dcql 0.4.3-alpha-20250706143223 → 0.5.0-alpha-20250724114402

package/dist/index.js

@@ -177,10 +177,19 @@ var v2 = __toESM(require("valibot"));
 // src/u-dcql.ts
 var v = __toESM(require("valibot"));
 var idRegex = /^[a-zA-Z0-9_-]+$/;
+function asNonEmptyArrayOrUndefined(array8) {
+  return array8.length > 0 ? array8 : void 0;
+}
+function isNonEmptyArray(array8) {
+  return array8.length > 0;
+}
 var vNonEmptyArray = (item) => {
   return v.pipe(
-    v.array(item),
-    v.custom((input) => input.length > 0)
+    v.array(item, (i) => `Expected input to be an array, but received '${i.received}'`),
+    v.custom(
+      (input) => input.length > 0,
+      "Array must be non-empty and have length of at least 1"
+    )
   );
 };
 var vIncludesAll = (subset) => {
@@ -255,60 +264,71 @@ var vStringToJson = v.rawTransform(({ dataset, addIssue, NEVER }) => {
 });
 
 // src/dcql-query/m-dcql-trusted-authorities.ts
-var getTrustedAuthorityParser = (trustedAuthority) => v2.object(
-  {
-    type: v2.literal(
-      trustedAuthority.type,
-      (i) => `Expected trusted authority type to be '${trustedAuthority.type}' but received ${typeof i.input === "string" ? `'${i.input}'` : i.input}`
-    ),
-    value: v2.union(
-      trustedAuthority.values.map(
-        (value) => v2.literal(
-          value,
-          (i) => `Expected trusted authority value to be '${value}' but received ${typeof i.input === "string" ? `'${i.input}'` : i.input}`
-        )
+var getTrustedAuthorityParser = (trustedAuthority) => v2.pipe(
+  v2.object(
+    {
+      type: v2.literal(
+        trustedAuthority.type,
+        (i) => `Expected trusted authority type to be '${trustedAuthority.type}' but received ${typeof i.input === "string" ? `'${i.input}'` : i.input}`
       ),
-      (i) => `Expected trusted authority value to be '${trustedAuthority.values.join("' | '")}' but received ${typeof i.input === "string" ? `'${i.input}'` : i.input}`
-    )
-  },
-  `Expected trusted authority object with type '${trustedAuthority.type}' to be defined, but received undefined`
+      // Some trusted authorities support an array as input type
+      values: v2.pipe(
+        vNonEmptyArray(v2.string()),
+        v2.someItem(
+          (item) => trustedAuthority.values.includes(item),
+          (i) => `Expected one of the trusted authority values to be '${trustedAuthority.values.join("' | '")}' but received '${i.input.join("' , '")}'`
+        )
+      )
+    },
+    `Expected trusted authority object with type '${trustedAuthority.type}' to be defined, but received undefined`
+  ),
+  v2.transform(({ values, ...rest }) => ({
+    ...rest,
+    value: values.find((value) => trustedAuthority.values.includes(value))
+  }))
 );
 var vAuthorityKeyIdentifier = v2.object({
   type: v2.literal("aki"),
-  value: v2.pipe(
-    v2.string(),
-    vBase64url,
-    v2.description(
-      "Contains the KeyIdentifier of the AuthorityKeyIdentifier as defined in Section 4.2.1.1 of [RFC5280], encoded as base64url. The raw byte representation of this element MUST match with the AuthorityKeyIdentifier element of an X.509 certificate in the certificate chain present in the credential (e.g., in the header of an mdoc or SD-JWT). Note that the chain can consist of a single certificate and the credential can include the entire X.509 chain or parts of it."
+  values: vNonEmptyArray(
+    v2.pipe(
+      v2.string("aki trusted authority value must be a string"),
+      vBase64url,
+      v2.description(
+        "Contains a list of KeyIdentifier entries of the AuthorityKeyIdentifier as defined in Section 4.2.1.1 of [RFC5280], encoded as base64url. The raw byte representation of one of the elements MUST match with the AuthorityKeyIdentifier element of an X.509 certificate in the certificate chain present in the credential (e.g., in the header of an mdoc or SD-JWT). Note that the chain can consist of a single certificate and the credential can include the entire X.509 chain or parts of it."
+      )
     )
   )
 });
 var vEtsiTrustedList = v2.object({
   type: v2.literal("etsi_tl"),
-  value: v2.pipe(
-    v2.string(),
-    v2.url(),
-    v2.check(
-      (url2) => url2.startsWith("http://") || url2.startsWith("https://"),
-      "etsi_tl trusted authority value must be a valid https url"
-    ),
-    v2.description(
-      "The identifier of a Trusted List as specified in ETSI TS 119 612 [ETSI.TL]. An ETSI Trusted List contains references to other Trusted Lists, creating a list of trusted lists, or entries for Trust Service Providers with corresponding service description and X.509 Certificates. The trust chain of a matching Credential MUST contain at least one X.509 Certificate that matches one of the entries of the Trusted List or its cascading Trusted Lists."
