@kubun/server 0.4.1 → 0.4.2

package/lib/data/access-control.d.ts

@@ -0,0 +1,46 @@
+import type { KubunDB } from '@kubun/db';
+import type { DocumentNode } from '@kubun/protocol';
+export type AccessRule = {
+    level: string;
+    allowedDIDs: Array<string> | null;
+};
+export type AccessPermissions = {
+    read?: AccessRule;
+    write?: AccessRule;
+};
+export type ServerAccessConfig = {
+    defaultAccessLevel: {
+        read: 'only_owner' | 'anyone' | 'allowed_dids';
+        write: 'only_owner' | 'allowed_dids';
+    };
+};
+export type AccessChecker = (doc: DocumentNode, permissionType: 'read' | 'write') => Promise<boolean>;
+/**
+ * Parse and validate access permissions from document data
+ */
+export declare function parseDocumentAccessPermissions(data: any): AccessPermissions | null;
+/**
+ * Validate that DIDs have the correct format
+ */
+export declare function validateDIDs(dids: Array<string>): void;
+/**
+ * Resolve the effective access rule for a document and permission type
+ * Order of precedence:
+ * 1. Document _accessPermissions override
+ * 2. User's model default from database
+ * 3. Server configuration default
+ */
+export declare function resolveAccessRule(document: DocumentNode, modelId: string, ownerDID: string, permissionType: 'read' | 'write', db: KubunDB, serverConfig: ServerAccessConfig): Promise<AccessRule>;
+/**
+ * Check if viewer has access to document through delegation tokens
+ */
+export declare function checkDelegation(viewerDID: string, grantor: string, document: DocumentNode, permissionType: 'read' | 'write', delegationTokens?: Array<string>): Promise<boolean>;
+/**
+ * Check if viewer has access to a document for the specified permission type
+ */
+export declare function checkAccess(viewerDID: string | null, document: DocumentNode, permissionType: 'read' | 'write', db: KubunDB, serverConfig: ServerAccessConfig, delegationTokens?: Array<string>): Promise<boolean>;
+/**
+ * Create an access checker function bound to specific viewer and delegation tokens
+ */
