@metalabel/dfos-web-relay 0.5.0 → 0.6.0

package/dist/index.js

@@ -22,6 +22,12 @@ import {
   verifyIdentityExtensionFromTrustedState
 } from "@metalabel/dfos-protocol/chain";
 import { dagCborCanonicalEncode, decodeJwsUnsafe } from "@metalabel/dfos-protocol/crypto";
+var MAX_FUTURE_TIMESTAMP_MS = 24 * 60 * 60 * 1e3;
+var isFutureTimestamp = (createdAt) => {
+  const ts = new Date(createdAt).getTime();
+  if (isNaN(ts)) return false;
+  return ts > Date.now() + MAX_FUTURE_TIMESTAMP_MS;
+};
 var classify = (jwsToken) => {
   const unknown = {
     jwsToken,
@@ -136,12 +142,16 @@ var createCurrentKeyResolver = (store) => async (kid) => {
   if (currentKey) return decodeMultikey(currentKey.publicKeyMultibase).keyBytes;
   throw new Error(`unknown key ${keyId} on identity ${did}`);
 };
-var ingestIdentityOp = async (jwsToken, store) => {
+var ingestIdentityOp = async (jwsToken, store, logEnabled) => {
   const decoded = decodeJwsUnsafe(jwsToken);
   if (!decoded) return { cid: "", status: "rejected", error: "failed to decode JWS" };
   const payload = decoded.payload;
   const encoded = await dagCborCanonicalEncode(payload);
   const cid = encoded.cid.toString();
+  const createdAtVal = payload["createdAt"];
+  if (typeof createdAtVal === "string" && isFutureTimestamp(createdAtVal)) {
+    return { cid, status: "rejected", error: "createdAt is too far in the future" };
+  }
   const existing = await store.getOperation(cid);
   if (existing) {
     if (existing.jwsToken !== jwsToken) {
@@ -151,7 +161,7 @@ var ingestIdentityOp = async (jwsToken, store) => {
         error: "operation already exists with a different signature"
       };
     }
-    return { cid, status: "accepted", kind: "identity-op", chainId: existing.chainId };
+    return { cid, status: "duplicate", kind: "identity-op", chainId: existing.chainId };
   }
   const opType = payload["type"];
   const isGenesis = opType === "create";
@@ -167,8 +177,10 @@ var ingestIdentityOp = async (jwsToken, store) => {
     };
     await store.putIdentityChain(chain2);
     await store.putOperation({ cid, jwsToken, chainType: "identity", chainId: identity.did });
-    await store.appendToLog({ cid, jwsToken, kind: "identity-op", chainId: identity.did });
-    return { cid, status: "accepted", kind: "identity-op", chainId: identity.did };
+    if (logEnabled) {
+      await store.appendToLog({ cid, jwsToken, kind: "identity-op", chainId: identity.did });
+    }
+    return { cid, status: "new", kind: "identity-op", chainId: identity.did };
   }
   const kid = decoded.header.kid;
   const hashIdx = kid.indexOf("#");
@@ -176,30 +188,78 @@ var ingestIdentityOp = async (jwsToken, store) => {
   const did = kid.substring(0, hashIdx);
   const chain = await store.getIdentityChain(did);
   if (!chain) return { cid, status: "rejected", error: `unknown identity: ${did}` };
+  const previousCID = typeof payload["previousOperationCID"] === "string" ? payload["previousOperationCID"] : null;
+  if (previousCID === chain.headCID) {
+    const extResult2 = await verifyIdentityExtensionFromTrustedState({
+      currentState: chain.state,
+      headCID: chain.headCID,
+      lastCreatedAt: chain.lastCreatedAt,
+      newOp: jwsToken
+    });
+    const updated2 = {
+      did: chain.did,
+      log: [...chain.log, jwsToken],
+      headCID: extResult2.operationCID,
+      lastCreatedAt: extResult2.createdAt,
+      state: extResult2.state
+    };
+    await store.putIdentityChain(updated2);
+    await store.putOperation({ cid, jwsToken, chainType: "identity", chainId: did });
+    if (logEnabled) {
