{"version":3,"sources":["../../../node_modules/.pnpm/tsup@8.5.0_@swc+core@1.11.29_postcss@8.5.3_tsx@4.19.4_typescript@5.8.3_yaml@2.8.0/node_modules/tsup/assets/cjs_shims.js","../lib/functions/randomBytes.cjs","../lib/index.ts","../lib/functions/index.ts","../lib/functions/CredentialRequestUtil.ts","../lib/types/index.ts","../lib/types/OpenIDClient.ts","../lib/types/Authorization.types.ts","../lib/types/Generic.types.ts","../lib/types/CredentialIssuance.types.ts","../lib/types/v1_0_08.types.ts","../lib/types/v1_0_09.types.ts","../lib/types/v1_0_11.types.ts","../lib/types/v1_0_13.types.ts","../lib/types/ServerMetadata.ts","../lib/types/OpenID4VCIErrors.ts","../lib/types/OpenID4VCIVersions.types.ts","../lib/types/StateManager.types.ts","../lib/types/Token.types.ts","../lib/types/QRCode.types.ts","../lib/functions/FormatUtils.ts","../lib/functions/CredentialResponseUtil.ts","../lib/functions/HttpUtils.ts","../lib/functions/CredentialOfferUtil.ts","../lib/functions/Encoding.ts","../lib/functions/TypeConversionUtils.ts","../lib/functions/IssuerMetadataUtils.ts","../lib/functions/ProofUtil.ts","../lib/functions/AuthorizationResponseUtil.ts","../lib/functions/RandomUtils.ts","../lib/experimental/holder-vci.ts","../lib/events/index.ts"],"sourcesContent":["// Shim globals in cjs bundle\n// There's a weird bug that esbuild will always inject importMetaUrl\n// if we export it as `const importMetaUrl = ... __filename ...`\n// But using a function will not cause this issue\n\nconst getImportMetaUrl = () =>\n  typeof document === 'undefined'\n    ? new URL(`file:${__filename}`).href\n    : (document.currentScript && document.currentScript.src) ||\n      new URL('main.js', document.baseURI).href\n\nexport const importMetaUrl = /* @__PURE__ */ getImportMetaUrl()\n","// limit of Crypto.getRandomValues()\n// https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues\nconst MAX_BYTES = 65536\n\n// Node supports requesting up to this number of bytes\n// https://github.com/nodejs/node/blob/master/lib/internal/crypto/random.js#L48\nconst MAX_UINT32 = 4294967295\n\nfunction oldBrowser() {\n  throw new Error('Secure random number generation is not supported by this browser.\\nUse Chrome, Firefox or Internet Explorer 11')\n}\n\n// eslint-disable-next-line no-undef\nconst _global = typeof globalThis !== 'undefined' ? globalThis : global\n\nlet crypto = _global.crypto || _global.msCrypto\nif (!crypto) {\n  try {\n    // eslint-disable-next-line no-undef\n    crypto = require('crypto')\n  } catch (err) {\n    throw Error('crypto module is not available')\n  }\n}\n\nfunction randomBytes(size) {\n  // phantomjs needs to throw\n  if (size > MAX_UINT32) throw new Error('requested too many random bytes')\n\n  // eslint-disable-next-line no-undef\n  const bytes = Buffer.allocUnsafe(size)\n\n  if (size > 0) {\n    // getRandomValues fails on IE if size == 0\n    if (size > MAX_BYTES) {\n      // this is the max bytes crypto.getRandomValues\n      // can do at once see https://developer.mozilla.org/en-US/docs/Web/API/window.crypto.getRandomValues\n      for (let generated = 0; generated < size; generated += MAX_BYTES) {\n        // buffer.slice automatically checks if the end is past the end of\n        // the buffer so we don't have to here\n        crypto.getRandomValues(bytes.slice(generated, generated + MAX_BYTES))\n      }\n    } else {\n      crypto.getRandomValues(bytes)\n    }\n  }\n  return Uint8Array.from(bytes)\n}\n\n// eslint-disable-next-line no-undef\nmodule.exports = randomBytes\n","import { Loggers } from '@sphereon/ssi-types'\n\nexport const VCI_LOGGERS = Loggers.DEFAULT\nexport const VCI_LOG_COMMON = VCI_LOGGERS.get('sphereon:oid4vci:common')\n\nexport * from './functions'\nexport * from './types'\nexport * from './experimental/holder-vci'\nexport * from './events'\n","export * from './CredentialRequestUtil'\nexport * from './CredentialResponseUtil'\nexport * from './CredentialOfferUtil'\nexport * from './Encoding'\nexport * from './TypeConversionUtils'\nexport * from './IssuerMetadataUtils'\nexport * from './FormatUtils'\nexport * from './HttpUtils'\nexport * from './ProofUtil'\nexport * from './AuthorizationResponseUtil'\nexport * from './RandomUtils'\n","import {\n  CredentialRequest,\n  CredentialRequestV1_0_08,\n  CredentialRequestV1_0_11,\n  CredentialRequestV1_0_13,\n  OpenId4VCIVersion,\n  UniformCredentialRequest,\n} from '../types'\n\nimport { getFormatForVersion } from './FormatUtils'\n\nexport function getTypesFromRequest(credentialRequest: CredentialRequest, opts?: { filterVerifiableCredential: boolean }) {\n  let types: string[] = []\n  if ('credential_identifier' in credentialRequest && credentialRequest.credential_identifier) {\n    throw Error(`Cannot get types from request when it contains a credential_identifier`)\n  } else if (\n    credentialRequest.format === 'jwt_vc_json-ld' ||\n    credentialRequest.format === 'ldp_vc' ||\n    credentialRequest.format === 'jwt_vc' ||\n    credentialRequest.format === 'jwt_vc_json'\n  ) {\n    if ('credential_definition' in credentialRequest && credentialRequest.credential_definition) {\n      types =\n        'types' in credentialRequest.credential_definition\n          ? credentialRequest.credential_definition.types\n          : credentialRequest.credential_definition.type\n    }\n\n    if ('type' in credentialRequest && Array.isArray(credentialRequest.type)) {\n      types = credentialRequest.type\n    }\n\n    if ('types' in credentialRequest && Array.isArray(credentialRequest.types)) {\n      types = credentialRequest.types\n    }\n  } else if (credentialRequest.format === 'vc+sd-jwt' && 'vct' in credentialRequest) {\n    types = [credentialRequest.vct]\n  } else if (credentialRequest.format === 'mso_mdoc' && 'doctype' in credentialRequest) {\n    types = [credentialRequest.doctype]\n  }\n\n  if (!types || types.length === 0) {\n    throw Error('Could not deduce types from credential request')\n  }\n  if (opts?.filterVerifiableCredential) {\n    return types.filter((type) => type !== 'VerifiableCredential')\n  }\n  return types\n}\n\nexport function getCredentialRequestForVersion(\n  credentialRequest: UniformCredentialRequest,\n  version: OpenId4VCIVersion,\n): UniformCredentialRequest | CredentialRequestV1_0_08 | CredentialRequestV1_0_11 | CredentialRequestV1_0_13 {\n  if (version === OpenId4VCIVersion.VER_1_0_08) {\n    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n    const draft8Format = getFormatForVersion(credentialRequest.format!, version)\n    const types = getTypesFromRequest(credentialRequest, { filterVerifiableCredential: true })\n\n    if (credentialRequest.credential_subject_issuance) {\n      throw Error('Experimental subject issuance is not supported for older versions of the spec')\n    }\n    return {\n      format: draft8Format,\n      proof: credentialRequest.proof,\n      type: types[0],\n    } satisfies CredentialRequestV1_0_08\n    /* } else if (version === OpenId4VCIVersion.VER_1_0_11) {\n    // eslint-disable-next-line @typescript-eslint/ban-ts-comment\n    // @ts-ignore\n    const { credential_definition = undefined, ...requestv11 } = credentialRequest;\n    return {\n      ...requestv11,\n      ...credential_definition,\n    } as CredentialRequestV1_0_11;*/\n  }\n\n  return credentialRequest\n}\n","export * from './OpenIDClient'\nexport * from './Authorization.types'\nexport * from './CredentialIssuance.types'\nexport * from './Generic.types'\nexport * from './v1_0_08.types'\nexport * from './v1_0_09.types'\nexport * from './v1_0_11.types'\nexport * from './v1_0_13.types'\nexport * from './ServerMetadata'\nexport * from './OpenID4VCIErrors'\nexport * from './OpenID4VCIVersions.types'\nexport * from './StateManager.types'\nexport * from './Token.types'\nexport * from './QRCode.types'\n","/**\n * Copied from openid-client\n */\nexport type ClientResponseType = 'code' | 'id_token' | 'code id_token' | 'none' | string\nexport type ClientAuthMethod =\n  | 'client_secret_basic'\n  | 'client_secret_post'\n  | 'client_secret_jwt'\n  | 'private_key_jwt'\n  | 'tls_client_auth'\n  | 'self_signed_tls_client_auth'\n  | 'none'\nexport interface ClientMetadata {\n  // important\n  client_id: string\n  id_token_signed_response_alg?: string\n  token_endpoint_auth_method?: ClientAuthMethod\n  client_secret?: string\n  redirect_uris?: string[]\n  response_types?: ClientResponseType[]\n  post_logout_redirect_uris?: string[]\n  default_max_age?: number\n  require_auth_time?: boolean\n  tls_client_certificate_bound_access_tokens?: boolean\n  request_object_signing_alg?: string\n\n  // less important\n  id_token_encrypted_response_alg?: string\n  id_token_encrypted_response_enc?: string\n  introspection_endpoint_auth_method?: ClientAuthMethod\n  introspection_endpoint_auth_signing_alg?: string\n  request_object_encryption_alg?: string\n  request_object_encryption_enc?: string\n  revocation_endpoint_auth_method?: ClientAuthMethod\n  revocation_endpoint_auth_signing_alg?: string\n  token_endpoint_auth_signing_alg?: string\n  userinfo_encrypted_response_alg?: string\n  userinfo_encrypted_response_enc?: string\n  userinfo_signed_response_alg?: string\n  authorization_encrypted_response_alg?: string\n  authorization_encrypted_response_enc?: string\n  authorization_signed_response_alg?: string\n\n  [key: string]: unknown\n}\n","import { CreateDPoPClientOpts } from '@sphereon/oid4vc-common'\n\nimport { Alg, CredentialOfferPayload, ProofOfPossessionCallbacks, UniformCredentialOffer } from './CredentialIssuance.types'\nimport {\n  ErrorResponse,\n  IssuerCredentialSubject,\n  JsonLdIssuerCredentialDefinition,\n  OID4VCICredentialFormat,\n  PRE_AUTH_CODE_LITERAL,\n  TxCode,\n} from './Generic.types'\nimport { EndpointMetadata } from './ServerMetadata'\n\nexport interface CommonAuthorizationRequest {\n  /**\n   * REQUIRED.  Value MUST be set to \"code\". for Authorization Code Grant\n   */\n  response_type: ResponseType.AUTH_CODE\n  /**\n   * The authorization server issues the registered client a client\n   *    identifier -- a unique string representing the registration\n   *    information provided by the client.\n   */\n  client_id: string\n  /**\n   * If the \"code_challenge_method\" from Section 4.3 was \"S256\", the\n   *    received \"code_verifier\" is hashed by SHA-256, base64url-encoded, and\n   *    then compared to the \"code_challenge\", i.e.:\n   *    BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) == code_challenge\n   *\n   * If the \"code_challenge_method\" from Section 4.3 was \"plain\", they are\n   *    compared directly, i.e.:\n   *    code_verifier == code_challenge.\n   */\n  code_challenge: string\n  /**\n   * value must be set either to \"S256\" or a value defined by a cryptographically secure\n   */\n  code_challenge_method: CodeChallengeMethod\n  /**\n   * The redirection endpoint URI MUST be an absolute URI as defined by: absolute-URI  = scheme \":\" hier-part [ \"?\" query ]\n   */\n  redirect_uri: string\n  /**\n   * The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings.\n   */\n  scope?: string\n  /**\n   * There are two possible ways to request issuance of a specific Credential type in an Authorization Request.\n   * One way is to use of the authorization_details request parameter as defined in [I-D.ietf-oauth-rar]\n   * with one or more authorization details objects of type openid_credential Section 5.1.1.\n   * (The other is through the use of scopes as defined in Section 5.1.2.)\n   */\n  authorization_details?: AuthorizationDetails[] | AuthorizationDetails\n  /**\n   * OPTIONAL. JSON string containing the Wallet's OpenID Connect issuer URL. The Credential Issuer will use the discovery process as defined in\n   * [SIOPv2] to determine the Wallet's capabilities and endpoints. RECOMMENDED in Dynamic Credential Request.\n   */\n  wallet_issuer?: string\n  /**\n   * OPTIONAL. JSON string containing an opaque user hint the Wallet MAY use in subsequent callbacks to optimize the user's experience.\n   * RECOMMENDED in Dynamic Credential Request.\n   */\n  user_hint?: string\n  /**\n   * OPTIONAL. String value identifying a certain processing context at the Credential Issuer. A value for this parameter is typically passed in\n   * an issuance initation request from the Credential Issuer to the Wallet (see (Section 4.1). This request parameter is used to pass the\n   * issuer_state value back to the Credential Issuer.\n   */\n  issuer_state?: string\n}\n\n// https://www.ietf.org/archive/id/draft-parecki-oauth-first-party-apps-02.html#name-authorization-challenge-req\nexport interface CommonAuthorizationChallengeRequest {\n  /**\n   * REQUIRED if the client is not authenticating with the authorization server and if no auth_session is included..\n   */\n  client_id?: string\n  /**\n   * OPTIONAL. String value identifying a certain processing context at the Credential Issuer. A value for this parameter is typically passed in\n   * an issuance initation request from the Credential Issuer to the Wallet. This request parameter is used to pass the\n   * issuer_state value back to the Credential Issuer.\n   */\n  issuer_state?: string\n  /**\n   * The value of the scope parameter is expressed as a list of space-delimited, case-sensitive strings.\n   */\n  scope?: string // TODO what we do with this\n  /**\n   * OPTIONAL. A random string or a JWE. The auth session allows the authorization server to associate subsequent\n   * requests by this client with an ongoing authorization request sequence. The client MUST include the\n   * auth_session in follow-up requests to the authorization challenge endpoint if it receives one along with\n   * the error response.\n   */\n  auth_session?: string\n  /**\n   * OPTIONAL. If the \"code_challenge_method\" from Section 4.3 was \"S256\", the\n   *    received \"code_verifier\" is hashed by SHA-256, base64url-encoded, and\n   *    then compared to the \"code_challenge\", i.e.:\n   *    BASE64URL-ENCODE(SHA256(ASCII(code_verifier))) == code_challenge\n   *\n   * If the \"code_challenge_method\" from Section 4.3 was \"plain\", they are\n   *    compared directly, i.e.:\n   *    code_verifier == code_challenge.\n   */\n  code_challenge?: string // TODO what we do with this\n  /**\n   * OPTIONAL. value must be set either to \"S256\" or a value defined by a cryptographically secure\n   */\n  code_challenge_method?: CodeChallengeMethod // TODO what we do with this\n  /**\n   * OPTIONAL. String containing information about the session when credential presentation is happening during issuance of another\n   * credential. The content of this parameter is opaque to the wallet. When this parameter is present the Wallet MUST use this parameter in\n   * the subsequent Authorization Challenge Request. This allows the Issuer to determine which it can be used by to prevent session\n   * fixation attacks. The Response URI MAY return this parameter in response to successful Authorization Responses or for Error\n   * Responses.\n   */\n  presentation_during_issuance_session?: string\n}\n\nexport interface AuthorizationChallengeRequestOpts {\n  clientId?: string\n  issuerState?: string\n  authSession?: string\n  scope?: string\n  codeChallenge?: string\n  codeChallengeMethod?: CodeChallengeMethod\n  presentationDuringIssuanceSession?: string\n  metadata?: EndpointMetadata\n  credentialIssuer?: string\n}\n\n// https://www.ietf.org/archive/id/draft-parecki-oauth-first-party-apps-02.html#name-error-response\nexport interface AuthorizationChallengeErrorResponse {\n  /**\n   * A single ASCII error code of type AuthorizationChallengeError.\n   */\n  error: AuthorizationChallengeError\n  /**\n   * OPTIONAL. OPTIONAL. Human-readable ASCII text providing additional information, used\n   * to assist the client developer in understanding the error that occurred. Values for the error_description\n   * parameter MUST NOT include characters outside the set %x20-21 / %x23-5B / %x5D-7E.\n   */\n  error_description?: string\n  /**\n   * OPTIONAL. A URI identifying a human-readable web page with information about the error, used\n   * to provide the client developer with additional information about the error. Values for the error_uri\n   * parameter MUST conform to the URI-reference syntax and thus MUST NOT include characters outside the\n   * set %x21 / %x23-5B / %x5D-7E.\n   */\n  error_uri?: string\n  /**\n   * OPTIONAL. A random string or a JWE. The auth session allows the authorization server to associate subsequent\n   * requests by this client with an ongoing authorization request sequence. The client MUST include the\n   * auth_session in follow-up requests to the authorization challenge endpoint if it receives one along with\n   * the error response.\n   */\n  auth_session?: string\n  /**\n   * OPTIONAL. The request URI corresponding to the authorization request posted. This URI is a single-use reference\n   * to the respective request data in the subsequent authorization request.\n   */\n  request_uri?: string\n  /**\n   * OPTIONAL. A JSON number that represents the lifetime of the request URI in seconds as a positive integer.\n   */\n  expires_in?: number\n  /**\n   * String containing the OID4VP request URI. The Wallet will use this URI to start the OID4VP flow.\n   */\n  presentation?: string\n}\n\n// https://www.ietf.org/archive/id/draft-parecki-oauth-first-party-apps-02.html#name-authorization-challenge-res\nexport interface AuthorizationChallengeCodeResponse {\n  /**\n   * The authorization code issued by the authorization server.\n   */\n  authorization_code: string\n  state?: string\n}\n\n// https://www.ietf.org/archive/id/draft-parecki-oauth-first-party-apps-02.html#name-error-response\nexport enum AuthorizationChallengeError {\n  invalid_request = 'invalid_request',\n  invalid_client = 'invalid_client',\n  unauthorized_client = 'unauthorized_client',\n  invalid_session = 'invalid_session',\n  invalid_scope = 'invalid_scope',\n  insufficient_authorization = 'insufficient_authorization',\n  redirect_to_web = 'redirect_to_web',\n}\n\n/**\n * string type added for conformity with our previous code in the client\n */\nexport type AuthorizationDetails =\n  | (CommonAuthorizationDetails &\n      (AuthorizationDetailsJwtVcJson | AuthorizationDetailsJwtVcJsonLdAndLdpVc | AuthorizationDetailsSdJwtVc | AuthorizationDetailsMsoMdoc))\n  | string\n\nexport type AuthorizationRequest =\n  | AuthorizationRequestJwtVcJson\n  | AuthorizationRequestJwtVcJsonLdAndLdpVc\n  | AuthorizationRequestSdJwtVc\n  | AuthorizationRequestMsoMdoc\n\nexport interface AuthorizationRequestJwtVcJson extends CommonAuthorizationRequest {\n  authorization_details?: AuthorizationDetailsJwtVcJson[]\n}\n\nexport interface AuthorizationRequestJwtVcJsonLdAndLdpVc extends CommonAuthorizationRequest {\n  authorization_details?: AuthorizationDetailsJwtVcJsonLdAndLdpVc[]\n}\n\nexport interface AuthorizationRequestSdJwtVc extends CommonAuthorizationRequest {\n  authorization_details?: AuthorizationDetailsSdJwtVc[]\n}\n\nexport interface AuthorizationRequestMsoMdoc extends CommonAuthorizationRequest {\n  authorization_details?: AuthorizationDetailsMsoMdoc[]\n}\n\n/*\nexport interface AuthDetails {\n  type: 'openid_credential' | string;\n  locations?: string | string[];\n  format: CredentialFormat | CredentialFormat[];\n\n  [s: string]: unknown;\n}\n*/\n\nexport interface CommonAuthorizationDetails {\n  /**\n   * REQUIRED. JSON string that determines the authorization details type.\n   * MUST be set to openid_credential for the purpose of this specification.\n   */\n  type: 'openid_credential' | string\n\n  /**\n   *  REQUIRED when format parameter is not present. String specifying a unique identifier of the Credential being described in the credential_configurations_supported map in the Credential Issuer Metadata as defined in Section 11.2.3. The referenced object in the credential_configurations_supported map conveys the details, such as the format, for issuance of the requested Credential. This specification defines Credential Format specific Issuer Metadata in Appendix A. It MUST NOT be present if format parameter is present.\n   */\n  credential_configuration_id?: string // FIXME maybe split up and make this & format required again\n\n  /**\n   * REQUIRED. JSON string representing the format in which the Credential is requested to be issued.\n   * This Credential format identifier determines further claims in the authorization details object\n   * specifically used to identify the Credential type to be issued. This specification defines\n   * Credential Format Profiles in Appendix E.\n   */\n  format?: OID4VCICredentialFormat\n  /**\n   * If the Credential Issuer metadata contains an authorization_server parameter,\n   * the authorization detail's locations common data field MUST be set to the Credential Issuer Identifier value.\n   */\n  locations?: string[]\n\n  /* // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  // [key: string]: any;*/\n}\n\nexport interface AuthorizationDetailsJwtVcJson extends CommonAuthorizationDetails {\n  format: 'jwt_vc_json' | 'jwt_vc' // jwt_vc added for backward compat\n\n  /**\n   * A JSON object containing a list of key value pairs, where the key identifies the claim offered in the Credential.\n   * The value MAY be a dictionary, which allows to represent the full (potentially deeply nested) structure of the\n   * verifiable credential to be issued. This object indicates the claims the Wallet would like to turn up in the\n   * credential to be issued.\n   */\n  credentialSubject?: IssuerCredentialSubject\n\n  types: string[] // This claim contains the type values the Wallet requests authorization for at the issuer.\n}\n\nexport interface AuthorizationDetailsJwtVcJsonLdAndLdpVc extends CommonAuthorizationDetails {\n  format: 'ldp_vc' | 'jwt_vc_json-ld'\n\n  /**\n   * REQUIRED. JSON object containing (and isolating) the detailed description of the credential type.\n   * This object MUST be processed using full JSON-LD processing. It consists of the following sub-claims:\n   *   - @context: REQUIRED. JSON array as defined in Appendix E.1.3.2\n   *   - types: REQUIRED. JSON array as defined in Appendix E.1.3.2.\n   *            This claim contains the type values the Wallet shall request in the subsequent Credential Request\n   */\n  credential_definition: JsonLdIssuerCredentialDefinition\n}\n\nexport interface AuthorizationDetailsSdJwtVc extends CommonAuthorizationDetails {\n  format: 'vc+sd-jwt'\n\n  vct: string\n  claims?: IssuerCredentialSubject\n}\n\nexport interface AuthorizationDetailsMsoMdoc extends CommonAuthorizationDetails {\n  format: 'mso_mdoc'\n\n  doctype: string\n  claims?: IssuerCredentialSubject\n}\n\nexport enum GrantTypes {\n  AUTHORIZATION_CODE = 'authorization_code',\n  PRE_AUTHORIZED_CODE = 'urn:ietf:params:oauth:grant-type:pre-authorized_code',\n  PASSWORD = 'password',\n}\n\nexport enum Encoding {\n  FORM_URL_ENCODED = 'application/x-www-form-urlencoded',\n  UTF_8 = 'UTF-8',\n}\n\nexport enum ResponseType {\n  AUTH_CODE = 'code',\n}\n\nexport enum CodeChallengeMethod {\n  plain = 'plain',\n  S256 = 'S256',\n}\n\nexport interface AuthorizationServerOpts {\n  allowInsecureEndpoints?: boolean\n  as?: string // If not provided the issuer hostname will be used!\n  tokenEndpoint?: string // Allows to override the default '/token' endpoint\n  clientOpts?: AuthorizationServerClientOpts\n}\n\nexport type AuthorizationServerClientOpts = {\n  clientId: string\n  clientAssertionType?: 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'\n  kid?: string\n  alg?: Alg\n  signCallbacks?: ProofOfPossessionCallbacks\n}\n\nexport interface IssuerOpts {\n  issuer: string\n  tokenEndpoint?: string\n  fetchMetadata?: boolean\n}\n\nexport interface AccessTokenFromAuthorizationResponseOpts extends AccessTokenRequestOpts {\n  authorizationResponse: AuthorizationResponse\n}\n\nexport type TxCodeAndPinRequired = { isPinRequired?: boolean; txCode?: TxCode }\n\nexport interface AccessTokenRequestOpts {\n  credentialOffer?: UniformCredentialOffer\n  credentialIssuer?: string\n  asOpts?: AuthorizationServerOpts\n  metadata?: EndpointMetadata\n  codeVerifier?: string // only required for authorization flow\n  code?: string // only required for authorization flow\n  redirectUri?: string // only required for authorization flow\n  pin?: string // Pin-number. Only used when required\n  pinMetadata?: TxCodeAndPinRequired // OPTIONAL. String value containing a Transaction Code. This value MUST be present if a tx_code object was present in the Credential Offer (including if the object was empty). This parameter MUST only be used if the grant_type is urn:ietf:params:oauth:grant-type:pre-authorized_code.\n  // if the CreateDPoPOpts are provided, a dPoP will be created using the provided callback,\n  // if the authorization server indicates that it supports dPoP via the dpop_signing_alg_values_supported parameter.