gdc-sdk-node-ts 2.0.9 → 2.0.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +30 -32
- package/dist/UserProfileIndexStore.d.ts +47 -0
- package/dist/UserProfileIndexStore.js +66 -0
- package/dist/UserProfileIndexStore.types.d.ts +16 -0
- package/dist/UserProfileIndexStore.types.js +2 -0
- package/dist/index.d.ts +4 -0
- package/dist/index.js +4 -0
- package/dist/individual-onboarding.js +7 -0
- package/dist/individual-start.js +9 -0
- package/dist/node-crypto-helper.d.ts +19 -0
- package/dist/node-crypto-helper.js +27 -0
- package/dist/node-managed-wallet.d.ts +154 -0
- package/dist/node-managed-wallet.js +604 -0
- package/dist/node-runtime-client.d.ts +25 -0
- package/dist/node-runtime-client.js +25 -0
- package/dist/orchestration/host-onboarding-sdk.d.ts +6 -0
- package/dist/orchestration/host-onboarding-sdk.js +6 -0
- package/dist/organization-controller-recovery.js +6 -0
- package/dist/resource-operations.d.ts +13 -3
- package/dist/resource-operations.js +10 -0
- package/dist/wallet-backed-job-manager.d.ts +19 -0
- package/dist/wallet-backed-job-manager.js +301 -0
- package/dist/wallet-backed-job-manager.types.d.ts +57 -0
- package/dist/wallet-backed-job-manager.types.js +2 -0
- package/package.json +7 -4
package/README.md
CHANGED
|
@@ -63,50 +63,42 @@ If you are integrating this package for the first time, open these in order:
|
|
|
63
63
|
1. [gdc-sdk-core-ts/docs/101-SDK_PACKAGE_BOUNDARIES.md](https://github.com/Global-DataCare/gdc-sdk-core-ts/blob/main/docs/101-SDK_PACKAGE_BOUNDARIES.md)
|
|
64
64
|
Why `core`, `node`, and `front` are separate packages, what belongs in each
|
|
65
65
|
one, and why actor-scoped facades must stay aligned across runtimes.
|
|
66
|
-
1. [tests/101-live-full-cycle-bff-runtime.e2e.test.mjs](./tests/101-live-full-cycle-bff-runtime.e2e.test.mjs)
|
|
67
|
-
Canonical live backend/BFF walkthrough on a fresh local GW lifecycle:
|
|
68
|
-
host/tenant activation, employee provisioning, individual bootstrap,
|
|
69
|
-
consent grant, professional SMART token, clinical read, and final cleanup.
|
|
70
|
-
1. [tests/101-backend-profile-runtime.test.mjs](./tests/101-backend-profile-runtime.test.mjs)
|
|
71
|
-
Minimal backend-generic walkthrough for loading one actor profile,
|
|
72
|
-
registering one trusted device/runtime context, connecting to one subject
|
|
73
|
-
index, reading one subject index composition, and then materializing the
|
|
74
|
-
`IndividualController` facade from the loaded backend session.
|
|
75
|
-
That walkthrough now uses the concrete direct backend runtime over the
|
|
76
|
-
injected `RuntimeClient`, not only one abstract adapter mock, and now also
|
|
77
|
-
demonstrates in-memory `JobManager` usage plus `closeProfile(...)`.
|
|
78
|
-
1. [tests/101-individual-controller-backend-runtime.test.mjs](./tests/101-individual-controller-backend-runtime.test.mjs)
|
|
79
|
-
First pragmatic backend wrapper over the generic profile runtime for the
|
|
80
|
-
current individual-controller CORE baseline:
|
|
81
|
-
load profile, start registration, confirm order, and search the clinical
|
|
82
|
-
index.
|
|
83
|
-
1. [docs/V2_INDIVIDUAL_REGISTRATION_RECONCILIATION.md](./docs/V2_INDIVIDUAL_REGISTRATION_RECONCILIATION.md)
|
|
84
|
-
Reconciles the old consumer flow with the current CORE registration baseline
|
|
85
|
-
and separates the stable registration base from later product extensions.
|
|
86
66
|
1. [docs/101-SDK_END_TO_END.md](./docs/101-SDK_END_TO_END.md)
|
|
87
67
|
Ordered onboarding guide with end-to-end journeys, copy/paste snippets, and
|
|
88
68
|
the recommended reading path for new backend integrators.
