@twin.org/trust-verifiers 0.0.3-next.2 → 0.0.3-next.20

package/README.md

@@ -1,6 +1,6 @@
 # TWIN Trust Verifiers
 
-Verifiers for trust.
+This package is part of the trust repository and provides reusable trust building blocks so applications can issue, validate, and orchestrate trust artefacts with consistent behaviour.
 
 ## Installation
 

package/dist/es/index.js

@@ -1,5 +1,8 @@
 // Copyright 2025 IOTA Stiftung.
 // SPDX-License-Identifier: Apache-2.0.
+export * from "./models/IIdentityAllowDenyVerifierConfig.js";
+export * from "./models/IIdentityAllowDenyVerifierConstructorOptions.js";
 export * from "./models/IJwtVerifiableCredentialVerifierConstructorOptions.js";
+export * from "./verifiers/identityAllowDenyVerifier.js";
 export * from "./verifiers/jwtVerifiableCredentialVerifier.js";
 //# sourceMappingURL=index.js.map

package/dist/es/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,cAAc,gEAAgE,CAAC;AAC/E,cAAc,gDAAgD,CAAC","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nexport * from \"./models/IJwtVerifiableCredentialVerifierConstructorOptions.js\";\nexport * from \"./verifiers/jwtVerifiableCredentialVerifier.js\";\n"]}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,cAAc,8CAA8C,CAAC;AAC7D,cAAc,0DAA0D,CAAC;AACzE,cAAc,gEAAgE,CAAC;AAC/E,cAAc,0CAA0C,CAAC;AACzD,cAAc,gDAAgD,CAAC","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nexport * from \"./models/IIdentityAllowDenyVerifierConfig.js\";\nexport * from \"./models/IIdentityAllowDenyVerifierConstructorOptions.js\";\nexport * from \"./models/IJwtVerifiableCredentialVerifierConstructorOptions.js\";\nexport * from \"./verifiers/identityAllowDenyVerifier.js\";\nexport * from \"./verifiers/jwtVerifiableCredentialVerifier.js\";\n"]}

package/dist/es/models/IIdentityAllowDenyVerifierConfig.js

@@ -0,0 +1,4 @@
+// Copyright 2025 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
+export {};
+//# sourceMappingURL=IIdentityAllowDenyVerifierConfig.js.map

package/dist/es/models/IIdentityAllowDenyVerifierConfig.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"IIdentityAllowDenyVerifierConfig.js","sourceRoot":"","sources":["../../../src/models/IIdentityAllowDenyVerifierConfig.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\n\n/**\n * Configuration for the Identity Allow/Deny Verifier.\n */\nexport interface IIdentityAllowDenyVerifierConfig {\n\t/**\n\t * Identities that are permitted; all others are rejected.\n\t * Skipped when empty or absent.\n\t */\n\tallowIdentities?: string[];\n\n\t/**\n\t * Identities that are explicitly rejected.\n\t * Skipped when empty or absent.\n\t */\n\tdenyIdentities?: string[];\n}\n"]}

package/dist/es/models/IIdentityAllowDenyVerifierConstructorOptions.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=IIdentityAllowDenyVerifierConstructorOptions.js.map

package/dist/es/models/IIdentityAllowDenyVerifierConstructorOptions.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"IIdentityAllowDenyVerifierConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/IIdentityAllowDenyVerifierConstructorOptions.ts"],"names":[],"mappings":"","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport type { IIdentityAllowDenyVerifierConfig } from \"./IIdentityAllowDenyVerifierConfig.js\";\n\n/**\n * The options for the Identity Allow/Deny Verifier.\n */\nexport interface IIdentityAllowDenyVerifierConstructorOptions {\n\t/**\n\t * The allow/deny configuration for the verifier.\n\t */\n\tconfig?: IIdentityAllowDenyVerifierConfig;\n}\n"]}

package/dist/es/models/IJwtVerifiableCredentialVerifierConstructorOptions.js.map

@@ -1 +1 @@
-{"version":3,"file":"IJwtVerifiableCredentialVerifierConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/IJwtVerifiableCredentialVerifierConstructorOptions.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\n\n/**\n * The options for the JWT Verifiable Credential Verifier.\n */\nexport interface IJwtVerifiableCredentialVerifierConstructorOptions {\n\t/**\n\t * The logging component type.\n\t * @default logging\n\t */\n\tloggingComponentType?: string;\n\n\t/**\n\t * The identity component type.\n\t * @default identity\n\t */\n\tidentityComponentType?: string;\n}\n"]}
+{"version":3,"file":"IJwtVerifiableCredentialVerifierConstructorOptions.js","sourceRoot":"","sources":["../../../src/models/IJwtVerifiableCredentialVerifierConstructorOptions.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\n\n/**\n * The options for the JWT Verifiable Credential Verifier.\n */\nexport interface IJwtVerifiableCredentialVerifierConstructorOptions {\n\t/**\n\t * The identity component type.\n\t * @default identity\n\t */\n\tidentityComponentType?: string;\n}\n"]}

package/dist/es/verifiers/identityAllowDenyVerifier.js

@@ -0,0 +1,70 @@
+// Copyright 2025 IOTA Stiftung.
+// SPDX-License-Identifier: Apache-2.0.
+import { GeneralError, Is } from "@twin.org/core";
+/**
+ * Class to gate verification based on allowed and denied identity lists.
+ */
+export class IdentityAllowDenyVerifier {
+    /**
+     * Runtime name for the class.
+     */
+    static CLASS_NAME = "IdentityAllowDenyVerifier";
+    /**
+     * The identities that are permitted.
+     * @internal
+     */
+    _allowIdentities;
+    /**
+     * The identities that are explicitly rejected.
+     * @internal
+     */
+    _denyIdentities;
+    /**
+     * Create a new instance of IdentityAllowDenyVerifier.
+     * @param options The options for the verifier.
+     */
+    constructor(options) {
+        this._allowIdentities = options?.config?.allowIdentities;
+        this._denyIdentities = options?.config?.denyIdentities;
+    }
+    /**
+     * Returns the class name of the component.
+     * @returns The class name of the component.
+     */
+    className() {
+        return IdentityAllowDenyVerifier.CLASS_NAME;
+    }
+    /**
+     * Verify a payload by checking the validity of its structure and content.
+     * @param payload The payload to verify.
+     * @param info Information extracted from previous verifiers and to be added by this verifier.
+     * @param info.identity The identity associated with the payload.
+     * @param errors Array to collect verification errors.
+     * @returns Whether the payload is verified, returns undefined if payload was not processed.
+     */
+    async verify(payload, info, errors) {
+        const hasAllow = Is.arrayValue(this._allowIdentities);
+        const hasDeny = Is.arrayValue(this._denyIdentities);
+        if (!hasAllow && !hasDeny) {
+            return undefined;
+        }
+        if (!Is.stringValue(info.identity)) {
+            errors.push(new GeneralError(IdentityAllowDenyVerifier.CLASS_NAME, "identityMissing"));
+            return false;
+        }
+        if (hasAllow && !this._allowIdentities?.includes(info.identity)) {
+            errors.push(new GeneralError(IdentityAllowDenyVerifier.CLASS_NAME, "identityNotAllowed", {
+                identity: info.identity
+            }));
+            return false;
+        }
+        if (hasDeny && this._denyIdentities?.includes(info.identity)) {
+            errors.push(new GeneralError(IdentityAllowDenyVerifier.CLASS_NAME, "identityDenied", {
+                identity: info.identity
+            }));
+            return false;
+        }
+        return true;
+    }
+}
+//# sourceMappingURL=identityAllowDenyVerifier.js.map

