@vess-id/status-list 0.1.0

package/dist/index.cjs

@@ -0,0 +1,1576 @@
+'use strict';
+
+var pako = require('pako');
+var jose = require('jose');
+var cbor = require('cbor');
+var crypto = require('crypto');
+
+function _interopNamespace(e) {
+  if (e && e.__esModule) return e;
+  var n = Object.create(null);
+  if (e) {
+    Object.keys(e).forEach(function (k) {
+      if (k !== 'default') {
+        var d = Object.getOwnPropertyDescriptor(e, k);
+        Object.defineProperty(n, k, d.get ? d : {
+          enumerable: true,
+          get: function () { return e[k]; }
+        });
+      }
+    });
+  }
+  n.default = e;
+  return Object.freeze(n);
+}
+
+var pako__namespace = /*#__PURE__*/_interopNamespace(pako);
+var cbor__namespace = /*#__PURE__*/_interopNamespace(cbor);
+
+// lib/types/errors.ts
+var StatusListError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "StatusListError";
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, this.constructor);
+    }
+  }
+};
+var IndexOutOfBoundsError = class extends StatusListError {
+  constructor(index, maxIndex) {
+    super(`Index ${index} is out of bounds. Valid range: 0-${maxIndex}`);
+    this.name = "IndexOutOfBoundsError";
+  }
+};
+var InvalidBitSizeError = class extends StatusListError {
+  constructor(bits) {
+    super(`Invalid bit size: ${bits}. Must be one of: 1, 2, 4, or 8`);
+    this.name = "InvalidBitSizeError";
+  }
+};
+var InvalidStatusValueError = class extends StatusListError {
+  constructor(value, maxValue, bitsPerStatus) {
+    super(`Invalid status value: ${value}. For ${bitsPerStatus}-bit status, valid range is 0-${maxValue}`);
+    this.name = "InvalidStatusValueError";
+  }
+};
+var InvalidTokenFormatError = class extends StatusListError {
+  constructor(message) {
+    super(`Invalid token format: ${message}`);
+    this.name = "InvalidTokenFormatError";
+  }
+};
+var StatusListExpiredError = class extends StatusListError {
+  constructor(exp, currentTime) {
+    super(`Status list expired at ${exp} (current time: ${currentTime})`);
+    this.name = "StatusListExpiredError";
+  }
+};
+var FetchError = class extends StatusListError {
+  constructor(message) {
+    super(message);
+    this.name = "FetchError";
+  }
+};
+var MissingStatusListUriError = class extends StatusListError {
+  constructor(message = "Status list URI is missing from token") {
+    super(message);
+    this.name = "MissingStatusListUriError";
+  }
+};
+var CompressionError = class extends StatusListError {
+  constructor(message, cause) {
+    const fullMessage = cause ? `${message}: ${cause.message}` : message;
+    super(fullMessage);
+    this.name = "CompressionError";
+    this.cause = cause;
+  }
+};
+var ValidationError = class extends StatusListError {
+  errors;
+  constructor(errors) {
+    super(`Validation failed: ${errors.join(", ")}`);
+    this.name = "ValidationError";
+    this.errors = errors;
+  }
+};
+
+// lib/core/bitpack.ts
+function validateBitSize(bits) {
+  if (bits !== 1 && bits !== 2 && bits !== 4 && bits !== 8) {
+    throw new InvalidBitSizeError(bits);
+  }
+}
+function validateStatusValue(value, bitsPerStatus) {
+  const maxValue = (1 << bitsPerStatus) - 1;
+  if (value < 0 || value > maxValue) {
+    throw new InvalidStatusValueError(value, maxValue, bitsPerStatus);
+  }
+}
+function packBits(statuses, bitsPerStatus) {
+  validateBitSize(bitsPerStatus);
+  const totalBits = statuses.length * bitsPerStatus;
+  const byteLength = Math.ceil(totalBits / 8);
+  const bytes = new Uint8Array(byteLength);
+  for (let i = 0; i < statuses.length; i++) {
+    const value = statuses[i];
+    validateStatusValue(value, bitsPerStatus);
+    const bitOffset = i * bitsPerStatus;
+    const byteIndex = Math.floor(bitOffset / 8);
+    const bitPosition = bitOffset % 8;
+    bytes[byteIndex] |= value << bitPosition;
+    if (bitPosition + bitsPerStatus > 8) {
+      const bitsInNextByte = bitPosition + bitsPerStatus - 8;
+      bytes[byteIndex + 1] |= value >> bitsPerStatus - bitsInNextByte;
+    }
+  }
+  return bytes;
+}
+function unpackBits(bytes, bitsPerStatus) {
+  validateBitSize(bitsPerStatus);
+  const totalBits = bytes.length * 8;
+  const statusCount = Math.floor(totalBits / bitsPerStatus);
+  const statuses = new Array(statusCount);
+  const mask = (1 << bitsPerStatus) - 1;
+  for (let i = 0; i < statusCount; i++) {
+    statuses[i] = getBitValue(bytes, i, bitsPerStatus, mask);
+  }
+  return statuses;
+}
+function getBitValue(bytes, index, bitsPerStatus, mask) {
+  validateBitSize(bitsPerStatus);
+  const totalBits = bytes.length * 8;
+  const maxIndex = Math.floor(totalBits / bitsPerStatus) - 1;
+  if (index < 0 || index > maxIndex) {
+    throw new IndexOutOfBoundsError(index, maxIndex);
+  }
+  const jump = bitsPerStatus * index;
+  const byteIndex = Math.floor(jump / 8);
+  const bitOffset = jump % 8;
+  const calculatedMask = mask ?? (1 << bitsPerStatus) - 1;
+  let value = bytes[byteIndex] >> bitOffset & calculatedMask;
+  if (bitOffset + bitsPerStatus > 8) {
+    const bitsInNextByte = bitOffset + bitsPerStatus - 8;
+    const nextByteBits = bytes[byteIndex + 1] & (1 << bitsInNextByte) - 1;
+    value |= nextByteBits << bitsPerStatus - bitsInNextByte;
+  }
+  return value;
+}
+function setBitValue(bytes, index, value, bitsPerStatus) {
+  validateBitSize(bitsPerStatus);
+  validateStatusValue(value, bitsPerStatus);
+  const totalBits = bytes.length * 8;
+  const maxIndex = Math.floor(totalBits / bitsPerStatus) - 1;
+  if (index < 0 || index > maxIndex) {
+    throw new IndexOutOfBoundsError(index, maxIndex);
+  }
+  const jump = bitsPerStatus * index;
+  const byteIndex = Math.floor(jump / 8);
+  const bitOffset = jump % 8;
+  const mask = (1 << bitsPerStatus) - 1;
+  bytes[byteIndex] &= ~(mask << bitOffset);
+  bytes[byteIndex] |= (value & mask) << bitOffset;
+  if (bitOffset + bitsPerStatus > 8) {
+    const bitsInNextByte = bitOffset + bitsPerStatus - 8;
+    const nextByteMask = (1 << bitsInNextByte) - 1;
+    bytes[byteIndex + 1] &= ~nextByteMask;
+    bytes[byteIndex + 1] |= value >> bitsPerStatus - bitsInNextByte & nextByteMask;
+  }
+}
+function calculateCapacity(byteLength, bitsPerStatus) {
+  validateBitSize(bitsPerStatus);
+  return Math.floor(byteLength * 8 / bitsPerStatus);
+}
+function compress(data) {
+  try {
+    return pako__namespace.deflate(data, { level: 9 });
+  } catch (error) {
+    throw new CompressionError("Failed to compress data", error);
+  }
+}
+function decompress(compressed) {
+  try {
+    return pako__namespace.inflate(compressed);
+  } catch (error) {
+    throw new CompressionError("Failed to decompress data", error);
+  }
+}
+function compressToBase64URL(data) {
+  const compressed = compress(data);
+  return base64UrlEncode(compressed);
+}
+function decompressFromBase64URL(base64url) {
+  try {
+    const compressed = base64UrlDecode(base64url);
+    return decompress(compressed);
+  } catch (error) {
+    if (error instanceof CompressionError) {
+      throw error;
+    }
+    throw new CompressionError("Failed to decode or decompress base64url data", error);
+  }
+}
+function base64UrlEncode(bytes) {
+  let base64 = "";
+  if (typeof Buffer !== "undefined") {
+    base64 = Buffer.from(bytes).toString("base64");
+  } else {
+    const binary = String.fromCharCode(...bytes);
+    base64 = btoa(binary);
+  }
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+function base64UrlDecode(base64url) {
+  let base64 = base64url.replace(/-/g, "+").replace(/_/g, "/");
+  const padding = base64.length % 4;
+  if (padding > 0) {
+    base64 += "=".repeat(4 - padding);
+  }
+  if (typeof Buffer !== "undefined") {
+    return new Uint8Array(Buffer.from(base64, "base64"));
+  } else {
+    const binary = atob(base64);
+    const bytes = new Uint8Array(binary.length);
+    for (let i = 0; i < binary.length; i++) {
+      bytes[i] = binary.charCodeAt(i);
+    }
+    return bytes;
+  }
+}
+
+// lib/core/StatusList.ts
+var StatusList = class _StatusList {
+  statusArray;
+  bitsPerStatus;
+  /**
+   * Creates a StatusList from a byte array.
