@metalabel/dfos-web-relay 0.10.0 → 0.11.0

package/README.md

@@ -38,19 +38,18 @@ serve({ port: 4444 });
 
 ## Routes
 
-| Method | Path                                     | Description                                                      |
-| ------ | ---------------------------------------- | ---------------------------------------------------------------- |
-| `GET`  | `/.well-known/dfos-relay`                | Relay metadata (DID, protocol version)                           |
-| `POST` | `/operations`                            | Submit signed operations (identity, content, beacon, countersig) |
-| `GET`  | `/identities/:did`                       | Get identity chain state and operation log                       |
-| `GET`  | `/content/:contentId`                    | Get content chain state and operation log                        |
-| `GET`  | `/operations/:cid`                       | Get a single operation by CID                                    |
-| `GET`  | `/beacons/:did`                          | Get beacon for an identity                                       |
-| `GET`  | `/countersignatures/:cid`                | Get countersignatures for an operation                           |
-| `GET`  | `/operations/:cid/countersignatures`     | Same as above (alias)                                            |
-| `PUT`  | `/content/:contentId/blob/:operationCID` | Upload blob (auth required)                                      |
-| `GET`  | `/content/:contentId/blob`               | Download blob at head (standing auth, or auth + credential)      |
-| `GET`  | `/content/:contentId/blob/:ref`          | Download blob at specific operation ref                          |
+| Method | Path                                     | Description                                                 |
+| ------ | ---------------------------------------- | ----------------------------------------------------------- |
+| `GET`  | `/.well-known/dfos-relay`                | Relay metadata (DID, protocol version)                      |
+| `POST` | `/operations`                            | Submit signed operations (identity, content, countersig)    |
+| `GET`  | `/identities/:did`                       | Get identity chain state and operation log                  |
+| `GET`  | `/content/:contentId`                    | Get content chain state and operation log                   |
+| `GET`  | `/operations/:cid`                       | Get a single operation by CID                               |
+| `GET`  | `/countersignatures/:cid`                | Get countersignatures for an operation                      |
+| `GET`  | `/operations/:cid/countersignatures`     | Same as above (alias)                                       |
+| `PUT`  | `/content/:contentId/blob/:operationCID` | Upload blob (auth required)                                 |
+| `GET`  | `/content/:contentId/blob`               | Download blob at head (standing auth, or auth + credential) |
+| `GET`  | `/content/:contentId/blob/:ref`          | Download blob at specific operation ref                     |
 
 ## Blob Authorization
 

package/dist/index.d.ts

@@ -1,4 +1,4 @@
-import { VerifiedIdentity, VerifiedContentChain, VerifiedBeacon } from '@metalabel/dfos-protocol/chain';
+import { VerifiedIdentity, VerifiedContentChain } from '@metalabel/dfos-protocol/chain';
 import { Attenuation } from '@metalabel/dfos-protocol/credentials';
 import { Hono } from 'hono';
 
