@metalabel/dfos-protocol 0.10.0 → 0.12.0

package/dist/{chunk-GZ7ZAIRD.js → chunk-J5C4OXL4.js}

@@ -1,51 +1,88 @@
 import {
+  MAX_CREDENTIAL_SIZE,
   decodeDFOSCredentialUnsafe,
   decodeMultikey,
   matchesResource,
   verifyDFOSCredential,
   verifyDelegationChain
-} from "./chunk-LQFOBE6X.js";
+} from "./chunk-J3XXF6F5.js";
 import {
   createJws,
   dagCborCanonicalEncode,
   decodeJwsUnsafe,
   generateIdNoPrefix,
   verifyJws
-} from "./chunk-GQOZJKKO.js";
+} from "./chunk-4QQ5HK5M.js";
 
 // src/chain/schemas.ts
 import { z } from "zod";
-var MAX_KEY_ID = 64;
-var MAX_PUBLIC_KEY_MULTIBASE = 128;
-var MAX_CID = 256;
-var MAX_NOTE = 256;
-var MAX_KEYS_PER_ROLE = 16;
-var MAX_DID = 256;
-var MultikeyPublicKey = z.strictObject({
-  id: z.string().max(MAX_KEY_ID),
+var MAX_KEYS_PER_ROLE = 256;
+var MAX_RELATION = 64;
+var MAX_SERVICES_ENTRIES = 256;
+var MAX_SERVICES_PAYLOAD_SIZE = 32768;
+var MAX_OPERATION_SIZE = 65536;
+var MultikeyPublicKey = z.looseObject({
+  id: z.string(),
   type: z.literal("Multikey"),
-  publicKeyMultibase: z.string().max(MAX_PUBLIC_KEY_MULTIBASE)
+  publicKeyMultibase: z.string()
 });
+var CONTENT_ID_ANCHOR_RE = /^[2346789acdefhknrtvz]{31}$/;
+var ARTIFACT_CID_ANCHOR_RE = /^baf[a-z2-7]{20,}$/;
+var ServiceEntry = z.object({
+  id: z.string().min(1),
+  type: z.string().min(1)
+}).catchall(z.unknown()).superRefine((entry, ctx) => {
+  if (entry.type === "DfosRelay") {
+    const endpoint = entry["endpoint"];
+    if (typeof endpoint !== "string" || endpoint.length < 1) {
+      ctx.addIssue({ code: "custom", message: "DfosRelay requires a non-empty endpoint string" });
+    }
+  } else if (entry.type === "ContentAnchor") {
+    const label = entry["label"];
+    const anchor = entry["anchor"];
+    if (typeof label !== "string" || label.length < 1) {
+      ctx.addIssue({
+        code: "custom",
+        message: "ContentAnchor requires a non-empty label string"
+      });
+    }
+    if (typeof anchor !== "string" || !(CONTENT_ID_ANCHOR_RE.test(anchor) || ARTIFACT_CID_ANCHOR_RE.test(anchor))) {
+      ctx.addIssue({
+        code: "custom",
+        message: "ContentAnchor anchor must be a 31-char contentId or a CIDv1 artifact CID"
+      });
+    }
+  }
+});
+var ServicesArray = z.array(ServiceEntry).max(MAX_SERVICES_ENTRIES).refine(
+  (arr) => new Set(arr.map((e) => e.id)).size === arr.length,
+  "service entry ids must be unique"
+);
 var Iso8601 = z.iso.datetime({ offset: false, precision: 3 });
-var CIDString = z.string().max(MAX_CID);
-var IdentityCreate = z.strictObject({
+var CIDString = z.string();
+var IdentityCreate = z.looseObject({
   version: z.literal(1),
   type: z.literal("create"),
   authKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
   assertKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
   controllerKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
+  // Full-state discovery vocabulary. Optional so ops without services encode
+  // identically (undefined strips under canonical CBOR — CID-neutral).
+  services: ServicesArray.optional(),
   createdAt: Iso8601
 });
-var IdentityUpdate = z.strictObject({
+var IdentityUpdate = z.looseObject({
   version: z.literal(1),
   type: z.literal("update"),
   previousOperationCID: CIDString,
   authKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
   assertKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
   controllerKeys: z.array(MultikeyPublicKey).min(1, "update must have at least one controller key").max(MAX_KEYS_PER_ROLE),
+  // Full-state: an update REPLACES the entire services set (omit to clear).
+  services: ServicesArray.optional(),
