@metalabel/dfos-protocol 0.1.0 → 0.3.0

package/dist/chunk-CZSEEZLL.js

@@ -0,0 +1,258 @@
+import {
+  base64urlDecode,
+  base64urlEncode,
+  createJwt,
+  isValidEd25519Signature,
+  verifyJwt
+} from "./chunk-ZXXP5W5N.js";
+
+// src/credentials/schemas.ts
+import { z } from "zod";
+var MAX_DID = 256;
+var MAX_AUD = 512;
+var MAX_CONTENT_ID = 256;
+var VC_TYPE_CONTENT_WRITE = "DFOSContentWrite";
+var VC_TYPE_CONTENT_READ = "DFOSContentRead";
+var DFOSCredentialType = z.enum([VC_TYPE_CONTENT_WRITE, VC_TYPE_CONTENT_READ]);
+var AuthTokenClaims = z.strictObject({
+  /** Issuer — the DID proving identity */
+  iss: z.string().max(MAX_DID),
+  /** Subject — same as iss for auth tokens */
+  sub: z.string().max(MAX_DID),
+  /** Audience — target relay hostname (prevents cross-relay replay) */
+  aud: z.string().max(MAX_AUD),
+  /** Expiration — unix seconds, short-lived (minutes) */
+  exp: z.number().int().positive(),
+  /** Issued at — unix seconds */
+  iat: z.number().int().positive()
+});
+var ContentWriteSubject = z.strictObject({
+  /** Optional content chain narrowing — if absent, grants broad write access */
+  contentId: z.string().max(MAX_CONTENT_ID).optional()
+});
+var ContentReadSubject = z.strictObject({
+  /** Optional content chain narrowing — if absent, grants broad read access */
+  contentId: z.string().max(MAX_CONTENT_ID).optional()
+});
+var VCClaim = z.strictObject({
+  "@context": z.tuple([z.literal("https://www.w3.org/ns/credentials/v2")]),
+  type: z.tuple([z.literal("VerifiableCredential"), DFOSCredentialType]).transform((t) => t),
+  credentialSubject: z.union([ContentWriteSubject, ContentReadSubject])
+});
+var CredentialClaims = z.strictObject({
+  /** Issuer — the DID granting the credential */
+  iss: z.string().max(MAX_DID),
+  /** Subject — the DID receiving the credential */
+  sub: z.string().max(MAX_DID),
+  /** Expiration — unix seconds */
+  exp: z.number().int().positive(),
+  /** Issued at — unix seconds */
+  iat: z.number().int().positive(),
+  /** Verifiable credential claim */
+  vc: VCClaim
+});
+
+// src/credentials/auth-token.ts
+var createAuthToken = async (options) => {
+  if (!options.kid.includes("#")) {
+    throw new Error("kid must be a DID URL (did:dfos:xxx#key_yyy)");
+  }
+  const kidDid = options.kid.substring(0, options.kid.indexOf("#"));
+  if (kidDid !== options.iss) {
+    throw new Error("kid DID does not match iss");
+  }
+  const now = options.iat ?? Math.floor(Date.now() / 1e3);
+  const header = { alg: "EdDSA", typ: "JWT", kid: options.kid };
+  const payload = {
+    iss: options.iss,
+    sub: options.iss,
+    aud: options.aud,
+    exp: options.exp,
+    iat: now
+  };
+  return createJwt({ header, payload, sign: options.sign });
+};
+var verifyAuthToken = (options) => {
+  const { header, payload } = verifyJwt({
+    token: options.token,
+    publicKey: options.publicKey,
+    audience: options.audience,
+    ...options.currentTime !== void 0 ? { currentTime: options.currentTime } : {}
+  });
+  const result = AuthTokenClaims.safeParse(payload);
+  if (!result.success) {
+    const messages = result.error.issues.map((e) => e.message).join(", ");
+    throw new AuthTokenVerificationError(`invalid auth token claims: ${messages}`);
+  }
+  const currentTime = options.currentTime ?? Math.floor(Date.now() / 1e3);
+  if (result.data.iat > currentTime) {
+    throw new AuthTokenVerificationError("auth token not yet valid (iat is in the future)");
+  }
+  const kid = header.kid;
+  if (!kid || !kid.includes("#")) {
+    throw new AuthTokenVerificationError("auth token kid must be a DID URL");
+  }
+  const kidDid = kid.substring(0, kid.indexOf("#"));
+  if (kidDid !== result.data.iss) {
