@clioplaylists/clio 0.1.5 → 0.1.6

package/dist/auth-verifier.js

@@ -0,0 +1,473 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.verifySignatureWithKey = exports.createPublicKeyObject = exports.buildBasicAuth = exports.parseBasicAuth = exports.AuthVerifier = exports.RoleStatus = void 0;
+const xrpc_server_1 = require("@atproto/xrpc-server");
+const jose = __importStar(require("jose"));
+const key_encoder_1 = __importDefault(require("key-encoder"));
+const node_crypto_1 = __importDefault(require("node:crypto"));
+const ui8 = __importStar(require("uint8arrays"));
+// import { GetIdentityByDidResponse } from './proto/bsky_pb'
+const crypto_1 = require("@atproto/crypto");
+var RoleStatus;
+(function (RoleStatus) {
+    RoleStatus[RoleStatus["Valid"] = 0] = "Valid";
+    RoleStatus[RoleStatus["Invalid"] = 1] = "Invalid";
+    RoleStatus[RoleStatus["Missing"] = 2] = "Missing";
+})(RoleStatus || (exports.RoleStatus = RoleStatus = {}));
+const ALLOWED_AUTH_SCOPES = new Set([
+    'com.atproto.access',
+    'com.atproto.appPass',
+    'com.atproto.appPassPrivileged',
+]);
+class AuthVerifier {
+    constructor(dataplane, opts) {
+        Object.defineProperty(this, "dataplane", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: dataplane
+        });
+        Object.defineProperty(this, "ownDid", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        Object.defineProperty(this, "standardAudienceDids", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        Object.defineProperty(this, "modServiceDid", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        Object.defineProperty(this, "adminPasses", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        Object.defineProperty(this, "entrywayJwtPublicKey", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+        // verifiers (arrow fns to preserve scope)
+        Object.defineProperty(this, "standardOptionalParameterized", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: (opts) => async (ctx) => {
+                // @TODO remove! basic auth + did supported just for testing.
+                if (isBasicToken(ctx.req)) {
+                    const aud = this.ownDid;
+                    const iss = ctx.req.headers['appview-as-did'];
+                    if (typeof iss !== 'string' || !iss.startsWith('did:')) {
+                        throw new xrpc_server_1.AuthRequiredError('bad issuer');
+                    }
+                    if (!this.parseRoleCreds(ctx.req).admin) {
+                        throw new xrpc_server_1.AuthRequiredError('bad credentials');
+                    }
+                    return {
+                        credentials: { type: 'standard', iss, aud },
+                    };
+                }
+                else if (isBearerToken(ctx.req)) {
+                    // @NOTE temporarily accept entryway session tokens to shed load from PDS instances
+                    const token = bearerTokenFromReq(ctx.req);
+                    const header = token ? jose.decodeProtectedHeader(token) : undefined;
+                    if (header?.typ === 'at+jwt') {
+                        // we should never use entryway session tokens in the case of flexible auth audiences (namely in the case of getFeed)
+                        if (opts.skipAudCheck) {
+                            throw new xrpc_server_1.AuthRequiredError('Malformed token', 'InvalidToken');
+                        }
+                        return this.entrywaySession(ctx);
+                    }
+                    // const { iss, aud } = await this.verifyServiceJwt(ctx, {
+                    //   lxmCheck: opts.lxmCheck,
+                    //   iss: null,
+                    //   aud: null,
+                    // })
+                    const { aud } = {
+                        // iss: '',
+                        aud: '',
+                    };
+                    if (!opts.skipAudCheck && !this.standardAudienceDids.has(aud)) {
+                        throw new xrpc_server_1.AuthRequiredError('jwt audience does not match service did', 'BadJwtAudience');
+                    }
+                    return {
+                        credentials: {
+                            type: 'standard',
+                            iss: '',
+                            aud: '',
+                        },
+                    };
+                }
+                else {
+                    return this.nullCreds();
+                }
+            }
+        });
+        Object.defineProperty(this, "standardOptional", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: this.standardOptionalParameterized({})
+        });
+        Object.defineProperty(this, "standard", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: async (ctx) => {
+                const output = await this.standardOptional(ctx);
+                if (output.credentials.type === 'none') {
+                    throw new xrpc_server_1.AuthRequiredError(undefined, 'AuthMissing');
+                }
+                return output;
+            }
+        });
+        Object.defineProperty(this, "role", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: (ctx) => {
+                const creds = this.parseRoleCreds(ctx.req);
+                if (creds.status !== RoleStatus.Valid) {
+                    throw new xrpc_server_1.AuthRequiredError();
+                }
+                return {
+                    credentials: {
+                        ...creds,
+                        type: 'role',
+                    },
+                };
+            }
+        });
+        Object.defineProperty(this, "standardOrRole", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: async (ctx) => {
