@dwk/remotestorage 0.1.0-beta.0

package/dist/jwt.js

@@ -0,0 +1,119 @@
+/**
+ * Minimal JWT decode and JWKS-based signature verification for the built-in
+ * bearer-token verifier.
+ *
+ * remoteStorage uses **plain OAuth 2.0 bearer tokens** (no DPoP); a deployment
+ * that issues self-contained JWT access tokens can have this package verify them
+ * directly against the issuer's public JWKS. The module decodes the compact JWS,
+ * selects the key by `kid`/`kty`, and verifies with Web Crypto; claim policy
+ * (issuer/audience/expiry/`scope`) lives in `auth.ts`.
+ *
+ * Only asymmetric algorithms are accepted. `HS*` and `none` are refused: an
+ * access token must be signed by the issuer's private key, never a symmetric
+ * secret a resource server could not safely hold.
+ */
+import { base64urlToBytes, base64urlToText } from "./encoding";
+// We avoid the DOM lib's algorithm-parameter type names (not declared by
+// @cloudflare/workers-types); these objects are accepted structurally by
+// crypto.subtle.importKey / verify, mirroring `@dwk/dpop` and `@dwk/solid-pod`.
+const ALGS = {
+    ES256: {
+        kty: "EC",
+        crv: "P-256",
+        importParams: { name: "ECDSA", namedCurve: "P-256" },
+        verifyParams: { name: "ECDSA", hash: "SHA-256" },
+    },
+    ES384: {
+        kty: "EC",
+        crv: "P-384",
+        importParams: { name: "ECDSA", namedCurve: "P-384" },
+        verifyParams: { name: "ECDSA", hash: "SHA-384" },
+    },
+    RS256: {
+        kty: "RSA",
+        importParams: { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+        verifyParams: { name: "RSASSA-PKCS1-v1_5" },
+    },
+    PS256: {
+        kty: "RSA",
+        importParams: { name: "RSA-PSS", hash: "SHA-256" },
+        verifyParams: { name: "RSA-PSS", saltLength: 32 },
+    },
+};
+function isObject(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+/**
+ * Decode a compact JWS into its header, payload, and signature. Returns `null`
+ * for anything that is not three base64url segments with JSON header/payload.
+ */
+export function decodeJwt(token) {
+    if (typeof token !== "string")
+        return null;
+    const segments = token.split(".");
+    if (segments.length !== 3)
+        return null;
+    const [headerSeg, payloadSeg, signatureSeg] = segments;
+    try {
+        const header = JSON.parse(base64urlToText(headerSeg));
+        const payload = JSON.parse(base64urlToText(payloadSeg));
+        if (!isObject(header) || !isObject(payload))
+            return null;
+        return {
+            header,
+            payload,
+            signingInput: `${headerSeg}.${payloadSeg}`,
+            signature: base64urlToBytes(signatureSeg),
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/** Whether a JWK could verify a signature under the given algorithm. */
+function keyMatchesAlg(jwk, spec) {
+    if (jwk.kty !== spec.kty)
+        return false;
+    if (spec.crv !== undefined && jwk.crv !== spec.crv)
+        return false;
+    return true;
+}
+/**
+ * Verify `decoded`'s signature against a JWKS. Selects the verification key by
+ * `kid` when the header carries one, otherwise tries every key compatible with
+ * the header `alg`. Returns `true` on the first key that verifies.
+ */
+export async function verifyJwtSignature(decoded, jwks) {
+    const alg = decoded.header.alg;
+    const spec = typeof alg === "string" ? ALGS[alg] : undefined;
+    if (!spec)
+        return false;
+    const kid = decoded.header.kid;
+    const compatible = jwks.filter((jwk) => keyMatchesAlg(jwk, spec));
+    // When the token names a `kid`, pin verification to the key(s) carrying it; a
+    // `kid` matching no JWKS key is rejected rather than verified against
+    // unrelated keys (which would silently weaken `kid` pinning). Only when the
+    // header omits `kid` do we try every alg-compatible key.
+    let candidates = compatible;
+    if (typeof kid === "string") {
+        candidates = compatible.filter((jwk) => jwk.kid === kid);
+        if (candidates.length === 0)
+            return false;
+    }
+    // The signing input is the same for every candidate key; encode it once.
+    const signingInput = new TextEncoder().encode(decoded.signingInput);
+    for (const jwk of candidates) {
+        try {
+            const key = await crypto.subtle.importKey("jwk", jwk, spec.importParams, false, ["verify"]);
+            const ok = await crypto.subtle.verify(spec.verifyParams, key, decoded.signature, signingInput);
+            if (ok)
+                return true;
+        }
+        catch {
+            // A key that fails to import (wrong shape) simply does not match; try the
+            // next candidate rather than aborting the whole verification.
+        }
+    }
+    return false;
+}
+//# sourceMappingURL=jwt.js.map

