@metalabel/dfos-protocol 0.10.0 → 0.11.0

package/README.md

@@ -21,11 +21,11 @@ import { createJws, dagCborCanonicalEncode, verifyJws } from '@metalabel/dfos-pr
 
 ## Subpath Exports
 
-| Export                                 | Description                                                             |
-| -------------------------------------- | ----------------------------------------------------------------------- |
-| `@metalabel/dfos-protocol/chain`       | Identity and content chain signing, verification, beacons, countersigns |
-| `@metalabel/dfos-protocol/credentials` | Auth tokens (DID-signed JWT) and DFOS credentials for authorization     |
-| `@metalabel/dfos-protocol/crypto`      | Ed25519, JWS, JWT, dag-cbor, base64url, ID generation                   |
+| Export                                 | Description                                                               |
+| -------------------------------------- | ------------------------------------------------------------------------- |
+| `@metalabel/dfos-protocol/chain`       | Identity & content chains, services, artifacts, countersigns, revocations |
+| `@metalabel/dfos-protocol/credentials` | Auth tokens (DID-signed JWT) and DFOS credentials for authorization       |
+| `@metalabel/dfos-protocol/crypto`      | Ed25519, JWS, JWT, dag-cbor, base64url, ID generation                     |
 
 ## Specifications
 
@@ -33,7 +33,7 @@ import { createJws, dagCborCanonicalEncode, verifyJws } from '@metalabel/dfos-pr
 | ------------------------------------------------ | -------------------------------------------------------------- |
 | [PROTOCOL.md](../../specs/PROTOCOL.md)           | Core protocol — chains, signatures, verification, test vectors |
 | [DID-METHOD.md](../../specs/DID-METHOD.md)       | W3C DID method specification for `did:dfos`                    |
-| [CONTENT-MODEL.md](../../specs/CONTENT-MODEL.md) | Standard content schemas (post, profile, manifest)             |
+| [CONTENT-MODEL.md](../../specs/CONTENT-MODEL.md) | Standard content schemas (post, profile)                       |
 
 ## Examples
 
@@ -47,7 +47,7 @@ The `examples/` directory contains deterministic reference fixtures that can be
 - `content-delegated.json` — creator genesis + delegated update with DFOS write credential
 - `credential-write.json` — DFOS write credential (broad + content-narrowed)
 - `credential-read.json` — DFOS read credential
-- `beacon.json` — signed manifest pointer announcement with witness countersignature
+- `identity-services.json` — genesis publishing a services set (relay locator + content/artifact anchors)
 
 ## License
 

package/dist/chain/index.d.ts

@@ -1,5 +1,5 @@
-import { I as IdentityOperation, S as Signer, V as VerifiedIdentity, C as ContentOperation, B as BeaconPayload, a as CountersignPayload, A as ArtifactPayload } from '../schemas-BhikXSf_.js';
-export { M as MAX_ARTIFACT_PAYLOAD_SIZE, b as MultikeyPublicKey, R as RevocationPayload } from '../schemas-BhikXSf_.js';
+import { I as IdentityOperation, h as Signer, V as VerifiedIdentity, S as ServiceEntry, b as ContentOperation, c as CountersignPayload, a as ArtifactPayload } from '../schemas-Myod8ES9.js';
+export { A as ARTIFACT_CID_ANCHOR_RE, C as CONTENT_ID_ANCHOR_RE, M as MAX_ARTIFACT_PAYLOAD_SIZE, d as MAX_SERVICES_ENTRIES, e as MAX_SERVICES_PAYLOAD_SIZE, f as MultikeyPublicKey, R as RevocationPayload, g as ServicesArray } from '../schemas-Myod8ES9.js';
 import 'zod';
 
 /** Ed25519 public key multicodec value */
@@ -88,6 +88,29 @@ declare const verifyIdentityExtensionFromTrustedState: (input: {
     createdAt: string;
 }>;
 
+type AnchorKind = 'chain' | 'artifact' | 'invalid';
+/**
+ * Enforce the services byte cap on the CBOR-encoded array — same encoding the
+ * wire uses, so the bound is identical across implementations. Mirrors the
+ * artifact payload size check.
+ */
+declare const assertServicesWithinCap: (services: ServiceEntry[]) => Promise<void>;
+/**
+ * Classify a ContentAnchor target by structural form. Resolvers dispatch on the
+ * result: 'chain' → resolve a content chain by contentId; 'artifact' → fetch by
+ * CID and require type:"artifact"; 'invalid' → reject (e.g. a bare head CID is
+ * 'artifact'-shaped but fails the resolution-time type check).
+ */
+declare const classifyAnchor: (anchor: string) => AnchorKind;
+/** Recognized (core-blessed) service types. All other types are valid but opaque. */
+declare const RECOGNIZED_SERVICE_TYPES: readonly ["DfosRelay", "ContentAnchor"];
+/** Whether the core assigns structural semantics to this service type. */
+declare const isRecognizedServiceType: (type: string) => boolean;
+/** Select the DfosRelay transport endpoints from a services set, in entry order. */
+declare const relayEndpoints: (services: ServiceEntry[]) => string[];
+/** Select ContentAnchor entries matching a client label (e.g. "profile"). */
+declare const anchorsByLabel: (services: ServiceEntry[], label: string) => ServiceEntry[];
+
 interface VerifiedContentChain {
     /** Content identifier — bare 31-char hash derived from genesis CID */
     contentId: string;
@@ -178,34 +201,6 @@ declare const verifyContentExtensionFromTrustedState: (input: {
     createdAt: string;
 }>;
 
-interface VerifiedBeacon {
-    did: string;
-    manifestContentId: string;
-    createdAt: string;
-    signerKeyId: string;
-    beaconCID: string;
-}
-/**
- * Sign a beacon announcement as a JWS
- */
-declare const signBeacon: (input: {
-    payload: BeaconPayload;
-    signer: Signer;
-    kid: string;
-}) => Promise<{
-    jwsToken: string;
-    beaconCID: string;
-}>;
-/**
- * Verify a beacon JWS — signature, CID, payload schema, clock skew
- */
-declare const verifyBeacon: (input: {
-    jwsToken: string;
-    resolveKey: (kid: string) => Promise<Uint8Array>;
-    /** Current time for clock skew check (defaults to Date.now()) */
-    now?: number;
-}) => Promise<VerifiedBeacon>;
-
 interface VerifiedCountersignature {
     /** CID of this countersign operation (distinct from the target) */
     countersignCID: string;
@@ -213,6 +208,8 @@ interface VerifiedCountersignature {
     witnessDID: string;
     /** The CID being attested to */
     targetCID: string;
+    /** Open-namespace relation tag, if present (e.g. "endorses", "coauthors") */
+    relation?: string;
 }
 /**
  * Sign a countersignature attesting to a target operation by CID
@@ -294,4 +291,4 @@ declare const verifyRevocation: (input: {
     resolveKey: (kid: string) => Promise<Uint8Array>;
 }) => Promise<VerifiedRevocation>;
 
