holosphere 2.0.0-alpha13 → 2.0.0-alpha15

package/src/index.js

@@ -28,6 +28,8 @@ import * as requestCard from './federation/request-card.js';
 import * as cardStorage from './federation/card-storage.js';
 import * as crypto from './crypto/secp256k1.js';
 import * as nostrUtils from './crypto/nostr-utils.js';
+import { LensKeyStore, buildLensPath } from './crypto/key-store.js';
+import * as lensKeys from './crypto/lens-keys.js';
 import * as social from './content/social-protocols.js';
 import * as subscriptions from './subscriptions/manager.js';
 import * as hierarchical from './hierarchical/upcast.js';
@@ -128,6 +130,24 @@ class HoloSphereBase extends HoloSphereCore {
     // Contracts module (lazy initialized)
     /** @type {Object|null} */
     this._contracts = null;
+
+    /**
+     * Lens key store for encrypted federation.
+     * Manages symmetric keys for encrypting/decrypting lens data.
+     * @type {LensKeyStore}
+     */
+    this.keyStore = new LensKeyStore();
+
+    /**
+     * Encryption configuration.
+     * @type {Object}
+     * @property {boolean} encryptByDefault - Whether to encrypt lens data by default
+     * @property {string[]} publicLenses - Lenses that should never be encrypted
+     */
+    this._encryptionConfig = {
+      encryptByDefault: config.encryptByDefault ?? false,
+      publicLenses: config.publicLenses || ['profile', 'settings', 'public'],
+    };
   }
 
   /**
@@ -322,6 +342,7 @@ class HoloSphereBase extends HoloSphereCore {
    * @param {Object} [options.propagationOptions] - Options for propagation
    * @param {boolean} [options.blocking=false] - If true, wait for relay confirmation before returning
    * @param {string} [options.signingKey] - Private key to sign with (hex format). If not provided, uses holosphere's default key.
+   * @param {boolean} [options.encrypt] - Whether to encrypt this data. Defaults to encryptByDefault config.
    * @returns {Promise<boolean>} True if write succeeded (or queued for optimistic writes)
    * @throws {ValidationError} If holonId, lensName, or data is invalid
    * @throws {AuthorizationError} If capability token is invalid
@@ -341,8 +362,81 @@ class HoloSphereBase extends HoloSphereCore {
       throw new ValidationError('ValidationError: data must be an object');
     }
 
+    // Check write authorization BEFORE optimistic caching
+    // Helper function to detect if a string is a pubkey (64-char hex)
+    const isPubkeyHolon = typeof holonId === 'string' && /^[0-9a-f]{64}$/i.test(holonId);
+
+    // Determine the effective writer pubkey - use signingKey's pubkey if provided
+    let effectiveWriterPubKey = this.client?.publicKey;
+    if (options.signingKey) {
+      try {
+        effectiveWriterPubKey = crypto.getPublicKey(options.signingKey);
+      } catch (err) {
+        this._log('WARN', '⚠️ Invalid signingKey provided, using client key', { error: err.message });
+      }
+    }
+
+    // For pubkey-based holons, check if it's our own holon (matches effective writer's pubkey)
+    // For non-pubkey holons (H3 cells, UUIDs), skip authorization for backwards compatibility
+    const isOwnHolon = effectiveWriterPubKey && (holonId === effectiveWriterPubKey || !isPubkeyHolon);
     const capToken = options.capabilityToken || options.capability;
-    if (capToken) {
+    const actingAsHolon = options.actingAs || options.actingAsHolon;
+
+    if (!isOwnHolon) {
+      // Writing to non-own holon - check authorization
+      // Priority: 1. Explicit capability token, 2. Membership-based access
+
+      if (capToken) {
+        // Explicit capability token provided - verify it
+        const authorized = await this.verifyCapability(capToken, 'write', { holonId, lensName });
+        if (!authorized) {
+          this._log('WARN', '🚫 Write denied: Invalid capability token', { holonId, lensName });
+          throw new AuthorizationError(
+            'Invalid capability token for write operation',
+            'write'
+          );
+        }
+        this._log('DEBUG', '✅ Write authorized via capability token', { holonId, lensName });
+      } else {
+        // No capability token - check unified access control
+        // Uses canAccess() which checks: 1. owner, 2. membership, 3. federation grants (unified)
+        const writerPubKey = effectiveWriterPubKey;
+
+        if (!writerPubKey) {
+          this._log('WARN', '🚫 Write denied: No authenticated user', { holonId, lensName });
+          throw new AuthorizationError(
+            'Authentication required for writing to federated holons',
+            'write'
+          );
+        }
+
+        // Check unified access control
+        const accessCheck = await this.canAccess(holonId, lensName, writerPubKey, 'write', { actingAsHolon });
+
+        if (!accessCheck.allowed) {
+          this._log('WARN', '🚫 Write denied: No write access', {
+            holonId,
+            lensName,
+            reason: accessCheck.reason,
+            via: accessCheck.via,
+            writerPubKey: writerPubKey?.slice(0, 12) + '...'
+          });
+          throw new AuthorizationError(
+            `Write access denied: ${accessCheck.reason}`,
+            'write'
+          );
+        }
+
+        this._log('DEBUG', '✅ Write authorized via unified access control', {
+          holonId,
+          lensName,
+          via: accessCheck.via,
+          reason: accessCheck.reason,
+          grant: accessCheck.grant ? 'yes' : 'no'
+        });
+      }
+    } else if (capToken) {
+      // Own holon with explicit token - validate it anyway
       const authorized = await this.verifyCapability(capToken, 'write', { holonId, lensName });
       if (!authorized) {
         throw new AuthorizationError('AuthorizationError: Invalid capability token for write operation', 'write');
@@ -427,8 +521,35 @@ class HoloSphereBase extends HoloSphereCore {
         return this._syncHologramWrite(existingData, data, path, lensName, options);
       }
 
