@tinycloud/node-sdk 2.5.1 → 2.6.0-beta.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/{core-ojeY-wet.d.cts → core-Cr-zD1lk.d.cts} +42 -0
- package/dist/{core-ojeY-wet.d.ts → core-Cr-zD1lk.d.ts} +42 -0
- package/dist/core.cjs +169 -96
- package/dist/core.cjs.map +1 -1
- package/dist/core.d.cts +1 -1
- package/dist/core.d.ts +1 -1
- package/dist/core.js +180 -97
- package/dist/core.js.map +1 -1
- package/dist/index.cjs +169 -96
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +1 -1
- package/dist/index.d.ts +1 -1
- package/dist/index.js +180 -97
- package/dist/index.js.map +1 -1
- package/package.json +2 -2
package/dist/index.d.cts
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { ISigner, Bytes, IWasmBindings, ISessionManager } from '@tinycloud/sdk-core';
|
|
2
2
|
export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AccountApplication, AccountApplicationListOptions, AccountDelegation, AccountDelegationListOptions, AccountDelegationRevokeOptions, AccountIndexEnsureResult, AccountIndexRebuildResult, AccountIndexStatus, AccountIndexedReadOptions, AccountService, AccountServiceConfig, AccountSpace, AccountSpaceListOptions, AccountStatus, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, BuildCanonicalDecryptRequestInput, BuildDecryptFactsInput, BuildDecryptInvocationInput, BuiltDecryptInvocation, CallbackStrategy, CanonicalAddress, CanonicalDecryptRequest, CanonicalJson, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DECRYPT_ACTION, DECRYPT_FACT_TYPE, DECRYPT_RESULT_TYPE, DEFAULT_ENCRYPTION_ALG, DEFAULT_KEY_VERSION, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, DecryptCapabilityProof, DecryptEnvelopeOptions, DecryptInvocationFact, DecryptInvocationSigner, DecryptRequestBody, DecryptResponseBody, DecryptTransport, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DiscoverNetworkInput, DiscoveredNetwork, DiscoverySource, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ENCRYPTION_NETWORK_URN_PREFIX, ENCRYPTION_SERVICE, ENCRYPTION_SERVICE_SHORT, ENVELOPE_VERSION, EncodedShareData, EncryptToNetworkInput, EncryptToNetworkOptions, EncryptToNetworkResult, EncryptionCrypto, EncryptionError, EncryptionErrorInput, EncryptionService, EncryptionServiceConfig, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IEncryptionService, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InlineEncryptedEnvelope, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, NETWORK_NAME_PATTERN, NetworkDescriptor, NetworkIdError, NodeDescriptorFetcher, OpenKeyCallbackStrategy, OpenKeySigningRequestBody, OpenKeySigningResponseBody, OpenKeySigningStrategyOptions, ParsedNetworkId, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, RandomReceiverKeyInput, ReceiveOptions, ReceiverKeyPair, ReceiverKeySigner, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SignedReceiverKeyInput, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudDebugEnableOptions, TinyCloudDebugEvent, TinyCloudDebugLevel, TinyCloudDebugLogger, TinyCloudDebugTimer, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VerifyDecryptResponseInput, VersionCheckError, ViewInfo, WasmVaultFunctions, WellKnownDescriptorFetcher, addressStorageKey, buildCanonicalDecryptRequest, buildDecryptAttenuation, buildDecryptFacts, buildDecryptInvocation, buildNetworkId, buildSpaceUri, canonicalHashHex, canonicalSignedResponse, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeEncryptionJson, canonicalizeNetworkId, canonicalizeSecretScope, checkDecryptInvocationInput, checkNodeInfo, clearTinyCloudDebugLogs, composeManifestRequest, createCapabilityKeyRegistry, createOpenKeyCallbackSigningStrategy, createSharingService, createSpaceService, createVaultCrypto, decryptEnvelopeWithKey, defaultSpaceCreationHandler, deriveSignedReceiverKey, didCacheKey, didEquals, disableTinyCloudDebug, discoverNetwork, enableTinyCloudDebug, encryptToNetwork, encryptionBase64Decode, encryptionBase64Encode, encryptionError, encryptionUtf8Decode, encryptionUtf8Encode, ensureNetworkUsableForDecrypt, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, generateRandomReceiverKey, getTinyCloudDebugLogs, hexDecode, hexEncode, installTinyCloudDebugGlobals, isCapabilitySubset, isEvmAddress, isNetworkId, loadManifest, makePkhSpaceId, makePublicSpaceId, networkDiscoveryKey, openWrappedKey, parseCanonicalNetworkId, parseExpiry, parseNetworkId, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, tinyCloudDebugLogger, validateEnvelope, validateManifest, verifyDecryptResponse } from '@tinycloud/sdk-core';
|
|
3
|
-
export { A as AuthDelegationArtifact, a as AuthRequestArtifact, D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, d as DelegationAuthority, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, m as grantAuthRequest, s as serializeDelegation } from './core-
|
|
3
|
+
export { A as AuthDelegationArtifact, a as AuthRequestArtifact, D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, d as DelegationAuthority, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, m as grantAuthRequest, s as serializeDelegation } from './core-Cr-zD1lk.cjs';
|
|
4
4
|
import { invoke, invokeAny, computeCid, prepareSession, completeSessionSetup, ensureEip55, makeSpaceId, createDelegation, parseRecapFromSiwe, generateHostSIWEMessage, siweToDelegationHeaders, protocolVersion, vault_encrypt, vault_decrypt, vault_derive_key, vault_x25519_from_seed, vault_x25519_dh, vault_random_bytes, vault_sha256 } from '@tinycloud/node-sdk-wasm';
|
|
5
5
|
import 'events';
|
|
6
6
|
import '@tinycloud/sdk-services';
|
package/dist/index.d.ts
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import { ISigner, Bytes, IWasmBindings, ISessionManager } from '@tinycloud/sdk-core';
|
|
2
2
|
export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AccountApplication, AccountApplicationListOptions, AccountDelegation, AccountDelegationListOptions, AccountDelegationRevokeOptions, AccountIndexEnsureResult, AccountIndexRebuildResult, AccountIndexStatus, AccountIndexedReadOptions, AccountService, AccountServiceConfig, AccountSpace, AccountSpaceListOptions, AccountStatus, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, BuildCanonicalDecryptRequestInput, BuildDecryptFactsInput, BuildDecryptInvocationInput, BuiltDecryptInvocation, CallbackStrategy, CanonicalAddress, CanonicalDecryptRequest, CanonicalJson, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DECRYPT_ACTION, DECRYPT_FACT_TYPE, DECRYPT_RESULT_TYPE, DEFAULT_ENCRYPTION_ALG, DEFAULT_KEY_VERSION, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, DecryptCapabilityProof, DecryptEnvelopeOptions, DecryptInvocationFact, DecryptInvocationSigner, DecryptRequestBody, DecryptResponseBody, DecryptTransport, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DiscoverNetworkInput, DiscoveredNetwork, DiscoverySource, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ENCRYPTION_NETWORK_URN_PREFIX, ENCRYPTION_SERVICE, ENCRYPTION_SERVICE_SHORT, ENVELOPE_VERSION, EncodedShareData, EncryptToNetworkInput, EncryptToNetworkOptions, EncryptToNetworkResult, EncryptionCrypto, EncryptionError, EncryptionErrorInput, EncryptionService, EncryptionServiceConfig, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IEncryptionService, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InlineEncryptedEnvelope, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, NETWORK_NAME_PATTERN, NetworkDescriptor, NetworkIdError, NodeDescriptorFetcher, OpenKeyCallbackStrategy, OpenKeySigningRequestBody, OpenKeySigningResponseBody, OpenKeySigningStrategyOptions, ParsedNetworkId, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, RandomReceiverKeyInput, ReceiveOptions, ReceiverKeyPair, ReceiverKeySigner, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SignedReceiverKeyInput, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudDebugEnableOptions, TinyCloudDebugEvent, TinyCloudDebugLevel, TinyCloudDebugLogger, TinyCloudDebugTimer, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VerifyDecryptResponseInput, VersionCheckError, ViewInfo, WasmVaultFunctions, WellKnownDescriptorFetcher, addressStorageKey, buildCanonicalDecryptRequest, buildDecryptAttenuation, buildDecryptFacts, buildDecryptInvocation, buildNetworkId, buildSpaceUri, canonicalHashHex, canonicalSignedResponse, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeEncryptionJson, canonicalizeNetworkId, canonicalizeSecretScope, checkDecryptInvocationInput, checkNodeInfo, clearTinyCloudDebugLogs, composeManifestRequest, createCapabilityKeyRegistry, createOpenKeyCallbackSigningStrategy, createSharingService, createSpaceService, createVaultCrypto, decryptEnvelopeWithKey, defaultSpaceCreationHandler, deriveSignedReceiverKey, didCacheKey, didEquals, disableTinyCloudDebug, discoverNetwork, enableTinyCloudDebug, encryptToNetwork, encryptionBase64Decode, encryptionBase64Encode, encryptionError, encryptionUtf8Decode, encryptionUtf8Encode, ensureNetworkUsableForDecrypt, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, generateRandomReceiverKey, getTinyCloudDebugLogs, hexDecode, hexEncode, installTinyCloudDebugGlobals, isCapabilitySubset, isEvmAddress, isNetworkId, loadManifest, makePkhSpaceId, makePublicSpaceId, networkDiscoveryKey, openWrappedKey, parseCanonicalNetworkId, parseExpiry, parseNetworkId, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, tinyCloudDebugLogger, validateEnvelope, validateManifest, verifyDecryptResponse } from '@tinycloud/sdk-core';
|
|
3
|
-
export { A as AuthDelegationArtifact, a as AuthRequestArtifact, D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, d as DelegationAuthority, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, m as grantAuthRequest, s as serializeDelegation } from './core-
|
|
3
|
+
export { A as AuthDelegationArtifact, a as AuthRequestArtifact, D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, d as DelegationAuthority, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, m as grantAuthRequest, s as serializeDelegation } from './core-Cr-zD1lk.js';
|
|
4
4
|
import { invoke, invokeAny, computeCid, prepareSession, completeSessionSetup, ensureEip55, makeSpaceId, createDelegation, parseRecapFromSiwe, generateHostSIWEMessage, siweToDelegationHeaders, protocolVersion, vault_encrypt, vault_decrypt, vault_derive_key, vault_x25519_from_seed, vault_x25519_dh, vault_random_bytes, vault_sha256 } from '@tinycloud/node-sdk-wasm';
|
|
5
5
|
import 'events';
|
|
6
6
|
import '@tinycloud/sdk-services';
|
package/dist/index.js
CHANGED
|
@@ -17185,6 +17185,10 @@ import {
|
|
|
17185
17185
|
isCapabilitySubset,
|
|
17186
17186
|
parseRecapCapabilities,
|
|
17187
17187
|
SERVICE_LONG_TO_SHORT,
|
|
17188
|
+
KV as KV2,
|
|
17189
|
+
SQL as SQL2,
|
|
17190
|
+
DUCKDB as DUCKDB2,
|
|
17191
|
+
ENCRYPTION as ENCRYPTION2,
|
|
17188
17192
|
EXPIRY as EXPIRY3,
|
|
17189
17193
|
canonicalHashHex,
|
|
17190
17194
|
canonicalizeEncryptionJson,
|
|
@@ -17214,7 +17218,13 @@ import {
|
|
|
17214
17218
|
EXPIRY,
|
|
17215
17219
|
canonicalizeAddress,
|
|
17216
17220
|
makePkhSpaceId,
|
|
17217
|
-
pkhDid
|
|
17221
|
+
pkhDid,
|
|
17222
|
+
KV,
|
|
17223
|
+
SQL,
|
|
17224
|
+
DUCKDB,
|
|
17225
|
+
CAPABILITIES,
|
|
17226
|
+
HOOKS,
|
|
17227
|
+
ENCRYPTION
|
|
17218
17228
|
} from "@tinycloud/sdk-core";
|
|
17219
17229
|
|
|
17220
17230
|
// src/authorization/strategies.ts
|
|
@@ -17293,8 +17303,8 @@ var MemorySessionStorage = class {
|
|
|
17293
17303
|
};
|
|
17294
17304
|
|
|
17295
17305
|
// src/authorization/NodeUserAuthorization.ts
|
|
17296
|
-
var DECRYPT_ACTION =
|
|
17297
|
-
