@fluxfiles/node 0.1.1 → 0.1.3

package/README.md

@@ -48,6 +48,26 @@ const token = createToken({
 });
 ```
 
+### Enable Import from URL
+
+Import-from-URL is **off by default**. Turn it on for a token by setting the
+import options — no server-side per-tenant config is needed:
+
+```ts
+const token = createToken({
+  userId: 'user-42',
+  perms: ['read', 'write'],
+  allowUrlImport: true,                    // required — enables the feature
+  maxImportMb: 20,                         // optional — cap per import (MB)
+  importUrlAllowlist: ['*.unsplash.com'],  // optional — restrict source hosts
+  // importPath, importRateLimit, importConcurrency also supported
+});
+```
+
+The core then accepts `POST /api/fm/import-url` for that token (SSRF-guarded,
+sharing the quota/dedup/variants pipeline). Server-wide defaults come from
+`FLUXFILES_IMPORT_*` env vars on the core service.
+
 ### BYOB — encrypt a user's own bucket credentials
 
 ```ts
@@ -115,6 +135,8 @@ app.get('/fluxfiles/token', (req, res) => {
 
 `createToken` options: `secret?`, `userId`, `perms?`, `disks?`, `prefix?`,
 `maxUploadMb?`, `allowedExt?`, `ttl?`, `ownerOnly?`, `maxStorageMb?`, `maxFiles?`.
+Per-tenant overrides (omit to inherit the server default): `aiAutoTag?` (bool),
+`rateRead?` / `rateWrite?` (req/min), `variants?` (`{ thumb?, medium?, large? }` px).
 `createByobToken` replaces `disks` with `byobDisks` (a map of name → S3-compatible
 config) and does not take `maxStorageMb`/`maxFiles` (matching the core).
 

package/dist/index.d.mts

@@ -1,5 +1,5 @@
-/** A FluxFiles permission. */
-type FluxPermission = 'read' | 'write' | 'delete';
+/** A FluxFiles permission. `audit` gates reading the activity log. */
+type FluxPermission = 'read' | 'write' | 'delete' | 'audit';
 /**
  * A BYOB (Bring Your Own Bucket) disk config. Encrypted into the JWT and
  * decrypted only at runtime by the FluxFiles server. Only S3-compatible
@@ -33,6 +33,25 @@ interface BaseTokenOptions {
     ttl?: number;
     /** Restrict destructive ops to files the user uploaded. */
     ownerOnly?: boolean;
+    /** Per-tenant AI auto-tag toggle. Omit to inherit the server default. */
+    aiAutoTag?: boolean;
+    /** Per-tenant read rate limit (requests/min). `0`/omitted = inherit server default. */
+    rateRead?: number;
+    /** Per-tenant write rate limit (requests/min). `0`/omitted = inherit server default. */
+    rateWrite?: number;
+    /** Per-tenant image variant widths, e.g. `{ thumb: 150, medium: 768, large: 1920 }`. Omit to inherit. */
+    variants?: Partial<Record<'thumb' | 'medium' | 'large', number>> | null;
+    /** Enable Import-from-URL for this tenant (`POST /api/fm/import-url`). Default off. */
+    allowUrlImport?: boolean;
+    /** Max size per URL import, in MB (same unit as `maxUploadMb`). `0`/omitted = inherit (50). */
+    maxImportMb?: number;
+    /** Restrict imports to these host globs, e.g. `['*.unsplash.com']`. Omit = any public host. */
+    importUrlAllowlist?: string[];
+    /** Force imports into this path, ignoring the request path. */
+    importPath?: string;
+    /** Import-specific rate limit (req/min) and max concurrent imports. `0`/omitted = inherit. */
+    importRateLimit?: number;
+    importConcurrency?: number;
 }
 interface CreateTokenOptions extends BaseTokenOptions {
     /** Disk names the token may access. */

