@web_of_trust/core 0.2.2

package/README.md

@@ -0,0 +1,357 @@
+# @web_of_trust/core
+
+Core library for building decentralized Web of Trust applications.
+
+## What is Web of Trust?
+
+A system where trust grows through real-world encounters. People meet, verify each other's identity, and build reputation through genuine actions - not followers or likes.
+
+Three pillars:
+- **Verification** - Confirm identity through meeting in person
+- **Cooperation** - Share encrypted content (calendars, maps, projects)
+- **Attestation** - Build reputation through real deeds
+
+## Installation
+
+```bash
+npm install @web_of_trust/core
+# or
+pnpm add @web_of_trust/core
+```
+
+## Quick Start
+
+```typescript
+import { WotIdentity } from '@web_of_trust/core'
+
+// Create a new identity
+const identity = new WotIdentity()
+const result = await identity.create('your-secure-passphrase', true)
+
+console.log(result.mnemonic) // 12-word BIP39 mnemonic
+console.log(result.did)      // did:key:z6Mk...
+
+// Later: Unlock from storage
+const identity2 = new WotIdentity()
+await identity2.unlockFromStorage('your-secure-passphrase')
+console.log(identity2.getDid()) // Same DID
+```
+
+## Core Concepts
+
+### Identity Management with WotIdentity
+
+`WotIdentity` provides a secure, deterministic identity system based on BIP39 mnemonics:
+
+**Key Features:**
+
+- **BIP39 Mnemonic**: 12-word recovery phrase (128-bit entropy)
+- **Deterministic**: Same mnemonic always produces same DID
+- **Encrypted Storage**: Seed encrypted with PBKDF2 + AES-GCM in IndexedDB
+- **Native WebCrypto**: Pure browser crypto, no external dependencies
+- **Runtime-only Keys**: Keys exist only in memory during session (non-extractable)
+
+```typescript
+import { WotIdentity } from '@web_of_trust/core'
+
+const identity = new WotIdentity()
+
+// Create new identity
+const { mnemonic, did } = await identity.create('passphrase', true)
+// Save the mnemonic securely! It's the only way to recover your identity
+
+// Recover from mnemonic
+await identity.unlock(mnemonic, 'passphrase')
+
+// Sign data
+const signature = await identity.sign('Hello, World!')
+
+// Get public key
+const pubKey = await identity.getPublicKeyMultibase()
+```
+
+### Decentralized Identifiers (DIDs)
+
+Every identity is a `did:key` - a self-sovereign identifier derived from an Ed25519 public key. No central authority needed.
+
+```typescript
+const did = identity.getDid()
+console.log(did) // did:key:z6MkpTHz...
+```
+
+### Encrypted Storage
+
+Identity seeds are stored encrypted in IndexedDB:
+
+- Seed encrypted with PBKDF2 (600k iterations) + AES-GCM
+- Random salt and IV per storage operation
+- Keys derived at runtime as non-extractable CryptoKey objects
+- Keys cleared from memory on lock/reload
+
+```typescript
+// Check if identity exists
+const hasIdentity = await identity.hasStoredIdentity()
+
+// Delete stored identity
+await identity.deleteStoredIdentity()
+```
+
+## Adapter Interfaces
+
+The core defines 7 adapter interfaces. Each can be implemented independently — swap your CRDT, messaging protocol, or storage backend without touching application code.
+
+### StorageAdapter
+
+Local persistence for identity, contacts, verifications, and attestations. Follows the **Receiver Principle**: verifications and attestations are stored at the recipient, not the sender.
+
+```typescript
+interface StorageAdapter {
+  createIdentity(did: string, profile: Profile): Promise<Identity>
+  getContacts(): Promise<Contact[]>
+  addContact(contact: Contact): Promise<void>
+  saveVerification(verification: Verification): Promise<void>
+  saveAttestation(attestation: Attestation): Promise<void>
+  // ... full CRUD for all entity types
+}
+```
+
+**Implementations:** `LocalStorageAdapter` (IndexedDB)
+
+### ReactiveStorageAdapter
+
+Extends StorageAdapter with live queries and subscriptions. UI components subscribe to data changes and re-render automatically.
+
+```typescript
+interface ReactiveStorageAdapter extends StorageAdapter {
+  watchIdentity(): Subscribable<Identity | null>
+  watchContacts(): Subscribable<Contact[]>
+  watchAllVerifications(): Subscribable<Verification[]>
+  watchReceivedAttestations(): Subscribable<Attestation[]>
+  // ... observables for all entity types
+}
+```
+
+**Implementations:** Yjs-based (default), Automerge-based (option)
+
+### CryptoAdapter
+
+Signing, verification, and symmetric encryption. Uses WebCrypto API internally — no external crypto dependencies for core operations.
+
+```typescript
+interface CryptoAdapter {
+  sign(data: Uint8Array, privateKey: CryptoKey): Promise<Uint8Array>
+  verify(data: Uint8Array, signature: Uint8Array, publicKey: Uint8Array): Promise<boolean>
+  generateSymmetricKey(): Promise<Uint8Array>
+  encryptSymmetric(data: Uint8Array, key: Uint8Array): Promise<Uint8Array>
+  decryptSymmetric(data: Uint8Array, key: Uint8Array): Promise<Uint8Array>
+}
+```
+
+**Implementations:** `WebCryptoCryptoAdapter` (Ed25519, AES-256-GCM)
+
+### DiscoveryAdapter
+
