gdc-common-utils-ts 1.24.3 → 2.0.2

package/dist/examples/lifecycle.js

@@ -2,7 +2,7 @@
 import { ClaimsOrganizationSchemaorg, ClaimsPersonSchemaorg, } from '../constants/schemaorg.js';
 import { LifecycleRequestType } from '../constants/lifecycle.js';
 import { ClaimConsent } from '../models/consent-rule.js';
-import { IndividualOrganizationLifecycleDraft, IndividualOrganizationLifecycleOperations, } from '../utils/individual-organization-lifecycle.js';
+import { IndividualOrganizationLifecycleEditor, IndividualOrganizationLifecycleOperations, } from '../utils/individual-organization-lifecycle.js';
 import { EXAMPLE_EMAIL_CONTROLLER_INDIVIDUAL, EXAMPLE_EMAIL_CONTROLLER_ORG, EXAMPLE_CLINICAL_SECTION_ALLERGIES, EXAMPLE_CONSENT_PURPOSE_TREATMENT, EXAMPLE_HEALTHCARE_ACTOR_ROLE_PHYSICIAN, EXAMPLE_JURISDICTION, EXAMPLE_SECTOR, EXAMPLE_TENANT_IDENTIFIER, } from './shared.js';
 /**
  * Canonical lifecycle naming for `v1`.
@@ -190,12 +190,12 @@ export const EXAMPLE_INDIVIDUAL_DISABLE_MESSAGE = {
         erasesPersonalDataImmediately: false,
     },
 };
-export const EXAMPLE_INDIVIDUAL_ORGANIZATION_DISABLE_ENTRY = new IndividualOrganizationLifecycleDraft()
+export const EXAMPLE_INDIVIDUAL_ORGANIZATION_DISABLE_ENTRY = new IndividualOrganizationLifecycleEditor()
     .setClaims(EXAMPLE_INDIVIDUAL_DISABLE_MESSAGE.claims)
     .setOperation(IndividualOrganizationLifecycleOperations.Disable)
     .setRequestType(EXAMPLE_INDIVIDUAL_ORGANIZATION_DISABLE_REQUEST_TYPE)
     .buildCurrentGwDataEntry();
-export const EXAMPLE_INDIVIDUAL_ORGANIZATION_DISABLE_PAYLOAD = new IndividualOrganizationLifecycleDraft()
+export const EXAMPLE_INDIVIDUAL_ORGANIZATION_DISABLE_PAYLOAD = new IndividualOrganizationLifecycleEditor()
     .setClaims(EXAMPLE_INDIVIDUAL_DISABLE_MESSAGE.claims)
     .setOperation(IndividualOrganizationLifecycleOperations.Disable)
     .setRequestType(EXAMPLE_INDIVIDUAL_ORGANIZATION_DISABLE_REQUEST_TYPE)
@@ -221,12 +221,12 @@ export const EXAMPLE_INDIVIDUAL_DELETE_MESSAGE = {
         keepsMinimumAuditTrailRequiredByLaw: true,
     },
 };
-export const EXAMPLE_INDIVIDUAL_ORGANIZATION_PURGE_ENTRY = new IndividualOrganizationLifecycleDraft()
+export const EXAMPLE_INDIVIDUAL_ORGANIZATION_PURGE_ENTRY = new IndividualOrganizationLifecycleEditor()
     .setClaims(EXAMPLE_INDIVIDUAL_DISABLE_MESSAGE.claims)
     .setOperation(IndividualOrganizationLifecycleOperations.Purge)
     .setRequestType(EXAMPLE_INDIVIDUAL_ORGANIZATION_PURGE_REQUEST_TYPE)
     .buildCurrentGwDataEntry();
-export const EXAMPLE_INDIVIDUAL_ORGANIZATION_PURGE_PAYLOAD = new IndividualOrganizationLifecycleDraft()
+export const EXAMPLE_INDIVIDUAL_ORGANIZATION_PURGE_PAYLOAD = new IndividualOrganizationLifecycleEditor()
     .setClaims(EXAMPLE_INDIVIDUAL_DISABLE_MESSAGE.claims)
     .setOperation(IndividualOrganizationLifecycleOperations.Purge)
     .setRequestType(EXAMPLE_INDIVIDUAL_ORGANIZATION_PURGE_REQUEST_TYPE)

