npm - @tinycloud/sdk-core - Versions diffs - 2.2.0-beta.6 → 2.2.0-beta.7 - Mend

@tinycloud/sdk-core 2.2.0-beta.6 → 2.2.0-beta.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js CHANGED Viewed

@@ -154,6 +154,7 @@ var Space = class {
     this._id = config.id;
     this._name = config.name;
     this._kv = config.createKV(config.id);
+    this._vault = config.createVault(config.id);
     this._delegations = config.createDelegations(config.id);
     this._sharing = config.createSharing(config.id);
     this._getInfo = config.getInfo;
@@ -176,6 +177,12 @@ var Space = class {
   get kv() {
     return this._kv;
   }
+  /**
+   * Data Vault operations scoped to this space.
+   */
+  get vault() {
+    return this._vault;
+  }
   /**
    * Delegation operations scoped to this space.
    */
@@ -559,6 +566,8 @@ var SpaceConfigSchema = z4.object({
   name: z4.string(),
   /** Factory function to create a space-scoped KV service */
   createKV: z4.function(),
+  /** Factory function to create a space-scoped Data Vault service */
+  createVault: z4.function(),
   /** Factory function to create space-scoped delegations */
   createDelegations: z4.function(),
   /** Factory function to create space-scoped sharing */
@@ -579,6 +588,8 @@ var SpaceServiceConfigSchema = z4.object({
   capabilityRegistry: z4.unknown().optional(),
   /** Factory function to create a space-scoped KV service */
   createKVService: z4.function().optional(),
+  /** Factory function to create a space-scoped Data Vault service */
+  createVaultService: z4.function().optional(),
   /** User's PKH DID (derived from address or provided explicitly) */
   userDid: z4.string().optional(),
   /** Optional SharingService for v2 sharing links (client-side) */
@@ -820,6 +831,7 @@ var SpaceService = class {
     this.fetchFn = config.fetch ?? globalThis.fetch.bind(globalThis);
     this.capabilityRegistry = config.capabilityRegistry;
     this.createKVServiceFn = config.createKVService;
+    this.createVaultServiceFn = config.createVaultService;
     this._userDid = config.userDid;
     this.sharingService = config.sharingService;
     this.createDelegationFn = config.createDelegation;
@@ -834,6 +846,7 @@ var SpaceService = class {
     if (config.fetch) this.fetchFn = config.fetch;
     if (config.capabilityRegistry) this.capabilityRegistry = config.capabilityRegistry;
     if (config.createKVService) this.createKVServiceFn = config.createKVService;
+    if (config.createVaultService) this.createVaultServiceFn = config.createVaultService;
     if (config.userDid !== void 0) this._userDid = config.userDid;
     if (config.sharingService) this.sharingService = config.sharingService;
     if (config.createDelegation) this.createDelegationFn = config.createDelegation;
@@ -1116,6 +1129,7 @@ var SpaceService = class {
       id: spaceId,
       name,
       createKV: this.createSpaceScopedKV.bind(this),
+      createVault: this.createSpaceScopedVault.bind(this),
       createDelegations: this.createSpaceScopedDelegations.bind(this),
       createSharing: this.createSpaceScopedSharing.bind(this),
       getInfo: this.getSpaceInfo.bind(this)
@@ -1245,6 +1259,21 @@ var SpaceService = class {
       }
     });
   }
+  /**
+   * Create a space-scoped Data Vault service.
+   */
+  createSpaceScopedVault(spaceId) {
+    if (this.createVaultServiceFn) {
+      return this.createVaultServiceFn(spaceId);
+    }
+    return new Proxy({}, {
+      get: () => {
+        throw new Error(
+          "Vault service factory not configured. Provide createVaultService in SpaceServiceConfig."
+        );
+      }
+    });
+  }
   /**
    * Create space-scoped delegation operations.
