holosphere 2.0.0-alpha13 → 2.0.0-alpha15

package/src/federation/handshake.js

@@ -17,27 +17,52 @@ import {
   generateNonce,
   getPublicKey,
 } from '../crypto/nostr-utils.js';
-import { addFederatedPartner, storeInboundCapability } from './registry.js';
+import {
+  addFederatedPartner,
+  storeInboundCapability,
+  grantAccess,
+  convertLegacyLensConfig,
+  convertToLegacyLensConfig,
+} from './registry.js';
 import { registerHolon } from './holon-registry.js';
 import { issueCapability } from '../crypto/secp256k1.js';
 import * as cardStorage from './card-storage.js';
+import { buildLensPath } from '../crypto/key-store.js';
 
 // ============================================================================
 // Types (documented for reference)
 // ============================================================================
 
+/**
+ * @typedef {Object} LensConfigV1 - Legacy v1.0 lens configuration format
+ * @property {string[]} inbound - Lenses sender will accept (read)
+ * @property {string[]} outbound - Lenses sender will share (read)
+ * @property {string[]} [writeInbound] - Lenses sender wants write access to
+ * @property {string[]} [writeOutbound] - Lenses sender will grant write access for
+ */
+
+/**
+ * @typedef {Object} LensPermissions - v2.0 permissions for a single lens
+ * @property {string[]} receive - Permissions received from partner ('read', 'write')
+ * @property {string[]} share - Permissions shared with partner ('read', 'write')
+ */
+
+/**
+ * @typedef {Object} LensConfigV2 - Unified v2.0 lens configuration format
+ * @property {'2.0'} version - Format version
+ * @property {Object.<string, LensPermissions>} permissions - Per-lens permissions
+ */
+
 /**
  * @typedef {Object} FederationRequestPayload
  * @property {'federation_request'} type
- * @property {'1.0'} version
+ * @property {'1.0'|'2.0'} version - Protocol version
  * @property {string} requestId - Unique request ID
  * @property {number} timestamp
  * @property {string} senderHolonId - Holon ID of the sender
  * @property {string} senderHolonName - Human-readable holon name
  * @property {string} senderNpub - Sender's npub
- * @property {Object} lensConfig - Lens configuration
- * @property {string[]} lensConfig.inbound - Lenses sender will accept
- * @property {string[]} lensConfig.outbound - Lenses sender will share
+ * @property {LensConfigV1|LensConfigV2} lensConfig - Lens configuration (v1 or v2 format)
  * @property {Array} capabilities - Capability tokens
  * @property {string} [message] - Optional personal message
  */
@@ -45,18 +70,87 @@ import * as cardStorage from './card-storage.js';
 /**
  * @typedef {Object} FederationResponsePayload
  * @property {'federation_response'} type
- * @property {'1.0'} version
+ * @property {'1.0'|'2.0'} version - Protocol version
  * @property {string} requestId - References original request
  * @property {number} timestamp
  * @property {'accepted'|'rejected'} status
  * @property {string} [responderHolonId]
  * @property {string} [responderHolonName]
  * @property {string} [responderNpub]
- * @property {Object} [lensConfig]
+ * @property {LensConfigV1|LensConfigV2} [lensConfig] - Lens configuration
  * @property {Array} [capabilities]
  * @property {string} [message]
  */
 
