@drakkar.software/octospaces-sdk 0.1.0 → 0.4.3

package/src/spaces/object-index.ts

@@ -1,156 +1,94 @@
 /**
  * Headless reads + create-time seeding of a space's unified OBJECT INDEX.
  *
- * Both PRIVATE (encrypted) and PUBLIC (plaintext) spaces store their room/category
- * tree in `spaces/{spaceId}/objects/_index`. The `encryptor` parameter is null for
- * public spaces — the helpers pass data through unchanged.
+ * The index at `spaces/{spaceId}/objects/_index` is always PLAINTEXT (member-gated).
+ * For `invite` nodes the title/emoji are stripped before storage so non-invited
+ * members see only the structural fields (id, type, parentId, order, access, enc).
+ * Invited members read the real title from the node's content doc.
+ *
+ * Encryption lives at the node content level, not here.
  */
 import { ConflictError } from '@drakkar.software/starfish-client';
-import type { Encryptor, StarfishClient } from '@drakkar.software/starfish-client';
 
-import type { ObjectNode, Room, SpaceVisibility } from '../core/types.js';
+import type { ObjectNode } from '../core/types.js';
 import type { Session } from '../sync/identity.js';
-import { DEFAULT_CATEGORY, objectsToRoomCategories, seedIndexNodes } from '../objects/objects.js';
-import type { SeedRoom } from '../objects/objects.js';
 import { objIndexPull, objIndexPush } from '../sync/paths.js';
-import { buildSpaceAccess, getSpaceAccess } from '../sync/space-access.js';
-
-export type { SeedRoom };
-
-function indexNodes(plain: Record<string, unknown>): ObjectNode[] {
-  return Array.isArray((plain as { objects?: unknown }).objects)
-    ? (plain as { objects: ObjectNode[] }).objects
-    : [];
-}
-
-/**
- * Pull + (private: decrypt) + project a space's object index into the legacy
- * `{ rooms, categories }` shape. `encryptor` is null for a PUBLIC space.
- * Returns null on failure or an empty index.
- */
-export async function readIndexRooms(
-  client: StarfishClient,
-  encryptor: Encryptor | null,
-  indexPath: string,
-  spaceId: string,
-): Promise<{ rooms: Room[]; categories: string[] } | null> {
-  try {
-    const res = await client.pull(indexPath).catch(() => null);
-    if (!res?.data) return null;
-    const plain = encryptor
-      ? await encryptor.decrypt(res.data as Record<string, unknown>)
-      : (res.data as Record<string, unknown>);
-    const cats = objectsToRoomCategories(indexNodes(plain), spaceId, DEFAULT_CATEGORY);
-    if (!cats) return null;
-    return { rooms: cats.flatMap((c) => c.rooms), categories: cats.map((c) => c.name) };
-  } catch {
-    return null;
-  }
-}
+import { getSpaceClient } from '../sync/space-access.js';
 
-/**
- * Read a space's index rooms + categories, resolving access automatically.
- * Pass `reg` (from `readRooms`) so the accessor picks the right auth mode.
- */
-export async function readSpaceIndexRooms(
-  session: Session,
-  spaceId: string,
-  reg: { owner: string | null; members: string[]; visibility?: SpaceVisibility },
-): Promise<{ rooms: Room[]; categories: string[] } | null> {
-  if (reg.owner === null && reg.visibility !== 'public') return null;
-  try {
-    const { encryptor, client } = await getSpaceAccess(spaceId, session, reg);
-    return await readIndexRooms(client, encryptor, objIndexPull(spaceId), spaceId);
-  } catch {
-    return null;
+/** Strip title/emoji from invite nodes before writing to the index. */
+function serializeForIndex(node: ObjectNode): ObjectNode {
+  if (node.access === 'invite') {
+    const { emoji: _e, ...rest } = node;
+    return { ...rest, title: '' };
   }
-}
-
-/** SOFT read — never throws, never mints. Returns an empty array on any failure. */
-export async function readSpaceRooms(
-  session: Session,
-  spaceId: string,
-  hint?: { visibility?: SpaceVisibility },
-): Promise<Room[]> {
-  const access = await buildSpaceAccess(session, spaceId, hint).catch(() => null);
-  if (!access) return [];
-  const idx = await readIndexRooms(access.client, access.encryptor, objIndexPull(spaceId), spaceId);
-  return idx?.rooms ?? [];
+  return node;
 }
 
