@powerhousedao/reactor-api 6.2.0-dev.9 → 6.2.0-rc.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.d.mts CHANGED
@@ -3,9 +3,9 @@ import { IAnalyticsStore } from "@powerhousedao/analytics-engine-core";
3
3
  import { AnalyticsModel } from "@powerhousedao/analytics-engine-graphql";
4
4
  import * as graphql from "graphql";
5
5
  import { DocumentNode, GraphQLResolveInfo, GraphQLScalarType, GraphQLScalarTypeConfig, GraphQLSchema } from "graphql";
6
+ import { IDocumentModelLoader, IDocumentModelRegistry, IDriveClient, IReactorClient, IRelationalDb, ISyncManager, ParsedDriveUrl, ReactorClientModule, driveIdFromUrl, parseDriveUrl } from "@powerhousedao/reactor";
6
7
  import { ILogger } from "document-model";
7
8
  import { DocumentModelGlobalState as DocumentModelGlobalState$1, DocumentModelModule, Operation, PHDocument, PHDocumentHeader } from "@powerhousedao/shared/document-model";
8
- import { IDocumentModelLoader, IDocumentModelRegistry, IDriveClient, IReactorClient, IRelationalDb, ISyncManager, ParsedDriveUrl, ReactorClientModule, driveIdFromUrl, parseDriveUrl } from "@powerhousedao/reactor";
9
9
  import * as z$1 from "zod";
10
10
  import { DocumentDriveDocument, DocumentDriveGlobalState } from "@powerhousedao/shared/document-drive";
11
11
  import { AttachmentBuildResult } from "@powerhousedao/reactor-attachments";
@@ -42,11 +42,7 @@ interface DocumentProtectionTable {
42
42
  }
43
43
  interface DocumentPermissionDatabase {
44
44
  DocumentPermission: DocumentPermissionTable;
45
- Group: GroupTable;
46
- UserGroup: UserGroupTable;
47
- DocumentGroupPermission: DocumentGroupPermissionTable;
48
45
  OperationUserPermission: OperationUserPermissionTable;
49
- OperationGroupPermission: OperationGroupPermissionTable;
50
46
  DocumentProtection: DocumentProtectionTable;
51
47
  }
52
48
  interface DocumentPermissionTable {
@@ -58,27 +54,6 @@ interface DocumentPermissionTable {
58
54
  createdAt: Date;
59
55
  updatedAt: Date;
60
56
  }
61
- interface GroupTable {
62
- id: Generated<number>;
63
- name: string;
64
- description: string | null;
65
- createdAt: Date;
66
- updatedAt: Date;
67
- }
68
- interface UserGroupTable {
69
- userAddress: string;
70
- groupId: number;
71
- createdAt: Date;
72
- }
73
- interface DocumentGroupPermissionTable {
74
- id: Generated<number>;
75
- documentId: string;
76
- groupId: number;
77
- permission: DocumentPermissionLevel;
78
- grantedBy: string;
79
- createdAt: Date;
80
- updatedAt: Date;
81
- }
82
57
  interface OperationUserPermissionTable {
83
58
  id: Generated<number>;
84
59
  documentId: string;
@@ -87,14 +62,6 @@ interface OperationUserPermissionTable {
87
62
  grantedBy: string;
88
63
  createdAt: Date;
89
64
  }
90
- interface OperationGroupPermissionTable {
91
- id: Generated<number>;
92
- documentId: string;
93
- operationType: string;
94
- groupId: number;
95
- grantedBy: string;
96
- createdAt: Date;
97
- }
98
65
  type Db = Kysely<any>;
99
66
  /**
100
67
  * Optional factory used by callers (e.g. Switchboard) to inject a
@@ -120,21 +87,6 @@ interface DocumentPermissionEntry {
120
87
  createdAt: Date;
121
88
  updatedAt: Date;
122
89
  }
123
- interface Group {
124
- id: number;
125
- name: string;
126
- description: string | null;
127
- createdAt: Date;
128
- updatedAt: Date;
129
- }
130
- interface DocumentGroupPermissionEntry {
131
- documentId: string;
132
- groupId: number;
133
- permission: DocumentPermissionLevel;
134
- grantedBy: string;
135
- createdAt: Date;
136
- updatedAt: Date;
137
- }
138
90
  interface OperationUserPermissionEntry {
139
91
  documentId: string;
140
92
  operationType: string;
@@ -142,13 +94,6 @@ interface OperationUserPermissionEntry {
142
94
  grantedBy: string;
143
95
  createdAt: Date;
144
96
  }
145
- interface OperationGroupPermissionEntry {
146
- documentId: string;
147
- operationType: string;
148
- groupId: number;
149
- grantedBy: string;
150
- createdAt: Date;
151
- }
152
97
  /**
153
98
  * Function type for getting parent document IDs
154
99
  * This is injected to avoid circular dependencies with the reactor client
@@ -169,7 +114,7 @@ interface DocumentPermissionConfig {
169
114
  * - ADMIN: Can manage document permissions and settings
170
115
  *
171
116
  * Operation permissions:
172
- * - Users and groups can be granted permission to execute specific operations
117
+ * - Users can be granted permission to execute specific operations
173
118
  */
174
119
  declare class DocumentPermissionService {
175
120
  private readonly db;
@@ -200,83 +145,6 @@ declare class DocumentPermissionService {
200
145
  * Delete all permissions for a document (used when deleting a document)
201
146
  */
202
147
  deleteAllDocumentPermissions(documentId: string): Promise<void>;
203
- /**
204
- * Check if a user can read a document.
205
- * Returns true if user has READ, WRITE, or ADMIN permission (direct or via group)
206
- */
207
- canReadDocument(documentId: string, userAddress: string | undefined): Promise<boolean>;
208
- /**
209
- * Check if a user can write to a document.
210
- * Returns true if user has WRITE or ADMIN permission (direct or via group)
211
- */
212
- canWriteDocument(documentId: string, userAddress: string | undefined): Promise<boolean>;
213
- /**
214
- * Check if a user can manage a document (change permissions, settings).
215
- * Returns true if user has ADMIN permission (direct or via group)
216
- */
217
- canManageDocument(documentId: string, userAddress: string | undefined): Promise<boolean>;
218
- /**
219
- * Check if a user can read a document, including parent permission inheritance.
