@peerbit/trusted-network 1.0.2

package/LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2021 dao.xyz
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

package/README.md

@@ -0,0 +1,58 @@
+# Trusted network
+## 🚧 Experimental state 🚧
+
+A store that lets you build trusted networks of identities
+The store is defined by the "root trust" which have the responsibility in the beginning to trust additional identities. Later, these identities can add more identities to the network. 
+Trusted identities can also be revoked.
+
+Distributing content among untrusted peers will be unreliable and not resilient to malicious parties that starts to participate in the replication process with large amount (>> min replicas) of nodes and shutting them down simultaneously (no way for the original peers recover all lost data). To mitigate this you can launch your program in a "Network", which is basically a list of nodes that trust each other. Symbolically you could thing of this as a VPC.
+
+To do this, you only have to implement the "Network" interface: 
+```typescript
+import { Peerbit, Network } from 'peerbit'
+import { Log } from '@peerbit/log'
+import { Program } from '@peerbit/program' 
+import { TrustedNetwork } from '@peerbit/trusted-network' 
+import { field, variant } from '@dao-xyz/borst-ts' 
+
+@variant("string_store") 
+@network({property: 'network'})
+class StringStore extends Program
+{
+    @field({type: Store})
+    log: Log<Uint8Array>
+
+    @field({type: TrustedNetwork}) 
+    network: TrustedNetwork // this is a database storing all peers. Peers that are trusted can add new peers
+
+    constructor(properties:{ log: Store<any>, network: TrustedNetwork }) {
+       
+		this.log = properties.store
+		this.network = properties.network;
+        
+    }
+
+    async setup() 
+    {
+        await store.setup({ encoding: ... , canAppend: ..., canRead: ...})
+        await trustedNetwork.setup()
+    }
+}
+
+
+// Later 
+const peer1 = await Peerbit.create(LIBP2P_CLIENT, {... options ...})
+const peer2 = await Peerbit.create(LIBP2P_CLIENT_2, {... options ...})
+
+const programPeer1 = await peer1.open(new StringStore({log: new Log(), network: new TrustedNetwork()}), {... options ...})
+
+// add trust to another peer
+await program.network.add(peer2.identity.publicKey) 
+
+
+// peer2 also has to "join" the network, in practice this means that peer2 adds a record telling that its Peer ID trusts its libp2p Id
+const programPeer2 = await peer2.open(programPeer1.address, {... options ...})
+await peer2.join(programPeer2) // This might fail with "AccessError" if you do this too quickly after "open", because it has not yet recieved the full trust graph from peer1 yet
+```
+
+See [this test(s)](./src/__tests__/network.test.ts) for working examples

package/lib/esm/controller.d.ts

@@ -0,0 +1,57 @@
+import { Documents, Operation } from "@peerbit/document";
+import { AppendOptions, Entry } from "@peerbit/log";
+import { PublicSignKey } from "@peerbit/crypto";
+import { IdentityRelation } from "./identity-graph.js";
+import { Program } from "@peerbit/program";
+import { CanRead } from "@peerbit/rpc";
+import { PeerId } from "@libp2p/interface-peer-id";
+import { SubscriptionType } from "@peerbit/shared-log";
+type IdentityGraphArgs = {
+    canRead?: CanRead;
+    role?: SubscriptionType;
+};
+export declare class IdentityGraph extends Program<IdentityGraphArgs> {
+    relationGraph: Documents<IdentityRelation>;
+    constructor(props?: {
+        id?: Uint8Array;
+        relationGraph?: Documents<IdentityRelation>;
+    });
+    canAppend(entry: Entry<Operation<IdentityRelation>>): Promise<boolean>;
+    open(options?: IdentityGraphArgs): Promise<void>;
+    addRelation(to: PublicSignKey | PeerId, options?: AppendOptions<Operation<IdentityRelation>>): Promise<void>;
+}
+/**
+ * Not shardeable since we can not query trusted relations, because this would lead to a recursive problem where we then need to determine whether the responder is trusted or not
+ */
+type TrustedNetworkArgs = {
+    role?: SubscriptionType;
+};
+export declare class TrustedNetwork extends Program<TrustedNetworkArgs> {
+    rootTrust: PublicSignKey;
+    trustGraph: Documents<IdentityRelation>;
+    constructor(props: {
+        id?: Uint8Array;
+        rootTrust: PublicSignKey | PeerId;
+    });
+    open(options?: TrustedNetworkArgs): Promise<void>;
+    canAppend(entry: Entry<Operation<IdentityRelation>>): Promise<boolean>;
+    canRead(_key?: PublicSignKey): Promise<boolean>;
+    add(trustee: PublicSignKey | PeerId): Promise<IdentityRelation | undefined>;
+    hasRelation(trustee: PublicSignKey | PeerId, truster?: PublicSignKey | PeerId): Promise<boolean>;
+    getRelation(trustee: PublicSignKey | PeerId, truster?: PublicSignKey | PeerId): Promise<IdentityRelation | undefined>;
+    /**
+     * Follow trust path back to trust root.
+     * Trust root is always trusted.
+     * Hence if
+     * Root trust A trust B trust C
+     * C is trusted by Root
+     * @param trustee
+     * @param truster, the truster "root", if undefined defaults to the root trust
+     * @returns true, if trusted
+     */
+    isTrusted(trustee: PublicSignKey, truster?: PublicSignKey): Promise<boolean>;
+    _isTrustedLocal(trustee: PublicSignKey, truster?: PublicSignKey): Promise<boolean>;
+    getTrusted(): Promise<PublicSignKey[]>;
+    hashCode(): string;
+}
+export {};

