kavachos 0.3.0 → 0.4.1

package/dist/vc/index.d.ts

@@ -1,5 +1,8 @@
-import { R as Result } from '../types-BuHrZcjE.js';
+import { l as AuditEntry } from '../types-RJPOU4un.js';
 import { z } from 'zod';
+import { R as Result } from '../types-BiUe9e8u.js';
+import 'drizzle-orm/sqlite-core';
+import '../redirect/index.js';
 
 /**
  * W3C Verifiable Credentials Data Model 2.0 types for KavachOS.
@@ -84,35 +87,55 @@ declare const CredentialSubjectSchema: z.ZodObject<{
     }>, "many">>;
     name: z.ZodOptional<z.ZodString>;
     type: z.ZodOptional<z.ZodString>;
-}, "strip", z.ZodTypeAny, {
-    name?: string | undefined;
-    id?: string | undefined;
-    type?: string | undefined;
-    agentId?: string | undefined;
-    permissions?: string[] | undefined;
-    trustLevel?: number | undefined;
-    delegationScope?: string[] | undefined;
-    delegationChain?: {
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    id: z.ZodOptional<z.ZodString>;
+    agentId: z.ZodOptional<z.ZodString>;
+    permissions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    trustLevel: z.ZodOptional<z.ZodNumber>;
+    delegationScope: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    delegationChain: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        delegator: z.ZodString;
+        delegatee: z.ZodString;
+        permissions: z.ZodArray<z.ZodString, "many">;
+        createdAt: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
         createdAt: string;
         permissions: string[];
         delegator: string;
         delegatee: string;
-    }[] | undefined;
-}, {
-    name?: string | undefined;
-    id?: string | undefined;
-    type?: string | undefined;
-    agentId?: string | undefined;
-    permissions?: string[] | undefined;
-    trustLevel?: number | undefined;
-    delegationScope?: string[] | undefined;
-    delegationChain?: {
+    }, {
         createdAt: string;
         permissions: string[];
         delegator: string;
         delegatee: string;
-    }[] | undefined;
-}>;
+    }>, "many">>;
+    name: z.ZodOptional<z.ZodString>;
+    type: z.ZodOptional<z.ZodString>;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    id: z.ZodOptional<z.ZodString>;
+    agentId: z.ZodOptional<z.ZodString>;
+    permissions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    trustLevel: z.ZodOptional<z.ZodNumber>;
+    delegationScope: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    delegationChain: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        delegator: z.ZodString;
+        delegatee: z.ZodString;
+        permissions: z.ZodArray<z.ZodString, "many">;
+        createdAt: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        createdAt: string;
+        permissions: string[];
+        delegator: string;
+        delegatee: string;
+    }, {
+        createdAt: string;
+        permissions: string[];
+        delegator: string;
+        delegatee: string;
+    }>, "many">>;
+    name: z.ZodOptional<z.ZodString>;
+    type: z.ZodOptional<z.ZodString>;
+}, z.ZodTypeAny, "passthrough">>;
 type CredentialSubject = z.infer<typeof CredentialSubjectSchema>;
 declare const VerifiableCredentialSchema: z.ZodObject<{
     "@context": z.ZodArray<z.ZodString, "many">;
@@ -154,35 +177,55 @@ declare const VerifiableCredentialSchema: z.ZodObject<{
         }>, "many">>;
         name: z.ZodOptional<z.ZodString>;
         type: z.ZodOptional<z.ZodString>;
-    }, "strip", z.ZodTypeAny, {
-        name?: string | undefined;
-        id?: string | undefined;
-        type?: string | undefined;
-        agentId?: string | undefined;
-        permissions?: string[] | undefined;
-        trustLevel?: number | undefined;
-        delegationScope?: string[] | undefined;
-        delegationChain?: {
+    }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+        id: z.ZodOptional<z.ZodString>;
+        agentId: z.ZodOptional<z.ZodString>;
+        permissions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        trustLevel: z.ZodOptional<z.ZodNumber>;
+        delegationScope: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        delegationChain: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            delegator: z.ZodString;
+            delegatee: z.ZodString;