+    throw new AuthTokenVerificationError("auth token kid DID does not match iss");
+  }
+  return {
+    iss: result.data.iss,
+    aud: result.data.aud,
+    exp: result.data.exp,
+    kid
+  };
+};
+var AuthTokenVerificationError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "AuthTokenVerificationError";
+  }
+};
+
+// src/credentials/credential.ts
+var createCredential = async (options) => {
+  if (!options.kid.includes("#")) {
+    throw new Error("kid must be a DID URL (did:dfos:xxx#key_yyy)");
+  }
+  const kidDid = options.kid.substring(0, options.kid.indexOf("#"));
+  if (kidDid !== options.iss) {
+    throw new Error("kid DID does not match iss");
+  }
+  const now = options.iat ?? Math.floor(Date.now() / 1e3);
+  const header = { alg: "EdDSA", typ: "vc+jwt", kid: options.kid };
+  const credentialSubject = {};
+  if (options.contentId) {
+    credentialSubject.contentId = options.contentId;
+  }
+  const payload = {
+    iss: options.iss,
+    sub: options.sub,
+    exp: options.exp,
+    iat: now,
+    vc: {
+      "@context": ["https://www.w3.org/ns/credentials/v2"],
+      type: ["VerifiableCredential", options.type],
+      credentialSubject
+    }
+  };
+  const headerB64 = base64urlEncode(JSON.stringify(header));
+  const payloadB64 = base64urlEncode(JSON.stringify(payload));
+  const signingInput = `${headerB64}.${payloadB64}`;
+  const signingInputBytes = new TextEncoder().encode(signingInput);
+  const signatureBytes = await options.sign(signingInputBytes);
+  const signatureB64 = base64urlEncode(signatureBytes);
+  return `${signingInput}.${signatureB64}`;
+};
+var verifyCredential = (options) => {
+  const parts = options.token.split(".");
+  if (parts.length !== 3) {
+    throw new CredentialVerificationError("invalid token format");
+  }
+  const [headerB64, payloadB64, signatureB64] = parts;
+  let header;
+  let payload;
+  try {
+    header = JSON.parse(new TextDecoder().decode(base64urlDecode(headerB64)));
+    payload = JSON.parse(new TextDecoder().decode(base64urlDecode(payloadB64)));
+  } catch {
+    throw new CredentialVerificationError("failed to decode token");
+  }
+  if (header.alg !== "EdDSA") {
+    throw new CredentialVerificationError(`unsupported algorithm: ${header.alg}`);
+  }
+  if (header.typ !== "vc+jwt") {
+    throw new CredentialVerificationError(`invalid typ: ${header.typ}`);
+  }
+  const signingInput = `${headerB64}.${payloadB64}`;
+  const signingInputBytes = new TextEncoder().encode(signingInput);
+  let signatureBytes;
+  try {
+    signatureBytes = base64urlDecode(signatureB64);
+  } catch {
+    throw new CredentialVerificationError("failed to decode signature");
+  }
+  const isValid = isValidEd25519Signature(signingInputBytes, signatureBytes, options.publicKey);
+  if (!isValid) {
+    throw new CredentialVerificationError("invalid signature");
+  }
+  const result = CredentialClaims.safeParse(payload);
+  if (!result.success) {
+    const messages = result.error.issues.map((e) => e.message).join(", ");
+    throw new CredentialVerificationError(`invalid credential claims: ${messages}`);
+  }
+  const claims = result.data;
+  const kid = header.kid;
+  if (!kid || !kid.includes("#")) {
+    throw new CredentialVerificationError("credential kid must be a DID URL");
+  }
+  const kidDid = kid.substring(0, kid.indexOf("#"));
+  if (kidDid !== claims.iss) {
+    throw new CredentialVerificationError("credential kid DID does not match iss");
+  }
+  const currentTime = options.currentTime ?? Math.floor(Date.now() / 1e3);
+  if (claims.iat > currentTime) {
+    throw new CredentialVerificationError("credential not yet valid (iat is in the future)");
+  }
