@dwk/solid-pod 0.1.0-beta.0

package/dist/gc.d.ts

@@ -0,0 +1,22 @@
+/**
+ * The R2 garbage-collection cron handler.
+ *
+ * Each pod's Durable Object forwards its orphaned blob keys (copy-on-write
+ * displacements and deletes) into a shared D1 table as it writes. This handler
+ * — wired to a Cloudflare cron trigger — reclaims those R2 objects once they
+ * are older than a safety window ≥ the maximum write duration, touching only D1
+ * and R2 and never waking a Durable Object. The reclamation logic lives in
+ * `@dwk/store`; this is the thin endpoint wiring.
+ */
+import { type SolidPodConfig, type SolidPodGcEnv } from "./config";
+/** A `scheduled`-compatible cron handler for R2 blob garbage collection. */
+export type SolidPodGcHandler = (event: ScheduledController, env: SolidPodGcEnv, ctx: ExecutionContext) => Promise<void>;
+/**
+ * Create the cron handler that reclaims orphaned R2 blobs. Bind it to a
+ * `scheduled` trigger alongside the pod Worker; it shares the same `BLOBS`
+ * bucket and the `GC_DB` D1 database the DO forwards orphans into.
+ *
+ * Fails loudly when the required `BLOBS` / `GC_DB` bindings are missing.
+ */
+export declare function createSolidPodGc(config: SolidPodConfig): SolidPodGcHandler;
+//# sourceMappingURL=gc.d.ts.map

package/dist/gc.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gc.d.ts","sourceRoot":"","sources":["../src/gc.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,EAEL,KAAK,cAAc,EACnB,KAAK,aAAa,EACnB,MAAM,UAAU,CAAC;AAElB,4EAA4E;AAC5E,MAAM,MAAM,iBAAiB,GAAG,CAC9B,KAAK,EAAE,mBAAmB,EAC1B,GAAG,EAAE,aAAa,EAClB,GAAG,EAAE,gBAAgB,KAClB,OAAO,CAAC,IAAI,CAAC,CAAC;AAEnB;;;;;;GAMG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,cAAc,GAAG,iBAAiB,CAa1E"}

package/dist/gc.js

@@ -0,0 +1,33 @@
+/**
+ * The R2 garbage-collection cron handler.
+ *
+ * Each pod's Durable Object forwards its orphaned blob keys (copy-on-write
+ * displacements and deletes) into a shared D1 table as it writes. This handler
+ * — wired to a Cloudflare cron trigger — reclaims those R2 objects once they
+ * are older than a safety window ≥ the maximum write duration, touching only D1
+ * and R2 and never waking a Durable Object. The reclamation logic lives in
+ * `@dwk/store`; this is the thin endpoint wiring.
+ */
+import { collectGarbage, ensureGcSchema } from "@dwk/store";
+import { resolveConfig, } from "./config";
+/**
+ * Create the cron handler that reclaims orphaned R2 blobs. Bind it to a
+ * `scheduled` trigger alongside the pod Worker; it shares the same `BLOBS`
+ * bucket and the `GC_DB` D1 database the DO forwards orphans into.
+ *
+ * Fails loudly when the required `BLOBS` / `GC_DB` bindings are missing.
+ */
+export function createSolidPodGc(config) {
+    const resolved = resolveConfig(config);
+    return async (_event, env, _ctx) => {
+        if (!env.BLOBS) {
+            throw new Error("@dwk/solid-pod: GC requires the `BLOBS` R2 binding");
+        }
+        if (!env.GC_DB) {
+            throw new Error("@dwk/solid-pod: GC requires the `GC_DB` D1 binding");
+        }
+        await ensureGcSchema(env.GC_DB);
+        await collectGarbage(env, { safetyWindowMs: resolved.gcSafetyWindowMs });
+    };
+}
+//# sourceMappingURL=gc.js.map

package/dist/gc.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"gc.js","sourceRoot":"","sources":["../src/gc.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,cAAc,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAE5D,OAAO,EACL,aAAa,GAGd,MAAM,UAAU,CAAC;AASlB;;;;;;GAMG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAsB;IACrD,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAEvC,OAAO,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QACjC,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;QACxE,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;QACxE,CAAC;QACD,MAAM,cAAc,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAChC,MAAM,cAAc,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,QAAQ,CAAC,gBAAgB,EAAE,CAAC,CAAC;IAC3E,CAAC,CAAC;AACJ,CAAC"}

package/dist/handler.d.ts

@@ -0,0 +1,20 @@
+/**
+ * The stateless Solid Pod front door.
+ *
+ * It authenticates DPoP-bound bearer tokens at the edge (`auth.ts`), then hands
+ * the request — augmented with the verified agent facts via internal headers —
+ * to the per-pod Durable Object, which owns all consistency, authorization, and
+ * notification logic. v1 runs a single Durable Object per `baseUrl` (no
+ * sharding). The handler is mountable under any path prefix because it routes
+ * purely on the request URL.
+ */
+import { type SolidPodConfig, type SolidPodEnv } from "./config";
+/** A `fetch`-compatible Worker handler. */
+export type SolidPodHandler = (request: Request, env: SolidPodEnv, ctx: ExecutionContext) => Promise<Response>;
+/**
+ * Create the stateless Solid Pod front-door handler. Writes funnel through the
+ * per-pod {@link SolidPodObject}; reads and notifications likewise route through
+ * it so the DO remains the single consistency authority.
+ */
+export declare function createSolidPod(config: SolidPodConfig): SolidPodHandler;
+//# sourceMappingURL=handler.d.ts.map

