@twin.org/dlt-iota 0.0.3-next.13 → 0.0.3-next.15

package/dist/es/models/IMigrationStateFields.js.map

@@ -1 +1 @@
-{"version":3,"file":"IMigrationStateFields.js","sourceRoot":"","sources":["../../../src/models/IMigrationStateFields.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\n\n/**\n * Generic interface representing the storage fields of a MigrationState object.\n */\nexport interface IMigrationStateFields {\n\t/**\n\t * The ID of the MigrationState object.\n\t */\n\tid: {\n\t\t/**\n\t\t * The ID of the MigrationState object.\n\t\t */\n\t\tid: string; // UID is an object with an 'id' field\n\t};\n\n\t/**\n\t * Whether migration is currently enabled.\n\t */\n\tenabled: boolean;\n}\n"]}
+{"version":3,"file":"IMigrationStateFields.js","sourceRoot":"","sources":["../../../src/models/IMigrationStateFields.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\n\n/**\n * Generic interface representing the storage fields of a MigrationState object.\n */\nexport interface IMigrationStateFields {\n\t/**\n\t * The UID wrapper of the MigrationState object.\n\t */\n\tid: {\n\t\t/**\n\t\t * The hex string ID of the MigrationState object.\n\t\t */\n\t\tid: string;\n\t};\n\n\t/**\n\t * Whether migration is currently enabled.\n\t */\n\tenabled: boolean;\n}\n"]}

package/dist/es/models/ISmartContractObject.js.map

@@ -1 +1 @@
-{"version":3,"file":"ISmartContractObject.js","sourceRoot":"","sources":["../../../src/models/ISmartContractObject.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\n\n/**\n * Base interface for all smart contract objects with versioning support.\n */\nexport interface ISmartContractObject {\n\t/**\n\t * The ID of the smart contract object.\n\t */\n\tid: {\n\t\t/**\n\t\t * The ID of the smart contract object.\n\t\t */\n\t\tid: string; // UID is an object with an 'id' field\n\t};\n\n\t/**\n\t * The version of the contract that created this object.\n\t */\n\tversion: string;\n}\n"]}
+{"version":3,"file":"ISmartContractObject.js","sourceRoot":"","sources":["../../../src/models/ISmartContractObject.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC","sourcesContent":["// Copyright 2024 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\n\n/**\n * Base interface for all smart contract objects with versioning support.\n */\nexport interface ISmartContractObject {\n\t/**\n\t * The UID wrapper of the smart contract object.\n\t */\n\tid: {\n\t\t/**\n\t\t * The hex string ID of the smart contract object.\n\t\t */\n\t\tid: string;\n\t};\n\n\t/**\n\t * The version of the contract that created this object.\n\t */\n\tversion: string;\n}\n"]}

package/dist/es/models/ITransactionSigner.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=ITransactionSigner.js.map

package/dist/es/models/ITransactionSigner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ITransactionSigner.js","sourceRoot":"","sources":["../../../src/models/ITransactionSigner.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2026 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { PublicKey } from \"@iota/iota-sdk/cryptography\";\n\n/**\n * Interface for a transaction signer backed by a secure key store.\n */\nexport interface ITransactionSigner {\n\t/**\n\t * Sign the BCS-encoded transaction data and return a serialized IOTA signature string.\n\t * @param txDataBcs The raw transaction bytes to sign.\n\t * @returns The serialized signature string (scheme flag + signature + public key, base64-encoded).\n\t */\n\tsign(txDataBcs: Uint8Array): Promise<string>;\n\n\t/**\n\t * Get the public key for this signer.\n\t * @returns The public key.\n\t */\n\tpublicKey(): Promise<PublicKey>;\n\n\t/**\n\t * Get the IOTA-formatted public key bytes (scheme flag byte followed by the raw key bytes).\n\t * @returns The IOTA public key bytes.\n\t */\n\tiotaPublicKeyBytes(): Promise<Uint8Array>;\n\n\t/**\n\t * Get the key identifier for this signer.\n\t * @returns The key identifier.\n\t */\n\tkeyId(): string;\n}\n"]}

package/dist/es/vaultJwkStorage.js

@@ -0,0 +1,71 @@
+import { GeneralError } from "@twin.org/core";
+/**
+ * JwkStorage implementation that delegates the sign operation to the vault connector,
+ * keeping the private key inside the vault at all times.
+ */
+export class VaultJwkStorage {
+    /**
+     * Runtime name for the class.
+     */
+    static CLASS_NAME = "VaultJwkStorage";
+    /**
+     * The vault connector used to perform signing.
+     * @internal
+     */
+    _vaultConnector;
+    /**
+     * The vault key name to use when signing.
+     * @internal
+     */
+    _keyName;
+    /**
+     * Create a new VaultJwkStorage.
+     * @param vaultConnector The vault connector used to perform signing operations.
+     * @param keyName The name of the key in the vault to use for signing.
+     */
+    constructor(vaultConnector, keyName) {
+        this._vaultConnector = vaultConnector;
+        this._keyName = keyName;
+    }
+    /**
+     * Sign data by delegating to the vault connector.
+     * @param keyId The key identifier (unused; the vault key name is used directly).
+     * @param data The data to sign.
+     * @param publicKey The public key JWK (unused; the vault connector handles key lookup).
+     * @returns The raw signature bytes.
+     */
+    async sign(keyId, data, publicKey) {
+        return this._vaultConnector.sign(this._keyName, data);
+    }
+    /**
+     * Accept a JWK entry and return the vault key name as the stable key identifier.
+     * @param jwk The JWK to register.
+     * @returns The key identifier.
+     */
+    async insert(jwk) {
+        return this._keyName;
+    }
+    /**
+     * Check whether the given key identifier is managed by this storage.
+     * @param keyId The key identifier to check.
+     * @returns True if the key exists in this storage.
+     */
+    async exists(keyId) {
+        return keyId === this._keyName;
+    }
+    /**
+     * Key generation is not supported; keys are managed entirely by the vault.
+     * @param keyType The key type requested.
+     * @param algorithm The JWS algorithm requested.
+     * @returns Never returns.
+     */
+    async generate(keyType, algorithm) {
+        throw new GeneralError(VaultJwkStorage.CLASS_NAME, "generateNotSupported");
+    }
+    /**
+     * Deletion is a no-op; keys are managed by the vault.
+     * @param keyId The key identifier to delete.
+     */
+    async delete(keyId) { }
+}
+//# sourceMappingURL=vaultJwkStorage.js.map