-export { ArtifactPayload, BeaconPayload, ContentOperation, CountersignPayload, ED25519_PRIV_MULTICODEC, ED25519_PUB_MULTICODEC, IdentityOperation, Signer, type VerifiedArtifact, type VerifiedBeacon, type VerifiedContentChain, type VerifiedCountersignature, VerifiedIdentity, type VerifiedRevocation, decodeMultikey, deriveChainIdentifier, deriveContentId, encodeEd25519Multikey, signArtifact, signBeacon, signContentOperation, signCountersignature, signIdentityOperation, signRevocation, verifyArtifact, verifyBeacon, verifyContentChain, verifyContentExtensionFromTrustedState, verifyCountersignature, verifyIdentityChain, verifyIdentityExtensionFromTrustedState, verifyRevocation };
+export { type AnchorKind, ArtifactPayload, ContentOperation, CountersignPayload, ED25519_PRIV_MULTICODEC, ED25519_PUB_MULTICODEC, IdentityOperation, RECOGNIZED_SERVICE_TYPES, ServiceEntry, Signer, type VerifiedArtifact, type VerifiedContentChain, type VerifiedCountersignature, VerifiedIdentity, type VerifiedRevocation, anchorsByLabel, assertServicesWithinCap, classifyAnchor, decodeMultikey, deriveChainIdentifier, deriveContentId, encodeEd25519Multikey, isRecognizedServiceType, relayEndpoints, signArtifact, signContentOperation, signCountersignature, signIdentityOperation, signRevocation, verifyArtifact, verifyContentChain, verifyContentExtensionFromTrustedState, verifyCountersignature, verifyIdentityChain, verifyIdentityExtensionFromTrustedState, verifyRevocation };

package/dist/chain/index.js

@@ -1,30 +1,39 @@
 import {
+  ARTIFACT_CID_ANCHOR_RE,
   ArtifactPayload,
-  BeaconPayload,
+  CONTENT_ID_ANCHOR_RE,
   ContentOperation,
   CountersignPayload,
   IdentityOperation,
   MAX_ARTIFACT_PAYLOAD_SIZE,
+  MAX_SERVICES_ENTRIES,
+  MAX_SERVICES_PAYLOAD_SIZE,
   MultikeyPublicKey,
+  RECOGNIZED_SERVICE_TYPES,
   RevocationPayload,
+  ServiceEntry,
+  ServicesArray,
   VerifiedIdentity,
+  anchorsByLabel,
+  assertServicesWithinCap,
+  classifyAnchor,
   deriveChainIdentifier,
   deriveContentId,
+  isRecognizedServiceType,
+  relayEndpoints,
   signArtifact,
-  signBeacon,
   signContentOperation,
   signCountersignature,
   signIdentityOperation,
   signRevocation,
   verifyArtifact,
-  verifyBeacon,
   verifyContentChain,
   verifyContentExtensionFromTrustedState,
   verifyCountersignature,
   verifyIdentityChain,
   verifyIdentityExtensionFromTrustedState,
   verifyRevocation
-} from "../chunk-GZ7ZAIRD.js";
+} from "../chunk-SDUOUFTF.js";
 import {
   ED25519_PRIV_MULTICODEC,
   ED25519_PUB_MULTICODEC,
@@ -33,29 +42,38 @@ import {
 } from "../chunk-LQFOBE6X.js";
 import "../chunk-GQOZJKKO.js";
 export {
+  ARTIFACT_CID_ANCHOR_RE,
   ArtifactPayload,
-  BeaconPayload,
+  CONTENT_ID_ANCHOR_RE,
   ContentOperation,
   CountersignPayload,
   ED25519_PRIV_MULTICODEC,
   ED25519_PUB_MULTICODEC,
   IdentityOperation,
   MAX_ARTIFACT_PAYLOAD_SIZE,
+  MAX_SERVICES_ENTRIES,
+  MAX_SERVICES_PAYLOAD_SIZE,
   MultikeyPublicKey,
+  RECOGNIZED_SERVICE_TYPES,
   RevocationPayload,
+  ServiceEntry,
+  ServicesArray,
   VerifiedIdentity,
+  anchorsByLabel,
+  assertServicesWithinCap,
+  classifyAnchor,
   decodeMultikey,
   deriveChainIdentifier,
   deriveContentId,
   encodeEd25519Multikey,
+  isRecognizedServiceType,
+  relayEndpoints,
   signArtifact,
-  signBeacon,
   signContentOperation,
   signCountersignature,
   signIdentityOperation,
   signRevocation,
   verifyArtifact,
-  verifyBeacon,
   verifyContentChain,
   verifyContentExtensionFromTrustedState,
   verifyCountersignature,

