dataspace-client-sdk-node 0.2.1 → 0.2.3

package/artifacts/update-smart-wallet.js

@@ -1,1016 +0,0 @@
-const fs = require('fs');
-
-function replace(file, oldStr, newStr) {
-  const content = fs.readFileSync(file, 'utf8');
-  if (!content.includes(oldStr)) {
-    throw new Error(`Pattern not found in ${file}`);
-  }
-  fs.writeFileSync(file, content.replace(oldStr, newStr));
-}
-
-fs.writeFileSync('src/sdk/dataspace-wallet-sdk-node/types.ts', String.raw`export type WalletContext = {
-  tenantId: string;
-  jurisdiction: string;
-  sector: string;
-  walletId?: string;
-};
-
-export type PublicJwk = JsonWebKey & {
-  kid?: string;
-  alg?: string;
-  use?: string;
-  key_ops?: string[];
-};
-
-export type PrivateKeyRef = {
-  kid: string;
-  kind: 'managed';
-  algorithm: 'ES384' | 'RSA-OAEP-256/RS256';
-};
-
-export type SignOptions = {
-  keyId?: string;
-  algorithm?: 'ES384' | 'RS256';
-};
-
-export type VerifyOptions = {
-  algorithm?: 'ES384' | 'RS256';
-};
-
-export type EncryptOptions = {
-  keyId?: string;
-  algorithm?: 'RSA-OAEP-256';
-};
-
-export type DecryptOptions = {
-  keyId?: string;
-  algorithm?: 'RSA-OAEP-256';
-};
-
-export type WalletProviderKind = 'mem' | 'seed' | 'external';
-
-export type WalletInitOptions = {
-  contexts?: WalletContext[];
-};
-
-export type CompactJwsHeader = {
-  alg: string;
-  typ?: string;
-  kid?: string;
-  [key: string]: unknown;
-};
-`);
-
-fs.writeFileSync('src/sdk/dataspace-wallet-sdk-node/provider.ts', String.raw`import type {
-  CompactJwsHeader,
-  DecryptOptions,
-  EncryptOptions,
-  PublicJwk,
-  SignOptions,
-  VerifyOptions,
-  WalletContext,
-  WalletInitOptions,
-  WalletProviderKind,
-} from './types.js';
-
-export interface WalletProvider {
-  readonly kind: WalletProviderKind;
-  init?(options?: WalletInitOptions): Promise<void> | void;
-  getPublicJwks(context: WalletContext): Promise<PublicJwk[]>;
-  sign(payload: Uint8Array | string, context: WalletContext, options?: SignOptions): Promise<string>;
-  verify(
-    payload: Uint8Array | string,
-    signature: string,
-    jwk: PublicJwk,
-    options?: VerifyOptions,
-  ): Promise<boolean>;
-  signCompactJws(
-    context: WalletContext,
-    params: { header: CompactJwsHeader; claims: Record<string, unknown> },
-  ): Promise<string>;
-  encrypt(
-    plaintext: Uint8Array | string,
-    recipientJwk: PublicJwk,
-    options?: EncryptOptions,
-  ): Promise<string>;
-  decrypt(ciphertext: string, context: WalletContext, options?: DecryptOptions): Promise<Uint8Array>;
-}
-`);
-
-fs.writeFileSync('src/sdk/dataspace-wallet-sdk-node/WalletClient.ts', String.raw`import type { WalletProvider } from './provider.js';
-import type {
-  CompactJwsHeader,
-  DecryptOptions,
-  EncryptOptions,
-  PublicJwk,
-  SignOptions,
-  VerifyOptions,
-  WalletContext,
-} from './types.js';
-
-export class WalletClient {
-  public constructor(
-    private readonly provider: WalletProvider,
-    private readonly context: WalletContext,
-  ) {}
-
-  public getPublicJwks(): Promise<PublicJwk[]> {
-    return this.provider.getPublicJwks(this.context);
-  }
-
-  public sign(payload: Uint8Array | string, options?: SignOptions): Promise<string> {
-    return this.provider.sign(payload, this.context, options);
-  }
-
-  public verify(
-    payload: Uint8Array | string,
-    signature: string,
-    jwk: PublicJwk,
-    options?: VerifyOptions,
-  ): Promise<boolean> {
-    return this.provider.verify(payload, signature, jwk, options);
-  }
-
-  public signCompactJws(params: { header: CompactJwsHeader; claims: Record<string, unknown> }): Promise<string> {
-    return this.provider.signCompactJws(this.context, params);
-  }
-
-  public encrypt(plaintext: Uint8Array | string, recipientJwk: PublicJwk, options?: EncryptOptions): Promise<string> {
-    return this.provider.encrypt(plaintext, recipientJwk, options);
-  }
-
-  public decrypt(ciphertext: string, options?: DecryptOptions): Promise<Uint8Array> {
-    return this.provider.decrypt(ciphertext, this.context, options);
-  }
-}
-`);
-
-fs.writeFileSync('src/sdk/dataspace-wallet-sdk-node/providers/memory-provider.ts', String.raw`import {
-  constants as cryptoConstants,
