@peers-app/peers-sdk 0.1.4

package/dist/data/files/index.d.ts

@@ -0,0 +1,4 @@
+export * from './file.types';
+export * from './files';
+export { FileWriteStream } from './file-write-stream';
+export { FileReadStream } from './file-read-stream';

package/dist/data/files/index.js

@@ -0,0 +1,23 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.FileReadStream = exports.FileWriteStream = void 0;
+__exportStar(require("./file.types"), exports);
+__exportStar(require("./files"), exports);
+var file_write_stream_1 = require("./file-write-stream");
+Object.defineProperty(exports, "FileWriteStream", { enumerable: true, get: function () { return file_write_stream_1.FileWriteStream; } });
+var file_read_stream_1 = require("./file-read-stream");
+Object.defineProperty(exports, "FileReadStream", { enumerable: true, get: function () { return file_read_stream_1.FileReadStream; } });

package/dist/data/group-member-roles.d.ts

@@ -0,0 +1,9 @@
+export declare enum GroupMemberRole {
+    None = 0,
+    Reader = 20,
+    Writer = 40,
+    Admin = 60,
+    Owner = 80,
+    Founder = 100
+}
+export declare function getRoleLabel(value: number): string;

package/dist/data/group-member-roles.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GroupMemberRole = void 0;
+exports.getRoleLabel = getRoleLabel;
+var GroupMemberRole;
+(function (GroupMemberRole) {
+    GroupMemberRole[GroupMemberRole["None"] = 0] = "None";
+    GroupMemberRole[GroupMemberRole["Reader"] = 20] = "Reader";
+    GroupMemberRole[GroupMemberRole["Writer"] = 40] = "Writer";
+    GroupMemberRole[GroupMemberRole["Admin"] = 60] = "Admin";
+    GroupMemberRole[GroupMemberRole["Owner"] = 80] = "Owner";
+    GroupMemberRole[GroupMemberRole["Founder"] = 100] = "Founder";
+})(GroupMemberRole || (exports.GroupMemberRole = GroupMemberRole = {}));
+function getRoleLabel(value) {
+    const roleEntries = Object.entries(GroupMemberRole)
+        .filter(([key, val]) => typeof val === 'number')
+        .map(([key, val]) => ({ level: val, label: key }))
+        .sort((a, b) => b.level - a.level);
+    for (const role of roleEntries) {
+        if (value >= role.level) {
+            return value === role.level ? role.label : `${role.label}+`;
+        }
+    }
+    return 'None';
+}

package/dist/data/group-members.d.ts

@@ -0,0 +1,39 @@
+import { z } from "zod";
+import type { DataContext } from "../context/data-context";
+import { Table } from "./orm";
+import { GroupMemberRole } from './group-member-roles';
+import { ISaveOptions } from "..";
+export declare const groupMemberSchema: z.ZodObject<{
+    groupMemberId: z.ZodEffects<z.ZodString, string, string>;
+    groupId: z.ZodEffects<z.ZodString, string, string>;
+    userId: z.ZodEffects<z.ZodString, string, string>;
+    role: z.ZodNativeEnum<typeof GroupMemberRole>;
+    signature: z.ZodString;
+    deleted: z.ZodOptional<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    role: GroupMemberRole;
+    signature: string;
+    groupMemberId: string;
+    groupId: string;
+    userId: string;
+    deleted?: boolean | undefined;
+}, {
+    role: GroupMemberRole;
+    signature: string;
+    groupMemberId: string;
+    groupId: string;
+    userId: string;
+    deleted?: boolean | undefined;
+}>;
+export type IGroupMember = z.infer<typeof groupMemberSchema>;
+export declare const groupMembersTableName = "GroupMembers";
+export declare class GroupMembersTable extends Table<IGroupMember> {
+    static isPassthrough: boolean;
+    save(groupMember: IGroupMember, opts?: ISaveOptions): Promise<IGroupMember>;
+    delete(groupMemberId: string): Promise<void>;
+    /** @deprecated Forbidden on GroupsTable; use save() */
+    insert(..._args: Parameters<Table<IGroupMember>['insert']>): never;
+    /** @deprecated Forbidden on GroupsTable; use save() */
+    update(..._args: Parameters<Table<IGroupMember>['update']>): never;
+}
+export declare function GroupMembers(dataContext?: DataContext): GroupMembersTable;