   createdAt: Iso8601
 });
-var IdentityDelete = z.strictObject({
+var IdentityDelete = z.looseObject({
   version: z.literal(1),
   type: z.literal("delete"),
   previousOperationCID: CIDString,
@@ -57,40 +94,42 @@ var IdentityOperation = z.discriminatedUnion("type", [
   IdentityDelete
 ]);
 var VerifiedIdentity = z.strictObject({
-  did: z.string().max(MAX_DID),
+  did: z.string(),
   isDeleted: z.boolean(),
   authKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
   assertKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
-  controllerKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE)
+  controllerKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
+  /** Resolved discovery vocabulary — projection of the winning head's services */
+  services: ServicesArray
 });
-var ContentCreate = z.strictObject({
+var ContentCreate = z.looseObject({
   version: z.literal(1),
   type: z.literal("create"),
-  did: z.string().max(MAX_DID),
+  did: z.string(),
   documentCID: CIDString,
   baseDocumentCID: CIDString.nullable(),
   createdAt: Iso8601,
-  note: z.string().max(MAX_NOTE).nullable()
+  note: z.string().nullable()
 });
-var ContentUpdate = z.strictObject({
+var ContentUpdate = z.looseObject({
   version: z.literal(1),
   type: z.literal("update"),
-  did: z.string().max(MAX_DID),
+  did: z.string(),
   previousOperationCID: CIDString,
   documentCID: CIDString.nullable(),
   baseDocumentCID: CIDString.nullable(),
   createdAt: Iso8601,
-  note: z.string().max(MAX_NOTE).nullable(),
+  note: z.string().nullable(),
   /** DFOS credential authorizing this operation when signer is not the chain creator */
   authorization: z.string().optional()
 });
-var ContentDelete = z.strictObject({
+var ContentDelete = z.looseObject({
   version: z.literal(1),
   type: z.literal("delete"),
-  did: z.string().max(MAX_DID),
+  did: z.string(),
   previousOperationCID: CIDString,
   createdAt: Iso8601,
-  note: z.string().max(MAX_NOTE).nullable(),
+  note: z.string().nullable(),
   /** DFOS credential authorizing this operation when signer is not the chain creator */
   authorization: z.string().optional()
 });
@@ -99,34 +138,27 @@ var ContentOperation = z.discriminatedUnion("type", [
   ContentUpdate,
   ContentDelete
 ]);
-var BeaconPayload = z.strictObject({
-  version: z.literal(1),
-  type: z.literal("beacon"),
-  did: z.string().max(MAX_DID),
-  manifestContentId: z.string().max(MAX_CID),
-  createdAt: Iso8601
-});
-var MAX_SCHEMA = 256;
 var MAX_ARTIFACT_PAYLOAD_SIZE = 16384;
-var ArtifactContent = z.object({ $schema: z.string().max(MAX_SCHEMA) }).catchall(z.unknown());
-var ArtifactPayload = z.strictObject({
+var ArtifactContent = z.object({ $schema: z.string() }).catchall(z.unknown());
+var ArtifactPayload = z.looseObject({
   version: z.literal(1),
   type: z.literal("artifact"),
-  did: z.string().max(MAX_DID),
+  did: z.string(),
   content: ArtifactContent,
   createdAt: Iso8601
 });
-var CountersignPayload = z.strictObject({
+var CountersignPayload = z.looseObject({
   version: z.literal(1),
   type: z.literal("countersign"),
-  did: z.string().max(MAX_DID),
+  did: z.string(),
   targetCID: CIDString,
+  relation: z.string().min(1).max(MAX_RELATION).optional(),
   createdAt: Iso8601
 });
-var RevocationPayload = z.strictObject({
+var RevocationPayload = z.looseObject({
   version: z.literal(1),
   type: z.literal("revocation"),
-  did: z.string().max(MAX_DID),
+  did: z.string(),
   credentialCID: CIDString,
   createdAt: Iso8601
 });
@@ -140,6 +172,27 @@ var deriveContentId = (cidBytes) => {
   return generateIdNoPrefix({ seed: cidBytes });
 };
 
