@metalabel/dfos-web-relay 0.9.0 → 0.10.0

package/dist/index.d.ts

@@ -21,6 +21,12 @@ interface RelayOptions {
     peers?: PeerConfig[];
     /** Injected peer client — if omitted, a default HTTP implementation is used */
     peerClient?: PeerClient;
+    /**
+     * Max lifetime (exp-iat, seconds) honored on a self-signed auth token.
+     * Default 86400 (24h); a value <= 0 disables the ceiling. Applies only to auth
+     * tokens, never to DFOS credentials.
+     */
+    maxAuthTokenTTLSeconds?: number;
 }
 interface PeerConfig {
     url: string;
@@ -236,6 +242,14 @@ interface IngestionResult {
     kind?: OperationKind;
     /** Chain identifier if applicable */
     chainId?: string;
+    /**
+     * Structured dependency-failure signal. When true, the rejection is due to a
+     * missing dependency that may arrive later via sync or gossip, so the
+     * sequencer must keep the op pending (retryable) rather than durably reject
+     * it. This is the discriminator the sequencer branches on — NOT substring
+     * matching of the human-readable `error` string.
+     */
+    dependencyMissing?: boolean;
 }
 
 /**
@@ -247,6 +261,20 @@ interface IngestionResult {
  * they are available via the relay's proof plane routes.
  */
 declare const bootstrapRelayIdentity: (store: RelayStore) => Promise<RelayIdentity>;
+/**
+ * Bootstrap a relay identity from an EXISTING key + key ID, with optional pinned
+ * timestamps and profile name. Used for deterministic bootstrap — e.g. the
+ * dual-relay parity harness pins one key + one createdAt across both twins so
+ * the relay's own genesis + profile log entries are byte-identical, and durable
+ * relays that reload their key from storage. Mirrors the Go twin's
+ * BootstrapRelayIdentityFromKey.
+ */
+declare const bootstrapRelayIdentityFromKey: (store: RelayStore, params: {
+    privateKey: Uint8Array;
+    keyId: string;
+    name?: string;
+    createdAt?: string;
+}) => Promise<RelayIdentity>;
 
 /**
  * Create an HTTP-based PeerClient.
@@ -265,6 +293,13 @@ interface CreatedRelay {
     /** Sync operations from all configured sync peers (call on a schedule) */
     syncFromPeers: () => Promise<void>;
 }
+/**
+ * Split items into batches of at most `size`, preserving order with no loss.
+ * gossip() uses this to stay within the receiver's per-batch cap; exported so
+ * the split behavior is directly testable (mirrors Go's maxGossipBatch chunking,
+ * whose TestGossipChunksLargeBatches drives the split directly).
+ */
+declare const chunkOps: <T>(items: T[], size: number) => T[][];
 /**
  * Create a DFOS web relay Hono application
  *
@@ -346,6 +381,13 @@ declare class MemoryRelayStore implements RelayStore {
     resetSequencer(): Promise<void>;
 }
 
+/**
+ * Derive the operation CID from a JWS token by re-encoding the decoded payload.
+ * Returns the empty string for an undecodable token. Used at verify-failure
+ * sites so a rejection still carries a CID and can be durably rejected by the
+ * sequencer (instead of being skipped forever by `if (!res.cid) continue`).
+ */
+declare const computeOpCID: (jwsToken: string) => Promise<string>;
 /**
  * Create a key resolver that looks up Ed25519 public keys from identity chains
  * in the store. Used for chain re-verification during ingestion.
@@ -411,13 +453,13 @@ declare const ingestOperations: (tokens: string[], store: RelayStore, options?:
 }) => Promise<IngestionResult[]>;
 
 /**
- * Returns true if the rejection is due to a missing dependency that may
- * arrive later via sync or gossip. Only these specific patterns are
- * retryable — everything else is treated as permanent.
+ * Returns true if a rejection is retryable (a missing dependency that may
+ * arrive later via sync or gossip). The sequencer branches on the STRUCTURED
+ * `dependencyMissing` flag set by the ingest producer — not on substring
+ * matching of the human-readable `error` string. Mirrors the Go twin's
+ * structured discriminator.
  */
-declare const isDependencyFailure: (error: string) => boolean;
-/** Derive the operation CID from a JWS token */
-declare const computeOpCID: (jwsToken: string) => Promise<string | undefined>;
+declare const isDependencyFailure: (res: Pick<IngestionResult, "dependencyMissing">) => boolean;
 /**
  * Process unsequenced raw ops in a fixed-point loop until no more progress
  * is made. Returns the JWS tokens of newly sequenced ops and aggregate stats.
@@ -427,4 +469,4 @@ declare const sequenceOps: (store: RelayStore) => Promise<{
     result: SequenceResult;
 }>;
 
-export { type BlobKey, type CreatedRelay, type IngestionResult, type LogEntry, MemoryRelayStore, type OperationKind, type PeerClient, type PeerConfig, type PeerLogEntry, type RelayIdentity, type RelayOptions, type RelayStore, type SequenceResult, type StoredBeacon, type StoredContentChain, type StoredIdentityChain, type StoredOperation, bootstrapRelayIdentity, computeOpCID, createCurrentKeyResolver, createHistoricalIdentityResolver, createHttpPeerClient, createKeyResolver, createRelay, ingestOperations, isDependencyFailure, sequenceOps };
+export { type BlobKey, type CreatedRelay, type IngestionResult, type LogEntry, MemoryRelayStore, type OperationKind, type PeerClient, type PeerConfig, type PeerLogEntry, type RelayIdentity, type RelayOptions, type RelayStore, type SequenceResult, type StoredBeacon, type StoredContentChain, type StoredIdentityChain, type StoredOperation, bootstrapRelayIdentity, bootstrapRelayIdentityFromKey, chunkOps, computeOpCID, createCurrentKeyResolver, createHistoricalIdentityResolver, createHttpPeerClient, createKeyResolver, createRelay, ingestOperations, isDependencyFailure, sequenceOps };

package/dist/index.js

@@ -7,6 +7,7 @@ import {
 import {
   createNewEd25519Keypair,
   generateId,
+  importEd25519Keypair,
   signPayloadEd25519
 } from "@metalabel/dfos-protocol/crypto";
 
