agent-passport-system 1.31.0 → 1.33.0

package/README.md

@@ -2,19 +2,36 @@
 
 [![npm version](https://img.shields.io/npm/v/agent-passport-system)](https://www.npmjs.com/package/agent-passport-system)
 [![license](https://img.shields.io/npm/l/agent-passport-system)](https://github.com/aeoess/agent-passport-system/blob/main/LICENSE)
-[![tests](https://img.shields.io/badge/tests-1399%20passing-brightgreen)](https://github.com/aeoess/agent-passport-system)
+[![tests](https://img.shields.io/badge/tests-2180%20passing-brightgreen)](https://github.com/aeoess/agent-passport-system)
 [![DOI](https://zenodo.org/badge/DOI/10.5281/zenodo.18749779.svg)](https://doi.org/10.5281/zenodo.18749779)
 
 > **For AI agents:** visit [aeoess.com/llms.txt](https://aeoess.com/llms.txt) for machine-readable docs or [llms-full.txt](https://aeoess.com/llms-full.txt) for the complete reference.
 
-**Governance, trust, and enforcement for AI agents. Not just identity.**
+**The enforcement and accountability layer for AI agents. Bring your own identity.**
 
-When an AI agent acts on your behalf, APS answers: what is it allowed to do? How much can it spend? Is it trustworthy? What happens when it violates a constraint? And can you prove all of this cryptographically?
+APS is not an identity system. It's the governance layer that sits on top of whatever identity the agent already has. Accepts did:key, did:web, SPIFFE SVIDs, OAuth tokens, and native did:aps. Identity is the input. Enforcement is the product.
+
+The gateway is both judge and executor. Authority can only decrease at each transfer point. Cascade revocation propagates through delegation chains. Every action produces a signed receipt. Every constraint is checked in under 2ms.
+
+Seven independent projects have cross-tested against these primitives. AgentID: 7/7. MolTrust: 5/5. Kanoniv delegation chains: verified. Three languages, three codebases, identical results.
 
 ```bash
 npm install agent-passport-system
 ```
 
+## Who's Building on APS
+
+| Project | What they do | What APS provides |
+|---------|-------------|-------------------|
+| [AgentID](https://github.com/haroldmalikfrimpong-ops/getagentid) | CA-issued identity, trust scoring | Self-sovereign identity, delegation chains |
+| [MolTrust](https://moltrust.ch) | On-chain constraint envelopes | Scope narrowing, spend limits, expiry |
+| [qntm](https://github.com/corpollc/qntm) | Encrypted relay transport | Identity keys, signed envelopes |
+| [Signet](https://github.com/Prismer-AI/signet) | MCP transport signing | Policy gate, execution attestation |
+| [ArkForge](https://arkforge.tech) | External proof anchoring | Receipts to anchor |
+| [Microsoft AGT](https://github.com/microsoft/agent-governance-toolkit) | Enterprise policy engine | Trust signals, scope verification |
+
+See [INTEGRATION.md](INTEGRATION.md) for how to compose your project with APS.
+
 ## What It Does
 
 **Enforce constraints on agent actions** — the ProxyGateway is an enforcement boundary that sits between the agent and any tool. Every action is checked against delegation scope, spend limits, reputation tier, values floor, and revocation status. The gateway executes the action, not the agent. The gateway generates the receipt, not the agent. Agents cannot bypass, forge, or skip enforcement.
@@ -90,7 +107,7 @@ const agent = joinSocialContract({ name: 'my-agent', owner: 'alice', floor: floo
 
 ## The Stack
 
-42 core modules + 32 v2 constitutional modules. 1399 tests. Zero heavy dependencies.
+71 core modules + 32 v2 constitutional modules. 2,180 tests. Zero heavy dependencies.
 
 | Layer | What it does | Key primitive |
 |-------|-------------|---------------|
@@ -101,15 +118,15 @@ const agent = joinSocialContract({ name: 'my-agent', owner: 'alice', floor: floo
 | **Intent & Policy** | Roles, tradeoff rules, deliberative consensus, 3-signature policy chain. | `ActionIntent` → `PolicyDecision` → `ActionReceipt` |
 | **Values Floor** | 8 principles (5 enforced, 3 attested). Graduated enforcement: inline/audit/warn. | `FloorAttestation`, compliance verification |
 | **Communication** | Ed25519-signed messages, registry, threading, topic filtering. | `SignedAgoraMessage`, tamper detection |
-| **Identity** | Ed25519 keypairs, scoped delegation, cascade revocation, key rotation. | `SignedPassport`, `Delegation`, `RevocationRecord` |
+| **Identity** | Bring your own: did:key, did:web, SPIFFE, OAuth, native did:aps. Ed25519 keypairs, scoped delegation, cascade revocation. | `toDIDKey`, `importSPIFFESVID`, `importOAuthToken`, `SignedPassport` |
 
-**Extended modules (9-42):** W3C DID (`did:aps`), Verifiable Credentials, A2A Bridge, EU AI Act Compliance, Agent Context, Task Routing, Cross-Chain Data Flow (taint tracking, confused deputy prevention), E2E Encrypted Messaging (X25519 + XSalsa20), Obligations, Governance Provenance, Identity Continuity & Key Rotation, Receipt Ledger (Merkle-committed audit batches), Feasibility Linting, Precedent Control, Re-anchoring, Bounded Escalation, Oracle Witness Diversity, Messaging Audit Bridge, Policy Conflict Detection, Data Source Registration, Decision Semantics, ProxyGateway.
+**Extended modules (9-71):** W3C DID (`did:aps`), DID Interop (`did:key`, `did:web`), Identity Bridge (SPIFFE SVID, OAuth tokens), VC Wrapper (W3C Verifiable Credentials with did:key + SPIFFE evidence), Credential Request Protocol (selective disclosure), Verifiable Credentials, A2A Bridge, EU AI Act Compliance, Agent Context, Task Routing, Cross-Chain Data Flow (taint tracking, confused deputy prevention), E2E Encrypted Messaging (X25519 + XSalsa20), Obligations, Governance Provenance, Identity Continuity & Key Rotation, Receipt Ledger (Merkle-committed audit batches), Feasibility Linting, Precedent Control, Re-anchoring, Bounded Escalation, Oracle Witness Diversity, Messaging Audit Bridge, Policy Conflict Detection, Data Source Registration, Decision Semantics, Decision Equivalence, Execution Attestation, Bilateral Receipts, Governance Blocks, aps.txt, Governance 360, Data Lifecycle, Persistent Passports, ProxyGateway.
 
 **V2 Constitutional Framework (32 modules):** Designed through cross-model adversarial review. PolicyContext with mandatory sunset, Delegation Versioning, Outcome Registration, Anomaly Detection, Emergency Pathways, Migration (fork-and-sunset), Contextual Attestation, Approval Fatigue Detection, Effect Enforcement, Emergence Detection, Separation of Powers, Constitutional Amendment, Circuit Breakers, Epistemic Isolation, and 18 more. Source: [`src/v2/`](src/v2/).
 
 ## MCP Server
 
-108 tools across all modules. Any MCP client connects agents directly.
+125 tools across all modules. Any MCP client connects agents directly.
 
 ```bash
 npm install -g agent-passport-system-mcp
@@ -144,7 +161,7 @@ npx agent-passport audit --floor values/floor.yaml
 