+            permissions: z.ZodArray<z.ZodString, "many">;
+            createdAt: z.ZodString;
+        }, "strip", z.ZodTypeAny, {
             createdAt: string;
             permissions: string[];
             delegator: string;
             delegatee: string;
-        }[] | undefined;
-    }, {
-        name?: string | undefined;
-        id?: string | undefined;
-        type?: string | undefined;
-        agentId?: string | undefined;
-        permissions?: string[] | undefined;
-        trustLevel?: number | undefined;
-        delegationScope?: string[] | undefined;
-        delegationChain?: {
+        }, {
             createdAt: string;
             permissions: string[];
             delegator: string;
             delegatee: string;
-        }[] | undefined;
-    }>;
+        }>, "many">>;
+        name: z.ZodOptional<z.ZodString>;
+        type: z.ZodOptional<z.ZodString>;
+    }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+        id: z.ZodOptional<z.ZodString>;
+        agentId: z.ZodOptional<z.ZodString>;
+        permissions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        trustLevel: z.ZodOptional<z.ZodNumber>;
+        delegationScope: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        delegationChain: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            delegator: z.ZodString;
+            delegatee: z.ZodString;
+            permissions: z.ZodArray<z.ZodString, "many">;
+            createdAt: z.ZodString;
+        }, "strip", z.ZodTypeAny, {
+            createdAt: string;
+            permissions: string[];
+            delegator: string;
+            delegatee: string;
+        }, {
+            createdAt: string;
+            permissions: string[];
+            delegator: string;
+            delegatee: string;
+        }>, "many">>;
+        name: z.ZodOptional<z.ZodString>;
+        type: z.ZodOptional<z.ZodString>;
+    }, z.ZodTypeAny, "passthrough">>;
     credentialStatus: z.ZodOptional<z.ZodObject<{
         id: z.ZodString;
         type: z.ZodString;
@@ -246,6 +289,8 @@ declare const VerifiableCredentialSchema: z.ZodObject<{
             delegator: string;
             delegatee: string;
         }[] | undefined;
+    } & {
+        [k: string]: unknown;
     };
     id?: string | undefined;
     expirationDate?: string | undefined;
@@ -286,6 +331,8 @@ declare const VerifiableCredentialSchema: z.ZodObject<{
             delegator: string;
             delegatee: string;
         }[] | undefined;
+    } & {
+        [k: string]: unknown;
     };
     id?: string | undefined;
     expirationDate?: string | undefined;
@@ -351,35 +398,55 @@ declare const VerifiablePresentationSchema: z.ZodObject<{
             }>, "many">>;
             name: z.ZodOptional<z.ZodString>;
             type: z.ZodOptional<z.ZodString>;
-        }, "strip", z.ZodTypeAny, {
-            name?: string | undefined;
-            id?: string | undefined;
-            type?: string | undefined;
-            agentId?: string | undefined;
-            permissions?: string[] | undefined;
-            trustLevel?: number | undefined;
-            delegationScope?: string[] | undefined;
-            delegationChain?: {
+        }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+            id: z.ZodOptional<z.ZodString>;
+            agentId: z.ZodOptional<z.ZodString>;
+            permissions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            trustLevel: z.ZodOptional<z.ZodNumber>;
+            delegationScope: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            delegationChain: z.ZodOptional<z.ZodArray<z.ZodObject<{
+                delegator: z.ZodString;
+                delegatee: z.ZodString;
+                permissions: z.ZodArray<z.ZodString, "many">;
+                createdAt: z.ZodString;
+            }, "strip", z.ZodTypeAny, {
                 createdAt: string;
                 permissions: string[];
                 delegator: string;
                 delegatee: string;
-            }[] | undefined;
-        }, {
-            name?: string | undefined;
-            id?: string | undefined;
-            type?: string | undefined;
-            agentId?: string | undefined;
-            permissions?: string[] | undefined;
-            trustLevel?: number | undefined;