\n  createDPoPOpts?: CreateDPoPClientOpts\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  additionalParams?: Record<string, any>\n}\n\n/*export interface AuthorizationRequestOpts {\n  clientId: string;\n  codeChallenge: string;\n  codeChallengeMethod: CodeChallengeMethod;\n  authorizationDetails?: AuthorizationDetails[];\n  redirectUri: string;\n  scope?: string;\n}*/\n\n/**\n * Determinse whether PAR should be used when supported\n *\n * REQUIRE: Require PAR, if AS does not support it throw an error\n * AUTO: Use PAR is the AS supports it, otherwise construct a reqular URI,\n * NEVER: Do not use PAR even if the AS supports it (not recommended)\n */\nexport enum PARMode {\n  REQUIRE,\n  AUTO,\n  NEVER,\n}\n\n/**\n * Optional options to provide PKCE params like code verifier and challenge yourself, or to disable PKCE altogether. If not provide PKCE will still be used! If individual params are not provide, they will be generated/calculated\n */\nexport interface PKCEOpts {\n  /**\n   * PKCE is enabled by default even if you do not provide these options. Set this to true to disable PKCE\n   */\n  disabled?: boolean\n\n  /**\n   * Provide a code_challenge, otherwise it will be calculated using the code_verifier and method\n   */\n  codeChallenge?: string\n\n  /**\n   * The code_challenge_method, should always by S256\n   */\n  codeChallengeMethod?: CodeChallengeMethod\n\n  /**\n   * Provide a code_verifier, otherwise it will be generated\n   */\n  codeVerifier?: string\n}\n\nexport enum CreateRequestObjectMode {\n  NONE,\n  REQUEST_OBJECT,\n  REQUEST_URI,\n}\n\nexport type RequestObjectOpts = {\n  requestObjectMode?: CreateRequestObjectMode\n  signCallbacks?: ProofOfPossessionCallbacks\n  // eslint-disable-next-line @typescript-eslint/no-explicit-any\n  clientMetadata?: Record<string, any> // TODO: Merge SIOP/OID4VP\n  iss?: string\n  jwksUri?: string\n  kid?: string\n}\n\nexport interface AuthorizationRequestOpts {\n  clientId?: string\n  pkce?: PKCEOpts\n  parMode?: PARMode\n  authorizationDetails?: AuthorizationDetails | AuthorizationDetails[]\n  redirectUri?: string\n  scope?: string\n  requestObjectOpts?: RequestObjectOpts\n  holderPreferredAuthzFlowTypeOrder?: AuthzFlowType[]\n}\n\nexport interface AuthorizationResponse {\n  code: string\n  scope?: string\n  state?: string\n}\n\nexport interface AuthorizationGrantResponse extends AuthorizationResponse {\n  grant_type: string\n}\n\nexport interface AccessTokenRequest {\n  client_id?: string\n  code?: string\n  code_verifier?: string\n  grant_type: GrantTypes\n  'pre-authorized_code': string\n  redirect_uri?: string\n  scope?: string\n  user_pin?: string //this is for v11, not required in v13 anymore\n  tx_code?: string //draft 13\n  [s: string]: unknown\n}\n\nexport interface OpenIDResponse<T, P = never> {\n  origResponse: Response\n  successBody?: T\n  errorBody?: ErrorResponse\n  params?: P\n}\n\nexport interface DPoPResponseParams {\n  dpop?: { dpopNonce: string }\n}\n\nexport interface AccessTokenResponse {\n  access_token: string\n  scope?: string\n  token_type?: string\n  expires_in?: number // in seconds\n  c_nonce?: string\n  c_nonce_expires_in?: number // in seconds\n  authorization_pending?: boolean\n  interval?: number // in seconds\n}\n\nexport enum AuthzFlowType {\n  AUTHORIZATION_CODE_FLOW = 'Authorization Code Flow',\n  PRE_AUTHORIZED_CODE_FLOW = 'Pre-Authorized Code Flow',\n}\n\n// eslint-disable-next-line @typescript-eslint/no-namespace\nexport namespace AuthzFlowType {\n  export function valueOf(request: CredentialOfferPayload): AuthzFlowType {\n    if (PRE_AUTH_CODE_LITERAL in request) {\n      return AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW\n    }\n    return AuthzFlowType.AUTHORIZATION_CODE_FLOW\n  }\n}\n\nexport interface PushedAuthorizationResponse {\n  request_uri: string\n  expires_in: number\n}\n","import { ICredentialContextType, IVerifiableCredential, W3CVerifiableCredential } from '@sphereon/ssi-types'\n\nimport { ExperimentalSubjectIssuance } from '../experimental/holder-vci'\n\nimport { ProofOfPossession } from './CredentialIssuance.types'\nimport { AuthorizationServerMetadata } from './ServerMetadata'\nimport { CredentialOfferSession } from './StateManager.types'\nimport { IssuerMetadataV1_0_08 } from './v1_0_08.types'\nimport { CredentialRequestV1_0_11, EndpointMetadataResultV1_0_11 } from './v1_0_11.types'\nimport {\n  CredentialConfigurationSupportedV1_0_13,\n  CredentialRequestV1_0_13,\n  EndpointMetadataResultV1_0_13,\n  IssuerMetadataV1_0_13,\n} from './v1_0_13.types'\n\nexport type InputCharSet = 'numeric' | 'text'\nexport type KeyProofType = 'jwt' | 'cwt' | 'ldp_vp'\n\nexport type PoPMode = 'pop' | 'JWT' // Proof of possession, or regular JWT\n\nexport type CredentialOfferMode = 'VALUE' | 'REFERENCE'\n\n/**\n * Important Note: please be aware that these Common interfaces are based on versions v1_0.11 and v1_0.09\n */\nexport interface ImageInfo {\n  url?: string\n  alt_text?: string\n\n  [key: string]: unknown\n}\n\nexport type OID4VCICredentialFormat = 'jwt_vc_json' | 'jwt_vc_json-ld' | 'ldp_vc' | 'vc+sd-jwt' | 'jwt_vc' | 'mso_mdoc' // jwt_vc is added for backwards compat\n\nexport interface NameAndLocale {\n  name?: string // REQUIRED. String value of a display name for the Credential.\n  locale?: string // OPTIONAL. String value that identifies the language of this object represented as a language tag taken from values defined in BCP47 [RFC5646]. Multiple display objects MAY be included for separate languages. There MUST be only one object with the same language identifier.\n  [key: string]: unknown\n}\n\nexport interface LogoAndColor {\n  logo?: ImageInfo // OPTIONAL. A JSON object with information about the logo of the Credential with a following non-exhaustive list of parameters that MAY be included:\n  description?: string // OPTIONAL. String value of a description of the Credential.\n  background_color?: string //OPTIONAL. String value of a background color of the Credential represented as numerical color values defined in CSS Color Module Level 37 [CSS-Color].\n  text_color?: string // OPTIONAL. String value of a text color of the Credential represented as numerical color values defined in CSS Color Module Level 37 [CSS-Color].\n}\n\nexport type CredentialsSupportedDisplay = NameAndLocale &\n  LogoAndColor & {\n    name: string // REQUIRED. String value of a display name for the Credential.\n    background_image?: ImageInfo //OPTIONAL, NON-SPEC compliant!. URL of a background image useful for card views of credentials. Expected to an image that fills the full card-view of a wallet\n  }\n\nexport type MetadataDisplay = NameAndLocale &\n  LogoAndColor & {\n    name?: string //OPTIONAL. String value of a display name for the Credential Issuer.\n  }\n\nexport interface CredentialSupplierConfig {\n  [key: string]: any // This allows additional properties for credential suppliers\n}\n\nexport interface CredentialIssuerMetadataOpts {\n  credential_endpoint?: string // REQUIRED. URL of the Credential Issuer's Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path and query parameter components.\n  batch_credential_endpoint?: string // OPTIONAL. URL of the Credential Issuer's Batch Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path and query parameter components. If omitted, the Credential Issuer does not support the Batch Credential Endpoint.\n  credentials_supported: CredentialsSupportedLegacy[] // REQUIRED in versions below 13. A JSON array containing a list of JSON objects, each of them representing metadata about a separate credential type that the Credential Issuer can issue. The JSON objects in the array MUST conform to the structure of the Section 10.2.3.1.\n  credential_issuer: string // REQUIRED. The Credential Issuer's identifier.\n  authorization_server?: string // OPTIONAL. Identifier of the OAuth 2.0 Authorization Server (as defined in [RFC8414]) the Credential Issuer relies on for authorization. If this element is omitted, the entity providing the Credential Issuer is also acting as the AS, i.e. the Credential Issuer's identifier is used as the OAuth 2.0 Issuer value to obtain the Authorization Server metadata as per [RFC8414].\n  token_endpoint?: string\n  notification_endpoint?: string\n  authorization_challenge_endpoint?: string // OPTIONAL URL of the Credential Issuer's Authorization Challenge Endpoint. This URL MUST use the https scheme and MAY contain port, path and query parameter components. Described on https://www.ietf.org/archive/id/draft-parecki-oauth-first-party-apps-02.html#name-authorization-challenge-end\n  display?: MetadataDisplay[] //  An array of objects, where each object contains display properties of a Credential Issuer for a certain language. Below is a non-exhaustive list of valid parameters that MAY be included:\n  credential_supplier_config?: CredentialSupplierConfig\n}\n\n//todo: investigate if these values are enough.\nexport type AlgValue = 'RS256' | 'ES256' | 'PS256' | 'HS256' | string\nexport type EncValue = 'A128GCM' | 'A256GCM' | 'A128CBC-HS256' | 'A256CBC-HS512' | string\n\nexport interface ResponseEncryption {\n  /**\n   * REQUIRED. Array containing a list of the JWE [RFC7516] encryption algorithms\n   * (alg values) [RFC7518] supported by the Credential and Batch Credential Endpoint to encode the\n   * Credential or Batch Credential Response in a JWT\n   */\n  alg_values_supported: AlgValue[]\n\n  /**\n   * REQUIRED. Array containing a list of the JWE [RFC7516] encryption algorithms\n   * (enc values) [RFC7518] supported by the Credential and Batch Credential Endpoint to encode the\n   * Credential or Batch Credential Response in a JWT\n   */\n  enc_values_supported: EncValue[]\n\n  /**\n   * REQUIRED. Boolean value specifying whether the Credential Issuer requires the\n   * additional encryption on top of TLS for the Credential Response. If the value is true, the Credential\n   * Issuer requires encryption for every Credential Response and therefore the Wallet MUST provide\n   * encryption keys in the Credential Request. If the value is false, the Wallet MAY chose whether it\n   * provides encryption keys or not.\n   */\n  encryption_required: boolean\n}\n\n// For now we extend the opts above. Only difference is that the credential endpoint is optional in the Opts, as it can come from other sources. The value is however required in the eventual Issuer Metadata\nexport interface CredentialIssuerMetadata extends CredentialIssuerMetadataOpts, Partial<AuthorizationServerMetadata> {\n  authorization_servers?: string[] // OPTIONAL. Array of strings that identify the OAuth 2.0 Authorization Servers (as defined in [RFC8414]) the Credential Issuer relies on for authorization. If this element is omitted, the entity providing the Credential Issuer is also acting as the AS, i.e. the Credential Issuer's identifier is used as the OAuth 2.0 Issuer value to obtain the Authorization Server metadata as per [RFC8414].\n  credential_endpoint: string // REQUIRED. URL of the Credential Issuer's Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path and query parameter components.\n  credential_configurations_supported: Record<string, CredentialConfigurationSupported> // REQUIRED. A JSON array containing a list of JSON objects, each of them representing metadata about a separate credential type that the Credential Issuer can issue. The JSON objects in the array MUST conform to the structure of the Section 10.2.3.1.\n  credential_issuer: string // REQUIRED. The Credential Issuer's identifier.\n  credential_response_encryption_alg_values_supported?: string // OPTIONAL. Array containing a list of the JWE [RFC7516] encryption algorithms (alg values) [RFC7518] supported by the Credential and/or Batch Credential Endpoint to encode the Credential or Batch Credential Response in a JWT [RFC7519].\n  credential_response_encryption_enc_values_supported?: string //OPTIONAL. Array containing a list of the JWE [RFC7516] encryption algorithms (enc values) [RFC7518] supported by the Credential and/or Batch Credential Endpoint to encode the Credential or Batch Credential Response in a JWT [RFC7519].\n  require_credential_response_encryption?: boolean //OPTIONAL. Boolean value specifying whether the Credential Issuer requires additional encryption on top of TLS for the Credential Response and expects encryption parameters to be present in the Credential Request and/or Batch Credential Request, with true indicating support. When the value is true, credential_response_encryption_alg_values_supported parameter MUST also be provided. If omitted, the default value is false.\n  credential_identifiers_supported?: boolean // OPTIONAL. Boolean value specifying whether the Credential Issuer supports returning credential_identifiers parameter in the authorization_details Token Response parameter, with true indicating support. If omitted, the default value is false.\n}\n\n// For now we extend the opts above. Only difference is that the credential endpoint is optional in the Opts, as it can come from other sources. The value is however required in the eventual Issuer Metadata\n\nexport interface CredentialSupportedBrief {\n  cryptographic_binding_methods_supported?: string[] // OPTIONAL. Array of case sensitive strings that identify how the Credential is bound to the identifier of the End-User who possesses the Credential\n  cryptographic_suites_supported?: string[] // OPTIONAL. Array of case sensitive strings that identify the cryptographic suites that are supported for the cryptographic_binding_methods_supported\n}\n\nexport interface ProofType {\n  proof_signing_alg_values_supported: string[]\n}\n\nexport type ProofTypesSupported = {\n  [key in KeyProofType]?: ProofType\n}\n\nexport type CommonCredentialSupported = CredentialSupportedBrief &\n  ExperimentalSubjectIssuance & {\n    format: OID4VCICredentialFormat | string //REQUIRED. A JSON string identifying the format of this credential, e.g. jwt_vc_json or ldp_vc.\n    id?: string // OPTIONAL. A JSON string identifying the respective object. The value MUST be unique across all credentials_supported entries in the Credential Issuer Metadata\n    display?: CredentialsSupportedDisplay[] // OPTIONAL. An array of objects, where each object contains the display properties of the supported credential for a certain language\n    scope?: string // OPTIONAL. A JSON string identifying the scope value that this Credential Issuer supports for this particular Credential. The value can be the same across multiple credential_configurations_supported objects. The Authorization Server MUST be able to uniquely identify the Credential Issuer based on the scope value. The Wallet can use this value in the Authorization Request as defined in Section 5.1.2. Scope values in this Credential Issuer metadata MAY duplicate those in the scopes_supported parameter of the Authorization Server.\n    proof_types_supported?: ProofTypesSupported\n\n    /**\n     * following properties are non-mso_mdoc specific and we might wanna rethink them when we're going to support mso_mdoc\n     */\n  }\n\nexport interface CredentialSupportedJwtVcJsonLdAndLdpVc extends CommonCredentialSupported {\n  types: string[] // REQUIRED. JSON array designating the types a certain credential type supports\n  '@context': ICredentialContextType[] // REQUIRED. JSON array as defined in [VC_DATA], Section 4.1.\n  credentialSubject?: IssuerCredentialSubject // OPTIONAL. A JSON object containing a list of key value pairs, where the key identifies the claim offered in the Credential. The value MAY be a dictionary, which allows to represent the full (potentially deeply nested) structure of the verifiable credential to be issued.\n  order?: string[] //An array of claims.display.name values that lists them in the order they should be displayed by the Wallet.\n  format: 'ldp_vc' | 'jwt_vc_json-ld'\n}\n\nexport interface CredentialSupportedJwtVcJson extends CommonCredentialSupported {\n  types: string[] // REQUIRED. JSON array designating the types a certain credential type supports\n  credentialSubject?: IssuerCredentialSubject // OPTIONAL. A JSON object containing a list of key value pairs, where the key identifies the claim offered in the Credential. The value MAY be a dictionary, which allows to represent the full (potentially deeply nested) structure of the verifiable credential to be issued.\n  order?: string[] //An array of claims.display.name values that lists them in the order they should be displayed by the Wallet.\n  format: 'jwt_vc_json' | 'jwt_vc' // jwt_vc added for backwards compat\n}\n\nexport interface CredentialSupportedSdJwtVc extends CommonCredentialSupported {\n  format: 'vc+sd-jwt'\n\n  vct: string\n  claims?: IssuerCredentialSubject\n\n  order?: string[] //An array of claims.display.name values that lists them in the order they should be displayed by the Wallet.\n}\n\nexport interface CredentialSupportedMsoMdoc extends CommonCredentialSupported {\n  format: 'mso_mdoc'\n\n  doctype: string\n  claims?: IssuerCredentialSubject\n\n  order?: string[] //An array of claims.display.name values that lists them in the order they should be displayed by the Wallet.\n}\n\nexport type CredentialConfigurationSupported =\n  | CredentialConfigurationSupportedV1_0_13\n  | (CommonCredentialSupported &\n      (CredentialSupportedJwtVcJson | CredentialSupportedJwtVcJsonLdAndLdpVc | CredentialSupportedSdJwtVc | CredentialSupportedMsoMdoc))\n\nexport type CredentialsSupportedLegacy = CommonCredentialSupported &\n  (CredentialSupportedJwtVcJson | CredentialSupportedJwtVcJsonLdAndLdpVc | CredentialSupportedSdJwtVc | CredentialSupportedMsoMdoc)\n\nexport interface CommonCredentialOfferFormat {\n  format: OID4VCICredentialFormat | string\n}\n\nexport interface CredentialOfferFormatJwtVcJsonLdAndLdpVc extends CommonCredentialOfferFormat {\n  format: 'ldp_vc' | 'jwt_vc_json-ld'\n  // REQUIRED. JSON object containing (and isolating) the detailed description of the credential type. This object MUST be processed using full JSON-LD processing.\n  credential_definition: JsonLdIssuerCredentialDefinition\n}\n\nexport interface CredentialOfferFormatJwtVcJson extends CommonCredentialOfferFormat {\n  format: 'jwt_vc_json' | 'jwt_vc' // jwt_vc is added for backwards compat\n  types: string[] // REQUIRED. JSON array as defined in Appendix E.1.1.2. This claim contains the type values the Wallet shall request in the subsequent Credential Request.\n}\n\n// NOTE: the sd-jwt format is added to oid4vci in a later draft version than currently\n// supported, so there's no defined offer format. However, based on the request structure\n// we support sd-jwt for older drafts of oid4vci as well\nexport interface CredentialOfferFormatSdJwtVc extends CommonCredentialOfferFormat {\n  format: 'vc+sd-jwt'\n\n  vct: string\n  claims?: IssuerCredentialSubject\n}\n\n// NOTE: the sd-jwt format is added to oid4vci in a later draft version than currently\n// supported, so there's no defined offer format. However, based on the request structure\n// we support sd-jwt for older drafts of oid4vci as well\nexport interface CredentialOfferFormatMsoMdoc extends CommonCredentialOfferFormat {\n  format: 'mso_mdoc'\n\n  doctype: string\n  claims?: IssuerCredentialSubject\n}\n\nexport type CredentialOfferFormatV1_0_11 = CommonCredentialOfferFormat &\n  (CredentialOfferFormatJwtVcJsonLdAndLdpVc | CredentialOfferFormatJwtVcJson | CredentialOfferFormatSdJwtVc | CredentialOfferFormatMsoMdoc)\n\n/**\n * Optional storage that can help the credential Data Supplier. For instance to store credential input data during offer creation, if no additional data can be supplied later on\n */\nexport type CredentialDataSupplierInput = any\n\nexport type CreateCredentialOfferURIResult = {\n  uri: string\n  correlationId: string\n  qrCodeDataUri?: string\n  session: CredentialOfferSession\n  userPin?: string\n  txCode?: TxCode\n}\n\nexport interface JsonLdIssuerCredentialDefinition {\n  '@context': ICredentialContextType[]\n  types: string[]\n  credentialSubject?: IssuerCredentialSubject\n}\n\nexport interface ErrorResponse {\n  error: string\n  error_description?: string\n  error_uri?: string\n  state?: string\n}\n\nexport type UniformCredentialRequest = CredentialRequestV1_0_11 | CredentialRequestV1_0_13\n\nexport interface CommonCredentialRequest extends ExperimentalSubjectIssuance {\n  format: OID4VCICredentialFormat /* | OID4VCICredentialFormat[];*/ // for now it seems only one is supported in the spec\n  proof?: ProofOfPossession\n}\n\nexport interface CredentialRequestJwtVcJson extends CommonCredentialRequest {\n  format: 'jwt_vc_json' | 'jwt_vc' // jwt_vc for backwards compat\n  types: string[]\n  credentialSubject?: IssuerCredentialSubject\n}\n\nexport interface CredentialRequestJwtVcJsonLdAndLdpVc extends CommonCredentialRequest {\n  format: 'ldp_vc' | 'jwt_vc_json-ld'\n  credential_definition: JsonLdIssuerCredentialDefinition\n}\n\nexport interface CredentialRequestSdJwtVc extends CommonCredentialRequest {\n  format: 'vc+sd-jwt'\n  vct: string\n  claims?: IssuerCredentialSubject\n}\n\nexport interface CredentialRequestMsoMdoc extends CommonCredentialRequest {\n  format: 'mso_mdoc'\n  doctype: string\n  claims?: IssuerCredentialSubject\n}\n\nexport interface CommonCredentialResponse extends ExperimentalSubjectIssuance {\n  // format: string;  TODO do we still need this for previous version support?\n  credential?: W3CVerifiableCredential\n  acceptance_token?: string\n  c_nonce?: string\n  c_nonce_expires_in?: string\n}\n\nexport interface CredentialResponseLdpVc extends CommonCredentialResponse {\n  //  format: 'ldp_vc';\n  credential: IVerifiableCredential\n}\n\nexport interface CredentialResponseJwtVc {\n  //  format: 'jwt_vc_json' | 'jwt_vc_json-ld';  TODO do we still need this for previous version support?\n  credential: string\n}\n\nexport interface CredentialResponseSdJwtVc {\n  //  format: 'vc+sd-jwt';   TODO do we still need this for previous version support?\n  credential: string\n}\n\n// export type CredentialSubjectDisplay = NameAndLocale[];\n\nexport type IssuerCredentialSubjectDisplay = CredentialSubjectDisplay & { [key: string]: CredentialSubjectDisplay }\n\nexport interface CredentialSubjectDisplay {\n  mandatory?: boolean // OPTIONAL. Boolean which when set to true indicates the claim MUST be present in the issued Credential. If the mandatory property is omitted its default should be assumed to be false.\n  value_type?: string // OPTIONAL. String value determining type of value of the claim. A non-exhaustive list of valid values defined by this specification are string, number, and image media types such as image/jpeg as defined in IANA media type registry for images\n  display?: NameAndLocale[] // OPTIONAL. An array of objects, where each object contains display properties of a certain claim in the Credential for a certain language. Below is a non-exhaustive list of valid parameters that MAY be included:\n}\n\nexport interface IssuerCredentialSubject {\n  [key: string]: IssuerCredentialSubjectDisplay\n}\n\nexport interface Grant {\n  authorization_code?: GrantAuthorizationCode\n  [PRE_AUTH_GRANT_LITERAL]?: GrantUrnIetf\n}\n\nexport interface GrantAuthorizationCode {\n  /**\n   * OPTIONAL. String value created by the Credential Issuer and opaque to the Wallet that is used to bind the subsequent\n   * Authorization Request with the Credential Issuer to a context set up during previous steps.\n   */\n  issuer_state?: string\n\n  // v12 feature\n  /**\n   * OPTIONAL string that the Wallet can use to identify the Authorization Server to use with this grant type when authorization_servers parameter in the Credential Issuer metadata has multiple entries. MUST NOT be used otherwise. The value of this parameter MUST match with one of the values in the authorization_servers array obtained from the Credential Issuer metadata\n   */\n  authorization_server?: string\n}\n\nexport interface TxCode {\n  /**\n   * OPTIONAL. String specifying the input character set. Possible values are numeric (only digits) and text (any characters). The default is numeric.\n   */\n  input_mode?: InputCharSet\n\n  /**\n   * OPTIONAL. Integer specifying the length of the Transaction Code. This helps the Wallet to render the input screen and improve the user experience.\n   */\n  length?: number\n\n  /**\n   * OPTIONAL. String containing guidance for the Holder of the Wallet on how to obtain the Transaction Code, e.g.,\n   * describing over which communication channel it is delivered. The Wallet is RECOMMENDED to display this description\n   * next to the Transaction Code input screen to improve the user experience. The length of the string MUST NOT exceed\n   * 300 characters. The description does not support internationalization, however the Issuer MAY detect the Holder's\n   * language by previous communication or an HTTP Accept-Language header within an HTTP GET request for a Credential Offer URI.\n   */\n  description?: string\n}\n\nexport interface GrantUrnIetf {\n  /**\n   * REQUIRED. The code representing the Credential Issuer's authorization for the Wallet to obtain Credentials of a certain type.\n   */\n  'pre-authorized_code': string\n\n  // v13\n  /**\n   * OPTIONAL. Object specifying whether the Authorization Server expects presentation of a Transaction Code by the\n   * End-User along with the Token Request in a Pre-Authorized Code Flow. If the Authorization Server does not expect a\n   * Transaction Code, this object is absent; this is the default. The Transaction Code is intended to bind the Pre-Authorized\n   * Code to a certain transaction to prevent replay of this code by an attacker that, for example, scanned the QR code while\n   * standing behind the legitimate End-User. It is RECOMMENDED to send the Transaction Code via a separate channel. If the Wallet\n   * decides to use the Pre-Authorized Code Flow, the Transaction Code value MUST be sent in the tx_code parameter with\n   * the respective Token Request as defined in Section 6.1. If no length or description is given, this object may be empty,\n   * indicating that a Transaction Code is required.\n   */\n  tx_code?: TxCode\n\n  // v12, v13\n  /**\n   * OPTIONAL. The minimum amount of time in seconds that the Wallet SHOULD wait between polling requests to the token endpoint (in case the Authorization Server responds with error code authorization_pending - see Section 6.3). If no value is provided, Wallets MUST use 5 as the default.\n   */\n  interval?: number\n\n  // v12, v13 feature\n  /**\n   * OPTIONAL string that the Wallet can use to identify the Authorization Server to use with this grant type when authorization_servers parameter in the Credential Issuer metadata has multiple entries. MUST NOT be used otherwise. The value of this parameter MUST match with one of the values in the authorization_servers array obtained from the Credential Issuer metadata\n   */\n  authorization_server?: string\n\n  // v12 and below feature\n  /**\n   * OPTIONAL. Boolean value specifying whether the AS\n   * expects presentation of the End-User PIN along with the Token Request\n   * in a Pre-Authorized Code Flow. Default is false. This PIN is intended\n   * to bind the Pre-Authorized Code to a certain transaction to prevent\n   * replay of this code by an attacker that, for example, scanned the QR\n   * code while standing behind the legitimate End-User. It is RECOMMENDED\n   * to send a PIN via a separate channel. If the Wallet decides to use\n   * the Pre-Authorized Code Flow, a PIN value MUST be sent in\n   * the user_pin parameter with the respective Token Request.\n   */\n  user_pin_required?: boolean\n}\n\nexport const PRE_AUTH_CODE_LITERAL = 'pre-authorized_code'\nexport const PRE_AUTH_GRANT_LITERAL = 'urn:ietf:params:oauth:grant-type:pre-authorized_code'\n\nexport type EndpointMetadataResult = EndpointMetadataResultV1_0_13 | EndpointMetadataResultV1_0_11\n\nexport type IssuerMetadata = IssuerMetadataV1_0_13 | IssuerMetadataV1_0_08\n\nexport type NotificationEventType = 'credential_accepted' | 'credential_failure' | 'credential_deleted'\n\nexport interface NotificationRequest {\n  notification_id: string\n  event: NotificationEventType | string\n  event_description?: string\n  credential?: any // Experimental support to have a wallet sign a credential. Not part of the spec\n}\n\nexport type NotificationError = 'invalid_notification_id' | 'invalid_notification_request'\n\nexport type NotificationResponseResult = {\n  error: boolean\n  response?: NotificationErrorResponse\n}\n\nexport interface NotificationErrorResponse {\n  error: NotificationError | string\n}\n\nexport interface StatusListOpts {\n  statusListId?: string // Explicit status list to use. Determines the id from the credentialStatus object in the VC itself or uses the default otherwise\n  statusListCorrelationId?: string\n  statusListIndex?: number\n  statusEntryCorrelationId?: string // An id to use for correlation. Can be the credential id, but also a business identifier. Will only be used for lookups/management\n}\n","import { BaseJWK } from '@sphereon/oid4vc-common'\nimport { IVerifiableCredential } from '@sphereon/ssi-types'\n\nimport { ExperimentalSubjectIssuance } from '../experimental/holder-vci'\n\nimport { AuthzFlowType } from './Authorization.types'\nimport { OID4VCICredentialFormat, TxCode, UniformCredentialRequest } from './Generic.types'\nimport { OpenId4VCIVersion } from './OpenID4VCIVersions.types'\nimport { CredentialOfferPayloadV1_0_08, CredentialRequestV1_0_08 } from './v1_0_08.types'\nimport { CredentialOfferPayloadV1_0_09, CredentialOfferV1_0_09 } from './v1_0_09.types'\nimport { CredentialOfferPayloadV1_0_11, CredentialOfferV1_0_11, CredentialRequestV1_0_11 } from './v1_0_11.types'\nimport { CredentialOfferPayloadV1_0_13, CredentialOfferV1_0_13, CredentialRequestV1_0_13 } from './v1_0_13.types'\n\nexport interface CredentialResponse extends ExperimentalSubjectIssuance {\n  credential?: IVerifiableCredential | string // OPTIONAL. Contains issued Credential. MUST be present when acceptance_token is not returned. MAY be a JSON string or a JSON object, depending on the Credential format. See Appendix E for the Credential format specific encoding requirements\n  format?: OID4VCICredentialFormat /* | OID4VCICredentialFormat[]*/ // REQUIRED. JSON string denoting the format of the issued Credential  TODO: remove when cleaning <v13\n  transaction_id?: string //OPTIONAL. A string identifying a Deferred Issuance transaction. This claim is contained in the response if the Credential Issuer was unable to immediately issue the credential. The value is subsequently used to obtain the respective Credential with the Deferred Credential Endpoint (see Section 9). It MUST be present when the credential parameter is not returned. It MUST be invalidated after the credential for which it was meant has been obtained by the Wallet.