npm - @tinycloud/sdk-core - Versions diffs - 2.1.0 → 2.2.0-beta.1 - Mend

@tinycloud/sdk-core 2.1.0 → 2.2.0-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js CHANGED Viewed

@@ -2666,6 +2666,10 @@ var ManifestValidationError = class extends Error {
 };
 var DEFAULT_EXPIRY = "30d";
 var DEFAULT_DEFAULTS = true;
+var DEFAULT_MANIFEST_VERSION = 1;
+var DEFAULT_MANIFEST_SPACE = "applications";
+var ACCOUNT_REGISTRY_SPACE = "account";
+var ACCOUNT_REGISTRY_PATH = "applications/";
 var SERVICE_SHORT_TO_LONG = Object.freeze({
   kv: "tinycloud.kv",
   sql: "tinycloud.sql",
@@ -2681,19 +2685,19 @@ var SERVICE_LONG_TO_SHORT = Object.freeze(
 var DEFAULT_STANDARD_ENTRIES = [
   {
     service: "tinycloud.kv",
-    space: "default",
+    space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["get", "put", "del", "list", "metadata"]
   },
   {
     service: "tinycloud.sql",
-    space: "default",
+    space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["read", "write"]
   },
   {
     service: "tinycloud.capabilities",
-    space: "default",
+    space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["read"]
   }
@@ -2701,19 +2705,19 @@ var DEFAULT_STANDARD_ENTRIES = [
 var DEFAULT_ADMIN_ENTRIES = [
   {
     service: "tinycloud.kv",
-    space: "default",
+    space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["get", "put", "del", "list", "metadata"]
   },
   {
     service: "tinycloud.sql",
-    space: "default",
+    space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["read", "write", "ddl"]
   },
   {
     service: "tinycloud.capabilities",
-    space: "default",
+    space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["read", "admin"]
   }
@@ -2721,25 +2725,25 @@ var DEFAULT_ADMIN_ENTRIES = [
 var DEFAULT_ALL_ENTRIES = [
   {
     service: "tinycloud.kv",
-    space: "default",
+    space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["get", "put", "del", "list", "metadata"]
   },
   {
     service: "tinycloud.sql",
-    space: "default",
+    space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["read", "write", "ddl"]
   },
   {
     service: "tinycloud.duckdb",
-    space: "default",
+    space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["read", "write"]
   },
   {
     service: "tinycloud.capabilities",
-    space: "default",
+    space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["read", "admin"]
   }
@@ -2750,9 +2754,7 @@ function parseExpiry(duration) {
       `expiry must be a non-empty duration string (got ${JSON.stringify(duration)})`
     );
   }
-  const parsed = ms(
-    duration
-  );
+  const parsed = ms(duration);
   if (typeof parsed !== "number" || !Number.isFinite(parsed) || parsed <= 0) {
     throw new ManifestValidationError(
       `invalid expiry duration: ${JSON.stringify(duration)}`
@@ -2801,46 +2803,44 @@ function validateManifest(input) {
     throw new ManifestValidationError("manifest must be an object");
   }
   const m = input;
-  if (typeof m.id !== "string" || m.id.length === 0) {
-    throw new ManifestValidationError("manifest.id is required and must be a non-empty string");
+  if (m.manifest_version !== void 0 && m.manifest_version !== DEFAULT_MANIFEST_VERSION) {
+    throw new ManifestValidationError(
+      `manifest.manifest_version must be ${DEFAULT_MANIFEST_VERSION}`
+    );
+  }
+  if (typeof m.app_id !== "string" || m.app_id.length === 0) {
+    throw new ManifestValidationError(
+      "manifest.app_id is required and must be a non-empty string"
+    );
   }
   if (typeof m.name !== "string" || m.name.length === 0) {
-    throw new ManifestValidationError("manifest.name is required and must be a non-empty string");
+    throw new ManifestValidationError(
+      "manifest.name is required and must be a non-empty string"
+    );
+  }
+  if (m.did !== void 0 && (typeof m.did !== "string" || m.did.length === 0)) {
+    throw new ManifestValidationError(
+      "manifest.did must be a non-empty DID string"
+    );
+  }
+  if (m.space !== void 0 && (typeof m.space !== "string" || m.space.length === 0)) {
+    throw new ManifestValidationError(
+      "manifest.space must be a non-empty string"
+    );
   }
   if (m.expiry !== void 0) {