+Public profile lookup — find information about a DID before establishing contact. Profiles are JWS-signed for authenticity.
+
+```typescript
+interface DiscoveryAdapter {
+  lookupProfile(did: string): Promise<PublicProfile | null>
+  publishProfile(profile: PublicProfile): Promise<void>
+}
+```
+
+**Implementations:** `HttpDiscoveryAdapter` (wot-profiles server), `OfflineFirstDiscoveryAdapter` (cache + dirty flags)
+
+### MessagingAdapter
+
+Point-to-point message delivery between DIDs. Messages are E2E encrypted and delivered via the Relay with ACK-based guaranteed delivery.
+
+```typescript
+interface MessagingAdapter {
+  sendMessage(recipientDid: string, message: Uint8Array): Promise<void>
+  onMessage(handler: (senderDid: string, message: Uint8Array) => void): void
+  register(did: string): Promise<void>
+}
+```
+
+**Implementations:** `WebSocketMessagingAdapter` (wot-relay), `OutboxMessagingAdapter` (decorator, queues for offline)
+
+### ReplicationAdapter
+
+Encrypted CRDT-based shared spaces. Multiple users collaborate on the same document with automatic conflict resolution and group key encryption.
+
+```typescript
+interface ReplicationAdapter {
+  createSpace(info: SpaceInfo): Promise<SpaceHandle>
+  joinSpace(spaceId: string, info: SpaceInfo): Promise<SpaceHandle>
+  getSpace(spaceId: string): SpaceHandle | undefined
+  listSpaces(): SpaceHandle[]
+}
+```
+
+**Implementations:** `YjsReplicationAdapter` (default), `AutomergeReplicationAdapter` (option)
+
+### AuthorizationAdapter
+
+UCAN-inspired capability system. Capabilities are offline-verifiable, delegable, and attenuable. The private key stays encapsulated via the SignFn pattern.
+
+```typescript
+interface AuthorizationAdapter {
+  createCapability(scope: string, actions: string[], subject: string): Promise<Capability>
+  verifyCapability(capability: Capability): Promise<boolean>
+  delegateCapability(capability: Capability, to: string, attenuate?: Attenuation): Promise<Capability>
+}
+```
+
+**Implementations:** `InMemoryAuthorizationAdapter` + `crypto/capabilities.ts`
+
+---
+
+## API Reference
+
+### WotIdentity
+
+Core identity management class.
+
+#### Constructor
+
+```typescript
+const identity = new WotIdentity()
+```
+
+#### Methods
+
+**`create(passphrase: string, storeSeed: boolean): Promise<{ mnemonic: string, did: string }>`**
+
+Create a new identity with a BIP39 mnemonic.
+
+```typescript
+const { mnemonic, did } = await identity.create('secure-passphrase', true)
+// Save mnemonic securely! It's your only recovery method
+```
+
+**`unlock(mnemonic: string, passphrase: string): Promise<void>`**
+
+Restore identity from BIP39 mnemonic.
+
+```typescript
+await identity.unlock(mnemonic, 'secure-passphrase')
+```
+
+**`unlockFromStorage(passphrase: string): Promise<void>`**
+
+Unlock identity from encrypted storage.
+
+```typescript
+await identity.unlockFromStorage('secure-passphrase')
+```
+
+**`sign(data: string): Promise<string>`**
+
+Sign data with Ed25519, returns base64url signature.
+
+```typescript
+const signature = await identity.sign('Hello, World!')
+```
+
+**`getDid(): string`**
+
+Get the current DID (throws if locked).
+
+```typescript
+const did = identity.getDid() // did:key:z6Mk...
+```
+
+**`getPublicKeyMultibase(): Promise<string>`**
+
+Get public key in multibase format (z-prefixed base58btc).
+
+```typescript
+const pubKey = await identity.getPublicKeyMultibase()
+```
+
+**`hasStoredIdentity(): Promise<boolean>`**
+
+Check if encrypted seed exists in storage.
+
+```typescript
+const exists = await identity.hasStoredIdentity()
+```
+
+**`deleteStoredIdentity(): Promise<void>`**
+
+Delete encrypted seed from storage and lock identity.
+
+```typescript
+await identity.deleteStoredIdentity()
+```
+
+**`deriveFrameworkKey(info: string): Promise<Uint8Array>`**
+
+Derive framework-specific keys using HKDF.
+
+```typescript
+const evolKey = await identity.deriveFrameworkKey('evolu-storage-v1')
+```
+
+### SeedStorage
+
+Low-level encrypted storage for identity seeds.
+
+```typescript
+import { SeedStorage } from '@web_of_trust/core'
+
+const storage = new SeedStorage()
+
+// Store encrypted
+await storage.storeSeed(seedBytes, 'passphrase')
+
+// Load and decrypt
+const seed = await storage.loadSeed('passphrase')
+
+// Check existence
+const exists = await storage.hasSeed()
+
+// Delete
+await storage.deleteSeed()
+```
+
+## Development
+
+```bash
+# Install dependencies
+pnpm install
+
+# Build
+pnpm build
+
+# Run tests
+pnpm test
+
+# Type check
+pnpm typecheck
+```
+
+### Testing
+
+The package includes comprehensive test coverage:
+
+- **29 tests** covering identity creation, encryption, deterministic key derivation
+- Uses Vitest with happy-dom and fake-indexeddb for browser environment simulation
+- Tests validate BIP39 mnemonic generation, PBKDF2+AES-GCM encryption, and Ed25519 signing
+
+Run tests with:
+
+```bash
+pnpm test
+```
+
+## Part of the Web of Trust Project
+
+This package is the foundation for:
+- [Demo App](../apps/demo) - Try the Web of Trust
+- [Protocol Docs](../docs) - Full specification
+
+## License
+
+MIT

