@tinycloud/node-sdk 2.5.1 → 2.6.0-beta.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{core-ojeY-wet.d.cts → core-Cr-zD1lk.d.cts} +42 -0
- package/dist/{core-ojeY-wet.d.ts → core-Cr-zD1lk.d.ts} +42 -0
- package/dist/core.cjs +169 -96
- package/dist/core.cjs.map +1 -1
- package/dist/core.d.cts +1 -1
- package/dist/core.d.ts +1 -1
- package/dist/core.js +180 -97
- package/dist/core.js.map +1 -1
- package/dist/index.cjs +169 -96
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +1 -1
- package/dist/index.d.ts +1 -1
- package/dist/index.js +180 -97
- package/dist/index.js.map +1 -1
- package/package.json +2 -2
package/dist/core.d.cts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
1
|
export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AccountApplication, AccountApplicationListOptions, AccountDelegation, AccountDelegationListOptions, AccountDelegationRevokeOptions, AccountIndexEnsureResult, AccountIndexRebuildResult, AccountIndexStatus, AccountIndexedReadOptions, AccountService, AccountServiceConfig, AccountSpace, AccountSpaceListOptions, AccountStatus, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CanonicalAddress, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, OpenKeyCallbackStrategy, OpenKeySigningRequestBody, OpenKeySigningResponseBody, OpenKeySigningStrategyOptions, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudDebugEnableOptions, TinyCloudDebugEvent, TinyCloudDebugLevel, TinyCloudDebugLogger, TinyCloudDebugTimer, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, addressStorageKey, buildSpaceUri, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeNetworkId, canonicalizeSecretScope, checkNodeInfo, clearTinyCloudDebugLogs, composeManifestRequest, createCapabilityKeyRegistry, createOpenKeyCallbackSigningStrategy, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, didCacheKey, didEquals, disableTinyCloudDebug, enableTinyCloudDebug, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, getTinyCloudDebugLogs, installTinyCloudDebugGlobals, isCapabilitySubset, isEvmAddress, loadManifest, makePkhSpaceId, makePublicSpaceId, parseCanonicalNetworkId, parseExpiry, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, tinyCloudDebugLogger, validateManifest } from '@tinycloud/sdk-core';
|
|
2
|
-
export { D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, s as serializeDelegation } from './core-
|
|
2
|
+
export { D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, s as serializeDelegation } from './core-Cr-zD1lk.cjs';
|
|
3
3
|
import 'events';
|
|
4
4
|
import '@tinycloud/sdk-services';
|
package/dist/core.d.ts
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
1
|
export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AccountApplication, AccountApplicationListOptions, AccountDelegation, AccountDelegationListOptions, AccountDelegationRevokeOptions, AccountIndexEnsureResult, AccountIndexRebuildResult, AccountIndexStatus, AccountIndexedReadOptions, AccountService, AccountServiceConfig, AccountSpace, AccountSpaceListOptions, AccountStatus, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CanonicalAddress, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, OpenKeyCallbackStrategy, OpenKeySigningRequestBody, OpenKeySigningResponseBody, OpenKeySigningStrategyOptions, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudDebugEnableOptions, TinyCloudDebugEvent, TinyCloudDebugLevel, TinyCloudDebugLogger, TinyCloudDebugTimer, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