@enc-protocol/services 0.9.0

package/LICENSE

@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2026 Zhenyu Sun, Tomoya Nagasawa, and WEAVEDB LTD.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -0,0 +1,191 @@
+# @enc-protocol/services
+
+Platform-agnostic generic protocol services that sit between per-app SDKs and platform adapters. Provides identity & enclave registration, cross-enclave profiles, peer messaging, event subscription with decryption, and dynamic enclave provisioning.
+
+## Install
+
+```bash
+npm install @enc-protocol/services
+```
+
+## API
+
+### Registry
+
+Class for managing three independent registration sub-apps (identities, enclaves, nodes) that share one registry enclave. Delegates lookups to a `RegistryStrategyFn` plugin or falls back to HTTP dataview + event log traversal.
+
+**`Registry` constructor**
+```typescript
+new Registry(opts?: {
+  adapter?: Adapter,
+  identitiesAdapter?: Adapter,
+  enclavesAdapter?: Adapter,
+  nodesAdapter?: Adapter,
+  plugins?: ClientPluginRegistry
+})
+```
+
+**`registry.identities`** — Sub-app for identity records (pubkey → app enclaves map).
+- `lookup(id_pub)` → Promise resolves record or null; caches results
+- `publish(record)` → Promise submits identity event
+- `list(opts?: {limit?})` → Promise resolves array of all identities
+- `resolveEnclave(pubKey, appName)` → Promise resolves `{ok, enclave?, error?}`
+
+**`registry.enclaves`** — Sub-app for enclave directory.
+- `lookup(enclave_id)` → Promise resolves record or null
+- `publish(record)` → Promise submits enclave event
+- `list(opts?: {limit?})` → Promise resolves array of all enclaves
+
+**`registry.nodes`** — Sub-app for node directory.
+- `lookup(seq_pub)` → Promise resolves record or null
+- `publish(record)` → Promise submits node event
+- `list(opts?: {limit?})` → Promise resolves array of all nodes
+
+**`registry.setAdapter(adapter)`** — Point all three sub-apps at the same adapter.
+
+**`registry.setPlugins(plugins)`** — Wire all three sub-apps to the `RegistryStrategyFn` plugin.
+
+### Profiles
+
+Class for cross-enclave profile resolution. Profiles live in each user's Personal enclave under a `Shared(profile)` slot. Delegates to `ProfileResolverFn` plugin or falls back to synchronous cache lookup + HTTP dataview fetch.
+
+**`Profiles` constructor**
+```typescript
+new Profiles(opts?: {
+  personalAdapter?: Adapter,
+  dataviewUrl?: string,
+  plugins?: ClientPluginRegistry
+})
+```
+
+**`profiles.get(pubKey)`** — Promise resolves profile object for the given pubkey, or null if not found. Caches results.
+
+**`profiles.set(profile)`** — Promise submits profile to the personal adapter's `Shared(profile)` slot.
+
+**`profiles.nameFor(pubKey)`** — Synchronous lookup of profile name from cache. Returns first of `name` or `display_name` fields, or first 8 chars of pubkey as fallback.
+
+**`profiles.setPersonalAdapter(adapter)`** — Point at a personal enclave adapter.
+
+**`profiles.setDataviewUrl(url)`** — Set HTTP dataview base URL for profile queries.
+
+### PeerMessaging
+
+Class for submitting events into a peer's enclave rather than the user's own. Routes via `PeerRoutingFn` plugin or falls back to registry lookup + optional encryption + adapter.toEnclave.
+
+**`PeerMessaging` constructor**
+```typescript
+new PeerMessaging(opts?: {
+  adapter?: Adapter,
+  registry?: Registry,
+  encrypted?: string[],
+  eventToDataType?: {[event: string]: string},
+  sdk?: any,
+  plugins?: ClientPluginRegistry
+})
+```
+
+**`peer.submit(peerPub, targetAppName, event, content, cryptoOpts?)`** — Promise<{ok, error?, receipt?, target?}> submits an event to peer's enclave. Resolves peer's enclave_id via registry, optionally encrypts content, and routes through adapter.toEnclave.
+
+### Subscriber
+
+Class wrapping adapter.subscribe with optional per-event decryption. Decrypts content for events in `encrypted` set using sdk._decrypt, sdk.crypto.decrypt, or `EnvelopeDecryptFn` plugin.
+
+**`Subscriber` constructor**
+```typescript
+new Subscriber(opts?: {
+  adapter?: Adapter,
+  encrypted?: string[],
+  eventToDataType?: {[event: string]: string},
+  sdk?: any,
+  plugins?: ClientPluginRegistry
+})
+```
+
+**`subscriber.subscribe(callback)`** — Returns unsubscribe function. Calls callback with each event from adapter, auto-decrypting encrypted event types. Callback receives `{type, content, from, _encrypted?, ...}`.
+
+### EnclaveProvisioner
+
+Class for minting enclaves on demand with timeout. Delegates to `ProvisionerFn` plugin or falls back to adapter.createEnclave with configurable timeout.
+
+**`EnclaveProvisioner` constructor**
+```typescript
+new EnclaveProvisioner(opts?: {
+  adapter?: Adapter,
+  timeoutMs?: number,
+  plugins?: ClientPluginRegistry
+})
+```
+
+**`provisioner.mint(rbacManifest)`** — Promise resolves enclave creation result. Throws on timeout (default 5000ms) or if adapter has no createEnclave method.
+
+### Schema
+
+**`flattenEnclaveManifest(raw, opts?)`** — Transforms authored enclave JSON manifest into normalized `{schema, states, traits, initEntries, ...}` shape expected by adapters. Delegates to `ManifestNormalizerFn` plugin (default from `@enc-protocol/plugin-client-base/normalizer`).
+
+**`setManifestNormalizer(fn)`** — Swap the active normalizer implementation. Pass `null` to restore the default.
+
+### Legacy Shim
+
+**`createLegacyShim(opts)`** — Bridges typed SDK + protocol services to legacy impl-web renderer surface. Returns an object with:
+- Dynamic `submit_<event>(content, cryptoOpts?)` methods for each write event
+- Dynamic `query_<table>(queryOpts?)` methods for each read table
+- `submit_to_peer(peerPub, targetAppName, event, content, cryptoOpts?)` — delegates to peer.submit
+- `create_enclave(rbac)` — delegates to provisioner.mint
+- `subscribe(cb)` — delegates to subscriber.subscribe
+- `identities`, `enclaves`, `nodes` — direct sub-app access
+- `profiles` — direct profiles access
+- `query_events(eventType, opts?)` — raw event query
+- `_events`, `_queries`, `_encrypted` — metadata arrays for renderers
+
+### Composition
+
+**`composeSdk(opts)`** — Construct typed SDK + all protocol services + legacy shim in one call.
+
+```typescript
+composeSdk({
+  SdkClass: HelloSdk,
+  adapter: myAdapter,
+  crypto?: {encrypt, decrypt},
+  infra?: manifestWithEndpoints,
+  identity?: overrideFromAddress,
+  plugins?: ClientPluginRegistry
+})
+```
+
+Returns the legacy-shim wrapper. All SDK + services share one plugin registry, so plugin overrides apply consistently across encryption, routing, provisioning, etc. Throws if adapter is missing; returns null if SdkClass is null.
+
+## Example
+
+```javascript
+import { composeSdk, Registry, Profiles, PeerMessaging } from '@enc-protocol/services'
+import { HelloSdk } from '@enc-protocol/hello-sdk'
+import { MemoryAdapter } from '@enc-protocol/adapters'
+
+const adapter = new MemoryAdapter()
+const registryAdapter = new MemoryAdapter()
+
+// Option 1: Compose everything at once
+const sdk = composeSdk({
+  SdkClass: HelloSdk,
+  adapter,
+  crypto: { encrypt, decrypt }
+})
+
+// Option 2: Assemble services separately
+const registry = new Registry({ adapter: registryAdapter })
+const profiles = new Profiles({ personalAdapter: adapter })
+const peer = new PeerMessaging({ adapter, registry })
+
+// Use the registry
+const identity = await registry.identities.lookup('0x1234...')
+await registry.identities.publish({ id_pub: '0x1234...', enclaves: { hello: 'encl_xyz' } })
+
+// Cross-enclave profiles
+const profile = await profiles.get('0x5678...')
+await profiles.set({ name: 'Alice', display_name: 'alice.eth' })
+
+// Send to peer's enclave
+const result = await peer.submit('0x9abc...', 'hello', 'message', {body: 'hi'})
+
+// Subscribe to events
+const unsubscribe = sdk.subscribe(event => console.log(event))

