@metalabel/dfos-web-relay 0.3.0

package/dist/index.js

@@ -0,0 +1,708 @@
+// src/relay.ts
+import { VC_TYPE_CONTENT_READ, verifyCredential } from "@metalabel/dfos-protocol/credentials";
+import { dagCborCanonicalEncode as dagCborCanonicalEncode2, decodeJwsUnsafe as decodeJwsUnsafe3 } from "@metalabel/dfos-protocol/crypto";
+import { Hono } from "hono";
+import { z } from "zod";
+
+// src/auth.ts
+import { verifyAuthToken } from "@metalabel/dfos-protocol/credentials";
+import { decodeJwsUnsafe as decodeJwsUnsafe2 } from "@metalabel/dfos-protocol/crypto";
+
+// src/ingest.ts
+import {
+  decodeMultikey,
+  verifyBeacon,
+  verifyBeaconCountersignature,
+  verifyContentChain,
+  verifyCountersignature,
+  verifyIdentityChain
+} from "@metalabel/dfos-protocol/chain";
+import { dagCborCanonicalEncode, decodeJwsUnsafe } from "@metalabel/dfos-protocol/crypto";
+var classify = (jwsToken) => {
+  const unknown = {
+    jwsToken,
+    kind: "unknown",
+    referencedDID: null,
+    signerDID: null,
+    priority: 99,
+    operationCID: null,
+    previousCID: null,
+    originalIndex: 0
+  };
+  const decoded = decodeJwsUnsafe(jwsToken);
+  if (!decoded) return unknown;
+  const typ = decoded.header.typ;
+  const payload = decoded.payload;
+  const kid = decoded.header.kid;
+  if (!kid || typeof kid !== "string") return unknown;
+  const kidDID = kid.includes("#") ? kid.substring(0, kid.indexOf("#")) : null;
+  const operationCID = typeof decoded.header.cid === "string" ? decoded.header.cid : null;
+  const previousCID = typeof payload["previousOperationCID"] === "string" ? payload["previousOperationCID"] : null;
+  const base = { jwsToken, operationCID, previousCID, originalIndex: 0 };
+  if (typ === "did:dfos:identity-op") {
+    return { ...base, kind: "identity-op", referencedDID: kidDID, signerDID: null, priority: 0 };
+  }
+  if (typ === "did:dfos:content-op") {
+    const opDID = typeof payload["did"] === "string" ? payload["did"] : null;
+    if (opDID && kidDID && kidDID !== opDID) {
+      return {
+        ...base,
+        kind: "countersig",
+        referencedDID: opDID,
+        signerDID: kidDID,
+        priority: 3,
+        previousCID: null
+      };
+    }
+    return { ...base, kind: "content-op", referencedDID: null, signerDID: opDID, priority: 2 };
+  }
+  if (typ === "did:dfos:beacon") {
+    const beaconDID = typeof payload["did"] === "string" ? payload["did"] : null;
+    if (beaconDID && kidDID && kidDID !== beaconDID) {
+      return {
+        ...base,
+        kind: "beacon-countersig",
+        referencedDID: beaconDID,
+        signerDID: kidDID,
+        priority: 3,
+        previousCID: null
+      };
+    }
+    return {
+      ...base,
+      kind: "beacon",
+      referencedDID: beaconDID,
+      signerDID: null,
+      priority: 1,
+      previousCID: null
+    };
+  }
+  return unknown;
+};
+var createKeyResolver = (store) => async (kid) => {
+  const hashIdx = kid.indexOf("#");
+  if (hashIdx < 0) throw new Error(`kid must be a DID URL: ${kid}`);
+  const did = kid.substring(0, hashIdx);
+  const keyId = kid.substring(hashIdx + 1);
+  const identity = await store.getIdentityChain(did);
+  if (!identity) throw new Error(`unknown identity: ${did}`);
+  const currentKeys = [
+    ...identity.state.authKeys,
+    ...identity.state.assertKeys,
+    ...identity.state.controllerKeys
+  ];
+  const currentKey = currentKeys.find((k) => k.id === keyId);
+  if (currentKey) return decodeMultikey(currentKey.publicKeyMultibase).keyBytes;
+  for (const token of identity.log) {
+    const decoded = decodeJwsUnsafe(token);
+    if (!decoded) continue;
+    const payload = decoded.payload;
+    const opType = payload["type"];
+    if (opType !== "create" && opType !== "update") continue;
+    const keyArrays = ["authKeys", "assertKeys", "controllerKeys"];
