npm - @vess-id/ai-identity - Versions diffs - 0.0.1 - Mend

@vess-id/ai-identity 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.js ADDED Viewed

@@ -0,0 +1,4573 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __reExport = (target, mod, secondTarget) => (__copyProps(target, mod, "default"), secondTarget && __copyProps(secondTarget, mod, "default"));
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  ACTION_REGISTRY: () => ACTION_REGISTRY,
+  AIdentityClient: () => AIdentityClient,
+  APIVCManager: () => APIVCManager,
+  AgentDIDManager: () => AgentDIDManager,
+  AgentManager: () => AgentManager,
+  AllowAllAbac: () => AllowAllAbac,
+  ConstraintEvaluator: () => ConstraintEvaluator,
+  DisclosureConfigManager: () => DisclosureConfigManager,
+  DummyCreds: () => DummyCreds,
+  DummyVpVerifier: () => DummyVpVerifier,
+  FilesystemKeyStorage: () => FilesystemKeyStorage,
+  KeyManager: () => KeyManager,
+  KeyRotationManager: () => KeyRotationManager,
+  MemoryKeyStorage: () => MemoryKeyStorage,
+  MemoryManager: () => MemoryManager,
+  MetricsManager: () => MetricsManager,
+  RevocationManager: () => RevocationManager,
+  SDJwtClient: () => SDJwtClient,
+  SimpleRebac: () => SimpleRebac,
+  ToolManager: () => ToolManager,
+  UserIdentityManager: () => UserIdentityManager,
+  VCManager: () => VCManager,
+  VPManager: () => VPManager,
+  checkPermissionWithVP: () => checkPermissionWithVP,
+  configure: () => configure,
+  createAjv: () => createAjv,
+  defaultConstraintEvaluator: () => defaultConstraintEvaluator,
+  evaluateConstraints: () => evaluateConstraints,
+  generateKeyPair: () => generateKeyPair,
+  generateNonce: () => generateNonce,
+  getClient: () => getClient,
+  getRequiredRelations: () => getRequiredRelations,
+  getRequiredScopes: () => getRequiredScopes,
+  indexActions: () => indexActions,
+  indexCapabilities: () => indexCapabilities,
+  loadActionRegistryFromFile: () => loadActionRegistryFromFile,
+  loadActionRegistryFromObject: () => loadActionRegistryFromObject,
+  planDelegationForVC: () => planDelegationForVC,
+  resolveActionsFromSelection: () => resolveActionsFromSelection,
+  signJWT: () => signJWT,
+  validateRegistryObject: () => validateRegistryObject,
+  verifyJWT: () => verifyJWT,
+  version: () => version
+});
+module.exports = __toCommonJS(index_exports);
+// src/client.ts
+var client_exports = {};
+__export(client_exports, {
+  AIdentityClient: () => AIdentityClient,
+  configure: () => configure,
+  getClient: () => getClient
+});
+// src/config/index.ts
+var globalConfig = {};
+function configure(config) {
+  globalConfig = { ...globalConfig, ...config };
+}
+function getConfig() {
+  return globalConfig;
+}
+function getDidApiUrl(path3) {
+  const baseUrl = globalConfig.didApi?.baseUrl || process.env.DID_API_BASE_URL;
+  if (!baseUrl) {
+    throw new Error("DID API base URL not configured");
+  }
+  return `${baseUrl}${path3}`;
+}
+function getIssuerApiUrl(path3) {
+  const baseUrl = globalConfig.issuerApi?.baseUrl || process.env.ISSUER_API_BASE_URL;
+  if (!baseUrl) {
+    throw new Error("Issuer API base URL not configured");
+  }
+  return `${baseUrl}${path3}`;
+}
+function getVerifierApiUrl(path3) {
+  const baseUrl = globalConfig.verifierApi?.baseUrl || process.env.VERIFIER_API_BASE_URL;
+  if (!baseUrl) {
+    throw new Error("Verifier API base URL not configured");
+  }
+  return `${baseUrl}${path3}`;
+}
+function getApiHeaders(apiType) {
+  const headers = {
+    "Content-Type": "application/json"
+  };
+  let apiKey;
+  let bearerToken;
+  switch (apiType) {
+    case "did":
+      apiKey = globalConfig.didApi?.apiKey || process.env.DID_API_KEY;
+      bearerToken = globalConfig.didApi?.bearerToken;
+      break;
+    case "issuer":
+      apiKey = globalConfig.issuerApi?.apiKey || process.env.ISSUER_API_KEY;
+      bearerToken = globalConfig.issuerApi?.bearerToken;
+      break;
+    case "verifier":
+      apiKey = globalConfig.verifierApi?.apiKey || process.env.VERIFIER_API_KEY;
+      bearerToken = globalConfig.verifierApi?.bearerToken;
+      break;
+  }
+  if (apiKey) {
+    headers["x-api-key"] = apiKey;
+  }
+  if (bearerToken) {
+    headers["Authorization"] = `Bearer ${bearerToken}`;
+  }
+  return headers;
+}
+// src/did/key-manager.ts
+var crypto = __toESM(require("crypto"));
+// src/storage/filesystem-key-storage.ts
+var fs = __toESM(require("fs/promises"));
+var path = __toESM(require("path"));
+var os = __toESM(require("os"));
+var FilesystemKeyStorage = class {
+  keyStorePath;
+  constructor(config) {
+    this.keyStorePath = config?.options?.path || path.join(os.homedir(), ".vess", "keys");
+  }
+  async store(id, encryptedKey) {
+    await this.ensureKeyStoreExists();
+    const keyPath = this.getKeyPath(id);
+    await fs.writeFile(keyPath, encryptedKey, "utf-8");
+  }
+  async retrieve(id) {
+    const keyPath = this.getKeyPath(id);
+    try {
+      return await fs.readFile(keyPath, "utf-8");
+    } catch (error) {
+      if (error.code === "ENOENT") {
+        return null;
+      }
+      throw error;
+    }
+  }
+  async delete(id) {
+    const keyPath = this.getKeyPath(id);
+    try {
+      await fs.unlink(keyPath);
+    } catch (error) {
+      if (error.code !== "ENOENT") {
+        throw error;
+      }
+    }
+  }
+  async list() {
+    await this.ensureKeyStoreExists();
+    const files = await fs.readdir(this.keyStorePath);
+    return files.filter((f) => f.endsWith(".key")).map((f) => f.replace(".key", ""));
+  }
+  async isAvailable() {
+    try {
+      await this.ensureKeyStoreExists();
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  async ensureKeyStoreExists() {
+    try {
+      await fs.access(this.keyStorePath);
+    } catch {
+      await fs.mkdir(this.keyStorePath, { recursive: true });
+    }
+  }
+  getKeyPath(id) {
+    return path.join(this.keyStorePath, `${id}.key`);
+  }
+};
+// src/storage/memory-key-storage.ts
+var MemoryKeyStorage = class {
+  keys = /* @__PURE__ */ new Map();
+  async store(id, encryptedKey) {
+    this.keys.set(id, encryptedKey);
+  }
+  async retrieve(id) {
+    return this.keys.get(id) || null;
+  }
+  async delete(id) {
+    this.keys.delete(id);
+  }
+  async list() {
+    return Array.from(this.keys.keys());
+  }
+  async isAvailable() {
+    return true;
+  }
+  /**
+   * Clear all stored keys (for testing)
+   */
+  clear() {
+    this.keys.clear();
+  }
+};
+// src/did/key-manager.ts
+var KeyManager = class {
+  encryptionKey;
+  storageProvider;
+  constructor(password, storageProvider) {
+    if (password) {
+      this.encryptionKey = crypto.scryptSync(password, "aidentity-salt", 32);
+    }
+    this.storageProvider = storageProvider || this.createDefaultStorageProvider();
+  }
+  createDefaultStorageProvider() {
+    const config = getConfig();
+    return new FilesystemKeyStorage({
+      type: "filesystem",
+      options: {
+        path: config.storage?.keyStorePath
+      }
+    });
+  }
+  async storeKey(did, privateKey) {
+    const keyData = JSON.stringify(privateKey);
+    const encrypted = this.encrypt(keyData);
+    await this.storageProvider.store(did, encrypted);
+  }
+  async getKey(did) {
+    const encrypted = await this.storageProvider.retrieve(did);
+    if (!encrypted) {
+      return null;
+    }
+    const decrypted = this.decrypt(encrypted);
+    return JSON.parse(decrypted);
+  }
+  async deleteKey(did) {
+    await this.storageProvider.delete(did);
+  }
+  async listDids() {
+    const keyIds = await this.storageProvider.list();
+    return keyIds.map((keyId) => this.didFromKeyId(keyId));
+  }
+  /**
+   * Check if storage is available
+   */
+  async isAvailable() {
+    return this.storageProvider.isAvailable();
+  }
+  // private getKeyId(did: string): string {
+  //   // Use SHA256 hash to create short, storage-safe identifier
+  //   return crypto.createHash('sha256').update(did).digest('hex').substring(0, 16)
+  // }
+  didFromKeyId(keyId) {
+    return keyId;
+  }
+  encrypt(data) {
+    if (!this.encryptionKey) {
+      return Buffer.from(data).toString("base64");
+    }
+    const iv = crypto.randomBytes(16);
+    const cipher = crypto.createCipheriv("aes-256-gcm", this.encryptionKey, iv);
+    let encrypted = cipher.update(data, "utf8", "base64");
+    encrypted += cipher.final("base64");
+    const authTag = cipher.getAuthTag();
+    const combined = Buffer.concat([iv, authTag, Buffer.from(encrypted, "base64")]);
+    return combined.toString("base64");
+  }
+  decrypt(encrypted) {
+    if (!this.encryptionKey) {
+      return Buffer.from(encrypted, "base64").toString("utf-8");
+    }
+    const combined = Buffer.from(encrypted, "base64");
+    const iv = combined.subarray(0, 16);
+    const authTag = combined.subarray(16, 32);
+    const encryptedData = combined.subarray(32);
+    const decipher = crypto.createDecipheriv("aes-256-gcm", this.encryptionKey, iv);
+    decipher.setAuthTag(authTag);
+    let decrypted = decipher.update(encryptedData, void 0, "utf8");
+    decrypted += decipher.final("utf8");
+    return decrypted;
+  }
+};
+// src/utils/sdjwt-client.ts
+var import_sd_jwt_vc = require("@sd-jwt/sd-jwt-vc");
+var import_crypto_nodejs = require("@sd-jwt/crypto-nodejs");
+// src/utils/crypto.ts
+var jose = __toESM(require("jose"));
+var import_uuid = require("uuid");
+var import_node_crypto = require("crypto");
+async function generateKeyPair() {
+  const keyPair = await import_node_crypto.subtle.generateKey(
+    {
+      name: "ECDSA",
+      namedCurve: "P-256"
+    },
+    true,
+    // extractable
+    ["sign", "verify"]
+  );
+  const publicJwk = await import_node_crypto.subtle.exportKey("jwk", keyPair.publicKey);
+  const privateJwk = await import_node_crypto.subtle.exportKey("jwk", keyPair.privateKey);
+  const kid = (0, import_uuid.v4)();
+  publicJwk.kid = kid;
+  privateJwk.kid = kid;
+  publicJwk.alg = "ES256";
+  privateJwk.alg = "ES256";
+  return {
+    publicKey: publicJwk,
+    privateKey: privateJwk
+  };
+}
+async function signJWT(payload, privateKey, options) {
+  const alg = privateKey.alg || "ES256";
+  const key = await jose.importJWK(privateKey, alg);
+  const jwt = new jose.SignJWT(payload).setProtectedHeader({ alg, kid: privateKey.kid }).setIssuedAt().setJti(options?.jti ?? (0, import_uuid.v4)());
+  if (options?.issuer) jwt.setIssuer(options.issuer);
+  if (options?.audience) jwt.setAudience(options.audience);
+  if (options?.expiresIn) jwt.setExpirationTime(options.expiresIn);
+  if (options?.notBefore) jwt.setNotBefore(options.notBefore);
+  if (options?.subject) jwt.setSubject(options.subject);
+  return await jwt.sign(key);
+}
+async function verifyJWT(jwt, publicKey, options) {
+  const alg = publicKey.alg || "ES256";
+  const key = await jose.importJWK(publicKey, alg);
+  const verifyOptions = {};
+  if (options?.issuer) verifyOptions.issuer = options.issuer;
+  if (options?.audience) verifyOptions.audience = options.audience;
+  const { payload } = await jose.jwtVerify(jwt, key, verifyOptions);
+  return payload;
+}
+function generateNonce() {
+  return (0, import_uuid.v4)();
+}
+async function getSigner(privateKey) {
+  try {
+    const key = await import_node_crypto.subtle.importKey(
+      "jwk",
+      privateKey,
+      {
+        name: "ECDSA",
+        namedCurve: "P-256"
+      },
+      true,
+      ["sign"]
+    );
+    return async (data) => {
+      const encoder = new TextEncoder();
+      const signature = await import_node_crypto.subtle.sign(
+        {
+          name: "ECDSA",
+          hash: { name: "SHA-256" }
+        },
+        key,
+        encoder.encode(data)
+      );
+      const result = btoa(String.fromCharCode(...new Uint8Array(signature))).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+      return result;
+    };
+  } catch (error) {
+    console.error("Error in getSigner:", error instanceof Error ? error.message : "Unknown error");
+    console.error("Key algorithm:", privateKey?.alg || "unknown");
+    console.error("Key type:", privateKey?.kty || "unknown");
+    throw error;
+  }
+}
+async function getVerifier(publicKey) {
+  const key = await import_node_crypto.subtle.importKey(
+    "jwk",
+    publicKey,
+    {
+      name: "ECDSA",
+      namedCurve: "P-256"
+    },
+    true,
+    ["verify"]
+  );
+  return async (data, signatureBase64url) => {
+    const encoder = new TextEncoder();
+    const signature = Uint8Array.from(
+      atob(signatureBase64url.replace(/-/g, "+").replace(/_/g, "/")),
+      (c) => c.charCodeAt(0)
+    );
+    const isValid = await import_node_crypto.subtle.verify(
+      {
+        name: "ECDSA",
+        hash: { name: "SHA-256" }
+      },
+      key,
+      signature,
+      encoder.encode(data)
+    );
+    return isValid;
+  };
+}
+// src/utils/sdjwt-client.ts
+var SDJwtClient = class {
+  static instances = /* @__PURE__ */ new Map();
+  static keyManager;
+  static signerCache = /* @__PURE__ */ new Map();
+  static verifierCache = /* @__PURE__ */ new Map();
+  constructor() {
+  }
+  /**
+   * Initialize with KeyManager for DID-based key management
+   */
+  static setKeyManager(keyManager) {
+    this.keyManager = keyManager;
+  }
+  /**
+   * Get SDJwtVcInstance for issuer role (VC issuance)
+   */
+  static async getIssuerInstance(issuerDid) {
+    const cacheKey = `${issuerDid}:issuer`;
+    if (!this.instances.has(cacheKey)) {
+      const instance = await this.createInstance(issuerDid, "issuer");
+      this.instances.set(cacheKey, instance);
+    }
+    return this.instances.get(cacheKey);
+  }
+  /**
+   * Get SDJwtVcInstance for holder role (VP presentation)
+   */
+  static async getHolderInstance(holderDid) {
+    const cacheKey = `${holderDid}:holder`;
+    if (!this.instances.has(cacheKey)) {
+      const instance = await this.createInstance(holderDid, "holder");
+      this.instances.set(cacheKey, instance);
+    }
+    return this.instances.get(cacheKey);
+  }
+  /**
+   * Get SDJwtVcInstance with specified role (backward compatibility)
+   */
+  static async getSDJwtInstance(did, options) {
+    const role = options?.role || "issuer";
+    return role === "holder" ? this.getHolderInstance(did) : this.getIssuerInstance(did);
+  }
+  /**
+   * Create a new SDJwtVcInstance with DID-based keys and role
+   */
+  static async createInstance(did, role) {
+    if (!this.keyManager) {
+      this.keyManager = new KeyManager();
+    }
+    const privateKey = await this.keyManager.getKey(did);
+    if (!privateKey) {
+      throw new Error(`Private key not found for ${role}: ${did}`);
+    }
+    try {
+      const signerCacheKey = `signer:${did}`;
+      const verifierCacheKey = `verifier:${did}`;
+      let signer = this.signerCache.get(signerCacheKey);
+      let verifier = this.verifierCache.get(verifierCacheKey);
+      if (!signer) {
+        signer = await getSigner(privateKey);
+        this.signerCache.set(signerCacheKey, signer);
+      }
+      if (!verifier) {
+        const { d, key_ops, ...publicKey } = privateKey;
+        const publicKeyForVerifier = {
+          ...publicKey,
+          key_ops: ["verify"]
+          // Set correct key operations for verifier
+        };
+        verifier = await getVerifier(publicKeyForVerifier);
+        this.verifierCache.set(verifierCacheKey, verifier);
+      }
+      const config = {
+        signer,
+        verifier,
+        signAlg: import_crypto_nodejs.ES256.alg,
+        hasher: import_crypto_nodejs.digest,
+        hashAlg: "sha-256",
+        saltGenerator: import_crypto_nodejs.generateSalt
+      };
+      if (role === "holder") {
+        config.kbSigner = signer;
+        config.kbSignAlg = import_crypto_nodejs.ES256.alg;
+      }
+      return new import_sd_jwt_vc.SDJwtVcInstance(config);
+    } catch (error) {
+      console.error("\u274C Error creating SDJwtVcInstance:", error);
+      throw error;
+    }
+  }
+  /**
+   * Create disclosure frame for selective disclosure
+   */
+  static createDisclosureFrame(claims, selectivelyDisclosable = []) {
+    const frame = {};
+    const existingDisclosableFields = selectivelyDisclosable.filter(
+      (field) => claims.hasOwnProperty(field)
+    );
+    if (existingDisclosableFields.length > 0) {
+      frame._sd = existingDisclosableFields;
+      frame._sd_decoy = Math.max(0, Math.floor(existingDisclosableFields.length * 0.1));
+    }
+    for (const [key, value] of Object.entries(claims)) {
+      if (typeof value === "object" && value !== null && !Array.isArray(value)) {
+        const nestedKeys = Object.keys(value);
+        const nestedFrame = this.createDisclosureFrame(
+          value,
+          nestedKeys
+          // Make all nested fields disclosable
+        );
+        frame[key] = nestedFrame;
+      }
+    }
+    return frame;
+  }
+  /**
+   * Issue an SD-JWT with selective disclosure
+   */
+  static async issueSDJWT(payload, _privateKey, selectiveDisclosureFields = []) {
+    const issuerDid = payload.iss || "unknown";
+    const sdjwtInstance = await this.getIssuerInstance(issuerDid);