package/lib/esm/controller.js

@@ -0,0 +1,211 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+import { deserialize, field, serialize, variant } from "@dao-xyz/borsh";
+import { SearchRequest, Documents, PutOperation, } from "@peerbit/document";
+import { PublicSignKey, getPublicKeyFromPeerId } from "@peerbit/crypto";
+import { DeleteOperation } from "@peerbit/document";
+import { IdentityRelation, createIdentityGraphStore, getPathGenerator, hasPath, getFromByTo, getToByFrom, getRelation, AbstractRelation, } from "./identity-graph.js";
+import { Program } from "@peerbit/program";
+import { sha256Base64Sync } from "@peerbit/crypto";
+import { Replicator } from "@peerbit/shared-log";
+const coercePublicKey = (publicKey) => {
+    return publicKey instanceof PublicSignKey
+        ? publicKey
+        : getPublicKeyFromPeerId(publicKey);
+};
+const canAppendByRelation = async (entry, isTrusted) => {
+    // verify the payload
+    const operation = await entry.getPayloadValue();
+    if (operation instanceof PutOperation ||
+        operation instanceof DeleteOperation) {
+        /*  const relation: Relation = operation.value || deserialize(operation.data, Relation); */
+        const keys = await entry.getPublicKeys();
+        const checkKey = async (key) => {
+            if (operation instanceof PutOperation) {
+                // TODO, this clause is only applicable when we modify the identityGraph, but it does not make sense that the canAppend method does not know what the payload will
+                // be, upon deserialization. There should be known in the `canAppend` method whether we are appending to the identityGraph.
+                const relation = operation._value || deserialize(operation.data, AbstractRelation);
+                operation._value = relation;
+                if (relation instanceof IdentityRelation) {
+                    if (!relation.from.equals(key)) {
+                        return false;
+                    }
+                }
+                // else assume the payload is accepted
+            }
+            if (isTrusted) {
+                const trusted = await isTrusted(key);
+                return trusted;
+            }
+            else {
+                return true;
+            }
+        };
+        for (const key of keys) {
+            const result = await checkKey(key);
+            if (result) {
+                return true;
+            }
+        }
+        return false;
+    }
+    else {
+        return false;
+    }
+};
+export let IdentityGraph = class IdentityGraph extends Program {
+    relationGraph;
+    constructor(props) {
+        super();
+        if (props) {
+            this.relationGraph =
+                props.relationGraph || createIdentityGraphStore(props?.id);
+        }
+    }
+    async canAppend(entry) {
+        return canAppendByRelation(entry);
+    }
+    async open(options) {
+        await this.relationGraph.open({
+            type: IdentityRelation,
+            canAppend: this.canAppend.bind(this),
+            canRead: options?.canRead,
+            index: {
+                fields: (obj, _entry) => {
+                    return {
+                        from: obj.from.hashcode(),
+                        to: obj.to.hashcode(),
+                    };
+                },
+            },
+            role: options?.role,
+        }); // self referencing access controller
+    }
+    async addRelation(to, options) {
+        /*  trustee = PublicKey.from(trustee); */
+        await this.relationGraph.put(new IdentityRelation({
+            to: coercePublicKey(to),
+            from: options?.identity?.publicKey || this.node.identity.publicKey,
+        }), options);
+    }
+};
+__decorate([
+    field({ type: Documents }),
+    __metadata("design:type", Documents)
+], IdentityGraph.prototype, "relationGraph", void 0);
+IdentityGraph = __decorate([
+    variant("relations"),
+    __metadata("design:paramtypes", [Object])
+], IdentityGraph);
+export let TrustedNetwork = class TrustedNetwork extends Program {
+    rootTrust;
+    trustGraph;
+    constructor(props) {
+        super();
+        this.trustGraph = createIdentityGraphStore(props.id);
+        this.rootTrust = coercePublicKey(props.rootTrust);
+    }
+    async open(options) {
+        await this.trustGraph.open({
+            type: IdentityRelation,
+            canAppend: this.canAppend.bind(this),
+            canRead: this.canRead.bind(this),
+            role: options?.role,
+            index: {
+                fields: (obj, _entry) => {
+                    return {
+                        from: obj.from.hashcode(),
+                        to: obj.to.hashcode(),
+                    };
+                },
+            },
+        }); // self referencing access controller
+    }
+    async canAppend(entry) {
+        return canAppendByRelation(entry, (key) => this.isTrusted(key));
+    }
+    async canRead(_key) {
+        return true; // TODO should we have read access control?
+    }
+    async add(trustee) {
+        const key = trustee instanceof PublicSignKey
+            ? trustee
+            : getPublicKeyFromPeerId(trustee);
+        const existingRelation = await this.getRelation(key, this.node.identity.publicKey);
+        if (!existingRelation) {
+            const relation = new IdentityRelation({
+                to: key,
+                from: this.node.identity.publicKey,
+            });
+            await this.trustGraph.put(relation);
+            return relation;
+        }
+        return existingRelation;
+    }
+    async hasRelation(trustee, truster = this.rootTrust) {
+        return !!(await this.getRelation(trustee, truster));
+    }
+    getRelation(trustee, truster = this.rootTrust) {
+        return getRelation(coercePublicKey(truster), coercePublicKey(trustee), this.trustGraph);
+    }
+    /**
+     * Follow trust path back to trust root.
+     * Trust root is always trusted.
+     * Hence if
+     * Root trust A trust B trust C
+     * C is trusted by Root
+     * @param trustee
+     * @param truster, the truster "root", if undefined defaults to the root trust
+     * @returns true, if trusted
+     */
+    async isTrusted(trustee, truster = this.rootTrust) {
+        if (trustee.equals(this.rootTrust)) {
+            return true;
+        }
+        if (this.trustGraph.log.role instanceof Replicator) {
+            return this._isTrustedLocal(trustee, truster);
+        }
+        else {
+            this.trustGraph.index.search(new SearchRequest({ query: [] }), {
+                remote: { sync: true },
+            });
+            return this._isTrustedLocal(trustee, truster);
+        }
+    }
+    async _isTrustedLocal(trustee, truster = this.rootTrust) {
+        const trustPath = await hasPath(trustee, truster, this.trustGraph, getFromByTo);
+        return !!trustPath;
+    }
+    async getTrusted() {
+        const current = this.rootTrust;
+        const participants = [current];
+        const generator = getPathGenerator(current, this.trustGraph, getToByFrom);
+        for await (const next of generator) {
+            participants.push(next.to);
+        }
+        return participants;
+    }
+    hashCode() {
+        return sha256Base64Sync(serialize(this));
+    }
+};
+__decorate([
+    field({ type: PublicSignKey }),
+    __metadata("design:type", PublicSignKey)
+], TrustedNetwork.prototype, "rootTrust", void 0);
+__decorate([
+    field({ type: Documents }),
+    __metadata("design:type", Documents)
+], TrustedNetwork.prototype, "trustGraph", void 0);
+TrustedNetwork = __decorate([
+    variant("trusted_network"),
+    __metadata("design:paramtypes", [Object])
+], TrustedNetwork);
+//# sourceMappingURL=controller.js.map