package/dist/examples/organization-controller.d.ts

@@ -32,7 +32,6 @@ export declare const EXAMPLE_ACTIVATE_ORGANIZATION_FROM_ICA_PROOF_INPUT: {
         };
     };
     readonly additionalClaims: {
-        readonly "org.schema.Organization.alternateName": "acme";
         readonly "org.schema.Organization.legalName": "ACME HEALTH SL";
         readonly "org.schema.Organization.identifier.additionalType": "taxID";
         readonly "org.schema.Organization.identifier.value": "VATES-B00112233";

package/dist/examples/organization-controller.js

@@ -14,7 +14,6 @@ export const EXAMPLE_ACTIVATE_ORGANIZATION_FROM_ICA_PROOF_INPUT = {
     vpToken: '<ica-proof-token>',
     controller: EXAMPLE_CONTROLLER_BINDING,
     additionalClaims: {
-        [ClaimsOrganizationSchemaorg.alternateName]: 'acme',
         [ClaimsOrganizationSchemaorg.legalName]: 'ACME HEALTH SL',
         [ClaimsOrganizationSchemaorg.identifierType]: 'taxID',
         [ClaimsOrganizationSchemaorg.identifierValue]: 'VATES-B00112233',

package/dist/examples/profile-runtime.d.ts

@@ -0,0 +1,16 @@
+/**
+ * Shared fixtures for profile-runtime tests and 101 examples.
+ *
+ * Keep runtime-class, key-access, secret-kind, app-type, and local secret
+ * placeholders here so SDK packages do not re-inline them in their own tests.
+ */
+export declare const EXAMPLE_PROFILE_APP_TYPE_FAMILY: "Family";
+export declare const EXAMPLE_PROFILE_RUNTIME_CLASS_SERVER: "server";
+export declare const EXAMPLE_PROFILE_RUNTIME_CLASS_FRONTEND: "frontend";
+export declare const EXAMPLE_PROFILE_KEY_ACCESS_MODE_SERVER: "unlock-encrypted-keys";
+export declare const EXAMPLE_PROFILE_KEY_ACCESS_MODE_FRONTEND: "derive-from-seed";
+export declare const EXAMPLE_PROFILE_CONNECTION_SECRET_KIND_PIN_PASSWORD: "pin-password";
+export declare const EXAMPLE_PROFILE_LOCAL_PIN_PASSWORD_BACKEND: "local-backend-pin";
+export declare const EXAMPLE_PROFILE_LOCAL_PIN_PASSWORD_FRONTEND: "local-frontend-pin";
+export declare const EXAMPLE_PROFILE_CONNECTION_PIN_PASSWORD: "subject-channel-pin";
+export declare const EXAMPLE_PROFILE_RUNTIME_JOB_ID: "job-id";

package/dist/examples/profile-runtime.js

@@ -0,0 +1,18 @@
+// Copyright 2026 Antifraud Services Inc. under the Apache License, Version 2.0.
+import { ActorRuntimeClasses, ConnectionSecretKinds, KeyAccessModes, ProfileAppTypes, } from '../constants/profile-runtime.js';
+/**
+ * Shared fixtures for profile-runtime tests and 101 examples.
+ *
+ * Keep runtime-class, key-access, secret-kind, app-type, and local secret
+ * placeholders here so SDK packages do not re-inline them in their own tests.
+ */
+export const EXAMPLE_PROFILE_APP_TYPE_FAMILY = ProfileAppTypes.Family;
+export const EXAMPLE_PROFILE_RUNTIME_CLASS_SERVER = ActorRuntimeClasses.Server;
+export const EXAMPLE_PROFILE_RUNTIME_CLASS_FRONTEND = ActorRuntimeClasses.Frontend;
+export const EXAMPLE_PROFILE_KEY_ACCESS_MODE_SERVER = KeyAccessModes.UnlockEncryptedKeys;
+export const EXAMPLE_PROFILE_KEY_ACCESS_MODE_FRONTEND = KeyAccessModes.DeriveFromSeed;
+export const EXAMPLE_PROFILE_CONNECTION_SECRET_KIND_PIN_PASSWORD = ConnectionSecretKinds.PinPassword;
+export const EXAMPLE_PROFILE_LOCAL_PIN_PASSWORD_BACKEND = 'local-backend-pin';
+export const EXAMPLE_PROFILE_LOCAL_PIN_PASSWORD_FRONTEND = 'local-frontend-pin';
+export const EXAMPLE_PROFILE_CONNECTION_PIN_PASSWORD = 'subject-channel-pin';
+export const EXAMPLE_PROFILE_RUNTIME_JOB_ID = 'job-id';