-            delegationScope?: string[] | undefined;
-            delegationChain?: {
+            }, {
                 createdAt: string;
                 permissions: string[];
                 delegator: string;
                 delegatee: string;
-            }[] | undefined;
-        }>;
+            }>, "many">>;
+            name: z.ZodOptional<z.ZodString>;
+            type: z.ZodOptional<z.ZodString>;
+        }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+            id: z.ZodOptional<z.ZodString>;
+            agentId: z.ZodOptional<z.ZodString>;
+            permissions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            trustLevel: z.ZodOptional<z.ZodNumber>;
+            delegationScope: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            delegationChain: z.ZodOptional<z.ZodArray<z.ZodObject<{
+                delegator: z.ZodString;
+                delegatee: z.ZodString;
+                permissions: z.ZodArray<z.ZodString, "many">;
+                createdAt: z.ZodString;
+            }, "strip", z.ZodTypeAny, {
+                createdAt: string;
+                permissions: string[];
+                delegator: string;
+                delegatee: string;
+            }, {
+                createdAt: string;
+                permissions: string[];
+                delegator: string;
+                delegatee: string;
+            }>, "many">>;
+            name: z.ZodOptional<z.ZodString>;
+            type: z.ZodOptional<z.ZodString>;
+        }, z.ZodTypeAny, "passthrough">>;
         credentialStatus: z.ZodOptional<z.ZodObject<{
             id: z.ZodString;
             type: z.ZodString;
@@ -443,6 +510,8 @@ declare const VerifiablePresentationSchema: z.ZodObject<{
                 delegator: string;
                 delegatee: string;
             }[] | undefined;
+        } & {
+            [k: string]: unknown;
         };
         id?: string | undefined;
         expirationDate?: string | undefined;
@@ -483,6 +552,8 @@ declare const VerifiablePresentationSchema: z.ZodObject<{
                 delegator: string;
                 delegatee: string;
             }[] | undefined;
+        } & {
+            [k: string]: unknown;
         };
         id?: string | undefined;
         expirationDate?: string | undefined;
@@ -549,6 +620,8 @@ declare const VerifiablePresentationSchema: z.ZodObject<{
                 delegator: string;
                 delegatee: string;
             }[] | undefined;
+        } & {
+            [k: string]: unknown;
         };
         id?: string | undefined;
         expirationDate?: string | undefined;
@@ -603,6 +676,8 @@ declare const VerifiablePresentationSchema: z.ZodObject<{
                 delegator: string;
                 delegatee: string;
             }[] | undefined;
+        } & {
+            [k: string]: unknown;
         };
         id?: string | undefined;
         expirationDate?: string | undefined;
@@ -691,6 +766,120 @@ interface ExtractedPermissions {
     delegationScope: string[];
 }
 
+/**
+ * Export audit records as W3C Verifiable Credentials.
+ *
+ * Takes a time range of audit log entries and returns either individual
+ * credentials per record or a single Verifiable Presentation wrapping
+ * all of them. Useful for compliance exports that must be
+ * cryptographically verifiable (EU AI Act Article 12, SOC 2 CC7).
+ *
+ * Context URL: https://kavachos.com/contexts/audit/v1.jsonld
+ * This context is defined locally — the URL does not need to resolve at
+ * runtime. It serves as a stable identifier for the credential schema.
+ */
+
+declare const KAVACHOS_AUDIT_CREDENTIAL = "KavachosAuditCredential";
+/**
+ * Context URL for KavachosAuditCredential.
+ * Defined locally — the URL does not need to resolve at runtime.
+ */
+declare const KAVACHOS_AUDIT_CONTEXT = "https://kavachos.com/contexts/audit/v1.jsonld";
+/** AuditRecord is an alias for AuditEntry used in the VC export surface. */
+type AuditRecord = AuditEntry;
+/** Options passed to `exportAuditAsVC`. */
+interface ExportAuditOptions {
+    /** Start of the time range (inclusive). */
+    since: Date;
+    /** End of the time range (inclusive). */
+    until: Date;
+    /**
+     * DID of the issuer signing the credentials.
+     * Must match the keypair in `issuerConfig`.