220
- * Returns true if user has permission on the document OR any parent in the hierarchy.
221
- */
222
- canRead(documentId: string, userAddress: string | undefined, getParentIds: GetParentIdsFn): Promise<boolean>;
223
- /**
224
- * Check if a user can write to a document, including parent permission inheritance.
225
- * Returns true if user has write permission on the document OR any parent in the hierarchy.
226
- */
227
- canWrite(documentId: string, userAddress: string | undefined, getParentIds: GetParentIdsFn): Promise<boolean>;
228
- /**
229
- * Filter a list of document IDs to only include those the user can read.
230
- */
231
- filterReadableDocuments(documentIds: string[], userAddress: string | undefined, getParentIds: GetParentIdsFn): Promise<string[]>;
232
- /**
233
- * Create a new group
234
- */
235
- createGroup(name: string, description?: string): Promise<Group>;
236
- /**
237
- * Delete a group and all its associations
238
- */
239
- deleteGroup(groupId: number): Promise<void>;
240
- /**
241
- * Get a group by ID
242
- */
243
- getGroup(groupId: number): Promise<Group | null>;
244
- /**
245
- * List all groups
246
- */
247
- listGroups(): Promise<Group[]>;
248
- /**
249
- * Add a user to a group
250
- */
251
- addUserToGroup(userAddress: string, groupId: number): Promise<void>;
252
- /**
253
- * Remove a user from a group
254
- */
255
- removeUserFromGroup(userAddress: string, groupId: number): Promise<void>;
256
- /**
257
- * Get all groups a user belongs to
258
- */
259
- getUserGroups(userAddress: string): Promise<Group[]>;
260
- /**
261
- * Get all members of a group
262
- */
263
- getGroupMembers(groupId: number): Promise<string[]>;
264
- /**
265
- * Grant a group permission on a document
266
- */
267
- grantGroupPermission(documentId: string, groupId: number, permission: DocumentPermissionLevel, grantedBy: string): Promise<DocumentGroupPermissionEntry>;
268
- /**
269
- * Revoke a group's permission on a document
270
- */
271
- revokeGroupPermission(documentId: string, groupId: number): Promise<void>;
272
- /**
273
- * Get all group permissions for a document
274
- */
275
- getDocumentGroupPermissions(documentId: string): Promise<DocumentGroupPermissionEntry[]>;
276
- /**
277
- * Get best permission level a user has on a document via groups
278
- */
279
- getUserGroupPermission(documentId: string, userAddress: string): Promise<DocumentPermissionLevel | null>;
280
148
  /**
281
149
  * Grant a user permission to execute an operation on a document
282
150
  */
@@ -285,27 +153,14 @@ declare class DocumentPermissionService {
285
153
  * Revoke a user's permission to execute an operation
286
154
  */
287
155
  revokeOperationPermission(documentId: string, operationType: string, userAddress: string): Promise<void>;
288
- /**
289
- * Grant a group permission to execute an operation on a document
290
- */
291
- grantGroupOperationPermission(documentId: string, operationType: string, groupId: number, grantedBy: string): Promise<OperationGroupPermissionEntry>;
292
- /**
293
- * Revoke a group's permission to execute an operation
294
- */
295
- revokeGroupOperationPermission(documentId: string, operationType: string, groupId: number): Promise<void>;
296
156
  /**
297
157
  * Get all users with permission to execute an operation
298
158
  */
299
159
  getOperationUserPermissions(documentId: string, operationType: string): Promise<OperationUserPermissionEntry[]>;
300
160
  /**
301
- * Get all groups with permission to execute an operation
161
+ * Whether an operation-permission row exists for the user on this operation.
302
162
  */
303
- getOperationGroupPermissions(documentId: string, operationType: string): Promise<OperationGroupPermissionEntry[]>;
304
- /**
305
- * Check if a user can execute a specific operation on a document.
306
- * Returns true if user has direct permission or is in a group with permission.
307
- */
308
- canExecuteOperation(documentId: string, operationType: string, userAddress: string | undefined): Promise<boolean>;
163
+ hasOperationGrant(documentId: string, operationType: string, userAddress: string): Promise<boolean>;
309
164
  /**
310
165
  * Check if an operation has any permissions set (is restricted)
311
166
  */
@@ -352,6 +207,34 @@ declare class DocumentPermissionService {
352
207
  }
353
208
  //#endregion
354
209
  //#region src/services/authorization.service.d.ts
210
+ /**
211
+ * A document id that has been resolved to its canonical form, never a slug.
212
+ *
213
+ * Protection and grant rows are written under the canonical id, while the
214
+ * read/operation data paths accept an id-or-slug identifier. The decision layer
215
+ * must key on the canonical id, so branding it forces every caller to resolve a
216
+ * slug to its id before consulting this service, closing the slug-aliasing
217
+ * bypass (S-C1). The only sanctioned cast from string to CanonicalDocumentId
218
+ * lives in the BaseSubgraph resolution helpers, immediately after the shared
219
+ * resolveIdOrSlug lookup returns.
220
+ */
221
+ type CanonicalDocumentId = string & {
222
+ readonly __canonicalDocumentId: unique symbol;
223
+ };
224
+ /**
225
+ * Result of a passed per-document authorization check. `fetchIdentifier` is
226
+ * always safe for the data fetch: the canonical id when resolved, or the raw
227
+ * identifier when the check was skipped for a policy-wide caller.
228
+ */
229
+ declare class AuthorizedDocumentHandle {
230
+ readonly fetchIdentifier: string;
231
+ readonly isResolved: boolean;
232
+ private constructor();
233
+ static resolved(documentId: CanonicalDocumentId): AuthorizedDocumentHandle;
234
+ static skipped(identifier: string): AuthorizedDocumentHandle;
235
+ /** The verified canonical id; throws when resolution was skipped. */
236
+ canonicalId(): CanonicalDocumentId;
237
+ }
355
238
  declare const AuthorizationPolicy: {
356
239
  readonly OPEN: "OPEN";
357
240
  readonly ADMIN_ONLY: "ADMIN_ONLY";
@@ -371,14 +254,33 @@ interface AuthorizationConfig {
371
254
  * - OPEN: authentication disabled — everyone (incl. anonymous) is allowed.
