@vallum/registry 0.0.0-prerelease

package/dist/a2aDiscoveryBundle.js

@@ -0,0 +1,326 @@
+import { isIP } from "node:net";
+import { mkdir, readFile, writeFile } from "node:fs/promises";
+import { dirname, join } from "node:path";
+import { A2A_AGENT_CARD_WELL_KNOWN_PATH, } from "./a2aCard.js";
+import { A2A_JWKS_WELL_KNOWN_PATH, } from "./a2aJwks.js";
+export function createA2APublicDiscoveryBundle(options) {
+    const publicBaseUrl = publicHttpsUrl(options.publicBaseUrl, "A2A public base URL");
+    const publicJwksUrl = publicHttpsUrl(options.publicJwksUrl, "A2A public JWKS URL");
+    const agentCard = sanitizeAgentCard(options.agentCard, publicBaseUrl, publicJwksUrl);
+    const jwks = sanitizeJwks(options.jwks);
+    const signingKeyIds = signatureKeyIds(agentCard.signatures);
+    const jwksKeyIds = new Set(jwks.body.keys.map((key) => key.kid).filter((kid) => typeof kid === "string"));
+    for (const keyId of signingKeyIds) {
+        if (!jwksKeyIds.has(keyId)) {
+            throw new Error("A2A public discovery bundle signing key is missing from JWKS.");
+        }
+    }
+    const cacheControl = options.cacheControl ?? "no-store";
+    return {
+        publicBaseUrl,
+        publicJwksUrl,
+        files: [
+            {
+                path: A2A_AGENT_CARD_WELL_KNOWN_PATH,
+                headers: {
+                    "content-type": "application/a2a+json; charset=utf-8",
+                    "cache-control": cacheControl,
+                },
+                json: `${JSON.stringify(agentCard, null, 2)}\n`,
+            },
+            {
+                path: A2A_JWKS_WELL_KNOWN_PATH,
+                headers: {
+                    "content-type": "application/jwk-set+json; charset=utf-8",
+                    "cache-control": cacheControl,
+                },
+                json: jwks.json.endsWith("\n") ? jwks.json : `${jwks.json}\n`,
+            },
+        ],
+    };
+}
+export async function writeA2APublicDiscoveryBundle(options) {
+    const outDir = options.outDir.trim();
+    if (outDir === "")
+        throw new Error("A2A public discovery bundle output directory is required.");
+    const expectedPaths = new Set([A2A_AGENT_CARD_WELL_KNOWN_PATH, A2A_JWKS_WELL_KNOWN_PATH]);
+    const seenPaths = new Set();
+    const writtenFiles = [];
+    for (const file of options.bundle.files) {
+        if (!expectedPaths.has(file.path) || seenPaths.has(file.path)) {
+            throw new Error("A2A public discovery bundle contains an unexpected static file path.");
+        }
+        seenPaths.add(file.path);
+        const absolutePath = join(outDir, file.path.slice(1));
+        await mkdir(dirname(absolutePath), { recursive: true });
+        await writeFile(absolutePath, file.json, { encoding: "utf8", mode: 0o644 });
+        writtenFiles.push({
+            path: absolutePath,
+            sourcePath: file.path,
+            headers: { ...file.headers },
+        });
+    }
+    if (seenPaths.size !== expectedPaths.size) {
+        throw new Error("A2A public discovery bundle is missing required static files.");
+    }
+    const manifestPath = join(outDir, options.manifestFileName ?? "a2a-discovery-bundle-manifest.json");
+    await writeFile(manifestPath, `${JSON.stringify({
+        schemaVersion: 1,
+        kind: "vallum.a2a-static-discovery-bundle",
+        publicBaseUrl: options.bundle.publicBaseUrl,
+        publicJwksUrl: options.bundle.publicJwksUrl,
+        files: writtenFiles.map((file) => ({
+            path: file.sourcePath,
+            headers: file.headers,
+        })),
+    }, null, 2)}\n`, { encoding: "utf8", mode: 0o644 });
+    return {
+        outDir,
