@metalabel/dfos-protocol 0.11.0 → 0.13.0

package/dist/chain/index.d.ts

@@ -1,5 +1,5 @@
-import { I as IdentityOperation, h as Signer, V as VerifiedIdentity, S as ServiceEntry, b as ContentOperation, c as CountersignPayload, a as ArtifactPayload } from '../schemas-Myod8ES9.js';
-export { A as ARTIFACT_CID_ANCHOR_RE, C as CONTENT_ID_ANCHOR_RE, M as MAX_ARTIFACT_PAYLOAD_SIZE, d as MAX_SERVICES_ENTRIES, e as MAX_SERVICES_PAYLOAD_SIZE, f as MultikeyPublicKey, R as RevocationPayload, g as ServicesArray } from '../schemas-Myod8ES9.js';
+import { I as IdentityOperation, i as Signer, V as VerifiedIdentity, S as ServiceEntry, b as ContentOperation, c as CountersignPayload, a as ArtifactPayload } from '../schemas-BXye25k7.js';
+export { A as ARTIFACT_CID_ANCHOR_RE, C as CONTENT_ID_ANCHOR_RE, M as MAX_ARTIFACT_PAYLOAD_SIZE, d as MAX_OPERATION_SIZE, e as MAX_SERVICES_ENTRIES, f as MAX_SERVICES_PAYLOAD_SIZE, g as MultikeyPublicKey, R as RevocationPayload, h as ServicesArray } from '../schemas-BXye25k7.js';
 import 'zod';
 
 /** Ed25519 public key multicodec value */

package/dist/chain/index.js

@@ -6,6 +6,7 @@ import {
   CountersignPayload,
   IdentityOperation,
   MAX_ARTIFACT_PAYLOAD_SIZE,
+  MAX_OPERATION_SIZE,
   MAX_SERVICES_ENTRIES,
   MAX_SERVICES_PAYLOAD_SIZE,
   MultikeyPublicKey,
@@ -33,14 +34,14 @@ import {
   verifyIdentityChain,
   verifyIdentityExtensionFromTrustedState,
   verifyRevocation
-} from "../chunk-SDUOUFTF.js";
+} from "../chunk-4EJCATUC.js";
 import {
   ED25519_PRIV_MULTICODEC,
   ED25519_PUB_MULTICODEC,
   decodeMultikey,
   encodeEd25519Multikey
-} from "../chunk-LQFOBE6X.js";
-import "../chunk-GQOZJKKO.js";
+} from "../chunk-FMHROCFH.js";
+import "../chunk-4QQ5HK5M.js";
 export {
   ARTIFACT_CID_ANCHOR_RE,
   ArtifactPayload,
@@ -51,6 +52,7 @@ export {
   ED25519_PUB_MULTICODEC,
   IdentityOperation,
   MAX_ARTIFACT_PAYLOAD_SIZE,
+  MAX_OPERATION_SIZE,
   MAX_SERVICES_ENTRIES,
   MAX_SERVICES_PAYLOAD_SIZE,
   MultikeyPublicKey,

package/dist/{chunk-SDUOUFTF.js → chunk-4EJCATUC.js}

@@ -1,52 +1,46 @@
 import {
+  MAX_CREDENTIAL_SIZE,
   decodeDFOSCredentialUnsafe,
   decodeMultikey,
   matchesResource,
   verifyDFOSCredential,
   verifyDelegationChain
-} from "./chunk-LQFOBE6X.js";
+} from "./chunk-FMHROCFH.js";
 import {
   createJws,
   dagCborCanonicalEncode,
   decodeJwsUnsafe,
   generateIdNoPrefix,
   verifyJws
-} from "./chunk-GQOZJKKO.js";
+} from "./chunk-4QQ5HK5M.js";
 
 // src/chain/schemas.ts
 import { z } from "zod";
-var MAX_KEY_ID = 64;
-var MAX_PUBLIC_KEY_MULTIBASE = 128;
-var MAX_CID = 256;
-var MAX_NOTE = 256;
-var MAX_KEYS_PER_ROLE = 16;
-var MAX_DID = 256;
-var MAX_SERVICE_ID = 64;
-var MAX_SERVICE_TYPE = 64;
-var MAX_SERVICE_STRING = 512;
+var MAX_KEYS_PER_ROLE = 256;
 var MAX_RELATION = 64;
-var MAX_SERVICES_ENTRIES = 16;
-var MAX_SERVICES_PAYLOAD_SIZE = 8192;
-var MultikeyPublicKey = z.strictObject({
-  id: z.string().max(MAX_KEY_ID),
+var MAX_SERVICES_ENTRIES = 256;
+var MAX_SERVICES_PAYLOAD_SIZE = 32768;
+var MAX_OPERATION_SIZE = 65536;
+var MultikeyPublicKey = z.looseObject({
+  id: z.string(),
   type: z.literal("Multikey"),
-  publicKeyMultibase: z.string().max(MAX_PUBLIC_KEY_MULTIBASE)
+  publicKeyMultibase: z.string()
 });
 var CONTENT_ID_ANCHOR_RE = /^[2346789acdefhknrtvz]{31}$/;
-var ARTIFACT_CID_ANCHOR_RE = /^baf[a-z2-7]{20,}$/;
+var ARTIFACT_CID_ANCHOR_RE = /^bafyrei[a-z2-7]{52}$/;
 var ServiceEntry = z.object({
-  id: z.string().min(1).max(MAX_SERVICE_ID),
-  type: z.string().min(1).max(MAX_SERVICE_TYPE)
+  id: z.string().min(1),
+  type: z.string().min(1)
 }).catchall(z.unknown()).superRefine((entry, ctx) => {
   if (entry.type === "DfosRelay") {
     const endpoint = entry["endpoint"];
-    if (typeof endpoint !== "string" || endpoint.length < 1 || endpoint.length > MAX_SERVICE_STRING) {
+    if (typeof endpoint !== "string" || endpoint.length < 1) {
       ctx.addIssue({ code: "custom", message: "DfosRelay requires a non-empty endpoint string" });
     }
   } else if (entry.type === "ContentAnchor") {
     const label = entry["label"];
     const anchor = entry["anchor"];
-    if (typeof label !== "string" || label.length < 1 || label.length > MAX_SERVICE_STRING) {
+    if (typeof label !== "string" || label.length < 1) {
       ctx.addIssue({
         code: "custom",
         message: "ContentAnchor requires a non-empty label string"
@@ -65,8 +59,8 @@ var ServicesArray = z.array(ServiceEntry).max(MAX_SERVICES_ENTRIES).refine(
   "service entry ids must be unique"
 );
 var Iso8601 = z.iso.datetime({ offset: false, precision: 3 });
-var CIDString = z.string().max(MAX_CID);
-var IdentityCreate = z.strictObject({
+var CIDString = z.string();
+var IdentityCreate = z.looseObject({
   version: z.literal(1),
   type: z.literal("create"),
   authKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
@@ -77,7 +71,7 @@ var IdentityCreate = z.strictObject({
   services: ServicesArray.optional(),
   createdAt: Iso8601
 });
-var IdentityUpdate = z.strictObject({
+var IdentityUpdate = z.looseObject({
   version: z.literal(1),
   type: z.literal("update"),
   previousOperationCID: CIDString,
@@ -88,7 +82,7 @@ var IdentityUpdate = z.strictObject({
   services: ServicesArray.optional(),
   createdAt: Iso8601
 });
-var IdentityDelete = z.strictObject({
+var IdentityDelete = z.looseObject({
   version: z.literal(1),
   type: z.literal("delete"),
   previousOperationCID: CIDString,
@@ -100,7 +94,7 @@ var IdentityOperation = z.discriminatedUnion("type", [
   IdentityDelete
 ]);
 var VerifiedIdentity = z.strictObject({
-  did: z.string().max(MAX_DID),
+  did: z.string(),
   isDeleted: z.boolean(),
   authKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
   assertKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
@@ -108,34 +102,31 @@ var VerifiedIdentity = z.strictObject({
   /** Resolved discovery vocabulary — projection of the winning head's services */
   services: ServicesArray
 });
-var ContentCreate = z.strictObject({
+var ContentCreate = z.looseObject({
   version: z.literal(1),
   type: z.literal("create"),
-  did: z.string().max(MAX_DID),
+  did: z.string(),
   documentCID: CIDString,
   baseDocumentCID: CIDString.nullable(),
-  createdAt: Iso8601,
-  note: z.string().max(MAX_NOTE).nullable()
+  createdAt: Iso8601
 });
-var ContentUpdate = z.strictObject({
+var ContentUpdate = z.looseObject({
   version: z.literal(1),
   type: z.literal("update"),
-  did: z.string().max(MAX_DID),
+  did: z.string(),
   previousOperationCID: CIDString,
   documentCID: CIDString.nullable(),
   baseDocumentCID: CIDString.nullable(),
   createdAt: Iso8601,
-  note: z.string().max(MAX_NOTE).nullable(),
   /** DFOS credential authorizing this operation when signer is not the chain creator */
   authorization: z.string().optional()
 });
-var ContentDelete = z.strictObject({
+var ContentDelete = z.looseObject({
   version: z.literal(1),
   type: z.literal("delete"),
-  did: z.string().max(MAX_DID),
+  did: z.string(),
   previousOperationCID: CIDString,
   createdAt: Iso8601,
-  note: z.string().max(MAX_NOTE).nullable(),
   /** DFOS credential authorizing this operation when signer is not the chain creator */
   authorization: z.string().optional()
 });
@@ -144,28 +135,27 @@ var ContentOperation = z.discriminatedUnion("type", [
   ContentUpdate,
   ContentDelete
 ]);
-var MAX_SCHEMA = 256;
 var MAX_ARTIFACT_PAYLOAD_SIZE = 16384;
-var ArtifactContent = z.object({ $schema: z.string().max(MAX_SCHEMA) }).catchall(z.unknown());
-var ArtifactPayload = z.strictObject({
+var ArtifactContent = z.object({ $schema: z.string() }).catchall(z.unknown());
+var ArtifactPayload = z.looseObject({
   version: z.literal(1),
   type: z.literal("artifact"),
-  did: z.string().max(MAX_DID),
+  did: z.string(),
   content: ArtifactContent,
   createdAt: Iso8601
 });
-var CountersignPayload = z.strictObject({
+var CountersignPayload = z.looseObject({
   version: z.literal(1),
   type: z.literal("countersign"),
-  did: z.string().max(MAX_DID),
+  did: z.string(),
   targetCID: CIDString,
   relation: z.string().min(1).max(MAX_RELATION).optional(),
   createdAt: Iso8601
 });
-var RevocationPayload = z.strictObject({
+var RevocationPayload = z.looseObject({
   version: z.literal(1),
   type: z.literal("revocation"),
-  did: z.string().max(MAX_DID),
+  did: z.string(),
   credentialCID: CIDString,
   createdAt: Iso8601
 });
@@ -288,6 +278,11 @@ var verifyIdentityChain = async (input) => {
       }
     }
     const encoded = await dagCborCanonicalEncode(op);
+    if (encoded.bytes.length > MAX_OPERATION_SIZE) {
+      throw new Error(
+        `log[${idx}]: operation exceeds max size: ${encoded.bytes.length} > ${MAX_OPERATION_SIZE}`
+      );
+    }
     const operationCID = encoded.cid.toString();
     if (!decoded.header.cid) {
       throw new Error(`log[${idx}]: missing cid in protected header`);
@@ -383,6 +378,9 @@ var verifyIdentityExtensionFromTrustedState = async (input) => {
     throw new Error("createdAt must be after last op");
   }
   const encoded = await dagCborCanonicalEncode(op);
+  if (encoded.bytes.length > MAX_OPERATION_SIZE) {
+    throw new Error(`operation exceeds max size: ${encoded.bytes.length} > ${MAX_OPERATION_SIZE}`);
+  }
   const operationCID = encoded.cid.toString();
   if (!decoded.header.cid) throw new Error("missing cid in protected header");
   if (decoded.header.cid !== operationCID) throw new Error("cid mismatch in protected header");
@@ -434,6 +432,18 @@ var verifyIdentityExtensionFromTrustedState = async (input) => {
 };
 
