@tinycloud/sdk-core 2.1.0-beta.5 → 2.2.0-beta.0

package/dist/index.cjs

@@ -30,12 +30,16 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  ACCOUNT_REGISTRY_PATH: () => ACCOUNT_REGISTRY_PATH,
+  ACCOUNT_REGISTRY_SPACE: () => ACCOUNT_REGISTRY_SPACE,
   AutoApproveSpaceCreationHandler: () => AutoApproveSpaceCreationHandler,
   CapabilityKeyRegistry: () => CapabilityKeyRegistry,
   CapabilityKeyRegistryErrorCodes: () => CapabilityKeyRegistryErrorCodes,
   ClientSessionSchema: () => ClientSessionSchema,
   DEFAULT_DEFAULTS: () => DEFAULT_DEFAULTS,
   DEFAULT_EXPIRY: () => DEFAULT_EXPIRY,
+  DEFAULT_MANIFEST_SPACE: () => DEFAULT_MANIFEST_SPACE,
+  DEFAULT_MANIFEST_VERSION: () => DEFAULT_MANIFEST_VERSION,
   DataVaultService: () => import_sdk_services4.DataVaultService,
   DatabaseHandle: () => import_sdk_services4.DatabaseHandle,
   DelegationErrorCodes: () => DelegationErrorCodes,
@@ -73,6 +77,7 @@ __export(index_exports, {
   applyPrefix: () => applyPrefix,
   buildSpaceUri: () => buildSpaceUri,
   checkNodeInfo: () => checkNodeInfo,
+  composeManifestRequest: () => composeManifestRequest,
   createCapabilityKeyRegistry: () => createCapabilityKeyRegistry,
   createSharingService: () => createSharingService,
   createSpaceService: () => createSpaceService,
@@ -94,6 +99,7 @@ __export(index_exports, {
   parseSpaceUri: () => parseSpaceUri,
   resolveManifest: () => resolveManifest,
   resourceCapabilitiesToAbilitiesMap: () => resourceCapabilitiesToAbilitiesMap,
+  resourceCapabilitiesToSpaceAbilitiesMap: () => resourceCapabilitiesToSpaceAbilitiesMap,
   serviceError: () => import_sdk_services4.serviceError,
   submitHostDelegation: () => submitHostDelegation,
   validateClientSession: () => validateClientSession,
@@ -2740,6 +2746,10 @@ var ManifestValidationError = class extends Error {
 };
 var DEFAULT_EXPIRY = "30d";
 var DEFAULT_DEFAULTS = true;
+var DEFAULT_MANIFEST_VERSION = 1;
+var DEFAULT_MANIFEST_SPACE = "applications";
+var ACCOUNT_REGISTRY_SPACE = "account";
+var ACCOUNT_REGISTRY_PATH = "applications/";
 var SERVICE_SHORT_TO_LONG = Object.freeze({
   kv: "tinycloud.kv",
   sql: "tinycloud.sql",
@@ -2755,19 +2765,19 @@ var SERVICE_LONG_TO_SHORT = Object.freeze(
 var DEFAULT_STANDARD_ENTRIES = [
   {
     service: "tinycloud.kv",
-    space: "default",
+    space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["get", "put", "del", "list", "metadata"]
   },
   {
     service: "tinycloud.sql",
-    space: "default",
+    space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["read", "write"]
   },
   {
     service: "tinycloud.capabilities",
-    space: "default",
+    space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["read"]
   }
@@ -2775,19 +2785,19 @@ var DEFAULT_STANDARD_ENTRIES = [
 var DEFAULT_ADMIN_ENTRIES = [
   {
     service: "tinycloud.kv",
-    space: "default",
+    space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["get", "put", "del", "list", "metadata"]
   },
   {
     service: "tinycloud.sql",
-    space: "default",
+    space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["read", "write", "ddl"]
   },
   {
     service: "tinycloud.capabilities",
-    space: "default",
+    space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["read", "admin"]
   }
@@ -2795,25 +2805,25 @@ var DEFAULT_ADMIN_ENTRIES = [
 var DEFAULT_ALL_ENTRIES = [
   {
     service: "tinycloud.kv",
-    space: "default",
+    space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["get", "put", "del", "list", "metadata"]
   },
   {
     service: "tinycloud.sql",
-    space: "default",
+    space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["read", "write", "ddl"]
   },
   {
     service: "tinycloud.duckdb",
-    space: "default",
+    space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["read", "write"]
   },
   {
     service: "tinycloud.capabilities",
-    space: "default",
+    space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["read", "admin"]
   }
@@ -2875,12 +2885,23 @@ function validateManifest(input) {
     throw new ManifestValidationError("manifest must be an object");
   }
   const m = input;
-  if (typeof m.id !== "string" || m.id.length === 0) {
-    throw new ManifestValidationError("manifest.id is required and must be a non-empty string");
+  if (m.manifest_version !== void 0 && m.manifest_version !== DEFAULT_MANIFEST_VERSION) {
+    throw new ManifestValidationError(
+      `manifest.manifest_version must be ${DEFAULT_MANIFEST_VERSION}`
+    );
+  }
+  if (typeof m.app_id !== "string" || m.app_id.length === 0) {