-      // Regular write to relay
-      const writeOptions = options.signingKey ? { signingKey: options.signingKey } : {};
+      // Determine if encryption is needed
+      const shouldEncrypt = this._shouldEncryptLens(lensName, options);
+      let lensKey = null;
+
+      if (shouldEncrypt && this.client?.privateKey && this.client?.publicKey) {
+        // Get or create a key for this lens
+        const lensPath = buildLensPath(this.config.appName, holonId, lensName);
+        const keyResult = this.keyStore.getOrCreateKey(
+          lensPath,
+          this.client.privateKey,
+          this.client.publicKey
+        );
+        lensKey = keyResult.key;
+
+        if (keyResult.isNew) {
+          this._log('DEBUG', '🔑 Generated new lens key', { lensPath });
+          // Store the wrapped key in Nostr for persistence
+          this._storeWrappedKey(lensPath, keyResult.wrappedForSelf).catch(err => {
+            this._log('WARN', '⚠️ Failed to persist wrapped key', { lensPath, error: err.message });
+          });
+        }
+      }
+
+      // Regular write to relay (with optional encryption)
+      const writeOptions = {
+        ...(options.signingKey ? { signingKey: options.signingKey } : {}),
+        ...(lensKey ? { lensKey } : {}),
+        waitForRelays: true  // Always wait for relay confirmation when sync is called
+      };
       await storage.write(this.client, path, data, writeOptions);
 
       const endTime = Date.now();
@@ -514,6 +635,26 @@ class HoloSphereBase extends HoloSphereCore {
     await storage.write(this.client, path, localData);
 
     if (Object.keys(sourceUpdates).length > 0) {
+      // Verify write capability before updating source
+      const capability = existingData.capability;
+      if (!capability) {
+        throw new Error('Hologram missing capability token for source update');
+      }
+
+      const hasWrite = await crypto.verifyCapability(
+        capability,
+        'write',
+        {
+          holonId: existingData.target.holonId,
+          lensName: existingData.target.lensName,
+          dataId: existingData.target.dataId
+        }
+      );
+
+      if (!hasWrite) {
+        throw new Error('Write capability required to update source data through hologram');
+      }
+
       const sourcePath = storage.buildPath(
         existingData.target.appname || this.config.appName,
         existingData.target.holonId,
@@ -563,6 +704,176 @@ class HoloSphereBase extends HoloSphereCore {
     return registry.getCapabilityForAuthor(this.client, this.config.appName, authorPubKey, scope);
   }
 
