gdc-sdk-front-ts 0.6.2 → 0.6.6

package/dist/gdc-common-utils-ts/src/utils/did-resolution.d.ts

@@ -0,0 +1,60 @@
+import type { ActorKind } from '../models/actor-session';
+import { DidDocument, DidResolutionResult, ResolvedServiceEndpoint } from '../models/did';
+/**
+ * Service selection criteria used when resolving operational endpoints from a DID Document.
+ */
+export type ServiceEndpointMatchInput = {
+    /** Exact service id, such as `#jwks` or `#identity-openid-smart-token`. */
+    id?: string;
+    /** Exact DID service type, such as `OpenIdProvider` or `JsonWebKeyService2020`. */
+    type?: string;
+    /** Logical capability inferred from service id/type, such as `smart-token`. */
+    capability?: string;
+};
+/**
+ * Normalizes every `service[]` entry in a DID Document into a capability-aware structure.
+ *
+ * This is the canonical starting point for SDK and GW code that needs to select
+ * operational endpoints without reconstructing URLs manually.
+ */
+export declare function resolveDidDocumentServices(didDocument: DidDocument): ResolvedServiceEndpoint[];
+/**
+ * Returns the first DID service entry matching the provided selector.
+ */
+export declare function getDidDocumentService(didDocument: DidDocument, match: ServiceEndpointMatchInput): ResolvedServiceEndpoint | undefined;
+/**
+ * Returns the invocable `serviceEndpoint` URL for the first matching DID service entry.
+ */
+export declare function selectServiceEndpoint(didDocument: DidDocument, match: ServiceEndpointMatchInput): string | undefined;
+/**
+ * Returns the public URL that serves the DID Document itself, when published in `service[]`.
+ */
+export declare function getDidDocumentEndpoint(didDocument: DidDocument): string | undefined;
+/**
+ * Returns the public JWKS endpoint advertised by the DID Document.
+ */
+export declare function getJwksServiceEndpoint(didDocument: DidDocument): string | undefined;
+/**
+ * Returns the SMART token endpoint advertised by the DID Document.
+ */
+export declare function getSmartTokenEndpoint(didDocument: DidDocument): string | undefined;
+/**
+ * Collapses an actor DID into the owning organization/provider DID when the actor
+ * uses the current data-space member suffix conventions.
+ */
+export declare function getOrganizationDidFromIndividualDid(did: string): string;
+/**
+ * Alias of `getOrganizationDidFromIndividualDid` kept for provider-centric callers.
+ */
+export declare function getProviderDidFromSubjectDid(did: string): string;
+/**
+ * Infers the current actor kind from a DID naming convention.
+ *
+ * This helper is intentionally heuristic and should be treated as a convenience
+ * layer over the currently published DID patterns, not as an authorization decision.
+ */
+export declare function getActorKindFromDid(did: string): ActorKind | 'unknown';
+/**
+ * Builds a reusable DID resolution result from a raw DID Document.
+ */
+export declare function toDidResolutionResult(didDocument: DidDocument): DidResolutionResult;