package/lib/esm/controller.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"controller.js","sourceRoot":"","sources":["../../src/controller.ts"],"names":[],"mappings":";;;;;;;;;AAAA,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,SAAS,EAAE,OAAO,EAAO,MAAM,gBAAgB,CAAC;AAC7E,OAAO,EACN,aAAa,EACb,SAAS,EAET,YAAY,GACZ,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAE,aAAa,EAAE,sBAAsB,EAAE,MAAM,iBAAiB,CAAC;AACxE,OAAO,EAAE,eAAe,EAAE,MAAM,mBAAmB,CAAC;AACpD,OAAO,EACN,gBAAgB,EAChB,wBAAwB,EACxB,gBAAgB,EAChB,OAAO,EACP,WAAW,EACX,WAAW,EACX,WAAW,EACX,gBAAgB,GAChB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAE3C,OAAO,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAEnD,OAAO,EAAE,UAAU,EAAoB,MAAM,qBAAqB,CAAC;AAEnE,MAAM,eAAe,GAAG,CAAC,SAAiC,EAAE,EAAE;IAC7D,OAAO,SAAS,YAAY,aAAa;QACxC,CAAC,CAAC,SAAS;QACX,CAAC,CAAC,sBAAsB,CAAC,SAAS,CAAC,CAAC;AACtC,CAAC,CAAC;AACF,MAAM,mBAAmB,GAAG,KAAK,EAChC,KAAyC,EACzC,SAAoD,EACjC,EAAE;IACrB,qBAAqB;IACrB,MAAM,SAAS,GAAG,MAAM,KAAK,CAAC,eAAe,EAAE,CAAC;IAChD,IACC,SAAS,YAAY,YAAY;QACjC,SAAS,YAAY,eAAe,EACnC;QACD,2FAA2F;QAE3F,MAAM,IAAI,GAAG,MAAM,KAAK,CAAC,aAAa,EAAE,CAAC;QACzC,MAAM,QAAQ,GAAG,KAAK,EAAE,GAAkB,EAAoB,EAAE;YAC/D,IAAI,SAAS,YAAY,YAAY,EAAE;gBACtC,kKAAkK;gBAClK,2HAA2H;gBAE3H,MAAM,QAAQ,GACb,SAAS,CAAC,MAAM,IAAI,WAAW,CAAC,SAAS,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC;gBACnE,SAAS,CAAC,MAAM,GAAG,QAAQ,CAAC;gBAE5B,IAAI,QAAQ,YAAY,gBAAgB,EAAE;oBACzC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE;wBAC/B,OAAO,KAAK,CAAC;qBACb;iBACD;gBAED,sCAAsC;aACtC;YACD,IAAI,SAAS,EAAE;gBACd,MAAM,OAAO,GAAG,MAAM,SAAS,CAAC,GAAG,CAAC,CAAC;gBACrC,OAAO,OAAO,CAAC;aACf;iBAAM;gBACN,OAAO,IAAI,CAAC;aACZ;QACF,CAAC,CAAC;QACF,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE;YACvB,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,GAAG,CAAC,CAAC;YACnC,IAAI,MAAM,EAAE;gBACX,OAAO,IAAI,CAAC;aACZ;SACD;QACD,OAAO,KAAK,CAAC;KACb;SAAM;QACN,OAAO,KAAK,CAAC;KACb;AACF,CAAC,CAAC;AAIK,WAAM,aAAa,GAAnB,MAAM,aAAc,SAAQ,OAA0B;IAE5D,aAAa,CAA8B;IAE3C,YAAY,KAGX;QACA,KAAK,EAAE,CAAC;QACR,IAAI,KAAK,EAAE;YACV,IAAI,CAAC,aAAa;gBACjB,KAAK,CAAC,aAAa,IAAI,wBAAwB,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;SAC5D;IACF,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,KAAyC;QACxD,OAAO,mBAAmB,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAA2B;QACrC,MAAM,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC;YAC7B,IAAI,EAAE,gBAAgB;YACtB,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC;YACpC,OAAO,EAAE,OAAO,EAAE,OAAO;YACzB,KAAK,EAAE;gBACN,MAAM,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE;oBACvB,OAAO;wBACN,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE;wBACzB,EAAE,EAAE,GAAG,CAAC,EAAE,CAAC,QAAQ,EAAE;qBACrB,CAAC;gBACH,CAAC;aACD;YACD,IAAI,EAAE,OAAO,EAAE,IAAI;SACnB,CAAC,CAAC,CAAC,qCAAqC;IAC1C,CAAC;IAED,KAAK,CAAC,WAAW,CAChB,EAA0B,EAC1B,OAAoD;QAEpD,yCAAyC;QACzC,MAAM,IAAI,CAAC,aAAa,CAAC,GAAG,CAC3B,IAAI,gBAAgB,CAAC;YACpB,EAAE,EAAE,eAAe,CAAC,EAAE,CAAC;YACvB,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,SAAS,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS;SAClE,CAAC,EACF,OAAO,CACP,CAAC;IACH,CAAC;CACD,CAAA;AA/CA;IADC,KAAK,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;8BACZ,SAAS;oDAAmB;AAF/B,aAAa;IADzB,OAAO,CAAC,WAAW,CAAC;;GACR,aAAa,CAiDzB;AAQM,WAAM,cAAc,GAApB,MAAM,cAAe,SAAQ,OAA2B;IAE9D,SAAS,CAAgB;IAGzB,UAAU,CAA8B;IAExC,YAAY,KAA6D;QACxE,KAAK,EAAE,CAAC;QACR,IAAI,CAAC,UAAU,GAAG,wBAAwB,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACrD,IAAI,CAAC,SAAS,GAAG,eAAe,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IACnD,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,OAA4B;QACtC,MAAM,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;YAC1B,IAAI,EAAE,gBAAgB;YACtB,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC;YACpC,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC;YAChC,IAAI,EAAE,OAAO,EAAE,IAAI;YACnB,KAAK,EAAE;gBACN,MAAM,EAAE,CAAC,GAAG,EAAE,MAAM,EAAE,EAAE;oBACvB,OAAO;wBACN,IAAI,EAAE,GAAG,CAAC,IAAI,CAAC,QAAQ,EAAE;wBACzB,EAAE,EAAE,GAAG,CAAC,EAAE,CAAC,QAAQ,EAAE;qBACrB,CAAC;gBACH,CAAC;aACD;SACD,CAAC,CAAC,CAAC,qCAAqC;IAC1C,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,KAAyC;QACxD,OAAO,mBAAmB,CAAC,KAAK,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC;IACjE,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,IAAoB;QACjC,OAAO,IAAI,CAAC,CAAC,2CAA2C;IACzD,CAAC;IAED,KAAK,CAAC,GAAG,CACR,OAA+B;QAE/B,MAAM,GAAG,GACR,OAAO,YAAY,aAAa;YAC/B,CAAC,CAAC,OAAO;YACT,CAAC,CAAC,sBAAsB,CAAC,OAAO,CAAC,CAAC;QAEpC,MAAM,gBAAgB,GAAG,MAAM,IAAI,CAAC,WAAW,CAC9C,GAAG,EACH,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAC5B,CAAC;QACF,IAAI,CAAC,gBAAgB,EAAE;YACtB,MAAM,QAAQ,GAAG,IAAI,gBAAgB,CAAC;gBACrC,EAAE,EAAE,GAAG;gBACP,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS;aAClC,CAAC,CAAC;YACH,MAAM,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACpC,OAAO,QAAQ,CAAC;SAChB;QACD,OAAO,gBAAgB,CAAC;IACzB,CAAC;IAED,KAAK,CAAC,WAAW,CAChB,OAA+B,EAC/B,UAAkC,IAAI,CAAC,SAAS;QAEhD,OAAO,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;IACrD,CAAC;IACD,WAAW,CACV,OAA+B,EAC/B,UAAkC,IAAI,CAAC,SAAS;QAEhD,OAAO,WAAW,CACjB,eAAe,CAAC,OAAO,CAAC,EACxB,eAAe,CAAC,OAAO,CAAC,EACxB,IAAI,CAAC,UAAU,CACf,CAAC;IACH,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,SAAS,CACd,OAAsB,EACtB,UAAyB,IAAI,CAAC,SAAS;QAEvC,IAAI,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE;YACnC,OAAO,IAAI,CAAC;SACZ;QACD,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,YAAY,UAAU,EAAE;YACnD,OAAO,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;SAC9C;aAAM;YACN,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,aAAa,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,EAAE;gBAC9D,MAAM,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;aACtB,CAAC,CAAC;YACH,OAAO,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;SAC9C;IACF,CAAC;IAED,KAAK,CAAC,eAAe,CACpB,OAAsB,EACtB,UAAyB,IAAI,CAAC,SAAS;QAEvC,MAAM,SAAS,GAAG,MAAM,OAAO,CAC9B,OAAO,EACP,OAAO,EACP,IAAI,CAAC,UAAU,EACf,WAAW,CACX,CAAC;QACF,OAAO,CAAC,CAAC,SAAS,CAAC;IACpB,CAAC;IAED,KAAK,CAAC,UAAU;QACf,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC;QAC/B,MAAM,YAAY,GAAoB,CAAC,OAAO,CAAC,CAAC;QAChD,MAAM,SAAS,GAAG,gBAAgB,CAAC,OAAO,EAAE,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;QAC1E,IAAI,KAAK,EAAE,MAAM,IAAI,IAAI,SAAS,EAAE;YACnC,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;SAC3B;QACD,OAAO,YAAY,CAAC;IACrB,CAAC;IAED,QAAQ;QACP,OAAO,gBAAgB,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC;IAC1C,CAAC;CACD,CAAA;AAjIA;IADC,KAAK,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC;8BACpB,aAAa;iDAAC;AAGzB;IADC,KAAK,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC;8BACf,SAAS;kDAAmB;AAL5B,cAAc;IAD1B,OAAO,CAAC,iBAAiB,CAAC;;GACd,cAAc,CAmI1B"}

