@metalabel/dfos-protocol 0.9.0 → 0.11.0

package/dist/{chunk-UEJ364OG.js → chunk-SDUOUFTF.js}

@@ -4,14 +4,14 @@ import {
   matchesResource,
   verifyDFOSCredential,
   verifyDelegationChain
-} from "./chunk-24VGJGUM.js";
+} from "./chunk-LQFOBE6X.js";
 import {
   createJws,
   dagCborCanonicalEncode,
   decodeJwsUnsafe,
   generateIdNoPrefix,
   verifyJws
-} from "./chunk-ZXXP5W5N.js";
+} from "./chunk-GQOZJKKO.js";
 
 // src/chain/schemas.ts
 import { z } from "zod";
@@ -21,11 +21,49 @@ var MAX_CID = 256;
 var MAX_NOTE = 256;
 var MAX_KEYS_PER_ROLE = 16;
 var MAX_DID = 256;
+var MAX_SERVICE_ID = 64;
+var MAX_SERVICE_TYPE = 64;
+var MAX_SERVICE_STRING = 512;
+var MAX_RELATION = 64;
+var MAX_SERVICES_ENTRIES = 16;
+var MAX_SERVICES_PAYLOAD_SIZE = 8192;
 var MultikeyPublicKey = z.strictObject({
   id: z.string().max(MAX_KEY_ID),
   type: z.literal("Multikey"),
   publicKeyMultibase: z.string().max(MAX_PUBLIC_KEY_MULTIBASE)
 });
+var CONTENT_ID_ANCHOR_RE = /^[2346789acdefhknrtvz]{31}$/;
+var ARTIFACT_CID_ANCHOR_RE = /^baf[a-z2-7]{20,}$/;
+var ServiceEntry = z.object({
+  id: z.string().min(1).max(MAX_SERVICE_ID),
+  type: z.string().min(1).max(MAX_SERVICE_TYPE)
+}).catchall(z.unknown()).superRefine((entry, ctx) => {
+  if (entry.type === "DfosRelay") {
+    const endpoint = entry["endpoint"];
+    if (typeof endpoint !== "string" || endpoint.length < 1 || endpoint.length > MAX_SERVICE_STRING) {
+      ctx.addIssue({ code: "custom", message: "DfosRelay requires a non-empty endpoint string" });
+    }
+  } else if (entry.type === "ContentAnchor") {
+    const label = entry["label"];
+    const anchor = entry["anchor"];
+    if (typeof label !== "string" || label.length < 1 || label.length > MAX_SERVICE_STRING) {
+      ctx.addIssue({
+        code: "custom",
+        message: "ContentAnchor requires a non-empty label string"
+      });
+    }
+    if (typeof anchor !== "string" || !(CONTENT_ID_ANCHOR_RE.test(anchor) || ARTIFACT_CID_ANCHOR_RE.test(anchor))) {
+      ctx.addIssue({
+        code: "custom",
+        message: "ContentAnchor anchor must be a 31-char contentId or a CIDv1 artifact CID"
+      });
+    }
+  }
+});
+var ServicesArray = z.array(ServiceEntry).max(MAX_SERVICES_ENTRIES).refine(
+  (arr) => new Set(arr.map((e) => e.id)).size === arr.length,
+  "service entry ids must be unique"
+);
 var Iso8601 = z.iso.datetime({ offset: false, precision: 3 });
 var CIDString = z.string().max(MAX_CID);
 var IdentityCreate = z.strictObject({
@@ -34,6 +72,9 @@ var IdentityCreate = z.strictObject({
   authKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
   assertKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
   controllerKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
+  // Full-state discovery vocabulary. Optional so ops without services encode
+  // identically (undefined strips under canonical CBOR — CID-neutral).
+  services: ServicesArray.optional(),
   createdAt: Iso8601
 });
 var IdentityUpdate = z.strictObject({
@@ -43,6 +84,8 @@ var IdentityUpdate = z.strictObject({
   authKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
   assertKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
   controllerKeys: z.array(MultikeyPublicKey).min(1, "update must have at least one controller key").max(MAX_KEYS_PER_ROLE),
+  // Full-state: an update REPLACES the entire services set (omit to clear).
+  services: ServicesArray.optional(),
   createdAt: Iso8601
 });
 var IdentityDelete = z.strictObject({
@@ -61,7 +104,9 @@ var VerifiedIdentity = z.strictObject({
   isDeleted: z.boolean(),
   authKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
   assertKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
-  controllerKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE)
+  controllerKeys: z.array(MultikeyPublicKey).max(MAX_KEYS_PER_ROLE),
+  /** Resolved discovery vocabulary — projection of the winning head's services */
+  services: ServicesArray
 });
 var ContentCreate = z.strictObject({
   version: z.literal(1),
@@ -99,13 +144,6 @@ var ContentOperation = z.discriminatedUnion("type", [
   ContentUpdate,
   ContentDelete
 ]);
-var BeaconPayload = z.strictObject({
-  version: z.literal(1),
-  type: z.literal("beacon"),
-  did: z.string().max(MAX_DID),
-  manifestContentId: z.string().max(MAX_CID),
-  createdAt: Iso8601
-});
 var MAX_SCHEMA = 256;
 var MAX_ARTIFACT_PAYLOAD_SIZE = 16384;
 var ArtifactContent = z.object({ $schema: z.string().max(MAX_SCHEMA) }).catchall(z.unknown());
@@ -121,6 +159,7 @@ var CountersignPayload = z.strictObject({
   type: z.literal("countersign"),
   did: z.string().max(MAX_DID),
   targetCID: CIDString,
+  relation: z.string().min(1).max(MAX_RELATION).optional(),
   createdAt: Iso8601
 });
 var RevocationPayload = z.strictObject({
@@ -140,6 +179,27 @@ var deriveContentId = (cidBytes) => {
   return generateIdNoPrefix({ seed: cidBytes });
 };
 