+  if (claims.exp <= currentTime) {
+    throw new CredentialVerificationError("credential expired");
+  }
+  if (options.subject !== void 0 && claims.sub !== options.subject) {
+    throw new CredentialVerificationError(
+      `subject mismatch: expected ${options.subject}, got ${claims.sub}`
+    );
+  }
+  const vcType = claims.vc.type[1];
+  if (options.expectedType !== void 0 && vcType !== options.expectedType) {
+    throw new CredentialVerificationError(
+      `type mismatch: expected ${options.expectedType}, got ${vcType}`
+    );
+  }
+  const contentId = claims.vc.credentialSubject.contentId;
+  return {
+    iss: claims.iss,
+    sub: claims.sub,
+    exp: claims.exp,
+    type: vcType,
+    kid,
+    ...contentId !== void 0 ? { contentId } : {}
+  };
+};
+var decodeCredentialUnsafe = (token) => {
+  const parts = token.split(".");
+  if (parts.length !== 3) return null;
+  try {
+    const [headerB64, payloadB64] = parts;
+    const header = JSON.parse(new TextDecoder().decode(base64urlDecode(headerB64)));
+    const payload = JSON.parse(new TextDecoder().decode(base64urlDecode(payloadB64)));
+    const result = CredentialClaims.safeParse(payload);
+    if (!result.success) return null;
+    return { header, claims: result.data };
+  } catch {
+    return null;
+  }
+};
+var CredentialVerificationError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "CredentialVerificationError";
+  }
+};
+
+export {
+  VC_TYPE_CONTENT_WRITE,
+  VC_TYPE_CONTENT_READ,
+  DFOSCredentialType,
+  AuthTokenClaims,
+  ContentWriteSubject,
+  ContentReadSubject,
+  VCClaim,
+  CredentialClaims,
+  createAuthToken,
+  verifyAuthToken,
+  AuthTokenVerificationError,
+  createCredential,
+  verifyCredential,
+  decodeCredentialUnsafe,
+  CredentialVerificationError
+};

package/dist/{chunk-ASGEXSVT.js → chunk-GEVJ3SEV.js}

@@ -1,3 +1,8 @@
+import {
+  VC_TYPE_CONTENT_WRITE,
+  decodeCredentialUnsafe,
+  verifyCredential
+} from "./chunk-CZSEEZLL.js";
 import {
   createJws,
   dagCborCanonicalEncode,
@@ -73,7 +78,9 @@ var ContentUpdate = z.strictObject({
   documentCID: CIDString.nullable(),
   baseDocumentCID: CIDString.nullable(),
   createdAt: Iso8601,
-  note: z.string().max(MAX_NOTE).nullable()
+  note: z.string().max(MAX_NOTE).nullable(),
+  /** VC-JWT authorizing this operation when signer is not the chain creator */
+  authorization: z.string().optional()
 });
 var ContentDelete = z.strictObject({
   version: z.literal(1),
@@ -81,7 +88,9 @@ var ContentDelete = z.strictObject({
   did: z.string().max(MAX_DID),
   previousOperationCID: CIDString,
   createdAt: Iso8601,
-  note: z.string().max(MAX_NOTE).nullable()
+  note: z.string().max(MAX_NOTE).nullable(),
+  /** VC-JWT authorizing this operation when signer is not the chain creator */
+  authorization: z.string().optional()
 });
 var ContentOperation = z.discriminatedUnion("type", [
   ContentCreate,
@@ -311,7 +320,8 @@ var verifyContentChain = async (input) => {
     isDeleted: false,
     currentDocumentCID: null,
     previousCID: null,
-    lastCreatedAt: null
+    lastCreatedAt: null,
+    creatorDID: null
   };
   for (const [idx, jwsToken] of input.log.entries()) {
     const decoded = decodeJwsUnsafe(jwsToken);
@@ -354,6 +364,51 @@ var verifyContentChain = async (input) => {
     } catch {
       throw new Error(`log[${idx}]: invalid signature`);
     }
+    if (idx === 0) {
+      state.creatorDID = op.did;
+    } else if (op.did !== state.creatorDID && input.enforceAuthorization) {
+      const authorization = op.type !== "create" ? op.authorization : void 0;
+      if (!authorization) {
+        throw new Error(
+          `log[${idx}]: signer ${op.did} is not the chain creator \u2014 authorization VC required`
