@keytrace/lexicon 0.0.10 → 0.0.11

package/lexicons/dev/keytrace/claim.json

@@ -8,11 +8,11 @@
       "description": "An identity claim linking this DID to an external account",
       "record": {
         "type": "object",
-        "required": ["type", "claimUri", "identity", "sig", "createdAt"],
+        "required": ["type", "claimUri", "identity", "sigs", "createdAt"],
         "properties": {
           "type": {
             "type": "string",
-            "knownValues": ["github", "dns", "mastodon", "twitter", "website"],
+            "knownValues": ["github", "dns", "mastodon", "twitter", "website", "pgp"],
             "description": "The claim type identifier"
           },
           "claimUri": {
@@ -24,23 +24,52 @@
             "ref": "#identity",
             "description": "Structured data about the claimed identity"
           },
-          "sig": {
-            "type": "ref",
-            "ref": "dev.keytrace.signature#main",
-            "description": "Cryptographic attestation signature from the keytrace service"
+          "sigs": {
+            "type": "array",
+            "items": {
+              "type": "ref",
+              "ref": "dev.keytrace.signature#main"
+            },
+            "description": "One or more cryptographic attestation signatures from verification services."
           },
           "comment": {
             "type": "string",
             "maxLength": 256,
             "description": "Optional user-provided label for this claim"
           },
+          "status": {
+            "type": "string",
+            "description": "Current verification status of this claim. Absent on legacy records, treated as 'verified'.",
+            "knownValues": ["verified", "failed", "retracted"]
+          },
+          "lastVerifiedAt": {
+            "type": "string",
+            "format": "datetime",
+            "description": "Timestamp of the most recent successful re-verification by the system"
+          },
+          "failedAt": {
+            "type": "string",
+            "format": "datetime",
+            "description": "Timestamp when the claim last failed re-verification or was retracted"
+          },
           "createdAt": {
             "type": "string",
-            "format": "datetime"
+            "format": "datetime",
+            "description": "Datetime when this claim was created (ISO 8601)."
+          },
+          "nonce": {
+            "type": "string",
+            "maxGraphemes": 128,
+            "description": "Random one-time value embedded in the challenge text posted to the external service. Used by verifiers to confirm the proof was created specifically for this claim session."
           },
           "prerelease": {
             "type": "boolean",
             "description": "Whether this claim was created during the prerelease/alpha period"
+          },
+          "retractedAt": {
+            "type": "string",
+            "format": "datetime",
+            "description": "Datetime when this claim was retracted. Present only if the claim has been retracted (ISO 8601)."
           }
         }
       }

package/lexicons/dev/keytrace/profile.json

@@ -0,0 +1,30 @@
+{
+  "lexicon": 1,
+  "id": "dev.keytrace.profile",
+  "defs": {
+    "main": {
+      "type": "record",
+      "key": "literal:self",
+      "description": "Keytrace profile settings. Singleton record stored in the user's ATProto repo.",
+      "record": {
+        "type": "object",
+        "properties": {
+          "displayName": {
+            "type": "string",
+            "maxGraphemes": 128,
+            "description": "Display name override for the keytrace profile. Falls back to Bluesky display name if absent."
+          },
+          "bio": {
+            "type": "string",
+            "maxGraphemes": 1024,
+            "description": "Bio or description shown on the keytrace profile page."
+          },
+          "createdAt": {
+            "type": "string",
+            "format": "datetime"
+          }
+        }
+      }
+    }
+  }
+}

package/lexicons/dev/keytrace/{key.json → serverPublicKey.json}

@@ -1,6 +1,6 @@
 {
   "lexicon": 1,
-  "id": "dev.keytrace.key",
+  "id": "dev.keytrace.serverPublicKey",
   "defs": {
     "main": {
       "type": "record",
@@ -16,11 +16,18 @@
           },
           "validFrom": {
             "type": "string",
-            "format": "datetime"
+            "format": "datetime",
+            "description": "Datetime from which this key is valid (ISO 8601)."
           },
           "validUntil": {
             "type": "string",
-            "format": "datetime"
+            "format": "datetime",
+            "description": "Datetime until which this key is valid (ISO 8601)."
+          },
+         "comment": {
+            "type": "string",
+            "maxGraphemes": 512,
+            "description": "Optional comment or description."
           }
         }
       }

package/lexicons/dev/keytrace/signature.json

@@ -5,25 +5,40 @@
     "main": {
       "type": "object",
       "description": "A cryptographic signature attesting to a claim",
-      "required": ["kid", "src", "signedAt", "attestation"],
+      "required": ["kid", "src", "signedAt", "attestation", "signedFields"],
       "properties": {
         "kid": {
           "type": "string",
-          "description": "Key identifier (e.g., date in YYYY-MM-DD format)"
+          "description": "Key identifier (e.g., date in YYYY-MM-DD format)."
         },
         "src": {
           "type": "string",
           "format": "at-uri",
-          "description": "AT URI reference to the signing key record (e.g., at://did:plc:xxx/dev.keytrace.key/2024-01-15)"
+          "description": "AT URI reference to the signing key record published by the verification service (e.g., at://did:plc:serviceaccount/dev.keytrace.serverPublicKey/2024-01-15)."
         },
         "signedAt": {
           "type": "string",
           "format": "datetime",
-          "description": "Timestamp when the signature was created"
+          "description": "Datetime when the signature was created (ISO 8601)."
         },
         "attestation": {
           "type": "string",
-          "description": "The cryptographic signature (base64-encoded)"
+          "description": "The cryptographic signature (base64-encoded)."
+        },
+        "retractedAt": {
+          "type": "string",
+          "format": "datetime",
+          "description": "Datetime when this signature was retracted. Present only if the signature has been retracted (ISO 8601)."
+        },
+        "signedFields": {
+          "type": "array",
+          "items": { "type": "string" },
+          "description": "Ordered list of field names included in the signed payload (e.g., ['did', 'subject', 'type', 'verifiedAt'])"
+        },
+        "comment": {
+          "type": "string",
+          "maxGraphemes": 512,
+          "description": "Optional comment or description."
         }
       }
     }

