npm - @metalabel/dfos-web-relay - Versions diffs - 0.9.0 → 0.11.0 - Mend

@metalabel/dfos-web-relay 0.9.0 → 0.11.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.js CHANGED Viewed

@@ -7,6 +7,7 @@ import {
 import {
   createNewEd25519Keypair,
   generateId,
+  importEd25519Keypair,
   signPayloadEd25519
 } from "@metalabel/dfos-protocol/crypto";
@@ -14,7 +15,6 @@ import {
 import {
   decodeMultikey,
   verifyArtifact,
-  verifyBeacon,
   verifyContentChain,
   verifyContentExtensionFromTrustedState,
   verifyCountersignature,
@@ -26,6 +26,16 @@ import {
   verifyDFOSCredential
 } from "@metalabel/dfos-protocol/credentials";
 import { dagCborCanonicalEncode, decodeJwsUnsafe } from "@metalabel/dfos-protocol/crypto";
+var FORK_POINT_STATE_ERROR_PREFIX = "failed to compute state at fork point: ";
+var DEPENDENCY_FAILURE_SUBSTRINGS = ["unknown identity:", "unknown key "];
+var isKeyResolutionFailure = (message) => DEPENDENCY_FAILURE_SUBSTRINGS.some((s) => message.includes(s));
+var isCredentialDependencyFailure = (message) => message.includes("issuer identity not found:") || message.includes(" not found on identity ");
+var computeOpCID = async (jwsToken) => {
+  const decoded = decodeJwsUnsafe(jwsToken);
+  if (!decoded) return "";
+  const encoded = await dagCborCanonicalEncode(decoded.payload);
+  return encoded.cid.toString();
+};
 var MAX_FUTURE_TIMESTAMP_MS = 24 * 60 * 60 * 1e3;
 var isFutureTimestamp = (createdAt) => {
   const ts = new Date(createdAt).getTime();
@@ -60,17 +70,6 @@ var classify = (jwsToken) => {
     const opDID = typeof payload["did"] === "string" ? payload["did"] : null;
     return { ...base, kind: "content-op", referencedDID: null, signerDID: opDID, priority: 2 };
   }
-  if (typ === "did:dfos:beacon") {
-    const beaconDID = typeof payload["did"] === "string" ? payload["did"] : null;
-    return {
-      ...base,
-      kind: "beacon",
-      referencedDID: beaconDID,
-      signerDID: null,
-      priority: 1,
-      previousCID: null
-    };
-  }
   if (typ === "did:dfos:countersign") {
     const witnessDID = typeof payload["did"] === "string" ? payload["did"] : null;
     return {
@@ -91,7 +90,7 @@ var classify = (jwsToken) => {
       referencedDID: artifactDID,
       signerDID: null,
       priority: 1,
-      // same as beacons — needs identity keys resolved first
+      // needs identity keys resolved first
       previousCID: null
     };
   }
@@ -103,7 +102,7 @@ var classify = (jwsToken) => {
       referencedDID: revocationDID,
       signerDID: null,
       priority: 1,
-      // same as beacons — needs identity keys to verify
+      // needs identity keys to verify
       previousCID: null
     };
   }
@@ -231,7 +230,13 @@ var ingestIdentityOp = async (jwsToken, store, logEnabled) => {
   const opType = payload["type"];
   const isGenesis = opType === "create";
   if (isGenesis) {
-    const identity = await verifyIdentityChain({ didPrefix: "did:dfos", log: [jwsToken] });
+    let identity;
+    try {
+      identity = await verifyIdentityChain({ didPrefix: "did:dfos", log: [jwsToken] });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "verification failed";
+      return { cid, status: "rejected", error: message };
+    }
     const createdAt = payload["createdAt"];
     const chain2 = {
       did: identity.did,
@@ -252,15 +257,27 @@ var ingestIdentityOp = async (jwsToken, store, logEnabled) => {
   if (hashIdx < 0) return { cid, status: "rejected", error: "non-genesis kid must be a DID URL" };
   const did = kid.substring(0, hashIdx);
   const chain = await store.getIdentityChain(did);
-  if (!chain) return { cid, status: "rejected", error: `unknown identity: ${did}` };
+  if (!chain)
+    return {
+      cid,
+      status: "rejected",
+      error: `unknown identity: ${did}`,
+      dependencyMissing: true
+    };
   const previousCID = typeof payload["previousOperationCID"] === "string" ? payload["previousOperationCID"] : null;
   if (previousCID === chain.headCID) {
-    const extResult2 = await verifyIdentityExtensionFromTrustedState({
-      currentState: chain.state,
-      headCID: chain.headCID,
-      lastCreatedAt: chain.lastCreatedAt,
-      newOp: jwsToken
-    });
+    let extResult2;
+    try {
+      extResult2 = await verifyIdentityExtensionFromTrustedState({
+        currentState: chain.state,
+        headCID: chain.headCID,
+        lastCreatedAt: chain.lastCreatedAt,
+        newOp: jwsToken
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "verification failed";
+      return { cid, status: "rejected", error: message };
+    }
     const updated2 = {
       did: chain.did,
       log: [...chain.log, jwsToken],
@@ -276,18 +293,34 @@ var ingestIdentityOp = async (jwsToken, store, logEnabled) => {
     return { cid, status: "new", kind: "identity-op", chainId: did };
