npm - @viewportai/daemon - Versions diffs - 0.5.3 → 0.6.1 - Mend

@viewportai/daemon 0.5.3 → 0.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (118) hide show

package/dist/cli/commands.d.ts +1 -0
package/dist/cli/commands.d.ts.map +1 -1
package/dist/cli/commands.js +1 -0
package/dist/cli/commands.js.map +1 -1
package/dist/cli/context-access-command.d.ts +0 -6
package/dist/cli/context-access-command.d.ts.map +1 -1
package/dist/cli/context-access-command.js +1 -71
package/dist/cli/context-access-command.js.map +1 -1
package/dist/cli/context-command.d.ts.map +1 -1
package/dist/cli/context-command.js +575 -38
package/dist/cli/context-command.js.map +1 -1
package/dist/cli/context-vault-metadata-command.d.ts.map +1 -1
package/dist/cli/context-vault-metadata-command.js +6 -1
package/dist/cli/context-vault-metadata-command.js.map +1 -1
package/dist/cli/lifecycle-commands.d.ts.map +1 -1
package/dist/cli/lifecycle-commands.js +2 -8
package/dist/cli/lifecycle-commands.js.map +1 -1
package/dist/cli/skills-command.js +3 -3
package/dist/cli/unlock-command.d.ts +2 -0
package/dist/cli/unlock-command.d.ts.map +1 -0
package/dist/cli/unlock-command.js +35 -0
package/dist/cli/unlock-command.js.map +1 -0
package/dist/context/local-edge-auto-sync.d.ts +17 -0
package/dist/context/local-edge-auto-sync.d.ts.map +1 -0
package/dist/context/local-edge-auto-sync.js +94 -0
package/dist/context/local-edge-auto-sync.js.map +1 -0
package/dist/context/local-edge-store.d.ts +11 -0
package/dist/context/local-edge-store.d.ts.map +1 -1
package/dist/context/local-edge-store.js +25 -0
package/dist/context/local-edge-store.js.map +1 -1
package/dist/context/local-edge-sync.d.ts +2 -15
package/dist/context/local-edge-sync.d.ts.map +1 -1
package/dist/context/local-edge-sync.js +306 -86
package/dist/context/local-edge-sync.js.map +1 -1
package/dist/context/local-edge-types.d.ts +12 -0
package/dist/context/local-edge-types.d.ts.map +1 -1
package/dist/context-providers/viewport-vault-provider.d.ts.map +1 -1
package/dist/context-providers/viewport-vault-provider.js +11 -0
package/dist/context-providers/viewport-vault-provider.js.map +1 -1
package/dist/core/session-context-prompt.d.ts.map +1 -1
package/dist/core/session-context-prompt.js +8 -0
package/dist/core/session-context-prompt.js.map +1 -1
package/dist/hooks/trusted-edge-plan-artifacts.d.ts +30 -27
package/dist/hooks/trusted-edge-plan-artifacts.d.ts.map +1 -1
package/dist/hooks/trusted-edge-plan-artifacts.js +71 -89
package/dist/hooks/trusted-edge-plan-artifacts.js.map +1 -1
package/dist/index.d.ts +1 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +3 -1
package/dist/index.js.map +1 -1
package/dist/relay/bridge-daemon-key-registration.d.ts.map +1 -1
package/dist/relay/bridge-daemon-key-registration.js +27 -7
package/dist/relay/bridge-daemon-key-registration.js.map +1 -1
package/dist/security/epoch-enrollment.d.ts +48 -0
package/dist/security/epoch-enrollment.d.ts.map +1 -0
package/dist/security/epoch-enrollment.js +290 -0
package/dist/security/epoch-enrollment.js.map +1 -0
package/dist/security/epoch-protocol.d.ts +181 -0
package/dist/security/epoch-protocol.d.ts.map +1 -0
package/dist/security/epoch-protocol.js +285 -0
package/dist/security/epoch-protocol.js.map +1 -0
package/dist/security/epoch-public-pins.d.ts +19 -0
package/dist/security/epoch-public-pins.d.ts.map +1 -0
package/dist/security/epoch-public-pins.js +129 -0
package/dist/security/epoch-public-pins.js.map +1 -0
package/dist/security/epoch-recovery.d.ts +56 -0
package/dist/security/epoch-recovery.d.ts.map +1 -0
package/dist/security/epoch-recovery.js +314 -0
package/dist/security/epoch-recovery.js.map +1 -0
package/dist/security/epoch-store.d.ts +111 -0
package/dist/security/epoch-store.d.ts.map +1 -0
package/dist/security/epoch-store.js +224 -0
package/dist/security/epoch-store.js.map +1 -0
package/dist/security/epoch-sync.d.ts +47 -0
package/dist/security/epoch-sync.d.ts.map +1 -0
package/dist/security/epoch-sync.js +371 -0
package/dist/security/epoch-sync.js.map +1 -0
package/dist/security/team-epoch-grant-payloads.d.ts +44 -0
package/dist/security/team-epoch-grant-payloads.d.ts.map +1 -0
package/dist/security/team-epoch-grant-payloads.js +100 -0
package/dist/security/team-epoch-grant-payloads.js.map +1 -0
package/dist/security/team-epoch-grants.d.ts +31 -0
package/dist/security/team-epoch-grants.d.ts.map +1 -0
package/dist/security/team-epoch-grants.js +194 -0
package/dist/security/team-epoch-grants.js.map +1 -0
package/dist/server/http-context-routes.d.ts +2 -1
