@metalabel/dfos-protocol 0.7.0 → 0.8.0

package/dist/{chunk-QKHP7UVL.js → chunk-LQ56P4SU.js}

@@ -1,8 +1,10 @@
 import {
-  VC_TYPE_CONTENT_WRITE,
-  decodeCredentialUnsafe,
-  verifyCredential
-} from "./chunk-CZSEEZLL.js";
+  decodeDFOSCredentialUnsafe,
+  decodeMultikey,
+  matchesResource,
+  verifyDFOSCredential,
+  verifyDelegationChain
+} from "./chunk-MEV6QVLC.js";
 import {
   createJws,
   dagCborCanonicalEncode,
@@ -79,7 +81,7 @@ var ContentUpdate = z.strictObject({
   baseDocumentCID: CIDString.nullable(),
   createdAt: Iso8601,
   note: z.string().max(MAX_NOTE).nullable(),
-  /** VC-JWT authorizing this operation when signer is not the chain creator */
+  /** DFOS credential authorizing this operation when signer is not the chain creator */
   authorization: z.string().optional()
 });
 var ContentDelete = z.strictObject({
@@ -89,7 +91,7 @@ var ContentDelete = z.strictObject({
   previousOperationCID: CIDString,
   createdAt: Iso8601,
   note: z.string().max(MAX_NOTE).nullable(),
-  /** VC-JWT authorizing this operation when signer is not the chain creator */
+  /** DFOS credential authorizing this operation when signer is not the chain creator */
   authorization: z.string().optional()
 });
 var ContentOperation = z.discriminatedUnion("type", [
@@ -101,7 +103,7 @@ var BeaconPayload = z.strictObject({
   version: z.literal(1),
   type: z.literal("beacon"),
   did: z.string().max(MAX_DID),
-  merkleRoot: z.string().regex(/^[0-9a-f]{64}$/),
+  manifestContentId: z.string().max(MAX_CID),
   createdAt: Iso8601
 });
 var MAX_SCHEMA = 256;
@@ -121,45 +123,13 @@ var CountersignPayload = z.strictObject({
   targetCID: CIDString,
   createdAt: Iso8601
 });
-
-// src/chain/multikey.ts
-import { base58btc } from "multiformats/bases/base58";
-var ED25519_PUB_PREFIX = new Uint8Array([237, 1]);
-var ED25519_PRIV_PREFIX = new Uint8Array([128, 38]);
-var ED25519_PUB_MULTICODEC = 237;
-var ED25519_PRIV_MULTICODEC = 4864;
-var encodeEd25519Multikey = (publicKeyBytes) => {
-  if (publicKeyBytes.length !== 32) {
-    throw new Error(`expected 32-byte Ed25519 public key, got ${publicKeyBytes.length}`);
-  }
-  const prefixed = new Uint8Array(ED25519_PUB_PREFIX.length + publicKeyBytes.length);
-  prefixed.set(ED25519_PUB_PREFIX);
-  prefixed.set(publicKeyBytes, ED25519_PUB_PREFIX.length);
-  return base58btc.encode(prefixed);
-};
-var decodeMultikey = (multibase) => {
-  const bytes = base58btc.decode(multibase);
-  if (bytes.length < 2) {
-    throw new Error("multikey too short");
-  }
-  if (bytes[0] === ED25519_PUB_PREFIX[0] && bytes[1] === ED25519_PUB_PREFIX[1]) {
-    const keyBytes = bytes.slice(2);
-    if (keyBytes.length !== 32) {
-      throw new Error(`expected 32-byte Ed25519 public key, got ${keyBytes.length}`);
-    }
-    return { keyBytes, codec: ED25519_PUB_MULTICODEC };
-  }
-  if (bytes[0] === ED25519_PRIV_PREFIX[0] && bytes[1] === ED25519_PRIV_PREFIX[1]) {
-    const keyBytes = bytes.slice(2);
-    if (keyBytes.length !== 32) {
-      throw new Error(`expected 32-byte Ed25519 private key, got ${keyBytes.length}`);
-    }
-    return { keyBytes, codec: ED25519_PRIV_MULTICODEC };
-  }
-  throw new Error(
-    `unsupported multikey codec: [0x${bytes[0]?.toString(16)}, 0x${bytes[1]?.toString(16)}]`
-  );
-};
+var RevocationPayload = z.strictObject({
+  version: z.literal(1),
+  type: z.literal("revocation"),
+  did: z.string().max(MAX_DID),
+  credentialCID: CIDString,
+  createdAt: Iso8601
+});
 
