gdc-sdk-front-ts 0.6.2 → 0.6.6

package/dist/gdc-common-utils-ts/src/CryptographyService.js

@@ -0,0 +1,401 @@
+// Copyright 2025 Antifraud Services Inc. under the Apache License, Version 2.0.
+// File: crypto-ts/CryptographyService.ts
+import * as pako from 'pako';
+import * as jwtUtils from './utils/jwt';
+import { AesManager } from './AesManager';
+import { Content } from './utils/content';
+/**
+ * Implements the ICryptography interface, providing a complete suite of low-level,
+ * stateless cryptographic functions. This service is the "engine" of the security layer,
+ * orchestrating Post-Quantum and AES primitives.
+ */
+export class CryptographyService {
+    constructor(cryptoHelper) {
+        this.mlDsaModule = null;
+        this.mlKemModule = null;
+        // Constants for seed sizes, as per @noble library requirements.
+        this.ML_KEM_SEED_SIZE = 64;
+        this.ML_DSA_SEED_SIZE = 32;
+        this.aesManager = new AesManager();
+        this.cryptoHelper = cryptoHelper;
+    }
+    async loadMlDsa() {
+        if (this.mlDsaModule)
+            return this.mlDsaModule;
+        try {
+            // Use explicit .js subpath to satisfy package exports in Metro/Node ESM.
+            const module = await import('@noble/post-quantum/ml-dsa.js');
+            this.mlDsaModule = module;
+            return module;
+        }
+        catch (error) {
+            throw new Error('[CryptographyService] Missing dependency "@noble/post-quantum/ml-dsa.js". Install it for ML-DSA operations.');
+        }
+    }
+    async loadMlKem() {
+        if (this.mlKemModule)
+            return this.mlKemModule;
+        try {
+            // Use explicit .js subpath to satisfy package exports in Metro/Node ESM.
+            const module = await import('@noble/post-quantum/ml-kem.js');
+            this.mlKemModule = module;
+            return module;
+        }
+        catch (error) {
+            throw new Error('[CryptographyService] Missing dependency "@noble/post-quantum/ml-kem.js". Install it for ML-KEM operations.');
+        }
+    }
+    digestString(data, algorithm) {
+        return this.cryptoHelper.digestString(data, algorithm);
+    }
+    // --- Key Generation ---
+    async generateKeyPairMlKem(seedBytes, crv = 'ML-KEM-768') {
+        const mlKem = await this.loadMlKem();
+        let seed;
+        if (seedBytes && seedBytes.length === this.ML_KEM_SEED_SIZE) {
+            seed = seedBytes;
+        }
+        else {
+            seed = await this.cryptoHelper.getRandomBytes(this.ML_KEM_SEED_SIZE);
+        }
+        let keygenFn;
+        switch (crv) {
+            case 'ML-KEM-512':
+                keygenFn = mlKem.ml_kem512.keygen;
+                break;
+            case 'ML-KEM-1024':
+                keygenFn = mlKem.ml_kem1024.keygen;
+                break;
+            case 'ML-KEM-768':
+            default:
+                keygenFn = mlKem.ml_kem768.keygen;
+                break;
+        }
+        const { secretKey, publicKey: publicKeyBytes } = keygenFn(seed);
+        const pubJwkWithoutKid = {
+            kty: 'OKP', crv: crv, x: Content.bytesToRawBase64UrlSafe(publicKeyBytes),
+        };
+        const kid = await this._computeJwkThumbprint(pubJwkWithoutKid);
+        const publicKey = { ...pubJwkWithoutKid, kid };
+        return { publicJWKey: publicKey, secretKeyBytes: secretKey };
+    }
+    async generateKeyPairMlDsa(seedBytes, alg = 'ML-DSA-44') {
+        const mlDsa = await this.loadMlDsa();
+        let seed;
+        if (seedBytes && seedBytes.length === this.ML_DSA_SEED_SIZE) {
+            seed = seedBytes;
+        }
+        else {
+            seed = await this.cryptoHelper.getRandomBytes(this.ML_DSA_SEED_SIZE);
+        }
+        let keygenFn;
+        switch (alg) {
+            case 'ML-DSA-65':
+                keygenFn = mlDsa.ml_dsa65.keygen;
+                break;
+            case 'ML-DSA-87':
+                keygenFn = mlDsa.ml_dsa87.keygen;
