIdentifiers, hasher } = args;
-    return new PresentationExchange({
-      allDIDs: allIdentifiers ?? this.allIdentifiers,
-      allVerifiableCredentials: verifiableCredentials,
-      hasher: hasher ?? this.hasher
-    });
-  }
-  async createVerifiablePresentations(credentialRole, credentialsWithDefinitions, opts) {
-    return await Promise.all(credentialsWithDefinitions.map((cred) => this.createVerifiablePresentation(credentialRole, cred, opts)));
-  }
-  async createVerifiablePresentation(credentialRole, selectedVerifiableCredentials, opts) {
-    const { subjectIsHolder, holder, forceNoCredentialsInVP = false } = {
-      ...opts
-    };
-    if (subjectIsHolder && holder) {
-      throw Error("Cannot both have subject is holder and a holderDID value at the same time (programming error)");
-    }
-    if (forceNoCredentialsInVP) {
-      selectedVerifiableCredentials.credentials = [];
-    } else if (!selectedVerifiableCredentials?.credentials || selectedVerifiableCredentials.credentials.length === 0) {
-      throw Error("No verifiable verifiableCredentials provided for presentation definition");
-    }
-    const proofOptions = {
-      ...opts?.proofOpts,
-      challenge: opts?.proofOpts?.nonce ?? opts?.proofOpts?.challenge ?? this.session.nonce,
-      domain: opts?.proofOpts?.domain ?? await this.session.getRedirectUri()
-    };
-    let idOpts2 = opts?.idOpts;
-    if (!idOpts2) {
-      if (opts?.subjectIsHolder) {
-        if (forceNoCredentialsInVP) {
-          return Promise.reject(Error(`Cannot have subject is holder, when force no credentials is being used, as we could never determine the holder then. Please provide holderDID`));
-        }
-        const firstUniqueDC = selectedVerifiableCredentials.credentials[0];
-        if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
-          return Promise.reject(Error("If no opts provided, credentials should be of type UniqueDigitalCredential"));
-        }
-        idOpts2 = isOID4VCIssuerIdentifier(firstUniqueDC.digitalCredential.kmsKeyRef) ? await this.session.context.agent.identifierManagedGetByIssuer({
-          identifier: firstUniqueDC.digitalCredential.kmsKeyRef
-        }) : await this.session.context.agent.identifierManagedGetByKid({
-          identifier: firstUniqueDC.digitalCredential.kmsKeyRef,
-          kmsKeyRef: firstUniqueDC.digitalCredential.kmsKeyRef
-        });
-      } else if (opts?.holder) {
-        idOpts2 = {
-          identifier: opts.holder
-        };
-      }
-    }
-    const vcs = forceNoCredentialsInVP ? selectedVerifiableCredentials : opts?.applyFilter ? await this.filterCredentials(credentialRole, selectedVerifiableCredentials.definition, {
-      restrictToFormats: opts?.restrictToFormats,
-      restrictToDIDMethods: opts?.restrictToDIDMethods,
-      filterOpts: {
-        verifiableCredentials: selectedVerifiableCredentials.credentials
-      }
-    }) : {
-      definition: selectedVerifiableCredentials.definition,
-      credentials: selectedVerifiableCredentials.credentials
-    };
-    if (!idOpts2) {
-      return Promise.reject(Error(`No identifier options present at this point`));
-    }
-    const signCallback = await createOID4VPPresentationSignCallback({
-      presentationSignCallback: this.session.options.presentationSignCallback,
-      idOpts: idOpts2,
-      context: this.session.context,
-      domain: proofOptions.domain,
-      challenge: proofOptions.challenge,
-      format: opts?.restrictToFormats ?? selectedVerifiableCredentials.definition.definition.format,
-      skipDidResolution: opts?.skipDidResolution ?? false
-    });
-    const identifier = await this.session.context.agent.identifierManagedGet(idOpts2);
-    const verifiableCredentials = vcs.credentials.map((credential) => typeof credential === "object" && "digitalCredential" in credential ? credential.originalVerifiableCredential : credential);
-    const presentationResult = await this.getPresentationExchange({
-      verifiableCredentials,
-      allIdentifiers: this.allIdentifiers,
-      hasher: opts?.hasher
-    }).createVerifiablePresentation(vcs.definition.definition, verifiableCredentials, signCallback, {
-      proofOptions,
-      // fixme: Update to newer siop-vp to not require dids here. But when Veramo is creating the VP it's still looking at this field to pass into didManagerGet
-      ...identifier && isManagedIdentifierDidResult(identifier) && {
-        holderDID: identifier.did
-      }
-    });
-    const verifiablePresentations = presentationResult.verifiablePresentations.map((verifiablePresentation) => typeof verifiablePresentation !== "string" && "proof" in verifiablePresentation && "jwt" in verifiablePresentation.proof && verifiablePresentation.proof.jwt ? verifiablePresentation.proof.jwt : verifiablePresentation);
-    return {
-      ...presentationResult,
-      verifiablePresentations,
-      verifiableCredentials,
-      definition: selectedVerifiableCredentials.definition,
-      idOpts: idOpts2
-    };
-  }
-  async filterCredentialsAgainstAllDefinitions(credentialRole, opts) {
-    const defs = await this.getPresentationDefinitions();
-    const result = [];
-    if (defs) {
-      for (const definition of defs) {
-        result.push(await this.filterCredentials(credentialRole, definition, opts));
-      }
-    }
-    return result;
-  }
-  async filterCredentials(credentialRole, presentationDefinition, opts) {
-    const udcMap = /* @__PURE__ */ new Map();
-    opts?.filterOpts?.verifiableCredentials?.forEach((credential) => {
-      if (typeof credential === "object" && "digitalCredential" in credential) {
-        udcMap.set(credential.originalVerifiableCredential, credential);
-      } else {
-        udcMap.set(credential, credential);
-      }
-    });
-    const credentials = (await this.filterCredentialsWithSelectionStatus(credentialRole, presentationDefinition, {
-      ...opts,
-      filterOpts: {
-        verifiableCredentials: opts?.filterOpts?.verifiableCredentials?.map((credential) => {
-          if (typeof credential === "object" && "digitalCredential" in credential) {
-            return credential.originalVerifiableCredential;
-          } else {
-            return credential;
-          }
-        })
-      }
-    })).verifiableCredential;
-    return {
-      definition: presentationDefinition,
-      credentials: credentials?.map((vc) => udcMap.get(vc)) ?? []
-    };
-  }
-  async filterCredentialsWithSelectionStatus(credentialRole, presentationDefinition, opts) {
-    const selectionResults = await this.getPresentationExchange({
-      verifiableCredentials: await this.getCredentials(credentialRole, opts?.filterOpts)
-    }).selectVerifiableCredentialsForSubmission(presentationDefinition.definition, opts);
-    if (selectionResults.errors && selectionResults.errors.length > 0) {