+// src/chain/services.ts
+var assertServicesWithinCap = async (services) => {
+  const encoded = await dagCborCanonicalEncode(services);
+  if (encoded.bytes.length > MAX_SERVICES_PAYLOAD_SIZE) {
+    throw new Error(
+      `services payload exceeds max size: ${encoded.bytes.length} > ${MAX_SERVICES_PAYLOAD_SIZE}`
+    );
+  }
+};
+var classifyAnchor = (anchor) => {
+  if (CONTENT_ID_ANCHOR_RE.test(anchor)) return "chain";
+  if (ARTIFACT_CID_ANCHOR_RE.test(anchor)) return "artifact";
+  return "invalid";
+};
+var RECOGNIZED_SERVICE_TYPES = ["DfosRelay", "ContentAnchor"];
+var isRecognizedServiceType = (type) => RECOGNIZED_SERVICE_TYPES.includes(type);
+var relayEndpoints = (services) => services.filter((e) => e.type === "DfosRelay").map((e) => e["endpoint"]).filter((v) => typeof v === "string");
+var anchorsByLabel = (services, label) => services.filter(
+  (e) => e.type === "ContentAnchor" && e["label"] === label
+);
+
 // src/chain/identity-chain.ts
 var signIdentityOperation = async (input) => {
   const kid = input.identityDID ? `${input.identityDID}#${input.keyId}` : input.keyId;
@@ -162,6 +215,7 @@ var verifyIdentityChain = async (input) => {
     authKeys: [],
     assertKeys: [],
     controllerKeys: [],
+    services: [],
     seenKeys: /* @__PURE__ */ new Map()
   };
   for (const [idx, jwsToken] of input.log.entries()) {
@@ -190,6 +244,7 @@ var verifyIdentityChain = async (input) => {
       state.authKeys = op.authKeys;
       state.assertKeys = op.assertKeys;
       state.controllerKeys = op.controllerKeys;
+      state.services = op.services ?? [];
     }
     if (op.type === "update" || op.type === "delete") {
       if (op.previousOperationCID !== state.previousOperationCID) {
@@ -217,8 +272,20 @@ var verifyIdentityChain = async (input) => {
           throw new Error(`log[${idx}]: cannot repeat key ids in same usage`);
         }
       });
+      if (op.services) {
+        try {
+          await assertServicesWithinCap(op.services);
+        } catch (e) {
+          throw new Error(`log[${idx}]: ${e.message}`);
+        }
+      }
     }
     const encoded = await dagCborCanonicalEncode(op);
+    if (encoded.bytes.length > MAX_OPERATION_SIZE) {
+      throw new Error(
+        `log[${idx}]: operation exceeds max size: ${encoded.bytes.length} > ${MAX_OPERATION_SIZE}`
+      );
+    }
     const operationCID = encoded.cid.toString();
     if (!decoded.header.cid) {
       throw new Error(`log[${idx}]: missing cid in protected header`);
@@ -271,6 +338,7 @@ var verifyIdentityChain = async (input) => {
         state.authKeys = op.authKeys;
         state.assertKeys = op.assertKeys;
         state.controllerKeys = op.controllerKeys;
+        state.services = op.services ?? [];
         break;
       case "delete":
         state.isDeleted = true;
@@ -283,7 +351,8 @@ var verifyIdentityChain = async (input) => {
     isDeleted: state.isDeleted,
     authKeys: state.authKeys,
     assertKeys: state.assertKeys,
-    controllerKeys: state.controllerKeys
+    controllerKeys: state.controllerKeys,
+    services: state.services
   };
 };
 var verifyIdentityExtensionFromTrustedState = async (input) => {
@@ -312,6 +381,9 @@ var verifyIdentityExtensionFromTrustedState = async (input) => {
     throw new Error("createdAt must be after last op");
   }
   const encoded = await dagCborCanonicalEncode(op);
+  if (encoded.bytes.length > MAX_OPERATION_SIZE) {
+    throw new Error(`operation exceeds max size: ${encoded.bytes.length} > ${MAX_OPERATION_SIZE}`);
+  }
   const operationCID = encoded.cid.toString();
   if (!decoded.header.cid) throw new Error("missing cid in protected header");
   if (decoded.header.cid !== operationCID) throw new Error("cid mismatch in protected header");
@@ -342,24 +414,39 @@ var verifyIdentityExtensionFromTrustedState = async (input) => {
         throw new Error("cannot repeat key ids in same usage");
       }
     });
+    if (op.services) await assertServicesWithinCap(op.services);
   }
   const newState = op.type === "update" ? {
     did: currentState.did,
     isDeleted: false,
     authKeys: op.authKeys,
     assertKeys: op.assertKeys,
-    controllerKeys: op.controllerKeys
+    controllerKeys: op.controllerKeys,
+    services: op.services ?? []
   } : {
     did: currentState.did,
     isDeleted: true,
     authKeys: currentState.authKeys,
     assertKeys: currentState.assertKeys,
-    controllerKeys: currentState.controllerKeys
+    controllerKeys: currentState.controllerKeys,
+    services: currentState.services
   };
   return { state: newState, operationCID, createdAt: op.createdAt };
 };
 
