@kehto/acl 0.1.0

package/README.md

@@ -0,0 +1,97 @@
+# @kehto/acl
+
+Pure, WASM-ready ACL module for the napplet protocol — zero dependencies, zero side effects.
+
+## Install
+
+```bash
+pnpm add @kehto/acl
+```
+
+## Overview
+
+`@kehto/acl` is the authoritative access-control core for kehto. It owns an immutable `AclState` keyed on the NIP-5D 2-segment identity `(dTag, hash)` — the v1.2 canonical shape (the pre-v1.2 `(pubkey, dTag, hash)` triple is dropped; `migrateAclState` ships for legacy persistence readers).
+
+Every function is pure: state in, state out. No I/O, no timers, no globals — the module is trivially compilable to WASM and is the single source of truth for capability decisions.
+
+The module exposes two parallel capability surfaces:
+
+- **Bitfield constants** (`CAP_RELAY_READ`, `CAP_RELAY_WRITE`, `CAP_STATE_READ`, `CAP_STATE_WRITE`, …) — the compact per-entry representation used inside `AclState.entries[*].caps`.
+- **Canonical v1.2 NIP-5D 8-domain capability strings** (`CAP_IDENTITY_READ`, `CAP_KEYS_BIND`, `CAP_KEYS_FORWARD`, `CAP_MEDIA_CONTROL`, `CAP_NOTIFY_SEND`, `CAP_NOTIFY_CHANNEL`, `CAP_THEME_READ`) — plus the retained `relay:*`, `cache:*`, `hotkey:forward`, and `state:*` literals. These strings are what `resolveCapabilitiesNub()` returns and what `@kehto/runtime`'s enforce gate grants/revokes against. The v1.1 `sign:event`/`sign:nip04`/`sign:nip44` entries were intentionally removed — canonical NIP-5D does not expose napplet-visible signing.
+
+## Quick Start
+
+```ts
+import {
+  createState,
+  grant,
+  check,
+  block,
+  unblock,
+  CAP_RELAY_WRITE,
+  CAP_NOTIFY_SEND,
+} from '@kehto/acl';
+
+// 1. Start with a restrictive state — unknown identities are denied everything.
+let state = createState('restrictive');
+
+const id = { dTag: 'chat', hash: 'ff00aa11' };
+
+// 2. Grant the two canonical v1.2 capabilities this napplet needs.
+state = grant(state, id, CAP_RELAY_WRITE);
+state = grant(state, id, CAP_NOTIFY_SEND);
+
+check(state, id, CAP_RELAY_WRITE); // true
+check(state, id, CAP_NOTIFY_SEND); // true
+
+// 3. Block the identity — all checks fail until unblocked, caps are preserved.
+state = block(state, id);
+check(state, id, CAP_RELAY_WRITE); // false (blocked)
+
+state = unblock(state, id);
+check(state, id, CAP_RELAY_WRITE); // true (restored)
+```
+
+## Public API
+
+### Types
+- `AclState` — immutable ACL state container
+- `AclEntry` — per-identity entry (`caps`, `blocked`, `quota`)
+- `Identity` — `{ dTag, hash }` pair (NIP-5D 2-segment identity)
+- `Capability` — union of every canonical capability string
+- `CapabilityResolution` — `{ senderCap, recipientCap }` returned by `resolveCapabilitiesNub`
+- `NubMessage` — minimal shape consumed by `resolveCapabilitiesNub` (`{ type: string }`)
+
+### Constants — bit flags
+- `CAP_RELAY_READ`, `CAP_RELAY_WRITE`, `CAP_CACHE_READ`, `CAP_CACHE_WRITE`
+- `CAP_HOTKEY_FORWARD`, `CAP_SIGN_EVENT`, `CAP_SIGN_NIP04`, `CAP_SIGN_NIP44`
+- `CAP_STATE_READ`, `CAP_STATE_WRITE`, `CAP_ALL`, `CAP_NONE`
+- `DEFAULT_QUOTA`
+
+### Constants — canonical NIP-5D capability strings (v1.2)
+- `ALL_CAPABILITIES` — readonly tuple of every recognized capability string
+- `CAP_IDENTITY_READ`, `CAP_KEYS_BIND`, `CAP_KEYS_FORWARD`
+- `CAP_MEDIA_CONTROL`, `CAP_NOTIFY_SEND`, `CAP_NOTIFY_CHANNEL`, `CAP_THEME_READ`
+
+### State mutations
+- [`createState`](../../docs/api/functions/_kehto_acl.createState.html) — create an empty AclState
+- [`grant`](../../docs/api/functions/_kehto_acl.grant.html), [`revoke`](../../docs/api/functions/_kehto_acl.revoke.html) — add/remove capability bits
+- [`block`](../../docs/api/functions/_kehto_acl.block.html), [`unblock`](../../docs/api/functions/_kehto_acl.unblock.html) — toggle the block flag
+- [`setQuota`](../../docs/api/functions/_kehto_acl.setQuota.html), [`getQuota`](../../docs/api/functions/_kehto_acl.getQuota.html) — per-identity state storage quota
+- [`serialize`](../../docs/api/functions/_kehto_acl.serialize.html), [`deserialize`](../../docs/api/functions/_kehto_acl.deserialize.html) — JSON round-trip for persistence
+
+### Capability resolution
+- [`check`](../../docs/api/functions/_kehto_acl.check.html) — evaluate identity + capability against state
+- [`toKey`](../../docs/api/functions/_kehto_acl.toKey.html) — compute the `dTag:hash` composite key
+- [`resolveCapabilitiesNub`](../../docs/api/functions/_kehto_acl.resolveCapabilitiesNub.html) — map a NIP-5D NUB envelope type to the required sender/recipient capabilities across the 8 canonical domains
+
+### Migration
+- [`migrateAclState`](../../docs/api/functions/_kehto_acl.migrateAclState.html) — one-shot migration from the legacy 3-segment `pubkey:dTag:hash` keys to the v1.2 2-segment `dTag:hash` keys; idempotent (returns the same reference when nothing to migrate)
+
+## API Reference
+
+Full API reference: [docs/api/@kehto/acl/](../../docs/api/modules/_kehto_acl.html) (generated via `pnpm docs:api`).
+
+## License
+
+MIT

package/dist/capabilities.d.ts

@@ -0,0 +1,40 @@
+/**
+ * @kehto/acl — String capability constants.
+ *
+ * Canonical capability strings for NIP-5D ACL gating (v1.2 milestone).
+ * Complements the bit constants in types.ts (CAP_RELAY_READ etc.) — these
+ * string literals are what the runtime + shell read/write in grant/revoke
+ * paths and what resolveCapabilitiesNub returns.
+ *
+ * Zero runtime dependencies. The eight canonical NIP-5D domains are
+ * identity, keys, media, notify, relay, storage, ifc, theme; capabilities
+ * here cover each domain's gated actions.
+ */
+/**
+ * All capability strings recognized by @kehto/acl.
+ *
+ * Ordering: v1.1 surface first (relay/cache/hotkey/state), then the
+ * v1.2 additions for the seven nubs + theme. The v1.1 `sign:event`,
+ * `sign:nip04`, `sign:nip44` strings were intentionally removed — no
+ * napplet-visible signing exists in canonical NIP-5D; signing flows
+ * through shell-internal `relay.publishEncrypted` instead.
+ */
+declare const ALL_CAPABILITIES: readonly ["relay:read", "relay:write", "cache:read", "cache:write", "hotkey:forward", "state:read", "state:write", "identity:read", "keys:bind", "keys:forward", "media:control", "notify:send", "notify:channel", "theme:read"];
+/** Union of every capability string in ALL_CAPABILITIES. */
+type Capability = typeof ALL_CAPABILITIES[number];
+/** identity.getProfile/getFollows/getList/getZaps/getMutes/getBlocked/getBadges */
+declare const CAP_IDENTITY_READ: "identity:read";
+/** keys.registerAction / keys.unregisterAction / keys.bindings */
+declare const CAP_KEYS_BIND: "keys:bind";
+/** keys.forward / keys.action */
+declare const CAP_KEYS_FORWARD: "keys:forward";
+/** media.* (all actions) */
+declare const CAP_MEDIA_CONTROL: "media:control";
+/** notify.send / notify.dismiss / notify.badge / notify.action / notify.clicked / notify.dismissed / notify.controls / notify.send.result */
+declare const CAP_NOTIFY_SEND: "notify:send";
+/** notify.channel.register / notify.permission.request / notify.permission.result */
+declare const CAP_NOTIFY_CHANNEL: "notify:channel";
+/** theme.get / theme.changed */
+declare const CAP_THEME_READ: "theme:read";
+
+export { ALL_CAPABILITIES, CAP_IDENTITY_READ, CAP_KEYS_BIND, CAP_KEYS_FORWARD, CAP_MEDIA_CONTROL, CAP_NOTIFY_CHANNEL, CAP_NOTIFY_SEND, CAP_THEME_READ, type Capability };

package/dist/capabilities.js

@@ -0,0 +1,21 @@
+import {
+  ALL_CAPABILITIES,
+  CAP_IDENTITY_READ,
+  CAP_KEYS_BIND,
+  CAP_KEYS_FORWARD,
+  CAP_MEDIA_CONTROL,
+  CAP_NOTIFY_CHANNEL,
+  CAP_NOTIFY_SEND,
+  CAP_THEME_READ
+} from "./chunk-7M23OTGP.js";
+export {
+  ALL_CAPABILITIES,
+  CAP_IDENTITY_READ,
+  CAP_KEYS_BIND,
+  CAP_KEYS_FORWARD,
+  CAP_MEDIA_CONTROL,
+  CAP_NOTIFY_CHANNEL,
+  CAP_NOTIFY_SEND,
+  CAP_THEME_READ
+};
+//# sourceMappingURL=capabilities.js.map

package/dist/capabilities.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/chunk-7M23OTGP.js