package/lexicons/dev/keytrace/statement.json

@@ -0,0 +1,47 @@
+{
+  "lexicon": 1,
+  "id": "dev.keytrace.statement",
+  "defs": {
+    "main": {
+      "type": "record",
+      "key": "tid",
+      "description": "A public statement signed by one of the user's own published public keys (dev.keytrace.userPublicKey).",
+      "record": {
+        "type": "object",
+        "required": ["content", "keyRef", "sig", "createdAt"],
+        "properties": {
+          "content": {
+            "type": "string",
+            "maxLength": 10000,
+            "maxGraphemes": 10000,
+            "description": "The statement text that was signed."
+          },
+          "subject": {
+            "type": "string",
+            "maxGraphemes": 256,
+            "description": "Optional short subject or title for the statement."
+          },
+          "keyRef": {
+            "type": "string",
+            "format": "at-uri",
+            "description": "AT URI of the dev.keytrace.userPublicKey record whose private key produced this signature (e.g., at://did:plc:xxx/dev.keytrace.userPublicKey/3k4...)"
+          },
+          "sig": {
+            "type": "string",
+            "description": "Cryptographic signature of the content field, produced by the key referenced in keyRef (PGP cleartext or detached, base64-encoded binary signature)."
+          },
+          "retractedAt": {
+            "type": "string",
+            "format": "datetime",
+            "description": "Datetime when this statement was retracted. Present only if the statement has been retracted (ISO 8601)."
+          },
+          "createdAt": {
+            "type": "string",
+            "format": "datetime",
+            "description": "Datetime when this statement was created (ISO 8601)."
+          }
+        }
+      }
+    }
+  }
+}

package/lexicons/dev/keytrace/userPublicKey.json

@@ -0,0 +1,58 @@
+{
+  "lexicon": 1,
+  "id": "dev.keytrace.userPublicKey",
+  "defs": {
+    "main": {
+      "type": "record",
+      "key": "tid",
+      "description": "A user-published public key.",
+      "record": {
+        "type": "object",
+        "required": ["keyType", "publicKey", "createdAt"],
+        "properties": {
+          "keyType": {
+            "type": "string",
+            "knownValues": ["pgp", "ssh-ed25519", "ssh-ecdsa"],
+            "description": "Format of the public key."
+          },
+          "publicKeyArmored": {
+            "type": "string",
+            "maxLength": 16384,
+            "maxGraphemes": 16384,
+            "description": "Full public key in standard text armored format."
+          },
+          "fingerprint": {
+            "type": "string",
+            "maxGraphemes": 256,
+            "description": "Key fingerprint."
+          },
+          "label": {
+            "type": "string",
+            "maxGraphemes": 128,
+            "description": "Human-readable label for this key (e.g., 'work laptop', 'signing key')."
+          },
+          "comment": {
+            "type": "string",
+            "maxGraphemes": 512,
+            "description": "Optional comment or description."
+          },
+          "expiresAt": {
+            "type": "string",
+            "format": "datetime",
+            "description": "Datetime when this key expires (ISO 8601)."
+          },
+          "retractedAt": {
+            "type": "string",
+            "format": "datetime",
+            "description": "Datetime when this key was retracted. Present only if the key has been retracted (ISO 8601)."
+          },
+          "createdAt": {
+            "type": "string",
+            "format": "datetime",
+            "description": "Datetime when this key was created (ISO 8601)."
+          }
+        }
+      }
+    }
+  }
+}

package/package.json

@@ -1,16 +1,25 @@
 {
   "name": "@keytrace/lexicon",
-  "version": "0.0.10",
+  "version": "0.0.11",
   "files": [
-    "lexicons"
+    "lexicons",
+    "types"
   ],
   "type": "module",
   "exports": {
-    "./lexicons/*": "./lexicons/*"
+    "./lexicons/*": "./lexicons/*",
+    "./types": "./types/index.js",
+    "./types/*": "./types/*"
+  },
+  "scripts": {
+    "codegen": "lex gen-api --yes ./types ./lexicons/dev/keytrace/*"
   },
   "repository": {
     "type": "git",
     "url": "https://github.com/orta/keytrace",
     "directory": "packages/lexicon"
+  },
+  "devDependencies": {
+    "@atproto/lex-cli": "^0.9.8"
   }
 }

