@metalabel/dfos-protocol 0.0.3 → 0.2.0

package/README.md

@@ -13,19 +13,22 @@ npm install @metalabel/dfos-protocol
 ```ts
 // Chain verification
 import { verifyContentChain, verifyIdentityChain } from '@metalabel/dfos-protocol/chain';
+// Credentials (auth tokens + VC-JWT)
+import { createAuthToken, verifyCredential } from '@metalabel/dfos-protocol/credentials';
 // Crypto primitives
 import { createJws, dagCborCanonicalEncode, verifyJws } from '@metalabel/dfos-protocol/crypto';
-// Reference registry server
-import { createRegistryServer } from '@metalabel/dfos-protocol/registry';
+// Merkle trees
+import { buildMerkleTree, verifyMerkleProof } from '@metalabel/dfos-protocol/merkle';
 ```
 
 ## Subpath Exports
 
-| Export                              | Description                                                         |
-| ----------------------------------- | ------------------------------------------------------------------- |
-| `@metalabel/dfos-protocol/chain`    | Identity and content chain signing, verification, multikey encoding |
-| `@metalabel/dfos-protocol/crypto`   | Ed25519, JWS, JWT, dag-cbor, base64url, ID generation               |
-| `@metalabel/dfos-protocol/registry` | Hono-based registry server, in-memory store, Zod schemas            |
+| Export                                 | Description                                                             |
+| -------------------------------------- | ----------------------------------------------------------------------- |
+| `@metalabel/dfos-protocol/chain`       | Identity and content chain signing, verification, beacons, countersigns |
+| `@metalabel/dfos-protocol/credentials` | Auth tokens (DID-signed JWT) and VC-JWT credentials for authorization   |
+| `@metalabel/dfos-protocol/crypto`      | Ed25519, JWS, JWT, dag-cbor, base64url, ID generation                   |
+| `@metalabel/dfos-protocol/merkle`      | SHA-256 binary merkle tree, inclusion proofs                            |
 
 ## Specifications
 
@@ -33,19 +36,22 @@ import { createRegistryServer } from '@metalabel/dfos-protocol/registry';
 | -------------------------------------- | -------------------------------------------------------------- |
 | [PROTOCOL.md](./PROTOCOL.md)           | Core protocol — chains, signatures, verification, test vectors |
 | [DID-METHOD.md](./DID-METHOD.md)       | W3C DID method specification for `did:dfos`                    |
-| [CONTENT-MODEL.md](./CONTENT-MODEL.md) | Standard content schemas (post, profile, media)                |
-| [REGISTRY-API.md](./REGISTRY-API.md)   | HTTP API for chain storage and resolution                      |
-| [openapi.yaml](./openapi.yaml)         | OpenAPI 3.1 machine-readable registry spec                     |
+| [CONTENT-MODEL.md](./CONTENT-MODEL.md) | Standard content schemas (post, profile, manifest)             |
 
 ## Examples
 
-The `examples/` directory contains deterministic reference chain fixtures that can be independently verified by any Ed25519 + dag-cbor implementation:
+The `examples/` directory contains deterministic reference fixtures that can be independently verified by any Ed25519 + dag-cbor implementation:
 
 - `identity-genesis.json` — single create operation
 - `identity-rotation.json` — genesis + key rotation
 - `identity-delete.json` — genesis + delete (terminal)
 - `content-lifecycle.json` — create + update (with both documents)
 - `content-delete.json` — create + delete
+- `content-delegated.json` — creator genesis + delegated update with DFOSContentWrite VC-JWT
+- `credential-write.json` — DFOSContentWrite VC-JWT (broad + content-narrowed)
+- `credential-read.json` — DFOSContentRead VC-JWT
+- `merkle-tree.json` — 5 content IDs → sorted tree → root, with inclusion proof
+- `beacon.json` — signed merkle root announcement with witness countersignature
 