+        publicBaseUrl: options.bundle.publicBaseUrl,
+        publicJwksUrl: options.bundle.publicJwksUrl,
+        files: writtenFiles,
+        manifestPath,
+    };
+}
+export async function validateA2APublicDiscoveryBundleArtifacts(options) {
+    const outDir = options.outDir.trim();
+    if (outDir === "")
+        throw new Error("A2A public discovery bundle output directory is required.");
+    const manifestPath = join(outDir, options.manifestFileName ?? "a2a-discovery-bundle-manifest.json");
+    const manifest = parseManifest(await readFile(manifestPath, "utf8"));
+    if (manifest.schemaVersion !== 1 || manifest.kind !== "vallum.a2a-static-discovery-bundle") {
+        throw new Error("A2A public discovery bundle manifest is invalid.");
+    }
+    if (typeof manifest.publicBaseUrl !== "string" || typeof manifest.publicJwksUrl !== "string") {
+        throw new Error("A2A public discovery bundle manifest is missing public URLs.");
+    }
+    if (options.expectedPublicBaseUrl && publicHttpsUrl(options.expectedPublicBaseUrl, "A2A expected public base URL") !== manifest.publicBaseUrl) {
+        throw new Error("A2A public discovery bundle public base URL does not match the expected value.");
+    }
+    if (options.expectedPublicJwksUrl && publicHttpsUrl(options.expectedPublicJwksUrl, "A2A expected public JWKS URL") !== manifest.publicJwksUrl) {
+        throw new Error("A2A public discovery bundle public JWKS URL does not match the expected value.");
+    }
+    const manifestFiles = parseManifestFiles(manifest.files);
+    const agentCardJson = await readFile(join(outDir, A2A_AGENT_CARD_WELL_KNOWN_PATH.slice(1)), "utf8");
+    const jwksJson = await readFile(join(outDir, A2A_JWKS_WELL_KNOWN_PATH.slice(1)), "utf8");
+    const agentCard = JSON.parse(agentCardJson);
+    const jwksBody = JSON.parse(jwksJson);
+    const jwksHeaders = manifestFiles.find((file) => file.sourcePath === A2A_JWKS_WELL_KNOWN_PATH)?.headers ?? {};
+    const bundle = createA2APublicDiscoveryBundle({
+        agentCard,
+        jwks: {
+            path: A2A_JWKS_WELL_KNOWN_PATH,
+            status: 200,
+            headers: jwksHeaders,
+            body: jwksBody,
+            json: jwksJson,
+        },
+        publicBaseUrl: manifest.publicBaseUrl,
+        publicJwksUrl: manifest.publicJwksUrl,
+        cacheControl: sharedCacheControl(manifestFiles),
+    });
+    for (const file of bundle.files) {
+        const manifestFile = manifestFiles.find((candidate) => candidate.sourcePath === file.path);
+        if (!manifestFile) {
+            throw new Error("A2A public discovery bundle manifest is missing required static file metadata.");
+        }
+        assertContentType(file.path, manifestFile.headers);
+    }
+    return {
+        outDir,
+        publicBaseUrl: bundle.publicBaseUrl,
+        publicJwksUrl: bundle.publicJwksUrl,
+        files: manifestFiles.map((file) => ({
+            path: join(outDir, file.sourcePath.slice(1)),
+            sourcePath: file.sourcePath,
+            headers: file.headers,
+        })),
+        manifestPath,
+    };
+}
+function sanitizeAgentCard(card, publicBaseUrl, publicJwksUrl) {
+    if (containsSecretLikeField(card)) {
+        throw new Error("A2A public discovery bundle must not contain private Agent Card fields.");
+    }
+    if (!card.signatures || card.signatures.length === 0) {
+        throw new Error("A2A public discovery bundle requires a signed Agent Card.");
+    }
+    if (!card.supportedInterfaces.some((entry) => entry.url === publicBaseUrl && entry.protocolBinding === "HTTP+JSON")) {
+        throw new Error("A2A public discovery bundle Agent Card does not match the public base URL.");
