gdc-common-utils-ts 1.6.0 → 1.8.0

package/README.md

@@ -131,6 +131,8 @@ The canonical API contract should live in JSDoc on exported code. The README act
 ### Communication / document utilities
 
 - [`initializeCommunicationIdentity(...)`](src/utils/communication-identity.ts)
+  - bootstraps the technical communication profile identity for a device/app/channel runtime
+  - do not teach its `entityId` as if it were the legal organization id
   - Derives the technical ML-DSA/ML-KEM communication identity for a device, portal, or app profile and returns JOSE header templates for `meta.jws.protected` and `meta.jwe.header`.
   - Uses explicit `seedMaterial` for deterministic derivation. Without `seedMaterial`, it defaults to random generation. `mode = deterministic` requires `seedMaterial`.
 - [`buildOrganizationDidWeb(...)`, `buildProfessionalDidWeb(...)`, `buildIndividualDidWeb(...)`](src/utils/did.ts)
@@ -208,7 +210,7 @@ The canonical API contract should live in JSDoc on exported code. The README act
   - Shared route contexts, controller binding fragments, and reusable helper builders.
   - `tenantId` is modeled as an identifier-like route token (`acme-id`), not as a friendly alternate name.
 - [`docs/LIFECYCLE_101.md`](docs/LIFECYCLE_101.md)
-  - Copy/paste lifecycle guide "for torpes" with semantic rules and reusable placeholders.
+  - Copy/paste lifecycle `101` guide with semantic rules and reusable placeholders.
 
 ## Documentation Naming Rules
 

package/dist/constants/actor-session.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Canonical actor-kind vocabulary shared across SDK packages.
+ */
+export declare const ActorKinds: Readonly<{
+    readonly HostOnboarding: "host_onboarding";
+    readonly OrganizationController: "organization_controller";
+    readonly OrganizationEmployee: "organization_employee";
+    readonly IndividualController: "individual_controller";
+    readonly IndividualMember: "individual_member";
+    readonly Professional: "professional";
+}>;
+/**
+ * Canonical capability vocabulary shared across SDK packages.
+ */
+export declare const ActorCapabilities: Readonly<{
+    readonly HostActivateOrganization: "host.activate_organization";
+    readonly HostConfirmOrder: "host.confirm_order";
+    readonly OrganizationCreateEmployee: "organization.create_employee";
+    readonly OrganizationDisableEmployee: "organization.disable_employee";
+    readonly OrganizationPurgeEmployee: "organization.purge_employee";
+    readonly OrganizationActivateDevice: "organization.activate_device";
+    readonly OrganizationIssueActivationCode: "organization.issue_activation_code";
+    readonly OrganizationRequestSmartToken: "organization.request_smart_token";
+    readonly IndividualBootstrap: "individual.bootstrap";
+    readonly IndividualDisable: "individual.disable";
+    readonly IndividualPurge: "individual.purge";
+    readonly IndividualImportIps: "individual.import_ips";
+    readonly IndividualGenerateDigitalTwin: "individual.generate_digital_twin";
+    readonly IndividualIngestCommunication: "individual.ingest_communication";
+    readonly IndividualUpsertRelatedPerson: "individual.upsert_related_person";
+    readonly IndividualMemberDisable: "individual_member.disable";
+    readonly IndividualMemberPurge: "individual_member.purge";
+    readonly ConsentGrantProfessionalAccess: "consent.grant_professional_access";
+    readonly ProfessionalMedication: "professional.medication";
+    readonly ProfessionalAppointment: "professional.appointment";
+    readonly ProfessionalRequestSmartToken: "professional.request_smart_token";
+    readonly TokenRequestSmart: "token.request_smart";
+}>;
+export type ActorKindsValue = typeof ActorKinds[keyof typeof ActorKinds];
+export type ActorCapabilitiesValue = typeof ActorCapabilities[keyof typeof ActorCapabilities];

