@storacha/clawracha 0.2.3 → 0.3.1

package/dist/commands.d.ts

@@ -37,6 +37,7 @@ export interface JoinResult {
     pullCount: number;
 }
 export declare function doInit(workspace: string): Promise<InitResult>;
-export declare function doSetup(workspace: string, agentId: string, delegationArg: string, pluginConfig: Partial<SyncPluginConfig>, gatewayConfig?: NonNullable<OpenClawConfig["gateway"]>): Promise<SetupResult>;
-export declare function doJoin(workspace: string, agentId: string, uploadDelegationArg: string, nameDelegationArg: string, pluginConfig: Partial<SyncPluginConfig>, gatewayConfig?: NonNullable<OpenClawConfig["gateway"]>): Promise<JoinResult>;
+export declare function doSetup(workspace: string, agentId: string, email: string, spaceName: string, pluginConfig: Partial<SyncPluginConfig>, gatewayConfig?: NonNullable<OpenClawConfig["gateway"]>): Promise<SetupResult>;
+export declare function doJoin(workspace: string, agentId: string, bundleArg: string, pluginConfig: Partial<SyncPluginConfig>, gatewayConfig?: NonNullable<OpenClawConfig["gateway"]>): Promise<JoinResult>;
+export declare function doGrant(workspace: string, targetDID: `did:${string}:${string}`): Promise<Uint8Array>;
 //# sourceMappingURL=commands.d.ts.map

package/dist/commands.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"commands.d.ts","sourceRoot":"","sources":["../src/commands.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,KAAK,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACvE,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAS3C,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,UAAU,CAAC;IACnB,OAAO,EAAE,WAAW,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;CACjB;AAID,wBAAsB,gBAAgB,CACpC,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAS9B;AAED,wBAAsB,gBAAgB,CACpC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,YAAY,GACnB,OAAO,CAAC,IAAI,CAAC,CAKf;AAED,wBAAsB,sBAAsB,CAC1C,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,aAAa,EAAE,WAAW,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC,GACpD,OAAO,CAAC,IAAI,CAAC,CAqCf;AAID,wBAAsB,kBAAkB,CACtC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,OAAO,CAAC,gBAAgB,CAAC,EACvC,UAAU,EAAE,OAAO,EACnB,MAAM,EAAE;IAAE,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAAC,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;CAAE,GACnE,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAmC/B;AAID,MAAM,WAAW,UAAU;IACzB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,aAAa,EAAE,OAAO,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;CAC9B;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,SAAS,EAAE,MAAM,CAAC;CACnB;AAID,wBAAsB,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAsBnE;AAED,wBAAsB,OAAO,CAC3B,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,aAAa,EAAE,MAAM,EACrB,YAAY,EAAE,OAAO,CAAC,gBAAgB,CAAC,EACvC,aAAa,CAAC,EAAE,WAAW,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC,GACrD,OAAO,CAAC,WAAW,CAAC,CA0CtB;AAED,wBAAsB,MAAM,CAC1B,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,mBAAmB,EAAE,MAAM,EAC3B,iBAAiB,EAAE,MAAM,EACzB,YAAY,EAAE,OAAO,CAAC,gBAAgB,CAAC,EACvC,aAAa,CAAC,EAAE,WAAW,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC,GACrD,OAAO,CAAC,UAAU,CAAC,CA8CrB"}
+{"version":3,"file":"commands.d.ts","sourceRoot":"","sources":["../src/commands.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAC;AAC1D,OAAO,KAAK,EAAE,YAAY,EAAE,gBAAgB,EAAE,MAAM,kBAAkB,CAAC;AACvE,OAAO,EAAE,UAAU,EAAE,MAAM,WAAW,CAAC;AACvC,OAAO,EAAE,WAAW,EAAE,MAAM,cAAc,CAAC;AAiB3C,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,UAAU,CAAC;IACnB,OAAO,EAAE,WAAW,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;CACjB;AAID,wBAAsB,gBAAgB,CACpC,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,YAAY,GAAG,IAAI,CAAC,CAS9B;AAED,wBAAsB,gBAAgB,CACpC,SAAS,EAAE,MAAM,EACjB,MAAM,EAAE,YAAY,GACnB,OAAO,CAAC,IAAI,CAAC,CAKf;AAED,wBAAsB,sBAAsB,CAC1C,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,aAAa,EAAE,WAAW,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC,GACpD,OAAO,CAAC,IAAI,CAAC,CAqCf;AAID,wBAAsB,kBAAkB,CACtC,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,YAAY,EAAE,OAAO,CAAC,gBAAgB,CAAC,EACvC,UAAU,EAAE,OAAO,EACnB,MAAM,EAAE;IAAE,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAAC,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAA;CAAE,GACnE,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAmC/B;AAID,MAAM,WAAW,UAAU;IACzB,kBAAkB,EAAE,OAAO,CAAC;IAC5B,aAAa,EAAE,OAAO,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;CAC9B;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,GAAG,SAAS,CAAC;IAC7B,SAAS,EAAE,MAAM,CAAC;CACnB;AAID,wBAAsB,MAAM,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,UAAU,CAAC,CAsBnE;AAED,wBAAsB,OAAO,CAC3B,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,SAAS,EAAE,MAAM,EACjB,YAAY,EAAE,OAAO,CAAC,gBAAgB,CAAC,EACvC,aAAa,CAAC,EAAE,WAAW,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC,GACrD,OAAO,CAAC,WAAW,CAAC,CAoGtB;AAoBD,wBAAsB,MAAM,CAC1B,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,SAAS,EAAE,MAAM,EACjB,YAAY,EAAE,OAAO,CAAC,gBAAgB,CAAC,EACvC,aAAa,CAAC,EAAE,WAAW,CAAC,cAAc,CAAC,SAAS,CAAC,CAAC,GACrD,OAAO,CAAC,UAAU,CAAC,CA+DrB;AAED,wBAAsB,OAAO,CAC3B,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,OAAO,MAAM,IAAI,MAAM,EAAE,GACnC,OAAO,CAAC,UAAU,CAAC,CAyDrB"}