package/dist/{chunk-GZ7ZAIRD.js → chunk-SDUOUFTF.js}

@@ -21,11 +21,49 @@ var MAX_CID = 256;
 var MAX_NOTE = 256;
 var MAX_KEYS_PER_ROLE = 16;
 var MAX_DID = 256;
+var MAX_SERVICE_ID = 64;
+var MAX_SERVICE_TYPE = 64;
+var MAX_SERVICE_STRING = 512;
+var MAX_RELATION = 64;
+var MAX_SERVICES_ENTRIES = 16;
+var MAX_SERVICES_PAYLOAD_SIZE = 8192;
 var MultikeyPublicKey = z.strictObject({
   id: z.string().max(MAX_KEY_ID),
   type: z.literal("Multikey"),
   publicKeyMultibase: z.string().max(MAX_PUBLIC_KEY_MULTIBASE)
 });
+var CONTENT_ID_ANCHOR_RE = /^[2346789acdefhknrtvz]{31}$/;
+var ARTIFACT_CID_ANCHOR_RE = /^baf[a-z2-7]{20,}$/;
+var ServiceEntry = z.object({
+  id: z.string().min(1).max(MAX_SERVICE_ID),
+  type: z.string().min(1).max(MAX_SERVICE_TYPE)
+}).catchall(z.unknown()).superRefine((entry, ctx) => {
+  if (entry.type === "DfosRelay") {
+    const endpoint = entry["endpoint"];
+    if (typeof endpoint !== "string" || endpoint.length < 1 || endpoint.length > MAX_SERVICE_STRING) {
+      ctx.addIssue({ code: "custom", message: "DfosRelay requires a non-empty endpoint string" });
+    }
+  } else if (entry.type === "ContentAnchor") {
+    const label = entry["label"];
+    const anchor = entry["anchor"];
+    if (typeof label !== "string" || label.length < 1 || label.length > MAX_SERVICE_STRING) {
+      ctx.addIssue({
+        code: "custom",
+        message: "ContentAnchor requires a non-empty label string"
+      });
+    }
+    if (typeof anchor !== "string" || !(CONTENT_ID_ANCHOR_RE.test(anchor) || ARTIFACT_CID_ANCHOR_RE.test(anchor))) {
+      ctx.addIssue({
+        code: "custom",
+        message: "ContentAnchor anchor must be a 31-char contentId or a CIDv1 artifact CID"
+      });
+    }
+  }
+});
+var ServicesArray = z.array(ServiceEntry).max(MAX_SERVICES_ENTRIES).refine(
+  (arr) => new Set(arr.map((e) => e.id)).size === arr.length,
+  "service entry ids must be unique"
+);
 var Iso8601 = z.iso.datetime({ offset: false, precision: 3 });
 var CIDString = z.string().max(MAX_CID);
 var IdentityCreate = z.strictObject({
@@ -34,6 +72,9 @@ var IdentityCreate = z.strictObject({
   authKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
   assertKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
   controllerKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
+  // Full-state discovery vocabulary. Optional so ops without services encode
+  // identically (undefined strips under canonical CBOR — CID-neutral).
+  services: ServicesArray.optional(),
   createdAt: Iso8601
 });
 var IdentityUpdate = z.strictObject({
@@ -43,6 +84,8 @@ var IdentityUpdate = z.strictObject({
   authKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
   assertKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
   controllerKeys: z.array(MultikeyPublicKey).min(1, "update must have at least one controller key").max(MAX_KEYS_PER_ROLE),
+  // Full-state: an update REPLACES the entire services set (omit to clear).
+  services: ServicesArray.optional(),
   createdAt: Iso8601
 });
 var IdentityDelete = z.strictObject({
@@ -61,7 +104,9 @@ var VerifiedIdentity = z.strictObject({
   isDeleted: z.boolean(),
   authKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
   assertKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
-  controllerKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE)
+  controllerKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
+  /** Resolved discovery vocabulary — projection of the winning head's services */
+  services: ServicesArray
 });
 var ContentCreate = z.strictObject({
   version: z.literal(1),
@@ -99,13 +144,6 @@ var ContentOperation = z.discriminatedUnion("type", [
   ContentUpdate,
   ContentDelete
 ]);
-var BeaconPayload = z.strictObject({
-  version: z.literal(1),
-  type: z.literal("beacon"),
-  did: z.string().max(MAX_DID),
-  manifestContentId: z.string().max(MAX_CID),
-  createdAt: Iso8601
-});
 var MAX_SCHEMA = 256;
 var MAX_ARTIFACT_PAYLOAD_SIZE = 16384;
 var ArtifactContent = z.object({ $schema: z.string().max(MAX_SCHEMA) }).catchall(z.unknown());
@@ -121,6 +159,7 @@ var CountersignPayload = z.strictObject({
   type: z.literal("countersign"),
   did: z.string().max(MAX_DID),
   targetCID: CIDString,
+  relation: z.string().min(1).max(MAX_RELATION).optional(),
   createdAt: Iso8601
 });
 var RevocationPayload = z.strictObject({
@@ -140,6 +179,27 @@ var deriveContentId = (cidBytes) => {
   return generateIdNoPrefix({ seed: cidBytes });
 };
 
