@viewportai/daemon 0.5.2 → 0.6.0

package/dist/context/local-edge-sync.d.ts

@@ -1,4 +1,5 @@
 import { transportFetch, type TlsVerifyMode } from '../cli/network.js';
+import { type SignedContextGrantMaterialization } from '../security/epoch-protocol.js';
 import type { ContextCredentials } from './local-edge-types.js';
 export declare function pushContextEvents(options: {
     contextResourceId: string;
@@ -32,8 +33,70 @@ export declare function pullContextEvents(options: {
 }): Promise<{
     appliedCandidateDecisions: number;
     imported: number;
+    materializedGrants: number;
     pendingCandidateDecisions: number;
     pulled: number;
     repoId: string;
 }>;
+export declare function recordContextGrantMaterialization(options: {
+    workspaceId: string;
+    serverUrl: string;
+    credential: string;
+    contextResourceId: string;
+    receipts: SignedContextGrantMaterialization[];
+    tlsVerify?: TlsVerifyMode;
+    caCertPath?: string;
+    tlsPins?: string[];
+    fetchImpl?: typeof transportFetch;
+}): Promise<number>;
+export declare function recordContextCandidatePreviewProof(options: {
+    workspaceId: string;
+    serverUrl: string;
+    credential: string;
+    contextResourceId: string;
+    candidateEventId: string;
+    payloadDigest?: string | null;
+    previewDigest?: string | null;
+    tlsVerify?: TlsVerifyMode;
+    caCertPath?: string;
+    tlsPins?: string[];
+    fetchImpl?: typeof transportFetch;
+}): Promise<{
+    previewProofId: string;
+    expiresAt: string | null;
+}>;
+export declare function processPendingContextGrants(options: {
+    contextResourceId: string;
+    workspaceId: string;
+    serverUrl: string;
+    credential: string;
+    actorName: string;
+    credentials: ContextCredentials;
+    tlsVerify?: TlsVerifyMode;
+    caCertPath?: string;
+    tlsPins?: string[];
+    home?: string;
+    fetchImpl?: typeof transportFetch;
+}): Promise<{
+    emitted: number;
+    missingIdentity: number;
+    pushed: number;
+}>;
+export declare function processPendingContextRevocations(options: {
+    contextResourceId: string;
+    workspaceId: string;
+    serverUrl: string;
+    credential: string;
+    actorName: string;
+    credentials: ContextCredentials;
+    tlsVerify?: TlsVerifyMode;
+    caCertPath?: string;
+    tlsPins?: string[];
+    home?: string;
+    fetchImpl?: typeof transportFetch;
+}): Promise<{
+    revoked: number;
+    missingIdentity: number;
+    pushed: number;
+}>;
 //# sourceMappingURL=local-edge-sync.d.ts.map

package/dist/context/local-edge-sync.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"local-edge-sync.d.ts","sourceRoot":"","sources":["../../src/context/local-edge-sync.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,KAAK,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAUvE,OAAO,KAAK,EAEV,kBAAkB,EAGnB,MAAM,uBAAuB,CAAC;AAE/B,wBAAsB,iBAAiB,CAAC,OAAO,EAAE;IAC/C,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAoChE;AAED,wBAAsB,iBAAiB,CAAC,OAAO,EAAE;IAC/C,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,kBAAkB,CAAC;IAChC,mBAAmB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC;IACV,yBAAyB,EAAE,MAAM,CAAC;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,yBAAyB,EAAE,MAAM,CAAC;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC,CAgFD"}
+{"version":3,"file":"local-edge-sync.d.ts","sourceRoot":"","sources":["../../src/context/local-edge-sync.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,KAAK,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAavE,OAAO,EAKL,KAAK,iCAAiC,EAEvC,MAAM,+BAA+B,CAAC;AACvC,OAAO,KAAK,EAEV,kBAAkB,EAGnB,MAAM,uBAAuB,CAAC;AAI/B,wBAAsB,iBAAiB,CAAC,OAAO,EAAE;IAC/C,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CAoChE;AAED,wBAAsB,iBAAiB,CAAC,OAAO,EAAE;IAC/C,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,kBAAkB,CAAC;IAChC,mBAAmB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC;IACV,yBAAyB,EAAE,MAAM,CAAC;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,yBAAyB,EAAE,MAAM,CAAC;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC,CA0GD;AAED,wBAAsB,iCAAiC,CAAC,OAAO,EAAE;IAC/D,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,QAAQ,EAAE,iCAAiC,EAAE,CAAC;IAC9C,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC,MAAM,CAAC,CAwBlB;AAED,wBAAsB,kCAAkC,CAAC,OAAO,EAAE;IAChE,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,gBAAgB,EAAE,MAAM,CAAC;IACzB,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC;IAAE,cAAc,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CAAC,CA+BhE;AAED,wBAAsB,2BAA2B,CAAC,OAAO,EAAE;IACzD,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,kBAAkB,CAAC;IAChC,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,eAAe,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CA2LxE;AAED,wBAAsB,gCAAgC,CAAC,OAAO,EAAE;IAC9D,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,kBAAkB,CAAC;IAChC,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,eAAe,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CA6ExE"}

package/dist/context/local-edge-sync.js

@@ -5,6 +5,11 @@ import { applyContextCandidateDecision } from './local-edge-candidates.js';
 import { readCandidateDecisionApplications } from './local-edge-decision-applications.js';
 import { verifyContextCandidateDecision } from './local-edge-decision-signature.js';
 import { readContextMetadata, touchContextMetadata } from './local-edge-metadata.js';
+import { grantContextHpkeRecipient, revokeContextUser } from './local-edge-store.js';
+import { validateAndPinPublicEpoch } from '../security/epoch-public-pins.js';
+import { getActiveLocalUserEpoch, listActiveLocalTeamEpochs } from '../security/epoch-store.js';
+import { TRUSTED_EDGE_CRYPTO_PROTOCOL_HEADER, TRUSTED_EDGE_CRYPTO_PROTOCOL_VERSION, contextGrantMaterializationPayload, signContextGrantMaterialization, } from '../security/epoch-protocol.js';
+const CONTEXT_GRANT_EVENT_TYPES = new Set(['member.granted', 'key.rotated']);
 export async function pushContextEvents(options) {
     const home = options.home ?? configDir();
     const metadata = await readContextMetadata(options.contextResourceId, home);
@@ -64,11 +69,35 @@ export async function pullContextEvents(options) {
     });
     const records = extractPulledRecords(response);
     const events = records.map((record) => record.signedEvent);
+    const grantIdentities = await contextGrantIdentitiesForWorkspace({
+        workspaceId: options.workspaceId ?? options.contextResourceId,
+        home,
+    });
     const imported = await vault.importSyncEvents({
         repoId: metadata.repoId,
         events,
         actorName: options.actorName,
+        grantIdentities,
+    });
+    const materializationReceipts = contextGrantMaterializationReceipts({
+        workspaceId: options.workspaceId ?? options.contextResourceId,
+        contextResourceId: options.contextResourceId,
+        events,
+        grantIdentities,
     });
+    const materializedGrants = materializationReceipts.length > 0
+        ? await recordContextGrantMaterialization({
+            workspaceId: options.workspaceId ?? options.contextResourceId,
+            serverUrl: options.serverUrl,
+            credential: options.credential,
+            contextResourceId: options.contextResourceId,
+            receipts: materializationReceipts,
+            tlsVerify: options.tlsVerify,
+            caCertPath: options.caCertPath,
+            tlsPins: options.tlsPins,
+            fetchImpl: options.fetchImpl,
+        })
+        : 0;
     const candidateDecisions = extractPulledCandidateDecisions(response, options.trustedDecisionKeys);
     const candidateDecisionResults = [];
     for (const decision of candidateDecisions) {
@@ -91,19 +120,398 @@ export async function pullContextEvents(options) {
     return {
         appliedCandidateDecisions,
         imported: imported.imported.length,
+        materializedGrants,
         pendingCandidateDecisions,
         pulled: events.length,
         repoId: metadata.repoId,
     };
 }
+export async function recordContextGrantMaterialization(options) {
+    if (options.receipts.length === 0) {
+        return 0;
+    }
+    const response = await postJson(options.fetchImpl ?? transportFetch, contextGrantMaterializedUrl(options.serverUrl, options.workspaceId), {
+        credential: options.credential,
+        context_resource_id: options.contextResourceId,