-      throw Error(JSON.stringify(selectionResults.errors));
-    } else if (selectionResults.areRequiredCredentialsPresent === Status.ERROR) {
-      throw Error(`Not all required credentials are available to satisfy the relying party's request`);
-    }
-    const matches = selectionResults.matches;
-    if (!matches || matches.length === 0 || !selectionResults.verifiableCredential || selectionResults.verifiableCredential.length === 0) {
-      throw Error(JSON.stringify(selectionResults.errors));
-    }
-    return selectionResults;
-  }
-  async getCredentials(credentialRole, filterOpts) {
-    if (filterOpts?.verifiableCredentials && filterOpts.verifiableCredentials.length > 0) {
-      return filterOpts.verifiableCredentials;
-    }
-    const filter = verifiableCredentialForRoleFilter(credentialRole, filterOpts?.filter);
-    const uniqueCredentials = await this.session.context.agent.crsGetUniqueCredentials({
-      filter
-    });
-    return uniqueCredentials.map((uniqueVC) => {
-      const vc = uniqueVC.uniformVerifiableCredential;
-      const proof = Array.isArray(vc.proof) ? vc.proof : [
-        vc.proof
-      ];
-      const jwtProof = proof.find((p) => p?.type === DEFAULT_JWT_PROOF_TYPE);
-      return jwtProof ? jwtProof.jwt : vc;
-    });
-  }
 };
 // src/session/OpSession.ts
 import { OP as OP2, URI } from "@sphereon/did-auth-siop";
 import { getAgentDIDMethods, getAgentResolver } from "@sphereon/ssi-sdk-ext.did-utils";
 import { encodeBase64url } from "@sphereon/ssi-sdk.core";
-import { CredentialMapper, parseDid } from "@sphereon/ssi-types";
+import { parseDid } from "@sphereon/ssi-types";
 import { v4 } from "uuid";
-import { PEX } from "@sphereon/pex";
 import { Loggers } from "@sphereon/ssi-types";
 var logger = Loggers.DEFAULT.get("sphereon:oid4vp:OpSession");
 var OpSession = class _OpSession {
@@ -826,13 +563,11 @@ var OpSession = class _OpSession {
   verifiedAuthorizationRequest;
   _nonce;
   _state;
-  _providedPresentationDefinitions;
   constructor(options) {
     this.id = options.sessionId;
     this.options = options.op;
     this.context = options.context;
     this.requestJwtOrUri = options.requestJwtOrUri;
-    this._providedPresentationDefinitions = options.providedPresentationDefinitions;
   }
   static async init(options) {
     return new _OpSession(options);
@@ -930,7 +665,7 @@ var OpSession = class _OpSession {
         subjectSyntaxTypesSupported
       ]).map((method) => convertDidMethod(method, opts.didPrefix));
     }
-    const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || (await authReq.authorizationRequest.getMergedProperty("client_id"))?.includes(".ebsi.eu"));
+    const isEBSI = rpMethods.length === 0 && (authReq.issuer?.includes(".ebsi.eu") || authReq.authorizationRequest.getMergedProperty("client_id")?.includes(".ebsi.eu"));
     let codecName = void 0;
     if (isEBSI && (!aud || !aud.startsWith("http"))) {
       logger.debug(`EBSI detected, adding did:key to supported DID methods for RP`);
@@ -985,51 +720,9 @@ var OpSession = class _OpSession {
   async getRedirectUri() {
     return Promise.resolve(this.verifiedAuthorizationRequest.responseURI);
   }
-  async hasPresentationDefinitions() {
-    const defs = this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions;
-    return defs !== void 0 && defs.length > 0;
-  }
-  async getPresentationDefinitions() {
-    if (!await this.hasPresentationDefinitions()) {
-      throw Error(`No presentation definitions found`);
-    }
-    return this._providedPresentationDefinitions ?? (await this.getAuthorizationRequest()).presentationDefinitions;
-  }
   async getOID4VP(args) {
     return await OID4VP.init(this, args.allIdentifiers ?? [], args.hasher);
   }
-  createPresentationVerificationCallback(context) {
-    async function presentationVerificationCallback(args, presentationSubmission) {
-      let result;
-      if (CredentialMapper.isSdJwtEncoded(args)) {
-        try {
-          const sdJwtResult = await context.agent.verifySdJwtPresentation({
-            presentation: args
-          });
-          result = {
-            verified: "header" in sdJwtResult,
-            error: "header" in sdJwtResult ? void 0 : {
-              message: "could not verify SD JWT presentation"
-            }
-          };
-        } catch (error) {
-          result = {
-            verified: false,
-            error: {
-              message: error.message
-            }
-          };
-        }
-      } else {
-        result = await context.agent.verifyPresentation({
-          presentation: args
-        });
-      }
-      return result;
-    }
-    __name(presentationVerificationCallback, "presentationVerificationCallback");
-    return presentationVerificationCallback;
-  }
   async createJarmResponseCallback({ responseOpts }) {
     const agent = this.context.agent;
     return /* @__PURE__ */ __name(async function jarmResponse(opts) {
@@ -1056,6 +749,7 @@ var OpSession = class _OpSession {
     }, "jarmResponse");
   }
   async sendAuthorizationResponse(args) {
+    const { responseSignerOpts, dcqlResponse, isFirstParty } = args;
     const resolveOpts = this.options.resolveOpts ?? {
       resolver: getAgentResolver(this.context, {
         uniresolverResolution: true,
@@ -1066,23 +760,7 @@ var OpSession = class _OpSession {
     if (!resolveOpts.subjectSyntaxTypesSupported || resolveOpts.subjectSyntaxTypesSupported.length === 0) {
       resolveOpts.subjectSyntaxTypesSupported = await this.getSupportedDIDMethods(true);
     }
-    const verification = {
-      presentationVerificationCallback: this.createPresentationVerificationCallback(this.context)
-    };
     const request = await this.getAuthorizationRequest();
-    const hasDefinitions = await this.hasPresentationDefinitions();
-    if (hasDefinitions) {
-      const totalInputDescriptors = request.presentationDefinitions?.reduce((sum, pd) => {
-        return sum + pd.definition.input_descriptors.length;
-      }, 0);
-      const totalVCs = args.verifiablePresentations ? this.countVCsInAllVPs(args.verifiablePresentations, args.hasher) : 0;
-      if (!request.presentationDefinitions || !args.verifiablePresentations || totalVCs !== totalInputDescriptors) {
-        throw Error(`Amount of presentations ${args.verifiablePresentations?.length}, doesn't match expected ${request.presentationDefinitions?.length}`);
-      } else if (!args.presentationSubmission) {
-        throw Error(`Presentation submission is required when verifiable presentations are required`);
-      }
-    }
-    const verifiablePresentations = args.verifiablePresentations ? args.verifiablePresentations.map((vp) => CredentialMapper.storedPresentationToOriginalFormat(vp)) : [];
     const op = await createOP({
       opOptions: {
         ...this.options,
@@ -1094,23 +772,16 @@ var OpSession = class _OpSession {
