@tinycloud/sdk-core 2.2.0-beta.7 → 2.2.0

package/dist/index.js

@@ -728,6 +728,23 @@ function validateServerSpaceInfoResponse(data) {
   return { ok: true, data: result.data };
 }
 
+// src/expiry.ts
+var EPHEMERAL_MS = 60 * 60 * 1e3;
+var SIGNED_READ_URL_MS = 5 * 60 * 1e3;
+var SESSION_MS = 7 * 24 * 60 * 60 * 1e3;
+var SHARE_MS = 7 * 24 * 60 * 60 * 1e3;
+var APP_MS = 30 * 24 * 60 * 60 * 1e3;
+var MAX_MS = 10 * 365 * 24 * 60 * 60 * 1e3;
+var EXPIRY = {
+  EPHEMERAL_MS,
+  SIGNED_READ_URL_MS,
+  SESSION_MS,
+  SHARE_MS,
+  APP_MS,
+  MAX_MS
+};
+var DEFAULT_SIGNED_READ_URL_EXPIRY_MS = EXPIRY.SIGNED_READ_URL_MS;
+
 // src/spaces/SpaceService.ts
 var SERVICE_NAME = "space";
 var SpaceErrorCodes = {
@@ -804,7 +821,7 @@ function transformServerDelegations(validatedData, defaultSpaceId) {
       spaceId,
       path,
       actions,
-      expiry: info.expiry ? new Date(info.expiry) : new Date(Date.now() + 24 * 60 * 60 * 1e3),
+      expiry: info.expiry ? new Date(info.expiry) : new Date(Date.now() + EXPIRY.SHARE_MS),
       isRevoked: false,
       createdAt: info.issued_at ? new Date(info.issued_at) : void 0,
       parentCid: firstStringParent
@@ -1664,6 +1681,22 @@ var TinyCloud = class _TinyCloud {
     }
     return service;
   }
+  /**
+   * Get the Encryption service.
+   * @throws Error if services are not initialized or encryption service is not registered
+   */
+  get encryption() {
+    if (!this._servicesInitialized) {
+      throw new Error(
+        "Services not initialized. Call initializeServices() first, or use TinyCloudWeb/TinyCloudNode which handles this automatically."
+      );
+    }
+    const service = this._services.get("encryption");
+    if (!service) {
+      throw new Error("Encryption service is not registered.");
+    }
+    return service;
+  }
   /**
    * Notify services of session change.
    * Called internally after sign-in and sign-out.
@@ -2019,7 +2052,51 @@ import {
   VaultHeaders,
   VaultPublicSpaceKVActions,
   createVaultCrypto,
-  SecretsService
+  SecretsService,
+  SECRET_NAME_RE as SECRET_NAME_RE2,
+  canonicalizeSecretScope,
+  resolveSecretListPrefix,
+  resolveSecretPath as resolveSecretPath2,
+  EncryptionService,
+  parseNetworkId,
+  buildNetworkId,
+  isNetworkId,
+  networkDiscoveryKey,
+  NetworkIdError,
+  ENCRYPTION_NETWORK_URN_PREFIX,
+  NETWORK_NAME_PATTERN,
+  canonicalizeEncryptionJson,
+  canonicalHashHex,
+  hexEncode,
+  hexDecode,
+  base64Encode,
+  base64Decode,
+  utf8Encode,
+  utf8Decode,
+  encryptToNetwork,
+  decryptEnvelopeWithKey,
+  validateEnvelope,
+  generateRandomReceiverKey,
+  deriveSignedReceiverKey,
+  buildCanonicalDecryptRequest,
+  buildDecryptFacts,
+  buildDecryptAttenuation,
+  buildDecryptInvocation,
+  checkDecryptInvocationInput,
+  verifyDecryptResponse,
+  canonicalSignedResponse,
+  openWrappedKey,
+  discoverNetwork,
+  ensureNetworkUsableForDecrypt,
+  DEFAULT_ENCRYPTION_ALG,
+  ENVELOPE_VERSION,
+  DEFAULT_KEY_VERSION,
+  DECRYPT_FACT_TYPE,
+  DECRYPT_RESULT_TYPE,
+  DECRYPT_ACTION,
+  ENCRYPTION_SERVICE,
+  ENCRYPTION_SERVICE_SHORT,
+  encryptionError
 } from "@tinycloud/sdk-services";
 
 // src/space.ts
@@ -2209,7 +2286,7 @@ var DelegationManager = class {
         spaceId: this.session.spaceId,
         path: params.path,
