dcql 0.3.1-alpha-20250624142312 → 0.4.0-alpha-20250704223931

package/dist/index.js

@@ -177,8 +177,11 @@ var v2 = __toESM(require("valibot"));
 // src/u-dcql.ts
 var v = __toESM(require("valibot"));
 var idRegex = /^[a-zA-Z0-9_-]+$/;
-var vNonEmptyArray = () => {
-  return v.custom((input) => input.length > 0);
+var vNonEmptyArray = (item) => {
+  return v.pipe(
+    v.array(item),
+    v.custom((input) => input.length > 0)
+  );
 };
 var vIncludesAll = (subset) => {
   return v.custom(
@@ -252,6 +255,24 @@ var vStringToJson = v.rawTransform(({ dataset, addIssue, NEVER }) => {
 });
 
 // src/dcql-query/m-dcql-trusted-authorities.ts
+var getTrustedAuthorityParser = (trustedAuthority) => v2.object(
+  {
+    type: v2.literal(
+      trustedAuthority.type,
+      (i) => `Expected trusted authority type to be '${trustedAuthority.type}' but received ${typeof i.input === "string" ? `'${i.input}'` : i.input}`
+    ),
+    value: v2.union(
+      trustedAuthority.values.map(
+        (value) => v2.literal(
+          value,
+          (i) => `Expected trusted authority value to be '${value}' but received ${typeof i.input === "string" ? `'${i.input}'` : i.input}`
+        )
+      ),
+      (i) => `Expected trusted authority value to be '${trustedAuthority.values.join("' | '")}' but received ${typeof i.input === "string" ? `'${i.input}'` : i.input}`
+    )
+  },
+  `Expected trusted authority object with type '${trustedAuthority.type}' to be defined, but received undefined`
+);
 var vAuthorityKeyIdentifier = v2.object({
   type: v2.literal("aki"),
   value: v2.pipe(
@@ -303,8 +324,7 @@ var DcqlTrustedAuthoritiesQuery;
         )
       ),
       values: v2.pipe(
-        v2.array(authority.entries.value),
-        vNonEmptyArray(),
+        vNonEmptyArray(authority.entries.value),
         v2.description(
           "REQUIRED. An array of strings, where each string (value) contains information specific to the used Trusted Authorities Query type that allows to identify an issuer, trust framework, or a federation that an issuer belongs to."
         )
@@ -397,22 +417,6 @@ var DcqlCredential;
     DcqlSdJwtVcCredential.vModel,
     DcqlW3cVcCredential.vModel
   ]);
-  DcqlCredential2.vParseSuccess = v4.object({
-    success: v4.literal(true),
-    typed: v4.literal(true),
-    issues: v4.optional(v4.undefined()),
-    input_credential_index: v4.number(),
-    claim_set_index: v4.union([v4.number(), v4.undefined()]),
-    output: DcqlCredential2.vModel
-  });
-  DcqlCredential2.vParseFailure = v4.object({
-    success: v4.literal(false),
-    typed: v4.boolean(),
-    output: v4.unknown(),
-    issues: v4.pipe(v4.array(v4.unknown()), vNonEmptyArray()),
-    input_credential_index: v4.number(),
-    claim_set_index: v4.union([v4.number(), v4.undefined()])
-  });
   DcqlCredential2.model = new Model({ vModel: DcqlCredential2.vModel });
 })(DcqlCredential || (DcqlCredential = {}));
 
@@ -444,10 +448,7 @@ var DcqlCredentialPresentation;
 })(DcqlCredentialPresentation || (DcqlCredentialPresentation = {}));
 
 // src/dcql-presentation/m-dcql-presentation-result.ts
-var v12 = __toESM(require("valibot"));
-
-// src/dcql-parser/dcql-credential-query-result.ts
-var v8 = __toESM(require("valibot"));
+var v16 = __toESM(require("valibot"));
 
 // src/dcql-parser/dcql-claims-query-result.ts
 var v7 = __toESM(require("valibot"));
@@ -466,8 +467,7 @@ var DcqlClaimsQuery;
       )
     ),
     path: v6.pipe(
-      v6.array(DcqlClaimsQuery2.vPath),
-      vNonEmptyArray(),
+      vNonEmptyArray(DcqlClaimsQuery2.vPath),
       v6.description(
         "A non-empty array representing a claims path pointer that specifies the path to a claim within the Verifiable Credential."
       )
@@ -540,304 +540,521 @@ var DcqlClaimsQuery;
   DcqlClaimsQuery2.vModel = v6.union([DcqlClaimsQuery2.vMdoc, DcqlClaimsQuery2.vW3cSdJwtVc]);
 })(DcqlClaimsQuery || (DcqlClaimsQuery = {}));
 
