@tinycloud/node-sdk 2.4.0-beta.1 → 2.4.0-beta.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{core-Dbzm1kA_.d.cts → core--mjBU9Jq.d.cts} +154 -6
- package/dist/{core-Dbzm1kA_.d.ts → core--mjBU9Jq.d.ts} +154 -6
- package/dist/core.cjs +462 -222
- package/dist/core.cjs.map +1 -1
- package/dist/core.d.cts +2 -2
- package/dist/core.d.ts +2 -2
- package/dist/core.js +291 -48
- package/dist/core.js.map +1 -1
- package/dist/index.cjs +533 -265
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +2 -2
- package/dist/index.d.ts +2 -2
- package/dist/index.js +322 -52
- package/dist/index.js.map +1 -1
- package/package.json +2 -2
package/dist/core.d.cts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CanonicalAddress, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, addressStorageKey, buildSpaceUri, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeNetworkId, canonicalizeSecretScope, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, didCacheKey, didEquals, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, isCapabilitySubset, isEvmAddress, loadManifest, makePkhSpaceId, makePublicSpaceId, parseCanonicalNetworkId, parseExpiry, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, validateManifest } from '@tinycloud/sdk-core';
|
|
2
|
-
export { D as DelegateToOptions,
|
|
1
|
+
export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AccountApplication, AccountApplicationListOptions, AccountDelegation, AccountDelegationListOptions, AccountDelegationRevokeOptions, AccountIndexRebuildResult, AccountIndexStatus, AccountIndexedReadOptions, AccountService, AccountServiceConfig, AccountSpace, AccountSpaceListOptions, AccountStatus, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CanonicalAddress, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, addressStorageKey, buildSpaceUri, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeNetworkId, canonicalizeSecretScope, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, didCacheKey, didEquals, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, isCapabilitySubset, isEvmAddress, loadManifest, makePkhSpaceId, makePublicSpaceId, parseCanonicalNetworkId, parseExpiry, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, validateManifest } from '@tinycloud/sdk-core';
|
|
2
|
+
export { D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, s as serializeDelegation } from './core--mjBU9Jq.cjs';
|
|
3
3
|
import 'events';
|
|
4
4
|
import '@tinycloud/sdk-services';
|
package/dist/core.d.ts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CanonicalAddress, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, addressStorageKey, buildSpaceUri, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeNetworkId, canonicalizeSecretScope, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, didCacheKey, didEquals, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, isCapabilitySubset, isEvmAddress, loadManifest, makePkhSpaceId, makePublicSpaceId, parseCanonicalNetworkId, parseExpiry, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, validateManifest } from '@tinycloud/sdk-core';
|
|
2
|
-
export { D as DelegateToOptions,
|
|
1
|
+
export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AccountApplication, AccountApplicationListOptions, AccountDelegation, AccountDelegationListOptions, AccountDelegationRevokeOptions, AccountIndexRebuildResult, AccountIndexStatus, AccountIndexedReadOptions, AccountService, AccountServiceConfig, AccountSpace, AccountSpaceListOptions, AccountStatus, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CanonicalAddress, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, addressStorageKey, buildSpaceUri, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeNetworkId, canonicalizeSecretScope, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, didCacheKey, didEquals, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, isCapabilitySubset, isEvmAddress, loadManifest, makePkhSpaceId, makePublicSpaceId, parseCanonicalNetworkId, parseExpiry, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, validateManifest } from '@tinycloud/sdk-core';
|
|
2
|
+
export { D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, s as serializeDelegation } from './core--mjBU9Jq.js';
|
|
3
3
|
import 'events';
|
|
4
4
|
import '@tinycloud/sdk-services';
|
package/dist/core.js
CHANGED
|
@@ -17,7 +17,7 @@ import {
|
|
|
17
17
|
parsePkhDid,
|
|
18
18
|
pkhDid as pkhDid3,