@@ -26,6 +27,16 @@ import {
   verifyDFOSCredential
 } from "@metalabel/dfos-protocol/credentials";
 import { dagCborCanonicalEncode, decodeJwsUnsafe } from "@metalabel/dfos-protocol/crypto";
+var FORK_POINT_STATE_ERROR_PREFIX = "failed to compute state at fork point: ";
+var DEPENDENCY_FAILURE_SUBSTRINGS = ["unknown identity:", "unknown key "];
+var isKeyResolutionFailure = (message) => DEPENDENCY_FAILURE_SUBSTRINGS.some((s) => message.includes(s));
+var isCredentialDependencyFailure = (message) => message.includes("issuer identity not found:") || message.includes(" not found on identity ");
+var computeOpCID = async (jwsToken) => {
+  const decoded = decodeJwsUnsafe(jwsToken);
+  if (!decoded) return "";
+  const encoded = await dagCborCanonicalEncode(decoded.payload);
+  return encoded.cid.toString();
+};
 var MAX_FUTURE_TIMESTAMP_MS = 24 * 60 * 60 * 1e3;
 var isFutureTimestamp = (createdAt) => {
   const ts = new Date(createdAt).getTime();
@@ -231,7 +242,13 @@ var ingestIdentityOp = async (jwsToken, store, logEnabled) => {
   const opType = payload["type"];
   const isGenesis = opType === "create";
   if (isGenesis) {
-    const identity = await verifyIdentityChain({ didPrefix: "did:dfos", log: [jwsToken] });
+    let identity;
+    try {
+      identity = await verifyIdentityChain({ didPrefix: "did:dfos", log: [jwsToken] });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "verification failed";
+      return { cid, status: "rejected", error: message };
+    }
     const createdAt = payload["createdAt"];
     const chain2 = {
       did: identity.did,
@@ -252,15 +269,27 @@ var ingestIdentityOp = async (jwsToken, store, logEnabled) => {
   if (hashIdx < 0) return { cid, status: "rejected", error: "non-genesis kid must be a DID URL" };
   const did = kid.substring(0, hashIdx);
   const chain = await store.getIdentityChain(did);
-  if (!chain) return { cid, status: "rejected", error: `unknown identity: ${did}` };
+  if (!chain)
+    return {
+      cid,
+      status: "rejected",
+      error: `unknown identity: ${did}`,
+      dependencyMissing: true
+    };
   const previousCID = typeof payload["previousOperationCID"] === "string" ? payload["previousOperationCID"] : null;
   if (previousCID === chain.headCID) {
-    const extResult2 = await verifyIdentityExtensionFromTrustedState({
-      currentState: chain.state,
-      headCID: chain.headCID,
-      lastCreatedAt: chain.lastCreatedAt,
-      newOp: jwsToken
-    });
+    let extResult2;
+    try {
+      extResult2 = await verifyIdentityExtensionFromTrustedState({
+        currentState: chain.state,
+        headCID: chain.headCID,
+        lastCreatedAt: chain.lastCreatedAt,
+        newOp: jwsToken
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "verification failed";
+      return { cid, status: "rejected", error: message };
+    }
     const updated2 = {
       did: chain.did,
       log: [...chain.log, jwsToken],
@@ -276,18 +305,34 @@ var ingestIdentityOp = async (jwsToken, store, logEnabled) => {
     return { cid, status: "new", kind: "identity-op", chainId: did };
   }
   if (!previousCID || !chainLogContainsCID(chain.log, previousCID)) {
-    return { cid, status: "rejected", error: "unknown previous operation in identity chain" };
+    return {
+      cid,
+      status: "rejected",
+      error: "unknown previous operation in identity chain",
+      dependencyMissing: true
+    };
   }
   const forkState = await store.getIdentityStateAtCID(did, previousCID);
   if (!forkState) {
-    return { cid, status: "rejected", error: "failed to compute state at fork point" };
+    return {
+      cid,
+      status: "rejected",
+      error: `${FORK_POINT_STATE_ERROR_PREFIX}${previousCID}`,
+      dependencyMissing: true
+    };
+  }
+  let extResult;
+  try {
+    extResult = await verifyIdentityExtensionFromTrustedState({
+      currentState: forkState.state,
+      headCID: previousCID,
+      lastCreatedAt: forkState.lastCreatedAt,
+      newOp: jwsToken
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "verification failed";
+    return { cid, status: "rejected", error: message };
   }
-  const extResult = await verifyIdentityExtensionFromTrustedState({
-    currentState: forkState.state,
-    headCID: previousCID,
-    lastCreatedAt: forkState.lastCreatedAt,
-    newOp: jwsToken
-  });
   const updatedLog = [...chain.log, jwsToken];
   const head = selectDeterministicHead(updatedLog);
   let headState = chain.state;
@@ -345,15 +390,28 @@ var ingestContentOp = async (jwsToken, store, logEnabled) => {
   }
   const resolveKey = createKeyResolver(store);
   const resolveIdentity = createHistoricalIdentityResolver(store);
+  const isRevoked = (issuerDID, credentialCID) => store.isCredentialRevoked(issuerDID, credentialCID);
   const opType = payload["type"];
   const isGenesis = opType === "create";
   if (isGenesis) {
-    const content = await verifyContentChain({
-      log: [jwsToken],
-      resolveKey,
-      enforceAuthorization: true,
-      resolveIdentity
-    });
+    let content;
+    try {
+      content = await verifyContentChain({
+        log: [jwsToken],
+        resolveKey,
+        enforceAuthorization: true,
+        resolveIdentity,
+        isRevoked
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "verification failed";
+      return {
+        cid,
+        status: "rejected",
+        error: message,
+        dependencyMissing: isKeyResolutionFailure(message)
+      };
+    }
     const createdAt = payload["createdAt"];
     const chain2 = {
       contentId: content.contentId,
@@ -375,26 +433,48 @@ var ingestContentOp = async (jwsToken, store, logEnabled) => {
   }
   const prevOp = await store.getOperation(previousCID);
   if (!prevOp)
-    return { cid, status: "rejected", error: `unknown previous operation: ${previousCID}` };
+    return {
+      cid,
+      status: "rejected",
+      error: `unknown previous operation: ${previousCID}`,
+      dependencyMissing: true
+    };
   if (prevOp.chainType !== "content") {
     return { cid, status: "rejected", error: "previousOperationCID is not a content operation" };
   }
   const chain = await store.getContentChain(prevOp.chainId);
   if (!chain)
-    return { cid, status: "rejected", error: `content chain not found: ${prevOp.chainId}` };
+    return {
+      cid,
+      status: "rejected",
+      error: `content chain not found: ${prevOp.chainId}`,
+      dependencyMissing: true
+    };
   const creatorIdentity = await store.getIdentityChain(chain.state.creatorDID);
   if (creatorIdentity?.state.isDeleted) {
     return { cid, status: "rejected", error: "content creator identity is deleted" };
   }
   if (chain.state.headCID === previousCID) {
-    const extResult2 = await verifyContentExtensionFromTrustedState({
-      currentState: chain.state,
-      lastCreatedAt: chain.lastCreatedAt,
-      newOp: jwsToken,
-      resolveKey,
-      enforceAuthorization: true,
-      resolveIdentity
-    });
+    let extResult2;
+    try {
+      extResult2 = await verifyContentExtensionFromTrustedState({
+        currentState: chain.state,
+        lastCreatedAt: chain.lastCreatedAt,
+        newOp: jwsToken,
+        resolveKey,
+        enforceAuthorization: true,
+        resolveIdentity,
+        isRevoked
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "verification failed";
+      return {
+        cid,
+        status: "rejected",
+        error: message,
+        dependencyMissing: isKeyResolutionFailure(message)
+      };
+    }
     const updated2 = {
       contentId: chain.contentId,
       genesisCID: chain.genesisCID,
@@ -410,20 +490,42 @@ var ingestContentOp = async (jwsToken, store, logEnabled) => {
     return { cid, status: "new", kind: "content-op", chainId: chain.contentId };
   }
   if (!chainLogContainsCID(chain.log, previousCID)) {
-    return { cid, status: "rejected", error: "unknown previous operation in content chain" };
+    return {
+      cid,
+      status: "rejected",
+      error: "unknown previous operation in content chain",
+      dependencyMissing: true
+    };
   }
   const forkState = await store.getContentStateAtCID(chain.contentId, previousCID);
   if (!forkState) {
-    return { cid, status: "rejected", error: "failed to compute state at fork point" };
-  }
-  const extResult = await verifyContentExtensionFromTrustedState({
-    currentState: forkState.state,
-    lastCreatedAt: forkState.lastCreatedAt,
-    newOp: jwsToken,
-    resolveKey,
-    enforceAuthorization: true,
-    resolveIdentity
-  });
+    return {
+      cid,
+      status: "rejected",
+      error: `${FORK_POINT_STATE_ERROR_PREFIX}${previousCID}`,
+      dependencyMissing: true
+    };
+  }
+  let extResult;
+  try {
+    extResult = await verifyContentExtensionFromTrustedState({
+      currentState: forkState.state,
+      lastCreatedAt: forkState.lastCreatedAt,
+      newOp: jwsToken,