+    throw new ManifestValidationError("manifest.app_id is required and must be a non-empty string");
   }
   if (typeof m.name !== "string" || m.name.length === 0) {
     throw new ManifestValidationError("manifest.name is required and must be a non-empty string");
   }
+  if (m.did !== void 0 && (typeof m.did !== "string" || m.did.length === 0)) {
+    throw new ManifestValidationError("manifest.did must be a non-empty DID string");
+  }
+  if (m.space !== void 0 && (typeof m.space !== "string" || m.space.length === 0)) {
+    throw new ManifestValidationError("manifest.space must be a non-empty string");
+  }
   if (m.expiry !== void 0) {
     parseExpiry(m.expiry);
   }
@@ -2892,29 +2913,6 @@ function validateManifest(input) {
       (p, i) => validatePermissionEntry(p, `permissions[${i}]`)
     );
   }
-  if (m.delegations !== void 0) {
-    if (!Array.isArray(m.delegations)) {
-      throw new ManifestValidationError("manifest.delegations must be an array");
-    }
-    m.delegations.forEach((d, i) => {
-      if (typeof d?.to !== "string" || d.to.length === 0) {
-        throw new ManifestValidationError(
-          `delegations[${i}].to is required and must be a non-empty DID string`
-        );
-      }
-      if (d.expiry !== void 0) {
-        parseExpiry(d.expiry);
-      }
-      if (!Array.isArray(d.permissions)) {
-        throw new ManifestValidationError(
-          `delegations[${i}].permissions must be an array`
-        );
-      }
-      d.permissions.forEach(
-        (p, j) => validatePermissionEntry(p, `delegations[${i}].permissions[${j}]`)
-      );
-    });
-  }
   return m;
 }
 function validatePermissionEntry(p, path) {
@@ -2925,8 +2923,8 @@ function validatePermissionEntry(p, path) {
   if (typeof entry.service !== "string" || entry.service.length === 0) {
     throw new ManifestValidationError(`${path}.service is required`);
   }
-  if (typeof entry.space !== "string" || entry.space.length === 0) {
-    throw new ManifestValidationError(`${path}.space is required`);
+  if (entry.space !== void 0 && (typeof entry.space !== "string" || entry.space.length === 0)) {
+    throw new ManifestValidationError(`${path}.space must be a non-empty string`);
   }
   if (typeof entry.path !== "string") {
     throw new ManifestValidationError(
@@ -2972,7 +2970,8 @@ function defaultEntriesForTier(tier) {
 }
 function resolveManifest(input) {
   const manifest = validateManifest(input);
-  const prefix = manifest.prefix !== void 0 ? manifest.prefix : manifest.id;
+  const prefix = manifest.prefix !== void 0 ? manifest.prefix : manifest.app_id;
+  const space = manifest.space ?? DEFAULT_MANIFEST_SPACE;
   const expiryMs = parseExpiry(manifest.expiry ?? DEFAULT_EXPIRY);
   const includePublicSpace = manifest.includePublicSpace ?? true;
   const tier = normalizeDefaults(manifest.defaults);
@@ -2980,29 +2979,27 @@ function resolveManifest(input) {
   const explicitEntries = manifest.permissions ?? [];
   const allEntries = [...defaultEntries, ...explicitEntries];
   const resources = allEntries.map(
-    (entry) => resolveEntry(entry, prefix, expiryMs)
+    (entry) => resolveEntry(entry, prefix, expiryMs, space)
   );
-  const additionalDelegates = (manifest.delegations ?? []).map((d) => ({
-    did: d.to,
-    name: d.name,
-    expiryMs: parseExpiry(d.expiry ?? manifest.expiry ?? DEFAULT_EXPIRY),
-    permissions: d.permissions.map(
-      (entry) => resolveEntry(
-        entry,
-        prefix,
-        parseExpiry(d.expiry ?? manifest.expiry ?? DEFAULT_EXPIRY)
-      )
-    )
-  }));
+  const additionalDelegates = manifest.did === void 0 ? [] : [
+    {
+      did: manifest.did,
+      name: manifest.name,
+      expiryMs,
+      permissions: resources.map(cloneResourceCapability)
+    }
+  ];
   return {
-    id: manifest.id,
+    app_id: manifest.app_id,
+    ...manifest.did !== void 0 ? { did: manifest.did } : {},
+    space,
     resources,
     expiryMs,
     includePublicSpace,
     additionalDelegates
   };
 }
-function resolveEntry(entry, prefix, _inheritedExpiryMs) {
+function resolveEntry(entry, prefix, _inheritedExpiryMs, inheritedSpace) {
   const resolvedPath = applyPrefix(
     prefix,
     entry.path,
@@ -3012,7 +3009,7 @@ function resolveEntry(entry, prefix, _inheritedExpiryMs) {
   const entryExpiryMs = entry.expiry !== void 0 ? parseExpiry(entry.expiry) : void 0;
   return {
     service: entry.service,
-    space: entry.space,
+    space: entry.space ?? inheritedSpace,
     path: resolvedPath,
     actions: resolvedActions,
     // Only populate `expiryMs` when the entry had its own expiry override.