package/dist/constants/actor-session.js

@@ -0,0 +1,40 @@
+// Copyright 2026 Antifraud Services Inc. under the Apache License, Version 2.0.
+// Always create JSDoc, do not use strings inline in keys nor values, use types instead, and reuse the data test examples.
+/**
+ * Canonical actor-kind vocabulary shared across SDK packages.
+ */
+export const ActorKinds = Object.freeze({
+    HostOnboarding: 'host_onboarding',
+    OrganizationController: 'organization_controller',
+    OrganizationEmployee: 'organization_employee',
+    IndividualController: 'individual_controller',
+    IndividualMember: 'individual_member',
+    Professional: 'professional',
+});
+/**
+ * Canonical capability vocabulary shared across SDK packages.
+ */
+export const ActorCapabilities = Object.freeze({
+    HostActivateOrganization: 'host.activate_organization',
+    HostConfirmOrder: 'host.confirm_order',
+    OrganizationCreateEmployee: 'organization.create_employee',
+    OrganizationDisableEmployee: 'organization.disable_employee',
+    OrganizationPurgeEmployee: 'organization.purge_employee',
+    OrganizationActivateDevice: 'organization.activate_device',
+    OrganizationIssueActivationCode: 'organization.issue_activation_code',
+    OrganizationRequestSmartToken: 'organization.request_smart_token',
+    IndividualBootstrap: 'individual.bootstrap',
+    IndividualDisable: 'individual.disable',
+    IndividualPurge: 'individual.purge',
+    IndividualImportIps: 'individual.import_ips',
+    IndividualGenerateDigitalTwin: 'individual.generate_digital_twin',
+    IndividualIngestCommunication: 'individual.ingest_communication',
+    IndividualUpsertRelatedPerson: 'individual.upsert_related_person',
+    IndividualMemberDisable: 'individual_member.disable',
+    IndividualMemberPurge: 'individual_member.purge',
+    ConsentGrantProfessionalAccess: 'consent.grant_professional_access',
+    ProfessionalMedication: 'professional.medication',
+    ProfessionalAppointment: 'professional.appointment',
+    ProfessionalRequestSmartToken: 'professional.request_smart_token',
+    TokenRequestSmart: 'token.request_smart',
+});

package/dist/constants/index.d.ts

@@ -1,3 +1,4 @@
+export * from './actor-session';
 export * from './communication';
 export * from './cryptography';
 export * from './device';
@@ -12,3 +13,5 @@ export * from './vital-signs';
 export * from './network';
 export * from './sectors';
 export * from './smart';
+export * from './service-capabilities';
+export * from './verifiable-credentials';

package/dist/constants/index.js

@@ -1,3 +1,4 @@
+export * from './actor-session.js';
 export * from './communication.js';
 export * from './cryptography.js';
 export * from './device.js';
@@ -12,3 +13,5 @@ export * from './vital-signs.js';
 export * from './network.js';
 export * from './sectors.js';
 export * from './smart.js';
+export * from './service-capabilities.js';
+export * from './verifiable-credentials.js';

package/dist/constants/service-capabilities.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Canonical capability families persisted through
+ * `org.schema.Service.serviceType`.
+ */
+export declare const ServiceCapabilityFamily: {
+    readonly Indexing: "indexing";
+    readonly DigitalTwin: "digitaltwin";
+};
+export type ServiceCapabilityFamilyValue = typeof ServiceCapabilityFamily[keyof typeof ServiceCapabilityFamily];
+/**
+ * Canonical capability tokens currently documented for tenant activation.
+ *
+ * The family prefix is the stable part of the contract. Suffixes such as
+ * `.rs` and `.cruds` can evolve independently across runtimes.
+ */
+export declare const ServiceCapabilityToken: {
+    readonly IndexingReadSearch: "indexing.rs";
+    readonly IndexingCruds: "indexing.cruds";
+    readonly DigitalTwinReadSearch: "digitaltwin.rs";
+    readonly DigitalTwinCruds: "digitaltwin.cruds";
+};
+export type ServiceCapabilityTokenValue = typeof ServiceCapabilityToken[keyof typeof ServiceCapabilityToken];
+/**
+ * SDK-facing capability names.
+ *
+ * These names are intentionally more explicit than the persisted claim tokens:
+ * - `Provider` maps to write/manage capability (`*.cruds`)
+ * - `Reader` maps to read/search capability (`*.rs`)
+ */
+export declare const ServiceCapability: {
+    readonly IndexingProvider: "indexing.cruds";
+    readonly IndexingReader: "indexing.rs";
+    readonly DigitalTwinProvider: "digitaltwin.cruds";
+    readonly DigitalTwinReader: "digitaltwin.rs";
+};
+export type ServiceCapabilityValue = typeof ServiceCapability[keyof typeof ServiceCapability];
+/**
+ * Parses the CSV stored in `org.schema.Service.serviceType`.
+ */
+export declare function parseServiceCapabilityTokens(value: unknown): string[];
+/**
+ * Serializes capability tokens into the canonical CSV claim format.
+ */
+export declare function serializeServiceCapabilityTokens(values: ReadonlyArray<string | undefined | null>): string | undefined;
+/**
+ * Returns the capability family prefix from a token.
+ */
+export declare function getServiceCapabilityFamily(value: string | undefined): string | undefined;
+/**
+ * Checks whether the claim contains at least one capability from the requested
+ * family.
+ */
+export declare function hasServiceCapabilityFamily(value: unknown, family: ServiceCapabilityFamilyValue | string): boolean;