 // src/chain/content-chain.ts
+var operationSizeForCap = async (op, fullByteLength) => {
+  const auth = op.authorization;
+  if (typeof auth !== "string") return fullByteLength;
+  if (auth.length > MAX_CREDENTIAL_SIZE) {
+    throw new Error(
+      `authorization credential exceeds max size: ${auth.length} > ${MAX_CREDENTIAL_SIZE}`
+    );
+  }
+  const { authorization: _omit, ...rest } = op;
+  const encoded = await dagCborCanonicalEncode(rest);
+  return encoded.bytes.length;
+};
 var signContentOperation = async (input) => {
   const encoded = await dagCborCanonicalEncode(input.operation);
   const operationCID = encoded.cid.toString();
@@ -483,6 +570,10 @@ var verifyContentChain = async (input) => {
       }
     }
     const encoded = await dagCborCanonicalEncode(op);
+    const opSize = await operationSizeForCap(op, encoded.bytes.length);
+    if (opSize > MAX_OPERATION_SIZE) {
+      throw new Error(`operation exceeds max size: ${opSize} > ${MAX_OPERATION_SIZE}`);
+    }
     const operationCID = encoded.cid.toString();
     if (!decoded.header.cid) {
       throw new Error(`log[${idx}]: missing cid in protected header`);
@@ -584,6 +675,10 @@ var verifyContentExtensionFromTrustedState = async (input) => {
     }
   }
   const encoded = await dagCborCanonicalEncode(op);
+  const opSize = await operationSizeForCap(op, encoded.bytes.length);
+  if (opSize > MAX_OPERATION_SIZE) {
+    throw new Error(`operation exceeds max size: ${opSize} > ${MAX_OPERATION_SIZE}`);
+  }
   const operationCID = encoded.cid.toString();
   if (!decoded.header.cid) throw new Error("missing cid in protected header");
   if (decoded.header.cid !== operationCID) throw new Error("cid mismatch in protected header");
@@ -599,61 +694,6 @@ var verifyContentExtensionFromTrustedState = async (input) => {
   return { state: newState, operationCID, createdAt: op.createdAt };
 };
 
