npm - keri-ts - Versions diffs - 0.8.0 → 0.9.1 - Mend

keri-ts 0.8.0 → 0.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (99) hide show

package/README.md +10 -0
package/esm/cesr/src/primitives/counter.js +64 -9
package/esm/cesr/src/version.js +2 -2
package/esm/keri/src/app/cesr-http.js +4 -3
package/esm/keri/src/app/cli/delegate.js +106 -10
package/esm/keri/src/app/cli/did.js +182 -0
package/esm/keri/src/app/cli/ends.js +40 -0
package/esm/keri/src/app/cli/index.js +2 -0
package/esm/keri/src/app/cli/ipex.js +365 -22
package/esm/keri/src/app/cli/multisig.js +1089 -0
package/esm/keri/src/app/cli/vc.js +259 -2
package/esm/keri/src/app/delegating.js +26 -11
package/esm/keri/src/app/endpoint-roleing.js +140 -0
package/esm/keri/src/app/exchanging.js +14 -15
package/esm/keri/src/app/forwarding.js +90 -36
package/esm/keri/src/app/habbing.js +189 -36
package/esm/keri/src/app/ipex-credentialing.js +41 -23
package/esm/keri/src/app/oobiery.js +13 -2
package/esm/keri/src/app/version.js +2 -2
package/esm/keri/src/app/witnessing.js +82 -49
package/esm/keri/src/core/attachment-countering.js +105 -0
package/esm/keri/src/core/protocol-exchanging.js +13 -11
package/esm/keri/src/core/protocol-serialization.js +102 -76
package/esm/keri/src/db/basing.js +32 -43
package/esm/keri/src/db/reger.js +18 -24
package/esm/keri/src/did/index.js +7 -0
package/esm/keri/src/did/keri/resolving.js +26 -0
package/esm/keri/src/did/webs/artifacts.js +104 -0
package/esm/keri/src/did/webs/designated-aliases-public-schema.js +156 -0
package/esm/keri/src/did/webs/designated-aliases.js +235 -0
package/esm/keri/src/did/webs/dids.js +186 -0
package/esm/keri/src/did/webs/documenting.js +190 -0
package/esm/keri/src/did/webs/resolving.js +115 -0
package/esm/keri/src/runtime/index.js +2 -0
package/esm/keri/src/vdr/credentialing.js +9 -8
package/package.json +2 -2
package/types/cesr/src/primitives/counter.d.ts +8 -0
package/types/cesr/src/primitives/counter.d.ts.map +1 -1
package/types/cesr/src/version.d.ts +2 -2
package/types/keri/src/app/cesr-http.d.ts +2 -1
package/types/keri/src/app/cesr-http.d.ts.map +1 -1
package/types/keri/src/app/cli/delegate.d.ts.map +1 -1
package/types/keri/src/app/cli/did.d.ts +10 -0
package/types/keri/src/app/cli/did.d.ts.map +1 -0
package/types/keri/src/app/cli/ends.d.ts.map +1 -1
package/types/keri/src/app/cli/index.d.ts +2 -0
package/types/keri/src/app/cli/index.d.ts.map +1 -1
package/types/keri/src/app/cli/ipex.d.ts +9 -0
package/types/keri/src/app/cli/ipex.d.ts.map +1 -1
package/types/keri/src/app/cli/multisig.d.ts +12 -0
package/types/keri/src/app/cli/multisig.d.ts.map +1 -0
package/types/keri/src/app/cli/vc.d.ts +9 -0
package/types/keri/src/app/cli/vc.d.ts.map +1 -1
package/types/keri/src/app/delegating.d.ts +1 -0
package/types/keri/src/app/delegating.d.ts.map +1 -1
package/types/keri/src/app/endpoint-roleing.d.ts +46 -0
package/types/keri/src/app/endpoint-roleing.d.ts.map +1 -0
package/types/keri/src/app/exchanging.d.ts.map +1 -1
package/types/keri/src/app/forwarding.d.ts +7 -1
package/types/keri/src/app/forwarding.d.ts.map +1 -1
package/types/keri/src/app/habbing.d.ts +51 -4
package/types/keri/src/app/habbing.d.ts.map +1 -1
package/types/keri/src/app/ipex-credentialing.d.ts +11 -4
package/types/keri/src/app/ipex-credentialing.d.ts.map +1 -1
package/types/keri/src/app/oobiery.d.ts +1 -0
package/types/keri/src/app/oobiery.d.ts.map +1 -1
package/types/keri/src/app/protocol-host-policy.d.ts +8 -0
package/types/keri/src/app/protocol-host-policy.d.ts.map +1 -1
package/types/keri/src/app/version.d.ts +2 -2
package/types/keri/src/app/witnessing.d.ts.map +1 -1
package/types/keri/src/core/attachment-countering.d.ts +39 -0
package/types/keri/src/core/attachment-countering.d.ts.map +1 -0
package/types/keri/src/core/protocol-exchanging.d.ts +2 -1
package/types/keri/src/core/protocol-exchanging.d.ts.map +1 -1
package/types/keri/src/core/protocol-serialization.d.ts +38 -4
package/types/keri/src/core/protocol-serialization.d.ts.map +1 -1
package/types/keri/src/db/basing.d.ts.map +1 -1
package/types/keri/src/db/reger.d.ts +2 -2
package/types/keri/src/db/reger.d.ts.map +1 -1
package/types/keri/src/did/index.d.ts +8 -0
package/types/keri/src/did/index.d.ts.map +1 -0
package/types/keri/src/did/keri/resolving.d.ts +19 -0
package/types/keri/src/did/keri/resolving.d.ts.map +1 -0
package/types/keri/src/did/webs/artifacts.d.ts +19 -0
package/types/keri/src/did/webs/artifacts.d.ts.map +1 -0
package/types/keri/src/did/webs/designated-aliases-public-schema.d.ts +147 -0
package/types/keri/src/did/webs/designated-aliases-public-schema.d.ts.map +1 -0
package/types/keri/src/did/webs/designated-aliases.d.ts +46 -0
package/types/keri/src/did/webs/designated-aliases.d.ts.map +1 -0
package/types/keri/src/did/webs/dids.d.ts +65 -0
package/types/keri/src/did/webs/dids.d.ts.map +1 -0
package/types/keri/src/did/webs/documenting.d.ts +29 -0
package/types/keri/src/did/webs/documenting.d.ts.map +1 -0
package/types/keri/src/did/webs/resolving.d.ts +22 -0
package/types/keri/src/did/webs/resolving.d.ts.map +1 -0
package/types/keri/src/runtime/index.d.ts +2 -0
package/types/keri/src/runtime/index.d.ts.map +1 -1
package/types/keri/src/vdr/credentialing.d.ts +1 -1
package/types/keri/src/vdr/credentialing.d.ts.map +1 -1