 ```bash
 npm test
-# 1399 tests across 71 files, 370 suites, 0 failures
+# 2,180 tests, 0 failures
 ```
 
 50 adversarial tests: Merkle tampering, attribution gaming, compliance violations, floor negotiation attacks, cross-chain confused deputy, taint laundering, authority probing.
@@ -162,16 +179,17 @@ npm test
 | Signed receipts | 3-sig chain | Proposed | Logs | General | — |
 | Values enforcement | 8 principles, graduated | — | Rules | — | — |
 | Coordination | Task lifecycle + MCP | — | — | — | — |
-| Tests | 1399 (50 adversarial) | None | Limited | None | None |
+| Tests | 2,180 (50 adversarial) | None | Limited | None | None |
 
 ## Recognition
 
-- Integrated into [Microsoft agent-governance-toolkit](https://github.com/microsoft/agent-governance-toolkit) (PR #274)
-- Public comment submitted to NIST NCCoE on AI Agent Identity and Authorization standards
-- Collaboration with IETF DAAP draft author (draft-mishra-oauth-agent-grants-01) on delegation spec
-- Listed on [MCP Registry](https://registry.modelcontextprotocol.io)
+- **Working Group** with 4 founding members: APS, AgentID, qntm, OATR. Cross-protocol interop proven across three languages.
+- Integrated into [Microsoft agent-governance-toolkit](https://github.com/microsoft/agent-governance-toolkit) (PR #598)
+- Referenced in [MITRE ATLAS](https://github.com/mitre-atlas/atlas-data/issues/11) agent security techniques
+- Referenced in [MCP SEP-1763](https://github.com/modelcontextprotocol/modelcontextprotocol/issues/1763) interceptor framework
+- NIST NCCoE public comment on AI Agent Identity and Authorization
+- Collaboration with IETF DAAP draft author on delegation spec
 - Endorsed by Garry Tan (CEO, Y Combinator)
-- [AMCS — AI-Native Media Credentialing Standard](https://aeoess.com/amcs.html) published
 
 ## Paper
 
@@ -179,9 +197,9 @@ npm test
 
 ## Authorship
 
-Designed and built by **Tymofii Pidlisnyi** with AI assistance from **Claude** (Anthropic).
+Built by **Tymofii Pidlisnyi** ([@tima](https://github.com/aeoess)). Protocol designed with AI assistance from Claude (Anthropic), GPT (OpenAI), and Gemini (Google) through adversarial cross-model review.
 
-Protocol: [aeoess.com/protocol.html](https://aeoess.com/protocol.html) · Agora: [aeoess.com/agora.html](https://aeoess.com/agora.html) · npm: [agent-passport-system](https://www.npmjs.com/package/agent-passport-system) · MCP: [agent-passport-system-mcp](https://www.npmjs.com/package/agent-passport-system-mcp)
+Website: [aeoess.com](https://aeoess.com) · npm: [agent-passport-system](https://www.npmjs.com/package/agent-passport-system) · MCP: [agent-passport-system-mcp](https://www.npmjs.com/package/agent-passport-system-mcp)
 
 ## LLM Documentation
 

package/dist/src/core/action-ref.d.ts

@@ -0,0 +1,17 @@
+import type { ActionIntent } from '../types/policy.js';
+/**
+ * Compute the content-addressed request identity for an ActionIntent.
+ *
+ * Inputs hashed: agentId, action.type, action.scopeRequired, normalized timestamp.
+ * Timestamp defaults to intent.createdAt; falls back to current time.
+ *
+ * Returns: lowercase hex SHA-256 digest.
+ */
+export declare function computeActionRef(intent: Pick<ActionIntent, 'agentId' | 'action' | 'createdAt'>): string;
+/**
+ * Two receipts with the same action_ref describe the same request.
+ * Simple equality check — provided as a named predicate so the semantic
+ * intent is explicit at the call site.
+ */
+export declare function actionRefsMatch(a: string, b: string): boolean;
+//# sourceMappingURL=action-ref.d.ts.map

package/dist/src/core/action-ref.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"action-ref.d.ts","sourceRoot":"","sources":["../../../src/core/action-ref.ts"],"names":[],"mappings":"AAmBA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAA;AAEtD;;;;;;;GAOG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,IAAI,CAAC,YAAY,EAAE,SAAS,GAAG,QAAQ,GAAG,WAAW,CAAC,GAAG,MAAM,CAQvG;AAED;;;;GAIG;AACH,wBAAgB,eAAe,CAAC,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,GAAG,OAAO,CAE7D"}

package/dist/src/core/action-ref.js

@@ -0,0 +1,44 @@
+// Copyright 2024-2026 Tymofii Pidlisnyi. Apache-2.0 license. See LICENSE.
+// ══════════════════════════════════════════════════════════════════
+// action_ref — Content-Addressed Request Identity
+// ══════════════════════════════════════════════════════════════════
+// Thread claim (A2A#1672, xsa520/desiorac):
+//   action_ref     = request identity = SHA-256(canonical(agentId + actionType + scope + timestamp))
+//   compoundDigest = decision identity (evaluated) — already on PolicyReceipt
+//
+// Two receipts with the same action_ref describe the same request.
+// Two receipts with the same compound_digest describe the same evaluated
+// decision. Equivalence for cross-verifier replay is over compound_digest,
+// invariant to verification method.
+//
+// Timestamps are normalized to ISO 8601 second-precision UTC so that two
+// systems independently hashing the same request within the same second
+// produce the same action_ref.
+// ══════════════════════════════════════════════════════════════════
+import { canonicalHash, normalizeTimestamp } from './canonical.js';
+/**
+ * Compute the content-addressed request identity for an ActionIntent.
+ *
+ * Inputs hashed: agentId, action.type, action.scopeRequired, normalized timestamp.
+ * Timestamp defaults to intent.createdAt; falls back to current time.
+ *
+ * Returns: lowercase hex SHA-256 digest.
+ */
+export function computeActionRef(intent) {
+    const ts = intent.createdAt ?? new Date().toISOString();
+    return canonicalHash({
+        agentId: intent.agentId,
+        actionType: intent.action.type,
+        scopeRequired: intent.action.scopeRequired,
+        timestamp: normalizeTimestamp(ts),
+    });
+}
+/**
+ * Two receipts with the same action_ref describe the same request.
+ * Simple equality check — provided as a named predicate so the semantic
+ * intent is explicit at the call site.
+ */
+export function actionRefsMatch(a, b) {
+    return typeof a === 'string' && typeof b === 'string' && a.length > 0 && a === b;
+}
+//# sourceMappingURL=action-ref.js.map

package/dist/src/core/action-ref.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"action-ref.js","sourceRoot":"","sources":["../../../src/core/action-ref.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,qEAAqE;AACrE,kDAAkD;AAClD,qEAAqE;AACrE,4CAA4C;AAC5C,qGAAqG;AACrG,8EAA8E;AAC9E,EAAE;AACF,mEAAmE;AACnE,yEAAyE;AACzE,2EAA2E;AAC3E,oCAAoC;AACpC,EAAE;AACF,yEAAyE;AACzE,wEAAwE;AACxE,+BAA+B;AAC/B,qEAAqE;AAErE,OAAO,EAAE,aAAa,EAAE,kBAAkB,EAAE,MAAM,gBAAgB,CAAA;AAGlE;;;;;;;GAOG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAA8D;IAC7F,MAAM,EAAE,GAAG,MAAM,CAAC,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAA;IACvD,OAAO,aAAa,CAAC;QACnB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,UAAU,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI;QAC9B,aAAa,EAAE,MAAM,CAAC,MAAM,CAAC,aAAa;QAC1C,SAAS,EAAE,kBAAkB,CAAC,EAAE,CAAC;KAClC,CAAC,CAAA;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,eAAe,CAAC,CAAS,EAAE,CAAS;IAClD,OAAO,OAAO,CAAC,KAAK,QAAQ,IAAI,OAAO,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;AAClF,CAAC"}