\n  acceptance_token?: string //deprecated // OPTIONAL. A JSON string containing a security token subsequently used to obtain a Credential. MUST be present when credential is not returned\n  c_nonce?: string // OPTIONAL. JSON string containing a nonce to be used to create a proof of possession of key material when requesting a Credential (see Section 7.2). When received, the Wallet MUST use this nonce value for its subsequent credential requests until the Credential Issuer provides a fresh nonce\n  c_nonce_expires_in?: number // OPTIONAL. JSON integer denoting the lifetime in seconds of the c_nonce\n  notification_id?: string\n}\n\nexport interface CredentialOfferRequestWithBaseUrl extends UniformCredentialOfferRequest {\n  scheme: string\n  clientId?: string\n  baseUrl: string\n  txCode?: TxCode\n  issuerState?: string\n  preAuthorizedCode?: string\n  userPinRequired: boolean\n}\n\nexport type CredentialOffer = CredentialOfferV1_0_09 | CredentialOfferV1_0_11 | CredentialOfferV1_0_13\n\nexport type CredentialOfferPayloadLatest = CredentialOfferPayloadV1_0_13\n\nexport type CredentialRequest = UniformCredentialRequest | CredentialRequestV1_0_13 | CredentialRequestV1_0_11 | CredentialRequestV1_0_08\n\nexport type CredentialOfferPayload = (\n  | CredentialOfferPayloadV1_0_08\n  | CredentialOfferPayloadV1_0_09\n  | CredentialOfferPayloadV1_0_11\n  | CredentialOfferPayloadV1_0_13\n) & {\n  [x: string]: any\n}\n\nexport interface AssertedUniformCredentialOffer extends UniformCredentialOffer {\n  credential_offer: UniformCredentialOfferPayload\n}\n\nexport interface UniformCredentialOffer {\n  credential_offer?: UniformCredentialOfferPayload\n  credential_offer_uri?: string\n}\n\nexport interface UniformCredentialOfferRequest extends AssertedUniformCredentialOffer {\n  original_credential_offer: CredentialOfferPayload\n  version: OpenId4VCIVersion\n  supportedFlows: AuthzFlowType[]\n}\n\n//todo: drop v11\nexport type UniformCredentialOfferPayload = CredentialOfferPayloadV1_0_11 | CredentialOfferPayloadV1_0_13\n\nexport interface ProofOfPossession {\n  proof_type: 'jwt'\n  jwt: string\n\n  [x: string]: unknown\n}\n\nexport type SearchValue = {\n  // eslint-disable-next-line  @typescript-eslint/no-explicit-any\n  [Symbol.replace](string: string, replacer: (substring: string, ...args: any[]) => string): string\n}\n\nexport enum JsonURIMode {\n  JSON_STRINGIFY,\n  X_FORM_WWW_URLENCODED,\n}\n\nexport type EncodeJsonAsURIOpts = {\n  uriTypeProperties?: string[]\n  arrayTypeProperties?: string[]\n  baseUrl?: string\n  param?: string\n  mode?: JsonURIMode\n  version?: OpenId4VCIVersion\n}\n\nexport type DecodeURIAsJsonOpts = {\n  requiredProperties?: string[]\n  arrayTypeProperties?: string[]\n}\n\nexport interface Jwt {\n  header: JWTHeader\n  payload: JWTPayload\n}\n\nexport interface ProofOfPossessionCallbacks {\n  signCallback: JWTSignerCallback\n  verifyCallback?: JWTVerifyCallback\n}\n\n/**\n * Signature algorithms.\n *\n * TODO: Move towards string literal unions and string type, given we do not provide signature/key implementations in this library to begin with\n * @See: https://github.com/Sphereon-Opensource/OID4VC/issues/88\n */\nexport enum Alg {\n  EdDSA = 'EdDSA',\n  ES256 = 'ES256',\n  ES256K = 'ES256K',\n  PS256 = 'PS256',\n  PS384 = 'PS384',\n  PS512 = 'PS512',\n  RS256 = 'RS256',\n  RS384 = 'RS384',\n  RS512 = 'RS512',\n}\n\nexport type Typ =\n  | 'JWT'\n  // https://www.rfc-editor.org/rfc/rfc8725.pdf#name-use-explicit-typing\n  // https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#section-7.2.1-2.1.2.1.2.1.1\n  | 'openid4vci-proof+jwt'\n\nexport interface JoseHeaderParameters {\n  kid?: string // CONDITIONAL. JWT header containing the key ID. If the Credential shall be bound to a DID, the kid refers to a DID URL which identifies a particular key in the DID Document that the Credential shall be bound to. MUST NOT be present if jwk or x5c is present.\n  x5t?: string\n  x5c?: string[] // CONDITIONAL. JWT header containing a certificate or certificate chain corresponding to the key used to sign the JWT. This element may be used to convey a key attestation. In such a case, the actual key certificate will contain attributes related to the key properties. MUST NOT be present if kid or jwk is present.\n  x5u?: string\n  jku?: string\n  jwk?: BaseJWK // CONDITIONAL. JWT header containing the key material the new Credential shall be bound to. MUST NOT be present if kid or x5c is present.\n  typ?: string //JWT always\n  cty?: string\n}\n\nexport interface JWSHeaderParameters extends JoseHeaderParameters {\n  alg?: Alg | string // REQUIRED by the JWT signer\n  b64?: boolean\n  crit?: string[]\n\n  [propName: string]: unknown\n}\n\nexport interface CompactJWSHeaderParameters extends JWSHeaderParameters {\n  alg: string\n}\n\nexport interface JWTHeaderParameters extends CompactJWSHeaderParameters {\n  b64?: true\n}\n\nexport type JWTHeader = JWTHeaderParameters\n\nexport interface JWTPayload {\n  iss?: string // REQUIRED (string). The value of this claim MUST be the client_id of the client making the credential request.\n  aud?: string | string[] // REQUIRED (string). The value of this claim MUST be the issuer URL of credential issuer.\n  iat?: number // REQUIRED (number). The value of this claim MUST be the time at which the proof was issued using the syntax defined in [RFC7519].\n  nonce?: string // REQUIRED (string). The value type of this claim MUST be a string, where the value is a c_nonce provided by the credential issuer. //TODO: Marked as required not present in NGI flow\n  jti?: string // A new nonce chosen by the wallet. Used to prevent replay\n  exp?: number // Not longer than 5 minutes\n  client_id?: string // (string). The value of this claim MUST be the client_id of the client making the credential request.\n  [s: string]: unknown\n}\n\nexport type JWTSignerCallback = (jwt: Jwt, kid?: string) => Promise<string>\nexport type JWTVerifyCallback = (args: { jwt: string; kid?: string }) => Promise<JwtVerifyResult>\n\nexport interface JwtVerifyResult {\n  jwt: Jwt\n  kid?: string\n  alg?: string\n  did?: string\n  didDocument?: Record<string, unknown>\n  x5c?: string[]\n  jwk?: BaseJWK\n}\n","import { CredentialFormat } from '@sphereon/ssi-types'\n\nimport { ProofOfPossession } from './CredentialIssuance.types'\nimport { CredentialsSupportedDisplay, CredentialSupportedBrief, IssuerCredentialSubject, MetadataDisplay, NameAndLocale } from './Generic.types'\n\nexport interface CredentialRequestV1_0_08 {\n  type: string\n  format: CredentialFormat\n  proof?: ProofOfPossession\n}\n\nexport interface IssuerMetadataV1_0_08 {\n  issuer?: string\n  credential_endpoint: string // REQUIRED. URL of the OP's Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path and query parameter components.\n  credentials_supported: CredentialSupportedTypeV1_0_08 // REQUIRED. A JSON object containing a list of key value pairs, where the key is a string serving as an abstract identifier of the Credential. This identifier is RECOMMENDED to be collision resistant - it can be globally unique, but does not have to be when naming conflicts are unlikely to arise in a given use case. The value is a JSON object. The JSON object MUST conform to the structure of the Section 11.2.1.\n  credential_issuer?: {\n    //  OPTIONAL. A JSON object containing display properties for the Credential issuer.\n    display: NameAndLocale | NameAndLocale[] // OPTIONAL. An array of objects, where each object contains display properties of a Credential issuer for a certain language. Below is a non-exhaustive list of valid parameters that MAY be included:\n  }\n  authorization_server?: string\n  token_endpoint?: string\n  display?: MetadataDisplay[]\n  [x: string]: unknown\n}\n\nexport interface CredentialOfferPayloadV1_0_08 {\n  issuer: string //(url) REQUIRED The issuer URL of the Credential issuer, the Wallet is requested to obtain one or more Credentials from.\n  credential_type: string[] | string //(url) REQUIRED A JSON string denoting the type of the Credential the Wallet shall request\n  'pre-authorized_code'?: string //CONDITIONAL the code representing the issuer's authorization for the Wallet to obtain Credentials of a certain type. This code MUST be short-lived and single-use. MUST be present in a pre-authorized code flow.\n  user_pin_required?: boolean | string //OPTIONAL Boolean value specifying whether the issuer expects presentation of a user PIN along with the Token Request in a pre-authorized code flow. Default is false.\n  op_state?: string //(JWT) OPTIONAL String value created by the Credential Issuer and opaque to the Wallet that is used to bind the subsequent authentication request with the Credential Issuer to a context set up during previous steps\n}\nexport interface CredentialSupportedTypeV1_0_08 {\n  [credentialType: string]: CredentialSupportedV1_0_08\n}\n\nexport interface CredentialSupportedFormatV1_0_08 extends CredentialSupportedBrief {\n  name?: string\n  types: string[]\n}\n\nexport interface CredentialSupportedV1_0_08 {\n  display?: CredentialsSupportedDisplay[]\n  formats: {\n    // REQUIRED. A JSON object containing a list of key value pairs, where the key is a string identifying the format of the Credential. Below is a non-exhaustive list of valid key values defined by this specification:\n    [credentialFormat: string]: CredentialSupportedFormatV1_0_08\n  }\n  claims?: IssuerCredentialSubject // REQUIRED. A JSON object containing a list of key value pairs, where the key identifies the claim offered in the Credential. The value is a JSON object detailing the specifics about the support for the claim with a following non-exhaustive list of parameters that MAY be included:\n}\n","import { CommonAuthorizationRequest } from './Authorization.types'\nimport { CredentialOfferFormatV1_0_11 } from './Generic.types'\n\nexport interface CredentialOfferV1_0_09 {\n  credential_offer: CredentialOfferPayloadV1_0_09\n}\n\n// https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-09.html#name-issuance-initiation-request\nexport interface CredentialOfferPayloadV1_0_09 {\n  /**\n   * REQUIRED. The URL of the Credential Issuer, the Wallet is requested to obtain one or more Credentials from.\n   */\n  issuer: string\n  /**\n   * REQUIRED. A JSON array, where every entry is a JSON object or a JSON string. If the entry is an object,\n   * the object contains the data related to a certain credential type the Wallet MAY request.\n   * Each object MUST contain a format Claim determining the format of the credential to be requested and\n   * further parameters characterising the type of the credential to be requested as defined in Appendix E.\n   * If the entry is a string, the string value MUST be one of the id values in one of the objects in the\n   * credentials_supported Credential Issuer metadata parameter.\n   * When processing, the Wallet MUST resolve this string value to the respective object.\n   */\n  credentials: (CredentialOfferFormatV1_0_11 | string)[]\n  'pre-authorized_code'?: string //CONDITIONAL the code representing the issuer's authorization for the Wallet to obtain Credentials of a certain type. This code MUST be short-lived and single-use. MUST be present in a pre-authorized code flow.\n  user_pin_required?: boolean | string //OPTIONAL Boolean value specifying whether the issuer expects presentation of a user PIN along with the Token Request in a pre-authorized code flow. Default is false.\n  op_state?: string //(JWT) OPTIONAL String value created by the Credential Issuer and opaque to the Wallet that is used to bind the subsequent authentication request with the Credential Issuer to a context set up during previous steps\n}\n\nexport interface AuthorizationRequestV1_0_09 extends CommonAuthorizationRequest {\n  op_state?: string\n}\n\n// todo https://sphereon.atlassian.net/browse/VDX-185\nexport function isAuthorizationRequestV1_0_09(request: CommonAuthorizationRequest): boolean {\n  return request && 'op_state' in request\n}\n","import { AuthorizationDetailsJwtVcJson, AuthorizationServerOpts, CommonAuthorizationRequest } from './Authorization.types'\nimport { UniformCredentialOffer, UniformCredentialOfferRequest } from './CredentialIssuance.types'\nimport {\n  CommonCredentialRequest,\n  CredentialDataSupplierInput,\n  CredentialIssuerMetadataOpts,\n  CredentialOfferFormatV1_0_11,\n  CredentialRequestJwtVcJson,\n  CredentialRequestJwtVcJsonLdAndLdpVc,\n  CredentialRequestSdJwtVc,\n  Grant,\n} from './Generic.types'\nimport { QRCodeOpts } from './QRCode.types'\nimport { AuthorizationServerMetadata, AuthorizationServerType, EndpointMetadata } from './ServerMetadata'\nimport { IssuerMetadataV1_0_08 } from './v1_0_08.types'\n\nexport interface AccessTokenRequestOptsV1_0_11 {\n  credentialOffer?: UniformCredentialOffer\n  credentialIssuer?: string\n  asOpts?: AuthorizationServerOpts\n  metadata?: EndpointMetadata\n  codeVerifier?: string // only required for authorization flow\n  code?: string // only required for authorization flow\n  redirectUri?: string // only required for authorization flow\n  pin?: string // Pin-number. Only used when required\n}\n\nexport interface CredentialOfferV1_0_11 {\n  credential_offer?: CredentialOfferPayloadV1_0_11\n  credential_offer_uri?: string\n}\n\nexport interface CredentialOfferRESTRequestV1_0_11 extends CredentialOfferV1_0_11 {\n  baseUri?: string\n  scheme?: string\n  pinLength?: number\n  qrCodeOpts?: QRCodeOpts\n  credentialDataSupplierInput?: CredentialDataSupplierInput\n}\n\nexport interface CredentialOfferRequestWithBaseUrlV1_0_11 extends UniformCredentialOfferRequest {\n  scheme: string\n  clientId?: string\n  baseUrl: string\n  userPinRequired: boolean\n  issuerState?: string\n  preAuthorizedCode?: string\n}\n\nexport interface CredentialOfferPayloadV1_0_11 {\n  /**\n   * REQUIRED. The URL of the Credential Issuer, the Wallet is requested to obtain one or more Credentials from.\n   */\n  credential_issuer: string\n\n  /**\n   * REQUIRED. A JSON array, where every entry is a JSON object or a JSON string. If the entry is an object,\n   * the object contains the data related to a certain credential type the Wallet MAY request.\n   * Each object MUST contain a format Claim determining the format of the credential to be requested and\n   * further parameters characterising the type of the credential to be requested as defined in Appendix E.\n   * If the entry is a string, the string value MUST be one of the id values in one of the objects in the\n   * credentials_supported Credential Issuer metadata parameter.\n   * When processing, the Wallet MUST resolve this string value to the respective object.\n   */\n  credentials: (CredentialOfferFormatV1_0_11 | string)[]\n  /**\n   * OPTIONAL. A JSON object indicating to the Wallet the Grant Types the Credential Issuer's AS is prepared\n   * to process for this credential offer. Every grant is represented by a key and an object.\n   * The key value is the Grant Type identifier, the object MAY contain parameters either determining the way\n   * the Wallet MUST use the particular grant and/or parameters the Wallet MUST send with the respective request(s).\n   * If grants is not present or empty, the Wallet MUST determine the Grant Types the Credential Issuer's AS supports\n   * using the respective metadata. When multiple grants are present, it's at the Wallet's discretion which one to use.\n   */\n  grants?: Grant\n\n  /**\n   * Some implementations might include a client_id in the offer. For instance EBSI in a same-device flow. (Cross-device tucks it in the state JWT)\n   */\n  client_id?: string\n}\n\nexport type CredentialRequestV1_0_11 = CommonCredentialRequest &\n  (CredentialRequestJwtVcJson | CredentialRequestJwtVcJsonLdAndLdpVc | CredentialRequestSdJwtVc)\n\nexport interface CredentialIssuerMetadataV1_0_11 extends CredentialIssuerMetadataOpts, Partial<AuthorizationServerMetadata> {\n  authorization_servers?: string[] // OPTIONAL. Array of strings that identify the OAuth 2.0 Authorization Servers (as defined in [RFC8414]) the Credential Issuer relies on for authorization. If this element is omitted, the entity providing the Credential Issuer is also acting as the AS, i.e. the Credential Issuer's identifier is used as the OAuth 2.0 Issuer value to obtain the Authorization Server metadata as per [RFC8414].\n  credential_endpoint: string // REQUIRED. URL of the Credential Issuer's Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path and query parameter components.\n  credential_response_encryption_alg_values_supported?: string // OPTIONAL. Array containing a list of the JWE [RFC7516] encryption algorithms (alg values) [RFC7518] supported by the Credential and/or Batch Credential Endpoint to encode the Credential or Batch Credential Response in a JWT [RFC7519].\n  credential_response_encryption_enc_values_supported?: string //OPTIONAL. Array containing a list of the JWE [RFC7516] encryption algorithms (enc values) [RFC7518] supported by the Credential and/or Batch Credential Endpoint to encode the Credential or Batch Credential Response in a JWT [RFC7519].\n  require_credential_response_encryption?: boolean //OPTIONAL. Boolean value specifying whether the Credential Issuer requires additional encryption on top of TLS for the Credential Response and expects encryption parameters to be present in the Credential Request and/or Batch Credential Request, with true indicating support. When the value is true, credential_response_encryption_alg_values_supported parameter MUST also be provided. If omitted, the default value is false.\n  credential_identifiers_supported?: boolean // OPTIONAL. Boolean value specifying whether the Credential Issuer supports returning credential_identifiers parameter in the authorization_details Token Response parameter, with true indicating support. If omitted, the default value is false.\n}\n\nexport interface AuthorizationRequestV1_0_11 extends AuthorizationDetailsJwtVcJson, AuthorizationDetailsJwtVcJson {\n  issuer_state?: string\n}\n\n// todo https://sphereon.atlassian.net/browse/VDX-185\nexport function isAuthorizationRequestV1_0_11(request: CommonAuthorizationRequest): boolean {\n  return request && 'issuer_state' in request\n}\n\nexport interface EndpointMetadataResultV1_0_11 extends EndpointMetadata {\n  // The EndpointMetadata are snake-case so they can easily be used in payloads/JSON.\n  // The values below should not end up in requests/responses directly, so they are using our normal CamelCase convention\n  authorizationServerType: AuthorizationServerType\n  authorizationServerMetadata?: AuthorizationServerMetadata\n  credentialIssuerMetadata?: Partial<AuthorizationServerMetadata> & IssuerMetadataV1_0_08\n}\n","import { JWK } from '@sphereon/oid4vc-common'\n\nimport { ExperimentalSubjectIssuance } from '../experimental/holder-vci'\n\nimport { ProofOfPossession } from './CredentialIssuance.types'\nimport {\n  AlgValue,\n  CommonCredentialRequest,\n  CredentialDataSupplierInput,\n  CredentialOfferMode,\n  CredentialRequestMsoMdoc,\n  CredentialRequestSdJwtVc,\n  CredentialsSupportedDisplay,\n  CredentialSupplierConfig,\n  EncValue,\n  Grant,\n  IssuerCredentialSubject,\n  MetadataDisplay,\n  OID4VCICredentialFormat,\n  ProofTypesSupported,\n  ResponseEncryption,\n  StatusListOpts,\n} from './Generic.types'\nimport { QRCodeOpts } from './QRCode.types'\nimport { AuthorizationServerMetadata, AuthorizationServerType, EndpointMetadata } from './ServerMetadata'\n\nexport interface IssuerMetadataV1_0_13 {\n  credential_configurations_supported: Record<string, CredentialConfigurationSupportedV1_0_13> // REQUIRED. A JSON object containing a list of key value pairs, where the key is a string serving as an abstract identifier of the Credential. This identifier is RECOMMENDED to be collision resistant - it can be globally unique, but does not have to be when naming conflicts are unlikely to arise in a given use case. The value is a JSON object. The JSON object MUST conform to the structure of the Section 11.2.1.\n  credential_issuer: string // A Credential Issuer is identified by a case sensitive URL using the https scheme that contains scheme, host and, optionally, port number and path components, but no query or fragment components.\n  credential_endpoint: string // REQUIRED. URL of the OP's Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path and query parameter components.\n  authorization_servers?: string[]\n  deferred_credential_endpoint?: string\n  notification_endpoint?: string\n  credential_response_encryption?: ResponseEncryption\n  token_endpoint?: string\n  display?: MetadataDisplay[]\n  authorization_challenge_endpoint?: string\n\n  [x: string]: unknown\n}\n\nexport type CredentialDefinitionJwtVcJsonV1_0_13 = {\n  type: string[]\n  credentialSubject?: IssuerCredentialSubject\n}\n\nexport type CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_13 = {\n  '@context': string[]\n  type: string[]\n  credentialSubject?: IssuerCredentialSubject\n}\n\nexport type CredentialConfigurationSupportedV1_0_13 = CredentialConfigurationSupportedCommonV1_0_13 &\n  (\n    | CredentialConfigurationSupportedSdJwtVcV1_0_13\n    | CredentialConfigurationSupportedJwtVcJsonV1_0_13\n    | CredentialConfigurationSupportedJwtVcJsonLdAndLdpVcV1_0_13\n    | CredentialConfigurationSupportedMsoMdocV1_0_13\n  )\n\n// Base type covering credential configurations supported\nexport type CredentialConfigurationSupportedCommonV1_0_13 = {\n  format: OID4VCICredentialFormat | 'string' //REQUIRED. A JSON string identifying the format of this credential, e.g. jwt_vc_json or ldp_vc.\n  scope?: string // OPTIONAL. A JSON string identifying the scope value that this Credential Issuer supports for this particular Credential. The value can be the same across multiple credential_configurations_supported objects. The Authorization Server MUST be able to uniquely identify the Credential Issuer based on the scope value. The Wallet can use this value in the Authorization Request as defined in Section 5.1.2. Scope values in this Credential Issuer metadata MAY duplicate those in the scopes_supported parameter of the Authorization Server.\n  cryptographic_binding_methods_supported?: string[]\n  credential_signing_alg_values_supported?: string[]\n  proof_types_supported?: ProofTypesSupported\n  display?: CredentialsSupportedDisplay[] // OPTIONAL. An array of objects, where each object contains the display properties of the supported credential for a certain language\n  [x: string]: unknown\n}\n\nexport interface CredentialConfigurationSupportedSdJwtVcV1_0_13 extends CredentialConfigurationSupportedCommonV1_0_13 {\n  format: 'vc+sd-jwt'\n\n  vct: string\n  claims?: IssuerCredentialSubject\n\n  order?: string[] //An array of claims.display.name values that lists them in the order they should be displayed by the Wallet.\n}\n\nexport interface CredentialConfigurationSupportedMsoMdocV1_0_13 extends CredentialConfigurationSupportedCommonV1_0_13 {\n  format: 'mso_mdoc'\n\n  doctype: string\n  claims?: IssuerCredentialSubject\n\n  order?: string[] //An array of claims.display.name values that lists them in the order they should be displayed by the Wallet.\n}\n\nexport interface CredentialConfigurationSupportedJwtVcJsonV1_0_13 extends CredentialConfigurationSupportedCommonV1_0_13 {\n  format: 'jwt_vc_json' | 'jwt_vc'\n  credential_definition: CredentialDefinitionJwtVcJsonV1_0_13\n  order?: string[] //An array of claims.display.name values that lists them in the order they should be displayed by the Wallet.\n}\n\nexport interface CredentialConfigurationSupportedJwtVcJsonLdAndLdpVcV1_0_13 extends CredentialConfigurationSupportedCommonV1_0_13 {\n  format: 'ldp_vc' | 'jwt_vc_json-ld'\n  credential_definition: CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_13\n  order?: string[] //An array of claims.display.name values that lists them in the order they should be displayed by the Wallet.\n}\n\nexport type CredentialRequestV1_0_13ResponseEncryption = {\n  jwk: JWK\n  alg: AlgValue\n  enc: EncValue\n}\n\nexport interface CredentialRequestV1_0_13Common extends ExperimentalSubjectIssuance {\n  credential_response_encryption?: CredentialRequestV1_0_13ResponseEncryption\n  proof?: ProofOfPossession\n\n  // We allow sending a issuer state back to the credential offer in case an auth code flow is used with an external AS and no nonces are used (not recommended), but does allow to integrate any OIDC server\n  issuer_state?: string\n}\n\nexport type CredentialRequestV1_0_13 = CredentialRequestV1_0_13Common &\n  (\n    | CredentialRequestJwtVcJsonV1_0_13\n    | CredentialRequestJwtVcJsonLdAndLdpVcV1_0_13\n    | CredentialRequestSdJwtVc\n    | CredentialRequestMsoMdoc\n    | CredentialRequestV1_0_13CredentialIdentifier\n  )\n\n/**\n * Normally a proof always needs to be present. There are exceptions for certain issuers doing strong user binding part of presentation flows\n */\nexport type CredentialRequestWithoutProofV1_0_13 = Omit<CredentialRequestV1_0_13Common, 'proof'> &\n  (\n    | CredentialRequestJwtVcJsonV1_0_13\n    | CredentialRequestJwtVcJsonLdAndLdpVcV1_0_13\n    | CredentialRequestSdJwtVc\n    | CredentialRequestMsoMdoc\n    | CredentialRequestV1_0_13CredentialIdentifier\n  )\n\nexport interface CredentialRequestV1_0_13CredentialIdentifier extends CredentialRequestV1_0_13Common {\n  // Format cannot be defined when credential_identifier is used\n  format?: undefined\n  credential_identifier: string\n}\n\nexport interface CredentialRequestJwtVcJsonV1_0_13 extends CommonCredentialRequest {\n  format: 'jwt_vc_json' | 'jwt_vc' // jwt_vc for backwards compat\n  credential_definition: CredentialDefinitionJwtVcJsonV1_0_13\n}\n\nexport interface CredentialRequestJwtVcJsonLdAndLdpVcV1_0_13 extends CommonCredentialRequest {\n  format: 'ldp_vc' | 'jwt_vc_json-ld'\n  credential_definition: CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_13\n}\n\nexport interface CredentialOfferV1_0_13 {\n  credential_offer?: CredentialOfferPayloadV1_0_13\n  credential_offer_uri?: string\n}\n\nexport interface CredentialOfferRESTRequest extends Partial<CredentialOfferPayloadV1_0_13> {\n  redirectUri?: string\n  baseUri?: string\n  scheme?: string\n  // auth_session?: string; Would be a nice extension to support, to allow external systems to determine what the auth_session value should be\n  // @Deprecated use tx_code in the grant object\n  correlationId?: string\n  sessionLifeTimeInSec?: number\n  pinLength?: number\n  qrCodeOpts?: QRCodeOpts\n  client_id?: string\n  credentialDataSupplierInput?: CredentialDataSupplierInput\n  statusListOpts?: Array<StatusListOpts>\n  offerMode?: CredentialOfferMode\n}\n\nexport interface CredentialOfferPayloadV1_0_13 {\n  /**\n   * REQUIRED. The URL of the Credential Issuer, as defined in Section 11.2.1, from which the Wallet is requested to\n   * obtain one or more Credentials. The Wallet uses it to obtain the Credential Issuer's Metadata following the steps\n   * defined in Section 11.2.2.