package/dist/es/vaultJwkStorage.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vaultJwkStorage.js","sourceRoot":"","sources":["../../src/vaultJwkStorage.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAI9C;;;GAGG;AACH,MAAM,OAAO,eAAe;IAC3B;;OAEG;IACI,MAAM,CAAU,UAAU,qBAAqC;IAEtE;;;OAGG;IACc,eAAe,CAAkB;IAElD;;;OAGG;IACc,QAAQ,CAAS;IAElC;;;;OAIG;IACH,YAAY,cAA+B,EAAE,OAAe;QAC3D,IAAI,CAAC,eAAe,GAAG,cAAc,CAAC;QACtC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC;IACzB,CAAC;IAED;;;;;;OAMG;IACI,KAAK,CAAC,IAAI,CAAC,KAAa,EAAE,IAAgB,EAAE,SAAc;QAChE,OAAO,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IACvD,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,MAAM,CAAC,GAAQ;QAC3B,OAAO,IAAI,CAAC,QAAQ,CAAC;IACtB,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,MAAM,CAAC,KAAa;QAChC,OAAO,KAAK,KAAK,IAAI,CAAC,QAAQ,CAAC;IAChC,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,QAAQ,CAAC,OAAe,EAAE,SAAuB;QAC7D,MAAM,IAAI,YAAY,CAAC,eAAe,CAAC,UAAU,EAAE,sBAAsB,CAAC,CAAC;IAC5E,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,MAAM,CAAC,KAAa,IAAkB,CAAC","sourcesContent":["// Copyright 2026 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { Jwk, JwkStorage, JwsAlgorithm } from \"@iota/identity-wasm/node/index.js\";\nimport { GeneralError } from \"@twin.org/core\";\nimport { nameof } from \"@twin.org/nameof\";\nimport type { IVaultConnector } from \"@twin.org/vault-models\";\n\n/**\n * JwkStorage implementation that delegates the sign operation to the vault connector,\n * keeping the private key inside the vault at all times.\n */\nexport class VaultJwkStorage implements JwkStorage {\n\t/**\n\t * Runtime name for the class.\n\t */\n\tpublic static readonly CLASS_NAME: string = nameof<VaultJwkStorage>();\n\n\t/**\n\t * The vault connector used to perform signing.\n\t * @internal\n\t */\n\tprivate readonly _vaultConnector: IVaultConnector;\n\n\t/**\n\t * The vault key name to use when signing.\n\t * @internal\n\t */\n\tprivate readonly _keyName: string;\n\n\t/**\n\t * Create a new VaultJwkStorage.\n\t * @param vaultConnector The vault connector used to perform signing operations.\n\t * @param keyName The name of the key in the vault to use for signing.\n\t */\n\tconstructor(vaultConnector: IVaultConnector, keyName: string) {\n\t\tthis._vaultConnector = vaultConnector;\n\t\tthis._keyName = keyName;\n\t}\n\n\t/**\n\t * Sign data by delegating to the vault connector.\n\t * @param keyId The key identifier (unused; the vault key name is used directly).\n\t * @param data The data to sign.\n\t * @param publicKey The public key JWK (unused; the vault connector handles key lookup).\n\t * @returns The raw signature bytes.\n\t */\n\tpublic async sign(keyId: string, data: Uint8Array, publicKey: Jwk): Promise<Uint8Array> {\n\t\treturn this._vaultConnector.sign(this._keyName, data);\n\t}\n\n\t/**\n\t * Accept a JWK entry and return the vault key name as the stable key identifier.\n\t * @param jwk The JWK to register.\n\t * @returns The key identifier.\n\t */\n\tpublic async insert(jwk: Jwk): Promise<string> {\n\t\treturn this._keyName;\n\t}\n\n\t/**\n\t * Check whether the given key identifier is managed by this storage.\n\t * @param keyId The key identifier to check.\n\t * @returns True if the key exists in this storage.\n\t */\n\tpublic async exists(keyId: string): Promise<boolean> {\n\t\treturn keyId === this._keyName;\n\t}\n\n\t/**\n\t * Key generation is not supported; keys are managed entirely by the vault.\n\t * @param keyType The key type requested.\n\t * @param algorithm The JWS algorithm requested.\n\t * @returns Never returns.\n\t */\n\tpublic async generate(keyType: string, algorithm: JwsAlgorithm): Promise<never> {\n\t\tthrow new GeneralError(VaultJwkStorage.CLASS_NAME, \"generateNotSupported\");\n\t}\n\n\t/**\n\t * Deletion is a no-op; keys are managed by the vault.\n\t * @param keyId The key identifier to delete.\n\t */\n\tpublic async delete(keyId: string): Promise<void> {}\n}\n"]}