package/dist/data/group-members.js

@@ -0,0 +1,68 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GroupMembersTable = exports.groupMembersTableName = exports.groupMemberSchema = void 0;
+exports.GroupMembers = GroupMembers;
+const zod_1 = require("zod");
+const user_context_singleton_1 = require("../context/user-context-singleton");
+const zod_types_1 = require("../types/zod-types");
+const orm_1 = require("./orm");
+const table_definitions_system_1 = require("./orm/table-definitions.system");
+const types_1 = require("./orm/types");
+const group_member_roles_1 = require("./group-member-roles");
+const group_permissions_1 = require("./group-permissions");
+const __1 = require("..");
+exports.groupMemberSchema = zod_1.z.object({
+    groupMemberId: zod_types_1.zodPeerId,
+    groupId: zod_types_1.zodPeerId.describe('The id of the group'),
+    userId: zod_types_1.zodPeerId.describe('The id of the user who is a member of the group'),
+    role: zod_1.z.nativeEnum(group_member_roles_1.GroupMemberRole).describe('The role of the user in the group.  Use "none" to explicitly block a user'),
+    signature: zod_1.z.string().describe('The signed hash of this data excluding the signature itself'),
+    deleted: zod_1.z.boolean().optional().describe('Whether this membership has been deleted (soft delete)'),
+});
+exports.groupMembersTableName = 'GroupMembers';
+const metaData = {
+    name: exports.groupMembersTableName,
+    description: 'group membership associations',
+    primaryKeyName: 'groupMemberId',
+    fields: (0, types_1.schemaToFields)(exports.groupMemberSchema),
+    indexes: [
+        { fields: ['groupId', 'userId'], unique: true },
+    ]
+};
+class GroupMembersTable extends orm_1.Table {
+    static isPassthrough = false;
+    async save(groupMember, opts) {
+        if (GroupMembersTable.isPassthrough) {
+            return super.save(groupMember, opts);
+        }
+        const oldGroupMember = groupMember.groupMemberId ? await this.get(groupMember.groupMemberId) : undefined;
+        if (await (0, group_permissions_1.isGroupMemberSignatureValid)(groupMember.groupId, groupMember, oldGroupMember)) {
+            return super.save(groupMember, opts);
+        }
+        throw new Error('Group member signature is not valid');
+    }
+    async delete(groupMemberId) {
+        if (GroupMembersTable.isPassthrough) {
+            return super.delete(groupMemberId);
+        }
+        const groupMember = await this.get(groupMemberId);
+        if (groupMember) {
+            groupMember.deleted = true;
+            groupMember.role = group_member_roles_1.GroupMemberRole.None;
+            await __1.rpcServerCalls.tableSave(groupMember.groupId, "GroupMembers", groupMember);
+        }
+    }
+    /** @deprecated Forbidden on GroupsTable; use save() */
+    insert(..._args) {
+        throw new Error('GroupsTable forbids insert; use save()');
+    }
+    /** @deprecated Forbidden on GroupsTable; use save() */
+    update(..._args) {
+        throw new Error('GroupsTable forbids update; use save()');
+    }
+}
+exports.GroupMembersTable = GroupMembersTable;
+(0, table_definitions_system_1.registerSystemTableDefinition)(metaData, exports.groupMemberSchema, GroupMembersTable);
+function GroupMembers(dataContext) {
+    return (0, user_context_singleton_1.getTableContainer)(dataContext).getTable(metaData, exports.groupMemberSchema, GroupMembersTable);
+}

package/dist/data/group-members.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/data/group-members.test.js