+    for (const arrayName of keyArrays) {
+      const keys = payload[arrayName];
+      if (!Array.isArray(keys)) continue;
+      for (const k of keys) {
+        if (k && typeof k === "object" && "id" in k && k.id === keyId && "publicKeyMultibase" in k) {
+          return decodeMultikey(k.publicKeyMultibase).keyBytes;
+        }
+      }
+    }
+  }
+  throw new Error(`unknown key ${keyId} on identity ${did}`);
+};
+var createCurrentKeyResolver = (store) => async (kid) => {
+  const hashIdx = kid.indexOf("#");
+  if (hashIdx < 0) throw new Error(`kid must be a DID URL: ${kid}`);
+  const did = kid.substring(0, hashIdx);
+  const keyId = kid.substring(hashIdx + 1);
+  const identity = await store.getIdentityChain(did);
+  if (!identity) throw new Error(`unknown identity: ${did}`);
+  const currentKeys = [
+    ...identity.state.authKeys,
+    ...identity.state.assertKeys,
+    ...identity.state.controllerKeys
+  ];
+  const currentKey = currentKeys.find((k) => k.id === keyId);
+  if (currentKey) return decodeMultikey(currentKey.publicKeyMultibase).keyBytes;
+  throw new Error(`unknown key ${keyId} on identity ${did}`);
+};
+var ingestIdentityOp = async (jwsToken, store) => {
+  const decoded = decodeJwsUnsafe(jwsToken);
+  if (!decoded) return { cid: "", status: "rejected", error: "failed to decode JWS" };
+  const payload = decoded.payload;
+  const encoded = await dagCborCanonicalEncode(payload);
+  const cid = encoded.cid.toString();
+  const existing = await store.getOperation(cid);
+  if (existing) return { cid, status: "accepted", kind: "identity-op", chainId: existing.chainId };
+  const opType = payload["type"];
+  const isGenesis = opType === "create";
+  if (isGenesis) {
+    const identity2 = await verifyIdentityChain({ didPrefix: "did:dfos", log: [jwsToken] });
+    const chain2 = { did: identity2.did, log: [jwsToken], state: identity2 };
+    await store.putIdentityChain(chain2);
+    await store.putOperation({ cid, jwsToken, chainType: "identity", chainId: identity2.did });
+    return { cid, status: "accepted", kind: "identity-op", chainId: identity2.did };
+  }
+  const kid = decoded.header.kid;
+  const hashIdx = kid.indexOf("#");
+  if (hashIdx < 0) return { cid, status: "rejected", error: "non-genesis kid must be a DID URL" };
+  const did = kid.substring(0, hashIdx);
+  const chain = await store.getIdentityChain(did);
+  if (!chain) return { cid, status: "rejected", error: `unknown identity: ${did}` };
+  const newLog = [...chain.log, jwsToken];
+  const identity = await verifyIdentityChain({ didPrefix: "did:dfos", log: newLog });
+  const updated = { did: identity.did, log: newLog, state: identity };
+  await store.putIdentityChain(updated);
+  await store.putOperation({ cid, jwsToken, chainType: "identity", chainId: did });
+  return { cid, status: "accepted", kind: "identity-op", chainId: did };
+};
+var ingestContentOp = async (jwsToken, store) => {
+  const decoded = decodeJwsUnsafe(jwsToken);
+  if (!decoded) return { cid: "", status: "rejected", error: "failed to decode JWS" };
+  const payload = decoded.payload;
+  const encoded = await dagCborCanonicalEncode(payload);
+  const cid = encoded.cid.toString();
+  const existing = await store.getOperation(cid);
+  if (existing) return { cid, status: "accepted", kind: "content-op", chainId: existing.chainId };
+  const resolveKey = createKeyResolver(store);
+  const opType = payload["type"];
+  const isGenesis = opType === "create";
+  if (isGenesis) {
+    const content2 = await verifyContentChain({
+      log: [jwsToken],
+      resolveKey,
+      enforceAuthorization: true
+    });
+    const chain2 = {
+      contentId: content2.contentId,
+      genesisCID: content2.genesisCID,
+      log: [jwsToken],
+      state: content2
+    };