         actions: params.actions,
-        expiry: params.expiry ?? new Date(Date.now() + 24 * 60 * 60 * 1e3),
+        expiry: params.expiry ?? new Date(Date.now() + EXPIRY.SHARE_MS),
         isRevoked: false,
         allowSubDelegation: !(params.disableSubDelegation ?? false),
         createdAt: /* @__PURE__ */ new Date()
@@ -2688,6 +2765,7 @@ function validateEncodedShareData(data) {
 
 // src/manifest.ts
 import ms from "ms";
+import { resolveSecretPath, SECRET_NAME_RE } from "@tinycloud/sdk-services";
 var ManifestValidationError = class extends Error {
   constructor(message) {
     super(`Manifest validation failed: ${message}`);
@@ -2701,14 +2779,17 @@ var DEFAULT_MANIFEST_SPACE = "applications";
 var ACCOUNT_REGISTRY_SPACE = "account";
 var ACCOUNT_REGISTRY_PATH = "applications/";
 var SECRETS_SPACE = "secrets";
-var SECRET_NAME_RE = /^[A-Z][A-Z0-9_]*$/;
+var VAULT_PERMISSION_SERVICE = "tinycloud.vault";
 var SERVICE_SHORT_TO_LONG = Object.freeze({
   kv: "tinycloud.kv",
   sql: "tinycloud.sql",
   duckdb: "tinycloud.duckdb",
   capabilities: "tinycloud.capabilities",
-  hooks: "tinycloud.hooks"
+  hooks: "tinycloud.hooks",
+  encryption: "tinycloud.encryption"
 });
+var ENCRYPTION_PERMISSION_SERVICE = "tinycloud.encryption";
+var ENCRYPTION_MANIFEST_SPACE = "encryption";
 var SERVICE_LONG_TO_SHORT = Object.freeze(
   Object.fromEntries(
     Object.entries(SERVICE_SHORT_TO_LONG).map(([s, l]) => [l, s])
@@ -2784,6 +2865,72 @@ function expandActionShortNames(service, actions) {
     return `${service}/${a}`;
   });
 }
+function expandPermissionEntry(entry) {
+  if (entry.service === ENCRYPTION_PERMISSION_SERVICE) {
+    return expandEncryptionPermissionEntry(entry);
+  }
+  if (entry.service !== VAULT_PERMISSION_SERVICE) {
+    return [
+      {
+        ...entry,
+        actions: expandActionShortNames(entry.service, entry.actions)
+      }
+    ];
+  }
+  return expandVaultPermissionEntry(entry);
+}
+function expandEncryptionPermissionEntry(entry) {
+  if (typeof entry.path !== "string" || !entry.path.startsWith("urn:tinycloud:encryption:")) {
+    throw new ManifestValidationError(
+      `tinycloud.encryption entries require path to be a networkId URN (got ${JSON.stringify(entry.path)})`
+    );
+  }
+  const normalizedActions = [];
+  for (const action of entry.actions) {
+    if (action === "decrypt" || action === "tinycloud.encryption/decrypt") {
+      normalizedActions.push("tinycloud.encryption/decrypt");
+      continue;
+    }
+    if (action === "network.create" || action === "tinycloud.encryption/network.create") {
+      normalizedActions.push("tinycloud.encryption/network.create");
+      continue;
+    }
+    if (action === "network.revoke" || action === "tinycloud.encryption/network.revoke") {
+      normalizedActions.push("tinycloud.encryption/network.revoke");
+      continue;
+    }
+    if (action.includes("/")) {
+      throw new ManifestValidationError(
+        `unknown encryption action ${JSON.stringify(action)}; expected decrypt, network.create, or network.revoke`
+      );
+    }
+    throw new ManifestValidationError(
+      `unknown encryption action ${JSON.stringify(action)}; expected decrypt, network.create, or network.revoke`
+    );
+  }