+      resolveKey,
+      enforceAuthorization: true,
+      resolveIdentity,
+      isRevoked
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "verification failed";
+    return {
+      cid,
+      status: "rejected",
+      error: message,
+      dependencyMissing: isKeyResolutionFailure(message)
+    };
+  }
   const updatedLog = [...chain.log, jwsToken];
   const head = selectDeterministicHead(updatedLog);
   let headState = chain.state;
@@ -447,13 +549,18 @@ var ingestContentOp = async (jwsToken, store, logEnabled) => {
   return { cid, status: "new", kind: "content-op", chainId: chain.contentId };
 };
 var ingestBeacon = async (jwsToken, store, logEnabled) => {
-  const resolveKey = createKeyResolver(store);
+  const resolveKey = createCurrentKeyResolver(store);
   let verified;
   try {
     verified = await verifyBeacon({ jwsToken, resolveKey });
   } catch (err) {
     const message = err instanceof Error ? err.message : "verification failed";
-    return { cid: "", status: "rejected", error: message };
+    return {
+      cid: await computeOpCID(jwsToken),
+      status: "rejected",
+      error: message,
+      dependencyMissing: isKeyResolutionFailure(message)
+    };
   }
   const did = verified.did;
   const cid = verified.beaconCID;
@@ -465,7 +572,7 @@ var ingestBeacon = async (jwsToken, store, logEnabled) => {
   if (existing) {
     const existingTime = new Date(existing.state.createdAt).getTime();
     const newTime = new Date(verified.createdAt).getTime();
-    if (newTime <= existingTime) {
+    if (newTime < existingTime || newTime === existingTime && cid <= existing.beaconCID) {
       return { cid, status: "duplicate", kind: "beacon", chainId: did };
     }
   }
@@ -483,7 +590,12 @@ var ingestCountersign = async (jwsToken, store, logEnabled) => {
     verified = await verifyCountersignature({ jwsToken, resolveKey });
   } catch (err) {
     const message = err instanceof Error ? err.message : "verification failed";
-    return { cid: "", status: "rejected", error: message };
+    return {
+      cid: await computeOpCID(jwsToken),
+      status: "rejected",
+      error: message,
+      dependencyMissing: isKeyResolutionFailure(message)
+    };
   }
   const cid = verified.countersignCID;
   const { witnessDID, targetCID } = verified;
@@ -500,7 +612,12 @@ var ingestCountersign = async (jwsToken, store, logEnabled) => {
   }
   const targetOp = await store.getOperation(targetCID);
   if (!targetOp) {
-    return { cid, status: "rejected", error: `unknown target operation: ${targetCID}` };
+    return {
+      cid,
+      status: "rejected",
+      error: `unknown target operation: ${targetCID}`,
+      dependencyMissing: true
+    };
   }
   let targetAuthorDID = null;
   if (targetOp.chainType === "identity") {
@@ -542,7 +659,12 @@ var ingestArtifact = async (jwsToken, store, logEnabled) => {
     verified = await verifyArtifact({ jwsToken, resolveKey });
   } catch (err) {
     const message = err instanceof Error ? err.message : "verification failed";
-    return { cid: "", status: "rejected", error: message };
+    return {
+      cid: await computeOpCID(jwsToken),
+      status: "rejected",
+      error: message,
+      dependencyMissing: isKeyResolutionFailure(message)
+    };
   }
   const cid = verified.artifactCID;
   const did = verified.payload.did;
@@ -574,7 +696,12 @@ var ingestRevocation = async (jwsToken, store, logEnabled) => {
     verified = await verifyRevocation({ jwsToken, resolveKey });
   } catch (err) {
     const message = err instanceof Error ? err.message : "verification failed";
-    return { cid: "", status: "rejected", error: message };
+    return {
+      cid: await computeOpCID(jwsToken),
+      status: "rejected",
+      error: message,
+      dependencyMissing: isKeyResolutionFailure(message)
+    };
   }
   const cid = verified.revocationCID;
   const did = verified.did;
@@ -613,11 +740,16 @@ var ingestPublicCredential = async (jwsToken, store, logEnabled) => {
     verified = await verifyDFOSCredential(jwsToken, { resolveIdentity });
   } catch (err) {
     const message = err instanceof Error ? err.message : "verification failed";
-    return { cid: "", status: "rejected", error: message };
+    return {
+      cid: await computeOpCID(jwsToken),
+      status: "rejected",
+      error: message,
+      dependencyMissing: isCredentialDependencyFailure(message)
+    };
   }
   const cid = verified.credentialCID;
   if (verified.aud !== "*") {
-    return { cid: "", status: "rejected", error: "not a public credential" };
+    return { cid, status: "rejected", error: "not a public credential" };
   }
   const existing = await store.getOperation(cid);
   if (existing) {
@@ -726,9 +858,10 @@ var selectDeterministicHead = (log) => {
     if (previousCID) hasChild.add(previousCID);
   }
   const tips = ops.filter((op) => !hasChild.has(op.cid));
+  const cmp = (x, y) => x < y ? -1 : x > y ? 1 : 0;
   tips.sort((a, b) => {
-    if (a.createdAt !== b.createdAt) return b.createdAt.localeCompare(a.createdAt);
-    return b.cid.localeCompare(a.cid);
+    if (a.createdAt !== b.createdAt) return cmp(b.createdAt, a.createdAt);
+    return cmp(b.cid, a.cid);
   });
   return tips[0] ?? { cid: "", createdAt: "" };
 };
@@ -763,14 +896,18 @@ var ingestOperations = async (tokens, store, options) => {
           result = await ingestPublicCredential(op.jwsToken, store, logEnabled);
           break;
         default:
-          result = { cid: "", status: "rejected", error: "unrecognized operation type" };
+          result = {
+            cid: await computeOpCID(op.jwsToken),
+            status: "rejected",
+            error: "unrecognized operation type"
+          };
       }
       indexedResults.push({ index: op.originalIndex, result });
     } catch (err) {
       const message = err instanceof Error ? err.message : "unexpected error";
       indexedResults.push({
         index: op.originalIndex,
-        result: { cid: "", status: "rejected", error: message }
+        result: { cid: await computeOpCID(op.jwsToken), status: "rejected", error: message }
       });
     }
   }
@@ -781,8 +918,28 @@ var ingestOperations = async (tokens, store, options) => {
 var bootstrapRelayIdentity = async (store) => {
   const keypair = createNewEd25519Keypair();
   const keyId = generateId("key");
-  const multibase = encodeEd25519Multikey(keypair.publicKey);
-  const signer = async (msg) => signPayloadEd25519(msg, keypair.privateKey);
+  return bootstrapWithKeyMaterial(store, {
+    privateKey: keypair.privateKey,
+    publicKey: keypair.publicKey,
+    keyId
+  });
+};
+var bootstrapRelayIdentityFromKey = async (store, params) => {
+  const { publicKey } = importEd25519Keypair(params.privateKey);
+  return bootstrapWithKeyMaterial(store, {
+    privateKey: params.privateKey,
+    publicKey,
+    keyId: params.keyId,
+    ...params.name !== void 0 ? { name: params.name } : {},
+    ...params.createdAt !== void 0 ? { createdAt: params.createdAt } : {}
+  });
+};
+var bootstrapWithKeyMaterial = async (store, params) => {
+  const { privateKey, publicKey, keyId } = params;
+  const name = params.name ?? "DFOS Relay";
+  const createdAt = params.createdAt ?? (/* @__PURE__ */ new Date()).toISOString();
+  const multibase = encodeEd25519Multikey(publicKey);
+  const signer = async (msg) => signPayloadEd25519(msg, privateKey);
   const key = { id: keyId, type: "Multikey", publicKeyMultibase: multibase };
   const identityOp = {
     version: 1,
@@ -790,7 +947,7 @@ var bootstrapRelayIdentity = async (store) => {
     authKeys: [key],
     assertKeys: [key],
     controllerKeys: [key],
-    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+    createdAt
   };
   const { jwsToken: identityJws } = await signIdentityOperation({
     operation: identityOp,
@@ -808,9 +965,9 @@ var bootstrapRelayIdentity = async (store) => {
     did,
     content: {
       $schema: "https://schemas.dfos.com/profile/v1",
-      name: "DFOS Relay"
+      name
     },
-    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+    createdAt
   };
   const kid = `${did}#${keyId}`;
   const { jwsToken: profileArtifactJws } = await signArtifact({
@@ -865,11 +1022,16 @@ var createHttpPeerClient = () => {
     },
     async submitOperations(peerUrl, operations) {
       try {
-        await fetch(new URL("/operations", peerUrl).toString(), {
+        const res = await fetch(new URL("/operations", peerUrl).toString(), {
           method: "POST",
           headers: { "Content-Type": "application/json" },
           body: JSON.stringify({ operations })
         });
+        if (!res.ok) {
+          console.warn(
+            `gossip submitOperations to ${peerUrl} returned ${res.status} (${operations.length} ops dropped)`
+          );
+        }
       } catch {
       }
     }
@@ -878,7 +1040,7 @@ var createHttpPeerClient = () => {
 
