npm - @tinycloud/sdk-core - Versions diffs - 2.2.0-beta.9 → 2.2.1-beta.0 - Mend

@tinycloud/sdk-core 2.2.0-beta.9 → 2.2.1-beta.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.js CHANGED Viewed

@@ -728,6 +728,23 @@ function validateServerSpaceInfoResponse(data) {
   return { ok: true, data: result.data };
 }
+// src/expiry.ts
+var EPHEMERAL_MS = 60 * 60 * 1e3;
+var SIGNED_READ_URL_MS = 5 * 60 * 1e3;
+var SESSION_MS = 7 * 24 * 60 * 60 * 1e3;
+var SHARE_MS = 7 * 24 * 60 * 60 * 1e3;
+var APP_MS = 30 * 24 * 60 * 60 * 1e3;
+var MAX_MS = 10 * 365 * 24 * 60 * 60 * 1e3;
+var EXPIRY = {
+  EPHEMERAL_MS,
+  SIGNED_READ_URL_MS,
+  SESSION_MS,
+  SHARE_MS,
+  APP_MS,
+  MAX_MS
+};
+var DEFAULT_SIGNED_READ_URL_EXPIRY_MS = EXPIRY.SIGNED_READ_URL_MS;
 // src/spaces/SpaceService.ts
 var SERVICE_NAME = "space";
 var SpaceErrorCodes = {
@@ -804,7 +821,7 @@ function transformServerDelegations(validatedData, defaultSpaceId) {
       spaceId,
       path,
       actions,
-      expiry: info.expiry ? new Date(info.expiry) : new Date(Date.now() + 24 * 60 * 60 * 1e3),
+      expiry: info.expiry ? new Date(info.expiry) : new Date(Date.now() + EXPIRY.SHARE_MS),
       isRevoked: false,
       createdAt: info.issued_at ? new Date(info.issued_at) : void 0,
       parentCid: firstStringParent
@@ -1664,6 +1681,22 @@ var TinyCloud = class _TinyCloud {
     }
     return service;
   }
+  /**
+   * Get the Encryption service.
+   * @throws Error if services are not initialized or encryption service is not registered
+   */
+  get encryption() {
+    if (!this._servicesInitialized) {
+      throw new Error(
+        "Services not initialized. Call initializeServices() first, or use TinyCloudWeb/TinyCloudNode which handles this automatically."
+      );
+    }
+    const service = this._services.get("encryption");
+    if (!service) {
+      throw new Error("Encryption service is not registered.");
+    }
+    return service;
+  }
   /**
    * Notify services of session change.
    * Called internally after sign-in and sign-out.
@@ -2019,7 +2052,51 @@ import {
   VaultHeaders,
   VaultPublicSpaceKVActions,
   createVaultCrypto,
-  SecretsService
+  SecretsService,
+  SECRET_NAME_RE as SECRET_NAME_RE2,
+  canonicalizeSecretScope,
+  resolveSecretListPrefix,
+  resolveSecretPath as resolveSecretPath2,
+  EncryptionService,
+  parseNetworkId,
+  buildNetworkId,
+  isNetworkId,
+  networkDiscoveryKey,
+  NetworkIdError,
+  ENCRYPTION_NETWORK_URN_PREFIX,
+  NETWORK_NAME_PATTERN,
+  canonicalizeEncryptionJson,
+  canonicalHashHex,
+  hexEncode,
+  hexDecode,
+  base64Encode,
+  base64Decode,
+  utf8Encode,
+  utf8Decode,
+  encryptToNetwork,
+  decryptEnvelopeWithKey,
+  validateEnvelope,
+  generateRandomReceiverKey,
+  deriveSignedReceiverKey,
+  buildCanonicalDecryptRequest,
+  buildDecryptFacts,
+  buildDecryptAttenuation,
+  buildDecryptInvocation,
+  checkDecryptInvocationInput,
+  verifyDecryptResponse,
+  canonicalSignedResponse,
+  openWrappedKey,
+  discoverNetwork,
+  ensureNetworkUsableForDecrypt,
+  DEFAULT_ENCRYPTION_ALG,
+  ENVELOPE_VERSION,
+  DEFAULT_KEY_VERSION,
+  DECRYPT_FACT_TYPE,
+  DECRYPT_RESULT_TYPE,
+  DECRYPT_ACTION,
+  ENCRYPTION_SERVICE,
+  ENCRYPTION_SERVICE_SHORT,
+  encryptionError
 } from "@tinycloud/sdk-services";