+    }
+    for (const signature of card.signatures) {
+        const protectedHeader = protectedHeaderJson(signature);
+        if (protectedHeader.jku !== publicJwksUrl) {
+            throw new Error("A2A public discovery bundle Agent Card signature JWKS URL does not match.");
+        }
+    }
+    return JSON.parse(JSON.stringify(card));
+}
+function parseManifest(json) {
+    const parsed = JSON.parse(json);
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+        throw new Error("A2A public discovery bundle manifest is invalid.");
+    }
+    if (containsSecretLikeField(parsed)) {
+        throw new Error("A2A public discovery bundle manifest must not contain private fields.");
+    }
+    return parsed;
+}
+function parseManifestFiles(value) {
+    if (!Array.isArray(value)) {
+        throw new Error("A2A public discovery bundle manifest files are invalid.");
+    }
+    const expectedPaths = new Set([A2A_AGENT_CARD_WELL_KNOWN_PATH, A2A_JWKS_WELL_KNOWN_PATH]);
+    const seenPaths = new Set();
+    const files = [];
+    for (const entry of value) {
+        if (!entry || typeof entry !== "object" || Array.isArray(entry)) {
+            throw new Error("A2A public discovery bundle manifest file entry is invalid.");
+        }
+        const path = entry.path;
+        const headers = entry.headers;
+        if (typeof path !== "string" || !expectedPaths.has(path) || seenPaths.has(path)) {
+            throw new Error("A2A public discovery bundle manifest contains an unexpected static file path.");
+        }
+        if (!headers || typeof headers !== "object" || Array.isArray(headers) || containsSecretLikeField(headers)) {
+            throw new Error("A2A public discovery bundle manifest headers are invalid.");
+        }
+        if (!Object.entries(headers).every(([key, nested]) => typeof key === "string" && typeof nested === "string")) {
+            throw new Error("A2A public discovery bundle manifest headers are invalid.");
+        }
+        seenPaths.add(path);
+        files.push({
+            path,
+            sourcePath: path,
+            headers: { ...headers },
+        });
+    }
+    if (seenPaths.size !== expectedPaths.size) {
+        throw new Error("A2A public discovery bundle manifest is missing required static file metadata.");
+    }
+    return files;
+}
+function assertContentType(path, headers) {
+    const contentType = headers["content-type"];
+    if (path === A2A_AGENT_CARD_WELL_KNOWN_PATH && typeof contentType === "string" && contentType.includes("application/a2a+json"))
+        return;
+    if (path === A2A_JWKS_WELL_KNOWN_PATH && typeof contentType === "string" && contentType.includes("application/jwk-set+json"))
+        return;
+    throw new Error("A2A public discovery bundle manifest has invalid content-type metadata.");
+}
+function sharedCacheControl(files) {
+    const values = files.map((file) => file.headers["cache-control"]).filter((value) => typeof value === "string" && value.trim() !== "");
+    if (values.length === 0)
+        return undefined;
+    const [first] = values;
+    return values.every((value) => value === first) ? first : undefined;
+}
+function sanitizeJwks(jwks) {
+    if (jwks.path !== A2A_JWKS_WELL_KNOWN_PATH) {
+        throw new Error("A2A public discovery bundle JWKS path must be canonical.");
+    }
+    if (jwks.status !== 200 || !Array.isArray(jwks.body.keys) || jwks.body.keys.length === 0) {
+        throw new Error("A2A public discovery bundle JWKS is invalid.");
+    }
+    if (containsSecretLikeField(jwks.body)) {
+        throw new Error("A2A public discovery bundle JWKS must not contain private key material.");
+    }