package/types/index.ts

@@ -0,0 +1,387 @@
+/**
+ * GENERATED CODE - DO NOT MODIFY
+ */
+import {
+  XrpcClient,
+  type FetchHandler,
+  type FetchHandlerOptions,
+} from '@atproto/xrpc'
+import { schemas } from './lexicons.js'
+import { CID } from 'multiformats/cid'
+import { type OmitKey, type Un$Typed } from './util.js'
+import * as DevKeytraceClaim from './types/dev/keytrace/claim.js'
+import * as DevKeytraceProfile from './types/dev/keytrace/profile.js'
+import * as DevKeytraceServerPublicKey from './types/dev/keytrace/serverPublicKey.js'
+import * as DevKeytraceSignature from './types/dev/keytrace/signature.js'
+import * as DevKeytraceStatement from './types/dev/keytrace/statement.js'
+
+export * as DevKeytraceClaim from './types/dev/keytrace/claim.js'
+export * as DevKeytraceProfile from './types/dev/keytrace/profile.js'
+export * as DevKeytraceServerPublicKey from './types/dev/keytrace/serverPublicKey.js'
+export * as DevKeytraceSignature from './types/dev/keytrace/signature.js'
+export * as DevKeytraceStatement from './types/dev/keytrace/statement.js'
+
+export class AtpBaseClient extends XrpcClient {
+  dev: DevNS
+
+  constructor(options: FetchHandler | FetchHandlerOptions) {
+    super(options, schemas)
+    this.dev = new DevNS(this)
+  }
+
+  /** @deprecated use `this` instead */
+  get xrpc(): XrpcClient {
+    return this
+  }
+}
+
+export class DevNS {
+  _client: XrpcClient
+  keytrace: DevKeytraceNS
+
+  constructor(client: XrpcClient) {
+    this._client = client
+    this.keytrace = new DevKeytraceNS(client)
+  }
+}
+
+export class DevKeytraceNS {
+  _client: XrpcClient
+  claim: DevKeytraceClaimRecord
+  profile: DevKeytraceProfileRecord
+  serverPublicKey: DevKeytraceServerPublicKeyRecord
+  statement: DevKeytraceStatementRecord
+
+  constructor(client: XrpcClient) {
+    this._client = client
+    this.claim = new DevKeytraceClaimRecord(client)
+    this.profile = new DevKeytraceProfileRecord(client)
+    this.serverPublicKey = new DevKeytraceServerPublicKeyRecord(client)
+    this.statement = new DevKeytraceStatementRecord(client)
+  }
+}
+
+export class DevKeytraceClaimRecord {
+  _client: XrpcClient
+
+  constructor(client: XrpcClient) {
+    this._client = client
+  }
+
+  async list(
+    params: OmitKey<ComAtprotoRepoListRecords.QueryParams, 'collection'>,
+  ): Promise<{
+    cursor?: string
+    records: { uri: string; value: DevKeytraceClaim.Record }[]
+  }> {
+    const res = await this._client.call('com.atproto.repo.listRecords', {
+      collection: 'dev.keytrace.claim',
+      ...params,
+    })
+    return res.data
+  }
+
+  async get(
+    params: OmitKey<ComAtprotoRepoGetRecord.QueryParams, 'collection'>,
+  ): Promise<{ uri: string; cid: string; value: DevKeytraceClaim.Record }> {
+    const res = await this._client.call('com.atproto.repo.getRecord', {
+      collection: 'dev.keytrace.claim',
+      ...params,
+    })
+    return res.data
+  }
+
+  async create(
+    params: OmitKey<
+      ComAtprotoRepoCreateRecord.InputSchema,
+      'collection' | 'record'
+    >,
+    record: Un$Typed<DevKeytraceClaim.Record>,
+    headers?: Record<string, string>,
+  ): Promise<{ uri: string; cid: string }> {
+    const collection = 'dev.keytrace.claim'
+    const res = await this._client.call(
+      'com.atproto.repo.createRecord',
+      undefined,
+      { collection, ...params, record: { ...record, $type: collection } },
+      { encoding: 'application/json', headers },
+    )
+    return res.data
+  }
+
+  async put(
+    params: OmitKey<
+      ComAtprotoRepoPutRecord.InputSchema,
+      'collection' | 'record'
+    >,
+    record: Un$Typed<DevKeytraceClaim.Record>,
+    headers?: Record<string, string>,
+  ): Promise<{ uri: string; cid: string }> {
+    const collection = 'dev.keytrace.claim'
+    const res = await this._client.call(
+      'com.atproto.repo.putRecord',
+      undefined,
+      { collection, ...params, record: { ...record, $type: collection } },
+      { encoding: 'application/json', headers },
+    )
+    return res.data
+  }
+
+  async delete(
+    params: OmitKey<ComAtprotoRepoDeleteRecord.InputSchema, 'collection'>,
+    headers?: Record<string, string>,
+  ): Promise<void> {
+    await this._client.call(
+      'com.atproto.repo.deleteRecord',
+      undefined,
+      { collection: 'dev.keytrace.claim', ...params },
+      { headers },
+    )
+  }
+}
+
+export class DevKeytraceProfileRecord {
+  _client: XrpcClient
+
+  constructor(client: XrpcClient) {
+    this._client = client
+  }
+
+  async list(
+    params: OmitKey<ComAtprotoRepoListRecords.QueryParams, 'collection'>,
+  ): Promise<{
+    cursor?: string
+    records: { uri: string; value: DevKeytraceProfile.Record }[]
+  }> {
+    const res = await this._client.call('com.atproto.repo.listRecords', {
+      collection: 'dev.keytrace.profile',
+      ...params,
+    })
+    return res.data
+  }
+
+  async get(
+    params: OmitKey<ComAtprotoRepoGetRecord.QueryParams, 'collection'>,
+  ): Promise<{ uri: string; cid: string; value: DevKeytraceProfile.Record }> {
+    const res = await this._client.call('com.atproto.repo.getRecord', {
+      collection: 'dev.keytrace.profile',
+      ...params,
+    })
+    return res.data
+  }
+
+  async create(
+    params: OmitKey<
+      ComAtprotoRepoCreateRecord.InputSchema,
+      'collection' | 'record'
+    >,
+    record: Un$Typed<DevKeytraceProfile.Record>,
+    headers?: Record<string, string>,
+  ): Promise<{ uri: string; cid: string }> {
+    const collection = 'dev.keytrace.profile'
+    const res = await this._client.call(
+      'com.atproto.repo.createRecord',
+      undefined,
+      {
+        collection,
+        rkey: 'self',
+        ...params,
+        record: { ...record, $type: collection },