package/dist/handler.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.d.ts","sourceRoot":"","sources":["../src/handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,EAIL,KAAK,cAAc,EACnB,KAAK,WAAW,EACjB,MAAM,UAAU,CAAC;AAIlB,2CAA2C;AAC3C,MAAM,MAAM,eAAe,GAAG,CAC5B,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,WAAW,EAChB,GAAG,EAAE,gBAAgB,KAClB,OAAO,CAAC,QAAQ,CAAC,CAAC;AA0IvB;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,MAAM,EAAE,cAAc,GAAG,eAAe,CA2BtE"}

package/dist/handler.js

@@ -0,0 +1,155 @@
+/**
+ * The stateless Solid Pod front door.
+ *
+ * It authenticates DPoP-bound bearer tokens at the edge (`auth.ts`), then hands
+ * the request — augmented with the verified agent facts via internal headers —
+ * to the per-pod Durable Object, which owns all consistency, authorization, and
+ * notification logic. v1 runs a single Durable Object per `baseUrl` (no
+ * sharding). The handler is mountable under any path prefix because it routes
+ * purely on the request URL.
+ */
+import { hostFromUrl } from "@dwk/log";
+import { INTERNAL_HEADERS, resolveConfig, } from "./config";
+import { authenticate } from "./auth";
+import { PodOutcome, SolidPodLogEvent } from "./log";
+/** Client headers that are safe to forward verbatim to the Durable Object. */
+const FORWARDED_HEADERS = [
+    "accept",
+    "content-type",
+    "content-length",
+    "if-match",
+    "if-none-match",
+    "slug",
+    "link",
+    "origin",
+    "upgrade",
+    "sec-websocket-key",
+    "sec-websocket-version",
+    "sec-websocket-protocol",
+    "sec-websocket-extensions",
+];
+/** Fail loudly if a required Cloudflare binding is missing (no silent degradation). */
+function assertBindings(env) {
+    if (!env.POD) {
+        throw new Error("@dwk/solid-pod: missing required Durable Object binding `POD`");
+    }
+    if (!env.BLOBS) {
+        throw new Error("@dwk/solid-pod: missing required R2 binding `BLOBS`");
+    }
+}
+/** Build the internal DO request, stripping any client-supplied auth headers. */
+function internalRequest(request, config, auth) {
+    const headers = new Headers();
+    for (const name of FORWARDED_HEADERS) {
+        const value = request.headers.get(name);
+        if (value !== null)
+            headers.set(name, value);
+    }
+    // The DO trusts these headers, so they are always set by us — never passed
+    // through from the client.
+    if (auth) {
+        headers.set(INTERNAL_HEADERS.webid, auth.webid);
+        headers.set(INTERNAL_HEADERS.jti, auth.jti);
+        headers.set(INTERNAL_HEADERS.jkt, auth.jkt);
+    }
+    headers.set(INTERNAL_HEADERS.config, JSON.stringify({
+        owners: config.owners,
+        allowAnonymousWrites: config.allowAnonymousWrites,
+        ...(config.maxInlineBytes !== undefined
+            ? { maxInlineBytes: config.maxInlineBytes }
+            : {}),
+    }));
+    const method = request.method.toUpperCase();
+    const hasBody = method !== "GET" && method !== "HEAD";
+    return new Request(request.url, {
+        method: request.method,
+        headers,
+        ...(hasBody ? { body: request.body } : {}),
+    });
+}
+/** A `401` with the DPoP challenge and a machine-readable failure reason. */
+function unauthorized(reason) {
+    return new Response("Unauthorized", {
+        status: 401,
+        headers: {
+            "content-type": "text/plain; charset=utf-8",
+            "www-authenticate": `DPoP realm="solid", error="invalid_token", error_description="${reason}"`,
+        },
+    });
+}
+/**
+ * Emit a structured event on both the logger and the metrics seam, which share
+ * one event vocabulary (see `@dwk/log`): `warn` for handled-but-notable
+ * rejections, `info` for normal outcomes. Honors the redaction policy — callers
+ * pass only reason codes, HTTP method/status, and sanitized hosts.
+ */
+function emit(config, level, event, fields) {
+    config.logger[level](event, fields);
+    config.metrics.count(event, fields);
+}
+/**
+ * Translate the Durable Object's internal authorization-outcome header into the
+ * matching {@link SolidPodLogEvent} on the injected seams, then strip the header
+ * before the response reaches the client. The DO cannot hold the injected
+ * logger/metrics (they do not cross the isolate boundary), so it signals its WAC
+ * denial / anonymous-write refusal / replay rejection here, at the composition
+ * boundary, where the seams are wired. Responses without the header (including
+ * WebSocket upgrades) pass through untouched.
+ */
+function logPodOutcome(config, request, response) {
+    const outcome = response.headers.get(INTERNAL_HEADERS.outcome);
+    if (!outcome)
+        return response;
+    const method = request.method;
+    switch (outcome) {
+        case PodOutcome.WacDenied:
+            emit(config, "warn", SolidPodLogEvent.AccessDenied, {
+                method,
+                status: response.status,
+            });
+            break;
+        case PodOutcome.AnonymousWriteRefused:
+            emit(config, "warn", SolidPodLogEvent.AnonymousWriteRefused, { method });
+            break;
+        case PodOutcome.Replay:
+            emit(config, "warn", SolidPodLogEvent.ReplayRejected, { method });
+            break;
+    }
+    const headers = new Headers(response.headers);
+    headers.delete(INTERNAL_HEADERS.outcome);
+    return new Response(response.body, {
+        status: response.status,
+        statusText: response.statusText,
+        headers,
+    });
+}
+/**
+ * Create the stateless Solid Pod front-door handler. Writes funnel through the
+ * per-pod {@link SolidPodObject}; reads and notifications likewise route through
+ * it so the DO remains the single consistency authority.
+ */
+export function createSolidPod(config) {
+    const resolved = resolveConfig(config);
+    return async (request, env, _ctx) => {
+        assertBindings(env);
+        const result = await authenticate(request, resolved);
+        if (result.kind === "rejected") {
+            emit(resolved, "warn", SolidPodLogEvent.AuthRejected, {
+                reason: result.reason,
+            });
+            return unauthorized(result.reason);
+        }
+        const auth = result.kind === "authenticated" ? result.context : null;
+        if (auth) {
+            emit(resolved, "info", SolidPodLogEvent.AuthAccepted, {
+                agentHost: hostFromUrl(auth.webid),
+            });
+        }
+        const forwarded = internalRequest(request, resolved, auth);
+        // One Durable Object per pod, keyed by the identity root (no sharding).
+        const id = env.POD.idFromName(resolved.baseUrl);
+        const response = await env.POD.get(id).fetch(forwarded);
+        return logPodOutcome(resolved, request, response);
+    };
+}
+//# sourceMappingURL=handler.js.map

