gdc-sdk-node-ts 2.0.9 → 2.0.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -63,50 +63,42 @@ If you are integrating this package for the first time, open these in order:
63
63
  1. [gdc-sdk-core-ts/docs/101-SDK_PACKAGE_BOUNDARIES.md](https://github.com/Global-DataCare/gdc-sdk-core-ts/blob/main/docs/101-SDK_PACKAGE_BOUNDARIES.md)
64
64
  Why `core`, `node`, and `front` are separate packages, what belongs in each
65
65
  one, and why actor-scoped facades must stay aligned across runtimes.
66
- 1. [tests/101-live-full-cycle-bff-runtime.e2e.test.mjs](./tests/101-live-full-cycle-bff-runtime.e2e.test.mjs)
67
- Canonical live backend/BFF walkthrough on a fresh local GW lifecycle:
68
- host/tenant activation, employee provisioning, individual bootstrap,
69
- consent grant, professional SMART token, clinical read, and final cleanup.
70
- 1. [tests/101-backend-profile-runtime.test.mjs](./tests/101-backend-profile-runtime.test.mjs)
71
- Minimal backend-generic walkthrough for loading one actor profile,
72
- registering one trusted device/runtime context, connecting to one subject
73
- index, reading one subject index composition, and then materializing the
74
- `IndividualController` facade from the loaded backend session.
75
- That walkthrough now uses the concrete direct backend runtime over the
76
- injected `RuntimeClient`, not only one abstract adapter mock, and now also
77
- demonstrates in-memory `JobManager` usage plus `closeProfile(...)`.
78
- 1. [tests/101-individual-controller-backend-runtime.test.mjs](./tests/101-individual-controller-backend-runtime.test.mjs)
79
- First pragmatic backend wrapper over the generic profile runtime for the
80
- current individual-controller CORE baseline:
81
- load profile, start registration, confirm order, and search the clinical
82
- index.
83
- 1. [docs/V2_INDIVIDUAL_REGISTRATION_RECONCILIATION.md](./docs/V2_INDIVIDUAL_REGISTRATION_RECONCILIATION.md)
84
- Reconciles the old consumer flow with the current CORE registration baseline
85
- and separates the stable registration base from later product extensions.
86
66
  1. [docs/101-SDK_END_TO_END.md](./docs/101-SDK_END_TO_END.md)
87
67
  Ordered onboarding guide with end-to-end journeys, copy/paste snippets, and
88
68
  the recommended reading path for new backend integrators.
89
69
  2. [docs/101-SDK_INTEGRATION.md](./docs/101-SDK_INTEGRATION.md)
90
- Real backend setup, imports, `initializeCommunicationIdentity(...)`,
91
- `new NodeHttpClient(...)`, route context, facade selection, and live method
92
- usage.
93
- 3. [docs/101-LIVE_GW_LOCAL.md](./docs/101-LIVE_GW_LOCAL.md)
70
+ Real backend setup plus the public runtime entrypoints:
71
+ `HostOnboardingSdk`, `OrganizationControllerSdk`,
72
+ `IndividualControllerSdk`, `ProfessionalSdk`, and route-context usage.
73
+ 3. [tests/101-live-full-cycle-bff-runtime.e2e.test.mjs](./tests/101-live-full-cycle-bff-runtime.e2e.test.mjs)
74
+ Canonical live backend/BFF walkthrough on a fresh local GW lifecycle:
75
+ host/tenant activation, employee provisioning, individual bootstrap,
76
+ consent grant, professional SMART token, clinical read, and final cleanup.
77
+ 4. [docs/101-LIVE_GW_LOCAL.md](./docs/101-LIVE_GW_LOCAL.md)
94
78
  Exact TTY/local/Docker commands for running the SDK against a real local GW
95
79
  CORE, including tenant bootstrap and employee-seat setup.
96
- 4. [docs/101-DISCOVERY.md](./docs/101-DISCOVERY.md)
80
+ 5. [docs/101-DISCOVERY.md](./docs/101-DISCOVERY.md)
97
81
  Node/BFF dataspace discovery, hosting-operator resolution, provider
98
82
  resolution, and the correct integration boundary for fallback and cache.