package/dist/index.d.ts

@@ -1,5 +1,5 @@
-/** A FluxFiles permission. */
-type FluxPermission = 'read' | 'write' | 'delete';
+/** A FluxFiles permission. `audit` gates reading the activity log. */
+type FluxPermission = 'read' | 'write' | 'delete' | 'audit';
 /**
  * A BYOB (Bring Your Own Bucket) disk config. Encrypted into the JWT and
  * decrypted only at runtime by the FluxFiles server. Only S3-compatible
@@ -33,6 +33,25 @@ interface BaseTokenOptions {
     ttl?: number;
     /** Restrict destructive ops to files the user uploaded. */
     ownerOnly?: boolean;
+    /** Per-tenant AI auto-tag toggle. Omit to inherit the server default. */
+    aiAutoTag?: boolean;
+    /** Per-tenant read rate limit (requests/min). `0`/omitted = inherit server default. */
+    rateRead?: number;
+    /** Per-tenant write rate limit (requests/min). `0`/omitted = inherit server default. */
+    rateWrite?: number;
+    /** Per-tenant image variant widths, e.g. `{ thumb: 150, medium: 768, large: 1920 }`. Omit to inherit. */
+    variants?: Partial<Record<'thumb' | 'medium' | 'large', number>> | null;
+    /** Enable Import-from-URL for this tenant (`POST /api/fm/import-url`). Default off. */
+    allowUrlImport?: boolean;
+    /** Max size per URL import, in MB (same unit as `maxUploadMb`). `0`/omitted = inherit (50). */
+    maxImportMb?: number;
+    /** Restrict imports to these host globs, e.g. `['*.unsplash.com']`. Omit = any public host. */
+    importUrlAllowlist?: string[];
+    /** Force imports into this path, ignoring the request path. */
+    importPath?: string;
+    /** Import-specific rate limit (req/min) and max concurrent imports. `0`/omitted = inherit. */
+    importRateLimit?: number;
+    importConcurrency?: number;
 }
 interface CreateTokenOptions extends BaseTokenOptions {
     /** Disk names the token may access. */

package/dist/index.js

@@ -98,6 +98,7 @@ function createToken(opts) {
     max_files: opts.maxFiles ?? 0
   };
   if (opts.ownerOnly) payload.owner_only = true;
+  applyTenantOverrides(payload, opts);
   return sign(payload, secret);
 }
 function createByobToken(opts) {
@@ -123,8 +124,33 @@ function createByobToken(opts) {
     byob_disks: encrypted
   };
   if (opts.ownerOnly) payload.owner_only = true;
+  applyTenantOverrides(payload, opts);
   return sign(payload, secret);
 }
+function sanitizeVariants(v) {
+  if (!v || typeof v !== "object") return null;
+  const out = {};
+  for (const name of ["thumb", "medium", "large"]) {
+    const w = Math.trunc(Number(v[name]));
+    if (Number.isFinite(w) && w >= 16 && w <= 8e3) out[name] = w;
+  }
+  return Object.keys(out).length ? out : null;
+}
+function applyTenantOverrides(payload, opts) {
+  if (opts.aiAutoTag !== void 0) payload.ai_auto_tag = !!opts.aiAutoTag;
+  if (opts.rateRead && opts.rateRead > 0) payload.rate_read = Math.trunc(opts.rateRead);
+  if (opts.rateWrite && opts.rateWrite > 0) payload.rate_write = Math.trunc(opts.rateWrite);
+  const variants = sanitizeVariants(opts.variants);
+  if (variants) payload.variants = variants;
+  if (opts.allowUrlImport) payload.allow_url_import = true;
+  if (opts.maxImportMb && opts.maxImportMb > 0) payload.max_import_mb = Math.trunc(opts.maxImportMb);
+  if (opts.importRateLimit && opts.importRateLimit > 0) payload.import_rate_limit = Math.trunc(opts.importRateLimit);
+  if (opts.importConcurrency && opts.importConcurrency > 0) payload.import_concurrency = Math.trunc(opts.importConcurrency);
+  if (opts.importPath) payload.import_path = String(opts.importPath);
+  if (Array.isArray(opts.importUrlAllowlist) && opts.importUrlAllowlist.length) {
+    payload.import_url_allowlist = opts.importUrlAllowlist.map((h) => String(h));
+  }
+}
 function validateByobDisk(name, config) {
   if (!config || config.driver !== "s3") {
     throw new Error(`FluxFiles BYOB disk "${name}": driver must be "s3" (the server rejects "local").`);