package/lib/esm/identity-graph.d.ts

@@ -0,0 +1,35 @@
+import { Documents } from "@peerbit/document";
+import { PublicSignKey } from "@peerbit/crypto";
+export type RelationResolver = {
+    resolve: (key: PublicSignKey, db: Documents<IdentityRelation>) => Promise<IdentityRelation[]>;
+    next: (relation: IdentityRelation) => PublicSignKey;
+};
+export declare const getFromByTo: RelationResolver;
+export declare const getToByFrom: RelationResolver;
+export declare function getPathGenerator(from: PublicSignKey, db: Documents<IdentityRelation>, resolver: RelationResolver): AsyncGenerator<IdentityRelation, void, unknown>;
+/**
+ * Get path, to target.
+ * @param start
+ * @param target
+ * @param db
+ * @returns
+ */
+export declare const hasPathToTarget: (start: PublicSignKey, target: (key: PublicSignKey) => boolean, db: Documents<IdentityRelation>, resolver: RelationResolver) => Promise<boolean>;
+export declare abstract class AbstractRelation {
+    id: Uint8Array;
+}
+export declare class IdentityRelation extends AbstractRelation {
+    _from: PublicSignKey;
+    _to: PublicSignKey;
+    constructor(properties?: {
+        to: PublicSignKey;
+        from: PublicSignKey;
+    });
+    get from(): PublicSignKey;
+    get to(): PublicSignKey;
+    initializeId(): void;
+    static id(to: PublicSignKey, from: PublicSignKey): Uint8Array;
+}
+export declare const hasPath: (start: PublicSignKey, end: PublicSignKey, db: Documents<IdentityRelation>, resolver: RelationResolver) => Promise<boolean>;
+export declare const getRelation: (from: PublicSignKey, to: PublicSignKey, db: Documents<IdentityRelation>) => Promise<IdentityRelation | undefined>;
+export declare const createIdentityGraphStore: (id?: Uint8Array) => Documents<IdentityRelation>;