-  createHash,
-  createPublicKey,
-  generateKeyPairSync,
-  privateDecrypt,
-  publicEncrypt,
-  sign as cryptoSign,
-  verify as cryptoVerify,
-  type KeyObject,
-} from 'node:crypto';
-import type {
-  CompactJwsHeader,
-  DecryptOptions,
-  EncryptOptions,
-  PrivateKeyRef,
-  PublicJwk,
-  SignOptions,
-  VerifyOptions,
-  WalletContext,
-  WalletInitOptions,
-  WalletProviderKind,
-} from '../types.js';
-import type { WalletProvider } from '../provider.js';
-
-type StoredKeyPair = {
-  signingPublicJwk: PublicJwk;
-  signingPublicKey: KeyObject;
-  signingPrivateKey: KeyObject;
-  signingPrivateKeyRef: PrivateKeyRef;
-  encryptionPublicJwk: PublicJwk;
-  encryptionPublicKey: KeyObject;
-  encryptionPrivateKey: KeyObject;
-  encryptionPrivateKeyRef: PrivateKeyRef;
-};
-
-function contextKey(context: WalletContext): string {
-  return [context.tenantId, context.jurisdiction, context.sector, context.walletId ?? 'default'].join(':');
-}
-
-function normalizeBytes(input: Uint8Array | string): Uint8Array {
-  return typeof input === 'string' ? Buffer.from(input, 'utf8') : input;
-}
-
-function toBase64Url(buffer: Uint8Array): string {
-  return Buffer.from(buffer).toString('base64url');
-}
-
-function fromBase64Url(value: string): Buffer {
-  return Buffer.from(value, 'base64url');
-}
-
-function encodeJsonBase64Url(value: Record<string, unknown>): string {
-  return toBase64Url(Buffer.from(JSON.stringify(value), 'utf8'));
-}
-
-function buildKid(context: WalletContext, jwk: PublicJwk): string {
-  const thumbprint = createHash('sha256')
-    .update(JSON.stringify({
-      crv: jwk.crv,
-      e: jwk.e,
-      kty: jwk.kty,
-      n: jwk.n,
-      x: jwk.x,
-      y: jwk.y,
-    }))
-    .digest('base64url')
-    .slice(0, 16);
-
-  return `wallet:${context.tenantId}:${context.jurisdiction}:${context.sector}:${thumbprint}`;
-}
-
-function buildPrivateKeyRef(kid: string, algorithm: PrivateKeyRef['algorithm']): PrivateKeyRef {
-  return {
-    kid,
-    kind: 'managed',
-    algorithm,
-  };
-}
-
-function buildSigningKeyPair(context: WalletContext): {
-  publicJwk: PublicJwk;
-  publicKey: KeyObject;
-  privateKey: KeyObject;
-  privateKeyRef: PrivateKeyRef;
-} {
-  const generated = generateKeyPairSync('ec', {
-    namedCurve: 'secp384r1',
-  });
-  const publicJwk = generated.publicKey.export({ format: 'jwk' }) as PublicJwk;
-  const kid = buildKid(context, publicJwk);
-  const normalizedPublicJwk: PublicJwk = {
-    ...publicJwk,
-    kid,
-    alg: 'ES384',
-    use: 'sig',
-    key_ops: ['verify'],
-  };
-
-  return {
-    publicJwk: normalizedPublicJwk,
-    publicKey: createPublicKey({ key: normalizedPublicJwk, format: 'jwk' }),
-    privateKey: generated.privateKey,
-    privateKeyRef: buildPrivateKeyRef(kid, 'ES384'),
-  };
-}
-
-function buildEncryptionKeyPair(context: WalletContext): {
-  publicJwk: PublicJwk;
-  publicKey: KeyObject;
-  privateKey: KeyObject;
-  privateKeyRef: PrivateKeyRef;
-} {
-  const generated = generateKeyPairSync('rsa', {
-    modulusLength: 2048,
-    publicExponent: 0x10001,
-  });
-  const publicJwk = generated.publicKey.export({ format: 'jwk' }) as PublicJwk;
-  const kid = buildKid(context, publicJwk);
-  const normalizedPublicJwk: PublicJwk = {
-    ...publicJwk,
-    kid,
-    alg: 'RSA-OAEP-256',
-    use: 'enc',
-    key_ops: ['encrypt'],
-  };
-
-  return {
-    publicJwk: normalizedPublicJwk,
-    publicKey: createPublicKey({ key: normalizedPublicJwk, format: 'jwk' }),
-    privateKey: generated.privateKey,
-    privateKeyRef: buildPrivateKeyRef(kid, 'RSA-OAEP-256/RS256'),
-  };
-}
-
-export class MemoryWalletProvider implements WalletProvider {
-  public readonly kind: WalletProviderKind = 'mem';
-  private readonly keysByContext = new Map<string, StoredKeyPair>();
-
-  public init(options?: WalletInitOptions): void {
-    for (const context of options?.contexts ?? []) {
-      this.ensureKeyPair(context);
-    }
-  }
-
-  public async getPublicJwks(context: WalletContext): Promise<PublicJwk[]> {
-    const pair = this.ensureKeyPair(context);
-    return [pair.signingPublicJwk, pair.encryptionPublicJwk];
-  }
-
