@metalabel/dfos-protocol 0.0.3 → 0.2.0

package/dist/{chunk-VEBMLR37.js → chunk-GEVJ3SEV.js}

@@ -1,3 +1,8 @@
+import {
+  VC_TYPE_CONTENT_WRITE,
+  decodeCredentialUnsafe,
+  verifyCredential
+} from "./chunk-CZSEEZLL.js";
 import {
   createJws,
   dagCborCanonicalEncode,
@@ -13,6 +18,7 @@ var MAX_PUBLIC_KEY_MULTIBASE = 128;
 var MAX_CID = 256;
 var MAX_NOTE = 256;
 var MAX_KEYS_PER_ROLE = 16;
+var MAX_DID = 256;
 var MultikeyPublicKey = z.strictObject({
   id: z.string().max(MAX_KEY_ID),
   type: z.literal("Multikey"),
@@ -49,7 +55,7 @@ var IdentityOperation = z.discriminatedUnion("type", [
   IdentityDelete
 ]);
 var VerifiedIdentity = z.strictObject({
-  did: z.string(),
+  did: z.string().max(MAX_DID),
   isDeleted: z.boolean(),
   authKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
   assertKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
@@ -58,30 +64,46 @@ var VerifiedIdentity = z.strictObject({
 var ContentCreate = z.strictObject({
   version: z.literal(1),
   type: z.literal("create"),
+  did: z.string().max(MAX_DID),
   documentCID: CIDString,
+  baseDocumentCID: CIDString.nullable(),
   createdAt: Iso8601,
   note: z.string().max(MAX_NOTE).nullable()
 });
 var ContentUpdate = z.strictObject({
   version: z.literal(1),
   type: z.literal("update"),
+  did: z.string().max(MAX_DID),
   previousOperationCID: CIDString,
   documentCID: CIDString.nullable(),
+  baseDocumentCID: CIDString.nullable(),
   createdAt: Iso8601,
-  note: z.string().max(MAX_NOTE).nullable()
+  note: z.string().max(MAX_NOTE).nullable(),
+  /** VC-JWT authorizing this operation when signer is not the chain creator */
+  authorization: z.string().optional()
 });
 var ContentDelete = z.strictObject({
   version: z.literal(1),
   type: z.literal("delete"),
+  did: z.string().max(MAX_DID),
   previousOperationCID: CIDString,
   createdAt: Iso8601,
-  note: z.string().max(MAX_NOTE).nullable()
+  note: z.string().max(MAX_NOTE).nullable(),
+  /** VC-JWT authorizing this operation when signer is not the chain creator */
+  authorization: z.string().optional()
 });
 var ContentOperation = z.discriminatedUnion("type", [
   ContentCreate,
   ContentUpdate,
   ContentDelete
 ]);
+var BeaconPayload = z.strictObject({
+  version: z.literal(1),
+  type: z.literal("beacon"),
+  did: z.string().max(MAX_DID),
+  merkleRoot: z.string().regex(/^[0-9a-f]{64}$/),
+  createdAt: Iso8601
+});
 
 // src/chain/multikey.ts
 import { base58btc } from "multiformats/bases/base58";
@@ -164,6 +186,9 @@ var verifyIdentityChain = async (input) => {
       throw new Error(`log[${idx}]: ${messages}`);
     }
     const op = result.data;
+    if (decoded.header.typ !== "did:dfos:identity-op") {
+      throw new Error(`log[${idx}]: invalid typ: ${decoded.header.typ}`);
+    }
     if (state.isDeleted) throw new Error(`log[${idx}]: cannot modify a deleted identity`);
     if (idx === 0 && op.type !== "create") {
       throw new Error(`log[${idx}]: first operation must be create`);
@@ -295,7 +320,8 @@ var verifyContentChain = async (input) => {
     isDeleted: false,
     currentDocumentCID: null,
     previousCID: null,
-    lastCreatedAt: null
+    lastCreatedAt: null,
+    creatorDID: null
   };
   for (const [idx, jwsToken] of input.log.entries()) {
     const decoded = decodeJwsUnsafe(jwsToken);
@@ -306,6 +332,9 @@ var verifyContentChain = async (input) => {
       throw new Error(`log[${idx}]: ${messages}`);
     }
     const op = result.data;
+    if (decoded.header.typ !== "did:dfos:content-op") {
+      throw new Error(`log[${idx}]: invalid typ: ${decoded.header.typ}`);
+    }