@@ -0,0 +1,38 @@
+// src/capabilities.ts
+var ALL_CAPABILITIES = [
+  // v1.1 kept:
+  "relay:read",
+  "relay:write",
+  "cache:read",
+  "cache:write",
+  "hotkey:forward",
+  "state:read",
+  "state:write",
+  // v1.2 additions (seven nubs + theme):
+  "identity:read",
+  "keys:bind",
+  "keys:forward",
+  "media:control",
+  "notify:send",
+  "notify:channel",
+  "theme:read"
+];
+var CAP_IDENTITY_READ = "identity:read";
+var CAP_KEYS_BIND = "keys:bind";
+var CAP_KEYS_FORWARD = "keys:forward";
+var CAP_MEDIA_CONTROL = "media:control";
+var CAP_NOTIFY_SEND = "notify:send";
+var CAP_NOTIFY_CHANNEL = "notify:channel";
+var CAP_THEME_READ = "theme:read";
+
+export {
+  ALL_CAPABILITIES,
+  CAP_IDENTITY_READ,
+  CAP_KEYS_BIND,
+  CAP_KEYS_FORWARD,
+  CAP_MEDIA_CONTROL,
+  CAP_NOTIFY_SEND,
+  CAP_NOTIFY_CHANNEL,
+  CAP_THEME_READ
+};
+//# sourceMappingURL=chunk-7M23OTGP.js.map

package/dist/chunk-7M23OTGP.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/capabilities.ts"],"sourcesContent":["/**\n * @kehto/acl — String capability constants.\n *\n * Canonical capability strings for NIP-5D ACL gating (v1.2 milestone).\n * Complements the bit constants in types.ts (CAP_RELAY_READ etc.) — these\n * string literals are what the runtime + shell read/write in grant/revoke\n * paths and what resolveCapabilitiesNub returns.\n *\n * Zero runtime dependencies. The eight canonical NIP-5D domains are\n * identity, keys, media, notify, relay, storage, ifc, theme; capabilities\n * here cover each domain's gated actions.\n */\n\n/**\n * All capability strings recognized by @kehto/acl.\n *\n * Ordering: v1.1 surface first (relay/cache/hotkey/state), then the\n * v1.2 additions for the seven nubs + theme. The v1.1 `sign:event`,\n * `sign:nip04`, `sign:nip44` strings were intentionally removed — no\n * napplet-visible signing exists in canonical NIP-5D; signing flows\n * through shell-internal `relay.publishEncrypted` instead.\n */\nexport const ALL_CAPABILITIES = [\n  // v1.1 kept:\n  'relay:read', 'relay:write',\n  'cache:read', 'cache:write',\n  'hotkey:forward',\n  'state:read', 'state:write',\n  // v1.2 additions (seven nubs + theme):\n  'identity:read',\n  'keys:bind', 'keys:forward',\n  'media:control',\n  'notify:send', 'notify:channel',\n  'theme:read',\n] as const;\n\n/** Union of every capability string in ALL_CAPABILITIES. */\nexport type Capability = typeof ALL_CAPABILITIES[number];\n\n// ─── Per-cap string constants (grep-friendly call sites) ────────────────────\n//\n// The v1.1 capability strings (relay:read, relay:write, cache:read,\n// cache:write, hotkey:forward, state:read, state:write) are used\n// throughout the codebase as bare literals; constants for them are\n// deliberately omitted here to keep the surface minimal.\n// The v1.2 additions below each get a named constant because they are\n// the newly-introduced surface and benefit from greppable call sites.\n\n/** identity.getProfile/getFollows/getList/getZaps/getMutes/getBlocked/getBadges */\nexport const CAP_IDENTITY_READ   = 'identity:read' as const;\n/** keys.registerAction / keys.unregisterAction / keys.bindings */\nexport const CAP_KEYS_BIND       = 'keys:bind' as const;\n/** keys.forward / keys.action */\nexport const CAP_KEYS_FORWARD    = 'keys:forward' as const;\n/** media.* (all actions) */\nexport const CAP_MEDIA_CONTROL   = 'media:control' as const;\n/** notify.send / notify.dismiss / notify.badge / notify.action / notify.clicked / notify.dismissed / notify.controls / notify.send.result */\nexport const CAP_NOTIFY_SEND     = 'notify:send' as const;\n/** notify.channel.register / notify.permission.request / notify.permission.result */\nexport const CAP_NOTIFY_CHANNEL  = 'notify:channel' as const;\n/** theme.get / theme.changed */\nexport const CAP_THEME_READ      = 'theme:read' as const;\n"],"mappings":";AAsBO,IAAM,mBAAmB;AAAA;AAAA,EAE9B;AAAA,EAAc;AAAA,EACd;AAAA,EAAc;AAAA,EACd;AAAA,EACA;AAAA,EAAc;AAAA;AAAA,EAEd;AAAA,EACA;AAAA,EAAa;AAAA,EACb;AAAA,EACA;AAAA,EAAe;AAAA,EACf;AACF;AAeO,IAAM,oBAAsB;AAE5B,IAAM,gBAAsB;AAE5B,IAAM,mBAAsB;AAE5B,IAAM,oBAAsB;AAE5B,IAAM,kBAAsB;AAE5B,IAAM,qBAAsB;AAE5B,IAAM,iBAAsB;","names":[]}