+     */
+    issuerDid: string;
+    /** Private/public keypair config for signing. */
+    issuerConfig: VCIssuerConfig;
+    /** Output format. Default: `"ldp_vc"` (JSON-LD with embedded proof). */
+    format?: "ldp_vc" | "jwt_vc";
+    /** Output structure. Default: `"individual"` (one VC per record). */
+    output?: "individual" | "presentation";
+    /** Optional filter applied after the time range query. */
+    filter?: (record: AuditRecord) => boolean;
+    /** Records to export. Pass the results of `listAuditRecords` or `kavach.audit.query()`. */
+    records: AuditRecord[];
+}
+/** The result of `exportAuditAsVC`. */
+interface AuditExportResult {
+    /**
+     * Individual credentials — one per audit record.
+     * When `output === "presentation"`, these are also embedded in `presentation`.
+     */
+    credentials: VerifiableCredential[];
+    /**
+     * JWT strings when `format === "jwt_vc"`. Parallel to `credentials`.
+     * Pass these to `verifyCredential()` instead of the credential objects.
+     */
+    jwts?: string[];
+    /** Present only when `output === "presentation"`. */
+    presentation?: VerifiablePresentation;
+    /** The format used. */
+    format: "ldp_vc" | "jwt_vc";
+    /** Timestamp of the export run. */
+    issuedAt: Date;
+    /** Number of credentials produced. */
+    count: number;
+}
+/** The credentialSubject for a KavachosAuditCredential. */
+interface AuditCredentialSubject {
+    id: string;
+    agentId: string;
+    principalId?: string;
+    operation: string;
+    target: string;
+    decision: "allow" | "deny" | "approval_required";
+    policyName?: string;
+    timestamp: string;
+    traceId?: string;
+    kavachosVersion: string;
+}
+/**
+ * Export a set of audit records as Verifiable Credentials.
+ *
+ * Pass `records` from `kavach.audit.query()` or `listAuditRecords`.
+ * The function applies the optional `filter`, signs each record with
+ * the issuer keypair, and returns either individual VCs or a single
+ * Verifiable Presentation.
+ *
+ * ```ts
+ * const result = await exportAuditAsVC({
+ *   since: new Date('2025-01-01'),
+ *   until: new Date('2025-01-31'),
+ *   issuerDid: keyPair.did,
+ *   issuerConfig: {
+ *     issuerDid: keyPair.did,
+ *     privateKeyJwk: keyPair.privateKeyJwk,
+ *     publicKeyJwk: keyPair.publicKeyJwk,
+ *   },
+ *   records,
+ * });
+ * console.log(result.count); // 42
+ * ```
+ */
+declare function exportAuditAsVC(options: ExportAuditOptions): Promise<AuditExportResult>;
+/**
+ * Filter audit records by time range with an optional predicate.
+ *
+ * Convenience helper for callers that already have records in memory
+ * and want to slice them before passing to `exportAuditAsVC`.
+ *
+ * ```ts
+ * const records = await kavach.audit.query({ since, until });
+ * const denyRecords = listAuditRecords(records, since, until, r => r.result === 'denied');
+ * ```
+ */
+declare function listAuditRecords(records: AuditRecord[], since: Date, until: Date, filter?: (record: AuditRecord) => boolean): AuditRecord[];
+
 /**
  * W3C Verifiable Credential issuance for KavachOS.