+// src/chain/services.ts
+var assertServicesWithinCap = async (services) => {
+  const encoded = await dagCborCanonicalEncode(services);
+  if (encoded.bytes.length > MAX_SERVICES_PAYLOAD_SIZE) {
+    throw new Error(
+      `services payload exceeds max size: ${encoded.bytes.length} > ${MAX_SERVICES_PAYLOAD_SIZE}`
+    );
+  }
+};
+var classifyAnchor = (anchor) => {
+  if (CONTENT_ID_ANCHOR_RE.test(anchor)) return "chain";
+  if (ARTIFACT_CID_ANCHOR_RE.test(anchor)) return "artifact";
+  return "invalid";
+};
+var RECOGNIZED_SERVICE_TYPES = ["DfosRelay", "ContentAnchor"];
+var isRecognizedServiceType = (type) => RECOGNIZED_SERVICE_TYPES.includes(type);
+var relayEndpoints = (services) => services.filter((e) => e.type === "DfosRelay").map((e) => e["endpoint"]).filter((v) => typeof v === "string");
+var anchorsByLabel = (services, label) => services.filter(
+  (e) => e.type === "ContentAnchor" && e["label"] === label
+);
+
 // src/chain/identity-chain.ts
 var signIdentityOperation = async (input) => {
   const kid = input.identityDID ? `${input.identityDID}#${input.keyId}` : input.keyId;
@@ -162,6 +222,7 @@ var verifyIdentityChain = async (input) => {
     authKeys: [],
     assertKeys: [],
     controllerKeys: [],
+    services: [],
     seenKeys: /* @__PURE__ */ new Map()
   };
   for (const [idx, jwsToken] of input.log.entries()) {
@@ -190,6 +251,7 @@ var verifyIdentityChain = async (input) => {
       state.authKeys = op.authKeys;
       state.assertKeys = op.assertKeys;
       state.controllerKeys = op.controllerKeys;
+      state.services = op.services ?? [];
     }
     if (op.type === "update" || op.type === "delete") {
       if (op.previousOperationCID !== state.previousOperationCID) {
@@ -217,6 +279,13 @@ var verifyIdentityChain = async (input) => {
           throw new Error(`log[${idx}]: cannot repeat key ids in same usage`);
         }
       });
+      if (op.services) {
+        try {
+          await assertServicesWithinCap(op.services);
+        } catch (e) {
+          throw new Error(`log[${idx}]: ${e.message}`);
+        }
+      }
     }
     const encoded = await dagCborCanonicalEncode(op);
     const operationCID = encoded.cid.toString();
@@ -271,6 +340,7 @@ var verifyIdentityChain = async (input) => {
         state.authKeys = op.authKeys;
         state.assertKeys = op.assertKeys;
         state.controllerKeys = op.controllerKeys;
+        state.services = op.services ?? [];
         break;
       case "delete":
         state.isDeleted = true;
@@ -283,7 +353,8 @@ var verifyIdentityChain = async (input) => {
     isDeleted: state.isDeleted,
     authKeys: state.authKeys,
     assertKeys: state.assertKeys,
-    controllerKeys: state.controllerKeys
+    controllerKeys: state.controllerKeys,
+    services: state.services
   };
 };
 var verifyIdentityExtensionFromTrustedState = async (input) => {
@@ -342,19 +413,22 @@ var verifyIdentityExtensionFromTrustedState = async (input) => {
         throw new Error("cannot repeat key ids in same usage");
       }
     });
+    if (op.services) await assertServicesWithinCap(op.services);
   }
   const newState = op.type === "update" ? {
     did: currentState.did,
     isDeleted: false,
     authKeys: op.authKeys,
     assertKeys: op.assertKeys,
-    controllerKeys: op.controllerKeys
+    controllerKeys: op.controllerKeys,
+    services: op.services ?? []
   } : {
     did: currentState.did,
     isDeleted: true,
     authKeys: currentState.authKeys,
     assertKeys: currentState.assertKeys,
-    controllerKeys: currentState.controllerKeys
+    controllerKeys: currentState.controllerKeys,
+    services: currentState.services
   };
   return { state: newState, operationCID, createdAt: op.createdAt };
 };
@@ -383,10 +457,14 @@ var verifyOperationAuthorization = async (input) => {
     resolveIdentity: input.resolveIdentity,
     now: opCreatedAtUnix
   });
+  if (input.isRevoked && await input.isRevoked(credential.iss, credential.credentialCID)) {
+    throw new Error("credential is revoked");
+  }
   await verifyDelegationChain(credential, {
     resolveIdentity: input.resolveIdentity,
     rootDID: input.creatorDID,
-    now: opCreatedAtUnix
+    now: opCreatedAtUnix,
+    ...input.isRevoked ? { isRevoked: input.isRevoked } : {}
   });
   if (credential.aud !== "*" && credential.aud !== input.operationDID) {
     throw new Error(
@@ -470,7 +548,8 @@ var verifyContentChain = async (input) => {
           creatorDID: state.creatorDID,
           contentId: state.contentId,
           createdAt: op.createdAt,
-          resolveIdentity: input.resolveIdentity
+          resolveIdentity: input.resolveIdentity,
+          ...input.isRevoked ? { isRevoked: input.isRevoked } : {}
         });
       } catch (err) {
         const message = err instanceof Error ? err.message : "unknown error";
@@ -570,7 +649,8 @@ var verifyContentExtensionFromTrustedState = async (input) => {
         creatorDID: currentState.creatorDID,
         contentId: currentState.contentId,
         createdAt: op.createdAt,
-        resolveIdentity: input.resolveIdentity
+        resolveIdentity: input.resolveIdentity,
+        ...input.isRevoked ? { isRevoked: input.isRevoked } : {}
       });
     } catch (err) {
       const message = err instanceof Error ? err.message : "unknown error";
@@ -593,61 +673,6 @@ var verifyContentExtensionFromTrustedState = async (input) => {
   return { state: newState, operationCID, createdAt: op.createdAt };
 };
 
