agent-passport-system 1.31.0 → 1.32.0

package/README.md

@@ -2,19 +2,36 @@
 
 [![npm version](https://img.shields.io/npm/v/agent-passport-system)](https://www.npmjs.com/package/agent-passport-system)
 [![license](https://img.shields.io/npm/l/agent-passport-system)](https://github.com/aeoess/agent-passport-system/blob/main/LICENSE)
-[![tests](https://img.shields.io/badge/tests-1399%20passing-brightgreen)](https://github.com/aeoess/agent-passport-system)
+[![tests](https://img.shields.io/badge/tests-2180%20passing-brightgreen)](https://github.com/aeoess/agent-passport-system)
 [![DOI](https://zenodo.org/badge/DOI/10.5281/zenodo.18749779.svg)](https://doi.org/10.5281/zenodo.18749779)
 
 > **For AI agents:** visit [aeoess.com/llms.txt](https://aeoess.com/llms.txt) for machine-readable docs or [llms-full.txt](https://aeoess.com/llms-full.txt) for the complete reference.
 
-**Governance, trust, and enforcement for AI agents. Not just identity.**
+**The enforcement and accountability layer for AI agents. Bring your own identity.**
 
-When an AI agent acts on your behalf, APS answers: what is it allowed to do? How much can it spend? Is it trustworthy? What happens when it violates a constraint? And can you prove all of this cryptographically?
+APS is not an identity system. It's the governance layer that sits on top of whatever identity the agent already has. Accepts did:key, did:web, SPIFFE SVIDs, OAuth tokens, and native did:aps. Identity is the input. Enforcement is the product.
+
+The gateway is both judge and executor. Authority can only decrease at each transfer point. Cascade revocation propagates through delegation chains. Every action produces a signed receipt. Every constraint is checked in under 2ms.
+
+Seven independent projects have cross-tested against these primitives. AgentID: 7/7. MolTrust: 5/5. Kanoniv delegation chains: verified. Three languages, three codebases, identical results.
 
 ```bash
 npm install agent-passport-system
 ```
 
+## Who's Building on APS
+
+| Project | What they do | What APS provides |
+|---------|-------------|-------------------|
+| [AgentID](https://github.com/haroldmalikfrimpong-ops/getagentid) | CA-issued identity, trust scoring | Self-sovereign identity, delegation chains |
+| [MolTrust](https://moltrust.ch) | On-chain constraint envelopes | Scope narrowing, spend limits, expiry |
+| [qntm](https://github.com/corpollc/qntm) | Encrypted relay transport | Identity keys, signed envelopes |
+| [Signet](https://github.com/Prismer-AI/signet) | MCP transport signing | Policy gate, execution attestation |
+| [ArkForge](https://arkforge.tech) | External proof anchoring | Receipts to anchor |
+| [Microsoft AGT](https://github.com/microsoft/agent-governance-toolkit) | Enterprise policy engine | Trust signals, scope verification |
+
+See [INTEGRATION.md](INTEGRATION.md) for how to compose your project with APS.
+
 ## What It Does
 
 **Enforce constraints on agent actions** — the ProxyGateway is an enforcement boundary that sits between the agent and any tool. Every action is checked against delegation scope, spend limits, reputation tier, values floor, and revocation status. The gateway executes the action, not the agent. The gateway generates the receipt, not the agent. Agents cannot bypass, forge, or skip enforcement.
@@ -90,7 +107,7 @@ const agent = joinSocialContract({ name: 'my-agent', owner: 'alice', floor: floo
 
 ## The Stack
 
-42 core modules + 32 v2 constitutional modules. 1399 tests. Zero heavy dependencies.
+71 core modules + 32 v2 constitutional modules. 2,180 tests. Zero heavy dependencies.
 
 | Layer | What it does | Key primitive |
 |-------|-------------|---------------|
@@ -101,15 +118,15 @@ const agent = joinSocialContract({ name: 'my-agent', owner: 'alice', floor: floo
 | **Intent & Policy** | Roles, tradeoff rules, deliberative consensus, 3-signature policy chain. | `ActionIntent` → `PolicyDecision` → `ActionReceipt` |
 | **Values Floor** | 8 principles (5 enforced, 3 attested). Graduated enforcement: inline/audit/warn. | `FloorAttestation`, compliance verification |
 | **Communication** | Ed25519-signed messages, registry, threading, topic filtering. | `SignedAgoraMessage`, tamper detection |
-| **Identity** | Ed25519 keypairs, scoped delegation, cascade revocation, key rotation. | `SignedPassport`, `Delegation`, `RevocationRecord` |
+| **Identity** | Bring your own: did:key, did:web, SPIFFE, OAuth, native did:aps. Ed25519 keypairs, scoped delegation, cascade revocation. | `toDIDKey`, `importSPIFFESVID`, `importOAuthToken`, `SignedPassport` |
 
-**Extended modules (9-42):** W3C DID (`did:aps`), Verifiable Credentials, A2A Bridge, EU AI Act Compliance, Agent Context, Task Routing, Cross-Chain Data Flow (taint tracking, confused deputy prevention), E2E Encrypted Messaging (X25519 + XSalsa20), Obligations, Governance Provenance, Identity Continuity & Key Rotation, Receipt Ledger (Merkle-committed audit batches), Feasibility Linting, Precedent Control, Re-anchoring, Bounded Escalation, Oracle Witness Diversity, Messaging Audit Bridge, Policy Conflict Detection, Data Source Registration, Decision Semantics, ProxyGateway.
+**Extended modules (9-71):** W3C DID (`did:aps`), DID Interop (`did:key`, `did:web`), Identity Bridge (SPIFFE SVID, OAuth tokens), VC Wrapper (W3C Verifiable Credentials with did:key + SPIFFE evidence), Credential Request Protocol (selective disclosure), Verifiable Credentials, A2A Bridge, EU AI Act Compliance, Agent Context, Task Routing, Cross-Chain Data Flow (taint tracking, confused deputy prevention), E2E Encrypted Messaging (X25519 + XSalsa20), Obligations, Governance Provenance, Identity Continuity & Key Rotation, Receipt Ledger (Merkle-committed audit batches), Feasibility Linting, Precedent Control, Re-anchoring, Bounded Escalation, Oracle Witness Diversity, Messaging Audit Bridge, Policy Conflict Detection, Data Source Registration, Decision Semantics, Decision Equivalence, Execution Attestation, Bilateral Receipts, Governance Blocks, aps.txt, Governance 360, Data Lifecycle, Persistent Passports, ProxyGateway.
 