+   *
+   * @param statusArray - Byte array containing packed status values
+   * @param bitsPerStatus - Number of bits per status entry
+   *
+   * @private Use static factory methods instead: fromArray(), decompressFromBase64URL(), decompressFromBytes()
+   */
+  constructor(statusArray, bitsPerStatus) {
+    this.statusArray = statusArray;
+    this.bitsPerStatus = bitsPerStatus;
+  }
+  /**
+   * Gets the status value at a specific index.
+   *
+   * @param index - Index of the status entry (0-based)
+   * @returns Status value at the given index
+   * @throws {IndexOutOfBoundsError} If index is out of bounds
+   *
+   * @example
+   * ```typescript
+   * const status = list.getStatus(42);
+   * if (status === StandardStatusValues.INVALID) {
+   *   console.log('Credential is revoked');
+   * }
+   * ```
+   */
+  getStatus(index) {
+    return getBitValue(this.statusArray, index, this.bitsPerStatus);
+  }
+  /**
+   * Sets the status value at a specific index.
+   *
+   * Note: This modifies the status list in place. After modifying statuses,
+   * you'll need to recompress and re-sign the status list token.
+   *
+   * @param index - Index of the status entry (0-based)
+   * @param value - New status value
+   * @throws {IndexOutOfBoundsError} If index is out of bounds
+   * @throws {InvalidStatusValueError} If value exceeds the maximum for the bit size
+   *
+   * @example
+   * ```typescript
+   * // Revoke credential at index 42
+   * list.setStatus(42, StandardStatusValues.INVALID);
+   *
+   * // Suspend credential at index 100
+   * list.setStatus(100, StandardStatusValues.SUSPENDED);
+   * ```
+   */
+  setStatus(index, value) {
+    setBitValue(this.statusArray, index, value, this.bitsPerStatus);
+  }
+  /**
+   * Gets the number of bits used per status entry.
+   *
+   * @returns Number of bits per status (1, 2, 4, or 8)
+   */
+  getBitsPerStatus() {
+    return this.bitsPerStatus;
+  }
+  /**
+   * Gets the total number of status entries in this list.
+   *
+   * @returns Total capacity of the status list
+   */
+  getSize() {
+    return calculateCapacity(this.statusArray.length, this.bitsPerStatus);
+  }
+  /**
+   * Gets the raw byte array (for internal use).
+   *
+   * @returns The underlying byte array
+   */
+  getBytes() {
+    return this.statusArray;
+  }
+  /**
+   * Compresses the status list to base64url format (for JWT).
+   *
+   * @returns Base64URL-encoded compressed status list
+   *
+   * @example
+   * ```typescript
+   * const lst = list.compressToBase64URL();
+   * // Use in JWT payload: { status_list: { bits: 1, lst } }
+   * ```
+   */
+  compressToBase64URL() {
+    return compressToBase64URL(this.statusArray);
+  }
+  /**
+   * Compresses the status list to raw bytes (for CWT).
+   *
+   * @returns Compressed status list as bytes
+   *
+   * @example
+   * ```typescript
+   * const lst = list.compressToBytes();
+   * // Use in CWT payload: { 65533: { bits: 1, lst } }
+   * ```
+   */
+  compressToBytes() {
+    return compress(this.statusArray);
+  }
+  // ===== Static Factory Methods =====
+  /**
+   * Creates a StatusList from an array of status values.
+   *
+   * @param statuses - Array of status values
+   * @param bitsPerStatus - Number of bits per status entry (1, 2, 4, or 8)
+   * @returns New StatusList instance
+   * @throws {InvalidBitSizeError} If bitsPerStatus is not 1, 2, 4, or 8
+   * @throws {InvalidStatusValueError} If any status value exceeds the maximum for the bit size
+   *
+   * @example
+   * ```typescript
+   * // Create list with 1-bit statuses (valid/invalid)
+   * const statuses = new Array(10000).fill(0); // All valid
+   * statuses[42] = 1; // Revoke one credential
+   * const list = StatusList.fromArray(statuses, 1);
+   *
+   * // Create list with 2-bit statuses (valid/invalid/suspended/custom)
+   * const statuses2 = [0, 1, 2, 0, 1, 3];
+   * const list2 = StatusList.fromArray(statuses2, 2);
+   * ```
+   */
+  static fromArray(statuses, bitsPerStatus) {
+    const bytes = packBits(statuses, bitsPerStatus);
+    return new _StatusList(bytes, bitsPerStatus);
+  }
+  /**
+   * Creates a StatusList by decompressing a base64url-encoded string (from JWT).
+   *
+   * @param compressed - Base64URL-encoded compressed status list
+   * @param bitsPerStatus - Number of bits per status entry
+   * @returns New StatusList instance
+   * @throws {CompressionError} If decompression fails
+   *
+   * @example
+   * ```typescript
+   * // From JWT payload
+   * const payload = parseJWT(token);
+   * const list = StatusList.decompressFromBase64URL(
+   *   payload.status_list.lst,
+   *   payload.status_list.bits
+   * );
+   * ```
+   */
+  static decompressFromBase64URL(compressed, bitsPerStatus) {
+    const bytes = decompressFromBase64URL(compressed);
+    return new _StatusList(bytes, bitsPerStatus);
+  }
+  /**
+   * Creates a StatusList by decompressing raw bytes (from CWT).
+   *
+   * @param compressed - Compressed status list as bytes
+   * @param bitsPerStatus - Number of bits per status entry
+   * @returns New StatusList instance
+   * @throws {CompressionError} If decompression fails
+   *
+   * @example
+   * ```typescript
+   * // From CWT payload
+   * const payload = parseCWT(token);
+   * const statusListData = payload[65533]; // status_list claim
+   * const list = StatusList.decompressFromBytes(
+   *   statusListData.lst,
+   *   statusListData.bits
+   * );
+   * ```
+   */
+  static decompressFromBytes(compressed, bitsPerStatus) {
+    const bytes = decompress(compressed);
+    return new _StatusList(bytes, bitsPerStatus);
+  }
+  /**
+   * Creates an empty StatusList with a specified capacity.
