gdc-sdk-client-ts 1.0.3 → 1.1.0

package/README.md

@@ -141,14 +141,14 @@ The `SmartTokenManager` within the SDK handles this flow automatically. API serv
 
 1.  **The `API_INTEGRATORS_GUIDE.md` is the Source of Truth:** All API method implementations, service selectors, and payload structures **must** be based on the official documentation available at `https://raw.githubusercontent.com/Global-DataCare/docs/refs/heads/main/API_INTEGRATORS_GUIDE.md`. The SDK should not invent or assume logic.
 2.  **Test Data is the Second Source of Truth:** The mock data files in `client-sdk-ts/__tests__/data/` are sourced from the backend's own test suite and documentation. They represent the ground truth for API responses and **must** be used for all Jest tests and for the in-app `DEMO_MODE`.
-3.  **Specific Methods are Simple, The Engine is Smart:** A specific API method (e.g., `createOrganization`) is responsible for knowing the "what" (the endpoint selector, the payload). The `BaseApiService` engine (`resolveAndExecute`) is responsible for the "how" (DID resolution, message construction, job submission).
+3.  **Specific Methods are Simple, The Engine is Smart:** A specific API method (e.g., `startOrganizationRegistration`) is responsible for knowing the "what" (the endpoint selector, the payload). The `BaseApiService` engine (`resolveAndExecute`) is responsible for the "how" (DID resolution, message construction, job submission).
 
 ## End-to-End Onboarding Flow
 
 The SDK is designed to follow a specific, multi-step business process for onboarding a new organization.
 
-1.  **`orgAdmin.admin.createOrganization()`**: A legal representative, authenticated with an external OIDC `id_token`, submits the organization's details to the **Host Provider's DID**. The async response will contain an `Offer`.
-2.  **`orgAdmin.admin.confirmOrder()`**: The representative accepts the offer by submitting an order, again to the **Host Provider's DID**. The async response will contain a set of license codes.
+1.  **`orgAdmin.admin.startOrganizationRegistration()`**: A legal representative, authenticated with an external OIDC `id_token`, submits the organization's details. The SDK automatically resolves and targets the operator host DID for this onboarding call. The async response will contain an `Offer`.
+2.  **`orgAdmin.admin.confirmOrganizationRegistration()`**: The representative accepts the offer by submitting an order. The SDK again resolves the operator host DID automatically. The async response will contain a set of license codes.
 3.  **Payment (External)**: If required, the user completes the payment flow.
 4.  **`common.auth.activateDevice()`**: The representative (or another employee) uses a valid license code to register their device. This is a DCR (Dynamic Client Registration) call made to the **Gateway's (Tenant's) DID**. This call creates the `client_id` (`did:web`) for the device and marks it as active.
 5.  **`smartToken` Acquisition**: From this point forward, all API calls are authorized (Post-DCR) and must acquire a `smartToken`. The SDK handles this automatically using the device's identity (via `private_key_jwt`) and the user's `id_token`.
@@ -316,16 +316,15 @@ const session = await sdk.initializeSession({
 const orgAdminService = session.orgAdmin.admin;
 
 // --- Step 2: Create the Organization ---
-// This call is directed at the HOST's DID.
-const hostDid = 'did:web:provider.example.com';
+// The SDK derives the operator host DID from `providerDid`.
 const orgClaims = { /* ... organization registration data ... */ };
-const { thid: createOrgThid } = await orgAdminService.createOrganization(orgClaims, hostDid, legalRepIdToken);
+const { thid: createOrgThid } = await orgAdminService.startOrganizationRegistration(orgClaims, legalRepIdToken);
 // Poll for the result, which will contain an Offer...
 
 // --- Step 3: Confirm the Order ---
-// The user accepts the offer. This call is also to the HOST's DID.
+// The user accepts the offer. The SDK keeps targeting the operator host DID internally.
 const offerId = '...'; // From the result of the previous step
-const { thid: confirmOrderThid } = await orgAdminService.confirmOrder(offerId, hostDid, legalRepIdToken);
+const { thid: confirmOrderThid } = await orgAdminService.confirmOrganizationRegistration(offerId, legalRepIdToken);
 // Poll for the result, which will contain a license code...