 /**
- * Write the create-time seed into a space's index doc with an already-open access handle.
- * Accepts a nullable encryptor — plaintext push when null (public spaces).
- * Idempotent: a no-op if the index doc already exists (either encrypted or plaintext).
+ * Write the create-time seed into a space's index doc.
+ * Idempotent: a no-op if the index doc already exists.
+ * Pass `nodes` to seed with initial objects; defaults to an empty index.
  */
 export async function pushIndexSeed(
-  client: StarfishClient,
-  encryptor: Encryptor | null,
+  client: import('@drakkar.software/starfish-client').StarfishClient,
   spaceId: string,
-  rooms: SeedRoom[],
+  nodes: ObjectNode[] = [],
 ): Promise<void> {
   const res = await client.pull(objIndexPull(spaceId)).catch(() => null);
   const existing = res?.data as Record<string, unknown> | undefined;
-  if (existing?._encrypted || Array.isArray(existing?.objects)) return;
-  const nodes = seedIndexNodes(rooms, Date.now());
-  const payload = encryptor
-    ? await encryptor.encrypt({ objects: nodes }) as Record<string, unknown>
-    : { objects: nodes };
-  await client.push(objIndexPush(spaceId), payload, res?.hash ?? null);
+  if (Array.isArray(existing?.objects)) return;
+  await client.push(
+    objIndexPush(spaceId),
+    { v: 2, objects: nodes.map(serializeForIndex), updatedAt: Date.now() },
+    res?.hash ?? null,
+  );
 }
 
 /**
- * Seed a brand-new space's index as the OWNER.
- * For private spaces: opens (minting if needed) the space keyring.
- * For public spaces: pushes plaintext nodes.
+ * Seed a brand-new space's index as the OWNER. Always plaintext.
+ * Pass `nodes` to seed with initial objects; defaults to an empty index.
  */
 export async function seedSpaceObjectIndex(
   session: Session,
   spaceId: string,
-  rooms: SeedRoom[],
-  opts?: { visibility?: SpaceVisibility },
+  nodes: ObjectNode[] = [],
 ): Promise<void> {
-  const { encryptor, client } = await getSpaceAccess(spaceId, session, {
-    owner: session.userId,
-    members: [],
-    visibility: opts?.visibility,
-  });
-  await pushIndexSeed(client, encryptor, spaceId, rooms);
+  const client = getSpaceClient(spaceId, session);
+  await pushIndexSeed(client, spaceId, nodes);
 }
 