+   *
+   * All status entries are initialized to 0 (VALID).
+   *
+   * @param capacity - Number of status entries
+   * @param bitsPerStatus - Number of bits per status entry (1, 2, 4, or 8)
+   * @returns New StatusList instance
+   *
+   * @example
+   * ```typescript
+   * // Create empty list for 100,000 credentials
+   * const list = StatusList.create(100000, 1);
+   * ```
+   */
+  static create(capacity, bitsPerStatus) {
+    const totalBits = capacity * bitsPerStatus;
+    const byteLength = Math.ceil(totalBits / 8);
+    const bytes = new Uint8Array(byteLength);
+    return new _StatusList(bytes, bitsPerStatus);
+  }
+  /**
+   * Converts the status list to an array of status values (for debugging/testing).
+   *
+   * Warning: For large status lists, this can be memory-intensive.
+   *
+   * @returns Array of all status values
+   */
+  toArray() {
+    return unpackBits(this.statusArray, this.bitsPerStatus);
+  }
+};
+
+// lib/types/common.ts
+var StandardStatusValues = /* @__PURE__ */ ((StandardStatusValues2) => {
+  StandardStatusValues2[StandardStatusValues2["VALID"] = 0] = "VALID";
+  StandardStatusValues2[StandardStatusValues2["INVALID"] = 1] = "INVALID";
+  StandardStatusValues2[StandardStatusValues2["SUSPENDED"] = 2] = "SUSPENDED";
+  StandardStatusValues2[StandardStatusValues2["APPLICATION_SPECIFIC"] = 3] = "APPLICATION_SPECIFIC";
+  return StandardStatusValues2;
+})(StandardStatusValues || {});
+
+// lib/formats/jwt/StatusListJWT.ts
+function createJWTStatusListPayload(options) {
+  const {
+    iss,
+    sub,
+    lst,
+    bits,
+    iat = Math.floor(Date.now() / 1e3),
+    exp,
+    ttl,
+    aggregation_uri,
+    additionalClaims = {}
+  } = options;
+  const header = {
+    typ: "statuslist+jwt",
+    alg: "ES256"
+    // Default algorithm, can be overridden when signing
+  };
+  const payload = {
+    iss,
+    sub,
+    iat,
+    status_list: {
+      bits,
+      lst,
+      ...aggregation_uri && { aggregation_uri }
+    },
+    ...additionalClaims
+  };
+  if (exp !== void 0) {
+    payload.exp = exp;
+  }
+  if (ttl !== void 0) {
+    payload.ttl = ttl;
+  }
+  return { header, payload };
+}
+function parseJWTStatusList(jwt) {
+  const parts = jwt.split(".");
+  if (parts.length !== 3) {
+    throw new InvalidTokenFormatError("JWT must have 3 parts separated by dots");
+  }
+  try {
+    const headerJson = base64UrlDecode2(parts[0]);
+    const header = JSON.parse(headerJson);
+    if (header.typ !== "statuslist+jwt") {
+      throw new InvalidTokenFormatError(`Invalid typ header: expected "statuslist+jwt", got "${header.typ}"`);
+    }
+    const payloadJson = base64UrlDecode2(parts[1]);
+    const payload = JSON.parse(payloadJson);
+    validateJWTPayload(payload);
+    const statusList = StatusList.decompressFromBase64URL(payload.status_list.lst, payload.status_list.bits);
+    return {
+      header,
+      payload,
+      jwt,
+      statusList
+    };
+  } catch (error) {
+    if (error instanceof InvalidTokenFormatError) {
+      throw error;
+    }
+    throw new InvalidTokenFormatError(`Failed to parse JWT: ${error.message}`);
+  }
+}
+function extractStatusListReference(credentialJWT) {
+  const parts = credentialJWT.split(".");
+  if (parts.length !== 3) {
+    throw new InvalidTokenFormatError("JWT must have 3 parts");
+  }
+  try {
+    const payloadJson = base64UrlDecode2(parts[1]);
+    const payload = JSON.parse(payloadJson);
+    if (!payload.status || typeof payload.status !== "object") {
+      throw new InvalidTokenFormatError("Missing status claim in credential");
+    }
+    const status = payload.status;
+    if (!status.status_list || typeof status.status_list !== "object") {
+      throw new InvalidTokenFormatError("Missing status_list in status claim");
+    }
+    const statusList = status.status_list;
+    if (typeof statusList.idx !== "number" || statusList.idx < 0) {
+      throw new InvalidTokenFormatError("Invalid or missing idx in status_list");
+    }
+    if (typeof statusList.uri !== "string" || !statusList.uri) {
+      throw new InvalidTokenFormatError("Invalid or missing uri in status_list");
+    }
+    return {
+      idx: statusList.idx,
+      uri: statusList.uri
+    };
+  } catch (error) {
+    if (error instanceof InvalidTokenFormatError) {
+      throw error;
+    }
+    throw new InvalidTokenFormatError(`Failed to extract status reference: ${error.message}`);
+  }
+}
+function validateJWTPayload(payload) {
+  if (!payload.iss || typeof payload.iss !== "string") {
+    throw new InvalidTokenFormatError('Missing or invalid "iss" claim');
+  }
+  if (!payload.sub || typeof payload.sub !== "string") {
+    throw new InvalidTokenFormatError('Missing or invalid "sub" claim');
+  }
+  if (typeof payload.iat !== "number") {
+    throw new InvalidTokenFormatError('Missing or invalid "iat" claim');
+  }
+  if (!payload.status_list || typeof payload.status_list !== "object") {
+    throw new InvalidTokenFormatError('Missing or invalid "status_list" claim');
+  }
+  const { bits, lst } = payload.status_list;
+  if (![1, 2, 4, 8].includes(bits)) {
+    throw new InvalidTokenFormatError(`Invalid "bits" value: must be 1, 2, 4, or 8, got ${bits}`);
+  }
+  if (!lst || typeof lst !== "string") {
+    throw new InvalidTokenFormatError('Missing or invalid "lst" field in status_list');
+  }
+  if (payload.exp !== void 0 && typeof payload.exp !== "number") {
+    throw new InvalidTokenFormatError('Invalid "exp" claim: must be a number');
+  }
+  if (payload.ttl !== void 0 && typeof payload.ttl !== "number") {
+    throw new InvalidTokenFormatError('Invalid "ttl" claim: must be a number');
+  }
+}
+function base64UrlDecode2(base64url) {
+  let base64 = base64url.replace(/-/g, "+").replace(/_/g, "/");
+  const padding = base64.length % 4;
+  if (padding > 0) {
+    base64 += "=".repeat(4 - padding);
+  }
+  if (typeof Buffer !== "undefined") {
+    return Buffer.from(base64, "base64").toString("utf-8");
+  } else {
+    return decodeURIComponent(
+      atob(base64).split("").map((c) => "%" + ("00" + c.charCodeAt(0).toString(16)).slice(-2)).join("")
+    );
+  }
+}
+async function signStatusListJWT(payload, privateKey, options) {
+  const { alg = "ES256", kid, additionalHeaders = {} } = options || {};
+  const jwt = new jose.SignJWT(payload).setProtectedHeader({
+    typ: "statuslist+jwt",
+    alg,