package/dist/adapters/authorization/InMemoryAuthorizationAdapter.d.ts

@@ -0,0 +1,30 @@
+import { ResourceRef } from '../../types/resource-ref';
+import { AuthorizationAdapter } from '../interfaces/AuthorizationAdapter';
+import { CapabilityJws, CapabilityVerificationResult, Permission, SignFn } from '../../crypto/capabilities';
+/**
+ * In-memory AuthorizationAdapter for testing and simple use cases.
+ *
+ * Stores capabilities and revocations in memory.
+ * Requires a SignFn for creating/delegating capabilities.
+ */
+export declare class InMemoryAuthorizationAdapter implements AuthorizationAdapter {
+    private myDid;
+    private sign;
+    /** Capabilities granted TO this user (received from others) */
+    private received;
+    /** Capabilities granted BY this user (issued to others) */
+    private granted;
+    /** Revoked capability IDs */
+    private revoked;
+    constructor(myDid: string, sign: SignFn);
+    grant(resource: ResourceRef, toDid: string, permissions: Permission[], expiration: string): Promise<CapabilityJws>;
+    delegate(parentCapabilityJws: CapabilityJws, toDid: string, permissions: Permission[], expiration?: string): Promise<CapabilityJws>;
+    verify(capabilityJws: CapabilityJws): Promise<CapabilityVerificationResult>;
+    canAccess(did: string, resource: ResourceRef, permission: Permission): Promise<boolean>;
+    revoke(capabilityId: string): Promise<void>;
+    isRevoked(capabilityId: string): Promise<boolean>;
+    store(capabilityJws: CapabilityJws): Promise<void>;
+    getMyCapabilities(resource?: ResourceRef): Promise<CapabilityJws[]>;
+    getGrantedCapabilities(resource?: ResourceRef): Promise<CapabilityJws[]>;
+}
+//# sourceMappingURL=InMemoryAuthorizationAdapter.d.ts.map

package/dist/adapters/authorization/InMemoryAuthorizationAdapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"InMemoryAuthorizationAdapter.d.ts","sourceRoot":"","sources":["../../../src/adapters/authorization/InMemoryAuthorizationAdapter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAA;AAC3D,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,oCAAoC,CAAA;AAC9E,OAAO,EAKL,KAAK,aAAa,EAClB,KAAK,4BAA4B,EACjC,KAAK,UAAU,EACf,KAAK,MAAM,EACZ,MAAM,2BAA2B,CAAA;AAElC;;;;;GAKG;AACH,qBAAa,4BAA6B,YAAW,oBAAoB;IACvE,OAAO,CAAC,KAAK,CAAQ;IACrB,OAAO,CAAC,IAAI,CAAQ;IAEpB,+DAA+D;IAC/D,OAAO,CAAC,QAAQ,CAAsB;IAEtC,2DAA2D;IAC3D,OAAO,CAAC,OAAO,CAAsB;IAErC,6BAA6B;IAC7B,OAAO,CAAC,OAAO,CAAyB;gBAE5B,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM;IAKjC,KAAK,CACT,QAAQ,EAAE,WAAW,EACrB,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,UAAU,EAAE,EACzB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,aAAa,CAAC;IAenB,QAAQ,CACZ,mBAAmB,EAAE,aAAa,EAClC,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,UAAU,EAAE,EACzB,UAAU,CAAC,EAAE,MAAM,GAClB,OAAO,CAAC,aAAa,CAAC;IAcnB,MAAM,CAAC,aAAa,EAAE,aAAa,GAAG,OAAO,CAAC,4BAA4B,CAAC;IAiB3E,SAAS,CACb,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,WAAW,EACrB,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC,OAAO,CAAC;IAmBb,MAAM,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAI3C,SAAS,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC;IAIjD,KAAK,CAAC,aAAa,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC;IAIlD,iBAAiB,CAAC,QAAQ,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAQnE,sBAAsB,CAAC,QAAQ,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;CAO/E"}