package/dist/server/http-context-routes.d.ts.map +1 -1
package/dist/server/http-context-routes.js +57 -15
package/dist/server/http-context-routes.js.map +1 -1
package/dist/server/http-server.js +1 -1
package/dist/server/http-server.js.map +1 -1
package/dist/server/rate-limiter.d.ts.map +1 -1
package/dist/server/rate-limiter.js +2 -1
package/dist/server/rate-limiter.js.map +1 -1
package/dist/server/trusted-edge-command-capability.d.ts +2 -1
package/dist/server/trusted-edge-command-capability.d.ts.map +1 -1
package/dist/server/trusted-edge-command-capability.js +15 -0
package/dist/server/trusted-edge-command-capability.js.map +1 -1
package/dist/server/ws-command-handlers.d.ts.map +1 -1
package/dist/server/ws-command-handlers.js +200 -28
package/dist/server/ws-command-handlers.js.map +1 -1
package/dist/server/ws-protocol.d.ts +281 -44
package/dist/server/ws-protocol.d.ts.map +1 -1
package/dist/server/ws-protocol.js +89 -19
package/dist/server/ws-protocol.js.map +1 -1
package/dist/startup.d.ts.map +1 -1
package/dist/startup.js +0 -17
package/dist/startup.js.map +1 -1
package/docs/README.md +18 -0
package/docs/configuration.md +3 -3
package/docs/protocol-matrix.json +53 -8
package/docs/security.md +11 -8
package/node_modules/@viewportai/context-engine/src/repo/identities.js +7 -3
package/node_modules/@viewportai/context-engine/src/repo/materializer.js +20 -5
package/node_modules/@viewportai/context-engine/src/repo/membership.js +15 -0
package/node_modules/@viewportai/context-engine/src/repo/sync.js +4 -4
package/node_modules/@viewportai/context-engine/src/repo/vault.js +8 -3
package/package.json +1 -1

package/dist/context/local-edge-sync.d.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 import { transportFetch, type TlsVerifyMode } from '../cli/network.js';
+import { type SignedContextGrantMaterialization } from '../security/epoch-protocol.js';
 import type { ContextCredentials } from './local-edge-types.js';
 export declare function pushContextEvents(options: {
     contextResourceId: string;
@@ -42,7 +43,7 @@ export declare function recordContextGrantMaterialization(options: {
     serverUrl: string;
     credential: string;
     contextResourceId: string;
-    grantEventIds: string[];
+    receipts: SignedContextGrantMaterialization[];
     tlsVerify?: TlsVerifyMode;
     caCertPath?: string;
     tlsPins?: string[];
@@ -64,20 +65,6 @@ export declare function recordContextCandidatePreviewProof(options: {
     previewProofId: string;
     expiresAt: string | null;
 }>;
-export declare function publishContextPublicIdentity(options: {
-    workspaceId: string;
-    serverUrl: string;
-    credential: string;
-    identityName: string;
-    tlsVerify?: TlsVerifyMode;
-    caCertPath?: string;
-    tlsPins?: string[];
-    home?: string;
-    fetchImpl?: typeof transportFetch;
-}): Promise<{
-    identityId: string;
-    fingerprint: string | null;
-}>;
 export declare function processPendingContextGrants(options: {
     contextResourceId: string;
     workspaceId: string;

package/dist/context/local-edge-sync.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"local-edge-sync.d.ts","sourceRoot":"","sources":["../../src/context/local-edge-sync.ts"],"names":[],"mappings":"~~AACA~~,OAAO,EAAE,cAAc,EAAE,KAAK,aAAa,EAAE,MAAM,mBAAmB,CAAC;~~AAgBvE~~,OAAO,KAAK,EAEV,kBAAkB,EAGnB,MAAM,uBAAuB,CAAC;AAI/B,wBAAsB,iBAAiB,CAAC,OAAO,EAAE;IAC/C,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,~~CAoChE~~;AAED,wBAAsB,iBAAiB,CAAC,OAAO,EAAE;IAC/C,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,kBAAkB,CAAC;IAChC,mBAAmB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC;IACV,yBAAyB,EAAE,MAAM,CAAC;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,yBAAyB,EAAE,MAAM,CAAC;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC,~~CAkGD~~;~~AAED~~,wBAAsB,iCAAiC,CAAC,OAAO,EAAE;IAC/D,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,~~aAAa~~,EAAE,~~MAAM~~,EAAE,CAAC;~~IACxB~~,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC,MAAM,CAAC,~~CAoBlB~~;AAED,wBAAsB,kCAAkC,CAAC,OAAO,EAAE;IAChE,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,gBAAgB,EAAE,MAAM,CAAC;IACzB,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC;IAAE,cAAc,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CAAC,CA+BhE;AAED,wBAAsB,4BAA4B,CAAC,OAAO,EAAE;IAC1D,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC;IAAE,UAAU,EAAE,MAAM,CAAC;IAAC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CAAC,CAwB9D;AAED,wBAAsB,2BAA2B,CAAC,OAAO,EAAE;IACzD,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,kBAAkB,CAAC;IAChC,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,eAAe,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,~~CA6ExE~~;AAED,wBAAsB,gCAAgC,CAAC,OAAO,EAAE;IAC9D,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,kBAAkB,CAAC;IAChC,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,eAAe,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,~~CAgFxE~~"}