+      await store.appendToLog({ cid, jwsToken, kind: "identity-op", chainId: did });
+    }
+    return { cid, status: "new", kind: "identity-op", chainId: did };
+  }
+  if (!previousCID || !chainLogContainsCID(chain.log, previousCID)) {
+    return { cid, status: "rejected", error: "unknown previous operation in identity chain" };
+  }
+  const forkState = await store.getIdentityStateAtCID(did, previousCID);
+  if (!forkState) {
+    return { cid, status: "rejected", error: "failed to compute state at fork point" };
+  }
   const extResult = await verifyIdentityExtensionFromTrustedState({
-    currentState: chain.state,
-    headCID: chain.headCID,
-    lastCreatedAt: chain.lastCreatedAt,
+    currentState: forkState.state,
+    headCID: previousCID,
+    lastCreatedAt: forkState.lastCreatedAt,
     newOp: jwsToken
   });
+  const updatedLog = [...chain.log, jwsToken];
+  const head = selectDeterministicHead(updatedLog);
+  let headState = chain.state;
+  let headLastCreatedAt = chain.lastCreatedAt;
+  let headCID = chain.headCID;
+  if (head.cid === cid) {
+    headState = extResult.state;
+    headLastCreatedAt = extResult.createdAt;
+    headCID = cid;
+  } else {
+    headCID = head.cid;
+    headLastCreatedAt = head.createdAt;
+  }
   const updated = {
     did: chain.did,
-    log: [...chain.log, jwsToken],
-    headCID: extResult.operationCID,
-    lastCreatedAt: extResult.createdAt,
-    state: extResult.state
+    log: updatedLog,
+    headCID,
+    lastCreatedAt: headLastCreatedAt,
+    state: headState
   };
   await store.putIdentityChain(updated);
   await store.putOperation({ cid, jwsToken, chainType: "identity", chainId: did });
-  await store.appendToLog({ cid, jwsToken, kind: "identity-op", chainId: did });
-  return { cid, status: "accepted", kind: "identity-op", chainId: did };
+  if (logEnabled) {
+    await store.appendToLog({ cid, jwsToken, kind: "identity-op", chainId: did });
+  }
+  return { cid, status: "new", kind: "identity-op", chainId: did };
 };
-var ingestContentOp = async (jwsToken, store) => {
+var ingestContentOp = async (jwsToken, store, logEnabled) => {
   const decoded = decodeJwsUnsafe(jwsToken);
   if (!decoded) return { cid: "", status: "rejected", error: "failed to decode JWS" };
   const payload = decoded.payload;
   const encoded = await dagCborCanonicalEncode(payload);
   const cid = encoded.cid.toString();
+  const createdAtVal = payload["createdAt"];
+  if (typeof createdAtVal === "string" && isFutureTimestamp(createdAtVal)) {
+    return { cid, status: "rejected", error: "createdAt is too far in the future" };
+  }
   const existing = await store.getOperation(cid);
   if (existing) {
     if (existing.jwsToken !== jwsToken) {
@@ -209,7 +269,7 @@ var ingestContentOp = async (jwsToken, store) => {
         error: "operation already exists with a different signature"
       };
     }
-    return { cid, status: "accepted", kind: "content-op", chainId: existing.chainId };
+    return { cid, status: "duplicate", kind: "content-op", chainId: existing.chainId };
   }
   const signerDID = payload["did"];
   if (typeof signerDID === "string") {
@@ -237,8 +297,10 @@ var ingestContentOp = async (jwsToken, store) => {
     };
     await store.putContentChain(chain2);
     await store.putOperation({ cid, jwsToken, chainType: "content", chainId: content.contentId });
-    await store.appendToLog({ cid, jwsToken, kind: "content-op", chainId: content.contentId });
-    return { cid, status: "accepted", kind: "content-op", chainId: content.contentId };
+    if (logEnabled) {
+      await store.appendToLog({ cid, jwsToken, kind: "content-op", chainId: content.contentId });