-// src/dcql-parser/dcql-claims-query-result.ts
-var getTrustedAuthorityValue = (credentialQuery) => v7.object({
-  authority: credentialQuery.trusted_authorities ? v7.variant(
-    "type",
-    credentialQuery.trusted_authorities.map(
-      (t) => v7.object({ type: v7.literal(t.type), value: v7.union(t.values.map((value) => v7.literal(value))) })
-    ),
-    `Credential query '${credentialQuery.id}' requires the credential to be issued by a trusted authority of type ${credentialQuery.trusted_authorities.map((t) => t.type).join(" | ")}, but none of the type or values match.`
-  ) : v7.optional(DcqlCredentialTrustedAuthority.vModel)
-});
-var getClaimParser = (input) => {
-  const { value, values } = input;
-  if (value) {
-    return vWithJT(v7.literal(value));
+// src/util/deep-merge.ts
+function deepMerge(source, target) {
+  let newTarget = target;
+  if (Object.getPrototypeOf(source) !== Object.prototype && !Array.isArray(source)) {
+    throw new DcqlError({
+      message: "source value provided to deepMerge is neither an array or object.",
+      code: "PARSE_ERROR"
+    });
   }
-  if (values) {
-    return vWithJT(v7.union(values.map((val) => v7.literal(val))));
+  if (Object.getPrototypeOf(target) !== Object.prototype && !Array.isArray(target)) {
+    throw new DcqlError({
+      message: "target value provided to deepMerge is neither an array or object.",
+      code: "PARSE_ERROR"
+    });
   }
-  return v7.nonNullish(v7.any());
-};
-var getNamespacesParser = (claimsQueries) => {
-  const claimsForNamespace = {};
-  for (const claimQuery of claimsQueries) {
-    const mdocPathQuery = v7.is(DcqlClaimsQuery.vMdocNamespace, claimQuery) ? {
-      id: claimQuery.id,
-      path: [claimQuery.namespace, claimQuery.claim_name],
-      values: claimQuery.values
-    } : claimQuery;
-    const namespace = mdocPathQuery.path[0];
-    if (claimsForNamespace[namespace]) {
-      claimsForNamespace[namespace]?.push({ ...mdocPathQuery });
-    } else {
-      claimsForNamespace[namespace] = [{ ...mdocPathQuery }];
+  for (const [key, val] of Object.entries(source)) {
+    if (val !== null && typeof val === "object" && (Object.getPrototypeOf(val) === Object.prototype || Array.isArray(val))) {
+      const newValue = deepMerge(
+        val,
+        newTarget[key] ?? new (Object.getPrototypeOf(val)).constructor()
+      );
+      newTarget = setValue(newTarget, key, newValue);
+    } else if (val != null) {
+      newTarget = setValue(newTarget, key, val);
     }
   }
-  const parsersForNamespaces = Object.entries(claimsForNamespace).map(([namespace, claims]) => {
-    const claimParsers = Object.fromEntries(claims.map((claim) => [claim.path[1], getClaimParser(claim)]));
-    return [namespace, v7.object(claimParsers)];
-  });
-  return v7.object(Object.fromEntries(parsersForNamespaces));
+  return newTarget;
+}
+function setValue(target, key, value) {
+  let newTarget = target;
+  if (Array.isArray(newTarget)) {
+    newTarget = [...newTarget];
+    newTarget[key] = value;
+  } else if (Object.getPrototypeOf(newTarget) === Object.prototype) {
+    newTarget = { ...newTarget, [key]: value };
+  } else {
+    throw new DcqlError({
+      message: "Unsupported type for deep merge. Only primitive types or Array and Object are supported",
+      code: "INTERNAL_SERVER_ERROR"
+    });
+  }
+  return newTarget;
+}
+
+// src/dcql-parser/dcql-claims-query-result.ts
+var pathToString = (path) => path.map((item) => typeof item === "string" ? `'${item}'` : `${item}`).join(".");
+var getClaimParser = (path, values) => {
+  if (values) {
+    return v7.union(
+      values.map(
+        (val) => v7.literal(
+          val,
+          (i) => `Expected claim ${pathToString(path)} to be ${typeof val === "string" ? `'${val}'` : val} but received ${typeof i.input === "string" ? `'${i.input}'` : i.input}`
+        )
+      ),
+      (i) => `Expected claim ${pathToString(path)} to be ${values.map((v19) => typeof v19 === "string" ? `'${v19}'` : v19).join(" | ")} but received ${typeof i.input === "string" ? `'${i.input}'` : i.input}`
+    );
+  }
+  return v7.pipe(
+    v7.unknown(),
+    v7.check((value) => value !== null && value !== void 0, `Expected claim '${path.join("'.'")}' to be defined`)
+  );
+};
+var getMdocClaimParser = (claimQuery) => {
+  const mdocPathQuery = v7.is(DcqlClaimsQuery.vMdocNamespace, claimQuery) ? {
+    id: claimQuery.id,
+    path: [claimQuery.namespace, claimQuery.claim_name],
+    values: claimQuery.values
+  } : claimQuery;
+  const namespace = mdocPathQuery.path[0];
+  const field = mdocPathQuery.path[1];
+  return v7.object(
+    {
+      [namespace]: v7.object(
+        {
+          [field]: getClaimParser(mdocPathQuery.path, claimQuery.values)
+        },
+        `Expected claim ${pathToString(mdocPathQuery.path)} to be defined`
+      )
+    },
+    `Expected claim ${pathToString(mdocPathQuery.path)} to be defined`
+  );
 };
-var getClaimQueryParser = (claimQuery, ctx) => {
+var getJsonClaimParser = (claimQuery, ctx) => {
   const { index, presentation } = ctx;
   const pathElement = claimQuery.path[index];
   const isLast = index === claimQuery.path.length - 1;
-  const vClaimParser = getClaimParser(claimQuery);
+  const vClaimParser = getClaimParser(claimQuery.path, claimQuery.values);
   if (typeof pathElement === "number") {
-    const elementParser = isLast ? vClaimParser : getClaimQueryParser(claimQuery, { ...ctx, index: index + 1 });
+    const elementParser = isLast ? vClaimParser : getJsonClaimParser(claimQuery, { ...ctx, index: index + 1 });
     if (presentation) {
-      return v7.union([
-        v7.pipe(
-          v7.array(vJson),
-          v7.length(1),
-          v7.transform((input) => input[0]),
-          elementParser
-        ),
-        elementParser
-      ]);
+      return v7.pipe(
+        v7.array(v7.any(), `Expected path ${pathToString(claimQuery.path.slice(0, index + 1))} to be an array`),
+        v7.rawTransform(({ dataset, addIssue }) => {
+          const issues = [];
+          for (const item of dataset.value) {
+            const itemResult = v7.safeParse(elementParser, item);
+            if (itemResult.success) {
+              return dataset.value;
+            }
+            issues.push(itemResult.issues[0]);
+          }
+          addIssue({
+            ...issues[0],
+            message: isLast ? issues[0].message : `Expected any element in array ${pathToString(claimQuery.path.slice(0, index + 1))} to match sub requirement but none matched: ${issues[0].message}`
+          });
+          return dataset.value;
+        })
+      );
     }
     return v7.pipe(
-      v7.array(vJson),
-      v7.transform((input) => input[pathElement]),
-      elementParser
+      v7.array(v7.any(), `Expected path ${pathToString(claimQuery.path.slice(0, index + 1))} to be an array`),
+      v7.rawTransform(({ addIssue, dataset, NEVER }) => {
+        const result = v7.safeParse(elementParser, dataset.value[pathElement]);
+        if (!result.success) {
+          addIssue(result.issues[0]);
+          return NEVER;
+        }
+        return [...dataset.value.slice(0, pathElement).map(() => null), result.output];
+      })
     );
   }
   if (typeof pathElement === "string") {
-    return v7.object({
-      [pathElement]: isLast ? vClaimParser : getClaimQueryParser(claimQuery, { ...ctx, index: index + 1 })
-    });
+    return v7.object(
+      {
+        [pathElement]: isLast ? vClaimParser : getJsonClaimParser(claimQuery, { ...ctx, index: index + 1 })
+      },
+      `Expected claim ${pathToString(claimQuery.path)} to be defined`
+    );
   }
-  return isLast ? v7.array(vClaimParser) : v7.array(getClaimQueryParser(claimQuery, { ...ctx, index: index + 1 }));
-};
-var getJsonClaimsParser = (claimsQueries, ctx) => {
-  const claimParser = v7.intersect(
-    claimsQueries.map(
-      (claimQuery) => getClaimQueryParser(claimQuery, {
-        ...ctx,
-        index: 0
-      })
-    )
+  return v7.pipe(
+    v7.array(v7.any(), `Expected path ${pathToString(claimQuery.path.slice(0, index + 1))} to be an array`),
+    v7.rawTransform(({ addIssue, dataset, NEVER }) => {
+      const mapped = dataset.value.map((item) => {
+        const parsed = v7.safeParse(
+          isLast ? vClaimParser : getJsonClaimParser(claimQuery, { ...ctx, index: index + 1 }),
+          item
+        );
+        return parsed;
+      });
+      if (mapped.every((parsed) => !parsed.success)) {
+        for (const parsed of mapped) {
+          for (const issue of parsed.issues) {
+            addIssue(issue);
+          }
+        }
+        return NEVER;
+      }
+      return mapped.map((parsed) => parsed.success ? parsed.output : null);
+    })
   );
-  return claimParser;
 };
-var getMdocClaimsQueriesForClaimSet = (claimsQueries, claimSet) => {
-  return claimSet.map((credential_id) => {
-    const query = claimsQueries.find((query2) => query2.id === credential_id);
-    if (!query) {
-      throw new DcqlInvalidClaimsQueryIdError({
-        message: `Claims-query with id '${credential_id}' not found.`
+var runClaimsQuery = (credentialQuery, ctx) => {
+  if (!credentialQuery.claims) {
+    return {
+      success: true,
+      valid_claims: [],
+      failed_claims: [],
+      valid_claim_sets: [
+        {
+          claim_set_index: void 0,
+          output: {},
+          success: true,
+          valid_claim_indexes: []
+        }
+      ],
+      failed_claim_sets: []
+    };
+  }
+  const failedClaims = [];
+  const validClaims = [];
+  for (const [claimIndex, claimQuery] of credentialQuery.claims.entries()) {
+    const parser = credentialQuery.format === "mso_mdoc" ? getMdocClaimParser(claimQuery) : getJsonClaimParser(claimQuery, {
+      index: 0,
+      presentation: ctx.presentation
