@tinycloud/sdk-core 2.2.0-beta.4 → 2.2.0-beta.7

package/dist/index.js

@@ -154,6 +154,7 @@ var Space = class {
     this._id = config.id;
     this._name = config.name;
     this._kv = config.createKV(config.id);
+    this._vault = config.createVault(config.id);
     this._delegations = config.createDelegations(config.id);
     this._sharing = config.createSharing(config.id);
     this._getInfo = config.getInfo;
@@ -176,6 +177,12 @@ var Space = class {
   get kv() {
     return this._kv;
   }
+  /**
+   * Data Vault operations scoped to this space.
+   */
+  get vault() {
+    return this._vault;
+  }
   /**
    * Delegation operations scoped to this space.
    */
@@ -559,6 +566,8 @@ var SpaceConfigSchema = z4.object({
   name: z4.string(),
   /** Factory function to create a space-scoped KV service */
   createKV: z4.function(),
+  /** Factory function to create a space-scoped Data Vault service */
+  createVault: z4.function(),
   /** Factory function to create space-scoped delegations */
   createDelegations: z4.function(),
   /** Factory function to create space-scoped sharing */
@@ -579,6 +588,8 @@ var SpaceServiceConfigSchema = z4.object({
   capabilityRegistry: z4.unknown().optional(),
   /** Factory function to create a space-scoped KV service */
   createKVService: z4.function().optional(),
+  /** Factory function to create a space-scoped Data Vault service */
+  createVaultService: z4.function().optional(),
   /** User's PKH DID (derived from address or provided explicitly) */
   userDid: z4.string().optional(),
   /** Optional SharingService for v2 sharing links (client-side) */
@@ -820,6 +831,7 @@ var SpaceService = class {
     this.fetchFn = config.fetch ?? globalThis.fetch.bind(globalThis);
     this.capabilityRegistry = config.capabilityRegistry;
     this.createKVServiceFn = config.createKVService;
+    this.createVaultServiceFn = config.createVaultService;
     this._userDid = config.userDid;
     this.sharingService = config.sharingService;
     this.createDelegationFn = config.createDelegation;
@@ -834,6 +846,7 @@ var SpaceService = class {
     if (config.fetch) this.fetchFn = config.fetch;
     if (config.capabilityRegistry) this.capabilityRegistry = config.capabilityRegistry;
     if (config.createKVService) this.createKVServiceFn = config.createKVService;
+    if (config.createVaultService) this.createVaultServiceFn = config.createVaultService;
     if (config.userDid !== void 0) this._userDid = config.userDid;
     if (config.sharingService) this.sharingService = config.sharingService;
     if (config.createDelegation) this.createDelegationFn = config.createDelegation;
@@ -1116,6 +1129,7 @@ var SpaceService = class {
       id: spaceId,
       name,
       createKV: this.createSpaceScopedKV.bind(this),
+      createVault: this.createSpaceScopedVault.bind(this),
       createDelegations: this.createSpaceScopedDelegations.bind(this),
       createSharing: this.createSpaceScopedSharing.bind(this),
       getInfo: this.getSpaceInfo.bind(this)
@@ -1245,6 +1259,21 @@ var SpaceService = class {
       }
     });
   }
+  /**
+   * Create a space-scoped Data Vault service.
+   */
+  createSpaceScopedVault(spaceId) {
+    if (this.createVaultServiceFn) {
+      return this.createVaultServiceFn(spaceId);
+    }
+    return new Proxy({}, {
+      get: () => {
+        throw new Error(
+          "Vault service factory not configured. Provide createVaultService in SpaceServiceConfig."
+        );
+      }
+    });
+  }
   /**
    * Create space-scoped delegation operations.