-  public async sign(payload: Uint8Array | string, context: WalletContext, options?: SignOptions): Promise<string> {
-    const pair = this.selectSigningKeyPair(context, options?.keyId);
-    const signature = cryptoSign('sha384', normalizeBytes(payload), pair.signingPrivateKey);
-    return toBase64Url(signature);
-  }
-
-  public async verify(
-    payload: Uint8Array | string,
-    signature: string,
-    jwk: PublicJwk,
-    _options?: VerifyOptions,
-  ): Promise<boolean> {
-    const publicKey = createPublicKey({ key: jwk, format: 'jwk' });
-    return cryptoVerify('sha384', normalizeBytes(payload), publicKey, fromBase64Url(signature));
-  }
-
-  public async signCompactJws(
-    context: WalletContext,
-    params: { header: CompactJwsHeader; claims: Record<string, unknown> },
-  ): Promise<string> {
-    const pair = this.selectSigningKeyPair(context, params.header.kid);
-    const header: CompactJwsHeader = {
-      ...params.header,
-      alg: params.header.alg || 'ES384',
-      kid: params.header.kid || pair.signingPublicJwk.kid,
-    };
-    const signingInput = `${encodeJsonBase64Url(header as Record<string, unknown>)}.${encodeJsonBase64Url(params.claims)}`;
-    const signature = cryptoSign('sha384', Buffer.from(signingInput, 'ascii'), pair.signingPrivateKey);
-    return `${signingInput}.${toBase64Url(signature)}`;
-  }
-
-  public async encrypt(
-    plaintext: Uint8Array | string,
-    recipientJwk: PublicJwk,
-    _options?: EncryptOptions,
-  ): Promise<string> {
-    const recipientKey = createPublicKey({ key: recipientJwk, format: 'jwk' });
-    const ciphertext = publicEncrypt(
-      {
-        key: recipientKey,
-        oaepHash: 'sha256',
-        padding: cryptoConstants.RSA_PKCS1_OAEP_PADDING,
-      },
-      normalizeBytes(plaintext),
-    );
-    return toBase64Url(ciphertext);
-  }
-
-  public async decrypt(ciphertext: string, context: WalletContext, options?: DecryptOptions): Promise<Uint8Array> {
-    const pair = this.selectEncryptionKeyPair(context, options?.keyId);
-    return privateDecrypt(
-      {
-        key: pair.encryptionPrivateKey,
-        oaepHash: 'sha256',
-        padding: cryptoConstants.RSA_PKCS1_OAEP_PADDING,
-      },
-      fromBase64Url(ciphertext),
-    );
-  }
-
-  protected ensureKeyPair(context: WalletContext): StoredKeyPair {
-    const key = contextKey(context);
-    const existing = this.keysByContext.get(key);
-    if (existing) {
-      return existing;
-    }
-
-    const signingKeyPair = buildSigningKeyPair(context);
-    const encryptionKeyPair = buildEncryptionKeyPair(context);
-
-    const pair: StoredKeyPair = {
-      signingPublicJwk: signingKeyPair.publicJwk,
-      signingPublicKey: signingKeyPair.publicKey,
-      signingPrivateKey: signingKeyPair.privateKey,
-      signingPrivateKeyRef: signingKeyPair.privateKeyRef,
-      encryptionPublicJwk: encryptionKeyPair.publicJwk,
-      encryptionPublicKey: encryptionKeyPair.publicKey,
-      encryptionPrivateKey: encryptionKeyPair.privateKey,
-      encryptionPrivateKeyRef: encryptionKeyPair.privateKeyRef,
-    };
-
-    this.keysByContext.set(key, pair);
-    return pair;
-  }
-
-  protected selectSigningKeyPair(context: WalletContext, keyId?: string): StoredKeyPair {
-    const pair = this.ensureKeyPair(context);
-    if (keyId && pair.signingPrivateKeyRef.kid !== keyId) {
-      throw new Error(`Wallet key not found for kid: ${keyId}`);
-    }
-    return pair;
-  }
-
-  protected selectEncryptionKeyPair(context: WalletContext, keyId?: string): StoredKeyPair {
-    const pair = this.ensureKeyPair(context);
-    if (keyId && pair.encryptionPrivateKeyRef.kid !== keyId) {
-      throw new Error(`Wallet key not found for kid: ${keyId}`);
-    }
-    return pair;
-  }
-}
-`);
-
-replace(
-  'src/types.ts',
-  `export type BackendPkceAuthResult = {
-  /** \`fetched\`: new token obtained. \`cached\`: valid token already in cache. \`failed\`: flow error. */
-  status: 'fetched' | 'cached' | 'failed';
-  endpointId: string;
-  accessToken: string;
-  tokenType: string;
-  scopes: string[];
-  /** Present on failure: name of the step that failed (\`_dcr\`, \`_code\`, \`_token\`, \`_exchange\`). */
