attestix 0.4.0

package/dist/index.js

@@ -0,0 +1,893 @@
+// src/errors.ts
+var AttestixError = class extends Error {
+  statusCode;
+  detail;
+  constructor(message, statusCode, detail) {
+    super(message);
+    this.name = "AttestixError";
+    this.statusCode = statusCode;
+    this.detail = detail ?? message;
+    const ErrorWithCapture = Error;
+    if (ErrorWithCapture.captureStackTrace) {
+      ErrorWithCapture.captureStackTrace(this, this.constructor);
+    }
+  }
+};
+var AttestixAuthError = class extends AttestixError {
+  constructor(detail) {
+    super(
+      detail ?? "Authentication failed - check your API key",
+      401,
+      detail
+    );
+    this.name = "AttestixAuthError";
+  }
+};
+var AttestixNotFoundError = class extends AttestixError {
+  constructor(detail) {
+    super(
+      detail ?? "Resource not found",
+      404,
+      detail
+    );
+    this.name = "AttestixNotFoundError";
+  }
+};
+var AttestixValidationError = class extends AttestixError {
+  constructor(detail) {
+    super(
+      detail ?? "Validation error - check your request parameters",
+      400,
+      detail
+    );
+    this.name = "AttestixValidationError";
+  }
+};
+var AttestixRateLimitError = class extends AttestixError {
+  retryAfter;
+  constructor(detail, retryAfter) {
+    super(
+      detail ?? "Rate limit exceeded - try again later",
+      429,
+      detail
+    );
+    this.name = "AttestixRateLimitError";
+    this.retryAfter = retryAfter ?? null;
+  }
+};
+
+// src/client.ts
+var DEFAULT_TIMEOUT = 3e4;
+var RETRY_STATUS_CODES = /* @__PURE__ */ new Set([429, 503]);
+var MAX_RETRIES = 1;
+var BASE_RETRY_DELAY = 1e3;
+var AttestixClient = class {
+  baseUrl;
+  apiKey;
+  timeout;
+  constructor(options) {
+    this.baseUrl = options.baseUrl.replace(/\/+$/, "");
+    this.apiKey = options.apiKey;
+    this.timeout = options.timeout ?? DEFAULT_TIMEOUT;
+  }
+  // ========================================================================
+  // Identity
+  // ========================================================================
+  async createIdentity(params) {
+    return this.request("POST", "/identities", params);
+  }
+  async getIdentity(agentId) {
+    return this.request("GET", `/identities/${encodeURIComponent(agentId)}`);
+  }
+  async listIdentities(params) {
+    const query = this.buildQuery(params);
+    return this.request("GET", `/identities${query}`);
+  }
+  async verifyIdentity(agentId) {
+    return this.request("POST", `/identities/${encodeURIComponent(agentId)}/verify`);
+  }
+  async translateIdentity(agentId, format) {
+    const query = this.buildQuery({ format });
+    return this.request("GET", `/identities/${encodeURIComponent(agentId)}/translate${query}`);
+  }
+  async revokeIdentity(agentId, reason) {
+    return this.request("POST", `/identities/${encodeURIComponent(agentId)}/revoke`, { reason });
+  }
+  async purgeAgentData(agentId) {
+    return this.request("DELETE", `/identities/${encodeURIComponent(agentId)}/purge`);
+  }
+  // ========================================================================
+  // Credentials
+  // ========================================================================
+  async issueCredential(params) {
+    return this.request("POST", "/credentials", params);
+  }
+  async getCredential(credentialId) {
+    return this.request("GET", `/credentials/${encodeURIComponent(credentialId)}`);
+  }
+  async listCredentials(params) {
+    const query = this.buildQuery(params);
+    return this.request("GET", `/credentials${query}`);
+  }
+  async verifyCredential(credentialId) {