package/README.md CHANGED Viewed

@@ -18,6 +18,16 @@ npm install keri-ts
 Only those three entrypoints are supported public surfaces. Runnable CLI/server
 ownership lives in the separate `tufa` package.
+## Maintainer Docs
+- `docs/ARCHITECTURE_MAP.md`: package and module ownership map
+- `docs/design-docs/keri/ACDC_TEL_IPEX_VERIFIER_MAINTAINER_GUIDE.md`:
+  credential stack ownership and failure modes
+- `docs/design-docs/keri/DELEGATION_MULTISIG_ENDPOINT_ROLES_MAINTAINER_GUIDE.md`:
+  delegation, group coordination, and endpoint-role mental model
+- `docs/design-docs/keri/ATTACHMENT_COUNTER_GVRSN_MAINTAINER_GUIDE.md`:
+  attachment counter versioning and replay boundaries
 ## License
 Licensed under the Apache License, Version 2.0 (`Apache-2.0`). See the top-level

package/esm/cesr/src/primitives/counter.js CHANGED Viewed

@@ -1,5 +1,6 @@
-import { b, b64ToInt, codeB2ToB64, codeB64ToB2, intToB64, nabSextets, sceil } from "../core/bytes.js";
+import { b, b64ToInt, codeB2ToB64, codeB64ToB2, concatBytes, intToB64, nabSextets, sceil } from "../core/bytes.js";
 import { DeserializeError, ShortageError, UnknownCodeError } from "../core/errors.js";
+import { CtrDexV2 } from "../tables/counter-codex.js";
 import { resolveCounterCodeNameTable, resolveCounterSizeTable } from "../tables/counter-version-registry.js";
 import { COUNTER_HARDS } from "../tables/counter.tables.generated.js";
 const COUNTER_BARDS = new Map([...COUNTER_HARDS.entries()].map(([code, hs]) => [
@@ -126,6 +127,38 @@ function encodeCounterFromFields(code, count, version) {
         version,
     };
 }
+function semanticNameForCode(code, version) {
+    const nameTable = resolveCounterCodeNameTable(version);
+    return nameTable[code] ?? null;
+}
+function codeForSemanticName(name, version) {
+    const nameTable = resolveCounterCodeNameTable(version);
+    for (const [code, candidate] of Object.entries(nameTable)) {
+        if (candidate === name) {
+            return code;
+        }
+    }
+    return null;
+}
+function promoteCounterCodeForCount(code, count, version) {
+    const sizeTable = resolveCounterSizeTable(version);
+    const sizage = sizeTable.get(code);
+    if (!sizage) {
+        throw new UnknownCodeError(`Unsupported counter code for version: ${code}`);
+    }
+    if (count <= (64 ** sizage.ss) - 1) {
+        return code;
+    }
+    const name = semanticNameForCode(code, version);
+    if (!name || name.startsWith("Big")) {
+        throw new DeserializeError(`Invalid count=${count} for code=${code}`);
+    }
+    const bigCode = codeForSemanticName(`Big${name}`, version);
+    if (!bigCode) {
+        throw new DeserializeError(`Counter code=${code} has no Big${name} form.`);
+    }
+    return bigCode;
+}
 /** Normalize the supported constructor variants into one shared counter payload. */
 function parseCounterInit(init) {
     const version = init.version ?? { major: 2, minor: 0 };
@@ -152,6 +185,34 @@ function parseCounterInit(init) {
  * payload groups and carry versioned code-name semantics.
  */
 export class Counter {
+    static makeGVC(version) {
+        return new Counter({
+            code: CtrDexV2.KERIACDCGenusVersion,
+            countB64: `${intToB64(version.major, 1)}${intToB64(version.minor, 2)}`,
+            version,
+        }).qb64b;
+    }
+    static enclose({ qb64 = undefined, qb2 = undefined, code = "AttachmentGroup", version = { major: 2, minor: 0 }, } = {}) {
+        const actualQb64 = typeof qb64 === "string" ? b(qb64) : qb64;
+        if (actualQb64 !== undefined && actualQb64 !== null) {
+            if (actualQb64.length % 4 !== 0) {
+                throw new DeserializeError(`Bad enclosed qb64 length=${actualQb64.length}`);
+            }
+            const count = actualQb64.length / 4;
+            const counterCode = promoteCounterCodeForCount(codeForSemanticName(code, version) ?? code, count, version);
+            return concatBytes(new Counter({ code: counterCode, count, version }).qb64b, actualQb64);
+        }
+        if (qb2 !== undefined && qb2 !== null) {
+            if (qb2.length % 3 !== 0) {
+                throw new DeserializeError(`Bad enclosed qb2 length=${qb2.length}`);
+            }
+            const count = qb2.length / 3;
+            const counterCode = promoteCounterCodeForCount(codeForSemanticName(code, version) ?? code, count, version);
+            return concatBytes(new Counter({ code: counterCode, count, version }).qb2, qb2);
+        }
+        const counterCode = promoteCounterCodeForCount(codeForSemanticName(code, version) ?? code, 0, version);
+        return new Counter({ code: counterCode, count: 0, version }).qb64b;
+    }
     constructor(init) {
         Object.defineProperty(this, "_code", {
             enumerable: true,
@@ -195,11 +256,7 @@ export class Counter {
             writable: true,
             value: void 0
         });
-        const data = init instanceof Counter
-            ? init.toCounterData()
-            : isCounterData(init)
-                ? init
-                : parseCounterInit(init);
+        const data = init instanceof Counter ? init.toCounterData() : isCounterData(init) ? init : parseCounterInit(init);
         this._code = data.code;
         this._count = data.count;
         this._fullSize = data.fullSize;
@@ -287,7 +344,5 @@ export function parseCounterFromBinary(input, version) {
 }
 /** Parse counter using domain hint (`txt` or `bny`) and versioned codex tables. */
 export function parseCounter(input, version, cold) {
-    return cold === "bny"
-        ? parseCounterFromBinary(input, version)
-        : parseCounterFromText(input, version);
+    return cold === "bny" ? parseCounterFromBinary(input, version) : parseCounterFromText(input, version);
 }