 
 // --- Step 4: Activate the First Device ---
@@ -337,7 +336,7 @@ const { thid: activateThid } = await commonAuthService.activateDevice(licenseCod
 ```
 
 ### Note on Production vs. Test Onboarding
-The self-service `createOrganization` flow detailed above is intended for the **`test-network`**. Onboarding a new organization in the **production** environment involves a manual verification process by the host provider to ensure the legitimacy of the legal entity.
+The self-service `startOrganizationRegistration` flow detailed above is intended for the **`test-network`**. Onboarding a new organization in the **production** environment involves a manual verification process by the host provider to ensure the legitimacy of the legal entity.
 
 ## Testing
 

package/dist/ClientSDK.d.ts

@@ -0,0 +1,56 @@
+import { IWallet } from 'gdc-common-utils-ts/interfaces/IWallet';
+import { IVaultRepository } from './interfaces/IVaultRepository';
+import { ProfileManager } from './ProfileManager';
+import { SdkConfig } from './interfaces/others';
+import { DidDocument } from 'gdc-common-utils-ts/models/did';
+import { IVerifier } from './interfaces/ITrustRegistry';
+import { AppInfo } from './interfaces/others';
+import { ProfileRegistry } from './ProfileRegistry';
+/**
+ * The parameters required to initialize a user session.
+ */
+export interface InitializeSessionParams {
+    profileId?: string;
+    email: string;
+    role: string;
+    providerDid: string;
+    appType?: AppInfo['appType'];
+    familyId?: string;
+}
+/**
+ * @class ClientSDK
+ * The main entry point for the client-side SDK.
+ */
+export declare class ClientSDK {
+    private sdkConfig;
+    private appInfo;
+    private wallet;
+    private verifier;
+    private icaDid;
+    private _fetch;
+    currentSession: ProfileManager | null;
+    profileRegistry: ProfileRegistry | null;
+    get operationMode(): string;
+    /**
+     * Dynamically adds a mock DID Document to the SDK's configuration for DEMO mode.
+     * This allows the UI to inject mock data at runtime to bypass network failures.
+     * @param did The DID to mock.
+     * @param didDoc The DID Document to return when the DID is resolved.
+     */
+    addMockDidDocument(did: string, didDoc: DidDocument): void;
+    constructor(sdkConfig: SdkConfig, appInfo: AppInfo, wallet: IWallet, verifier: IVerifier, icaDid: string);
+    /**
+     * The single, unified method for creating a new user session.
+     * This method orchestrates the entire trust verification and session creation flow.
+     */
+    initializeSession(params: InitializeSessionParams, createVault: (profileId: string) => IVaultRepository): Promise<ProfileManager>;
+    private _createProfileManager;
+    /**
+     * Shuts down the currently active session.
+     */
+    initializeProfileRegistry(createVault: (registryId: string) => IVaultRepository, registryId?: string): Promise<ProfileRegistry>;
+    shutdownSession(): void;
+    private normalizeRoleCodeForDid;
+    private constructEmployeeDid;
+    private constructIndividualDid;
+}

package/dist/ClientSDK.js

@@ -0,0 +1,202 @@
+// Copyright 2025 Antifraud Services Inc. under the Apache License, Version 2.0.
+// File: client-sdk-ts/src/ClientSDK.ts
+import { ProfileManager } from './ProfileManager.js';
+import { getBaseUrlFromDidWeb, normalizeDidWeb } from 'gdc-common-utils-ts/utils/did';
+import { ProfileRegistry } from './ProfileRegistry.js';
+/**
+ * @class ClientSDK
+ * The main entry point for the client-side SDK.
+ */
+export class ClientSDK {
+    get operationMode() {
+        return this.sdkConfig.api.operationMode;
+    }
+    /**
+     * Dynamically adds a mock DID Document to the SDK's configuration for DEMO mode.
+     * This allows the UI to inject mock data at runtime to bypass network failures.
+     * @param did The DID to mock.
+     * @param didDoc The DID Document to return when the DID is resolved.