+    const vcPayload = {
+      vct: "IdentityCredential",
+      // Default VC type
+      ...payload
+    };
+    const disclosureFrame = this.createDisclosureFrame(vcPayload, selectiveDisclosureFields);
+    return await sdjwtInstance.issue(vcPayload, disclosureFrame);
+  }
+  /**
+   * Verify an SD-JWT
+   */
+  static async verifySDJWT(credential) {
+    try {
+      const parts = credential.split("~");
+      if (parts.length === 0) {
+        return { valid: false, error: "Invalid SD-JWT format" };
+      }
+      const jwt = parts[0];
+      const jwtParts = jwt.split(".");
+      if (jwtParts.length !== 3) {
+        return { valid: false, error: "Invalid JWT format in SD-JWT" };
+      }
+      const payload = JSON.parse(Buffer.from(jwtParts[1], "base64url").toString());
+      const issuerDid = payload.iss;
+      if (!issuerDid) {
+        return { valid: false, error: "Issuer DID not found in SD-JWT" };
+      }
+      const sdjwtInstance = await this.getIssuerInstance(issuerDid);
+      const verificationResult = await sdjwtInstance.verify(credential);
+      const claims = await sdjwtInstance.getClaims(credential);
+      return {
+        valid: true,
+        payload: {
+          ...verificationResult.payload,
+          claims
+        }
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        error: error.message
+      };
+    }
+  }
+  /**
+   * Legacy methods for backward compatibility
+   */
+  static async createSignerVerifier() {
+    const { privateKey, publicKey } = await this.generateKeyPair();
+    return {
+      signer: await getSigner(privateKey),
+      verifier: await getVerifier(publicKey)
+    };
+  }
+  static async generateKeyPair() {
+    return await generateKeyPair();
+  }
+  /**
+   * Clear caches for optimization
+   */
+  static clearCaches() {
+    this.instances.clear();
+    this.signerCache.clear();
+    this.verifierCache.clear();
+  }
+  /**
+   * Clear cache for specific issuer
+   */
+  static clearIssuerCache(issuerDid) {
+    this.instances.delete(issuerDid);
+    this.signerCache.delete(`signer:${issuerDid}`);
+    this.verifierCache.delete(`verifier:${issuerDid}`);
+  }
+  /**
+   * Get cache statistics
+   */
+  static getCacheStats() {
+    return {
+      instanceCount: this.instances.size,
+      signerCount: this.signerCache.size,
+      verifierCount: this.verifierCache.size
+    };
+  }
+};
+// src/agent/agent-did-manager.ts
+var AgentDIDManager = class {
+  keyManager;
+  agentDIDMap = /* @__PURE__ */ new Map();
+  // agentId -> DID mapping
+  constructor(keyManager) {
+    this.keyManager = keyManager || new KeyManager();
+  }
+  /**
+   * Generate a new DID for an AI Agent
+   */
+  async generateAgentDID(agentId) {
+    const keyPair = await SDJwtClient.generateKeyPair();
+    const did = this.createDidJwk(keyPair.publicKey);
+    await this.keyManager.storeKey(did, keyPair.privateKey);
+    this.agentDIDMap.set(agentId, did);
+    await this.saveAgentDIDMapping(agentId, did);
+    return did;
+  }
+  /**
+   * Get DID for a specific agent
+   */
+  async getAgentDID(agentId) {
+    if (this.agentDIDMap.has(agentId)) {
+      return this.agentDIDMap.get(agentId);
+    }
+    const did = await this.loadAgentDIDMapping(agentId);
+    if (did) {
+      this.agentDIDMap.set(agentId, did);
+      return did;
+    }
+    throw new Error(`No DID found for agent: ${agentId}`);
+  }
+  /**
+   * Check if agent has a DID
+   */
+  async hasAgentDID(agentId) {
+    try {
+      await this.getAgentDID(agentId);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Get agent's key pair
+   */
+  async getAgentKeyPair(agentId) {
+    const did = await this.getAgentDID(agentId);
+    const privateKey = await this.keyManager.getKey(did);
+    if (!privateKey) {
+      throw new Error(`Private key not found for agent: ${agentId}`);
+    }
+    return {
+      privateKey,
+      publicKey: this.extractPublicKey(privateKey)
+    };
+  }
+  /**
+   * Delete agent DID and associated keys
+   */
+  async deleteAgentDID(agentId) {
+    try {
+      const did = await this.getAgentDID(agentId);
+      await this.keyManager.deleteKey(did);
+      this.agentDIDMap.delete(agentId);
+      await this.deleteAgentDIDMapping(agentId);
+    } catch (error) {
+      throw new Error(`Failed to delete agent DID: ${error}`);
+    }
+  }
+  /**
+   * List all agent DIDs
+   */
+  async listAgentDIDs() {
+    const fs3 = await import("fs/promises");
+    const path3 = await import("path");
+    const os2 = await import("os");
+    const mappingDir = path3.join(os2.homedir(), ".vess", "agent-dids");
+    try {
+      const files = await fs3.readdir(mappingDir);
+      const results = [];
+      for (const file of files) {
+        if (file.endsWith(".did")) {
+          const agentId = file.replace(".did", "");
+          try {
+            const did = await this.getAgentDID(agentId);
+            results.push({ agentId, did });
+          } catch {
+          }
+        }
+      }
+      return results;
+    } catch {
+      return [];
+    }
+  }
+  /**
+   * Create did:jwk from public key
+   */
+  createDidJwk(publicKey) {
+    const publicJwk = {
+      kty: publicKey.kty,
+      crv: publicKey.crv,
+      x: publicKey.x,
+      y: publicKey.y,
+      use: publicKey.use,
+      alg: publicKey.alg
+    };
+    const encoded = Buffer.from(JSON.stringify(publicJwk)).toString("base64url");
+    return `did:jwk:${encoded}`;
+  }
+  /**
+   * Extract public key from private key
+   */
+  extractPublicKey(privateKey) {
+    const { d, key_ops, ...publicKey } = privateKey;
+    return {
+      ...publicKey
+      // Remove key_ops for public key
+    };
+  }
+  /**
+   * Save agent ID -> DID mapping to persistent storage
+   */
+  async saveAgentDIDMapping(agentId, did) {
+    const fs3 = await import("fs/promises");
+    const path3 = await import("path");
+    const os2 = await import("os");
+    const mappingDir = path3.join(os2.homedir(), ".vess", "agent-dids");
+    await fs3.mkdir(mappingDir, { recursive: true });
+    const mappingFile = path3.join(mappingDir, `${agentId}.did`);
+    await fs3.writeFile(mappingFile, did, "utf-8");
+  }
+  /**
+   * Load agent ID -> DID mapping from persistent storage
+   */
+  async loadAgentDIDMapping(agentId) {
+    const fs3 = await import("fs/promises");
+    const path3 = await import("path");
+    const os2 = await import("os");
+    const mappingFile = path3.join(os2.homedir(), ".vess", "agent-dids", `${agentId}.did`);
+    try {
+      return await fs3.readFile(mappingFile, "utf-8");
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Delete agent ID -> DID mapping from persistent storage
+   */
+  async deleteAgentDIDMapping(agentId) {
+    const fs3 = await import("fs/promises");
+    const path3 = await import("path");
+    const os2 = await import("os");
+    const mappingFile = path3.join(os2.homedir(), ".vess", "agent-dids", `${agentId}.did`);
+    try {
+      await fs3.unlink(mappingFile);
+    } catch {
+    }
+  }
+};
+// src/did/agent.ts
+var import_uuid2 = require("uuid");
+var AgentManager = class {
+  keyManager;
+  agentDIDManager;
+  constructor(keyManager) {
+    this.keyManager = keyManager || new KeyManager();
+    this.agentDIDManager = new AgentDIDManager(this.keyManager);
+  }
+  /**
+   * Create a new AI agent with unique ID and DID
+   */
+  async create(metadata) {
+    const agentId = (0, import_uuid2.v4)();
+    const agentDid = await this.agentDIDManager.generateAgentDID(agentId);
+    const didDocument = this.resolveDidJwkLocally(agentDid);
+    const agent = {
+      id: agentId,
+      did: agentDid,
+      didDocument,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      metadata
+    };
+    try {
+      await this.registerDid(agent);
+    } catch (error) {
+      console.warn("Failed to register DID with API:", error);
+    }
+    return agent;
+  }
+  /**
+   * Get agent DID by agent ID
+   */
+  async getAgentDID(agentId) {
+    return await this.agentDIDManager.getAgentDID(agentId);
+  }
+  /**
+   * Get agent by ID
+   */
+  async getAgent(agentId) {
+    const agentDid = await this.agentDIDManager.getAgentDID(agentId);
+    const didDocument = await this.resolve(agentDid);
+    return {
+      id: agentId,
+      did: agentDid,
+      didDocument,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString()
+      // TODO: Store actual creation time
+    };
+  }
+  /**
+   * Delete an agent and its DID
+   */
+  async deleteAgent(agentId) {
+    await this.agentDIDManager.deleteAgentDID(agentId);
+  }
+  /**
+   * Resolve a DID to get DID Document
+   */
+  async resolve(did) {
+    if (did.startsWith("did:jwk:")) {
+      return this.resolveDidJwkLocally(did);
+    }
+    try {
+      const response = await fetch(getDidApiUrl(`/api/v1/did/${encodeURIComponent(did)}`), {
+        headers: getApiHeaders("did")
+      });
+      if (!response.ok) {
+        throw new Error(`Failed to resolve DID: ${response.statusText}`);
+      }
+      const data = await response.json();
+      return data.didDocument;
+    } catch (error) {
+      throw new Error(`Failed to resolve DID: ${error}`);
+    }
+  }
+  /**
+   * Export agent with private key (for backup)
+   */
+  async export(did) {
+    const didDocument = await this.resolve(did);
+    const privateKey = await this.keyManager.getKey(did);
+    if (!privateKey) {
+      throw new Error(`Private key not found for DID: ${did}`);
+    }
+    const agent = {
+      did,
+      didDocument,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    return { agent, privateKey };
+  }
+  /**
+   * Import agent from backup
+   */
+  async import(agent, privateKey) {
+    await this.keyManager.storeKey(agent.did, privateKey);
+  }
+  /**
+   * List all locally stored agents
+   */
+  async list() {
+    const agentDIDs = await this.agentDIDManager.listAgentDIDs();
+    const agents = [];
+    for (const { agentId, did } of agentDIDs) {
+      try {
+        const didDocument = await this.resolve(did);
+        agents.push({
+          id: agentId,
+          did,
+          didDocument,
+          createdAt: (/* @__PURE__ */ new Date()).toISOString()
+          // TODO: Store actual creation time
+        });
+      } catch (error) {
+        console.warn(`Failed to resolve Agent DID ${did}:`, error);
+      }
+    }
+    return agents;
+  }
+  createDidDocument(did, publicKey) {
+    const verificationMethodId = `${did}#0`;
+    return {
+      "@context": ["https://www.w3.org/ns/did/v1", "https://w3id.org/security/suites/jws-2020/v1"],
+      id: did,
+      verificationMethod: [
+        {
+          id: verificationMethodId,
+          type: "JsonWebKey2020",
+          controller: did,
+          publicKeyJwk: publicKey
+        }
+      ],
+      authentication: [verificationMethodId],
+      assertionMethod: [verificationMethodId],
+      capabilityInvocation: [verificationMethodId],
+      capabilityDelegation: [verificationMethodId]
+    };
+  }
+  resolveDidJwkLocally(did) {
+    const encoded = did.replace("did:jwk:", "");
+    const publicJwk = JSON.parse(Buffer.from(encoded, "base64url").toString());
+    return this.createDidDocument(did, publicJwk);
+  }
+  async registerDid(_agent) {
+  }
+};
+// src/identity/user-identity-manager.ts
+var UserIdentityManager = class {
+  keyManager;
+  currentUserDID = null;
+  constructor(keyManager) {
+    this.keyManager = keyManager || new KeyManager();
+  }
+  /**
+   * Get or create current user DID
+   * This represents the user who will be the issuer of VCs
+   */
+  async getCurrentUserDID() {
+    if (this.currentUserDID) {
+      return this.currentUserDID;
+    }
+    const existingDID = await this.loadUserDID();
+    if (existingDID) {
+      this.currentUserDID = existingDID;
+      return existingDID;
+    }
+    return await this.createUserDID();
+  }
+  /**
+   * Create a new user DID (for issuing VCs)
+   */
+  async createUserDID() {
+    const keyPair = await SDJwtClient.generateKeyPair();
+    const did = this.createDidJwk(keyPair.publicKey);
+    await this.keyManager.storeKey(did, keyPair.privateKey);
+    await this.saveUserDID(did);
+    this.currentUserDID = did;
+    return did;
+  }
+  /**
+   * Get user's key pair
+   */
+  async getUserKeyPair() {
+    const did = await this.getCurrentUserDID();
+    const privateKey = await this.keyManager.getKey(did);
+    if (!privateKey) {
+      throw new Error("User private key not found");
+    }
+    return {
+      privateKey,
+      publicKey: this.extractPublicKey(privateKey)
+    };
+  }
+  /**
+   * Resolve user DID to DID Document
+   */
+  async resolveUserDID(did) {
+    const userDid = did || await this.getCurrentUserDID();
+    if (!userDid.startsWith("did:jwk:")) {
+      throw new Error("Only did:jwk supported for user identity");
+    }
+    return this.resolveDidJwkLocally(userDid);
+  }
+  /**
+   * Export user identity for backup
+   */
+  async exportUserIdentity() {
+    const did = await this.getCurrentUserDID();
+    const privateKey = await this.keyManager.getKey(did);
+    const didDocument = await this.resolveUserDID(did);
+    if (!privateKey) {
+      throw new Error("User private key not found");
+    }
+    return { did, privateKey, didDocument };
+  }
+  /**
+   * Import user identity from backup
+   */
+  async importUserIdentity(backup) {
+    await this.keyManager.storeKey(backup.did, backup.privateKey);
+    await this.saveUserDID(backup.did);
+    this.currentUserDID = backup.did;
+  }
+  /**
+   * Reset user identity (create new DID)
+   */
+  async resetUserIdentity() {
+    this.currentUserDID = null;
+    await this.clearUserDID();
+    return await this.createUserDID();
+  }
+  /**
+   * Create did:jwk from public key
+   */
+  createDidJwk(publicKey) {
+    const publicJwk = {
+      kty: publicKey.kty,
+      crv: publicKey.crv,
+      x: publicKey.x,
+      y: publicKey.y,
+      use: publicKey.use,
+      alg: publicKey.alg
+    };
+    const encoded = Buffer.from(JSON.stringify(publicJwk)).toString("base64url");
+    return `did:jwk:${encoded}`;
+  }
+  /**
+   * Extract public key from private key
+   */
+  extractPublicKey(privateKey) {
+    const { d, key_ops, ...publicKey } = privateKey;
+    return publicKey;
+  }
+  /**
+   * Resolve did:jwk locally
+   */
+  resolveDidJwkLocally(did) {
+    const encoded = did.replace("did:jwk:", "");
+    const publicJwk = JSON.parse(Buffer.from(encoded, "base64url").toString());
+    return this.createDidDocument(did, publicJwk);
+  }
+  /**
+   * Create DID Document
+   */
+  createDidDocument(did, publicKey) {
+    const verificationMethodId = `${did}#0`;
+    return {
+      "@context": ["https://www.w3.org/ns/did/v1", "https://w3id.org/security/suites/jws-2020/v1"],
+      id: did,
+      verificationMethod: [
+        {
+          id: verificationMethodId,
+          type: "JsonWebKey2020",
+          controller: did,
+          publicKeyJwk: publicKey
+        }
+      ],
+      authentication: [verificationMethodId],
+      assertionMethod: [verificationMethodId],
+      capabilityInvocation: [verificationMethodId],
+      capabilityDelegation: [verificationMethodId]
+    };
+  }
+  /**
+   * Save current user DID to persistent storage
+   */
+  async saveUserDID(did) {
+    const fs3 = await import("fs/promises");
+    const path3 = await import("path");
+    const os2 = await import("os");
+    const configDir = path3.join(os2.homedir(), ".vess");
+    await fs3.mkdir(configDir, { recursive: true });
+    const userDIDFile = path3.join(configDir, "user-did.txt");
+    await fs3.writeFile(userDIDFile, did, "utf-8");
+  }
+  /**
+   * Load current user DID from persistent storage
+   */
+  async loadUserDID() {
+    const fs3 = await import("fs/promises");
+    const path3 = await import("path");
+    const os2 = await import("os");
+    const userDIDFile = path3.join(os2.homedir(), ".vess", "user-did.txt");
+    try {
+      return await fs3.readFile(userDIDFile, "utf-8");
+    } catch {
+      return null;
+    }
+  }
+  /**
+   * Clear saved user DID
+   */
+  async clearUserDID() {
+    const fs3 = await import("fs/promises");
+    const path3 = await import("path");
+    const os2 = await import("os");
+    const userDIDFile = path3.join(os2.homedir(), ".vess", "user-did.txt");
+    try {
+      await fs3.unlink(userDIDFile);
+    } catch {
+    }
+  }
+};
+// src/vc/vc-manager.ts
+var VCManager = class {
+  keyManager;
+  templates = /* @__PURE__ */ new Map();
+  agentManager;
+  userIdentityManager;
+  constructor(keyManager, agentManager, userIdentityManager) {
+    this.keyManager = keyManager || new KeyManager();
+    this.agentManager = agentManager || new AgentManager(this.keyManager);
+    this.userIdentityManager = userIdentityManager || new UserIdentityManager(this.keyManager);
+    this.registerDefaultTemplates();
+  }
+  /**
+   * Get fields that should be selectively disclosable based on VC type
+   */