+    return this.request("POST", `/credentials/${encodeURIComponent(credentialId)}/verify`);
+  }
+  async verifyExternalCredential(credential) {
+    return this.request("POST", "/credentials/verify-external", credential);
+  }
+  async revokeCredential(credentialId, reason) {
+    return this.request("POST", `/credentials/${encodeURIComponent(credentialId)}/revoke`, { reason });
+  }
+  async createPresentation(params) {
+    return this.request("POST", "/credentials/presentations", params);
+  }
+  // ========================================================================
+  // Compliance
+  // ========================================================================
+  async createComplianceProfile(params) {
+    return this.request("POST", "/compliance/profiles", params);
+  }
+  async getComplianceProfile(profileId) {
+    return this.request("GET", `/compliance/profiles/${encodeURIComponent(profileId)}`);
+  }
+  async listComplianceProfiles() {
+    return this.request("GET", "/compliance/profiles");
+  }
+  async getComplianceStatus(profileId) {
+    return this.request("GET", `/compliance/profiles/${encodeURIComponent(profileId)}/status`);
+  }
+  async recordAssessment(params) {
+    return this.request("POST", "/compliance/assessments", params);
+  }
+  async generateDeclaration(params) {
+    return this.request("POST", "/compliance/declarations", params);
+  }
+  // ========================================================================
+  // Reputation
+  // ========================================================================
+  async recordInteraction(params) {
+    await this.request("POST", "/reputation/interactions", params);
+  }
+  async getReputation(agentId) {
+    return this.request("GET", `/reputation/${encodeURIComponent(agentId)}`);
+  }
+  async queryReputation(params) {
+    const query = this.buildQuery(params);
+    return this.request("GET", `/reputation${query}`);
+  }
+  // ========================================================================
+  // Provenance
+  // ========================================================================
+  async recordTrainingData(params) {
+    return this.request("POST", "/provenance/training-data", params);
+  }
+  async recordModelLineage(params) {
+    return this.request("POST", "/provenance/model-lineage", params);
+  }
+  async logAction(params) {
+    return this.request("POST", "/provenance/actions", params);
+  }
+  async getProvenance(agentId) {
+    return this.request("GET", `/provenance/${encodeURIComponent(agentId)}`);
+  }
+  async getAuditTrail(params) {
+    const query = this.buildQuery(params);
+    return this.request("GET", `/provenance/audit${query}`);
+  }
+  // ========================================================================
+  // Delegation
+  // ========================================================================
+  async createDelegation(params) {
+    return this.request("POST", "/delegations", params);
+  }
+  async listDelegations(params) {
+    const query = this.buildQuery(params);
+    return this.request("GET", `/delegations${query}`);
+  }
+  async verifyDelegation(token) {
+    return this.request("POST", "/delegations/verify", { token });
+  }
+  async revokeDelegation(delegationId) {
+    await this.request("POST", `/delegations/${encodeURIComponent(delegationId)}/revoke`);
+  }
+  // ========================================================================
+  // DID
+  // ========================================================================
+  async createDidKey() {
+    return this.request("POST", "/did/key");
+  }
+  async createDidWeb(domain) {