 // src/chain/content-chain.ts
+var operationSizeForCap = async (op, fullByteLength) => {
+  const auth = op.authorization;
+  if (typeof auth !== "string") return fullByteLength;
+  if (auth.length > MAX_CREDENTIAL_SIZE) {
+    throw new Error(
+      `authorization credential exceeds max size: ${auth.length} > ${MAX_CREDENTIAL_SIZE}`
+    );
+  }
+  const { authorization: _omit, ...rest } = op;
+  const encoded = await dagCborCanonicalEncode(rest);
+  return encoded.bytes.length;
+};
 var signContentOperation = async (input) => {
   const encoded = await dagCborCanonicalEncode(input.operation);
   const operationCID = encoded.cid.toString();
@@ -557,6 +567,10 @@ var verifyContentChain = async (input) => {
       }
     }
     const encoded = await dagCborCanonicalEncode(op);
+    const opSize = await operationSizeForCap(op, encoded.bytes.length);
+    if (opSize > MAX_OPERATION_SIZE) {
+      throw new Error(`operation exceeds max size: ${opSize} > ${MAX_OPERATION_SIZE}`);
+    }
     const operationCID = encoded.cid.toString();
     if (!decoded.header.cid) {
       throw new Error(`log[${idx}]: missing cid in protected header`);
@@ -658,6 +672,10 @@ var verifyContentExtensionFromTrustedState = async (input) => {
     }
   }
   const encoded = await dagCborCanonicalEncode(op);
+  const opSize = await operationSizeForCap(op, encoded.bytes.length);
+  if (opSize > MAX_OPERATION_SIZE) {
+    throw new Error(`operation exceeds max size: ${opSize} > ${MAX_OPERATION_SIZE}`);
+  }
   const operationCID = encoded.cid.toString();
   if (!decoded.header.cid) throw new Error("missing cid in protected header");
   if (decoded.header.cid !== operationCID) throw new Error("cid mismatch in protected header");
@@ -835,6 +853,7 @@ var verifyRevocation = async (input) => {
 export {
   MAX_SERVICES_ENTRIES,
   MAX_SERVICES_PAYLOAD_SIZE,
+  MAX_OPERATION_SIZE,
   MultikeyPublicKey,
   CONTENT_ID_ANCHOR_RE,
   ARTIFACT_CID_ANCHOR_RE,

package/dist/{chunk-GQOZJKKO.js → chunk-4QQ5HK5M.js}

@@ -239,7 +239,11 @@ var dagCborCanonicalEncode = async (value) => {
   });
 };
 var MAX_SAFE_CANONICAL_INTEGER = 9007199254740991;
-var assertCanonicalNumbers = (value) => {
+var MAX_CANONICAL_DEPTH = 1024;
+var assertCanonicalNumbers = (value, depth = 0) => {
+  if (depth > MAX_CANONICAL_DEPTH) {
+    throw new Error(`value nesting exceeds max depth ${MAX_CANONICAL_DEPTH}`);
+  }
   if (typeof value === "number") {
     if (!Number.isFinite(value)) {
       throw new Error(`non-finite number is not canonicalizable: ${value}`);
@@ -257,11 +261,11 @@ var assertCanonicalNumbers = (value) => {
     return;
   }
   if (Array.isArray(value)) {
-    for (const entry of value) assertCanonicalNumbers(entry);
+    for (const entry of value) assertCanonicalNumbers(entry, depth + 1);
     return;
   }
   if (value !== null && typeof value === "object") {
-    for (const entry of Object.values(value)) assertCanonicalNumbers(entry);
+    for (const entry of Object.values(value)) assertCanonicalNumbers(entry, depth + 1);
   }
 };
 var parseDagCborCID = (cid) => {

package/dist/{chunk-LQFOBE6X.js → chunk-FMHROCFH.js}

@@ -5,27 +5,24 @@ import {
   decodeJwsUnsafe,
   verifyJws,
   verifyJwt
-} from "./chunk-GQOZJKKO.js";
+} from "./chunk-4QQ5HK5M.js";
 
 // src/credentials/schemas.ts
 import { z } from "zod";
-var MAX_DID = 256;
-var MAX_AUD = 512;
-var MAX_RESOURCE = 512;
-var MAX_ACTION = 64;
 var MAX_ATT = 32;
 var MAX_PRF = 1;
-var Attenuation = z.strictObject({
-  resource: z.string().min(1).max(MAX_RESOURCE),
-  action: z.string().min(1).max(MAX_ACTION)
+var MAX_CREDENTIAL_SIZE = 262144;
+var Attenuation = z.looseObject({
+  resource: z.string().min(1),
+  action: z.string().min(1)
 });
-var DFOSCredentialPayload = z.strictObject({
+var DFOSCredentialPayload = z.looseObject({
   version: z.literal(1),
   type: z.literal("DFOSCredential"),
   /** Issuer DID */
-  iss: z.string().min(1).max(MAX_DID),
+  iss: z.string().min(1),
   /** Audience DID or "*" for public credentials */
-  aud: z.string().min(1).max(MAX_AUD),
+  aud: z.string().min(1),
   /** Attenuations — resource + action pairs */
   att: z.array(Attenuation).min(1).max(MAX_ATT),
   /** Parent credential JWS tokens (for delegation chains) */
@@ -35,13 +32,13 @@ var DFOSCredentialPayload = z.strictObject({
   /** Issued at — unix seconds */
   iat: z.number().int().positive()
 });
-var AuthTokenClaims = z.strictObject({
+var AuthTokenClaims = z.looseObject({
   /** Issuer — the DID proving identity */
-  iss: z.string().max(MAX_DID),
+  iss: z.string(),
   /** Subject — same as iss for auth tokens */
-  sub: z.string().max(MAX_DID),
+  sub: z.string(),
   /** Audience — target relay hostname (prevents cross-relay replay) */
-  aud: z.string().max(MAX_AUD),
+  aud: z.string(),
   /** Expiration — unix seconds, short-lived (minutes) */
   exp: z.number().int().positive(),
   /** Issued at — unix seconds */
@@ -187,6 +184,11 @@ var createDFOSCredential = async (options) => {
   return jwsToken;
 };
 var verifyDFOSCredential = async (jwsToken, options) => {
+  if (jwsToken.length > MAX_CREDENTIAL_SIZE) {
+    throw new CredentialVerificationError(
+      `credential exceeds max size: ${jwsToken.length} > ${MAX_CREDENTIAL_SIZE}`
+    );
+  }
   const decoded = decodeJwsUnsafe(jwsToken);
   if (!decoded) throw new CredentialVerificationError("failed to decode credential JWS");
   if (decoded.header.typ !== "did:dfos:credential") {
@@ -290,16 +292,16 @@ var verifyDelegationChain = async (credential, options) => {
     chain.push(parent);
     current = parent;
   }
-  throw new CredentialVerificationError("delegation chain too deep (max 16 hops)");
+  throw new CredentialVerificationError("delegation chain too deep (max 16 credentials)");
 };
 var parseResource = (resource) => {
   const colonIdx = resource.indexOf(":");
   if (colonIdx < 0) return null;
   return { type: resource.substring(0, colonIdx), id: resource.substring(colonIdx + 1) };
 };
-var parseActions = (action) => {
-  return new Set(action.split(",").map((a) => a.trim()));
-};
+var parseActions = (action) => new Set(
+  action.split(",").map((a) => a.trim()).filter((a) => a !== "")
+);
 var isAttenuated = (parentAtt, childAtt) => {
   return childAtt.every((childEntry) => {
     const childRes = parseResource(childEntry.resource);
@@ -372,6 +374,7 @@ export {
   ED25519_PRIV_MULTICODEC,
   encodeEd25519Multikey,
   decodeMultikey,
+  MAX_CREDENTIAL_SIZE,
   Attenuation,
   DFOSCredentialPayload,
   AuthTokenClaims,

package/dist/credentials/index.d.ts

@@ -1,11 +1,22 @@
 import { z } from 'zod';
-import { V as VerifiedIdentity } from '../schemas-Myod8ES9.js';
+import { V as VerifiedIdentity } from '../schemas-BXye25k7.js';
 