+    });
+    const parseResult = v7.safeParse(
+      parser,
+      ctx.credential.credential_format === "mso_mdoc" ? ctx.credential.namespaces : ctx.credential.claims
+    );
+    if (parseResult.success) {
+      validClaims.push({
+        success: true,
+        claim_index: claimIndex,
+        claim_id: claimQuery.id,
+        output: parseResult.output,
+        parser
+      });
+    } else {
+      const flattened = v7.flatten(parseResult.issues);
+      failedClaims.push({
+        success: false,
+        issues: flattened.nested ?? flattened,
+        claim_index: claimIndex,
+        claim_id: claimQuery.id,
+        output: parseResult.output,
+        parser
       });
     }
-    return query;
-  });
-};
-var getJsonClaimsQueriesForClaimSet = (claimsQueries, claimSet) => {
-  return claimSet.map((credential_id) => {
-    const query = claimsQueries.find((query2) => query2.id === credential_id);
-    if (!query) {
-      throw new DcqlInvalidClaimsQueryIdError({
-        message: `Claims-query with id '${credential_id}' not found.`
+  }
+  const failedClaimSets = [];
+  const validClaimSets = [];
+  for (const [claimSetIndex, claimSet] of credentialQuery.claim_sets?.entries() ?? [[void 0, void 0]]) {
+    const claims = claimSet?.map((id) => {
+      const claim = validClaims.find((claim2) => claim2.claim_id === id) ?? failedClaims.find((claim2) => claim2.claim_id === id);
+      if (!claim) {
+        throw new DcqlParseError({
+          message: `Claim with id '${id}' in query '${credentialQuery.id}' from claim set with index '${claimSetIndex}' not found in claims of claim`
+        });
+      }
+      return claim;
+    }) ?? [...validClaims, ...failedClaims];
+    if (claims.every((claim) => claim.success)) {
+      const output = claims.reduce((merged, claim) => deepMerge(claim.output, merged), {});
+      validClaimSets.push({
+        success: true,
+        claim_set_index: claimSetIndex,
+        output,
+        valid_claim_indexes: validClaims.map((claim) => claim.claim_index)
+      });
+    } else {
+      const issues = failedClaims.reduce((merged, claim) => deepMerge(claim.issues, merged), {});
+      failedClaimSets.push({
+        success: false,
+        issues,
+        claim_set_index: claimSetIndex,
+        failed_claim_indexes: failedClaims.map((claim) => claim.claim_index),
+        valid_claim_indexes: validClaims.map((claim) => claim.claim_index)
       });
     }
-    return query;
-  });
+  }
+  if (validClaimSets.length === 0) {
+    return {
+      success: false,
+      failed_claim_sets: failedClaimSets,
+      failed_claims: failedClaims.map(({ parser, ...rest }) => rest),
+      valid_claims: validClaims.map(({ parser, ...rest }) => rest)
+    };
+  }
+  return {
+    success: true,
+    failed_claim_sets: failedClaimSets,
+    valid_claim_sets: validClaimSets,
+    valid_claims: validClaims.map(({ parser, ...rest }) => rest),
+    failed_claims: failedClaims.map(({ parser, ...rest }) => rest)
+  };
 };
-var getMdocParser = (credentialQuery, ctx) => {
-  const { claimSet } = ctx;
-  const vDoctype = credentialQuery.meta?.doctype_value ? v7.literal(credentialQuery.meta.doctype_value) : v7.string();
-  const claimSetQueries = credentialQuery.claims && claimSet ? getMdocClaimsQueriesForClaimSet(credentialQuery.claims, claimSet) : credentialQuery.claims;
-  const credentialParser = v7.object({
-    credential_format: v7.literal("mso_mdoc"),
-    doctype: vDoctype,
-    namespaces: claimSetQueries ? getNamespacesParser(claimSetQueries) : v7.record(v7.string(), v7.record(v7.string(), v7.unknown())),
-    ...getTrustedAuthorityValue(credentialQuery).entries
+
+// src/dcql-parser/dcql-meta-query-result.ts
+var v8 = __toESM(require("valibot"));
+var getMdocMetaParser = (credentialQuery) => {
+  const vDoctype = credentialQuery.meta?.doctype_value ? v8.literal(
+    credentialQuery.meta.doctype_value,
+    (i) => `Expected doctype to be '${credentialQuery.meta?.doctype_value}' but received '${i.input}'`
+  ) : v8.string("Expected doctype to be defined");
+  const credentialParser = v8.object({
+    credential_format: v8.literal(
+      "mso_mdoc",
+      (i) => `Expected credential format to be 'mso_mdoc' but received '${i.input}'`
+    ),
+    doctype: vDoctype
   });
   return credentialParser;
 };
-var getW3cVcSdJwtVcParser = (credentialQuery, ctx) => {
-  const { claimSet } = ctx;
-  const claimSetQueries = credentialQuery.claims && claimSet ? getJsonClaimsQueriesForClaimSet(credentialQuery.claims, claimSet) : credentialQuery.claims;
-  if (credentialQuery.format === "vc+sd-jwt" || credentialQuery.format === "dc+sd-jwt") {
-    return v7.object({
-      credential_format: v7.literal(credentialQuery.format),
-      vct: credentialQuery.meta?.vct_values ? v7.picklist(credentialQuery.meta.vct_values) : v7.string(),
-      claims: claimSetQueries ? getJsonClaimsParser(claimSetQueries, ctx) : vJsonRecord,
-      // TODO: we should split up the:
-      // - vct
-      // - claim value
-      // - trusted authorities
-      // into separate validations so we can make the match result richer with specifically
-      // which steps failed, also we should look at showing exactly which claim paths failed.
-      ...getTrustedAuthorityValue(credentialQuery).entries
-    });
+var getSdJwtVcMetaParser = (credentialQuery) => {
+  return v8.object({
+    credential_format: v8.literal(
+      credentialQuery.format,
+      (i) => `Expected credential format to be '${credentialQuery.format}' but received '${i.input}'`
+    ),
+    vct: credentialQuery.meta?.vct_values ? v8.picklist(
+      credentialQuery.meta.vct_values,
+      (i) => `Expected vct to be '${credentialQuery.meta?.vct_values?.join("' | '")}' but received '${i.input}'`
+    ) : v8.string("Expected vct to be defined")
+  });
+};
+var getW3cVcMetaParser = (credentialQuery) => {
+  return v8.object({
+    credential_format: v8.literal(
+      credentialQuery.format,
+      (i) => `Expected credential format to be '${credentialQuery.format}' but received '${i.input}'`
+    ),
+    type: credentialQuery.meta?.type_values ? v8.union(
+      credentialQuery.meta.type_values.map((values) => vIncludesAll(values)),
+      `Expected type to include all values from one of the following subsets: ${credentialQuery.meta.type_values.map((values) => `[${values.join(", ")}]`).join(" | ")}`
+    ) : vNonEmptyArray(v8.string())
+  });
+};
+var getMetaParser = (credentialQuery) => {
+  if (credentialQuery.format === "mso_mdoc") {
+    return getMdocMetaParser(credentialQuery);
   }
-  if (credentialQuery.format === "jwt_vc_json" || credentialQuery.format === "ldp_vc") {
-    return v7.object({
-      credential_format: v7.literal(credentialQuery.format),
-      claims: claimSetQueries ? getJsonClaimsParser(claimSetQueries, ctx) : vJsonRecord,
-      type: credentialQuery.meta?.type_values ? v7.union(
-        credentialQuery.meta.type_values.map((values) => vIncludesAll(values)),
-        `Type must include at least all values from one of the following subsets: ${credentialQuery.meta.type_values.map((values) => `[${values.join(", ")}]`).join(" | ")}`
-      ) : v7.array(v7.string()),
-      ...getTrustedAuthorityValue(credentialQuery).entries
-    });
+  if (credentialQuery.format === "dc+sd-jwt" || credentialQuery.format === "vc+sd-jwt") {
+    return getSdJwtVcMetaParser(credentialQuery);
+  }
+  if (credentialQuery.format === "ldp_vc" || credentialQuery.format === "jwt_vc_json") {
+    return getW3cVcMetaParser(credentialQuery);
   }
   throw new DcqlError({
     code: "NOT_IMPLEMENTED",
     message: `Usupported format '${credentialQuery.format}'`
   });
 };
-var getCredentialQueryParser = (credentialQuery, ctx) => {
-  if (credentialQuery.claim_sets && !ctx.claimSet) {
-    throw new DcqlMissingClaimSetParseError({
-      message: "credentialQuery specifies claim_sets but no claim_set for parsing is provided."
-    });
+var runMetaQuery = (credentialQuery, credential) => {
+  const metaParser = getMetaParser(credentialQuery);
+  const parseResult = v8.safeParse(metaParser, credential);
+  if (!parseResult.success) {
+    const issues = v8.flatten(parseResult.issues);
+    return {
+      success: false,
+      issues: issues.nested ?? issues,
+      output: parseResult.output
+    };
   }
-  if (credentialQuery.format === "mso_mdoc") {
-    return getMdocParser(credentialQuery, ctx);
+  return {
+    success: true,
+    output: parseResult.output
+  };
+};
+
+// src/dcql-parser/dcql-trusted-authorities-result.ts
+var v9 = __toESM(require("valibot"));
+var runTrustedAuthoritiesQuery = (credentialQuery, credential) => {
+  if (!credentialQuery.trusted_authorities) {
+    return {
+      success: true
+    };
   }
-  return getW3cVcSdJwtVcParser(credentialQuery, ctx);
+  const failedTrustedAuthorities = [];
+  for (const [trustedAuthorityIndex, trustedAuthority] of credentialQuery.trusted_authorities.entries()) {
+    const trustedAuthorityParser = getTrustedAuthorityParser(trustedAuthority);
+    const parseResult = v9.safeParse(trustedAuthorityParser, credential.authority);
+    if (parseResult.success) {
+      return {
+        success: true,
+        valid_trusted_authority: {
+          success: true,
+          trusted_authority_index: trustedAuthorityIndex,
+          output: parseResult.output
+        },
+        failed_trusted_authorities: failedTrustedAuthorities
+      };
+    }
+    const issues = v9.flatten(parseResult.issues);
+    failedTrustedAuthorities.push({
+      success: false,
+      trusted_authority_index: trustedAuthorityIndex,
+      issues: issues.nested ?? issues,
+      output: parseResult.output
+    });
+  }
+  return {
+    success: false,
+    failed_trusted_authorities: failedTrustedAuthorities
+  };
 };
 
