npm - @tinycloud/sdk-services - Versions diffs - 2.1.0 → 2.2.0-beta.12 - Mend

@tinycloud/sdk-services 2.1.0 → 2.2.0-beta.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/index.cjs CHANGED Viewed

@@ -21,6 +21,7 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var index_exports = {};
 __export(index_exports, {
   BaseService: () => BaseService,
+  DEFAULT_SIGNED_READ_URL_EXPIRY_MS: () => DEFAULT_SIGNED_READ_URL_EXPIRY_MS,
   DataVaultService: () => DataVaultService,
   DatabaseHandle: () => DatabaseHandle,
   DuckDbAction: () => DuckDbAction,
@@ -37,8 +38,10 @@ __export(index_exports, {
   KVService: () => KVService,
   PrefixedKVService: () => PrefixedKVService,
   RetryPolicySchema: () => RetryPolicySchema,
+  SECRET_NAME_RE: () => SECRET_NAME_RE,
   SQLAction: () => SQLAction,
   SQLService: () => SQLService,
+  SecretsService: () => SecretsService,
   ServiceContext: () => ServiceContext,
   ServiceErrorEventSchema: () => ServiceErrorEventSchema,
   ServiceErrorSchema: () => ServiceErrorSchema,
@@ -54,6 +57,7 @@ __export(index_exports, {
   authExpiredError: () => authExpiredError,
   authRequiredError: () => authRequiredError,
   authUnauthorizedError: () => authUnauthorizedError,
+  canonicalizeSecretScope: () => canonicalizeSecretScope,
   createKVResponseSchema: () => createKVResponseSchema,
   createResultSchema: () => createResultSchema,
   createVaultCrypto: () => createVaultCrypto,
@@ -65,6 +69,7 @@ __export(index_exports, {
   ok: () => ok,
   parseAuthError: () => parseAuthError,
   permissionDeniedError: () => permissionDeniedError,
+  resolveSecretPath: () => resolveSecretPath,
   serviceError: () => serviceError,
   storageLimitReachedError: () => storageLimitReachedError,
   storageQuotaExceededError: () => storageQuotaExceededError,
@@ -900,6 +905,13 @@ var PrefixedKVService = class _PrefixedKVService {
     const fullKey = this.getFullKey(key);
     return this._kv.head(fullKey, { ...options, prefix: "" });
   }
+  /**
+   * Create a short-lived signed URL for reading a KV object.
+   */
+  async createSignedReadUrl(key, options) {
+    const fullKey = this.getFullKey(key);
+    return this._kv.createSignedReadUrl(fullKey, { ...options, prefix: "" });
+  }
   /**
    * Create a nested prefix-scoped view.
    */
@@ -911,6 +923,7 @@ var PrefixedKVService = class _PrefixedKVService {
 };
 // src/kv/types.ts
+var DEFAULT_SIGNED_READ_URL_EXPIRY_MS = 5 * 60 * 1e3;
 var KVAction = {
   GET: "tinycloud.kv/get",
   PUT: "tinycloud.kv/put",
@@ -995,6 +1008,15 @@ var KVService = class extends BaseService {
   get host() {
     return this.context.hosts[0];
   }
+  withJsonContentType(headers) {
+    if (Array.isArray(headers)) {
+      return [...headers, ["content-type", "application/json"]];
+    }
+    return {
+      ...headers,
+      "content-type": "application/json"
+    };
+  }
   /**
    * Execute an invoke operation.