+    return this.request("POST", "/did/web", { domain });
+  }
+  async resolveDid(did) {
+    return this.request("GET", `/did/${encodeURIComponent(did)}`);
+  }
+  // ========================================================================
+  // Blockchain Anchoring
+  // ========================================================================
+  async anchorIdentity(agentId) {
+    return this.request("POST", `/anchoring/identities/${encodeURIComponent(agentId)}`);
+  }
+  async anchorCredential(credentialId) {
+    return this.request("POST", `/anchoring/credentials/${encodeURIComponent(credentialId)}`);
+  }
+  async anchorAuditBatch(entryIds) {
+    return this.request("POST", "/anchoring/audit-batch", { entry_ids: entryIds });
+  }
+  async verifyAnchor(anchorId) {
+    return this.request("POST", `/anchoring/${encodeURIComponent(anchorId)}/verify`);
+  }
+  async getAnchorStatus(anchorId) {
+    return this.request("GET", `/anchoring/${encodeURIComponent(anchorId)}`);
+  }
+  async estimateAnchorCost() {
+    return this.request("GET", "/anchoring/estimate");
+  }
+  // ========================================================================
+  // Internal
+  // ========================================================================
+  async request(method, path, body) {
+    return this.requestWithRetry(method, path, body, 0);
+  }
+  async requestWithRetry(method, path, body, attempt) {
+    const controller = new AbortController();
+    const timeoutId = setTimeout(() => controller.abort(), this.timeout);
+    const url = `${this.baseUrl}${path}`;
+    const headers = {
+      "Authorization": `Bearer ${this.apiKey}`,
+      "Accept": "application/json"
+    };
+    const init = {
+      method,
+      headers,
+      signal: controller.signal
+    };
+    if (body !== void 0 && method !== "GET") {
+      headers["Content-Type"] = "application/json";
+      init.body = JSON.stringify(body);
+    }
+    let response;
+    try {
+      response = await fetch(url, init);
+    } catch (error) {
+      clearTimeout(timeoutId);
+      if (error instanceof DOMException && error.name === "AbortError") {
+        throw new AttestixError(
+          `Request timed out after ${this.timeout}ms`,
+          0,
+          "Request timeout"
+        );
+      }
+      throw new AttestixError(
+        `Network error: ${error instanceof Error ? error.message : String(error)}`,
+        0,
+        "Network error"
+      );
+    } finally {
+      clearTimeout(timeoutId);
+    }
+    if (RETRY_STATUS_CODES.has(response.status) && attempt < MAX_RETRIES) {
+      const retryAfter = response.headers.get("Retry-After");
+      const delay = retryAfter ? parseInt(retryAfter, 10) * 1e3 : BASE_RETRY_DELAY * Math.pow(2, attempt);
+      await this.sleep(delay);
+      return this.requestWithRetry(method, path, body, attempt + 1);
+    }
+    if (!response.ok) {
+      await this.handleErrorResponse(response);
+    }
+    if (response.status === 204) {
+      return void 0;
+    }
+    const text = await response.text();
+    if (!text) {
+      return void 0;
+    }
+    return JSON.parse(text);
+  }
+  async handleErrorResponse(response) {
+    let detail;
+    try {
+      const body = await response.json();
+      detail = body.detail ?? body.message ?? JSON.stringify(body);
+    } catch {
+      detail = `HTTP ${response.status}: ${response.statusText}`;
+    }
+    switch (response.status) {
+      case 400:
+        throw new AttestixValidationError(detail);
+      case 401:
+      case 403:
+        throw new AttestixAuthError(detail);
+      case 404:
+        throw new AttestixNotFoundError(detail);
+      case 429: {