    */
@@ -1989,7 +2018,8 @@ import {
   DataVaultService,
   VaultHeaders,
   VaultPublicSpaceKVActions,
-  createVaultCrypto
+  createVaultCrypto,
+  SecretsService
 } from "@tinycloud/sdk-services";
 // src/space.ts
@@ -2670,6 +2700,8 @@ var DEFAULT_MANIFEST_VERSION = 1;
 var DEFAULT_MANIFEST_SPACE = "applications";
 var ACCOUNT_REGISTRY_SPACE = "account";
 var ACCOUNT_REGISTRY_PATH = "applications/";
+var SECRETS_SPACE = "secrets";
+var SECRET_NAME_RE = /^[A-Z][A-Z0-9_]*$/;
 var SERVICE_SHORT_TO_LONG = Object.freeze({
   kv: "tinycloud.kv",
   sql: "tinycloud.sql",
@@ -2823,8 +2855,39 @@ function validateManifest(input) {
       (p, i) => validatePermissionEntry(p, `permissions[${i}]`)
     );
   }
+  if (m.secrets !== void 0) {
+    validateManifestSecrets(m.secrets);
+  }
   return m;
 }
+function validateManifestSecrets(secrets) {
+  if (secrets === null || typeof secrets !== "object" || Array.isArray(secrets)) {
+    throw new ManifestValidationError("manifest.secrets must be an object");
+  }
+  for (const [name, spec] of Object.entries(secrets)) {
+    if (!SECRET_NAME_RE.test(name)) {
+      throw new ManifestValidationError(
+        `manifest.secrets.${name} must match ${SECRET_NAME_RE.source}`
+      );
+    }
+    const actions = secretActionsFromSpec(name, spec);
+    if (actions.length === 0) {
+      throw new ManifestValidationError(
+        `manifest.secrets.${name} actions must be non-empty`
+      );
+    }
+    for (const action of actions) {
+      if (typeof action !== "string" || action.length === 0) {
+        throw new ManifestValidationError(
+          `manifest.secrets.${name} actions must be non-empty strings`
+        );
+      }
+    }
+    if (spec !== null && typeof spec === "object" && !Array.isArray(spec) && spec.expiry !== void 0) {
+      parseExpiry(spec.expiry);
+    }
+  }
+}
 function validatePermissionEntry(p, path) {
   if (p === null || typeof p !== "object") {
     throw new ManifestValidationError(`${path} must be an object`);
@@ -2890,7 +2953,12 @@ function resolveManifest(input) {
   const tier = normalizeDefaults(manifest.defaults);
   const defaultEntries = defaultEntriesForTier(tier);
   const explicitEntries = manifest.permissions ?? [];
-  const allEntries = [...defaultEntries, ...explicitEntries];
+  const secretEntries = secretEntriesForManifest(manifest.secrets);
+  const allEntries = [
+    ...defaultEntries,
+    ...explicitEntries,
+    ...secretEntries
+  ];
   const resources = withCapabilitiesReadForSpaces(
     allEntries.map((entry) => resolveEntry(entry, prefix, expiryMs, space))
   );
@@ -2912,6 +2980,92 @@ function resolveManifest(input) {
     additionalDelegates
   };
 }
+function normalizeSecretActions(actions) {
+  const out = [];
+  const seen = /* @__PURE__ */ new Set();
+  const add = (action) => {
+    if (!seen.has(action)) {
+      out.push(action);
+      seen.add(action);
+    }
+  };
+  for (const action of actions) {
+    if (action === "read") {
+      add("get");
+      continue;
+    }
+    if (action === "write") {
+      add("put");
+      continue;
+    }
+    if (action === "delete") {
+      add("del");
+      continue;
+    }
+    if (action === "get" || action === "put" || action === "del" || action === "list" || action === "metadata") {
+      add(action);
+      continue;
+    }
+    if (action === "tinycloud.kv/get" || action === "tinycloud.kv/put" || action === "tinycloud.kv/del" || action === "tinycloud.kv/list" || action === "tinycloud.kv/metadata") {
+      add(action);
+      continue;
+    }
+    throw new ManifestValidationError(
+      `unknown secret action ${JSON.stringify(action)}; expected read, write, delete, list, or metadata`
+    );
+  }
+  return out;
+}
+function secretActionsFromSpec(name, spec) {
+  if (spec === true) {
+    return ["read"];
+  }
+  if (typeof spec === "string") {
+    return [spec];
+  }
+  if (Array.isArray(spec)) {
+    return spec;
+  }
+  if (spec === null || typeof spec !== "object") {
+    throw new ManifestValidationError(
+      `manifest.secrets.${name} must be true, a string action, an actions array, or an object`
+    );
+  }
+  if (spec.actions === void 0) {
+    return ["read"];
+  }
+  if (typeof spec.actions === "string") {
+    return [spec.actions];
+  }
+  if (Array.isArray(spec.actions)) {
+    return spec.actions;
+  }
+  throw new ManifestValidationError(
+    `manifest.secrets.${name}.actions must be a string or array`
+  );
+}
+function secretEntriesForManifest(secrets) {
+  if (secrets === void 0) {
+    return [];
+  }
+  const entries = [];
+  for (const [name, spec] of Object.entries(secrets)) {
+    const actions = secretActionsFromSpec(name, spec);
+    const extra = spec !== true && typeof spec === "object" && !Array.isArray(spec) ? spec : {};
+    for (const base of ["keys", "vault"]) {
+      entries.push({
+        service: "tinycloud.kv",
+        space: SECRETS_SPACE,
+        path: `${base}/secrets/${name}`,
+        actions: normalizeSecretActions(actions),
+        skipPrefix: true,
+        ...extra.expiry !== void 0 ? { expiry: extra.expiry } : {},
+        ...extra.description !== void 0 ? { description: extra.description } : {}
+      });
+    }
+  }
+  return entries;
+}
 function resolveEntry(entry, prefix, _inheritedExpiryMs, inheritedSpace) {
   const resolvedPath = applyPrefix(
     prefix,
@@ -4787,6 +4941,7 @@ export {
   SERVICE_SHORT_TO_LONG,
   SQLAction,
   SQLService2 as SQLService,
+  SecretsService,
   ServiceContext2 as ServiceContext,
   SessionExpiredError,
   SharingService,