+        );
+      }
+      const vcDecoded = decodeCredentialUnsafe(authorization);
+      if (!vcDecoded) {
+        throw new Error(`log[${idx}]: failed to decode authorization VC`);
+      }
+      const vcKid = vcDecoded.header.kid;
+      if (!vcKid || !vcKid.includes("#")) {
+        throw new Error(`log[${idx}]: authorization VC kid must be a DID URL`);
+      }
+      let creatorPublicKey;
+      try {
+        creatorPublicKey = await input.resolveKey(vcKid);
+      } catch {
+        throw new Error(`log[${idx}]: cannot resolve creator key for authorization verification`);
+      }
+      const opCreatedAtUnix = Math.floor(new Date(op.createdAt).getTime() / 1e3);
+      try {
+        const credential = verifyCredential({
+          token: authorization,
+          publicKey: creatorPublicKey,
+          subject: op.did,
+          expectedType: VC_TYPE_CONTENT_WRITE,
+          currentTime: opCreatedAtUnix
+        });
+        if (credential.iss !== state.creatorDID) {
+          throw new Error("VC issuer is not the chain creator");
+        }
+        if (credential.contentId && credential.contentId !== state.contentId) {
+          throw new Error(
+            `VC contentId ${credential.contentId} does not match chain ${state.contentId}`
+          );
+        }
+      } catch (err) {
+        const message = err instanceof Error ? err.message : "unknown error";
+        throw new Error(`log[${idx}]: authorization verification failed: ${message}`);
+      }
+    }
     const encoded = await dagCborCanonicalEncode(op);
     const operationCID = encoded.cid.toString();
     if (!decoded.header.cid) {
@@ -388,7 +443,8 @@ var verifyContentChain = async (input) => {
     headCID: state.headCID,
     isDeleted: state.isDeleted,
     currentDocumentCID: state.currentDocumentCID,
-    length: input.log.length
+    length: input.log.length,
+    creatorDID: state.creatorDID
   };
 };
 

package/dist/credentials/index.d.ts

@@ -0,0 +1,206 @@
+import { z } from 'zod';
+
+/** VC type for authorizing content chain writes (delegated operations) */
+declare const VC_TYPE_CONTENT_WRITE = "DFOSContentWrite";
+/** VC type for authorizing content plane reads (relay access) */
+declare const VC_TYPE_CONTENT_READ = "DFOSContentRead";
+/** All known DFOS VC types */
+declare const DFOSCredentialType: z.ZodEnum<{
+    DFOSContentWrite: "DFOSContentWrite";
+    DFOSContentRead: "DFOSContentRead";
+}>;
+type DFOSCredentialType = z.infer<typeof DFOSCredentialType>;
+/** Claims for a DID-signed auth token (relay AuthN) */
+declare const AuthTokenClaims: z.ZodObject<{
+    /** Issuer — the DID proving identity */
+    iss: z.ZodString;
+    /** Subject — same as iss for auth tokens */
+    sub: z.ZodString;
+    /** Audience — target relay hostname (prevents cross-relay replay) */
+    aud: z.ZodString;
+    /** Expiration — unix seconds, short-lived (minutes) */
+    exp: z.ZodNumber;
+    /** Issued at — unix seconds */
+    iat: z.ZodNumber;
+}, z.core.$strict>;
+type AuthTokenClaims = z.infer<typeof AuthTokenClaims>;
+/** Credential subject for content write authorization */
+declare const ContentWriteSubject: z.ZodObject<{
+    /** Optional content chain narrowing — if absent, grants broad write access */
+    contentId: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+type ContentWriteSubject = z.infer<typeof ContentWriteSubject>;
+/** Credential subject for content read authorization */
+declare const ContentReadSubject: z.ZodObject<{
+    /** Optional content chain narrowing — if absent, grants broad read access */
+    contentId: z.ZodOptional<z.ZodString>;
+}, z.core.$strict>;
+type ContentReadSubject = z.infer<typeof ContentReadSubject>;
