@opendatalabs/vana-sdk 0.1.0-alpha.f54fafd → 0.1.0-alpha.f732fa2

package/dist/utils/grantValidation.cjs

@@ -0,0 +1,243 @@
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var grantValidation_exports = {};
+__export(grantValidation_exports, {
+  GrantExpiredError: () => GrantExpiredError,
+  GrantSchemaError: () => GrantSchemaError,
+  GrantValidationError: () => GrantValidationError,
+  GranteeMismatchError: () => GranteeMismatchError,
+  OperationNotAllowedError: () => OperationNotAllowedError,
+  validateGrant: () => validateGrant,
+  validateGrantExpiry: () => validateGrantExpiry,
+  validateGranteeAccess: () => validateGranteeAccess,
+  validateOperationAccess: () => validateOperationAccess
+});
+module.exports = __toCommonJS(grantValidation_exports);
+var import_viem = require("viem");
+var import_ajv = __toESM(require("ajv"), 1);
+var import_ajv_formats = __toESM(require("ajv-formats"), 1);
+var import_grantFile_schema = __toESM(require("../schemas/grantFile.schema.json"), 1);
+class GrantValidationError extends Error {
+  constructor(message, details) {
+    super(message);
+    this.details = details;
+    this.name = "GrantValidationError";
+  }
+}
+class GrantExpiredError extends GrantValidationError {
+  constructor(message, expires, currentTime) {
+    super(message, { expires, currentTime });
+    this.expires = expires;
+    this.currentTime = currentTime;
+    this.name = "GrantExpiredError";
+  }
+}
+class GranteeMismatchError extends GrantValidationError {
+  constructor(message, grantee, requestingAddress) {
+    super(message, { grantee, requestingAddress });
+    this.grantee = grantee;
+    this.requestingAddress = requestingAddress;
+    this.name = "GranteeMismatchError";
+  }
+}
+class OperationNotAllowedError extends GrantValidationError {
+  constructor(message, grantedOperation, requestedOperation) {
+    super(message, { grantedOperation, requestedOperation });
+    this.grantedOperation = grantedOperation;
+    this.requestedOperation = requestedOperation;
+    this.name = "OperationNotAllowedError";
+  }
+}
+class GrantSchemaError extends GrantValidationError {
+  constructor(message, schemaErrors, invalidData) {
+    super(message, { errors: schemaErrors, data: invalidData });
+    this.schemaErrors = schemaErrors;
+    this.invalidData = invalidData;
+    this.name = "GrantSchemaError";
+  }
+}
+const ajv = new import_ajv.default({
+  strict: true,
+  removeAdditional: false,
+  useDefaults: false,
+  coerceTypes: false
+});
+(0, import_ajv_formats.default)(ajv);
+const validateGrantFileSchema = ajv.compile(import_grantFile_schema.default);
+function validateGrant(data, options = {}) {
+  const {
+    schema = true,
+    grantee,
+    operation,
+    currentTime,
+    throwOnError = true
+  } = options;
+  const errors = [];
+  let grant;
+  if (schema) {
+    try {
+      if (validateGrantFileSchema(data)) {
+        grant = data;
+      } else {
+        throw new GrantValidationError("Invalid grant file schema");
+      }
+    } catch (error) {
+      if (error instanceof GrantValidationError) {
+        const schemaError = new GrantSchemaError(
+          error.message,
+          Array.isArray(error.details?.errors) ? error.details.errors : [],
+          data
+        );
+        errors.push({
+          type: "schema",
+          message: error.message,
+          error: schemaError
+        });
+      } else {
+        errors.push({
+          type: "schema",
+          message: `Schema validation failed: ${error instanceof Error ? error.message : "Unknown error"}`,
+          error: error instanceof Error ? error : new Error("Unknown error")
+        });
+      }
+    }
+  } else {
+    grant = data;
+  }
+  if (grant) {
+    if (grantee) {
+      try {
+        validateGranteeAccess(grant, grantee);
+      } catch (error) {
+        const field = extractFieldFromBusinessError(error);
+        errors.push({
+          type: "business",
+          field,
+          message: error instanceof Error ? error.message : "Unknown business rule error",
+          error: error instanceof Error ? error : new Error("Unknown error")