+    await store.putContentChain(chain2);
+    await store.putOperation({ cid, jwsToken, chainType: "content", chainId: content2.contentId });
+    return { cid, status: "accepted", kind: "content-op", chainId: content2.contentId };
+  }
+  const previousCID = payload["previousOperationCID"];
+  if (typeof previousCID !== "string") {
+    return { cid, status: "rejected", error: "missing previousOperationCID" };
+  }
+  const prevOp = await store.getOperation(previousCID);
+  if (!prevOp)
+    return { cid, status: "rejected", error: `unknown previous operation: ${previousCID}` };
+  if (prevOp.chainType !== "content") {
+    return { cid, status: "rejected", error: "previousOperationCID is not a content operation" };
+  }
+  const chain = await store.getContentChain(prevOp.chainId);
+  if (!chain)
+    return { cid, status: "rejected", error: `content chain not found: ${prevOp.chainId}` };
+  if (chain.state.headCID !== previousCID) {
+    return { cid, status: "rejected", error: "chain has diverged (first-seen-wins)" };
+  }
+  const newLog = [...chain.log, jwsToken];
+  const content = await verifyContentChain({
+    log: newLog,
+    resolveKey,
+    enforceAuthorization: true
+  });
+  const updated = {
+    contentId: content.contentId,
+    genesisCID: content.genesisCID,
+    log: newLog,
+    state: content
+  };
+  await store.putContentChain(updated);
+  await store.putOperation({ cid, jwsToken, chainType: "content", chainId: content.contentId });
+  return { cid, status: "accepted", kind: "content-op", chainId: content.contentId };
+};
+var ingestBeacon = async (jwsToken, store) => {
+  const resolveKey = createKeyResolver(store);
+  let verified;
+  try {
+    verified = await verifyBeacon({ jwsToken, resolveKey });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "verification failed";
+    return { cid: "", status: "rejected", error: message };
+  }
+  const did = verified.payload.did;
+  const cid = verified.beaconCID;
+  const existing = await store.getBeacon(did);
+  if (existing) {
+    const existingTime = new Date(existing.state.payload.createdAt).getTime();
+    const newTime = new Date(verified.payload.createdAt).getTime();
+    if (newTime <= existingTime) {
+      return { cid, status: "accepted", kind: "beacon", chainId: did };
+    }
+  }
+  await store.putBeacon({ did, jwsToken, beaconCID: cid, state: verified });
+  return { cid, status: "accepted", kind: "beacon", chainId: did };
+};
+var ingestCountersig = async (jwsToken, store) => {
+  const decoded = decodeJwsUnsafe(jwsToken);
+  if (!decoded) return { cid: "", status: "rejected", error: "failed to decode JWS" };
+  const payload = decoded.payload;
+  const encoded = await dagCborCanonicalEncode(payload);
+  const operationCID = encoded.cid.toString();
+  const existingOp = await store.getOperation(operationCID);
+  if (!existingOp) {
+    return { cid: operationCID, status: "rejected", error: `unknown operation: ${operationCID}` };
+  }
+  const resolveKey = createKeyResolver(store);
+  try {
+    await verifyCountersignature({ jwsToken, expectedCID: operationCID, resolveKey });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "verification failed";
+    return { cid: operationCID, status: "rejected", error: message };
+  }
+  await store.addCountersignature(operationCID, jwsToken);
+  return {
+    cid: operationCID,
+    status: "accepted",
+    kind: "countersig",
+    chainId: existingOp.chainId
+  };
+};
+var ingestBeaconCountersig = async (jwsToken, store) => {
+  const decoded = decodeJwsUnsafe(jwsToken);
+  if (!decoded) return { cid: "", status: "rejected", error: "failed to decode JWS" };
+  const payload = decoded.payload;
+  const encoded = await dagCborCanonicalEncode(payload);
+  const beaconCID = encoded.cid.toString();