+export declare function createAccessChecker(viewerDID: string | null, delegationTokens: Array<string> | undefined, db: KubunDB, serverConfig: ServerAccessConfig): AccessChecker;
+//# sourceMappingURL=access-control.d.ts.map

package/lib/data/access-control.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"access-control.d.ts","sourceRoot":"","sources":["../../src/data/access-control.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACxC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAA;AAEnD,MAAM,MAAM,UAAU,GAAG;IACvB,KAAK,EAAE,MAAM,CAAA;IACb,WAAW,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI,CAAA;CAClC,CAAA;AAED,MAAM,MAAM,iBAAiB,GAAG;IAC9B,IAAI,CAAC,EAAE,UAAU,CAAA;IACjB,KAAK,CAAC,EAAE,UAAU,CAAA;CACnB,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG;IAC/B,kBAAkB,EAAE;QAClB,IAAI,EAAE,YAAY,GAAG,QAAQ,GAAG,cAAc,CAAA;QAC9C,KAAK,EAAE,YAAY,GAAG,cAAc,CAAA;KACrC,CAAA;CACF,CAAA;AAED,MAAM,MAAM,aAAa,GAAG,CAC1B,GAAG,EAAE,YAAY,EACjB,cAAc,EAAE,MAAM,GAAG,OAAO,KAC7B,OAAO,CAAC,OAAO,CAAC,CAAA;AAErB;;GAEG;AACH,wBAAgB,8BAA8B,CAAC,IAAI,EAAE,GAAG,GAAG,iBAAiB,GAAG,IAAI,CAiBlF;AAED;;GAEG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,IAAI,CAMtD;AAaD;;;;;;GAMG;AACH,wBAAsB,iBAAiB,CACrC,QAAQ,EAAE,YAAY,EACtB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,cAAc,EAAE,MAAM,GAAG,OAAO,EAChC,EAAE,EAAE,OAAO,EACX,YAAY,EAAE,kBAAkB,GAC/B,OAAO,CAAC,UAAU,CAAC,CA4BrB;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,YAAY,EACtB,cAAc,EAAE,MAAM,GAAG,OAAO,EAChC,gBAAgB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAC/B,OAAO,CAAC,OAAO,CAAC,CA0BlB;AAED;;GAEG;AACH,wBAAsB,WAAW,CAC/B,SAAS,EAAE,MAAM,GAAG,IAAI,EACxB,QAAQ,EAAE,YAAY,EACtB,cAAc,EAAE,MAAM,GAAG,OAAO,EAChC,EAAE,EAAE,OAAO,EACX,YAAY,EAAE,kBAAkB,EAChC,gBAAgB,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,GAC/B,OAAO,CAAC,OAAO,CAAC,CA+DlB;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CACjC,SAAS,EAAE,MAAM,GAAG,IAAI,EACxB,gBAAgB,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG,SAAS,EAC3C,EAAE,EAAE,OAAO,EACX,YAAY,EAAE,kBAAkB,GAC/B,aAAa,CAIf"}