@@ -0,0 +1,287 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const keys_1 = require("../keys");
+const group_permissions_1 = require("./group-permissions");
+// Test the group members signature logic directly without ORM dependencies
+describe('Group Members Signature Logic', () => {
+    let testGroupMember;
+    let ownerKeys;
+    let adminKeys;
+    beforeEach(() => {
+        ownerKeys = (0, keys_1.newKeys)();
+        adminKeys = (0, keys_1.newKeys)();
+        testGroupMember = {
+            groupMemberId: 'test-member-1',
+            groupId: 'test-group-1',
+            userId: 'test-user-1',
+            role: group_permissions_1.GroupMemberRole.Reader,
+            signature: ''
+        };
+    });
+    describe('basic signature functionality', () => {
+        it('should add signature to group member object', () => {
+            const signedGroupMember = (0, keys_1.addSignatureToObject)(testGroupMember, ownerKeys.secretKey);
+            expect(signedGroupMember.signature).toBeTruthy();
+            expect(signedGroupMember.signature).toContain(':');
+            expect(signedGroupMember.groupId).toBe(testGroupMember.groupId);
+            expect(signedGroupMember.userId).toBe(testGroupMember.userId);
+            expect(signedGroupMember.role).toBe(testGroupMember.role);
+        });
+        it('should verify valid signature', () => {
+            const signedGroupMember = (0, keys_1.addSignatureToObject)(testGroupMember, ownerKeys.secretKey);
+            const isValid = (0, keys_1.isObjectSignatureValid)(signedGroupMember);
+            expect(isValid).toBe(true);
+        });
+        it('should reject invalid signature after modification', () => {
+            const signedGroupMember = (0, keys_1.addSignatureToObject)(testGroupMember, ownerKeys.secretKey);
+            // Modify the group member after signing
+            signedGroupMember.role = group_permissions_1.GroupMemberRole.Admin;
+            const isValid = (0, keys_1.isObjectSignatureValid)(signedGroupMember);
+            expect(isValid).toBe(false);
+        });
+        it('should extract correct public key from signature', () => {
+            const signedGroupMember = (0, keys_1.addSignatureToObject)(testGroupMember, ownerKeys.secretKey);
+            const extractedKey = (0, keys_1.getPublicKeyFromObjectSignature)(signedGroupMember);
+            expect(extractedKey).toBe(ownerKeys.publicKey);
+        });
+    });
+    describe('permission validation with group context', () => {
+        // Note: These tests use basic signature verification since the new permission system
+        // requires actual user/group data context which isn't available in unit tests
+        it('should allow owner to add any role', () => {
+            const memberWithAdminRole = { ...testGroupMember, role: group_permissions_1.GroupMemberRole.Admin };
+            const signedMember = (0, keys_1.addSignatureToObject)(memberWithAdminRole, ownerKeys.secretKey);
+            expect(signedMember.signature).toBeTruthy();
+            expect(signedMember.role).toBe(group_permissions_1.GroupMemberRole.Admin);
+            expect((0, keys_1.isObjectSignatureValid)(signedMember)).toBe(true);
+        });
+        it('should allow admin to add non-admin roles', () => {
+            const signedMember = (0, keys_1.addSignatureToObject)(testGroupMember, adminKeys.secretKey);
+            expect(signedMember.signature).toBeTruthy();
+            expect(signedMember.role).toBe(group_permissions_1.GroupMemberRole.Reader);
+            expect((0, keys_1.isObjectSignatureValid)(signedMember)).toBe(true);
+        });
+        it('should allow admin to assign admin roles', () => {
+            const memberWithAdminRole = { ...testGroupMember, role: group_permissions_1.GroupMemberRole.Admin };
+            const signedMember = (0, keys_1.addSignatureToObject)(memberWithAdminRole, adminKeys.secretKey);
+            expect(signedMember.signature).toBeTruthy();
+            expect(signedMember.role).toBe(group_permissions_1.GroupMemberRole.Admin);
+            expect((0, keys_1.isObjectSignatureValid)(signedMember)).toBe(true);
+        });
+    });
+    describe('role assignment rules', () => {
+        // Note: These tests focus on basic signature functionality since the new permission system
+        // requires actual user/group data context for role-based validation
+        it('should allow signing owner role', () => {
+            const memberWithOwnerRole = { ...testGroupMember, role: group_permissions_1.GroupMemberRole.Owner };
+            const signedMember = (0, keys_1.addSignatureToObject)(memberWithOwnerRole, ownerKeys.secretKey);
+            expect(signedMember.role).toBe(group_permissions_1.GroupMemberRole.Owner);