+  const beaconDID = typeof payload["did"] === "string" ? payload["did"] : null;
+  if (!beaconDID) {
+    return { cid: beaconCID, status: "rejected", error: "missing beacon DID" };
+  }
+  const existingBeacon = await store.getBeacon(beaconDID);
+  if (!existingBeacon) {
+    return { cid: beaconCID, status: "rejected", error: `unknown beacon for DID: ${beaconDID}` };
+  }
+  if (existingBeacon.beaconCID !== beaconCID) {
+    return {
+      cid: beaconCID,
+      status: "rejected",
+      error: "beacon countersignature CID does not match current beacon"
+    };
+  }
+  const resolveKey = createKeyResolver(store);
+  try {
+    await verifyBeaconCountersignature({
+      jwsToken,
+      expectedCID: beaconCID,
+      resolveKey
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "verification failed";
+    return { cid: beaconCID, status: "rejected", error: message };
+  }
+  await store.addCountersignature(beaconCID, jwsToken);
+  return {
+    cid: beaconCID,
+    status: "accepted",
+    kind: "beacon-countersig",
+    chainId: beaconDID
+  };
+};
+var dependencySort = (ops) => {
+  const buckets = /* @__PURE__ */ new Map();
+  for (const op of ops) {
+    const bucket = buckets.get(op.priority) ?? [];
+    bucket.push(op);
+    buckets.set(op.priority, bucket);
+  }
+  const result = [];
+  const sortedPriorities = [...buckets.keys()].sort((a, b) => a - b);
+  for (const priority of sortedPriorities) {
+    const bucket = buckets.get(priority);
+    if ((priority === 0 || priority === 2) && bucket.length > 1) {
+      result.push(...topologicalSortBucket(bucket));
+    } else {
+      result.push(...bucket);
+    }
+  }
+  return result;
+};
+var topologicalSortBucket = (ops) => {
+  if (ops.length <= 1) return ops;
+  const cidToOp = /* @__PURE__ */ new Map();
+  for (const op of ops) {
+    if (op.operationCID) cidToOp.set(op.operationCID, op);
+  }
+  const inDegree = /* @__PURE__ */ new Map();
+  const dependents = /* @__PURE__ */ new Map();
+  for (const op of ops) {
+    const depInBatch = op.previousCID !== null && cidToOp.has(op.previousCID);
+    inDegree.set(op, depInBatch ? 1 : 0);
+    if (depInBatch) {
+      const list = dependents.get(op.previousCID) ?? [];
+      list.push(op);
+      dependents.set(op.previousCID, list);
+    }
+  }
+  const queue = ops.filter((op) => inDegree.get(op) === 0);
+  const sorted = [];
+  while (queue.length > 0) {
+    const op = queue.shift();
+    sorted.push(op);
+    if (op.operationCID) {
+      for (const dep of dependents.get(op.operationCID) ?? []) {
+        const deg = inDegree.get(dep) - 1;
+        inDegree.set(dep, deg);
+        if (deg === 0) queue.push(dep);
+      }
+    }
+  }
+  if (sorted.length < ops.length) {
+    const placed = new Set(sorted);
+    for (const op of ops) {
+      if (!placed.has(op)) sorted.push(op);
+    }
+  }
+  return sorted;
+};
+var ingestOperations = async (tokens, store) => {
+  const classified = tokens.map((token, i) => ({ ...classify(token), originalIndex: i }));
+  const sorted = dependencySort(classified);
+  const indexedResults = [];
+  for (const op of sorted) {
+    try {
+      let result;
+      switch (op.kind) {
+        case "identity-op":
+          result = await ingestIdentityOp(op.jwsToken, store);
+          break;
+        case "content-op":
+          result = await ingestContentOp(op.jwsToken, store);
+          break;
+        case "beacon":
+          result = await ingestBeacon(op.jwsToken, store);
+          break;
+        case "countersig":
+          result = await ingestCountersig(op.jwsToken, store);
+          break;
+        case "beacon-countersig":
+          result = await ingestBeaconCountersig(op.jwsToken, store);
+          break;
+        default:
+          result = { cid: "", status: "rejected", error: "unrecognized operation type" };