372
255
  * - ADMIN_ONLY: authentication on, document permissions off — only ADMINS.
373
256
  * - DOCUMENT_PERMISSIONS: the full per-document protection + grant model.
257
+ *
258
+ * Permission inheritance walks the parent-document hierarchy through a
259
+ * parent resolver injected at construction; callers never supply one.
374
260
  */
375
261
  interface IAuthorizationService {
376
262
  readonly config: AuthorizationConfig;
263
+ /**
264
+ * Whether the user has unrestricted, policy-wide access. Under OPEN this is
265
+ * true for everyone (including anonymous callers) by design: OPEN means "no
266
+ * restrictions", and consumers use this check to skip per-document
267
+ * filtering. It does NOT mean the caller is in the ADMINS list.
268
+ */
377
269
  isSupremeAdmin(userAddress?: string): boolean;
378
- canRead(documentId: string, userAddress?: string, getParentIds?: GetParentIdsFn): Promise<boolean>;
379
- canWrite(documentId: string, userAddress?: string, getParentIds?: GetParentIdsFn): Promise<boolean>;
380
- canManage(documentId: string, userAddress?: string, getParentIds?: GetParentIdsFn): Promise<boolean>;
381
- canMutate(documentId: string, operationType: string, userAddress?: string, getParentIds?: GetParentIdsFn): Promise<boolean>;
270
+ /**
271
+ * Whether the user may create new documents under the current policy:
272
+ * everyone in OPEN, only admins in ADMIN_ONLY, any authenticated user in
273
+ * DOCUMENT_PERMISSIONS.
274
+ */
275
+ canCreate(userAddress?: string): boolean;
276
+ canRead(documentId: CanonicalDocumentId, userAddress?: string): Promise<boolean>;
277
+ canWrite(documentId: CanonicalDocumentId, userAddress?: string): Promise<boolean>;
278
+ /**
279
+ * Whether the user administers the document: supreme admin, document
280
+ * owner, or holder of an ADMIN grant.
281
+ */
282
+ canManage(documentId: CanonicalDocumentId, userAddress?: string): Promise<boolean>;
283
+ canMutate(documentId: CanonicalDocumentId, operationType: string, userAddress?: string): Promise<boolean>;
382
284
  }
383
285
  //#endregion
384
286
  //#region src/graphql/types.d.ts
@@ -473,6 +375,7 @@ type GqlDriveDocument = GqlDocument & {
473
375
  //#endregion
474
376
  //#region src/graphql/base-subgraph.d.ts
475
377
  declare class BaseSubgraph implements ISubgraph$1 {
378
+ #private;
476
379
  name: string;
477
380
  path: string;
478
381
  resolvers: Record<string, any>;
@@ -485,12 +388,44 @@ declare class BaseSubgraph implements ISubgraph$1 {
485
388
  authorizationService: IAuthorizationService;
486
389
  constructor(args: SubgraphArgs$1);
487
390
  onSetup(): Promise<void>;
488
- protected getParentIdsFn(): GetParentIdsFn;
489
- protected canReadDocument(documentId: string, ctx: Context): Promise<boolean>;
490
- protected assertCanRead(documentId: string, ctx: Context): Promise<void>;
491
- protected assertCanWrite(documentId: string, ctx: Context): Promise<void>;
492
- protected assertCanExecuteOperation(documentId: string, operationType: string, ctx: Context): Promise<void>;
493
- protected assertCanCreate(ctx: Context): void;
391
+ /**
392
+ * Resolves a caller-supplied identifier (id or slug) to its canonical
393
+ * document id, memoized per request. Both the decision layer and the data
394
+ * layer must agree on the subject, so this runs the same resolveIdOrSlug
395
+ * lookup the data path uses. A resolution failure (not found, ambiguous, or
396
+ * transient) surfaces as a generic Forbidden, fail-closed, so a bad
397
+ * identifier cannot be used as a document-existence oracle.
398
+ */
399
+ resolveCanonicalDocumentId(identifier: string, requestKey: object): Promise<CanonicalDocumentId>;
400
+ /**
401
+ * Resolves the args' `documentId` to canonical form. Unconditional (unlike the
402
+ * assertCan* helpers, no admin skip): ACL rows are keyed on the canonical id.
403
+ */
404
+ withCanonicalDocumentId<T extends {
405
+ documentId: string;
406
+ }>(args: T, requestKey: object): Promise<T & {
407
+ documentId: CanonicalDocumentId;
408
+ }>;
409
+ /**
410
+ * Read filter for an already-canonical document id (one sourced from the data
411
+ * layer, such as a fetched document's id). Performs no slug resolution.
412
+ */
413
+ canReadDocument(documentId: CanonicalDocumentId, ctx: Context): Promise<boolean>;
414
+ /**
415
+ * Asserts read access, resolving a slug first. Returns a handle whose
416
+ * `fetchIdentifier` the caller reuses for the data fetch; a denial throws.
417
+ */
418
+ assertCanRead(identifier: string, ctx: Context): Promise<AuthorizedDocumentHandle>;
419
+ assertCanWrite(identifier: string, ctx: Context): Promise<AuthorizedDocumentHandle>;
420
+ assertCanExecuteOperation(identifier: string, operationType: string, ctx: Context): Promise<AuthorizedDocumentHandle>;
421
+ /**
422
+ * Read assertion for an already-canonical document id. No slug resolution;
423
+ * use only with ids sourced from the data layer or already resolved.