, addressStorageKey, buildSpaceUri, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeNetworkId, canonicalizeSecretScope, checkNodeInfo, clearTinyCloudDebugLogs, composeManifestRequest, createCapabilityKeyRegistry, createOpenKeyCallbackSigningStrategy, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, didCacheKey, didEquals, disableTinyCloudDebug, enableTinyCloudDebug, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, getTinyCloudDebugLogs, installTinyCloudDebugGlobals, isCapabilitySubset, isEvmAddress, loadManifest, makePkhSpaceId, makePublicSpaceId, parseCanonicalNetworkId, parseExpiry, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, tinyCloudDebugLogger, validateManifest } from '@tinycloud/sdk-core';
|
|
2
|
-
export { D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, s as serializeDelegation } from './core-
|
|
2
|
+
export { D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, s as serializeDelegation } from './core-Cr-zD1lk.js';
|
|
3
3
|
import 'events';
|
|
4
4
|
import '@tinycloud/sdk-services';
|
package/dist/core.js
CHANGED
|
@@ -237,7 +237,13 @@ import {
|
|
|
237
237
|
EXPIRY,
|
|
238
238
|
canonicalizeAddress,
|
|
239
239
|
makePkhSpaceId,
|
|
240
|
-
pkhDid
|
|
240
|
+
pkhDid,
|
|
241
|
+
KV,
|
|
242
|
+
SQL,
|
|
243
|
+
DUCKDB,
|
|
244
|
+
CAPABILITIES,
|
|
245
|
+
HOOKS,
|
|
246
|
+
ENCRYPTION
|
|
241
247
|
} from "@tinycloud/sdk-core";
|
|
242
248
|
|
|
243
249
|
// src/authorization/strategies.ts
|
|
@@ -245,8 +251,8 @@ import { createOpenKeyCallbackSigningStrategy } from "@tinycloud/sdk-core";
|
|
|
245
251
|
var defaultSignStrategy = { type: "auto-sign" };
|
|
246
252
|
|
|
247
253
|
// src/authorization/NodeUserAuthorization.ts
|
|
248
|
-
var DECRYPT_ACTION =
|
|
249
|
-
var NETWORK_CREATE_ACTION =
|
|
254
|
+
var DECRYPT_ACTION = ENCRYPTION.DECRYPT;
|
|
255
|
+
var NETWORK_CREATE_ACTION = ENCRYPTION.NETWORK_CREATE;
|
|
250
256
|
function didPrincipalMatches(actual, expected) {
|
|
251
257
|
try {
|
|
252
258
|
return principalDidEquals(actual, expected);
|
|
@@ -279,44 +285,27 @@ var NodeUserAuthorization = class {
|
|
|
279
285
|
this.spacePrefix = config.spacePrefix ?? "default";
|
|
280
286
|
this.defaultActions = config.defaultActions ?? {
|
|
281
287
|
kv: {
|
|
282
|
-
"": [
|
|
283
|
-
"tinycloud.kv/put",
|
|
284
|
-
"tinycloud.kv/get",
|
|
285
|
-
"tinycloud.kv/del",
|
|
286
|
-
"tinycloud.kv/list",
|
|
287
|
-
"tinycloud.kv/metadata"
|
|
288
|
-
]
|
|
288
|
+
"": [KV.PUT, KV.GET, KV.DEL, KV.LIST, KV.METADATA]
|
|
289
289
|
},
|
|
290
290
|
sql: {
|
|
291
|
-
"": [
|
|
292
|
-
"tinycloud.sql/read",
|
|
293
|
-
"tinycloud.sql/write",
|
|
294
|
-
"tinycloud.sql/schema",
|
|
295
|
-
"tinycloud.sql/admin",
|
|
296
|
-
"tinycloud.sql/export"
|
|
297
|
-
]
|
|
291
|
+
"": [SQL.READ, SQL.WRITE, SQL.SCHEMA, SQL.ADMIN, SQL.EXPORT]
|
|
298
292
|
},
|
|
299
293
|
duckdb: {
|
|
300
294
|
"": [
|
|
301
|
-
|
|
302
|
-
|
|
303
|
-
|
|
304
|
-
|
|
305
|
-
|
|
306
|
-
|
|
307
|
-
|
|
295
|
+
DUCKDB.READ,
|
|
296
|
+
DUCKDB.WRITE,
|
|
297
|
+
DUCKDB.ADMIN,
|
|
298
|
+
DUCKDB.DESCRIBE,
|
|
299
|
+
DUCKDB.EXPORT,
|
|
300
|
+
DUCKDB.IMPORT,
|
|
301
|
+
DUCKDB.EXECUTE
|
|
308
302
|
]
|
|
309
303
|
},
|
|
310
304
|
capabilities: {
|
|
311
|
-
"": [
|
|
305
|
+
"": [CAPABILITIES.READ]
|
|
312
306
|
},
|
|
313
307
|
hooks: {
|
|
314
|
-
"": [
|
|
315
|
-
"tinycloud.hooks/subscribe",
|
|
316
|
-
"tinycloud.hooks/register",
|
|
317
|
-
"tinycloud.hooks/list",
|
|
318
|
-
"tinycloud.hooks/unregister"