     if (state.isDeleted) throw new Error(`log[${idx}]: cannot extend a deleted chain`);
     if (idx === 0 && op.type !== "create") {
       throw new Error(`log[${idx}]: first operation must be create`);
@@ -323,12 +352,63 @@ var verifyContentChain = async (input) => {
       }
     }
     const kid = decoded.header.kid;
+    const hashIdx = kid.indexOf("#");
+    if (hashIdx < 0) throw new Error(`log[${idx}]: kid must be a DID URL`);
+    const kidDid = kid.substring(0, hashIdx);
+    if (kidDid !== op.did) {
+      throw new Error(`log[${idx}]: kid DID does not match operation did`);
+    }
     const publicKey = await input.resolveKey(kid);
     try {
       verifyJws({ token: jwsToken, publicKey });
     } catch {
       throw new Error(`log[${idx}]: invalid signature`);
     }
+    if (idx === 0) {
+      state.creatorDID = op.did;
+    } else if (op.did !== state.creatorDID && input.enforceAuthorization) {
+      const authorization = op.type !== "create" ? op.authorization : void 0;
+      if (!authorization) {
+        throw new Error(
+          `log[${idx}]: signer ${op.did} is not the chain creator \u2014 authorization VC required`
+        );
+      }
+      const vcDecoded = decodeCredentialUnsafe(authorization);
+      if (!vcDecoded) {
+        throw new Error(`log[${idx}]: failed to decode authorization VC`);
+      }
+      const vcKid = vcDecoded.header.kid;
+      if (!vcKid || !vcKid.includes("#")) {
+        throw new Error(`log[${idx}]: authorization VC kid must be a DID URL`);
+      }
+      let creatorPublicKey;
+      try {
+        creatorPublicKey = await input.resolveKey(vcKid);
+      } catch {
+        throw new Error(`log[${idx}]: cannot resolve creator key for authorization verification`);
+      }
+      const opCreatedAtUnix = Math.floor(new Date(op.createdAt).getTime() / 1e3);
+      try {
+        const credential = verifyCredential({
+          token: authorization,
+          publicKey: creatorPublicKey,
+          subject: op.did,
+          expectedType: VC_TYPE_CONTENT_WRITE,
+          currentTime: opCreatedAtUnix
+        });
+        if (credential.iss !== state.creatorDID) {
+          throw new Error("VC issuer is not the chain creator");
+        }
+        if (credential.contentId && credential.contentId !== state.contentId) {
+          throw new Error(
+            `VC contentId ${credential.contentId} does not match chain ${state.contentId}`
+          );
+        }
+      } catch (err) {
+        const message = err instanceof Error ? err.message : "unknown error";
+        throw new Error(`log[${idx}]: authorization verification failed: ${message}`);
+      }
+    }
     const encoded = await dagCborCanonicalEncode(op);
     const operationCID = encoded.cid.toString();
     if (!decoded.header.cid) {
@@ -363,7 +443,147 @@ var verifyContentChain = async (input) => {
     headCID: state.headCID,
     isDeleted: state.isDeleted,
     currentDocumentCID: state.currentDocumentCID,
-    length: input.log.length
+    length: input.log.length,
+    creatorDID: state.creatorDID
+  };
+};
+
+// src/chain/beacon.ts
+var signBeacon = async (input) => {
+  const encoded = await dagCborCanonicalEncode(input.payload);
+  const beaconCID = encoded.cid.toString();
+  const jwsToken = await createJws({
+    header: { alg: "EdDSA", typ: "did:dfos:beacon", kid: input.kid, cid: beaconCID },
+    payload: input.payload,
+    sign: input.signer
+  });
+  return { jwsToken, beaconCID };
+};
+var MAX_FUTURE_MS = 5 * 60 * 1e3;
+var verifyBeacon = async (input) => {
+  const decoded = decodeJwsUnsafe(input.jwsToken);