package/dist/commands.js

@@ -8,8 +8,12 @@ import * as fs from "node:fs/promises";
 import * as path from "node:path";
 import { SyncEngine } from "./sync.js";
 import { FileWatcher } from "./watcher.js";
-import { encodeDelegation, readDelegationArg, } from "./utils/delegation.js";
-import { Agent } from "@storacha/ucn/pail";
+import { encodeDelegation, decodeDelegation, } from "./utils/delegation.js";
+import { createStorachaClient } from "./utils/client.js";
+import { createDelegationBundle, extractDelegationBundle, } from "./utils/bundle.js";
+import { Agent, Name } from "@storacha/ucn/pail";
+import { extract } from "@storacha/client/delegation";
+import { delegate } from "@ucanto/core";
 // --- Config helpers ---
 export async function loadDeviceConfig(workspace) {
     const configPath = path.join(workspace, ".storacha", "config.json");
@@ -114,7 +118,7 @@ export async function doInit(workspace) {
         agentKey,
     };
 }
-export async function doSetup(workspace, agentId, delegationArg, pluginConfig, gatewayConfig) {
+export async function doSetup(workspace, agentId, email, spaceName, pluginConfig, gatewayConfig) {
     const deviceConfig = await loadDeviceConfig(workspace);
     if (!deviceConfig?.agentKey) {
         throw new Error("Not initialized. Run init first.");
@@ -123,13 +127,59 @@ export async function doSetup(workspace, agentId, delegationArg, pluginConfig, g
         const agent = Agent.parse(deviceConfig.agentKey);
         return { agentDID: agent.did(), spaceDID: deviceConfig.spaceDID };
     }
-    const delegation = await readDelegationArg(delegationArg);
-    const spaceDID = delegation.capabilities[0]?.with;
-    const { ok: archiveBytes } = await delegation.archive();
-    if (!archiveBytes)
-        throw new Error("Failed to archive delegation");
-    deviceConfig.uploadDelegation = encodeDelegation(archiveBytes);
-    deviceConfig.spaceDID = spaceDID ?? undefined;
+    const { create: createClient } = await import("@storacha/client");
+    const { spaceAccess } = await import("@storacha/client/capability/access");
+    const tempClient = await createClient();
+    console.log(`\nA confirmation email will be sent to ${email}.`);
+    console.log("Please click the link in the email to continue...");
+    const account = await tempClient.login(email);
+    console.log("✅ Email confirmed!");
+    console.log("Checking payment plan...");
+    await account.plan.wait();
+    console.log("✅ Payment plan active!");
+    const { choose } = await import("./prompts.js");
+    const accessChoice = await choose("\nSpace access type:\n" +
+        "  ⚠️  Public — workspace data is accessible by anyone with the CID\n" +
+        "  🔒 Private — data is encrypted (requires paid plan)", ["Public", "Private (encrypted)"]);
+    const access = accessChoice === "Private (encrypted)"
+        ? {
+            type: "private",
+            encryption: {
+                provider: "google-kms",
+                algorithm: "RSA_DECRYPT_OAEP_3072_SHA256",
+            },
+        }
+        : { type: "public" };
+    console.log(`Creating space "${spaceName}"...`);
+    const space = await tempClient.createSpace(spaceName, { account, access });
+    await tempClient.setCurrentSpace(space.did());
+    // Delegate space access from the new space to our clawracha agent
+    const agent = Agent.parse(deviceConfig.agentKey);
+    const audience = { did: () => agent.did() };
+    const uploadDelegation = await tempClient.createDelegation(audience, Object.keys(spaceAccess), { expiration: Infinity });
+    const { ok: uploadArchive } = await uploadDelegation.archive();
+    if (!uploadArchive)
+        throw new Error("Failed to archive upload delegation");
+    // Delegate plan/get from account → clawracha agent
+    const accountDID = account.did();
+    const planProofs = tempClient.agent.proofs([{
+            can: "plan/get",
+            with: accountDID,
+        }]);
+    const planDelegation = await delegate({
+        issuer: tempClient.agent.issuer,
+        audience: { did: () => agent.did() },
+        capabilities: [{ can: "plan/get", with: accountDID }],
+        proofs: planProofs,
+        expiration: Infinity,
+    });
+    const { ok: planArchive } = await planDelegation.archive();
+    if (!planArchive)
+        throw new Error("Failed to archive plan delegation");
+    deviceConfig.uploadDelegation = encodeDelegation(uploadArchive);
+    deviceConfig.planDelegation = encodeDelegation(planArchive);
+    deviceConfig.spaceDID = space.did();
+    deviceConfig.access = access;
     deviceConfig.setupComplete = true;
     await saveDeviceConfig(workspace, deviceConfig);
     // One-shot sync: scan existing files, upload, stop
@@ -143,29 +193,54 @@ export async function doSetup(workspace, agentId, delegationArg, pluginConfig, g
     if (gatewayConfig) {
         await requestWorkspaceUpdate(workspace, agentId, gatewayConfig);
     }
-    const agent = Agent.parse(deviceConfig.agentKey);
-    return { agentDID: agent.did(), spaceDID: spaceDID ?? undefined };
+    return { agentDID: agent.did(), spaceDID: space.did() };
+}
+// --- Bundle arg helper ---
+/**
+ * Read a delegation bundle from a file path or base64-encoded string.
+ * Returns raw CAR bytes.
+ */
+async function readBundleArg(arg) {
+    // Try as file path first
+    try {
+        const bytes = await fs.readFile(arg);
+        return new Uint8Array(bytes);
+    }
+    catch (err) {