package/lib/data/access-control.js

@@ -0,0 +1,148 @@
+import { checkCapability } from '@enkaku/capability';
+/**
+ * Parse and validate access permissions from document data
+ */ export function parseDocumentAccessPermissions(data) {
+    try {
+        if (!data._accessPermissions) return null;
+        const perms = data._accessPermissions;
+        // Basic validation - check if the permission object has the expected structure
+        if (typeof perms !== 'object') {
+            console.warn('Invalid _accessPermissions structure in document, ignoring');
+            return null;
+        }
+        return perms;
+    } catch (error) {
+        console.warn('Failed to parse document access permissions:', error);
+        return null;
+    }
+}
+/**
+ * Validate that DIDs have the correct format
+ */ export function validateDIDs(dids) {
+    for (const did of dids){
+        if (!did.startsWith('did:')) {
+            throw new Error(`Invalid DID format: ${did}`);
+        }
+    }
+}
+/**
+ * Check if a level string is valid for the given permission type
+ */ function isValidAccessLevel(level, permissionType) {
+    if (permissionType === 'read') {
+        return level === 'only_owner' || level === 'anyone' || level === 'allowed_dids';
+    }
+    // write permission
+    return level === 'only_owner' || level === 'allowed_dids';
+}
+/**
+ * Resolve the effective access rule for a document and permission type
+ * Order of precedence:
+ * 1. Document _accessPermissions override
+ * 2. User's model default from database
+ * 3. Server configuration default
+ */ export async function resolveAccessRule(document, modelId, ownerDID, permissionType, db, serverConfig) {
+    // 1. Check document override
+    const docPerms = parseDocumentAccessPermissions(document.data);
+    if (docPerms?.[permissionType]) {
+        const rule = docPerms[permissionType];
+        if (rule && isValidAccessLevel(rule.level, permissionType)) {
+            return {
+                level: rule.level,
+                allowedDIDs: rule.allowedDIDs || null
+            };
+        }
+    }
+    // 2. Check user's model default
+    const modelDefault = await db.getUserModelAccessDefault(ownerDID, modelId, permissionType);
+    if (modelDefault) {
+        return {
+            level: modelDefault.level,
+            allowedDIDs: modelDefault.allowedDIDs
+        };
+    }
+    // 3. Fall back to server default
+    const level = serverConfig.defaultAccessLevel[permissionType];
+    return {
+        level,
+        allowedDIDs: null
+    };
+}
+/**
+ * Check if viewer has access to document through delegation tokens
+ */ export async function checkDelegation(viewerDID, grantor, document, permissionType, delegationTokens) {
+    if (!delegationTokens || delegationTokens.length === 0) {
+        return false;
+    }
+    // Build expected permission based on specificity
+    const resources = [
+        `urn:kubun:document:${document.id}`,
+        `urn:kubun:model:${document.model}`,
+        '*'
+    ];
+    const action = `document/${permissionType}` // document/read or document/write
+    ;
+    // Try to validate against any matching resource level
+    for (const res of resources){
+        try {
+            await checkCapability({
+                act: action,
+                res
+            }, {
+                iss: viewerDID,
+                sub: grantor,
+                cap: delegationTokens
+            });
+            return true;
+        } catch  {}
+    }
+    return false;
+}
+/**
+ * Check if viewer has access to a document for the specified permission type
+ */ export async function checkAccess(viewerDID, document, permissionType, db, serverConfig, delegationTokens) {
+    // Validate document has owner
+    if (!document.owner) {
+        throw new Error('Document missing owner field');
+    }
+    // FAST PATH: Owner always has access
+    if (viewerDID === document.owner) {
+        return true;
+    }
+    // Resolve effective access rule
+    const rule = await resolveAccessRule(document, document.model, document.owner, permissionType, db, serverConfig);
+    // ANYONE: Always allow (read only)
+    if (rule.level === 'anyone') {
+        return true;
+    }
+    // No viewer: Deny
+    if (!viewerDID) {
+        return false;
+    }
+    // ONLY_OWNER: Check delegation from owner
+    if (rule.level === 'only_owner') {
+        return await checkDelegation(viewerDID, document.owner, document, permissionType, delegationTokens);
+    }
+    // ALLOWED_DIDS: Check if viewer is in list or has delegation
+    if (rule.level === 'allowed_dids') {
+        const allowedDIDs = rule.allowedDIDs || [];
+        if (allowedDIDs.includes(viewerDID)) {
+            return true;
+        }
+        // Check if any allowedDID has delegated to viewer
+        for (const allowedDID of allowedDIDs){
+            if (await checkDelegation(viewerDID, allowedDID, document, permissionType, delegationTokens)) {
+                return true;
+            }
+        }
+        return false;
+    }
+    // Unknown access level
+    return false;
+}
+/**
+ * Create an access checker function bound to specific viewer and delegation tokens
+ */ export function createAccessChecker(viewerDID, delegationTokens, db, serverConfig) {
+    return async (doc, permissionType)=>{
+        return await checkAccess(viewerDID, doc, permissionType, db, serverConfig, delegationTokens);
+    };
+}