+// src/chain/services.ts
+var assertServicesWithinCap = async (services) => {
+  const encoded = await dagCborCanonicalEncode(services);
+  if (encoded.bytes.length > MAX_SERVICES_PAYLOAD_SIZE) {
+    throw new Error(
+      `services payload exceeds max size: ${encoded.bytes.length} > ${MAX_SERVICES_PAYLOAD_SIZE}`
+    );
+  }
+};
+var classifyAnchor = (anchor) => {
+  if (CONTENT_ID_ANCHOR_RE.test(anchor)) return "chain";
+  if (ARTIFACT_CID_ANCHOR_RE.test(anchor)) return "artifact";
+  return "invalid";
+};
+var RECOGNIZED_SERVICE_TYPES = ["DfosRelay", "ContentAnchor"];
+var isRecognizedServiceType = (type) => RECOGNIZED_SERVICE_TYPES.includes(type);
+var relayEndpoints = (services) => services.filter((e) => e.type === "DfosRelay").map((e) => e["endpoint"]).filter((v) => typeof v === "string");
+var anchorsByLabel = (services, label) => services.filter(
+  (e) => e.type === "ContentAnchor" && e["label"] === label
+);
+
 // src/chain/identity-chain.ts
 var signIdentityOperation = async (input) => {
   const kid = input.identityDID ? `${input.identityDID}#${input.keyId}` : input.keyId;
@@ -162,6 +222,7 @@ var verifyIdentityChain = async (input) => {
     authKeys: [],
     assertKeys: [],
     controllerKeys: [],
+    services: [],
     seenKeys: /* @__PURE__ */ new Map()
   };
   for (const [idx, jwsToken] of input.log.entries()) {
@@ -190,6 +251,7 @@ var verifyIdentityChain = async (input) => {
       state.authKeys = op.authKeys;
       state.assertKeys = op.assertKeys;
       state.controllerKeys = op.controllerKeys;
+      state.services = op.services ?? [];
     }
     if (op.type === "update" || op.type === "delete") {
       if (op.previousOperationCID !== state.previousOperationCID) {
@@ -217,6 +279,13 @@ var verifyIdentityChain = async (input) => {
           throw new Error(`log[${idx}]: cannot repeat key ids in same usage`);
         }
       });
+      if (op.services) {
+        try {
+          await assertServicesWithinCap(op.services);
+        } catch (e) {
+          throw new Error(`log[${idx}]: ${e.message}`);
+        }
+      }
     }
     const encoded = await dagCborCanonicalEncode(op);
     const operationCID = encoded.cid.toString();
@@ -271,6 +340,7 @@ var verifyIdentityChain = async (input) => {
         state.authKeys = op.authKeys;
         state.assertKeys = op.assertKeys;
         state.controllerKeys = op.controllerKeys;
+        state.services = op.services ?? [];
         break;
       case "delete":
         state.isDeleted = true;
@@ -283,7 +353,8 @@ var verifyIdentityChain = async (input) => {
     isDeleted: state.isDeleted,
     authKeys: state.authKeys,
     assertKeys: state.assertKeys,
-    controllerKeys: state.controllerKeys
+    controllerKeys: state.controllerKeys,
+    services: state.services
   };
 };
 var verifyIdentityExtensionFromTrustedState = async (input) => {
@@ -342,19 +413,22 @@ var verifyIdentityExtensionFromTrustedState = async (input) => {
         throw new Error("cannot repeat key ids in same usage");
       }
     });
+    if (op.services) await assertServicesWithinCap(op.services);
   }
   const newState = op.type === "update" ? {
     did: currentState.did,
     isDeleted: false,
     authKeys: op.authKeys,
     assertKeys: op.assertKeys,
-    controllerKeys: op.controllerKeys
+    controllerKeys: op.controllerKeys,
+    services: op.services ?? []
   } : {
     did: currentState.did,
     isDeleted: true,
     authKeys: currentState.authKeys,
     assertKeys: currentState.assertKeys,
-    controllerKeys: currentState.controllerKeys
+    controllerKeys: currentState.controllerKeys,
+    services: currentState.services
   };
   return { state: newState, operationCID, createdAt: op.createdAt };
 };
@@ -599,61 +673,6 @@ var verifyContentExtensionFromTrustedState = async (input) => {
   return { state: newState, operationCID, createdAt: op.createdAt };
 };
 
-// src/chain/beacon.ts
-var signBeacon = async (input) => {
-  const encoded = await dagCborCanonicalEncode(input.payload);
-  const beaconCID = encoded.cid.toString();
-  const jwsToken = await createJws({
-    header: { alg: "EdDSA", typ: "did:dfos:beacon", kid: input.kid, cid: beaconCID },
-    payload: input.payload,
-    sign: input.signer
-  });
-  return { jwsToken, beaconCID };
-};
-var MAX_FUTURE_MS = 5 * 60 * 1e3;
-var verifyBeacon = async (input) => {
-  const decoded = decodeJwsUnsafe(input.jwsToken);
-  if (!decoded) throw new Error("failed to decode beacon JWS");
-  const result = BeaconPayload.safeParse(decoded.payload);
-  if (!result.success) {
-    const messages = result.error.issues.map((e) => e.message).join(", ");
-    throw new Error(`invalid beacon payload: ${messages}`);
-  }
-  const payload = result.data;
-  if (decoded.header.typ !== "did:dfos:beacon") {
-    throw new Error(`invalid beacon typ: ${decoded.header.typ}`);
-  }
-  const kid = decoded.header.kid;
-  const hashIdx = kid.indexOf("#");
-  if (hashIdx < 0) throw new Error("beacon kid must be a DID URL");
-  const kidDid = kid.substring(0, hashIdx);
-  if (kidDid !== payload.did) {
-    throw new Error("beacon kid DID does not match payload did");
-  }
-  const publicKey = await input.resolveKey(kid);
-  try {
-    verifyJws({ token: input.jwsToken, publicKey });
-  } catch {
-    throw new Error("invalid beacon signature");
-  }
-  const encoded = await dagCborCanonicalEncode(payload);
-  const beaconCID = encoded.cid.toString();
-  if (!decoded.header.cid) throw new Error("missing cid in beacon header");
-  if (decoded.header.cid !== beaconCID) throw new Error("beacon cid mismatch");
-  const now = input.now ?? Date.now();
-  const beaconTime = new Date(payload.createdAt).getTime();
-  if (beaconTime > now + MAX_FUTURE_MS) {
-    throw new Error("beacon createdAt is too far in the future");
-  }
-  return {
-    did: payload.did,
-    manifestContentId: payload.manifestContentId,
-    createdAt: payload.createdAt,
-    signerKeyId: kid,
-    beaconCID
-  };
-};
-
 // src/chain/countersign.ts
 var signCountersignature = async (input) => {
   const encoded = await dagCborCanonicalEncode(input.payload);
@@ -697,7 +716,8 @@ var verifyCountersignature = async (input) => {
   return {
     countersignCID,
     witnessDID: payload.did,
-    targetCID: payload.targetCID
+    targetCID: payload.targetCID,
+    ...payload.relation !== void 0 ? { relation: payload.relation } : {}
   };
 };
 
@@ -813,25 +833,34 @@ var verifyRevocation = async (input) => {
 };
 
 export {
+  MAX_SERVICES_ENTRIES,
+  MAX_SERVICES_PAYLOAD_SIZE,
   MultikeyPublicKey,
+  CONTENT_ID_ANCHOR_RE,
+  ARTIFACT_CID_ANCHOR_RE,
+  ServiceEntry,
+  ServicesArray,
   IdentityOperation,
   VerifiedIdentity,
   ContentOperation,
-  BeaconPayload,
   MAX_ARTIFACT_PAYLOAD_SIZE,
   ArtifactPayload,
   CountersignPayload,
   RevocationPayload,
   deriveChainIdentifier,
   deriveContentId,
+  assertServicesWithinCap,
+  classifyAnchor,
+  RECOGNIZED_SERVICE_TYPES,
+  isRecognizedServiceType,
+  relayEndpoints,
+  anchorsByLabel,
   signIdentityOperation,
   verifyIdentityChain,
   verifyIdentityExtensionFromTrustedState,
   signContentOperation,
   verifyContentChain,
   verifyContentExtensionFromTrustedState,
-  signBeacon,
-  verifyBeacon,
   signCountersignature,
   verifyCountersignature,
   signArtifact,

package/dist/credentials/index.d.ts

@@ -1,5 +1,5 @@
 import { z } from 'zod';
-import { V as VerifiedIdentity } from '../schemas-BhikXSf_.js';
+import { V as VerifiedIdentity } from '../schemas-Myod8ES9.js';
 