 /**
- * Headless read-modify-write of a space's unified OBJECT INDEX. Works for both
- * private (encrypt round-trip) and public (plaintext) spaces. Retries up to 3 times
- * on ConflictError.
+ * Headless read-modify-write of a space's unified OBJECT INDEX.
+ * Always plaintext. Retries up to 3 times on ConflictError.
+ *
+ * The mutator receives the current nodes with real (or empty, for invite) titles.
+ * Before writing back, invite nodes have their title/emoji stripped again.
  */
 export async function updateObjectIndex(
   session: Session,
   spaceId: string,
   mutator: (nodes: ObjectNode[], now: number) => ObjectNode[] | null,
-  reg?: { owner: string | null; members: string[]; visibility?: SpaceVisibility } | null,
+  reg?: { owner: string | null; members: string[] } | null,
 ): Promise<void> {
-  const { client, encryptor } = await getSpaceAccess(spaceId, session, reg ?? null);
+  void reg; // no longer needed for encryption; kept for API compat during migration
+  const client = getSpaceClient(spaceId, session);
   const pullPath = objIndexPull(spaceId);
   const pushPath = objIndexPush(spaceId);
   const MAX_ATTEMPTS = 3;
   for (let attempt = 0; attempt < MAX_ATTEMPTS; attempt++) {
     const res = await client.pull(pullPath).catch(() => null);
     const raw = res?.data as Record<string, unknown> | undefined;
-    const plain = raw
-      ? encryptor
-        ? await encryptor.decrypt(raw)
-        : raw
-      : {};
-    const cur = Array.isArray((plain as { objects?: unknown }).objects)
-      ? (plain as { objects: ObjectNode[] }).objects
+    const cur: ObjectNode[] = Array.isArray((raw as { objects?: unknown })?.objects)
+      ? (raw as { objects: ObjectNode[] }).objects
       : [];
     const next = mutator(cur, Date.now());
     if (!next) return;
-    const payload = encryptor
-      ? await encryptor.encrypt({ objects: next }) as Record<string, unknown>
-      : { objects: next };
     try {
-      await client.push(pushPath, payload, res?.hash ?? null);
+      await client.push(
+        pushPath,
+        { v: 2, objects: next.map(serializeForIndex), updatedAt: Date.now() },
+        res?.hash ?? null,
+      );
       return;
     } catch (err) {
       if (err instanceof ConflictError && attempt < MAX_ATTEMPTS - 1) continue;
@@ -158,3 +96,19 @@ export async function updateObjectIndex(
     }
   }
 }
+
+/**
+ * Read the current object tree (read-only, no mutation). Returns the stored
+ * nodes (titles are empty for invite nodes the caller is not invited to).
+ */
+export async function readObjectTree(
+  session: Session,
+  spaceId: string,
+): Promise<ObjectNode[]> {
+  const client = getSpaceClient(spaceId, session);
+  const res = await client.pull(objIndexPull(spaceId)).catch(() => null);
+  const raw = res?.data as Record<string, unknown> | undefined;
+  return Array.isArray((raw as { objects?: unknown })?.objects)
+    ? (raw as { objects: ObjectNode[] }).objects
+    : [];
+}

package/src/spaces/registry.test.ts

@@ -1,36 +1,24 @@
 import { describe, it, expect, vi } from 'vitest';
 import type { StarfishClient } from '@drakkar.software/starfish-client';
-import { readRooms, writeRooms, addSpaceMember, removeSpaceMember } from './registry.js';
+import { readSpaceAccess, writeSpaceAccess, addSpaceMember, removeSpaceMember } from './registry.js';
 
 // ── Fake client ────────────────────────────────────────────────────────────────
 
-function makeRoomsClient(data: unknown, hash = 'h1'): StarfishClient {
+function makeAccessClient(data: unknown, hash = 'h1'): StarfishClient {
   return {
     pull: vi.fn().mockResolvedValue({ data, hash }),
     push: vi.fn().mockResolvedValue(undefined),
   } as unknown as StarfishClient;
 }
 
-// ── readRooms ──────────────────────────────────────────────────────────────────
-
-describe('readRooms', () => {
-  it('returns visibility null for a private space doc', async () => {
-    const client = makeRoomsClient({ v: 1, owner: 'alice', members: [] });
-    const result = await readRooms(client, 'sp-private');
-    expect(result.visibility).toBeNull();
-  });
-
-  it('returns visibility "public" when doc has visibility:"public"', async () => {
-    const client = makeRoomsClient({ v: 1, owner: 'alice', members: [], visibility: 'public' });
-    const result = await readRooms(client, 'sp-pub');
-    expect(result.visibility).toBe('public');
-  });
+// ── readSpaceAccess ────────────────────────────────────────────────────────────
 