1	+ {"version":3,"file":"local-edge-sync.d.ts","sourceRoot":"","sources":["../../src/context/local-edge-sync.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,cAAc,EAAE,KAAK,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAavE,OAAO,EAKL,KAAK,iCAAiC,EAEvC,MAAM,+BAA+B,CAAC;AACvC,OAAO,KAAK,EAEV,kBAAkB,EAGnB,MAAM,uBAAuB,CAAC;AAI/B,wBAAsB,iBAAiB,CAAC,OAAO,EAAE;IAC/C,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CA4ChE;AAED,wBAAsB,iBAAiB,CAAC,OAAO,EAAE;IAC/C,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,kBAAkB,CAAC;IAChC,mBAAmB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC7C,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC;IACV,yBAAyB,EAAE,MAAM,CAAC;IAClC,QAAQ,EAAE,MAAM,CAAC;IACjB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,yBAAyB,EAAE,MAAM,CAAC;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;CAChB,CAAC,CA2GD;AAiED,wBAAsB,iCAAiC,CAAC,OAAO,EAAE;IAC/D,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,QAAQ,EAAE,iCAAiC,EAAE,CAAC;IAC9C,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC,MAAM,CAAC,CAwBlB;AAED,wBAAsB,kCAAkC,CAAC,OAAO,EAAE;IAChE,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,gBAAgB,EAAE,MAAM,CAAC;IACzB,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC;IAAE,cAAc,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAAA;CAAE,CAAC,CA+BhE;AAED,wBAAsB,2BAA2B,CAAC,OAAO,EAAE;IACzD,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,kBAAkB,CAAC;IAChC,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,eAAe,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CA2LxE;AAED,wBAAsB,gCAAgC,CAAC,OAAO,EAAE;IAC9D,iBAAiB,EAAE,MAAM,CAAC;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,kBAAkB,CAAC;IAChC,SAAS,CAAC,EAAE,aAAa,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,SAAS,CAAC,EAAE,OAAO,cAAc,CAAC;CACnC,GAAG,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,CAAC;IAAC,eAAe,EAAE,MAAM,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC,CA6ExE"}

package/dist/context/local-edge-sync.js CHANGED Viewed

@@ -1,3 +1,4 @@
+import { createHash } from 'node:crypto';
 import { configDir } from '../core/config.js';
 import { transportFetch } from '../cli/network.js';
 import { assertCredentialsOrApprovedDevice, createVault, ensureUserOrApprovedDevice, } from './local-edge-engine.js';
@@ -5,13 +6,23 @@ import { applyContextCandidateDecision } from './local-edge-candidates.js';
 import { readCandidateDecisionApplications } from './local-edge-decision-applications.js';
 import { verifyContextCandidateDecision } from './local-edge-decision-signature.js';
 import { readContextMetadata, touchContextMetadata } from './local-edge-metadata.js';
-import { exportContextIdentity, grantContextUser, importContextIdentity, revokeContextUser, } from './local-edge-store.js';
+import { grantContextHpkeRecipient, revokeContextUser } from './local-edge-store.js';
+import { validateAndPinPublicEpoch } from '../security/epoch-public-pins.js';
+import { getActiveLocalUserEpoch, listActiveLocalTeamEpochs } from '../security/epoch-store.js';
+import { TRUSTED_EDGE_CRYPTO_PROTOCOL_HEADER, TRUSTED_EDGE_CRYPTO_PROTOCOL_VERSION, contextGrantMaterializationPayload, signContextGrantMaterialization, } from '../security/epoch-protocol.js';
 const CONTEXT_GRANT_EVENT_TYPES = new Set(['member.granted', 'key.rotated']);
 export async function pushContextEvents(options) {
     const home = options.home ?? configDir();
     const metadata = await readContextMetadata(options.contextResourceId, home);
     const vault = createVault(home, metadata.keyStore);
     const events = vault.listSyncEvents({ repoId: metadata.repoId });
+    const publicIdentities = collectPublicIdentities(vault, [
+        metadata.userName,
+        metadata.deviceName,
+        ...events
+            .map((event) => nullableStringField(objectValue(event), 'actorName'))
+            .filter((name) => !!name),
+    ]);
     const candidateDecisionApplications = await readCandidateDecisionApplications({
         home,
         contextResourceId: options.contextResourceId,