package/compose.mjs

@@ -0,0 +1,55 @@
+/**
+ * composeSdk — construct typed per-app SDK + protocol-runtime services
+ * + legacy shim in one call.
+ *
+ *   import { composeSdk } from '@enc-protocol/services'
+ *   const sdk = composeSdk({ SdkClass: HelloSdk, adapter, crypto, infra })
+ *
+ * Returns the legacy-shim wrapper exposing both typed methods
+ * (sdk.submitMessages) AND the legacy renderer surface (sdk.submit_post,
+ * sdk.profiles.*, sdk.identities.*, sdk.subscribe, ...).
+ *
+ * The SDK + every protocol service share one ClientPluginRegistry so
+ * plugin overrides apply consistently (e.g. swapping
+ * EnvelopeEncryptFn rebinds encryption for both Sdk._encrypt and
+ * PeerMessaging.submit).
+ */
+
+import { Registry } from './registry.mjs'
+import { Profiles } from './profiles.mjs'
+import { PeerMessaging } from './peer.mjs'
+import { Subscriber } from './subscriber.mjs'
+import { EnclaveProvisioner } from './provisioner.mjs'
+import { createLegacyShim } from './legacy-shim.mjs'
+
+/**
+ * @param {object} opts
+ *   SdkClass        the per-app SDK class (HelloSdk / DmSdk / ...). If null, returns null.
+ *   adapter         the network/browser/memory adapter
+ *   crypto?         optional encrypt/decrypt hook bag (set as sdk.crypto)
+ *   infra?          optional infra manifest (passes through to shim for endpoints metadata)
+ *   identity?       optional identity override (used by AppClient for dataview "from")
+ *   plugins?        ClientPluginRegistry — if omitted, sdk.client builds its own default
+ */
+export function composeSdk(opts = {}) {
+  const { SdkClass, adapter, crypto, infra, identity, plugins } = opts
+  if (!SdkClass) return null
+  if (!adapter) throw new Error('composeSdk: adapter required')
+
+  const sdk = new SdkClass({ adapter, identity, plugins })
+  if (crypto) sdk.crypto = crypto
+
+  // Share the SDK's plugin registry with every protocol service.
+  const sharedPlugins = sdk.client?.plugins || plugins || null
+
+  const registry = new Registry({ plugins: sharedPlugins })
+  const profiles = new Profiles({ plugins: sharedPlugins })
+  const peer = new PeerMessaging({ adapter, registry, sdk, plugins: sharedPlugins })
+  const subscriber = new Subscriber({ adapter, sdk, plugins: sharedPlugins })
+  const provisioner = new EnclaveProvisioner({ adapter, plugins: sharedPlugins })
+
+  return createLegacyShim({
+    sdk, registry, profiles, peer, subscriber, provisioner,
+    infra: infra?.manifest || infra,
+  })
+}