package/dist/interfaces/Cryptography.types.d.ts

@@ -27,6 +27,17 @@ export type AlgMlDsa2 = "ML-DSA-44";
 export type AlgMlDsa3 = "ML-DSA-65";
 export type AlgMlDsa5 = "ML-DSA-87";
 export type MldsaAlg = AlgMlDsa2 | AlgMlDsa3 | AlgMlDsa5;
+/**
+ * Base JWKs used for RFC 7638 thumbprint calculation.
+ *
+ * Mapping used by this codebase:
+ * - ML-KEM uses `OKP` with `crv`
+ * - ML-DSA uses `AKP` with `alg` and `pub`
+ * - classical EC uses `EC` with `crv`, `x`, `y`
+ *
+ * Note that ML-DSA does not use `crv` here. The algorithm family/strength is
+ * captured by `alg` instead, for example `ML-DSA-44`.
+ */
 export type MlkemBaseJwk = {
     kty: "OKP";
     crv: MlkemCurve;
@@ -52,6 +63,10 @@ export interface MldsaPublicJwk extends MldsaBaseJwk {
 }
 /**
  * Represents a public key for classic cryptography algorithms like Elliptic Curve.
+ *
+ * The RFC 7638 thumbprint for these keys is derived from `kty`, `crv`, `x`,
+ * and `y`. This means curves such as `P-256`, `P-384`, and `secp256k1` are
+ * covered through the `crv` field.
  */
 export interface ClassicPublicJwk {
     kty: "EC";

package/dist/models/identity-bootstrap.d.ts

@@ -1,6 +1,7 @@
 import { PublicJwk } from '../interfaces/Cryptography.types';
 import { type IssueSeverityAttentionCode } from './issue';
 import { JwkSet } from './jwk';
+import { DidCommDecodedMetadata } from './confidential-message';
 /**
  * Public key binding for a human actor/controller identity.
  *
@@ -79,6 +80,14 @@ export interface OrganizationActivationRequest extends ActivationProofInput {
      */
     representativeCredential?: unknown;
 }
+/**
+ * Technical metadata mirrored into plaintext DIDComm payloads when no real
+ * outer JWS/JWE envelope is present on the wire.
+ *
+ * This must be treated as transport compatibility metadata only. It does not
+ * replace canonical activation fields such as `vp_token` or `controller.*`.
+ */
+export type DidcommPlaintextTransportMetadata = DidCommDecodedMetadata;
 /**
  * Structured validation issue emitted by bootstrap validators.
  */

package/dist/utils/activation-policy.d.ts

@@ -48,6 +48,14 @@ export declare function hasRoleCode(roleCode: string | undefined, requiredCode?:
 /**
  * Extracts representative signing/binding continuity data from `credentialSubject.hasCredential`.
  *
+ * Security note:
+ * - this field proves continuity of the controller signing/binding key
+ * - it is intentionally different from `credentialSubject.sameAs`, which
+ *   proves continuity of the representative public identity alias (for example
+ *   email-derived `urn:multibase:z...`)
+ * - production-grade activation flows are strongest when both dimensions are
+ *   present in the ICA-issued representative VC
+ *
  * Compatibility rules:
  * - legacy VC payloads may still carry `hasCredential.material`
  * - newer payloads may carry the same semantic value in `hasCredential.value`
@@ -60,9 +68,12 @@ export declare function extractRepresentativeCredentialBinding(representativeCre
  * Extracts the representative subject identifier from `credentialSubject.id`.
  *
  * ICA currently models the natural person with a stable person URN while the
- * controller/bootstrap continuity is carried in sibling claims such as
- * `sameAs` and `hasCredential`. Activation policy must therefore accept the
- * canonical person URN form and must not require a representative `did:web`.
+ * controller/bootstrap continuity is carried in sibling claims:
+ * - `sameAs` for public identity continuity
+ * - `hasCredential` for key-binding continuity
+ *
+ * Activation policy must therefore accept the canonical person URN form and
+ * must not require a representative `did:web`.
  *
  * @param representativeCredential Candidate representative credential.
  */
@@ -148,6 +159,14 @@ export declare function isMemberDidWebUnderOwner(memberDidWeb: string, ownerDidW
 /**
  * Validates the activation representative policy against organization and representative credentials.
  *
+ * The representative proof model is intentionally two-dimensional:
+ * - `credentialSubject.sameAs` expresses public identity continuity
+ * - `credentialSubject.hasCredential.material` expresses signing-key continuity
+ *
+ * For GW activation, the key-binding dimension is the hard requirement
+ * enforced here. The public-identity dimension may still be used by higher
+ * layers for stronger demo/production matching and auditability.
+ *
  * @param input.organizationCredential Candidate organization credential.
  * @param input.representativeCredential Candidate representative credential.
  * @param input.requiredRoleCode Required representative role, defaults to `RESPRSN`.