+describe('readSpaceAccess', () => {
   it('returns owner, members, name, image', async () => {
-    const client = makeRoomsClient({
+    const client = makeAccessClient({
       v: 1, owner: 'alice', members: ['bob'], name: 'My Space', image: 'data:image/png;base64,abc',
     });
-    const result = await readRooms(client, 'sp-x');
+    const result = await readSpaceAccess(client, 'sp-x');
     expect(result.owner).toBe('alice');
     expect(result.members).toEqual(['bob']);
     expect(result.name).toBe('My Space');
@@ -38,74 +26,99 @@ describe('readRooms', () => {
   });
 
   it('returns null owner/name/image for missing fields', async () => {
-    const client = makeRoomsClient({});
-    const result = await readRooms(client, 'sp-empty');
+    const client = makeAccessClient({});
+    const result = await readSpaceAccess(client, 'sp-empty');
     expect(result.owner).toBeNull();
     expect(result.name).toBeNull();
     expect(result.image).toBeNull();
     expect(result.members).toEqual([]);
   });
-});
 
-// ── writeRooms ─────────────────────────────────────────────────────────────────
+  it('returns the hash from the pull response', async () => {
+    const client = makeAccessClient({ v: 1, owner: 'alice', members: [] }, 'hash-abc');
+    const result = await readSpaceAccess(client, 'sp-1');
+    expect(result.hash).toBe('hash-abc');
+  });
 
-describe('writeRooms', () => {
-  it('omits visibility field for a private space', async () => {
-    const client = makeRoomsClient(null);
-    await writeRooms(client, 'sp-priv', 'alice', [], null);
-    const [, doc] = (client.push as ReturnType<typeof vi.fn>).mock.calls[0] as [string, Record<string, unknown>];
-    expect(doc).not.toHaveProperty('visibility');
+  it('does NOT return a visibility field', async () => {
+    const client = makeAccessClient({ v: 1, owner: 'alice', members: [] });
+    const result = await readSpaceAccess(client, 'sp-x');
+    expect(result).not.toHaveProperty('visibility');
   });
+});
 
-  it('emits visibility:"public" for a public space', async () => {
-    const client = makeRoomsClient(null);
-    await writeRooms(client, 'sp-pub', 'alice', [], null, { visibility: 'public' });
+// ── writeSpaceAccess ───────────────────────────────────────────────────────────
+
+describe('writeSpaceAccess', () => {
+  it('writes owner and members', async () => {
+    const client = makeAccessClient(null);
+    await writeSpaceAccess(client, 'sp-x', 'alice', ['bob'], null);
     const [, doc] = (client.push as ReturnType<typeof vi.fn>).mock.calls[0] as [string, Record<string, unknown>];
-    expect(doc).toHaveProperty('visibility', 'public');
+    expect(doc).toHaveProperty('owner', 'alice');
+    expect((doc as { members: string[] }).members).toContain('bob');
   });
 
   it('preserves name and image', async () => {
-    const client = makeRoomsClient(null);
-    await writeRooms(client, 'sp-x', 'alice', ['bob'], null, { name: 'Test', image: 'data:x' });
+    const client = makeAccessClient(null);
+    await writeSpaceAccess(client, 'sp-x', 'alice', ['bob'], null, { name: 'Test', image: 'data:x' });
     const [, doc] = (client.push as ReturnType<typeof vi.fn>).mock.calls[0] as [string, Record<string, unknown>];
     expect(doc).toHaveProperty('name', 'Test');
     expect(doc).toHaveProperty('image', 'data:x');
   });
+
+  it('does NOT write a visibility field', async () => {
+    const client = makeAccessClient(null);
+    await writeSpaceAccess(client, 'sp-x', 'alice', [], null);
+    const [, doc] = (client.push as ReturnType<typeof vi.fn>).mock.calls[0] as [string, Record<string, unknown>];
+    expect(doc).not.toHaveProperty('visibility');
+  });
 });
 
