dcql 0.3.0-alpha-20250501093131 → 0.3.0-alpha-20250527162348

package/dist/index.js

@@ -36,6 +36,7 @@ __export(index_exports, {
   DcqlCredentialPresentation: () => DcqlCredentialPresentation,
   DcqlCredentialQuery: () => DcqlCredentialQuery,
   DcqlCredentialSetError: () => DcqlCredentialSetError,
+  DcqlCredentialTrustedAuthority: () => DcqlCredentialTrustedAuthority,
   DcqlError: () => DcqlError,
   DcqlInvalidClaimsQueryIdError: () => DcqlInvalidClaimsQueryIdError,
   DcqlInvalidPresentationRecordError: () => DcqlInvalidPresentationRecordError,
@@ -51,6 +52,7 @@ __export(index_exports, {
   DcqlQueryResult: () => DcqlQueryResult,
   DcqlSdJwtVcCredential: () => DcqlSdJwtVcCredential,
   DcqlSdJwtVcPresentation: () => DcqlSdJwtVcPresentation,
+  DcqlTrustedAuthoritiesQuery: () => DcqlTrustedAuthoritiesQuery,
   DcqlUndefinedClaimSetIdError: () => DcqlUndefinedClaimSetIdError,
   DcqlW3cVcCredential: () => DcqlW3cVcCredential,
   DcqlW3cVcPresentation: () => DcqlW3cVcPresentation,
@@ -164,10 +166,13 @@ var DcqlPresentationResultError = class extends DcqlError {
 };
 
 // src/dcql-presentation/m-dcql-credential-presentation.ts
-var v4 = __toESM(require("valibot"));
+var v5 = __toESM(require("valibot"));
 
 // src/u-dcql-credential.ts
-var v3 = __toESM(require("valibot"));
+var v4 = __toESM(require("valibot"));
+
+// src/dcql-query/m-dcql-trusted-authorities.ts
+var v2 = __toESM(require("valibot"));
 
 // src/u-dcql.ts
 var v = __toESM(require("valibot"));
@@ -185,6 +190,7 @@ var vIncludesAll = (subset) => {
   );
 };
 var vIdString = v.pipe(v.string(), v.regex(idRegex), v.nonEmpty());
+var vBase64url = v.regex(/^(?:[\w-]{4})*(?:[\w-]{2}(?:==)?|[\w-]{3}=?)?$/iu, "must be base64url");
 function isToJsonable(value) {
   if (value === null || typeof value !== "object") return false;
   const toJsonFn = value.toJson;
@@ -245,8 +251,75 @@ var vStringToJson = v.rawTransform(({ dataset, addIssue, NEVER }) => {
   }
 });
 
+// src/dcql-query/m-dcql-trusted-authorities.ts
+var vAuthorityKeyIdentifier = v2.object({
+  type: v2.literal("aki"),
+  value: v2.pipe(
+    v2.string(),
+    vBase64url,
+    v2.description(
+      "Contains the KeyIdentifier of the AuthorityKeyIdentifier as defined in Section 4.2.1.1 of [RFC5280], encoded as base64url. The raw byte representation of this element MUST match with the AuthorityKeyIdentifier element of an X.509 certificate in the certificate chain present in the credential (e.g., in the header of an mdoc or SD-JWT). Note that the chain can consist of a single certificate and the credential can include the entire X.509 chain or parts of it."
+    )
+  )
+});
+var vEtsiTrustedList = v2.object({
+  type: v2.literal("etsi_tl"),
+  value: v2.pipe(
+    v2.string(),
+    v2.url(),
+    v2.check(
+      (url2) => url2.startsWith("http://") || url2.startsWith("https://"),
+      "etsi_tl trusted authority value must be a valid https url"
+    ),
+    v2.description(
+      "The identifier of a Trusted List as specified in ETSI TS 119 612 [ETSI.TL]. An ETSI Trusted List contains references to other Trusted Lists, creating a list of trusted lists, or entries for Trust Service Providers with corresponding service description and X.509 Certificates. The trust chain of a matching Credential MUST contain at least one X.509 Certificate that matches one of the entries of the Trusted List or its cascading Trusted Lists."
+    )
+  )
+});
+var vOpenidFederation = v2.object({
+  type: v2.literal("openid_federation"),
+  value: v2.pipe(
+    v2.string(),
+    v2.url(),
+    // TODO: should we have a config similar to oid4vc-ts to support http for development?
+    v2.check(
+      (url2) => url2.startsWith("http://") || url2.startsWith("https://"),
+      "openid_federation trusted authority value must be a valid https url"
+    ),
+    v2.description(
+      "The Entity Identifier as defined in Section 1 of [OpenID.Federation] that is bound to an entity in a federation. While this Entity Identifier could be any entity in that ecosystem, this entity would usually have the Entity Configuration of a Trust Anchor. A valid trust path, including the given Entity Identifier, must be constructible from a matching credential."
+    )
+  )
+});
+var vTrustedAuthorities = [vAuthorityKeyIdentifier, vEtsiTrustedList, vOpenidFederation];
+var DcqlTrustedAuthoritiesQuery;
+((DcqlTrustedAuthoritiesQuery2) => {
+  const vTrustedAuthoritiesQuery = vTrustedAuthorities.map(
+    (authority) => v2.object({
+      type: v2.pipe(
+        authority.entries.type,
+        v2.description(
+          "REQUIRED. A string uniquely identifying the type of information about the issuer trust framework."
+        )
+      ),
+      values: v2.pipe(
+        v2.array(authority.entries.value),
+        vNonEmptyArray(),
+        v2.description(
+          "REQUIRED. An array of strings, where each string (value) contains information specific to the used Trusted Authorities Query type that allows to identify an issuer, trust framework, or a federation that an issuer belongs to."
+        )
+      )
+    })
+  );
+  DcqlTrustedAuthoritiesQuery2.vModel = v2.variant("type", vTrustedAuthoritiesQuery);
+})(DcqlTrustedAuthoritiesQuery || (DcqlTrustedAuthoritiesQuery = {}));
+var DcqlCredentialTrustedAuthority;
+((DcqlCredentialTrustedAuthority2) => {
+  DcqlCredentialTrustedAuthority2.vModel = v2.variant("type", vTrustedAuthorities);
+})(DcqlCredentialTrustedAuthority || (DcqlCredentialTrustedAuthority = {}));
+
 // src/u-model.ts
-var v2 = __toESM(require("valibot"));
+var v3 = __toESM(require("valibot"));
 var Model = class {
   constructor(input) {
     this.input = input;
@@ -265,28 +338,32 @@ var Model = class {
     });
   }
   safeParse(input) {
-    const res = v2.safeParse(this.input.vModel, input);
+    const res = v3.safeParse(this.input.vModel, input);
     if (res.success) {
       return { success: true, output: res.output };
     }
     return {
       success: false,
-      error: new v2.ValiError(res.issues),
-      flattened: v2.flatten(res.issues)
+      error: new v3.ValiError(res.issues),
+      flattened: v3.flatten(res.issues)
     };
   }
   is(input) {
-    return v2.is(this.v, input);
+    return v3.is(this.v, input);
   }
 };
 