   }
   if (!previousCID || !chainLogContainsCID(chain.log, previousCID)) {
-    return { cid, status: "rejected", error: "unknown previous operation in identity chain" };
+    return {
+      cid,
+      status: "rejected",
+      error: "unknown previous operation in identity chain",
+      dependencyMissing: true
+    };
   }
   const forkState = await store.getIdentityStateAtCID(did, previousCID);
   if (!forkState) {
-    return { cid, status: "rejected", error: "failed to compute state at fork point" };
+    return {
+      cid,
+      status: "rejected",
+      error: `${FORK_POINT_STATE_ERROR_PREFIX}${previousCID}`,
+      dependencyMissing: true
+    };
+  }
+  let extResult;
+  try {
+    extResult = await verifyIdentityExtensionFromTrustedState({
+      currentState: forkState.state,
+      headCID: previousCID,
+      lastCreatedAt: forkState.lastCreatedAt,
+      newOp: jwsToken
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "verification failed";
+    return { cid, status: "rejected", error: message };
   }
-  const extResult = await verifyIdentityExtensionFromTrustedState({
-    currentState: forkState.state,
-    headCID: previousCID,
-    lastCreatedAt: forkState.lastCreatedAt,
-    newOp: jwsToken
-  });
   const updatedLog = [...chain.log, jwsToken];
   const head = selectDeterministicHead(updatedLog);
   let headState = chain.state;
@@ -345,15 +378,28 @@ var ingestContentOp = async (jwsToken, store, logEnabled) => {
   }
   const resolveKey = createKeyResolver(store);
   const resolveIdentity = createHistoricalIdentityResolver(store);
+  const isRevoked = (issuerDID, credentialCID) => store.isCredentialRevoked(issuerDID, credentialCID);
   const opType = payload["type"];
   const isGenesis = opType === "create";
   if (isGenesis) {
-    const content = await verifyContentChain({
-      log: [jwsToken],
-      resolveKey,
-      enforceAuthorization: true,
-      resolveIdentity
-    });
+    let content;
+    try {
+      content = await verifyContentChain({
+        log: [jwsToken],
+        resolveKey,
+        enforceAuthorization: true,
+        resolveIdentity,
+        isRevoked
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "verification failed";
+      return {
+        cid,
+        status: "rejected",
+        error: message,
+        dependencyMissing: isKeyResolutionFailure(message)
+      };
+    }
     const createdAt = payload["createdAt"];
     const chain2 = {
       contentId: content.contentId,
@@ -375,26 +421,48 @@ var ingestContentOp = async (jwsToken, store, logEnabled) => {
   }
   const prevOp = await store.getOperation(previousCID);
   if (!prevOp)
-    return { cid, status: "rejected", error: `unknown previous operation: ${previousCID}` };
+    return {
+      cid,
+      status: "rejected",
+      error: `unknown previous operation: ${previousCID}`,
+      dependencyMissing: true
+    };
   if (prevOp.chainType !== "content") {
     return { cid, status: "rejected", error: "previousOperationCID is not a content operation" };
   }
   const chain = await store.getContentChain(prevOp.chainId);
   if (!chain)
-    return { cid, status: "rejected", error: `content chain not found: ${prevOp.chainId}` };
+    return {
+      cid,
+      status: "rejected",
+      error: `content chain not found: ${prevOp.chainId}`,
+      dependencyMissing: true
+    };
   const creatorIdentity = await store.getIdentityChain(chain.state.creatorDID);
   if (creatorIdentity?.state.isDeleted) {
     return { cid, status: "rejected", error: "content creator identity is deleted" };
   }
   if (chain.state.headCID === previousCID) {
-    const extResult2 = await verifyContentExtensionFromTrustedState({
-      currentState: chain.state,
-      lastCreatedAt: chain.lastCreatedAt,
-      newOp: jwsToken,
-      resolveKey,
-      enforceAuthorization: true,
-      resolveIdentity
-    });
+    let extResult2;
+    try {
+      extResult2 = await verifyContentExtensionFromTrustedState({
+        currentState: chain.state,
+        lastCreatedAt: chain.lastCreatedAt,
+        newOp: jwsToken,
+        resolveKey,
+        enforceAuthorization: true,
+        resolveIdentity,
+        isRevoked
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "verification failed";
+      return {
+        cid,
+        status: "rejected",
+        error: message,
+        dependencyMissing: isKeyResolutionFailure(message)
+      };
+    }
     const updated2 = {
       contentId: chain.contentId,
       genesisCID: chain.genesisCID,
@@ -410,20 +478,42 @@ var ingestContentOp = async (jwsToken, store, logEnabled) => {
     return { cid, status: "new", kind: "content-op", chainId: chain.contentId };
   }
   if (!chainLogContainsCID(chain.log, previousCID)) {
-    return { cid, status: "rejected", error: "unknown previous operation in content chain" };