99
- 5. [gdc-sdk-core-ts/docs/101-SDK_FLOWS.md](https://github.com/Global-DataCare/gdc-sdk-core-ts/blob/main/docs/101-SDK_FLOWS.md)
83
+ 6. [gdc-sdk-core-ts/docs/101-SDK_FLOWS.md](https://github.com/Global-DataCare/gdc-sdk-core-ts/blob/main/docs/101-SDK_FLOWS.md)
100
84
  Actor split and business-flow map across organization, individual,
101
85
  permissions, invitation, import, and SMART flows.
102
- 6. [gwtemplate-node-ts/docs/PORTAL_API_TO_GW_CORE.md](https://github.com/Global-DataCare/gwtemplate-node-ts/blob/main/docs/PORTAL_API_TO_GW_CORE.md)
86
+ 7. [gwtemplate-node-ts/docs/PORTAL_API_TO_GW_CORE.md](https://github.com/Global-DataCare/gwtemplate-node-ts/blob/main/docs/PORTAL_API_TO_GW_CORE.md)
103
87
  Canonical portal/BFF functional map over GW CORE, including the domain
104
88
  split between `employees`, `related persons`, `members`, and `consents`.
105
- 7. [gdc-common-utils-ts/src/examples/](https://github.com/Global-DataCare/gdc-common-utils-ts/tree/main/src/examples)
89
+ 8. [gdc-common-utils-ts/src/examples/](https://github.com/Global-DataCare/gdc-common-utils-ts/tree/main/src/examples)
106
90
  Shared payload values used by the docs and tests.
107
- 8. [gdc-common-utils-ts/docs/101-LIFECYCLE.md](https://github.com/Global-DataCare/gdc-common-utils-ts/blob/main/docs/101-LIFECYCLE.md)
91
+ 9. [gdc-common-utils-ts/docs/101-LIFECYCLE.md](https://github.com/Global-DataCare/gdc-common-utils-ts/blob/main/docs/101-LIFECYCLE.md)
108
92
  Canonical `enable/disable/delete` semantics and copy/paste placeholders.
109
- 9. [docs/NEXT_STEPS.md](./docs/NEXT_STEPS.md)
93
+ 10. [tests/101-backend-profile-runtime.test.mjs](./tests/101-backend-profile-runtime.test.mjs)
94
+ Technical runtime slice for profile/device/session orchestration internals.
95
+ Read this after the public actor SDK guides, not before them.
96
+ 11. [tests/101-individual-controller-backend-runtime.test.mjs](./tests/101-individual-controller-backend-runtime.test.mjs)
97
+ Technical wrapper slice around the generic profile runtime. This is not the
98
+ main onboarding path for new integrators.
99
+ 12. [docs/V2_INDIVIDUAL_REGISTRATION_RECONCILIATION.md](./docs/V2_INDIVIDUAL_REGISTRATION_RECONCILIATION.md)
100
+ Historical reconciliation note for the current CORE registration baseline.
101
+ 13. [docs/NEXT_STEPS.md](./docs/NEXT_STEPS.md)
110
102
  Follow-up scope after GW CORE live validation, including the future user job
111
103
  manager boundary.
