@metalabel/dfos-protocol 0.7.0 → 0.8.0

package/README.md

@@ -1,6 +1,6 @@
 # @metalabel/dfos-protocol
 
-Cryptographic identity and content proof — Ed25519 signed chains, content-addressed CIDs, W3C DIDs. The protocol knows about keys and document hashes. It doesn't know about posts, profiles, or any application concept.
+Ed25519 signed chain primitives for cryptographic identity and verifiable content. Self-certifying DIDs, content-addressed CIDs, offline verification. The protocol operates on keys and document hashes — application semantics are a separate concern, free to evolve without protocol changes.
 
 ## Install
 
@@ -13,8 +13,8 @@ npm install @metalabel/dfos-protocol
 ```ts
 // Chain verification
 import { verifyContentChain, verifyIdentityChain } from '@metalabel/dfos-protocol/chain';
-// Credentials (auth tokens + VC-JWT)
-import { createAuthToken, verifyCredential } from '@metalabel/dfos-protocol/credentials';
+// Credentials (auth tokens + DFOS credentials)
+import { createAuthToken, createDFOSCredential } from '@metalabel/dfos-protocol/credentials';
 // Crypto primitives
 import { createJws, dagCborCanonicalEncode, verifyJws } from '@metalabel/dfos-protocol/crypto';
 // Merkle trees
@@ -26,7 +26,7 @@ import { buildMerkleTree, verifyMerkleProof } from '@metalabel/dfos-protocol/mer
 | Export                                 | Description                                                             |
 | -------------------------------------- | ----------------------------------------------------------------------- |
 | `@metalabel/dfos-protocol/chain`       | Identity and content chain signing, verification, beacons, countersigns |
-| `@metalabel/dfos-protocol/credentials` | Auth tokens (DID-signed JWT) and VC-JWT credentials for authorization   |
+| `@metalabel/dfos-protocol/credentials` | Auth tokens (DID-signed JWT) and DFOS credentials for authorization     |
 | `@metalabel/dfos-protocol/crypto`      | Ed25519, JWS, JWT, dag-cbor, base64url, ID generation                   |
 | `@metalabel/dfos-protocol/merkle`      | SHA-256 binary merkle tree, inclusion proofs                            |
 
@@ -47,24 +47,11 @@ The `examples/` directory contains deterministic reference fixtures that can be
 - `identity-delete.json` — genesis + delete (terminal)
 - `content-lifecycle.json` — create + update (with both documents)
 - `content-delete.json` — create + delete
-- `content-delegated.json` — creator genesis + delegated update with DFOSContentWrite VC-JWT
-- `credential-write.json` — DFOSContentWrite VC-JWT (broad + content-narrowed)
-- `credential-read.json` — DFOSContentRead VC-JWT
+- `content-delegated.json` — creator genesis + delegated update with DFOS write credential
+- `credential-write.json` — DFOS write credential (broad + content-narrowed)
+- `credential-read.json` — DFOS read credential
 - `merkle-tree.json` — 5 content IDs → sorted tree → root, with inclusion proof
-- `beacon.json` — signed merkle root announcement with witness countersignature
-
-## Cross-Language Verification
-
-The `verify/` directory contains independent verification suites that re-derive CIDs and verify signatures from the reference fixtures — proving protocol correctness across implementations:
-
-| Language | Path             | Status  |
-| -------- | ---------------- | ------- |
-| Go       | `verify/go/`     | Passing |
-| Python   | `verify/python/` | Passing |
-| Rust     | `verify/rust/`   | Passing |
-| Swift    | `verify/swift/`  | Passing |
-
-Each suite uses only its language's native Ed25519, dag-cbor, and multihash implementations — no shared code with the TypeScript reference.