+/** The `vc` claim in a VC-JWT payload */
+declare const VCClaim: z.ZodObject<{
+    '@context': z.ZodTuple<[z.ZodLiteral<"https://www.w3.org/ns/credentials/v2">], null>;
+    type: z.ZodPipe<z.ZodTuple<[z.ZodLiteral<"VerifiableCredential">, z.ZodEnum<{
+        DFOSContentWrite: "DFOSContentWrite";
+        DFOSContentRead: "DFOSContentRead";
+    }>], null>, z.ZodTransform<[string, "DFOSContentWrite" | "DFOSContentRead"], ["VerifiableCredential", "DFOSContentWrite" | "DFOSContentRead"]>>;
+    credentialSubject: z.ZodUnion<readonly [z.ZodObject<{
+        /** Optional content chain narrowing — if absent, grants broad write access */
+        contentId: z.ZodOptional<z.ZodString>;
+    }, z.core.$strict>, z.ZodObject<{
+        /** Optional content chain narrowing — if absent, grants broad read access */
+        contentId: z.ZodOptional<z.ZodString>;
+    }, z.core.$strict>]>;
+}, z.core.$strict>;
+type VCClaim = z.infer<typeof VCClaim>;
+/** Full VC-JWT payload claims */
+declare const CredentialClaims: z.ZodObject<{
+    /** Issuer — the DID granting the credential */
+    iss: z.ZodString;
+    /** Subject — the DID receiving the credential */
+    sub: z.ZodString;
+    /** Expiration — unix seconds */
+    exp: z.ZodNumber;
+    /** Issued at — unix seconds */
+    iat: z.ZodNumber;
+    /** Verifiable credential claim */
+    vc: z.ZodObject<{
+        '@context': z.ZodTuple<[z.ZodLiteral<"https://www.w3.org/ns/credentials/v2">], null>;
+        type: z.ZodPipe<z.ZodTuple<[z.ZodLiteral<"VerifiableCredential">, z.ZodEnum<{
+            DFOSContentWrite: "DFOSContentWrite";
+            DFOSContentRead: "DFOSContentRead";
+        }>], null>, z.ZodTransform<[string, "DFOSContentWrite" | "DFOSContentRead"], ["VerifiableCredential", "DFOSContentWrite" | "DFOSContentRead"]>>;
+        credentialSubject: z.ZodUnion<readonly [z.ZodObject<{
+            /** Optional content chain narrowing — if absent, grants broad write access */
+            contentId: z.ZodOptional<z.ZodString>;
+        }, z.core.$strict>, z.ZodObject<{
+            /** Optional content chain narrowing — if absent, grants broad read access */
+            contentId: z.ZodOptional<z.ZodString>;
+        }, z.core.$strict>]>;
+    }, z.core.$strict>;
+}, z.core.$strict>;
+type CredentialClaims = z.infer<typeof CredentialClaims>;
+
+interface AuthTokenCreateOptions {
+    /** The DID proving identity */
+    iss: string;
+    /** Target relay hostname (prevents cross-relay replay) */
+    aud: string;
+    /** Expiration — unix seconds */
+    exp: number;
+    /** kid — DID URL: "did:dfos:xxx#key_yyy" */
+    kid: string;
+    /** Issued-at override — unix seconds (defaults to Date.now()) */
+    iat?: number;
+    /** Signer function */
+    sign: (message: Uint8Array) => Promise<Uint8Array>;
+}
+interface AuthTokenVerifyOptions {
+    /** The JWT token string */
+    token: string;
+    /** Raw Ed25519 public key bytes (32 bytes) */
+    publicKey: Uint8Array;
+    /** Expected audience (relay hostname) */
+    audience: string;
+    /** Current time in seconds (defaults to Date.now() / 1000) */
+    currentTime?: number;
+}
+interface VerifiedAuthToken {
+    /** The DID that created the token */
+    iss: string;
+    /** The target relay */
+    aud: string;
+    /** Token expiration (unix seconds) */
+    exp: number;
+    /** kid from the JWT header */
+    kid: string;
+}
+/**
+ * Create a DID-signed auth token JWT for relay authentication
+ */
+declare const createAuthToken: (options: AuthTokenCreateOptions) => Promise<string>;
+/**
+ * Verify a DID-signed auth token JWT
+ *
+ * Checks signature, expiration, audience, and payload structure.