+/**
+ * Max byte length of a credential JWS token — the credential's analog of
+ * MAX_OPERATION_SIZE. Credentials are EXEMPT from the 64 KiB operation cap (a
+ * maximum-depth 16-credential delegation chain embeds each parent token in `prf` and
+ * legitimately exceeds it), so they carry their own larger ceiling. Measured
+ * over the serialized leaf token, which contains the entire nested chain, so one
+ * bound caps the whole delegation. A DoS guard on the nested `prf` structure;
+ * generous (a max-depth chain serializes to well under this). VALIDITY-
+ * determining: MUST match the Go reference (maxCredentialSize in jwt.go).
+ */
+declare const MAX_CREDENTIAL_SIZE = 262144;
 /** Single attenuation entry — resource + action pair */
 declare const Attenuation: z.ZodObject<{
     resource: z.ZodString;
     action: z.ZodString;
-}, z.core.$strict>;
+}, z.core.$loose>;
 type Attenuation = z.infer<typeof Attenuation>;
 /** DFOS credential payload — UCAN-style authorization token */
 declare const DFOSCredentialPayload: z.ZodObject<{
@@ -16,11 +27,11 @@ declare const DFOSCredentialPayload: z.ZodObject<{
     att: z.ZodArray<z.ZodObject<{
         resource: z.ZodString;
         action: z.ZodString;
-    }, z.core.$strict>>;
+    }, z.core.$loose>>;
     prf: z.ZodDefault<z.ZodArray<z.ZodString>>;
     exp: z.ZodNumber;
     iat: z.ZodNumber;
-}, z.core.$strict>;
+}, z.core.$loose>;
 type DFOSCredentialPayload = z.infer<typeof DFOSCredentialPayload>;
 /** Claims for a DID-signed auth token (relay AuthN) */
 declare const AuthTokenClaims: z.ZodObject<{
@@ -29,7 +40,7 @@ declare const AuthTokenClaims: z.ZodObject<{
     aud: z.ZodString;
     exp: z.ZodNumber;
     iat: z.ZodNumber;
-}, z.core.$strict>;
+}, z.core.$loose>;
 type AuthTokenClaims = z.infer<typeof AuthTokenClaims>;
 
 interface AuthTokenCreateOptions {
@@ -200,4 +211,4 @@ declare class CredentialVerificationError extends Error {
     constructor(message: string);
 }
 
-export { Attenuation, AuthTokenClaims, type AuthTokenCreateOptions, AuthTokenVerificationError, type AuthTokenVerifyOptions, CredentialVerificationError, DFOSCredentialPayload, type VerifiedAuthToken, type VerifiedDFOSCredential, type VerifiedDelegationChain, createAuthToken, createDFOSCredential, decodeDFOSCredentialUnsafe, isAttenuated, matchesResource, verifyAuthToken, verifyDFOSCredential, verifyDelegationChain };
+export { Attenuation, AuthTokenClaims, type AuthTokenCreateOptions, AuthTokenVerificationError, type AuthTokenVerifyOptions, CredentialVerificationError, DFOSCredentialPayload, MAX_CREDENTIAL_SIZE, type VerifiedAuthToken, type VerifiedDFOSCredential, type VerifiedDelegationChain, createAuthToken, createDFOSCredential, decodeDFOSCredentialUnsafe, isAttenuated, matchesResource, verifyAuthToken, verifyDFOSCredential, verifyDelegationChain };

package/dist/credentials/index.js

@@ -4,6 +4,7 @@ import {
   AuthTokenVerificationError,
   CredentialVerificationError,
   DFOSCredentialPayload,
+  MAX_CREDENTIAL_SIZE,
   createAuthToken,
   createDFOSCredential,
   decodeDFOSCredentialUnsafe,
@@ -12,14 +13,15 @@ import {
   verifyAuthToken,
   verifyDFOSCredential,
   verifyDelegationChain
-} from "../chunk-LQFOBE6X.js";
-import "../chunk-GQOZJKKO.js";
+} from "../chunk-FMHROCFH.js";
+import "../chunk-4QQ5HK5M.js";
 export {
   Attenuation,
   AuthTokenClaims,
   AuthTokenVerificationError,
   CredentialVerificationError,
   DFOSCredentialPayload,
+  MAX_CREDENTIAL_SIZE,
   createAuthToken,
   createDFOSCredential,
   decodeDFOSCredentialUnsafe,

package/dist/crypto/index.js

@@ -21,7 +21,7 @@ import {
   signPayloadEd25519,
   verifyJws,
   verifyJwt
-} from "../chunk-GQOZJKKO.js";
+} from "../chunk-4QQ5HK5M.js";
 export {
   JwsVerificationError,
   JwtVerificationError,

package/dist/index.d.ts

@@ -1,7 +1,7 @@
 export { JwsHeader, JwsVerificationError, JwtClaims, JwtCreateOptions, JwtHeader, JwtVerificationError, JwtVerifyOptions, PrefixedID, assertJwsProfile, base64urlDecode, base64urlEncode, createJws, createJwt, createNewEd25519Keypair, dagCborCanonicalEncode, decodeJwsUnsafe, decodeJwtUnsafe, generateId, generateIdNoPrefix, importEd25519Keypair, isCanonicallyEqual, isValidEd25519Signature, isValidId, normalizedId, parseDagCborCID, signPayloadEd25519, verifyJws, verifyJwt } from './crypto/index.js';
-export { A as ARTIFACT_CID_ANCHOR_RE, a as ArtifactPayload, C as CONTENT_ID_ANCHOR_RE, b as ContentOperation, c as CountersignPayload, I as IdentityOperation, M as MAX_ARTIFACT_PAYLOAD_SIZE, d as MAX_SERVICES_ENTRIES, e as MAX_SERVICES_PAYLOAD_SIZE, f as MultikeyPublicKey, R as RevocationPayload, S as ServiceEntry, g as ServicesArray, h as Signer, V as VerifiedIdentity } from './schemas-Myod8ES9.js';
+export { A as ARTIFACT_CID_ANCHOR_RE, a as ArtifactPayload, C as CONTENT_ID_ANCHOR_RE, b as ContentOperation, c as CountersignPayload, I as IdentityOperation, M as MAX_ARTIFACT_PAYLOAD_SIZE, d as MAX_OPERATION_SIZE, e as MAX_SERVICES_ENTRIES, f as MAX_SERVICES_PAYLOAD_SIZE, g as MultikeyPublicKey, R as RevocationPayload, S as ServiceEntry, h as ServicesArray, i as Signer, V as VerifiedIdentity } from './schemas-BXye25k7.js';
 export { AnchorKind, ED25519_PRIV_MULTICODEC, ED25519_PUB_MULTICODEC, RECOGNIZED_SERVICE_TYPES, VerifiedArtifact, VerifiedContentChain, VerifiedCountersignature, VerifiedRevocation, anchorsByLabel, assertServicesWithinCap, classifyAnchor, decodeMultikey, deriveChainIdentifier, deriveContentId, encodeEd25519Multikey, isRecognizedServiceType, relayEndpoints, signArtifact, signContentOperation, signCountersignature, signIdentityOperation, signRevocation, verifyArtifact, verifyContentChain, verifyContentExtensionFromTrustedState, verifyCountersignature, verifyIdentityChain, verifyIdentityExtensionFromTrustedState, verifyRevocation } from './chain/index.js';
-export { Attenuation, AuthTokenClaims, AuthTokenCreateOptions, AuthTokenVerificationError, AuthTokenVerifyOptions, CredentialVerificationError, DFOSCredentialPayload, VerifiedAuthToken, VerifiedDFOSCredential, VerifiedDelegationChain, createAuthToken, createDFOSCredential, decodeDFOSCredentialUnsafe, isAttenuated, matchesResource, verifyAuthToken, verifyDFOSCredential, verifyDelegationChain } from './credentials/index.js';
+export { Attenuation, AuthTokenClaims, AuthTokenCreateOptions, AuthTokenVerificationError, AuthTokenVerifyOptions, CredentialVerificationError, DFOSCredentialPayload, MAX_CREDENTIAL_SIZE, VerifiedAuthToken, VerifiedDFOSCredential, VerifiedDelegationChain, createAuthToken, createDFOSCredential, decodeDFOSCredentialUnsafe, isAttenuated, matchesResource, verifyAuthToken, verifyDFOSCredential, verifyDelegationChain } from './credentials/index.js';
 import 'multiformats';
 import 'multiformats/cid';
 import 'zod';

package/dist/index.js

@@ -6,6 +6,7 @@ import {
   CountersignPayload,
   IdentityOperation,
   MAX_ARTIFACT_PAYLOAD_SIZE,
+  MAX_OPERATION_SIZE,
   MAX_SERVICES_ENTRIES,
   MAX_SERVICES_PAYLOAD_SIZE,
   MultikeyPublicKey,
@@ -33,7 +34,7 @@ import {
   verifyIdentityChain,
   verifyIdentityExtensionFromTrustedState,
   verifyRevocation
-} from "./chunk-SDUOUFTF.js";
+} from "./chunk-4EJCATUC.js";
 import {
   Attenuation,
   AuthTokenClaims,
@@ -42,6 +43,7 @@ import {
   DFOSCredentialPayload,
   ED25519_PRIV_MULTICODEC,
   ED25519_PUB_MULTICODEC,
+  MAX_CREDENTIAL_SIZE,
   createAuthToken,
   createDFOSCredential,
   decodeDFOSCredentialUnsafe,
@@ -52,7 +54,7 @@ import {
   verifyAuthToken,
   verifyDFOSCredential,
   verifyDelegationChain
-} from "./chunk-LQFOBE6X.js";
+} from "./chunk-FMHROCFH.js";
 import {
   JwsVerificationError,
   JwtVerificationError,
@@ -76,7 +78,7 @@ import {
   signPayloadEd25519,
   verifyJws,
   verifyJwt
-} from "./chunk-GQOZJKKO.js";
+} from "./chunk-4QQ5HK5M.js";
 export {
   ARTIFACT_CID_ANCHOR_RE,
   ArtifactPayload,
@@ -94,6 +96,8 @@ export {
   JwsVerificationError,
   JwtVerificationError,
   MAX_ARTIFACT_PAYLOAD_SIZE,
+  MAX_CREDENTIAL_SIZE,
+  MAX_OPERATION_SIZE,
   MAX_SERVICES_ENTRIES,
   MAX_SERVICES_PAYLOAD_SIZE,
   MultikeyPublicKey,

package/dist/{schemas-Myod8ES9.d.ts → schemas-BXye25k7.d.ts}

@@ -2,23 +2,54 @@ import { z } from 'zod';
 