package/index.mjs

@@ -0,0 +1,32 @@
+/**
+ * @enc-protocol/services — generic protocol services
+ *
+ * Platform-agnostic classes every ENC client uses on top of a per-app
+ * SDK (@enc-protocol/<app>-cli):
+ *
+ *   Registry             — identities/enclaves/nodes sub-apps
+ *   Profiles             — cross-enclave profile resolution
+ *   PeerMessaging        — submit_to_peer routing
+ *   Subscriber           — adapter.subscribe wrapper with decrypt
+ *   EnclaveProvisioner   — mint enclaves on demand
+ *
+ * Plus:
+ *
+ *   flattenEnclaveManifest — turn authored enclave JSON into the
+ *                            { schema, states, traits, initEntries, ... }
+ *                            shape PureAdapter + cf-mint expect
+ *
+ *   createLegacyShim       — bridge to expose legacy submit_<event> /
+ *                            query_<table> shape over typed SDK +
+ *                            services. impl-web's app-runtime.ts uses
+ *                            the shim unchanged.
+ */
+
+export { Registry } from './registry.mjs'
+export { Profiles } from './profiles.mjs'
+export { PeerMessaging } from './peer.mjs'
+export { Subscriber } from './subscriber.mjs'
+export { EnclaveProvisioner } from './provisioner.mjs'
+export { flattenEnclaveManifest } from './schema.mjs'
+export { createLegacyShim } from './legacy-shim.mjs'
+export { composeSdk } from './compose.mjs'

