@tinycloud/sdk-services 2.2.0-beta.10 → 2.2.0-beta.13

package/dist/index.cjs

@@ -21,6 +21,7 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 var index_exports = {};
 __export(index_exports, {
   BaseService: () => BaseService,
+  DEFAULT_SIGNED_READ_URL_EXPIRY_MS: () => DEFAULT_SIGNED_READ_URL_EXPIRY_MS,
   DataVaultService: () => DataVaultService,
   DatabaseHandle: () => DatabaseHandle,
   DuckDbAction: () => DuckDbAction,
@@ -904,6 +905,13 @@ var PrefixedKVService = class _PrefixedKVService {
     const fullKey = this.getFullKey(key);
     return this._kv.head(fullKey, { ...options, prefix: "" });
   }
+  /**
+   * Create a short-lived signed URL for reading a KV object.
+   */
+  async createSignedReadUrl(key, options) {
+    const fullKey = this.getFullKey(key);
+    return this._kv.createSignedReadUrl(fullKey, { ...options, prefix: "" });
+  }
   /**
    * Create a nested prefix-scoped view.
    */
@@ -915,6 +923,7 @@ var PrefixedKVService = class _PrefixedKVService {
 };
 
 // src/kv/types.ts
+var DEFAULT_SIGNED_READ_URL_EXPIRY_MS = 5 * 60 * 1e3;
 var KVAction = {
   GET: "tinycloud.kv/get",
   PUT: "tinycloud.kv/put",
@@ -999,6 +1008,15 @@ var KVService = class extends BaseService {
   get host() {
     return this.context.hosts[0];
   }
+  withJsonContentType(headers) {
+    if (Array.isArray(headers)) {
+      return [...headers, ["content-type", "application/json"]];
+    }
+    return {
+      ...headers,
+      "content-type": "application/json"
+    };
+  }
   /**
    * Execute an invoke operation.
    *
@@ -1068,6 +1086,48 @@ var KVService = class extends BaseService {
       return text;
     }
   }
+  async createSignedReadUrlError(response, key) {
+    let errorText = response.statusText;
+    try {
+      const text = await response.text();
+      if (text) {
+        errorText = text;
+      }
+    } catch {
+    }
+    if (response.status === 401 || response.status === 403) {
+      const { resource, action } = parseAuthError(errorText);
+      return err(authUnauthorizedError("kv", errorText, {
+        status: response.status,
+        ...action && { requiredAction: action },
+        ...resource && { resource }
+      }));
+    }
+    const code = response.status === 400 ? ErrorCodes.INVALID_INPUT : ErrorCodes.NETWORK_ERROR;
+    return err(
+      serviceError(
+        code,
+        `Failed to create signed read URL for key "${key}": ${response.status} - ${errorText}`,
+        "kv",
+        { meta: { status: response.status, statusText: response.statusText } }
+      )
+    );
+  }
+  normalizeSignedReadUrlResponse(data) {
+    if (!data || typeof data !== "object") {
+      return void 0;
+    }
+    const response = data;
+    if (typeof response.url !== "string" || typeof response.ticketId !== "string" || typeof response.expiresAt !== "string") {
+      return void 0;
+    }
+    return {
+      url: new URL(response.url, this.host).toString(),
+      relativeUrl: response.url,
+      ticketId: response.ticketId,
+      expiresAt: response.expiresAt
+    };
+  }
   /**
    * Get a value by key.
    */
@@ -1340,6 +1400,61 @@ var KVService = class extends BaseService {
       }
     });
   }
+  /**
+   * Create a short-lived signed URL for reading a KV object.
+   */
+  async createSignedReadUrl(key, options) {
+    return this.withTelemetry("createSignedReadUrl", key, async () => {
+      if (!this.requireAuth()) {
+        return err(authRequiredError("kv"));
+      }
+      const path = this.getFullPath(key, options?.prefix);
+      const session = this.context.session;
+      const headers = this.context.invoke(
+        session,
+        "kv",
+        path,
+        KVAction.GET
+      );
+      const body = {
+        space: session.spaceId,
+        path,
+        ttl_seconds: options?.expiresInSeconds ?? Math.ceil(DEFAULT_SIGNED_READ_URL_EXPIRY_MS / 1e3)
+      };
+      if (options?.contentHash !== void 0) {
+        body.content_hash = options.contentHash;
+      }
+      if (options?.etag !== void 0) {
+        body.etag = options.etag;
+      }
+      try {
+        const response = await this.context.fetch(`${this.host}/signed/kv`, {
+          method: "POST",
+          headers: this.withJsonContentType(headers),
+          body: JSON.stringify(body),
+          signal: this.combineSignals(options?.signal)
+        });
+        if (!response.ok) {
+          return this.createSignedReadUrlError(response, key);
+        }
+        const signedUrl = this.normalizeSignedReadUrlResponse(
+          await response.json()
+        );
+        if (!signedUrl) {
+          return err(
+            serviceError(
+              ErrorCodes.NETWORK_ERROR,