package/lib/esm/identity-graph.js

@@ -0,0 +1,151 @@
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var IdentityRelation_1;
+import { field, fixedArray, serialize, variant } from "@dao-xyz/borsh";
+import { Documents, DocumentIndex, SearchRequest, StringMatch, } from "@peerbit/document";
+import { PublicSignKey } from "@peerbit/crypto";
+import { concat } from "uint8arrays";
+import { RPC } from "@peerbit/rpc";
+import { sha256Sync } from "@peerbit/crypto";
+export const getFromByTo = {
+    resolve: async (to, db) => {
+        return Promise.all(await db.index.search(new SearchRequest({
+            query: [
+                new StringMatch({
+                    key: "to",
+                    value: to.hashcode(),
+                }),
+            ],
+        }), {
+            local: true,
+            remote: false,
+        }));
+    },
+    next: (relation) => relation.from,
+};
+export const getToByFrom = {
+    resolve: async (from, db) => {
+        return Promise.all(await db.index.search(new SearchRequest({
+            query: [
+                new StringMatch({
+                    key: "from",
+                    value: from.hashcode(),
+                }),
+            ],
+        }), {
+            local: true,
+            remote: false,
+        }));
+    },
+    next: (relation) => relation.to,
+};
+export async function* getPathGenerator(from, db, resolver) {
+    let iter = [from];
+    const visited = new Set();
+    while (iter.length > 0) {
+        const newIter = [];
+        for (const value of iter) {
+            const results = await resolver.resolve(value, db);
+            for (const result of results) {
+                if (result instanceof IdentityRelation) {
+                    if (visited.has(result.id)) {
+                        return;
+                    }
+                    visited.add(result.id);
+                    yield result;
+                    newIter.push(resolver.next(result));
+                }
+            }
+        }
+        iter = newIter;
+    }
+}
+/**
+ * Get path, to target.
+ * @param start
+ * @param target
+ * @param db
+ * @returns
+ */
+export const hasPathToTarget = async (start, target, db, resolver) => {
+    if (!db) {
+        throw new Error("Not initalized");
+    }
+    const current = start;
+    if (target(current)) {
+        return true;
+    }
+    const iterator = getPathGenerator(current, db, resolver);
+    for await (const relation of iterator) {
+        if (target(relation.from)) {
+            return true;
+        }
+    }
+    return false;
+};
+export let AbstractRelation = class AbstractRelation {
+    id;
+};
+__decorate([
+    field({ type: fixedArray("u8", 32) }),
+    __metadata("design:type", Uint8Array)
+], AbstractRelation.prototype, "id", void 0);
+AbstractRelation = __decorate([
+    variant(0)
+], AbstractRelation);
+export let IdentityRelation = IdentityRelation_1 = class IdentityRelation extends AbstractRelation {
+    _from;
+    _to;
+    constructor(properties) {
+        super();
+        if (properties) {
+            this._from = properties.from;
+            this._to = properties.to;
+            this.initializeId();
+        }
+    }
+    get from() {
+        return this._from;
+    }
+    get to() {
+        return this._to;
+    }
+    initializeId() {
+        this.id = IdentityRelation_1.id(this.to, this.from);
+    }
+    static id(to, from) {
+        return sha256Sync(concat([serialize(to), serialize(from)]));
+    }
+};
+__decorate([
+    field({ type: PublicSignKey }),
+    __metadata("design:type", PublicSignKey)
+], IdentityRelation.prototype, "_from", void 0);
+__decorate([
+    field({ type: PublicSignKey }),
+    __metadata("design:type", PublicSignKey)
+], IdentityRelation.prototype, "_to", void 0);
+IdentityRelation = IdentityRelation_1 = __decorate([
+    variant(0),
+    __metadata("design:paramtypes", [Object])
+], IdentityRelation);
+export const hasPath = async (start, end, db, resolver) => {
+    return hasPathToTarget(start, (key) => end.equals(key), db, resolver);
+};
+export const getRelation = async (from, to, db) => {
+    return db.index.get(new IdentityRelation({ from, to }).id);
+};
+export const createIdentityGraphStore = (id) => new Documents({
+    index: new DocumentIndex({
+        query: new RPC(),
+    }),
+    id,
+});
+//# sourceMappingURL=identity-graph.js.map

package/lib/esm/identity-graph.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"identity-graph.js","sourceRoot":"","sources":["../../src/identity-graph.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AACvE,OAAO,EACN,SAAS,EACT,aAAa,EACb,aAAa,EACb,WAAW,GACX,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,aAAa,EAAE,MAAM,iBAAiB,CAAC;AAChD,OAAO,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AACrC,OAAO,EAAE,GAAG,EAAE,MAAM,cAAc,CAAC;AACnC,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAU7C,MAAM,CAAC,MAAM,WAAW,GAAqB;IAC5C,OAAO,EAAE,KAAK,EAAE,EAAiB,EAAE,EAA+B,EAAE,EAAE;QACrE,OAAO,OAAO,CAAC,GAAG,CACjB,MAAM,EAAE,CAAC,KAAK,CAAC,MAAM,CACpB,IAAI,aAAa,CAAC;YACjB,KAAK,EAAE;gBACN,IAAI,WAAW,CAAC;oBACf,GAAG,EAAE,IAAI;oBACT,KAAK,EAAE,EAAE,CAAC,QAAQ,EAAE;iBACpB,CAAC;aACF;SACD,CAAC,EACF;YACC,KAAK,EAAE,IAAI;YACX,MAAM,EAAE,KAAK;SACb,CACD,CACD,CAAC;IACH,CAAC;IACD,IAAI,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI;CACjC,CAAC;AAEF,MAAM,CAAC,MAAM,WAAW,GAAqB;IAC5C,OAAO,EAAE,KAAK,EAAE,IAAmB,EAAE,EAA+B,EAAE,EAAE;QACvE,OAAO,OAAO,CAAC,GAAG,CACjB,MAAM,EAAE,CAAC,KAAK,CAAC,MAAM,CACpB,IAAI,aAAa,CAAC;YACjB,KAAK,EAAE;gBACN,IAAI,WAAW,CAAC;oBACf,GAAG,EAAE,MAAM;oBACX,KAAK,EAAE,IAAI,CAAC,QAAQ,EAAE;iBACtB,CAAC;aACF;SACD,CAAC,EACF;YACC,KAAK,EAAE,IAAI;YACX,MAAM,EAAE,KAAK;SACb,CACD,CACD,CAAC;IACH,CAAC;IACD,IAAI,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,EAAE;CAC/B,CAAC;AAEF,MAAM,CAAC,KAAK,SAAS,CAAC,CAAC,gBAAgB,CACtC,IAAmB,EACnB,EAA+B,EAC/B,QAA0B;IAE1B,IAAI,IAAI,GAAG,CAAC,IAAI,CAAC,CAAC;IAClB,MAAM,OAAO,GAAG,IAAI,GAAG,EAAE,CAAC;IAC1B,OAAO,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE;QACvB,MAAM,OAAO,GAAoB,EAAE,CAAC;QACpC,KAAK,MAAM,KAAK,IAAI,IAAI,EAAE;YACzB,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YAClD,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE;gBAC7B,IAAI,MAAM,YAAY,gBAAgB,EAAE;oBACvC,IAAI,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE;wBAC3B,OAAO;qBACP;oBACD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;oBACvB,MAAM,MAAM,CAAC;oBAEb,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;iBACpC;aACD;SACD;QACD,IAAI,GAAG,OAAO,CAAC;KACf;AACF,CAAC;AAED;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,KAAK,EACnC,KAAoB,EACpB,MAAuC,EACvC,EAA+B,EAC/B,QAA0B,EACP,EAAE;IACrB,IAAI,CAAC,EAAE,EAAE;QACR,MAAM,IAAI,KAAK,CAAC,gBAAgB,CAAC,CAAC;KAClC;IAED,MAAM,OAAO,GAAG,KAAK,CAAC;IACtB,IAAI,MAAM,CAAC,OAAO,CAAC,EAAE;QACpB,OAAO,IAAI,CAAC;KACZ;IAED,MAAM,QAAQ,GAAG,gBAAgB,CAAC,OAAO,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;IACzD,IAAI,KAAK,EAAE,MAAM,QAAQ,IAAI,QAAQ,EAAE;QACtC,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE;YAC1B,OAAO,IAAI,CAAC;SACZ;KACD;IACD,OAAO,KAAK,CAAC;AACd,CAAC,CAAC;AAGK,WAAe,gBAAgB,GAA/B,MAAe,gBAAgB;IAErC,EAAE,CAAa;CACf,CAAA;AADA;IADC,KAAK,CAAC,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC;8BAClC,UAAU;4CAAC;AAFM,gBAAgB;IADrC,OAAO,CAAC,CAAC,CAAC;GACW,gBAAgB,CAGrC;AAGM,WAAM,gBAAgB,wBAAtB,MAAM,gBAAiB,SAAQ,gBAAgB;IAErD,KAAK,CAAgB;IAGrB,GAAG,CAAgB;IAEnB,YAAY,UAGX;QACA,KAAK,EAAE,CAAC;QACR,IAAI,UAAU,EAAE;YACf,IAAI,CAAC,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC;YAC7B,IAAI,CAAC,GAAG,GAAG,UAAU,CAAC,EAAE,CAAC;YACzB,IAAI,CAAC,YAAY,EAAE,CAAC;SACpB;IACF,CAAC;IAED,IAAI,IAAI;QACP,OAAO,IAAI,CAAC,KAAK,CAAC;IACnB,CAAC;IAED,IAAI,EAAE;QACL,OAAO,IAAI,CAAC,GAAG,CAAC;IACjB,CAAC;IAED,YAAY;QACX,IAAI,CAAC,EAAE,GAAG,kBAAgB,CAAC,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,CAAC,EAAE,CAAC,EAAiB,EAAE,IAAmB;QAC/C,OAAO,UAAU,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,EAAE,CAAC,EAAE,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7D,CAAC;CACD,CAAA;AAhCA;IADC,KAAK,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC;8BACxB,aAAa;+CAAC;AAGrB;IADC,KAAK,CAAC,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC;8BAC1B,aAAa;6CAAC;AALP,gBAAgB;IAD5B,OAAO,CAAC,CAAC,CAAC;;GACE,gBAAgB,CAkC5B;AAED,MAAM,CAAC,MAAM,OAAO,GAAG,KAAK,EAC3B,KAAoB,EACpB,GAAkB,EAClB,EAA+B,EAC/B,QAA0B,EACP,EAAE;IACrB,OAAO,eAAe,CAAC,KAAK,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,EAAE,EAAE,QAAQ,CAAC,CAAC;AACvE,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,WAAW,GAAG,KAAK,EAC/B,IAAmB,EACnB,EAAiB,EACjB,EAA+B,EACS,EAAE;IAC1C,OAAO,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,gBAAgB,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC;AAC5D,CAAC,CAAC;AAEF,MAAM,CAAC,MAAM,wBAAwB,GAAG,CAAC,EAAe,EAAE,EAAE,CAC3D,IAAI,SAAS,CAAmB;IAC/B,KAAK,EAAE,IAAI,aAAa,CAAC;QACxB,KAAK,EAAE,IAAI,GAAG,EAAE;KAChB,CAAC;IACF,EAAE;CACF,CAAC,CAAC"}