@@ -3021,6 +3018,101 @@ function resolveEntry(entry, prefix, _inheritedExpiryMs) {
     ...entryExpiryMs !== void 0 ? { expiryMs: entryExpiryMs } : {}
   };
 }
+function cloneResourceCapability(entry) {
+  return {
+    service: entry.service,
+    space: entry.space,
+    path: entry.path,
+    actions: [...entry.actions],
+    ...entry.expiryMs !== void 0 ? { expiryMs: entry.expiryMs } : {}
+  };
+}
+function clonePermissionEntry(entry) {
+  return {
+    service: entry.service,
+    ...entry.space !== void 0 ? { space: entry.space } : {},
+    path: entry.path,
+    actions: [...entry.actions],
+    ...entry.skipPrefix !== void 0 ? { skipPrefix: entry.skipPrefix } : {},
+    ...entry.expiry !== void 0 ? { expiry: entry.expiry } : {}
+  };
+}
+function dedupeResources(resources) {
+  const byKey = /* @__PURE__ */ new Map();
+  for (const resource of resources) {
+    const key = `${resource.service}\0${resource.space}\0${resource.path}\0${resource.expiryMs ?? ""}`;
+    const existing = byKey.get(key);
+    if (existing === void 0) {
+      byKey.set(key, cloneResourceCapability(resource));
+      continue;
+    }
+    const seen = new Set(existing.actions);
+    for (const action of resource.actions) {
+      if (!seen.has(action)) {
+        existing.actions.push(action);
+        seen.add(action);
+      }
+    }
+  }
+  return [...byKey.values()];
+}
+function accountRegistryPermission() {
+  return {
+    service: "tinycloud.kv",
+    space: ACCOUNT_REGISTRY_SPACE,
+    path: ACCOUNT_REGISTRY_PATH,
+    actions: [
+      "tinycloud.kv/get",
+      "tinycloud.kv/put",
+      "tinycloud.kv/list"
+    ]
+  };
+}
+function composeManifestRequest(inputs, options = {}) {
+  if (!Array.isArray(inputs) || inputs.length === 0) {
+    throw new ManifestValidationError(
+      "composeManifestRequest requires at least one manifest"
+    );
+  }
+  const includeAccountRegistryPermissions = options.includeAccountRegistryPermissions ?? true;
+  const manifests = inputs.map(validateManifest);
+  const resolved = manifests.map(resolveManifest);
+  const resources = resolved.flatMap((entry) => entry.resources);
+  const delegationTargets = resolved.flatMap(
+    (entry) => entry.additionalDelegates.map((delegate) => ({
+      ...delegate,
+      permissions: dedupeResources(delegate.permissions)
+    }))
+  );
+  if (includeAccountRegistryPermissions) {
+    resources.push(accountRegistryPermission());
+  }
+  const manifestsByAppId = /* @__PURE__ */ new Map();
+  for (const manifest of manifests) {
+    const current = manifestsByAppId.get(manifest.app_id);
+    if (current === void 0) {
+      manifestsByAppId.set(manifest.app_id, [manifest]);
+    } else {
+      current.push(manifest);
+    }
+  }
+  const registryRecords = includeAccountRegistryPermissions ? [...manifestsByAppId.entries()].map(([app_id, appManifests]) => ({
+    key: `${ACCOUNT_REGISTRY_PATH}${app_id}`,
+    app_id,
+    manifests: appManifests.map((manifest) => ({
+      ...manifest,
+      permissions: manifest.permissions?.map(clonePermissionEntry)
+    }))
+  })) : [];
+  return {
+    manifests,
+    resources: dedupeResources(resources),
+    delegationTargets,
+    registryRecords,