+  const dedupedActions = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const a of normalizedActions) {
+    if (!seen.has(a)) {
+      dedupedActions.push(a);
+      seen.add(a);
+    }
+  }
+  return [
+    {
+      service: ENCRYPTION_PERMISSION_SERVICE,
+      space: ENCRYPTION_MANIFEST_SPACE,
+      path: entry.path,
+      actions: dedupedActions,
+      skipPrefix: true,
+      ...entry.expiry !== void 0 ? { expiry: entry.expiry } : {},
+      ...entry.description !== void 0 ? { description: entry.description } : {}
+    }
+  ];
+}
+function expandPermissionEntries(entries) {
+  return entries.flatMap(expandPermissionEntry);
+}
 function applyPrefix(prefix, path, skipPrefix) {
   if (skipPrefix) {
     return path;
@@ -2870,6 +3017,16 @@ function validateManifestSecrets(secrets) {
         `manifest.secrets.${name} must match ${SECRET_NAME_RE.source}`
       );
     }
+    try {
+      resolveSecretPath(
+        secretNameFromSpec(name, spec),
+        { scope: secretScopeFromSpec(spec) }
+      );
+    } catch (error) {
+      throw new ManifestValidationError(
+        `manifest.secrets.${name}: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
     const actions = secretActionsFromSpec(name, spec);
     if (actions.length === 0) {
       throw new ManifestValidationError(
@@ -2911,6 +3068,16 @@ function validatePermissionEntry(p, path) {
       `${path}.actions must be a non-empty array`
     );
   }
+  for (const action of entry.actions) {
+    if (typeof action !== "string" || action.length === 0) {
+      throw new ManifestValidationError(
+        `${path}.actions must contain non-empty strings`
+      );
+    }
+    if (entry.service === VAULT_PERMISSION_SERVICE) {
+      vaultActionExpansion(action);
+    }
+  }
   if (entry.expiry !== void 0) {
     parseExpiry(entry.expiry);
   }
@@ -2960,7 +3127,7 @@ function resolveManifest(input) {
     ...secretEntries
   ];
   const resources = withCapabilitiesReadForSpaces(
-    allEntries.map((entry) => resolveEntry(entry, prefix, expiryMs, space))
+    allEntries.flatMap((entry) => resolveEntry(entry, prefix, expiryMs, space))
   );
   const additionalDelegates = manifest.did === void 0 ? [] : [
     {
@@ -3016,6 +3183,18 @@ function normalizeSecretActions(actions) {
   }
   return out;
 }
+function secretNameFromSpec(fallbackName, spec) {
+  if (spec !== null && typeof spec === "object" && !Array.isArray(spec)) {
+    return spec.name ?? fallbackName;
+  }
+  return fallbackName;
+}
+function secretScopeFromSpec(spec) {
+  if (spec !== null && typeof spec === "object" && !Array.isArray(spec)) {
+    return spec.scope;
+  }
+  return void 0;
+}
 function secretActionsFromSpec(name, spec) {
   if (spec === true) {
     return ["read"];
@@ -3051,40 +3230,105 @@ function secretEntriesForManifest(secrets) {
   const entries = [];
   for (const [name, spec] of Object.entries(secrets)) {
     const actions = secretActionsFromSpec(name, spec);
+    const secretPath = resolveSecretPath(
+      secretNameFromSpec(name, spec),
+      { scope: secretScopeFromSpec(spec) }
+    );
     const extra = spec !== true && typeof spec === "object" && !Array.isArray(spec) ? spec : {};
-    for (const base of ["keys", "vault"]) {
-      entries.push({
-        service: "tinycloud.kv",