-  step?: string;
-};
-`,
-  `export type BackendPkceAuthResult = {
-  /** \`fetched\`: new token obtained. \`cached\`: valid token already in cache. \`failed\`: flow error. */
-  status: 'fetched' | 'cached' | 'failed';
-  endpointId: string;
-  accessToken: string;
-  tokenType: string;
-  scopes: string[];
-  /** Present on failure: name of the step that failed (\`_dcr\`, \`_code\`, \`_token\`, \`_exchange\`). */
-  step?: string;
-};
-
-export type BackendSmartAuthOptions = {
-  clientId: string;
-  scopes: string[];
-  endpointId?: string;
-  tokenUrl?: string;
-  tokenPath?: string;
-  audience?: string;
-  assertionTtlSeconds?: number;
-  additionalTokenFields?: Record<string, string>;
-  publicJwk?: PublicJwk | Record<string, unknown>;
-  walletContext?: WalletContext;
-};
-
-export type BackendSmartAuthResult = {
-  status: 'fetched' | 'cached' | 'failed';
-  profile: 'smart-backend.v1';
-  endpointId: string;
-  accessToken?: string;
-  tokenType?: string;
-  scopes?: string[];
-  expiresAt?: string;
-  statusCode?: number;
-  response?: unknown;
-};
-`
-);
-
-replace(
-  'src/client.ts',
-  `  BackendPkceAuthOptions,
-  BackendPkceAuthResult,
-  ClientOptions,
-`,
-  `  BackendPkceAuthOptions,
-  BackendPkceAuthResult,
-  BackendSmartAuthOptions,
-  BackendSmartAuthResult,
-  ClientOptions,
-`
-);
-
-replace(
-  'src/client.ts',
-  `  public getCachedBearerToken(endpointId: string): string | undefined {
-    const cached = this._tokenCache.get(endpointId);
-    if (cached && cached.expiresAt > Date.now() + 30_000) {
-      return cached.accessToken;
-    }
-    return undefined;
-  }
-
-  // ---- Private auth helpers ----------------------------------------------
-`,
-  `  public getCachedBearerToken(endpointId: string): string | undefined {
-    const cached = this._tokenCache.get(endpointId);
-    if (cached && cached.expiresAt > Date.now() + 30_000) {
-      return cached.accessToken;
-    }
-    return undefined;
-  }
-
-  /**
-   * smart-backend.v1: obtain an OAuth2 backend token using client_credentials + private_key_jwt.
-   */
-  public async authenticateBackendSmartStandard(
-    options: BackendSmartAuthOptions,
-  ): Promise<BackendSmartAuthResult> {
-    const {
-      clientId,
-      scopes,
-      endpointId = `smart-backend:${clientId}`,
-      tokenUrl,
-      tokenPath = '/token',
-      audience,
-      assertionTtlSeconds = 300,
-      additionalTokenFields,
-    } = options;
-
-    const cached = this._tokenCache.get(endpointId);
-    if (cached && cached.expiresAt > Date.now() + 30_000) {
-      return {
-        status: 'cached',
-        profile: 'smart-backend.v1',
-        endpointId,
-        accessToken: cached.accessToken,
-        tokenType: cached.tokenType,
-        scopes: cached.scopes,
-        expiresAt: new Date(cached.expiresAt).toISOString(),
-      };
-    }
-
-    const resolvedTokenUrl = this.resolveStandardTokenUrl(tokenUrl, tokenPath);
-    const publicJwk = await this.resolveSmartAuthPublicJwk(options);
-    const clientAssertion = await this.signSmartBackendClientAssertion({
-      clientId,
-      audience: audience ?? resolvedTokenUrl,
-      publicJwk,
-      ttlSeconds: assertionTtlSeconds,
-      walletContext: options.walletContext,
-    });
-
-    const tokenRequest: Record<string, string> = {
-      grant_type: 'client_credentials',
-      client_id: clientId,
-      scope: scopes.join(' '),
-      client_assertion_type: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
-      client_assertion: clientAssertion,
-      ...(additionalTokenFields ?? {}),
-    };
-    const response = await this.postJson(tokenUrl ?? tokenPath, tokenRequest);
-    const body = (response.body as Record<string, unknown>) ?? {};
-    const accessToken = String(body.access_token ?? '').trim();
-
-    if (response.status >= 400 || !accessToken) {
-      return {
-        status: 'failed',
-        profile: 'smart-backend.v1',
-        endpointId,
-        statusCode: response.status,
-        response,
-      };
-    }
-
-    const tokenType = String(body.token_type ?? 'Bearer');
-    const grantedScope = String(body.scope ?? '').trim();