package/lib/esm/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./controller.js";
+export * from "./identity-graph.js";

package/lib/esm/index.js

@@ -0,0 +1,3 @@
+export * from "./controller.js";
+export * from "./identity-graph.js";
+//# sourceMappingURL=index.js.map

package/lib/esm/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,cAAc,iBAAiB,CAAC;AAChC,cAAc,qBAAqB,CAAC"}

package/lib/esm/package.json

@@ -0,0 +1,3 @@
+{
+  "type": "module"
+}

package/package.json

@@ -0,0 +1,44 @@
+{
+	"name": "@peerbit/trusted-network",
+	"version": "1.0.2",
+	"description": "Access controller that operates on a DB",
+	"type": "module",
+	"sideEffects": false,
+	"module": "lib/esm/index.js",
+	"types": "lib/esm/index.d.ts",
+	"exports": {
+		"import": "./lib/esm/index.js",
+		"require": "./lib/cjs/index.js"
+	},
+	"files": [
+		"lib",
+		"src",
+		"!src/**/__tests__",
+		"!lib/**/__tests__",
+		"LICENSE"
+	],
+	"publishConfig": {
+		"access": "public"
+	},
+	"scripts": {
+		"clean": "shx rm -rf lib/*",
+		"build": "yarn clean && tsc -p tsconfig.json",
+		"postbuild": "echo '{\"type\":\"module\"} ' | node ../../../../node_modules/.bin/json > lib/esm/package.json",
+		"test": "node ../../../../node_modules/.bin/jest test  -c  ../../../../jest.config.ts --runInBand --forceExit",
+		"test:unit": "node ../../../../node_modules/.bin/jest test  -c  ../../../../jest.config.unit.ts --runInBand --forceExit",
+		"test:integration": "node ../node_modules/.bin/jest test -c  ../../../../jest.config.integration.ts --runInBand --forceExit"
+	},
+	"author": "dao.xyz",
+	"license": "MIT",
+	"dependencies": {
+		"@dao-xyz/borsh": "^5.1.5",
+		"@peerbit/crypto": "1.0.1",
+		"@peerbit/document": "1.0.2"
+	},
+	"devDependencies": {
+		"@ethersproject/wallet": "^5.7.0",
+		"@peerbit/test-utils": "^1.0.2",
+		"@peerbit/time": "1.0.0"
+	},
+	"gitHead": "595db9f1efebf604393eddfff5f678f5d8f16142"
+}