+    return jwks;
+}
+function signatureKeyIds(signatures) {
+    if (!signatures || signatures.length === 0) {
+        throw new Error("A2A public discovery bundle requires a signed Agent Card.");
+    }
+    return signatures.map((signature) => {
+        const kid = protectedHeaderJson(signature).kid;
+        if (typeof kid !== "string" || kid.trim() === "") {
+            throw new Error("A2A public discovery bundle signature key id is invalid.");
+        }
+        return kid;
+    });
+}
+function protectedHeaderJson(signature) {
+    try {
+        const parsed = JSON.parse(Buffer.from(signature.protected, "base64url").toString("utf8"));
+        if (parsed && typeof parsed === "object" && !Array.isArray(parsed))
+            return parsed;
+    }
+    catch {
+        // handled below
+    }
+    throw new Error("A2A public discovery bundle signature is malformed.");
+}
+function publicHttpsUrl(value, label) {
+    try {
+        const url = new URL(value);
+        if (url.protocol === "https:"
+            && url.hostname
+            && !url.username
+            && !url.password
+            && !url.search
+            && !url.hash
+            && !isUnsafePublicHost(url.hostname))
+            return url.toString();
+    }
+    catch {
+        // handled below
+    }
+    throw new Error(`${label} must be public HTTPS without credentials, query strings, or fragments.`);
+}
+function containsSecretLikeField(value) {
+    const stack = [value];
+    while (stack.length > 0) {
+        const current = stack.pop();
+        if (!current || typeof current !== "object")
+            continue;
+        for (const [key, nested] of Object.entries(current)) {
+            const normalized = key.toLowerCase();
+            if (normalized.includes("private")
+                || normalized.includes("secret")
+                || normalized.includes("token")
+                || normalized.includes("credential")
+                || normalized.includes("signer")
+                || normalized.includes("mnemonic")
+                || normalized.includes("seed")
+                || normalized === "d"
+                || normalized === "p"
+                || normalized === "q"
+                || normalized === "dp"
+                || normalized === "dq"
+                || normalized === "qi"
+                || normalized === "oth") {
+                return true;
+            }
+            if (nested && typeof nested === "object")
+                stack.push(nested);
+        }
+    }
+    return false;
+}
+function isUnsafePublicHost(hostname) {
+    const normalized = hostname.trim().toLowerCase();
+    if (normalized === "localhost" || normalized.endsWith(".localhost") || normalized.endsWith(".local"))
+        return true;
+    const ipVersion = isIP(normalized);
+    if (ipVersion === 4) {
+        const [first = 0, second = 0] = normalized.split(".").map((octet) => Number.parseInt(octet, 10));
+        return first === 0
+            || first === 10
+            || first === 127
+            || (first === 100 && second >= 64 && second <= 127)
+            || (first === 169 && second === 254)
+            || (first === 172 && second >= 16 && second <= 31)
+            || (first === 192 && second === 168)
+            || (first === 198 && (second === 18 || second === 19))
+            || first >= 224;
+    }
+    if (ipVersion === 6) {
+        return normalized === "::"
+            || normalized === "::1"
+            || normalized.startsWith("fc")
+            || normalized.startsWith("fd")
+            || normalized.startsWith("fe80:");
+    }
+    return false;
+}
+//# sourceMappingURL=a2aDiscoveryBundle.js.map