var NETWORK_CREATE_ACTION =
|
|
17306
|
+
var DECRYPT_ACTION = ENCRYPTION.DECRYPT;
|
|
17307
|
+
var NETWORK_CREATE_ACTION = ENCRYPTION.NETWORK_CREATE;
|
|
17298
17308
|
function didPrincipalMatches(actual, expected) {
|
|
17299
17309
|
try {
|
|
17300
17310
|
return principalDidEquals(actual, expected);
|
|
@@ -17327,44 +17337,27 @@ var NodeUserAuthorization = class {
|
|
|
17327
17337
|
this.spacePrefix = config.spacePrefix ?? "default";
|
|
17328
17338
|
this.defaultActions = config.defaultActions ?? {
|
|
17329
17339
|
kv: {
|
|
17330
|
-
"": [
|
|
17331
|
-
"tinycloud.kv/put",
|
|
17332
|
-
"tinycloud.kv/get",
|
|
17333
|
-
"tinycloud.kv/del",
|
|
17334
|
-
"tinycloud.kv/list",
|
|
17335
|
-
"tinycloud.kv/metadata"
|
|
17336
|
-
]
|
|
17340
|
+
"": [KV.PUT, KV.GET, KV.DEL, KV.LIST, KV.METADATA]
|
|
17337
17341
|
},
|
|
17338
17342
|
sql: {
|
|
17339
|
-
"": [
|
|
17340
|
-
"tinycloud.sql/read",
|
|
17341
|
-
"tinycloud.sql/write",
|
|
17342
|
-
"tinycloud.sql/schema",
|
|
17343
|
-
"tinycloud.sql/admin",
|
|
17344
|
-
"tinycloud.sql/export"
|
|
17345
|
-
]
|
|
17343
|
+
"": [SQL.READ, SQL.WRITE, SQL.SCHEMA, SQL.ADMIN, SQL.EXPORT]
|
|
17346
17344
|
},
|
|
17347
17345
|
duckdb: {
|
|
17348
17346
|
"": [
|
|
17349
|
-
|
|
17350
|
-
|
|
17351
|
-
|
|
17352
|
-
|
|
17353
|
-
|
|
17354
|
-
|
|
17355
|
-
|
|
17347
|
+
DUCKDB.READ,
|
|
17348
|
+
DUCKDB.WRITE,
|
|
17349
|
+
DUCKDB.ADMIN,
|
|
17350
|
+
DUCKDB.DESCRIBE,
|
|
17351
|
+
DUCKDB.EXPORT,
|
|
17352
|
+
DUCKDB.IMPORT,
|
|
17353
|
+
DUCKDB.EXECUTE
|
|
17356
17354
|
]
|
|
17357
17355
|
},
|
|
17358
17356
|
capabilities: {
|
|
17359
|
-
"": [
|
|
17357
|
+
"": [CAPABILITIES.READ]
|
|
17360
17358
|
},
|
|
17361
17359
|
hooks: {
|
|
17362
|
-
"": [
|
|
17363
|
-
"tinycloud.hooks/subscribe",
|
|
17364
|
-
"tinycloud.hooks/register",
|
|
17365
|
-
"tinycloud.hooks/list",
|
|
17366
|
-
"tinycloud.hooks/unregister"
|
|
17367
|
-
]
|
|
17360
|
+
"": [HOOKS.SUBSCRIBE, HOOKS.REGISTER, HOOKS.LIST, HOOKS.UNREGISTER]
|
|
17368
17361
|
}
|
|
17369
17362
|
};
|
|
17370
17363
|
this.sessionExpirationMs = config.sessionExpirationMs ?? EXPIRY.SESSION_MS;
|
|
@@ -17564,20 +17557,17 @@ var NodeUserAuthorization = class {
|
|
|
17564
17557
|
[secretsSpaceId]: {
|
|
17565
17558
|
kv: {
|
|
17566
17559
|
"vault/secrets/": [
|
|
17567
|
-
|
|
17568
|
-
|
|
17569
|
-
|
|
17570
|
-
|
|
17571
|
-
|
|
17560
|
+
KV.GET,
|
|
17561
|
+
KV.PUT,
|
|
17562
|
+
KV.DEL,
|
|
17563
|
+
KV.LIST,
|
|
17564
|
+
KV.METADATA
|
|
17572
17565
|
]
|
|
17573
17566
|
}
|
|
17574
17567
|
}
|
|
17575
17568
|
},
|
|
17576
17569
|
rawAbilities: {
|
|
17577
|
-
[defaultNetworkId]: [
|
|
17578
|
-
"tinycloud.encryption/decrypt",
|
|
17579
|
-
"tinycloud.encryption/network.create"
|
|
17580
|
-
]
|
|
17570
|
+
[defaultNetworkId]: [DECRYPT_ACTION, NETWORK_CREATE_ACTION]
|
|
17581
17571
|
}
|
|
17582
17572
|
};
|
|
17583
17573
|
}
|
|
@@ -18654,9 +18644,27 @@ var NodeSecretsService = class {
|
|
|
18654
18644
|
// src/TinyCloudNode.ts
|
|
18655
18645
|
var DEFAULT_HOST = "https://node.tinycloud.xyz";
|
|
18656
18646
|
var DEFAULT_ENCRYPTION_NETWORK_NAME = "default";
|
|
18657
|
-
var NETWORK_CREATE_ACTION2 =
|
|
18658
|
-
var DECRYPT_ACTION2 =
|
|
18647
|
+
var NETWORK_CREATE_ACTION2 = ENCRYPTION2.NETWORK_CREATE;
|
|
18648
|
+
var DECRYPT_ACTION2 = ENCRYPTION2.DECRYPT;
|
|
18659
18649
|
var NETWORK_ADMIN_TYPE = "tinycloud.encryption.network-admin/v1";
|
|
18650
|
+
var ROOT_DELEGATION_ACTIONS = [
|
|
18651
|
+
KV2.PUT,
|
|
18652
|
+
KV2.GET,
|
|
18653
|
+
KV2.DEL,
|
|
18654
|
+
KV2.LIST,
|
|
18655
|
+
KV2.METADATA,
|
|
18656
|
+
SQL2.READ,
|
|
18657
|
+
SQL2.WRITE,
|
|
18658
|
+
SQL2.ADMIN,
|
|
18659
|
+
SQL2.ALL,
|
|
18660
|
+
DUCKDB2.READ,
|
|
18661
|
+
DUCKDB2.WRITE,
|
|
18662
|
+
DUCKDB2.ADMIN,
|
|
18663
|
+
DUCKDB2.DESCRIBE,
|
|
18664
|
+
DUCKDB2.EXPORT,
|
|
18665
|
+
DUCKDB2.IMPORT,
