sh3-server 0.19.6 → 0.20.1

package/dist/scope.d.ts

@@ -10,7 +10,6 @@
  * unless their accessibleScopes list includes the requested scope.
  */
 import type { MiddlewareHandler } from 'hono';
-import type { SettingsStore } from './settings.js';
 export declare function scopeRequired(scope: string): MiddlewareHandler;
 export declare const requireCallerScope: MiddlewareHandler;
-export declare function scopeAccessMatch(paramName: string, settings?: SettingsStore): MiddlewareHandler;
+export declare function scopeAccessMatch(paramName: string): MiddlewareHandler;

package/dist/scope.js

@@ -28,12 +28,8 @@ export const requireCallerScope = async (c, next) => {
         return c.json({ error: 'Scope-bound credentials required' }, 401);
     return next();
 };
-export function scopeAccessMatch(paramName, settings) {
+export function scopeAccessMatch(paramName) {
     return async (c, next) => {
-        // Open / no-auth mode: admin has explicitly disabled scope isolation.
-        // Mirrors sessionAuth's open-mode bypass; required for Tauri sidecar mode.
-        if (settings && !settings.get().auth.required)
-            return next();
         const caller = c.get('caller');
         if (!caller)
             return c.json({ error: 'Caller not resolved' }, 500);

package/dist/settings.d.ts

@@ -4,7 +4,6 @@
  */
 export interface GlobalSettings {
     auth: {
-        required: boolean;
         guestAllowed: boolean;
         sessionTTL: number;
         selfRegistration: boolean;

package/dist/settings.js

@@ -7,7 +7,6 @@ import { dirname } from 'node:path';
 const MAX_PACKAGE_CACHE_AGE = 31536000; // 1 year
 const DEFAULTS = {
     auth: {
-        required: true,
         guestAllowed: false,
         sessionTTL: 24,
         selfRegistration: false,
@@ -44,7 +43,6 @@ export class SettingsStore {
             const raw = JSON.parse(readFileSync(this.#path, 'utf-8'));
             return {
                 auth: {
-                    required: raw.auth?.required ?? DEFAULTS.auth.required,
                     guestAllowed: raw.auth?.guestAllowed ?? DEFAULTS.auth.guestAllowed,
                     sessionTTL: raw.auth?.sessionTTL ?? DEFAULTS.auth.sessionTTL,
                     selfRegistration: raw.auth?.selfRegistration ?? DEFAULTS.auth.selfRegistration,
@@ -72,8 +70,6 @@ export class SettingsStore {
     /** Patch settings. Only provided fields are updated. */
     update(patch) {
         if (patch.auth) {
-            if (patch.auth.required !== undefined)
-                this.#settings.auth.required = patch.auth.required;
             if (patch.auth.guestAllowed !== undefined)
                 this.#settings.auth.guestAllowed = patch.auth.guestAllowed;
             if (patch.auth.sessionTTL !== undefined)

package/dist/shard-router.d.ts

@@ -48,7 +48,7 @@ export interface MountContext {
     wsRegister(onConnect: (ws: any, c: any) => void): any;
 }
 /** Middleware requiring the caller's scope set to include admin:*. */
-export declare function adminOnly(_keys: KeyStore, settings: SettingsStore): MiddlewareHandler;
+export declare function adminOnly(): MiddlewareHandler;
 /**
  * Dynamic shard route manager. Holds a Map of shard Hono sub-apps
  * and delegates requests from a single wildcard route.

package/dist/shard-router.js

@@ -5,10 +5,8 @@ import { join } from 'node:path';
 import { scopeRequired, requireCallerScope } from './scope.js';
 import { pathToFileURL } from 'node:url';
 /** Middleware requiring the caller's scope set to include admin:*. */
-export function adminOnly(_keys, settings) {
+export function adminOnly() {
     return async (c, next) => {
-        if (!settings.get().auth.required)
-            return next();
         const caller = c.get('caller');
         if (caller?.scopes.includes('admin:*'))
             return next();
@@ -154,6 +152,26 @@ export class ShardRouter {
             // Framework built-ins (mountStatic) may have no sibling manifest; default to empty.
         }
         const docStore = ctx.docStore;
+        // Symmetric path translator: same (shardId, path) pair that documents()
+        // accepts. `mounts/*` walks the MountedPathResolver wired on the docStore;
+        // any other shardId resolves to the canonical native-doc location under
+        // the host's docs dir. Throws on unresolvable mounts so callers can just
+        // hand the result to spawn/streams without branching.
+        const resolveFsPath = (tenant, targetShardId, path) => {
+            if (targetShardId === 'mounts') {
+                const resolver = docStore.mountResolver;
+                if (!resolver)
+                    throw new Error('Mount resolver not configured on docStore');
+                const docPath = path ? `mounts/${path}` : 'mounts';
+                const resolved = resolver.resolve(tenant, docPath);
+                if (resolved.kind === 'mount')
+                    return resolved.realPath;
+                if (resolved.kind === 'mount-unresolved')
+                    throw new Error(resolved.error);
+                throw new Error(`Invalid mount path: ${docPath}`);
+            }
+            return join(docStore.dataDir, 'docs', tenant, targetShardId, path);
+        };
         // Hono's MiddlewareHandler uses a concrete Context generic that isn't
         // assignable to sh3-core's framework-agnostic stand-in (c: unknown).
         // Cast once at assembly — shards only call the handlers, never introspect.
@@ -161,7 +179,7 @@ export class ShardRouter {
             shardId,
             dataDir: shardDataDir,
             permissions,
-            adminOnly: adminOnly(ctx.keys, ctx.settings),
+            adminOnly: adminOnly(),
             scopeRequired,
             tenantRequired: requireCallerScope,
             wsRegister: ctx.wsRegister,
@@ -172,6 +190,7 @@ export class ShardRouter {
                     return; // silent no-op
                 docStore.roles.set(tenant, role);
             },
+            resolveFsPath,
         };
         return ctxOut;
     }