+  values: vNonEmptyArray(
+    v2.pipe(
+      v2.string("etsi_tl trusted authority value must be a string"),
+      v2.url("etsi_tl trusted authority value must be a valid https url"),
+      v2.check(
+        (url2) => url2.startsWith("http://") || url2.startsWith("https://"),
+        "etsi_tl trusted authority value must be a valid https url"
+      ),
+      v2.description(
+        "The identifier of a Trusted List as specified in ETSI TS 119 612 [ETSI.TL]. An ETSI Trusted List contains references to other Trusted Lists, creating a list of trusted lists, or entries for Trust Service Providers with corresponding service description and X.509 Certificates. The trust chain of a matching Credential MUST contain at least one X.509 Certificate that matches one of the entries of the Trusted List or its cascading Trusted Lists."
+      )
     )
   )
 });
 var vOpenidFederation = v2.object({
   type: v2.literal("openid_federation"),
-  value: v2.pipe(
-    v2.string(),
-    v2.url(),
-    // TODO: should we have a config similar to oid4vc-ts to support http for development?
-    v2.check(
-      (url2) => url2.startsWith("http://") || url2.startsWith("https://"),
-      "openid_federation trusted authority value must be a valid https url"
-    ),
-    v2.description(
-      "The Entity Identifier as defined in Section 1 of [OpenID.Federation] that is bound to an entity in a federation. While this Entity Identifier could be any entity in that ecosystem, this entity would usually have the Entity Configuration of a Trust Anchor. A valid trust path, including the given Entity Identifier, must be constructible from a matching credential."
+  values: vNonEmptyArray(
+    v2.pipe(
+      v2.string("openid_federation trusted authority value must be a string"),
+      v2.url("openid_federation trusted authority value must be a valid https url"),
+      // TODO: should we have a config similar to oid4vc-ts to support http for development?
+      v2.check(
+        (url2) => url2.startsWith("http://") || url2.startsWith("https://"),
+        "openid_federation trusted authority value must be a valid https url"
+      ),
+      v2.description(
+        "The Entity Identifier as defined in Section 1 of [OpenID.Federation] that is bound to an entity in a federation. While this Entity Identifier could be any entity in that ecosystem, this entity would usually have the Entity Configuration of a Trust Anchor. A valid trust path, including the given Entity Identifier, must be constructible from a matching credential."
+      )
     )
   )
 });
@@ -324,7 +344,7 @@ var DcqlTrustedAuthoritiesQuery;
         )
       ),
       values: v2.pipe(
-        vNonEmptyArray(authority.entries.value),
+        vNonEmptyArray(authority.entries.values.item),
         v2.description(
           "REQUIRED. An array of strings, where each string (value) contains information specific to the used Trusted Authorities Query type that allows to identify an issuer, trust framework, or a federation that an issuer belongs to."
         )
@@ -710,17 +730,17 @@ var runClaimsQuery = (credentialQuery, ctx) => {
   if (!credentialQuery.claims) {
     return {
       success: true,
-      valid_claims: [],
-      failed_claims: [],
+      valid_claims: void 0,
+      failed_claims: void 0,
       valid_claim_sets: [
         {
           claim_set_index: void 0,
           output: {},
           success: true,
-          valid_claim_indexes: []
+          valid_claim_indexes: void 0
         }
       ],
-      failed_claim_sets: []
+      failed_claim_sets: void 0
     };
   }
   const failedClaims = [];
@@ -772,7 +792,7 @@ var runClaimsQuery = (credentialQuery, ctx) => {
         success: true,
         claim_set_index: claimSetIndex,
         output,
-        valid_claim_indexes: claims.map((claim) => claim.claim_index)
+        valid_claim_indexes: asNonEmptyArrayOrUndefined(claims.map((claim) => claim.claim_index))
       });
     } else {
       const issues = failedClaims.reduce((merged, claim) => deepMerge(claim.issues, merged), {});
@@ -781,24 +801,26 @@ var runClaimsQuery = (credentialQuery, ctx) => {
         issues,
         claim_set_index: claimSetIndex,
         failed_claim_indexes: claims.filter((claim) => !claim.success).map((claim) => claim.claim_index),