package/esm/cesr/src/version.js CHANGED Viewed

@@ -6,9 +6,9 @@
  * `src/version.ts` files by hand; edit this template instead.
  */
 /** Package semantic version copied from the owning package manifest. */
-export const PACKAGE_VERSION = "0.8.0";
+export const PACKAGE_VERSION = "0.9.0";
 /** Optional build metadata stamp injected by release/CI workflows. */
-export const BUILD_METADATA = "build.13.5884299463b061ec0fe2847a35a28b4189dee3f8";
+export const BUILD_METADATA = "build.15.488d4554e9b5462734e921e29385b9655b3c1e44";
 /** User-facing version string with build metadata appended when present. */
 export const DISPLAY_VERSION = BUILD_METADATA
     ? `${PACKAGE_VERSION}+${BUILD_METADATA}`

package/esm/keri/src/app/cesr-http.js CHANGED Viewed

@@ -62,10 +62,10 @@ export function cesrBodyModeFromGlobal(value) {
  * Body mode:
  * - the full payload is sent in the HTTP body
  */
-export function buildCesrRequest(message, { bodyMode = DEFAULT_CESR_BODY_MODE, destination, } = {}) {
+export function buildCesrRequest(message, { bodyMode = DEFAULT_CESR_BODY_MODE, contentType = CESR_CONTENT_TYPE, destination, } = {}) {
     const mode = normalizeCesrBodyMode(bodyMode);
     const headers = {
-        "Content-Type": CESR_CONTENT_TYPE,
+        "Content-Type": contentType,
     };
     if (destination) {
         headers[CESR_DESTINATION_HEADER] = destination;
@@ -76,7 +76,8 @@ export function buildCesrRequest(message, { bodyMode = DEFAULT_CESR_BODY_MODE, d
             body: arrayBufferFromBytes(message),
         };
     }
-    const serder = new SerderKERI({ raw: message });
+    const { smellage } = smell(message);
+    const serder = parseSerder(message.slice(0, smellage.size), smellage);
     headers[CESR_ATTACHMENT_HEADER] = textDecoder.decode(message.slice(serder.size));
     return {
         headers,