package/dist/handler.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"handler.js","sourceRoot":"","sources":["../src/handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAE,WAAW,EAAkB,MAAM,UAAU,CAAC;AAEvD,OAAO,EACL,gBAAgB,EAChB,aAAa,GAId,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,YAAY,EAAE,MAAM,QAAQ,CAAC;AACtC,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,MAAM,OAAO,CAAC;AASrD,8EAA8E;AAC9E,MAAM,iBAAiB,GAAG;IACxB,QAAQ;IACR,cAAc;IACd,gBAAgB;IAChB,UAAU;IACV,eAAe;IACf,MAAM;IACN,MAAM;IACN,QAAQ;IACR,SAAS;IACT,mBAAmB;IACnB,uBAAuB;IACvB,wBAAwB;IACxB,0BAA0B;CAClB,CAAC;AAEX,uFAAuF;AACvF,SAAS,cAAc,CAAC,GAAgB;IACtC,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CACb,+DAA+D,CAChE,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,CAAC;QACf,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;IACzE,CAAC;AACH,CAAC;AAED,iFAAiF;AACjF,SAAS,eAAe,CACtB,OAAgB,EAChB,MAAsB,EACtB,IAAwD;IAExD,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;IAC9B,KAAK,MAAM,IAAI,IAAI,iBAAiB,EAAE,CAAC;QACrC,MAAM,KAAK,GAAG,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;QACxC,IAAI,KAAK,KAAK,IAAI;YAAE,OAAO,CAAC,GAAG,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IAC/C,CAAC;IACD,2EAA2E;IAC3E,2BAA2B;IAC3B,IAAI,IAAI,EAAE,CAAC;QACT,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,CAAC,CAAC;QAChD,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,GAAG,CAAC,CAAC;IAC9C,CAAC;IACD,OAAO,CAAC,GAAG,CACT,gBAAgB,CAAC,MAAM,EACvB,IAAI,CAAC,SAAS,CAAC;QACb,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,oBAAoB,EAAE,MAAM,CAAC,oBAAoB;QACjD,GAAG,CAAC,MAAM,CAAC,cAAc,KAAK,SAAS;YACrC,CAAC,CAAC,EAAE,cAAc,EAAE,MAAM,CAAC,cAAc,EAAE;YAC3C,CAAC,CAAC,EAAE,CAAC;KACR,CAAC,CACH,CAAC;IAEF,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC;IAC5C,MAAM,OAAO,GAAG,MAAM,KAAK,KAAK,IAAI,MAAM,KAAK,MAAM,CAAC;IACtD,OAAO,IAAI,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE;QAC9B,MAAM,EAAE,OAAO,CAAC,MAAM;QACtB,OAAO;QACP,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAC3C,CAAC,CAAC;AACL,CAAC;AAED,6EAA6E;AAC7E,SAAS,YAAY,CAAC,MAAc;IAClC,OAAO,IAAI,QAAQ,CAAC,cAAc,EAAE;QAClC,MAAM,EAAE,GAAG;QACX,OAAO,EAAE;YACP,cAAc,EAAE,2BAA2B;YAC3C,kBAAkB,EAAE,iEAAiE,MAAM,GAAG;SAC/F;KACF,CAAC,CAAC;AACL,CAAC;AAED;;;;;GAKG;AACH,SAAS,IAAI,CACX,MAAsB,EACtB,KAAsB,EACtB,KAAa,EACb,MAAkB;IAElB,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;IACpC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC;AACtC,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,aAAa,CACpB,MAAsB,EACtB,OAAgB,EAChB,QAAkB;IAElB,MAAM,OAAO,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;IAC/D,IAAI,CAAC,OAAO;QAAE,OAAO,QAAQ,CAAC;IAE9B,MAAM,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IAC9B,QAAQ,OAAO,EAAE,CAAC;QAChB,KAAK,UAAU,CAAC,SAAS;YACvB,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,gBAAgB,CAAC,YAAY,EAAE;gBAClD,MAAM;gBACN,MAAM,EAAE,QAAQ,CAAC,MAAM;aACxB,CAAC,CAAC;YACH,MAAM;QACR,KAAK,UAAU,CAAC,qBAAqB;YACnC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,gBAAgB,CAAC,qBAAqB,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;YACzE,MAAM;QACR,KAAK,UAAU,CAAC,MAAM;YACpB,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,gBAAgB,CAAC,cAAc,EAAE,EAAE,MAAM,EAAE,CAAC,CAAC;YAClE,MAAM;IACV,CAAC;IAED,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IAC9C,OAAO,CAAC,MAAM,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAC;IACzC,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE;QACjC,MAAM,EAAE,QAAQ,CAAC,MAAM;QACvB,UAAU,EAAE,QAAQ,CAAC,UAAU;QAC/B,OAAO;KACR,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,cAAc,CAAC,MAAsB;IACnD,MAAM,QAAQ,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAEvC,OAAO,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE;QAClC,cAAc,CAAC,GAAG,CAAC,CAAC;QAEpB,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QACrD,IAAI,MAAM,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;YAC/B,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,gBAAgB,CAAC,YAAY,EAAE;gBACpD,MAAM,EAAE,MAAM,CAAC,MAAM;aACtB,CAAC,CAAC;YACH,OAAO,YAAY,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;QACrC,CAAC;QAED,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI,KAAK,eAAe,CAAC,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC;QACrE,IAAI,IAAI,EAAE,CAAC;YACT,IAAI,CAAC,QAAQ,EAAE,MAAM,EAAE,gBAAgB,CAAC,YAAY,EAAE;gBACpD,SAAS,EAAE,WAAW,CAAC,IAAI,CAAC,KAAK,CAAC;aACnC,CAAC,CAAC;QACL,CAAC;QACD,MAAM,SAAS,GAAG,eAAe,CAAC,OAAO,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;QAE3D,wEAAwE;QACxE,MAAM,EAAE,GAAG,GAAG,CAAC,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAChD,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;QACxD,OAAO,aAAa,CAAC,QAAQ,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC;IACpD,CAAC,CAAC;AACJ,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,24 @@
+/**
+ * `@dwk/solid-pod` — edge-native Solid Pod.
+ *
+ * A stateless Worker front door over a per-pod Durable Object that is the
+ * consistency, authz, and notification authority, with R2 for blob bodies. This
+ * is the only `@dwk` package that ships a Durable Object.
+ *
+ * The package is **not** protocol-agnostic: it is the Solid Protocol endpoint,
+ * composing the reusable libs `@dwk/dpop` (edge DPoP validation), `@dwk/rdf`
+ * (Turtle/JSON-LD content negotiation), `@dwk/wac` (access control), and
+ * `@dwk/store` (DO-SQLite quads + R2 copy-on-write blobs). v1 is a **Resource
+ * Server only** (no OIDC OP) and runs **one Durable Object per pod** (no
+ * sharding).
+ *
+ * @see spec/packages/solid-pod.md
+ * @packageDocumentation
+ */
+export { createSolidPod, type SolidPodHandler } from "./handler";
+export { createSolidPodGc, type SolidPodGcHandler } from "./gc";
+export { SolidPodObject } from "./pod";
+export { type SolidPodConfig, type SolidPodEnv, type SolidPodGcEnv, type AuthContext, type Jwks, } from "./config";
+export { SolidPodLogEvent } from "./log";
+export type { Logger, Metrics } from "@dwk/log";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,cAAc,EAAE,KAAK,eAAe,EAAE,MAAM,WAAW,CAAC;AACjE,OAAO,EAAE,gBAAgB,EAAE,KAAK,iBAAiB,EAAE,MAAM,MAAM,CAAC;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,OAAO,CAAC;AAEvC,OAAO,EACL,KAAK,cAAc,EACnB,KAAK,WAAW,EAChB,KAAK,aAAa,EAClB,KAAK,WAAW,EAChB,KAAK,IAAI,GACV,MAAM,UAAU,CAAC;AAElB,OAAO,EAAE,gBAAgB,EAAE,MAAM,OAAO,CAAC;AACzC,YAAY,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC"}

