@cero-base/core 0.8.9 → 1.0.1

package/src/database/dispatch.js

@@ -1,5 +1,16 @@
-import { SINGLE, COLLECTION, ACTION, COUNTERS } from '../lib/constants.js'
-import { toId, toKey } from '../lib/utils.js'
+import b4a from 'b4a'
+
+import {
+  SINGLE,
+  COLLECTION,
+  ACTION,
+  COUNTERS,
+  INVITE,
+  REMOVE,
+  ASSIGN,
+  WRITE
+} from '../lib/constants.js'
+import { toId, toKey, can, grants, outranks } from '../lib/utils.js'
 import { Identity } from '../identity/index.js'
 
 // Built-in collections wired into every cero spec.
@@ -7,15 +18,43 @@ export const BUILTINS = [
   { name: 'members', verb: 'member' },
   { name: 'devices', verb: 'device' },
   { name: 'invites', verb: 'invite' },
-  { name: 'handles', verb: 'handle' }
+  { name: 'handles', verb: 'handle' },
+  { name: 'files', verb: 'file' }
 ]
 
+/**
+ * Build the hyperdispatch router for a spec: wires membership, builtin, and
+ * spec-defined collection/action ops, returning the router plus an apply loop.
+ *
+ * @param {{ dispatch: { Router: Function }, meta?: { refs?: Record<string, { kind?: string, builtin?: boolean, verb?: string }> } }} spec  Generated hyperdispatch spec.
+ * @param {string} ns  Namespace prefix for collection and op names.
+ * @param {Record<string, Function>} routes  Custom action handlers keyed by route name.
+ * @returns {{ dispatcher: object, apply: (nodes: Array<{ value: Buffer, key: Buffer }>, view: object, host: object) => Promise<void> }}
+ */
 export function makeDispatcher(spec, ns, routes) {
   const dispatcher = new spec.dispatch.Router()
 
   const countersCol = `@${ns}/${COUNTERS}`
-  const member = (view, id) => view.get(`@${ns}/members`, { id })
-  const device = (view, id) => view.get(`@${ns}/devices`, { id })
+  const getMember = (view, id) => view.get(`@${ns}/members`, { id })
+  const getDevice = (view, id) => view.get(`@${ns}/devices`, { id })
+
+  const getRole = async (view, identityKey) =>
+    identityKey ? ((await getMember(view, toId(identityKey)))?.role ?? null) : null
+
+  const getSignerRole = async (view, writerKey) => {
+    if (!writerKey) return null
+    const d = await getDevice(view, toId(writerKey))
+    return d?.memberId ? ((await getMember(view, d.memberId))?.role ?? null) : null
+  }
+  const isGenesis = async (view) => !(await view.findOne(`@${ns}/members`, {}))
+  const getSignerMember = async (view, key) =>
+    (key ? (await getDevice(view, toId(key)))?.memberId : null) ?? null
+  const canRemoveMember = async (view, signerKey, targetMemberId) => {
+    const r = await getSignerRole(view, signerKey)
+    if (!can(r, REMOVE)) return false
+    const tRole = targetMemberId ? (await getMember(view, targetMemberId))?.role : null
+    return !tRole || outranks(r, tRole)
+  }
 
   async function insert(view, name, col, op) {
     if (name !== COUNTERS) {
@@ -32,7 +71,7 @@ export function makeDispatcher(spec, ns, routes) {
   }
 
   const upsert = (name, col, kind) => async (op, ctx) => {
-    const d = ctx.key && (await device(ctx.view, toId(ctx.key)))
+    const d = ctx.key && (await getDevice(ctx.view, toId(ctx.key)))
     op.memberId = d?.memberId || null
     if (kind === COLLECTION) await insert(ctx.view, name, col, op)
     else await ctx.view.insert(col, op)
@@ -46,7 +85,8 @@ export function makeDispatcher(spec, ns, routes) {
   const add = (verb, fn) => dispatcher.add(`@${ns}/${verb}`, fn)
 
   add('add-writer', async (op, ctx) => {
-    if (!Identity.verify(op.master, op.writer, op.sig)) return
+    if (!Identity.verify(op.master, b4a.concat([op.writer, ctx.key]), op.sig)) return
+    if (!(await isGenesis(ctx.view)) && !can(await getRole(ctx.view, op.master), INVITE)) return
     await ctx.host.addWriter(op.writer, { isIndexer: op.isIndexer !== false })
     const ts = Date.now()
     await insert(ctx.view, 'devices', `@${ns}/devices`, {
@@ -58,15 +98,19 @@ export function makeDispatcher(spec, ns, routes) {
   })
 
