npm - @tinycloud/sdk-core - Versions diffs - 2.2.0-beta.7 → 2.2.0-beta.9 - Mend

@tinycloud/sdk-core 2.2.0-beta.7 → 2.2.0-beta.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.cjs CHANGED Viewed

@@ -75,6 +75,7 @@ __export(index_exports, {
   SpaceService: () => SpaceService,
   TinyCloud: () => TinyCloud,
   UnsupportedFeatureError: () => UnsupportedFeatureError,
+  VAULT_PERMISSION_SERVICE: () => VAULT_PERMISSION_SERVICE,
   VaultHeaders: () => import_sdk_services4.VaultHeaders,
   VaultPublicSpaceKVActions: () => import_sdk_services4.VaultPublicSpaceKVActions,
   VersionCheckError: () => VersionCheckError,
@@ -93,6 +94,8 @@ __export(index_exports, {
   defaultSpaceCreationHandler: () => defaultSpaceCreationHandler,
   err: () => import_sdk_services4.err,
   expandActionShortNames: () => expandActionShortNames,
+  expandPermissionEntries: () => expandPermissionEntries,
+  expandPermissionEntry: () => expandPermissionEntry,
   fetchLocationRecord: () => fetchLocationRecord,
   fetchPeerId: () => fetchPeerId,
   httpUrlToMultiaddr: () => httpUrlToMultiaddr,
@@ -2797,6 +2800,7 @@ var ACCOUNT_REGISTRY_SPACE = "account";
 var ACCOUNT_REGISTRY_PATH = "applications/";
 var SECRETS_SPACE = "secrets";
 var SECRET_NAME_RE = /^[A-Z][A-Z0-9_]*$/;
+var VAULT_PERMISSION_SERVICE = "tinycloud.vault";
 var SERVICE_SHORT_TO_LONG = Object.freeze({
   kv: "tinycloud.kv",
   sql: "tinycloud.sql",
@@ -2879,6 +2883,20 @@ function expandActionShortNames(service, actions) {
     return `${service}/${a}`;
   });
 }
+function expandPermissionEntry(entry) {
+  if (entry.service !== VAULT_PERMISSION_SERVICE) {
+    return [
+      {
+        ...entry,
+        actions: expandActionShortNames(entry.service, entry.actions)
+      }
+    ];
+  }
+  return expandVaultPermissionEntry(entry);
+}
+function expandPermissionEntries(entries) {
+  return entries.flatMap(expandPermissionEntry);
+}
 function applyPrefix(prefix, path, skipPrefix) {
   if (skipPrefix) {
     return path;
@@ -3006,6 +3024,16 @@ function validatePermissionEntry(p, path) {
       `${path}.actions must be a non-empty array`
     );
   }
+  for (const action of entry.actions) {
+    if (typeof action !== "string" || action.length === 0) {
+      throw new ManifestValidationError(
+        `${path}.actions must contain non-empty strings`
+      );
+    }
+    if (entry.service === VAULT_PERMISSION_SERVICE) {
+      vaultActionExpansion(action);
+    }
+  }
   if (entry.expiry !== void 0) {
     parseExpiry(entry.expiry);
   }
@@ -3055,7 +3083,7 @@ function resolveManifest(input) {
     ...secretEntries
   ];
   const resources = withCapabilitiesReadForSpaces(
-    allEntries.map((entry) => resolveEntry(entry, prefix, expiryMs, space))
+    allEntries.flatMap((entry) => resolveEntry(entry, prefix, expiryMs, space))
   );
   const additionalDelegates = manifest.did === void 0 ? [] : [
     {
@@ -3167,19 +3195,85 @@ function resolveEntry(entry, prefix, _inheritedExpiryMs, inheritedSpace) {
     entry.path,
     entry.skipPrefix === true
   );
-  const resolvedActions = expandActionShortNames(entry.service, entry.actions);
   const entryExpiryMs = entry.expiry !== void 0 ? parseExpiry(entry.expiry) : void 0;
-  return {
-    service: entry.service,
+  return expandPermissionEntry({
+    ...entry,
     space: entry.space ?? inheritedSpace,
     path: resolvedPath,
-    actions: resolvedActions,
+    skipPrefix: true
+  }).map((expanded) => ({
+    service: expanded.service,
+    space: expanded.space ?? inheritedSpace,
+    path: expanded.path,
+    actions: expanded.actions,
     // Only populate `expiryMs` when the entry had its own expiry override.