 **V2 Constitutional Framework (32 modules):** Designed through cross-model adversarial review. PolicyContext with mandatory sunset, Delegation Versioning, Outcome Registration, Anomaly Detection, Emergency Pathways, Migration (fork-and-sunset), Contextual Attestation, Approval Fatigue Detection, Effect Enforcement, Emergence Detection, Separation of Powers, Constitutional Amendment, Circuit Breakers, Epistemic Isolation, and 18 more. Source: [`src/v2/`](src/v2/).
 
 ## MCP Server
 
-108 tools across all modules. Any MCP client connects agents directly.
+125 tools across all modules. Any MCP client connects agents directly.
 
 ```bash
 npm install -g agent-passport-system-mcp
@@ -144,7 +161,7 @@ npx agent-passport audit --floor values/floor.yaml
 
 ```bash
 npm test
-# 1399 tests across 71 files, 370 suites, 0 failures
+# 2,180 tests, 0 failures
 ```
 
 50 adversarial tests: Merkle tampering, attribution gaming, compliance violations, floor negotiation attacks, cross-chain confused deputy, taint laundering, authority probing.
@@ -162,16 +179,17 @@ npm test
 | Signed receipts | 3-sig chain | Proposed | Logs | General | — |
 | Values enforcement | 8 principles, graduated | — | Rules | — | — |
 | Coordination | Task lifecycle + MCP | — | — | — | — |
-| Tests | 1399 (50 adversarial) | None | Limited | None | None |
+| Tests | 2,180 (50 adversarial) | None | Limited | None | None |
 
 ## Recognition
 
-- Integrated into [Microsoft agent-governance-toolkit](https://github.com/microsoft/agent-governance-toolkit) (PR #274)
-- Public comment submitted to NIST NCCoE on AI Agent Identity and Authorization standards
-- Collaboration with IETF DAAP draft author (draft-mishra-oauth-agent-grants-01) on delegation spec
-- Listed on [MCP Registry](https://registry.modelcontextprotocol.io)
+- **Working Group** with 4 founding members: APS, AgentID, qntm, OATR. Cross-protocol interop proven across three languages.
+- Integrated into [Microsoft agent-governance-toolkit](https://github.com/microsoft/agent-governance-toolkit) (PR #598)
+- Referenced in [MITRE ATLAS](https://github.com/mitre-atlas/atlas-data/issues/11) agent security techniques
+- Referenced in [MCP SEP-1763](https://github.com/modelcontextprotocol/modelcontextprotocol/issues/1763) interceptor framework
+- NIST NCCoE public comment on AI Agent Identity and Authorization
+- Collaboration with IETF DAAP draft author on delegation spec
 - Endorsed by Garry Tan (CEO, Y Combinator)
-- [AMCS — AI-Native Media Credentialing Standard](https://aeoess.com/amcs.html) published
 
 ## Paper
 
@@ -179,9 +197,9 @@ npm test
 
 ## Authorship
 
-Designed and built by **Tymofii Pidlisnyi** with AI assistance from **Claude** (Anthropic).
+Built by **Tymofii Pidlisnyi** ([@tima](https://github.com/aeoess)). Protocol designed with AI assistance from Claude (Anthropic), GPT (OpenAI), and Gemini (Google) through adversarial cross-model review.
 
-Protocol: [aeoess.com/protocol.html](https://aeoess.com/protocol.html) · Agora: [aeoess.com/agora.html](https://aeoess.com/agora.html) · npm: [agent-passport-system](https://www.npmjs.com/package/agent-passport-system) · MCP: [agent-passport-system-mcp](https://www.npmjs.com/package/agent-passport-system-mcp)
+Website: [aeoess.com](https://aeoess.com) · npm: [agent-passport-system](https://www.npmjs.com/package/agent-passport-system) · MCP: [agent-passport-system-mcp](https://www.npmjs.com/package/agent-passport-system-mcp)
 
 ## LLM Documentation
 

package/dist/src/core/credential-request.d.ts

@@ -0,0 +1,62 @@
+import type { VerifiablePresentation } from '../types/did.js';
+import type { ProviderAttestation } from '../types/attestation.js';
+export interface CredentialRequest {
+    /** Unique request ID */
+    id: string;
+    /** Claims the verifier wants (e.g., ["grade", "capabilities", "delegationScope"]) */
+    requestedClaims: string[];
+    /** DID of the verifier making the request */
+    verifierDID: string;
+    /** Challenge nonce for replay protection */
+    challenge: string;
+    /** When this request was created */
+    createdAt: string;
+}
+export interface CredentialResponseResult {
+    valid: boolean;
+    /** Extracted claims that the verifier requested */
+    claims: Record<string, unknown>;
+    /** Detailed checks */
+    checks: string[];
+}
+export interface SelectivePassport {
+    agentId: string;
+    publicKey: string;
+    agentName?: string;
+    mission?: string;
+    capabilities?: string[];
+    grade?: number;
+    delegationScope?: string[];
+    createdAt?: string;
+    expiresAt?: string;
+    evidence?: ProviderAttestation[];
+}
+/**
+ * Create a credential request specifying which claims the verifier needs.
+ * The challenge provides replay protection: the agent must bind the VP
+ * to this specific challenge.
+ */
+export declare function createCredentialRequest(claims: string[], verifierDID: string, challenge?: string): CredentialRequest;
+/**
+ * Fulfill a credential request by creating a VP that contains only
+ * the requested claims. This is selective disclosure: the agent
+ * reveals only what the verifier asked for.
+ *
+ * The VC's credentialSubject will contain:
+ * - id (always included, the agent's did:key)
+ * - agentId (always included for APS correlation)
+ * - only the fields listed in request.requestedClaims