         wellknownDIDVerifyCallback: this.options.wellknownDIDVerifyCallback,
         supportedVersions: request.versions
       },
-      idOpts: args.responseSignerOpts,
+      idOpts: responseSignerOpts,
       context: this.context
     });
-    let issuer = args.responseSignerOpts.issuer;
+    let issuer = responseSignerOpts.issuer;
     const responseOpts = {
-      verification,
       issuer,
-      ...args.isFirstParty && {
-        isFirstParty: args.isFirstParty
+      ...isFirstParty && {
+        isFirstParty
       },
-      ...args.verifiablePresentations && {
-        presentationExchange: {
-          verifiablePresentations,
-          presentationSubmission: args.presentationSubmission
-        }
-      },
-      dcqlQuery: args.dcqlResponse
+      dcqlResponse
     };
     const authResponse = await op.createAuthorizationResponse(request, responseOpts);
     const response = await op.submitAuthorizationResponse(authResponse, await this.createJarmResponseCallback({
@@ -1122,24 +793,6 @@ var OpSession = class _OpSession {
       return response;
     }
   }
-  countVCsInAllVPs(verifiablePresentations, hasher) {
-    return verifiablePresentations.reduce((sum, vp) => {
-      if (CredentialMapper.isMsoMdocDecodedPresentation(vp) || CredentialMapper.isMsoMdocOid4VPEncoded(vp)) {
-        return sum + 1;
-      }
-      const uvp = CredentialMapper.toUniformPresentation(vp, {
-        hasher: hasher ?? this.options.hasher
-      });
-      if (uvp.verifiableCredential?.length) {
-        return sum + uvp.verifiableCredential?.length;
-      }
-      const isSdJWT = CredentialMapper.isSdJwtDecodedCredential(uvp);
-      if (isSdJWT || uvp.verifiableCredential && !PEX.allowMultipleVCsPerPresentation(uvp.verifiableCredential)) {
-        return sum + 1;
-      }
-      return sum;
-    }, 0);
-  }
 };
 function convertDidMethod(didMethod, didPrefix) {
   if (didPrefix === false) {
@@ -1149,10 +802,79 @@ function convertDidMethod(didMethod, didPrefix) {
 }
 __name(convertDidMethod, "convertDidMethod");
-// src/agent/DidAuthSiopOpAuthenticator.ts
-import { PEX as PEX3, Status as Status2 } from "@sphereon/pex";
-import { computeEntryHash } from "@veramo/utils";
-import { DcqlQuery as DcqlQuery2 } from "dcql";
+// src/types/IDidAuthSiopOpAuthenticator.ts
+var LOGGER_NAMESPACE = "sphereon:siopv2-oid4vp:op-auth";
+var DEFAULT_JWT_PROOF_TYPE = "JwtProof2020";
+// src/types/siop-service/index.ts
+var Siopv2HolderEvent = /* @__PURE__ */ function(Siopv2HolderEvent2) {
+  Siopv2HolderEvent2["CONTACT_IDENTITY_CREATED"] = "contact_identity_created";
+  Siopv2HolderEvent2["IDENTIFIER_CREATED"] = "identifier_created";
+  return Siopv2HolderEvent2;
+}({});
+var SupportedLanguage = /* @__PURE__ */ function(SupportedLanguage2) {
+  SupportedLanguage2["ENGLISH"] = "en";
+  SupportedLanguage2["DUTCH"] = "nl";
+  return SupportedLanguage2;
+}({});
+// src/types/machine/index.ts
+var Siopv2MachineStates = /* @__PURE__ */ function(Siopv2MachineStates2) {
+  Siopv2MachineStates2["createConfig"] = "createConfig";
+  Siopv2MachineStates2["getSiopRequest"] = "getSiopRequest";
+  Siopv2MachineStates2["getSelectableCredentials"] = "getSelectableCredentials";
+  Siopv2MachineStates2["retrieveContact"] = "retrieveContact";
+  Siopv2MachineStates2["transitionFromSetup"] = "transitionFromSetup";
+  Siopv2MachineStates2["addContact"] = "addContact";
+  Siopv2MachineStates2["addContactIdentity"] = "addContactIdentity";
+  Siopv2MachineStates2["selectCredentials"] = "selectCredentials";
+  Siopv2MachineStates2["sendResponse"] = "sendResponse";
+  Siopv2MachineStates2["handleError"] = "handleError";
+  Siopv2MachineStates2["aborted"] = "aborted";
+  Siopv2MachineStates2["declined"] = "declined";
+  Siopv2MachineStates2["error"] = "error";
+  Siopv2MachineStates2["done"] = "done";
+  return Siopv2MachineStates2;
+}({});
+var Siopv2MachineAddContactStates = /* @__PURE__ */ function(Siopv2MachineAddContactStates2) {
+  Siopv2MachineAddContactStates2["idle"] = "idle";
+  Siopv2MachineAddContactStates2["executing"] = "executing";
+  Siopv2MachineAddContactStates2["next"] = "next";
+  return Siopv2MachineAddContactStates2;
+}({});
+var Siopv2MachineEvents = /* @__PURE__ */ function(Siopv2MachineEvents2) {
+  Siopv2MachineEvents2["NEXT"] = "NEXT";
+  Siopv2MachineEvents2["PREVIOUS"] = "PREVIOUS";
+  Siopv2MachineEvents2["DECLINE"] = "DECLINE";
+  Siopv2MachineEvents2["SET_CONTACT_ALIAS"] = "SET_CONTACT_ALIAS";
+  Siopv2MachineEvents2["SET_CONTACT_CONSENT"] = "SET_CONTACT_CONSENT";
+  Siopv2MachineEvents2["CREATE_CONTACT"] = "CREATE_CONTACT";
+  Siopv2MachineEvents2["SET_SELECTED_CREDENTIALS"] = "SET_SELECTED_CREDENTIALS";
+  return Siopv2MachineEvents2;
+}({});
+var Siopv2MachineGuards = /* @__PURE__ */ function(Siopv2MachineGuards2) {
+  Siopv2MachineGuards2["hasNoContactGuard"] = "Siopv2HasNoContactGuard";
+  Siopv2MachineGuards2["createContactGuard"] = "Siopv2CreateContactGuard";
+  Siopv2MachineGuards2["hasContactGuard"] = "Siopv2HasContactGuard";
+  Siopv2MachineGuards2["hasAuthorizationRequestGuard"] = "Siopv2HasAuthorizationRequestGuard";
+  Siopv2MachineGuards2["hasSelectableCredentialsAndContactGuard"] = "Siopv2HasSelectableCredentialsAndContactGuard";
+  Siopv2MachineGuards2["hasSelectedRequiredCredentialsGuard"] = "Siopv2HasSelectedRequiredCredentialsGuard";
+  Siopv2MachineGuards2["siopOnlyGuard"] = "Siopv2IsSiopOnlyGuard";
+  Siopv2MachineGuards2["siopWithOID4VPGuard"] = "Siopv2IsSiopWithOID4VPGuard";
+  return Siopv2MachineGuards2;
+}({});
+var Siopv2MachineServices = /* @__PURE__ */ function(Siopv2MachineServices2) {
+  Siopv2MachineServices2["getSiopRequest"] = "getSiopRequest";
+  Siopv2MachineServices2["getSelectableCredentials"] = "getSelectableCredentials";
+  Siopv2MachineServices2["retrieveContact"] = "retrieveContact";
+  Siopv2MachineServices2["addContactIdentity"] = "addContactIdentity";
+  Siopv2MachineServices2["sendResponse"] = "sendResponse";
+  Siopv2MachineServices2["createConfig"] = "createConfig";
+  return Siopv2MachineServices2;
+}({});
+// src/types/identifier/index.ts
+var DID_PREFIX = "did";
 // src/machine/Siopv2Machine.ts
 import { assign, createMachine, interpret } from "xstate";
@@ -1221,7 +943,7 @@ var Siopv2HasSelectableCredentialsAndContactGuard = /* @__PURE__ */ __name((_ctx
   if (!contact) {
     throw new Error("Missing contact request data in context");
   }
-  return authorizationRequestData.presentationDefinitions !== void 0;
+  return authorizationRequestData.dcqlQuery !== void 0;
 }, "Siopv2HasSelectableCredentialsAndContactGuard");
 var Siopv2CreateContactGuard = /* @__PURE__ */ __name((_ctx, _event) => {
   const { contactAlias, hasContactConsent } = _ctx;
@@ -1232,7 +954,7 @@ var Siopv2HasSelectedRequiredCredentialsGuard = /* @__PURE__ */ __name((_ctx, _e
   if (authorizationRequestData === void 0) {