package/dist/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAY/D,yEAAyE;AACzE,yEAAyE;AACzE,gFAAgF;AAChF,MAAM,IAAI,GAAkC;IAC1C,KAAK,EAAE;QACL,GAAG,EAAE,IAAI;QACT,GAAG,EAAE,OAAO;QACZ,YAAY,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE;QACpD,YAAY,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE;KACjD;IACD,KAAK,EAAE;QACL,GAAG,EAAE,IAAI;QACT,GAAG,EAAE,OAAO;QACZ,YAAY,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE;QACpD,YAAY,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE;KACjD;IACD,KAAK,EAAE;QACL,GAAG,EAAE,KAAK;QACV,YAAY,EAAE,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,SAAS,EAAE;QAC5D,YAAY,EAAE,EAAE,IAAI,EAAE,mBAAmB,EAAE;KAC5C;IACD,KAAK,EAAE;QACL,GAAG,EAAE,KAAK;QACV,YAAY,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE;QAClD,YAAY,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,EAAE,EAAE;KAClD;CACF,CAAC;AAUF,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3C,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,QAI7C,CAAC;IACF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,SAAS,CAAC,CAAY,CAAC;QACjE,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,UAAU,CAAC,CAAY,CAAC;QACnE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;YAAE,OAAO,IAAI,CAAC;QACzD,OAAO;YACL,MAAM;YACN,OAAO;YACP,YAAY,EAAE,GAAG,SAAS,IAAI,UAAU,EAAE;YAC1C,SAAS,EAAE,gBAAgB,CAAC,YAAY,CAAC;SAC1C,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,wEAAwE;AACxE,SAAS,aAAa,CAAC,GAAe,EAAE,IAAa;IACnD,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IACvC,IAAI,IAAI,CAAC,GAAG,KAAK,SAAS,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IACjE,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,OAAmB,EACnB,IAA2B;IAE3B,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC;IAC/B,MAAM,IAAI,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAmB,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC7E,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAExB,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC;IAC/B,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;IAElE,8EAA8E;IAC9E,sEAAsE;IACtE,4EAA4E;IAC5E,yDAAyD;IACzD,IAAI,UAAU,GAAG,UAAU,CAAC;IAC5B,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,UAAU,GAAG,UAAU,CAAC,MAAM,CAC5B,CAAC,GAAG,EAAE,EAAE,CAAE,GAAyB,CAAC,GAAG,KAAK,GAAG,CAChD,CAAC;QACF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;IAC5C,CAAC;IAED,yEAAyE;IACzE,MAAM,YAAY,GAAG,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IACpE,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH,IAAI,CAAC,YAAY,EACjB,KAAK,EACL,CAAC,QAAQ,CAAC,CACX,CAAC;YACF,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACnC,IAAI,CAAC,YAAY,EACjB,GAAG,EACH,OAAO,CAAC,SAAS,EACjB,YAAY,CACb,CAAC;YACF,IAAI,EAAE;gBAAE,OAAO,IAAI,CAAC;QACtB,CAAC;QAAC,MAAM,CAAC;YACP,0EAA0E;YAC1E,8DAA8D;QAChE,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/log.d.ts