+  /**
+   * Determine if a lens should be encrypted.
+   *
+   * @private
+   * @param {string} lensName - Name of the lens
+   * @param {Object} options - Write options
+   * @returns {boolean} True if lens should be encrypted
+   */
+  _shouldEncryptLens(lensName, options = {}) {
+    // Explicit encrypt option takes precedence
+    if (options.encrypt !== undefined) {
+      return options.encrypt;
+    }
+
+    // Public lenses are never encrypted
+    if (this._encryptionConfig.publicLenses.includes(lensName)) {
+      return false;
+    }
+
+    // Use default setting
+    return this._encryptionConfig.encryptByDefault;
+  }
+
+  /**
+   * Store a wrapped lens key in Nostr for persistence.
+   * This allows recovering keys after restart.
+   *
+   * @private
+   * @param {string} lensPath - Path identifying the lens
+   * @param {string} wrappedKey - NIP-44 wrapped key for self
+   * @returns {Promise<void>}
+   */
+  async _storeWrappedKey(lensPath, wrappedKey) {
+    const keyStorePath = storage.buildPath(this.config.appName, '_keys', 'lens-keys', lensPath.replace(/\//g, '_'));
+    await storage.write(this.client, keyStorePath, {
+      id: lensPath.replace(/\//g, '_'),
+      lensPath,
+      wrappedKey,
+      algorithm: 'aes-256-gcm',
+      keyWrap: 'nip44',
+      version: '1.0',
+      createdAt: Date.now()
+    });
+  }
+
+  /**
+   * Load stored wrapped keys from Nostr and restore them to the keyStore.
+   * Called during initialization to recover keys after restart.
+   *
+   * @private
+   * @returns {Promise<number>} Number of keys restored
+   */
+  async _loadStoredKeys() {
+    if (!this.client?.privateKey || !this.client?.publicKey) {
+      return 0;
+    }
+
+    const keyStorePath = storage.buildPath(this.config.appName, '_keys', 'lens-keys') + '/';
+    const storedKeys = await storage.readAll(this.client, keyStorePath);
+
+    let restored = 0;
+    for (const keyData of storedKeys) {
+      if (keyData && keyData.lensPath && keyData.wrappedKey) {
+        try {
+          const key = lensKeys.unwrapKey(
+            keyData.wrappedKey,
+            this.client.privateKey,
+            this.client.publicKey
+          );
+          this.keyStore.storeOwnKey(keyData.lensPath, key, keyData.wrappedKey);
+          restored++;
+        } catch (err) {
+          this._log('WARN', '⚠️ Failed to restore lens key', { lensPath: keyData.lensPath, error: err.message });
+        }
+      }
+    }
+
+    if (restored > 0) {
+      this._log('DEBUG', '🔑 Restored lens keys', { count: restored });
+    }
+
+    return restored;
+  }
+
+  /**
+   * Get the lens key for reading encrypted data.
+   * Returns the key from keyStore if available, otherwise null.
+   *
+   * @private
+   * @param {string} holonId - Holon identifier
+   * @param {string} lensName - Lens name
+   * @returns {Buffer|null} Lens key or null if not available
+   */
+  _getLensKey(holonId, lensName) {
+    const lensPath = buildLensPath(this.config.appName, holonId, lensName);
+    return this.keyStore.getKey(lensPath);
+  }
+
+  /**
+   * Handle a received lens key share from a federation partner.
+   * Call this from your onKeyShare handler in subscribeToFederationDMs.
+   *
+   * @param {Object} keyShare - Key share payload
+   * @param {string} keyShare.lensPath - Path identifying the lens
+   * @param {string} keyShare.wrappedKey - NIP-44 wrapped symmetric key
+   * @param {string} senderPubKey - Sender's public key
+   * @returns {boolean} True if key was successfully stored
+   */
+  handleReceivedKeyShare(keyShare, senderPubKey) {
+    if (!this.client?.privateKey) {
+      this._log('WARN', '⚠️ Cannot receive key share: no private key');
+      return false;
+    }
+
+    try {
+      const key = this.keyStore.receiveKey(
+        keyShare.lensPath,
+        keyShare.wrappedKey,
+        this.client.privateKey,
+        senderPubKey
+      );
+
+      this._log('DEBUG', '🔑 Received and stored lens key', {
+        lensPath: keyShare.lensPath,
+        from: senderPubKey.slice(0, 12) + '...'
+      });
+
+      return true;
+    } catch (error) {
+      this._log('ERROR', '❌ Failed to receive key share', {
+        lensPath: keyShare.lensPath,
+        error: error.message
+      });
+      return false;
+    }
+  }
+
+  /**
+   * Get encryption statistics for the key store.
+   *
+   * @returns {Object} { ownKeyCount, receivedKeyCount, totalPartnerGrants }
+   */
+  getEncryptionStats() {
+    return this.keyStore.getStats();
+  }
+
+  /**
+   * Check if a lens has an encryption key available.
+   *
+   * @param {string} holonId - Holon identifier
+   * @param {string} lensName - Lens name
+   * @returns {boolean} True if key is available for this lens
+   */
+  hasLensKey(holonId, lensName) {
+    const lensPath = buildLensPath(this.config.appName, holonId, lensName);
+    return this.keyStore.hasKey(lensPath);
+  }
+
+  /**
+   * Check if we own the key for a lens (vs received it from a partner).
+   *
+   * @param {string} holonId - Holon identifier
+   * @param {string} lensName - Lens name
+   * @returns {boolean} True if we own the key
+   */
+  isOwnLensKey(holonId, lensName) {
+    const lensPath = buildLensPath(this.config.appName, holonId, lensName);
+    return this.keyStore.isOwnKey(lensPath);
+  }
+
   /**
    * Recursively resolves holograms (references) to their source data.
    * Handles circular reference detection and local overrides.
@@ -719,12 +1030,22 @@ class HoloSphereBase extends HoloSphereCore {
     }
 