+ */
+export declare function fulfillCredentialRequest(request: CredentialRequest, passport: SelectivePassport, privateKey: string): Promise<VerifiablePresentation>;
+/**
+ * Verify a credential response VP and extract the requested claims.
+ *
+ * Checks:
+ * 1. VP proof is valid
+ * 2. Challenge matches (replay protection)
+ * 3. Each contained VC proof is valid
+ * 4. Credential is not expired
+ * 5. Extracts claims from credentialSubject
+ */
+export declare function verifyCredentialResponse(vp: VerifiablePresentation, expectedChallenge?: string): Promise<CredentialResponseResult>;
+//# sourceMappingURL=credential-request.d.ts.map

package/dist/src/core/credential-request.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-request.d.ts","sourceRoot":"","sources":["../../../src/core/credential-request.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAwB,sBAAsB,EAAmB,MAAM,iBAAiB,CAAA;AACpG,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAA;AAIlE,MAAM,WAAW,iBAAiB;IAChC,wBAAwB;IACxB,EAAE,EAAE,MAAM,CAAA;IACV,qFAAqF;IACrF,eAAe,EAAE,MAAM,EAAE,CAAA;IACzB,6CAA6C;IAC7C,WAAW,EAAE,MAAM,CAAA;IACnB,4CAA4C;IAC5C,SAAS,EAAE,MAAM,CAAA;IACjB,oCAAoC;IACpC,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,WAAW,wBAAwB;IACvC,KAAK,EAAE,OAAO,CAAA;IACd,mDAAmD;IACnD,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAC/B,sBAAsB;IACtB,MAAM,EAAE,MAAM,EAAE,CAAA;CACjB;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAA;IACf,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;IACvB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,eAAe,CAAC,EAAE,MAAM,EAAE,CAAA;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,QAAQ,CAAC,EAAE,mBAAmB,EAAE,CAAA;CACjC;AAYD;;;;GAIG;AACH,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EAAE,EAChB,WAAW,EAAE,MAAM,EACnB,SAAS,CAAC,EAAE,MAAM,GACjB,iBAAiB,CAenB;AAED;;;;;;;;;GASG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,iBAAiB,EAC1B,QAAQ,EAAE,iBAAiB,EAC3B,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,sBAAsB,CAAC,CA8EjC;AAED;;;;;;;;;GASG;AACH,wBAAsB,wBAAwB,CAC5C,EAAE,EAAE,sBAAsB,EAC1B,iBAAiB,CAAC,EAAE,MAAM,GACzB,OAAO,CAAC,wBAAwB,CAAC,CA0FnC"}

package/dist/src/core/credential-request.js

@@ -0,0 +1,243 @@
+// Agent Passport System — Credential Request Protocol
+// Selective disclosure: verifier requests specific claims,
+// agent presents a VC containing only those claims.
+import { canonicalize } from './canonical.js';
+import { sign, verify, publicKeyFromPrivate } from '../crypto/keys.js';
+import { toDIDKey, fromDIDKey } from './did-interop.js';
+import { hexToMultibase } from './did.js';
+// ── Constants ──
+const VC_CONTEXT = [
+    'https://www.w3.org/ns/credentials/v2',
+    'https://w3id.org/security/suites/ed25519-2020/v1',
+];
+const APS_CONTEXT = 'https://aeoess.com/ns/agent-passport/v1';
+// ── Credential Request Protocol ──
+/**
+ * Create a credential request specifying which claims the verifier needs.
+ * The challenge provides replay protection: the agent must bind the VP
+ * to this specific challenge.
+ */
+export function createCredentialRequest(claims, verifierDID, challenge) {
+    if (!claims || claims.length === 0) {
+        throw new Error('Credential request must specify at least one claim');
+    }
+    if (!verifierDID) {
+        throw new Error('Verifier DID is required');
+    }
+    return {
+        id: `creq_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
+        requestedClaims: claims,
+        verifierDID,
+        challenge: challenge || crypto.randomUUID(),
+        createdAt: new Date().toISOString(),
+    };
+}
+/**
+ * Fulfill a credential request by creating a VP that contains only
+ * the requested claims. This is selective disclosure: the agent
+ * reveals only what the verifier asked for.
+ *
+ * The VC's credentialSubject will contain:
+ * - id (always included, the agent's did:key)
+ * - agentId (always included for APS correlation)
+ * - only the fields listed in request.requestedClaims
+ */
+export async function fulfillCredentialRequest(request, passport, privateKey) {
+    const publicKey = publicKeyFromPrivate(privateKey);
+    const subjectDIDKey = toDIDKey(passport.publicKey);
+    const issuerDIDKey = toDIDKey(publicKey);
+    const now = new Date().toISOString();
+    // Build selective credentialSubject
+    const fullSubject = {
+        id: subjectDIDKey,
+        agentId: passport.agentId,
+        publicKey: subjectDIDKey,
+        publicKeyMultibase: hexToMultibase(passport.publicKey),
+        agentName: passport.agentName,
+        mission: passport.mission,
+        capabilities: passport.capabilities,
+        grade: passport.grade,
+        delegationScope: passport.delegationScope,
+    };
+    // Filter to only requested claims + mandatory fields
+    const selective = {
+        id: fullSubject.id,
+        agentId: fullSubject.agentId,
+    };
+    for (const claim of request.requestedClaims) {
+        if (claim in fullSubject && fullSubject[claim] !== undefined) {
+            selective[claim] = fullSubject[claim];
+        }
+    }
+    // Build the VC
+    const credential = {
+        '@context': [...VC_CONTEXT, APS_CONTEXT],
+        id: `urn:aps:credential:selective:${passport.agentId}:${request.id}`,
+        type: ['VerifiableCredential', 'AgentPassportCredential'],