+/**
+ * @typedef {Object} LensKeySharePayload
+ * @property {'lens_key_share'} type
+ * @property {'1.0'} version - Protocol version
+ * @property {string} lensPath - Path identifying the lens (appName/holonId/lensName)
+ * @property {string} wrappedKey - NIP-44 wrapped symmetric key
+ * @property {number} timestamp
+ */
+
+// ============================================================================
+// Lens Config Format Utilities
+// ============================================================================
+
+/**
+ * Check if a lensConfig is in v2.0 format
+ * @param {Object} lensConfig - Lens configuration
+ * @returns {boolean} True if v2.0 format
+ */
+export function isV2LensConfig(lensConfig) {
+  return lensConfig && lensConfig.version === '2.0' && lensConfig.permissions;
+}
+
+/**
+ * Normalize lensConfig to ensure it has a consistent format.
+ * Accepts either v1.0 or v2.0 format and returns normalized v1.0 for backward compat.
+ *
+ * @param {Object} lensConfig - Input lens configuration (v1 or v2)
+ * @returns {Object} Normalized v1.0 format { inbound, outbound, writeInbound, writeOutbound }
+ */
+export function normalizeLensConfig(lensConfig) {
+  if (!lensConfig) {
+    return { inbound: [], outbound: [], writeInbound: [], writeOutbound: [] };
+  }
+
+  // If v2.0 format, convert to v1.0
+  if (isV2LensConfig(lensConfig)) {
+    return convertToLegacyLensConfig(lensConfig);
+  }
+
+  // Already v1.0 format, just ensure all fields exist
+  return {
+    inbound: lensConfig.inbound || [],
+    outbound: lensConfig.outbound || [],
+    writeInbound: lensConfig.writeInbound || [],
+    writeOutbound: lensConfig.writeOutbound || [],
+  };
+}
+
+/**
+ * Create unified permissions from lensConfig.
+ * Converts any format to the unified v2.0 format.
+ *
+ * @param {Object} lensConfig - Input lens configuration (v1 or v2)
+ * @returns {Object} v2.0 format { version: '2.0', permissions: {...} }
+ */
+export function toUnifiedPermissions(lensConfig) {
+  if (!lensConfig) {
+    return { version: '2.0', permissions: {} };
+  }
+
+  // If already v2.0, return as-is
+  if (isV2LensConfig(lensConfig)) {
+    return lensConfig;
+  }
+
+  // Convert v1.0 to v2.0
+  return convertLegacyLensConfig(lensConfig);
+}
+
 // ============================================================================
 // Request/Response Creation
 // ============================================================================
@@ -67,28 +161,35 @@ import * as cardStorage from './card-storage.js';
  * @param {string} params.senderHolonId
  * @param {string} params.senderHolonName
  * @param {string} params.senderPubKey - Hex public key
- * @param {Object} params.lensConfig - { inbound: string[], outbound: string[] }
+ * @param {Object} params.lensConfig - Lens config (v1 or v2 format supported)
  * @param {Array} [params.capabilities] - Capability tokens to include
  * @param {string} [params.message] - Optional message
+ * @param {boolean} [params.useV2=false] - Send in v2.0 format
  * @returns {FederationRequestPayload}
  */
 export function createFederationRequest({
   senderHolonId,
   senderHolonName,
   senderPubKey,
-  lensConfig = { inbound: [], outbound: [] },
+  lensConfig = { inbound: [], outbound: [], writeInbound: [], writeOutbound: [] },
   capabilities = [],
   message,
+  useV2 = false,
 }) {
+  // Normalize lensConfig
+  const normalizedLensConfig = useV2
+    ? toUnifiedPermissions(lensConfig)
+    : normalizeLensConfig(lensConfig);
+
   return {
     type: 'federation_request',
-    version: '1.0',
+    version: useV2 ? '2.0' : '1.0',
     requestId: generateNonce(),
     timestamp: Date.now(),
     senderHolonId,
     senderHolonName,
     senderNpub: hexToNpub(senderPubKey),
-    lensConfig,
+    lensConfig: normalizedLensConfig,
     capabilities,
     message,
   };
@@ -102,9 +203,10 @@ export function createFederationRequest({
  * @param {string} [params.responderHolonId]
  * @param {string} [params.responderHolonName]
  * @param {string} [params.responderPubKey] - Hex public key
- * @param {Object} [params.lensConfig]
+ * @param {Object} [params.lensConfig] - Lens config (v1 or v2 format supported)
  * @param {Array} [params.capabilities]
  * @param {string} [params.message]
+ * @param {boolean} [params.useV2=false] - Respond in v2.0 format
  * @returns {FederationResponsePayload}
  */
 export function createFederationResponse({
@@ -116,17 +218,26 @@ export function createFederationResponse({
   lensConfig,
   capabilities,
   message,
+  useV2 = false,
 }) {
+  // Normalize lensConfig if provided
+  let normalizedLensConfig;
+  if (lensConfig) {
+    normalizedLensConfig = useV2
+      ? toUnifiedPermissions(lensConfig)
+      : normalizeLensConfig(lensConfig);
+  }
+
   return {
     type: 'federation_response',
-    version: '1.0',
+    version: useV2 ? '2.0' : '1.0',
     requestId,
     timestamp: Date.now(),
     status,
     responderHolonId,
     responderHolonName,
     responderNpub: responderPubKey ? hexToNpub(responderPubKey) : undefined,
-    lensConfig,
+    lensConfig: normalizedLensConfig,
     capabilities,
     message,
   };
@@ -192,6 +303,45 @@ export async function sendFederationResponse(client, privateKey, recipientPubKey
   }
 }
 