@@ -23,6 +34,7 @@ export async function pushContextEvents(options) {
         credential: options.credential,
         ...(options.workspaceId ? { target_workspace_id: options.workspaceId } : {}),
         events,
+        ...(publicIdentities.length > 0 ? { public_identities: publicIdentities } : {}),
         ...(candidateDecisionApplications.length > 0
             ? { candidate_decision_applications: candidateDecisionApplications }
             : {}),
@@ -65,22 +77,31 @@ export async function pullContextEvents(options) {
         tlsPins: options.tlsPins,
     });
     const records = extractPulledRecords(response);
+    importPulledPublicIdentities(vault, response);
     const events = records.map((record) => record.signedEvent);
+    const grantIdentities = await contextGrantIdentitiesForWorkspace({
+        workspaceId: options.workspaceId ?? options.contextResourceId,
+        home,
+    });
     const imported = await vault.importSyncEvents({
         repoId: metadata.repoId,
         events,
         actorName: options.actorName,
+        grantIdentities,
+    });
+    const materializationReceipts = contextGrantMaterializationReceipts({
+        workspaceId: options.workspaceId ?? options.contextResourceId,
+        contextResourceId: options.contextResourceId,
+        events,
+        grantIdentities,
     });
-    const materializedGrantEventIds = events
-        .filter((event) => isGrantEventForUser(event, metadata.userName))
-        .map((event) => event.id);
-    const materializedGrants = materializedGrantEventIds.length > 0
+    const materializedGrants = materializationReceipts.length > 0
         ? await recordContextGrantMaterialization({
             workspaceId: options.workspaceId ?? options.contextResourceId,
             serverUrl: options.serverUrl,
             credential: options.credential,
             contextResourceId: options.contextResourceId,
-            grantEventIds: materializedGrantEventIds,
+            receipts: materializationReceipts,
             tlsVerify: options.tlsVerify,
             caCertPath: options.caCertPath,
             tlsPins: options.tlsPins,
@@ -115,14 +136,67 @@ export async function pullContextEvents(options) {
         repoId: metadata.repoId,
     };
 }
+function collectPublicIdentities(vault, names) {
+    const identities = new Map();
+    for (const name of names) {
+        if (!name)
+            continue;
+        try {
+            const publicIdentity = objectValue(vault.exportPublicIdentity(name));
+            const identityName = stringField(publicIdentity, 'name');
+            identities.set(identityName, {
+                name: identityName,
+                fingerprint: publicIdentityFingerprint(publicIdentity),
+                public_identity: publicIdentity,
+            });
+        }
+        catch (error) {
+            if (!isUnknownIdentityError(error)) {
+                throw error;
+            }
+        }
+    }
+    return [...identities.values()];
+}
+function importPulledPublicIdentities(vault, response) {
+    const object = objectValue(response);
+    const identities = Array.isArray(object.public_identities) ? object.public_identities : [];
+    for (const item of identities) {
+        const record = objectValue(item);
+        const identity = objectField(record, 'public_identity');
+        vault.importPublicIdentity(identity);
+    }
+}
+function publicIdentityFingerprint(identity) {
+    const canonical = JSON.stringify(sortJson(identity));
+    return `sha256:${createHash('sha256').update(canonical).digest('base64url')}`;
+}
+function sortJson(value) {
+    if (Array.isArray(value)) {
+        return value.map(sortJson);
+    }
+    if (value && typeof value === 'object') {
+        return Object.fromEntries(Object.entries(value)
+            .sort(([left], [right]) => left.localeCompare(right))
+            .map(([key, child]) => [key, sortJson(child)]));
+    }
+    return value;
+}
+function isUnknownIdentityError(error) {
+    return error instanceof Error && error.message.startsWith('Unknown identity:');
+}
 export async function recordContextGrantMaterialization(options) {
-    if (options.grantEventIds.length === 0) {
+    if (options.receipts.length === 0) {
         return 0;
     }
     const response = await postJson(options.fetchImpl ?? transportFetch, contextGrantMaterializedUrl(options.serverUrl, options.workspaceId), {
         credential: options.credential,
         context_resource_id: options.contextResourceId,
-        grant_event_ids: options.grantEventIds,