+        if (err.code !== "ENOENT")
+            throw err;
+    }
+    // Try as base64
+    return Uint8Array.from(Buffer.from(arg, "base64"));
 }
-export async function doJoin(workspace, agentId, uploadDelegationArg, nameDelegationArg, pluginConfig, gatewayConfig) {
+export async function doJoin(workspace, agentId, bundleArg, pluginConfig, gatewayConfig) {
     const deviceConfig = await loadDeviceConfig(workspace);
     if (!deviceConfig?.agentKey) {
         throw new Error("Not initialized. Run init first.");
     }
     if (deviceConfig.setupComplete) {
         const agent = Agent.parse(deviceConfig.agentKey);
-        return { agentDID: agent.did(), spaceDID: deviceConfig.spaceDID, pullCount: 0 };
+        return {
+            agentDID: agent.did(),
+            spaceDID: deviceConfig.spaceDID,
+            pullCount: 0,
+        };
     }
-    const uploadDelegation = await readDelegationArg(uploadDelegationArg);
-    const nameDelegation = await readDelegationArg(nameDelegationArg);
+    const bundleBytes = await readBundleArg(bundleArg);
+    const bundle = await extractDelegationBundle(bundleBytes);
+    const { ok: uploadDelegation, error: uploadErr } = await extract(bundle.upload);
+    if (!uploadDelegation)
+        throw new Error(`Failed to extract upload delegation: ${uploadErr}`);
+    const { ok: nameDelegation, error: nameErr } = await extract(bundle.name);
+    if (!nameDelegation)
+        throw new Error(`Failed to extract name delegation: ${nameErr}`);
+    const { ok: planDelegation, error: planErr } = await extract(bundle.plan);
+    if (!planDelegation)
+        throw new Error(`Failed to extract plan delegation: ${planErr}`);
     const spaceDID = uploadDelegation.capabilities[0]?.with;
-    const { ok: uploadArchive } = await uploadDelegation.archive();
-    if (!uploadArchive)
-        throw new Error("Failed to archive upload delegation");
-    const { ok: nameArchiveBytes } = await nameDelegation.archive();
-    if (!nameArchiveBytes)
-        throw new Error("Failed to archive name delegation");
-    deviceConfig.uploadDelegation = encodeDelegation(uploadArchive);
-    deviceConfig.nameDelegation = encodeDelegation(nameArchiveBytes);
+    deviceConfig.uploadDelegation = encodeDelegation(bundle.upload);
+    deviceConfig.nameDelegation = encodeDelegation(bundle.name);
+    deviceConfig.planDelegation = encodeDelegation(bundle.plan);
     deviceConfig.spaceDID = spaceDID ?? undefined;
     deviceConfig.setupComplete = true;
     await saveDeviceConfig(workspace, deviceConfig);
@@ -181,5 +256,65 @@ export async function doJoin(workspace, agentId, uploadDelegationArg, nameDelega
         await requestWorkspaceUpdate(workspace, agentId, gatewayConfig);
     }
     const agent = Agent.parse(deviceConfig.agentKey);
-    return { agentDID: agent.did(), spaceDID: spaceDID ?? undefined, pullCount };
+    return {
+        agentDID: agent.did(),
+        spaceDID: spaceDID ?? undefined,
+        pullCount,
+    };
+}
+export async function doGrant(workspace, targetDID) {
+    const deviceConfig = await loadDeviceConfig(workspace);
+    if (!deviceConfig?.setupComplete) {
+        throw new Error("Workspace not set up. Run setup first.");
+    }
+    // Upload delegation: re-delegate space access
+    const storachaClient = await createStorachaClient(deviceConfig);
+    const { spaceAccess } = await import("@storacha/client/capability/access");
+    const audience = { did: () => targetDID };
+    const uploadDel = await storachaClient.createDelegation(audience, Object.keys(spaceAccess), { expiration: Infinity });
+    const { ok: uploadArchive } = await uploadDel.archive();
+    if (!uploadArchive)
+        throw new Error("Failed to archive upload delegation");
+    // Name delegation: re-delegate via name.grant()
+    const agent = Agent.parse(deviceConfig.agentKey);
+    let name;
+    if (deviceConfig.nameArchive) {
+        const archiveBytes = decodeDelegation(deviceConfig.nameArchive);
+        name = await Name.extract(agent, archiveBytes);
+    }
+    else if (deviceConfig.nameDelegation) {
+        const nameBytes = decodeDelegation(deviceConfig.nameDelegation);
+        const { ok: nameDel } = await extract(nameBytes);
+        if (nameDel)
+            name = Name.from(agent, [nameDel]);
+    }
+    if (!name)
+        throw new Error("No name state available to grant from");
+    const nameDel = await name.grant(targetDID);
+    const { ok: nameArchive } = await nameDel.archive();
+    if (!nameArchive)
+        throw new Error("Failed to archive name delegation");
+    // Plan delegation: re-delegate from stored plan delegation
+    if (!deviceConfig.planDelegation) {
+        throw new Error("No plan delegation to re-delegate");
+    }
+    const planBytes = decodeDelegation(deviceConfig.planDelegation);
+    const { ok: existingPlanDel } = await extract(planBytes);
+    if (!existingPlanDel)
+        throw new Error("Failed to extract plan delegation");
+    const planDel = await delegate({
+        issuer: agent,
+        audience,
+        capabilities: existingPlanDel.capabilities,
+        proofs: [existingPlanDel],
+        expiration: Infinity,
+    });
+    const { ok: planArchive } = await planDel.archive();
+    if (!planArchive)
+        throw new Error("Failed to archive plan delegation");
+    return createDelegationBundle({
+        upload: uploadArchive,
+        name: nameArchive,
+        plan: planArchive,
+    });
 }