+    return {
+      cid,
+      status: "rejected",
+      error: "unknown previous operation in content chain",
+      dependencyMissing: true
+    };
   }
   const forkState = await store.getContentStateAtCID(chain.contentId, previousCID);
   if (!forkState) {
-    return { cid, status: "rejected", error: "failed to compute state at fork point" };
-  }
-  const extResult = await verifyContentExtensionFromTrustedState({
-    currentState: forkState.state,
-    lastCreatedAt: forkState.lastCreatedAt,
-    newOp: jwsToken,
-    resolveKey,
-    enforceAuthorization: true,
-    resolveIdentity
-  });
+    return {
+      cid,
+      status: "rejected",
+      error: `${FORK_POINT_STATE_ERROR_PREFIX}${previousCID}`,
+      dependencyMissing: true
+    };
+  }
+  let extResult;
+  try {
+    extResult = await verifyContentExtensionFromTrustedState({
+      currentState: forkState.state,
+      lastCreatedAt: forkState.lastCreatedAt,
+      newOp: jwsToken,
+      resolveKey,
+      enforceAuthorization: true,
+      resolveIdentity,
+      isRevoked
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : "verification failed";
+    return {
+      cid,
+      status: "rejected",
+      error: message,
+      dependencyMissing: isKeyResolutionFailure(message)
+    };
+  }
   const updatedLog = [...chain.log, jwsToken];
   const head = selectDeterministicHead(updatedLog);
   let headState = chain.state;
@@ -446,36 +536,6 @@ var ingestContentOp = async (jwsToken, store, logEnabled) => {
   }
   return { cid, status: "new", kind: "content-op", chainId: chain.contentId };
 };
-var ingestBeacon = async (jwsToken, store, logEnabled) => {
-  const resolveKey = createKeyResolver(store);
-  let verified;
-  try {
-    verified = await verifyBeacon({ jwsToken, resolveKey });
-  } catch (err) {
-    const message = err instanceof Error ? err.message : "verification failed";
-    return { cid: "", status: "rejected", error: message };
-  }
-  const did = verified.did;
-  const cid = verified.beaconCID;
-  const identity = await store.getIdentityChain(did);
-  if (identity?.state.isDeleted) {
-    return { cid, status: "rejected", error: "identity is deleted" };
-  }
-  const existing = await store.getBeacon(did);
-  if (existing) {
-    const existingTime = new Date(existing.state.createdAt).getTime();
-    const newTime = new Date(verified.createdAt).getTime();
-    if (newTime <= existingTime) {
-      return { cid, status: "duplicate", kind: "beacon", chainId: did };
-    }
-  }
-  await store.putBeacon({ did, jwsToken, beaconCID: cid, state: verified });
-  await store.putOperation({ cid, jwsToken, chainType: "beacon", chainId: did });
-  if (logEnabled) {
-    await store.appendToLog({ cid, jwsToken, kind: "beacon", chainId: did });
-  }
-  return { cid, status: "new", kind: "beacon", chainId: did };
-};
 var ingestCountersign = async (jwsToken, store, logEnabled) => {
   const resolveKey = createKeyResolver(store);
   let verified;
@@ -483,7 +543,12 @@ var ingestCountersign = async (jwsToken, store, logEnabled) => {
     verified = await verifyCountersignature({ jwsToken, resolveKey });
   } catch (err) {
     const message = err instanceof Error ? err.message : "verification failed";
-    return { cid: "", status: "rejected", error: message };
+    return {
+      cid: await computeOpCID(jwsToken),
+      status: "rejected",
+      error: message,
+      dependencyMissing: isKeyResolutionFailure(message)
+    };
   }
   const cid = verified.countersignCID;
   const { witnessDID, targetCID } = verified;
@@ -500,7 +565,12 @@ var ingestCountersign = async (jwsToken, store, logEnabled) => {
   }
   const targetOp = await store.getOperation(targetCID);
   if (!targetOp) {
-    return { cid, status: "rejected", error: `unknown target operation: ${targetCID}` };
+    return {
+      cid,
+      status: "rejected",
+      error: `unknown target operation: ${targetCID}`,
+      dependencyMissing: true
+    };
   }
   let targetAuthorDID = null;
   if (targetOp.chainType === "identity") {
@@ -542,7 +612,12 @@ var ingestArtifact = async (jwsToken, store, logEnabled) => {
     verified = await verifyArtifact({ jwsToken, resolveKey });
   } catch (err) {
     const message = err instanceof Error ? err.message : "verification failed";
-    return { cid: "", status: "rejected", error: message };
+    return {
+      cid: await computeOpCID(jwsToken),
+      status: "rejected",
+      error: message,
+      dependencyMissing: isKeyResolutionFailure(message)
+    };
   }
   const cid = verified.artifactCID;
   const did = verified.payload.did;
@@ -574,7 +649,12 @@ var ingestRevocation = async (jwsToken, store, logEnabled) => {
     verified = await verifyRevocation({ jwsToken, resolveKey });
   } catch (err) {