424
+ */
425
+ assertCanReadCanonical(documentId: CanonicalDocumentId, ctx: Context): Promise<void>;
426
+ assertCanWriteCanonical(documentId: CanonicalDocumentId, ctx: Context): Promise<void>;
427
+ assertCanExecuteOperationCanonical(documentId: CanonicalDocumentId, operationType: string, ctx: Context): Promise<void>;
428
+ assertCanCreate(ctx: Context): void;
494
429
  }
495
430
  //#endregion
496
431
  //#region src/graphql/analytics-subgraph.d.ts
@@ -514,29 +449,6 @@ type DocumentAccessInfo = {
514
449
  createdAt: Date;
515
450
  updatedAt: Date;
516
451
  }>;
517
- groupPermissions: Array<{
518
- documentId: string;
519
- groupId: number;
520
- permission: DocumentPermissionLevel;
521
- grantedBy: string;
522
- createdAt: Date;
523
- updatedAt: Date;
524
- }>;
525
- };
526
- type Group$1 = {
527
- id: number;
528
- name: string;
529
- description: string | null;
530
- createdAt: Date;
531
- updatedAt: Date;
532
- };
533
- type DocumentGroupPermission = {
534
- documentId: string;
535
- groupId: number;
536
- permission: DocumentPermissionLevel;
537
- grantedBy: string;
538
- createdAt: Date;
539
- updatedAt: Date;
540
452
  };
541
453
  type OperationUserPermission = {
542
454
  documentId: string;
@@ -545,18 +457,10 @@ type OperationUserPermission = {
545
457
  grantedBy: string;
546
458
  createdAt: Date;
547
459
  };
548
- type OperationGroupPermission = {
549
- documentId: string;
550
- operationType: string;
551
- groupId: number;
552
- grantedBy: string;
553
- createdAt: Date;
554
- };
555
460
  type OperationPermissionsInfo = {
556
461
  documentId: string;
557
462
  operationType: string;
558
463
  userPermissions: OperationUserPermission[];
559
- groupPermissions: OperationGroupPermission[];
560
464
  };
561
465
  type DocumentProtectionInfo = {
562
466
  documentId: string;
@@ -571,8 +475,7 @@ type DocumentProtectionInfo = {
571
475
  * This subgraph is conditionally registered based on the DOCUMENT_PERMISSIONS_ENABLED
572
476
  * feature flag. When enabled, it provides GraphQL operations for:
573
477
  * - Document permissions (grant/revoke user access)
574
- * - Group management (create/delete groups, manage membership)
575
- * - Group document permissions (grant/revoke group access)
478
+ * - Document protection and ownership
576
479
  * - Operation-level permissions (fine-grained operation control)
577
480
  */
578
481
  declare class AuthSubgraph extends BaseSubgraph {
@@ -585,6 +488,10 @@ declare class AuthSubgraph extends BaseSubgraph {
585
488
  Query: {
586
489
  documentAccess: (_parent: unknown, args: {
587
490
  documentId: string;
491
+ }, ctx: {
492
+ user?: {
493
+ address: string;
494
+ };
588
495
  }) => Promise<DocumentAccessInfo>;
589
496
  userDocumentPermissions: (_parent: unknown, _args: unknown, ctx: {
590
497
  user?: {
@@ -598,16 +505,13 @@ declare class AuthSubgraph extends BaseSubgraph {
598
505
  createdAt: Date;
599
506
  updatedAt: Date;
600
507
  }[]>;
601
- groups: () => Promise<Group$1[]>;
602
- group: (_parent: unknown, args: {
603
- id: number;
604
- }) => Promise<Group$1 | null>;
605
- userGroups: (_parent: unknown, args: {
606
- userAddress: string;
607
- }) => Promise<Group$1[]>;
608
508
  operationPermissions: (_parent: unknown, args: {
609
509
  documentId: string;
610
510
  operationType: string;
511
+ }, ctx: {
512
+ user?: {
513
+ address: string;
514
+ };
611
515
  }) => Promise<OperationPermissionsInfo>;
612
516
  canExecuteOperation: (_parent: unknown, args: {
613
517
  documentId: string;
@@ -666,38 +570,6 @@ declare class AuthSubgraph extends BaseSubgraph {
666
570
  address: string;
667
571
  };
668
572
  }) => Promise<boolean>;
669
- createGroup: (_parent: unknown, args: {
670
- name: string;
671
- description?: string | null;
672
- }) => Promise<Group$1>;
673
- deleteGroup: (_parent: unknown, args: {
674
- id: number;
675
- }) => Promise<boolean>;
676
- addUserToGroup: (_parent: unknown, args: {
677
- userAddress: string;
678
- groupId: number;
679
- }) => Promise<boolean>;
680
- removeUserFromGroup: (_parent: unknown, args: {
681
- userAddress: string;
682
- groupId: number;
683
- }) => Promise<boolean>;
684
- grantGroupPermission: (_parent: unknown, args: {
685
- documentId: string;
686
- groupId: number;
687
- permission: string;
688
- }, ctx: {
689
- user?: {
690
- address: string;
691
- };
692
- }) => Promise<DocumentGroupPermission>;
693
- revokeGroupPermission: (_parent: unknown, args: {
694
- documentId: string;
695
- groupId: number;
696
- }, ctx: {
697
- user?: {
698
- address: string;
699
- };
700
- }) => Promise<boolean>;
701
573
  grantOperationPermission: (_parent: unknown, args: {
702
574
  documentId: string;
703
575
  operationType: string;
@@ -716,39 +588,6 @@ declare class AuthSubgraph extends BaseSubgraph {
716
588
  address: string;
717
589
  };
718
590
  }) => Promise<boolean>;
719
- grantGroupOperationPermission: (_parent: unknown, args: {
720
- documentId: string;
721
- operationType: string;
722
- groupId: number;
723
- }, ctx: {
724
- user?: {
725
- address: string;
726
- };
727
- }) => Promise<OperationGroupPermission>;
728
- revokeGroupOperationPermission: (_parent: unknown, args: {
729
- documentId: string;
730
- operationType: string;
731
- groupId: number;
732
- }, ctx: {
733
- user?: {
734
- address: string;
735
- };
736
- }) => Promise<boolean>;
737
- };
738
- Group: {
739
- members: (parent: {
740
- id: number;
741
- }) => Promise<string[]>;
742
- };
743
- DocumentGroupPermission: {
744
- group: (parent: {
745
- groupId: number;
746
- }) => Promise<Group$1>;
747
- };
748
- OperationGroupPermission: {
749
- group: (parent: {
750
- groupId: number;
751
- }) => Promise<Group$1>;
752
591
  };
753
592
  };
754
593
  onSetup(): Promise<void>;
@@ -759,6 +598,7 @@ interface AuthConfig {
759
598
  enabled: boolean;
760
599
  admins: string[];
761
600
  skipCredentialVerification?: boolean;
601
+ credentialVerificationCacheTtlMs?: number;
762
602
  }
763
603
  interface User {
764
604
  address: string;
@@ -772,6 +612,7 @@ interface AuthContext {
772
612
  }
773
613
  declare class AuthService {
774
614
  private readonly config;
615
+ private readonly credentialCache;
775
616
  constructor(config: AuthConfig);
776
617
  authenticateRequest(request: globalThis.Request): Promise<AuthContext | globalThis.Response>;
777
618
  /**
@@ -789,9 +630,28 @@ declare class AuthService {
789
630
  */
790
631
  private extractUserFromVerification;
791
632
  /**
792
- * Verify that the credential still exists on the Renown API
633
+ * Verify that the credential still exists on the Renown API.