|
|
19
19
|
principalDid,
|
|
20
|
-
principalDidEquals as
|
|
20
|
+
principalDidEquals as principalDidEquals3,
|
|
21
21
|
parseCanonicalNetworkId
|
|
22
22
|
} from "@tinycloud/sdk-core";
|
|
23
23
|
|
|
@@ -222,6 +222,8 @@ import {
|
|
|
222
222
|
DEFAULT_MANIFEST_SPACE,
|
|
223
223
|
ENCRYPTION_PERMISSION_SERVICE,
|
|
224
224
|
composeManifestRequest,
|
|
225
|
+
parseNetworkId,
|
|
226
|
+
principalDidEquals,
|
|
225
227
|
resourceCapabilitiesToAbilitiesMap,
|
|
226
228
|
resourceCapabilitiesToSpaceAbilitiesMap,
|
|
227
229
|
resolveTinyCloudHosts,
|
|
@@ -235,6 +237,25 @@ import {
|
|
|
235
237
|
var defaultSignStrategy = { type: "auto-sign" };
|
|
236
238
|
|
|
237
239
|
// src/authorization/NodeUserAuthorization.ts
|
|
240
|
+
var DECRYPT_ACTION = "tinycloud.encryption/decrypt";
|
|
241
|
+
var NETWORK_CREATE_ACTION = "tinycloud.encryption/network.create";
|
|
242
|
+
function didPrincipalMatches(actual, expected) {
|
|
243
|
+
try {
|
|
244
|
+
return principalDidEquals(actual, expected);
|
|
245
|
+
} catch {
|
|
246
|
+
return actual === expected;
|
|
247
|
+
}
|
|
248
|
+
}
|
|
249
|
+
function addRawAbility(rawAbilities, resource, action) {
|
|
250
|
+
const actions = rawAbilities[resource];
|
|
251
|
+
if (actions === void 0) {
|
|
252
|
+
rawAbilities[resource] = [action];
|
|
253
|
+
return;
|
|
254
|
+
}
|
|
255
|
+
if (!actions.includes(action)) {
|
|
256
|
+
actions.push(action);
|
|
257
|
+
}
|
|
258
|
+
}
|
|
238
259
|
var NodeUserAuthorization = class {
|
|
239
260
|
constructor(config) {
|
|
240
261
|
this.extensions = [];
|
|
@@ -261,6 +282,7 @@ var NodeUserAuthorization = class {
|
|
|
261
282
|
"": [
|
|
262
283
|
"tinycloud.sql/read",
|
|
263
284
|
"tinycloud.sql/write",
|
|
285
|
+
"tinycloud.sql/ddl",
|
|
264
286
|
"tinycloud.sql/admin",
|
|
265
287
|
"tinycloud.sql/export"
|
|
266
288
|
]
|
|
@@ -352,12 +374,48 @@ var NodeUserAuthorization = class {
|
|
|
352
374
|
* `siwe` is the load-bearing one because `extractSiweExpiration` returns
|
|
353
375
|
* undefined for missing SIWEs and the SDK then treats the session as
|
|
354
376
|
* expired-at-epoch-zero.
|
|
377
|
+
*
|
|
378
|
+
* @param hosts - The TinyCloud hosts this session was created against,
|
|
379
|
+
* as persisted in {@link PersistedSessionData.tinycloudHosts}. When
|
|
380
|
+
* present (and non-empty) they are adopted directly so the restored
|
|
381
|
+
* session resolves to the same node as the original sign-in without
|
|
382
|
+
* re-running registry/fallback resolution. When absent (old session)
|
|
383
|
+
* hosts are resolved lazily on the first host-needing call via
|
|
384
|
+
* {@link ensureTinyCloudHosts}.
|
|
355
385
|
*/
|
|
356
|
-
setRestoredTinyCloudSession(session) {
|
|
386
|
+
setRestoredTinyCloudSession(session, hosts) {
|
|
357
387
|
const address = canonicalizeAddress(session.address);
|
|
358
388
|
this._tinyCloudSession = { ...session, address };
|
|
359
389
|
this._address = address;
|
|
360
390
|
this._chainId = session.chainId;
|
|
391
|
+
if ((!this.tinycloudHosts || this.tinycloudHosts.length === 0) && hosts && hosts.length > 0) {
|
|
392
|
+
this.tinycloudHosts = [...hosts];
|
|
393
|
+
}
|
|
394
|
+
}
|
|
395
|
+
/**
|
|
396
|
+
* Ensure `tinycloudHosts` are resolved before a host-needing call.
|
|
397
|
+
*
|
|
398
|
+
* Fresh sign-in resolves hosts up front; a restored session may not have
|
|
399
|
+
* (old persisted sessions predate {@link PersistedSessionData.tinycloudHosts}).
|
|
400
|
+
* This guard makes a restored session resolve the node exactly like a fresh
|
|
401
|
+
* sign-in — persisted hosts are preferred (already set by
|
|
402
|
+
* {@link setRestoredTinyCloudSession}), otherwise the registry/fallback
|
|
403
|
+
* resolution runs lazily here. Idempotent: {@link resolveTinyCloudHostsForSignIn}
|
|
404
|
+
* early-returns when hosts are already set.
|
|
405
|
+
*
|
|
406
|
+
* Throws if hosts are unset and the restored session has no address/chainId
|
|
407
|
+
* to resolve from — a real failure that must surface, not be masked.
|
|
408
|
+
*/
|
|
409
|
+
async ensureTinyCloudHosts() {
|
|
410
|
+
if (this.tinycloudHosts && this.tinycloudHosts.length > 0) {
|
|
411
|
+
return;
|
|
412
|
+
}
|
|
413
|
+
if (this._address === void 0 || this._chainId === void 0) {
|
|
414
|
+
throw new Error(
|
|
415
|
+
"Cannot resolve TinyCloud hosts: no address/chainId available. Sign in or restore a session first."