|
|
89
69
|
2. [docs/101-SDK_INTEGRATION.md](./docs/101-SDK_INTEGRATION.md)
|
|
90
|
-
Real backend setup
|
|
91
|
-
`
|
|
92
|
-
usage.
|
|
93
|
-
3. [
|
|
70
|
+
Real backend setup plus the public runtime entrypoints:
|
|
71
|
+
`HostOnboardingSdk`, `OrganizationControllerSdk`,
|
|
72
|
+
`IndividualControllerSdk`, `ProfessionalSdk`, and route-context usage.
|
|
73
|
+
3. [tests/101-live-full-cycle-bff-runtime.e2e.test.mjs](./tests/101-live-full-cycle-bff-runtime.e2e.test.mjs)
|
|
74
|
+
Canonical live backend/BFF walkthrough on a fresh local GW lifecycle:
|
|
75
|
+
host/tenant activation, employee provisioning, individual bootstrap,
|
|
76
|
+
consent grant, professional SMART token, clinical read, and final cleanup.
|
|
77
|
+
4. [docs/101-LIVE_GW_LOCAL.md](./docs/101-LIVE_GW_LOCAL.md)
|
|
94
78
|
Exact TTY/local/Docker commands for running the SDK against a real local GW
|
|
95
79
|
CORE, including tenant bootstrap and employee-seat setup.
|
|
96
|
-
|
|
80
|
+
5. [docs/101-DISCOVERY.md](./docs/101-DISCOVERY.md)
|
|
97
81
|
Node/BFF dataspace discovery, hosting-operator resolution, provider
|
|
98
82
|
resolution, and the correct integration boundary for fallback and cache.
|
|
99
|
-
|
|
83
|
+
6. [gdc-sdk-core-ts/docs/101-SDK_FLOWS.md](https://github.com/Global-DataCare/gdc-sdk-core-ts/blob/main/docs/101-SDK_FLOWS.md)
|
|
100
84
|
Actor split and business-flow map across organization, individual,
|
|
101
85
|
permissions, invitation, import, and SMART flows.
|
|
102
|
-
|
|
86
|
+
7. [gwtemplate-node-ts/docs/PORTAL_API_TO_GW_CORE.md](https://github.com/Global-DataCare/gwtemplate-node-ts/blob/main/docs/PORTAL_API_TO_GW_CORE.md)
|
|
103
87
|
Canonical portal/BFF functional map over GW CORE, including the domain
|
|
104
88
|
split between `employees`, `related persons`, `members`, and `consents`.
|
|
105
|
-
|
|
89
|
+
8. [gdc-common-utils-ts/src/examples/](https://github.com/Global-DataCare/gdc-common-utils-ts/tree/main/src/examples)
|
|
106
90
|
Shared payload values used by the docs and tests.
|
|
107
|
-
|
|
91
|
+
9. [gdc-common-utils-ts/docs/101-LIFECYCLE.md](https://github.com/Global-DataCare/gdc-common-utils-ts/blob/main/docs/101-LIFECYCLE.md)
|
|
108
92
|
Canonical `enable/disable/delete` semantics and copy/paste placeholders.
|
|
109
|
-
|
|
93
|
+
10. [tests/101-backend-profile-runtime.test.mjs](./tests/101-backend-profile-runtime.test.mjs)
|
|
94
|
+
Technical runtime slice for profile/device/session orchestration internals.
|
|
95
|
+
Read this after the public actor SDK guides, not before them.
|
|
96
|
+
11. [tests/101-individual-controller-backend-runtime.test.mjs](./tests/101-individual-controller-backend-runtime.test.mjs)
|
|
97
|
+
Technical wrapper slice around the generic profile runtime. This is not the
|
|
98
|
+
main onboarding path for new integrators.
|
|
99
|
+
12. [docs/V2_INDIVIDUAL_REGISTRATION_RECONCILIATION.md](./docs/V2_INDIVIDUAL_REGISTRATION_RECONCILIATION.md)
|
|
100
|
+
Historical reconciliation note for the current CORE registration baseline.
|
|
101
|
+
13. [docs/NEXT_STEPS.md](./docs/NEXT_STEPS.md)
|
|
110
102
|
Follow-up scope after GW CORE live validation, including the future user job
|
|
111
103
|
manager boundary.