+      },
+      { encoding: 'application/json', headers },
+    )
+    return res.data
+  }
+
+  async put(
+    params: OmitKey<
+      ComAtprotoRepoPutRecord.InputSchema,
+      'collection' | 'record'
+    >,
+    record: Un$Typed<DevKeytraceProfile.Record>,
+    headers?: Record<string, string>,
+  ): Promise<{ uri: string; cid: string }> {
+    const collection = 'dev.keytrace.profile'
+    const res = await this._client.call(
+      'com.atproto.repo.putRecord',
+      undefined,
+      { collection, ...params, record: { ...record, $type: collection } },
+      { encoding: 'application/json', headers },
+    )
+    return res.data
+  }
+
+  async delete(
+    params: OmitKey<ComAtprotoRepoDeleteRecord.InputSchema, 'collection'>,
+    headers?: Record<string, string>,
+  ): Promise<void> {
+    await this._client.call(
+      'com.atproto.repo.deleteRecord',
+      undefined,
+      { collection: 'dev.keytrace.profile', ...params },
+      { headers },
+    )
+  }
+}
+
+export class DevKeytraceServerPublicKeyRecord {
+  _client: XrpcClient
+
+  constructor(client: XrpcClient) {
+    this._client = client
+  }
+
+  async list(
+    params: OmitKey<ComAtprotoRepoListRecords.QueryParams, 'collection'>,
+  ): Promise<{
+    cursor?: string
+    records: { uri: string; value: DevKeytraceServerPublicKey.Record }[]
+  }> {
+    const res = await this._client.call('com.atproto.repo.listRecords', {
+      collection: 'dev.keytrace.serverPublicKey',
+      ...params,
+    })
+    return res.data
+  }
+
+  async get(
+    params: OmitKey<ComAtprotoRepoGetRecord.QueryParams, 'collection'>,
+  ): Promise<{
+    uri: string
+    cid: string
+    value: DevKeytraceServerPublicKey.Record
+  }> {
+    const res = await this._client.call('com.atproto.repo.getRecord', {
+      collection: 'dev.keytrace.serverPublicKey',
+      ...params,
+    })
+    return res.data
+  }
+
+  async create(
+    params: OmitKey<
+      ComAtprotoRepoCreateRecord.InputSchema,
+      'collection' | 'record'
+    >,
+    record: Un$Typed<DevKeytraceServerPublicKey.Record>,
+    headers?: Record<string, string>,
+  ): Promise<{ uri: string; cid: string }> {
+    const collection = 'dev.keytrace.serverPublicKey'
+    const res = await this._client.call(
+      'com.atproto.repo.createRecord',
+      undefined,
+      { collection, ...params, record: { ...record, $type: collection } },
+      { encoding: 'application/json', headers },
+    )
+    return res.data
+  }
+
+  async put(
+    params: OmitKey<
+      ComAtprotoRepoPutRecord.InputSchema,
+      'collection' | 'record'
+    >,
+    record: Un$Typed<DevKeytraceServerPublicKey.Record>,
+    headers?: Record<string, string>,
+  ): Promise<{ uri: string; cid: string }> {
+    const collection = 'dev.keytrace.serverPublicKey'
+    const res = await this._client.call(
+      'com.atproto.repo.putRecord',
+      undefined,
+      { collection, ...params, record: { ...record, $type: collection } },
+      { encoding: 'application/json', headers },
+    )
+    return res.data
+  }
+
+  async delete(
+    params: OmitKey<ComAtprotoRepoDeleteRecord.InputSchema, 'collection'>,
+    headers?: Record<string, string>,
+  ): Promise<void> {
+    await this._client.call(
+      'com.atproto.repo.deleteRecord',
+      undefined,
+      { collection: 'dev.keytrace.serverPublicKey', ...params },
+      { headers },
+    )
+  }
+}
+
+export class DevKeytraceStatementRecord {
+  _client: XrpcClient
+
+  constructor(client: XrpcClient) {
+    this._client = client
+  }
+
+  async list(
+    params: OmitKey<ComAtprotoRepoListRecords.QueryParams, 'collection'>,
+  ): Promise<{
+    cursor?: string
+    records: { uri: string; value: DevKeytraceStatement.Record }[]
+  }> {
+    const res = await this._client.call('com.atproto.repo.listRecords', {
+      collection: 'dev.keytrace.statement',
+      ...params,
+    })
+    return res.data
+  }
+
+  async get(
+    params: OmitKey<ComAtprotoRepoGetRecord.QueryParams, 'collection'>,
+  ): Promise<{ uri: string; cid: string; value: DevKeytraceStatement.Record }> {
+    const res = await this._client.call('com.atproto.repo.getRecord', {
+      collection: 'dev.keytrace.statement',
+      ...params,
+    })
+    return res.data
+  }
+
+  async create(
+    params: OmitKey<
+      ComAtprotoRepoCreateRecord.InputSchema,
+      'collection' | 'record'
+    >,
+    record: Un$Typed<DevKeytraceStatement.Record>,
+    headers?: Record<string, string>,
+  ): Promise<{ uri: string; cid: string }> {
+    const collection = 'dev.keytrace.statement'
+    const res = await this._client.call(
+      'com.atproto.repo.createRecord',
+      undefined,
+      { collection, ...params, record: { ...record, $type: collection } },
+      { encoding: 'application/json', headers },
+    )
+    return res.data
+  }
+
+  async put(
+    params: OmitKey<
+      ComAtprotoRepoPutRecord.InputSchema,
+      'collection' | 'record'
+    >,
+    record: Un$Typed<DevKeytraceStatement.Record>,
+    headers?: Record<string, string>,
+  ): Promise<{ uri: string; cid: string }> {
+    const collection = 'dev.keytrace.statement'
+    const res = await this._client.call(
+      'com.atproto.repo.putRecord',
+      undefined,
+      { collection, ...params, record: { ...record, $type: collection } },
+      { encoding: 'application/json', headers },
+    )
+    return res.data
+  }
+
+  async delete(
+    params: OmitKey<ComAtprotoRepoDeleteRecord.InputSchema, 'collection'>,
+    headers?: Record<string, string>,
+  ): Promise<void> {
+    await this._client.call(
+      'com.atproto.repo.deleteRecord',
+      undefined,
+      { collection: 'dev.keytrace.statement', ...params },
+      { headers },
+    )
+  }
+}