 ## License
 

package/dist/chain/index.d.ts

@@ -77,24 +77,42 @@ type VerifiedIdentity = z.infer<typeof VerifiedIdentity>;
 declare const ContentOperation: z.ZodDiscriminatedUnion<[z.ZodObject<{
     version: z.ZodLiteral<1>;
     type: z.ZodLiteral<"create">;
+    did: z.ZodString;
     documentCID: z.ZodString;
+    baseDocumentCID: z.ZodNullable<z.ZodString>;
     createdAt: z.ZodISODateTime;
     note: z.ZodNullable<z.ZodString>;
 }, z.core.$strict>, z.ZodObject<{
     version: z.ZodLiteral<1>;
     type: z.ZodLiteral<"update">;
+    did: z.ZodString;
     previousOperationCID: z.ZodString;
     documentCID: z.ZodNullable<z.ZodString>;
+    baseDocumentCID: z.ZodNullable<z.ZodString>;
     createdAt: z.ZodISODateTime;
     note: z.ZodNullable<z.ZodString>;
+    /** VC-JWT authorizing this operation when signer is not the chain creator */
+    authorization: z.ZodOptional<z.ZodString>;
 }, z.core.$strict>, z.ZodObject<{
     version: z.ZodLiteral<1>;
     type: z.ZodLiteral<"delete">;
+    did: z.ZodString;
     previousOperationCID: z.ZodString;
     createdAt: z.ZodISODateTime;
     note: z.ZodNullable<z.ZodString>;
+    /** VC-JWT authorizing this operation when signer is not the chain creator */
+    authorization: z.ZodOptional<z.ZodString>;
 }, z.core.$strict>], "type">;
 type ContentOperation = z.infer<typeof ContentOperation>;
+/** Beacon: floating signed merkle root announcement */
+declare const BeaconPayload: z.ZodObject<{
+    version: z.ZodLiteral<1>;
+    type: z.ZodLiteral<"beacon">;
+    did: z.ZodString;
+    merkleRoot: z.ZodString;
+    createdAt: z.ZodISODateTime;
+}, z.core.$strict>;
+type BeaconPayload = z.infer<typeof BeaconPayload>;
 
 /** Ed25519 public key multicodec value */
 declare const ED25519_PUB_MULTICODEC = 237;
@@ -168,6 +186,8 @@ interface VerifiedContentChain {
     currentDocumentCID: string | null;
     /** Number of operations in the chain */
     length: number;
+    /** The DID that created the chain (signer of genesis operation) */
+    creatorDID: string;
 }
 /**
  * Sign a content chain operation as a JWS and derive the operation CID
@@ -182,15 +202,108 @@ declare const signContentOperation: (input: {
     operationCID: string;
 }>;
 /**
- * Verify a content chain's structural integrity and signatures
+ * Verify a content chain's structural integrity, signatures, and authorization
  *
  * The caller provides a key resolver to look up public keys from kid values.
  * This keeps the content chain protocol independent of identity resolution.
+ *
+ * Authorization rules:
+ * - Genesis (create) operation: the signer is the chain creator, always authorized
+ * - Subsequent operations signed by the creator DID: authorized (no credential needed)
+ * - Subsequent operations signed by a different DID: must include an `authorization`
+ *   field containing a valid DFOSContentWrite VC-JWT issued by the creator DID
  */
 declare const verifyContentChain: (input: {
     log: string[];
     /** Resolve a kid (DID URL) to the raw Ed25519 public key bytes */
     resolveKey: (kid: string) => Promise<Uint8Array>;
+    /**
+     * Enforce creator-sovereignty authorization. When true, non-creator signers
+     * must include a DFOSContentWrite VC-JWT in the operation's `authorization`
+     * field. When false (default), any signer with a valid signature is accepted.
+     *
+     * Web relays should set this to true. Applications migrating to VC-based
+     * authorization can enable this once all chains include authorization fields.
+     */
+    enforceAuthorization?: boolean;
 }) => Promise<VerifiedContentChain>;
 