+        const retryAfter = response.headers.get("Retry-After");
+        throw new AttestixRateLimitError(
+          detail,
+          retryAfter ? parseInt(retryAfter, 10) : void 0
+        );
+      }
+      default:
+        throw new AttestixError(detail, response.status, detail);
+    }
+  }
+  buildQuery(params) {
+    if (!params) return "";
+    const searchParams = new URLSearchParams();
+    const entries = Object.entries(params);
+    for (const [key, value] of entries) {
+      if (value !== void 0 && value !== null) {
+        searchParams.set(key, String(value));
+      }
+    }
+    const queryString = searchParams.toString();
+    return queryString ? `?${queryString}` : "";
+  }
+  sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+  }
+};
+
+// src/verify/jcs.ts
+var JcsUnsupportedValueError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "JcsUnsupportedValueError";
+  }
+};
+function canonicalizeToString(value) {
+  return serialize(value);
+}
+function canonicalize(value) {
+  return new TextEncoder().encode(serialize(value));
+}
+function serialize(value) {
+  if (value === null) {
+    return "null";
+  }
+  const t = typeof value;
+  if (t === "boolean") {
+    return value ? "true" : "false";
+  }
+  if (t === "string") {
+    return serializeString(value);
+  }
+  if (t === "number") {
+    return serializeNumber(value);
+  }
+  if (Array.isArray(value)) {
+    return "[" + value.map((v) => serialize(v)).join(",") + "]";
+  }
+  if (t === "object") {
+    const obj = value;
+    const keys = Object.keys(obj).sort(compareByCodePoint);
+    const parts = [];
+    for (const k of keys) {
+      parts.push(serializeString(k) + ":" + serialize(obj[k]));
+    }
+    return "{" + parts.join(",") + "}";
+  }
+  throw new JcsUnsupportedValueError(
+    `Cannot canonicalize value of type ${t}`
+  );
+}
+function compareByCodePoint(a, b) {
+  const ai = a[Symbol.iterator]();
+  const bi = b[Symbol.iterator]();
+  for (; ; ) {
+    const an = ai.next();
+    const bn = bi.next();
+    if (an.done && bn.done) return 0;
+    if (an.done) return -1;
+    if (bn.done) return 1;
+    const ac = an.value.codePointAt(0);
+    const bc = bn.value.codePointAt(0);
+    if (ac !== bc) return ac - bc;
+  }
+}
+function serializeNumber(n) {
+  if (!Number.isFinite(n)) {
+    throw new JcsUnsupportedValueError(
+      `Non-finite number (${n}) cannot be canonicalized`
+    );
+  }
+  if (n === 0 && 1 / n === -Infinity) {
+    throw new JcsUnsupportedValueError(
+      "Signed zero (-0) cannot be canonicalized (Python emits -0.0)"
+    );
+  }
+  if (Number.isInteger(n)) {
+    const s2 = String(n);
+    if (s2.includes("e") || s2.includes("E")) {
+      throw new JcsUnsupportedValueError(
+        `Integer ${n} would serialize in exponential notation; use a string field instead`
+      );
+    }
+    return s2;
+  }
+  const s = String(n);
+  if (s.includes("e") || s.includes("E")) {
+    throw new JcsUnsupportedValueError(
+      `Float ${n} requires exponential notation; not supported for cross-engine canonicalization`
+    );
+  }
+  return s;
+}
+var ESCAPE_MAP = {
+  8: "\\b",
+  9: "\\t",
+  10: "\\n",
+  12: "\\f",
+  13: "\\r",
+  34: '\\"',
+  92: "\\\\"
+};
+function serializeString(raw) {
+  const s = raw.normalize("NFC");
+  let out = '"';
+  for (const ch of s) {
+    const code = ch.codePointAt(0);
+    const mapped = ESCAPE_MAP[code];
+    if (mapped !== void 0) {
+      out += mapped;
+    } else if (code < 32) {
+      out += "\\u" + code.toString(16).padStart(4, "0");
+    } else {
+      out += ch;
+    }
+  }
+  out += '"';
+  return out;
+}
