@metalabel/dfos-protocol 0.0.3 → 0.1.0

package/dist/merkle/index.d.ts

@@ -0,0 +1,45 @@
+declare const hexToBytes: (hex: string) => Uint8Array;
+/**
+ * Hash a leaf node — SHA-256 of UTF-8 encoded contentId
+ */
+declare const hashLeaf: (contentId: string) => Promise<Uint8Array>;
+/**
+ * Build a sorted binary Merkle tree over content identifiers
+ *
+ * ContentIds are sorted lexicographically, hashed to leaves, then paired
+ * and hashed up to the root. Odd nodes are promoted to the next level.
+ *
+ * Returns null root for empty input. Deduplicates contentIds.
+ */
+declare const buildMerkleTree: (contentIds: string[]) => Promise<{
+    root: string | null;
+    leafCount: number;
+}>;
+
+interface MerkleProof {
+    /** The contentId being proven */
+    contentId: string;
+    /** Hex SHA-256 root of the tree */
+    root: string;
+    /** Sibling hashes along the path from leaf to root */
+    path: Array<{
+        /** Hex SHA-256 of sibling node */
+        hash: string;
+        /** Position of the sibling relative to the current node */
+        position: 'left' | 'right';
+    }>;
+}
+/**
+ * Generate an inclusion proof for a contentId in the set
+ *
+ * Returns null if the contentId is not in the set.
+ */
+declare const generateMerkleProof: (contentIds: string[], targetId: string) => Promise<MerkleProof | null>;
+/**
+ * Verify a Merkle inclusion proof
+ *
+ * Recomputes the root from the leaf and proof path, compares to the claimed root.
+ */
+declare const verifyMerkleProof: (proof: MerkleProof) => Promise<boolean>;
+
+export { type MerkleProof, buildMerkleTree, generateMerkleProof, hashLeaf, hexToBytes, verifyMerkleProof };

package/dist/merkle/index.js

@@ -0,0 +1,14 @@
+import {
+  buildMerkleTree,
+  generateMerkleProof,
+  hashLeaf,
+  hexToBytes,
+  verifyMerkleProof
+} from "../chunk-E5CFQG2B.js";
+export {
+  buildMerkleTree,
+  generateMerkleProof,
+  hashLeaf,
+  hexToBytes,
+  verifyMerkleProof
+};