+     */
+    addMockDidDocument(did, didDoc) {
+        if (!this.sdkConfig.mockOptions) {
+            this.sdkConfig.mockOptions = {};
+        }
+        if (!this.sdkConfig.mockOptions.resolvedDidDocs) {
+            this.sdkConfig.mockOptions.resolvedDidDocs = {};
+        }
+        this.sdkConfig.mockOptions.resolvedDidDocs[did] = didDoc;
+        console.log(`[SDK-MOCK] Injected mock for DID: ${did}`);
+    }
+    constructor(sdkConfig, appInfo, wallet, verifier, icaDid) {
+        var _a;
+        this.currentSession = null;
+        this.profileRegistry = null;
+        if (!sdkConfig || !appInfo || !wallet || !verifier || !icaDid) {
+            throw new Error("ClientSDK requires sdkConfig, appInfo, wallet, verifier, and an icaDid.");
+        }
+        this.sdkConfig = Object.assign({}, sdkConfig);
+        this.appInfo = appInfo;
+        this.wallet = wallet;
+        this.verifier = verifier;
+        this.icaDid = icaDid;
+        // --- Mockable Fetcher Initialization (Remains the same) ---
+        if ((_a = this.sdkConfig.mockOptions) === null || _a === void 0 ? void 0 : _a.apiResponse) {
+            console.warn("SDK is in MOCK API mode. Real network calls will be bypassed.");
+            const mock = this.sdkConfig.mockOptions.apiResponse;
+            this._fetch = async (url, options) => {
+                var _a;
+                console.log(`[MOCK FETCH] Intercepted call to: ${url}`);
+                if ((_a = options === null || options === void 0 ? void 0 : options.body) === null || _a === void 0 ? void 0 : _a.includes('thid=')) {
+                    console.log(`[MOCK FETCH] Simulating FINAL polling response with status: ${mock.finalPolledStatus || 200}`);
+                    return new Response(JSON.stringify(mock.body || {}), {
+                        status: mock.finalPolledStatus || 200,
+                        headers: { 'Content-Type': 'application/json' },
+                    });
+                }
+                console.log(`[MOCK FETCH] Simulating INITIAL response with status: ${mock.status}`);
+                const headers = new Headers({ 'Content-Type': 'application/json' });
+                if (mock.status === 202) {
+                    headers.set('Location', 'https://mock.example.com/poll/12345');
+                }
+                return new Response(mock.status === 202 ? '' : JSON.stringify(mock.body || {}), {
+                    status: mock.status,
+                    headers: headers,
+                });
+            };
+        }
+        else {
+            this._fetch = this.sdkConfig.fetcher;
+        }
+        this.sdkConfig.fetcher = this._fetch;
+    }
+    /**
+     * The single, unified method for creating a new user session.
+     * This method orchestrates the entire trust verification and session creation flow.
+     */
+    async initializeSession(params, createVault) {
+        var _a, _b, _c, _d;
+        this.shutdownSession();
+        // The entry point is the DID. The SDK resolves it to a URL for fetching.
+        const { providerDid } = params;
+        const providerUrl = getBaseUrlFromDidWeb(providerDid);
+        // --- STEP 0: CHECK FOR MOCK OVERRIDE ---
+        // The key for mock resolution is always the providerDid.
+        const mockDidDocs = (_a = this.sdkConfig.mockOptions) === null || _a === void 0 ? void 0 : _a.resolvedDidDocs;
+        if (mockDidDocs && mockDidDocs[providerDid]) {
+            console.warn(`[MOCK] Bypassing trust verification. Using mocked DID Document for ${providerDid}`);
+            const trustedDidDoc = mockDidDocs[providerDid];
+            return this._createProfileManager(params, trustedDidDoc, createVault);
+        }
+        // --- STEP 1: FETCH THE GOVERNANCE PROOF (vc.json) ---
+        const vcUrl = new URL('.well-known/vc.json', providerUrl).href;
+        const vcResponse = await this._fetch(vcUrl);
+        if (!vcResponse.ok)
+            throw new Error(`Failed to fetch assurance VC from ${vcUrl}`);
+        const assuranceVC = await vcResponse.json();
+        // --- STEP 2: VERIFY THE ISSUER ---
+        // The issuer of the VC MUST match the configured, trusted ICA DID.