+    }
+    return { cid, status: "new", kind: "content-op", chainId: content.contentId };
   }
   const previousCID = payload["previousOperationCID"];
   if (typeof previousCID !== "string") {
@@ -257,29 +319,65 @@ var ingestContentOp = async (jwsToken, store) => {
   if (creatorIdentity?.state.isDeleted) {
     return { cid, status: "rejected", error: "content creator identity is deleted" };
   }
-  if (chain.state.headCID !== previousCID) {
-    return { cid, status: "rejected", error: "chain has diverged (first-seen-wins)" };
+  if (chain.state.headCID === previousCID) {
+    const extResult2 = await verifyContentExtensionFromTrustedState({
+      currentState: chain.state,
+      lastCreatedAt: chain.lastCreatedAt,
+      newOp: jwsToken,
+      resolveKey,
+      enforceAuthorization: true
+    });
+    const updated2 = {
+      contentId: chain.contentId,
+      genesisCID: chain.genesisCID,
+      log: [...chain.log, jwsToken],
+      lastCreatedAt: extResult2.createdAt,
+      state: extResult2.state
+    };
+    await store.putContentChain(updated2);
+    await store.putOperation({ cid, jwsToken, chainType: "content", chainId: chain.contentId });
+    if (logEnabled) {
+      await store.appendToLog({ cid, jwsToken, kind: "content-op", chainId: chain.contentId });
+    }
+    return { cid, status: "new", kind: "content-op", chainId: chain.contentId };
+  }
+  if (!chainLogContainsCID(chain.log, previousCID)) {
+    return { cid, status: "rejected", error: "unknown previous operation in content chain" };
+  }
+  const forkState = await store.getContentStateAtCID(chain.contentId, previousCID);
+  if (!forkState) {
+    return { cid, status: "rejected", error: "failed to compute state at fork point" };
   }
   const extResult = await verifyContentExtensionFromTrustedState({
-    currentState: chain.state,
-    lastCreatedAt: chain.lastCreatedAt,
+    currentState: forkState.state,
+    lastCreatedAt: forkState.lastCreatedAt,
     newOp: jwsToken,
     resolveKey,
     enforceAuthorization: true
   });
+  const updatedLog = [...chain.log, jwsToken];
+  const head = selectDeterministicHead(updatedLog);
+  let headState = chain.state;
+  let headLastCreatedAt = chain.lastCreatedAt;
+  if (head.cid === cid) {
+    headState = extResult.state;
+    headLastCreatedAt = extResult.createdAt;
+  }
   const updated = {
     contentId: chain.contentId,
     genesisCID: chain.genesisCID,
-    log: [...chain.log, jwsToken],
-    lastCreatedAt: extResult.createdAt,
-    state: extResult.state
+    log: updatedLog,
+    lastCreatedAt: headLastCreatedAt,
+    state: headState
   };
   await store.putContentChain(updated);
   await store.putOperation({ cid, jwsToken, chainType: "content", chainId: chain.contentId });
-  await store.appendToLog({ cid, jwsToken, kind: "content-op", chainId: chain.contentId });
-  return { cid, status: "accepted", kind: "content-op", chainId: chain.contentId };
+  if (logEnabled) {
+    await store.appendToLog({ cid, jwsToken, kind: "content-op", chainId: chain.contentId });
+  }
+  return { cid, status: "new", kind: "content-op", chainId: chain.contentId };
 };
-var ingestBeacon = async (jwsToken, store) => {
+var ingestBeacon = async (jwsToken, store, logEnabled) => {
   const resolveKey = createKeyResolver(store);
   let verified;
   try {
@@ -299,15 +397,17 @@ var ingestBeacon = async (jwsToken, store) => {
     const existingTime = new Date(existing.state.payload.createdAt).getTime();
     const newTime = new Date(verified.payload.createdAt).getTime();
     if (newTime <= existingTime) {