+        });
+      }
+    }
+    try {
+      validateGrantExpiry(grant, currentTime);
+    } catch (error) {
+      const field = extractFieldFromBusinessError(error);
+      errors.push({
+        type: "business",
+        field,
+        message: error instanceof Error ? error.message : "Unknown business rule error",
+        error: error instanceof Error ? error : new Error("Unknown error")
+      });
+    }
+    if (operation) {
+      try {
+        validateOperationAccess(grant, operation);
+      } catch (error) {
+        const field = extractFieldFromBusinessError(error);
+        errors.push({
+          type: "business",
+          field,
+          message: error instanceof Error ? error.message : "Unknown business rule error",
+          error: error instanceof Error ? error : new Error("Unknown error")
+        });
+      }
+    }
+  }
+  if (errors.length > 0) {
+    if (throwOnError) {
+      const firstError = errors[0];
+      if (firstError.error) {
+        throw firstError.error;
+      } else {
+        const combinedMessage = errors.map((e) => e.message).join("; ");
+        throw new GrantValidationError(
+          `Grant validation failed: ${combinedMessage}`,
+          { errors, data }
+        );
+      }
+    }
+    return { valid: false, errors, grant };
+  }
+  if (throwOnError) {
+    return grant;
+  } else {
+    return { valid: true, errors: [], grant };
+  }
+}
+function extractFieldFromBusinessError(error) {
+  if (error instanceof GrantExpiredError) return "expires";
+  if (error instanceof GranteeMismatchError) return "grantee";
+  if (error instanceof OperationNotAllowedError) return "operation";
+  return void 0;
+}
+function validateGranteeAccess(grantFile, requestingAddress) {
+  const normalizedGrantee = (0, import_viem.getAddress)(grantFile.grantee);
+  const normalizedRequesting = (0, import_viem.getAddress)(requestingAddress);
+  if (normalizedGrantee !== normalizedRequesting) {
+    throw new GranteeMismatchError(
+      "Permission denied: requesting address does not match grantee",
+      grantFile.grantee,
+      requestingAddress
+    );
+  }
+}
+function validateGrantExpiry(grantFile, currentTime) {
+  if (grantFile.expires) {
+    const now = currentTime !== void 0 ? currentTime : Math.floor(Date.now() / 1e3);
+    if (now > grantFile.expires) {
+      throw new GrantExpiredError(
+        "Permission denied: grant has expired",
+        grantFile.expires,
+        now
+      );
+    }
+  }
+}
+function validateOperationAccess(grantFile, requestedOperation) {
+  if (grantFile.operation !== requestedOperation) {
+    throw new OperationNotAllowedError(
+      "Permission denied: operation not allowed by grant",
+      grantFile.operation,
+      requestedOperation
+    );
+  }
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  GrantExpiredError,
+  GrantSchemaError,
+  GrantValidationError,
+  GranteeMismatchError,
+  OperationNotAllowedError,
+  validateGrant,
+  validateGrantExpiry,
+  validateGranteeAccess,
+  validateOperationAccess
+});
+//# sourceMappingURL=grantValidation.cjs.map

package/dist/utils/grantValidation.cjs.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../src/utils/grantValidation.ts"],"sourcesContent":["/**\n * Provides comprehensive validation for permission grant files.\n *\n * @remarks\n * This module implements multi-layer validation for grant files including\n * JSON schema validation, business rule checking, expiration verification,\n * and access control validation. It provides both throwing and non-throwing\n * modes for flexible error handling.\n *\n * @category Permissions\n * @module utils/grantValidation\n */\n\nimport type { Address } from \"viem\";\nimport { getAddress } from \"viem\";\nimport Ajv, { type ValidateFunction } from \"ajv\";\nimport addFormats from \"ajv-formats\";\nimport type { GrantFile } from \"../types/permissions\";\nimport grantFileSchema from \"../schemas/grantFile.schema.json\";\n\n/**\n * Indicates a general grant validation failure.\n *\n * @remarks\n * Base class for all grant validation errors. Provides structured\n * error details for debugging and recovery.