package/dist/utils/activation-policy.js

@@ -106,6 +106,14 @@ export function hasRoleCode(roleCode, requiredCode = 'RESPRSN') {
 /**
  * Extracts representative signing/binding continuity data from `credentialSubject.hasCredential`.
  *
+ * Security note:
+ * - this field proves continuity of the controller signing/binding key
+ * - it is intentionally different from `credentialSubject.sameAs`, which
+ *   proves continuity of the representative public identity alias (for example
+ *   email-derived `urn:multibase:z...`)
+ * - production-grade activation flows are strongest when both dimensions are
+ *   present in the ICA-issued representative VC
+ *
  * Compatibility rules:
  * - legacy VC payloads may still carry `hasCredential.material`
  * - newer payloads may carry the same semantic value in `hasCredential.value`
@@ -145,9 +153,12 @@ function extractCredentialBindingValue(value) {
  * Extracts the representative subject identifier from `credentialSubject.id`.
  *
  * ICA currently models the natural person with a stable person URN while the
- * controller/bootstrap continuity is carried in sibling claims such as
- * `sameAs` and `hasCredential`. Activation policy must therefore accept the
- * canonical person URN form and must not require a representative `did:web`.
+ * controller/bootstrap continuity is carried in sibling claims:
+ * - `sameAs` for public identity continuity
+ * - `hasCredential` for key-binding continuity
+ *
+ * Activation policy must therefore accept the canonical person URN form and
+ * must not require a representative `did:web`.
  *
  * @param representativeCredential Candidate representative credential.
  */
@@ -306,6 +317,14 @@ export function isMemberDidWebUnderOwner(memberDidWeb, ownerDidWeb) {
 /**
  * Validates the activation representative policy against organization and representative credentials.
  *
+ * The representative proof model is intentionally two-dimensional:
+ * - `credentialSubject.sameAs` expresses public identity continuity
+ * - `credentialSubject.hasCredential.material` expresses signing-key continuity
+ *
+ * For GW activation, the key-binding dimension is the hard requirement
+ * enforced here. The public-identity dimension may still be used by higher
+ * layers for stronger demo/production matching and auditability.
+ *
  * @param input.organizationCredential Candidate organization credential.
  * @param input.representativeCredential Candidate representative credential.
  * @param input.requiredRoleCode Required representative role, defaults to `RESPRSN`.