-      return { cid, status: "accepted", kind: "beacon", chainId: did };
+      return { cid, status: "duplicate", kind: "beacon", chainId: did };
     }
   }
   await store.putBeacon({ did, jwsToken, beaconCID: cid, state: verified });
   await store.putOperation({ cid, jwsToken, chainType: "beacon", chainId: did });
-  await store.appendToLog({ cid, jwsToken, kind: "beacon", chainId: did });
-  return { cid, status: "accepted", kind: "beacon", chainId: did };
+  if (logEnabled) {
+    await store.appendToLog({ cid, jwsToken, kind: "beacon", chainId: did });
+  }
+  return { cid, status: "new", kind: "beacon", chainId: did };
 };
-var ingestCountersign = async (jwsToken, store) => {
+var ingestCountersign = async (jwsToken, store, logEnabled) => {
   const resolveKey = createKeyResolver(store);
   let verified;
   try {
@@ -327,7 +427,7 @@ var ingestCountersign = async (jwsToken, store) => {
         error: "countersign already exists with a different signature"
       };
     }
-    return { cid, status: "accepted", kind: "countersign", chainId: targetCID };
+    return { cid, status: "duplicate", kind: "countersign", chainId: targetCID };
   }
   const targetOp = await store.getOperation(targetCID);
   if (!targetOp) {
@@ -356,15 +456,17 @@ var ingestCountersign = async (jwsToken, store) => {
     if (!csDecoded) continue;
     const csPayload = csDecoded.payload;
     if (csPayload["did"] === witnessDID) {
-      return { cid, status: "accepted", kind: "countersign", chainId: targetCID };
+      return { cid, status: "duplicate", kind: "countersign", chainId: targetCID };
     }
   }
   await store.putOperation({ cid, jwsToken, chainType: "countersign", chainId: targetCID });
   await store.addCountersignature(targetCID, jwsToken);
-  await store.appendToLog({ cid, jwsToken, kind: "countersign", chainId: targetCID });
-  return { cid, status: "accepted", kind: "countersign", chainId: targetCID };
+  if (logEnabled) {
+    await store.appendToLog({ cid, jwsToken, kind: "countersign", chainId: targetCID });
+  }
+  return { cid, status: "new", kind: "countersign", chainId: targetCID };
 };
-var ingestArtifact = async (jwsToken, store) => {
+var ingestArtifact = async (jwsToken, store, logEnabled) => {
   const resolveKey = createKeyResolver(store);
   let verified;
   try {
@@ -384,15 +486,17 @@ var ingestArtifact = async (jwsToken, store) => {
         error: "artifact already exists with a different signature"
       };
     }
-    return { cid, status: "accepted", kind: "artifact", chainId: did };
+    return { cid, status: "duplicate", kind: "artifact", chainId: did };
   }
   const identity = await store.getIdentityChain(did);
   if (identity?.state.isDeleted) {
     return { cid, status: "rejected", error: "identity is deleted" };
   }
   await store.putOperation({ cid, jwsToken, chainType: "artifact", chainId: did });
-  await store.appendToLog({ cid, jwsToken, kind: "artifact", chainId: did });
-  return { cid, status: "accepted", kind: "artifact", chainId: did };
+  if (logEnabled) {
+    await store.appendToLog({ cid, jwsToken, kind: "artifact", chainId: did });
+  }
+  return { cid, status: "new", kind: "artifact", chainId: did };
 };
 var dependencySort = (ops) => {
   const buckets = /* @__PURE__ */ new Map();
@@ -451,7 +555,36 @@ var topologicalSortBucket = (ops) => {
   }
   return sorted;
 };
-var ingestOperations = async (tokens, store) => {
+var chainLogContainsCID = (log, targetCID) => {
+  for (const jws of log) {
+    const decoded = decodeJwsUnsafe(jws);
+    if (!decoded) continue;
+    if (decoded.header.cid === targetCID) return true;
+  }