package/dist/index.mjs

@@ -76,6 +76,7 @@ function createToken(opts) {
     max_files: opts.maxFiles ?? 0
   };
   if (opts.ownerOnly) payload.owner_only = true;
+  applyTenantOverrides(payload, opts);
   return sign(payload, secret);
 }
 function createByobToken(opts) {
@@ -101,8 +102,33 @@ function createByobToken(opts) {
     byob_disks: encrypted
   };
   if (opts.ownerOnly) payload.owner_only = true;
+  applyTenantOverrides(payload, opts);
   return sign(payload, secret);
 }
+function sanitizeVariants(v) {
+  if (!v || typeof v !== "object") return null;
+  const out = {};
+  for (const name of ["thumb", "medium", "large"]) {
+    const w = Math.trunc(Number(v[name]));
+    if (Number.isFinite(w) && w >= 16 && w <= 8e3) out[name] = w;
+  }
+  return Object.keys(out).length ? out : null;
+}
+function applyTenantOverrides(payload, opts) {
+  if (opts.aiAutoTag !== void 0) payload.ai_auto_tag = !!opts.aiAutoTag;
+  if (opts.rateRead && opts.rateRead > 0) payload.rate_read = Math.trunc(opts.rateRead);
+  if (opts.rateWrite && opts.rateWrite > 0) payload.rate_write = Math.trunc(opts.rateWrite);
+  const variants = sanitizeVariants(opts.variants);
+  if (variants) payload.variants = variants;
+  if (opts.allowUrlImport) payload.allow_url_import = true;
+  if (opts.maxImportMb && opts.maxImportMb > 0) payload.max_import_mb = Math.trunc(opts.maxImportMb);
+  if (opts.importRateLimit && opts.importRateLimit > 0) payload.import_rate_limit = Math.trunc(opts.importRateLimit);
+  if (opts.importConcurrency && opts.importConcurrency > 0) payload.import_concurrency = Math.trunc(opts.importConcurrency);
+  if (opts.importPath) payload.import_path = String(opts.importPath);
+  if (Array.isArray(opts.importUrlAllowlist) && opts.importUrlAllowlist.length) {
+    payload.import_url_allowlist = opts.importUrlAllowlist.map((h) => String(h));
+  }
+}
 function validateByobDisk(name, config) {
   if (!config || config.driver !== "s3") {
     throw new Error(`FluxFiles BYOB disk "${name}": driver must be "s3" (the server rejects "local").`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fluxfiles/node",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "description": "Server-side Node/TypeScript SDK for minting FluxFiles JWTs (plain + BYOB), byte-compatible with the PHP core",
   "license": "MIT",
   "sideEffects": false,
@@ -16,7 +16,8 @@
   },
   "files": [
     "dist",
-    "src"
+    "src",
+    "LICENSE"
   ],
   "engines": {
     "node": ">=16"

package/src/token.ts

@@ -1,6 +1,6 @@
 import { randomBytes } from 'node:crypto';
 import { base64url, hmacSha256, encryptByob } from './crypto';
-import type { ByobDiskConfig, CreateByobTokenOptions, CreateTokenOptions } from './types';
+import type { BaseTokenOptions, ByobDiskConfig, CreateByobTokenOptions, CreateTokenOptions } from './types';
 
 const MIN_SECRET_BYTES = 32;
 
@@ -48,6 +48,7 @@ export function createToken(opts: CreateTokenOptions): string {
     max_files: opts.maxFiles ?? 0,
   };
   if (opts.ownerOnly) payload.owner_only = true;
+  applyTenantOverrides(payload, opts);
   return sign(payload, secret);
 }
 
@@ -81,9 +82,40 @@ export function createByobToken(opts: CreateByobTokenOptions): string {
     byob_disks: encrypted,
   };
   if (opts.ownerOnly) payload.owner_only = true;
+  applyTenantOverrides(payload, opts);
   return sign(payload, secret);
 }
 