+        if (assuranceVC.issuer !== this.icaDid) {
+            throw new Error(`Assurance VC issuer '${assuranceVC.issuer}' does not match the configured trusted ICA '${this.icaDid}'.`);
+        }
+        // --- STEP 3: VERIFY THE CREDENTIAL'S CHAIN OF TRUST ---
+        const isVCSignatureValid = await this.verifier.verifyCredential(assuranceVC);
+        if (!isVCSignatureValid)
+            throw new Error("Assurance VC signature is invalid or the trust chain is broken.");
+        // --- STEP 3: SECURELY FETCH AND VERIFY THE DID DOCUMENT ---
+        const evidence = (_b = assuranceVC.evidence) === null || _b === void 0 ? void 0 : _b[0];
+        const attachment = (_c = evidence === null || evidence === void 0 ? void 0 : evidence.attachments) === null || _c === void 0 ? void 0 : _c[0];
+        if (!attachment || !((_d = attachment.digest) === null || _d === void 0 ? void 0 : _d.value) || !attachment.url) {
+            throw new Error("Assurance VC is missing valid integrity evidence for the DID Document.");
+        }
+        const didDocUrl = attachment.url;
+        const didDocResponse = await this._fetch(didDocUrl);
+        if (!didDocResponse.ok)
+            throw new Error(`Failed to fetch DID Document from ${didDocUrl}`);
+        const didDocText = await didDocResponse.text();
+        const calculatedHash = await this.sdkConfig.crypto.digestString(didDocText, 'SHA-256');
+        if (calculatedHash !== attachment.digest.value) {
+            throw new Error("Man-in-the-middle attack detected! DID Document hash does not match the hash in the trusted assurance VC.");
+        }
+        const trustedDidDoc = JSON.parse(didDocText);
+        // --- STEP 4: PROCEED WITH SESSION CREATION ---
+        return this._createProfileManager(params, trustedDidDoc, createVault);
+    }
+    // --- Private Helper for the final creation step ---
+    async _createProfileManager(params, orgDidDoc, createVault) {
+        const { email, role } = params;
+        const providerDid = orgDidDoc.id; // The authoritative DID from the trusted doc
+        const appType = params.appType || this.appInfo.appType;
+        const appInfoForSession = Object.assign(Object.assign({}, this.appInfo), { appType });
+        const finalProfileId = params.profileId || this.sdkConfig.crypto.randomUUID();
+        const userDid = appType === 'Organization'
+            ? this.constructEmployeeDid(providerDid, email, role)
+            : await this.constructIndividualDid(providerDid, finalProfileId, email, role, params.familyId);
+        const publicKeys = await this.wallet.provisionKeys(finalProfileId);
+        const newProfile = {
+            id: finalProfileId,
+            isAnonymous: false,
+            createdAt: new Date().toISOString(),
+            status: 'pending',
+            keys: publicKeys,
+            email: email,
+            role: role,
+            did: userDid,
+            appType: appType,
+            providerDid: providerDid,
+        };
+        const vault = createVault(finalProfileId);
+        const manager = new ProfileManager({
+            profile: newProfile,
+            orgDidDoc: orgDidDoc,
+            wallet: this.wallet,
+            vault: vault,
+            sdkConfig: this.sdkConfig,
+            appInfo: appInfoForSession, // Pass session app type down
+        });
+        await manager.initialize();
+        await vault.put('profile', newProfile);
+        this.currentSession = manager;
+        return manager;
+    }
+    /**
+     * Shuts down the currently active session.