package/dist/index.d.ts

@@ -0,0 +1,433 @@
+export { ALL_CAPABILITIES, CAP_IDENTITY_READ, CAP_KEYS_BIND, CAP_KEYS_FORWARD, CAP_MEDIA_CONTROL, CAP_NOTIFY_CHANNEL, CAP_NOTIFY_SEND, CAP_THEME_READ, Capability } from './capabilities.js';
+
+/**
+ * @kehto/acl — Type definitions and capability bit constants.
+ *
+ * All types use Readonly<> to enforce immutability at the type level.
+ * Capability constants are bitfield values for fast check/grant/revoke.
+ */
+/** relay:read — subscribe to relay events */
+declare const CAP_RELAY_READ: number;
+/** relay:write — publish events to relays */
+declare const CAP_RELAY_WRITE: number;
+/** cache:read — read from local cache */
+declare const CAP_CACHE_READ: number;
+/** cache:write — write to local cache */
+declare const CAP_CACHE_WRITE: number;
+/** hotkey:forward — forward keyboard shortcuts to shell */
+declare const CAP_HOTKEY_FORWARD: number;
+/** sign:event — request event signing */
+declare const CAP_SIGN_EVENT: number;
+/** sign:nip04 — request NIP-04 encrypt/decrypt */
+declare const CAP_SIGN_NIP04: number;
+/** sign:nip44 — request NIP-44 encrypt/decrypt */
+declare const CAP_SIGN_NIP44: number;
+/** state:read — read napplet-scoped state */
+declare const CAP_STATE_READ: number;
+/** state:write — write napplet-scoped state */
+declare const CAP_STATE_WRITE: number;
+/** All capabilities granted (bits 0-9 set) */
+declare const CAP_ALL: number;
+/** No capabilities granted */
+declare const CAP_NONE = 0;
+/**
+ * Napplet identity — composite key for ACL lookups.
+ *
+ * Under NIP-5D v0.1.0, identity is assigned from the NIP-5A manifest
+ * at iframe creation time. The pubkey field is no longer used.
+ *
+ * @param pubkey - (deprecated) Ephemeral AUTH keypair pubkey. Ignored by toKey().
+ * @param dTag - Derived tag (deterministic from napp type)
+ * @param hash - Aggregate hash of napplet build artifacts
+ */
+interface Identity {
+    /** @deprecated NIP-5D: AUTH keypair no longer exists. Pass '' or omit entirely.
+     *  Kept as optional for backward compatibility during data migration. */
+    readonly pubkey?: string;
+    readonly dTag: string;
+    readonly hash: string;
+}
+/**
+ * A single ACL entry for one napplet identity.
+ *
+ * @param caps - Bitfield of granted capabilities (use CAP_* constants)
+ * @param blocked - Orthogonal block flag; when true, all checks fail regardless of caps
+ * @param quota - State storage quota in bytes
+ */
+interface AclEntry {
+    readonly caps: number;
+    readonly blocked: boolean;
+    readonly quota: number;
+}
+/**
+ * Complete ACL state — immutable data structure.
+ *
+ * All mutations return a new AclState; the original is never modified.
+ *
+ * @param defaultPolicy - 'permissive' grants all caps to unknown identities;
+ *                        'restrictive' denies all caps to unknown identities
+ * @param entries - Map from composite key ('dTag:hash') to AclEntry
+ */
+interface AclState {
+    readonly defaultPolicy: 'permissive' | 'restrictive';
+    readonly entries: Readonly<Record<string, AclEntry>>;
+}
+/** Default state storage quota in bytes (512 KB) */
+declare const DEFAULT_QUOTA: number;
+
+/**
+ * @kehto/acl — Pure check function.
+ *
+ * Determines whether an identity has a specific capability.
+ * No side effects, no I/O, no mutations.
+ */
+
+/**
+ * Compute composite key from identity fields.
+ *
+ * Under NIP-5D v0.1.0, the key is 'dTag:hash' (pubkey is ignored).
+ *
+ * @param identity - Napplet identity
+ * @returns Composite key string 'dTag:hash'
+ *
+ * @example
+ * ```ts
+ * toKey({ dTag: 'chat', hash: 'ff00' })
+ * // => 'chat:ff00'
+ * ```
+ */
+declare function toKey(identity: Identity): string;
+/**
+ * Check whether an identity has a specific capability.
+ *
+ * Decision logic:
+ * 1. If identity has no entry: return based on defaultPolicy
+ *    - 'permissive' → true (all caps granted to unknown identities)
+ *    - 'restrictive' → false (all caps denied to unknown identities)
+ * 2. If identity is blocked: return false (blocked overrides all caps)
+ * 3. Otherwise: return (entry.caps & cap) !== 0
+ *
+ * @param state - Current ACL state (immutable)
+ * @param identity - Napplet identity to check
+ * @param cap - Capability bit constant (e.g., CAP_RELAY_READ)
+ * @returns true if the identity has the capability, false otherwise
+ *
+ * @example
+ * ```ts
+ * import { check, createState, grant } from '@kehto/acl';
+ * import { CAP_RELAY_READ } from '@kehto/acl';
+ *
+ * const state = createState('restrictive');
+ * const id = { dTag: 'chat', hash: 'ff00' };
+ *
+ * check(state, id, CAP_RELAY_READ); // false (restrictive, no entry)
+ *
+ * const state2 = grant(state, id, CAP_RELAY_READ);
+ * check(state2, id, CAP_RELAY_READ); // true
+ * ```
+ */
+declare function check(state: AclState, identity: Identity, cap: number): boolean;
+
+/**
+ * @kehto/acl — Pure state mutation functions.
+ *
+ * Every function takes an AclState and returns a NEW AclState.
+ * The original state is never modified. No side effects, no I/O.
+ */
+
+/**
+ * Create a new ACL state with the given default policy.
+ *
+ * @param policy - 'permissive' grants all caps to unknown identities;
+ *                 'restrictive' denies all caps to unknown identities.
+ *                 Defaults to 'permissive'.
+ * @returns A new empty AclState
+ *
+ * @example
+ * ```ts
+ * const state = createState('restrictive');
+ * // { defaultPolicy: 'restrictive', entries: {} }
+ * ```
+ */
+declare function createState(policy?: 'permissive' | 'restrictive'): AclState;
+/**
+ * Grant a capability to an identity.
+ *
+ * If the identity has no entry, one is created with default caps plus the granted cap.
+ * Returns a new AclState — the original is not modified.
+ *
+ * @param state - Current ACL state
+ * @param identity - Napplet identity
+ * @param cap - Capability bit constant to grant (e.g., CAP_RELAY_READ)
+ * @returns New AclState with the capability granted
+ *
+ * @example
+ * ```ts
+ * const state2 = grant(state, id, CAP_RELAY_READ);
+ * check(state2, id, CAP_RELAY_READ); // true
+ * ```
+ */
+declare function grant(state: AclState, identity: Identity, cap: number): AclState;
+/**
+ * Revoke a capability from an identity.
+ *
+ * If the identity has no entry, one is created with default caps minus the revoked cap.
+ * Returns a new AclState — the original is not modified.
+ *
+ * @param state - Current ACL state
+ * @param identity - Napplet identity
+ * @param cap - Capability bit constant to revoke (e.g., CAP_RELAY_WRITE)
+ * @returns New AclState with the capability revoked
+ *
+ * @example
+ * ```ts
+ * const state2 = revoke(state, id, CAP_RELAY_WRITE);
+ * check(state2, id, CAP_RELAY_WRITE); // false
+ * ```
+ */
+declare function revoke(state: AclState, identity: Identity, cap: number): AclState;
+/**
+ * Block an identity.
+ *
+ * A blocked identity fails all capability checks regardless of granted caps.
+ * The caps bitfield is preserved — unblocking restores previous capabilities.
+ * Returns a new AclState — the original is not modified.
+ *
+ * @param state - Current ACL state
+ * @param identity - Napplet identity to block
+ * @returns New AclState with the identity blocked
+ *
+ * @example
+ * ```ts
+ * const state2 = block(state, id);
+ * check(state2, id, CAP_RELAY_READ); // false (blocked)
+ * ```
+ */
+declare function block(state: AclState, identity: Identity): AclState;
+/**
+ * Unblock an identity.
+ *
+ * Restores capability checks to use the caps bitfield.
+ * Returns a new AclState — the original is not modified.
+ *
+ * @param state - Current ACL state
+ * @param identity - Napplet identity to unblock
+ * @returns New AclState with the identity unblocked
+ *
+ * @example
+ * ```ts
+ * const state2 = unblock(state, id);
+ * check(state2, id, CAP_RELAY_READ); // true (if cap was granted)
+ * ```
+ */
+declare function unblock(state: AclState, identity: Identity): AclState;
+/**
+ * Set the state storage quota for an identity.
+ *
+ * @param state - Current ACL state
+ * @param identity - Napplet identity
+ * @param bytes - Quota in bytes
+ * @returns New AclState with the quota set
+ *
+ * @example
+ * ```ts
+ * const state2 = setQuota(state, id, 1024 * 1024); // 1 MB
+ * getQuota(state2, id); // 1048576
+ * ```
+ */
+declare function setQuota(state: AclState, identity: Identity, bytes: number): AclState;
+/**
+ * Get the state storage quota for an identity.
+ *
+ * Returns DEFAULT_QUOTA (512 KB) if no entry exists.
+ *
+ * @param state - Current ACL state
+ * @param identity - Napplet identity
+ * @returns Quota in bytes
+ *
+ * @example
+ * ```ts
+ * getQuota(state, id); // 524288 (default 512 KB)
+ * ```
+ */
+declare function getQuota(state: AclState, identity: Identity): number;
+/**
+ * Serialize ACL state to a JSON string.
+ *
+ * Pure function — no I/O. The persistence adapter in @kehto/shell
+ * uses this to write state to localStorage or other backends.
+ *
+ * @param state - ACL state to serialize
+ * @returns JSON string representation
+ *
+ * @example
+ * ```ts
+ * const json = serialize(state);
+ * localStorage.setItem('napplet:acl', json);
+ * ```
+ */
+declare function serialize(state: AclState): string;
+/**
+ * Deserialize ACL state from a JSON string.
+ *
+ * Pure function — no I/O. Returns a valid AclState or a fresh
+ * permissive state if the input is invalid.
+ *
+ * @param json - JSON string to parse
+ * @returns Parsed AclState, or fresh permissive state on parse failure
+ *
+ * @example
+ * ```ts
+ * const json = localStorage.getItem('napplet:acl') ?? '';
+ * const state = deserialize(json);
+ * ```
+ */
+declare function deserialize(json: string): AclState;
+
+/**
+ * @kehto/acl — ACL state migration utility.
+ *
+ * Provides a pure function to migrate persisted ACL state from the old
+ * 3-segment composite key format (pubkey:dTag:hash) to the new 2-segment
+ * format (dTag:hash) introduced in NIP-5D v0.1.0.
+ *
+ * No I/O, no side effects. Pure function: takes AclState, returns AclState.
+ */
+
+/**
+ * Migrate ACL state from old 3-segment key format to new 2-segment key format.
+ *
+ * Converts entries stored under 'pubkey:dTag:hash' keys to 'dTag:hash' keys.
+ * If two old entries map to the same dTag:hash, merges them conservatively:
+ * - caps: OR of both bitfields (never removes a granted capability)
+ * - blocked: OR of both flags (blocks if either source was blocked)
+ * - quota: MAX of both values (keeps the higher allocation)
+ *
+ * Idempotent: if no 3-segment keys are found, returns the original state
+ * unchanged (same object reference).
+ *
+ * @param state - Current ACL state (may contain old-format entries)
+ * @returns Migrated AclState with only 2-segment keys, or the original
+ *          state unchanged if no migration was needed
+ *
+ * @example
+ * ```ts
+ * const oldState = deserialize(localStorage.getItem('napplet:acl') ?? '');
+ * const newState = migrateAclState(oldState);
+ * if (newState !== oldState) {
+ *   // Migration occurred — persist the new format
+ *   localStorage.setItem('napplet:acl', serialize(newState));
+ * }
+ * ```
+ */
+declare function migrateAclState(state: AclState): AclState;
+
+/**
+ * @kehto/acl — NUB domain capability resolution (8-domain canonical).
+ *
+ * Maps NUB message types (e.g., 'relay.subscribe', 'identity.getProfile') to
+ * the capability strings required by sender and recipient. This is the
+ * canonical source for "which capability does this NUB operation require?"
+ * in the @kehto/acl package.
+ *
+ * Canonical NIP-5D 8 domains: identity, keys, media, notify, relay,
+ * storage, ifc, theme. The v1.1 `signer` domain is REMOVED — getPublicKey/
+ * getRelays migrated to `identity`; signEvent/nip04/nip44 have no
+ * napplet-visible surface (shell handles encryption inside
+ * `relay.publishEncrypted`).
+ *
+ * Zero dependencies. No imports from @napplet/core or any external package.
+ *
+ * @see packages/acl/src/capabilities.ts for cap string constants + ALL_CAPABILITIES.
+ * @see docs/ACL-MIGRATION.md section 2 — Capability Constant to NUB Domain Mapping.
+ */
+/**
+ * Minimal message shape used for capability resolution.
+ *
+ * Compatible with NappletMessage from @napplet/core, but defined here
+ * independently to maintain @kehto/acl's zero-dependency constraint.
+ *
+ * @param type - NUB message type, e.g. 'relay.subscribe', 'identity.getProfile'
+ */
+interface NubMessage {
+    readonly type: string;
+}
+/**
+ * Result of resolving what capabilities a NUB message requires.
+ *
+ * | Field          | Description                                                    |
+ * |----------------|----------------------------------------------------------------|
+ * | `senderCap`    | Capability the sender must have, or null if no check needed    |
+ * | `recipientCap` | Capability the recipient must have, or null if no check needed |
+ *
+ * @param senderCap - Capability the sender must have, or null if no ACL gate required
+ * @param recipientCap - Capability the recipient must have, or null if no recipient check
+ */
+interface CapabilityResolution {
+    readonly senderCap: string | null;
+    readonly recipientCap: string | null;
+}
+/**
+ * Resolve the capabilities required by a NUB message.
+ *
+ * Splits `msg.type` on '.' to obtain `[domain, action]`, then dispatches to
+ * a per-domain mapper. Unknown domains return `null/null` (silently ignored).
+ *
+ * **NUB domain mapping table (8 canonical domains):**
+ *
+ * | Domain     | Action(s)                                                    | senderCap       | recipientCap  |
+ * |------------|--------------------------------------------------------------|-----------------|---------------|
+ * | `relay`    | `subscribe`, `query`, `close`, results/pushes                | `relay:read`    | `null`        |
+ * | `relay`    | `publish`                                                    | `relay:write`   | `relay:read`  |
+ * | `relay`    | `publishEncrypted`                                           | `relay:write`   | `null`        |
+ * | `identity` | `getPublicKey`, `getRelays`                                 | `null`          | `null`        |
+ * | `identity` | `getProfile/getFollows/getList/getZaps/getMutes/...`        | `identity:read` | `null`        |
+ * | `keys`     | `forward`, `action`                                         | `keys:forward`  | `null`        |
+ * | `keys`     | `registerAction`, `unregisterAction`, `bindings`            | `keys:bind`     | `null`        |
+ * | `media`    | any                                                         | `media:control` | `null`        |
+ * | `notify`   | `channel.register`, `permission.request`, `permission.result` | `notify:channel`| `null`        |
+ * | `notify`   | `send`, `dismiss`, `badge`, `clicked`, `action`, ...        | `notify:send`   | `null`        |
+ * | `storage`  | `get`, `keys`                                               | `state:read`    | `null`        |
+ * | `storage`  | `set`, `remove`                                             | `state:write`   | `null`        |
+ * | `storage`  | any other (incl. removed `clear`)                           | `null`          | `null`        |
+ * | `ifc`      | `emit`, `channel.emit`, `channel.broadcast`                 | `relay:write`   | `relay:read`  |
+ * | `ifc`      | `subscribe`, `unsubscribe`, `channel.open/list/close`       | `relay:read`    | `null`        |
+ * | `theme`    | `get`, `get.result`                                         | `theme:read`    | `null`        |
+ * | `theme`    | `changed` (shell → napplet push)                            | `null`          | `theme:read`  |
+ * | unknown    | any                                                         | `null`          | `null`        |
+ *
+ * The `signer` domain is REMOVED — signer messages fall through to the
+ * default null/null branch. `getPublicKey`/`getRelays` migrated to
+ * `identity`; napplet-visible signing does not exist in NIP-5D (shell
+ * signs internally for `relay.publishEncrypted`).
+ *
+ * @param msg - Message with a `type` field in NUB format (e.g., 'relay.subscribe')
+ * @returns CapabilityResolution with senderCap and recipientCap (each may be null)
+ *
+ * @example
+ * ```ts
+ * resolveCapabilitiesNub({ type: 'relay.subscribe' })
+ * // => { senderCap: 'relay:read', recipientCap: null }
+ *
+ * resolveCapabilitiesNub({ type: 'relay.publishEncrypted' })
+ * // => { senderCap: 'relay:write', recipientCap: null }
+ *
+ * resolveCapabilitiesNub({ type: 'identity.getProfile' })
+ * // => { senderCap: 'identity:read', recipientCap: null }
+ *
+ * resolveCapabilitiesNub({ type: 'keys.forward' })
+ * // => { senderCap: 'keys:forward', recipientCap: null }
+ *
+ * resolveCapabilitiesNub({ type: 'ifc.channel.broadcast' })
+ * // => { senderCap: 'relay:write', recipientCap: 'relay:read' }
+ *
+ * resolveCapabilitiesNub({ type: 'theme.changed' })
+ * // => { senderCap: null, recipientCap: 'theme:read' }
+ *
+ * resolveCapabilitiesNub({ type: 'signer.signEvent' })
+ * // => { senderCap: null, recipientCap: null }   // domain removed
+ * ```
+ */
+declare function resolveCapabilitiesNub(msg: NubMessage): CapabilityResolution;
+
+export { type AclEntry, type AclState, CAP_ALL, CAP_CACHE_READ, CAP_CACHE_WRITE, CAP_HOTKEY_FORWARD, CAP_NONE, CAP_RELAY_READ, CAP_RELAY_WRITE, CAP_SIGN_EVENT, CAP_SIGN_NIP04, CAP_SIGN_NIP44, CAP_STATE_READ, CAP_STATE_WRITE, type CapabilityResolution, DEFAULT_QUOTA, type Identity, type NubMessage, block, check, createState, deserialize, getQuota, grant, migrateAclState, resolveCapabilitiesNub, revoke, serialize, setQuota, toKey, unblock };

