@tinycloud/node-sdk 2.4.0-beta.3 → 2.4.0-beta.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/core.d.cts CHANGED
@@ -1,4 +1,4 @@
1
1
  export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CanonicalAddress, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, addressStorageKey, buildSpaceUri, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeNetworkId, canonicalizeSecretScope, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, didCacheKey, didEquals, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, isCapabilitySubset, isEvmAddress, loadManifest, makePkhSpaceId, makePublicSpaceId, parseCanonicalNetworkId, parseExpiry, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, validateManifest } from '@tinycloud/sdk-core';
2
- export { D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, s as serializeDelegation } from './core-ClOKiSR_.cjs';
2
+ export { D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, s as serializeDelegation } from './core-BSQqoLAd.cjs';
3
3
  import 'events';
4
4
  import '@tinycloud/sdk-services';
package/dist/core.d.ts CHANGED
@@ -1,4 +1,4 @@
1
1
  export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CanonicalAddress, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, addressStorageKey, buildSpaceUri, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeNetworkId, canonicalizeSecretScope, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, didCacheKey, didEquals, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, isCapabilitySubset, isEvmAddress, loadManifest, makePkhSpaceId, makePublicSpaceId, parseCanonicalNetworkId, parseExpiry, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, validateManifest } from '@tinycloud/sdk-core';
2
- export { D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, s as serializeDelegation } from './core-ClOKiSR_.js';
2
+ export { D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, s as serializeDelegation } from './core-BSQqoLAd.js';
3
3
  import 'events';
4
4
  import '@tinycloud/sdk-services';
package/dist/core.js CHANGED
@@ -17,7 +17,7 @@ import {
17
17
  parsePkhDid,
18
18
  pkhDid as pkhDid3,
19
19
  principalDid,
20
- principalDidEquals as principalDidEquals2,
20
+ principalDidEquals as principalDidEquals3,
21
21
  parseCanonicalNetworkId
22
22
  } from "@tinycloud/sdk-core";
23
23
 
@@ -222,6 +222,8 @@ import {
222
222
  DEFAULT_MANIFEST_SPACE,
223
223
  ENCRYPTION_PERMISSION_SERVICE,
224
224
  composeManifestRequest,
225
+ parseNetworkId,
226
+ principalDidEquals,
225
227
  resourceCapabilitiesToAbilitiesMap,
226
228
  resourceCapabilitiesToSpaceAbilitiesMap,
227
229
  resolveTinyCloudHosts,
@@ -235,6 +237,25 @@ import {
235
237
  var defaultSignStrategy = { type: "auto-sign" };
236
238
 
237
239
  // src/authorization/NodeUserAuthorization.ts
240
+ var DECRYPT_ACTION = "tinycloud.encryption/decrypt";
241
+ var NETWORK_CREATE_ACTION = "tinycloud.encryption/network.create";
242
+ function didPrincipalMatches(actual, expected) {
243
+ try {
244
+ return principalDidEquals(actual, expected);
245
+ } catch {
246
+ return actual === expected;
247
+ }
248
+ }
249
+ function addRawAbility(rawAbilities, resource, action) {
250
+ const actions = rawAbilities[resource];
251
+ if (actions === void 0) {
252
+ rawAbilities[resource] = [action];
253
+ return;
254
+ }
255
+ if (!actions.includes(action)) {
256
+ actions.push(action);
257
+ }
258
+ }
238
259
  var NodeUserAuthorization = class {
239
260
  constructor(config) {
240
261
  this.extensions = [];
@@ -464,20 +485,18 @@ var NodeUserAuthorization = class {
464
485
  };
465
486
  }
466
487
  const rawAbilities = {};
488
+ const currentDid = pkhDid(address, chainId);
467
489
  const spaceResources = request.resources.filter((entry) => {
468
490
  if (entry.service !== ENCRYPTION_PERMISSION_SERVICE) {
469
491
  return true;
470
492
  }
471
- const existing = rawAbilities[entry.path];
472
- if (existing === void 0) {