     // Resolve holonId to public key (if registered)
-    const targetPubkey = await this._resolveHolonToPubkey(holonId);
+    // Skip resolution if explicitly requested (used for backward compat reads from old locations)
+    const targetPubkey = options.skipResolve ? null : await this._resolveHolonToPubkey(holonId);
 
     // Determine if reading another author's data
     // If holonId can't be resolved, treat as own data (backwards compatible for H3 holons)
     const isOtherAuthor = targetPubkey && targetPubkey !== this.client.publicKey;
+    this._log('DEBUG', '🔍 READ: author check', {
+      targetPubkey: targetPubkey?.slice(0, 12),
+      clientPubkey: this.client?.publicKey?.slice(0, 12),
+      isOtherAuthor,
+      holonId: holonId?.slice(0, 12)
+    });
+    // Start with caller's options that should be passed through
     let readOptions = {};
+    if (options.forceRelay) readOptions.forceRelay = true;
+    if (options.timeout) readOptions.timeout = options.timeout;
 
     // Explicit capability token takes precedence
     const capToken = options.capabilityToken || options.capability;
@@ -765,19 +1086,26 @@ class HoloSphereBase extends HoloSphereCore {
 
     // Include federated authors to see holograms written by federation partners
     // This enables visibility of holograms created during federation
+    // We include ALL federated partners, not just those whose capabilities match the current scope,
+    // because partners may have written holograms to our holon that we need to see
+    this._log('DEBUG', '🔍 Checking for federated authors', { isOtherAuthor, holonId: holonId?.slice(0, 12) });
     if (!isOtherAuthor) {
       try {
-        const federatedAuthors = await registry.getFederatedAuthorsForScope(
+        this._log('DEBUG', '🔍 Getting federated authors...');
+        // Add timeout to prevent hanging on relay queries
+        const fedAuthorsPromise = registry.getFederatedAuthors(
           this.client,
-          this.config.appName,
-          { holonId, lensName, dataId },
-          'read'
+          this.config.appName
         );
+        const fedAuthorsTimeout = new Promise((resolve) =>
+          setTimeout(() => resolve([]), 5000) // 5 second timeout, resolve with empty array
+        );
+        const federatedAuthors = await Promise.race([fedAuthorsPromise, fedAuthorsTimeout]);
+        this._log('DEBUG', '✅ Got federated authors', { count: federatedAuthors?.length || 0 });
         if (federatedAuthors.length > 0) {
-          const partnerPubkeys = federatedAuthors.map(f => f.pubKey);
-          // Include self + all federated partners
-          readOptions.authors = [this.client.publicKey, ...partnerPubkeys];
-          this._log('DEBUG', 'Including federated authors', { count: partnerPubkeys.length });
+          // Include self + all federated partners to see partner-written holograms
+          readOptions.authors = [this.client.publicKey, ...federatedAuthors];
+          this._log('DEBUG', 'Including federated authors', { count: federatedAuthors.length });
         }
       } catch (err) {
         this._log('WARN', 'Failed to get federated authors', { error: err.message });
@@ -787,6 +1115,12 @@ class HoloSphereBase extends HoloSphereCore {
     const startTime = Date.now();
     let result;
 