package/esm/keri/src/app/cli/delegate.js CHANGED Viewed

@@ -17,6 +17,7 @@ import { ValidationError } from "../../core/errors.js";
 import { dgKey } from "../../db/core/keys.js";
 import { makeNowIso8601 } from "../../time/mod.js";
 import { createAgentRuntime, processRuntimeTurn, processRuntimeUntil, } from "../agent-runtime.js";
+import { MULTISIG_IXN_ROUTE } from "../grouping.js";
 import { queryTransportSink } from "../query-transport.js";
 import { WitnessReceiptor } from "../witnessing.js";
 import { setupHby } from "./common/existing.js";
@@ -86,6 +87,9 @@ function anchorData(serder) {
     }
     return { i: serder.pre, s: serder.snh, d: serder.said };
 }
+function approvingEvent(hby, serder, delegator) {
+    return hby.db.fetchLastSealingEventByEventSeal(delegator.pre, anchorData(serder));
+}
 /** Resolve delegate witnesses for either delegated inception or rotation. */
 function delegateWitnesses(hby, serder) {
     if ((serder.sn ?? 0) === 0) {
@@ -123,6 +127,57 @@ function delegateWitnessLogsQuery(hab, serder, witness) {
         msgs: [hab.query(serder.pre, witness, query, "logs")],
     };
 }
+function isGroupHab(hby, hab) {
+    return !!hab.pre && !!hby.db.getHab(hab.pre)?.mid;
+}
+function groupSigningMembers(hby, groupPre) {
+    const stored = hby.ks.getSmids(groupPre).map((tuple) => tuple[0].qb64);
+    if (stored.length > 0) {
+        return stored;
+    }
+    return hby.db.getHab(groupPre)?.smids ?? [];
+}
+function localGroupMember(hby, groupPre) {
+    const record = hby.db.getHab(groupPre);
+    const member = record?.mid ? hby.habs.get(record.mid) : null;
+    if (!member) {
+        throw new ValidationError(`Group ${groupPre} is missing local member metadata.`);
+    }
+    return member;
+}
+function* publishGroupDelegationApproval(runtime, hby, groupHab, message) {
+    const member = localGroupMember(hby, groupHab.pre);
+    const smids = groupSigningMembers(hby, groupHab.pre);
+    const deliveries = [];
+    for (const recipient of smids) {
+        if (recipient === member.pre || hby.habs.has(recipient)) {
+            continue;
+        }
+        const result = yield* runtime.poster.sendExchange(member, {
+            recipient,
+            route: MULTISIG_IXN_ROUTE,
+            payload: { gid: groupHab.pre, smids },
+            embeds: { ixn: message },
+            topic: "multisig",
+        });
+        deliveries.push(...result.deliveries, ...result.queued);
+    }
+    return deliveries;
+}
+function eventAccepted(hby, serder) {
+    return !!serder.pre && serder.said !== undefined
+        && hby.db.kels.getLast(serder.pre, serder.sn ?? 0) === serder.said;
+}
+function pinApprovalSeal(hby, hab, delegated, approving) {
+    if (!approving.sner || !approving.said || !delegated.pre || !delegated.said) {
+        throw new ValidationError("Approving event material is incomplete.");
+    }
+    hby.db.aess.pin(dgKey(delegated.pre, delegated.said), [
+        approving.sner,
+        new Diger({ qb64: approving.said }),
+    ]);
+    hab.kvy.processEscrowDelegables();
+}
 /** Route query cues through query transport and other cues through Respondant. */
 function delegateConfirmSink(runtime, hby, hab) {
     const querySink = queryTransportSink(runtime, hby, hab);
@@ -188,6 +243,54 @@ export function* delegateConfirmCommand(args) {
                 const selected = confirmArgs.auto ? pending : [pending[0]];
                 for (const serder of selected) {
                     const anchor = anchorData(serder);
+                    if (isGroupHab(hby, hab)) {
+                        if (!interactionApproval) {
+                            throw new ValidationError("Multisig delegated approval currently requires --interact.");
+                        }
+                        const approving = approvingEvent(hby, serder, hab);
+                        if (!approving) {
+                            const created = hby.interactGroupHab(confirmArgs.alias, undefined, { data: [anchor] });
+                            const deliveries = yield* publishGroupDelegationApproval(runtime, hby, created.hab, created.message);
+                            console.log(JSON.stringify({
+                                status: eventAccepted(hby, created.serder) ? "accepted" : "multisig-pending",
+                                route: MULTISIG_IXN_ROUTE,
+                                group: created.hab.pre,
+                                delegated: serder.pre,
+                                said: serder.said,
+                                anchor: created.serder.said,