\n   */\n  credential_issuer: string\n\n  /**\n   *  REQUIRED. Array of unique strings that each identify one of the keys in the name/value pairs stored in\n   *  the credential_configurations_supported Credential Issuer metadata. The Wallet uses these string values\n   *  to obtain the respective object that contains information about the Credential being offered as defined\n   *  in Section 11.2.3. For example, these string values can be used to obtain scope values to be used in\n   *  the Authorization Request.\n   */\n  credential_configuration_ids: string[]\n  /**\n   * OPTIONAL. A JSON object indicating to the Wallet the Grant Types the Credential Issuer's AS is prepared\n   * to process for this credential offer. Every grant is represented by a key and an object.\n   * The key value is the Grant Type identifier, the object MAY contain parameters either determining the way\n   * the Wallet MUST use the particular grant and/or parameters the Wallet MUST send with the respective request(s).\n   * If grants is not present or empty, the Wallet MUST determine the Grant Types the Credential Issuer's AS supports\n   * using the respective metadata. When multiple grants are present, it's at the Wallet's discretion which one to use.\n   */\n  grants?: Grant\n\n  /**\n   * Some implementations might include a client_id in the offer. For instance EBSI in a same-device flow. (Cross-device tucks it in the state JWT)\n   */\n  client_id?: string\n}\n\nexport interface CredentialIssuerMetadataOptsV1_0_13 {\n  credential_endpoint: string // REQUIRED. URL of the Credential Issuer's Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path and query parameter components.\n  batch_credential_endpoint?: string // OPTIONAL. URL of the Credential Issuer's Batch Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path and query parameter components. If omitted, the Credential Issuer does not support the Batch Credential Endpoint.\n  deferred_credential_endpoint?: string // OPTIONAL. URL of the Credential Issuer's Deferred Credential Endpoint, as defined in Section 9. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. If omitted, the Credential Issuer does not support the Deferred Credential Endpoint.\n  notification_endpoint?: string // OPTIONAL. URL of the Credential Issuer's Notification Endpoint, as defined in Section 10. This URL MUST use the https scheme and MAY contain port, path, and query parameter components. If omitted, the Credential Issuer does not support the Notification Endpoint.\n  credential_response_encryption?: ResponseEncryption // OPTIONAL. Object containing information about whether the Credential Issuer supports encryption of the Credential and Batch Credential Response on top of TLS.\n  credential_identifiers_supported?: boolean // OPTIONAL. Boolean value specifying whether the Credential Issuer supports returning credential_identifiers parameter in the authorization_details Token Response parameter, with true indicating support. If omitted, the default value is false.\n  credential_configurations_supported: Record<string, CredentialConfigurationSupportedV1_0_13> // REQUIRED. A JSON array containing a list of JSON objects, each of them representing metadata about a separate credential type that the Credential Issuer can issue. The JSON objects in the array MUST conform to the structure of the Section 10.2.3.1.\n  credential_issuer: string // REQUIRED. The Credential Issuer's identifier.\n  authorization_servers?: string[] // OPTIONAL. Array of strings that identify the OAuth 2.0 Authorization Servers (as defined in [RFC8414]) the Credential Issuer relies on for authorization. If this element is omitted, the entity providing the Credential Issuer is also acting as the AS, i.e. the Credential Issuer's identifier is used as the OAuth 2.0 Issuer value to obtain the Authorization Server metadata as per [RFC8414].\n  signed_metadata?: string // OPTIONAL. String that is a signed JWT. This JWT contains Credential Issuer metadata parameters as claims.\n  display?: MetadataDisplay[] //  An array of objects, where each object contains display properties of a Credential Issuer for a certain language. Below is a non-exhaustive list of valid parameters that MAY be included:\n  authorization_challenge_endpoint?: string // OPTIONAL URL of the Credential Issuer's Authorization Challenge Endpoint. This URL MUST use the https scheme and MAY contain port, path and query parameter components. Described on https://www.ietf.org/archive/id/draft-parecki-oauth-first-party-apps-02.html#name-authorization-challenge-end\n\n  //todo: these two are not mentioned in the spec\n  token_endpoint?: string\n  credential_supplier_config?: CredentialSupplierConfig\n}\n\n// These can be used be a reducer\nexport const credentialIssuerMetadataFieldNames: Array<keyof CredentialIssuerMetadataOptsV1_0_13> = [\n  // Required fields\n  'credential_issuer',\n  'credential_configurations_supported',\n  'credential_endpoint',\n\n  // Optional fields from CredentialIssuerMetadataOpts\n  'batch_credential_endpoint',\n  'deferred_credential_endpoint',\n  'notification_endpoint',\n  'credential_response_encryption',\n  'authorization_servers',\n  'token_endpoint',\n  'display',\n  'credential_supplier_config',\n\n  // Optional fields from v1.0.13\n  'credential_identifiers_supported',\n  'signed_metadata',\n] as const\n\nexport interface EndpointMetadataResultV1_0_13 extends EndpointMetadata {\n  // The EndpointMetadata are snake-case so they can easily be used in payloads/JSON.\n  // The values below should not end up in requests/responses directly, so they are using our normal CamelCase convention\n  authorizationServerType: AuthorizationServerType\n  authorizationServerMetadata?: AuthorizationServerMetadata\n  credentialIssuerMetadata?: Partial<AuthorizationServerMetadata> & IssuerMetadataV1_0_13\n}\n\n// For now we extend the opts above. Only difference is that the credential endpoint is optional in the Opts, as it can come from other sources. The value is however required in the eventual Issuer Metadata\nexport interface CredentialIssuerMetadataV1_0_13 extends CredentialIssuerMetadataOptsV1_0_13, Partial<AuthorizationServerMetadata> {\n  authorization_servers?: string[] // OPTIONAL. Array of strings that identify the OAuth 2.0 Authorization Servers (as defined in [RFC8414]) the Credential Issuer relies on for authorization. If this element is omitted, the entity providing the Credential Issuer is also acting as the AS, i.e. the Credential Issuer's identifier is used as the OAuth 2.0 Issuer value to obtain the Authorization Server metadata as per [RFC8414].\n  credential_endpoint: string // REQUIRED. URL of the Credential Issuer's Credential Endpoint. This URL MUST use the https scheme and MAY contain port, path and query parameter components.\n  credential_configurations_supported: Record<string, CredentialConfigurationSupportedV1_0_13> // REQUIRED. A JSON array containing a list of JSON objects, each of them representing metadata about a separate credential type that the Credential Issuer can issue. The JSON objects in the array MUST conform to the structure of the Section 10.2.3.1.\n  credential_issuer: string // REQUIRED. The Credential Issuer's identifier.\n  credential_response_encryption_alg_values_supported?: string // OPTIONAL. Array containing a list of the JWE [RFC7516] encryption algorithms (alg values) [RFC7518] supported by the Credential and/or Batch Credential Endpoint to encode the Credential or Batch Credential Response in a JWT [RFC7519].\n  credential_response_encryption_enc_values_supported?: string //OPTIONAL. Array containing a list of the JWE [RFC7516] encryption algorithms (enc values) [RFC7518] supported by the Credential and/or Batch Credential Endpoint to encode the Credential or Batch Credential Response in a JWT [RFC7519].\n  require_credential_response_encryption?: boolean //OPTIONAL. Boolean value specifying whether the Credential Issuer requires additional encryption on top of TLS for the Credential Response and expects encryption parameters to be present in the Credential Request and/or Batch Credential Request, with true indicating support. When the value is true, credential_response_encryption_alg_values_supported parameter MUST also be provided. If omitted, the default value is false.\n  credential_identifiers_supported?: boolean // OPTIONAL. Boolean value specifying whether the Credential Issuer supports returning credential_identifiers parameter in the authorization_details Token Response parameter, with true indicating support. If omitted, the default value is false.\n}\n","import { DynamicRegistrationClientMetadata, SigningAlgo } from '@sphereon/oid4vc-common'\n\nexport type OAuthResponseType = 'code' | 'token' | 'id_token' | 'code token' | 'code id_token' | 'token id_token' | 'code token id_token'\n\nexport type TokenEndpointAuthMethod = 'client_secret_basic' | 'client_secret_post' | 'client_secret_jwt' | 'private_key_jwt' | 'none'\n\nexport type TokenEndpointAuthSigningAlg =\n  | 'RS256'\n  | 'RS384'\n  | 'RS512'\n  | 'ES256'\n  | 'ES384'\n  | 'ES512'\n  | 'PS256'\n  | 'PS384'\n  | 'PS512'\n  | 'HS256'\n  | 'HS384'\n  | 'HS512'\n\nexport type OAuthScope = 'openid' | 'profile' | 'email' | 'address' | 'phone' | 'offline_access'\n\nexport type OAuthResponseMode = 'query' | 'fragment' | 'form_post'\n\nexport type OAuthGrantType =\n  | 'authorization_code'\n  | 'implicit'\n  | 'password'\n  | 'client_credentials'\n  | 'refresh_token'\n  | 'urn:ietf:params:oauth:grant-type:device_code'\n  | 'urn:ietf:params:oauth:grant-type:saml2-bearer'\n  | 'urn:ietf:params:oauth:grant-type:jwt-bearer'\n\nexport type RevocationEndpointAuthMethod = 'client_secret_basic' | 'client_secret_post' | 'client_secret_jwt' | 'private_key_jwt' | 'none'\n\nexport type RevocationEndpointAuthSigningAlg =\n  | 'RS256'\n  | 'RS384'\n  | 'RS512'\n  | 'ES256'\n  | 'ES384'\n  | 'ES512'\n  | 'PS256'\n  | 'PS384'\n  | 'PS512'\n  | 'HS256'\n  | 'HS384'\n  | 'HS512'\n\nexport type PKCECodeChallengeMethod = 'plain' | 'S256'\n\nexport interface AuthorizationServerMetadata extends DynamicRegistrationClientMetadata {\n  issuer: string\n  authorization_endpoint?: string\n  authorization_challenge_endpoint?: string\n  token_endpoint?: string\n  token_endpoint_auth_methods_supported?: Array<TokenEndpointAuthMethod>\n  token_endpoint_auth_signing_alg_values_supported?: Array<TokenEndpointAuthSigningAlg>\n\n  registration_endpoint?: string\n  scopes_supported?: Array<OAuthScope | string>\n  response_types_supported: Array<OAuthResponseType>\n  response_modes_supported?: Array<OAuthResponseMode>\n  grant_types_supported?: Array<OAuthGrantType>\n  service_documentation?: string\n  ui_locales_supported?: string[]\n  op_policy_uri?: string\n  op_tos_uri?: string\n\n  revocation_endpoint?: string\n  revocation_endpoint_auth_methods_supported?: Array<RevocationEndpointAuthMethod>\n  revocation_endpoint_auth_signing_alg_values_supported?: Array<RevocationEndpointAuthSigningAlg>\n\n  introspection_endpoint?: string\n  code_challenge_methods_supported?: Array<PKCECodeChallengeMethod>\n\n  // TODO below fields are not in the rfc8414 spec, do we need them?\n  pushed_authorization_request_endpoint?: string // The URL of the pushed authorization request endpoint at which a client can post an authorization request to exchange for a request_uri value usable at the authorization server\n  // Note that the presence of pushed_authorization_request_endpoint is sufficient for a client to determine that it may use the PAR flow. A request_uri value obtained from the PAR endpoint is usable at the authorization endpoint regardless of other authorization server metadata such as request_uri_parameter_supported or require_request_uri_registration\n  require_pushed_authorization_requests?: boolean // Boolean parameter indicating whether Indicates whether the client is required to use PAR to initiate authorization. If omitted, the default value is false.\n  'pre-authorized_grant_anonymous_access_supported': boolean // OPTIONAL. A JSON Boolean indicating whether the issuer accepts a Token Request with a Pre-Authorized Code but without a client id. The default is false\n  // A JSON array containing a list of the JWS alg values (from the [IANA.JOSE.ALGS] registry) supported by the authorization server for DPoP proof JWTs.\n  dpop_signing_alg_values_supported?: (string | SigningAlgo)[]\n  // OIDC values\n  frontchannel_logout_supported?: boolean\n  frontchannel_logout_session_supported?: boolean\n  backchannel_logout_supported?: boolean\n  backchannel_logout_session_supported?: boolean\n  userinfo_endpoint?: string\n  check_session_iframe?: string\n  end_session_endpoint?: string\n  acr_values_supported?: string[]\n  subject_types_supported?: string[]\n  request_object_signing_alg_values_supported?: string[]\n  display_values_supported?: string[]\n  claim_types_supported?: string[]\n  claims_supported?: string[]\n  claims_parameter_supported?: boolean\n\n  // VCI values. In case an AS provides a credential_endpoint itself\n  credential_endpoint?: string\n  deferred_credential_endpoint?: string\n\n  // eslint-disable-next-line  @typescript-eslint/no-explicit-any\n  [x: string]: any //We use any, so you can access properties if you know the structure\n}\n\n// These can be used be a reducer\nexport const authorizationServerMetadataFieldNames: Array<keyof AuthorizationServerMetadata> = [\n  'issuer',\n  'authorization_endpoint',\n  'authorization_challenge_endpoint',\n  'token_endpoint',\n  'jwks_uri',\n  'registration_endpoint',\n  'scopes_supported',\n  'response_types_supported',\n  'response_modes_supported',\n  'grant_types_supported',\n  'token_endpoint_auth_methods_supported',\n  'token_endpoint_auth_signing_alg_values_supported',\n  'service_documentation',\n  'ui_locales_supported',\n  'op_policy_uri',\n  'op_tos_uri',\n  'revocation_endpoint',\n  'revocation_endpoint_auth_methods_supported',\n  'revocation_endpoint_auth_signing_alg_values_supported',\n  'introspection_endpoint',\n  'introspection_endpoint_auth_methods_supported',\n  'introspection_endpoint_auth_signing_alg_values_supported',\n  'code_challenge_methods_supported',\n  'signed_metadata',\n] as const\n\nexport enum WellKnownEndpoints {\n  OPENID_CONFIGURATION = '/.well-known/openid-configuration',\n  OAUTH_AS = '/.well-known/oauth-authorization-server',\n  OPENID4VCI_ISSUER = '/.well-known/openid-credential-issuer',\n}\n\nexport type AuthorizationServerType = 'OIDC' | 'OAuth 2.0' | 'OID4VCI' // OID4VCI means the Issuer hosts a token endpoint itself\n\nexport interface EndpointMetadata {\n  issuer: string\n  token_endpoint: string\n  credential_endpoint: string\n  deferred_credential_endpoint?: string\n  authorization_server?: string\n  authorization_endpoint?: string // Can be undefined in pre-auth flow\n  authorization_challenge_endpoint?: string\n}\n","import { Alg } from './CredentialIssuance.types'\n\nexport const BAD_PARAMS = 'Wrong parameters provided'\nexport const URL_NOT_VALID = 'Request url is not valid'\nexport const JWS_NOT_VALID = 'JWS is not valid'\nexport const PROOF_CANT_BE_CONSTRUCTED = \"Proof can't be constructed.\"\nexport const NO_JWT_PROVIDED = 'No JWT provided'\nexport const TYP_ERROR = 'Typ must be \"openid4vci-proof+jwt\"'\nexport const ALG_ERROR = `Algorithm is a required field, you are free to use the signing algorithm of your choice or one of the following: ${Object.keys(\n  Alg,\n).join(', ')}`\nexport const KID_JWK_X5C_ERROR = 'Only one must be present: x5c should not present when kid and/or jwk is already present'\nexport const KID_DID_NO_DID_ERROR = 'A DID value needs to be returned when kid is present'\nexport const DID_NO_DIDDOC_ERROR = 'A DID Document needs to be resolved when a DID is encountered'\nexport const AUD_ERROR = 'aud must be the URL of the credential issuer'\nexport const IAT_ERROR = 'iat must be the time at which the proof was issued'\nexport const NONCE_ERROR = 'nonce must be c_nonce provided by the credential issuer'\nexport const JWT_VERIFY_CONFIG_ERROR = 'JWT verify callback not configured correctly.'\nexport const ISSUER_CONFIG_ERROR = 'Issuer not configured correctly.'\nexport const UNKNOWN_CLIENT_ERROR = 'The client is not known by the issuer'\nexport const NO_ISS_IN_AUTHORIZATION_CODE_CONTEXT = 'iss missing in authorization-code context'\nexport const ISS_PRESENT_IN_PRE_AUTHORIZED_CODE_CONTEXT = 'iss should be omitted in pre-authorized-code context'\nexport const ISS_MUST_BE_CLIENT_ID = 'iss must be the client id'\nexport const GRANTS_MUST_NOT_BE_UNDEFINED = 'Grants must not be undefined'\nexport const STATE_MISSING_ERROR = 'issuer state or pre-authorized key not found'\nexport const CREDENTIAL_MISSING_ERROR = 'Credential must be present in response'\nexport const UNSUPPORTED_GRANT_TYPE_ERROR = 'unsupported grant_type'\nexport const PRE_AUTHORIZED_CODE_REQUIRED_ERROR = 'pre-authorized_code is required'\nexport const USER_PIN_REQUIRED_ERROR = 'User pin is required'\nexport const USER_PIN_TX_CODE_SPEC_ERROR = 'user_pin is mixed with tx_code, indicating a spec mismatch'\nexport const USER_PIN_NOT_REQUIRED_ERROR = 'User pin is not required'\nexport const PIN_VALIDATION_ERROR = 'PIN must consist the following amount of characters:'\nexport const PIN_NOT_MATCH_ERROR = 'PIN is invalid'\nexport const INVALID_PRE_AUTHORIZED_CODE = 'pre-authorized_code is invalid'\nexport const EXPIRED_PRE_AUTHORIZED_CODE = 'pre-authorized_code is expired'\nexport const JWT_SIGNER_CALLBACK_REQUIRED_ERROR = 'JWT signer callback function is required'\nexport const STATE_MANAGER_REQUIRED_ERROR = 'StateManager instance is required'\nexport const NONCE_STATE_MANAGER_REQUIRED_ERROR = 'NonceStateManager instance is required'\nexport const ACCESS_TOKEN_ISSUER_REQUIRED_ERROR = 'access token issuer is required'\nexport const WRONG_METADATA_FORMAT = 'Wrong metadata format'\n","export enum OpenId4VCIVersion {\n  VER_1_0_08 = 1008,\n  VER_1_0_09 = 1009,\n  VER_1_0_11 = 1011,\n  VER_1_0_12 = 1012,\n  VER_1_0_13 = 1013,\n  VER_UNKNOWN = Number.MAX_VALUE,\n}\n\nexport enum DefaultURISchemes {\n  INITIATE_ISSUANCE = 'openid-initiate-issuance',\n  CREDENTIAL_OFFER = 'openid-credential-offer',\n}\n","import { AssertedUniformCredentialOffer } from './CredentialIssuance.types'\nimport { CredentialDataSupplierInput, NotificationRequest, StatusListOpts } from './Generic.types'\n\nexport interface StateType {\n  createdAt: number\n  expiresAt?: number\n}\n\nexport interface CredentialOfferSession extends StateType {\n  clientId?: string\n  credentialOffer: AssertedUniformCredentialOffer\n  credentialDataSupplierInput?: CredentialDataSupplierInput // Optional storage that can help the credential Data Supplier. For instance to store credential input data during offer creation, if no additional data can be supplied later on\n  txCode?: string // in here we only store the txCode, previously < V13 this was the userPin. We map the userPin onto this value\n  status: IssueStatus\n  error?: string\n  lastUpdatedAt: number\n  notification_id: string\n  notification?: NotificationRequest\n  issuerState?: string //todo: Probably good to hash it here, since it would come in from the client and we could match the hash and thus use the client value\n  preAuthorizedCode?: string //todo: Probably good to hash it here, since it would come in from the client and we could match the hash and thus use the client value\n  authorizationCode?: string\n  redirectUri?: string\n  statusLists?: Array<StatusListOpts>\n}\n\nexport enum IssueStatus {\n  OFFER_CREATED = 'OFFER_CREATED', // An offer is created. This is the initial state\n  ACCESS_TOKEN_REQUESTED = 'ACCESS_TOKEN_REQUESTED', // Optional state, given the token endpoint could also be on a separate AS\n  ACCESS_TOKEN_CREATED = 'ACCESS_TOKEN_CREATED', // Optional state, given the token endpoint could also be on a separate AS\n  CREDENTIAL_REQUEST_RECEIVED = 'CREDENTIAL_REQUEST_RECEIVED', // Credential request received. Next state would either be error or issued\n  CREDENTIAL_ISSUED = 'CREDENTIAL_ISSUED', // The credential iss issued from the issuer's perspective\n  NOTIFICATION_CREDENTIAL_ACCEPTED = 'NOTIFICATION_CREDENTIAL_ACCEPTED', // The holder/user stored the credential in the wallet (If notifications are enabled)\n  NOTIFICATION_CREDENTIAL_DELETED = 'NOTIFICATION_CREDENTIAL_DELETED', // The holder/user did not store the credential in the wallet (If notifications are enabled)\n  NOTIFICATION_CREDENTIAL_FAILURE = 'NOTIFICATION_CREDENTIAL_FAILURE', // The holder/user encountered an error (If notifications are enabled)\n  ERROR = 'ERROR', // An error occurred\n}\n\nexport interface CNonceState extends StateType {\n  cNonce: string\n  issuerState?: string\n  preAuthorizedCode?: string //todo: Probably good to hash it here, since it would come in from the client and we could match the hash and thus use the client value\n}\n\nexport interface URIState extends StateType {\n  issuerState?: string //todo: Probably good to hash it here, since it would come in from the client and we could match the hash and thus use the client value\n  preAuthorizedCode?: string //todo: Probably good to hash it here, since it would come in from the client and we could match the hash and thus use the client value\n  uri: string //todo: Probably good to hash it here, since it would come in from the client and we could match the hash and thus use the client value\n  correlationId?: string\n}\n\nexport interface IssueStatusResponse {\n  createdAt: number\n  lastUpdatedAt: number\n  expiresAt?: number\n  status: IssueStatus\n  error?: string\n  clientId?: string\n  statusLists?: Array<StatusListOpts>\n}\n\nexport interface IStateManager<T extends StateType> {\n  set(id: string, stateValue: T): Promise<void>\n\n  get(id: string): Promise<T | undefined>\n\n  has(id: string): Promise<boolean>\n\n  delete(id: string): Promise<boolean>\n\n  clearExpired(timestamp?: number): Promise<void> // clears all expired states compared against timestamp if provided, otherwise current timestamp\n\n  clearAll(): Promise<void> // clears all states\n\n  getAsserted(id: string): Promise<T>\n\n  startCleanupRoutine(timeout?: number): Promise<void>\n\n  stopCleanupRoutine(): Promise<void>\n}\n","export enum TokenErrorResponse {\n  invalid_request = 'invalid_request',\n  invalid_grant = 'invalid_grant',\n  invalid_client = 'invalid_client', // this code has been added only in v1_0-11, but I've added this to the common interface. @nklomp is this ok?\n  invalid_scope = 'invalid_scope',\n  invalid_dpop_proof = 'invalid_dpop_proof',\n}\n\nexport class TokenError extends Error {\n  private readonly _statusCode: number\n  private readonly _responseError: TokenErrorResponse\n  constructor(statusCode: number, responseError: TokenErrorResponse, message: string) {\n    super(message)\n    this._statusCode = statusCode\n    this._responseError = responseError\n\n    // 👇️ because we are extending a built-in class\n    Object.setPrototypeOf(this, TokenError.prototype)\n  }\n  get statusCode(): number {\n    return this._statusCode\n  }\n  get responseError(): TokenErrorResponse {\n    return this._responseError\n  }\n\n  getDescription() {\n    return this.message\n  }\n}\n","export interface ComponentOptions {\n  /**\n   * Component options for data/ECC.\n   */\n  data?: {\n    /**\n     * Scale factor for data/ECC dots.\n     * @default 1\n     */\n    scale?: number\n  }\n\n  /**\n   * Component options for timing patterns.\n   */\n  timing?: {\n    /**\n     * Scale factor for timing patterns.\n     * @default 1\n     */\n    scale?: number\n\n    /**\n     * Protector for timing patterns.\n     * @default false\n     */\n    protectors?: boolean\n  }\n\n  /**\n   * Component options for alignment patterns.\n   */\n  alignment?: {\n    /**\n     * Scale factor for alignment patterns.\n     * @default 1\n     */\n    scale?: number\n\n    /**\n     * Protector for alignment patterns.\n     * @default false\n     */\n    protectors?: boolean\n  }\n\n  /**\n   * Component options for alignment pattern on the bottom-right corner.\n   */\n  cornerAlignment?: {\n    /**\n     * Scale factor for alignment pattern on the bottom-right corner.\n     * @default 1\n     */\n    scale?: number\n\n    /**\n     * Protector for alignment pattern on the bottom-right corner.\n     * @default true\n     */\n    protectors?: boolean\n  }\n}\n\nexport interface QRCodeOpts {\n  /**\n   * Size of the QR code in pixel.\n   *\n   * @defaultValue 400\n   */\n  size?: number\n\n  /**\n   * Size of margins around the QR code body in pixel.\n   *\n   * @defaultValue 20\n   */\n  margin?: number\n\n  /**\n   * Error correction level of the QR code.\n   *\n   * Accepts a value provided by _QRErrorCorrectLevel_.\n   *\n   * For more information, please refer to [https://www.qrcode.com/en/about/error_correction.html](https://www.qrcode.com/en/about/error_correction.html).\n   *\n   * @defaultValue 0\n   */\n  correctLevel?: number\n\n  /**\n   * **This is an advanced option.**\n   *\n   * Specify the mask pattern to be used in QR code encoding.\n   *\n   * Accepts a value provided by _QRMaskPattern_.\n   *\n   * To find out all eight mask patterns, please refer to [https://en.wikipedia.org/wiki/File:QR_Code_Mask_Patterns.svg](https://en.wikipedia.org/wiki/File:QR_Code_Mask_Patterns.svg)\n   *\n   * For more information, please refer to [https://en.wikiversity.org/wiki/Reed%E2%80%93Solomon_codes_for_coders#Masking](https://en.wikiversity.org/wiki/Reed%E2%80%93Solomon_codes_for_coders#Masking).\n   */\n  maskPattern?: number\n\n  /**\n   * **This is an advanced option.**\n   *\n   * Specify the version to be used in QR code encoding.\n   *\n   * Accepts an integer in range [1, 40].\n   *\n   * For more information, please refer to [https://www.qrcode.com/en/about/version.html](https://www.qrcode.com/en/about/version.html).