package/src/controller.ts

@@ -0,0 +1,271 @@
+import { deserialize, field, serialize, variant, vec } from "@dao-xyz/borsh";
+import {
+	SearchRequest,
+	Documents,
+	Operation,
+	PutOperation,
+} from "@peerbit/document";
+import { AppendOptions, Entry } from "@peerbit/log";
+import { PublicSignKey, getPublicKeyFromPeerId } from "@peerbit/crypto";
+import { DeleteOperation } from "@peerbit/document";
+import {
+	IdentityRelation,
+	createIdentityGraphStore,
+	getPathGenerator,
+	hasPath,
+	getFromByTo,
+	getToByFrom,
+	getRelation,
+	AbstractRelation,
+} from "./identity-graph.js";
+import { Program } from "@peerbit/program";
+import { CanRead } from "@peerbit/rpc";
+import { sha256Base64Sync } from "@peerbit/crypto";
+import { PeerId } from "@libp2p/interface-peer-id";
+import { Replicator, SubscriptionType } from "@peerbit/shared-log";
+
+const coercePublicKey = (publicKey: PublicSignKey | PeerId) => {
+	return publicKey instanceof PublicSignKey
+		? publicKey
+		: getPublicKeyFromPeerId(publicKey);
+};
+const canAppendByRelation = async (
+	entry: Entry<Operation<IdentityRelation>>,
+	isTrusted?: (key: PublicSignKey) => Promise<boolean>
+): Promise<boolean> => {
+	// verify the payload
+	const operation = await entry.getPayloadValue();
+	if (
+		operation instanceof PutOperation ||
+		operation instanceof DeleteOperation
+	) {
+		/*  const relation: Relation = operation.value || deserialize(operation.data, Relation); */
+
+		const keys = await entry.getPublicKeys();
+		const checkKey = async (key: PublicSignKey): Promise<boolean> => {
+			if (operation instanceof PutOperation) {
+				// TODO, this clause is only applicable when we modify the identityGraph, but it does not make sense that the canAppend method does not know what the payload will
+				// be, upon deserialization. There should be known in the `canAppend` method whether we are appending to the identityGraph.
+
+				const relation: AbstractRelation =
+					operation._value || deserialize(operation.data, AbstractRelation);
+				operation._value = relation;
+
+				if (relation instanceof IdentityRelation) {
+					if (!relation.from.equals(key)) {
+						return false;
+					}
+				}
+
+				// else assume the payload is accepted
+			}
+			if (isTrusted) {
+				const trusted = await isTrusted(key);
+				return trusted;
+			} else {
+				return true;
+			}
+		};
+		for (const key of keys) {
+			const result = await checkKey(key);
+			if (result) {
+				return true;
+			}
+		}
+		return false;
+	} else {
+		return false;
+	}
+};
+
+type IdentityGraphArgs = { canRead?: CanRead; role?: SubscriptionType };
+@variant("relations")
+export class IdentityGraph extends Program<IdentityGraphArgs> {
+	@field({ type: Documents })
+	relationGraph: Documents<IdentityRelation>;
+
+	constructor(props?: {
+		id?: Uint8Array;
+		relationGraph?: Documents<IdentityRelation>;
+	}) {
+		super();
+		if (props) {
+			this.relationGraph =
+				props.relationGraph || createIdentityGraphStore(props?.id);
+		}
+	}
+
+	async canAppend(entry: Entry<Operation<IdentityRelation>>): Promise<boolean> {
+		return canAppendByRelation(entry);
+	}
+
+	async open(options?: IdentityGraphArgs) {
+		await this.relationGraph.open({
+			type: IdentityRelation,
+			canAppend: this.canAppend.bind(this),
+			canRead: options?.canRead,
+			index: {
+				fields: (obj, _entry) => {
+					return {
+						from: obj.from.hashcode(),
+						to: obj.to.hashcode(),
+					};
+				},
+			},
+			role: options?.role,
+		}); // self referencing access controller
+	}
+
+	async addRelation(
+		to: PublicSignKey | PeerId,
+		options?: AppendOptions<Operation<IdentityRelation>>
+	) {
+		/*  trustee = PublicKey.from(trustee); */
+		await this.relationGraph.put(
+			new IdentityRelation({
+				to: coercePublicKey(to),
+				from: options?.identity?.publicKey || this.node.identity.publicKey,
+			}),
+			options
+		);
+	}
+}
+
+/**
+ * Not shardeable since we can not query trusted relations, because this would lead to a recursive problem where we then need to determine whether the responder is trusted or not
+ */
+
+type TrustedNetworkArgs = { role?: SubscriptionType };
+@variant("trusted_network")
+export class TrustedNetwork extends Program<TrustedNetworkArgs> {
+	@field({ type: PublicSignKey })
+	rootTrust: PublicSignKey;
+
+	@field({ type: Documents })
+	trustGraph: Documents<IdentityRelation>;
+
+	constructor(props: { id?: Uint8Array; rootTrust: PublicSignKey | PeerId }) {
+		super();
+		this.trustGraph = createIdentityGraphStore(props.id);
+		this.rootTrust = coercePublicKey(props.rootTrust);
+	}
+
+	async open(options?: TrustedNetworkArgs) {
+		await this.trustGraph.open({
+			type: IdentityRelation,
+			canAppend: this.canAppend.bind(this),
+			canRead: this.canRead.bind(this),
+			role: options?.role,
+			index: {
+				fields: (obj, _entry) => {
+					return {
+						from: obj.from.hashcode(),
+						to: obj.to.hashcode(),
+					};
+				},
+			},
+		}); // self referencing access controller
+	}
+
+	async canAppend(entry: Entry<Operation<IdentityRelation>>): Promise<boolean> {
+		return canAppendByRelation(entry, (key) => this.isTrusted(key));
+	}
+
+	async canRead(_key?: PublicSignKey): Promise<boolean> {
+		return true; // TODO should we have read access control?
+	}
+
+	async add(
+		trustee: PublicSignKey | PeerId
+	): Promise<IdentityRelation | undefined> {
+		const key =
+			trustee instanceof PublicSignKey
+				? trustee
+				: getPublicKeyFromPeerId(trustee);
+
+		const existingRelation = await this.getRelation(
+			key,
+			this.node.identity.publicKey
+		);
+		if (!existingRelation) {
+			const relation = new IdentityRelation({
+				to: key,
+				from: this.node.identity.publicKey,
+			});
+			await this.trustGraph.put(relation);
+			return relation;
+		}
+		return existingRelation;
+	}
+
+	async hasRelation(
+		trustee: PublicSignKey | PeerId,
+		truster: PublicSignKey | PeerId = this.rootTrust
+	) {
+		return !!(await this.getRelation(trustee, truster));
+	}
+	getRelation(
+		trustee: PublicSignKey | PeerId,
+		truster: PublicSignKey | PeerId = this.rootTrust
+	) {
+		return getRelation(
+			coercePublicKey(truster),
+			coercePublicKey(trustee),
+			this.trustGraph
+		);
+	}
+
+	/**
+	 * Follow trust path back to trust root.
+	 * Trust root is always trusted.
+	 * Hence if
+	 * Root trust A trust B trust C
+	 * C is trusted by Root
+	 * @param trustee
+	 * @param truster, the truster "root", if undefined defaults to the root trust
+	 * @returns true, if trusted
+	 */
+	async isTrusted(
+		trustee: PublicSignKey,
+		truster: PublicSignKey = this.rootTrust
+	): Promise<boolean> {
+		if (trustee.equals(this.rootTrust)) {
+			return true;
+		}
+		if (this.trustGraph.log.role instanceof Replicator) {
+			return this._isTrustedLocal(trustee, truster);
+		} else {
+			this.trustGraph.index.search(new SearchRequest({ query: [] }), {
+				remote: { sync: true },
+			});
+			return this._isTrustedLocal(trustee, truster);
+		}
+	}
+
+	async _isTrustedLocal(
+		trustee: PublicSignKey,
+		truster: PublicSignKey = this.rootTrust
+	): Promise<boolean> {
+		const trustPath = await hasPath(
+			trustee,
+			truster,
+			this.trustGraph,
+			getFromByTo
+		);
+		return !!trustPath;
+	}
+
+	async getTrusted(): Promise<PublicSignKey[]> {
+		const current = this.rootTrust;
+		const participants: PublicSignKey[] = [current];
+		const generator = getPathGenerator(current, this.trustGraph, getToByFrom);
+		for await (const next of generator) {
+			participants.push(next.to);
+		}
+		return participants;
+	}
+
+	hashCode(): string {
+		return sha256Base64Sync(serialize(this));
+	}
+}