112
104
 
@@ -114,6 +106,9 @@ If you need the shortest path:
114
106
 
115
107
  - main onboarding guide:
116
108
  [docs/101-SDK_END_TO_END.md](./docs/101-SDK_END_TO_END.md)
109
+ - first public actor surfaces:
110
+ `HostOnboardingSdk`, `OrganizationControllerSdk`,
111
+ `IndividualControllerSdk`, `ProfessionalSdk`
117
112
  - GW CORE app identity:
118
113
  `appId` mandatory, `appVersion` optional with default `v1.0`
119
114
  - backend technical identity:
@@ -130,7 +125,7 @@ Current live teaching target:
130
125
 
131
126
  - the main executable tutorial for integrators is now:
132
127
  [tests/101-live-full-cycle-bff-runtime.e2e.test.mjs](tests/101-live-full-cycle-bff-runtime.e2e.test.mjs)
133
- - the standalone actor-profile suites still exist as focused technical slices:
128
+ - the standalone actor-profile suites still exist only as focused technical slices:
134
129
  - [tests/live-profile-runtime-individual.e2e.test.mjs](tests/live-profile-runtime-individual.e2e.test.mjs)
135
130
  - [tests/live-profile-runtime-professional.e2e.test.mjs](tests/live-profile-runtime-professional.e2e.test.mjs)
136
131
  - the larger runtime suite remains the regression-oriented environment proof:
@@ -208,7 +203,7 @@ Current live `101` flow covered by the test suite:
208
203
  Run the main live `101`:
209
204
 
210
205
  ```bash
211
- npm run test:e2e:101:live-full-cycle
206
+ npm run test:e2e:live-full-cycle
212
207
  ```
213
208
 
214
209
  What is still not fully covered as one single root lifecycle:
@@ -694,6 +689,9 @@ Existing-tenant recovery/reverification:
694
689
  or directly `_exchange -> _dcr`
695
690
  - for a reproducible local/staging runtime check, use:
696
691
  `npm run test:e2e:live-gw:issue-recovery`
692
+ - for the deterministic controller-lifecycle contract that also proves
693
+ post-registration seat preservation and final tenant teardown, use:
694
+ [docs/101-ORGANIZATION_CONTROLLER_LIFECYCLE.md](docs/101-ORGANIZATION_CONTROLLER_LIFECYCLE.md)
697
695
 
698
696
  Rules:
699
697
 
@@ -0,0 +1,47 @@
1
+ import type { IVaultRepository, UserProfileLookupKey } from 'gdc-sdk-core-ts';
2
+ import type { UserProfileIndexRecord } from './UserProfileIndexStore.types.js';
3
+ export type { UserProfileIndexRecord } from './UserProfileIndexStore.types.js';
4
+ /**
5
+ * Node/server persistence adapter for hashed local user-profile indexes.
6
+ *
7
+ * Responsibilities:
8
+ * - store ordered local profile indexes
9
+ * - list stored index documents
10
+ * - resolve one index by hashed lookup key before PIN unlock
11
+ *
12
+ * Non-responsibilities:
13
+ * - hashing raw email/phone input
14
+ * - unlocking profiles with PIN
15
+ * - storing seeds or decrypted private key material
16
+ */
17
+ export declare class UserProfileIndexStore {
18
+ private readonly vault;
19
+ constructor(vault: IVaultRepository);
20
+ /**
21
+ * Initializes the underlying storage adapter.
22
+ */
23
+ initialize(): Promise<void>;
24
+ /**
25
+ * Creates or replaces one stored user-profile index record.
26
+ */
27
+ upsert(record: UserProfileIndexRecord): Promise<UserProfileIndexRecord>;
28
+ /**
29
+ * Returns every stored user-profile index record.
30
+ */
31
+ list(): Promise<UserProfileIndexRecord[]>;
32
+ /**
33
+ * Returns one stored index by storage id.
34
+ */
35
+ get(id: string): Promise<UserProfileIndexRecord | undefined>;
36
+ /**
37
+ * Resolves the first stored index that contains the given hashed lookup key.
38
+ *
39
+ * This intentionally compares hashed lookup tokens only. Raw phone/email
40
+ * values are outside this store contract.
41
+ */
42
+ findByLookup(lookup: UserProfileLookupKey): Promise<UserProfileIndexRecord | undefined>;
43
+ /**
44
+ * Deletes one stored index by storage id.
45
+ */
46
+ remove(id: string): Promise<boolean>;
47
+ }
@@ -0,0 +1,66 @@
1
+ // Copyright 2026 Antifraud Services Inc. under the Apache License, Version 2.0.