 // src/dcql-parser/dcql-credential-query-result.ts
 var runCredentialQuery = (credentialQuery, ctx) => {
   const { credentials, presentation } = ctx;
-  const claimSets = credentialQuery.claim_sets ?? [void 0];
-  const credentialQueryResult = [];
-  for (const [claimSetIndex, claim_set] of claimSets.entries()) {
-    const credentialParser = getCredentialQueryParser(credentialQuery, {
-      claimSet: claim_set,
-      presentation
+  if (ctx.credentials.length === 0) {
+    throw new DcqlError({
+      message: "Credentials array provided to credential query has length of 0, unable to match credentials against credential query.",
+      code: "BAD_REQUEST"
     });
-    const claimSetResult = [];
-    for (const [credentialIndex, credential] of credentials.entries()) {
-      if (claimSetIndex > 0) {
-        const previous = credentialQueryResult[claimSetIndex - 1][credentialIndex];
-        if (previous?.success || !previous) {
-          claimSetResult[credentialIndex] = void 0;
-          continue;
-        }
-      }
-      const parseResult = v8.safeParse(credentialParser, credential);
-      claimSetResult.push({
-        ...parseResult,
-        ...parseResult.issues && {
-          flattened: v8.flatten(parseResult.issues)
-        },
+  }
+  const validCredentials = [];
+  const failedCredentials = [];
+  for (const [credentialIndex, credential] of credentials.entries()) {
+    const trustedAuthorityResult = runTrustedAuthoritiesQuery(credentialQuery, credential);
+    const claimsResult = runClaimsQuery(credentialQuery, { credential, presentation });
+    const metaResult = runMetaQuery(credentialQuery, credential);
+    if (claimsResult.success && trustedAuthorityResult.success && metaResult.success) {
+      validCredentials.push({
+        success: true,
+        input_credential_index: credentialIndex,
+        trusted_authorities: trustedAuthorityResult,
+        meta: metaResult,
+        claims: claimsResult
+      });
+    } else {
+      failedCredentials.push({
+        success: false,
         input_credential_index: credentialIndex,
-        claim_set_index: credentialQuery.claim_sets ? claimSetIndex : void 0
+        trusted_authorities: trustedAuthorityResult,
+        meta: metaResult,
+        claims: claimsResult
       });
     }
-    credentialQueryResult.push(claimSetResult);
   }
-  return credentialQueryResult;
+  if (!validCredentials.length) {
+    return {
+      success: false,
+      credential_query_id: credentialQuery.id,
+      // We now for sure that there's at least one invalid credential if there's no valid one.
+      failed_credentials: failedCredentials,
+      valid_credentials: void 0
+    };
+  }
+  return {
+    success: true,
+    credential_query_id: credentialQuery.id,
+    failed_credentials: failedCredentials,
+    // We now for sure that there's at least one valid credential due to the length check
+    valid_credentials: validCredentials
+  };
 };
 