package/legacy-shim.mjs

@@ -0,0 +1,219 @@
+/**
+ * createLegacyShim — exposes the legacy impl-web SDK surface
+ * (submit_<event>, query_<table>, sdk.profiles, sdk.identities, ...)
+ * over a typed per-app SDK + the platform-agnostic protocol-runtime
+ * services.
+ *
+ * This is the bridge that keeps impl-web's `app-runtime.ts` working
+ * unchanged while making the per-app SDK + protocol-runtime the source
+ * of truth.
+ *
+ *   const sdk = new HelloSdk({ adapter })
+ *   const registry = new Registry({ adapter: registryAdapter })
+ *   const profiles = new Profiles({ personalAdapter, dataviewUrl })
+ *   const legacy = createLegacyShim({ sdk, registry, profiles, peer, subscriber, provisioner })
+ *
+ *   // legacy.submit_post(content) → sdk.submit('post', content)
+ *   // legacy.query_messages()     → sdk.query('messages')
+ *   // legacy.identities.lookup    → registry.identities.lookup
+ *   // legacy.profiles.get         → profiles.get
+ *   // legacy.subscribe(cb)        → subscriber.subscribe(cb)
+ *   // legacy.submit_to_peer(...)  → peer.submit(...)
+ *   // legacy.create_enclave(...)  → provisioner.mint(...)
+ *
+ * Inserts metadata `_events`, `_queries`, `_encrypted` arrays that
+ * impl-web's renderer reads.
+ */
+
+export function createLegacyShim({ sdk, registry, profiles, peer, subscriber, provisioner, infra }) {
+  const schema = sdk.schema || {}
+  const tableMap = schema.tableMap || {}
+  // `schema.encrypt` is the data_type→plugin map (e.g. {messages:'ratchet-pair'});
+  // encryptSet is the SET of encrypted data_types. Take its keys. Tolerate the
+  // legacy array form ([data_type,...]) too. `new Set(object)` would throw
+  // "object is not iterable" — the `|| []` only guards null/undefined.
+  const encryptSet = new Set(Array.isArray(schema.encrypt) ? schema.encrypt : Object.keys(schema.encrypt || {}))
+
+  // Reverse tableMap: event → first matching data_type (for encryption lookup).
+  const eventToTables = {}
+  for (const [table, event] of Object.entries(tableMap)) {
+    ;(eventToTables[event] ||= []).push(table)
+  }
+
+  // Derive write events from schema.data_types (same rule as flow.json):
+  const writeTables = Object.keys(schema.data_types || {})
+  const writeEvents = new Set()
+  for (const table of writeTables) {
+    const event = tableMap[table] || table.replace(/s$/, '')
+    writeEvents.add(event)
+  }
+
+  const readTables = Object.keys(schema.reads || {}).filter(t => !t.startsWith('_'))
+
+  // The shim itself — a plain object that delegates to the typed SDK +
+  // runtime services. Lifecycle: any mutation of the underlying SDK's
+  // adapter propagates through transparently because every method reads
+  // `sdk.client` / `sdk.opts` at call time.
+  const shim = {
+    _sdk: sdk,
+    _registry: registry,
+    _profiles: profiles,
+    _peer: peer,
+    _subscriber: subscriber,
+    _provisioner: provisioner,
+
+    // Metadata for app-runtime.ts:
+    _events: [...writeEvents],
+    _queries: readTables.length > 0
+      ? readTables
+      : (infra?.endpoints || []).filter(e => !e.name.startsWith('_')).map(e => e.name),
+    _encrypted: [...encryptSet],
+    _appId: sdk.appId,
+    _adapter: getPrimaryAdapter(sdk),
+
+    // Generic services
+    identities: registry?.identities,
+    enclaves: registry?.enclaves,
+    nodes: registry?.nodes,
+    profiles,
+
+    // Back-compat alias used by older callers (ui-kit + emulator).
+    registry: {
+      setAdapter(a) {
+        registry?.identities.setAdapter(a)
+        registry?.enclaves.setAdapter(a)
+        registry?.nodes.setAdapter(a)
+      },
+      publish: (...args) => registry?.identities.publish(...args),
+      lookup: (...args) => registry?.identities.lookup(...args),
+    },
+
+    // Crypto hook passthrough — apps wire encrypt/decrypt at the SDK
+    // class level via _encrypt; legacy callers expect `sdk.crypto`.
+    get crypto() { return sdk.crypto || null },
+    set crypto(c) { sdk.crypto = c },
+
+    // Generic primitives
+    submit: (name, args, opts) => sdk.submit(name, args, opts),
+    query: (name) => sdk.query(name),
+
+    query_events: async (eventType, opts = {}) => {
+      const adapter = getPrimaryAdapter(sdk)
+      return adapter?.query(eventType, opts) || []
+    },
+
+    subscribe: (cb) => subscriber?.subscribe(cb) || (() => {}),
+
+    create_enclave: async (rbac) => provisioner?.mint(rbac),
+
+    submit_to_peer: async (peerPub, targetAppName, event, content, cryptoOpts) =>
+      peer?.submit(peerPub, targetAppName, event, content, cryptoOpts)
+        || { ok: false, error: 'no_peer_messaging' },
+  }
+
+  // Dynamic submit_<event> methods — one per write event the schema declares.
+  for (const event of writeEvents) {
+    shim['submit_' + event] = async (content, cryptoOpts) => {
+      let payload = content
+      const dataTypes = eventToTables[event] || [event]
+      const isEncrypted = dataTypes.some(t => encryptSet.has(t))
+      if (isEncrypted && sdk._encrypt) {
+        const dt = dataTypes.find(t => encryptSet.has(t)) || event
+        payload = await sdk._encrypt(dt, content, cryptoOpts)
+      }
+      const adapter = getPrimaryAdapter(sdk)
+      const str = typeof payload === 'string' ? payload : JSON.stringify(payload)
+      if (typeof globalThis !== 'undefined' && globalThis.__encDebugShim) {
+        console.log(`[shim] submit_${event} adapter.enclaveId=${adapter?.enclaveId || 'NULL'} ctor=${adapter?.constructor?.name}`)
+      }
+      const r = await adapter.submit(event, str)
+      if (typeof globalThis !== 'undefined' && globalThis.__encDebugShim) {
+        console.log(`[shim] submit_${event}(${str.slice(0, 60)}) → ${JSON.stringify(r)}`)
+      }
+      return r
+    }
+  }
+
+  // Dynamic query_<table> methods — one per read.
+  // The renderer expects FLATTENED rows: each row's content fields lifted
+  // to the row level, plus from/_event_id/_timestamp. Matches the legacy
+  // createSDK shape so `#list[0].body` resolves from the parsed `body`
+  // field, not from a nested `parsed.body`.
+  const flattenEvents = async (events, eventName, encrypted) => {
+    if (!Array.isArray(events)) return []
+    const decrypt = sdk._decrypt || sdk.crypto?.decrypt
+    return Promise.all(events.map(async ev => {
+      let c = ev.parsed
+      if (c == null) {
+        try { c = typeof ev.content === 'string' ? JSON.parse(ev.content) : (ev.content || {}) } catch { c = {} }
+      }
+      if (encrypted && decrypt && (c?.encrypted || c?.ciphertext)) {
+        try { c = await decrypt.call(sdk, eventName, c, ev.from) } catch { /* keep raw */ }
+      }
+      return { ...c, from: ev.from, _event_id: ev.id, _timestamp: ev.timestamp }
+    }))
+  }
+
+  for (const table of readTables) {
+    const eventName = tableMap[table] || table.replace(/s$/, '')
+    const isEncrypted = (eventToTables[eventName] || [table]).some(t => encryptSet.has(t))
+    shim['query_' + table] = async (queryOpts = {}) => {
+      // Cross-enclave dataview reads return already-flattened rows;
+      // pass through. Otherwise enclave event-walk + flatten.
+      const read = schema.reads?.[table]
+      if (read?.cross_enclave) {
+        try { return await sdk.query(table) } catch { return [] }
+      }
+      // Multi-enclave routing: if this event lives in a non-primary
+      // enclave (e.g. Super's moments → Personal.public when primary
+      // is DM), the primary adapter doesn't have a path to it. Look up
+      // the secondary's dataview URL via globalThis.__encConfig and
+      // override the adapter call with that URL. The MemoryAdapter
+      // ignores this override (its queryEndpoint walks all enclaves
+      // anyway); the BrowserAdapter respects it via the new
+      // `_dataviewUrl` opt.
+      const targetEnclave = sdk._eventToEnclave?.get?.(eventName)
+      const adapter = getPrimaryAdapter(sdk)
+      let dvOverride = null
+      if (targetEnclave && typeof globalThis !== 'undefined') {
+        const cfg = globalThis.__encConfig?.dataviews
+        if (cfg && cfg[targetEnclave]) dvOverride = cfg[targetEnclave]
+      }
+      if (adapter?.queryEndpoint && (adapter?.dataviewUrl || dvOverride)) {
+        return adapter.queryEndpoint('/' + table, { ...queryOpts, _eventName: eventName, _dataviewUrl: dvOverride })
+      }
+      const events = await (adapter?.query(eventName, queryOpts) || [])
+      const rows = await flattenEvents(events, eventName, isEncrypted)
+      if (typeof globalThis !== 'undefined' && globalThis.__encDebugShim) {
+        console.log(`[shim] query_${table}(${eventName}) → ${rows.length} rows; first=${JSON.stringify(rows[0]).slice(0, 80)}`)
+      }
+      return rows
+    }
+  }
+
+  // Endpoint fallbacks (apps without a dataview).
+  if (readTables.length === 0) {
+    for (const ep of (infra?.endpoints || []).filter(e => !e.name.startsWith('_'))) {
+      shim['query_' + ep.name] = async (queryOpts = {}) => {
+        const adapter = getPrimaryAdapter(sdk)
+        if (adapter?.dataviewUrl && adapter.queryEndpoint) return adapter.queryEndpoint(ep.path, queryOpts)
+        const eventName = [...writeEvents][0]
+        if (!eventName) return []
+        const events = await (adapter?.query(eventName, queryOpts) || [])
+        return flattenEvents(events, eventName, false)
+      }
+    }
+  }
+
+  return shim
+}
+
+function getPrimaryAdapter(sdk) {
+  // The "primary" adapter is the first enclave's adapter — used for
+  // event subscribe, query_events, dynamic submit_<event>. Matches the
+  // impl-web sdk-gen convention.
+  const enclaves = sdk.client?.enclaves
+  if (!enclaves) return null
+  for (const [, e] of enclaves) return e.adapter
+  return null
+}