package/src/identity-graph.ts

@@ -0,0 +1,189 @@
+import { field, fixedArray, serialize, variant } from "@dao-xyz/borsh";
+import {
+	Documents,
+	DocumentIndex,
+	SearchRequest,
+	StringMatch,
+} from "@peerbit/document";
+import { PublicSignKey } from "@peerbit/crypto";
+import { concat } from "uint8arrays";
+import { RPC } from "@peerbit/rpc";
+import { sha256Sync } from "@peerbit/crypto";
+
+export type RelationResolver = {
+	resolve: (
+		key: PublicSignKey,
+		db: Documents<IdentityRelation>
+	) => Promise<IdentityRelation[]>;
+	next: (relation: IdentityRelation) => PublicSignKey;
+};
+
+export const getFromByTo: RelationResolver = {
+	resolve: async (to: PublicSignKey, db: Documents<IdentityRelation>) => {
+		return Promise.all(
+			await db.index.search(
+				new SearchRequest({
+					query: [
+						new StringMatch({
+							key: "to",
+							value: to.hashcode(),
+						}),
+					],
+				}),
+				{
+					local: true,
+					remote: false,
+				}
+			)
+		);
+	},
+	next: (relation) => relation.from,
+};
+
+export const getToByFrom: RelationResolver = {
+	resolve: async (from: PublicSignKey, db: Documents<IdentityRelation>) => {
+		return Promise.all(
+			await db.index.search(
+				new SearchRequest({
+					query: [
+						new StringMatch({
+							key: "from",
+							value: from.hashcode(),
+						}),
+					],
+				}),
+				{
+					local: true,
+					remote: false,
+				}
+			)
+		);
+	},
+	next: (relation) => relation.to,
+};
+
+export async function* getPathGenerator(
+	from: PublicSignKey,
+	db: Documents<IdentityRelation>,
+	resolver: RelationResolver
+) {
+	let iter = [from];
+	const visited = new Set();
+	while (iter.length > 0) {
+		const newIter: PublicSignKey[] = [];
+		for (const value of iter) {
+			const results = await resolver.resolve(value, db);
+			for (const result of results) {
+				if (result instanceof IdentityRelation) {
+					if (visited.has(result.id)) {
+						return;
+					}
+					visited.add(result.id);
+					yield result;
+
+					newIter.push(resolver.next(result));
+				}
+			}
+		}
+		iter = newIter;
+	}
+}
+
+/**
+ * Get path, to target.
+ * @param start
+ * @param target
+ * @param db
+ * @returns
+ */
+export const hasPathToTarget = async (
+	start: PublicSignKey,
+	target: (key: PublicSignKey) => boolean,
+	db: Documents<IdentityRelation>,
+	resolver: RelationResolver
+): Promise<boolean> => {
+	if (!db) {
+		throw new Error("Not initalized");
+	}
+
+	const current = start;
+	if (target(current)) {
+		return true;
+	}
+
+	const iterator = getPathGenerator(current, db, resolver);
+	for await (const relation of iterator) {
+		if (target(relation.from)) {
+			return true;
+		}
+	}
+	return false;
+};
+
+@variant(0)
+export abstract class AbstractRelation {
+	@field({ type: fixedArray("u8", 32) })
+	id: Uint8Array;
+}
+
+@variant(0)
+export class IdentityRelation extends AbstractRelation {
+	@field({ type: PublicSignKey })
+	_from: PublicSignKey;
+
+	@field({ type: PublicSignKey })
+	_to: PublicSignKey;
+
+	constructor(properties?: {
+		to: PublicSignKey; // signed by truster
+		from: PublicSignKey;
+	}) {
+		super();
+		if (properties) {
+			this._from = properties.from;
+			this._to = properties.to;
+			this.initializeId();
+		}
+	}
+
+	get from(): PublicSignKey {
+		return this._from;
+	}
+
+	get to(): PublicSignKey {
+		return this._to;
+	}
+
+	initializeId() {
+		this.id = IdentityRelation.id(this.to, this.from);
+	}
+
+	static id(to: PublicSignKey, from: PublicSignKey) {
+		return sha256Sync(concat([serialize(to), serialize(from)]));
+	}
+}
+
+export const hasPath = async (
+	start: PublicSignKey,
+	end: PublicSignKey,
+	db: Documents<IdentityRelation>,
+	resolver: RelationResolver
+): Promise<boolean> => {
+	return hasPathToTarget(start, (key) => end.equals(key), db, resolver);
+};
+
+export const getRelation = async (
+	from: PublicSignKey,
+	to: PublicSignKey,
+	db: Documents<IdentityRelation>
+): Promise<IdentityRelation | undefined> => {
+	return db.index.get(new IdentityRelation({ from, to }).id);
+};
+
+export const createIdentityGraphStore = (id?: Uint8Array) =>
+	new Documents<IdentityRelation>({
+		index: new DocumentIndex({
+			query: new RPC(),
+		}),
+		id,
+	});

package/src/index.ts

@@ -0,0 +1,2 @@
+export * from "./controller.js";
+export * from "./identity-graph.js";