+/**
+ * Send a lens key share DM
+ * Used to share encrypted lens keys with federation partners
+ * @param {Object} client - NostrClient instance with publish method
+ * @param {string} privateKey - Sender's hex private key
+ * @param {string} recipientPubKey - Recipient's hex public key
+ * @param {Object} keyShare - Key share payload
+ * @param {string} keyShare.lensPath - Path identifying the lens
+ * @param {string} keyShare.wrappedKey - NIP-44 wrapped symmetric key for recipient
+ * @returns {Promise<boolean>} Success indicator
+ */
+export async function sendLensKeyShare(client, privateKey, recipientPubKey, keyShare) {
+  try {
+    const payload = {
+      type: 'lens_key_share',
+      version: '1.0',
+      lensPath: keyShare.lensPath,
+      wrappedKey: keyShare.wrappedKey,
+      timestamp: Date.now(),
+    };
+
+    const content = JSON.stringify(payload);
+    const encrypted = encryptNIP44(privateKey, recipientPubKey, content);
+    const event = createDMEvent(recipientPubKey, encrypted, privateKey);
+
+    if (client?.publish) {
+      await client.publish(event);
+      console.log('[Handshake] Lens key share sent to:', recipientPubKey.substring(0, 8) + '...', 'for lens:', keyShare.lensPath);
+      return true;
+    } else {
+      console.error('[Handshake] No publish method on client');
+      return false;
+    }
+  } catch (error) {
+    console.error('[Handshake] Failed to send lens key share:', error);
+    return false;
+  }
+}
+
 // ============================================================================
 // DM Subscription
 // ============================================================================
@@ -208,12 +358,13 @@ export async function sendFederationResponse(client, privateKey, recipientPubKey
  * @param {Function} handlers.onResponse - Called with (response, senderPubKey)
  * @param {Function} [handlers.onUpdate] - Called with (update, senderPubKey)
  * @param {Function} [handlers.onUpdateResponse] - Called with (response, senderPubKey)
+ * @param {Function} [handlers.onKeyShare] - Called with (keyShare, senderPubKey) for encrypted lens key shares
  * @param {Object} options - Subscription options
  * @param {string} options.appname - Application namespace (for persistent storage)
  * @returns {Function} Unsubscribe function
  */
 export function subscribeToFederationDMs(client, privateKey, publicKey, handlers, options = {}) {
-  const { onRequest, onResponse, onUpdate, onUpdateResponse } = handlers;
+  const { onRequest, onResponse, onUpdate, onUpdateResponse, onKeyShare } = handlers;
   const { appname } = options;
   let isActive = true;
 
