@metalabel/dfos-protocol 0.0.1

package/dist/chunk-LWC4PWGZ.js

@@ -0,0 +1,385 @@
+import {
+  createJws,
+  dagCborCanonicalEncode,
+  decodeJwsUnsafe,
+  generateIdNoPrefix,
+  verifyJws
+} from "./chunk-ZXXP5W5N.js";
+
+// src/chain/schemas.ts
+import { z } from "zod";
+var MAX_KEY_ID = 64;
+var MAX_PUBLIC_KEY_MULTIBASE = 128;
+var MAX_CID = 256;
+var MAX_NOTE = 256;
+var MAX_KEYS_PER_ROLE = 16;
+var MultikeyPublicKey = z.strictObject({
+  id: z.string().max(MAX_KEY_ID),
+  type: z.literal("Multikey"),
+  publicKeyMultibase: z.string().max(MAX_PUBLIC_KEY_MULTIBASE)
+});
+var Iso8601 = z.iso.datetime({ offset: false, precision: 3 });
+var CIDString = z.string().max(MAX_CID);
+var IdentityCreate = z.strictObject({
+  version: z.literal(1),
+  type: z.literal("create"),
+  authKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
+  assertKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
+  controllerKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
+  createdAt: Iso8601
+});
+var IdentityUpdate = z.strictObject({
+  version: z.literal(1),
+  type: z.literal("update"),
+  previousOperationCID: CIDString,
+  authKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
+  assertKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
+  controllerKeys: z.array(MultikeyPublicKey).min(1, "update must have at least one controller key").max(MAX_KEYS_PER_ROLE),
+  createdAt: Iso8601
+});
+var IdentityDelete = z.strictObject({
+  version: z.literal(1),
+  type: z.literal("delete"),
+  previousOperationCID: CIDString,
+  createdAt: Iso8601
+});
+var IdentityOperation = z.discriminatedUnion("type", [
+  IdentityCreate,
+  IdentityUpdate,
+  IdentityDelete
+]);
+var VerifiedIdentity = z.strictObject({
+  did: z.string(),
+  isDeleted: z.boolean(),
+  authKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
+  assertKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
+  controllerKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE)
+});
+var ContentCreate = z.strictObject({
+  version: z.literal(1),
+  type: z.literal("create"),
+  documentCID: CIDString,
+  createdAt: Iso8601,
+  note: z.string().max(MAX_NOTE).nullable()
+});
+var ContentUpdate = z.strictObject({
+  version: z.literal(1),
+  type: z.literal("update"),
+  previousOperationCID: CIDString,
+  documentCID: CIDString.nullable(),
+  createdAt: Iso8601,
+  note: z.string().max(MAX_NOTE).nullable()
+});
+var ContentDelete = z.strictObject({
+  version: z.literal(1),
+  type: z.literal("delete"),
+  previousOperationCID: CIDString,
+  createdAt: Iso8601,
+  note: z.string().max(MAX_NOTE).nullable()
+});
+var ContentOperation = z.discriminatedUnion("type", [
+  ContentCreate,
+  ContentUpdate,
+  ContentDelete
+]);
+
+// src/chain/multikey.ts
+import { base58btc } from "multiformats/bases/base58";
+var ED25519_PUB_PREFIX = new Uint8Array([237, 1]);
+var ED25519_PRIV_PREFIX = new Uint8Array([128, 38]);
+var ED25519_PUB_MULTICODEC = 237;
+var ED25519_PRIV_MULTICODEC = 4864;
+var encodeEd25519Multikey = (publicKeyBytes) => {
+  if (publicKeyBytes.length !== 32) {
+    throw new Error(`expected 32-byte Ed25519 public key, got ${publicKeyBytes.length}`);
+  }
+  const prefixed = new Uint8Array(ED25519_PUB_PREFIX.length + publicKeyBytes.length);
+  prefixed.set(ED25519_PUB_PREFIX);
+  prefixed.set(publicKeyBytes, ED25519_PUB_PREFIX.length);
+  return base58btc.encode(prefixed);
+};
+var decodeMultikey = (multibase) => {
+  const bytes = base58btc.decode(multibase);
+  if (bytes.length < 2) {
+    throw new Error("multikey too short");
+  }
+  if (bytes[0] === ED25519_PUB_PREFIX[0] && bytes[1] === ED25519_PUB_PREFIX[1]) {
+    const keyBytes = bytes.slice(2);
+    if (keyBytes.length !== 32) {
+      throw new Error(`expected 32-byte Ed25519 public key, got ${keyBytes.length}`);