package/dist/index.js

@@ -0,0 +1,278 @@
+import {
+  ALL_CAPABILITIES,
+  CAP_IDENTITY_READ,
+  CAP_KEYS_BIND,
+  CAP_KEYS_FORWARD,
+  CAP_MEDIA_CONTROL,
+  CAP_NOTIFY_CHANNEL,
+  CAP_NOTIFY_SEND,
+  CAP_THEME_READ
+} from "./chunk-7M23OTGP.js";
+
+// src/types.ts
+var CAP_RELAY_READ = 1 << 0;
+var CAP_RELAY_WRITE = 1 << 1;
+var CAP_CACHE_READ = 1 << 2;
+var CAP_CACHE_WRITE = 1 << 3;
+var CAP_HOTKEY_FORWARD = 1 << 4;
+var CAP_SIGN_EVENT = 1 << 5;
+var CAP_SIGN_NIP04 = 1 << 6;
+var CAP_SIGN_NIP44 = 1 << 7;
+var CAP_STATE_READ = 1 << 8;
+var CAP_STATE_WRITE = 1 << 9;
+var CAP_ALL = (1 << 10) - 1;
+var CAP_NONE = 0;
+var DEFAULT_QUOTA = 512 * 1024;
+
+// src/check.ts
+function toKey(identity) {
+  return `${identity.dTag}:${identity.hash}`;
+}
+function check(state, identity, cap) {
+  const key = toKey(identity);
+  const entry = state.entries[key];
+  if (!entry) {
+    return state.defaultPolicy === "permissive";
+  }
+  if (entry.blocked) {
+    return false;
+  }
+  return (entry.caps & cap) !== 0;
+}
+
+// src/mutations.ts
+function createState(policy = "permissive") {
+  return { defaultPolicy: policy, entries: {} };
+}
+function getEntry(state, key) {
+  const existing = state.entries[key];
+  if (existing) return existing;
+  return {
+    caps: state.defaultPolicy === "permissive" ? CAP_ALL : 0,
+    blocked: false,
+    quota: DEFAULT_QUOTA
+  };
+}
+function grant(state, identity, cap) {
+  const key = toKey(identity);
+  const entry = getEntry(state, key);
+  return {
+    ...state,
+    entries: {
+      ...state.entries,
+      [key]: { ...entry, caps: entry.caps | cap }
+    }
+  };
+}
+function revoke(state, identity, cap) {
+  const key = toKey(identity);
+  const entry = getEntry(state, key);
+  return {
+    ...state,
+    entries: {
+      ...state.entries,
+      [key]: { ...entry, caps: entry.caps & ~cap }
+    }
+  };
+}
+function block(state, identity) {
+  const key = toKey(identity);
+  const entry = getEntry(state, key);
+  return {
+    ...state,
+    entries: {
+      ...state.entries,
+      [key]: { ...entry, blocked: true }
+    }
+  };
+}
+function unblock(state, identity) {
+  const key = toKey(identity);
+  const entry = getEntry(state, key);
+  return {
+    ...state,
+    entries: {
+      ...state.entries,
+      [key]: { ...entry, blocked: false }
+    }
+  };
+}
+function setQuota(state, identity, bytes) {
+  const key = toKey(identity);
+  const entry = getEntry(state, key);
+  return {
+    ...state,
+    entries: {
+      ...state.entries,
+      [key]: { ...entry, quota: bytes }
+    }
+  };
+}
+function getQuota(state, identity) {
+  const key = toKey(identity);
+  const entry = state.entries[key];
+  return entry?.quota ?? DEFAULT_QUOTA;
+}
+function serialize(state) {
+  return JSON.stringify(state);
+}
+function deserialize(json) {
+  try {
+    const parsed = JSON.parse(json);
+    if (typeof parsed === "object" && parsed !== null && (parsed.defaultPolicy === "permissive" || parsed.defaultPolicy === "restrictive") && typeof parsed.entries === "object" && parsed.entries !== null) {
+      const entries = {};
+      for (const [key, value] of Object.entries(parsed.entries)) {
+        const entry = value;
+        if (typeof entry.caps === "number" && typeof entry.blocked === "boolean" && typeof entry.quota === "number") {
+          entries[key] = {
+            caps: entry.caps,
+            blocked: entry.blocked,
+            quota: entry.quota
+          };
+        }
+      }
+      return { defaultPolicy: parsed.defaultPolicy, entries };
+    }
+  } catch {
+  }
+  return createState("permissive");
+}
+
+// src/migrate.ts
+function migrateAclState(state) {
+  const newEntries = {};
+  let migrated = false;
+  for (const [key, entry] of Object.entries(state.entries)) {
+    const parts = key.split(":");
+    if (parts.length === 3) {
+      const newKey = `${parts[1]}:${parts[2]}`;
+      const existing = newEntries[newKey];
+      if (existing) {
+        newEntries[newKey] = {
+          caps: existing.caps | entry.caps,
+          blocked: existing.blocked || entry.blocked,
+          quota: Math.max(existing.quota, entry.quota)
+        };
+      } else {
+        newEntries[newKey] = entry;
+      }
+      migrated = true;
+    } else {
+      const existing = newEntries[key];
+      if (existing) {
+        newEntries[key] = {
+          caps: existing.caps | entry.caps,
+          blocked: existing.blocked || entry.blocked,
+          quota: Math.max(existing.quota, entry.quota)
+        };
+      } else {
+        newEntries[key] = entry;
+      }
+    }
+  }
+  if (!migrated) return state;
+  return { defaultPolicy: state.defaultPolicy, entries: newEntries };
+}
+
+// src/resolve.ts
+function relayMap(action) {
+  if (action === "publish") return { senderCap: "relay:write", recipientCap: "relay:read" };
+  if (action === "publishEncrypted") return { senderCap: "relay:write", recipientCap: null };
+  return { senderCap: "relay:read", recipientCap: null };
+}
+function identityMap(action) {
+  if (action === "getPublicKey" || action === "getRelays") {
+    return { senderCap: null, recipientCap: null };
+  }
+  return { senderCap: "identity:read", recipientCap: null };
+}
+function keysMap(action) {
+  if (action === "forward" || action === "action") {
+    return { senderCap: "keys:forward", recipientCap: null };
+  }
+  return { senderCap: "keys:bind", recipientCap: null };
+}
+function notifyMap(action) {
+  if (action === "channel.register" || action === "permission.request" || action === "permission.result") {
+    return { senderCap: "notify:channel", recipientCap: null };
+  }
+  return { senderCap: "notify:send", recipientCap: null };
+}
+function storageMap(action) {
+  if (action === "get" || action === "keys") return { senderCap: "state:read", recipientCap: null };
+  if (action === "set" || action === "remove") return { senderCap: "state:write", recipientCap: null };
+  return { senderCap: null, recipientCap: null };
+}
+function ifcMap(action) {
+  if (action === "emit" || action === "channel.emit" || action === "channel.broadcast") {
+    return { senderCap: "relay:write", recipientCap: "relay:read" };
+  }
+  return { senderCap: "relay:read", recipientCap: null };
+}
+function themeMap(action) {
+  if (action === "changed") return { senderCap: null, recipientCap: "theme:read" };
+  return { senderCap: "theme:read", recipientCap: null };
+}
+function resolveCapabilitiesNub(msg) {
+  const dotIdx = msg.type.indexOf(".");
+  if (dotIdx === -1) return { senderCap: null, recipientCap: null };
+  const domain = msg.type.slice(0, dotIdx);
+  const action = msg.type.slice(dotIdx + 1);
+  switch (domain) {
+    case "relay":
+      return relayMap(action);
+    case "identity":
+      return identityMap(action);
+    case "keys":
+      return keysMap(action);
+    case "media":
+      return { senderCap: "media:control", recipientCap: null };
+    case "notify":
+      return notifyMap(action);
+    case "storage":
+      return storageMap(action);
+    case "ifc":
+      return ifcMap(action);
+    case "theme":
+      return themeMap(action);
+    default:
+      return { senderCap: null, recipientCap: null };
+  }
+}
+export {
+  ALL_CAPABILITIES,
+  CAP_ALL,
+  CAP_CACHE_READ,
+  CAP_CACHE_WRITE,
+  CAP_HOTKEY_FORWARD,
+  CAP_IDENTITY_READ,
+  CAP_KEYS_BIND,
+  CAP_KEYS_FORWARD,
+  CAP_MEDIA_CONTROL,
+  CAP_NONE,
+  CAP_NOTIFY_CHANNEL,
+  CAP_NOTIFY_SEND,
+  CAP_RELAY_READ,
+  CAP_RELAY_WRITE,
+  CAP_SIGN_EVENT,
+  CAP_SIGN_NIP04,
+  CAP_SIGN_NIP44,
+  CAP_STATE_READ,
+  CAP_STATE_WRITE,
+  CAP_THEME_READ,
+  DEFAULT_QUOTA,
+  block,
+  check,
+  createState,
+  deserialize,
+  getQuota,
+  grant,
+  migrateAclState,
+  resolveCapabilitiesNub,
+  revoke,
+  serialize,
+  setQuota,
+  toKey,
+  unblock
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/types.ts","../src/check.ts","../src/mutations.ts","../src/migrate.ts","../src/resolve.ts"],"sourcesContent":["/**\n * @kehto/acl — Type definitions and capability bit constants.\n *\n * All types use Readonly<> to enforce immutability at the type level.\n * Capability constants are bitfield values for fast check/grant/revoke.\n */\n\n// ─── Capability Bit Constants ─────────────────────────────────────────────────\n\n/** relay:read — subscribe to relay events */\nexport const CAP_RELAY_READ    = 1 << 0;   // 1\n/** relay:write — publish events to relays */\nexport const CAP_RELAY_WRITE   = 1 << 1;   // 2\n/** cache:read — read from local cache */\nexport const CAP_CACHE_READ    = 1 << 2;   // 4\n/** cache:write — write to local cache */\nexport const CAP_CACHE_WRITE   = 1 << 3;   // 8\n/** hotkey:forward — forward keyboard shortcuts to shell */\nexport const CAP_HOTKEY_FORWARD = 1 << 4;  // 16\n/** sign:event — request event signing */\nexport const CAP_SIGN_EVENT    = 1 << 5;   // 32\n/** sign:nip04 — request NIP-04 encrypt/decrypt */\nexport const CAP_SIGN_NIP04    = 1 << 6;   // 64\n/** sign:nip44 — request NIP-44 encrypt/decrypt */\nexport const CAP_SIGN_NIP44    = 1 << 7;   // 128\n/** state:read — read napplet-scoped state */\nexport const CAP_STATE_READ    = 1 << 8;   // 256\n/** state:write — write napplet-scoped state */\nexport const CAP_STATE_WRITE   = 1 << 9;   // 512\n\n/** All capabilities granted (bits 0-9 set) */\nexport const CAP_ALL = (1 << 10) - 1;      // 1023\n\n/** No capabilities granted */\nexport const CAP_NONE = 0;\n\n// ─── Identity ─────────────────────────────────────────────────────────────────\n\n/**\n * Napplet identity — composite key for ACL lookups.\n *\n * Under NIP-5D v0.1.0, identity is assigned from the NIP-5A manifest\n * at iframe creation time. The pubkey field is no longer used.\n *\n * @param pubkey - (deprecated) Ephemeral AUTH keypair pubkey. Ignored by toKey().\n * @param dTag - Derived tag (deterministic from napp type)\n * @param hash - Aggregate hash of napplet build artifacts\n */\nexport interface Identity {\n  /** @deprecated NIP-5D: AUTH keypair no longer exists. Pass '' or omit entirely.\n   *  Kept as optional for backward compatibility during data migration. */\n  readonly pubkey?: string;\n  readonly dTag: string;\n  readonly hash: string;\n}\n\n// ─── ACL Entry ────────────────────────────────────────────────────────────────\n\n/**\n * A single ACL entry for one napplet identity.