package/dist/handlers/process.d.ts

@@ -3,13 +3,17 @@
  *
  * Markdown files (.md) are handled via mdsync — CRDT merge rather than
  * whole-file UnixFS replacement. Regular files go through encodeFiles.
+ *
+ * When encryptionConfig is provided (private spaces), content is encrypted
+ * before upload via encryptToBlockStream.
  */
 import type { BlockFetcher, ValueView } from "@storacha/ucn/pail/api";
 import type { Block } from "multiformats";
 import type { FileChange, PailOp } from "../types/index.js";
+import type { EncryptionConfig } from "@storacha/encrypt-upload-client/types";
 /** Callback to persist a block to the CAR file for upload. */
 export type BlockSink = (block: Block) => Promise<void>;
 /** Callback to persist a block to the local blockstore for future reads. */
 export type BlockStore = (block: Block) => Promise<void>;
-export declare function processChanges(changes: FileChange[], workspace: string, current: ValueView | null, blocks: BlockFetcher, sink: BlockSink, store?: BlockStore): Promise<PailOp[]>;
+export declare function processChanges(changes: FileChange[], workspace: string, current: ValueView | null, blocks: BlockFetcher, sink: BlockSink, store?: BlockStore, encryptionConfig?: EncryptionConfig): Promise<PailOp[]>;
 //# sourceMappingURL=process.d.ts.map

package/dist/handlers/process.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"process.d.ts","sourceRoot":"","sources":["../../src/handlers/process.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,OAAO,KAAK,EACV,YAAY,EAEZ,SAAS,EACV,MAAM,wBAAwB,CAAC;AAChC,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAM5D,8DAA8D;AAC9D,MAAM,MAAM,SAAS,GAAG,CAAC,KAAK,EAAE,KAAK,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;AAExD,4EAA4E;AAC5E,MAAM,MAAM,UAAU,GAAG,CAAC,KAAK,EAAE,KAAK,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;AAIzD,wBAAsB,cAAc,CAClC,OAAO,EAAE,UAAU,EAAE,EACrB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,SAAS,GAAG,IAAI,EACzB,MAAM,EAAE,YAAY,EACpB,IAAI,EAAE,SAAS,EACf,KAAK,CAAC,EAAE,UAAU,GACjB,OAAO,CAAC,MAAM,EAAE,CAAC,CAoFnB"}
+{"version":3,"file":"process.d.ts","sourceRoot":"","sources":["../../src/handlers/process.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAIH,OAAO,KAAK,EACV,YAAY,EAEZ,SAAS,EACV,MAAM,wBAAwB,CAAC;AAChC,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,cAAc,CAAC;AAC1C,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,EAAE,MAAM,mBAAmB,CAAC;AAC5D,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,uCAAuC,CAAC;AAO9E,8DAA8D;AAC9D,MAAM,MAAM,SAAS,GAAG,CAAC,KAAK,EAAE,KAAK,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;AAExD,4EAA4E;AAC5E,MAAM,MAAM,UAAU,GAAG,CAAC,KAAK,EAAE,KAAK,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;AAqBzD,wBAAsB,cAAc,CAClC,OAAO,EAAE,UAAU,EAAE,EACrB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,SAAS,GAAG,IAAI,EACzB,MAAM,EAAE,YAAY,EACpB,IAAI,EAAE,SAAS,EACf,KAAK,CAAC,EAAE,UAAU,EAClB,gBAAgB,CAAC,EAAE,gBAAgB,GAClC,OAAO,CAAC,MAAM,EAAE,CAAC,CA6GnB"}