+        receipts: options.receipts.map((receipt) => ({
+            payload: receipt.payload,
+            signature: receipt.signature,
+            signed_by_epoch_fingerprint: receipt.signedByEpochFingerprint,
+        })),
     }, {
         tlsVerify: options.tlsVerify,
         caCertPath: options.caCertPath,
@@ -155,26 +229,6 @@ export async function recordContextCandidatePreviewProof(options) {
         expiresAt: typeof expiresAt === 'string' ? expiresAt : null,
     };
 }
-export async function publishContextPublicIdentity(options) {
-    const publicIdentity = exportContextIdentity({
-        name: options.identityName,
-        home: options.home,
-    });
-    const response = await postJson(options.fetchImpl ?? transportFetch, contextPublicIdentityUrl(options.serverUrl, options.workspaceId), {
-        credential: options.credential,
-        name: options.identityName,
-        public_identity: publicIdentity,
-    }, {
-        tlsVerify: options.tlsVerify,
-        caCertPath: options.caCertPath,
-        tlsPins: options.tlsPins,
-    });
-    const identity = objectField(response, 'identity');
-    return {
-        identityId: stringField(identity, 'id'),
-        fingerprint: nullableStringField(identity, 'fingerprint'),
-    };
-}
 export async function processPendingContextGrants(options) {
     const fetchImpl = options.fetchImpl ?? transportFetch;
     const response = await postJson(fetchImpl, contextPendingGrantsUrl(options.serverUrl, options.workspaceId), {
@@ -191,49 +245,137 @@ export async function processPendingContextGrants(options) {
     let pushed = 0;
     for (const grant of grants) {
         const record = objectValue(grant);
-        const recipient = objectField(record, 'recipient_identity', false);
-        if (!recipient) {
-            missingIdentity++;
+        const userEpoch = objectField(record, 'user_epoch', false);
+        if (userEpoch) {
+            const userEpochId = String(numberOrStringField(userEpoch, 'id'));
+            const userId = String(numberOrStringField(userEpoch, 'user_id'));
+            const epoch = numberField(userEpoch, 'epoch');
+            const fingerprint = stringField(userEpoch, 'fingerprint');
+            const encryptionPublicKeyJwk = objectField(userEpoch, 'encryption_public_key_jwk');
+            const signingPublicKeyJwk = objectField(userEpoch, 'signing_public_key_jwk');
+            await validateAndPinPublicEpoch({
+                platformEpochId: userEpochId,
+                workspaceId: options.workspaceId,
+                subjectType: 'user',
+                subjectId: userId,
+                epoch,
+                schema: 'viewport.user_crypto_epoch/v1',
+                fingerprint,
+                encryptionPublicKeyJwk: encryptionPublicKeyJwk,
+                signingPublicKeyJwk: signingPublicKeyJwk,
+                previousEpochFingerprint: nullableStringField(userEpoch, 'previous_epoch_fingerprint'),
+                continuityPayload: objectField(userEpoch, 'continuity_payload', false),
+                continuitySignature: nullableStringField(userEpoch, 'continuity_signature'),
+                signedByEpochFingerprint: nullableStringField(userEpoch, 'signed_by_epoch_fingerprint'),
+            }, options.home);
+            const recipientName = contextUserEpochRecipientName({ userEpochId, fingerprint });
+            const result = await grantContextHpkeRecipient({
+                contextResourceId: options.contextResourceId,
+                actorName: options.actorName,
+                recipientName,
+                recipientHpkePublicKey: jwkPublicXToBase64(encryptionPublicKeyJwk),
+                credentials: options.credentials,
+                home: options.home,
+            });
+            const event = objectValue(result.event);
+            const grantEventId = stringField(event, 'id');
+            const grantPayload = objectField(event, 'grant', false);
+            const keyEpoch = grantPayload ? numberField(grantPayload, 'keyEpoch', false) : null;
+            const pushResult = await pushContextEvents({
+                contextResourceId: options.contextResourceId,
+                workspaceId: options.workspaceId,
+                serverUrl: options.serverUrl,
+                credential: options.credential,
+                tlsVerify: options.tlsVerify,
+                caCertPath: options.caCertPath,
+                tlsPins: options.tlsPins,
+                home: options.home,