+  getSelectivelyDisclosableFields(template) {
+    switch (template) {
+      case "ToolPermissionVC":
+        return ["tool", "action", "scope", "conditions"];
+      case "DataAccessVC":
+        return ["resource", "actions", "scope", "conditions"];
+      case "OrganizationVC":
+        return ["organizationId", "employeeId", "department", "role", "permissions"];
+      default:
+        return [];
+    }
+  }
+  /**
+   * Issue a Verifiable Credential as SD-JWT VC
+   * Enhanced to support User/Agent DID separation
+   */
+  async issue(template, claims, options) {
+    const vcTemplate = this.templates.get(template);
+    if (!vcTemplate) {
+      throw new Error(`Unknown VC template: ${template}`);
+    }
+    const issuerDid = options.issuerDid || await this.userIdentityManager.getCurrentUserDID();
+    let subjectDid;
+    if (options.agentId) {
+      subjectDid = await this.agentManager.getAgentDID(options.agentId);
+    } else if (options.subjectDid) {
+      subjectDid = options.subjectDid;
+    } else {
+      subjectDid = issuerDid;
+    }
+    const now = /* @__PURE__ */ new Date();
+    const iat = Math.floor(now.getTime() / 1e3);
+    const credentialSubject = {
+      id: subjectDid,
+      ...claims
+    };
+    if (vcTemplate.defaults) {
+      Object.assign(credentialSubject, vcTemplate.defaults);
+    }
+    const vcPayload = {
+      // SD-JWT VC specific fields
+      vct: vcTemplate.type,
+      iss: issuerDid,
+      iat,
+      cnf: {
+        // Confirmation method - binding to subject's key
+        jwk: await this.getSubjectPublicKey(subjectDid)
+      },
+      // Standard VC fields
+      credentialSubject
+    };
+    if (options.expiresIn) {
+      const expDate = this.calculateExpirationDate(options.expiresIn);
+      vcPayload.exp = Math.floor(expDate.getTime() / 1e3);
+    }
+    const vc = {
+      ...vcPayload,
+      "@context": ["https://www.w3.org/ns/credentials/v2"],
+      issuer: issuerDid,
+      validFrom: now.toISOString()
+    };
+    if (vcTemplate.validate && !vcTemplate.validate(vc)) {
+      throw new Error("VC validation failed");
+    }
+    SDJwtClient.setKeyManager(this.keyManager);
+    const sdjwtInstance = await SDJwtClient.getIssuerInstance(issuerDid);
+    const selectivelyDisclosableFields = this.getSelectivelyDisclosableFields(template);
+    const credentialSubjectFrame = SDJwtClient.createDisclosureFrame(
+      credentialSubject,
+      selectivelyDisclosableFields
+    );
+    const disclosureFrame = {
+      credentialSubject: credentialSubjectFrame
+    };
+    const sdjwtVc = await sdjwtInstance.issue(
+      vcPayload,
+      disclosureFrame
+    );
+    return sdjwtVc;
+  }
+  /**
+   * Get subject's public key for cnf claim
+   */
+  async getSubjectPublicKey(subjectDid) {
+    if (!subjectDid.startsWith("did:jwk:")) {
+      throw new Error(`Unsupported DID method. Expected did:jwk, got: ${subjectDid}`);
+    }
+    try {
+      const jwkEncoded = subjectDid.replace("did:jwk:", "");
+      const jwkJson = Buffer.from(jwkEncoded, "base64url").toString("utf-8");
+      const jwk = JSON.parse(jwkJson);
+      const { d, key_ops, ...publicJwk } = jwk;
+      const publicKeyForCnf = {
+        ...publicJwk
+        // Remove key_ops entirely for cnf claim as it's not needed there
+      };
+      return publicKeyForCnf;
+    } catch (error) {
+      throw new Error(
+        `Failed to extract JWK from did:jwk: ${error instanceof Error ? error.message : "Unknown error"}`
+      );
+    }
+  }
+  /**
+   * Issue using existing Issuer API (OID4VCI)
+   */
+  async issueViaAPI(credentialType, claims, options) {
+    const offerResponse = await fetch(getIssuerApiUrl("/api/v1/credential/offer"), {
+      method: "POST",
+      headers: getApiHeaders("issuer"),
+      body: JSON.stringify({
+        credentialType,
+        claims,
+        subjectDid: options.subjectDid
+      })
+    });
+    if (!offerResponse.ok) {
+      throw new Error(`Failed to get credential offer: ${offerResponse.statusText}`);
+    }
+    const offer = await offerResponse.json();
+    const acquireResponse = await fetch(getIssuerApiUrl("/api/v1/credential/acquire"), {
+      method: "POST",
+      headers: getApiHeaders("issuer"),
+      body: JSON.stringify({
+        offerId: offer.id,
+        holderDid: options.subjectDid
+      })
+    });
+    if (!acquireResponse.ok) {
+      throw new Error(`Failed to acquire credential: ${acquireResponse.statusText}`);
+    }
+    const credential = await acquireResponse.json();
+    return credential.jwt;
+  }
+  /**
+   * Verify a SD-JWT VC
+   */
+  async verify(sdjwtVc, options) {
+    const parts = sdjwtVc.split("~");
+    const jwt = parts[0];
+    const jwtParts = jwt.split(".");
+    const payload = JSON.parse(Buffer.from(jwtParts[1], "base64url").toString());
+    const issuerDid = payload.iss;
+    if (!issuerDid) {
+      throw new Error("Issuer DID not found in SD-JWT VC");
+    }
+    if (options?.expectedIssuer && issuerDid !== options.expectedIssuer) {
+      throw new Error(`Issuer mismatch: expected ${options.expectedIssuer}, got ${issuerDid}`);
+    }
+    SDJwtClient.setKeyManager(this.keyManager);
+    const sdjwtInstance = await SDJwtClient.getIssuerInstance(issuerDid);
+    const { payload: verifiedPayload } = await sdjwtInstance.verify(
+      sdjwtVc,
+      options?.requiredClaims ? { requiredClaimKeys: options?.requiredClaims } : void 0
+    );
+    const disclosures = await sdjwtInstance.getClaims(sdjwtVc);
+    const subjectId = verifiedPayload?.credentialSubject?.id || verifiedPayload.sub;
+    if (options?.expectedSubject) {
+      if (subjectId !== options.expectedSubject) {
+        throw new Error(`Subject mismatch: expected ${options.expectedSubject}, got ${subjectId}`);
+      }
+    }
+    return {
+      payload: verifiedPayload,
+      disclosures,
+      issuer: issuerDid,
+      subject: subjectId,
+      issuedAt: verifiedPayload?.iat && new Date(verifiedPayload.iat * 1e3),
+      expiresAt: verifiedPayload.exp ? new Date(verifiedPayload.exp * 1e3) : null
+    };
+  }
+  /**
+   * Revoke a Verifiable Credential
+   */
+  async revoke(_vcId, _issuerDid) {
+    throw new Error("VC revocation not yet implemented");
+  }
+  /**
+   * Register a custom VC template
+   */
+  registerTemplate(template) {
+    this.templates.set(template.name, template);
+  }
+  registerDefaultTemplates() {
+    this.templates.set("ToolPermissionVC", {
+      type: "ToolPermissionVC",
+      name: "ToolPermissionVC",
+      description: "Permission to use a specific tool",
+      validate: (vc) => {
+        const toolVc = vc;
+        return !!(toolVc.credentialSubject.tool && toolVc.credentialSubject.aud);
+      }
+    });
+    this.templates.set("DataAccessVC", {
+      type: "DataAccessVC",
+      name: "DataAccessVC",
+      description: "Permission to access data resources",
+      validate: (vc) => {
+        const dataVc = vc;
+        return !!(dataVc.credentialSubject.resource && dataVc.credentialSubject.actions && dataVc.credentialSubject.actions.length > 0);
+      }
+    });
+  }
+  calculateExpirationDate(expiresIn) {
+    const now = /* @__PURE__ */ new Date();
+    const match = expiresIn.match(/^(\d+)([hdm])$/);
+    if (!match) {
+      throw new Error(`Invalid expiresIn format: ${expiresIn}`);
+    }
+    const value = parseInt(match[1]);
+    const unit = match[2];
+    switch (unit) {
+      case "h":
+        now.setHours(now.getHours() + value);
+        break;
+      case "d":
+        now.setDate(now.getDate() + value);
+        break;
+      case "m":
+        now.setMinutes(now.getMinutes() + value);
+        break;
+      default:
+        throw new Error(`Unknown time unit: ${unit}`);
+    }
+    return now;
+  }
+};
+// src/vp/vp-manager.ts
+var import_crypto_nodejs2 = require("@sd-jwt/crypto-nodejs");
+var VPManager = class {
+  keyManager;
+  constructor(keyManager) {
+    this.keyManager = keyManager || new KeyManager();
+    SDJwtClient.setKeyManager(this.keyManager);
+  }
+  /**
+   * Create a SD-JWT presentation using the present() method
+   * This properly binds the holder's key to the SD-JWT VC
+   */
+  async create(vcs, options) {
+    if (vcs.length === 0) {
+      throw new Error("At least one SD-JWT VC is required for presentation");
+    }
+    const sdJwtInstance = await SDJwtClient.getHolderInstance(options.holderDid);
+    const sdJwtVC = vcs[0];
+    try {
+      const decodedVC = await sdJwtInstance.decode(sdJwtVC);
+      const presentableKeys = await decodedVC.presentableKeys(import_crypto_nodejs2.digest);
+      const presentationFrame = {};
+      presentableKeys.forEach((key) => {
+        presentationFrame[key] = true;
+      });
+      const kbJwtPayload = {
+        aud: options.domain,
+        nonce: options.challenge,
+        iat: Math.floor(Date.now() / 1e3)
+      };
+      const presentation = await sdJwtInstance.present(sdJwtVC, presentationFrame, {
+        kb: { payload: kbJwtPayload }
+      });
+      return presentation;
+    } catch (error) {
+      console.error("ERROR: Error creating SD-JWT presentation:", error);
+      throw new Error(`Failed to create SD-JWT presentation: ${error.message}`);
+    }
+  }
+  /**
+   * Verify a Verifiable Presentation
+   */
+  async verify(vpJwt, options) {
+    const response = await fetch(getVerifierApiUrl("/api/v1/vp/verify"), {
+      method: "POST",
+      headers: getApiHeaders("verifier"),
+      body: JSON.stringify({
+        vp: vpJwt,
+        challenge: options.expectedChallenge,
+        domain: options.expectedDomain
+      })
+    });
+    if (!response.ok) {
+      throw new Error(`VP verification failed: ${response.statusText}`);
+    }
+    const result = await response.json();
+    if (!result?.valid) {
+      throw new Error(`VP verification failed: ${result?.error}`);
+    }
+    const vp = result?.verifiablePresentation;
+    if (options.expectedHolder && vp.holder !== options.expectedHolder) {
+      throw new Error(`Holder mismatch. Expected: ${options.expectedHolder}, Got: ${vp.holder}`);
+    }
+    if (vp.proof?.challenge !== options.expectedChallenge) {
+      throw new Error("Challenge mismatch");
+    }
+    if (vp.proof?.domain !== options.expectedDomain) {
+      throw new Error("Domain mismatch");
+    }
+    return vp;
+  }
+  /**
+   * Create a VP request
+   */
+  createRequest(domain, query) {
+    return {
+      challenge: generateNonce(),
+      domain,
+      query
+    };
+  }
+  /**
+   * Submit VP to a verifier
+   */
+  async submit(vpJwt, verifierEndpoint) {
+    const response = await fetch(verifierEndpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json"
+      },
+      body: JSON.stringify({ vp: vpJwt })
+    });
+    if (!response.ok) {
+      throw new Error(`Failed to submit VP: ${response.statusText}`);
+    }
+    return response.json();
+  }
+};
+// src/tool/tool-manager.ts
+var ToolManager = class {
+  vpManager;
+  tools = /* @__PURE__ */ new Map();
+  proxyApiUrl;
+  constructor(vpManager) {
+    this.vpManager = vpManager || new VPManager();
+    const config = getConfig();
+    this.proxyApiUrl = config.proxyApi?.baseUrl || "http://localhost:3000";
+    this.registerDefaultTools();
+  }
+  /**
+   * Invoke a tool action with VC authorization
+   */
+  async invoke(tool, action, params, options) {
+    const toolDef = this.tools.get(tool);
+    if (!toolDef) {
+      throw new Error(`Unknown tool: ${tool}`);
+    }
+    const actionDef = toolDef.actions.find((a) => a.name === action);
+    if (!actionDef) {
+      throw new Error(`Unknown action ${action} for tool ${tool}`);
+    }
+    const domain = new URL(this.proxyApiUrl).hostname;
+    const challenge = this.generateChallenge();
+    const vpJwt = await this.vpManager.create(options.vcs, {
+      holderDid: options.holderDid,
+      challenge,
+      domain,
+      purpose: "invocation"
+    });
+    if (this.proxyApiUrl === "mock://demo") {
+      const mockResponse = {
+        success: true,
+        data: {
+          message: "Mock Slack response - message posted successfully!",
+          channel: params.channel || "#general",
+          text: params.text || "Hello from AIdentity!",
+          ts: Date.now().toString(),
+          ok: true
+        },
+        metadata: {
+          tool,
+          action,
+          holder: options.holderDid,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+          mock: true
+        }
+      };
+      await new Promise((resolve) => setTimeout(resolve, 500));
+      return mockResponse;
+    }
+    const headers = {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${vpJwt}`,
+      "X-Holder-DID": options.holderDid,
+      "X-Auth-Challenge": challenge
+    };
+    if (!vpJwt.includes("~")) {
+      headers["X-VCs"] = JSON.stringify(options.vcs);
+    }
+    const response = await fetch(`${this.proxyApiUrl}/api/v1/tool/invoke`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        tool,
+        action,
+        params,
+        challenge
+      })
+    });
+    if (!response.ok) {
+      const contentType = response.headers.get("content-type");
+      if (contentType && contentType.includes("application/json")) {
+        try {
+          const errorResponse = await response.json();
+          if (errorResponse.success === false) {
+            return errorResponse;
+          }
+          return {
+            success: false,
+            error: errorResponse.message || errorResponse.error || "Tool invocation failed",
+            metadata: errorResponse.metadata
+          };
+        } catch (parseError) {
+          const error = await response.text();
+          return {
+            success: false,
+            error: `Tool invocation failed: ${error}`
+          };
+        }
+      } else {
+        const error = await response.text();
+        return {
+          success: false,
+          error: `Tool invocation failed: ${error}`
+        };
+      }
+    }
+    const result = await response.json();
+    return result;
+  }
+  /**
+   * List available tools
+   */
+  list() {
+    return Array.from(this.tools.values());
+  }
+  /**
+   * Get a specific tool definition
+   */
+  getTool(name) {
+    return this.tools.get(name);
+  }
+  /**
+   * Register a custom tool
+   */
+  registerTool(tool) {
+    this.tools.set(tool.name, tool);
+  }
+  /**
+   * Check if VCs authorize a tool action
+   */
+  async checkAuthorization(vcs, tool, action, resourceScope) {
+    for (const vcJwt of vcs) {
+      try {
+        const parts = vcJwt.split(".");
+        const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
+        if (payload.credentialSubject?.tool === `${tool}.${action}`) {
+          if (resourceScope) {
+            const vcScope = payload.credentialSubject.resourceScope;
+            if (!this.matchScope(vcScope, resourceScope)) {
+              continue;
+            }
+          }
+          return true;
+        }
+      } catch {
+        continue;
+      }
+    }
+    return false;
+  }
+  matchScope(vcScope, requiredScope) {
+    for (const [key, value] of Object.entries(requiredScope)) {
+      if (vcScope[key] !== value && vcScope[key] !== "*") {
+        return false;
+      }
+    }
+    return true;
+  }
+  generateChallenge() {
+    return Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
+  }
+  registerDefaultTools() {
+    this.tools.set("slack", {
+      name: "slack",
+      description: "Slack workspace operations",
+      actions: [
+        {
+          name: "postMessage",
+          description: "Post a message to a channel",
+          parameters: {
+            channel: "string",
+            text: "string",
+            thread_ts: "string?"
+          }
+        },
+        {
+          name: "getChannels",
+          description: "List channels",
+          parameters: {}
+        },
+        {
+          name: "getUserInfo",
+          description: "Get user information",
+          parameters: {
+            userId: "string"
+          }
+        },
+        {
+          name: "getChannelHistory",
+          description: "Get channel history",
+          parameters: {
+            channel: "string",
+            latest: "string?",
+            oldest: "string?",
+            limit: "number?",
+            inclusive: "boolean?"
+          }
+        }
+      ]
+    });
+    this.tools.set("github", {
+      name: "github",
+      description: "GitHub repository operations",
+      actions: [
+        {
+          name: "createIssue",
+          description: "Create a new issue",
+          parameters: {
+            owner: "string",
+            repo: "string",
+            title: "string",
+            body: "string",
+            labels: "string[]?"
+          }
+        },
+        {
+          name: "listIssues",
+          description: "List repository issues",
+          parameters: {
+            owner: "string",
+            repo: "string",
+            state: "string?"