+    // Get lens key for decryption (if available)
+    const lensKey = this._getLensKey(holonId, lensName);
+    if (lensKey) {
+      readOptions.lensKey = lensKey;
+    }
+
     if (dataId) {
       const path = storage.buildPath(this.config.appName, holonId, lensName, dataId);
 
@@ -813,7 +1147,7 @@ class HoloSphereBase extends HoloSphereCore {
           });
           result = cached.data;
         } else {
-          this._log('DEBUG', '📖 CACHE MISS: Reading from storage', { path, authors: readOptions.authors });
+          this._log('DEBUG', '📖 CACHE MISS: Reading from storage', { path, authors: readOptions.authors, hasKey: !!lensKey });
           result = await storage.read(this.client, path, readOptions);
           this._log('DEBUG', '💾 STORAGE READ', {
             path,
@@ -825,7 +1159,7 @@ class HoloSphereBase extends HoloSphereCore {
       }
     } else {
       const path = storage.buildPath(this.config.appName, holonId, lensName);
-      this._log('DEBUG', 'readAll', { holonId, lensName, path, authors: readOptions.authors });
+      this._log('DEBUG', 'readAll', { holonId, lensName, path, authors: readOptions.authors, hasKey: !!lensKey });
 
       // For readAll, merge cached writes with storage results and filter deleted
       const storageResult = await storage.readAll(this.client, path, readOptions);
@@ -916,8 +1250,33 @@ class HoloSphereBase extends HoloSphereCore {
       throw new ValidationError('ValidationError: updates must be an object');
     }
 
+    // Check write authorization BEFORE optimistic caching
+    // Helper function to detect if a string is a pubkey (64-char hex)
+    const isPubkeyHolon = typeof holonId === 'string' && /^[0-9a-f]{64}$/i.test(holonId);
+    // For pubkey-based holons, check if it's our own holon (our pubkey)
+    // For non-pubkey holons (H3 cells, UUIDs), skip authorization for backwards compatibility
+    const isOwnHolon = this.client && (holonId === this.client.publicKey || !isPubkeyHolon);
     const capToken = options.capabilityToken || options.capability;
-    if (capToken) {
+
+    if (!isOwnHolon) {
+      // Updating federated holon - require capability token
+      if (!capToken) {
+        this._log('WARN', '🚫 Update denied: No capability token for federated holon', { holonId, lensName, dataId });
+        throw new AuthorizationError(
+          'Capability token required for writing to federated holons',
+          'write'
+        );
+      }
+      const authorized = await this.verifyCapability(capToken, 'write', { holonId, lensName, dataId });
+      if (!authorized) {
+        this._log('WARN', '🚫 Update denied: Invalid capability token', { holonId, lensName, dataId });
+        throw new AuthorizationError(
+          'Invalid capability token for update operation',
+          'write'
+        );
+      }
+    } else if (capToken) {
+      // Own holon with explicit token - validate it anyway
       const authorized = await this.verifyCapability(capToken, 'write', { holonId, lensName, dataId });
       if (!authorized) {
         throw new AuthorizationError('AuthorizationError: Invalid capability token for update operation', 'write');
@@ -1008,7 +1367,7 @@ class HoloSphereBase extends HoloSphereCore {
 
       if (existingData._meta && existingData._meta.activeHolograms) {
         this._log('DEBUG', '🔗 Refreshing active holograms', { path });
-        federation.refreshActiveHolograms(this.client, this.config.appName, holonId, lensName, dataId)
+        await federation.refreshActiveHolograms(this.client, this.config.appName, holonId, lensName, dataId)
           .catch(err => this._log('WARN', '⚠️ Hologram refresh failed', { path, error: err.message }));
       }
 
@@ -1057,6 +1416,23 @@ class HoloSphereBase extends HoloSphereCore {
       throw new ValidationError('ValidationError: dataId must be a non-empty string');
     }
 