634
+ *
635
+ * Results are cached per (address, chainId, issuer) for a short TTL so the
636
+ * blocking external round-trip is not paid on every request. Concurrent
637
+ * checks for the same key share a single in-flight request, and entries
638
+ * that resolve to false are evicted immediately so failed or revoked
639
+ * credentials are re-checked on the next request.
793
640
  */
794
641
  private verifyCredentialExists;
642
+ /**
643
+ * Enforce the cache size cap before inserting a new entry: drop expired
644
+ * entries first, then evict oldest-inserted entries (insertion order
645
+ * matches expiry order since the TTL is constant) until under the cap, so
646
+ * a flood of distinct keys cannot grow the map without bound.
647
+ */
648
+ private pruneCredentialCache;
649
+ /**
650
+ * Fetch the credential from the Renown API and validate it against the
651
+ * expected address, chainId and issuer. Never throws; returns false on any
652
+ * network or validation failure.
653
+ */
654
+ private fetchCredentialExists;
795
655
  }
796
656
  //#endregion
797
657
  //#region src/graphql/gateway/types.d.ts
@@ -944,7 +804,7 @@ declare class GraphQLManager {
944
804
  private readonly logger;
945
805
  private readonly httpAdapter;
946
806
  private readonly gatewayAdapter;
947
- private readonly authConfig?;
807
+ private readonly authService?;
948
808
  private readonly documentPermissionService?;
949
809
  private readonly featureFlags;
950
810
  private readonly port;
@@ -952,7 +812,6 @@ declare class GraphQLManager {
952
812
  private coreSubgraphsMap;
953
813
  private contextFields;
954
814
  private readonly subgraphs;
955
- private authService;
956
815
  private readonly subgraphWsDisposers;
957
816
  readonly driveOwnershipCache: DriveOwnershipCache;
958
817
  /** Cached document models for schema generation - updated on init and regenerate */
@@ -965,7 +824,7 @@ declare class GraphQLManager {
965
824
  */
966
825
  readonly reactorDriveClient?: IDriveClient;
967
826
  private readonly authorizationService;
968
- constructor(path: string, httpServer: http.Server, wsServer: WebSocketServer, reactorClient: IReactorClient, relationalDb: IRelationalDb, analyticsStore: IAnalyticsStore, syncManager: ISyncManager, logger: ILogger, httpAdapter: IHttpAdapter, gatewayAdapter: IGatewayAdapter<Context$1>, authConfig?: AuthConfig | undefined, documentPermissionService?: DocumentPermissionService | undefined, featureFlags?: GraphqlManagerFeatureFlags, port?: number, authorizationService?: IAuthorizationService, reactorDriveClient?: IDriveClient);
827
+ constructor(path: string, httpServer: http.Server, wsServer: WebSocketServer, reactorClient: IReactorClient, relationalDb: IRelationalDb, analyticsStore: IAnalyticsStore, syncManager: ISyncManager, logger: ILogger, httpAdapter: IHttpAdapter, gatewayAdapter: IGatewayAdapter<Context$1>, authService?: AuthService | undefined, documentPermissionService?: DocumentPermissionService | undefined, featureFlags?: GraphqlManagerFeatureFlags, port?: number, authorizationService?: IAuthorizationService, reactorDriveClient?: IDriveClient);
969
828
  init(coreSubgraphs: SubgraphClass$1[], authMiddleware?: AuthFetchMiddleware): Promise<void>;
970
829
  /**
971
830
  * Regenerate document model subgraphs when models are dynamically loaded.
@@ -2946,6 +2805,12 @@ type ProcessorInitializer = ProcessorFactoryBuilder;
2946
2805
  * authorization check fails closed. Refuse to boot rather than run broken.
2947
2806
  */
2948
2807
  declare function assertAuthRequiredForDocumentPermissions(authEnabled: boolean, documentPermissionsRequested: boolean): void;
2808
+ /**
2809
+ * Refuses SKIP_CREDENTIAL_VERIFICATION at boot outside tests or an explicit
2810
+ * opt-in: it removes the only binding between a token's claimed address and its
2811
+ * signing key. Fail-closed — unset NODE_ENV counts as production.
2812
+ */
2813
+ declare function assertSkipCredentialVerificationAllowed(authEnabled: boolean, skipCredentialVerification: boolean, env: NodeJS.ProcessEnv): void;
2949
2814
  /**
2950
2815
  * Initializes and starts the API server using an initializer function.