package/dist/gdc-common-utils-ts/src/utils/did-resolution.js

@@ -0,0 +1,173 @@
+// Copyright 2026 Antifraud Services Inc. under the Apache License, Version 2.0.
+import { ActorKinds } from '../constants/actor-session';
+import { DiscoveryCapabilities, DidServiceIds } from '../constants/did-services';
+function normalizeServiceEndpoint(service) {
+    const capability = inferCapabilityFromServiceId(service.id)
+        || inferCapabilityFromServiceType(service.type);
+    return {
+        id: service.id,
+        type: service.type,
+        serviceEndpoint: service.serviceEndpoint,
+        capability,
+        raw: service,
+    };
+}
+function inferCapabilityFromServiceId(serviceId) {
+    const normalized = String(serviceId || '').trim().toLowerCase();
+    switch (normalized) {
+        case DidServiceIds.DidDocument:
+            return DiscoveryCapabilities.DidDocument;
+        case DidServiceIds.Jwks:
+            return DiscoveryCapabilities.Jwks;
+        case DidServiceIds.OpenIdConfiguration:
+            return DiscoveryCapabilities.OpenIdConfiguration;
+        case DidServiceIds.SmartConfiguration:
+            return DiscoveryCapabilities.SmartConfiguration;
+        case DidServiceIds.SmartToken:
+            return DiscoveryCapabilities.SmartToken;
+        case DidServiceIds.CredentialIssuer:
+            return DiscoveryCapabilities.CredentialIssuer;
+        case DidServiceIds.CapabilityStatement:
+            return DiscoveryCapabilities.CapabilityStatement;
+        case DidServiceIds.Catalog:
+            return DiscoveryCapabilities.Catalog;
+        default:
+            if (normalized.endsWith(':smart:token'))
+                return DiscoveryCapabilities.SmartToken;
+            return undefined;
+    }
+}
+function inferCapabilityFromServiceType(serviceType) {
+    const normalized = String(serviceType || '').trim().toLowerCase();
+    switch (normalized) {
+        case 'linkeddomains':
+            return DiscoveryCapabilities.DidDocument;
+        case 'jsonwebkeyservice2020':
+            return DiscoveryCapabilities.Jwks;
+        case 'openidprovider':
+            return DiscoveryCapabilities.OpenIdConfiguration;
+        case 'smartonfhirconfiguration':
+            return DiscoveryCapabilities.SmartConfiguration;
+        case 'openidcredentialissuer':
+            return DiscoveryCapabilities.CredentialIssuer;
+        case 'capabilitystatement':
+            return DiscoveryCapabilities.CapabilityStatement;
+        case 'catalogservice':
+            return DiscoveryCapabilities.Catalog;
+        case 'apiservice':
+            return undefined;
+        default:
+            return undefined;
+    }
+}
+/**
+ * Normalizes every `service[]` entry in a DID Document into a capability-aware structure.
+ *
+ * This is the canonical starting point for SDK and GW code that needs to select
+ * operational endpoints without reconstructing URLs manually.
+ */
+export function resolveDidDocumentServices(didDocument) {
+    return (didDocument.service || []).map(normalizeServiceEndpoint);
+}
+/**
+ * Returns the first DID service entry matching the provided selector.
+ */
+export function getDidDocumentService(didDocument, match) {
+    return resolveDidDocumentServices(didDocument).find((service) => {
+        if (match.id && service.id !== match.id)