    */
@@ -1989,7 +2018,8 @@ import {
   DataVaultService,
   VaultHeaders,
   VaultPublicSpaceKVActions,
-  createVaultCrypto
+  createVaultCrypto,
+  SecretsService
 } from "@tinycloud/sdk-services";
 
 // src/space.ts
@@ -2670,6 +2700,8 @@ var DEFAULT_MANIFEST_VERSION = 1;
 var DEFAULT_MANIFEST_SPACE = "applications";
 var ACCOUNT_REGISTRY_SPACE = "account";
 var ACCOUNT_REGISTRY_PATH = "applications/";
+var SECRETS_SPACE = "secrets";
+var SECRET_NAME_RE = /^[A-Z][A-Z0-9_]*$/;
 var SERVICE_SHORT_TO_LONG = Object.freeze({
   kv: "tinycloud.kv",
   sql: "tinycloud.sql",
@@ -2694,12 +2726,6 @@ var DEFAULT_STANDARD_ENTRIES = [
     space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["read", "write"]
-  },
-  {
-    service: "tinycloud.capabilities",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["read"]
   }
 ];
 var DEFAULT_ADMIN_ENTRIES = [
@@ -2714,12 +2740,6 @@ var DEFAULT_ADMIN_ENTRIES = [
     space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["read", "write", "ddl"]
-  },
-  {
-    service: "tinycloud.capabilities",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["read", "admin"]
   }
 ];
 var DEFAULT_ALL_ENTRIES = [
@@ -2740,12 +2760,6 @@ var DEFAULT_ALL_ENTRIES = [
     space: DEFAULT_MANIFEST_SPACE,
     path: "/",
     actions: ["read", "write"]
-  },
-  {
-    service: "tinycloud.capabilities",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["read", "admin"]
   }
 ];
 function parseExpiry(duration) {
@@ -2841,8 +2855,39 @@ function validateManifest(input) {
       (p, i) => validatePermissionEntry(p, `permissions[${i}]`)
     );
   }
+  if (m.secrets !== void 0) {
+    validateManifestSecrets(m.secrets);
+  }
   return m;
 }
+function validateManifestSecrets(secrets) {
+  if (secrets === null || typeof secrets !== "object" || Array.isArray(secrets)) {
+    throw new ManifestValidationError("manifest.secrets must be an object");
+  }
+  for (const [name, spec] of Object.entries(secrets)) {
+    if (!SECRET_NAME_RE.test(name)) {
+      throw new ManifestValidationError(
+        `manifest.secrets.${name} must match ${SECRET_NAME_RE.source}`
+      );
+    }
+    const actions = secretActionsFromSpec(name, spec);
+    if (actions.length === 0) {
+      throw new ManifestValidationError(
+        `manifest.secrets.${name} actions must be non-empty`
+      );
+    }
+    for (const action of actions) {
+      if (typeof action !== "string" || action.length === 0) {
+        throw new ManifestValidationError(
+          `manifest.secrets.${name} actions must be non-empty strings`
+        );
+      }
+    }
+    if (spec !== null && typeof spec === "object" && !Array.isArray(spec) && spec.expiry !== void 0) {
+      parseExpiry(spec.expiry);
+    }
+  }
+}
 function validatePermissionEntry(p, path) {
   if (p === null || typeof p !== "object") {
     throw new ManifestValidationError(`${path} must be an object`);
@@ -2895,7 +2940,8 @@ function defaultEntriesForTier(tier) {
     service: e.service,
     space: e.space,
     path: e.path,
-    actions: [...e.actions]
+    actions: [...e.actions],
+    ...e.skipPrefix !== void 0 ? { skipPrefix: e.skipPrefix } : {}
   }));
 }
 function resolveManifest(input) {
@@ -2907,9 +2953,14 @@ function resolveManifest(input) {
   const tier = normalizeDefaults(manifest.defaults);
   const defaultEntries = defaultEntriesForTier(tier);
   const explicitEntries = manifest.permissions ?? [];
-  const allEntries = [...defaultEntries, ...explicitEntries];
-  const resources = allEntries.map(
-    (entry) => resolveEntry(entry, prefix, expiryMs, space)
+  const secretEntries = secretEntriesForManifest(manifest.secrets);
+  const allEntries = [
+    ...defaultEntries,
+    ...explicitEntries,
+    ...secretEntries
+  ];
+  const resources = withCapabilitiesReadForSpaces(
+    allEntries.map((entry) => resolveEntry(entry, prefix, expiryMs, space))
   );
   const additionalDelegates = manifest.did === void 0 ? [] : [
     {
@@ -2929,6 +2980,92 @@ function resolveManifest(input) {
     additionalDelegates
   };
 }
+function normalizeSecretActions(actions) {
+  const out = [];
+  const seen = /* @__PURE__ */ new Set();