-export { ContentOperation, ED25519_PRIV_MULTICODEC, ED25519_PUB_MULTICODEC, IdentityOperation, MultikeyPublicKey, type Signer, type VerifiedContentChain, VerifiedIdentity, decodeMultikey, deriveChainIdentifier, deriveContentId, encodeEd25519Multikey, signContentOperation, signIdentityOperation, verifyContentChain, verifyIdentityChain };
+/**
+ * Sign a beacon announcement as a JWS
+ */
+declare const signBeacon: (input: {
+    payload: BeaconPayload;
+    signer: Signer;
+    kid: string;
+}) => Promise<{
+    jwsToken: string;
+    beaconCID: string;
+}>;
+interface VerifiedBeacon {
+    payload: BeaconPayload;
+    beaconCID: string;
+}
+/**
+ * Verify a beacon JWS — signature, CID, payload schema, clock skew
+ */
+declare const verifyBeacon: (input: {
+    jwsToken: string;
+    resolveKey: (kid: string) => Promise<Uint8Array>;
+    /** Current time for clock skew check (defaults to Date.now()) */
+    now?: number;
+}) => Promise<VerifiedBeacon>;
+
+/**
+ * Sign an existing content operation as a countersignature (witness JWS)
+ *
+ * The witness signs the same payload as the author, producing a different
+ * JWS token with their own kid. The CID is identical because the payload
+ * is identical.
+ */
+declare const signCountersignature: (input: {
+    /** The original operation payload (must include did of the author) */
+    operationPayload: ContentOperation;
+    /** Witness signer */
+    signer: Signer;
+    /** Witness kid — DID URL of the witness (must differ from payload.did) */
+    kid: string;
+}) => Promise<{
+    jwsToken: string;
+    operationCID: string;
+}>;
+interface VerifiedCountersignature {
+    operationCID: string;
+    /** The DID that authored the operation (payload.did) */
+    authorDID: string;
+    /** The DID that witnessed the operation (kid DID) */
+    witnessDID: string;
+}
+/**
+ * Verify a countersignature JWS against an expected operation CID
+ *
+ * Checks: valid signature, CID matches, kid DID differs from payload did
+ */
+declare const verifyCountersignature: (input: {
+    jwsToken: string;
+    expectedCID: string;
+    resolveKey: (kid: string) => Promise<Uint8Array>;
+}) => Promise<VerifiedCountersignature>;
+interface VerifiedBeaconCountersignature {
+    beaconCID: string;
+    /** The DID that controls the beacon (payload.did) */
+    controllerDID: string;
+    /** The DID that witnessed the beacon (kid DID) */
+    witnessDID: string;
+}
+/**
+ * Verify a beacon countersignature JWS against an expected beacon CID
+ *
+ * Checks: valid signature, CID matches, kid DID differs from payload did
+ */
+declare const verifyBeaconCountersignature: (input: {
+    jwsToken: string;
+    expectedCID: string;
+    resolveKey: (kid: string) => Promise<Uint8Array>;
+}) => Promise<VerifiedBeaconCountersignature>;
+
+export { BeaconPayload, ContentOperation, ED25519_PRIV_MULTICODEC, ED25519_PUB_MULTICODEC, IdentityOperation, MultikeyPublicKey, type Signer, type VerifiedBeacon, type VerifiedBeaconCountersignature, type VerifiedContentChain, type VerifiedCountersignature, VerifiedIdentity, decodeMultikey, deriveChainIdentifier, deriveContentId, encodeEd25519Multikey, signBeacon, signContentOperation, signCountersignature, signIdentityOperation, verifyBeacon, verifyBeaconCountersignature, verifyContentChain, verifyCountersignature, verifyIdentityChain };

package/dist/chain/index.js

@@ -1,4 +1,5 @@
 import {
+  BeaconPayload,
   ContentOperation,
   ED25519_PRIV_MULTICODEC,
   ED25519_PUB_MULTICODEC,
@@ -9,13 +10,20 @@ import {
   deriveChainIdentifier,
   deriveContentId,
   encodeEd25519Multikey,
+  signBeacon,
   signContentOperation,
+  signCountersignature,
   signIdentityOperation,
+  verifyBeacon,
+  verifyBeaconCountersignature,
   verifyContentChain,
+  verifyCountersignature,
   verifyIdentityChain
-} from "../chunk-VEBMLR37.js";
+} from "../chunk-GEVJ3SEV.js";
+import "../chunk-CZSEEZLL.js";
 import "../chunk-ZXXP5W5N.js";
 export {
+  BeaconPayload,
   ContentOperation,
   ED25519_PRIV_MULTICODEC,
   ED25519_PUB_MULTICODEC,
@@ -26,8 +34,13 @@ export {
   deriveChainIdentifier,
   deriveContentId,
   encodeEd25519Multikey,
+  signBeacon,
   signContentOperation,
+  signCountersignature,
   signIdentityOperation,
+  verifyBeacon,
+  verifyBeaconCountersignature,
   verifyContentChain,
+  verifyCountersignature,
   verifyIdentityChain
 };