+      }
+      indexedResults.push({ index: op.originalIndex, result });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "unexpected error";
+      indexedResults.push({
+        index: op.originalIndex,
+        result: { cid: "", status: "rejected", error: message }
+      });
+    }
+  }
+  return indexedResults.sort((a, b) => a.index - b.index).map((r) => r.result);
+};
+
+// src/auth.ts
+var authenticateRequest = async (authHeader, relayDID, store) => {
+  if (!authHeader) return null;
+  if (!authHeader.startsWith("Bearer ")) return null;
+  const token = authHeader.substring(7);
+  if (!token) return null;
+  const decoded = decodeJwsUnsafe2(token);
+  if (!decoded) return null;
+  const kid = decoded.header.kid;
+  if (!kid || !kid.includes("#")) return null;
+  const resolveKey = createCurrentKeyResolver(store);
+  let publicKey;
+  try {
+    publicKey = await resolveKey(kid);
+  } catch {
+    return null;
+  }
+  try {
+    return verifyAuthToken({ token, publicKey, audience: relayDID });
+  } catch {
+    return null;
+  }
+};
+
+// src/relay.ts
+var IngestBody = z.object({
+  operations: z.array(z.string()).min(1).max(100)
+});
+var createRelay = (options) => {
+  const { relayDID, store } = options;
+  const app = new Hono();
+  app.get("/.well-known/dfos-relay", (c) => {
+    return c.json({
+      did: relayDID,
+      protocol: "dfos-web-relay",
+      version: "0.1.0"
+    });
+  });
+  app.post("/operations", async (c) => {
+    let body;
+    try {
+      body = await c.req.json();
+    } catch {
+      return c.json({ error: "invalid JSON body" }, 400);
+    }
+    const parsed = IngestBody.safeParse(body);
+    if (!parsed.success) {
+      return c.json({ error: "invalid request", details: parsed.error.issues }, 400);
+    }
+    const results = await ingestOperations(parsed.data.operations, store);
+    return c.json({ results });
+  });
+  app.get("/operations/:cid", async (c) => {
+    const cid = c.req.param("cid");
+    const op = await store.getOperation(cid);
+    if (!op) return c.json({ error: "not found" }, 404);
+    return c.json({
+      cid: op.cid,
+      jwsToken: op.jwsToken,
+      chainType: op.chainType,
+      chainId: op.chainId
+    });
+  });
+  app.get("/identities/:did{.+}", async (c) => {
+    const did = c.req.param("did");
+    const chain = await store.getIdentityChain(did);
+    if (!chain) return c.json({ error: "not found" }, 404);
+    return c.json({
+      did: chain.did,
+      log: chain.log,
+      state: chain.state
+    });
+  });
+  app.get("/content/:contentId", async (c) => {
+    const contentId = c.req.param("contentId");
+    const chain = await store.getContentChain(contentId);
+    if (!chain) return c.json({ error: "not found" }, 404);
+    return c.json({
+      contentId: chain.contentId,
+      genesisCID: chain.genesisCID,
+      log: chain.log,
+      state: chain.state
+    });
+  });
+  app.get("/countersignatures/:cid", async (c) => {
+    const cid = c.req.param("cid");
+    const op = await store.getOperation(cid);
+    if (!op) {
+      const countersigs2 = await store.getCountersignatures(cid);
+      if (countersigs2.length === 0) return c.json({ error: "not found" }, 404);
+      return c.json({ cid, countersignatures: countersigs2 });
+    }
+    const countersigs = await store.getCountersignatures(cid);
+    return c.json({ operationCID: cid, countersignatures: countersigs });
+  });
+  app.get("/operations/:cid/countersignatures", async (c) => {
+    const cid = c.req.param("cid");
+    const op = await store.getOperation(cid);
+    if (!op) return c.json({ error: "not found" }, 404);
+    const countersigs = await store.getCountersignatures(cid);
+    return c.json({ operationCID: cid, countersignatures: countersigs });
+  });