+    ...kid && { kid },
+    ...additionalHeaders
+  }).setIssuer(payload.iss).setSubject(payload.sub).setIssuedAt(payload.iat);
+  if (payload.exp !== void 0) {
+    jwt.setExpirationTime(payload.exp);
+  }
+  return await jwt.sign(privateKey);
+}
+async function verifyStatusListJWT(jwt, publicKey, options) {
+  const { issuer, subject, currentTime, clockTolerance = 0 } = options || {};
+  try {
+    const result = await jose.jwtVerify(jwt, publicKey, {
+      typ: "statuslist+jwt",
+      ...issuer && { issuer },
+      ...subject && { subject },
+      ...currentTime && { currentDate: new Date(currentTime * 1e3) },
+      clockTolerance
+    });
+    const header = result.protectedHeader;
+    const payload = result.payload;
+    if (header.typ !== "statuslist+jwt") {
+      throw new InvalidTokenFormatError(`Invalid typ header: expected "statuslist+jwt", got "${header.typ}"`);
+    }
+    if (!payload.iss || typeof payload.iss !== "string") {
+      throw new InvalidTokenFormatError('Missing or invalid "iss" claim');
+    }
+    if (!payload.sub || typeof payload.sub !== "string") {
+      throw new InvalidTokenFormatError('Missing or invalid "sub" claim');
+    }
+    if (typeof payload.iat !== "number") {
+      throw new InvalidTokenFormatError('Missing or invalid "iat" claim');
+    }
+    if (!payload.status_list || typeof payload.status_list !== "object") {
+      throw new InvalidTokenFormatError('Missing or invalid "status_list" claim');
+    }
+    const { bits, lst } = payload.status_list;
+    if (![1, 2, 4, 8].includes(bits)) {
+      throw new InvalidTokenFormatError(`Invalid "bits" value: must be 1, 2, 4, or 8, got ${bits}`);
+    }
+    if (!lst || typeof lst !== "string") {
+      throw new InvalidTokenFormatError('Missing or invalid "lst" field in status_list');
+    }
+    return {
+      header,
+      payload
+    };
+  } catch (error) {
+    if (error instanceof InvalidTokenFormatError) {
+      throw error;
+    }
+    const message = error.message;
+    throw new InvalidTokenFormatError(`JWT verification failed: ${message}`);
+  }
+}
+async function verifySignatureOnly(jwt, publicKey) {
+  try {
+    const result = await jose.jwtVerify(jwt, publicKey, {
+      typ: "statuslist+jwt"
+    });
+    return {
+      header: result.protectedHeader,
+      payload: result.payload
+    };
+  } catch (error) {
+    throw new InvalidTokenFormatError(`Signature verification failed: ${error.message}`);
+  }
+}
+
+// lib/formats/cwt/types.ts
+var CWT_CLAIMS = {
+  /** Issuer (iss) - Claim key 1 */
+  ISS: 1,
+  /** Subject (sub) - Claim key 2 */
+  SUB: 2,
+  /** Expiration Time (exp) - Claim key 4 */
+  EXP: 4,
+  /** Issued At (iat) - Claim key 6 */
+  IAT: 6,
+  /** Time to Live (ttl) - Claim key 65534 (custom) */
+  TTL: 65534,
+  /** Status List - Claim key 65533 (custom) */
+  STATUS_LIST: 65533
+};
+var COSE_HEADERS = {
+  /** Algorithm - Header parameter 1 */
+  ALG: 1,
+  /** Content Type - Header parameter 16 */
+  CONTENT_TYPE: 16,
+  /** Key ID - Header parameter 4 */
+  KID: 4
+};
+var COSE_ALGORITHMS = {
+  /** ES256 - ECDSA with SHA-256 */
+  ES256: -7,
+  /** ES384 - ECDSA with SHA-384 */
+  ES384: -35,
+  /** ES512 - ECDSA with SHA-512 */
+  ES512: -36,
+  /** EdDSA */
+  EdDSA: -8
+};
+var COSE_SIGN1_TAG = 18;
+var ALGORITHM_MAP = {
+  "-7": { hash: "sha256", curve: "prime256v1" },
+  // ES256
+  "-35": { hash: "sha384", curve: "secp384r1" },
+  // ES384
+  "-36": { hash: "sha512", curve: "secp521r1" },
+  // ES512
+  "-8": { hash: "sha512" }
+  // EdDSA (Ed25519)
+};
+function signCOSE(payload, protectedHeader, privateKey) {
+  const protectedHeaderEncoded = cbor__namespace.encode(protectedHeader);
+  const sigStructure = cbor__namespace.encode([
+    "Signature1",
+    // Context
+    protectedHeaderEncoded,
+    new Uint8Array(0),
+    // External AAD (empty)
+    payload
+  ]);
+  const alg = protectedHeader.get(1);
+  if (!alg) {
+    throw new InvalidTokenFormatError("Algorithm (alg) must be specified in protected header");
+  }
+  const signature = signData(sigStructure, alg, privateKey);
+  const coseSign1 = [
+    protectedHeaderEncoded,
+    // Protected header (encoded)
+    {},
+    // Unprotected header (empty map)
+    payload,
+    // Payload
+    signature
+    // Signature
+  ];
+  const tagged = new cbor__namespace.Tagged(COSE_SIGN1_TAG, coseSign1);
+  return cbor__namespace.encode(tagged);
+}
+function verifyCOSE(coseSign1, publicKey) {
+  try {
+    const decoded = cbor__namespace.decode(coseSign1);
+    if (!(decoded instanceof cbor__namespace.Tagged) || decoded.tag !== COSE_SIGN1_TAG) {
+      throw new InvalidTokenFormatError("Invalid COSE Sign1 structure: missing tag 18");
+    }
+    const [protectedHeaderEncoded, , payload, signature] = decoded.value;
+    const protectedHeader = cbor__namespace.decode(protectedHeaderEncoded);
+    const alg = protectedHeader.get(1);
+    if (!alg) {
+      throw new InvalidTokenFormatError("Missing algorithm in protected header");
+    }
+    const sigStructure = cbor__namespace.encode([
+      "Signature1",
+      protectedHeaderEncoded,
+      new Uint8Array(0),
+      // External AAD
+      payload
+    ]);
+    const valid = verifySignature(sigStructure, signature, alg, publicKey);
+    if (!valid) {
+      throw new InvalidTokenFormatError("Invalid COSE Sign1 signature");
+    }
+    return payload;
+  } catch (error) {
+    if (error instanceof InvalidTokenFormatError) {
+      throw error;
+    }
+    throw new InvalidTokenFormatError(`Failed to verify COSE Sign1: ${error.message}`);
+  }
+}
+function signData(data, alg, privateKey) {
+  const algInfo = ALGORITHM_MAP[alg.toString()];
+  if (!algInfo) {
+    throw new InvalidTokenFormatError(`Unsupported algorithm: ${alg}`);
+  }
+  if (privateKey.kty === "EC2") {
+    if (!privateKey.d) {
+      throw new InvalidTokenFormatError("Private key (d) is required for signing");
+    }
+    const pemKey = ec2KeyToPEM();
+    const sign = crypto.createSign(`RSA-SHA${algInfo.hash.replace("sha", "")}`);
+    sign.update(data);
+    const signature = sign.sign(pemKey);
+    return derToRaw(signature, getSignatureLength(alg));
+  } else if (privateKey.kty === "OKP") {
+    if (!privateKey.d) {
+      throw new InvalidTokenFormatError("Private key (d) is required for signing");
+    }
+    const pemKey = okpKeyToPEM();