|
|
112
104
|
|
|
@@ -114,6 +106,9 @@ If you need the shortest path:
|
|
|
114
106
|
|
|
115
107
|
- main onboarding guide:
|
|
116
108
|
[docs/101-SDK_END_TO_END.md](./docs/101-SDK_END_TO_END.md)
|
|
109
|
+
- first public actor surfaces:
|
|
110
|
+
`HostOnboardingSdk`, `OrganizationControllerSdk`,
|
|
111
|
+
`IndividualControllerSdk`, `ProfessionalSdk`
|
|
117
112
|
- GW CORE app identity:
|
|
118
113
|
`appId` mandatory, `appVersion` optional with default `v1.0`
|
|
119
114
|
- backend technical identity:
|
|
@@ -130,7 +125,7 @@ Current live teaching target:
|
|
|
130
125
|
|
|
131
126
|
- the main executable tutorial for integrators is now:
|
|
132
127
|
[tests/101-live-full-cycle-bff-runtime.e2e.test.mjs](tests/101-live-full-cycle-bff-runtime.e2e.test.mjs)
|
|
133
|
-
- the standalone actor-profile suites still exist as focused technical slices:
|
|
128
|
+
- the standalone actor-profile suites still exist only as focused technical slices:
|
|
134
129
|
- [tests/live-profile-runtime-individual.e2e.test.mjs](tests/live-profile-runtime-individual.e2e.test.mjs)
|
|
135
130
|
- [tests/live-profile-runtime-professional.e2e.test.mjs](tests/live-profile-runtime-professional.e2e.test.mjs)
|
|
136
131
|
- the larger runtime suite remains the regression-oriented environment proof:
|
|
@@ -208,7 +203,7 @@ Current live `101` flow covered by the test suite:
|
|
|
208
203
|
Run the main live `101`:
|
|
209
204
|
|
|
210
205
|
```bash
|
|
211
|
-
npm run test:e2e:
|
|
206
|
+
npm run test:e2e:live-full-cycle
|
|
212
207
|
```
|
|
213
208
|
|
|
214
209
|
What is still not fully covered as one single root lifecycle:
|
|
@@ -694,6 +689,9 @@ Existing-tenant recovery/reverification:
|
|
|
694
689
|
or directly `_exchange -> _dcr`
|
|
695
690
|
- for a reproducible local/staging runtime check, use:
|
|
696
691
|
`npm run test:e2e:live-gw:issue-recovery`
|
|
692
|
+
- for the deterministic controller-lifecycle contract that also proves
|
|
693
|
+
post-registration seat preservation and final tenant teardown, use:
|
|
694
|
+
[docs/101-ORGANIZATION_CONTROLLER_LIFECYCLE.md](docs/101-ORGANIZATION_CONTROLLER_LIFECYCLE.md)
|
|
697
695
|
|
|
698
696
|
Rules:
|
|
699
697
|
|
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
import type { IVaultRepository, UserProfileLookupKey } from 'gdc-sdk-core-ts';
|
|
2
|
+
import type { UserProfileIndexRecord } from './UserProfileIndexStore.types.js';
|
|
3
|
+
export type { UserProfileIndexRecord } from './UserProfileIndexStore.types.js';
|
|
4
|
+
/**
|
|
5
|
+
* Node/server persistence adapter for hashed local user-profile indexes.
|
|
6
|
+
*
|
|
7
|
+
* Responsibilities:
|
|
8
|
+
* - store ordered local profile indexes
|
|
9
|
+
* - list stored index documents
|
|
10
|
+
* - resolve one index by hashed lookup key before PIN unlock
|
|
11
|
+
*
|
|
12
|
+
* Non-responsibilities:
|
|
13
|
+
* - hashing raw email/phone input
|
|
14
|
+
* - unlocking profiles with PIN
|
|
15
|
+
* - storing seeds or decrypted private key material
|
|
16
|
+
*/
|
|
17
|
+
export declare class UserProfileIndexStore {
|
|
18
|
+
private readonly vault;
|
|
19
|
+
constructor(vault: IVaultRepository);
|
|
20
|
+
/**
|
|
21
|
+
* Initializes the underlying storage adapter.
|
|
22
|
+
*/
|
|
23
|
+
initialize(): Promise<void>;
|
|
24
|
+
/**
|
|
25
|
+
* Creates or replaces one stored user-profile index record.
|
|
26
|
+
*/
|
|
27
|
+
upsert(record: UserProfileIndexRecord): Promise<UserProfileIndexRecord>;
|
|
28
|
+
/**
|
|
29
|
+
* Returns every stored user-profile index record.