\n *\n * @category Permissions\n */\nexport class GrantValidationError extends Error {\n  constructor(\n    message: string,\n    public details?: Record<string, unknown>,\n  ) {\n    super(message);\n    this.name = \"GrantValidationError\";\n  }\n}\n\n/**\n * Indicates that a grant has expired and is no longer valid.\n *\n * @remarks\n * Thrown when attempting to use a grant past its expiration timestamp.\n * Includes both the expiration time and current time for debugging.\n *\n * @category Permissions\n */\nexport class GrantExpiredError extends GrantValidationError {\n  constructor(\n    message: string,\n    public expires: number,\n    public currentTime: number,\n  ) {\n    super(message, { expires, currentTime });\n    this.name = \"GrantExpiredError\";\n  }\n}\n\n/**\n * Indicates that the requesting address doesn't match the grant's grantee.\n *\n * @remarks\n * Thrown when a user attempts to use a grant that was issued to a\n * different address. This prevents unauthorized use of permissions.\n *\n * @category Permissions\n */\nexport class GranteeMismatchError extends GrantValidationError {\n  constructor(\n    message: string,\n    public grantee: Address,\n    public requestingAddress: Address,\n  ) {\n    super(message, { grantee, requestingAddress });\n    this.name = \"GranteeMismatchError\";\n  }\n}\n\n/**\n * Indicates that the requested operation is not allowed by the grant.\n *\n * @remarks\n * Thrown when attempting an operation that differs from what the\n * grant authorizes. Includes both granted and requested operations.\n *\n * @category Permissions\n */\nexport class OperationNotAllowedError extends GrantValidationError {\n  constructor(\n    message: string,\n    public grantedOperation: string,\n    public requestedOperation: string,\n  ) {\n    super(message, { grantedOperation, requestedOperation });\n    this.name = \"OperationNotAllowedError\";\n  }\n}\n\n/**\n * Indicates that the grant file structure violates the JSON schema.\n *\n * @remarks\n * Thrown when a grant file doesn't conform to the expected schema.\n * Includes detailed schema validation errors and the invalid data.\n *\n * @category Permissions\n */\nexport class GrantSchemaError extends GrantValidationError {\n  constructor(\n    message: string,\n    public schemaErrors: unknown[],\n    public invalidData: unknown,\n  ) {\n    super(message, { errors: schemaErrors, data: invalidData });\n    this.name = \"GrantSchemaError\";\n  }\n}\n\n/**\n * Ajv instance configured for strict grant file validation.\n *\n * @internal\n */\nconst ajv = new Ajv({\n  strict: true,\n  removeAdditional: false,\n  useDefaults: false,\n  coerceTypes: false,\n});\n\n// Add format validators (email, date, etc.)\naddFormats(ajv);\n\n/**\n * Pre-compiled grant file schema validator for performance.\n *\n * @internal\n */\nconst validateGrantFileSchema: ValidateFunction = ajv.compile(grantFileSchema);\n\n/**\n * Configures grant validation behavior and scope.\n *\n * @remarks\n * Controls which validations to perform and how to handle errors.\n * Allows selective validation of specific aspects of a grant.\n *\n * @category Permissions\n */\nexport interface GrantValidationOptions {\n  /** Enable JSON schema validation (default: true) */\n  schema?: boolean;\n  /** Grantee address to validate access for */\n  grantee?: Address;\n  /** Operation to validate permission for */\n  operation?: string;\n  /** Override current time for expiry checking (Unix timestamp) */\n  currentTime?: number;\n  /** Return detailed results instead of throwing (default: false) */\n  throwOnError?: boolean;\n}\n\n/**\n * Represents the detailed result of grant validation.\n *\n * @remarks\n * Provides comprehensive validation results including all errors\n * encountered during validation. Used in non-throwing mode.\n *\n * @category Permissions\n */\nexport interface GrantValidationResult {\n  /** Whether validation passed */\n  valid: boolean;\n  /** Validation errors encountered */\n  errors: Array<{\n    type: \"schema\" | \"business\";\n    field?: string;\n    message: string;\n    error?: Error;\n  }>;\n  /** The validated grant file (if validation passed) */\n  grant?: GrantFile;\n}\n\n/**\n * Validates a grant file with comprehensive schema and business rule checking.