-        space: SECRETS_SPACE,
-        path: `${base}/secrets/${name}`,
-        actions: normalizeSecretActions(actions),
-        skipPrefix: true,
-        ...extra.expiry !== void 0 ? { expiry: extra.expiry } : {},
-        ...extra.description !== void 0 ? { description: extra.description } : {}
-      });
-    }
+    entries.push({
+      service: VAULT_PERMISSION_SERVICE,
+      space: SECRETS_SPACE,
+      path: secretPath.vaultKey,
+      actions: normalizeSecretActions(actions),
+      skipPrefix: true,
+      ...extra.expiry !== void 0 ? { expiry: extra.expiry } : {},
+      ...extra.description !== void 0 ? { description: extra.description } : {}
+    });
   }
   return entries;
 }
 function resolveEntry(entry, prefix, _inheritedExpiryMs, inheritedSpace) {
-  const resolvedPath = applyPrefix(
-    prefix,
-    entry.path,
-    entry.skipPrefix === true
-  );
-  const resolvedActions = expandActionShortNames(entry.service, entry.actions);
+  const skipPrefixForEntry = entry.skipPrefix === true || entry.service === ENCRYPTION_PERMISSION_SERVICE;
+  const resolvedPath = applyPrefix(prefix, entry.path, skipPrefixForEntry);
   const entryExpiryMs = entry.expiry !== void 0 ? parseExpiry(entry.expiry) : void 0;
-  return {
-    service: entry.service,
+  return expandPermissionEntry({
+    ...entry,
     space: entry.space ?? inheritedSpace,
     path: resolvedPath,
-    actions: resolvedActions,
+    skipPrefix: true
+  }).map((expanded) => ({
+    service: expanded.service,
+    space: expanded.space ?? inheritedSpace,
+    path: expanded.path,
+    actions: expanded.actions,
     // Only populate `expiryMs` when the entry had its own expiry override.
     // When absent, callers use the parent (delegation or manifest) expiry
     // which is carried on ResolvedDelegate.expiryMs / ResolvedCapabilities.expiryMs.
     ...entryExpiryMs !== void 0 ? { expiryMs: entryExpiryMs } : {},
     ...entry.description !== void 0 ? { description: entry.description } : {}
-  };
+  }));
+}
+function expandVaultPermissionEntry(entry) {
+  const byBase = /* @__PURE__ */ new Map();
+  for (const action of entry.actions) {
+    const expansion = vaultActionExpansion(action);
+    for (const base of expansion.bases) {
+      const actions = byBase.get(base) ?? [];
+      if (!actions.includes(expansion.action)) {
+        actions.push(expansion.action);
+      }
+      byBase.set(base, actions);
+    }
+  }
+  return [...byBase.entries()].map(([base, actions]) => ({
+    ...entry,
+    service: "tinycloud.kv",
+    path: vaultKVPath(base, entry.path),
+    actions,
+    skipPrefix: true
+  }));
+}
+function vaultActionExpansion(action) {
+  const normalized = normalizeVaultAction(action);
+  if (normalized === "read" || normalized === "get") {
+    return { bases: ["vault"], action: "tinycloud.kv/get" };
+  }
+  if (normalized === "write" || normalized === "put") {
+    return { bases: ["vault"], action: "tinycloud.kv/put" };
+  }
+  if (normalized === "delete" || normalized === "del") {
+    return { bases: ["vault"], action: "tinycloud.kv/del" };
+  }
+  if (normalized === "list") {
+    return { bases: ["vault"], action: "tinycloud.kv/list" };
+  }
+  if (normalized === "head") {
+    return { bases: ["vault"], action: "tinycloud.kv/get" };