   add('del-writer', async (op, ctx) => {
-    if (!Identity.verify(op.master, op.writer, op.sig)) return
+    const target = await getDevice(ctx.view, toId(op.writer))
+    if (target?.memberId !== (await getSignerMember(ctx.view, ctx.key))) {
+      if (!(await canRemoveMember(ctx.view, ctx.key, target?.memberId))) return
+    }
     await ctx.host.removeWriter(op.writer)
     await ctx.view.delete(`@${ns}/devices`, { id: toId(op.writer) })
   })
 
   add('claim-writer', async (op, ctx) => {
     if (!Identity.verify(op.identity, op.writer, op.sig)) return
+    if (!b4a.equals(ctx.key, op.writer)) return
     const memberId = toId(op.identity)
-    if (!(await member(ctx.view, memberId))) return
+    if (!can(await getRole(ctx.view, op.identity), WRITE)) return
     await ctx.host.addWriter(op.writer, { isIndexer: true })
     const ts = Date.now()
     await insert(ctx.view, 'devices', `@${ns}/devices`, {
@@ -78,9 +122,13 @@ export function makeDispatcher(spec, ns, routes) {
   })
 
   add('add-member', async (op, ctx) => {
+    if (!(await isGenesis(ctx.view))) {
+      const r = await getSignerRole(ctx.view, ctx.key)
+      if (!can(r, INVITE) || !grants(r, op.role)) return
+    }
     await insert(ctx.view, 'members', `@${ns}/members`, op)
     const deviceId = toId(op.key)
-    const existingDevice = await device(ctx.view, deviceId)
+    const existingDevice = await getDevice(ctx.view, deviceId)
     const ts = Date.now()
     await insert(ctx.view, 'devices', `@${ns}/devices`, {
       id: deviceId,
@@ -93,21 +141,35 @@ export function makeDispatcher(spec, ns, routes) {
   })
 
   add('set-member', async (op, ctx) => {
-    const existing = await member(ctx.view, op.id)
+    const existing = await getMember(ctx.view, op.id)
     if (!existing) return
-    await insert(ctx.view, 'members', `@${ns}/members`, { ...existing, ...op })
+    const next = { ...existing, ...op }
+    if (next.role !== existing.role) {
+      const r = await getSignerRole(ctx.view, ctx.key)
+      if (!can(r, ASSIGN) || !grants(r, next.role) || !outranks(r, existing.role)) {
+        next.role = existing.role
+      }
+    }
+    await insert(ctx.view, 'members', `@${ns}/members`, next)
   })
 
   add('del-member', async (op, ctx) => {
-    const existing = await member(ctx.view, op.id)
+    const existing = await getMember(ctx.view, op.id)
     if (!existing) return
+    if (op.id !== (await getSignerMember(ctx.view, ctx.key))) {
+      const r = await getSignerRole(ctx.view, ctx.key)
+      if (!can(r, REMOVE) || !outranks(r, existing.role)) return
+    }
     if (existing.key) await ctx.host.removeWriter(existing.key)
     await ctx.view.delete(`@${ns}/members`, op)
   })
 