\n *\n * @param caps - Bitfield of granted capabilities (use CAP_* constants)\n * @param blocked - Orthogonal block flag; when true, all checks fail regardless of caps\n * @param quota - State storage quota in bytes\n */\nexport interface AclEntry {\n  readonly caps: number;\n  readonly blocked: boolean;\n  readonly quota: number;\n}\n\n// ─── ACL State ────────────────────────────────────────────────────────────────\n\n/**\n * Complete ACL state — immutable data structure.\n *\n * All mutations return a new AclState; the original is never modified.\n *\n * @param defaultPolicy - 'permissive' grants all caps to unknown identities;\n *                        'restrictive' denies all caps to unknown identities\n * @param entries - Map from composite key ('dTag:hash') to AclEntry\n */\nexport interface AclState {\n  readonly defaultPolicy: 'permissive' | 'restrictive';\n  readonly entries: Readonly<Record<string, AclEntry>>;\n}\n\n/** Default state storage quota in bytes (512 KB) */\nexport const DEFAULT_QUOTA = 512 * 1024;\n","/**\n * @kehto/acl — Pure check function.\n *\n * Determines whether an identity has a specific capability.\n * No side effects, no I/O, no mutations.\n */\n\nimport type { AclState, Identity } from './types.js';\n\n/**\n * Compute composite key from identity fields.\n *\n * Under NIP-5D v0.1.0, the key is 'dTag:hash' (pubkey is ignored).\n *\n * @param identity - Napplet identity\n * @returns Composite key string 'dTag:hash'\n *\n * @example\n * ```ts\n * toKey({ dTag: 'chat', hash: 'ff00' })\n * // => 'chat:ff00'\n * ```\n */\nexport function toKey(identity: Identity): string {\n  return `${identity.dTag}:${identity.hash}`;\n}\n\n/**\n * Check whether an identity has a specific capability.\n *\n * Decision logic:\n * 1. If identity has no entry: return based on defaultPolicy\n *    - 'permissive' → true (all caps granted to unknown identities)\n *    - 'restrictive' → false (all caps denied to unknown identities)\n * 2. If identity is blocked: return false (blocked overrides all caps)\n * 3. Otherwise: return (entry.caps & cap) !== 0\n *\n * @param state - Current ACL state (immutable)\n * @param identity - Napplet identity to check\n * @param cap - Capability bit constant (e.g., CAP_RELAY_READ)\n * @returns true if the identity has the capability, false otherwise\n *\n * @example\n * ```ts\n * import { check, createState, grant } from '@kehto/acl';\n * import { CAP_RELAY_READ } from '@kehto/acl';\n *\n * const state = createState('restrictive');\n * const id = { dTag: 'chat', hash: 'ff00' };\n *\n * check(state, id, CAP_RELAY_READ); // false (restrictive, no entry)\n *\n * const state2 = grant(state, id, CAP_RELAY_READ);\n * check(state2, id, CAP_RELAY_READ); // true\n * ```\n */\nexport function check(state: AclState, identity: Identity, cap: number): boolean {\n  const key = toKey(identity);\n  const entry = state.entries[key];\n  if (!entry) {\n    return state.defaultPolicy === 'permissive';\n  }\n  if (entry.blocked) {\n    return false;\n  }\n  return (entry.caps & cap) !== 0;\n}\n","/**\n * @kehto/acl — Pure state mutation functions.\n *\n * Every function takes an AclState and returns a NEW AclState.\n * The original state is never modified. No side effects, no I/O.\n */\n\nimport type { AclState, AclEntry, Identity } from './types.js';\nimport { CAP_ALL, DEFAULT_QUOTA } from './types.js';\nimport { toKey } from './check.js';\n\n/**\n * Create a new ACL state with the given default policy.\n *\n * @param policy - 'permissive' grants all caps to unknown identities;\n *                 'restrictive' denies all caps to unknown identities.\n *                 Defaults to 'permissive'.\n * @returns A new empty AclState\n *\n * @example\n * ```ts\n * const state = createState('restrictive');\n * // { defaultPolicy: 'restrictive', entries: {} }\n * ```\n */\nexport function createState(policy: 'permissive' | 'restrictive' = 'permissive'): AclState {\n  return { defaultPolicy: policy, entries: {} };\n}\n\n/**\n * Get the entry for an identity, or a default entry based on policy.\n * Internal helper — not exported.\n */\nfunction getEntry(state: AclState, key: string): AclEntry {\n  const existing = state.entries[key];\n  if (existing) return existing;\n  // Default entry: all caps if permissive, no caps if restrictive\n  return {\n    caps: state.defaultPolicy === 'permissive' ? CAP_ALL : 0,\n    blocked: false,\n    quota: DEFAULT_QUOTA,\n  };\n}\n\n/**\n * Grant a capability to an identity.\n *\n * If the identity has no entry, one is created with default caps plus the granted cap.\n * Returns a new AclState — the original is not modified.\n *\n * @param state - Current ACL state\n * @param identity - Napplet identity\n * @param cap - Capability bit constant to grant (e.g., CAP_RELAY_READ)\n * @returns New AclState with the capability granted\n *\n * @example\n * ```ts\n * const state2 = grant(state, id, CAP_RELAY_READ);\n * check(state2, id, CAP_RELAY_READ); // true\n * ```\n */\nexport function grant(state: AclState, identity: Identity, cap: number): AclState {\n  const key = toKey(identity);\n  const entry = getEntry(state, key);\n  return {\n    ...state,\n    entries: {\n      ...state.entries,\n      [key]: { ...entry, caps: entry.caps | cap },\n    },\n  };\n}\n\n/**\n * Revoke a capability from an identity.\n *\n * If the identity has no entry, one is created with default caps minus the revoked cap.\n * Returns a new AclState — the original is not modified.\n *\n * @param state - Current ACL state\n * @param identity - Napplet identity\n * @param cap - Capability bit constant to revoke (e.g., CAP_RELAY_WRITE)\n * @returns New AclState with the capability revoked\n *\n * @example\n * ```ts\n * const state2 = revoke(state, id, CAP_RELAY_WRITE);\n * check(state2, id, CAP_RELAY_WRITE); // false\n * ```\n */\nexport function revoke(state: AclState, identity: Identity, cap: number): AclState {\n  const key = toKey(identity);\n  const entry = getEntry(state, key);\n  return {\n    ...state,\n    entries: {\n      ...state.entries,\n      [key]: { ...entry, caps: entry.caps & ~cap },\n    },\n  };\n}\n\n/**\n * Block an identity.\n *\n * A blocked identity fails all capability checks regardless of granted caps.\n * The caps bitfield is preserved — unblocking restores previous capabilities.\n * Returns a new AclState — the original is not modified.\n *\n * @param state - Current ACL state\n * @param identity - Napplet identity to block\n * @returns New AclState with the identity blocked\n *\n * @example\n * ```ts\n * const state2 = block(state, id);\n * check(state2, id, CAP_RELAY_READ); // false (blocked)\n * ```\n */\nexport function block(state: AclState, identity: Identity): AclState {\n  const key = toKey(identity);\n  const entry = getEntry(state, key);\n  return {\n    ...state,\n    entries: {\n      ...state.entries,\n      [key]: { ...entry, blocked: true },\n    },\n  };\n}\n\n/**\n * Unblock an identity.\n *\n * Restores capability checks to use the caps bitfield.\n * Returns a new AclState — the original is not modified.\n *\n * @param state - Current ACL state\n * @param identity - Napplet identity to unblock\n * @returns New AclState with the identity unblocked\n *\n * @example\n * ```ts\n * const state2 = unblock(state, id);\n * check(state2, id, CAP_RELAY_READ); // true (if cap was granted)\n * ```\n */\nexport function unblock(state: AclState, identity: Identity): AclState {\n  const key = toKey(identity);\n  const entry = getEntry(state, key);\n  return {\n    ...state,\n    entries: {\n      ...state.entries,\n      [key]: { ...entry, blocked: false },\n    },\n  };\n}\n\n/**\n * Set the state storage quota for an identity.\n *\n * @param state - Current ACL state\n * @param identity - Napplet identity\n * @param bytes - Quota in bytes\n * @returns New AclState with the quota set\n *\n * @example\n * ```ts\n * const state2 = setQuota(state, id, 1024 * 1024); // 1 MB\n * getQuota(state2, id); // 1048576\n * ```\n */\nexport function setQuota(state: AclState, identity: Identity, bytes: number): AclState {\n  const key = toKey(identity);\n  const entry = getEntry(state, key);\n  return {\n    ...state,\n    entries: {\n      ...state.entries,\n      [key]: { ...entry, quota: bytes },\n    },\n  };\n}\n\n/**\n * Get the state storage quota for an identity.\n *\n * Returns DEFAULT_QUOTA (512 KB) if no entry exists.\n *\n * @param state - Current ACL state\n * @param identity - Napplet identity\n * @returns Quota in bytes\n *\n * @example\n * ```ts\n * getQuota(state, id); // 524288 (default 512 KB)\n * ```\n */\nexport function getQuota(state: AclState, identity: Identity): number {\n  const key = toKey(identity);\n  const entry = state.entries[key];\n  return entry?.quota ?? DEFAULT_QUOTA;\n}\n\n/**\n * Serialize ACL state to a JSON string.\n *\n * Pure function — no I/O. The persistence adapter in @kehto/shell\n * uses this to write state to localStorage or other backends.\n *\n * @param state - ACL state to serialize\n * @returns JSON string representation\n *\n * @example\n * ```ts\n * const json = serialize(state);\n * localStorage.setItem('napplet:acl', json);\n * ```\n */\nexport function serialize(state: AclState): string {\n  return JSON.stringify(state);\n}\n\n/**\n * Deserialize ACL state from a JSON string.\n *\n * Pure function — no I/O. Returns a valid AclState or a fresh\n * permissive state if the input is invalid.\n *\n * @param json - JSON string to parse\n * @returns Parsed AclState, or fresh permissive state on parse failure\n *\n * @example\n * ```ts\n * const json = localStorage.getItem('napplet:acl') ?? '';\n * const state = deserialize(json);\n * ```\n */\nexport function deserialize(json: string): AclState {\n  try {\n    const parsed = JSON.parse(json);\n    if (\n      typeof parsed === 'object' &&\n      parsed !== null &&\n      (parsed.defaultPolicy === 'permissive' || parsed.defaultPolicy === 'restrictive') &&\n      typeof parsed.entries === 'object' &&\n      parsed.entries !