+        issuer: issuerDIDKey,
+        issuanceDate: passport.createdAt || now,
+        credentialSubject: selective,
+    };
+    if (passport.expiresAt) {
+        credential.expirationDate = passport.expiresAt;
+    }
+    if (passport.evidence && passport.evidence.length > 0) {
+        credential.evidence = passport.evidence.map(att => ({
+            type: 'InfrastructureAttestation',
+            provider: att.provider,
+            subjectClass: att.subjectClass,
+            verificationMethod: att.verificationMethod,
+            issuedAt: att.issuedAt,
+            expiresAt: att.expiresAt,
+        }));
+    }
+    const vcProof = await createProof(credential, privateKey, issuerDIDKey, 'assertionMethod');
+    const vc = { ...credential, proof: vcProof };
+    // Wrap in VP with the request's challenge
+    const holderDIDKey = toDIDKey(passport.publicKey);
+    const presentation = {
+        '@context': VC_CONTEXT,
+        id: `urn:aps:presentation:${request.id}`,
+        type: ['VerifiablePresentation'],
+        holder: holderDIDKey,
+        verifiableCredential: [vc],
+    };
+    const vpProof = await createProof(presentation, privateKey, holderDIDKey, 'authentication', { challenge: request.challenge, domain: request.verifierDID });
+    return { ...presentation, proof: vpProof };
+}
+/**
+ * Verify a credential response VP and extract the requested claims.
+ *
+ * Checks:
+ * 1. VP proof is valid
+ * 2. Challenge matches (replay protection)
+ * 3. Each contained VC proof is valid
+ * 4. Credential is not expired
+ * 5. Extracts claims from credentialSubject
+ */
+export async function verifyCredentialResponse(vp, expectedChallenge) {
+    const checks = [];
+    let valid = true;
+    // Check required fields
+    if (!vp.holder || !vp.proof || !vp.verifiableCredential) {
+        checks.push('FAIL: missing required VP fields');
+        return { valid: false, claims: {}, checks };
+    }
+    checks.push('PASS: required VP fields present');
+    // Verify challenge if expected
+    const proof = vp.proof;
+    if (expectedChallenge) {
+        if (proof.challenge === expectedChallenge) {
+            checks.push('PASS: challenge matches');
+        }
+        else {
+            checks.push(`FAIL: challenge mismatch — expected "${expectedChallenge}", got "${proof.challenge}"`);
+            valid = false;
+        }
+    }
+    // Verify VP proof
+    try {
+        const vmDID = vp.proof.verificationMethod.split('#')[0];
+        const publicKey = vmDID.startsWith('did:key:') ? fromDIDKey(vmDID) : vmDID.split(':').pop();
+        const { proof: vpProof, ...vpWithoutProof } = vp;
+        const canonical = canonicalize(vpWithoutProof);
+        const sigHex = base64urlToHex(vpProof.proofValue);
+        const sigValid = verify(canonical, sigHex, publicKey);
+        if (sigValid) {
+            checks.push('PASS: presentation signature valid');
+        }
+        else {
+            checks.push('FAIL: presentation signature invalid');
+            valid = false;
+        }
+    }
+    catch (err) {
+        checks.push(`FAIL: presentation signature error — ${err instanceof Error ? err.message : String(err)}`);
+        valid = false;
+    }
+    // Verify each credential and extract claims
+    const claims = {};
+    for (let i = 0; i < vp.verifiableCredential.length; i++) {
+        const vc = vp.verifiableCredential[i];
+        // Verify VC proof
+        try {
+            const vmDID = vc.proof.verificationMethod.split('#')[0];
+            const publicKey = vmDID.startsWith('did:key:') ? fromDIDKey(vmDID) : vmDID.split(':').pop();
+            const { proof: vcProof, ...vcWithoutProof } = vc;
+            const canonical = canonicalize(vcWithoutProof);
+            const sigHex = base64urlToHex(vcProof.proofValue);
+            const sigValid = verify(canonical, sigHex, publicKey);
+            if (sigValid) {
+                checks.push(`PASS: credential[${i}] signature valid`);
+            }
+            else {
+                checks.push(`FAIL: credential[${i}] signature invalid`);
+                valid = false;
+                continue;
+            }
+        }
+        catch (err) {
+            checks.push(`FAIL: credential[${i}] signature error — ${err instanceof Error ? err.message : String(err)}`);
+            valid = false;
+            continue;
+        }
+        // Check expiration
+        if (vc.expirationDate) {
+            if (new Date(vc.expirationDate) < new Date()) {
+                checks.push(`FAIL: credential[${i}] expired`);
+                valid = false;
+            }
+            else {
+                checks.push(`PASS: credential[${i}] not expired`);
+            }
+        }
+        // Extract claims
+        const subject = vc.credentialSubject;
+        for (const [key, value] of Object.entries(subject)) {
+            if (key !== 'id' && value !== undefined) {
+                claims[key] = value;
+            }
+        }
+    }
+    return { valid, claims, checks };
+}
+// ── Proof Helpers ──
+import crypto from 'node:crypto';
+async function createProof(data, privateKey, did, purpose, options) {
+    const canonical = canonicalize(data);
+    const sig = sign(canonical, privateKey);
+    const proof = {