package/lib/data/graphql.d.ts

@@ -2,10 +2,12 @@ import type { KubunDB } from '@kubun/db';
 import { type Context } from '@kubun/graphql';
 import type { DocumentNode } from '@kubun/protocol';
 import { type ExecutionArgs, type GraphQLSchema, type OperationTypeNode } from 'graphql';
+import type { AccessChecker } from './access-control.js';
 export type ExecutionContext = {
     db: KubunDB;
     viewerDID: string;
     mutatedDocuments?: Record<string, DocumentNode>;
+    accessChecker?: AccessChecker;
 };
 export declare function createContext(ctx: ExecutionContext): Context;
 export type ExecuteGraphQLParams = {

package/lib/data/graphql.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"graphql.d.ts","sourceRoot":"","sources":["../../src/data/graphql.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACxC,OAAO,EAAE,KAAK,OAAO,EAA+C,MAAM,gBAAgB,CAAA;AAC1F,OAAO,KAAK,EAAgB,YAAY,EAAE,MAAM,iBAAiB,CAAA;AACjE,OAAO,EACL,KAAK,aAAa,EAElB,KAAK,aAAa,EAElB,KAAK,iBAAiB,EAEvB,MAAM,SAAS,CAAA;AAEhB,MAAM,MAAM,gBAAgB,GAAG;IAC7B,EAAE,EAAE,OAAO,CAAA;IACX,SAAS,EAAE,MAAM,CAAA;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAA;CAChD,CAAA;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAkC5D;AAED,MAAM,MAAM,oBAAoB,GAAG;IACjC,OAAO,EAAE,gBAAgB,CAAA;IACzB,MAAM,EAAE,aAAa,CAAA;IACrB,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,iBAAiB,CAAA;IACvB,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACnC,CAAA;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,oBAAoB,GAAG,aAAa,CAiB5E"}
+{"version":3,"file":"graphql.d.ts","sourceRoot":"","sources":["../../src/data/graphql.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACxC,OAAO,EAAE,KAAK,OAAO,EAA+C,MAAM,gBAAgB,CAAA;AAC1F,OAAO,KAAK,EAAgB,YAAY,EAAE,MAAM,iBAAiB,CAAA;AACjE,OAAO,EACL,KAAK,aAAa,EAElB,KAAK,aAAa,EAElB,KAAK,iBAAiB,EAEvB,MAAM,SAAS,CAAA;AAEhB,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAA;AAExD,MAAM,MAAM,gBAAgB,GAAG;IAC7B,EAAE,EAAE,OAAO,CAAA;IACX,SAAS,EAAE,MAAM,CAAA;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,YAAY,CAAC,CAAA;IAC/C,aAAa,CAAC,EAAE,aAAa,CAAA;CAC9B,CAAA;AAED,wBAAgB,aAAa,CAAC,GAAG,EAAE,gBAAgB,GAAG,OAAO,CAsC5D;AAED,MAAM,MAAM,oBAAoB,GAAG;IACjC,OAAO,EAAE,gBAAgB,CAAA;IACzB,MAAM,EAAE,aAAa,CAAA;IACrB,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,iBAAiB,CAAA;IACvB,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;CACnC,CAAA;AAED,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,oBAAoB,GAAG,aAAa,CAiB5E"}

package/lib/data/graphql.js

@@ -1,7 +1,11 @@
 import { createReadContext } from '@kubun/graphql';
 import { Kind, parse } from 'graphql';
 export function createContext(ctx) {
-    const readContext = createReadContext(ctx);
+    const readContext = createReadContext({
+        db: ctx.db,
+        viewerDID: ctx.viewerDID,
+        accessChecker: ctx.accessChecker
+    });
     function getMutationDocument(info) {
         return ctx.mutatedDocuments?.[info.path.key];
     }

package/lib/handlers/graph.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"graph.d.ts","sourceRoot":"","sources":["../../src/handlers/graph.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAA;AAKvD,OAAO,KAAK,EAKV,aAAa,EACd,MAAM,iBAAiB,CAAA;AAcxB,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAA;AAUtD,wBAAgB,cAAc,CAC5B,cAAc,EAAE,oBAAoB,GACnC,iBAAiB,CAAC,aAAa,CAAC,CAsJlC"}
+{"version":3,"file":"graph.d.ts","sourceRoot":"","sources":["../../src/handlers/graph.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAA;AAKvD,OAAO,KAAK,EAKV,aAAa,EACd,MAAM,iBAAiB,CAAA;AAexB,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAA;AAUtD,wBAAgB,cAAc,CAC5B,cAAc,EAAE,oBAAoB,GACnC,iBAAiB,CAAC,aAAa,CAAC,CAqKlC"}