|
|
18666
|
+
DUCKDB2.ALL
|
|
18667
|
+
];
|
|
18660
18668
|
var DEFAULT_SESSION_EXPIRATION_MS = EXPIRY3.SESSION_MS;
|
|
18661
18669
|
function isOpenKeyAutoSignStrategy(strategy) {
|
|
18662
18670
|
return strategy?.openKeyAutoSign === true;
|
|
@@ -19128,6 +19136,10 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
19128
19136
|
await this.tc.signIn(options);
|
|
19129
19137
|
this.syncResolvedHostFromAuth();
|
|
19130
19138
|
this.initializeServices();
|
|
19139
|
+
const primarySession = this.currentTinyCloudSession();
|
|
19140
|
+
if (primarySession) {
|
|
19141
|
+
this.registerPrimarySessionGrant(primarySession);
|
|
19142
|
+
}
|
|
19131
19143
|
const bootstrapped = await this.bootstrapAccountIfNeeded();
|
|
19132
19144
|
await this.ensureRequestedEncryptionNetworks();
|
|
19133
19145
|
if (!bootstrapped && this.config.manifest === void 0 && this.config.capabilityRequest === void 0) {
|
|
@@ -19371,7 +19383,107 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
19371
19383
|
host: this.config.host
|
|
19372
19384
|
},
|
|
19373
19385
|
operations,
|
|
19374
|
-
expiresAt
|
|
19386
|
+
expiresAt,
|
|
19387
|
+
provenance: "bootstrap"
|
|
19388
|
+
});
|
|
19389
|
+
}
|
|
19390
|
+
/**
|
|
19391
|
+
* Map the base session's OWN recap into runtime permission operations.
|
|
19392
|
+
*
|
|
19393
|
+
* Uses the RAW `parseRecapFromSiwe` binding — NOT `parseRecapCapabilities`,
|
|
19394
|
+
* whose `normalizeSpace` collapses `tinycloud:pkh:...:<owner>:<space>` to a
|
|
19395
|
+
* bare short name and would conflate two owners' identically-named spaces.
|
|
19396
|
+
* We must keep the full owner-scoped URI so a synthetic primary grant can
|
|
19397
|
+
* never cover an operation on a different owner's space.
|
|
19398
|
+
*
|
|
19399
|
+
* Mirrors {@link operationsFromDelegation}'s op shape: encryption network
|
|
19400
|
+
* entries (`urn:tinycloud:encryption:` paths) become `resource` ops; every
|
|
19401
|
+
* other entry becomes a `spaceId` op carrying the raw recap `space` URI.
|
|
19402
|
+
* One op per action.
|
|
19403
|
+
*
|
|
19404
|
+
* Returns `[]` for session-only / restored-without-siwe modes and for any
|
|
19405
|
+
* unparseable SIWE — the primary grant is simply not registered in that case.
|
|
19406
|
+
*/
|
|
19407
|
+
recapOperationsFromSession(session) {
|
|
19408
|
+
const siwe = session.siwe;
|
|
19409
|
+
if (!siwe) {
|
|
19410
|
+
return [];
|
|
19411
|
+
}
|
|
19412
|
+
if (this._recapOperationsCache?.siwe === siwe) {
|
|
19413
|
+
return this._recapOperationsCache.operations;
|
|
19414
|
+
}
|
|
19415
|
+
let operations = [];
|
|
19416
|
+
try {
|
|
19417
|
+
const entries = this.wasmBindings.parseRecapFromSiwe(siwe);
|
|
19418
|
+
if (Array.isArray(entries)) {
|
|
19419
|
+
operations = entries.flatMap((entry) => {
|
|
19420
|
+
const service = this.invocationServiceName(entry.service);
|
|
19421
|
+
return entry.actions.map((action) => ({
|
|
19422
|
+
...this.isEncryptionNetworkOperation(service, entry.path) ? { resource: entry.path } : { spaceId: entry.space },
|
|
19423
|
+
service,
|
|
19424
|
+
path: entry.path,
|
|
19425
|
+
action
|
|
19426
|
+
}));
|
|
19427
|
+
});
|
|
19428
|
+
}
|
|
19429
|
+
} catch {
|
|
19430
|
+
operations = [];
|
|
19431
|
+
}
|
|
19432
|
+
this._recapOperationsCache = { siwe, operations };
|
|
19433
|
+
return operations;
|
|
19434
|
+
}
|
|
19435
|
+
/**
|
|
19436
|
+
* Register the base (primary) session's own recap as a synthetic runtime
|
|
19437
|
+
* grant tagged `provenance: "primary"` so it always out-ranks other covering
|
|
19438
|
+
* grants in {@link findGrantForOperations}. This closes the selection-design
|
|
19439
|
+
* hazard where a broad — possibly broken — bootstrap/delegated grant could
|
|
19440
|
+
* hijack an operation the primary session itself already authorized (TC-111).