@@ -90,18 +90,12 @@ interface StoredContentChain {
     lastCreatedAt: string;
     state: VerifiedContentChain;
 }
-interface StoredBeacon {
-    did: string;
-    jwsToken: string;
-    beaconCID: string;
-    state: VerifiedBeacon;
-}
 interface StoredOperation {
     cid: string;
     jwsToken: string;
     /** Which chain type this operation belongs to */
-    chainType: 'identity' | 'content' | 'artifact' | 'beacon' | 'countersign' | 'revocation' | 'credential';
-    /** The chain identifier — DID for identity/beacon/artifact, contentId for content, targetCID for countersign */
+    chainType: 'identity' | 'content' | 'artifact' | 'countersign' | 'revocation' | 'credential';
+    /** The chain identifier — DID for identity/artifact, contentId for content, targetCID for countersign */
     chainId: string;
 }
 /** Key for blob storage — deduplicates across chains sharing the same document */
@@ -117,7 +111,7 @@ interface LogEntry {
     chainId: string;
 }
 /** All operation kinds in the protocol */
-type OperationKind = 'identity-op' | 'content-op' | 'beacon' | 'artifact' | 'countersign' | 'revocation' | 'credential';
+type OperationKind = 'identity-op' | 'content-op' | 'artifact' | 'countersign' | 'revocation' | 'credential';
 interface StoredRevocation {
     cid: string;
     issuerDID: string;
@@ -156,8 +150,6 @@ interface RelayStore {
     putIdentityChain(chain: StoredIdentityChain): Promise<void>;
     getContentChain(contentId: string): Promise<StoredContentChain | undefined>;
     putContentChain(chain: StoredContentChain): Promise<void>;
-    getBeacon(did: string): Promise<StoredBeacon | undefined>;
-    putBeacon(beacon: StoredBeacon): Promise<void>;
     getBlob(key: BlobKey): Promise<Uint8Array | undefined>;
     putBlob(key: BlobKey, data: Uint8Array): Promise<void>;
     getCountersignatures(operationCID: string): Promise<string[]>;
@@ -320,7 +312,6 @@ declare class MemoryRelayStore implements RelayStore {
     private operations;
     private identityChains;
     private contentChains;
-    private beacons;
     private blobs;
     private countersignatures;
     private operationLog;
@@ -335,8 +326,6 @@ declare class MemoryRelayStore implements RelayStore {
     putIdentityChain(chain: StoredIdentityChain): Promise<void>;
     getContentChain(contentId: string): Promise<StoredContentChain | undefined>;
     putContentChain(chain: StoredContentChain): Promise<void>;
-    getBeacon(did: string): Promise<StoredBeacon | undefined>;
-    putBeacon(beacon: StoredBeacon): Promise<void>;
     getBlob(key: BlobKey): Promise<Uint8Array | undefined>;
     putBlob(key: BlobKey, data: Uint8Array): Promise<void>;
     getCountersignatures(operationCID: string): Promise<string[]>;
@@ -432,6 +421,11 @@ declare const createHistoricalIdentityResolver: (store: RelayStore) => (did: str
     }[];
     did: string;
     isDeleted: boolean;
+    services: {
+        [x: string]: unknown;
+        id: string;
+        type: string;
+    }[];
 } | undefined>;
 /**
  * Create a key resolver that only resolves current-state keys.
@@ -445,7 +439,7 @@ declare const createCurrentKeyResolver: (store: RelayStore) => (kid: string) =>
  * Ingest a batch of JWS operations
  *
  * Classifies, dependency-sorts, and processes each token. Identity operations
- * are processed first so content chains and beacons can resolve their keys.
+ * are processed first so content chains can resolve their keys.
  * Within each kind, genesis operations are processed before extensions.
  */
 declare const ingestOperations: (tokens: string[], store: RelayStore, options?: {
@@ -469,4 +463,4 @@ declare const sequenceOps: (store: RelayStore) => Promise<{
     result: SequenceResult;
 }>;
 
-export { type BlobKey, type CreatedRelay, type IngestionResult, type LogEntry, MemoryRelayStore, type OperationKind, type PeerClient, type PeerConfig, type PeerLogEntry, type RelayIdentity, type RelayOptions, type RelayStore, type SequenceResult, type StoredBeacon, type StoredContentChain, type StoredIdentityChain, type StoredOperation, bootstrapRelayIdentity, bootstrapRelayIdentityFromKey, chunkOps, computeOpCID, createCurrentKeyResolver, createHistoricalIdentityResolver, createHttpPeerClient, createKeyResolver, createRelay, ingestOperations, isDependencyFailure, sequenceOps };
+export { type BlobKey, type CreatedRelay, type IngestionResult, type LogEntry, MemoryRelayStore, type OperationKind, type PeerClient, type PeerConfig, type PeerLogEntry, type RelayIdentity, type RelayOptions, type RelayStore, type SequenceResult, type StoredContentChain, type StoredIdentityChain, type StoredOperation, bootstrapRelayIdentity, bootstrapRelayIdentityFromKey, chunkOps, computeOpCID, createCurrentKeyResolver, createHistoricalIdentityResolver, createHttpPeerClient, createKeyResolver, createRelay, ingestOperations, isDependencyFailure, sequenceOps };