package/dist/constants/service-capabilities.js

@@ -0,0 +1,72 @@
+// Copyright 2026 Antifraud Services Inc. under the Apache License, Version 2.0.
+// Always create JSDoc, do not use strings inline in keys nor values, use types instead, and reuse the data test examples.
+/**
+ * Canonical capability families persisted through
+ * `org.schema.Service.serviceType`.
+ */
+export const ServiceCapabilityFamily = {
+    Indexing: 'indexing',
+    DigitalTwin: 'digitaltwin',
+};
+/**
+ * Canonical capability tokens currently documented for tenant activation.
+ *
+ * The family prefix is the stable part of the contract. Suffixes such as
+ * `.rs` and `.cruds` can evolve independently across runtimes.
+ */
+export const ServiceCapabilityToken = {
+    IndexingReadSearch: 'indexing.rs',
+    IndexingCruds: 'indexing.cruds',
+    DigitalTwinReadSearch: 'digitaltwin.rs',
+    DigitalTwinCruds: 'digitaltwin.cruds',
+};
+/**
+ * SDK-facing capability names.
+ *
+ * These names are intentionally more explicit than the persisted claim tokens:
+ * - `Provider` maps to write/manage capability (`*.cruds`)
+ * - `Reader` maps to read/search capability (`*.rs`)
+ */
+export const ServiceCapability = {
+    IndexingProvider: ServiceCapabilityToken.IndexingCruds,
+    IndexingReader: ServiceCapabilityToken.IndexingReadSearch,
+    DigitalTwinProvider: ServiceCapabilityToken.DigitalTwinCruds,
+    DigitalTwinReader: ServiceCapabilityToken.DigitalTwinReadSearch,
+};
+/**
+ * Parses the CSV stored in `org.schema.Service.serviceType`.
+ */
+export function parseServiceCapabilityTokens(value) {
+    return Array.from(new Set(String(value || '')
+        .split(',')
+        .map((item) => item.trim())
+        .filter(Boolean)));
+}
+/**
+ * Serializes capability tokens into the canonical CSV claim format.
+ */
+export function serializeServiceCapabilityTokens(values) {
+    const normalized = Array.from(new Set(values
+        .map((item) => String(item || '').trim())
+        .filter(Boolean)));
+    return normalized.length ? normalized.join(',') : undefined;
+}
+/**
+ * Returns the capability family prefix from a token.
+ */
+export function getServiceCapabilityFamily(value) {
+    const normalized = String(value || '').trim().toLowerCase();
+    if (!normalized)
+        return undefined;
+    return normalized.split('.')[0] || undefined;
+}
+/**
+ * Checks whether the claim contains at least one capability from the requested
+ * family.
+ */
+export function hasServiceCapabilityFamily(value, family) {
+    const normalizedFamily = String(family || '').trim().toLowerCase();
+    if (!normalizedFamily)
+        return false;
+    return parseServiceCapabilityTokens(value).some((item) => getServiceCapabilityFamily(item) === normalizedFamily);
+}