+        receipts: options.receipts.map((receipt) => ({
+            payload: receipt.payload,
+            signature: receipt.signature,
+            signed_by_epoch_fingerprint: receipt.signedByEpochFingerprint,
+        })),
+    }, {
+        tlsVerify: options.tlsVerify,
+        caCertPath: options.caCertPath,
+        tlsPins: options.tlsPins,
+    });
+    return numberField(response, 'materialized');
+}
+export async function recordContextCandidatePreviewProof(options) {
+    const response = await postJson(options.fetchImpl ?? transportFetch, contextCandidatePreviewProofUrl(options.serverUrl, options.workspaceId), {
+        credential: options.credential,
+        context_resource_id: options.contextResourceId,
+        candidate_event_id: options.candidateEventId,
+        ...(options.payloadDigest ? { payload_digest: options.payloadDigest } : {}),
+        ...(options.previewDigest ? { preview_digest: options.previewDigest } : {}),
+    }, {
+        tlsVerify: options.tlsVerify,
+        caCertPath: options.caCertPath,
+        tlsPins: options.tlsPins,
+    });
+    if (!response || typeof response !== 'object') {
+        throw new Error('Context preview proof response was not an object');
+    }
+    const previewProofId = response.preview_proof_id;
+    if (typeof previewProofId !== 'string' || previewProofId === '') {
+        throw new Error('Context preview proof response did not include preview_proof_id');
+    }
+    const expiresAt = response.expires_at;
+    return {
+        previewProofId,
+        expiresAt: typeof expiresAt === 'string' ? expiresAt : null,
+    };
+}
+export async function processPendingContextGrants(options) {
+    const fetchImpl = options.fetchImpl ?? transportFetch;
+    const response = await postJson(fetchImpl, contextPendingGrantsUrl(options.serverUrl, options.workspaceId), {
+        credential: options.credential,
+        context_resource_id: options.contextResourceId,
+    }, {
+        tlsVerify: options.tlsVerify,
+        caCertPath: options.caCertPath,
+        tlsPins: options.tlsPins,
+    });
+    const grants = arrayField(response, 'grants');
+    let emitted = 0;
+    let missingIdentity = 0;
+    let pushed = 0;
+    for (const grant of grants) {
+        const record = objectValue(grant);
+        const userEpoch = objectField(record, 'user_epoch', false);
+        if (userEpoch) {
+            const userEpochId = String(numberOrStringField(userEpoch, 'id'));
+            const userId = String(numberOrStringField(userEpoch, 'user_id'));
+            const epoch = numberField(userEpoch, 'epoch');
+            const fingerprint = stringField(userEpoch, 'fingerprint');
+            const encryptionPublicKeyJwk = objectField(userEpoch, 'encryption_public_key_jwk');
+            const signingPublicKeyJwk = objectField(userEpoch, 'signing_public_key_jwk');
+            await validateAndPinPublicEpoch({
+                platformEpochId: userEpochId,
+                workspaceId: options.workspaceId,
+                subjectType: 'user',
+                subjectId: userId,
+                epoch,
+                schema: 'viewport.user_crypto_epoch/v1',
+                fingerprint,
+                encryptionPublicKeyJwk: encryptionPublicKeyJwk,
+                signingPublicKeyJwk: signingPublicKeyJwk,
+                previousEpochFingerprint: nullableStringField(userEpoch, 'previous_epoch_fingerprint'),
+                continuityPayload: objectField(userEpoch, 'continuity_payload', false),
+                continuitySignature: nullableStringField(userEpoch, 'continuity_signature'),
+                signedByEpochFingerprint: nullableStringField(userEpoch, 'signed_by_epoch_fingerprint'),
+            }, options.home);
+            const recipientName = contextUserEpochRecipientName({ userEpochId, fingerprint });
+            const result = await grantContextHpkeRecipient({
+                contextResourceId: options.contextResourceId,
+                actorName: options.actorName,
+                recipientName,
+                recipientHpkePublicKey: jwkPublicXToBase64(encryptionPublicKeyJwk),
+                credentials: options.credentials,