+  app.get("/beacons/:did{.+}", async (c) => {
+    const did = c.req.param("did");
+    const beacon = await store.getBeacon(did);
+    if (!beacon) return c.json({ error: "not found" }, 404);
+    return c.json({
+      did: beacon.did,
+      jwsToken: beacon.jwsToken,
+      beaconCID: beacon.beaconCID,
+      payload: beacon.state.payload
+    });
+  });
+  app.put("/content/:contentId/blob", async (c) => {
+    const contentId = c.req.param("contentId");
+    const documentCID = c.req.header("x-document-cid");
+    if (!documentCID) {
+      return c.json({ error: "missing X-Document-CID header" }, 400);
+    }
+    const auth = await authenticateRequest(c.req.header("authorization"), relayDID, store);
+    if (!auth) return c.json({ error: "authentication required" }, 401);
+    const chain = await store.getContentChain(contentId);
+    if (!chain) return c.json({ error: "content chain not found" }, 404);
+    if (chain.state.creatorDID !== auth.iss) {
+      return c.json({ error: "not the chain creator" }, 403);
+    }
+    const chainLog = chain.log;
+    let documentReferenced = false;
+    for (const token of chainLog) {
+      const decoded = decodeJwsUnsafe3(token);
+      if (!decoded) continue;
+      const payload = decoded.payload;
+      if (payload["documentCID"] === documentCID) {
+        documentReferenced = true;
+        break;
+      }
+    }
+    if (!documentReferenced) {
+      return c.json({ error: "documentCID not referenced in chain" }, 400);
+    }
+    const bytes = new Uint8Array(await c.req.arrayBuffer());
+    try {
+      const parsed = JSON.parse(new TextDecoder().decode(bytes));
+      const encoded = await dagCborCanonicalEncode2(parsed);
+      if (encoded.cid.toString() !== documentCID) {
+        return c.json({ error: "blob bytes do not match documentCID" }, 400);
+      }
+    } catch {
+      return c.json({ error: "blob bytes do not match documentCID" }, 400);
+    }
+    await store.putBlob({ creatorDID: auth.iss, documentCID }, bytes);
+    return c.json({ status: "stored", contentId, documentCID });
+  });
+  app.get("/content/:contentId/blob", async (c) => {
+    return await readBlob({
+      contentId: c.req.param("contentId"),
+      ref: "head",
+      authHeader: c.req.header("authorization"),
+      credHeader: c.req.header("x-credential"),
+      relayDID,
+      store
+    });
+  });
+  app.get("/content/:contentId/blob/:ref", async (c) => {
+    return await readBlob({
+      contentId: c.req.param("contentId"),
+      ref: c.req.param("ref"),
+      authHeader: c.req.header("authorization"),
+      credHeader: c.req.header("x-credential"),
+      relayDID,
+      store
+    });
+  });
+  return app;
+};
+var jsonResponse = (body, status = 200) => new Response(JSON.stringify(body), {
+  status,
+  headers: { "content-type": "application/json" }
+});
+var readBlob = async (params) => {
+  const { contentId, ref, authHeader, credHeader, relayDID, store } = params;
+  const auth = await authenticateRequest(authHeader, relayDID, store);
+  if (!auth) return jsonResponse({ error: "authentication required" }, 401);
+  const chain = await store.getContentChain(contentId);
+  if (!chain) return jsonResponse({ error: "content chain not found" }, 404);
+  const credError = await verifyReadCredential(auth, chain, contentId, credHeader, store);
+  if (credError) return credError;
+  let documentCID = null;
+  let operationFound = ref === "head";
+  if (ref === "head") {
+    documentCID = chain.state.currentDocumentCID;
+  } else {
+    for (const token of chain.log) {
+      const decoded = decodeJwsUnsafe3(token);
+      if (!decoded) continue;
+      if (decoded.header.cid === ref) {
+        operationFound = true;
+        const payload = decoded.payload;