+                if (isBearerToken(ctx.req)) {
+                    return this.standard(ctx);
+                }
+                else {
+                    return this.role(ctx);
+                }
+            }
+        });
+        Object.defineProperty(this, "optionalStandardOrRole", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: async (ctx) => {
+                if (isBearerToken(ctx.req)) {
+                    return await this.standard(ctx);
+                }
+                else {
+                    const creds = this.parseRoleCreds(ctx.req);
+                    if (creds.status === RoleStatus.Valid) {
+                        return {
+                            credentials: {
+                                ...creds,
+                                type: 'role',
+                            },
+                        };
+                    }
+                    else if (creds.status === RoleStatus.Missing) {
+                        return this.nullCreds();
+                    }
+                    else {
+                        throw new xrpc_server_1.AuthRequiredError();
+                    }
+                }
+            }
+        });
+        // @NOTE this auth verifier method is not recommended to be implemented by most appviews
+        // this is a short term fix to remove proxy load from Bluesky's PDS and in line with possible
+        // future plans to have the client talk directly with the appview
+        Object.defineProperty(this, "entrywaySession", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: async (reqCtx) => {
+                const token = bearerTokenFromReq(reqCtx.req);
+                if (!token) {
+                    throw new xrpc_server_1.AuthRequiredError(undefined, 'AuthMissing');
+                }
+                // if entryway jwt key not configured then do not parsed these tokens
+                if (!this.entrywayJwtPublicKey) {
+                    throw new xrpc_server_1.AuthRequiredError('Malformed token', 'InvalidToken');
+                }
+                const res = await jose
+                    .jwtVerify(token, this.entrywayJwtPublicKey)
+                    .catch((err) => {
+                    if (err?.['code'] === 'ERR_JWT_EXPIRED') {
+                        throw new xrpc_server_1.AuthRequiredError('Token has expired', 'ExpiredToken');
+                    }
+                    throw new xrpc_server_1.AuthRequiredError('Token could not be verified', 'InvalidToken');
+                });
+                const { sub, aud, scope } = res.payload;
+                if (typeof sub !== 'string' || !sub.startsWith('did:')) {
+                    throw new xrpc_server_1.AuthRequiredError('Malformed token', 'InvalidToken');
+                }
+                else if (typeof aud !== 'string' ||
+                    !aud.startsWith('did:web:') ||
+                    !aud.endsWith('.bsky.network')) {
+                    throw new xrpc_server_1.AuthRequiredError('Bad token aud', 'InvalidToken');
+                }
+                else if (typeof scope !== 'string' || !ALLOWED_AUTH_SCOPES.has(scope)) {
+                    throw new xrpc_server_1.AuthRequiredError('Bad token scope', 'InvalidToken');
+                }
+                return {
+                    credentials: {
+                        type: 'standard',
+                        aud: this.ownDid,
+                        iss: sub,
+                    },
+                };
+            }
+        });
+        this.ownDid = opts.ownDid;
+        this.standardAudienceDids = new Set([
+            opts.ownDid,
+            ...opts.alternateAudienceDids,
+        ]);
+        this.modServiceDid = opts.modServiceDid;
+        this.adminPasses = new Set(opts.adminPasses);
+        this.entrywayJwtPublicKey = opts.entrywayJwtPublicKey;
+    }
+    // modService = async (reqCtx: ReqCtx): Promise<ModServiceOutput> => {
+    //   const { iss, aud } = await this.verifyServiceJwt(reqCtx, {
+    //     aud: this.ownDid,
+    //     iss: [this.modServiceDid, `${this.modServiceDid}#atproto_labeler`],
+    //   })
+    //   return { credentials: { type: 'mod_service', aud, iss } }
+    // }
+    // roleOrModService = async (
+    //   reqCtx: ReqCtx,
+    // ): Promise<RoleOutput | ModServiceOutput> => {
+    //   if (isBearerToken(reqCtx.req)) {
+    //     return this.modService(reqCtx)
+    //   } else {
+    //     return this.role(reqCtx)
+    //   }
+    // }
+    parseRoleCreds(req) {
+        const parsed = (0, exports.parseBasicAuth)(req.headers.authorization || '');
+        const { Missing, Valid, Invalid } = RoleStatus;
+        if (!parsed) {
+            return { status: Missing, admin: false, moderator: false, triage: false };
+        }
+        const { username, password } = parsed;
+        if (username === 'admin' && this.adminPasses.has(password)) {
+            return { status: Valid, admin: true };
+        }
+        return { status: Invalid, admin: false };
+    }
+    // async verifyServiceJwt(
+    //   reqCtx: ReqCtx,
+    //   opts: {
+    //     iss: string[] | null
+    //     aud: string | null
+    //     lxmCheck?: (method?: string) => boolean
+    //   },
+    // ) {
+    //   const getSigningKey = async (
+    //     iss: string,
+    //     _forceRefresh: boolean, // @TODO consider propagating to dataplane
+    //   ): Promise<string> => {
+    //     if (opts.iss !== null && !opts.iss.includes(iss)) {
+    //       throw new AuthRequiredError('Untrusted issuer', 'UntrustedIss')
+    //     }
+    //     const [did, serviceId] = iss.split('#')
+    //     const keyId =