|
|
416
|
+
);
|
|
417
|
+
}
|
|
418
|
+
await this.resolveTinyCloudHostsForSignIn(this._address, this._chainId);
|
|
361
419
|
}
|
|
362
420
|
async resolveTinyCloudHostsForSignIn(address, chainId) {
|
|
363
421
|
if (this.tinycloudHosts && this.tinycloudHosts.length > 0) {
|
|
@@ -464,20 +522,18 @@ var NodeUserAuthorization = class {
|
|
|
464
522
|
};
|
|
465
523
|
}
|
|
466
524
|
const rawAbilities = {};
|
|
525
|
+
const currentDid = pkhDid(address, chainId);
|
|
467
526
|
const spaceResources = request.resources.filter((entry) => {
|
|
468
527
|
if (entry.service !== ENCRYPTION_PERMISSION_SERVICE) {
|
|
469
528
|
return true;
|
|
470
529
|
}
|
|
471
|
-
const
|
|
472
|
-
|
|
473
|
-
|
|
474
|
-
|
|
475
|
-
const
|
|
476
|
-
|
|
477
|
-
|
|
478
|
-
existing.push(action);
|
|
479
|
-
seen.add(action);
|
|
480
|
-
}
|
|
530
|
+
for (const action of entry.actions) {
|
|
531
|
+
addRawAbility(rawAbilities, entry.path, action);
|
|
532
|
+
}
|
|
533
|
+
if (entry.actions.includes(DECRYPT_ACTION)) {
|
|
534
|
+
const parsed = parseNetworkId(entry.path);
|
|
535
|
+
if (didPrincipalMatches(parsed.ownerDid, currentDid)) {
|
|
536
|
+
addRawAbility(rawAbilities, entry.path, NETWORK_CREATE_ACTION);
|
|
481
537
|
}
|
|
482
538
|
}
|
|
483
539
|
return false;
|
|
@@ -556,6 +612,7 @@ var NodeUserAuthorization = class {
|
|
|
556
612
|
if (!this._tinyCloudSession || !this._address || !this._chainId) {
|
|
557
613
|
throw new Error("Must be signed in to host space");
|
|
558
614
|
}
|
|
615
|
+
await this.ensureTinyCloudHosts();
|
|
559
616
|
const host = this.primaryTinyCloudHost;
|
|
560
617
|
const spaceId = targetSpaceId ?? this._tinyCloudSession.spaceId;
|
|
561
618
|
const peerId = await fetchPeerId(host, spaceId);
|
|
@@ -598,6 +655,7 @@ var NodeUserAuthorization = class {
|
|
|
598
655
|
if (!this._tinyCloudSession) {
|
|
599
656
|
throw new Error("Must be signed in to ensure space exists");
|
|
600
657
|
}
|
|
658
|
+
await this.ensureTinyCloudHosts();
|
|
601
659
|
const host = this.primaryTinyCloudHost;
|
|
602
660
|
const primarySpaceId = this._tinyCloudSession.spaceId;
|
|
603
661
|
const result = await activateSessionWithHost(
|
|
@@ -779,7 +837,8 @@ var NodeUserAuthorization = class {
|
|
|
779
837
|
},
|
|
780
838
|
expiresAt: expirationTime.toISOString(),
|
|
781
839
|
createdAt: now.toISOString(),
|
|
782
|
-
version: "1.0"
|
|
840
|
+
version: "1.0",
|
|
841
|
+
tinycloudHosts: this.tinycloudHosts
|
|
783
842
|
};
|
|
784
843
|
await this.sessionStorage.save(address, persistedData);
|
|
785
844
|
this._session = clientSession;
|
|
@@ -946,7 +1005,8 @@ var NodeUserAuthorization = class {
|
|
|
946
1005
|
},
|
|
947
1006
|
expiresAt,
|
|
948
1007
|
createdAt,
|
|
949
|
-
version: "1.0"
|
|
1008
|
+
version: "1.0",
|
|
1009
|
+
tinycloudHosts: this.tinycloudHosts
|
|
950
1010
|
};
|
|
951
1011
|
await this.sessionStorage.save(address, persistedData);
|
|
952
1012
|
this._session = clientSession;
|
|
@@ -1070,9 +1130,14 @@ import {
|
|
|
1070
1130
|
verifyDidKeyEd25519Signature,
|
|
1071
1131
|
canonicalizeAddress as canonicalizeAddress2,
|
|
1072
1132
|
pkhDid as pkhDid2,
|
|
1073
|
-
|
|
1133
|
+
resolveTinyCloudHosts as resolveTinyCloudHosts2,
|
|
1134
|
+
principalDidEquals as principalDidEquals2,
|
|
1135
|
+
parseNetworkId as parseNetworkId2
|
|
1074
1136
|
} from "@tinycloud/sdk-core";
|
|
1075
1137
|
|
|
1138
|
+
// src/account/AccountService.ts
|
|
1139
|
+
import { AccountService } from "@tinycloud/sdk-core";
|
|
1140
|
+
|
|
1076