473
- rawAbilities[entry.path] = [...entry.actions];
474
- } else {
475
- const seen = new Set(existing);
476
- for (const action of entry.actions) {
477
- if (!seen.has(action)) {
478
- existing.push(action);
479
- seen.add(action);
480
- }
493
+ for (const action of entry.actions) {
494
+ addRawAbility(rawAbilities, entry.path, action);
495
+ }
496
+ if (entry.actions.includes(DECRYPT_ACTION)) {
497
+ const parsed = parseNetworkId(entry.path);
498
+ if (didPrincipalMatches(parsed.ownerDid, currentDid)) {
499
+ addRawAbility(rawAbilities, entry.path, NETWORK_CREATE_ACTION);
481
500
  }
482
501
  }
483
502
  return false;
@@ -1070,7 +1089,8 @@ import {
1070
1089
  verifyDidKeyEd25519Signature,
1071
1090
  canonicalizeAddress as canonicalizeAddress2,
1072
1091
  pkhDid as pkhDid2,
1073
- principalDidEquals
1092
+ principalDidEquals as principalDidEquals2,
1093
+ parseNetworkId as parseNetworkId2
1074
1094
  } from "@tinycloud/sdk-core";
1075
1095
 
1076
1096
  // src/DelegatedAccess.ts
@@ -1490,13 +1510,13 @@ var NodeSecretsService = class {
1490
1510
  // src/TinyCloudNode.ts
1491
1511
  var DEFAULT_HOST = "https://node.tinycloud.xyz";
1492
1512
  var DEFAULT_ENCRYPTION_NETWORK_NAME = "default";
1493
- var NETWORK_CREATE_ACTION = "tinycloud.encryption/network.create";
1494
- var DECRYPT_ACTION = "tinycloud.encryption/decrypt";
1513
+ var NETWORK_CREATE_ACTION2 = "tinycloud.encryption/network.create";
1514
+ var DECRYPT_ACTION2 = "tinycloud.encryption/decrypt";
1495
1515
  var NETWORK_ADMIN_TYPE = "tinycloud.encryption.network-admin/v1";
1496
1516
  var DEFAULT_SESSION_EXPIRATION_MS = EXPIRY3.SESSION_MS;
1497
- function didPrincipalMatches(actual, expected) {
1517
+ function didPrincipalMatches2(actual, expected) {
1498
1518
  try {
1499
- return principalDidEquals(actual, expected);
1519
+ return principalDidEquals2(actual, expected);
1500
1520
  } catch {
1501
1521
  return actual === expected;
1502
1522
  }
@@ -1870,6 +1890,7 @@ var _TinyCloudNode = class _TinyCloudNode {
1870
1890
  await this.tc.signIn(options);
1871
1891
  this.syncResolvedHostFromAuth();
1872
1892
  this.initializeServices();
1893
+ await this.ensureRequestedEncryptionNetworks();
1873
1894
  if (this.config.manifest === void 0 && this.config.capabilityRequest === void 0) {
1874
1895
  await this.ensureOwnedSpaceHosted(this.ownedSpaceId("secrets"));
1875
1896
  }
@@ -1906,6 +1927,31 @@ var _TinyCloudNode = class _TinyCloudNode {
1906
1927
  }
1907
1928
  }
1908
1929
  }
1930
+ requestedEncryptionNetworkIds() {
1931
+ const request = this.capabilityRequest;
1932
+ if (!request) {
1933
+ return [];
1934
+ }
1935
+ const networkIds = /* @__PURE__ */ new Set();
1936
+ for (const resource of request.resources) {
1937
+ if (resource.service === ENCRYPTION_PERMISSION_SERVICE2 && resource.path.startsWith("urn:tinycloud:encryption:") && resource.actions.includes(DECRYPT_ACTION2)) {
1938
+ networkIds.add(resource.path);
1939
+ }
1940
+ }
1941
+ return [...networkIds];
1942
+ }
1943
+ async ensureRequestedEncryptionNetworks() {
1944
+ if (!this.signer || !this.auth) {
1945
+ return;
1946
+ }
1947
+ for (const networkId of this.requestedEncryptionNetworkIds()) {
1948
+ const parsed = parseNetworkId2(networkId);
1949
+ if (!didPrincipalMatches2(parsed.ownerDid, this.did)) {
1950
+ continue;
1951
+ }
1952
+ await this.ensureEncryptionNetwork(networkId);
1953
+ }
1954
+ }
1909
1955
  async ensureOwnedSpaceHosted(spaceId) {
1910
1956
  if (!this.auth) {
1911
1957
  throw new Error("Owned space hosting requires wallet mode");
@@ -2374,7 +2420,7 @@ var _TinyCloudNode = class _TinyCloudNode {
2374
2420
  const signed = await this.signRawNetworkAuthorization({
2375
2421
  targetNode: input.targetNode,
2376
2422
  networkId: input.networkId,
2377
- action: DECRYPT_ACTION,
2423
+ action: DECRYPT_ACTION2,
2378
2424
  facts: input.facts
2379
2425
  });
2380
2426
  return {
@@ -2391,7 +2437,7 @@ var _TinyCloudNode = class _TinyCloudNode {