+                break;
+            case 'ML-DSA-44':
+            default:
+                keygenFn = mlDsa.ml_dsa44.keygen;
+                break;
+        }
+        const { secretKey, publicKey: publicKeyBytes } = keygenFn(seed);
+        const pubJwkWithoutKid = {
+            kty: 'AKP', alg: alg, pub: Content.bytesToRawBase64UrlSafe(publicKeyBytes),
+        };
+        const kid = await this._computeJwkThumbprint(pubJwkWithoutKid);
+        const publicKey = { ...pubJwkWithoutKid, kid };
+        return { publicJWKey: publicKey, secretKeyBytes: secretKey };
+    }
+    // --- High-Level Workflows ---
+    async encryptJwe(payload, protectedHeader, secretJWKey, recipientsJWKeys) {
+        // ARCHITECTURAL NOTE: This implementation is currently only suitable for a single recipient.
+        // A Key Encapsulation Mechanism (KEM) derives a *different* shared secret for each recipient's public key.
+        // A true multi-recipient JWE requires a single Content Encryption Key (CEK) that is then
+        // encrypted (wrapped) for each recipient. This code uses the KEM-derived shared secret as the CEK.
+        // This must be refactored to a key-wrapping approach to support multiple recipients correctly.
+        if (recipientsJWKeys.length !== 1) {
+            // Temporarily throw until the architecture is fixed for multi-recipient.
+            throw new Error("CryptographyService.encryptJwe currently only supports a single recipient.");
+        }
+        const recipient = recipientsJWKeys[0];
+        const publicKeyBytes = Content.base64ToBytes(recipient.x);
+        // Per RFC 9278, we generate a random seed for the KEM. The KEM then derives both the
+        // final Content Encryption Key (CEK) and the encapsulated key from this seed.
+        const cekSeedBytes = await this.cryptoHelper.getRandomBytes(32);
+        const { derivedCekBytes, // This is the actual Content Encryption Key
+        encapsulatedCekBytes // This is the encrypted key for the recipient
+         } = await this.encapsulate(cekSeedBytes, secretJWKey.dBytes, publicKeyBytes);
+        // 2. Now, use the *derived* CEK to encrypt the payload with AES.
+        const protectedHeaderB64Url = Content.objectToRawBase64UrlSafe(protectedHeader);
+        let payloadBytes = Content.objectToBytes(payload);
+        let payloadString;
+        if (protectedHeader.zip === 'DEF') {
+            payloadBytes = pako.deflate(payloadBytes);
+            payloadString = Content.bytesToRawBase64UrlSafe(payloadBytes);
+        }
+        else {
+            payloadString = Content.bytesToStringASCII(payloadBytes);
+        }
+        const encrypted = await this.encrypt(payloadString, derivedCekBytes, protectedHeaderB64Url);
+        // 3. Assemble the JWE. The `encrypted_key` is the result of the KEM encapsulation.
+        const recipientData = [{
+                header: { alg: recipient.crv, kid: recipient.kid },
+                encrypted_key: Content.bytesToRawBase64UrlSafe(encapsulatedCekBytes),
+            }];
+        return {
+            protected: protectedHeaderB64Url,
+            recipients: recipientData,
+            iv: encrypted.iv,
+            ciphertext: encrypted.ciphertext,
+            tag: encrypted.tag,
+        };
+    }
+    async encryptJweToCompact(payload, protectedHeader, secretJWKey, recipientJWKey) {
+        // 1. Construct the complete, final protected header by merging the main and recipient headers.
+        const recipientHeader = { alg: recipientJWKey.crv, kid: recipientJWKey.kid };
+        const finalProtectedHeader = { ...protectedHeader, ...recipientHeader };
+        const protectedHeaderB64Url = Content.objectToRawBase64UrlSafe(finalProtectedHeader);
+        // 2. Perform KEM to derive the Content Encryption Key (CEK).
+        const publicKeyBytes = Content.base64ToBytes(recipientJWKey.x);
+        const cekSeedBytes = await this.cryptoHelper.getRandomBytes(32);