@@ -348,6 +499,23 @@ export function subscribeToFederationDMs(client, privateKey, publicKey, handlers
 
         console.log('[Handshake] Received federation update response from:', event.pubkey.substring(0, 8) + '...');
         onUpdateResponse?.(payload, event.pubkey);
+      } else if (payload.type === 'lens_key_share' && payload.version === '1.0') {
+        // Lens key share - receive encrypted symmetric key from partner
+        const keyShareKey = `key_${payload.lensPath}_${event.pubkey}`;
+        if (processedResponseIds.has(keyShareKey)) {
+          console.log('[Handshake] Skipping already processed key share:', keyShareKey);
+          return;
+        }
+
+        // Mark as processed
+        if (appname && client?.client) {
+          await cardStorage.markDMProcessed(client.client, appname, event.id, 'key_share');
+          processedResponseIds.add(keyShareKey);
+          processedDMIds.add(event.id);
+        }
+
+        console.log('[Handshake] Received lens key share from:', event.pubkey.substring(0, 8) + '...', 'for lens:', payload.lensPath);
+        onKeyShare?.(payload, event.pubkey);
       }
     } catch (error) {
       // Silently ignore non-federation DMs
@@ -430,7 +598,7 @@ export async function initiateFederationHandshake(holosphere, privateKey, params
     partnerPubKey,
     holonId,
     holonName,
-    lensConfig = { inbound: [], outbound: [] },
+    lensConfig = { inbound: [], outbound: [], writeInbound: [], writeOutbound: [] },
     message,
   } = params;
 
@@ -438,9 +606,17 @@ export async function initiateFederationHandshake(holosphere, privateKey, params
     // Get sender's public key
     const senderPubKey = getPublicKey(privateKey);
 
+    // Normalize lensConfig
+    const normalizedLensConfig = {
+      inbound: lensConfig.inbound || [],
+      outbound: lensConfig.outbound || [],
+      writeInbound: lensConfig.writeInbound || [],
+      writeOutbound: lensConfig.writeOutbound || [],
+    };
+
     // Issue capabilities for outbound lenses (lenses we're sharing with partner)
     const capabilities = [];
-    for (const lensName of (lensConfig.outbound || [])) {
+    for (const lensName of normalizedLensConfig.outbound) {
       try {
         const token = await issueCapability(
           ['read'],
@@ -462,12 +638,49 @@ export async function initiateFederationHandshake(holosphere, privateKey, params
       }
     }
 
+    // Grant write access to partner for our writeOutbound lenses
+    // This allows the partner to write to these lenses in our holon
+    if (holosphere.client) {
+      for (const lensName of normalizedLensConfig.writeOutbound) {
+        try {
+          // New unified grant
+          await grantAccess(
+            holosphere.client,
+            holosphere.config.appName,
+            partnerPubKey,
+            { holonId: '*', lensName },
+            ['write'],
+            { direction: 'inbound' }
+          );
+          console.log(`[Handshake] Pre-granted write access to partner for lens "${lensName}"`);
+        } catch (err) {
+          console.warn(`[Handshake] Failed to grant write access for ${lensName}:`, err.message);
+        }
+      }
+
+      // Also grant read access for outbound lenses using unified format
+      for (const lensName of normalizedLensConfig.outbound) {
+        try {
+          await grantAccess(
+            holosphere.client,
+            holosphere.config.appName,
+            partnerPubKey,
+            { holonId: '*', lensName },
+            ['read'],
+            { direction: 'outbound' }
+          );
+        } catch (err) {
+          console.warn(`[Handshake] Failed to grant read access for ${lensName}:`, err.message);
+        }
+      }
+    }
+
     // Create federation request
     const request = createFederationRequest({
       senderHolonId: holonId,
       senderHolonName: holonName,
       senderPubKey,
-      lensConfig,
+      lensConfig: normalizedLensConfig,
       capabilities,
       message,
     });
@@ -513,7 +726,7 @@ export async function acceptFederationRequest(holosphere, privateKey, params) {
     senderPubKey,
     holonId,
     holonName,
-    lensConfig = { inbound: [], outbound: [] },
+    lensConfig = { inbound: [], outbound: [], writeInbound: [], writeOutbound: [] },
     message,
   } = params;
 
@@ -521,6 +734,14 @@ export async function acceptFederationRequest(holosphere, privateKey, params) {
     // Get responder's public key
     const responderPubKey = getPublicKey(privateKey);
 