package/dist/index.js

@@ -15,7 +15,6 @@ import {
 import {
   decodeMultikey,
   verifyArtifact,
-  verifyBeacon,
   verifyContentChain,
   verifyContentExtensionFromTrustedState,
   verifyCountersignature,
@@ -71,17 +70,6 @@ var classify = (jwsToken) => {
     const opDID = typeof payload["did"] === "string" ? payload["did"] : null;
     return { ...base, kind: "content-op", referencedDID: null, signerDID: opDID, priority: 2 };
   }
-  if (typ === "did:dfos:beacon") {
-    const beaconDID = typeof payload["did"] === "string" ? payload["did"] : null;
-    return {
-      ...base,
-      kind: "beacon",
-      referencedDID: beaconDID,
-      signerDID: null,
-      priority: 1,
-      previousCID: null
-    };
-  }
   if (typ === "did:dfos:countersign") {
     const witnessDID = typeof payload["did"] === "string" ? payload["did"] : null;
     return {
@@ -102,7 +90,7 @@ var classify = (jwsToken) => {
       referencedDID: artifactDID,
       signerDID: null,
       priority: 1,
-      // same as beacons — needs identity keys resolved first
+      // needs identity keys resolved first
       previousCID: null
     };
   }
@@ -114,7 +102,7 @@ var classify = (jwsToken) => {
       referencedDID: revocationDID,
       signerDID: null,
       priority: 1,
-      // same as beacons — needs identity keys to verify
+      // needs identity keys to verify
       previousCID: null
     };
   }
@@ -548,41 +536,6 @@ var ingestContentOp = async (jwsToken, store, logEnabled) => {
   }
   return { cid, status: "new", kind: "content-op", chainId: chain.contentId };
 };
-var ingestBeacon = async (jwsToken, store, logEnabled) => {
-  const resolveKey = createCurrentKeyResolver(store);
-  let verified;
-  try {
-    verified = await verifyBeacon({ jwsToken, resolveKey });
-  } catch (err) {
-    const message = err instanceof Error ? err.message : "verification failed";
-    return {
-      cid: await computeOpCID(jwsToken),
-      status: "rejected",
-      error: message,
-      dependencyMissing: isKeyResolutionFailure(message)
-    };
-  }
-  const did = verified.did;
-  const cid = verified.beaconCID;
-  const identity = await store.getIdentityChain(did);
-  if (identity?.state.isDeleted) {
-    return { cid, status: "rejected", error: "identity is deleted" };
-  }
-  const existing = await store.getBeacon(did);
-  if (existing) {
-    const existingTime = new Date(existing.state.createdAt).getTime();
-    const newTime = new Date(verified.createdAt).getTime();
-    if (newTime < existingTime || newTime === existingTime && cid <= existing.beaconCID) {
-      return { cid, status: "duplicate", kind: "beacon", chainId: did };
-    }
-  }
-  await store.putBeacon({ did, jwsToken, beaconCID: cid, state: verified });
-  await store.putOperation({ cid, jwsToken, chainType: "beacon", chainId: did });
-  if (logEnabled) {
-    await store.appendToLog({ cid, jwsToken, kind: "beacon", chainId: did });
-  }
-  return { cid, status: "new", kind: "beacon", chainId: did };
-};
 var ingestCountersign = async (jwsToken, store, logEnabled) => {
   const resolveKey = createKeyResolver(store);
   let verified;
@@ -880,9 +833,6 @@ var ingestOperations = async (tokens, store, options) => {
         case "content-op":
           result = await ingestContentOp(op.jwsToken, store, logEnabled);
           break;
-        case "beacon":
-          result = await ingestBeacon(op.jwsToken, store, logEnabled);
-          break;
         case "countersign":
           result = await ingestCountersign(op.jwsToken, store, logEnabled);
           break;
@@ -1466,18 +1416,6 @@ var createRelay = async (options) => {
     const countersigs = await store.getCountersignatures(cid);
     return c.json({ operationCID: cid, countersignatures: countersigs });
   });
-  app.get("/beacons/:did{.+}", async (c) => {
-    const did = c.req.param("did");
-    const beacon = await store.getBeacon(did);
-    if (!beacon) return c.json({ error: "not found" }, 404);
-    return c.json({
-      did: beacon.did,
-      jwsToken: beacon.jwsToken,
-      beaconCID: beacon.beaconCID,
-      manifestContentId: beacon.state.manifestContentId,
-      createdAt: beacon.state.createdAt
-    });
-  });
   app.get("/log", async (c) => {
     if (!logEnabled) return c.json({ error: "global log not available" }, 501);
     const afterParam = c.req.query("after");
@@ -1643,7 +1581,6 @@ var MemoryRelayStore = class {
   operations = /* @__PURE__ */ new Map();
   identityChains = /* @__PURE__ */ new Map();
   contentChains = /* @__PURE__ */ new Map();
-  beacons = /* @__PURE__ */ new Map();
   blobs = /* @__PURE__ */ new Map();
   countersignatures = /* @__PURE__ */ new Map();
   operationLog = [];
@@ -1670,12 +1607,6 @@ var MemoryRelayStore = class {
   async putContentChain(chain) {
     this.contentChains.set(chain.contentId, chain);
   }
-  async getBeacon(did) {
-    return this.beacons.get(did);
-  }
-  async putBeacon(beacon) {
-    this.beacons.set(beacon.did, beacon);
-  }
   async getBlob(key) {
     return this.blobs.get(blobKeyString(key));
   }