+        const { derivedCekBytes, encapsulatedCekBytes } = await this.encapsulate(cekSeedBytes, secretJWKey.dBytes, publicKeyBytes);
+        const encapsulatedKeyB64Url = Content.bytesToRawBase64UrlSafe(encapsulatedCekBytes);
+        // 3. Encrypt the payload using the derived CEK and the *final* protected header as AAD.
+        const payloadBytes = typeof payload === 'string'
+            ? Content.stringToBytesUTF8(payload)
+            : Content.objectToBytes(payload);
+        if (finalProtectedHeader.zip === 'DEF') {
+            // Note: Compressing a compact JWS string is often inefficient, but supported.
+            const compressedPayload = pako.deflate(payloadBytes);
+            const payloadString = Content.bytesToRawBase64UrlSafe(compressedPayload);
+            const encrypted = await this.encrypt(payloadString, derivedCekBytes, protectedHeaderB64Url);
+            return `${protectedHeaderB64Url}.${encapsulatedKeyB64Url}.${encrypted.iv}.${encrypted.ciphertext}.${encrypted.tag}`;
+        }
+        const payloadString = Content.bytesToStringASCII(payloadBytes);
+        const encrypted = await this.encrypt(payloadString, derivedCekBytes, protectedHeaderB64Url);
+        // 4. Assemble the 5 parts of the compact JWE.
+        return `${protectedHeaderB64Url}.${encapsulatedKeyB64Url}.${encrypted.iv}.${encrypted.ciphertext}.${encrypted.tag}`;
+    }
+    async decryptJwe(jwe, secretKeyJwk) {
+        const jweObject = typeof jwe === 'string' ? this.parseCompactJwe(jwe) : jwe;
+        const recipient = jweObject.recipients.find(r => r.header?.kid === secretKeyJwk.kid);
+        if (!recipient || !recipient.encrypted_key) {
+            throw new Error(`JWE does not contain a recipient with kid=${secretKeyJwk.kid}`);
+        }
+        // Decapsulate to get the CEK
+        const encapsulatedKeyBytes = Content.base64ToBytes(recipient.encrypted_key);
+        const cekBytes = await this.decapsulate(encapsulatedKeyBytes, secretKeyJwk.dBytes);
+        // Decrypt the payload
+        const encryptedData = { ciphertext: jweObject.ciphertext, iv: jweObject.iv, tag: jweObject.tag };
+        const decryptedPayloadString = await this.decrypt(encryptedData, cekBytes, jweObject.protected);
+        // Handle decompression
+        const protectedHeader = Content.base64UrlSafeToJSON(jweObject.protected);
+        let decryptedBytes;
+        if (protectedHeader.zip === 'DEF') {
+            const compressedBytes = Content.base64ToBytes(decryptedPayloadString);
+            decryptedBytes = pako.inflate(compressedBytes);
+        }
+        else {
+            decryptedBytes = Content.stringToBytesUTF8(decryptedPayloadString);
+        }
+        return { decryptedBytes, protectedHeader };
+    }
+    getRecipientKidsFromJwe(jwe) {
+        const jweObject = typeof jwe === 'string' ? this.parseCompactJwe(jwe) : jwe;
+        if (!jweObject.recipients) {
+            return [];
+        }
+        return jweObject.recipients
+            .map(recipient => recipient.header?.kid)
+            .filter((kid) => !!kid);
+    }
+    async signDataJws(payload, protectedHeader, secretKeyBytes) {
+        const protectedHeaderB64Url = Content.objectToRawBase64UrlSafe(protectedHeader);
+        const payloadB64Url = await jwtUtils.encodePayload(payload);
+        const signingInput = `${protectedHeaderB64Url}.${payloadB64Url}`;
+        const signingInputBytes = Content.stringToBytesUTF8(signingInput);
+        // Infer algorithm from protected header
+        const alg = protectedHeader.alg;
+        if (!alg)
+            throw new Error("Protected header must contain 'alg' property for signing.");
+        const signatureBytes = await this.signBytes(signingInputBytes, secretKeyBytes, alg);
+        const jwsParts = {
+            protected: protectedHeaderB64Url,
+            payload: payloadB64Url,
+            signature: Content.bytesToRawBase64UrlSafe(signatureBytes),
+        };
+        return jwsParts;
+    }
+    async verifyJws(jws, publicJwk) {