     const message = err instanceof Error ? err.message : "verification failed";
-    return { cid: "", status: "rejected", error: message };
+    return {
+      cid: await computeOpCID(jwsToken),
+      status: "rejected",
+      error: message,
+      dependencyMissing: isKeyResolutionFailure(message)
+    };
   }
   const cid = verified.revocationCID;
   const did = verified.did;
@@ -613,11 +693,16 @@ var ingestPublicCredential = async (jwsToken, store, logEnabled) => {
     verified = await verifyDFOSCredential(jwsToken, { resolveIdentity });
   } catch (err) {
     const message = err instanceof Error ? err.message : "verification failed";
-    return { cid: "", status: "rejected", error: message };
+    return {
+      cid: await computeOpCID(jwsToken),
+      status: "rejected",
+      error: message,
+      dependencyMissing: isCredentialDependencyFailure(message)
+    };
   }
   const cid = verified.credentialCID;
   if (verified.aud !== "*") {
-    return { cid: "", status: "rejected", error: "not a public credential" };
+    return { cid, status: "rejected", error: "not a public credential" };
   }
   const existing = await store.getOperation(cid);
   if (existing) {
@@ -726,9 +811,10 @@ var selectDeterministicHead = (log) => {
     if (previousCID) hasChild.add(previousCID);
   }
   const tips = ops.filter((op) => !hasChild.has(op.cid));
+  const cmp = (x, y) => x < y ? -1 : x > y ? 1 : 0;
   tips.sort((a, b) => {
-    if (a.createdAt !== b.createdAt) return b.createdAt.localeCompare(a.createdAt);
-    return b.cid.localeCompare(a.cid);
+    if (a.createdAt !== b.createdAt) return cmp(b.createdAt, a.createdAt);
+    return cmp(b.cid, a.cid);
   });
   return tips[0] ?? { cid: "", createdAt: "" };
 };
@@ -747,9 +833,6 @@ var ingestOperations = async (tokens, store, options) => {
         case "content-op":
           result = await ingestContentOp(op.jwsToken, store, logEnabled);
           break;
-        case "beacon":
-          result = await ingestBeacon(op.jwsToken, store, logEnabled);
-          break;
         case "countersign":
           result = await ingestCountersign(op.jwsToken, store, logEnabled);
           break;
@@ -763,14 +846,18 @@ var ingestOperations = async (tokens, store, options) => {
           result = await ingestPublicCredential(op.jwsToken, store, logEnabled);
           break;
         default:
-          result = { cid: "", status: "rejected", error: "unrecognized operation type" };
+          result = {
+            cid: await computeOpCID(op.jwsToken),
+            status: "rejected",
+            error: "unrecognized operation type"
+          };
       }
       indexedResults.push({ index: op.originalIndex, result });
     } catch (err) {
       const message = err instanceof Error ? err.message : "unexpected error";
       indexedResults.push({
         index: op.originalIndex,
-        result: { cid: "", status: "rejected", error: message }
+        result: { cid: await computeOpCID(op.jwsToken), status: "rejected", error: message }
       });
     }
   }
@@ -781,8 +868,28 @@ var ingestOperations = async (tokens, store, options) => {
 var bootstrapRelayIdentity = async (store) => {
   const keypair = createNewEd25519Keypair();
   const keyId = generateId("key");
-  const multibase = encodeEd25519Multikey(keypair.publicKey);
-  const signer = async (msg) => signPayloadEd25519(msg, keypair.privateKey);
+  return bootstrapWithKeyMaterial(store, {
+    privateKey: keypair.privateKey,
+    publicKey: keypair.publicKey,
+    keyId
+  });
+};
+var bootstrapRelayIdentityFromKey = async (store, params) => {
+  const { publicKey } = importEd25519Keypair(params.privateKey);
+  return bootstrapWithKeyMaterial(store, {
+    privateKey: params.privateKey,
+    publicKey,
+    keyId: params.keyId,
+    ...params.name !== void 0 ? { name: params.name } : {},
+    ...params.createdAt !== void 0 ? { createdAt: params.createdAt } : {}
+  });
+};
+var bootstrapWithKeyMaterial = async (store, params) => {
+  const { privateKey, publicKey, keyId } = params;
+  const name = params.name ?? "DFOS Relay";
+  const createdAt = params.createdAt ?? (/* @__PURE__ */ new Date()).toISOString();
+  const multibase = encodeEd25519Multikey(publicKey);
+  const signer = async (msg) => signPayloadEd25519(msg, privateKey);
   const key = { id: keyId, type: "Multikey", publicKeyMultibase: multibase };
   const identityOp = {
     version: 1,
@@ -790,7 +897,7 @@ var bootstrapRelayIdentity = async (store) => {
     authKeys: [key],
     assertKeys: [key],
     controllerKeys: [key],
-    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+    createdAt
   };
   const { jwsToken: identityJws } = await signIdentityOperation({
     operation: identityOp,
@@ -808,9 +915,9 @@ var bootstrapRelayIdentity = async (store) => {
     did,
     content: {