+
+// src/verify/base64url.ts
+var STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+var DECODE = (() => {
+  const table = new Int16Array(128).fill(-1);
+  for (let i = 0; i < STD_ALPHABET.length; i++) {
+    table[STD_ALPHABET.charCodeAt(i)] = i;
+  }
+  table["-".charCodeAt(0)] = 62;
+  table["_".charCodeAt(0)] = 63;
+  return table;
+})();
+function base64urlDecode(input) {
+  const s = input.replace(/=+$/g, "").trim();
+  const len = s.length;
+  const outLen = Math.floor(len * 6 / 8);
+  const out = new Uint8Array(outLen);
+  let buffer = 0;
+  let bits = 0;
+  let pos = 0;
+  for (let i = 0; i < len; i++) {
+    const c = s.charCodeAt(i);
+    const val = c < 128 ? DECODE[c] : -1;
+    if (val === -1) {
+      throw new Error(`Invalid base64url character at index ${i}`);
+    }
+    buffer = buffer << 6 | val;
+    bits += 6;
+    if (bits >= 8) {
+      bits -= 8;
+      out[pos++] = buffer >> bits & 255;
+    }
+  }
+  return out;
+}
+
+// src/verify/didkey.ts
+var ED25519_MULTICODEC_PREFIX = new Uint8Array([237, 1]);
+var BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
+var BASE58_MAP = (() => {
+  const map = new Int16Array(128).fill(-1);
+  for (let i = 0; i < BASE58_ALPHABET.length; i++) {
+    map[BASE58_ALPHABET.charCodeAt(i)] = i;
+  }
+  return map;
+})();
+function base58btcEncode(bytes) {
+  if (bytes.length === 0) return "";
+  let zeros = 0;
+  while (zeros < bytes.length && bytes[zeros] === 0) zeros++;
+  const digits = [0];
+  for (let i = zeros; i < bytes.length; i++) {
+    let carry = bytes[i];
+    for (let j = 0; j < digits.length; j++) {
+      carry += digits[j] << 8;
+      digits[j] = carry % 58;
+      carry = carry / 58 | 0;
+    }
+    while (carry > 0) {
+      digits.push(carry % 58);
+      carry = carry / 58 | 0;
+    }
+  }
+  let out = "1".repeat(zeros);
+  for (let i = digits.length - 1; i >= 0; i--) {
+    out += BASE58_ALPHABET[digits[i]];
+  }
+  return out;
+}
+function base58btcDecode(str) {
+  if (str.length === 0) return new Uint8Array(0);
+  let zeros = 0;
+  while (zeros < str.length && str[zeros] === "1") zeros++;
+  const bytes = [0];
+  for (let i = zeros; i < str.length; i++) {
+    const c = str.charCodeAt(i);
+    const val = c < 128 ? BASE58_MAP[c] : -1;
+    if (val === -1) {
+      throw new Error(`Invalid base58 character '${str[i]}' at index ${i}`);
+    }
+    let carry = val;
+    for (let j = 0; j < bytes.length; j++) {
+      carry += bytes[j] * 58;
+      bytes[j] = carry & 255;
+      carry >>= 8;
+    }
+    while (carry > 0) {
+      bytes.push(carry & 255);
+      carry >>= 8;
+    }
+  }
+  const out = new Uint8Array(zeros + bytes.length);
+  for (let i = 0; i < bytes.length; i++) {
+    out[zeros + i] = bytes[bytes.length - 1 - i];
+  }
+  return out;
+}
+function publicKeyToDidKey(rawPublicKey) {
+  if (rawPublicKey.length !== 32) {
+    throw new Error(
+      `Ed25519 public key must be 32 bytes, got ${rawPublicKey.length}`
+    );
+  }
+  const multicodec = new Uint8Array(2 + 32);
+  multicodec.set(ED25519_MULTICODEC_PREFIX, 0);
+  multicodec.set(rawPublicKey, 2);
+  return `did:key:z${base58btcEncode(multicodec)}`;
+}
+function didKeyToPublicKey(did) {
+  if (!did.startsWith("did:key:z")) {
+    throw new Error(`Invalid did:key format: ${did}`);
+  }
+  const encoded = did.slice("did:key:z".length);
+  const decoded = base58btcDecode(encoded);
+  if (decoded.length < 2 || decoded[0] !== ED25519_MULTICODEC_PREFIX[0] || decoded[1] !== ED25519_MULTICODEC_PREFIX[1]) {
+    throw new Error("Not an Ed25519 did:key (wrong multicodec prefix)");
+  }
+  const raw = decoded.slice(2);
+  if (raw.length !== 32) {