 // src/relay.ts
 import { createRequire } from "module";
-import { dagCborCanonicalEncode as dagCborCanonicalEncode3, decodeJwsUnsafe as decodeJwsUnsafe4 } from "@metalabel/dfos-protocol/crypto";
+import { dagCborCanonicalEncode as dagCborCanonicalEncode2, decodeJwsUnsafe as decodeJwsUnsafe3 } from "@metalabel/dfos-protocol/crypto";
 import { Hono } from "hono";
 import { z } from "zod";
 
@@ -890,7 +1052,8 @@ import {
   verifyDFOSCredential as verifyDFOSCredential2
 } from "@metalabel/dfos-protocol/credentials";
 import { decodeJwsUnsafe as decodeJwsUnsafe2 } from "@metalabel/dfos-protocol/crypto";
-var authenticateRequest = async (authHeader, relayDID, store) => {
+var DEFAULT_MAX_AUTH_TOKEN_TTL_SECONDS = 86400;
+var authenticateRequest = async (authHeader, relayDID, store, maxAuthTokenTTLSeconds = DEFAULT_MAX_AUTH_TOKEN_TTL_SECONDS) => {
   if (!authHeader) return null;
   if (!authHeader.startsWith("Bearer ")) return null;
   const token = authHeader.substring(7);
@@ -907,7 +1070,11 @@ var authenticateRequest = async (authHeader, relayDID, store) => {
     return null;
   }
   try {
-    return verifyAuthToken({ token, publicKey, audience: relayDID });
+    const verified = verifyAuthToken({ token, publicKey, audience: relayDID });
+    if (maxAuthTokenTTLSeconds > 0 && verified.exp - verified.iat > maxAuthTokenTTLSeconds) {
+      return null;
+    }
+    return verified;
   } catch {
     return null;
   }
@@ -986,22 +1153,7 @@ var verifyContentAccess = async (options) => {
 };
 