+    // Normalize lensConfig
+    const normalizedLensConfig = {
+      inbound: lensConfig.inbound || [],
+      outbound: lensConfig.outbound || [],
+      writeInbound: lensConfig.writeInbound || [],
+      writeOutbound: lensConfig.writeOutbound || [],
+    };
+
     // Add sender as federated partner in Nostr registry
     if (holosphere.client) {
       await addFederatedPartner(holosphere.client, holosphere.config.appName, senderPubKey, {
@@ -535,6 +756,48 @@ export async function acceptFederationRequest(holosphere, privateKey, params) {
         }
       }
 
+      // Process write grants from sender (they offered writeOutbound = we get write access)
+      const senderWriteOutbound = request.lensConfig?.writeOutbound || [];
+      if (senderWriteOutbound.length > 0) {
+        console.log('[Handshake] Sender is granting write access for lenses:', senderWriteOutbound);
+        // Note: This is tracked on the sender's side - we just acknowledge it in the response
+      }
+
+      // Grant write access to sender for our writeOutbound lenses
+      // This allows the sender to write to these lenses in our holon
+      for (const lensName of normalizedLensConfig.writeOutbound) {
+        try {
+          // New unified grant
+          await grantAccess(
+            holosphere.client,
+            holosphere.config.appName,
+            senderPubKey,
+            { holonId: '*', lensName },
+            ['write'],
+            { direction: 'inbound' }
+          );
+          console.log(`[Handshake] Granted write access to sender for lens "${lensName}"`);
+        } catch (err) {
+          console.warn(`[Handshake] Failed to grant write access for ${lensName}:`, err.message);
+        }
+      }
+
+      // Also grant read access for outbound lenses using unified format
+      for (const lensName of normalizedLensConfig.outbound) {
+        try {
+          await grantAccess(
+            holosphere.client,
+            holosphere.config.appName,
+            senderPubKey,
+            { holonId: '*', lensName },
+            ['read'],
+            { direction: 'outbound' }
+          );
+        } catch (err) {
+          console.warn(`[Handshake] Failed to grant read access for ${lensName}:`, err.message);
+        }
+      }
+
       // Register the sender's holon -> pubkey mapping in our holon registry
       // This is critical for resolveHolonToPubkey to work when navigating to their holon
       if (request.senderHolonId) {
@@ -552,13 +815,13 @@ export async function acceptFederationRequest(holosphere, privateKey, params) {
     // This is what makes the partner appear in getFederation() / loadFederationData()
     // Store the sender's name so we can display it without reading their settings
     await holosphere.federateHolon(holonId, senderPubKey, {
-      lensConfig,
+      lensConfig: normalizedLensConfig,
       partnerName: request.senderHolonName
     });
 
     // Issue capabilities for our outbound lenses (lenses we're sharing with partner)
     const capabilities = [];
-    for (const lensName of (lensConfig.outbound || [])) {
+    for (const lensName of normalizedLensConfig.outbound) {
       try {
         const token = await issueCapability(
           ['read'],
@@ -580,6 +843,37 @@ export async function acceptFederationRequest(holosphere, privateKey, params) {
       }
     }
 
+    // Share lens keys for encrypted outbound lenses
+    // This allows the partner to decrypt data from our shared lenses
+    if (holosphere.keyStore && holosphere.client?.privateKey) {
+      for (const lensName of normalizedLensConfig.outbound) {
+        const lensPath = buildLensPath(holosphere.config.appName, responderPubKey, lensName);
+        const lensKey = holosphere.keyStore.getKey(lensPath);
+
+        if (lensKey) {
+          try {
+            // Wrap the lens key for the partner
+            const wrappedKey = holosphere.keyStore.wrapKeyForPartner(
+              lensPath,
+              holosphere.client.privateKey,
+              senderPubKey
+            );
+
+            if (wrappedKey) {
+              // Send the wrapped key via encrypted DM
+              await sendLensKeyShare(holosphere.client, privateKey, senderPubKey, {
+                lensPath,
+                wrappedKey,
+              });
+              console.log(`[Handshake] Shared lens key for "${lensName}" with partner`);
+            }
+          } catch (err) {
+            console.warn(`[Handshake] Failed to share lens key for ${lensName}:`, err.message);
+          }
+        }
+      }
+    }
+
     // Create and send response
     const response = createFederationResponse({
       requestId: request.requestId,
@@ -587,7 +881,7 @@ export async function acceptFederationRequest(holosphere, privateKey, params) {
       responderHolonId: holonId,
       responderHolonName: holonName,
       responderPubKey,
-      lensConfig,
+      lensConfig: normalizedLensConfig,
       capabilities,
       message,
     });
@@ -604,7 +898,7 @@ export async function acceptFederationRequest(holosphere, privateKey, params) {
       // Auto-receive federated lens data as holograms for configured inbound lenses
       // This enables the user to immediately see the partner's data in their holon
       const receivedHolograms = {};
-      const inboundLenses = lensConfig.inbound || [];
+      const inboundLenses = normalizedLensConfig.inbound;
 