+  return false;
+};
+var selectDeterministicHead = (log) => {
+  const ops = [];
+  const hasChild = /* @__PURE__ */ new Set();
+  for (const jws of log) {
+    const decoded = decodeJwsUnsafe(jws);
+    if (!decoded) continue;
+    const payload = decoded.payload;
+    const cid = typeof decoded.header.cid === "string" ? decoded.header.cid : "";
+    const previousCID = typeof payload["previousOperationCID"] === "string" ? payload["previousOperationCID"] : null;
+    const createdAt = typeof payload["createdAt"] === "string" ? payload["createdAt"] : "";
+    ops.push({ cid, previousCID, createdAt });
+    if (previousCID) hasChild.add(previousCID);
+  }
+  const tips = ops.filter((op) => !hasChild.has(op.cid));
+  tips.sort((a, b) => {
+    if (a.createdAt !== b.createdAt) return b.createdAt.localeCompare(a.createdAt);
+    return b.cid.localeCompare(a.cid);
+  });
+  return tips[0] ?? { cid: "", createdAt: "" };
+};
+var ingestOperations = async (tokens, store, options) => {
+  const logEnabled = options?.logEnabled !== false;
   const classified = tokens.map((token, i) => ({ ...classify(token), originalIndex: i }));
   const sorted = dependencySort(classified);
   const indexedResults = [];
@@ -460,19 +593,19 @@ var ingestOperations = async (tokens, store) => {
       let result;
       switch (op.kind) {
         case "identity-op":
-          result = await ingestIdentityOp(op.jwsToken, store);
+          result = await ingestIdentityOp(op.jwsToken, store, logEnabled);
           break;
         case "content-op":
-          result = await ingestContentOp(op.jwsToken, store);
+          result = await ingestContentOp(op.jwsToken, store, logEnabled);
           break;
         case "beacon":
-          result = await ingestBeacon(op.jwsToken, store);
+          result = await ingestBeacon(op.jwsToken, store, logEnabled);
           break;
         case "countersign":
-          result = await ingestCountersign(op.jwsToken, store);
+          result = await ingestCountersign(op.jwsToken, store, logEnabled);
           break;
         case "artifact":
-          result = await ingestArtifact(op.jwsToken, store);
+          result = await ingestArtifact(op.jwsToken, store, logEnabled);
           break;
         default:
           result = { cid: "", status: "rejected", error: "unrecognized operation type" };
@@ -510,7 +643,7 @@ var bootstrapRelayIdentity = async (store) => {
     keyId
   });
   const [identityResult] = await ingestOperations([identityJws], store);
-  if (!identityResult || identityResult.status !== "accepted" || !identityResult.chainId) {
+  if (!identityResult || identityResult.status === "rejected" || !identityResult.chainId) {
     throw new Error(`failed to bootstrap relay identity: ${identityResult?.error ?? "unknown"}`);
   }
   const did = identityResult.chainId;
@@ -531,7 +664,7 @@ var bootstrapRelayIdentity = async (store) => {
     kid
   });
   const [artifactResult] = await ingestOperations([profileArtifactJws], store);
-  if (!artifactResult || artifactResult.status !== "accepted") {
+  if (!artifactResult || artifactResult.status === "rejected") {
     throw new Error(
       `failed to ingest relay profile artifact: ${artifactResult?.error ?? "unknown"}`
     );
@@ -539,6 +672,55 @@ var bootstrapRelayIdentity = async (store) => {
   return { did, profileArtifactJws };
 };
 
+// src/peer-client.ts
+var createHttpPeerClient = () => {
+  const fetchJSON = async (url) => {
+    try {
+      const res = await fetch(url);
+      if (!res.ok) return null;
+      return await res.json();
+    } catch {
+      return null;
+    }