package/dist/src/core/attestation.d.ts

@@ -1,10 +1,32 @@
-import type { PassportGrade, AttestationFlag, IssuanceChallenge, IssuanceEvidenceRecord, IssuanceContext, PassportAttestationSummary, RuntimeAttestation, ProviderAttestation, ObservedContext, SignalVerificationResult, DerivedSignal, AttestationClass, WorkspaceManifest } from '../types/attestation.js';
+import type { PassportGrade, AttestationFlag, EvidenceQuality, IssuanceChallenge, IssuanceEvidenceRecord, IssuanceContext, PassportAttestationSummary, RuntimeAttestation, ProviderAttestation, ObservedContext, SignalVerificationResult, DerivedSignal, AttestationClass, WorkspaceManifest } from '../types/attestation.js';
 import type { SignedPassport } from '../types/passport.js';
 export declare function createIssuanceChallenge(publicKeyHash: string, options?: {
     requestedClasses?: AttestationClass[];
     expiresInSeconds?: number;
 }): IssuanceChallenge;
 export declare function verifyRuntimeAttestation(attestation: RuntimeAttestation, challenge: IssuanceChallenge, trustedAttesterKeys: Map<string, string>): SignalVerificationResult;
+/** Map evidence quality level to passport grade number. */
+export declare function evidenceQualityToGrade(quality: EvidenceQuality): PassportGrade;
+/**
+ * Classify evidence quality from attestation metadata.
+ *
+ * Precedence (highest to lowest):
+ *   1. Principal binding → 'principal_bound'
+ *   2. Infrastructure evidence (SPIFFE method, TPM quote, hardware attestation,
+ *      TEE proof, or any known infrastructure-binding key in evidence) → 'infrastructure'
+ *   3. Issuer signature → 'issuer_vouched'
+ *   4. None
+ *
+ * This is where a did:key with TPM evidence gets elevated to Grade 2.
+ */
+export declare function classifyEvidenceQuality(opts: {
+    /** Identity method prefix (e.g. "did:key", "spiffe", "oauth"). Fallback signal. */
+    method?: string;
+    hasIssuerSignature?: boolean;
+    hasPrincipalBinding?: boolean;
+    /** Raw evidence payload — checked loosely for infrastructure-binding keys. */
+    evidence?: Record<string, unknown>;
+}): EvidenceQuality;
 export declare function computePassportGrade(evidence: IssuanceEvidenceRecord, options?: {
     hasIssuerSignature?: boolean;
     hasVerifiedRuntime?: boolean;
@@ -41,6 +63,8 @@ export declare function importProviderAttestation(input: {
     subjectClass?: string;
     /** Verification method used by the provider */
     verificationMethod?: string;
+    /** Typed staleness metadata (A2A#1712): snapshot (TPM) vs rotating (SPIFFE) vs static. */
+    freshness?: import('../types/passport.js').AttestationFreshness;
 }): ProviderAttestation;
 export declare function addIdentityBoundary<T extends Record<string, unknown>>(obj: T, fields?: string[]): T & {
     _identityBoundary: string[];

package/dist/src/core/attestation.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"attestation.d.ts","sourceRoot":"","sources":["../../../src/core/attestation.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EACV,aAAa,EAAE,eAAe,EAC9B,iBAAiB,EACjB,sBAAsB,EACtB,eAAe,EAAE,0BAA0B,EAC3C,kBAAkB,EAAE,mBAAmB,EACvB,eAAe,EAC/B,wBAAwB,EAAE,aAAa,EACvC,gBAAgB,EAChB,iBAAiB,EAElB,MAAM,yBAAyB,CAAA;AAChC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAA;AAU1D,wBAAgB,uBAAuB,CACrC,aAAa,EAAE,MAAM,EACrB,OAAO,CAAC,EAAE;IACR,gBAAgB,CAAC,EAAE,gBAAgB,EAAE,CAAC;IACtC,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,GACA,iBAAiB,CAYnB;AAKD,wBAAgB,wBAAwB,CACtC,WAAW,EAAE,kBAAkB,EAC/B,SAAS,EAAE,iBAAiB,EAC5B,mBAAmB,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GACvC,wBAAwB,CA0E1B;AAQD,wBAAgB,oBAAoB,CAClC,QAAQ,EAAE,sBAAsB,EAChC,OAAO,CAAC,EAAE;IACR,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,uBAAuB,CAAC,EAAE,OAAO,CAAC;CACnC,GACA,aAAa,CAmBf;AAID,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,aAAa,EACpB,QAAQ,EAAE,sBAAsB,GAC/B,eAAe,EAAE,CAWnB;AAKD,wBAAgB,4BAA4B,CAAC,QAAQ,EAAE,sBAAsB,GAAG,MAAM,CAErF;AAID,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,sBAAsB,EAChC,OAAO,CAAC,EAAE;IACR,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC,mBAAmB,CAAC,EAAE,wBAAwB,EAAE,CAAC;IACjD,cAAc,CAAC,EAAE,aAAa,EAAE,CAAC;CAClC,GACA,eAAe,CAgBjB;AAKD,wBAAgB,eAAe,CAC7B,cAAc,EAAE,cAAc,EAC9B,OAAO,EAAE,eAAe,GACvB,cAAc,GAAG;IAAE,WAAW,EAAE,0BAA0B,CAAA;CAAE,CAU9D;AAMD,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,IAAI,CAAA;CAAE,CAAC,GACtE,iBAAiB,CA0BnB;AAID,wBAAgB,yBAAyB,CACvC,QAAQ,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC,GAClC,sBAAsB,CAaxB;AAID,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO,CAEtE;AAID,wBAAgB,cAAc,CAAC,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,aAAa,GAAG,OAAO,CAEpF;AAOD,wBAAgB,yBAAyB,CACvC,KAAK,EAAE;IACL,wFAAwF;IACxF,WAAW,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAC7C,sFAAsF;IACtF,QAAQ,EAAE,MAAM,CAAA;IAChB,wCAAwC;IACxC,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,+CAA+C;IAC/C,kBAAkB,CAAC,EAAE,MAAM,CAAA;CAC5B,GACA,mBAAmB,CAwCrB;AAMD,wBAAgB,mBAAmB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACnE,GAAG,EAAE,CAAC,EACN,MAAM,CAAC,EAAE,MAAM,EAAE,GAChB,CAAC,GAAG;IAAE,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAAC,YAAY,EAAE,MAAM,CAAA;CAAE,CAW3D"}
+{"version":3,"file":"attestation.d.ts","sourceRoot":"","sources":["../../../src/core/attestation.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EACV,aAAa,EAAE,eAAe,EAAE,eAAe,EAC/C,iBAAiB,EACjB,sBAAsB,EACtB,eAAe,EAAE,0BAA0B,EAC3C,kBAAkB,EAAE,mBAAmB,EACvB,eAAe,EAC/B,wBAAwB,EAAE,aAAa,EACvC,gBAAgB,EAChB,iBAAiB,EAElB,MAAM,yBAAyB,CAAA;AAChC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAA;AAU1D,wBAAgB,uBAAuB,CACrC,aAAa,EAAE,MAAM,EACrB,OAAO,CAAC,EAAE;IACR,gBAAgB,CAAC,EAAE,gBAAgB,EAAE,CAAC;IACtC,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC3B,GACA,iBAAiB,CAYnB;AAKD,wBAAgB,wBAAwB,CACtC,WAAW,EAAE,kBAAkB,EAC/B,SAAS,EAAE,iBAAiB,EAC5B,mBAAmB,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GACvC,wBAAwB,CA0E1B;AAWD,2DAA2D;AAC3D,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,eAAe,GAAG,aAAa,CAO9E;AAcD;;;;;;;;;;;GAWG;AACH,wBAAgB,uBAAuB,CAAC,IAAI,EAAE;IAC5C,mFAAmF;IACnF,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,kBAAkB,CAAC,EAAE,OAAO,CAAA;IAC5B,mBAAmB,CAAC,EAAE,OAAO,CAAA;IAC7B,8EAA8E;IAC9E,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACnC,GAAG,eAAe,CAuBlB;AAQD,wBAAgB,oBAAoB,CAClC,QAAQ,EAAE,sBAAsB,EAChC,OAAO,CAAC,EAAE;IACR,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