== null\n    ) {\n      // Validate each entry\n      const entries: Record<string, AclEntry> = {};\n      for (const [key, value] of Object.entries(parsed.entries)) {\n        const entry = value as Record<string, unknown>;\n        if (\n          typeof entry.caps === 'number' &&\n          typeof entry.blocked === 'boolean' &&\n          typeof entry.quota === 'number'\n        ) {\n          entries[key] = {\n            caps: entry.caps,\n            blocked: entry.blocked,\n            quota: entry.quota,\n          };\n        }\n      }\n      return { defaultPolicy: parsed.defaultPolicy, entries };\n    }\n  } catch {\n    // Invalid JSON — fall through to default\n  }\n  return createState('permissive');\n}\n","/**\n * @kehto/acl — ACL state migration utility.\n *\n * Provides a pure function to migrate persisted ACL state from the old\n * 3-segment composite key format (pubkey:dTag:hash) to the new 2-segment\n * format (dTag:hash) introduced in NIP-5D v0.1.0.\n *\n * No I/O, no side effects. Pure function: takes AclState, returns AclState.\n */\n\nimport type { AclState, AclEntry } from './types.js';\n\n/**\n * Migrate ACL state from old 3-segment key format to new 2-segment key format.\n *\n * Converts entries stored under 'pubkey:dTag:hash' keys to 'dTag:hash' keys.\n * If two old entries map to the same dTag:hash, merges them conservatively:\n * - caps: OR of both bitfields (never removes a granted capability)\n * - blocked: OR of both flags (blocks if either source was blocked)\n * - quota: MAX of both values (keeps the higher allocation)\n *\n * Idempotent: if no 3-segment keys are found, returns the original state\n * unchanged (same object reference).\n *\n * @param state - Current ACL state (may contain old-format entries)\n * @returns Migrated AclState with only 2-segment keys, or the original\n *          state unchanged if no migration was needed\n *\n * @example\n * ```ts\n * const oldState = deserialize(localStorage.getItem('napplet:acl') ?? '');\n * const newState = migrateAclState(oldState);\n * if (newState !== oldState) {\n *   // Migration occurred — persist the new format\n *   localStorage.setItem('napplet:acl', serialize(newState));\n * }\n * ```\n */\nexport function migrateAclState(state: AclState): AclState {\n  const newEntries: Record<string, AclEntry> = {};\n  let migrated = false;\n\n  for (const [key, entry] of Object.entries(state.entries)) {\n    const parts = key.split(':');\n    if (parts.length === 3) {\n      // Old format: pubkey:dTag:hash -> dTag:hash\n      const newKey = `${parts[1]}:${parts[2]}`;\n      const existing = newEntries[newKey];\n      if (existing) {\n        // Merge: union caps, preserve block, max quota\n        newEntries[newKey] = {\n          caps: existing.caps | entry.caps,\n          blocked: existing.blocked || entry.blocked,\n          quota: Math.max(existing.quota, entry.quota),\n        };\n      } else {\n        newEntries[newKey] = entry;\n      }\n      migrated = true;\n    } else {\n      // Already new format or other key — merge if collision with a previously migrated entry\n      const existing = newEntries[key];\n      if (existing) {\n        // Collision: old-format entry was processed first under the same key — merge\n        newEntries[key] = {\n          caps: existing.caps | entry.caps,\n          blocked: existing.blocked || entry.blocked,\n          quota: Math.max(existing.quota, entry.quota),\n        };\n      } else {\n        newEntries[key] = entry;\n      }\n    }\n  }\n\n  if (!migrated) return state; // No old entries found — return original unchanged\n\n  return { defaultPolicy: state.defaultPolicy, entries: newEntries };\n}\n","/**\n * @kehto/acl — NUB domain capability resolution (8-domain canonical).\n *\n * Maps NUB message types (e.g., 'relay.subscribe', 'identity.getProfile') to\n * the capability strings required by sender and recipient. This is the\n * canonical source for \"which capability does this NUB operation require?\"\n * in the @kehto/acl package.\n *\n * Canonical NIP-5D 8 domains: identity, keys, media, notify, relay,\n * storage, ifc, theme. The v1.1 `signer` domain is REMOVED — getPublicKey/\n * getRelays migrated to `identity`; signEvent/nip04/nip44 have no\n * napplet-visible surface (shell handles encryption inside\n * `relay.publishEncrypted`).\n *\n * Zero dependencies. No imports from @napplet/core or any external package.\n *\n * @see packages/acl/src/capabilities.ts for cap string constants + ALL_CAPABILITIES.\n * @see docs/ACL-MIGRATION.md section 2 — Capability Constant to NUB Domain Mapping.\n */\n\n// ─── Types ────────────────────────────────────────────────────────────────────\n\n/**\n * Minimal message shape used for capability resolution.\n *\n * Compatible with NappletMessage from @napplet/core, but defined here\n * independently to maintain @kehto/acl's zero-dependency constraint.\n *\n * @param type - NUB message type, e.g. 'relay.subscribe', 'identity.getProfile'\n */\nexport interface NubMessage {\n  readonly type: string;\n}\n\n/**\n * Result of resolving what capabilities a NUB message requires.\n *\n * | Field          | Description                                                    |\n * |----------------|----------------------------------------------------------------|\n * | `senderCap`    | Capability the sender must have, or null if no check needed    |\n * | `recipientCap` | Capability the recipient must have, or null if no check needed |\n *\n * @param senderCap - Capability the sender must have, or null if no ACL gate required\n * @param recipientCap - Capability the recipient must have, or null if no recipient check\n */\nexport interface CapabilityResolution {\n  readonly senderCap: string | null;\n  readonly recipientCap: string | null;\n}\n\n// ─── Per-domain resolvers ─────────────────────────────────────────────────────\n\n/**\n * `relay.*` — split publish / publishEncrypted / read actions.\n *\n * - `publish`          → sender `relay:write`, recipient `relay:read`.\n * - `publishEncrypted` → sender `relay:write`, recipient `null` (the shell\n *   handles encryption internally; no napplet-visible recipient ACL check).\n * - `subscribe` / `query` / `close` (and `.result` / `event` / `eose` /\n *   `closed` / `publish.result` / `publishEncrypted.result`) → sender\n *   `relay:read`, recipient `null`.\n */\nfunction relayMap(action: string): CapabilityResolution {\n  if (action === 'publish') return { senderCap: 'relay:write', recipientCap: 'relay:read' };\n  if (action === 'publishEncrypted') return { senderCap: 'relay:write', recipientCap: null };\n  return { senderCap: 'relay:read', recipientCap: null };\n}\n\n/**\n * `identity.*` — split shell-public reads from gated profile reads.\n *\n * - `getPublicKey` / `getRelays`            → `null`/`null` (shell-public info).\n * - `getProfile` / `getFollows` / `getList` / `getZaps` / `getMutes` /\n *   `getBlocked` / `getBadges` (and any other identity read) → sender\n *   `identity:read`, recipient `null`.\n */\nfunction identityMap(action: string): CapabilityResolution {\n  if (action === 'getPublicKey' || action === 'getRelays') {\n    return { senderCap: null, recipientCap: null };\n  }\n  return { senderCap: 'identity:read', recipientCap: null };\n}\n\n/**\n * `keys.*` — split forwarding from binding lifecycle.\n *\n * - `forward` / `action`                                    → `keys:forward`.\n * - `registerAction` / `unregisterAction` / `bindings`      → `keys:bind`.\n */\nfunction keysMap(action: string): CapabilityResolution {\n  if (action === 'forward' || action === 'action') {\n    return { senderCap: 'keys:forward', recipientCap: null };\n  }\n  return { senderCap: 'keys:bind', recipientCap: null };\n}\n\n/**\n * `notify.*` — split channel/permission registration from send/interaction.\n *\n * - `channel.register` / `permission.request` / `permission.result` → `notify:channel`.\n * - `send` / `dismiss` / `badge` / `send.result` / `action` / `clicked` /\n *   `dismissed` / `controls` (and any other notify action)          → `notify:send`.\n */\nfunction notifyMap(action: string): CapabilityResolution {\n  if (\n    action === 'channel.register' ||\n    action === 'permission.request' ||\n    action === 'permission.result'\n  ) {\n    return { senderCap: 'notify:channel', recipientCap: null };\n  }\n  return { senderCap: 'notify:send', recipientCap: null };\n}\n\n/**\n * `storage.*` — narrowed to the canonical 4 actions (get/keys/set/remove).\n *\n * - `get` / `keys`      → `state:read`.\n * - `set` / `remove`    → `state:write`.\n * - anything else (incl. the removed `clear`) → `null`/`null`. The runtime\n *   storage handler rejects non-canonical actions before ACL resolution so\n *   napplets see the explicit rejection rather than a misleading cap denial.\n */\nfunction storageMap(action: string): CapabilityResolution {\n  if (action === 'get' || action === 'keys') return { senderCap: 'state:read', recipientCap: null };\n  if (action === 'set' || action === 'remove') return { senderCap: 'state:write', recipientCap: null };\n  return { senderCap: null, recipientCap: null };\n}\n\n/**\n * `ifc.*` — topic + channel sub-protocol.\n *\n * - Write actions (`emit`, `channel.emit`, `channel.broadcast`) → sender\n *   `relay:write`, recipient `relay:read`. Semantically equivalent to relay\n *   publish: point-to-point or fan-out writes gate on relay-write at wire\n *   level even though channel membership ACL is enforced at `channel.open`.\n * - Read / control actions (`subscribe`, `unsubscribe`, `channel.open`,\n *   `channel.list`, `channel.close`)                             → sender\n *   `relay:read`, recipient `null`. Channel open-time ACL semantics: the\n *   caller must already hold `relay:read`, and channel membership is\n *   recorded by the ifc handler.\n */\nfunction ifcMap(action: string): CapabilityResolution {\n  if (action === 'emit' || action === 'channel.emit' || action === 'channel.broadcast') {\n    return { senderCap: 'relay:write', recipientCap: 'relay:read' };\n  }\n  return { senderCap: 'relay:read', recipientCap: null };\n}\n\n/**\n * `theme.*` — napplet read gate vs shell-initiated push.\n *\n * - `get` / `get.result` (and any other napplet-originated query) →\n *   sender `theme:read`, recipient `null`.\n * - `changed` (shell → napplet push)                              →\n *   sender `null`, recipient `theme:read`. The push is gated against the\n *   receiving napplet's cap so a napplet without `theme:read` never sees\n *   the update.