+  }
+  if (normalized === "metadata") {
+    return { bases: ["vault"], action: "tinycloud.kv/metadata" };
+  }
+  throw new ManifestValidationError(
+    `unknown vault action ${JSON.stringify(action)}; expected read, write, delete, get, put, del, list, head, or metadata`
+  );
+}
+function normalizeVaultAction(action) {
+  if (action.startsWith(`${VAULT_PERMISSION_SERVICE}/`)) {
+    return action.slice(`${VAULT_PERMISSION_SERVICE}/`.length);
+  }
+  if (action.startsWith("tinycloud.kv/")) {
+    return action.slice("tinycloud.kv/".length);
+  }
+  if (action.includes("/")) {
+    throw new ManifestValidationError(
+      `unknown vault action ${JSON.stringify(action)}; expected a tinycloud.vault or tinycloud.kv action`
+    );
+  }
+  return action;
+}
+function vaultKVPath(base, path) {
+  const normalized = path.startsWith("/") ? path.slice(1) : path;
+  return `${base}/${normalized}`;
 }
 function cloneResourceCapability(entry) {
   return {
@@ -3141,7 +3385,9 @@ function withCapabilitiesReadForSpaces(resources) {
   if (resources.length === 0) {
     return [];
   }
-  const spaces = new Set(resources.map((resource) => resource.space));
+  const spaces = new Set(
+    resources.filter((resource) => resource.service !== ENCRYPTION_PERMISSION_SERVICE).map((resource) => resource.space)
+  );
   return dedupeResources([
     ...resources,
     ...[...spaces].map(capabilitiesReadPermission)
@@ -3273,7 +3519,7 @@ function inferShortServiceFromActionUrns(actions) {
   return short;
 }
 var DEFAULT_READ_ACTIONS = ["tinycloud.kv/get", "tinycloud.kv/metadata"];
-var DEFAULT_EXPIRY_MS = 24 * 60 * 60 * 1e3;
+var DEFAULT_EXPIRY_MS = EXPIRY.SHARE_MS;
 var BASE64_PREFIX = "tc1:";
 function createError2(code, message, cause, meta) {
   return {
@@ -4402,6 +4648,7 @@ async function checkNodeInfo(host, sdkProtocol, fetchFn = globalThis.fetch.bind(
   }
   return {
     features: data.features ?? [],
+    nodeId: data.nodeId,
     quotaUrl: data.quota_url
   };
 }
@@ -4738,6 +4985,10 @@ function verifyDidKeySignature(did, payload, signature) {
     publicKey
   );
 }
+function verifyDidKeyEd25519Signature(did, payload, signature) {
+  const publicKey = ed25519PublicKeyFromDidKey(did);
+  return ed25519.verify(signature, payload, publicKey);
+}
 function ed25519PublicKeyFromDidKey(did) {
   const identifier = did.slice("did:key:".length);
   if (!identifier.startsWith("z")) {
@@ -4746,12 +4997,15 @@ function ed25519PublicKeyFromDidKey(did) {
     );
   }
   const bytes = bases.base58btc.decode(identifier);
-  if (bytes.length !== 34 || bytes[0] !== 237 || bytes[1] !== 1) {
-    throw new LocationRecordValidationError(
-      "did:key must be an Ed25519 public key"
-    );
+  if (bytes.length === 34 && bytes[0] === 237 && bytes[1] === 1) {
+    return bytes.slice(2);
   }
-  return bytes.slice(2);
+  if (bytes.length === 33 && bytes[0] === 237) {
+    return bytes.slice(1);
+  }
+  throw new LocationRecordValidationError(
+    "did:key must be an Ed25519 public key"
+  );
 }
 function base64UrlEncode2(bytes) {
   const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
@@ -4915,10 +5169,16 @@ export {
   CapabilityKeyRegistryErrorCodes,
   ClientSessionSchema,
   CloudLocationResolutionError,
+  DECRYPT_ACTION,