package/dist/es/verifiers/identityAllowDenyVerifier.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identityAllowDenyVerifier.js","sourceRoot":"","sources":["../../../src/verifiers/identityAllowDenyVerifier.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,OAAO,EAAE,YAAY,EAAE,EAAE,EAAe,MAAM,gBAAgB,CAAC;AAK/D;;GAEG;AACH,MAAM,OAAO,yBAAyB;IACrC;;OAEG;IACI,MAAM,CAAU,UAAU,+BAA+C;IAEhF;;;OAGG;IACc,gBAAgB,CAAY;IAE7C;;;OAGG;IACc,eAAe,CAAY;IAE5C;;;OAGG;IACH,YAAY,OAAsD;QACjE,IAAI,CAAC,gBAAgB,GAAG,OAAO,EAAE,MAAM,EAAE,eAAe,CAAC;QACzD,IAAI,CAAC,eAAe,GAAG,OAAO,EAAE,MAAM,EAAE,cAAc,CAAC;IACxD,CAAC;IAED;;;OAGG;IACI,SAAS;QACf,OAAO,yBAAyB,CAAC,UAAU,CAAC;IAC7C,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,MAAM,CAClB,OAAgB,EAChB,IAA4B,EAC5B,MAAgB;QAEhB,MAAM,QAAQ,GAAG,EAAE,CAAC,UAAU,CAAS,IAAI,CAAC,gBAAgB,CAAC,CAAC;QAC9D,MAAM,OAAO,GAAG,EAAE,CAAC,UAAU,CAAS,IAAI,CAAC,eAAe,CAAC,CAAC;QAE5D,IAAI,CAAC,QAAQ,IAAI,CAAC,OAAO,EAAE,CAAC;YAC3B,OAAO,SAAS,CAAC;QAClB,CAAC;QAED,IAAI,CAAC,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpC,MAAM,CAAC,IAAI,CAAC,IAAI,YAAY,CAAC,yBAAyB,CAAC,UAAU,EAAE,iBAAiB,CAAC,CAAC,CAAC;YACvF,OAAO,KAAK,CAAC;QACd,CAAC;QAED,IAAI,QAAQ,IAAI,CAAC,IAAI,CAAC,gBAAgB,EAAE,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACjE,MAAM,CAAC,IAAI,CACV,IAAI,YAAY,CAAC,yBAAyB,CAAC,UAAU,EAAE,oBAAoB,EAAE;gBAC5E,QAAQ,EAAE,IAAI,CAAC,QAAQ;aACvB,CAAC,CACF,CAAC;YACF,OAAO,KAAK,CAAC;QACd,CAAC;QAED,IAAI,OAAO,IAAI,IAAI,CAAC,eAAe,EAAE,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC9D,MAAM,CAAC,IAAI,CACV,IAAI,YAAY,CAAC,yBAAyB,CAAC,UAAU,EAAE,gBAAgB,EAAE;gBACxE,QAAQ,EAAE,IAAI,CAAC,QAAQ;aACvB,CAAC,CACF,CAAC;YACF,OAAO,KAAK,CAAC;QACd,CAAC;QAED,OAAO,IAAI,CAAC;IACb,CAAC","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport { GeneralError, Is, type IError } from \"@twin.org/core\";\nimport { nameof } from \"@twin.org/nameof\";\nimport type { ITrustVerificationInfo, ITrustVerifier } from \"@twin.org/trust-models\";\nimport type { IIdentityAllowDenyVerifierConstructorOptions } from \"../models/IIdentityAllowDenyVerifierConstructorOptions.js\";\n\n/**\n * Class to gate verification based on allowed and denied identity lists.\n */\nexport class IdentityAllowDenyVerifier implements ITrustVerifier {\n\t/**\n\t * Runtime name for the class.\n\t */\n\tpublic static readonly CLASS_NAME: string = nameof<IdentityAllowDenyVerifier>();\n\n\t/**\n\t * The identities that are permitted.\n\t * @internal\n\t */\n\tprivate readonly _allowIdentities?: string[];\n\n\t/**\n\t * The identities that are explicitly rejected.\n\t * @internal\n\t */\n\tprivate readonly _denyIdentities?: string[];\n\n\t/**\n\t * Create a new instance of IdentityAllowDenyVerifier.\n\t * @param options The options for the verifier.\n\t */\n\tconstructor(options?: IIdentityAllowDenyVerifierConstructorOptions) {\n\t\tthis._allowIdentities = options?.config?.allowIdentities;\n\t\tthis._denyIdentities = options?.config?.denyIdentities;\n\t}\n\n\t/**\n\t * Returns the class name of the component.\n\t * @returns The class name of the component.\n\t */\n\tpublic className(): string {\n\t\treturn IdentityAllowDenyVerifier.CLASS_NAME;\n\t}\n\n\t/**\n\t * Verify a payload by checking the validity of its structure and content.\n\t * @param payload The payload to verify.\n\t * @param info Information extracted from previous verifiers and to be added by this verifier.\n\t * @param info.identity The identity associated with the payload.\n\t * @param errors Array to collect verification errors.\n\t * @returns Whether the payload is verified, returns undefined if payload was not processed.\n\t */\n\tpublic async verify(\n\t\tpayload: unknown,\n\t\tinfo: ITrustVerificationInfo,\n\t\terrors: IError[]\n\t): Promise<boolean | undefined> {\n\t\tconst hasAllow = Is.arrayValue<string>(this._allowIdentities);\n\t\tconst hasDeny = Is.arrayValue<string>(this._denyIdentities);\n\n\t\tif (!hasAllow && !hasDeny) {\n\t\t\treturn undefined;\n\t\t}\n\n\t\tif (!Is.stringValue(info.identity)) {\n\t\t\terrors.push(new GeneralError(IdentityAllowDenyVerifier.CLASS_NAME, \"identityMissing\"));\n\t\t\treturn false;\n\t\t}\n\n\t\tif (hasAllow && !this._allowIdentities?.includes(info.identity)) {\n\t\t\terrors.push(\n\t\t\t\tnew GeneralError(IdentityAllowDenyVerifier.CLASS_NAME, \"identityNotAllowed\", {\n\t\t\t\t\tidentity: info.identity\n\t\t\t\t})\n\t\t\t);\n\t\t\treturn false;\n\t\t}\n\n\t\tif (hasDeny && this._denyIdentities?.includes(info.identity)) {\n\t\t\terrors.push(\n\t\t\t\tnew GeneralError(IdentityAllowDenyVerifier.CLASS_NAME, \"identityDenied\", {\n\t\t\t\t\tidentity: info.identity\n\t\t\t\t})\n\t\t\t);\n\t\t\treturn false;\n\t\t}\n\n\t\treturn true;\n\t}\n}\n"]}