package/dist/handlers/process.js

@@ -3,37 +3,66 @@
  *
  * Markdown files (.md) are handled via mdsync — CRDT merge rather than
  * whole-file UnixFS replacement. Regular files go through encodeFiles.
+ *
+ * When encryptionConfig is provided (private spaces), content is encrypted
+ * before upload via encryptToBlockStream.
  */
 import { Revision } from "@storacha/ucn/pail";
 import { encodeFiles } from "../utils/encoder.js";
+import { encryptToBlockStream } from "../utils/crypto.js";
 import * as mdsync from "../mdsync/index.js";
 import * as fs from "node:fs/promises";
 import * as path from "node:path";
 const isMarkdown = (filePath) => filePath.endsWith(".md");
-export async function processChanges(changes, workspace, current, blocks, sink, store) {
+/** Read all blocks from a ReadableStream, sinking each, return the last CID (root). */
+async function drainBlockStream(stream, sink) {
+    const reader = stream.getReader();
+    let root = null;
+    while (true) {
+        const { done, value } = await reader.read();
+        if (done)
+            break;
+        root = value.cid;
+        await sink(value);
+    }
+    if (!root)
+        throw new Error("Empty block stream");
+    return root;
+}
+export async function processChanges(changes, workspace, current, blocks, sink, store, encryptionConfig) {
     const pendingOps = [];
     const mdChanges = changes.filter((c) => isMarkdown(c.path));
     const regularChanges = changes.filter((c) => !isMarkdown(c.path));
-    // --- Regular files (UnixFS encode) ---
+    // --- Regular files ---
     const toEncode = regularChanges
         .filter((c) => c.type !== "unlink")
         .map((c) => c.path);
-    const encoded = await encodeFiles(workspace, toEncode);
     const files = [];
-    for (const file of encoded) {
-        let root = null;
-        const reader = file.blocks.getReader();
-        while (true) {
-            const { done, value } = await reader.read();
-            if (done)
-                break;
-            root = value.cid;
-            await sink(value);
+    if (encryptionConfig) {
+        // Private space: encrypt each file
+        for (const relPath of toEncode) {
+            try {
+                const fileBytes = await fs.readFile(path.join(workspace, relPath));
+                const encStream = await encryptToBlockStream(new Blob([fileBytes]), encryptionConfig);
+                const rootCID = await drainBlockStream(encStream, sink);
+                files.push({ path: relPath, rootCID });
+            }
+            catch (err) {
+                if (err.code === "ENOENT") {
+                    console.warn(`File not found during encoding: ${relPath}`);
+                    continue;
+                }
+                throw err;
+            }
         }
-        if (!root) {
-            throw new Error(`Failed to encode file: ${file.path}`);
+    }
+    else {
+        // Public space: UnixFS encode
+        const encoded = await encodeFiles(workspace, toEncode);
+        for (const file of encoded) {
+            const rootCID = await drainBlockStream(file.blocks, sink);
+            files.push({ path: file.path, rootCID });
         }
-        files.push({ path: file.path, rootCID: root });
     }
     for (const file of files) {
         const existing = current
@@ -51,24 +80,36 @@ export async function processChanges(changes, workspace, current, blocks, sink,
     const mdPuts = mdChanges.filter((c) => c.type !== "unlink");
     for (const change of mdPuts) {
         const content = await fs.readFile(path.join(workspace, change.path), "utf-8");
-        const newEntry = current
+        const block = current
             ? await mdsync.put(blocks, current, change.path, content)
             : await mdsync.v0Put(content);
-        if (!newEntry) {
+        if (!block) {
             continue; // No change detected, skip writing a new entry.
         }
-        const { mdEntryCid, additions } = newEntry;
-        // Sink blocks to CAR for upload, and store locally for future resolveValue calls.
-        for (const block of additions) {
+        if (encryptionConfig) {
+            // Private space: encrypt the single-block entry
+            const encStream = await encryptToBlockStream(new Blob([block.bytes]), encryptionConfig);
+            const rootCID = await drainBlockStream(encStream, sink);
+            // Store unencrypted block locally for future resolveValue calls
+            if (store)
+                await store(block);
+            pendingOps.push({
+                type: "put",
+                key: change.path,
+                value: rootCID,
+            });
+        }
+        else {
+            // Public space: store block directly
             await sink(block);
             if (store)
                 await store(block);
+            pendingOps.push({
+                type: "put",
+                key: change.path,
+                value: block.cid,
+            });
         }
-        pendingOps.push({
-            type: "put",
-            key: change.path,
-            value: mdEntryCid,
-        });
     }
     // --- Deletes (both regular and markdown) ---
     const toDelete = changes