 // src/space.ts
@@ -2209,7 +2286,7 @@ var DelegationManager = class {
         spaceId: this.session.spaceId,
         path: params.path,
         actions: params.actions,
-        expiry: params.expiry ?? new Date(Date.now() + 24 * 60 * 60 * 1e3),
+        expiry: params.expiry ?? new Date(Date.now() + EXPIRY.SHARE_MS),
         isRevoked: false,
         allowSubDelegation: !(params.disableSubDelegation ?? false),
         createdAt: /* @__PURE__ */ new Date()
@@ -2688,6 +2765,7 @@ function validateEncodedShareData(data) {
 // src/manifest.ts
 import ms from "ms";
+import { resolveSecretPath, SECRET_NAME_RE } from "@tinycloud/sdk-services";
 var ManifestValidationError = class extends Error {
   constructor(message) {
     super(`Manifest validation failed: ${message}`);
@@ -2701,15 +2779,17 @@ var DEFAULT_MANIFEST_SPACE = "applications";
 var ACCOUNT_REGISTRY_SPACE = "account";
 var ACCOUNT_REGISTRY_PATH = "applications/";
 var SECRETS_SPACE = "secrets";
-var SECRET_NAME_RE = /^[A-Z][A-Z0-9_]*$/;
 var VAULT_PERMISSION_SERVICE = "tinycloud.vault";
 var SERVICE_SHORT_TO_LONG = Object.freeze({
   kv: "tinycloud.kv",
   sql: "tinycloud.sql",
   duckdb: "tinycloud.duckdb",
   capabilities: "tinycloud.capabilities",
-  hooks: "tinycloud.hooks"
+  hooks: "tinycloud.hooks",
+  encryption: "tinycloud.encryption"
 });
+var ENCRYPTION_PERMISSION_SERVICE = "tinycloud.encryption";
+var ENCRYPTION_MANIFEST_SPACE = "encryption";
 var SERVICE_LONG_TO_SHORT = Object.freeze(
   Object.fromEntries(
     Object.entries(SERVICE_SHORT_TO_LONG).map(([s, l]) => [l, s])
@@ -2786,6 +2866,9 @@ function expandActionShortNames(service, actions) {
   });
 }
 function expandPermissionEntry(entry) {
+  if (entry.service === ENCRYPTION_PERMISSION_SERVICE) {
+    return expandEncryptionPermissionEntry(entry);
+  }
   if (entry.service !== VAULT_PERMISSION_SERVICE) {
     return [
       {
@@ -2796,6 +2879,55 @@ function expandPermissionEntry(entry) {
   }
   return expandVaultPermissionEntry(entry);
 }
+function expandEncryptionPermissionEntry(entry) {
+  if (typeof entry.path !== "string" || !entry.path.startsWith("urn:tinycloud:encryption:")) {
+    throw new ManifestValidationError(
+      `tinycloud.encryption entries require path to be a networkId URN (got ${JSON.stringify(entry.path)})`
+    );
+  }
+  const normalizedActions = [];
+  for (const action of entry.actions) {
+    if (action === "decrypt" || action === "tinycloud.encryption/decrypt") {
+      normalizedActions.push("tinycloud.encryption/decrypt");
+      continue;
+    }
+    if (action === "network.create" || action === "tinycloud.encryption/network.create") {
+      normalizedActions.push("tinycloud.encryption/network.create");
+      continue;
+    }
+    if (action === "network.revoke" || action === "tinycloud.encryption/network.revoke") {
+      normalizedActions.push("tinycloud.encryption/network.revoke");
+      continue;
+    }
+    if (action.includes("/")) {
+      throw new ManifestValidationError(
+        `unknown encryption action ${JSON.stringify(action)}; expected decrypt, network.create, or network.revoke`
+      );
+    }
+    throw new ManifestValidationError(
+      `unknown encryption action ${JSON.stringify(action)}; expected decrypt, network.create, or network.revoke`