+  };
+  return {
+    async getIdentityLog(peerUrl, did, params) {
+      const url = new URL(`/identities/${encodeURIComponent(did)}/log`, peerUrl);
+      if (params?.after) url.searchParams.set("after", params.after);
+      if (params?.limit) url.searchParams.set("limit", String(params.limit));
+      const data = await fetchJSON(url.toString());
+      if (!data?.entries) return null;
+      return { entries: data.entries, cursor: data.cursor ?? null };
+    },
+    async getContentLog(peerUrl, contentId, params) {
+      const url = new URL(`/content/${encodeURIComponent(contentId)}/log`, peerUrl);
+      if (params?.after) url.searchParams.set("after", params.after);
+      if (params?.limit) url.searchParams.set("limit", String(params.limit));
+      const data = await fetchJSON(url.toString());
+      if (!data?.entries) return null;
+      return { entries: data.entries, cursor: data.cursor ?? null };
+    },
+    async getOperationLog(peerUrl, params) {
+      const url = new URL("/log", peerUrl);
+      if (params?.after) url.searchParams.set("after", params.after);
+      if (params?.limit) url.searchParams.set("limit", String(params.limit));
+      const data = await fetchJSON(url.toString());
+      if (!data?.entries) return null;
+      return { entries: data.entries, cursor: data.cursor ?? null };
+    },
+    async submitOperations(peerUrl, operations) {
+      try {
+        await fetch(new URL("/operations", peerUrl).toString(), {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ operations })
+        });
+      } catch {
+      }
+    }
+  };
+};
+
 // src/relay.ts
 import { VC_TYPE_CONTENT_READ, verifyCredential } from "@metalabel/dfos-protocol/credentials";
 import { dagCborCanonicalEncode as dagCborCanonicalEncode2, decodeJwsUnsafe as decodeJwsUnsafe3 } from "@metalabel/dfos-protocol/crypto";
@@ -578,17 +760,40 @@ var IngestBody = z.object({
 var createRelay = async (options) => {
   const { store } = options;
   const contentEnabled = options.content !== false;
+  const logEnabled = options.log !== false;
+  const peers = options.peers ?? [];
+  const peerClient = options.peerClient;
+  const gossipPeers = peers.filter((p) => p.gossip !== false);
+  const readThroughPeers = peers.filter((p) => p.readThrough !== false);
+  const syncPeers = peers.filter((p) => p.sync !== false);
   const identity = options.identity ?? await bootstrapRelayIdentity(store);
   const relayDID = identity.did;
   const profileArtifactJws = identity.profileArtifactJws;
+  const ingestWithGossip = async (tokens) => {
+    const results = await ingestOperations(tokens, store, { logEnabled });
+    if (gossipPeers.length > 0 && peerClient) {
+      const newOps = [];
+      for (let i = 0; i < results.length; i++) {
+        if (results[i].status === "new") newOps.push(tokens[i]);
+      }
+      if (newOps.length > 0) {
+        for (const peer of gossipPeers) {
+          peerClient.submitOperations(peer.url, newOps).catch(() => {
+          });
+        }
+      }
+    }
+    return results;
+  };
   const app = new Hono();
   app.get("/.well-known/dfos-relay", (c) => {
     return c.json({
       did: relayDID,
       protocol: "dfos-web-relay",
-      version: "0.1.0",
+      version: "0.6.0",
       proof: true,
       content: contentEnabled,
+      log: logEnabled,
       profile: profileArtifactJws
     });
   });
@@ -603,7 +808,7 @@ var createRelay = async (options) => {
     if (!parsed.success) {
       return c.json({ error: "invalid request", details: parsed.error.issues }, 400);
     }
-    const results = await ingestOperations(parsed.data.operations, store);