+                home: options.home,
+            });
+            const event = objectValue(result.event);
+            const grantEventId = stringField(event, 'id');
+            const grantPayload = objectField(event, 'grant', false);
+            const keyEpoch = grantPayload ? numberField(grantPayload, 'keyEpoch', false) : null;
+            const pushResult = await pushContextEvents({
+                contextResourceId: options.contextResourceId,
+                workspaceId: options.workspaceId,
+                serverUrl: options.serverUrl,
+                credential: options.credential,
+                tlsVerify: options.tlsVerify,
+                caCertPath: options.caCertPath,
+                tlsPins: options.tlsPins,
+                home: options.home,
+                fetchImpl,
+            });
+            pushed += pushResult.accepted;
+            await postJson(fetchImpl, contextMarkGrantEmittedUrl(options.serverUrl, options.workspaceId), {
+                credential: options.credential,
+                crypto_grant_id: stringField(record, 'id'),
+                grant_event_id: grantEventId,
+                recipient_identity_name: recipientName,
+                recipient_type: 'user_epoch',
+                recipient_epoch_id: userEpochId,
+                recipient_fingerprint: fingerprint,
+                ...(keyEpoch !== null ? { key_epoch: keyEpoch } : {}),
+            }, {
+                tlsVerify: options.tlsVerify,
+                caCertPath: options.caCertPath,
+                tlsPins: options.tlsPins,
+            });
+            emitted++;
+            continue;
+        }
+        const teamEpoch = objectField(record, 'team_epoch', false);
+        if (teamEpoch) {
+            const teamEpochId = String(numberOrStringField(teamEpoch, 'id'));
+            const teamId = String(numberOrStringField(teamEpoch, 'team_id'));
+            const epoch = numberField(teamEpoch, 'epoch');
+            const fingerprint = stringField(teamEpoch, 'fingerprint');
+            const encryptionPublicKeyJwk = objectField(teamEpoch, 'encryption_public_key_jwk');
+            const signingPublicKeyJwk = objectField(teamEpoch, 'signing_public_key_jwk');
+            await validateAndPinPublicEpoch({
+                platformEpochId: teamEpochId,
+                workspaceId: options.workspaceId,
+                subjectType: 'team',
+                subjectId: teamId,
+                epoch,
+                schema: 'viewport.team_crypto_epoch/v1',
+                fingerprint,
+                encryptionPublicKeyJwk: encryptionPublicKeyJwk,
+                signingPublicKeyJwk: signingPublicKeyJwk,
+                previousEpochFingerprint: nullableStringField(teamEpoch, 'previous_epoch_fingerprint'),
+                continuityPayload: objectField(teamEpoch, 'continuity_payload', false),
+                continuitySignature: nullableStringField(teamEpoch, 'continuity_signature'),
+                signedByEpochFingerprint: nullableStringField(teamEpoch, 'signed_by_epoch_fingerprint'),
+            }, options.home);
+            const recipientName = contextTeamEpochRecipientName({ teamEpochId, fingerprint });
+            const result = await grantContextHpkeRecipient({
+                contextResourceId: options.contextResourceId,
+                actorName: options.actorName,
+                recipientName,
+                recipientHpkePublicKey: jwkPublicXToBase64(encryptionPublicKeyJwk),
+                credentials: options.credentials,
+                home: options.home,
+            });
+            const event = objectValue(result.event);
+            const grantEventId = stringField(event, 'id');
+            const grantPayload = objectField(event, 'grant', false);
+            const keyEpoch = grantPayload ? numberField(grantPayload, 'keyEpoch', false) : null;
+            const pushResult = await pushContextEvents({
+                contextResourceId: options.contextResourceId,
+                workspaceId: options.workspaceId,
+                serverUrl: options.serverUrl,
+                credential: options.credential,
+                tlsVerify: options.tlsVerify,