       if (inboundLenses.length > 0 && holosphere.receiveFederatedLens) {
         console.log('[Handshake] Receiving federated lens data as holograms...');

package/src/federation/hologram.js

@@ -16,7 +16,7 @@
  */
 
 import { buildPath, write, read, update } from '../storage/unified-storage.js';
-import { verifyCapability, issueCapability } from '../crypto/secp256k1.js';
+import { verifyCapability, issueCapability, verifyCapabilityIssuer, decodeCapability } from '../crypto/secp256k1.js';
 import { getCapabilityForAuthor, storeInboundCapability } from './registry.js';
 
 /** @constant {number} Maximum depth for hologram resolution chain */
@@ -134,6 +134,7 @@ export function createHologram(sourceHolon, targetHolon, lensName, dataId, appna
     capability,  // Always the token string (normalized above)
     _meta: {
       created: Date.now(),
+      lastUpdated: Date.now(),
       sourceHolon,
       source: sourceHolon,  // Alias for compatibility
       sourcePubKey: authorPubKey,
@@ -158,6 +159,7 @@ export function createHologram(sourceHolon, targetHolon, lensName, dataId, appna
  * @param {string} appname - Application namespace
  * @param {Object} options - Hologram options
  * @param {string} [options.sourceAuthorPubKey] - Source author's public key (defaults to client.publicKey)
+ * @param {string} [options.sourceAuthorPrivKey] - Source author's private key for signing capability (defaults to client.privateKey)
  * @param {string} [options.targetAuthorPubKey] - Target author's public key (defaults to client.publicKey)
  * @param {string} [options.capability] - Pre-issued capability (if not provided, one will be issued)
  * @param {string[]} [options.permissions=['read']] - Permissions for auto-issued capability
@@ -167,6 +169,7 @@ export function createHologram(sourceHolon, targetHolon, lensName, dataId, appna
 export async function createHologramWithCapability(client, sourceHolon, targetHolon, lensName, dataId, appname, options = {}) {
   const {
     sourceAuthorPubKey = client.publicKey,
+    sourceAuthorPrivKey = client.privateKey,  // Allow passing author's private key for signing
     targetAuthorPubKey = client.publicKey,
     capability: providedCapability = null,
     permissions = ['read'],
@@ -187,7 +190,7 @@ export async function createHologramWithCapability(client, sourceHolon, targetHo
       {
         expiresIn: expiresIn !== null ? expiresIn : (isSelfCapability ? 365 * 24 * 60 * 60 * 1000 : 3600000), // 1 year for self, 1 hour for cross
         issuer: sourceAuthorPubKey,
-        issuerKey: client.privateKey,
+        issuerKey: sourceAuthorPrivKey,  // Use passed private key (holon's key when federated via holonsbot)
       }
     );
 
@@ -316,6 +319,21 @@ export async function resolveHologram(client, hologram, visited = new Set(), cha
       return null;
     }
 