package/openapi.yaml

@@ -4,10 +4,10 @@ info:
   version: 0.9.0
   description: |
     HTTP relay for the DFOS protocol. Receives, verifies, stores, and serves
-    identity chains, content chains, beacons, countersignatures, and content blobs.
+    identity chains, content chains, countersignatures, and content blobs.
 
     Two data planes:
-    - **Proof plane** (public): signed chain operations, beacons, countersignatures
+    - **Proof plane** (public): signed chain operations, countersignatures
     - **Content plane** (authenticated): raw content blobs gated by DID auth tokens and DFOS credentials
 
 servers:
@@ -66,7 +66,7 @@ paths:
       summary: Submit operations for ingestion
       description: |
         Accept a batch of JWS tokens — identity operations, content operations,
-        beacons, and countersignatures. The relay classifies, dependency-sorts,
+        and countersignatures. The relay classifies, dependency-sorts,
         verifies, and stores each token.
       tags: [Proof Plane]
       requestBody:
@@ -422,7 +422,7 @@ paths:
       summary: Paginated global log of all accepted operations
       description: |
         Returns every operation the relay has accepted — across all identity and
-        content chains, plus beacons and countersignatures — in acceptance order.
+        content chains, plus countersignatures — in acceptance order.
         Cursor-based pagination. Used by peer relays to background-sync. Available
         only when the relay advertises the `log` capability; otherwise returns 501.
       tags: [Proof Plane]
@@ -462,15 +462,7 @@ paths:
                         kind:
                           type: string
                           enum:
-                            [
-                              identity-op,
-                              content-op,
-                              beacon,
-                              artifact,
-                              countersign,
-                              revocation,
-                              credential,
-                            ]
+                            [identity-op, content-op, artifact, countersign, revocation, credential]
                         chainId:
                           type: string
                           description: Chain identifier (DID or contentId)
@@ -589,7 +581,7 @@ paths:
   /countersignatures/{cid}:
     get:
       operationId: getCountersignaturesByCID
-      summary: Get countersignatures for any CID (operation or beacon)
+      summary: Get countersignatures for an operation CID
       tags: [Proof Plane]
       parameters:
         - name: cid
@@ -597,7 +589,7 @@ paths:
           required: true
           schema:
             type: string
-          description: CIDv1 of the operation or beacon
+          description: CIDv1 of the operation
       responses:
         '200':
           description: Countersignatures
@@ -617,27 +609,6 @@ paths:
         '404':
           $ref: '#/components/responses/NotFound'
 