package/dist/a2aJwks.d.ts

@@ -0,0 +1,37 @@
+import type { JsonWebKey, KeyObject } from "node:crypto";
+export declare const A2A_JWKS_WELL_KNOWN_PATH: "/.well-known/jwks.json";
+export declare const A2A_JWKS_MEDIA_TYPE: "application/jwk-set+json";
+export interface A2APublicJwksKeyInput {
+    readonly keyId: string;
+    readonly publicKey?: KeyObject;
+    readonly jwk?: JsonWebKey;
+}
+export interface A2APublicJwksOptions {
+    readonly keys: readonly A2APublicJwksKeyInput[];
+    readonly cacheControl?: string;
+}
+export interface A2APublicJwksResponse {
+    readonly path: typeof A2A_JWKS_WELL_KNOWN_PATH;
+    readonly status: 200;
+    readonly headers: Record<string, string>;
+    readonly body: {
+        readonly keys: readonly JsonWebKey[];
+    };
+    readonly json: string;
+}
+export type A2APublicJwksErrorCode = "A2A_JWKS_NOT_FOUND" | "A2A_JWKS_METHOD_NOT_ALLOWED" | "A2A_JWKS_UNAVAILABLE";
+export interface A2APublicJwksErrorResponse {
+    readonly path: string;
+    readonly status: 404 | 405;
+    readonly headers: Record<string, string>;
+    readonly body?: undefined;
+    readonly json: string;
+}
+export type A2APublicJwksHandlerResponse = A2APublicJwksResponse | A2APublicJwksErrorResponse;
+export interface A2APublicJwksRequest {
+    readonly method?: string;
+    readonly path?: string;
+}
+export declare function createA2APublicJwksResponse(options: A2APublicJwksOptions): A2APublicJwksResponse;
+export declare function handleA2APublicJwksRequest(request: A2APublicJwksRequest, options: A2APublicJwksOptions): A2APublicJwksHandlerResponse;
+//# sourceMappingURL=a2aJwks.d.ts.map

package/dist/a2aJwks.js

@@ -0,0 +1,102 @@
+export const A2A_JWKS_WELL_KNOWN_PATH = "/.well-known/jwks.json";
+export const A2A_JWKS_MEDIA_TYPE = "application/jwk-set+json";
+const PRIVATE_JWK_FIELDS = new Set(["d", "p", "q", "dp", "dq", "qi", "oth"]);
+export function createA2APublicJwksResponse(options) {
+    if (options.keys.length === 0) {
+        throw new Error("A2A JWKS requires at least one public key.");
+    }
+    const keys = options.keys.map(sanitizePublicJwk);
+    const body = { keys };
+    return {
+        path: A2A_JWKS_WELL_KNOWN_PATH,
+        status: 200,
+        headers: successHeaders(options.cacheControl),
+        body,
+        json: `${JSON.stringify(body, null, 2)}\n`,
+    };
+}
+export function handleA2APublicJwksRequest(request, options) {
+    const path = normalizePath(request.path ?? A2A_JWKS_WELL_KNOWN_PATH);
+    if (path !== A2A_JWKS_WELL_KNOWN_PATH) {
+        return errorResponse(path, 404, "A2A_JWKS_NOT_FOUND", "A2A JWKS is not served at this path.");
+    }
+    const method = (request.method ?? "GET").trim().toUpperCase();
+    if (method !== "GET") {
+        return errorResponse(path, 405, "A2A_JWKS_METHOD_NOT_ALLOWED", "A2A JWKS only supports GET.", { allow: "GET" });
+    }
+    try {
+        return createA2APublicJwksResponse(options);
+    }
+    catch {
+        return errorResponse(path, 404, "A2A_JWKS_UNAVAILABLE", "A2A JWKS is unavailable.");
+    }
+}
+function sanitizePublicJwk(input) {
+    const keyId = input.keyId.trim();
+    if (keyId === "")
+        throw new Error("A2A JWKS key id is required.");
+    if (input.publicKey && input.jwk) {
+        throw new Error("A2A JWKS key input must provide either publicKey or jwk.");
+    }
+    if (!input.publicKey && !input.jwk) {
+        throw new Error("A2A JWKS key input requires public key material.");
+    }
+    if (input.publicKey && input.publicKey.type !== "public") {
+        throw new Error("A2A JWKS requires public key material.");
+    }
+    const jwk = input.publicKey
+        ? input.publicKey.export({ format: "jwk" })
+        : { ...input.jwk };
+    assertPublicJwk(jwk);
+    return {
+        ...jwk,
+        kid: keyId,
+        use: "sig",
+        alg: "EdDSA",
+    };
+}
+function assertPublicJwk(jwk) {
+    if (typeof jwk.kty !== "string" || jwk.kty.trim() === "") {
+        throw new Error("A2A JWKS key is missing public key metadata.");
+    }
+    for (const field of Object.keys(jwk)) {
+        if (field in jwk) {
+            const normalized = field.toLowerCase();
+            if (PRIVATE_JWK_FIELDS.has(field)
+                || normalized.includes("private")
+                || normalized.includes("secret")
+                || normalized.includes("token")
+                || normalized.includes("mnemonic")
+                || normalized.includes("seed")) {
+                throw new Error("A2A JWKS must not contain private key material.");
+            }
+        }
+    }
+}
+function successHeaders(cacheControl = "no-store") {
+    return {
+        "content-type": `${A2A_JWKS_MEDIA_TYPE}; charset=utf-8`,
+        "cache-control": cacheControl,
+    };
+}
+function errorResponse(path, status, code, message, headers = {}) {
+    return {
+        path,
+        status,
+        headers: {
+            "content-type": "application/json; charset=utf-8",
+            "cache-control": "no-store",
+            ...headers,
+        },
+        json: `${JSON.stringify({ error: { code, message } })}\n`,
+    };
+}
+function normalizePath(path) {
+    try {
+        return new URL(path, "https://agent.local").pathname;
+    }
+    catch {
+        return path;
+    }
+}
+//# sourceMappingURL=a2aJwks.js.map