+            return false;
+        if (match.type && service.type !== match.type)
+            return false;
+        if (match.capability && service.capability !== match.capability)
+            return false;
+        return true;
+    });
+}
+/**
+ * Returns the invocable `serviceEndpoint` URL for the first matching DID service entry.
+ */
+export function selectServiceEndpoint(didDocument, match) {
+    return getDidDocumentService(didDocument, match)?.serviceEndpoint;
+}
+/**
+ * Returns the public URL that serves the DID Document itself, when published in `service[]`.
+ */
+export function getDidDocumentEndpoint(didDocument) {
+    return selectServiceEndpoint(didDocument, {
+        id: DidServiceIds.DidDocument,
+        capability: DiscoveryCapabilities.DidDocument,
+    });
+}
+/**
+ * Returns the public JWKS endpoint advertised by the DID Document.
+ */
+export function getJwksServiceEndpoint(didDocument) {
+    return selectServiceEndpoint(didDocument, {
+        id: DidServiceIds.Jwks,
+        capability: DiscoveryCapabilities.Jwks,
+    });
+}
+/**
+ * Returns the SMART token endpoint advertised by the DID Document.
+ */
+export function getSmartTokenEndpoint(didDocument) {
+    return selectServiceEndpoint(didDocument, {
+        id: DidServiceIds.SmartToken,
+        capability: DiscoveryCapabilities.SmartToken,
+    });
+}
+/**
+ * Collapses an actor DID into the owning organization/provider DID when the actor
+ * uses the current data-space member suffix conventions.
+ */
+export function getOrganizationDidFromIndividualDid(did) {
+    const markers = [':family:', ':employee:', ':member:'];
+    for (const marker of markers) {
+        const index = did.indexOf(marker);
+        if (index > -1) {
+            return did.slice(0, index);
+        }
+    }
+    return did;
+}
+/**
+ * Alias of `getOrganizationDidFromIndividualDid` kept for provider-centric callers.
+ */
+export function getProviderDidFromSubjectDid(did) {
+    return getOrganizationDidFromIndividualDid(did);
+}
+/**
+ * Infers the current actor kind from a DID naming convention.
+ *
+ * This helper is intentionally heuristic and should be treated as a convenience
+ * layer over the currently published DID patterns, not as an authorization decision.
+ */
+export function getActorKindFromDid(did) {
+    const normalized = String(did || '').trim().toLowerCase();
+    if (!normalized)
+        return 'unknown';
+    if (normalized.includes(':employee:')) {
+        return normalized.includes('resprsn') || normalized.includes('controller')
+            ? ActorKinds.OrganizationController
+            : ActorKinds.Professional;
+    }
+    if (normalized.includes(':family:') || normalized.includes(':member:')) {
+        return normalized.includes('oneself') || normalized.includes('controller')
+            ? ActorKinds.IndividualController
+            : ActorKinds.IndividualMember;
+    }
+    if (normalized.includes('host'))
+        return ActorKinds.HostOnboarding;
+    return 'unknown';
+}
+/**
+ * Builds a reusable DID resolution result from a raw DID Document.
+ */
+export function toDidResolutionResult(didDocument) {
+    return {
+        did: didDocument.id,
+        didDocument,
+        serviceEndpoints: resolveDidDocumentServices(didDocument),
+        jwksUri: getJwksServiceEndpoint(didDocument),
+    };
+}