+          }
+        },
+        {
+          name: "getRepo",
+          description: "Get repository information",
+          parameters: {
+            owner: "string",
+            repo: "string"
+          }
+        }
+      ]
+    });
+    this.tools.set("gmail", {
+      name: "gmail",
+      description: "Gmail operations",
+      actions: [
+        {
+          name: "sendMessage",
+          description: "Send an email message",
+          parameters: {
+            to: "string",
+            subject: "string",
+            body: "string",
+            cc: "string[]?",
+            bcc: "string[]?",
+            format: "string?"
+          }
+        },
+        {
+          name: "getMessages",
+          description: "Get email messages",
+          parameters: {
+            query: "string?",
+            maxResults: "number?",
+            pageToken: "string?",
+            labelIds: "string[]?"
+          }
+        },
+        {
+          name: "getMessage",
+          description: "Get a specific email message",
+          parameters: {
+            messageId: "string",
+            format: "string?"
+          }
+        },
+        {
+          name: "getLabels",
+          description: "Get available labels",
+          parameters: {}
+        },
+        {
+          name: "searchMessages",
+          description: "Search email messages",
+          parameters: {
+            query: "string",
+            maxResults: "number?",
+            pageToken: "string?"
+          }
+        },
+        {
+          name: "modifyMessage",
+          description: "Modify message labels",
+          parameters: {
+            messageId: "string",
+            addLabelIds: "string[]?",
+            removeLabelIds: "string[]?"
+          }
+        },
+        {
+          name: "createDraft",
+          description: "Create a draft email",
+          parameters: {
+            to: "string",
+            subject: "string",
+            body: "string",
+            cc: "string[]?",
+            bcc: "string[]?",
+            format: "string?"
+          }
+        }
+      ]
+    });
+    this.tools.set("drive", {
+      name: "drive",
+      description: "Google Drive operations",
+      actions: [
+        {
+          name: "listFiles",
+          description: "List files in folder",
+          parameters: {
+            folderId: "string?",
+            query: "string?",
+            maxResults: "number?",
+            pageToken: "string?",
+            orderBy: "string?"
+          }
+        },
+        {
+          name: "getFile",
+          description: "Get file information",
+          parameters: {
+            fileId: "string",
+            fields: "string?"
+          }
+        },
+        {
+          name: "createFile",
+          description: "Create a new file",
+          parameters: {
+            name: "string",
+            content: "string",
+            mimeType: "string?",
+            parents: "string[]?",
+            description: "string?"
+          }
+        },
+        {
+          name: "updateFile",
+          description: "Update an existing file",
+          parameters: {
+            fileId: "string",
+            name: "string?",
+            content: "string?",
+            description: "string?"
+          }
+        },
+        {
+          name: "deleteFile",
+          description: "Delete a file",
+          parameters: {
+            fileId: "string"
+          }
+        },
+        {
+          name: "getFolders",
+          description: "List folders",
+          parameters: {
+            parentId: "string?"
+          }
+        },
+        {
+          name: "createFolder",
+          description: "Create a new folder",
+          parameters: {
+            name: "string",
+            parentId: "string?",
+            description: "string?"
+          }
+        },
+        {
+          name: "downloadFile",
+          description: "Download file content",
+          parameters: {
+            fileId: "string",
+            mimeType: "string?"
+          }
+        },
+        {
+          name: "shareFile",
+          description: "Share file with permissions",
+          parameters: {
+            fileId: "string",
+            type: "string",
+            role: "string",
+            emailAddress: "string?",
+            domain: "string?"
+          }
+        }
+      ]
+    });
+    this.tools.set("jira", {
+      name: "jira",
+      description: "Jira project and issue management",
+      actions: [
+        {
+          name: "getProjects",
+          description: "List all Jira projects",
+          parameters: {
+            recent: "number?"
+          }
+        },
+        {
+          name: "getBoard",
+          description: "Get Jira board details",
+          parameters: {
+            boardId: "number"
+          }
+        },
+        {
+          name: "getBoards",
+          description: "List all Jira boards",
+          parameters: {
+            projectKeyOrId: "string?",
+            type: "string?"
+          }
+        },
+        {
+          name: "getSprints",
+          description: "Get sprints for a Jira board",
+          parameters: {
+            boardId: "number",
+            state: "string?"
+          }
+        },
+        {
+          name: "getSprintIssues",
+          description: "Get issues in a specific sprint",
+          parameters: {
+            sprintId: "number",
+            maxResults: "number?"
+          }
+        },
+        {
+          name: "searchIssues",
+          description: "Search for Jira issues using JQL",
+          parameters: {
+            jql: "string",
+            maxResults: "number?",
+            startAt: "number?"
+          }
+        },
+        {
+          name: "getIssue",
+          description: "Get a specific Jira issue",
+          parameters: {
+            issueIdOrKey: "string"
+          }
+        },
+        {
+          name: "getIssueWorklogs",
+          description: "Get worklogs for a specific issue",
+          parameters: {
+            issueKey: "string"
+          }
+        },
+        {
+          name: "createIssue",
+          description: "Create a new Jira issue",
+          parameters: {
+            projectKey: "string",
+            summary: "string",
+            description: "string?",
+            issueType: "string",
+            priority: "string?",
+            assignee: "string?"
+          }
+        }
+      ]
+    });
+  }
+};
+// src/memory/memory-manager.ts
+var MemoryManager = class {
+  vpManager;
+  proxyApiUrl;
+  constructor(vpManager) {
+    this.vpManager = vpManager || new VPManager();
+    const config = getConfig();
+    this.proxyApiUrl = config.proxyApi?.baseUrl || "http://localhost:3000";
+  }
+  /**
+   * Write a document to memory
+   */
+  async write(content, options) {
+    const domain = new URL(this.proxyApiUrl).hostname;
+    const challenge = this.generateChallenge();
+    const vpJwt = await this.vpManager.create(options.vcs, {
+      holderDid: options.holderDid,
+      challenge,
+      domain,
+      purpose: "write"
+    });
+    const response = await fetch(`${this.proxyApiUrl}/api/v1/memory/${options.namespace}/doc`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${vpJwt}`
+      },
+      body: JSON.stringify({
+        content,
+        metadata: options.metadata,
+        challenge
+      })
+    });
+    if (!response.ok) {
+      const error = await response.text();
+      throw new Error(`Failed to write to memory: ${error}`);
+    }
+    return response.json();
+  }
+  /**
+   * Query memory with vector search
+   */
+  async query(query, options) {
+    const domain = new URL(this.proxyApiUrl).hostname;
+    const challenge = this.generateChallenge();
+    const vpJwt = await this.vpManager.create(options.vcs, {
+      holderDid: options.holderDid,
+      challenge,
+      domain,
+      purpose: "read"
+    });
+    const queryParams = {
+      query,
+      namespace: options.namespace,
+      limit: options.limit || 10,
+      filter: options.filter
+    };
+    const namespace = options.namespace || "default";
+    const response = await fetch(`${this.proxyApiUrl}/api/v1/memory/${namespace}/query`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${vpJwt}`
+      },
+      body: JSON.stringify({
+        ...queryParams,
+        challenge
+      })
+    });
+    if (!response.ok) {
+      const error = await response.text();
+      throw new Error(`Failed to query memory: ${error}`);
+    }
+    return response.json();
+  }
+  /**
+   * Delete a document from memory
+   */
+  async delete(documentId, options) {
+    const domain = new URL(this.proxyApiUrl).hostname;
+    const challenge = this.generateChallenge();
+    const vpJwt = await this.vpManager.create(options.vcs, {
+      holderDid: options.holderDid,
+      challenge,
+      domain,
+      purpose: "delete"
+    });
+    const response = await fetch(
+      `${this.proxyApiUrl}/api/v1/memory/${options.namespace}/${documentId}`,
+      {
+        method: "DELETE",
+        headers: {
+          Authorization: `Bearer ${vpJwt}`,
+          "X-Challenge": challenge
+        }
+      }
+    );
+    if (!response.ok) {
+      const error = await response.text();
+      throw new Error(`Failed to delete from memory: ${error}`);
+    }
+  }
+  /**
+   * List documents in a namespace
+   */
+  async list(options) {
+    const domain = new URL(this.proxyApiUrl).hostname;
+    const challenge = this.generateChallenge();
+    const vpJwt = await this.vpManager.create(options.vcs, {
+      holderDid: options.holderDid,
+      challenge,
+      domain,
+      purpose: "read"
+    });
+    const params = new URLSearchParams({
+      limit: (options.limit || 100).toString(),
+      offset: (options.offset || 0).toString()
+    });
+    const response = await fetch(
+      `${this.proxyApiUrl}/api/v1/memory/${options.namespace}/list?${params}`,
+      {
+        headers: {
+          Authorization: `Bearer ${vpJwt}`,
+          "X-Challenge": challenge
+        }
+      }
+    );
+    if (!response.ok) {
+      const error = await response.text();
+      throw new Error(`Failed to list memory documents: ${error}`);
+    }
+    return response.json();
+  }
+  /**
+   * Check if VCs authorize memory access
+   */
+  async checkAuthorization(vcs, action, resource) {
+    for (const vcJwt of vcs) {
+      try {
+        const parts = vcJwt.split(".");
+        const payload = JSON.parse(Buffer.from(parts[1], "base64url").toString());
+        const vcResource = payload.credentialSubject?.resource;
+        const vcActions = payload.credentialSubject?.actions || [];
+        if (this.matchResource(vcResource, resource)) {
+          if (vcActions.includes(action)) {
+            return true;
+          }
+        }
+      } catch {
+        continue;
+      }
+    }
+    return false;
+  }
+  matchResource(vcResource, requiredResource) {
+    if (vcResource.endsWith("/*")) {
+      const prefix = vcResource.slice(0, -2);
+      return requiredResource.startsWith(prefix);
+    }
+    return vcResource === requiredResource;
+  }
+  generateChallenge() {
+    return Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15);
+  }
+};
+// src/organization/organization-manager.ts
+var OrganizationManager = class {
+  vpManager;
+  vcManager;
+  apiBaseUrl;
+  constructor(vpManager, vcManager) {
+    this.vpManager = vpManager || new VPManager();
+    this.vcManager = vcManager || new VCManager();
+    const config = getConfig();
+    this.apiBaseUrl = config.proxyApi?.baseUrl || "http://localhost:3000";
+  }
+  /**
+   * Request tool permissions using employee VC
+   */
+  async requestToolPermissions(employeeVCJWT, requestedTools, holderDid) {
+    const challenge = this.generateChallenge();
+    const vpRequest = {
+      employeeVC: employeeVCJWT,
+      requestedTools,
+      challenge,
+      domain: new URL(this.apiBaseUrl).hostname
+    };
+    const response = await fetch(`${this.apiBaseUrl}/api/organization/employee/permissions`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(vpRequest)
+    });
+    if (!response.ok) {
+      throw new Error(`Permission request failed: ${response.statusText}`);
+    }
+    const result = await response.json();
+    if (!result.success) {
+      throw new Error(`Permission denied: ${result.error}`);
+    }
+    return {
+      permittedPermissions: result.permittedPermissions,
+      employee: result.employee
+    };
+  }
+  /**
+   * Issue tool permissions to AI Agent based on organization approval
+   */
+  async issueOrganizationDelegatedPermissions(agentDid, employeeVCJWT, requestedTools, issuerDid) {
+    const { permittedPermissions } = await this.requestToolPermissions(
+      employeeVCJWT,
+      requestedTools,
+      issuerDid
+    );
+    const issuedVCs = [];
+    for (const permission of permittedPermissions) {
+      for (const action of permission.actions) {
+        const vc = await this.vcManager.issue(
+          "ToolPermissionVC",
+          {
+            tool: `${permission.tool}.${action}`,
+            aud: permission.tool,
+            organizationDelegated: true,
+            sourceEmployeeVC: employeeVCJWT
+            // Include reference to source employee VC
+          },
+          {
+            issuerDid,
+            subjectDid: agentDid,
+            expiresIn: permission.duration || "8h"
+          }
+        );
+        issuedVCs.push(vc);
+      }
+    }
+    return issuedVCs;
+  }
+  /**
+   * Create simplified workflow for employee to AI Agent delegation
+   */
+  async delegateToAIAgent(employeeVCJWT, agentDid, tools, issuerDid, options) {
+    const requestedTools = tools.map((tool) => ({
+      tool,
+      actions: ["read", "write"],
+      // Request common actions
+      duration: options?.duration,
+      justification: options?.justification
+    }));
+    const issuedVCs = await this.issueOrganizationDelegatedPermissions(
+      agentDid,
+      employeeVCJWT,
+      requestedTools,
+      issuerDid
+    );
+    const permissionSummary = {};
+    for (const tool of tools) {
+      const relatedVCs = issuedVCs.filter((vc) => vc.includes(tool));
+      permissionSummary[tool] = relatedVCs.map((vc) => this.extractActionFromVC(vc));
+    }
+    return {
+      issuedVCs,
+      permissionSummary
+    };
+  }
+  /**
+   * Register organization with AIdentity
+   */
+  async registerOrganization(config) {
+    const response = await fetch(`${this.apiBaseUrl}/api/organization/register`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify(config)
+    });
+    if (!response.ok) {
+      throw new Error(`Organization registration failed: ${response.statusText}`);
+    }
+  }
+  generateChallenge() {
+    return `challenge_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
+  }
+  extractActionFromVC(vcJWT) {
+    try {
+      const [, payload] = vcJWT.split(".");
+      const vc = JSON.parse(Buffer.from(payload, "base64url").toString());
+      return vc.credentialSubject.tool.split(".").pop() || "unknown";
+    } catch {
+      return "unknown";
+    }
+  }
+};
+// src/grant/grant-manager.ts
+var GrantManager = class {
+  constructor(_vpManager) {
+  }
+  /**
+   * Grant提案を取得
+   * @param options - 提案オプション
+   * @param options.oauthTokenId - OAuthトークンID
+   * @param options.targetUserId - 対象ユーザーID
+   * @param options.projectId - プロジェクトID
+   * @param authOptions - 認証オプション（VP or issuerDid）
+   */
+  async suggest(options, authOptions) {
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    if (authOptions.vpJwt) {
+      headers["Authorization"] = `Bearer ${authOptions.vpJwt}`;
+    } else if (authOptions.issuerDid) {
+      headers["x-issuer-did"] = authOptions.issuerDid;
+    } else {
+      throw new Error("Either vpJwt or issuerDid is required for authentication");
+    }
+    const response = await fetch(getDidApiUrl("/api/v1/grants/suggest"), {
+      method: "POST",
+      headers,
+      body: JSON.stringify(options)
+    });
+    if (!response.ok) {
+      const error = await response.json();
+      throw new Error(error.error || `Failed to get grant suggestion: ${response.statusText}`);
+    }
+    const result = await response.json();
+    return result.data;
+  }
+  /**
+   * Grant提案を確認して作成
+   * @param request - 確認リクエスト
+   * @param authOptions - 認証オプション
+   */
+  async confirm(request, authOptions) {
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    if (authOptions.vpJwt) {
+      headers["Authorization"] = `Bearer ${authOptions.vpJwt}`;
+    } else if (authOptions.issuerDid) {
+      headers["x-issuer-did"] = authOptions.issuerDid;
+    } else {
+      throw new Error("Either vpJwt or issuerDid is required for authentication");
+    }
+    const response = await fetch(getDidApiUrl("/api/v1/grants/confirm"), {
+      method: "POST",
+      headers,
+      body: JSON.stringify(request)
+    });
+    if (!response.ok) {
+      const error = await response.json();
+      throw new Error(error.error || `Failed to confirm grant: ${response.statusText}`);
+    }
+    const result = await response.json();
+    return result.data;
+  }
+  /**
+   * Grantを直接作成
+   * @param request - Grant作成リクエスト
+   * @param authOptions - 認証オプション
+   */
+  async create(request, authOptions) {
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    if (authOptions.vpJwt) {
+      headers["Authorization"] = `Bearer ${authOptions.vpJwt}`;
+    } else if (authOptions.issuerDid) {
+      headers["x-issuer-did"] = authOptions.issuerDid;
+    } else {
+      throw new Error("Either vpJwt or issuerDid is required for authentication");
+    }
+    const response = await fetch(getDidApiUrl("/api/v1/grants"), {