     throw new Error("Missing authorization request data in context");
   }
-  if (authorizationRequestData.presentationDefinitions === void 0 || authorizationRequestData.presentationDefinitions.length === 0) {
+  if (authorizationRequestData.dcqlQuery === void 0) {
     throw Error("No presentation definitions present");
   }
   return _ctx.selectedCredentials.length > 0;
@@ -1242,7 +964,7 @@ var Siopv2IsSiopOnlyGuard = /* @__PURE__ */ __name((_ctx, _event) => {
   if (authorizationRequestData === void 0) {
     throw new Error("Missing authorization request data in context");
   }
-  return authorizationRequestData.presentationDefinitions === void 0;
+  return authorizationRequestData.dcqlQuery === void 0;
 }, "Siopv2IsSiopOnlyGuard");
 var Siopv2IsSiopWithOID4VPGuard = /* @__PURE__ */ __name((_ctx, _event) => {
   const { authorizationRequestData, selectableCredentialsMap } = _ctx;
@@ -1252,7 +974,7 @@ var Siopv2IsSiopWithOID4VPGuard = /* @__PURE__ */ __name((_ctx, _event) => {
   if (!selectableCredentialsMap) {
     throw new Error("Missing selectableCredentialsMap in context");
   }
-  return authorizationRequestData.presentationDefinitions !== void 0;
+  return authorizationRequestData.dcqlQuery !== void 0;
 }, "Siopv2IsSiopWithOID4VPGuard");
 var createSiopv2Machine = /* @__PURE__ */ __name((opts) => {
   const { url, idOpts: idOpts2 } = opts;
@@ -1568,114 +1290,56 @@ var Siopv2Machine = class {
 // src/services/Siopv2MachineService.ts
 import { SupportedVersion as SupportedVersion2 } from "@sphereon/did-auth-siop";
-import { PEX as PEX2 } from "@sphereon/pex";
-import { isOID4VCIssuerIdentifier as isOID4VCIssuerIdentifier2 } from "@sphereon/ssi-sdk-ext.identifier-resolution";
-import { verifiableCredentialForRoleFilter as verifiableCredentialForRoleFilter2 } from "@sphereon/ssi-sdk.credential-store";
+import { isOID4VCIssuerIdentifier } from "@sphereon/ssi-sdk-ext.identifier-resolution";
+import { verifiableCredentialForRoleFilter } from "@sphereon/ssi-sdk.credential-store";
 import { ConnectionType, CredentialRole } from "@sphereon/ssi-sdk.data-store";
-import { CredentialMapper as CredentialMapper4, Loggers as Loggers3 } from "@sphereon/ssi-types";
-import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from "@sphereon/ssi-sdk-ext.did-utils";
-import { defaultHasher as defaultHasher2, encodeJoseBlob } from "@sphereon/ssi-sdk.core";
+import { CredentialMapper as CredentialMapper3, Loggers as Loggers3 } from "@sphereon/ssi-types";
+import { encodeJoseBlob } from "@sphereon/ssi-sdk.core";
 import { DcqlPresentation, DcqlQuery } from "dcql";
 // src/utils/dcql.ts
-import { CredentialMapper as CredentialMapper3 } from "@sphereon/ssi-types";
+import { CredentialMapper as CredentialMapper2 } from "@sphereon/ssi-types";
+import { Dcql } from "@sphereon/did-auth-siop";
 // src/utils/CredentialUtils.ts
-import { CredentialMapper as CredentialMapper2 } from "@sphereon/ssi-types";
-var getOriginalVerifiableCredential = /* @__PURE__ */ __name((credential) => {
-  if (isUniqueDigitalCredential(credential)) {
-    if (!credential.originalVerifiableCredential) {
-      throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
-    }
-    return getCredentialFromProofOrWrapped(credential.originalVerifiableCredential);
-  }
-  return getCredentialFromProofOrWrapped(credential);
-}, "getOriginalVerifiableCredential");
-var getCredentialFromProofOrWrapped = /* @__PURE__ */ __name((cred, hasher) => {
-  if (typeof cred === "object" && "proof" in cred && "jwt" in cred.proof && CredentialMapper2.isSdJwtEncoded(cred.proof.jwt)) {
-    return cred.proof.jwt;
-  }
-  return CredentialMapper2.toWrappedVerifiableCredential(cred, {
-    hasher
-  }).original;
-}, "getCredentialFromProofOrWrapped");
+import { CredentialMapper } from "@sphereon/ssi-types";
 var isUniqueDigitalCredential = /* @__PURE__ */ __name((credential) => {
   return credential.digitalCredential !== void 0;
 }, "isUniqueDigitalCredential");
 // src/utils/dcql.ts
 function convertToDcqlCredentials(credential, hasher) {
-  let payload;
+  let originalVerifiableCredential;
   if (isUniqueDigitalCredential(credential)) {
     if (!credential.originalVerifiableCredential) {
       throw new Error("originalVerifiableCredential is not defined in UniqueDigitalCredential");
     }
-    payload = CredentialMapper3.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
+    originalVerifiableCredential = CredentialMapper2.decodeVerifiableCredential(credential.originalVerifiableCredential, hasher);
   } else {
-    payload = CredentialMapper3.decodeVerifiableCredential(credential, hasher);
+    originalVerifiableCredential = CredentialMapper2.decodeVerifiableCredential(credential, hasher);
   }
-  if (!payload) {
+  if (!originalVerifiableCredential) {
     throw new Error("No payload found");
   }
-  if ("decodedPayload" in payload && payload.decodedPayload) {
-    payload = payload.decodedPayload;
-  }
-  if ("vct" in payload) {
-    return {
-      vct: payload.vct,
-      claims: payload,
-      credential_format: "vc+sd-jwt"
-    };
-  } else if ("docType" in payload && "namespaces" in payload) {
-    return {
-      docType: payload.docType,
-      namespaces: payload.namespaces,
-      claims: payload
-    };
-  } else {
-    return {
-      claims: payload,
-      credential_format: "jwt_vc_json"
-    };
+  if (CredentialMapper2.isJwtDecodedCredential(originalVerifiableCredential)) {
+    return Dcql.toDcqlJwtCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
+  } else if (CredentialMapper2.isSdJwtDecodedCredential(originalVerifiableCredential)) {
+    return Dcql.toDcqlSdJwtCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
+  } else if (CredentialMapper2.isMsoMdocDecodedCredential(originalVerifiableCredential)) {
+    return Dcql.toDcqlMdocCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
+  } else if (CredentialMapper2.isW3cCredential(originalVerifiableCredential)) {
+    return Dcql.toDcqlJsonLdCredential(CredentialMapper2.toWrappedVerifiableCredential(originalVerifiableCredential));
   }
+  throw Error(`Unable to map credential to DCQL credential. Credential: ${JSON.stringify(originalVerifiableCredential)}`);
 }
 __name(convertToDcqlCredentials, "convertToDcqlCredentials");
 // src/services/Siopv2MachineService.ts
+import { getOrCreatePrimaryIdentifier, SupportedDidMethodEnum } from "@sphereon/ssi-sdk-ext.did-utils";
 var logger3 = Loggers3.DEFAULT.get(LOGGER_NAMESPACE);
-var createEbsiIdentifier = /* @__PURE__ */ __name(async (agentContext) => {
-  logger3.log(`No EBSI key present yet. Creating a new one...`);
-  const { result: newIdentifier, created } = await getOrCreatePrimaryIdentifier(agentContext, {
-    method: SupportedDidMethodEnum.DID_KEY,
-    createOpts: {
-      options: {
-        codecName: "jwk_jcs-pub",
-        type: "Secp256r1"