package/dist/gdc-common-utils-ts/src/utils/did.d.ts

@@ -0,0 +1,124 @@
+import { ServiceEndpointSelector } from "../models/did";
+/**
+ * Generates a DID Service ID fragment from a selector object.
+ * The format is always `#<section>:<format>:<resourceType>:<action>`.
+ *
+ * This utility's only job is to correctly assemble the string. It contains no
+ * conditional logic about DID types, as that is handled by the data layer.
+ *
+ * @param selector The structured object containing the endpoint parts.
+ * @returns The formatted service ID fragment string.
+ */
+export declare function generateServiceId(selector: ServiceEndpointSelector): string;
+/**
+ * Normalizes a did:web string to a canonical format to prevent resolution errors
+ * due to case sensitivity in the path component of the underlying URL.
+ *
+ * The rule is:
+ * - All segments are lowercased, EXCEPT the final segment.
+ * - If the final segment represents a `system|code` pair (e.g., for a role),
+ *   the `system` part is lowercased, but the `code` is preserved as-is.
+ * - If the final segment is a unique identifier (like a Tax ID), it is preserved as-is.
+ *
+ * @param did The did:web string to normalize.
+ * @returns The canonicalized did:web string.
+ */
+export declare function normalizeDidWeb(did: string): string;
+/**
+* Creates the deterministic "hosted" did:web for a tenant (Organization).
+*
+* @param hostDidWeb The DID of the host (e.g., 'did:web:host.example.com').
+ * @param tenantId Canonical tenant identifier (for example a tax-ID based tenant id).
+* @param context An object containing jurisdiction, version, and sector.
+* @returns The tenant's full, correctly formatted hosted did:web.
+*          Example: 'did:web:host.example.com:acme:cds-es:v1:health-care'
+*/
+export declare function createHostedDidWeb(hostDidWeb: string, tenantId: string, context: {
+    jurisdiction: string;
+    version: string;
+    sector: string;
+}): string;
+/**
+ * Builds the canonical details (URL and did:web URN) for a hosted DID.
+ * This is the single source of truth for constructing hosted identifiers in the app.
+ *
+ * @param options An object with the components of the DID.
+ * @param options.host The provider's domain (e.g., 'provider.com').
+ * @param options.tenantId The canonical tenant identifier.
+ * @param options.alternateName Deprecated legacy alias kept only for backward compatibility.
+ * @param options.jurisdiction The legal jurisdiction (defaults to 'ES').
+ * @param options.sector The business sector (defaults to 'health-care').
+ * @returns An object with the full URL (with trailing /) and the canonical did:web.
+ */
+export declare function buildHostedDidDetails({ host, tenantId, alternateName, jurisdiction, sector, }: {
+    host: string;
+    tenantId?: string;
+    alternateName: string;
+    jurisdiction?: string;
+    sector?: string;
+}): {
+    did: string;
+    url: string;
+};
+/**
+* Converts a did:web identifier into a full HTTPS or HTTP base URL with a trailing slash.
+* It correctly decodes percent-encoded ports for local development.
+* @param did The did:web string (e.g., 'did:web:example.com' or 'did:web:localhost%3A3000:acme:cds-es:v1:health-care').
+* @returns The full base URL (e.g., 'https://example.com/acme/cds-es/v1/health-care/').
+*/
+export declare function getBaseUrlFromDidWeb(did: string): string;
+/**
+ * Builds the canonical hosted organization/tenant DID in the data space.
+ *
+ * This is a semantic alias over `createHostedDidWeb(...)` for callers that want
+ * the API name to reflect the organization role more explicitly.
+ *
+ * @param input.hostDidWeb Host/provider DID root such as `did:web:api.example.org`.
+ * @param input.tenantId Canonical tenant identifier used in the data space. In
+ * new integrations this should be the real tenant ID, typically tax-ID based.
+ * @param input.tenantAlternateName Deprecated legacy alias kept only for backward compatibility.
+ * @param input.jurisdiction Jurisdiction segment used in the hosted DID path.
+ * @param input.version API/version segment. Defaults to `v1`.
+ * @param input.sector Functional data-space sector such as `health-care`.
+ */
+export declare function buildOrganizationDidWeb(input: {
+    hostDidWeb: string;
+    tenantId?: string;
+    tenantAlternateName?: string;
+    jurisdiction: string;
+    version?: string;
+    sector: string;
+}): string;
+/**
+ * Builds a professional/member DID under a hosted organization DID.
+ *
+ * The stable actor identifier is derived from the email using multibase(base58btc(multihash(sha384))).
+ *
+ * @param input.organizationDidWeb Canonical hosted organization DID.
+ * @param input.email Professional email used to derive a stable member identifier.
+ * @param input.role Canonical role code such as `ISCO-08|2211`.
+ * @param input.deviceId Optional per-device suffix for device-bound identities.
+ */
+export declare function buildProfessionalDidWeb(input: {
+    organizationDidWeb: string;
+    email: string;
+    role: string;
+    deviceId?: string;
+}): string;
+/**
+ * Builds an individual/family DID under a hosted organization DID.
+ *
+ * `subjectId` should already be a stable logical subject identifier. If no
+ * relationship role is provided, the health-sector default (`ONESELF`) is used.
+ *
+ * @param input.organizationDidWeb Canonical hosted organization DID.
+ * @param input.subjectId Stable logical subject identifier.
+ * @param input.relationshipRole Optional HL7 relationship role claim.
+ * @param input.deviceId Optional per-device suffix for device-bound identities.
+ */
+export declare function buildIndividualDidWeb(input: {
+    organizationDidWeb: string;
+    subjectId: string;
+    relationshipRole?: string;
+    deviceId?: string;
+}): string;