+    const sign = crypto.createSign("SHA512");
+    sign.update(data);
+    return sign.sign(pemKey);
+  }
+  const _exhaustiveCheck = privateKey;
+  throw new InvalidTokenFormatError(`Unsupported key type: ${_exhaustiveCheck.kty}`);
+}
+function verifySignature(data, signature, alg, publicKey) {
+  const algInfo = ALGORITHM_MAP[alg.toString()];
+  if (!algInfo) {
+    throw new InvalidTokenFormatError(`Unsupported algorithm: ${alg}`);
+  }
+  if (publicKey.kty === "EC2") {
+    const pemKey = ec2KeyToPEM();
+    const derSignature = rawToDer(signature);
+    const verify = crypto.createVerify(`RSA-SHA${algInfo.hash.replace("sha", "")}`);
+    verify.update(data);
+    return verify.verify(pemKey, derSignature);
+  } else if (publicKey.kty === "OKP") {
+    const pemKey = okpKeyToPEM();
+    const verify = crypto.createVerify("SHA512");
+    verify.update(data);
+    return verify.verify(pemKey, signature);
+  }
+  const _exhaustiveCheck = publicKey;
+  throw new InvalidTokenFormatError(`Unsupported key type: ${_exhaustiveCheck.kty}`);
+}
+function ec2KeyToPEM(_key, _isPrivate) {
+  throw new Error("EC2 to PEM conversion not fully implemented. Use a COSE library like @transmute/cose instead.");
+}
+function okpKeyToPEM(_key, _isPrivate) {
+  throw new Error("OKP to PEM conversion not fully implemented. Use a COSE library like @transmute/cose instead.");
+}
+function derToRaw(derSignature, length) {
+  let offset = 2;
+  const rLength = derSignature[offset + 1];
+  offset += 2;
+  const r = derSignature.slice(offset, offset + rLength);
+  offset += rLength;
+  const sLength = derSignature[offset + 1];
+  offset += 2;
+  const s = derSignature.slice(offset, offset + sLength);
+  const halfLength = length / 2;
+  const raw = new Uint8Array(length);
+  raw.set(r.slice(-halfLength), 0);
+  raw.set(s.slice(-halfLength), halfLength);
+  return raw;
+}
+function rawToDer(rawSignature) {
+  const halfLength = rawSignature.length / 2;
+  const r = rawSignature.slice(0, halfLength);
+  const s = rawSignature.slice(halfLength);
+  const derR = encodeDerInteger(r);
+  const derS = encodeDerInteger(s);
+  const sequence = new Uint8Array(2 + derR.length + derS.length);
+  sequence[0] = 48;
+  sequence[1] = derR.length + derS.length;
+  sequence.set(derR, 2);
+  sequence.set(derS, 2 + derR.length);
+  return sequence;
+}
+function encodeDerInteger(value) {
+  let i = 0;
+  while (i < value.length && value[i] === 0) {
+    i++;
+  }
+  value = value.slice(i);
+  const needsLeadingZero = value[0] >= 128;
+  const length = value.length + (needsLeadingZero ? 1 : 0);
+  const der = new Uint8Array(2 + length);
+  der[0] = 2;
+  der[1] = length;
+  if (needsLeadingZero) {
+    der[2] = 0;
+    der.set(value, 3);
+  } else {
+    der.set(value, 2);
+  }
+  return der;
+}
+function getSignatureLength(alg) {
+  switch (alg) {
+    case -7:
+      return 64;
+    case -35:
+      return 96;
+    case -36:
+      return 132;
+    case -8:
+      return 64;
+    default:
+      throw new InvalidTokenFormatError(`Unknown signature length for algorithm: ${alg}`);
+  }
+}
+
+// lib/formats/cwt/StatusListCWT.ts
+function createCWTStatusListPayload(options) {
+  const {
+    iss,
+    sub,
+    lst,
+    bits,
+    iat = Math.floor(Date.now() / 1e3),
+    exp,
+    ttl,
+    aggregation_uri,
+    additionalClaims = {}
+  } = options;
+  const payload = {
+    ...additionalClaims,
+    [CWT_CLAIMS.STATUS_LIST]: {
+      bits,
+      lst,
+      ...aggregation_uri && { aggregation_uri }
+    }
+  };
+  if (iss !== void 0) {
+    payload[CWT_CLAIMS.ISS] = iss;
+  }
+  if (sub !== void 0) {
+    payload[CWT_CLAIMS.SUB] = sub;
+  }
+  if (iat !== void 0) {
+    payload[CWT_CLAIMS.IAT] = iat;
+  }
+  if (exp !== void 0) {
+    payload[CWT_CLAIMS.EXP] = exp;
+  }
+  if (ttl !== void 0) {
+    payload[CWT_CLAIMS.TTL] = ttl;
+  }
+  return payload;
+}
+function encodeCWTPayload(payload) {
+  return cbor__namespace.encode(payload);
+}
+function parseCWTStatusList(cwtBytes) {
+  try {
+    const payload = cbor__namespace.decode(cwtBytes);
+    validateCWTPayload(payload);
+    const typedPayload = payload;
+    const statusListClaim = typedPayload[CWT_CLAIMS.STATUS_LIST];
+    const statusList = StatusList.decompressFromBytes(statusListClaim.lst, statusListClaim.bits);
+    return {
+      protectedHeader: /* @__PURE__ */ new Map(),
+      unprotectedHeader: /* @__PURE__ */ new Map(),
+      payload: typedPayload,
+      cwt: cwtBytes,
+      statusList
+    };
+  } catch (error) {
+    if (error instanceof InvalidTokenFormatError) {
+      throw error;
+    }
+    throw new InvalidTokenFormatError(`Failed to parse CWT: ${error.message}`);
+  }
+}
+function parseCWTStatusListSigned(cwtBytes, publicKey) {
+  try {
+    const payloadBytes = verifyCOSE(cwtBytes, publicKey);
+    const payload = cbor__namespace.decode(payloadBytes);
+    validateCWTPayload(payload);
+    const typedPayload = payload;
+    const statusListClaim = typedPayload[CWT_CLAIMS.STATUS_LIST];
+    const statusList = StatusList.decompressFromBytes(statusListClaim.lst, statusListClaim.bits);
+    const decoded = cbor__namespace.decode(cwtBytes);
+    const [protectedHeaderEncoded] = decoded.value;
+    const protectedHeader = cbor__namespace.decode(protectedHeaderEncoded);
+    return {
+      protectedHeader,
+      unprotectedHeader: /* @__PURE__ */ new Map(),
+      payload: typedPayload,
+      cwt: cwtBytes,
+      statusList
+    };
+  } catch (error) {
+    if (error instanceof InvalidTokenFormatError) {
+      throw error;
+    }
+    throw new InvalidTokenFormatError(`Failed to parse signed CWT: ${error.message}`);
+  }
+}
+function signCWTStatusList(payload, privateKey, options) {
+  const { alg = COSE_ALGORITHMS.ES256, kid, additionalHeaders = /* @__PURE__ */ new Map() } = options || {};
+  const protectedHeader = new Map([
+    [COSE_HEADERS.CONTENT_TYPE, "application/statuslist+cwt"],
+    [COSE_HEADERS.ALG, alg],
+    ...additionalHeaders
+  ]);
+  if (kid) {
+    protectedHeader.set(COSE_HEADERS.KID, kid);
+  }
+  const payloadBytes = cbor__namespace.encode(payload);
+  return signCOSE(payloadBytes, protectedHeader, privateKey);
+}
+function extractStatusListReferenceCBOR(credentialCBOR) {
+  try {
+    const credential = cbor__namespace.decode(credentialCBOR);
+    const status = credential.status || credential["status"];