\n   */\n  version?: number\n\n  /**\n   * Options to control components in the QR code.\n   *\n   * @deafultValue undefined\n   */\n  components?: ComponentOptions\n\n  /**\n   * Color of the blocks on the QR code.\n   *\n   * Accepts a CSS &lt;color&gt;.\n   *\n   * For more information about CSS &lt;color&gt;, please refer to [https://developer.mozilla.org/en-US/docs/Web/CSS/color_value](https://developer.mozilla.org/en-US/docs/Web/CSS/color_value).\n   *\n   * @defaultValue \"#000000\"\n   */\n  colorDark?: string\n\n  /**\n   * Color of the empty areas on the QR code.\n   *\n   * Accepts a CSS &lt;color&gt;.\n   *\n   * For more information about CSS &lt;color&gt;, please refer to [https://developer.mozilla.org/en-US/docs/Web/CSS/color_value](https://developer.mozilla.org/en-US/docs/Web/CSS/color_value).\n   *\n   * @defaultValue \"#ffffff\"\n   */\n  colorLight?: string\n\n  /**\n   * Automatically calculate the _colorLight_ value from the QR code's background.\n   *\n   * @defaultValue true\n   */\n  autoColor?: boolean\n\n  /**\n   * Background image to be used in the QR code.\n   *\n   * Accepts a `data:` string in web browsers or a Buffer in Node.js.\n   *\n   * @defaultValue undefined\n   */\n  backgroundImage?: string | Buffer\n\n  /**\n   * Color of the dimming mask above the background image.\n   *\n   * Accepts a CSS &lt;color&gt;.\n   *\n   * For more information about CSS &lt;color&gt;, please refer to [https://developer.mozilla.org/en-US/docs/Web/CSS/color_value](https://developer.mozilla.org/en-US/docs/Web/CSS/color_value).\n   *\n   * @defaultValue \"rgba(0, 0, 0, 0)\"\n   */\n  backgroundDimming?: string\n\n  /**\n   * GIF background image to be used in the QR code.\n   *\n   * @defaultValue undefined\n   */\n  gifBackground?: ArrayBuffer\n\n  /**\n   * Use a white margin instead of a transparent one which reveals the background of the QR code on margins.\n   *\n   * @defaultValue true\n   */\n  whiteMargin?: boolean\n\n  /**\n   * Logo image to be displayed at the center of the QR code.\n   *\n   * Accepts a `data:` string in web browsers or a Buffer in Node.js.\n   *\n   * When set to `undefined` or `null`, the logo is disabled.\n   *\n   * @defaultValue undefined\n   */\n  logoImage?: string | Buffer\n\n  /**\n   * Ratio of the logo size to the QR code size.\n   *\n   * @defaultValue 0.2\n   */\n  logoScale?: number\n\n  /**\n   * Size of margins around the logo image in pixels.\n   *\n   * @defaultValue 6\n   */\n  logoMargin?: number\n\n  /**\n   * Corner radius of the logo image in pixels.\n   *\n   * @defaultValue 8\n   */\n  logoCornerRadius?: number\n\n  /**\n   * @deprecated\n   *\n   * Ratio of the real size to the full size of the blocks.\n   *\n   * This can be helpful when you want to make more parts of the background visible.\n   *\n   * @deafultValue 0.4\n   */\n  dotScale?: number\n}\n","import { CredentialFormat } from '@sphereon/ssi-types'\n\nimport { OID4VCICredentialFormat, OpenId4VCIVersion } from '../types'\n\nexport function isFormat<T extends { format?: OID4VCICredentialFormat }, Format extends OID4VCICredentialFormat>(\n  formatObject: T,\n  format: Format,\n): formatObject is T & { format: Format } {\n  return formatObject.format === format\n}\n\nexport function isNotFormat<T extends { format?: OID4VCICredentialFormat }, Format extends OID4VCICredentialFormat>(\n  formatObject: T,\n  format: Format,\n): formatObject is T & { format: Exclude<OID4VCICredentialFormat, Format> } {\n  return formatObject.format !== format\n}\n\nconst isUniformFormat = (format: string): format is OID4VCICredentialFormat => {\n  return ['jwt_vc_json', 'jwt_vc_json-ld', 'ldp_vc', 'vc+sd-jwt', 'mso_mdoc'].includes(format)\n}\n\nexport function getUniformFormat(format: string | OID4VCICredentialFormat | CredentialFormat): OID4VCICredentialFormat {\n  // Already valid format\n  if (isUniformFormat(format)) {\n    return format\n  }\n\n  // Older formats\n  if (format.toLocaleLowerCase() === 'jwt_vc' || format.toLocaleLowerCase() === 'jwt') {\n    return 'jwt_vc'\n  }\n  if (format === 'ldp_vc' || format === 'ldp') {\n    return 'ldp_vc'\n  }\n\n  throw new Error(`Invalid format: ${format}`)\n}\n\nexport function getFormatForVersion(format: string, version: OpenId4VCIVersion) {\n  const uniformFormat = isUniformFormat(format) ? format : getUniformFormat(format)\n\n  if (version === OpenId4VCIVersion.VER_1_0_08) {\n    if (uniformFormat === 'jwt_vc_json') {\n      return 'jwt_vc' as const\n    } else if (uniformFormat === 'ldp_vc' || uniformFormat === 'jwt_vc_json-ld') {\n      return 'ldp_vc' as const\n    }\n  }\n\n  return uniformFormat\n}\n","import { CredentialResponse, OpenIDResponse } from '../types'\n\nimport { post } from './HttpUtils'\n\nexport function isDeferredCredentialResponse(credentialResponse: OpenIDResponse<CredentialResponse>) {\n  const orig = credentialResponse.successBody\n  // Specs mention 202, but some implementations like EBSI return 200\n  return credentialResponse.origResponse.status % 200 <= 2 && !!orig && !orig.credential && (!!orig.acceptance_token || !!orig.transaction_id)\n}\nfunction assertNonFatalError(credentialResponse: OpenIDResponse<CredentialResponse>) {\n  if (credentialResponse.origResponse.status === 400 && credentialResponse.errorBody?.error) {\n    if (credentialResponse.errorBody.error === 'invalid_transaction_id' || credentialResponse.errorBody.error.includes('acceptance_token')) {\n      throw Error('Invalid transaction id. Probably the deferred credential request expired')\n    }\n  }\n}\n\nexport function isDeferredCredentialIssuancePending(credentialResponse: OpenIDResponse<CredentialResponse>) {\n  if (isDeferredCredentialResponse(credentialResponse)) {\n    return credentialResponse?.successBody?.transaction_id ?? !!credentialResponse?.successBody?.acceptance_token\n  }\n  if (credentialResponse.origResponse.status === 400 && credentialResponse.errorBody?.error) {\n    if (credentialResponse.errorBody.error === 'issuance_pending') {\n      return true\n    } else if (credentialResponse.errorBody.error_description?.toLowerCase().includes('not available yet')) {\n      return true\n    }\n  }\n  return false\n}\n\nfunction sleep(ms: number) {\n  return new Promise((resolve) => {\n    setTimeout(resolve, ms)\n  })\n}\n\nexport async function acquireDeferredCredential({\n  bearerToken,\n  transactionId,\n  deferredCredentialEndpoint,\n  deferredCredentialIntervalInMS,\n  deferredCredentialAwait,\n}: {\n  bearerToken: string\n  transactionId?: string\n  deferredCredentialIntervalInMS?: number\n  deferredCredentialAwait?: boolean\n  deferredCredentialEndpoint: string\n}): Promise<OpenIDResponse<CredentialResponse> & { access_token: string }> {\n  let credentialResponse: OpenIDResponse<CredentialResponse> & { access_token: string } = await acquireDeferredCredentialImpl({\n    bearerToken,\n    transactionId,\n    deferredCredentialEndpoint,\n  })\n\n  const DEFAULT_SLEEP_IN_MS = 5000\n  while (!credentialResponse.successBody?.credential && deferredCredentialAwait) {\n    assertNonFatalError(credentialResponse)\n    const pending = isDeferredCredentialIssuancePending(credentialResponse)\n    console.log(`Issuance still pending?: ${pending}`)\n    if (!pending) {\n      throw Error(`Issuance isn't pending anymore: ${credentialResponse}`)\n    }\n\n    await sleep(deferredCredentialIntervalInMS ?? DEFAULT_SLEEP_IN_MS)\n    credentialResponse = await acquireDeferredCredentialImpl({ bearerToken, transactionId, deferredCredentialEndpoint })\n  }\n  return credentialResponse\n}\n\nasync function acquireDeferredCredentialImpl({\n  bearerToken,\n  transactionId,\n  deferredCredentialEndpoint,\n}: {\n  bearerToken: string\n  transactionId?: string\n  deferredCredentialEndpoint: string\n}): Promise<OpenIDResponse<CredentialResponse> & { access_token: string }> {\n  const response: OpenIDResponse<CredentialResponse> = await post(\n    deferredCredentialEndpoint,\n    JSON.stringify(transactionId ? { transaction_id: transactionId } : ''),\n    { bearerToken },\n  )\n  console.log(JSON.stringify(response, null, 2))\n  assertNonFatalError(response)\n\n  return { ...response, access_token: bearerToken }\n}\n","import { Loggers } from '@sphereon/ssi-types'\nimport { fetch } from 'cross-fetch'\n\nimport { Encoding, OpenIDResponse } from '../types'\n\nconst logger = Loggers.DEFAULT.get('sphereon:openid4vci:http')\n\nexport const getJson = async <T>(\n  URL: string,\n  opts?: {\n    bearerToken?: (() => Promise<string>) | string\n    contentType?: string\n    accept?: string\n    customHeaders?: Record<string, string>\n    exceptionOnHttpErrorStatus?: boolean\n  },\n): Promise<OpenIDResponse<T>> => {\n  return await openIdFetch(URL, undefined, { method: 'GET', ...opts })\n}\n\nexport const formPost = async <T>(\n  url: string,\n  body: BodyInit,\n  opts?: {\n    bearerToken?: (() => Promise<string>) | string\n    contentType?: string\n    accept?: string\n    customHeaders?: Record<string, string>\n    exceptionOnHttpErrorStatus?: boolean\n  },\n): Promise<OpenIDResponse<T>> => {\n  return await post(url, body, opts?.contentType ? { ...opts } : { contentType: Encoding.FORM_URL_ENCODED, ...opts })\n}\n\nexport const post = async <T>(\n  url: string,\n  body?: BodyInit,\n  opts?: {\n    bearerToken?: (() => Promise<string>) | string\n    contentType?: string\n    accept?: string\n    customHeaders?: Record<string, string>\n    exceptionOnHttpErrorStatus?: boolean\n  },\n): Promise<OpenIDResponse<T>> => {\n  return await openIdFetch(url, body, { method: 'POST', ...opts })\n}\n\nconst openIdFetch = async <T>(\n  url: string,\n  body?: BodyInit,\n  opts?: {\n    method?: string\n    bearerToken?: (() => Promise<string>) | string\n    contentType?: string\n    accept?: string\n    customHeaders?: Record<string, string>\n    exceptionOnHttpErrorStatus?: boolean\n  },\n): Promise<OpenIDResponse<T>> => {\n  const headers: Record<string, string> = opts?.customHeaders ?? {}\n  if (opts?.bearerToken) {\n    headers['Authorization'] =\n      `${headers.dpop ? 'DPoP' : 'Bearer'} ${typeof opts.bearerToken === 'function' ? await opts.bearerToken() : opts.bearerToken}`\n  }\n  const method = opts?.method ? opts.method : body ? 'POST' : 'GET'\n  const accept = opts?.accept ? opts.accept : 'application/json'\n  headers['Accept'] = accept\n  if (headers['Content-Type']) {\n    if (opts?.contentType && opts.contentType !== headers['Content-Type']) {\n      throw Error(`Mismatch in content-types from custom headers (${headers['Content-Type']}) and supplied content type option (${opts.contentType})`)\n    }\n  } else {\n    if (opts?.contentType) {\n      headers['Content-Type'] = opts.contentType\n    } else if (method !== 'GET') {\n      headers['Content-Type'] = 'application/json'\n    }\n  }\n\n  const payload: RequestInit = {\n    method,\n    headers,\n    body,\n  }\n\n  logger.debug(`START fetching url: ${url}`)\n  if (body) {\n    logger.debug(`Body:\\r\\n${typeof body == 'string' ? body : JSON.stringify(body)}`)\n  }\n  logger.debug(`Headers:\\r\\n${JSON.stringify(payload.headers)}`)\n  const origResponse = await fetch(url, payload)\n  const isJSONResponse = accept === 'application/json' || origResponse.headers.get('Content-Type') === 'application/json'\n  const success = origResponse && origResponse.status >= 200 && origResponse.status < 400\n  const responseText = await origResponse.text()\n  const responseBody = isJSONResponse && responseText.includes('{') ? JSON.parse(responseText) : responseText\n\n  logger.debug(`${success ? 'success' : 'error'} status: ${origResponse.status}, body:\\r\\n${JSON.stringify(responseBody)}`)\n  if (!success && opts?.exceptionOnHttpErrorStatus) {\n    const error = JSON.stringify(responseBody)\n    throw new Error(error === '{}' ? '{\"error\": \"not found\"}' : error)\n  }\n  logger.debug(`END fetching url: ${url}`)\n\n  return {\n    origResponse,\n    successBody: success ? responseBody : undefined,\n    errorBody: !success ? responseBody : undefined,\n  }\n}\n\nexport const isValidURL = (url: string): boolean => {\n  const urlPattern = new RegExp(\n    '^(https?:\\\\/\\\\/)' + // validate protocol\n      '((([a-z\\\\d]([a-z\\\\d-]*[a-z\\\\d])*)\\\\.)+[a-z]{2,}|' + // validate domain name\n      '((localhost))|' + // validate OR localhost\n      '((\\\\d{1,3}\\\\.){3}\\\\d{1,3}))' + // validate OR ip (v4) address\n      '(\\\\:\\\\d+)?(\\\\/[-a-z\\\\d%_.~+:]*)*' + // validate port and path\n      '(\\\\?[;&a-z\\\\d%_.~+=-]*)?' + // validate query string\n      '(\\\\#[-a-z\\\\d_]*)?$', // validate fragment locator\n    'i',\n  )\n  return urlPattern.test(url)\n}\n\nexport const trimBoth = (value: string, trim: string): string => {\n  return trimEnd(trimStart(value, trim), trim)\n}\n\nexport const trimEnd = (value: string, trim: string): string => {\n  return value.endsWith(trim) ? value.substring(0, value.length - trim.length) : value\n}\n\nexport const trimStart = (value: string, trim: string): string => {\n  return value.startsWith(trim) ? value.substring(trim.length) : value\n}\n\nexport const adjustUrl = <T extends string | URL>(\n  urlOrPath: T,\n  opts?: {\n    stripSlashEnd?: boolean\n    stripSlashStart?: boolean\n    prepend?: string\n    append?: string\n  },\n): T => {\n  let url = typeof urlOrPath === 'object' ? urlOrPath.toString() : (urlOrPath as string)\n  if (opts?.append) {\n    url = trimEnd(url, '/') + '/' + trimStart(opts.append, '/')\n  }\n  if (opts?.prepend) {\n    if (opts.prepend.includes('://')) {\n      // includes domain/hostname\n      if (!url.startsWith(opts.prepend)) {\n        url = trimEnd(opts.prepend, '/') + '/' + trimStart(url, '/')\n      }\n    } else {\n      // path only for prepend\n      let host = ''\n      let path = url\n      if (url.includes('://')) {\n        // includes domain/hostname\n        host = new URL(url).host\n        path = new URL(url).pathname\n      }\n      if (!path.startsWith(opts.prepend)) {\n        if (host && host !== '') {\n          url = trimEnd(host, '/')\n        }\n        url += trimEnd(url, '/') + '/' + trimBoth(opts.prepend, '/') + '/' + trimStart(path, '/')\n      }\n    }\n  }\n  if (opts?.stripSlashStart) {\n    url = trimStart(url, '/')\n  }\n  if (opts?.stripSlashEnd) {\n    url = trimEnd(url, '/')\n  }\n\n  if (typeof urlOrPath === 'string') {\n    return url as T\n  }\n  return new URL(url) as T\n}\n","import { Loggers } from '@sphereon/ssi-types'\nimport { jwtDecode, JwtPayload } from 'jwt-decode'\nimport { VCI_LOG_COMMON } from '../index'\n\nimport {\n  AssertedUniformCredentialOffer,\n  AuthzFlowType,\n  CredentialOffer,\n  CredentialOfferPayload,\n  CredentialOfferPayloadV1_0_08,\n  CredentialOfferPayloadV1_0_09,\n  CredentialOfferPayloadV1_0_11,\n  CredentialOfferPayloadV1_0_13,\n  DefaultURISchemes,\n  Grant,\n  GrantTypes,\n  OpenId4VCIVersion,\n  OpenIDResponse,\n  PRE_AUTH_CODE_LITERAL,\n  PRE_AUTH_GRANT_LITERAL,\n  UniformCredentialOffer,\n  UniformCredentialOfferPayload,\n  UniformCredentialOfferRequest,\n} from '../types'\n\nimport { getJson } from './HttpUtils'\n\nconst logger = Loggers.DEFAULT.get('sphereon:oid4vci:offer')\n\nexport function determineSpecVersionFromURI(uri: string): OpenId4VCIVersion {\n  let version = determineSpecVersionFromScheme(uri, OpenId4VCIVersion.VER_UNKNOWN) ?? OpenId4VCIVersion.VER_UNKNOWN\n  version = getVersionFromURIParam(uri, version, [OpenId4VCIVersion.VER_1_0_08], 'initiate_issuance')\n  version = getVersionFromURIParam(uri, version, [OpenId4VCIVersion.VER_1_0_08], 'credential_type')\n  version = getVersionFromURIParam(uri, version, [OpenId4VCIVersion.VER_1_0_08], 'op_state')\n\n  // version = getVersionFromURIParam(uri, version, OpenId4VCIVersion.VER_1_0_09, 'credentials');\n  // version = getVersionFromURIParam(uri, version, OpenId4VCIVersion.VER_1_0_09, 'initiate_issuance_uri')\n\n  // version = getVersionFromURIParam(uri, version, OpenId4VCIVersion.VER_1_0_11, 'credential_offer=');\n  version = getVersionFromURIParam(uri, version, [OpenId4VCIVersion.VER_1_0_11], 'credentials')\n  version = getVersionFromURIParam(uri, version, [OpenId4VCIVersion.VER_1_0_11], 'grants.user_pin_required')\n\n  version = getVersionFromURIParam(uri, version, [OpenId4VCIVersion.VER_1_0_13], 'credential_configuration_ids')\n  version = getVersionFromURIParam(uri, version, [OpenId4VCIVersion.VER_1_0_13], 'tx_code')\n  if (version === OpenId4VCIVersion.VER_UNKNOWN) {\n    version = OpenId4VCIVersion.VER_1_0_13\n  }\n  return version\n}\n\nexport function determineSpecVersionFromScheme(credentialOfferURI: string, openId4VCIVersion: OpenId4VCIVersion) {\n  const scheme = getScheme(credentialOfferURI)\n  if (credentialOfferURI.includes(DefaultURISchemes.INITIATE_ISSUANCE)) {\n    return recordVersion(openId4VCIVersion, [OpenId4VCIVersion.VER_1_0_08], scheme)\n  }\n  if (credentialOfferURI.includes('credential_offer_uri')) {\n    return undefined\n  }\n  // todo: drop support for v1_0_8. version 11 and version 13 have the same scheme 'openid-credential-offer'\n  else if (credentialOfferURI.includes(DefaultURISchemes.CREDENTIAL_OFFER)) {\n    if (credentialOfferURI.includes('credentials:') || credentialOfferURI.includes('credentials%22')) {\n      return recordVersion(openId4VCIVersion, [OpenId4VCIVersion.VER_1_0_11], scheme)\n    }\n    return recordVersion(openId4VCIVersion, [OpenId4VCIVersion.VER_1_0_13], scheme)\n  } else {\n    return recordVersion(openId4VCIVersion, [OpenId4VCIVersion.VER_UNKNOWN], scheme)\n  }\n}\n\nexport function getScheme(credentialOfferURI: string) {\n  if (!credentialOfferURI || !credentialOfferURI.includes('://')) {\n    throw Error('Invalid credential offer URI')\n  }\n  return credentialOfferURI.split('://')[0]\n}\n\nexport function getIssuerFromCredentialOfferPayload(request: CredentialOfferPayload): string | undefined {\n  if (!request || (!('issuer' in request) && !('credential_issuer' in request))) {\n    return undefined\n  }\n  return 'issuer' in request ? request.issuer : request['credential_issuer']\n}\n\nexport const getClientIdFromCredentialOfferPayload = (credentialOffer?: CredentialOfferPayload): string | undefined => {\n  if (!credentialOffer) {\n    return\n  }\n  if ('client_id' in credentialOffer) {\n    return credentialOffer.client_id\n  }\n\n  const state: string | undefined = getStateFromCredentialOfferPayload(credentialOffer)\n  if (state && isJWT(state)) {\n    const decoded = jwtDecode<JwtPayload>(state, { header: false })\n    if ('client_id' in decoded && typeof decoded.client_id === 'string') {\n      return decoded.client_id\n    }\n  }\n  return\n}\n\nconst isJWT = (input?: string) => {\n  if (!input) {\n    return false\n  }\n  const noParts = input?.split('.').length\n  return input?.startsWith('ey') && noParts === 3\n}\nexport const getStateFromCredentialOfferPayload = (credentialOffer: CredentialOfferPayload): string | undefined => {\n  if ('grants' in credentialOffer) {\n    if (credentialOffer.grants?.authorization_code) {\n      return credentialOffer.grants.authorization_code.issuer_state\n    } else if (credentialOffer.grants?.[PRE_AUTH_GRANT_LITERAL]) {\n      return credentialOffer.grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL]\n    }\n  }\n  if ('op_state' in credentialOffer) {\n    // older spec versions\n    return credentialOffer.op_state\n  } else if (PRE_AUTH_CODE_LITERAL in credentialOffer) {\n    return credentialOffer[PRE_AUTH_CODE_LITERAL]\n  }\n\n  return\n}\n\nexport function determineSpecVersionFromOffer(offer: CredentialOfferPayload | CredentialOffer): OpenId4VCIVersion {\n  if (isCredentialOfferV1_0_13(offer)) {\n    return OpenId4VCIVersion.VER_1_0_13\n    // We don't have full support for V12, so let's skip for now\n    /*} else if (isCredentialOfferV1_0_12(offer)) {\n    return OpenId4VCIVersion.VER_1_0_12;*/\n  } else if (isCredentialOfferV1_0_11(offer)) {\n    return OpenId4VCIVersion.VER_1_0_11\n  } else if (isCredentialOfferV1_0_09(offer)) {\n    return OpenId4VCIVersion.VER_1_0_09\n  } else if (isCredentialOfferV1_0_08(offer)) {\n    return OpenId4VCIVersion.VER_1_0_08\n  }\n  return OpenId4VCIVersion.VER_UNKNOWN\n}\n\nexport function isCredentialOfferVersion(offer: CredentialOfferPayload | CredentialOffer, min: OpenId4VCIVersion, max?: OpenId4VCIVersion) {\n  if (max && max.valueOf() < min.valueOf()) {\n    throw Error(`Cannot have a max ${max.valueOf()} version smaller than the min version ${min.valueOf()}`)\n  }\n  const version = determineSpecVersionFromOffer(offer)\n  if (version.valueOf() < min.valueOf()) {\n    logger.debug(`Credential offer version (${version.valueOf()}) is lower than minimum required version (${min.valueOf()})`)\n    return false\n  } else if (max && version.valueOf() > max.valueOf()) {\n    logger.debug(`Credential offer version (${version.valueOf()}) is higher than maximum required version (${max.valueOf()})`)\n    return false\n  }\n  return true\n}\n\nfunction isCredentialOfferV1_0_08(offer: CredentialOfferPayload | CredentialOffer): boolean {\n  if (!offer) {\n    return false\n  }\n  if ('issuer' in offer && 'credential_type' in offer) {\n    // payload\n    return true\n  }\n  if ('credential_offer' in offer && offer['credential_offer']) {\n    // offer, so check payload\n    return isCredentialOfferV1_0_08(offer['credential_offer'])\n  }\n  return false\n}\n\nfunction isCredentialOfferV1_0_09(offer: CredentialOfferPayload | CredentialOffer): boolean {\n  if (!offer) {\n    return false\n  }\n  if ('issuer' in offer && 'credentials' in offer) {\n    // payload\n    return true\n  }\n  if ('credential_offer' in offer && offer['credential_offer']) {\n    // offer, so check payload\n    return isCredentialOfferV1_0_09(offer['credential_offer'])\n  }\n  return false\n}\n\nfunction isCredentialOfferV1_0_11(offer: CredentialOfferPayload | CredentialOffer): boolean {\n  if (!offer) {\n    return false\n  }\n  if ('credential_issuer' in offer && 'credentials' in offer) {\n    // payload\n    return true\n  }\n  if ('credential_offer' in offer && offer['credential_offer']) {\n    // offer, so check payload\n    return isCredentialOfferV1_0_11(offer['credential_offer'])\n  }\n  return 'credential_offer_uri' in offer\n}\n\n/*\nfunction isCredentialOfferV1_0_12(offer: CredentialOfferPayload | CredentialOffer): boolean {\n  if (!offer) {\n    return false;\n  }\n  if ('credential_issuer' in offer && 'credentials' in offer) {\n    // payload\n    return true;\n  }\n  if ('credential_offer' in offer && offer['credential_offer']) {\n    // offer, so check payload\n    return isCredentialOfferV1_0_12(offer['credential_offer']);\n  }\n  return 'credential_offer_uri' in offer;\n}\n*/\n\nfunction isCredentialOfferV1_0_13(offer: CredentialOfferPayload | CredentialOffer): boolean {\n  if (!offer) {\n    return false\n  } else if (typeof offer === 'string' && (offer as string).startsWith('{')) {\n    offer = JSON.parse(offer)\n  }\n  if ('credential_issuer' in offer && 'credential_configuration_ids' in offer) {\n    // payload\n    return true\n  }\n  if ('credential_offer' in offer && offer['credential_offer']) {\n    // offer, so check payload\n    return isCredentialOfferV1_0_13(offer['credential_offer'])\n  }\n  return 'credential_offer_uri' in offer\n}\n\nexport async function toUniformCredentialOfferRequest(\n  offer: CredentialOffer,\n  opts?: {\n    resolve?: boolean\n    version?: OpenId4VCIVersion\n  },\n): Promise<UniformCredentialOfferRequest> {\n  let version = opts?.version ?? determineSpecVersionFromOffer(offer)\n  let originalCredentialOffer = offer.credential_offer\n  let credentialOfferURI: string | undefined\n  if ('credential_offer_uri' in offer && offer?.credential_offer_uri !== undefined) {\n    credentialOfferURI = offer.credential_offer_uri\n\n    if (opts?.resolve || opts?.resolve === undefined) {\n      VCI_LOG_COMMON.log(`Credential offer contained a URI. Will use that to get the credential offer payload: ${credentialOfferURI}`)\n      originalCredentialOffer = (await resolveCredentialOfferURI(credentialOfferURI)) as\n        | CredentialOfferPayloadV1_0_09\n        | CredentialOfferPayloadV1_0_11\n        | CredentialOfferPayloadV1_0_13\n    } else if (!originalCredentialOffer) {\n      throw Error(`Credential offer uri (${credentialOfferURI}) found, but resolution was explicitly disabled and credential_offer was supplied`)\n    }\n    // We need to redetermine the version of the offer, as we only had the offer_uri until now\n    version = determineSpecVersionFromOffer(originalCredentialOffer)\n    VCI_LOG_COMMON.log(`Offer URI payload determined to be of version ${version}`)\n  }\n  if (!originalCredentialOffer) {\n    throw Error('No credential offer available')\n  }\n  const payload = toUniformCredentialOfferPayload(originalCredentialOffer, { ...opts, version })\n  const supportedFlows = determineFlowType(payload, version)\n  return {\n    credential_offer: payload,\n    original_credential_offer: originalCredentialOffer,\n    ...(credentialOfferURI && { credential_offer_uri: credentialOfferURI }),\n    supportedFlows,\n    version,\n  }\n}\n\nexport function isPreAuthCode(request: UniformCredentialOfferPayload | UniformCredentialOffer) {\n  const payload = 'credential_offer' in request ? request.credential_offer : (request as UniformCredentialOfferPayload)\n  return payload?.grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL] !== undefined\n}\n\nexport async function assertedUniformCredentialOffer(\n  origCredentialOffer: UniformCredentialOffer,\n  opts?: {\n    resolve?: boolean\n  },\n): Promise<AssertedUniformCredentialOffer> {\n  const credentialOffer = JSON.parse(JSON.stringify(origCredentialOffer))\n  if (credentialOffer.credential_offer_uri && !credentialOffer.credential_offer) {\n    if (opts?.resolve === undefined || opts.resolve) {\n      credentialOffer.credential_offer = await resolveCredentialOfferURI(credentialOffer.credential_offer_uri)\n    } else {\n      throw Error(`No credential_offer present, but we did get a URI, but resolution was explicitly disabled`)\n    }\n  }\n  if (!credentialOffer.credential_offer) {\n    throw Error(`No credential_offer present`)\n  }\n  credentialOffer.credential_offer = await toUniformCredentialOfferPayload(credentialOffer.credential_offer, { version: credentialOffer.version })\n  return credentialOffer as AssertedUniformCredentialOffer\n}\n\nexport async function resolveCredentialOfferURI(uri?: string): Promise<UniformCredentialOfferPayload | undefined> {\n  if (!uri) {\n    return undefined\n  }\n  const response = (await getJson(uri)) as OpenIDResponse<UniformCredentialOfferPayload>\n  if (!response || !response.successBody) {\n    throw Error(`Could not get credential offer from uri: ${uri}: ${JSON.stringify(response?.errorBody)}`)\n  }\n  return response.successBody as UniformCredentialOfferPayload\n}\n\nexport function toUniformCredentialOfferPayload(\n  offer: CredentialOfferPayload,\n  opts?: {\n    version?: OpenId4VCIVersion\n  },\n): UniformCredentialOfferPayload {\n  // todo: create test to check idempotence once a payload is already been made uniform.