package/dist/utils/activation-request.d.ts

@@ -1,4 +1,4 @@
-import { ControllerBindingInput, IdentityBootstrapValidationResult, OrganizationActivationRequest, OrganizationBindingInput } from '../models/identity-bootstrap';
+import { ControllerBindingInput, DidcommPlaintextTransportMetadata, IdentityBootstrapValidationResult, OrganizationActivationRequest, OrganizationBindingInput } from '../models/identity-bootstrap';
 import { JwkSet } from '../models/jwk';
 /**
  * Builder input for the canonical organization/service activation payload.
@@ -54,6 +54,23 @@ export interface BuildOrganizationBindingInputInput {
         keys: Array<Record<string, unknown>>;
     } | Array<Record<string, unknown>>;
 }
+export interface BuildDidcommPlaintextTransportMetadataInput {
+    /**
+     * Explicit controller/person binding used by `_activate`.
+     *
+     * In demo/plaintext flows this is the preferred source for mirroring the
+     * technical communication key metadata into `meta.jws.protected` /
+     * `meta.jwe.header`.
+     */
+    controller?: ControllerBindingInput;
+    /**
+     * Optional explicit content type copied into the mirrored technical JWS
+     * header.
+     *
+     * Defaults to `application/didcomm-plaintext+json`.
+     */
+    contentType?: string;
+}
 /**
  * Builds the canonical controller/person binding from semantic variables.
  *
@@ -79,12 +96,37 @@ export declare function buildControllerBindingInput(input: BuildControllerBindin
  * Builds the canonical organization/provider binding from semantic variables.
  */
 export declare function buildOrganizationBindingInput(input: BuildOrganizationBindingInputInput): OrganizationBindingInput;
+/**
+ * Builds the technical plaintext transport metadata expected by GW-compatible
+ * demo flows.
+ *
+ * Transport rule:
+ * - in secure JOSE transport, these values belong in the protected JWS/JWE
+ *   headers of the real envelope
+ * - in `application/didcomm-plaintext+json`, there is no signed outer
+ *   envelope on the wire, so high-level SDK/BFF helpers may mirror the same
+ *   technical key identifiers and public JWKs into `meta.jws.protected` and
+ *   `meta.jwe.header`
+ *
+ * This is technical compatibility fallback only. The canonical activation
+ * contract remains `controller.publicKeyJwk` / `controller.jwks`.
+ */
+export declare function buildDidcommPlaintextTransportMetadata(input: BuildDidcommPlaintextTransportMetadataInput): DidcommPlaintextTransportMetadata | undefined;
 /**
  * Builds the canonical `_activate` request payload shared by SDK and GW helpers.
  *
  * The resulting object intentionally preserves deprecated compatibility fields
  * when supplied, so callers can keep legacy flows alive while validators and
  * runtime layers flag that debt explicitly.
+ *
+ * Transport note:
+ * - secure JOSE submission should place technical signing/encryption metadata
+ *   in the protected headers of the real JWS/JWE envelope
+ * - demo `application/didcomm-plaintext+json` flows may mirror those same
+ *   values into plaintext `meta.jws.protected` / `meta.jwe.header` as a
+ *   technical fallback expected by GW-compatible backends
+ * - that plaintext transport metadata must not replace the canonical
+ *   `controller.publicKeyJwk` / `controller.jwks` activation contract
  */
 export declare function buildOrganizationActivationRequest(input: BuildOrganizationActivationRequestInput): OrganizationActivationRequest;
 /**

package/dist/utils/activation-request.js

@@ -1,5 +1,6 @@
 // Copyright 2026 Antifraud Services Inc. under the Apache License, Version 2.0.
 import { IssueSeverity } from '../models/issue.js';
+import { JoseContentEncryptionAlgorithms } from '../constants/cryptography.js';
 function pushIssue(issues, severity, code, message, path) {
     issues.push({ severity, code, message, ...(path ? { path } : {}) });
 }
@@ -12,6 +13,22 @@ function normalizeJwkSet(publicKeys) {
     }
     return publicKeys;
 }
+function normalizeJwk(input) {
+    return input && typeof input === 'object'
+        ? input
+        : undefined;
+}
+function isEncryptionJwk(key) {
+    if (!key) {
+        return false;
+    }
+    const purposes = Array.isArray(key.purposes) ? key.purposes.map((value) => String(value)) : [];
+    const keyOps = Array.isArray(key.key_ops) ? key.key_ops.map((value) => String(value)) : [];
+    return String(key.use || '').trim() === 'enc'
+        || purposes.includes('didcomm-enc')
+        || keyOps.includes('encrypt')
+        || keyOps.includes('deriveKey');
+}
 /**
  * Builds the canonical controller/person binding from semantic variables.
  *
@@ -53,12 +70,69 @@ export function buildOrganizationBindingInput(input) {
         ...(jwks ? { jwks } : {}),
     };
 }
+/**
+ * Builds the technical plaintext transport metadata expected by GW-compatible
+ * demo flows.
+ *
+ * Transport rule:
+ * - in secure JOSE transport, these values belong in the protected JWS/JWE
+ *   headers of the real envelope
+ * - in `application/didcomm-plaintext+json`, there is no signed outer
+ *   envelope on the wire, so high-level SDK/BFF helpers may mirror the same
+ *   technical key identifiers and public JWKs into `meta.jws.protected` and
+ *   `meta.jwe.header`
+ *
+ * This is technical compatibility fallback only. The canonical activation
+ * contract remains `controller.publicKeyJwk` / `controller.jwks`.
+ */
+export function buildDidcommPlaintextTransportMetadata(input) {
+    const signingKey = normalizeJwk(input.controller?.publicKeyJwk);
+    const encryptionKey = normalizeJwk(input.controller?.jwks?.keys?.find((candidate) => isEncryptionJwk(normalizeJwk(candidate))));
+    if (!signingKey && !encryptionKey) {
+        return undefined;
+    }
+    return {
+        ...(signingKey
+            ? {
+                jws: {
+                    protected: {
+                        alg: String(signingKey.alg || '').trim() || 'none',
+                        kid: String(signingKey.kid || '').trim() || 'none',
+                        cty: String(input.contentType || '').trim() || 'application/didcomm-plaintext+json',
+                        jwk: signingKey,
+                    },
+                },
+            }
+            : {}),
+        ...(encryptionKey
+            ? {
+                jwe: {
+                    header: {
+                        alg: String(encryptionKey.alg || encryptionKey.crv || '').trim() || 'none',
+                        enc: JoseContentEncryptionAlgorithms.Aes256Gcm,
+                        skid: String(encryptionKey.kid || '').trim() || 'none',
+                        jwk: encryptionKey,
+                    },
+                },
+            }
+            : {}),
+    };
+}
 /**
  * Builds the canonical `_activate` request payload shared by SDK and GW helpers.
  *
  * The resulting object intentionally preserves deprecated compatibility fields
  * when supplied, so callers can keep legacy flows alive while validators and
  * runtime layers flag that debt explicitly.
+ *
+ * Transport note:
+ * - secure JOSE submission should place technical signing/encryption metadata
+ *   in the protected headers of the real JWS/JWE envelope
+ * - demo `application/didcomm-plaintext+json` flows may mirror those same
+ *   values into plaintext `meta.jws.protected` / `meta.jwe.header` as a
+ *   technical fallback expected by GW-compatible backends
+ * - that plaintext transport metadata must not replace the canonical
+ *   `controller.publicKeyJwk` / `controller.jwks` activation contract
  */
 export function buildOrganizationActivationRequest(input) {
     return {