+        documentCID = typeof payload["documentCID"] === "string" ? payload["documentCID"] : null;
+        break;
+      }
+    }
+  }
+  if (!operationFound) return jsonResponse({ error: "operation not found in chain" }, 404);
+  if (!documentCID) return jsonResponse({ error: "no document at this ref" }, 404);
+  const blob = await store.getBlob({ creatorDID: chain.state.creatorDID, documentCID });
+  if (!blob) return jsonResponse({ error: "blob not found" }, 404);
+  return new Response(blob, {
+    headers: {
+      "content-type": "application/octet-stream",
+      "x-document-cid": documentCID
+    }
+  });
+};
+var verifyReadCredential = async (auth, chain, contentId, credHeader, store) => {
+  if (auth.iss === chain.state.creatorDID) return null;
+  if (!credHeader) {
+    return jsonResponse({ error: "DFOSContentRead credential required" }, 403);
+  }
+  const resolveKey = createCurrentKeyResolver(store);
+  try {
+    const vcDecoded = decodeJwsUnsafe3(credHeader);
+    if (!vcDecoded) throw new Error("invalid credential format");
+    const vcHeader = vcDecoded.header;
+    if (!vcHeader.kid) throw new Error("credential missing kid");
+    const kidHashIdx = vcHeader.kid.indexOf("#");
+    if (kidHashIdx < 0) throw new Error("credential kid must be a DID URL");
+    const vcIssuerDID = vcHeader.kid.substring(0, kidHashIdx);
+    if (vcIssuerDID !== chain.state.creatorDID) {
+      throw new Error("credential must be issued by the chain creator");
+    }
+    const creatorKey = await resolveKey(vcHeader.kid);
+    const credential = verifyCredential({
+      token: credHeader,
+      publicKey: creatorKey,
+      subject: auth.iss,
+      expectedType: VC_TYPE_CONTENT_READ
+    });
+    if (credential.iss !== chain.state.creatorDID) {
+      throw new Error("credential issuer is not the chain creator");
+    }
+    if (credential.contentId && credential.contentId !== contentId) {
+      return jsonResponse({ error: "credential contentId does not match" }, 403);
+    }
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "credential verification failed";
+    return jsonResponse({ error: message }, 403);
+  }
+  return null;
+};
+
+// src/store.ts
+var blobKeyString = (key) => `${key.creatorDID}::${key.documentCID}`;
+var MemoryRelayStore = class {
+  operations = /* @__PURE__ */ new Map();
+  identityChains = /* @__PURE__ */ new Map();
+  contentChains = /* @__PURE__ */ new Map();
+  beacons = /* @__PURE__ */ new Map();
+  blobs = /* @__PURE__ */ new Map();
+  countersignatures = /* @__PURE__ */ new Map();
+  async getOperation(cid) {
+    return this.operations.get(cid);
+  }
+  async putOperation(op) {
+    this.operations.set(op.cid, op);
+  }
+  async getIdentityChain(did) {
+    return this.identityChains.get(did);
+  }
+  async putIdentityChain(chain) {
+    this.identityChains.set(chain.did, chain);
+  }
+  async getContentChain(contentId) {
+    return this.contentChains.get(contentId);
+  }
+  async putContentChain(chain) {
+    this.contentChains.set(chain.contentId, chain);
+  }
+  async getBeacon(did) {
+    return this.beacons.get(did);
+  }
+  async putBeacon(beacon) {
+    this.beacons.set(beacon.did, beacon);
+  }
+  async getBlob(key) {
+    return this.blobs.get(blobKeyString(key));
+  }
+  async putBlob(key, data) {
+    this.blobs.set(blobKeyString(key), data);
+  }
+  async getCountersignatures(operationCID) {
+    return this.countersignatures.get(operationCID) ?? [];
+  }
+  async addCountersignature(operationCID, jwsToken) {
+    const existing = this.countersignatures.get(operationCID) ?? [];
+    if (existing.includes(jwsToken)) return;
+    existing.push(jwsToken);
+    this.countersignatures.set(operationCID, existing);
+  }
+};
+export {
+  MemoryRelayStore,
+  createCurrentKeyResolver,
+  createKeyResolver,
+  createRelay,
+  ingestOperations
+};