|
|
19441
|
+
*
|
|
19442
|
+
* Two safety exclusions:
|
|
19443
|
+
* - Ops whose space is in `lastActivationSkippedSpaceIds` are dropped: the
|
|
19444
|
+
* node refused to activate those spaces this sign-in even though the recap
|
|
19445
|
+
* claims them. Including them would let the synthetic primary out-rank a
|
|
19446
|
+
* working grant and 401 (the "skipped-activation inverted hijack").
|
|
19447
|
+
* - Encryption `resource` ops are kept as-is (space-independent).
|
|
19448
|
+
*
|
|
19449
|
+
* No-ops when nothing remains after exclusion. Callers (`signIn`,
|
|
19450
|
+
* `restoreSession`) clear `runtimePermissionGrants` first, so no dupes.
|
|
19451
|
+
*/
|
|
19452
|
+
registerPrimarySessionGrant(session) {
|
|
19453
|
+
const skipped = this.auth ? this.auth.lastActivationSkippedSpaceIds ?? [] : [];
|
|
19454
|
+
const operations = this.recapOperationsFromSession(session).filter(
|
|
19455
|
+
(operation) => operation.spaceId === void 0 || !skipped.some((spaceId) => this.spaceIdsEqual(spaceId, operation.spaceId))
|
|
19456
|
+
);
|
|
19457
|
+
if (operations.length === 0) {
|
|
19458
|
+
return;
|
|
19459
|
+
}
|
|
19460
|
+
const expiresAt = extractSiweExpiration(session.siwe) ?? this.getSessionExpiry();
|
|
19461
|
+
const actions = [...new Set(operations.map((operation) => operation.action))];
|
|
19462
|
+
this.runtimePermissionGrants.push({
|
|
19463
|
+
session: {
|
|
19464
|
+
delegationHeader: session.delegationHeader,
|
|
19465
|
+
delegationCid: session.delegationCid,
|
|
19466
|
+
spaceId: session.spaceId,
|
|
19467
|
+
verificationMethod: session.verificationMethod,
|
|
19468
|
+
jwk: session.jwk
|
|
19469
|
+
},
|
|
19470
|
+
delegation: {
|
|
19471
|
+
cid: session.delegationCid,
|
|
19472
|
+
delegationHeader: session.delegationHeader,
|
|
19473
|
+
delegateDID: session.verificationMethod,
|
|
19474
|
+
delegatorDID: this.did,
|
|
19475
|
+
spaceId: session.spaceId,
|
|
19476
|
+
path: "",
|
|
19477
|
+
actions,
|
|
19478
|
+
expiry: expiresAt,
|
|
19479
|
+
allowSubDelegation: true,
|
|
19480
|
+
ownerAddress: session.address,
|
|
19481
|
+
chainId: session.chainId,
|
|
19482
|
+
host: this.config.host
|
|
19483
|
+
},
|
|
19484
|
+
operations,
|
|
19485
|
+
expiresAt,
|
|
19486
|
+
provenance: "primary"
|
|
19375
19487
|
});
|
|
19376
19488
|
}
|
|
19377
19489
|
async writeManifestRegistryRecords() {
|
|
@@ -19707,6 +19819,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
19707
19819
|
} else {
|
|
19708
19820
|
this._restoredTcSession = tcSession;
|
|
19709
19821
|
}
|
|
19822
|
+
this.registerPrimarySessionGrant(tcSession);
|
|
19710
19823
|
}
|
|
19711
19824
|
}
|
|
19712
19825
|
/**
|
|
@@ -20178,24 +20291,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
20178
20291
|
spaceId: tcSession.spaceId,
|
|
20179
20292
|
path: "",
|
|
20180
20293
|
// Root access
|
|
20181
|
-
actions: [
|
|
20182
|
-
"tinycloud.kv/put",
|
|
20183
|
-
"tinycloud.kv/get",
|
|
20184
|
-
"tinycloud.kv/del",
|
|
20185
|
-
"tinycloud.kv/list",
|
|
20186
|
-
"tinycloud.kv/metadata",
|
|
20187
|
-
"tinycloud.sql/read",
|
|
20188
|
-
"tinycloud.sql/write",
|
|
20189
|
-
"tinycloud.sql/admin",
|
|
20190
|
-
"tinycloud.sql/*",
|
|
20191
|
-
"tinycloud.duckdb/read",
|
|
20192
|
-
"tinycloud.duckdb/write",
|
|
20193
|
-
"tinycloud.duckdb/admin",
|
|
20194
|
-