+            expect((0, keys_1.isObjectSignatureValid)(signedMember)).toBe(true);
+        });
+        it('should allow signing founder role', () => {
+            const memberWithFounderRole = { ...testGroupMember, role: group_permissions_1.GroupMemberRole.Founder };
+            const signedMember = (0, keys_1.addSignatureToObject)(memberWithFounderRole, ownerKeys.secretKey);
+            expect(signedMember.role).toBe(group_permissions_1.GroupMemberRole.Founder);
+            expect((0, keys_1.isObjectSignatureValid)(signedMember)).toBe(true);
+        });
+        it('should allow signing writer role', () => {
+            const memberWithWriterRole = { ...testGroupMember, role: group_permissions_1.GroupMemberRole.Writer };
+            const signedMember = (0, keys_1.addSignatureToObject)(memberWithWriterRole, adminKeys.secretKey);
+            expect(signedMember.role).toBe(group_permissions_1.GroupMemberRole.Writer);
+            expect((0, keys_1.isObjectSignatureValid)(signedMember)).toBe(true);
+        });
+        it('should allow setting role to None (blocking user)', () => {
+            const memberWithNoneRole = { ...testGroupMember, role: group_permissions_1.GroupMemberRole.None };
+            const signedMember = (0, keys_1.addSignatureToObject)(memberWithNoneRole, adminKeys.secretKey);
+            expect(signedMember.role).toBe(group_permissions_1.GroupMemberRole.None);
+            expect((0, keys_1.isObjectSignatureValid)(signedMember)).toBe(true);
+        });
+        it('should handle role modifications with signatures', () => {
+            const demotedToWriter = { ...testGroupMember, role: group_permissions_1.GroupMemberRole.Writer };
+            const signedMember = (0, keys_1.addSignatureToObject)(demotedToWriter, adminKeys.secretKey);
+            expect(signedMember.role).toBe(group_permissions_1.GroupMemberRole.Writer);
+            expect((0, keys_1.isObjectSignatureValid)(signedMember)).toBe(true);
+        });
+    });
+    describe('signature tampering detection', () => {
+        it('should detect tampered signature', () => {
+            const signedMember = (0, keys_1.addSignatureToObject)(testGroupMember, ownerKeys.secretKey);
+            // Tamper with signature by adding extra characters
+            signedMember.signature = signedMember.signature + 'tampered';
+            expect((0, keys_1.isObjectSignatureValid)(signedMember)).toBe(false);
+        });
+        it('should detect empty signature', () => {
+            testGroupMember.signature = '';
+            expect((0, keys_1.isObjectSignatureValid)(testGroupMember)).toBe(false);
+        });
+        it('should detect malformed signature', () => {
+            testGroupMember.signature = 'malformed-signature';
+            expect((0, keys_1.isObjectSignatureValid)(testGroupMember)).toBe(false);
+        });
+        it('should handle signature without colon separator', () => {
+            testGroupMember.signature = 'noseparator';
+            expect((0, keys_1.isObjectSignatureValid)(testGroupMember)).toBe(false);
+            expect((0, keys_1.getPublicKeyFromObjectSignature)(testGroupMember)).toBeUndefined();
+        });
+    });
+    describe('complex group member objects', () => {
+        it('should handle all role types', () => {
+            const roles = [
+                group_permissions_1.GroupMemberRole.None,
+                group_permissions_1.GroupMemberRole.Reader,
+                group_permissions_1.GroupMemberRole.Writer,
+                group_permissions_1.GroupMemberRole.Admin,
+                group_permissions_1.GroupMemberRole.Owner,
+                group_permissions_1.GroupMemberRole.Founder
+            ];
+            roles.forEach(role => {
+                const member = { ...testGroupMember, role };
+                const signedMember = (0, keys_1.addSignatureToObject)(member, ownerKeys.secretKey);
+                expect((0, keys_1.isObjectSignatureValid)(signedMember)).toBe(true);
+                expect(signedMember.role).toBe(role);
+            });
+        });
+        it('should handle different user and group IDs', () => {
+            const memberWithDifferentIds = {
+                ...testGroupMember,
+                groupMemberId: 'member-123',
+                groupId: 'group-456',
+                userId: 'user-789'
+            };
+            const signedMember = (0, keys_1.addSignatureToObject)(memberWithDifferentIds, ownerKeys.secretKey);
+            expect((0, keys_1.isObjectSignatureValid)(signedMember)).toBe(true);
+            expect(signedMember.groupMemberId).toBe('member-123');
+            expect(signedMember.groupId).toBe('group-456');
+            expect(signedMember.userId).toBe('user-789');
+        });
+    });
+    describe('edge cases', () => {