-    const grantedScopes = grantedScope ? grantedScope.split(' ').filter(Boolean) : scopes;
-    const expiresIn = Number(body.expires_in ?? 0);
-    const expiresAt = Date.now() + expiresIn * 1000;
-
-    this._tokenCache.set(endpointId, {
-      accessToken,
-      tokenType,
-      scopes: grantedScopes,
-      expiresAt,
-    });
-
-    return {
-      status: 'fetched',
-      profile: 'smart-backend.v1',
-      endpointId,
-      statusCode: response.status,
-      accessToken,
-      tokenType,
-      scopes: grantedScopes,
-      expiresAt: new Date(expiresAt).toISOString(),
-      response,
-    };
-  }
-
-  // ---- Private auth helpers ----------------------------------------------
-`
-);
-
-replace(
-  'src/client.ts',
-  `  private async resolveControllerPublicJwk(
-    options: BackendPkceAuthOptions,
-  ): Promise<PublicJwk | Record<string, unknown>> {
-    if (options.controllerPublicJwk) {
-      return options.controllerPublicJwk;
-    }
-
-    if (!this.wallet) {
-      throw new Error('authenticateBackendPkceAndExchange requires controllerPublicJwk or a configured wallet provider.');
-    }
-
-    const walletContext: WalletContext = options.walletContext ?? {
-      tenantId: options.ctx.tenantId,
-      jurisdiction: options.ctx.jurisdiction,
-      sector: options.ctx.sector,
-    };
-    const publicJwks = await this.wallet.getPublicJwks(walletContext);
-    const controllerPublicJwk = publicJwks[0];
-
-    if (!controllerPublicJwk) {
-      throw new Error('Wallet provider returned no public JWKs for the requested context.');
-    }
-
-    return controllerPublicJwk;
-  }
-
-  // ---- Generic batch API --------------------------------------------------
-`,
-  `  private async resolveControllerPublicJwk(
-    options: BackendPkceAuthOptions,
-  ): Promise<PublicJwk | Record<string, unknown>> {
-    if (options.controllerPublicJwk) {
-      return options.controllerPublicJwk;
-    }
-
-    if (!this.wallet) {
-      throw new Error('authenticateBackendPkceAndExchange requires controllerPublicJwk or a configured wallet provider.');
-    }
-
-    const walletContext: WalletContext = options.walletContext ?? {
-      tenantId: options.ctx.tenantId,
-      jurisdiction: options.ctx.jurisdiction,
-      sector: options.ctx.sector,
-    };
-    const publicJwks = await this.wallet.getPublicJwks(walletContext);
-    const controllerPublicJwk = publicJwks.find((jwk) => jwk.use === 'sig' || jwk.alg === 'ES384') ?? publicJwks[0];
-
-    if (!controllerPublicJwk) {
-      throw new Error('Wallet provider returned no public JWKs for the requested context.');
-    }
-
-    return controllerPublicJwk;
-  }
-
-  private resolveStandardTokenUrl(tokenUrl: string | undefined, tokenPath: string): string {
-    if (tokenUrl && tokenUrl.trim()) {
-      return tokenUrl.trim();
-    }
-    return `${this.baseUrl}${tokenPath.startsWith('/') ? tokenPath : `/${tokenPath}`}`;
-  }
-
-  private async resolveSmartAuthPublicJwk(
-    options: BackendSmartAuthOptions,
-  ): Promise<PublicJwk | Record<string, unknown>> {
-    if (options.publicJwk) {
-      return options.publicJwk;
-    }
-
-    if (!this.wallet) {
-      throw new Error('authenticateBackendSmartStandard requires publicJwk or a configured wallet provider.');
-    }
-
-    const walletContext: WalletContext = options.walletContext ?? {
-      tenantId: options.clientId,
-      jurisdiction: 'global',
-      sector: 'backend',
-    };
-    const publicJwks = await this.wallet.getPublicJwks(walletContext);
-    const signingJwk = publicJwks.find((jwk) => jwk.use === 'sig' || jwk.alg === 'ES384') ?? publicJwks[0];
-
-    if (!signingJwk) {
-      throw new Error('Wallet provider returned no public JWKs for smart-backend.v1.');
-    }
-
-    return signingJwk;
-  }
-
-  private async signSmartBackendClientAssertion(params: {
-    clientId: string;
-    audience: string;
-    publicJwk: PublicJwk | Record<string, unknown>;
-    ttlSeconds: number;
-    walletContext?: WalletContext;
-  }): Promise<string> {
-    if (!this.wallet) {
-      throw new Error('smart-backend.v1 signing requires a configured wallet provider.');
-    }
-