+- `beacon.json` — signed manifest pointer announcement with witness countersignature
 
 ## License
 

package/dist/chain/index.d.ts

@@ -1,140 +1,6 @@
-import { z } from 'zod';
-
-/** Function that signs a byte array and returns a signature */
-type Signer = (message: Uint8Array) => Promise<Uint8Array>;
-declare const MultikeyPublicKey: z.ZodObject<{
-    id: z.ZodString;
-    type: z.ZodLiteral<"Multikey">;
-    publicKeyMultibase: z.ZodString;
-}, z.core.$strict>;
-type MultikeyPublicKey = z.infer<typeof MultikeyPublicKey>;
-declare const IdentityOperation: z.ZodDiscriminatedUnion<[z.ZodObject<{
-    version: z.ZodLiteral<1>;
-    type: z.ZodLiteral<"create">;
-    authKeys: z.ZodArray<z.ZodObject<{
-        id: z.ZodString;
-        type: z.ZodLiteral<"Multikey">;
-        publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
-    assertKeys: z.ZodArray<z.ZodObject<{
-        id: z.ZodString;
-        type: z.ZodLiteral<"Multikey">;
-        publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
-    controllerKeys: z.ZodArray<z.ZodObject<{
-        id: z.ZodString;
-        type: z.ZodLiteral<"Multikey">;
-        publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
-    createdAt: z.ZodISODateTime;
-}, z.core.$strict>, z.ZodObject<{
-    version: z.ZodLiteral<1>;
-    type: z.ZodLiteral<"update">;
-    previousOperationCID: z.ZodString;
-    authKeys: z.ZodArray<z.ZodObject<{
-        id: z.ZodString;
-        type: z.ZodLiteral<"Multikey">;
-        publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
-    assertKeys: z.ZodArray<z.ZodObject<{
-        id: z.ZodString;
-        type: z.ZodLiteral<"Multikey">;
-        publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
-    controllerKeys: z.ZodArray<z.ZodObject<{
-        id: z.ZodString;
-        type: z.ZodLiteral<"Multikey">;
-        publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
-    createdAt: z.ZodISODateTime;
-}, z.core.$strict>, z.ZodObject<{
-    version: z.ZodLiteral<1>;
-    type: z.ZodLiteral<"delete">;
-    previousOperationCID: z.ZodString;
-    createdAt: z.ZodISODateTime;
-}, z.core.$strict>], "type">;
-type IdentityOperation = z.infer<typeof IdentityOperation>;
-declare const VerifiedIdentity: z.ZodObject<{
-    did: z.ZodString;
-    isDeleted: z.ZodBoolean;
-    authKeys: z.ZodArray<z.ZodObject<{
-        id: z.ZodString;
-        type: z.ZodLiteral<"Multikey">;
-        publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
-    assertKeys: z.ZodArray<z.ZodObject<{
-        id: z.ZodString;
-        type: z.ZodLiteral<"Multikey">;
-        publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
-    controllerKeys: z.ZodArray<z.ZodObject<{
-        id: z.ZodString;
-        type: z.ZodLiteral<"Multikey">;
-        publicKeyMultibase: z.ZodString;
-    }, z.core.$strict>>;
-}, z.core.$strict>;
-type VerifiedIdentity = z.infer<typeof VerifiedIdentity>;
-declare const ContentOperation: z.ZodDiscriminatedUnion<[z.ZodObject<{
-    version: z.ZodLiteral<1>;
-    type: z.ZodLiteral<"create">;
-    did: z.ZodString;
-    documentCID: z.ZodString;
-    baseDocumentCID: z.ZodNullable<z.ZodString>;
-    createdAt: z.ZodISODateTime;
-    note: z.ZodNullable<z.ZodString>;
-}, z.core.$strict>, z.ZodObject<{
-    version: z.ZodLiteral<1>;
-    type: z.ZodLiteral<"update">;
-    did: z.ZodString;
-    previousOperationCID: z.ZodString;
-    documentCID: z.ZodNullable<z.ZodString>;
-    baseDocumentCID: z.ZodNullable<z.ZodString>;
-    createdAt: z.ZodISODateTime;
-    note: z.ZodNullable<z.ZodString>;
-    /** VC-JWT authorizing this operation when signer is not the chain creator */
-    authorization: z.ZodOptional<z.ZodString>;
-}, z.core.$strict>, z.ZodObject<{
-    version: z.ZodLiteral<1>;
-    type: z.ZodLiteral<"delete">;
-    did: z.ZodString;
-    previousOperationCID: z.ZodString;
-    createdAt: z.ZodISODateTime;
-    note: z.ZodNullable<z.ZodString>;
-    /** VC-JWT authorizing this operation when signer is not the chain creator */
-    authorization: z.ZodOptional<z.ZodString>;
-}, z.core.$strict>], "type">;
-type ContentOperation = z.infer<typeof ContentOperation>;
-/** Beacon: floating signed merkle root announcement */