+                caCertPath: options.caCertPath,
+                tlsPins: options.tlsPins,
+                home: options.home,
+                fetchImpl,
+            });
+            pushed += pushResult.accepted;
+            await postJson(fetchImpl, contextMarkGrantEmittedUrl(options.serverUrl, options.workspaceId), {
+                credential: options.credential,
+                crypto_grant_id: stringField(record, 'id'),
+                grant_event_id: grantEventId,
+                recipient_identity_name: recipientName,
+                recipient_type: 'team_epoch',
+                recipient_epoch_id: teamEpochId,
+                recipient_fingerprint: fingerprint,
+                ...(keyEpoch !== null ? { key_epoch: keyEpoch } : {}),
+            }, {
+                tlsVerify: options.tlsVerify,
+                caCertPath: options.caCertPath,
+                tlsPins: options.tlsPins,
+            });
+            emitted++;
+            continue;
+        }
+        missingIdentity++;
+    }
+    return { emitted, missingIdentity, pushed };
+}
+export async function processPendingContextRevocations(options) {
+    const fetchImpl = options.fetchImpl ?? transportFetch;
+    const response = await postJson(fetchImpl, contextPendingRevocationsUrl(options.serverUrl, options.workspaceId), {
+        credential: options.credential,
+        context_resource_id: options.contextResourceId,
+    }, {
+        tlsVerify: options.tlsVerify,
+        caCertPath: options.caCertPath,
+        tlsPins: options.tlsPins,
+    });
+    const revocations = arrayField(response, 'revocations');
+    let revoked = 0;
+    let missingIdentity = 0;
+    let pushed = 0;
+    for (const revocation of revocations) {
+        const record = objectValue(revocation);
+        const recipientName = nullableStringField(record, 'recipient_identity_name');
+        if (!recipientName) {
+            missingIdentity++;
+            continue;
+        }
+        const result = await revokeContextUser({
+            contextResourceId: options.contextResourceId,
+            actorName: options.actorName,
+            recipientName,
+            credentials: options.credentials,
+            home: options.home,
+        });
+        const revokeEventId = stringField(objectValue(result.revokeEvent), 'id');
+        const rotationEventIds = result.rotateEvents.map((event) => stringField(objectValue(event), 'id'));
+        const rotationEvents = result.rotateEvents.map((event) => contextGrantRotationReceipt(event));
+        const maxKeyEpoch = maxEventEpoch([result.revokeEvent, ...result.rotateEvents]);
+        const pushResult = await pushContextEvents({
+            contextResourceId: options.contextResourceId,
+            workspaceId: options.workspaceId,
+            serverUrl: options.serverUrl,
+            credential: options.credential,
+            tlsVerify: options.tlsVerify,
+            caCertPath: options.caCertPath,
+            tlsPins: options.tlsPins,
+            home: options.home,
+            fetchImpl,
+        });
+        pushed += pushResult.accepted;
+        await postJson(fetchImpl, contextMarkRevokedUrl(options.serverUrl, options.workspaceId), {
+            credential: options.credential,
+            crypto_grant_id: stringField(record, 'id'),
+            revoke_event_id: revokeEventId,
+            rotation_event_ids: rotationEventIds,
+            rotation_events: rotationEvents,
+            ...(maxKeyEpoch !== null ? { key_epoch: maxKeyEpoch } : {}),
+        }, {
+            tlsVerify: options.tlsVerify,
+            caCertPath: options.caCertPath,
+            tlsPins: options.tlsPins,
+        });
+        revoked++;
+    }
+    return { revoked, missingIdentity, pushed };
+}
+function maxEventEpoch(events) {
+    let max = null;
+    for (const event of events) {
+        const epoch = numberField(objectValue(event), 'keyEpoch', false);
+        if (epoch !== null)
+            max = max === null ? epoch : Math.max(max, epoch);
+    }
+    return max;
+}
+function contextGrantRotationReceipt(event) {
+    const object = objectValue(event);
+    const grant = objectField(object, 'grant', false);