package/examples/content-delete.json

@@ -2,8 +2,8 @@
   "description": "Content chain: create + delete",
   "type": "content",
   "chain": [
-    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNvbnRlbnQtb3AiLCJraWQiOiJkaWQ6ZGZvczplM3Z2dGNrNDJkNGVhY2RuenZ0cm42I2tleV9lejlhODc0dGNrcjNkdjkzM2QzY2tkIiwiY2lkIjoiYmFmeXJlaWE1ejd6eGtuYWU1ZHM3MmV1aWh1ZjJyZzNpeGw2dDRmYnpqZWZoY29nZzNucXBweW9ncXUifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiY3JlYXRlIiwiZG9jdW1lbnRDSUQiOiJiYWZ5cmVpZnB2d3Vhcm1sNjJzZm9nZHBpMnZsbHR2ZzJldjZvNHh0dzc0emZ1ZDdjcGtnNzQyNnpuZSIsImNyZWF0ZWRBdCI6IjIwMjYtMDMtMDdUMDA6MDI6MDAuMDAwWiIsIm5vdGUiOm51bGx9.t_DDkJ_TmNekIGUFO22G-W78QoE4XTg9LKQ4gzAQHaK3B6491Tir9b-wtp-hcwmENu2Hqnieqv5ASiqfFrEbDw",
-    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNvbnRlbnQtb3AiLCJraWQiOiJkaWQ6ZGZvczplM3Z2dGNrNDJkNGVhY2RuenZ0cm42I2tleV9lejlhODc0dGNrcjNkdjkzM2QzY2tkIiwiY2lkIjoiYmFmeXJlaWVwamFzN3JzdHV5aWI0eDY0NHYyeXJxN3c3MmV0dG5xcWozbzdhcmRhcWN1NnVzZml6b3kifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiZGVsZXRlIiwicHJldmlvdXNPcGVyYXRpb25DSUQiOiJiYWZ5cmVpYTV6N3p4a25hZTVkczcyZXVpaHVmMnJnM2l4bDZ0NGZiemplZmhjb2dnM25xcHB5b2dxdSIsImNyZWF0ZWRBdCI6IjIwMjYtMDMtMDdUMDA6MDM6MDAuMDAwWiIsIm5vdGUiOiJyZW1vdmluZyBjb250ZW50In0.VkfUjFIz40nBOMzCTtoO1nhExzQHB4QX9PIOe2MmDwC-nilMStTwdiRcxRskPRg0gw8eM5Mz9hNQ8dZfCJ9JAg"
+    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNvbnRlbnQtb3AiLCJraWQiOiJkaWQ6ZGZvczplM3Z2dGNrNDJkNGVhY2RuenZ0cm42I2tleV9lejlhODc0dGNrcjNkdjkzM2QzY2tkIiwiY2lkIjoiYmFmeXJlaWFlZGhqcTY0YWFqcHdvY2lhaGw1dzM3ajZ1b3hyNW1vam9xNWRuYWg2ZnB2eHI1ZDRseHUifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiY3JlYXRlIiwiZGlkIjoiZGlkOmRmb3M6ZTN2dnRjazQyZDRlYWNkbnp2dHJuNiIsImRvY3VtZW50Q0lEIjoiYmFmeXJlaWh6d3VvdXBmZzNkeGlwNnhtZ3pteHN5d3lpaTJqZW94eHpiZ3gzenhtMmluN2tub2kzZzQiLCJiYXNlRG9jdW1lbnRDSUQiOm51bGwsImNyZWF0ZWRBdCI6IjIwMjYtMDMtMDdUMDA6MDI6MDAuMDAwWiIsIm5vdGUiOm51bGx9.Rv6vlz5MfrwqDUrSVIGs4ZfeBbkQUSBcXhxwZ6hfudSr5MxhYl08hTqLDOA0W1NMjN0Hs0IW9jXTwLwP1dMDBg",
+    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNvbnRlbnQtb3AiLCJraWQiOiJkaWQ6ZGZvczplM3Z2dGNrNDJkNGVhY2RuenZ0cm42I2tleV9lejlhODc0dGNrcjNkdjkzM2QzY2tkIiwiY2lkIjoiYmFmeXJlaWQydjUyN2lxMzZ2dnUyNWc3b3BjczJudjRjbmRhcWdrd29naHEzdHB3Z215cnBxZWVuZ2EifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiZGVsZXRlIiwiZGlkIjoiZGlkOmRmb3M6ZTN2dnRjazQyZDRlYWNkbnp2dHJuNiIsInByZXZpb3VzT3BlcmF0aW9uQ0lEIjoiYmFmeXJlaWFlZGhqcTY0YWFqcHdvY2lhaGw1dzM3ajZ1b3hyNW1vam9xNWRuYWg2ZnB2eHI1ZDRseHUiLCJjcmVhdGVkQXQiOiIyMDI2LTAzLTA3VDAwOjAzOjAwLjAwMFoiLCJub3RlIjoicmVtb3ZpbmcgY29udGVudCJ9.9DTnVeYjVV6Kc971etvWeNn9iMme7RnrRZRmYBO0iaYeePJDblL_p2uuEIuxtAQQp1bATpsQ475zpK6N2A0eAg"
   ],
   "signerPublicKey": "z6MkfUd65JrAhfdgFuMCccU9ThQvjB2fJAMUHkuuajF992gK",
   "documents": [
@@ -12,7 +12,8 @@
         "$schema": "https://schemas.dfos.com/post/v1",
         "format": "short-post",
         "title": "Hello World",
-        "body": "First post on the protocol."
+        "body": "First post on the protocol.",
+        "createdByDID": "did:dfos:e3vvtck42d4eacdnzvtrn6"
       },
       "baseDocumentCID": null,
       "createdByDID": "did:dfos:e3vvtck42d4eacdnzvtrn6",
@@ -20,7 +21,7 @@
     }
   ],
   "expected": {
-    "contentId": "67t27rzc83v7c22n9t6z7c",
+    "contentId": "a82z92a3hndk6c97thcrn8",
     "isDeleted": true,
     "currentDocumentCID": null,
     "length": 2