+        it('should handle long IDs', () => {
+            const memberWithLongIds = {
+                ...testGroupMember,
+                groupMemberId: 'A'.repeat(1000),
+                groupId: 'B'.repeat(1000),
+                userId: 'C'.repeat(1000)
+            };
+            const signedMember = (0, keys_1.addSignatureToObject)(memberWithLongIds, ownerKeys.secretKey);
+            expect((0, keys_1.isObjectSignatureValid)(signedMember)).toBe(true);
+        });
+        it('should handle special characters in IDs', () => {
+            const memberWithSpecialIds = {
+                ...testGroupMember,
+                groupMemberId: 'member-🚀-test',
+                groupId: 'group-"with"-quotes',
+                userId: 'user\nwith\nnewlines'
+            };
+            const signedMember = (0, keys_1.addSignatureToObject)(memberWithSpecialIds, ownerKeys.secretKey);
+            expect((0, keys_1.isObjectSignatureValid)(signedMember)).toBe(true);
+            expect(signedMember.groupMemberId).toContain('🚀');
+        });
+        it('should handle empty string IDs', () => {
+            const memberWithEmptyIds = {
+                ...testGroupMember,
+                groupMemberId: '',
+                groupId: '',
+                userId: ''
+            };
+            const signedMember = (0, keys_1.addSignatureToObject)(memberWithEmptyIds, ownerKeys.secretKey);
+            expect((0, keys_1.isObjectSignatureValid)(signedMember)).toBe(true);
+        });
+        it('should handle modification of existing group member', () => {
+            const originalMember = { ...testGroupMember, role: group_permissions_1.GroupMemberRole.Reader };
+            const modifiedMember = { ...originalMember, role: group_permissions_1.GroupMemberRole.Writer };
+            const signedMember = (0, keys_1.addSignatureToObject)(modifiedMember, adminKeys.secretKey);
+            expect(signedMember.role).toBe(group_permissions_1.GroupMemberRole.Writer);
+            expect((0, keys_1.isObjectSignatureValid)(signedMember)).toBe(true);
+        });
+    });
+    describe('permission functions with role override', () => {
+        // Use the optional signerRole parameter to avoid mocking complexity
+        describe('signGroupMemberObject', () => {
+            it('should allow admin to sign group member', async () => {
+                const memberToSign = { ...testGroupMember, role: group_permissions_1.GroupMemberRole.Writer };
+                const signedMember = await (0, keys_1.addSignatureToObject)(memberToSign, adminKeys.secretKey);
+                expect(signedMember.signature).toBeTruthy();
+                expect(signedMember.role).toBe(group_permissions_1.GroupMemberRole.Writer);
+                expect((0, keys_1.isObjectSignatureValid)(signedMember)).toBe(true);
+            });
+            it('should allow owner to sign group member', async () => {
+                const memberToSign = { ...testGroupMember, role: group_permissions_1.GroupMemberRole.Admin };
+                const signedMember = await (0, keys_1.addSignatureToObject)(memberToSign, ownerKeys.secretKey);
+                expect(signedMember.signature).toBeTruthy();
+                expect(signedMember.role).toBe(group_permissions_1.GroupMemberRole.Admin);
+                expect((0, keys_1.isObjectSignatureValid)(signedMember)).toBe(true);
+            });
+        });
+        describe('verifyGroupMemberSignature with role override', () => {
+            it('should verify valid signature with admin signer role', async () => {
+                const signedMember = (0, keys_1.addSignatureToObject)(testGroupMember, adminKeys.secretKey);
+                const isValid = await (0, group_permissions_1.isGroupMemberSignatureValid)(testGroupMember.groupId, signedMember, undefined, group_permissions_1.GroupMemberRole.Admin);
+                expect(isValid).toBe(true);
+            });
+            it('should verify valid signature with owner signer role', async () => {
+                const memberWithAdminRole = { ...testGroupMember, role: group_permissions_1.GroupMemberRole.Admin };
+                const signedMember = (0, keys_1.addSignatureToObject)(memberWithAdminRole, ownerKeys.secretKey);
+                const isValid = await (0, group_permissions_1.isGroupMemberSignatureValid)(memberWithAdminRole.groupId, signedMember, undefined, group_permissions_1.GroupMemberRole.Owner);
+                expect(isValid).toBe(true);
+            });
+            it('should reject when signer role is below admin', async () => {
+                const signedMember = (0, keys_1.addSignatureToObject)(testGroupMember, adminKeys.secretKey);
+                const isValid = await (0, group_permissions_1.isGroupMemberSignatureValid)(testGroupMember.groupId, signedMember, undefined, group_permissions_1.GroupMemberRole.Writer);