\n  const version = opts?.version ?? determineSpecVersionFromOffer(offer)\n  if (version >= OpenId4VCIVersion.VER_1_0_11) {\n    const orig = offer as UniformCredentialOfferPayload\n    return {\n      ...orig,\n    }\n  }\n  const grants: Grant = 'grants' in offer ? (offer.grants as Grant) : {}\n  let offerPayloadAsV8V9 = offer as CredentialOfferPayloadV1_0_08 | CredentialOfferPayloadV1_0_09\n  if (isCredentialOfferVersion(offer, OpenId4VCIVersion.VER_1_0_08, OpenId4VCIVersion.VER_1_0_09)) {\n    if (offerPayloadAsV8V9.op_state) {\n      grants.authorization_code = {\n        ...grants.authorization_code,\n        issuer_state: offerPayloadAsV8V9.op_state,\n      }\n    }\n    let user_pin_required = false\n    if (typeof offerPayloadAsV8V9.user_pin_required === 'string') {\n      user_pin_required = offerPayloadAsV8V9.user_pin_required === 'true' || offerPayloadAsV8V9.user_pin_required === 'yes'\n    } else if (offerPayloadAsV8V9.user_pin_required !== undefined) {\n      user_pin_required = offerPayloadAsV8V9.user_pin_required\n    }\n    if (offerPayloadAsV8V9[PRE_AUTH_CODE_LITERAL]) {\n      grants[PRE_AUTH_GRANT_LITERAL] = {\n        'pre-authorized_code': offerPayloadAsV8V9[PRE_AUTH_CODE_LITERAL],\n        user_pin_required,\n      }\n    }\n  }\n  const issuer = getIssuerFromCredentialOfferPayload(offer)\n  if (version === OpenId4VCIVersion.VER_1_0_09) {\n    offerPayloadAsV8V9 = offer as CredentialOfferPayloadV1_0_09\n    return {\n      // credential_definition: getCredentialsSupported(never, offerPayloadAsV8V9.credentials).map(sup => {credentialSubject: sup.credentialSubject})[0],\n      credential_issuer: issuer ?? offerPayloadAsV8V9.issuer,\n      credentials: offerPayloadAsV8V9.credentials,\n      grants,\n    }\n  }\n  if (version === OpenId4VCIVersion.VER_1_0_08) {\n    offerPayloadAsV8V9 = offer as CredentialOfferPayloadV1_0_08\n    return {\n      credential_issuer: issuer ?? offerPayloadAsV8V9.issuer,\n      credentials: Array.isArray(offerPayloadAsV8V9.credential_type) ? offerPayloadAsV8V9.credential_type : [offerPayloadAsV8V9.credential_type],\n      grants,\n    } as UniformCredentialOfferPayload\n  }\n  throw Error(`Could not create uniform payload for version ${version}`)\n}\n\nexport function determineFlowType(\n  suppliedOffer: AssertedUniformCredentialOffer | UniformCredentialOfferPayload,\n  version: OpenId4VCIVersion,\n): AuthzFlowType[] {\n  const payload: UniformCredentialOfferPayload = getCredentialOfferPayload(suppliedOffer)\n  const supportedFlows: AuthzFlowType[] = []\n  if (payload.grants?.authorization_code) {\n    supportedFlows.push(AuthzFlowType.AUTHORIZATION_CODE_FLOW)\n  }\n  if (payload.grants?.[PRE_AUTH_GRANT_LITERAL]?.[PRE_AUTH_CODE_LITERAL]) {\n    supportedFlows.push(AuthzFlowType.PRE_AUTHORIZED_CODE_FLOW)\n  }\n  if (supportedFlows.length === 0 && version < OpenId4VCIVersion.VER_1_0_09) {\n    // auth flow without op_state was possible in v08. The only way to know is that the detections would result in finding nothing.\n    supportedFlows.push(AuthzFlowType.AUTHORIZATION_CODE_FLOW)\n  }\n  return supportedFlows\n}\n\nexport function getCredentialOfferPayload(offer: AssertedUniformCredentialOffer | UniformCredentialOfferPayload): UniformCredentialOfferPayload {\n  let payload: UniformCredentialOfferPayload\n  if ('credential_offer' in offer && offer['credential_offer']) {\n    payload = offer.credential_offer\n  } else {\n    payload = offer as UniformCredentialOfferPayload\n  }\n  return payload\n}\n\nexport function determineGrantTypes(\n  offer:\n    | AssertedUniformCredentialOffer\n    | UniformCredentialOfferPayload\n    | ({\n        grants: Grant\n      } & Record<never, never>),\n): GrantTypes[] {\n  let grants: Grant | undefined\n  if ('grants' in offer && offer.grants) {\n    grants = offer.grants\n  } else {\n    grants = getCredentialOfferPayload(offer as AssertedUniformCredentialOffer | UniformCredentialOfferPayload).grants\n  }\n\n  const types: GrantTypes[] = []\n  if (grants) {\n    if ('authorization_code' in grants) {\n      types.push(GrantTypes.AUTHORIZATION_CODE)\n    }\n    if (PRE_AUTH_GRANT_LITERAL in grants) {\n      types.push(GrantTypes.PRE_AUTHORIZED_CODE)\n    }\n  }\n  return types\n}\n\nfunction getVersionFromURIParam(\n  credentialOfferURI: string,\n  currentVersion: OpenId4VCIVersion,\n  matchingVersion: OpenId4VCIVersion[],\n  param: string,\n  allowUpgrade = true,\n) {\n  if (credentialOfferURI.includes(param)) {\n    return recordVersion(currentVersion, matchingVersion, param, allowUpgrade)\n  }\n  return currentVersion\n}\n\nfunction recordVersion(currentVersion: OpenId4VCIVersion, matchingVersion: OpenId4VCIVersion[], key: string, allowUpgrade = true) {\n  matchingVersion = matchingVersion.sort().reverse()\n  if (currentVersion === OpenId4VCIVersion.VER_UNKNOWN) {\n    return matchingVersion[0]\n  } else if (matchingVersion.includes(currentVersion)) {\n    if (!allowUpgrade) {\n      return currentVersion\n    }\n    return matchingVersion[0]\n  }\n\n  throw new Error(\n    `Invalid param. Some keys have been used from version: ${currentVersion} version while '${key}' is used from version: ${JSON.stringify(matchingVersion)}`,\n  )\n}\n\nexport function getTypesFromOfferV1_0_11(credentialOffer: CredentialOfferPayloadV1_0_11, opts?: { filterVerifiableCredential: boolean }) {\n  const types = credentialOffer.credentials.reduce<string[]>((prev, curr) => {\n    // FIXME returning the string value is wrong (as it's an id), but just matching the current behavior of this library\n    // The credential_type (from draft 8) and the actual 'type' value in a VC (from draft 11) are mixed up\n    // Fix for this here: https://github.com/Sphereon-Opensource/OID4VC/pull/54\n    if (typeof curr === 'string') {\n      return [...prev, curr]\n    } else if (curr.format === 'jwt_vc_json-ld' || curr.format === 'ldp_vc') {\n      return [...prev, ...curr.credential_definition.types]\n    } else if (curr.format === 'jwt_vc_json' || curr.format === 'jwt_vc') {\n      return [...prev, ...curr.types]\n    } else if (curr.format === 'vc+sd-jwt') {\n      return [...prev, curr.vct]\n    }\n\n    return prev\n  }, [])\n\n  if (!types || types.length === 0) {\n    throw Error('Could not deduce types from credential offer')\n  }\n  if (opts?.filterVerifiableCredential) {\n    return types.filter((type) => type !== 'VerifiableCredential')\n  }\n  return types\n}\n","import { BAD_PARAMS, DecodeURIAsJsonOpts, EncodeJsonAsURIOpts, JsonURIMode, OpenId4VCIVersion, SearchValue } from '../types'\n\n/**\n * @type {(json: {[s:string]: never} | ArrayLike<never> | string | object, opts?: EncodeJsonAsURIOpts)} encodes a Json object into a URI\n * @param { {[s:string]: never} | ArrayLike<never> | string | object } json\n * @param {EncodeJsonAsURIOpts} [opts] Option to encode json as uri\n *          - urlTypeProperties: a list of properties of which the value is a URL\n *          - arrayTypeProperties: a list of properties which are an array\n */\n\n// /* eslint-disable @typescript-eslint/no-explicit-any */\nexport function convertJsonToURI(\n  json:\n    | {\n        [s: string]: never\n      }\n    | ArrayLike<never>\n    | string\n    | object,\n  opts?: EncodeJsonAsURIOpts,\n): string {\n  if (typeof json === 'string') {\n    return convertJsonToURI(JSON.parse(json), opts)\n  }\n\n  const results = []\n\n  function encodeAndStripWhitespace(key: string): string {\n    return encodeURIComponent(key.replace(' ', ''))\n  }\n\n  let components: string\n  if ((opts?.version && opts.version > OpenId4VCIVersion.VER_1_0_08 && !opts.mode) || opts?.mode === JsonURIMode.JSON_STRINGIFY) {\n    // v11 changed from encoding every param to a encoded json object with a credential_offer param key\n    components = encodeAndStripWhitespace(JSON.stringify(json))\n  } else {\n    // version 8 or lower, or mode is x-form-www-urlencoded\n    for (const [key, value] of Object.entries(json)) {\n      if (!value) {\n        continue\n      }\n      //Skip properties that are not of URL type\n      if (!opts?.uriTypeProperties?.includes(key)) {\n        results.push(`${key}=${value}`)\n        continue\n      }\n      if (opts?.arrayTypeProperties?.includes(key) && Array.isArray(value)) {\n        results.push(value.map((v) => `${encodeAndStripWhitespace(key)}=${customEncodeURIComponent(v, /\\./g)}`).join('&'))\n        continue\n      }\n      const isBool = typeof value == 'boolean'\n      const isNumber = typeof value == 'number'\n      const isString = typeof value == 'string'\n      let encoded\n      if (isBool || isNumber) {\n        encoded = `${encodeAndStripWhitespace(key)}=${value}`\n      } else if (isString) {\n        encoded = `${encodeAndStripWhitespace(key)}=${customEncodeURIComponent(value, /\\./g)}`\n      } else {\n        encoded = `${encodeAndStripWhitespace(key)}=${customEncodeURIComponent(JSON.stringify(value), /\\./g)}`\n      }\n      results.push(encoded)\n    }\n    components = results.join('&')\n  }\n  if (opts?.baseUrl) {\n    if (opts.baseUrl.endsWith('=')) {\n      if (opts.param) {\n        throw Error('Cannot combine param with an url ending in =')\n      }\n      return `${opts.baseUrl}${components}`\n    } else if (!opts.baseUrl.includes('?')) {\n      return `${opts.baseUrl}?${opts.param ? opts.param + '=' : ''}${components}`\n    } else if (opts.baseUrl.endsWith('?')) {\n      return `${opts.baseUrl}${opts.param ? opts.param + '=' : ''}${components}`\n    } else {\n      return `${opts.baseUrl}${opts.param ? '&' + opts.param : ''}=${components}`\n    }\n  }\n  return components\n}\n\n/**\n * @type {(uri: string, opts?: DecodeURIAsJsonOpts): unknown} convertURIToJsonObject converts an URI into a Json object decoding its properties\n * @param {string} uri\n * @param {DecodeURIAsJsonOpts} [opts]\n *          - requiredProperties: the required properties\n *          - arrayTypeProperties: properties that can show up more that once\n * @returns JSON object\n */\nexport function convertURIToJsonObject(uri: string, opts?: DecodeURIAsJsonOpts): unknown {\n  if (!uri || (opts?.requiredProperties && !opts.requiredProperties?.every((p) => uri.includes(p)))) {\n    throw new Error(BAD_PARAMS)\n  }\n\n  const uriComponents = getURIComponentsAsArray(uri, opts?.arrayTypeProperties)\n  return decodeJsonProperties(uriComponents)\n}\n\nexport function decodeJsonProperties(parts: string[] | string[][]): unknown {\n  const result: { [s: string]: unknown } | ArrayLike<unknown> = {}\n  for (const key in parts) {\n    const value = parts[key]\n    if (!value) {\n      continue\n    }\n    if (Array.isArray(value)) {\n      result[decodeURIComponent(key)] = value.map((v) => decodeURIComponent(v))\n      continue\n    }\n\n    const isBool = typeof value == 'boolean'\n    const isNumber = typeof value == 'number'\n    const isString = typeof value == 'string'\n    const isObject = typeof value == 'object'\n    if (isBool || isNumber) {\n      result[decodeURIComponent(key)] = value\n    } else if (isString) {\n      const decoded = decodeURIComponent(value)\n      if (decoded.startsWith('{') && decoded.endsWith('}')) {\n        result[decodeURIComponent(key)] = JSON.parse(decoded)\n      } else {\n        result[decodeURIComponent(key)] = decoded\n      }\n    } else if (isObject) {\n      result[decodeURIComponent(key)] = decodeJsonProperties(value)\n    }\n  }\n  return result\n}\n\n/**\n * @function get URI Components as Array\n * @param {string} uri uri\n * @param {string[]} [arrayTypes] array of string containing array like keys\n */\nexport function getURIComponentsAsArray(uri: string, arrayTypes?: string[]): string[] | string[][] {\n  const parts = uri.includes('?') ? uri.split('?')[1] : uri.includes('://') ? uri.split('://')[1] : uri\n  const json: string[] | string[][] = []\n  const dict: string[] = parts.split('&')\n  for (const entry of dict) {\n    const pair: string[] = entry.split('=')\n    const p0: any = pair[0]\n    const p1: any = pair[1]\n    if (arrayTypes?.includes(p0)) {\n      const key = json[p0]\n      if (Array.isArray(key)) {\n        key.push(p1)\n      } else {\n        json[p0] = [p1]\n      }\n      continue\n    }\n    json[p0] = p1\n  }\n  return json\n}\n\n/**\n * @function customEncodeURIComponent is used to encode chars that are not encoded by default\n * @param searchValue The pattern/regexp to find the char(s) to be encoded\n * @param uriComponent query string\n */\nfunction customEncodeURIComponent(uriComponent: string, searchValue: SearchValue): string {\n  // -_.!~*'() are not escaped because they are considered safe.\n  // Add them to the regex as you need\n  return encodeURIComponent(uriComponent).replace(searchValue, (c) => `%${c.charCodeAt(0).toString(16).toUpperCase()}`)\n}\n","import { VCI_LOG_COMMON } from '../index'\nimport {\n  AuthorizationDetails,\n  CredentialConfigurationSupported,\n  CredentialConfigurationSupportedMsoMdocV1_0_13,\n  CredentialConfigurationSupportedSdJwtVcV1_0_13,\n  CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_13,\n  CredentialDefinitionJwtVcJsonV1_0_13,\n  CredentialOfferFormatV1_0_11,\n  CredentialOfferPayload,\n  CredentialsSupportedLegacy,\n  CredentialSupportedMsoMdoc,\n  CredentialSupportedSdJwtVc,\n  JsonLdIssuerCredentialDefinition,\n  UniformCredentialOfferPayload,\n  UniformCredentialOfferRequest,\n} from '../types'\n\nexport function isW3cCredentialSupported(\n  supported: CredentialConfigurationSupported | CredentialsSupportedLegacy,\n): supported is Exclude<\n  CredentialConfigurationSupported,\n  | CredentialConfigurationSupportedMsoMdocV1_0_13\n  | CredentialSupportedMsoMdoc\n  | CredentialConfigurationSupportedSdJwtVcV1_0_13\n  | CredentialSupportedSdJwtVc\n> {\n  return ['jwt_vc_json', 'jwt_vc_json-ld', 'ldp_vc', 'jwt_vc'].includes(supported.format)\n}\n\nexport const getNumberOrUndefined = (input?: string): number | undefined => {\n  return input && !isNaN(+input) ? +input : undefined\n}\n\n/**\n * The specs had many places where types could be expressed. This method ensures we get them in any way possible\n * @param subject\n */\nexport function getTypesFromObject(\n  subject:\n    | CredentialConfigurationSupported\n    | CredentialOfferFormatV1_0_11\n    | CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_13\n    | CredentialDefinitionJwtVcJsonV1_0_13\n    | JsonLdIssuerCredentialDefinition\n    | string,\n): string[] | undefined {\n  if (subject === undefined) {\n    return undefined\n  } else if (typeof subject === 'string') {\n    return [subject]\n  } else if ('credential_definition' in subject) {\n    return getTypesFromObject(\n      subject.credential_definition as\n        | CredentialDefinitionJwtVcJsonLdAndLdpVcV1_0_13\n        | CredentialDefinitionJwtVcJsonV1_0_13\n        | JsonLdIssuerCredentialDefinition,\n    )\n  } else if ('types' in subject && subject.types) {\n    return Array.isArray(subject.types) ? subject.types : [subject.types as string]\n  } else if ('type' in subject && subject.type) {\n    return Array.isArray(subject.type) ? subject.type : [subject.type as string]\n  } else if ('vct' in subject && subject.vct) {\n    return [subject.vct as string]\n  } else if ('doctype' in subject && subject.doctype) {\n    return [subject.doctype as string]\n  }\n  VCI_LOG_COMMON.warning('Could not deduce credential types. Probably a failure down the line will happen!')\n  return undefined\n}\n\nexport function getTypesFromCredentialOffer(\n  offer: UniformCredentialOfferRequest | CredentialOfferPayload | UniformCredentialOfferPayload,\n  opts?: { configIdAsType?: boolean },\n): Array<Array<string>> | undefined {\n  const { configIdAsType = false } = { ...opts }\n  if ('credentials' in offer && Array.isArray(offer.credentials)) {\n    return offer.credentials.map((cred) => getTypesFromObject(cred)).filter((cred): cred is string[] => cred !== undefined)\n  } else if (configIdAsType && 'credential_configuration_ids' in offer && Array.isArray(offer.credential_configuration_ids)) {\n    return offer.credential_configuration_ids.map((id) => [id])\n  } else if ('credential_offer' in offer && offer.credential_offer) {\n    return getTypesFromCredentialOffer(offer.credential_offer, opts)\n  } else if ('credential_type' in offer && offer.credential_type) {\n    if (typeof offer.credential_type === 'string') {\n      return [[offer.credential_type]]\n    } else if (Array.isArray(offer.credential_type)) {\n      return [offer.credential_type]\n    }\n  }\n  VCI_LOG_COMMON.warning('Could not deduce credential types from offer. Probably a failure down the line will happen!')\n  return undefined\n}\n\nexport function getTypesFromAuthorizationDetails(authDetails: AuthorizationDetails, opts?: { configIdAsType?: boolean }): string[] | undefined {\n  const { configIdAsType = false } = { ...opts }\n  if (typeof authDetails === 'string') {\n    return [authDetails]\n  } else if ('types' in authDetails && Array.isArray(authDetails.types)) {\n    return authDetails.types\n  } else if (configIdAsType && authDetails.credential_configuration_id) {\n    return [authDetails.credential_configuration_id]\n  }\n\n  return undefined\n}\n\nexport function getTypesFromCredentialSupported(\n  credentialSupported: CredentialConfigurationSupported,\n  opts?: { filterVerifiableCredential: boolean },\n) {\n  let types: string[] = []\n  if (\n    credentialSupported.format === 'jwt_vc_json' ||\n    credentialSupported.format === 'jwt_vc' ||\n    credentialSupported.format === 'jwt_vc_json-ld' ||\n    credentialSupported.format === 'ldp_vc'\n  ) {\n    types = getTypesFromObject(credentialSupported) ?? []\n  } else if (credentialSupported.format === 'vc+sd-jwt') {\n    types = [credentialSupported.vct]\n  } else if (credentialSupported.format === 'mso_mdoc') {\n    types = [credentialSupported.doctype]\n  }\n\n  if (!types || types.length === 0) {\n    throw Error('Could not deduce types from credential supported')\n  }\n  if (opts?.filterVerifiableCredential) {\n    return types.filter((type) => type !== 'VerifiableCredential')\n  }\n  return types\n}\n","import { VCI_LOG_COMMON } from '../index'\nimport {\n  AuthorizationServerMetadata,\n  CredentialConfigurationSupported,\n  CredentialConfigurationSupportedV1_0_13,\n  CredentialIssuerMetadata,\n  CredentialSupportedTypeV1_0_08,\n  CredentialSupportedV1_0_08,\n  IssuerMetadata,\n  MetadataDisplay,\n  OID4VCICredentialFormat,\n  OpenId4VCIVersion,\n} from '../types'\nimport { getTypesFromObject, isW3cCredentialSupported } from './TypeConversionUtils'\nexport function getSupportedCredentials(opts?: {\n  issuerMetadata?: CredentialIssuerMetadata | IssuerMetadata\n  version: OpenId4VCIVersion\n  types?: string[][]\n  format?: OID4VCICredentialFormat | string | (OID4VCICredentialFormat | string)[]\n}): Record<string, CredentialConfigurationSupportedV1_0_13> | Array<CredentialConfigurationSupported> {\n  const { version = OpenId4VCIVersion.VER_1_0_13, types } = opts ?? {}\n  if (types && Array.isArray(types)) {\n    if (version < OpenId4VCIVersion.VER_1_0_13) {\n      return types.flatMap((typeSet) => getSupportedCredential({ ...opts, version, types: typeSet }) as Array<CredentialConfigurationSupported>)\n    } else {\n      return types\n        .map((typeSet) => {\n          return getSupportedCredential({ ...opts, version, types: typeSet })\n        })\n        .reduce(\n          (acc, result) => {\n            Object.assign(acc, result)\n            return acc\n          },\n          {} as Record<string, CredentialConfigurationSupportedV1_0_13>,\n        )\n    }\n  }\n\n  return getSupportedCredential(opts ? { ...opts, types: undefined } : undefined)\n}\n\nexport function determineVersionsFromIssuerMetadata(issuerMetadata: CredentialIssuerMetadata | IssuerMetadata): Array<OpenId4VCIVersion> {\n  const versions = new Set<OpenId4VCIVersion>()\n  if ('authorization_server' in issuerMetadata) {\n    versions.add(OpenId4VCIVersion.VER_1_0_11)\n  } else if ('authorization_servers' in issuerMetadata) {\n    versions.add(OpenId4VCIVersion.VER_1_0_13)\n  }\n  if (versions.size === 0) {\n    // The above checks where already very specific and only applicable to single versions we support, so let's skip if we encounter them\n    if ('credential_configurations_supported' in issuerMetadata) {\n      versions.add(OpenId4VCIVersion.VER_1_0_13)\n    } else if ('credentials_supported' in issuerMetadata) {\n      if (typeof issuerMetadata.credentials_supported === 'object') {\n        versions.add(OpenId4VCIVersion.VER_1_0_08)\n      } else {\n        versions.add(OpenId4VCIVersion.VER_1_0_09).add(OpenId4VCIVersion.VER_1_0_11)\n      }\n    }\n  }\n  if (versions.size === 0) {\n    versions.add(OpenId4VCIVersion.VER_UNKNOWN)\n  }\n\n  return Array.from(versions).sort().reverse() // highest version first\n}\n\nexport function getSupportedCredential(opts?: {\n  issuerMetadata?: CredentialIssuerMetadata | IssuerMetadata\n  version: OpenId4VCIVersion\n  types?: string | string[]\n  format?: OID4VCICredentialFormat | string | (OID4VCICredentialFormat | string)[]\n}): Record<string, CredentialConfigurationSupportedV1_0_13> | Array<CredentialConfigurationSupported> {\n  const { issuerMetadata, types, format, version = OpenId4VCIVersion.VER_1_0_13 } = opts ?? {}\n\n  let credentialConfigurationsV11: Array<CredentialConfigurationSupported> | undefined = undefined\n  let credentialConfigurationsV13: Record<string, CredentialConfigurationSupportedV1_0_13> | undefined = undefined\n  if (\n    version < OpenId4VCIVersion.VER_1_0_12 ||\n    (issuerMetadata?.credential_configurations_supported === undefined && issuerMetadata?.credentials_supported)\n  ) {\n    if (issuerMetadata?.credentials_supported && !Array.isArray(issuerMetadata?.credentials_supported)) {\n      // The current code duplication and logic is such a mess, that we re-adjust the object to the proper type again\n      credentialConfigurationsV11 = []\n      // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n      Object.entries(issuerMetadata.credentials_supported!).forEach(([id, supported]) => {\n        if (!supported.id) {\n          supported.id = id\n        }\n        credentialConfigurationsV11?.push(supported as CredentialConfigurationSupported)\n      })\n    } else {\n      credentialConfigurationsV11 = (issuerMetadata?.credentials_supported as Array<CredentialConfigurationSupported>) ?? []\n    }\n  } else {\n    credentialConfigurationsV13 =\n      (issuerMetadata?.credential_configurations_supported as Record<string, CredentialConfigurationSupportedV1_0_13>) ?? {}\n  }\n  if (!issuerMetadata || (!issuerMetadata.credential_configurations_supported && !issuerMetadata.credentials_supported)) {\n    VCI_LOG_COMMON.warning(`No credential issuer metadata or supported credentials found for issuer}`)\n    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n    return version < OpenId4VCIVersion.VER_1_0_13 ? credentialConfigurationsV11! : credentialConfigurationsV13!\n  }\n\n  const normalizedTypes: string[] = Array.isArray(types) ? types : types ? [types] : []\n  const normalizedFormats: string[] = Array.isArray(format) ? format : format ? [format] : []\n\n  function filterMatchingConfig(config: CredentialConfigurationSupported): CredentialConfigurationSupported | undefined {\n    let isTypeMatch = normalizedTypes.length === 0\n    const types = getTypesFromObject(config)\n    if (!isTypeMatch) {\n      if (normalizedTypes.length === 1 && config.id === normalizedTypes[0]) {\n        isTypeMatch = true\n      } else if (types) {\n        isTypeMatch = normalizedTypes.every((type) => types.includes(type))\n      } else {\n        if (isW3cCredentialSupported(config) && 'credential_definition' in config) {\n          isTypeMatch = normalizedTypes.every((type) => config.credential_definition.type.includes(type))\n        } else if (isW3cCredentialSupported(config) && 'type' in config && Array.isArray(config.type)) {\n          isTypeMatch = normalizedTypes.every((type) => (config.type as string[]).includes(type))\n        } else if (isW3cCredentialSupported(config) && 'types' in config) {\n          isTypeMatch = normalizedTypes.every((type) => config.types?.includes(type))\n        }\n      }\n    }\n\n    const isFormatMatch = normalizedFormats.length === 0 || normalizedFormats.includes(config.format)\n\n    return isTypeMatch && isFormatMatch ? config : undefined\n  }\n\n  if (credentialConfigurationsV13) {\n    return Object.entries(credentialConfigurationsV13).reduce(\n      (filteredConfigs, [id, config]) => {\n        if (filterMatchingConfig(config)) {\n          filteredConfigs[id] = config\n          // Added to enable support < 13. We basically assign the\n          if (!config.id) {\n            config.id = id\n          }\n        }\n        return filteredConfigs\n      },\n      {} as Record<string, CredentialConfigurationSupportedV1_0_13>,\n    )\n  } else if (credentialConfigurationsV11) {\n    return credentialConfigurationsV11.filter((config) => filterMatchingConfig(config))\n  }\n  throw Error(`Either < v11 configurations or V13 configurations should have been filtered at this point`)\n}\n\nexport function credentialsSupportedV8ToV13(supportedV8: CredentialSupportedTypeV1_0_08): Record<string, CredentialConfigurationSupported> {\n  const credentialConfigsSupported: Record<string, CredentialConfigurationSupported> = {}\n  Object.entries(supportedV8).flatMap((entry) => {\n    const type = entry[0]\n    const supportedV8 = entry[1]\n    Object.assign(credentialConfigsSupported, credentialSupportedV8ToV13(type, supportedV8))\n  })\n  return credentialConfigsSupported\n}\n\nexport function credentialSupportedV8ToV13(key: string, supportedV8: CredentialSupportedV1_0_08): Record<string, CredentialConfigurationSupported> {\n  const credentialConfigsSupported: Record<string, CredentialConfigurationSupported> = {}\n  Object.entries(supportedV8.formats).map((entry) => {\n    const format = entry[0]\n    const credentialSupportBrief = entry[1]\n    if (typeof format !== 'string') {\n      throw Error(`Unknown format received ${JSON.stringify(format)}`)\n    }\n    const credentialConfigSupported: Partial<CredentialConfigurationSupported> = {\n      format: format as OID4VCICredentialFormat,\n      display: supportedV8.display,\n      ...credentialSupportBrief,\n      credentialSubject: supportedV8.claims,\n    }\n    credentialConfigsSupported[key] = credentialConfigSupported as CredentialConfigurationSupported\n  })\n  return credentialConfigsSupported\n}\n\nexport function getIssuerDisplays(metadata: CredentialIssuerMetadata | IssuerMetadata, opts?: { prefLocales: string[] }): MetadataDisplay[] {\n  const matchedDisplays =\n    metadata.display?.filter(\n      (item) => !opts?.prefLocales || opts.prefLocales.length === 0 || (item.locale && opts.prefLocales.includes(item.locale)) || !item.locale,\n    ) ?? []\n  return matchedDisplays.sort((item) => (item.locale ? (opts?.prefLocales.indexOf(item.locale) ?? 1) : Number.MAX_VALUE))\n}\n\n/**\n * TODO check again when WAL-617 is done to replace how we get the issuer name.