-// src/chain/beacon.ts
-var signBeacon = async (input) => {
-  const encoded = await dagCborCanonicalEncode(input.payload);
-  const beaconCID = encoded.cid.toString();
-  const jwsToken = await createJws({
-    header: { alg: "EdDSA", typ: "did:dfos:beacon", kid: input.kid, cid: beaconCID },
-    payload: input.payload,
-    sign: input.signer
-  });
-  return { jwsToken, beaconCID };
-};
-var MAX_FUTURE_MS = 5 * 60 * 1e3;
-var verifyBeacon = async (input) => {
-  const decoded = decodeJwsUnsafe(input.jwsToken);
-  if (!decoded) throw new Error("failed to decode beacon JWS");
-  const result = BeaconPayload.safeParse(decoded.payload);
-  if (!result.success) {
-    const messages = result.error.issues.map((e) => e.message).join(", ");
-    throw new Error(`invalid beacon payload: ${messages}`);
-  }
-  const payload = result.data;
-  if (decoded.header.typ !== "did:dfos:beacon") {
-    throw new Error(`invalid beacon typ: ${decoded.header.typ}`);
-  }
-  const kid = decoded.header.kid;
-  const hashIdx = kid.indexOf("#");
-  if (hashIdx < 0) throw new Error("beacon kid must be a DID URL");
-  const kidDid = kid.substring(0, hashIdx);
-  if (kidDid !== payload.did) {
-    throw new Error("beacon kid DID does not match payload did");
-  }
-  const publicKey = await input.resolveKey(kid);
-  try {
-    verifyJws({ token: input.jwsToken, publicKey });
-  } catch {
-    throw new Error("invalid beacon signature");
-  }
-  const encoded = await dagCborCanonicalEncode(payload);
-  const beaconCID = encoded.cid.toString();
-  if (!decoded.header.cid) throw new Error("missing cid in beacon header");
-  if (decoded.header.cid !== beaconCID) throw new Error("beacon cid mismatch");
-  const now = input.now ?? Date.now();
-  const beaconTime = new Date(payload.createdAt).getTime();
-  if (beaconTime > now + MAX_FUTURE_MS) {
-    throw new Error("beacon createdAt is too far in the future");
-  }
-  return {
-    did: payload.did,
-    manifestContentId: payload.manifestContentId,
-    createdAt: payload.createdAt,
-    signerKeyId: kid,
-    beaconCID
-  };
-};
-
 // src/chain/countersign.ts
 var signCountersignature = async (input) => {
   const encoded = await dagCborCanonicalEncode(input.payload);
@@ -697,7 +737,8 @@ var verifyCountersignature = async (input) => {
   return {
     countersignCID,
     witnessDID: payload.did,
-    targetCID: payload.targetCID
+    targetCID: payload.targetCID,
+    ...payload.relation !== void 0 ? { relation: payload.relation } : {}
   };
 };
 
@@ -813,25 +854,35 @@ var verifyRevocation = async (input) => {
 };
 
 export {
+  MAX_SERVICES_ENTRIES,
+  MAX_SERVICES_PAYLOAD_SIZE,
+  MAX_OPERATION_SIZE,
   MultikeyPublicKey,
+  CONTENT_ID_ANCHOR_RE,
+  ARTIFACT_CID_ANCHOR_RE,
+  ServiceEntry,
+  ServicesArray,
   IdentityOperation,
   VerifiedIdentity,
   ContentOperation,
-  BeaconPayload,
   MAX_ARTIFACT_PAYLOAD_SIZE,
   ArtifactPayload,
   CountersignPayload,
   RevocationPayload,
   deriveChainIdentifier,
   deriveContentId,
+  assertServicesWithinCap,
+  classifyAnchor,
+  RECOGNIZED_SERVICE_TYPES,
+  isRecognizedServiceType,
+  relayEndpoints,
+  anchorsByLabel,
   signIdentityOperation,
   verifyIdentityChain,
   verifyIdentityExtensionFromTrustedState,
   signContentOperation,
   verifyContentChain,
   verifyContentExtensionFromTrustedState,
-  signBeacon,
-  verifyBeacon,
   signCountersignature,
   verifyCountersignature,
   signArtifact,

package/dist/credentials/index.d.ts

@@ -1,11 +1,22 @@
 import { z } from 'zod';
-import { V as VerifiedIdentity } from '../schemas-BhikXSf_.js';
+import { V as VerifiedIdentity } from '../schemas-Bb_9P8_s.js';
 