+      method: "POST",
+      headers,
+      body: JSON.stringify(request)
+    });
+    if (!response.ok) {
+      const error = await response.json();
+      throw new Error(error.error || `Failed to create grant: ${response.statusText}`);
+    }
+    const result = await response.json();
+    return result.data;
+  }
+  /**
+   * ユーザー用のGrant一覧を取得
+   * @param userId - ユーザーID
+   * @param status - フィルタするステータス（オプション）
+   */
+  async listForUser(userId, status) {
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    const encodedUserId = encodeURIComponent(userId);
+    const url = status ? getDidApiUrl(`/api/v1/grants/user/${encodedUserId}?status=${status}`) : getDidApiUrl(`/api/v1/grants/user/${encodedUserId}`);
+    const response = await fetch(url, {
+      method: "GET",
+      headers
+    });
+    if (!response.ok) {
+      const error = await response.json();
+      throw new Error(error.error || `Failed to list grants for user: ${response.statusText}`);
+    }
+    const result = await response.json();
+    return result.data;
+  }
+  /**
+   * Issuer用のGrant一覧を取得
+   * @param issuerDid - IssuerのDID
+   * @param status - フィルタするステータス（オプション）
+   */
+  async listForIssuer(issuerDid, status) {
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    const encodedDid = encodeURIComponent(issuerDid);
+    const url = status ? getDidApiUrl(`/api/v1/grants/issuer/${encodedDid}?status=${status}`) : getDidApiUrl(`/api/v1/grants/issuer/${encodedDid}`);
+    const response = await fetch(url, {
+      method: "GET",
+      headers
+    });
+    if (!response.ok) {
+      const error = await response.json();
+      throw new Error(error.error || `Failed to list grants for issuer: ${response.statusText}`);
+    }
+    const result = await response.json();
+    return result.data;
+  }
+  /**
+   * Grantを取得
+   * @param grantId - GrantのID
+   */
+  async get(grantId) {
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    const response = await fetch(getDidApiUrl(`/api/v1/grants/${grantId}`), {
+      method: "GET",
+      headers
+    });
+    if (!response.ok) {
+      const error = await response.json();
+      throw new Error(error.error || `Failed to get grant: ${response.statusText}`);
+    }
+    const result = await response.json();
+    return result.data;
+  }
+  /**
+   * Grantを取り消し
+   * @param grantId - GrantのID
+   * @param reason - 取り消し理由
+   * @param authOptions - 認証オプション
+   */
+  async revoke(grantId, reason, authOptions) {
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    if (authOptions.vpJwt) {
+      headers["Authorization"] = `Bearer ${authOptions.vpJwt}`;
+    } else if (authOptions.issuerDid) {
+      headers["x-issuer-did"] = authOptions.issuerDid;
+    } else {
+      throw new Error("Either vpJwt or issuerDid is required for authentication");
+    }
+    const response = await fetch(getDidApiUrl(`/api/v1/grants/${grantId}`), {
+      method: "DELETE",
+      headers,
+      body: JSON.stringify({ reason })
+    });
+    if (!response.ok) {
+      const error = await response.json();
+      throw new Error(error.error || `Failed to revoke grant: ${response.statusText}`);
+    }
+    const result = await response.json();
+    return result.data;
+  }
+  /**
+   * Grant権限をチェック
+   * @param request - 権限チェックリクエスト
+   */
+  async checkPermission(request) {
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    const response = await fetch(getDidApiUrl("/api/v1/grants/check"), {
+      method: "POST",
+      headers,
+      body: JSON.stringify(request)
+    });
+    if (!response.ok) {
+      const error = await response.json();
+      throw new Error(error.error || `Failed to check grant permission: ${response.statusText}`);
+    }
+    const result = await response.json();
+    return result.data;
+  }
+  /**
+   * Grant更新
+   * @param grantId - GrantのID
+   * @param request - 更新リクエスト
+   * @param authOptions - 認証オプション
+   */
+  async update(grantId, request, authOptions) {
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    if (authOptions.vpJwt) {
+      headers["Authorization"] = `Bearer ${authOptions.vpJwt}`;
+    } else if (authOptions.issuerDid) {
+      headers["x-issuer-did"] = authOptions.issuerDid;
+    } else {
+      throw new Error("Either vpJwt or issuerDid is required for authentication");
+    }
+    const response = await fetch(getDidApiUrl(`/api/v1/grants/${grantId}`), {
+      method: "PUT",
+      headers,
+      body: JSON.stringify(request)
+    });
+    if (!response.ok) {
+      const error = await response.json();
+      throw new Error(error.error || `Failed to update grant: ${response.statusText}`);
+    }
+    const result = await response.json();
+    return result.data;
+  }
+};
+// src/client.ts
+__reExport(client_exports, require("@vess-id/ai-identity-types"));
+var AIdentityClient = class {
+  agent;
+  user;
+  vc;
+  vp;
+  tool;
+  memory;
+  organization;
+  grant;
+  keyManager;
+  currentAgent;
+  constructor(config, password) {
+    if (config) {
+      configure(config);
+    }
+    this.keyManager = new KeyManager(password);
+    this.agent = new AgentManager(this.keyManager);
+    this.user = new UserIdentityManager(this.keyManager);
+    this.vc = new VCManager(this.keyManager, this.agent, this.user);
+    this.vp = new VPManager(this.keyManager);
+    this.tool = new ToolManager(this.vp);
+    this.memory = new MemoryManager(this.vp);
+    this.organization = new OrganizationManager(this.vp, this.vc);
+    this.grant = new GrantManager(this.vp);
+  }
+  /**
+   * Quick setup: Create or load an agent
+   */
+  async setup(did) {
+    if (did) {
+      this.currentAgent = await this.agent.export(did).then(({ agent }) => agent);
+    } else {
+      this.currentAgent = await this.agent.create();
+    }
+    return this.currentAgent;
+  }
+  /**
+   * Get current agent
+   */
+  getCurrentAgent() {
+    return this.currentAgent;
+  }
+  /**
+   * Get current user DID
+   */
+  async getCurrentUserDID() {
+    return this.user.getCurrentUserDID();
+  }
+  /**
+   * Create or reset user identity
+   */
+  async resetUserIdentity() {
+    return this.user.resetUserIdentity();
+  }
+  /**
+   * Issue a VC for tool permission
+   * Enhanced to support User → Agent delegation pattern
+   */
+  async issueToolPermission(tool, action, options) {
+    return this.vc.issue(
+      "ToolPermissionVC",
+      {
+        tool: `${tool}.${action}`,
+        resourceScope: options.resourceScope,
+        aud: tool
+      },
+      {
+        issuerDid: options.issuerDid,
+        subjectDid: options.subjectDid,
+        agentId: options.agentId,
+        expiresIn: options.expiresIn || "1h"
+      }
+    );
+  }
+  /**
+   * Issue a VC for data access
+   * Enhanced to support User → Agent delegation pattern
+   */
+  async issueDataAccess(resource, actions, options) {
+    return this.vc.issue(
+      "DataAccessVC",
+      {
+        resource,
+        actions
+      },
+      {
+        issuerDid: options.issuerDid,
+        subjectDid: options.subjectDid,
+        agentId: options.agentId,
+        expiresIn: options.expiresIn || "24h"
+      }
+    );
+  }
+  /**
+   * Invoke a tool with automatic VP creation
+   */
+  async invokeTool(tool, action, params, vcs) {
+    const holderDid = this.currentAgent?.did;
+    if (!holderDid) {
+      throw new Error("No current agent available");
+    }
+    return this.tool.invoke(tool, action, params, {
+      vcs,
+      holderDid
+    });
+  }
+  /**
+   * Write to memory with automatic VP creation
+   */
+  async writeMemory(content, namespace, vcs, metadata) {
+    const holderDid = this.currentAgent?.did;
+    if (!holderDid) {
+      throw new Error("No current agent available");
+    }
+    return this.memory.write(content, {
+      namespace,
+      metadata,
+      vcs,
+      holderDid
+    });
+  }
+  /**
+   * Query memory with automatic VP creation
+   */
+  async queryMemory(query, vcs, options) {
+    const holderDid = this.currentAgent?.did;
+    if (!holderDid) {
+      throw new Error("No current agent available");
+    }
+    return this.memory.query(query, {
+      ...options,
+      vcs,
+      holderDid
+    });
+  }
+};
+var defaultClient;
+function getClient(config, password) {
+  if (!defaultClient) {
+    defaultClient = new AIdentityClient(config, password);
+  }
+  return defaultClient;
+}
+// src/vc/api-vc-manager.ts
+var import_ai_identity_types2 = require("@vess-id/ai-identity-types");
+// src/organization/disclosure-config-manager.ts
+var import_ai_identity_types = require("@vess-id/ai-identity-types");
+var DisclosureConfigManager = class {
+  configs = /* @__PURE__ */ new Map();
+  /**
+   * Set disclosure configuration for an organization
+   */
+  async setOrganizationConfig(organizationDid, config) {
+    const existingConfig = this.configs.get(organizationDid);
+    const now = /* @__PURE__ */ new Date();
+    const newConfig = {
+      organizationDid,
+      defaultFields: config.defaultFields || [],
+      credentialTypeConfigs: config.credentialTypeConfigs || /* @__PURE__ */ new Map(),
+      createdAt: existingConfig?.createdAt || now,
+      updatedAt: now
+    };
+    this.configs.set(organizationDid, newConfig);
+  }
+  /**
+   * Get disclosure configuration for an organization
+   */
+  async getOrganizationConfig(organizationDid) {
+    return this.configs.get(organizationDid) || null;
+  }
+  /**
+   * Set credential type specific disclosure configuration
+   */
+  async setCredentialTypeConfig(organizationDid, credentialType, config) {
+    let orgConfig = this.configs.get(organizationDid);
+    if (!orgConfig) {
+      const now = /* @__PURE__ */ new Date();
+      orgConfig = {
+        organizationDid,
+        defaultFields: [],
+        credentialTypeConfigs: /* @__PURE__ */ new Map(),
+        createdAt: now,
+        updatedAt: now
+      };
+    }
+    orgConfig.credentialTypeConfigs.set(credentialType, config);
+    orgConfig.updatedAt = /* @__PURE__ */ new Date();
+    this.configs.set(organizationDid, orgConfig);
+  }
+  /**
+   * Get selective disclosure fields for a specific credential type and organization
+   */
+  async getSelectiveDisclosureFields(organizationDid, credentialType, requestedFields) {
+    const orgConfig = this.configs.get(organizationDid);
+    if (!orgConfig) {
+      return this.getDefaultConfiguration(credentialType, requestedFields);
+    }
+    const typeConfig = orgConfig.credentialTypeConfigs.get(credentialType);
+    if (!typeConfig) {
+      return {
+        selectiveFields: requestedFields || orgConfig.defaultFields,
+        mandatoryFields: [],
+        neverDisclose: [],
+        decoyCount: 0
+      };
+    }
+    let selectiveFields = requestedFields || typeConfig.selectiveFields;
+    selectiveFields = selectiveFields.filter(
+      (field) => !typeConfig.neverDisclose.includes(field)
+    );
+    return {
+      selectiveFields,
+      mandatoryFields: typeConfig.mandatoryFields,
+      neverDisclose: typeConfig.neverDisclose,
+      decoyCount: typeConfig.decoyFields || 0
+    };
+  }
+  /**
+   * Get default configuration for credential types
+   */
+  getDefaultConfiguration(credentialType, requestedFields) {
+    const defaultConfigs = {
+      [import_ai_identity_types.CredentialType.PROJECT_ACCESS]: {
+        selectiveFields: ["permissions", "projectId"],
+        mandatoryFields: ["role"],
+        neverDisclose: ["privateKey", "secret"]
+      },
+      [import_ai_identity_types.CredentialType.TOOL_ACCESS]: {
+        selectiveFields: ["actions", "tool", "resourceScope"],
+        mandatoryFields: [],
+        neverDisclose: ["privateKey", "secret"]
+      },
+      [import_ai_identity_types.CredentialType.ADMIN]: {
+        selectiveFields: ["adminLevel", "scope"],
+        mandatoryFields: ["authorizedBy"],
+        neverDisclose: ["privateKey", "secret", "internalId"]
+      },
+      [import_ai_identity_types.CredentialType.DEVELOPER]: {
+        selectiveFields: ["skills", "experience", "projects"],
+        mandatoryFields: ["name"],
+        neverDisclose: ["salary", "privateInfo"]
+      },
+      [import_ai_identity_types.CredentialType.TEMPORARY]: {
+        selectiveFields: requestedFields || [],
+        mandatoryFields: [],
+        neverDisclose: ["privateKey", "secret"]
+      },
+      [import_ai_identity_types.CredentialType.RECEIPT]: {
+        selectiveFields: ["action", "resource", "outcome", "amount", "description", "date", "transactionId"],
+        mandatoryFields: ["grantId", "auditEventId", "receiptType"],
+        neverDisclose: ["signature", "privateKey", "secret", "internalReference"]
+      }
+    };
+    const config = defaultConfigs[credentialType] || defaultConfigs[import_ai_identity_types.CredentialType.TEMPORARY];
+    return {
+      selectiveFields: requestedFields || config.selectiveFields || [],
+      mandatoryFields: config.mandatoryFields || [],
+      neverDisclose: config.neverDisclose || [],
+      decoyCount: 0
+    };
+  }
+  /**
+   * Validate disclosure request against organization policy
+   */
+  async validateDisclosureRequest(organizationDid, credentialType, requestedFields) {
+    const config = await this.getSelectiveDisclosureFields(organizationDid, credentialType, requestedFields);
+    const errors = [];
+    const rejectedFields = [];
+    const forbiddenFields = requestedFields.filter(
+      (field) => config.neverDisclose.includes(field)
+    );
+    if (forbiddenFields.length > 0) {
+      rejectedFields.push(...forbiddenFields);
+      errors.push(`Fields not allowed for disclosure: ${forbiddenFields.join(", ")}`);
+    }
+    const allowedFields = requestedFields.filter(
+      (field) => !config.neverDisclose.includes(field)
+    );
+    return {
+      valid: errors.length === 0,
+      allowedFields,
+      rejectedFields,
+      errors
+    };
+  }
+  /**
+   * Get all organization configurations (for admin purposes)
+   */
+  async getAllConfigurations() {
+    return Array.from(this.configs.values());
+  }
+  /**
+   * Delete organization configuration
+   */
+  async deleteOrganizationConfig(organizationDid) {
+    return this.configs.delete(organizationDid);
+  }
+};
+// src/vc/api-vc-manager.ts
+var APIVCManager = class {
+  keyManager;
+  disclosureManager;
+  constructor(keyManager, disclosureManager) {
+    this.keyManager = keyManager || new KeyManager();
+    this.disclosureManager = disclosureManager || new DisclosureConfigManager();
+    SDJwtClient.setKeyManager(this.keyManager);
+  }
+  /**
+   * Issue an SD-JWT VC with selective disclosure
+   */
+  async issueSDJWTVC(request) {
+    if (!request.issuer || !request.subject) {
+      throw new Error("Issuer and subject DIDs are required");
+    }
+    const privateKey = await this.keyManager.getKey(request.issuer);
+    if (!privateKey) {
+      throw new Error(`Private key not found for issuer: ${request.issuer}`);
+    }
+    const now = /* @__PURE__ */ new Date();
+    const iat = Math.floor(now.getTime() / 1e3);
+    const expirationDate = request.expirationDate || new Date(now.getTime() + 24 * 60 * 60 * 1e3);
+    const exp = Math.floor(expirationDate.getTime() / 1e3);
+    const vcPayload = {
+      iss: request.issuer,
+      sub: request.subject,
+      iat,
+      exp,
+      vct: request.type || import_ai_identity_types2.CredentialType.TEMPORARY,
+      // IETF SD-JWT VC credential type
+      // Direct claims (can be selectively disclosed)
+      ...request.claims
+    };
+    const disclosureConfig = await this.disclosureManager.getSelectiveDisclosureFields(
+      request.issuer,
+      request.type || import_ai_identity_types2.CredentialType.TEMPORARY,
+      request.selectiveDisclosureFields
+    );
+    const credential = await SDJwtClient.issueSDJWT(
+      vcPayload,
+      privateKey,
+      disclosureConfig.selectiveFields
+    );
+    return {
+      credential,
+      issuer: request.issuer,
+      subject: request.subject,
+      type: request.type || import_ai_identity_types2.CredentialType.TEMPORARY,
+      expiresAt: expirationDate
+    };
+  }
+  /**
+   * Verify an SD-JWT VC
+   */
+  async verifySDJWTVC(credential) {
+    try {
+      if (!credential || typeof credential !== "string") {
+        return {
+          valid: false,
+          error: "Invalid credential format"
+        };
+      }
+      const result = await SDJwtClient.verifySDJWT(credential);
+      if (!result.valid || !result.payload) {
+        return {
+          valid: false,
+          error: result.error || "Verification failed"
+        };
+      }
+      return {
+        valid: true,
+        payload: {
+          iss: result.payload.iss,
+          sub: result.payload.sub,
+          vct: result.payload.vct,
+          exp: result.payload.exp,
+          iat: result.payload.iat,
+          // Include any other claims from the payload
+          ...Object.fromEntries(
+            Object.entries(result.payload).filter(
+              ([key]) => !["iss", "sub", "vct", "exp", "iat"].includes(key)
+            )
+          )
+        }
+      };
+    } catch (error) {
+      return {
+        valid: false,
+        error: `Verification error: ${error instanceof Error ? error.message : "Unknown error"}`
+      };
+    }
+  }
+  /**
+   * Issue a project access credential
+   */
+  async issueProjectAccessCredential(agentDid, projectId, permissions, issuerDid, expirationHours = 24) {
+    const expirationDate = new Date(Date.now() + expirationHours * 60 * 60 * 1e3);
+    return this.issueSDJWTVC({
+      issuer: issuerDid,
+      subject: agentDid,
+      type: import_ai_identity_types2.CredentialType.PROJECT_ACCESS,
+      claims: {
+        projectId,
+        permissions,
+        role: "developer"