package/dist/index.js

@@ -0,0 +1,23 @@
+/**
+ * `@dwk/solid-pod` — edge-native Solid Pod.
+ *
+ * A stateless Worker front door over a per-pod Durable Object that is the
+ * consistency, authz, and notification authority, with R2 for blob bodies. This
+ * is the only `@dwk` package that ships a Durable Object.
+ *
+ * The package is **not** protocol-agnostic: it is the Solid Protocol endpoint,
+ * composing the reusable libs `@dwk/dpop` (edge DPoP validation), `@dwk/rdf`
+ * (Turtle/JSON-LD content negotiation), `@dwk/wac` (access control), and
+ * `@dwk/store` (DO-SQLite quads + R2 copy-on-write blobs). v1 is a **Resource
+ * Server only** (no OIDC OP) and runs **one Durable Object per pod** (no
+ * sharding).
+ *
+ * @see spec/packages/solid-pod.md
+ * @packageDocumentation
+ */
+export { createSolidPod } from "./handler";
+export { createSolidPodGc } from "./gc";
+export { SolidPodObject } from "./pod";
+export {} from "./config";
+export { SolidPodLogEvent } from "./log";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAE,cAAc,EAAwB,MAAM,WAAW,CAAC;AACjE,OAAO,EAAE,gBAAgB,EAA0B,MAAM,MAAM,CAAC;AAChE,OAAO,EAAE,cAAc,EAAE,MAAM,OAAO,CAAC;AAEvC,OAAO,EAMN,MAAM,UAAU,CAAC;AAElB,OAAO,EAAE,gBAAgB,EAAE,MAAM,OAAO,CAAC"}