\n *\n * This function provides flexible validation with TypeScript overloads:\n * - When `throwOnError` is false (or `{ throwOnError: false }`), returns a detailed validation result\n * - When `throwOnError` is true (default), throws specific errors or returns the validated grant\n *\n * @param data - The grant file data to validate (unknown type for safety)\n * @param options - Validation options including grantee, operation, files, etc.\n * @returns Either a GrantFile (when throwing) or GrantValidationResult (when not throwing)\n * @throws {GrantSchemaError} When the grant file structure is invalid\n * @throws {GrantExpiredError} When the grant has expired\n * @throws {GranteeMismatchError} When the grantee doesn't match the requesting address\n * @throws {OperationNotAllowedError} When the requested operation is not allowed\n * @example\n * ```typescript\n * // Throwing mode (default) - returns GrantFile or throws\n * const grant = validateGrant(data, {\n *   grantee: '0x123...',\n *   operation: 'llm_inference',\n * });\n *\n * // Non-throwing mode - returns validation result\n * const result = validateGrant(data, {\n *   grantee: '0x123...',\n *   throwOnError: false\n * });\n * if (result.valid) {\n *   console.log('Grant is valid:', result.grant);\n * } else {\n *   console.log('Validation errors:', result.errors);\n * }\n * ```\n */\n\nexport function validateGrant(\n  data: unknown,\n  options: GrantValidationOptions & { throwOnError: false },\n): GrantValidationResult;\n\nexport function validateGrant(\n  data: unknown,\n  options?:\n    | Omit<GrantValidationOptions, \"throwOnError\">\n    | (GrantValidationOptions & { throwOnError?: true }),\n): GrantFile;\n\n/** @internal */\nexport function validateGrant(\n  data: unknown,\n  options: GrantValidationOptions = {},\n): GrantFile | GrantValidationResult {\n  const {\n    schema = true,\n    grantee,\n    operation,\n    currentTime,\n    throwOnError = true,\n  } = options;\n\n  const errors: GrantValidationResult[\"errors\"] = [];\n  let grant: GrantFile | undefined;\n\n  // 1. Schema Validation\n  if (schema) {\n    try {\n      if (validateGrantFileSchema(data)) {\n        grant = data as GrantFile;\n      } else {\n        throw new GrantValidationError(\"Invalid grant file schema\");\n      }\n    } catch (error) {\n      if (error instanceof GrantValidationError) {\n        const schemaError = new GrantSchemaError(\n          error.message,\n          Array.isArray(error.details?.errors) ? error.details.errors : [],\n          data,\n        );\n        errors.push({\n          type: \"schema\",\n          message: error.message,\n          error: schemaError,\n        });\n      } else {\n        errors.push({\n          type: \"schema\",\n          message: `Schema validation failed: ${error instanceof Error ? error.message : \"Unknown error\"}`,\n          error: error instanceof Error ? error : new Error(\"Unknown error\"),\n        });\n      }\n    }\n  } else {\n    // Minimal type assertion if schema validation is skipped\n    grant = data as GrantFile;\n  }\n\n  // 2. Business Logic Validation (only if we have a valid grant)\n  if (grant) {\n    // Check grantee access\n    if (grantee) {\n      try {\n        validateGranteeAccess(grant, grantee);\n      } catch (error) {\n        const field = extractFieldFromBusinessError(error);\n        errors.push({\n          type: \"business\",\n          field,\n          message:\n            error instanceof Error\n              ? error.message\n              : \"Unknown business rule error\",\n          error: error instanceof Error ? error : new Error(\"Unknown error\"),\n        });\n      }\n    }\n\n    // Check expiration\n    try {\n      validateGrantExpiry(grant, currentTime);\n    } catch (error) {\n      const field = extractFieldFromBusinessError(error);\n      errors.push({\n        type: \"business\",\n        