 // src/dcql-query-result/m-dcql-query-result.ts
-var v11 = __toESM(require("valibot"));
+var v15 = __toESM(require("valibot"));
 
 // src/dcql-query/m-dcql-credential-query.ts
-var v9 = __toESM(require("valibot"));
+var v10 = __toESM(require("valibot"));
 var DcqlCredentialQuery;
 ((DcqlCredentialQuery2) => {
-  const vBase = v9.object({
-    id: v9.pipe(
-      v9.string(),
-      v9.regex(idRegex),
-      v9.description(
+  const vBase = v10.object({
+    id: v10.pipe(
+      v10.string(),
+      v10.regex(idRegex),
+      v10.description(
         `REQUIRED. A string identifying the Credential in the response and, if provided, the constraints in 'credential_sets'.`
       )
     ),
-    claim_sets: v9.pipe(
-      v9.optional(v9.pipe(v9.array(v9.pipe(v9.array(vIdString), vNonEmptyArray())), vNonEmptyArray())),
-      v9.description(
+    multiple: v10.pipe(
+      v10.optional(v10.boolean(), false),
+      v10.description(
+        "OPTIONAL. A boolean which indicates whether multiple Credentials can be returned for this Credential Query. If omitted, the default value is false."
+      )
+    ),
+    claim_sets: v10.pipe(
+      v10.optional(vNonEmptyArray(vNonEmptyArray(vIdString))),
+      v10.description(
         `OPTIONAL. A non-empty array containing arrays of identifiers for elements in 'claims' that specifies which combinations of 'claims' for the Credential are requested.`
       )
     ),
-    trusted_authorities: v9.pipe(
-      v9.optional(v9.pipe(v9.array(DcqlTrustedAuthoritiesQuery.vModel), vNonEmptyArray())),
-      v9.description(
+    trusted_authorities: v10.pipe(
+      v10.optional(vNonEmptyArray(DcqlTrustedAuthoritiesQuery.vModel)),
+      v10.description(
         "OPTIONAL. A non-empty array of objects as defined in Section 6.1.1 that specifies expected authorities or trust frameworks that certify Issuers, that the Verifier will accept. Every Credential returned by the Wallet SHOULD match at least one of the conditions present in the corresponding trusted_authorities array if present."
       )
     )
   });
-  DcqlCredentialQuery2.vMdoc = v9.object({
+  DcqlCredentialQuery2.vMdoc = v10.object({
     ...vBase.entries,
-    format: v9.pipe(
-      v9.literal("mso_mdoc"),
-      v9.description("REQUIRED. A string that specifies the format of the requested Verifiable Credential.")
+    format: v10.pipe(
+      v10.literal("mso_mdoc"),
+      v10.description("REQUIRED. A string that specifies the format of the requested Verifiable Credential.")
     ),
-    claims: v9.pipe(
-      v9.optional(v9.pipe(v9.array(DcqlClaimsQuery.vMdoc), vNonEmptyArray())),
-      v9.description("OPTIONAL. A non-empty array of objects as that specifies claims in the requested Credential.")
+    claims: v10.pipe(
+      v10.optional(vNonEmptyArray(DcqlClaimsQuery.vMdoc)),
+      v10.description("OPTIONAL. A non-empty array of objects as that specifies claims in the requested Credential.")
     ),
-    meta: v9.pipe(
-      v9.optional(
-        v9.object({
-          doctype_value: v9.pipe(
-            v9.optional(v9.string()),
-            v9.description(
+    meta: v10.pipe(
+      v10.optional(
+        v10.object({
+          doctype_value: v10.pipe(
+            v10.optional(v10.string()),
+            v10.description(
               "OPTIONAL. String that specifies an allowed value for the doctype of the requested Verifiable Credential."
             )
           )
         })
       ),
-      v9.description(
+      v10.description(
         "OPTIONAL. An object defining additional properties requested by the Verifier that apply to the metadata and validity data of the Credential."
       )
     )
   });
-  DcqlCredentialQuery2.vSdJwtVc = v9.object({
+  DcqlCredentialQuery2.vSdJwtVc = v10.object({
     ...vBase.entries,
-    format: v9.pipe(
-      v9.picklist(["vc+sd-jwt", "dc+sd-jwt"]),
-      v9.description("REQUIRED. A string that specifies the format of the requested Verifiable Credential.")
+    format: v10.pipe(
+      v10.picklist(["vc+sd-jwt", "dc+sd-jwt"]),
+      v10.description("REQUIRED. A string that specifies the format of the requested Verifiable Credential.")
     ),
-    claims: v9.pipe(
-      v9.optional(v9.pipe(v9.array(DcqlClaimsQuery.vW3cSdJwtVc), vNonEmptyArray())),
-      v9.description("OPTIONAL. A non-empty array of objects as that specifies claims in the requested Credential.")
+    claims: v10.pipe(
+      v10.optional(vNonEmptyArray(DcqlClaimsQuery.vW3cSdJwtVc)),
+      v10.description("OPTIONAL. A non-empty array of objects as that specifies claims in the requested Credential.")
     ),
-    meta: v9.pipe(
-      v9.optional(
-        v9.pipe(
-          v9.object({
-            vct_values: v9.optional(v9.array(v9.string()))
+    meta: v10.pipe(
+      v10.optional(
+        v10.pipe(
+          v10.object({
+            vct_values: v10.optional(v10.array(v10.string()))
           }),
-          v9.description(
+          v10.description(
             "OPTIONAL. An array of strings that specifies allowed values for the type of the requested Verifiable Credential."
           )
         )
       ),
-      v9.description(
+      v10.description(
         "OPTIONAL. An object defining additional properties requested by the Verifier that apply to the metadata and validity data of the Credential."
       )
     )
   });
-  DcqlCredentialQuery2.vW3cVc = v9.object({
+  DcqlCredentialQuery2.vW3cVc = v10.object({
     ...vBase.entries,
-    format: v9.picklist(["jwt_vc_json", "ldp_vc"]),
-    claims: v9.optional(v9.pipe(v9.array(DcqlClaimsQuery.vW3cSdJwtVc), vNonEmptyArray())),
-    meta: v9.pipe(
-      v9.pipe(
-        v9.object({
-          type_values: v9.pipe(
-            v9.array(v9.pipe(v9.array(v9.string()), vNonEmptyArray())),
-            vNonEmptyArray(),
-            v9.description(
+    format: v10.picklist(["jwt_vc_json", "ldp_vc"]),
+    claims: v10.optional(vNonEmptyArray(DcqlClaimsQuery.vW3cSdJwtVc)),
+    meta: v10.pipe(
+      v10.pipe(
+        v10.object({
+          type_values: v10.pipe(
+            vNonEmptyArray(vNonEmptyArray(v10.string())),
+            v10.description(
               "REQUIRED. An array of string arrays that specifies the fully expanded types (IRIs) after the @context was applied that the Verifier accepts to be presented in the Presentation. Each of the top-level arrays specifies one alternative to match the type values of the Verifiable Credential against. Each inner array specifies a set of fully expanded types that MUST be present in the type property of the Verifiable Credential, regardless of order or the presence of additional types."
             )
           )
         })
       ),
-      v9.description(
+      v10.description(
         "REQUIRED. An object defining additional properties requested by the Verifier that apply to the metadata and validity data of the Credential."
       )
     )
   });
-  DcqlCredentialQuery2.vModel = v9.variant("format", [DcqlCredentialQuery2.vMdoc, DcqlCredentialQuery2.vSdJwtVc, DcqlCredentialQuery2.vW3cVc]);
+  DcqlCredentialQuery2.vModel = v10.variant("format", [DcqlCredentialQuery2.vMdoc, DcqlCredentialQuery2.vSdJwtVc, DcqlCredentialQuery2.vW3cVc]);
   DcqlCredentialQuery2.validate = (credentialQuery) => {
     claimSetIdsAreDefined(credentialQuery);
   };
@@ -861,177 +1078,264 @@ var claimSetIdsAreDefined = (credentialQuery) => {
 };
 
 // src/dcql-query/m-dcql-credential-set-query.ts
-var v10 = __toESM(require("valibot"));
+var v11 = __toESM(require("valibot"));
 var CredentialSetQuery;
 ((CredentialSetQuery2) => {
-  CredentialSetQuery2.vModel = v10.object({
-    options: v10.pipe(
-      v10.array(v10.array(vIdString)),
-      vNonEmptyArray(),
-      v10.description(
+  CredentialSetQuery2.vModel = v11.object({
+    options: v11.pipe(
+      vNonEmptyArray(v11.array(vIdString)),
+      v11.description(
         "REQUIRED. A non-empty array, where each value in the array is a list of Credential Query identifiers representing one set of Credentials that satisfies the use case."
       )
     ),
-    required: v10.pipe(
-      v10.optional(v10.boolean(), true),
-      v10.description(
+    required: v11.pipe(
+      v11.optional(v11.boolean(), true),
+      v11.description(
         `OPTIONAL. Boolean which indicates whether this set of Credentials is required to satisfy the particular use case at the Verifier. If omitted, the default value is 'true'.`
       )
     ),
-    purpose: v10.pipe(
-      v10.optional(v10.union([v10.string(), v10.number(), v10.record(v10.string(), v10.unknown())])),
-      v10.description("OPTIONAL. A string, number or object specifying the purpose of the query.")
+    purpose: v11.pipe(
+      v11.optional(v11.union([v11.string(), v11.number(), v11.record(v11.string(), v11.unknown())])),
+      v11.description("OPTIONAL. A string, number or object specifying the purpose of the query.")
     )
   });
 })(CredentialSetQuery || (CredentialSetQuery = {}));
 