package/dist/a2aWellKnown.d.ts

@@ -0,0 +1,28 @@
+import { A2A_AGENT_CARD_WELL_KNOWN_PATH, type A2AAgentCard, type A2AAgentCardErrorCode, type CreateA2AAgentCardOptions } from "./a2aCard.js";
+export declare const A2A_AGENT_CARD_MEDIA_TYPE: "application/a2a+json";
+export type A2AWellKnownErrorCode = A2AAgentCardErrorCode | "A2A_WELL_KNOWN_NOT_FOUND" | "A2A_WELL_KNOWN_METHOD_NOT_ALLOWED" | "A2A_AGENT_CARD_UNAVAILABLE";
+export interface A2AAgentCardWellKnownResponse {
+    readonly path: typeof A2A_AGENT_CARD_WELL_KNOWN_PATH;
+    readonly status: 200;
+    readonly headers: Record<string, string>;
+    readonly body: A2AAgentCard;
+    readonly json: string;
+}
+export interface A2AWellKnownErrorResponse {
+    readonly path: string;
+    readonly status: 404 | 405 | 410;
+    readonly headers: Record<string, string>;
+    readonly body?: undefined;
+    readonly json: string;
+}
+export type A2AWellKnownResponse = A2AAgentCardWellKnownResponse | A2AWellKnownErrorResponse;
+export interface A2AWellKnownRequest {
+    readonly method?: string;
+    readonly path?: string;
+}
+export interface A2AAgentCardWellKnownOptions extends CreateA2AAgentCardOptions {
+    readonly cacheControl?: string;
+}
+export declare function createA2AAgentCardWellKnownResponse(profile: unknown, options?: A2AAgentCardWellKnownOptions): A2AAgentCardWellKnownResponse;
+export declare function handleA2AAgentCardWellKnownRequest(request: A2AWellKnownRequest, profile: unknown, options?: A2AAgentCardWellKnownOptions): A2AWellKnownResponse;
+//# sourceMappingURL=a2aWellKnown.d.ts.map