package/examples/content-lifecycle.json

@@ -2,8 +2,8 @@
   "description": "Content chain: create + update (with both documents)",
   "type": "content",
   "chain": [
-    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNvbnRlbnQtb3AiLCJraWQiOiJkaWQ6ZGZvczplM3Z2dGNrNDJkNGVhY2RuenZ0cm42I2tleV9lejlhODc0dGNrcjNkdjkzM2QzY2tkIiwiY2lkIjoiYmFmeXJlaWE1ejd6eGtuYWU1ZHM3MmV1aWh1ZjJyZzNpeGw2dDRmYnpqZWZoY29nZzNucXBweW9ncXUifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiY3JlYXRlIiwiZG9jdW1lbnRDSUQiOiJiYWZ5cmVpZnB2d3Vhcm1sNjJzZm9nZHBpMnZsbHR2ZzJldjZvNHh0dzc0emZ1ZDdjcGtnNzQyNnpuZSIsImNyZWF0ZWRBdCI6IjIwMjYtMDMtMDdUMDA6MDI6MDAuMDAwWiIsIm5vdGUiOm51bGx9.t_DDkJ_TmNekIGUFO22G-W78QoE4XTg9LKQ4gzAQHaK3B6491Tir9b-wtp-hcwmENu2Hqnieqv5ASiqfFrEbDw",
-    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNvbnRlbnQtb3AiLCJraWQiOiJkaWQ6ZGZvczplM3Z2dGNrNDJkNGVhY2RuenZ0cm42I2tleV9lejlhODc0dGNrcjNkdjkzM2QzY2tkIiwiY2lkIjoiYmFmeXJlaWJiNGxzdnFtejRqNzZyc3Zoa3F3M3YyYjR2cDIzdDdkaW1tNnZsNWc1d2xuaW52a2VteHEifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoidXBkYXRlIiwicHJldmlvdXNPcGVyYXRpb25DSUQiOiJiYWZ5cmVpYTV6N3p4a25hZTVkczcyZXVpaHVmMnJnM2l4bDZ0NGZiemplZmhjb2dnM25xcHB5b2dxdSIsImRvY3VtZW50Q0lEIjoiYmFmeXJlaWV1bzI2emZtanh3cG13NWprNmJxenFodml2eGNiY2tneHR5ZXVjN3lwZjNwNHNpaGdxNHEiLCJjcmVhdGVkQXQiOiIyMDI2LTAzLTA3VDAwOjAzOjAwLjAwMFoiLCJub3RlIjoiZWRpdGVkIHRpdGxlIGFuZCBib2R5In0.v2BnXflq3lAiDqCpCuAoXUURY1scOGb9AMHHfCMxj1bD0GJOgdV_klv7KfqDLlSfF3Sn6CK1RDeLniF_UTKXAQ"
+    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNvbnRlbnQtb3AiLCJraWQiOiJkaWQ6ZGZvczplM3Z2dGNrNDJkNGVhY2RuenZ0cm42I2tleV9lejlhODc0dGNrcjNkdjkzM2QzY2tkIiwiY2lkIjoiYmFmeXJlaWFlZGhqcTY0YWFqcHdvY2lhaGw1dzM3ajZ1b3hyNW1vam9xNWRuYWg2ZnB2eHI1ZDRseHUifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiY3JlYXRlIiwiZGlkIjoiZGlkOmRmb3M6ZTN2dnRjazQyZDRlYWNkbnp2dHJuNiIsImRvY3VtZW50Q0lEIjoiYmFmeXJlaWh6d3VvdXBmZzNkeGlwNnhtZ3pteHN5d3lpaTJqZW94eHpiZ3gzenhtMmluN2tub2kzZzQiLCJiYXNlRG9jdW1lbnRDSUQiOm51bGwsImNyZWF0ZWRBdCI6IjIwMjYtMDMtMDdUMDA6MDI6MDAuMDAwWiIsIm5vdGUiOm51bGx9.Rv6vlz5MfrwqDUrSVIGs4ZfeBbkQUSBcXhxwZ6hfudSr5MxhYl08hTqLDOA0W1NMjN0Hs0IW9jXTwLwP1dMDBg",
+    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNvbnRlbnQtb3AiLCJraWQiOiJkaWQ6ZGZvczplM3Z2dGNrNDJkNGVhY2RuenZ0cm42I2tleV9lejlhODc0dGNrcjNkdjkzM2QzY2tkIiwiY2lkIjoiYmFmeXJlaWg2ZTVjYmppdHBvemh6aGdtZmt0bWlvaG14eW4zdWN3aHFkM21qaXhpenZ3bWxodjdobTQifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoidXBkYXRlIiwiZGlkIjoiZGlkOmRmb3M6ZTN2dnRjazQyZDRlYWNkbnp2dHJuNiIsInByZXZpb3VzT3BlcmF0aW9uQ0lEIjoiYmFmeXJlaWFlZGhqcTY0YWFqcHdvY2lhaGw1dzM3ajZ1b3hyNW1vam9xNWRuYWg2ZnB2eHI1ZDRseHUiLCJkb2N1bWVudENJRCI6ImJhZnlyZWlkaDdlMzZjdnd5M3V3NXlwaXRjcWs3dW9rdGJra2tqN2U2aHhoa3k0bzc1cnhuN2t4aWx1IiwiYmFzZURvY3VtZW50Q0lEIjoiYmFmeXJlaWh6d3VvdXBmZzNkeGlwNnhtZ3pteHN5d3lpaTJqZW94eHpiZ3gzenhtMmluN2tub2kzZzQiLCJjcmVhdGVkQXQiOiIyMDI2LTAzLTA3VDAwOjAzOjAwLjAwMFoiLCJub3RlIjoiZWRpdGVkIHRpdGxlIGFuZCBib2R5In0.46H3WBKigCzUrIOvS2ekYJFdK1OeLhqvcZTj8FBqFNKO1ivs3oC0ui_hzTKkKO-8uevMjf9-k0GOjyw2u16PDA"
   ],
   "signerPublicKey": "z6MkfUd65JrAhfdgFuMCccU9ThQvjB2fJAMUHkuuajF992gK",
   "documents": [
@@ -12,7 +12,8 @@
         "$schema": "https://schemas.dfos.com/post/v1",
         "format": "short-post",
         "title": "Hello World",
-        "body": "First post on the protocol."
+        "body": "First post on the protocol.",
+        "createdByDID": "did:dfos:e3vvtck42d4eacdnzvtrn6"
       },
       "baseDocumentCID": null,
       "createdByDID": "did:dfos:e3vvtck42d4eacdnzvtrn6",
@@ -23,17 +24,18 @@
         "$schema": "https://schemas.dfos.com/post/v1",
         "format": "short-post",
         "title": "Hello World (edited)",
-        "body": "Updated content."
+        "body": "Updated content.",
+        "createdByDID": "did:dfos:e3vvtck42d4eacdnzvtrn6"
       },
-      "baseDocumentCID": "bafyreifpvwuarml62sfogdpi2vlltvg2ev6o4xtw74zfud7cpkg7426zne",
+      "baseDocumentCID": "bafyreihzwuoupfg3dxip6xmgzmxsywyii2jeoxxzbgx3zxm2in7knoi3g4",
       "createdByDID": "did:dfos:e3vvtck42d4eacdnzvtrn6",
       "createdAt": "2026-03-07T00:03:00.000Z"
     }
   ],
   "expected": {
-    "contentId": "67t27rzc83v7c22n9t6z7c",
+    "contentId": "a82z92a3hndk6c97thcrn8",
     "isDeleted": false,
-    "currentDocumentCID": "bafyreieuo26zfmjxwpmw5jk6bqzqhvivxcbckgxtyeuc7ypf3p4sihgq4q",
+    "currentDocumentCID": "bafyreidh7e36cvwy3uw5ypitcqk7uoktbkkkj7e6hxhky4o75rxn7kxilu",
     "length": 2
   }
 }