+     */
+    async initializeProfileRegistry(createVault, registryId = 'profile-registry') {
+        const vault = createVault(registryId);
+        const registry = new ProfileRegistry(vault);
+        await registry.initialize();
+        this.profileRegistry = registry;
+        return registry;
+    }
+    shutdownSession() {
+        if (this.currentSession) {
+            this.currentSession.shutdown();
+            this.currentSession = null;
+        }
+    }
+    normalizeRoleCodeForDid(role, fallback = 'unknown-role') {
+        const raw = (role || '').trim();
+        if (!raw)
+            return fallback;
+        const parts = raw.split('|');
+        if (parts.length === 2) {
+            return (parts[1] || '').trim() || fallback;
+        }
+        return raw;
+    }
+    constructEmployeeDid(connectorDid, email, role) {
+        const roleCode = this.normalizeRoleCodeForDid(role, 'invalid-role');
+        const rawDid = `${connectorDid}:employee:${email}:${roleCode}`;
+        // Normalize it to ensure canonical representation
+        return normalizeDidWeb(rawDid);
+    }
+    async constructIndividualDid(connectorDid, profileId, email, role, familyId) {
+        const normalizedEmail = (email || '').trim().toLowerCase();
+        const emailHash = await this.sdkConfig.crypto.digestString(normalizedEmail, 'SHA-256');
+        const multibaseEmailHash = `z${emailHash}`;
+        const normalizedFamilyId = (familyId || `profile-${profileId}`).trim();
+        const normalizedRole = this.normalizeRoleCodeForDid(role, 'ONESELF').toUpperCase();
+        const rawDid = `${connectorDid}:family:${normalizedFamilyId}:${multibaseEmailHash}:${normalizedRole}`;
+        return normalizeDidWeb(rawDid);
+    }
+}

package/dist/JobManager.d.ts

@@ -0,0 +1,39 @@
+import { IWallet } from 'gdc-common-utils-ts/interfaces/IWallet';
+import { IProfile } from './interfaces/IProfile';
+import { IVaultRepository, VaultQuery } from './interfaces/IVaultRepository';
+import { SdkConfig } from './interfaces/others';
+import { IDecodedDidcommPayload } from 'gdc-common-utils-ts/models/confidential-message';
+import { IJobManager } from './interfaces/IJobManager';
+import { JobStatus, JobRequest } from 'gdc-common-utils-ts/models/confidential-job';
+import { ServiceEndpointSelector } from 'gdc-common-utils-ts/models/did';
+interface JobManagerConfig {
+    profile: IProfile;
+    wallet: IWallet;
+    vault: IVaultRepository;
+    sdkConfig: SdkConfig;
+}
+declare class JobManager implements IJobManager {
+    profile: IProfile;
+    wallet: IWallet;
+    vault: IVaultRepository;
+    private sdkConfig;
+    private listener;
+    private pollingIntervalId;
+    isInitialized: boolean;
+    constructor(config: JobManagerConfig);
+    setListener(listener: () => void): void;
+    initialize(): Promise<void>;
+    shutdown(): void;
+    createJob(content: IDecodedDidcommPayload, selector: ServiceEndpointSelector): Promise<JobRequest>;
+    findDraftJobByFormType(formType: string): Promise<JobRequest | null>;
+    createOrUpdateDraftJob(content: IDecodedDidcommPayload, selector: ServiceEndpointSelector): Promise<JobRequest>;
+    submitJob(job: JobRequest): Promise<void>;
+    pollSentJobs(): Promise<void>;
+    sealJobWithToken(job: JobRequest, token: string): Promise<JobRequest | null>;
+    sync(idToken: string): Promise<void>;
+    updateJobStatus(jobId: string, newStatus: JobStatus, additionalData?: object): Promise<JobRequest>;
+    queryJobs(query: VaultQuery): Promise<JobRequest[]>;
+    getJobResponseByThid(thid: string): Promise<any | null>;
+    generateId(): string;
+}
+export default JobManager;

package/dist/JobManager.js

@@ -0,0 +1,258 @@
+// Copyright 2025 Antifraud Services Inc. under the Apache License, Version 2.0.