\n */\nexport function getIssuerName(\n  url: string,\n  credentialIssuerMetadata?: Partial<AuthorizationServerMetadata> & (CredentialIssuerMetadata | IssuerMetadata),\n): string {\n  if (credentialIssuerMetadata) {\n    const displays: Array<MetadataDisplay> = credentialIssuerMetadata ? getIssuerDisplays(credentialIssuerMetadata) : []\n    for (const display of displays) {\n      if (display.name) {\n        return display.name\n      }\n    }\n  }\n  return url\n}\n","import { BaseJWK, JWK } from '@sphereon/oid4vc-common'\nimport { Loggers } from '@sphereon/ssi-types'\nimport { jwtDecode } from 'jwt-decode'\n\nimport { PoPMode, VCI_LOG_COMMON } from '..'\nimport {\n  BAD_PARAMS,\n  JWS_NOT_VALID,\n  Jwt,\n  JWTHeader,\n  JWTPayload,\n  JWTVerifyCallback,\n  JwtVerifyResult,\n  ProofOfPossession,\n  ProofOfPossessionCallbacks,\n  Typ,\n} from '../types'\n\nconst logger = Loggers.DEFAULT.get('sphereon:oid4vci:common')\n\n/**\n *\n *  - proofOfPossessionCallback: JWTSignerCallback\n *    Mandatory if you want to create (sign) ProofOfPossession\n *  - proofOfPossessionVerifierCallback?: JWTVerifyCallback\n *    If exists, verifies the ProofOfPossession\n *  - proofOfPossessionCallbackArgs: ProofOfPossessionCallbackArgs\n *    arguments needed for signing ProofOfPossession\n *    - proofOfPossessionCallback: JWTSignerCallback\n *      Mandatory to create (sign) ProofOfPossession\n *    - proofOfPossessionVerifierCallback?: JWTVerifyCallback\n *      If exists, verifies the ProofOfPossession\n * @param popMode\n * @param callbacks\n * @param jwtProps\n * @param existingJwt\n *  - Optional, clientId of the party requesting the credential\n */\nexport const createProofOfPossession = async <DIDDoc extends object = never>(\n  popMode: PoPMode,\n  callbacks: ProofOfPossessionCallbacks,\n  jwtProps?: JwtProps,\n  existingJwt?: Jwt,\n): Promise<ProofOfPossession> => {\n  if (!callbacks.signCallback) {\n    logger.debug(`no jwt signer callback or arguments supplied!`)\n    throw new Error(BAD_PARAMS)\n  }\n\n  const jwtPayload = createJWT(popMode, jwtProps, existingJwt)\n  const jwt = await callbacks.signCallback(jwtPayload, jwtPayload.header.kid)\n  const proof = {\n    proof_type: 'jwt',\n    jwt,\n  } as ProofOfPossession\n\n  try {\n    partiallyValidateJWS(jwt)\n    if (callbacks.verifyCallback) {\n      logger.debug(`Calling supplied verify callback....`)\n      await callbacks.verifyCallback({ jwt, kid: jwtPayload.header.kid })\n      logger.debug(`Supplied verify callback return success result`)\n    }\n  } catch {\n    logger.debug(`JWS was not valid`)\n    throw new Error(JWS_NOT_VALID)\n  }\n  logger.debug(`Proof of Possession JWT:\\r\\n${jwt}`)\n  return proof\n}\n\nconst partiallyValidateJWS = (jws: string): void => {\n  if (jws.split('.').length !== 3 || !jws.startsWith('ey')) {\n    throw new Error(JWS_NOT_VALID)\n  }\n}\n\nexport const isJWS = (token: string): boolean => {\n  try {\n    partiallyValidateJWS(token)\n    return true\n  } catch (e) {\n    return false\n  }\n}\n\nexport const extractBearerToken = (authorizationHeader?: string): string | undefined => {\n  return authorizationHeader ? /Bearer (.*)/i.exec(authorizationHeader)?.[1] : undefined\n}\n\nexport const validateJWT = async <DIDDoc extends object = never>(\n  jwt?: string,\n  opts?: { kid?: string; accessTokenVerificationCallback?: JWTVerifyCallback },\n): Promise<JwtVerifyResult> => {\n  if (!jwt) {\n    throw Error('No JWT was supplied')\n  }\n\n  if (!opts?.accessTokenVerificationCallback) {\n    VCI_LOG_COMMON.warning(`No access token verification callback supplied. Access tokens will not be verified, except for a very basic check`)\n    partiallyValidateJWS(jwt)\n    const header = jwtDecode<JWTHeader>(jwt, { header: true })\n    const payload = jwtDecode<JWTPayload>(jwt, { header: false })\n    return {\n      jwt: { header, payload } satisfies Jwt,\n      ...header,\n      ...payload,\n    }\n  } else {\n    return await opts.accessTokenVerificationCallback({ jwt, kid: opts.kid })\n  }\n}\n\nexport interface JwtProps {\n  typ?: Typ\n  kid?: string\n  jwk?: JWK\n  x5c?: string[]\n  aud?: string | string[]\n  issuer?: string\n  clientId?: string\n  alg?: string\n  jti?: string\n  nonce?: string\n}\n\nconst createJWT = (mode: PoPMode, jwtProps?: JwtProps, existingJwt?: Jwt): Jwt => {\n  const aud =\n    mode === 'pop'\n      ? getJwtProperty<string | string[]>('aud', true, jwtProps?.issuer, existingJwt?.payload?.aud)\n      : getJwtProperty<string | string[]>('aud', false, jwtProps?.aud, existingJwt?.payload?.aud)\n  const iss =\n    mode === 'pop'\n      ? getJwtProperty<string>('iss', false, jwtProps?.clientId, existingJwt?.payload?.iss)\n      : getJwtProperty<string>('iss', false, jwtProps?.issuer, existingJwt?.payload?.iss)\n  const client_id = mode === 'JWT' ? getJwtProperty<string>('client_id', false, jwtProps?.clientId, existingJwt?.payload?.client_id) : undefined\n  const jti = getJwtProperty<string>('jti', false, jwtProps?.jti, existingJwt?.payload?.jti)\n  const typ = getJwtProperty<string>('typ', true, jwtProps?.typ, existingJwt?.header?.typ, 'openid4vci-proof+jwt')\n  const nonce = getJwtProperty<string>('nonce', false, jwtProps?.nonce, existingJwt?.payload?.nonce) // Officially this is required, but some implementations don't have it\n  // eslint-disable-next-line @typescript-eslint/no-non-null-assertion\n  const alg = getJwtProperty<string>('alg', false, jwtProps?.alg, existingJwt?.header?.alg, 'ES256')!\n  const kid = getJwtProperty<string>('kid', false, jwtProps?.kid, existingJwt?.header?.kid)\n  const jwk = getJwtProperty<BaseJWK>('jwk', false, jwtProps?.jwk, existingJwt?.header?.jwk)\n  const x5c = getJwtProperty<string[]>('x5c', false, jwtProps?.x5c, existingJwt?.header.x5c)\n  const jwt: Partial<Jwt> = { ...existingJwt }\n  const now = +new Date()\n  const jwtPayload: Partial<JWTPayload> = {\n    ...(aud && { aud }),\n    iat: jwt.payload?.iat ?? Math.floor(now / 1000) - 60, // Let's ensure we subtract 60 seconds for potential time offsets\n    exp: jwt.payload?.exp ?? Math.floor(now / 1000) + 10 * 60,\n    nonce,\n    ...(client_id && { client_id }),\n    ...(iss && { iss }),\n    ...(jti && { jti }),\n  }\n\n  const jwtHeader: JWTHeader = {\n    typ,\n    alg,\n    ...(kid && { kid }),\n    ...(jwk && { jwk }),\n    ...(x5c && { x5c }),\n  }\n  return {\n    payload: { ...jwt.payload, ...jwtPayload },\n    header: { ...jwt.header, ...jwtHeader },\n  }\n}\n\nconst getJwtProperty = <T>(\n  propertyName: string,\n  required: boolean,\n  option?: string | string[] | JWK,\n  jwtProperty?: T,\n  defaultValue?: T,\n): T | undefined => {\n  if ((typeof option === 'string' || Array.isArray(option)) && option && jwtProperty && option !== jwtProperty) {\n    throw Error(`Cannot have a property '${propertyName}' with value '${option}' and different JWT value '${jwtProperty}' at the same time`)\n  }\n  let result = (jwtProperty ? jwtProperty : option) as T | undefined\n  if (!result) {\n    if (required) {\n      throw Error(`No ${propertyName} property provided either in a JWT or as option`)\n    }\n    result = defaultValue\n  }\n  return result\n}\n","import { AuthorizationChallengeCodeResponse, AuthorizationResponse } from '../types'\n\nimport { convertURIToJsonObject } from './Encoding'\n\nexport const toAuthorizationResponsePayload = (\n  input: AuthorizationResponse | AuthorizationChallengeCodeResponse | string,\n): AuthorizationResponse | AuthorizationChallengeCodeResponse => {\n  let response = input\n  if (typeof input === 'string') {\n    if (input.trim().startsWith('{') && input.trim().endsWith('}')) {\n      response = JSON.parse(input)\n    } else if (input.includes('?') && input.includes('code')) {\n      response = convertURIToJsonObject(input) as AuthorizationResponse\n    }\n  }\n  if (response && typeof response !== 'string') {\n    return response\n  }\n  throw Error(`Could not create authorization response from the input ${input}`)\n}\n","import { defaultHasher } from '@sphereon/oid4vc-common'\n// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { toString } = u8a\n// eslint-disable-next-line @typescript-eslint/ban-ts-comment\n// @ts-ignore\nimport { SupportedEncodings } from 'uint8arrays/to-string'\n\nimport { CodeChallengeMethod } from '../types'\n\nimport randomBytes from './randomBytes.cjs'\n\nexport const CODE_VERIFIER_DEFAULT_LENGTH = 128\nexport const NONCE_LENGTH = 32\n\nexport const generateRandomString = (length: number, encoding?: SupportedEncodings): string => {\n  return toString(randomBytes(length), encoding).slice(0, length)\n}\n\nexport const generateNonce = (length?: number): string => {\n  return generateRandomString(length ?? NONCE_LENGTH)\n}\nexport const generateCodeVerifier = (length?: number): string => {\n  const codeVerifier = generateRandomString(length ?? CODE_VERIFIER_DEFAULT_LENGTH, 'base64url')\n  assertValidCodeVerifier(codeVerifier)\n  return codeVerifier\n}\n\nexport const createCodeChallenge = (codeVerifier: string, codeChallengeMethod?: CodeChallengeMethod): string => {\n  if (codeChallengeMethod === CodeChallengeMethod.plain) {\n    return codeVerifier\n  } else if (!codeChallengeMethod || codeChallengeMethod === CodeChallengeMethod.S256) {\n    return toString(defaultHasher(codeVerifier, 'sha256'), 'base64url')\n  } else {\n    // Just a precaution if a new method would be introduced\n    throw Error(`code challenge method ${codeChallengeMethod} not implemented`)\n  }\n}\n\nexport const assertValidCodeVerifier = (codeVerifier: string) => {\n  const length = codeVerifier.length\n  if (length < 43) {\n    throw Error(`code_verifier should have a minimum length of 43; see rfc7636`)\n  } else if (length > 128) {\n    throw Error(`code_verifier should have a maximum length of 128; see rfc7636`)\n  }\n}\n","/**\n * Experimental support not following the VCI spec to have the holder actually (re)sign the issued credential and return it to the issuer\n */\n\nexport const EXPERIMENTAL_SUBJECT_PROOF_MODE_ENABLED = process.env.EXPERIMENTAL_SUBJECT_PROOF_MODE?.trim().toLowerCase() === 'true'\n\nexport type SubjectProofMode = 'proof_chain' | 'proof_set' | 'proof_replace'\n\nexport type SubjectProofNotificationEventsSupported = 'credential_accepted_holder_signed' | 'credential_deleted_holder_signed' | 'credential_accepted'\n\nexport interface ExperimentalSubjectIssuance {\n  credential_subject_issuance?: {\n    subject_proof_mode: SubjectProofMode\n    notification_events_supported: Array<SubjectProofNotificationEventsSupported>\n  }\n}\n","import { EventManager } from '@sphereon/ssi-types'\n\nexport type EventNames = CredentialOfferEventNames | NotificationStatusEventNames | LogEvents | CredentialEventNames\n\nexport enum CredentialOfferEventNames {\n  OID4VCI_OFFER_CREATED = 'OID4VCI_OFFER_CREATED',\n  OID4VCI_OFFER_EXPIRED = 'OID4VCI_OFFER_EXPIRED',\n  OID4VCI_OFFER_DELETED = 'OID4VCI_OFFER_DELETED',\n}\n\nexport enum CredentialEventNames {\n  OID4VCI_CREDENTIAL_ISSUED = 'OID4VCI_CREDENTIAL_ISSUED',\n}\n\nexport enum NotificationStatusEventNames {\n  OID4VCI_NOTIFICATION_RECEIVED = 'OID4VCI_NOTIFICATION_RECEIVED',\n  OID4VCI_NOTIFICATION_PROCESSED = 'OID4VCI_NOTIFICATION_PROCESSED',\n  OID4VCI_NOTIFICATION_ERROR = 'OID4VCI_NOTIFICATION_ERROR',\n}\nexport type LogEvents = 'oid4vciLog'\nexport const EVENTS = EventManager.instance()\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACAA;AAAA,2CAAAA,SAAA;AAAA;AAAA;AAEA,QAAM,YAAY;AAIlB,QAAM,aAAa;AAOnB,QAAM,UAAU,OAAO,eAAe,cAAc,aAAa;AAEjE,QAAI,SAAS,QAAQ,UAAU,QAAQ;AACvC,QAAI,CAAC,QAAQ;AACX,UAAI;AAEF,iBAAS,QAAQ,QAAQ;AAAA,MAC3B,SAAS,KAAK;AACZ,cAAM,MAAM,gCAAgC;AAAA,MAC9C;AAAA,IACF;AAEA,aAASC,aAAY,MAAM;AAEzB,UAAI,OAAO,WAAY,OAAM,IAAI,MAAM,iCAAiC;AAGxE,YAAM,QAAQ,OAAO,YAAY,IAAI;AAErC,UAAI,OAAO,GAAG;AAEZ,YAAI,OAAO,WAAW;AAGpB,mBAAS,YAAY,GAAG,YAAY,MAAM,aAAa,WAAW;AAGhE,mBAAO,gBAAgB,MAAM,MAAM,WAAW,YAAY,SAAS,CAAC;AAAA,UACtE;AAAA,QACF,OAAO;AACL,iBAAO,gBAAgB,KAAK;AAAA,QAC9B;AAAA,MACF;AACA,aAAO,WAAW,KAAK,KAAK;AAAA,IAC9B;AAtBS,WAAAA,cAAA;AAyBT,IAAAD,QAAO,UAAUC;AAAA;AAAA;;;AClDjB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;IAAAC,oBAAwB;;;ACAxB;;;ACAA;;;ACAA;;;ACAA;;;ACGA;;;ACiZA;AAAO,IAAMC,wBAAwB;AAC9B,IAAMC,yBAAyB;;;AD9N/B,IAAKC,8BAAAA,yBAAAA,8BAAAA;;;;;;;;SAAAA;;AAwHL,IAAKC,aAAAA,yBAAAA,aAAAA;;;;SAAAA;;AAML,IAAKC,WAAAA,yBAAAA,WAAAA;;;SAAAA;;AAKL,IAAKC,eAAAA,yBAAAA,eAAAA;;SAAAA;;AAIL,IAAKC,sBAAAA,yBAAAA,sBAAAA;;;SAAAA;;AAiEL,IAAKC,UAAAA,yBAAAA,UAAAA;;;;SAAAA;;AA+BL,IAAKC,0BAAAA,yBAAAA,0BAAAA;;;;SAAAA;;AAwEL,IAAKC,gBAAAA,yBAAAA,gBAAAA;;;SAAAA;;UAMKA,gBAAAA;AACR,WAASC,QAAQC,SAA+B;AACrD,QAAIC,yBAAyBD,SAAS;AACpC,aAAA;IACF;AACA,WAAA;EACF;AALgBD;iBAAAA,UAAAA;AAMlB,GAPiBD,kBAAAA,gBAAAA,CAAAA,EAAAA;;;AE9ZjB;AAAO,IAAKI,cAAAA,yBAAAA,cAAAA;;;SAAAA;;AAmCL,IAAKC,MAAAA,yBAAAA,MAAAA;;;;;;;;;;SAAAA;;;;ACxEZ;;;ACTA;AACO,SAASC,8BAA8BC,SAAmC;AAC/E,SAAOA,WAAW,cAAcA;AAClC;AAFgBD;;;ACgEhB;AACO,SAASE,8BAA8BC,SAAmC;AAC/E,SAAOA,WAAW,kBAAkBA;AACtC;AAFgBD;;;AC8HhB;AACO,IAAME,qCAAuF;;EAElG;EACA;EACA;;EAGA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;;EAGA;EACA;;;;ACvIF;AACO,IAAMC,wCAAkF;EAC7F;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;;AAGK,IAAKC,qBAAAA,yBAAAA,qBAAAA;;;;SAAAA;;;;ACxIZ;AAEO,IAAMC,aAAa;AACnB,IAAMC,gBAAgB;AACtB,IAAMC,gBAAgB;AACtB,IAAMC,4BAA4B;AAClC,IAAMC,kBAAkB;AACxB,IAAMC,YAAY;AAClB,IAAMC,YAAY,oHAAoHC,OAAOC,KAClJC,GAAAA,EACAC,KAAK,IAAA,CAAA;AACA,IAAMC,oBAAoB;AAC1B,IAAMC,uBAAuB;AAC7B,IAAMC,sBAAsB;AAC5B,IAAMC,YAAY;AAClB,IAAMC,YAAY;AAClB,IAAMC,cAAc;AACpB,IAAMC,0BAA0B;AAChC,IAAMC,sBAAsB;AAC5B,IAAMC,uBAAuB;AAC7B,IAAMC,uCAAuC;AAC7C,IAAMC,6CAA6C;AACnD,IAAMC,wBAAwB;AAC9B,IAAMC,+BAA+B;AACrC,IAAMC,sBAAsB;AAC5B,IAAMC,2BAA2B;AACjC,IAAMC,+BAA+B;AACrC,IAAMC,qCAAqC;AAC3C,IAAMC,0BAA0B;AAChC,IAAMC,8BAA8B;AACpC,IAAMC,8BAA8B;AACpC,IAAMC,uBAAuB;AAC7B,IAAMC,sBAAsB;AAC5B,IAAMC,8BAA8B;AACpC,IAAMC,8BAA8B;AACpC,IAAMC,qCAAqC;AAC3C,IAAMC,+BAA+B;AACrC,IAAMC,qCAAqC;AAC3C,IAAMC,qCAAqC;AAC3C,IAAMC,wBAAwB;;;ACvCrC;AAAO,IAAKC,oBAAAA,yBAAAA,oBAAAA;;;;;;yDAMIC,OAAOC,SAAS,IAAA;SANpBF;;AASL,IAAKG,oBAAAA,yBAAAA,oBAAAA;;;SAAAA;;;;ACgBZ;AAAO,IAAKC,cAAAA,yBAAAA,cAAAA;;;;;;;;;;SAAAA;;;;ACzBZ;AAAO,IAAKC,qBAAAA,yBAAAA,qBAAAA;;;;;;SAAAA;;AAQL,IAAMC,aAAN,MAAMA,oBAAmBC,MAAAA;EARhC,OAQgCA;;;EACbC;EACAC;EACjBC,YAAYC,YAAoBC,eAAmCC,SAAiB;AAClF,UAAMA,OAAAA;AACN,SAAKL,cAAcG;AACnB,SAAKF,iBAAiBG;AAGtBE,WAAOC,eAAe,MAAMT,YAAWU,SAAS;EAClD;EACA,IAAIL,aAAqB;AACvB,WAAO,KAAKH;EACd;EACA,IAAII,gBAAoC;AACtC,WAAO,KAAKH;EACd;EAEAQ,iBAAiB;AACf,WAAO,KAAKJ;EACd;AACF;;;ACmCA;;;AC9DA;AAEO,SAASK,SACdC,cACAC,QAAc;AAEd,SAAOD,aAAaC,WAAWA;AACjC;AALgBF;AAOT,SAASG,YACdF,cACAC,QAAc;AAEd,SAAOD,aAAaC,WAAWA;AACjC;AALgBC;AAOhB,IAAMC,kBAAkB,wBAACF,WAAAA;AACvB,SAAO;IAAC;IAAe;IAAkB;IAAU;IAAa;IAAYG,SAASH,MAAAA;AACvF,GAFwB;AAIjB,SAASI,iBAAiBJ,QAA2D;AAE1F,MAAIE,gBAAgBF,MAAAA,GAAS;AAC3B,WAAOA;EACT;AAGA,MAAIA,OAAOK,kBAAiB,MAAO,YAAYL,OAAOK,kBAAiB,MAAO,OAAO;AACnF,WAAO;EACT;AACA,MAAIL,WAAW,YAAYA,WAAW,OAAO;AAC3C,WAAO;EACT;AAEA,QAAM,IAAIM,MAAM,mBAAmBN,MAAAA,EAAQ;AAC7C;AAfgBI;AAiBT,SAASG,oBAAoBP,QAAgBQ,SAA0B;AAC5E,QAAMC,gBAAgBP,gBAAgBF,MAAAA,IAAUA,SAASI,iBAAiBJ,MAAAA;AAE1E,MAAIQ,YAAYE,kBAAkBC,YAAY;AAC5C,QAAIF,kBAAkB,eAAe;AACnC,aAAO;IACT,WAAWA,kBAAkB,YAAYA,kBAAkB,kBAAkB;AAC3E,aAAO;IACT;EACF;AAEA,SAAOA;AACT;AAZgBF;;;AhB5BT,SAASK,oBAAoBC,mBAAsCC,MAA8C;AACtH,MAAIC,QAAkB,CAAA;AACtB,MAAI,2BAA2BF,qBAAqBA,kBAAkBG,uBAAuB;AAC3F,UAAMC,MAAM,wEAAwE;EACtF,WACEJ,kBAAkBK,WAAW,oBAC7BL,kBAAkBK,WAAW,YAC7BL,kBAAkBK,WAAW,YAC7BL,kBAAkBK,WAAW,eAC7B;AACA,QAAI,2BAA2BL,qBAAqBA,kBAAkBM,uBAAuB;AAC3FJ,cACE,WAAWF,kBAAkBM,wBACzBN,kBAAkBM,sBAAsBJ,QACxCF,kBAAkBM,sBAAsBC;IAChD;AAEA,QAAI,UAAUP,qBAAqBQ,MAAMC,QAAQT,kBAAkBO,IAAI,GAAG;AACxEL,cAAQF,kBAAkBO;IAC5B;AAEA,QAAI,WAAWP,qBAAqBQ,MAAMC,QAAQT,kBAAkBE,KAAK,GAAG;AAC1EA,cAAQF,kBAAkBE;IAC5B;EACF,WAAWF,kBAAkBK,WAAW,eAAe,SAASL,mBAAmB;AACjFE,YAAQ;MAACF,kBAAkBU;;EAC7B,WAAWV,kBAAkBK,WAAW,cAAc,aAAaL,mBAAmB;AACpFE,YAAQ;MAACF,kBAAkBW;;EAC7B;AAEA,MAAI,CAACT,SAASA,MAAMU,WAAW,GAAG;AAChC,UAAMR,MAAM,gDAAA;EACd;AACA,MAAIH,MAAMY,4BAA4B;AACpC,WAAOX,MAAMY,OAAO,CAACP,SAASA,SAAS,sBAAA;EACzC;AACA,SAAOL;AACT;AArCgBH;AAuCT,SAASgB,+BACdf,mBACAgB,SAA0B;AAE1B,MAAIA,YAAYC,kBAAkBC,YAAY;AAE5C,UAAMC,eAAeC,oBAAoBpB,kBAAkBK,QAASW,OAAAA;AACpE,UAAMd,QAAQH,oBAAoBC,mBAAmB;MAAEa,4BAA4B;IAAK,CAAA;AAExF,QAAIb,kBAAkBqB,6BAA6B;AACjD,YAAMjB,MAAM,+EAAA;IACd;AACA,WAAO;MACLC,QAAQc;MACRG,OAAOtB,kBAAkBsB;MACzBf,MAAML,MAAM,CAAA;IACd;EASF;AAEA,SAAOF;AACT;AA5BgBe;;;AiBhDhB;;;ACFA;uBAAwB;AACxB,yBAAsB;AAItB,IAAMQ,SAASC,yBAAQC,QAAQC,IAAI,0BAAA;AAE5B,IAAMC,UAAU,8BACrBC,MACAC,SAAAA;AAQA,SAAO,MAAMC,YAAYF,MAAKG,QAAW;IAAEC,QAAQ;IAAO,GAAGH;EAAK,CAAA;AACpE,GAXuB;AAahB,IAAMI,WAAW,8BACtBC,KACAC,MACAN,SAAAA;AAQA,SAAO,MAAMO,KAAKF,KAAKC,MAAMN,MAAMQ,cAAc;IAAE,GAAGR;EAAK,IAAI;IAAEQ,aAAaC,SAASC;IAAkB,GAAGV;EAAK,CAAA;AACnH,GAZwB;AAcjB,IAAMO,OAAO,8BAClBF,KACAC,MACAN,SAAAA;AAQA,SAAO,MAAMC,YAAYI,KAAKC,MAAM;IAAEH,QAAQ;IAAQ,GAAGH;EAAK,CAAA;AAChE,GAZoB;AAcpB,IAAMC,cAAc,8BAClBI,KACAC,MACAN,SAAAA;AASA,QAAMW,UAAkCX,MAAMY,iBAAiB,CAAC;AAChE,MAAIZ,MAAMa,aAAa;AACrBF,YAAQ,eAAA,IACN,GAAGA,QAAQG,OAAO,SAAS,QAAA,IAAY,OAAOd,KAAKa,gBAAgB,aAAa,MAAMb,KAAKa,YAAW,IAAKb,KAAKa,WAAW;EAC/H;AACA,QAAMV,SAASH,MAAMG,SAASH,KAAKG,SAASG,OAAO,SAAS;AAC5D,QAAMS,SAASf,MAAMe,SAASf,KAAKe,SAAS;AAC5CJ,UAAQ,QAAA,IAAYI;AACpB,MAAIJ,QAAQ,cAAA,GAAiB;AAC3B,QAAIX,MAAMQ,eAAeR,KAAKQ,gBAAgBG,QAAQ,cAAA,GAAiB;AACrE,YAAMK,MAAM,kDAAkDL,QAAQ,cAAA,CAAe,uCAAuCX,KAAKQ,WAAW,GAAG;IACjJ;EACF,OAAO;AACL,QAAIR,MAAMQ,aAAa;AACrBG,cAAQ,cAAA,IAAkBX,KAAKQ;IACjC,WAAWL,WAAW,OAAO;AAC3BQ,cAAQ,cAAA,IAAkB;IAC5B;EACF;AAEA,QAAMM,UAAuB;IAC3Bd;IACAQ;IACAL;EACF;AAEAZ,SAAOwB,MAAM,uBAAuBb,GAAAA,EAAK;AACzC,MAAIC,MAAM;AACRZ,WAAOwB,MAAM;EAAY,OAAOZ,QAAQ,WAAWA,OAAOa,KAAKC,UAAUd,IAAAA,CAAAA,EAAO;EAClF;AACAZ,SAAOwB,MAAM;EAAeC,KAAKC,UAAUH,QAAQN,OAAO,CAAA,EAAG;AAC7D,QAAMU,eAAe,UAAMC,0BAAMjB,KAAKY,OAAAA;AACtC,QAAMM,iBAAiBR,WAAW,sBAAsBM,aAAaV,QAAQd,IAAI,cAAA,MAAoB;AACrG,QAAM2B,UAAUH,gBAAgBA,aAAaI,UAAU,OAAOJ,aAAaI,SAAS;AACpF,QAAMC,eAAe,MAAML,aAAaM,KAAI;AAC5C,QAAMC,eAAeL,kBAAkBG,aAAaG,SAAS,GAAA,IAAOV,KAAKW,MAAMJ,YAAAA,IAAgBA;AAE/FhC,SAAOwB,MAAM,GAAGM,UAAU,YAAY,OAAA,YAAmBH,aAAaI,MAAM;EAAcN,KAAKC,UAAUQ,YAAAA,CAAAA,EAAe;AACxH,MAAI,CAACJ,WAAWxB,MAAM+B,4BAA4B;AAChD,UAAMC,QAAQb,KAAKC,UAAUQ,YAAAA;AAC7B,UAAM,IAAIZ,MAAMgB,UAAU,OAAO,2BAA2BA,KAAAA;EAC9D;AACAtC,SAAOwB,MAAM,qBAAqBb,GAAAA,EAAK;AAEvC,SAAO;IACLgB;IACAY,aAAaT,UAAUI,eAAe1B;IACtCgC,WAAW,CAACV,UAAUI,eAAe1B;EACvC;AACF,GA7DoB;AA+Db,IAAMiC,aAAa,wBAAC9B,QAAAA;AACzB,QAAM+B,aAAa,IAAIC,OACrB,uLAOA,GAAA;AAEF,SAAOD,WAAWE,KAAKjC,GAAAA;AACzB,GAZ0B;AAcnB,IAAMkC,WAAW,wBAACC,OAAeC,SAAAA;AACtC,SAAOC,QAAQC,UAAUH,OAAOC,IAAAA,GAAOA,IAAAA;AACzC,GAFwB;AAIjB,IAAMC,UAAU,wBAACF,OAAeC,SAAAA;AACrC,SAAOD,MAAMI,SAASH,IAAAA,IAAQD,MAAMK,UAAU,GAAGL,MAAMM,SAASL,KAAKK,MAAM,IAAIN;AACjF,GAFuB;AAIhB,IAAMG,YAAY,wBAACH,OAAeC,SAAAA;AACvC,SAAOD,MAAMO,WAAWN,IAAAA,IAAQD,MAAMK,UAAUJ,KAAKK,MAAM,IAAIN;AACjE,GAFyB;AAIlB,IAAMQ,YAAY,wBACvBC,WACAjD,SAAAA;AAOA,MAAIK,MAAM,OAAO4C,cAAc,WAAWA,UAAUC,SAAQ,IAAMD;AAClE,MAAIjD,MAAMmD,QAAQ;AAChB9C,UAAMqC,QAAQrC,KAAK,GAAA,IAAO,MAAMsC,UAAU3C,KAAKmD,QAAQ,GAAA;EACzD;AACA,MAAInD,MAAMoD,SAAS;AACjB,QAAIpD,KAAKoD,QAAQvB,SAAS,KAAA,GAAQ;AAEhC,UAAI,CAACxB,IAAI0C,WAAW/C,KAAKoD,OAAO,GAAG;AACjC/C,cAAMqC,QAAQ1C,KAAKoD,SAAS,GAAA,IAAO,MAAMT,UAAUtC,KAAK,GAAA;MAC1D;IACF,OAAO;AAEL,UAAIgD,OAAO;AACX,UAAIC,OAAOjD;AACX,UAAIA,IAAIwB,SAAS,KAAA,GAAQ;AAEvBwB,eAAO,IAAItD,IAAIM,GAAAA,EAAKgD;AACpBC,eAAO,IAAIvD,IAAIM,GAAAA,EAAKkD;MACtB;AACA,UAAI,CAACD,KAAKP,WAAW/C,KAAKoD,OAAO,GAAG;AAClC,YAAIC,QAAQA,SAAS,IAAI;AACvBhD,gBAAMqC,QAAQW,MAAM,GAAA;QACtB;AACAhD,eAAOqC,QAAQrC,KAAK,GAAA,IAAO,MAAMkC,SAASvC,KAAKoD,SAAS,GAAA,IAAO,MAAMT,UAAUW,MAAM,GAAA;MACvF;IACF;EACF;AACA,MAAItD,MAAMwD,iBAAiB;AACzBnD,UAAMsC,UAAUtC,KAAK,GAAA;EACvB;AACA,MAAIL,MAAMyD,eAAe;AACvBpD,UAAMqC,QAAQrC,KAAK,GAAA;EACrB;AAEA,MAAI,OAAO4C,cAAc,UAAU;AACjC,WAAO5C;EACT;AACA,SAAO,IAAIN,IAAIM,GAAAA;AACjB,GA/CyB;;;ADrIlB,SAASqD,6BAA6BC,oBAAsD;AACjG,QAAMC,OAAOD,mBAAmBE;AAEhC,SAAOF,mBAAmBG,aAAaC,SAAS,OAAO,KAAK,CAAC,CAACH,QAAQ,CAACA,KAAKI,eAAe,CAAC,CAACJ,KAAKK,oBAAoB,CAAC,CAACL,KAAKM;AAC/H;AAJgBR;AAKhB,SAASS,oBAAoBR,oBAAsD;AACjF,MAAIA,mBAAmBG,aAAaC,WAAW,OAAOJ,mBAAmBS,WAAWC,OAAO;AACzF,QAAIV,mBAAmBS,UAAUC,UAAU,4BAA4BV,mBAAmBS,UAAUC,MAAMC,SAAS,kBAAA,GAAqB;AACtI,YAAMC,MAAM,0EAAA;IACd;EACF;AACF;AANSJ;AAQF,SAASK,oCAAoCb,oBAAsD;AACxG,MAAID,6BAA6BC,kBAAAA,GAAqB;AACpD,WAAOA,oBAAoBE,aAAaK,kBAAkB,CAAC,CAACP,oBAAoBE,aAAaI;EAC/F;AACA,MAAIN,mBAAmBG,aAAaC,WAAW,OAAOJ,mBAAmBS,WAAWC,OAAO;AACzF,QAAIV,mBAAmBS,UAAUC,UAAU,oBAAoB;AAC7D,aAAO;IACT,WAAWV,mBAAmBS,UAAUK,mBAAmBC,YAAAA,EAAcJ,SAAS,mBAAA,GAAsB;AACtG,aAAO;IACT;EACF;AACA,SAAO;AACT;AAZgBE;AAchB,SAASG,MAAMC,IAAU;AACvB,SAAO,IAAIC,QAAQ,CAACC,YAAAA;AAClBC,eAAWD,SAASF,EAAAA;EACtB,CAAA;AACF;AAJSD;AAMT,eAAsBK,0BAA0B,EAC9CC,aACAC,eACAC,4BACAC,gCACAC,wBAAuB,GAOxB;AACC,MAAI1B,qBAAoF,MAAM2B,8BAA8B;IAC1HL;IACAC;IACAC;EACF,CAAA;AAEA,QAAMI,sBAAsB;AAC5B,SAAO,CAAC5B,mBAAmBE,aAAaG,cAAcqB,yBAAyB;AAC7ElB,wBAAoBR,kBAAAA;AACpB,UAAM6B,UAAUhB,oCAAoCb,kBAAAA;AACpD8B,YAAQC,IAAI,4BAA4BF,OAAAA,EAAS;AACjD,QAAI,CAACA,SAAS;AACZ,YAAMjB,MAAM,mCAAmCZ,kBAAAA,EAAoB;IACrE;AAEA,UAAMgB,MAAMS,kCAAkCG,mBAAAA;AAC9C5B,yBAAqB,MAAM2B,8BAA8B;MAAEL;MAAaC;MAAeC;IAA2B,CAAA;EACpH;AACA,SAAOxB;AACT;AAhCsBqB;AAkCtB,eAAeM,8BAA8B,EAC3CL,aACAC,eACAC,2BAA0B,GAK3B;AACC,QAAMQ,WAA+C,MAAMC,KACzDT,4BACAU,KAAKC,UAAUZ,gBAAgB;IAAEhB,gBAAgBgB;EAAc,IAAI,EAAA,GACnE;IAAED;EAAY,CAAA;AAEhBQ,UAAQC,IAAIG,KAAKC,UAAUH,UAAU,MAAM,CAAA,CAAA;AAC3CxB,sBAAoBwB,QAAAA;AAEpB,SAAO;IAAE,GAAGA;IAAUI,cAAcd;EAAY;AAClD;AAlBeK;;;AEvEf;IAAAU,oBAAwB;AACxB,wBAAsC;AA0BtC,IAAMC,UAASC,0BAAQC,QAAQC,IAAI,wBAAA;AAE5B,SAASC,4BAA4BC,KAAW;AACrD,MAAIC,UAAUC,+BAA+BF,KAAKG,kBAAkBC,WAAW,KAAKD,kBAAkBC;AACtGH,YAAUI,uBAAuBL,KAAKC,SAAS;IAACE,kBAAkBG;KAAa,mBAAA;AAC/EL,YAAUI,uBAAuBL,KAAKC,SAAS;IAACE,kBAAkBG;KAAa,iBAAA;AAC/EL,YAAUI,uBAAuBL,KAAKC,SAAS;IAACE,kBAAkBG;KAAa,UAAA;AAM/EL,YAAUI,uBAAuBL,KAAKC,SAAS;IAACE,kBAAkBI;KAAa,aAAA;AAC/EN,YAAUI,uBAAuBL,KAAKC,SAAS;IAACE,kBAAkBI;KAAa,0BAAA;AAE/EN,YAAUI,uBAAuBL,KAAKC,SAAS;IAACE,kBAAkBK;KAAa,8BAAA;AAC/EP,YAAUI,uBAAuBL,KAAKC,SAAS;IAACE,kBAAkBK;KAAa,SAAA;AAC/E,MAAIP,YAAYE,kBAAkBC,aAAa;AAC7CH,cAAUE,kBAAkBK;EAC9B;AACA,SAAOP;AACT;AAnBgBF;AAqBT,SAASG,+BAA+BO,oBAA4BC,mBAAoC;AAC7G,QAAMC,SAASC,UAAUH,kBAAAA;AACzB,MAAIA,mBAAmBI,SAASC,kBAAkBC,iBAAiB,GAAG;AACpE,WAAOC,cAAcN,mBAAmB;MAACP,kBAAkBG;OAAaK,MAAAA;EAC1E;AACA,MAAIF,mBAAmBI,SAAS,sBAAA,GAAyB;AACvD,WAAOI;EACT,WAESR,mBAAmBI,SAASC,kBAAkBI,gBAAgB,GAAG;AACxE,QAAIT,mBAAmBI,SAAS,cAAA,KAAmBJ,mBAAmBI,SAAS,gBAAA,GAAmB;AAChG,aAAOG,cAAcN,mBAAmB;QAACP,kBAAkBI;SAAaI,MAAAA;IAC1E;AACA,WAAOK,cAAcN,mBAAmB;MAACP,kBAAkBK;OAAaG,MAAAA;EAC1E,OAAO;AACL,WAAOK,cAAcN,mBAAmB;MAACP,kBAAkBC;OAAcO,MAAAA;EAC3E;AACF;AAjBgBT;AAmBT,SAASU,UAAUH,oBAA0B;AAClD,MAAI,CAACA,sBAAsB,CAACA,mBAAmBI,SAAS,KAAA,GAAQ;AAC9D,UAAMM,MAAM,8BAAA;EACd;AACA,SAAOV,mBAAmBW,MAAM,KAAA,EAAO,CAAA;AACzC;AALgBR;AAOT,SAASS,oCAAoCC,SAA+B;AACjF,MAAI,CAACA,WAAY,EAAE,YAAYA,YAAY,EAAE,uBAAuBA,UAAW;AAC7E,WAAOL;EACT;AACA,SAAO,YAAYK,UAAUA,QAAQC,SAASD,QAAQ,mBAAA;AACxD;AALgBD;AAOT,IAAMG,wCAAwC,wBAACC,oBAAAA;AACpD,MAAI,CAACA,iBAAiB;AACpB;EACF;AACA,MAAI,eAAeA,iBAAiB;AAClC,WAAOA,gBAAgBC;EACzB;AAEA,QAAMC,QAA4BC,mCAAmCH,eAAAA;AACrE,MAAIE,SAASE,MAAMF,KAAAA,GAAQ;AACzB,UAAMG,cAAUC,6BAAsBJ,OAAO;MAAEK,QAAQ;IAAM,CAAA;AAC7D,QAAI,eAAeF,WAAW,OAAOA,QAAQJ,cAAc,UAAU;AACnE,aAAOI,QAAQJ;IACjB;EACF;AACA;AACF,GAhBqD;AAkBrD,IAAMG,QAAQ,wBAACI,UAAAA;AACb,MAAI,CAACA,OAAO;AACV,WAAO;EACT;AACA,QAAMC,UAAUD,OAAOb,MAAM,GAAA,EAAKe;AAClC,SAAOF,OAAOG,WAAW,IAAA,KAASF,YAAY;AAChD,GANc;AAOP,IAAMN,qCAAqC,wBAACH,oBAAAA;AACjD,MAAI,YAAYA,iBAAiB;AAC/B,QAAIA,gBAAgBY,QAAQC,oBAAoB;AAC9C,aAAOb,gBAAgBY,OAAOC,mBAAmBC;IACnD,WAAWd,gBAAgBY,SAASG,sBAAAA,GAAyB;AAC3D,aAAOf,gBAAgBY,SAASG,sBAAAA,IAA0BC,qBAAAA;IAC5D;EACF;AACA,MAAI,cAAchB,iBAAiB;AAEjC,WAAOA,gBAAgBiB;EACzB,WAAWD,yBAAyBhB,iBAAiB;AACnD,WAAOA,gBAAgBgB,qBAAAA;EACzB;AAEA;AACF,GAhBkD;AAkB3C,SAASE,8BAA8BC,OAA+C;AAC3F,MAAIC,yBAAyBD,KAAAA,GAAQ;AACnC,WAAOzC,kBAAkBK;EAI3B,WAAWsC,yBAAyBF,KAAAA,GAAQ;AAC1C,WAAOzC,kBAAkBI;EAC3B,WAAWwC,yBAAyBH,KAAAA,GAAQ;AAC1C,WAAOzC,kBAAkB6C;EAC3B,WAAWC,yBAAyBL,KAAAA,GAAQ;AAC1C,WAAOzC,kBAAkBG;EAC3B;AACA,SAAOH,kBAAkBC;AAC3B;AAdgBuC;AAgBT,SAASO,yBAAyBN,OAAiDO,KAAwBC,KAAuB;AACvI,MAAIA,OAAOA,IAAIC,QAAO,IAAKF,IAAIE,QAAO,GAAI;AACxC,UAAMlC,MAAM,qBAAqBiC,IAAIC,QAAO,CAAA,yCAA2CF,IAAIE,QAAO,CAAA,EAAI;EACxG;AACA,QAAMpD,UAAU0C,8BAA8BC,KAAAA;AAC9C,MAAI3C,QAAQoD,QAAO,IAAKF,IAAIE,QAAO,GAAI;AACrC1D,IAAAA,QAAO2D,MAAM,6BAA6BrD,QAAQoD,QAAO,CAAA,6CAA+CF,IAAIE,QAAO,CAAA,GAAK;AACxH,WAAO;EACT,WAAWD,OAAOnD,QAAQoD,QAAO,IAAKD,IAAIC,QAAO,GAAI;AACnD1D,IAAAA,QAAO2D,MAAM,6BAA6BrD,QAAQoD,QAAO,CAAA,8CAAgDD,IAAIC,QAAO,CAAA,GAAK;AACzH,WAAO;EACT;AACA,SAAO;AACT;AAbgBH;AAehB,SAASD,yBAAyBL,OAA+C;AAC/E,MAAI,CAACA,OAAO;AACV,WAAO;EACT;AACA,MAAI,YAAYA,SAAS,qBAAqBA,OAAO;AAEnD,WAAO;EACT;AACA,MAAI,sBAAsBA,SAASA,MAAM,kBAAA,GAAqB;AAE5D,WAAOK,yBAAyBL,MAAM,kBAAA,CAAmB;EAC3D;AACA,SAAO;AACT;AAbSK;AAeT,SAASF,yBAAyBH,OAA+C;AAC/E,MAAI,CAACA,OAAO;AACV,WAAO;EACT;AACA,MAAI,YAAYA,SAAS,iBAAiBA,OAAO;AAE/C,WAAO;EACT;AACA,MAAI,sBAAsBA,SAASA,MAAM,kBAAA,GAAqB;AAE5D,WAAOG,yBAAyBH,MAAM,kBAAA,CAAmB;EAC3D;AACA,SAAO;AACT;AAbSG;AAeT,SAASD,yBAAyBF,OAA+C;AAC/E,MAAI,CAACA,OAAO;AACV,WAAO;EACT;AACA,MAAI,uBAAuBA,SAAS,iBAAiBA,OAAO;AAE1D,WAAO;EACT;AACA,MAAI,sBAAsBA,SAASA,MAAM,kBAAA,GAAqB;AAE5D,WAAOE,yBAAyBF,MAAM,kBAAA,CAAmB;EAC3D;AACA,SAAO,0BAA0BA;AACnC;AAbSE;AAgCT,SAASD,yBAAyBD,OAA+C;AAC/E,MAAI,CAACA,OAAO;AACV,WAAO;EACT,WAAW,OAAOA,UAAU,YAAaA,MAAiBR,WAAW,GAAA,GAAM;AACzEQ,YAAQW,KAAKC,MAAMZ,KAAAA;EACrB;AACA,MAAI,uBAAuBA,SAAS,kCAAkCA,OAAO;AAE3E,WAAO;EACT;AACA,MAAI,sBAAsBA,SAASA,MAAM,kBAAA,GAAqB;AAE5D,WAAOC,yBAAyBD,MAAM,kBAAA,CAAmB;EAC3D;AACA,SAAO,0BAA0BA;AACnC;AAfSC;AAiBT,eAAsBY,gCACpBb,OACAc,MAGC;AAED,MAAIzD,UAAUyD,MAAMzD,WAAW0C,8BAA8BC,KAAAA;AAC7D,MAAIe,0BAA0Bf,MAAMgB;AACpC,MAAInD;AACJ,MAAI,0BAA0BmC,SAASA,OAAOiB,yBAAyB5C,QAAW;AAChFR,yBAAqBmC,MAAMiB;AAE3B,QAAIH,MAAMI,WAAWJ,MAAMI,YAAY7C,QAAW;AAChD8C,qBAAeC,IAAI,wFAAwFvD,kBAAAA,EAAoB;AAC/HkD,gCAA2B,MAAMM,0BAA0BxD,kBAAAA;IAI7D,WAAW,CAACkD,yBAAyB;AACnC,YAAMxC,MAAM,yBAAyBV,kBAAAA,mFAAqG;IAC5I;AAEAR,cAAU0C,8BAA8BgB,uBAAAA;AACxCI,mBAAeC,IAAI,iDAAiD/D,OAAAA,EAAS;EAC/E;AACA,MAAI,CAAC0D,yBAAyB;AAC5B,UAAMxC,MAAM,+BAAA;EACd;AACA,QAAM+C,UAAUC,gCAAgCR,yBAAyB;IAAE,GAAGD;IAAMzD;EAAQ,CAAA;AAC5F,QAAMmE,iBAAiBC,kBAAkBH,SAASjE,OAAAA;AAClD,SAAO;IACL2D,kBAAkBM;IAClBI,2BAA2BX;IAC3B,GAAIlD,sBAAsB;MAAEoD,sBAAsBpD;IAAmB;IACrE2D;IACAnE;EACF;AACF;AAtCsBwD;AAwCf,SAASc,cAAcjD,SAA+D;AAC3F,QAAM4C,UAAU,sBAAsB5C,UAAUA,QAAQsC,mBAAoBtC;AAC5E,SAAO4C,SAAS7B,SAASG,sBAAAA,IAA0BC,qBAAAA,MAA2BxB;AAChF;AAHgBsD;AAKhB,eAAsBC,+BACpBC,qBACAf,MAEC;AAED,QAAMjC,kBAAkB8B,KAAKC,MAAMD,KAAKmB,UAAUD,mBAAAA,CAAAA;AAClD,MAAIhD,gBAAgBoC,wBAAwB,CAACpC,gBAAgBmC,kBAAkB;AAC7E,QAAIF,MAAMI,YAAY7C,UAAayC,KAAKI,SAAS;AAC/CrC,sBAAgBmC,mBAAmB,MAAMK,0BAA0BxC,gBAAgBoC,oBAAoB;IACzG,OAAO;AACL,YAAM1C,MAAM,2FAA2F;IACzG;EACF;AACA,MAAI,CAACM,gBAAgBmC,kBAAkB;AACrC,UAAMzC,MAAM,6BAA6B;EAC3C;AACAM,kBAAgBmC,mBAAmB,MAAMO,gCAAgC1C,gBAAgBmC,kBAAkB;IAAE3D,SAASwB,gBAAgBxB;EAAQ,CAAA;AAC9I,SAAOwB;AACT;AAnBsB+C;AAqBtB,eAAsBP,0BAA0BjE,KAAY;AAC1D,MAAI,CAACA,KAAK;AACR,WAAOiB;EACT;AACA,QAAM0D,WAAY,MAAMC,QAAQ5E,GAAAA;AAChC,MAAI,CAAC2E,YAAY,CAACA,SAASE,aAAa;AACtC,UAAM1D,MAAM,4CAA4CnB,GAAAA,KAAQuD,KAAKmB,UAAUC,UAAUG,SAAAA,CAAAA,EAAY;EACvG;AACA,SAAOH,SAASE;AAClB;AATsBZ;AAWf,SAASE,gCACdvB,OACAc,MAEC;AAGD,QAAMzD,UAAUyD,MAAMzD,WAAW0C,8BAA8BC,KAAAA;AAC/D,MAAI3C,WAAWE,kBAAkBI,YAAY;AAC3C,UAAMwE,OAAOnC;AACb,WAAO;MACL,GAAGmC;IACL;EACF;AACA,QAAM1C,SAAgB,YAAYO,QAASA,MAAMP,SAAmB,CAAC;AACrE,MAAI2C,qBAAqBpC;AACzB,MAAIM,yBAAyBN,OAAOzC,kBAAkBG,YAAYH,kBAAkB6C,UAAU,GAAG;AAC/F,QAAIgC,mBAAmBtC,UAAU;AAC/BL,aAAOC,qBAAqB;QAC1B,GAAGD,OAAOC;QACVC,cAAcyC,mBAAmBtC;MACnC;IACF;AACA,QAAIuC,oBAAoB;AACxB,QAAI