 // src/u-dcql-credential.ts
+var vCredentialModelBase = v4.object({
+  authority: v4.optional(DcqlCredentialTrustedAuthority.vModel)
+});
 var DcqlMdocCredential;
 ((DcqlMdocCredential2) => {
-  DcqlMdocCredential2.vNamespaces = v3.record(v3.string(), v3.record(v3.string(), v3.unknown()));
-  DcqlMdocCredential2.vModel = v3.object({
-    credential_format: v3.literal("mso_mdoc"),
-    doctype: v3.string(),
+  DcqlMdocCredential2.vNamespaces = v4.record(v4.string(), v4.record(v4.string(), v4.unknown()));
+  DcqlMdocCredential2.vModel = v4.object({
+    ...vCredentialModelBase.entries,
+    credential_format: v4.literal("mso_mdoc"),
+    doctype: v4.string(),
     namespaces: DcqlMdocCredential2.vNamespaces
   });
   DcqlMdocCredential2.model = new Model({ vModel: DcqlMdocCredential2.vModel });
@@ -294,9 +371,10 @@ var DcqlMdocCredential;
 var DcqlSdJwtVcCredential;
 ((DcqlSdJwtVcCredential2) => {
   DcqlSdJwtVcCredential2.vClaims = vJsonRecord;
-  DcqlSdJwtVcCredential2.vModel = v3.object({
-    credential_format: v3.picklist(["vc+sd-jwt", "dc+sd-jwt"]),
-    vct: v3.string(),
+  DcqlSdJwtVcCredential2.vModel = v4.object({
+    ...vCredentialModelBase.entries,
+    credential_format: v4.picklist(["vc+sd-jwt", "dc+sd-jwt"]),
+    vct: v4.string(),
     claims: DcqlSdJwtVcCredential2.vClaims
   });
   DcqlSdJwtVcCredential2.model = new Model({ vModel: DcqlSdJwtVcCredential2.vModel });
@@ -304,35 +382,36 @@ var DcqlSdJwtVcCredential;
 var DcqlW3cVcCredential;
 ((DcqlW3cVcCredential2) => {
   DcqlW3cVcCredential2.vClaims = vJsonRecord;
-  DcqlW3cVcCredential2.vModel = v3.object({
-    credential_format: v3.picklist(["ldp_vc", "jwt_vc_json"]),
+  DcqlW3cVcCredential2.vModel = v4.object({
+    ...vCredentialModelBase.entries,
+    credential_format: v4.picklist(["ldp_vc", "jwt_vc_json"]),
     claims: DcqlW3cVcCredential2.vClaims,
-    type: v3.array(v3.string())
+    type: v4.array(v4.string())
   });
   DcqlW3cVcCredential2.model = new Model({ vModel: DcqlW3cVcCredential2.vModel });
 })(DcqlW3cVcCredential || (DcqlW3cVcCredential = {}));
 var DcqlCredential;
 ((DcqlCredential2) => {
-  DcqlCredential2.vModel = v3.variant("credential_format", [
+  DcqlCredential2.vModel = v4.variant("credential_format", [
     DcqlMdocCredential.vModel,
     DcqlSdJwtVcCredential.vModel,
     DcqlW3cVcCredential.vModel
   ]);
-  DcqlCredential2.vParseSuccess = v3.object({
-    success: v3.literal(true),
-    typed: v3.literal(true),
-    issues: v3.optional(v3.undefined()),
-    input_credential_index: v3.number(),
-    claim_set_index: v3.union([v3.number(), v3.undefined()]),
+  DcqlCredential2.vParseSuccess = v4.object({
+    success: v4.literal(true),
+    typed: v4.literal(true),
+    issues: v4.optional(v4.undefined()),
+    input_credential_index: v4.number(),
+    claim_set_index: v4.union([v4.number(), v4.undefined()]),
     output: DcqlCredential2.vModel
   });
-  DcqlCredential2.vParseFailure = v3.object({
-    success: v3.literal(false),
-    typed: v3.boolean(),
-    output: v3.unknown(),
-    issues: v3.pipe(v3.array(v3.unknown()), vNonEmptyArray()),
-    input_credential_index: v3.number(),
-    claim_set_index: v3.union([v3.number(), v3.undefined()])
+  DcqlCredential2.vParseFailure = v4.object({
+    success: v4.literal(false),
+    typed: v4.boolean(),
+    output: v4.unknown(),
+    issues: v4.pipe(v4.array(v4.unknown()), vNonEmptyArray()),
+    input_credential_index: v4.number(),
+    claim_set_index: v4.union([v4.number(), v4.undefined()])
   });
   DcqlCredential2.model = new Model({ vModel: DcqlCredential2.vModel });
 })(DcqlCredential || (DcqlCredential = {}));
@@ -356,7 +435,7 @@ var DcqlW3cVcPresentation;
 var DcqlCredentialPresentation;
 ((DcqlCredentialPresentation2) => {
   DcqlCredentialPresentation2.model = new Model({
-    vModel: v4.variant("credential_format", [
+    vModel: v5.variant("credential_format", [
       DcqlMdocPresentation.vModel,
       DcqlSdJwtVcPresentation.vModel,
       DcqlW3cVcPresentation.vModel
@@ -365,117 +444,126 @@ var DcqlCredentialPresentation;
 })(DcqlCredentialPresentation || (DcqlCredentialPresentation = {}));
 