+    );
+  }
+  const dedupedActions = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const a of normalizedActions) {
+    if (!seen.has(a)) {
+      dedupedActions.push(a);
+      seen.add(a);
+    }
+  }
+  return [
+    {
+      service: ENCRYPTION_PERMISSION_SERVICE,
+      space: ENCRYPTION_MANIFEST_SPACE,
+      path: entry.path,
+      actions: dedupedActions,
+      skipPrefix: true,
+      ...entry.expiry !== void 0 ? { expiry: entry.expiry } : {},
+      ...entry.description !== void 0 ? { description: entry.description } : {}
+    }
+  ];
+}
 function expandPermissionEntries(entries) {
   return entries.flatMap(expandPermissionEntry);
 }
@@ -2885,6 +3017,16 @@ function validateManifestSecrets(secrets) {
         `manifest.secrets.${name} must match ${SECRET_NAME_RE.source}`
       );
     }
+    try {
+      resolveSecretPath(
+        secretNameFromSpec(name, spec),
+        { scope: secretScopeFromSpec(spec) }
+      );
+    } catch (error) {
+      throw new ManifestValidationError(
+        `manifest.secrets.${name}: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
     const actions = secretActionsFromSpec(name, spec);
     if (actions.length === 0) {
       throw new ManifestValidationError(
@@ -3041,6 +3183,18 @@ function normalizeSecretActions(actions) {
   }
   return out;
 }
+function secretNameFromSpec(fallbackName, spec) {
+  if (spec !== null && typeof spec === "object" && !Array.isArray(spec)) {
+    return spec.name ?? fallbackName;
+  }
+  return fallbackName;
+}
+function secretScopeFromSpec(spec) {
+  if (spec !== null && typeof spec === "object" && !Array.isArray(spec)) {
+    return spec.scope;
+  }
+  return void 0;
+}
 function secretActionsFromSpec(name, spec) {
   if (spec === true) {
     return ["read"];
@@ -3076,27 +3230,26 @@ function secretEntriesForManifest(secrets) {
   const entries = [];
   for (const [name, spec] of Object.entries(secrets)) {
     const actions = secretActionsFromSpec(name, spec);
+    const secretPath = resolveSecretPath(
+      secretNameFromSpec(name, spec),
+      { scope: secretScopeFromSpec(spec) }
+    );
     const extra = spec !== true && typeof spec === "object" && !Array.isArray(spec) ? spec : {};
-    for (const base of ["keys", "vault"]) {
-      entries.push({
-        service: "tinycloud.kv",
-        space: SECRETS_SPACE,
-        path: `${base}/secrets/${name}`,
-        actions: normalizeSecretActions(actions),
-        skipPrefix: true,
-        ...extra.expiry !== void 0 ? { expiry: extra.expiry } : {},
-        ...extra.description !== void 0 ? { description: extra.description } : {}
-      });
-    }
+    entries.push({
+      service: VAULT_PERMISSION_SERVICE,
+      space: SECRETS_SPACE,
+      path: secretPath.vaultKey,
+      actions: normalizeSecretActions(actions),
+      skipPrefix: true,
+      ...extra.expiry !== void 0 ? { expiry: extra.expiry } : {},
+      ...extra.description !== void 0 ? { description: extra.description } : {}
+    });
   }
   return entries;
 }
 function resolveEntry(entry, prefix, _inheritedExpiryMs, inheritedSpace) {
-  const resolvedPath = applyPrefix(
-    prefix,
-    entry.path,
-    entry.skipPrefix === true
-  );
+  const skipPrefixForEntry = entry.skipPrefix === true || entry.service === ENCRYPTION_PERMISSION_SERVICE;