+    throw new Error(
+      `Decoded Ed25519 public key must be 32 bytes, got ${raw.length}`
+    );
+  }
+  return raw;
+}
+function didFromVerificationMethod(vm) {
+  const idx = vm.indexOf("#");
+  return idx === -1 ? vm : vm.slice(0, idx);
+}
+
+// src/verify/ed25519.ts
+import { ed25519 } from "@noble/curves/ed25519.js";
+function verifyEd25519(signature, message, publicKey) {
+  try {
+    if (signature.length !== 64 || publicKey.length !== 32) {
+      return false;
+    }
+    return ed25519.verify(signature, message, publicKey);
+  } catch {
+    return false;
+  }
+}
+
+// src/verify/credential.ts
+var VC_MUTABLE_FIELDS = ["proof", "credentialStatus"];
+function isObject(v) {
+  return typeof v === "object" && v !== null && !Array.isArray(v);
+}
+function stripFields(obj, fields) {
+  const out = {};
+  for (const k of Object.keys(obj)) {
+    if (!fields.includes(k)) out[k] = obj[k];
+  }
+  return out;
+}
+function verifyCredential(credential, options = {}) {
+  const checks = {
+    structure_valid: false,
+    signature_valid: false,
+    not_expired: false,
+    not_revoked: true
+  };
+  if (!isObject(credential)) {
+    return { valid: false, reason: "Credential is not an object", checks };
+  }
+  const type = credential.type;
+  const types = Array.isArray(type) ? type : [];
+  if (!types.includes("VerifiableCredential")) {
+    return { valid: false, reason: "Not a VerifiableCredential", checks };
+  }
+  checks.structure_valid = true;
+  const status = credential.credentialStatus;
+  if (isObject(status) && status.revoked === true) {
+    checks.not_revoked = false;
+  }
+  const checkExpiry = options.checkExpiry !== false;
+  const expStr = credential.expirationDate;
+  if (checkExpiry && typeof expStr === "string") {
+    const exp = Date.parse(expStr);
+    const now = options.now ?? Date.now();
+    checks.not_expired = Number.isNaN(exp) ? true : now < exp;
+  } else {
+    checks.not_expired = true;
+  }
+  const proof = credential.proof;
+  let issuer;
+  if (isObject(proof) && typeof proof.proofValue === "string") {
+    const vm = typeof proof.verificationMethod === "string" ? proof.verificationMethod : "";
+    let issuerDid = vm ? didFromVerificationMethod(vm) : "";
+    if (!issuerDid && isObject(credential.issuer)) {
+      const iid = credential.issuer.id;
+      if (typeof iid === "string") issuerDid = iid;
+    }
+    issuer = issuerDid;
+    try {
+      const payload = stripFields(credential, VC_MUTABLE_FIELDS);
+      const message = canonicalize(payload);
+      const sig = base64urlDecode(proof.proofValue);
+      const pub = didKeyToPublicKey(issuerDid);
+      checks.signature_valid = verifyEd25519(sig, message, pub);
+    } catch {
+      checks.signature_valid = false;
+    }
+  }
+  const subjectId = isObject(credential.credentialSubject) && typeof credential.credentialSubject.id === "string" ? credential.credentialSubject.id : void 0;
+  const valid = checks.structure_valid && checks.signature_valid && checks.not_expired && checks.not_revoked;
+  const result = {
+    valid,
+    checks,
+    type: types
+  };
+  if (issuer !== void 0) result.issuer = issuer;
+  if (subjectId !== void 0) result.subject = subjectId;
+  if (!valid) {
+    result.reason = !checks.signature_valid ? "Invalid signature" : !checks.not_expired ? "Credential expired" : !checks.not_revoked ? "Credential revoked" : "Verification failed";
+  }
+  return result;
+}
+function verifyPresentation(presentation, options = {}) {
+  const empty = {
+    valid: false,
+    vpSignatureValid: false,
+    credentialCount: 0,
+    credentialResults: []
+  };