\n *\n * Note: theme's runtime/service wiring lands in Phase 13. The ACL gate is\n * defined here in Phase 12 so the cap surface is canonical ahead of the\n * runtime work.\n */\nfunction themeMap(action: string): CapabilityResolution {\n  if (action === 'changed') return { senderCap: null, recipientCap: 'theme:read' };\n  return { senderCap: 'theme:read', recipientCap: null };\n}\n\n// ─── Resolution ───────────────────────────────────────────────────────────────\n\n/**\n * Resolve the capabilities required by a NUB message.\n *\n * Splits `msg.type` on '.' to obtain `[domain, action]`, then dispatches to\n * a per-domain mapper. Unknown domains return `null/null` (silently ignored).\n *\n * **NUB domain mapping table (8 canonical domains):**\n *\n * | Domain     | Action(s)                                                    | senderCap       | recipientCap  |\n * |------------|--------------------------------------------------------------|-----------------|---------------|\n * | `relay`    | `subscribe`, `query`, `close`, results/pushes                | `relay:read`    | `null`        |\n * | `relay`    | `publish`                                                    | `relay:write`   | `relay:read`  |\n * | `relay`    | `publishEncrypted`                                           | `relay:write`   | `null`        |\n * | `identity` | `getPublicKey`, `getRelays`                                 | `null`          | `null`        |\n * | `identity` | `getProfile/getFollows/getList/getZaps/getMutes/...`        | `identity:read` | `null`        |\n * | `keys`     | `forward`, `action`                                         | `keys:forward`  | `null`        |\n * | `keys`     | `registerAction`, `unregisterAction`, `bindings`            | `keys:bind`     | `null`        |\n * | `media`    | any                                                         | `media:control` | `null`        |\n * | `notify`   | `channel.register`, `permission.request`, `permission.result` | `notify:channel`| `null`        |\n * | `notify`   | `send`, `dismiss`, `badge`, `clicked`, `action`, ...        | `notify:send`   | `null`        |\n * | `storage`  | `get`, `keys`                                               | `state:read`    | `null`        |\n * | `storage`  | `set`, `remove`                                             | `state:write`   | `null`        |\n * | `storage`  | any other (incl. removed `clear`)                           | `null`          | `null`        |\n * | `ifc`      | `emit`, `channel.emit`, `channel.broadcast`                 | `relay:write`   | `relay:read`  |\n * | `ifc`      | `subscribe`, `unsubscribe`, `channel.open/list/close`       | `relay:read`    | `null`        |\n * | `theme`    | `get`, `get.result`                                         | `theme:read`    | `null`        |\n * | `theme`    | `changed` (shell → napplet push)                            | `null`          | `theme:read`  |\n * | unknown    | any                                                         | `null`          | `null`        |\n *\n * The `signer` domain is REMOVED — signer messages fall through to the\n * default null/null branch. `getPublicKey`/`getRelays` migrated to\n * `identity`; napplet-visible signing does not exist in NIP-5D (shell\n * signs internally for `relay.publishEncrypted`).\n *\n * @param msg - Message with a `type` field in NUB format (e.g., 'relay.subscribe')\n * @returns CapabilityResolution with senderCap and recipientCap (each may be null)\n *\n * @example\n * ```ts\n * resolveCapabilitiesNub({ type: 'relay.subscribe' })\n * // => { senderCap: 'relay:read', recipientCap: null }\n *\n * resolveCapabilitiesNub({ type: 'relay.publishEncrypted' })\n * // => { senderCap: 'relay:write', recipientCap: null }\n *\n * resolveCapabilitiesNub({ type: 'identity.getProfile' })\n * // => { senderCap: 'identity:read', recipientCap: null }\n *\n * resolveCapabilitiesNub({ type: 'keys.forward' })\n * // => { senderCap: 'keys:forward', recipientCap: null }\n *\n * resolveCapabilitiesNub({ type: 'ifc.channel.broadcast' })\n * // => { senderCap: 'relay:write', recipientCap: 'relay:read' }\n *\n * resolveCapabilitiesNub({ type: 'theme.changed' })\n * // => { senderCap: null, recipientCap: 'theme:read' }\n *\n * resolveCapabilitiesNub({ type: 'signer.signEvent' })\n * // => { senderCap: null, recipientCap: null }   // domain removed\n * ```\n */\nexport function resolveCapabilitiesNub(msg: NubMessage): CapabilityResolution {\n  const dotIdx = msg.type.indexOf('.');\n  if (dotIdx === -1) return { senderCap: null, recipientCap: null };\n  const domain = msg.type.slice(0, dotIdx);\n  const action = msg.type.slice(dotIdx + 1);\n\n  switch (domain) {\n    case 'relay':    return relayMap(action);\n    case 'identity': return identityMap(action);\n    case 'keys':     return keysMap(action);\n    case 'media':    return { senderCap: 'media:control', recipientCap: null };\n    case 'notify':   return notifyMap(action);\n    case 'storage':  return storageMap(action);\n    case 'ifc':      return ifcMap(action);\n    case 'theme':    return themeMap(action);\n    default:         return { senderCap: null, recipientCap: null };\n  }\n}\n"],"mappings":";;;;;;;;;;;;AAUO,IAAM,iBAAoB,KAAK;AAE/B,IAAM,kBAAoB,KAAK;AAE/B,IAAM,iBAAoB,KAAK;AAE/B,IAAM,kBAAoB,KAAK;AAE/B,IAAM,qBAAqB,KAAK;AAEhC,IAAM,iBAAoB,KAAK;AAE/B,IAAM,iBAAoB,KAAK;AAE/B,IAAM,iBAAoB,KAAK;AAE/B,IAAM,iBAAoB,KAAK;AAE/B,IAAM,kBAAoB,KAAK;AAG/B,IAAM,WAAW,KAAK,MAAM;AAG5B,IAAM,WAAW;AAsDjB,IAAM,gBAAgB,MAAM;;;ACjE5B,SAAS,MAAM,UAA4B;AAChD,SAAO,GAAG,SAAS,IAAI,IAAI,SAAS,IAAI;AAC1C;AA+BO,SAAS,MAAM,OAAiB,UAAoB,KAAsB;AAC/E,QAAM,MAAM,MAAM,QAAQ;AAC1B,QAAM,QAAQ,MAAM,QAAQ,GAAG;AAC/B,MAAI,CAAC,OAAO;AACV,WAAO,MAAM,kBAAkB;AAAA,EACjC;AACA,MAAI,MAAM,SAAS;AACjB,WAAO;AAAA,EACT;AACA,UAAQ,MAAM,OAAO,SAAS;AAChC;;;ACzCO,SAAS,YAAY,SAAuC,cAAwB;AACzF,SAAO,EAAE,eAAe,QAAQ,SAAS,CAAC,EAAE;AAC9C;AAMA,SAAS,SAAS,OAAiB,KAAuB;AACxD,QAAM,WAAW,MAAM,QAAQ,GAAG;AAClC,MAAI,SAAU,QAAO;AAErB,SAAO;AAAA,IACL,MAAM,MAAM,kBAAkB,eAAe,UAAU;AAAA,IACvD,SAAS;AAAA,IACT,OAAO;AAAA,EACT;AACF;AAmBO,SAAS,MAAM,OAAiB,UAAoB,KAAuB;AAChF,QAAM,MAAM,MAAM,QAAQ;AAC1B,QAAM,QAAQ,SAAS,OAAO,GAAG;AACjC,SAAO;AAAA,IACL,GAAG;AAAA,IACH,SAAS;AAAA,MACP,GAAG,MAAM;AAAA,MACT,CAAC,GAAG,GAAG,EAAE,GAAG,OAAO,MAAM,MAAM,OAAO,IAAI;AAAA,IAC5C;AAAA,EACF;AACF;AAmBO,SAAS,OAAO,OAAiB,UAAoB,KAAuB;AACjF,QAAM,MAAM,MAAM,QAAQ;AAC1B,QAAM,QAAQ,SAAS,OAAO,GAAG;AACjC,SAAO;AAAA,IACL,GAAG;AAAA,IACH,SAAS;AAAA,MACP,GAAG,MAAM;AAAA,MACT,CAAC,GAAG,GAAG,EAAE,GAAG,OAAO,MAAM,MAAM,OAAO,CAAC,IAAI;AAAA,IAC7C;AAAA,EACF;AACF;AAmBO,SAAS,MAAM,OAAiB,UAA8B;AACnE,QAAM,MAAM,MAAM,QAAQ;AAC1B,QAAM,QAAQ,SAAS,OAAO,GAAG;AACjC,SAAO;AAAA,IACL,GAAG;AAAA,IACH,SAAS;AAAA,MACP,GAAG,MAAM;AAAA,MACT,CAAC,GAAG,GAAG,EAAE,GAAG,OAAO,SAAS,KAAK;AAAA,IACnC;AAAA,EACF;AACF;AAkBO,SAAS,QAAQ,OAAiB,UAA8B;AACrE,QAAM,MAAM,MAAM,QAAQ;AAC1B,QAAM,QAAQ,SAAS,OAAO,GAAG;AACjC,SAAO;AAAA,IACL,GAAG;AAAA,IACH,SAAS;AAAA,MACP,GAAG,MAAM;AAAA,MACT,CAAC,GAAG,GAAG,EAAE,GAAG,OAAO,SAAS,MAAM;AAAA,IACpC;AAAA,EACF;AACF;AAgBO,SAAS,SAAS,OAAiB,UAAoB,OAAyB;AACrF,QAAM,MAAM,MAAM,QAAQ;AAC1B,QAAM,QAAQ,SAAS,OAAO,GAAG;AACjC,SAAO;AAAA,IACL,GAAG;AAAA,IACH,SAAS;AAAA,MACP,GAAG,MAAM;AAAA,MACT,CAAC,GAAG,GAAG,EAAE,GAAG,OAAO,OAAO,MAAM;AAAA,IAClC;AAAA,EACF;AACF;AAgBO,SAAS,SAAS,OAAiB,UAA4B;AACpE,QAAM,MAAM,MAAM,QAAQ;AAC1B,QAAM,QAAQ,MAAM,QAAQ,GAAG;AAC/B,SAAO,OAAO,SAAS;AACzB;AAiBO,SAAS,UAAU,OAAyB;AACjD,SAAO,KAAK,UAAU,KAAK;AAC7B;AAiBO,SAAS,YAAY,MAAwB;AAClD,MAAI;AACF,UAAM,SAAS,KAAK,MAAM,IAAI;AAC9B,QACE,OAAO,WAAW,YAClB,WAAW,SACV,OAAO,kBAAkB,gBAAgB,OAAO,kBAAkB,kBACnE,OAAO,OAAO,YAAY,YAC1B,OAAO,YAAY,MACnB;AAEA,YAAM,UAAoC,CAAC;AAC3C,iBAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,OAAO,OAAO,GAAG;AACzD,cAAM,QAAQ;AACd,YACE,OAAO,MAAM,SAAS,YACtB,OAAO,MAAM,YAAY,aACzB,OAAO,MAAM,UAAU,UACvB;AACA,kBAAQ,GAAG,IAAI;AAAA,YACb,MAAM,MAAM;AAAA,YACZ,SAAS,MAAM;AAAA,YACf,OAAO,MAAM;AAAA,UACf;AAAA,QACF;AAAA,MACF;AACA,aAAO,EAAE,eAAe,OAAO,eAAe,QAAQ;AAAA,IACxD;AAAA,EACF,QAAQ;AAAA,EAER;AACA,SAAO,YAAY,YAAY;AACjC;;;ACzOO,SAAS,gBAAgB,OAA2B;AACzD,QAAM,aAAuC,CAAC;AAC9C,MAAI,WAAW;AAEf,aAAW,CAAC,KAAK,KAAK,KAAK,OAAO,QAAQ,MAAM,OAAO,GAAG;AACxD,UAAM,QAAQ,IAAI,MAAM,GAAG;AAC3B,QAAI,MAAM,WAAW,GAAG;AAEtB,YAAM,SAAS,GAAG,MAAM,CAAC,CAAC,IAAI,MAAM,CAAC,CAAC;AACtC,YAAM,WAAW,WAAW,MAAM;AAClC,UAAI,UAAU;AAEZ,mBAAW,MAAM,IAAI;AAAA,UACnB,MAAM,SAAS,OAAO,MAAM;AAAA,UAC5B,SAAS,SAAS,WAAW,MAAM;AAAA,UACnC,OAAO,KAAK,IAAI,SAAS,OAAO,MAAM,KAAK;AAAA,QAC7C;AAAA,MACF,OAAO;AACL,mBAAW,MAAM,IAAI;AAAA,MACvB;AACA,iBAAW;AAAA,IACb,OAAO;AAEL,YAAM,WAAW,WAAW,GAAG;AAC/B,UAAI,UAAU;AAEZ,mBAAW,GAAG,IAAI;AAAA,UAChB,MAAM,SAAS,OAAO,MAAM;AAAA,UAC5B,SAAS,SAAS,WAAW,MAAM;AAAA,UACnC,OAAO,KAAK,IAAI,SAAS,OAAO,MAAM,KAAK;AAAA,QAC7C;AAAA,MACF,OAAO;AACL,mBAAW,GAAG,IAAI;AAAA,MACpB;AAAA,IACF;AAAA,EACF;AAEA,MAAI,CAAC,SAAU,QAAO;AAEtB,SAAO,EAAE,eAAe,MAAM,eAAe,SAAS,WAAW;AACnE;;;AChBA,SAAS,SAAS,QAAsC;AACtD,MAAI,WAAW,UAAW,QAAO,EAAE,WAAW,eAAe,cAAc,aAAa;AACxF,MAAI,WAAW,mBAAoB,QAAO,EAAE,WAAW,eAAe,cAAc,KAAK;AACzF,SAAO,EAAE,WAAW,cAAc,cAAc,KAAK;AACvD;AAUA,SAAS,YAAY,QAAsC;AACzD,MAAI,WAAW,kBAAkB,WAAW,aAAa;AACvD,WAAO,EAAE,WAAW,MAAM,cAAc,KAAK;AAAA,EAC/C;AACA,SAAO,EAAE,WAAW,iBAAiB,cAAc,KAAK;AAC1D;AAQA,SAAS,QAAQ,QAAsC;AACrD,MAAI,WAAW,aAAa,WAAW,UAAU;AAC/C,WAAO,EAAE,WAAW,gBAAgB,cAAc,KAAK;AAAA,EACzD;AACA,SAAO,EAAE,WAAW,aAAa,cAAc,KAAK;AACtD;AASA,SAAS,UAAU,QAAsC;AACvD,MACE,WAAW,sBACX,WAAW,wBACX,WAAW,qBACX;AACA,WAAO,EAAE,WAAW,kBAAkB,cAAc,KAAK;AAAA,EAC3D;AACA,SAAO,EAAE,WAAW,eAAe,cAAc,KAAK;AACxD;AAWA,SAAS,WAAW,QAAsC;AACxD,MAAI,WAAW,SAAS,WAAW,OAAQ,QAAO,EAAE,WAAW,cAAc,cAAc,KAAK;AAChG,MAAI,WAAW,SAAS,WAAW,SAAU,QAAO,EAAE,WAAW,eAAe,cAAc,KAAK;AACnG,SAAO,EAAE,WAAW,MAAM,cAAc,KAAK;AAC/C;AAeA,SAAS,OAAO,QAAsC;AACpD,MAAI,WAAW,UAAU,WAAW,kBAAkB,WAAW,qBAAqB;AACpF,WAAO,EAAE,WAAW,eAAe,cAAc,aAAa;AAAA,EAChE;AACA,SAAO,EAAE,WAAW,cAAc,cAAc,KAAK;AACvD;AAgBA,SAAS,SAAS,QAAsC;AACtD,MAAI,WAAW,UAAW,QAAO,EAAE,WAAW,MAAM,cAAc,aAAa;AAC/E,SAAO,EAAE,WAAW,cAAc,cAAc,KAAK;AACvD;AAiEO,SAAS,uBAAuB,KAAuC;AAC5E,QAAM,SAAS,IAAI,KAAK,QAAQ,GAAG;AACnC,MAAI,WAAW,GAAI,QAAO,EAAE,WAAW,MAAM,cAAc,KAAK;AAChE,QAAM,SAAS,IAAI,KAAK,MAAM,GAAG,MAAM;AACvC,QAAM,SAAS,IAAI,KAAK,MAAM,SAAS,CAAC;AAExC,UAAQ,QAAQ;AAAA,IACd,KAAK;AAAY,aAAO,SAAS,MAAM;AAAA,IACvC,KAAK;AAAY,aAAO,YAAY,MAAM;AAAA,IAC1C,KAAK;AAAY,aAAO,QAAQ,MAAM;AAAA,IACtC,KAAK;AAAY,aAAO,EAAE,WAAW,iBAAiB,cAAc,KAAK;AAAA,IACzE,KAAK;AAAY,aAAO,UAAU,MAAM;AAAA,IACxC,KAAK;AAAY,aAAO,WAAW,MAAM;AAAA,IACzC,KAAK;AAAY,aAAO,OAAO,MAAM;AAAA,IACrC,KAAK;AAAY,aAAO,SAAS,MAAM;AAAA,IACvC;AAAiB,aAAO,EAAE,WAAW,MAAM,cAAc,KAAK;AAAA,EAChE;AACF;","names":[]}