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "@metalabel/dfos-protocol",
-  "version": "0.0.3",
+  "version": "0.1.0",
   "type": "module",
-  "description": "DFOS Protocol — Ed25519 signed chain primitives, registry, and verification",
+  "description": "DFOS Protocol — Ed25519 signed chain primitives, beacons, merkle trees, and verification",
   "license": "MIT",
   "author": "Metalabel <hello@metalabel.com> (https://metalabel.com)",
   "repository": {
@@ -37,9 +37,9 @@
       "import": "./dist/chain/index.js",
       "types": "./dist/chain/index.d.ts"
     },
-    "./registry": {
-      "import": "./dist/registry/index.js",
-      "types": "./dist/registry/index.d.ts"
+    "./merkle": {
+      "import": "./dist/merkle/index.js",
+      "types": "./dist/merkle/index.d.ts"
     }
   },
   "files": [
@@ -49,8 +49,6 @@
     "PROTOCOL.md",
     "DID-METHOD.md",
     "CONTENT-MODEL.md",
-    "REGISTRY-API.md",
-    "openapi.yaml",
     "LICENSE",
     "README.md"
   ],
@@ -58,7 +56,6 @@
     "@ipld/dag-cbor": "^9.2.5",
     "@noble/curves": "^2.0.1",
     "@noble/hashes": "^2.0.1",
-    "hono": "^4.12.3",
     "multiformats": "^13.4.2",
     "zod": "^4.3.6"
   },
@@ -75,6 +72,6 @@
     "clean": "rm -rf dist",
     "typecheck": "tsc --noEmit",
     "test": "vitest run",
-    "generate-examples": "vitest run --config vitest.scripts.config.ts"
+    "generate-examples": "tsx scripts/generate-examples.ts"
   }
 }