 /** Single attenuation entry — resource + action pair */
 declare const Attenuation: z.ZodObject<{

package/dist/index.d.ts

@@ -1,6 +1,6 @@
 export { JwsHeader, JwsVerificationError, JwtClaims, JwtCreateOptions, JwtHeader, JwtVerificationError, JwtVerifyOptions, PrefixedID, assertJwsProfile, base64urlDecode, base64urlEncode, createJws, createJwt, createNewEd25519Keypair, dagCborCanonicalEncode, decodeJwsUnsafe, decodeJwtUnsafe, generateId, generateIdNoPrefix, importEd25519Keypair, isCanonicallyEqual, isValidEd25519Signature, isValidId, normalizedId, parseDagCborCID, signPayloadEd25519, verifyJws, verifyJwt } from './crypto/index.js';
-export { A as ArtifactPayload, B as BeaconPayload, C as ContentOperation, a as CountersignPayload, I as IdentityOperation, M as MAX_ARTIFACT_PAYLOAD_SIZE, b as MultikeyPublicKey, R as RevocationPayload, S as Signer, V as VerifiedIdentity } from './schemas-BhikXSf_.js';
-export { ED25519_PRIV_MULTICODEC, ED25519_PUB_MULTICODEC, VerifiedArtifact, VerifiedBeacon, VerifiedContentChain, VerifiedCountersignature, VerifiedRevocation, decodeMultikey, deriveChainIdentifier, deriveContentId, encodeEd25519Multikey, signArtifact, signBeacon, signContentOperation, signCountersignature, signIdentityOperation, signRevocation, verifyArtifact, verifyBeacon, verifyContentChain, verifyContentExtensionFromTrustedState, verifyCountersignature, verifyIdentityChain, verifyIdentityExtensionFromTrustedState, verifyRevocation } from './chain/index.js';
+export { A as ARTIFACT_CID_ANCHOR_RE, a as ArtifactPayload, C as CONTENT_ID_ANCHOR_RE, b as ContentOperation, c as CountersignPayload, I as IdentityOperation, M as MAX_ARTIFACT_PAYLOAD_SIZE, d as MAX_SERVICES_ENTRIES, e as MAX_SERVICES_PAYLOAD_SIZE, f as MultikeyPublicKey, R as RevocationPayload, S as ServiceEntry, g as ServicesArray, h as Signer, V as VerifiedIdentity } from './schemas-Myod8ES9.js';
+export { AnchorKind, ED25519_PRIV_MULTICODEC, ED25519_PUB_MULTICODEC, RECOGNIZED_SERVICE_TYPES, VerifiedArtifact, VerifiedContentChain, VerifiedCountersignature, VerifiedRevocation, anchorsByLabel, assertServicesWithinCap, classifyAnchor, decodeMultikey, deriveChainIdentifier, deriveContentId, encodeEd25519Multikey, isRecognizedServiceType, relayEndpoints, signArtifact, signContentOperation, signCountersignature, signIdentityOperation, signRevocation, verifyArtifact, verifyContentChain, verifyContentExtensionFromTrustedState, verifyCountersignature, verifyIdentityChain, verifyIdentityExtensionFromTrustedState, verifyRevocation } from './chain/index.js';
 export { Attenuation, AuthTokenClaims, AuthTokenCreateOptions, AuthTokenVerificationError, AuthTokenVerifyOptions, CredentialVerificationError, DFOSCredentialPayload, VerifiedAuthToken, VerifiedDFOSCredential, VerifiedDelegationChain, createAuthToken, createDFOSCredential, decodeDFOSCredentialUnsafe, isAttenuated, matchesResource, verifyAuthToken, verifyDFOSCredential, verifyDelegationChain } from './credentials/index.js';
 import 'multiformats';
 import 'multiformats/cid';

package/dist/index.js

@@ -1,30 +1,39 @@
 import {
+  ARTIFACT_CID_ANCHOR_RE,
   ArtifactPayload,
-  BeaconPayload,
+  CONTENT_ID_ANCHOR_RE,
   ContentOperation,
   CountersignPayload,
   IdentityOperation,
   MAX_ARTIFACT_PAYLOAD_SIZE,
+  MAX_SERVICES_ENTRIES,
+  MAX_SERVICES_PAYLOAD_SIZE,
   MultikeyPublicKey,
+  RECOGNIZED_SERVICE_TYPES,
   RevocationPayload,
+  ServiceEntry,
+  ServicesArray,
   VerifiedIdentity,
+  anchorsByLabel,
+  assertServicesWithinCap,
+  classifyAnchor,
   deriveChainIdentifier,
   deriveContentId,
+  isRecognizedServiceType,
+  relayEndpoints,
   signArtifact,
-  signBeacon,
   signContentOperation,
   signCountersignature,
   signIdentityOperation,
   signRevocation,
   verifyArtifact,
-  verifyBeacon,
   verifyContentChain,
   verifyContentExtensionFromTrustedState,
   verifyCountersignature,
   verifyIdentityChain,
   verifyIdentityExtensionFromTrustedState,
   verifyRevocation
-} from "./chunk-GZ7ZAIRD.js";
+} from "./chunk-SDUOUFTF.js";
 import {
   Attenuation,
   AuthTokenClaims,
@@ -69,11 +78,12 @@ import {
   verifyJwt
 } from "./chunk-GQOZJKKO.js";
 export {
+  ARTIFACT_CID_ANCHOR_RE,
   ArtifactPayload,
   Attenuation,
   AuthTokenClaims,
   AuthTokenVerificationError,
-  BeaconPayload,
+  CONTENT_ID_ANCHOR_RE,
   ContentOperation,
   CountersignPayload,
   CredentialVerificationError,
@@ -84,12 +94,20 @@ export {
   JwsVerificationError,
   JwtVerificationError,
   MAX_ARTIFACT_PAYLOAD_SIZE,
+  MAX_SERVICES_ENTRIES,
+  MAX_SERVICES_PAYLOAD_SIZE,
   MultikeyPublicKey,
+  RECOGNIZED_SERVICE_TYPES,
   RevocationPayload,
+  ServiceEntry,
+  ServicesArray,
   VerifiedIdentity,
+  anchorsByLabel,
   assertJwsProfile,
+  assertServicesWithinCap,
   base64urlDecode,
   base64urlEncode,
+  classifyAnchor,
   createAuthToken,
   createDFOSCredential,
   createJws,
@@ -108,13 +126,14 @@ export {
   importEd25519Keypair,
   isAttenuated,
   isCanonicallyEqual,
+  isRecognizedServiceType,
   isValidEd25519Signature,
   isValidId,
   matchesResource,
   normalizedId,
   parseDagCborCID,
+  relayEndpoints,
   signArtifact,
-  signBeacon,
   signContentOperation,
   signCountersignature,
   signIdentityOperation,
@@ -122,7 +141,6 @@ export {
   signRevocation,
   verifyArtifact,
   verifyAuthToken,
-  verifyBeacon,
   verifyContentChain,
   verifyContentExtensionFromTrustedState,
   verifyCountersignature,