   add('del-device', async (op, ctx) => {
-    const existing = await device(ctx.view, op.id)
+    const existing = await getDevice(ctx.view, op.id)
     if (!existing) return
+    if (existing.memberId !== (await getSignerMember(ctx.view, ctx.key))) {
+      if (!(await canRemoveMember(ctx.view, ctx.key, existing.memberId))) return
+    }
     await ctx.host.removeWriter(toKey(existing.id))
     await ctx.view.delete(`@${ns}/devices`, op)
   })
@@ -120,7 +182,7 @@ export function makeDispatcher(spec, ns, routes) {
         await insert(ctx.view, b.name, col, { ...op, memberId: op.memberId ?? null })
       })
       add(`set-${b.verb}`, async (op, ctx) => {
-        const existing = await device(ctx.view, op.id)
+        const existing = await getDevice(ctx.view, op.id)
         const ts = Date.now()
         await insert(ctx.view, b.name, col, {
           ...op,
@@ -131,7 +193,15 @@ export function makeDispatcher(spec, ns, routes) {
       })
       continue
     }
-    add(`add-${b.verb}`, upsert(b.name, col, COLLECTION))
+    if (b.verb === 'file') {
+      add('add-file', async (op, ctx) => {
+        if (!can(await getSignerRole(ctx.view, ctx.key), WRITE)) return
+        const memberId = await getSignerMember(ctx.view, ctx.key)
+        await insert(ctx.view, b.name, col, { id: op.id, name: op.name ?? null, memberId })
+      })
+    } else {
+      add(`add-${b.verb}`, upsert(b.name, col, COLLECTION))
+    }
     add(`set-${b.verb}`, update(b.name, col))
     add(`del-${b.verb}`, remove(col))
   }
@@ -146,7 +216,11 @@ export function makeDispatcher(spec, ns, routes) {
     const col = `@${ns}/${name}`
     const kind = info.kind === SINGLE ? SINGLE : COLLECTION
     add(`set-${name}`, kind === SINGLE ? upsert(name, col, kind) : update(name, col))
-    if (info.kind === SINGLE) continue
+    if (info.kind === SINGLE) {
+      // wipe the keyless single row (the dummy id in the op is ignored)
+      add(`del-${name}`, async (op, ctx) => ctx.view.delete(col, {}))
+      continue
+    }
     add(`add-${name}`, upsert(name, col, COLLECTION))
     add(`del-${name}`, remove(col))
   }

package/src/database/index.js

@@ -5,7 +5,7 @@ import ReadyResource from 'ready-resource'
 import safetyCatch from 'safety-catch'
 import b4a from 'b4a'
 
-import { NAMESPACE, SINGLE, COLLECTION } from '../lib/constants.js'
+import { NAMESPACE, SINGLE, COLLECTION, ACTION } from '../lib/constants.js'
 import { genId, subscribe } from '../lib/utils.js'
 import { CeroError } from '../lib/errors.js'
 import { bootstrap } from './bootstrap.js'
@@ -23,6 +23,7 @@ import { makeDispatcher } from './dispatch.js'
  * @property {(nodes: any, view: any, host: any) => Promise<void>} [apply]  Override the default apply function.
  * @property {Uint8Array | null} [key]                                Existing autobee key to reopen.
  * @property {import('../identity/index.js').KeyPair} [keyPair]       Device writer keypair; defaults to identity's keypair.
+ * @property {(err: Error) => void} [onerror]                         Called when a background after-hook or onApply callback fails.
  *
  * @typedef {{ data: any | null }} SingleResult
  * @typedef {{ data: any[], total: number, size: number }} ListResult
@@ -65,6 +66,7 @@ export class Database extends ReadyResource {
       secretKey: opts.identity.secretKey
     }
 
+    this._onerror = opts.onerror || safetyCatch
     this.bee = null
     this.dispatcher = null
 
@@ -89,6 +91,9 @@ export class Database extends ReadyResource {
       this._discovery = null
     }
     if (this.bee) {
+      // detach before closing — else the closed bee lingers in the network's
+      // _replicateables set and gets replicated into every new connection
+      if (this.network) this.network.detach(this.bee)
       await this.bee.close()
       this.bee = null
     }
@@ -126,26 +131,34 @@ export class Database extends ReadyResource {
 
     if (this.network) {
       this.network.attach(bee)
+      // a writer swap re-opens the bee — tear down the prior discovery session
+      // first so it isn't orphaned by the reassignment below
+      if (this._discovery) await this._discovery.destroy()
       this._discovery = this.network.join(bee.discoveryKey)
     }
   }
 
+  /** @returns {Uint8Array | null} discovery key of the underlying bee */
   get discoveryKey() {
     return this.bee?.discoveryKey || null
   }
 
+  /** @returns {Uint8Array | null} this device's local writer key */
   get writerKey() {
     return this.bee?.local?.key || null
   }
 
+  /** @returns {boolean} whether the bee accepts local writes */
   get writable() {
     return this.bee?.writable === true
   }
 
+  /** @returns {number} number of ops in the local writer */
   get length() {
     return this.bee?.local?.length || 0
   }
 