+                                deliveries,
+                            }));
+                            continue;
+                        }
+                        const witnesses = delegateWitnesses(hby, serder).sort();
+                        const selectedWitness = witnesses[0];
+                        const member = localGroupMember(hby, hab.pre);
+                        const memberSink = delegateConfirmSink(runtime, hby, member);
+                        pinApprovalSeal(hby, hab, serder, approving);
+                        yield* processRuntimeTurn(runtime, {
+                            hab: member,
+                            pollMailbox: true,
+                            sink: memberSink,
+                        });
+                        if (!delegateCommitted(hby, serder) && selectedWitness) {
+                            yield* memberSink.send(delegateWitnessLogsQuery(member, serder, selectedWitness));
+                            yield* processRuntimeUntil(runtime, () => delegateCommitted(hby, serder), { hab: member, maxTurns: 128, pollMailbox: true, sink: memberSink });
+                        }
+                        pinApprovalSeal(hby, hab, serder, approving);
+                        yield* processRuntimeTurn(runtime, {
+                            hab: member,
+                            pollMailbox: true,
+                            sink: memberSink,
+                        });
+                        if (serder.pre && serder.said) {
+                            const stillPending = hby.db.delegables.get([serder.pre]).includes(serder.said);
+                            if (stillPending) {
+                                throw new ValidationError(`Delegated event ${serder.said} remained in delegables escrow after approval.`);
+                            }
+                        }
+                        console.log(`Approved delegated ${serder.ilk} ${serder.said ?? ""} for ${serder.pre ?? ""} using multisig ixn.`);
+                        continue;
+                    }
                     // KERIpy permits either interaction or rotation approval. Keep this
                     // explicit because the chosen approving event type affects later
                     // replay, but the embedded anchor seal is the same.
@@ -205,16 +308,9 @@ export function* delegateConfirmCommand(args) {
                         });
                     }
                     const approving = hby.db.getEvtSerder(hab.pre, hab.kever.said);
-                    if (!approving?.sner || !approving.said || !serder.pre || !serder.said) {
+                    if (!approving) {
                         throw new ValidationError("Approving event material is incomplete.");
                     }
-                    const pinApprovalSeal = () => {
-                        hby.db.aess.pin(dgKey(serder.pre, serder.said), [
-                            approving.sner,
-                            new Diger({ qb64: approving.said }),
-                        ]);
-                        hab.kvy.processEscrowDelegables();
-                    };
                     const witnesses = delegateWitnesses(hby, serder).sort();
                     const selectedWitness = witnesses[0];
                     if (selectedWitness) {
@@ -229,7 +325,7 @@ export function* delegateConfirmCommand(args) {
                         // No delegate witness exists to query. Process the local delegable
                         // after the delegator has anchored approval; the delegate still
                         // discovers approval through its own delegator-KEL query path.
-                        pinApprovalSeal();
+                        pinApprovalSeal(hby, hab, serder, approving);
                         yield* processRuntimeUntil(runtime, () => querier.done, { hab, maxTurns: 128, pollMailbox: true, sink });
                     }
                     yield* processRuntimeTurn(runtime, { hab, pollMailbox: true, sink });
@@ -237,7 +333,7 @@ export function* delegateConfirmCommand(args) {
                     // delegated unescrow after the delegate event has been observed as
                     // locally committed through the witness-backed query/replay path.
                     if (selectedWitness) {
-                        pinApprovalSeal();
+                        pinApprovalSeal(hby, hab, serder, approving);
                     }
                     if (serder.pre && serder.said) {
                         const stillPending = hby.db.delegables.get([serder.pre]).includes(serder.said);