+  if (!decoded) throw new Error("failed to decode beacon JWS");
+  const result = BeaconPayload.safeParse(decoded.payload);
+  if (!result.success) {
+    const messages = result.error.issues.map((e) => e.message).join(", ");
+    throw new Error(`invalid beacon payload: ${messages}`);
+  }
+  const payload = result.data;
+  if (decoded.header.typ !== "did:dfos:beacon") {
+    throw new Error(`invalid beacon typ: ${decoded.header.typ}`);
+  }
+  const kid = decoded.header.kid;
+  const hashIdx = kid.indexOf("#");
+  if (hashIdx < 0) throw new Error("beacon kid must be a DID URL");
+  const kidDid = kid.substring(0, hashIdx);
+  if (kidDid !== payload.did) {
+    throw new Error("beacon kid DID does not match payload did");
+  }
+  const publicKey = await input.resolveKey(kid);
+  try {
+    verifyJws({ token: input.jwsToken, publicKey });
+  } catch {
+    throw new Error("invalid beacon signature");
+  }
+  const encoded = await dagCborCanonicalEncode(payload);
+  const beaconCID = encoded.cid.toString();
+  if (!decoded.header.cid) throw new Error("missing cid in beacon header");
+  if (decoded.header.cid !== beaconCID) throw new Error("beacon cid mismatch");
+  const now = input.now ?? Date.now();
+  const beaconTime = new Date(payload.createdAt).getTime();
+  if (beaconTime > now + MAX_FUTURE_MS) {
+    throw new Error("beacon createdAt is too far in the future");
+  }
+  return { payload, beaconCID };
+};
+
+// src/chain/countersign.ts
+var signCountersignature = async (input) => {
+  const encoded = await dagCborCanonicalEncode(input.operationPayload);
+  const operationCID = encoded.cid.toString();
+  const jwsToken = await createJws({
+    header: { alg: "EdDSA", typ: "did:dfos:content-op", kid: input.kid, cid: operationCID },
+    payload: input.operationPayload,
+    sign: input.signer
+  });
+  return { jwsToken, operationCID };
+};
+var verifyCountersignature = async (input) => {
+  const decoded = decodeJwsUnsafe(input.jwsToken);
+  if (!decoded) throw new Error("failed to decode countersignature JWS");
+  if (decoded.header.typ !== "did:dfos:content-op") {
+    throw new Error(`invalid countersignature typ: ${decoded.header.typ}`);
+  }
+  const result = ContentOperation.safeParse(decoded.payload);
+  if (!result.success) {
+    const messages = result.error.issues.map((e) => e.message).join(", ");
+    throw new Error(`invalid operation payload: ${messages}`);
+  }
+  const op = result.data;
+  const encoded = await dagCborCanonicalEncode(op);
+  const operationCID = encoded.cid.toString();
+  if (operationCID !== input.expectedCID) {
+    throw new Error("countersignature CID does not match expected CID");
+  }
+  if (decoded.header.cid !== operationCID) {
+    throw new Error("countersignature header cid mismatch");
+  }
+  const kid = decoded.header.kid;
+  const publicKey = await input.resolveKey(kid);
+  try {
+    verifyJws({ token: input.jwsToken, publicKey });
+  } catch {
+    throw new Error("invalid countersignature");
+  }
+  const hashIdx = kid.indexOf("#");
+  if (hashIdx < 0) throw new Error("countersignature kid must be a DID URL");
+  const witnessDID = kid.substring(0, hashIdx);
+  if (witnessDID === op.did) {
+    throw new Error("countersignature kid DID must differ from operation did (not a witness)");
+  }
+  return {
+    operationCID,
+    authorDID: op.did,
+    witnessDID
+  };
+};
+var verifyBeaconCountersignature = async (input) => {
+  const decoded = decodeJwsUnsafe(input.jwsToken);
+  if (!decoded) throw new Error("failed to decode beacon countersignature JWS");
+  if (decoded.header.typ !== "did:dfos:beacon") {