     parseExpiry(m.expiry);
   }
   if (m.permissions !== void 0) {
     if (!Array.isArray(m.permissions)) {
-      throw new ManifestValidationError("manifest.permissions must be an array");
+      throw new ManifestValidationError(
+        "manifest.permissions must be an array"
+      );
     }
     m.permissions.forEach(
       (p, i) => validatePermissionEntry(p, `permissions[${i}]`)
     );
   }
-  if (m.delegations !== void 0) {
-    if (!Array.isArray(m.delegations)) {
-      throw new ManifestValidationError("manifest.delegations must be an array");
-    }
-    m.delegations.forEach((d, i) => {
-      if (typeof d?.to !== "string" || d.to.length === 0) {
-        throw new ManifestValidationError(
-          `delegations[${i}].to is required and must be a non-empty DID string`
-        );
-      }
-      if (d.expiry !== void 0) {
-        parseExpiry(d.expiry);
-      }
-      if (!Array.isArray(d.permissions)) {
-        throw new ManifestValidationError(
-          `delegations[${i}].permissions must be an array`
-        );
-      }
-      d.permissions.forEach(
-        (p, j) => validatePermissionEntry(p, `delegations[${i}].permissions[${j}]`)
-      );
-    });
-  }
   return m;
 }
 function validatePermissionEntry(p, path) {
@@ -2851,8 +2851,10 @@ function validatePermissionEntry(p, path) {
   if (typeof entry.service !== "string" || entry.service.length === 0) {
     throw new ManifestValidationError(`${path}.service is required`);
   }
-  if (typeof entry.space !== "string" || entry.space.length === 0) {
-    throw new ManifestValidationError(`${path}.space is required`);
+  if (entry.space !== void 0 && (typeof entry.space !== "string" || entry.space.length === 0)) {
+    throw new ManifestValidationError(
+      `${path}.space must be a non-empty string`
+    );
   }
   if (typeof entry.path !== "string") {
     throw new ManifestValidationError(
@@ -2898,7 +2900,8 @@ function defaultEntriesForTier(tier) {
 }
 function resolveManifest(input) {
   const manifest = validateManifest(input);
-  const prefix = manifest.prefix !== void 0 ? manifest.prefix : manifest.id;
+  const prefix = manifest.prefix !== void 0 ? manifest.prefix : manifest.app_id;
+  const space = manifest.space ?? DEFAULT_MANIFEST_SPACE;
   const expiryMs = parseExpiry(manifest.expiry ?? DEFAULT_EXPIRY);
   const includePublicSpace = manifest.includePublicSpace ?? true;
   const tier = normalizeDefaults(manifest.defaults);
@@ -2906,29 +2909,27 @@ function resolveManifest(input) {
   const explicitEntries = manifest.permissions ?? [];
   const allEntries = [...defaultEntries, ...explicitEntries];
   const resources = allEntries.map(
-    (entry) => resolveEntry(entry, prefix, expiryMs)
+    (entry) => resolveEntry(entry, prefix, expiryMs, space)
   );
-  const additionalDelegates = (manifest.delegations ?? []).map((d) => ({
-    did: d.to,
-    name: d.name,
-    expiryMs: parseExpiry(d.expiry ?? manifest.expiry ?? DEFAULT_EXPIRY),
-    permissions: d.permissions.map(
-      (entry) => resolveEntry(
-        entry,
-        prefix,
-        parseExpiry(d.expiry ?? manifest.expiry ?? DEFAULT_EXPIRY)
-      )
-    )
-  }));
+  const additionalDelegates = manifest.did === void 0 ? [] : [
+    {
+      did: manifest.did,
+      name: manifest.name,
+      expiryMs,
+      permissions: resources.map(cloneResourceCapability)
+    }
+  ];
   return {
-    id: manifest.id,
+    app_id: manifest.app_id,
+    ...manifest.did !== void 0 ? { did: manifest.did } : {},
+    space,
     resources,
     expiryMs,
     includePublicSpace,
     additionalDelegates
   };
 }
-function resolveEntry(entry, prefix, _inheritedExpiryMs) {
+function resolveEntry(entry, prefix, _inheritedExpiryMs, inheritedSpace) {
   const resolvedPath = applyPrefix(
     prefix,
     entry.path,
@@ -2938,13 +2939,110 @@ function resolveEntry(entry, prefix, _inheritedExpiryMs) {
   const entryExpiryMs = entry.expiry !== void 0 ? parseExpiry(entry.expiry) : void 0;
   return {
     service: entry.service,
-    space: entry.space,
+    space: entry.space ?? inheritedSpace,
     path: resolvedPath,
     actions: resolvedActions,
     // Only populate `expiryMs` when the entry had its own expiry override.