+  const resolvedPath = applyPrefix(prefix, entry.path, skipPrefixForEntry);
   const entryExpiryMs = entry.expiry !== void 0 ? parseExpiry(entry.expiry) : void 0;
   return expandPermissionEntry({
     ...entry,
@@ -3138,13 +3291,13 @@ function expandVaultPermissionEntry(entry) {
 function vaultActionExpansion(action) {
   const normalized = normalizeVaultAction(action);
   if (normalized === "read" || normalized === "get") {
-    return { bases: ["keys", "vault"], action: "tinycloud.kv/get" };
+    return { bases: ["vault"], action: "tinycloud.kv/get" };
   }
   if (normalized === "write" || normalized === "put") {
-    return { bases: ["keys", "vault"], action: "tinycloud.kv/put" };
+    return { bases: ["vault"], action: "tinycloud.kv/put" };
   }
   if (normalized === "delete" || normalized === "del") {
-    return { bases: ["keys", "vault"], action: "tinycloud.kv/del" };
+    return { bases: ["vault"], action: "tinycloud.kv/del" };
   }
   if (normalized === "list") {
     return { bases: ["vault"], action: "tinycloud.kv/list" };
@@ -3232,7 +3385,9 @@ function withCapabilitiesReadForSpaces(resources) {
   if (resources.length === 0) {
     return [];
   }
-  const spaces = new Set(resources.map((resource) => resource.space));
+  const spaces = new Set(
+    resources.filter((resource) => resource.service !== ENCRYPTION_PERMISSION_SERVICE).map((resource) => resource.space)
+  );
   return dedupeResources([
     ...resources,
     ...[...spaces].map(capabilitiesReadPermission)
@@ -3364,7 +3519,7 @@ function inferShortServiceFromActionUrns(actions) {
   return short;
 }
 var DEFAULT_READ_ACTIONS = ["tinycloud.kv/get", "tinycloud.kv/metadata"];
-var DEFAULT_EXPIRY_MS = 24 * 60 * 60 * 1e3;
+var DEFAULT_EXPIRY_MS = EXPIRY.SHARE_MS;
 var BASE64_PREFIX = "tc1:";
 function createError2(code, message, cause, meta) {
   return {
@@ -4493,6 +4648,7 @@ async function checkNodeInfo(host, sdkProtocol, fetchFn = globalThis.fetch.bind(
   }
   return {
     features: data.features ?? [],
+    nodeId: data.nodeId,
     quotaUrl: data.quota_url
   };
 }
@@ -4829,6 +4985,10 @@ function verifyDidKeySignature(did, payload, signature) {
     publicKey
   );
 }
+function verifyDidKeyEd25519Signature(did, payload, signature) {
+  const publicKey = ed25519PublicKeyFromDidKey(did);
+  return ed25519.verify(signature, payload, publicKey);
+}
 function ed25519PublicKeyFromDidKey(did) {
   const identifier = did.slice("did:key:".length);
   if (!identifier.startsWith("z")) {
@@ -4837,12 +4997,15 @@ function ed25519PublicKeyFromDidKey(did) {
     );
   }
   const bytes = bases.base58btc.decode(identifier);
-  if (bytes.length !== 34 || bytes[0] !== 237 || bytes[1] !== 1) {
-    throw new LocationRecordValidationError(
-      "did:key must be an Ed25519 public key"
-    );
+  if (bytes.length === 34 && bytes[0] === 237 && bytes[1] === 1) {
+    return bytes.slice(2);
+  }
+  if (bytes.length === 33 && bytes[0] === 237) {
+    return bytes.slice(1);
   }
-  return bytes.slice(2);
+  throw new LocationRecordValidationError(
+    "did:key must be an Ed25519 public key"
+  );
 }
 function base64UrlEncode2(bytes) {
   const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
@@ -5006,10 +5169,16 @@ export {