-// src/chain/beacon.ts
-var signBeacon = async (input) => {
-  const encoded = await dagCborCanonicalEncode(input.payload);
-  const beaconCID = encoded.cid.toString();
-  const jwsToken = await createJws({
-    header: { alg: "EdDSA", typ: "did:dfos:beacon", kid: input.kid, cid: beaconCID },
-    payload: input.payload,
-    sign: input.signer
-  });
-  return { jwsToken, beaconCID };
-};
-var MAX_FUTURE_MS = 5 * 60 * 1e3;
-var verifyBeacon = async (input) => {
-  const decoded = decodeJwsUnsafe(input.jwsToken);
-  if (!decoded) throw new Error("failed to decode beacon JWS");
-  const result = BeaconPayload.safeParse(decoded.payload);
-  if (!result.success) {
-    const messages = result.error.issues.map((e) => e.message).join(", ");
-    throw new Error(`invalid beacon payload: ${messages}`);
-  }
-  const payload = result.data;
-  if (decoded.header.typ !== "did:dfos:beacon") {
-    throw new Error(`invalid beacon typ: ${decoded.header.typ}`);
-  }
-  const kid = decoded.header.kid;
-  const hashIdx = kid.indexOf("#");
-  if (hashIdx < 0) throw new Error("beacon kid must be a DID URL");
-  const kidDid = kid.substring(0, hashIdx);
-  if (kidDid !== payload.did) {
-    throw new Error("beacon kid DID does not match payload did");
-  }
-  const publicKey = await input.resolveKey(kid);
-  try {
-    verifyJws({ token: input.jwsToken, publicKey });
-  } catch {
-    throw new Error("invalid beacon signature");
-  }
-  const encoded = await dagCborCanonicalEncode(payload);
-  const beaconCID = encoded.cid.toString();
-  if (!decoded.header.cid) throw new Error("missing cid in beacon header");
-  if (decoded.header.cid !== beaconCID) throw new Error("beacon cid mismatch");
-  const now = input.now ?? Date.now();
-  const beaconTime = new Date(payload.createdAt).getTime();
-  if (beaconTime > now + MAX_FUTURE_MS) {
-    throw new Error("beacon createdAt is too far in the future");
-  }
-  return {
-    did: payload.did,
-    manifestContentId: payload.manifestContentId,
-    createdAt: payload.createdAt,
-    signerKeyId: kid,
-    beaconCID
-  };
-};
-
 // src/chain/countersign.ts
 var signCountersignature = async (input) => {
   const encoded = await dagCborCanonicalEncode(input.payload);
@@ -691,7 +716,8 @@ var verifyCountersignature = async (input) => {
   return {
     countersignCID,
     witnessDID: payload.did,
-    targetCID: payload.targetCID
+    targetCID: payload.targetCID,
+    ...payload.relation !== void 0 ? { relation: payload.relation } : {}
   };
 };
 