,OAAOD,mBAAmBC,sBAAsB,UAAU;AAC5DA,0BAAoBD,mBAAmBC,sBAAsB,UAAUD,mBAAmBC,sBAAsB;IAClH,WAAWD,mBAAmBC,sBAAsBhE,QAAW;AAC7DgE,0BAAoBD,mBAAmBC;IACzC;AACA,QAAID,mBAAmBvC,qBAAAA,GAAwB;AAC7CJ,aAAOG,sBAAAA,IAA0B;QAC/B,uBAAuBwC,mBAAmBvC,qBAAAA;QAC1CwC;MACF;IACF;EACF;AACA,QAAM1D,SAASF,oCAAoCuB,KAAAA;AACnD,MAAI3C,YAAYE,kBAAkB6C,YAAY;AAC5CgC,yBAAqBpC;AACrB,WAAO;;MAELsC,mBAAmB3D,UAAUyD,mBAAmBzD;MAChD4D,aAAaH,mBAAmBG;MAChC9C;IACF;EACF;AACA,MAAIpC,YAAYE,kBAAkBG,YAAY;AAC5C0E,yBAAqBpC;AACrB,WAAO;MACLsC,mBAAmB3D,UAAUyD,mBAAmBzD;MAChD4D,aAAaC,MAAMC,QAAQL,mBAAmBM,eAAe,IAAIN,mBAAmBM,kBAAkB;QAACN,mBAAmBM;;MAC1HjD;IACF;EACF;AACA,QAAMlB,MAAM,gDAAgDlB,OAAAA,EAAS;AACvE;AAvDgBkE;AAyDT,SAASE,kBACdkB,eACAtF,SAA0B;AAE1B,QAAMiE,UAAyCsB,0BAA0BD,aAAAA;AACzE,QAAMnB,iBAAkC,CAAA;AACxC,MAAIF,QAAQ7B,QAAQC,oBAAoB;AACtC8B,mBAAeqB,KAAKC,cAAcC,uBAAuB;EAC3D;AACA,MAAIzB,QAAQ7B,SAASG,sBAAAA,IAA0BC,qBAAAA,GAAwB;AACrE2B,mBAAeqB,KAAKC,cAAcE,wBAAwB;EAC5D;AACA,MAAIxB,eAAejC,WAAW,KAAKlC,UAAUE,kBAAkB6C,YAAY;AAEzEoB,mBAAeqB,KAAKC,cAAcC,uBAAuB;EAC3D;AACA,SAAOvB;AACT;AAjBgBC;AAmBT,SAASmB,0BAA0B5C,OAAqE;AAC7G,MAAIsB;AACJ,MAAI,sBAAsBtB,SAASA,MAAM,kBAAA,GAAqB;AAC5DsB,cAAUtB,MAAMgB;EAClB,OAAO;AACLM,cAAUtB;EACZ;AACA,SAAOsB;AACT;AARgBsB;AAUT,SAASK,oBACdjD,OAK6B;AAE7B,MAAIP;AACJ,MAAI,YAAYO,SAASA,MAAMP,QAAQ;AACrCA,aAASO,MAAMP;EACjB,OAAO;AACLA,aAASmD,0BAA0B5C,KAAAA,EAAyEP;EAC9G;AAEA,QAAMyD,QAAsB,CAAA;AAC5B,MAAIzD,QAAQ;AACV,QAAI,wBAAwBA,QAAQ;AAClCyD,YAAML,KAAKM,WAAWC,kBAAkB;IAC1C;AACA,QAAIxD,0BAA0BH,QAAQ;AACpCyD,YAAML,KAAKM,WAAWE,mBAAmB;IAC3C;EACF;AACA,SAAOH;AACT;AAzBgBD;AA2BhB,SAASxF,uBACPI,oBACAyF,gBACAC,iBACAC,OACAC,eAAe,MAAI;AAEnB,MAAI5F,mBAAmBI,SAASuF,KAAAA,GAAQ;AACtC,WAAOpF,cAAckF,gBAAgBC,iBAAiBC,OAAOC,YAAAA;EAC/D;AACA,SAAOH;AACT;AAXS7F;AAaT,SAASW,cAAckF,gBAAmCC,iBAAsCG,KAAaD,eAAe,MAAI;AAC9HF,oBAAkBA,gBAAgBI,KAAI,EAAGC,QAAO;AAChD,MAAIN,mBAAmB/F,kBAAkBC,aAAa;AACpD,WAAO+F,gBAAgB,CAAA;EACzB,WAAWA,gBAAgBtF,SAASqF,cAAAA,GAAiB;AACnD,QAAI,CAACG,cAAc;AACjB,aAAOH;IACT;AACA,WAAOC,gBAAgB,CAAA;EACzB;AAEA,QAAM,IAAIhF,MACR,yDAAyD+E,cAAAA,mBAAiCI,GAAAA,2BAA8B/C,KAAKmB,UAAUyB,eAAAA,CAAAA,EAAkB;AAE7J;AAdSnF;AAgBF,SAASyF,yBAAyBhF,iBAAgDiC,MAA8C;AACrI,QAAMoC,QAAQrE,gBAAgB0D,YAAYuB,OAAiB,CAACC,MAAMC,SAAAA;AAIhE,QAAI,OAAOA,SAAS,UAAU;AAC5B,aAAO;WAAID;QAAMC;;IACnB,WAAWA,KAAKC,WAAW,oBAAoBD,KAAKC,WAAW,UAAU;AACvE,aAAO;WAAIF;WAASC,KAAKE,sBAAsBhB;;IACjD,WAAWc,KAAKC,WAAW,iBAAiBD,KAAKC,WAAW,UAAU;AACpE,aAAO;WAAIF;WAASC,KAAKd;;IAC3B,WAAWc,KAAKC,WAAW,aAAa;AACtC,aAAO;WAAIF;QAAMC,KAAKG;;IACxB;AAEA,WAAOJ;EACT,GAAG,CAAA,CAAE;AAEL,MAAI,CAACb,SAASA,MAAM3D,WAAW,GAAG;AAChC,UAAMhB,MAAM,8CAAA;EACd;AACA,MAAIuC,MAAMsD,4BAA4B;AACpC,WAAOlB,MAAMmB,OAAO,CAACC,SAASA,SAAS,sBAAA;EACzC;AACA,SAAOpB;AACT;AAzBgBW;;;ACvchB;AAWO,SAASU,iBACdC,MAOAC,MAA0B;AAE1B,MAAI,OAAOD,SAAS,UAAU;AAC5B,WAAOD,iBAAiBG,KAAKC,MAAMH,IAAAA,GAAOC,IAAAA;EAC5C;AAEA,QAAMG,UAAU,CAAA;AAEhB,WAASC,yBAAyBC,KAAW;AAC3C,WAAOC,mBAAmBD,IAAIE,QAAQ,KAAK,EAAA,CAAA;EAC7C;AAFSH;AAIT,MAAII;AACJ,MAAKR,MAAMS,WAAWT,KAAKS,UAAUC,kBAAkBC,cAAc,CAACX,KAAKY,QAASZ,MAAMY,SAASC,YAAYC,gBAAgB;AAE7HN,iBAAaJ,yBAAyBH,KAAKc,UAAUhB,IAAAA,CAAAA;EACvD,OAAO;AAEL,eAAW,CAACM,KAAKW,KAAAA,KAAUC,OAAOC,QAAQnB,IAAAA,GAAO;AAC/C,UAAI,CAACiB,OAAO;AACV;MACF;AAEA,UAAI,CAAChB,MAAMmB,mBAAmBC,SAASf,GAAAA,GAAM;AAC3CF,gBAAQkB,KAAK,GAAGhB,GAAAA,IAAOW,KAAAA,EAAO;AAC9B;MACF;AACA,UAAIhB,MAAMsB,qBAAqBF,SAASf,GAAAA,KAAQkB,MAAMC,QAAQR,KAAAA,GAAQ;AACpEb,gBAAQkB,KAAKL,MAAMS,IAAI,CAACC,MAAM,GAAGtB,yBAAyBC,GAAAA,CAAAA,IAAQsB,yBAAyBD,GAAG,KAAA,CAAA,EAAQ,EAAEE,KAAK,GAAA,CAAA;AAC7G;MACF;AACA,YAAMC,SAAS,OAAOb,SAAS;AAC/B,YAAMc,WAAW,OAAOd,SAAS;AACjC,YAAMe,WAAW,OAAOf,SAAS;AACjC,UAAIgB;AACJ,UAAIH,UAAUC,UAAU;AACtBE,kBAAU,GAAG5B,yBAAyBC,GAAAA,CAAAA,IAAQW,KAAAA;MAChD,WAAWe,UAAU;AACnBC,kBAAU,GAAG5B,yBAAyBC,GAAAA,CAAAA,IAAQsB,yBAAyBX,OAAO,KAAA,CAAA;MAChF,OAAO;AACLgB,kBAAU,GAAG5B,yBAAyBC,GAAAA,CAAAA,IAAQsB,yBAAyB1B,KAAKc,UAAUC,KAAAA,GAAQ,KAAA,CAAA;MAChG;AACAb,cAAQkB,KAAKW,OAAAA;IACf;AACAxB,iBAAaL,QAAQyB,KAAK,GAAA;EAC5B;AACA,MAAI5B,MAAMiC,SAAS;AACjB,QAAIjC,KAAKiC,QAAQC,SAAS,GAAA,GAAM;AAC9B,UAAIlC,KAAKmC,OAAO;AACd,cAAMC,MAAM,8CAAA;MACd;AACA,aAAO,GAAGpC,KAAKiC,OAAO,GAAGzB,UAAAA;IAC3B,WAAW,CAACR,KAAKiC,QAAQb,SAAS,GAAA,GAAM;AACtC,aAAO,GAAGpB,KAAKiC,OAAO,IAAIjC,KAAKmC,QAAQnC,KAAKmC,QAAQ,MAAM,EAAA,GAAK3B,UAAAA;IACjE,WAAWR,KAAKiC,QAAQC,SAAS,GAAA,GAAM;AACrC,aAAO,GAAGlC,KAAKiC,OAAO,GAAGjC,KAAKmC,QAAQnC,KAAKmC,QAAQ,MAAM,EAAA,GAAK3B,UAAAA;IAChE,OAAO;AACL,aAAO,GAAGR,KAAKiC,OAAO,GAAGjC,KAAKmC,QAAQ,MAAMnC,KAAKmC,QAAQ,EAAA,IAAM3B,UAAAA;IACjE;EACF;AACA,SAAOA;AACT;AArEgBV;AA+ET,SAASuC,uBAAuBC,KAAatC,MAA0B;AAC5E,MAAI,CAACsC,OAAQtC,MAAMuC,sBAAsB,CAACvC,KAAKuC,oBAAoBC,MAAM,CAACC,MAAMH,IAAIlB,SAASqB,CAAAA,CAAAA,GAAM;AACjG,UAAM,IAAIL,MAAMM,UAAAA;EAClB;AAEA,QAAMC,gBAAgBC,wBAAwBN,KAAKtC,MAAMsB,mBAAAA;AACzD,SAAOuB,qBAAqBF,aAAAA;AAC9B;AAPgBN;AAST,SAASQ,qBAAqBC,OAA4B;AAC/D,QAAMC,SAAwD,CAAC;AAC/D,aAAW1C,OAAOyC,OAAO;AACvB,UAAM9B,QAAQ8B,MAAMzC,GAAAA;AACpB,QAAI,CAACW,OAAO;AACV;IACF;AACA,QAAIO,MAAMC,QAAQR,KAAAA,GAAQ;AACxB+B,aAAOC,mBAAmB3C,GAAAA,CAAAA,IAAQW,MAAMS,IAAI,CAACC,MAAMsB,mBAAmBtB,CAAAA,CAAAA;AACtE;IACF;AAEA,UAAMG,SAAS,OAAOb,SAAS;AAC/B,UAAMc,WAAW,OAAOd,SAAS;AACjC,UAAMe,WAAW,OAAOf,SAAS;AACjC,UAAMiC,WAAW,OAAOjC,SAAS;AACjC,QAAIa,UAAUC,UAAU;AACtBiB,aAAOC,mBAAmB3C,GAAAA,CAAAA,IAAQW;IACpC,WAAWe,UAAU;AACnB,YAAMmB,UAAUF,mBAAmBhC,KAAAA;AACnC,UAAIkC,QAAQC,WAAW,GAAA,KAAQD,QAAQhB,SAAS,GAAA,GAAM;AACpDa,eAAOC,mBAAmB3C,GAAAA,CAAAA,IAAQJ,KAAKC,MAAMgD,OAAAA;MAC/C,OAAO;AACLH,eAAOC,mBAAmB3C,GAAAA,CAAAA,IAAQ6C;MACpC;IACF,WAAWD,UAAU;AACnBF,aAAOC,mBAAmB3C,GAAAA,CAAAA,IAAQwC,qBAAqB7B,KAAAA;IACzD;EACF;AACA,SAAO+B;AACT;AA9BgBF;AAqCT,SAASD,wBAAwBN,KAAac,YAAqB;AACxE,QAAMN,QAAQR,IAAIlB,SAAS,GAAA,IAAOkB,IAAIe,MAAM,GAAA,EAAK,CAAA,IAAKf,IAAIlB,SAAS,KAAA,IAASkB,IAAIe,MAAM,KAAA,EAAO,CAAA,IAAKf;AAClG,QAAMvC,OAA8B,CAAA;AACpC,QAAMuD,OAAiBR,MAAMO,MAAM,GAAA;AACnC,aAAWE,SAASD,MAAM;AACxB,UAAME,OAAiBD,MAAMF,MAAM,GAAA;AACnC,UAAMI,KAAUD,KAAK,CAAA;AACrB,UAAME,KAAUF,KAAK,CAAA;AACrB,QAAIJ,YAAYhC,SAASqC,EAAAA,GAAK;AAC5B,YAAMpD,MAAMN,KAAK0D,EAAAA;AACjB,UAAIlC,MAAMC,QAAQnB,GAAAA,GAAM;AACtBA,YAAIgB,KAAKqC,EAAAA;MACX,OAAO;AACL3D,aAAK0D,EAAAA,IAAM;UAACC;;MACd;AACA;IACF;AACA3D,SAAK0D,EAAAA,IAAMC;EACb;AACA,SAAO3D;AACT;AApBgB6C;AA2BhB,SAASjB,yBAAyBgC,cAAsBC,aAAwB;AAG9E,SAAOtD,mBAAmBqD,YAAAA,EAAcpD,QAAQqD,aAAa,CAACC,MAAM,IAAIA,EAAEC,WAAW,CAAA,EAAGC,SAAS,EAAA,EAAIC,YAAW,CAAA,EAAI;AACtH;AAJSrC;;;ACnKT;AAkBO,SAASsC,yBACdC,WAAwE;AAQxE,SAAO;IAAC;IAAe;IAAkB;IAAU;IAAUC,SAASD,UAAUE,MAAM;AACxF;AAVgBH;AAYT,IAAMI,uBAAuB,wBAACC,UAAAA;AACnC,SAAOA,SAAS,CAACC,MAAM,CAACD,KAAAA,IAAS,CAACA,QAAQE;AAC5C,GAFoC;AAQ7B,SAASC,mBACdC,SAMU;AAEV,MAAIA,YAAYF,QAAW;AACzB,WAAOA;EACT,WAAW,OAAOE,YAAY,UAAU;AACtC,WAAO;MAACA;;EACV,WAAW,2BAA2BA,SAAS;AAC7C,WAAOD,mBACLC,QAAQC,qBAAqB;EAKjC,WAAW,WAAWD,WAAWA,QAAQE,OAAO;AAC9C,WAAOC,MAAMC,QAAQJ,QAAQE,KAAK,IAAIF,QAAQE,QAAQ;MAACF,QAAQE;;EACjE,WAAW,UAAUF,WAAWA,QAAQK,MAAM;AAC5C,WAAOF,MAAMC,QAAQJ,QAAQK,IAAI,IAAIL,QAAQK,OAAO;MAACL,QAAQK;;EAC/D,WAAW,SAASL,WAAWA,QAAQM,KAAK;AAC1C,WAAO;MAACN,QAAQM;;EAClB,WAAW,aAAaN,WAAWA,QAAQO,SAAS;AAClD,WAAO;MAACP,QAAQO;;EAClB;AACAC,iBAAeC,QAAQ,kFAAA;AACvB,SAAOX;AACT;AA/BgBC;AAiCT,SAASW,4BACdC,OACAC,MAAmC;AAEnC,QAAM,EAAEC,iBAAiB,MAAK,IAAK;IAAE,GAAGD;EAAK;AAC7C,MAAI,iBAAiBD,SAASR,MAAMC,QAAQO,MAAMG,WAAW,GAAG;AAC9D,WAAOH,MAAMG,YAAYC,IAAI,CAACC,SAASjB,mBAAmBiB,IAAAA,CAAAA,EAAOC,OAAO,CAACD,SAA2BA,SAASlB,MAAAA;EAC/G,WAAWe,kBAAkB,kCAAkCF,SAASR,MAAMC,QAAQO,MAAMO,4BAA4B,GAAG;AACzH,WAAOP,MAAMO,6BAA6BH,IAAI,CAACI,OAAO;MAACA;KAAG;EAC5D,WAAW,sBAAsBR,SAASA,MAAMS,kBAAkB;AAChE,WAAOV,4BAA4BC,MAAMS,kBAAkBR,IAAAA;EAC7D,WAAW,qBAAqBD,SAASA,MAAMU,iBAAiB;AAC9D,QAAI,OAAOV,MAAMU,oBAAoB,UAAU;AAC7C,aAAO;QAAC;UAACV,MAAMU;;;IACjB,WAAWlB,MAAMC,QAAQO,MAAMU,eAAe,GAAG;AAC/C,aAAO;QAACV,MAAMU;;IAChB;EACF;AACAb,iBAAeC,QAAQ,6FAAA;AACvB,SAAOX;AACT;AApBgBY;AAsBT,SAASY,iCAAiCC,aAAmCX,MAAmC;AACrH,QAAM,EAAEC,iBAAiB,MAAK,IAAK;IAAE,GAAGD;EAAK;AAC7C,MAAI,OAAOW,gBAAgB,UAAU;AACnC,WAAO;MAACA;;EACV,WAAW,WAAWA,eAAepB,MAAMC,QAAQmB,YAAYrB,KAAK,GAAG;AACrE,WAAOqB,YAAYrB;EACrB,WAAWW,kBAAkBU,YAAYC,6BAA6B;AACpE,WAAO;MAACD,YAAYC;;EACtB;AAEA,SAAO1B;AACT;AAXgBwB;AAaT,SAASG,gCACdC,qBACAd,MAA8C;AAE9C,MAAIV,QAAkB,CAAA;AACtB,MACEwB,oBAAoBhC,WAAW,iBAC/BgC,oBAAoBhC,WAAW,YAC/BgC,oBAAoBhC,WAAW,oBAC/BgC,oBAAoBhC,WAAW,UAC/B;AACAQ,YAAQH,mBAAmB2B,mBAAAA,KAAwB,CAAA;EACrD,WAAWA,oBAAoBhC,WAAW,aAAa;AACrDQ,YAAQ;MAACwB,oBAAoBpB;;EAC/B,WAAWoB,oBAAoBhC,WAAW,YAAY;AACpDQ,YAAQ;MAACwB,oBAAoBnB;;EAC/B;AAEA,MAAI,CAACL,SAASA,MAAMyB,WAAW,GAAG;AAChC,UAAMC,MAAM,kDAAA;EACd;AACA,MAAIhB,MAAMiB,4BAA4B;AACpC,WAAO3B,MAAMe,OAAO,CAACZ,SAASA,SAAS,sBAAA;EACzC;AACA,SAAOH;AACT;AAzBgBuB;;;AC1GhB;AAcO,SAASK,wBAAwBC,MAKvC;AACC,QAAM,EAAEC,UAAUC,kBAAkBC,YAAYC,MAAK,IAAKJ,QAAQ,CAAC;AACnE,MAAII,SAASC,MAAMC,QAAQF,KAAAA,GAAQ;AACjC,QAAIH,UAAUC,kBAAkBC,YAAY;AAC1C,aAAOC,MAAMG,QAAQ,CAACC,YAAYC,uBAAuB;QAAE,GAAGT;QAAMC;QAASG,OAAOI;MAAQ,CAAA,CAAA;IAC9F,OAAO;AACL,aAAOJ,MACJM,IAAI,CAACF,YAAAA;AACJ,eAAOC,uBAAuB;UAAE,GAAGT;UAAMC;UAASG,OAAOI;QAAQ,CAAA;MACnE,CAAA,EACCG,OACC,CAACC,KAAKC,WAAAA;AACJC,eAAOC,OAAOH,KAAKC,MAAAA;AACnB,eAAOD;MACT,GACA,CAAC,CAAA;IAEP;EACF;AAEA,SAAOH,uBAAuBT,OAAO;IAAE,GAAGA;IAAMI,OAAOY;EAAU,IAAIA,MAAAA;AACvE;AA1BgBjB;AA4BT,SAASkB,oCAAoCC,gBAAyD;AAC3G,QAAMC,WAAW,oBAAIC,IAAAA;AACrB,MAAI,0BAA0BF,gBAAgB;AAC5CC,aAASE,IAAInB,kBAAkBoB,UAAU;EAC3C,WAAW,2BAA2BJ,gBAAgB;AACpDC,aAASE,IAAInB,kBAAkBC,UAAU;EAC3C;AACA,MAAIgB,SAASI,SAAS,GAAG;AAEvB,QAAI,yCAAyCL,gBAAgB;AAC3DC,eAASE,IAAInB,kBAAkBC,UAAU;IAC3C,WAAW,2BAA2Be,gBAAgB;AACpD,UAAI,OAAOA,eAAeM,0BAA0B,UAAU;AAC5DL,iBAASE,IAAInB,kBAAkBuB,UAAU;MAC3C,OAAO;AACLN,iBAASE,IAAInB,kBAAkBwB,UAAU,EAAEL,IAAInB,kBAAkBoB,UAAU;MAC7E;IACF;EACF;AACA,MAAIH,SAASI,SAAS,GAAG;AACvBJ,aAASE,IAAInB,kBAAkByB,WAAW;EAC5C;AAEA,SAAOtB,MAAMuB,KAAKT,QAAAA,EAAUU,KAAI,EAAGC,QAAO;AAC5C;AAxBgBb;AA0BT,SAASR,uBAAuBT,MAKtC;AACC,QAAM,EAAEkB,gBAAgBd,OAAO2B,QAAQ9B,UAAUC,kBAAkBC,WAAU,IAAKH,QAAQ,CAAC;AAE3F,MAAIgC,8BAAmFhB;AACvF,MAAIiB,8BAAmGjB;AACvG,MACEf,UAAUC,kBAAkBgC,cAC3BhB,gBAAgBiB,wCAAwCnB,UAAaE,gBAAgBM,uBACtF;AACA,QAAIN,gBAAgBM,yBAAyB,CAACnB,MAAMC,QAAQY,gBAAgBM,qBAAAA,GAAwB;AAElGQ,oCAA8B,CAAA;AAE9BlB,aAAOsB,QAAQlB,eAAeM,qBAAqB,EAAGa,QAAQ,CAAC,CAACC,IAAIC,SAAAA,MAAU;AAC5E,YAAI,CAACA,UAAUD,IAAI;AACjBC,oBAAUD,KAAKA;QACjB;AACAN,qCAA6BQ,KAAKD,SAAAA;MACpC,CAAA;IACF,OAAO;AACLP,oCAA+Bd,gBAAgBM,yBAAqE,CAAA;IACtH;EACF,OAAO;AACLS,kCACGf,gBAAgBiB,uCAAmG,CAAC;EACzH;AACA,MAAI,CAACjB,kBAAmB,CAACA,eAAeiB,uCAAuC,CAACjB,eAAeM,uBAAwB;AACrHiB,mBAAeC,QAAQ,0EAA0E;AAEjG,WAAOzC,UAAUC,kBAAkBC,aAAa6B,8BAA+BC;EACjF;AAEA,QAAMU,kBAA4BtC,MAAMC,QAAQF,KAAAA,IAASA,QAAQA,QAAQ;IAACA;MAAS,CAAA;AACnF,QAAMwC,oBAA8BvC,MAAMC,QAAQyB,MAAAA,IAAUA,SAASA,SAAS;IAACA;MAAU,CAAA;AAEzF,WAASc,qBAAqBC,QAAwC;AACpE,QAAIC,cAAcJ,gBAAgBK,WAAW;AAC7C,UAAM5C,SAAQ6C,mBAAmBH,MAAAA;AACjC,QAAI,CAACC,aAAa;AAChB,UAAIJ,gBAAgBK,WAAW,KAAKF,OAAOR,OAAOK,gBAAgB,CAAA,GAAI;AACpEI,sBAAc;MAChB,WAAW3C,QAAO;AAChB2C,sBAAcJ,gBAAgBO,MAAM,CAACC,SAAS/C,OAAMgD,SAASD,IAAAA,CAAAA;MAC/D,OAAO;AACL,YAAIE,yBAAyBP,MAAAA,KAAW,2BAA2BA,QAAQ;AACzEC,wBAAcJ,gBAAgBO,MAAM,CAACC,SAASL,OAAOQ,sBAAsBH,KAAKC,SAASD,IAAAA,CAAAA;QAC3F,WAAWE,yBAAyBP,MAAAA,KAAW,UAAUA,UAAUzC,MAAMC,QAAQwC,OAAOK,IAAI,GAAG;AAC7FJ,wBAAcJ,gBAAgBO,MAAM,CAACC,SAAUL,OAAOK,KAAkBC,SAASD,IAAAA,CAAAA;QACnF,WAAWE,yBAAyBP,MAAAA,KAAW,WAAWA,QAAQ;AAChEC,wBAAcJ,gBAAgBO,MAAM,CAACC,SAASL,OAAO1C,OAAOgD,SAASD,IAAAA,CAAAA;QACvE;MACF;IACF;AAEA,UAAMI,gBAAgBX,kBAAkBI,WAAW,KAAKJ,kBAAkBQ,SAASN,OAAOf,MAAM;AAEhG,WAAOgB,eAAeQ,gBAAgBT,SAAS9B;EACjD;AAtBS6B;AAwBT,MAAIZ,6BAA6B;AAC/B,WAAOnB,OAAOsB,QAAQH,2BAAAA,EAA6BtB,OACjD,CAAC6C,iBAAiB,CAAClB,IAAIQ,MAAAA,MAAO;AAC5B,UAAID,qBAAqBC,MAAAA,GAAS;AAChCU,wBAAgBlB,EAAAA,IAAMQ;AAEtB,YAAI,CAACA,OAAOR,IAAI;AACdQ,iBAAOR,KAAKA;QACd;MACF;AACA,aAAOkB;IACT,GACA,CAAC,CAAA;EAEL,WAAWxB,6BAA6B;AACtC,WAAOA,4BAA4ByB,OAAO,CAACX,WAAWD,qBAAqBC,MAAAA,CAAAA;EAC7E;AACA,QAAMY,MAAM,2FAA2F;AACzG;AAlFgBjD;AAoFT,SAASkD,4BAA4BC,aAA2C;AACrF,QAAMC,6BAA+E,CAAC;AACtF/C,SAAOsB,QAAQwB,WAAAA,EAAarD,QAAQ,CAACuD,UAAAA;AACnC,UAAMX,OAAOW,MAAM,CAAA;AACnB,UAAMF,eAAcE,MAAM,CAAA;AAC1BhD,WAAOC,OAAO8C,4BAA4BE,2BAA2BZ,MAAMS,YAAAA,CAAAA;EAC7E,CAAA;AACA,SAAOC;AACT;AARgBF;AAUT,SAASI,2BAA2BC,KAAaJ,aAAuC;AAC7F,QAAMC,6BAA+E,CAAC;AACtF/C,SAAOsB,QAAQwB,YAAYK,OAAO,EAAEvD,IAAI,CAACoD,UAAAA;AACvC,UAAM/B,SAAS+B,MAAM,CAAA;AACrB,UAAMI,yBAAyBJ,MAAM,CAAA;AACrC,QAAI,OAAO/B,WAAW,UAAU;AAC9B,YAAM2B,MAAM,2BAA2BS,KAAKC,UAAUrC,MAAAA,CAAAA,EAAS;IACjE;AACA,UAAMsC,4BAAuE;MAC3EtC;MACAuC,SAASV,YAAYU;MACrB,GAAGJ;MACHK,mBAAmBX,YAAYY;IACjC;AACAX,+BAA2BG,GAAAA,IAAOK;EACpC,CAAA;AACA,SAAOR;AACT;AAjBgBE;AAmBT,SAASU,kBAAkBC,UAAqD1E,MAAgC;AACrH,QAAM2E,kBACJD,SAASJ,SAASb,OAChB,CAACmB,SAAS,CAAC5E,MAAM6E,eAAe7E,KAAK6E,YAAY7B,WAAW,KAAM4B,KAAKE,UAAU9E,KAAK6E,YAAYzB,SAASwB,KAAKE,MAAM,KAAM,CAACF,KAAKE,MAAM,KACrI,CAAA;AACP,SAAOH,gBAAgB9C,KAAK,CAAC+C,SAAUA,KAAKE,SAAU9E,MAAM6E,YAAYE,QAAQH,KAAKE,MAAM,KAAK,IAAKE,OAAOC,SAAS;AACvH;AANgBR;AAWT,SAASS,cACdC,KACAC,0BAA6G;AAE7G,MAAIA,0BAA0B;AAC5B,UAAMC,WAAmCD,2BAA2BX,kBAAkBW,wBAAAA,IAA4B,CAAA;AAClH,eAAWd,WAAWe,UAAU;AAC9B,UAAIf,QAAQgB,MAAM;AAChB,eAAOhB,QAAQgB;MACjB;IACF;EACF;AACA,SAAOH;AACT;AAbgBD;;;AC/LhB;IAAAK,oBAAwB;AACxB,IAAAC,qBAA0B;AAgB1B,IAAMC,UAASC,0BAAQC,QAAQC,IAAI,yBAAA;AAoB5B,IAAMC,0BAA0B,8BACrCC,SACAC,WACAC,UACAC,gBAAAA;AAEA,MAAI,CAACF,UAAUG,cAAc;AAC3BT,IAAAA,QAAOU,MAAM,+CAA+C;AAC5D,UAAM,IAAIC,MAAMC,UAAAA;EAClB;AAEA,QAAMC,aAAaC,UAAUT,SAASE,UAAUC,WAAAA;AAChD,QAAMO,MAAM,MAAMT,UAAUG,aAAaI,YAAYA,WAAWG,OAAOC,GAAG;AAC1E,QAAMC,QAAQ;IACZC,YAAY;IACZJ;EACF;AAEA,MAAI;AACFK,yBAAqBL,GAAAA;AACrB,QAAIT,UAAUe,gBAAgB;AAC5BrB,MAAAA,QAAOU,MAAM,sCAAsC;AACnD,YAAMJ,UAAUe,eAAe;QAAEN;QAAKE,KAAKJ,WAAWG,OAAOC;MAAI,CAAA;AACjEjB,MAAAA,QAAOU,MAAM,gDAAgD;IAC/D;EACF,QAAQ;AACNV,IAAAA,QAAOU,MAAM,mBAAmB;AAChC,UAAM,IAAIC,MAAMW,aAAAA;EAClB;AACAtB,EAAAA,QAAOU,MAAM;EAA+BK,GAAAA,EAAK;AACjD,SAAOG;AACT,GA/BuC;AAiCvC,IAAME,uBAAuB,wBAACG,QAAAA;AAC5B,MAAIA,IAAIC,MAAM,GAAA,EAAKC,WAAW,KAAK,CAACF,IAAIG,WAAW,IAAA,GAAO;AACxD,UAAM,IAAIf,MAAMW,aAAAA;EAClB;AACF,GAJ6B;AAMtB,IAAMK,QAAQ,wBAACC,UAAAA;AACpB,MAAI;AACFR,yBAAqBQ,KAAAA;AACrB,WAAO;EACT,SAASC,GAAG;AACV,WAAO;EACT;AACF,GAPqB;AASd,IAAMC,qBAAqB,wBAACC,wBAAAA;AACjC,SAAOA,sBAAsB,eAAeC,KAAKD,mBAAAA,IAAuB,CAAA,IAAKE;AAC/E,GAFkC;AAI3B,IAAMC,cAAc,8BACzBnB,KACAoB,SAAAA;AAEA,MAAI,CAACpB,KAAK;AACR,UAAMJ,MAAM,qBAAA;EACd;AAEA,MAAI,CAACwB,MAAMC,iCAAiC;AAC1CC,mBAAeC,QAAQ,mHAAmH;AAC1IlB,yBAAqBL,GAAAA;AACrB,UAAMC,aAASuB,8BAAqBxB,KAAK;MAAEC,QAAQ;IAAK,CAAA;AACxD,UAAMwB,cAAUD,8BAAsBxB,KAAK;MAAEC,QAAQ;IAAM,CAAA;AAC3D,WAAO;MACLD,KAAK;QAAEC;QAAQwB;MAAQ;MACvB,GAAGxB;MACH,GAAGwB;IACL;EACF,OAAO;AACL,WAAO,MAAML,KAAKC,gCAAgC;MAAErB;MAAKE,KAAKkB,KAAKlB;IAAI,CAAA;EACzE;AACF,GArB2B;AAoC3B,IAAMH,YAAY,wBAAC2B,MAAelC,UAAqBC,gBAAAA;AACrD,QAAMkC,MACJD,SAAS,QACLE,eAAkC,OAAO,MAAMpC,UAAUqC,QAAQpC,aAAagC,SAASE,GAAAA,IACvFC,eAAkC,OAAO,OAAOpC,UAAUmC,KAAKlC,aAAagC,SAASE,GAAAA;AAC3F,QAAMG,MACJJ,SAAS,QACLE,eAAuB,OAAO,OAAOpC,UAAUuC,UAAUtC,aAAagC,SAASK,GAAAA,IAC/EF,eAAuB,OAAO,OAAOpC,UAAUqC,QAAQpC,aAAagC,SAASK,GAAAA;AACnF,QAAME,YAAYN,SAAS,QAAQE,eAAuB,aAAa,OAAOpC,UAAUuC,UAAUtC,aAAagC,SAASO,SAAAA,IAAad;AACrI,QAAMe,MAAML,eAAuB,OAAO,OAAOpC,UAAUyC,KAAKxC,aAAagC,SAASQ,GAAAA;AACtF,QAAMC,MAAMN,eAAuB,OAAO,MAAMpC,UAAU0C,KAAKzC,aAAaQ,QAAQiC,KAAK,sBAAA;AACzF,QAAMC,QAAQP,eAAuB,SAAS,OAAOpC,UAAU2C,OAAO1C,aAAagC,SAASU,KAAAA;AAE5F,QAAMC,MAAMR,eAAuB,OAAO,OAAOpC,UAAU4C,KAAK3C,aAAaQ,QAAQmC,KAAK,OAAA;AAC1F,QAAMlC,MAAM0B,eAAuB,OAAO,OAAOpC,UAAUU,KAAKT,aAAaQ,QAAQC,GAAAA;AACrF,QAAMmC,MAAMT,eAAwB,OAAO,OAAOpC,UAAU6C,KAAK5C,aAAaQ,QAAQoC,GAAAA;AACtF,QAAMC,MAAMV,eAAyB,OAAO,OAAOpC,UAAU8C,KAAK7C,aAAaQ,OAAOqC,GAAAA;AACtF,QAAMtC,MAAoB;IAAE,GAAGP;EAAY;AAC3C,QAAM8C,MAAM,CAAC,oBAAIC,KAAAA;AACjB,QAAM1C,aAAkC;IACtC,GAAI6B,OAAO;MAAEA;IAAI;IACjBc,KAAKzC,IAAIyB,SAASgB,OAAOC,KAAKC,MAAMJ,MAAM,GAAA,IAAQ;IAClDK,KAAK5C,IAAIyB,SAASmB,OAAOF,KAAKC,MAAMJ,MAAM,GAAA,IAAQ,KAAK;IACvDJ;IACA,GAAIH,aAAa;MAAEA;IAAU;IAC7B,GAAIF,OAAO;MAAEA;IAAI;IACjB,GAAIG,OAAO;MAAEA;IAAI;EACnB;AAEA,QAAMY,YAAuB;IAC3BX;IACAE;IACA,GAAIlC,OAAO;MAAEA;IAAI;IACjB,GAAImC,OAAO;MAAEA;IAAI;IACjB,GAAIC,OAAO;MAAEA;IAAI;EACnB;AACA,SAAO;IACLb,SAAS;MAAE,GAAGzB,IAAIyB;MAAS,GAAG3B;IAAW;IACzCG,QAAQ;MAAE,GAAGD,IAAIC;MAAQ,GAAG4C;IAAU;EACxC;AACF,GAzCkB;AA2ClB,IAAMjB,iBAAiB,wBACrBkB,cACAC,UACAC,QACAC,aACAC,iBAAAA;AAEA,OAAK,OAAOF,WAAW,YAAYG,MAAMC,QAAQJ,MAAAA,MAAYA,UAAUC,eAAeD,WAAWC,aAAa;AAC5G,UAAMrD,MAAM,2BAA2BkD,YAAAA,iBAA6BE,MAAAA,8BAAoCC,WAAAA,oBAA+B;EACzI;AACA,MAAII,SAAUJ,cAAcA,cAAcD;AAC1C,MAAI,CAACK,QAAQ;AACX,QAAIN,UAAU;AACZ,YAAMnD,MAAM,MAAMkD,YAAAA,iDAA6D;IACjF;AACAO,aAASH;EACX;AACA,SAAOG;AACT,GAlBuB;;;ACvKvB;AAEO,IAAMC,iCAAiC,wBAC5CC,UAAAA;AAEA,MAAIC,WAAWD;AACf,MAAI,OAAOA,UAAU,UAAU;AAC7B,QAAIA,MAAME,KAAI,EAAGC,WAAW,GAAA,KAAQH,MAAME,KAAI,EAAGE,SAAS,GAAA,GAAM;AAC9DH,iBAAWI,KAAKC,MAAMN,KAAAA;IACxB,WAAWA,MAAMO,SAAS,GAAA,KAAQP,MAAMO,SAAS,MAAA,GAAS;AACxDN,iBAAWO,uBAAuBR,KAAAA;IACpC;EACF;AACA,MAAIC,YAAY,OAAOA,aAAa,UAAU;AAC5C,WAAOA;EACT;AACA,QAAMQ,MAAM,0DAA0DT,KAAAA,EAAO;AAC/E,GAf8C;;;ACJ9C;2BAA8B;AAG9B,UAAqB;AAQrB,yBAAwB;AAPxB,IAAM,EAAEU,SAAQ,IAAKC;AASd,IAAMC,+BAA+B;AACrC,IAAMC,eAAe;AAErB,IAAMC,uBAAuB,wBAACC,QAAgBC,aAAAA;AACnD,SAAON,aAASO,mBAAAA,SAAYF,MAAAA,GAASC,QAAAA,EAAUE,MAAM,GAAGH,MAAAA;AAC1D,GAFoC;AAI7B,IAAMI,gBAAgB,wBAACJ,WAAAA;AAC5B,SAAOD,qBAAqBC,UAAUF,YAAAA;AACxC,GAF6B;AAGtB,IAAMO,uBAAuB,wBAACL,WAAAA;AACnC,QAAMM,eAAeP,qBAAqBC,UAAUH,8BAA8B,WAAA;AAClFU,0BAAwBD,YAAAA;AACxB,SAAOA;AACT,GAJoC;AAM7B,IAAME,sBAAsB,wBAACF,cAAsBG,wBAAAA;AACxD,MAAIA,wBAAwBC,oBAAoBC,OAAO;AACrD,WAAOL;EACT,WAAW,CAACG,uBAAuBA,wBAAwBC,oBAAoBE,MAAM;AACnF,WAAOjB,aAASkB,oCAAcP,cAAc,QAAA,GAAW,WAAA;EACzD,OAAO;AAEL,UAAMQ,MAAM,yBAAyBL,mBAAAA,kBAAqC;EAC5E;AACF,GATmC;AAW5B,IAAMF,0BAA0B,wBAACD,iBAAAA;AACtC,QAAMN,SAASM,aAAaN;AAC5B,MAAIA,SAAS,IAAI;AACf,UAAMc,MAAM,+DAA+D;EAC7E,WAAWd,SAAS,KAAK;AACvB,UAAMc,MAAM,gEAAgE;EAC9E;AACF,GAPuC;;;ACxCvC;AAIO,IAAMC,0CAA0CC,QAAQC,IAAIC,iCAAiCC,KAAAA,EAAOC,YAAAA,MAAkB;;;ACJ7H;IAAAC,oBAA6B;AAItB,IAAKC,4BAAAA,yBAAAA,4BAAAA;;;;SAAAA;;AAML,IAAKC,uBAAAA,yBAAAA,uBAAAA;;SAAAA;;AAIL,IAAKC,+BAAAA,yBAAAA,+BAAAA;;;;SAAAA;;AAML,IAAMC,SAASC,+BAAaC,SAAQ;;;A7BlBpC,IAAMC,cAAcC,0BAAQC;AAC5B,IAAMC,iBAAiBH,YAAYI,IAAI,yBAAA;","names":["module","randomBytes","import_ssi_types","PRE_AUTH_CODE_LITERAL","PRE_AUTH_GRANT_LITERAL","AuthorizationChallengeError","GrantTypes","Encoding","ResponseType","CodeChallengeMethod","PARMode","CreateRequestObjectMode","AuthzFlowType","valueOf","request","PRE_AUTH_CODE_LITERAL","JsonURIMode","Alg","isAuthorizationRequestV1_0_09","request","isAuthorizationRequestV1_0_11","request","credentialIssuerMetadataFieldNames","authorizationServerMetadataFieldNames","WellKnownEndpoints","BAD_PARAMS","URL_NOT_VALID","JWS_NOT_VALID","PROOF_CANT_BE_CONSTRUCTED","NO_JWT_PROVIDED","TYP_ERROR","ALG_ERROR","Object","keys","Alg","join","KID_JWK_X5C_ERROR","KID_DID_NO_DID_ERROR","DID_NO_DIDDOC_ERROR","AUD_ERROR","IAT_ERROR","NONCE_ERROR","JWT_VERIFY_CONFIG_ERROR","ISSUER_CONFIG_ERROR","UNKNOWN_CLIENT_ERROR","NO_ISS_IN_AUTHORIZATION_CODE_CONTEXT","ISS_PRESENT_IN_PRE_AUTHORIZED_CODE_CONTEXT","ISS_MUST_BE_CLIENT_ID","GRANTS_MUST_NOT_BE_UNDEFINED","STATE_MISSING_ERROR","CREDENTIAL_MISSING_ERROR","UNSUPPORTED_GRANT_TYPE_ERROR","PRE_AUTHORIZED_CODE_REQUIRED_ERROR","USER_PIN_REQUIRED_ERROR","USER_PIN_TX_CODE_SPEC_ERROR","USER_PIN_NOT_REQUIRED_ERROR","PIN_VALIDATION_ERROR","PIN_NOT_MATCH_ERROR","INVALID_PRE_AUTHORIZED_CODE","EXPIRED_PRE_AUTHORIZED_CODE","JWT_SIGNER_CALLBACK_REQUIRED_ERROR","STATE_MANAGER_REQUIRED_ERROR","NONCE_STATE_MANAGER_REQUIRED_ERROR","ACCESS_TOKEN_ISSUER_REQUIRED_ERROR","WRONG_METADATA_FORMAT","OpenId4VCIVersion","Number","MAX_VALUE","DefaultURISchemes","IssueStatus","TokenErrorResponse","TokenError","Error","_statusCode","_responseError","constructor","statusCode","responseError","message","Object","setPrototypeOf","prototype","getDescription","isFormat","formatObject","format","isNotFormat","isUniformFormat","includes","getUniformFormat","toLocaleLowerCase","Error","getFormatForVersion","version","uniformFormat","OpenId4VCIVersion","VER_1_0_08","getTypesFromRequest","credentialRequest","opts","types","credential_identifier","Error","format","credential_definition","type","Array","isArray","vct","doctype","length","filterVerifiableCredential","filter","getCredentialRequestForVersion","version","OpenId4VCIVersion","VER_1_0_08","draft8Format","getFormatForVersion","credential_subject_issuance","proof","logger","Loggers","DEFAULT","get","getJson","URL","opts","openIdFetch","undefined","method","formPost","url","body","post","contentType","Encoding","FORM_URL_ENCODED","headers","customHeaders","bearerToken","dpop","accept","Error","payload","debug","JSON","stringify","origResponse","fetch","isJSONResponse","success","status","responseText","text","responseBody","includes","parse","exceptionOnHttpErrorStatus","error","successBody","errorBody","isValidURL","urlPattern","RegExp","test","trimBoth","value","trim","trimEnd","trimStart","endsWith","substring","length","startsWith","adjustUrl","urlOrPath","toString","append","prepend","host","path","pathname","stripSlashStart","stripSlashEnd","isDeferredCredentialResponse","credentialResponse","orig","successBody","origResponse","status","credential","acceptance_token","transaction_id","assertNonFatalError","errorBody","error","includes","Error","isDeferredCredentialIssuancePending","error_description","toLowerCase","sleep","ms","Promise","resolve","setTimeout","acquireDeferredCredential","bearerToken","transactionId","deferredCredentialEndpoint","deferredCredentialIntervalInMS","deferredCredentialAwait","acquireDeferredCredentialImpl","DEFAULT_SLEEP_IN_MS","pending","console","log","response","post","JSON","stringify","access_token","import_ssi_types","logger","Loggers","DEFAULT","get","determineSpecVersionFromURI","uri","version","determineSpecVersionFromScheme","OpenId4VCIVersion","VER_UNKNOWN","getVersionFromURIParam","VER_1_0_08","VER_1_0_11","VER_1_0_13","credentialOfferURI","openId4VCIVersion","scheme","getScheme","includes","DefaultURISchemes","INITIATE_ISSUANCE","recordVersion","undefined","CREDENTIAL_OFFER","Error","split","getIssuerFromCredentialOfferPayload","request","issuer","getClientIdFromCredentialOfferPayload","credentialOffer","client_id","state","getStateFromCredentialOfferPayload","isJWT","decoded","jwtDecode","header","input","noParts","length","startsWith","grants","authorization_code","issuer_state","PRE_AUTH_GRANT_LITERAL","PRE_AUTH_CODE_LITERAL","op_state","determineSpecVersionFromOffer","offer","isCredentialOfferV1_0_13","isCredentialOfferV1_0_11","isCredentialOfferV1_0_09","VER_1_0_09","isCredentialOfferV1_0_08","isCredentialOfferVersion","min","max","valueOf","debug","JSON","parse","toUniformCredentialOfferRequest","opts","originalCredentialOffer","credential_offer","credential_offer_uri","resolve","VCI_LOG_COMMON","log","resolveCredentialOfferURI","payload","toUniformCredentialOfferPayload","supportedFlows","determineFlowType","original_credential_offer","isPreAuthCode","assertedUniformCredentialOffer","origCredentialOffer","stringify","response","getJson","successBody","errorBody","orig","offerPayloadAsV8V9","user_pin_required","credential_issuer","credentials","Array","isArray","credential_type","suppliedOffer","getCredentialOfferPayload","push","AuthzFlowType","AUTHORIZATION_CODE_FLOW","PRE_AUTHORIZED_CODE_FLOW","determineGrantTypes","types","GrantTypes","AUTHORIZATION_CODE","PRE_AUTHORIZED_CODE","currentVersion","matchingVersion","param","allowUpgrade","key","sort","reverse","getTypesFromOfferV1_0_11","reduce","prev","curr","format","credential_definition","vct","filterVerifiableCredential","filter","type","convertJsonToURI","json","opts","JSON","parse","results","encodeAndStripWhitespace","key","encodeURIComponent","replace","components","version","OpenId4VCIVersion","VER_1_0_08","mode","JsonURIMode","JSON_STRINGIFY","stringify","value","Object","entries","uriTypeProperties","includes","push","arrayTypeProperties","Array","isArray","map","v","customEncodeURIComponent","join","isBool","isNumber","isString","encoded","baseUrl","endsWith","param","Error","convertURIToJsonObject","uri","requiredProperties","every","p","BAD_PARAMS","uriComponents","getURIComponentsAsArray","decodeJsonProperties","parts","result","decodeURIComponent","isObject","decoded","startsWith","arrayTypes","split","dict","entry","pair","p0","p1","uriComponent","searchValue","c","charCodeAt","toString","toUpperCase","isW3cCredentialSupported","supported","includes","format","getNumberOrUndefined","input","isNaN","undefined","getTypesFromObject","subject","credential_definition","types","Array","isArray","type","vct","doctype","VCI_LOG_COMMON","warning","getTypesFromCredentialOffer","offer","opts","configIdAsType","credentials","map","cred","filter","credential_configuration_ids","id","credential_offer","credential_type","getTypesFromAuthorizationDetails","authDetails","credential_configuration_id","getTypesFromCredentialSupported","credentialSupported","length","Error","filterVerifiableCredential","getSupportedCredentials","opts","version","OpenId4VCIVersion","VER_1_0_13","types","Array","isArray","flatMap","typeSet","getSupportedCredential","map","reduce","acc","result","Object","assign","undefined","determineVersionsFromIssuerMetadata","issuerMetadata","versions","Set","add","VER_1_0_11","size","credentials_supported","VER_1_0_08","VER_1_0_09","VER_UNKNOWN","from","sort","reverse","format","credentialConfigurationsV11","credentialConfigurationsV13","VER_1_0_12","credential_configurations_supported","entries","forEach","id","supported","push","VCI_LOG_COMMON","warning","normalizedTypes","normalizedFormats","filterMatchingConfig","config","isTypeMatch","length","getTypesFromObject","every","type","includes","isW3cCredentialSupported","credential_definition","isFormatMatch","filteredConfigs","filter","Error","credentialsSupportedV8ToV13","supportedV8","credentialConfigsSupported","entry","credentialSupportedV8ToV13","key","formats","credentialSupportBrief","JSON","stringify","credentialConfigSupported","display","credentialSubject","claims","getIssuerDisplays","metadata","matchedDisplays","item","prefLocales","locale","indexOf","Number","MAX_VALUE","getIssuerName","url","credentialIssuerMetadata","displays","name","import_ssi_types","import_jwt_decode","logger","Loggers","DEFAULT","get","createProofOfPossession","popMode","callbacks","jwtProps","existingJwt","signCallback","debug","Error","BAD_PARAMS","jwtPayload","createJWT","jwt","header","kid","proof","proof_type","partiallyValidateJWS","verifyCallback","JWS_NOT_VALID","jws","split","length","startsWith","isJWS","token","e","extractBearerToken","authorizationHeader","exec","undefined","validateJWT","opts","accessTokenVerificationCallback","VCI_LOG_COMMON","warning","jwtDecode","payload","mode","aud","getJwtProperty","issuer","iss","clientId","client_id","jti","typ","nonce","alg","jwk","x5c","now","Date","iat","Math","floor","exp","jwtHeader","propertyName","required","option","jwtProperty","defaultValue","Array","isArray","result","toAuthorizationResponsePayload","input","response","trim","startsWith","endsWith","JSON","parse","includes","convertURIToJsonObject","Error","toString","u8a","CODE_VERIFIER_DEFAULT_LENGTH","NONCE_LENGTH","generateRandomString","length","encoding","randomBytes","slice","generateNonce","generateCodeVerifier","codeVerifier","assertValidCodeVerifier","createCodeChallenge","codeChallengeMethod","CodeChallengeMethod","plain","S256","defaultHasher","Error","EXPERIMENTAL_SUBJECT_PROOF_MODE_ENABLED","process","env","EXPERIMENTAL_SUBJECT_PROOF_MODE","trim","toLowerCase","import_ssi_types","CredentialOfferEventNames","CredentialEventNames","NotificationStatusEventNames","EVENTS","EventManager","instance","VCI_LOGGERS","Loggers","DEFAULT","VCI_LOG_COMMON","get"]}