package/dist/handlers/remote.d.ts

@@ -2,14 +2,18 @@
  * Apply remote changes to local filesystem.
  *
  * Regular files are fetched from the IPFS gateway (handles UnixFS reassembly).
+ * For private spaces, regular files are decrypted via EncryptedClient.
  * Markdown files (.md) are resolved via mdsync CRDT merge — the tiered
  * blockstore's gateway layer handles fetching any missing blocks.
  */
 import type { CID } from "multiformats/cid";
 import type { BlockFetcher, ValueView } from "@storacha/ucn/pail/api";
+import type { DecryptionConfig, EncryptedClient } from "@storacha/encrypt-upload-client/types";
 export declare function applyRemoteChanges(changedPaths: string[], entries: Map<string, CID>, workspace: string, options?: {
     gateway?: string;
     blocks?: BlockFetcher;
     current?: ValueView;
+    encryptedClient?: EncryptedClient;
+    decryptionConfig?: DecryptionConfig;
 }): Promise<void>;
 //# sourceMappingURL=remote.d.ts.map

package/dist/handlers/remote.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"remote.d.ts","sourceRoot":"","sources":["../../src/handlers/remote.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,KAAK,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AAOtE,wBAAsB,kBAAkB,CACtC,YAAY,EAAE,MAAM,EAAE,EACtB,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,EACzB,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE;IACR,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,OAAO,CAAC,EAAE,SAAS,CAAC;CACrB,GACA,OAAO,CAAC,IAAI,CAAC,CAiCf"}
+{"version":3,"file":"remote.d.ts","sourceRoot":"","sources":["../../src/handlers/remote.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,KAAK,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,wBAAwB,CAAC;AACtE,OAAO,KAAK,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,uCAAuC,CAAC;AA2B/F,wBAAsB,kBAAkB,CACtC,YAAY,EAAE,MAAM,EAAE,EACtB,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,EACzB,SAAS,EAAE,MAAM,EACjB,OAAO,CAAC,EAAE;IACR,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,YAAY,CAAC;IACtB,OAAO,CAAC,EAAE,SAAS,CAAC;IACpB,eAAe,CAAC,EAAE,eAAe,CAAC;IAClC,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;CACrC,GACA,OAAO,CAAC,IAAI,CAAC,CA8Cf"}

package/dist/handlers/remote.js

@@ -2,16 +2,38 @@
  * Apply remote changes to local filesystem.
  *
  * Regular files are fetched from the IPFS gateway (handles UnixFS reassembly).
+ * For private spaces, regular files are decrypted via EncryptedClient.
  * Markdown files (.md) are resolved via mdsync CRDT merge — the tiered
  * blockstore's gateway layer handles fetching any missing blocks.
  */
 import * as fs from "node:fs/promises";
 import * as path from "node:path";
 import * as mdsync from "../mdsync/index.js";
+import { makeDecryptFn } from "../utils/crypto.js";
 const DEFAULT_GATEWAY = "https://storacha.link";
 const isMarkdown = (filePath) => filePath.endsWith(".md");
+/** Drain a ReadableStream into a single Uint8Array. */
+async function drainStream(stream) {
+    const reader = stream.getReader();
+    const chunks = [];
+    while (true) {
+        const { done, value } = await reader.read();
+        if (done)
+            break;
+        chunks.push(value);
+    }
+    const totalLength = chunks.reduce((sum, c) => sum + c.length, 0);
+    const result = new Uint8Array(totalLength);
+    let offset = 0;
+    for (const chunk of chunks) {
+        result.set(chunk, offset);
+        offset += chunk.length;
+    }
+    return result;
+}
 export async function applyRemoteChanges(changedPaths, entries, workspace, options) {
     const gateway = options?.gateway ?? DEFAULT_GATEWAY;
+    const isEncrypted = !!(options?.encryptedClient && options?.decryptionConfig);
     for (const relativePath of changedPaths) {
         const cid = entries.get(relativePath);
         const fullPath = path.join(workspace, relativePath);
@@ -27,16 +49,26 @@ export async function applyRemoteChanges(changedPaths, entries, workspace, optio
         }
         else if (isMarkdown(relativePath) && options?.blocks && options?.current) {
             // Markdown: resolve via mdsync CRDT merge.
-            // The blockstore's lowest tier is a gateway fetcher, so any blocks
-            // we don't have locally will be fetched transparently.
-            const content = await mdsync.get(options.blocks, options.current, relativePath);
+            // For single-device, unencrypted blocks are stored locally.
+            // TODO: For multi-device private spaces, add decrypt layer to resolveValue.
+            const decrypt = isEncrypted
+                ? makeDecryptFn(options.encryptedClient, options.decryptionConfig)
+                : undefined;
+            const content = await mdsync.get(options.blocks, options.current, relativePath, decrypt);
             if (content != null) {
                 await fs.mkdir(path.dirname(fullPath), { recursive: true });
                 await fs.writeFile(fullPath, content);
             }
         }
+        else if (isEncrypted) {
+            // Private space: retrieve and decrypt via EncryptedClient
+            const { stream } = await options.encryptedClient.retrieveAndDecryptFile(cid, options.decryptionConfig);
+            const bytes = await drainStream(stream);
+            await fs.mkdir(path.dirname(fullPath), { recursive: true });
+            await fs.writeFile(fullPath, bytes);
+        }
         else {
-            // Regular file: fetch full file from gateway (handles UnixFS reassembly)
+            // Public space: fetch full file from gateway (handles UnixFS reassembly)
             const res = await fetch(`${gateway}/ipfs/${cid}`);
             if (!res.ok) {
                 throw new Error(`Gateway fetch failed for ${cid}: ${res.status}`);