package/dist/adapters/crypto/WebCryptoAdapter.d.ts

@@ -0,0 +1,30 @@
+import { CryptoAdapter } from '../interfaces/CryptoAdapter';
+import { KeyPair } from '../../types';
+export declare class WebCryptoAdapter implements CryptoAdapter {
+    generateKeyPair(): Promise<KeyPair>;
+    exportKeyPair(keyPair: KeyPair): Promise<{
+        publicKey: string;
+        privateKey: string;
+    }>;
+    importKeyPair(exported: {
+        publicKey: string;
+        privateKey: string;
+    }): Promise<KeyPair>;
+    exportPublicKey(publicKey: CryptoKey): Promise<string>;
+    importPublicKey(exported: string): Promise<CryptoKey>;
+    createDid(publicKey: CryptoKey): Promise<string>;
+    didToPublicKey(did: string): Promise<CryptoKey>;
+    sign(data: Uint8Array, privateKey: CryptoKey): Promise<Uint8Array>;
+    verify(data: Uint8Array, signature: Uint8Array, publicKey: CryptoKey): Promise<boolean>;
+    signString(data: string, privateKey: CryptoKey): Promise<string>;
+    verifyString(data: string, signature: string, publicKey: CryptoKey): Promise<boolean>;
+    generateSymmetricKey(): Promise<Uint8Array>;
+    encryptSymmetric(plaintext: Uint8Array, key: Uint8Array): Promise<{
+        ciphertext: Uint8Array;
+        nonce: Uint8Array;
+    }>;
+    decryptSymmetric(ciphertext: Uint8Array, nonce: Uint8Array, key: Uint8Array): Promise<Uint8Array>;
+    generateNonce(): string;
+    hashData(data: Uint8Array): Promise<Uint8Array>;
+}
+//# sourceMappingURL=WebCryptoAdapter.d.ts.map

package/dist/adapters/crypto/WebCryptoAdapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"WebCryptoAdapter.d.ts","sourceRoot":"","sources":["../../../src/adapters/crypto/WebCryptoAdapter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,6BAA6B,CAAA;AAChE,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAA;AAI1C,qBAAa,gBAAiB,YAAW,aAAa;IAC9C,eAAe,IAAI,OAAO,CAAC,OAAO,CAAC;IAYnC,aAAa,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,CAAC;IAWnF,aAAa,CAAC,QAAQ,EAAE;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,OAAO,CAAC;IAsBpF,eAAe,CAAC,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC;IAKtD,eAAe,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IAWrD,SAAS,CAAC,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC;IAKhD,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,SAAS,CAAC;IAW/C,IAAI,CAAC,IAAI,EAAE,UAAU,EAAE,UAAU,EAAE,SAAS,GAAG,OAAO,CAAC,UAAU,CAAC;IASlE,MAAM,CAAC,IAAI,EAAE,UAAU,EAAE,SAAS,EAAE,UAAU,EAAE,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC;IASvF,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC;IAMhE,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,GAAG,OAAO,CAAC,OAAO,CAAC;IAOrF,oBAAoB,IAAI,OAAO,CAAC,UAAU,CAAC;IAU3C,gBAAgB,CACpB,SAAS,EAAE,UAAU,EACrB,GAAG,EAAE,UAAU,GACd,OAAO,CAAC;QAAE,UAAU,EAAE,UAAU,CAAC;QAAC,KAAK,EAAE,UAAU,CAAA;KAAE,CAAC;IAiBnD,gBAAgB,CACpB,UAAU,EAAE,UAAU,EACtB,KAAK,EAAE,UAAU,EACjB,GAAG,EAAE,UAAU,GACd,OAAO,CAAC,UAAU,CAAC;IAgBtB,aAAa,IAAI,MAAM;IAMjB,QAAQ,CAAC,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC;CAItD"}

package/dist/adapters/crypto/index.d.ts

@@ -0,0 +1,2 @@
+export * from './WebCryptoAdapter';
+//# sourceMappingURL=index.d.ts.map