package/dist/jwt.d.ts

@@ -0,0 +1,36 @@
+/**
+ * Minimal JWT decode and JWKS-based signature verification for the Resource
+ * Server edge.
+ *
+ * Solid-OIDC access tokens are asymmetrically signed by the issuer (the OP), so
+ * — unlike `@dwk/indieauth`'s HS256 self-issued tokens — verification needs the
+ * issuer's public JWKS rather than a shared secret. This module decodes the
+ * compact JWS, selects the key by `kid`/`kty`, and verifies the signature with
+ * Web Crypto. It performs no claim policy (issuer/audience/expiry) itself; that
+ * lives in `auth.ts`.
+ *
+ * Only asymmetric algorithms are accepted. `HS*` and `none` are refused: an
+ * access token must be signed by the issuer's private key, never a symmetric
+ * secret an RS could not safely hold.
+ */
+/** Asymmetric JOSE algorithms accepted for issuer-signed access tokens. */
+export type JwtAlgorithm = "ES256" | "ES384" | "RS256" | "PS256";
+/** A decoded JWT: its header, claims, and the raw segments for verification. */
+export interface DecodedJwt {
+    readonly header: Record<string, unknown>;
+    readonly payload: Record<string, unknown>;
+    readonly signingInput: string;
+    readonly signature: Uint8Array;
+}
+/**
+ * Decode a compact JWS into its header, payload, and signature. Returns `null`
+ * for anything that is not three base64url segments with JSON header/payload.
+ */
+export declare function decodeJwt(token: string): DecodedJwt | null;
+/**
+ * Verify `decoded`'s signature against a JWKS. Selects the verification key by
+ * `kid` when the header carries one, otherwise tries every key compatible with
+ * the header `alg`. Returns `true` on the first key that verifies.
+ */
+export declare function verifyJwtSignature(decoded: DecodedJwt, jwks: readonly JsonWebKey[]): Promise<boolean>;
+//# sourceMappingURL=jwt.d.ts.map

package/dist/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAIH,2EAA2E;AAC3E,MAAM,MAAM,YAAY,GAAG,OAAO,GAAG,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;AA+CjE,gFAAgF;AAChF,MAAM,WAAW,UAAU;IACzB,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACzC,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC1C,QAAQ,CAAC,YAAY,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,SAAS,EAAE,UAAU,CAAC;CAChC;AAMD;;;GAGG;AACH,wBAAgB,SAAS,CAAC,KAAK,EAAE,MAAM,GAAG,UAAU,GAAG,IAAI,CAsB1D;AASD;;;;GAIG;AACH,wBAAsB,kBAAkB,CACtC,OAAO,EAAE,UAAU,EACnB,IAAI,EAAE,SAAS,UAAU,EAAE,GAC1B,OAAO,CAAC,OAAO,CAAC,CA4ClB"}