package/dist/es/verifiers/jwtVerifiableCredentialVerifier.js

@@ -1,6 +1,7 @@
 // Copyright 2025 IOTA Stiftung.
 // SPDX-License-Identifier: Apache-2.0.
 import { BaseError, Coerce, ComponentFactory, GeneralError, Is } from "@twin.org/core";
+import { JsonLdHelper } from "@twin.org/data-json-ld";
 import { Jwt } from "@twin.org/web";
 /**
  * Class to verify a JWT Verifiable Credential.
@@ -10,11 +11,6 @@ export class JwtVerifiableCredentialVerifier {
      * Runtime name for the class.
      */
     static CLASS_NAME = "JwtVerifiableCredentialVerifier";
-    /**
-     * The logging component.
-     * @internal
-     */
-    _loggingComponent;
     /**
      * The identity component.
      * @internal
@@ -25,7 +21,6 @@ export class JwtVerifiableCredentialVerifier {
      * @param options The options for the service.
      */
     constructor(options) {
-        this._loggingComponent = ComponentFactory.getIfExists(options?.loggingComponentType ?? "logging");
         this._identityComponent = ComponentFactory.get(options?.identityComponentType ?? "identity");
     }
     /**
@@ -39,50 +34,66 @@ export class JwtVerifiableCredentialVerifier {
      * Verify a payload by checking the validity of its structure and content.
      * @param payload The payload to verify.
      * @param info Information extracted from previous verifiers and to be added by this verifier.
-     * @returns Whether the payload is verified and possible verification failures, returns undefined if payload not processed.
+     * @param info.identity The identity associated with the payload.
+     * @param errors Array to collect verification errors.
+     * @returns Whether the payload is verified, returns undefined if payload was not processed.
      */
-    async verify(payload, info) {
-        const failures = [];
+    async verify(payload, info, errors) {
         if (Is.stringValue(payload)) {
             const jwt = await Jwt.decode(payload);
-            if (Is.objectValue(jwt.header) &&
-                Is.objectValue(jwt.payload) &&
-                Is.uint8Array(jwt.signature)) {
+            if (Is.objectValue(jwt.header) && Is.object(jwt.payload) && Is.uint8Array(jwt.signature)) {
+                let isVerified = true;
                 try {
                     const expiredMs = (Coerce.number(jwt.payload.exp) ?? 0) * 1000;
                     if (expiredMs > 0 && expiredMs < Date.now()) {
-                        failures.push(new GeneralError(JwtVerifiableCredentialVerifier.CLASS_NAME, "tokenExpired"));
+                        errors.push(new GeneralError(JwtVerifiableCredentialVerifier.CLASS_NAME, "tokenExpired"));
+                        isVerified = false;
                     }
                     const verificationResult = await this._identityComponent.verifiableCredentialVerify(payload);
                     const verifiableCredential = verificationResult.verifiableCredential;
                     if (Is.empty(verifiableCredential)) {
-                        failures.push(new GeneralError(JwtVerifiableCredentialVerifier.CLASS_NAME, "tokenMissingCredential"));
+                        errors.push(new GeneralError(JwtVerifiableCredentialVerifier.CLASS_NAME, "tokenMissingCredential"));
+                        isVerified = false;
                     }
                     else {
-                        info.push(verifiableCredential);
+                        info.data ??= {};
+                        info.data.verifiableCredential = JsonLdHelper.toNodeObject(verifiableCredential);
                     }
                     const issuer = Is.stringValue(verifiableCredential?.issuer)
                         ? verifiableCredential?.issuer
                         : undefined;
                     if (Is.empty(issuer)) {
-                        failures.push(new GeneralError(JwtVerifiableCredentialVerifier.CLASS_NAME, "tokenMissingIssuer"));
+                        errors.push(new GeneralError(JwtVerifiableCredentialVerifier.CLASS_NAME, "tokenMissingIssuer"));
+                        isVerified = false;
+                    }
+                    else {
+                        info.identity = issuer;
                     }
                     const subject = verifiableCredential?.credentialSubject;
                     if (Is.empty(subject)) {
-                        failures.push(new GeneralError(JwtVerifiableCredentialVerifier.CLASS_NAME, "tokenMissingSubject"));
+                        errors.push(new GeneralError(JwtVerifiableCredentialVerifier.CLASS_NAME, "tokenMissingSubject"));
+                        isVerified = false;
                     }
                     else {
-                        const subjectArray = Array.isArray(subject) ? subject : [subject];
-                        info.push(...subjectArray);
+                        info.data ??= {};
+                        info.data.subject = JsonLdHelper.toNodeObject(subject);
+                    }
+                    // Multi-tenancy claims (`tid`, `org`) are JWT-level fields injected via
+                    // `jwtPayloadFields` by the generator.
+                    const payloadTenantId = jwt.payload.tid;
+                    if (Is.stringValue(payloadTenantId)) {
+                        info.tenantId = payloadTenantId;
+                    }
+                    const payloadOrganizationId = jwt.payload.org;
+                    if (Is.stringValue(payloadOrganizationId)) {
+                        info.organizationId = payloadOrganizationId;
                     }
                 }
                 catch (err) {
-                    failures.push(BaseError.fromError(err));
+                    isVerified = false;
+                    errors.push(new GeneralError(JwtVerifiableCredentialVerifier.CLASS_NAME, "tokenDecodingFailed", undefined, BaseError.fromError(err)));
                 }
-                return {
-                    verified: failures.length === 0,
-                    failures
-                };
+                return isVerified;
             }
         }
     }