+        const parts = typeof jws === 'string' ? jwtUtils.getPartsJWT(jws) : jws;
+        if (!parts)
+            throw new Error('Invalid Compact JWS format');
+        const signingInput = `${parts.protected}.${parts.payload}`;
+        const signingInputBytes = Content.stringToBytesUTF8(signingInput);
+        const signatureBytes = Content.base64ToBytes(parts.signature);
+        return this.verifyBytes(signatureBytes, signingInputBytes, publicJwk);
+    }
+    async verifyDetachedJws(payloadBytes, detachedJws, publicJWKey) {
+        const parts = detachedJws.split('..');
+        if (parts.length !== 2)
+            throw new Error("Invalid Detached JWS format");
+        const protectedHeaderB64Url = parts[0];
+        const signatureB64Url = parts[1];
+        const payloadB64Url = Content.bytesToRawBase64UrlSafe(payloadBytes);
+        const signingInput = `${protectedHeaderB64Url}.${payloadB64Url}`;
+        const signingInputBytes = Content.stringToBytesUTF8(signingInput);
+        const signatureBytes = Content.base64ToBytes(signatureB64Url);
+        return this.verifyBytes(signatureBytes, signingInputBytes, publicJWKey);
+    }
+    // --- Low-Level Primitives ---
+    encrypt(plaintext, cekBytes, aad) {
+        return this.aesManager.encrypt(plaintext, cekBytes, aad);
+    }
+    decrypt(encryptedData, cekBytes, aad) {
+        return this.aesManager.decrypt(encryptedData, cekBytes, aad);
+    }
+    async encapsulate(cekSeedBytes, secretKeyBytes, recipientPublicKeyBytes) {
+        // According to RFC 9278 (JWE with ML-KEM), a seed is used for the KEM encapsulation.
+        // The KEM then derives a shared secret from this seed. It is this *derived* shared secret
+        // that is used to encrypt the content, NOT the original seed.
+        // The `encapsulate` function from the noble library handles this correctly by accepting the
+        // seed as the second argument. It returns both the encapsulated key (`cipherText`)
+        // and the derived shared secret, which we must use as the actual AES key.
+        const mlKem = await this.loadMlKem();
+        const { sharedSecret, cipherText } = await mlKem.ml_kem768.encapsulate(recipientPublicKeyBytes, cekSeedBytes);
+        return { derivedCekBytes: sharedSecret, encapsulatedCekBytes: cipherText };
+    }
+    async decapsulate(encapsulatedBytes, secretKeyBytes) {
+        const mlKem = await this.loadMlKem();
+        return mlKem.ml_kem768.decapsulate(encapsulatedBytes, secretKeyBytes);
+    }
+    async signBytes(payloadBytes, secretKeyBytes, alg) {
+        const mlDsa = await this.loadMlDsa();
+        switch (alg) {
+            case 'ML-DSA-44': return mlDsa.ml_dsa44.sign(payloadBytes, secretKeyBytes);
+            case 'ML-DSA-65': return mlDsa.ml_dsa65.sign(payloadBytes, secretKeyBytes);
+            case 'ML-DSA-87': return mlDsa.ml_dsa87.sign(payloadBytes, secretKeyBytes);
+            default: throw new Error(`Unsupported ML-DSA algorithm: ${alg}`);
+        }
+    }
+    async verifyBytes(signatureBytes, dataBytes, publicKey) {
+        const mlDsa = await this.loadMlDsa();
+        const publicKeyBytes = Content.base64ToBytes(publicKey.pub || publicKey.x);
+        const alg = publicKey.alg;
+        if (!alg)
+            throw new Error("Public key must contain 'alg' property for verification.");
+        switch (alg) {
+            case 'ML-DSA-44': return mlDsa.ml_dsa44.verify(signatureBytes, dataBytes, publicKeyBytes);
+            case 'ML-DSA-65': return mlDsa.ml_dsa65.verify(signatureBytes, dataBytes, publicKeyBytes);
+            case 'ML-DSA-87': return mlDsa.ml_dsa87.verify(signatureBytes, dataBytes, publicKeyBytes);
+            default: throw new Error(`Unsupported ML-DSA algorithm: ${alg}`);
+        }
+    }
+    // --- Formatting & Parsing Utilities ---
+    jwsToCompact(jws) {
+        return `${jws.protected}.${jws.payload}.${jws.signature}`;
+    }
+    parseCompactJws(jwsString) {
+        if (jwsString.trim().startsWith('{')) {