package/dist/jwt.js

@@ -0,0 +1,120 @@
+/**
+ * Minimal JWT decode and JWKS-based signature verification for the Resource
+ * Server edge.
+ *
+ * Solid-OIDC access tokens are asymmetrically signed by the issuer (the OP), so
+ * — unlike `@dwk/indieauth`'s HS256 self-issued tokens — verification needs the
+ * issuer's public JWKS rather than a shared secret. This module decodes the
+ * compact JWS, selects the key by `kid`/`kty`, and verifies the signature with
+ * Web Crypto. It performs no claim policy (issuer/audience/expiry) itself; that
+ * lives in `auth.ts`.
+ *
+ * Only asymmetric algorithms are accepted. `HS*` and `none` are refused: an
+ * access token must be signed by the issuer's private key, never a symmetric
+ * secret an RS could not safely hold.
+ */
+import { base64urlToBytes, base64urlToText } from "./encoding";
+// We avoid the DOM lib's algorithm-parameter type names (not declared by
+// @cloudflare/workers-types); these objects are accepted structurally by
+// crypto.subtle.importKey / verify, mirroring the approach in `@dwk/dpop`.
+const ALGS = {
+    ES256: {
+        kty: "EC",
+        crv: "P-256",
+        importParams: { name: "ECDSA", namedCurve: "P-256" },
+        verifyParams: { name: "ECDSA", hash: "SHA-256" },
+    },
+    ES384: {
+        kty: "EC",
+        crv: "P-384",
+        importParams: { name: "ECDSA", namedCurve: "P-384" },
+        verifyParams: { name: "ECDSA", hash: "SHA-384" },
+    },
+    RS256: {
+        kty: "RSA",
+        importParams: { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+        verifyParams: { name: "RSASSA-PKCS1-v1_5" },
+    },
+    PS256: {
+        kty: "RSA",
+        importParams: { name: "RSA-PSS", hash: "SHA-256" },
+        verifyParams: { name: "RSA-PSS", saltLength: 32 },
+    },
+};
+function isObject(value) {
+    return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+/**
+ * Decode a compact JWS into its header, payload, and signature. Returns `null`
+ * for anything that is not three base64url segments with JSON header/payload.
+ */
+export function decodeJwt(token) {
+    if (typeof token !== "string")
+        return null;
+    const segments = token.split(".");
+    if (segments.length !== 3)
+        return null;
+    const [headerSeg, payloadSeg, signatureSeg] = segments;
+    try {
+        const header = JSON.parse(base64urlToText(headerSeg));
+        const payload = JSON.parse(base64urlToText(payloadSeg));
+        if (!isObject(header) || !isObject(payload))
+            return null;
+        return {
+            header,
+            payload,
+            signingInput: `${headerSeg}.${payloadSeg}`,
+            signature: base64urlToBytes(signatureSeg),
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/** Whether a JWK could verify a signature under the given algorithm. */
+function keyMatchesAlg(jwk, spec) {
+    if (jwk.kty !== spec.kty)
+        return false;
+    if (spec.crv !== undefined && jwk.crv !== spec.crv)
+        return false;
+    return true;
+}
+/**
+ * Verify `decoded`'s signature against a JWKS. Selects the verification key by
+ * `kid` when the header carries one, otherwise tries every key compatible with
+ * the header `alg`. Returns `true` on the first key that verifies.
+ */
+export async function verifyJwtSignature(decoded, jwks) {
+    const alg = decoded.header.alg;
+    const spec = typeof alg === "string" ? ALGS[alg] : undefined;
+    if (!spec)
+        return false;
+    const kid = decoded.header.kid;
+    const compatible = jwks.filter((jwk) => keyMatchesAlg(jwk, spec));
+    // When the token names a `kid`, pin verification to the key(s) carrying it.
+    // A token that names a `kid` matching no JWKS key is rejected rather than
+    // verified against unrelated keys: trying other keys would silently weaken
+    // `kid` pinning (a token claiming an unknown key still passing). Only when
+    // the header omits `kid` do we try every alg-compatible key.
+    let candidates = compatible;
+    if (typeof kid === "string") {
+        // `kid` is not in the standard JsonWebKey type but is carried by JWKS keys.
+        candidates = compatible.filter((jwk) => jwk.kid === kid);
+        if (candidates.length === 0)
+            return false;
+    }
+    for (const jwk of candidates) {
+        try {
+            const key = await crypto.subtle.importKey("jwk", jwk, spec.importParams, false, ["verify"]);
+            const ok = await crypto.subtle.verify(spec.verifyParams, key, decoded.signature, new TextEncoder().encode(decoded.signingInput));
+            if (ok)
+                return true;
+        }
+        catch {
+            // A key that fails to import (wrong shape) simply does not match; try
+            // the next candidate rather than aborting the whole verification.
+        }
+    }
+    return false;
+}
+//# sourceMappingURL=jwt.js.map

package/dist/jwt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.js","sourceRoot":"","sources":["../src/jwt.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAsB/D,yEAAyE;AACzE,yEAAyE;AACzE,2EAA2E;AAC3E,MAAM,IAAI,GAAkC;IAC1C,KAAK,EAAE;QACL,GAAG,EAAE,IAAI;QACT,GAAG,EAAE,OAAO;QACZ,YAAY,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE;QACpD,YAAY,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE;KACjD;IACD,KAAK,EAAE;QACL,GAAG,EAAE,IAAI;QACT,GAAG,EAAE,OAAO;QACZ,YAAY,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE;QACpD,YAAY,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE;KACjD;IACD,KAAK,EAAE;QACL,GAAG,EAAE,KAAK;QACV,YAAY,EAAE,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,SAAS,EAAE;QAC5D,YAAY,EAAE,EAAE,IAAI,EAAE,mBAAmB,EAAE;KAC5C;IACD,KAAK,EAAE;QACL,GAAG,EAAE,KAAK;QACV,YAAY,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,SAAS,EAAE;QAClD,YAAY,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,EAAE,EAAE;KAClD;CACF,CAAC;AAUF,SAAS,QAAQ,CAAC,KAAc;IAC9B,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC9E,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,SAAS,CAAC,KAAa;IACrC,IAAI,OAAO,KAAK,KAAK,QAAQ;QAAE,OAAO,IAAI,CAAC;IAC3C,MAAM,QAAQ,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACvC,MAAM,CAAC,SAAS,EAAE,UAAU,EAAE,YAAY,CAAC,GAAG,QAI7C,CAAC;IACF,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,SAAS,CAAC,CAAY,CAAC;QACjE,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,UAAU,CAAC,CAAY,CAAC;QACnE,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;YAAE,OAAO,IAAI,CAAC;QACzD,OAAO;YACL,MAAM;YACN,OAAO;YACP,YAAY,EAAE,GAAG,SAAS,IAAI,UAAU,EAAE;YAC1C,SAAS,EAAE,gBAAgB,CAAC,YAAY,CAAC;SAC1C,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,wEAAwE;AACxE,SAAS,aAAa,CAAC,GAAe,EAAE,IAAa;IACnD,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IACvC,IAAI,IAAI,CAAC,GAAG,KAAK,SAAS,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,CAAC,GAAG;QAAE,OAAO,KAAK,CAAC;IACjE,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,OAAmB,EACnB,IAA2B;IAE3B,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC;IAC/B,MAAM,IAAI,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,GAAmB,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAC7E,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAExB,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC;IAC/B,MAAM,UAAU,GAAG,IAAI,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;IAElE,4EAA4E;IAC5E,0EAA0E;IAC1E,2EAA2E;IAC3E,2EAA2E;IAC3E,6DAA6D;IAC7D,IAAI,UAAU,GAAG,UAAU,CAAC;IAC5B,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QAC5B,4EAA4E;QAC5E,UAAU,GAAG,UAAU,CAAC,MAAM,CAC5B,CAAC,GAAG,EAAE,EAAE,CAAE,GAAyB,CAAC,GAAG,KAAK,GAAG,CAChD,CAAC;QACF,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;IAC5C,CAAC;IAED,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CACvC,KAAK,EACL,GAAG,EACH,IAAI,CAAC,YAAY,EACjB,KAAK,EACL,CAAC,QAAQ,CAAC,CACX,CAAC;YACF,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,MAAM,CACnC,IAAI,CAAC,YAAY,EACjB,GAAG,EACH,OAAO,CAAC,SAAS,EACjB,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,CAC/C,CAAC;YACF,IAAI,EAAE;gBAAE,OAAO,IAAI,CAAC;QACtB,CAAC;QAAC,MAAM,CAAC;YACP,sEAAsE;YACtE,kEAAkE;QACpE,CAAC;IACH,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/ldp.d.ts