+      },
+      expirationDate,
+      projectId,
+      selectiveDisclosureFields: ["permissions"]
+    });
+  }
+  /**
+   * Issue a tool access credential
+   */
+  async issueToolAccessCredential(agentDid, toolName, actions, projectId, issuerDid, expirationHours = 24) {
+    const expirationDate = new Date(Date.now() + expirationHours * 60 * 60 * 1e3);
+    return this.issueSDJWTVC({
+      issuer: issuerDid,
+      subject: agentDid,
+      type: import_ai_identity_types2.CredentialType.TOOL_ACCESS,
+      claims: {
+        tool: toolName,
+        actions,
+        projectId
+      },
+      expirationDate,
+      projectId,
+      selectiveDisclosureFields: ["actions", "tool"]
+    });
+  }
+  /**
+   * Issue a multi-tool access credential
+   */
+  async issueMultiToolCredential(agentDid, toolPermissions, projectId, issuerDid, expirationHours = 24) {
+    const expirationDate = new Date(Date.now() + expirationHours * 60 * 60 * 1e3);
+    return this.issueSDJWTVC({
+      issuer: issuerDid,
+      subject: agentDid,
+      type: import_ai_identity_types2.CredentialType.TOOL_ACCESS,
+      claims: {
+        toolPermissions,
+        projectId
+      },
+      expirationDate,
+      projectId,
+      selectiveDisclosureFields: ["toolPermissions"]
+    });
+  }
+  /**
+   * Issue an admin credential
+   */
+  async issueAdminCredential(agentDid, scope, projectId, issuerDid, expirationHours = 8) {
+    const expirationDate = new Date(Date.now() + expirationHours * 60 * 60 * 1e3);
+    return this.issueSDJWTVC({
+      issuer: issuerDid,
+      subject: agentDid,
+      type: import_ai_identity_types2.CredentialType.ADMIN,
+      claims: {
+        scope,
+        projectId,
+        adminLevel: scope === "global" ? "super" : "project"
+      },
+      expirationDate,
+      projectId,
+      selectiveDisclosureFields: ["adminLevel", "scope"]
+    });
+  }
+};
+// src/organization/key-rotation-manager.ts
+var KeyRotationManager = class {
+  keyManager;
+  config;
+  constructor(keyManager, config) {
+    this.keyManager = keyManager;
+    this.config = {
+      rotationInterval: 24 * 30,
+      // 30 days default
+      keepOldKeys: 5,
+      // Keep 5 old keys
+      warningThreshold: 24,
+      // Warn 1 day before
+      ...config
+    };
+  }
+  /**
+   * Check if organization keys need rotation
+   */
+  async checkRotationStatus(organizationDid) {
+    const now = /* @__PURE__ */ new Date();
+    const nextRotationDate = new Date(now.getTime() + this.config.rotationInterval * 60 * 60 * 1e3);
+    return {
+      currentKeyId: organizationDid,
+      nextRotationDate,
+      oldKeys: [],
+      needsRotation: false,
+      warningActive: false
+    };
+  }
+  /**
+   * Rotate organization keys
+   * NOTE: Currently not implemented for did:jwk
+   */
+  async rotateOrganizationKeys(organizationDid) {
+    throw new Error("Key rotation is not supported for did:jwk. Consider using did:web for production environments that require key rotation.");
+  }
+  /**
+   * Get old keys for verification (useful for grace periods)
+   */
+  async getOldKeysForVerification(organizationDid) {
+    return [];
+  }
+  /**
+   * Plan future key rotation (for did:web or other mutable DID methods)
+   */
+  async planKeyRotation(organizationDid) {
+    const now = /* @__PURE__ */ new Date();
+    const plannedRotationDate = new Date(now.getTime() + this.config.rotationInterval * 60 * 60 * 1e3);
+    const currentKeyAge = 0;
+    return {
+      plannedRotationDate,
+      currentKeyAge,
+      recommendedAction: "none"
+      // No rotation needed for did:jwk
+    };
+  }
+  /**
+   * Update rotation configuration
+   */
+  updateConfig(newConfig) {
+    this.config = {
+      ...this.config,
+      ...newConfig
+    };
+  }
+  /**
+   * Get current configuration
+   */
+  getConfig() {
+    return { ...this.config };
+  }
+};
+// src/monitoring/metrics-manager.ts
+var MetricsManager = class {
+  metrics = /* @__PURE__ */ new Map();
+  operations = [];
+  maxOperationHistory = 1e3;
+  /**
+   * Start tracking an operation
+   */
+  startOperation(operation, metadata) {
+    const operationId = `${operation}_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
+    const startTime = performance.now();
+    this.operations.push({
+      operation,
+      startTime,
+      endTime: 0,
+      success: false,
+      ...metadata
+    });
+    return operationId;
+  }
+  /**
+   * End tracking an operation
+   */
+  endOperation(operationId, success, error) {
+    const endTime = performance.now();
+    const operation = this.operations[this.operations.length - 1];
+    if (operation) {
+      operation.endTime = endTime;
+      operation.success = success;
+      operation.error = error;
+      this.updateMetrics(operation);
+    }
+    if (this.operations.length > this.maxOperationHistory) {
+      this.operations = this.operations.slice(-this.maxOperationHistory);
+    }
+  }
+  /**
+   * Update aggregated metrics
+   */
+  updateMetrics(operation) {
+    const key = operation.issuerDid || "global";
+    let metrics = this.metrics.get(key);
+    if (!metrics) {
+      metrics = {
+        issuanceCount: 0,
+        verificationCount: 0,
+        failedIssuances: 0,
+        failedVerifications: 0,
+        averageIssuanceTime: 0,
+        averageVerificationTime: 0,
+        cacheHitRate: 0,
+        lastActivity: /* @__PURE__ */ new Date()
+      };
+    }
+    const duration = operation.endTime - operation.startTime;
+    if (operation.operation === "issue") {
+      metrics.issuanceCount++;
+      if (!operation.success) {
+        metrics.failedIssuances++;
+      }
+      metrics.averageIssuanceTime = (metrics.averageIssuanceTime * (metrics.issuanceCount - 1) + duration) / metrics.issuanceCount;
+    } else {
+      metrics.verificationCount++;
+      if (!operation.success) {
+        metrics.failedVerifications++;
+      }
+      metrics.averageVerificationTime = (metrics.averageVerificationTime * (metrics.verificationCount - 1) + duration) / metrics.verificationCount;
+    }
+    metrics.lastActivity = /* @__PURE__ */ new Date();
+    this.metrics.set(key, metrics);
+  }
+  /**
+   * Get metrics for a specific issuer or global
+   */
+  getMetrics(issuerDid) {
+    const key = issuerDid || "global";
+    return this.metrics.get(key) || null;
+  }
+  /**
+   * Get all metrics
+   */
+  getAllMetrics() {
+    return new Map(this.metrics);
+  }
+  /**
+   * Get recent operations
+   */
+  getRecentOperations(limit = 100) {
+    return this.operations.slice(-limit);
+  }
+  /**
+   * Get operation statistics
+   */
+  getOperationStats() {
+    const now = Date.now();
+    const oneMinuteAgo = now - 6e4;
+    const recentOps = this.operations.filter((op) => op.startTime > oneMinuteAgo);
+    const successfulOps = this.operations.filter((op) => op.success);
+    const totalDuration = this.operations.reduce((sum, op) => sum + (op.endTime - op.startTime), 0);
+    return {
+      totalOperations: this.operations.length,
+      successRate: this.operations.length > 0 ? successfulOps.length / this.operations.length : 0,
+      averageResponseTime: this.operations.length > 0 ? totalDuration / this.operations.length : 0,
+      operationsPerMinute: recentOps.length
+    };
+  }
+  /**
+   * Update cache hit rate
+   */
+  updateCacheHitRate(issuerDid, hit) {
+    const key = issuerDid || "global";
+    let metrics = this.metrics.get(key);
+    if (!metrics) {
+      metrics = {
+        issuanceCount: 0,
+        verificationCount: 0,
+        failedIssuances: 0,
+        failedVerifications: 0,
+        averageIssuanceTime: 0,
+        averageVerificationTime: 0,
+        cacheHitRate: 0,
+        lastActivity: /* @__PURE__ */ new Date()
+      };
+    }
+    const currentRate = metrics.cacheHitRate;
+    const newRate = hit ? Math.min(1, currentRate + 0.1) : Math.max(0, currentRate - 0.1);
+    metrics.cacheHitRate = newRate;
+    metrics.lastActivity = /* @__PURE__ */ new Date();
+    this.metrics.set(key, metrics);
+  }
+  /**
+   * Reset metrics
+   */
+  resetMetrics(issuerDid) {
+    if (issuerDid) {
+      this.metrics.delete(issuerDid);
+    } else {
+      this.metrics.clear();
+      this.operations = [];
+    }
+  }
+  /**
+   * Export metrics as JSON
+   */
+  exportMetrics() {
+    return {
+      aggregatedMetrics: Object.fromEntries(this.metrics),
+      recentOperations: this.getRecentOperations(50),
+      summary: this.getOperationStats()
+    };
+  }
+};
+// src/revocation/revocation-manager.ts
+var RevocationManager = class {
+  revocationLists = /* @__PURE__ */ new Map();
+  credentialStatuses = /* @__PURE__ */ new Map();
+  /**
+   * Create a new revocation list
+   */
+  async createRevocationList(issuer, type = "StatusList2021", purpose = "revocation") {
+    const id = `${issuer}#revocation-list-${Date.now()}`;
+    const now = /* @__PURE__ */ new Date();
+    const revocationList = {
+      id,
+      issuer,
+      type,
+      statusPurpose: purpose,
+      encodedList: this.createEmptyBitString(1e5),
+      // Start with 100k slots
+      entries: [],
+      createdAt: now,
+      updatedAt: now
+    };
+    this.revocationLists.set(id, revocationList);
+    return revocationList;
+  }
+  /**
+   * Add credential to revocation list
+   */
+  async addCredentialToRevocationList(credentialId, listId, statusIndex) {
+    const revocationList = this.revocationLists.get(listId);
+    if (!revocationList) {
+      throw new Error(`Revocation list not found: ${listId}`);
+    }
+    const index = statusIndex ?? this.findNextAvailableIndex(listId);
+    const statusInfo = {
+      id: `${credentialId}#status`,
+      type: "StatusList2021Entry",
+      statusListIndex: index,
+      statusListCredential: listId
+    };
+    this.credentialStatuses.set(credentialId, statusInfo);
+    return statusInfo;
+  }
+  /**
+   * Revoke a credential
+   */
+  async revokeCredential(credentialId, reason, revokedBy) {
+    const statusInfo = this.credentialStatuses.get(credentialId);
+    if (!statusInfo) {
+      throw new Error(`Credential not found in revocation tracking: ${credentialId}`);
+    }
+    const revocationList = this.revocationLists.get(statusInfo.statusListCredential);
+    if (!revocationList) {
+      throw new Error(`Revocation list not found: ${statusInfo.statusListCredential}`);
+    }
+    const updatedBitString = this.setBitInString(
+      revocationList.encodedList,
+      statusInfo.statusListIndex,
+      true
+    );
+    const revocationEntry = {
+      credentialId,
+      revocationDate: /* @__PURE__ */ new Date(),
+      reason,
+      revokedBy: revokedBy || "system"
+    };
+    revocationList.encodedList = updatedBitString;
+    revocationList.entries.push(revocationEntry);
+    revocationList.updatedAt = /* @__PURE__ */ new Date();
+    statusInfo.revocationReason = reason;
+    statusInfo.revocationDate = /* @__PURE__ */ new Date();
+    this.revocationLists.set(revocationList.id, revocationList);
+    this.credentialStatuses.set(credentialId, statusInfo);
+    return true;
+  }
+  /**
+   * Check if credential is revoked
+   */
+  async isCredentialRevoked(credentialId) {
+    const statusInfo = this.credentialStatuses.get(credentialId);
+    if (!statusInfo) {
+      return { revoked: false };
+    }
+    const revocationList = this.revocationLists.get(statusInfo.statusListCredential);
+    if (!revocationList) {
+      return { revoked: false };
+    }
+    const isRevoked = this.getBitFromString(
+      revocationList.encodedList,
+      statusInfo.statusListIndex
+    );
+    if (!isRevoked) {
+      return { revoked: false };
+    }
+    const entry = revocationList.entries.find((e) => e.credentialId === credentialId);
+    return {
+      revoked: true,
+      reason: entry?.reason,
+      revokedDate: entry?.revocationDate,
+      revokedBy: entry?.revokedBy
+    };
+  }
+  /**
+   * Get credential status info
+   */
+  async getCredentialStatus(credentialId) {
+    return this.credentialStatuses.get(credentialId) || null;
+  }
+  /**
+   * Get revocation list
+   */
+  async getRevocationList(listId) {
+    return this.revocationLists.get(listId) || null;
+  }
+  /**
+   * Get all revocation lists for an issuer
+   */
+  async getIssuerRevocationLists(issuer) {
+    return Array.from(this.revocationLists.values()).filter((list) => list.issuer === issuer);
+  }
+  /**
+   * Restore/unreovke a credential
+   */
+  async restoreCredential(credentialId) {
+    const statusInfo = this.credentialStatuses.get(credentialId);
+    if (!statusInfo) {
+      throw new Error(`Credential not found in revocation tracking: ${credentialId}`);
+    }
+    const revocationList = this.revocationLists.get(statusInfo.statusListCredential);
+    if (!revocationList) {
+      throw new Error(`Revocation list not found: ${statusInfo.statusListCredential}`);
+    }
+    const updatedBitString = this.setBitInString(
+      revocationList.encodedList,
+      statusInfo.statusListIndex,
+      false
+    );
+    revocationList.encodedList = updatedBitString;
+    revocationList.updatedAt = /* @__PURE__ */ new Date();
+    delete statusInfo.revocationReason;
+    delete statusInfo.revocationDate;
+    this.revocationLists.set(revocationList.id, revocationList);
+    this.credentialStatuses.set(credentialId, statusInfo);
+    return true;
+  }
+  /**
+   * Create empty bit string
+   */
+  createEmptyBitString(size) {
+    const bytes = Math.ceil(size / 8);
+    const buffer = Buffer.alloc(bytes, 0);
+    return buffer.toString("base64");
+  }
+  /**
+   * Set bit in encoded string
+   */
+  setBitInString(encodedString, index, value) {
+    const buffer = Buffer.from(encodedString, "base64");
+    const byteIndex = Math.floor(index / 8);
+    const bitIndex = index % 8;
+    if (byteIndex >= buffer.length) {
+      throw new Error(`Bit index ${index} is out of bounds for buffer of size ${buffer.length * 8}`);
+    }
+    if (value) {
+      buffer[byteIndex] |= 1 << 7 - bitIndex;
+    } else {
+      buffer[byteIndex] &= ~(1 << 7 - bitIndex);
+    }
+    return buffer.toString("base64");
+  }
+  /**
+   * Get bit from encoded string
+   */
+  getBitFromString(encodedString, index) {
+    const buffer = Buffer.from(encodedString, "base64");
+    const byteIndex = Math.floor(index / 8);
+    const bitIndex = index % 8;
+    if (byteIndex >= buffer.length) {
+      return false;
+    }
+    return (buffer[byteIndex] & 1 << 7 - bitIndex) !== 0;
+  }
+  /**
+   * Find next available index in revocation list
+   */
+  findNextAvailableIndex(listId) {
+    const usedIndices = Array.from(this.credentialStatuses.values()).filter((status) => status.statusListCredential === listId).map((status) => status.statusListIndex);
+    let index = 0;
+    while (usedIndices.includes(index)) {
+      index++;
+    }
+    return index;
+  }
+  /**
+   * Export revocation list in standard format
+   */
+  async exportRevocationList(listId) {
+    const list = this.revocationLists.get(listId);
+    if (!list) {
+      return null;
+    }
+    return {
+      "@context": [
+        "https://www.w3.org/2018/credentials/v1",
+        "https://w3id.org/vc/status-list/2021/v1"
+      ],
+      id: list.id,
+      type: ["VerifiableCredential", "StatusList2021Credential"],
+      issuer: list.issuer,
+      validFrom: list.createdAt.toISOString(),
+      credentialSubject: {
+        id: `${list.id}#list`,
+        type: list.type,
+        statusPurpose: list.statusPurpose,
+        encodedList: list.encodedList
+      }
+    };
+  }
+};
+// src/constraint/constraint-evaluator.ts
+var DEFAULT_OPTIONS = {
+  invocationWarningThreshold: 5,
+  riskWarningRatio: 0.8,
+  defaultTimezone: "UTC"
+};
+var ConstraintEvaluator = class {
+  options;
+  constructor(options) {
+    this.options = { ...DEFAULT_OPTIONS, ...options };
+  }
+  /**
+   * 制約を総合評価
+   */
+  evaluate(constraints, context, currentInvocations, expiresAt) {
+    const violations = [];
+    const warnings = [];
+    const expirationResult = this.checkExpiration(expiresAt, constraints.expiresAt);
+    if (expirationResult.violation) {
+      violations.push(expirationResult.violation);
+    }
+    const invocationResult = this.checkInvocationLimit(
+      constraints.maxInvocations,
+      currentInvocations
+    );
+    if (invocationResult.violation) {
+      violations.push(invocationResult.violation);
+    }
+    if (invocationResult.warning) {
+      warnings.push(invocationResult.warning);
+    }
+    if (constraints.timeWindow) {
+      const timeResult = this.checkTimeWindow(
+        constraints.timeWindow,
+        new Date(context.timestamp)
+      );
+      if (timeResult.violation) {
+        violations.push(timeResult.violation);
+      }
+      if (timeResult.warning) {
+        warnings.push(timeResult.warning);
+      }
+    }
+    if (constraints.ipAllowlist && constraints.ipAllowlist.length > 0 && context.ipAddress) {
+      const ipResult = this.checkIpAllowlist(constraints.ipAllowlist, context.ipAddress);
+      if (ipResult.violation) {
+        violations.push(ipResult.violation);
+      }
+    }
+    if (constraints.riskThreshold !== void 0 && context.riskScore !== void 0) {
+      const riskResult = this.checkRiskThreshold(constraints.riskThreshold, context.riskScore);
+      if (riskResult.violation) {
+        violations.push(riskResult.violation);
+      }
+      if (riskResult.warning) {
+        warnings.push(riskResult.warning);
+      }
+    }
+    return {
+      allowed: violations.length === 0,
+      violations,
+      warnings,
+      evaluatedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      context
+    };
+  }
+  /**
+   * 期限チェック
+   */
+  checkExpiration(grantExpiresAt, constraintExpiresAt) {