+    }
+    return { keyBytes, codec: ED25519_PUB_MULTICODEC };
+  }
+  if (bytes[0] === ED25519_PRIV_PREFIX[0] && bytes[1] === ED25519_PRIV_PREFIX[1]) {
+    const keyBytes = bytes.slice(2);
+    if (keyBytes.length !== 32) {
+      throw new Error(`expected 32-byte Ed25519 private key, got ${keyBytes.length}`);
+    }
+    return { keyBytes, codec: ED25519_PRIV_MULTICODEC };
+  }
+  throw new Error(
+    `unsupported multikey codec: [0x${bytes[0]?.toString(16)}, 0x${bytes[1]?.toString(16)}]`
+  );
+};
+
+// src/chain/derivation.ts
+var deriveChainIdentifier = (cidBytes, prefix) => {
+  const id = generateIdNoPrefix({ seed: cidBytes });
+  return `${prefix}:${id}`;
+};
+var deriveEntityId = (cidBytes) => {
+  return generateIdNoPrefix({ seed: cidBytes });
+};
+
+// src/chain/identity-chain.ts
+var signIdentityOperation = async (input) => {
+  const kid = input.identityDID ? `${input.identityDID}#${input.keyId}` : input.keyId;
+  const encoded = await dagCborCanonicalEncode(input.operation);
+  const operationCID = encoded.cid.toString();
+  const jwsToken = await createJws({
+    header: { alg: "EdDSA", typ: "did:dfos:identity-op", kid, cid: operationCID },
+    payload: input.operation,
+    sign: input.signer
+  });
+  return { jwsToken, operationCID };
+};
+var verifyIdentityChain = async (input) => {
+  if (input.log.length === 0) throw new Error("log must have at least one operation");
+  const state = {
+    did: void 0,
+    isDeleted: false,
+    previousOperationCID: null,
+    lastCreatedAt: null,
+    authKeys: [],
+    assertKeys: [],
+    controllerKeys: [],
+    seenKeys: /* @__PURE__ */ new Map()
+  };
+  for (const [idx, jwsToken] of input.log.entries()) {
+    const decoded = decodeJwsUnsafe(jwsToken);
+    if (!decoded) throw new Error(`log[${idx}]: failed to decode JWS`);
+    const result = IdentityOperation.safeParse(decoded.payload);
+    if (!result.success) {
+      const messages = result.error.issues.map((e) => e.message).join(", ");
+      throw new Error(`log[${idx}]: ${messages}`);
+    }
+    const op = result.data;
+    if (state.isDeleted) throw new Error(`log[${idx}]: cannot modify a deleted identity`);
+    if (idx === 0 && op.type !== "create") {
+      throw new Error(`log[${idx}]: first operation must be create`);
+    }
+    if (idx > 0 && op.type === "create") {
+      throw new Error(`log[${idx}]: create can only be the first operation`);
+    }
+    if (op.type === "create") {
+      if (op.controllerKeys.length === 0) {
+        throw new Error(`log[${idx}]: create must have at least one controller key`);
+      }
+      state.authKeys = op.authKeys;
+      state.assertKeys = op.assertKeys;
+      state.controllerKeys = op.controllerKeys;
+    }
+    if (op.type === "update" || op.type === "delete") {
+      if (op.previousOperationCID !== state.previousOperationCID) {
+        throw new Error(`log[${idx}]: previousCID is incorrect`);
+      }
+      if (!state.lastCreatedAt) throw new Error(`log[${idx}]: lastCreatedAt is not set`);
+      if (op.createdAt <= state.lastCreatedAt) {
+        throw new Error(`log[${idx}]: createdAt must be after last op`);
+      }
+    }
+    if (op.type === "create" || op.type === "update") {
+      const incomingKeys = [...op.authKeys, ...op.assertKeys, ...op.controllerKeys];
+      const currentKeys = [...state.authKeys, ...state.assertKeys, ...state.controllerKeys];
+      for (const k of [...currentKeys, ...incomingKeys]) {
+        const existing = state.seenKeys.get(k.id);
+        if (!existing) {
+          state.seenKeys.set(k.id, k);
+        } else if (existing.publicKeyMultibase !== k.publicKeyMultibase || existing.type !== k.type) {