package/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "@enc-protocol/services",
+  "version": "0.9.0",
+  "type": "module",
+  "description": "Platform-agnostic generic protocol services that sit between per-app SDKs (@enc-protocol/<app>-sdk) and platform adapters: Registry, Profiles, PeerMessaging, Subscriber, EnclaveProvisioner, plus a legacy-shim + composeSdk one-liner that wires everything together.",
+  "main": "./index.mjs",
+  "files": [
+    "index.mjs",
+    "registry.mjs",
+    "profiles.mjs",
+    "peer.mjs",
+    "subscriber.mjs",
+    "provisioner.mjs",
+    "schema.mjs",
+    "legacy-shim.mjs",
+    "compose.mjs",
+    "README.md"
+  ],
+  "exports": {
+    ".": "./index.mjs",
+    "./registry": "./registry.mjs",
+    "./profiles": "./profiles.mjs",
+    "./peer": "./peer.mjs",
+    "./subscriber": "./subscriber.mjs",
+    "./provisioner": "./provisioner.mjs",
+    "./schema": "./schema.mjs",
+    "./legacy-shim": "./legacy-shim.mjs",
+    "./compose": "./compose.mjs"
+  },
+  "keywords": [
+    "enc-protocol",
+    "runtime",
+    "registry",
+    "profiles",
+    "platform-agnostic",
+    "core",
+    "public"
+  ],
+  "dependencies": {
+    "@enc-protocol/plugin-runtime": "^0.9.0",
+    "@enc-protocol/plugin-client-base": "^0.9.0"
+  },
+  "license": "Apache-2.0",
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org/",
+    "access": "public"
+  }
+}