+// src/dcql-query-result/m-claims-result.ts
+var v12 = __toESM(require("valibot"));
+var DcqlClaimsResult;
+((DcqlClaimsResult2) => {
+  const vClaimsOutput = v12.union([
+    DcqlMdocCredential.vModel.entries.namespaces,
+    DcqlSdJwtVcCredential.vModel.entries.claims,
+    DcqlW3cVcCredential.vModel.entries.claims
+  ]);
+  DcqlClaimsResult2.vClaimsEntrySuccessResult = v12.object({
+    success: v12.literal(true),
+    claim_index: v12.number(),
+    claim_id: v12.optional(vIdString),
+    output: vClaimsOutput
+  });
+  DcqlClaimsResult2.vClaimsEntryFailureResult = v12.object({
+    success: v12.literal(false),
+    claim_index: v12.number(),
+    claim_id: v12.optional(vIdString),
+    issues: v12.record(v12.string(), v12.unknown()),
+    output: v12.unknown()
+  });
+  DcqlClaimsResult2.vClaimSetSuccessResult = v12.object({
+    success: v12.literal(true),
+    // Undefined in case of no claim set
+    claim_set_index: v12.union([v12.number(), v12.undefined()]),
+    // We use indexes because if there are no claim sets, the ids can be undefined
+    // Can be empty array in case there are no claims
+    valid_claim_indexes: v12.array(v12.number()),
+    failed_claim_indexes: v12.optional(v12.undefined()),
+    output: vClaimsOutput
+  });
+  DcqlClaimsResult2.vClaimSetFailureResult = v12.object({
+    success: v12.literal(false),
+    // Undefined in case of no claim set
+    claim_set_index: v12.union([v12.number(), v12.undefined()]),
+    // We use indexes because if there are no claim sets, the ids can be undefined
+    valid_claim_indexes: v12.array(v12.number()),
+    failed_claim_indexes: vNonEmptyArray(v12.number()),
+    issues: v12.record(v12.string(), v12.unknown())
+  });
+  DcqlClaimsResult2.vClaimsSuccessResult = v12.object({
+    success: v12.literal(true),
+    valid_claims: v12.array(DcqlClaimsResult2.vClaimsEntrySuccessResult),
+    failed_claims: v12.array(DcqlClaimsResult2.vClaimsEntryFailureResult),
+    valid_claim_sets: vNonEmptyArray(DcqlClaimsResult2.vClaimSetSuccessResult),
+    failed_claim_sets: v12.array(DcqlClaimsResult2.vClaimSetFailureResult)
+  });
+  DcqlClaimsResult2.vClaimsFailureResult = v12.object({
+    success: v12.literal(false),
+    valid_claims: v12.array(DcqlClaimsResult2.vClaimsEntrySuccessResult),
+    failed_claims: vNonEmptyArray(DcqlClaimsResult2.vClaimsEntryFailureResult),
+    valid_claim_sets: v12.optional(v12.undefined()),
+    failed_claim_sets: vNonEmptyArray(DcqlClaimsResult2.vClaimSetFailureResult)
+  });
+  DcqlClaimsResult2.vModel = v12.union([DcqlClaimsResult2.vClaimsSuccessResult, DcqlClaimsResult2.vClaimsFailureResult]);
+})(DcqlClaimsResult || (DcqlClaimsResult = {}));
+
+// src/dcql-query-result/m-meta-result.ts
+var v13 = __toESM(require("valibot"));
+var DcqlMetaResult;
+((DcqlMetaResult2) => {
+  DcqlMetaResult2.vMetaSuccessResult = v13.object({
+    success: v13.literal(true),
+    // TODO: This needs to be format specific
+    output: v13.object({
+      credential_format: v13.string()
+    })
+  });
+  DcqlMetaResult2.vMetaFailureResult = v13.object({
+    success: v13.literal(false),
+    issues: v13.record(v13.string(), v13.unknown()),
+    output: v13.unknown()
+  });
+  DcqlMetaResult2.vModel = v13.union([DcqlMetaResult2.vMetaSuccessResult, DcqlMetaResult2.vMetaFailureResult]);
+})(DcqlMetaResult || (DcqlMetaResult = {}));
+
+// src/dcql-query-result/m-trusted-authorities-result.ts
+var v14 = __toESM(require("valibot"));
+var DcqlTrustedAuthoritiesResult;
+((DcqlTrustedAuthoritiesResult2) => {
+  DcqlTrustedAuthoritiesResult2.vTrustedAuthorityEntrySuccessResult = v14.object({
+    success: v14.literal(true),
+    trusted_authority_index: v14.number(),
+    output: DcqlCredentialTrustedAuthority.vModel
+  });
+  DcqlTrustedAuthoritiesResult2.vTrustedAuthorityEntryFailureResult = v14.object({
+    success: v14.literal(false),
+    trusted_authority_index: v14.number(),
+    issues: v14.record(v14.string(), v14.unknown()),
+    output: v14.unknown()
+  });
+  DcqlTrustedAuthoritiesResult2.vTrustedAuthoritySuccessResult = v14.union([
+    // In this case there is no trusted authority on the query
+    v14.object({
+      success: v14.literal(true),
+      valid_trusted_authority: v14.optional(v14.undefined()),
+      failed_trusted_authorities: v14.optional(v14.undefined())
+    }),
+    v14.object({
+      success: v14.literal(true),
+      valid_trusted_authority: DcqlTrustedAuthoritiesResult2.vTrustedAuthorityEntrySuccessResult,
+      failed_trusted_authorities: v14.array(DcqlTrustedAuthoritiesResult2.vTrustedAuthorityEntryFailureResult)
+    })
+  ]);
+  DcqlTrustedAuthoritiesResult2.vTrustedAuthorityFailureResult = v14.object({
+    success: v14.literal(false),
+    valid_trusted_authority: v14.optional(v14.undefined()),
+    failed_trusted_authorities: vNonEmptyArray(DcqlTrustedAuthoritiesResult2.vTrustedAuthorityEntryFailureResult)
+  });
+  DcqlTrustedAuthoritiesResult2.vModel = v14.union([...DcqlTrustedAuthoritiesResult2.vTrustedAuthoritySuccessResult.options, DcqlTrustedAuthoritiesResult2.vTrustedAuthorityFailureResult]);
+})(DcqlTrustedAuthoritiesResult || (DcqlTrustedAuthoritiesResult = {}));
+
 // src/dcql-query-result/m-dcql-query-result.ts
 var DcqlQueryResult;
 ((DcqlQueryResult2) => {
-  DcqlQueryResult2.vCredentialQueryResult = v11.pipe(
-    v11.array(v11.array(v11.union([v11.undefined(), DcqlCredential.vParseSuccess, DcqlCredential.vParseFailure]))),
-    vNonEmptyArray()
-  );
-  DcqlQueryResult2.vModel = v11.object({
-    credentials: v11.pipe(
-      v11.array(DcqlCredentialQuery.vModel),
-      vNonEmptyArray(),
-      v11.description(
+  DcqlQueryResult2.vCredentialQueryItemCredentialSuccessResult = v15.object({
+    success: v15.literal(true),
+    input_credential_index: v15.number(),
+    trusted_authorities: DcqlTrustedAuthoritiesResult.vTrustedAuthoritySuccessResult,
+    // TODO: format specific (we should probably add format to this object, to differentiate?)
+    claims: DcqlClaimsResult.vClaimsSuccessResult,
+    meta: DcqlMetaResult.vMetaSuccessResult
+  });
+  DcqlQueryResult2.vCredentialQueryItemCredentialFailureResult = v15.object({
+    success: v15.literal(false),
+    input_credential_index: v15.number(),
+    trusted_authorities: DcqlTrustedAuthoritiesResult.vModel,
+    claims: DcqlClaimsResult.vModel,
+    meta: DcqlMetaResult.vModel
+  });
+  DcqlQueryResult2.vCredentialQueryItemResult = v15.union([
+    v15.object({
+      success: v15.literal(true),
+      credential_query_id: vIdString,
+      valid_credentials: vNonEmptyArray(DcqlQueryResult2.vCredentialQueryItemCredentialSuccessResult),
+      failed_credentials: v15.array(DcqlQueryResult2.vCredentialQueryItemCredentialFailureResult)
+    }),
+    v15.object({
+      success: v15.literal(false),
+      credential_query_id: vIdString,
+      valid_credentials: v15.optional(v15.undefined()),
+      failed_credentials: vNonEmptyArray(DcqlQueryResult2.vCredentialQueryItemCredentialFailureResult)
+    })
+  ]);
+  DcqlQueryResult2.vCredentialQueryResult = v15.record(vIdString, DcqlQueryResult2.vCredentialQueryItemResult);
+  DcqlQueryResult2.vModel = v15.object({
+    credentials: v15.pipe(
+      vNonEmptyArray(DcqlCredentialQuery.vModel),
+      v15.description(
         "REQUIRED. A non-empty array of Credential Queries that specify the requested Verifiable Credentials."
       )
     ),
-    credential_matches: v11.record(
-      v11.pipe(vIdString),
-      v11.union([
-        v11.object({
-          ...DcqlCredential.vParseSuccess.entries,
-          all: v11.pipe(
-            v11.array(
-              v11.pipe(
-                v11.array(v11.union([v11.undefined(), DcqlCredential.vParseSuccess, DcqlCredential.vParseFailure])),
-                vNonEmptyArray()
-              )
-            ),
-            vNonEmptyArray()
-          )
-        }),
-        v11.object({
-          success: DcqlCredential.vParseFailure.entries.success,
-          all: v11.pipe(
-            v11.array(
-              v11.pipe(
-                v11.array(v11.union([v11.undefined(), DcqlCredential.vParseSuccess, DcqlCredential.vParseFailure])),
-                vNonEmptyArray()
-              )
-            ),
-            vNonEmptyArray()
-          )
-        })
-      ])
-    ),
-    credential_sets: v11.optional(
-      v11.pipe(
-        v11.array(
-          v11.object({
+    credential_matches: DcqlQueryResult2.vCredentialQueryResult,
+    credential_sets: v15.optional(
+      v15.pipe(
+        vNonEmptyArray(
+          v15.object({
             ...CredentialSetQuery.vModel.entries,
-            matching_options: v11.union([v11.undefined(), v11.pipe(v11.array(v11.array(v11.string())), vNonEmptyArray())])
+            matching_options: v15.union([v15.undefined(), vNonEmptyArray(v15.array(v15.string()))])
           })
         ),
-        vNonEmptyArray(),
-        v11.description(
+        v15.description(
           "OPTIONAL. A non-empty array of credential set queries that specifies additional constraints on which of the requested Verifiable Credentials to return."
         )
       )
     ),
-    canBeSatisfied: v11.boolean()
+    can_be_satisfied: v15.boolean()
   });
 })(DcqlQueryResult || (DcqlQueryResult = {}));
 