+          throw new Error(`log[${idx}]: key ${k.id} type or public key inconsistency`);
+        }
+      }
+      [op.authKeys, op.assertKeys, op.controllerKeys].forEach((keys) => {
+        const set = new Set(keys.map((k) => k.id));
+        if (set.size !== keys.length) {
+          throw new Error(`log[${idx}]: cannot repeat key ids in same usage`);
+        }
+      });
+    }
+    const encoded = await dagCborCanonicalEncode(op);
+    const operationCID = encoded.cid.toString();
+    if (!decoded.header.cid) {
+      throw new Error(`log[${idx}]: missing cid in protected header`);
+    }
+    if (decoded.header.cid !== operationCID) {
+      throw new Error(`log[${idx}]: cid mismatch in protected header`);
+    }
+    const kid = decoded.header.kid;
+    let signingKeyId;
+    if (kid.includes("#")) {
+      const hashIdx = kid.indexOf("#");
+      signingKeyId = kid.substring(hashIdx + 1);
+      if (idx === 0) {
+        throw new Error(`log[${idx}]: genesis op kid must be bare key ID, got DID URL`);
+      }
+    } else {
+      signingKeyId = kid;
+      if (idx > 0) {
+        throw new Error(`log[${idx}]: non-genesis op kid must be DID URL, got bare key ID`);
+      }
+    }
+    const signingKey = state.controllerKeys.find((k) => k.id === signingKeyId);
+    if (!signingKey) {
+      throw new Error(`log[${idx}]: kid references unknown key: ${signingKeyId}`);
+    }
+    const { keyBytes } = decodeMultikey(signingKey.publicKeyMultibase);
+    try {
+      verifyJws({ token: jwsToken, publicKey: keyBytes });
+    } catch {
+      throw new Error(`log[${idx}]: invalid signature`);
+    }
+    if (state.did === void 0) {
+      state.did = deriveChainIdentifier(encoded.cid.bytes, input.didPrefix);
+    }
+    if (idx > 0 && kid.includes("#")) {
+      const didFromKid = kid.substring(0, kid.indexOf("#"));
+      if (didFromKid !== state.did) {
+        throw new Error(`log[${idx}]: kid DID does not match identity DID`);
+      }
+    }
+    state.previousOperationCID = operationCID;
+    state.lastCreatedAt = op.createdAt;
+    switch (op.type) {
+      case "create":
+        break;
+      case "update":
+        if (op.controllerKeys.length === 0) {
+          throw new Error(`log[${idx}]: update must have at least one controller key`);
+        }
+        state.authKeys = op.authKeys;
+        state.assertKeys = op.assertKeys;
+        state.controllerKeys = op.controllerKeys;
+        break;
+      case "delete":
+        state.isDeleted = true;
+        break;
+    }
+  }
+  if (!state.did) throw new Error("did is not set");
+  return {
+    did: state.did,
+    isDeleted: state.isDeleted,
+    authKeys: state.authKeys,
+    assertKeys: state.assertKeys,
+    controllerKeys: state.controllerKeys
+  };
+};
+
+// src/chain/content-chain.ts
+var signContentOperation = async (input) => {
+  const encoded = await dagCborCanonicalEncode(input.operation);
+  const operationCID = encoded.cid.toString();
+  const jwsToken = await createJws({
+    header: { alg: "EdDSA", typ: "did:dfos:content-op", kid: input.kid, cid: operationCID },
+    payload: input.operation,
+    sign: input.signer
+  });
+  return { jwsToken, operationCID };
+};
+var verifyContentChain = async (input) => {
+  if (input.log.length === 0) throw new Error("log must have at least one operation");
+  const state = {
+    entityId: null,
+    genesisCID: null,
+    headCID: null,
+    isDeleted: false,
+    currentDocumentCID: null,
+    previousCID: null,
+    lastCreatedAt: null
+  };
+  for (const [idx, jwsToken] of input.log.entries()) {
+    const decoded = decodeJwsUnsafe(jwsToken);
+    if (!decoded) throw new Error(`log[${idx}]: failed to decode JWS`);
+    const result = ContentOperation.safeParse(decoded.payload);
+    if (!result.success) {