package/peer.mjs

@@ -0,0 +1,88 @@
+/**
+ * PeerMessaging — submit an event into a peer's enclave rather than the
+ * user's own.
+ *
+ * Delegates to the `PeerRoutingFn` plugin from the ClientPluginRegistry.
+ * Default impl preserves legacy behavior: resolve peer enclave via
+ * registry, optionally encrypt via the SDK's _encrypt hook, dispatch
+ * through adapter.toEnclave.
+ */
+
+export class PeerMessaging {
+  constructor(opts = {}) {
+    this.adapter = opts.adapter
+    this.registry = opts.registry
+    this.encrypted = new Set(opts.encrypted || [])
+    this.eventToDataType = opts.eventToDataType || {}
+    this._sdk = opts.sdk || null
+    this._plugins = opts.plugins || this._sdk?.client?.plugins || null
+  }
+
+  /** Per-event encrypt hook lookup. Plugin-first, SDK override fallback. */
+  async _maybeEncrypt(event, content, cryptoOpts) {
+    if (!this.encrypted.has(event)) return content
+    const dataType = this.eventToDataType[event] || event
+    if (this._sdk?._encrypt) {
+      return this._sdk._encrypt(dataType, content, cryptoOpts)
+    }
+    if (this._plugins?.has?.('EnvelopeEncryptFn')) {
+      return this._plugins.invoke('EnvelopeEncryptFn', dataType, content, cryptoOpts)
+    }
+    return content
+  }
+
+  /**
+   * Submit to peer's enclave.
+   * @param {string} peerPub          target pubkey
+   * @param {string} targetAppName    app name (used to resolve which of peer's enclaves)
+   * @param {string} event            enclave event name
+   * @param {object|string} content   payload
+   * @param {object} [cryptoOpts]     extra opts for _encrypt
+   * @returns {Promise<{ok, error?, receipt?, target?}>}
+   */
+  async submit(peerPub, targetAppName, event, content, cryptoOpts) {
+    const routingFn = this._plugins?.get?.('PeerRoutingFn')
+    const maybeEncrypt = (ev, c, opts) => this._maybeEncrypt(ev, c, opts)
+    if (routingFn) {
+      return routingFn({
+        peerPub, targetAppName, event, content,
+        adapter: this.adapter, registry: this.registry,
+        cryptoOpts, maybeEncrypt,
+      })
+    }
+
+    // Fallback path (no plugin bound) — legacy inline behavior.
+    if (!this.registry?.identities?.resolveEnclave) {
+      return { ok: false, error: 'no_registry' }
+    }
+    let resolved
+    try {
+      resolved = await this.registry.identities.resolveEnclave(peerPub, targetAppName)
+    } catch (e) {
+      return { ok: false, error: 'resolve_threw', cause: e?.message || e }
+    }
+    if (!resolved.ok) return { ok: false, error: resolved.reason, ...resolved }
+    if (!this.adapter?.toEnclave) return { ok: false, error: 'adapter_no_retarget' }
+    const payload = await maybeEncrypt(event, content, { ...cryptoOpts, recipientPub: peerPub })
+    // strict-wire {__withTags, content, tags}: the runtime's pre-encrypt step
+    // (buildCrypto dm:invite / personal:notice) hands us a wrapper object. Submit
+    // the BARE content (base64) — the receiver's strict-string decrypt gate rejects
+    // anything starting with '{', so shipping the JSON wrapper means the peer never
+    // decrypts the invite/notice. Tags are routing fallbacks (to/enclave_id/epoch);
+    // the decrypted content carries the app-level fields.
+    const str =
+      payload && typeof payload === 'object' && payload.__withTags === true
+        ? typeof payload.content === 'string'
+          ? payload.content
+          : JSON.stringify(payload.content)
+        : typeof payload === 'string'
+          ? payload
+          : JSON.stringify(payload)
+    const peerAdapter = this.adapter.toEnclave(resolved.enclave)
+    const res = await peerAdapter.submit(event, str)
+    if (res?.error || res?.type === 'Error') {
+      return { ok: false, error: res.error || res.code || 'submit_failed', details: res }
+    }
+    return { ok: true, receipt: res, target: resolved.enclave }
+  }
+}

package/profiles.mjs

@@ -0,0 +1,64 @@
+/**
+ * Profiles — cross-enclave profile resolution.
+ *
+ * Profiles live in each user's Personal enclave under a `Shared(profile)`
+ * slot. Personal is OWNER-read, so other apps read via the Personal
+ * dataview which aggregates profile pushes from every user's Personal
+ * enclave keyed by sender pubkey.
+ *
+ * Delegates to the `ProfileResolverFn` plugin from the
+ * ClientPluginRegistry. Default impl preserves legacy behavior:
+ * synchronous mem-tier getProfile first, fall back to HTTP dataview.
+ */
+
+export class Profiles {
+  constructor(opts = {}) {
+    this._personalAdapter = opts.personalAdapter || null
+    this._dataviewUrl = opts.dataviewUrl || null
+    this._cache = new Map()
+    this._plugins = opts.plugins || null
+  }
+
+  setPersonalAdapter(adapter) { this._personalAdapter = adapter }
+  setDataviewUrl(url) { this._dataviewUrl = url }
+
+  async set(profile) {
+    if (!this._personalAdapter) return null
+    return this._personalAdapter.submit('Shared(profile)', JSON.stringify({ value: profile }))
+  }
+
+  async get(pubKey) {
+    const norm = (pubKey || '').toLowerCase()
+    if (this._cache.has(norm)) return this._cache.get(norm)
+    if (!pubKey) return null
+
+    const resolveFn = this._plugins?.get?.('ProfileResolverFn')
+    if (resolveFn) {
+      const row = await resolveFn(this._personalAdapter, this._dataviewUrl, pubKey)
+      if (row) { this._cache.set(norm, row); return row }
+      return null
+    }
+
+    // Fallback inline behavior preserved.
+    if (typeof this._personalAdapter?.getProfile === 'function') {
+      const row = this._personalAdapter.getProfile(pubKey)
+      if (row) { this._cache.set(norm, row); return row }
+      return null
+    }
+    if (!this._dataviewUrl) return null
+    try {
+      const url = this._dataviewUrl.replace(/\/+$/, '') + '/profiles?id_pub=' + encodeURIComponent(pubKey)
+      const res = await fetch(url)
+      if (!res.ok) return null
+      const body = await res.json()
+      const row = (body.profiles || [])[0]
+      if (row) { this._cache.set(norm, row); return row }
+      return null
+    } catch { return null }
+  }
+
+  nameFor(pubKey) {
+    const hit = this._cache.get((pubKey || '').toLowerCase())
+    return hit?.name || hit?.display_name || pubKey?.slice(0, 8) || ''
+  }
+}