package/types/lexicons.ts

@@ -0,0 +1,333 @@
+/**
+ * GENERATED CODE - DO NOT MODIFY
+ */
+import {
+  type LexiconDoc,
+  Lexicons,
+  ValidationError,
+  type ValidationResult,
+} from '@atproto/lexicon'
+import { type $Typed, is$typed, maybe$typed } from './util.js'
+
+export const schemaDict = {
+  DevKeytraceClaim: {
+    lexicon: 1,
+    id: 'dev.keytrace.claim',
+    defs: {
+      main: {
+        type: 'record',
+        key: 'tid',
+        description:
+          'An identity claim linking this DID to an external account',
+        record: {
+          type: 'object',
+          required: ['type', 'claimUri', 'identity', 'sigs', 'createdAt'],
+          properties: {
+            type: {
+              type: 'string',
+              knownValues: [
+                'github',
+                'dns',
+                'mastodon',
+                'twitter',
+                'website',
+                'pgp',
+              ],
+              description: 'The claim type identifier',
+            },
+            claimUri: {
+              type: 'string',
+              description:
+                'The identity claim URI (e.g., for github: https://gist.github.com/username/id, dns:example.com)',
+            },
+            identity: {
+              type: 'ref',
+              ref: 'lex:dev.keytrace.claim#identity',
+              description: 'Structured data about the claimed identity',
+            },
+            sigs: {
+              type: 'array',
+              items: {
+                type: 'ref',
+                ref: 'lex:dev.keytrace.signature#main',
+              },
+              description:
+                'One or more cryptographic attestation signatures from verification services.',
+            },
+            comment: {
+              type: 'string',
+              maxLength: 256,
+              description: 'Optional user-provided label for this claim',
+            },
+            status: {
+              type: 'string',
+              description:
+                "Current verification status of this claim. Absent on legacy records, treated as 'verified'.",
+              knownValues: ['verified', 'failed', 'retracted'],
+            },
+            lastVerifiedAt: {
+              type: 'string',
+              format: 'datetime',
+              description:
+                'Timestamp of the most recent successful re-verification by the system',
+            },
+            failedAt: {
+              type: 'string',
+              format: 'datetime',
+              description:
+                'Timestamp when the claim last failed re-verification or was retracted',
+            },
+            createdAt: {
+              type: 'string',
+              format: 'datetime',
+              description: 'Datetime when this claim was created (ISO 8601).',
+            },
+            nonce: {
+              type: 'string',
+              maxGraphemes: 128,
+              description:
+                'Random one-time value embedded in the challenge text posted to the external service. Used by verifiers to confirm the proof was created specifically for this claim session.',
+            },
+            prerelease: {
+              type: 'boolean',
+              description:
+                'Whether this claim was created during the prerelease/alpha period',
+            },
+            retractedAt: {
+              type: 'string',
+              format: 'datetime',
+              description:
+                'Datetime when this claim was retracted. Present only if the claim has been retracted (ISO 8601).',
+            },
+          },
+        },
+      },
+      identity: {
+        type: 'object',
+        description: 'Generic identity data for the claimed account',
+        required: ['subject'],
+        properties: {
+          subject: {
+            type: 'string',
+            description: 'Primary identifier (username, domain, handle, etc.)',
+          },
+          avatarUrl: {
+            type: 'string',
+            format: 'uri',
+            description: 'Avatar/profile image URL',
+          },
+          profileUrl: {
+            type: 'string',
+            format: 'uri',
+            description: 'Profile page URL',
+          },
+          displayName: {
+            type: 'string',
+            description: 'Display name if different from subject',
+          },
+        },
+      },
+    },
+  },
+  DevKeytraceProfile: {
+    lexicon: 1,
+    id: 'dev.keytrace.profile',
+    defs: {
+      main: {
+        type: 'record',
+        key: 'literal:self',
+        description:
+          "Keytrace profile settings. Singleton record stored in the user's ATProto repo.",
+        record: {
+          type: 'object',
+          properties: {
+            displayName: {
+              type: 'string',
+              maxGraphemes: 128,
+              description:
+                'Display name override for the keytrace profile. Falls back to Bluesky display name if absent.',
+            },
+            bio: {
+              type: 'string',
+              maxGraphemes: 1024,
+              description:
+                'Bio or description shown on the keytrace profile page.',
+            },
+            createdAt: {
+              type: 'string',
+              format: 'datetime',
+            },
+          },
+        },
+      },
+    },
+  },
+  DevKeytraceServerPublicKey: {
+    lexicon: 1,
+    id: 'dev.keytrace.serverPublicKey',
+    defs: {
+      main: {
+        type: 'record',
+        key: 'any',
+        description:
+          'A daily signing key for claim attestations. Record key is the date in YYYY-MM-DD format.',
+        record: {
+          type: 'object',
+          required: ['publicJwk', 'validFrom', 'validUntil'],
+          properties: {
+            publicJwk: {
+              type: 'string',
+              description: 'JWK public key as a JSON string (RFC 7517 format)',
+            },
+            validFrom: {
+              type: 'string',
+              format: 'datetime',
+              description: 'Datetime from which this key is valid (ISO 8601).',
+            },
+            validUntil: {
+              type: 'string',
+              format: 'datetime',
+              description: 'Datetime until which this key is valid (ISO 8601).',
+            },
+          },
+        },
+      },
+    },
+  },
+  DevKeytraceSignature: {
+    lexicon: 1,
+    id: 'dev.keytrace.signature',
+    defs: {
+      main: {
+        type: 'object',
+        description: 'A cryptographic signature attesting to a claim',
+        required: ['kid', 'src', 'signedAt', 'attestation', 'signedFields'],
+        properties: {
+          kid: {
+            type: 'string',
+            description: 'Key identifier (e.g., date in YYYY-MM-DD format).',
+          },
+          src: {
+            type: 'string',
+            format: 'at-uri',
+            description:
+              'AT URI reference to the signing key record published by the verification service (e.g., at://did:plc:serviceaccount/dev.keytrace.serverPublicKey/2024-01-15).',
+          },
+          signedAt: {
+            type: 'string',
+            format: 'datetime',
+            description: 'Datetime when the signature was created (ISO 8601).',
+          },
+          attestation: {
+            type: 'string',
+            description: 'The cryptographic signature (base64-encoded).',
+          },
+          retractedAt: {
+            type: 'string',
+            format: 'datetime',
+            description:
+              'Datetime when this signature was retracted. Present only if the signature has been retracted (ISO 8601).',
+          },
+          signedFields: {
+            type: 'array',
+            items: {
+              type: 'string',
+            },
+            description:
+              "Ordered list of field names included in the signed payload (e.g., ['did', 'subject', 'type', 'verifiedAt'])",
+          },
+        },
+      },
+    },
+  },
+  DevKeytraceStatement: {
+    lexicon: 1,
+    id: 'dev.keytrace.statement',
+    defs: {
+      main: {
+        type: 'record',
+        key: 'tid',
+        description:
+          "A public statement signed by one of the user's own published public keys (dev.keytrace.userPublicKey).",
+        record: {
+          type: 'object',
+          required: ['content', 'keyRef', 'sig', 'createdAt'],
+          properties: {
+            content: {
+              type: 'string',
+              maxLength: 10000,
+              maxGraphemes: 10000,
+              description: 'The statement text that was signed.',
+            },
+            subject: {
+              type: 'string',
+              maxGraphemes: 256,
+              description: 'Optional short subject or title for the statement.',
+            },
+            keyRef: {
+              type: 'string',
+              format: 'at-uri',
+              description:
+                'AT URI of the dev.keytrace.userPublicKey record whose private key produced this signature (e.g., at://did:plc:xxx/dev.keytrace.userPublicKey/3k4...)',
+            },
+            sig: {
+              type: 'string',
+              description:
+                'Cryptographic signature of the content field, produced by the key referenced in keyRef (PGP cleartext or detached, base64-encoded binary signature).',
+            },
+            retractedAt: {
+              type: 'string',
+              format: 'datetime',
+              description:
+                'Datetime when this statement was retracted. Present only if the statement has been retracted (ISO 8601).',
+            },
+            createdAt: {
+              type: 'string',
+              format: 'datetime',
+              description:
+                'Datetime when this statement was created (ISO 8601).',
+            },
+          },
+        },
+      },
+    },
+  },
+} as const satisfies Record<string, LexiconDoc>
+export const schemas = Object.values(schemaDict) satisfies LexiconDoc[]
+export const lexicons: Lexicons = new Lexicons(schemas)
+
+export function validate<T extends { $type: string }>(
+  v: unknown,
+  id: string,
+  hash: string,
+  requiredType: true,
+): ValidationResult<T>
+export function validate<T extends { $type?: string }>(
+  v: unknown,
+  id: string,
+  hash: string,
+  requiredType?: false,
+): ValidationResult<T>
+export function validate(
+  v: unknown,
+  id: string,
+  hash: string,
+  requiredType?: boolean,
+): ValidationResult {
+  return (requiredType ? is$typed : maybe$typed)(v, id, hash)
+    ? lexicons.validate(`${id}#${hash}`, v)
+    : {
+        success: false,
+        error: new ValidationError(
+          `Must be an object with "${hash === 'main' ? id : `${id}#${hash}`}" $type property`,
+        ),
+      }
+}
+
+export const ids = {
+  DevKeytraceClaim: 'dev.keytrace.claim',
+  DevKeytraceProfile: 'dev.keytrace.profile',
+  DevKeytraceServerPublicKey: 'dev.keytrace.serverPublicKey',
+  DevKeytraceSignature: 'dev.keytrace.signature',
+  DevKeytraceStatement: 'dev.keytrace.statement',
+} as const