    *
@@ -1064,6 +1086,48 @@ var KVService = class extends BaseService {
       return text;
     }
   }
+  async createSignedReadUrlError(response, key) {
+    let errorText = response.statusText;
+    try {
+      const text = await response.text();
+      if (text) {
+        errorText = text;
+      }
+    } catch {
+    }
+    if (response.status === 401 || response.status === 403) {
+      const { resource, action } = parseAuthError(errorText);
+      return err(authUnauthorizedError("kv", errorText, {
+        status: response.status,
+        ...action && { requiredAction: action },
+        ...resource && { resource }
+      }));
+    }
+    const code = response.status === 400 ? ErrorCodes.INVALID_INPUT : ErrorCodes.NETWORK_ERROR;
+    return err(
+      serviceError(
+        code,
+        `Failed to create signed read URL for key "${key}": ${response.status} - ${errorText}`,
+        "kv",
+        { meta: { status: response.status, statusText: response.statusText } }
+      )
+    );
+  }
+  normalizeSignedReadUrlResponse(data) {
+    if (!data || typeof data !== "object") {
+      return void 0;
+    }
+    const response = data;
+    if (typeof response.url !== "string" || typeof response.ticketId !== "string" || typeof response.expiresAt !== "string") {
+      return void 0;
+    }
+    return {
+      url: new URL(response.url, this.host).toString(),
+      relativeUrl: response.url,
+      ticketId: response.ticketId,
+      expiresAt: response.expiresAt
+    };
+  }
   /**
    * Get a value by key.
    */
@@ -1336,6 +1400,61 @@ var KVService = class extends BaseService {
       }
     });
   }
+  /**
+   * Create a short-lived signed URL for reading a KV object.
+   */
+  async createSignedReadUrl(key, options) {
+    return this.withTelemetry("createSignedReadUrl", key, async () => {
+      if (!this.requireAuth()) {
+        return err(authRequiredError("kv"));
+      }
+      const path = this.getFullPath(key, options?.prefix);
+      const session = this.context.session;
+      const headers = this.context.invoke(
+        session,
+        "kv",
+        path,
+        KVAction.GET
+      );
+      const body = {
+        space: session.spaceId,
+        path,
+        ttl_seconds: options?.expiresInSeconds ?? Math.ceil(DEFAULT_SIGNED_READ_URL_EXPIRY_MS / 1e3)
+      };
+      if (options?.contentHash !== void 0) {
+        body.content_hash = options.contentHash;
+      }
+      if (options?.etag !== void 0) {
+        body.etag = options.etag;
+      }
+      try {
+        const response = await this.context.fetch(`${this.host}/signed/kv`, {
+          method: "POST",
+          headers: this.withJsonContentType(headers),
+          body: JSON.stringify(body),
+          signal: this.combineSignals(options?.signal)
+        });
+        if (!response.ok) {
+          return this.createSignedReadUrlError(response, key);
+        }
+        const signedUrl = this.normalizeSignedReadUrlResponse(
+          await response.json()
+        );
+        if (!signedUrl) {
+          return err(
+            serviceError(
+              ErrorCodes.NETWORK_ERROR,
+              "Signed read URL response did not include url, ticketId, and expiresAt",
+              "kv"
+            )
+          );
+        }
+        return ok(signedUrl);
+      } catch (error) {
+        return err(wrapError("kv", error));
+      }
+    });
+  }
   /**
    * Create a prefix-scoped view of this KV service.
    *
@@ -3844,9 +3963,131 @@ function createVaultCrypto(wasm) {
     sha256: (data) => wasm.vault_sha256(data)
   };
 }
+// src/secrets/paths.ts
+var SECRET_NAME_RE = /^[A-Z][A-Z0-9_]*$/;
+var SECRET_PREFIX = "secrets/";
+var SCOPED_SECRET_PREFIX = "secrets/scoped/";
+var RESERVED_SECRET_SCOPES = /* @__PURE__ */ new Set(["default", "global"]);
+function canonicalizeSecretScope(scope) {
+  if (scope === void 0) {
+    return void 0;
+  }
+  const trimmed = scope.trim();
+  if (trimmed === "") {
+    throw new Error("Secret scope must be non-empty; omit scope for global secrets.");
+  }