package/provisioner.mjs

@@ -0,0 +1,29 @@
+/**
+ * EnclaveProvisioner — mint enclaves on demand + rebind active adapter.
+ *
+ * Delegates to the `ProvisionerFn` plugin from the ClientPluginRegistry.
+ * Default impl preserves legacy behavior: calls adapter.createEnclave
+ * with a timeout.
+ */
+
+export class EnclaveProvisioner {
+  constructor(opts = {}) {
+    this.adapter = opts.adapter
+    this.timeoutMs = opts.timeoutMs || 5000
+    this._plugins = opts.plugins || null
+  }
+
+  async mint(rbacManifest) {
+    const provisionFn = this._plugins?.get?.('ProvisionerFn')
+    if (provisionFn) {
+      return provisionFn(this.adapter, rbacManifest, { timeoutMs: this.timeoutMs })
+    }
+    // Fallback inline behavior (preserved).
+    if (!this.adapter?.createEnclave) throw new Error('provisioner: adapter has no createEnclave')
+    const result = await Promise.race([
+      this.adapter.createEnclave(rbacManifest),
+      new Promise((_, rej) => setTimeout(() => rej(new Error('createEnclave timeout')), this.timeoutMs)),
+    ])
+    return result
+  }
+}

package/registry.mjs

@@ -0,0 +1,124 @@
+/**
+ * Registry — three independent registration sub-apps that share one
+ * enclave. Each sub-app is keyed by a different field:
+ *
+ *   identities  → key=id_pub      (pubkey → { enclaves: {<app>: <id>, ...} })
+ *   enclaves    → key=enclave_id  (enclave directory)
+ *   nodes       → key=seq_pub     (node directory)
+ *
+ * Lookup is delegated to the `RegistryStrategyFn` plugin from the
+ * ClientPluginRegistry. The default impl is identical to the legacy
+ * inline behavior: dataview HTTP GET first, fall back to event log
+ * filtered by signer.
+ */
+
+function makeRegistrySubApp(eventName, { keyField, table } = {}) {
+  return {
+    _adapter: null,
+    _cache: new Map(),
+    _strategyFn: null,
+    setAdapter(adapter) { this._adapter = adapter },
+    setStrategy(strategyFn) { this._strategyFn = strategyFn },
+
+    async publish(record) {
+      if (!this._adapter) return null
+      return this._adapter.submit(eventName, JSON.stringify(record))
+    },
+
+    async lookup(key) {
+      if (this._strategyFn) {
+        return this._strategyFn({
+          adapter: this._adapter,
+          table,
+          keyField,
+          key,
+          cache: this._cache,
+        })
+      }
+      // Fallback inline behavior (kept verbatim in case no plugin bound).
+      const norm = (key || '').toLowerCase()
+      if (!this._adapter || !key) return this._cache.get(norm) || null
+      if (this._adapter.queryEndpoint && table && keyField) {
+        try {
+          const rows = await this._adapter.queryEndpoint(`/${table}?${keyField}=${encodeURIComponent(key)}`)
+          if (Array.isArray(rows) && rows.length > 0) {
+            const row = { ...rows[0] }
+            for (const [k, v] of Object.entries(row)) {
+              if (typeof v === 'string' && v.length > 1 && (v[0] === '{' || v[0] === '[')) {
+                try { row[k] = JSON.parse(v) } catch {}
+              }
+            }
+            this._cache.set(norm, row)
+            return row
+          }
+        } catch {}
+      }
+      try {
+        const events = await this._adapter.query(eventName, { from: key, limit: 20 })
+        if (events.length === 0) return null
+        const c = typeof events[0].content === 'string' ? JSON.parse(events[0].content) : events[0].content
+        this._cache.set(norm, c)
+        return c
+      } catch { return this._cache.get(norm) || null }
+    },
+
+    async list(opts = {}) {
+      if (!this._adapter) return []
+      try {
+        const events = await this._adapter.query(eventName, { limit: opts.limit || 500 })
+        return events.map(ev => {
+          const c = typeof ev.content === 'string' ? JSON.parse(ev.content) : (ev.content || {})
+          return { ...c, _from: ev.from }
+        })
+      } catch { return [] }
+    },
+  }
+}
+
+export class Registry {
+  /**
+   * @param {object} [opts]
+   * @param {object} [opts.adapter]            shared adapter for all three sub-apps
+   * @param {object} [opts.identitiesAdapter]  per-sub-app adapter override
+   * @param {object} [opts.enclavesAdapter]
+   * @param {object} [opts.nodesAdapter]
+   * @param {object} [opts.plugins]            ClientPluginRegistry to source RegistryStrategyFn from
+   */
+  constructor(opts = {}) {
+    this.identities = makeRegistrySubApp('reg_identity', { keyField: 'id_pub', table: 'reg_identities' })
+    this.enclaves = makeRegistrySubApp('reg_enclave', { keyField: 'enclave_id', table: 'reg_enclaves' })
+    this.nodes = makeRegistrySubApp('reg_node', { keyField: 'seq_pub', table: 'reg_nodes' })
+
+    // resolveEnclave: pubKey + appName → enclave_id (per Reg_Identity.enclaves map).
+    this.identities.resolveEnclave = async function (pubKey, appName) {
+      const entry = await this.lookup(pubKey)
+      if (!entry) return { ok: false, reason: 'unregistered', pubKey }
+      const enclaveId = entry.enclaves?.[String(appName).toLowerCase()]
+      if (!enclaveId) return { ok: false, reason: 'app_not_enabled', pubKey, appName }
+      return { ok: true, enclave: enclaveId, entry }
+    }
+
+    if (opts.adapter) this.setAdapter(opts.adapter)
+    if (opts.identitiesAdapter) this.identities.setAdapter(opts.identitiesAdapter)
+    if (opts.enclavesAdapter) this.enclaves.setAdapter(opts.enclavesAdapter)
+    if (opts.nodesAdapter) this.nodes.setAdapter(opts.nodesAdapter)
+
+    if (opts.plugins) this.setPlugins(opts.plugins)
+  }
+
+  /** Wire all three sub-apps to the registry's RegistryStrategyFn plugin. */
+  setPlugins(plugins) {
+    const strategy = plugins?.get?.('RegistryStrategyFn')
+    if (!strategy) return
+    this.identities.setStrategy(strategy)
+    this.enclaves.setStrategy(strategy)
+    this.nodes.setStrategy(strategy)
+  }
+
+  /** Point all three sub-apps at the same adapter (single shared Registry enclave). */
+  setAdapter(adapter) {
+    this.identities.setAdapter(adapter)
+    this.enclaves.setAdapter(adapter)
+    this.nodes.setAdapter(adapter)
+  }
+}