package/dist/constants/verifiable-credentials.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Canonical W3C credential contexts reused by activation/VP helpers and tests.
+ *
+ * Keep these values centralized so examples and unit suites do not re-hardcode
+ * W3C context URLs inline.
+ */
+export declare const W3cCredentialContexts: Readonly<{
+    V1: "https://www.w3.org/2018/credentials/v1";
+    V2: "https://www.w3.org/ns/credentials/v2";
+}>;
+/**
+ * Canonical W3C credential and presentation base types.
+ */
+export declare const W3cCredentialTypes: Readonly<{
+    VerifiableCredential: "VerifiableCredential";
+    VerifiablePresentation: "VerifiablePresentation";
+}>;
+/**
+ * Canonical activation VC subtype names currently accepted by CORE helpers.
+ *
+ * Notes:
+ * - `LegalOrganizationCredential` and `PersonCredential` remain accepted as
+ *   compatibility aliases while ICA/GW contracts converge.
+ * - Example/test code must import these constants instead of re-hardcoding the
+ *   subtype strings inline.
+ */
+export declare const ActivationCredentialTypes: Readonly<{
+    OrganizationCredential: "OrganizationCredential";
+    LegalOrganizationCredential: "LegalOrganizationCredential";
+    LegalRepresentativeCredential: "LegalRepresentativeCredential";
+    PersonCredential: "PersonCredential";
+}>;
+export declare const ORGANIZATION_ACTIVATION_VC_TYPES: readonly ("OrganizationCredential" | "LegalOrganizationCredential")[];
+export declare const REPRESENTATIVE_ACTIVATION_VC_TYPES: readonly ("LegalRepresentativeCredential" | "PersonCredential")[];

package/dist/constants/verifiable-credentials.js

@@ -0,0 +1,42 @@
+// Copyright 2026 Antifraud Services Inc. under the Apache License, Version 2.0.
+// Always create JSDoc, do not use strings inline in keys nor values, use types instead, and reuse the data test examples.
+/**
+ * Canonical W3C credential contexts reused by activation/VP helpers and tests.
+ *
+ * Keep these values centralized so examples and unit suites do not re-hardcode
+ * W3C context URLs inline.
+ */
+export const W3cCredentialContexts = Object.freeze({
+    V1: 'https://www.w3.org/2018/credentials/v1',
+    V2: 'https://www.w3.org/ns/credentials/v2',
+});
+/**
+ * Canonical W3C credential and presentation base types.
+ */
+export const W3cCredentialTypes = Object.freeze({
+    VerifiableCredential: 'VerifiableCredential',
+    VerifiablePresentation: 'VerifiablePresentation',
+});
+/**
+ * Canonical activation VC subtype names currently accepted by CORE helpers.
+ *
+ * Notes:
+ * - `LegalOrganizationCredential` and `PersonCredential` remain accepted as
+ *   compatibility aliases while ICA/GW contracts converge.
+ * - Example/test code must import these constants instead of re-hardcoding the
+ *   subtype strings inline.
+ */
+export const ActivationCredentialTypes = Object.freeze({
+    OrganizationCredential: 'OrganizationCredential',
+    LegalOrganizationCredential: 'LegalOrganizationCredential',
+    LegalRepresentativeCredential: 'LegalRepresentativeCredential',
+    PersonCredential: 'PersonCredential',
+});
+export const ORGANIZATION_ACTIVATION_VC_TYPES = Object.freeze([
+    ActivationCredentialTypes.OrganizationCredential,
+    ActivationCredentialTypes.LegalOrganizationCredential,
+]);
+export const REPRESENTATIVE_ACTIVATION_VC_TYPES = Object.freeze([
+    ActivationCredentialTypes.LegalRepresentativeCredential,
+    ActivationCredentialTypes.PersonCredential,
+]);

package/dist/examples/api-flow-examples.d.ts

@@ -6,6 +6,7 @@
  * while preserving a stable migration target for older imports.
  */
 export * from './shared';
+export * from './ica-activation-proof';
 export * from './organization-controller';
 export * from './individual-controller';
 export * from './professional';

package/dist/examples/api-flow-examples.js

@@ -7,6 +7,7 @@
  * while preserving a stable migration target for older imports.
  */
 export * from './shared.js';
+export * from './ica-activation-proof.js';
 export * from './organization-controller.js';
 export * from './individual-controller.js';
 export * from './professional.js';