+              "Signed read URL response did not include url, ticketId, and expiresAt",
+              "kv"
+            )
+          );
+        }
+        return ok(signedUrl);
+      } catch (error) {
+        return err(wrapError("kv", error));
+      }
+    });
+  }
   /**
    * Create a prefix-scoped view of this KV service.
    *
@@ -2909,6 +3024,9 @@ function base64Decode(str) {
   }
   return bytes;
 }
+function isUnlockSigner(signer) {
+  return typeof signer === "object" && signer !== null && typeof signer.signMessage === "function";
+}
 function defaultVaultMessage(input) {
   switch (input.code) {
     case "DECRYPTION_FAILED":
@@ -2946,6 +3064,7 @@ var DataVaultService = class extends BaseService {
     this.masterKey = null;
     this.encryptionIdentity = null;
     this._isUnlocked = false;
+    this.unlockInFlight = null;
     this.vaultConfig = config;
     this._config = config;
   }
@@ -3005,30 +3124,40 @@ var DataVaultService = class extends BaseService {
    *                 signatures exist (browser only).
    */
   async unlock(signer) {
-    return this.withTelemetry("unlock", void 0, async () => {
+    const unlockSigner = isUnlockSigner(signer) ? signer : void 0;
+    if (this._isUnlocked && this.masterKey && (this.encryptionIdentity || !unlockSigner)) {
+      return { ok: true, data: void 0 };
+    }
+    if (this.unlockInFlight) {
+      return this.unlockInFlight;
+    }
+    this.unlockInFlight = this.withTelemetry("unlock", void 0, async () => {
       const spaceId = this.vaultConfig.spaceId;
       const versionConfig = VaultVersionConfig[CURRENT_VAULT_VERSION];
       const masterCacheKey = `vault-master:${spaceId}`;
       const identityCacheKey = `vault-identity:${this.tc.address}`;
       try {
-        let masterSigBytes = await loadCachedSignature(masterCacheKey);
-        if (!masterSigBytes) {
-          if (!signer) {
-            return vaultError({
-              code: "VAULT_LOCKED",
-              message: "Signer is required when no cached master signature exists"
-            });
+        if (!this.masterKey) {
+          let masterSigBytes = await loadCachedSignature(masterCacheKey);
+          if (!masterSigBytes) {
+            if (!unlockSigner) {
+              return vaultError({
+                code: "VAULT_LOCKED",
+                message: "Signer is required when no cached master signature exists"
+              });
+            }
+            const sig = await unlockSigner.signMessage(
+              versionConfig.masterMessage(spaceId)
+            );
+            masterSigBytes = toBytes(sig);
+            await cacheSignature(masterCacheKey, masterSigBytes);
           }
-          const s = signer;
-          const sig = await s.signMessage(versionConfig.masterMessage(spaceId));
-          masterSigBytes = toBytes(sig);
-          await cacheSignature(masterCacheKey, masterSigBytes);
-        }
-        this.masterKey = this.crypto.deriveKey(
-          masterSigBytes,
-          this.crypto.sha256(toBytes(spaceId)),
-          toBytes("vault-master")
-        );
+          this.masterKey = this.crypto.deriveKey(
+            masterSigBytes,
+            this.crypto.sha256(toBytes(spaceId)),
+            toBytes("vault-master")
+          );
+        }
         const publicSpaceId = this.tc.makePublicSpaceId(this.tc.address, this.tc.chainId);
         let existingPubKey = null;
         try {
@@ -3051,13 +3180,14 @@ var DataVaultService = class extends BaseService {
         } else {
           let identitySigBytes = await loadCachedSignature(identityCacheKey);
           if (!identitySigBytes) {
-            if (!signer) {
+            if (!unlockSigner) {
               this.encryptionIdentity = null;
               this._isUnlocked = true;
               return ok(void 0);
             }
-            const s = signer;
-            const sig = await s.signMessage(versionConfig.identityMessage);
+            const sig = await unlockSigner.signMessage(
+              versionConfig.identityMessage
+            );
             identitySigBytes = toBytes(sig);
             await cacheSignature(identityCacheKey, identitySigBytes);
           }
@@ -3087,6 +3217,11 @@ var DataVaultService = class extends BaseService {
         });
       }
     });
+    try {
+      return await this.unlockInFlight;
+    } finally {
+      this.unlockInFlight = null;
+    }
   }
   /**
    * Clear the cached vault signatures.
@@ -3972,6 +4107,7 @@ var SecretsService = class {
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   BaseService,
+  DEFAULT_SIGNED_READ_URL_EXPIRY_MS,
   DataVaultService,
   DatabaseHandle,
   DuckDbAction,