package/schemas/manifest.v1.json

@@ -0,0 +1,29 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.dfos.com/manifest/v1",
+  "title": "Manifest",
+  "description": "A manifest — a named map of protocol object references for semantic navigation. Keys are path-like labels. Values are protocol references: content chain identifiers (22-char bare hash), DIDs (did:dfos:...), or CIDs (bafyrei...). The document layer of the dark forest. Discovery is social or out-of-band.",
+  "type": "object",
+  "required": ["$schema", "entries"],
+  "properties": {
+    "$schema": {
+      "const": "https://schemas.dfos.com/manifest/v1"
+    },
+    "entries": {
+      "type": "object",
+      "propertyNames": {
+        "pattern": "^[a-z0-9][a-z0-9._/-]*[a-z0-9]$",
+        "minLength": 2,
+        "maxLength": 128
+      },
+      "additionalProperties": {
+        "type": "string",
+        "pattern": "^[a-z0-9][a-z0-9:._/-]*$",
+        "minLength": 1,
+        "maxLength": 512
+      },
+      "description": "Named entries mapping path-like keys to protocol object references (contentId, DID, or CID)."
+    }
+  },
+  "additionalProperties": false
+}

package/schemas/post.v1.json

@@ -35,6 +35,11 @@
       "type": "array",
       "items": { "type": "string" },
       "description": "Topic names this post belongs to. Stored as names for portability."
+    },
+    "createdByDID": {
+      "type": "string",
+      "pattern": "^did:",
+      "description": "DID of the identity that authored this content. Optional — omit when the signer IS the author."
     }
   },
   "additionalProperties": false,

package/schemas/profile.v1.json

@@ -28,6 +28,11 @@
     "background": {
       "$ref": "#/$defs/media",
       "description": "Background image."
+    },
+    "createdByDID": {
+      "type": "string",
+      "pattern": "^did:",
+      "description": "DID of the identity that authored this content. Optional — omit when the signer IS the author."
     }
   },
   "additionalProperties": false,