package/dist/{schemas-BhikXSf_.d.ts → schemas-Myod8ES9.d.ts}

@@ -2,12 +2,46 @@ import { z } from 'zod';
 
 /** Function that signs a byte array and returns a signature */
 type Signer = (message: Uint8Array) => Promise<Uint8Array>;
+/** Max number of service entries in an identity's services state */
+declare const MAX_SERVICES_ENTRIES = 16;
+/** Max CBOR-encoded size of the services array (bytes) — protocol constant */
+declare const MAX_SERVICES_PAYLOAD_SIZE = 8192;
 declare const MultikeyPublicKey: z.ZodObject<{
     id: z.ZodString;
     type: z.ZodLiteral<"Multikey">;
     publicKeyMultibase: z.ZodString;
 }, z.core.$strict>;
 type MultikeyPublicKey = z.infer<typeof MultikeyPublicKey>;
+/**
+ * Anchor target shapes — a ContentAnchor references a STABLE content
+ * identifier, dispatched by structural form:
+ *   - 31-char contentId (content chain) → mutable, gateable
+ *   - CIDv1 base32 (artifact)           → immutable, public
+ * Both are stable; a chain HEAD CID (also base32 but resolves to a non-artifact
+ * op) is rejected by the shape-dispatch + resolution type check, never anchored.
+ */
+declare const CONTENT_ID_ANCHOR_RE: RegExp;
+declare const ARTIFACT_CID_ANCHOR_RE: RegExp;
+/**
+ * Service entry — discovery vocabulary in identity-chain state.
+ *
+ * Open namespace: `type` is an arbitrary bounded string. Recognized types
+ * (`DfosRelay`, `ContentAnchor`) are structurally validated; UNRECOGNIZED types
+ * are preserved verbatim and ignored (MUST-ignore-unknown) — only the common
+ * envelope (id + type) and the byte cap apply. New service types therefore
+ * never require a protocol/cross-language change.
+ */
+declare const ServiceEntry: z.ZodObject<{
+    id: z.ZodString;
+    type: z.ZodString;
+}, z.core.$catchall<z.ZodUnknown>>;
+type ServiceEntry = z.infer<typeof ServiceEntry>;
+/** Identity services state — full-state, bounded, unique entry ids */
+declare const ServicesArray: z.ZodArray<z.ZodObject<{
+    id: z.ZodString;
+    type: z.ZodString;
+}, z.core.$catchall<z.ZodUnknown>>>;
+type ServicesArray = z.infer<typeof ServicesArray>;
 declare const IdentityOperation: z.ZodDiscriminatedUnion<[z.ZodObject<{
     version: z.ZodLiteral<1>;
     type: z.ZodLiteral<"create">;
@@ -26,6 +60,10 @@ declare const IdentityOperation: z.ZodDiscriminatedUnion<[z.ZodObject<{
         type: z.ZodLiteral<"Multikey">;
         publicKeyMultibase: z.ZodString;
     }, z.core.$strict>>;
+    services: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        type: z.ZodString;
+    }, z.core.$catchall<z.ZodUnknown>>>>;
     createdAt: z.ZodISODateTime;
 }, z.core.$strict>, z.ZodObject<{
     version: z.ZodLiteral<1>;
@@ -46,6 +84,10 @@ declare const IdentityOperation: z.ZodDiscriminatedUnion<[z.ZodObject<{
         type: z.ZodLiteral<"Multikey">;
         publicKeyMultibase: z.ZodString;
     }, z.core.$strict>>;
+    services: z.ZodOptional<z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        type: z.ZodString;
+    }, z.core.$catchall<z.ZodUnknown>>>>;
     createdAt: z.ZodISODateTime;
 }, z.core.$strict>, z.ZodObject<{
     version: z.ZodLiteral<1>;
@@ -72,6 +114,10 @@ declare const VerifiedIdentity: z.ZodObject<{
         type: z.ZodLiteral<"Multikey">;
         publicKeyMultibase: z.ZodString;
     }, z.core.$strict>>;
+    services: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        type: z.ZodString;
+    }, z.core.$catchall<z.ZodUnknown>>>;
 }, z.core.$strict>;
 type VerifiedIdentity = z.infer<typeof VerifiedIdentity>;
 declare const ContentOperation: z.ZodDiscriminatedUnion<[z.ZodObject<{
@@ -102,15 +148,6 @@ declare const ContentOperation: z.ZodDiscriminatedUnion<[z.ZodObject<{
     authorization: z.ZodOptional<z.ZodString>;
 }, z.core.$strict>], "type">;
 type ContentOperation = z.infer<typeof ContentOperation>;
-/** Beacon: floating signed manifest pointer announcement */
-declare const BeaconPayload: z.ZodObject<{
-    version: z.ZodLiteral<1>;
-    type: z.ZodLiteral<"beacon">;
-    did: z.ZodString;
-    manifestContentId: z.ZodString;
-    createdAt: z.ZodISODateTime;
-}, z.core.$strict>;
-type BeaconPayload = z.infer<typeof BeaconPayload>;
 /** Max CBOR-encoded payload size for artifacts (bytes) — protocol constant */
 declare const MAX_ARTIFACT_PAYLOAD_SIZE = 16384;
 /** Artifact: standalone signed inline document, immutable, CID-addressable */
@@ -124,16 +161,25 @@ declare const ArtifactPayload: z.ZodObject<{
     createdAt: z.ZodISODateTime;
 }, z.core.$strict>;
 type ArtifactPayload = z.infer<typeof ArtifactPayload>;
-/** Countersign: standalone witness attestation referencing a target operation by CID */
+/**
+ * Countersign: standalone witness attestation referencing a target operation by CID.
+ *
+ * `relation` is an OPEN-namespace tag naming the nature of the attestation
+ * (e.g. `coauthors`, `endorses`, `witnessed`, `holds`, `received`). It is an
+ * arbitrary bounded string — recognized values carry social meaning to clients,
+ * unrecognized values MUST be preserved and ignored. Optional, so a bare witness
+ * attestation (no relation) encodes identically (CID-neutral).
+ */
 declare const CountersignPayload: z.ZodObject<{
     version: z.ZodLiteral<1>;
     type: z.ZodLiteral<"countersign">;
     did: z.ZodString;
     targetCID: z.ZodString;
+    relation: z.ZodOptional<z.ZodString>;
     createdAt: z.ZodISODateTime;
 }, z.core.$strict>;
 type CountersignPayload = z.infer<typeof CountersignPayload>;
-/** Revocation: signed credential revocation artifact, gossiped like beacons */
+/** Revocation: signed credential revocation artifact, gossiped on the proof plane */
 declare const RevocationPayload: z.ZodObject<{
     version: z.ZodLiteral<1>;
     type: z.ZodLiteral<"revocation">;
@@ -143,4 +189,4 @@ declare const RevocationPayload: z.ZodObject<{
 }, z.core.$strict>;
 type RevocationPayload = z.infer<typeof RevocationPayload>;
 