+    throw new Error(`invalid beacon countersignature typ: ${decoded.header.typ}`);
+  }
+  const result = BeaconPayload.safeParse(decoded.payload);
+  if (!result.success) {
+    const messages = result.error.issues.map((e) => e.message).join(", ");
+    throw new Error(`invalid beacon payload: ${messages}`);
+  }
+  const beacon = result.data;
+  const encoded = await dagCborCanonicalEncode(beacon);
+  const beaconCID = encoded.cid.toString();
+  if (beaconCID !== input.expectedCID) {
+    throw new Error("beacon countersignature CID does not match expected CID");
+  }
+  if (decoded.header.cid !== beaconCID) {
+    throw new Error("beacon countersignature header cid mismatch");
+  }
+  const kid = decoded.header.kid;
+  const publicKey = await input.resolveKey(kid);
+  try {
+    verifyJws({ token: input.jwsToken, publicKey });
+  } catch {
+    throw new Error("invalid beacon countersignature");
+  }
+  const hashIdx = kid.indexOf("#");
+  if (hashIdx < 0) throw new Error("beacon countersignature kid must be a DID URL");
+  const witnessDID = kid.substring(0, hashIdx);
+  if (witnessDID === beacon.did) {
+    throw new Error("beacon countersignature kid DID must differ from beacon did (not a witness)");
+  }
+  return {
+    beaconCID,
+    controllerDID: beacon.did,
+    witnessDID
   };
 };
 
@@ -372,6 +592,7 @@ export {
   IdentityOperation,
   VerifiedIdentity,
   ContentOperation,
+  BeaconPayload,
   ED25519_PUB_MULTICODEC,
   ED25519_PRIV_MULTICODEC,
   encodeEd25519Multikey,
@@ -381,5 +602,10 @@ export {
   signIdentityOperation,
   verifyIdentityChain,
   signContentOperation,
-  verifyContentChain
+  verifyContentChain,
+  signBeacon,
+  verifyBeacon,
+  signCountersignature,
+  verifyCountersignature,
+  verifyBeaconCountersignature
 };

package/dist/credentials/index.d.ts

@@ -0,0 +1,206 @@
+import { z } from 'zod';
+
+/** VC type for authorizing content chain writes (delegated operations) */
+declare const VC_TYPE_CONTENT_WRITE = "DFOSContentWrite";
+/** VC type for authorizing content plane reads (relay access) */
+declare const VC_TYPE_CONTENT_READ = "DFOSContentRead";
+/** All known DFOS VC types */
+declare const DFOSCredentialType: z.ZodEnum<{
+    DFOSContentWrite: "DFOSContentWrite";
+    DFOSContentRead: "DFOSContentRead";
+}>;
+type DFOSCredentialType = z.infer<typeof DFOSCredentialType>;
+/** Claims for a DID-signed auth token (relay AuthN) */
+declare const AuthTokenClaims: z.ZodObject<{
+    /** Issuer — the DID proving identity */
+    iss: z.ZodString;
+    /** Subject — same as iss for auth tokens */
+    sub: z.ZodString;
+    /** Audience — target relay hostname (prevents cross-relay replay) */
+    aud: z.ZodString;
+    /** Expiration — unix seconds, short-lived (minutes) */
+    exp: z.ZodNumber;
+    /** Issued at — unix seconds */
+    iat: z.ZodNumber;
+}, z.core.$strict>;
+type AuthTokenClaims = z.infer<typeof AuthTokenClaims>;
+/** Credential subject for content write authorization */
+declare const ContentWriteSubject: z.ZodObject<{
+    /** Optional content chain narrowing — if absent, grants broad write access */
+    contentId: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+type ContentWriteSubject = z.infer<typeof ContentWriteSubject>;
+/** Credential subject for content read authorization */
+declare const ContentReadSubject: z.ZodObject<{
+    /** Optional content chain narrowing — if absent, grants broad read access */
+    contentId: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+type ContentReadSubject = z.infer<typeof ContentReadSubject>;
+/** The `vc` claim in a VC-JWT payload */
+declare const VCClaim: z.ZodObject<{