+  if (!isObject(presentation)) {
+    return { ...empty, reason: "Presentation is not an object" };
+  }
+  const types = Array.isArray(presentation.type) ? presentation.type : [];
+  if (!types.includes("VerifiablePresentation")) {
+    return { ...empty, reason: "Not a VerifiablePresentation" };
+  }
+  const holder = typeof presentation.holder === "string" ? presentation.holder : void 0;
+  let vpSignatureValid = false;
+  const proof = presentation.proof;
+  if (isObject(proof) && typeof proof.proofValue === "string") {
+    const vm = typeof proof.verificationMethod === "string" ? proof.verificationMethod : "";
+    const issuerDid = vm ? didFromVerificationMethod(vm) : holder ?? "";
+    try {
+      const payload = stripFields(presentation, ["proof"]);
+      const message = canonicalize(payload);
+      const sig = base64urlDecode(proof.proofValue);
+      const pub = didKeyToPublicKey(issuerDid);
+      vpSignatureValid = verifyEd25519(sig, message, pub);
+    } catch {
+      vpSignatureValid = false;
+    }
+  }
+  const creds = Array.isArray(presentation.verifiableCredential) ? presentation.verifiableCredential : [];
+  const credentialResults = creds.map((c) => verifyCredential(c, options));
+  const credsValid = credentialResults.every((r) => r.valid);
+  const valid = vpSignatureValid && credsValid;
+  const result = {
+    valid,
+    vpSignatureValid,
+    credentialCount: creds.length,
+    credentialResults
+  };
+  if (holder !== void 0) result.holder = holder;
+  if (!valid) {
+    result.reason = !vpSignatureValid ? "Invalid presentation signature" : "One or more embedded credentials failed verification";
+  }
+  return result;
+}
+
+// src/verify/delegation.ts
+function decodeJwt(token) {
+  const parts = token.split(".");
+  if (parts.length !== 3) {
+    throw new Error("Malformed JWT (expected 3 dot-separated segments)");
+  }
+  const [h, p, s] = parts;
+  const payloadJson = new TextDecoder().decode(base64urlDecode(p));
+  const claims = JSON.parse(payloadJson);
+  if (!Array.isArray(claims.att)) claims.att = [];
+  if (!Array.isArray(claims.prf)) claims.prf = [];
+  const signingInput = new TextEncoder().encode(`${h}.${p}`);
+  const signature = base64urlDecode(s);
+  return { claims, signingInput, signature };
+}
+function isSubset(child, parent) {
+  const parentSet = new Set(parent);
+  return child.every((c) => parentSet.has(c));
+}
+function verifyDelegationChain(token, options = {}) {
+  const now = options.now ?? Math.floor(Date.now() / 1e3);
+  const tol = options.clockToleranceSeconds ?? 0;
+  const links = [];
+  if (Array.isArray(token)) {
+    if (token.length === 0) {
+      return {
+        valid: false,
+        reason: "Empty delegation chain",
+        links,
+        capabilities: []
+      };
+    }
+    const decoded = [];
+    for (const t of token) {
+      let d;
+      try {
+        d = decodeJwt(t);
+      } catch (e) {
+        return {
+          valid: false,
+          reason: `Malformed token in chain: ${e.message}`,
+          links,
+          capabilities: []
+        };
+      }
+      decoded.push(d);
+    }
+    for (const d of decoded) {
+      const link = verifySingle(d, now, tol);
+      links.push(link);
+      if (!link.signatureValid) {
+        return { valid: false, reason: "Invalid signature in chain", links, capabilities: [] };
+      }
+      if (link.expired) {
+        return { valid: false, reason: "A delegation in the chain has expired", links, capabilities: [] };
+      }
+      if (link.notYetValid) {
+        return { valid: false, reason: "A delegation in the chain is not yet valid (nbf)", links, capabilities: [] };