@@ -0,0 +1,29 @@
+/**
+ * `@dwk/remotestorage` — structured observability event taxonomy.
+ *
+ * The vault authenticates OAuth bearer tokens and enforces per-module scopes at
+ * the edge; an auth/authz decision that is silently swallowed is an operational
+ * blind spot. Logging and metrics are opt-in via an injected {@link Logger} and
+ * {@link Metrics} (see `@dwk/log`) wired **once at the composition boundary**
+ * (the stateless front door). They **share this one vocabulary**: the same
+ * dotted event name is passed to the logger and the metrics sink so a log line
+ * and its counter line up.
+ *
+ * Fields follow the redaction policy: only machine-readable reason codes, HTTP
+ * method/status, and a sanitized subject host — never tokens, scopes verbatim,
+ * resource paths, or bodies. See `spec/observability.md`.
+ *
+ * @packageDocumentation
+ */
+/** Stable event names emitted by `@dwk/remotestorage`. */
+export declare const RemoteStorageLogEvent: {
+    /** A presented bearer token failed verification. Field: `reason`. */
+    readonly AuthRejected: "remotestorage.auth.rejected";
+    /** A request authenticated successfully at the edge. Field: `subjectHost`. */
+    readonly AuthAccepted: "remotestorage.auth.accepted";
+    /** A request lacked the scope (or auth) for the target. Fields: `method`, `status` (401/403). */
+    readonly AccessDenied: "remotestorage.scope.denied";
+};
+/** Union of the event-name string literals in {@link RemoteStorageLogEvent}. */
+export type RemoteStorageLogEvent = (typeof RemoteStorageLogEvent)[keyof typeof RemoteStorageLogEvent];
+//# sourceMappingURL=log.d.ts.map

package/dist/log.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"log.d.ts","sourceRoot":"","sources":["../src/log.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,0DAA0D;AAC1D,eAAO,MAAM,qBAAqB;IAChC,qEAAqE;;IAErE,8EAA8E;;IAE9E,iGAAiG;;CAEzF,CAAC;AAEX,gFAAgF;AAChF,MAAM,MAAM,qBAAqB,GAC/B,CAAC,OAAO,qBAAqB,CAAC,CAAC,MAAM,OAAO,qBAAqB,CAAC,CAAC"}

package/dist/log.js

@@ -0,0 +1,27 @@
+/**
+ * `@dwk/remotestorage` — structured observability event taxonomy.
+ *
+ * The vault authenticates OAuth bearer tokens and enforces per-module scopes at
+ * the edge; an auth/authz decision that is silently swallowed is an operational
+ * blind spot. Logging and metrics are opt-in via an injected {@link Logger} and
+ * {@link Metrics} (see `@dwk/log`) wired **once at the composition boundary**
+ * (the stateless front door). They **share this one vocabulary**: the same
+ * dotted event name is passed to the logger and the metrics sink so a log line
+ * and its counter line up.
+ *
+ * Fields follow the redaction policy: only machine-readable reason codes, HTTP
+ * method/status, and a sanitized subject host — never tokens, scopes verbatim,
+ * resource paths, or bodies. See `spec/observability.md`.
+ *
+ * @packageDocumentation
+ */
+/** Stable event names emitted by `@dwk/remotestorage`. */
+export const RemoteStorageLogEvent = {
+    /** A presented bearer token failed verification. Field: `reason`. */
+    AuthRejected: "remotestorage.auth.rejected",
+    /** A request authenticated successfully at the edge. Field: `subjectHost`. */
+    AuthAccepted: "remotestorage.auth.accepted",
+    /** A request lacked the scope (or auth) for the target. Fields: `method`, `status` (401/403). */
+    AccessDenied: "remotestorage.scope.denied",
+};
+//# sourceMappingURL=log.js.map