package/dist/chunk-CZSEEZLL.js

@@ -0,0 +1,258 @@
+import {
+  base64urlDecode,
+  base64urlEncode,
+  createJwt,
+  isValidEd25519Signature,
+  verifyJwt
+} from "./chunk-ZXXP5W5N.js";
+
+// src/credentials/schemas.ts
+import { z } from "zod";
+var MAX_DID = 256;
+var MAX_AUD = 512;
+var MAX_CONTENT_ID = 256;
+var VC_TYPE_CONTENT_WRITE = "DFOSContentWrite";
+var VC_TYPE_CONTENT_READ = "DFOSContentRead";
+var DFOSCredentialType = z.enum([VC_TYPE_CONTENT_WRITE, VC_TYPE_CONTENT_READ]);
+var AuthTokenClaims = z.strictObject({
+  /** Issuer — the DID proving identity */
+  iss: z.string().max(MAX_DID),
+  /** Subject — same as iss for auth tokens */
+  sub: z.string().max(MAX_DID),
+  /** Audience — target relay hostname (prevents cross-relay replay) */
+  aud: z.string().max(MAX_AUD),
+  /** Expiration — unix seconds, short-lived (minutes) */
+  exp: z.number().int().positive(),
+  /** Issued at — unix seconds */
+  iat: z.number().int().positive()
+});
+var ContentWriteSubject = z.strictObject({
+  /** Optional content chain narrowing — if absent, grants broad write access */
+  contentId: z.string().max(MAX_CONTENT_ID).optional()
+});
+var ContentReadSubject = z.strictObject({
+  /** Optional content chain narrowing — if absent, grants broad read access */
+  contentId: z.string().max(MAX_CONTENT_ID).optional()
+});
+var VCClaim = z.strictObject({
+  "@context": z.tuple([z.literal("https://www.w3.org/ns/credentials/v2")]),
+  type: z.tuple([z.literal("VerifiableCredential"), DFOSCredentialType]).transform((t) => t),
+  credentialSubject: z.union([ContentWriteSubject, ContentReadSubject])
+});
+var CredentialClaims = z.strictObject({
+  /** Issuer — the DID granting the credential */
+  iss: z.string().max(MAX_DID),
+  /** Subject — the DID receiving the credential */
+  sub: z.string().max(MAX_DID),
+  /** Expiration — unix seconds */
+  exp: z.number().int().positive(),
+  /** Issued at — unix seconds */
+  iat: z.number().int().positive(),
+  /** Verifiable credential claim */
+  vc: VCClaim
+});
+
+// src/credentials/auth-token.ts
+var createAuthToken = async (options) => {
+  if (!options.kid.includes("#")) {
+    throw new Error("kid must be a DID URL (did:dfos:xxx#key_yyy)");
+  }
+  const kidDid = options.kid.substring(0, options.kid.indexOf("#"));
+  if (kidDid !== options.iss) {
+    throw new Error("kid DID does not match iss");
+  }
+  const now = options.iat ?? Math.floor(Date.now() / 1e3);
+  const header = { alg: "EdDSA", typ: "JWT", kid: options.kid };
+  const payload = {
+    iss: options.iss,
+    sub: options.iss,
+    aud: options.aud,
+    exp: options.exp,
+    iat: now
+  };
+  return createJwt({ header, payload, sign: options.sign });
+};
+var verifyAuthToken = (options) => {
+  const { header, payload } = verifyJwt({
+    token: options.token,
+    publicKey: options.publicKey,
+    audience: options.audience,
+    ...options.currentTime !== void 0 ? { currentTime: options.currentTime } : {}
+  });
+  const result = AuthTokenClaims.safeParse(payload);
+  if (!result.success) {
+    const messages = result.error.issues.map((e) => e.message).join(", ");
+    throw new AuthTokenVerificationError(`invalid auth token claims: ${messages}`);
+  }
+  const currentTime = options.currentTime ?? Math.floor(Date.now() / 1e3);
+  if (result.data.iat > currentTime) {
+    throw new AuthTokenVerificationError("auth token not yet valid (iat is in the future)");
+  }
+  const kid = header.kid;
+  if (!kid || !kid.includes("#")) {
+    throw new AuthTokenVerificationError("auth token kid must be a DID URL");
+  }
+  const kidDid = kid.substring(0, kid.indexOf("#"));
+  if (kidDid !== result.data.iss) {
+    throw new AuthTokenVerificationError("auth token kid DID does not match iss");
+  }
+  return {
+    iss: result.data.iss,
+    aud: result.data.aud,
+    exp: result.data.exp,
+    kid
+  };
+};
+var AuthTokenVerificationError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "AuthTokenVerificationError";
+  }
+};
+
+// src/credentials/credential.ts
+var createCredential = async (options) => {
+  if (!options.kid.includes("#")) {
+    throw new Error("kid must be a DID URL (did:dfos:xxx#key_yyy)");
+  }
+  const kidDid = options.kid.substring(0, options.kid.indexOf("#"));
+  if (kidDid !== options.iss) {
+    throw new Error("kid DID does not match iss");
+  }
+  const now = options.iat ?? Math.floor(Date.now() / 1e3);
+  const header = { alg: "EdDSA", typ: "vc+jwt", kid: options.kid };
+  const credentialSubject = {};
+  if (options.contentId) {
+    credentialSubject.contentId = options.contentId;