+  /** @returns {object | null} the materialized HyperDB view */
   get view() {
     return this.bee?.view || null
   }
@@ -220,7 +233,7 @@ export class Database extends ReadyResource {
         try {
           fn(event)
         } catch (err) {
-          safetyCatch(err)
+          this._onerror(err)
         }
       }
     }
@@ -259,7 +272,7 @@ export class Database extends ReadyResource {
         try {
           await fn(ctx)
         } catch (err) {
-          safetyCatch(err)
+          this._onerror(err)
         }
       }
     }
@@ -276,6 +289,7 @@ export class Database extends ReadyResource {
   async put(name, row) {
     this.guard()
     const ref = this.ref(name)
+    this._checkFields(name, row)
     const id = row.id || genId()
     const ts = Date.now()
     const stored = { createdAt: ts, updatedAt: ts, ...row, id }
@@ -303,6 +317,7 @@ export class Database extends ReadyResource {
   async set(name, row, { upsert = true } = {}) {
     this.guard()
     const ref = this.ref(name)
+    this._checkFields(name, row)
     const col = this.col(ref)
     const ts = Date.now()
     const existing =
@@ -347,7 +362,10 @@ export class Database extends ReadyResource {
     const ctx = { op: 'del', name, id }
     if ((await this.runBefore('del', ctx)) === false) return null
 
-    await this.write([[`del-${ref.verb}`, { id }]])
+    // Singles have no id — the apply handler wipes the keyless row; the dummy id
+    // just satisfies the shared del-by-id encoding.
+    const payload = ref.kind === SINGLE ? { id: '' } : { id }
+    await this.write([[`del-${ref.verb}`, payload]])
 
     await this.runAfter('del', ctx)
   }
@@ -361,6 +379,13 @@ export class Database extends ReadyResource {
    */
   async call(op, data = {}) {
     this.guard()
+    // A declared action with no local route would apply as a silent no-op — fail
+    // loud before writing a dead op. (Builtin verbs aren't refs, so they pass.)
+    if (this.refs[op]?.kind === ACTION && typeof this.routes[op] !== 'function') {
+      throw CeroError.INVALID(
+        `action '${op}' has no route — pass { routes: { ${op} } } when opening the handle`
+      )
+    }
     await this.write([[op, data]])
   }
 
@@ -373,19 +398,28 @@ export class Database extends ReadyResource {
    * @returns {Promise<T>}
    */
   async tx(fn) {
+    // Nested tx() (called while an outer tx's fn is running) joins the outer queue.
     if (this.txQueue) return fn()
-    const queue = []
-    this.txQueue = queue
-    let result
-    try {
-      result = await fn()
-    } catch (err) {
-      this.txQueue = null
-      throw err
+    // Outer transactions serialize — the run is deferred onto a chain so two
+    // concurrent tx() calls each get their own queue instead of the second
+    // buffering into the first's (and being dropped if the first rolls back).
+    const run = async () => {
+      const queue = []
+      this.txQueue = queue
+      try {
+        const result = await fn()
+        this.txQueue = null
+        if (queue.length) await this.write(queue)
+        return result
+      } catch (err) {
+        this.txQueue = null
+        throw err
+      }
     }
-    this.txQueue = null
-    if (queue.length) await this.write(queue)
-    return result
+    const prev = this._txChain || Promise.resolve()
+    // chain past prev's outcome so one failure doesn't wedge later transactions
+    this._txChain = prev.then(run, run)
+    return this._txChain
   }
 
   /**
@@ -430,8 +464,9 @@ export class Database extends ReadyResource {
 
     const idx = this.matchIndex(name, query)
     if (idx) {
-      const data = await this.view.find(idx.path, idx.range).toArray()
-      return { data, total: data.length, size: data.length }
+      const rows = await this.view.find(idx.path, idx.range).toArray()
+      const data = paginate(rows, query)
+      return { data, total: rows.length, size: data.length }
     }
 
     const all = await this.view.find(col, {}).toArray()
@@ -466,7 +501,6 @@ export class Database extends ReadyResource {
    */
   watch(name, query) {
     this.guard()
-    this.ref(name)
     return subscribe({
       get: () => this.get(name, query),
       watch: (fn) => this.onUpdate(fn)
@@ -571,11 +605,22 @@ export class Database extends ReadyResource {
     return this._write('del-writer', 'removeWriter', publicKey)
   }
 
+  /**
+   * Throw if the handle is closing/closed or the bee isn't ready yet.
+   *
+   * @returns {void}
+   */
   guard() {
     if (this.closing || this.closed) throw CeroError.CLOSED('Database')
     if (!this.bee) throw CeroError.NOT_READY('Database', 'db')
   }
 
+  /**
+   * Resolve a table name to its normalized `{ name, kind, verb }` ref.
+   *
+   * @param {string} name
+   * @returns {Ref}
+   */
   ref(name) {
     if (typeof name !== 'string' || !name)
       throw CeroError.INVALID('name must be a non-empty string')
@@ -584,11 +629,37 @@ export class Database extends ReadyResource {
     return { name, kind: ref.kind || COLLECTION, verb: ref.verb || name }
   }
 