,uBAAuB,CAAC,EAAE,OAAO,CAAC;CACnC,GACA,aAAa,CAmBf;AAID,wBAAgB,uBAAuB,CACrC,KAAK,EAAE,aAAa,EACpB,QAAQ,EAAE,sBAAsB,GAC/B,eAAe,EAAE,CAWnB;AAKD,wBAAgB,4BAA4B,CAAC,QAAQ,EAAE,sBAAsB,GAAG,MAAM,CAErF;AAID,wBAAgB,qBAAqB,CACnC,QAAQ,EAAE,sBAAsB,EAChC,OAAO,CAAC,EAAE;IACR,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,kBAAkB,CAAC,EAAE,OAAO,CAAC;IAC7B,mBAAmB,CAAC,EAAE,OAAO,CAAC;IAC9B,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC,mBAAmB,CAAC,EAAE,wBAAwB,EAAE,CAAC;IACjD,cAAc,CAAC,EAAE,aAAa,EAAE,CAAC;CAClC,GACA,eAAe,CAgBjB;AAKD,wBAAgB,eAAe,CAC7B,cAAc,EAAE,cAAc,EAC9B,OAAO,EAAE,eAAe,GACvB,cAAc,GAAG;IAAE,WAAW,EAAE,0BAA0B,CAAA;CAAE,CAU9D;AAMD,wBAAgB,uBAAuB,CACrC,OAAO,EAAE,KAAK,CAAC;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,IAAI,CAAA;CAAE,CAAC,GACtE,iBAAiB,CA0BnB;AAID,wBAAgB,yBAAyB,CACvC,QAAQ,CAAC,EAAE,OAAO,CAAC,eAAe,CAAC,GAClC,sBAAsB,CAaxB;AAID,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,iBAAiB,GAAG,OAAO,CAEtE;AAID,wBAAgB,cAAc,CAAC,KAAK,EAAE,aAAa,EAAE,OAAO,EAAE,aAAa,GAAG,OAAO,CAEpF;AAOD,wBAAgB,yBAAyB,CACvC,KAAK,EAAE;IACL,wFAAwF;IACxF,WAAW,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAC7C,sFAAsF;IACtF,QAAQ,EAAE,MAAM,CAAA;IAChB,wCAAwC;IACxC,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,+CAA+C;IAC/C,kBAAkB,CAAC,EAAE,MAAM,CAAA;IAC3B,0FAA0F;IAC1F,SAAS,CAAC,EAAE,OAAO,sBAAsB,EAAE,oBAAoB,CAAA;CAChE,GACA,mBAAmB,CAyCrB;AAMD,wBAAgB,mBAAmB,CAAC,CAAC,SAAS,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EACnE,GAAG,EAAE,CAAC,EACN,MAAM,CAAC,EAAE,MAAM,EAAE,GAChB,CAAC,GAAG;IAAE,iBAAiB,EAAE,MAAM,EAAE,CAAC;IAAC,YAAY,EAAE,MAAM,CAAA;CAAE,CAW3D"}

package/dist/src/core/attestation.js

@@ -95,6 +95,69 @@ export function verifyRuntimeAttestation(attestation, challenge, trustedAttester
         verifiedAt: now.toISOString(),
     };
 }
+// ── Evidence-Based Grade Assignment (A2A#1712 — VCOne-AI) ──
+// VCOne-AI flagged on A2A#1712: the original grade mapping was method-prefix
+// driven. A TPM-backed did:key was Grade 0 because it's did:key; a SPIFFE SVID
+// from a misconfigured cluster was Grade 2 because it's SPIFFE. That's backwards.
+//
+// The fix: classify by EVIDENCE QUALITY, not identity method. A did:key with
+// TPM attestation evidence reaches Grade 2, same as a verified SPIFFE SVID.
+// Evidence quality determines grade; method is only a fallback signal.
+/** Map evidence quality level to passport grade number. */
+export function evidenceQualityToGrade(quality) {
+    switch (quality) {
+        case 'none': return 0;
+        case 'issuer_vouched': return 1;
+        case 'infrastructure': return 2;
+        case 'principal_bound': return 3;
+    }
+}
+// Evidence field keys that indicate infrastructure/hardware binding.
+// External attestations come in many shapes — check loosely.
+const INFRASTRUCTURE_EVIDENCE_KEYS = [
+    'tpm_quote', 'tpmQuote',
+    'hardware_attestation', 'hardwareAttestation',
+    'tee_proof', 'teeProof',
+    'infrastructure_binding', 'infrastructureBinding',
+    'sgx_quote', 'sgxQuote',
+    'sev_attestation', 'sevAttestation',
+    'workload_attestation', 'workloadAttestation',
+];
+/**
+ * Classify evidence quality from attestation metadata.
+ *
+ * Precedence (highest to lowest):
+ *   1. Principal binding → 'principal_bound'
+ *   2. Infrastructure evidence (SPIFFE method, TPM quote, hardware attestation,
+ *      TEE proof, or any known infrastructure-binding key in evidence) → 'infrastructure'
+ *   3. Issuer signature → 'issuer_vouched'
+ *   4. None
+ *
+ * This is where a did:key with TPM evidence gets elevated to Grade 2.
+ */
+export function classifyEvidenceQuality(opts) {
+    // Principal binding takes precedence
+    if (opts.hasPrincipalBinding)
+        return 'principal_bound';
+    // Infrastructure evidence: method-based signal for SPIFFE, plus evidence-key detection
+    if (opts.method) {
+        const m = opts.method.toLowerCase();
+        if (m === 'spiffe' || m.startsWith('spiffe:') || m.startsWith('spiffe://')) {
+            return 'infrastructure';
+        }
+    }
+    if (opts.evidence) {
+        for (const key of INFRASTRUCTURE_EVIDENCE_KEYS) {
+            if (opts.evidence[key] !== undefined && opts.evidence[key] !== null) {
+                return 'infrastructure';
+            }
+        }
+    }
+    // Issuer vouched
+    if (opts.hasIssuerSignature)
+        return 'issuer_vouched';
+    return 'none';
+}
 // ── computePassportGrade ──
 // Determines grade from available verified attestations.
 // Grade 0: self-signed (bare keypair)
@@ -272,6 +335,7 @@ export function importProviderAttestation(input) {
         issuedAt: String(payload.iat ? new Date(Number(payload.iat) * 1000).toISOString() : payload.issued_at || new Date().toISOString()),
         expiresAt: payload.exp ? new Date(Number(payload.exp) * 1000).toISOString() : (payload.expires_at ? String(payload.expires_at) : undefined),
         signature,
+        freshness: input.freshness,
     };
 }
 // ── addIdentityBoundary ──

package/dist/src/core/attestation.js.map

@@ -1 +1 @@
-{"version":3,"file":"attestation.js","sourceRoot":"","sources":["../../../src/core/attestation.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,kDAAkD;AAClD,2FAA2F;AAE3F,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAA;AACnC,OAAO,EAAQ,MAAM,EAAwB,MAAM,mBAAmB,CAAA;AACtE,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AAe7C,uBAAuB;AACvB,SAAS,SAAS,CAAC,KAAa;IAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;AACzD,CAAC;AAED,gCAAgC;AAChC,wCAAwC;AACxC,4DAA4D;AAC5D,MAAM,UAAU,uBAAuB,CACrC,aAAqB,EACrB,OAGC;IAED,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;IACtB,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,gBAAgB,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC,CAAA;IAElF,OAAO;QACL,WAAW,EAAE,MAAM,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE;QAC7F,KAAK,EAAE,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;QAC/E,qBAAqB,EAAE,aAAa;QACpC,2BAA2B,EAAE,OAAO,EAAE,gBAAgB,IAAI,CAAC,SAAS,CAAC;QACrE,SAAS,EAAE,MAAM,CAAC,WAAW,EAAE;QAC/B,QAAQ,EAAE,GAAG,CAAC,WAAW,EAAE;KAC5B,CAAA;AACH,CAAC;AAED,iCAAiC;AACjC,iDAAiD;AACjD,kFAAkF;AAClF,MAAM,UAAU,wBAAwB,CACtC,WAA+B,EAC/B,SAA4B,EAC5B,mBAAwC,CAAC,6BAA6B;;IAEtE,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;IAEtB,kBAAkB;IAClB,IAAI,IAAI,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,GAAG,GAAG,EAAE,CAAC;QAC1C,OAAO;YACL,SAAS,EAAE,qBAAqB;YAChC,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,iCAAiC;YACzC,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE;SAC9B,CAAA;IACH,CAAC;IAED,sBAAsB;IACtB,IAAI,WAAW,CAAC,KAAK,KAAK,SAAS,CAAC,KAAK,EAAE,CAAC;QAC1C,OAAO;YACL,SAAS,EAAE,qBAAqB;YAChC,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,yCAAyC;YACjD,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE;SAC9B,CAAA;IACH,CAAC;