+  const canonical = trimmed.toLowerCase().replace(/[^a-z0-9-]/g, "-").replace(/-+/g, "-").replace(/^-|-$/g, "");
+  if (canonical === "") {
+    throw new Error("Secret scope must contain at least one letter or number.");
+  }
+  if (RESERVED_SECRET_SCOPES.has(canonical)) {
+    throw new Error(
+      `Secret scope ${JSON.stringify(scope)} is reserved; omit scope for global secrets.`
+    );
+  }
+  return canonical;
+}
+function resolveSecretPath(name, options = {}) {
+  const normalizedName = name.trim();
+  if (!SECRET_NAME_RE.test(normalizedName)) {
+    throw new Error(
+      `Invalid secret name ${JSON.stringify(name)}. Secret names must match ${SECRET_NAME_RE.source}.`
+    );
+  }
+  const scope = canonicalizeSecretScope(options.scope);
+  const vaultKey = scope === void 0 ? `${SECRET_PREFIX}${normalizedName}` : `${SCOPED_SECRET_PREFIX}${scope}/${normalizedName}`;
+  return {
+    name: normalizedName,
+    ...scope !== void 0 ? { scope } : {},
+    vaultKey,
+    permissionPaths: {
+      keys: `keys/${vaultKey}`,
+      vault: `vault/${vaultKey}`
+    }
+  };
+}
+// src/secrets/SecretsService.ts
+function invalidSecretInput(message) {
+  return err({
+    code: ErrorCodes.INVALID_INPUT,
+    service: "secrets",
+    message
+  });
+}
+function resolveSecretPathResult(name, options) {
+  try {
+    return resolveSecretPath(name, options);
+  } catch (error) {
+    return invalidSecretInput(error instanceof Error ? error.message : String(error));
+  }
+}
+var SecretsService = class {
+  constructor(vault) {
+    this.getVault = typeof vault === "function" ? vault : () => vault;
+  }
+  get vault() {
+    return this.getVault();
+  }
+  get isUnlocked() {
+    return this.vault.isUnlocked;
+  }
+  unlock(signer) {
+    return this.vault.unlock(signer);
+  }
+  lock() {
+    this.vault.lock();
+  }
+  async get(name, options) {
+    const secretPath = resolveSecretPathResult(name, options);
+    if ("ok" in secretPath) return secretPath;
+    const result = await this.vault.get(secretPath.vaultKey);
+    if (!result.ok) {
+      return result;
+    }
+    return { ok: true, data: result.data.value.value };
+  }
+  async put(name, value, options) {
+    const secretPath = resolveSecretPathResult(name, options);
+    if ("ok" in secretPath) return secretPath;
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    return this.vault.put(secretPath.vaultKey, {
+      value,
+      createdAt: now,
+      updatedAt: now
+    });
+  }
+  async delete(name, options) {
+    const secretPath = resolveSecretPathResult(name, options);
+    if ("ok" in secretPath) return secretPath;
+    return this.vault.delete(secretPath.vaultKey);
+  }
+  async list(options) {
+    let prefix;
+    try {
+      const scope = canonicalizeSecretScope(options?.scope);
+      prefix = scope === void 0 ? "secrets/" : `secrets/scoped/${scope}/`;
+    } catch (error) {
+      return invalidSecretInput(error instanceof Error ? error.message : String(error));
+    }
+    const result = await this.vault.list({
+      prefix,
+      removePrefix: true
+    });
+    if (!result.ok) {
+      return result;
+    }
+    return {
+      ok: true,
+      data: result.data.filter((name) => SECRET_NAME_RE.test(name))
+    };
+  }
+};
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   BaseService,
+  DEFAULT_SIGNED_READ_URL_EXPIRY_MS,
   DataVaultService,
   DatabaseHandle,
   DuckDbAction,
@@ -3863,8 +4104,10 @@ function createVaultCrypto(wasm) {
   KVService,
   PrefixedKVService,
   RetryPolicySchema,
+  SECRET_NAME_RE,
   SQLAction,
   SQLService,
+  SecretsService,
   ServiceContext,
   ServiceErrorEventSchema,
   ServiceErrorSchema,
@@ -3880,6 +4123,7 @@ function createVaultCrypto(wasm) {
   authExpiredError,
   authRequiredError,
   authUnauthorizedError,
+  canonicalizeSecretScope,
   createKVResponseSchema,
   createResultSchema,
   createVaultCrypto,
@@ -3891,6 +4135,7 @@ function createVaultCrypto(wasm) {
   ok,
   parseAuthError,
   permissionDeniedError,
+  resolveSecretPath,
   serviceError,
   storageLimitReachedError,
   storageQuotaExceededError,