+      const messages = result.error.issues.map((e) => e.message).join(", ");
+      throw new Error(`log[${idx}]: ${messages}`);
+    }
+    const op = result.data;
+    if (state.isDeleted) throw new Error(`log[${idx}]: cannot extend a deleted chain`);
+    if (idx === 0 && op.type !== "create") {
+      throw new Error(`log[${idx}]: first operation must be create`);
+    }
+    if (idx > 0 && op.type === "create") {
+      throw new Error(`log[${idx}]: create can only be the first operation`);
+    }
+    if (op.type === "update" || op.type === "delete") {
+      if (op.previousOperationCID !== state.previousCID) {
+        throw new Error(`log[${idx}]: previousOperationCID is incorrect`);
+      }
+      if (!state.lastCreatedAt) throw new Error(`log[${idx}]: lastCreatedAt is not set`);
+      if (op.createdAt <= state.lastCreatedAt) {
+        throw new Error(`log[${idx}]: createdAt must be after last op`);
+      }
+    }
+    const kid = decoded.header.kid;
+    const publicKey = await input.resolveKey(kid);
+    try {
+      verifyJws({ token: jwsToken, publicKey });
+    } catch {
+      throw new Error(`log[${idx}]: invalid signature`);
+    }
+    const encoded = await dagCborCanonicalEncode(op);
+    const operationCID = encoded.cid.toString();
+    if (!decoded.header.cid) {
+      throw new Error(`log[${idx}]: missing cid in protected header`);
+    }
+    if (decoded.header.cid !== operationCID) {
+      throw new Error(`log[${idx}]: cid mismatch in protected header`);
+    }
+    if (idx === 0) {
+      state.genesisCID = operationCID;
+      state.entityId = deriveEntityId(encoded.cid.bytes);
+    }
+    state.headCID = operationCID;
+    state.previousCID = operationCID;
+    state.lastCreatedAt = op.createdAt;
+    switch (op.type) {
+      case "create":
+        state.currentDocumentCID = op.documentCID;
+        break;
+      case "update":
+        state.currentDocumentCID = op.documentCID;
+        break;
+      case "delete":
+        state.isDeleted = true;
+        state.currentDocumentCID = null;
+        break;
+    }
+  }
+  return {
+    entityId: state.entityId,
+    genesisCID: state.genesisCID,
+    headCID: state.headCID,
+    isDeleted: state.isDeleted,
+    currentDocumentCID: state.currentDocumentCID,
+    length: input.log.length
+  };
+};
+
+export {
+  MultikeyPublicKey,
+  IdentityOperation,
+  VerifiedIdentity,
+  ContentOperation,
+  ED25519_PUB_MULTICODEC,
+  ED25519_PRIV_MULTICODEC,
+  encodeEd25519Multikey,
+  decodeMultikey,
+  deriveChainIdentifier,
+  deriveEntityId,
+  signIdentityOperation,
+  verifyIdentityChain,
+  signContentOperation,
+  verifyContentChain
+};

package/dist/chunk-ZXXP5W5N.js

@@ -0,0 +1,251 @@
+// src/crypto/base64url.ts
+var base64urlEncode = (data) => {
+  const bytes = typeof data === "string" ? new TextEncoder().encode(data) : data;
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  const base64 = btoa(binary);
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+};
+var base64urlDecode = (str) => {
+  let padded = str.replace(/-/g, "+").replace(/_/g, "/");
+  while (padded.length % 4) padded += "=";
+  const binary = atob(padded);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) {
+    bytes[i] = binary.charCodeAt(i);
+  }
+  return bytes;
+};
+
+// src/crypto/ed25519.ts
+import { ed25519 } from "@noble/curves/ed25519.js";
+var createNewEd25519Keypair = () => {
+  const privateKey = ed25519.utils.randomSecretKey();
+  const publicKey = ed25519.getPublicKey(privateKey);
+  return { privateKey, publicKey };
+};
+var importEd25519Keypair = (privateKey) => {
+  const publicKey = ed25519.getPublicKey(privateKey);
+  return { privateKey, publicKey };
+};
+var signPayloadEd25519 = (payload, privateKey) => {