2951
2816
  * This function first loads packages to get document models, then calls the initializer function
@@ -3005,5 +2870,5 @@ interface DocumentModelSchemaOptions {
3005
2870
  */
3006
2871
  declare function generateDocumentModelSchema(documentModel: DocumentModelGlobalState$1, options?: DocumentModelSchemaOptions): DocumentNode;
3007
2872
  //#endregion
3008
- export { ADMIN_USERS, API, Action, ActionContext, ActionContextInput, ActionContextInputSchema, ActionContextResolvers, ActionInput, ActionInputSchema, ActionResolvers, AddRelationshipDocument, AddRelationshipMutation, AddRelationshipMutationVariables, AnalyticsSubgraph, AuthConfig, AuthContext, AuthFetchMiddleware, AuthService, AuthSubgraph, BaseSubgraph, ChannelMeta, ChannelMetaInput, ChannelMetaInputSchema, ChannelMetaResolvers, ClientInitializerResult, Context, CreateDocumentDocument, CreateDocumentMutation, CreateDocumentMutationVariables, CreateEmptyDocumentDocument, CreateEmptyDocumentMutation, CreateEmptyDocumentMutationVariables, DateTimeScalarConfig, DbClient, DeadLetterInfo, DeadLetterInfoResolvers, DeleteDocumentDocument, DeleteDocumentMutation, DeleteDocumentMutationVariables, DeleteDocumentsDocument, DeleteDocumentsMutation, DeleteDocumentsMutationVariables, DirectiveResolverFn, DocumentChangeContext, DocumentChangeContextResolvers, DocumentChangeEvent, DocumentChangeEventResolvers, DocumentChangeType, DocumentChangeTypeSchema, DocumentChangesDocument, DocumentChangesSubscription, DocumentChangesSubscriptionVariables, DocumentGroupPermissionEntry, DocumentGroupPermissionTable, DocumentModelGlobalState, DocumentModelGlobalStateResolvers, DocumentModelResultPage, DocumentModelResultPageResolvers, DocumentModelSchemaOptions, DocumentOperationsFilterInput, DocumentOperationsFilterInputSchema, DocumentPermissionConfig, DocumentPermissionDatabase, DocumentPermissionEntry, DocumentPermissionLevel, DocumentPermissionService, DocumentPermissionTable, DocumentProtectionTable, DocumentWithChildren, DocumentWithChildrenResolvers, Exact, FetchHandler, FindDocumentsDocument, FindDocumentsQuery, FindDocumentsQueryVariables, GatewayAdapterType, GatewayContextFactory, GetDocumentDocument, GetDocumentIncomingRelationshipsDocument, GetDocumentIncomingRelationshipsQuery, GetDocumentIncomingRelationshipsQueryVariables, GetDocumentModelsDocument, GetDocumentModelsQuery, GetDocumentModelsQueryVariables, GetDocumentOperationsDocument, GetDocumentOperationsQuery, GetDocumentOperationsQueryVariables, GetDocumentOutgoingRelationshipsDocument, GetDocumentOutgoingRelationshipsQuery, GetDocumentOutgoingRelationshipsQueryVariables, GetDocumentQuery, GetDocumentQueryVariables, GetDocumentWithOperationsDocument, GetDocumentWithOperationsQuery, GetDocumentWithOperationsQueryVariables, GetJobStatusDocument, GetJobStatusQuery, GetJobStatusQueryVariables, GetParentIdsFn, GqlDocument, GqlDriveDocument, GqlOperation, GqlOperationContext, GqlSigner, GqlSignerApp, GqlSignerUser, GraphQLManager, GraphqlManagerFeatureFlags, Group, GroupTable, HttpAdapterSetup, HttpAdapterType, HttpDocumentModelLoader, HttpPackageLoader, HttpPackageLoaderLogger, HttpPackageLoaderOptions, IGatewayAdapter, IHttpAdapter, type IPackageLoader, type IPackageLoaderOptions, IPackageStorage, IReactorProcessorHostModule, ISubgraph, ImportPackageLoader, InMemoryPackageStorage, Incremental, InputMaybe, InstallPackageResult, InstalledPackageInfo, IsTypeOfResolverFn, JobChangeEvent, JobChangeEventResolvers, JobChangesDocument, JobChangesSubscription, JobChangesSubscriptionVariables, JobInfo, JobInfoResolvers, JsonObjectScalarConfig, MakeEmpty, MakeMaybe, MakeOptional, Maybe, MoveRelationshipDocument, MoveRelationshipMutation, MoveRelationshipMutationVariables, MoveRelationshipResult, MoveRelationshipResultResolvers, MutateDocumentAsyncDocument, MutateDocumentAsyncMutation, MutateDocumentAsyncMutationVariables, MutateDocumentDocument, MutateDocumentMutation, MutateDocumentMutationVariables, Mutation, MutationAddRelationshipArgs, MutationCreateDocumentArgs, MutationCreateEmptyDocumentArgs, MutationDeleteDocumentArgs, MutationDeleteDocumentsArgs, MutationMoveRelationshipArgs, MutationMutateDocumentArgs, MutationMutateDocumentAsyncArgs, MutationPushSyncEnvelopesArgs, MutationRemoveRelationshipArgs, MutationRenameDocumentArgs, MutationResolvers, MutationSetPreferredEditorArgs, MutationTouchChannelArgs, NextResolverFn, OperationContext, OperationContextInput, OperationContextInputSchema, OperationContextResolvers, OperationGroupPermissionEntry, OperationGroupPermissionTable, OperationInput, OperationInputSchema, OperationUserPermissionEntry, OperationUserPermissionTable, OperationWithContext, OperationWithContextInput, OperationWithContextInputSchema, OperationWithContextResolvers, OperationsFilterInput, OperationsFilterInputSchema, PackageManagementService, PackageManagementServiceOptions, PackageManager, PackagesSubgraph, type PackagesSubgraphArgs, PagingInput, PagingInputSchema, type