+    expiryMs: Math.max(...resolved.map((entry) => entry.expiryMs)),
+    includePublicSpace: resolved.some((entry) => entry.includePublicSpace)
+  };
+}
 function resourceCapabilitiesToAbilitiesMap(resources) {
   const out = {};
   for (const r of resources) {
@@ -3049,6 +3141,22 @@ function resourceCapabilitiesToAbilitiesMap(resources) {
   }
   return out;
 }
+function resourceCapabilitiesToSpaceAbilitiesMap(resources) {
+  const grouped = /* @__PURE__ */ new Map();
+  for (const resource of resources) {
+    const entries = grouped.get(resource.space);
+    if (entries === void 0) {
+      grouped.set(resource.space, [resource]);
+    } else {
+      entries.push(resource);
+    }
+  }
+  const out = {};
+  for (const [space, entries] of grouped.entries()) {
+    out[space] = resourceCapabilitiesToAbilitiesMap(entries);
+  }
+  return out;
+}
 function manifestAbilitiesUnion(resolved) {
   const all = [...resolved.resources];
   for (const delegate of resolved.additionalDelegates) {
@@ -4253,7 +4361,7 @@ function canonicalizeEntryMatches(requested, granted) {
   if (requested.service !== granted.service) {
     return false;
   }
-  if (normalizeSpace(requested.space) !== normalizeSpace(granted.space)) {
+  if (normalizeSpace(requested.space ?? DEFAULT_MANIFEST_SPACE) !== normalizeSpace(granted.space ?? DEFAULT_MANIFEST_SPACE)) {
     return false;
   }
   if (!pathContains(granted.path, requested.path)) {
@@ -4284,7 +4392,7 @@ function pathContains(grantedPath, requestedPath) {
 function cloneEntry(entry) {
   return {
     service: entry.service,
-    space: entry.space,
+    ...entry.space !== void 0 ? { space: entry.space } : {},
     path: entry.path,
     actions: [...entry.actions],
     ...entry.skipPrefix !== void 0 ? { skipPrefix: entry.skipPrefix } : {},
@@ -4314,7 +4422,9 @@ function parseRecapCapabilities(parseWasm, siwe) {
     };
   });
   normalized.sort((a, b) => {
-    if (a.space !== b.space) return a.space < b.space ? -1 : 1;
+    const aSpace = a.space ?? DEFAULT_MANIFEST_SPACE;
+    const bSpace = b.space ?? DEFAULT_MANIFEST_SPACE;
+    if (aSpace !== bSpace) return aSpace < bSpace ? -1 : 1;
     if (a.service !== b.service) return a.service < b.service ? -1 : 1;
     if (a.path !== b.path) return a.path < b.path ? -1 : 1;
     return 0;
@@ -4323,12 +4433,16 @@ function parseRecapCapabilities(parseWasm, siwe) {
 }
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  ACCOUNT_REGISTRY_PATH,
+  ACCOUNT_REGISTRY_SPACE,
   AutoApproveSpaceCreationHandler,
   CapabilityKeyRegistry,
   CapabilityKeyRegistryErrorCodes,
   ClientSessionSchema,
   DEFAULT_DEFAULTS,
   DEFAULT_EXPIRY,
+  DEFAULT_MANIFEST_SPACE,
+  DEFAULT_MANIFEST_VERSION,
   DataVaultService,
   DatabaseHandle,
   DelegationErrorCodes,
@@ -4366,6 +4480,7 @@ function parseRecapCapabilities(parseWasm, siwe) {
   applyPrefix,
   buildSpaceUri,
   checkNodeInfo,
+  composeManifestRequest,
   createCapabilityKeyRegistry,
   createSharingService,
   createSpaceService,
@@ -4387,6 +4502,7 @@ function parseRecapCapabilities(parseWasm, siwe) {
   parseSpaceUri,
   resolveManifest,
   resourceCapabilitiesToAbilitiesMap,
+  resourceCapabilitiesToSpaceAbilitiesMap,
   serviceError,
   submitHostDelegation,
   validateClientSession,