package/dist/a2aWellKnown.js

@@ -0,0 +1,58 @@
+import { A2A_AGENT_CARD_WELL_KNOWN_PATH, A2AAgentCardError, createA2AAgentCardFromProfile, } from "./a2aCard.js";
+export const A2A_AGENT_CARD_MEDIA_TYPE = "application/a2a+json";
+export function createA2AAgentCardWellKnownResponse(profile, options = {}) {
+    const body = createA2AAgentCardFromProfile(profile, options);
+    return {
+        path: A2A_AGENT_CARD_WELL_KNOWN_PATH,
+        status: 200,
+        headers: successHeaders(options.cacheControl),
+        body,
+        json: `${JSON.stringify(body, null, 2)}\n`,
+    };
+}
+export function handleA2AAgentCardWellKnownRequest(request, profile, options = {}) {
+    const path = normalizePath(request.path ?? A2A_AGENT_CARD_WELL_KNOWN_PATH);
+    if (path !== A2A_AGENT_CARD_WELL_KNOWN_PATH) {
+        return errorResponse(path, 404, "A2A_WELL_KNOWN_NOT_FOUND", "A2A Agent Card is not served at this path.");
+    }
+    const method = (request.method ?? "GET").trim().toUpperCase();
+    if (method !== "GET") {
+        return errorResponse(path, 405, "A2A_WELL_KNOWN_METHOD_NOT_ALLOWED", "A2A Agent Card discovery only supports GET.", { allow: "GET" });
+    }
+    try {
+        return createA2AAgentCardWellKnownResponse(profile, options);
+    }
+    catch (error) {
+        if (error instanceof A2AAgentCardError) {
+            return errorResponse(path, error.code === "PROFILE_REVOKED" || error.code === "PROFILE_EXPIRED" ? 410 : 404, error.code, "A2A Agent Card is unavailable.");
+        }
+        return errorResponse(path, 404, "A2A_AGENT_CARD_UNAVAILABLE", "A2A Agent Card is unavailable.");
+    }
+}
+function successHeaders(cacheControl = "no-store") {
+    return {
+        "content-type": `${A2A_AGENT_CARD_MEDIA_TYPE}; charset=utf-8`,
+        "cache-control": cacheControl,
+    };
+}
+function errorResponse(path, status, code, message, headers = {}) {
+    return {
+        path,
+        status,
+        headers: {
+            "content-type": "application/json; charset=utf-8",
+            "cache-control": "no-store",
+            ...headers,
+        },
+        json: `${JSON.stringify({ error: { code, message } })}\n`,
+    };
+}
+function normalizePath(path) {
+    try {
+        return new URL(path, "https://agent.local").pathname;
+    }
+    catch {
+        return path;
+    }
+}
+//# sourceMappingURL=a2aWellKnown.js.map

package/dist/index.d.ts

@@ -0,0 +1,9 @@
+export * from "./profileSchema.js";
+export * from "./resolveAgent.js";
+export * from "./iotaIdentityAdapter.js";
+export * from "./iotaNamesAdapter.js";
+export * from "./a2aCard.js";
+export * from "./a2aWellKnown.js";
+export * from "./a2aJwks.js";
+export * from "./a2aDiscoveryBundle.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.js

@@ -0,0 +1,9 @@
+export * from "./profileSchema.js";
+export * from "./resolveAgent.js";
+export * from "./iotaIdentityAdapter.js";
+export * from "./iotaNamesAdapter.js";
+export * from "./a2aCard.js";
+export * from "./a2aWellKnown.js";
+export * from "./a2aJwks.js";
+export * from "./a2aDiscoveryBundle.js";
+//# sourceMappingURL=index.js.map