package/dist/es/vaultJwtSigner.js

@@ -0,0 +1,49 @@
+// Copyright 2026 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
+import { Jwk, KeyIdMemStore, Storage, StorageSigner } from "@iota/identity-wasm/node/index.js";
+import { Base64Url, Guards } from "@twin.org/core";
+import { Iota } from "./iota.js";
+import { VaultJwkStorage } from "./vaultJwkStorage.js";
+/**
+ * Factory that creates a vault-backed StorageSigner for IOTA Identity operations.
+ * The private key never leaves the vault — only the raw signing operation is delegated.
+ *
+ * The returned StorageSigner is a genuine WASM object, satisfying the internal validation
+ * that IdentityClient.create() performs on the signer's iotaPublicKeyBytes() path.
+ */
+export class VaultJwtSigner {
+    /**
+     * Runtime name for the class.
+     */
+    static CLASS_NAME = "VaultJwtSigner";
+    /**
+     * Create a StorageSigner whose cryptographic operations are backed by the vault connector.
+     * @param vaultConnector The vault connector.
+     * @param config The configuration.
+     * @param identity The identity of the user to access the vault keys.
+     * @param accountIndex The account index.
+     * @param addressIndex The address index within the account.
+     * @returns A StorageSigner backed by the vault for the specified key.
+     */
+    static async create(vaultConnector, config, identity, accountIndex, addressIndex) {
+        Guards.object(VaultJwtSigner.CLASS_NAME, "vaultConnector", vaultConnector);
+        Guards.object(VaultJwtSigner.CLASS_NAME, "config", config);
+        Guards.stringValue(VaultJwtSigner.CLASS_NAME, "identity", identity);
+        Guards.integer(VaultJwtSigner.CLASS_NAME, "accountIndex", accountIndex);
+        Guards.integer(VaultJwtSigner.CLASS_NAME, "addressIndex", addressIndex);
+        const transactionSigner = await Iota.getTransactionSigner(vaultConnector, config, identity, accountIndex, addressIndex);
+        const keyName = transactionSigner.keyId();
+        const publicKey = await transactionSigner.publicKey();
+        const publicJwk = new Jwk({
+            kty: "OKP" /* JwkType.Okp */,
+            crv: "Ed25519",
+            alg: "EdDSA" /* JwsAlgorithm.EdDSA */,
+            x: Base64Url.encode(publicKey.toRawBytes())
+        });
+        const vaultJwkStorage = new VaultJwkStorage(vaultConnector, keyName);
+        const keyId = await vaultJwkStorage.insert(publicJwk);
+        const storage = new Storage(vaultJwkStorage, new KeyIdMemStore());
+        return new StorageSigner(storage, keyId, publicJwk);
+    }
+}
+//# sourceMappingURL=vaultJwtSigner.js.map

package/dist/es/vaultJwtSigner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vaultJwtSigner.js","sourceRoot":"","sources":["../../src/vaultJwtSigner.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,OAAO,EACN,GAAG,EAGH,aAAa,EACb,OAAO,EACP,aAAa,EACb,MAAM,mCAAmC,CAAC;AAC3C,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,gBAAgB,CAAC;AAGnD,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AAEjC,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAEvD;;;;;;GAMG;AACH,MAAM,OAAO,cAAc;IAC1B;;OAEG;IACI,MAAM,CAAU,UAAU,oBAAoC;IAErE;;;;;;;;OAQG;IACI,MAAM,CAAC,KAAK,CAAC,MAAM,CACzB,cAA+B,EAC/B,MAAmB,EACnB,QAAgB,EAChB,YAAoB,EACpB,YAAoB;QAEpB,MAAM,CAAC,MAAM,CAAC,cAAc,CAAC,UAAU,oBAA0B,cAAc,CAAC,CAAC;QACjF,MAAM,CAAC,MAAM,CAAc,cAAc,CAAC,UAAU,YAAkB,MAAM,CAAC,CAAC;QAC9E,MAAM,CAAC,WAAW,CAAC,cAAc,CAAC,UAAU,cAAoB,QAAQ,CAAC,CAAC;QAC1E,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,UAAU,kBAAwB,YAAY,CAAC,CAAC;QAC9E,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,UAAU,kBAAwB,YAAY,CAAC,CAAC;QAE9E,MAAM,iBAAiB,GAAG,MAAM,IAAI,CAAC,oBAAoB,CACxD,cAAc,EACd,MAAM,EACN,QAAQ,EACR,YAAY,EACZ,YAAY,CACZ,CAAC;QAEF,MAAM,OAAO,GAAG,iBAAiB,CAAC,KAAK,EAAE,CAAC;QAC1C,MAAM,SAAS,GAAG,MAAM,iBAAiB,CAAC,SAAS,EAAE,CAAC;QAEtD,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC;YACzB,GAAG,yBAAa;YAChB,GAAG,EAAE,SAAS;YACd,GAAG,kCAAoB;YACvB,CAAC,EAAE,SAAS,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,EAAE,CAAC;SAC3C,CAAC,CAAC;QAEH,MAAM,eAAe,GAAG,IAAI,eAAe,CAAC,cAAc,EAAE,OAAO,CAAC,CAAC;QACrE,MAAM,KAAK,GAAG,MAAM,eAAe,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC;QACtD,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,eAAe,EAAE,IAAI,aAAa,EAAE,CAAC,CAAC;QAElE,OAAO,IAAI,aAAa,CAAC,OAAO,EAAE,KAAK,EAAE,SAAS,CAAC,CAAC;IACrD,CAAC","sourcesContent":["// Copyright 2026 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport {\n\tJwk,\n\tJwkType,\n\tJwsAlgorithm,\n\tKeyIdMemStore,\n\tStorage,\n\tStorageSigner\n} from \"@iota/identity-wasm/node/index.js\";\nimport { Base64Url, Guards } from \"@twin.org/core\";\nimport { nameof } from \"@twin.org/nameof\";\nimport type { IVaultConnector } from \"@twin.org/vault-models\";\nimport { Iota } from \"./iota.js\";\nimport type { IIotaConfig } from \"./models/IIotaConfig.js\";\nimport { VaultJwkStorage } from \"./vaultJwkStorage.js\";\n\n/**\n * Factory that creates a vault-backed StorageSigner for IOTA Identity operations.\n * The private key never leaves the vault — only the raw signing operation is delegated.\n *\n * The returned StorageSigner is a genuine WASM object, satisfying the internal validation\n * that IdentityClient.create() performs on the signer's iotaPublicKeyBytes() path.\n */\nexport class VaultJwtSigner {\n\t/**\n\t * Runtime name for the class.\n\t */\n\tpublic static readonly CLASS_NAME: string = nameof<VaultJwtSigner>();\n\n\t/**\n\t * Create a StorageSigner whose cryptographic operations are backed by the vault connector.\n\t * @param vaultConnector The vault connector.\n\t * @param config The configuration.\n\t * @param identity The identity of the user to access the vault keys.\n\t * @param accountIndex The account index.\n\t * @param addressIndex The address index within the account.\n\t * @returns A StorageSigner backed by the vault for the specified key.\n\t */\n\tpublic static async create(\n\t\tvaultConnector: IVaultConnector,\n\t\tconfig: IIotaConfig,\n\t\tidentity: string,\n\t\taccountIndex: number,\n\t\taddressIndex: number\n\t): Promise<StorageSigner> {\n\t\tGuards.object(VaultJwtSigner.CLASS_NAME, nameof(vaultConnector), vaultConnector);\n\t\tGuards.object<IIotaConfig>(VaultJwtSigner.CLASS_NAME, nameof(config), config);\n\t\tGuards.stringValue(VaultJwtSigner.CLASS_NAME, nameof(identity), identity);\n\t\tGuards.integer(VaultJwtSigner.CLASS_NAME, nameof(accountIndex), accountIndex);\n\t\tGuards.integer(VaultJwtSigner.CLASS_NAME, nameof(addressIndex), addressIndex);\n\n\t\tconst transactionSigner = await Iota.getTransactionSigner(\n\t\t\tvaultConnector,\n\t\t\tconfig,\n\t\t\tidentity,\n\t\t\taccountIndex,\n\t\t\taddressIndex\n\t\t);\n\n\t\tconst keyName = transactionSigner.keyId();\n\t\tconst publicKey = await transactionSigner.publicKey();\n\n\t\tconst publicJwk = new Jwk({\n\t\t\tkty: JwkType.Okp,\n\t\t\tcrv: \"Ed25519\",\n\t\t\talg: JwsAlgorithm.EdDSA,\n\t\t\tx: Base64Url.encode(publicKey.toRawBytes())\n\t\t});\n\n\t\tconst vaultJwkStorage = new VaultJwkStorage(vaultConnector, keyName);\n\t\tconst keyId = await vaultJwkStorage.insert(publicJwk);\n\t\tconst storage = new Storage(vaultJwkStorage, new KeyIdMemStore());\n\n\t\treturn new StorageSigner(storage, keyId, publicJwk);\n\t}\n}\n"]}