package/dist/es/verifiers/jwtVerifiableCredentialVerifier.js.map

@@ -1 +1 @@
-{"version":3,"file":"jwtVerifiableCredentialVerifier.js","sourceRoot":"","sources":["../../../src/verifiers/jwtVerifiableCredentialVerifier.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,gBAAgB,EAAE,YAAY,EAAe,EAAE,EAAE,MAAM,gBAAgB,CAAC;AAMpG,OAAO,EAAE,GAAG,EAAE,MAAM,eAAe,CAAC;AAGpC;;GAEG;AACH,MAAM,OAAO,+BAA+B;IAC3C;;OAEG;IACI,MAAM,CAAU,UAAU,qCAAqD;IAEtF;;;OAGG;IACc,iBAAiB,CAAqB;IAEvD;;;OAGG;IACc,kBAAkB,CAAqB;IAExD;;;OAGG;IACH,YAAY,OAA4D;QACvE,IAAI,CAAC,iBAAiB,GAAG,gBAAgB,CAAC,WAAW,CACpD,OAAO,EAAE,oBAAoB,IAAI,SAAS,CAC1C,CAAC;QAEF,IAAI,CAAC,kBAAkB,GAAG,gBAAgB,CAAC,GAAG,CAAC,OAAO,EAAE,qBAAqB,IAAI,UAAU,CAAC,CAAC;IAC9F,CAAC;IAED;;;OAGG;IACI,SAAS;QACf,OAAO,+BAA+B,CAAC,UAAU,CAAC;IACnD,CAAC;IAED;;;;;OAKG;IACI,KAAK,CAAC,MAAM,CAClB,OAAgB,EAChB,IAAyB;QAQzB,MAAM,QAAQ,GAAa,EAAE,CAAC;QAE9B,IAAI,EAAE,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC;YAC7B,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAEtC,IACC,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC;gBAC1B,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,OAAO,CAAC;gBAC3B,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,EAC3B,CAAC;gBACF,IAAI,CAAC;oBACJ,MAAM,SAAS,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;oBAC/D,IAAI,SAAS,GAAG,CAAC,IAAI,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;wBAC7C,QAAQ,CAAC,IAAI,CACZ,IAAI,YAAY,CAAC,+BAA+B,CAAC,UAAU,EAAE,cAAc,CAAC,CAC5E,CAAC;oBACH,CAAC;oBAED,MAAM,kBAAkB,GACvB,MAAM,IAAI,CAAC,kBAAkB,CAAC,0BAA0B,CAAC,OAAO,CAAC,CAAC;oBAEnE,MAAM,oBAAoB,GAAG,kBAAkB,CAAC,oBAAoB,CAAC;oBACrE,IAAI,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC,EAAE,CAAC;wBACpC,QAAQ,CAAC,IAAI,CACZ,IAAI,YAAY,CAAC,+BAA+B,CAAC,UAAU,EAAE,wBAAwB,CAAC,CACtF,CAAC;oBACH,CAAC;yBAAM,CAAC;wBACP,IAAI,CAAC,IAAI,CAAC,oBAAoD,CAAC,CAAC;oBACjE,CAAC;oBAED,MAAM,MAAM,GAAuB,EAAE,CAAC,WAAW,CAAC,oBAAoB,EAAE,MAAM,CAAC;wBAC9E,CAAC,CAAC,oBAAoB,EAAE,MAAM;wBAC9B,CAAC,CAAC,SAAS,CAAC;oBACb,IAAI,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;wBACtB,QAAQ,CAAC,IAAI,CACZ,IAAI,YAAY,CAAC,+BAA+B,CAAC,UAAU,EAAE,oBAAoB,CAAC,CAClF,CAAC;oBACH,CAAC;oBAED,MAAM,OAAO,GAAG,oBAAoB,EAAE,iBAAiB,CAAC;oBACxD,IAAI,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;wBACvB,QAAQ,CAAC,IAAI,CACZ,IAAI,YAAY,CAAC,+BAA+B,CAAC,UAAU,EAAE,qBAAqB,CAAC,CACnF,CAAC;oBACH,CAAC;yBAAM,CAAC;wBACP,MAAM,YAAY,GAAG,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;wBAClE,IAAI,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;oBAC5B,CAAC;gBACF,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACd,QAAQ,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;gBACzC,CAAC;gBAED,OAAO;oBACN,QAAQ,EAAE,QAAQ,CAAC,MAAM,KAAK,CAAC;oBAC/B,QAAQ;iBACR,CAAC;YACH,CAAC;QACF,CAAC;IACF,CAAC","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport { BaseError, Coerce, ComponentFactory, GeneralError, type IError, Is } from \"@twin.org/core\";\nimport type { IJsonLdNodeObject } from \"@twin.org/data-json-ld\";\nimport type { IIdentityComponent } from \"@twin.org/identity-models\";\nimport type { ILoggingComponent } from \"@twin.org/logging-models\";\nimport { nameof } from \"@twin.org/nameof\";\nimport type { ITrustVerifier } from \"@twin.org/trust-models\";\nimport { Jwt } from \"@twin.org/web\";\nimport type { IJwtVerifiableCredentialVerifierConstructorOptions } from \"../models/IJwtVerifiableCredentialVerifierConstructorOptions.js\";\n\n/**\n * Class to verify a JWT Verifiable Credential.\n */\nexport class JwtVerifiableCredentialVerifier implements ITrustVerifier {\n\t/**\n\t * Runtime name for the class.\n\t */\n\tpublic static readonly CLASS_NAME: string = nameof<JwtVerifiableCredentialVerifier>();\n\n\t/**\n\t * The logging component.\n\t * @internal\n\t */\n\tprivate readonly _loggingComponent?: ILoggingComponent;\n\n\t/**\n\t * The identity component.\n\t * @internal\n\t */\n\tprivate readonly _identityComponent: IIdentityComponent;\n\n\t/**\n\t * Create a new instance of JwtVerifiableCredentialVerifier.\n\t * @param options The options for the service.\n\t */\n\tconstructor(options?: IJwtVerifiableCredentialVerifierConstructorOptions) {\n\t\tthis._loggingComponent = ComponentFactory.getIfExists(\n\t\t\toptions?.loggingComponentType ?? \"logging\"\n\t\t);\n\n\t\tthis._identityComponent = ComponentFactory.get(options?.identityComponentType ?? \"identity\");\n\t}\n\n\t/**\n\t * Returns the class name of the component.\n\t * @returns The class name of the component.\n\t */\n\tpublic className(): string {\n\t\treturn JwtVerifiableCredentialVerifier.CLASS_NAME;\n\t}\n\n\t/**\n\t * Verify a payload by checking the validity of its structure and content.\n\t * @param payload The payload to verify.\n\t * @param info Information extracted from previous verifiers and to be added by this verifier.\n\t * @returns Whether the payload is verified and possible verification failures, returns undefined if payload not processed.\n\t */\n\tpublic async verify(\n\t\tpayload: unknown,\n\t\tinfo: IJsonLdNodeObject[]\n\t): Promise<\n\t\t| {\n\t\t\t\tverified: boolean;\n\t\t\t\tfailures?: IError[];\n\t\t  }\n\t\t| undefined\n\t> {\n\t\tconst failures: IError[] = [];\n\n\t\tif (Is.stringValue(payload)) {\n\t\t\tconst jwt = await Jwt.decode(payload);\n\n\t\t\tif (\n\t\t\t\tIs.objectValue(jwt.header) &&\n\t\t\t\tIs.objectValue(jwt.payload) &&\n\t\t\t\tIs.uint8Array(jwt.signature)\n\t\t\t) {\n\t\t\t\ttry {\n\t\t\t\t\tconst expiredMs = (Coerce.number(jwt.payload.exp) ?? 0) * 1000;\n\t\t\t\t\tif (expiredMs > 0 && expiredMs < Date.now()) {\n\t\t\t\t\t\tfailures.push(\n\t\t\t\t\t\t\tnew GeneralError(JwtVerifiableCredentialVerifier.CLASS_NAME, \"tokenExpired\")\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\n\t\t\t\t\tconst verificationResult =\n\t\t\t\t\t\tawait this._identityComponent.verifiableCredentialVerify(payload);\n\n\t\t\t\t\tconst verifiableCredential = verificationResult.verifiableCredential;\n\t\t\t\t\tif (Is.empty(verifiableCredential)) {\n\t\t\t\t\t\tfailures.push(\n\t\t\t\t\t\t\tnew GeneralError(JwtVerifiableCredentialVerifier.CLASS_NAME, \"tokenMissingCredential\")\n\t\t\t\t\t\t);\n\t\t\t\t\t} else {\n\t\t\t\t\t\tinfo.push(verifiableCredential as unknown as IJsonLdNodeObject);\n\t\t\t\t\t}\n\n\t\t\t\t\tconst issuer: string | undefined = Is.stringValue(verifiableCredential?.issuer)\n\t\t\t\t\t\t? verifiableCredential?.issuer\n\t\t\t\t\t\t: undefined;\n\t\t\t\t\tif (Is.empty(issuer)) {\n\t\t\t\t\t\tfailures.push(\n\t\t\t\t\t\t\tnew GeneralError(JwtVerifiableCredentialVerifier.CLASS_NAME, \"tokenMissingIssuer\")\n\t\t\t\t\t\t);\n\t\t\t\t\t}\n\n\t\t\t\t\tconst subject = verifiableCredential?.credentialSubject;\n\t\t\t\t\tif (Is.empty(subject)) {\n\t\t\t\t\t\tfailures.push(\n\t\t\t\t\t\t\tnew GeneralError(JwtVerifiableCredentialVerifier.CLASS_NAME, \"tokenMissingSubject\")\n\t\t\t\t\t\t);\n\t\t\t\t\t} else {\n\t\t\t\t\t\tconst subjectArray = Array.isArray(subject) ? subject : [subject];\n\t\t\t\t\t\tinfo.push(...subjectArray);\n\t\t\t\t\t}\n\t\t\t\t} catch (err) {\n\t\t\t\t\tfailures.push(BaseError.fromError(err));\n\t\t\t\t}\n\n\t\t\t\treturn {\n\t\t\t\t\tverified: failures.length === 0,\n\t\t\t\t\tfailures\n\t\t\t\t};\n\t\t\t}\n\t\t}\n\t}\n}\n"]}