package/dist/adapters/crypto/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/adapters/crypto/index.ts"],"names":[],"mappings":"AAAA,cAAc,oBAAoB,CAAA"}

package/dist/adapters/discovery/HttpDiscoveryAdapter.d.ts

@@ -0,0 +1,25 @@
+import { PublicProfile } from '../../types/identity';
+import { Verification } from '../../types/verification';
+import { Attestation } from '../../types/attestation';
+import { WotIdentity } from '../../identity/WotIdentity';
+import { DiscoveryAdapter, ProfileResolveResult, PublicVerificationsData, PublicAttestationsData, ProfileSummary } from '../interfaces/DiscoveryAdapter';
+/**
+ * HTTP-based DiscoveryAdapter implementation.
+ *
+ * POC implementation backed by wot-profiles (HTTP REST + SQLite).
+ * Replaceable by Automerge Auto-Groups, IPFS, DHT, etc.
+ */
+export declare class HttpDiscoveryAdapter implements DiscoveryAdapter {
+    private baseUrl;
+    private readonly TIMEOUT_MS;
+    constructor(baseUrl: string);
+    private fetchWithTimeout;
+    publishProfile(data: PublicProfile, identity: WotIdentity): Promise<void>;
+    publishVerifications(data: PublicVerificationsData, identity: WotIdentity): Promise<void>;
+    publishAttestations(data: PublicAttestationsData, identity: WotIdentity): Promise<void>;
+    resolveProfile(did: string): Promise<ProfileResolveResult>;
+    resolveVerifications(did: string): Promise<Verification[]>;
+    resolveAttestations(did: string): Promise<Attestation[]>;
+    resolveSummaries(dids: string[]): Promise<ProfileSummary[]>;
+}
+//# sourceMappingURL=HttpDiscoveryAdapter.d.ts.map

package/dist/adapters/discovery/HttpDiscoveryAdapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"HttpDiscoveryAdapter.d.ts","sourceRoot":"","sources":["../../../src/adapters/discovery/HttpDiscoveryAdapter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AACzD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AAC5D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAA;AAC1D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AAC7D,OAAO,KAAK,EACV,gBAAgB,EAChB,oBAAoB,EACpB,uBAAuB,EACvB,sBAAsB,EACtB,cAAc,EACf,MAAM,gCAAgC,CAAA;AAIvC;;;;;GAKG;AACH,qBAAa,oBAAqB,YAAW,gBAAgB;IAG/C,OAAO,CAAC,OAAO;IAF3B,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAQ;gBAEf,OAAO,EAAE,MAAM;IAEnC,OAAO,CAAC,gBAAgB;IAMlB,cAAc,CAAC,IAAI,EAAE,aAAa,EAAE,QAAQ,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAiBzE,oBAAoB,CAAC,IAAI,EAAE,uBAAuB,EAAE,QAAQ,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAiBzF,mBAAmB,CAAC,IAAI,EAAE,sBAAsB,EAAE,QAAQ,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAiBvF,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAqB1D,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAuB1D,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAuBxD,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;CAelE"}

package/dist/adapters/discovery/InMemoryGraphCacheStore.d.ts

@@ -0,0 +1,29 @@
+import { PublicProfile } from '../../types/identity';
+import { Verification } from '../../types/verification';
+import { Attestation } from '../../types/attestation';
+import { GraphCacheStore, CachedGraphEntry } from '../interfaces/GraphCacheStore';
+/**
+ * In-memory implementation of GraphCacheStore.
+ *
+ * Useful for tests. Data is lost on page reload.
+ */
+export declare class InMemoryGraphCacheStore implements GraphCacheStore {
+    private profiles;
+    private verifications;
+    private attestations;
+    private fetchedAt;
+    private summaryCounts;
+    cacheEntry(did: string, profile: PublicProfile | null, verifications: Verification[], attestations: Attestation[]): Promise<void>;
+    getEntry(did: string): Promise<CachedGraphEntry | null>;
+    getEntries(dids: string[]): Promise<Map<string, CachedGraphEntry>>;
+    getCachedVerifications(did: string): Promise<Verification[]>;
+    getCachedAttestations(did: string): Promise<Attestation[]>;
+    resolveName(did: string): Promise<string | null>;
+    resolveNames(dids: string[]): Promise<Map<string, string>>;
+    findMutualContacts(targetDid: string, myContactDids: string[]): Promise<string[]>;
+    search(query: string): Promise<CachedGraphEntry[]>;
+    updateSummary(did: string, name: string | null, verificationCount: number, attestationCount: number): Promise<void>;
+    evict(did: string): Promise<void>;
+    clear(): Promise<void>;
+}
+//# sourceMappingURL=InMemoryGraphCacheStore.d.ts.map