2
+ const COLLECTION = 'user-profile-index';
3
+ /**
4
+ * Node/server persistence adapter for hashed local user-profile indexes.
5
+ *
6
+ * Responsibilities:
7
+ * - store ordered local profile indexes
8
+ * - list stored index documents
9
+ * - resolve one index by hashed lookup key before PIN unlock
10
+ *
11
+ * Non-responsibilities:
12
+ * - hashing raw email/phone input
13
+ * - unlocking profiles with PIN
14
+ * - storing seeds or decrypted private key material
15
+ */
16
+ export class UserProfileIndexStore {
17
+ constructor(vault) {
18
+ this.vault = vault;
19
+ }
20
+ /**
21
+ * Initializes the underlying storage adapter.
22
+ */
23
+ async initialize() {
24
+ await this.vault.initialize();
25
+ }
26
+ /**
27
+ * Creates or replaces one stored user-profile index record.
28
+ */
29
+ async upsert(record) {
30
+ await this.vault.put(COLLECTION, record);
31
+ return record;
32
+ }
33
+ /**
34
+ * Returns every stored user-profile index record.
35
+ */
36
+ async list() {
37
+ return this.vault.query(COLLECTION, {});
38
+ }
39
+ /**
40
+ * Returns one stored index by storage id.
41
+ */
42
+ async get(id) {
43
+ return this.vault.get(COLLECTION, id);
44
+ }
45
+ /**
46
+ * Resolves the first stored index that contains the given hashed lookup key.
47
+ *
48
+ * This intentionally compares hashed lookup tokens only. Raw phone/email
49
+ * values are outside this store contract.
50
+ */
51
+ async findByLookup(lookup) {
52
+ const records = await this.list();
53
+ return records.find((record) => record.lookup.some((item) => lookupEquals(item, lookup)));
54
+ }
55
+ /**
56
+ * Deletes one stored index by storage id.
57
+ */
58
+ async remove(id) {
59
+ return this.vault.delete(COLLECTION, id);
60
+ }
61
+ }
62
+ function lookupEquals(left, right) {
63
+ return left.kind === right.kind
64
+ && left.algorithm === right.algorithm
65
+ && left.value === right.value;
66
+ }
@@ -0,0 +1,16 @@
1
+ import type { UserProfileIndex } from 'gdc-sdk-core-ts';
2
+ /**
3
+ * Persisted local user-profile index document for node/server runtimes.
4
+ *
5
+ * The shared `UserProfileIndex` contract from `gdc-sdk-core-ts` is
6
+ * runtime-neutral and intentionally omits any storage identifier. Node
7
+ * runtimes need a stable document id so one logical index record can be
8
+ * replaced atomically in a concrete vault adapter such as Firestore, Redis,
9
+ * SQLite, or an in-memory test vault.
10
+ */
11
+ export interface UserProfileIndexRecord extends UserProfileIndex {
12
+ /**
13
+ * Stable storage identifier for one local profile-index document.
14
+ */
15
+ id: string;
16
+ }
@@ -0,0 +1,2 @@
1
+ // Copyright 2026 Antifraud Services Inc. under the Apache License, Version 2.0.
2
+ export {};
package/dist/index.d.ts CHANGED
@@ -19,6 +19,10 @@ export * from './order-offer-summary.js';
19
19
  export * from './organization-license-order.js';
20
20
  export * from './resource-operations.js';
21
21
  export * from './profile-workspace.js';
22
+ export * from './UserProfileIndexStore.js';
23
+ export * from './wallet-backed-job-manager.js';
24
+ export * from './node-crypto-helper.js';
25
+ export * from './node-managed-wallet.js';
22
26
  export * from './constants/lifecycle.js';
23
27
  export * from './consent-claim-helpers.js';
24
28
  export * from './session.js';
package/dist/index.js CHANGED
@@ -20,6 +20,10 @@ export * from './order-offer-summary.js';
20
20
  export * from './organization-license-order.js';
21
21
  export * from './resource-operations.js';
22
22
  export * from './profile-workspace.js';
23
+ export * from './UserProfileIndexStore.js';
24
+ export * from './wallet-backed-job-manager.js';
25
+ export * from './node-crypto-helper.js';
26
+ export * from './node-managed-wallet.js';
23
27
  export * from './constants/lifecycle.js';
24
28
  export * from './consent-claim-helpers.js';
25
29
  export * from './session.js';
@@ -1,6 +1,13 @@
1
1
  // Copyright 2026 Antifraud Services Inc. under the Apache License, Version 2.0.