+        type: 'Ed25519Signature2020',
+        created: new Date().toISOString(),
+        verificationMethod: `${did}#key-1`,
+        proofPurpose: purpose,
+        proofValue: hexToBase64url(sig),
+    };
+    if (options?.challenge)
+        proof.challenge = options.challenge;
+    if (options?.domain)
+        proof.domain = options.domain;
+    return proof;
+}
+// ── Encoding ──
+function hexToBytes(hex) {
+    const bytes = new Uint8Array(hex.length / 2);
+    for (let i = 0; i < hex.length; i += 2) {
+        bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
+    }
+    return bytes;
+}
+function bytesToHex(bytes) {
+    return Array.from(bytes).map(b => b.toString(16).padStart(2, '0')).join('');
+}
+function hexToBase64url(hex) {
+    const bytes = hexToBytes(hex);
+    const base64 = Buffer.from(bytes).toString('base64');
+    return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
+}
+function base64urlToHex(b64url) {
+    const base64 = b64url.replace(/-/g, '+').replace(/_/g, '/');
+    const buf = Buffer.from(base64, 'base64');
+    return bytesToHex(new Uint8Array(buf));
+}
+//# sourceMappingURL=credential-request.js.map

package/dist/src/core/credential-request.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-request.js","sourceRoot":"","sources":["../../../src/core/credential-request.ts"],"names":[],"mappings":"AAAA,sDAAsD;AACtD,2DAA2D;AAC3D,oDAAoD;AAEpD,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AAC7C,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,oBAAoB,EAAE,MAAM,mBAAmB,CAAA;AACtE,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAA;AACvD,OAAO,EAAE,cAAc,EAAE,MAAM,UAAU,CAAA;AAwCzC,kBAAkB;AAElB,MAAM,UAAU,GAAG;IACjB,sCAAsC;IACtC,kDAAkD;CACnD,CAAA;AACD,MAAM,WAAW,GAAG,yCAAyC,CAAA;AAE7D,oCAAoC;AAEpC;;;;GAIG;AACH,MAAM,UAAU,uBAAuB,CACrC,MAAgB,EAChB,WAAmB,EACnB,SAAkB;IAElB,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAA;IACvE,CAAC;IACD,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAA;IAC7C,CAAC;IAED,OAAO;QACL,EAAE,EAAE,QAAQ,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE;QAClE,eAAe,EAAE,MAAM;QACvB,WAAW;QACX,SAAS,EAAE,SAAS,IAAI,MAAM,CAAC,UAAU,EAAE;QAC3C,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAA;AACH,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,OAA0B,EAC1B,QAA2B,EAC3B,UAAkB;IAElB,MAAM,SAAS,GAAG,oBAAoB,CAAC,UAAU,CAAC,CAAA;IAClD,MAAM,aAAa,GAAG,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;IAClD,MAAM,YAAY,GAAG,QAAQ,CAAC,SAAS,CAAC,CAAA;IACxC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAA;IAEpC,oCAAoC;IACpC,MAAM,WAAW,GAA4B;QAC3C,EAAE,EAAE,aAAa;QACjB,OAAO,EAAE,QAAQ,CAAC,OAAO;QACzB,SAAS,EAAE,aAAa;QACxB,kBAAkB,EAAE,cAAc,CAAC,QAAQ,CAAC,SAAS,CAAC;QACtD,SAAS,EAAE,QAAQ,CAAC,SAAS;QAC7B,OAAO,EAAE,QAAQ,CAAC,OAAO;QACzB,YAAY,EAAE,QAAQ,CAAC,YAAY;QACnC,KAAK,EAAE,QAAQ,CAAC,KAAK;QACrB,eAAe,EAAE,QAAQ,CAAC,eAAe;KAC1C,CAAA;IAED,qDAAqD;IACrD,MAAM,SAAS,GAA4B;QACzC,EAAE,EAAE,WAAW,CAAC,EAAE;QAClB,OAAO,EAAE,WAAW,CAAC,OAAO;KAC7B,CAAA;IACD,KAAK,MAAM,KAAK,IAAI,OAAO,CAAC,eAAe,EAAE,CAAC;QAC5C,IAAI,KAAK,IAAI,WAAW,IAAI,WAAW,CAAC,KAAK,CAAC,KAAK,SAAS,EAAE,CAAC;YAC7D,SAAS,CAAC,KAAK,CAAC,GAAG,WAAW,CAAC,KAAK,CAAC,CAAA;QACvC,CAAC;IACH,CAAC;IAED,eAAe;IACf,MAAM,UAAU,GAA4B;QAC1C,UAAU,EAAE,CAAC,GAAG,UAAU,EAAE,WAAW,CAAC;QACxC,EAAE,EAAE,gCAAgC,QAAQ,CAAC,OAAO,IAAI,OAAO,CAAC,EAAE,EAAE;QACpE,IAAI,EAAE,CAAC,sBAAsB,EAAE,yBAAyB,CAAC;QACzD,MAAM,EAAE,YAAY;QACpB,YAAY,EAAE,QAAQ,CAAC,SAAS,IAAI,GAAG;QACvC,iBAAiB,EAAE,SAAS;KAC7B,CAAA;IAED,IAAI,QAAQ,CAAC,SAAS,EAAE,CAAC;QACvB,UAAU,CAAC,cAAc,GAAG,QAAQ,CAAC,SAAS,CAAA;IAChD,CAAC;IAED,IAAI,QAAQ,CAAC,QAAQ,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACtD,UAAU,CAAC,QAAQ,GAAG,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAClD,IAAI,EAAE,2BAA2B;YACjC,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,YAAY,EAAE,GAAG,CAAC,YAAY;YAC9B,kBAAkB,EAAE,GAAG,CAAC,kBAAkB;YAC1C,QAAQ,EAAE,GAAG,CAAC,QAAQ;YACtB,SAAS,EAAE,GAAG,CAAC,SAAS;SACzB,CAAC,CAAC,CAAA;IACL,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,WAAW,CAAC,UAAU,EAAE,UAAU,EAAE,YAAY,EAAE,iBAAiB,CAAC,CAAA;IAC1F,MAAM,EAAE,GAAG,EAAE,GAAG,UAAU,EAAE,KAAK,EAAE,OAAO,EAA0B,CAAA;IAEpE,0CAA0C;IAC1C,MAAM,YAAY,GAAG,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAA;IAEjD,MAAM,YAAY,GAA4B;QAC5C,UAAU,EAAE,UAAU;QACtB,EAAE,EAAE,wBAAwB,OAAO,CAAC,EAAE,EAAE;QACxC,IAAI,EAAE,CAAC,wBAAwB,CAAC;QAChC,MAAM,EAAE,YAAY;QACpB,oBAAoB,EAAE,CAAC,EAAE,CAAC;KAC3B,CAAA;IAED,MAAM,OAAO,GAAG,MAAM,WAAW,CAC/B,YAAY,EACZ,UAAU,EACV,YAAY,EACZ,gBAAgB,EAChB,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,WAAW,EAAE,CAC9D,CAAA;IAED,OAAO,EAAE,GAAG,YAAY,EAAE,KAAK,EAAE,OAAO,EAAuC,CAAA;AACjF,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,EAA0B,EAC1B,iBAA0B;IAE1B,MAAM,MAAM,GAAa,EAAE,CAAA;IAC3B,IAAI,KAAK,GAAG,IAAI,CAAA;IAEhB,wBAAwB;IACxB,IAAI,CAAC,EAAE,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC,KAAK,IAAI,CAAC,EAAE,CAAC,oBAAoB,EAAE,CAAC;QACxD,MAAM,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAA;QAC/C,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,CAAA;IAC7C,CAAC;IACD,MAAM,CAAC,IAAI,CAAC,kCAAkC,CAAC,CAAA;IAE/C,+BAA+B;IAC/B,MAAM,KAAK,GAAG,EAAE,CAAC,KAAkE,CAAA;IACnF,IAAI,iBAAiB,EAAE,CAAC;QACtB,IAAI,KAAK,CAAC,SAAS,KAAK,iBAAiB,EAAE,CAAC;YAC1C,MAAM,CAAC,IAAI,CAAC,yBAAyB,CAAC,CAAA;QACxC,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,wCAAwC,iBAAiB,WAAW,KAAK,CAAC,SAAS,GAAG,CAAC,CAAA;YACnG,KAAK,GAAG,KAAK,CAAA;QACf,CAAC;IACH,CAAC;IAED,kBAAkB;IAClB,IAAI,CAAC;QACH,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,kBAAkB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;QACvD,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAG,CAAA;QAC5F,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,cAAc,EAAE,GAAG,EAAE,CAAA;QAChD,MAAM,SAAS,GAAG,YAAY,CAAC,cAAoD,CAAC,CAAA;QACpF,MAAM,MAAM,GAAG,cAAc,CAAC,OAAO,CAAC,UAAU,CAAC,CAAA;QACjD,MAAM,QAAQ,GAAG,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,CAAC,CAAA;QAErD,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,CAAC,IAAI,CAAC,oCAAoC,CAAC,CAAA;QACnD,CAAC;aAAM,CAAC;YACN,MAAM,CAAC,IAAI,CAAC,sCAAsC,CAAC,CAAA;YACnD,KAAK,GAAG,KAAK,CAAA;QACf,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,wCAAwC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;QACvG,KAAK,GAAG,KAAK,CAAA;IACf,CAAC;IAED,4CAA4C;IAC5C,MAAM,MAAM,GAA4B,EAAE,CAAA;IAE1C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,oBAAoB,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACxD,MAAM,EAAE,GAAG,EAAE,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAA;QAErC,kBAAkB;QAClB,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,EAAE,CAAC,KAAK,CAAC,kBAAkB,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;YACvD,MAAM,SAAS,GAAG,KAAK,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAG,CAAA;YAC5F,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,cAAc,EAAE,GAAG,EAAE,CAAA;YAChD,MAAM,SAAS,GAAG,YAAY,CAAC,cAAoD,CAAC,CAAA;YACpF,MAAM,MAAM,GAAG,cAAc,CAAC,OAAO,CAAC,UAAU,CAAC,CAAA;YACjD,MAAM,QAAQ,GAAG,MAAM,CAAC,SAAS,EAAE,MAAM,EAAE,SAAS,CAAC,CAAA;YAErD,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,mBAAmB,CAAC,CAAA;YACvD,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,qBAAqB,CAAC,CAAA;gBACvD,KAAK,GAAG,KAAK,CAAA;gBACb,SAAQ;YACV,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,uBAAuB,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAA;YAC3G,KAAK,GAAG,KAAK,CAAA;YACb,SAAQ;QACV,CAAC;QAED,mBAAmB;QACnB,IAAI,EAAE,CAAC,cAAc,EAAE,CAAC;YACtB,IAAI,IAAI,IAAI,CAAC,EAAE,CAAC,cAAc,CAAC,GAAG,IAAI,IAAI,EAAE,EAAE,CAAC;gBAC7C,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,WAAW,CAAC,CAAA;gBAC7C,KAAK,GAAG,KAAK,CAAA;YACf,CAAC;iBAAM,CAAC;gBACN,MAAM,CAAC,IAAI,CAAC,oBAAoB,CAAC,eAAe,CAAC,CAAA;YACnD,CAAC;QACH,CAAC;QAED,iBAAiB;QACjB,MAAM,OAAO,GAAG,EAAE,CAAC,iBAA4C,CAAA;QAC/D,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACnD,IAAI,GAAG,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;gBACxC,MAAM,CAAC,GAAG,CAAC,GAAG,KAAK,CAAA;YACrB,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,CAAA;AAClC,CAAC;AAED,sBAAsB;AAEtB,OAAO,MAAM,MAAM,aAAa,CAAA;AAEhC,KAAK,UAAU,WAAW,CACxB,IAA6B,EAC7B,UAAkB,EAClB,GAAW,EACX,OAAwC,EACxC,OAAiD;IAEjD,MAAM,SAAS,GAAG,YAAY,CAAC,IAA+B,CAAC,CAAA;IAC/D,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,EAAE,UAAU,CAAC,CAAA;IAEvC,MAAM,KAAK,GAA8D;QACvE,IAAI,EAAE,sBAAsB;QAC5B,OAAO,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACjC,kBAAkB,EAAE,GAAG,GAAG,QAAQ;QAClC,YAAY,EAAE,OAAO;QACrB,UAAU,EAAE,cAAc,CAAC,GAAG,CAAC;KAChC,CAAA;IAED,IAAI,OAAO,EAAE,SAAS;QAAE,KAAK,CAAC,SAAS,GAAG,OAAO,CAAC,SAAS,CAAA;IAC3D,IAAI,OAAO,EAAE,MAAM;QAAE,KAAK,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAA;IAElD,OAAO,KAAK,CAAA;AACd,CAAC;AAED,iBAAiB;AAEjB,SAAS,UAAU,CAAC,GAAW;IAC7B,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAA;IAC5C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,GAAG,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACvC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,QAAQ,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;IACtD,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAED,SAAS,UAAU,CAAC,KAAiB;IACnC,OAAO,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;AAC7E,CAAC;AAED,SAAS,cAAc,CAAC,GAAW;IACjC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,CAAC,CAAA;IAC7B,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;IACpD,OAAO,MAAM,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAA;AAC1E,CAAC;AAED,SAAS,cAAc,CAAC,MAAc;IACpC,MAAM,MAAM,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAA;IAC3D,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAA;IACzC,OAAO,UAAU,CAAC,IAAI,UAAU,CAAC,GAAG,CAAC,CAAC,CAAA;AACxC,CAAC"}

package/dist/src/core/did-interop.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Convert an Ed25519 public key (hex) to did:key format.
+ * Format: did:key:z6Mk... (multicodec 0xed01 + base58btc)
+ *
+ * The multibase value is the same encoding used in did:aps multibase
+ * identifiers — Ed25519 multicodec prefix (0xed, 0x01) + raw key bytes,
+ * base58btc encoded with z-prefix.
+ */
+export declare function toDIDKey(ed25519PublicKeyHex: string): string;
+/**
+ * Parse a did:key back to a raw Ed25519 public key (hex).
+ * Validates the did:key prefix and multicodec bytes.
+ */
+export declare function fromDIDKey(didKey: string): string;
+/**
+ * Construct the HTTPS URL for a did:web DID document.
+ *
+ * did:web:example.com         → https://example.com/.well-known/did.json
+ * did:web:example.com:users:1 → https://example.com/users/1/did.json
+ * did:web:example.com%3A8443  → https://example.com:8443/.well-known/did.json
+ */
+export declare function didWebToUrl(didWeb: string): string;
+/**
+ * Resolve a did:web DID by fetching the DID document over HTTPS.
+ * Returns the parsed DID Document object.