+      }
+    }
+    for (let i = 0; i < decoded.length - 1; i++) {
+      const child = decoded[i].claims;
+      const parent = decoded[i + 1].claims;
+      if (!isSubset(child.att, parent.att)) {
+        return {
+          valid: false,
+          reason: "Capability escalation: child att is not a subset of parent att",
+          links,
+          capabilities: []
+        };
+      }
+    }
+    return { valid: true, links, capabilities: decoded[0].claims.att };
+  }
+  const seen = /* @__PURE__ */ new Set();
+  const result = verifyRecursive(token, now, tol, seen, links, null);
+  if (!result.ok) {
+    return { valid: false, reason: result.reason, links, capabilities: [] };
+  }
+  return { valid: true, links, capabilities: links[0]?.capabilities ?? [] };
+}
+function verifyRecursive(token, now, tol, seen, links, childAtt) {
+  let decoded;
+  try {
+    decoded = decodeJwt(token);
+  } catch (e) {
+    return { ok: false, reason: `Malformed token: ${e.message}` };
+  }
+  const link = verifySingle(decoded, now, tol);
+  links.push(link);
+  if (link.jti) {
+    if (seen.has(link.jti)) {
+      return { ok: false, reason: "Cycle detected in delegation proof chain" };
+    }
+    seen.add(link.jti);
+  }
+  if (!link.signatureValid) {
+    return { ok: false, reason: "Invalid token signature" };
+  }
+  if (link.expired) {
+    return { ok: false, reason: "Token has expired" };
+  }
+  if (link.notYetValid) {
+    return { ok: false, reason: "Token is not yet valid (nbf)" };
+  }
+  const att = decoded.claims.att;
+  if (childAtt !== null && !isSubset(childAtt, att)) {
+    return {
+      ok: false,
+      reason: "Capability escalation: child att is not a subset of parent att"
+    };
+  }
+  for (const parentToken of decoded.claims.prf) {
+    if (typeof parentToken !== "string" || !parentToken) {
+      return { ok: false, reason: "Malformed parent token in proof chain" };
+    }
+    const parentResult = verifyRecursive(
+      parentToken,
+      now,
+      tol,
+      seen,
+      links,
+      att
+    );
+    if (!parentResult.ok) {
+      return {
+        ok: false,
+        reason: `Invalid parent in proof chain: ${parentResult.reason}`
+      };
+    }
+  }
+  return { ok: true, att };
+}
+function verifySingle(decoded, now, tol) {
+  const c = decoded.claims;
+  let signatureValid = false;
+  try {
+    const pub = didKeyToPublicKey(c.iss);
+    signatureValid = verifyEd25519(
+      decoded.signature,
+      decoded.signingInput,
+      pub
+    );
+  } catch {
+    signatureValid = false;
+  }
+  const expired = typeof c.exp === "number" ? c.exp + tol < now : false;
+  const notYetValid = typeof c.nbf === "number" ? c.nbf - tol > now : false;
+  const link = {
+    issuer: c.iss,
+    capabilities: c.att,
+    signatureValid,
+    expired,
+    notYetValid
+  };
+  if (c.jti !== void 0) link.jti = c.jti;
+  if (c.delegator !== void 0) link.delegator = c.delegator;
+  if (c.aud !== void 0) link.audience = c.aud;
+  return link;
+}
+function decodeDelegationUnsafe(token) {
+  return decodeJwt(token).claims;
+}
+export {
+  AttestixAuthError,
+  AttestixClient,
+  AttestixError,
+  AttestixNotFoundError,
+  AttestixRateLimitError,
+  AttestixValidationError,
+  ED25519_MULTICODEC_PREFIX,
+  JcsUnsupportedValueError,
+  base58btcDecode,
+  base58btcEncode,
+  base64urlDecode,
+  canonicalize,
+  canonicalizeToString,
+  decodeDelegationUnsafe,
+  didFromVerificationMethod,
+  didKeyToPublicKey,
+  publicKeyToDidKey,
+  verifyCredential,
+  verifyDelegationChain,
+  verifyEd25519,
+  verifyPresentation
+};
+//# sourceMappingURL=index.js.map