+            const parsed = JSON.parse(jwsString);
+            if (!parsed.payload || !parsed.signatures || !parsed.signatures[0]) {
+                throw new Error("Invalid JWS JSON format");
+            }
+            return {
+                payload: parsed.payload,
+                protected: parsed.signatures[0].protected,
+                signature: parsed.signatures[0].signature,
+            };
+        }
+        const parts = jwtUtils.getPartsJWT(jwsString);
+        if (!parts)
+            throw new Error("Invalid Compact JWS format");
+        const result = {
+            payload: Content.base64UrlSafeToJSON(parts.payload),
+            protected: Content.base64UrlSafeToJSON(parts.protected),
+            signature: Content.base64ToBytes(parts.signature),
+        };
+        return result;
+    }
+    parseCompactJwe(jweString) {
+        if (jweString.trim().startsWith('{')) {
+            return JSON.parse(jweString);
+        }
+        const parts = jweString.split('.');
+        if (parts.length !== 5)
+            throw new Error("Invalid Compact JWE format");
+        const protectedHeader = Content.base64UrlSafeToJSON(parts[0]);
+        // Compact JWE has no per-recipient header, but our model requires one.
+        // The 'kid' should be in the main protected header for decryption to work.
+        return {
+            protected: parts[0],
+            recipients: [{
+                    header: { alg: protectedHeader.alg || '', kid: protectedHeader.kid || '' },
+                    encrypted_key: parts[1]
+                }],
+            iv: parts[2],
+            ciphertext: parts[3],
+            tag: parts[4],
+        };
+    }
+    // --- JWK Thumbprint Calculation (RFC 7638) ---
+    /**
+     * Computes a JWK thumbprint using a specified hash algorithm.
+     * This implementation is platform-agnostic by using the injected ICryptoHelper.
+     */
+    async _computeJwkThumbprint(jwk, hash = "SHA-256") {
+        const baseJwk = this._toBaseJwk(jwk);
+        const canonical = this._canonicalizeForJwkThumbprint(baseJwk);
+        // Use the platform-agnostic digest method
+        const digestHex = await this.cryptoHelper.digestString(canonical, hash);
+        // The digestString returns a hex string, but thumbprints are Base64UrlSafe.
+        // We need to convert from hex to bytes, then bytes to Base64UrlSafe.
+        const digestBytes = this._hexToBytes(digestHex);
+        return Content.bytesToRawBase64UrlSafe(digestBytes);
+    }
+    /**
+     * Creates a canonical string from a simple, flat JSON object as required by
+     * RFC 7638 for JWK thumbprints.
+     */
+    _canonicalizeForJwkThumbprint(obj) {
+        const keys = Object.keys(obj).sort();
+        const parts = keys.map(k => `"${k}":${JSON.stringify(obj[k])}`);
+        return `{${parts.join(",")}}`;
+    }
+    /**
+     * Extracts the Base JWK for thumbprint calculation per RFC 7638.
+     * This handles both Post-Quantum (OKP, AKP) and legacy (EC) key types.
+     */
+    _toBaseJwk(jwk) {
+        if (jwk.kty === "OKP") {
+            const { crv, x } = jwk;
+            return { kty: "OKP", crv, x };
+        }
+        else if (jwk.kty === "AKP") {
+            const { alg, pub } = jwk;
+            return { kty: "AKP", alg, pub };
+        }
+        else if (jwk.kty === "EC") {
+            const { crv, x, y } = jwk;
+            const baseJwk = { kty: "EC", crv, x, y };
+            return baseJwk;
+        }
+        else {
+            const exhaustiveCheck = jwk;
+            throw new Error(`Unsupported key type for JWK thumbprint: ${exhaustiveCheck.kty}`);
+        }
+    }
+    /**
+     * Utility to convert a hex string to a Uint8Array.
+     */
+    _hexToBytes(hex) {
+        const bytes = new Uint8Array(hex.length / 2);
+        for (let i = 0; i < hex.length; i += 2) {
+            bytes[i / 2] = parseInt(hex.substr(i, 2), 16);
+        }
+        return bytes;
+    }
+}