ParsedDriveUrl, PgliteFactory, PhDocument, PhDocumentFieldsFragment, PhDocumentFieldsFragmentDoc, PhDocumentOperationsArgs, PhDocumentResolvers, PhDocumentResultPage, PhDocumentResultPageResolvers, PollSyncEnvelopesDocument, PollSyncEnvelopesQuery, PollSyncEnvelopesQueryVariables, PollSyncEnvelopesResult, PollSyncEnvelopesResultResolvers, Processor, ProcessorDriveFactory, ProcessorFactoryBuilder, PropagationMode, PropagationModeSchema, PushSyncEnvelopesDocument, PushSyncEnvelopesMutation, PushSyncEnvelopesMutationVariables, Query, QueryDocumentArgs, QueryDocumentIncomingRelationshipsArgs, QueryDocumentModelsArgs, QueryDocumentOperationsArgs, QueryDocumentOutgoingRelationshipsArgs, QueryFindDocumentsArgs, QueryJobStatusArgs, QueryPollSyncEnvelopesArgs, QueryResolvers, ReactorModule, ReactorOperation, ReactorOperationResolvers, ReactorOperationResultPage, ReactorOperationResultPageResolvers, ReactorSigner, ReactorSignerApp, ReactorSignerAppInput, ReactorSignerAppInputSchema, ReactorSignerAppResolvers, ReactorSignerInput, ReactorSignerInputSchema, ReactorSignerResolvers, ReactorSignerUser, ReactorSignerUserInput, ReactorSignerUserInputSchema, ReactorSignerUserResolvers, ReactorSubgraph, ReadinessGate, RemoteCursor, RemoteCursorInput, RemoteCursorInputSchema, RemoteCursorResolvers, RemoteFilterInput, RemoteFilterInputSchema, RemoveRelationshipDocument, RemoveRelationshipMutation, RemoveRelationshipMutationVariables, RenameDocumentDocument, RenameDocumentMutation, RenameDocumentMutationVariables, Requester, RequireFields, Resolver, ResolverFn, ResolverTypeWrapper, ResolverWithResolve, Resolvers, ResolversObject, ResolversParentTypes, ResolversTypes, Revision, RevisionResolvers, Scalars, Sdk, SearchFilterInput, SearchFilterInputSchema, SetPreferredEditorDocument, SetPreferredEditorMutation, SetPreferredEditorMutationVariables, SubgraphArgs, SubgraphClass, SubgraphDefinition, Subscription, SubscriptionDocumentChangesArgs, SubscriptionJobChangesArgs, SubscriptionObject, SubscriptionResolveFn, SubscriptionResolver, SubscriptionResolverObject, SubscriptionResolvers, SubscriptionSubscribeFn, SubscriptionSubscriberObject, SyncEnvelope, SyncEnvelopeInput, SyncEnvelopeInputSchema, SyncEnvelopeResolvers, SyncEnvelopeType, SyncEnvelopeTypeSchema, SystemSubgraph, TlsOptions, TouchChannelDocument, TouchChannelInput, TouchChannelInputSchema, TouchChannelMutation, TouchChannelMutationVariables, TouchChannelResult, TouchChannelResultResolvers, TypeResolveFn, User, UserGroupTable, ViewFilterInput, ViewFilterInputSchema, WithIndex, WsContextFactory, WsDisposer, assertAuthRequiredForDocumentPermissions, buildGraphQlDocument, buildGraphQlDriveDocument, buildGraphqlOperation, buildGraphqlOperations, buildSubgraphSchemaModule, createAuthFetchMiddleware, createGatewayAdapter, createHttpAdapter, createMergedSchema, createReactorGraphQLClient, createSchema, definedNonNullAnySchema, driveIdFromUrl, extractSubgraphsFromModule, generateDocumentModelSchema, getAuthContext, getDbClient, getDocumentModelSchemaName, getDocumentModelTypeDefs, getGitHash, getGitUrl, getSdk, getUniqueDocumentModels, getVersion, initAnalyticsStoreSql, initializeAndStartAPI, isDefinedNonNullAny, isExpectedLoaderMiss, isSubgraphClass, parseDriveUrl, renderGraphqlPlayground };
2873
+ export { ADMIN_USERS, API, Action, ActionContext, ActionContextInput, ActionContextInputSchema, ActionContextResolvers, ActionInput, ActionInputSchema, ActionResolvers, AddRelationshipDocument, AddRelationshipMutation, AddRelationshipMutationVariables, AnalyticsSubgraph, AuthConfig, AuthContext, AuthFetchMiddleware, AuthService, AuthSubgraph, type AuthorizationConfig, AuthorizationPolicy, AuthorizedDocumentHandle, BaseSubgraph, type CanonicalDocumentId, ChannelMeta, ChannelMetaInput, ChannelMetaInputSchema, ChannelMetaResolvers, ClientInitializerResult, Context, CreateDocumentDocument, CreateDocumentMutation, CreateDocumentMutationVariables, CreateEmptyDocumentDocument, CreateEmptyDocumentMutation, CreateEmptyDocumentMutationVariables, DateTimeScalarConfig, DbClient, DeadLetterInfo, DeadLetterInfoResolvers, DeleteDocumentDocument, DeleteDocumentMutation, DeleteDocumentMutationVariables, DeleteDocumentsDocument, DeleteDocumentsMutation, DeleteDocumentsMutationVariables, DirectiveResolverFn, DocumentChangeContext, DocumentChangeContextResolvers, DocumentChangeEvent, DocumentChangeEventResolvers, DocumentChangeType, DocumentChangeTypeSchema, DocumentChangesDocument, DocumentChangesSubscription, DocumentChangesSubscriptionVariables, DocumentModelGlobalState, DocumentModelGlobalStateResolvers, DocumentModelResultPage, DocumentModelResultPageResolvers, DocumentModelSchemaOptions, DocumentOperationsFilterInput, DocumentOperationsFilterInputSchema, DocumentPermissionConfig, DocumentPermissionDatabase, DocumentPermissionEntry, DocumentPermissionLevel, DocumentPermissionService, DocumentPermissionTable, DocumentProtectionTable, DocumentWithChildren, DocumentWithChildrenResolvers, Exact, FetchHandler, FindDocumentsDocument, FindDocumentsQuery, FindDocumentsQueryVariables, GatewayAdapterType, GatewayContextFactory, GetDocumentDocument, GetDocumentIncomingRelationshipsDocument, GetDocumentIncomingRelationshipsQuery, GetDocumentIncomingRelationshipsQueryVariables, GetDocumentModelsDocument, GetDocumentModelsQuery, GetDocumentModelsQueryVariables, GetDocumentOperationsDocument, GetDocumentOperationsQuery, GetDocumentOperationsQueryVariables, GetDocumentOutgoingRelationshipsDocument, GetDocumentOutgoingRelationshipsQuery, GetDocumentOutgoingRelationshipsQueryVariables, GetDocumentQuery, GetDocumentQueryVariables, GetDocumentWithOperationsDocument, GetDocumentWithOperationsQuery, GetDocumentWithOperationsQueryVariables, GetJobStatusDocument, GetJobStatusQuery, GetJobStatusQueryVariables, GetParentIdsFn, GqlDocument, GqlDriveDocument, GqlOperation, GqlOperationContext, GqlSigner, GqlSignerApp, GqlSignerUser, GraphQLManager, GraphqlManagerFeatureFlags, HttpAdapterSetup, HttpAdapterType, HttpDocumentModelLoader, HttpPackageLoader, HttpPackageLoaderLogger, HttpPackageLoaderOptions, type