package/dist/examples/consent-access.d.ts

@@ -1,7 +1,8 @@
+import { ClaimConsent, type ConsentRule } from '../models/consent-rule';
+import { EXAMPLE_EMAIL_PROFESSIONAL, EXAMPLE_EMAIL_RELATED_PERSON } from './shared';
 export declare const EXAMPLE_INDIVIDUAL_DID_WEB: "did:web:api.acme.org:individual:123";
 export declare const EXAMPLE_PROVIDER_ORGANIZATION_DID_WEB: "did:web:hospital.acme.org";
-export declare const EXAMPLE_EMAIL_PROFESSIONAL: "doctor.oncall@example.org";
-export declare const EXAMPLE_EMAIL_RELATED_PERSON: "parent.guardian@example.org";
+export { EXAMPLE_EMAIL_PROFESSIONAL, EXAMPLE_EMAIL_RELATED_PERSON };
 export declare const EXAMPLE_CONSENT_ACCESS_JURISDICTION: "ES";
 /**
  * Legacy compatibility aliases kept so older docs/tests/imports continue to work
@@ -12,132 +13,15 @@ export declare const EXAMPLE_CONSENT_ACCESS_PROVIDER_DID: "did:web:hospital.acme
 export declare const EXAMPLE_CONSENT_ACCESS_PROVIDER_EMAIL: "doctor.oncall@example.org";
 export declare const EXAMPLE_CONSENT_ACCESS_RELATED_PERSON_EMAIL: "parent.guardian@example.org";
 export declare const EXAMPLE_CONSENT_ACCESS_RULES: Readonly<{
-    physicianByEmailContinuousCare: {
-        readonly 'Consent.date': "2026-05-20";
-        readonly 'Consent.period-end'?: string | undefined;
-        readonly 'Consent.period-start'?: string | undefined;
-        readonly 'Consent.resourceType'?: string | undefined;
-        readonly '@context': "org.hl7.fhir.api";
-        readonly 'Consent.identifier': string;
-        readonly 'Consent.subject': "did:web:api.acme.org:individual:123";
-        readonly 'Consent.actor-identifier': string;
-        readonly 'Consent.actor-role': string;
-        readonly 'Consent.decision': "permit" | "deny";
-        readonly 'Consent.purpose': string;
-        readonly 'Consent.action': string;
-    };
-    physicianByEmailEmergency: {
-        readonly 'Consent.date': "2026-05-20";
-        readonly 'Consent.period-end'?: string | undefined;
-        readonly 'Consent.period-start'?: string | undefined;
-        readonly 'Consent.resourceType'?: string | undefined;
-        readonly '@context': "org.hl7.fhir.api";
-        readonly 'Consent.identifier': string;
-        readonly 'Consent.subject': "did:web:api.acme.org:individual:123";
-        readonly 'Consent.actor-identifier': string;
-        readonly 'Consent.actor-role': string;
-        readonly 'Consent.decision': "permit" | "deny";
-        readonly 'Consent.purpose': string;
-        readonly 'Consent.action': string;
-    };
-    physicianByOrganizationContinuousCare: {
-        readonly 'Consent.date': "2026-05-20";
-        readonly 'Consent.period-end'?: string | undefined;
-        readonly 'Consent.period-start'?: string | undefined;
-        readonly 'Consent.resourceType'?: string | undefined;
-        readonly '@context': "org.hl7.fhir.api";
-        readonly 'Consent.identifier': string;
-        readonly 'Consent.subject': "did:web:api.acme.org:individual:123";
-        readonly 'Consent.actor-identifier': string;
-        readonly 'Consent.actor-role': string;
-        readonly 'Consent.decision': "permit" | "deny";
-        readonly 'Consent.purpose': string;
-        readonly 'Consent.action': string;
-    };
-    physicianByJurisdictionEmergency: {
-        readonly 'Consent.date': "2026-05-20";
-        readonly 'Consent.period-end'?: string | undefined;
-        readonly 'Consent.period-start'?: string | undefined;
-        readonly 'Consent.resourceType'?: string | undefined;
-        readonly '@context': "org.hl7.fhir.api";
-        readonly 'Consent.identifier': string;
-        readonly 'Consent.subject': "did:web:api.acme.org:individual:123";
-        readonly 'Consent.actor-identifier': string;
-        readonly 'Consent.actor-role': string;
-        readonly 'Consent.decision': "permit" | "deny";
-        readonly 'Consent.purpose': string;
-        readonly 'Consent.action': string;
-    };
-    nurseByOrganization: {
-        readonly 'Consent.date': "2026-05-20";
-        readonly 'Consent.period-end'?: string | undefined;
-        readonly 'Consent.period-start'?: string | undefined;
-        readonly 'Consent.resourceType'?: string | undefined;