package/dist/es/vaultSigner.js

@@ -0,0 +1,60 @@
+// Copyright 2026 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
+import { Signer } from "@iota/iota-sdk/cryptography";
+import { Ed25519PublicKey } from "@iota/iota-sdk/keypairs/ed25519";
+/**
+ * A signer that delegates all signing to the vault connector, ensuring the private key
+ * is never exposed to application code.
+ */
+export class VaultSigner extends Signer {
+    /**
+     * The vault connector used to perform signing.
+     * @internal
+     */
+    _vaultConnector;
+    /**
+     * The vault key name to use when signing.
+     * @internal
+     */
+    _keyName;
+    /**
+     * The public key for this signer.
+     * @internal
+     */
+    _publicKey;
+    /**
+     * Create a new VaultSigner.
+     * @param vaultConnector The vault connector used to perform signing operations.
+     * @param keyName The name of the key in the vault to use for signing.
+     * @param publicKey The public key bytes corresponding to the vault key.
+     */
+    constructor(vaultConnector, keyName, publicKey) {
+        super();
+        this._vaultConnector = vaultConnector;
+        this._keyName = keyName;
+        this._publicKey = new Ed25519PublicKey(publicKey);
+    }
+    /**
+     * Get the key scheme.
+     * @returns The signature scheme.
+     */
+    getKeyScheme() {
+        return "ED25519";
+    }
+    /**
+     * Get the public key.
+     * @returns The Ed25519 public key.
+     */
+    getPublicKey() {
+        return this._publicKey;
+    }
+    /**
+     * Sign the provided bytes via the vault connector.
+     * @param bytes The bytes to sign.
+     * @returns The raw Ed25519 signature bytes.
+     */
+    async sign(bytes) {
+        return this._vaultConnector.sign(this._keyName, bytes);
+    }
+}
+//# sourceMappingURL=vaultSigner.js.map