 // src/dcql-presentation/m-dcql-presentation-result.ts
-var v11 = __toESM(require("valibot"));
+var v12 = __toESM(require("valibot"));
 
 // src/dcql-parser/dcql-credential-query-result.ts
-var v7 = __toESM(require("valibot"));
+var v8 = __toESM(require("valibot"));
 
 // src/dcql-parser/dcql-claims-query-result.ts
-var v6 = __toESM(require("valibot"));
+var v7 = __toESM(require("valibot"));
 
 // src/dcql-query/m-dcql-claims-query.ts
-var v5 = __toESM(require("valibot"));
+var v6 = __toESM(require("valibot"));
 var DcqlClaimsQuery;
 ((DcqlClaimsQuery2) => {
-  DcqlClaimsQuery2.vValue = v5.union([v5.string(), v5.pipe(v5.number(), v5.integer()), v5.boolean()]);
-  DcqlClaimsQuery2.vPath = v5.union([v5.string(), v5.pipe(v5.number(), v5.integer(), v5.minValue(0)), v5.null()]);
-  DcqlClaimsQuery2.vW3cSdJwtVc = v5.object({
-    id: v5.pipe(
-      v5.optional(vIdString),
-      v5.description(
+  DcqlClaimsQuery2.vValue = v6.union([v6.string(), v6.pipe(v6.number(), v6.integer()), v6.boolean()]);
+  DcqlClaimsQuery2.vPath = v6.union([v6.string(), v6.pipe(v6.number(), v6.integer(), v6.minValue(0)), v6.null()]);
+  DcqlClaimsQuery2.vW3cSdJwtVc = v6.object({
+    id: v6.pipe(
+      v6.optional(vIdString),
+      v6.description(
         "A string identifying the particular claim. The value MUST be a non-empty string consisting of alphanumeric, underscore (_) or hyphen (-) characters. Within the particular claims array, the same id MUST NOT be present more than once."
       )
     ),
-    path: v5.pipe(
-      v5.array(DcqlClaimsQuery2.vPath),
+    path: v6.pipe(
+      v6.array(DcqlClaimsQuery2.vPath),
       vNonEmptyArray(),
-      v5.description(
+      v6.description(
         "A non-empty array representing a claims path pointer that specifies the path to a claim within the Verifiable Credential."
       )
     ),
-    values: v5.pipe(
-      v5.optional(v5.array(DcqlClaimsQuery2.vValue)),
-      v5.description(
+    values: v6.pipe(
+      v6.optional(v6.array(DcqlClaimsQuery2.vValue)),
+      v6.description(
         "An array of strings, integers or boolean values that specifies the expected values of the claim. If the values property is present, the Wallet SHOULD return the claim only if the type and value of the claim both match for at least one of the elements in the array."
       )
     )
   });
-  const vMdocBase = v5.object({
-    id: v5.pipe(
-      v5.optional(vIdString),
-      v5.description(
+  const vMdocBase = v6.object({
+    id: v6.pipe(
+      v6.optional(vIdString),
+      v6.description(
         "A string identifying the particular claim. The value MUST be a non-empty string consisting of alphanumeric, underscore (_) or hyphen (-) characters. Within the particular claims array, the same id MUST NOT be present more than once."
       )
     ),
-    values: v5.pipe(
-      v5.optional(v5.array(DcqlClaimsQuery2.vValue)),
-      v5.description(
+    values: v6.pipe(
+      v6.optional(v6.array(DcqlClaimsQuery2.vValue)),
+      v6.description(
         "An array of strings, integers or boolean values that specifies the expected values of the claim. If the values property is present, the Wallet SHOULD return the claim only if the type and value of the claim both match for at least one of the elements in the array."
       )
     )
   });
-  DcqlClaimsQuery2.vMdocNamespace = v5.object({
+  DcqlClaimsQuery2.vMdocNamespace = v6.object({
     ...vMdocBase.entries,
-    namespace: v5.pipe(
-      v5.string(),
-      v5.description(
+    namespace: v6.pipe(
+      v6.string(),
+      v6.description(
         "A string that specifies the namespace of the data element within the mdoc, e.g., org.iso.18013.5.1."
       )
     ),
-    claim_name: v5.pipe(
-      v5.string(),
-      v5.description(
+    claim_name: v6.pipe(
+      v6.string(),
+      v6.description(
         "A string that specifies the data element identifier of the data element within the provided namespace in the mdoc, e.g., first_name."
       )
     )
   });
-  DcqlClaimsQuery2.vMdocPath = v5.object({
+  DcqlClaimsQuery2.vMdocPath = v6.object({
     ...vMdocBase.entries,
-    intent_to_retain: v5.pipe(
-      v5.optional(v5.boolean()),
-      v5.description(
+    intent_to_retain: v6.pipe(
+      v6.optional(v6.boolean()),
+      v6.description(
         "A boolean that is equivalent to `IntentToRetain` variable defined in Section 8.3.2.1.2.1 of [@ISO.18013-5]."
       )
     ),
-    path: v5.pipe(
-      v5.tuple([
-        v5.pipe(
-          v5.string(),
-          v5.description(
+    path: v6.pipe(
+      v6.tuple([
+        v6.pipe(
+          v6.string(),
+          v6.description(
             "A string that specifies the namespace of the data element within the mdoc, e.g., org.iso.18013.5.1."
           )
         ),
-        v5.pipe(
-          v5.string(),
-          v5.description(
+        v6.pipe(
+          v6.string(),
+          v6.description(
             "A string that specifies the data element identifier of the data element within the provided namespace in the mdoc, e.g., first_name."
           )
         )
       ]),
-      v5.description(
+      v6.description(
         "An array defining a claims path pointer into an mdoc. It must contain two elements of type string. The first element refers to a namespace and the second element refers to a data element identifier."
       )
     )
   });
-  DcqlClaimsQuery2.vMdoc = v5.union([DcqlClaimsQuery2.vMdocNamespace, DcqlClaimsQuery2.vMdocPath]);
-  DcqlClaimsQuery2.vModel = v5.union([DcqlClaimsQuery2.vMdoc, DcqlClaimsQuery2.vW3cSdJwtVc]);
+  DcqlClaimsQuery2.vMdoc = v6.union([DcqlClaimsQuery2.vMdocNamespace, DcqlClaimsQuery2.vMdocPath]);
+  DcqlClaimsQuery2.vModel = v6.union([DcqlClaimsQuery2.vMdoc, DcqlClaimsQuery2.vW3cSdJwtVc]);
 })(DcqlClaimsQuery || (DcqlClaimsQuery = {}));
 