 /** Function that signs a byte array and returns a signature */
 type Signer = (message: Uint8Array) => Promise<Uint8Array>;
-/** Max number of service entries in an identity's services state */
-declare const MAX_SERVICES_ENTRIES = 16;
-/** Max CBOR-encoded size of the services array (bytes) — protocol constant */
-declare const MAX_SERVICES_PAYLOAD_SIZE = 8192;
+/**
+ * Max number of service entries in an identity's services state — a generous
+ * cardinality ceiling on resolution fan-out. Individual entry fields are NOT
+ * separately length-capped (no per-field length zoo): the aggregate byte cap
+ * below, plus the operation-size cap, bound entry size. The op-size cap is the
+ * real arbiter when services and keys are both large.
+ */
+declare const MAX_SERVICES_ENTRIES = 256;
+/**
+ * Max CBOR-encoded size of the services array (bytes) — the SINGLE aggregate that
+ * bounds the services manifest, replacing the former per-field length caps (the
+ * same collapse the op-size cap applied at the operation level). Sized so the
+ * 256-entry ceiling is genuinely reachable with realistic entries.
+ */
+declare const MAX_SERVICES_PAYLOAD_SIZE = 32768;
+/**
+ * Max dag-cbor-encoded size of a single protocol operation payload (bytes) — the
+ * one aggregate validity bound on operation size, measured over the exact bytes
+ * the CID commits to. Generously set (64 KiB) so it never binds a legitimate
+ * proof-layer operation while bounding decode/verify cost (a DoS + determinism
+ * invariant). This is a VALIDITY-determining cap: it MUST be identical across
+ * implementations. Large binary media does NOT travel in operation payloads —
+ * it is referenced, not inlined — so this bound is about proof-layer ops only.
+ */
+declare const MAX_OPERATION_SIZE = 65536;
 declare const MultikeyPublicKey: z.ZodObject<{
     id: z.ZodString;
     type: z.ZodLiteral<"Multikey">;
     publicKeyMultibase: z.ZodString;
-}, z.core.$strict>;
+}, z.core.$loose>;
 type MultikeyPublicKey = z.infer<typeof MultikeyPublicKey>;
 /**
  * Anchor target shapes — a ContentAnchor references a STABLE content
  * identifier, dispatched by structural form:
  *   - 31-char contentId (content chain) → mutable, gateable
- *   - CIDv1 base32 (artifact)           → immutable, public
- * Both are stable; a chain HEAD CID (also base32 but resolves to a non-artifact
- * op) is rejected by the shape-dispatch + resolution type check, never anchored.
+ *   - CIDv1 dag-cbor+sha256 (artifact)  → immutable, public
+ * Both are stable; a chain HEAD CID (also a `bafyrei…` CID but resolves to a
+ * non-artifact op) is rejected by the shape-dispatch + resolution type check,
+ * never anchored.
+ *
+ * The artifact form is the EXACT 59-char CIDv1(dag-cbor 0x71 + sha256 0x12 0x20)
+ * base32 string — 36 raw bytes → 58 base32 chars + the `b` multibase prefix,
+ * fixed `bafyrei` head + 52 base32 chars. Artifact payloads are ALWAYS dag-cbor +
+ * sha256 (ArtifactPayload below), so every real artifact CID is `bafyrei…`. The
+ * regex is pinned to that exact length (not a loose `baf…{20,}`) so an anchor of
+ * any other shape — wrong codec, wrong length — is rejected uniformly across
+ * implementations. New anchor KINDS arrive via a new service `type`, never a new
+ * anchor shape.
  */
 declare const CONTENT_ID_ANCHOR_RE: RegExp;
 declare const ARTIFACT_CID_ANCHOR_RE: RegExp;
@@ -49,23 +80,23 @@ declare const IdentityOperation: z.ZodDiscriminatedUnion<[z.ZodObject<{
         id: z.ZodString;
         type: z.ZodLiteral<"Multikey">;
         publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
+    }, z.core.$loose>>;
     assertKeys: z.ZodArray<z.ZodObject<{
         id: z.ZodString;
         type: z.ZodLiteral<"Multikey">;
         publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
+    }, z.core.$loose>>;
     controllerKeys: z.ZodArray<z.ZodObject<{
         id: z.ZodString;
         type: z.ZodLiteral<"Multikey">;
         publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
+    }, z.core.$loose>>;
     services: z.ZodOptional<z.ZodArray<z.ZodObject<{
         id: z.ZodString;
         type: z.ZodString;
     }, z.core.$catchall<z.ZodUnknown>>>>;
     createdAt: z.ZodISODateTime;
-}, z.core.$strict>, z.ZodObject<{
+}, z.core.$loose>, z.ZodObject<{
     version: z.ZodLiteral<1>;
     type: z.ZodLiteral<"update">;
     previousOperationCID: z.ZodString;
@@ -73,28 +104,28 @@ declare const IdentityOperation: z.ZodDiscriminatedUnion<[z.ZodObject<{
         id: z.ZodString;
         type: z.ZodLiteral<"Multikey">;
         publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
+    }, z.core.$loose>>;
     assertKeys: z.ZodArray<z.ZodObject<{
         id: z.ZodString;
         type: z.ZodLiteral<"Multikey">;
         publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
+    }, z.core.$loose>>;
     controllerKeys: z.ZodArray<z.ZodObject<{
         id: z.ZodString;
         type: z.ZodLiteral<"Multikey">;
         publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
+    }, z.core.$loose>>;
     services: z.ZodOptional<z.ZodArray<z.ZodObject<{
         id: z.ZodString;
         type: z.ZodString;
     }, z.core.$catchall<z.ZodUnknown>>>>;
     createdAt: z.ZodISODateTime;
-}, z.core.$strict>, z.ZodObject<{
+}, z.core.$loose>, z.ZodObject<{
     version: z.ZodLiteral<1>;
     type: z.ZodLiteral<"delete">;
     previousOperationCID: z.ZodString;
     createdAt: z.ZodISODateTime;
-}, z.core.$strict>], "type">;
+}, z.core.$loose>], "type">;
 type IdentityOperation = z.infer<typeof IdentityOperation>;
 declare const VerifiedIdentity: z.ZodObject<{
     did: z.ZodString;
@@ -103,17 +134,17 @@ declare const VerifiedIdentity: z.ZodObject<{
         id: z.ZodString;
         type: z.ZodLiteral<"Multikey">;
         publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
+    }, z.core.$loose>>;
     assertKeys: z.ZodArray<z.ZodObject<{
         id: z.ZodString;
         type: z.ZodLiteral<"Multikey">;
         publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
+    }, z.core.$loose>>;
     controllerKeys: z.ZodArray<z.ZodObject<{
         id: z.ZodString;
         type: z.ZodLiteral<"Multikey">;
         publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
+    }, z.core.$loose>>;
     services: z.ZodArray<z.ZodObject<{
         id: z.ZodString;
         type: z.ZodString;
@@ -127,8 +158,7 @@ declare const ContentOperation: z.ZodDiscriminatedUnion<[z.ZodObject<{
     documentCID: z.ZodString;
     baseDocumentCID: z.ZodNullable<z.ZodString>;
     createdAt: z.ZodISODateTime;
-    note: z.ZodNullable<z.ZodString>;
-}, z.core.$strict>, z.ZodObject<{
+}, z.core.$loose>, z.ZodObject<{
     version: z.ZodLiteral<1>;
     type: z.ZodLiteral<"update">;
     did: z.ZodString;
@@ -136,17 +166,15 @@ declare const ContentOperation: z.ZodDiscriminatedUnion<[z.ZodObject<{
     documentCID: z.ZodNullable<z.ZodString>;
     baseDocumentCID: z.ZodNullable<z.ZodString>;
     createdAt: z.ZodISODateTime;
-    note: z.ZodNullable<z.ZodString>;
     authorization: z.ZodOptional<z.ZodString>;
-}, z.core.$strict>, z.ZodObject<{
+}, z.core.$loose>, z.ZodObject<{
     version: z.ZodLiteral<1>;
     type: z.ZodLiteral<"delete">;
     did: z.ZodString;
     previousOperationCID: z.ZodString;
     createdAt: z.ZodISODateTime;
-    note: z.ZodNullable<z.ZodString>;
     authorization: z.ZodOptional<z.ZodString>;
-}, z.core.$strict>], "type">;
+}, z.core.$loose>], "type">;
 type ContentOperation = z.infer<typeof ContentOperation>;
 /** Max CBOR-encoded payload size for artifacts (bytes) — protocol constant */
 declare const MAX_ARTIFACT_PAYLOAD_SIZE = 16384;
@@ -159,7 +187,7 @@ declare const ArtifactPayload: z.ZodObject<{
         $schema: z.ZodString;
     }, z.core.$catchall<z.ZodUnknown>>;
     createdAt: z.ZodISODateTime;
-}, z.core.$strict>;
+}, z.core.$loose>;
 type ArtifactPayload = z.infer<typeof ArtifactPayload>;
 /**
  * Countersign: standalone witness attestation referencing a target operation by CID.
@@ -177,7 +205,7 @@ declare const CountersignPayload: z.ZodObject<{
     targetCID: z.ZodString;
     relation: z.ZodOptional<z.ZodString>;
     createdAt: z.ZodISODateTime;
-}, z.core.$strict>;
+}, z.core.$loose>;
 type CountersignPayload = z.infer<typeof CountersignPayload>;
 /** Revocation: signed credential revocation artifact, gossiped on the proof plane */
 declare const RevocationPayload: z.ZodObject<{
@@ -186,7 +214,7 @@ declare const RevocationPayload: z.ZodObject<{
     did: z.ZodString;
     credentialCID: z.ZodString;
     createdAt: z.ZodISODateTime;
-}, z.core.$strict>;
+}, z.core.$loose>;
 type RevocationPayload = z.infer<typeof RevocationPayload>;
 