+  }
+  const payload = {
+    iss: options.iss,
+    sub: options.sub,
+    exp: options.exp,
+    iat: now,
+    vc: {
+      "@context": ["https://www.w3.org/ns/credentials/v2"],
+      type: ["VerifiableCredential", options.type],
+      credentialSubject
+    }
+  };
+  const headerB64 = base64urlEncode(JSON.stringify(header));
+  const payloadB64 = base64urlEncode(JSON.stringify(payload));
+  const signingInput = `${headerB64}.${payloadB64}`;
+  const signingInputBytes = new TextEncoder().encode(signingInput);
+  const signatureBytes = await options.sign(signingInputBytes);
+  const signatureB64 = base64urlEncode(signatureBytes);
+  return `${signingInput}.${signatureB64}`;
+};
+var verifyCredential = (options) => {
+  const parts = options.token.split(".");
+  if (parts.length !== 3) {
+    throw new CredentialVerificationError("invalid token format");
+  }
+  const [headerB64, payloadB64, signatureB64] = parts;
+  let header;
+  let payload;
+  try {
+    header = JSON.parse(new TextDecoder().decode(base64urlDecode(headerB64)));
+    payload = JSON.parse(new TextDecoder().decode(base64urlDecode(payloadB64)));
+  } catch {
+    throw new CredentialVerificationError("failed to decode token");
+  }
+  if (header.alg !== "EdDSA") {
+    throw new CredentialVerificationError(`unsupported algorithm: ${header.alg}`);
+  }
+  if (header.typ !== "vc+jwt") {
+    throw new CredentialVerificationError(`invalid typ: ${header.typ}`);
+  }
+  const signingInput = `${headerB64}.${payloadB64}`;
+  const signingInputBytes = new TextEncoder().encode(signingInput);
+  let signatureBytes;
+  try {
+    signatureBytes = base64urlDecode(signatureB64);
+  } catch {
+    throw new CredentialVerificationError("failed to decode signature");
+  }
+  const isValid = isValidEd25519Signature(signingInputBytes, signatureBytes, options.publicKey);
+  if (!isValid) {
+    throw new CredentialVerificationError("invalid signature");
+  }
+  const result = CredentialClaims.safeParse(payload);
+  if (!result.success) {
+    const messages = result.error.issues.map((e) => e.message).join(", ");
+    throw new CredentialVerificationError(`invalid credential claims: ${messages}`);
+  }
+  const claims = result.data;
+  const kid = header.kid;
+  if (!kid || !kid.includes("#")) {
+    throw new CredentialVerificationError("credential kid must be a DID URL");
+  }
+  const kidDid = kid.substring(0, kid.indexOf("#"));
+  if (kidDid !== claims.iss) {
+    throw new CredentialVerificationError("credential kid DID does not match iss");
+  }
+  const currentTime = options.currentTime ?? Math.floor(Date.now() / 1e3);
+  if (claims.iat > currentTime) {
+    throw new CredentialVerificationError("credential not yet valid (iat is in the future)");
+  }
+  if (claims.exp <= currentTime) {
+    throw new CredentialVerificationError("credential expired");
+  }
+  if (options.subject !== void 0 && claims.sub !== options.subject) {
+    throw new CredentialVerificationError(
+      `subject mismatch: expected ${options.subject}, got ${claims.sub}`
+    );
+  }
+  const vcType = claims.vc.type[1];
+  if (options.expectedType !== void 0 && vcType !== options.expectedType) {
+    throw new CredentialVerificationError(
+      `type mismatch: expected ${options.expectedType}, got ${vcType}`
+    );
+  }
+  const contentId = claims.vc.credentialSubject.contentId;
+  return {
+    iss: claims.iss,
+    sub: claims.sub,
+    exp: claims.exp,
+    type: vcType,
+    kid,
+    ...contentId !== void 0 ? { contentId } : {}
+  };
+};
+var decodeCredentialUnsafe = (token) => {
+  const parts = token.split(".");
+  if (parts.length !== 3) return null;
+  try {
+    const [headerB64, payloadB64] = parts;
+    const header = JSON.parse(new TextDecoder().decode(base64urlDecode(headerB64)));
+    const payload = JSON.parse(new TextDecoder().decode(base64urlDecode(payloadB64)));
+    const result = CredentialClaims.safeParse(payload);
+    if (!result.success) return null;
+    return { header, claims: result.data };
+  } catch {
+    return null;
+  }
+};
+var CredentialVerificationError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "CredentialVerificationError";
+  }
+};
+
+export {
+  VC_TYPE_CONTENT_WRITE,
+  VC_TYPE_CONTENT_READ,
+  DFOSCredentialType,
+  AuthTokenClaims,
+  ContentWriteSubject,
+  ContentReadSubject,
+  VCClaim,
+  CredentialClaims,
+  createAuthToken,
+  verifyAuthToken,
+  AuthTokenVerificationError,
+  createCredential,
+  verifyCredential,
+  decodeCredentialUnsafe,
+  CredentialVerificationError
+};