package/lib/handlers/graph.js

@@ -5,6 +5,7 @@ import { AttachmentID } from '@kubun/id';
 import { GraphModel } from '@kubun/protocol';
 import { execute, OperationTypeNode, // printSchema,
 subscribe } from 'graphql';
+import { createAccessChecker } from '../data/access-control.js';
 import { getExecutionArgs } from '../data/graphql.js';
 import { applyMutation } from '../data/mutations.js';
 function toGraphResult(result) {
@@ -15,7 +16,7 @@ function toGraphResult(result) {
     };
 }
 export function createHandlers(handlersParams) {
-    const { db, logger } = handlersParams;
+    const { db, logger, serverAccessConfig } = handlersParams;
     const graphModels = {};
     async function getGraphModels(id) {
         if (graphModels[id] == null) {
@@ -109,9 +110,11 @@ export function createHandlers(handlersParams) {
                 }, mutation);
             }));
             const payload = ctx.message.payload;
-            // TODO: viewerDID is token subject or fallback to the issuer
-            // also add token capabilities check
-            const viewerDID = payload.iss;
+            const viewerDID = payload.sub || payload.iss;
+            const delegationTokens = payload.cap ? Array.isArray(payload.cap) ? payload.cap : [
+                payload.cap
+            ] : undefined;
+            const accessChecker = createAccessChecker(viewerDID, delegationTokens, db, serverAccessConfig);
             return await executeGraphQL({
                 schema: await getGraphQLSchema(ctx.param.id),
                 type: OperationTypeNode.MUTATION,
@@ -120,15 +123,18 @@ export function createHandlers(handlersParams) {
                 context: {
                     db,
                     mutatedDocuments,
-                    viewerDID
+                    viewerDID,
+                    accessChecker
                 }
             });
         },
         'graph/query': async (ctx)=>{
             const payload = ctx.message.payload;
-            // TODO: viewerDID is token subject or fallback to the issuer
-            // also add token capabilities check
-            const viewerDID = payload.iss;
+            const viewerDID = payload.sub || payload.iss;
+            const delegationTokens = payload.cap ? Array.isArray(payload.cap) ? payload.cap : [
+                payload.cap
+            ] : undefined;
+            const accessChecker = createAccessChecker(viewerDID, delegationTokens, db, serverAccessConfig);
             return await executeGraphQL({
                 schema: await getGraphQLSchema(ctx.param.id),
                 type: OperationTypeNode.QUERY,
@@ -136,13 +142,18 @@ export function createHandlers(handlersParams) {
                 variables: ctx.param.variables ?? {},
                 context: {
                     db,
-                    viewerDID
+                    viewerDID,
+                    accessChecker
                 }
             });
         },
         'graph/subscribe': async (ctx)=>{
             const payload = ctx.message.payload;
-            const viewerDID = payload.iss;
+            const viewerDID = payload.sub || payload.iss;
+            const delegationTokens = payload.cap ? Array.isArray(payload.cap) ? payload.cap : [
+                payload.cap
+            ] : undefined;
+            const accessChecker = createAccessChecker(viewerDID, delegationTokens, db, serverAccessConfig);
             const args = getExecutionArgs({
                 schema: await getGraphQLSchema(ctx.param.id),
                 type: OperationTypeNode.SUBSCRIPTION,
@@ -150,7 +161,8 @@ export function createHandlers(handlersParams) {
                 variables: ctx.param.variables ?? {},
                 context: {
                     db,
-                    viewerDID
+                    viewerDID,
+                    accessChecker
                 }
             });
             const subscription = await subscribe(args);

package/lib/handlers/types.d.ts

@@ -1,7 +1,9 @@
 import type { KubunDB } from '@kubun/db';
 import type { Logger } from '@kubun/logger';
+import type { ServerAccessConfig } from '../data/access-control.js';
 export type CreateHandlersParams = {
     db: KubunDB;
     logger: Logger;
+    serverAccessConfig: ServerAccessConfig;
 };
 //# sourceMappingURL=types.d.ts.map

package/lib/handlers/types.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/handlers/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACxC,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,eAAe,CAAA;AAE3C,MAAM,MAAM,oBAAoB,GAAG;IACjC,EAAE,EAAE,OAAO,CAAA;IACX,MAAM,EAAE,MAAM,CAAA;CACf,CAAA"}
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/handlers/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AACxC,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,eAAe,CAAA;AAE3C,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAA;AAEnE,MAAM,MAAM,oBAAoB,GAAG;IACjC,EAAE,EAAE,OAAO,CAAA;IACX,MAAM,EAAE,MAAM,CAAA;IACd,kBAAkB,EAAE,kBAAkB,CAAA;CACvC,CAAA"}