package/esm/keri/src/app/cli/did.js ADDED Viewed

@@ -0,0 +1,182 @@
+/**
+ * DID-related CLI operations shared by the Tufa command dispatcher.
+ */
+import * as dntShim from "../../../../_dnt.shims.js";
+import { ValidationError } from "../../core/errors.js";
+import { Reger } from "../../db/reger.js";
+import { bindDesignatedAliases, DEFAULT_DESIGNATED_ALIASES_REGISTRY_NAME, generateDidWebsArtifacts, parseDidWebs, resolveDidKeri, resolveDidWebs, } from "../../did/index.js";
+import { createAgentRuntime } from "../agent-runtime.js";
+import { WitnessReceiptor } from "../witnessing.js";
+import { setupHby } from "./common/existing.js";
+/** Implement `tufa dws bind`. */
+export function* dwsBindCommand(args) {
+    const commandArgs = {
+        ...baseArgs(args),
+        alias: args.alias,
+        dids: asStringList(args.did),
+        registryName: args.registryName,
+        createRegistry: args.createRegistry,
+        allowExternalDid: args.allowExternalDid,
+    };
+    requireNonEmpty(commandArgs.alias, "Alias");
+    const { hby, runtime } = yield* openRuntime(commandArgs);
+    try {
+        const hab = hby.habByName(commandArgs.alias);
+        const priorSn = hab?.kever?.sn ?? 0;
+        const result = bindDesignatedAliases(runtime, {
+            alias: commandArgs.alias,
+            dids: commandArgs.dids,
+            registryName: commandArgs.registryName ?? DEFAULT_DESIGNATED_ALIASES_REGISTRY_NAME,
+            createRegistry: commandArgs.createRegistry ?? true,
+            allowExternalDid: commandArgs.allowExternalDid ?? false,
+        });
+        if (hab?.pre) {
+            yield* receiptNewWitnessEvents(hby, hab.pre, priorSn);
+        }
+        console.log(JSON.stringify(result));
+    }
+    finally {
+        yield* closeRuntime(hby, runtime);
+    }
+}
+/** Implement `tufa dws generate`. */
+export function* dwsGenerateCommand(args) {
+    const commandArgs = {
+        ...baseArgs(args),
+        alias: args.alias,
+        did: args.did,
+        outputDir: args.outputDir,
+        meta: args.meta,
+    };
+    requireNonEmpty(commandArgs.alias, "Alias");
+    requireNonEmpty(commandArgs.did, "DID");
+    requireNonEmpty(commandArgs.outputDir, "Output directory");
+    const { hby, runtime } = yield* openRuntime(commandArgs);
+    try {
+        const artifacts = generateDidWebsArtifacts(runtime, {
+            alias: commandArgs.alias,
+            did: commandArgs.did,
+            metadata: commandArgs.meta ?? false,
+        });
+        const parsed = parseDidWebs(commandArgs.did);
+        const dir = artifactOutputDir(commandArgs.outputDir, parsed.path, artifacts.aid);
+        dntShim.Deno.mkdirSync(dir, { recursive: true });
+        dntShim.Deno.writeFileSync(`${dir}/did.json`, artifacts.didJson);
+        dntShim.Deno.writeFileSync(`${dir}/keri.cesr`, artifacts.keriCesr);
+        console.log(JSON.stringify({
+            aid: artifacts.aid,
+            did: commandArgs.did,
+            didJson: `${dir}/did.json`,
+            keriCesr: `${dir}/keri.cesr`,
+        }));
+    }
+    finally {
+        yield* closeRuntime(hby, runtime);
+    }
+}
+/** Implement `tufa dws resolve`. */
+export function* dwsResolveCommand(args) {
+    const commandArgs = {
+        ...baseArgs(args),
+        did: args.did,
+        meta: args.meta,
+        insecureHttp: args.insecureHttp,