+  return ed25519.sign(payload, privateKey);
+};
+var isValidEd25519Signature = (payload, signature, publicKey) => {
+  return ed25519.verify(signature, payload, publicKey);
+};
+
+// src/crypto/id.ts
+import { sha256 as sha256Hash } from "@noble/hashes/sha2.js";
+var alphabet = "2346789acdefhknrtvz";
+var idLength = 22;
+var getRandomBytes = (length) => {
+  const bytes = new Uint8Array(length);
+  globalThis.crypto.getRandomValues(bytes);
+  return bytes;
+};
+var generateIdNoPrefix = (options) => {
+  const hash = sha256Hash(options?.seed ?? getRandomBytes(32));
+  let encoded = "";
+  for (let i = 0; i < idLength; i++) {
+    const byte = hash[i];
+    if (byte === void 0) throw new Error("hash is too short");
+    encoded += alphabet.charAt(byte % alphabet.length);
+  }
+  return encoded;
+};
+var generateId = (prefix, options) => {
+  const encoded = generateIdNoPrefix(options);
+  return `${prefix}_${encoded}`;
+};
+var isValidId = (prefix, id) => {
+  const expectedLength = prefix.length + 1 + idLength;
+  return id.startsWith(`${prefix}_`) && id.length === expectedLength;
+};
+var normalizedId = (prefix, id) => {
+  const prefixLowered = prefix.toLowerCase();
+  const idLowered = id.toLowerCase();
+  if (idLowered.startsWith(`${prefixLowered}_`)) {
+    return idLowered;
+  } else if (idLowered.includes("_")) {
+    throw new Error(`unexpected id prefix for ${id}`);
+  }
+  return `${prefixLowered}_${idLowered}`;
+};
+
+// src/crypto/jws.ts
+var createJws = async (options) => {
+  const headerB64 = base64urlEncode(JSON.stringify(options.header));
+  const payloadB64 = base64urlEncode(JSON.stringify(options.payload));
+  const signingInput = `${headerB64}.${payloadB64}`;
+  const signingInputBytes = new TextEncoder().encode(signingInput);
+  const signatureBytes = await options.sign(signingInputBytes);
+  const signatureB64 = base64urlEncode(signatureBytes);
+  return `${signingInput}.${signatureB64}`;
+};
+var verifyJws = (options) => {
+  const parts = options.token.split(".");
+  if (parts.length !== 3) {
+    throw new JwsVerificationError("Invalid token format");
+  }
+  const [headerB64, payloadB64, signatureB64] = parts;
+  let header;
+  let payload;
+  try {
+    header = JSON.parse(new TextDecoder().decode(base64urlDecode(headerB64)));
+    payload = JSON.parse(new TextDecoder().decode(base64urlDecode(payloadB64)));
+  } catch {
+    throw new JwsVerificationError("Failed to decode token");
+  }
+  if (header.alg !== "EdDSA") {
+    throw new JwsVerificationError(`Unsupported algorithm: ${header.alg}`);
+  }
+  const signingInput = `${headerB64}.${payloadB64}`;
+  const signingInputBytes = new TextEncoder().encode(signingInput);
+  const signatureBytes = base64urlDecode(signatureB64);
+  const isValid = isValidEd25519Signature(signingInputBytes, signatureBytes, options.publicKey);
+  if (!isValid) {
+    throw new JwsVerificationError("Invalid signature");
+  }
+  return { header, payload };
+};
+var decodeJwsUnsafe = (token) => {
+  const parts = token.split(".");
+  if (parts.length !== 3) return null;
+  try {
+    const [headerB64, payloadB64] = parts;
+    const header = JSON.parse(new TextDecoder().decode(base64urlDecode(headerB64)));
+    const payload = JSON.parse(new TextDecoder().decode(base64urlDecode(payloadB64)));
+    return { header, payload };
+  } catch {
+    return null;
+  }
+};
+var JwsVerificationError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "JwsVerificationError";
+  }
+};
+
+// src/crypto/jwt.ts
+var createJwt = async (options) => {
+  const headerJson = JSON.stringify(options.header);
+  const payloadJson = JSON.stringify(options.payload);
+  const headerB64 = base64urlEncode(headerJson);
+  const payloadB64 = base64urlEncode(payloadJson);