 // src/dcql-parser/dcql-claims-query-result.ts
+var getTrustedAuthorityValue = (credentialQuery) => v7.object({
+  authority: credentialQuery.trusted_authorities ? v7.variant(
+    "type",
+    credentialQuery.trusted_authorities.map(
+      (t) => v7.object({ type: v7.literal(t.type), value: v7.union(t.values.map((value) => v7.literal(value))) })
+    ),
+    `Credential query '${credentialQuery.id}' requires the credential to be issued by a trusted authority of type ${credentialQuery.trusted_authorities.map((t) => t.type).join(" | ")}, but none of the type or values match.`
+  ) : v7.optional(DcqlCredentialTrustedAuthority.vModel)
+});
 var getClaimParser = (input) => {
   const { value, values } = input;
   if (value) {
-    return vWithJT(v6.literal(value));
+    return vWithJT(v7.literal(value));
   }
   if (values) {
-    return vWithJT(v6.union(values.map((val) => v6.literal(val))));
+    return vWithJT(v7.union(values.map((val) => v7.literal(val))));
   }
-  return v6.nonNullish(v6.any());
+  return v7.nonNullish(v7.any());
 };
 var getNamespacesParser = (claimsQueries) => {
   const claimsForNamespace = {};
   for (const claimQuery of claimsQueries) {
-    const mdocPathQuery = v6.is(DcqlClaimsQuery.vMdocNamespace, claimQuery) ? {
+    const mdocPathQuery = v7.is(DcqlClaimsQuery.vMdocNamespace, claimQuery) ? {
       id: claimQuery.id,
       path: [claimQuery.namespace, claimQuery.claim_name],
       values: claimQuery.values
@@ -489,9 +577,9 @@ var getNamespacesParser = (claimsQueries) => {
   }
   const parsersForNamespaces = Object.entries(claimsForNamespace).map(([namespace, claims]) => {
     const claimParsers = Object.fromEntries(claims.map((claim) => [claim.path[1], getClaimParser(claim)]));
-    return [namespace, v6.object(claimParsers)];
+    return [namespace, v7.object(claimParsers)];
   });
-  return v6.object(Object.fromEntries(parsersForNamespaces));
+  return v7.object(Object.fromEntries(parsersForNamespaces));
 };
 var getClaimQueryParser = (claimQuery, ctx) => {
   const { index, presentation } = ctx;
@@ -501,31 +589,31 @@ var getClaimQueryParser = (claimQuery, ctx) => {
   if (typeof pathElement === "number") {
     const elementParser = isLast ? vClaimParser : getClaimQueryParser(claimQuery, { ...ctx, index: index + 1 });
     if (presentation) {
-      return v6.union([
-        v6.pipe(
-          v6.array(vJson),
-          v6.length(1),
-          v6.transform((input) => input[0]),
+      return v7.union([
+        v7.pipe(
+          v7.array(vJson),
+          v7.length(1),
+          v7.transform((input) => input[0]),
           elementParser
         ),
         elementParser
       ]);
     }
-    return v6.pipe(
-      v6.array(vJson),
-      v6.transform((input) => input[pathElement]),
+    return v7.pipe(
+      v7.array(vJson),
+      v7.transform((input) => input[pathElement]),
       elementParser
     );
   }
   if (typeof pathElement === "string") {
-    return v6.object({
+    return v7.object({
       [pathElement]: isLast ? vClaimParser : getClaimQueryParser(claimQuery, { ...ctx, index: index + 1 })
     });
   }
-  return isLast ? v6.array(vClaimParser) : v6.array(getClaimQueryParser(claimQuery, { ...ctx, index: index + 1 }));
+  return isLast ? v7.array(vClaimParser) : v7.array(getClaimQueryParser(claimQuery, { ...ctx, index: index + 1 }));
 };
 var getJsonClaimsParser = (claimsQueries, ctx) => {
-  const claimParser = v6.intersect(
+  const claimParser = v7.intersect(
     claimsQueries.map(
       (claimQuery) => getClaimQueryParser(claimQuery, {
         ...ctx,
@@ -559,12 +647,13 @@ var getJsonClaimsQueriesForClaimSet = (claimsQueries, claimSet) => {
 };
 var getMdocParser = (credentialQuery, ctx) => {
   const { claimSet } = ctx;