|
|
30
|
+
*/
|
|
31
|
+
list(): Promise<UserProfileIndexRecord[]>;
|
|
32
|
+
/**
|
|
33
|
+
* Returns one stored index by storage id.
|
|
34
|
+
*/
|
|
35
|
+
get(id: string): Promise<UserProfileIndexRecord | undefined>;
|
|
36
|
+
/**
|
|
37
|
+
* Resolves the first stored index that contains the given hashed lookup key.
|
|
38
|
+
*
|
|
39
|
+
* This intentionally compares hashed lookup tokens only. Raw phone/email
|
|
40
|
+
* values are outside this store contract.
|
|
41
|
+
*/
|
|
42
|
+
findByLookup(lookup: UserProfileLookupKey): Promise<UserProfileIndexRecord | undefined>;
|
|
43
|
+
/**
|
|
44
|
+
* Deletes one stored index by storage id.
|
|
45
|
+
*/
|
|
46
|
+
remove(id: string): Promise<boolean>;
|
|
47
|
+
}
|
|
@@ -0,0 +1,66 @@
|
|
|
1
|
+
// Copyright 2026 Antifraud Services Inc. under the Apache License, Version 2.0.
|
|
2
|
+
const COLLECTION = 'user-profile-index';
|
|
3
|
+
/**
|
|
4
|
+
* Node/server persistence adapter for hashed local user-profile indexes.
|
|
5
|
+
*
|
|
6
|
+
* Responsibilities:
|
|
7
|
+
* - store ordered local profile indexes
|
|
8
|
+
* - list stored index documents
|
|
9
|
+
* - resolve one index by hashed lookup key before PIN unlock
|
|
10
|
+
*
|
|
11
|
+
* Non-responsibilities:
|
|
12
|
+
* - hashing raw email/phone input
|
|
13
|
+
* - unlocking profiles with PIN
|
|
14
|
+
* - storing seeds or decrypted private key material
|
|
15
|
+
*/
|
|
16
|
+
export class UserProfileIndexStore {
|
|
17
|
+
constructor(vault) {
|
|
18
|
+
this.vault = vault;
|
|
19
|
+
}
|
|
20
|
+
/**
|
|
21
|
+
* Initializes the underlying storage adapter.
|
|
22
|
+
*/
|
|
23
|
+
async initialize() {
|
|
24
|
+
await this.vault.initialize();
|
|
25
|
+
}
|
|
26
|
+
/**
|
|
27
|
+
* Creates or replaces one stored user-profile index record.
|
|
28
|
+
*/
|
|
29
|
+
async upsert(record) {
|
|
30
|
+
await this.vault.put(COLLECTION, record);
|
|
31
|
+
return record;
|
|
32
|
+
}
|
|
33
|
+
/**
|
|
34
|
+
* Returns every stored user-profile index record.
|
|
35
|
+
*/
|
|
36
|
+
async list() {
|
|
37
|
+
return this.vault.query(COLLECTION, {});
|
|
38
|
+
}
|
|
39
|
+
/**
|
|
40
|
+
* Returns one stored index by storage id.
|
|
41
|
+
*/
|
|
42
|
+
async get(id) {
|
|
43
|
+
return this.vault.get(COLLECTION, id);
|
|
44
|
+
}
|
|
45
|
+
/**
|
|
46
|
+
* Resolves the first stored index that contains the given hashed lookup key.
|
|
47
|
+
*
|
|
48
|
+
* This intentionally compares hashed lookup tokens only. Raw phone/email
|
|
49
|
+
* values are outside this store contract.
|
|
50
|
+
*/
|
|
51
|
+
async findByLookup(lookup) {
|
|
52
|
+
const records = await this.list();
|
|
53
|
+
return records.find((record) => record.lookup.some((item) => lookupEquals(item, lookup)));
|
|
54
|
+
}
|
|
55
|
+
/**
|
|
56
|
+
* Deletes one stored index by storage id.
|
|
57
|
+
*/
|
|
58
|
+
async remove(id) {
|
|
59
|
+
return this.vault.delete(COLLECTION, id);
|
|
60
|
+
}
|
|
61
|
+
}
|
|
62
|
+
function lookupEquals(left, right) {
|
|
63
|
+
return left.kind === right.kind
|
|
64
|
+
&& left.algorithm === right.algorithm
|
|
65
|
+
&& left.value === right.value;
|
|
66
|
+
}
|
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
import type { UserProfileIndex } from 'gdc-sdk-core-ts';
|
|
2
|
+
/**
|
|
3
|
+
* Persisted local user-profile index document for node/server runtimes.