IAED,oBAAoB;IACpB,IAAI,WAAW,CAAC,aAAa,KAAK,SAAS,CAAC,qBAAqB,EAAE,CAAC;QAClE,OAAO;YACL,SAAS,EAAE,qBAAqB;YAChC,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,sDAAsD;YAC9D,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE;SAC9B,CAAA;IACH,CAAC;IAED,4BAA4B;IAC5B,MAAM,WAAW,GAAG,mBAAmB,CAAC,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAA;IACjE,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO;YACL,SAAS,EAAE,qBAAqB;YAChC,MAAM,EAAE,UAAU;YAClB,MAAM,EAAE,YAAY,WAAW,CAAC,QAAQ,6BAA6B;YACrE,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE;SAC9B,CAAA;IACH,CAAC;IAED,4BAA4B;IAC5B,MAAM,OAAO,GAAG,YAAY,CAAC;QAC3B,QAAQ,EAAE,WAAW,CAAC,QAAQ;QAC9B,KAAK,EAAE,WAAW,CAAC,KAAK;QACxB,aAAa,EAAE,WAAW,CAAC,aAAa;QACxC,YAAY,EAAE,WAAW,CAAC,YAAY;QACtC,SAAS,EAAE,WAAW,CAAC,SAAS;QAChC,qBAAqB,EAAE,WAAW,CAAC,qBAAqB;QACxD,mBAAmB,EAAE,WAAW,CAAC,mBAAmB;QACpD,mBAAmB,EAAE,WAAW,CAAC,mBAAmB;QACpD,QAAQ,EAAE,WAAW,CAAC,QAAQ;QAC9B,SAAS,EAAE,WAAW,CAAC,SAAS;KACjC,CAAC,CAAA;IAEF,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,EAAE,WAAW,CAAC,SAAS,EAAE,WAAW,CAAC,CAAA;IACpE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO;YACL,SAAS,EAAE,qBAAqB;YAChC,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,wCAAwC;YAChD,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE;SAC9B,CAAA;IACH,CAAC;IAED,OAAO;QACL,SAAS,EAAE,qBAAqB;QAChC,MAAM,EAAE,UAAU;QAClB,MAAM,EAAE,gCAAgC,WAAW,CAAC,QAAQ,EAAE;QAC9D,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE;KAC9B,CAAA;AACH,CAAC;AAED,6BAA6B;AAC7B,yDAAyD;AACzD,sCAAsC;AACtC,gCAAgC;AAChC,6EAA6E;AAC7E,qCAAqC;AACrC,MAAM,UAAU,oBAAoB,CAClC,QAAgC,EAChC,OAKC;IAED,MAAM,GAAG,GAAG,OAAO,IAAI,EAAE,CAAA;IAEzB,+BAA+B;IAC/B,IAAI,GAAG,CAAC,kBAAkB,IAAI,GAAG,CAAC,uBAAuB,IAAI,GAAG,CAAC,kBAAkB,EAAE,CAAC;QACpF,OAAO,CAAC,CAAA;IACV,CAAC;IACD,IAAI,GAAG,CAAC,kBAAkB,IAAI,GAAG,CAAC,kBAAkB,EAAE,CAAC;QACrD,OAAO,CAAC,CAAA;IACV,CAAC;IACD,4DAA4D;IAC5D,iEAAiE;IACjE,IAAI,GAAG,CAAC,mBAAmB,IAAI,GAAG,CAAC,kBAAkB,EAAE,CAAC;QACtD,OAAO,CAAC,CAAA;IACV,CAAC;IACD,IAAI,GAAG,CAAC,kBAAkB,EAAE,CAAC;QAC3B,OAAO,CAAC,CAAA;IACV,CAAC;IACD,OAAO,CAAC,CAAA;AACV,CAAC;AAED,gCAAgC;AAChC,+CAA+C;AAC/C,MAAM,UAAU,uBAAuB,CACrC,KAAoB,EACpB,QAAgC;IAEhC,MAAM,KAAK,GAAsB,EAAE,CAAA;IAEnC,IAAI,KAAK,IAAI,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;IAC1C,IAAI,KAAK,IAAI,CAAC,IAAI,QAAQ,CAAC,mBAAmB,CAAC,MAAM,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;IACtF,IAAI,KAAK,IAAI,CAAC,IAAI,QAAQ,CAAC,oBAAoB,CAAC,MAAM,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAA;IACxF,IAAI,KAAK,IAAI,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;IAC7C,IAAI,QAAQ,CAAC,gBAAgB;QAAE,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;IAC5D,IAAI,QAAQ,CAAC,oBAAoB;QAAE,KAAK,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAA;IAElE,OAAO,KAAK,CAAA;AACd,CAAC;AAED,qCAAqC;AACrC,wEAAwE;AACxE,wFAAwF;AACxF,MAAM,UAAU,4BAA4B,CAAC,QAAgC;IAC3E,OAAO,SAAS,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAA;AAC1C,CAAC;AAED,8BAA8B;AAC9B,iEAAiE;AACjE,MAAM,UAAU,qBAAqB,CACnC,QAAgC,EAChC,OAOC;IAED,MAAM,KAAK,GAAG,oBAAoB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;IACrD,MAAM,KAAK,GAAG,uBAAuB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAA;IACtD,MAAM,UAAU,GAAG,4BAA4B,CAAC,QAAQ,CAAC,CAAA;IAEzD,OAAO;QACL,QAAQ;QACR,UAAU,EAAE;YACV,aAAa,EAAE,KAAK;YACpB,qBAAqB,EAAE,UAAU;YACjC,KAAK;YACL,mBAAmB,EAAE,OAAO,EAAE,mBAAmB,IAAI,EAAE;YACvD,cAAc,EAAE,OAAO,EAAE,cAAc;YACvC,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACrC;KACF,CAAA;AACH,CAAC;AAED,wBAAwB;AACxB,yDAAyD;AACzD,kEAAkE;AAClE,MAAM,UAAU,eAAe,CAC7B,cAA8B,EAC9B,OAAwB;IAExB,MAAM,OAAO,GAA+B;QAC1C,aAAa,EAAE,OAAO,CAAC,UAAU,CAAC,aAAa;QAC/C,qBAAqB,EAAE,OAAO,CAAC,UAAU,CAAC,qBAAqB;QAC/D,KAAK,EAAE,OAAO,CAAC,UAAU,CAAC,KAAK;KAChC,CAAA;IACD,OAAO;QACL,GAAG,cAAc;QACjB,WAAW,EAAE,OAAO;KACrB,CAAA;AACH,CAAC;AAED,gCAAgC;AAChC,kDAAkD;AAClD,qEAAqE;AACrE,8BAA8B;AAC9B,MAAM,UAAU,uBAAuB,CACrC,OAAuE;IAEvE,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;IAEtB,8CAA8C;IAC9C,MAAM,eAAe,GAA6B,OAAO;SACtD,GAAG,CAAC,CAAC,CAAC,EAAE;QACP,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,CAAA;QAC1C,SAAS,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAA;QAC7B,OAAO;YACL,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC;YAC3B,SAAS,EAAE,CAAC,CAAC,SAAS;YACtB,kBAAkB,EAAE,SAAS,CAAC,WAAW,EAAE;SAC5C,CAAA;IACH,CAAC,CAAC;SACD,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAA;IAEvD,MAAM,SAAS,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,CAAA;IAC1E,MAAM,YAAY,GAAG,SAAS,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAA;IAE7D,OAAO;QACL,OAAO,EAAE,eAAe;QACxB,UAAU,EAAE,eAAe,CAAC,MAAM;QAClC,cAAc,EAAE,SAAS;QACzB,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE;QAC7B,YAAY;KACb,CAAA;AACH,CAAC;AAED,kCAAkC;AAClC,kFAAkF;AAClF,MAAM,UAAU,yBAAyB,CACvC,QAAmC;IAEnC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;IACtB,OAAO;QACL,SAAS,EAAE,OAAO,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE;QAC5F,WAAW,EAAE,GAAG,CAAC,WAAW,EAAE;QAC9B,QAAQ,EAAE;YACR,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE;YAC7B,GAAG,QAAQ;SACZ;QACD,mBAAmB,EAAE,EAAE;QACvB,oBAAoB,EAAE,EAAE;QACxB,mBAAmB,EAAE,EAAE;KACxB,CAAA;AACH,CAAC;AAED,yBAAyB;AACzB,iDAAiD;AACjD,MAAM,UAAU,gBAAgB,CAAC,SAA4B;IAC3D,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,GAAG,IAAI,IAAI,EAAE,CAAA;AACnD,CAAC;AAED,uBAAuB;AACvB,yDAAyD;AACzD,MAAM,UAAU,cAAc,CAAC,KAAoB,EAAE,OAAsB;IACzE,OAAO,KAAK,IAAI,OAAO,CAAA;AACzB,CAAC;AAED,kCAAkC;AAClC,4FAA4F;AAC5F,0FAA0F;AAC1F,gFAAgF;AAChF,0EAA0E;AAC1E,MAAM,UAAU,yBAAyB,CACvC,KASC;IAED,IAAI,OAAgC,CAAA;IACpC,IAAI,SAA6B,CAAA;IAEjC,IAAI,OAAO,KAAK,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QAC1C,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,wCAAwC;YACxC,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAA;gBACpE,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;gBAC7B,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;YACtB,CAAC;YAAC,MAAM,CAAC;gBACP,mCAAmC;gBACnC,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,WAAW,CAAC,CAAA;YACzC,CAAC;QACH,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,WAAW,CAAC,CAAA;QACzC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,KAAK,CAAC,WAAW,CAAA;IAC7B,CAAC;IAED,yCAAyC;IACzC,MAAM,SAAS,GAAG,MAAM,CACtB,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,QAAQ,IAAI,EAAE,CAC/E,CAAA;IACD,MAAM,aAAa,GAAG,SAAS,CAAC,SAAS,CAAC,CAAA;IAE1C,OAAO;QACL,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,YAAY,EAAE,KAAK,CAAC,YAAY,IAAI,MAAM,CAAC,OAAO,CAAC,aAAa,IAAI,OAAO,CAAC;QAC5E,aAAa;QACb,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;QACxD,aAAa,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS;QACrF,kBAAkB,EAAE,KAAK,CAAC,kBAAkB,IAAI,MAAM,CAAC,OAAO,CAAC,mBAAmB,IAAI,KAAK,CAAC;QAC5F,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAClI,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAC3I,SAAS;KACV,CAAA;AACH,CAAC;AAED,4BAA4B;AAC5B,qFAAqF;AACrF,oFAAoF;AACpF,8FAA8F;AAC9F,MAAM,UAAU,mBAAmB,CACjC,GAAM,EACN,MAAiB;IAEjB,MAAM,QAAQ,GAAG,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;IACpF,MAAM,SAAS,GAA4B,EAAE,iBAAiB,EAAE,QAAQ,EAAE,CAAA;IAC1E,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,IAAI,GAAG;YAAE,SAAS,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAA;IACrC,CAAC;IACD,OAAO;QACL,GAAG,GAAG;QACN,iBAAiB,EAAE,QAAQ;QAC3B,YAAY,EAAE,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;KACnD,CAAA;AACH,CAAC"}