package/dist/chunk-E5CFQG2B.js

@@ -0,0 +1,99 @@
+// src/merkle/tree.ts
+var sha256 = async (data) => {
+  const buf = await crypto.subtle.digest("SHA-256", data);
+  return new Uint8Array(buf);
+};
+var toHex = (bytes) => {
+  return Array.from(bytes).map((b) => b.toString(16).padStart(2, "0")).join("");
+};
+var hexToBytes = (hex) => {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.substring(i, i + 2), 16);
+  }
+  return bytes;
+};
+var concat = (a, b) => {
+  const result = new Uint8Array(a.length + b.length);
+  result.set(a, 0);
+  result.set(b, a.length);
+  return result;
+};
+var hashLeaf = async (contentId) => {
+  return sha256(new TextEncoder().encode(contentId));
+};
+var hashInterior = async (left, right) => {
+  return sha256(concat(left, right));
+};
+var buildMerkleTree = async (contentIds) => {
+  const sorted = [...new Set(contentIds)].sort();
+  if (sorted.length === 0) return { root: null, leafCount: 0 };
+  let level = await Promise.all(sorted.map(hashLeaf));
+  while (level.length > 1) {
+    const nextLevel = [];
+    for (let i = 0; i < level.length; i += 2) {
+      if (i + 1 < level.length) {
+        nextLevel.push(await hashInterior(level[i], level[i + 1]));
+      } else {
+        nextLevel.push(level[i]);
+      }
+    }
+    level = nextLevel;
+  }
+  return { root: toHex(level[0]), leafCount: sorted.length };
+};
+
+// src/merkle/proof.ts
+var generateMerkleProof = async (contentIds, targetId) => {
+  const sorted = [...new Set(contentIds)].sort();
+  const targetIdx = sorted.indexOf(targetId);
+  if (targetIdx < 0) return null;
+  const { root } = await buildMerkleTree(sorted);
+  if (!root) return null;
+  const leaves = await Promise.all(sorted.map(hashLeaf));
+  const path = [];
+  let level = leaves;
+  let idx = targetIdx;
+  while (level.length > 1) {
+    const nextLevel = [];
+    const nextIdx = Math.floor(idx / 2);
+    for (let i = 0; i < level.length; i += 2) {
+      if (i + 1 < level.length) {
+        if (i === idx || i + 1 === idx) {
+          const siblingIdx = i === idx ? i + 1 : i;
+          path.push({
+            hash: toHex(level[siblingIdx]),
+            position: siblingIdx < idx ? "left" : "right"
+          });
+        }
+        const interior = await sha256(concat(level[i], level[i + 1]));
+        nextLevel.push(interior);
+      } else {
+        nextLevel.push(level[i]);
+      }
+    }
+    level = nextLevel;
+    idx = nextIdx;
+  }
+  return { contentId: targetId, root, path };
+};
+var verifyMerkleProof = async (proof) => {
+  let current = await hashLeaf(proof.contentId);
+  for (const step of proof.path) {
+    const sibling = hexToBytes(step.hash);
+    if (step.position === "left") {
+      current = await sha256(concat(sibling, current));
+    } else {
+      current = await sha256(concat(current, sibling));
+    }
+  }
+  return toHex(current) === proof.root;
+};
+
+export {
+  hexToBytes,
+  hashLeaf,
+  buildMerkleTree,
+  generateMerkleProof,
+  verifyMerkleProof
+};