+    '@context': z.ZodTuple<[z.ZodLiteral<"https://www.w3.org/ns/credentials/v2">], null>;
+    type: z.ZodPipe<z.ZodTuple<[z.ZodLiteral<"VerifiableCredential">, z.ZodEnum<{
+        DFOSContentWrite: "DFOSContentWrite";
+        DFOSContentRead: "DFOSContentRead";
+    }>], null>, z.ZodTransform<[string, "DFOSContentWrite" | "DFOSContentRead"], ["VerifiableCredential", "DFOSContentWrite" | "DFOSContentRead"]>>;
+    credentialSubject: z.ZodUnion<readonly [z.ZodObject<{
+        /** Optional content chain narrowing — if absent, grants broad write access */
+        contentId: z.ZodOptional<z.ZodString>;
+    }, z.core.$strict>, z.ZodObject<{
+        /** Optional content chain narrowing — if absent, grants broad read access */
+        contentId: z.ZodOptional<z.ZodString>;
+    }, z.core.$strict>]>;
+}, z.core.$strict>;
+type VCClaim = z.infer<typeof VCClaim>;
+/** Full VC-JWT payload claims */
+declare const CredentialClaims: z.ZodObject<{
+    /** Issuer — the DID granting the credential */
+    iss: z.ZodString;
+    /** Subject — the DID receiving the credential */
+    sub: z.ZodString;
+    /** Expiration — unix seconds */
+    exp: z.ZodNumber;
+    /** Issued at — unix seconds */
+    iat: z.ZodNumber;
+    /** Verifiable credential claim */
+    vc: z.ZodObject<{
+        '@context': z.ZodTuple<[z.ZodLiteral<"https://www.w3.org/ns/credentials/v2">], null>;
+        type: z.ZodPipe<z.ZodTuple<[z.ZodLiteral<"VerifiableCredential">, z.ZodEnum<{
+            DFOSContentWrite: "DFOSContentWrite";
+            DFOSContentRead: "DFOSContentRead";
+        }>], null>, z.ZodTransform<[string, "DFOSContentWrite" | "DFOSContentRead"], ["VerifiableCredential", "DFOSContentWrite" | "DFOSContentRead"]>>;
+        credentialSubject: z.ZodUnion<readonly [z.ZodObject<{
+            /** Optional content chain narrowing — if absent, grants broad write access */
+            contentId: z.ZodOptional<z.ZodString>;
+        }, z.core.$strict>, z.ZodObject<{
+            /** Optional content chain narrowing — if absent, grants broad read access */
+            contentId: z.ZodOptional<z.ZodString>;
+        }, z.core.$strict>]>;
+    }, z.core.$strict>;
+}, z.core.$strict>;
+type CredentialClaims = z.infer<typeof CredentialClaims>;
+
+interface AuthTokenCreateOptions {
+    /** The DID proving identity */
+    iss: string;
+    /** Target relay hostname (prevents cross-relay replay) */
+    aud: string;
+    /** Expiration — unix seconds */
+    exp: number;
+    /** kid — DID URL: "did:dfos:xxx#key_yyy" */
+    kid: string;
+    /** Issued-at override — unix seconds (defaults to Date.now()) */
+    iat?: number;
+    /** Signer function */
+    sign: (message: Uint8Array) => Promise<Uint8Array>;
+}
+interface AuthTokenVerifyOptions {
+    /** The JWT token string */
+    token: string;
+    /** Raw Ed25519 public key bytes (32 bytes) */
+    publicKey: Uint8Array;
+    /** Expected audience (relay hostname) */
+    audience: string;
+    /** Current time in seconds (defaults to Date.now() / 1000) */
+    currentTime?: number;
+}
+interface VerifiedAuthToken {
+    /** The DID that created the token */
+    iss: string;
+    /** The target relay */
+    aud: string;
+    /** Token expiration (unix seconds) */
+    exp: number;
+    /** kid from the JWT header */
+    kid: string;
+}
+/**
+ * Create a DID-signed auth token JWT for relay authentication
+ */
+declare const createAuthToken: (options: AuthTokenCreateOptions) => Promise<string>;
+/**
+ * Verify a DID-signed auth token JWT
+ *
+ * Checks signature, expiration, audience, and payload structure.