-declare const BeaconPayload: z.ZodObject<{
-    version: z.ZodLiteral<1>;
-    type: z.ZodLiteral<"beacon">;
-    did: z.ZodString;
-    merkleRoot: z.ZodString;
-    createdAt: z.ZodISODateTime;
-}, z.core.$strict>;
-type BeaconPayload = z.infer<typeof BeaconPayload>;
-/** Max CBOR-encoded payload size for artifacts (bytes) — protocol constant */
-declare const MAX_ARTIFACT_PAYLOAD_SIZE = 16384;
-/** Artifact: standalone signed inline document, immutable, CID-addressable */
-declare const ArtifactPayload: z.ZodObject<{
-    version: z.ZodLiteral<1>;
-    type: z.ZodLiteral<"artifact">;
-    did: z.ZodString;
-    content: z.ZodObject<{
-        $schema: z.ZodString;
-    }, z.core.$catchall<z.ZodUnknown>>;
-    createdAt: z.ZodISODateTime;
-}, z.core.$strict>;
-type ArtifactPayload = z.infer<typeof ArtifactPayload>;
-/** Countersign: standalone witness attestation referencing a target operation by CID */
-declare const CountersignPayload: z.ZodObject<{
-    version: z.ZodLiteral<1>;
-    type: z.ZodLiteral<"countersign">;
-    did: z.ZodString;
-    targetCID: z.ZodString;
-    createdAt: z.ZodISODateTime;
-}, z.core.$strict>;
-type CountersignPayload = z.infer<typeof CountersignPayload>;
+import { I as IdentityOperation, S as Signer, V as VerifiedIdentity, C as ContentOperation, B as BeaconPayload, a as CountersignPayload, A as ArtifactPayload } from '../schemas-BEl38wrI.js';
+export { M as MAX_ARTIFACT_PAYLOAD_SIZE, b as MultikeyPublicKey, R as RevocationPayload } from '../schemas-BEl38wrI.js';
+import 'zod';
 
 /** Ed25519 public key multicodec value */
 declare const ED25519_PUB_MULTICODEC = 237;
@@ -260,7 +126,8 @@ declare const signContentOperation: (input: {
  * - Genesis (create) operation: the signer is the chain creator, always authorized
  * - Subsequent operations signed by the creator DID: authorized (no credential needed)
  * - Subsequent operations signed by a different DID: must include an `authorization`
- *   field containing a valid DFOSContentWrite VC-JWT issued by the creator DID
+ *   field containing a valid DFOS credential with a delegation chain rooting at
+ *   the creator DID
  */
 declare const verifyContentChain: (input: {
     log: string[];
@@ -268,13 +135,15 @@ declare const verifyContentChain: (input: {
     resolveKey: (kid: string) => Promise<Uint8Array>;
     /**
      * Enforce creator-sovereignty authorization. When true, non-creator signers
-     * must include a DFOSContentWrite VC-JWT in the operation's `authorization`
-     * field. When false (default), any signer with a valid signature is accepted.
-     *
-     * Web relays should set this to true. Applications migrating to VC-based
-     * authorization can enable this once all chains include authorization fields.
+     * must include a DFOS credential in the operation's `authorization` field
+     * with a delegation chain rooting at the creator DID.
      */
     enforceAuthorization?: boolean;
+    /**
+     * Resolve a DID to a VerifiedIdentity. Required when `enforceAuthorization`
+     * is true, as credential verification needs identity resolution.
+     */
+    resolveIdentity?: (did: string) => Promise<VerifiedIdentity | undefined>;
 }) => Promise<VerifiedContentChain>;
 /**
  * Verify a single new content operation against already-verified chain state
@@ -294,12 +163,21 @@ declare const verifyContentExtensionFromTrustedState: (input: {
     resolveKey: (kid: string) => Promise<Uint8Array>;
     /** Enforce creator-sovereignty authorization (see verifyContentChain) */
     enforceAuthorization?: boolean;
+    /** Resolve a DID to a VerifiedIdentity. Required when enforceAuthorization is true. */
+    resolveIdentity?: (did: string) => Promise<VerifiedIdentity | undefined>;
 }) => Promise<{
     state: VerifiedContentChain;
     operationCID: string;
     createdAt: string;
 }>;
 
+interface VerifiedBeacon {
+    did: string;
+    manifestContentId: string;
+    createdAt: string;
+    signerKeyId: string;
+    beaconCID: string;
+}
 /**
  * Sign a beacon announcement as a JWS
  */
@@ -311,10 +189,6 @@ declare const signBeacon: (input: {
     jwsToken: string;
     beaconCID: string;
 }>;