+// File: client-sdk-ts/src/JobManager.ts
+var __rest = (this && this.__rest) || function (s, e) {
+    var t = {};
+    for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p) && e.indexOf(p) < 0)
+        t[p] = s[p];
+    if (s != null && typeof Object.getOwnPropertySymbols === "function")
+        for (var i = 0, p = Object.getOwnPropertySymbols(s); i < p.length; i++) {
+            if (e.indexOf(p[i]) < 0 && Object.prototype.propertyIsEnumerable.call(s, p[i]))
+                t[p[i]] = s[p[i]];
+        }
+    return t;
+};
+import { normalizeDidcommPayloadForId } from 'gdc-common-utils-ts/utils/normalize';
+import { JobStatus } from 'gdc-common-utils-ts/models/confidential-job';
+class JobManager {
+    constructor(config) {
+        if (!config || !config.profile || !config.wallet || !config.vault || !config.sdkConfig) {
+            throw new Error("JobManager requires a configuration object with 'profile', 'wallet', 'vault', and 'sdkConfig'.");
+        }
+        this.profile = config.profile;
+        this.wallet = config.wallet;
+        this.vault = config.vault;
+        this.sdkConfig = config.sdkConfig;
+        this.listener = () => { };
+        this.pollingIntervalId = null;
+        this.isInitialized = false;
+    }
+    setListener(listener) { this.listener = listener; }
+    async initialize() {
+        if (this.isInitialized)
+            return;
+        await this.vault.initialize();
+        this.pollingIntervalId = setInterval(() => this.pollSentJobs(), 8000);
+        this.isInitialized = true;
+    }
+    shutdown() {
+        if (this.pollingIntervalId)
+            clearInterval(this.pollingIntervalId);
+        this.isInitialized = false;
+    }
+    async createJob(content, selector) {
+        const jti = this.generateId();
+        const now = Date.now();
+        const versionHash = await this.sdkConfig.crypto.digestString(normalizeDidcommPayloadForId(content), 'SHA-256');
+        const finalContent = Object.assign(Object.assign({}, content), { id: versionHash, jti: jti, thid: content.thid || this.generateId() });
+        const unprotectedDoc = Object.assign({ id: jti, thid: finalContent.thid, versionId: versionHash, status: JobStatus.DRAFT, vaultId: this.profile.id, createdAtTimestamp: now, sequence: now, content: finalContent }, selector);
+        const protectedDoc = await this.wallet.protectConfidentialData(unprotectedDoc, this.profile.id);
+        await this.vault.put('jobs', protectedDoc);
+        this.listener();
+        return protectedDoc;
+    }
+    async findDraftJobByFormType(formType) {
+        if (!this.isInitialized)
+            return null;
+        const draftJobs = await this.vault.query('jobs', {
+            where: [
+                { attribute: 'status', equals: JobStatus.DRAFT },
+                { attribute: 'content.type', equals: formType },
+                { attribute: 'vaultId', equals: this.profile.id }
+            ]
+        });
+        return draftJobs.length > 0 ? draftJobs[0] : null;
+    }
+    async createOrUpdateDraftJob(content, selector) {
+        const existingDraft = await this.findDraftJobByFormType(content.type);
+        if (existingDraft) {
+            const unprotected = await this.wallet.unprotectConfidentialData(existingDraft, this.profile.id);
+            if (!unprotected.content)
+                throw new Error(`Job ${existingDraft.id} is invalid.`);
+            const newContentBody = Object.assign(Object.assign({}, unprotected.content), { body: content.body });
+            const newVersionHash = await this.sdkConfig.crypto.digestString(normalizeDidcommPayloadForId(newContentBody), 'SHA-256');
+            newContentBody.id = newVersionHash;
+            const now = Date.now();
+            const docToReEncrypt = Object.assign(Object.assign(Object.assign({}, unprotected), { versionId: newVersionHash, thid: newContentBody.thid, sequence: now, previousSequence: unprotected.sequence, content: newContentBody }), selector);
+            const reProtectedDoc = await this.wallet.protectConfidentialData(docToReEncrypt, this.profile.id);
+            await this.vault.put('jobs', reProtectedDoc);
+            this.listener();
+            return reProtectedDoc;
+        }
+        else {
+            return this.createJob(content, selector);
+        }
+    }
+    async submitJob(job) {
+        var _a, _b, _c;
+        await this.updateJobStatus(job.id, JobStatus.SUBMITTING);
+        try {
+            const unprotected = await this.wallet.unprotectConfidentialData(job, this.profile.id);
+            const { content } = unprotected;
+            if (!content || !content.aud)