+    if (!status || typeof status !== "object") {
+      throw new InvalidTokenFormatError("Missing status claim in credential");
+    }
+    const statusObj = status;
+    const statusList = statusObj.status_list || statusObj["status_list"];
+    if (!statusList || typeof statusList !== "object") {
+      throw new InvalidTokenFormatError("Missing status_list in status claim");
+    }
+    const statusListObj = statusList;
+    if (typeof statusListObj.idx !== "number" || statusListObj.idx < 0) {
+      throw new InvalidTokenFormatError("Invalid or missing idx in status_list");
+    }
+    if (typeof statusListObj.uri !== "string" || !statusListObj.uri) {
+      throw new InvalidTokenFormatError("Invalid or missing uri in status_list");
+    }
+    return {
+      idx: statusListObj.idx,
+      uri: statusListObj.uri
+    };
+  } catch (error) {
+    if (error instanceof InvalidTokenFormatError) {
+      throw error;
+    }
+    throw new InvalidTokenFormatError(`Failed to extract status reference: ${error.message}`);
+  }
+}
+function validateCWTPayload(payload) {
+  const statusList = payload[CWT_CLAIMS.STATUS_LIST];
+  if (!statusList || typeof statusList !== "object") {
+    throw new InvalidTokenFormatError(`Missing or invalid status_list claim (key ${CWT_CLAIMS.STATUS_LIST})`);
+  }
+  const statusListObj = statusList;
+  if (!statusListObj.bits || ![1, 2, 4, 8].includes(statusListObj.bits)) {
+    throw new InvalidTokenFormatError(`Invalid "bits" value: must be 1, 2, 4, or 8`);
+  }
+  if (!statusListObj.lst || !(statusListObj.lst instanceof Uint8Array)) {
+    throw new InvalidTokenFormatError('Missing or invalid "lst" field in status_list');
+  }
+  if (payload[CWT_CLAIMS.ISS] !== void 0 && typeof payload[CWT_CLAIMS.ISS] !== "string") {
+    throw new InvalidTokenFormatError(`Invalid "iss" claim (key ${CWT_CLAIMS.ISS}): must be a string`);
+  }
+  if (payload[CWT_CLAIMS.SUB] !== void 0 && typeof payload[CWT_CLAIMS.SUB] !== "string") {
+    throw new InvalidTokenFormatError(`Invalid "sub" claim (key ${CWT_CLAIMS.SUB}): must be a string`);
+  }
+  if (payload[CWT_CLAIMS.IAT] !== void 0 && typeof payload[CWT_CLAIMS.IAT] !== "number") {
+    throw new InvalidTokenFormatError(`Invalid "iat" claim (key ${CWT_CLAIMS.IAT}): must be a number`);
+  }
+  if (payload[CWT_CLAIMS.EXP] !== void 0 && typeof payload[CWT_CLAIMS.EXP] !== "number") {
+    throw new InvalidTokenFormatError(`Invalid "exp" claim (key ${CWT_CLAIMS.EXP}): must be a number`);
+  }
+  if (payload[CWT_CLAIMS.TTL] !== void 0 && typeof payload[CWT_CLAIMS.TTL] !== "number") {
+    throw new InvalidTokenFormatError(`Invalid "ttl" claim (key ${CWT_CLAIMS.TTL}): must be a number`);
+  }
+}
+
+// lib/helper/fetcher.ts
+var DEFAULT_TIMEOUT = 1e4;
+var DEFAULT_MAX_REDIRECTS = 3;
+var CONTENT_TYPES = {
+  JWT: "application/statuslist+jwt",
+  CWT: "application/statuslist+cwt"
+};
+async function fetchStatusListToken(uri, options = {}) {
+  if (!uri || typeof uri !== "string") {
+    throw new MissingStatusListUriError("Status list URI is required");
+  }
+  let parsedUri;
+  try {
+    parsedUri = new URL(uri);
+  } catch (error) {
+    throw new MissingStatusListUriError(`Invalid status list URI: ${uri}`);
+  }
+  if (!["http:", "https:"].includes(parsedUri.protocol)) {
+    throw new FetchError(`Unsupported protocol: ${parsedUri.protocol}. Only HTTP(S) is allowed.`);
+  }
+  const {
+    timeout = DEFAULT_TIMEOUT,
+    headers = {},
+    maxRedirects = DEFAULT_MAX_REDIRECTS,
+    fetchImpl = fetch
+  } = options;
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), timeout);
+  try {
+    const response = await fetchImpl(uri, {
+      method: "GET",
+      headers: {
+        Accept: `${CONTENT_TYPES.JWT}, ${CONTENT_TYPES.CWT}`,
+        ...headers
+      },
+      signal: controller.signal,
+      redirect: "follow",
+      // @ts-expect-error - maxRedirects is not in standard fetch but supported by undici
+      maxRedirects
+    });
+    clearTimeout(timeoutId);
+    if (!response.ok) {
+      throw new FetchError(
+        `HTTP ${response.status} ${response.statusText} while fetching status list from ${uri}`
+      );
+    }
+    const contentType = response.headers.get("content-type");
+    if (contentType?.includes(CONTENT_TYPES.JWT)) {
+      return await response.text();
+    }
+    if (contentType?.includes(CONTENT_TYPES.CWT)) {
+      const arrayBuffer2 = await response.arrayBuffer();
+      return new Uint8Array(arrayBuffer2);
+    }
+    const arrayBuffer = await response.arrayBuffer();
+    const bytes = new Uint8Array(arrayBuffer);
+    const text = new TextDecoder().decode(bytes.slice(0, 3));
+    if (text === "eyJ") {
+      return new TextDecoder().decode(bytes);
+    }
+    return bytes;
+  } catch (error) {
+    clearTimeout(timeoutId);
+    if (error instanceof FetchError || error instanceof MissingStatusListUriError) {
+      throw error;
+    }
+    if (error.name === "AbortError") {
+      throw new FetchError(`Request timeout after ${timeout}ms while fetching ${uri}`);
+    }
+    throw new FetchError(
+      `Failed to fetch status list from ${uri}: ${error.message}`
+    );
+  }
+}
+function isValidStatusListUri(uri) {
+  if (!uri || typeof uri !== "string") {
+    return false;
+  }
+  try {
+    const parsed = new URL(uri);
+    return ["http:", "https:"].includes(parsed.protocol);
+  } catch {
+    return false;
+  }
+}
+
+// lib/helper/validator.ts
+var MAX_TTL_SECONDS = 31536e3;
+var MIN_TTL_SECONDS = 60;
+function validateJWTPayload2(payload) {
+  const errors = [];
+  if (!payload.iss || typeof payload.iss !== "string") {
+    errors.push('Missing or invalid "iss" claim (must be a non-empty string)');
+  }
+  if (!payload.sub || typeof payload.sub !== "string") {
+    errors.push('Missing or invalid "sub" claim (must be a non-empty string)');
+  }
+  if (typeof payload.iat !== "number") {
+    errors.push('Missing or invalid "iat" claim (must be a number)');
+  } else if (payload.iat < 0) {
+    errors.push('"iat" claim must be a positive number');
+  }
+  if (!payload.status_list || typeof payload.status_list !== "object") {
+    errors.push('Missing or invalid "status_list" claim (must be an object)');
+  } else {
+    const { bits, lst } = payload.status_list;
+    if (![1, 2, 4, 8].includes(bits)) {
+      errors.push('"status_list.bits" must be 1, 2, 4, or 8');
+    }