-  /beacons/{did}:
-    get:
-      operationId: getBeacon
-      summary: Get the latest beacon for a DID
-      tags: [Proof Plane]
-      parameters:
-        - name: did
-          in: path
-          required: true
-          schema:
-            type: string
-      responses:
-        '200':
-          description: Latest beacon
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/BeaconResponse'
-        '404':
-          $ref: '#/components/responses/NotFound'
-
 components:
   securitySchemes:
     BearerAuth:
@@ -661,7 +632,7 @@ components:
           description: Error message if rejected
         kind:
           type: string
-          enum: [identity-op, content-op, beacon, artifact, countersign, revocation, credential]
+          enum: [identity-op, content-op, artifact, countersign, revocation, credential]
         chainId:
           type: string
           description: Chain identifier (DID or contentId)
@@ -676,7 +647,7 @@ components:
           type: string
         chainType:
           type: string
-          enum: [identity, content, artifact, beacon, countersign, revocation, credential]
+          enum: [identity, content, artifact, countersign, revocation, credential]
         chainId:
           type: string
 
@@ -691,7 +662,7 @@ components:
           description: CID of the current head operation
         state:
           type: object
-          required: [did, isDeleted, authKeys, assertKeys, controllerKeys]
+          required: [did, isDeleted, authKeys, assertKeys, controllerKeys, services]
           properties:
             did:
               type: string
@@ -709,6 +680,22 @@ components:
               type: array
               items:
                 $ref: '#/components/schemas/MultikeyPublicKey'
+            services:
+              type: array
+              description: >-
+                Resolved discovery vocabulary (controller-signed). Each entry has
+                a common envelope {id, type}; recognized types DfosRelay and
+                ContentAnchor carry type-specific fields. The namespace is open —
+                unrecognized types are preserved verbatim.
+              items:
+                type: object
+                required: [id, type]
+                properties:
+                  id:
+                    type: string
+                  type:
+                    type: string
+                additionalProperties: true
 
     ContentChainResponse:
       type: object
@@ -743,23 +730,6 @@ components:
             creatorDID:
               type: string
 
-    BeaconResponse:
-      type: object
-      required: [did, jwsToken, beaconCID, manifestContentId, createdAt]
-      properties:
-        did:
-          type: string
-        jwsToken:
-          type: string
-        beaconCID:
-          type: string
-        manifestContentId:
-          type: string
-          description: Content ID of the manifest chain
-        createdAt:
-          type: string
-          format: date-time
-
     MultikeyPublicKey:
       type: object
       required: [id, type, publicKeyMultibase]
@@ -809,6 +779,6 @@ tags:
   - name: Meta
     description: Relay metadata and discovery
   - name: Proof Plane
-    description: Public routes for signed chain operations, beacons, and countersignatures
+    description: Public routes for signed chain operations and countersignatures
   - name: Content Plane
     description: Authenticated routes for content blob storage and retrieval

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "@metalabel/dfos-web-relay",
-  "version": "0.10.0",
+  "version": "0.11.0",
   "type": "module",
-  "description": "DFOS Web Relay — verifying HTTP relay for identity chains, content chains, beacons, and content blobs",
+  "description": "DFOS Web Relay — verifying HTTP relay for identity chains, content chains, and content blobs",
   "license": "MIT",
   "author": "Metalabel <hello@metalabel.com> (https://metalabel.com)",
   "repository": {
@@ -45,14 +45,14 @@
     "zod": "^4.4.3"
   },
   "peerDependencies": {
-    "@metalabel/dfos-protocol": "^0.10.0"
+    "@metalabel/dfos-protocol": "^0.11.0"
   },
   "devDependencies": {
     "@types/node": "^24.10.4",
     "tsup": "^8.5.1",
     "tsx": "^4.22.4",
     "vitest": "^4.1.8",
-    "@metalabel/dfos-protocol": "0.10.0"
+    "@metalabel/dfos-protocol": "0.11.0"
   },
   "scripts": {
     "build": "tsup",