package/dist/adapters/discovery/InMemoryGraphCacheStore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"InMemoryGraphCacheStore.d.ts","sourceRoot":"","sources":["../../../src/adapters/discovery/InMemoryGraphCacheStore.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AACzD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AAC5D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAA;AAC1D,OAAO,KAAK,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,+BAA+B,CAAA;AAEtF;;;;GAIG;AACH,qBAAa,uBAAwB,YAAW,eAAe;IAC7D,OAAO,CAAC,QAAQ,CAAmC;IACnD,OAAO,CAAC,aAAa,CAAoC;IACzD,OAAO,CAAC,YAAY,CAAmC;IACvD,OAAO,CAAC,SAAS,CAA4B;IAC7C,OAAO,CAAC,aAAa,CAA6E;IAE5F,UAAU,CACd,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,aAAa,GAAG,IAAI,EAC7B,aAAa,EAAE,YAAY,EAAE,EAC7B,YAAY,EAAE,WAAW,EAAE,GAC1B,OAAO,CAAC,IAAI,CAAC;IAUV,QAAQ,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC;IAsBvD,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,gBAAgB,CAAC,CAAC;IASlE,sBAAsB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAI5D,qBAAqB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAI1D,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC;IAIhD,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAS1D,kBAAkB,CAAC,SAAS,EAAE,MAAM,EAAE,aAAa,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAMjF,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,EAAE,CAAC;IAiBlD,aAAa,CACjB,GAAG,EAAE,MAAM,EACX,IAAI,EAAE,MAAM,GAAG,IAAI,EACnB,iBAAiB,EAAE,MAAM,EACzB,gBAAgB,EAAE,MAAM,GACvB,OAAO,CAAC,IAAI,CAAC;IAiBV,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAQjC,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAO7B"}

package/dist/adapters/discovery/InMemoryPublishStateStore.d.ts

@@ -0,0 +1,13 @@
+import { PublishStateField, PublishStateStore } from '../interfaces/PublishStateStore';
+/**
+ * In-memory implementation of PublishStateStore.
+ *
+ * Useful for tests. Data is lost on page reload.
+ */
+export declare class InMemoryPublishStateStore implements PublishStateStore {
+    private dirty;
+    markDirty(did: string, field: PublishStateField): Promise<void>;
+    clearDirty(did: string, field: PublishStateField): Promise<void>;
+    getDirtyFields(did: string): Promise<Set<PublishStateField>>;
+}
+//# sourceMappingURL=InMemoryPublishStateStore.d.ts.map

package/dist/adapters/discovery/InMemoryPublishStateStore.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"InMemoryPublishStateStore.d.ts","sourceRoot":"","sources":["../../../src/adapters/discovery/InMemoryPublishStateStore.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAA;AAE3F;;;;GAIG;AACH,qBAAa,yBAA0B,YAAW,iBAAiB;IACjE,OAAO,CAAC,KAAK,CAA4C;IAEnD,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC;IAM/D,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC;IAQhE,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,CAAC;CAGnE"}

package/dist/adapters/discovery/OfflineFirstDiscoveryAdapter.d.ts

@@ -0,0 +1,62 @@
+import { PublicProfile } from '../../types/identity';
+import { Verification } from '../../types/verification';
+import { Attestation } from '../../types/attestation';
+import { WotIdentity } from '../../identity/WotIdentity';
+import { DiscoveryAdapter, ProfileResolveResult, PublicVerificationsData, PublicAttestationsData, ProfileSummary } from '../interfaces/DiscoveryAdapter';
+import { PublishStateStore } from '../interfaces/PublishStateStore';
+import { GraphCacheStore } from '../interfaces/GraphCacheStore';
+/**
+ * Offline-first wrapper for any DiscoveryAdapter.
+ *
+ * Decorator pattern: wraps an inner DiscoveryAdapter and adds:
+ * - Dirty-flag tracking for publish operations (via PublishStateStore)
+ * - Profile/verification/attestation caching for resolve operations (via GraphCacheStore)
+ * - syncPending() method for retry on reconnect
+ *
+ * The wrapper is optional — adapters that are natively offline-capable
+ * (e.g. Automerge-based) don't need it.
+ *
+ * Usage:
+ *   const http = new HttpDiscoveryAdapter(url)
+ *   const publishState = new EvoluPublishStateStore(evolu, did)
+ *   const graphCache = new EvoluGraphCacheStore(evolu)
+ *   const discovery = new OfflineFirstDiscoveryAdapter(http, publishState, graphCache)
+ */
+export declare class OfflineFirstDiscoveryAdapter implements DiscoveryAdapter {
+    private inner;
+    private publishState;
+    private graphCache;
+    private _lastError;
+    private _errorListeners;
+    constructor(inner: DiscoveryAdapter, publishState: PublishStateStore, graphCache: GraphCacheStore);
+    /** Last publish error message (null if last attempt succeeded) */
+    get lastError(): string | null;
+    /** Subscribe to error state changes */
+    onErrorChange(listener: (error: string | null) => void): () => void;
+    private setError;
+    private clearError;
+    publishProfile(data: PublicProfile, identity: WotIdentity): Promise<void>;
+    publishVerifications(data: PublicVerificationsData, identity: WotIdentity): Promise<void>;
+    publishAttestations(data: PublicAttestationsData, identity: WotIdentity): Promise<void>;
+    resolveProfile(did: string): Promise<ProfileResolveResult>;
+    resolveVerifications(did: string): Promise<Verification[]>;
+    resolveAttestations(did: string): Promise<Attestation[]>;
+    resolveSummaries(dids: string[]): Promise<ProfileSummary[]>;
+    /**
+     * Retry all pending publish operations.
+     *
+     * Called by the app when connectivity is restored (online event,
+     * visibility change, or on mount).
+     *
+     * @param did - The local user's DID
+     * @param identity - The unlocked WotIdentity (needed for JWS signing)
+     * @param getPublishData - Callback that reads current local data at retry time
+     *                         (not stale data from the original publish attempt)
+     */
+    syncPending(did: string, identity: WotIdentity, getPublishData: () => Promise<{
+        profile?: PublicProfile;
+        verifications?: PublicVerificationsData;
+        attestations?: PublicAttestationsData;
+    }>): Promise<void>;
+}
+//# sourceMappingURL=OfflineFirstDiscoveryAdapter.d.ts.map