+    //       serviceId === 'atproto_labeler' ? 'atproto_label' : 'atproto'
+    //     let identity: GetIdentityByDidResponse
+    //     try {
+    //       identity = await this.dataplane.getIdentityByDid({ did })
+    //     } catch (err) {
+    //       if (isDataplaneError(err, Code.NotFound)) {
+    //         throw new AuthRequiredError('identity unknown')
+    //       }
+    //       throw err
+    //     }
+    //     const keys = unpackIdentityKeys(identity.keys)
+    //     const didKey = getKeyAsDidKey(keys, { id: keyId })
+    //     if (!didKey) {
+    //       throw new AuthRequiredError('missing or bad key')
+    //     }
+    //     return didKey
+    //   }
+    //   const assertLxmCheck = () => {
+    //     const lxm = parseReqNsid(reqCtx.req)
+    //     if (
+    //       (opts.lxmCheck && !opts.lxmCheck(payload.lxm)) ||
+    //       (!opts.lxmCheck && payload.lxm !== lxm)
+    //     ) {
+    //       throw new AuthRequiredError(
+    //         payload.lxm !== undefined
+    //           ? `bad jwt lexicon method ("lxm"). must match: ${lxm}`
+    //           : `missing jwt lexicon method ("lxm"). must match: ${lxm}`,
+    //         'BadJwtLexiconMethod',
+    //       )
+    //     }
+    //   }
+    //   const jwtStr = bearerTokenFromReq(reqCtx.req)
+    //   if (!jwtStr) {
+    //     throw new AuthRequiredError('missing jwt', 'MissingJwt')
+    //   }
+    //   // if validating additional scopes, skip scope check in initial validation & follow up afterwards
+    //   const payload = await verifyServiceJwt(
+    //     jwtStr,
+    //     opts.aud,
+    //     null,
+    //     getSigningKey,
+    //     verifySignatureWithKey,
+    //   )
+    //   if (
+    //     !payload.iss.endsWith('#atproto_labeler') ||
+    //     payload.lxm !== undefined
+    //   ) {
+    //     // @TODO currently permissive of labelers who dont set lxm yet.
+    //     // we'll allow ozone self-hosters to upgrade before removing this condition.
+    //     assertLxmCheck()
+    //   }
+    //   return { iss: payload.iss, aud: payload.aud }
+    // }
+    isModService(iss) {
+        return [
+            this.modServiceDid,
+            `${this.modServiceDid}#atproto_labeler`,
+        ].includes(iss);
+    }
+    nullCreds() {
+        return {
+            credentials: {
+                type: 'none',
+                iss: null,
+            },
+        };
+    }
+    parseCreds(creds) {
+        const viewer = creds.credentials.type === 'standard' ? creds.credentials.iss : null;
+        const includeTakedownsAnd3pBlocks = (creds.credentials.type === 'role' && creds.credentials.admin) ||
+            creds.credentials.type === 'mod_service' ||
+            (creds.credentials.type === 'standard' &&
+                this.isModService(creds.credentials.iss));
+        const canPerformTakedown = (creds.credentials.type === 'role' && creds.credentials.admin) ||
+            creds.credentials.type === 'mod_service';
+        return {
+            viewer,
+            includeTakedowns: includeTakedownsAnd3pBlocks,
+            include3pBlocks: includeTakedownsAnd3pBlocks,
+            canPerformTakedown,
+        };
+    }
+}
+exports.AuthVerifier = AuthVerifier;
+// HELPERS
+// ---------
+const BEARER = 'Bearer ';
+const BASIC = 'Basic ';
+const isBearerToken = (req) => {
+    return req.headers.authorization?.startsWith(BEARER) ?? false;
+};
+const isBasicToken = (req) => {
+    return req.headers.authorization?.startsWith(BASIC) ?? false;
+};
+const bearerTokenFromReq = (req) => {
+    const header = req.headers.authorization || '';
+    if (!header.startsWith(BEARER))
+        return null;
+    return header.slice(BEARER.length).trim();
+};
+const parseBasicAuth = (token) => {
+    if (!token.startsWith(BASIC))
+        return null;
+    const b64 = token.slice(BASIC.length);
+    let parsed;
+    try {
+        parsed = ui8.toString(ui8.fromString(b64, 'base64pad'), 'utf8').split(':');
+    }
+    catch (err) {
+        return null;
+    }
+    const [username, password] = parsed;
+    if (!username || !password)
+        return null;
+    return { username, password };
+};
+exports.parseBasicAuth = parseBasicAuth;
+const buildBasicAuth = (username, password) => {
+    return (BASIC +
+        ui8.toString(ui8.fromString(`${username}:${password}`, 'utf8'), 'base64pad'));
+};
+exports.buildBasicAuth = buildBasicAuth;
+const keyEncoder = new key_encoder_1.default('secp256k1');
+const createPublicKeyObject = (publicKeyHex) => {
+    const key = keyEncoder.encodePublic(publicKeyHex, 'raw', 'pem');
+    return node_crypto_1.default.createPublicKey({ format: 'pem', key });
+};
+exports.createPublicKeyObject = createPublicKeyObject;
+const verifySig = (publicKey, data, sig) => {
+    const keyEncoder = new key_encoder_1.default('secp256k1');
+    const pemKey = keyEncoder.encodePublic(ui8.toString(publicKey, 'hex'), 'raw', 'pem');
+    const key = node_crypto_1.default.createPublicKey({ format: 'pem', key: pemKey });
+    return node_crypto_1.default.verify('sha256', data, {
+        key,
+        dsaEncoding: 'ieee-p1363',
+    }, sig);
+};
+const verifySignatureWithKey = async (didKey, msgBytes, sigBytes, alg) => {
+    if (alg === crypto_1.SECP256K1_JWT_ALG) {
+        const parsed = (0, crypto_1.parseDidKey)(didKey);
+        if (alg !== parsed.jwtAlg) {
+            throw new Error(`Expected key alg ${alg}, got ${parsed.jwtAlg}`);
+        }
+        return verifySig(parsed.keyBytes, msgBytes, sigBytes);
+    }
+    return (0, xrpc_server_1.cryptoVerifySignatureWithKey)(didKey, msgBytes, sigBytes, alg);
+};
+exports.verifySignatureWithKey = verifySignatureWithKey;