package/dist/utils/communication-search-editor.d.ts

@@ -6,7 +6,7 @@ export declare const CommunicationSearchEntryTypes: Readonly<{
 export declare const CommunicationSearchOperationTypes: Readonly<{
     readonly Search: "search";
 }>;
-export type CommunicationSearchDraft = Readonly<{
+export type CommunicationSearchState = Readonly<{
     searchParams: Readonly<Record<string, string | number | boolean | readonly (string | number | boolean)[] | undefined>>;
     periodStart?: string;
     periodEnd?: string;
@@ -24,7 +24,7 @@ export type CommunicationSearchDraft = Readonly<{
  */
 export declare class CommunicationSearchEditor {
     private draft;
-    constructor(initial?: Partial<CommunicationSearchDraft>);
+    constructor(initial?: Partial<CommunicationSearchState>);
     setSearchParams(value: Readonly<Record<string, string | number | boolean | readonly (string | number | boolean)[] | undefined>>): this;
     setSearchParam(claimKey: string, value: string | number | boolean | readonly (string | number | boolean)[] | undefined): this;
     setSearchParamSender(value: string | readonly string[]): this;
@@ -36,7 +36,7 @@ export declare class CommunicationSearchEditor {
     setPeriodEnd(value: string): this;
     setPaginationCount(value: number): this;
     setPageNumber(value: number): this;
-    getDraft(): CommunicationSearchDraft;
+    getState(): CommunicationSearchState;
     toSearchInput(): CommunicationParticipantSearchInput;
     buildRequest(): FhirParametersResource;
     buildEntry(): {

package/dist/utils/communication-search-editor.js

@@ -121,7 +121,7 @@ export class CommunicationSearchEditor {
         this.draft = cloneDraft({ ...this.draft, page: value });
         return this;
     }
-    getDraft() {
+    getState() {
         return cloneDraft(this.draft);
     }
     toSearchInput() {

package/dist/utils/index.d.ts

@@ -48,6 +48,7 @@ export * from './fhir-validator';
 export * from './family-registration-test-data';
 export * from './individual-form-pdf';
 export * from './individual-organization-claims';
+export * from './organization-lifecycle';
 export * from './individual-organization-lifecycle';
 export * from './individual-onboarding-editor';
 export * from './individual-onboarding-document-reference';
@@ -57,6 +58,8 @@ export * from './invoice-bundle';
 export * from './ips-bundle-claims';
 export * from './interoperable-resource-operation';
 export * from './jwt';
+export * from './jwk-thumbprint';
+export * from './legal-organization-onboarding';
 export * from './license';
 export * from './license-commercial-search';
 export * from './license-list-search';