-export { ARTIFACT_CID_ANCHOR_RE as A, CONTENT_ID_ANCHOR_RE as C, IdentityOperation as I, MAX_ARTIFACT_PAYLOAD_SIZE as M, RevocationPayload as R, ServiceEntry as S, VerifiedIdentity as V, ArtifactPayload as a, ContentOperation as b, CountersignPayload as c, MAX_SERVICES_ENTRIES as d, MAX_SERVICES_PAYLOAD_SIZE as e, MultikeyPublicKey as f, ServicesArray as g, type Signer as h };
+export { ARTIFACT_CID_ANCHOR_RE as A, CONTENT_ID_ANCHOR_RE as C, IdentityOperation as I, MAX_ARTIFACT_PAYLOAD_SIZE as M, RevocationPayload as R, ServiceEntry as S, VerifiedIdentity as V, ArtifactPayload as a, ContentOperation as b, CountersignPayload as c, MAX_OPERATION_SIZE as d, MAX_SERVICES_ENTRIES as e, MAX_SERVICES_PAYLOAD_SIZE as f, MultikeyPublicKey as g, ServicesArray as h, type Signer as i };

package/examples/content-delegated.json

@@ -2,8 +2,8 @@
   "description": "Content chain: creator signs genesis, delegate signs update with write credential",
   "type": "content-delegated",
   "chain": [
-    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNvbnRlbnQtb3AiLCJraWQiOiJkaWQ6ZGZvczpjbm5uZnQ5ZjhhMnJuOTM4ZDZua3ozOHI4NDd2MmtyI2tleV9yOWV2MzRmdmMyM3o5OTl2ZWFhZnQ4M25uMjl6dmhlIiwiY2lkIjoiYmFmeXJlaWRkc2pnZGk3dmZib2tlejVyZWl4enRmcm9kNnhjbmh0Ymc0NmI3dnZmZGRwb2Z4czVtaXkifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiY3JlYXRlIiwiZGlkIjoiZGlkOmRmb3M6Y25ubmZ0OWY4YTJybjkzOGQ2bmt6MzhyODQ3djJrciIsImRvY3VtZW50Q0lEIjoiYmFmeXJlaWRyd2V4NWRjYjJ1c3NqNmJ0eGJjMzQyM3U1d2VzNnJyd29tbXhhemt1bHRzcG9oN2EzdGkiLCJiYXNlRG9jdW1lbnRDSUQiOm51bGwsImNyZWF0ZWRBdCI6IjIwMjYtMDMtMDdUMDA6MTA6MDAuMDAwWiIsIm5vdGUiOm51bGx9.cxfEOGZ08zCQVuqiiljZNCxZudQi3CGqANtFnWLVyh0m9Sdq2yFk_fl4jCcw_4lTDvkYOkMgEOm_VvkpnqdMDA",
-    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNvbnRlbnQtb3AiLCJraWQiOiJkaWQ6ZGZvczo5NGFoNzk2M24yMjNrOGM5ODg0aGgyN2VraDQybmVhI2tleV9hOHIyNzQzNGFhcjc2YWU3MmM4NzdmYTQ3a2FyOHJuIiwiY2lkIjoiYmFmeXJlaWd3ZjI0aGhkN2N3dGlhMndocWl3bDVndHZwbGRxNnZtZmozY2ZvdGV5cmJpdjNxMmJhbGkifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoidXBkYXRlIiwiZGlkIjoiZGlkOmRmb3M6OTRhaDc5NjNuMjIzazhjOTg4NGhoMjdla2g0Mm5lYSIsInByZXZpb3VzT3BlcmF0aW9uQ0lEIjoiYmFmeXJlaWRkc2pnZGk3dmZib2tlejVyZWl4enRmcm9kNnhjbmh0Ymc0NmI3dnZmZGRwb2Z4czVtaXkiLCJkb2N1bWVudENJRCI6ImJhZnlyZWllanNzaWhrZGZsamphYmRhbWhrdXlpYm1jNzQzaG4zaTM2YTdmbnV6c2plb2FydHBlNXdhIiwiYmFzZURvY3VtZW50Q0lEIjoiYmFmeXJlaWRyd2V4NWRjYjJ1c3NqNmJ0eGJjMzQyM3U1d2VzNnJyd29tbXhhemt1bHRzcG9oN2EzdGkiLCJjcmVhdGVkQXQiOiIyMDI2LTAzLTA3VDAwOjExOjAwLjAwMFoiLCJub3RlIjoiZGVsZWdhdGVkIGVkaXQgYnkga2V5MyIsImF1dGhvcml6YXRpb24iOiJleUpoYkdjaU9pSkZaRVJUUVNJc0luUjVjQ0k2SW1ScFpEcGtabTl6T21OeVpXUmxiblJwWVd3aUxDSnJhV1FpT2lKa2FXUTZaR1p2Y3pwamJtNXVablE1WmpoaE1uSnVPVE00WkRadWEzb3pPSEk0TkRkMk1tdHlJMnRsZVY5eU9XVjJNelJtZG1NeU0zbzVPVGwyWldGaFpuUTRNMjV1TWpsNmRtaGxJaXdpWTJsa0lqb2lZbUZtZVhKbGFXUmtaVzkyZFRJeVpYTjVhSE5pTlRaa2FHRTJaVFJ4TkhZeU5tbHVObmQ1YjNsMGRYbDJjVFV5TlhjMWFqTnlZMlp0Tm1raWZRLmV5SjJaWEp6YVc5dUlqb3hMQ0owZVhCbElqb2lSRVpQVTBOeVpXUmxiblJwWVd3aUxDSnBjM01pT2lKa2FXUTZaR1p2Y3pwamJtNXVablE1WmpoaE1uSnVPVE00WkRadWEzb3pPSEk0TkRkMk1tdHlJaXdpWVhWa0lqb2laR2xrT21SbWIzTTZPVFJoYURjNU5qTnVNakl6YXpoak9UZzROR2hvTWpkbGEyZzBNbTVsWVNJc0ltRjBkQ0k2VzNzaWNtVnpiM1Z5WTJVaU9pSmphR0ZwYmpvemNqSTBNMmczTnpsbGEzSnVjbUZoWTJVMk16ZzRNbVoyT0dRNE16ZzVJaXdpWVdOMGFXOXVJam9pZDNKcGRHVWlmVjBzSW5CeVppSTZXMTBzSW1WNGNDSTZNVGM1T0RjMk1UWXdNQ3dpYVdGMElqb3hOemN5T0RReE5qQXdmUS5oWko1LXpLTXNKR0tQaEtVdjVCaEt4QnJYLWlaUjNJazNJNTB2b1NEUTVrbWFLOXlvNkI3MTZBY05ibnhlc01tclpXX0FfNzJuZDVYQ29iSTZUbFJBZyJ9.0eNH6RC6O-OkFDBLEWk3YugPUzc9WGtZnG8wRzEEjz0SEwTx5z4FkNoP8Fygu7nd9DZbel9flZL-f0Lg_yD6BA"
+    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNvbnRlbnQtb3AiLCJraWQiOiJkaWQ6ZGZvczpjbm5uZnQ5ZjhhMnJuOTM4ZDZua3ozOHI4NDd2MmtyI2tleV9yOWV2MzRmdmMyM3o5OTl2ZWFhZnQ4M25uMjl6dmhlIiwiY2lkIjoiYmFmeXJlaWFjZXVvcW1jc3ZjdXZmN3M3YnlscWtvaG01aDdtdXhxbWVxbXYzbjdpc3F0ZHl0dzZuZ3kifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiY3JlYXRlIiwiZGlkIjoiZGlkOmRmb3M6Y25ubmZ0OWY4YTJybjkzOGQ2bmt6MzhyODQ3djJrciIsImRvY3VtZW50Q0lEIjoiYmFmeXJlaWRyd2V4NWRjYjJ1c3NqNmJ0eGJjMzQyM3U1d2VzNnJyd29tbXhhemt1bHRzcG9oN2EzdGkiLCJiYXNlRG9jdW1lbnRDSUQiOm51bGwsImNyZWF0ZWRBdCI6IjIwMjYtMDMtMDdUMDA6MTA6MDAuMDAwWiJ9.5S4nTGLjqy6WD1ojt8h858AsTh_js8kV_YJsRY-LeERRIPnPBG2wMbYgVhWcTUX2iYln_l-PgRlGlcs3XT98DA",
+    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNvbnRlbnQtb3AiLCJraWQiOiJkaWQ6ZGZvczo5NGFoNzk2M24yMjNrOGM5ODg0aGgyN2VraDQybmVhI2tleV9hOHIyNzQzNGFhcjc2YWU3MmM4NzdmYTQ3a2FyOHJuIiwiY2lkIjoiYmFmeXJlaWVrNXozNXRiN256aTdoY3praGJseG56d2xjcjNtY25pbXlmcWh4NzRqbWhmM2FyYzd3YmkifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoidXBkYXRlIiwiZGlkIjoiZGlkOmRmb3M6OTRhaDc5NjNuMjIzazhjOTg4NGhoMjdla2g0Mm5lYSIsInByZXZpb3VzT3BlcmF0aW9uQ0lEIjoiYmFmeXJlaWFjZXVvcW1jc3ZjdXZmN3M3YnlscWtvaG01aDdtdXhxbWVxbXYzbjdpc3F0ZHl0dzZuZ3kiLCJkb2N1bWVudENJRCI6ImJhZnlyZWllanNzaWhrZGZsamphYmRhbWhrdXlpYm1jNzQzaG4zaTM2YTdmbnV6c2plb2FydHBlNXdhIiwiYmFzZURvY3VtZW50Q0lEIjoiYmFmeXJlaWRyd2V4NWRjYjJ1c3NqNmJ0eGJjMzQyM3U1d2VzNnJyd29tbXhhemt1bHRzcG9oN2EzdGkiLCJjcmVhdGVkQXQiOiIyMDI2LTAzLTA3VDAwOjExOjAwLjAwMFoiLCJhdXRob3JpemF0aW9uIjoiZXlKaGJHY2lPaUpGWkVSVFFTSXNJblI1Y0NJNkltUnBaRHBrWm05ek9tTnlaV1JsYm5ScFlXd2lMQ0pyYVdRaU9pSmthV1E2WkdadmN6cGpibTV1Wm5RNVpqaGhNbkp1T1RNNFpEWnVhM296T0hJNE5EZDJNbXR5STJ0bGVWOXlPV1YyTXpSbWRtTXlNM281T1RsMlpXRmhablE0TTI1dU1qbDZkbWhsSWl3aVkybGtJam9pWW1GbWVYSmxhV1Z5ZERKcWNHaHJlWEI0ZDIxMWFqZHRkbTExY0hoamQybzNlbkZxZUdJek1tMTFhbnBwTWpObVlua3lkekpzWW5Wa2EzVWlmUS5leUoyWlhKemFXOXVJam94TENKMGVYQmxJam9pUkVaUFUwTnlaV1JsYm5ScFlXd2lMQ0pwYzNNaU9pSmthV1E2WkdadmN6cGpibTV1Wm5RNVpqaGhNbkp1T1RNNFpEWnVhM296T0hJNE5EZDJNbXR5SWl3aVlYVmtJam9pWkdsa09tUm1iM002T1RSaGFEYzVOak51TWpJemF6aGpPVGc0Tkdob01qZGxhMmcwTW01bFlTSXNJbUYwZENJNlczc2ljbVZ6YjNWeVkyVWlPaUpqYUdGcGJqb3lNbU00Y25ab09ISjJaRGRoTjJSa2EyVnJNelEwTXpKb2VucG9OelJ5SWl3aVlXTjBhVzl1SWpvaWQzSnBkR1VpZlYwc0luQnlaaUk2VzEwc0ltVjRjQ0k2TVRjNU9EYzJNVFl3TUN3aWFXRjBJam94TnpjeU9EUXhOakF3ZlEuZXJYMkRSUnRSWnctdFFueGd0RWE2SGNyaHZGM0pONHNESHppbGxFOXY1ZkhMYldLMEtJVTQ5SWtNRTdBTmJ5bDBETWo0WDRQTlZFZk1QUDlHRTFiQ0EifQ.XtEeHcTkXUaPPrkfH3a_JIxzgqL5fKe4jR7r52VpgnBx_ptjeyBmy9kjJxM0e0rpKkFSwE2Egi06yEr7a9q_DA"
   ],
   "creatorPublicKey": "z6MkrzLMNwoJSV4P3YccWcbtk8vd9LtgMKnLeaDLUqLuASjb",
   "delegatePublicKey": "z6MkvsvmSh2dGnu2qw1Tnw7M5fz98ycfuYGxqnpfgmPkLv7o",
@@ -33,9 +33,9 @@
       "createdAt": "2026-03-07T00:11:00.000Z"
     }
   ],
-  "authorization": "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNyZWRlbnRpYWwiLCJraWQiOiJkaWQ6ZGZvczpjbm5uZnQ5ZjhhMnJuOTM4ZDZua3ozOHI4NDd2MmtyI2tleV9yOWV2MzRmdmMyM3o5OTl2ZWFhZnQ4M25uMjl6dmhlIiwiY2lkIjoiYmFmeXJlaWRkZW92dTIyZXN5aHNiNTZkaGE2ZTRxNHYyNmluNnd5b3l0dXl2cTUyNXc1ajNyY2ZtNmkifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiREZPU0NyZWRlbnRpYWwiLCJpc3MiOiJkaWQ6ZGZvczpjbm5uZnQ5ZjhhMnJuOTM4ZDZua3ozOHI4NDd2MmtyIiwiYXVkIjoiZGlkOmRmb3M6OTRhaDc5NjNuMjIzazhjOTg4NGhoMjdla2g0Mm5lYSIsImF0dCI6W3sicmVzb3VyY2UiOiJjaGFpbjozcjI0M2g3Nzlla3JucmFhY2U2Mzg4MmZ2OGQ4Mzg5IiwiYWN0aW9uIjoid3JpdGUifV0sInByZiI6W10sImV4cCI6MTc5ODc2MTYwMCwiaWF0IjoxNzcyODQxNjAwfQ.hZJ5-zKMsJGKPhKUv5BhKxBrX-iZR3Ik3I50voSDQ5kmaK9yo6B716AcNbnxesMmrZW_A_72nd5XCobI6TlRAg",
+  "authorization": "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNyZWRlbnRpYWwiLCJraWQiOiJkaWQ6ZGZvczpjbm5uZnQ5ZjhhMnJuOTM4ZDZua3ozOHI4NDd2MmtyI2tleV9yOWV2MzRmdmMyM3o5OTl2ZWFhZnQ4M25uMjl6dmhlIiwiY2lkIjoiYmFmeXJlaWVydDJqcGhreXB4d211ajdtdm11cHhjd2o3enFqeGIzMm11anppMjNmYnkydzJsYnVka3UifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiREZPU0NyZWRlbnRpYWwiLCJpc3MiOiJkaWQ6ZGZvczpjbm5uZnQ5ZjhhMnJuOTM4ZDZua3ozOHI4NDd2MmtyIiwiYXVkIjoiZGlkOmRmb3M6OTRhaDc5NjNuMjIzazhjOTg4NGhoMjdla2g0Mm5lYSIsImF0dCI6W3sicmVzb3VyY2UiOiJjaGFpbjoyMmM4cnZoOHJ2ZDdhN2Rka2VrMzQ0MzJoenpoNzRyIiwiYWN0aW9uIjoid3JpdGUifV0sInByZiI6W10sImV4cCI6MTc5ODc2MTYwMCwiaWF0IjoxNzcyODQxNjAwfQ.erX2DRRtRZw-tQnxgtEa6HcrhvF3JN4sDHzillE9v5fHLbWK0KIU49IkME7ANbyl0DMj4X4PNVEfMPP9GE1bCA",
   "expected": {
-    "contentId": "3r243h779ekrnraace63882fv8d8389",
+    "contentId": "22c8rvh8rvd7a7ddkek34432hzzh74r",
     "creatorDID": "did:dfos:cnnnft9f8a2rn938d6nkz38r847v2kr",
     "isDeleted": false,
     "currentDocumentCID": "bafyreiejssihkdfljjabdamhkuyibmc743hn3i36a7fnuzsjeoartpe5wa",