-        valid_claim_indexes: claims.filter((claim) => claim.success).map((claim) => claim.claim_index)
+        valid_claim_indexes: asNonEmptyArrayOrUndefined(
+          claims.filter((claim) => claim.success).map((claim) => claim.claim_index)
+        )
       });
     }
   }
-  if (validClaimSets.length === 0) {
+  if (isNonEmptyArray(validClaimSets)) {
     return {
-      success: false,
-      failed_claim_sets: failedClaimSets,
-      failed_claims: failedClaims.map(({ parser, ...rest }) => rest),
-      valid_claims: validClaims.map(({ parser, ...rest }) => rest)
+      success: true,
+      failed_claim_sets: asNonEmptyArrayOrUndefined(failedClaimSets),
+      valid_claim_sets: validClaimSets,
+      valid_claims: asNonEmptyArrayOrUndefined(validClaims.map(({ parser, ...rest }) => rest)),
+      failed_claims: asNonEmptyArrayOrUndefined(failedClaims.map(({ parser, ...rest }) => rest))
     };
   }
   return {
-    success: true,
+    success: false,
     failed_claim_sets: failedClaimSets,
-    valid_claim_sets: validClaimSets,
-    valid_claims: validClaims.map(({ parser, ...rest }) => rest),
-    failed_claims: failedClaims.map(({ parser, ...rest }) => rest)
+    failed_claims: failedClaims.map(({ parser, ...rest }) => rest),
+    valid_claims: asNonEmptyArrayOrUndefined(validClaims.map(({ parser, ...rest }) => rest))
   };
 };
 
@@ -903,7 +925,7 @@ var runTrustedAuthoritiesQuery = (credentialQuery, credential) => {
           trusted_authority_index: trustedAuthorityIndex,
           output: parseResult.output
         },
-        failed_trusted_authorities: failedTrustedAuthorities
+        failed_trusted_authorities: asNonEmptyArrayOrUndefined(failedTrustedAuthorities)
       };
     }
     const issues = v9.flatten(parseResult.issues);
@@ -923,12 +945,6 @@ var runTrustedAuthoritiesQuery = (credentialQuery, credential) => {
 // src/dcql-parser/dcql-credential-query-result.ts
 var runCredentialQuery = (credentialQuery, ctx) => {
   const { credentials, presentation } = ctx;
-  if (ctx.credentials.length === 0) {
-    throw new DcqlError({
-      message: "Credentials array provided to credential query has length of 0, unable to match credentials against credential query.",
-      code: "BAD_REQUEST"
-    });
-  }
   const validCredentials = [];
   const failedCredentials = [];
   for (const [credentialIndex, credential] of credentials.entries()) {
@@ -953,21 +969,20 @@ var runCredentialQuery = (credentialQuery, ctx) => {
       });
     }
   }
-  if (!validCredentials.length) {
+  if (isNonEmptyArray(validCredentials)) {
     return {
-      success: false,
+      success: true,
       credential_query_id: credentialQuery.id,
-      // We now for sure that there's at least one invalid credential if there's no valid one.
-      failed_credentials: failedCredentials,
-      valid_credentials: void 0
+      failed_credentials: asNonEmptyArrayOrUndefined(failedCredentials),
+      valid_credentials: validCredentials
     };
   }
   return {
-    success: true,
+    success: false,
     credential_query_id: credentialQuery.id,
-    failed_credentials: failedCredentials,
-    // We now for sure that there's at least one valid credential due to the length check
-    valid_credentials: validCredentials
+    // Can be undefined if no credentials were provided to the query
+    failed_credentials: asNonEmptyArrayOrUndefined(failedCredentials),
+    valid_credentials: void 0
   };
 };
 
@@ -1158,7 +1173,7 @@ var DcqlClaimsResult;
     claim_set_index: v12.union([v12.number(), v12.undefined()]),
     // We use indexes because if there are no claim sets, the ids can be undefined
     // Can be empty array in case there are no claims
-    valid_claim_indexes: v12.array(v12.number()),
+    valid_claim_indexes: v12.optional(vNonEmptyArray(v12.number())),
     failed_claim_indexes: v12.optional(v12.undefined()),
     output: vClaimsOutput
   });
@@ -1167,20 +1182,20 @@ var DcqlClaimsResult;
     // Undefined in case of no claim set
     claim_set_index: v12.union([v12.number(), v12.undefined()]),
     // We use indexes because if there are no claim sets, the ids can be undefined
-    valid_claim_indexes: v12.array(v12.number()),
+    valid_claim_indexes: v12.optional(vNonEmptyArray(v12.number())),
     failed_claim_indexes: vNonEmptyArray(v12.number()),