package/types/types/dev/keytrace/claim.ts

@@ -0,0 +1,86 @@
+/**
+ * GENERATED CODE - DO NOT MODIFY
+ */
+import { type ValidationResult, BlobRef } from '@atproto/lexicon'
+import { CID } from 'multiformats/cid'
+import { validate as _validate } from '../../../lexicons'
+import { type $Typed, is$typed as _is$typed, type OmitKey } from '../../../util'
+import type * as DevKeytraceSignature from './signature.js'
+
+const is$typed = _is$typed,
+  validate = _validate
+const id = 'dev.keytrace.claim'
+
+export interface Main {
+  $type: 'dev.keytrace.claim'
+  /** The claim type identifier */
+  type:
+    | 'github'
+    | 'dns'
+    | 'mastodon'
+    | 'twitter'
+    | 'website'
+    | 'pgp'
+    | (string & {})
+  /** The identity claim URI (e.g., for github: https://gist.github.com/username/id, dns:example.com) */
+  claimUri: string
+  identity: Identity
+  /** One or more cryptographic attestation signatures from verification services. */
+  sigs: DevKeytraceSignature.Main[]
+  /** Optional user-provided label for this claim */
+  comment?: string
+  /** Current verification status of this claim. Absent on legacy records, treated as 'verified'. */
+  status?: 'verified' | 'failed' | 'retracted' | (string & {})
+  /** Timestamp of the most recent successful re-verification by the system */
+  lastVerifiedAt?: string
+  /** Timestamp when the claim last failed re-verification or was retracted */
+  failedAt?: string
+  /** Datetime when this claim was created (ISO 8601). */
+  createdAt: string
+  /** Random one-time value embedded in the challenge text posted to the external service. Used by verifiers to confirm the proof was created specifically for this claim session. */
+  nonce?: string
+  /** Whether this claim was created during the prerelease/alpha period */
+  prerelease?: boolean
+  /** Datetime when this claim was retracted. Present only if the claim has been retracted (ISO 8601). */
+  retractedAt?: string
+  [k: string]: unknown
+}
+
+const hashMain = 'main'
+
+export function isMain<V>(v: V) {
+  return is$typed(v, id, hashMain)
+}
+
+export function validateMain<V>(v: V) {
+  return validate<Main & V>(v, id, hashMain, true)
+}
+
+export {
+  type Main as Record,
+  isMain as isRecord,
+  validateMain as validateRecord,
+}
+
+/** Generic identity data for the claimed account */
+export interface Identity {
+  $type?: 'dev.keytrace.claim#identity'
+  /** Primary identifier (username, domain, handle, etc.) */
+  subject: string
+  /** Avatar/profile image URL */
+  avatarUrl?: string
+  /** Profile page URL */
+  profileUrl?: string
+  /** Display name if different from subject */
+  displayName?: string
+}
+
+const hashIdentity = 'identity'
+
+export function isIdentity<V>(v: V) {
+  return is$typed(v, id, hashIdentity)
+}
+
+export function validateIdentity<V>(v: V) {
+  return validate<Identity & V>(v, id, hashIdentity)
+}

package/types/types/dev/keytrace/profile.ts

@@ -0,0 +1,37 @@
+/**
+ * GENERATED CODE - DO NOT MODIFY
+ */
+import { type ValidationResult, BlobRef } from '@atproto/lexicon'
+import { CID } from 'multiformats/cid'
+import { validate as _validate } from '../../../lexicons'
+import { type $Typed, is$typed as _is$typed, type OmitKey } from '../../../util'
+
+const is$typed = _is$typed,
+  validate = _validate
+const id = 'dev.keytrace.profile'
+
+export interface Main {
+  $type: 'dev.keytrace.profile'
+  /** Display name override for the keytrace profile. Falls back to Bluesky display name if absent. */
+  displayName?: string
+  /** Bio or description shown on the keytrace profile page. */
+  bio?: string
+  createdAt?: string
+  [k: string]: unknown
+}
+
+const hashMain = 'main'
+
+export function isMain<V>(v: V) {
+  return is$typed(v, id, hashMain)
+}
+
+export function validateMain<V>(v: V) {
+  return validate<Main & V>(v, id, hashMain, true)
+}
+
+export {
+  type Main as Record,
+  isMain as isRecord,
+  validateMain as validateRecord,
+}

package/types/types/dev/keytrace/serverPublicKey.ts

@@ -0,0 +1,38 @@
+/**
+ * GENERATED CODE - DO NOT MODIFY
+ */
+import { type ValidationResult, BlobRef } from '@atproto/lexicon'
+import { CID } from 'multiformats/cid'
+import { validate as _validate } from '../../../lexicons'
+import { type $Typed, is$typed as _is$typed, type OmitKey } from '../../../util'
+
+const is$typed = _is$typed,
+  validate = _validate
+const id = 'dev.keytrace.serverPublicKey'
+
+export interface Main {
+  $type: 'dev.keytrace.serverPublicKey'
+  /** JWK public key as a JSON string (RFC 7517 format) */
+  publicJwk: string
+  /** Datetime from which this key is valid (ISO 8601). */
+  validFrom: string
+  /** Datetime until which this key is valid (ISO 8601). */
+  validUntil: string
+  [k: string]: unknown
+}
+
+const hashMain = 'main'
+
+export function isMain<V>(v: V) {
+  return is$typed(v, id, hashMain)
+}
+
+export function validateMain<V>(v: V) {
+  return validate<Main & V>(v, id, hashMain, true)
+}
+
+export {
+  type Main as Record,
+  isMain as isRecord,
+  validateMain as validateRecord,
+}