|
|
319
|
-
]
|
|
308
|
+
"": [HOOKS.SUBSCRIBE, HOOKS.REGISTER, HOOKS.LIST, HOOKS.UNREGISTER]
|
|
320
309
|
}
|
|
321
310
|
};
|
|
322
311
|
this.sessionExpirationMs = config.sessionExpirationMs ?? EXPIRY.SESSION_MS;
|
|
@@ -516,20 +505,17 @@ var NodeUserAuthorization = class {
|
|
|
516
505
|
[secretsSpaceId]: {
|
|
517
506
|
kv: {
|
|
518
507
|
"vault/secrets/": [
|
|
519
|
-
|
|
520
|
-
|
|
521
|
-
|
|
522
|
-
|
|
523
|
-
|
|
508
|
+
KV.GET,
|
|
509
|
+
KV.PUT,
|
|
510
|
+
KV.DEL,
|
|
511
|
+
KV.LIST,
|
|
512
|
+
KV.METADATA
|
|
524
513
|
]
|
|
525
514
|
}
|
|
526
515
|
}
|
|
527
516
|
},
|
|
528
517
|
rawAbilities: {
|
|
529
|
-
[defaultNetworkId]: [
|
|
530
|
-
"tinycloud.encryption/decrypt",
|
|
531
|
-
"tinycloud.encryption/network.create"
|
|
532
|
-
]
|
|
518
|
+
[defaultNetworkId]: [DECRYPT_ACTION, NETWORK_CREATE_ACTION]
|
|
533
519
|
}
|
|
534
520
|
};
|
|
535
521
|
}
|
|
@@ -1205,6 +1191,10 @@ import {
|
|
|
1205
1191
|
isCapabilitySubset,
|
|
1206
1192
|
parseRecapCapabilities,
|
|
1207
1193
|
SERVICE_LONG_TO_SHORT,
|
|
1194
|
+
KV as KV2,
|
|
1195
|
+
SQL as SQL2,
|
|
1196
|
+
DUCKDB as DUCKDB2,
|
|
1197
|
+
ENCRYPTION as ENCRYPTION2,
|
|
1208
1198
|
EXPIRY as EXPIRY3,
|
|
1209
1199
|
canonicalHashHex,
|
|
1210
1200
|
canonicalizeEncryptionJson,
|
|
@@ -1650,9 +1640,27 @@ var NodeSecretsService = class {
|
|
|
1650
1640
|
// src/TinyCloudNode.ts
|
|
1651
1641
|
var DEFAULT_HOST = "https://node.tinycloud.xyz";
|
|
1652
1642
|
var DEFAULT_ENCRYPTION_NETWORK_NAME = "default";
|
|
1653
|
-
var NETWORK_CREATE_ACTION2 =
|
|
1654
|
-
var DECRYPT_ACTION2 =
|
|
1643
|
+
var NETWORK_CREATE_ACTION2 = ENCRYPTION2.NETWORK_CREATE;
|
|
1644
|
+
var DECRYPT_ACTION2 = ENCRYPTION2.DECRYPT;
|
|
1655
1645
|
var NETWORK_ADMIN_TYPE = "tinycloud.encryption.network-admin/v1";
|
|
1646
|
+
var ROOT_DELEGATION_ACTIONS = [
|
|
1647
|
+
KV2.PUT,
|
|
1648
|
+
KV2.GET,
|
|
1649
|
+
KV2.DEL,
|
|
1650
|
+
KV2.LIST,
|
|
1651
|
+
KV2.METADATA,
|
|
1652
|
+
SQL2.READ,
|
|
1653
|
+
SQL2.WRITE,
|
|
1654
|
+
SQL2.ADMIN,
|
|
1655
|
+
SQL2.ALL,
|
|
1656
|
+
DUCKDB2.READ,
|
|
1657
|
+
DUCKDB2.WRITE,
|
|
1658
|
+
DUCKDB2.ADMIN,
|
|
1659
|
+
DUCKDB2.DESCRIBE,
|
|
1660
|
+
DUCKDB2.EXPORT,
|
|
1661
|
+
DUCKDB2.IMPORT,
|
|
1662
|
+
DUCKDB2.ALL
|
|
1663
|
+
];
|
|
1656
1664
|
var DEFAULT_SESSION_EXPIRATION_MS = EXPIRY3.SESSION_MS;
|
|
1657
1665
|
function isOpenKeyAutoSignStrategy(strategy) {
|
|
1658
1666
|
return strategy?.openKeyAutoSign === true;
|
|
@@ -2124,6 +2132,10 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
2124
2132
|
await this.tc.signIn(options);
|
|
2125
2133
|
this.syncResolvedHostFromAuth();
|
|
2126
2134
|
this.initializeServices();
|
|
2135
|
+
const primarySession = this.currentTinyCloudSession();
|
|
2136
|
+
if (primarySession) {
|
|
2137
|
+
this.registerPrimarySessionGrant(primarySession);
|
|
2138
|
+
}
|
|
2127
2139
|
const bootstrapped = await this.bootstrapAccountIfNeeded();
|
|
2128
2140
|
await this.ensureRequestedEncryptionNetworks();
|
|
2129
2141
|
if (!bootstrapped && this.config.manifest === void 0 && this.config.capabilityRequest === void 0) {
|
|
@@ -2367,7 +2379,107 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
2367
2379
|
host: this.config.host
|
|
2368
2380
|
},
|
|
2369
2381
|
operations,
|
|
2370
|
-
expiresAt
|
|
2382
|
+
expiresAt,
|
|
2383
|
+
provenance: "bootstrap"
|
|
2384
|
+
});
|
|
2385
|
+
}
|
|
2386
|
+
/**
|
|
2387
|
+
* Map the base session's OWN recap into runtime permission operations.