+{"version":3,"file":"jwtVerifiableCredentialVerifier.js","sourceRoot":"","sources":["../../../src/verifiers/jwtVerifiableCredentialVerifier.ts"],"names":[],"mappings":"AAAA,gCAAgC;AAChC,uCAAuC;AACvC,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,gBAAgB,EAAE,YAAY,EAAE,EAAE,EAAe,MAAM,gBAAgB,CAAC;AACpG,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAItD,OAAO,EAAE,GAAG,EAAE,MAAM,eAAe,CAAC;AAGpC;;GAEG;AACH,MAAM,OAAO,+BAA+B;IAC3C;;OAEG;IACI,MAAM,CAAU,UAAU,qCAAqD;IAEtF;;;OAGG;IACc,kBAAkB,CAAqB;IAExD;;;OAGG;IACH,YAAY,OAA4D;QACvE,IAAI,CAAC,kBAAkB,GAAG,gBAAgB,CAAC,GAAG,CAAC,OAAO,EAAE,qBAAqB,IAAI,UAAU,CAAC,CAAC;IAC9F,CAAC;IAED;;;OAGG;IACI,SAAS;QACf,OAAO,+BAA+B,CAAC,UAAU,CAAC;IACnD,CAAC;IAED;;;;;;;OAOG;IACI,KAAK,CAAC,MAAM,CAClB,OAAgB,EAChB,IAA4B,EAC5B,MAAgB;QAEhB,IAAI,EAAE,CAAC,WAAW,CAAC,OAAO,CAAC,EAAE,CAAC;YAC7B,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAEtC,IAAI,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,UAAU,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC1F,IAAI,UAAU,GAAG,IAAI,CAAC;gBACtB,IAAI,CAAC;oBACJ,MAAM,SAAS,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC;oBAC/D,IAAI,SAAS,GAAG,CAAC,IAAI,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;wBAC7C,MAAM,CAAC,IAAI,CACV,IAAI,YAAY,CAAC,+BAA+B,CAAC,UAAU,EAAE,cAAc,CAAC,CAC5E,CAAC;wBACF,UAAU,GAAG,KAAK,CAAC;oBACpB,CAAC;oBAED,MAAM,kBAAkB,GACvB,MAAM,IAAI,CAAC,kBAAkB,CAAC,0BAA0B,CAAC,OAAO,CAAC,CAAC;oBAEnE,MAAM,oBAAoB,GAAG,kBAAkB,CAAC,oBAAoB,CAAC;oBACrE,IAAI,EAAE,CAAC,KAAK,CAAC,oBAAoB,CAAC,EAAE,CAAC;wBACpC,MAAM,CAAC,IAAI,CACV,IAAI,YAAY,CAAC,+BAA+B,CAAC,UAAU,EAAE,wBAAwB,CAAC,CACtF,CAAC;wBACF,UAAU,GAAG,KAAK,CAAC;oBACpB,CAAC;yBAAM,CAAC;wBACP,IAAI,CAAC,IAAI,KAAK,EAAE,CAAC;wBACjB,IAAI,CAAC,IAAI,CAAC,oBAAoB,GAAG,YAAY,CAAC,YAAY,CAAC,oBAAoB,CAAC,CAAC;oBAClF,CAAC;oBAED,MAAM,MAAM,GAAuB,EAAE,CAAC,WAAW,CAAC,oBAAoB,EAAE,MAAM,CAAC;wBAC9E,CAAC,CAAC,oBAAoB,EAAE,MAAM;wBAC9B,CAAC,CAAC,SAAS,CAAC;oBACb,IAAI,EAAE,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;wBACtB,MAAM,CAAC,IAAI,CACV,IAAI,YAAY,CAAC,+BAA+B,CAAC,UAAU,EAAE,oBAAoB,CAAC,CAClF,CAAC;wBACF,UAAU,GAAG,KAAK,CAAC;oBACpB,CAAC;yBAAM,CAAC;wBACP,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC;oBACxB,CAAC;oBAED,MAAM,OAAO,GAAG,oBAAoB,EAAE,iBAAiB,CAAC;oBACxD,IAAI,EAAE,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;wBACvB,MAAM,CAAC,IAAI,CACV,IAAI,YAAY,CAAC,+BAA+B,CAAC,UAAU,EAAE,qBAAqB,CAAC,CACnF,CAAC;wBACF,UAAU,GAAG,KAAK,CAAC;oBACpB,CAAC;yBAAM,CAAC;wBACP,IAAI,CAAC,IAAI,KAAK,EAAE,CAAC;wBACjB,IAAI,CAAC,IAAI,CAAC,OAAO,GAAG,YAAY,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;oBACxD,CAAC;oBAED,wEAAwE;oBACxE,uCAAuC;oBACvC,MAAM,eAAe,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC;oBACxC,IAAI,EAAE,CAAC,WAAW,CAAC,eAAe,CAAC,EAAE,CAAC;wBACrC,IAAI,CAAC,QAAQ,GAAG,eAAe,CAAC;oBACjC,CAAC;oBACD,MAAM,qBAAqB,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC;oBAC9C,IAAI,EAAE,CAAC,WAAW,CAAC,qBAAqB,CAAC,EAAE,CAAC;wBAC3C,IAAI,CAAC,cAAc,GAAG,qBAAqB,CAAC;oBAC7C,CAAC;gBACF,CAAC;gBAAC,OAAO,GAAG,EAAE,CAAC;oBACd,UAAU,GAAG,KAAK,CAAC;oBACnB,MAAM,CAAC,IAAI,CACV,IAAI,YAAY,CACf,+BAA+B,CAAC,UAAU,EAC1C,qBAAqB,EACrB,SAAS,EACT,SAAS,CAAC,SAAS,CAAC,GAAG,CAAC,CACxB,CACD,CAAC;gBACH,CAAC;gBAED,OAAO,UAAU,CAAC;YACnB,CAAC;QACF,CAAC;IACF,CAAC","sourcesContent":["// Copyright 2025 IOTA Stiftung.\n// SPDX-License-Identifier: Apache-2.0.\nimport { BaseError, Coerce, ComponentFactory, GeneralError, Is, type IError } from \"@twin.org/core\";\nimport { JsonLdHelper } from \"@twin.org/data-json-ld\";\nimport type { IIdentityComponent } from \"@twin.org/identity-models\";\nimport { nameof } from \"@twin.org/nameof\";\nimport type { ITrustVerificationInfo, ITrustVerifier } from \"@twin.org/trust-models\";\nimport { Jwt } from \"@twin.org/web\";\nimport type { IJwtVerifiableCredentialVerifierConstructorOptions } from \"../models/IJwtVerifiableCredentialVerifierConstructorOptions.js\";\n\n/**\n * Class to verify a JWT Verifiable Credential.\n */\nexport class JwtVerifiableCredentialVerifier implements ITrustVerifier {\n\t/**\n\t * Runtime name for the class.\n\t */\n\tpublic static readonly CLASS_NAME: string = nameof<JwtVerifiableCredentialVerifier>();\n\n\t/**\n\t * The identity component.\n\t * @internal\n\t */\n\tprivate readonly _identityComponent: IIdentityComponent;\n\n\t/**\n\t * Create a new instance of JwtVerifiableCredentialVerifier.\n\t * @param options The options for the service.\n\t */\n\tconstructor(options?: IJwtVerifiableCredentialVerifierConstructorOptions) {\n\t\tthis._identityComponent = ComponentFactory.get(options?.identityComponentType ?? \"identity\");\n\t}\n\n\t/**\n\t * Returns the class name of the component.\n\t * @returns The class name of the component.\n\t */\n\tpublic className(): string {\n\t\treturn JwtVerifiableCredentialVerifier.CLASS_NAME;\n\t}\n\n\t/**\n\t * Verify a payload by checking the validity of its structure and content.\n\t * @param payload The payload to verify.\n\t * @param info Information extracted from previous verifiers and to be added by this verifier.\n\t * @param info.identity The identity associated with the payload.\n\t * @param errors Array to collect verification errors.\n\t * @returns Whether the payload is verified, returns undefined if payload was not processed.\n\t */\n\tpublic async verify(\n\t\tpayload: unknown,\n\t\tinfo: ITrustVerificationInfo,\n\t\terrors: IError[]\n\t): Promise<boolean | undefined> {\n\t\tif (Is.stringValue(payload)) {\n\t\t\tconst jwt = await Jwt.decode(payload);\n\n\t\t\tif (Is.objectValue(jwt.header) && Is.object(jwt.payload) && Is.uint8Array(jwt.signature)) {\n\t\t\t\tlet isVerified = true;\n\t\t\t\ttry {\n\t\t\t\t\tconst expiredMs = (Coerce.number(jwt.payload.exp) ?? 0) * 1000;\n\t\t\t\t\tif (expiredMs > 0 && expiredMs < Date.now()) {\n\t\t\t\t\t\terrors.push(\n\t\t\t\t\t\t\tnew GeneralError(JwtVerifiableCredentialVerifier.CLASS_NAME, \"tokenExpired\")\n\t\t\t\t\t\t);\n\t\t\t\t\t\tisVerified = false;\n\t\t\t\t\t}\n\n\t\t\t\t\tconst verificationResult =\n\t\t\t\t\t\tawait this._identityComponent.verifiableCredentialVerify(payload);\n\n\t\t\t\t\tconst verifiableCredential = verificationResult.verifiableCredential;\n\t\t\t\t\tif (Is.empty(verifiableCredential)) {\n\t\t\t\t\t\terrors.push(\n\t\t\t\t\t\t\tnew GeneralError(JwtVerifiableCredentialVerifier.CLASS_NAME, \"tokenMissingCredential\")\n\t\t\t\t\t\t);\n\t\t\t\t\t\tisVerified = false;\n\t\t\t\t\t} else {\n\t\t\t\t\t\tinfo.data ??= {};\n\t\t\t\t\t\tinfo.data.verifiableCredential = JsonLdHelper.toNodeObject(verifiableCredential);\n\t\t\t\t\t}\n\n\t\t\t\t\tconst issuer: string | undefined = Is.stringValue(verifiableCredential?.issuer)\n\t\t\t\t\t\t? verifiableCredential?.issuer\n\t\t\t\t\t\t: undefined;\n\t\t\t\t\tif (Is.empty(issuer)) {\n\t\t\t\t\t\terrors.push(\n\t\t\t\t\t\t\tnew GeneralError(JwtVerifiableCredentialVerifier.CLASS_NAME, \"tokenMissingIssuer\")\n\t\t\t\t\t\t);\n\t\t\t\t\t\tisVerified = false;\n\t\t\t\t\t} else {\n\t\t\t\t\t\tinfo.identity = issuer;\n\t\t\t\t\t}\n\n\t\t\t\t\tconst subject = verifiableCredential?.credentialSubject;\n\t\t\t\t\tif (Is.empty(subject)) {\n\t\t\t\t\t\terrors.push(\n\t\t\t\t\t\t\tnew GeneralError(JwtVerifiableCredentialVerifier.CLASS_NAME, \"tokenMissingSubject\")\n\t\t\t\t\t\t);\n\t\t\t\t\t\tisVerified = false;\n\t\t\t\t\t} else {\n\t\t\t\t\t\tinfo.data ??= {};\n\t\t\t\t\t\tinfo.data.subject = JsonLdHelper.toNodeObject(subject);\n\t\t\t\t\t}\n\n\t\t\t\t\t// Multi-tenancy claims (`tid`, `org`) are JWT-level fields injected via\n\t\t\t\t\t// `jwtPayloadFields` by the generator.\n\t\t\t\t\tconst payloadTenantId = jwt.payload.tid;\n\t\t\t\t\tif (Is.stringValue(payloadTenantId)) {\n\t\t\t\t\t\tinfo.tenantId = payloadTenantId;\n\t\t\t\t\t}\n\t\t\t\t\tconst payloadOrganizationId = jwt.payload.org;\n\t\t\t\t\tif (Is.stringValue(payloadOrganizationId)) {\n\t\t\t\t\t\tinfo.organizationId = payloadOrganizationId;\n\t\t\t\t\t}\n\t\t\t\t} catch (err) {\n\t\t\t\t\tisVerified = false;\n\t\t\t\t\terrors.push(\n\t\t\t\t\t\tnew GeneralError(\n\t\t\t\t\t\t\tJwtVerifiableCredentialVerifier.CLASS_NAME,\n\t\t\t\t\t\t\t\"tokenDecodingFailed\",\n\t\t\t\t\t\t\tundefined,\n\t\t\t\t\t\t\tBaseError.fromError(err)\n\t\t\t\t\t\t)\n\t\t\t\t\t);\n\t\t\t\t}\n\n\t\t\t\treturn isVerified;\n\t\t\t}\n\t\t}\n\t}\n}\n"]}