package/dist/mdsync/index.d.ts

@@ -1,29 +1,72 @@
 /**
  * mdsync — CRDT markdown storage on top of UCN Pail.
  *
- * Stores RGA-backed markdown trees at Pail keys. Each key's value is a
- * MarkdownEntry containing:
+ * Each key's value is a single DAG-CBOR block (DeserializedMarkdownEntry)
+ * containing:
  *   - The current RGA tree (full document state)
  *   - An RGA of MarkdownEvents (causal history scoped to this key)
  *   - The last changeset applied (for incremental replay during merge)
  *
  * On read, if the Pail has multiple heads (concurrent writes), we resolve
  * by walking from the common ancestor forward, replaying each branch's
- * changesets and merging event RGAs — analogous to how Pail itself resolves
- * concurrent root updates.
+ * changesets and merging event RGAs.
  */
-import { BlockFetcher, ValueView } from "@storacha/ucn/pail/api";
+import { BlockFetcher, EventLink, ValueView } from "@storacha/ucn/pail/api";
 import { Block, CID } from "multiformats";
-interface MarkdownResult {
-    mdEntryCid: CID;
-    additions: Block[];
+import { RGA, RGATreeRoot, RGAChangeSet } from "@storacha/md-merge";
+/**
+ * A MarkdownEvent ties an RGA tree mutation to its position in the Pail's
+ * merkle clock. `parents` are the EventLinks of the Pail revision that was
+ * current when this edit was made — this is what links the md-merge causal
+ * history to the Pail's causal history.
+ *
+ * Implements RGAEvent (toString) so it can be used as the event type in
+ * md-merge's RGA and RGATree.
+ */
+declare class MarkdownEvent {
+    parents: Array<EventLink>;
+    constructor(parents: Array<EventLink>);
+    toString(): string;
+}
+/** Shorthand for the event RGA type used throughout. */
+type EventRGA = RGA<MarkdownEvent, MarkdownEvent>;
+interface DeserializedMarkdownEntryBase {
+    type: string;
+    /** The full RGA tree for the document at this key. */
+    root: RGATreeRoot<MarkdownEvent>;
+    /**
+     * Causal history as an RGA. Each node is a MarkdownEvent; the RGA's
+     * afterId links encode causal ordering. toWeightedArray() gives a
+     * BFS linearization suitable for building a comparator.
+     */
+    events: EventRGA;
+}
+interface DeserializedMarkdownEntryInitial extends DeserializedMarkdownEntryBase {
+    type: "initial";
 }
+interface DeserializedMarkdownEntryUpdate extends DeserializedMarkdownEntryBase {
+    type: "update";
+    /** The changeset that was applied to produce this version of the tree. */
+    changeset: RGAChangeSet<MarkdownEvent>;
+}
+type DeserializedMarkdownEntry = DeserializedMarkdownEntryInitial | DeserializedMarkdownEntryUpdate;
+/**
+ * Encode a DeserializedMarkdownEntry as a single DAG-CBOR block.
+ * All data (tree, events, changeset) is inlined — no CID references.
+ */
+export declare const encodeMarkdownEntry: (entry: DeserializedMarkdownEntry) => Promise<Block>;
+/**
+ * Decode a single DAG-CBOR block back to a DeserializedMarkdownEntry.
+ */
+export declare const decodeMarkdownEntry: (block: {
+    bytes: Uint8Array;
+}) => Promise<DeserializedMarkdownEntry>;
 /**
  * First put into an empty Pail (v0 = no existing revision).
- * Returns the markdown entry CID and blocks to store. Caller is
- * responsible for creating the Pail revision via Revision.v0Put.
+ * Returns a single block to store. Caller is responsible for
+ * creating the Pail revision via Revision.v0Put.
  */
-export declare const v0Put: (newMarkdown: string) => Promise<MarkdownResult>;
+export declare const v0Put: (newMarkdown: string) => Promise<Block>;
 /**
  * Put markdown content at a key in an existing Pail.
  *
@@ -32,14 +75,14 @@ export declare const v0Put: (newMarkdown: string) => Promise<MarkdownResult>;
  * an RGA changeset against the resolved tree, applies it, and stores the
  * updated entry.
  *
- * Returns the markdown entry CID and blocks to store. Caller is
- * responsible for creating the Pail revision via Revision.put.
+ * Returns a single block to store, or null if no changes detected.
+ * Caller is responsible for creating the Pail revision via Revision.put.
  */
-export declare const put: (blocks: BlockFetcher, current: ValueView, key: string, newMarkdown: string) => Promise<MarkdownResult | null>;
+export declare const put: (blocks: BlockFetcher, current: ValueView, key: string, newMarkdown: string) => Promise<Block | null>;
 /**
  * Get the current markdown string for a key, resolving concurrent heads.
  * Returns undefined if the key doesn't exist.
  */
-export declare const get: (blocks: BlockFetcher, current: ValueView, key: string) => Promise<string | undefined>;
+export declare const get: (blocks: BlockFetcher, current: ValueView, key: string, decrypt?: (cid: CID) => Promise<Uint8Array>) => Promise<string | undefined>;
 export {};
 //# sourceMappingURL=index.d.ts.map