-      }
-    }
-  });
-  logger3.log(`EBSI key created: ${newIdentifier.did}`);
-  if (created) {
-    await agentContext.agent.emit(Siopv2HolderEvent.IDENTIFIER_CREATED, {
-      result: newIdentifier
-    });
-  }
-  return await agentContext.agent.identifierManagedGetByDid({
-    identifier: newIdentifier.did
-  });
-}, "createEbsiIdentifier");
-var hasEbsiClient = /* @__PURE__ */ __name(async (authorizationRequest) => {
-  const clientId = await authorizationRequest.getMergedProperty("client_id");
-  const redirectUri = await authorizationRequest.getMergedProperty("redirect_uri");
-  return clientId?.toLowerCase().includes(".ebsi.eu") || redirectUri?.toLowerCase().includes(".ebsi.eu");
-}, "hasEbsiClient");
 var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType, args, context) => {
   const { agent } = context;
-  const agentContext = {
-    ...context,
-    agent: context.agent
-  };
-  let { idOpts: idOpts2, isFirstParty, hasher = defaultHasher2 } = args;
+  const { credentials } = args;
   if (connectionType !== ConnectionType.SIOPv2_OpenID4VP) {
     return Promise.reject(Error(`No supported authentication provider for type: ${connectionType}`));
   }
@@ -1683,252 +1347,148 @@ var siopSendAuthorizationResponse = /* @__PURE__ */ __name(async (connectionType
     sessionId: args.sessionId
   });
   const request = await session.getAuthorizationRequest();
-  const aud = await request.authorizationRequest.getMergedProperty("aud");
+  const aud = request.authorizationRequest.getMergedProperty("aud");
   logger3.debug(`AUD: ${aud}`);
   logger3.debug(JSON.stringify(request.authorizationRequest));
-  let presentationsAndDefs;
-  let presentationSubmission;
-  if (await session.hasPresentationDefinitions()) {
-    const oid4vp = await session.getOID4VP({
-      hasher
-    });
-    const credentialsAndDefinitions = args.verifiableCredentialsWithDefinition ? args.verifiableCredentialsWithDefinition : await oid4vp.filterCredentialsAgainstAllDefinitions(CredentialRole.HOLDER);
-    const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(SupportedVersion2.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
-    logger3.log(`NONCE: ${session.nonce}, domain: ${domain}`);
-    const firstUniqueDC = credentialsAndDefinitions[0].credentials[0];
-    if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
-      return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
-    }
-    let identifier;
-    const digitalCredential = firstUniqueDC.digitalCredential;
-    const firstVC = firstUniqueDC.uniformVerifiableCredential;
-    const holder = CredentialMapper4.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
-      //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
-      `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
-    ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
-    if (!digitalCredential.kmsKeyRef) {
-      if (!holder) {
-        return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
-      }
-      try {
-        identifier = await session.context.agent.identifierManagedGet({
-          identifier: holder
-        });
-      } catch (e) {
-        logger3.debug(`Holder DID not found: ${holder}`);
-        throw e;
-      }
-    } else if (isOID4VCIssuerIdentifier2(digitalCredential.kmsKeyRef)) {
-      identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
-        identifier: firstUniqueDC.digitalCredential.kmsKeyRef
+  const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(SupportedVersion2.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
+  logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
+  const firstUniqueDC = credentials[0];
+  if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
+    return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
+  }
+  let identifier;
+  const digitalCredential = firstUniqueDC.digitalCredential;
+  const firstVC = firstUniqueDC.uniformVerifiableCredential;
+  const holder = CredentialMapper3.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
+    //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
+    `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
+  ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
+  if (!digitalCredential.kmsKeyRef) {
+    if (!holder) {
+      return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
+    }
+    try {
+      identifier = await session.context.agent.identifierManagedGet({
+        identifier: holder
       });
-    } else {
-      switch (digitalCredential.subjectCorrelationType) {
-        case "DID":
-          identifier = await session.context.agent.identifierManagedGetByDid({
-            identifier: digitalCredential.subjectCorrelationId ?? holder,
-            kmsKeyRef: digitalCredential.kmsKeyRef
-          });
-          break;
-        // TODO other implementations?
-        default:
-          if (digitalCredential.subjectCorrelationId?.startsWith("did:") || holder?.startsWith("did:")) {
-            identifier = await session.context.agent.identifierManagedGetByDid({
-              identifier: digitalCredential.subjectCorrelationId ?? holder,
-              kmsKeyRef: digitalCredential.kmsKeyRef
-            });
-          } else {
-            identifier = await session.context.agent.identifierManagedGetByKid({
-              identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
-              kmsKeyRef: digitalCredential.kmsKeyRef
-            });
-          }
-      }
-    }
-    if (identifier === void 0 && idOpts2 !== void 0 && await hasEbsiClient(request.authorizationRequest)) {
-      identifier = await createEbsiIdentifier(agentContext);
+    } catch (e) {
+      logger3.debug(`Holder DID not found: ${holder}`);
+      throw e;
     }
-    logger3.debug(`Identifier`, identifier);
-    presentationsAndDefs = await oid4vp.createVerifiablePresentations(CredentialRole.HOLDER, credentialsAndDefinitions, {
-      idOpts: identifier,
-      proofOpts: {
-        nonce: session.nonce,
-        domain
-      }
+  } else if (isOID4VCIssuerIdentifier(digitalCredential.kmsKeyRef)) {
+    identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
+      identifier: firstUniqueDC.digitalCredential.kmsKeyRef
     });
-    if (!presentationsAndDefs || presentationsAndDefs.length === 0) {
-      throw Error("No verifiable presentations could be created");
-    } else if (presentationsAndDefs.length > 1) {
-      throw Error(`Only one verifiable presentation supported for now. Got ${presentationsAndDefs.length}`);
+  } else {
+    switch (digitalCredential.subjectCorrelationType) {
+      case "DID":
+        identifier = await session.context.agent.identifierManagedGetByDid({
+          identifier: digitalCredential.subjectCorrelationId ?? holder,
+          kmsKeyRef: digitalCredential.kmsKeyRef
+        });
+        break;
+      // TODO other implementations?