2
2
  import { resolvePollOptionsFromSeconds } from './poll-options.js';
3
3
  export async function confirmIndividualOrganizationOrderWithDeps(deps) {
4
+ /**
5
+ * Programming rule:
6
+ * - `offerId` here must come from the commercial individual/family bootstrap
7
+ * response
8
+ * - this helper must not be used for embedded legacy individual registration
9
+ * responses that do not mint an Offer
10
+ */
4
11
  const offerId = String(deps.input.offerId || '').trim();
5
12
  if (!offerId) {
6
13
  throw new Error('confirmIndividualOrganizationOrder requires offerId.');
@@ -64,6 +64,15 @@ export async function startIndividualOrganizationWithDeps(deps) {
64
64
  });
65
65
  const registration = await deps.submitAndPoll(deps.individualFamilyOrganizationBatchPath(deps.routeCtx), deps.individualFamilyOrganizationPollPath(deps.routeCtx), registrationPayload, pollOptions);
66
66
  deps.assertFirstDidcommEntrySuccess?.(registration, 'startIndividualOrganization.registration');
67
+ /**
68
+ * Commercial contract for this SDK path:
69
+ * - this helper targets the family/individual commercial bootstrap flow
70
+ * - the registration response must expose one Offer identifier
71
+ * - the caller must later confirm that Offer through `Order/_batch`
72
+ *
73
+ * This helper must therefore fail fast if the underlying GW route behaves
74
+ * like the embedded non-commercial individual registration flow instead.
75
+ */
67
76
  const offerId = deps.getOfferIdFromResponse(registration);
68
77
  if (!offerId) {
69
78
  throw new Error('startIndividualOrganization failed: missing offerId in registration response.');
@@ -0,0 +1,19 @@
1
+ import type { ICryptoHelper } from 'gdc-common-utils-ts/interfaces/ICryptoHelper';
2
+ /**
3
+ * Node.js implementation of the low-level crypto helper contract used by
4
+ * `CryptographyService` and managed wallet adapters.
5
+ */
6
+ export declare class NodeCryptoHelper implements ICryptoHelper {
7
+ /**
8
+ * Returns cryptographically secure random bytes from the Node runtime.
9
+ */
10
+ getRandomBytes(byteCount: number): Promise<Uint8Array>;
11
+ /**
12
+ * Computes a digest for the provided string using one Node-supported hash algorithm.
13
+ */
14
+ digestString(data: string, algorithm: string): Promise<string>;
15
+ /**
16
+ * Returns a cryptographically secure UUID v4 from the Node runtime.
17
+ */
18
+ randomUUID(): string;
19
+ }
@@ -0,0 +1,27 @@
1
+ // Copyright 2026 Antifraud Services Inc. under the Apache License, Version 2.0.
2
+ import { createHash, randomBytes, randomUUID } from 'crypto';
3
+ /**
4
+ * Node.js implementation of the low-level crypto helper contract used by
5
+ * `CryptographyService` and managed wallet adapters.
6
+ */
7
+ export class NodeCryptoHelper {
8
+ /**
9
+ * Returns cryptographically secure random bytes from the Node runtime.
10
+ */
11
+ async getRandomBytes(byteCount) {
12
+ return randomBytes(byteCount);
13
+ }
14
+ /**
15
+ * Computes a digest for the provided string using one Node-supported hash algorithm.
16
+ */
17
+ async digestString(data, algorithm) {
18
+ const normalized = String(algorithm).replace(/-/g, '').toLowerCase();
19
+ return createHash(normalized).update(data, 'utf8').digest('hex');
20
+ }
21
+ /**
22
+ * Returns a cryptographically secure UUID v4 from the Node runtime.