package/REGISTRY-API.md

@@ -1,242 +0,0 @@
-# DFOS Registry API
-
-Minimal HTTP API for chain storage, retrieval, and resolution. Any server implementing these endpoints with these semantics is a compatible DFOS registry.
-
-The protocol is transport-agnostic — chains can be exchanged through any mechanism. This API defines one standard transport binding: a REST interface for submitting chains, resolving identities and content, and retrieving operations and documents.
-
-[Protocol Specification](https://protocol.dfos.com/spec) · [OpenAPI Spec](https://github.com/metalabel/dfos/blob/main/packages/dfos-protocol/openapi.yaml) · [Reference Implementation](https://github.com/metalabel/dfos/blob/main/packages/dfos-protocol/src/registry/server.ts)
-
----
-
-## Overview
-
-The registry stores verified chains and serves resolved state. It enforces **linear chain integrity** — it accepts chains that are the same length or longer than what's stored, and rejects forks (two different operations at the same chain position).
-
-Six endpoints, two concerns:
-
-| Concern             | Endpoints                                       |
-| ------------------- | ----------------------------------------------- |
-| **Identity chains** | Submit chain, resolve identity, list operations |
-| **Content chains**  | Submit chain, resolve content, list operations  |
-| **Lookup**          | Resolve operation by CID                        |
-
-All request and response bodies are JSON (`application/json`).
-
----
-
-## Identity Endpoints
-
-### `POST /identities` — Submit or extend an identity chain
-
-Submit an ordered array of JWS tokens (genesis-first). The registry verifies the chain, derives the DID from the genesis CID, and stores it.
-
-**Request:**
-
-```json
-{
-  "chain": ["eyJhbGciOiJFZERTQSI...", "eyJhbGciOiJFZERTQSI..."]
-}
-```
-
-| Field   | Type     | Description                                                |
-| ------- | -------- | ---------------------------------------------------------- |
-| `chain` | string[] | Ordered JWS compact tokens, genesis-first. Minimum 1 item. |
-
-**Responses:**
-
-| Status | Meaning                                                    |
-| ------ | ---------------------------------------------------------- |
-| `201`  | Chain accepted (new or extended) — returns `IdentityState` |
-| `200`  | Chain already stored, no change — returns `IdentityState`  |
-| `400`  | Invalid chain (verification failed)                        |
-| `409`  | Fork conflict with stored chain                            |
-
----
-
-### `GET /identities/{did}` — Resolve current identity state
-
-Returns the current key state for a DID.
-
-**Parameters:**
-
-| Name  | In   | Pattern                              | Example                           |
-| ----- | ---- | ------------------------------------ | --------------------------------- |
-| `did` | path | `did:dfos:[2346789acdefhknrtvz]{22}` | `did:dfos:e3vvtck42d4eacdnzvtrn6` |
-
-**Response (`IdentityState`):**
-
-```json
-{
-  "did": "did:dfos:e3vvtck42d4eacdnzvtrn6",
-  "isDeleted": false,
-  "authKeys": [{ "id": "key_...", "type": "Multikey", "publicKeyMultibase": "z6Mk..." }],
-  "assertKeys": [{ "id": "key_...", "type": "Multikey", "publicKeyMultibase": "z6Mk..." }],
-  "controllerKeys": [{ "id": "key_...", "type": "Multikey", "publicKeyMultibase": "z6Mk..." }]
-}
-```
-
----
-
-### `GET /identities/{did}/operations` — List identity chain operations
-
-Returns operations newest-first, paginated.
-
-**Parameters:**
-
-| Name     | In    | Description                                                  |
-| -------- | ----- | ------------------------------------------------------------ |
-| `did`    | path  | The DID to list operations for                               |
-| `cursor` | query | Opaque pagination cursor (CID of last item on previous page) |
-| `limit`  | query | Page size, 1–100, default 25                                 |
-
-**Response (`PaginatedOperations`):**
-
-```json
-{
-  "operations": [
-    { "cid": "bafyrei...", "jwsToken": "eyJ...", "createdAt": "2026-03-07T00:01:00.000Z" },
-    { "cid": "bafyrei...", "jwsToken": "eyJ...", "createdAt": "2026-03-07T00:00:00.000Z" }
-  ],
-  "nextCursor": null
-}
-```
-
----
-
-## Content Endpoints
-
-### `POST /content` — Submit or extend a content chain
-
-Same mechanics as identity submission. The registry verifies the chain (resolving signing keys from stored identity chains), derives the content ID from the genesis CID, and stores it.
-