|
|
2388
|
+
*
|
|
2389
|
+
* Uses the RAW `parseRecapFromSiwe` binding — NOT `parseRecapCapabilities`,
|
|
2390
|
+
* whose `normalizeSpace` collapses `tinycloud:pkh:...:<owner>:<space>` to a
|
|
2391
|
+
* bare short name and would conflate two owners' identically-named spaces.
|
|
2392
|
+
* We must keep the full owner-scoped URI so a synthetic primary grant can
|
|
2393
|
+
* never cover an operation on a different owner's space.
|
|
2394
|
+
*
|
|
2395
|
+
* Mirrors {@link operationsFromDelegation}'s op shape: encryption network
|
|
2396
|
+
* entries (`urn:tinycloud:encryption:` paths) become `resource` ops; every
|
|
2397
|
+
* other entry becomes a `spaceId` op carrying the raw recap `space` URI.
|
|
2398
|
+
* One op per action.
|
|
2399
|
+
*
|
|
2400
|
+
* Returns `[]` for session-only / restored-without-siwe modes and for any
|
|
2401
|
+
* unparseable SIWE — the primary grant is simply not registered in that case.
|
|
2402
|
+
*/
|
|
2403
|
+
recapOperationsFromSession(session) {
|
|
2404
|
+
const siwe = session.siwe;
|
|
2405
|
+
if (!siwe) {
|
|
2406
|
+
return [];
|
|
2407
|
+
}
|
|
2408
|
+
if (this._recapOperationsCache?.siwe === siwe) {
|
|
2409
|
+
return this._recapOperationsCache.operations;
|
|
2410
|
+
}
|
|
2411
|
+
let operations = [];
|
|
2412
|
+
try {
|
|
2413
|
+
const entries = this.wasmBindings.parseRecapFromSiwe(siwe);
|
|
2414
|
+
if (Array.isArray(entries)) {
|
|
2415
|
+
operations = entries.flatMap((entry) => {
|
|
2416
|
+
const service = this.invocationServiceName(entry.service);
|
|
2417
|
+
return entry.actions.map((action) => ({
|
|
2418
|
+
...this.isEncryptionNetworkOperation(service, entry.path) ? { resource: entry.path } : { spaceId: entry.space },
|
|
2419
|
+
service,
|
|
2420
|
+
path: entry.path,
|
|
2421
|
+
action
|
|
2422
|
+
}));
|
|
2423
|
+
});
|
|
2424
|
+
}
|
|
2425
|
+
} catch {
|
|
2426
|
+
operations = [];
|
|
2427
|
+
}
|
|
2428
|
+
this._recapOperationsCache = { siwe, operations };
|
|
2429
|
+
return operations;
|
|
2430
|
+
}
|
|
2431
|
+
/**
|
|
2432
|
+
* Register the base (primary) session's own recap as a synthetic runtime
|
|
2433
|
+
* grant tagged `provenance: "primary"` so it always out-ranks other covering
|
|
2434
|
+
* grants in {@link findGrantForOperations}. This closes the selection-design
|
|
2435
|
+
* hazard where a broad — possibly broken — bootstrap/delegated grant could
|
|
2436
|
+
* hijack an operation the primary session itself already authorized (TC-111).