-        readonly '@context': "org.hl7.fhir.api";
-        readonly 'Consent.identifier': string;
-        readonly 'Consent.subject': "did:web:api.acme.org:individual:123";
-        readonly 'Consent.actor-identifier': string;
-        readonly 'Consent.actor-role': string;
-        readonly 'Consent.decision': "permit" | "deny";
-        readonly 'Consent.purpose': string;
-        readonly 'Consent.action': string;
-    };
-    paramedicByJurisdiction: {
-        readonly 'Consent.date': "2026-05-20";
-        readonly 'Consent.period-end'?: string | undefined;
-        readonly 'Consent.period-start'?: string | undefined;
-        readonly 'Consent.resourceType'?: string | undefined;
-        readonly '@context': "org.hl7.fhir.api";
-        readonly 'Consent.identifier': string;
-        readonly 'Consent.subject': "did:web:api.acme.org:individual:123";
-        readonly 'Consent.actor-identifier': string;
-        readonly 'Consent.actor-role': string;
-        readonly 'Consent.decision': "permit" | "deny";
-        readonly 'Consent.purpose': string;
-        readonly 'Consent.action': string;
-    };
-    directPhysicianDenyInsideAllowedOrganization: {
-        readonly 'Consent.date': "2026-05-20";
-        readonly 'Consent.period-end'?: string | undefined;
-        readonly 'Consent.period-start'?: string | undefined;
-        readonly 'Consent.resourceType'?: string | undefined;
-        readonly '@context': "org.hl7.fhir.api";
-        readonly 'Consent.identifier': string;
-        readonly 'Consent.subject': "did:web:api.acme.org:individual:123";
-        readonly 'Consent.actor-identifier': string;
-        readonly 'Consent.actor-role': string;
-        readonly 'Consent.decision': "permit" | "deny";
-        readonly 'Consent.purpose': string;
-        readonly 'Consent.action': string;
-    };
-    relatedPersonByEmail: {
-        readonly 'Consent.date': "2026-05-20";
-        readonly 'Consent.period-end'?: string | undefined;
-        readonly 'Consent.period-start'?: string | undefined;
-        readonly 'Consent.resourceType'?: string | undefined;
-        readonly '@context': "org.hl7.fhir.api";
-        readonly 'Consent.identifier': string;
-        readonly 'Consent.subject': "did:web:api.acme.org:individual:123";
-        readonly 'Consent.actor-identifier': string;
-        readonly 'Consent.actor-role': string;
-        readonly 'Consent.decision': "permit" | "deny";
-        readonly 'Consent.purpose': string;
-        readonly 'Consent.action': string;
-    };
-    revokedPhysicianEmailConsent: {
-        readonly 'Consent.date': "2026-05-20";
-        readonly 'Consent.period-end'?: string | undefined;
-        readonly 'Consent.period-start'?: string | undefined;
-        readonly 'Consent.resourceType'?: string | undefined;
-        readonly '@context': "org.hl7.fhir.api";
-        readonly 'Consent.identifier': string;
-        readonly 'Consent.subject': "did:web:api.acme.org:individual:123";
-        readonly 'Consent.actor-identifier': string;
-        readonly 'Consent.actor-role': string;
-        readonly 'Consent.decision': "permit" | "deny";
-        readonly 'Consent.purpose': string;
-        readonly 'Consent.action': string;
-    };
+    physicianByEmailContinuousCare: ConsentRule & Partial<Record<ClaimConsent.resourceType, string>>;
+    physicianByEmailEmergency: ConsentRule & Partial<Record<ClaimConsent.resourceType, string>>;
+    physicianByOrganizationContinuousCare: ConsentRule & Partial<Record<ClaimConsent.resourceType, string>>;
+    physicianByJurisdictionEmergency: ConsentRule & Partial<Record<ClaimConsent.resourceType, string>>;
+    nurseByOrganization: ConsentRule & Partial<Record<ClaimConsent.resourceType, string>>;
+    paramedicByJurisdiction: ConsentRule & Partial<Record<ClaimConsent.resourceType, string>>;
+    directPhysicianDenyInsideAllowedOrganization: ConsentRule & Partial<Record<ClaimConsent.resourceType, string>>;
+    relatedPersonByEmail: ConsentRule & Partial<Record<ClaimConsent.resourceType, string>>;
+    revokedPhysicianEmailConsent: ConsentRule & Partial<Record<ClaimConsent.resourceType, string>>;
 }>;
 export declare const EXAMPLE_CONSENT_PHONE_EXTENSION_PENDING: Readonly<{
     target: "tel:+34600111222";