+      default:
+        identifier = await session.context.agent.identifierManagedGetByKid({
+          identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
+          kmsKeyRef: digitalCredential.kmsKeyRef
+        });
     }
-    idOpts2 = presentationsAndDefs[0].idOpts;
-    presentationSubmission = presentationsAndDefs[0].presentationSubmission;
-    logger3.log(`Definitions and locations:`, JSON.stringify(presentationsAndDefs?.[0]?.verifiablePresentations, null, 2));
-    logger3.log(`Presentation Submission:`, JSON.stringify(presentationSubmission, null, 2));
-    const mergedVerifiablePresentations = presentationsAndDefs?.flatMap((pd) => pd.verifiablePresentations) || [];
-    return await session.sendAuthorizationResponse({
-      ...presentationsAndDefs && {
-        verifiablePresentations: mergedVerifiablePresentations
-      },
-      ...presentationSubmission && {
-        presentationSubmission
-      },
-      // todo: Change issuer value in case we do not use identifier. Use key.meta.jwkThumbprint then
-      responseSignerOpts: idOpts2,
-      isFirstParty
-    });
-  } else if (request.dcqlQuery) {
-    if (args.verifiableCredentialsWithDefinition !== void 0 && args.verifiableCredentialsWithDefinition !== null) {
-      const vcs = args.verifiableCredentialsWithDefinition.flatMap((vcd) => vcd.credentials);
-      const domain = await request.authorizationRequest.getMergedProperty("client_id") ?? request.issuer ?? (request.versions.includes(SupportedVersion2.JWT_VC_PRESENTATION_PROFILE_v1) ? "https://self-issued.me/v2/openid-vc" : "https://self-issued.me/v2");
-      logger3.debug(`NONCE: ${session.nonce}, domain: ${domain}`);
-      const firstUniqueDC = vcs[0];
-      if (typeof firstUniqueDC !== "object" || !("digitalCredential" in firstUniqueDC)) {
-        return Promise.reject(Error("SiopMachine only supports UniqueDigitalCredentials for now"));
+  }
+  const dcqlCredentialsWithCredentials = new Map(credentials.map((vc) => [
+    convertToDcqlCredentials(vc),
+    vc
+  ]));
+  const queryResult = DcqlQuery.query(request.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
+  if (!queryResult.can_be_satisfied) {
+    return Promise.reject(Error("Credentials do not match required query request"));
+  }
+  const presentation = {};
+  const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
+  for (const [key, value] of Object.entries(queryResult.credential_matches)) {
+    if (value.success) {
+      const matchedCredentials = value.valid_credentials.map((cred) => uniqueCredentials[cred.input_credential_index]);
+      const vc = matchedCredentials[0];
+      if (!vc) {
+        continue;
       }
-      let identifier;
-      const digitalCredential = firstUniqueDC.digitalCredential;
-      const firstVC = firstUniqueDC.uniformVerifiableCredential;
-      const holder = CredentialMapper4.isSdJwtDecodedCredential(firstVC) ? firstVC.decodedPayload.cnf?.jwk ? (
-        //doesn't apply to did:jwk only, as you can represent any DID key as a JWK. So whenever you encounter a JWK it doesn't mean it had to come from a did:jwk in the system. It just can always be represented as a did:jwk
-        `did:jwk:${encodeJoseBlob(firstVC.decodedPayload.cnf?.jwk)}#0`
-      ) : firstVC.decodedPayload.sub : Array.isArray(firstVC.credentialSubject) ? firstVC.credentialSubject[0].id : firstVC.credentialSubject.id;
-      if (!digitalCredential.kmsKeyRef) {
-        if (!holder) {
-          return Promise.reject(`No holder found and no kmsKeyRef in DB. Cannot determine identifier to use`);
-        }
-        try {
-          identifier = await session.context.agent.identifierManagedGet({
-            identifier: holder
-          });
-        } catch (e) {
-          logger3.debug(`Holder DID not found: ${holder}`);
-          throw e;
-        }
-      } else if (isOID4VCIssuerIdentifier2(digitalCredential.kmsKeyRef)) {
-        identifier = await session.context.agent.identifierManagedGetByOID4VCIssuer({
-          identifier: firstUniqueDC.digitalCredential.kmsKeyRef
-        });
-      } else {
-        switch (digitalCredential.subjectCorrelationType) {
-          case "DID":
-            identifier = await session.context.agent.identifierManagedGetByDid({
-              identifier: digitalCredential.subjectCorrelationId ?? holder,
-              kmsKeyRef: digitalCredential.kmsKeyRef
-            });
-            break;
-          // TODO other implementations?