@@ -807,25 +833,34 @@ var verifyRevocation = async (input) => {
 };
 
 export {
+  MAX_SERVICES_ENTRIES,
+  MAX_SERVICES_PAYLOAD_SIZE,
   MultikeyPublicKey,
+  CONTENT_ID_ANCHOR_RE,
+  ARTIFACT_CID_ANCHOR_RE,
+  ServiceEntry,
+  ServicesArray,
   IdentityOperation,
   VerifiedIdentity,
   ContentOperation,
-  BeaconPayload,
   MAX_ARTIFACT_PAYLOAD_SIZE,
   ArtifactPayload,
   CountersignPayload,
   RevocationPayload,
   deriveChainIdentifier,
   deriveContentId,
+  assertServicesWithinCap,
+  classifyAnchor,
+  RECOGNIZED_SERVICE_TYPES,
+  isRecognizedServiceType,
+  relayEndpoints,
+  anchorsByLabel,
   signIdentityOperation,
   verifyIdentityChain,
   verifyIdentityExtensionFromTrustedState,
   signContentOperation,
   verifyContentChain,
   verifyContentExtensionFromTrustedState,
-  signBeacon,
-  verifyBeacon,
   signCountersignature,
   verifyCountersignature,
   signArtifact,

package/dist/credentials/index.d.ts

@@ -1,5 +1,5 @@
 import { z } from 'zod';
-import { V as VerifiedIdentity } from '../schemas-BEl38wrI.js';
+import { V as VerifiedIdentity } from '../schemas-Myod8ES9.js';
 