 // src/dcql-presentation/m-dcql-presentation-result.ts
 var DcqlPresentationResult;
 ((DcqlPresentationResult2) => {
-  DcqlPresentationResult2.vModel = v12.object({
-    ...v12.omit(DcqlQueryResult.vModel, ["credential_matches"]).entries,
-    invalid_matches: v12.union([
-      v12.record(
-        v12.pipe(vIdString),
-        v12.object({
-          ...v12.omit(DcqlCredential.vParseFailure, ["input_credential_index"]).entries,
-          presentation_id: v12.pipe(vIdString)
-        })
-      ),
-      v12.undefined()
-    ]),
-    valid_matches: v12.record(
-      v12.pipe(vIdString),
-      v12.object({
-        ...v12.omit(DcqlCredential.vParseSuccess, ["issues", "input_credential_index"]).entries,
-        presentation_id: v12.pipe(vIdString)
-      })
-    )
-  });
+  DcqlPresentationResult2.vModel = v16.omit(DcqlQueryResult.vModel, ["credentials"]);
   DcqlPresentationResult2.parse = (input) => {
-    return v12.parse(DcqlPresentationResult2.vModel, input);
+    return v16.parse(DcqlPresentationResult2.vModel, input);
   };
   DcqlPresentationResult2.fromDcqlPresentation = (dcqlPresentation, ctx) => {
     const { dcqlQuery } = ctx;
-    const presentationQueriesResults = Object.fromEntries(
-      Object.entries(dcqlPresentation).map(([queryId, presentation]) => {
-        const credentialQuery = dcqlQuery.credentials.find((c) => c.id === queryId);
-        if (!credentialQuery) {
+    const queriesResults = Object.entries(dcqlPresentation).map(([credentialQueryId, presentations]) => {
+      const credentialQuery = dcqlQuery.credentials.find((c) => c.id === credentialQueryId);
+      if (!credentialQuery) {
+        throw new DcqlPresentationResultError({
+          message: `Query ${credentialQueryId} not found in the dcql query. Cannot validate presentation.`
+        });
+      }
+      if (Array.isArray(presentations)) {
+        if (presentations.length === 0) {
           throw new DcqlPresentationResultError({
-            message: `Query ${queryId} not found in the dcql query. Cannot validate presentation.`
+            message: `Query credential '${credentialQueryId}' is present in the presentations but the value is an empty array. Each entry must at least provide one presentation.`
           });
         }
-        return [
-          queryId,
-          runCredentialQuery(credentialQuery, {
-            presentation: true,
-            credentials: [presentation]
-          })
-        ];
-      })
-    );
-    let invalidMatches = {};
-    const validMatches = {};
-    for (const [queryId, presentationQueryResult] of Object.entries(presentationQueriesResults)) {
-      for (const presentationQueryResultForClaimSet of presentationQueryResult) {
-        const result = presentationQueryResultForClaimSet[0];
-        if (result?.success) {
-          const { issues, input_credential_index, ...rest } = result;
-          validMatches[queryId] = { ...rest, presentation_id: queryId };
-        } else if (result?.success === false) {
-          const { input_credential_index, ...rest } = result;
-          invalidMatches[queryId] = {
-            ...rest,
-            presentation_id: queryId
-          };
+        if (!credentialQuery.multiple && presentations.length > 1) {
+          throw new DcqlPresentationResultError({
+            message: `Query credential '${credentialQueryId}' has not enabled 'multiple', but multiple presentations were provided. Only a single presentation is allowed for each query credential when 'multiple' is not enabled on the query.`
+          });
         }
       }
-    }
-    invalidMatches = Object.fromEntries(
-      Object.entries(invalidMatches ?? {}).filter(([queryId]) => validMatches[queryId] === void 0)
-    );
+      return runCredentialQuery(credentialQuery, {
+        presentation: true,
+        credentials: presentations ? Array.isArray(presentations) ? presentations : [presentations] : []
+      });
+    });
     const credentialSetResults = dcqlQuery.credential_sets?.map((set) => {
       const matchingOptions = set.options.filter(
-        (option) => option.every((credentialQueryId) => validMatches[credentialQueryId]?.success)
+        (option) => option.every(
+          (credentialQueryId) => queriesResults.find((result) => result.credential_query_id === credentialQueryId)?.success
+        )
       );
       return {
         ...set,
         matching_options: matchingOptions.length > 0 ? matchingOptions : void 0
       };
     });
-    const dqclQueryMatched = credentialSetResults ? credentialSetResults.every((set) => !set.required || set.matching_options) : Object.keys(validMatches).length === ctx.dcqlQuery.credentials.length;
+    const dqclQueryMatched = (
+      // We require that all the submitted presentations match with the queries
+      // So we must have success for all queries, and we don't allow failed_credentials
+      queriesResults.every((result) => result.success && result.failed_credentials.length === 0) && (credentialSetResults ? credentialSetResults.every((set) => !set.required || set.matching_options) : (
+        // If not credential_sets are used, we require that at least every credential has a match
+        dcqlQuery.credentials.every(
+          (credentialQuery) => queriesResults.find((result) => result.credential_query_id === credentialQuery.id)?.success
+        )
+      ))
+    );
     return {
-      ...dcqlQuery,
-      canBeSatisfied: dqclQueryMatched,
-      valid_matches: validMatches,
-      invalid_matches: Object.keys(invalidMatches).length === 0 ? void 0 : invalidMatches,
-      credential_sets: credentialSetResults
+      // NOTE: can_be_satisfied is maybe not the best term, because we return false if it can be
+      // satisfied, but one of the provided presentations did not match
+      can_be_satisfied: dqclQueryMatched,
+      credential_sets: credentialSetResults,
+      credential_matches: Object.fromEntries(queriesResults.map((result) => [result.credential_query_id, result]))
     };
   };
   DcqlPresentationResult2.validate = (dcqlQueryResult) => {
-    if (!dcqlQueryResult.canBeSatisfied) {
+    if (!dcqlQueryResult.can_be_satisfied) {
       throw new DcqlInvalidPresentationRecordError({
         message: "Invalid Presentation record",
         cause: dcqlQueryResult
@@ -1042,15 +1346,28 @@ var DcqlPresentationResult;
 })(DcqlPresentationResult || (DcqlPresentationResult = {}));
 