     // When absent, callers use the parent (delegation or manifest) expiry
     // which is carried on ResolvedDelegate.expiryMs / ResolvedCapabilities.expiryMs.
     ...entryExpiryMs !== void 0 ? { expiryMs: entryExpiryMs } : {},
     ...entry.description !== void 0 ? { description: entry.description } : {}
-  };
+  }));
+}
+function expandVaultPermissionEntry(entry) {
+  const byBase = /* @__PURE__ */ new Map();
+  for (const action of entry.actions) {
+    const expansion = vaultActionExpansion(action);
+    for (const base of expansion.bases) {
+      const actions = byBase.get(base) ?? [];
+      if (!actions.includes(expansion.action)) {
+        actions.push(expansion.action);
+      }
+      byBase.set(base, actions);
+    }
+  }
+  return [...byBase.entries()].map(([base, actions]) => ({
+    ...entry,
+    service: "tinycloud.kv",
+    path: vaultKVPath(base, entry.path),
+    actions,
+    skipPrefix: true
+  }));
+}
+function vaultActionExpansion(action) {
+  const normalized = normalizeVaultAction(action);
+  if (normalized === "read" || normalized === "get") {
+    return { bases: ["keys", "vault"], action: "tinycloud.kv/get" };
+  }
+  if (normalized === "write" || normalized === "put") {
+    return { bases: ["keys", "vault"], action: "tinycloud.kv/put" };
+  }
+  if (normalized === "delete" || normalized === "del") {
+    return { bases: ["keys", "vault"], action: "tinycloud.kv/del" };
+  }
+  if (normalized === "list") {
+    return { bases: ["vault"], action: "tinycloud.kv/list" };
+  }
+  if (normalized === "head") {
+    return { bases: ["vault"], action: "tinycloud.kv/get" };
+  }
+  if (normalized === "metadata") {
+    return { bases: ["vault"], action: "tinycloud.kv/metadata" };
+  }
+  throw new ManifestValidationError(
+    `unknown vault action ${JSON.stringify(action)}; expected read, write, delete, get, put, del, list, head, or metadata`
+  );
+}
+function normalizeVaultAction(action) {
+  if (action.startsWith(`${VAULT_PERMISSION_SERVICE}/`)) {
+    return action.slice(`${VAULT_PERMISSION_SERVICE}/`.length);
+  }
+  if (action.startsWith("tinycloud.kv/")) {
+    return action.slice("tinycloud.kv/".length);
+  }
+  if (action.includes("/")) {
+    throw new ManifestValidationError(
+      `unknown vault action ${JSON.stringify(action)}; expected a tinycloud.vault or tinycloud.kv action`
+    );
+  }
+  return action;
+}
+function vaultKVPath(base, path) {
+  const normalized = path.startsWith("/") ? path.slice(1) : path;
+  return `${base}/${normalized}`;
 }
 function cloneResourceCapability(entry) {
   return {
@@ -5049,6 +5143,7 @@ function parseRecapCapabilities(parseWasm, siwe) {
   SpaceService,
   TinyCloud,
   UnsupportedFeatureError,
+  VAULT_PERMISSION_SERVICE,
   VaultHeaders,
   VaultPublicSpaceKVActions,
   VersionCheckError,
@@ -5067,6 +5162,8 @@ function parseRecapCapabilities(parseWasm, siwe) {
   defaultSpaceCreationHandler,
   err,
   expandActionShortNames,
+  expandPermissionEntries,
+  expandPermissionEntry,
   fetchLocationRecord,
   fetchPeerId,
   httpUrlToMultiaddr,