+    };
+    requireNonEmpty(commandArgs.did, "DID");
+    const { hby, runtime } = yield* openRuntime(commandArgs);
+    try {
+        const result = yield* resolveDidWebs(runtime, {
+            did: commandArgs.did,
+            metadata: commandArgs.meta ?? false,
+            insecureHttp: commandArgs.insecureHttp ?? false,
+        });
+        console.log(JSON.stringify(commandArgs.meta ? result.resolution : result.document, null, 2));
+    }
+    finally {
+        yield* closeRuntime(hby, runtime);
+    }
+}
+/** Implement `tufa dkr resolve`. */
+export function* dkrResolveCommand(args) {
+    const commandArgs = {
+        ...baseArgs(args),
+        did: args.did,
+        oobis: asStringList(args.oobi),
+        meta: args.meta,
+    };
+    requireNonEmpty(commandArgs.did, "DID");
+    const { hby, runtime } = yield* openRuntime(commandArgs);
+    try {
+        const result = yield* resolveDidKeri(runtime, {
+            did: commandArgs.did,
+            oobis: commandArgs.oobis,
+            metadata: commandArgs.meta ?? false,
+        });
+        console.log(JSON.stringify(commandArgs.meta ? result.resolution : result.document, null, 2));
+    }
+    finally {
+        yield* closeRuntime(hby, runtime);
+    }
+}
+function baseArgs(args) {
+    return {
+        name: args.name,
+        base: args.base,
+        headDirPath: args.headDirPath,
+        passcode: args.passcode,
+        compat: args.compat,
+    };
+}
+function* openRuntime(args) {
+    requireNonEmpty(args.name, "Name");
+    const hby = yield* setupHby(args.name, args.base ?? "", args.passcode, false, args.headDirPath, {
+        compat: args.compat ?? false,
+        skipConfig: true,
+    });
+    const runtime = yield* createAgentRuntime(hby, { mode: "local" });
+    const reger = runtime.vdr.reger;
+    if (!(reger instanceof Reger)) {
+        throw new ValidationError("VDR runtime did not open Reger.");
+    }
+    return { hby, runtime, reger };
+}
+function* closeRuntime(hby, runtime) {
+    yield* runtime.close();
+    yield* hby.close();
+}
+function requireNonEmpty(value, label) {
+    if (!value || value.trim().length === 0) {
+        throw new ValidationError(`${label} is required.`);
+    }
+}
+function* receiptNewWitnessEvents(hby, pre, priorSn) {
+    const hab = hby.habs.get(pre);
+    const latestSn = hab?.kever?.sn;
+    if (!hab?.kever || latestSn === undefined || latestSn <= priorSn || hab.kever.wits.length === 0) {
+        return;
+    }
+    const receiptor = new WitnessReceiptor(hby);
+    for (let sn = priorSn + 1; sn <= latestSn; sn += 1) {
+        yield* receiptor.submit(pre, { sn });
+    }
+}
+function asStringList(value) {
+    if (Array.isArray(value)) {
+        return value.filter((item) => typeof item === "string");
+    }
+    return typeof value === "string" ? [value] : [];
+}
+function artifactOutputDir(root, didPath, aid) {
+    const normalizedRoot = root.replace(/\/+$/u, "");
+    return [
+        normalizedRoot,
+        ...didPath.map(safePathSegment),
+        safePathSegment(aid),
+    ].filter((part) => part.length > 0).join("/");
+}
+function safePathSegment(segment) {
+    if (segment.includes("/") || segment === ".." || segment.includes("\0")) {
+        throw new ValidationError(`Unsafe DID path segment ${segment}.`);
+    }
+    return segment;
+}