       $schema: "https://schemas.dfos.com/profile/v1",
-      name: "DFOS Relay"
+      name
     },
-    createdAt: (/* @__PURE__ */ new Date()).toISOString()
+    createdAt
   };
   const kid = `${did}#${keyId}`;
   const { jwsToken: profileArtifactJws } = await signArtifact({
@@ -865,11 +972,16 @@ var createHttpPeerClient = () => {
     },
     async submitOperations(peerUrl, operations) {
       try {
-        await fetch(new URL("/operations", peerUrl).toString(), {
+        const res = await fetch(new URL("/operations", peerUrl).toString(), {
           method: "POST",
           headers: { "Content-Type": "application/json" },
           body: JSON.stringify({ operations })
         });
+        if (!res.ok) {
+          console.warn(
+            `gossip submitOperations to ${peerUrl} returned ${res.status} (${operations.length} ops dropped)`
+          );
+        }
       } catch {
       }
     }
@@ -878,7 +990,7 @@ var createHttpPeerClient = () => {
 // src/relay.ts
 import { createRequire } from "module";
-import { dagCborCanonicalEncode as dagCborCanonicalEncode3, decodeJwsUnsafe as decodeJwsUnsafe4 } from "@metalabel/dfos-protocol/crypto";
+import { dagCborCanonicalEncode as dagCborCanonicalEncode2, decodeJwsUnsafe as decodeJwsUnsafe3 } from "@metalabel/dfos-protocol/crypto";
 import { Hono } from "hono";
 import { z } from "zod";
@@ -890,7 +1002,8 @@ import {
   verifyDFOSCredential as verifyDFOSCredential2
 } from "@metalabel/dfos-protocol/credentials";
 import { decodeJwsUnsafe as decodeJwsUnsafe2 } from "@metalabel/dfos-protocol/crypto";
-var authenticateRequest = async (authHeader, relayDID, store) => {
+var DEFAULT_MAX_AUTH_TOKEN_TTL_SECONDS = 86400;
+var authenticateRequest = async (authHeader, relayDID, store, maxAuthTokenTTLSeconds = DEFAULT_MAX_AUTH_TOKEN_TTL_SECONDS) => {
   if (!authHeader) return null;
   if (!authHeader.startsWith("Bearer ")) return null;
   const token = authHeader.substring(7);
@@ -907,7 +1020,11 @@ var authenticateRequest = async (authHeader, relayDID, store) => {
     return null;
   }
   try {
-    return verifyAuthToken({ token, publicKey, audience: relayDID });
+    const verified = verifyAuthToken({ token, publicKey, audience: relayDID });
+    if (maxAuthTokenTTLSeconds > 0 && verified.exp - verified.iat > maxAuthTokenTTLSeconds) {
+      return null;
+    }
+    return verified;
   } catch {
     return null;
   }
@@ -986,22 +1103,7 @@ var verifyContentAccess = async (options) => {
 };
 // src/sequencer.ts
-import { dagCborCanonicalEncode as dagCborCanonicalEncode2, decodeJwsUnsafe as decodeJwsUnsafe3 } from "@metalabel/dfos-protocol/crypto";
-var isDependencyFailure = (error) => {
-  const patterns = [
-    "unknown previous operation",
-    "unknown identity:",
-    "content chain not found:",
-    "failed to compute state at fork point:"
-  ];
-  return patterns.some((p) => error.includes(p));
-};
-var computeOpCID = async (jwsToken) => {
-  const decoded = decodeJwsUnsafe3(jwsToken);
-  if (!decoded) return void 0;
-  const encoded = await dagCborCanonicalEncode2(decoded.payload);
-  return encoded.cid.toString();
-};
+var isDependencyFailure = (res) => res.dependencyMissing === true;
 var sequenceOps = async (store) => {
   const newOps = [];
   const result = { sequenced: 0, rejected: 0, pending: 0 };
@@ -1022,7 +1124,7 @@ var sequenceOps = async (store) => {
       } else if (res.status === "duplicate") {
         sequencedCIDs.push(res.cid);
         progress = true;
-      } else if (res.status === "rejected" && !isDependencyFailure(res.error ?? "")) {
+      } else if (res.status === "rejected" && !isDependencyFailure(res)) {
         await store.markOpRejected(res.cid, res.error ?? "unknown");
         result.rejected++;
         progress = true;
@@ -1041,13 +1143,37 @@ var sequenceOps = async (store) => {
 // src/relay.ts
 var require2 = createRequire(import.meta.url);
 var { version: RELAY_VERSION } = require2("../package.json");
+var MAX_OPERATIONS_PER_BATCH = 100;
 var IngestBody = z.object({
-  operations: z.array(z.string()).min(1).max(100)
+  operations: z.array(z.string()).min(1).max(MAX_OPERATIONS_PER_BATCH)
 });
+var MAX_GOSSIP_BATCH = MAX_OPERATIONS_PER_BATCH;
+var chunkOps = (items, size) => {
+  const chunks = [];
+  for (let start = 0; start < items.length; start += size) {
+    chunks.push(items.slice(start, start + size));
+  }
+  return chunks;
+};
+var MAX_BODY_BYTES = 16 << 20;
+var exceedsBodyCap = (contentLength) => {
+  if (!contentLength) return false;
+  const n = Number(contentLength);
+  return Number.isFinite(n) && n > MAX_BODY_BYTES;
+};
+var parseLimit = (raw, defaultLimit, maxLimit) => {
+  if (raw === void 0 || raw === "") return defaultLimit;
+  if (!/^-?\d+$/.test(raw)) return defaultLimit;
+  const n = Number(raw);
+  if (!Number.isSafeInteger(n) || n < 1) return defaultLimit;