package/dist/adapters/discovery/OfflineFirstDiscoveryAdapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"OfflineFirstDiscoveryAdapter.d.ts","sourceRoot":"","sources":["../../../src/adapters/discovery/OfflineFirstDiscoveryAdapter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAA;AACzD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAA;AAC5D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAA;AAC1D,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,4BAA4B,CAAA;AAC7D,OAAO,KAAK,EACV,gBAAgB,EAChB,oBAAoB,EACpB,uBAAuB,EACvB,sBAAsB,EACtB,cAAc,EACf,MAAM,gCAAgC,CAAA;AACvC,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAA;AACxE,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,+BAA+B,CAAA;AAEpE;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,4BAA6B,YAAW,gBAAgB;IAKjE,OAAO,CAAC,KAAK;IACb,OAAO,CAAC,YAAY;IACpB,OAAO,CAAC,UAAU;IANpB,OAAO,CAAC,UAAU,CAAsB;IACxC,OAAO,CAAC,eAAe,CAA4C;gBAGzD,KAAK,EAAE,gBAAgB,EACvB,YAAY,EAAE,iBAAiB,EAC/B,UAAU,EAAE,eAAe;IAGrC,kEAAkE;IAClE,IAAI,SAAS,IAAI,MAAM,GAAG,IAAI,CAA2B;IAEzD,uCAAuC;IACvC,aAAa,CAAC,QAAQ,EAAE,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,KAAK,IAAI,GAAG,MAAM,IAAI;IAKnE,OAAO,CAAC,QAAQ;IAMhB,OAAO,CAAC,UAAU;IAOZ,cAAc,CAAC,IAAI,EAAE,aAAa,EAAE,QAAQ,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAWzE,oBAAoB,CAAC,IAAI,EAAE,uBAAuB,EAAE,QAAQ,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAWzF,mBAAmB,CAAC,IAAI,EAAE,sBAAsB,EAAE,QAAQ,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAWvF,cAAc,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,oBAAoB,CAAC;IAuB1D,oBAAoB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC;IAQ1D,mBAAmB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAQxD,gBAAgB,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,cAAc,EAAE,CAAC;IAOjE;;;;;;;;;;OAUG;IACG,WAAW,CACf,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,WAAW,EACrB,cAAc,EAAE,MAAM,OAAO,CAAC;QAC5B,OAAO,CAAC,EAAE,aAAa,CAAA;QACvB,aAAa,CAAC,EAAE,uBAAuB,CAAA;QACvC,YAAY,CAAC,EAAE,sBAAsB,CAAA;KACtC,CAAC,GACD,OAAO,CAAC,IAAI,CAAC;CAoCjB"}

package/dist/adapters/index.d.ts

@@ -0,0 +1,5 @@
+export * from './interfaces';
+export * from './crypto';
+export * from './storage';
+export * from './messaging';
+//# sourceMappingURL=index.d.ts.map

package/dist/adapters/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/adapters/index.ts"],"names":[],"mappings":"AAAA,cAAc,cAAc,CAAA;AAC5B,cAAc,UAAU,CAAA;AACxB,cAAc,WAAW,CAAA;AACzB,cAAc,aAAa,CAAA"}