+{"version":3,"file":"attestation.js","sourceRoot":"","sources":["../../../src/core/attestation.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E,kDAAkD;AAClD,2FAA2F;AAE3F,OAAO,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAA;AACnC,OAAO,EAAQ,MAAM,EAAwB,MAAM,mBAAmB,CAAA;AACtE,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAA;AAe7C,uBAAuB;AACvB,SAAS,SAAS,CAAC,KAAa;IAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;AACzD,CAAC;AAED,gCAAgC;AAChC,wCAAwC;AACxC,4DAA4D;AAC5D,MAAM,UAAU,uBAAuB,CACrC,aAAqB,EACrB,OAGC;IAED,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;IACtB,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,EAAE,gBAAgB,IAAI,GAAG,CAAC,GAAG,IAAI,CAAC,CAAA;IAElF,OAAO;QACL,WAAW,EAAE,MAAM,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE;QAC7F,KAAK,EAAE,SAAS,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;QAC/E,qBAAqB,EAAE,aAAa;QACpC,2BAA2B,EAAE,OAAO,EAAE,gBAAgB,IAAI,CAAC,SAAS,CAAC;QACrE,SAAS,EAAE,MAAM,CAAC,WAAW,EAAE;QAC/B,QAAQ,EAAE,GAAG,CAAC,WAAW,EAAE;KAC5B,CAAA;AACH,CAAC;AAED,iCAAiC;AACjC,iDAAiD;AACjD,kFAAkF;AAClF,MAAM,UAAU,wBAAwB,CACtC,WAA+B,EAC/B,SAA4B,EAC5B,mBAAwC,CAAC,6BAA6B;;IAEtE,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;IAEtB,kBAAkB;IAClB,IAAI,IAAI,IAAI,CAAC,WAAW,CAAC,SAAS,CAAC,GAAG,GAAG,EAAE,CAAC;QAC1C,OAAO;YACL,SAAS,EAAE,qBAAqB;YAChC,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,iCAAiC;YACzC,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE;SAC9B,CAAA;IACH,CAAC;IAED,sBAAsB;IACtB,IAAI,WAAW,CAAC,KAAK,KAAK,SAAS,CAAC,KAAK,EAAE,CAAC;QAC1C,OAAO;YACL,SAAS,EAAE,qBAAqB;YAChC,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,yCAAyC;YACjD,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE;SAC9B,CAAA;IACH,CAAC;IAED,oBAAoB;IACpB,IAAI,WAAW,CAAC,aAAa,KAAK,SAAS,CAAC,qBAAqB,EAAE,CAAC;QAClE,OAAO;YACL,SAAS,EAAE,qBAAqB;YAChC,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,sDAAsD;YAC9D,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE;SAC9B,CAAA;IACH,CAAC;IAED,4BAA4B;IAC5B,MAAM,WAAW,GAAG,mBAAmB,CAAC,GAAG,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAA;IACjE,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO;YACL,SAAS,EAAE,qBAAqB;YAChC,MAAM,EAAE,UAAU;YAClB,MAAM,EAAE,YAAY,WAAW,CAAC,QAAQ,6BAA6B;YACrE,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE;SAC9B,CAAA;IACH,CAAC;IAED,4BAA4B;IAC5B,MAAM,OAAO,GAAG,YAAY,CAAC;QAC3B,QAAQ,EAAE,WAAW,CAAC,QAAQ;QAC9B,KAAK,EAAE,WAAW,CAAC,KAAK;QACxB,aAAa,EAAE,WAAW,CAAC,aAAa;QACxC,YAAY,EAAE,WAAW,CAAC,YAAY;QACtC,SAAS,EAAE,WAAW,CAAC,SAAS;QAChC,qBAAqB,EAAE,WAAW,CAAC,qBAAqB;QACxD,mBAAmB,EAAE,WAAW,CAAC,mBAAmB;QACpD,mBAAmB,EAAE,WAAW,CAAC,mBAAmB;QACpD,QAAQ,EAAE,WAAW,CAAC,QAAQ;QAC9B,SAAS,EAAE,WAAW,CAAC,SAAS;KACjC,CAAC,CAAA;IAEF,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,EAAE,WAAW,CAAC,SAAS,EAAE,WAAW,CAAC,CAAA;IACpE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO;YACL,SAAS,EAAE,qBAAqB;YAChC,MAAM,EAAE,QAAQ;YAChB,MAAM,EAAE,wCAAwC;YAChD,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE;SAC9B,CAAA;IACH,CAAC;IAED,OAAO;QACL,SAAS,EAAE,qBAAqB;QAChC,MAAM,EAAE,UAAU;QAClB,MAAM,EAAE,gCAAgC,WAAW,CAAC,QAAQ,EAAE;QAC9D,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE;KAC9B,CAAA;AACH,CAAC;AAED,8DAA8D;AAC9D,6EAA6E;AAC7E,+EAA+E;AAC/E,kFAAkF;AAClF,EAAE;AACF,6EAA6E;AAC7E,4EAA4E;AAC5E,uEAAuE;AAEvE,2DAA2D;AAC3D,MAAM,UAAU,sBAAsB,CAAC,OAAwB;IAC7D,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,MAAM,CAAC,CAAC,OAAO,CAAC,CAAA;QACrB,KAAK,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAA;QAC/B,KAAK,gBAAgB,CAAC,CAAC,OAAO,CAAC,CAAA;QAC/B,KAAK,iBAAiB,CAAC,CAAC,OAAO,CAAC,CAAA;IAClC,CAAC;AACH,CAAC;AAED,qEAAqE;AACrE,6DAA6D;AAC7D,MAAM,4BAA4B,GAAG;IACnC,WAAW,EAAE,UAAU;IACvB,sBAAsB,EAAE,qBAAqB;IAC7C,WAAW,EAAE,UAAU;IACvB,wBAAwB,EAAE,uBAAuB;IACjD,WAAW,EAAE,UAAU;IACvB,iBAAiB,EAAE,gBAAgB;IACnC,sBAAsB,EAAE,qBAAqB;CACrC,CAAA;AAEV;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,uBAAuB,CAAC,IAOvC;IACC,qCAAqC;IACrC,IAAI,IAAI,CAAC,mBAAmB;QAAE,OAAO,iBAAiB,CAAA;IAEtD,uFAAuF;IACvF,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QAChB,MAAM,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAA;QACnC,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;YAC3E,OAAO,gBAAgB,CAAA;QACzB,CAAC;IACH,CAAC;IACD,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QAClB,KAAK,MAAM,GAAG,IAAI,4BAA4B,EAAE,CAAC;YAC/C,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,SAAS,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,IAAI,EAAE,CAAC;gBACpE,OAAO,gBAAgB,CAAA;YACzB,CAAC;QACH,CAAC;IACH,CAAC;IAED,iBAAiB;IACjB,IAAI,IAAI,CAAC,kBAAkB;QAAE,OAAO,gBAAgB,CAAA;IAEpD,OAAO,MAAM,CAAA;AACf,CAAC;AAED,6BAA6B;AAC7B,yDAAyD;AACzD,sCAAsC;AACtC,gCAAgC;AAChC,6EAA6E;AAC7E,qCAAqC;AACrC,MAAM,UAAU,oBAAoB,CAClC,QAAgC,EAChC,OAKC;IAED,MAAM,GAAG,GAAG,OAAO,IAAI,EAAE,CAAA;IAEzB,+BAA+B;IAC/B,IAAI,GAAG,CAAC,kBAAkB,IAAI,GAAG,CAAC,uBAAuB,IAAI,GAAG,CAAC,kBAAkB,EAAE,CAAC;QACpF,OAAO,CAAC,CAAA;IACV,CAAC;IACD,IAAI,GAAG,CAAC,kBAAkB,IAAI,GAAG,CAAC,kBAAkB,EAAE,CAAC;QACrD,OAAO,CAAC,CAAA;IACV,CAAC;IACD,4DAA4D;IAC5D,iEAAiE;IACjE,IAAI,GAAG,CAAC,mBAAmB,IAAI,GAAG,CAAC,kBAAkB,EAAE,CAAC;QACtD,OAAO,CAAC,CAAA;IACV,CAAC;IACD,IAAI,GAAG,CAAC,kBAAkB,EAAE,CAAC;QAC3B,OAAO,CAAC,CAAA;IACV,CAAC;IACD,OAAO,CAAC,CAAA;AACV,CAAC;AAED,gCAAgC;AAChC,+CAA+C;AAC/C,MAAM,UAAU,uBAAuB,CACrC,KAAoB,EACpB,QAAgC;IAEhC,MAAM,KAAK,GAAsB,EAAE,CAAA;IAEnC,IAAI,KAAK,IAAI,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;IAC1C,IAAI,KAAK,IAAI,CAAC,IAAI,QAAQ,CAAC,mBAAmB,CAAC,MAAM,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAA;IACtF,IAAI,KAAK,IAAI,CAAC,IAAI,QAAQ,CAAC,oBAAoB,CAAC,MAAM,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAA;IACxF,IAAI,KAAK,IAAI,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;IAC7C,IAAI,QAAQ,CAAC,gBAAgB;QAAE,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;IAC5D,IAAI,QAAQ,CAAC,oBAAoB;QAAE,KAAK,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAA;IAElE,OAAO,KAAK,CAAA;AACd,CAAC;AAED,qCAAqC;AACrC,wEAAwE;AACxE,wFAAwF;AACxF,MAAM,UAAU,4BAA4B,CAAC,QAAgC;IAC3E,OAAO,SAAS,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,CAAA;AAC1C,CAAC;AAED,8BAA8B;AAC9B,iEAAiE;AACjE,MAAM,UAAU,qBAAqB,CACnC,QAAgC,EAChC,OAOC;IAED,MAAM,KAAK,GAAG,oBAAoB,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAA;IACrD,MAAM,KAAK,GAAG,uBAAuB,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAA;IACtD,MAAM,UAAU,GAAG,4BAA4B,CAAC,QAAQ,CAAC,CAAA;IAEzD,OAAO;QACL,QAAQ;QACR,UAAU,EAAE;YACV,aAAa,EAAE,KAAK;YACpB,qBAAqB,EAAE,UAAU;YACjC,KAAK;YACL,mBAAmB,EAAE,OAAO,EAAE,mBAAmB,IAAI,EAAE;YACvD,cAAc,EAAE,OAAO,EAAE,cAAc;YACvC,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACrC;KACF,CAAA;AACH,CAAC;AAED,wBAAwB;AACxB,yDAAyD;AACzD,kEAAkE;AAClE,MAAM,UAAU,eAAe,CAC7B,cAA8B,EAC9B,OAAwB;IAExB,MAAM,OAAO,GAA+B;QAC1C,aAAa,EAAE,OAAO,CAAC,UAAU,CAAC,aAAa;QAC/C,qBAAqB,EAAE,OAAO,CAAC,UAAU,CAAC,qBAAqB;QAC/D,KAAK,EAAE,OAAO,CAAC,UAAU,CAAC,KAAK;KAChC,CAAA;IACD,OAAO;QACL,GAAG,cAAc;QACjB,WAAW,EAAE,OAAO;KACrB,CAAA;AACH,CAAC;AAED,gCAAgC;AAChC,kDAAkD;AAClD,qEAAqE;AACrE,8BAA8B;AAC9B,MAAM,UAAU,uBAAuB,CACrC,OAAuE;IAEvE,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;IAEtB,8CAA8C;IAC9C,MAAM,eAAe,GAA6B,OAAO;SACtD,GAAG,CAAC,CAAC,CAAC,EAAE;QACP,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,CAAC,CAAC,YAAY,CAAC,CAAA;QAC1C,SAAS,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAA;QAC7B,OAAO;YACL,QAAQ,EAAE,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC;YAC3B,SAAS,EAAE,CAAC,CAAC,SAAS;YACtB,kBAAkB,EAAE,SAAS,CAAC,WAAW,EAAE;SAC5C,CAAA;IACH,CAAC,CAAC;SACD,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAA;IAEvD,MAAM,SAAS,GAAG,eAAe,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,SAAS,EAAE,CAAC,CAAC,CAAA;IAC1E,MAAM,YAAY,GAAG,SAAS,CAAC,YAAY,CAAC,eAAe,CAAC,CAAC,CAAA;IAE7D,OAAO;QACL,OAAO,EAAE,eAAe;QACxB,UAAU,EAAE,eAAe,CAAC,MAAM;QAClC,cAAc,EAAE,SAAS;QACzB,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE;QAC7B,YAAY;KACb,CAAA;AACH,CAAC;AAED,kCAAkC;AAClC,kFAAkF;AAClF,MAAM,UAAU,yBAAyB,CACvC,QAAmC;IAEnC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAA;IACtB,OAAO;QACL,SAAS,EAAE,OAAO,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE;QAC5F,WAAW,EAAE,GAAG,CAAC,WAAW,EAAE;QAC9B,QAAQ,EAAE;YACR,UAAU,EAAE,GAAG,CAAC,WAAW,EAAE;YAC7B,GAAG,QAAQ;SACZ;QACD,mBAAmB,EAAE,EAAE;QACvB,oBAAoB,EAAE,EAAE;QACxB,mBAAmB,EAAE,EAAE;KACxB,CAAA;AACH,CAAC;AAED,yBAAyB;AACzB,iDAAiD;AACjD,MAAM,UAAU,gBAAgB,CAAC,SAA4B;IAC3D,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,GAAG,IAAI,IAAI,EAAE,CAAA;AACnD,CAAC;AAED,uBAAuB;AACvB,yDAAyD;AACzD,MAAM,UAAU,cAAc,CAAC,KAAoB,EAAE,OAAsB;IACzE,OAAO,KAAK,IAAI,OAAO,CAAA;AACzB,CAAC;AAED,kCAAkC;AAClC,4FAA4F;AAC5F,0FAA0F;AAC1F,gFAAgF;AAChF,0EAA0E;AAC1E,MAAM,UAAU,yBAAyB,CACvC,KAWC;IAED,IAAI,OAAgC,CAAA;IACpC,IAAI,SAA6B,CAAA;IAEjC,IAAI,OAAO,KAAK,CAAC,WAAW,KAAK,QAAQ,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,CAAA;QAC1C,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,wCAAwC;YACxC,IAAI,CAAC;gBACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAA;gBACpE,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;gBAC7B,SAAS,GAAG,KAAK,CAAC,CAAC,CAAC,CAAA;YACtB,CAAC;YAAC,MAAM,CAAC;gBACP,mCAAmC;gBACnC,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,WAAW,CAAC,CAAA;YACzC,CAAC;QACH,CAAC;aAAM,CAAC;YACN,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,WAAW,CAAC,CAAA;QACzC,CAAC;IACH,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,KAAK,CAAC,WAAW,CAAA;IAC7B,CAAC;IAED,yCAAyC;IACzC,MAAM,SAAS,GAAG,MAAM,CACtB,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,OAAO,IAAI,OAAO,CAAC,QAAQ,IAAI,EAAE,CAC/E,CAAA;IACD,MAAM,aAAa,GAAG,SAAS,CAAC,SAAS,CAAC,CAAA;IAE1C,OAAO;QACL,QAAQ,EAAE,KAAK,CAAC,QAAQ;QACxB,YAAY,EAAE,KAAK,CAAC,YAAY,IAAI,MAAM,CAAC,OAAO,CAAC,aAAa,IAAI,OAAO,CAAC;QAC5E,aAAa;QACb,KAAK,EAAE,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS;QACxD,aAAa,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS;QACrF,kBAAkB,EAAE,KAAK,CAAC,kBAAkB,IAAI,MAAM,CAAC,OAAO,CAAC,mBAAmB,IAAI,KAAK,CAAC;QAC5F,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;QAClI,SAAS,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAC3I,SAAS;QACT,SAAS,EAAE,KAAK,CAAC,SAAS;KAC3B,CAAA;AACH,CAAC;AAED,4BAA4B;AAC5B,qFAAqF;AACrF,oFAAoF;AACpF,8FAA8F;AAC9F,MAAM,UAAU,mBAAmB,CACjC,GAAM,EACN,MAAiB;IAEjB,MAAM,QAAQ,GAAG,CAAC,MAAM,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,CAAA;IACpF,MAAM,SAAS,GAA4B,EAAE,iBAAiB,EAAE,QAAQ,EAAE,CAAA;IAC1E,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,IAAI,CAAC,IAAI,GAAG;YAAE,SAAS,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAA;IACrC,CAAC;IACD,OAAO;QACL,GAAG,GAAG;QACN,iBAAiB,EAAE,QAAQ;QAC3B,YAAY,EAAE,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;KACnD,CAAA;AACH,CAAC"}

package/dist/src/core/canonical.d.ts

@@ -1,2 +1,5 @@
 export declare function canonicalize(obj: unknown): string;
+export declare function canonicalJson(obj: Record<string, unknown>): string;
+export declare function canonicalHash(obj: Record<string, unknown>): string;
+export declare function normalizeTimestamp(ts: string): string;
 //# sourceMappingURL=canonical.d.ts.map

package/dist/src/core/canonical.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"canonical.d.ts","sourceRoot":"","sources":["../../../src/core/canonical.ts"],"names":[],"mappings":"AAGA,wBAAgB,YAAY,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAkBjD"}
+{"version":3,"file":"canonical.d.ts","sourceRoot":"","sources":["../../../src/core/canonical.ts"],"names":[],"mappings":"AAKA,wBAAgB,YAAY,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAkBjD;AAKD,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAElE;AAGD,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAElE;AAMD,wBAAgB,kBAAkB,CAAC,EAAE,EAAE,MAAM,GAAG,MAAM,CAOrD"}

package/dist/src/core/canonical.js

@@ -1,5 +1,6 @@
 // Canonical JSON — deterministic serialization for signing
 // Sorts keys alphabetically, omits null/undefined in object keys (not arrays)
+import { createHash } from 'node:crypto';
 export function canonicalize(obj) {
     if (obj === null || obj === undefined)
         return 'null';
@@ -22,4 +23,26 @@ export function canonicalize(obj) {
     });
     return '{' + sorted.join(',') + '}';
 }
+// canonicalJson — deterministic JSON serialization of an object.
+// Same semantics as canonicalize() but typed to objects for cross-system
+// receipt comparison (action_ref, compound_digest, etc.)
+export function canonicalJson(obj) {
+    return canonicalize(obj);
+}
+// canonicalHash — SHA-256 of canonicalJson(obj), returned as lowercase hex.
+export function canonicalHash(obj) {
+    return createHash('sha256').update(canonicalJson(obj)).digest('hex');
+}
+// normalizeTimestamp — force ISO 8601 second-precision UTC.
+// Accepts any parseable timestamp; returns format: YYYY-MM-DDTHH:mm:ssZ
+// Strips fractional seconds and normalizes timezone offsets to UTC.
+// Thread claim (A2A#1672): action_ref timestamps are second-precision.
+export function normalizeTimestamp(ts) {
+    const d = new Date(ts);
+    if (Number.isNaN(d.getTime())) {
+        throw new Error(`normalizeTimestamp: invalid timestamp "${ts}"`);
+    }
+    // ISO with milliseconds: 2026-04-05T03:39:31.123Z → strip ms
+    return d.toISOString().replace(/\.\d{3}Z$/, 'Z');
+}