-export { ArtifactPayload as A, BeaconPayload as B, ContentOperation as C, IdentityOperation as I, MAX_ARTIFACT_PAYLOAD_SIZE as M, RevocationPayload as R, type Signer as S, VerifiedIdentity as V, CountersignPayload as a, MultikeyPublicKey as b };
+export { ARTIFACT_CID_ANCHOR_RE as A, CONTENT_ID_ANCHOR_RE as C, IdentityOperation as I, MAX_ARTIFACT_PAYLOAD_SIZE as M, RevocationPayload as R, ServiceEntry as S, VerifiedIdentity as V, ArtifactPayload as a, ContentOperation as b, CountersignPayload as c, MAX_SERVICES_ENTRIES as d, MAX_SERVICES_PAYLOAD_SIZE as e, MultikeyPublicKey as f, ServicesArray as g, type Signer as h };

package/examples/identity-services.json

@@ -0,0 +1,38 @@
+{
+  "description": "Identity chain: genesis publishing a services set (relay locator + content/artifact anchors)",
+  "type": "identity",
+  "chain": [
+    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmlkZW50aXR5LW9wIiwia2lkIjoia2V5X3I5ZXYzNGZ2YzIzejk5OXZlYWFmdDgzbm4yOXp2aGUiLCJjaWQiOiJiYWZ5cmVpZGkzcXBzM3F0dHFwMjJtM3kzM2JkYmYyaXlrYnE1cjQ1ampod2EzN21nZXNvdjdzZGd6ZSJ9.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiY3JlYXRlIiwiYXV0aEtleXMiOlt7ImlkIjoia2V5X3I5ZXYzNGZ2YzIzejk5OXZlYWFmdDgzbm4yOXp2aGUiLCJ0eXBlIjoiTXVsdGlrZXkiLCJwdWJsaWNLZXlNdWx0aWJhc2UiOiJ6Nk1rcnpMTU53b0pTVjRQM1ljY1djYnRrOHZkOUx0Z01LbkxlYURMVXFMdUFTamIifV0sImFzc2VydEtleXMiOlt7ImlkIjoia2V5X3I5ZXYzNGZ2YzIzejk5OXZlYWFmdDgzbm4yOXp2aGUiLCJ0eXBlIjoiTXVsdGlrZXkiLCJwdWJsaWNLZXlNdWx0aWJhc2UiOiJ6Nk1rcnpMTU53b0pTVjRQM1ljY1djYnRrOHZkOUx0Z01LbkxlYURMVXFMdUFTamIifV0sImNvbnRyb2xsZXJLZXlzIjpbeyJpZCI6ImtleV9yOWV2MzRmdmMyM3o5OTl2ZWFhZnQ4M25uMjl6dmhlIiwidHlwZSI6Ik11bHRpa2V5IiwicHVibGljS2V5TXVsdGliYXNlIjoiejZNa3J6TE1Od29KU1Y0UDNZY2NXY2J0azh2ZDlMdGdNS25MZWFETFVxTHVBU2piIn1dLCJzZXJ2aWNlcyI6W3siaWQiOiJyZWxheSIsInR5cGUiOiJEZm9zUmVsYXkiLCJlbmRwb2ludCI6Imh0dHBzOi8vcmVsYXkuZGZvcy5jb20ifSx7ImlkIjoicHJvZmlsZSIsInR5cGUiOiJDb250ZW50QW5jaG9yIiwibGFiZWwiOiJwcm9maWxlIiwiYW5jaG9yIjoiY3Y3bjh2a3ZyNjRjY3RmMzI5NGg5azRlYW5oZmY4eiJ9LHsiaWQiOiJhdmF0YXIiLCJ0eXBlIjoiQ29udGVudEFuY2hvciIsImxhYmVsIjoiYXZhdGFyIiwiYW5jaG9yIjoiYmFmeXJlaWV2Y3FybXZ0ejJwaXM1dGRpenQ3c2pvdG9xcW9nbDZ2cnJxZ2E2NHcydG53a3Eycm51ZHkifV0sImNyZWF0ZWRBdCI6IjIwMjYtMDMtMDdUMDA6MDU6MDAuMDAwWiJ9.HCzVJXcUzL62lxtC8omBlit1JNSWk4b4kQKjjjWT00honzZ9-k3dKusIRuhTV6gjT1M74bLVZYUxPb8kJvhHAw"
+  ],
+  "controllerPublicKey": "z6MkrzLMNwoJSV4P3YccWcbtk8vd9LtgMKnLeaDLUqLuASjb",
+  "expected": {
+    "did": "did:dfos:zhkrrzrd7z623ha8tt7dt699de8r3ar",
+    "isDeleted": false,
+    "controllerKeys": [
+      {
+        "id": "key_r9ev34fvc23z999veaaft83nn29zvhe",
+        "type": "Multikey",
+        "publicKeyMultibase": "z6MkrzLMNwoJSV4P3YccWcbtk8vd9LtgMKnLeaDLUqLuASjb"
+      }
+    ],
+    "services": [
+      {
+        "id": "relay",
+        "type": "DfosRelay",
+        "endpoint": "https://relay.dfos.com"
+      },
+      {
+        "id": "profile",
+        "type": "ContentAnchor",
+        "label": "profile",
+        "anchor": "cv7n8vkvr64cctf3294h9k4eanhff8z"
+      },
+      {
+        "id": "avatar",
+        "type": "ContentAnchor",
+        "label": "avatar",
+        "anchor": "bafyreievcqrmvtz2pis5tdizt7sjotoqqogl6vrrqga64w2tnwkq2rnudy"
+      }
+    ]
+  }
+}