+/** Sanitize the per-tenant `variants` claim — matches PHP `Claims::sanitizeVariants`. */
+function sanitizeVariants(v: BaseTokenOptions['variants']): Record<string, number> | null {
+  if (!v || typeof v !== 'object') return null;
+  const out: Record<string, number> = {};
+  for (const name of ['thumb', 'medium', 'large'] as const) {
+    const w = Math.trunc(Number((v as Record<string, unknown>)[name]));
+    if (Number.isFinite(w) && w >= 16 && w <= 8000) out[name] = w;
+  }
+  return Object.keys(out).length ? out : null;
+}
+
+/** Copy the optional per-tenant override claims into a payload when set. */
+function applyTenantOverrides(payload: Record<string, unknown>, opts: BaseTokenOptions): void {
+  if (opts.aiAutoTag !== undefined) payload.ai_auto_tag = !!opts.aiAutoTag;
+  if (opts.rateRead && opts.rateRead > 0) payload.rate_read = Math.trunc(opts.rateRead);
+  if (opts.rateWrite && opts.rateWrite > 0) payload.rate_write = Math.trunc(opts.rateWrite);
+  const variants = sanitizeVariants(opts.variants);
+  if (variants) payload.variants = variants;
+
+  // URL-import claims (the server sanitizes/clamps these on decode).
+  if (opts.allowUrlImport) payload.allow_url_import = true;
+  if (opts.maxImportMb && opts.maxImportMb > 0) payload.max_import_mb = Math.trunc(opts.maxImportMb);
+  if (opts.importRateLimit && opts.importRateLimit > 0) payload.import_rate_limit = Math.trunc(opts.importRateLimit);
+  if (opts.importConcurrency && opts.importConcurrency > 0) payload.import_concurrency = Math.trunc(opts.importConcurrency);
+  if (opts.importPath) payload.import_path = String(opts.importPath);
+  if (Array.isArray(opts.importUrlAllowlist) && opts.importUrlAllowlist.length) {
+    payload.import_url_allowlist = opts.importUrlAllowlist.map((h) => String(h));
+  }
+}
+
 /**
  * Light client-side validation. The server independently re-validates (incl.
  * SSRF checks on the endpoint), so this only catches obvious mistakes early.

package/src/types.ts

@@ -1,5 +1,5 @@
-/** A FluxFiles permission. */
-export type FluxPermission = 'read' | 'write' | 'delete';
+/** A FluxFiles permission. `audit` gates reading the activity log. */
+export type FluxPermission = 'read' | 'write' | 'delete' | 'audit';
 
 /**
  * A BYOB (Bring Your Own Bucket) disk config. Encrypted into the JWT and
@@ -35,6 +35,25 @@ export interface BaseTokenOptions {
   ttl?: number;
   /** Restrict destructive ops to files the user uploaded. */
   ownerOnly?: boolean;
+  /** Per-tenant AI auto-tag toggle. Omit to inherit the server default. */
+  aiAutoTag?: boolean;
+  /** Per-tenant read rate limit (requests/min). `0`/omitted = inherit server default. */
+  rateRead?: number;
+  /** Per-tenant write rate limit (requests/min). `0`/omitted = inherit server default. */
+  rateWrite?: number;
+  /** Per-tenant image variant widths, e.g. `{ thumb: 150, medium: 768, large: 1920 }`. Omit to inherit. */
+  variants?: Partial<Record<'thumb' | 'medium' | 'large', number>> | null;
+  /** Enable Import-from-URL for this tenant (`POST /api/fm/import-url`). Default off. */
+  allowUrlImport?: boolean;
+  /** Max size per URL import, in MB (same unit as `maxUploadMb`). `0`/omitted = inherit (50). */
+  maxImportMb?: number;
+  /** Restrict imports to these host globs, e.g. `['*.unsplash.com']`. Omit = any public host. */
+  importUrlAllowlist?: string[];
+  /** Force imports into this path, ignoring the request path. */
+  importPath?: string;
+  /** Import-specific rate limit (req/min) and max concurrent imports. `0`/omitted = inherit. */
+  importRateLimit?: number;
+  importConcurrency?: number;
 }
 
 export interface CreateTokenOptions extends BaseTokenOptions {