+ *
+ * Throws on network errors, non-200 responses, and invalid JSON.
+ */
+export declare function resolveDIDWeb(didWeb: string): Promise<object>;
+/**
+ * Convert an APS passport to a W3C DID Document.
+ * Produces a document with did:key as the subject identifier
+ * and a single Ed25519VerificationKey2020 verification method.
+ *
+ * Accepts a minimal passport shape: { agent_id, public_key }.
+ * Optionally accepts created_at for the document timestamps.
+ */
+export declare function passportToDIDDocument(passport: {
+    agent_id: string;
+    public_key: string;
+    created_at?: string;
+}): object;
+//# sourceMappingURL=did-interop.d.ts.map

package/dist/src/core/did-interop.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"did-interop.d.ts","sourceRoot":"","sources":["../../../src/core/did-interop.ts"],"names":[],"mappings":"AAQA;;;;;;;GAOG;AACH,wBAAgB,QAAQ,CAAC,mBAAmB,EAAE,MAAM,GAAG,MAAM,CAM5D;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAajD;AAID;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,CAmBlD;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAcnE;AASD;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CAAC,QAAQ,EAAE;IAC9C,QAAQ,EAAE,MAAM,CAAA;IAChB,UAAU,EAAE,MAAM,CAAA;IAClB,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB,GAAG,MAAM,CAuCT"}

package/dist/src/core/did-interop.js

@@ -0,0 +1,139 @@
+// Agent Passport System — DID Interop (did:key + did:web)
+// Translation layer between APS passports and W3C DID methods.
+// did:key for self-certifying identifiers, did:web for domain-linked.
+import { hexToMultibase, multibaseToHex } from './did.js';
+// ── did:key ──
+/**
+ * Convert an Ed25519 public key (hex) to did:key format.
+ * Format: did:key:z6Mk... (multicodec 0xed01 + base58btc)
+ *
+ * The multibase value is the same encoding used in did:aps multibase
+ * identifiers — Ed25519 multicodec prefix (0xed, 0x01) + raw key bytes,
+ * base58btc encoded with z-prefix.
+ */
+export function toDIDKey(ed25519PublicKeyHex) {
+    if (!ed25519PublicKeyHex || !/^[0-9a-f]{64}$/i.test(ed25519PublicKeyHex)) {
+        throw new Error('Invalid Ed25519 public key: expected 64-char hex string');
+    }
+    const multibase = hexToMultibase(ed25519PublicKeyHex);
+    return `did:key:${multibase}`;
+}
+/**
+ * Parse a did:key back to a raw Ed25519 public key (hex).
+ * Validates the did:key prefix and multicodec bytes.
+ */
+export function fromDIDKey(didKey) {
+    if (typeof didKey !== 'string') {
+        throw new Error('did:key must be a string');
+    }
+    const parts = didKey.split(':');
+    if (parts.length !== 3 || parts[0] !== 'did' || parts[1] !== 'key') {
+        throw new Error(`Invalid did:key format: ${didKey}`);
+    }
+    const multibase = parts[2];
+    if (!multibase.startsWith('z')) {
+        throw new Error('did:key identifier must use z-prefix (base58btc) multibase');
+    }
+    return multibaseToHex(multibase);
+}
+// ── did:web ──
+/**
+ * Construct the HTTPS URL for a did:web DID document.
+ *
+ * did:web:example.com         → https://example.com/.well-known/did.json
+ * did:web:example.com:users:1 → https://example.com/users/1/did.json
+ * did:web:example.com%3A8443  → https://example.com:8443/.well-known/did.json
+ */
+export function didWebToUrl(didWeb) {
+    if (typeof didWeb !== 'string') {
+        throw new Error('did:web must be a string');
+    }
+    const parts = didWeb.split(':');
+    if (parts.length < 3 || parts[0] !== 'did' || parts[1] !== 'web') {
+        throw new Error(`Invalid did:web format: ${didWeb}`);
+    }
+    // Everything after "did:web:" is the domain-and-path, colon-separated
+    const segments = parts.slice(2).map(s => decodeURIComponent(s));
+    const domain = segments[0];
+    if (!domain) {
+        throw new Error('did:web must include a domain');
+    }
+    if (segments.length === 1) {
+        return `https://${domain}/.well-known/did.json`;
+    }
+    const path = segments.slice(1).join('/');
+    return `https://${domain}/${path}/did.json`;
+}
+/**
+ * Resolve a did:web DID by fetching the DID document over HTTPS.
+ * Returns the parsed DID Document object.
+ *
+ * Throws on network errors, non-200 responses, and invalid JSON.
+ */
+export async function resolveDIDWeb(didWeb) {
+    const url = didWebToUrl(didWeb);
+    const response = await fetch(url, {
+        headers: { 'Accept': 'application/did+ld+json, application/json' },
+        signal: AbortSignal.timeout(10_000),
+    });
+    if (!response.ok) {
+        throw new Error(`did:web resolution failed: HTTP ${response.status} from ${url}`);
+    }
+    const doc = await response.json();
+    if (!doc || typeof doc !== 'object' || !('id' in doc)) {
+        throw new Error(`did:web resolution returned invalid DID Document from ${url}`);
+    }
+    return doc;
+}
+// ── Passport ↔ DID Document ──
+const DID_CONTEXT = [
+    'https://www.w3.org/ns/did/v1',
+    'https://w3id.org/security/suites/ed25519-2020/v1',
+];
+/**
+ * Convert an APS passport to a W3C DID Document.
+ * Produces a document with did:key as the subject identifier
+ * and a single Ed25519VerificationKey2020 verification method.
+ *
+ * Accepts a minimal passport shape: { agent_id, public_key }.
+ * Optionally accepts created_at for the document timestamps.