     // When absent, callers use the parent (delegation or manifest) expiry
     // which is carried on ResolvedDelegate.expiryMs / ResolvedCapabilities.expiryMs.
-    ...entryExpiryMs !== void 0 ? { expiryMs: entryExpiryMs } : {}
+    ...entryExpiryMs !== void 0 ? { expiryMs: entryExpiryMs } : {},
+    ...entry.description !== void 0 ? { description: entry.description } : {}
+  };
+}
+function cloneResourceCapability(entry) {
+  return {
+    service: entry.service,
+    space: entry.space,
+    path: entry.path,
+    actions: [...entry.actions],
+    ...entry.expiryMs !== void 0 ? { expiryMs: entry.expiryMs } : {},
+    ...entry.description !== void 0 ? { description: entry.description } : {}
+  };
+}
+function clonePermissionEntry(entry) {
+  return {
+    service: entry.service,
+    ...entry.space !== void 0 ? { space: entry.space } : {},
+    path: entry.path,
+    actions: [...entry.actions],
+    ...entry.skipPrefix !== void 0 ? { skipPrefix: entry.skipPrefix } : {},
+    ...entry.expiry !== void 0 ? { expiry: entry.expiry } : {},
+    ...entry.description !== void 0 ? { description: entry.description } : {}
+  };
+}
+function dedupeResources(resources) {
+  const byKey = /* @__PURE__ */ new Map();
+  for (const resource of resources) {
+    const key = `${resource.service}\0${resource.space}\0${resource.path}\0${resource.expiryMs ?? ""}`;
+    const existing = byKey.get(key);
+    if (existing === void 0) {
+      byKey.set(key, cloneResourceCapability(resource));
+      continue;
+    }
+    const seen = new Set(existing.actions);
+    for (const action of resource.actions) {
+      if (!seen.has(action)) {
+        existing.actions.push(action);
+        seen.add(action);
+      }
+    }
+    if (existing.description === void 0 && resource.description !== void 0) {
+      existing.description = resource.description;
+    }
+  }
+  return [...byKey.values()];
+}
+function accountRegistryPermission() {
+  return {
+    service: "tinycloud.kv",
+    space: ACCOUNT_REGISTRY_SPACE,
+    path: ACCOUNT_REGISTRY_PATH,
+    actions: ["tinycloud.kv/get", "tinycloud.kv/put", "tinycloud.kv/list"]
+  };
+}
+function composeManifestRequest(inputs, options = {}) {
+  if (!Array.isArray(inputs) || inputs.length === 0) {
+    throw new ManifestValidationError(
+      "composeManifestRequest requires at least one manifest"
+    );
+  }
+  const includeAccountRegistryPermissions = options.includeAccountRegistryPermissions ?? true;
+  const manifests = inputs.map(validateManifest);
+  const resolved = manifests.map(resolveManifest);
+  const resources = resolved.flatMap((entry) => entry.resources);
+  const delegationTargets = resolved.flatMap(
+    (entry) => entry.additionalDelegates.map((delegate) => ({
+      ...delegate,
+      permissions: dedupeResources(delegate.permissions)
+    }))
+  );
+  if (includeAccountRegistryPermissions) {
+    resources.push(accountRegistryPermission());
+  }
+  const manifestsByAppId = /* @__PURE__ */ new Map();
+  for (const manifest of manifests) {
+    const current = manifestsByAppId.get(manifest.app_id);
+    if (current === void 0) {
+      manifestsByAppId.set(manifest.app_id, [manifest]);
+    } else {
+      current.push(manifest);
+    }
+  }
+  const registryRecords = includeAccountRegistryPermissions ? [...manifestsByAppId.entries()].map(([app_id, appManifests]) => ({
+    key: `${ACCOUNT_REGISTRY_PATH}${app_id}`,