package/dist/client.d.ts

@@ -0,0 +1,9 @@
+import { Client } from '@connectrpc/connect';
+import { ClioService } from './rpc/clio_connect';
+export type DataPlaneClient = Client<typeof ClioService>;
+type HttpVersion = '1.1' | '2';
+export declare const createBaseClient: (baseUrl: string, opts: {
+    httpVersion?: HttpVersion;
+    rejectUnauthorized?: boolean;
+}) => DataPlaneClient;
+export {};

package/dist/client.js

@@ -0,0 +1,40 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createBaseClient = void 0;
+const connect_1 = require("@connectrpc/connect");
+const connect_node_1 = require("@connectrpc/connect-node");
+const node_assert_1 = __importDefault(require("node:assert"));
+const clio_connect_1 = require("./rpc/clio_connect");
+const createBaseClient = (baseUrl, opts) => {
+    const { httpVersion = '2', rejectUnauthorized = true } = opts;
+    const transport = (0, connect_node_1.createGrpcTransport)({
+        baseUrl,
+        acceptCompression: [],
+        httpVersion,
+        nodeOptions: { rejectUnauthorized },
+    });
+    (0, node_assert_1.default)(validateUrl(baseUrl));
+    return (0, connect_1.createClient)(clio_connect_1.ClioService, transport);
+};
+exports.createBaseClient = createBaseClient;
+const validateUrl = (urlStr) => {
+    let url;
+    try {
+        url = new URL(urlStr);
+    }
+    catch {
+        return undefined;
+    }
+    if (!['http:', 'https:'].includes(url.protocol)) {
+        return undefined;
+    }
+    else if (!url.hostname) {
+        return undefined;
+    }
+    else {
+        return urlStr;
+    }
+};

