sh3-server 0.7.5 → 0.8.2

package/dist/routes/keys.js

@@ -0,0 +1,164 @@
+/**
+ * User-tenant key management endpoints.
+ *
+ * Auth: uses `caller.tenantId` set by resolveCaller. Each caller can only
+ * see and revoke keys in their own tenant.
+ *
+ * Mint flow:
+ *   1. Shell calls POST /consent (session-only) → receives a short-lived ticket.
+ *   2. Shard calls POST / with the ticket → key is generated and returned once.
+ *
+ * Tickets are single-use and expire after TICKET_TTL_MS (60 s).
+ */
+import { Hono } from 'hono';
+import { randomBytes } from 'node:crypto';
+import { tenantRequired } from '../scope.js';
+const TICKET_TTL_MS = 60_000;
+function sweepExpired(tickets) {
+    const now = Date.now();
+    for (const [token, entry] of tickets) {
+        if (now - entry.issuedAt > TICKET_TTL_MS)
+            tickets.delete(token);
+    }
+}
+export function createKeysRouter(keys, onRevoke) {
+    const router = new Hono();
+    const tickets = new Map();
+    // SSE subscribers — one entry per connected browser tab.
+    const sseSubscribers = new Set();
+    /** Push a revocation event to all connected SSE listeners. */
+    function pushToBus(ev) {
+        for (const fn of sseSubscribers)
+            fn(ev);
+    }
+    router.use('*', tenantRequired);
+    router.get('/', (c) => {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const caller = c.get('caller');
+        return c.json(keys.listForTenant(caller.tenantId));
+    });
+    /**
+     * POST /consent — shell-only endpoint that issues a single-use consent ticket.
+     *
+     * Only session-authenticated callers may call this — bearer-token clients
+     * (background shards) must not be able to self-issue consent proofs.
+     */
+    router.post('/consent', async (c) => {
+        sweepExpired(tickets);
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const caller = c.get('caller');
+        if (caller.source !== 'session' || !caller.userId) {
+            return c.json({ error: 'Consent requires a logged-in session.' }, 403);
+        }
+        const body = (await c.req.json());
+        if (!body.shardId || !body.label || !Array.isArray(body.scopes)) {
+            return c.json({ error: 'Missing shardId/label/scopes' }, 400);
+        }
+        if (!body.scopes.every((s) => typeof s === 'string')) {
+            return c.json({ error: 'scopes must be an array of strings' }, 400);
+        }
+        const ticket = `tk_${randomBytes(16).toString('hex')}`;
+        tickets.set(ticket, {
+            shardId: body.shardId,
+            label: body.label,
+            scopes: body.scopes,
+            connectorId: body.connectorId,
+            expiresIn: body.expiresIn,
+            tenantId: caller.tenantId,
+            userId: caller.userId,
+            issuedAt: Date.now(),
+        });
+        return c.json({ ticket });
+    });
+    /**
+     * POST / — mint a key using a valid consent ticket.
+     *
+     * Ticket is consumed on first use (single-use). Expired or unknown tickets
+     * return 400. The full key value is returned exactly once.
+     */
+    router.post('/', async (c) => {
+        sweepExpired(tickets);
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const caller = c.get('caller');
+        const body = (await c.req.json());
+        if (!body.ticket)
+            return c.json({ error: 'Missing ticket' }, 400);
+        const entry = tickets.get(body.ticket);
+        tickets.delete(body.ticket); // consume immediately (single-use)
+        if (!entry)
+            return c.json({ error: 'Ticket invalid or already used' }, 400);
+        if (Date.now() - entry.issuedAt > TICKET_TTL_MS) {
+            return c.json({ error: 'Ticket invalid or already used' }, 400);
+        }
+        if (entry.tenantId !== caller.tenantId) {
+            return c.json({ error: 'Ticket invalid or already used' }, 400);
+        }
+        const expiresAt = entry.expiresIn
+            ? new Date(Date.now() + entry.expiresIn).toISOString()
+            : undefined;
+        const row = keys.generate({
+            label: entry.label,
+            tenantId: entry.tenantId,
+            ownerUserId: entry.userId,
+            mintedByShardId: entry.shardId,
+            scopes: entry.scopes,
+            connectorId: entry.connectorId,
+            expiresAt,
+        });
+        return c.json({ id: row.id, key: row.key });
+    });
+    /**
+     * GET /events — server-sent events stream.
+     *
+     * Delivers `{ id, shardId }` messages whenever a key belonging to this
+     * tenant is revoked from any source. The client-side revocation bus
+     * consumes this stream and dispatches `onKeyRevoked` on the owning shard.
+     *
+     * Auth: tenantRequired (already applied via the `*` middleware above).
+     * Each connected tab gets its own stream. Connections are cleaned up
+     * automatically when the client disconnects (abort signal).
+     */
+    router.get('/events', (c) => {
+        return new Response(new ReadableStream({
+            start(controller) {
+                const enc = new TextEncoder();
+                const send = (data) => {
+                    controller.enqueue(enc.encode(`data: ${JSON.stringify(data)}\n\n`));
+                };
+                const fn = (ev) => send(ev);
+                sseSubscribers.add(fn);
+                // Send a keepalive comment every 20 s so proxies don't kill idle connections.
+                const heartbeat = setInterval(() => {
+                    try {
+                        controller.enqueue(enc.encode(': ping\n\n'));
+                    }
+                    catch { /* stream closed */ }
+                }, 20_000);
+                c.req.raw.signal?.addEventListener('abort', () => {
+                    clearInterval(heartbeat);
+                    sseSubscribers.delete(fn);
+                    controller.close();
+                });
+            },
+        }), {
+            headers: {
+                'content-type': 'text/event-stream',
+                'cache-control': 'no-cache',
+                connection: 'keep-alive',
+            },
+        });
+    });
+    router.delete('/:id', async (c) => {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const caller = c.get('caller');
+        const id = c.req.param('id');
+        const removed = keys.revoke(caller.tenantId, id);
+        if (!removed)
+            return c.json({ error: 'Key not found' }, 404);
+        await onRevoke({ tenantId: caller.tenantId, id, row: removed });
+        // Broadcast to SSE subscribers so other browser tabs learn of the revocation.
+        pushToBus({ id, shardId: removed.mintedByShardId ?? null });
+        return c.json({ ok: true });
+    });
+    return router;
+}