+ */
+declare const verifyAuthToken: (options: AuthTokenVerifyOptions) => VerifiedAuthToken;
+declare class AuthTokenVerificationError extends Error {
+    constructor(message: string);
+}
+
+interface CredentialCreateOptions {
+    /** The DID granting the credential (content creator/controller) */
+    iss: string;
+    /** The DID receiving the credential (collaborator/reader) */
+    sub: string;
+    /** Expiration — unix seconds */
+    exp: number;
+    /** kid — DID URL of the issuer: "did:dfos:xxx#key_yyy" */
+    kid: string;
+    /** Credential type */
+    type: DFOSCredentialType;
+    /** Optional content chain narrowing */
+    contentId?: string;
+    /** Issued-at override — unix seconds (defaults to Date.now()) */
+    iat?: number;
+    /** Signer function */
+    sign: (message: Uint8Array) => Promise<Uint8Array>;
+}
+interface CredentialVerifyOptions {
+    /** The VC-JWT token string */
+    token: string;
+    /** Raw Ed25519 public key bytes (32 bytes) of the issuer */
+    publicKey: Uint8Array;
+    /** Expected subject DID (optional — if provided, sub must match) */
+    subject?: string;
+    /** Expected credential type (optional — if provided, type must match) */
+    expectedType?: DFOSCredentialType;
+    /** Current time in seconds (defaults to Date.now() / 1000) */
+    currentTime?: number;
+}
+interface VerifiedCredential {
+    /** The DID that issued the credential */
+    iss: string;
+    /** The DID the credential was issued to */
+    sub: string;
+    /** Credential expiration (unix seconds) */
+    exp: number;
+    /** The DFOS credential type */
+    type: DFOSCredentialType;
+    /** kid from the JWT header */
+    kid: string;
+    /** Optional content chain narrowing */
+    contentId?: string;
+}
+/**
+ * Create a VC-JWT credential
+ *
+ * The credential is a JWT with `typ: "vc+jwt"` in the header and a `vc`
+ * claim in the payload following W3C VC Data Model v2.
+ */
+declare const createCredential: (options: CredentialCreateOptions) => Promise<string>;
+/**
+ * Verify a VC-JWT credential
+ *
+ * Checks signature, expiration, payload structure, and optionally subject
+ * and credential type.
+ */
+declare const verifyCredential: (options: CredentialVerifyOptions) => VerifiedCredential;
+/**
+ * Decode a VC-JWT credential without verifying the signature
+ *
+ * Returns null if the token is malformed or claims are invalid.