package/dist/gdc-common-utils-ts/src/constants/actor-session.d.ts

@@ -0,0 +1,40 @@
+/**
+ * Canonical actor-kind vocabulary shared across SDK packages.
+ */
+export declare const ActorKinds: Readonly<{
+    readonly HostOnboarding: "host_onboarding";
+    readonly OrganizationController: "organization_controller";
+    readonly OrganizationEmployee: "organization_employee";
+    readonly IndividualController: "individual_controller";
+    readonly IndividualMember: "individual_member";
+    readonly Professional: "professional";
+}>;
+/**
+ * Canonical capability vocabulary shared across SDK packages.
+ */
+export declare const ActorCapabilities: Readonly<{
+    readonly HostActivateOrganization: "host.activate_organization";
+    readonly HostConfirmOrder: "host.confirm_order";
+    readonly OrganizationCreateEmployee: "organization.create_employee";
+    readonly OrganizationDisableEmployee: "organization.disable_employee";
+    readonly OrganizationPurgeEmployee: "organization.purge_employee";
+    readonly OrganizationActivateDevice: "organization.activate_device";
+    readonly OrganizationIssueActivationCode: "organization.issue_activation_code";
+    readonly OrganizationRequestSmartToken: "organization.request_smart_token";
+    readonly IndividualBootstrap: "individual.bootstrap";
+    readonly IndividualDisable: "individual.disable";
+    readonly IndividualPurge: "individual.purge";
+    readonly IndividualImportIps: "individual.import_ips";
+    readonly IndividualGenerateDigitalTwin: "individual.generate_digital_twin";
+    readonly IndividualIngestCommunication: "individual.ingest_communication";
+    readonly IndividualUpsertRelatedPerson: "individual.upsert_related_person";
+    readonly IndividualMemberDisable: "individual_member.disable";
+    readonly IndividualMemberPurge: "individual_member.purge";
+    readonly ConsentGrantProfessionalAccess: "consent.grant_professional_access";
+    readonly ProfessionalMedication: "professional.medication";
+    readonly ProfessionalAppointment: "professional.appointment";
+    readonly ProfessionalRequestSmartToken: "professional.request_smart_token";
+    readonly TokenRequestSmart: "token.request_smart";
+}>;
+export type ActorKindsValue = typeof ActorKinds[keyof typeof ActorKinds];
+export type ActorCapabilitiesValue = typeof ActorCapabilities[keyof typeof ActorCapabilities];

package/dist/gdc-common-utils-ts/src/constants/actor-session.js

@@ -0,0 +1,40 @@
+// Copyright 2026 Antifraud Services Inc. under the Apache License, Version 2.0.
+// Always create JSDoc, do not use strings inline in keys nor values, use types instead, and reuse the data test examples.
+/**
+ * Canonical actor-kind vocabulary shared across SDK packages.
+ */
+export const ActorKinds = Object.freeze({
+    HostOnboarding: 'host_onboarding',
+    OrganizationController: 'organization_controller',
+    OrganizationEmployee: 'organization_employee',
+    IndividualController: 'individual_controller',
+    IndividualMember: 'individual_member',
+    Professional: 'professional',
+});
+/**
+ * Canonical capability vocabulary shared across SDK packages.
+ */
+export const ActorCapabilities = Object.freeze({
+    HostActivateOrganization: 'host.activate_organization',
+    HostConfirmOrder: 'host.confirm_order',
+    OrganizationCreateEmployee: 'organization.create_employee',
+    OrganizationDisableEmployee: 'organization.disable_employee',
+    OrganizationPurgeEmployee: 'organization.purge_employee',
+    OrganizationActivateDevice: 'organization.activate_device',
+    OrganizationIssueActivationCode: 'organization.issue_activation_code',
+    OrganizationRequestSmartToken: 'organization.request_smart_token',
+    IndividualBootstrap: 'individual.bootstrap',
+    IndividualDisable: 'individual.disable',
+    IndividualPurge: 'individual.purge',
+    IndividualImportIps: 'individual.import_ips',
+    IndividualGenerateDigitalTwin: 'individual.generate_digital_twin',
+    IndividualIngestCommunication: 'individual.ingest_communication',
+    IndividualUpsertRelatedPerson: 'individual.upsert_related_person',
+    IndividualMemberDisable: 'individual_member.disable',
+    IndividualMemberPurge: 'individual_member.purge',
+    ConsentGrantProfessionalAccess: 'consent.grant_professional_access',
+    ProfessionalMedication: 'professional.medication',
+    ProfessionalAppointment: 'professional.appointment',
+    ProfessionalRequestSmartToken: 'professional.request_smart_token',
+    TokenRequestSmart: 'token.request_smart',
+});