+    const now = /* @__PURE__ */ new Date();
+    if (grantExpiresAt && new Date(grantExpiresAt) < now) {
+      return {
+        violation: {
+          type: "expired",
+          message: `Grant expired at ${grantExpiresAt.toISOString()}`,
+          details: { expiresAt: grantExpiresAt.toISOString(), now: now.toISOString() }
+        }
+      };
+    }
+    if (constraintExpiresAt && new Date(constraintExpiresAt) < now) {
+      return {
+        violation: {
+          type: "expired",
+          message: `Constraint expired at ${constraintExpiresAt}`,
+          details: { expiresAt: constraintExpiresAt, now: now.toISOString() }
+        }
+      };
+    }
+    return {};
+  }
+  /**
+   * 実行回数チェック
+   */
+  checkInvocationLimit(maxInvocations, currentInvocations) {
+    if (maxInvocations === void 0 || currentInvocations === void 0) {
+      return {};
+    }
+    const remaining = maxInvocations - currentInvocations;
+    if (remaining <= 0) {
+      return {
+        violation: {
+          type: "max_invocations",
+          message: `Invocation limit reached (${maxInvocations} max, ${currentInvocations} used)`,
+          details: { maxInvocations, currentInvocations, remaining: 0 }
+        }
+      };
+    }
+    if (remaining <= this.options.invocationWarningThreshold) {
+      return {
+        warning: {
+          type: "approaching_limit",
+          message: `Only ${remaining} invocations remaining out of ${maxInvocations}`,
+          details: { maxInvocations, currentInvocations, remaining }
+        }
+      };
+    }
+    return {};
+  }
+  /**
+   * 時間帯チェック
+   */
+  checkTimeWindow(timeWindow, currentTime) {
+    const timezone = timeWindow.timezone || this.options.defaultTimezone;
+    if (timeWindow.daysOfWeek && timeWindow.daysOfWeek.length > 0) {
+      const currentDay = this.getDayOfWeekInTimezone(currentTime, timezone);
+      if (!timeWindow.daysOfWeek.includes(currentDay)) {
+        return {
+          violation: {
+            type: "time_window",
+            message: `Current day (${this.getDayName(currentDay)}) is not in allowed days`,
+            details: {
+              currentDay,
+              allowedDays: timeWindow.daysOfWeek,
+              allowedDayNames: timeWindow.daysOfWeek.map((d) => this.getDayName(d))
+            }
+          }
+        };
+      }
+    }
+    if (timeWindow.start && timeWindow.end) {
+      const currentTimeStr = this.getTimeInTimezone(currentTime, timezone);
+      if (timeWindow.start <= timeWindow.end) {
+        if (currentTimeStr < timeWindow.start || currentTimeStr > timeWindow.end) {
+          return {
+            violation: {
+              type: "time_window",
+              message: `Current time (${currentTimeStr}) is outside allowed window (${timeWindow.start}-${timeWindow.end})`,
+              details: { currentTime: currentTimeStr, start: timeWindow.start, end: timeWindow.end, timezone }
+            }
+          };
+        }
+      } else {
+        if (currentTimeStr < timeWindow.start && currentTimeStr > timeWindow.end) {
+          return {
+            violation: {
+              type: "time_window",
+              message: `Current time (${currentTimeStr}) is outside allowed window (${timeWindow.start}-${timeWindow.end})`,
+              details: { currentTime: currentTimeStr, start: timeWindow.start, end: timeWindow.end, timezone }
+            }
+          };
+        }
+      }
+      const endMinutes = this.timeToMinutes(timeWindow.end);
+      const currentMinutes = this.timeToMinutes(currentTimeStr);
+      const minutesUntilEnd = endMinutes - currentMinutes;
+      if (minutesUntilEnd > 0 && minutesUntilEnd <= 60) {
+        return {
+          warning: {
+            type: "unusual_time",
+            message: `Only ${minutesUntilEnd} minutes remaining in allowed time window`,
+            details: { minutesUntilEnd, windowEnd: timeWindow.end }
+          }
+        };
+      }
+    }
+    return {};
+  }
+  /**
+   * IPアドレスチェック
+   */
+  checkIpAllowlist(allowlist, ipAddress) {
+    if (allowlist.includes("*")) {
+      return {};
+    }
+    if (allowlist.includes(ipAddress)) {
+      return {};
+    }
+    for (const entry of allowlist) {
+      if (entry.includes("/")) {
+        if (this.isIpInCidr(ipAddress, entry)) {
+          return {};
+        }
+      }
+    }
+    return {
+      violation: {
+        type: "ip_allowlist",
+        message: `IP address ${ipAddress} is not in the allowlist`,
+        details: { ipAddress, allowlist }
+      }
+    };
+  }
+  /**
+   * リスクスコアチェック
+   */
+  checkRiskThreshold(threshold, currentScore) {
+    if (currentScore > threshold) {
+      return {
+        violation: {
+          type: "risk_threshold",
+          message: `Risk score ${currentScore} exceeds threshold ${threshold}`,
+          details: { currentScore, threshold }
+        }
+      };
+    }
+    const warningThreshold = threshold * this.options.riskWarningRatio;
+    if (currentScore > warningThreshold) {
+      return {
+        warning: {
+          type: "high_risk",
+          message: `Risk score ${currentScore} is approaching threshold ${threshold}`,
+          details: { currentScore, threshold, warningThreshold }
+        }
+      };
+    }
+    return {};
+  }
+  // ============================================================================
+  // Helper Methods
+  // ============================================================================
+  getDayOfWeekInTimezone(date, timezone) {
+    try {
+      const options = { weekday: "short", timeZone: timezone };
+      const dayStr = date.toLocaleDateString("en-US", options);
+      const dayMap = { Sun: 0, Mon: 1, Tue: 2, Wed: 3, Thu: 4, Fri: 5, Sat: 6 };
+      return dayMap[dayStr] ?? date.getDay();
+    } catch {
+      return date.getDay();
+    }
+  }
+  getTimeInTimezone(date, timezone) {
+    try {
+      const options = {
+        hour: "2-digit",
+        minute: "2-digit",
+        hour12: false,
+        timeZone: timezone
+      };
+      return date.toLocaleTimeString("en-US", options);
+    } catch {
+      return date.toISOString().slice(11, 16);
+    }
+  }
+  getDayName(day) {
+    const names = ["Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"];
+    return names[day] || "Unknown";
+  }
+  timeToMinutes(time) {
+    const [hours, minutes] = time.split(":").map(Number);
+    return hours * 60 + minutes;
+  }
+  isIpInCidr(ip, cidr) {
+    try {
+      const [range, bits] = cidr.split("/");
+      const mask = parseInt(bits, 10);
+      const ipNum = this.ipToNumber(ip);
+      const rangeNum = this.ipToNumber(range);
+      const maskNum = ~(2 ** (32 - mask) - 1);
+      return (ipNum & maskNum) === (rangeNum & maskNum);
+    } catch {
+      return false;
+    }
+  }
+  ipToNumber(ip) {
+    const parts = ip.split(".").map(Number);
+    return (parts[0] << 24) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
+  }
+};
+var defaultConstraintEvaluator = new ConstraintEvaluator();
+function evaluateConstraints(constraints, context, currentInvocations, expiresAt) {
+  return defaultConstraintEvaluator.evaluate(constraints, context, currentInvocations, expiresAt);
+}
+// src/registry/action-registry.ts
+var import_ajv = __toESM(require("ajv"));
+var import_ajv_formats = __toESM(require("ajv-formats"));
+var import_promises = __toESM(require("fs/promises"));
+var import_node_path = __toESM(require("path"));
+var actionMetaSchema = {
+  $id: "https://vess.ai/schemas/action-meta.json",
+  type: "object",
+  additionalProperties: false,
+  required: ["action", "resource_type", "required_relations", "required_scopes", "version"],
+  properties: {
+    action: { type: "string", minLength: 1 },
+    resource_type: {
+      type: "string",
+      enum: ["SlackChannel", "GitHubRepo", "DriveFile"]
+    },
+    required_relations: {
+      type: "array",
+      minItems: 1,
+      items: {
+        type: "string",
+        enum: ["viewer", "editor", "admin", "owner", "act_as"]
+      }
+    },
+    required_scopes: {
+      type: "array",
+      minItems: 1,
+      items: { type: "string", minLength: 1 }
+    },
+    capability: { type: "string" },
+    input_schema: { type: "object" },
+    // ← ここは後段で「JSON Schemaとして」別検証
+    constraints: { type: "object", additionalProperties: true },
+    effects: {
+      type: "array",
+      items: { type: "string", minLength: 1 }
+    },
+    risk: { type: "string", enum: ["low", "medium", "high"] },
+    version: { type: "string", minLength: 1 }
+  }
+};
+var capabilityMetaSchema = {
+  $id: "https://vess.ai/schemas/capability-meta.json",
+  type: "object",
+  additionalProperties: false,
+  required: ["capability", "includes", "version"],
+  properties: {
+    capability: { type: "string", minLength: 1 },
+    description: { type: "string" },
+    includes: {
+      type: "array",
+      minItems: 1,
+      items: { type: "string", minLength: 1 }
+    },
+    version: { type: "string", minLength: 1 }
+  }
+};
+var registrySchema = {
+  $id: "https://vess.ai/schemas/action-registry.json",
+  type: "object",
+  additionalProperties: false,
+  required: ["registry_version", "actions"],
+  properties: {
+    registry_version: { type: "string", minLength: 1 },
+    actions: {
+      type: "array",
+      minItems: 1,
+      items: { $ref: "https://vess.ai/schemas/action-meta.json" }
+    },
+    capabilities: {
+      type: "array",
+      items: { $ref: "https://vess.ai/schemas/capability-meta.json" }
+    }
+  }
+};
+function createAjv() {
+  const ajv = new import_ajv.default({
+    allErrors: true,
+    strict: true,
+    allowUnionTypes: true
+    // draft-2020-12 デフォルト。input_schema のメタ検証に使う。
+  });
+  (0, import_ajv_formats.default)(ajv);
+  ajv.addSchema(actionMetaSchema);
+  ajv.addSchema(capabilityMetaSchema);
+  ajv.addSchema(registrySchema);
+  return ajv;
+}
+function validateRegistryObject(registry) {
+  const ajv = createAjv();
+  const validate = ajv.getSchema("https://vess.ai/schemas/action-registry.json");
+  if (!validate) {
+    return { ok: false, errors: ["Ajv schema not loaded"] };
+  }
+  const valid = validate(registry);
+  if (!valid) {
+    return {
+      ok: false,
+      errors: validate.errors ? formatAjvErrors(validate.errors) : []
+    };
+  }
+  const typed = registry;
+  const schemaErrors = [];
+  for (const a of typed.actions) {
+    if (a.input_schema) {
+      try {
+        const local = new import_ajv.default({ strict: true, allErrors: true });
+        (0, import_ajv_formats.default)(local);
+        const compiled = local.compile(a.input_schema);
+        if (compiled.errors?.length) {
+          schemaErrors.push(
+            `[${a.action}] input_schema errors: ${formatAjvErrors(
+              compiled.errors
+            ).join("; ")}`
+          );
+        }
+      } catch (e) {
+        schemaErrors.push(`[${a.action}] input_schema invalid: ${e?.message ?? String(e)}`);
+      }
+    }
+  }
+  if (schemaErrors.length) {
+    return { ok: false, errors: schemaErrors };
+  }
+  if (typed.capabilities?.length) {
+    const actionsSet = new Set(typed.actions.map((x) => x.action));
+    for (const c of typed.capabilities) {
+      for (const act of c.includes) {
+        if (!actionsSet.has(act)) {
+          schemaErrors.push(`[capability:${c.capability}] includes unknown action: ${act}`);
+        }
+      }
+    }
+  }
+  if (schemaErrors.length) {
+    return { ok: false, errors: schemaErrors };
+  }
+  return { ok: true };
+}
+function formatAjvErrors(errors) {
+  if (!errors?.length) return [];
+  return errors.map((e) => {
+    const instancePath = e.instancePath || "/";
+    const msg = e.message || "invalid";
+    const params = e.params && Object.keys(e.params).length ? ` (${JSON.stringify(e.params)})` : "";
+    return `${instancePath}: ${msg}${params}`;
+  });
+}
+async function loadActionRegistryFromFile(filePath) {
+  const abs = import_node_path.default.resolve(filePath);
+  const raw = await import_promises.default.readFile(abs, "utf8");
+  const json = JSON.parse(raw);
+  const result = validateRegistryObject(json);
+  if (!result.ok) {
+    const errs = result.errors?.join("\n - ") || "";
+    throw new Error(`ActionRegistry validation failed:
+ - ${errs}`);
+  }
+  return json;
+}
+function loadActionRegistryFromObject(obj) {
+  const result = validateRegistryObject(obj);
+  if (!result.ok) {
+    const errs = result.errors?.join("\n - ") || "";
+    throw new Error(`ActionRegistry validation failed:
+ - ${errs}`);
+  }
+  return obj;
+}
+function indexActions(reg) {
+  const map = /* @__PURE__ */ new Map();
+  for (const a of reg.actions) map.set(a.action, a);
+  return map;
+}
+function indexCapabilities(reg) {
+  const map = /* @__PURE__ */ new Map();
+  for (const c of reg.capabilities ?? []) map.set(c.capability, c);
+  return map;
+}
+function getRequiredScopes(regIndex, action) {
+  return regIndex.get(action)?.required_scopes ?? [];
+}
+function getRequiredRelations(regIndex, action) {
+  return regIndex.get(action)?.required_relations ?? [];
+}
+// src/registry/access-orchestrator.ts
+function resolveActionsFromSelection(registry, selection) {
+  const aIndex = indexActions(registry);
+  const cIndex = indexCapabilities(registry);
+  const out = /* @__PURE__ */ new Set();
+  for (const item of selection) {
+    if (aIndex.has(item)) {
+      out.add(item);
+      continue;
+    }
+    const cap = cIndex.get(item);
+    if (cap) {
+      for (const act of cap.includes) out.add(act);
+      continue;
+    }
+  }
+  return [...out];
+}
+async function planDelegationForVC(input) {
+  const {
+    registry,
+    issuerUserDid,
+    requested,
+    resourceScope,
+    rebac,
+    abac,
+    creds,
+    providerByIa = {},
+    context
+  } = input;
+  const requestedActions = resolveActionsFromSelection(registry, requested);
+  const aIndex = indexActions(registry);
+  const granted = [];
+  const rejected = [];
+  const traceByAction = {};
+  const resourceScopes = resourceScope.filter((s) => s.kind === "Resource");
+  for (const action of requestedActions) {
+    const meta = aIndex.get(action);
+    const t = {};
+    traceByAction[action] = t;
+    if (!meta) {
+      rejected.push(action);
+      continue;
+    }
+    if (resourceScopes.length) {
+      let rebacOk = false;
+      for (const rs of resourceScopes) {
+        const rels = getRequiredRelations(aIndex, action);
+        const ok = await rebac.check(
+          issuerUserDid,
+          rels.length ? rels : ["owner", "admin", "editor", "viewer"],
+          {
+            id: rs.id,
+            type: rs.type,
+            iaId: ""
+            // 発行時点では空でもOK。持っているなら入れる。
+          }
+        );
+        if (ok) {
+          rebacOk = true;
+          break;
+        }
+      }
+      t.rebac = { ok: rebacOk, relations: getRequiredRelations(aIndex, action) };
+      if (!rebacOk) {
+        rejected.push(action);
+        continue;
+      }
+    }
+    const abacDec = await abac.evaluate({
+      principal: { id: issuerUserDid, roles: ["user"] },
+      resource: {
+        kind: resourceScopes[0]?.type ?? meta.resource_type,
+        id: resourceScopes[0]?.id ?? "SCOPE_ONLY",
+        attr: {}
+      },
+      action,
+      context
+    });
+    t.abac = { ok: abacDec.allow, ruleId: abacDec.ruleId, reason: abacDec.reason };
+    if (!abacDec.allow) {
+      rejected.push(action);
+      continue;
+    }
+    let scopeOk = true;
+    const required = getRequiredScopes(aIndex, action);
+    if (resourceScopes.length && required.length) {
+      scopeOk = false;
+      for (const rs of resourceScopes) {
+        const provider = inferProviderByResourceType(rs.type);
+        const cred = await creds.pickMinimal(provider, "", required, issuerUserDid);
+        if (cred) {
+          scopeOk = true;
+          break;
+        }
+      }
+    }
+    t.scope = { ok: scopeOk, required };
+    if (!scopeOk) {
+      rejected.push(action);
+      continue;
+    }
+    granted.push(action);
+  }
+  return { granted_actions: granted, rejected_actions: rejected, traceByAction };
+}
+function inferProviderByResourceType(rt) {
+  switch (rt) {
+    case "SlackChannel":
+      return "slack";
+    case "GitHubRepo":
+      return "github";
+    case "DriveFile":
+      return "google";
+  }
+}
+async function checkPermissionWithVP(input) {
+  const { registry, actorDid, action, resource, vpToken, context, rebac, abac, creds, vpVerifier } = input;
+  const aIndex = indexActions(registry);
+  const meta = aIndex.get(action);
+  if (!meta) {
+    return { allow: false, reason: "unknown_action", trace: {} };
+  }
+  const trace = {};
+  const rels = getRequiredRelations(aIndex, action);
+  const rebacOk = await rebac.check(actorDid, rels.length ? rels : ["viewer"], resource);
+  trace.rebac = { ok: rebacOk, relations: rels };
+  if (!rebacOk) {
+    return { allow: false, reason: "rebac_denied", trace };
+  }
+  const vc = await vpVerifier.verifyAndExtractClaims(vpToken);
+  let matchedAction = vc.allowed_actions?.includes(action) ?? false;
+  let inScope = isResourceInScopes(resource, vc.resource_scope || []);
+  const notExpired = !vc.expires_at || new Date(vc.expires_at).getTime() > Date.now();
+  trace.delegation = {
+    ok: matchedAction && inScope && notExpired,
+    matched_action: matchedAction,
+    in_scope: inScope,
+    notExpired
+  };
+  if (!trace.delegation.ok) {
+    return { allow: false, reason: "delegation_denied", trace };
+  }
+  const abacDec = await abac.evaluate({
+    principal: {
+      id: actorDid,
+      roles: ["agent"],
+      claims: {
+        assurance_level: vc.assurance_level,
+        actor: vc.actor
+      }
+    },
+    resource: {