package/examples/content-delete.json

@@ -2,8 +2,8 @@
   "description": "Content chain: create + delete",
   "type": "content",
   "chain": [
-    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNvbnRlbnQtb3AiLCJraWQiOiJkaWQ6ZGZvczpjbm5uZnQ5ZjhhMnJuOTM4ZDZua3ozOHI4NDd2MmtyI2tleV9lejlhODc0dGNrcjNkdjkzM2QzY2tkbjd6NnpyY3Q4IiwiY2lkIjoiYmFmeXJlaWFxYXRnZGd3Z2d1Zmd5NHRzejZldXJ3dWR0ZHh5Z3V6dHQ3bnE1d2dkN3FpNDQ1bnY1NnkifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiY3JlYXRlIiwiZGlkIjoiZGlkOmRmb3M6Y25ubmZ0OWY4YTJybjkzOGQ2bmt6MzhyODQ3djJrciIsImRvY3VtZW50Q0lEIjoiYmFmeXJlaWV2Y3FybXZ0ejJwaXM1dGRpenQ3c2pvdG9xcW9nbDZ2cnJxZ2E2NHcydG53a3Eycm51ZHkiLCJiYXNlRG9jdW1lbnRDSUQiOm51bGwsImNyZWF0ZWRBdCI6IjIwMjYtMDMtMDdUMDA6MDI6MDAuMDAwWiIsIm5vdGUiOm51bGx9.POTcvRbYb5r_P6ZpJRNAufCkEHmfebUyc1jb_USg7xdG8bwq520HMsg6wWjfrhU8Y-7_86IcLwpldD03_L0-Ag",
-    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNvbnRlbnQtb3AiLCJraWQiOiJkaWQ6ZGZvczpjbm5uZnQ5ZjhhMnJuOTM4ZDZua3ozOHI4NDd2MmtyI2tleV9lejlhODc0dGNrcjNkdjkzM2QzY2tkbjd6NnpyY3Q4IiwiY2lkIjoiYmFmeXJlaWFsaXlvenNqaW4yaTd4NHl4ejJwcmJnaGIybGU1YzYycGxsbWxhc3YyaGlhZ3l5ZnZjc2kifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiZGVsZXRlIiwiZGlkIjoiZGlkOmRmb3M6Y25ubmZ0OWY4YTJybjkzOGQ2bmt6MzhyODQ3djJrciIsInByZXZpb3VzT3BlcmF0aW9uQ0lEIjoiYmFmeXJlaWFxYXRnZGd3Z2d1Zmd5NHRzejZldXJ3dWR0ZHh5Z3V6dHQ3bnE1d2dkN3FpNDQ1bnY1NnkiLCJjcmVhdGVkQXQiOiIyMDI2LTAzLTA3VDAwOjAzOjAwLjAwMFoiLCJub3RlIjoicmVtb3ZpbmcgY29udGVudCJ9.k_zTEiRy1aPc1d39SQJOCf8yCVaRoYhenun4RJTxBsmDu6TZ5EvBAvXnbFS0DYLE3X1wV1G6YQG6rpxYElG_Ag"
+    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNvbnRlbnQtb3AiLCJraWQiOiJkaWQ6ZGZvczpjbm5uZnQ5ZjhhMnJuOTM4ZDZua3ozOHI4NDd2MmtyI2tleV9lejlhODc0dGNrcjNkdjkzM2QzY2tkbjd6NnpyY3Q4IiwiY2lkIjoiYmFmeXJlaWQyNmJhZ241Y2ZlZTN4cHRhZmptYmx4d3VkdzQzNXA2cms1ZzNwNGdqdGtudXlscnhzc3kifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiY3JlYXRlIiwiZGlkIjoiZGlkOmRmb3M6Y25ubmZ0OWY4YTJybjkzOGQ2bmt6MzhyODQ3djJrciIsImRvY3VtZW50Q0lEIjoiYmFmeXJlaWV2Y3FybXZ0ejJwaXM1dGRpenQ3c2pvdG9xcW9nbDZ2cnJxZ2E2NHcydG53a3Eycm51ZHkiLCJiYXNlRG9jdW1lbnRDSUQiOm51bGwsImNyZWF0ZWRBdCI6IjIwMjYtMDMtMDdUMDA6MDI6MDAuMDAwWiJ9.mTRCvPga89hVeu-gNowrL8TApoGJlxVQBw3CzrvEA-LxAQaSp03Uyn0JwdhPWh22UtwZTe2d27IIuJ7P-5PtAA",
+    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNvbnRlbnQtb3AiLCJraWQiOiJkaWQ6ZGZvczpjbm5uZnQ5ZjhhMnJuOTM4ZDZua3ozOHI4NDd2MmtyI2tleV9lejlhODc0dGNrcjNkdjkzM2QzY2tkbjd6NnpyY3Q4IiwiY2lkIjoiYmFmeXJlaWhkcTZ0ZGw0c2R1N3V6b3l3c3p1NnNrMnJveGd1b3hqenp2ZjRkeTZtcDRmaGdkemczYm0ifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiZGVsZXRlIiwiZGlkIjoiZGlkOmRmb3M6Y25ubmZ0OWY4YTJybjkzOGQ2bmt6MzhyODQ3djJrciIsInByZXZpb3VzT3BlcmF0aW9uQ0lEIjoiYmFmeXJlaWQyNmJhZ241Y2ZlZTN4cHRhZmptYmx4d3VkdzQzNXA2cms1ZzNwNGdqdGtudXlscnhzc3kiLCJjcmVhdGVkQXQiOiIyMDI2LTAzLTA3VDAwOjAzOjAwLjAwMFoifQ.AgSmh-c1vXQYDan91HHkt8js1AH3upLxodv45RcfU-4TTNRaJq6fLdwe8tlto3N1_RSdaxhEEee9GgTLpYmXAQ"
   ],
   "signerPublicKey": "z6MkfUd65JrAhfdgFuMCccU9ThQvjB2fJAMUHkuuajF992gK",
   "documents": [
@@ -21,7 +21,7 @@
     }
   ],
   "expected": {
-    "contentId": "cv7n8vkvr64cctf3294h9k4eanhff8z",
+    "contentId": "a3n7r3nde8e4keeak92rr3aeztftvc2",
     "isDeleted": true,
     "currentDocumentCID": null,
     "length": 2