package/dist/types/index.d.ts

@@ -1,2 +1,5 @@
+export * from "./models/IIdentityAllowDenyVerifierConfig.js";
+export * from "./models/IIdentityAllowDenyVerifierConstructorOptions.js";
 export * from "./models/IJwtVerifiableCredentialVerifierConstructorOptions.js";
+export * from "./verifiers/identityAllowDenyVerifier.js";
 export * from "./verifiers/jwtVerifiableCredentialVerifier.js";

package/dist/types/models/IIdentityAllowDenyVerifierConfig.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Configuration for the Identity Allow/Deny Verifier.
+ */
+export interface IIdentityAllowDenyVerifierConfig {
+    /**
+     * Identities that are permitted; all others are rejected.
+     * Skipped when empty or absent.
+     */
+    allowIdentities?: string[];
+    /**
+     * Identities that are explicitly rejected.
+     * Skipped when empty or absent.
+     */
+    denyIdentities?: string[];
+}

package/dist/types/models/IIdentityAllowDenyVerifierConstructorOptions.d.ts

@@ -0,0 +1,10 @@
+import type { IIdentityAllowDenyVerifierConfig } from "./IIdentityAllowDenyVerifierConfig.js";
+/**
+ * The options for the Identity Allow/Deny Verifier.
+ */
+export interface IIdentityAllowDenyVerifierConstructorOptions {
+    /**
+     * The allow/deny configuration for the verifier.
+     */
+    config?: IIdentityAllowDenyVerifierConfig;
+}

package/dist/types/models/IJwtVerifiableCredentialVerifierConstructorOptions.d.ts

@@ -2,11 +2,6 @@
  * The options for the JWT Verifiable Credential Verifier.
  */
 export interface IJwtVerifiableCredentialVerifierConstructorOptions {
-    /**
-     * The logging component type.
-     * @default logging
-     */
-    loggingComponentType?: string;
     /**
      * The identity component type.
      * @default identity

package/dist/types/verifiers/identityAllowDenyVerifier.d.ts

@@ -0,0 +1,31 @@
+import { type IError } from "@twin.org/core";
+import type { ITrustVerificationInfo, ITrustVerifier } from "@twin.org/trust-models";
+import type { IIdentityAllowDenyVerifierConstructorOptions } from "../models/IIdentityAllowDenyVerifierConstructorOptions.js";
+/**
+ * Class to gate verification based on allowed and denied identity lists.
+ */
+export declare class IdentityAllowDenyVerifier implements ITrustVerifier {
+    /**
+     * Runtime name for the class.
+     */
+    static readonly CLASS_NAME: string;
+    /**
+     * Create a new instance of IdentityAllowDenyVerifier.
+     * @param options The options for the verifier.
+     */
+    constructor(options?: IIdentityAllowDenyVerifierConstructorOptions);
+    /**
+     * Returns the class name of the component.
+     * @returns The class name of the component.
+     */
+    className(): string;
+    /**
+     * Verify a payload by checking the validity of its structure and content.
+     * @param payload The payload to verify.
+     * @param info Information extracted from previous verifiers and to be added by this verifier.
+     * @param info.identity The identity associated with the payload.
+     * @param errors Array to collect verification errors.
+     * @returns Whether the payload is verified, returns undefined if payload was not processed.
+     */
+    verify(payload: unknown, info: ITrustVerificationInfo, errors: IError[]): Promise<boolean | undefined>;
+}

package/dist/types/verifiers/jwtVerifiableCredentialVerifier.d.ts

@@ -1,6 +1,5 @@
 import { type IError } from "@twin.org/core";
-import type { IJsonLdNodeObject } from "@twin.org/data-json-ld";
-import type { ITrustVerifier } from "@twin.org/trust-models";
+import type { ITrustVerificationInfo, ITrustVerifier } from "@twin.org/trust-models";
 import type { IJwtVerifiableCredentialVerifierConstructorOptions } from "../models/IJwtVerifiableCredentialVerifierConstructorOptions.js";
 /**
  * Class to verify a JWT Verifiable Credential.
@@ -24,10 +23,9 @@ export declare class JwtVerifiableCredentialVerifier implements ITrustVerifier {
      * Verify a payload by checking the validity of its structure and content.
      * @param payload The payload to verify.
      * @param info Information extracted from previous verifiers and to be added by this verifier.
-     * @returns Whether the payload is verified and possible verification failures, returns undefined if payload not processed.
+     * @param info.identity The identity associated with the payload.
+     * @param errors Array to collect verification errors.
+     * @returns Whether the payload is verified, returns undefined if payload was not processed.
      */
-    verify(payload: unknown, info: IJsonLdNodeObject[]): Promise<{
-        verified: boolean;
-        failures?: IError[];
-    } | undefined>;
+    verify(payload: unknown, info: ITrustVerificationInfo, errors: IError[]): Promise<boolean | undefined>;
 }