package/lib/server.d.ts

@@ -8,6 +8,10 @@ export type ServerParams = {
     db: KubunDB | DBParams;
     id: string;
     logger?: Logger;
+    defaultAccessLevel?: {
+        read?: 'only_owner' | 'anyone' | 'allowed_dids';
+        write?: 'only_owner' | 'allowed_dids';
+    };
 };
 export type CreateClientParams = Omit<ClientParams, 'serverID' | 'transport'> & {
     signal?: AbortSignal;
@@ -16,6 +20,10 @@ export declare class KubunServer {
     #private;
     constructor(params: ServerParams);
     get db(): KubunDB;
+    get defaultAccessLevel(): {
+        read: "only_owner" | "anyone" | "allowed_dids";
+        write: "only_owner" | "allowed_dids";
+    };
     createClient(params: CreateClientParams): KubunClient;
     serve(transport: ServerTransport, signal?: AbortSignal): Server<Protocol>;
 }

package/lib/server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,MAAM,EAAS,MAAM,gBAAgB,CAAA;AAEnD,OAAO,EAAE,KAAK,YAAY,EAAE,WAAW,EAAE,MAAM,eAAe,CAAA;AAC9D,OAAO,EAAE,KAAK,QAAQ,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AAClD,OAAO,EAAkB,KAAK,MAAM,EAAE,MAAM,eAAe,CAAA;AAC3D,OAAO,KAAK,EAAiB,QAAQ,EAAiB,eAAe,EAAE,MAAM,iBAAiB,CAAA;AAI9F,MAAM,MAAM,YAAY,GAAG;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAA;IAChD,EAAE,EAAE,OAAO,GAAG,QAAQ,CAAA;IACtB,EAAE,EAAE,MAAM,CAAA;IACV,MAAM,CAAC,EAAE,MAAM,CAAA;CAChB,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG,IAAI,CAAC,YAAY,EAAE,UAAU,GAAG,WAAW,CAAC,GAAG;IAC9E,MAAM,CAAC,EAAE,WAAW,CAAA;CACrB,CAAA;AAED,qBAAa,WAAW;;gBAOV,MAAM,EAAE,YAAY;IAUhC,IAAI,EAAE,IAAI,OAAO,CAEhB;IAED,YAAY,CAAC,MAAM,EAAE,kBAAkB,GAAG,WAAW;IAkBrD,KAAK,CAAC,SAAS,EAAE,eAAe,EAAE,MAAM,CAAC,EAAE,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC;CAU1E"}
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../src/server.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,KAAK,MAAM,EAAS,MAAM,gBAAgB,CAAA;AAEnD,OAAO,EAAE,KAAK,YAAY,EAAE,WAAW,EAAE,MAAM,eAAe,CAAA;AAC9D,OAAO,EAAE,KAAK,QAAQ,EAAE,OAAO,EAAE,MAAM,WAAW,CAAA;AAClD,OAAO,EAAkB,KAAK,MAAM,EAAE,MAAM,eAAe,CAAA;AAC3D,OAAO,KAAK,EAAiB,QAAQ,EAAiB,eAAe,EAAE,MAAM,iBAAiB,CAAA;AAI9F,MAAM,MAAM,YAAY,GAAG;IACzB,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAA;IAChD,EAAE,EAAE,OAAO,GAAG,QAAQ,CAAA;IACtB,EAAE,EAAE,MAAM,CAAA;IACV,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,kBAAkB,CAAC,EAAE;QACnB,IAAI,CAAC,EAAE,YAAY,GAAG,QAAQ,GAAG,cAAc,CAAA;QAC/C,KAAK,CAAC,EAAE,YAAY,GAAG,cAAc,CAAA;KACtC,CAAA;CACF,CAAA;AAED,MAAM,MAAM,kBAAkB,GAAG,IAAI,CAAC,YAAY,EAAE,UAAU,GAAG,WAAW,CAAC,GAAG;IAC9E,MAAM,CAAC,EAAE,WAAW,CAAA;CACrB,CAAA;AAED,qBAAa,WAAW;;gBAWV,MAAM,EAAE,YAAY;IAmBhC,IAAI,EAAE,IAAI,OAAO,CAEhB;IAED,IAAI,kBAAkB;cA3Bd,YAAY,GAAG,QAAQ,GAAG,cAAc;eACvC,YAAY,GAAG,cAAc;MA4BrC;IAED,YAAY,CAAC,MAAM,EAAE,kBAAkB,GAAG,WAAW;IAkBrD,KAAK,CAAC,SAAS,EAAE,eAAe,EAAE,MAAM,CAAC,EAAE,WAAW,GAAG,MAAM,CAAC,QAAQ,CAAC;CAU1E"}