+    app_id,
+    manifests: appManifests.map((manifest) => ({
+      ...manifest,
+      permissions: manifest.permissions?.map(clonePermissionEntry)
+    }))
+  })) : [];
+  return {
+    manifests,
+    resources: dedupeResources(resources),
+    delegationTargets,
+    registryRecords,
+    expiryMs: Math.max(...resolved.map((entry) => entry.expiryMs)),
+    includePublicSpace: resolved.some((entry) => entry.includePublicSpace)
   };
 }
 function resourceCapabilitiesToAbilitiesMap(resources) {
@@ -2975,6 +3073,22 @@ function resourceCapabilitiesToAbilitiesMap(resources) {
   }
   return out;
 }
+function resourceCapabilitiesToSpaceAbilitiesMap(resources) {
+  const grouped = /* @__PURE__ */ new Map();
+  for (const resource of resources) {
+    const entries = grouped.get(resource.space);
+    if (entries === void 0) {
+      grouped.set(resource.space, [resource]);
+    } else {
+      entries.push(resource);
+    }
+  }
+  const out = {};
+  for (const [space, entries] of grouped.entries()) {
+    out[space] = resourceCapabilitiesToAbilitiesMap(entries);
+  }
+  return out;
+}
 function manifestAbilitiesUnion(resolved) {
   const all = [...resolved.resources];
   for (const delegate of resolved.additionalDelegates) {
@@ -4179,7 +4293,7 @@ function canonicalizeEntryMatches(requested, granted) {
   if (requested.service !== granted.service) {
     return false;
   }
-  if (normalizeSpace(requested.space) !== normalizeSpace(granted.space)) {
+  if (normalizeSpace(requested.space ?? DEFAULT_MANIFEST_SPACE) !== normalizeSpace(granted.space ?? DEFAULT_MANIFEST_SPACE)) {
     return false;
   }
   if (!pathContains(granted.path, requested.path)) {
@@ -4210,7 +4324,7 @@ function pathContains(grantedPath, requestedPath) {
 function cloneEntry(entry) {
   return {
     service: entry.service,
-    space: entry.space,
+    ...entry.space !== void 0 ? { space: entry.space } : {},
     path: entry.path,
     actions: [...entry.actions],
     ...entry.skipPrefix !== void 0 ? { skipPrefix: entry.skipPrefix } : {},
@@ -4240,7 +4354,9 @@ function parseRecapCapabilities(parseWasm, siwe) {
     };
   });
   normalized.sort((a, b) => {
-    if (a.space !== b.space) return a.space < b.space ? -1 : 1;
+    const aSpace = a.space ?? DEFAULT_MANIFEST_SPACE;
+    const bSpace = b.space ?? DEFAULT_MANIFEST_SPACE;
+    if (aSpace !== bSpace) return aSpace < bSpace ? -1 : 1;
     if (a.service !== b.service) return a.service < b.service ? -1 : 1;
     if (a.path !== b.path) return a.path < b.path ? -1 : 1;
     return 0;
@@ -4248,12 +4364,16 @@ function parseRecapCapabilities(parseWasm, siwe) {
   return normalized;
 }
 export {
+  ACCOUNT_REGISTRY_PATH,
+  ACCOUNT_REGISTRY_SPACE,
   AutoApproveSpaceCreationHandler,
   CapabilityKeyRegistry,
   CapabilityKeyRegistryErrorCodes,
   ClientSessionSchema,
   DEFAULT_DEFAULTS,
   DEFAULT_EXPIRY,
+  DEFAULT_MANIFEST_SPACE,
+  DEFAULT_MANIFEST_VERSION,
   DataVaultService,
   DatabaseHandle,
   DelegationErrorCodes,
@@ -4291,6 +4411,7 @@ export {
   applyPrefix,
   buildSpaceUri,
   checkNodeInfo,
+  composeManifestRequest,
   createCapabilityKeyRegistry,
   createSharingService,
   createSpaceService,
@@ -4312,6 +4433,7 @@ export {
   parseSpaceUri,
   resolveManifest,
   resourceCapabilitiesToAbilitiesMap,
+  resourceCapabilitiesToSpaceAbilitiesMap,
   serviceError4 as serviceError,
   submitHostDelegation,
   validateClientSession,