field,\n        message:\n          error instanceof Error\n            ? error.message\n            : \"Unknown business rule error\",\n        error: error instanceof Error ? error : new Error(\"Unknown error\"),\n      });\n    }\n\n    // Check operation access\n    if (operation) {\n      try {\n        validateOperationAccess(grant, operation);\n      } catch (error) {\n        const field = extractFieldFromBusinessError(error);\n        errors.push({\n          type: \"business\",\n          field,\n          message:\n            error instanceof Error\n              ? error.message\n              : \"Unknown business rule error\",\n          error: error instanceof Error ? error : new Error(\"Unknown error\"),\n        });\n      }\n    }\n  }\n\n  // 3. Return Results\n  if (errors.length > 0) {\n    if (throwOnError) {\n      // Throw the most specific error we have\n      const firstError = errors[0];\n      if (firstError.error) {\n        throw firstError.error;\n      } else {\n        const combinedMessage = errors.map((e) => e.message).join(\"; \");\n        throw new GrantValidationError(\n          `Grant validation failed: ${combinedMessage}`,\n          { errors, data },\n        );\n      }\n    }\n\n    return { valid: false, errors, grant };\n  }\n\n  if (throwOnError) {\n    return grant as GrantFile;\n  } else {\n    return { valid: true, errors: [], grant: grant as GrantFile };\n  }\n}\n\n/**\n * Extracts the field name from business validation errors for reporting.\n *\n * @param error - The validation error to analyze\n * @returns The field name associated with the error, or undefined\n *\n * @internal\n */\nfunction extractFieldFromBusinessError(error: unknown): string | undefined {\n  if (error instanceof GrantExpiredError) return \"expires\";\n  if (error instanceof GranteeMismatchError) return \"grantee\";\n  if (error instanceof OperationNotAllowedError) return \"operation\";\n  return undefined;\n}\n\n/**\n * Validates that a grant allows access for the requesting address.\n *\n * @param grantFile - The grant file to validate.\n *   Obtain from permission operations or server responses.\n * @param requestingAddress - The address requesting access.\n *   Typically the current wallet address.\n *\n * @throws {GranteeMismatchError} If addresses don't match.\n *   Ensure using the correct wallet that received the grant.\n *\n * @example\n * ```typescript\n * validateGranteeAccess(grantFile, walletAddress);\n * // Throws if walletAddress doesn't match grantFile.grantee\n * ```\n *\n * @category Permissions\n */\nexport function validateGranteeAccess(\n  grantFile: GrantFile,\n  requestingAddress: Address,\n): void {\n  const normalizedGrantee = getAddress(grantFile.grantee);\n  const normalizedRequesting = getAddress(requestingAddress);\n\n  if (normalizedGrantee !== normalizedRequesting) {\n    throw new GranteeMismatchError(\n      \"Permission denied: requesting address does not match grantee\",\n      grantFile.grantee,\n      requestingAddress,\n    );\n  }\n}\n\n/**\n * Validates that a grant has not expired.\n *\n * @param grantFile - The grant file to check.\n *   Must include expiry timestamp if time-limited.\n * @param currentTime - Optional time override for testing.\n *   Unix timestamp in seconds. Defaults to current time.\n *\n * @throws {GrantExpiredError} If grant has expired.\n *   Request a new grant from the data owner.\n *\n * @example\n * ```typescript\n * validateGrantExpiry(grantFile);\n * // Throws if current time > grantFile.expires\n * ```\n *\n * @category Permissions\n */\nexport function validateGrantExpiry(\n  grantFile: GrantFile,\n  currentTime?: number,\n): void {\n  if (grantFile.expires) {\n    const now =\n      currentTime !== undefined ? currentTime : Math.floor(Date.now() / 1000); // Current Unix timestamp\n\n    if (now > grantFile.expires) {\n      throw new GrantExpiredError(\n        \"Permission denied: grant has expired\",\n        grantFile.expires,\n        now,\n      );\n    }\n  }\n}\n\n/**\n * Validates that a grant authorizes the requested operation.\n *\n * @param grantFile - The grant file to check.