  *
@@ -797,4 +986,4 @@ interface VCVerifier {
  */
 declare function createVCVerifier(config?: VCVerifierConfig): VCVerifier;
 
-export { type CredentialFormat, type CredentialStatus, CredentialStatusSchema, type CredentialSubject, CredentialSubjectSchema, type DelegationLink, type ExtractedPermissions, type IssueAgentCredentialInput, type IssueDelegationCredentialInput, type IssuePermissionCredentialInput, KAVACH_AGENT_CREDENTIAL, KAVACH_DELEGATION_CREDENTIAL, KAVACH_PERMISSION_CREDENTIAL, type Proof, ProofSchema, type VCIssuer, type VCIssuerConfig, type VCJwtPayload, type VCVerifier, type VCVerifierConfig, VC_CONTEXT_V1, VC_CONTEXT_V2, VC_TYPE_CREDENTIAL, VC_TYPE_PRESENTATION, type VerifiableCredential, VerifiableCredentialSchema, type VerifiablePresentation, VerifiablePresentationSchema, type VerifiedCredential, type VerifiedPresentation, createVCIssuer, createVCVerifier };
+export { type AuditCredentialSubject, type AuditExportResult, type AuditRecord, type CredentialFormat, type CredentialStatus, CredentialStatusSchema, type CredentialSubject, CredentialSubjectSchema, type DelegationLink, type ExportAuditOptions, type ExtractedPermissions, type IssueAgentCredentialInput, type IssueDelegationCredentialInput, type IssuePermissionCredentialInput, KAVACHOS_AUDIT_CONTEXT, KAVACHOS_AUDIT_CREDENTIAL, KAVACH_AGENT_CREDENTIAL, KAVACH_DELEGATION_CREDENTIAL, KAVACH_PERMISSION_CREDENTIAL, type Proof, ProofSchema, type VCIssuer, type VCIssuerConfig, type VCJwtPayload, type VCVerifier, type VCVerifierConfig, VC_CONTEXT_V1, VC_CONTEXT_V2, VC_TYPE_CREDENTIAL, VC_TYPE_PRESENTATION, type VerifiableCredential, VerifiableCredentialSchema, type VerifiablePresentation, VerifiablePresentationSchema, type VerifiedCredential, type VerifiedPresentation, createVCIssuer, createVCVerifier, exportAuditAsVC, listAuditRecords };

package/dist/vc/index.js

@@ -1,7 +1,7 @@
-import { importJWK, jwtVerify, errors, compactVerify, SignJWT } from 'jose';
+import { importJWK, jwtVerify, SignJWT, CompactSign, errors, compactVerify } from 'jose';
 import { z } from 'zod';
 
-// src/vc/issuer.ts
+// src/vc/audit-export.ts
 
 // src/crypto/web-crypto.ts
 function generateId() {
@@ -46,7 +46,7 @@ var CredentialSubjectSchema = z.object({
   ).optional(),
   name: z.string().optional(),
   type: z.string().optional()
-});
+}).passthrough();
 var VerifiableCredentialSchema = z.object({
   "@context": z.array(z.string()).min(1),
   id: z.string().optional(),
@@ -67,8 +67,156 @@ var VerifiablePresentationSchema = z.object({
   proof: ProofSchema.optional()
 });
 
-// src/vc/issuer.ts
+// src/vc/audit-export.ts
+var KAVACHOS_AUDIT_CREDENTIAL = "KavachosAuditCredential";
+var KAVACHOS_AUDIT_CONTEXT = "https://kavachos.com/contexts/audit/v1.jsonld";
+var KAVACHOS_VERSION = "0.3.0";
 var DEFAULT_TTL_SECONDS = 86400;
+function toDecision(result) {
+  if (result === "allowed") return "allow";
+  return "deny";
+}
+function buildAuditCredential(record, issuerDid) {
+  const subject = {
+    id: record.id,
+    agentId: record.agentId,
+    ...record.userId ? { principalId: record.userId } : {},
+    operation: record.action,
+    target: record.resource,
+    decision: toDecision(record.result),
+    ...record.reason ? { policyName: record.reason } : {},
+    timestamp: record.timestamp.toISOString(),
+    kavachosVersion: KAVACHOS_VERSION
+  };
+  return {
+    "@context": [VC_CONTEXT_V2, KAVACHOS_AUDIT_CONTEXT],
+    id: `urn:uuid:${generateId()}`,
+    type: [VC_TYPE_CREDENTIAL, KAVACHOS_AUDIT_CREDENTIAL],
+    issuer: issuerDid,
+    issuanceDate: (/* @__PURE__ */ new Date()).toISOString(),
+    expirationDate: new Date(Date.now() + DEFAULT_TTL_SECONDS * 1e3).toISOString(),
+    // Cast: AuditCredentialSubject is intentionally wider than CredentialSubject
+    // because the VC schema uses an open-ended subject. The additional fields
+    // (operation, target, decision, etc.) are preserved via spread at runtime.