|
|
4
|
+
*
|
|
5
|
+
* The shared `UserProfileIndex` contract from `gdc-sdk-core-ts` is
|
|
6
|
+
* runtime-neutral and intentionally omits any storage identifier. Node
|
|
7
|
+
* runtimes need a stable document id so one logical index record can be
|
|
8
|
+
* replaced atomically in a concrete vault adapter such as Firestore, Redis,
|
|
9
|
+
* SQLite, or an in-memory test vault.
|
|
10
|
+
*/
|
|
11
|
+
export interface UserProfileIndexRecord extends UserProfileIndex {
|
|
12
|
+
/**
|
|
13
|
+
* Stable storage identifier for one local profile-index document.
|
|
14
|
+
*/
|
|
15
|
+
id: string;
|
|
16
|
+
}
|
package/dist/index.d.ts
CHANGED
|
@@ -19,6 +19,10 @@ export * from './order-offer-summary.js';
|
|
|
19
19
|
export * from './organization-license-order.js';
|
|
20
20
|
export * from './resource-operations.js';
|
|
21
21
|
export * from './profile-workspace.js';
|
|
22
|
+
export * from './UserProfileIndexStore.js';
|
|
23
|
+
export * from './wallet-backed-job-manager.js';
|
|
24
|
+
export * from './node-crypto-helper.js';
|
|
25
|
+
export * from './node-managed-wallet.js';
|
|
22
26
|
export * from './constants/lifecycle.js';
|
|
23
27
|
export * from './consent-claim-helpers.js';
|
|
24
28
|
export * from './session.js';
|
package/dist/index.js
CHANGED
|
@@ -20,6 +20,10 @@ export * from './order-offer-summary.js';
|
|
|
20
20
|
export * from './organization-license-order.js';
|
|
21
21
|
export * from './resource-operations.js';
|
|
22
22
|
export * from './profile-workspace.js';
|
|
23
|
+
export * from './UserProfileIndexStore.js';
|
|
24
|
+
export * from './wallet-backed-job-manager.js';
|
|
25
|
+
export * from './node-crypto-helper.js';
|
|
26
|
+
export * from './node-managed-wallet.js';
|
|
23
27
|
export * from './constants/lifecycle.js';
|
|
24
28
|
export * from './consent-claim-helpers.js';
|
|
25
29
|
export * from './session.js';
|
|
@@ -1,6 +1,13 @@
|
|
|
1
1
|
// Copyright 2026 Antifraud Services Inc. under the Apache License, Version 2.0.
|
|
2
2
|
import { resolvePollOptionsFromSeconds } from './poll-options.js';
|
|
3
3
|
export async function confirmIndividualOrganizationOrderWithDeps(deps) {
|
|
4
|
+
/**
|
|
5
|
+
* Programming rule:
|
|
6
|
+
* - `offerId` here must come from the commercial individual/family bootstrap
|
|
7
|
+
* response
|
|
8
|
+
* - this helper must not be used for embedded legacy individual registration
|
|
9
|
+
* responses that do not mint an Offer
|
|
10
|
+
*/
|
|
4
11
|
const offerId = String(deps.input.offerId || '').trim();
|
|
5
12
|
if (!offerId) {
|
|
6
13
|
throw new Error('confirmIndividualOrganizationOrder requires offerId.');
|
package/dist/individual-start.js
CHANGED
|
@@ -64,6 +64,15 @@ export async function startIndividualOrganizationWithDeps(deps) {
|
|
|
64
64
|
});
|
|
65
65
|
const registration = await deps.submitAndPoll(deps.individualFamilyOrganizationBatchPath(deps.routeCtx), deps.individualFamilyOrganizationPollPath(deps.routeCtx), registrationPayload, pollOptions);
|
|
66
66
|
deps.assertFirstDidcommEntrySuccess?.(registration, 'startIndividualOrganization.registration');
|
|
67
|
+
/**
|
|
68
|
+
* Commercial contract for this SDK path:
|
|
69
|
+
* - this helper targets the family/individual commercial bootstrap flow
|
|
70
|
+
* - the registration response must expose one Offer identifier
|
|
71
|
+
* - the caller must later confirm that Offer through `Order/_batch`
|
|
72
|
+
*
|
|
73
|
+
* This helper must therefore fail fast if the underlying GW route behaves
|
|
74
|
+
* like the embedded non-commercial individual registration flow instead.