+                fetchImpl,
+            });
+            pushed += pushResult.accepted;
+            await postJson(fetchImpl, contextMarkGrantEmittedUrl(options.serverUrl, options.workspaceId), {
+                credential: options.credential,
+                crypto_grant_id: stringField(record, 'id'),
+                grant_event_id: grantEventId,
+                recipient_identity_name: recipientName,
+                recipient_type: 'user_epoch',
+                recipient_epoch_id: userEpochId,
+                recipient_fingerprint: fingerprint,
+                ...(keyEpoch !== null ? { key_epoch: keyEpoch } : {}),
+            }, {
+                tlsVerify: options.tlsVerify,
+                caCertPath: options.caCertPath,
+                tlsPins: options.tlsPins,
+            });
+            emitted++;
             continue;
         }
-        const publicIdentity = objectField(recipient, 'public_identity');
-        const recipientName = stringField(recipient, 'name');
-        importContextIdentity({ identity: publicIdentity, home: options.home });
-        const result = await grantContextUser({
-            contextResourceId: options.contextResourceId,
-            actorName: options.actorName,
-            recipientName,
-            credentials: options.credentials,
-            home: options.home,
-        });
-        const event = objectValue(result.event);
-        const grantEventId = stringField(event, 'id');
-        const grantPayload = objectField(event, 'grant', false);
-        const keyEpoch = grantPayload ? numberField(grantPayload, 'keyEpoch', false) : null;
-        const pushResult = await pushContextEvents({
-            contextResourceId: options.contextResourceId,
-            workspaceId: options.workspaceId,
-            serverUrl: options.serverUrl,
-            credential: options.credential,
-            tlsVerify: options.tlsVerify,
-            caCertPath: options.caCertPath,
-            tlsPins: options.tlsPins,
-            home: options.home,
-            fetchImpl,
-        });
-        pushed += pushResult.accepted;
-        await postJson(fetchImpl, contextMarkGrantEmittedUrl(options.serverUrl, options.workspaceId), {
-            credential: options.credential,
-            crypto_grant_id: stringField(record, 'id'),
-            grant_event_id: grantEventId,
-            recipient_identity_name: recipientName,
-            ...(keyEpoch !== null ? { key_epoch: keyEpoch } : {}),
-        }, {
-            tlsVerify: options.tlsVerify,
-            caCertPath: options.caCertPath,
-            tlsPins: options.tlsPins,
-        });
-        emitted++;
+        const teamEpoch = objectField(record, 'team_epoch', false);
+        if (teamEpoch) {
+            const teamEpochId = String(numberOrStringField(teamEpoch, 'id'));
+            const teamId = String(numberOrStringField(teamEpoch, 'team_id'));
+            const epoch = numberField(teamEpoch, 'epoch');
+            const fingerprint = stringField(teamEpoch, 'fingerprint');
+            const encryptionPublicKeyJwk = objectField(teamEpoch, 'encryption_public_key_jwk');
+            const signingPublicKeyJwk = objectField(teamEpoch, 'signing_public_key_jwk');
+            await validateAndPinPublicEpoch({
+                platformEpochId: teamEpochId,
+                workspaceId: options.workspaceId,
+                subjectType: 'team',
+                subjectId: teamId,
+                epoch,
+                schema: 'viewport.team_crypto_epoch/v1',
+                fingerprint,
+                encryptionPublicKeyJwk: encryptionPublicKeyJwk,
+                signingPublicKeyJwk: signingPublicKeyJwk,
+                previousEpochFingerprint: nullableStringField(teamEpoch, 'previous_epoch_fingerprint'),
+                continuityPayload: objectField(teamEpoch, 'continuity_payload', false),
+                continuitySignature: nullableStringField(teamEpoch, 'continuity_signature'),
+                signedByEpochFingerprint: nullableStringField(teamEpoch, 'signed_by_epoch_fingerprint'),
+            }, options.home);
+            const recipientName = contextTeamEpochRecipientName({ teamEpochId, fingerprint });
+            const result = await grantContextHpkeRecipient({
+                contextResourceId: options.contextResourceId,
+                actorName: options.actorName,
+                recipientName,
+                recipientHpkePublicKey: jwkPublicXToBase64(encryptionPublicKeyJwk),