+                throw new Error("Job is missing 'aud' property.");
+            const { operationMode, legacyFhirEnabled } = this.sdkConfig.api;
+            const { fetcher } = this.sdkConfig;
+            const { id: versionId } = content, contentForSending = __rest(content, ["id"]);
+            const idToken = (_b = (_a = contentForSending === null || contentForSending === void 0 ? void 0 : contentForSending.meta) === null || _a === void 0 ? void 0 : _a.bearer) === null || _b === void 0 ? void 0 : _b.compact;
+            const recipientDid = (_c = contentForSending.to) === null || _c === void 0 ? void 0 : _c[0];
+            const submissionUrl = contentForSending.aud;
+            let requestBody;
+            let contentType;
+            if (operationMode === 'FAPI') {
+                if (!recipientDid)
+                    throw new Error("Recipient DID is missing for FAPI mode.");
+                const packedMessage = await this.wallet.packForRecipient(contentForSending, recipientDid);
+                requestBody = new URLSearchParams({ request: packedMessage }).toString();
+                contentType = 'application/x-www-form-urlencoded';
+            }
+            else {
+                requestBody = (submissionUrl.includes('fhir') && legacyFhirEnabled)
+                    ? JSON.stringify(contentForSending.body)
+                    : JSON.stringify(contentForSending);
+                contentType = (submissionUrl.includes('fhir') && legacyFhirEnabled)
+                    ? 'application/fhir+json'
+                    : 'application/json';
+            }
+            const headers = { 'Content-Type': contentType };
+            if (idToken)
+                headers['Authorization'] = `Bearer ${idToken}`;
+            const response = await fetcher(submissionUrl, { method: 'POST', headers, body: requestBody });
+            if (response.status === 202) {
+                const locationUrl = response.headers.get('Location');
+                const absoluteLocationUrl = locationUrl ? new URL(locationUrl, submissionUrl).href : undefined;
+                await this.updateJobStatus(job.id, JobStatus.SENT, { locationUrl: absoluteLocationUrl });
+            }
+            else if (response.ok) {
+                const result = await response.text();
+                await this.updateJobStatus(job.id, JobStatus.COMPLETED, { result });
+            }
+            else {
+                const errorBody = await response.text();
+                const errorMessage = `Server responded with status ${response.status}: ${errorBody}`;
+                const finalStatus = response.status >= 500 ? JobStatus.ERROR_RETRYABLE : JobStatus.FAILED;
+                await this.updateJobStatus(job.id, finalStatus, { errorMessage, retryCount: (job.retryCount || 0) + 1 });
+            }
+        }
+        catch (error) {
+            const errorMessage = error instanceof Error ? error.message : String(error);
+            await this.updateJobStatus(job.id, JobStatus.ERROR_RETRYABLE, { errorMessage, retryCount: (job.retryCount || 0) + 1 });
+        }
+    }
+    async pollSentJobs() {
+        var _a, _b, _c, _d, _e;
+        const sentJobs = await this.vault.query('jobs', { where: [{ attribute: 'status', equals: JobStatus.SENT }] });
+        if (sentJobs.length === 0)
+            return;
+        for (const job of sentJobs) {
+            if (!job.locationUrl)
+                continue;
+            try {
+                const unprotected = await this.wallet.unprotectConfidentialData(job, this.profile.id);
+                const thid = (_a = unprotected.content) === null || _a === void 0 ? void 0 : _a.thid;
+                const idToken = (_d = (_c = (_b = unprotected.content) === null || _b === void 0 ? void 0 : _b.meta) === null || _c === void 0 ? void 0 : _c.bearer) === null || _d === void 0 ? void 0 : _d.compact;
+                if (!thid) {
+                    await this.updateJobStatus(job.id, JobStatus.FAILED, { errorMessage: 'Cannot poll job: thid is missing.' });
+                    continue;
+                }
+                const headers = { 'Content-Type': 'application/x-www-form-urlencoded' };
+                if (idToken)
+                    headers['Authorization'] = `Bearer ${idToken}`;
+                const body = new URLSearchParams({ thid }).toString();
+                const pollResponse = await this.sdkConfig.fetcher(job.locationUrl, { method: 'POST', headers, body });
+                if (pollResponse.status === 202)
+                    continue;
+                const rawResponseBody = await pollResponse.text();