package/dist/log.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"log.js","sourceRoot":"","sources":["../src/log.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,0DAA0D;AAC1D,MAAM,CAAC,MAAM,qBAAqB,GAAG;IACnC,qEAAqE;IACrE,YAAY,EAAE,6BAA6B;IAC3C,8EAA8E;IAC9E,YAAY,EAAE,6BAA6B;IAC3C,iGAAiG;IACjG,YAAY,EAAE,4BAA4B;CAClC,CAAC"}

package/dist/scope.d.ts

@@ -0,0 +1,54 @@
+/**
+ * The remoteStorage authorization model as pure, runtime-free logic: OAuth
+ * **scope** parsing, the module a storage path belongs to, and the read/write
+ * access decision. No Workers runtime, no store, no token verification — so it
+ * unit-tests in isolation and the front door and any future co-tenant share one
+ * audited rule set.
+ *
+ * remoteStorage scopes are space-delimited `<module>:<mode>` entries (draft
+ * §10): `mode` is `r` (read-only) or `rw` (read-write), and the module is a
+ * top-level folder name, or `*` for the whole vault. A module scope `m` grants
+ * access to both the private tree `/<m>/…` and the public tree `/public/<m>/…`.
+ */
+/** A granted access mode: read-only or read-write. */
+export type ScopeMode = "r" | "rw";
+/** A single parsed remoteStorage OAuth scope. */
+export interface RemoteStorageScope {
+    /** Top-level module (folder) name, or {@link ROOT_MODULE} for the whole vault. */
+    readonly module: string;
+    /** Whether the scope grants writes (`rw`) or reads only (`r`). */
+    readonly mode: ScopeMode;
+}
+/** The wildcard module name granting access to the entire vault. */
+export declare const ROOT_MODULE = "*";
+/**
+ * Parse a space-delimited OAuth `scope` string into remoteStorage scopes.
+ * Malformed entries (no `:`, empty module, or a mode other than `r`/`rw`) are
+ * dropped rather than failing the whole token, so an unrelated scope a client
+ * also requested cannot deny access to a valid one.
+ */
+export declare function parseScopes(raw: string | undefined | null): RemoteStorageScope[];
+/** Whether a request path targets a folder (the trailing-slash convention). */
+export declare function isFolderPath(path: string): boolean;
+/**
+ * Whether a path is a **publicly readable document**: it lives under `/public/`
+ * and is not itself a folder. Folder listings are never public, even under
+ * `/public/` (draft §10), so a trailing-slash path returns `false`.
+ */
+export declare function isPublicDocument(path: string): boolean;
+/**
+ * The top-level module a storage path belongs to, for scope matching. The
+ * leading `/public/` segment is transparent — `/public/photos/x` and
+ * `/photos/x` share the module `photos` — and the vault root (`/`, or
+ * `/public/`) maps to the empty module, which only the {@link ROOT_MODULE}
+ * (`*`) scope can reach.
+ */
+export declare function moduleForPath(path: string): string;
+/**
+ * Decide whether the granted `scopes` permit the requested access to `path`.
+ * `needWrite` selects read-vs-write: a write requires an `rw` scope, a read is
+ * satisfied by either. A scope matches when its module equals the path's module
+ * or is the `*` wildcard. The empty-module root (`/`) is reachable only via `*`.
+ */
+export declare function authorizeScopes(scopes: readonly RemoteStorageScope[], path: string, needWrite: boolean): boolean;
+//# sourceMappingURL=scope.d.ts.map

