kavachos 0.0.4 → 0.0.6

Files changed (44) hide show
  1. package/dist/a2a/index.d.ts +2340 -0
  2. package/dist/a2a/index.js +821 -0
  3. package/dist/a2a/index.js.map +1 -0
  4. package/dist/agent/index.d.ts +3 -4
  5. package/dist/agent/index.js +4 -3
  6. package/dist/audit/index.d.ts +2 -3
  7. package/dist/audit/index.js +3 -3
  8. package/dist/auth/index.d.ts +490 -93
  9. package/dist/auth/index.js +4 -3
  10. package/dist/{chunk-KL6XW4S4.js → chunk-FKVAXCNJ.js} +2375 -633
  11. package/dist/chunk-FKVAXCNJ.js.map +1 -0
  12. package/dist/{chunk-5DT4DN4Y.js → chunk-IKTOSJ4O.js} +13 -13
  13. package/dist/chunk-IKTOSJ4O.js.map +1 -0
  14. package/dist/{chunk-V66UUIA7.js → chunk-KDL6A76K.js} +93 -4
  15. package/dist/chunk-KDL6A76K.js.map +1 -0
  16. package/dist/chunk-NSBPE2FW.js +15 -0
  17. package/dist/{chunk-PZ5AY32C.js.map → chunk-NSBPE2FW.js.map} +1 -1
  18. package/dist/chunk-NSTER7KE.js +538 -0
  19. package/dist/chunk-NSTER7KE.js.map +1 -0
  20. package/dist/chunk-QCRHJMDX.js +186 -0
  21. package/dist/chunk-QCRHJMDX.js.map +1 -0
  22. package/dist/{chunk-OVGNZ5OX.js → chunk-VHKZARMM.js} +6 -6
  23. package/dist/chunk-VHKZARMM.js.map +1 -0
  24. package/dist/{chunk-SJGSPIAD.js → chunk-Y3OWAJHK.js} +3 -3
  25. package/dist/{chunk-SJGSPIAD.js.map → chunk-Y3OWAJHK.js.map} +1 -1
  26. package/dist/index.d.ts +138 -6
  27. package/dist/index.js +580 -35
  28. package/dist/index.js.map +1 -1
  29. package/dist/mcp/index.d.ts +2 -2
  30. package/dist/mcp/index.js +12 -16
  31. package/dist/mcp/index.js.map +1 -1
  32. package/dist/permission/index.d.ts +3 -4
  33. package/dist/permission/index.js +4 -3
  34. package/dist/{types-Xk83hv4O.d.ts → types-W8X0PXE7.d.ts} +1764 -99
  35. package/dist/vc/index.d.ts +800 -0
  36. package/dist/vc/index.js +5 -0
  37. package/dist/vc/index.js.map +1 -0
  38. package/package.json +17 -1
  39. package/dist/chunk-5DT4DN4Y.js.map +0 -1
  40. package/dist/chunk-KL6XW4S4.js.map +0 -1
  41. package/dist/chunk-OVGNZ5OX.js.map +0 -1
  42. package/dist/chunk-PZ5AY32C.js +0 -9
  43. package/dist/chunk-V66UUIA7.js.map +0 -1
  44. package/dist/{types-mwupB57A.d.ts → types-BuHrZcjE.d.ts} +2 -2
@@ -0,0 +1,538 @@
1
+ import { generateId } from './chunk-QCRHJMDX.js';
2
+ import { importJWK, jwtVerify, errors, compactVerify, SignJWT } from 'jose';
3
+ import { z } from 'zod';
4
+
5
+ var VC_CONTEXT_V2 = "https://www.w3.org/ns/credentials/v2";
6
+ var VC_CONTEXT_V1 = "https://www.w3.org/2018/credentials/v1";
7
+ var VC_TYPE_CREDENTIAL = "VerifiableCredential";
8
+ var VC_TYPE_PRESENTATION = "VerifiablePresentation";
9
+ var KAVACH_AGENT_CREDENTIAL = "KavachAgentCredential";
10
+ var KAVACH_PERMISSION_CREDENTIAL = "KavachPermissionCredential";
11
+ var KAVACH_DELEGATION_CREDENTIAL = "KavachDelegationCredential";
12
+ var ProofSchema = z.object({
13
+ type: z.enum(["Ed25519Signature2020", "JsonWebSignature2020"]),
14
+ created: z.string(),
15
+ verificationMethod: z.string(),
16
+ proofPurpose: z.enum(["assertionMethod", "authentication"]),
17
+ proofValue: z.string().optional(),
18
+ jws: z.string().optional()
19
+ });
20
+ var CredentialStatusSchema = z.object({
21
+ id: z.string(),
22
+ type: z.string(),
23
+ statusPurpose: z.enum(["revocation", "suspension"]),
24
+ statusListIndex: z.number().int().nonnegative(),
25
+ statusListCredential: z.string()
26
+ });
27
+ var CredentialSubjectSchema = z.object({
28
+ id: z.string().optional(),
29
+ agentId: z.string().optional(),
30
+ permissions: z.array(z.string()).optional(),
31
+ trustLevel: z.number().min(0).max(1).optional(),
32
+ delegationScope: z.array(z.string()).optional(),
33
+ delegationChain: z.array(
34
+ z.object({
35
+ delegator: z.string(),
36
+ delegatee: z.string(),
37
+ permissions: z.array(z.string()),
38
+ createdAt: z.string()
39
+ })
40
+ ).optional(),
41
+ name: z.string().optional(),
42
+ type: z.string().optional()
43
+ });
44
+ var VerifiableCredentialSchema = z.object({
45
+ "@context": z.array(z.string()).min(1),
46
+ id: z.string().optional(),
47
+ type: z.array(z.string()).min(1),
48
+ issuer: z.union([z.string(), z.object({ id: z.string(), name: z.string().optional() })]),
49
+ issuanceDate: z.string(),
50
+ expirationDate: z.string().optional(),
51
+ credentialSubject: CredentialSubjectSchema,
52
+ credentialStatus: CredentialStatusSchema.optional(),
53
+ proof: ProofSchema.optional()
54
+ });
55
+ var VerifiablePresentationSchema = z.object({
56
+ "@context": z.array(z.string()).min(1),
57
+ id: z.string().optional(),
58
+ type: z.array(z.string()).min(1),
59
+ holder: z.string().optional(),
60
+ verifiableCredential: z.array(VerifiableCredentialSchema).min(1),
61
+ proof: ProofSchema.optional()
62
+ });
63
+
64
+ // src/vc/issuer.ts
65
+ var DEFAULT_TTL_SECONDS = 86400;
66
+ function makeError(code, message, details) {
67
+ return { code, message, ...{} };
68
+ }
69
+ function nowISO() {
70
+ return (/* @__PURE__ */ new Date()).toISOString();
71
+ }
72
+ function futureISO(seconds) {
73
+ return new Date(Date.now() + seconds * 1e3).toISOString();
74
+ }
75
+ function createVCIssuer(config) {
76
+ const { issuerDid, privateKeyJwk, defaultTtl = DEFAULT_TTL_SECONDS } = config;
77
+ const kid = `${issuerDid}#${issuerDid.split(":").pop() ?? "key-1"}`;
78
+ async function signAsJwt(credential, subject, ttl) {
79
+ try {
80
+ const key = await importJWK(privateKeyJwk, "EdDSA");
81
+ const { proof: _proof, ...vcWithoutProof } = credential;
82
+ const builder = new SignJWT({
83
+ vc: vcWithoutProof
84
+ }).setProtectedHeader({ alg: "EdDSA", kid, typ: "JWT" }).setIssuer(issuerDid).setIssuedAt().setExpirationTime(Math.floor(Date.now() / 1e3) + ttl);
85
+ if (credential.id) {
86
+ builder.setJti(credential.id);
87
+ }
88
+ if (subject) {
89
+ builder.setSubject(subject);
90
+ }
91
+ const jwt = await builder.sign(key);
92
+ return { success: true, data: { credential, jwt } };
93
+ } catch (err) {
94
+ return {
95
+ success: false,
96
+ error: makeError(
97
+ "VC_SIGN_FAILED",
98
+ err instanceof Error ? err.message : "Failed to sign credential as JWT"
99
+ )
100
+ };
101
+ }
102
+ }
103
+ async function signAsJsonLd(credential) {
104
+ try {
105
+ const key = await importJWK(privateKeyJwk, "EdDSA");
106
+ const { proof: _proof, ...vcWithoutProof } = credential;
107
+ const payload = new TextEncoder().encode(JSON.stringify(vcWithoutProof));
108
+ const { CompactSign } = await import('jose');
109
+ const jws = await new CompactSign(payload).setProtectedHeader({ alg: "EdDSA", kid }).sign(key);
110
+ const proof = {
111
+ type: "JsonWebSignature2020",
112
+ created: nowISO(),
113
+ verificationMethod: kid,
114
+ proofPurpose: "assertionMethod",
115
+ jws
116
+ };
117
+ const signedCredential = {
118
+ ...credential,
119
+ proof
120
+ };
121
+ return { success: true, data: { credential: signedCredential } };
122
+ } catch (err) {
123
+ return {
124
+ success: false,
125
+ error: makeError(
126
+ "VC_SIGN_FAILED",
127
+ err instanceof Error ? err.message : "Failed to sign credential as JSON-LD"
128
+ )
129
+ };
130
+ }
131
+ }
132
+ function buildCredential(types, subject, ttl, expirationDate) {
133
+ return {
134
+ "@context": [VC_CONTEXT_V2],
135
+ id: `urn:uuid:${generateId()}`,
136
+ type: [VC_TYPE_CREDENTIAL, ...types],
137
+ issuer: issuerDid,
138
+ issuanceDate: nowISO(),
139
+ expirationDate: futureISO(ttl),
140
+ credentialSubject: subject
141
+ };
142
+ }
143
+ async function signCredential(credential, subject, ttl, format) {
144
+ if (format === "jwt") {
145
+ return signAsJwt(credential, subject, ttl);
146
+ }
147
+ return signAsJsonLd(credential);
148
+ }
149
+ async function issueAgentCredential(input) {
150
+ const {
151
+ agentId,
152
+ name,
153
+ agentType,
154
+ permissions,
155
+ trustLevel,
156
+ ttl = defaultTtl,
157
+ format = "jwt"
158
+ } = input;
159
+ if (!agentId) {
160
+ return {
161
+ success: false,
162
+ error: makeError("VC_INVALID_INPUT", "agentId is required")
163
+ };
164
+ }
165
+ if (trustLevel !== void 0 && (trustLevel < 0 || trustLevel > 1)) {
166
+ return {
167
+ success: false,
168
+ error: makeError("VC_INVALID_INPUT", "trustLevel must be between 0 and 1")
169
+ };
170
+ }
171
+ const subject = {
172
+ id: agentId,
173
+ agentId,
174
+ ...name !== void 0 ? { name } : {},
175
+ ...agentType !== void 0 ? { type: agentType } : {},
176
+ ...permissions !== void 0 ? { permissions } : {},
177
+ ...trustLevel !== void 0 ? { trustLevel } : {}
178
+ };
179
+ const credential = buildCredential([KAVACH_AGENT_CREDENTIAL], subject, ttl);
180
+ return signCredential(credential, agentId, ttl, format);
181
+ }
182
+ async function issuePermissionCredential(input) {
183
+ const { agentId, permissions, ttl = defaultTtl, format = "jwt" } = input;
184
+ if (!agentId) {
185
+ return {
186
+ success: false,
187
+ error: makeError("VC_INVALID_INPUT", "agentId is required")
188
+ };
189
+ }
190
+ if (!permissions || permissions.length === 0) {
191
+ return {
192
+ success: false,
193
+ error: makeError("VC_INVALID_INPUT", "At least one permission is required")
194
+ };
195
+ }
196
+ const subject = {
197
+ id: agentId,
198
+ agentId,
199
+ permissions
200
+ };
201
+ const credential = buildCredential([KAVACH_PERMISSION_CREDENTIAL], subject, ttl);
202
+ return signCredential(credential, agentId, ttl, format);
203
+ }
204
+ async function issueDelegationCredential(input) {
205
+ const { agentId, chain, delegationScope, ttl = defaultTtl, format = "jwt" } = input;
206
+ if (!agentId) {
207
+ return {
208
+ success: false,
209
+ error: makeError("VC_INVALID_INPUT", "agentId is required")
210
+ };
211
+ }
212
+ if (!chain || chain.length === 0) {
213
+ return {
214
+ success: false,
215
+ error: makeError("VC_INVALID_INPUT", "Delegation chain must have at least one link")
216
+ };
217
+ }
218
+ const subject = {
219
+ id: agentId,
220
+ agentId,
221
+ delegationChain: chain,
222
+ ...delegationScope !== void 0 ? { delegationScope } : {}
223
+ };
224
+ const credential = buildCredential([KAVACH_DELEGATION_CREDENTIAL], subject, ttl);
225
+ return signCredential(credential, agentId, ttl, format);
226
+ }
227
+ return {
228
+ issueAgentCredential,
229
+ issuePermissionCredential,
230
+ issueDelegationCredential,
231
+ issuerDid
232
+ };
233
+ }
234
+ function makeError2(code, message, details) {
235
+ return { code, message, ...details !== void 0 ? { details } : {} };
236
+ }
237
+ function getIssuerString(issuer) {
238
+ if (typeof issuer === "string") return issuer;
239
+ return issuer.id;
240
+ }
241
+ function createVCVerifier(config = {}) {
242
+ const { resolveDidKey, checkRevocationStatus } = config;
243
+ async function resolveKey(did, providedKey) {
244
+ if (providedKey) {
245
+ return { success: true, data: providedKey };
246
+ }
247
+ if (resolveDidKey) {
248
+ const resolved = await resolveDidKey(did);
249
+ if (resolved) {
250
+ return { success: true, data: resolved };
251
+ }
252
+ }
253
+ return {
254
+ success: false,
255
+ error: makeError2("VC_KEY_NOT_FOUND", `Could not resolve public key for DID: ${did}`)
256
+ };
257
+ }
258
+ async function verifyJwtCredential(jwt, providedKey) {
259
+ try {
260
+ const parts = jwt.split(".");
261
+ if (parts.length !== 3) {
262
+ return {
263
+ success: false,
264
+ error: makeError2("VC_INVALID_JWT", "JWT must have three parts")
265
+ };
266
+ }
267
+ const payloadB64 = parts[1];
268
+ if (!payloadB64) {
269
+ return {
270
+ success: false,
271
+ error: makeError2("VC_INVALID_JWT", "JWT payload is missing")
272
+ };
273
+ }
274
+ const rawPayload = JSON.parse(
275
+ new TextDecoder().decode(
276
+ Uint8Array.from(
277
+ atob(payloadB64.replace(/-/g, "+").replace(/_/g, "/")),
278
+ (c) => c.charCodeAt(0)
279
+ )
280
+ )
281
+ );
282
+ const issuerDid = typeof rawPayload.iss === "string" ? rawPayload.iss : null;
283
+ if (!issuerDid) {
284
+ return {
285
+ success: false,
286
+ error: makeError2("VC_NO_ISSUER", "JWT has no iss claim")
287
+ };
288
+ }
289
+ const keyResult = await resolveKey(issuerDid, providedKey);
290
+ if (!keyResult.success) return keyResult;
291
+ const publicKey = await importJWK(keyResult.data, "EdDSA");
292
+ const { payload } = await jwtVerify(jwt, publicKey);
293
+ const vcClaim = payload.vc;
294
+ if (!vcClaim) {
295
+ return {
296
+ success: false,
297
+ error: makeError2("VC_MISSING_VC_CLAIM", "JWT does not contain a vc claim")
298
+ };
299
+ }
300
+ const credential = {
301
+ ...vcClaim,
302
+ issuer: issuerDid
303
+ };
304
+ const parsed = VerifiableCredentialSchema.safeParse(credential);
305
+ if (!parsed.success) {
306
+ return {
307
+ success: false,
308
+ error: makeError2("VC_INVALID_CREDENTIAL", "Credential does not match W3C schema", {
309
+ issues: parsed.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`)
310
+ })
311
+ };
312
+ }
313
+ if (payload.exp && payload.exp < Math.floor(Date.now() / 1e3)) {
314
+ return {
315
+ success: false,
316
+ error: makeError2("VC_EXPIRED", "Credential has expired")
317
+ };
318
+ }
319
+ if (parsed.data.credentialStatus && checkRevocationStatus) {
320
+ const revoked = await checkRevocationStatus(parsed.data.credentialStatus);
321
+ if (revoked) {
322
+ return {
323
+ success: false,
324
+ error: makeError2("VC_REVOKED", "Credential has been revoked")
325
+ };
326
+ }
327
+ }
328
+ return {
329
+ success: true,
330
+ data: {
331
+ credential: parsed.data,
332
+ format: "jwt",
333
+ issuer: issuerDid,
334
+ issuedAt: new Date((payload.iat ?? 0) * 1e3),
335
+ expiresAt: payload.exp ? new Date(payload.exp * 1e3) : null
336
+ }
337
+ };
338
+ } catch (err) {
339
+ if (err instanceof errors.JWTExpired) {
340
+ return {
341
+ success: false,
342
+ error: makeError2("VC_EXPIRED", "Credential has expired")
343
+ };
344
+ }
345
+ return {
346
+ success: false,
347
+ error: makeError2(
348
+ "VC_VERIFY_FAILED",
349
+ err instanceof Error ? err.message : "Failed to verify JWT credential"
350
+ )
351
+ };
352
+ }
353
+ }
354
+ async function verifyJsonLdCredential(vc, providedKey) {
355
+ const parsed = VerifiableCredentialSchema.safeParse(vc);
356
+ if (!parsed.success) {
357
+ return {
358
+ success: false,
359
+ error: makeError2("VC_INVALID_CREDENTIAL", "Credential does not match W3C schema", {
360
+ issues: parsed.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`)
361
+ })
362
+ };
363
+ }
364
+ const credential = parsed.data;
365
+ if (!credential.proof) {
366
+ return {
367
+ success: false,
368
+ error: makeError2("VC_NO_PROOF", "JSON-LD credential has no embedded proof")
369
+ };
370
+ }
371
+ if (!credential.proof.jws) {
372
+ return {
373
+ success: false,
374
+ error: makeError2("VC_NO_JWS", "Proof does not contain a JWS value")
375
+ };
376
+ }
377
+ const issuerDid = getIssuerString(credential.issuer);
378
+ const keyResult = await resolveKey(issuerDid, providedKey);
379
+ if (!keyResult.success) return keyResult;
380
+ try {
381
+ const publicKey = await importJWK(keyResult.data, "EdDSA");
382
+ const { payload } = await compactVerify(credential.proof.jws, publicKey);
383
+ const { proof: _proof, ...vcWithoutProof } = credential;
384
+ const signedContent = new TextDecoder().decode(payload);
385
+ const currentContent = JSON.stringify(vcWithoutProof);
386
+ if (signedContent !== currentContent) {
387
+ return {
388
+ success: false,
389
+ error: makeError2("VC_TAMPERED", "Credential content does not match the signed payload")
390
+ };
391
+ }
392
+ if (credential.expirationDate) {
393
+ const expiry = new Date(credential.expirationDate);
394
+ if (expiry <= /* @__PURE__ */ new Date()) {
395
+ return {
396
+ success: false,
397
+ error: makeError2("VC_EXPIRED", "Credential has expired")
398
+ };
399
+ }
400
+ }
401
+ if (credential.credentialStatus && checkRevocationStatus) {
402
+ const revoked = await checkRevocationStatus(credential.credentialStatus);
403
+ if (revoked) {
404
+ return {
405
+ success: false,
406
+ error: makeError2("VC_REVOKED", "Credential has been revoked")
407
+ };
408
+ }
409
+ }
410
+ return {
411
+ success: true,
412
+ data: {
413
+ credential,
414
+ format: "json-ld",
415
+ issuer: issuerDid,
416
+ issuedAt: new Date(credential.issuanceDate),
417
+ expiresAt: credential.expirationDate ? new Date(credential.expirationDate) : null
418
+ }
419
+ };
420
+ } catch (err) {
421
+ return {
422
+ success: false,
423
+ error: makeError2(
424
+ "VC_VERIFY_FAILED",
425
+ err instanceof Error ? err.message : "Failed to verify JSON-LD credential"
426
+ )
427
+ };
428
+ }
429
+ }
430
+ async function verifyCredential(vc, publicKeyJwk) {
431
+ if (typeof vc === "string") {
432
+ return verifyJwtCredential(vc, publicKeyJwk);
433
+ }
434
+ return verifyJsonLdCredential(vc, publicKeyJwk);
435
+ }
436
+ async function verifyPresentation(vp, publicKeyJwk) {
437
+ let presentation;
438
+ if (typeof vp === "string") {
439
+ try {
440
+ const parts = vp.split(".");
441
+ if (parts.length !== 3 || !parts[1]) {
442
+ return {
443
+ success: false,
444
+ error: makeError2("VC_INVALID_JWT", "Presentation JWT must have three parts")
445
+ };
446
+ }
447
+ const payloadB64 = parts[1];
448
+ const rawPayload = JSON.parse(
449
+ new TextDecoder().decode(
450
+ Uint8Array.from(
451
+ atob(payloadB64.replace(/-/g, "+").replace(/_/g, "/")),
452
+ (c) => c.charCodeAt(0)
453
+ )
454
+ )
455
+ );
456
+ const issuerDid = typeof rawPayload.iss === "string" ? rawPayload.iss : null;
457
+ if (!issuerDid) {
458
+ return {
459
+ success: false,
460
+ error: makeError2("VC_NO_ISSUER", "Presentation JWT has no iss claim")
461
+ };
462
+ }
463
+ const keyResult = await resolveKey(issuerDid, publicKeyJwk);
464
+ if (!keyResult.success) return keyResult;
465
+ const publicKey = await importJWK(keyResult.data, "EdDSA");
466
+ const { payload } = await jwtVerify(vp, publicKey);
467
+ const vpClaim = payload.vp;
468
+ if (!vpClaim) {
469
+ return {
470
+ success: false,
471
+ error: makeError2("VC_MISSING_VP_CLAIM", "JWT does not contain a vp claim")
472
+ };
473
+ }
474
+ presentation = vpClaim;
475
+ } catch (err) {
476
+ return {
477
+ success: false,
478
+ error: makeError2(
479
+ "VC_VERIFY_FAILED",
480
+ err instanceof Error ? err.message : "Failed to verify presentation JWT"
481
+ )
482
+ };
483
+ }
484
+ } else {
485
+ presentation = vp;
486
+ }
487
+ const parsed = VerifiablePresentationSchema.safeParse(presentation);
488
+ if (!parsed.success) {
489
+ return {
490
+ success: false,
491
+ error: makeError2("VC_INVALID_PRESENTATION", "Presentation does not match W3C schema", {
492
+ issues: parsed.error.issues.map((i) => `${i.path.join(".")}: ${i.message}`)
493
+ })
494
+ };
495
+ }
496
+ const verifiedCredentials = [];
497
+ for (const vc of parsed.data.verifiableCredential) {
498
+ const result = await verifyCredential(vc, publicKeyJwk);
499
+ if (!result.success) {
500
+ return {
501
+ success: false,
502
+ error: makeError2(
503
+ "VC_PRESENTATION_CREDENTIAL_INVALID",
504
+ `Failed to verify credential in presentation: ${result.error.message}`,
505
+ { originalError: result.error }
506
+ )
507
+ };
508
+ }
509
+ verifiedCredentials.push(result.data);
510
+ }
511
+ return {
512
+ success: true,
513
+ data: {
514
+ presentation: parsed.data,
515
+ credentials: verifiedCredentials,
516
+ holder: parsed.data.holder ?? null
517
+ }
518
+ };
519
+ }
520
+ function extractPermissions(vc) {
521
+ const subject = vc.credentialSubject;
522
+ return {
523
+ agentId: subject.agentId ?? subject.id ?? null,
524
+ permissions: subject.permissions ?? [],
525
+ trustLevel: subject.trustLevel ?? null,
526
+ delegationScope: subject.delegationScope ?? []
527
+ };
528
+ }
529
+ return {
530
+ verifyCredential,
531
+ verifyPresentation,
532
+ extractPermissions
533
+ };
534
+ }
535
+
536
+ export { CredentialStatusSchema, CredentialSubjectSchema, KAVACH_AGENT_CREDENTIAL, KAVACH_DELEGATION_CREDENTIAL, KAVACH_PERMISSION_CREDENTIAL, ProofSchema, VC_CONTEXT_V1, VC_CONTEXT_V2, VC_TYPE_CREDENTIAL, VC_TYPE_PRESENTATION, VerifiableCredentialSchema, VerifiablePresentationSchema, createVCIssuer, createVCVerifier };
537
+ //# sourceMappingURL=chunk-NSTER7KE.js.map
538
+ //# sourceMappingURL=chunk-NSTER7KE.js.map
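Review bot: In `verifyPresentation`, an object-form presentation takes the `else { presentation = vp; }` branch and is only schema-checked: `proof` is optional in `VerifiablePresentationSchema` and is never verified, so the returned `holder` is whatever the presenter wrote, and neither branch compares `holder` with the JWT `iss` or with any `credentialSubject.id`. The same `publicKeyJwk` is then passed to `verifyCredential` for every embedded credential, and `resolveKey` returns a provided key before it consults `resolveDidKey`, so a key supplied for the presentation also decides whether each credential's self-declared `issuer` is accepted. I would resolve embedded credentials by their own issuer, e.g. `const result = await verifyCredential(vc, resolveDidKey ? undefined : publicKeyJwk);`, and return an error for object-form presentations that carry no verifiable proof instead of `success: true`. Separately, `verifyJwtCredential` and `verifyJsonLdCredential` both skip the revocation check when `credentialStatus` is present but `checkRevocationStatus` is not configured (`if (... && checkRevocationStatus)`), which fails open; returning an error in that case would be the safer default.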
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/vc/types.ts","../src/vc/issuer.ts","../src/vc/verifier.ts"],"names":["makeError","importJWK","joseErrors"],"mappings":";;;;AAaO,IAAM,aAAA,GAAgB;AACtB,IAAM,aAAA,GAAgB;AACtB,IAAM,kBAAA,GAAqB;AAC3B,IAAM,oBAAA,GAAuB;AAG7B,IAAM,uBAAA,GAA0B;AAChC,IAAM,4BAAA,GAA+B;AACrC,IAAM,4BAAA,GAA+B;AAIrC,IAAM,WAAA,GAAc,EAAE,MAAA,CAAO;AAAA,EACnC,MAAM,CAAA,CAAE,IAAA,CAAK,CAAC,sBAAA,EAAwB,sBAAsB,CAAC,CAAA;AAAA,EAC7D,OAAA,EAAS,EAAE,MAAA,EAAO;AAAA,EAClB,kBAAA,EAAoB,EAAE,MAAA,EAAO;AAAA,EAC7B,cAAc,CAAA,CAAE,IAAA,CAAK,CAAC,iBAAA,EAAmB,gBAAgB,CAAC,CAAA;AAAA,EAC1D,UAAA,EAAY,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAChC,GAAA,EAAK,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA;AACjB,CAAC;AAMM,IAAM,sBAAA,GAAyB,EAAE,MAAA,CAAO;AAAA,EAC9C,EAAA,EAAI,EAAE,MAAA,EAAO;AAAA,EACb,IAAA,EAAM,EAAE,MAAA,EAAO;AAAA,EACf,eAAe,CAAA,CAAE,IAAA,CAAK,CAAC,YAAA,EAAc,YAAY,CAAC,CAAA;AAAA,EAClD,iBAAiB,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA,GAAM,WAAA,EAAY;AAAA,EAC9C,oBAAA,EAAsB,EAAE,MAAA;AACzB,CAAC;AAMM,IAAM,uBAAA,GAA0B,EAAE,MAAA,CAAO;AAAA,EAC/C,EAAA,EAAI,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACxB,OAAA,EAAS,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC7B,aAAa,CAAA,CAAE,KAAA,CAAM,EAAE,MAAA,EAAQ,EAAE,QAAA,EAAS;AAAA,EAC1C,UAAA,EAAY,CAAA,CAAE,MAAA,EAAO,CAAE,GAAA,CAAI,CAAC,CAAA,CAAE,GAAA,CAAI,CAAC,CAAA,CAAE,QAAA,EAAS;AAAA,EAC9C,iBAAiB,CAAA,CAAE,KAAA,CAAM,EAAE,MAAA,EAAQ,EAAE,QAAA,EAAS;AAAA,EAC9C,iBAAiB,CAAA,CACf,KAAA;AAAA,IACA,EAAE,MAAA,CAAO;AAAA,MACR,SAAA,EAAW,EAAE,MAAA,EAAO;AAAA,MACpB,SAAA,EAAW,EAAE,MAAA,EAAO;AAAA,MACpB,WAAA,EAAa,CAAA,CAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA;AAAA,MAC/B,SAAA,EAAW,EAAE,MAAA;AAAO,KACpB;AAAA,IAED,QAAA,EAAS;AAAA,EACX,IAAA,EAAM,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC1B,IAAA,EAAM,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA;AAClB,CAAC;AAMM,IAAM,0BAAA,GAA6B,EAAE,MAAA,CAAO;AAAA,EAClD,UAAA,EAAY,EAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EACrC,EAAA,EAAI,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACxB,IAAA,EAAM,EAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EAC/B,MAAA,EAAQ,EAAE,KAAA,CAA
M,CAAC,EAAE,MAAA,EAAO,EAAG,CAAA,CAAE,MAAA,CAAO,EAAE,EAAA,EAAI,EAAE,MAAA,EAAO,EAAG,MAAM,CAAA,CAAE,MAAA,GAAS,QAAA,EAAS,EAAG,CAAC,CAAC,CAAA;AAAA,EACvF,YAAA,EAAc,EAAE,MAAA,EAAO;AAAA,EACvB,cAAA,EAAgB,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACpC,iBAAA,EAAmB,uBAAA;AAAA,EACnB,gBAAA,EAAkB,uBAAuB,QAAA,EAAS;AAAA,EAClD,KAAA,EAAO,YAAY,QAAA;AACpB,CAAC;AAMM,IAAM,4BAAA,GAA+B,EAAE,MAAA,CAAO;AAAA,EACpD,UAAA,EAAY,EAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EACrC,EAAA,EAAI,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EACxB,IAAA,EAAM,EAAE,KAAA,CAAM,CAAA,CAAE,QAAQ,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EAC/B,MAAA,EAAQ,CAAA,CAAE,MAAA,EAAO,CAAE,QAAA,EAAS;AAAA,EAC5B,sBAAsB,CAAA,CAAE,KAAA,CAAM,0BAA0B,CAAA,CAAE,IAAI,CAAC,CAAA;AAAA,EAC/D,KAAA,EAAO,YAAY,QAAA;AACpB,CAAC;;;ACpED,IAAM,mBAAA,GAAsB,KAAA;AAI5B,SAAS,SAAA,CAAU,IAAA,EAAc,OAAA,EAAiB,OAAA,EAAgD;AACjG,EAAA,OAAO,EAAE,IAAA,EAAM,OAAA,EAAS,GAA0C,EAAC,EAAG;AACvE;AAEA,SAAS,MAAA,GAAiB;AACzB,EAAA,OAAA,iBAAO,IAAI,IAAA,EAAK,EAAE,WAAA,EAAY;AAC/B;AAEA,SAAS,UAAU,OAAA,EAAyB;AAC3C,EAAA,OAAO,IAAI,KAAK,IAAA,CAAK,GAAA,KAAQ,OAAA,GAAU,GAAI,EAAE,WAAA,EAAY;AAC1D;AAoFO,SAAS,eAAe,MAAA,EAAkC;AAChE,EAAA,MAAM,EAAE,SAAA,EAAW,aAAA,EAAe,UAAA,GAAa,qBAAoB,GAAI,MAAA;AAEvE,EAAA,MAAM,GAAA,GAAM,CAAA,EAAG,SAAS,CAAA,CAAA,EAAI,SAAA,CAAU,MAAM,GAAG,CAAA,CAAE,GAAA,EAAI,IAAK,OAAO,CAAA,CAAA;AAEjE,EAAA,eAAe,SAAA,CACd,UAAA,EACA,OAAA,EACA,GAAA,EACqE;AACrE,IAAA,IAAI;AACH,MAAA,MAAM,GAAA,GAAM,MAAM,SAAA,CAAU,aAAA,EAAe,OAAO,CAAA;AAGlD,MAAA,MAAM,EAAE,KAAA,EAAO,MAAA,EAAQ,GAAG,gBAAe,GAAI,UAAA;AAE7C,MAAA,MAAM,OAAA,GAAU,IAAI,OAAA,CAAQ;AAAA,QAC3B,EAAA,EAAI;AAAA,OACJ,CAAA,CACC,kBAAA,CAAmB,EAAE,GAAA,EAAK,SAAS,GAAA,EAAK,GAAA,EAAK,KAAA,EAAO,CAAA,CACpD,SAAA,CAAU,SAAS,CAAA,CACnB,WAAA,EAAY,CACZ,iBAAA,CAAkB,IAAA,CAAK,KAAA,CAAM,KAAK,GAAA,EAAI,GAAI,GAAI,CAAA,GAAI,GAAG,CAAA;AAEvD,MAAA,IAAI,WAAW,EAAA,EAAI;AAClB,QAAA,OAAA,CAAQ,MAAA,CAAO,WAAW,EAAE,CAAA;AAAA,MAC7B;AACA,MAAA,IAAI,OAAA,EAAS;AACZ,QAAA,OAAA,CAAQ,WAAW,OAAO,CAAA;AAAA,MAC3B;AAEA,MAAA,MAAM,GAAA,GAAM,MAAM,OAAA,CAAQ,IAAA,CAAK,GAAG,CAAA;AAClC,MAAA,OAAO
,EAAE,OAAA,EAAS,IAAA,EAAM,MAAM,EAAE,UAAA,EAAY,KAAI,EAAE;AAAA,IACnD,SAAS,GAAA,EAAK;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA;AAAA,UACN,gBAAA;AAAA,UACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,OACD;AAAA,IACD;AAAA,EACD;AAEA,EAAA,eAAe,aACd,UAAA,EACwD;AACxD,IAAA,IAAI;AACH,MAAA,MAAM,GAAA,GAAM,MAAM,SAAA,CAAU,aAAA,EAAe,OAAO,CAAA;AAGlD,MAAA,MAAM,EAAE,KAAA,EAAO,MAAA,EAAQ,GAAG,gBAAe,GAAI,UAAA;AAC7C,MAAA,MAAM,OAAA,GAAU,IAAI,WAAA,EAAY,CAAE,OAAO,IAAA,CAAK,SAAA,CAAU,cAAc,CAAC,CAAA;AAEvE,MAAA,MAAM,EAAE,WAAA,EAAY,GAAI,MAAM,OAAO,MAAM,CAAA;AAC3C,MAAA,MAAM,GAAA,GAAM,MAAM,IAAI,WAAA,CAAY,OAAO,CAAA,CACvC,kBAAA,CAAmB,EAAE,GAAA,EAAK,OAAA,EAAS,GAAA,EAAK,CAAA,CACxC,KAAK,GAAG,CAAA;AAEV,MAAA,MAAM,KAAA,GAAe;AAAA,QACpB,IAAA,EAAM,sBAAA;AAAA,QACN,SAAS,MAAA,EAAO;AAAA,QAChB,kBAAA,EAAoB,GAAA;AAAA,QACpB,YAAA,EAAc,iBAAA;AAAA,QACd;AAAA,OACD;AAEA,MAAA,MAAM,gBAAA,GAAyC;AAAA,QAC9C,GAAG,UAAA;AAAA,QACH;AAAA,OACD;AAEA,MAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,MAAM,EAAE,UAAA,EAAY,kBAAiB,EAAE;AAAA,IAChE,SAAS,GAAA,EAAK;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA;AAAA,UACN,gBAAA;AAAA,UACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,OACD;AAAA,IACD;AAAA,EACD;AAEA,EAAA,SAAS,eAAA,CACR,KAAA,EACA,OAAA,EACA,GAAA,EACA,cAAA,EACuB;AACvB,IAAA,OAAO;AAAA,MACN,UAAA,EAAY,CAAC,aAAa,CAAA;AAAA,MAC1B,EAAA,EAAI,CAAA,SAAA,EAAY,UAAA,EAAY,CAAA,CAAA;AAAA,MAC5B,IAAA,EAAM,CAAC,kBAAA,EAAoB,GAAG,KAAK,CAAA;AAAA,MACnC,MAAA,EAAQ,SAAA;AAAA,MACR,cAAc,MAAA,EAAO;AAAA,MACrB,cAAA,EAAkC,SAAA,CAAU,GAAG,CAAA;AAAA,MAC/C,iBAAA,EAAmB;AAAA,KACpB;AAAA,EACD;AAEA,EAAA,eAAe,cAAA,CACd,UAAA,EACA,OAAA,EACA,GAAA,EACA,MAAA,EACsE;AACtE,IAAA,IAAI,WAAW,KAAA,EAAO;AACrB,MAAA,OAAO,SAAA,CAAU,UAAA,EAAY,OAAA,EAAS,GAAG,CAAA;AAAA,IAC1C;AACA,IAAA,OAAO,aAAa,UAAU,CAAA;AAAA,EAC/B;AAIA,EAAA,eAAe,qBACd,KAAA,EACsE;AACtE,IAAA,MAAM;AAAA,MACL,OAAA;AAAA,MACA,IAAA;AAAA,MACA,SAAA;AAAA,MACA,WAAA;AAAA,MACA,UAAA;AAAA,MACA,GAAA,GAAM,UAAA;AAAA,MACN,MAAA,GAAS;AAAA,KACV,GAAI,KAAA;AAEJ,IAAA,IAAI,CAAC,OAAA,EAAS;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS
,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,qBAAqB;AAAA,OAC3D;AAAA,IACD;AAEA,IAAA,IAAI,UAAA,KAAe,MAAA,KAAc,UAAA,GAAa,CAAA,IAAK,aAAa,CAAA,CAAA,EAAI;AACnE,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,oCAAoC;AAAA,OAC1E;AAAA,IACD;AAEA,IAAA,MAAM,OAAA,GAA6B;AAAA,MAClC,EAAA,EAAI,OAAA;AAAA,MACJ,OAAA;AAAA,MACA,GAAI,IAAA,KAAS,MAAA,GAAY,EAAE,IAAA,KAAS,EAAC;AAAA,MACrC,GAAI,SAAA,KAAc,MAAA,GAAY,EAAE,IAAA,EAAM,SAAA,KAAc,EAAC;AAAA,MACrD,GAAI,WAAA,KAAgB,MAAA,GAAY,EAAE,WAAA,KAAgB,EAAC;AAAA,MACnD,GAAI,UAAA,KAAe,MAAA,GAAY,EAAE,UAAA,KAAe;AAAC,KAClD;AAEA,IAAA,MAAM,aAAa,eAAA,CAAgB,CAAC,uBAAuB,CAAA,EAAG,SAAS,GAAG,CAAA;AAC1E,IAAA,OAAO,cAAA,CAAe,UAAA,EAAY,OAAA,EAAS,GAAA,EAAK,MAAM,CAAA;AAAA,EACvD;AAEA,EAAA,eAAe,0BACd,KAAA,EACsE;AACtE,IAAA,MAAM,EAAE,OAAA,EAAS,WAAA,EAAa,MAAM,UAAA,EAAY,MAAA,GAAS,OAAM,GAAI,KAAA;AAEnE,IAAA,IAAI,CAAC,OAAA,EAAS;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,qBAAqB;AAAA,OAC3D;AAAA,IACD;AAEA,IAAA,IAAI,CAAC,WAAA,IAAe,WAAA,CAAY,MAAA,KAAW,CAAA,EAAG;AAC7C,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,qCAAqC;AAAA,OAC3E;AAAA,IACD;AAEA,IAAA,MAAM,OAAA,GAA6B;AAAA,MAClC,EAAA,EAAI,OAAA;AAAA,MACJ,OAAA;AAAA,MACA;AAAA,KACD;AAEA,IAAA,MAAM,aAAa,eAAA,CAAgB,CAAC,4BAA4B,CAAA,EAAG,SAAS,GAAG,CAAA;AAC/E,IAAA,OAAO,cAAA,CAAe,UAAA,EAAY,OAAA,EAAS,GAAA,EAAK,MAAM,CAAA;AAAA,EACvD;AAEA,EAAA,eAAe,0BACd,KAAA,EACsE;AACtE,IAAA,MAAM,EAAE,SAAS,KAAA,EAAO,eAAA,EAAiB,MAAM,UAAA,EAAY,MAAA,GAAS,OAAM,GAAI,KAAA;AAE9E,IAAA,IAAI,CAAC,OAAA,EAAS;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,qBAAqB;AAAA,OAC3D;AAAA,IACD;AAEA,IAAA,IAAI,CAAC,KAAA,IAAS,KAAA,CAAM,MAAA,KAAW,CAAA,EAAG;AACjC,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAO,SAAA,CAAU,kBAAA,EAAoB,8CAA8C;AAAA,OACpF;AAAA,IACD;AAEA,IAAA,MAAM,OAAA,GAA6B;AAAA,MAClC,EAAA,EAAI,OAAA;AAAA,MACJ,OAAA;AAAA,MACA,eAAA,EAAiB,KAAA;AAAA,MACjB,GAAI,eAAA,KAAoB,MAAA,GAAY,EAAE,eAAA,KAAoB;AAAC,KAC5D;AAEA,IAAA,MAAM,aAAa,eAAA,CAAgB,CAAC,4BAA
4B,CAAA,EAAG,SAAS,GAAG,CAAA;AAC/E,IAAA,OAAO,cAAA,CAAe,UAAA,EAAY,OAAA,EAAS,GAAA,EAAK,MAAM,CAAA;AAAA,EACvD;AAEA,EAAA,OAAO;AAAA,IACN,oBAAA;AAAA,IACA,yBAAA;AAAA,IACA,yBAAA;AAAA,IACA;AAAA,GACD;AACD;ACpUA,SAASA,UAAAA,CAAU,IAAA,EAAc,OAAA,EAAiB,OAAA,EAAgD;AACjG,EAAA,OAAO,EAAE,IAAA,EAAM,OAAA,EAAS,GAAI,OAAA,KAAY,SAAY,EAAE,OAAA,EAAQ,GAAI,EAAC,EAAG;AACvE;AAEA,SAAS,gBAAgB,MAAA,EAAwD;AAChF,EAAA,IAAI,OAAO,MAAA,KAAW,QAAA,EAAU,OAAO,MAAA;AACvC,EAAA,OAAO,MAAA,CAAO,EAAA;AACf;AA4BO,SAAS,gBAAA,CAAiB,MAAA,GAA2B,EAAC,EAAe;AAC3E,EAAA,MAAM,EAAE,aAAA,EAAe,qBAAA,EAAsB,GAAI,MAAA;AAEjD,EAAA,eAAe,UAAA,CAAW,KAAa,WAAA,EAAuD;AAC7F,IAAA,IAAI,WAAA,EAAa;AAChB,MAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,IAAA,EAAM,WAAA,EAAY;AAAA,IAC3C;AAEA,IAAA,IAAI,aAAA,EAAe;AAClB,MAAA,MAAM,QAAA,GAAW,MAAM,aAAA,CAAc,GAAG,CAAA;AACxC,MAAA,IAAI,QAAA,EAAU;AACb,QAAA,OAAO,EAAE,OAAA,EAAS,IAAA,EAAM,IAAA,EAAM,QAAA,EAAS;AAAA,MACxC;AAAA,IACD;AAEA,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,KAAA;AAAA,MACT,KAAA,EAAOA,UAAAA,CAAU,kBAAA,EAAoB,CAAA,sCAAA,EAAyC,GAAG,CAAA,CAAE;AAAA,KACpF;AAAA,EACD;AAEA,EAAA,eAAe,mBAAA,CACd,KACA,WAAA,EACsC;AACtC,IAAA,IAAI;AAEH,MAAA,MAAM,KAAA,GAAQ,GAAA,CAAI,KAAA,CAAM,GAAG,CAAA;AAC3B,MAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACvB,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,gBAAA,EAAkB,2BAA2B;AAAA,SAC/D;AAAA,MACD;AAGA,MAAA,MAAM,UAAA,GAAa,MAAM,CAAC,CAAA;AAC1B,MAAA,IAAI,CAAC,UAAA,EAAY;AAChB,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,gBAAA,EAAkB,wBAAwB;AAAA,SAC5D;AAAA,MACD;AACA,MAAA,MAAM,aAAa,IAAA,CAAK,KAAA;AAAA,QACvB,IAAI,aAAY,CAAE,MAAA;AAAA,UACjB,UAAA,CAAW,IAAA;AAAA,YAAK,IAAA,CAAK,WAAW,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAC,CAAA;AAAA,YAAG,CAAC,CAAA,KACxE,CAAA,CAAE,UAAA,CAAW,CAAC;AAAA;AACf;AACD,OACD;AAEA,MAAA,MAAM,YAAY,OAAO,UAAA,CAAW,GAAA,KAAQ,QAAA,GAAW,WAAW,GAAA,GAAM,IAAA;AACxE,MAAA,IAAI,CAAC,SAAA,EAAW;AACf,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,cAAA,EAAgB,sBAAsB;AAAA,SACxD;AAAA,MACD;AAGA,MAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,SAAA,EAAW,WAAW,CA
AA;AACzD,MAAA,IAAI,CAAC,SAAA,CAAU,OAAA,EAAS,OAAO,SAAA;AAE/B,MAAA,MAAM,SAAA,GAAY,MAAMC,SAAAA,CAAU,SAAA,CAAU,MAAM,OAAO,CAAA;AACzD,MAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,SAAA,CAAU,KAAK,SAAS,CAAA;AAElD,MAAA,MAAM,UAAU,OAAA,CAAQ,EAAA;AACxB,MAAA,IAAI,CAAC,OAAA,EAAS;AACb,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOD,UAAAA,CAAU,qBAAA,EAAuB,iCAAiC;AAAA,SAC1E;AAAA,MACD;AAGA,MAAA,MAAM,UAAA,GAAmC;AAAA,QACxC,GAAI,OAAA;AAAA,QACJ,MAAA,EAAQ;AAAA,OACT;AAGA,MAAA,MAAM,MAAA,GAAS,0BAAA,CAA2B,SAAA,CAAU,UAAU,CAAA;AAC9D,MAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACpB,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,uBAAA,EAAyB,sCAAA,EAAwC;AAAA,YACjF,QAAQ,MAAA,CAAO,KAAA,CAAM,MAAA,CAAO,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,EAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,OAAO,CAAA,CAAE;AAAA,WAC1E;AAAA,SACF;AAAA,MACD;AAGA,MAAA,IAAI,OAAA,CAAQ,GAAA,IAAO,OAAA,CAAQ,GAAA,GAAM,IAAA,CAAK,MAAM,IAAA,CAAK,GAAA,EAAI,GAAI,GAAI,CAAA,EAAG;AAC/D,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA,CAAU,YAAA,EAAc,wBAAwB;AAAA,SACxD;AAAA,MACD;AAGA,MAAA,IAAI,MAAA,CAAO,IAAA,CAAK,gBAAA,IAAoB,qBAAA,EAAuB;AAC1D,QAAA,MAAM,OAAA,GAAU,MAAM,qBAAA,CAAsB,MAAA,CAAO,KAAK,gBAAgB,CAAA;AACxE,QAAA,IAAI,OAAA,EAAS;AACZ,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,YAAA,EAAc,6BAA6B;AAAA,WAC7D;AAAA,QACD;AAAA,MACD;AAEA,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,IAAA;AAAA,QACT,IAAA,EAAM;AAAA,UACL,YAAY,MAAA,CAAO,IAAA;AAAA,UACnB,MAAA,EAAQ,KAAA;AAAA,UACR,MAAA,EAAQ,SAAA;AAAA,UACR,UAAU,IAAI,IAAA,CAAA,CAAM,OAAA,CAAQ,GAAA,IAAO,KAAK,GAAI,CAAA;AAAA,UAC5C,SAAA,EAAW,QAAQ,GAAA,GAAM,IAAI,KAAK,OAAA,CAAQ,GAAA,GAAM,GAAI,CAAA,GAAI;AAAA;AACzD,OACD;AAAA,IACD,SAAS,GAAA,EAAK;AAEb,MAAA,IAAI,GAAA,YAAeE,OAAW,UAAA,EAAY;AACzC,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOF,UAAAA,CAAU,YAAA,EAAc,wBAAwB;AAAA,SACxD;AAAA,MACD;AACA,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA;AAAA,UACN,kBAAA;AAAA,UACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,OACD;AAAA,IACD;AAAA,EACD;AAEA,EAAA,eAAe,sBAAA,CACd,IAC
A,WAAA,EACsC;AAEtC,IAAA,MAAM,MAAA,GAAS,0BAAA,CAA2B,SAAA,CAAU,EAAE,CAAA;AACtD,IAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACpB,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA,CAAU,uBAAA,EAAyB,sCAAA,EAAwC;AAAA,UACjF,QAAQ,MAAA,CAAO,KAAA,CAAM,MAAA,CAAO,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,EAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,OAAO,CAAA,CAAE;AAAA,SAC1E;AAAA,OACF;AAAA,IACD;AAEA,IAAA,MAAM,aAAa,MAAA,CAAO,IAAA;AAE1B,IAAA,IAAI,CAAC,WAAW,KAAA,EAAO;AACtB,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA,CAAU,aAAA,EAAe,0CAA0C;AAAA,OAC3E;AAAA,IACD;AAEA,IAAA,IAAI,CAAC,UAAA,CAAW,KAAA,CAAM,GAAA,EAAK;AAC1B,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA,CAAU,WAAA,EAAa,oCAAoC;AAAA,OACnE;AAAA,IACD;AAEA,IAAA,MAAM,SAAA,GAAY,eAAA,CAAgB,UAAA,CAAW,MAAM,CAAA;AAGnD,IAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,SAAA,EAAW,WAAW,CAAA;AACzD,IAAA,IAAI,CAAC,SAAA,CAAU,OAAA,EAAS,OAAO,SAAA;AAE/B,IAAA,IAAI;AACH,MAAA,MAAM,SAAA,GAAY,MAAMC,SAAAA,CAAU,SAAA,CAAU,MAAM,OAAO,CAAA;AAGzD,MAAA,MAAM,EAAE,SAAQ,GAAI,MAAM,cAAc,UAAA,CAAW,KAAA,CAAM,KAAK,SAAS,CAAA;AAGvE,MAAA,MAAM,EAAE,KAAA,EAAO,MAAA,EAAQ,GAAG,gBAAe,GAAI,UAAA;AAC7C,MAAA,MAAM,aAAA,GAAgB,IAAI,WAAA,EAAY,CAAE,OAAO,OAAO,CAAA;AACtD,MAAA,MAAM,cAAA,GAAiB,IAAA,CAAK,SAAA,CAAU,cAAc,CAAA;AAEpD,MAAA,IAAI,kBAAkB,cAAA,EAAgB;AACrC,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOD,UAAAA,CAAU,aAAA,EAAe,sDAAsD;AAAA,SACvF;AAAA,MACD;AAGA,MAAA,IAAI,WAAW,cAAA,EAAgB;AAC9B,QAAA,MAAM,MAAA,GAAS,IAAI,IAAA,CAAK,UAAA,CAAW,cAAc,CAAA;AACjD,QAAA,IAAI,MAAA,oBAAU,IAAI,IAAA,EAAK,EAAG;AACzB,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,YAAA,EAAc,wBAAwB;AAAA,WACxD;AAAA,QACD;AAAA,MACD;AAGA,MAAA,IAAI,UAAA,CAAW,oBAAoB,qBAAA,EAAuB;AACzD,QAAA,MAAM,OAAA,GAAU,MAAM,qBAAA,CAAsB,UAAA,CAAW,gBAAgB,CAAA;AACvE,QAAA,IAAI,OAAA,EAAS;AACZ,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,YAAA,EAAc,6BAA6B;AAAA,WAC7D;AAAA,QACD;AAAA,MACD;AAEA,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,IAAA;AAAA,QACT,IAAA,EAAM;AAAA,UACL,UAAA;AAAA,UACA,MAAA,EAAQ,SAA
A;AAAA,UACR,MAAA,EAAQ,SAAA;AAAA,UACR,QAAA,EAAU,IAAI,IAAA,CAAK,UAAA,CAAW,YAAY,CAAA;AAAA,UAC1C,WAAW,UAAA,CAAW,cAAA,GAAiB,IAAI,IAAA,CAAK,UAAA,CAAW,cAAc,CAAA,GAAI;AAAA;AAC9E,OACD;AAAA,IACD,SAAS,GAAA,EAAK;AACb,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA;AAAA,UACN,kBAAA;AAAA,UACA,GAAA,YAAe,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,OACD;AAAA,IACD;AAAA,EACD;AAIA,EAAA,eAAe,gBAAA,CACd,IACA,YAAA,EACsC;AACtC,IAAA,IAAI,OAAO,OAAO,QAAA,EAAU;AAC3B,MAAA,OAAO,mBAAA,CAAoB,IAAI,YAAY,CAAA;AAAA,IAC5C;AACA,IAAA,OAAO,sBAAA,CAAuB,IAAI,YAAY,CAAA;AAAA,EAC/C;AAEA,EAAA,eAAe,kBAAA,CACd,IACA,YAAA,EACwC;AACxC,IAAA,IAAI,YAAA;AAEJ,IAAA,IAAI,OAAO,OAAO,QAAA,EAAU;AAE3B,MAAA,IAAI;AACH,QAAA,MAAM,KAAA,GAAQ,EAAA,CAAG,KAAA,CAAM,GAAG,CAAA;AAC1B,QAAA,IAAI,MAAM,MAAA,KAAW,CAAA,IAAK,CAAC,KAAA,CAAM,CAAC,CAAA,EAAG;AACpC,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,gBAAA,EAAkB,wCAAwC;AAAA,WAC5E;AAAA,QACD;AAEA,QAAA,MAAM,UAAA,GAAa,MAAM,CAAC,CAAA;AAC1B,QAAA,MAAM,aAAa,IAAA,CAAK,KAAA;AAAA,UACvB,IAAI,aAAY,CAAE,MAAA;AAAA,YACjB,UAAA,CAAW,IAAA;AAAA,cAAK,IAAA,CAAK,WAAW,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAA,CAAE,OAAA,CAAQ,IAAA,EAAM,GAAG,CAAC,CAAA;AAAA,cAAG,CAAC,CAAA,KACxE,CAAA,CAAE,UAAA,CAAW,CAAC;AAAA;AACf;AACD,SACD;AAEA,QAAA,MAAM,YAAY,OAAO,UAAA,CAAW,GAAA,KAAQ,QAAA,GAAW,WAAW,GAAA,GAAM,IAAA;AACxE,QAAA,IAAI,CAAC,SAAA,EAAW;AACf,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOA,UAAAA,CAAU,cAAA,EAAgB,mCAAmC;AAAA,WACrE;AAAA,QACD;AAEA,QAAA,MAAM,SAAA,GAAY,MAAM,UAAA,CAAW,SAAA,EAAW,YAAY,CAAA;AAC1D,QAAA,IAAI,CAAC,SAAA,CAAU,OAAA,EAAS,OAAO,SAAA;AAE/B,QAAA,MAAM,SAAA,GAAY,MAAMC,SAAAA,CAAU,SAAA,CAAU,MAAM,OAAO,CAAA;AACzD,QAAA,MAAM,EAAE,OAAA,EAAQ,GAAI,MAAM,SAAA,CAAU,IAAI,SAAS,CAAA;AAEjD,QAAA,MAAM,UAAU,OAAA,CAAQ,EAAA;AACxB,QAAA,IAAI,CAAC,OAAA,EAAS;AACb,UAAA,OAAO;AAAA,YACN,OAAA,EAAS,KAAA;AAAA,YACT,KAAA,EAAOD,UAAAA,CAAU,qBAAA,EAAuB,iCAAiC;AAAA,WAC1E;AAAA,QACD;AAEA,QAAA,YAAA,GAAe,OAAA;AAAA,MAChB,SAAS,GAAA,EAAK;AACb,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA;AAAA,YACN,kBAAA;AAAA,YACA,GAAA,YAAe
,KAAA,GAAQ,GAAA,CAAI,OAAA,GAAU;AAAA;AACtC,SACD;AAAA,MACD;AAAA,IACD,CAAA,MAAO;AACN,MAAA,YAAA,GAAe,EAAA;AAAA,IAChB;AAGA,IAAA,MAAM,MAAA,GAAS,4BAAA,CAA6B,SAAA,CAAU,YAAY,CAAA;AAClE,IAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACpB,MAAA,OAAO;AAAA,QACN,OAAA,EAAS,KAAA;AAAA,QACT,KAAA,EAAOA,UAAAA,CAAU,yBAAA,EAA2B,wCAAA,EAA0C;AAAA,UACrF,QAAQ,MAAA,CAAO,KAAA,CAAM,MAAA,CAAO,GAAA,CAAI,CAAC,CAAA,KAAM,CAAA,EAAG,CAAA,CAAE,IAAA,CAAK,KAAK,GAAG,CAAC,CAAA,EAAA,EAAK,CAAA,CAAE,OAAO,CAAA,CAAE;AAAA,SAC1E;AAAA,OACF;AAAA,IACD;AAGA,IAAA,MAAM,sBAA4C,EAAC;AACnD,IAAA,KAAA,MAAW,EAAA,IAAM,MAAA,CAAO,IAAA,CAAK,oBAAA,EAAsB;AAClD,MAAA,MAAM,MAAA,GAAS,MAAM,gBAAA,CAAiB,EAAA,EAAI,YAAY,CAAA;AACtD,MAAA,IAAI,CAAC,OAAO,OAAA,EAAS;AACpB,QAAA,OAAO;AAAA,UACN,OAAA,EAAS,KAAA;AAAA,UACT,KAAA,EAAOA,UAAAA;AAAA,YACN,oCAAA;AAAA,YACA,CAAA,6CAAA,EAAgD,MAAA,CAAO,KAAA,CAAM,OAAO,CAAA,CAAA;AAAA,YACpE,EAAE,aAAA,EAAe,MAAA,CAAO,KAAA;AAAM;AAC/B,SACD;AAAA,MACD;AACA,MAAA,mBAAA,CAAoB,IAAA,CAAK,OAAO,IAAI,CAAA;AAAA,IACrC;AAEA,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,IAAA;AAAA,MACT,IAAA,EAAM;AAAA,QACL,cAAc,MAAA,CAAO,IAAA;AAAA,QACrB,WAAA,EAAa,mBAAA;AAAA,QACb,MAAA,EAAQ,MAAA,CAAO,IAAA,CAAK,MAAA,IAAU;AAAA;AAC/B,KACD;AAAA,EACD;AAEA,EAAA,SAAS,mBAAmB,EAAA,EAAgD;AAC3E,IAAA,MAAM,UAAU,EAAA,CAAG,iBAAA;AACnB,IAAA,OAAO;AAAA,MACN,OAAA,EAAS,OAAA,CAAQ,OAAA,IAAW,OAAA,CAAQ,EAAA,IAAM,IAAA;AAAA,MAC1C,WAAA,EAAa,OAAA,CAAQ,WAAA,IAAe,EAAC;AAAA,MACrC,UAAA,EAAY,QAAQ,UAAA,IAAc,IAAA;AAAA,MAClC,eAAA,EAAiB,OAAA,CAAQ,eAAA,IAAmB;AAAC,KAC9C;AAAA,EACD;AAEA,EAAA,OAAO;AAAA,IACN,gBAAA;AAAA,IACA,kBAAA;AAAA,IACA;AAAA,GACD;AACD","file":"chunk-NSTER7KE.js","sourcesContent":["/**\n * W3C Verifiable Credentials Data Model 2.0 types for KavachOS.\n *\n * Defines Zod-validated schemas for credentials, presentations,\n * proofs, and credential status. 
Agent-centric: the credential\n * subject carries agent identity, permissions, trust level, and\n * delegation scope.\n */\n\nimport { z } from \"zod\";\n\n// ─── W3C VC Constants ────────────────────────────────────────────────────────\n\nexport const VC_CONTEXT_V2 = \"https://www.w3.org/ns/credentials/v2\";\nexport const VC_CONTEXT_V1 = \"https://www.w3.org/2018/credentials/v1\";\nexport const VC_TYPE_CREDENTIAL = \"VerifiableCredential\";\nexport const VC_TYPE_PRESENTATION = \"VerifiablePresentation\";\n\n// KavachOS-specific credential types\nexport const KAVACH_AGENT_CREDENTIAL = \"KavachAgentCredential\";\nexport const KAVACH_PERMISSION_CREDENTIAL = \"KavachPermissionCredential\";\nexport const KAVACH_DELEGATION_CREDENTIAL = \"KavachDelegationCredential\";\n\n// ─── Proof Types ─────────────────────────────────────────────────────────────\n\nexport const ProofSchema = z.object({\n\ttype: z.enum([\"Ed25519Signature2020\", \"JsonWebSignature2020\"]),\n\tcreated: z.string(),\n\tverificationMethod: z.string(),\n\tproofPurpose: z.enum([\"assertionMethod\", \"authentication\"]),\n\tproofValue: z.string().optional(),\n\tjws: z.string().optional(),\n});\n\nexport type Proof = z.infer<typeof ProofSchema>;\n\n// ─── Credential Status ──────────────────────────────────────────────────────\n\nexport const CredentialStatusSchema = z.object({\n\tid: z.string(),\n\ttype: z.string(),\n\tstatusPurpose: z.enum([\"revocation\", \"suspension\"]),\n\tstatusListIndex: z.number().int().nonnegative(),\n\tstatusListCredential: z.string(),\n});\n\nexport type CredentialStatus = z.infer<typeof CredentialStatusSchema>;\n\n// ─── Credential Subject ─────────────────────────────────────────────────────\n\nexport const CredentialSubjectSchema = z.object({\n\tid: z.string().optional(),\n\tagentId: z.string().optional(),\n\tpermissions: z.array(z.string()).optional(),\n\ttrustLevel: z.number().min(0).max(1).optional(),\n\tdelegationScope: z.array(z.string()).optional(),\n\tdelegationChain: 
z\n\t\t.array(\n\t\t\tz.object({\n\t\t\t\tdelegator: z.string(),\n\t\t\t\tdelegatee: z.string(),\n\t\t\t\tpermissions: z.array(z.string()),\n\t\t\t\tcreatedAt: z.string(),\n\t\t\t}),\n\t\t)\n\t\t.optional(),\n\tname: z.string().optional(),\n\ttype: z.string().optional(),\n});\n\nexport type CredentialSubject = z.infer<typeof CredentialSubjectSchema>;\n\n// ─── Verifiable Credential ──────────────────────────────────────────────────\n\nexport const VerifiableCredentialSchema = z.object({\n\t\"@context\": z.array(z.string()).min(1),\n\tid: z.string().optional(),\n\ttype: z.array(z.string()).min(1),\n\tissuer: z.union([z.string(), z.object({ id: z.string(), name: z.string().optional() })]),\n\tissuanceDate: z.string(),\n\texpirationDate: z.string().optional(),\n\tcredentialSubject: CredentialSubjectSchema,\n\tcredentialStatus: CredentialStatusSchema.optional(),\n\tproof: ProofSchema.optional(),\n});\n\nexport type VerifiableCredential = z.infer<typeof VerifiableCredentialSchema>;\n\n// ─── Verifiable Presentation ────────────────────────────────────────────────\n\nexport const VerifiablePresentationSchema = z.object({\n\t\"@context\": z.array(z.string()).min(1),\n\tid: z.string().optional(),\n\ttype: z.array(z.string()).min(1),\n\tholder: z.string().optional(),\n\tverifiableCredential: z.array(VerifiableCredentialSchema).min(1),\n\tproof: ProofSchema.optional(),\n});\n\nexport type VerifiablePresentation = z.infer<typeof VerifiablePresentationSchema>;\n\n// ─── Issuer Config ──────────────────────────────────────────────────────────\n\nexport interface VCIssuerConfig {\n\t/** DID of the issuer (e.g. did:key:z6Mk...) */\n\tissuerDid: string;\n\t/** Private key JWK for signing credentials */\n\tprivateKeyJwk: JsonWebKey;\n\t/** Public key JWK for verification method references */\n\tpublicKeyJwk: JsonWebKey;\n\t/** Default credential lifetime in seconds. Default: 86400 (24 hours). */\n\tdefaultTtl?: number;\n\t/** Credential status endpoint base URL (for revocation). 
Optional. */\n\tstatusEndpoint?: string;\n}\n\n// ─── Verifier Config ────────────────────────────────────────────────────────\n\nexport interface VCVerifierConfig {\n\t/**\n\t * Resolve a DID to its public key JWK.\n\t * If not provided, only credentials with a known public key can be verified.\n\t */\n\tresolveDidKey?: (did: string) => Promise<JsonWebKey | null>;\n\t/**\n\t * Check credential revocation status.\n\t * If not provided, revocation checks are skipped.\n\t */\n\tcheckRevocationStatus?: (status: CredentialStatus) => Promise<boolean>;\n}\n\n// ─── JWT VC Types ───────────────────────────────────────────────────────────\n\n/** Claims embedded in a JWT-encoded Verifiable Credential */\nexport interface VCJwtPayload {\n\tiss: string;\n\tsub?: string;\n\tvc: Omit<VerifiableCredential, \"proof\">;\n\tiat: number;\n\texp?: number;\n\tjti?: string;\n}\n\n/** The format a credential was issued in */\nexport type CredentialFormat = \"jwt\" | \"json-ld\";\n\n/** Result of a successful credential verification */\nexport interface VerifiedCredential {\n\tcredential: VerifiableCredential;\n\tformat: CredentialFormat;\n\tissuer: string;\n\tissuedAt: Date;\n\texpiresAt: Date | null;\n}\n\n/** Result of a successful presentation verification */\nexport interface VerifiedPresentation {\n\tpresentation: VerifiablePresentation;\n\tcredentials: VerifiedCredential[];\n\tholder: string | null;\n}\n\n/** Extracted permissions from a verified credential */\nexport interface ExtractedPermissions {\n\tagentId: string | null;\n\tpermissions: string[];\n\ttrustLevel: number | null;\n\tdelegationScope: string[];\n}\n","/**\n * W3C Verifiable Credential issuance for KavachOS.\n *\n * Issues VCs as JWT (compact JWS) or JSON-LD with embedded proof.\n * Credentials encode agent identity, permissions, and delegation chains\n * so agents can prove their capabilities to any verifier without\n * a network call back to KavachOS.\n */\n\nimport { importJWK, SignJWT } from \"jose\";\nimport { 
generateId } from \"../crypto/web-crypto.js\";\nimport type { KavachError, Result } from \"../mcp/types.js\";\nimport type {\n\tCredentialFormat,\n\tCredentialSubject,\n\tProof,\n\tVCIssuerConfig,\n\tVerifiableCredential,\n} from \"./types.js\";\nimport {\n\tKAVACH_AGENT_CREDENTIAL,\n\tKAVACH_DELEGATION_CREDENTIAL,\n\tKAVACH_PERMISSION_CREDENTIAL,\n\tVC_CONTEXT_V2,\n\tVC_TYPE_CREDENTIAL,\n} from \"./types.js\";\n\n// ─── Constants ──────────────────────────────────────────────────────────────\n\nconst DEFAULT_TTL_SECONDS = 86400; // 24 hours\n\n// ─── Helpers ────────────────────────────────────────────────────────────────\n\nfunction makeError(code: string, message: string, details?: Record<string, unknown>): KavachError {\n\treturn { code, message, ...(details !== undefined ? { details } : {}) };\n}\n\nfunction nowISO(): string {\n\treturn new Date().toISOString();\n}\n\nfunction futureISO(seconds: number): string {\n\treturn new Date(Date.now() + seconds * 1000).toISOString();\n}\n\n// ─── Agent Credential Input ─────────────────────────────────────────────────\n\nexport interface IssueAgentCredentialInput {\n\t/** Agent ID (used as credentialSubject.id and sub claim) */\n\tagentId: string;\n\t/** Agent name */\n\tname?: string;\n\t/** Agent type (e.g. \"autonomous\", \"supervised\") */\n\tagentType?: string;\n\t/** Permissions granted to this agent */\n\tpermissions?: string[];\n\t/** Trust score between 0 and 1 */\n\ttrustLevel?: number;\n\t/** Credential lifetime in seconds. Overrides the issuer default. */\n\tttl?: number;\n\t/** Output format. Default: \"jwt\". */\n\tformat?: CredentialFormat;\n}\n\n// ─── Permission Credential Input ────────────────────────────────────────────\n\nexport interface IssuePermissionCredentialInput {\n\t/** Agent DID or ID that receives the permissions */\n\tagentId: string;\n\t/** Permissions being granted */\n\tpermissions: string[];\n\t/** Credential lifetime in seconds. Overrides the issuer default. 
*/\n\tttl?: number;\n\t/** Output format. Default: \"jwt\". */\n\tformat?: CredentialFormat;\n}\n\n// ─── Delegation Credential Input ────────────────────────────────────────────\n\nexport interface DelegationLink {\n\tdelegator: string;\n\tdelegatee: string;\n\tpermissions: string[];\n\tcreatedAt: string;\n}\n\nexport interface IssueDelegationCredentialInput {\n\t/** The agent at the end of the delegation chain */\n\tagentId: string;\n\t/** Ordered delegation chain from root to leaf */\n\tchain: DelegationLink[];\n\t/** Scope of delegated permissions (subset of original) */\n\tdelegationScope?: string[];\n\t/** Credential lifetime in seconds. Overrides the issuer default. */\n\tttl?: number;\n\t/** Output format. Default: \"jwt\". */\n\tformat?: CredentialFormat;\n}\n\n// ─── VC Issuer Interface ────────────────────────────────────────────────────\n\nexport interface VCIssuer {\n\t/** Issue a VC encoding agent identity, permissions, and trust score */\n\tissueAgentCredential(\n\t\tinput: IssueAgentCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>>;\n\t/** Issue a VC for specific permission grants */\n\tissuePermissionCredential(\n\t\tinput: IssuePermissionCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>>;\n\t/** Issue a VC encoding a delegation chain */\n\tissueDelegationCredential(\n\t\tinput: IssueDelegationCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>>;\n\t/** The DID of this issuer */\n\treadonly issuerDid: string;\n}\n\n// ─── Factory ────────────────────────────────────────────────────────────────\n\n/**\n * Create a VC issuer bound to a specific DID and keypair.\n *\n * The issuer can produce credentials in JWT or JSON-LD format.\n * JWT credentials are signed as a compact JWS with the VC embedded\n * in the `vc` claim. 
JSON-LD credentials carry an embedded proof.\n */\nexport function createVCIssuer(config: VCIssuerConfig): VCIssuer {\n\tconst { issuerDid, privateKeyJwk, defaultTtl = DEFAULT_TTL_SECONDS } = config;\n\n\tconst kid = `${issuerDid}#${issuerDid.split(\":\").pop() ?? \"key-1\"}`;\n\n\tasync function signAsJwt(\n\t\tcredential: VerifiableCredential,\n\t\tsubject: string | undefined,\n\t\tttl: number,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt: string }>> {\n\t\ttry {\n\t\t\tconst key = await importJWK(privateKeyJwk, \"EdDSA\");\n\n\t\t\t// Strip proof from the VC when embedding in JWT — the JWT signature is the proof\n\t\t\tconst { proof: _proof, ...vcWithoutProof } = credential;\n\n\t\t\tconst builder = new SignJWT({\n\t\t\t\tvc: vcWithoutProof,\n\t\t\t})\n\t\t\t\t.setProtectedHeader({ alg: \"EdDSA\", kid, typ: \"JWT\" })\n\t\t\t\t.setIssuer(issuerDid)\n\t\t\t\t.setIssuedAt()\n\t\t\t\t.setExpirationTime(Math.floor(Date.now() / 1000) + ttl);\n\n\t\t\tif (credential.id) {\n\t\t\t\tbuilder.setJti(credential.id);\n\t\t\t}\n\t\t\tif (subject) {\n\t\t\t\tbuilder.setSubject(subject);\n\t\t\t}\n\n\t\t\tconst jwt = await builder.sign(key);\n\t\t\treturn { success: true, data: { credential, jwt } };\n\t\t} catch (err) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\n\t\t\t\t\t\"VC_SIGN_FAILED\",\n\t\t\t\t\terr instanceof Error ? 
err.message : \"Failed to sign credential as JWT\",\n\t\t\t\t),\n\t\t\t};\n\t\t}\n\t}\n\n\tasync function signAsJsonLd(\n\t\tcredential: VerifiableCredential,\n\t): Promise<Result<{ credential: VerifiableCredential }>> {\n\t\ttry {\n\t\t\tconst key = await importJWK(privateKeyJwk, \"EdDSA\");\n\n\t\t\t// Create a JWS over the credential without proof\n\t\t\tconst { proof: _proof, ...vcWithoutProof } = credential;\n\t\t\tconst payload = new TextEncoder().encode(JSON.stringify(vcWithoutProof));\n\n\t\t\tconst { CompactSign } = await import(\"jose\");\n\t\t\tconst jws = await new CompactSign(payload)\n\t\t\t\t.setProtectedHeader({ alg: \"EdDSA\", kid })\n\t\t\t\t.sign(key);\n\n\t\t\tconst proof: Proof = {\n\t\t\t\ttype: \"JsonWebSignature2020\",\n\t\t\t\tcreated: nowISO(),\n\t\t\t\tverificationMethod: kid,\n\t\t\t\tproofPurpose: \"assertionMethod\",\n\t\t\t\tjws,\n\t\t\t};\n\n\t\t\tconst signedCredential: VerifiableCredential = {\n\t\t\t\t...credential,\n\t\t\t\tproof,\n\t\t\t};\n\n\t\t\treturn { success: true, data: { credential: signedCredential } };\n\t\t} catch (err) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\n\t\t\t\t\t\"VC_SIGN_FAILED\",\n\t\t\t\t\terr instanceof Error ? err.message : \"Failed to sign credential as JSON-LD\",\n\t\t\t\t),\n\t\t\t};\n\t\t}\n\t}\n\n\tfunction buildCredential(\n\t\ttypes: string[],\n\t\tsubject: CredentialSubject,\n\t\tttl: number,\n\t\texpirationDate?: string,\n\t): VerifiableCredential {\n\t\treturn {\n\t\t\t\"@context\": [VC_CONTEXT_V2],\n\t\t\tid: `urn:uuid:${generateId()}`,\n\t\t\ttype: [VC_TYPE_CREDENTIAL, ...types],\n\t\t\tissuer: issuerDid,\n\t\t\tissuanceDate: nowISO(),\n\t\t\texpirationDate: expirationDate ?? 
futureISO(ttl),\n\t\t\tcredentialSubject: subject,\n\t\t};\n\t}\n\n\tasync function signCredential(\n\t\tcredential: VerifiableCredential,\n\t\tsubject: string | undefined,\n\t\tttl: number,\n\t\tformat: CredentialFormat,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>> {\n\t\tif (format === \"jwt\") {\n\t\t\treturn signAsJwt(credential, subject, ttl);\n\t\t}\n\t\treturn signAsJsonLd(credential);\n\t}\n\n\t// ── Public API ────────────────────────────────────────────────────────\n\n\tasync function issueAgentCredential(\n\t\tinput: IssueAgentCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>> {\n\t\tconst {\n\t\t\tagentId,\n\t\t\tname,\n\t\t\tagentType,\n\t\t\tpermissions,\n\t\t\ttrustLevel,\n\t\t\tttl = defaultTtl,\n\t\t\tformat = \"jwt\",\n\t\t} = input;\n\n\t\tif (!agentId) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"agentId is required\"),\n\t\t\t};\n\t\t}\n\n\t\tif (trustLevel !== undefined && (trustLevel < 0 || trustLevel > 1)) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"trustLevel must be between 0 and 1\"),\n\t\t\t};\n\t\t}\n\n\t\tconst subject: CredentialSubject = {\n\t\t\tid: agentId,\n\t\t\tagentId,\n\t\t\t...(name !== undefined ? { name } : {}),\n\t\t\t...(agentType !== undefined ? { type: agentType } : {}),\n\t\t\t...(permissions !== undefined ? { permissions } : {}),\n\t\t\t...(trustLevel !== undefined ? 
{ trustLevel } : {}),\n\t\t};\n\n\t\tconst credential = buildCredential([KAVACH_AGENT_CREDENTIAL], subject, ttl);\n\t\treturn signCredential(credential, agentId, ttl, format);\n\t}\n\n\tasync function issuePermissionCredential(\n\t\tinput: IssuePermissionCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>> {\n\t\tconst { agentId, permissions, ttl = defaultTtl, format = \"jwt\" } = input;\n\n\t\tif (!agentId) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"agentId is required\"),\n\t\t\t};\n\t\t}\n\n\t\tif (!permissions || permissions.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"At least one permission is required\"),\n\t\t\t};\n\t\t}\n\n\t\tconst subject: CredentialSubject = {\n\t\t\tid: agentId,\n\t\t\tagentId,\n\t\t\tpermissions,\n\t\t};\n\n\t\tconst credential = buildCredential([KAVACH_PERMISSION_CREDENTIAL], subject, ttl);\n\t\treturn signCredential(credential, agentId, ttl, format);\n\t}\n\n\tasync function issueDelegationCredential(\n\t\tinput: IssueDelegationCredentialInput,\n\t): Promise<Result<{ credential: VerifiableCredential; jwt?: string }>> {\n\t\tconst { agentId, chain, delegationScope, ttl = defaultTtl, format = \"jwt\" } = input;\n\n\t\tif (!agentId) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"agentId is required\"),\n\t\t\t};\n\t\t}\n\n\t\tif (!chain || chain.length === 0) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_INPUT\", \"Delegation chain must have at least one link\"),\n\t\t\t};\n\t\t}\n\n\t\tconst subject: CredentialSubject = {\n\t\t\tid: agentId,\n\t\t\tagentId,\n\t\t\tdelegationChain: chain,\n\t\t\t...(delegationScope !== undefined ? 
{ delegationScope } : {}),\n\t\t};\n\n\t\tconst credential = buildCredential([KAVACH_DELEGATION_CREDENTIAL], subject, ttl);\n\t\treturn signCredential(credential, agentId, ttl, format);\n\t}\n\n\treturn {\n\t\tissueAgentCredential,\n\t\tissuePermissionCredential,\n\t\tissueDelegationCredential,\n\t\tissuerDid,\n\t};\n}\n","/**\n * W3C Verifiable Credential verification for KavachOS.\n *\n * Verifies credentials in both JWT and JSON-LD formats. Checks\n * signatures, expiry, and optional revocation status. Extracts\n * KavachOS-specific permissions from verified credentials.\n */\n\nimport { compactVerify, importJWK, errors as joseErrors, jwtVerify } from \"jose\";\nimport type { KavachError, Result } from \"../mcp/types.js\";\nimport type {\n\tCredentialFormat,\n\tExtractedPermissions,\n\tVCVerifierConfig,\n\tVerifiableCredential,\n\tVerifiablePresentation,\n\tVerifiedCredential,\n\tVerifiedPresentation,\n} from \"./types.js\";\nimport { VerifiableCredentialSchema, VerifiablePresentationSchema } from \"./types.js\";\n\n// ─── Helpers ────────────────────────────────────────────────────────────────\n\nfunction makeError(code: string, message: string, details?: Record<string, unknown>): KavachError {\n\treturn { code, message, ...(details !== undefined ? 
{ details } : {}) };\n}\n\nfunction getIssuerString(issuer: string | { id: string; name?: string }): string {\n\tif (typeof issuer === \"string\") return issuer;\n\treturn issuer.id;\n}\n\n// ─── VC Verifier Interface ──────────────────────────────────────────────────\n\nexport interface VCVerifier {\n\t/** Verify a single credential (JWT string or JSON-LD object) */\n\tverifyCredential(\n\t\tvc: string | VerifiableCredential,\n\t\tpublicKeyJwk?: JsonWebKey,\n\t): Promise<Result<VerifiedCredential>>;\n\t/** Verify a presentation containing multiple VCs */\n\tverifyPresentation(\n\t\tvp: string | VerifiablePresentation,\n\t\tpublicKeyJwk?: JsonWebKey,\n\t): Promise<Result<VerifiedPresentation>>;\n\t/** Extract KavachOS permissions from a verified credential */\n\textractPermissions(vc: VerifiableCredential): ExtractedPermissions;\n}\n\n// ─── Factory ────────────────────────────────────────────────────────────────\n\n/**\n * Create a VC verifier that checks signatures, expiry, and revocation.\n *\n * The verifier accepts both JWT-encoded and JSON-LD credentials.\n * For JWT credentials, pass the compact JWS string. 
For JSON-LD\n * credentials with embedded proof, pass the credential object.\n */\nexport function createVCVerifier(config: VCVerifierConfig = {}): VCVerifier {\n\tconst { resolveDidKey, checkRevocationStatus } = config;\n\n\tasync function resolveKey(did: string, providedKey?: JsonWebKey): Promise<Result<JsonWebKey>> {\n\t\tif (providedKey) {\n\t\t\treturn { success: true, data: providedKey };\n\t\t}\n\n\t\tif (resolveDidKey) {\n\t\t\tconst resolved = await resolveDidKey(did);\n\t\t\tif (resolved) {\n\t\t\t\treturn { success: true, data: resolved };\n\t\t\t}\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: false,\n\t\t\terror: makeError(\"VC_KEY_NOT_FOUND\", `Could not resolve public key for DID: ${did}`),\n\t\t};\n\t}\n\n\tasync function verifyJwtCredential(\n\t\tjwt: string,\n\t\tprovidedKey?: JsonWebKey,\n\t): Promise<Result<VerifiedCredential>> {\n\t\ttry {\n\t\t\t// Decode the header to get the kid, then resolve the key\n\t\t\tconst parts = jwt.split(\".\");\n\t\t\tif (parts.length !== 3) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_INVALID_JWT\", \"JWT must have three parts\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// First pass: decode without verification to extract issuer\n\t\t\tconst payloadB64 = parts[1];\n\t\t\tif (!payloadB64) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_INVALID_JWT\", \"JWT payload is missing\"),\n\t\t\t\t};\n\t\t\t}\n\t\t\tconst rawPayload = JSON.parse(\n\t\t\t\tnew TextDecoder().decode(\n\t\t\t\t\tUint8Array.from(atob(payloadB64.replace(/-/g, \"+\").replace(/_/g, \"/\")), (c) =>\n\t\t\t\t\t\tc.charCodeAt(0),\n\t\t\t\t\t),\n\t\t\t\t),\n\t\t\t) as Record<string, unknown>;\n\n\t\t\tconst issuerDid = typeof rawPayload.iss === \"string\" ? 
rawPayload.iss : null;\n\t\t\tif (!issuerDid) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_NO_ISSUER\", \"JWT has no iss claim\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Resolve key\n\t\t\tconst keyResult = await resolveKey(issuerDid, providedKey);\n\t\t\tif (!keyResult.success) return keyResult;\n\n\t\t\tconst publicKey = await importJWK(keyResult.data, \"EdDSA\");\n\t\t\tconst { payload } = await jwtVerify(jwt, publicKey);\n\n\t\t\tconst vcClaim = payload.vc as Record<string, unknown> | undefined;\n\t\t\tif (!vcClaim) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_MISSING_VC_CLAIM\", \"JWT does not contain a vc claim\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Reconstruct the full credential from the JWT claims\n\t\t\tconst credential: VerifiableCredential = {\n\t\t\t\t...(vcClaim as unknown as VerifiableCredential),\n\t\t\t\tissuer: issuerDid,\n\t\t\t};\n\n\t\t\t// Validate against schema\n\t\t\tconst parsed = VerifiableCredentialSchema.safeParse(credential);\n\t\t\tif (!parsed.success) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_INVALID_CREDENTIAL\", \"Credential does not match W3C schema\", {\n\t\t\t\t\t\tissues: parsed.error.issues.map((i) => `${i.path.join(\".\")}: ${i.message}`),\n\t\t\t\t\t}),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Check expiry\n\t\t\tif (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_EXPIRED\", \"Credential has expired\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Check revocation\n\t\t\tif (parsed.data.credentialStatus && checkRevocationStatus) {\n\t\t\t\tconst revoked = await checkRevocationStatus(parsed.data.credentialStatus);\n\t\t\t\tif (revoked) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_REVOKED\", \"Credential has been revoked\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn {\n\t\t\t\tsuccess: true,\n\t\t\t\tdata: 
{\n\t\t\t\t\tcredential: parsed.data,\n\t\t\t\t\tformat: \"jwt\" as CredentialFormat,\n\t\t\t\t\tissuer: issuerDid,\n\t\t\t\t\tissuedAt: new Date((payload.iat ?? 0) * 1000),\n\t\t\t\t\texpiresAt: payload.exp ? new Date(payload.exp * 1000) : null,\n\t\t\t\t},\n\t\t\t};\n\t\t} catch (err) {\n\t\t\t// Distinguish between expiry and other errors\n\t\t\tif (err instanceof joseErrors.JWTExpired) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_EXPIRED\", \"Credential has expired\"),\n\t\t\t\t};\n\t\t\t}\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\n\t\t\t\t\t\"VC_VERIFY_FAILED\",\n\t\t\t\t\terr instanceof Error ? err.message : \"Failed to verify JWT credential\",\n\t\t\t\t),\n\t\t\t};\n\t\t}\n\t}\n\n\tasync function verifyJsonLdCredential(\n\t\tvc: VerifiableCredential,\n\t\tprovidedKey?: JsonWebKey,\n\t): Promise<Result<VerifiedCredential>> {\n\t\t// Validate schema\n\t\tconst parsed = VerifiableCredentialSchema.safeParse(vc);\n\t\tif (!parsed.success) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_CREDENTIAL\", \"Credential does not match W3C schema\", {\n\t\t\t\t\tissues: parsed.error.issues.map((i) => `${i.path.join(\".\")}: ${i.message}`),\n\t\t\t\t}),\n\t\t\t};\n\t\t}\n\n\t\tconst credential = parsed.data;\n\n\t\tif (!credential.proof) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_NO_PROOF\", \"JSON-LD credential has no embedded proof\"),\n\t\t\t};\n\t\t}\n\n\t\tif (!credential.proof.jws) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_NO_JWS\", \"Proof does not contain a JWS value\"),\n\t\t\t};\n\t\t}\n\n\t\tconst issuerDid = getIssuerString(credential.issuer);\n\n\t\t// Resolve key\n\t\tconst keyResult = await resolveKey(issuerDid, providedKey);\n\t\tif (!keyResult.success) return keyResult;\n\n\t\ttry {\n\t\t\tconst publicKey = await importJWK(keyResult.data, \"EdDSA\");\n\n\t\t\t// Verify the JWS\n\t\t\tconst { payload } 
= await compactVerify(credential.proof.jws, publicKey);\n\n\t\t\t// Compare signed content against current credential (minus proof)\n\t\t\tconst { proof: _proof, ...vcWithoutProof } = credential;\n\t\t\tconst signedContent = new TextDecoder().decode(payload);\n\t\t\tconst currentContent = JSON.stringify(vcWithoutProof);\n\n\t\t\tif (signedContent !== currentContent) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\"VC_TAMPERED\", \"Credential content does not match the signed payload\"),\n\t\t\t\t};\n\t\t\t}\n\n\t\t\t// Check expiry\n\t\t\tif (credential.expirationDate) {\n\t\t\t\tconst expiry = new Date(credential.expirationDate);\n\t\t\t\tif (expiry <= new Date()) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_EXPIRED\", \"Credential has expired\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t}\n\n\t\t\t// Check revocation\n\t\t\tif (credential.credentialStatus && checkRevocationStatus) {\n\t\t\t\tconst revoked = await checkRevocationStatus(credential.credentialStatus);\n\t\t\t\tif (revoked) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_REVOKED\", \"Credential has been revoked\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\t\t\t}\n\n\t\t\treturn {\n\t\t\t\tsuccess: true,\n\t\t\t\tdata: {\n\t\t\t\t\tcredential,\n\t\t\t\t\tformat: \"json-ld\" as CredentialFormat,\n\t\t\t\t\tissuer: issuerDid,\n\t\t\t\t\tissuedAt: new Date(credential.issuanceDate),\n\t\t\t\t\texpiresAt: credential.expirationDate ? new Date(credential.expirationDate) : null,\n\t\t\t\t},\n\t\t\t};\n\t\t} catch (err) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\n\t\t\t\t\t\"VC_VERIFY_FAILED\",\n\t\t\t\t\terr instanceof Error ? 
err.message : \"Failed to verify JSON-LD credential\",\n\t\t\t\t),\n\t\t\t};\n\t\t}\n\t}\n\n\t// ── Public API ────────────────────────────────────────────────────────\n\n\tasync function verifyCredential(\n\t\tvc: string | VerifiableCredential,\n\t\tpublicKeyJwk?: JsonWebKey,\n\t): Promise<Result<VerifiedCredential>> {\n\t\tif (typeof vc === \"string\") {\n\t\t\treturn verifyJwtCredential(vc, publicKeyJwk);\n\t\t}\n\t\treturn verifyJsonLdCredential(vc, publicKeyJwk);\n\t}\n\n\tasync function verifyPresentation(\n\t\tvp: string | VerifiablePresentation,\n\t\tpublicKeyJwk?: JsonWebKey,\n\t): Promise<Result<VerifiedPresentation>> {\n\t\tlet presentation: VerifiablePresentation;\n\n\t\tif (typeof vp === \"string\") {\n\t\t\t// JWT-encoded presentation\n\t\t\ttry {\n\t\t\t\tconst parts = vp.split(\".\");\n\t\t\t\tif (parts.length !== 3 || !parts[1]) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_INVALID_JWT\", \"Presentation JWT must have three parts\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\tconst payloadB64 = parts[1];\n\t\t\t\tconst rawPayload = JSON.parse(\n\t\t\t\t\tnew TextDecoder().decode(\n\t\t\t\t\t\tUint8Array.from(atob(payloadB64.replace(/-/g, \"+\").replace(/_/g, \"/\")), (c) =>\n\t\t\t\t\t\t\tc.charCodeAt(0),\n\t\t\t\t\t\t),\n\t\t\t\t\t),\n\t\t\t\t) as Record<string, unknown>;\n\n\t\t\t\tconst issuerDid = typeof rawPayload.iss === \"string\" ? 
rawPayload.iss : null;\n\t\t\t\tif (!issuerDid) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_NO_ISSUER\", \"Presentation JWT has no iss claim\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\tconst keyResult = await resolveKey(issuerDid, publicKeyJwk);\n\t\t\t\tif (!keyResult.success) return keyResult;\n\n\t\t\t\tconst publicKey = await importJWK(keyResult.data, \"EdDSA\");\n\t\t\t\tconst { payload } = await jwtVerify(vp, publicKey);\n\n\t\t\t\tconst vpClaim = payload.vp as Record<string, unknown> | undefined;\n\t\t\t\tif (!vpClaim) {\n\t\t\t\t\treturn {\n\t\t\t\t\t\tsuccess: false,\n\t\t\t\t\t\terror: makeError(\"VC_MISSING_VP_CLAIM\", \"JWT does not contain a vp claim\"),\n\t\t\t\t\t};\n\t\t\t\t}\n\n\t\t\t\tpresentation = vpClaim as unknown as VerifiablePresentation;\n\t\t\t} catch (err) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\n\t\t\t\t\t\t\"VC_VERIFY_FAILED\",\n\t\t\t\t\t\terr instanceof Error ? err.message : \"Failed to verify presentation JWT\",\n\t\t\t\t\t),\n\t\t\t\t};\n\t\t\t}\n\t\t} else {\n\t\t\tpresentation = vp;\n\t\t}\n\n\t\t// Validate schema\n\t\tconst parsed = VerifiablePresentationSchema.safeParse(presentation);\n\t\tif (!parsed.success) {\n\t\t\treturn {\n\t\t\t\tsuccess: false,\n\t\t\t\terror: makeError(\"VC_INVALID_PRESENTATION\", \"Presentation does not match W3C schema\", {\n\t\t\t\t\tissues: parsed.error.issues.map((i) => `${i.path.join(\".\")}: ${i.message}`),\n\t\t\t\t}),\n\t\t\t};\n\t\t}\n\n\t\t// Verify each credential in the presentation\n\t\tconst verifiedCredentials: VerifiedCredential[] = [];\n\t\tfor (const vc of parsed.data.verifiableCredential) {\n\t\t\tconst result = await verifyCredential(vc, publicKeyJwk);\n\t\t\tif (!result.success) {\n\t\t\t\treturn {\n\t\t\t\t\tsuccess: false,\n\t\t\t\t\terror: makeError(\n\t\t\t\t\t\t\"VC_PRESENTATION_CREDENTIAL_INVALID\",\n\t\t\t\t\t\t`Failed to verify credential in presentation: ${result.error.message}`,\n\t\t\t\t\t\t{ 
originalError: result.error },\n\t\t\t\t\t),\n\t\t\t\t};\n\t\t\t}\n\t\t\tverifiedCredentials.push(result.data);\n\t\t}\n\n\t\treturn {\n\t\t\tsuccess: true,\n\t\t\tdata: {\n\t\t\t\tpresentation: parsed.data,\n\t\t\t\tcredentials: verifiedCredentials,\n\t\t\t\tholder: parsed.data.holder ?? null,\n\t\t\t},\n\t\t};\n\t}\n\n\tfunction extractPermissions(vc: VerifiableCredential): ExtractedPermissions {\n\t\tconst subject = vc.credentialSubject;\n\t\treturn {\n\t\t\tagentId: subject.agentId ?? subject.id ?? null,\n\t\t\tpermissions: subject.permissions ?? [],\n\t\t\ttrustLevel: subject.trustLevel ?? null,\n\t\t\tdelegationScope: subject.delegationScope ?? [],\n\t\t};\n\t}\n\n\treturn {\n\t\tverifyCredential,\n\t\tverifyPresentation,\n\t\textractPermissions,\n\t};\n}\n"]}