 // src/sequencer.ts
-import { dagCborCanonicalEncode as dagCborCanonicalEncode2, decodeJwsUnsafe as decodeJwsUnsafe3 } from "@metalabel/dfos-protocol/crypto";
-var isDependencyFailure = (error) => {
-  const patterns = [
-    "unknown previous operation",
-    "unknown identity:",
-    "content chain not found:",
-    "failed to compute state at fork point:"
-  ];
-  return patterns.some((p) => error.includes(p));
-};
-var computeOpCID = async (jwsToken) => {
-  const decoded = decodeJwsUnsafe3(jwsToken);
-  if (!decoded) return void 0;
-  const encoded = await dagCborCanonicalEncode2(decoded.payload);
-  return encoded.cid.toString();
-};
+var isDependencyFailure = (res) => res.dependencyMissing === true;
 var sequenceOps = async (store) => {
   const newOps = [];
   const result = { sequenced: 0, rejected: 0, pending: 0 };
@@ -1022,7 +1174,7 @@ var sequenceOps = async (store) => {
       } else if (res.status === "duplicate") {
         sequencedCIDs.push(res.cid);
         progress = true;
-      } else if (res.status === "rejected" && !isDependencyFailure(res.error ?? "")) {
+      } else if (res.status === "rejected" && !isDependencyFailure(res)) {
         await store.markOpRejected(res.cid, res.error ?? "unknown");
         result.rejected++;
         progress = true;
@@ -1041,13 +1193,37 @@ var sequenceOps = async (store) => {
 // src/relay.ts
 var require2 = createRequire(import.meta.url);
 var { version: RELAY_VERSION } = require2("../package.json");
+var MAX_OPERATIONS_PER_BATCH = 100;
 var IngestBody = z.object({
-  operations: z.array(z.string()).min(1).max(100)
+  operations: z.array(z.string()).min(1).max(MAX_OPERATIONS_PER_BATCH)
 });
+var MAX_GOSSIP_BATCH = MAX_OPERATIONS_PER_BATCH;
+var chunkOps = (items, size) => {
+  const chunks = [];
+  for (let start = 0; start < items.length; start += size) {
+    chunks.push(items.slice(start, start + size));
+  }
+  return chunks;
+};
+var MAX_BODY_BYTES = 16 << 20;
+var exceedsBodyCap = (contentLength) => {
+  if (!contentLength) return false;
+  const n = Number(contentLength);
+  return Number.isFinite(n) && n > MAX_BODY_BYTES;
+};
+var parseLimit = (raw, defaultLimit, maxLimit) => {
+  if (raw === void 0 || raw === "") return defaultLimit;
+  if (!/^-?\d+$/.test(raw)) return defaultLimit;
+  const n = Number(raw);
+  if (!Number.isSafeInteger(n) || n < 1) return defaultLimit;
+  if (n > maxLimit) return maxLimit;
+  return n;
+};
 var createRelay = async (options) => {
   const { store } = options;
   const contentEnabled = options.content !== false;
   const logEnabled = options.log !== false;
+  const maxAuthTokenTTLSeconds = options.maxAuthTokenTTLSeconds ?? DEFAULT_MAX_AUTH_TOKEN_TTL_SECONDS;
   const peers = options.peers ?? [];
   const peerClient = options.peerClient;
   const gossipPeers = peers.filter((p) => p.gossip !== false);
@@ -1059,8 +1235,10 @@ var createRelay = async (options) => {
   const gossip = (ops) => {
     if (ops.length === 0 || gossipPeers.length === 0 || !peerClient) return;
     for (const peer of gossipPeers) {
-      peerClient.submitOperations(peer.url, ops).catch(() => {
-      });
+      for (const chunk of chunkOps(ops, MAX_GOSSIP_BATCH)) {
+        peerClient.submitOperations(peer.url, chunk).catch(() => {
+        });
+      }
     }
   };
   const ingestWithGossip = async (tokens) => {
@@ -1086,6 +1264,20 @@ var createRelay = async (options) => {
     return results;
   };
   const app = new Hono();
+  app.use("*", async (c, next) => {
+    if (c.req.method === "OPTIONS") {
+      return c.body(null, 204, {
+        "Access-Control-Allow-Origin": "*",
+        "Access-Control-Allow-Methods": "GET, POST, PUT, OPTIONS",
+        "Access-Control-Allow-Headers": "Content-Type, Authorization"
+      });
+    }
+    await next();
+    c.res.headers.set("Access-Control-Allow-Origin", "*");
+    c.res.headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, OPTIONS");
+    c.res.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization");
+    return;
+  });
   app.get("/.well-known/dfos-relay", (c) => {
     return c.json({
       did: relayDID,
@@ -1101,6 +1293,9 @@ var createRelay = async (options) => {
     });
   });
   app.post("/operations", async (c) => {
+    if (exceedsBodyCap(c.req.header("content-length"))) {
+      return c.json({ error: "request body too large" }, 413);
+    }
     let body;
     try {
       body = await c.req.json();
@@ -1130,9 +1325,9 @@ var createRelay = async (options) => {
     const chain = await store.getIdentityChain(did);
     if (!chain) return c.json({ error: "not found" }, 404);
     const after = c.req.query("after");
-    const limit = Math.min(Number(c.req.query("limit") || 100), 1e3);
+    const limit = parseLimit(c.req.query("limit"), 100, 1e3);
     const entries = chain.log.map((jws) => {
-      const decoded = decodeJwsUnsafe4(jws);
+      const decoded = decodeJwsUnsafe3(jws);
       return { cid: decoded?.header.cid || "", jwsToken: jws };
     });
     let startIdx = 0;
@@ -1176,9 +1371,9 @@ var createRelay = async (options) => {
     const chain = await store.getContentChain(contentId);
     if (!chain) return c.json({ error: "not found" }, 404);
     const after = c.req.query("after");
-    const limit = Math.min(Number(c.req.query("limit") || 100), 1e3);
+    const limit = parseLimit(c.req.query("limit"), 100, 1e3);
     const entries = chain.log.map((jws) => {
-      const decoded = decodeJwsUnsafe4(jws);
+      const decoded = decodeJwsUnsafe3(jws);
       return { cid: decoded?.header.cid || "", jwsToken: jws };
     });
     let startIdx = 0;
@@ -1197,7 +1392,12 @@ var createRelay = async (options) => {
     if (!chain) return c.json({ error: "not found" }, 404);
     const publicAccess = await hasPublicStandingAuth(contentId, "read", store);
     if (!publicAccess) {