+  if (n > maxLimit) return maxLimit;
+  return n;
+};
 var createRelay = async (options) => {
   const { store } = options;
   const contentEnabled = options.content !== false;
   const logEnabled = options.log !== false;
+  const maxAuthTokenTTLSeconds = options.maxAuthTokenTTLSeconds ?? DEFAULT_MAX_AUTH_TOKEN_TTL_SECONDS;
   const peers = options.peers ?? [];
   const peerClient = options.peerClient;
   const gossipPeers = peers.filter((p) => p.gossip !== false);
@@ -1059,8 +1185,10 @@ var createRelay = async (options) => {
   const gossip = (ops) => {
     if (ops.length === 0 || gossipPeers.length === 0 || !peerClient) return;
     for (const peer of gossipPeers) {
-      peerClient.submitOperations(peer.url, ops).catch(() => {
-      });
+      for (const chunk of chunkOps(ops, MAX_GOSSIP_BATCH)) {
+        peerClient.submitOperations(peer.url, chunk).catch(() => {
+        });
+      }
     }
   };
   const ingestWithGossip = async (tokens) => {
@@ -1086,6 +1214,20 @@ var createRelay = async (options) => {
     return results;
   };
   const app = new Hono();
+  app.use("*", async (c, next) => {
+    if (c.req.method === "OPTIONS") {
+      return c.body(null, 204, {
+        "Access-Control-Allow-Origin": "*",
+        "Access-Control-Allow-Methods": "GET, POST, PUT, OPTIONS",
+        "Access-Control-Allow-Headers": "Content-Type, Authorization"
+      });
+    }
+    await next();
+    c.res.headers.set("Access-Control-Allow-Origin", "*");
+    c.res.headers.set("Access-Control-Allow-Methods", "GET, POST, PUT, OPTIONS");
+    c.res.headers.set("Access-Control-Allow-Headers", "Content-Type, Authorization");
+    return;
+  });
   app.get("/.well-known/dfos-relay", (c) => {
     return c.json({
       did: relayDID,
@@ -1101,6 +1243,9 @@ var createRelay = async (options) => {
     });
   });
   app.post("/operations", async (c) => {
+    if (exceedsBodyCap(c.req.header("content-length"))) {
+      return c.json({ error: "request body too large" }, 413);
+    }
     let body;
     try {
       body = await c.req.json();
@@ -1130,9 +1275,9 @@ var createRelay = async (options) => {
     const chain = await store.getIdentityChain(did);
     if (!chain) return c.json({ error: "not found" }, 404);
     const after = c.req.query("after");
-    const limit = Math.min(Number(c.req.query("limit") || 100), 1e3);
+    const limit = parseLimit(c.req.query("limit"), 100, 1e3);
     const entries = chain.log.map((jws) => {
-      const decoded = decodeJwsUnsafe4(jws);
+      const decoded = decodeJwsUnsafe3(jws);
       return { cid: decoded?.header.cid || "", jwsToken: jws };
     });
     let startIdx = 0;
@@ -1176,9 +1321,9 @@ var createRelay = async (options) => {
     const chain = await store.getContentChain(contentId);
     if (!chain) return c.json({ error: "not found" }, 404);
     const after = c.req.query("after");
-    const limit = Math.min(Number(c.req.query("limit") || 100), 1e3);
+    const limit = parseLimit(c.req.query("limit"), 100, 1e3);
     const entries = chain.log.map((jws) => {
-      const decoded = decodeJwsUnsafe4(jws);
+      const decoded = decodeJwsUnsafe3(jws);
       return { cid: decoded?.header.cid || "", jwsToken: jws };
     });
     let startIdx = 0;
@@ -1197,7 +1342,12 @@ var createRelay = async (options) => {
     if (!chain) return c.json({ error: "not found" }, 404);
     const publicAccess = await hasPublicStandingAuth(contentId, "read", store);
     if (!publicAccess) {
-      const auth = await authenticateRequest(c.req.header("authorization"), relayDID, store);
+      const auth = await authenticateRequest(
+        c.req.header("authorization"),
+        relayDID,
+        store,
+        maxAuthTokenTTLSeconds
+      );
       if (!auth) return c.json({ error: "authentication required" }, 401);
       const accessError = await verifyReadAccess(
         auth,
@@ -1209,7 +1359,7 @@ var createRelay = async (options) => {
       if (accessError) return accessError;
     }
     const after = c.req.query("after");
-    const limit = Math.min(Number(c.req.query("limit") || 100), 1e3);
+    const limit = parseLimit(c.req.query("limit"), 100, 1e3);
     const result = await store.getDocuments(contentId, {
       ...after ? { after } : {},
       limit
@@ -1266,22 +1416,10 @@ var createRelay = async (options) => {
     const countersigs = await store.getCountersignatures(cid);
     return c.json({ operationCID: cid, countersignatures: countersigs });
   });
-  app.get("/beacons/:did{.+}", async (c) => {
-    const did = c.req.param("did");
-    const beacon = await store.getBeacon(did);
-    if (!beacon) return c.json({ error: "not found" }, 404);
-    return c.json({
-      did: beacon.did,
-      jwsToken: beacon.jwsToken,
-      beaconCID: beacon.beaconCID,