-          default:
-            identifier = await session.context.agent.identifierManagedGetByKid({
-              identifier: digitalCredential.subjectCorrelationId ?? holder ?? digitalCredential.kmsKeyRef,
-              kmsKeyRef: digitalCredential.kmsKeyRef
-            });
-        }
+      const originalVc = retrieveEncodedCredential(vc);
+      if (!originalVc) {
+        continue;
       }
-      console.log(`Identifier`, identifier);
-      const dcqlRepresentations = [];
-      vcs.forEach((vc) => {
-        const rep = convertToDcqlCredentials(vc, args.hasher);
-        if (rep) {
-          dcqlRepresentations.push(rep);
-        }
-      });
-      const queryResult = DcqlQuery.query(request.dcqlQuery, dcqlRepresentations);
-      const presentation = {};
-      for (const [key, value] of Object.entries(queryResult.credential_matches)) {
-        const allMatches = Array.isArray(value) ? value : [
-          value
-        ];
-        allMatches.forEach((match) => {
-          if (match.success) {
-            const originalCredential = getOriginalVerifiableCredential(vcs[match.input_credential_index]);
-            if (!originalCredential) {
-              throw new Error(`Index ${match.input_credential_index} out of range in credentials array`);
-            }
-            presentation[key] = originalCredential["compactSdJwtVc"] !== void 0 ? originalCredential.compactSdJwtVc : originalCredential;
-          }
-        });
+      if (originalVc) {
+        presentation[key] = originalVc;
       }
-      const response = session.sendAuthorizationResponse({
-        responseSignerOpts: identifier,
-        ...{
-          dcqlQuery: {
-            dcqlPresentation: DcqlPresentation.parse(presentation)
-          }
-        }
-      });
-      logger3.debug(`Response: `, response);
-      return response;
     }
   }
-  throw Error("Presentation Definition or DCQL is required");
+  const dcqlPresentation = DcqlPresentation.parse(presentation);
+  const response = session.sendAuthorizationResponse({
+    responseSignerOpts: identifier,
+    dcqlResponse: {
+      dcqlPresentation
+    }
+  });
+  logger3.debug(`Response: `, response);
+  return response;
 }, "siopSendAuthorizationResponse");
-function buildPartialPD(inputDescriptor, presentationDefinition) {
-  return {
-    ...presentationDefinition,
-    input_descriptors: [
-      inputDescriptor
-    ]
-  };
-}
-__name(buildPartialPD, "buildPartialPD");
-var getSelectableCredentials = /* @__PURE__ */ __name(async (presentationDefinition, context) => {
+var retrieveEncodedCredential = /* @__PURE__ */ __name((credential) => {
+  return credential.originalVerifiableCredential !== void 0 && credential.originalVerifiableCredential !== null && credential?.originalVerifiableCredential?.compactSdJwtVc !== void 0 && credential?.originalVerifiableCredential?.compactSdJwtVc !== null ? credential.originalVerifiableCredential.compactSdJwtVc : credential.originalVerifiableCredential;
+}, "retrieveEncodedCredential");
+var getSelectableCredentials = /* @__PURE__ */ __name(async (dcqlQuery, context) => {
   const agentContext = {
     ...context,
     agent: context.agent
   };
   const { agent } = agentContext;
-  const pex = new PEX2();
   const uniqueVerifiableCredentials = await agent.crsGetUniqueCredentials({
-    filter: verifiableCredentialForRoleFilter2(CredentialRole.HOLDER)
+    filter: verifiableCredentialForRoleFilter(CredentialRole.HOLDER)
   });
-  const credentialBranding = await agent.ibGetCredentialBranding();
+  const branding = await agent.ibGetCredentialBranding();
+  const dcqlCredentialsWithCredentials = new Map(uniqueVerifiableCredentials.map((vc) => [
+    convertToDcqlCredentials(vc),
+    vc
+  ]));
+  const queryResult = DcqlQuery.query(dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
+  const uniqueCredentials = Array.from(dcqlCredentialsWithCredentials.values());
   const selectableCredentialsMap = /* @__PURE__ */ new Map();
-  for (const inputDescriptor of presentationDefinition.input_descriptors) {
-    const partialPD = buildPartialPD(inputDescriptor, presentationDefinition);
-    const originalCredentials = uniqueVerifiableCredentials.map((uniqueVC) => {
-      return CredentialMapper4.storedCredentialToOriginalFormat(uniqueVC.originalVerifiableCredential);
-    });
-    const selectionResults = pex.selectFrom(partialPD, originalCredentials);
-    const selectableCredentials = [];
-    for (const selectedCredential of selectionResults.verifiableCredential || []) {
-      const filteredUniqueVC = uniqueVerifiableCredentials.find((uniqueVC) => {
-        const proof = uniqueVC.uniformVerifiableCredential.proof;
-        return Array.isArray(proof) ? proof.some((proofItem) => proofItem.jwt === selectedCredential) : proof.jwt === selectedCredential;
-      });
-      if (filteredUniqueVC) {
-        const filteredCredentialBrandings = credentialBranding.filter((cb) => cb.vcHash === filteredUniqueVC.hash);
-        const issuerPartyIdentity = await agent.cmGetContacts({
-          filter: [
-            {
-              identities: {
-                identifier: {
-                  correlationId: filteredUniqueVC.uniformVerifiableCredential.issuerDid
-                }
+  for (const [key, value] of Object.entries(queryResult.credential_matches)) {
+    if (!value.valid_credentials) {
+      continue;
+    }
+    const mapSelectableCredentialPromises = value.valid_credentials.map(async (cred) => {
+      const matchedCredential = uniqueCredentials[cred.input_credential_index];
+      const credentialBranding = branding.filter((cb) => cb.vcHash === matchedCredential.hash);
+      const issuerPartyIdentity = await agent.cmGetContacts({
+        filter: [
+          {
+            identities: {
+              identifier: {
+                correlationId: matchedCredential.uniformVerifiableCredential.issuerDid
               }
             }
-          ]
-        });
-        const subjectPartyIdentity = await agent.cmGetContacts({
-          filter: [
-            {
-              identities: {
-                identifier: {
-                  correlationId: filteredUniqueVC.uniformVerifiableCredential.subjectDid
-                }
+          }
+        ]
+      });
+      const subjectPartyIdentity = await agent.cmGetContacts({
+        filter: [
+          {
+            identities: {
+              identifier: {
+                correlationId: matchedCredential.uniformVerifiableCredential.subjectDid
               }
             }
-          ]
-        });
-        selectableCredentials.push({
-          credential: filteredUniqueVC,
-          credentialBranding: filteredCredentialBrandings[0]?.localeBranding,
-          issuerParty: issuerPartyIdentity?.[0],
-          subjectParty: subjectPartyIdentity?.[0]
-        });
-      }
-    }
-    selectableCredentialsMap.set(inputDescriptor.id, selectableCredentials);
+          }
+        ]
+      });
+      return {
+        credential: matchedCredential,
+        credentialBranding: credentialBranding[0]?.localeBranding,
+        issuerParty: issuerPartyIdentity?.[0],
+        subjectParty: subjectPartyIdentity?.[0]
+      };
+    });
+    const selectableCredentials = await Promise.all(mapSelectableCredentialPromises);
+    selectableCredentialsMap.set(key, selectableCredentials);
   }
   return selectableCredentialsMap;
 }, "getSelectableCredentials");
@@ -1969,7 +1529,7 @@ var DidAuthSiopOpAuthenticator = class {
   static {
     __name(this, "DidAuthSiopOpAuthenticator");
   }
-  schema = schema.IDidAuthSiopOpAuthenticator;
+  schema = plugin_schema_default.IDidAuthSiopOpAuthenticator;
   methods = {
     siopGetOPSession: this.siopGetOPSession.bind(this),
     siopRegisterOPSession: this.siopRegisterOPSession.bind(this),
@@ -2112,7 +1672,7 @@ var DidAuthSiopOpAuthenticator = class {
