dacument 1.0.0 → 1.0.1

package/README.md

@@ -79,7 +79,7 @@ Map keys must be JSON-compatible values (`string`, `number`, `boolean`, `null`,
 Roles are evaluated at the op stamp time (HLC).
 
 - Owner: full control (including ownership transfer).
-- Manager: can grant editor/viewer/revoked roles.
+- Manager: can grant editor/viewer/revoked roles (cannot change owner).
 - Editor: can write non-ACL fields.
 - Viewer: read-only.
 - Revoked: reads are masked to initial values; writes are rejected.
@@ -164,6 +164,19 @@ If any non-revoked actor is offline and never acks, tombstones are kept.
 Eventual consistency is achieved when all signed ops are delivered to all
 replicas. Dacument does not provide transport; use `change` events to wire it up.
 
+## Possible threats and how to handle
+
+- Key compromise: no rotation exists, so migrate by snapshotting into a new
+  dacument with fresh keys.
+- Shared role keys: attribution is role-level, not per-user; treat roles as
+  trust groups and log merge events if you need auditing.
+- Insider DoS/flooding: rate-limit ops, cap payload sizes, and monitor merge
+  errors at the application layer.
+- Withholding/delivery delays: eventual consistency depends on ops arriving;
+  use reliable transport and resync via snapshot when needed.
+- No built-in encryption: use TLS or E2E encryption and treat snapshots as
+  sensitive data.
+
 ## Compatibility
 
 - ESM only (`type: module`).

package/dist/Dacument/class.d.ts

@@ -131,6 +131,7 @@ export declare class Dacument<S extends SchemaDefinition> {
     private emitError;
     private canWriteField;
     private canWriteAcl;
+    private canWriteAclTarget;
     private assertWritable;
     private assertValueType;
     private assertValueArray;

package/dist/Dacument/class.js

@@ -671,7 +671,7 @@ export class Dacument {
                     const roleAt = this.aclLog.roleAt(payload.iss, payload.stamp);
                     if (roleAt === signerRole &&
                         isAclPatch(payload.patch) &&
-                        this.canWriteAcl(signerRole, payload.patch.role))
+                        this.canWriteAclTarget(signerRole, payload.patch.role, payload.patch.target, payload.stamp))
                         allowed = true;
                 }
             }
@@ -1448,7 +1448,7 @@ export class Dacument {
         if (!isAclPatch(payload.patch))
             return false;
         const patch = payload.patch;
-        if (!this.canWriteAcl(signerRole, patch.role))
+        if (!this.canWriteAclTarget(signerRole, patch.role, patch.target, payload.stamp))
             return false;
         const assignment = {
             id: patch.id,
@@ -1871,7 +1871,7 @@ export class Dacument {
     setRole(actorId, role) {
         const stamp = this.clock.next();
         const signerRole = this.aclLog.roleAt(this.actorId, stamp);
-        if (!this.canWriteAcl(signerRole, role))
+        if (!this.canWriteAclTarget(signerRole, role, actorId, stamp))
             throw new Error(`Dacument: role '${signerRole}' cannot grant '${role}'`);
         const assignmentId = uuidv7();
         this.queueLocalOp({
@@ -1959,6 +1959,16 @@ export class Dacument {
             return targetRole === "editor" || targetRole === "viewer" || targetRole === "revoked";
         return false;
     }
+    canWriteAclTarget(role, targetRole, targetActorId, stamp) {
+        if (!this.canWriteAcl(role, targetRole))
+            return false;
+        if (role === "manager") {
+            const targetRoleAt = this.aclLog.roleAt(targetActorId, stamp);
+            if (targetRoleAt === "owner")
+                return false;
+        }
+        return true;
+    }
     assertWritable(field, role) {
         if (!this.canWriteField(role))
             throw new Error(`Dacument: role '${role}' cannot write '${field}'`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "dacument",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "Schema-driven CRDT document with signed ops and role-based ACLs.",
   "keywords": [
     "crdt",