1141
|
// src/DelegatedAccess.ts
|
|
1077
1142
|
import {
|
|
1078
1143
|
KVService,
|
|
@@ -1490,13 +1555,13 @@ var NodeSecretsService = class {
|
|
|
1490
1555
|
// src/TinyCloudNode.ts
|
|
1491
1556
|
var DEFAULT_HOST = "https://node.tinycloud.xyz";
|
|
1492
1557
|
var DEFAULT_ENCRYPTION_NETWORK_NAME = "default";
|
|
1493
|
-
var
|
|
1494
|
-
var
|
|
1558
|
+
var NETWORK_CREATE_ACTION2 = "tinycloud.encryption/network.create";
|
|
1559
|
+
var DECRYPT_ACTION2 = "tinycloud.encryption/decrypt";
|
|
1495
1560
|
var NETWORK_ADMIN_TYPE = "tinycloud.encryption.network-admin/v1";
|
|
1496
1561
|
var DEFAULT_SESSION_EXPIRATION_MS = EXPIRY3.SESSION_MS;
|
|
1497
|
-
function
|
|
1562
|
+
function didPrincipalMatches2(actual, expected) {
|
|
1498
1563
|
try {
|
|
1499
|
-
return
|
|
1564
|
+
return principalDidEquals2(actual, expected);
|
|
1500
1565
|
} catch {
|
|
1501
1566
|
return actual === expected;
|
|
1502
1567
|
}
|
|
@@ -1833,6 +1898,37 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
1833
1898
|
get spaceId() {
|
|
1834
1899
|
return this.auth?.tinyCloudSession?.spaceId;
|
|
1835
1900
|
}
|
|
1901
|
+
/**
|
|
1902
|
+
* Get the account space ID for this wallet identity.
|
|
1903
|
+
* Available after wallet-backed sign-in or a restored session with address metadata.
|
|
1904
|
+
*/
|
|
1905
|
+
get accountSpaceId() {
|
|
1906
|
+
if (!this._address) {
|
|
1907
|
+
return void 0;
|
|
1908
|
+
}
|
|
1909
|
+
return this.wasmBindings.makeSpaceId(this._address, this._chainId, ACCOUNT_REGISTRY_SPACE);
|
|
1910
|
+
}
|
|
1911
|
+
/**
|
|
1912
|
+
* Account-level application and delegation helpers.
|
|
1913
|
+
*/
|
|
1914
|
+
get account() {
|
|
1915
|
+
if (!this._account) {
|
|
1916
|
+
this._account = new AccountService({
|
|
1917
|
+
getDid: () => this.did,
|
|
1918
|
+
getHost: () => this.hosts[0] ?? this.config.host,
|
|
1919
|
+
getPrimarySpaceId: () => this.spaceId,
|
|
1920
|
+
getAccountSpaceId: () => this.accountSpaceId,
|
|
1921
|
+
getSpaces: () => this.spaces,
|
|
1922
|
+
getAccountDb: () => this.accountSpaceId ? this.sqlForSpace(this.accountSpaceId).db("account") : void 0,
|
|
1923
|
+
ensureAccountSpaceHosted: async () => {
|
|
1924
|
+
if (this.accountSpaceId && this.auth) {
|
|
1925
|
+
await this.ensureOwnedSpaceHostedById(this.accountSpaceId);
|
|
1926
|
+
}
|
|
1927
|
+
}
|
|
1928
|
+
});
|
|
1929
|
+
}
|
|
1930
|
+
return this._account;
|
|
1931
|
+
}
|
|
1836
1932
|
/**
|
|
1837
1933
|
* Get the current TinyCloud session.
|
|
1838
1934
|
* Available after signIn().
|
|
@@ -1870,10 +1966,11 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
1870
1966
|
await this.tc.signIn(options);
|
|
1871
1967
|
this.syncResolvedHostFromAuth();
|
|
1872
1968
|
this.initializeServices();
|
|
1969
|
+
await this.ensureRequestedEncryptionNetworks();
|
|
1873
1970
|
if (this.config.manifest === void 0 && this.config.capabilityRequest === void 0) {
|
|
1874
|
-
await this.
|
|
1971
|
+
await this.ensureOwnedSpaceHostedById(this.ownedSpaceId("secrets"));
|
|
1875
1972
|
}
|
|
1876
|
-
|
|
1973
|
+
this.scheduleAccountRegistrySync();
|
|
1877
1974
|
this.notificationHandler.success("Successfully signed in");
|
|
1878
1975
|
}
|
|
1879
1976
|
ownedSpaceId(name) {
|
|
@@ -1891,22 +1988,68 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
1891
1988
|
throw new Error("Manifest registry write requires wallet mode");
|
|
1892
1989
|
}
|
|
1893
1990
|
const accountSpaceId = this.ownedSpaceId(ACCOUNT_REGISTRY_SPACE);
|
|
1894
|
-
await this.