 // ── addSpaceMember / removeSpaceMember ────────────────────────────────────────
 
 describe('addSpaceMember', () => {
-  it('adds a member and preserves visibility', async () => {
-    const client = makeRoomsClient({ v: 1, owner: 'alice', members: [], visibility: 'public' });
-    await addSpaceMember(client, 'sp-pub', 'alice', 'bob');
+  it('adds a member to the roster', async () => {
+    const client = makeAccessClient({ v: 1, owner: 'alice', members: [] });
+    await addSpaceMember(client, 'sp-x', 'alice', 'bob');
     const [, doc] = (client.push as ReturnType<typeof vi.fn>).mock.calls[0] as [string, Record<string, unknown>];
     expect((doc as { members: string[] }).members).toContain('bob');
-    expect(doc).toHaveProperty('visibility', 'public');
   });
 
   it('is a no-op when member already present', async () => {
-    const client = makeRoomsClient({ v: 1, owner: 'alice', members: ['bob'] });
+    const client = makeAccessClient({ v: 1, owner: 'alice', members: ['bob'] });
     await addSpaceMember(client, 'sp-x', 'alice', 'bob');
     expect(client.push).not.toHaveBeenCalled();
   });
+
+  it('preserves name and image when adding a member', async () => {
+    const client = makeAccessClient({ v: 1, owner: 'alice', members: [], name: 'S', image: 'data:i' });
+    await addSpaceMember(client, 'sp-x', 'alice', 'bob');
+    const [, doc] = (client.push as ReturnType<typeof vi.fn>).mock.calls[0] as [string, Record<string, unknown>];
+    expect(doc).toHaveProperty('name', 'S');
+    expect(doc).toHaveProperty('image', 'data:i');
+  });
 });
 
 describe('removeSpaceMember', () => {
-  it('removes a member and preserves name/image/visibility', async () => {
-    const client = makeRoomsClient({
-      v: 1, owner: 'alice', members: ['bob', 'carol'], name: 'S', visibility: 'public',
-    });
-    await removeSpaceMember(client, 'sp-pub', 'bob');
+  it('removes a member from the roster', async () => {
+    const client = makeAccessClient({ v: 1, owner: 'alice', members: ['bob', 'carol'], name: 'S' });
+    await removeSpaceMember(client, 'sp-x', 'bob');
     const [, doc] = (client.push as ReturnType<typeof vi.fn>).mock.calls[0] as [string, Record<string, unknown>];
     expect((doc as { members: string[] }).members).not.toContain('bob');
     expect((doc as { members: string[] }).members).toContain('carol');
-    expect(doc).toHaveProperty('visibility', 'public');
   });
 
   it('is a no-op when member is not in the roster', async () => {
-    const client = makeRoomsClient({ v: 1, owner: 'alice', members: ['carol'] });
+    const client = makeAccessClient({ v: 1, owner: 'alice', members: ['carol'] });
     await removeSpaceMember(client, 'sp-x', 'unknown');
     expect(client.push).not.toHaveBeenCalled();
   });
+
+  it('preserves name and image when removing a member', async () => {
+    const client = makeAccessClient({ v: 1, owner: 'alice', members: ['bob'], name: 'S', image: 'data:i' });
+    await removeSpaceMember(client, 'sp-x', 'bob');
+    const [, doc] = (client.push as ReturnType<typeof vi.fn>).mock.calls[0] as [string, Record<string, unknown>];
+    expect(doc).toHaveProperty('name', 'S');
+    expect(doc).toHaveProperty('image', 'data:i');
+  });
 });

package/src/spaces/registry.ts

@@ -1,30 +1,26 @@
 /**
- * Space + room registries (plaintext metadata docs). A user's spaces live at
+ * Space registries (plaintext metadata docs). A user's spaces live at
  * `user/<userId>/_spaces`; each space's ACCESS RECORD (owner/members + shared
- * name/image) at `spaces/<spaceId>/_rooms`. The room/category LIST no longer lives
- * here — it moved to the encrypted unified object index (`objects/_index`, see
- * `object-index.ts`); `_rooms` is now just the owner-only access record.
+ * name/image) at `spaces/<spaceId>/_access`. The object tree lives in the plaintext
+ * unified object index (`objects/_index`, see `object-index.ts`); `_access` is the
+ * owner-only access record. Spaces are neutral containers — visibility and encryption
+ * are per-node properties (see `ObjectNode.access` / `ObjectNode.enc`).
  */
 import { ConflictError, StarfishHttpError } from '@drakkar.software/starfish-client';
 import type { StarfishClient } from '@drakkar.software/starfish-client';
 