+  /**
+   * Namespaced collection path for a ref.
+   *
+   * @param {Ref} ref
+   * @returns {string}
+   */
   col(ref) {
     return `@${this.ns}/${ref.name}`
   }
 
-  // Route an exact-field query to a declared secondary index, when one matches.
+  // Reject a write that carries a field the schema doesn't declare — the encoder
+  // would silently drop it, so the returned row would lie. Builtins (and specs
+  // built before field info shipped) carry no `fields`, so they skip validation.
+  _checkFields(name, row) {
+    const declared = this.refs[name]?.fields
+    if (!declared || !row) return
+    for (const key of Object.keys(row)) {
+      if (declared.includes(key) || SYSTEM_FIELDS.has(key)) continue
+      throw CeroError.INVALID(
+        `unknown field '${key}' on '${name}' — declared: ${declared.join(', ') || '(none)'}`
+      )
+    }
+  }
+
+  /**
+   * Find a secondary index whose fields exactly match the query's equality keys.
+   *
+   * @param {string} name
+   * @param {Query} [query]
+   * @returns {{ path: string, range: { gte: object, lte: object } } | null}
+   */
   matchIndex(name, query) {
     const indexes = this.refs[name]?.indexes
     if (!indexes || !query) return null
@@ -598,10 +669,8 @@ export class Database extends ReadyResource {
       if (idxFields.length === fields.length && idxFields.every((f) => fields.includes(f))) {
         const point = {}
         for (const f of idxFields) point[f] = query[f]
-        const range = { gte: point, lte: point }
-        if (query.limit !== undefined) range.limit = query.limit
-        if (query.reverse) range.reverse = true
-        return { path: `@${this.ns}/${name}-${idx}`, range }
+        // point lookup only — search/range/reverse/limit are applied by paginate
+        return { path: `@${this.ns}/${name}-${idx}`, range: { gte: point, lte: point } }
       }
     }
     return null
@@ -620,7 +689,7 @@ export class Database extends ReadyResource {
 
   async _write(verb, hook, publicKey) {
     this.guard()
-    if (!b4a.isBuffer(publicKey) && !(publicKey instanceof Uint8Array)) {
+    if (!b4a.isBuffer(publicKey)) {
       throw CeroError.INVALID('publicKey must be a buffer')
     }
     const ctx = { op: hook, publicKey }
@@ -629,17 +698,32 @@ export class Database extends ReadyResource {
       version: this.store.manifestVersion,
       signers: [{ publicKey }]
     })
-    const sig = this.identity.sign(writerKey)
+    const sig = this.identity.sign(b4a.concat([writerKey, this.writerKey]))
     await this.write([[verb, { master: this.identity.publicKey, writer: writerKey, sig }]])
     await this.runAfter(hook, ctx)
   }
 }
 
 const INDEX_RESERVED = new Set(['gt', 'gte', 'lt', 'lte', 'limit', 'reverse', 'search', 'fields'])
+// Fields the write path stamps itself — always allowed even if not user-declared.
+const SYSTEM_FIELDS = new Set(['id', 'memberId', 'index', 'createdAt', 'updatedAt'])
+
+// Match a query value against a stored value (bytes compared by content).
+const valueEq = (a, b) => {
+  if (a instanceof Uint8Array && b instanceof Uint8Array) return b4a.equals(a, b)
+  return a === b
+}
 
 function paginate(rows, query) {
   if (!query) return rows
   let out = rows
+  // Exact-field equality: every non-reserved key filters in memory. The secondary
+  // index is an optimization, not a correctness gate — so an unindexed field, or
+  // one passed alongside search/range, still filters instead of silently dropping.
+  for (const key of Object.keys(query)) {
+    if (INDEX_RESERVED.has(key)) continue
+    out = out.filter((r) => valueEq(r[key], query[key]))
+  }
   if (query.gt !== undefined) out = out.filter((r) => r.id > query.gt)
   if (query.gte !== undefined) out = out.filter((r) => r.id >= query.gte)
   if (query.lt !== undefined) out = out.filter((r) => r.id < query.lt)
@@ -662,7 +746,9 @@ const fold = (s) =>
 // every string field). 'smith' → 'John Smith', 'jo sm' → both must appear.
 function searchHit(row, term, fields) {
   const terms = String(term).split(/\s+/).map(fold).filter(Boolean)
-  const keys = fields && fields.length ? fields : Object.keys(row)
+  // default to all fields except memberId — a framework-stamped random z32 whose value would
+  // otherwise produce spurious, non-deterministic search hits (user-set id/code stay searchable)
+  const keys = fields && fields.length ? fields : Object.keys(row).filter((k) => k !== 'memberId')
   const hay = keys.map((k) => (typeof row[k] === 'string' ? fold(row[k]) : '')).join(' ')
   return terms.every((t) => hay.includes(t))
 }