+ */
+export function passportToDIDDocument(passport) {
+    if (!passport.public_key || !/^[0-9a-f]{64}$/i.test(passport.public_key)) {
+        throw new Error('Invalid passport: public_key must be 64-char hex');
+    }
+    if (!passport.agent_id) {
+        throw new Error('Invalid passport: agent_id is required');
+    }
+    const did = toDIDKey(passport.public_key);
+    const keyId = `${did}#key-1`;
+    const publicKeyMultibase = hexToMultibase(passport.public_key);
+    const now = passport.created_at || new Date().toISOString();
+    return {
+        '@context': DID_CONTEXT,
+        id: did,
+        controller: did,
+        alsoKnownAs: [`did:aps:${publicKeyMultibase}`],
+        verificationMethod: [{
+                id: keyId,
+                type: 'Ed25519VerificationKey2020',
+                controller: did,
+                publicKeyMultibase,
+            }],
+        authentication: [keyId],
+        assertionMethod: [keyId],
+        capabilityDelegation: [keyId],
+        service: [{
+                id: `${did}#aps`,
+                type: 'AgentPassportService',
+                serviceEndpoint: {
+                    agentId: passport.agent_id,
+                    protocol: 'aps',
+                    version: '1.0.0',
+                },
+            }],
+        created: now,
+        updated: now,
+    };
+}
+//# sourceMappingURL=did-interop.js.map

package/dist/src/core/did-interop.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"did-interop.js","sourceRoot":"","sources":["../../../src/core/did-interop.ts"],"names":[],"mappings":"AAAA,0DAA0D;AAC1D,+DAA+D;AAC/D,sEAAsE;AAEtE,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,UAAU,CAAA;AAEzD,gBAAgB;AAEhB;;;;;;;GAOG;AACH,MAAM,UAAU,QAAQ,CAAC,mBAA2B;IAClD,IAAI,CAAC,mBAAmB,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,mBAAmB,CAAC,EAAE,CAAC;QACzE,MAAM,IAAI,KAAK,CAAC,yDAAyD,CAAC,CAAA;IAC5E,CAAC;IACD,MAAM,SAAS,GAAG,cAAc,CAAC,mBAAmB,CAAC,CAAA;IACrD,OAAO,WAAW,SAAS,EAAE,CAAA;AAC/B,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,UAAU,CAAC,MAAc;IACvC,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAA;IAC7C,CAAC;IACD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC/B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,KAAK,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,KAAK,EAAE,CAAC;QACnE,MAAM,IAAI,KAAK,CAAC,2BAA2B,MAAM,EAAE,CAAC,CAAA;IACtD,CAAC;IACD,MAAM,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;IAC1B,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAA;IAC/E,CAAC;IACD,OAAO,cAAc,CAAC,SAAS,CAAC,CAAA;AAClC,CAAC;AAED,gBAAgB;AAEhB;;;;;;GAMG;AACH,MAAM,UAAU,WAAW,CAAC,MAAc;IACxC,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAA;IAC7C,CAAC;IACD,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;IAC/B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,KAAK,IAAI,KAAK,CAAC,CAAC,CAAC,KAAK,KAAK,EAAE,CAAC;QACjE,MAAM,IAAI,KAAK,CAAC,2BAA2B,MAAM,EAAE,CAAC,CAAA;IACtD,CAAC;IACD,sEAAsE;IACtE,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,CAAA;IAC/D,MAAM,MAAM,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAA;IAC1B,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAA;IAClD,CAAC;IACD,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,WAAW,MAAM,uBAAuB,CAAA;IACjD,CAAC;IACD,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACxC,OAAO,WAAW,MAAM,IAAI,IAAI,WAAW,CAAA;AAC7C,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CAAC,MAAc;IAChD,MAAM,GAAG,GAAG,WAAW,CAAC,MAAM,CAAC,CAAA;IAC/B,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;QAChC,OAAO,EAAE,EAAE,QAAQ,EAAE,2CAA2C,EAAE;QAClE,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;KACpC,CAAC,CAAA;IACF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,KAAK,CAAC,mCAAmC,QAAQ,CAAC,MAAM,SAAS,GAAG,EAAE,CAAC,CAAA;IACnF,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAA;IACjC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,CAAC,CAAC,IAAI,IAAI,GAAG,CAAC,EAAE,CAAC;QACtD,MAAM,IAAI,KAAK,CAAC,yDAAyD,GAAG,EAAE,CAAC,CAAA;IACjF,CAAC;IACD,OAAO,GAAa,CAAA;AACtB,CAAC;AAED,gCAAgC;AAEhC,MAAM,WAAW,GAAG;IAClB,8BAA8B;IAC9B,kDAAkD;CACnD,CAAA;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,qBAAqB,CAAC,QAIrC;IACC,IAAI,CAAC,QAAQ,CAAC,UAAU,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACzE,MAAM,IAAI,KAAK,CAAC,kDAAkD,CAAC,CAAA;IACrE,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,QAAQ,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAA;IAC3D,CAAC;IAED,MAAM,GAAG,GAAG,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAA;IACzC,MAAM,KAAK,GAAG,GAAG,GAAG,QAAQ,CAAA;IAC5B,MAAM,kBAAkB,GAAG,cAAc,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAA;IAC9D,MAAM,GAAG,GAAG,QAAQ,CAAC,UAAU,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAA;IAE3D,OAAO;QACL,UAAU,EAAE,WAAW;QACvB,EAAE,EAAE,GAAG;QACP,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,CAAC,WAAW,kBAAkB,EAAE,CAAC;QAC9C,kBAAkB,EAAE,CAAC;gBACnB,EAAE,EAAE,KAAK;gBACT,IAAI,EAAE,4BAA4B;gBAClC,UAAU,EAAE,GAAG;gBACf,kBAAkB;aACnB,CAAC;QACF,cAAc,EAAE,CAAC,KAAK,CAAC;QACvB,eAAe,EAAE,CAAC,KAAK,CAAC;QACxB,oBAAoB,EAAE,CAAC,KAAK,CAAC;QAC7B,OAAO,EAAE,CAAC;gBACR,EAAE,EAAE,GAAG,GAAG,MAAM;gBAChB,IAAI,EAAE,sBAAsB;gBAC5B,eAAe,EAAE;oBACf,OAAO,EAAE,QAAQ,CAAC,QAAQ;oBAC1B,QAAQ,EAAE,KAAK;oBACf,OAAO,EAAE,OAAO;iBACjB;aACF,CAAC;QACF,OAAO,EAAE,GAAG;QACZ,OAAO,EAAE,GAAG;KACb,CAAA;AACH,CAAC"}