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "@metalabel/dfos-protocol",
-  "version": "0.10.0",
+  "version": "0.11.0",
   "type": "module",
-  "description": "DFOS Protocol — Ed25519 signed chain primitives, beacons, credentials, and verification",
+  "description": "DFOS Protocol — Ed25519 signed chain primitives, services, credentials, and verification",
   "license": "MIT",
   "author": "Metalabel <hello@metalabel.com> (https://metalabel.com)",
   "repository": {

package/examples/beacon.json

@@ -1,14 +0,0 @@
-{
-  "description": "Beacon: signed manifest content ID announcement with witness countersignature",
-  "type": "beacon",
-  "controllerJws": "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmJlYWNvbiIsImtpZCI6ImRpZDpkZm9zOmNubm5mdDlmOGEycm45MzhkNm5rejM4cjg0N3Yya3Ija2V5X3I5ZXYzNGZ2YzIzejk5OXZlYWFmdDgzbm4yOXp2aGUiLCJjaWQiOiJiYWZ5cmVpYjR3MnAydTZ0bHc3N3NidGtwdnc3ZnF2d3ZrNnJ3MzdweWFtM29zb2JvNXhwM29vZWt1cSJ9.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiYmVhY29uIiwiZGlkIjoiZGlkOmRmb3M6Y25ubmZ0OWY4YTJybjkzOGQ2bmt6MzhyODQ3djJrciIsIm1hbmlmZXN0Q29udGVudElkIjoiY3Y3bjh2a3ZyNjRjY3RmMzI5NGg5azRlYW5oZmY4eiIsImNyZWF0ZWRBdCI6IjIwMjYtMDMtMDdUMDA6MDU6MDAuMDAwWiJ9.exr0Dfb_asVXeMpnUOaql9ppeO2pifzEdId8ocXHQ6-v_XUwccQdJaL4MhKzJGUbRAa0hfRVSFRndhjJ4NN1DA",
-  "witnessJws": "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmJlYWNvbiIsImtpZCI6ImRpZDpkZm9zOmNubm5mdDlmOGEycm45MzhkNm5rejM4cjg0N3Yya3Ija2V5X2V6OWE4NzR0Y2tyM2R2OTMzZDNja2RuN3o2enJjdDgiLCJjaWQiOiJiYWZ5cmVpYjR3MnAydTZ0bHc3N3NidGtwdnc3ZnF2d3ZrNnJ3MzdweWFtM29zb2JvNXhwM29vZWt1cSJ9.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiYmVhY29uIiwiZGlkIjoiZGlkOmRmb3M6Y25ubmZ0OWY4YTJybjkzOGQ2bmt6MzhyODQ3djJrciIsIm1hbmlmZXN0Q29udGVudElkIjoiY3Y3bjh2a3ZyNjRjY3RmMzI5NGg5azRlYW5oZmY4eiIsImNyZWF0ZWRBdCI6IjIwMjYtMDMtMDdUMDA6MDU6MDAuMDAwWiJ9.-49R4npkmKMJtnK4sVS_x7MFOgB1RhjkZAzwycLp80g_o6y0gV0JjnUAj12as8NglccBXEk_5DdZTFs17ygKCA",
-  "controllerPublicKey": "z6MkrzLMNwoJSV4P3YccWcbtk8vd9LtgMKnLeaDLUqLuASjb",
-  "witnessPublicKey": "z6MkfUd65JrAhfdgFuMCccU9ThQvjB2fJAMUHkuuajF992gK",
-  "expected": {
-    "beaconCID": "bafyreib4w2p2u6tlw77sbtkpvw7fqvwvk6rw37pyam3osobo5xp3ooekuq",
-    "did": "did:dfos:cnnnft9f8a2rn938d6nkz38r847v2kr",
-    "manifestContentId": "cv7n8vkvr64cctf3294h9k4eanhff8z",
-    "createdAt": "2026-03-07T00:05:00.000Z"
-  }
-}

package/schemas/manifest.v1.json

@@ -1,29 +0,0 @@
-{
-  "$schema": "https://json-schema.org/draft/2020-12/schema",
-  "$id": "https://schemas.dfos.com/manifest/v1",
-  "title": "Manifest",
-  "description": "A manifest — a named map of protocol object references for semantic navigation. Keys are path-like labels. Values are protocol references: content chain identifiers (31-char bare hash), DIDs (did:dfos:...), or CIDs (bafyrei...). The document layer of the dark forest. Discovery is social or out-of-band.",
-  "type": "object",
-  "required": ["$schema", "entries"],
-  "properties": {
-    "$schema": {
-      "const": "https://schemas.dfos.com/manifest/v1"
-    },
-    "entries": {
-      "type": "object",
-      "propertyNames": {
-        "pattern": "^[a-z0-9][a-z0-9._/-]*[a-z0-9]$",
-        "minLength": 2,
-        "maxLength": 128
-      },
-      "additionalProperties": {
-        "type": "string",
-        "pattern": "^[a-z0-9][a-z0-9:._/-]*$",
-        "minLength": 1,
-        "maxLength": 512
-      },
-      "description": "Named entries mapping path-like keys to protocol object references (contentId, DID, or CID)."
-    }
-  },
-  "additionalProperties": false
-}