   CapabilityKeyRegistryErrorCodes,
   ClientSessionSchema,
   CloudLocationResolutionError,
+  DECRYPT_ACTION,
+  DECRYPT_FACT_TYPE,
+  DECRYPT_RESULT_TYPE,
   DEFAULT_DEFAULTS,
+  DEFAULT_ENCRYPTION_ALG,
   DEFAULT_EXPIRY,
+  DEFAULT_KEY_VERSION,
   DEFAULT_MANIFEST_SPACE,
   DEFAULT_MANIFEST_VERSION,
+  DEFAULT_SIGNED_READ_URL_EXPIRY_MS,
   DEFAULT_TINYCLOUD_FALLBACK_HOST,
   DEFAULT_TINYCLOUD_LOCATION_REGISTRY_URL,
   DataVaultService,
@@ -5019,15 +5188,26 @@ export {
   DuckDbAction,
   DuckDbDatabaseHandle,
   DuckDbService2 as DuckDbService,
+  ENCRYPTION_MANIFEST_SPACE,
+  ENCRYPTION_NETWORK_URN_PREFIX,
+  ENCRYPTION_PERMISSION_SERVICE,
+  ENCRYPTION_SERVICE,
+  ENCRYPTION_SERVICE_SHORT,
+  ENVELOPE_VERSION,
+  EXPIRY,
+  EncryptionService,
   EnsDataSchema,
   ErrorCodes2 as ErrorCodes,
   HooksService2 as HooksService,
   KVService2 as KVService,
   LocationRecordValidationError,
   ManifestValidationError,
+  NETWORK_NAME_PATTERN,
+  NetworkIdError,
   PermissionNotInManifestError,
   PrefixedKVService,
   ProtocolMismatchError,
+  SECRET_NAME_RE2 as SECRET_NAME_RE,
   SERVICE_LONG_TO_SHORT,
   SERVICE_SHORT_TO_LONG,
   SQLAction,
@@ -5050,37 +5230,66 @@ export {
   VersionCheckError,
   activateSessionWithHost,
   applyPrefix,
+  buildCanonicalDecryptRequest,
+  buildDecryptAttenuation,
+  buildDecryptFacts,
+  buildDecryptInvocation,
+  buildNetworkId,
   buildSpaceUri,
+  canonicalHashHex,
   canonicalLocationPayload,
+  canonicalSignedResponse,
+  canonicalizeEncryptionJson,
+  canonicalizeSecretScope,
+  checkDecryptInvocationInput,
   checkNodeInfo,
   composeManifestRequest,
   createCapabilityKeyRegistry,
   createSharingService,
   createSpaceService,
   createVaultCrypto,
+  decryptEnvelopeWithKey,
   defaultRetryPolicy2 as defaultRetryPolicy,
   defaultSignStrategy,
   defaultSpaceCreationHandler,
+  deriveSignedReceiverKey,
+  discoverNetwork,
+  encryptToNetwork,
+  base64Decode as encryptionBase64Decode,
+  base64Encode as encryptionBase64Encode,
+  encryptionError,
+  utf8Decode as encryptionUtf8Decode,
+  utf8Encode as encryptionUtf8Encode,
+  ensureNetworkUsableForDecrypt,
   err4 as err,
   expandActionShortNames,
   expandPermissionEntries,
   expandPermissionEntry,
   fetchLocationRecord,
   fetchPeerId,
+  generateRandomReceiverKey,
+  hexDecode,
+  hexEncode,
   httpUrlToMultiaddr,
   isCapabilitySubset,
+  isNetworkId,
   loadManifest,
   locationPayloadForRecord,
   makePublicSpaceId,
   manifestAbilitiesUnion,
   multiaddrToHttpUrl,
+  networkDiscoveryKey,
   normalizeDefaults,
   ok4 as ok,
+  openWrappedKey,
   parseExpiry,
+  parseNetworkId,
   parseRecapCapabilities,
   parseSpaceUri,
   resolveCloudLocation,
   resolveManifest,
+  resolveSecretListPrefix,
+  resolveSecretPath2 as resolveSecretPath,
   resolveTinyCloudHosts,
   resourceCapabilitiesToAbilitiesMap,
   resourceCapabilitiesToSpaceAbilitiesMap,
@@ -5088,10 +5297,13 @@ export {
   signLocationRecord,
   submitHostDelegation,
   validateClientSession,
+  validateEnvelope,
   validateLocationRecord,
   validateLocationRecordPayload,
   validateManifest,
   validatePersistedSessionData,
+  verifyDecryptResponse,
+  verifyDidKeyEd25519Signature,
   verifyLocationRecord
 };
 //# sourceMappingURL=index.js.map