+    const recipientName = grant ? nullableStringField(grant, 'recipientName') : null;
+    return {
+        event_id: stringField(object, 'id'),
+        ...(recipientName ? { recipient_identity_name: recipientName } : {}),
+    };
+}
+async function contextGrantIdentitiesForWorkspace(options) {
+    const userEpoch = await getActiveLocalUserEpoch(options.workspaceId, options.home);
+    const teamEpochs = await listActiveLocalTeamEpochs(options.workspaceId, options.home);
+    return [
+        ...(userEpoch?.platformEpochId
+            ? [
+                {
+                    kind: 'user_epoch',
+                    name: contextUserEpochRecipientName({
+                        userEpochId: userEpoch.platformEpochId,
+                        fingerprint: userEpoch.fingerprint,
+                    }),
+                    hpkePrivateKey: jwkPrivateDToBase64(objectValue(userEpoch.encryptionPrivateKeyJwk)),
+                    signingPrivateKeyJwk: userEpoch.signingPrivateKeyJwk,
+                    signerFingerprint: userEpoch.fingerprint,
+                },
+            ]
+            : []),
+        ...teamEpochs.map((epoch) => ({
+            kind: 'team_epoch',
+            name: contextTeamEpochRecipientName({
+                teamEpochId: epoch.platformEpochId ?? `${epoch.platformTeamId ?? epoch.teamId}:${epoch.epoch}`,
+                fingerprint: epoch.fingerprint,
+            }),
+            hpkePrivateKey: jwkPrivateDToBase64(objectValue(epoch.encryptionPrivateKeyJwk)),
+            signingPrivateKeyJwk: epoch.signingPrivateKeyJwk,
+            signerFingerprint: epoch.fingerprint,
+        })),
+    ];
+}
+function contextGrantMaterializationReceipts(options) {
+    const receipts = [];
+    for (const event of options.events) {
+        const match = grantEventRecipientMatch(event, options.grantIdentities);
+        if (!match)
+            continue;
+        const keyEpoch = numberField(event, 'keyEpoch', false);
+        const payload = contextGrantMaterializationPayload({
+            workspaceId: options.workspaceId,
+            contextResourceId: options.contextResourceId,
+            grantEventId: stringField(event, 'id'),
+            recipientName: match.identity.name,
+            keyEpoch,
+        });
+        receipts.push(signContextGrantMaterialization({
+            payload,
+            signingPrivateKeyJwk: match.identity.signingPrivateKeyJwk,
+            signedByEpochFingerprint: match.identity.signerFingerprint,
+        }));
+    }
+    return receipts;
+}
+function grantEventRecipientMatch(event, grantIdentities) {
+    if (!CONTEXT_GRANT_EVENT_TYPES.has(event.type))
+        return null;
+    const grant = event.grant;
+    if (!grant || typeof grant !== 'object' || Array.isArray(grant))
+        return null;
+    const recipientName = grant.recipientName;
+    if (typeof recipientName !== 'string' || recipientName === '')
+        return null;
+    const identity = grantIdentities.find((candidate) => candidate.name === recipientName);
+    return identity ? { grant: grant, identity } : null;
+}
+function contextUserEpochRecipientName(input) {
+    return `user-epoch:${input.userEpochId}:${input.fingerprint}`;
+}
+function contextTeamEpochRecipientName(input) {
+    return `team-epoch:${input.teamEpochId}:${input.fingerprint}`;
+}
+function jwkPublicXToBase64(jwk) {
+    const x = stringField(jwk, 'x');
+    return Buffer.from(x, 'base64url').toString('base64');
+}
+function jwkPrivateDToBase64(jwk) {
+    const d = stringField(jwk, 'd');
+    return Buffer.from(d, 'base64url').toString('base64');
+}
 function contextRuntimeUrl(serverUrl, workspaceId, operation) {
     const base = serverUrl.replace(/\/+$/, '');
     return `${base}/api/runtime/workspaces/${encodeURIComponent(workspaceId)}/context-vault/events/${operation}`;
 }
+function contextCandidatePreviewProofUrl(serverUrl, workspaceId) {
+    const base = serverUrl.replace(/\/+$/, '');
+    return `${base}/api/runtime/workspaces/${encodeURIComponent(workspaceId)}/context-vault/candidates/preview-proof`;
+}
+function contextPendingGrantsUrl(serverUrl, workspaceId) {