@@ -0,0 +1,37 @@
+/**
+ * Path and IRI helpers for the LDP resource/container model.
+ *
+ * Resources are keyed in the store by their URL pathname. Containers are the
+ * keys that end in `/`; everything else is a plain resource. ACL documents
+ * follow the Solid convention `<resource>.acl` (and `<container>.acl`). These
+ * helpers are pure string math so they unit-test without a Workers runtime.
+ */
+/** Whether a store key denotes an LDP container (trailing slash). */
+export declare function isContainer(path: string): boolean;
+/** Whether a path is an ACL document (`*.acl`). */
+export declare function isAclPath(path: string): boolean;
+/** Whether a name/path ends in a reserved auxiliary suffix (`.acl`/`.meta`). */
+export declare function hasReservedAuxiliarySuffix(value: string): boolean;
+/** The ACL document path that governs `path` (`<path>.acl`). */
+export declare function aclPath(path: string): string;
+/** The resource an ACL document governs (`<resource>.acl` → `<resource>`). */
+export declare function resourceForAcl(aclPathValue: string): string;
+/**
+ * The immediate parent container of `path`, or `null` for the root container.
+ * `"/a/b"` → `"/a/"`, `"/a/b/"` → `"/a/"`, `"/"` → `null`.
+ */
+export declare function parentContainer(path: string): string | null;
+/**
+ * The ancestor containers of `path`, nearest first, up to and including the
+ * root container `"/"`.
+ */
+export declare function ancestorContainers(path: string): string[];
+/** Resolve a store key to its absolute resource IRI under `origin`. */
+export declare function toIri(origin: string, path: string): string;
+/**
+ * Pick a child key for a `POST` to `container`, honoring a client `Slug` when
+ * present and safe, and falling back to a random name. A trailing slash is
+ * appended when the new resource is itself a container.
+ */
+export declare function childKey(container: string, slug: string | null, asContainer: boolean): string;
+//# sourceMappingURL=ldp.d.ts.map

package/dist/ldp.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ldp.d.ts","sourceRoot":"","sources":["../src/ldp.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,qEAAqE;AACrE,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAEjD;AAED,mDAAmD;AACnD,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAE/C;AAUD,gFAAgF;AAChF,wBAAgB,0BAA0B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAEjE;AAED,gEAAgE;AAChE,wBAAgB,OAAO,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAE5C;AAED,8EAA8E;AAC9E,wBAAgB,cAAc,CAAC,YAAY,EAAE,MAAM,GAAG,MAAM,CAE3D;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAK3D;AAED;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,EAAE,CAQzD;AAED,uEAAuE;AACvE,wBAAgB,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAE1D;AAID;;;;GAIG;AACH,wBAAgB,QAAQ,CACtB,SAAS,EAAE,MAAM,EACjB,IAAI,EAAE,MAAM,GAAG,IAAI,EACnB,WAAW,EAAE,OAAO,GACnB,MAAM,CAeR"}