+                expect(isValid).toBe(false);
+            });
+            it('should reject when signer role is below new member role', async () => {
+                const memberWithOwnerRole = { ...testGroupMember, role: group_permissions_1.GroupMemberRole.Owner };
+                const signedMember = (0, keys_1.addSignatureToObject)(memberWithOwnerRole, adminKeys.secretKey);
+                const isValid = await (0, group_permissions_1.isGroupMemberSignatureValid)(memberWithOwnerRole.groupId, signedMember, undefined, group_permissions_1.GroupMemberRole.Admin);
+                expect(isValid).toBe(false);
+            });
+            it('should reject when signer role is below old member role', async () => {
+                const oldMember = { ...testGroupMember, role: group_permissions_1.GroupMemberRole.Owner };
+                const newMember = { ...testGroupMember, role: group_permissions_1.GroupMemberRole.Writer };
+                const signedNewMember = (0, keys_1.addSignatureToObject)(newMember, adminKeys.secretKey);
+                const isValid = await (0, group_permissions_1.isGroupMemberSignatureValid)(newMember.groupId, signedNewMember, oldMember, group_permissions_1.GroupMemberRole.Admin);
+                expect(isValid).toBe(false);
+            });
+            it('should allow admin to modify reader role', async () => {
+                const memberWithReaderRole = { ...testGroupMember, role: group_permissions_1.GroupMemberRole.Reader };
+                const signedMember = (0, keys_1.addSignatureToObject)(memberWithReaderRole, adminKeys.secretKey);
+                const isValid = await (0, group_permissions_1.isGroupMemberSignatureValid)(memberWithReaderRole.groupId, signedMember, undefined, group_permissions_1.GroupMemberRole.Admin);
+                expect(isValid).toBe(true);
+            });
+            it('should allow owner to modify admin role', async () => {
+                const memberWithAdminRole = { ...testGroupMember, role: group_permissions_1.GroupMemberRole.Admin };
+                const signedMember = (0, keys_1.addSignatureToObject)(memberWithAdminRole, ownerKeys.secretKey);
+                const isValid = await (0, group_permissions_1.isGroupMemberSignatureValid)(memberWithAdminRole.groupId, signedMember, undefined, group_permissions_1.GroupMemberRole.Owner);
+                expect(isValid).toBe(true);
+            });
+            it('should reject invalid signature', async () => {
+                const signedMember = (0, keys_1.addSignatureToObject)(testGroupMember, adminKeys.secretKey);
+                signedMember.signature = 'invalid-signature';
+                const isValid = await (0, group_permissions_1.isGroupMemberSignatureValid)(testGroupMember.groupId, signedMember, undefined, group_permissions_1.GroupMemberRole.Admin);
+                expect(isValid).toBe(false);
+            });
+            it('should reject when signature is missing', async () => {
+                const memberWithoutSignature = { ...testGroupMember, signature: '' };
+                const isValid = await (0, group_permissions_1.isGroupMemberSignatureValid)(testGroupMember.groupId, memberWithoutSignature, undefined, group_permissions_1.GroupMemberRole.Admin);
+                expect(isValid).toBe(false);
+            });
+            it('should handle role modifications correctly', async () => {
+                const oldMember = { ...testGroupMember, role: group_permissions_1.GroupMemberRole.Writer };
+                const newMember = { ...testGroupMember, role: group_permissions_1.GroupMemberRole.Admin };
+                const signedNewMember = (0, keys_1.addSignatureToObject)(newMember, ownerKeys.secretKey);
+                // Owner can promote writer to admin
+                const isValid = await (0, group_permissions_1.isGroupMemberSignatureValid)(newMember.groupId, signedNewMember, oldMember, group_permissions_1.GroupMemberRole.Owner);
+                expect(isValid).toBe(true);
+            });
+            it('should handle role demotion correctly', async () => {
+                const oldMember = { ...testGroupMember, role: group_permissions_1.GroupMemberRole.Admin };
+                const newMember = { ...testGroupMember, role: group_permissions_1.GroupMemberRole.Writer };
+                const signedNewMember = (0, keys_1.addSignatureToObject)(newMember, ownerKeys.secretKey);
+                // Owner can demote admin to writer
+                const isValid = await (0, group_permissions_1.isGroupMemberSignatureValid)(newMember.groupId, signedNewMember, oldMember, group_permissions_1.GroupMemberRole.Owner);
+                expect(isValid).toBe(true);
+            });
+        });
+    });
+});