+                if (!rawResponseBody) {
+                    await this.updateJobStatus(job.id, JobStatus.FAILED, { errorMessage: `Polling returned ${pollResponse.status} with empty body.` });
+                    continue;
+                }
+                if (!this.wallet.unpack)
+                    throw new Error("Wallet does not support 'unpack' method.");
+                const { content: unpackedContent } = await this.wallet.unpack(rawResponseBody);
+                const responseId = this.sdkConfig.crypto.randomUUID();
+                await this.vault.put('messages', {
+                    id: responseId,
+                    thid: (_e = unprotected.content) === null || _e === void 0 ? void 0 : _e.thid,
+                    statusCode: pollResponse.status,
+                    content: unpackedContent,
+                });
+                const finalJobStatus = (pollResponse.ok || pollResponse.status === 409) ? JobStatus.COMPLETED : JobStatus.FAILED;
+                await this.updateJobStatus(job.id, finalJobStatus, { responseMessageId: responseId });
+            }
+            catch (error) {
+                const pollErrorMessage = error instanceof Error ? error.message : String(error);
+                await this.updateJobStatus(job.id, job.status, { errorMessage: `Polling network error: ${pollErrorMessage}` });
+            }
+        }
+    }
+    async sealJobWithToken(job, token) {
+        var _a, _b;
+        if (!job)
+            return null;
+        const unprotected = await this.wallet.unprotectConfidentialData(job, this.profile.id);
+        if (!unprotected.content)
+            return job;
+        if ((_b = (_a = unprotected.content.meta) === null || _a === void 0 ? void 0 : _a.bearer) === null || _b === void 0 ? void 0 : _b.compact)
+            return job;
+        if (!unprotected.content.meta)
+            unprotected.content.meta = {};
+        if (!unprotected.content.meta.bearer)
+            unprotected.content.meta.bearer = { jwt: {} };
+        unprotected.content.meta.bearer.compact = token;
+        const reProtectedDoc = await this.wallet.protectConfidentialData(unprotected, this.profile.id);
+        await this.vault.put('jobs', reProtectedDoc);
+        return reProtectedDoc;
+    }
+    async sync(idToken) {
+        var _a;
+        if (((_a = this.sdkConfig.mockOptions) === null || _a === void 0 ? void 0 : _a.networkStatus) === 'offline') {
+            return;
+        }
+        const isOnline = await this.sdkConfig.network.isConnected();
+        if (!isOnline)
+            return;
+        const jobsToSync = await this.vault.query('jobs', {
+            where: [{ attribute: 'status', in: [JobStatus.DRAFT, JobStatus.ERROR_RETRYABLE] }]
+        });
+        if (jobsToSync.length > 0) {
+            const sealedJobs = await Promise.all(jobsToSync.map((job) => this.sealJobWithToken(job, idToken)));
+            const validJobs = sealedJobs.filter((job) => job !== null);
+            await Promise.all(validJobs.map((job) => this.submitJob(job)));
+        }
+    }
+    async updateJobStatus(jobId, newStatus, additionalData = {}) {
+        const originalJob = await this.vault.get('jobs', jobId);
+        if (!originalJob)
+            throw new Error(`Job with id ${jobId} not found for update.`);
+        const now = Date.now();
+        const updateData = Object.assign(Object.assign({}, additionalData), { status: newStatus, sequence: now, previousSequence: originalJob.sequence });
+        const docToUpdate = Object.assign(Object.assign({}, originalJob), updateData);
+        await this.vault.put('jobs', docToUpdate);
+        this.listener();
+        return docToUpdate;
+    }
+    async queryJobs(query) {
+        if (!this.isInitialized)
+            return [];
+        return this.vault.query('jobs', query);
+    }
+    async getJobResponseByThid(thid) {
+        var _a;
+        if (!this.isInitialized)
+            return null;
+        const jobs = await this.vault.query('jobs', {
+            where: [{ attribute: 'thid', equals: thid }],
+            orderBy: { attribute: 'sequence', direction: 'desc' },
+            limit: 1,
+        });
+        const job = jobs === null || jobs === void 0 ? void 0 : jobs[0];
+        if (!job || !job.responseMessageId)
+            return null;
+        const message = await this.vault.get('messages', job.responseMessageId);
+        return (_a = message === null || message === void 0 ? void 0 : message.content) !== null && _a !== void 0 ? _a : null;
+    }
+    generateId() {
+        return this.sdkConfig.crypto.randomUUID();
+    }
+}
+export default JobManager;