2391
2437
  },
2392
2438
  wellKnown: {
2393
2439
  fetchWellKnown: async (principal, discoveryKey) => {
2394
- if (!this._address || !didPrincipalMatches(principal, this.did)) {
2440
+ if (!this._address || !didPrincipalMatches2(principal, this.did)) {
2395
2441
  return null;
2396
2442
  }
2397
2443
  if (!this.config.host) {
@@ -2898,12 +2944,12 @@ var _TinyCloudNode = class _TinyCloudNode {
2898
2944
  crypto.sha256,
2899
2945
  body
2900
2946
  ),
2901
- action: NETWORK_CREATE_ACTION
2947
+ action: NETWORK_CREATE_ACTION2
2902
2948
  };
2903
2949
  const signed = await this.signRawNetworkAuthorization({
2904
2950
  targetNode,
2905
2951
  networkId,
2906
- action: NETWORK_CREATE_ACTION,
2952
+ action: NETWORK_CREATE_ACTION2,
2907
2953
  facts
2908
2954
  });
2909
2955
  const response = await fetch(`${this.config.host}/encryption/networks`, {
@@ -2924,12 +2970,19 @@ var _TinyCloudNode = class _TinyCloudNode {
2924
2970
  const created = await response.json();
2925
2971
  return created.descriptor;
2926
2972
  }
2927
- async ensureEncryptionNetwork(name = DEFAULT_ENCRYPTION_NETWORK_NAME) {
2928
- const existing = await this.getEncryptionNetwork(name);
2973
+ async ensureEncryptionNetwork(nameOrNetworkId = DEFAULT_ENCRYPTION_NETWORK_NAME) {
2974
+ const networkId = nameOrNetworkId.startsWith("urn:tinycloud:encryption:") ? nameOrNetworkId : this.getDefaultEncryptionNetworkId(nameOrNetworkId);
2975
+ const existing = await this.getEncryptionNetwork(networkId);
2929
2976
  if (existing) {
2930
2977
  return existing;
2931
2978
  }
2932
- return this.createEncryptionNetwork(name);
2979
+ const parsed = parseNetworkId2(networkId);
2980
+ if (!didPrincipalMatches2(parsed.ownerDid, this.did)) {
2981
+ throw new Error(
2982
+ `Cannot create encryption network ${networkId}: owner ${parsed.ownerDid} does not match signed-in DID ${this.did}`
2983
+ );
2984
+ }
2985
+ return this.createEncryptionNetwork(parsed.name);
2933
2986
  }
2934
2987
  /**
2935
2988
  * App-facing secrets API backed by the `secrets` space vault.
@@ -3077,7 +3130,7 @@ var _TinyCloudNode = class _TinyCloudNode {
3077
3130
  throw new SessionExpiredError(delegation.expiry);
3078
3131
  }
3079
3132
  const expectedDids = [session.verificationMethod, this.sessionDid];
3080
- if (!expectedDids.some((did) => didPrincipalMatches(delegation.delegateDID, did))) {
3133
+ if (!expectedDids.some((did) => didPrincipalMatches2(delegation.delegateDID, did))) {
3081
3134
  throw new Error(
3082
3135
  `Runtime delegation targets ${delegation.delegateDID} but this session key is ${session.verificationMethod}.`
3083
3136
  );
@@ -3606,7 +3659,7 @@ var _TinyCloudNode = class _TinyCloudNode {
3606
3659
  );
3607
3660
  }
3608
3661
  const target = request.delegationTargets.find(
3609
- (entry) => didPrincipalMatches(entry.did, did)
3662
+ (entry) => didPrincipalMatches2(entry.did, did)
3610
3663
  );
3611
3664
  if (!target) {
3612
3665
  throw new Error(`No manifest delegation target found for DID ${did}`);
@@ -4336,7 +4389,7 @@ var _TinyCloudNode = class _TinyCloudNode {
4336
4389
  const targetHost = delegation.host ?? this.config.host;
4337
4390
  if (this.isSessionOnly) {
4338
4391
  const myDid = this.did;
4339
- if (!didPrincipalMatches(delegation.delegateDID, myDid)) {
4392
+ if (!didPrincipalMatches2(delegation.delegateDID, myDid)) {
4340
4393
  throw new Error(
4341
4394
  `Delegation targets ${delegation.delegateDID} but this user's DID is ${myDid}. The delegation must target this user's DID.`
4342
4395
  );
@@ -4708,7 +4761,7 @@ export {
4708
4761
  parseSpaceUri,
4709
4762
  pkhDid3 as pkhDid,
4710
4763
  principalDid,
4711
- principalDidEquals2 as principalDidEquals,
4764
+ principalDidEquals3 as principalDidEquals,
4712
4765
  resolveManifest2 as resolveManifest,
4713
4766
  resolveSecretListPrefix2 as resolveSecretListPrefix,
4714
4767
  resolveSecretPath2 as resolveSecretPath,