package/dist/data/group-permissions.d.ts

@@ -0,0 +1,8 @@
+import { GroupMemberRole } from './group-member-roles';
+import type { IGroupMember } from './group-members';
+import type { IGroup } from './groups';
+export { GroupMemberRole };
+export declare function getUserRole(groupId: string, userId: string): Promise<GroupMemberRole>;
+export declare function getUserRoleFromPublicKey(groupId: string, publicKey: string): Promise<GroupMemberRole>;
+export declare function verifyGroupSignature(group: IGroup, oldGroup?: IGroup): Promise<void>;
+export declare function isGroupMemberSignatureValid(groupId: string, newGroupMember: IGroupMember, oldGroupMember?: IGroupMember, signerRole?: GroupMemberRole): Promise<boolean>;

package/dist/data/group-permissions.js

@@ -0,0 +1,73 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.GroupMemberRole = void 0;
+exports.getUserRole = getUserRole;
+exports.getUserRoleFromPublicKey = getUserRoleFromPublicKey;
+exports.verifyGroupSignature = verifyGroupSignature;
+exports.isGroupMemberSignatureValid = isGroupMemberSignatureValid;
+const context_1 = require("../context");
+const keys_1 = require("../keys");
+const group_member_roles_1 = require("./group-member-roles");
+Object.defineProperty(exports, "GroupMemberRole", { enumerable: true, get: function () { return group_member_roles_1.GroupMemberRole; } });
+async function getUserRole(groupId, userId) {
+    const { Groups } = await Promise.resolve().then(() => require('./groups'));
+    const { GroupMembers } = await Promise.resolve().then(() => require('./group-members'));
+    const userContext = await (0, context_1.getUserContext)();
+    const groupDataContext = userContext.getDataContext(groupId);
+    const group = await Groups(groupDataContext).get(groupId)
+        || await Groups(userContext.userDataContext).get(groupId);
+    // If the group doesn't exist or the current user is explicitly the founder, return Founder role
+    if (!group || group.founderUserId === userId) {
+        return group_member_roles_1.GroupMemberRole.Founder;
+    }
+    const groupMembership = await GroupMembers(groupDataContext).findOne({ userId });
+    if (groupMembership) {
+        return groupMembership.role;
+    }
+    return group.publicRole || group_member_roles_1.GroupMemberRole.None;
+}
+async function getUserRoleFromPublicKey(groupId, publicKey) {
+    const { Users } = await Promise.resolve().then(() => require('./users'));
+    const userContext = await (0, context_1.getUserContext)();
+    const groupDataContext = userContext.getDataContext(groupId);
+    const user = await Users(groupDataContext).findOne({ publicKey })
+        || await Users(userContext.userDataContext).findOne({ publicKey });
+    if (user) {
+        return getUserRole(groupId, user?.userId);
+    }
+    return group_member_roles_1.GroupMemberRole.None;
+}
+async function verifyGroupSignature(group, oldGroup) {
+    (0, keys_1.verifyObjectSignature)(group);
+    const publicKey = (0, keys_1.getPublicKeyFromObjectSignature)(group) ?? '';
+    const signerRole = await getUserRoleFromPublicKey(group.groupId, publicKey);
+    if (oldGroup && oldGroup.founderUserId !== group.founderUserId && signerRole < group_member_roles_1.GroupMemberRole.Founder) {