+                credentials: options.credentials,
+                home: options.home,
+            });
+            const event = objectValue(result.event);
+            const grantEventId = stringField(event, 'id');
+            const grantPayload = objectField(event, 'grant', false);
+            const keyEpoch = grantPayload ? numberField(grantPayload, 'keyEpoch', false) : null;
+            const pushResult = await pushContextEvents({
+                contextResourceId: options.contextResourceId,
+                workspaceId: options.workspaceId,
+                serverUrl: options.serverUrl,
+                credential: options.credential,
+                tlsVerify: options.tlsVerify,
+                caCertPath: options.caCertPath,
+                tlsPins: options.tlsPins,
+                home: options.home,
+                fetchImpl,
+            });
+            pushed += pushResult.accepted;
+            await postJson(fetchImpl, contextMarkGrantEmittedUrl(options.serverUrl, options.workspaceId), {
+                credential: options.credential,
+                crypto_grant_id: stringField(record, 'id'),
+                grant_event_id: grantEventId,
+                recipient_identity_name: recipientName,
+                recipient_type: 'team_epoch',
+                recipient_epoch_id: teamEpochId,
+                recipient_fingerprint: fingerprint,
+                ...(keyEpoch !== null ? { key_epoch: keyEpoch } : {}),
+            }, {
+                tlsVerify: options.tlsVerify,
+                caCertPath: options.caCertPath,
+                tlsPins: options.tlsPins,
+            });
+            emitted++;
+            continue;
+        }
+        missingIdentity++;
     }
     return { emitted, missingIdentity, pushed };
 }
@@ -253,9 +395,7 @@ export async function processPendingContextRevocations(options) {
     let pushed = 0;
     for (const revocation of revocations) {
         const record = objectValue(revocation);
-        const recipient = objectField(record, 'recipient_identity', false);
-        const recipientName = nullableStringField(record, 'recipient_identity_name') ??
-            (recipient ? nullableStringField(recipient, 'name') : null);
+        const recipientName = nullableStringField(record, 'recipient_identity_name');
         if (!recipientName) {
             missingIdentity++;
             continue;
@@ -317,6 +457,84 @@ function contextGrantRotationReceipt(event) {
         ...(recipientName ? { recipient_identity_name: recipientName } : {}),
     };
 }
+async function contextGrantIdentitiesForWorkspace(options) {
+    const userEpoch = await getActiveLocalUserEpoch(options.workspaceId, options.home);
+    const teamEpochs = await listActiveLocalTeamEpochs(options.workspaceId, options.home);
+    return [
+        ...(userEpoch?.platformEpochId
+            ? [
+                {
+                    kind: 'user_epoch',
+                    name: contextUserEpochRecipientName({
+                        userEpochId: userEpoch.platformEpochId,
+                        fingerprint: userEpoch.fingerprint,
+                    }),
+                    hpkePrivateKey: jwkPrivateDToBase64(objectValue(userEpoch.encryptionPrivateKeyJwk)),
+                    signingPrivateKeyJwk: userEpoch.signingPrivateKeyJwk,
+                    signerFingerprint: userEpoch.fingerprint,
+                },
+            ]
+            : []),
+        ...teamEpochs.map((epoch) => ({
+            kind: 'team_epoch',
+            name: contextTeamEpochRecipientName({
+                teamEpochId: epoch.platformEpochId ?? `${epoch.platformTeamId ?? epoch.teamId}:${epoch.epoch}`,
+                fingerprint: epoch.fingerprint,
+            }),
+            hpkePrivateKey: jwkPrivateDToBase64(objectValue(epoch.encryptionPrivateKeyJwk)),
+            signingPrivateKeyJwk: epoch.signingPrivateKeyJwk,
+            signerFingerprint: epoch.fingerprint,
+        })),
+    ];
+}
+function contextGrantMaterializationReceipts(options) {
+    const receipts = [];
+    for (const event of options.events) {
+        const match = grantEventRecipientMatch(event, options.grantIdentities);
+        if (!match)
+            continue;
+        const keyEpoch = numberField(event, 'keyEpoch', false);
+        const payload = contextGrantMaterializationPayload({
+            workspaceId: options.workspaceId,
+            contextResourceId: options.contextResourceId,
+            grantEventId: stringField(event, 'id'),