package/dist/gdc-common-utils-ts/src/constants/communication.d.ts

@@ -0,0 +1,28 @@
+export declare const HL7_COMMUNICATION_CATEGORY_SYSTEM: "http://terminology.hl7.org/CodeSystem/communication-category";
+export type CommunicationCategoryDescriptor = Readonly<{
+    system: typeof HL7_COMMUNICATION_CATEGORY_SYSTEM;
+    code: string;
+    claim: string;
+}>;
+export declare const CommunicationCategoryCodes: Readonly<{
+    readonly Alert: Readonly<{
+        system: typeof HL7_COMMUNICATION_CATEGORY_SYSTEM;
+        code: string;
+        claim: string;
+    }>;
+    readonly Notification: Readonly<{
+        system: typeof HL7_COMMUNICATION_CATEGORY_SYSTEM;
+        code: string;
+        claim: string;
+    }>;
+    readonly Reminder: Readonly<{
+        system: typeof HL7_COMMUNICATION_CATEGORY_SYSTEM;
+        code: string;
+        claim: string;
+    }>;
+    readonly Instruction: Readonly<{
+        system: typeof HL7_COMMUNICATION_CATEGORY_SYSTEM;
+        code: string;
+        claim: string;
+    }>;
+}>;

package/dist/gdc-common-utils-ts/src/constants/communication.js

@@ -0,0 +1,14 @@
+export const HL7_COMMUNICATION_CATEGORY_SYSTEM = 'http://terminology.hl7.org/CodeSystem/communication-category';
+function defineCommunicationCategory(code) {
+    return Object.freeze({
+        system: HL7_COMMUNICATION_CATEGORY_SYSTEM,
+        code,
+        claim: `${HL7_COMMUNICATION_CATEGORY_SYSTEM}|${code}`,
+    });
+}
+export const CommunicationCategoryCodes = Object.freeze({
+    Alert: defineCommunicationCategory('alert'),
+    Notification: defineCommunicationCategory('notification'),
+    Reminder: defineCommunicationCategory('reminder'),
+    Instruction: defineCommunicationCategory('instruction'),
+});

package/dist/gdc-common-utils-ts/src/constants/cryptography.d.ts

@@ -0,0 +1,58 @@
+import { MldsaAlg, MlkemCurve } from '../interfaces/Cryptography.types';
+/**
+ * Canonical JOSE/JWK `use` values used across GDC communication key material.
+ */
+export declare const JwkKeyUses: {
+    readonly Signature: "sig";
+    readonly Encryption: "enc";
+};
+/**
+ * Canonical public-key purposes used by GW and SDKs to distinguish communication
+ * signing keys from VC signing keys.
+ */
+export declare const CommunicationKeyPurposes: {
+    readonly CommunicationSignature: "comm_sig";
+    readonly VerifiableCredentialSignature: "vc_sign";
+};
+/**
+ * Classical JOSE signature algorithms currently recognized across GDC VP/JWT
+ * examples and gateway trust adapters.
+ *
+ * Notes:
+ * - `ES256K` is the JOSE name for ECDSA over `secp256k1`
+ * - `ES384` remains the common P-384 legacy example in current GW fixtures
+ */
+export declare const ClassicalJoseSignatureAlgorithms: {
+    readonly Es256: "ES256";
+    readonly Es256K: "ES256K";
+    readonly Es384: "ES384";
+};
+/**
+ * JOSE signature algorithms accepted by shared VP/JWT helpers.
+ *
+ * This intentionally covers both:
+ * - classical ECDSA JOSE algorithms (`ES256`, `ES256K`, `ES384`)
+ * - post-quantum ML-DSA JOSE algorithm labels already used by GW
+ *
+ * Use this type when a helper builds or documents a JWS/JWT/VP proof header.
+ */
+export type JoseSignatureAlgorithm = typeof ClassicalJoseSignatureAlgorithms[keyof typeof ClassicalJoseSignatureAlgorithms] | MldsaAlg;
+/**
+ * Default post-quantum signing algorithms used for communication bootstrap.
+ */
+export declare const DefaultSigningAlgorithms: {
+    Communication: MldsaAlg;
+    VerifiableCredential: MldsaAlg;
+};
+/**
+ * Default post-quantum encryption curve used for communication bootstrap.
+ */
+export declare const DefaultEncryptionCurves: {
+    Communication: MlkemCurve;
+};
+/**
+ * Canonical JOSE content-encryption algorithms used by DIDComm/JWE envelopes.
+ */
+export declare const JoseContentEncryptionAlgorithms: {
+    readonly Aes256Gcm: "A256GCM";
+};