package/esm/keri/src/app/cli/ends.js CHANGED Viewed

@@ -1,6 +1,7 @@
 import { ValidationError } from "../../core/errors.js";
 import { isEndpointRole } from "../../core/roles.js";
 import { createAgentRuntime, ingestKeriBytes, processRuntimeTurn } from "../agent-runtime.js";
+import { endpointRoleAccepted, isLocalGroupHab, proposeGroupEndpointRole, } from "../endpoint-roleing.js";
 import { setupHby } from "./common/existing.js";
 /**
  * Implement `tufa ends add` on top of the shared local runtime.
@@ -23,6 +24,7 @@ export function* endsAddCommand(args) {
         alias: args.alias,
         role: args.role,
         eid: args.eid,
+        multisigMode: parseMultisigMode(args.multisigMode),
         compat: args.compat,
     };
     if (!commandArgs.name) {
@@ -49,6 +51,35 @@ export function* endsAddCommand(args) {
             throw new ValidationError(`No local AID found for alias ${commandArgs.alias}`);
         }
         const runtime = yield* createAgentRuntime(hby, { mode: "local" });
+        if (isLocalGroupHab(hby, hab)) {
+            if (!commandArgs.multisigMode) {
+                throw new ValidationError("Group endpoint role authorization requires --multisig-mode propose or --multisig-mode complete.");
+            }
+            if (commandArgs.multisigMode === "propose") {
+                const result = yield* proposeGroupEndpointRole(runtime, hab, {
+                    eid: commandArgs.eid,
+                    role: commandArgs.role,
+                    allow: true,
+                });
+                console.log(JSON.stringify({
+                    route: result.route,
+                    said: result.said,
+                    group: result.group,
+                    accepted: result.accepted,
+                    deliveries: result.deliveries,
+                    attachmentBytes: result.attachmentBytes,
+                }));
+                return;
+            }
+            if (!endpointRoleAccepted(hby, hab.pre, commandArgs.role, commandArgs.eid)) {
+                throw new ValidationError(`Endpoint role ${commandArgs.role} for ${commandArgs.eid} is not yet approved for group ${hab.pre}.`);
+            }
+            console.log(`${commandArgs.role} ${commandArgs.eid}`);
+            return;
+        }
+        if (commandArgs.multisigMode) {
+            throw new ValidationError("--multisig-mode is only valid for local group aliases.");
+        }
         ingestKeriBytes(runtime, hab.makeEndRole(commandArgs.eid, commandArgs.role, true));
         yield* processRuntimeTurn(runtime, { hab, pollMailbox: false });
         const end = hby.db.ends.get([hab.pre, commandArgs.role, commandArgs.eid]);
@@ -61,3 +92,12 @@ export function* endsAddCommand(args) {
         yield* hby.close();
     }
 }
+function parseMultisigMode(value) {
+    if (value === undefined) {
+        return undefined;
+    }
+    if (value === "propose" || value === "complete") {
+        return value;
+    }
+    throw new ValidationError("--multisig-mode must be propose or complete.");
+}

package/esm/keri/src/app/cli/index.js CHANGED Viewed

@@ -10,6 +10,7 @@ export { benchmarkCommand } from "./benchmark.js";
 export { challengeGenerateCommand, challengeRespondCommand, challengeVerifyCommand } from "./challenge.js";
 export { dumpEvts } from "./db-dump.js";
 export { delegateConfirmCommand } from "./delegate.js";
+export { dkrResolveCommand, dwsBindCommand, dwsGenerateCommand, dwsResolveCommand } from "./did.js";
 export { endsAddCommand } from "./ends.js";
 export { exchangeSendCommand } from "./exchange.js";
 export { exportCommand } from "./export.js";
@@ -19,6 +20,7 @@ export { interactCommand } from "./interact.js";
 export { ipexAdmitCommand, ipexAgreeCommand, ipexApplyCommand, ipexGrantCommand, ipexJoinCommand, ipexListCommand, ipexOfferCommand, ipexPollCommand, ipexSpurnCommand, } from "./ipex.js";
 export { listCommand } from "./list.js";
 export { locAddCommand } from "./loc.js";
+export { multisigInceptCommand, multisigInteractCommand, multisigJoinCommand, multisigRotateCommand, multisigRpyCommand, } from "./multisig.js";
 export { notificationsListCommand, notificationsMarkReadCommand, notificationsRemoveCommand } from "./notifications.js";
 export { oobiGenerateCommand, oobiRequestCommand, oobiResolveCommand } from "./oobi.js";
 export { queryCommand } from "./query.js";