+    // Check holon-level authorization BEFORE reading data or caching
+    // Helper function to detect if a string is a pubkey (64-char hex)
+    const isPubkeyHolon = typeof holonId === 'string' && /^[0-9a-f]{64}$/i.test(holonId);
+    // For pubkey-based holons, check if it's our own holon (our pubkey)
+    // For non-pubkey holons (H3 cells, UUIDs), skip authorization for backwards compatibility
+    const isOwnHolon = this.client && (holonId === this.client.publicKey || !isPubkeyHolon);
+    const capToken = options.capabilityToken || options.capability;
+
+    if (!isOwnHolon && !capToken) {
+      // Deleting from federated holon without capability token - fail fast
+      this._log('WARN', '🚫 Delete denied: No capability token for federated holon', { holonId, lensName, dataId });
+      throw new AuthorizationError(
+        'Capability token required for writing to federated holons',
+        'delete'
+      );
+    }
+
     const path = storage.buildPath(this.config.appName, holonId, lensName, dataId);
 
     // Check write cache first, then storage
@@ -1077,13 +1453,12 @@ class HoloSphereBase extends HoloSphereCore {
 
     this._log('DEBUG', '🗑️ DELETE: Found data', { path, source: dataSource });
 
-    // Check authorization: owner can delete, others need capability token
+    // Check authorization: data owner can delete, others need capability token
     const dataOwner = existingData.owner || existingData._creator;
-    const isOwner = !dataOwner || dataOwner === this.client.publicKey;
+    const isDataOwner = !dataOwner || dataOwner === this.client.publicKey;
 
-    const capToken = options.capabilityToken || options.capability;
-    if (!isOwner) {
-      // Non-owner must provide a valid capability token
+    if (!isDataOwner) {
+      // Non-data-owner must provide a valid capability token
       if (!capToken) {
         throw new AuthorizationError('AuthorizationError: Capability token required for delete operation', 'delete');
       }
@@ -1092,7 +1467,7 @@ class HoloSphereBase extends HoloSphereCore {
         throw new AuthorizationError('AuthorizationError: Invalid capability token for delete operation', 'delete');
       }
     } else if (capToken) {
-      // Owner provided a token - validate it anyway
+      // Data owner provided a token - validate it anyway
       const authorized = await this.verifyCapability(capToken, 'delete', { holonId, lensName, dataId });
       if (!authorized) {
         throw new AuthorizationError('AuthorizationError: Invalid capability token for delete operation', 'delete');
@@ -1434,15 +1809,23 @@ class HoloSphereBase extends HoloSphereCore {
    * @param {string} lensName - Name of the lens
    * @param {Object} data - Data object containing the id to reference
    * @param {string} [targetHolon=null] - Target holon for the hologram, defaults to sourceHolon
-   * @returns {Object} Hologram object structure
+   * @returns {Promise<Object>} Hologram object structure
    */
-  createHologram(sourceHolon, lensName, data, targetHolon = null) {
-    return federation.createHologram(
+  async createHologram(sourceHolon, lensName, data, targetHolon = null) {
+    const target = targetHolon || sourceHolon;
+    // Use createHologramWithCapability which auto-generates capability for self-operations
+    return federation.createHologramWithCapability(
+      this.client,
       sourceHolon,
-      targetHolon || sourceHolon,
+      target,
       lensName,
       data.id,
-      this.config.appName
+      this.config.appName,
+      {
+        sourceAuthorPubKey: this.client.publicKey,
+        targetAuthorPubKey: this.client.publicKey,
+        permissions: ['read'],
+      }
     );
   }
 
@@ -1785,6 +2168,8 @@ class HoloSphereBase extends HoloSphereCore {
     federationData.lensConfig[targetHolon] = {
       inbound: lensConfig.inbound || [],
       outbound: lensConfig.outbound || [],
+      writeInbound: lensConfig.writeInbound || [],
+      writeOutbound: lensConfig.writeOutbound || [],
       timestamp: Date.now()
     };
 
@@ -2385,6 +2770,10 @@ export { capabilities, requestCard, cardStorage, holonRegistry, registry };
 export { matchScope } from './crypto/secp256k1.js';
 export { createHologram } from './federation/hologram.js';
 
+// Re-export lens encryption utilities
+export { LensKeyStore, buildLensPath, parseLensPath } from './crypto/key-store.js';
+export * as lensKeys from './crypto/lens-keys.js';
+
 // Re-export federation card functions
 export {
   createFederationCard,