-      const auth = await authenticateRequest(c.req.header("authorization"), relayDID, store);
+      const auth = await authenticateRequest(
+        c.req.header("authorization"),
+        relayDID,
+        store,
+        maxAuthTokenTTLSeconds
+      );
       if (!auth) return c.json({ error: "authentication required" }, 401);
       const accessError = await verifyReadAccess(
         auth,
@@ -1209,7 +1409,7 @@ var createRelay = async (options) => {
       if (accessError) return accessError;
     }
     const after = c.req.query("after");
-    const limit = Math.min(Number(c.req.query("limit") || 100), 1e3);
+    const limit = parseLimit(c.req.query("limit"), 100, 1e3);
     const result = await store.getDocuments(contentId, {
       ...after ? { after } : {},
       limit
@@ -1281,7 +1481,7 @@ var createRelay = async (options) => {
   app.get("/log", async (c) => {
     if (!logEnabled) return c.json({ error: "global log not available" }, 501);
     const afterParam = c.req.query("after");
-    const limit = Math.min(Number(c.req.query("limit") || 100), 1e3);
+    const limit = parseLimit(c.req.query("limit"), 100, 1e3);
     const result = await store.readLog(afterParam ? { after: afterParam, limit } : { limit });
     return c.json(result);
   });
@@ -1289,14 +1489,22 @@ var createRelay = async (options) => {
     if (!contentEnabled) return c.json({ error: "content plane not available" }, 501);
     const contentId = c.req.param("contentId");
     const operationCID = c.req.param("operationCID");
-    const auth = await authenticateRequest(c.req.header("authorization"), relayDID, store);
+    if (exceedsBodyCap(c.req.header("content-length"))) {
+      return c.json({ error: "request body too large" }, 413);
+    }
+    const auth = await authenticateRequest(
+      c.req.header("authorization"),
+      relayDID,
+      store,
+      maxAuthTokenTTLSeconds
+    );
     if (!auth) return c.json({ error: "authentication required" }, 401);
     const chain = await store.getContentChain(contentId);
     if (!chain) return c.json({ error: "content chain not found" }, 404);
     let documentCID = null;
     let operationSignerDID = null;
     for (const token of chain.log) {
-      const decoded = decodeJwsUnsafe4(token);
+      const decoded = decodeJwsUnsafe3(token);
       if (!decoded) continue;
       if (decoded.header.cid !== operationCID) continue;
       const payload = decoded.payload;
@@ -1311,9 +1519,12 @@ var createRelay = async (options) => {
       return c.json({ error: "not authorized \u2014 must be chain creator or operation signer" }, 403);
     }
     const bytes = new Uint8Array(await c.req.arrayBuffer());
+    if (bytes.byteLength > MAX_BODY_BYTES) {
+      return c.json({ error: "request body too large" }, 413);
+    }
     try {
       const parsed = JSON.parse(new TextDecoder().decode(bytes));
-      const encoded = await dagCborCanonicalEncode3(parsed);
+      const encoded = await dagCborCanonicalEncode2(parsed);
       if (encoded.cid.toString() !== documentCID) {
         return c.json({ error: "blob bytes do not match documentCID" }, 400);
       }
@@ -1331,7 +1542,8 @@ var createRelay = async (options) => {
       authHeader: c.req.header("authorization"),
       credHeader: c.req.header("x-credential"),
       relayDID,
-      store
+      store,
+      maxAuthTokenTTLSeconds
     });
   });
   app.get("/content/:contentId/blob/:ref", async (c) => {
@@ -1342,20 +1554,24 @@ var createRelay = async (options) => {
       authHeader: c.req.header("authorization"),
       credHeader: c.req.header("x-credential"),
       relayDID,
-      store
+      store,
+      maxAuthTokenTTLSeconds
     });
   });
+  const maxOpsPerSyncCycle = 5e3;
   const syncFromPeers = async () => {
     if (!peerClient) return;
     for (const peer of syncPeers) {
       let cursor = await store.getPeerCursor(peer.url);
-      while (true) {
+      let fetched = 0;
+      while (fetched < maxOpsPerSyncCycle) {
         const page = await peerClient.getOperationLog(peer.url, {
           ...cursor ? { after: cursor } : {},
           limit: 1e3
         });
         if (!page || page.entries.length === 0) break;
         await ingestWithGossip(page.entries.map((e) => e.jwsToken));
+        fetched += page.entries.length;
         cursor = page.cursor ?? page.entries[page.entries.length - 1].cid;
         await store.setPeerCursor(peer.url, cursor);
         if (!page.cursor) break;
@@ -1369,12 +1585,12 @@ var jsonResponse = (body, status = 200) => new Response(JSON.stringify(body), {
   headers: { "content-type": "application/json" }
 });
 var readBlob = async (params) => {
-  const { contentId, ref, authHeader, credHeader, relayDID, store } = params;
+  const { contentId, ref, authHeader, credHeader, relayDID, store, maxAuthTokenTTLSeconds } = params;
   const chain = await store.getContentChain(contentId);
   if (!chain) return jsonResponse({ error: "content chain not found" }, 404);
   const publicAccess = await hasPublicStandingAuth(contentId, "read", store);
   if (!publicAccess) {
-    const auth = await authenticateRequest(authHeader, relayDID, store);
+    const auth = await authenticateRequest(authHeader, relayDID, store, maxAuthTokenTTLSeconds);
     if (!auth) return jsonResponse({ error: "authentication required" }, 401);
     const credError = await verifyReadAccess(auth, chain, contentId, credHeader, store);
     if (credError) return credError;
@@ -1385,7 +1601,7 @@ var readBlob = async (params) => {
     documentCID = chain.state.currentDocumentCID;
   } else {
     for (const token of chain.log) {
-      const decoded = decodeJwsUnsafe4(token);
+      const decoded = decodeJwsUnsafe3(token);
       if (!decoded) continue;
       if (decoded.header.cid === ref) {
         operationFound = true;
@@ -1421,7 +1637,7 @@ var verifyReadAccess = async (auth, chain, contentId, credHeader, store) => {
 