+            recipientName: match.identity.name,
+            keyEpoch,
+        });
+        receipts.push(signContextGrantMaterialization({
+            payload,
+            signingPrivateKeyJwk: match.identity.signingPrivateKeyJwk,
+            signedByEpochFingerprint: match.identity.signerFingerprint,
+        }));
+    }
+    return receipts;
+}
+function grantEventRecipientMatch(event, grantIdentities) {
+    if (!CONTEXT_GRANT_EVENT_TYPES.has(event.type))
+        return null;
+    const grant = event.grant;
+    if (!grant || typeof grant !== 'object' || Array.isArray(grant))
+        return null;
+    const recipientName = grant.recipientName;
+    if (typeof recipientName !== 'string' || recipientName === '')
+        return null;
+    const identity = grantIdentities.find((candidate) => candidate.name === recipientName);
+    return identity ? { grant: grant, identity } : null;
+}
+function contextUserEpochRecipientName(input) {
+    return `user-epoch:${input.userEpochId}:${input.fingerprint}`;
+}
+function contextTeamEpochRecipientName(input) {
+    return `team-epoch:${input.teamEpochId}:${input.fingerprint}`;
+}
+function jwkPublicXToBase64(jwk) {
+    const x = stringField(jwk, 'x');
+    return Buffer.from(x, 'base64url').toString('base64');
+}
+function jwkPrivateDToBase64(jwk) {
+    const d = stringField(jwk, 'd');
+    return Buffer.from(d, 'base64url').toString('base64');
+}
 function contextRuntimeUrl(serverUrl, workspaceId, operation) {
     const base = serverUrl.replace(/\/+$/, '');
     return `${base}/api/runtime/workspaces/${encodeURIComponent(workspaceId)}/context-vault/events/${operation}`;
@@ -325,10 +543,6 @@ function contextCandidatePreviewProofUrl(serverUrl, workspaceId) {
     const base = serverUrl.replace(/\/+$/, '');
     return `${base}/api/runtime/workspaces/${encodeURIComponent(workspaceId)}/context-vault/candidates/preview-proof`;
 }
-function contextPublicIdentityUrl(serverUrl, workspaceId) {
-    const base = serverUrl.replace(/\/+$/, '');
-    return `${base}/api/runtime/workspaces/${encodeURIComponent(workspaceId)}/context-vault/identities`;
-}
 function contextPendingGrantsUrl(serverUrl, workspaceId) {
     const base = serverUrl.replace(/\/+$/, '');
     return `${base}/api/runtime/workspaces/${encodeURIComponent(workspaceId)}/context-vault/grants/pending`;
@@ -352,7 +566,11 @@ function contextGrantMaterializedUrl(serverUrl, workspaceId) {
 async function postJson(fetchImpl, url, body, transportOptions = {}) {
     const response = await fetchImpl(url, {
         method: 'POST',
-        headers: { 'content-type': 'application/json', accept: 'application/json' },
+        headers: {
+            'content-type': 'application/json',
+            accept: 'application/json',
+            [TRUSTED_EDGE_CRYPTO_PROTOCOL_HEADER]: TRUSTED_EDGE_CRYPTO_PROTOCOL_VERSION,
+        },
         body: JSON.stringify(body),
         timeoutMs: 5_000,
         ...transportOptions,
@@ -367,7 +585,9 @@ async function postJson(fetchImpl, url, body, transportOptions = {}) {
     if (!response.ok) {
         const reason = typeof payload === 'object' && payload && 'reason' in payload
             ? String(payload.reason)
-            : `${response.status} ${response.statusText}`;
+            : typeof payload === 'object' && payload && 'message' in payload
+                ? String(payload.message)
+                : `${response.status} ${response.statusText}`;
         throw new Error(`Context sync request failed: ${reason}`);
     }
     return payload;
@@ -458,14 +678,6 @@ function extractPulledCandidateDecisions(response, trustedDecisionKeys) {
         return record;
     });
 }
-function isGrantEventForUser(event, userName) {
-    if (!CONTEXT_GRANT_EVENT_TYPES.has(event.type))
-        return false;
-    const grant = event.grant;
-    if (!grant || typeof grant !== 'object' || Array.isArray(grant))
-        return false;
-    return grant.recipientName === userName;
-}
 function latestReceivedAt(records, decisions = []) {
     return [
         ...records
@@ -491,4 +703,12 @@ function numberField(response, field, required = true) {
     }
     return value;
 }
+function numberOrStringField(response, field) {
+    const object = objectValue(response);
+    const value = object[field];
+    if (typeof value !== 'number' && typeof value !== 'string') {
+        throw new Error(`Context sync response ${field} must be a number or string`);
+    }
+    return value;
+}
 //# sourceMappingURL=local-edge-sync.js.map