|
|
75
|
+
*/
|
|
67
76
|
const offerId = deps.getOfferIdFromResponse(registration);
|
|
68
77
|
if (!offerId) {
|
|
69
78
|
throw new Error('startIndividualOrganization failed: missing offerId in registration response.');
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
import type { ICryptoHelper } from 'gdc-common-utils-ts/interfaces/ICryptoHelper';
|
|
2
|
+
/**
|
|
3
|
+
* Node.js implementation of the low-level crypto helper contract used by
|
|
4
|
+
* `CryptographyService` and managed wallet adapters.
|
|
5
|
+
*/
|
|
6
|
+
export declare class NodeCryptoHelper implements ICryptoHelper {
|
|
7
|
+
/**
|
|
8
|
+
* Returns cryptographically secure random bytes from the Node runtime.
|
|
9
|
+
*/
|
|
10
|
+
getRandomBytes(byteCount: number): Promise<Uint8Array>;
|
|
11
|
+
/**
|
|
12
|
+
* Computes a digest for the provided string using one Node-supported hash algorithm.
|
|
13
|
+
*/
|
|
14
|
+
digestString(data: string, algorithm: string): Promise<string>;
|
|
15
|
+
/**
|
|
16
|
+
* Returns a cryptographically secure UUID v4 from the Node runtime.
|
|
17
|
+
*/
|
|
18
|
+
randomUUID(): string;
|
|
19
|
+
}
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
// Copyright 2026 Antifraud Services Inc. under the Apache License, Version 2.0.
|
|
2
|
+
import { createHash, randomBytes, randomUUID } from 'crypto';
|
|
3
|
+
/**
|
|
4
|
+
* Node.js implementation of the low-level crypto helper contract used by
|
|
5
|
+
* `CryptographyService` and managed wallet adapters.
|
|
6
|
+
*/
|
|
7
|
+
export class NodeCryptoHelper {
|
|
8
|
+
/**
|
|
9
|
+
* Returns cryptographically secure random bytes from the Node runtime.
|
|
10
|
+
*/
|
|
11
|
+
async getRandomBytes(byteCount) {
|
|
12
|
+
return randomBytes(byteCount);
|
|
13
|
+
}
|
|
14
|
+
/**
|
|
15
|
+
* Computes a digest for the provided string using one Node-supported hash algorithm.
|
|
16
|
+
*/
|
|
17
|
+
async digestString(data, algorithm) {
|
|
18
|
+
const normalized = String(algorithm).replace(/-/g, '').toLowerCase();
|
|
19
|
+
return createHash(normalized).update(data, 'utf8').digest('hex');
|
|
20
|
+
}
|
|
21
|
+
/**
|
|
22
|
+
* Returns a cryptographically secure UUID v4 from the Node runtime.
|
|
23
|
+
*/
|
|
24
|
+
randomUUID() {
|
|
25
|
+
return randomUUID();
|
|
26
|
+
}
|
|
27
|
+
}
|
|
@@ -0,0 +1,154 @@
|
|
|
1
|
+
import { CryptographyService } from 'gdc-common-utils-ts/CryptographyService';
|
|
2
|
+
import type { ICryptoHelper } from 'gdc-common-utils-ts/interfaces/ICryptoHelper';
|
|
3
|
+
import type { IWallet, WalletAlgorithm, WalletCompactJweRequest, WalletCompactJwsRequest, WalletDetachedJwsRequest, WalletExecutionContext, WalletKeyDescriptor, WalletKeyPurpose, WalletKeySelection, WalletPackOptions, WalletProvisionRequest, WalletUnpackOptions } from 'gdc-sdk-core-ts';
|
|
4
|
+
import type { JWK, JwkSet } from 'gdc-common-utils-ts/models/jwk';
|
|
5
|
+
export type NodeManagedWalletPolicy = {
|
|
6
|
+
defaults: Partial<Record<WalletKeyPurpose, WalletAlgorithm>>;
|
|
7
|
+
};
|
|
8
|
+
export type NodeManagedWalletOptions = {
|
|
9
|
+
cryptoHelper?: ICryptoHelper;
|
|
10
|
+
cryptography?: CryptographyService;
|
|
11
|
+
resolveRecipientJwk?: (recipientDid: string) => Promise<JWK>;
|
|
12
|
+
policy?: Partial<NodeManagedWalletPolicy>;
|
|
13
|
+
};
|
|
14
|
+
/**
|
|
15
|
+
* Node-focused managed wallet implementation for BFF, portal, and backend flows.