package/examples/content-lifecycle.json

@@ -2,8 +2,8 @@
   "description": "Content chain: create + update (with both documents)",
   "type": "content",
   "chain": [
-    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNvbnRlbnQtb3AiLCJraWQiOiJkaWQ6ZGZvczpjbm5uZnQ5ZjhhMnJuOTM4ZDZua3ozOHI4NDd2MmtyI2tleV9lejlhODc0dGNrcjNkdjkzM2QzY2tkbjd6NnpyY3Q4IiwiY2lkIjoiYmFmeXJlaWFxYXRnZGd3Z2d1Zmd5NHRzejZldXJ3dWR0ZHh5Z3V6dHQ3bnE1d2dkN3FpNDQ1bnY1NnkifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiY3JlYXRlIiwiZGlkIjoiZGlkOmRmb3M6Y25ubmZ0OWY4YTJybjkzOGQ2bmt6MzhyODQ3djJrciIsImRvY3VtZW50Q0lEIjoiYmFmeXJlaWV2Y3FybXZ0ejJwaXM1dGRpenQ3c2pvdG9xcW9nbDZ2cnJxZ2E2NHcydG53a3Eycm51ZHkiLCJiYXNlRG9jdW1lbnRDSUQiOm51bGwsImNyZWF0ZWRBdCI6IjIwMjYtMDMtMDdUMDA6MDI6MDAuMDAwWiIsIm5vdGUiOm51bGx9.POTcvRbYb5r_P6ZpJRNAufCkEHmfebUyc1jb_USg7xdG8bwq520HMsg6wWjfrhU8Y-7_86IcLwpldD03_L0-Ag",
-    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNvbnRlbnQtb3AiLCJraWQiOiJkaWQ6ZGZvczpjbm5uZnQ5ZjhhMnJuOTM4ZDZua3ozOHI4NDd2MmtyI2tleV9lejlhODc0dGNrcjNkdjkzM2QzY2tkbjd6NnpyY3Q4IiwiY2lkIjoiYmFmeXJlaWJweDRjZ2I0ajZuM216NzY0cHlscmRnNnE3YTQ2bmpuaHg2cDRjcTJybGdldWUzczNldnEifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoidXBkYXRlIiwiZGlkIjoiZGlkOmRmb3M6Y25ubmZ0OWY4YTJybjkzOGQ2bmt6MzhyODQ3djJrciIsInByZXZpb3VzT3BlcmF0aW9uQ0lEIjoiYmFmeXJlaWFxYXRnZGd3Z2d1Zmd5NHRzejZldXJ3dWR0ZHh5Z3V6dHQ3bnE1d2dkN3FpNDQ1bnY1NnkiLCJkb2N1bWVudENJRCI6ImJhZnlyZWlmZXRwdXRreTRmbnp2N3NyZzdsN3luaWg2ajR5dHplcWlicmNwNXVpZXB2b2x4cWhjYmN5IiwiYmFzZURvY3VtZW50Q0lEIjoiYmFmeXJlaWV2Y3FybXZ0ejJwaXM1dGRpenQ3c2pvdG9xcW9nbDZ2cnJxZ2E2NHcydG53a3Eycm51ZHkiLCJjcmVhdGVkQXQiOiIyMDI2LTAzLTA3VDAwOjAzOjAwLjAwMFoiLCJub3RlIjoiZWRpdGVkIHRpdGxlIGFuZCBib2R5In0.yTkJOiiCsjIBHmR7773W1pdjC5in_Fl3WUXHl8Y_Hyb47RgfiWVufPirIolnuI-IOOl6zHNNmDfmy6kFROwOAg"
+    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNvbnRlbnQtb3AiLCJraWQiOiJkaWQ6ZGZvczpjbm5uZnQ5ZjhhMnJuOTM4ZDZua3ozOHI4NDd2MmtyI2tleV9lejlhODc0dGNrcjNkdjkzM2QzY2tkbjd6NnpyY3Q4IiwiY2lkIjoiYmFmeXJlaWQyNmJhZ241Y2ZlZTN4cHRhZmptYmx4d3VkdzQzNXA2cms1ZzNwNGdqdGtudXlscnhzc3kifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiY3JlYXRlIiwiZGlkIjoiZGlkOmRmb3M6Y25ubmZ0OWY4YTJybjkzOGQ2bmt6MzhyODQ3djJrciIsImRvY3VtZW50Q0lEIjoiYmFmeXJlaWV2Y3FybXZ0ejJwaXM1dGRpenQ3c2pvdG9xcW9nbDZ2cnJxZ2E2NHcydG53a3Eycm51ZHkiLCJiYXNlRG9jdW1lbnRDSUQiOm51bGwsImNyZWF0ZWRBdCI6IjIwMjYtMDMtMDdUMDA6MDI6MDAuMDAwWiJ9.mTRCvPga89hVeu-gNowrL8TApoGJlxVQBw3CzrvEA-LxAQaSp03Uyn0JwdhPWh22UtwZTe2d27IIuJ7P-5PtAA",
+    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNvbnRlbnQtb3AiLCJraWQiOiJkaWQ6ZGZvczpjbm5uZnQ5ZjhhMnJuOTM4ZDZua3ozOHI4NDd2MmtyI2tleV9lejlhODc0dGNrcjNkdjkzM2QzY2tkbjd6NnpyY3Q4IiwiY2lkIjoiYmFmeXJlaWEybGxwbHVvN2kyc2xoNzUyaXB3YnNxd2t2YXppdmpidnpkN202NmlzZm16aGJvaDNsNnkifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoidXBkYXRlIiwiZGlkIjoiZGlkOmRmb3M6Y25ubmZ0OWY4YTJybjkzOGQ2bmt6MzhyODQ3djJrciIsInByZXZpb3VzT3BlcmF0aW9uQ0lEIjoiYmFmeXJlaWQyNmJhZ241Y2ZlZTN4cHRhZmptYmx4d3VkdzQzNXA2cms1ZzNwNGdqdGtudXlscnhzc3kiLCJkb2N1bWVudENJRCI6ImJhZnlyZWlmZXRwdXRreTRmbnp2N3NyZzdsN3luaWg2ajR5dHplcWlicmNwNXVpZXB2b2x4cWhjYmN5IiwiYmFzZURvY3VtZW50Q0lEIjoiYmFmeXJlaWV2Y3FybXZ0ejJwaXM1dGRpenQ3c2pvdG9xcW9nbDZ2cnJxZ2E2NHcydG53a3Eycm51ZHkiLCJjcmVhdGVkQXQiOiIyMDI2LTAzLTA3VDAwOjAzOjAwLjAwMFoifQ._1k6S9qAFJeS7Ti1CmF32PhPjIxNTAiA63rSo9oF88Nf7ksKc1ENLLYgjkJcb6YOZ-C7O_3i_noJfnFsrX1xBQ"
   ],
   "signerPublicKey": "z6MkfUd65JrAhfdgFuMCccU9ThQvjB2fJAMUHkuuajF992gK",
   "documents": [
@@ -33,7 +33,7 @@
     }
   ],
   "expected": {
-    "contentId": "cv7n8vkvr64cctf3294h9k4eanhff8z",
+    "contentId": "a3n7r3nde8e4keeak92rr3aeztftvc2",
     "isDeleted": false,
     "currentDocumentCID": "bafyreifetputky4fnzv7srg7l7ynih6j4ytzeqibrcp5uiepvolxqhcbcy",
     "length": 2