-    const now = Math.floor(Date.now() / 1000);
-    const walletContext: WalletContext = params.walletContext ?? {
-      tenantId: params.clientId,
-      jurisdiction: 'global',
-      sector: 'backend',
-    };
-    const kid = String((params.publicJwk as { kid?: string }).kid ?? '').trim();
-
-    return this.wallet.signCompactJws(walletContext, {
-      header: {
-        typ: 'JWT',
-        alg: this.preferredJwtAlg(params.publicJwk),
-        ...(kid ? { kid } : {}),
-      },
-      claims: {
-        iss: params.clientId,
-        sub: params.clientId,
-        aud: params.audience,
-        iat: now,
-        exp: now + Math.max(params.ttlSeconds, 1),
-        jti: `jwt-${randomUUID()}`,
-      },
-    });
-  }
-
-  private preferredJwtAlg(publicJwk: PublicJwk | Record<string, unknown>): string {
-    const jwk = publicJwk as Record<string, unknown>;
-    const alg = String(jwk.alg ?? '').trim();
-    if (alg) {
-      return alg;
-    }
-    const kty = String(jwk.kty ?? '').toUpperCase();
-    const crv = String(jwk.crv ?? '').toUpperCase();
-    if (kty === 'EC' && crv === 'P-256') {
-      return 'ES256';
-    }
-    if (kty === 'EC' && crv === 'P-384') {
-      return 'ES384';
-    }
-    if (kty === 'RSA') {
-      return 'RS384';
-    }
-    return 'ES384';
-  }
-
-  // ---- Generic batch API --------------------------------------------------
-`
-);
-
-replace(
-  'src/client.ts',
-  "    const url = `${this.baseUrl}${path.startsWith('/') ? path : `/${path}`}`;\n\n    const headers: Record<string, string> = {\n",
-  "    const url = /^https?:\\/\\//.test(path)\n      ? path\n      : `${this.baseUrl}${path.startsWith('/') ? path : `/${path}`}`;\n\n    const headers: Record<string, string> = {\n"
-);
-
-replace(
-  'src/client.ts',
-  "    const url = `${this.baseUrl}${path.startsWith('/') ? path : `/${path}`}`;\n\n    const headers: Record<string, string> = {\n      ...this.defaultHeaders,\n      'Content-Type': contentType,\n",
-  "    const url = /^https?:\\/\\//.test(path)\n      ? path\n      : `${this.baseUrl}${path.startsWith('/') ? path : `/${path}`}`;\n\n    const headers: Record<string, string> = {\n      ...this.defaultHeaders,\n      'Content-Type': contentType,\n"
-);
-
-fs.writeFileSync('tests/client.test.mjs', String.raw`import test from 'node:test';
-import assert from 'node:assert/strict';
-import {
-  DataspaceNodeClient,
-  MemoryWalletProvider,
-  MultiWalletClient,
-  createDidcommPlainMessage,
-} from '../dist/index.js';
-
-function jsonResponse(body, status = 200) {
-  return new Response(JSON.stringify(body), {
-    status,
-    headers: { 'content-type': 'application/json' },
-  });
-}
-
-test('builds canonical v1 and host registry paths', () => {
-  const client = new DataspaceNodeClient({ baseUrl: 'http://localhost:3000' });
-  const ctx = { tenantId: 'acme', jurisdiction: 'ES', sector: 'health-care' };
-
-  assert.equal(
-    client.v1Path(ctx, 'individual', 'org.hl7.fhir.api', 'Task', '_batch'),
-    '/acme/cds-ES/v1/health-care/individual/org.hl7.fhir.api/Task/_batch',
-  );
-  assert.equal(
-    client.hostRegistryPath({ jurisdiction: 'ES', sector: 'test-network' }, 'Organization', '_activate'),
-    '/host/cds-ES/v1/test-network/registry/org.schema/Organization/_activate',
-  );
-  assert.equal(
-    client.identityDeviceDcrPath(ctx),
-    '/host/cds-ES/v1/health-care/acme/identity/auth/_dcr',
-  );
-  assert.equal(
-    client.conversionUploadPath(ctx, 'excel-adapter', 'xlsx'),
-    '/acme/cds-ES/v1/health-care/conversion/excel-adapter/xlsx/_upload',
-  );
-});
-
-test('accepts an optional wallet provider without breaking client construction', () => {
-  const wallet = new MemoryWalletProvider();
-  const client = new DataspaceNodeClient({
-    baseUrl: 'http://localhost:3000',
-    wallet,
-  });
-
-  assert.equal(client.getWallet(), wallet);
-});
-
-test('wallet provider supports ES384 sign/verify, compact JWS, and RSA encrypt/decrypt roundtrips', async () => {
-  const provider = new MemoryWalletProvider();
-  const wallets = new MultiWalletClient(provider);
-  const context = { tenantId: 'acme', jurisdiction: 'ES', sector: 'health-care' };