|
|
16
|
+
*
|
|
17
|
+
* This adapter keeps actor/profile keys separate from runtime/channel keys and
|
|
18
|
+
* exposes one shared `IWallet` contract suitable for:
|
|
19
|
+
* - user/domain signing
|
|
20
|
+
* - OpenID/JWT signing
|
|
21
|
+
* - DIDComm-style transport wrapping
|
|
22
|
+
* - confidential document protection
|
|
23
|
+
*/
|
|
24
|
+
export declare class NodeManagedWallet implements IWallet {
|
|
25
|
+
private readonly cryptoHelper;
|
|
26
|
+
private readonly cryptography;
|
|
27
|
+
private readonly resolveRecipientJwk?;
|
|
28
|
+
private readonly policy;
|
|
29
|
+
private readonly owners;
|
|
30
|
+
/**
|
|
31
|
+
* Creates one managed wallet backed by `CryptographyService` and Node crypto.
|
|
32
|
+
*/
|
|
33
|
+
constructor(options?: NodeManagedWalletOptions);
|
|
34
|
+
/**
|
|
35
|
+
* Legacy provisioning shape kept for app compatibility.
|
|
36
|
+
*
|
|
37
|
+
* It provisions one profile-owned signing key, one runtime communication
|
|
38
|
+
* signing key, and one runtime communication encryption key while returning
|
|
39
|
+
* the signing/encryption public keys expected by older app-facing flows.
|
|
40
|
+
*/
|
|
41
|
+
provisionKeys(entityId: string): Promise<JwkSet>;
|
|
42
|
+
/**
|
|
43
|
+
* Rich provisioning shape for actor/profile keys and runtime/channel keys.
|
|
44
|
+
*/
|
|
45
|
+
provisionManagedKeys(context: WalletExecutionContext, request: WalletProvisionRequest): Promise<JwkSet>;
|
|
46
|
+
/**
|
|
47
|
+
* Returns the currently available public JWKs for the selected context and filter.
|
|
48
|
+
*/
|
|
49
|
+
getPublicJwks(context?: WalletExecutionContext, filter?: WalletKeySelection): Promise<WalletKeyDescriptor[]>;
|
|
50
|
+
/**
|
|
51
|
+
* Computes a digest of a string using the configured runtime helper.
|
|
52
|
+
*/
|
|
53
|
+
digest(data: string, algorithm: string): Promise<string>;
|
|
54
|
+
/**
|
|
55
|
+
* Protects one confidential document using one owner-specific symmetric storage key.
|
|
56
|
+
*/
|
|
57
|
+
protectConfidentialData(doc: any, entityId: string): Promise<any>;
|
|
58
|
+
/**
|
|
59
|
+
* Protects one confidential document using the richer execution-context model.
|
|
60
|
+
*/
|
|
61
|
+
protectManagedConfidentialData(doc: any, context: WalletExecutionContext, _options?: {
|
|
62
|
+
key?: WalletKeySelection;
|
|
63
|
+
}): Promise<any>;
|
|
64
|
+
/**
|
|
65
|
+
* Decrypts one confidential document using the legacy entity id shape.
|
|
66
|
+
*/
|
|
67
|
+
unprotectConfidentialData(doc: any, entityId: string): Promise<any>;
|
|
68
|
+
/**
|
|
69
|
+
* Decrypts one confidential document using the richer execution-context model.
|
|
70
|
+
*/
|
|
71
|
+
unprotectManagedConfidentialData(doc: any, context: WalletExecutionContext, _options?: {
|
|
72
|
+
key?: WalletKeySelection;
|
|
73
|
+
}): Promise<any>;
|
|
74
|
+
/**
|
|
75
|
+
* Signs arbitrary bytes or one UTF-8 string using the selected managed key.
|
|
76
|
+
*/
|
|
77
|
+
sign(payload: Uint8Array | string, context: WalletExecutionContext, options: WalletKeySelection): Promise<string>;
|
|
78
|
+
/**
|
|
79
|
+
* Verifies one signature against the provided public JWK.