"tinycloud.duckdb/describe",
|
|
20195
|
-
"tinycloud.duckdb/export",
|
|
20196
|
-
"tinycloud.duckdb/import",
|
|
20197
|
-
"tinycloud.duckdb/*"
|
|
20198
|
-
],
|
|
20294
|
+
actions: [...ROOT_DELEGATION_ACTIONS],
|
|
20199
20295
|
expiry: this.getSessionExpiry(),
|
|
20200
20296
|
isRevoked: false,
|
|
20201
20297
|
allowSubDelegation: true
|
|
@@ -20208,24 +20304,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
20208
20304
|
delegateDID: tcSession.verificationMethod,
|
|
20209
20305
|
spaceId,
|
|
20210
20306
|
path: "",
|
|
20211
|
-
actions: [
|
|
20212
|
-
"tinycloud.kv/put",
|
|
20213
|
-
"tinycloud.kv/get",
|
|
20214
|
-
"tinycloud.kv/del",
|
|
20215
|
-
"tinycloud.kv/list",
|
|
20216
|
-
"tinycloud.kv/metadata",
|
|
20217
|
-
"tinycloud.sql/read",
|
|
20218
|
-
"tinycloud.sql/write",
|
|
20219
|
-
"tinycloud.sql/admin",
|
|
20220
|
-
"tinycloud.sql/*",
|
|
20221
|
-
"tinycloud.duckdb/read",
|
|
20222
|
-
"tinycloud.duckdb/write",
|
|
20223
|
-
"tinycloud.duckdb/admin",
|
|
20224
|
-
"tinycloud.duckdb/describe",
|
|
20225
|
-
"tinycloud.duckdb/export",
|
|
20226
|
-
"tinycloud.duckdb/import",
|
|
20227
|
-
"tinycloud.duckdb/*"
|
|
20228
|
-
],
|
|
20307
|
+
actions: [...ROOT_DELEGATION_ACTIONS],
|
|
20229
20308
|
expiry: this.getSessionExpiry(),
|
|
20230
20309
|
isRevoked: false,
|
|
20231
20310
|
allowSubDelegation: true
|
|
@@ -20779,7 +20858,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
20779
20858
|
getRuntimePermissionDelegations(permissions) {
|
|
20780
20859
|
this.pruneExpiredRuntimePermissionGrants();
|
|
20781
20860
|
if (permissions === void 0) {
|
|
20782
|
-
return this.runtimePermissionGrants.map((grant) => grant.delegation);
|
|
20861
|
+
return this.runtimePermissionGrants.filter((grant) => grant.provenance !== "primary").map((grant) => grant.delegation);
|
|
20783
20862
|
}
|
|
20784
20863
|
const session = this.currentTinyCloudSession();
|
|
20785
20864
|
if (!session || !Array.isArray(permissions) || permissions.length === 0) {
|
|
@@ -20931,7 +21010,8 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
20931
21010
|
},
|
|
20932
21011
|
delegation,
|
|
20933
21012
|
operations: this.permissionOperations(delegatedEntries, spaceId),
|
|
20934
|
-
expiresAt
|
|
21013
|
+
expiresAt,
|
|
21014
|
+
provenance: "runtime"
|
|
20935
21015
|
});
|
|
20936
21016
|
delegations.push(delegation);
|
|
20937
21017
|
}
|
|
@@ -21069,13 +21149,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
21069
21149
|
throw new Error("Public space not enabled. Set enablePublicSpace: true in config.");
|
|
21070
21150
|
}
|
|
21071
21151
|
await this.auth.hostPublicSpace(publicSpaceId);
|
|
21072
|
-
const kvActions = [
|
|
21073
|
-
"tinycloud.kv/put",
|
|
21074
|
-
"tinycloud.kv/get",
|
|
21075
|
-
"tinycloud.kv/del",
|
|
21076
|
-
"tinycloud.kv/list",
|
|
21077
|
-
"tinycloud.kv/metadata"
|
|
21078
|
-
];
|
|
21152
|
+
const kvActions = [KV2.PUT, KV2.GET, KV2.DEL, KV2.LIST, KV2.METADATA];
|
|
21079
21153
|
const abilities = { kv: { "": kvActions } };
|
|
21080
21154
|
const now = /* @__PURE__ */ new Date();
|
|
21081
21155
|
const expiryMs = EXPIRY3.EPHEMERAL_MS;
|
|
@@ -21598,7 +21672,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
21598
21672
|
return grants;
|
|
21599
21673
|
}
|
|
21600
21674
|
for (const operation of operations) {
|
|
21601