|
|
2437
|
+
*
|
|
2438
|
+
* Two safety exclusions:
|
|
2439
|
+
* - Ops whose space is in `lastActivationSkippedSpaceIds` are dropped: the
|
|
2440
|
+
* node refused to activate those spaces this sign-in even though the recap
|
|
2441
|
+
* claims them. Including them would let the synthetic primary out-rank a
|
|
2442
|
+
* working grant and 401 (the "skipped-activation inverted hijack").
|
|
2443
|
+
* - Encryption `resource` ops are kept as-is (space-independent).
|
|
2444
|
+
*
|
|
2445
|
+
* No-ops when nothing remains after exclusion. Callers (`signIn`,
|
|
2446
|
+
* `restoreSession`) clear `runtimePermissionGrants` first, so no dupes.
|
|
2447
|
+
*/
|
|
2448
|
+
registerPrimarySessionGrant(session) {
|
|
2449
|
+
const skipped = this.auth ? this.auth.lastActivationSkippedSpaceIds ?? [] : [];
|
|
2450
|
+
const operations = this.recapOperationsFromSession(session).filter(
|
|
2451
|
+
(operation) => operation.spaceId === void 0 || !skipped.some((spaceId) => this.spaceIdsEqual(spaceId, operation.spaceId))
|
|
2452
|
+
);
|
|
2453
|
+
if (operations.length === 0) {
|
|
2454
|
+
return;
|
|
2455
|
+
}
|
|
2456
|
+
const expiresAt = extractSiweExpiration(session.siwe) ?? this.getSessionExpiry();
|
|
2457
|
+
const actions = [...new Set(operations.map((operation) => operation.action))];
|
|
2458
|
+
this.runtimePermissionGrants.push({
|
|
2459
|
+
session: {
|
|
2460
|
+
delegationHeader: session.delegationHeader,
|
|
2461
|
+
delegationCid: session.delegationCid,
|
|
2462
|
+
spaceId: session.spaceId,
|
|
2463
|
+
verificationMethod: session.verificationMethod,
|
|
2464
|
+
jwk: session.jwk
|
|
2465
|
+
},
|
|
2466
|
+
delegation: {
|
|
2467
|
+
cid: session.delegationCid,
|
|
2468
|
+
delegationHeader: session.delegationHeader,
|
|
2469
|
+
delegateDID: session.verificationMethod,
|
|
2470
|
+
delegatorDID: this.did,
|
|
2471
|
+
spaceId: session.spaceId,
|
|
2472
|
+
path: "",
|
|
2473
|
+
actions,
|
|
2474
|
+
expiry: expiresAt,
|
|
2475
|
+
allowSubDelegation: true,
|
|
2476
|
+
ownerAddress: session.address,
|
|
2477
|
+
chainId: session.chainId,
|
|
2478
|
+
host: this.config.host
|
|
2479
|
+
},
|
|
2480
|
+
operations,
|
|
2481
|
+
expiresAt,
|
|
2482
|
+
provenance: "primary"
|
|
2371
2483
|
});
|
|
2372
2484
|
}
|
|
2373
2485
|
async writeManifestRegistryRecords() {
|
|
@@ -2703,6 +2815,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
2703
2815
|
} else {
|
|
2704
2816
|
this._restoredTcSession = tcSession;
|
|
2705
2817
|
}
|
|
2818
|
+
this.registerPrimarySessionGrant(tcSession);
|
|
2706
2819
|
}
|
|
2707
2820
|
}
|
|
2708
2821
|
/**
|
|
@@ -3174,24 +3287,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
3174
3287
|
spaceId: tcSession.spaceId,
|
|
3175
3288
|
path: "",
|
|
3176
3289
|
// Root access
|
|
3177
|
-
actions: [
|
|
3178
|
-
"tinycloud.kv/put",
|
|
3179
|
-
"tinycloud.kv/get",
|
|
3180
|
-
"tinycloud.kv/del",
|
|
3181
|
-
"tinycloud.kv/list",
|
|
3182
|
-
"tinycloud.kv/metadata",
|
|
3183
|
-
"tinycloud.sql/read",
|
|
3184
|
-
"tinycloud.sql/write",
|
|
3185
|
-
"tinycloud.sql/admin",
|
|
3186
|
-
"tinycloud.sql/*",
|
|
3187
|
-
"tinycloud.duckdb/read",
|
|
3188
|
-
"tinycloud.duckdb/write",
|
|
3189
|
-
"tinycloud.duckdb/admin",