23
+ */
24
+ randomUUID() {
25
+ return randomUUID();
26
+ }
27
+ }
@@ -0,0 +1,154 @@
1
+ import { CryptographyService } from 'gdc-common-utils-ts/CryptographyService';
2
+ import type { ICryptoHelper } from 'gdc-common-utils-ts/interfaces/ICryptoHelper';
3
+ import type { IWallet, WalletAlgorithm, WalletCompactJweRequest, WalletCompactJwsRequest, WalletDetachedJwsRequest, WalletExecutionContext, WalletKeyDescriptor, WalletKeyPurpose, WalletKeySelection, WalletPackOptions, WalletProvisionRequest, WalletUnpackOptions } from 'gdc-sdk-core-ts';
4
+ import type { JWK, JwkSet } from 'gdc-common-utils-ts/models/jwk';
5
+ export type NodeManagedWalletPolicy = {
6
+ defaults: Partial<Record<WalletKeyPurpose, WalletAlgorithm>>;
7
+ };
8
+ export type NodeManagedWalletOptions = {
9
+ cryptoHelper?: ICryptoHelper;
10
+ cryptography?: CryptographyService;
11
+ resolveRecipientJwk?: (recipientDid: string) => Promise<JWK>;
12
+ policy?: Partial<NodeManagedWalletPolicy>;
13
+ };
14
+ /**
15
+ * Node-focused managed wallet implementation for BFF, portal, and backend flows.
16
+ *
17
+ * This adapter keeps actor/profile keys separate from runtime/channel keys and
18
+ * exposes one shared `IWallet` contract suitable for:
19
+ * - user/domain signing
20
+ * - OpenID/JWT signing
21
+ * - DIDComm-style transport wrapping
22
+ * - confidential document protection
23
+ */
24
+ export declare class NodeManagedWallet implements IWallet {
25
+ private readonly cryptoHelper;
26
+ private readonly cryptography;
27
+ private readonly resolveRecipientJwk?;
28
+ private readonly policy;
29
+ private readonly owners;
30
+ /**
31
+ * Creates one managed wallet backed by `CryptographyService` and Node crypto.
32
+ */
33
+ constructor(options?: NodeManagedWalletOptions);
34
+ /**
35
+ * Legacy provisioning shape kept for app compatibility.
36
+ *
37
+ * It provisions one profile-owned signing key, one runtime communication
38
+ * signing key, and one runtime communication encryption key while returning
39
+ * the signing/encryption public keys expected by older app-facing flows.
40
+ */
41
+ provisionKeys(entityId: string): Promise<JwkSet>;
42
+ /**
43
+ * Rich provisioning shape for actor/profile keys and runtime/channel keys.
44
+ */
45
+ provisionManagedKeys(context: WalletExecutionContext, request: WalletProvisionRequest): Promise<JwkSet>;
46
+ /**
47
+ * Returns the currently available public JWKs for the selected context and filter.
48
+ */
49
+ getPublicJwks(context?: WalletExecutionContext, filter?: WalletKeySelection): Promise<WalletKeyDescriptor[]>;
50
+ /**
51
+ * Computes a digest of a string using the configured runtime helper.
52
+ */
53
+ digest(data: string, algorithm: string): Promise<string>;
54
+ /**
55
+ * Protects one confidential document using one owner-specific symmetric storage key.
56
+ */
57
+ protectConfidentialData(doc: any, entityId: string): Promise<any>;
58
+ /**
59
+ * Protects one confidential document using the richer execution-context model.
60
+ */
61
+ protectManagedConfidentialData(doc: any, context: WalletExecutionContext, _options?: {
62
+ key?: WalletKeySelection;
63
+ }): Promise<any>;
64
+ /**
65
+ * Decrypts one confidential document using the legacy entity id shape.