 // src/dcql-presentation/m-dcql-presentation.ts
-var v13 = __toESM(require("valibot"));
+var v17 = __toESM(require("valibot"));
 var DcqlPresentation;
 ((DcqlPresentation2) => {
-  DcqlPresentation2.vModel = v13.record(vIdString, v13.union([v13.string(), vJsonRecord]));
+  const vPresentationEntry = v17.union([v17.string(), vJsonRecord]);
+  DcqlPresentation2.vModel = v17.pipe(
+    v17.union([
+      v17.record(vIdString, vNonEmptyArray(vPresentationEntry)),
+      v17.record(
+        vIdString,
+        // We support presentation entry directly (not as array) to support older draft of DCQL
+        vPresentationEntry
+      )
+    ]),
+    v17.description(
+      "REQUIRED. This is a JSON-encoded object containing entries where the key is the id value used for a Credential Query in the DCQL query and the value is an array of one or more Presentations that match the respective Credential Query. When multiple is omitted, or set to false, the array MUST contain only one Presentation. There MUST NOT be any entry in the JSON-encoded object for optional Credential Queries when there are no matching Credentials for the respective Credential Query. Each Presentation is represented as a string or object, depending on the format as defined in Appendix B. The same rules as above apply for encoding the Presentations."
+    )
+  );
   DcqlPresentation2.parse = (input) => {
     if (typeof input === "string") {
-      return v13.parse(v13.pipe(v13.string(), vStringToJson, DcqlPresentation2.vModel), input);
+      return v17.parse(v17.pipe(v17.string(), vStringToJson, DcqlPresentation2.vModel), input);
     }
-    return v13.parse(DcqlPresentation2.vModel, input);
+    return v17.parse(DcqlPresentation2.vModel, input);
   };
   DcqlPresentation2.encode = (input) => {
     return JSON.stringify(input);
@@ -1062,60 +1379,41 @@ var runDcqlQuery = (dcqlQuery, ctx) => {
   const credentialQueriesResults = Object.fromEntries(
     dcqlQuery.credentials.map((credentialQuery) => [credentialQuery.id, runCredentialQuery(credentialQuery, ctx)])
   );
-  const credentialMatches = Object.fromEntries(
-    Object.entries(credentialQueriesResults).map(([key, credentialQueryResult]) => {
-      let bestMatch = void 0;
-      for (const credentialParseResult of credentialQueryResult) {
-        const bestMatchForCredential = credentialParseResult.find((result) => result?.success === true);
-        if (!bestMatch && bestMatchForCredential) {
-          const { issues, ...matchWithoutIssues } = bestMatchForCredential;
-          bestMatch = matchWithoutIssues;
-          continue;
-        }
-        if (bestMatchForCredential && bestMatchForCredential.claim_set_index < bestMatch?.claim_set_index) {
-          const { issues, ...matchWithoutIssues } = bestMatchForCredential;
-          bestMatch = matchWithoutIssues;
-        }
-      }
-      return [
-        key,
-        bestMatch ? { ...bestMatch, all: credentialQueryResult } : { success: false, all: credentialQueryResult }
-      ];
-    })
-  );
   const credentialSetResults = dcqlQuery.credential_sets?.map((set) => {
     const matchingOptions = set.options.filter(
-      (option) => option.every((credentialQueryId) => credentialMatches[credentialQueryId]?.success)
+      (option) => option.every((credentialQueryId) => credentialQueriesResults[credentialQueryId].success)
     );
     return {
       ...set,
       matching_options: matchingOptions.length > 0 ? matchingOptions : void 0
     };
   });
-  const dqclQueryMatched = credentialSetResults ? credentialSetResults.every((set) => !set.required || set.matching_options) : Object.values(credentialMatches).every((query) => query.success);
+  const dqclQueryMatched = credentialSetResults ? credentialSetResults.every((set) => !set.required || set.matching_options) : (
+    // If not credential_sets are used, we require that at least every credential has a match
+    dcqlQuery.credentials.every(({ id }) => credentialQueriesResults[id].success === true)
+  );
   return {
     ...dcqlQuery,
-    canBeSatisfied: dqclQueryMatched,
-    credential_matches: credentialMatches,
+    can_be_satisfied: dqclQueryMatched,
+    credential_matches: credentialQueriesResults,
     credential_sets: credentialSetResults
   };
 };
 
 // src/dcql-query/m-dcql-query.ts
-var v14 = __toESM(require("valibot"));
+var v18 = __toESM(require("valibot"));
 var DcqlQuery;
 ((DcqlQuery2) => {
-  DcqlQuery2.vModel = v14.object({
-    credentials: v14.pipe(
-      v14.array(DcqlCredentialQuery.vModel),
-      vNonEmptyArray(),
-      v14.description(
+  DcqlQuery2.vModel = v18.object({
+    credentials: v18.pipe(
+      vNonEmptyArray(DcqlCredentialQuery.vModel),
+      v18.description(
         "REQUIRED. A non-empty array of Credential Queries that specify the requested Verifiable Credentials."
       )
     ),
-    credential_sets: v14.pipe(
-      v14.optional(v14.pipe(v14.array(CredentialSetQuery.vModel), vNonEmptyArray())),
-      v14.description(
+    credential_sets: v18.pipe(
+      v18.optional(vNonEmptyArray(CredentialSetQuery.vModel)),
+      v18.description(
         "OPTIONAL. A non-empty array of credential set queries that specifies additional constraints on which of the requested Verifiable Credentials to return."
       )
     )
@@ -1129,7 +1427,7 @@ var DcqlQuery;
     return runDcqlQuery(dcqlQuery, { credentials, presentation: false });
   };
   DcqlQuery2.parse = (input) => {
-    return v14.parse(DcqlQuery2.vModel, input);
+    return v18.parse(DcqlQuery2.vModel, input);
   };
 })(DcqlQuery || (DcqlQuery = {}));
 var validateUniqueCredentialQueryIds = (query) => {