-  const wallet = wallets.forContext(context);
-  const publicJwks = await wallet.getPublicJwks();
-  const signingJwk = publicJwks.find((jwk) => jwk.use === 'sig');
-  const encryptionJwk = publicJwks.find((jwk) => jwk.use === 'enc');
-
-  assert.ok(signingJwk);
-  assert.ok(encryptionJwk);
-
-  const signature = await wallet.sign('hello-wallet');
-  assert.equal(await wallet.verify('hello-wallet', signature, signingJwk), true);
-  assert.equal(await wallet.verify('tampered', signature, signingJwk), false);
-
-  const compactJws = await wallet.signCompactJws({
-    header: { typ: 'JWT', alg: 'ES384' },
-    claims: { sub: 'acme-service', aud: 'https://gw.example.com/token' },
-  });
-  const [encodedHeader, encodedClaims, encodedSignature] = compactJws.split('.');
-  assert.ok(encodedHeader);
-  assert.ok(encodedClaims);
-  assert.ok(encodedSignature);
-  assert.equal(
-    await wallet.verify(`${encodedHeader}.${encodedClaims}`, encodedSignature, signingJwk),
-    true,
-  );
-
-  const ciphertext = await wallet.encrypt('secret-payload', encryptionJwk);
-  const plaintext = await wallet.decrypt(ciphertext);
-  assert.equal(Buffer.from(plaintext).toString('utf8'), 'secret-payload');
-});
-
-test('authenticateBackendPkceAndExchange resolves controller JWK from wallet when omitted', async () => {
-  const provider = new MemoryWalletProvider();
-  const client = new DataspaceNodeClient({
-    baseUrl: 'http://localhost:3000',
-    wallet: provider,
-  });
-  const ctx = { tenantId: 'acme', jurisdiction: 'ES', sector: 'health-care' };
-  const [walletJwk] = await provider.getPublicJwks(ctx);
-  const calls = [];
-  const originalFetch = globalThis.fetch;
-
-  globalThis.fetch = async (url, options) => {
-    calls.push({ url: String(url), options });
-
-    switch (calls.length) {
-      case 1:
-        return jsonResponse({ accepted: true }, 202);
-      case 2:
-        return jsonResponse({ status: 'COMPLETED' }, 200);
-      case 3:
-        return jsonResponse({ accepted: true }, 202);
-      case 4:
-        return jsonResponse({ code: 'pkce-code-001' }, 200);
-      case 5:
-        return jsonResponse({ accepted: true }, 202);
-      case 6:
-        return jsonResponse({ id_token: 'id-token-001' }, 200);
-      case 7:
-        return jsonResponse({ accepted: true }, 202);
-      default:
-        return jsonResponse({
-          access_token: 'access-token-001',
-          token_type: 'Bearer',
-          scope: 'onboarding family-registration',
-          expires_in: 3600,
-        }, 200);
-    }
-  };
-
-  try {
-    const auth = await client.authenticateBackendPkceAndExchange({
-      ctx,
-      apiKey: 'api-key-001',
-      scopes: ['onboarding', 'family-registration'],
-      endpointId: 'wallet-backed-auth',
-      codeVerifier: 'verifier-001',
-      pollOptions: { timeoutMs: 5000, intervalMs: 1 },
-    });
-
-    assert.equal(auth.status, 'fetched');
-    assert.equal(auth.accessToken, 'access-token-001');
-    assert.equal(calls[0].url, 'http://localhost:3000/host/cds-ES/v1/health-care/acme/identity/auth/_dcr');
-
-    const dcrPayload = JSON.parse(calls[0].options.body);
-    assert.deepEqual(dcrPayload.meta.jws.protected.jwk, walletJwk);
-  } finally {
-    globalThis.fetch = originalFetch;
-  }
-});
-
-test('authenticateBackendSmartStandard signs a private_key_jwt assertion with wallet ES384 key', async () => {
-  const provider = new MemoryWalletProvider();
-  const walletContext = { tenantId: 'service-a', jurisdiction: 'ES', sector: 'health-care' };
-  const [walletJwk] = await provider.getPublicJwks(walletContext);
-  const client = new DataspaceNodeClient({
-    baseUrl: 'http://localhost:3000',
-    wallet: provider,
-  });
-  const calls = [];
-  const originalFetch = globalThis.fetch;
-
-  globalThis.fetch = async (url, options) => {
-    calls.push({ url: String(url), options });
-    return jsonResponse({
-      access_token: 'smart-token-001',
-      token_type: 'Bearer',
-      scope: 'system/*.read system/*.write',
-      expires_in: 3600,
-    }, 200);
-  };
-
-  try {
-    const result = await client.authenticateBackendSmartStandard({
-      clientId: 'service-a',