\n *   Contains the authorized operation.\n * @param requestedOperation - The operation to validate.\n *   Must match the grant's operation exactly.\n *\n * @throws {OperationNotAllowedError} If operations don't match.\n *   Request a grant for the specific operation needed.\n *\n * @example\n * ```typescript\n * validateOperationAccess(grantFile, 'llm_inference');\n * // Throws if grantFile.operation !== 'llm_inference'\n * ```\n *\n * @category Permissions\n */\nexport function validateOperationAccess(\n  grantFile: GrantFile,\n  requestedOperation: string,\n): void {\n  if (grantFile.operation !== requestedOperation) {\n    throw new OperationNotAllowedError(\n      \"Permission denied: operation not allowed by grant\",\n      grantFile.operation,\n      requestedOperation,\n    );\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAcA,kBAA2B;AAC3B,iBAA2C;AAC3C,yBAAuB;AAEvB,8BAA4B;AAWrB,MAAM,6BAA6B,MAAM;AAAA,EAC9C,YACE,SACO,SACP;AACA,UAAM,OAAO;AAFN;AAGP,SAAK,OAAO;AAAA,EACd;AACF;AAWO,MAAM,0BAA0B,qBAAqB;AAAA,EAC1D,YACE,SACO,SACA,aACP;AACA,UAAM,SAAS,EAAE,SAAS,YAAY,CAAC;AAHhC;AACA;AAGP,SAAK,OAAO;AAAA,EACd;AACF;AAWO,MAAM,6BAA6B,qBAAqB;AAAA,EAC7D,YACE,SACO,SACA,mBACP;AACA,UAAM,SAAS,EAAE,SAAS,kBAAkB,CAAC;AAHtC;AACA;AAGP,SAAK,OAAO;AAAA,EACd;AACF;AAWO,MAAM,iCAAiC,qBAAqB;AAAA,EACjE,YACE,SACO,kBACA,oBACP;AACA,UAAM,SAAS,EAAE,kBAAkB,mBAAmB,CAAC;AAHhD;AACA;AAGP,SAAK,OAAO;AAAA,EACd;AACF;AAWO,MAAM,yBAAyB,qBAAqB;AAAA,EACzD,YACE,SACO,cACA,aACP;AACA,UAAM,SAAS,EAAE,QAAQ,cAAc,MAAM,YAAY,CAAC;AAHnD;AACA;AAGP,SAAK,OAAO;AAAA,EACd;AACF;AAOA,MAAM,MAAM,IAAI,WAAAA,QAAI;AAAA,EAClB,QAAQ;AAAA,EACR,kBAAkB;AAAA,EAClB,aAAa;AAAA,EACb,aAAa;AACf,CAAC;AAAA,IAGD,mBAAAC,SAAW,GAAG;AAOd,MAAM,0BAA4C,IAAI,QAAQ,wBAAAC,OAAe;AA+FtE,SAAS,cACd,MACA,UAAkC,CAAC,GACA;AACnC,QAAM;AAAA,IACJ,SAAS;AAAA,IACT;AAAA,IACA;AAAA,IACA;AAAA,IACA,eAAe;AAAA,EACjB,IAAI;AAEJ,QAAM,SAA0C,CAAC;AACjD,MAAI;AAGJ,MAAI,QAAQ;AACV,QAAI;AACF,UAAI,wBAAwB,IAAI,GAAG;AACjC,gBAAQ;AAAA,MACV,OAAO;AACL,cAAM,IAAI,qBAAqB,2BAA2B;AAAA,MAC5D;AAAA,IACF,SAAS,OAAO;AACd,UAAI,iBAAiB,sBAAsB;AACzC,cAAM,cAAc,IAAI;AAAA,UACtB,MAAM;AAAA,UACN,MAAM,QAAQ,MAAM,SAAS,MAAM,IAAI,MAAM,QAAQ,SAAS,CAAC;AAAA,UAC/D;AAAA,QACF;AACA,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN,SAAS,MAAM;AAAA,UACf,OAAO;AAAA,QACT,CAAC;AAAA,MACH,OAAO;AACL,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN,SAAS,6BAA6B,iBAAiB,QAAQ,MAAM,UAAU,eAAe;AAAA,UAC9F,OAAO,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,eAAe;AAAA,QACnE,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF,OAAO;AAEL,YAAQ;AAAA,EACV;AAGA,MAAI,OAAO;AAET,QAAI,SAAS;AACX,UAAI;AACF,8BAAsB,OAAO,OAAO;AAAA,MACtC,SAAS,OAAO;AACd,cAAM,QAAQ,8BAA8B,KAAK;AACjD,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN;AAAA,UACA,SACE,iBAAiB,QACb,MAAM,UACN;AAAA,UACN,OAAO,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,eAAe;AAAA,QACnE,CAAC;AAAA,MACH;AAAA,IACF;AAGA,QAAI;AACF,0BAAoB,OAAO,WAAW;AAAA,IACxC,SAAS,OAAO;AACd,YAAM,QAAQ,8BAA8B,KAAK;AACjD,aAAO,KAAK;AAAA,QACV,MAAM;AAAA,QACN;AAAA,QACA,SACE,iBAAiB,QACb,MAAM,UACN;AAAA,QACN,OAAO,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,eAAe;AAAA,MACnE,CAAC;AAAA,IACH;AAGA,QAAI,WAAW;AACb,UAAI;AACF,gCAAwB,OAAO,SAAS;AAAA,MAC1C,SAAS,OAAO;AACd,cAAM,QAAQ,8BAA8B,KAAK;AACjD,eAAO,KAAK;AAAA,UACV,MAAM;AAAA,UACN;AAAA,UACA,SACE,iBAAiB,QACb,MAAM,UACN;AAAA,UACN,OAAO,iBAAiB,QAAQ,QAAQ,IAAI,MAAM,eAAe;AAAA,QACnE,CAAC;AAAA,MACH;AAAA,IACF;AAAA,EACF;AAGA,MAAI,OAAO,SAAS,GAAG;AACrB,QAAI,cAAc;AAEhB,YAAM,aAAa,OAAO,CAAC;AAC3B,UAAI,WAAW,OAAO;AACpB,cAAM,WAAW;AAAA,MACnB,OAAO;AACL,cAAM,kBAAkB,OAAO,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,KAAK,IAAI;AAC9D,cAAM,IAAI;AAAA,UACR,4BAA4B,eAAe;AAAA,UAC3C,EAAE,QAAQ,KAAK;AAAA,QACjB;AAAA,MACF;AAAA,IACF;AAEA,WAAO,EAAE,OAAO,OAAO,QAAQ,MAAM;AAAA,EACvC;AAEA,MAAI,cAAc;AAChB,WAAO;AAAA,EACT,OAAO;AACL,WAAO,EAAE,OAAO,MAAM,QAAQ,CAAC,GAAG,MAA0B;AAAA,EAC9D;AACF;AAUA,SAAS,8BAA8B,OAAoC;AACzE,MAAI,iBAAiB,kBAAmB,QAAO;AAC/C,MAAI,iBAAiB,qBAAsB,QAAO;AAClD,MAAI,iBAAiB,yBAA0B,QAAO;AACtD,SAAO;AACT;AAqBO,SAAS,sBACd,WACA,mBACM;AACN,QAAM,wBAAoB,wBAAW,UAAU,OAAO;AACtD,QAAM,2BAAuB,wBAAW,iBAAiB;AAEzD,MAAI,sBAAsB,sBAAsB;AAC9C,UAAM,IAAI;AAAA,MACR;AAAA,MACA,UAAU;AAAA,MACV;AAAA,IACF;AAAA,EACF;AACF;AAqBO,SAAS,oBACd,WACA,aACM;AACN,MAAI,UAAU,SAAS;AACrB,UAAM,MACJ,gBAAgB,SAAY,cAAc,KAAK,MAAM,KAAK,IAAI,IAAI,GAAI;AAExE,QAAI,MAAM,UAAU,SAAS;AAC3B,YAAM,IAAI;AAAA,QACR;AAAA,QACA,UAAU;AAAA,QACV;AAAA,MACF;AAAA,IACF;AAAA,EACF;AACF;AAqBO,SAAS,wBACd,WACA,oBACM;AACN,MAAI,UAAU,cAAc,oBAAoB;AAC9C,UAAM,IAAI;AAAA,MACR;AAAA,MACA,UAAU;AAAA,MACV;AAAA,IACF;AAAA,EACF;AACF;","names":["Ajv","addFormats","grantFileSchema"]}