+    credentialSubject: subject
+  };
+}
+async function signAsJsonLd(credential, config) {
+  const { issuerDid, privateKeyJwk } = config;
+  const kid = `${issuerDid}#${issuerDid.split(":").pop() ?? "key-1"}`;
+  const key = await importJWK(privateKeyJwk, "EdDSA");
+  const { proof: _proof, ...vcWithoutProof } = credential;
+  const payload = new TextEncoder().encode(JSON.stringify(vcWithoutProof));
+  const jws = await new CompactSign(payload).setProtectedHeader({ alg: "EdDSA", kid }).sign(key);
+  const proof = {
+    type: "JsonWebSignature2020",
+    created: (/* @__PURE__ */ new Date()).toISOString(),
+    verificationMethod: kid,
+    proofPurpose: "assertionMethod",
+    jws
+  };
+  return { ...credential, proof };
+}
+async function signAsJwt(credential, config) {
+  const { issuerDid, privateKeyJwk } = config;
+  const ttl = config.defaultTtl ?? DEFAULT_TTL_SECONDS;
+  const kid = `${issuerDid}#${issuerDid.split(":").pop() ?? "key-1"}`;
+  const key = await importJWK(privateKeyJwk, "EdDSA");
+  const { proof: _proof, ...vcWithoutProof } = credential;
+  const builder = new SignJWT({ vc: vcWithoutProof }).setProtectedHeader({ alg: "EdDSA", kid, typ: "JWT" }).setIssuer(issuerDid).setIssuedAt().setExpirationTime(Math.floor(Date.now() / 1e3) + ttl);
+  if (credential.id) builder.setJti(credential.id);
+  if (credential.credentialSubject.id) builder.setSubject(credential.credentialSubject.id);
+  const jwt = await builder.sign(key);
+  return { credential, jwt };
+}
+async function signPresentationAsJsonLd(presentation, config) {
+  const { issuerDid, privateKeyJwk } = config;
+  const kid = `${issuerDid}#${issuerDid.split(":").pop() ?? "key-1"}`;
+  const key = await importJWK(privateKeyJwk, "EdDSA");
+  const { proof: _proof, ...vpWithoutProof } = presentation;
+  const payload = new TextEncoder().encode(JSON.stringify(vpWithoutProof));
+  const jws = await new CompactSign(payload).setProtectedHeader({ alg: "EdDSA", kid }).sign(key);
+  const proof = {
+    type: "JsonWebSignature2020",
+    created: (/* @__PURE__ */ new Date()).toISOString(),
+    verificationMethod: kid,
+    proofPurpose: "assertionMethod",
+    jws
+  };
+  return { ...presentation, proof };
+}
+async function exportAuditAsVC(options) {
+  const {
+    since,
+    until,
+    issuerDid,
+    issuerConfig,
+    format = "ldp_vc",
+    output = "individual",
+    filter,
+    records
+  } = options;
+  const inRange = records.filter((r) => {
+    const t = r.timestamp.getTime();
+    return t >= since.getTime() && t <= until.getTime();
+  });
+  const filtered = filter ? inRange.filter(filter) : inRange;
+  if (filtered.length === 0) {
+    return {
+      credentials: [],
+      format,
+      issuedAt: /* @__PURE__ */ new Date(),
+      count: 0
+    };
+  }
+  const credentials = [];
+  const jwts = [];
+  for (const record of filtered) {
+    const base = buildAuditCredential(record, issuerDid);
+    if (format === "jwt_vc") {
+      const { credential, jwt } = await signAsJwt(base, issuerConfig);
+      credentials.push(credential);
+      jwts.push(jwt);
+    } else {
+      const signed = await signAsJsonLd(base, issuerConfig);
+      credentials.push(signed);
+    }
+  }
+  const issuedAt = /* @__PURE__ */ new Date();
+  if (output === "individual") {
+    return {
+      credentials,
+      ...format === "jwt_vc" ? { jwts } : {},
+      format,
+      issuedAt,
+      count: credentials.length
+    };
+  }
+  const basePresentation = {
+    "@context": [VC_CONTEXT_V2, KAVACHOS_AUDIT_CONTEXT],