|
|
3190
|
-
"tinycloud.duckdb/describe",
|
|
3191
|
-
"tinycloud.duckdb/export",
|
|
3192
|
-
"tinycloud.duckdb/import",
|
|
3193
|
-
"tinycloud.duckdb/*"
|
|
3194
|
-
],
|
|
3290
|
+
actions: [...ROOT_DELEGATION_ACTIONS],
|
|
3195
3291
|
expiry: this.getSessionExpiry(),
|
|
3196
3292
|
isRevoked: false,
|
|
3197
3293
|
allowSubDelegation: true
|
|
@@ -3204,24 +3300,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
3204
3300
|
delegateDID: tcSession.verificationMethod,
|
|
3205
3301
|
spaceId,
|
|
3206
3302
|
path: "",
|
|
3207
|
-
actions: [
|
|
3208
|
-
"tinycloud.kv/put",
|
|
3209
|
-
"tinycloud.kv/get",
|
|
3210
|
-
"tinycloud.kv/del",
|
|
3211
|
-
"tinycloud.kv/list",
|
|
3212
|
-
"tinycloud.kv/metadata",
|
|
3213
|
-
"tinycloud.sql/read",
|
|
3214
|
-
"tinycloud.sql/write",
|
|
3215
|
-
"tinycloud.sql/admin",
|
|
3216
|
-
"tinycloud.sql/*",
|
|
3217
|
-
"tinycloud.duckdb/read",
|
|
3218
|
-
"tinycloud.duckdb/write",
|
|
3219
|
-
"tinycloud.duckdb/admin",
|
|
3220
|
-
"tinycloud.duckdb/describe",
|
|
3221
|
-
"tinycloud.duckdb/export",
|
|
3222
|
-
"tinycloud.duckdb/import",
|
|
3223
|
-
"tinycloud.duckdb/*"
|
|
3224
|
-
],
|
|
3303
|
+
actions: [...ROOT_DELEGATION_ACTIONS],
|
|
3225
3304
|
expiry: this.getSessionExpiry(),
|
|
3226
3305
|
isRevoked: false,
|
|
3227
3306
|
allowSubDelegation: true
|
|
@@ -3775,7 +3854,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
3775
3854
|
getRuntimePermissionDelegations(permissions) {
|
|
3776
3855
|
this.pruneExpiredRuntimePermissionGrants();
|
|
3777
3856
|
if (permissions === void 0) {
|
|
3778
|
-
return this.runtimePermissionGrants.map((grant) => grant.delegation);
|
|
3857
|
+
return this.runtimePermissionGrants.filter((grant) => grant.provenance !== "primary").map((grant) => grant.delegation);
|
|
3779
3858
|
}
|
|
3780
3859
|
const session = this.currentTinyCloudSession();
|
|
3781
3860
|
if (!session || !Array.isArray(permissions) || permissions.length === 0) {
|
|
@@ -3927,7 +4006,8 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
3927
4006
|
},
|
|
3928
4007
|
delegation,
|
|
3929
4008
|
operations: this.permissionOperations(delegatedEntries, spaceId),
|
|
3930
|
-
expiresAt
|
|
4009
|
+
expiresAt,
|
|
4010
|
+
provenance: "runtime"
|
|
3931
4011
|
});
|
|
3932
4012
|
delegations.push(delegation);
|
|
3933
4013
|
}
|
|
@@ -4065,13 +4145,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
4065
4145
|
throw new Error("Public space not enabled. Set enablePublicSpace: true in config.");
|
|
4066
4146
|
}
|
|
4067
4147
|
await this.auth.hostPublicSpace(publicSpaceId);
|
|
4068
|
-
const kvActions = [
|
|
4069
|
-
"tinycloud.kv/put",
|
|
4070
|
-
"tinycloud.kv/get",
|
|
4071
|
-
"tinycloud.kv/del",
|
|
4072
|
-
"tinycloud.kv/list",
|
|
4073
|
-
"tinycloud.kv/metadata"
|
|
4074
|
-
];
|
|
4148
|
+
const kvActions = [KV2.PUT, KV2.GET, KV2.DEL, KV2.LIST, KV2.METADATA];
|
|
4075
4149
|
const abilities = { kv: { "": kvActions } };
|
|
4076
4150
|
const now = /* @__PURE__ */ new Date();
|
|
4077
4151
|
const expiryMs = EXPIRY3.EPHEMERAL_MS;
|
|
@@ -4594,7 +4668,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
4594
4668
|
return grants;
|
|
4595
4669
|
}
|
|
4596
4670
|
for (const operation of operations) {