-interface VerifiedBeacon {
-    payload: BeaconPayload;
-    beaconCID: string;
-}
 /**
  * Verify a beacon JWS — signature, CID, payload schema, clock skew
  */
@@ -381,4 +255,36 @@ declare const verifyArtifact: (input: {
     resolveKey: (kid: string) => Promise<Uint8Array>;
 }) => Promise<VerifiedArtifact>;
 
-export { ArtifactPayload, BeaconPayload, ContentOperation, CountersignPayload, ED25519_PRIV_MULTICODEC, ED25519_PUB_MULTICODEC, IdentityOperation, MAX_ARTIFACT_PAYLOAD_SIZE, MultikeyPublicKey, type Signer, type VerifiedArtifact, type VerifiedBeacon, type VerifiedContentChain, type VerifiedCountersignature, VerifiedIdentity, decodeMultikey, deriveChainIdentifier, deriveContentId, encodeEd25519Multikey, signArtifact, signBeacon, signContentOperation, signCountersignature, signIdentityOperation, verifyArtifact, verifyBeacon, verifyContentChain, verifyContentExtensionFromTrustedState, verifyCountersignature, verifyIdentityChain, verifyIdentityExtensionFromTrustedState };
+interface VerifiedRevocation {
+    /** The issuer DID that revoked the credential */
+    did: string;
+    /** CID of the revoked credential */
+    credentialCID: string;
+    /** Timestamp of the revocation */
+    createdAt: string;
+    /** kid from the JWS header */
+    signerKeyId: string;
+    /** CID of the revocation artifact itself */
+    revocationCID: string;
+}
+/**
+ * Sign a revocation artifact as a JWS
+ */
+declare const signRevocation: (input: {
+    issuerDID: string;
+    credentialCID: string;
+    signer: Signer;
+    keyId: string;
+}) => Promise<{
+    jwsToken: string;
+    revocationCID: string;
+}>;
+/**
+ * Verify a revocation JWS — signature, CID, payload schema, signer match
+ */
+declare const verifyRevocation: (input: {
+    jwsToken: string;
+    resolveKey: (kid: string) => Promise<Uint8Array>;
+}) => Promise<VerifiedRevocation>;
+
+export { ArtifactPayload, BeaconPayload, ContentOperation, CountersignPayload, ED25519_PRIV_MULTICODEC, ED25519_PUB_MULTICODEC, IdentityOperation, Signer, type VerifiedArtifact, type VerifiedBeacon, type VerifiedContentChain, type VerifiedCountersignature, VerifiedIdentity, type VerifiedRevocation, decodeMultikey, deriveChainIdentifier, deriveContentId, encodeEd25519Multikey, signArtifact, signBeacon, signContentOperation, signCountersignature, signIdentityOperation, signRevocation, verifyArtifact, verifyBeacon, verifyContentChain, verifyContentExtensionFromTrustedState, verifyCountersignature, verifyIdentityChain, verifyIdentityExtensionFromTrustedState, verifyRevocation };

package/dist/chain/index.js

@@ -3,30 +3,34 @@ import {
   BeaconPayload,
   ContentOperation,
   CountersignPayload,
-  ED25519_PRIV_MULTICODEC,
-  ED25519_PUB_MULTICODEC,
   IdentityOperation,
   MAX_ARTIFACT_PAYLOAD_SIZE,
   MultikeyPublicKey,
+  RevocationPayload,
   VerifiedIdentity,
-  decodeMultikey,
   deriveChainIdentifier,
   deriveContentId,
-  encodeEd25519Multikey,
   signArtifact,
   signBeacon,
   signContentOperation,
   signCountersignature,
   signIdentityOperation,
+  signRevocation,
   verifyArtifact,
   verifyBeacon,
   verifyContentChain,
   verifyContentExtensionFromTrustedState,
   verifyCountersignature,
   verifyIdentityChain,
-  verifyIdentityExtensionFromTrustedState
-} from "../chunk-QKHP7UVL.js";
-import "../chunk-CZSEEZLL.js";
+  verifyIdentityExtensionFromTrustedState,
+  verifyRevocation
+} from "../chunk-LQ56P4SU.js";
+import {
+  ED25519_PRIV_MULTICODEC,
+  ED25519_PUB_MULTICODEC,
+  decodeMultikey,
+  encodeEd25519Multikey
+} from "../chunk-MEV6QVLC.js";
 import "../chunk-ZXXP5W5N.js";
 export {
   ArtifactPayload,
@@ -38,6 +42,7 @@ export {
   IdentityOperation,
   MAX_ARTIFACT_PAYLOAD_SIZE,
   MultikeyPublicKey,
+  RevocationPayload,
   VerifiedIdentity,
   decodeMultikey,
   deriveChainIdentifier,
@@ -48,11 +53,13 @@ export {
   signContentOperation,
   signCountersignature,
   signIdentityOperation,
+  signRevocation,
   verifyArtifact,
   verifyBeacon,
   verifyContentChain,
   verifyContentExtensionFromTrustedState,
   verifyCountersignature,
   verifyIdentityChain,
-  verifyIdentityExtensionFromTrustedState
+  verifyIdentityExtensionFromTrustedState,
+  verifyRevocation
 };