-**Request:** Same `{ "chain": [...] }` format as identity submission.
-
-**Responses:** Same status code semantics — `201` accepted, `200` noop, `400` invalid, `409` fork.
-
----
-
-### `GET /content/{contentId}` — Resolve current content state
-
-Returns the current state for a content chain.
-
-**Parameters:**
-
-| Name        | In   | Pattern                     | Example                  |
-| ----------- | ---- | --------------------------- | ------------------------ |
-| `contentId` | path | `[2346789acdefhknrtvz]{22}` | `67t27rzc83v7c22n9t6z7c` |
-
-**Response (`ContentState`):**
-
-```json
-{
-  "contentId": "67t27rzc83v7c22n9t6z7c",
-  "isDeleted": false,
-  "currentDocumentCID": "bafyrei...",
-  "genesisCID": "bafyrei...",
-  "headCID": "bafyrei..."
-}
-```
-
-| Field                | Description                                         |
-| -------------------- | --------------------------------------------------- |
-| `currentDocumentCID` | CID of current document, null if cleared or deleted |
-| `genesisCID`         | CID of the genesis operation                        |
-| `headCID`            | CID of the most recent operation                    |
-
----
-
-### `GET /content/{contentId}/operations` — List content chain operations
-
-Same pagination mechanics as identity operations.
-
----
-
-## Lookup Endpoints
-
-### `GET /operations/{cid}` — Resolve a single operation by CID
-
-Returns the JWS token for any operation (identity or content) by its CID.
-
-**Response:**
-
-```json
-{
-  "cid": "bafyrei...",
-  "jwsToken": "eyJ..."
-}
-```
-
----
-
-## Errors
-
-All error responses follow a standard shape:
-
-```json
-{
-  "error": "BAD_REQUEST",
-  "message": "Human-readable description"
-}
-```
-
-| Error Code    | Used By                                                    |
-| ------------- | ---------------------------------------------------------- |
-| `BAD_REQUEST` | Invalid chain, malformed request                           |
-| `NOT_FOUND`   | Identity, content, or operation not found                  |
-| `CONFLICT`    | Fork detected — submitted chain diverges from stored chain |
-
----
-
-## Chain Submission Semantics
-
-The registry enforces **linear chain extension**:
-
-- **New chain** — genesis operation not seen before → store and return `201`
-- **Extension** — submitted chain is longer than stored, shares the same prefix → replace stored chain, return `201`
-- **Noop** — submitted chain is identical to stored → return `200`
-- **Fork** — submitted chain diverges from stored chain at some operation → reject with `409`
-
-This means a registry is **eventually consistent with the longest valid chain** it receives. It does not implement consensus — if two registries receive different valid extensions, they may diverge. Fork detection is the caller's responsibility.
-
----
-
-## Authentication
-
-Registry endpoints that require authentication use **EdDSA JWTs** signed with the same Ed25519 keys from identity chains. The JWT convention is not part of the chain protocol — it's an application-layer auth mechanism for services.
-
-```json
-{
-  "alg": "EdDSA",
-  "typ": "JWT",
-  "kid": "key_ez9a874tckr3dv933d3ckd"
-}
-```
-
-```json
-{
-  "iss": "dfos",
-  "sub": "did:dfos:e3vvtck42d4eacdnzvtrn6",
-  "aud": "dfos-api",
-  "exp": 1772902800,
-  "iat": 1772899200,
-  "jti": "session_ref_example_01"
-}
-```
-
-| Field | Description                                                   |
-| ----- | ------------------------------------------------------------- |
-| `kid` | Bare key ID (not a DID URL — the `sub` claim carries the DID) |
-| `sub` | The DID of the authenticating identity                        |
-| `aud` | Target audience (e.g., `"dfos-api"`)                          |
-
-The signing mechanics are identical to operation JWS — `ed25519.sign(UTF8(base64url(header) + "." + base64url(payload)), privateKey)`. The key is resolved from the identity chain via `kid` + `sub`.
-
----
-
-## Reference Implementation
-
-A complete reference server is available in the protocol package:
-
-- [`registry/server.ts`](https://github.com/metalabel/dfos/blob/main/packages/dfos-protocol/src/registry/server.ts) — Hono-based HTTP server implementing all endpoints
-- [`registry/store.ts`](https://github.com/metalabel/dfos/blob/main/packages/dfos-protocol/src/registry/store.ts) — In-memory chain store with linear enforcement
-- [`openapi.yaml`](https://github.com/metalabel/dfos/blob/main/packages/dfos-protocol/openapi.yaml) — OpenAPI 3.1 machine-readable specification