+/**
+ * Max byte length of a credential JWS token — the credential's analog of
+ * MAX_OPERATION_SIZE. Credentials are EXEMPT from the 64 KiB operation cap (a
+ * maximum-depth 16-hop delegation chain embeds each parent token in `prf` and
+ * legitimately exceeds it), so they carry their own larger ceiling. Measured
+ * over the serialized leaf token, which contains the entire nested chain, so one
+ * bound caps the whole delegation. A DoS guard on the nested `prf` structure;
+ * generous (a max-depth chain serializes to well under this). VALIDITY-
+ * determining: MUST match the Go reference (maxCredentialSize in jwt.go).
+ */
+declare const MAX_CREDENTIAL_SIZE = 262144;
 /** Single attenuation entry — resource + action pair */
 declare const Attenuation: z.ZodObject<{
     resource: z.ZodString;
     action: z.ZodString;
-}, z.core.$strict>;
+}, z.core.$loose>;
 type Attenuation = z.infer<typeof Attenuation>;
 /** DFOS credential payload — UCAN-style authorization token */
 declare const DFOSCredentialPayload: z.ZodObject<{
@@ -16,11 +27,11 @@ declare const DFOSCredentialPayload: z.ZodObject<{
     att: z.ZodArray<z.ZodObject<{
         resource: z.ZodString;
         action: z.ZodString;
-    }, z.core.$strict>>;
+    }, z.core.$loose>>;
     prf: z.ZodDefault<z.ZodArray<z.ZodString>>;
     exp: z.ZodNumber;
     iat: z.ZodNumber;
-}, z.core.$strict>;
+}, z.core.$loose>;
 type DFOSCredentialPayload = z.infer<typeof DFOSCredentialPayload>;
 /** Claims for a DID-signed auth token (relay AuthN) */
 declare const AuthTokenClaims: z.ZodObject<{
@@ -29,7 +40,7 @@ declare const AuthTokenClaims: z.ZodObject<{
     aud: z.ZodString;
     exp: z.ZodNumber;
     iat: z.ZodNumber;
-}, z.core.$strict>;
+}, z.core.$loose>;
 type AuthTokenClaims = z.infer<typeof AuthTokenClaims>;
 
 interface AuthTokenCreateOptions {
@@ -200,4 +211,4 @@ declare class CredentialVerificationError extends Error {
     constructor(message: string);
 }
 
-export { Attenuation, AuthTokenClaims, type AuthTokenCreateOptions, AuthTokenVerificationError, type AuthTokenVerifyOptions, CredentialVerificationError, DFOSCredentialPayload, type VerifiedAuthToken, type VerifiedDFOSCredential, type VerifiedDelegationChain, createAuthToken, createDFOSCredential, decodeDFOSCredentialUnsafe, isAttenuated, matchesResource, verifyAuthToken, verifyDFOSCredential, verifyDelegationChain };
+export { Attenuation, AuthTokenClaims, type AuthTokenCreateOptions, AuthTokenVerificationError, type AuthTokenVerifyOptions, CredentialVerificationError, DFOSCredentialPayload, MAX_CREDENTIAL_SIZE, type VerifiedAuthToken, type VerifiedDFOSCredential, type VerifiedDelegationChain, createAuthToken, createDFOSCredential, decodeDFOSCredentialUnsafe, isAttenuated, matchesResource, verifyAuthToken, verifyDFOSCredential, verifyDelegationChain };

package/dist/credentials/index.js

@@ -4,6 +4,7 @@ import {
   AuthTokenVerificationError,
   CredentialVerificationError,
   DFOSCredentialPayload,
+  MAX_CREDENTIAL_SIZE,
   createAuthToken,
   createDFOSCredential,
   decodeDFOSCredentialUnsafe,
@@ -12,14 +13,15 @@ import {
   verifyAuthToken,
   verifyDFOSCredential,
   verifyDelegationChain
-} from "../chunk-LQFOBE6X.js";
-import "../chunk-GQOZJKKO.js";
+} from "../chunk-J3XXF6F5.js";
+import "../chunk-4QQ5HK5M.js";
 export {
   Attenuation,
   AuthTokenClaims,
   AuthTokenVerificationError,
   CredentialVerificationError,
   DFOSCredentialPayload,
+  MAX_CREDENTIAL_SIZE,
   createAuthToken,
   createDFOSCredential,
   decodeDFOSCredentialUnsafe,

package/dist/crypto/index.js

@@ -21,7 +21,7 @@ import {
   signPayloadEd25519,
   verifyJws,
   verifyJwt
-} from "../chunk-GQOZJKKO.js";
+} from "../chunk-4QQ5HK5M.js";
 export {
   JwsVerificationError,
   JwtVerificationError,