+ */
+declare const decodeCredentialUnsafe: (token: string) => {
+    header: {
+        alg: string;
+        typ: string;
+        kid: string;
+    };
+    claims: CredentialClaims;
+} | null;
+declare class CredentialVerificationError extends Error {
+    constructor(message: string);
+}
+
+export { AuthTokenClaims, type AuthTokenCreateOptions, AuthTokenVerificationError, type AuthTokenVerifyOptions, ContentReadSubject, ContentWriteSubject, CredentialClaims, type CredentialCreateOptions, CredentialVerificationError, type CredentialVerifyOptions, DFOSCredentialType, VCClaim, VC_TYPE_CONTENT_READ, VC_TYPE_CONTENT_WRITE, type VerifiedAuthToken, type VerifiedCredential, createAuthToken, createCredential, decodeCredentialUnsafe, verifyAuthToken, verifyCredential };

package/dist/credentials/index.js

@@ -0,0 +1,35 @@
+import {
+  AuthTokenClaims,
+  AuthTokenVerificationError,
+  ContentReadSubject,
+  ContentWriteSubject,
+  CredentialClaims,
+  CredentialVerificationError,
+  DFOSCredentialType,
+  VCClaim,
+  VC_TYPE_CONTENT_READ,
+  VC_TYPE_CONTENT_WRITE,
+  createAuthToken,
+  createCredential,
+  decodeCredentialUnsafe,
+  verifyAuthToken,
+  verifyCredential
+} from "../chunk-CZSEEZLL.js";
+import "../chunk-ZXXP5W5N.js";
+export {
+  AuthTokenClaims,
+  AuthTokenVerificationError,
+  ContentReadSubject,
+  ContentWriteSubject,
+  CredentialClaims,
+  CredentialVerificationError,
+  DFOSCredentialType,
+  VCClaim,
+  VC_TYPE_CONTENT_READ,
+  VC_TYPE_CONTENT_WRITE,
+  createAuthToken,
+  createCredential,
+  decodeCredentialUnsafe,
+  verifyAuthToken,
+  verifyCredential
+};

package/dist/index.d.ts

@@ -1,8 +1,7 @@
 export { JwsHeader, JwsVerificationError, JwtClaims, JwtCreateOptions, JwtHeader, JwtVerificationError, JwtVerifyOptions, PrefixedID, base64urlDecode, base64urlEncode, createJws, createJwt, createNewEd25519Keypair, dagCborCanonicalEncode, decodeJwsUnsafe, decodeJwtUnsafe, generateId, generateIdNoPrefix, importEd25519Keypair, isCanonicallyEqual, isValidEd25519Signature, isValidId, normalizedId, parseDagCborCID, signPayloadEd25519, verifyJws, verifyJwt } from './crypto/index.js';
-export { ContentOperation, ED25519_PRIV_MULTICODEC, ED25519_PUB_MULTICODEC, IdentityOperation, MultikeyPublicKey, Signer, VerifiedContentChain, VerifiedIdentity, decodeMultikey, deriveChainIdentifier, deriveContentId, encodeEd25519Multikey, signContentOperation, signIdentityOperation, verifyContentChain, verifyIdentityChain } from './chain/index.js';
-export { ChainStore, ContentOperationsParams, ContentOperationsResponse, IdentityOperationsParams, IdentityOperationsResponse, OperationEntry, PaginationParams, RegistryError, ResolveContentResponse, ResolveIdentityResponse, ResolveOperationResponse, StoredChain, SubmitContentChainRequest, SubmitContentChainResponse, SubmitIdentityChainRequest, SubmitIdentityChainResponse, createRegistryServer } from './registry/index.js';
+export { BeaconPayload, ContentOperation, ED25519_PRIV_MULTICODEC, ED25519_PUB_MULTICODEC, IdentityOperation, MultikeyPublicKey, Signer, VerifiedBeacon, VerifiedBeaconCountersignature, VerifiedContentChain, VerifiedCountersignature, VerifiedIdentity, decodeMultikey, deriveChainIdentifier, deriveContentId, encodeEd25519Multikey, signBeacon, signContentOperation, signCountersignature, signIdentityOperation, verifyBeacon, verifyBeaconCountersignature, verifyContentChain, verifyCountersignature, verifyIdentityChain } from './chain/index.js';
+export { MerkleProof, buildMerkleTree, generateMerkleProof, hashLeaf, hexToBytes, verifyMerkleProof } from './merkle/index.js';
+export { AuthTokenClaims, AuthTokenCreateOptions, AuthTokenVerificationError, AuthTokenVerifyOptions, ContentReadSubject, ContentWriteSubject, CredentialClaims, CredentialCreateOptions, CredentialVerificationError, CredentialVerifyOptions, DFOSCredentialType, VCClaim, VC_TYPE_CONTENT_READ, VC_TYPE_CONTENT_WRITE, VerifiedAuthToken, VerifiedCredential, createAuthToken, createCredential, decodeCredentialUnsafe, verifyAuthToken, verifyCredential } from './credentials/index.js';
 import 'multiformats';
 import 'multiformats/cid';
 import 'zod';
-import 'hono/types';
-import 'hono';