+    const base = serverUrl.replace(/\/+$/, '');
+    return `${base}/api/runtime/workspaces/${encodeURIComponent(workspaceId)}/context-vault/grants/pending`;
+}
+function contextMarkGrantEmittedUrl(serverUrl, workspaceId) {
+    const base = serverUrl.replace(/\/+$/, '');
+    return `${base}/api/runtime/workspaces/${encodeURIComponent(workspaceId)}/context-vault/grants/mark-emitted`;
+}
+function contextPendingRevocationsUrl(serverUrl, workspaceId) {
+    const base = serverUrl.replace(/\/+$/, '');
+    return `${base}/api/runtime/workspaces/${encodeURIComponent(workspaceId)}/context-vault/grants/revocations/pending`;
+}
+function contextMarkRevokedUrl(serverUrl, workspaceId) {
+    const base = serverUrl.replace(/\/+$/, '');
+    return `${base}/api/runtime/workspaces/${encodeURIComponent(workspaceId)}/context-vault/grants/mark-revoked`;
+}
+function contextGrantMaterializedUrl(serverUrl, workspaceId) {
+    const base = serverUrl.replace(/\/+$/, '');
+    return `${base}/api/runtime/workspaces/${encodeURIComponent(workspaceId)}/context-vault/grants/materialized`;
+}
 async function postJson(fetchImpl, url, body, transportOptions = {}) {
     const response = await fetchImpl(url, {
         method: 'POST',
-        headers: { 'content-type': 'application/json', accept: 'application/json' },
+        headers: {
+            'content-type': 'application/json',
+            accept: 'application/json',
+            [TRUSTED_EDGE_CRYPTO_PROTOCOL_HEADER]: TRUSTED_EDGE_CRYPTO_PROTOCOL_VERSION,
+        },
         body: JSON.stringify(body),
         timeoutMs: 5_000,
         ...transportOptions,
@@ -144,6 +552,47 @@ function extractPulledRecords(response) {
         };
     });
 }
+function objectValue(value) {
+    if (!value || typeof value !== 'object' || Array.isArray(value)) {
+        throw new Error('Expected object value');
+    }
+    return value;
+}
+function objectField(value, field, required = true) {
+    const object = objectValue(value);
+    const child = object[field];
+    if (child === undefined || child === null) {
+        if (!required)
+            return null;
+    }
+    return objectValue(child);
+}
+function arrayField(value, field) {
+    const object = objectValue(value);
+    const child = object[field];
+    if (!Array.isArray(child)) {
+        throw new Error(`Expected ${field} to be an array`);
+    }
+    return child;
+}
+function nullableStringField(value, field) {
+    const object = objectValue(value);
+    const child = object[field];
+    if (child === undefined || child === null)
+        return null;
+    if (typeof child !== 'string') {
+        throw new Error(`Expected ${field} to be a string`);
+    }
+    return child;
+}
+function stringField(value, field) {
+    const object = objectValue(value);
+    const child = object[field];
+    if (typeof child !== 'string' || child.length === 0) {
+        throw new Error(`Expected ${field} to be a non-empty string`);
+    }
+    return child;
+}
 function extractPulledCandidateDecisions(response, trustedDecisionKeys) {
     if (!response ||
         typeof response !== 'object' ||
@@ -180,14 +629,25 @@ function latestReceivedAt(records, decisions = []) {
         .sort()
         .at(-1);
 }
-function numberField(response, field) {
-    if (!response || typeof response !== 'object') {
+function numberField(response, field, required = true) {
+    const object = objectValue(response);
+    const value = object[field];
+    if (value === undefined || value === null) {
+        if (!required)
+            return null;
         throw new Error(`Context sync response did not include ${field}`);
     }
-    const value = response[field];
     if (typeof value !== 'number') {
         throw new Error(`Context sync response ${field} must be a number`);
     }
     return value;
 }
+function numberOrStringField(response, field) {
+    const object = objectValue(response);
+    const value = object[field];
+    if (typeof value !== 'number' && typeof value !== 'string') {
+        throw new Error(`Context sync response ${field} must be a number or string`);
+    }
+    return value;
+}
 //# sourceMappingURL=local-edge-sync.js.map