|
|
80
|
+
*/
|
|
81
|
+
verify(payload: Uint8Array | string, signature: string, jwk: JWK, options?: {
|
|
82
|
+
alg?: WalletAlgorithm;
|
|
83
|
+
}): Promise<boolean>;
|
|
84
|
+
/**
|
|
85
|
+
* Encrypts one payload for the provided recipient public JWK.
|
|
86
|
+
*/
|
|
87
|
+
encrypt(plaintext: Uint8Array | string, recipientJwk: JWK, options?: {
|
|
88
|
+
context?: WalletExecutionContext;
|
|
89
|
+
key?: WalletKeySelection;
|
|
90
|
+
contentType?: string;
|
|
91
|
+
}): Promise<string>;
|
|
92
|
+
/**
|
|
93
|
+
* Decrypts one ciphertext using one selected local encryption key.
|
|
94
|
+
*/
|
|
95
|
+
decrypt(ciphertext: string, context: WalletExecutionContext, options?: {
|
|
96
|
+
key?: WalletKeySelection;
|
|
97
|
+
}): Promise<Uint8Array>;
|
|
98
|
+
/**
|
|
99
|
+
* Builds one compact JWS using one managed signing key.
|
|
100
|
+
*/
|
|
101
|
+
signCompactJws(context: WalletExecutionContext, request: WalletCompactJwsRequest): Promise<string>;
|
|
102
|
+
/**
|
|
103
|
+
* Builds one detached compact JWS using one managed signing key.
|
|
104
|
+
*/
|
|
105
|
+
signDetachedJws(context: WalletExecutionContext, request: WalletDetachedJwsRequest): Promise<string>;
|
|
106
|
+
/**
|
|
107
|
+
* Builds one compact JWE using one selected local ML-KEM key and one recipient public JWK.
|
|
108
|
+
*/
|
|
109
|
+
buildCompactJwe(context: WalletExecutionContext, request: WalletCompactJweRequest): Promise<string>;
|
|
110
|
+
/**
|
|
111
|
+
* Decrypts one compact JWE using one selected local ML-KEM key.
|
|
112
|
+
*/
|
|
113
|
+
decryptCompactJwe(jwe: string, context: WalletExecutionContext, options: {
|
|
114
|
+
key: WalletKeySelection;
|
|
115
|
+
}): Promise<Uint8Array>;
|
|
116
|
+
/**
|
|
117
|
+
* Legacy pack shape retained for app compatibility.
|
|
118
|
+
*/
|
|
119
|
+
packForRecipient(content: any, recipientDid: string): Promise<string>;
|
|
120
|
+
/**
|
|
121
|
+
* Packs one payload into a transport envelope signed and encrypted by the runtime.
|
|
122
|
+
*/
|
|
123
|
+
packForRecipientWithContext(content: any, recipientDidOrJwk: string | JWK, options: WalletPackOptions): Promise<string>;
|
|
124
|
+
/**
|
|
125
|
+
* Legacy unpack shape retained for app compatibility.
|
|
126
|
+
*/
|
|
127
|
+
unpack(packedMessage: string): Promise<{
|
|
128
|
+
content: any;
|
|
129
|
+
meta: any;
|
|
130
|
+
}>;
|
|
131
|
+
/**
|
|
132
|
+
* Unpacks one transport envelope and returns the decoded business payload plus JOSE metadata.
|
|
133
|
+
*/
|
|
134
|
+
unpackWithContext(packedMessage: string, options: WalletUnpackOptions): Promise<{
|
|
135
|
+
content: any;
|
|
136
|
+
meta: any;
|
|
137
|
+
}>;
|
|
138
|
+
private getOrCreateOwnerState;
|
|
139
|
+
private tryGetOwnerState;
|
|
140
|
+
private resolveOwnerId;
|
|
141
|
+
private resolveStorageOwnerId;
|
|
142
|
+
private createManagedKey;
|
|
143
|
+
private createStorageKey;
|
|
144
|
+
private requireStorageKey;
|
|
145
|
+
private requireManagedKey;
|
|
146
|
+
private inferRelevantScopes;
|
|
147
|
+
private matchesSelection;
|
|
148
|
+
private resolveAlgorithmForPurpose;
|
|
149
|
+
private deriveSignerSeed;
|
|
150
|
+
private deriveSeedBytes;
|
|
151
|
+
private deriveDeterministicBlock;
|
|
152
|
+
private resolveNodeDigestForAlgorithm;
|
|
153
|
+
private resolveRecipientPublicJwk;
|
|
154
|
+
}
|