package/dist/gdc-common-utils-ts/src/utils/did.js

@@ -0,0 +1,204 @@
+// crypto-ts/utils/did.ts
+// Copyright 2025 Antifraud Services Inc. under the Apache License, Version 2.0.
+import { encodeMultibaseSha384 } from './multibasehash';
+import { HL7_CLAIMS_CODING_SYSTEM, HL7_DEFAULT_ROLE_HEALTH } from '../constants/hl7-roles';
+/**
+ * Generates a DID Service ID fragment from a selector object.
+ * The format is always `#<section>:<format>:<resourceType>:<action>`.
+ *
+ * This utility's only job is to correctly assemble the string. It contains no
+ * conditional logic about DID types, as that is handled by the data layer.
+ *
+ * @param selector The structured object containing the endpoint parts.
+ * @returns The formatted service ID fragment string.
+ */
+export function generateServiceId(selector) {
+    // Canonical casing:
+    // - `section`, `format`, `resourceType` are matched case-insensitively by the backend router,
+    //   and lowercasing them makes DID Document lookup deterministic across SDKs.
+    // - `action` is kept as-is (future actions may be case-sensitive identifiers).
+    const parts = [
+        selector.section?.toLowerCase(),
+        selector.format?.toLowerCase(),
+        selector.resourceType?.toLowerCase(),
+        selector.action,
+    ];
+    return `#${parts.filter(p => p).join(':')}`;
+}
+/**
+ * Normalizes a did:web string to a canonical format to prevent resolution errors
+ * due to case sensitivity in the path component of the underlying URL.
+ *
+ * The rule is:
+ * - All segments are lowercased, EXCEPT the final segment.
+ * - If the final segment represents a `system|code` pair (e.g., for a role),
+ *   the `system` part is lowercased, but the `code` is preserved as-is.
+ * - If the final segment is a unique identifier (like a Tax ID), it is preserved as-is.
+ *
+ * @param did The did:web string to normalize.
+ * @returns The canonicalized did:web string.
+ */
+export function normalizeDidWeb(did) {
+    const parts = did.split(':');
+    if (parts[0] !== 'did' || parts[1] !== 'web' || parts.length < 3) {
+        // Not a valid did:web, return as is.
+        return did;
+    }
+    // Lowercase all parts except the very last one.
+    const lowercasedParts = parts.slice(0, -1).map(part => part.toLowerCase());
+    let lastPart = parts[parts.length - 1];
+    // Special handling for the last part if it contains a role descriptor.
+    if (lastPart.includes('|')) {
+        const [system, ...codeParts] = lastPart.split('|');
+        const code = codeParts.join('|'); // Re-join in case the code itself has a pipe.
+        lastPart = `${system.toLowerCase()}|${code}`;
+    }
+    return [...lowercasedParts, lastPart].join(':');
+}
+/**
+* Encodes a hostname according to did:web spec (percent-encodes port colons).
+* @param apiUrl The full base URL of the API.
+* @returns The percent-encoded hostname.
+*/
+function getEncodedHost(apiUrl) {
+    try {
+        const parsedUrl = new URL(apiUrl);
+        return parsedUrl.host.replace(':', '%3A');
+    }
+    catch (e) {
+        console.error(`[getEncodedHost] Invalid apiUrl provided: ${apiUrl}`);
+        return 'localhost'; // Fallback
+    }
+}
+/**
+* Creates the deterministic "hosted" did:web for a tenant (Organization).
+*
+* @param hostDidWeb The DID of the host (e.g., 'did:web:host.example.com').
+ * @param tenantId Canonical tenant identifier (for example a tax-ID based tenant id).
+* @param context An object containing jurisdiction, version, and sector.
+* @returns The tenant's full, correctly formatted hosted did:web.
+*          Example: 'did:web:host.example.com:acme:cds-es:v1:health-care'
+*/
+export function createHostedDidWeb(hostDidWeb, tenantId, context) {
+    const hostPart = hostDidWeb.replace(/^did:web:/, '');
+    // The path in a did:web uses colons as separators.
+    const didPath = `cds-${context.jurisdiction}:${context.version}:${context.sector}`;
+    return `did:web:${hostPart}:${tenantId}:${didPath}`;
+}
+/**
+ * Builds the canonical details (URL and did:web URN) for a hosted DID.
+ * This is the single source of truth for constructing hosted identifiers in the app.
+ *
+ * @param options An object with the components of the DID.
+ * @param options.host The provider's domain (e.g., 'provider.com').
+ * @param options.tenantId The canonical tenant identifier.
+ * @param options.alternateName Deprecated legacy alias kept only for backward compatibility.
+ * @param options.jurisdiction The legal jurisdiction (defaults to 'ES').
+ * @param options.sector The business sector (defaults to 'health-care').
+ * @returns An object with the full URL (with trailing /) and the canonical did:web.
+ */
+export function buildHostedDidDetails({ host, tenantId, alternateName, jurisdiction = 'ES', sector = 'health-care', }) {
+    const resolvedTenantId = String(tenantId || alternateName || '').trim();
+    if (!resolvedTenantId) {