package/dist/es/vaultSigner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vaultSigner.js","sourceRoot":"","sources":["../../src/vaultSigner.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,OAAO,EAAE,MAAM,EAAwB,MAAM,6BAA6B,CAAC;AAC3E,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AAGnE;;;GAGG;AACH,MAAM,OAAO,WAAY,SAAQ,MAAM;IACtC;;;OAGG;IACc,eAAe,CAAkB;IAElD;;;OAGG;IACc,QAAQ,CAAS;IAElC;;;OAGG;IACc,UAAU,CAAmB;IAE9C;;;;;OAKG;IACH,YAAY,cAA+B,EAAE,OAAe,EAAE,SAAqB;QAClF,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,eAAe,GAAG,cAAc,CAAC;QACtC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC;QACxB,IAAI,CAAC,UAAU,GAAG,IAAI,gBAAgB,CAAC,SAAS,CAAC,CAAC;IACnD,CAAC;IAED;;;OAGG;IACI,YAAY;QAClB,OAAO,SAAS,CAAC;IAClB,CAAC;IAED;;;OAGG;IACI,YAAY;QAClB,OAAO,IAAI,CAAC,UAAU,CAAC;IACxB,CAAC;IAED;;;;OAIG;IACI,KAAK,CAAC,IAAI,CAAC,KAAiB;QAClC,OAAO,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,KAAK,CAAC,CAAC;IACxD,CAAC;CACD","sourcesContent":["// Copyright 2026 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport { Signer, type SignatureScheme } from \"@iota/iota-sdk/cryptography\";\nimport { Ed25519PublicKey } from \"@iota/iota-sdk/keypairs/ed25519\";\nimport type { IVaultConnector } from \"@twin.org/vault-models\";\n\n/**\n * A signer that delegates all signing to the vault connector, ensuring the private key\n * is never exposed to application code.\n */\nexport class VaultSigner extends Signer {\n\t/**\n\t * The vault connector used to perform signing.\n\t * @internal\n\t */\n\tprivate readonly _vaultConnector: IVaultConnector;\n\n\t/**\n\t * The vault key name to use when signing.\n\t * @internal\n\t */\n\tprivate readonly _keyName: string;\n\n\t/**\n\t * The public key for this signer.\n\t * @internal\n\t */\n\tprivate readonly _publicKey: Ed25519PublicKey;\n\n\t/**\n\t * Create a new VaultSigner.\n\t * @param vaultConnector The vault connector used to perform signing operations.\n\t * @param keyName The name of the key in the vault to use for signing.\n\t * @param publicKey The public key bytes corresponding to the vault key.\n\t */\n\tconstructor(vaultConnector: IVaultConnector, keyName: string, publicKey: Uint8Array) {\n\t\tsuper();\n\t\tthis._vaultConnector = vaultConnector;\n\t\tthis._keyName = keyName;\n\t\tthis._publicKey = new Ed25519PublicKey(publicKey);\n\t}\n\n\t/**\n\t * Get the key scheme.\n\t * @returns The signature scheme.\n\t */\n\tpublic getKeyScheme(): SignatureScheme {\n\t\treturn \"ED25519\";\n\t}\n\n\t/**\n\t * Get the public key.\n\t * @returns The Ed25519 public key.\n\t */\n\tpublic getPublicKey(): Ed25519PublicKey {\n\t\treturn this._publicKey;\n\t}\n\n\t/**\n\t * Sign the provided bytes via the vault connector.\n\t * @param bytes The bytes to sign.\n\t * @returns The raw Ed25519 signature bytes.\n\t */\n\tpublic async sign(bytes: Uint8Array): Promise<Uint8Array> {\n\t\treturn this._vaultConnector.sign(this._keyName, bytes);\n\t}\n}\n"]}

package/dist/es/vaultTransactionSigner.js

@@ -0,0 +1,74 @@
+// Copyright 2026 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
+import { Signer, toSerializedSignature } from "@iota/iota-sdk/cryptography";
+import { Ed25519PublicKey } from "@iota/iota-sdk/keypairs/ed25519";
+/**
+ * A transaction signer that delegates all signing operations to the vault connector,
+ * ensuring the private key is never exposed to application code.
+ */
+export class VaultTransactionSigner {
+    /**
+     * The vault connector used to perform signing.
+     * @internal
+     */
+    _vaultConnector;
+    /**
+     * The vault key name to use when signing.
+     * @internal
+     */
+    _keyName;
+    /**
+     * The public key for this signer.
+     * @internal
+     */
+    _publicKey;
+    /**
+     * Create a new VaultTransactionSigner.
+     * @param vaultConnector The vault connector used to perform signing operations.
+     * @param keyName The name of the key in the vault to use for signing.
+     * @param publicKey The public key bytes corresponding to the vault key.
+     */
+    constructor(vaultConnector, keyName, publicKey) {
+        this._vaultConnector = vaultConnector;
+        this._keyName = keyName;
+        this._publicKey = new Ed25519PublicKey(publicKey);
+    }
+    /**
+     * Sign the BCS-encoded transaction data.
+     * Applies the TransactionData intent, hashes the result, signs via the vault,
+     * and returns a serialized IOTA signature string.
+     * @param txDataBcs The raw transaction bytes to sign.
+     * @returns The serialized signature string.
+     */
+    async sign(txDataBcs) {
+        const digest = Signer.signingDigest(txDataBcs, "TransactionData");
+        const rawSignature = await this._vaultConnector.sign(this._keyName, digest);
+        return toSerializedSignature({
+            signature: rawSignature,
+            signatureScheme: "ED25519",
+            publicKey: this._publicKey
+        });
+    }
+    /**
+     * Get the public key for this signer.
+     * @returns The Ed25519 public key.
+     */
+    async publicKey() {
+        return this._publicKey;
+    }
+    /**
+     * Get the IOTA-formatted public key bytes (scheme flag byte followed by the raw key bytes).
+     * @returns The IOTA public key bytes.
+     */
+    async iotaPublicKeyBytes() {
+        return this._publicKey.toIotaBytes();
+    }
+    /**
+     * Get the vault key name used by this signer.
+     * @returns The key name.
+     */
+    keyId() {
+        return this._keyName;
+    }
+}
+//# sourceMappingURL=vaultTransactionSigner.js.map