package/dist/ldp.js

@@ -0,0 +1,85 @@
+/**
+ * Path and IRI helpers for the LDP resource/container model.
+ *
+ * Resources are keyed in the store by their URL pathname. Containers are the
+ * keys that end in `/`; everything else is a plain resource. ACL documents
+ * follow the Solid convention `<resource>.acl` (and `<container>.acl`). These
+ * helpers are pure string math so they unit-test without a Workers runtime.
+ */
+/** Whether a store key denotes an LDP container (trailing slash). */
+export function isContainer(path) {
+    return path.endsWith("/");
+}
+/** Whether a path is an ACL document (`*.acl`). */
+export function isAclPath(path) {
+    return path.endsWith(".acl");
+}
+/**
+ * Suffixes of server-governed auxiliary resources. Writing one requires
+ * `acl:Control` on the resource it governs (WAC), so a client `Slug` must
+ * never be allowed to mint one through a container `POST` (which is only
+ * authorized for `Append`/`Write` on the parent).
+ */
+const RESERVED_AUXILIARY_SUFFIXES = [".acl", ".meta"];
+/** Whether a name/path ends in a reserved auxiliary suffix (`.acl`/`.meta`). */
+export function hasReservedAuxiliarySuffix(value) {
+    return RESERVED_AUXILIARY_SUFFIXES.some((suffix) => value.endsWith(suffix));
+}
+/** The ACL document path that governs `path` (`<path>.acl`). */
+export function aclPath(path) {
+    return `${path}.acl`;
+}
+/** The resource an ACL document governs (`<resource>.acl` → `<resource>`). */
+export function resourceForAcl(aclPathValue) {
+    return aclPathValue.slice(0, -".acl".length);
+}
+/**
+ * The immediate parent container of `path`, or `null` for the root container.
+ * `"/a/b"` → `"/a/"`, `"/a/b/"` → `"/a/"`, `"/"` → `null`.
+ */
+export function parentContainer(path) {
+    if (path === "/")
+        return null;
+    const trimmed = isContainer(path) ? path.slice(0, -1) : path;
+    const slash = trimmed.lastIndexOf("/");
+    return slash < 0 ? "/" : trimmed.slice(0, slash + 1);
+}
+/**
+ * The ancestor containers of `path`, nearest first, up to and including the
+ * root container `"/"`.
+ */
+export function ancestorContainers(path) {
+    const ancestors = [];
+    let current = parentContainer(path);
+    while (current !== null) {
+        ancestors.push(current);
+        current = parentContainer(current);
+    }
+    return ancestors;
+}
+/** Resolve a store key to its absolute resource IRI under `origin`. */
+export function toIri(origin, path) {
+    return `${origin}${path}`;
+}
+const SLUG_UNSAFE = /[^A-Za-z0-9._~-]+/g;
+/**
+ * Pick a child key for a `POST` to `container`, honoring a client `Slug` when
+ * present and safe, and falling back to a random name. A trailing slash is
+ * appended when the new resource is itself a container.
+ */
+export function childKey(container, slug, asContainer) {
+    const cleaned = slug
+        ?.trim()
+        .replace(SLUG_UNSAFE, "-")
+        .replace(/^-+|-+$/g, "");
+    // A Slug must never mint a reserved auxiliary resource (`.acl`/`.meta`):
+    // those govern a sibling's access/metadata and require `acl:Control` to
+    // write, which a container POST (authorized only for Append/Write on the
+    // parent) does not confer. Treat such a Slug as unusable and fall back to a
+    // random name, closing a privilege-escalation path (issue #28).
+    const name = cleaned && cleaned.length > 0 && !hasReservedAuxiliarySuffix(cleaned)
+        ? cleaned
+        : crypto.randomUUID();
+    return `${container}${name}${asContainer ? "/" : ""}`;
+}
+//# sourceMappingURL=ldp.js.map

package/dist/ldp.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ldp.js","sourceRoot":"","sources":["../src/ldp.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,qEAAqE;AACrE,MAAM,UAAU,WAAW,CAAC,IAAY;IACtC,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;AAC5B,CAAC;AAED,mDAAmD;AACnD,MAAM,UAAU,SAAS,CAAC,IAAY;IACpC,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AAC/B,CAAC;AAED;;;;;GAKG;AACH,MAAM,2BAA2B,GAAG,CAAC,MAAM,EAAE,OAAO,CAAU,CAAC;AAE/D,gFAAgF;AAChF,MAAM,UAAU,0BAA0B,CAAC,KAAa;IACtD,OAAO,2BAA2B,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;AAC9E,CAAC;AAED,gEAAgE;AAChE,MAAM,UAAU,OAAO,CAAC,IAAY;IAClC,OAAO,GAAG,IAAI,MAAM,CAAC;AACvB,CAAC;AAED,8EAA8E;AAC9E,MAAM,UAAU,cAAc,CAAC,YAAoB;IACjD,OAAO,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,IAAY;IAC1C,IAAI,IAAI,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAC9B,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAC7D,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;IACvC,OAAO,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC;AACvD,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,IAAY;IAC7C,MAAM,SAAS,GAAa,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACpC,OAAO,OAAO,KAAK,IAAI,EAAE,CAAC;QACxB,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,OAAO,GAAG,eAAe,CAAC,OAAO,CAAC,CAAC;IACrC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,KAAK,CAAC,MAAc,EAAE,IAAY;IAChD,OAAO,GAAG,MAAM,GAAG,IAAI,EAAE,CAAC;AAC5B,CAAC;AAED,MAAM,WAAW,GAAG,oBAAoB,CAAC;AAEzC;;;;GAIG;AACH,MAAM,UAAU,QAAQ,CACtB,SAAiB,EACjB,IAAmB,EACnB,WAAoB;IAEpB,MAAM,OAAO,GAAG,IAAI;QAClB,EAAE,IAAI,EAAE;SACP,OAAO,CAAC,WAAW,EAAE,GAAG,CAAC;SACzB,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IAC3B,yEAAyE;IACzE,wEAAwE;IACxE,yEAAyE;IACzE,4EAA4E;IAC5E,gEAAgE;IAChE,MAAM,IAAI,GACR,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC;QACnE,CAAC,CAAC,OAAO;QACT,CAAC,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;IAC1B,OAAO,GAAG,SAAS,GAAG,IAAI,GAAG,WAAW,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC;AACxD,CAAC"}