-      scopes: ['system/*.read', 'system/*.write'],
-      walletContext,
-    });
-
-    assert.equal(result.status, 'fetched');
-    assert.equal(result.profile, 'smart-backend.v1');
-    assert.equal(calls.length, 1);
-    assert.equal(calls[0].url, 'http://localhost:3000/token');
-
-    const tokenRequest = JSON.parse(calls[0].options.body);
-    assert.equal(tokenRequest.client_id, 'service-a');
-    assert.equal(tokenRequest.grant_type, 'client_credentials');
-    assert.ok(typeof tokenRequest.client_assertion === 'string');
-
-    const [encodedHeader, encodedClaims, encodedSignature] = tokenRequest.client_assertion.split('.');
-    const header = JSON.parse(Buffer.from(encodedHeader, 'base64url').toString('utf8'));
-    const claims = JSON.parse(Buffer.from(encodedClaims, 'base64url').toString('utf8'));
-    assert.equal(header.alg, 'ES384');
-    assert.equal(header.kid, walletJwk.kid);
-    assert.equal(claims.iss, 'service-a');
-    assert.equal(claims.sub, 'service-a');
-    assert.equal(claims.aud, 'http://localhost:3000/token');
-    assert.equal(await provider.verify(`${encodedHeader}.${encodedClaims}`, encodedSignature, walletJwk), true);
-  } finally {
-    globalThis.fetch = originalFetch;
-  }
-});
-
-test('submitAndPoll uses DIDComm plain submit and async poll until non-202', async () => {
-  const calls = [];
-  const originalFetch = globalThis.fetch;
-
-  globalThis.fetch = async (url, options) => {
-    calls.push({ url: String(url), options });
-    if (calls.length === 1) {
-      return jsonResponse({ accepted: true }, 202);
-    }
-    if (calls.length === 2) {
-      return jsonResponse({ thid: 'thid-001', status: 'PENDING' }, 202);
-    }
-    return jsonResponse({ thid: 'thid-001', status: 'COMPLETED', body: { ok: true } }, 200);
-  };
-
-  try {
-    const client = new DataspaceNodeClient({ baseUrl: 'http://localhost:3000', bearerToken: 'demo-token' });
-    const payload = createDidcommPlainMessage({
-      iss: 'issuer',
-      aud: 'audience',
-      thid: 'thid-001',
-      body: { data: [] },
-    });
-
-    const result = await client.submitAndPoll(
-      '/host/cds-ES/v1/test-network/registry/org.schema/Organization/_batch',
-      '/host/cds-ES/v1/test-network/registry/org.schema/Organization/_batch-response',
-      payload,
-      { timeoutMs: 5000, intervalMs: 1 },
-    );
-
-    assert.equal(result.submit.status, 202);
-    assert.equal(result.poll.status, 200);
-    assert.equal(result.poll.attempts, 2);
-
-    assert.equal(calls[0].options.method, 'POST');
-    assert.equal(calls[0].options.headers['Content-Type'], 'application/didcomm-plaintext+json');
-    assert.equal(calls[0].options.headers.Authorization, 'Bearer demo-token');
-
-    assert.equal(calls[1].options.headers['Content-Type'], 'application/json');
-    assert.equal(calls[2].options.headers['Content-Type'], 'application/json');
-  } finally {
-    globalThis.fetch = originalFetch;
-  }
-});
-
-test('uploadConversionFile sends multipart with file and fields', async () => {
-  const calls = [];
-  const originalFetch = globalThis.fetch;
-
-  globalThis.fetch = async (url, options) => {
-    calls.push({ url: String(url), options });
-    return jsonResponse({ thid: 'upload-thid-001', status: 'queued' }, 202);
-  };
-
-  try {
-    const client = new DataspaceNodeClient({ baseUrl: 'http://localhost:3000' });
-    const submit = await client.uploadConversionFile({
-      path: '/acme/cds-ES/v1/animal-care/conversion/excel-adapter/xlsx/_upload',
-      fileName: 'input.xlsx',
-      fileContent: new Uint8Array([0x01, 0x02, 0x03]),
-      fields: { mode: 'didcomm-plain' },
-    });
-
-    assert.equal(submit.status, 202);
-    assert.equal(calls.length, 1);
-    assert.equal(calls[0].options.method, 'POST');
-
-    const body = calls[0].options.body;
-    assert.ok(body instanceof FormData);
-
-    const modeValues = body.getAll('mode');
-    assert.equal(modeValues.length, 1);
-    assert.equal(modeValues[0], 'didcomm-plain');
-
-    const filePart = body.get('file');
-    assert.ok(filePart instanceof Blob);
-  } finally {
-    globalThis.fetch = originalFetch;
-  }
-});
-`);
-
-console.log('updated');