-      manifestContentId: beacon.state.manifestContentId,
-      createdAt: beacon.state.createdAt
-    });
-  });
   app.get("/log", async (c) => {
     if (!logEnabled) return c.json({ error: "global log not available" }, 501);
     const afterParam = c.req.query("after");
-    const limit = Math.min(Number(c.req.query("limit") || 100), 1e3);
+    const limit = parseLimit(c.req.query("limit"), 100, 1e3);
     const result = await store.readLog(afterParam ? { after: afterParam, limit } : { limit });
     return c.json(result);
   });
@@ -1289,14 +1427,22 @@ var createRelay = async (options) => {
     if (!contentEnabled) return c.json({ error: "content plane not available" }, 501);
     const contentId = c.req.param("contentId");
     const operationCID = c.req.param("operationCID");
-    const auth = await authenticateRequest(c.req.header("authorization"), relayDID, store);
+    if (exceedsBodyCap(c.req.header("content-length"))) {
+      return c.json({ error: "request body too large" }, 413);
+    }
+    const auth = await authenticateRequest(
+      c.req.header("authorization"),
+      relayDID,
+      store,
+      maxAuthTokenTTLSeconds
+    );
     if (!auth) return c.json({ error: "authentication required" }, 401);
     const chain = await store.getContentChain(contentId);
     if (!chain) return c.json({ error: "content chain not found" }, 404);
     let documentCID = null;
     let operationSignerDID = null;
     for (const token of chain.log) {
-      const decoded = decodeJwsUnsafe4(token);
+      const decoded = decodeJwsUnsafe3(token);
       if (!decoded) continue;
       if (decoded.header.cid !== operationCID) continue;
       const payload = decoded.payload;
@@ -1311,9 +1457,12 @@ var createRelay = async (options) => {
       return c.json({ error: "not authorized \u2014 must be chain creator or operation signer" }, 403);
     }
     const bytes = new Uint8Array(await c.req.arrayBuffer());
+    if (bytes.byteLength > MAX_BODY_BYTES) {
+      return c.json({ error: "request body too large" }, 413);
+    }
     try {
       const parsed = JSON.parse(new TextDecoder().decode(bytes));
-      const encoded = await dagCborCanonicalEncode3(parsed);
+      const encoded = await dagCborCanonicalEncode2(parsed);
       if (encoded.cid.toString() !== documentCID) {
         return c.json({ error: "blob bytes do not match documentCID" }, 400);
       }
@@ -1331,7 +1480,8 @@ var createRelay = async (options) => {
       authHeader: c.req.header("authorization"),
       credHeader: c.req.header("x-credential"),
       relayDID,
-      store
+      store,
+      maxAuthTokenTTLSeconds
     });
   });
   app.get("/content/:contentId/blob/:ref", async (c) => {
@@ -1342,20 +1492,24 @@ var createRelay = async (options) => {
       authHeader: c.req.header("authorization"),
       credHeader: c.req.header("x-credential"),
       relayDID,
-      store
+      store,
+      maxAuthTokenTTLSeconds
     });
   });
+  const maxOpsPerSyncCycle = 5e3;
   const syncFromPeers = async () => {
     if (!peerClient) return;
     for (const peer of syncPeers) {
       let cursor = await store.getPeerCursor(peer.url);
-      while (true) {
+      let fetched = 0;
+      while (fetched < maxOpsPerSyncCycle) {
         const page = await peerClient.getOperationLog(peer.url, {
           ...cursor ? { after: cursor } : {},
           limit: 1e3
         });
         if (!page || page.entries.length === 0) break;
         await ingestWithGossip(page.entries.map((e) => e.jwsToken));
+        fetched += page.entries.length;
         cursor = page.cursor ?? page.entries[page.entries.length - 1].cid;
         await store.setPeerCursor(peer.url, cursor);
         if (!page.cursor) break;
@@ -1369,12 +1523,12 @@ var jsonResponse = (body, status = 200) => new Response(JSON.stringify(body), {
   headers: { "content-type": "application/json" }
 });
 var readBlob = async (params) => {
-  const { contentId, ref, authHeader, credHeader, relayDID, store } = params;
+  const { contentId, ref, authHeader, credHeader, relayDID, store, maxAuthTokenTTLSeconds } = params;
   const chain = await store.getContentChain(contentId);
   if (!chain) return jsonResponse({ error: "content chain not found" }, 404);
   const publicAccess = await hasPublicStandingAuth(contentId, "read", store);
   if (!publicAccess) {
-    const auth = await authenticateRequest(authHeader, relayDID, store);
+    const auth = await authenticateRequest(authHeader, relayDID, store, maxAuthTokenTTLSeconds);
     if (!auth) return jsonResponse({ error: "authentication required" }, 401);
     const credError = await verifyReadAccess(auth, chain, contentId, credHeader, store);
     if (credError) return credError;
@@ -1385,7 +1539,7 @@ var readBlob = async (params) => {
     documentCID = chain.state.currentDocumentCID;
   } else {