+        throw new Error('buildHostedDidDetails requires tenantId.');
+    }
+    // 1. Build the path part of the DID/URL.
+    const pathPart = `${resolvedTenantId}/cds-${jurisdiction}/v1/${sector}`;
+    // 2. Build the full URL, ensuring a trailing slash.
+    const url = `https://${host}/${pathPart}/`;
+    // 3. Build the canonical did:web, replacing / with :.
+    const hostAndPath = `${host}/${pathPart}`;
+    const did = `did:web:${hostAndPath.replace(/\//g, ':')}`;
+    return { did, url };
+}
+/**
+* Converts a did:web identifier into a full HTTPS or HTTP base URL with a trailing slash.
+* It correctly decodes percent-encoded ports for local development.
+* @param did The did:web string (e.g., 'did:web:example.com' or 'did:web:localhost%3A3000:acme:cds-es:v1:health-care').
+* @returns The full base URL (e.g., 'https://example.com/acme/cds-es/v1/health-care/').
+*/
+export function getBaseUrlFromDidWeb(did) {
+    const didParts = did.replace(/^did:web:/, '').split(':');
+    const domainPart = didParts[0];
+    const pathParts = didParts.slice(1);
+    const decodedDomain = decodeURIComponent(domainPart);
+    const protocol = decodedDomain.startsWith('localhost') ? 'http' : 'https';
+    const path = pathParts.join('/').replace(/cds-(es|us|gb)/, (match, p1) => `cds-${p1.toUpperCase()}`);
+    // Ensure a trailing slash for the base URL, without double slashes when no path is present.
+    const normalizedPath = path ? `${path}/` : '';
+    return `${protocol}://${decodedDomain}/${normalizedPath}`;
+}
+/**
+ * Builds the canonical hosted organization/tenant DID in the data space.
+ *
+ * This is a semantic alias over `createHostedDidWeb(...)` for callers that want
+ * the API name to reflect the organization role more explicitly.
+ *
+ * @param input.hostDidWeb Host/provider DID root such as `did:web:api.example.org`.
+ * @param input.tenantId Canonical tenant identifier used in the data space. In
+ * new integrations this should be the real tenant ID, typically tax-ID based.
+ * @param input.tenantAlternateName Deprecated legacy alias kept only for backward compatibility.
+ * @param input.jurisdiction Jurisdiction segment used in the hosted DID path.
+ * @param input.version API/version segment. Defaults to `v1`.
+ * @param input.sector Functional data-space sector such as `health-care`.
+ */
+export function buildOrganizationDidWeb(input) {
+    const tenantId = String(input.tenantId || input.tenantAlternateName || '').trim();
+    if (!tenantId)
+        throw new Error('buildOrganizationDidWeb requires tenantId.');
+    return createHostedDidWeb(input.hostDidWeb, tenantId, {
+        jurisdiction: input.jurisdiction,
+        version: input.version || 'v1',
+        sector: input.sector,
+    });
+}
+/**
+ * Builds a professional/member DID under a hosted organization DID.
+ *
+ * The stable actor identifier is derived from the email using multibase(base58btc(multihash(sha384))).
+ *
+ * @param input.organizationDidWeb Canonical hosted organization DID.
+ * @param input.email Professional email used to derive a stable member identifier.
+ * @param input.role Canonical role code such as `ISCO-08|2211`.
+ * @param input.deviceId Optional per-device suffix for device-bound identities.
+ */
+export function buildProfessionalDidWeb(input) {
+    const normalizedEmail = String(input.email || '').trim().toLowerCase();
+    const role = String(input.role || '').trim();
+    if (!normalizedEmail)
+        throw new Error('buildProfessionalDidWeb requires email.');
+    if (!role)
+        throw new Error('buildProfessionalDidWeb requires role.');
+    const memberId = encodeMultibaseSha384(normalizedEmail);
+    return [
+        String(input.organizationDidWeb).trim(),
+        'employee',
+        memberId,
+        role,
+        input.deviceId ? String(input.deviceId).trim() : undefined,
+    ].filter(Boolean).join(':');
+}
+/**
+ * Builds an individual/family DID under a hosted organization DID.
+ *
+ * `subjectId` should already be a stable logical subject identifier. If no
+ * relationship role is provided, the health-sector default (`ONESELF`) is used.
+ *
+ * @param input.organizationDidWeb Canonical hosted organization DID.
+ * @param input.subjectId Stable logical subject identifier.
+ * @param input.relationshipRole Optional HL7 relationship role claim.
+ * @param input.deviceId Optional per-device suffix for device-bound identities.
+ */
+export function buildIndividualDidWeb(input) {
+    const subjectId = String(input.subjectId || '').trim();
+    if (!subjectId)
+        throw new Error('buildIndividualDidWeb requires subjectId.');
+    const role = String(input.relationshipRole || `${HL7_CLAIMS_CODING_SYSTEM}|${HL7_DEFAULT_ROLE_HEALTH}`).trim();
+    return [
+        String(input.organizationDidWeb).trim(),
+        'family',
+        subjectId,
+        role,
+        input.deviceId ? String(input.deviceId).trim() : undefined,
+    ].filter(Boolean).join(':');
+}