 /** Single attenuation entry — resource + action pair */
 declare const Attenuation: z.ZodObject<{
@@ -11,34 +11,23 @@ type Attenuation = z.infer<typeof Attenuation>;
 declare const DFOSCredentialPayload: z.ZodObject<{
     version: z.ZodLiteral<1>;
     type: z.ZodLiteral<"DFOSCredential">;
-    /** Issuer DID */
     iss: z.ZodString;
-    /** Audience DID or "*" for public credentials */
     aud: z.ZodString;
-    /** Attenuations — resource + action pairs */
     att: z.ZodArray<z.ZodObject<{
         resource: z.ZodString;
         action: z.ZodString;
     }, z.core.$strict>>;
-    /** Parent credential JWS tokens (for delegation chains) */
     prf: z.ZodDefault<z.ZodArray<z.ZodString>>;
-    /** Expiration — unix seconds */
     exp: z.ZodNumber;
-    /** Issued at — unix seconds */
     iat: z.ZodNumber;
 }, z.core.$strict>;
 type DFOSCredentialPayload = z.infer<typeof DFOSCredentialPayload>;
 /** Claims for a DID-signed auth token (relay AuthN) */
 declare const AuthTokenClaims: z.ZodObject<{
-    /** Issuer — the DID proving identity */
     iss: z.ZodString;
-    /** Subject — same as iss for auth tokens */
     sub: z.ZodString;
-    /** Audience — target relay hostname (prevents cross-relay replay) */
     aud: z.ZodString;
-    /** Expiration — unix seconds, short-lived (minutes) */
     exp: z.ZodNumber;
-    /** Issued at — unix seconds */
     iat: z.ZodNumber;
 }, z.core.$strict>;
 type AuthTokenClaims = z.infer<typeof AuthTokenClaims>;
@@ -74,6 +63,8 @@ interface VerifiedAuthToken {
     aud: string;
     /** Token expiration (unix seconds) */
     exp: number;
+    /** Token issued-at (unix seconds) */
+    iat: number;
     /** kid from the JWT header */
     kid: string;
 }

package/dist/credentials/index.js

@@ -12,8 +12,8 @@ import {
   verifyAuthToken,
   verifyDFOSCredential,
   verifyDelegationChain
-} from "../chunk-24VGJGUM.js";
-import "../chunk-ZXXP5W5N.js";
+} from "../chunk-LQFOBE6X.js";
+import "../chunk-GQOZJKKO.js";
 export {
   Attenuation,
   AuthTokenClaims,

package/dist/crypto/index.d.ts

@@ -14,22 +14,22 @@ declare const base64urlDecode: (str: string) => Uint8Array;
  * Generate a new random Ed25519 keypair
  */
 declare const createNewEd25519Keypair: () => {
-    privateKey: Uint8Array<ArrayBufferLike>;
-    publicKey: Uint8Array<ArrayBufferLike>;
+    privateKey: Uint8Array<ArrayBufferLike> & Uint8Array<ArrayBuffer>;
+    publicKey: Uint8Array<ArrayBufferLike> & Uint8Array<ArrayBuffer>;
 };
 /**
  * Generate an Ed25519 keypair from a private key
  */
 declare const importEd25519Keypair: (privateKey: Uint8Array) => {
     privateKey: Uint8Array<ArrayBufferLike>;
-    publicKey: Uint8Array<ArrayBufferLike>;
+    publicKey: Uint8Array<ArrayBufferLike> & Uint8Array<ArrayBuffer>;
 };
 /**
  * Sign a payload with an Ed25519 private key
  *
  * Ed25519 handles hashing internally (SHA-512) — no external prehash needed
  */
-declare const signPayloadEd25519: (payload: Uint8Array, privateKey: Uint8Array) => Uint8Array<ArrayBufferLike>;
+declare const signPayloadEd25519: (payload: Uint8Array, privateKey: Uint8Array) => Uint8Array<ArrayBufferLike> & Uint8Array<ArrayBuffer>;
 /**
  * Check that a signature is valid for a given payload and Ed25519 public key
  */
@@ -51,7 +51,7 @@ declare const generateIdNoPrefix: (options?: {
 /**
  * Generate a prefixed ID
  *
- * Without options: generates random 22-char ID
+ * Without options: generates random 31-char ID
  * With { seed }: generates deterministic ID from seed (for external ID mapping)
  *
  * @example
@@ -66,7 +66,7 @@ declare const generateId: <T extends string>(prefix: T, options?: {
  *
  * @param prefix - Expected prefix (e.g., 'msg', 'post')
  * @param id - ID to validate
- * @returns true if ID has correct prefix and length (prefix + _ + 22 chars)
+ * @returns true if ID has correct prefix and length (prefix + _ + 31 chars)
  *
  * @example
  * isValidId('msg', 'msg_abc123...') // true
@@ -125,6 +125,15 @@ declare class JwsVerificationError extends Error {
     constructor(message: string);
 }
 