package/examples/credential-write.json

@@ -2,12 +2,12 @@
   "description": "DFOS credential: write access (broad + narrowed)",
   "type": "credential",
   "broadCredential": "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNyZWRlbnRpYWwiLCJraWQiOiJkaWQ6ZGZvczpjbm5uZnQ5ZjhhMnJuOTM4ZDZua3ozOHI4NDd2MmtyI2tleV9yOWV2MzRmdmMyM3o5OTl2ZWFhZnQ4M25uMjl6dmhlIiwiY2lkIjoiYmFmeXJlaWZ5aW5ieGhicml0NTZtM2FhdjY2bXc0eGQ2YWRxamFzdmNmaG11NjZnNnRudXFncnljbG0ifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiREZPU0NyZWRlbnRpYWwiLCJpc3MiOiJkaWQ6ZGZvczpjbm5uZnQ5ZjhhMnJuOTM4ZDZua3ozOHI4NDd2MmtyIiwiYXVkIjoiZGlkOmRmb3M6OTRhaDc5NjNuMjIzazhjOTg4NGhoMjdla2g0Mm5lYSIsImF0dCI6W3sicmVzb3VyY2UiOiJjaGFpbjoqIiwiYWN0aW9uIjoid3JpdGUifV0sInByZiI6W10sImV4cCI6MTc5ODc2MTYwMCwiaWF0IjoxNzcyODQxNjAwfQ.A-EygURAN2bALVwI2AZKFEuy30ZnWJFBaD4jCTf1d7A90rYELStjTWJ1iI7OulihTCfaVtlvj5HtX6Dwv1VxAg",
-  "narrowCredential": "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNyZWRlbnRpYWwiLCJraWQiOiJkaWQ6ZGZvczpjbm5uZnQ5ZjhhMnJuOTM4ZDZua3ozOHI4NDd2MmtyI2tleV9yOWV2MzRmdmMyM3o5OTl2ZWFhZnQ4M25uMjl6dmhlIiwiY2lkIjoiYmFmeXJlaWNiNGVoZWl6eHNrM3N6Ymgyb2dvbXU0cmV1NGd0a2kycHB4NjR6ZW8zeGFrMnh1bWZ2dWkifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiREZPU0NyZWRlbnRpYWwiLCJpc3MiOiJkaWQ6ZGZvczpjbm5uZnQ5ZjhhMnJuOTM4ZDZua3ozOHI4NDd2MmtyIiwiYXVkIjoiZGlkOmRmb3M6OTRhaDc5NjNuMjIzazhjOTg4NGhoMjdla2g0Mm5lYSIsImF0dCI6W3sicmVzb3VyY2UiOiJjaGFpbjpjdjduOHZrdnI2NGNjdGYzMjk0aDlrNGVhbmhmZjh6IiwiYWN0aW9uIjoid3JpdGUifV0sInByZiI6W10sImV4cCI6MTc5ODc2MTYwMCwiaWF0IjoxNzcyODQxNjAwfQ.xwsGleofAr78xbT4jCrK402PEI8G_OzvxJITvAjL5ltr7_2bdkX4sCjmZbnjl9m9QcEXnWyWbBgYO8KFl2r8CQ",
+  "narrowCredential": "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmNyZWRlbnRpYWwiLCJraWQiOiJkaWQ6ZGZvczpjbm5uZnQ5ZjhhMnJuOTM4ZDZua3ozOHI4NDd2MmtyI2tleV9yOWV2MzRmdmMyM3o5OTl2ZWFhZnQ4M25uMjl6dmhlIiwiY2lkIjoiYmFmeXJlaWVzemt5YW9lc256eXlzcXVxc3JweGJwM2NwMmxpNGg0MjZxZGZxaXg1bnlvcnV1b3dibmEifQ.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiREZPU0NyZWRlbnRpYWwiLCJpc3MiOiJkaWQ6ZGZvczpjbm5uZnQ5ZjhhMnJuOTM4ZDZua3ozOHI4NDd2MmtyIiwiYXVkIjoiZGlkOmRmb3M6OTRhaDc5NjNuMjIzazhjOTg4NGhoMjdla2g0Mm5lYSIsImF0dCI6W3sicmVzb3VyY2UiOiJjaGFpbjphM243cjNuZGU4ZTRrZWVhazkycnIzYWV6dGZ0dmMyIiwiYWN0aW9uIjoid3JpdGUifV0sInByZiI6W10sImV4cCI6MTc5ODc2MTYwMCwiaWF0IjoxNzcyODQxNjAwfQ.jzGLUBl0NhKaigoKH2OQBcC-bOlnhdL0ro4gWQpM2F-dZtdumxnixQ3cHabp8EaqfQ-jsRVkjqQ6Sf8sib8ZAg",
   "issuerPublicKey": "z6MkrzLMNwoJSV4P3YccWcbtk8vd9LtgMKnLeaDLUqLuASjb",
   "audiencePublicKey": "z6MkvsvmSh2dGnu2qw1Tnw7M5fz98ycfuYGxqnpfgmPkLv7o",
   "expected": {
     "iss": "did:dfos:cnnnft9f8a2rn938d6nkz38r847v2kr",
     "aud": "did:dfos:94ah7963n223k8c9884hh27ekh42nea",
-    "narrowContentId": "cv7n8vkvr64cctf3294h9k4eanhff8z"
+    "narrowContentId": "a3n7r3nde8e4keeak92rr3aeztftvc2"
   }
 }

package/examples/identity-services.json

@@ -2,11 +2,11 @@
   "description": "Identity chain: genesis publishing a services set (relay locator + content/artifact anchors)",
   "type": "identity",
   "chain": [
-    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmlkZW50aXR5LW9wIiwia2lkIjoia2V5X3I5ZXYzNGZ2YzIzejk5OXZlYWFmdDgzbm4yOXp2aGUiLCJjaWQiOiJiYWZ5cmVpZGkzcXBzM3F0dHFwMjJtM3kzM2JkYmYyaXlrYnE1cjQ1ampod2EzN21nZXNvdjdzZGd6ZSJ9.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiY3JlYXRlIiwiYXV0aEtleXMiOlt7ImlkIjoia2V5X3I5ZXYzNGZ2YzIzejk5OXZlYWFmdDgzbm4yOXp2aGUiLCJ0eXBlIjoiTXVsdGlrZXkiLCJwdWJsaWNLZXlNdWx0aWJhc2UiOiJ6Nk1rcnpMTU53b0pTVjRQM1ljY1djYnRrOHZkOUx0Z01LbkxlYURMVXFMdUFTamIifV0sImFzc2VydEtleXMiOlt7ImlkIjoia2V5X3I5ZXYzNGZ2YzIzejk5OXZlYWFmdDgzbm4yOXp2aGUiLCJ0eXBlIjoiTXVsdGlrZXkiLCJwdWJsaWNLZXlNdWx0aWJhc2UiOiJ6Nk1rcnpMTU53b0pTVjRQM1ljY1djYnRrOHZkOUx0Z01LbkxlYURMVXFMdUFTamIifV0sImNvbnRyb2xsZXJLZXlzIjpbeyJpZCI6ImtleV9yOWV2MzRmdmMyM3o5OTl2ZWFhZnQ4M25uMjl6dmhlIiwidHlwZSI6Ik11bHRpa2V5IiwicHVibGljS2V5TXVsdGliYXNlIjoiejZNa3J6TE1Od29KU1Y0UDNZY2NXY2J0azh2ZDlMdGdNS25MZWFETFVxTHVBU2piIn1dLCJzZXJ2aWNlcyI6W3siaWQiOiJyZWxheSIsInR5cGUiOiJEZm9zUmVsYXkiLCJlbmRwb2ludCI6Imh0dHBzOi8vcmVsYXkuZGZvcy5jb20ifSx7ImlkIjoicHJvZmlsZSIsInR5cGUiOiJDb250ZW50QW5jaG9yIiwibGFiZWwiOiJwcm9maWxlIiwiYW5jaG9yIjoiY3Y3bjh2a3ZyNjRjY3RmMzI5NGg5azRlYW5oZmY4eiJ9LHsiaWQiOiJhdmF0YXIiLCJ0eXBlIjoiQ29udGVudEFuY2hvciIsImxhYmVsIjoiYXZhdGFyIiwiYW5jaG9yIjoiYmFmeXJlaWV2Y3FybXZ0ejJwaXM1dGRpenQ3c2pvdG9xcW9nbDZ2cnJxZ2E2NHcydG53a3Eycm51ZHkifV0sImNyZWF0ZWRBdCI6IjIwMjYtMDMtMDdUMDA6MDU6MDAuMDAwWiJ9.HCzVJXcUzL62lxtC8omBlit1JNSWk4b4kQKjjjWT00honzZ9-k3dKusIRuhTV6gjT1M74bLVZYUxPb8kJvhHAw"
+    "eyJhbGciOiJFZERTQSIsInR5cCI6ImRpZDpkZm9zOmlkZW50aXR5LW9wIiwia2lkIjoia2V5X3I5ZXYzNGZ2YzIzejk5OXZlYWFmdDgzbm4yOXp2aGUiLCJjaWQiOiJiYWZ5cmVpZ2h1dnppdGZhN29meXlyd3l2eXVha21xZmVmem11cGhpN2ZhZmF3b3gzYWh4ZGgzdHNhNCJ9.eyJ2ZXJzaW9uIjoxLCJ0eXBlIjoiY3JlYXRlIiwiYXV0aEtleXMiOlt7ImlkIjoia2V5X3I5ZXYzNGZ2YzIzejk5OXZlYWFmdDgzbm4yOXp2aGUiLCJ0eXBlIjoiTXVsdGlrZXkiLCJwdWJsaWNLZXlNdWx0aWJhc2UiOiJ6Nk1rcnpMTU53b0pTVjRQM1ljY1djYnRrOHZkOUx0Z01LbkxlYURMVXFMdUFTamIifV0sImFzc2VydEtleXMiOlt7ImlkIjoia2V5X3I5ZXYzNGZ2YzIzejk5OXZlYWFmdDgzbm4yOXp2aGUiLCJ0eXBlIjoiTXVsdGlrZXkiLCJwdWJsaWNLZXlNdWx0aWJhc2UiOiJ6Nk1rcnpMTU53b0pTVjRQM1ljY1djYnRrOHZkOUx0Z01LbkxlYURMVXFMdUFTamIifV0sImNvbnRyb2xsZXJLZXlzIjpbeyJpZCI6ImtleV9yOWV2MzRmdmMyM3o5OTl2ZWFhZnQ4M25uMjl6dmhlIiwidHlwZSI6Ik11bHRpa2V5IiwicHVibGljS2V5TXVsdGliYXNlIjoiejZNa3J6TE1Od29KU1Y0UDNZY2NXY2J0azh2ZDlMdGdNS25MZWFETFVxTHVBU2piIn1dLCJzZXJ2aWNlcyI6W3siaWQiOiJyZWxheSIsInR5cGUiOiJEZm9zUmVsYXkiLCJlbmRwb2ludCI6Imh0dHBzOi8vcmVsYXkuZGZvcy5jb20ifSx7ImlkIjoicHJvZmlsZSIsInR5cGUiOiJDb250ZW50QW5jaG9yIiwibGFiZWwiOiJwcm9maWxlIiwiYW5jaG9yIjoiYTNuN3IzbmRlOGU0a2VlYWs5MnJyM2FlenRmdHZjMiJ9LHsiaWQiOiJhdmF0YXIiLCJ0eXBlIjoiQ29udGVudEFuY2hvciIsImxhYmVsIjoiYXZhdGFyIiwiYW5jaG9yIjoiYmFmeXJlaWV2Y3FybXZ0ejJwaXM1dGRpenQ3c2pvdG9xcW9nbDZ2cnJxZ2E2NHcydG53a3Eycm51ZHkifV0sImNyZWF0ZWRBdCI6IjIwMjYtMDMtMDdUMDA6MDU6MDAuMDAwWiJ9.uN27ljlSuUwY2EO9bfX-G2yXliJQjEsWBsHYt1-0Vds5IASc2BO8FmjhcNv5JSQjDWJ54anTR2yRPkVxkeLKBw"
   ],
   "controllerPublicKey": "z6MkrzLMNwoJSV4P3YccWcbtk8vd9LtgMKnLeaDLUqLuASjb",
   "expected": {
-    "did": "did:dfos:zhkrrzrd7z623ha8tt7dt699de8r3ar",
+    "did": "did:dfos:hd34z9a4tf6h62864nh4f7at6hr36r4",
     "isDeleted": false,
     "controllerKeys": [
       {
@@ -25,7 +25,7 @@
         "id": "profile",
         "type": "ContentAnchor",
         "label": "profile",
-        "anchor": "cv7n8vkvr64cctf3294h9k4eanhff8z"
+        "anchor": "a3n7r3nde8e4keeak92rr3aeztftvc2"
       },
       {
         "id": "avatar",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@metalabel/dfos-protocol",
-  "version": "0.11.0",
+  "version": "0.13.0",
   "type": "module",
   "description": "DFOS Protocol — Ed25519 signed chain primitives, services, credentials, and verification",
   "license": "MIT",