-  const vDoctype = credentialQuery.meta?.doctype_value ? v6.literal(credentialQuery.meta.doctype_value) : v6.string();
+  const vDoctype = credentialQuery.meta?.doctype_value ? v7.literal(credentialQuery.meta.doctype_value) : v7.string();
   const claimSetQueries = credentialQuery.claims && claimSet ? getMdocClaimsQueriesForClaimSet(credentialQuery.claims, claimSet) : credentialQuery.claims;
-  const credentialParser = v6.object({
-    credential_format: v6.literal("mso_mdoc"),
+  const credentialParser = v7.object({
+    credential_format: v7.literal("mso_mdoc"),
     doctype: vDoctype,
-    namespaces: claimSetQueries ? getNamespacesParser(claimSetQueries) : v6.record(v6.string(), v6.record(v6.string(), v6.unknown()))
+    namespaces: claimSetQueries ? getNamespacesParser(claimSetQueries) : v7.record(v7.string(), v7.record(v7.string(), v7.unknown())),
+    ...getTrustedAuthorityValue(credentialQuery).entries
   });
   return credentialParser;
 };
@@ -572,20 +661,28 @@ var getW3cVcSdJwtVcParser = (credentialQuery, ctx) => {
   const { claimSet } = ctx;
   const claimSetQueries = credentialQuery.claims && claimSet ? getJsonClaimsQueriesForClaimSet(credentialQuery.claims, claimSet) : credentialQuery.claims;
   if (credentialQuery.format === "vc+sd-jwt" || credentialQuery.format === "dc+sd-jwt") {
-    return v6.object({
-      credential_format: v6.literal(credentialQuery.format),
-      vct: credentialQuery.meta?.vct_values ? v6.picklist(credentialQuery.meta.vct_values) : v6.string(),
-      claims: claimSetQueries ? getJsonClaimsParser(claimSetQueries, ctx) : vJsonRecord
+    return v7.object({
+      credential_format: v7.literal(credentialQuery.format),
+      vct: credentialQuery.meta?.vct_values ? v7.picklist(credentialQuery.meta.vct_values) : v7.string(),
+      claims: claimSetQueries ? getJsonClaimsParser(claimSetQueries, ctx) : vJsonRecord,
+      // TODO: we should split up the:
+      // - vct
+      // - claim value
+      // - trusted authorities
+      // into separate validations so we can make the match result richer with specifically
+      // which steps failed, also we should look at showing exactly which claim paths failed.
+      ...getTrustedAuthorityValue(credentialQuery).entries
     });
   }
   if (credentialQuery.format === "jwt_vc_json" || credentialQuery.format === "ldp_vc") {
-    return v6.object({
-      credential_format: v6.literal(credentialQuery.format),
+    return v7.object({
+      credential_format: v7.literal(credentialQuery.format),
       claims: claimSetQueries ? getJsonClaimsParser(claimSetQueries, ctx) : vJsonRecord,
-      type: credentialQuery.meta?.type_values ? v6.union(
+      type: credentialQuery.meta?.type_values ? v7.union(
         credentialQuery.meta.type_values.map((values) => vIncludesAll(values)),
         `Type must include at least all values from one of the following subsets: ${credentialQuery.meta.type_values.map((values) => `[${values.join(", ")}]`).join(" | ")}`
-      ) : v6.array(v6.string())
+      ) : v7.array(v7.string()),
+      ...getTrustedAuthorityValue(credentialQuery).entries
     });
   }
   throw new DcqlError({
@@ -624,11 +721,11 @@ var runCredentialQuery = (credentialQuery, ctx) => {
           continue;
         }
       }
-      const parseResult = v7.safeParse(credentialParser, credential);
+      const parseResult = v8.safeParse(credentialParser, credential);
       claimSetResult.push({
         ...parseResult,
         ...parseResult.issues && {
-          flattened: v7.flatten(parseResult.issues)
+          flattened: v8.flatten(parseResult.issues)
         },
         input_credential_index: credentialIndex,
         claim_set_index: credentialQuery.claim_sets ? claimSetIndex : void 0
@@ -640,101 +737,107 @@ var runCredentialQuery = (credentialQuery, ctx) => {
 };
 