-import type { ArchivedDms, CapMap, DmMap, MutePrefs, PubAccessMap, ReadPrefs, Room, Space, SpaceVisibility } from '../core/types.js';
+import type { ArchivedDms, CapMap, DmMap, MutePrefs, PubAccessMap, ReadPrefs, Space } from '../core/types.js';
 import type { SealedBlob } from '../sync/account-seal.js';
 import { randomId } from '../core/ids.js';
 import type { Session } from '../sync/identity.js';
-import { DEFAULT_CATEGORY } from '../objects/objects.js';
 import { seedSpaceObjectIndex } from './object-index.js';
-import { roomsRegistryPull, roomsRegistryPush, spacesPull, spacesPush } from '../sync/paths.js';
+import { spaceAccessPull, spaceAccessPush, spacesPull, spacesPush } from '../sync/paths.js';
 
-// Re-export so existing `import { DEFAULT_CATEGORY } from './registry'` consumers keep working.
-export { DEFAULT_CATEGORY };
-
-/** Owner-set, SHARED space identity, persisted in the `_rooms` registry doc
- *  (plaintext — NOT E2EE). `image` is a data URI. Both optional for back-compat. */
+/** Owner-set, SHARED space identity, persisted in the `_access` registry doc
+ *  (plaintext — NOT E2EE). `image` is a data URI. All fields optional for back-compat. */
 export interface SpaceMeta {
   name?: string | null;
   image?: string | null;
-  visibility?: SpaceVisibility;
 }
 
 /** A resolved name/image update fanned out so the SpacesProvider adopts a
@@ -302,36 +298,25 @@ function newSpaceId(): string {
   return `sp-${randomId()}`;
 }
 
-export function normalizeCategories(rooms: Room[], stored: unknown): string[] {
-  const distinct: string[] = [];
-  for (const r of rooms) if (r.category && !distinct.includes(r.category)) distinct.push(r.category);
-  const list = Array.isArray(stored) ? stored.filter((c): c is string => typeof c === 'string') : [];
-  if (!list.length) return distinct;
-  const result = [...list];
-  for (const c of distinct) if (!result.includes(c)) result.push(c);
-  return result;
-}
-
-export async function readRooms(
+export async function readSpaceAccess(
   client: StarfishClient,
   spaceId: string,
-): Promise<{ owner: string | null; members: string[]; visibility: SpaceVisibility | null; name: string | null; image: string | null; hash: string | null }> {
-  const res = await client.pull(roomsRegistryPull(spaceId)).catch((err: unknown) => {
+): Promise<{ owner: string | null; members: string[]; name: string | null; image: string | null; hash: string | null }> {
+  const res = await client.pull(spaceAccessPull(spaceId)).catch((err: unknown) => {
     if (err instanceof StarfishHttpError && err.status === 404) return null;
     throw err;
   });
-  const data = res?.data as { owner?: string; members?: unknown[]; visibility?: string; name?: string; image?: string } | undefined;
+  const data = res?.data as { owner?: string; members?: unknown[]; name?: string; image?: string } | undefined;
   return {
     owner: typeof data?.owner === 'string' ? data.owner : null,
     members: Array.isArray(data?.members) ? data!.members!.filter((m): m is string => typeof m === 'string') : [],
-    visibility: data?.visibility === 'public' ? 'public' : null,
     name: typeof data?.name === 'string' ? data.name : null,
     image: typeof data?.image === 'string' ? data.image : null,
     hash: res?.hash ?? null,
   };
 }
 