+  DECRYPT_FACT_TYPE,
+  DECRYPT_RESULT_TYPE,
   DEFAULT_DEFAULTS,
+  DEFAULT_ENCRYPTION_ALG,
   DEFAULT_EXPIRY,
+  DEFAULT_KEY_VERSION,
   DEFAULT_MANIFEST_SPACE,
   DEFAULT_MANIFEST_VERSION,
+  DEFAULT_SIGNED_READ_URL_EXPIRY_MS,
   DEFAULT_TINYCLOUD_FALLBACK_HOST,
   DEFAULT_TINYCLOUD_LOCATION_REGISTRY_URL,
   DataVaultService,
@@ -4928,15 +5188,26 @@ export {
   DuckDbAction,
   DuckDbDatabaseHandle,
   DuckDbService2 as DuckDbService,
+  ENCRYPTION_MANIFEST_SPACE,
+  ENCRYPTION_NETWORK_URN_PREFIX,
+  ENCRYPTION_PERMISSION_SERVICE,
+  ENCRYPTION_SERVICE,
+  ENCRYPTION_SERVICE_SHORT,
+  ENVELOPE_VERSION,
+  EXPIRY,
+  EncryptionService,
   EnsDataSchema,
   ErrorCodes2 as ErrorCodes,
   HooksService2 as HooksService,
   KVService2 as KVService,
   LocationRecordValidationError,
   ManifestValidationError,
+  NETWORK_NAME_PATTERN,
+  NetworkIdError,
   PermissionNotInManifestError,
   PrefixedKVService,
   ProtocolMismatchError,
+  SECRET_NAME_RE2 as SECRET_NAME_RE,
   SERVICE_LONG_TO_SHORT,
   SERVICE_SHORT_TO_LONG,
   SQLAction,
@@ -4953,40 +5224,72 @@ export {
   SpaceService,
   TinyCloud,
   UnsupportedFeatureError,
+  VAULT_PERMISSION_SERVICE,
   VaultHeaders,
   VaultPublicSpaceKVActions,
   VersionCheckError,
   activateSessionWithHost,
   applyPrefix,
+  buildCanonicalDecryptRequest,
+  buildDecryptAttenuation,
+  buildDecryptFacts,
+  buildDecryptInvocation,
+  buildNetworkId,
   buildSpaceUri,
+  canonicalHashHex,
   canonicalLocationPayload,
+  canonicalSignedResponse,
+  canonicalizeEncryptionJson,
+  canonicalizeSecretScope,
+  checkDecryptInvocationInput,
   checkNodeInfo,
   composeManifestRequest,
   createCapabilityKeyRegistry,
   createSharingService,
   createSpaceService,
   createVaultCrypto,
+  decryptEnvelopeWithKey,
   defaultRetryPolicy2 as defaultRetryPolicy,
   defaultSignStrategy,
   defaultSpaceCreationHandler,
+  deriveSignedReceiverKey,
+  discoverNetwork,
+  encryptToNetwork,
+  base64Decode as encryptionBase64Decode,
+  base64Encode as encryptionBase64Encode,
+  encryptionError,
+  utf8Decode as encryptionUtf8Decode,
+  utf8Encode as encryptionUtf8Encode,
+  ensureNetworkUsableForDecrypt,
   err4 as err,
   expandActionShortNames,
+  expandPermissionEntries,
+  expandPermissionEntry,
   fetchLocationRecord,
   fetchPeerId,
+  generateRandomReceiverKey,
+  hexDecode,
+  hexEncode,
   httpUrlToMultiaddr,
   isCapabilitySubset,
+  isNetworkId,
   loadManifest,
   locationPayloadForRecord,
   makePublicSpaceId,
   manifestAbilitiesUnion,
   multiaddrToHttpUrl,
+  networkDiscoveryKey,
   normalizeDefaults,
   ok4 as ok,
+  openWrappedKey,
   parseExpiry,
+  parseNetworkId,
   parseRecapCapabilities,
   parseSpaceUri,
   resolveCloudLocation,
   resolveManifest,
+  resolveSecretListPrefix,
+  resolveSecretPath2 as resolveSecretPath,
   resolveTinyCloudHosts,
   resourceCapabilitiesToAbilitiesMap,
   resourceCapabilitiesToSpaceAbilitiesMap,
@@ -4994,10 +5297,13 @@ export {
   signLocationRecord,
   submitHostDelegation,
   validateClientSession,
+  validateEnvelope,
   validateLocationRecord,
   validateLocationRecordPayload,
   validateManifest,
   validatePersistedSessionData,
+  verifyDecryptResponse,
+  verifyDidKeyEd25519Signature,
   verifyLocationRecord
 };
 //# sourceMappingURL=index.js.map