+    if (!lst || typeof lst !== "string") {
+      errors.push('"status_list.lst" must be a non-empty base64url-encoded string');
+    }
+    if (payload.status_list.aggregation_uri !== void 0) {
+      if (typeof payload.status_list.aggregation_uri !== "string") {
+        errors.push('"status_list.aggregation_uri" must be a string');
+      }
+    }
+  }
+  if (payload.exp !== void 0) {
+    if (typeof payload.exp !== "number") {
+      errors.push('"exp" claim must be a number');
+    } else if (payload.exp < 0) {
+      errors.push('"exp" claim must be a positive number');
+    }
+  }
+  if (payload.ttl !== void 0) {
+    if (typeof payload.ttl !== "number") {
+      errors.push('"ttl" claim must be a number');
+    } else if (payload.ttl < 0) {
+      errors.push('"ttl" claim must be a positive number');
+    }
+  }
+  return {
+    valid: errors.length === 0,
+    errors
+  };
+}
+function validateCWTPayload2(payload) {
+  const errors = [];
+  const statusList = payload[CWT_CLAIMS.STATUS_LIST];
+  if (!statusList || typeof statusList !== "object") {
+    errors.push(`Missing or invalid status_list claim (key ${CWT_CLAIMS.STATUS_LIST})`);
+  } else {
+    const { bits, lst } = statusList;
+    if (![1, 2, 4, 8].includes(bits)) {
+      errors.push('"status_list.bits" must be 1, 2, 4, or 8');
+    }
+    if (!(lst instanceof Uint8Array)) {
+      errors.push('"status_list.lst" must be a Uint8Array');
+    } else if (lst.length === 0) {
+      errors.push('"status_list.lst" must not be empty');
+    }
+    if (statusList.aggregation_uri !== void 0) {
+      if (typeof statusList.aggregation_uri !== "string") {
+        errors.push('"status_list.aggregation_uri" must be a string');
+      }
+    }
+  }
+  if (payload[CWT_CLAIMS.ISS] !== void 0) {
+    if (typeof payload[CWT_CLAIMS.ISS] !== "string") {
+      errors.push(`"iss" claim (key ${CWT_CLAIMS.ISS}) must be a string`);
+    }
+  }
+  if (payload[CWT_CLAIMS.SUB] !== void 0) {
+    if (typeof payload[CWT_CLAIMS.SUB] !== "string") {
+      errors.push(`"sub" claim (key ${CWT_CLAIMS.SUB}) must be a string`);
+    }
+  }
+  if (payload[CWT_CLAIMS.EXP] !== void 0) {
+    const exp = payload[CWT_CLAIMS.EXP];
+    if (typeof exp !== "number") {
+      errors.push(`"exp" claim (key ${CWT_CLAIMS.EXP}) must be a number`);
+    } else if (exp < 0) {
+      errors.push(`"exp" claim must be a positive number`);
+    }
+  }
+  if (payload[CWT_CLAIMS.IAT] !== void 0) {
+    const iat = payload[CWT_CLAIMS.IAT];
+    if (typeof iat !== "number") {
+      errors.push(`"iat" claim (key ${CWT_CLAIMS.IAT}) must be a number`);
+    } else if (iat < 0) {
+      errors.push(`"iat" claim must be a positive number`);
+    }
+  }
+  if (payload[CWT_CLAIMS.TTL] !== void 0) {
+    const ttl = payload[CWT_CLAIMS.TTL];
+    if (typeof ttl !== "number") {
+      errors.push(`"ttl" claim (key ${CWT_CLAIMS.TTL}) must be a number`);
+    } else if (ttl < 0) {
+      errors.push(`"ttl" claim must be a positive number`);
+    }
+  }
+  return {
+    valid: errors.length === 0,
+    errors
+  };
+}
+function validateExpiry(exp, iat, ttl, currentTime = Math.floor(Date.now() / 1e3)) {
+  const errors = [];
+  if (iat !== void 0 && iat > currentTime) {
+    errors.push(`Token issued in the future (iat: ${iat}, current: ${currentTime})`);
+  }
+  if (exp !== void 0) {
+    if (exp < currentTime) {
+      errors.push(`Token expired (exp: ${exp}, current: ${currentTime})`);
+    }
+  }
+  if (ttl !== void 0 && iat !== void 0) {
+    const expirationTime = iat + ttl;
+    if (expirationTime < currentTime) {
+      errors.push(`Token expired by ttl (iat: ${iat}, ttl: ${ttl}, current: ${currentTime})`);
+    }
+  }
+  if (exp !== void 0 && ttl !== void 0 && iat !== void 0) {
+    const calculatedExp = iat + ttl;
+    if (Math.abs(exp - calculatedExp) > 1) {
+      errors.push(
+        `Inconsistent exp and ttl values (exp: ${exp}, iat + ttl: ${calculatedExp})`
+      );
+    }
+  }
+  return {
+    valid: errors.length === 0,
+    errors
+  };
+}
+function validateTTLBounds(ttl) {
+  const errors = [];
+  if (ttl === void 0) {
+    return { valid: true, errors: [] };
+  }
+  if (ttl < MIN_TTL_SECONDS) {
+    errors.push(
+      `TTL too short (${ttl} seconds). Recommended minimum: ${MIN_TTL_SECONDS} seconds (1 minute)`
+    );
+  }
+  if (ttl > MAX_TTL_SECONDS) {
+    errors.push(
+      `TTL too large (${ttl} seconds). Recommended maximum: ${MAX_TTL_SECONDS} seconds (1 year). Excessively large TTL values may be used for DoS attacks.`
+    );
+  }
+  return {
+    valid: errors.length === 0,
+    errors
+  };
+}
+function isExpired(exp, iat, ttl, currentTime = Math.floor(Date.now() / 1e3)) {
+  if (exp !== void 0 && exp < currentTime) {
+    return true;
+  }
+  if (ttl !== void 0 && iat !== void 0) {
+    const expirationTime = iat + ttl;
+    if (expirationTime < currentTime) {
+      return true;
+    }
+  }
+  return false;
+}
+
+// lib/helper/StatusListTokenHelper.ts
+var StatusListTokenHelper = class _StatusListTokenHelper {
+  constructor(header, payload, statusList, format) {
+    this.header = header;
+    this.payload = payload;
+    this.statusList = statusList;
+    this.format = format;
+  }
+  /**
+   * Creates a helper from a Status List Token (JWT or CWT).
+   *
+   * Automatically detects the format:
+   * - JWT: starts with "eyJ" (base64url-encoded header)
+   * - CWT: CBOR binary format
+   *
+   * @param token - JWT string or CWT Uint8Array
+   * @returns StatusListTokenHelper instance
+   * @throws {InvalidTokenFormatError} If token format is invalid
+   *
+   * @example
+   * ```typescript
+   * // From JWT
+   * const helper = StatusListTokenHelper.fromToken(jwtString);
+   *
+   * // From CWT
+   * const helper = StatusListTokenHelper.fromToken(cwtBytes);
+   * ```
+   */
+  static fromToken(token) {
+    if (typeof token === "string") {
+      const { header, payload: payload2, statusList: statusList2 } = parseJWTStatusList(token);
+      return new _StatusListTokenHelper(header, payload2, statusList2, "jwt");
+    }
+    const { protectedHeader, payload, statusList } = parseCWTStatusList(token);
+    return new _StatusListTokenHelper(protectedHeader, payload, statusList, "cwt");
+  }
+  /**
+   * Creates a helper by fetching a Status List Token from a URI.
+   *
+   * Fetches the token via HTTP GET and automatically detects the format.