|
|
1895
|
-
const
|
|
1896
|
-
|
|
1897
|
-
|
|
1898
|
-
|
|
1899
|
-
|
|
1900
|
-
|
|
1901
|
-
|
|
1902
|
-
|
|
1903
|
-
|
|
1904
|
-
|
|
1905
|
-
|
|
1991
|
+
await this.ensureOwnedSpaceHostedById(accountSpaceId);
|
|
1992
|
+
const result = await this.account.applications.register(request.manifests);
|
|
1993
|
+
if (!result.ok) {
|
|
1994
|
+
throw new Error(
|
|
1995
|
+
`Failed to write manifest registry records: ${result.error.message}`
|
|
1996
|
+
);
|
|
1997
|
+
}
|
|
1998
|
+
}
|
|
1999
|
+
scheduleAccountRegistrySync() {
|
|
2000
|
+
void this.withAccountRegistryRetry(async () => {
|
|
2001
|
+
await this.writeManifestRegistryRecords();
|
|
2002
|
+
const spaces = await this.account.spaces.syncAccessible();
|
|
2003
|
+
if (!spaces.ok) {
|
|
2004
|
+
throw new Error(`Failed to sync account spaces: ${spaces.error.message}`);
|
|
2005
|
+
}
|
|
2006
|
+
});
|
|
2007
|
+
}
|
|
2008
|
+
async withAccountRegistryRetry(task) {
|
|
2009
|
+
const delays = [250, 1e3, 3e3];
|
|
2010
|
+
let lastError;
|
|
2011
|
+
for (let attempt = 0; attempt < delays.length; attempt += 1) {
|
|
2012
|
+
try {
|
|
2013
|
+
await task();
|
|
2014
|
+
return;
|
|
2015
|
+
} catch (error) {
|
|
2016
|
+
lastError = error;
|
|
2017
|
+
if (attempt < delays.length - 1) {
|
|
2018
|
+
await new Promise((resolve) => setTimeout(resolve, delays[attempt]));
|
|
2019
|
+
}
|
|
2020
|
+
}
|
|
2021
|
+
}
|
|
2022
|
+
console.warn(
|
|
2023
|
+
"TinyCloud account registry sync failed after retries",
|
|
2024
|
+
lastError
|
|
2025
|
+
);
|
|
2026
|
+
}
|
|
2027
|
+
requestedEncryptionNetworkIds() {
|
|
2028
|
+
const request = this.capabilityRequest;
|
|
2029
|
+
if (!request) {
|
|
2030
|
+
return [];
|
|
2031
|
+
}
|
|
2032
|
+
const networkIds = /* @__PURE__ */ new Set();
|
|
2033
|
+
for (const resource of request.resources) {
|
|
2034
|
+
if (resource.service === ENCRYPTION_PERMISSION_SERVICE2 && resource.path.startsWith("urn:tinycloud:encryption:") && resource.actions.includes(DECRYPT_ACTION2)) {
|
|
2035
|
+
networkIds.add(resource.path);
|
|
1906
2036
|
}
|
|
1907
2037
|
}
|
|
2038
|
+
return [...networkIds];
|
|
1908
2039
|
}
|
|
1909
|
-
async
|
|
2040
|
+
async ensureRequestedEncryptionNetworks() {
|
|
2041
|
+
if (!this.signer || !this.auth) {
|
|
2042
|
+
return;
|
|
2043
|
+
}
|
|
2044
|
+
for (const networkId of this.requestedEncryptionNetworkIds()) {
|
|
2045
|
+
const parsed = parseNetworkId2(networkId);
|
|
2046
|
+
if (!didPrincipalMatches2(parsed.ownerDid, this.did)) {
|
|
2047
|
+
continue;
|
|
2048
|
+
}
|
|
2049
|
+
await this.ensureEncryptionNetwork(networkId);
|
|
2050
|
+
}
|
|
2051
|
+
}
|
|
2052
|
+
async ensureOwnedSpaceHostedById(spaceId) {
|
|
1910
2053
|
if (!this.auth) {
|
|
1911
2054
|
throw new Error("Owned space hosting requires wallet mode");
|
|
1912
2055
|
}
|
|
@@ -1949,7 +2092,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
1949
2092
|
* caller is the root authority of their own owned spaces, so no additional
|
|
1950
2093
|
* delegation is required.
|
|
1951
2094
|
*
|
|
1952
|
-
* Unlike {@link
|
|
2095
|
+
* Unlike {@link ensureOwnedSpaceHostedById}, this always submits the host
|
|
1953
2096
|
* delegation rather than inferring hosting from session activation: a space
|
|
1954
2097
|
* the current session has never referenced is reported neither as
|
|
1955
2098
|
* `activated` nor `skipped`, so activation-based detection would wrongly
|
|
@@ -1983,8 +2126,40 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
1983
2126
|
`Failed to activate session for owned space ${spaceId}: ${activation.error ?? "space was skipped"}`
|
|
1984
2127
|
);
|
|
1985
2128
|
}
|
|
2129
|
+
void this.account.spaces.register({
|
|
2130
|
+
spaceId,
|
|
2131
|
+
name,
|
|
2132
|
+
ownerDid: this.did,
|
|
2133
|
+
type: "owned",
|
|
2134
|
+
permissions: ["*"],
|
|
2135
|
+
status: "active"
|
|
2136
|
+
}).catch(() => {
|
|
2137
|
+
});
|
|
1986
2138
|
return spaceId;
|
|
1987
2139
|
}
|
|
2140
|
+
/**
|
|
2141
|
+
* Ensure one of this user's owned spaces (e.g. `"secrets"`) is hosted on the
|
|
2142
|
+
* server.