package/dist/mdsync/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/mdsync/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAGH,OAAO,EACL,YAAY,EAGZ,SAAS,EACV,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,cAAc,CAAC;AAuJ1C,UAAU,cAAc;IACtB,UAAU,EAAE,GAAG,CAAC;IAChB,SAAS,EAAE,KAAK,EAAE,CAAC;CACpB;AAyBD;;;;GAIG;AACH,eAAO,MAAM,KAAK,GAAU,aAAa,MAAM,KAAG,OAAO,CAAC,cAAc,CAEvE,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,GAAG,GACd,QAAQ,YAAY,EACpB,SAAS,SAAS,EAClB,KAAK,MAAM,EACX,aAAa,MAAM,KAClB,OAAO,CAAC,cAAc,GAAG,IAAI,CAkC/B,CAAC;AAkSF;;;GAGG;AACH,eAAO,MAAM,GAAG,GACd,QAAQ,YAAY,EACpB,SAAS,SAAS,EAClB,KAAK,MAAM,KACV,OAAO,CAAC,MAAM,GAAG,SAAS,CAM5B,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/mdsync/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EACL,YAAY,EACZ,SAAS,EAET,SAAS,EACV,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,cAAc,CAAC;AAE1C,OAAO,EAEL,GAAG,EAGH,WAAW,EACX,YAAY,EAUb,MAAM,oBAAoB,CAAC;AAQ5B;;;;;;;;GAQG;AACH,cAAM,aAAa;IACjB,OAAO,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;gBAEd,OAAO,EAAE,KAAK,CAAC,SAAS,CAAC;IAIrC,QAAQ;CAGT;AAyBD,wDAAwD;AACxD,KAAK,QAAQ,GAAG,GAAG,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;AAElD,UAAU,6BAA6B;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,sDAAsD;IACtD,IAAI,EAAE,WAAW,CAAC,aAAa,CAAC,CAAC;IACjC;;;;OAIG;IACH,MAAM,EAAE,QAAQ,CAAC;CAClB;AAED,UAAU,gCACR,SAAQ,6BAA6B;IACrC,IAAI,EAAE,SAAS,CAAC;CACjB;AAED,UAAU,+BACR,SAAQ,6BAA6B;IACrC,IAAI,EAAE,QAAQ,CAAC;IACf,0EAA0E;IAC1E,SAAS,EAAE,YAAY,CAAC,aAAa,CAAC,CAAC;CACxC;AAED,KAAK,yBAAyB,GAC1B,gCAAgC,GAChC,+BAA+B,CAAC;AA8BpC;;;GAGG;AACH,eAAO,MAAM,mBAAmB,GAC9B,OAAO,yBAAyB,KAC/B,OAAO,CAAC,KAAK,CAcf,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,mBAAmB,GAC9B,OAAO;IAAE,KAAK,EAAE,UAAU,CAAA;CAAE,KAC3B,OAAO,CAAC,yBAAyB,CA+BnC,CAAC;AA4BF;;;;GAIG;AACH,eAAO,MAAM,KAAK,GAAU,aAAa,MAAM,KAAG,OAAO,CAAC,KAAK,CAG9D,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,GAAG,GACd,QAAQ,YAAY,EACpB,SAAS,SAAS,EAClB,KAAK,MAAM,EACX,aAAa,MAAM,KAClB,OAAO,CAAC,KAAK,GAAG,IAAI,CAiCtB,CAAC;AA4IF;;;GAGG;AACH,eAAO,MAAM,GAAG,GACd,QAAQ,YAAY,EACpB,SAAS,SAAS,EAClB,KAAK,MAAM,EACX,UAAU,CAAC,GAAG,EAAE,GAAG,KAAK,OAAO,CAAC,UAAU,CAAC,KAC1C,OAAO,CAAC,MAAM,GAAG,SAAS,CAM5B,CAAC"}