+        throw new Error('Only group founders can change the founder of the group');
+    }
+    if (signerRole < group_member_roles_1.GroupMemberRole.Admin) {
+        throw new Error('Only group admins can modify group settings');
+    }
+}
+async function isGroupMemberSignatureValid(groupId, newGroupMember, oldGroupMember, signerRole) {
+    oldGroupMember ??= newGroupMember;
+    // Basic signature verification
+    if (!(0, keys_1.isObjectSignatureValid)(newGroupMember)) {
+        return false;
+    }
+    // Get the public key that signed this group member
+    const signerPublicKey = (0, keys_1.getPublicKeyFromObjectSignature)(newGroupMember);
+    if (!signerPublicKey) {
+        return false;
+    }
+    // Determine signer's role in the group using the user-based permission system
+    signerRole ??= await getUserRoleFromPublicKey(groupId, signerPublicKey);
+    // Validate permissions for group member modifications
+    if (signerRole < group_member_roles_1.GroupMemberRole.Admin) {
+        return false; // Only group admins or above can modify group membership
+    }
+    // admins or above can only modify roles up to their own level
+    if (signerRole < newGroupMember.role || signerRole < oldGroupMember.role) {
+        return false;
+    }
+    return true;
+}

package/dist/data/group-share.d.ts

@@ -0,0 +1,50 @@
+import { IGroupMember } from './group-members';
+import { IGroup } from './groups';
+/**
+ * Interface representing a shareable group with admin+ members
+ */
+export interface IGroupShare {
+    /** The group information */
+    group: IGroup;
+    /** Members with Admin role or above (Admin=60, Owner=80, Founder=100) */
+    groupMembers: IGroupMember[];
+}
+/**
+ * Generates a GroupShare object containing the group and its admin+ members
+ * @param groupId The ID of the group to share
+ * @returns Promise<GroupShare> The shareable group data
+ * @throws Error if group not found or user lacks permission
+ */
+export declare function generateGroupShare(groupId: string): Promise<IGroupShare>;
+/**
+ * Validates that an object has the correct GroupShare structure
+ * @param obj Object to validate
+ * @returns boolean True if valid GroupShare structure
+ */
+export declare function validateGroupShare(obj: any): obj is IGroupShare;
+/**
+ * Estimates the size of a GroupShare object when serialized to JSON
+ * @param groupShare The GroupShare object to estimate
+ * @returns number Estimated size in characters
+ */
+export declare function estimateGroupShareSize(groupShare: IGroupShare): number;
+/**
+ * Checks if a GroupShare object would fit in a QR code of the specified version
+ * @param groupShare The GroupShare object to check
+ * @param qrVersion QR code version (10, 20, or 40)
+ * @returns Object with size info and QR code compatibility
+ */
+export declare function checkQRCodeCompatibility(groupShare: IGroupShare, qrVersion?: 10 | 20 | 40): {
+    size: number;
+    maxSize: number;
+    fits: boolean;
+    usagePercent: number;
+    qrVersion: 10 | 20 | 40;
+    memberCount: number;
+};
+/**
+ * Copies text to clipboard with fallback handling
+ * @param text Text to copy to clipboard
+ * @returns Promise<boolean> True if successful
+ */
+export declare function copyToClipboard(text: string): Promise<boolean>;