+/**
+ * Apply the DFOS signature verification profile to a decoded protected header.
+ *
+ * Throws the provided error type with a precise message on any violation. The
+ * caller invokes this BEFORE verifying the signature so that an out-of-profile
+ * token is rejected regardless of whether its signature would have verified.
+ */
+declare const assertJwsProfile: (header: Record<string, unknown>, makeError: (message: string) => Error) => void;
+
 interface JwtHeader {
     alg: 'EdDSA';
     typ: 'JWT';
@@ -202,4 +211,4 @@ declare const parseDagCborCID: (cid: string) => CID<unknown, number, number, mul
  */
 declare const isCanonicallyEqual: (data1: unknown, data2: unknown) => Promise<boolean>;
 
-export { type JwsHeader, JwsVerificationError, type JwtClaims, type JwtCreateOptions, type JwtHeader, JwtVerificationError, type JwtVerifyOptions, type PrefixedID, base64urlDecode, base64urlEncode, createJws, createJwt, createNewEd25519Keypair, dagCborCanonicalEncode, decodeJwsUnsafe, decodeJwtUnsafe, generateId, generateIdNoPrefix, importEd25519Keypair, isCanonicallyEqual, isValidEd25519Signature, isValidId, normalizedId, parseDagCborCID, signPayloadEd25519, verifyJws, verifyJwt };
+export { type JwsHeader, JwsVerificationError, type JwtClaims, type JwtCreateOptions, type JwtHeader, JwtVerificationError, type JwtVerifyOptions, type PrefixedID, assertJwsProfile, base64urlDecode, base64urlEncode, createJws, createJwt, createNewEd25519Keypair, dagCborCanonicalEncode, decodeJwsUnsafe, decodeJwtUnsafe, generateId, generateIdNoPrefix, importEd25519Keypair, isCanonicallyEqual, isValidEd25519Signature, isValidId, normalizedId, parseDagCborCID, signPayloadEd25519, verifyJws, verifyJwt };

package/dist/crypto/index.js

@@ -1,6 +1,7 @@
 import {
   JwsVerificationError,
   JwtVerificationError,
+  assertJwsProfile,
   base64urlDecode,
   base64urlEncode,
   createJws,
@@ -20,10 +21,11 @@ import {
   signPayloadEd25519,
   verifyJws,
   verifyJwt
-} from "../chunk-ZXXP5W5N.js";
+} from "../chunk-GQOZJKKO.js";
 export {
   JwsVerificationError,
   JwtVerificationError,
+  assertJwsProfile,
   base64urlDecode,
   base64urlEncode,
   createJws,