-export async function writeRooms(
+export async function writeSpaceAccess(
   client: StarfishClient,
   spaceId: string,
   owner: string,
@@ -341,10 +326,13 @@ export async function writeRooms(
 ): Promise<void> {
   const name = meta?.name?.trim() || undefined;
   const image = meta?.image || undefined;
-  const visibility = meta?.visibility === 'public' ? 'public' : undefined;
   await client.push(
-    roomsRegistryPush(spaceId),
-    { v: 1, owner, members, ...(visibility ? { visibility } : {}), ...(name ? { name } : {}), ...(image ? { image } : {}) },
+    spaceAccessPush(spaceId),
+    {
+      v: 1, owner, members,
+      ...(name ? { name } : {}),
+      ...(image ? { image } : {}),
+    },
     hash,
   );
 }
@@ -355,9 +343,9 @@ export async function addSpaceMember(
   ownerUserId: string,
   memberUserId: string,
 ): Promise<void> {
-  const { owner, members, visibility, name, image, hash } = await readRooms(client, spaceId);
+  const { owner, members, name, image, hash } = await readSpaceAccess(client, spaceId);
   if (memberUserId === (owner ?? ownerUserId) || members.includes(memberUserId)) return;
-  await writeRooms(client, spaceId, owner ?? ownerUserId, [...members, memberUserId], hash, { name, image, visibility: visibility ?? undefined });
+  await writeSpaceAccess(client, spaceId, owner ?? ownerUserId, [...members, memberUserId], hash, { name, image });
 }
 
 /** Remove a member from the space roster (used for link revocation). */
@@ -366,9 +354,9 @@ export async function removeSpaceMember(
   spaceId: string,
   memberUserId: string,
 ): Promise<void> {
-  const { owner, members, visibility, name, image, hash } = await readRooms(client, spaceId);
+  const { owner, members, name, image, hash } = await readSpaceAccess(client, spaceId);
   if (!members.includes(memberUserId)) return;
-  await writeRooms(client, spaceId, owner ?? memberUserId, members.filter((m) => m !== memberUserId), hash, { name, image, visibility: visibility ?? undefined });
+  await writeSpaceAccess(client, spaceId, owner ?? memberUserId, members.filter((m) => m !== memberUserId), hash, { name, image });
 }
 
 export async function addJoinedSpace(client: StarfishClient, userId: string, space: Space): Promise<void> {
@@ -406,36 +394,29 @@ export async function addJoinedSpaceWithLinkAccess(
 }
 
 /**
- * Create a new space owned by the identity. Seeds ONE generic `general` object node
- * into the object index (encrypted for private, plaintext for public).
- *
- * `opts.visibility` defaults to `'private'`.
+ * Create a new space owned by the identity. Seeds an empty plaintext object index.
+ * Apps populate the index with their own object types after creation using `createNode`.
  */
 export async function createSpace(
   session: Session,
   name: string,
-  opts?: { visibility?: SpaceVisibility },
 ): Promise<Space> {
   const { accountClient, userId } = session;
   const { spaces, hash } = await readSpaces(accountClient, userId);
   const trimmed = name.trim() || 'New Space';
-  const visibility = opts?.visibility ?? 'private';
   const id = newSpaceId();
   const space: Space = {
     id,
     name: trimmed,
     short: trimmed.slice(0, 2).toUpperCase(),
     members: 1,
-    ...(visibility === 'public' ? { visibility: 'public', ownerId: userId, write: true } : {}),
   };
-  await writeRooms(accountClient, id, userId, [], null, { name: trimmed, visibility: visibility === 'public' ? 'public' : undefined });
-  await seedSpaceObjectIndex(session, id, [{ id: `${id}-general`, name: 'general', kind: 'channel', category: DEFAULT_CATEGORY }], { visibility });
+  await writeSpaceAccess(accountClient, id, userId, [], null, { name: trimmed });
+  await seedSpaceObjectIndex(session, id);
   await writeSpaces(accountClient, userId, [...spaces, space], hash);
   return space;
 }
 
-export class CategoryError extends Error {}
-
 export async function reconcileSpaceMeta(
   client: StarfishClient,
   userId: string,

package/src/sync/client.ts

@@ -12,7 +12,7 @@ import { getSyncBase, getSyncNamespace, getSyncPrefix, getOnServerReachable } fr
 import { fetchWithTimeout } from './fetch-timeout.js';
 import { pullCache, PULL_CACHE_MAX_AGE_MS } from './pull-cache.js';
 import { cacheProfile, loadCachedProfile } from './profile-cache.js';
-import { keyringPull, keyringPush, profilePull, profilePush } from './paths.js';
+import { profilePull, profilePush } from './paths.js';
 import { SpaceAccessError } from '../core/space-access-error.js';
 
 export interface DeviceKeys {
@@ -48,24 +48,25 @@ export function makeClient(cap: unknown, devEdPrivHex: string, namespaceOverride
 }
 