package/dist/es/vaultTransactionSigner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"vaultTransactionSigner.js","sourceRoot":"","sources":["../../src/vaultTransactionSigner.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,OAAO,EAAE,MAAM,EAAE,qBAAqB,EAAkB,MAAM,6BAA6B,CAAC;AAC5F,OAAO,EAAE,gBAAgB,EAAE,MAAM,iCAAiC,CAAC;AAInE;;;GAGG;AACH,MAAM,OAAO,sBAAsB;IAClC;;;OAGG;IACc,eAAe,CAAkB;IAElD;;;OAGG;IACc,QAAQ,CAAS;IAElC;;;OAGG;IACc,UAAU,CAAmB;IAE9C;;;;;OAKG;IACH,YAAY,cAA+B,EAAE,OAAe,EAAE,SAAqB;QAClF,IAAI,CAAC,eAAe,GAAG,cAAc,CAAC;QACtC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC;QACxB,IAAI,CAAC,UAAU,GAAG,IAAI,gBAAgB,CAAC,SAAS,CAAC,CAAC;IACnD,CAAC;IAED;;;;;;OAMG;IACI,KAAK,CAAC,IAAI,CAAC,SAAqB;QACtC,MAAM,MAAM,GAAG,MAAM,CAAC,aAAa,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;QAClE,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;QAC5E,OAAO,qBAAqB,CAAC;YAC5B,SAAS,EAAE,YAAY;YACvB,eAAe,EAAE,SAAS;YAC1B,SAAS,EAAE,IAAI,CAAC,UAAU;SAC1B,CAAC,CAAC;IACJ,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,SAAS;QACrB,OAAO,IAAI,CAAC,UAAU,CAAC;IACxB,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,kBAAkB;QAC9B,OAAO,IAAI,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC;IACtC,CAAC;IAED;;;OAGG;IACI,KAAK;QACX,OAAO,IAAI,CAAC,QAAQ,CAAC;IACtB,CAAC;CACD","sourcesContent":["// Copyright 2026 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport { Signer, toSerializedSignature, type PublicKey } from \"@iota/iota-sdk/cryptography\";\nimport { Ed25519PublicKey } from \"@iota/iota-sdk/keypairs/ed25519\";\nimport type { IVaultConnector } from \"@twin.org/vault-models\";\nimport type { ITransactionSigner } from \"./models/ITransactionSigner.js\";\n\n/**\n * A transaction signer that delegates all signing operations to the vault connector,\n * ensuring the private key is never exposed to application code.\n */\nexport class VaultTransactionSigner implements ITransactionSigner {\n\t/**\n\t * The vault connector used to perform signing.\n\t * @internal\n\t */\n\tprivate readonly _vaultConnector: IVaultConnector;\n\n\t/**\n\t * The vault key name to use when signing.\n\t * @internal\n\t */\n\tprivate readonly _keyName: string;\n\n\t/**\n\t * The public key for this signer.\n\t * @internal\n\t */\n\tprivate readonly _publicKey: Ed25519PublicKey;\n\n\t/**\n\t * Create a new VaultTransactionSigner.\n\t * @param vaultConnector The vault connector used to perform signing operations.\n\t * @param keyName The name of the key in the vault to use for signing.\n\t * @param publicKey The public key bytes corresponding to the vault key.\n\t */\n\tconstructor(vaultConnector: IVaultConnector, keyName: string, publicKey: Uint8Array) {\n\t\tthis._vaultConnector = vaultConnector;\n\t\tthis._keyName = keyName;\n\t\tthis._publicKey = new Ed25519PublicKey(publicKey);\n\t}\n\n\t/**\n\t * Sign the BCS-encoded transaction data.\n\t * Applies the TransactionData intent, hashes the result, signs via the vault,\n\t * and returns a serialized IOTA signature string.\n\t * @param txDataBcs The raw transaction bytes to sign.\n\t * @returns The serialized signature string.\n\t */\n\tpublic async sign(txDataBcs: Uint8Array): Promise<string> {\n\t\tconst digest = Signer.signingDigest(txDataBcs, \"TransactionData\");\n\t\tconst rawSignature = await this._vaultConnector.sign(this._keyName, digest);\n\t\treturn toSerializedSignature({\n\t\t\tsignature: rawSignature,\n\t\t\tsignatureScheme: \"ED25519\",\n\t\t\tpublicKey: this._publicKey\n\t\t});\n\t}\n\n\t/**\n\t * Get the public key for this signer.\n\t * @returns The Ed25519 public key.\n\t */\n\tpublic async publicKey(): Promise<PublicKey> {\n\t\treturn this._publicKey;\n\t}\n\n\t/**\n\t * Get the IOTA-formatted public key bytes (scheme flag byte followed by the raw key bytes).\n\t * @returns The IOTA public key bytes.\n\t */\n\tpublic async iotaPublicKeyBytes(): Promise<Uint8Array> {\n\t\treturn this._publicKey.toIotaBytes();\n\t}\n\n\t/**\n\t * Get the vault key name used by this signer.\n\t * @returns The key name.\n\t */\n\tpublic keyId(): string {\n\t\treturn this._keyName;\n\t}\n}\n"]}

package/dist/types/index.d.ts

@@ -9,13 +9,17 @@ export * from "./models/IGasStationExecuteResponse.js";
 export * from "./models/IGasStationReserveGasResponse.js";
 export * from "./models/IGasStationReserveGasResult.js";
 export * from "./models/IIotaClient.js";
-export * from "./models/IIotaControllerCapInfo.js";
-export * from "./models/IIotaTransaction.js";
-export * from "./models/IIotaTransactionBlockResponse.js";
 export * from "./models/IIotaConfig.js";
+export * from "./models/IIotaControllerCapInfo.js";
 export * from "./models/IIotaDryRun.js";
 export * from "./models/IIotaResponseOptions.js";
+export * from "./models/IIotaTransaction.js";
+export * from "./models/IIotaTransactionBlockResponse.js";
+export * from "./models/ITransactionSigner.js";
 export * from "./models/IMigrationStateFields.js";
 export * from "./models/ISmartContractDeployments.js";
 export * from "./models/ISmartContractObject.js";
 export * from "./models/networkTypes.js";
+export * from "./vaultJwtSigner.js";
+export * from "./vaultSigner.js";
+export * from "./vaultTransactionSigner.js";