package/dist/utils/index.js

@@ -48,6 +48,7 @@ export * from './fhir-validator.js';
 export * from './family-registration-test-data.js';
 export * from './individual-form-pdf.js';
 export * from './individual-organization-claims.js';
+export * from './organization-lifecycle.js';
 export * from './individual-organization-lifecycle.js';
 export * from './individual-onboarding-editor.js';
 export * from './individual-onboarding-document-reference.js';
@@ -57,6 +58,8 @@ export * from './invoice-bundle.js';
 export * from './ips-bundle-claims.js';
 export * from './interoperable-resource-operation.js';
 export * from './jwt.js';
+export * from './jwk-thumbprint.js';
+export * from './legal-organization-onboarding.js';
 export * from './license.js';
 export * from './license-commercial-search.js';
 export * from './license-list-search.js';

package/dist/utils/individual-organization-lifecycle.d.ts

@@ -47,7 +47,7 @@ export type IndividualOrganizationLifecyclePayload = Readonly<{
         data: IndividualOrganizationLifecycleDataEntry[];
     };
 }>;
-export type IndividualOrganizationLifecycleDraftState = Readonly<{
+export type IndividualOrganizationLifecycleEditorState = Readonly<{
     operation: IndividualOrganizationLifecycleOperation;
     claims: IndividualOrganizationLifecycleClaims;
     resourceId?: string;
@@ -76,7 +76,7 @@ export declare function buildCurrentIndividualOrganizationLifecycleDataEntry(inp
  */
 export declare function buildCurrentIndividualOrganizationLifecyclePayload(input: IndividualOrganizationLifecyclePayloadInput): IndividualOrganizationLifecyclePayload;
 /**
- * High-level chainable draft for hosted individual/family lifecycle work.
+ * High-level chainable editor for hosted individual/family lifecycle work.
  *
  * Teaching goal:
  * - authors one canonical flat `org.schema.Organization.*` claim set
@@ -84,11 +84,12 @@ export declare function buildCurrentIndividualOrganizationLifecyclePayload(input
  * - can emit either a semantic lifecycle message or the current GW CORE
  *   payload shape used by `sdk-node`
  */
-export declare class IndividualOrganizationLifecycleDraft {
+export declare class IndividualOrganizationLifecycleEditor {
     private draft;
-    constructor(initial?: Partial<IndividualOrganizationLifecycleDraftState>);
+    constructor(initial?: Partial<IndividualOrganizationLifecycleEditorState>);
     mergeClaims(claims: IndividualOrganizationLifecycleClaims): this;
     setClaims(claims: IndividualOrganizationLifecycleClaims): this;
+    setContext(context: string): this;
     setIdentifier(identifier: string): this;
     setAlternateName(alternateName: string): this;
     setOwnerEmail(email: string): this;
@@ -96,8 +97,17 @@ export declare class IndividualOrganizationLifecycleDraft {
     setResourceId(resourceId?: string): this;
     setRequestType(requestType: string): this;
     setThreadId(thid: string): this;
+    getIdentifier(): string | undefined;
+    getContext(): string | undefined;
+    getAlternateName(): string | undefined;
+    getOwnerEmail(): string | undefined;
+    getOperation(): IndividualOrganizationLifecycleOperation;
+    getResourceId(): string | undefined;
+    getRequestType(): string | undefined;
+    getThreadId(): string | undefined;
     getClaims(): IndividualOrganizationLifecycleClaims;
-    getDraft(): IndividualOrganizationLifecycleDraftState;
+    getState(): IndividualOrganizationLifecycleEditorState;
+    getEditorState(): IndividualOrganizationLifecycleEditorState;
     toSemanticMessage(): IndividualOrganizationLifecycleSemanticMessage;
     buildCurrentGwDataEntry(): IndividualOrganizationLifecycleDataEntry;
     buildCurrentGwPayload(): IndividualOrganizationLifecyclePayload;