 // src/dcql-query-result/m-dcql-query-result.ts
-var v10 = __toESM(require("valibot"));
+var v11 = __toESM(require("valibot"));
 
 // src/dcql-query/m-dcql-credential-query.ts
-var v8 = __toESM(require("valibot"));
+var v9 = __toESM(require("valibot"));
 var DcqlCredentialQuery;
 ((DcqlCredentialQuery2) => {
-  const vBase = v8.object({
-    id: v8.pipe(
-      v8.string(),
-      v8.regex(idRegex),
-      v8.description(
+  const vBase = v9.object({
+    id: v9.pipe(
+      v9.string(),
+      v9.regex(idRegex),
+      v9.description(
         `REQUIRED. A string identifying the Credential in the response and, if provided, the constraints in 'credential_sets'.`
       )
     ),
-    claim_sets: v8.pipe(
-      v8.optional(v8.pipe(v8.array(v8.pipe(v8.array(vIdString), vNonEmptyArray())), vNonEmptyArray())),
-      v8.description(
+    claim_sets: v9.pipe(
+      v9.optional(v9.pipe(v9.array(v9.pipe(v9.array(vIdString), vNonEmptyArray())), vNonEmptyArray())),
+      v9.description(
         `OPTIONAL. A non-empty array containing arrays of identifiers for elements in 'claims' that specifies which combinations of 'claims' for the Credential are requested.`
       )
+    ),
+    trusted_authorities: v9.pipe(
+      v9.optional(v9.pipe(v9.array(DcqlTrustedAuthoritiesQuery.vModel), vNonEmptyArray())),
+      v9.description(
+        "OPTIONAL. A non-empty array of objects as defined in Section 6.1.1 that specifies expected authorities or trust frameworks that certify Issuers, that the Verifier will accept. Every Credential returned by the Wallet SHOULD match at least one of the conditions present in the corresponding trusted_authorities array if present."
+      )
     )
   });
-  DcqlCredentialQuery2.vMdoc = v8.object({
+  DcqlCredentialQuery2.vMdoc = v9.object({
     ...vBase.entries,
-    format: v8.pipe(
-      v8.literal("mso_mdoc"),
-      v8.description("REQUIRED. A string that specifies the format of the requested Verifiable Credential.")
+    format: v9.pipe(
+      v9.literal("mso_mdoc"),
+      v9.description("REQUIRED. A string that specifies the format of the requested Verifiable Credential.")
     ),
-    claims: v8.pipe(
-      v8.optional(v8.pipe(v8.array(DcqlClaimsQuery.vMdoc), vNonEmptyArray())),
-      v8.description("OPTIONAL. A non-empty array of objects as that specifies claims in the requested Credential.")
+    claims: v9.pipe(
+      v9.optional(v9.pipe(v9.array(DcqlClaimsQuery.vMdoc), vNonEmptyArray())),
+      v9.description("OPTIONAL. A non-empty array of objects as that specifies claims in the requested Credential.")
     ),
-    meta: v8.pipe(
-      v8.optional(
-        v8.object({
-          doctype_value: v8.pipe(
-            v8.optional(v8.string()),
-            v8.description(
+    meta: v9.pipe(
+      v9.optional(
+        v9.object({
+          doctype_value: v9.pipe(
+            v9.optional(v9.string()),
+            v9.description(
               "OPTIONAL. String that specifies an allowed value for the doctype of the requested Verifiable Credential."
             )
           )
         })
       ),
-      v8.description(
+      v9.description(
         "OPTIONAL. An object defining additional properties requested by the Verifier that apply to the metadata and validity data of the Credential."
       )
     )
   });
-  DcqlCredentialQuery2.vSdJwtVc = v8.object({
+  DcqlCredentialQuery2.vSdJwtVc = v9.object({
     ...vBase.entries,
-    format: v8.pipe(
-      v8.picklist(["vc+sd-jwt", "dc+sd-jwt"]),
-      v8.description("REQUIRED. A string that specifies the format of the requested Verifiable Credential.")
+    format: v9.pipe(
+      v9.picklist(["vc+sd-jwt", "dc+sd-jwt"]),
+      v9.description("REQUIRED. A string that specifies the format of the requested Verifiable Credential.")
     ),
-    claims: v8.pipe(
-      v8.optional(v8.pipe(v8.array(DcqlClaimsQuery.vW3cSdJwtVc), vNonEmptyArray())),
-      v8.description("OPTIONAL. A non-empty array of objects as that specifies claims in the requested Credential.")
+    claims: v9.pipe(
+      v9.optional(v9.pipe(v9.array(DcqlClaimsQuery.vW3cSdJwtVc), vNonEmptyArray())),
+      v9.description("OPTIONAL. A non-empty array of objects as that specifies claims in the requested Credential.")
     ),
-    meta: v8.pipe(
-      v8.optional(
-        v8.pipe(
-          v8.object({
-            vct_values: v8.optional(v8.array(v8.string()))
+    meta: v9.pipe(
+      v9.optional(
+        v9.pipe(
+          v9.object({
+            vct_values: v9.optional(v9.array(v9.string()))
           }),
-          v8.description(
+          v9.description(
             "OPTIONAL. An array of strings that specifies allowed values for the type of the requested Verifiable Credential."
           )
         )
       ),
-      v8.description(
+      v9.description(
         "OPTIONAL. An object defining additional properties requested by the Verifier that apply to the metadata and validity data of the Credential."
       )
     )
   });
-  DcqlCredentialQuery2.vW3cVc = v8.object({
+  DcqlCredentialQuery2.vW3cVc = v9.object({
     ...vBase.entries,
-    format: v8.picklist(["jwt_vc_json", "ldp_vc"]),
-    claims: v8.optional(v8.pipe(v8.array(DcqlClaimsQuery.vW3cSdJwtVc), vNonEmptyArray())),
-    meta: v8.pipe(
-      v8.pipe(
-        v8.object({
-          type_values: v8.pipe(
-            v8.array(v8.pipe(v8.array(v8.string()), vNonEmptyArray())),
+    format: v9.picklist(["jwt_vc_json", "ldp_vc"]),
+    claims: v9.optional(v9.pipe(v9.array(DcqlClaimsQuery.vW3cSdJwtVc), vNonEmptyArray())),
+    meta: v9.pipe(
+      v9.pipe(
+        v9.object({
+          type_values: v9.pipe(
+            v9.array(v9.pipe(v9.array(v9.string()), vNonEmptyArray())),
             vNonEmptyArray(),
-            v8.description(
+            v9.description(
               "REQUIRED. An array of string arrays that specifies the fully expanded types (IRIs) after the @context was applied that the Verifier accepts to be presented in the Presentation. Each of the top-level arrays specifies one alternative to match the type values of the Verifiable Credential against. Each inner array specifies a set of fully expanded types that MUST be present in the type property of the Verifiable Credential, regardless of order or the presence of additional types."
             )
           )
         })
       ),
-      v8.description(
+      v9.description(
         "REQUIRED. An object defining additional properties requested by the Verifier that apply to the metadata and validity data of the Credential."
       )
     )
   });
-  DcqlCredentialQuery2.vModel = v8.variant("format", [DcqlCredentialQuery2.vMdoc, DcqlCredentialQuery2.vSdJwtVc, DcqlCredentialQuery2.vW3cVc]);
+  DcqlCredentialQuery2.vModel = v9.variant("format", [DcqlCredentialQuery2.vMdoc, DcqlCredentialQuery2.vSdJwtVc, DcqlCredentialQuery2.vW3cVc]);
   DcqlCredentialQuery2.validate = (credentialQuery) => {
     claimSetIdsAreDefined(credentialQuery);
   };
@@ -758,26 +861,26 @@ var claimSetIdsAreDefined = (credentialQuery) => {
 };
 