package/dist/index.d.ts

@@ -1,7 +1,7 @@
 export { JwsHeader, JwsVerificationError, JwtClaims, JwtCreateOptions, JwtHeader, JwtVerificationError, JwtVerifyOptions, PrefixedID, assertJwsProfile, base64urlDecode, base64urlEncode, createJws, createJwt, createNewEd25519Keypair, dagCborCanonicalEncode, decodeJwsUnsafe, decodeJwtUnsafe, generateId, generateIdNoPrefix, importEd25519Keypair, isCanonicallyEqual, isValidEd25519Signature, isValidId, normalizedId, parseDagCborCID, signPayloadEd25519, verifyJws, verifyJwt } from './crypto/index.js';
-export { A as ArtifactPayload, B as BeaconPayload, C as ContentOperation, a as CountersignPayload, I as IdentityOperation, M as MAX_ARTIFACT_PAYLOAD_SIZE, b as MultikeyPublicKey, R as RevocationPayload, S as Signer, V as VerifiedIdentity } from './schemas-BhikXSf_.js';
-export { ED25519_PRIV_MULTICODEC, ED25519_PUB_MULTICODEC, VerifiedArtifact, VerifiedBeacon, VerifiedContentChain, VerifiedCountersignature, VerifiedRevocation, decodeMultikey, deriveChainIdentifier, deriveContentId, encodeEd25519Multikey, signArtifact, signBeacon, signContentOperation, signCountersignature, signIdentityOperation, signRevocation, verifyArtifact, verifyBeacon, verifyContentChain, verifyContentExtensionFromTrustedState, verifyCountersignature, verifyIdentityChain, verifyIdentityExtensionFromTrustedState, verifyRevocation } from './chain/index.js';
-export { Attenuation, AuthTokenClaims, AuthTokenCreateOptions, AuthTokenVerificationError, AuthTokenVerifyOptions, CredentialVerificationError, DFOSCredentialPayload, VerifiedAuthToken, VerifiedDFOSCredential, VerifiedDelegationChain, createAuthToken, createDFOSCredential, decodeDFOSCredentialUnsafe, isAttenuated, matchesResource, verifyAuthToken, verifyDFOSCredential, verifyDelegationChain } from './credentials/index.js';
+export { A as ARTIFACT_CID_ANCHOR_RE, a as ArtifactPayload, C as CONTENT_ID_ANCHOR_RE, b as ContentOperation, c as CountersignPayload, I as IdentityOperation, M as MAX_ARTIFACT_PAYLOAD_SIZE, d as MAX_OPERATION_SIZE, e as MAX_SERVICES_ENTRIES, f as MAX_SERVICES_PAYLOAD_SIZE, g as MultikeyPublicKey, R as RevocationPayload, S as ServiceEntry, h as ServicesArray, i as Signer, V as VerifiedIdentity } from './schemas-Bb_9P8_s.js';
+export { AnchorKind, ED25519_PRIV_MULTICODEC, ED25519_PUB_MULTICODEC, RECOGNIZED_SERVICE_TYPES, VerifiedArtifact, VerifiedContentChain, VerifiedCountersignature, VerifiedRevocation, anchorsByLabel, assertServicesWithinCap, classifyAnchor, decodeMultikey, deriveChainIdentifier, deriveContentId, encodeEd25519Multikey, isRecognizedServiceType, relayEndpoints, signArtifact, signContentOperation, signCountersignature, signIdentityOperation, signRevocation, verifyArtifact, verifyContentChain, verifyContentExtensionFromTrustedState, verifyCountersignature, verifyIdentityChain, verifyIdentityExtensionFromTrustedState, verifyRevocation } from './chain/index.js';
+export { Attenuation, AuthTokenClaims, AuthTokenCreateOptions, AuthTokenVerificationError, AuthTokenVerifyOptions, CredentialVerificationError, DFOSCredentialPayload, MAX_CREDENTIAL_SIZE, VerifiedAuthToken, VerifiedDFOSCredential, VerifiedDelegationChain, createAuthToken, createDFOSCredential, decodeDFOSCredentialUnsafe, isAttenuated, matchesResource, verifyAuthToken, verifyDFOSCredential, verifyDelegationChain } from './credentials/index.js';
 import 'multiformats';
 import 'multiformats/cid';
 import 'zod';