 // src/store.ts
 import { verifyContentChain as verifyContentChain2, verifyIdentityChain as verifyIdentityChain2 } from "@metalabel/dfos-protocol/chain";
-import { decodeJwsUnsafe as decodeJwsUnsafe5 } from "@metalabel/dfos-protocol/crypto";
+import { decodeJwsUnsafe as decodeJwsUnsafe4 } from "@metalabel/dfos-protocol/crypto";
 var blobKeyString = (key) => `${key.creatorDID}::${key.documentCID}`;
 var MemoryRelayStore = class {
   operations = /* @__PURE__ */ new Map();
@@ -1471,12 +1687,12 @@ var MemoryRelayStore = class {
   }
   async addCountersignature(operationCID, jwsToken) {
     const existing = this.countersignatures.get(operationCID) ?? [];
-    const decoded = decodeJwsUnsafe5(jwsToken);
+    const decoded = decodeJwsUnsafe4(jwsToken);
     if (decoded) {
       const kid = decoded.header.kid;
       const witnessDID = kid.includes("#") ? kid.split("#")[0] : kid;
       for (const cs of existing) {
-        const d = decodeJwsUnsafe5(cs);
+        const d = decodeJwsUnsafe4(cs);
         if (!d) continue;
         const existingKid = d.header.kid;
         const existingDID = existingKid.includes("#") ? existingKid.split("#")[0] : existingKid;
@@ -1531,7 +1747,7 @@ var MemoryRelayStore = class {
     if (!chain) return { documents: [], cursor: null };
     const entries = [];
     for (const jws of chain.log) {
-      const decoded = decodeJwsUnsafe5(jws);
+      const decoded = decodeJwsUnsafe4(jws);
       if (!decoded) continue;
       const payload = decoded.payload;
       const cid = typeof decoded.header.cid === "string" ? decoded.header.cid : "";
@@ -1593,7 +1809,7 @@ var MemoryRelayStore = class {
     if (!chain) return null;
     const opsByCID = /* @__PURE__ */ new Map();
     for (const jws of chain.log) {
-      const decoded = decodeJwsUnsafe5(jws);
+      const decoded = decodeJwsUnsafe4(jws);
       if (!decoded) continue;
       const payload = decoded.payload;
       const opCID = typeof decoded.header.cid === "string" ? decoded.header.cid : "";
@@ -1610,7 +1826,7 @@ var MemoryRelayStore = class {
       currentCID = op.previousCID;
     }
     const identity = await verifyIdentityChain2({ didPrefix: "did:dfos", log: path });
-    const targetDecoded = decodeJwsUnsafe5(opsByCID.get(cid).jws);
+    const targetDecoded = decodeJwsUnsafe4(opsByCID.get(cid).jws);
     const lastCreatedAt = typeof targetDecoded?.payload?.["createdAt"] === "string" ? (targetDecoded?.payload)["createdAt"] : "";
     return { state: identity, lastCreatedAt };
   }
@@ -1619,7 +1835,7 @@ var MemoryRelayStore = class {
     if (!chain) return null;
     const opsByCID = /* @__PURE__ */ new Map();
     for (const jws of chain.log) {
-      const decoded = decodeJwsUnsafe5(jws);
+      const decoded = decodeJwsUnsafe4(jws);
       if (!decoded) continue;
       const payload = decoded.payload;
       const opCID = typeof decoded.header.cid === "string" ? decoded.header.cid : "";
@@ -1646,7 +1862,7 @@ var MemoryRelayStore = class {
       enforceAuthorization: true,
       resolveIdentity
     });
-    const targetDecoded = decodeJwsUnsafe5(opsByCID.get(cid).jws);
+    const targetDecoded = decodeJwsUnsafe4(opsByCID.get(cid).jws);
     const lastCreatedAt = typeof targetDecoded?.payload?.["createdAt"] === "string" ? (targetDecoded?.payload)["createdAt"] : "";
     return { state: content, lastCreatedAt };
   }
@@ -1680,8 +1896,7 @@ var MemoryRelayStore = class {
     }
   }
   async markOpRejected(cid, _reason) {
-    const entry = this.rawOps.get(cid);
-    if (entry) entry.status = "rejected";
+    this.rawOps.delete(cid);
   }
   async countUnsequenced() {
     let count = 0;
@@ -1699,6 +1914,8 @@ var MemoryRelayStore = class {
 export {
   MemoryRelayStore,
   bootstrapRelayIdentity,
+  bootstrapRelayIdentityFromKey,
+  chunkOps,
   computeOpCID,
   createCurrentKeyResolver,
   createHistoricalIdentityResolver,