package/dist/types/iota.d.ts

@@ -8,6 +8,7 @@ import type { IIotaDryRun } from "./models/IIotaDryRun.js";
 import type { IIotaResponseOptions } from "./models/IIotaResponseOptions.js";
 import type { IIotaTransaction } from "./models/IIotaTransaction.js";
 import type { IIotaTransactionBlockResponse } from "./models/IIotaTransactionBlockResponse.js";
+import { VaultTransactionSigner } from "./vaultTransactionSigner.js";
 /**
  * Class for performing operations on IOTA.
  */
@@ -79,19 +80,15 @@ export declare class Iota {
      */
     static getAddresses(vaultConnector: IVaultConnector, config: Pick<IIotaConfig, "coinType" | "vaultMnemonicId" | "vaultSeedId">, identity: string, accountIndex: number, startAddressIndex: number, count: number, isInternal?: boolean): Promise<string[]>;
     /**
-     * Get a key pair for the specified index.
+     * Get a vault-backed transaction signer for the given identity and key indices.
      * @param vaultConnector The vault connector.
      * @param config The configuration.
      * @param identity The identity of the user to access the vault keys.
-     * @param accountIndex The account index to get the key pair for.
-     * @param addressIndex The address index to get the key pair for.
-     * @param isInternal Whether the address is internal.
-     * @returns The key pair containing private key and public key.
+     * @param accountIndex The account index.
+     * @param addressIndex The address index within the account.
+     * @returns A VaultTransactionSigner for the specified key.
      */
-    static getKeyPair(vaultConnector: IVaultConnector, config: IIotaConfig, identity: string, accountIndex: number, addressIndex: number, isInternal?: boolean): Promise<{
-        privateKey: Uint8Array;
-        publicKey: Uint8Array;
-    }>;
+    static getTransactionSigner(vaultConnector: IVaultConnector, config: IIotaConfig, identity: string, accountIndex: number, addressIndex: number): Promise<VaultTransactionSigner>;
     /**
      * Create a new transaction instance.
      * @returns A new transaction instance.
@@ -124,24 +121,6 @@ export declare class Iota {
      * @returns The transaction response.
      */
     static prepareAndPostTransaction(config: IIotaConfig, vaultConnector: IVaultConnector, logging: ILoggingComponent | undefined, identity: string, client: IIotaClient, owner: string, transaction: IIotaTransaction, options?: IIotaResponseOptions): Promise<IIotaTransactionBlockResponse>;
-    /**
-     * Find the address in the seed.
-     * @param vaultConnector The vault connector to use.
-     * @param config The configuration to use.
-     * @param identity The identity of the user to access the vault keys.
-     * @param address The address to find.
-     * @param accountIndex The account index to search.
-     * @param isInternal Whether to search internal addresses.
-     * @param startScanIndex The address index to start scanning from.
-     * @param maxScanRange The maximum range to scan.
-     * @returns The address key pair.
-     * @throws Error if the address is not found.
-     */
-    static findAddress(vaultConnector: IVaultConnector, config: IIotaConfig, identity: string, address: string, accountIndex: number, isInternal?: boolean, startScanIndex?: number, maxScanRange?: number): Promise<{
-        address: string;
-        privateKey: Uint8Array;
-        publicKey: Uint8Array;
-    }>;
     /**
      * Extract error from SDK payload.
      * Errors from the IOTA SDK are usually not JSON strings but objects.
@@ -163,7 +142,7 @@ export declare class Iota {
      * @param txb The transaction to dry run.
      * @param sender The sender address.
      * @param operation The operation to log.
-     * @returns void.
+     * @returns The dry run result including status, costs, events, and object changes.
      */
     static dryRunTransaction(client: IIotaClient, logging: ILoggingComponent | undefined, txb: IIotaTransaction, sender: string, operation: string): Promise<IIotaDryRun>;
     /**
@@ -261,4 +240,10 @@ export declare class Iota {
      * @returns The balance of the given address.
      */
     static getBalance(config: IIotaConfig, address: string): Promise<bigint>;
+    /**
+     * Create a transaction instance from the given bytes.
+     * @param bytes The transaction bytes to create the transaction from.
+     * @returns The transaction instance created from the given bytes.
+     */
+    static transactionFromBytes(bytes: Uint8Array): IIotaTransaction;
 }

package/dist/types/iotaIdentityUtils.d.ts

@@ -1,8 +1,7 @@
 import type { IIotaClient } from "./models/IIotaClient.js";
 import type { IIotaControllerCapInfo } from "./models/IIotaControllerCapInfo.js";
 /**
- * Utility class for resolving IOTA Identity on-chain objects required by
- * the NFT mint_with_identity() Move contract function.
+ * Utility class for resolving IOTA Identity on-chain objects and controller tokens.
  */
 export declare class IotaIdentityUtils {
     /**
@@ -10,8 +9,7 @@ export declare class IotaIdentityUtils {
      */
     static readonly CLASS_NAME: string;
     /**
-     * Resolve the on-chain object IDs for an identity and its controller token.
-     * Returns the IDs needed to call mint_with_identity() on the NFT Move contract.
+     * Resolves the on-chain object IDs for an identity and its controller token.
      * @param identityId The DID of the identity (e.g. "did:iota:testnet:0x...").
      * @param controllerAddress The on-chain address of the controller wallet.
      * @param client The IOTA client instance.