package/dist/index.d.ts

@@ -1,7 +1,6 @@
-export { JwsHeader, JwsVerificationError, JwtClaims, JwtCreateOptions, JwtHeader, JwtVerificationError, JwtVerifyOptions, PrefixedID, base64urlDecode, base64urlEncode, createJws, createJwt, createNewEd25519Keypair, dagCborCanonicalEncode, decodeJwsUnsafe, decodeJwtUnsafe, generateId, generateIdNoPrefix, importEd25519Keypair, isCanonicallyEqual, isValidEd25519Signature, isValidId, normalizedId, parseDagCborCID, signPayloadEd25519, verifyJws, verifyJwt } from './crypto/index.js';
-export { A as ArtifactPayload, B as BeaconPayload, C as ContentOperation, a as CountersignPayload, I as IdentityOperation, M as MAX_ARTIFACT_PAYLOAD_SIZE, b as MultikeyPublicKey, R as RevocationPayload, S as Signer, V as VerifiedIdentity } from './schemas-BEl38wrI.js';
-export { ED25519_PRIV_MULTICODEC, ED25519_PUB_MULTICODEC, VerifiedArtifact, VerifiedBeacon, VerifiedContentChain, VerifiedCountersignature, VerifiedRevocation, decodeMultikey, deriveChainIdentifier, deriveContentId, encodeEd25519Multikey, signArtifact, signBeacon, signContentOperation, signCountersignature, signIdentityOperation, signRevocation, verifyArtifact, verifyBeacon, verifyContentChain, verifyContentExtensionFromTrustedState, verifyCountersignature, verifyIdentityChain, verifyIdentityExtensionFromTrustedState, verifyRevocation } from './chain/index.js';
-export { MerkleProof, buildMerkleTree, generateMerkleProof, hashLeaf, hexToBytes, verifyMerkleProof } from './merkle/index.js';
+export { JwsHeader, JwsVerificationError, JwtClaims, JwtCreateOptions, JwtHeader, JwtVerificationError, JwtVerifyOptions, PrefixedID, assertJwsProfile, base64urlDecode, base64urlEncode, createJws, createJwt, createNewEd25519Keypair, dagCborCanonicalEncode, decodeJwsUnsafe, decodeJwtUnsafe, generateId, generateIdNoPrefix, importEd25519Keypair, isCanonicallyEqual, isValidEd25519Signature, isValidId, normalizedId, parseDagCborCID, signPayloadEd25519, verifyJws, verifyJwt } from './crypto/index.js';
+export { A as ARTIFACT_CID_ANCHOR_RE, a as ArtifactPayload, C as CONTENT_ID_ANCHOR_RE, b as ContentOperation, c as CountersignPayload, I as IdentityOperation, M as MAX_ARTIFACT_PAYLOAD_SIZE, d as MAX_SERVICES_ENTRIES, e as MAX_SERVICES_PAYLOAD_SIZE, f as MultikeyPublicKey, R as RevocationPayload, S as ServiceEntry, g as ServicesArray, h as Signer, V as VerifiedIdentity } from './schemas-Myod8ES9.js';
+export { AnchorKind, ED25519_PRIV_MULTICODEC, ED25519_PUB_MULTICODEC, RECOGNIZED_SERVICE_TYPES, VerifiedArtifact, VerifiedContentChain, VerifiedCountersignature, VerifiedRevocation, anchorsByLabel, assertServicesWithinCap, classifyAnchor, decodeMultikey, deriveChainIdentifier, deriveContentId, encodeEd25519Multikey, isRecognizedServiceType, relayEndpoints, signArtifact, signContentOperation, signCountersignature, signIdentityOperation, signRevocation, verifyArtifact, verifyContentChain, verifyContentExtensionFromTrustedState, verifyCountersignature, verifyIdentityChain, verifyIdentityExtensionFromTrustedState, verifyRevocation } from './chain/index.js';
 export { Attenuation, AuthTokenClaims, AuthTokenCreateOptions, AuthTokenVerificationError, AuthTokenVerifyOptions, CredentialVerificationError, DFOSCredentialPayload, VerifiedAuthToken, VerifiedDFOSCredential, VerifiedDelegationChain, createAuthToken, createDFOSCredential, decodeDFOSCredentialUnsafe, isAttenuated, matchesResource, verifyAuthToken, verifyDFOSCredential, verifyDelegationChain } from './credentials/index.js';
 import 'multiformats';
 import 'multiformats/cid';