package/dist/utils/individual-organization-lifecycle.js

@@ -17,7 +17,10 @@ function normalizeText(value) {
 function normalizeDraft(draft) {
     return {
         operation: draft?.operation || IndividualOrganizationLifecycleOperations.Disable,
-        claims: cloneClaims(draft?.claims),
+        claims: {
+            '@context': 'org.schema',
+            ...cloneClaims(draft?.claims),
+        },
         resourceId: normalizeText(draft?.resourceId),
         requestType: normalizeText(draft?.requestType),
         thid: normalizeText(draft?.thid),
@@ -75,7 +78,7 @@ export function buildCurrentIndividualOrganizationLifecyclePayload(input) {
     };
 }
 /**
- * High-level chainable draft for hosted individual/family lifecycle work.
+ * High-level chainable editor for hosted individual/family lifecycle work.
  *
  * Teaching goal:
  * - authors one canonical flat `org.schema.Organization.*` claim set
@@ -83,7 +86,7 @@ export function buildCurrentIndividualOrganizationLifecyclePayload(input) {
  * - can emit either a semantic lifecycle message or the current GW CORE
  *   payload shape used by `sdk-node`
  */
-export class IndividualOrganizationLifecycleDraft {
+export class IndividualOrganizationLifecycleEditor {
     draft;
     constructor(initial) {
         this.draft = normalizeDraft(initial);
@@ -96,6 +99,15 @@ export class IndividualOrganizationLifecycleDraft {
         this.draft = patchDraft(this.draft, { claims });
         return this;
     }
+    setContext(context) {
+        this.draft = patchDraft(this.draft, {
+            claims: {
+                ...this.draft.claims,
+                '@context': String(context).trim(),
+            },
+        });
+        return this;
+    }
     setIdentifier(identifier) {
         this.draft = patchDraft(this.draft, {
             claims: {
@@ -139,12 +151,47 @@ export class IndividualOrganizationLifecycleDraft {
         this.draft = patchDraft(this.draft, { thid });
         return this;
     }
+    getIdentifier() {
+        const value = this.draft.claims[ClaimsOrganizationSchemaorg.identifier];
+        const normalized = normalizeText(value);
+        return normalized || undefined;
+    }
+    getContext() {
+        const value = this.draft.claims['@context'];
+        const normalized = normalizeText(value);
+        return normalized || undefined;
+    }
+    getAlternateName() {
+        const value = this.draft.claims[ClaimsOrganizationSchemaorg.alternateName];
+        const normalized = normalizeText(value);
+        return normalized || undefined;
+    }
+    getOwnerEmail() {
+        const value = this.draft.claims[ClaimsOrganizationSchemaorg.ownerEmail];
+        const normalized = normalizeText(value);
+        return normalized || undefined;
+    }
+    getOperation() {
+        return this.draft.operation;
+    }
+    getResourceId() {
+        return normalizeText(this.draft.resourceId) || undefined;
+    }
+    getRequestType() {
+        return normalizeText(this.draft.requestType) || undefined;
+    }
+    getThreadId() {
+        return normalizeText(this.draft.thid) || undefined;
+    }
     getClaims() {
         return cloneClaims(this.draft.claims);
     }
-    getDraft() {
+    getState() {
         return normalizeDraft(this.draft);
     }
+    getEditorState() {
+        return this.getState();
+    }
     toSemanticMessage() {
         return {
             operation: this.draft.operation,
@@ -156,7 +203,7 @@ export class IndividualOrganizationLifecycleDraft {
     buildCurrentGwDataEntry() {
         const requestType = normalizeText(this.draft.requestType);
         if (!requestType) {
-            throw new Error('IndividualOrganizationLifecycleDraft.buildCurrentGwDataEntry requires requestType.');
+            throw new Error('IndividualOrganizationLifecycleEditor.buildCurrentGwDataEntry requires requestType.');
         }
         return buildCurrentIndividualOrganizationLifecycleDataEntry({
             claims: this.getClaims(),
@@ -167,7 +214,7 @@ export class IndividualOrganizationLifecycleDraft {
     buildCurrentGwPayload() {
         const requestType = normalizeText(this.draft.requestType);
         if (!requestType) {
-            throw new Error('IndividualOrganizationLifecycleDraft.buildCurrentGwPayload requires requestType.');
+            throw new Error('IndividualOrganizationLifecycleEditor.buildCurrentGwPayload requires requestType.');
         }
         return {
             thid: this.draft.thid || createLifecycleThreadId(this.draft.operation),