package/dist/tenant-fs/http.d.ts

@@ -5,11 +5,9 @@
  * Read-only. Writes are out of scope for this iteration.
  */
 import type { Hono } from 'hono';
-import type { SettingsStore } from '../settings.js';
 export interface TenantFsRouteContext {
     dataDir: string;
     rootBase: string;
-    settings: SettingsStore;
     maxReadBytes: number;
 }
 export declare function registerTenantFsRoutes(app: Hono, ctx: TenantFsRouteContext): void;

package/dist/tenant-fs/http.js

@@ -16,7 +16,7 @@ function userIdFromContext(c) {
     return session.userId;
 }
 export function registerTenantFsRoutes(app, ctx) {
-    const sessionRequired = makeSessionRequired(ctx.settings);
+    const sessionRequired = makeSessionRequired();
     app.get('/api/fs/list', sessionRequired, async (c) => {
         const rel = c.req.query('path') ?? '';
         const root = documentsRoot(ctx.dataDir, userIdFromContext(c), ctx.rootBase);

package/dist/tenant-fs/session-required.d.ts

@@ -1,11 +1,9 @@
 import type { MiddlewareHandler } from 'hono';
-import type { SettingsStore } from '../settings.js';
 /**
  * Requires an authenticated session on the request. Any role passes.
- * When `auth.required` is false (dev/--no-auth), passes through.
  *
  * Contrast with adminOnly: this gate is for tenant-scoped APIs where any
  * logged-in user can operate — scope is enforced by the handler jailing to
  * the caller's own tenant root, not by role.
  */
-export declare function makeSessionRequired(settings: SettingsStore): MiddlewareHandler;
+export declare function makeSessionRequired(): MiddlewareHandler;

package/dist/tenant-fs/session-required.js

@@ -1,15 +1,12 @@
 /**
  * Requires an authenticated session on the request. Any role passes.
- * When `auth.required` is false (dev/--no-auth), passes through.
  *
  * Contrast with adminOnly: this gate is for tenant-scoped APIs where any
  * logged-in user can operate — scope is enforced by the handler jailing to
  * the caller's own tenant root, not by role.
  */
-export function makeSessionRequired(settings) {
+export function makeSessionRequired() {
     return async (c, next) => {
-        if (!settings.get().auth.required)
-            return next();
         const session = c.get('session') ?? c.env?.session;
         if (!session?.userId) {
             return c.json({ error: 'authentication required' }, 401);

package/dist/users.d.ts

@@ -6,7 +6,7 @@ export interface StoredUser {
     id: string;
     username: string;
     displayName: string;
-    passwordHash: string;
+    passwordHash: string | null;
     role: 'admin' | 'user';
     createdAt: string;
     updatedAt: string;
@@ -39,6 +39,19 @@ export declare class UserStore {
     }): Promise<PublicUser | null>;
     /** Delete a user by ID. Returns true if found and removed. */
     delete(id: string): boolean;
+    /**
+     * Upsert a synthetic user (no password). Used by `--local` desktop mode to
+     * persist the `local` owner without invoking bcrypt (which the SEA sidecar
+     * cannot load). Users created via this path have `passwordHash=null` and
+     * can never authenticate through the password flow — `authenticate()` filters
+     * them out.
+     */
+    upsertSynthetic(opts: {
+        id: string;
+        username: string;
+        displayName: string;
+        role: 'admin' | 'user';
+    }): PublicUser;
     /** Generate a random temporary password. */
     static generatePassword(): string;
 }

package/dist/users.js

@@ -64,6 +64,8 @@ export class UserStore {
         const user = this.#users.find(u => u.username === username.toLowerCase());
         if (!user)
             return null;
+        if (!user.passwordHash)
+            return null;
         if (!(await (await getBcrypt()).compare(password, user.passwordHash)))
             return null;
         return this.#toPublic(user);
@@ -102,6 +104,38 @@ export class UserStore {
         }
         return false;
     }
+    /**
+     * Upsert a synthetic user (no password). Used by `--local` desktop mode to
+     * persist the `local` owner without invoking bcrypt (which the SEA sidecar
+     * cannot load). Users created via this path have `passwordHash=null` and
+     * can never authenticate through the password flow — `authenticate()` filters
+     * them out.
+     */
+    upsertSynthetic(opts) {
+        const lower = opts.username.toLowerCase();
+        const existing = this.#users.find((u) => u.id === opts.id);
+        const now = new Date().toISOString();
+        if (existing) {
+            existing.username = lower;
+            existing.displayName = opts.displayName;
+            existing.role = opts.role;
+            existing.updatedAt = now;
+            this.#save();
+            return this.#toPublic(existing);
+        }
+        const user = {
+            id: opts.id,
+            username: lower,
+            displayName: opts.displayName,
+            passwordHash: null,
+            role: opts.role,
+            createdAt: now,
+            updatedAt: now,
+        };
+        this.#users.push(user);
+        this.#save();
+        return this.#toPublic(user);
+    }
     /** Generate a random temporary password. */
     static generatePassword() {
         return randomBytes(6).toString('base64url');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sh3-server",
-  "version": "0.19.6",
+  "version": "0.20.1",
   "type": "module",
   "bin": {
     "sh3-server": "dist/cli.js"