+  const signingInput = `${headerB64}.${payloadB64}`;
+  const signingInputBytes = new TextEncoder().encode(signingInput);
+  const signatureBytes = await options.sign(signingInputBytes);
+  const signatureB64 = base64urlEncode(signatureBytes);
+  return `${signingInput}.${signatureB64}`;
+};
+var decodeJwtUnsafe = (token) => {
+  const parts = token.split(".");
+  if (parts.length !== 3) return null;
+  try {
+    const [headerB64, payloadB64] = parts;
+    const headerJson = new TextDecoder().decode(base64urlDecode(headerB64));
+    const payloadJson = new TextDecoder().decode(base64urlDecode(payloadB64));
+    const header = JSON.parse(headerJson);
+    const payload = JSON.parse(payloadJson);
+    return { header, payload };
+  } catch {
+    return null;
+  }
+};
+var verifyJwt = (options) => {
+  const parts = options.token.split(".");
+  if (parts.length !== 3) {
+    throw new JwtVerificationError("Invalid token format");
+  }
+  const [headerB64, payloadB64, signatureB64] = parts;
+  let header;
+  let payload;
+  try {
+    const headerJson = new TextDecoder().decode(base64urlDecode(headerB64));
+    const payloadJson = new TextDecoder().decode(base64urlDecode(payloadB64));
+    header = JSON.parse(headerJson);
+    payload = JSON.parse(payloadJson);
+  } catch {
+    throw new JwtVerificationError("Failed to decode token");
+  }
+  const signingInput = `${headerB64}.${payloadB64}`;
+  const signingInputBytes = new TextEncoder().encode(signingInput);
+  const signatureBytes = base64urlDecode(signatureB64);
+  if (header.alg !== "EdDSA") {
+    throw new JwtVerificationError(`Unsupported algorithm: ${header.alg}`);
+  }
+  const isValid = isValidEd25519Signature(signingInputBytes, signatureBytes, options.publicKey);
+  if (!isValid) throw new JwtVerificationError("Invalid signature");
+  const currentTime = options.currentTime ?? Math.floor(Date.now() / 1e3);
+  if (payload.exp <= currentTime) {
+    throw new JwtVerificationError("Token expired");
+  }
+  if (options.issuer !== void 0 && payload.iss !== options.issuer) {
+    throw new JwtVerificationError(
+      `Invalid issuer: expected ${options.issuer}, got ${payload.iss}`
+    );
+  }
+  if (options.audience !== void 0 && payload.aud !== options.audience) {
+    throw new JwtVerificationError(
+      `Invalid audience: expected ${options.audience}, got ${payload.aud}`
+    );
+  }
+  return { header, payload };
+};
+var JwtVerificationError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "JwtVerificationError";
+  }
+};
+
+// src/crypto/multiformats.ts
+import * as dagCborCodec from "@ipld/dag-cbor";
+import * as Block from "multiformats/block";
+import { CID } from "multiformats/cid";
+import { sha256 } from "multiformats/hashes/sha2";
+var dagCborCanonicalEncode = async (value) => {
+  return await Block.encode({
+    // removes any undefineds or other non-serializable values, kinda whack but
+    // it works for now
+    value: JSON.parse(JSON.stringify(value)),
+    codec: dagCborCodec,
+    hasher: sha256
+  });
+};
+var parseDagCborCID = (cid) => {
+  return CID.parse(cid);
+};
+var isCanonicallyEqual = async (data1, data2) => {
+  const block1 = await dagCborCanonicalEncode(data1);
+  const block2 = await dagCborCanonicalEncode(data2);
+  return block1.cid.toString() === block2.cid.toString();
+};
+
+export {
+  base64urlEncode,
+  base64urlDecode,
+  createNewEd25519Keypair,
+  importEd25519Keypair,
+  signPayloadEd25519,
+  isValidEd25519Signature,
+  generateIdNoPrefix,
+  generateId,
+  isValidId,
+  normalizedId,
+  createJws,
+  verifyJws,
+  decodeJwsUnsafe,
+  JwsVerificationError,
+  createJwt,
+  decodeJwtUnsafe,
+  verifyJwt,
+  JwtVerificationError,
+  dagCborCanonicalEncode,
+  parseDagCborCID,
+  isCanonicallyEqual
+};