+   *
+   * @param reference - Status reference containing idx and uri
+   * @param options - Fetch options
+   * @returns StatusListTokenHelper instance
+   * @throws {FetchError} If HTTP request fails
+   * @throws {InvalidTokenFormatError} If token format is invalid
+   *
+   * @example
+   * ```typescript
+   * const reference = {
+   *   idx: 42,
+   *   uri: 'https://issuer.example.com/status/1'
+   * };
+   *
+   * const helper = await StatusListTokenHelper.fromStatusReference(reference);
+   * const status = helper.getStatus(reference.idx);
+   * ```
+   */
+  static async fromStatusReference(reference, options) {
+    const token = await fetchStatusListToken(reference.uri, options);
+    return _StatusListTokenHelper.fromToken(token);
+  }
+  /**
+   * Gets the status value at a specific index.
+   *
+   * @param index - Index in the status list
+   * @returns Status value (0-255 depending on bits per status)
+   * @throws {IndexOutOfBoundsError} If index is out of bounds
+   *
+   * @example
+   * ```typescript
+   * const status = helper.getStatus(42);
+   * if (status === StandardStatusValues.INVALID) {
+   *   console.log('Credential 42 is revoked');
+   * }
+   * ```
+   */
+  getStatus(index) {
+    return this.statusList.getStatus(index);
+  }
+  /**
+   * Checks if the status list token is expired.
+   *
+   * A token is expired if:
+   * - exp is set and is in the past, OR
+   * - ttl is set and iat + ttl is in the past
+   *
+   * @param currentTime - Current time (seconds since epoch). Defaults to now.
+   * @returns True if expired
+   *
+   * @example
+   * ```typescript
+   * if (helper.isExpired()) {
+   *   throw new Error('Status list expired - fetch a new one');
+   * }
+   * ```
+   */
+  isExpired(currentTime) {
+    return isExpired(this.exp, this.iat, this.ttl, currentTime);
+  }
+  /**
+   * Gets the issuer identifier (iss claim).
+   *
+   * @returns Issuer string or undefined if not set
+   */
+  get iss() {
+    if (this.format === "jwt") {
+      return this.payload.iss;
+    }
+    return this.payload[CWT_CLAIMS.ISS];
+  }
+  /**
+   * Gets the subject identifier (sub claim).
+   *
+   * @returns Subject string or undefined if not set
+   */
+  get sub() {
+    if (this.format === "jwt") {
+      return this.payload.sub;
+    }
+    return this.payload[CWT_CLAIMS.SUB];
+  }
+  /**
+   * Gets the issued at time (iat claim).
+   *
+   * @returns Timestamp in seconds since epoch, or undefined if not set
+   */
+  get iat() {
+    if (this.format === "jwt") {
+      return this.payload.iat;
+    }
+    return this.payload[CWT_CLAIMS.IAT];
+  }
+  /**
+   * Gets the expiration time (exp claim).
+   *
+   * @returns Timestamp in seconds since epoch, or undefined if not set
+   */
+  get exp() {
+    if (this.format === "jwt") {
+      return this.payload.exp;
+    }
+    return this.payload[CWT_CLAIMS.EXP];
+  }
+  /**
+   * Gets the time to live (ttl claim).
+   *
+   * @returns TTL in seconds, or undefined if not set
+   */
+  get ttl() {
+    if (this.format === "jwt") {
+      return this.payload.ttl;
+    }
+    return this.payload[CWT_CLAIMS.TTL];
+  }
+  /**
+   * Gets the number of bits per status entry.
+   *
+   * @returns Bits per status (1, 2, 4, or 8)
+   */
+  get bits() {
+    if (this.format === "jwt") {
+      return this.payload.status_list.bits;
+    }
+    return this.payload[CWT_CLAIMS.STATUS_LIST].bits;
+  }
+  /**
+   * Gets the aggregation URI if set.
+   *
+   * @returns Aggregation URI or undefined if not set
+   */
+  get aggregationUri() {
+    if (this.format === "jwt") {
+      return this.payload.status_list.aggregation_uri;
+    }
+    return this.payload[CWT_CLAIMS.STATUS_LIST].aggregation_uri;
+  }
+  /**
+   * Gets the format of the token.
+   *
+   * @returns 'jwt' or 'cwt'
+   */
+  get tokenFormat() {
+    return this.format;
+  }
+  /**
+   * Gets the size of the status list.
+   *
+   * @returns Number of status entries
+   */
+  get size() {
+    return this.statusList.getSize();
+  }
+  /**
+   * Gets the raw header.
+   *
+   * @returns Header as object (JWT) or Map (CWT)
+   */
+  getHeader() {
+    return this.header;
+  }
+  /**
+   * Gets the raw payload.
+   *
+   * @returns Payload object
+   */
+  getPayload() {
+    return this.payload;
+  }
+  /**
+   * Gets the underlying StatusList instance.
+   *
+   * @returns StatusList instance
+   */
+  getStatusList() {
+    return this.statusList;
+  }
+};
+
+exports.COSE_ALGORITHMS = COSE_ALGORITHMS;
+exports.COSE_HEADERS = COSE_HEADERS;
+exports.CWT_CLAIMS = CWT_CLAIMS;
+exports.CompressionError = CompressionError;
+exports.FetchError = FetchError;
+exports.IndexOutOfBoundsError = IndexOutOfBoundsError;
+exports.InvalidBitSizeError = InvalidBitSizeError;
+exports.InvalidStatusValueError = InvalidStatusValueError;
+exports.InvalidTokenFormatError = InvalidTokenFormatError;
+exports.MissingStatusListUriError = MissingStatusListUriError;
+exports.StandardStatusValues = StandardStatusValues;
+exports.StatusList = StatusList;
+exports.StatusListError = StatusListError;
+exports.StatusListExpiredError = StatusListExpiredError;
+exports.StatusListTokenHelper = StatusListTokenHelper;
+exports.ValidationError = ValidationError;
+exports.calculateCapacity = calculateCapacity;
+exports.compress = compress;
+exports.compressToBase64URL = compressToBase64URL;
+exports.createCWTStatusListPayload = createCWTStatusListPayload;
+exports.createJWTStatusListPayload = createJWTStatusListPayload;
+exports.decompress = decompress;
+exports.decompressFromBase64URL = decompressFromBase64URL;
+exports.encodeCWTPayload = encodeCWTPayload;
+exports.extractStatusListReference = extractStatusListReference;
+exports.extractStatusListReferenceCBOR = extractStatusListReferenceCBOR;
+exports.fetchStatusListToken = fetchStatusListToken;
+exports.getBitValue = getBitValue;
+exports.isExpired = isExpired;
+exports.isValidStatusListUri = isValidStatusListUri;
+exports.packBits = packBits;
+exports.parseCWTStatusList = parseCWTStatusList;
+exports.parseCWTStatusListSigned = parseCWTStatusListSigned;
+exports.parseJWTStatusList = parseJWTStatusList;
+exports.setBitValue = setBitValue;
+exports.signCOSE = signCOSE;
+exports.signCWTStatusList = signCWTStatusList;
+exports.signStatusListJWT = signStatusListJWT;
+exports.unpackBits = unpackBits;
+exports.validateCWTPayload = validateCWTPayload2;
+exports.validateExpiry = validateExpiry;
+exports.validateJWTPayload = validateJWTPayload2;
+exports.validateTTLBounds = validateTTLBounds;
+exports.verifyCOSE = verifyCOSE;
+exports.verifySignatureOnly = verifySignatureOnly;
+exports.verifyStatusListJWT = verifyStatusListJWT;
+//# sourceMappingURL=index.cjs.map
+//# sourceMappingURL=index.cjs.map