package/dist/index.js

@@ -1,37 +1,39 @@
 import {
+  ARTIFACT_CID_ANCHOR_RE,
   ArtifactPayload,
-  BeaconPayload,
+  CONTENT_ID_ANCHOR_RE,
   ContentOperation,
   CountersignPayload,
   IdentityOperation,
   MAX_ARTIFACT_PAYLOAD_SIZE,
+  MAX_SERVICES_ENTRIES,
+  MAX_SERVICES_PAYLOAD_SIZE,
   MultikeyPublicKey,
+  RECOGNIZED_SERVICE_TYPES,
   RevocationPayload,
+  ServiceEntry,
+  ServicesArray,
   VerifiedIdentity,
+  anchorsByLabel,
+  assertServicesWithinCap,
+  classifyAnchor,
   deriveChainIdentifier,
   deriveContentId,
+  isRecognizedServiceType,
+  relayEndpoints,
   signArtifact,
-  signBeacon,
   signContentOperation,
   signCountersignature,
   signIdentityOperation,
   signRevocation,
   verifyArtifact,
-  verifyBeacon,
   verifyContentChain,
   verifyContentExtensionFromTrustedState,
   verifyCountersignature,
   verifyIdentityChain,
   verifyIdentityExtensionFromTrustedState,
   verifyRevocation
-} from "./chunk-UEJ364OG.js";
-import {
-  buildMerkleTree,
-  generateMerkleProof,
-  hashLeaf,
-  hexToBytes,
-  verifyMerkleProof
-} from "./chunk-E5CFQG2B.js";
+} from "./chunk-SDUOUFTF.js";
 import {
   Attenuation,
   AuthTokenClaims,
@@ -50,10 +52,11 @@ import {
   verifyAuthToken,
   verifyDFOSCredential,
   verifyDelegationChain
-} from "./chunk-24VGJGUM.js";
+} from "./chunk-LQFOBE6X.js";
 import {
   JwsVerificationError,
   JwtVerificationError,
+  assertJwsProfile,
   base64urlDecode,
   base64urlEncode,
   createJws,
@@ -73,13 +76,14 @@ import {
   signPayloadEd25519,
   verifyJws,
   verifyJwt
-} from "./chunk-ZXXP5W5N.js";
+} from "./chunk-GQOZJKKO.js";
 export {
+  ARTIFACT_CID_ANCHOR_RE,
   ArtifactPayload,
   Attenuation,
   AuthTokenClaims,
   AuthTokenVerificationError,
-  BeaconPayload,
+  CONTENT_ID_ANCHOR_RE,
   ContentOperation,
   CountersignPayload,
   CredentialVerificationError,
@@ -90,12 +94,20 @@ export {
   JwsVerificationError,
   JwtVerificationError,
   MAX_ARTIFACT_PAYLOAD_SIZE,
+  MAX_SERVICES_ENTRIES,
+  MAX_SERVICES_PAYLOAD_SIZE,
   MultikeyPublicKey,
+  RECOGNIZED_SERVICE_TYPES,
   RevocationPayload,
+  ServiceEntry,
+  ServicesArray,
   VerifiedIdentity,
+  anchorsByLabel,
+  assertJwsProfile,
+  assertServicesWithinCap,
   base64urlDecode,
   base64urlEncode,
-  buildMerkleTree,
+  classifyAnchor,
   createAuthToken,
   createDFOSCredential,
   createJws,
@@ -111,19 +123,17 @@ export {
   encodeEd25519Multikey,
   generateId,
   generateIdNoPrefix,
-  generateMerkleProof,
-  hashLeaf,
-  hexToBytes,
   importEd25519Keypair,
   isAttenuated,
   isCanonicallyEqual,
+  isRecognizedServiceType,
   isValidEd25519Signature,
   isValidId,
   matchesResource,
   normalizedId,
   parseDagCborCID,
+  relayEndpoints,
   signArtifact,
-  signBeacon,
   signContentOperation,
   signCountersignature,
   signIdentityOperation,
@@ -131,7 +141,6 @@ export {
   signRevocation,
   verifyArtifact,
   verifyAuthToken,
-  verifyBeacon,
   verifyContentChain,
   verifyContentExtensionFromTrustedState,
   verifyCountersignature,
@@ -141,6 +150,5 @@ export {
   verifyIdentityExtensionFromTrustedState,
   verifyJws,
   verifyJwt,
-  verifyMerkleProof,
   verifyRevocation
 };