66
+ */
67
+ unprotectConfidentialData(doc: any, entityId: string): Promise<any>;
68
+ /**
69
+ * Decrypts one confidential document using the richer execution-context model.
70
+ */
71
+ unprotectManagedConfidentialData(doc: any, context: WalletExecutionContext, _options?: {
72
+ key?: WalletKeySelection;
73
+ }): Promise<any>;
74
+ /**
75
+ * Signs arbitrary bytes or one UTF-8 string using the selected managed key.
76
+ */
77
+ sign(payload: Uint8Array | string, context: WalletExecutionContext, options: WalletKeySelection): Promise<string>;
78
+ /**
79
+ * Verifies one signature against the provided public JWK.
80
+ */
81
+ verify(payload: Uint8Array | string, signature: string, jwk: JWK, options?: {
82
+ alg?: WalletAlgorithm;
83
+ }): Promise<boolean>;
84
+ /**
85
+ * Encrypts one payload for the provided recipient public JWK.
86
+ */
87
+ encrypt(plaintext: Uint8Array | string, recipientJwk: JWK, options?: {
88
+ context?: WalletExecutionContext;
89
+ key?: WalletKeySelection;
90
+ contentType?: string;
91
+ }): Promise<string>;
92
+ /**
93
+ * Decrypts one ciphertext using one selected local encryption key.
94
+ */
95
+ decrypt(ciphertext: string, context: WalletExecutionContext, options?: {
96
+ key?: WalletKeySelection;
97
+ }): Promise<Uint8Array>;
98
+ /**
99
+ * Builds one compact JWS using one managed signing key.
100
+ */
101
+ signCompactJws(context: WalletExecutionContext, request: WalletCompactJwsRequest): Promise<string>;
102
+ /**
103
+ * Builds one detached compact JWS using one managed signing key.
104
+ */
105
+ signDetachedJws(context: WalletExecutionContext, request: WalletDetachedJwsRequest): Promise<string>;
106
+ /**
107
+ * Builds one compact JWE using one selected local ML-KEM key and one recipient public JWK.
108
+ */
109
+ buildCompactJwe(context: WalletExecutionContext, request: WalletCompactJweRequest): Promise<string>;
110
+ /**
111
+ * Decrypts one compact JWE using one selected local ML-KEM key.
112
+ */
113
+ decryptCompactJwe(jwe: string, context: WalletExecutionContext, options: {
114
+ key: WalletKeySelection;
115
+ }): Promise<Uint8Array>;
116
+ /**
117
+ * Legacy pack shape retained for app compatibility.
118
+ */
119
+ packForRecipient(content: any, recipientDid: string): Promise<string>;
120
+ /**
121
+ * Packs one payload into a transport envelope signed and encrypted by the runtime.
122
+ */
123
+ packForRecipientWithContext(content: any, recipientDidOrJwk: string | JWK, options: WalletPackOptions): Promise<string>;
124
+ /**
125
+ * Legacy unpack shape retained for app compatibility.
126
+ */
127
+ unpack(packedMessage: string): Promise<{
128
+ content: any;
129
+ meta: any;
130
+ }>;
131
+ /**
132
+ * Unpacks one transport envelope and returns the decoded business payload plus JOSE metadata.
133
+ */
134
+ unpackWithContext(packedMessage: string, options: WalletUnpackOptions): Promise<{
135
+ content: any;
136
+ meta: any;
137
+ }>;
138
+ private getOrCreateOwnerState;
139
+ private tryGetOwnerState;
140
+ private resolveOwnerId;
141
+ private resolveStorageOwnerId;
142
+ private createManagedKey;
143
+ private createStorageKey;
144
+ private requireStorageKey;
145
+ private requireManagedKey;
146
+ private inferRelevantScopes;
147
+ private matchesSelection;
148
+ private resolveAlgorithmForPurpose;
149
+ private deriveSignerSeed;
150
+ private deriveSeedBytes;
151
+ private deriveDeterministicBlock;
152
+ private resolveNodeDigestForAlgorithm;
153
+ private resolveRecipientPublicJwk;
154
+ }