 //# sourceMappingURL=canonical.js.map

package/dist/src/core/canonical.js.map

@@ -1 +1 @@
-{"version":3,"file":"canonical.js","sourceRoot":"","sources":["../../../src/core/canonical.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,8EAA8E;AAE9E,MAAM,UAAU,YAAY,CAAC,GAAY;IACvC,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,MAAM,CAAA;IACpD,IAAI,GAAG,YAAY,IAAI;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAA;IACnD,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAA;IACvD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAA;IAClE,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,GAA8B,CAAC;SACvD,IAAI,EAAE;SACN,MAAM,CAAC,GAAG,CAAC,EAAE;QACZ,MAAM,GAAG,GAAI,GAA+B,CAAC,GAAG,CAAC,CAAA;QACjD,OAAO,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS,CAAA;IAC1C,CAAC,CAAC;SACD,GAAG,CAAC,GAAG,CAAC,EAAE;QACT,MAAM,GAAG,GAAI,GAA+B,CAAC,GAAG,CAAC,CAAA;QACjD,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,GAAG,CAAC,EAAE,CAAA;IACtD,CAAC,CAAC,CAAA;IACJ,OAAO,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAA;AACrC,CAAC"}
+{"version":3,"file":"canonical.js","sourceRoot":"","sources":["../../../src/core/canonical.ts"],"names":[],"mappings":"AAAA,2DAA2D;AAC3D,8EAA8E;AAE9E,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AAExC,MAAM,UAAU,YAAY,CAAC,GAAY;IACvC,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,MAAM,CAAA;IACpD,IAAI,GAAG,YAAY,IAAI;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAA;IACnD,IAAI,OAAO,GAAG,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAA;IACvD,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACvB,OAAO,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAA;IAClE,CAAC;IACD,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,GAA8B,CAAC;SACvD,IAAI,EAAE;SACN,MAAM,CAAC,GAAG,CAAC,EAAE;QACZ,MAAM,GAAG,GAAI,GAA+B,CAAC,GAAG,CAAC,CAAA;QACjD,OAAO,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,SAAS,CAAA;IAC1C,CAAC,CAAC;SACD,GAAG,CAAC,GAAG,CAAC,EAAE;QACT,MAAM,GAAG,GAAI,GAA+B,CAAC,GAAG,CAAC,CAAA;QACjD,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,YAAY,CAAC,GAAG,CAAC,EAAE,CAAA;IACtD,CAAC,CAAC,CAAA;IACJ,OAAO,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,GAAG,CAAA;AACrC,CAAC;AAED,iEAAiE;AACjE,yEAAyE;AACzE,yDAAyD;AACzD,MAAM,UAAU,aAAa,CAAC,GAA4B;IACxD,OAAO,YAAY,CAAC,GAAG,CAAC,CAAA;AAC1B,CAAC;AAED,4EAA4E;AAC5E,MAAM,UAAU,aAAa,CAAC,GAA4B;IACxD,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAA;AACtE,CAAC;AAED,4DAA4D;AAC5D,wEAAwE;AACxE,oEAAoE;AACpE,uEAAuE;AACvE,MAAM,UAAU,kBAAkB,CAAC,EAAU;IAC3C,MAAM,CAAC,GAAG,IAAI,IAAI,CAAC,EAAE,CAAC,CAAA;IACtB,IAAI,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,KAAK,CAAC,0CAA0C,EAAE,GAAG,CAAC,CAAA;IAClE,CAAC;IACD,6DAA6D;IAC7D,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,WAAW,EAAE,GAAG,CAAC,CAAA;AAClD,CAAC"}

package/dist/src/core/credential-request.d.ts

@@ -0,0 +1,62 @@
+import type { VerifiablePresentation } from '../types/did.js';
+import type { ProviderAttestation } from '../types/attestation.js';
+export interface CredentialRequest {
+    /** Unique request ID */
+    id: string;
+    /** Claims the verifier wants (e.g., ["grade", "capabilities", "delegationScope"]) */
+    requestedClaims: string[];
+    /** DID of the verifier making the request */
+    verifierDID: string;
+    /** Challenge nonce for replay protection */
+    challenge: string;
+    /** When this request was created */
+    createdAt: string;
+}
+export interface CredentialResponseResult {
+    valid: boolean;
+    /** Extracted claims that the verifier requested */
+    claims: Record<string, unknown>;
+    /** Detailed checks */
+    checks: string[];
+}
+export interface SelectivePassport {
+    agentId: string;
+    publicKey: string;
+    agentName?: string;
+    mission?: string;
+    capabilities?: string[];
+    grade?: number;
+    delegationScope?: string[];
+    createdAt?: string;
+    expiresAt?: string;
+    evidence?: ProviderAttestation[];
+}
+/**
+ * Create a credential request specifying which claims the verifier needs.
+ * The challenge provides replay protection: the agent must bind the VP
+ * to this specific challenge.
+ */
+export declare function createCredentialRequest(claims: string[], verifierDID: string, challenge?: string): CredentialRequest;
+/**
+ * Fulfill a credential request by creating a VP that contains only
+ * the requested claims. This is selective disclosure: the agent
+ * reveals only what the verifier asked for.
+ *
+ * The VC's credentialSubject will contain:
+ * - id (always included, the agent's did:key)
+ * - agentId (always included for APS correlation)
+ * - only the fields listed in request.requestedClaims
+ */
+export declare function fulfillCredentialRequest(request: CredentialRequest, passport: SelectivePassport, privateKey: string): Promise<VerifiablePresentation>;
+/**
+ * Verify a credential response VP and extract the requested claims.
+ *
+ * Checks:
+ * 1. VP proof is valid
+ * 2. Challenge matches (replay protection)
+ * 3. Each contained VC proof is valid
+ * 4. Credential is not expired
+ * 5. Extracts claims from credentialSubject
+ */
+export declare function verifyCredentialResponse(vp: VerifiablePresentation, expectedChallenge?: string): Promise<CredentialResponseResult>;
+//# sourceMappingURL=credential-request.d.ts.map

package/dist/src/core/credential-request.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-request.d.ts","sourceRoot":"","sources":["../../../src/core/credential-request.ts"],"names":[],"mappings":"AAQA,OAAO,KAAK,EAAwB,sBAAsB,EAAmB,MAAM,iBAAiB,CAAA;AACpG,OAAO,KAAK,EAAE,mBAAmB,EAAE,MAAM,yBAAyB,CAAA;AAIlE,MAAM,WAAW,iBAAiB;IAChC,wBAAwB;IACxB,EAAE,EAAE,MAAM,CAAA;IACV,qFAAqF;IACrF,eAAe,EAAE,MAAM,EAAE,CAAA;IACzB,6CAA6C;IAC7C,WAAW,EAAE,MAAM,CAAA;IACnB,4CAA4C;IAC5C,SAAS,EAAE,MAAM,CAAA;IACjB,oCAAoC;IACpC,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,WAAW,wBAAwB;IACvC,KAAK,EAAE,OAAO,CAAA;IACd,mDAAmD;IACnD,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAC/B,sBAAsB;IACtB,MAAM,EAAE,MAAM,EAAE,CAAA;CACjB;AAED,MAAM,WAAW,iBAAiB;IAChC,OAAO,EAAE,MAAM,CAAA;IACf,SAAS,EAAE,MAAM,CAAA;IACjB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,YAAY,CAAC,EAAE,MAAM,EAAE,CAAA;IACvB,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,eAAe,CAAC,EAAE,MAAM,EAAE,CAAA;IAC1B,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,QAAQ,CAAC,EAAE,mBAAmB,EAAE,CAAA;CACjC;AAYD;;;;GAIG;AACH,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,MAAM,EAAE,EAChB,WAAW,EAAE,MAAM,EACnB,SAAS,CAAC,EAAE,MAAM,GACjB,iBAAiB,CAenB;AAED;;;;;;;;;GASG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,iBAAiB,EAC1B,QAAQ,EAAE,iBAAiB,EAC3B,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,sBAAsB,CAAC,CA8EjC;AAED;;;;;;;;;GASG;AACH,wBAAsB,wBAAwB,CAC5C,EAAE,EAAE,sBAAsB,EAC1B,iBAAiB,CAAC,EAAE,MAAM,GACzB,OAAO,CAAC,wBAAwB,CAAC,CA0FnC"}