 // src/chain/derivation.ts
 var deriveChainIdentifier = (cidBytes, prefix) => {
@@ -400,8 +370,39 @@ var signContentOperation = async (input) => {
   });
   return { jwsToken, operationCID };
 };
+var verifyOperationAuthorization = async (input) => {
+  const decoded = decodeDFOSCredentialUnsafe(input.authorization);
+  if (!decoded) {
+    throw new Error("failed to decode authorization credential");
+  }
+  if (decoded.header.typ !== "did:dfos:credential") {
+    throw new Error(`invalid authorization typ: ${decoded.header.typ}`);
+  }
+  const opCreatedAtUnix = Math.floor(new Date(input.createdAt).getTime() / 1e3);
+  const credential = await verifyDFOSCredential(input.authorization, {
+    resolveIdentity: input.resolveIdentity,
+    now: opCreatedAtUnix
+  });
+  await verifyDelegationChain(credential, {
+    resolveIdentity: input.resolveIdentity,
+    rootDID: input.creatorDID,
+    now: opCreatedAtUnix
+  });
+  if (credential.aud !== "*" && credential.aud !== input.operationDID) {
+    throw new Error(
+      `credential audience ${credential.aud} does not match operation signer ${input.operationDID}`
+    );
+  }
+  const covers = await matchesResource(credential.att, `chain:${input.contentId}`, "write");
+  if (!covers) {
+    throw new Error(`credential does not cover write access to chain:${input.contentId}`);
+  }
+};
 var verifyContentChain = async (input) => {
   if (input.log.length === 0) throw new Error("log must have at least one operation");
+  if (input.enforceAuthorization && !input.resolveIdentity) {
+    throw new Error("resolveIdentity is required when enforceAuthorization is true");
+  }
   const state = {
     contentId: null,
     genesisCID: null,
@@ -459,40 +460,18 @@ var verifyContentChain = async (input) => {
       const authorization = op.type !== "create" ? op.authorization : void 0;
       if (!authorization) {
         throw new Error(
-          `log[${idx}]: signer ${op.did} is not the chain creator \u2014 authorization VC required`
+          `log[${idx}]: signer ${op.did} is not the chain creator \u2014 authorization credential required`
         );
       }
-      const vcDecoded = decodeCredentialUnsafe(authorization);
-      if (!vcDecoded) {
-        throw new Error(`log[${idx}]: failed to decode authorization VC`);
-      }
-      const vcKid = vcDecoded.header.kid;
-      if (!vcKid || !vcKid.includes("#")) {
-        throw new Error(`log[${idx}]: authorization VC kid must be a DID URL`);
-      }
-      let creatorPublicKey;
-      try {
-        creatorPublicKey = await input.resolveKey(vcKid);
-      } catch {
-        throw new Error(`log[${idx}]: cannot resolve creator key for authorization verification`);
-      }
-      const opCreatedAtUnix = Math.floor(new Date(op.createdAt).getTime() / 1e3);
       try {
-        const credential = verifyCredential({
-          token: authorization,
-          publicKey: creatorPublicKey,
-          subject: op.did,
-          expectedType: VC_TYPE_CONTENT_WRITE,
-          currentTime: opCreatedAtUnix
+        await verifyOperationAuthorization({
+          authorization,
+          operationDID: op.did,
+          creatorDID: state.creatorDID,
+          contentId: state.contentId,
+          createdAt: op.createdAt,
+          resolveIdentity: input.resolveIdentity
         });
-        if (credential.iss !== state.creatorDID) {
-          throw new Error("VC issuer is not the chain creator");
-        }
-        if (credential.contentId && credential.contentId !== state.contentId) {
-          throw new Error(
-            `VC contentId ${credential.contentId} does not match chain ${state.contentId}`
-          );
-        }
       } catch (err) {
         const message = err instanceof Error ? err.message : "unknown error";
         throw new Error(`log[${idx}]: authorization verification failed: ${message}`);
@@ -541,6 +520,9 @@ var verifyContentExtensionFromTrustedState = async (input) => {
   if (currentState.isDeleted) {
     throw new Error("cannot extend a deleted chain");
   }
+  if (input.enforceAuthorization && !input.resolveIdentity) {
+    throw new Error("resolveIdentity is required when enforceAuthorization is true");
+  }
   const decoded = decodeJwsUnsafe(newOp);
   if (!decoded) throw new Error("failed to decode JWS");
   const result = ContentOperation.safeParse(decoded.payload);
@@ -577,37 +559,19 @@ var verifyContentExtensionFromTrustedState = async (input) => {
   if (op.did !== currentState.creatorDID && input.enforceAuthorization) {
     const authorization = op.authorization;
     if (!authorization) {
-      throw new Error(`signer ${op.did} is not the chain creator \u2014 authorization VC required`);
-    }
-    const vcDecoded = decodeCredentialUnsafe(authorization);
-    if (!vcDecoded) throw new Error("failed to decode authorization VC");
-    const vcKid = vcDecoded.header.kid;
-    if (!vcKid || !vcKid.includes("#")) {
-      throw new Error("authorization VC kid must be a DID URL");
-    }
-    let creatorPublicKey;
-    try {
-      creatorPublicKey = await resolveKey(vcKid);
-    } catch {
-      throw new Error("cannot resolve creator key for authorization verification");
+      throw new Error(
+        `signer ${op.did} is not the chain creator \u2014 authorization credential required`
+      );
     }
-    const opCreatedAtUnix = Math.floor(new Date(op.createdAt).getTime() / 1e3);
     try {
-      const credential = verifyCredential({
-        token: authorization,
-        publicKey: creatorPublicKey,
-        subject: op.did,
-        expectedType: VC_TYPE_CONTENT_WRITE,
-        currentTime: opCreatedAtUnix
+      await verifyOperationAuthorization({
+        authorization,
+        operationDID: op.did,
+        creatorDID: currentState.creatorDID,
+        contentId: currentState.contentId,
+        createdAt: op.createdAt,
+        resolveIdentity: input.resolveIdentity
       });
-      if (credential.iss !== currentState.creatorDID) {
-        throw new Error("VC issuer is not the chain creator");
-      }
-      if (credential.contentId && credential.contentId !== currentState.contentId) {
-        throw new Error(
-          `VC contentId ${credential.contentId} does not match chain ${currentState.contentId}`
-        );
-      }
     } catch (err) {
       const message = err instanceof Error ? err.message : "unknown error";
       throw new Error(`authorization verification failed: ${message}`);
@@ -675,7 +639,13 @@ var verifyBeacon = async (input) => {
   if (beaconTime > now + MAX_FUTURE_MS) {
     throw new Error("beacon createdAt is too far in the future");
   }
-  return { payload, beaconCID };
+  return {
+    did: payload.did,
+    manifestContentId: payload.manifestContentId,
+    createdAt: payload.createdAt,
+    signerKeyId: kid,
+    beaconCID
+  };
 };
 