package/dist/gdc-common-utils-ts/src/utils/didcomm-submit-policy.d.ts

@@ -0,0 +1,10 @@
+export type CommunicationMode = 'plain' | 'strict' | 'auto-detect';
+export type DidcommSubmissionCapabilities = {
+    hasRecipientEncryptionJwk: boolean;
+};
+export type DidcommSubmissionPlan = {
+    mode: CommunicationMode;
+    submitKind: 'plain' | 'encrypted';
+    reason: 'plain-mode' | 'strict-mode' | 'auto-detect-encrypted' | 'auto-detect-plain';
+};
+export declare function resolveDidcommSubmissionPlan(mode: CommunicationMode, capabilities: DidcommSubmissionCapabilities): DidcommSubmissionPlan;

package/dist/gdc-common-utils-ts/src/utils/didcomm-submit-policy.js

@@ -0,0 +1,15 @@
+export function resolveDidcommSubmissionPlan(mode, capabilities) {
+    if (mode === 'plain') {
+        return { mode, submitKind: 'plain', reason: 'plain-mode' };
+    }
+    if (mode === 'strict') {
+        if (!capabilities.hasRecipientEncryptionJwk) {
+            throw new Error('strict mode requires recipient encryption JWK.');
+        }
+        return { mode, submitKind: 'encrypted', reason: 'strict-mode' };
+    }
+    if (capabilities.hasRecipientEncryptionJwk) {
+        return { mode, submitKind: 'encrypted', reason: 'auto-detect-encrypted' };
+    }
+    return { mode, submitKind: 'plain', reason: 'auto-detect-plain' };
+}

package/dist/gdc-common-utils-ts/src/utils/didcomm-submit.d.ts

@@ -0,0 +1,48 @@
+import { CommunicationMode } from './didcomm-submit-policy';
+export type DidcommFetchInit = {
+    method: 'POST';
+    headers: Record<string, string>;
+    body: string;
+};
+export type DidcommFetchResponse = {
+    status: number;
+    headers?: {
+        get(name: string): string | null;
+    };
+    json?: () => Promise<unknown>;
+    text?: () => Promise<string>;
+};
+export type DidcommFetchLike = (url: string, init: DidcommFetchInit) => Promise<DidcommFetchResponse>;
+export type DidcommSubmitInput = {
+    mode: CommunicationMode;
+    url: string;
+    payload: Record<string, unknown>;
+    defaultHeaders?: Record<string, string>;
+    bearerToken?: string;
+    recipientEncryptionJwk?: unknown;
+    fetcher: DidcommFetchLike;
+    signCompactJws?: (claims: Record<string, unknown>) => Promise<string>;
+    encryptCompactJwe?: (compactJws: string, recipientEncryptionJwk: unknown) => Promise<string>;
+};
+export type DidcommSubmitResult = {
+    status: number;
+    location?: string;
+    body: unknown;
+    submitKind: 'plain' | 'encrypted';
+    contentType: 'application/didcomm-plaintext+json' | 'application/didcomm-encrypted+json';
+};
+/**
+ * Submits a DIDComm payload using either plaintext or encrypted transport,
+ * depending on the resolved submission policy.
+ *
+ * @param input.mode Communication mode that drives plain vs encrypted submission.
+ * @param input.url Target endpoint URL.
+ * @param input.payload DIDComm payload body to submit.
+ * @param input.defaultHeaders Optional extra request headers.
+ * @param input.bearerToken Optional bearer token.
+ * @param input.recipientEncryptionJwk Recipient public key for encrypted mode.
+ * @param input.fetcher Runtime fetch-like implementation.
+ * @param input.signCompactJws Callback used to sign plaintext claims before encryption.
+ * @param input.encryptCompactJwe Callback used to encrypt the signed JWS.
+ */
+export declare function submitDidcomm(input: DidcommSubmitInput): Promise<DidcommSubmitResult>;