package/docs/changelog.md

@@ -1,11 +1,263 @@
 # Changelog
 
-## [0.0.3-next.2](https://github.com/twinfoundation/trust/compare/trust-verifiers-v0.0.3-next.1...trust-verifiers-v0.0.3-next.2) (2025-12-03)
+## [0.0.3-next.20](https://github.com/iotaledger/twin-trust/compare/trust-verifiers-v0.0.3-next.19...trust-verifiers-v0.0.3-next.20) (2026-06-10)
+
+
+### Miscellaneous Chores
+
+* **trust-verifiers:** Synchronize repo versions
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @twin.org/trust-models bumped from 0.0.3-next.19 to 0.0.3-next.20
+
+## [0.0.3-next.19](https://github.com/iotaledger/twin-trust/compare/trust-verifiers-v0.0.3-next.18...trust-verifiers-v0.0.3-next.19) (2026-06-05)
+
+
+### Features
+
+* remove logging component ([54b56cb](https://github.com/iotaledger/twin-trust/commit/54b56cb81a6cb0aac41e37e8edda9c36685f2adb))
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @twin.org/trust-models bumped from 0.0.3-next.18 to 0.0.3-next.19
+
+## [0.0.3-next.18](https://github.com/iotaledger/twin-trust/compare/trust-verifiers-v0.0.3-next.17...trust-verifiers-v0.0.3-next.18) (2026-06-05)
+
+
+### Features
+
+* add allow deny verifier ([#32](https://github.com/iotaledger/twin-trust/issues/32)) ([daf5d03](https://github.com/iotaledger/twin-trust/commit/daf5d033ffbe82e2228c48ca7ffea870a1ce956e))
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @twin.org/trust-models bumped from 0.0.3-next.17 to 0.0.3-next.18
+
+## [0.0.3-next.17](https://github.com/iotaledger/twin-trust/compare/trust-verifiers-v0.0.3-next.16...trust-verifiers-v0.0.3-next.17) (2026-06-02)
+
+
+### Miscellaneous Chores
+
+* **trust-verifiers:** Synchronize repo versions
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @twin.org/trust-models bumped from 0.0.3-next.16 to 0.0.3-next.17
+
+## [0.0.3-next.16](https://github.com/iotaledger/twin-trust/compare/trust-verifiers-v0.0.3-next.15...trust-verifiers-v0.0.3-next.16) (2026-05-27)
+
+
+### Miscellaneous Chores
+
+* **trust-verifiers:** Synchronize repo versions
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @twin.org/trust-models bumped from 0.0.3-next.15 to 0.0.3-next.16
+
+## [0.0.3-next.15](https://github.com/iotaledger/twin-trust/compare/trust-verifiers-v0.0.3-next.14...trust-verifiers-v0.0.3-next.15) (2026-05-26)
+
+
+### Miscellaneous Chores
+
+* **trust-verifiers:** Synchronize repo versions
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @twin.org/trust-models bumped from 0.0.3-next.14 to 0.0.3-next.15
+
+## [0.0.3-next.14](https://github.com/iotaledger/twin-trust/compare/trust-verifiers-v0.0.3-next.13...trust-verifiers-v0.0.3-next.14) (2026-05-22)
+
+
+### Features
+
+* add optional tenantId + organizationId to trust VC payload ([#19](https://github.com/iotaledger/twin-trust/issues/19)) ([1e93f6b](https://github.com/iotaledger/twin-trust/commit/1e93f6b0eacbfa725f3c3515d4255b39dd122ce7))
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @twin.org/trust-models bumped from 0.0.3-next.13 to 0.0.3-next.14
+
+## [0.0.3-next.13](https://github.com/iotaledger/twin-trust/compare/trust-verifiers-v0.0.3-next.12...trust-verifiers-v0.0.3-next.13) (2026-05-20)
+
+
+### Features
+
+* update dependencies ([367d7fc](https://github.com/iotaledger/twin-trust/commit/367d7fc1f970522650c776d231bfacc84f97be67))
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @twin.org/trust-models bumped from 0.0.3-next.12 to 0.0.3-next.13
+
+## [0.0.3-next.12](https://github.com/iotaledger/twin-trust/compare/trust-verifiers-v0.0.3-next.11...trust-verifiers-v0.0.3-next.12) (2026-05-11)
+
+
+### Features
+
+* typescript 6 update ([a232da2](https://github.com/iotaledger/twin-trust/commit/a232da293afbd3b42843e187e4952dabd7917397))
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @twin.org/trust-models bumped from 0.0.3-next.11 to 0.0.3-next.12
+
+## [0.0.3-next.11](https://github.com/iotaledger/twin-trust/compare/trust-verifiers-v0.0.3-next.10...trust-verifiers-v0.0.3-next.11) (2026-03-04)
+
+
+### Miscellaneous Chores
+
+* **trust-verifiers:** Synchronize repo versions
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @twin.org/trust-models bumped from 0.0.3-next.10 to 0.0.3-next.11
+
+## [0.0.3-next.10](https://github.com/iotaledger/twin-trust/compare/trust-verifiers-v0.0.3-next.9...trust-verifiers-v0.0.3-next.10) (2026-02-27)
+
+
+### Miscellaneous Chores
+
+* **trust-verifiers:** Synchronize repo versions
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @twin.org/trust-models bumped from 0.0.3-next.9 to 0.0.3-next.10
+
+## [0.0.3-next.9](https://github.com/iotaledger/twin-trust/compare/trust-verifiers-v0.0.3-next.8...trust-verifiers-v0.0.3-next.9) (2026-02-26)
+
+
+### Miscellaneous Chores
+
+* **trust-verifiers:** Synchronize repo versions
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @twin.org/trust-models bumped from 0.0.3-next.8 to 0.0.3-next.9
+
+## [0.0.3-next.8](https://github.com/iotaledger/twin-trust/compare/trust-verifiers-v0.0.3-next.7...trust-verifiers-v0.0.3-next.8) (2026-01-30)
+
+
+### Features
+
+* verification info structure ([#10](https://github.com/iotaledger/twin-trust/issues/10)) ([8b09ec8](https://github.com/iotaledger/twin-trust/commit/8b09ec8128214b659f427fc3a985eb8ced9ed5dc))
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @twin.org/trust-models bumped from 0.0.3-next.7 to 0.0.3-next.8
+
+## [0.0.3-next.7](https://github.com/iotaledger/twin-trust/compare/trust-verifiers-v0.0.3-next.6...trust-verifiers-v0.0.3-next.7) (2025-12-04)
+
+
+### Miscellaneous Chores
+
+* **trust-verifiers:** Synchronize repo versions
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @twin.org/trust-models bumped from 0.0.3-next.6 to 0.0.3-next.7
+
+## [0.0.3-next.6](https://github.com/iotaledger/twin-trust/compare/trust-verifiers-v0.0.3-next.5...trust-verifiers-v0.0.3-next.6) (2025-12-04)
+
+
+### Features
+
+* always include identity in verification info ([9594d19](https://github.com/iotaledger/twin-trust/commit/9594d19e9d718bd42b82964750ae3bcfb7df51bf))
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @twin.org/trust-models bumped from 0.0.3-next.5 to 0.0.3-next.6
+
+## [0.0.3-next.5](https://github.com/iotaledger/twin-trust/compare/trust-verifiers-v0.0.3-next.4...trust-verifiers-v0.0.3-next.5) (2025-12-04)
+
+
+### Miscellaneous Chores
+
+* **trust-verifiers:** Synchronize repo versions
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @twin.org/trust-models bumped from 0.0.3-next.4 to 0.0.3-next.5
+
+## [0.0.3-next.4](https://github.com/iotaledger/twin-trust/compare/trust-verifiers-v0.0.3-next.3...trust-verifiers-v0.0.3-next.4) (2025-12-04)
+
+
+### Features
+
+* add generators ([6228c88](https://github.com/iotaledger/twin-trust/commit/6228c88a8f0244b7bdfc76b8624c427c81d23f7b))
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @twin.org/trust-models bumped from 0.0.3-next.3 to 0.0.3-next.4
+
+## [0.0.3-next.3](https://github.com/iotaledger/twin-trust/compare/trust-verifiers-v0.0.3-next.2...trust-verifiers-v0.0.3-next.3) (2025-12-04)
+
+
+### Features
+
+* flatten error structure ([5fdd665](https://github.com/iotaledger/twin-trust/commit/5fdd665d0fc523a655563a0c20d1d82b634534e2))
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @twin.org/trust-models bumped from 0.0.3-next.2 to 0.0.3-next.3
+
+## [0.0.3-next.2](https://github.com/iotaledger/twin-trust/compare/trust-verifiers-v0.0.3-next.1...trust-verifiers-v0.0.3-next.2) (2025-12-03)
 
 
 ### Features
 
-* support pass through of info between verifiers ([1ce64b9](https://github.com/twinfoundation/trust/commit/1ce64b97a949278b447cc12b576ce5de537f30f3))
+* support pass through of info between verifiers ([1ce64b9](https://github.com/iotaledger/twin-trust/commit/1ce64b97a949278b447cc12b576ce5de537f30f3))
 
 
 ### Dependencies
@@ -14,12 +266,12 @@
   * dependencies
     * @twin.org/trust-models bumped from 0.0.3-next.1 to 0.0.3-next.2
 
-## [0.0.3-next.1](https://github.com/twinfoundation/trust/compare/trust-verifiers-v0.0.3-next.0...trust-verifiers-v0.0.3-next.1) (2025-12-02)
+## [0.0.3-next.1](https://github.com/iotaledger/twin-trust/compare/trust-verifiers-v0.0.3-next.0...trust-verifiers-v0.0.3-next.1) (2025-12-02)
 
 
 ### Features
 
-* initial commit ([d378ef4](https://github.com/twinfoundation/trust/commit/d378ef4cd66c98fa188aaf3b23152d1e47d88a37))
+* initial commit ([d378ef4](https://github.com/iotaledger/twin-trust/commit/d378ef4cd66c98fa188aaf3b23152d1e47d88a37))
 
 
 ### Dependencies
@@ -28,4 +280,4 @@
   * dependencies
     * @twin.org/trust-models bumped from 0.0.3-next.0 to 0.0.3-next.1
 
-## @twin.org/trust-verifiers - Changelog
+## Changelog

package/docs/examples.md

@@ -1 +1,44 @@
-# @twin.org/trust-verifiers - Examples
+# Trust Verifiers Examples
+
+These snippets demonstrate how to initialise a JWT verifier and evaluate a token while collecting identity and subject details.
+
+## JwtVerifiableCredentialVerifier
+
+```typescript
+import { ComponentFactory, type IError } from '@twin.org/core';
+import type { IIdentityComponent } from '@twin.org/identity-models';
+import type { ITrustVerificationInfo } from '@twin.org/trust-models';
+import { JwtVerifiableCredentialVerifier } from '@twin.org/trust-verifiers';
+
+const identityComponent: IIdentityComponent = {
+  verifiableCredentialVerify: async () => ({
+    verifiableCredential: {
+      issuer: 'did:example:issuer',
+      credentialSubject: {
+        id: 'did:example:subject',
+        role: 'supplier'
+      }
+    }
+  })
+} as IIdentityComponent;
+
+ComponentFactory.register('identity', () => identityComponent);
+
+const verifier = new JwtVerifiableCredentialVerifier({
+  identityComponentType: 'identity'
+});
+
+console.log(verifier.className()); // JwtVerifiableCredentialVerifier
+
+const info: ITrustVerificationInfo = { identity: '' };
+const errors: IError[] = [];
+const verified = await verifier.verify(
+  'eyJhbGciOiJFZERTQSJ9.eyJleHAiOjQwMDAwMDAwMDB9.signature',
+  info,
+  errors
+);
+
+console.log(verified); // true
+console.log(info.identity); // did:example:issuer
+console.log(info.data?.subject); // { id: "did:example:subject", role: "supplier" }
+```