package/src/identity/index.js

@@ -157,7 +157,7 @@ export class Identity {
    * @returns {x is Uint8Array}
    */
   static isSeed(x) {
-    if (!b4a.isBuffer(x) && !(x instanceof Uint8Array)) return false
+    if (!b4a.isBuffer(x)) return false
     return x.length === 16 || x.length === 32
   }
 

package/src/index.js

@@ -8,13 +8,36 @@
  */
 
 export * from './identity/index.js'
-export * from './storage/index.js'
+// `database`, `pairing` and `pairing/invite` declare a few generically-named
+// result/option typedefs (`Ref`, `SingleResult`, `ListResult`,
+// `CreateInviteOpts`) that also exist on `storage`/`pairing`. Re-export the
+// lower-level modules' colliding names under namespaced aliases so the barrel
+// stays unambiguous while the canonical (`database`/`pairing`) versions own the
+// bare names.
+export { Storage } from './storage/index.js'
+/**
+ * `Ref` / `SingleResult` / `ListResult` are JSDoc typedefs (types, not runtime exports), so they
+ * are re-exported as namespaced type aliases — `export { Ref as StorageRef }` fails at import
+ * because the module provides no runtime `Ref` export.
+ * @typedef {import('./storage/index.js').Ref} StorageRef
+ * @typedef {import('./storage/index.js').SingleResult} StorageSingleResult
+ * @typedef {import('./storage/index.js').ListResult} StorageListResult
+ * @typedef {import('./storage/index.js').StorageOpts} StorageOpts
+ * @typedef {import('./storage/index.js').StoredRow} StoredRow
+ * @typedef {import('./storage/index.js').GetByIdResult} GetByIdResult
+ */
 export * from './network/index.js'
 export * from './database/index.js'
 export * from './blobs/index.js'
 export * from './rpc/index.js'
 export * from './pairing/index.js'
-export * from './pairing/invite.js'
+export { Invite } from './pairing/invite.js'
+/**
+ * `CreateInviteOpts` is a typedef (not a runtime export); re-export it as a type alias.
+ * @typedef {import('./pairing/invite.js').CreateInviteOpts} MintInviteOpts
+ * @typedef {import('./pairing/invite.js').InviteFields} InviteFields
+ * @typedef {import('./pairing/invite.js').ParseInviteOpts} ParseInviteOpts
+ */
 export * from './lib/schema.js'
 export * from './lib/utils.js'
 export * from './lib/errors.js'

package/src/lib/constants.js

@@ -14,8 +14,28 @@ export const BEE = 'bee'
 
 // Roles
 export const OWNER = 'owner'
-export const WRITE = 'write'
+export const ADMIN = 'admin'
+export const MEMBER = 'member'
+export const READER = 'reader'
+
+// Permissions
 export const READ = 'read'
+export const WRITE = 'write'
+export const DELETE = 'delete'
+export const INVITE = 'invite'
+export const REMOVE = 'remove'
+export const ASSIGN = 'assign'
+
+// Default role → permissions
+export const ROLE_PERMS = {
+  [OWNER]: ['*'],
+  [ADMIN]: [READ, WRITE, DELETE, INVITE, REMOVE, ASSIGN],
+  [MEMBER]: [READ, WRITE, INVITE],
+  [READER]: [READ]
+}
+
+// Role ordering (higher = more authority)
+export const RANK = { [OWNER]: 3, [ADMIN]: 2, [MEMBER]: 1, [READER]: 0 }
 
 // Identity / hypercore namespace
 export const NAMESPACE = 'cero'

package/src/lib/schema.js

@@ -25,6 +25,8 @@ export const t = {
   fixed32: prim('fixed32'),
   fixed64: prim('fixed64'),
 
+  file: prim('file'),
+
   /**
    * Mark a field as required. Fields are optional by default.
    *