IAuthorizationService, IGatewayAdapter, IHttpAdapter, type IPackageLoader, type IPackageLoaderOptions, IPackageStorage, IReactorProcessorHostModule, ISubgraph, ImportPackageLoader, InMemoryPackageStorage, Incremental, InputMaybe, InstallPackageResult, InstalledPackageInfo, IsTypeOfResolverFn, JobChangeEvent, JobChangeEventResolvers, JobChangesDocument, JobChangesSubscription, JobChangesSubscriptionVariables, JobInfo, JobInfoResolvers, JsonObjectScalarConfig, MakeEmpty, MakeMaybe, MakeOptional, Maybe, MoveRelationshipDocument, MoveRelationshipMutation, MoveRelationshipMutationVariables, MoveRelationshipResult, MoveRelationshipResultResolvers, MutateDocumentAsyncDocument, MutateDocumentAsyncMutation, MutateDocumentAsyncMutationVariables, MutateDocumentDocument, MutateDocumentMutation, MutateDocumentMutationVariables, Mutation, MutationAddRelationshipArgs, MutationCreateDocumentArgs, MutationCreateEmptyDocumentArgs, MutationDeleteDocumentArgs, MutationDeleteDocumentsArgs, MutationMoveRelationshipArgs, MutationMutateDocumentArgs, MutationMutateDocumentAsyncArgs, MutationPushSyncEnvelopesArgs, MutationRemoveRelationshipArgs, MutationRenameDocumentArgs, MutationResolvers, MutationSetPreferredEditorArgs, MutationTouchChannelArgs, NextResolverFn, OperationContext, OperationContextInput, OperationContextInputSchema, OperationContextResolvers, OperationInput, OperationInputSchema, OperationUserPermissionEntry, OperationUserPermissionTable, OperationWithContext, OperationWithContextInput, OperationWithContextInputSchema, OperationWithContextResolvers, OperationsFilterInput, OperationsFilterInputSchema, PackageManagementService, PackageManagementServiceOptions, PackageManager, PackagesSubgraph, type PackagesSubgraphArgs, PagingInput, PagingInputSchema, type ParsedDriveUrl, PgliteFactory, PhDocument, PhDocumentFieldsFragment, PhDocumentFieldsFragmentDoc, PhDocumentOperationsArgs, PhDocumentResolvers, PhDocumentResultPage, PhDocumentResultPageResolvers, PollSyncEnvelopesDocument, PollSyncEnvelopesQuery, PollSyncEnvelopesQueryVariables, PollSyncEnvelopesResult, PollSyncEnvelopesResultResolvers, Processor, ProcessorDriveFactory, ProcessorFactoryBuilder, PropagationMode, PropagationModeSchema, PushSyncEnvelopesDocument, PushSyncEnvelopesMutation, PushSyncEnvelopesMutationVariables, Query, QueryDocumentArgs, QueryDocumentIncomingRelationshipsArgs, QueryDocumentModelsArgs, QueryDocumentOperationsArgs, QueryDocumentOutgoingRelationshipsArgs, QueryFindDocumentsArgs, QueryJobStatusArgs, QueryPollSyncEnvelopesArgs, QueryResolvers, ReactorModule, ReactorOperation, ReactorOperationResolvers, ReactorOperationResultPage, ReactorOperationResultPageResolvers, ReactorSigner, ReactorSignerApp, ReactorSignerAppInput, ReactorSignerAppInputSchema, ReactorSignerAppResolvers, ReactorSignerInput, ReactorSignerInputSchema, ReactorSignerResolvers, ReactorSignerUser, ReactorSignerUserInput, ReactorSignerUserInputSchema, ReactorSignerUserResolvers, ReactorSubgraph, ReadinessGate, RemoteCursor, RemoteCursorInput, RemoteCursorInputSchema, RemoteCursorResolvers, RemoteFilterInput, RemoteFilterInputSchema, RemoveRelationshipDocument, RemoveRelationshipMutation, RemoveRelationshipMutationVariables, RenameDocumentDocument, RenameDocumentMutation, RenameDocumentMutationVariables, Requester, RequireFields, Resolver, ResolverFn, ResolverTypeWrapper, ResolverWithResolve, Resolvers, ResolversObject, ResolversParentTypes, ResolversTypes, Revision, RevisionResolvers, Scalars, Sdk, SearchFilterInput, SearchFilterInputSchema, SetPreferredEditorDocument, SetPreferredEditorMutation, SetPreferredEditorMutationVariables, SubgraphArgs, SubgraphClass, SubgraphDefinition, Subscription, SubscriptionDocumentChangesArgs, SubscriptionJobChangesArgs, SubscriptionObject, SubscriptionResolveFn, SubscriptionResolver, SubscriptionResolverObject, SubscriptionResolvers, SubscriptionSubscribeFn, SubscriptionSubscriberObject, SyncEnvelope, SyncEnvelopeInput, SyncEnvelopeInputSchema, SyncEnvelopeResolvers, SyncEnvelopeType, SyncEnvelopeTypeSchema, SystemSubgraph, TlsOptions, TouchChannelDocument, TouchChannelInput, TouchChannelInputSchema, TouchChannelMutation, TouchChannelMutationVariables, TouchChannelResult, TouchChannelResultResolvers, TypeResolveFn, User, ViewFilterInput, ViewFilterInputSchema, WithIndex, WsContextFactory, WsDisposer, assertAuthRequiredForDocumentPermissions, assertSkipCredentialVerificationAllowed, buildGraphQlDocument, buildGraphQlDriveDocument, buildGraphqlOperation, buildGraphqlOperations, buildSubgraphSchemaModule, createAuthFetchMiddleware, createGatewayAdapter, createHttpAdapter, createMergedSchema, createReactorGraphQLClient, createSchema, definedNonNullAnySchema, driveIdFromUrl, extractSubgraphsFromModule, generateDocumentModelSchema, getAuthContext, getDbClient, getDocumentModelSchemaName, getDocumentModelTypeDefs, getGitHash, getGitUrl, getSdk, getUniqueDocumentModels, getVersion, initAnalyticsStoreSql, initializeAndStartAPI, isDefinedNonNullAny, isExpectedLoaderMiss, isSubgraphClass, parseDriveUrl, renderGraphqlPlayground };
3009
2874
  //# sourceMappingURL=index.d.mts.map