package/docs/reference/classes/IdentityAllowDenyVerifier.md

@@ -0,0 +1,91 @@
+# Class: IdentityAllowDenyVerifier
+
+Class to gate verification based on allowed and denied identity lists.
+
+## Implements
+
+- `ITrustVerifier`
+
+## Constructors
+
+### Constructor
+
+> **new IdentityAllowDenyVerifier**(`options?`): `IdentityAllowDenyVerifier`
+
+Create a new instance of IdentityAllowDenyVerifier.
+
+#### Parameters
+
+##### options?
+
+[`IIdentityAllowDenyVerifierConstructorOptions`](../interfaces/IIdentityAllowDenyVerifierConstructorOptions.md)
+
+The options for the verifier.
+
+#### Returns
+
+`IdentityAllowDenyVerifier`
+
+## Properties
+
+### CLASS\_NAME {#class_name}
+
+> `readonly` `static` **CLASS\_NAME**: `string`
+
+Runtime name for the class.
+
+## Methods
+
+### className() {#classname}
+
+> **className**(): `string`
+
+Returns the class name of the component.
+
+#### Returns
+
+`string`
+
+The class name of the component.
+
+#### Implementation of
+
+`ITrustVerifier.className`
+
+***
+
+### verify() {#verify}
+
+> **verify**(`payload`, `info`, `errors`): `Promise`\<`boolean` \| `undefined`\>
+
+Verify a payload by checking the validity of its structure and content.
+
+#### Parameters
+
+##### payload
+
+`unknown`
+
+The payload to verify.
+
+##### info
+
+`ITrustVerificationInfo`
+
+Information extracted from previous verifiers and to be added by this verifier.
+
+##### errors
+
+`IError`[]
+
+Array to collect verification errors.
+
+#### Returns
+
+`Promise`\<`boolean` \| `undefined`\>
+
+Whether the payload is verified, returns undefined if payload was not processed.
+
+#### Implementation of
+
+`ITrustVerifier.verify`

package/docs/reference/classes/JwtVerifiableCredentialVerifier.md

@@ -28,7 +28,7 @@ The options for the service.
 
 ## Properties
 
-### CLASS\_NAME
+### CLASS\_NAME {#class_name}
 
 > `readonly` `static` **CLASS\_NAME**: `string`
 
@@ -36,7 +36,7 @@ Runtime name for the class.
 
 ## Methods
 
-### className()
+### className() {#classname}
 
 > **className**(): `string`
 
@@ -54,9 +54,9 @@ The class name of the component.
 
 ***
 
-### verify()
+### verify() {#verify}
 
-> **verify**(`payload`, `info`): `Promise`\<\{ `verified`: `boolean`; `failures?`: `IError`[]; \} \| `undefined`\>
+> **verify**(`payload`, `info`, `errors`): `Promise`\<`boolean` \| `undefined`\>
 
 Verify a payload by checking the validity of its structure and content.
 
@@ -70,15 +70,21 @@ The payload to verify.
 
 ##### info
 
-`IJsonLdNodeObject`[]
+`ITrustVerificationInfo`
 
 Information extracted from previous verifiers and to be added by this verifier.
 
+##### errors
+
+`IError`[]
+
+Array to collect verification errors.
+
 #### Returns
 
-`Promise`\<\{ `verified`: `boolean`; `failures?`: `IError`[]; \} \| `undefined`\>
+`Promise`\<`boolean` \| `undefined`\>
 
-Whether the payload is verified and possible verification failures, returns undefined if payload not processed.
+Whether the payload is verified, returns undefined if payload was not processed.
 
 #### Implementation of
 

package/docs/reference/index.md

@@ -2,8 +2,11 @@
 
 ## Classes
 
+- [IdentityAllowDenyVerifier](classes/IdentityAllowDenyVerifier.md)
 - [JwtVerifiableCredentialVerifier](classes/JwtVerifiableCredentialVerifier.md)
 
 ## Interfaces
 
+- [IIdentityAllowDenyVerifierConfig](interfaces/IIdentityAllowDenyVerifierConfig.md)
+- [IIdentityAllowDenyVerifierConstructorOptions](interfaces/IIdentityAllowDenyVerifierConstructorOptions.md)
 - [IJwtVerifiableCredentialVerifierConstructorOptions](interfaces/IJwtVerifiableCredentialVerifierConstructorOptions.md)

package/docs/reference/interfaces/IIdentityAllowDenyVerifierConfig.md

@@ -0,0 +1,21 @@
+# Interface: IIdentityAllowDenyVerifierConfig
+
+Configuration for the Identity Allow/Deny Verifier.
+
+## Properties
+
+### allowIdentities? {#allowidentities}
+
+> `optional` **allowIdentities?**: `string`[]
+
+Identities that are permitted; all others are rejected.
+Skipped when empty or absent.
+
+***
+
+### denyIdentities? {#denyidentities}
+
+> `optional` **denyIdentities?**: `string`[]
+
+Identities that are explicitly rejected.
+Skipped when empty or absent.

package/docs/reference/interfaces/IIdentityAllowDenyVerifierConstructorOptions.md

@@ -0,0 +1,11 @@
+# Interface: IIdentityAllowDenyVerifierConstructorOptions
+
+The options for the Identity Allow/Deny Verifier.
+
+## Properties
+
+### config? {#config}
+
+> `optional` **config?**: [`IIdentityAllowDenyVerifierConfig`](IIdentityAllowDenyVerifierConfig.md)
+
+The allow/deny configuration for the verifier.

package/docs/reference/interfaces/IJwtVerifiableCredentialVerifierConstructorOptions.md

@@ -4,23 +4,9 @@ The options for the JWT Verifiable Credential Verifier.
 
 ## Properties
 
-### loggingComponentType?
+### identityComponentType? {#identitycomponenttype}
 
-> `optional` **loggingComponentType**: `string`
-
-The logging component type.
-
-#### Default
-
-```ts
-logging
-```
-
-***
-
-### identityComponentType?
-
-> `optional` **identityComponentType**: `string`
+> `optional` **identityComponentType?**: `string`
 
 The identity component type.
 

package/locales/en.json

@@ -1,10 +1,16 @@
 {
 	"error": {
+		"identityAllowDenyVerifier": {
+			"identityMissing": "The identity is missing from the verification info.",
+			"identityNotAllowed": "The identity is not in the allowed identities list \"{identity}\".",
+			"identityDenied": "The identity is in the denied identities list \"{identity}\"."
+		},
 		"jwtVerifiableCredentialVerifier": {
 			"tokenMissingCredential": "The JWT token does not contain a verifiable credential.",
 			"tokenMissingIssuer": "The verifiable credential in the JWT does not contain an issuer.",
 			"tokenExpired": "The JWT token has expired.",
-			"tokenMissingSubject": "The verifiable credential in the JWT does not contain a subject."
+			"tokenMissingSubject": "The verifiable credential in the JWT does not contain a subject.",
+			"tokenDecodingFailed": "Failed to decode the JWT token."
 		}
 	}
 }

package/package.json

@@ -1,10 +1,10 @@
 {
 	"name": "@twin.org/trust-verifiers",
-	"version": "0.0.3-next.2",
-	"description": "Verifiers for trust",
+	"version": "0.0.3-next.20",
+	"description": "Implements trust verifiers that validate credentials and proofs against trust model requirements",
 	"repository": {
 		"type": "git",
-		"url": "git+https://github.com/twinfoundation/trust.git",
+		"url": "git+https://github.com/iotaledger/twin-trust.git",
 		"directory": "packages/trust-verifiers"
 	},
 	"author": "martyn.janes@iota.org",
@@ -19,7 +19,7 @@
 		"@twin.org/identity-models": "next",
 		"@twin.org/logging-models": "next",
 		"@twin.org/nameof": "next",
-		"@twin.org/trust-models": "0.0.3-next.2",
+		"@twin.org/trust-models": "0.0.3-next.20",
 		"@twin.org/web": "next"
 	},
 	"main": "./dist/es/index.js",
@@ -50,7 +50,7 @@
 		"schemas"
 	],
 	"bugs": {
-		"url": "git+https://github.com/twinfoundation/trust/issues"
+		"url": "git+https://github.com/iotaledger/twin-trust/issues"
 	},
 	"homepage": "https://twindev.org"
 }