     for (const token of chain.log) {
-      const decoded = decodeJwsUnsafe4(token);
+      const decoded = decodeJwsUnsafe3(token);
       if (!decoded) continue;
       if (decoded.header.cid === ref) {
         operationFound = true;
@@ -1421,13 +1575,12 @@ var verifyReadAccess = async (auth, chain, contentId, credHeader, store) => {
 // src/store.ts
 import { verifyContentChain as verifyContentChain2, verifyIdentityChain as verifyIdentityChain2 } from "@metalabel/dfos-protocol/chain";
-import { decodeJwsUnsafe as decodeJwsUnsafe5 } from "@metalabel/dfos-protocol/crypto";
+import { decodeJwsUnsafe as decodeJwsUnsafe4 } from "@metalabel/dfos-protocol/crypto";
 var blobKeyString = (key) => `${key.creatorDID}::${key.documentCID}`;
 var MemoryRelayStore = class {
   operations = /* @__PURE__ */ new Map();
   identityChains = /* @__PURE__ */ new Map();
   contentChains = /* @__PURE__ */ new Map();
-  beacons = /* @__PURE__ */ new Map();
   blobs = /* @__PURE__ */ new Map();
   countersignatures = /* @__PURE__ */ new Map();
   operationLog = [];
@@ -1454,12 +1607,6 @@ var MemoryRelayStore = class {
   async putContentChain(chain) {
     this.contentChains.set(chain.contentId, chain);
   }
-  async getBeacon(did) {
-    return this.beacons.get(did);
-  }
-  async putBeacon(beacon) {
-    this.beacons.set(beacon.did, beacon);
-  }
   async getBlob(key) {
     return this.blobs.get(blobKeyString(key));
   }
@@ -1471,12 +1618,12 @@ var MemoryRelayStore = class {
   }
   async addCountersignature(operationCID, jwsToken) {
     const existing = this.countersignatures.get(operationCID) ?? [];
-    const decoded = decodeJwsUnsafe5(jwsToken);
+    const decoded = decodeJwsUnsafe4(jwsToken);
     if (decoded) {
       const kid = decoded.header.kid;
       const witnessDID = kid.includes("#") ? kid.split("#")[0] : kid;
       for (const cs of existing) {
-        const d = decodeJwsUnsafe5(cs);
+        const d = decodeJwsUnsafe4(cs);
         if (!d) continue;
         const existingKid = d.header.kid;
         const existingDID = existingKid.includes("#") ? existingKid.split("#")[0] : existingKid;
@@ -1531,7 +1678,7 @@ var MemoryRelayStore = class {
     if (!chain) return { documents: [], cursor: null };
     const entries = [];
     for (const jws of chain.log) {
-      const decoded = decodeJwsUnsafe5(jws);
+      const decoded = decodeJwsUnsafe4(jws);
       if (!decoded) continue;
       const payload = decoded.payload;
       const cid = typeof decoded.header.cid === "string" ? decoded.header.cid : "";
@@ -1593,7 +1740,7 @@ var MemoryRelayStore = class {
     if (!chain) return null;
     const opsByCID = /* @__PURE__ */ new Map();
     for (const jws of chain.log) {
-      const decoded = decodeJwsUnsafe5(jws);
+      const decoded = decodeJwsUnsafe4(jws);
       if (!decoded) continue;
       const payload = decoded.payload;
       const opCID = typeof decoded.header.cid === "string" ? decoded.header.cid : "";
@@ -1610,7 +1757,7 @@ var MemoryRelayStore = class {
       currentCID = op.previousCID;
     }
     const identity = await verifyIdentityChain2({ didPrefix: "did:dfos", log: path });
-    const targetDecoded = decodeJwsUnsafe5(opsByCID.get(cid).jws);
+    const targetDecoded = decodeJwsUnsafe4(opsByCID.get(cid).jws);
     const lastCreatedAt = typeof targetDecoded?.payload?.["createdAt"] === "string" ? (targetDecoded?.payload)["createdAt"] : "";
     return { state: identity, lastCreatedAt };
   }
@@ -1619,7 +1766,7 @@ var MemoryRelayStore = class {
     if (!chain) return null;
     const opsByCID = /* @__PURE__ */ new Map();
     for (const jws of chain.log) {
-      const decoded = decodeJwsUnsafe5(jws);
+      const decoded = decodeJwsUnsafe4(jws);
       if (!decoded) continue;
       const payload = decoded.payload;
       const opCID = typeof decoded.header.cid === "string" ? decoded.header.cid : "";
@@ -1646,7 +1793,7 @@ var MemoryRelayStore = class {
       enforceAuthorization: true,
       resolveIdentity
     });
-    const targetDecoded = decodeJwsUnsafe5(opsByCID.get(cid).jws);
+    const targetDecoded = decodeJwsUnsafe4(opsByCID.get(cid).jws);
     const lastCreatedAt = typeof targetDecoded?.payload?.["createdAt"] === "string" ? (targetDecoded?.payload)["createdAt"] : "";
     return { state: content, lastCreatedAt };
   }
@@ -1680,8 +1827,7 @@ var MemoryRelayStore = class {
     }
   }
   async markOpRejected(cid, _reason) {
-    const entry = this.rawOps.get(cid);
-    if (entry) entry.status = "rejected";
+    this.rawOps.delete(cid);
   }
   async countUnsequenced() {
     let count = 0;
@@ -1699,6 +1845,8 @@ var MemoryRelayStore = class {
 export {
   MemoryRelayStore,
   bootstrapRelayIdentity,
+  bootstrapRelayIdentityFromKey,
+  chunkOps,
   computeOpCID,
   createCurrentKeyResolver,
   createHistoricalIdentityResolver,