+  const add = (action) => {
+    if (!seen.has(action)) {
+      out.push(action);
+      seen.add(action);
+    }
+  };
+  for (const action of actions) {
+    if (action === "read") {
+      add("get");
+      continue;
+    }
+    if (action === "write") {
+      add("put");
+      continue;
+    }
+    if (action === "delete") {
+      add("del");
+      continue;
+    }
+    if (action === "get" || action === "put" || action === "del" || action === "list" || action === "metadata") {
+      add(action);
+      continue;
+    }
+    if (action === "tinycloud.kv/get" || action === "tinycloud.kv/put" || action === "tinycloud.kv/del" || action === "tinycloud.kv/list" || action === "tinycloud.kv/metadata") {
+      add(action);
+      continue;
+    }
+    throw new ManifestValidationError(
+      `unknown secret action ${JSON.stringify(action)}; expected read, write, delete, list, or metadata`
+    );
+  }
+  return out;
+}
+function secretActionsFromSpec(name, spec) {
+  if (spec === true) {
+    return ["read"];
+  }
+  if (typeof spec === "string") {
+    return [spec];
+  }
+  if (Array.isArray(spec)) {
+    return spec;
+  }
+  if (spec === null || typeof spec !== "object") {
+    throw new ManifestValidationError(
+      `manifest.secrets.${name} must be true, a string action, an actions array, or an object`
+    );
+  }
+  if (spec.actions === void 0) {
+    return ["read"];
+  }
+  if (typeof spec.actions === "string") {
+    return [spec.actions];
+  }
+  if (Array.isArray(spec.actions)) {
+    return spec.actions;
+  }
+  throw new ManifestValidationError(
+    `manifest.secrets.${name}.actions must be a string or array`
+  );
+}
+function secretEntriesForManifest(secrets) {
+  if (secrets === void 0) {
+    return [];
+  }
+  const entries = [];
+  for (const [name, spec] of Object.entries(secrets)) {
+    const actions = secretActionsFromSpec(name, spec);
+    const extra = spec !== true && typeof spec === "object" && !Array.isArray(spec) ? spec : {};
+    for (const base of ["keys", "vault"]) {
+      entries.push({
+        service: "tinycloud.kv",
+        space: SECRETS_SPACE,
+        path: `${base}/secrets/${name}`,
+        actions: normalizeSecretActions(actions),
+        skipPrefix: true,
+        ...extra.expiry !== void 0 ? { expiry: extra.expiry } : {},
+        ...extra.description !== void 0 ? { description: extra.description } : {}
+      });
+    }
+  }
+  return entries;
+}
 function resolveEntry(entry, prefix, _inheritedExpiryMs, inheritedSpace) {
   const resolvedPath = applyPrefix(
     prefix,
@@ -2992,6 +3129,24 @@ function dedupeResources(resources) {
   }
   return [...byKey.values()];
 }
+function capabilitiesReadPermission(space) {
+  return {
+    service: "tinycloud.capabilities",
+    space,
+    path: "",
+    actions: ["tinycloud.capabilities/read"]
+  };
+}
+function withCapabilitiesReadForSpaces(resources) {
+  if (resources.length === 0) {
+    return [];
+  }
+  const spaces = new Set(resources.map((resource) => resource.space));
+  return dedupeResources([
+    ...resources,
+    ...[...spaces].map(capabilitiesReadPermission)
+  ]);
+}
 function accountRegistryPermission() {
   return {
     service: "tinycloud.kv",
@@ -3019,6 +3174,7 @@ function composeManifestRequest(inputs, options = {}) {
   if (includeAccountRegistryPermissions) {
     resources.push(accountRegistryPermission());
   }
+  const resourcesWithImplicitCapabilities = withCapabilitiesReadForSpaces(resources);
   const manifestsByAppId = /* @__PURE__ */ new Map();
   for (const manifest of manifests) {
     const current = manifestsByAppId.get(manifest.app_id);
@@ -3038,7 +3194,7 @@ function composeManifestRequest(inputs, options = {}) {
   })) : [];
   return {
     manifests,
-    resources: dedupeResources(resources),
+    resources: resourcesWithImplicitCapabilities,
     delegationTargets,
     registryRecords,
     expiryMs: Math.max(...resolved.map((entry) => entry.expiryMs)),
@@ -4785,6 +4941,7 @@ export {
   SERVICE_SHORT_TO_LONG,
   SQLAction,
   SQLService2 as SQLService,
+  SecretsService,
   ServiceContext2 as ServiceContext,
   SessionExpiredError,
   SharingService,