|
|
2143
|
+
*
|
|
2144
|
+
* At sign-in, a full-authority session auto-hosts the owner's `secrets`
|
|
2145
|
+
* space, but a session created with a manifest / capabilityRequest does not.
|
|
2146
|
+
* Such a session can therefore hold valid `tinycloud.kv/*` capabilities for
|
|
2147
|
+
* the owned `secrets` space yet still fail its first scoped
|
|
2148
|
+
* `secrets.put(...)` with `404 Space not found`, because the space was never
|
|
2149
|
+
* registered on the node.
|
|
2150
|
+
*
|
|
2151
|
+
* Calling this resolves `name` to the owner's owned-space URI
|
|
2152
|
+
* (`tinycloud:pkh:eip155:<chain>:<addr>:<name>`) and hosts it via the
|
|
2153
|
+
* host-SIWE delegation flow. The host SIWE is idempotent server-side, so it
|
|
2154
|
+
* is safe to call whether or not the space already exists; do not gate it on
|
|
2155
|
+
* a prior existence check. Must be called after {@link signIn}.
|
|
2156
|
+
*
|
|
2157
|
+
* @param name - The owned space name (e.g. `"secrets"`).
|
|
2158
|
+
* @returns The hosted owned-space URI.
|
|
2159
|
+
*/
|
|
2160
|
+
async ensureOwnedSpaceHosted(name) {
|
|
2161
|
+
return this.hostOwnedSpace(name);
|
|
2162
|
+
}
|
|
1988
2163
|
/**
|
|
1989
2164
|
* Restore a previously established session from stored delegation data.
|
|
1990
2165
|
*
|
|
@@ -2014,6 +2189,14 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
2014
2189
|
if (sessionData.chainId) {
|
|
2015
2190
|
this._chainId = sessionData.chainId;
|
|
2016
2191
|
}
|
|
2192
|
+
const resolvedHost = await this.resolveRestoredHost(
|
|
2193
|
+
sessionData.tinycloudHosts,
|
|
2194
|
+
restoredAddress,
|
|
2195
|
+
sessionData.chainId
|
|
2196
|
+
);
|
|
2197
|
+
if (resolvedHost) {
|
|
2198
|
+
this.config.host = resolvedHost;
|
|
2199
|
+
}
|
|
2017
2200
|
this._serviceContext = new ServiceContext2({
|
|
2018
2201
|
invoke: this.invokeWithRuntimePermissions,
|
|
2019
2202
|
invokeAny: this.invokeAnyWithRuntimePermissions,
|
|
@@ -2059,12 +2242,45 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
2059
2242
|
signature: sessionData.signature ?? ""
|
|
2060
2243
|
};
|
|
2061
2244
|
if (this.auth) {
|
|
2062
|
-
this.auth.setRestoredTinyCloudSession(
|
|
2245
|
+
this.auth.setRestoredTinyCloudSession(
|
|
2246
|
+
tcSession,
|
|
2247
|
+
this.config.host ? [this.config.host] : void 0
|
|
2248
|
+
);
|
|
2063
2249
|
} else {
|
|
2064
2250
|
this._restoredTcSession = tcSession;
|
|
2065
2251
|
}
|
|
2066
2252
|
}
|
|
2067
2253
|
}
|
|
2254
|
+
/**
|
|
2255
|
+
* Resolve the host a restored session should target.
|
|
2256
|
+
*
|
|
2257
|
+
* Mirrors fresh sign-in host resolution but for the restore path:
|
|
2258
|
+
* an explicit/pinned host always wins, then the hosts the session was
|
|
2259
|
+
* persisted with, then a lazy registry/fallback resolution for sessions
|
|
2260
|
+
* that predate the persisted `tinycloudHosts` field. Returns `undefined`
|
|
2261
|
+
* only when there's nothing to resolve from (no explicit host, no
|
|
2262
|
+
* persisted hosts, and no address/chainId) — in which case the existing
|
|
2263
|
+
* `config.host` (default) is left in place.
|
|
2264
|
+
*
|
|
2265
|
+
* Resolution failures are surfaced, not swallowed: a genuinely broken
|
|
2266
|
+
* registry lookup throws rather than silently falling back to a wrong host.