package/dist/gdc-common-utils-ts/src/constants/cryptography.js

@@ -0,0 +1,49 @@
+// Copyright 2025 Antifraud Services Inc. under the Apache License, Version 2.0.
+import { AES_GCM_JWA_ENC } from '../models/aes';
+/**
+ * Canonical JOSE/JWK `use` values used across GDC communication key material.
+ */
+export const JwkKeyUses = {
+    Signature: 'sig',
+    Encryption: 'enc',
+};
+/**
+ * Canonical public-key purposes used by GW and SDKs to distinguish communication
+ * signing keys from VC signing keys.
+ */
+export const CommunicationKeyPurposes = {
+    CommunicationSignature: 'comm_sig',
+    VerifiableCredentialSignature: 'vc_sign',
+};
+/**
+ * Classical JOSE signature algorithms currently recognized across GDC VP/JWT
+ * examples and gateway trust adapters.
+ *
+ * Notes:
+ * - `ES256K` is the JOSE name for ECDSA over `secp256k1`
+ * - `ES384` remains the common P-384 legacy example in current GW fixtures
+ */
+export const ClassicalJoseSignatureAlgorithms = {
+    Es256: 'ES256',
+    Es256K: 'ES256K',
+    Es384: 'ES384',
+};
+/**
+ * Default post-quantum signing algorithms used for communication bootstrap.
+ */
+export const DefaultSigningAlgorithms = {
+    Communication: 'ML-DSA-44',
+    VerifiableCredential: 'ML-DSA-44',
+};
+/**
+ * Default post-quantum encryption curve used for communication bootstrap.
+ */
+export const DefaultEncryptionCurves = {
+    Communication: 'ML-KEM-768',
+};
+/**
+ * Canonical JOSE content-encryption algorithms used by DIDComm/JWE envelopes.
+ */
+export const JoseContentEncryptionAlgorithms = {
+    Aes256Gcm: AES_GCM_JWA_ENC,
+};

package/dist/gdc-common-utils-ts/src/constants/dataspace-discovery.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Shared discovery-source policies used by backend/bootstrap layers that must
+ * decide whether to start from configured defaults or from live internet/ICA
+ * discovery.
+ */
+export declare const DataspaceDiscoverySourceMode: Readonly<{
+    readonly DefaultFirst: "default-first";
+    readonly DefaultsOnly: "defaults-only";
+    readonly InternetFirst: "internet-first";
+}>;
+export type DataspaceDiscoverySourceModeValue = typeof DataspaceDiscoverySourceMode[keyof typeof DataspaceDiscoverySourceMode];

package/dist/gdc-common-utils-ts/src/constants/dataspace-discovery.js

@@ -0,0 +1,11 @@
+// Copyright 2026 Antifraud Services Inc. under the Apache License, Version 2.0.
+/**
+ * Shared discovery-source policies used by backend/bootstrap layers that must
+ * decide whether to start from configured defaults or from live internet/ICA
+ * discovery.
+ */
+export const DataspaceDiscoverySourceMode = Object.freeze({
+    DefaultFirst: 'default-first',
+    DefaultsOnly: 'defaults-only',
+    InternetFirst: 'internet-first',
+});