+    // OBJECT-CAPABILITY SECURITY: Verify capability issuer matches claimed authorPubKey
+    // This prevents forged capabilities where someone signs a capability for data they don't own
+    if (authorPubKey) {
+      const issuerMatch = await verifyCapabilityIssuer(capability, authorPubKey);
+      if (!issuerMatch) {
+        console.warn(`❌ Capability issuer does not match authorPubKey for hologram: ${soul}`);
+        console.warn(`   Expected author: ${authorPubKey?.slice(0, 12)}...`);
+        const decoded = decodeCapability(capability);
+        if (decoded) {
+          console.warn(`   Actual issuer: ${decoded.issuer?.slice(0, 12)}...`);
+        }
+        return null;
+      }
+    }
+
     const isValid = await verifyCapability(
       capability,
       'read',
@@ -453,6 +471,7 @@ export async function setupFederation(
  * @param {string} mode - 'reference' or 'copy'
  * @param {Object} options - Propagation options
  * @param {string} [options.sourceAuthorPubKey] - Source author (defaults to client.publicKey)
+ * @param {string} [options.sourceAuthorPrivKey] - Source author's private key for signing capability (defaults to client.privateKey)
  * @param {string} [options.capability] - Pre-issued capability (auto-issued if not provided)
  * @returns {Promise<boolean>} Success indicator
  */
@@ -606,14 +625,6 @@ export async function propagateData(
     const isPubkey = typeof targetHolon === 'string' && /^[0-9a-f]{64}$/i.test(targetHolon);
     const targetAuthorPubKey = options.targetAuthorPubKey || (isPubkey ? targetHolon : client.publicKey);
 
-    console.log('[propagateData] Creating hologram with capability:', {
-      sourceHolon: sourceHolon?.slice(0, 12) + '...',
-      targetHolon: targetHolon?.slice(0, 12) + '...',
-      sourceAuthorPubKey: sourceAuthorPubKey?.slice(0, 12) + '...',
-      targetAuthorPubKey: targetAuthorPubKey?.slice(0, 12) + '...',
-      hasProvidedCapability: !!options.capability
-    });
-
     const hologram = await createHologramWithCapability(
       client,
       sourceHolon,
@@ -623,6 +634,7 @@ export async function propagateData(
       appname,
       {
         sourceAuthorPubKey,
+        sourceAuthorPrivKey: options.sourceAuthorPrivKey,  // Pass through for holon-signed capabilities
         targetAuthorPubKey,
         capability: options.capability,
         permissions: ['read'],
@@ -745,9 +757,10 @@ export async function addActiveHologram(client, appname, sourceHolon, lensName,
   let sourcePath = buildPath(currentAppname, currentHolon, currentLens, currentDataId);
 
   // Read existing source data
+  // Note: May return null if called immediately after write (before relay persistence)
+  // This is expected - the hologram still works, we just can't track activeHolograms
   let sourceData = await read(client, sourcePath);
   if (!sourceData) {
-    console.warn(`Source data not found at ${sourcePath}`);
     return false;
   }
 
@@ -765,14 +778,10 @@ export async function addActiveHologram(client, appname, sourceHolon, lensName,
 
     sourceData = await read(client, sourcePath);
     if (!sourceData) {
-      console.warn(`Real source data not found at ${sourcePath}`);
       return false;
     }
   }
 
-  if (depth > 0) {
-    console.info(`📍 Followed hologram chain (depth: ${depth}) to real source: ${currentHolon}/${currentLens}/${currentDataId}`);
-  }
 
   // Initialize _meta and activeHolograms if needed
   if (!sourceData._meta) {
@@ -885,9 +894,9 @@ export async function updateActiveHologramPlatform(client, appname, sourceHolon,
   let sourcePath = buildPath(currentAppname, currentHolon, currentLens, currentDataId);
 
   // Read existing source data
+  // Note: May return null if called immediately after write (before relay persistence)
   let sourceData = await read(client, sourcePath);
   if (!sourceData) {
-    console.warn(`Source data not found at ${sourcePath}`);
     return false;
   }
 
@@ -904,7 +913,6 @@ export async function updateActiveHologramPlatform(client, appname, sourceHolon,
 
     sourceData = await read(client, sourcePath);
     if (!sourceData) {
-      console.warn(`Real source data not found at ${sourcePath}`);
       return false;
     }
   }