+    const results = await ingestWithGossip(parsed.data.operations);
     return c.json({ results });
   });
   app.get("/operations/:cid", async (c) => {
@@ -638,7 +843,24 @@ var createRelay = async (options) => {
   });
   app.get("/identities/:did{.+}", async (c) => {
     const did = c.req.param("did");
-    const chain = await store.getIdentityChain(did);
+    let chain = await store.getIdentityChain(did);
+    if (!chain && readThroughPeers.length > 0 && peerClient) {
+      for (const peer of readThroughPeers) {
+        let after;
+        while (true) {
+          const logPage = await peerClient.getIdentityLog(peer.url, did, {
+            ...after ? { after } : {},
+            limit: 1e3
+          });
+          if (!logPage || logPage.entries.length === 0) break;
+          await ingestWithGossip(logPage.entries.map((e) => e.jwsToken));
+          if (!logPage.cursor) break;
+          after = logPage.cursor;
+        }
+        chain = await store.getIdentityChain(did);
+        if (chain) break;
+      }
+    }
     if (!chain) return c.json({ error: "not found" }, 404);
     return c.json({
       did: chain.did,
@@ -667,7 +889,24 @@ var createRelay = async (options) => {
   });
   app.get("/content/:contentId", async (c) => {
     const contentId = c.req.param("contentId");
-    const chain = await store.getContentChain(contentId);
+    let chain = await store.getContentChain(contentId);
+    if (!chain && readThroughPeers.length > 0 && peerClient) {
+      for (const peer of readThroughPeers) {
+        let after;
+        while (true) {
+          const logPage = await peerClient.getContentLog(peer.url, contentId, {
+            ...after ? { after } : {},
+            limit: 1e3
+          });
+          if (!logPage || logPage.entries.length === 0) break;
+          await ingestWithGossip(logPage.entries.map((e) => e.jwsToken));
+          if (!logPage.cursor) break;
+          after = logPage.cursor;
+        }
+        chain = await store.getContentChain(contentId);
+        if (chain) break;
+      }
+    }
     if (!chain) return c.json({ error: "not found" }, 404);
     return c.json({
       contentId: chain.contentId,
@@ -706,6 +945,7 @@ var createRelay = async (options) => {
     });
   });
   app.get("/log", async (c) => {
+    if (!logEnabled) return c.json({ error: "global log not available" }, 501);
     const afterParam = c.req.query("after");
     const limit = Math.min(Number(c.req.query("limit") || 100), 1e3);
     const result = await store.readLog(afterParam ? { after: afterParam, limit } : { limit });
@@ -771,7 +1011,24 @@ var createRelay = async (options) => {
       store
     });
   });
-  return app;
+  const syncFromPeers = async () => {
+    if (!peerClient) return;
+    for (const peer of syncPeers) {
+      let cursor = await store.getPeerCursor(peer.url);
+      while (true) {
+        const page = await peerClient.getOperationLog(peer.url, {
+          ...cursor ? { after: cursor } : {},
+          limit: 1e3
+        });
+        if (!page || page.entries.length === 0) break;
+        await ingestWithGossip(page.entries.map((e) => e.jwsToken));
+        cursor = page.cursor ?? page.entries[page.entries.length - 1].cid;
+        await store.setPeerCursor(peer.url, cursor);
+        if (!page.cursor) break;
+      }
+    }
+  };
+  return { app, did: relayDID, syncFromPeers };
 };
 var jsonResponse = (body, status = 200) => new Response(JSON.stringify(body), {
   status,
@@ -854,6 +1111,7 @@ var verifyReadCredential = async (auth, chain, contentId, credHeader, store) =>
 };
 