|
-
const grant = this.findGrantForOperation(operation);
|
|
21675
|
+
const grant = this.findGrantForOperation(operation, { excludePrimary: true });
|
|
21602
21676
|
if (!grant) {
|
|
21603
21677
|
return [];
|
|
21604
21678
|
}
|
|
@@ -21638,7 +21712,8 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
21638
21712
|
},
|
|
21639
21713
|
delegation,
|
|
21640
21714
|
operations,
|
|
21641
|
-
expiresAt: delegation.expiry
|
|
21715
|
+
expiresAt: delegation.expiry,
|
|
21716
|
+
provenance: "delegated"
|
|
21642
21717
|
};
|
|
21643
21718
|
}
|
|
21644
21719
|
installRuntimeGrantFromServiceSession(delegation, session, expiresAt) {
|
|
@@ -21653,7 +21728,8 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
21653
21728
|
session,
|
|
21654
21729
|
delegation,
|
|
21655
21730
|
operations,
|
|
21656
|
-
expiresAt
|
|
21731
|
+
expiresAt,
|
|
21732
|
+
provenance: "delegated"
|
|
21657
21733
|
});
|
|
21658
21734
|
}
|
|
21659
21735
|
delegatedResourcesForEntries(entries, spaceId) {
|
|
@@ -21753,21 +21829,28 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
21753
21829
|
});
|
|
21754
21830
|
return grant?.session ?? fallback;
|
|
21755
21831
|
}
|
|
21756
|
-
findGrantForOperations(operations) {
|
|
21832
|
+
findGrantForOperations(operations, options) {
|
|
21757
21833
|
if (operations.length === 0) {
|
|
21758
21834
|
return void 0;
|
|
21759
21835
|
}
|
|
21760
21836
|
this.pruneExpiredRuntimePermissionGrants();
|
|
21761
|
-
|
|
21837
|
+
const covering = this.runtimePermissionGrants.filter((grant) => {
|
|
21838
|
+
if (options?.excludePrimary && grant.provenance === "primary") {
|
|
21839
|
+
return false;
|
|
21840
|
+
}
|
|
21762
21841
|
return operations.every(
|
|
21763
21842
|
(operation) => grant.operations.some(
|
|
21764
21843
|
(granted) => this.operationCovers(granted, operation)
|
|
21765
21844
|
)
|
|
21766
21845
|
);
|
|
21767
21846
|
});
|
|
21847
|
+
if (covering.length === 0) {
|
|
21848
|
+
return void 0;
|
|
21849
|
+
}
|
|
21850
|
+
return covering.find((grant) => grant.provenance === "primary") ?? covering[0];
|
|
21768
21851
|
}
|
|
21769
|
-
findGrantForOperation(operation) {
|
|
21770
|
-
return this.findGrantForOperations([operation]);
|
|
21852
|
+
findGrantForOperation(operation, options) {
|
|
21853
|
+
return this.findGrantForOperations([operation], options);
|
|
21771
21854
|
}
|
|
21772
21855
|
pruneExpiredRuntimePermissionGrants() {
|
|
21773
21856
|
const now = Date.now();
|
|
@@ -22004,7 +22087,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
22004
22087
|
session.chainId
|
|
22005
22088
|
);
|
|
22006
22089
|
const publicAbilities = {
|
|
22007
|
-
kv: { "": [
|
|
22090
|
+
kv: { "": [KV2.GET, KV2.PUT, KV2.METADATA] }
|
|
22008
22091
|
};
|
|
22009
22092
|
const publicPrepared = this.wasmBindings.prepareSession({
|
|
22010
22093
|
abilities: publicAbilities,
|
|
@@ -22032,7 +22115,7 @@ var _TinyCloudNode = class _TinyCloudNode {
|
|
|
22032
22115
|
delegationHeader: publicSession.delegationHeader,
|
|
22033
22116
|
spaceId: publicSpaceId,
|
|
22034
22117
|
path: "",
|
|
22035
|
-
actions: [
|
|
22118
|
+
actions: [KV2.GET, KV2.PUT, KV2.METADATA],
|
|
22036
22119
|
disableSubDelegation: params.disableSubDelegation ?? false,
|
|
22037
22120
|
expiry: expirationTime,
|
|
22038
22121
|
delegateDID: params.delegateDID,
|