package/lib/server.js

@@ -10,6 +10,7 @@ export class KubunServer {
     #handlers;
     #id;
     #logger;
+    #defaultAccessLevel;
     constructor(params){
         const { access, db, id } = params;
         const logger = params.logger ?? getKubunLogger('server', {
@@ -17,16 +18,27 @@ export class KubunServer {
         });
         this.#access = access ?? {};
         this.#db = db instanceof KubunDB ? db : new KubunDB(db);
+        this.#id = id;
+        this.#logger = logger;
+        // Secure by default
+        this.#defaultAccessLevel = {
+            read: params.defaultAccessLevel?.read ?? 'only_owner',
+            write: params.defaultAccessLevel?.write ?? 'only_owner'
+        };
         this.#handlers = createHandlers({
             db: this.#db,
-            logger
+            logger,
+            serverAccessConfig: {
+                defaultAccessLevel: this.#defaultAccessLevel
+            }
         });
-        this.#id = id;
-        this.#logger = logger;
     }
     get db() {
         return this.#db;
     }
+    get defaultAccessLevel() {
+        return this.#defaultAccessLevel;
+    }
     createClient(params) {
         const { signal, ...clientParams } = params;
         const transports = new DirectTransports({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@kubun/server",
-  "version": "0.4.1",
+  "version": "0.4.2",
   "license": "see LICENSE.md",
   "keywords": [],
   "type": "module",
@@ -16,26 +16,28 @@
   "sideEffects": false,
   "dependencies": {
     "@enkaku/async": "^0.12.2",
+    "@enkaku/capability": "^0.12.1",
     "@enkaku/codec": "^0.12.0",
     "@enkaku/generator": "^0.12.1",
     "@enkaku/schema": "^0.12.1",
-    "@enkaku/server": "^0.12.2",
+    "@enkaku/server": "^0.12.3",
     "@enkaku/token": "0.12.3",
     "@enkaku/transport": "0.12.0",
     "graphql": "^16.12.0",
-    "@kubun/db": "^0.4.0",
-    "@kubun/id": "^0.4.0",
-    "@kubun/protocol": "^0.4.0",
     "@kubun/client": "^0.4.0",
-    "@kubun/graphql": "^0.4.1",
+    "@kubun/db": "^0.4.0",
     "@kubun/mutation": "^0.4.0",
-    "@kubun/logger": "^0.4.0"
+    "@kubun/protocol": "^0.4.0",
+    "@kubun/graphql": "^0.4.4",
+    "@kubun/logger": "^0.4.0",
+    "@kubun/id": "^0.4.0"
   },
   "devDependencies": {
     "@databases/pg-test": "^3.1.2",
     "@enkaku/stream": "^0.12.1",
-    "@kubun/scalars": "^0.4.0",
     "@kubun/db-postgres": "^0.4.0",
+    "@kubun/db-sqlite": "^0.4.0",
+    "@kubun/scalars": "^0.4.0",
     "@kubun/test-utils": "^0.4.0"
   },
   "scripts": {