package/dist/scope.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope.d.ts","sourceRoot":"","sources":["../src/scope.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,sDAAsD;AACtD,MAAM,MAAM,SAAS,GAAG,GAAG,GAAG,IAAI,CAAC;AAEnC,iDAAiD;AACjD,MAAM,WAAW,kBAAkB;IACjC,kFAAkF;IAClF,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,kEAAkE;IAClE,QAAQ,CAAC,IAAI,EAAE,SAAS,CAAC;CAC1B;AAED,oEAAoE;AACpE,eAAO,MAAM,WAAW,MAAM,CAAC;AAE/B;;;;;GAKG;AACH,wBAAgB,WAAW,CACzB,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,GAC7B,kBAAkB,EAAE,CAatB;AAED,+EAA+E;AAC/E,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAElD;AAED;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEtD;AAED;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAOlD;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAC7B,MAAM,EAAE,SAAS,kBAAkB,EAAE,EACrC,IAAI,EAAE,MAAM,EACZ,SAAS,EAAE,OAAO,GACjB,OAAO,CAQT"}

package/dist/scope.js

@@ -0,0 +1,83 @@
+/**
+ * The remoteStorage authorization model as pure, runtime-free logic: OAuth
+ * **scope** parsing, the module a storage path belongs to, and the read/write
+ * access decision. No Workers runtime, no store, no token verification — so it
+ * unit-tests in isolation and the front door and any future co-tenant share one
+ * audited rule set.
+ *
+ * remoteStorage scopes are space-delimited `<module>:<mode>` entries (draft
+ * §10): `mode` is `r` (read-only) or `rw` (read-write), and the module is a
+ * top-level folder name, or `*` for the whole vault. A module scope `m` grants
+ * access to both the private tree `/<m>/…` and the public tree `/public/<m>/…`.
+ */
+/** The wildcard module name granting access to the entire vault. */
+export const ROOT_MODULE = "*";
+/**
+ * Parse a space-delimited OAuth `scope` string into remoteStorage scopes.
+ * Malformed entries (no `:`, empty module, or a mode other than `r`/`rw`) are
+ * dropped rather than failing the whole token, so an unrelated scope a client
+ * also requested cannot deny access to a valid one.
+ */
+export function parseScopes(raw) {
+    if (!raw)
+        return [];
+    const scopes = [];
+    for (const entry of raw.split(/\s+/)) {
+        if (entry === "")
+            continue;
+        const colon = entry.lastIndexOf(":");
+        if (colon <= 0)
+            continue;
+        const module = entry.slice(0, colon);
+        const mode = entry.slice(colon + 1);
+        if (mode !== "r" && mode !== "rw")
+            continue;
+        scopes.push({ module, mode });
+    }
+    return scopes;
+}
+/** Whether a request path targets a folder (the trailing-slash convention). */
+export function isFolderPath(path) {
+    return path.endsWith("/");
+}
+/**
+ * Whether a path is a **publicly readable document**: it lives under `/public/`
+ * and is not itself a folder. Folder listings are never public, even under
+ * `/public/` (draft §10), so a trailing-slash path returns `false`.
+ */
+export function isPublicDocument(path) {
+    return path.startsWith("/public/") && !isFolderPath(path);
+}
+/**
+ * The top-level module a storage path belongs to, for scope matching. The
+ * leading `/public/` segment is transparent — `/public/photos/x` and
+ * `/photos/x` share the module `photos` — and the vault root (`/`, or
+ * `/public/`) maps to the empty module, which only the {@link ROOT_MODULE}
+ * (`*`) scope can reach.
+ */
+export function moduleForPath(path) {
+    let rel = path.replace(/^\/+/, "");
+    if (rel === "public" || rel.startsWith("public/")) {
+        rel = rel.slice("public".length).replace(/^\/+/, "");
+    }
+    const slash = rel.indexOf("/");
+    return slash === -1 ? rel : rel.slice(0, slash);
+}
+/**
+ * Decide whether the granted `scopes` permit the requested access to `path`.
+ * `needWrite` selects read-vs-write: a write requires an `rw` scope, a read is
+ * satisfied by either. A scope matches when its module equals the path's module
+ * or is the `*` wildcard. The empty-module root (`/`) is reachable only via `*`.
+ */
+export function authorizeScopes(scopes, path, needWrite) {
+    const module = moduleForPath(path);
+    for (const scope of scopes) {
+        if (scope.module !== ROOT_MODULE && scope.module !== module)
+            continue;
+        if (needWrite && scope.mode !== "rw")
+            continue;
+        return true;
+    }
+    return false;
+}
+//# sourceMappingURL=scope.js.map