package/dist/adapters/interfaces/AuthorizationAdapter.d.ts

@@ -0,0 +1,52 @@
+import { ResourceRef } from '../../types/resource-ref';
+import { CapabilityJws, CapabilityVerificationResult, Permission } from '../../crypto/capabilities';
+/**
+ * AuthorizationAdapter — Stateful layer for capability management.
+ *
+ * Manages the lifecycle of capability tokens:
+ * - Granting capabilities to other DIDs
+ * - Storing received capabilities
+ * - Querying who can access what
+ * - Verifying access (signature + expiration + chain + revocation)
+ * - Revoking capabilities
+ *
+ * The cryptographic primitives (create, verify, delegate) live in
+ * crypto/capabilities.ts. This adapter adds state: storage, queries,
+ * and revocation lists.
+ *
+ * Implementations:
+ * - InMemoryAuthorizationAdapter (tests)
+ * - AutomergeAuthorizationAdapter (Demo-App, stores in Personal-Doc)
+ * - StatelessAuthorizationAdapter (wot-vault, verify-only)
+ */
+export interface AuthorizationAdapter {
+    /** Grant a capability to another DID. Signs and stores it. */
+    grant(resource: ResourceRef, toDid: string, permissions: Permission[], expiration: string): Promise<CapabilityJws>;
+    /**
+     * Delegate a received capability to another DID (attenuation only).
+     * Permissions must be a subset of the parent's.
+     * Expiration must be <= parent's.
+     */
+    delegate(parentCapabilityJws: CapabilityJws, toDid: string, permissions: Permission[], expiration?: string): Promise<CapabilityJws>;
+    /**
+     * Verify a capability: signature, expiration, chain, and revocation.
+     * Returns the full decoded capability and chain on success.
+     */
+    verify(capabilityJws: CapabilityJws): Promise<CapabilityVerificationResult>;
+    /**
+     * Check if a DID can perform an action on a resource.
+     * Convenience method that searches stored capabilities.
+     */
+    canAccess(did: string, resource: ResourceRef, permission: Permission): Promise<boolean>;
+    /** Revoke a capability by ID. Only the issuer can revoke. */
+    revoke(capabilityId: string): Promise<void>;
+    /** Check if a capability ID has been revoked. */
+    isRevoked(capabilityId: string): Promise<boolean>;
+    /** Store a received capability (e.g. from a space invite). */
+    store(capabilityJws: CapabilityJws): Promise<void>;
+    /** Get all capabilities granted TO the current user. */
+    getMyCapabilities(resource?: ResourceRef): Promise<CapabilityJws[]>;
+    /** Get all capabilities granted BY the current user. */
+    getGrantedCapabilities(resource?: ResourceRef): Promise<CapabilityJws[]>;
+}
+//# sourceMappingURL=AuthorizationAdapter.d.ts.map

package/dist/adapters/interfaces/AuthorizationAdapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AuthorizationAdapter.d.ts","sourceRoot":"","sources":["../../../src/adapters/interfaces/AuthorizationAdapter.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAA;AAC3D,OAAO,KAAK,EACV,aAAa,EACb,4BAA4B,EAC5B,UAAU,EACX,MAAM,2BAA2B,CAAA;AAElC;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,WAAW,oBAAoB;IAGnC,8DAA8D;IAC9D,KAAK,CACH,QAAQ,EAAE,WAAW,EACrB,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,UAAU,EAAE,EACzB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,aAAa,CAAC,CAAA;IAIzB;;;;OAIG;IACH,QAAQ,CACN,mBAAmB,EAAE,aAAa,EAClC,KAAK,EAAE,MAAM,EACb,WAAW,EAAE,UAAU,EAAE,EACzB,UAAU,CAAC,EAAE,MAAM,GAClB,OAAO,CAAC,aAAa,CAAC,CAAA;IAIzB;;;OAGG;IACH,MAAM,CAAC,aAAa,EAAE,aAAa,GAAG,OAAO,CAAC,4BAA4B,CAAC,CAAA;IAE3E;;;OAGG;IACH,SAAS,CACP,GAAG,EAAE,MAAM,EACX,QAAQ,EAAE,WAAW,EACrB,UAAU,EAAE,UAAU,GACrB,OAAO,CAAC,OAAO,CAAC,CAAA;IAInB,6DAA6D;IAC7D,MAAM,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAE3C,iDAAiD;IACjD,SAAS,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;IAIjD,8DAA8D;IAC9D,KAAK,CAAC,aAAa,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAAA;IAElD,wDAAwD;IACxD,iBAAiB,CAAC,QAAQ,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC,CAAA;IAEnE,wDAAwD;IACxD,sBAAsB,CAAC,QAAQ,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC,CAAA;CACzE"}