package/dist/iotaIdentityAdapter.d.ts

@@ -0,0 +1,92 @@
+import type { AgentProfile } from "./profileSchema.js";
+import type { AgentResolver } from "./resolveAgent.js";
+export type IotaIdentityVerificationErrorCode = "PROFILE_UNVERIFIABLE" | "PROFILE_REVOKED" | "PROFILE_EXPIRED";
+export interface IotaIdentityVerificationError {
+    readonly code: IotaIdentityVerificationErrorCode;
+    readonly message: string;
+}
+export type IotaIdentityVerificationResult = {
+    readonly ok: true;
+    readonly agentDidDocument: unknown;
+    readonly ownerDidDocument: unknown;
+    readonly credentialRefsChecked: readonly string[];
+} | {
+    readonly ok: false;
+    readonly error: IotaIdentityVerificationError;
+};
+export type IotaIdentityVerificationCacheEntry = Extract<IotaIdentityVerificationResult, {
+    ok: true;
+}> & {
+    readonly cachedAt: string;
+    readonly expiresAt: string;
+};
+export interface IotaIdentityVerificationCache {
+    readonly get: (key: string) => IotaIdentityVerificationCacheEntry | undefined;
+    readonly set: (key: string, entry: IotaIdentityVerificationCacheEntry) => void;
+    readonly delete?: (key: string) => void;
+}
+export declare function createInMemoryIotaIdentityVerificationCache(): IotaIdentityVerificationCache;
+export interface IotaIdentityDidResolver {
+    /**
+     * Matches the current IOTA Identity read surfaces:
+     * IdentityClientReadOnly/IdentityClient expose resolveDid, while Resolver exposes
+     * resolve. Keep both dependency-injected so tests do not require live IOTA.
+     */
+    readonly resolveDid?: (did: string) => Promise<unknown>;
+    readonly resolve?: (did: string) => Promise<unknown>;
+}
+export interface IotaIdentityCredentialValidationContext {
+    readonly profile: AgentProfile;
+    readonly agentDidDocument: unknown;
+    readonly ownerDidDocument: unknown;
+}
+export type IotaIdentityCredentialValidationResult = {
+    readonly ok: true;
+    readonly evidence?: IotaIdentityCredentialEvidence;
+} | {
+    readonly ok: false;
+    readonly code: "CREDENTIAL_REVOKED" | "CREDENTIAL_EXPIRED" | "CREDENTIAL_UNVERIFIABLE";
+    readonly message: string;
+};
+export interface IotaIdentityCredentialEvidence {
+    readonly issuerDid: string;
+    readonly verificationMethod: string;
+    readonly credentialTypes?: readonly string[];
+    readonly credentialStatus?: IotaIdentityCredentialStatusEvidence;
+    readonly issuedAt?: string;
+    readonly expiresAt?: string;
+}
+export interface IotaIdentityCredentialStatusEvidence {
+    readonly id?: string;
+    readonly type: string;
+    readonly revoked?: boolean;
+}
+export interface IotaIdentityVcTrustPolicy {
+    readonly trustedIssuerDids: readonly string[];
+    readonly allowedVerificationMethods: readonly string[];
+    readonly requiredCredentialTypes?: readonly string[];
+    readonly acceptedCredentialStatusTypes?: readonly string[];
+    readonly requireCredentialStatus?: boolean;
+    readonly maxCredentialAgeMs?: number;
+}
+export interface IotaIdentityCredentialValidator {
+    /**
+     * Adapter boundary for the current IOTA Identity JWT credential validator.
+     * Concrete live implementations should resolve the issuer DID Document and use
+     * the official validator; local tests only need this deterministic interface.
+     */
+    readonly validateCredentialRef: (credentialRef: string, context: IotaIdentityCredentialValidationContext) => Promise<IotaIdentityCredentialValidationResult>;
+}
+export interface IotaIdentityVerificationOptions {
+    readonly didResolver: IotaIdentityDidResolver;
+    readonly credentialValidator?: IotaIdentityCredentialValidator;
+    readonly trustPolicy?: IotaIdentityVcTrustPolicy;
+    readonly verificationCache?: IotaIdentityVerificationCache;
+    readonly cacheTtlMs?: number;
+    readonly forceRefresh?: boolean;
+    readonly now?: () => Date;
+}
+export declare function createIotaIdentityVerifiedResolver(baseResolver: AgentResolver, options: IotaIdentityVerificationOptions): AgentResolver;
+export declare function verifyAgentProfileIdentity(profile: AgentProfile, options: IotaIdentityVerificationOptions): Promise<IotaIdentityVerificationResult>;
+export declare function evaluateIotaIdentityCredentialTrustPolicy(evidence: IotaIdentityCredentialEvidence | undefined, policy: IotaIdentityVcTrustPolicy | undefined, now?: Date): IotaIdentityCredentialValidationResult;
+//# sourceMappingURL=iotaIdentityAdapter.d.ts.map