package/dist/types/iotaSmartContractUtils.d.ts

@@ -5,7 +5,6 @@ import type { IIotaConfig } from "./models/IIotaConfig.js";
 import type { ISmartContractDeployments } from "./models/ISmartContractDeployments.js";
 /**
  * Utility class providing common smart contract operations for IOTA-based contracts.
- * This class uses composition pattern to provide shared functionality without inheritance complexity.
  */
 export declare class IotaSmartContractUtils {
     /**

package/dist/types/models/IAdminCapFields.d.ts

@@ -3,11 +3,11 @@
  */
 export interface IAdminCapFields {
     /**
-     * The ID of the AdminCap object.
+     * The UID wrapper of the AdminCap object.
      */
     id: {
         /**
-         * The ID of the AdminCap object.
+         * The hex string ID of the AdminCap object.
          */
         id: string;
     };

package/dist/types/models/IGasStationExecuteResponse.d.ts

@@ -4,12 +4,10 @@
 export interface IGasStationExecuteResponse {
     /**
      * The transaction effects from the IOTA network.
-     * This contains the full IOTA transaction effects object.
      */
     effects: {
         /**
-         * Additional effects data from the IOTA network.
-         * This includes messageVersion, status, executedEpoch, gasUsed, etc.
+         * Additional fields from the IOTA network effects object.
          */
         [key: string]: unknown;
         /**

package/dist/types/models/IIotaControllerCapInfo.d.ts

@@ -1,16 +1,13 @@
 /**
- * On-chain object IDs needed to call mint_with_identity() on the NFT Move contract.
+ * On-chain object IDs for an identity and its associated controller token.
  */
 export interface IIotaControllerCapInfo {
     /**
-     * The on-chain Object ID of the Identity Move object (hex string, e.g. "0x...").
-     * Used as the Identity argument in mint_with_identity().
+     * The on-chain object ID of the Identity Move object (hex string, e.g. "0x...").
      */
     identityObjectId: string;
     /**
-     * The on-chain Object ID of the ControllerToken Move object (hex string, e.g. "0x...").
-     * Proves that the controller address controls identityObjectId.
-     * Used as the ControllerCap argument in mint_with_identity().
+     * The on-chain object ID of the ControllerToken Move object (hex string, e.g. "0x...").
      */
     controllerCapObjectId: string;
 }

package/dist/types/models/IIotaResponseOptions.d.ts

@@ -1,6 +1,6 @@
 import type { IotaTransactionBlockResponseOptions } from "@iota/iota-sdk/client";
 /**
- * Configuration for IOTA.
+ * Options for controlling transaction execution and response behaviour.
  */
 export interface IIotaResponseOptions extends IotaTransactionBlockResponseOptions {
     /**

package/dist/types/models/IMigrationStateFields.d.ts

@@ -3,11 +3,11 @@
  */
 export interface IMigrationStateFields {
     /**
-     * The ID of the MigrationState object.
+     * The UID wrapper of the MigrationState object.
      */
     id: {
         /**
-         * The ID of the MigrationState object.
+         * The hex string ID of the MigrationState object.
          */
         id: string;
     };

package/dist/types/models/ISmartContractObject.d.ts

@@ -3,11 +3,11 @@
  */
 export interface ISmartContractObject {
     /**
-     * The ID of the smart contract object.
+     * The UID wrapper of the smart contract object.
      */
     id: {
         /**
-         * The ID of the smart contract object.
+         * The hex string ID of the smart contract object.
          */
         id: string;
     };

package/dist/types/models/ITransactionSigner.d.ts

@@ -0,0 +1,27 @@
+import type { PublicKey } from "@iota/iota-sdk/cryptography";
+/**
+ * Interface for a transaction signer backed by a secure key store.
+ */
+export interface ITransactionSigner {
+    /**
+     * Sign the BCS-encoded transaction data and return a serialized IOTA signature string.
+     * @param txDataBcs The raw transaction bytes to sign.
+     * @returns The serialized signature string (scheme flag + signature + public key, base64-encoded).
+     */
+    sign(txDataBcs: Uint8Array): Promise<string>;
+    /**
+     * Get the public key for this signer.
+     * @returns The public key.
+     */
+    publicKey(): Promise<PublicKey>;
+    /**
+     * Get the IOTA-formatted public key bytes (scheme flag byte followed by the raw key bytes).
+     * @returns The IOTA public key bytes.
+     */
+    iotaPublicKeyBytes(): Promise<Uint8Array>;
+    /**
+     * Get the key identifier for this signer.
+     * @returns The key identifier.
+     */
+    keyId(): string;
+}

package/dist/types/vaultJwkStorage.d.ts

@@ -0,0 +1,50 @@
+import type { Jwk, JwkStorage, JwsAlgorithm } from "@iota/identity-wasm/node/index.js";
+import type { IVaultConnector } from "@twin.org/vault-models";
+/**
+ * JwkStorage implementation that delegates the sign operation to the vault connector,
+ * keeping the private key inside the vault at all times.
+ */
+export declare class VaultJwkStorage implements JwkStorage {
+    /**
+     * Runtime name for the class.
+     */
+    static readonly CLASS_NAME: string;
+    /**
+     * Create a new VaultJwkStorage.
+     * @param vaultConnector The vault connector used to perform signing operations.
+     * @param keyName The name of the key in the vault to use for signing.
+     */
+    constructor(vaultConnector: IVaultConnector, keyName: string);
+    /**
+     * Sign data by delegating to the vault connector.
+     * @param keyId The key identifier (unused; the vault key name is used directly).
+     * @param data The data to sign.
+     * @param publicKey The public key JWK (unused; the vault connector handles key lookup).
+     * @returns The raw signature bytes.
+     */
+    sign(keyId: string, data: Uint8Array, publicKey: Jwk): Promise<Uint8Array>;
+    /**
+     * Accept a JWK entry and return the vault key name as the stable key identifier.
+     * @param jwk The JWK to register.
+     * @returns The key identifier.
+     */
+    insert(jwk: Jwk): Promise<string>;
+    /**
+     * Check whether the given key identifier is managed by this storage.
+     * @param keyId The key identifier to check.
+     * @returns True if the key exists in this storage.
+     */
+    exists(keyId: string): Promise<boolean>;
+    /**
+     * Key generation is not supported; keys are managed entirely by the vault.
+     * @param keyType The key type requested.
+     * @param algorithm The JWS algorithm requested.
+     * @returns Never returns.
+     */
+    generate(keyType: string, algorithm: JwsAlgorithm): Promise<never>;
+    /**
+     * Deletion is a no-op; keys are managed by the vault.
+     * @param keyId The key identifier to delete.
+     */
+    delete(keyId: string): Promise<void>;
+}