|
|
2267
|
+
*/
|
|
2268
|
+
async resolveRestoredHost(persistedHosts, address, chainId) {
|
|
2269
|
+
if (this.explicitHost) {
|
|
2270
|
+
return this.explicitHost;
|
|
2271
|
+
}
|
|
2272
|
+
if (persistedHosts && persistedHosts.length > 0) {
|
|
2273
|
+
return persistedHosts[0];
|
|
2274
|
+
}
|
|
2275
|
+
if (address === void 0 || chainId === void 0) {
|
|
2276
|
+
return void 0;
|
|
2277
|
+
}
|
|
2278
|
+
const resolved = await resolveTinyCloudHosts2(pkhDid2(address, chainId), {
|
|
2279
|
+
registryUrl: this.config.tinycloudRegistryUrl,
|
|
2280
|
+
fallbackHosts: this.config.tinycloudFallbackHosts
|
|
2281
|
+
});
|
|
2282
|
+
return resolved.hosts[0];
|
|
2283
|
+
}
|
|
2068
2284
|
/**
|
|
2069
2285
|
* Resolve the currently-active TinyCloudSession, preferring the auth
|
|
2070
2286
|
* layer's value (wallet mode) and falling back to the node-level
|
|
@@ -2374,7 +2590,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
2374
2590
|
const signed = await this.signRawNetworkAuthorization({
|
|
2375
2591
|
targetNode: input.targetNode,
|
|
2376
2592
|
networkId: input.networkId,
|
|
2377
|
-
action:
|
|
2593
|
+
action: DECRYPT_ACTION2,
|
|
2378
2594
|
facts: input.facts
|
|
2379
2595
|
});
|
|
2380
2596
|
return {
|
|
@@ -2391,7 +2607,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
2391
2607
|
},
|
|
2392
2608
|
wellKnown: {
|
|
2393
2609
|
fetchWellKnown: async (principal, discoveryKey) => {
|
|
2394
|
-
if (!this._address || !
|
|
2610
|
+
if (!this._address || !didPrincipalMatches2(principal, this.did)) {
|
|
2395
2611
|
return null;
|
|
2396
2612
|
}
|
|
2397
2613
|
if (!this.config.host) {
|
|
@@ -2600,6 +2816,9 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
2600
2816
|
}
|
|
2601
2817
|
};
|
|
2602
2818
|
}
|
|
2819
|
+
},
|
|
2820
|
+
onSpaceRegistered: async (space) => {
|
|
2821
|
+
await this.account.spaces.register(space);
|
|
2603
2822
|
}
|
|
2604
2823
|
});
|
|
2605
2824
|
this._sharingService.updateConfig({
|
|
@@ -2898,12 +3117,12 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
2898
3117
|
crypto.sha256,
|
|
2899
3118
|
body
|
|
2900
3119
|
),
|
|
2901
|
-
action:
|
|
3120
|
+
action: NETWORK_CREATE_ACTION2
|
|
2902
3121
|
};
|
|
2903
3122
|
const signed = await this.signRawNetworkAuthorization({
|
|
2904
3123
|
targetNode,
|
|
2905
3124
|
networkId,
|
|
2906
|
-
action:
|
|
3125
|
+
action: NETWORK_CREATE_ACTION2,
|
|
2907
3126
|
facts
|
|
2908
3127
|
});
|
|
2909
3128
|
const response = await fetch(`${this.config.host}/encryption/networks`, {
|
|
@@ -2924,12 +3143,19 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
2924
3143
|
const created = await response.json();
|
|
2925
3144
|
return created.descriptor;
|
|
2926
3145
|
}
|
|
2927
|
-
async ensureEncryptionNetwork(
|
|
2928
|
-
const
|
|
3146
|
+
async ensureEncryptionNetwork(nameOrNetworkId = DEFAULT_ENCRYPTION_NETWORK_NAME) {
|
|
3147
|
+
const networkId = nameOrNetworkId.startsWith("urn:tinycloud:encryption:") ? nameOrNetworkId : this.getDefaultEncryptionNetworkId(nameOrNetworkId);
|
|
3148
|
+
const existing = await this.getEncryptionNetwork(networkId);
|
|
2929
3149
|
if (existing) {
|
|
2930
3150
|
return existing;
|
|
2931
3151
|
}
|
|
2932
|
-
|
|
3152
|
+
const parsed = parseNetworkId2(networkId);
|
|
3153
|
+
if (!didPrincipalMatches2(parsed.ownerDid, this.did)) {
|
|
3154
|
+
throw new Error(
|
|
3155
|
+
`Cannot create encryption network ${networkId}: owner ${parsed.ownerDid} does not match signed-in DID ${this.did}`
|
|
3156
|
+
);
|
|
3157
|
+
}
|
|
3158
|
+
return this.createEncryptionNetwork(parsed.name);
|
|
2933
3159
|
}
|
|
2934
3160
|
/**
|
|
2935
3161
|
* App-facing secrets API backed by the `secrets` space vault.