     issues: v12.record(v12.string(), v12.unknown())
   });
   DcqlClaimsResult2.vClaimsSuccessResult = v12.object({
     success: v12.literal(true),
-    valid_claims: v12.array(DcqlClaimsResult2.vClaimsEntrySuccessResult),
-    failed_claims: v12.array(DcqlClaimsResult2.vClaimsEntryFailureResult),
+    valid_claims: v12.optional(vNonEmptyArray(DcqlClaimsResult2.vClaimsEntrySuccessResult)),
+    failed_claims: v12.optional(vNonEmptyArray(DcqlClaimsResult2.vClaimsEntryFailureResult)),
     valid_claim_sets: vNonEmptyArray(DcqlClaimsResult2.vClaimSetSuccessResult),
-    failed_claim_sets: v12.array(DcqlClaimsResult2.vClaimSetFailureResult)
+    failed_claim_sets: v12.optional(vNonEmptyArray(DcqlClaimsResult2.vClaimSetFailureResult))
   });
   DcqlClaimsResult2.vClaimsFailureResult = v12.object({
     success: v12.literal(false),
-    valid_claims: v12.array(DcqlClaimsResult2.vClaimsEntrySuccessResult),
+    valid_claims: v12.optional(vNonEmptyArray(DcqlClaimsResult2.vClaimsEntrySuccessResult)),
     failed_claims: vNonEmptyArray(DcqlClaimsResult2.vClaimsEntryFailureResult),
     valid_claim_sets: v12.optional(v12.undefined()),
     failed_claim_sets: vNonEmptyArray(DcqlClaimsResult2.vClaimSetFailureResult)
@@ -1215,7 +1230,16 @@ var DcqlTrustedAuthoritiesResult;
   DcqlTrustedAuthoritiesResult2.vTrustedAuthorityEntrySuccessResult = v14.object({
     success: v14.literal(true),
     trusted_authority_index: v14.number(),
-    output: DcqlCredentialTrustedAuthority.vModel
+    // We map from values (multiple options for a credential/query) to value (the matching option)
+    output: v14.variant(
+      "type",
+      DcqlCredentialTrustedAuthority.vModel.options.map(
+        (o) => v14.object({
+          type: o.entries.type,
+          value: o.entries.values.item
+        })
+      )
+    )
   });
   DcqlTrustedAuthoritiesResult2.vTrustedAuthorityEntryFailureResult = v14.object({
     success: v14.literal(false),
@@ -1233,7 +1257,7 @@ var DcqlTrustedAuthoritiesResult;
     v14.object({
       success: v14.literal(true),
       valid_trusted_authority: DcqlTrustedAuthoritiesResult2.vTrustedAuthorityEntrySuccessResult,
-      failed_trusted_authorities: v14.array(DcqlTrustedAuthoritiesResult2.vTrustedAuthorityEntryFailureResult)
+      failed_trusted_authorities: v14.optional(vNonEmptyArray(DcqlTrustedAuthoritiesResult2.vTrustedAuthorityEntryFailureResult))
     })
   ]);
   DcqlTrustedAuthoritiesResult2.vTrustedAuthorityFailureResult = v14.object({
@@ -1267,13 +1291,13 @@ var DcqlQueryResult;
       success: v15.literal(true),
       credential_query_id: vIdString,
       valid_credentials: vNonEmptyArray(DcqlQueryResult2.vCredentialQueryItemCredentialSuccessResult),
-      failed_credentials: v15.array(DcqlQueryResult2.vCredentialQueryItemCredentialFailureResult)
+      failed_credentials: v15.optional(vNonEmptyArray(DcqlQueryResult2.vCredentialQueryItemCredentialFailureResult))
     }),
     v15.object({
       success: v15.literal(false),
       credential_query_id: vIdString,
       valid_credentials: v15.optional(v15.undefined()),
-      failed_credentials: vNonEmptyArray(DcqlQueryResult2.vCredentialQueryItemCredentialFailureResult)
+      failed_credentials: v15.optional(vNonEmptyArray(DcqlQueryResult2.vCredentialQueryItemCredentialFailureResult))
     })
   ]);
   DcqlQueryResult2.vCredentialQueryResult = v15.record(vIdString, DcqlQueryResult2.vCredentialQueryItemResult);
@@ -1349,7 +1373,7 @@ var DcqlPresentationResult;
     const dqclQueryMatched = (
       // We require that all the submitted presentations match with the queries
       // So we must have success for all queries, and we don't allow failed_credentials
-      queriesResults.every((result) => result.success && result.failed_credentials.length === 0) && (credentialSetResults ? credentialSetResults.every((set) => !set.required || set.matching_options) : (
+      queriesResults.every((result) => result.success && !result.failed_credentials) && (credentialSetResults ? credentialSetResults.every((set) => !set.required || set.matching_options) : (
         // If not credential_sets are used, we require that at least every credential has a match
         dcqlQuery.credentials.every(
           (credentialQuery) => queriesResults.find((result) => result.credential_query_id === credentialQuery.id)?.success