+      kind: resource.type,
+      id: resource.id,
+      attr: resource.attr || {}
+    },
+    action,
+    context
+  });
+  trace.abac = { ok: abacDec.allow, ruleId: abacDec.ruleId, reason: abacDec.reason };
+  if (!abacDec.allow) {
+    return { allow: false, reason: "abac_denied", trace };
+  }
+  const provider = inferProviderByResourceType(resource.type);
+  const requiredScopes = getRequiredScopes(aIndex, action);
+  const cred = await creds.pickMinimal(provider, resource.iaId, requiredScopes, actorDid);
+  trace.scope = {
+    ok: !!cred,
+    required: requiredScopes,
+    chosenCredentialId: cred?.id
+  };
+  if (!cred) {
+    return { allow: false, reason: "insufficient_scopes", trace, credential: null };
+  }
+  return { allow: true, trace, credential: cred };
+}
+function isResourceInScopes(resource, scopes) {
+  for (const s of scopes) {
+    if (s.kind === "Resource") {
+      if (s.type === resource.type && s.id === resource.id) return true;
+    } else if (s.kind === "IntegrationAccount") {
+      if (s.id === resource.iaId) return true;
+    } else if (s.kind === "Workspace") {
+      return true;
+    }
+  }
+  return false;
+}
+var AllowAllAbac = class {
+  async evaluate() {
+    return { allow: true, ruleId: "allow_all" };
+  }
+};
+var SimpleRebac = class {
+  constructor(allowRelations = ["viewer", "editor", "admin", "owner", "act_as"]) {
+    this.allowRelations = allowRelations;
+  }
+  async check(_sub, relations) {
+    return relations.some((r) => this.allowRelations.includes(r));
+  }
+};
+var DummyCreds = class {
+  async pickMinimal(provider, _iaId, requiredScopes) {
+    if (!requiredScopes.length) return { id: `${provider}-none`, provider, scopes: [] };
+    return { id: `${provider}-demo`, provider, scopes: requiredScopes };
+  }
+};
+var DummyVpVerifier = class {
+  constructor(vc) {
+    this.vc = vc;
+  }
+  async verifyAndExtractClaims() {
+    return this.vc;
+  }
+};
+// src/registry/action-registry-json.ts
+var ACTION_REGISTRY = {
+  registry_version: "2025-09-28",
+  actions: [
+    {
+      action: "slack:channel.post_message",
+      resource_type: "SlackChannel",
+      required_relations: ["editor", "act_as"],
+      required_scopes: ["chat:write"],
+      capability: "slack.messaging.basic",
+      input_schema: {
+        type: "object",
+        properties: {
+          text: { type: "string", minLength: 1, maxLength: 4e4 },
+          thread_ts: { type: "string" },
+          attachments: { type: "array" }
+        },
+        required: ["text"],
+        additionalProperties: false
+      },
+      constraints: { rate_bucket: "slack.post" },
+      effects: ["Create:Message"],
+      risk: "low",
+      version: "1.0.0"
+    },
+    {
+      action: "slack:channel.read",
+      resource_type: "SlackChannel",
+      required_relations: ["viewer", "editor", "admin", "owner"],
+      required_scopes: ["channels:history", "groups:history", "im:history", "mpim:history"],
+      capability: "slack.read.basic",
+      input_schema: {
+        type: "object",
+        properties: {
+          latest: { type: "string" },
+          oldest: { type: "string" },
+          limit: { type: "integer", minimum: 1, maximum: 1e3 }
+        },
+        additionalProperties: false
+      },
+      constraints: { rate_bucket: "slack.read" },
+      effects: ["Read:Message"],
+      risk: "low",
+      version: "1.0.0"
+    },
+    {
+      action: "slack:channel.add_reaction",
+      resource_type: "SlackChannel",
+      required_relations: ["editor", "act_as"],
+      required_scopes: ["reactions:write", "chat:write"],
+      capability: "slack.messaging.enhanced",
+      input_schema: {
+        type: "object",
+        properties: {
+          name: { type: "string", minLength: 1 },
+          timestamp: { type: "string" }
+        },
+        required: ["name", "timestamp"],
+        additionalProperties: false
+      },
+      constraints: { rate_bucket: "slack.post" },
+      effects: ["Update:MessageReaction"],
+      risk: "low",
+      version: "1.0.0"
+    },
+    {
+      action: "gh:repo.read",
+      resource_type: "GitHubRepo",
+      required_relations: ["viewer", "editor", "admin", "owner"],
+      required_scopes: ["repo", "public_repo"],
+      capability: "gh.read.basic",
+      input_schema: {
+        type: "object",
+        properties: {
+          path: { type: "string" },
+          ref: { type: "string" }
+        },
+        additionalProperties: false
+      },
+      constraints: { rate_bucket: "github.read" },
+      effects: ["Read:Repo"],
+      risk: "low",
+      version: "1.0.0"
+    },
+    {
+      action: "gh:repo.create_issue",
+      resource_type: "GitHubRepo",
+      required_relations: ["editor", "act_as"],
+      required_scopes: ["repo"],
+      capability: "gh.issues.triage",
+      input_schema: {
+        type: "object",
+        properties: {
+          title: { type: "string", minLength: 1 },
+          body: { type: "string" },
+          labels: { type: "array", items: { type: "string" } },
+          assignees: { type: "array", items: { type: "string" } }
+        },
+        required: ["title"],
+        additionalProperties: false
+      },
+      constraints: { rate_bucket: "github.write" },
+      effects: ["Create:Issue"],
+      risk: "medium",
+      version: "1.0.0"
+    },
+    {
+      action: "gh:repo.comment",
+      resource_type: "GitHubRepo",
+      required_relations: ["editor", "act_as"],
+      required_scopes: ["repo"],
+      capability: "gh.issues.triage",
+      input_schema: {
+        type: "object",
+        properties: {
+          issue_number: { type: "integer", minimum: 1 },
+          body: { type: "string", minLength: 1 }
+        },
+        required: ["issue_number", "body"],
+        additionalProperties: false
+      },
+      constraints: { rate_bucket: "github.write" },
+      effects: ["Create:IssueComment"],
+      risk: "low",
+      version: "1.0.0"
+    },
+    {
+      action: "gh:repo.create_pr",
+      resource_type: "GitHubRepo",
+      required_relations: ["editor", "act_as"],
+      required_scopes: ["repo"],
+      capability: "gh.code.collab",
+      input_schema: {
+        type: "object",
+        properties: {
+          title: { type: "string", minLength: 1 },
+          head: { type: "string", minLength: 1 },
+          base: { type: "string", minLength: 1 },
+          body: { type: "string" },
+          draft: { type: "boolean" }
+        },
+        required: ["title", "head", "base"],
+        additionalProperties: false
+      },
+      constraints: { rate_bucket: "github.write" },
+      effects: ["Create:PullRequest"],
+      risk: "medium",
+      version: "1.0.0"
+    },
+    {
+      action: "gh:repo.merge_pr",
+      resource_type: "GitHubRepo",
+      required_relations: ["admin", "owner"],
+      required_scopes: ["repo"],
+      capability: "gh.code.maintain",
+      input_schema: {
+        type: "object",
+        properties: {
+          pr_number: { type: "integer", minimum: 1 },
+          merge_method: { type: "string", enum: ["merge", "squash", "rebase"] }
+        },
+        required: ["pr_number"],
+        additionalProperties: false
+      },
+      constraints: { rate_bucket: "github.write", requires_reviews_passed: true },
+      effects: ["Update:PullRequestMerge"],
+      risk: "high",
+      version: "1.0.0"
+    },
+    {
+      action: "google:drive.file.read",
+      resource_type: "DriveFile",
+      required_relations: ["viewer", "editor", "admin", "owner"],
+      required_scopes: ["https://www.googleapis.com/auth/drive.readonly"],
+      capability: "gdrive.read.basic",
+      input_schema: {
+        type: "object",
+        properties: {
+          fields: { type: "string" }
+        },
+        additionalProperties: false
+      },
+      constraints: { rate_bucket: "gdrive.read" },
+      effects: ["Read:FileContent"],
+      risk: "low",
+      version: "1.0.0"
+    },
+    {
+      action: "google:drive.file.write",
+      resource_type: "DriveFile",
+      required_relations: ["editor", "act_as"],
+      required_scopes: ["https://www.googleapis.com/auth/drive.file"],
+      capability: "gdrive.write.basic",
+      input_schema: {
+        type: "object",
+        properties: {
+          mimeType: { type: "string" },
+          content_base64: { type: "string" }
+        },
+        required: ["content_base64"],
+        additionalProperties: false
+      },
+      constraints: { rate_bucket: "gdrive.write", max_size_mb: 50 },
+      effects: ["Update:FileContent"],
+      risk: "medium",
+      version: "1.0.0"
+    },
+    {
+      action: "google:drive.file.create",
+      resource_type: "DriveFile",
+      required_relations: ["editor", "act_as"],
+      required_scopes: ["https://www.googleapis.com/auth/drive.file"],
+      capability: "gdrive.write.basic",
+      input_schema: {
+        type: "object",
+        properties: {
+          name: { type: "string", minLength: 1 },
+          mimeType: { type: "string" },
+          parent_folder_id: { type: "string" },
+          content_base64: { type: "string" }
+        },
+        required: ["name"],
+        additionalProperties: false
+      },
+      constraints: { rate_bucket: "gdrive.write", max_size_mb: 50 },
+      effects: ["Create:File"],
+      risk: "medium",
+      version: "1.0.0"
+    },
+    {
+      action: "google:drive.file.list_in_folder",
+      resource_type: "DriveFile",
+      required_relations: ["viewer", "editor", "admin", "owner"],
+      required_scopes: ["https://www.googleapis.com/auth/drive.readonly"],
+      capability: "gdrive.read.basic",
+      input_schema: {
+        type: "object",
+        properties: {
+          folder_id: { type: "string" },
+          q: { type: "string" },
+          page_size: { type: "integer", minimum: 1, maximum: 1e3 }
+        },
+        required: ["folder_id"],
+        additionalProperties: false
+      },
+      constraints: { rate_bucket: "gdrive.read" },
+      effects: ["Read:FileList"],
+      risk: "low",
+      version: "1.0.0"
+    },
+    {
+      action: "jira:issue.search",
+      resource_type: "JiraIssue",
+      required_relations: ["viewer", "editor", "admin", "owner"],
+      required_scopes: ["read:jira-work", "read:jira-user"],
+      capability: "jira.read.basic",
+      input_schema: {
+        type: "object",
+        properties: {
+          jql: { type: "string", minLength: 1 },
+          maxResults: { type: "integer", minimum: 1, maximum: 100 },
+          startAt: { type: "integer", minimum: 0 }
+        },
+        required: ["jql"],
+        additionalProperties: false
+      },
+      constraints: { rate_bucket: "jira.read" },
+      effects: ["Read:IssueList"],
+      risk: "low",
+      version: "1.0.0"
+    },
+    {
+      action: "jira:issue.get",
+      resource_type: "JiraIssue",
+      required_relations: ["viewer", "editor", "admin", "owner"],
+      required_scopes: ["read:jira-work"],
+      capability: "jira.read.basic",
+      input_schema: {
+        type: "object",
+        properties: {
+          issueIdOrKey: { type: "string", minLength: 1 }
+        },
+        required: ["issueIdOrKey"],
+        additionalProperties: false
+      },
+      constraints: { rate_bucket: "jira.read" },
+      effects: ["Read:Issue"],
+      risk: "low",
+      version: "1.0.0"
+    },
+    {
+      action: "jira:project.list",
+      resource_type: "JiraProject",
+      required_relations: ["viewer", "editor", "admin", "owner"],
+      required_scopes: ["read:jira-work"],
+      capability: "jira.read.basic",
+      input_schema: {
+        type: "object",
+        properties: {
+          recent: { type: "number" }
+        },
+        additionalProperties: false
+      },
+      constraints: { rate_bucket: "jira.read" },
+      effects: ["Read:ProjectList"],
+      risk: "low",
+      version: "1.0.0"
+    },
+    {
+      action: "jira:board.list",
+      resource_type: "JiraBoard",
+      required_relations: ["viewer", "editor", "admin", "owner"],
+      required_scopes: ["read:jira-work"],
+      capability: "jira.read.basic",
+      input_schema: {
+        type: "object",
+        properties: {
+          projectKeyOrId: { type: "string" },
+          type: { type: "string" }
+        },
+        additionalProperties: false
+      },
+      constraints: { rate_bucket: "jira.read" },
+      effects: ["Read:BoardList"],
+      risk: "low",
+      version: "1.0.0"
+    },
+    {
+      action: "jira:sprint.list",
+      resource_type: "JiraSprint",
+      required_relations: ["viewer", "editor", "admin", "owner"],
+      required_scopes: ["read:jira-work"],
+      capability: "jira.read.basic",
+      input_schema: {
+        type: "object",
+        properties: {
+          boardId: { type: "number", minimum: 1 },
+          state: { type: "string" }
+        },
+        required: ["boardId"],
+        additionalProperties: false
+      },
+      constraints: { rate_bucket: "jira.read" },
+      effects: ["Read:SprintList"],
+      risk: "low",
+      version: "1.0.0"
+    },
+    {
+      action: "jira:sprint.get_issues",
+      resource_type: "JiraSprint",
+      required_relations: ["viewer", "editor", "admin", "owner"],
+      required_scopes: ["read:jira-work"],
+      capability: "jira.read.basic",
+      input_schema: {
+        type: "object",
+        properties: {
+          sprintId: { type: "number", minimum: 1 },
+          maxResults: { type: "number", minimum: 1, maximum: 100 }
+        },
+        required: ["sprintId"],
+        additionalProperties: false
+      },
+      constraints: { rate_bucket: "jira.read" },
+      effects: ["Read:IssueList"],
+      risk: "low",
+      version: "1.0.0"
+    },
+    {
+      action: "jira:issue.create",
+      resource_type: "JiraIssue",
+      required_relations: ["editor", "act_as"],
+      required_scopes: ["write:jira-work"],
+      capability: "jira.write.basic",
+      input_schema: {
+        type: "object",
+        properties: {
+          projectKey: { type: "string", minLength: 1 },
+          summary: { type: "string", minLength: 1 },
+          description: { type: "string" },
+          issueType: { type: "string", minLength: 1 },
+          priority: { type: "string" },
+          assignee: { type: "string" }
+        },
+        required: ["projectKey", "summary", "issueType"],
+        additionalProperties: false
+      },
+      constraints: { rate_bucket: "jira.write" },
+      effects: ["Create:Issue"],
+      risk: "medium",
+      version: "1.0.0"
+    }
+  ],
+  capabilities: [
+    {
+      capability: "slack.messaging.basic",
+      description: "Post and read messages in channels",
+      includes: ["slack:channel.post_message", "slack:channel.read"],
+      version: "1.0.0"
+    },
+    {
+      capability: "slack.messaging.enhanced",
+      description: "Reactions and advanced messaging",
+      includes: ["slack:channel.add_reaction"],
+      version: "1.0.0"
+    },
+    {
+      capability: "gh.read.basic",
+      description: "Read repository content and metadata",
+      includes: ["gh:repo.read"],
+      version: "1.0.0"
+    },
+    {
+      capability: "gh.issues.triage",
+      description: "Create and comment on issues",
+      includes: ["gh:repo.create_issue", "gh:repo.comment"],
+      version: "1.0.0"
+    },
+    {
+      capability: "gh.code.collab",
+      description: "Open pull requests for collaboration",
+      includes: ["gh:repo.create_pr"],
+      version: "1.0.0"
+    },
+    {
+      capability: "gh.code.maintain",
+      description: "Merge pull requests (high risk)",
+      includes: ["gh:repo.merge_pr"],
+      version: "1.0.0"
+    },
+    {
+      capability: "gdrive.read.basic",
+      description: "Read Drive files and listings",
+      includes: ["google:drive.file.read", "google:drive.file.list_in_folder"],
+      version: "1.0.0"
+    },
+    {
+      capability: "gdrive.write.basic",
+      description: "Create and update Drive files",
+      includes: ["google:drive.file.write", "google:drive.file.create"],
+      version: "1.0.0"
+    },
+    {
+      capability: "jira.read.basic",
+      description: "Read Jira issues, projects, boards, and sprints",
+      includes: ["jira:issue.search", "jira:issue.get", "jira:project.list", "jira:board.list", "jira:sprint.list", "jira:sprint.get_issues"],
+      version: "1.0.0"
+    },
+    {
+      capability: "jira.write.basic",
+      description: "Create Jira issues",
+      includes: ["jira:issue.create"],
+      version: "1.0.0"
+    }
+  ]
+};
+// src/index.ts
+__reExport(index_exports, require("@vess-id/ai-identity-types"), module.exports);
+var version = "0.0.1";
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  ACTION_REGISTRY,
+  AIdentityClient,
+  APIVCManager,
+  AgentDIDManager,
+  AgentManager,
+  AllowAllAbac,
+  ConstraintEvaluator,
+  DisclosureConfigManager,
+  DummyCreds,
+  DummyVpVerifier,
+  FilesystemKeyStorage,
+  KeyManager,
+  KeyRotationManager,
+  MemoryKeyStorage,
+  MemoryManager,
+  MetricsManager,
+  RevocationManager,
+  SDJwtClient,
+  SimpleRebac,
+  ToolManager,
+  UserIdentityManager,
+  VCManager,
+  VPManager,
+  checkPermissionWithVP,
+  configure,
+  createAjv,
+  defaultConstraintEvaluator,
+  evaluateConstraints,
+  generateKeyPair,
+  generateNonce,
+  getClient,
+  getRequiredRelations,
+  getRequiredScopes,
+  indexActions,
+  indexCapabilities,
+  loadActionRegistryFromFile,
+  loadActionRegistryFromObject,
+  planDelegationForVC,
+  resolveActionsFromSelection,
+  signJWT,
+  validateRegistryObject,
+  verifyJWT,
+  version,
+  ...require("@vess-id/ai-identity-types")
+});
+//# sourceMappingURL=index.js.map