 // src/chain/countersign.ts
@@ -778,6 +748,64 @@ var verifyArtifact = async (input) => {
   return { payload, artifactCID };
 };
 
+// src/chain/revocation.ts
+var signRevocation = async (input) => {
+  const kid = `${input.issuerDID}#${input.keyId}`;
+  const now = (/* @__PURE__ */ new Date()).toISOString().replace(/\d{3}Z$/, "000Z");
+  const payload = {
+    version: 1,
+    type: "revocation",
+    did: input.issuerDID,
+    credentialCID: input.credentialCID,
+    createdAt: now
+  };
+  const encoded = await dagCborCanonicalEncode(payload);
+  const revocationCID = encoded.cid.toString();
+  const jwsToken = await createJws({
+    header: { alg: "EdDSA", typ: "did:dfos:revocation", kid, cid: revocationCID },
+    payload,
+    sign: input.signer
+  });
+  return { jwsToken, revocationCID };
+};
+var verifyRevocation = async (input) => {
+  const decoded = decodeJwsUnsafe(input.jwsToken);
+  if (!decoded) throw new Error("failed to decode revocation JWS");
+  const result = RevocationPayload.safeParse(decoded.payload);
+  if (!result.success) {
+    const messages = result.error.issues.map((e) => e.message).join(", ");
+    throw new Error(`invalid revocation payload: ${messages}`);
+  }
+  const payload = result.data;
+  if (decoded.header.typ !== "did:dfos:revocation") {
+    throw new Error(`invalid revocation typ: ${decoded.header.typ}`);
+  }
+  const kid = decoded.header.kid;
+  const hashIdx = kid.indexOf("#");
+  if (hashIdx < 0) throw new Error("revocation kid must be a DID URL");
+  const kidDid = kid.substring(0, hashIdx);
+  if (kidDid !== payload.did) {
+    throw new Error("revocation kid DID does not match payload did");
+  }
+  const publicKey = await input.resolveKey(kid);
+  try {
+    verifyJws({ token: input.jwsToken, publicKey });
+  } catch {
+    throw new Error("invalid revocation signature");
+  }
+  const encoded = await dagCborCanonicalEncode(payload);
+  const revocationCID = encoded.cid.toString();
+  if (!decoded.header.cid) throw new Error("missing cid in revocation header");
+  if (decoded.header.cid !== revocationCID) throw new Error("revocation cid mismatch");
+  return {
+    did: payload.did,
+    credentialCID: payload.credentialCID,
+    createdAt: payload.createdAt,
+    signerKeyId: kid,
+    revocationCID
+  };
+};
+
 export {
   MultikeyPublicKey,
   IdentityOperation,
@@ -787,10 +815,7 @@ export {
   MAX_ARTIFACT_PAYLOAD_SIZE,
   ArtifactPayload,
   CountersignPayload,
-  ED25519_PUB_MULTICODEC,
-  ED25519_PRIV_MULTICODEC,
-  encodeEd25519Multikey,
-  decodeMultikey,
+  RevocationPayload,
   deriveChainIdentifier,
   deriveContentId,
   signIdentityOperation,
@@ -804,5 +829,7 @@ export {
   signCountersignature,
   verifyCountersignature,
   signArtifact,
-  verifyArtifact
+  verifyArtifact,
+  signRevocation,
+  verifyRevocation
 };