package/dist/config.d.ts

@@ -0,0 +1,21 @@
+export interface ServerConfigValues {
+    version?: string;
+    debugMode?: boolean;
+    port?: number;
+    serverDid: string;
+    didPlcUrl: string;
+    handleResolverNameservers?: string[];
+}
+export declare class ServerConfig {
+    private cfg;
+    private assignedPort?;
+    constructor(cfg: ServerConfigValues);
+    static readEnv(overrides?: Partial<ServerConfigValues>): ServerConfig;
+    assignPort(port: number): void;
+    get version(): string | undefined;
+    get debugMode(): boolean;
+    get port(): number | undefined;
+    get localUrl(): string;
+    get serverDid(): string;
+    get didPlcUrl(): string;
+}

package/dist/config.js

@@ -0,0 +1,65 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ServerConfig = void 0;
+const node_assert_1 = __importDefault(require("node:assert"));
+class ServerConfig {
+    constructor(cfg) {
+        Object.defineProperty(this, "cfg", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: cfg
+        });
+        Object.defineProperty(this, "assignedPort", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: void 0
+        });
+    }
+    static readEnv(overrides) {
+        const version = overrides?.version || process.env.CLIO_VERSION || undefined;
+        const debugMode = overrides?.debugMode || process.env.NODE_ENV !== 'production';
+        const serverDid = overrides?.serverDid || process.env.CLIO_SERVER_DID || 'did:example:test';
+        const didPlcUrl = overrides?.didPlcUrl || process.env.DID_PLC_URL || 'http://localhost:2582';
+        // const handleResolverNameservers = process.env.BSKY_HANDLE_RESOLVER_NAMESERVERS
+        //   ? process.env.BSKY_HANDLE_RESOLVER_NAMESERVERS.split(',')
+        //   : []
+        const envPort = overrides?.port || parseInt(process.env.CLIO_PORT || '', 10);
+        const port = isNaN(envPort) ? 2635 : envPort;
+        return new ServerConfig({
+            version,
+            debugMode,
+            port,
+            serverDid,
+            didPlcUrl,
+        });
+    }
+    assignPort(port) {
+        (0, node_assert_1.default)(!this.cfg.port || this.cfg.port === port, 'Conflicting port in config');
+        this.assignedPort = port;
+    }
+    get version() {
+        return this.cfg.version;
+    }
+    get debugMode() {
+        return !!this.cfg.debugMode;
+    }
+    get port() {
+        return this.assignedPort || this.cfg.port;
+    }
+    get localUrl() {
+        (0, node_assert_1.default)(this.port, 'No port assigned');
+        return `http://localhost:${this.port}`;
+    }
+    get serverDid() {
+        return this.cfg.serverDid;
+    }
+    get didPlcUrl() {
+        return this.cfg.didPlcUrl;
+    }
+}
+exports.ServerConfig = ServerConfig;

package/dist/context.d.ts

@@ -0,0 +1,11 @@
+import { DataPlaneClient } from './client';
+import { ServerConfig } from './config';
+export default class AppContext {
+    private opts;
+    constructor(opts: {
+        cfg: ServerConfig;
+        dataplane: DataPlaneClient;
+    });
+    get cfg(): ServerConfig;
+    get dataplane(): DataPlaneClient;
+}

package/dist/context.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+class AppContext {
+    constructor(opts) {
+        Object.defineProperty(this, "opts", {
+            enumerable: true,
+            configurable: true,
+            writable: true,
+            value: opts
+        });
+    }
+    get cfg() {
+        return this.opts.cfg;
+    }
+    get dataplane() {
+        return this.opts.dataplane;
+    }
+}
+exports.default = AppContext;

package/dist/dataplane/client.d.ts

@@ -0,0 +1,27 @@
+import { Client, Code, ConnectError } from '@connectrpc/connect';
+import { ClioService } from '../rpc/clio_connect';
+export type DataPlaneClient = Client<typeof ClioService>;
+type HttpVersion = '1.1' | '2';
+export declare const createDataPlaneClient: (baseUrls: string[], opts: {
+    httpVersion?: HttpVersion;
+    rejectUnauthorized?: boolean;
+}) => DataPlaneClient;
+export { Code };
+export declare const isDataplaneError: (err: unknown, code?: Code) => err is ConnectError;
+export declare const unpackIdentityServices: (servicesBytes: Uint8Array) => UnpackedServices;
+export declare const unpackIdentityKeys: (keysBytes: Uint8Array) => UnpackedKeys;
+export declare const getServiceEndpoint: (services: UnpackedServices, opts: {
+    id: string;
+    type: string;
+}) => string | undefined;
+export declare const getKeyAsDidKey: (keys: UnpackedKeys, opts: {
+    id: string;
+}) => string | undefined;
+type UnpackedServices = Record<string, {
+    Type: string;
+    URL: string;
+}>;
+type UnpackedKeys = Record<string, {
+    Type: string;
+    PublicKeyMultibase: string;
+}>;