package/types/types/dev/keytrace/signature.ts

@@ -0,0 +1,38 @@
+/**
+ * GENERATED CODE - DO NOT MODIFY
+ */
+import { type ValidationResult, BlobRef } from '@atproto/lexicon'
+import { CID } from 'multiformats/cid'
+import { validate as _validate } from '../../../lexicons'
+import { type $Typed, is$typed as _is$typed, type OmitKey } from '../../../util'
+
+const is$typed = _is$typed,
+  validate = _validate
+const id = 'dev.keytrace.signature'
+
+/** A cryptographic signature attesting to a claim */
+export interface Main {
+  $type?: 'dev.keytrace.signature'
+  /** Key identifier (e.g., date in YYYY-MM-DD format). */
+  kid: string
+  /** AT URI reference to the signing key record published by the verification service (e.g., at://did:plc:serviceaccount/dev.keytrace.serverPublicKey/2024-01-15). */
+  src: string
+  /** Datetime when the signature was created (ISO 8601). */
+  signedAt: string
+  /** The cryptographic signature (base64-encoded). */
+  attestation: string
+  /** Datetime when this signature was retracted. Present only if the signature has been retracted (ISO 8601). */
+  retractedAt?: string
+  /** Ordered list of field names included in the signed payload (e.g., ['did', 'subject', 'type', 'verifiedAt']) */
+  signedFields: string[]
+}
+
+const hashMain = 'main'
+
+export function isMain<V>(v: V) {
+  return is$typed(v, id, hashMain)
+}
+
+export function validateMain<V>(v: V) {
+  return validate<Main & V>(v, id, hashMain)
+}

package/types/types/dev/keytrace/statement.ts

@@ -0,0 +1,44 @@
+/**
+ * GENERATED CODE - DO NOT MODIFY
+ */
+import { type ValidationResult, BlobRef } from '@atproto/lexicon'
+import { CID } from 'multiformats/cid'
+import { validate as _validate } from '../../../lexicons'
+import { type $Typed, is$typed as _is$typed, type OmitKey } from '../../../util'
+
+const is$typed = _is$typed,
+  validate = _validate
+const id = 'dev.keytrace.statement'
+
+export interface Main {
+  $type: 'dev.keytrace.statement'
+  /** The statement text that was signed. */
+  content: string
+  /** Optional short subject or title for the statement. */
+  subject?: string
+  /** AT URI of the dev.keytrace.userPublicKey record whose private key produced this signature (e.g., at://did:plc:xxx/dev.keytrace.userPublicKey/3k4...) */
+  keyRef: string
+  /** Cryptographic signature of the content field, produced by the key referenced in keyRef (PGP cleartext or detached, base64-encoded binary signature). */
+  sig: string
+  /** Datetime when this statement was retracted. Present only if the statement has been retracted (ISO 8601). */
+  retractedAt?: string
+  /** Datetime when this statement was created (ISO 8601). */
+  createdAt: string
+  [k: string]: unknown
+}
+
+const hashMain = 'main'
+
+export function isMain<V>(v: V) {
+  return is$typed(v, id, hashMain)
+}
+
+export function validateMain<V>(v: V) {
+  return validate<Main & V>(v, id, hashMain, true)
+}
+
+export {
+  type Main as Record,
+  isMain as isRecord,
+  validateMain as validateRecord,
+}

package/types/util.ts

@@ -0,0 +1,82 @@
+/**
+ * GENERATED CODE - DO NOT MODIFY
+ */
+
+import { type ValidationResult } from '@atproto/lexicon'
+
+export type OmitKey<T, K extends keyof T> = {
+  [K2 in keyof T as K2 extends K ? never : K2]: T[K2]
+}
+
+export type $Typed<V, T extends string = string> = V & { $type: T }
+export type Un$Typed<V extends { $type?: string }> = OmitKey<V, '$type'>
+
+export type $Type<Id extends string, Hash extends string> = Hash extends 'main'
+  ? Id
+  : `${Id}#${Hash}`
+
+function isObject<V>(v: V): v is V & object {
+  return v != null && typeof v === 'object'
+}
+
+function is$type<Id extends string, Hash extends string>(
+  $type: unknown,
+  id: Id,
+  hash: Hash,
+): $type is $Type<Id, Hash> {
+  return hash === 'main'
+    ? $type === id
+    : // $type === `${id}#${hash}`
+      typeof $type === 'string' &&
+        $type.length === id.length + 1 + hash.length &&
+        $type.charCodeAt(id.length) === 35 /* '#' */ &&
+        $type.startsWith(id) &&
+        $type.endsWith(hash)
+}
+
+export type $TypedObject<
+  V,
+  Id extends string,
+  Hash extends string,
+> = V extends {
+  $type: $Type<Id, Hash>
+}
+  ? V
+  : V extends { $type?: string }
+    ? V extends { $type?: infer T extends $Type<Id, Hash> }
+      ? V & { $type: T }
+      : never
+    : V & { $type: $Type<Id, Hash> }
+
+export function is$typed<V, Id extends string, Hash extends string>(
+  v: V,
+  id: Id,
+  hash: Hash,
+): v is $TypedObject<V, Id, Hash> {
+  return isObject(v) && '$type' in v && is$type(v.$type, id, hash)
+}
+
+export function maybe$typed<V, Id extends string, Hash extends string>(
+  v: V,
+  id: Id,
+  hash: Hash,
+): v is V & object & { $type?: $Type<Id, Hash> } {
+  return (
+    isObject(v) &&
+    ('$type' in v ? v.$type === undefined || is$type(v.$type, id, hash) : true)
+  )
+}
+
+export type Validator<R = unknown> = (v: unknown) => ValidationResult<R>
+export type ValidatorParam<V extends Validator> =
+  V extends Validator<infer R> ? R : never
+
+/**
+ * Utility function that allows to convert a "validate*" utility function into a
+ * type predicate.
+ */
+export function asPredicate<V extends Validator>(validate: V) {
+  return function <T>(v: T): v is T & ValidatorParam<V> {
+    return validate(v).success
+  }
+}