package/dist/utils/grantValidation.d.ts

@@ -0,0 +1,226 @@
+/**
+ * Provides comprehensive validation for permission grant files.
+ *
+ * @remarks
+ * This module implements multi-layer validation for grant files including
+ * JSON schema validation, business rule checking, expiration verification,
+ * and access control validation. It provides both throwing and non-throwing
+ * modes for flexible error handling.
+ *
+ * @category Permissions
+ * @module utils/grantValidation
+ */
+import type { Address } from "viem";
+import type { GrantFile } from "../types/permissions";
+/**
+ * Indicates a general grant validation failure.
+ *
+ * @remarks
+ * Base class for all grant validation errors. Provides structured
+ * error details for debugging and recovery.
+ *
+ * @category Permissions
+ */
+export declare class GrantValidationError extends Error {
+    details?: Record<string, unknown> | undefined;
+    constructor(message: string, details?: Record<string, unknown> | undefined);
+}
+/**
+ * Indicates that a grant has expired and is no longer valid.
+ *
+ * @remarks
+ * Thrown when attempting to use a grant past its expiration timestamp.
+ * Includes both the expiration time and current time for debugging.
+ *
+ * @category Permissions
+ */
+export declare class GrantExpiredError extends GrantValidationError {
+    expires: number;
+    currentTime: number;
+    constructor(message: string, expires: number, currentTime: number);
+}
+/**
+ * Indicates that the requesting address doesn't match the grant's grantee.
+ *
+ * @remarks
+ * Thrown when a user attempts to use a grant that was issued to a
+ * different address. This prevents unauthorized use of permissions.
+ *
+ * @category Permissions
+ */
+export declare class GranteeMismatchError extends GrantValidationError {
+    grantee: Address;
+    requestingAddress: Address;
+    constructor(message: string, grantee: Address, requestingAddress: Address);
+}
+/**
+ * Indicates that the requested operation is not allowed by the grant.
+ *
+ * @remarks
+ * Thrown when attempting an operation that differs from what the
+ * grant authorizes. Includes both granted and requested operations.
+ *
+ * @category Permissions
+ */
+export declare class OperationNotAllowedError extends GrantValidationError {
+    grantedOperation: string;
+    requestedOperation: string;
+    constructor(message: string, grantedOperation: string, requestedOperation: string);
+}
+/**
+ * Indicates that the grant file structure violates the JSON schema.
+ *
+ * @remarks
+ * Thrown when a grant file doesn't conform to the expected schema.
+ * Includes detailed schema validation errors and the invalid data.
+ *
+ * @category Permissions
+ */
+export declare class GrantSchemaError extends GrantValidationError {
+    schemaErrors: unknown[];
+    invalidData: unknown;
+    constructor(message: string, schemaErrors: unknown[], invalidData: unknown);
+}
+/**
+ * Configures grant validation behavior and scope.
+ *
+ * @remarks
+ * Controls which validations to perform and how to handle errors.
+ * Allows selective validation of specific aspects of a grant.
+ *
+ * @category Permissions
+ */
+export interface GrantValidationOptions {
+    /** Enable JSON schema validation (default: true) */
+    schema?: boolean;
+    /** Grantee address to validate access for */
+    grantee?: Address;
+    /** Operation to validate permission for */
+    operation?: string;
+    /** Override current time for expiry checking (Unix timestamp) */
+    currentTime?: number;
+    /** Return detailed results instead of throwing (default: false) */
+    throwOnError?: boolean;
+}
+/**
+ * Represents the detailed result of grant validation.