|
|
@@ -3077,7 +3303,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
3077
3303
|
throw new SessionExpiredError(delegation.expiry);
|
|
3078
3304
|
}
|
|
3079
3305
|
const expectedDids = [session.verificationMethod, this.sessionDid];
|
|
3080
|
-
if (!expectedDids.some((did) =>
|
|
3306
|
+
if (!expectedDids.some((did) => didPrincipalMatches2(delegation.delegateDID, did))) {
|
|
3081
3307
|
throw new Error(
|
|
3082
3308
|
`Runtime delegation targets ${delegation.delegateDID} but this session key is ${session.verificationMethod}.`
|
|
3083
3309
|
);
|
|
@@ -3606,7 +3832,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
3606
3832
|
);
|
|
3607
3833
|
}
|
|
3608
3834
|
const target = request.delegationTargets.find(
|
|
3609
|
-
(entry) =>
|
|
3835
|
+
(entry) => didPrincipalMatches2(entry.did, did)
|
|
3610
3836
|
);
|
|
3611
3837
|
if (!target) {
|
|
3612
3838
|
throw new Error(`No manifest delegation target found for DID ${did}`);
|
|
@@ -4056,7 +4282,23 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
4056
4282
|
if (granted.resource !== void 0 || requested.resource !== void 0) {
|
|
4057
4283
|
return granted.resource !== void 0 && requested.resource !== void 0 && granted.resource === requested.resource && this.pathContains(granted.path, requested.path);
|
|
4058
4284
|
}
|
|
4059
|
-
return granted.spaceId !== void 0 && requested.spaceId !== void 0 && granted.spaceId
|
|
4285
|
+
return granted.spaceId !== void 0 && requested.spaceId !== void 0 && this.spaceIdsEqual(granted.spaceId, requested.spaceId) && this.pathContains(granted.path, requested.path);
|
|
4286
|
+
}
|
|
4287
|
+
// Space IDs are `tinycloud:pkh:eip155:<chain>:<0xADDR>:<name>`. The embedded
|
|
4288
|
+
// EIP-155 address is case-insensitive, but the CLI canonicalizes it to
|
|
4289
|
+
// lowercase when building a space URI while stored runtime delegations keep
|
|
4290
|
+
// the EIP-55 checksummed form — so a byte-for-byte compare spuriously rejects
|
|
4291
|
+
// an otherwise-valid grant. Lowercase ONLY the `eip155:<chain>:0x<addr>`
|
|
4292
|
+
// segment and leave everything else (crucially the case-sensitive space NAME)
|
|
4293
|
+
// byte-exact. Mirrors the CLI's `normalizeSpaceForCompare` (OPENKEY_SCOPE_MISMATCH fix).
|
|
4294
|
+
spaceIdsEqual(a, b) {
|
|
4295
|
+
return this.normalizeSpaceAddress(a) === this.normalizeSpaceAddress(b);
|
|
4296
|
+
}
|
|
4297
|
+
normalizeSpaceAddress(space) {
|
|
4298
|
+
return space.replace(
|
|
4299
|
+
/(eip155:\d+:)(0x[0-9a-fA-F]{40})/,
|
|
4300
|
+
(_match, prefix, addr) => prefix + addr.toLowerCase()
|
|
4301
|
+
);
|
|
4060
4302
|
}
|
|
4061
4303
|
actionContains(grantedAction, requestedAction) {
|
|
4062
4304
|
if (grantedAction === requestedAction) {
|
|
@@ -4320,7 +4562,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
4320
4562
|
const targetHost = delegation.host ?? this.config.host;
|
|
4321
4563
|
if (this.isSessionOnly) {
|
|
4322
4564
|
const myDid = this.did;
|
|
4323
|
-
if (!
|
|
4565
|
+
if (!didPrincipalMatches2(delegation.delegateDID, myDid)) {
|
|
4324
4566
|
throw new Error(
|
|
4325
4567
|
`Delegation targets ${delegation.delegateDID} but this user's DID is ${myDid}. The delegation must target this user's DID.`
|
|
4326
4568
|
);
|
|
@@ -4617,6 +4859,7 @@ import { ServiceContext as ServiceContext3 } from "@tinycloud/sdk-core";
|
|
|
4617
4859
|
export {
|
|
4618
4860
|
ACCOUNT_REGISTRY_PATH,
|
|
4619
4861
|
ACCOUNT_REGISTRY_SPACE2 as ACCOUNT_REGISTRY_SPACE,
|
|
4862
|
+
AccountService,
|
|
4620
4863
|
AutoApproveSpaceCreationHandler2 as AutoApproveSpaceCreationHandler,
|
|
4621
4864
|
CapabilityKeyRegistry2 as CapabilityKeyRegistry,
|
|
4622
4865
|
CapabilityKeyRegistryErrorCodes,
|
|
@@ -4692,7 +4935,7 @@ export {
|
|
|
4692
4935
|
parseSpaceUri,
|
|
4693
4936
|
pkhDid3 as pkhDid,
|
|
4694
4937
|
principalDid,
|
|
4695
|
-
|
|
4938
|
+
principalDidEquals3 as principalDidEquals,
|
|
4696
4939
|
resolveManifest2 as resolveManifest,
|
|
4697
4940
|
resolveSecretListPrefix2 as resolveSecretListPrefix,
|
|
4698
4941
|
resolveSecretPath2 as resolveSecretPath,
|