|
|
4597
|
-
const grant = this.findGrantForOperation(operation);
|
|
4671
|
+
const grant = this.findGrantForOperation(operation, { excludePrimary: true });
|
|
4598
4672
|
if (!grant) {
|
|
4599
4673
|
return [];
|
|
4600
4674
|
}
|
|
@@ -4634,7 +4708,8 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
4634
4708
|
},
|
|
4635
4709
|
delegation,
|
|
4636
4710
|
operations,
|
|
4637
|
-
expiresAt: delegation.expiry
|
|
4711
|
+
expiresAt: delegation.expiry,
|
|
4712
|
+
provenance: "delegated"
|
|
4638
4713
|
};
|
|
4639
4714
|
}
|
|
4640
4715
|
installRuntimeGrantFromServiceSession(delegation, session, expiresAt) {
|
|
@@ -4649,7 +4724,8 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
4649
4724
|
session,
|
|
4650
4725
|
delegation,
|
|
4651
4726
|
operations,
|
|
4652
|
-
expiresAt
|
|
4727
|
+
expiresAt,
|
|
4728
|
+
provenance: "delegated"
|
|
4653
4729
|
});
|
|
4654
4730
|
}
|
|
4655
4731
|
delegatedResourcesForEntries(entries, spaceId) {
|
|
@@ -4749,21 +4825,28 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
4749
4825
|
});
|
|
4750
4826
|
return grant?.session ?? fallback;
|
|
4751
4827
|
}
|
|
4752
|
-
findGrantForOperations(operations) {
|
|
4828
|
+
findGrantForOperations(operations, options) {
|
|
4753
4829
|
if (operations.length === 0) {
|
|
4754
4830
|
return void 0;
|
|
4755
4831
|
}
|
|
4756
4832
|
this.pruneExpiredRuntimePermissionGrants();
|
|
4757
|
-
|
|
4833
|
+
const covering = this.runtimePermissionGrants.filter((grant) => {
|
|
4834
|
+
if (options?.excludePrimary && grant.provenance === "primary") {
|
|
4835
|
+
return false;
|
|
4836
|
+
}
|
|
4758
4837
|
return operations.every(
|
|
4759
4838
|
(operation) => grant.operations.some(
|
|
4760
4839
|
(granted) => this.operationCovers(granted, operation)
|
|
4761
4840
|
)
|
|
4762
4841
|
);
|
|
4763
4842
|
});
|
|
4843
|
+
if (covering.length === 0) {
|
|
4844
|
+
return void 0;
|
|
4845
|
+
}
|
|
4846
|
+
return covering.find((grant) => grant.provenance === "primary") ?? covering[0];
|
|
4764
4847
|
}
|
|
4765
|
-
findGrantForOperation(operation) {
|
|
4766
|
-
return this.findGrantForOperations([operation]);
|
|
4848
|
+
findGrantForOperation(operation, options) {
|
|
4849
|
+
return this.findGrantForOperations([operation], options);
|
|
4767
4850
|
}
|
|
4768
4851
|
pruneExpiredRuntimePermissionGrants() {
|
|
4769
4852
|
const now = Date.now();
|
|
@@ -5000,7 +5083,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
5000
5083
|
session.chainId
|
|
5001
5084
|
);
|
|
5002
5085
|
const publicAbilities = {
|
|
5003
|
-
kv: { "": [
|
|
5086
|
+
kv: { "": [KV2.GET, KV2.PUT, KV2.METADATA] }
|
|
5004
5087
|
};
|
|
5005
5088
|
const publicPrepared = this.wasmBindings.prepareSession({
|
|
5006
5089
|
abilities: publicAbilities,
|
|
@@ -5028,7 +5111,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
5028
5111
|
delegationHeader: publicSession.delegationHeader,
|
|
5029
5112
|
spaceId: publicSpaceId,
|
|
5030
5113
|
path: "",
|
|
5031
|
-
actions: [
|
|
5114
|
+
actions: [KV2.GET, KV2.PUT, KV2.METADATA],
|
|
5032
5115
|
disableSubDelegation: params.disableSubDelegation ?? false,
|
|
5033
5116
|
expiry: expirationTime,
|
|
5034
5117
|
delegateDID: params.delegateDID,
|