 // src/store.ts
+import { verifyContentChain as verifyContentChain2, verifyIdentityChain as verifyIdentityChain2 } from "@metalabel/dfos-protocol/chain";
 import { decodeJwsUnsafe as decodeJwsUnsafe4 } from "@metalabel/dfos-protocol/crypto";
 var blobKeyString = (key) => `${key.creatorDID}::${key.documentCID}`;
 var MemoryRelayStore = class {
@@ -864,6 +1122,7 @@ var MemoryRelayStore = class {
   blobs = /* @__PURE__ */ new Map();
   countersignatures = /* @__PURE__ */ new Map();
   operationLog = [];
+  peerCursors = /* @__PURE__ */ new Map();
   async getOperation(cid) {
     return this.operations.get(cid);
   }
@@ -928,11 +1187,71 @@ var MemoryRelayStore = class {
     const cursor = entries.length === params.limit ? entries[entries.length - 1].cid : null;
     return { entries, cursor };
   }
+  async getIdentityStateAtCID(did, cid) {
+    const chain = this.identityChains.get(did);
+    if (!chain) return null;
+    const opsByCID = /* @__PURE__ */ new Map();
+    for (const jws of chain.log) {
+      const decoded = decodeJwsUnsafe4(jws);
+      if (!decoded) continue;
+      const payload = decoded.payload;
+      const opCID = typeof decoded.header.cid === "string" ? decoded.header.cid : "";
+      const prevCID = typeof payload["previousOperationCID"] === "string" ? payload["previousOperationCID"] : null;
+      opsByCID.set(opCID, { jws, previousCID: prevCID });
+    }
+    if (!opsByCID.has(cid)) return null;
+    const path = [];
+    let currentCID = cid;
+    while (currentCID) {
+      const op = opsByCID.get(currentCID);
+      if (!op) return null;
+      path.unshift(op.jws);
+      currentCID = op.previousCID;
+    }
+    const identity = await verifyIdentityChain2({ didPrefix: "did:dfos", log: path });
+    const targetDecoded = decodeJwsUnsafe4(opsByCID.get(cid).jws);
+    const lastCreatedAt = typeof targetDecoded?.payload?.["createdAt"] === "string" ? (targetDecoded?.payload)["createdAt"] : "";
+    return { state: identity, lastCreatedAt };
+  }
+  async getContentStateAtCID(contentId, cid) {
+    const chain = this.contentChains.get(contentId);
+    if (!chain) return null;
+    const opsByCID = /* @__PURE__ */ new Map();
+    for (const jws of chain.log) {
+      const decoded = decodeJwsUnsafe4(jws);
+      if (!decoded) continue;
+      const payload = decoded.payload;
+      const opCID = typeof decoded.header.cid === "string" ? decoded.header.cid : "";
+      const prevCID = typeof payload["previousOperationCID"] === "string" ? payload["previousOperationCID"] : null;
+      opsByCID.set(opCID, { jws, previousCID: prevCID });
+    }
+    if (!opsByCID.has(cid)) return null;
+    const path = [];
+    let currentCID = cid;
+    while (currentCID) {
+      const op = opsByCID.get(currentCID);
+      if (!op) return null;
+      path.unshift(op.jws);
+      currentCID = op.previousCID;
+    }
+    const resolveKey = createKeyResolver(this);
+    const content = await verifyContentChain2({ log: path, resolveKey, enforceAuthorization: true });
+    const targetDecoded = decodeJwsUnsafe4(opsByCID.get(cid).jws);
+    const lastCreatedAt = typeof targetDecoded?.payload?.["createdAt"] === "string" ? (targetDecoded?.payload)["createdAt"] : "";
+    return { state: content, lastCreatedAt };
+  }
+  async getPeerCursor(peerUrl) {
+    return this.peerCursors.get(peerUrl);
+  }
+  async setPeerCursor(peerUrl, cursor) {
+    this.peerCursors.set(peerUrl, cursor);
+  }
 };
 export {
   MemoryRelayStore,
   bootstrapRelayIdentity,
   createCurrentKeyResolver,
+  createHttpPeerClient,
   createKeyResolver,
   createRelay,
   ingestOperations