+    id: `urn:uuid:${generateId()}`,
+    type: [VC_TYPE_PRESENTATION],
+    holder: issuerDid,
+    verifiableCredential: credentials
+  };
+  const presentation = format === "jwt_vc" ? basePresentation : await signPresentationAsJsonLd(basePresentation, issuerConfig);
+  return {
+    credentials,
+    ...format === "jwt_vc" ? { jwts } : {},
+    presentation,
+    format,
+    issuedAt,
+    count: credentials.length
+  };
+}
+function listAuditRecords(records, since, until, filter) {
+  const inRange = records.filter((r) => {
+    const t = r.timestamp.getTime();
+    return t >= since.getTime() && t <= until.getTime();
+  });
+  return filter ? inRange.filter(filter) : inRange;
+}
+var DEFAULT_TTL_SECONDS2 = 86400;
 function makeError(code, message, details) {
   return { code, message, ...{} };
 }
@@ -79,9 +227,9 @@ function futureISO(seconds) {
   return new Date(Date.now() + seconds * 1e3).toISOString();
 }
 function createVCIssuer(config) {
-  const { issuerDid, privateKeyJwk, defaultTtl = DEFAULT_TTL_SECONDS } = config;
+  const { issuerDid, privateKeyJwk, defaultTtl = DEFAULT_TTL_SECONDS2 } = config;
   const kid = `${issuerDid}#${issuerDid.split(":").pop() ?? "key-1"}`;
-  async function signAsJwt(credential, subject, ttl) {
+  async function signAsJwt2(credential, subject, ttl) {
     try {
       const key = await importJWK(privateKeyJwk, "EdDSA");
       const { proof: _proof, ...vcWithoutProof } = credential;
@@ -106,13 +254,13 @@ function createVCIssuer(config) {
       };
     }
   }
-  async function signAsJsonLd(credential) {
+  async function signAsJsonLd2(credential) {
     try {
       const key = await importJWK(privateKeyJwk, "EdDSA");
       const { proof: _proof, ...vcWithoutProof } = credential;
       const payload = new TextEncoder().encode(JSON.stringify(vcWithoutProof));
-      const { CompactSign } = await import('jose');
-      const jws = await new CompactSign(payload).setProtectedHeader({ alg: "EdDSA", kid }).sign(key);
+      const { CompactSign: CompactSign2 } = await import('jose');
+      const jws = await new CompactSign2(payload).setProtectedHeader({ alg: "EdDSA", kid }).sign(key);
       const proof = {
         type: "JsonWebSignature2020",
         created: nowISO(),
@@ -148,9 +296,9 @@ function createVCIssuer(config) {
   }
   async function signCredential(credential, subject, ttl, format) {
     if (format === "jwt") {
-      return signAsJwt(credential, subject, ttl);
+      return signAsJwt2(credential, subject, ttl);
     }
-    return signAsJsonLd(credential);
+    return signAsJsonLd2(credential);
   }
   async function issueAgentCredential(input) {
     const {
@@ -539,6 +687,6 @@ function createVCVerifier(config = {}) {
   };
 }
 
-export { CredentialStatusSchema, CredentialSubjectSchema, KAVACH_AGENT_CREDENTIAL, KAVACH_DELEGATION_CREDENTIAL, KAVACH_PERMISSION_CREDENTIAL, ProofSchema, VC_CONTEXT_V1, VC_CONTEXT_V2, VC_TYPE_CREDENTIAL, VC_TYPE_PRESENTATION, VerifiableCredentialSchema, VerifiablePresentationSchema, createVCIssuer, createVCVerifier };
+export { CredentialStatusSchema, CredentialSubjectSchema, KAVACHOS_AUDIT_CONTEXT, KAVACHOS_AUDIT_CREDENTIAL, KAVACH_AGENT_CREDENTIAL, KAVACH_DELEGATION_CREDENTIAL, KAVACH_PERMISSION_CREDENTIAL, ProofSchema, VC_CONTEXT_V1, VC_CONTEXT_V2, VC_TYPE_CREDENTIAL, VC_TYPE_PRESENTATION, VerifiableCredentialSchema, VerifiablePresentationSchema, createVCIssuer, createVCVerifier, exportAuditAsVC, listAuditRecords };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map