 // src/dcql-query/m-dcql-credential-set-query.ts
-var v9 = __toESM(require("valibot"));
+var v10 = __toESM(require("valibot"));
 var CredentialSetQuery;
 ((CredentialSetQuery2) => {
-  CredentialSetQuery2.vModel = v9.object({
-    options: v9.pipe(
-      v9.array(v9.array(vIdString)),
+  CredentialSetQuery2.vModel = v10.object({
+    options: v10.pipe(
+      v10.array(v10.array(vIdString)),
       vNonEmptyArray(),
-      v9.description(
+      v10.description(
         "REQUIRED. A non-empty array, where each value in the array is a list of Credential Query identifiers representing one set of Credentials that satisfies the use case."
       )
     ),
-    required: v9.pipe(
-      v9.optional(v9.boolean(), true),
-      v9.description(
+    required: v10.pipe(
+      v10.optional(v10.boolean(), true),
+      v10.description(
         `OPTIONAL. Boolean which indicates whether this set of Credentials is required to satisfy the particular use case at the Verifier. If omitted, the default value is 'true'.`
       )
     ),
-    purpose: v9.pipe(
-      v9.optional(v9.union([v9.string(), v9.number(), v9.record(v9.string(), v9.unknown())])),
-      v9.description("OPTIONAL. A string, number or object specifying the purpose of the query.")
+    purpose: v10.pipe(
+      v10.optional(v10.union([v10.string(), v10.number(), v10.record(v10.string(), v10.unknown())])),
+      v10.description("OPTIONAL. A string, number or object specifying the purpose of the query.")
     )
   });
 })(CredentialSetQuery || (CredentialSetQuery = {}));
@@ -785,39 +888,39 @@ var CredentialSetQuery;
 // src/dcql-query-result/m-dcql-query-result.ts
 var DcqlQueryResult;
 ((DcqlQueryResult2) => {
-  DcqlQueryResult2.vCredentialQueryResult = v10.pipe(
-    v10.array(v10.array(v10.union([v10.undefined(), DcqlCredential.vParseSuccess, DcqlCredential.vParseFailure]))),
+  DcqlQueryResult2.vCredentialQueryResult = v11.pipe(
+    v11.array(v11.array(v11.union([v11.undefined(), DcqlCredential.vParseSuccess, DcqlCredential.vParseFailure]))),
     vNonEmptyArray()
   );
-  DcqlQueryResult2.vModel = v10.object({
-    credentials: v10.pipe(
-      v10.array(DcqlCredentialQuery.vModel),
+  DcqlQueryResult2.vModel = v11.object({
+    credentials: v11.pipe(
+      v11.array(DcqlCredentialQuery.vModel),
       vNonEmptyArray(),
-      v10.description(
+      v11.description(
         "REQUIRED. A non-empty array of Credential Queries that specify the requested Verifiable Credentials."
       )
     ),
-    credential_matches: v10.record(
-      v10.pipe(vIdString),
-      v10.union([
-        v10.object({
+    credential_matches: v11.record(
+      v11.pipe(vIdString),
+      v11.union([
+        v11.object({
           ...DcqlCredential.vParseSuccess.entries,
-          all: v10.pipe(
-            v10.array(
-              v10.pipe(
-                v10.array(v10.union([v10.undefined(), DcqlCredential.vParseSuccess, DcqlCredential.vParseFailure])),
+          all: v11.pipe(
+            v11.array(
+              v11.pipe(
+                v11.array(v11.union([v11.undefined(), DcqlCredential.vParseSuccess, DcqlCredential.vParseFailure])),
                 vNonEmptyArray()
               )
             ),
             vNonEmptyArray()
           )
         }),
-        v10.object({
+        v11.object({
           success: DcqlCredential.vParseFailure.entries.success,
-          all: v10.pipe(
-            v10.array(
-              v10.pipe(
-                v10.array(v10.union([v10.undefined(), DcqlCredential.vParseSuccess, DcqlCredential.vParseFailure])),
+          all: v11.pipe(
+            v11.array(
+              v11.pipe(
+                v11.array(v11.union([v11.undefined(), DcqlCredential.vParseSuccess, DcqlCredential.vParseFailure])),
                 vNonEmptyArray()
               )
             ),
@@ -826,49 +929,49 @@ var DcqlQueryResult;
         })
       ])
     ),
-    credential_sets: v10.optional(
-      v10.pipe(
-        v10.array(
-          v10.object({
+    credential_sets: v11.optional(
+      v11.pipe(
+        v11.array(
+          v11.object({
             ...CredentialSetQuery.vModel.entries,
-            matching_options: v10.union([v10.undefined(), v10.pipe(v10.array(v10.array(v10.string())), vNonEmptyArray())])
+            matching_options: v11.union([v11.undefined(), v11.pipe(v11.array(v11.array(v11.string())), vNonEmptyArray())])
           })
         ),
         vNonEmptyArray(),
-        v10.description(
+        v11.description(
           "OPTIONAL. A non-empty array of credential set queries that specifies additional constraints on which of the requested Verifiable Credentials to return."
         )
       )
     ),
-    canBeSatisfied: v10.boolean()
+    canBeSatisfied: v11.boolean()
   });
 })(DcqlQueryResult || (DcqlQueryResult = {}));
 