package/dist/scope.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scope.js","sourceRoot":"","sources":["../src/scope.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAaH,oEAAoE;AACpE,MAAM,CAAC,MAAM,WAAW,GAAG,GAAG,CAAC;AAE/B;;;;;GAKG;AACH,MAAM,UAAU,WAAW,CACzB,GAA8B;IAE9B,IAAI,CAAC,GAAG;QAAE,OAAO,EAAE,CAAC;IACpB,MAAM,MAAM,GAAyB,EAAE,CAAC;IACxC,KAAK,MAAM,KAAK,IAAI,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;QACrC,IAAI,KAAK,KAAK,EAAE;YAAE,SAAS;QAC3B,MAAM,KAAK,GAAG,KAAK,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,KAAK,IAAI,CAAC;YAAE,SAAS;QACzB,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;QACrC,MAAM,IAAI,GAAG,KAAK,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC;QACpC,IAAI,IAAI,KAAK,GAAG,IAAI,IAAI,KAAK,IAAI;YAAE,SAAS;QAC5C,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;IAChC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,+EAA+E;AAC/E,MAAM,UAAU,YAAY,CAAC,IAAY;IACvC,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;AAC5B,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,gBAAgB,CAAC,IAAY;IAC3C,OAAO,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;AAC5D,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,aAAa,CAAC,IAAY;IACxC,IAAI,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACnC,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAClD,GAAG,GAAG,GAAG,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IACvD,CAAC;IACD,MAAM,KAAK,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAC/B,OAAO,KAAK,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;AAClD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAC7B,MAAqC,EACrC,IAAY,EACZ,SAAkB;IAElB,MAAM,MAAM,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC;IACnC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,IAAI,KAAK,CAAC,MAAM,KAAK,WAAW,IAAI,KAAK,CAAC,MAAM,KAAK,MAAM;YAAE,SAAS;QACtE,IAAI,SAAS,IAAI,KAAK,CAAC,IAAI,KAAK,IAAI;YAAE,SAAS;QAC/C,OAAO,IAAI,CAAC;IACd,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/storage.d.ts

@@ -0,0 +1,22 @@
+/**
+ * The per-account Durable Object: the single-threaded consistency authority for
+ * one remoteStorage vault.
+ *
+ * The stateless front door (`handler.ts`) authenticates the bearer token and
+ * enforces per-module scopes at the edge, then forwards already-authorized
+ * requests here, where Cloudflare guarantees one thread per account. Everything
+ * that must be strongly consistent — document GET/PUT/DELETE, conditional
+ * (`If-Match`/`If-None-Match`) writes, document↔folder conflict detection, the
+ * virtual folder listing and its aggregate ETag, and R2 copy-on-write through
+ * `@dwk/store` — happens here. This object reuses `@dwk/store` exactly as
+ * `@dwk/solid-pod` does (same library, same storage primitives); the only Solid
+ * facility it leans on beyond the blob tier is the generic `list(prefix)`
+ * projection. Consumers bind this class as a Durable Object namespace.
+ */
+import { DurableObject } from "cloudflare:workers";
+import { type RemoteStorageEnv } from "./config";
+export declare class RemoteStorageObject extends DurableObject<RemoteStorageEnv> {
+    #private;
+    fetch(request: Request): Promise<Response>;
+}
+//# sourceMappingURL=storage.d.ts.map

package/dist/storage.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"storage.d.ts","sourceRoot":"","sources":["../src/storage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAWnD,OAAO,EAAoB,KAAK,gBAAgB,EAAE,MAAM,UAAU,CAAC;AAyBnE,qBAAa,mBAAoB,SAAQ,aAAa,CAAC,gBAAgB,CAAC;;IAevD,KAAK,CAAC,OAAO,EAAE,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC;CAyO1D"}