package/package.json

@@ -0,0 +1,69 @@
+{
+  "name": "@kehto/acl",
+  "version": "0.1.0",
+  "description": "Pure, WASM-ready ACL module for the napplet protocol \u2014 zero dependencies, zero side effects",
+  "type": "module",
+  "main": "./dist/index.js",
+  "module": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js"
+    },
+    "./capabilities": {
+      "types": "./dist/capabilities.d.ts",
+      "import": "./dist/capabilities.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "sideEffects": false,
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {},
+  "peerDependencies": {
+    "@napplet/core": "^0.2.1",
+    "@napplet/nub-identity": "^0.2.1",
+    "@napplet/nub-ifc": "^0.2.1",
+    "@napplet/nub-keys": "^0.2.1",
+    "@napplet/nub-media": "^0.2.1",
+    "@napplet/nub-notify": "^0.2.1",
+    "@napplet/nub-relay": "^0.2.1",
+    "@napplet/nub-storage": "^0.2.1",
+    "@napplet/nub-theme": "^0.2.1"
+  },
+  "devDependencies": {
+    "@napplet/core": "^0.2.1",
+    "@napplet/nub-identity": "^0.2.1",
+    "@napplet/nub-ifc": "^0.2.1",
+    "@napplet/nub-keys": "^0.2.1",
+    "@napplet/nub-media": "^0.2.1",
+    "@napplet/nub-notify": "^0.2.1",
+    "@napplet/nub-relay": "^0.2.1",
+    "@napplet/nub-storage": "^0.2.1",
+    "@napplet/nub-theme": "^0.2.1",
+    "tsup": "^8.5.0",
+    "typescript": "^5.9.3"
+  },
+  "scripts": {
+    "build": "tsup",
+    "type-check": "tsc --noEmit",
+    "test:unit": "vitest run --config ../../vitest.config.ts"
+  },
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/kehto/runtime.git",
+    "directory": "packages/acl"
+  },
+  "keywords": [
+    "nostr",
+    "napplet",
+    "kehto",
+    "acl",
+    "capability"
+  ]
+}