+ *
+ * @remarks
+ * Provides comprehensive validation results including all errors
+ * encountered during validation. Used in non-throwing mode.
+ *
+ * @category Permissions
+ */
+export interface GrantValidationResult {
+    /** Whether validation passed */
+    valid: boolean;
+    /** Validation errors encountered */
+    errors: Array<{
+        type: "schema" | "business";
+        field?: string;
+        message: string;
+        error?: Error;
+    }>;
+    /** The validated grant file (if validation passed) */
+    grant?: GrantFile;
+}
+/**
+ * Validates a grant file with comprehensive schema and business rule checking.
+ *
+ * This function provides flexible validation with TypeScript overloads:
+ * - When `throwOnError` is false (or `{ throwOnError: false }`), returns a detailed validation result
+ * - When `throwOnError` is true (default), throws specific errors or returns the validated grant
+ *
+ * @param data - The grant file data to validate (unknown type for safety)
+ * @param options - Validation options including grantee, operation, files, etc.
+ * @returns Either a GrantFile (when throwing) or GrantValidationResult (when not throwing)
+ * @throws {GrantSchemaError} When the grant file structure is invalid
+ * @throws {GrantExpiredError} When the grant has expired
+ * @throws {GranteeMismatchError} When the grantee doesn't match the requesting address
+ * @throws {OperationNotAllowedError} When the requested operation is not allowed
+ * @example
+ * ```typescript
+ * // Throwing mode (default) - returns GrantFile or throws
+ * const grant = validateGrant(data, {
+ *   grantee: '0x123...',
+ *   operation: 'llm_inference',
+ * });
+ *
+ * // Non-throwing mode - returns validation result
+ * const result = validateGrant(data, {
+ *   grantee: '0x123...',
+ *   throwOnError: false
+ * });
+ * if (result.valid) {
+ *   console.log('Grant is valid:', result.grant);
+ * } else {
+ *   console.log('Validation errors:', result.errors);
+ * }
+ * ```
+ */
+export declare function validateGrant(data: unknown, options: GrantValidationOptions & {
+    throwOnError: false;
+}): GrantValidationResult;
+export declare function validateGrant(data: unknown, options?: Omit<GrantValidationOptions, "throwOnError"> | (GrantValidationOptions & {
+    throwOnError?: true;
+})): GrantFile;
+/**
+ * Validates that a grant allows access for the requesting address.
+ *
+ * @param grantFile - The grant file to validate.
+ *   Obtain from permission operations or server responses.
+ * @param requestingAddress - The address requesting access.
+ *   Typically the current wallet address.
+ *
+ * @throws {GranteeMismatchError} If addresses don't match.
+ *   Ensure using the correct wallet that received the grant.
+ *
+ * @example
+ * ```typescript
+ * validateGranteeAccess(grantFile, walletAddress);
+ * // Throws if walletAddress doesn't match grantFile.grantee
+ * ```
+ *
+ * @category Permissions
+ */
+export declare function validateGranteeAccess(grantFile: GrantFile, requestingAddress: Address): void;
+/**
+ * Validates that a grant has not expired.
+ *
+ * @param grantFile - The grant file to check.
+ *   Must include expiry timestamp if time-limited.
+ * @param currentTime - Optional time override for testing.
+ *   Unix timestamp in seconds. Defaults to current time.
+ *
+ * @throws {GrantExpiredError} If grant has expired.
+ *   Request a new grant from the data owner.
+ *
+ * @example
+ * ```typescript
+ * validateGrantExpiry(grantFile);
+ * // Throws if current time > grantFile.expires
+ * ```
+ *
+ * @category Permissions
+ */
+export declare function validateGrantExpiry(grantFile: GrantFile, currentTime?: number): void;
+/**
+ * Validates that a grant authorizes the requested operation.
+ *
+ * @param grantFile - The grant file to check.
+ *   Contains the authorized operation.
+ * @param requestedOperation - The operation to validate.
+ *   Must match the grant's operation exactly.
+ *
+ * @throws {OperationNotAllowedError} If operations don't match.
+ *   Request a grant for the specific operation needed.
+ *
+ * @example
+ * ```typescript
+ * validateOperationAccess(grantFile, 'llm_inference');
+ * // Throws if grantFile.operation !== 'llm_inference'
+ * ```
+ *
+ * @category Permissions
+ */
+export declare function validateOperationAccess(grantFile: GrantFile, requestedOperation: string): void;