 /**
- * Open a SPACE's decryptor, throwing a descriptive error per failure mode
+ * Open a node's decryptor, throwing a descriptive error per failure mode
  * (unreachable server / no keyring yet / not a recipient).
  *
- * A `SpaceAccessError` is a hard access denial; any other thrown error is a
- * transient offline state.
+ * `keyringPullPath` is the full `/pull/.../_keyring` path (e.g. from
+ * `keyringPull(spaceId)`). A `SpaceAccessError` is a hard access
+ * denial; any other thrown error is a transient offline state.
  */
 export async function openEncryptor(
   client: StarfishClient,
   keys: DeviceKeys,
-  spaceId: string,
+  keyringPullPath: string,
   trustedAdders: string[],
 ): Promise<Encryptor> {
-  const res = await client.pull(keyringPull(spaceId)).catch(() => {
-    throw new Error('Could not reach the server to fetch space keys.');
+  const res = await client.pull(keyringPullPath).catch(() => {
+    throw new Error('Could not reach the server to fetch node keys.');
   });
   const keyring = res?.data as unknown as Keyring | undefined;
   if (!keyring || !keyring.epochs) {
-    throw new SpaceAccessError('This space has no keyring yet — ask the owner to open it first.');
+    throw new SpaceAccessError('This node has no keyring yet — ask the owner to create it first.');
   }
   try {
     const enc = await createKeyringEncryptor(
@@ -75,7 +76,7 @@ export async function openEncryptor(
     );
     return enc as unknown as Encryptor;
   } catch {
-    throw new SpaceAccessError("You're not a recipient of this space's keyring yet — ask the owner to re-invite.");
+    throw new SpaceAccessError("You're not a recipient of this node's keyring yet — ask the owner to invite you.");
   }
 }
 
@@ -83,33 +84,37 @@ export async function openEncryptor(
 export async function buildEncryptor(
   client: StarfishClient,
   keys: DeviceKeys,
-  spaceId: string,
+  keyringPullPath: string,
   trustedAdders: string[],
 ): Promise<Encryptor | null> {
   try {
-    return await openEncryptor(client, keys, spaceId, trustedAdders);
+    return await openEncryptor(client, keys, keyringPullPath, trustedAdders);
   } catch {
     return null;
   }
 }
 
 /**
- * Owner-side: create the SPACE keyring if missing, return an encryptor.
+ * Owner-side: create a per-node keyring if missing, return an encryptor.
+ *
+ * `keyringPullPath` / `keyringPushPath` are the full `/pull|push/.../_keyring`
+ * paths (e.g. from `keyringPull`/`keyringPush`).
  */
 export async function ownerEnsureKeyring(
   client: StarfishClient,
   keys: DeviceKeys,
-  spaceId: string,
+  keyringPullPath: string,
+  keyringPushPath: string,
   trustedAdders: string[] = [keys.edPub],
 ): Promise<Encryptor> {
-  const krRes = await client.pull(keyringPull(spaceId)).catch(() => null);
+  const krRes = await client.pull(keyringPullPath).catch(() => null);
   let keyring = krRes?.data as unknown as Keyring | undefined;
   if (!keyring || !keyring.epochs) {
     const created = await createKeyring({ edPrivHex: keys.edPriv, edPubHex: keys.edPub }, [
       { subKemHex: keys.kemPub },
     ]);
     keyring = created.keyring;
-    await client.push(keyringPush(spaceId), keyring as unknown as Record<string, unknown>, krRes?.hash ?? null);
+    await client.push(keyringPushPath, keyring as unknown as Record<string, unknown>, krRes?.hash ?? null);
   }
   const enc = await createKeyringEncryptor(
     keyring,