package/dist/examples/consent-access.js

@@ -1,11 +1,12 @@
 // Copyright 2026 Antifraud Services Inc. under the Apache License, Version 2.0.
 import { HealthcareActorRoles, HealthcareBasicSections, HealthcareConsentPurposes, } from '../constants/healthcare.js';
+import { ClaimConsent } from '../models/consent-rule.js';
 import { ResourceTypesFhirR4 } from '../constants/fhir-resource-types.js';
-export const EXAMPLE_INDIVIDUAL_DID_WEB = 'did:web:api.acme.org:individual:123';
-export const EXAMPLE_PROVIDER_ORGANIZATION_DID_WEB = 'did:web:hospital.acme.org';
-export const EXAMPLE_EMAIL_PROFESSIONAL = 'doctor.oncall@example.org';
-export const EXAMPLE_EMAIL_RELATED_PERSON = 'parent.guardian@example.org';
-export const EXAMPLE_CONSENT_ACCESS_JURISDICTION = 'ES';
+import { EXAMPLE_CONSENT_DATE, EXAMPLE_CONSENT_PERIOD_END, EXAMPLE_EMAIL_PROFESSIONAL, EXAMPLE_EMAIL_RELATED_PERSON, EXAMPLE_HEALTHCARE_JURISDICTION, EXAMPLE_PROVIDER_ORGANIZATION_DID, EXAMPLE_RELATED_PERSON_ROLE, EXAMPLE_SUBJECT_DID, } from './shared.js';
+export const EXAMPLE_INDIVIDUAL_DID_WEB = EXAMPLE_SUBJECT_DID;
+export const EXAMPLE_PROVIDER_ORGANIZATION_DID_WEB = EXAMPLE_PROVIDER_ORGANIZATION_DID;
+export { EXAMPLE_EMAIL_PROFESSIONAL, EXAMPLE_EMAIL_RELATED_PERSON };
+export const EXAMPLE_CONSENT_ACCESS_JURISDICTION = EXAMPLE_HEALTHCARE_JURISDICTION;
 /**
  * Legacy compatibility aliases kept so older docs/tests/imports continue to work
  * while the canonical variable names converge.
@@ -14,20 +15,28 @@ export const EXAMPLE_CONSENT_ACCESS_SUBJECT = EXAMPLE_INDIVIDUAL_DID_WEB;
 export const EXAMPLE_CONSENT_ACCESS_PROVIDER_DID = EXAMPLE_PROVIDER_ORGANIZATION_DID_WEB;
 export const EXAMPLE_CONSENT_ACCESS_PROVIDER_EMAIL = EXAMPLE_EMAIL_PROFESSIONAL;
 export const EXAMPLE_CONSENT_ACCESS_RELATED_PERSON_EMAIL = EXAMPLE_EMAIL_RELATED_PERSON;
+/**
+ * Consent example builder used by docs/tests.
+ *
+ * Contract note:
+ * repeated actor identifiers, dates, jurisdictions, role fixtures, and
+ * canonical consent claim keys must be imported, never re-hardcoded inline in
+ * each example rule.
+ */
 function buildRule(input) {
     return {
         '@context': 'org.hl7.fhir.api',
-        'Consent.identifier': input.identifier,
-        'Consent.subject': EXAMPLE_INDIVIDUAL_DID_WEB,
-        'Consent.actor-identifier': input.actorIdentifier,
-        'Consent.actor-role': input.actorRole,
-        'Consent.decision': input.decision || 'permit',
-        'Consent.purpose': input.purpose,
-        'Consent.action': input.actions.join(','),
-        ...(input.resourceTypes?.length ? { 'Consent.resourceType': input.resourceTypes.join(',') } : {}),
-        ...(input.periodStart ? { 'Consent.period-start': input.periodStart } : {}),
-        ...(input.periodEnd ? { 'Consent.period-end': input.periodEnd } : {}),
-        'Consent.date': '2026-05-20',
+        [ClaimConsent.identifier]: input.identifier,
+        [ClaimConsent.subject]: EXAMPLE_INDIVIDUAL_DID_WEB,
+        [ClaimConsent.actorIdentifier]: input.actorIdentifier,
+        [ClaimConsent.actorRole]: input.actorRole,
+        [ClaimConsent.decision]: input.decision || 'permit',
+        [ClaimConsent.purpose]: input.purpose,
+        [ClaimConsent.action]: input.actions.join(','),
+        ...(input.resourceTypes?.length ? { [ClaimConsent.resourceType]: input.resourceTypes.join(',') } : {}),
+        ...(input.periodStart ? { [ClaimConsent.periodStart]: input.periodStart } : {}),
+        ...(input.periodEnd ? { [ClaimConsent.periodEnd]: input.periodEnd } : {}),
+        [ClaimConsent.date]: EXAMPLE_CONSENT_DATE,
     };
 }
 export const EXAMPLE_CONSENT_ACCESS_RULES = Object.freeze({
@@ -91,7 +100,7 @@ export const EXAMPLE_CONSENT_ACCESS_RULES = Object.freeze({
     relatedPersonByEmail: buildRule({
         identifier: 'urn:uuid:consent-related-person-email',
         actorIdentifier: EXAMPLE_EMAIL_RELATED_PERSON,
-        actorRole: 'v3-RoleCode|RESPRSN',
+        actorRole: EXAMPLE_RELATED_PERSON_ROLE,
         purpose: HealthcareConsentPurposes.Treatment,
         actions: [HealthcareBasicSections.PatientSummaryDocument.claim],
         resourceTypes: [ResourceTypesFhirR4.Composition, ResourceTypesFhirR4.DocumentReference],
@@ -102,7 +111,7 @@ export const EXAMPLE_CONSENT_ACCESS_RULES = Object.freeze({
         actorRole: HealthcareActorRoles.Physician,
         purpose: HealthcareConsentPurposes.EmergencyTreatment,
         actions: [HealthcareBasicSections.PatientSummaryDocument.claim],
-        periodEnd: '2026-05-01T00:00:00Z',
+        periodEnd: EXAMPLE_CONSENT_PERIOD_END,
     }),
 });
 export const EXAMPLE_CONSENT_PHONE_EXTENSION_PENDING = Object.freeze({