+ */
+declare const verifyAuthToken: (options: AuthTokenVerifyOptions) => VerifiedAuthToken;
+declare class AuthTokenVerificationError extends Error {
+    constructor(message: string);
+}
+
+interface CredentialCreateOptions {
+    /** The DID granting the credential (content creator/controller) */
+    iss: string;
+    /** The DID receiving the credential (collaborator/reader) */
+    sub: string;
+    /** Expiration — unix seconds */
+    exp: number;
+    /** kid — DID URL of the issuer: "did:dfos:xxx#key_yyy" */
+    kid: string;
+    /** Credential type */
+    type: DFOSCredentialType;
+    /** Optional content chain narrowing */
+    contentId?: string;
+    /** Issued-at override — unix seconds (defaults to Date.now()) */
+    iat?: number;
+    /** Signer function */
+    sign: (message: Uint8Array) => Promise<Uint8Array>;
+}
+interface CredentialVerifyOptions {
+    /** The VC-JWT token string */
+    token: string;
+    /** Raw Ed25519 public key bytes (32 bytes) of the issuer */
+    publicKey: Uint8Array;
+    /** Expected subject DID (optional — if provided, sub must match) */
+    subject?: string;
+    /** Expected credential type (optional — if provided, type must match) */
+    expectedType?: DFOSCredentialType;
+    /** Current time in seconds (defaults to Date.now() / 1000) */
+    currentTime?: number;
+}
+interface VerifiedCredential {
+    /** The DID that issued the credential */
+    iss: string;
+    /** The DID the credential was issued to */
+    sub: string;
+    /** Credential expiration (unix seconds) */
+    exp: number;
+    /** The DFOS credential type */
+    type: DFOSCredentialType;
+    /** kid from the JWT header */
+    kid: string;
+    /** Optional content chain narrowing */
+    contentId?: string;
+}
+/**
+ * Create a VC-JWT credential
+ *
+ * The credential is a JWT with `typ: "vc+jwt"` in the header and a `vc`
+ * claim in the payload following W3C VC Data Model v2.
+ */
+declare const createCredential: (options: CredentialCreateOptions) => Promise<string>;
+/**
+ * Verify a VC-JWT credential
+ *
+ * Checks signature, expiration, payload structure, and optionally subject
+ * and credential type.
+ */
+declare const verifyCredential: (options: CredentialVerifyOptions) => VerifiedCredential;
+/**
+ * Decode a VC-JWT credential without verifying the signature
+ *
+ * Returns null if the token is malformed or claims are invalid.
+ */
+declare const decodeCredentialUnsafe: (token: string) => {
+    header: {
+        alg: string;
+        typ: string;
+        kid: string;
+    };
+    claims: CredentialClaims;
+} | null;
+declare class CredentialVerificationError extends Error {
+    constructor(message: string);
+}
+
+export { AuthTokenClaims, type AuthTokenCreateOptions, AuthTokenVerificationError, type AuthTokenVerifyOptions, ContentReadSubject, ContentWriteSubject, CredentialClaims, type CredentialCreateOptions, CredentialVerificationError, type CredentialVerifyOptions, DFOSCredentialType, VCClaim, VC_TYPE_CONTENT_READ, VC_TYPE_CONTENT_WRITE, type VerifiedAuthToken, type VerifiedCredential, createAuthToken, createCredential, decodeCredentialUnsafe, verifyAuthToken, verifyCredential };

package/dist/credentials/index.js

@@ -0,0 +1,35 @@
+import {
+  AuthTokenClaims,
+  AuthTokenVerificationError,
+  ContentReadSubject,
+  ContentWriteSubject,
+  CredentialClaims,
+  CredentialVerificationError,
+  DFOSCredentialType,
+  VCClaim,
+  VC_TYPE_CONTENT_READ,
+  VC_TYPE_CONTENT_WRITE,
+  createAuthToken,
+  createCredential,
+  decodeCredentialUnsafe,
+  verifyAuthToken,
+  verifyCredential
+} from "../chunk-CZSEEZLL.js";
+import "../chunk-ZXXP5W5N.js";
+export {
+  AuthTokenClaims,
+  AuthTokenVerificationError,
+  ContentReadSubject,
+  ContentWriteSubject,
+  CredentialClaims,
+  CredentialVerificationError,
+  DFOSCredentialType,
+  VCClaim,
+  VC_TYPE_CONTENT_READ,