     const url = verifiedAuthorizationRequest.responseURI ?? (args.url.includes("request_uri") ? decodeURIComponent(args.url.split("?request_uri=")[1].trim()) : verifiedAuthorizationRequest.issuer ?? verifiedAuthorizationRequest.registrationMetadataPayload?.client_id);
     const uri = url.includes("://") ? new URL(url) : void 0;
     const correlationId = uri?.hostname ?? await this.determineCorrelationId(uri, verifiedAuthorizationRequest, clientName, context);
-    const clientId = await verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("client_id");
+    const clientId = verifiedAuthorizationRequest.authorizationRequest.getMergedProperty("client_id");
     return {
       issuer: verifiedAuthorizationRequest.issuer,
       correlationId,
@@ -2120,7 +1680,6 @@ var DidAuthSiopOpAuthenticator = class {
       uri,
       name: clientName,
       clientId,
-      presentationDefinitions: await verifiedAuthorizationRequest.authorizationRequest.containsResponseType("vp_token") || verifiedAuthorizationRequest.versions.every((version) => version <= SupportedVersion3.JWT_VC_PRESENTATION_PROFILE_v1) && verifiedAuthorizationRequest.presentationDefinitions && verifiedAuthorizationRequest.presentationDefinitions.length > 0 ? verifiedAuthorizationRequest.presentationDefinitions : void 0,
       dcqlQuery: verifiedAuthorizationRequest.dcqlQuery
     };
   }
@@ -2197,75 +1756,14 @@ var DidAuthSiopOpAuthenticator = class {
     if (authorizationRequestData === void 0) {
       return Promise.reject(Error("Missing authorization request data in context"));
     }
-    const pex = new PEX3({
-      hasher: this.hasher
-    });
-    const verifiableCredentialsWithDefinition = [];
-    const dcqlCredentialsWithCredentials = /* @__PURE__ */ new Map();
-    if (Array.isArray(authorizationRequestData.presentationDefinitions) && authorizationRequestData?.presentationDefinitions.length > 0) {
-      try {
-        authorizationRequestData.presentationDefinitions?.forEach((presentationDefinition) => {
-          const { areRequiredCredentialsPresent, verifiableCredential: verifiableCredentials } = pex.selectFrom(presentationDefinition.definition, selectedCredentials.map((udc) => udc.originalVerifiableCredential));
-          if (areRequiredCredentialsPresent !== Status2.ERROR && verifiableCredentials) {
-            let uniqueDigitalCredentials = [];
-            uniqueDigitalCredentials = verifiableCredentials.map((vc) => {
-              const hash = typeof vc === "string" ? computeEntryHash(vc.split("~"[0])) : computeEntryHash(vc);
-              const udc = selectedCredentials.find((udc2) => udc2.hash == hash || udc2.originalVerifiableCredential == vc);
-              if (!udc) {
-                throw Error(`UniqueDigitalCredential could not be found in store. Either the credential is not present in the store or the hash is not correct.`);
-              }
-              return udc;
-            });
-            verifiableCredentialsWithDefinition.push({
-              definition: presentationDefinition,
-              credentials: uniqueDigitalCredentials
-            });
-          }
-        });
-      } catch (e) {
-        return Promise.reject(e);
-      }
-      if (verifiableCredentialsWithDefinition.length === 0) {
-        return Promise.reject(Error("None of the selected credentials match any of the presentation definitions."));
-      }
-    } else if (authorizationRequestData.dcqlQuery) {
-      if (this.hasMDocCredentials(selectedCredentials) || this.hasSdJwtCredentials(selectedCredentials)) {
-        try {
-          selectedCredentials.forEach((vc) => {
-            if (this.isSdJwtCredential(vc)) {
-              const payload = vc.originalVerifiableCredential.decodedPayload;
-              const result = {
-                claims: payload,
-                vct: payload.vct,
-                credential_format: "vc+sd-jwt"
-              };
-              dcqlCredentialsWithCredentials.set(result, vc);
-            } else {
-              throw Error(`Invalid credential format: ${vc.digitalCredential.documentFormat}`);
-            }
-          });
-        } catch (e) {
-          return Promise.reject(e);
-        }
-        const dcqlPresentationRecord = {};
-        const queryResult = DcqlQuery2.query(authorizationRequestData.dcqlQuery, Array.from(dcqlCredentialsWithCredentials.keys()));
-        for (const [key, value] of Object.entries(queryResult.credential_matches)) {
-          if (value.success) {
-            dcqlPresentationRecord[key] = this.retrieveEncodedCredential(dcqlCredentialsWithCredentials.get(value.output));
-          }
-        }
-      }
-    }
     const response = await siopSendAuthorizationResponse(ConnectionType2.SIOPv2_OpenID4VP, {
       sessionId: didAuthConfig.sessionId,
       ...args.idOpts && {
         idOpts: args.idOpts
       },
-      ...authorizationRequestData.presentationDefinitions !== void 0 && {
-        verifiableCredentialsWithDefinition
-      },
       isFirstParty,
-      hasher: this.hasher
+      hasher: this.hasher,
+      credentials: selectedCredentials
     }, context);
     const contentType = response.headers.get("content-type") || "";
     let responseBody = null;
@@ -2279,30 +1777,12 @@ var DidAuthSiopOpAuthenticator = class {
       queryParams: decodeUriAsJson(response?.url)
     };
   }
-  hasMDocCredentials = /* @__PURE__ */ __name((credentials) => {
-    return credentials.some(this.isMDocCredential);
-  }, "hasMDocCredentials");
-  isMDocCredential = /* @__PURE__ */ __name((credential) => {
-    return credential.digitalCredential.documentFormat === CredentialDocumentFormat.MSO_MDOC && credential.digitalCredential.documentType === DocumentType.VC;
-  }, "isMDocCredential");
-  hasSdJwtCredentials = /* @__PURE__ */ __name((credentials) => {
-    return credentials.some(this.isSdJwtCredential);
-  }, "hasSdJwtCredentials");
-  isSdJwtCredential = /* @__PURE__ */ __name((credential) => {
-    return credential.digitalCredential.documentFormat === CredentialDocumentFormat.SD_JWT && credential.digitalCredential.documentType === DocumentType.VC;
-  }, "isSdJwtCredential");
-  retrieveEncodedCredential = /* @__PURE__ */ __name((credential) => {
-    return credential.originalVerifiableCredential !== void 0 && credential.originalVerifiableCredential !== null && credential?.originalVerifiableCredential?.compactSdJwtVc !== void 0 && credential?.originalVerifiableCredential?.compactSdJwtVc !== null ? credential.originalVerifiableCredential.compactSdJwtVc : credential.originalVerifiableCredential;
-  }, "retrieveEncodedCredential");
   async siopGetSelectableCredentials(args, context) {
     const { authorizationRequestData } = args;
-    if (!authorizationRequestData || !authorizationRequestData.presentationDefinitions || authorizationRequestData.presentationDefinitions.length === 0) {
-      return Promise.reject(Error("Missing required fields in arguments or context"));
-    }
-    if (authorizationRequestData.presentationDefinitions.length > 1) {
-      return Promise.reject(Error("Multiple presentation definitions present"));
+    if (!authorizationRequestData?.dcqlQuery) {
+      return Promise.reject(Error("Missing required dcql query in context"));
     }
-    return getSelectableCredentials(authorizationRequestData.presentationDefinitions[0].definition, context);
+    return getSelectableCredentials(authorizationRequestData?.dcqlQuery, context);
   }
 };
@@ -2388,9 +1868,6 @@ var Siopv2OID4VPLinkHandler = class extends LinkHandlerAdapter {
     }
   }
 };
-// src/index.ts
-var schema = require_plugin_schema();
 export {
   DEFAULT_JWT_PROOF_TYPE,
   DID_PREFIX,
@@ -2408,14 +1885,14 @@ export {
   Siopv2MachineStates,
   Siopv2OID4VPLinkHandler,
   SupportedLanguage,
+  convertToDcqlCredentials,
   createJwtCallbackWithIdOpts,
   createJwtCallbackWithOpOpts,
   createOID4VPPresentationSignCallback,
   createOP,
   createOPBuilder,
   didAuthSiopOpAuthenticatorMethods,
-  events,
   getSigningAlgo,
-  schema
+  plugin_schema_default as schema
 };
 //# sourceMappingURL=index.js.map