package/dist/examples/contract-examples.d.ts

@@ -6,6 +6,7 @@
  * breaking while the examples are reorganized by flow/case of use.
  */
 export * from './shared';
+export * from './ica-activation-proof';
 export * from './organization-controller';
 export * from './individual-controller';
 export * from './professional';

package/dist/examples/contract-examples.js

@@ -7,6 +7,7 @@
  * breaking while the examples are reorganized by flow/case of use.
  */
 export * from './shared.js';
+export * from './ica-activation-proof.js';
 export * from './organization-controller.js';
 export * from './individual-controller.js';
 export * from './professional.js';

package/dist/examples/frontend-session.d.ts

@@ -1,7 +1,3 @@
-/**
- * Examples for frontend session/profile bootstrap flows.
- */
-export declare const EXAMPLE_PROFILE_PROVIDER_DID = "did:web:provider.example.org";
 export declare const EXAMPLE_PROFILE_SESSION_INPUT: {
     readonly profileId: " profile-1 ";
     readonly email: " user@example.com ";

package/dist/examples/frontend-session.js

@@ -1,18 +1,24 @@
 // Copyright 2026 Antifraud Services Inc. under the Apache License, Version 2.0.
 /**
  * Examples for frontend session/profile bootstrap flows.
+ *
+ * Note:
+ *
+ * - profile/provider identifiers in this file are synthetic fixtures imported
+ *   from `./shared`
+ * - do not inline DID/email/profile literals directly in frontend examples
  */
-export const EXAMPLE_PROFILE_PROVIDER_DID = 'did:web:provider.example.org';
+import { EXAMPLE_PROFILE_EMAIL, EXAMPLE_PROFILE_ID, EXAMPLE_PROFILE_ORGANIZATION_DID, } from './shared.js';
 export const EXAMPLE_PROFILE_SESSION_INPUT = {
-    profileId: ' profile-1 ',
-    email: ' user@example.com ',
+    profileId: ` ${EXAMPLE_PROFILE_ID} `,
+    email: ` ${EXAMPLE_PROFILE_EMAIL} `,
     role: ' controller ',
-    providerDid: ' did:web:org.example ',
+    providerDid: ` ${EXAMPLE_PROFILE_ORGANIZATION_DID} `,
     appType: 'Family',
 };
 export const EXAMPLE_PROFILE_REGISTRY_ENTRY = {
-    id: 'profile-1',
-    email: 'user@example.com',
+    id: EXAMPLE_PROFILE_ID,
+    email: EXAMPLE_PROFILE_EMAIL,
     role: 'controller',
-    providerDid: 'did:web:org.example',
+    providerDid: EXAMPLE_PROFILE_ORGANIZATION_DID,
 };