package/dist/serve.js

@@ -1,11 +1,38 @@
 // src/serve.ts
 import { createServer } from "http";
+var MAX_STREAM_BODY_BYTES = (16 << 20) + (1 << 20);
 var serve = (app, options = {}) => {
   const { port = 4444, hostname } = options;
   const server = createServer(async (req, res) => {
     const url = new URL(req.url ?? "/", `http://${hostname ?? "localhost"}:${port}`);
+    const reject413 = () => {
+      if (res.headersSent) return;
+      res.writeHead(413, {
+        "content-type": "application/json",
+        connection: "close"
+      });
+      res.end(JSON.stringify({ error: "request body too large" }));
+    };
+    const declaredLength = Number(req.headers["content-length"]);
+    if (Number.isFinite(declaredLength) && declaredLength > MAX_STREAM_BODY_BYTES) {
+      reject413();
+      return;
+    }
     const chunks = [];
-    for await (const chunk of req) chunks.push(chunk);
+    let total = 0;
+    let aborted = false;
+    for await (const chunk of req) {
+      total += chunk.length;
+      if (total > MAX_STREAM_BODY_BYTES) {
+        aborted = true;
+        break;
+      }
+      chunks.push(chunk);
+    }
+    if (aborted) {
+      reject413();
+      return;
+    }
     const body = Buffer.concat(chunks);
     const headers = new Headers();
     for (const [k, v] of Object.entries(req.headers)) {

package/openapi.yaml

@@ -1,7 +1,7 @@
 openapi: 3.1.0
 info:
   title: DFOS Web Relay
-  version: 0.1.0
+  version: 0.9.0
   description: |
     HTTP relay for the DFOS protocol. Receives, verifies, stores, and serves
     identity chains, content chains, beacons, countersignatures, and content blobs.
@@ -185,7 +185,7 @@ paths:
           required: true
           schema:
             type: string
-          description: Content identifier (22-char hash)
+          description: Content identifier (31-char hash)
       responses:
         '200':
           description: Content chain state and log
@@ -416,6 +416,70 @@ paths:
         '501':
           description: Documents capability not enabled
 
+  /log:
+    get:
+      operationId: getLog
+      summary: Paginated global log of all accepted operations
+      description: |
+        Returns every operation the relay has accepted — across all identity and
+        content chains, plus beacons and countersignatures — in acceptance order.
+        Cursor-based pagination. Used by peer relays to background-sync. Available
+        only when the relay advertises the `log` capability; otherwise returns 501.
+      tags: [Proof Plane]
+      parameters:
+        - name: after
+          in: query
+          required: false
+          schema:
+            type: string
+          description: CID cursor — start after this operation CID
+        - name: limit
+          in: query
+          required: false
+          schema:
+            type: integer
+            default: 100
+            maximum: 1000
+      responses:
+        '200':
+          description: Global log entries
+          content:
+            application/json:
+              schema:
+                type: object
+                required: [entries, cursor]
+                properties:
+                  entries:
+                    type: array
+                    items:
+                      type: object
+                      required: [cid, jwsToken, kind, chainId]
+                      properties:
+                        cid:
+                          type: string
+                        jwsToken:
+                          type: string
+                        kind:
+                          type: string
+                          enum:
+                            [
+                              identity-op,
+                              content-op,
+                              beacon,
+                              artifact,
+                              countersign,
+                              revocation,
+                              credential,
+                            ]
+                        chainId:
+                          type: string
+                          description: Chain identifier (DID or contentId)
+                  cursor:
+                    type: string
+                    nullable: true
+        '501':
+          description: Global log capability not enabled
+
   /identities/{did}/log:
     get:
       operationId: getIdentityLog
@@ -483,7 +547,7 @@ paths:
           required: true
           schema:
             type: string
-          description: Content identifier (22-char hash)
+          description: Content identifier (31-char hash)
         - name: after
           in: query
           required: false

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@metalabel/dfos-web-relay",
-  "version": "0.9.0",
+  "version": "0.10.0",
   "type": "module",
   "description": "DFOS Web Relay — verifying HTTP relay for identity chains, content chains, beacons, and content blobs",
   "license": "MIT",
@@ -41,18 +41,18 @@
     "README.md"
   ],
   "dependencies": {
-    "hono": "^4.12.9",
-    "zod": "^4.3.6"
+    "hono": "^4.12.23",
+    "zod": "^4.4.3"
   },
   "peerDependencies": {
-    "@metalabel/dfos-protocol": "^0.6.0"
+    "@metalabel/dfos-protocol": "^0.10.0"
   },
   "devDependencies": {
     "@types/node": "^24.10.4",
     "tsup": "^8.5.1",
-    "tsx": "^4.20.3",
-    "vitest": "^4.1.2",
-    "@metalabel/dfos-protocol": "0.9.0"
+    "tsx": "^4.22.4",
+    "vitest": "^4.1.8",
+    "@metalabel/dfos-protocol": "0.10.0"
   },
   "scripts": {
     "build": "tsup",