package/schema.mjs

@@ -0,0 +1,26 @@
+/**
+ * Schema flatteners — delegate to the ManifestNormalizerFn plugin.
+ *
+ * The actual implementation lives in
+ * `@enc-protocol/plugin-client-base/normalizer`. This file is kept
+ * as a thin re-export so existing callers (`flattenEnclaveManifest`)
+ * keep working, and so per-app SDKs can dependency-inject a different
+ * normalizer if they author a non-default manifest DSL.
+ */
+
+import defaultFlatten from '@enc-protocol/plugin-client-base/normalizer'
+
+/** Bound at module load to the default plugin impl. */
+let _impl = defaultFlatten
+
+/**
+ * Swap the active impl (e.g. from a ClientPluginRegistry binding).
+ * Pass `null` to restore the default.
+ */
+export function setManifestNormalizer(fn) {
+  _impl = fn || defaultFlatten
+}
+
+export function flattenEnclaveManifest(raw, opts) {
+  return _impl(raw, opts)
+}

package/subscriber.mjs

@@ -0,0 +1,51 @@
+/**
+ * Subscriber — wraps adapter.subscribe with optional per-event decrypt.
+ *
+ * The adapter delivers raw events; Subscriber decrypts content for
+ * events in `encrypted` (set of event names) using one of:
+ *   1. opts.sdk._decrypt (per-app SDK override — backward compat)
+ *   2. opts.sdk.crypto.decrypt (legacy override path)
+ *   3. opts.plugins.invoke('EnvelopeDecryptFn', ...) (protocol-level slot)
+ */
+
+export class Subscriber {
+  constructor(opts = {}) {
+    this.adapter = opts.adapter
+    this.encrypted = new Set(opts.encrypted || [])
+    this.eventToDataType = opts.eventToDataType || {}
+    this._sdk = opts.sdk || null
+    this._plugins = opts.plugins || this._sdk?.client?.plugins || null
+  }
+
+  _resolveDecrypt() {
+    if (typeof this._sdk?._decrypt === 'function') {
+      return (et, c, f) => this._sdk._decrypt(et, c, f)
+    }
+    if (typeof this._sdk?.crypto?.decrypt === 'function') {
+      return (et, c, f) => this._sdk.crypto.decrypt(et, c, f)
+    }
+    if (this._plugins?.has?.('EnvelopeDecryptFn')) {
+      return (et, c, f) => this._plugins.invoke('EnvelopeDecryptFn', et, c, f)
+    }
+    return null
+  }
+
+  subscribe(callback) {
+    if (!this.adapter?.subscribe) return () => {}
+    return this.adapter.subscribe(async (event) => {
+      const eventType = event.type || event.event
+      const isEnc = this.encrypted.has(eventType)
+      const decrypt = this._resolveDecrypt()
+      if (isEnc && decrypt && event.content) {
+        try {
+          const content = typeof event.content === 'string'
+            ? JSON.parse(event.content) : event.content
+          const decrypted = await decrypt(eventType, content, event.from)
+          callback({ ...event, content: decrypted, _encrypted: true })
+          return
+        } catch { /* fall through to raw */ }
+      }
+      callback(event)
+    })
+  }
+}