+  VC_TYPE_CONTENT_WRITE,
+  createAuthToken,
+  createCredential,
+  decodeCredentialUnsafe,
+  verifyAuthToken,
+  verifyCredential
+};

package/dist/index.d.ts

@@ -1,6 +1,7 @@
 export { JwsHeader, JwsVerificationError, JwtClaims, JwtCreateOptions, JwtHeader, JwtVerificationError, JwtVerifyOptions, PrefixedID, base64urlDecode, base64urlEncode, createJws, createJwt, createNewEd25519Keypair, dagCborCanonicalEncode, decodeJwsUnsafe, decodeJwtUnsafe, generateId, generateIdNoPrefix, importEd25519Keypair, isCanonicallyEqual, isValidEd25519Signature, isValidId, normalizedId, parseDagCborCID, signPayloadEd25519, verifyJws, verifyJwt } from './crypto/index.js';
 export { BeaconPayload, ContentOperation, ED25519_PRIV_MULTICODEC, ED25519_PUB_MULTICODEC, IdentityOperation, MultikeyPublicKey, Signer, VerifiedBeacon, VerifiedBeaconCountersignature, VerifiedContentChain, VerifiedCountersignature, VerifiedIdentity, decodeMultikey, deriveChainIdentifier, deriveContentId, encodeEd25519Multikey, signBeacon, signContentOperation, signCountersignature, signIdentityOperation, verifyBeacon, verifyBeaconCountersignature, verifyContentChain, verifyCountersignature, verifyIdentityChain } from './chain/index.js';
 export { MerkleProof, buildMerkleTree, generateMerkleProof, hashLeaf, hexToBytes, verifyMerkleProof } from './merkle/index.js';
+export { AuthTokenClaims, AuthTokenCreateOptions, AuthTokenVerificationError, AuthTokenVerifyOptions, ContentReadSubject, ContentWriteSubject, CredentialClaims, CredentialCreateOptions, CredentialVerificationError, CredentialVerifyOptions, DFOSCredentialType, VCClaim, VC_TYPE_CONTENT_READ, VC_TYPE_CONTENT_WRITE, VerifiedAuthToken, VerifiedCredential, createAuthToken, createCredential, decodeCredentialUnsafe, verifyAuthToken, verifyCredential } from './credentials/index.js';
 import 'multiformats';
 import 'multiformats/cid';
 import 'zod';

package/dist/index.js

@@ -19,7 +19,31 @@ import {
   verifyContentChain,
   verifyCountersignature,
   verifyIdentityChain
-} from "./chunk-ASGEXSVT.js";
+} from "./chunk-GEVJ3SEV.js";
+import {
+  buildMerkleTree,
+  generateMerkleProof,
+  hashLeaf,
+  hexToBytes,
+  verifyMerkleProof
+} from "./chunk-E5CFQG2B.js";
+import {
+  AuthTokenClaims,
+  AuthTokenVerificationError,
+  ContentReadSubject,
+  ContentWriteSubject,
+  CredentialClaims,
+  CredentialVerificationError,
+  DFOSCredentialType,
+  VCClaim,
+  VC_TYPE_CONTENT_READ,
+  VC_TYPE_CONTENT_WRITE,
+  createAuthToken,
+  createCredential,
+  decodeCredentialUnsafe,
+  verifyAuthToken,
+  verifyCredential
+} from "./chunk-CZSEEZLL.js";
 import {
   JwsVerificationError,
   JwtVerificationError,
@@ -43,30 +67,36 @@ import {
   verifyJws,
   verifyJwt
 } from "./chunk-ZXXP5W5N.js";
-import {
-  buildMerkleTree,
-  generateMerkleProof,
-  hashLeaf,
-  hexToBytes,
-  verifyMerkleProof
-} from "./chunk-E5CFQG2B.js";
 export {
+  AuthTokenClaims,
+  AuthTokenVerificationError,
   BeaconPayload,
   ContentOperation,
+  ContentReadSubject,
+  ContentWriteSubject,
+  CredentialClaims,
+  CredentialVerificationError,
+  DFOSCredentialType,
   ED25519_PRIV_MULTICODEC,
   ED25519_PUB_MULTICODEC,
   IdentityOperation,
   JwsVerificationError,
   JwtVerificationError,
   MultikeyPublicKey,
+  VCClaim,
+  VC_TYPE_CONTENT_READ,
+  VC_TYPE_CONTENT_WRITE,
   VerifiedIdentity,
   base64urlDecode,
   base64urlEncode,
   buildMerkleTree,
+  createAuthToken,
+  createCredential,
   createJws,
   createJwt,
   createNewEd25519Keypair,
   dagCborCanonicalEncode,
+  decodeCredentialUnsafe,
   decodeJwsUnsafe,
   decodeJwtUnsafe,
   decodeMultikey,
@@ -89,10 +119,12 @@ export {
   signCountersignature,
   signIdentityOperation,
   signPayloadEd25519,
+  verifyAuthToken,
   verifyBeacon,
   verifyBeaconCountersignature,
   verifyContentChain,
   verifyCountersignature,
+  verifyCredential,
   verifyIdentityChain,
   verifyJws,
   verifyJwt,