 // src/dcql-presentation/m-dcql-presentation-result.ts
 var DcqlPresentationResult;
 ((DcqlPresentationResult2) => {
-  DcqlPresentationResult2.vModel = v11.object({
-    ...v11.omit(DcqlQueryResult.vModel, ["credential_matches"]).entries,
-    invalid_matches: v11.union([
-      v11.record(
-        v11.pipe(vIdString),
-        v11.object({
-          ...v11.omit(DcqlCredential.vParseFailure, ["input_credential_index"]).entries,
-          presentation_id: v11.pipe(vIdString)
+  DcqlPresentationResult2.vModel = v12.object({
+    ...v12.omit(DcqlQueryResult.vModel, ["credential_matches"]).entries,
+    invalid_matches: v12.union([
+      v12.record(
+        v12.pipe(vIdString),
+        v12.object({
+          ...v12.omit(DcqlCredential.vParseFailure, ["input_credential_index"]).entries,
+          presentation_id: v12.pipe(vIdString)
         })
       ),
-      v11.undefined()
+      v12.undefined()
     ]),
-    valid_matches: v11.record(
-      v11.pipe(vIdString),
-      v11.object({
-        ...v11.omit(DcqlCredential.vParseSuccess, ["issues", "input_credential_index"]).entries,
-        presentation_id: v11.pipe(vIdString)
+    valid_matches: v12.record(
+      v12.pipe(vIdString),
+      v12.object({
+        ...v12.omit(DcqlCredential.vParseSuccess, ["issues", "input_credential_index"]).entries,
+        presentation_id: v12.pipe(vIdString)
       })
     )
   });
   DcqlPresentationResult2.parse = (input) => {
-    return v11.parse(DcqlPresentationResult2.vModel, input);
+    return v12.parse(DcqlPresentationResult2.vModel, input);
   };
   DcqlPresentationResult2.fromDcqlPresentation = (dcqlPresentation, ctx) => {
     const { dcqlQuery } = ctx;
@@ -923,7 +1026,7 @@ var DcqlPresentationResult;
       ...dcqlQuery,
       canBeSatisfied: dqclQueryMatched,
       valid_matches: validMatches,
-      invalid_matches: Object.keys(invalidMatches).length === 0 ? void 0 : {},
+      invalid_matches: Object.keys(invalidMatches).length === 0 ? void 0 : invalidMatches,
       credential_sets: credentialSetResults
     };
   };
@@ -939,15 +1042,15 @@ var DcqlPresentationResult;
 })(DcqlPresentationResult || (DcqlPresentationResult = {}));
 
 // src/dcql-presentation/m-dcql-presentation.ts
-var v12 = __toESM(require("valibot"));
+var v13 = __toESM(require("valibot"));
 var DcqlPresentation;
 ((DcqlPresentation2) => {
-  DcqlPresentation2.vModel = v12.record(vIdString, v12.union([v12.string(), vJsonRecord]));
+  DcqlPresentation2.vModel = v13.record(vIdString, v13.union([v13.string(), vJsonRecord]));
   DcqlPresentation2.parse = (input) => {
     if (typeof input === "string") {
-      return v12.parse(v12.pipe(v12.string(), vStringToJson, DcqlPresentation2.vModel), input);
+      return v13.parse(v13.pipe(v13.string(), vStringToJson, DcqlPresentation2.vModel), input);
     }
-    return v12.parse(DcqlPresentation2.vModel, input);
+    return v13.parse(DcqlPresentation2.vModel, input);
   };
   DcqlPresentation2.encode = (input) => {
     return JSON.stringify(input);
@@ -999,20 +1102,20 @@ var runDcqlQuery = (dcqlQuery, ctx) => {
 };
 
 // src/dcql-query/m-dcql-query.ts
-var v13 = __toESM(require("valibot"));
+var v14 = __toESM(require("valibot"));
 var DcqlQuery;
 ((DcqlQuery2) => {
-  DcqlQuery2.vModel = v13.object({
-    credentials: v13.pipe(
-      v13.array(DcqlCredentialQuery.vModel),
+  DcqlQuery2.vModel = v14.object({
+    credentials: v14.pipe(
+      v14.array(DcqlCredentialQuery.vModel),
       vNonEmptyArray(),
-      v13.description(
+      v14.description(
         "REQUIRED. A non-empty array of Credential Queries that specify the requested Verifiable Credentials."
       )
     ),
-    credential_sets: v13.pipe(
-      v13.optional(v13.pipe(v13.array(CredentialSetQuery.vModel), vNonEmptyArray())),
-      v13.description(
+    credential_sets: v14.pipe(
+      v14.optional(v14.pipe(v14.array(CredentialSetQuery.vModel), vNonEmptyArray())),
+      v14.description(
         "OPTIONAL. A non-empty array of credential set queries that specifies additional constraints on which of the requested Verifiable Credentials to return."
       )
     )
@@ -1026,7 +1129,7 @@ var DcqlQuery;
     return runDcqlQuery(dcqlQuery, { credentials, presentation: false });
   };
   DcqlQuery2.parse = (input) => {
-    return v13.parse(DcqlQuery2.vModel, input);
+    return v14.parse(DcqlQuery2.vModel, input);
   };
 })(DcqlQuery || (DcqlQuery = {}));
 var validateUniqueCredentialQueryIds = (query) => {
@@ -1065,6 +1168,7 @@ var validateCredentialSets = (query) => {
   DcqlCredentialPresentation,
   DcqlCredentialQuery,
   DcqlCredentialSetError,
+  DcqlCredentialTrustedAuthority,
   DcqlError,
   DcqlInvalidClaimsQueryIdError,
   DcqlInvalidPresentationRecordError,
@@ -1080,6 +1184,7 @@ var validateCredentialSets = (query) => {
   DcqlQueryResult,
   DcqlSdJwtVcCredential,
   DcqlSdJwtVcPresentation,
+  DcqlTrustedAuthoritiesQuery,
   DcqlUndefinedClaimSetIdError,
   DcqlW3cVcCredential,
   DcqlW3cVcPresentation,