package/dist/scope.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Scope-based route guards. Operate on the `caller` set by resolveCaller.
+ *
+ * scopeRequired(scope) — 403 unless caller has that scope or admin:*.
+ * tenantRequired — 401 unless caller.tenantId is non-null.
+ */
+import type { MiddlewareHandler } from 'hono';
+export declare function scopeRequired(scope: string): MiddlewareHandler;
+export declare const tenantRequired: MiddlewareHandler;

package/dist/scope.js

@@ -0,0 +1,25 @@
+/**
+ * Scope-based route guards. Operate on the `caller` set by resolveCaller.
+ *
+ * scopeRequired(scope) — 403 unless caller has that scope or admin:*.
+ * tenantRequired — 401 unless caller.tenantId is non-null.
+ */
+export function scopeRequired(scope) {
+    return async (c, next) => {
+        const caller = c.get('caller');
+        if (!caller)
+            return c.json({ error: 'Caller not resolved' }, 500);
+        if (caller.scopes.includes('admin:*') || caller.scopes.includes(scope)) {
+            return next();
+        }
+        return c.json({ error: `Missing required scope: ${scope}` }, 403);
+    };
+}
+export const tenantRequired = async (c, next) => {
+    const caller = c.get('caller');
+    if (!caller)
+        return c.json({ error: 'Caller not resolved' }, 500);
+    if (!caller.tenantId)
+        return c.json({ error: 'Tenant-scoped credentials required' }, 401);
+    return next();
+};

package/dist/settings.d.ts

@@ -9,6 +9,17 @@ export interface GlobalSettings {
         sessionTTL: number;
         selfRegistration: boolean;
     };
+    tenants: {
+        /** Absolute or dataDir-relative base; each user gets `<base>/<userId>/documents/`.
+         *  Empty string means "<dataDir>/users" at resolve time. */
+        rootBase: string;
+    };
+    packages: {
+        /** Max-age in seconds for `GET /packages/:id/client.js` responses.
+         *  Clamped to [0, 31536000]. 0 emits `Cache-Control: no-store`.
+         *  Any other value emits `public, max-age=N` (never `immutable`). */
+        cacheMaxAge: number;
+    };
 }
 export declare class SettingsStore {
     #private;
@@ -18,5 +29,7 @@ export declare class SettingsStore {
     /** Patch settings. Only provided fields are updated. */
     update(patch: {
         auth?: Partial<GlobalSettings['auth']>;
+        tenants?: Partial<GlobalSettings['tenants']>;
+        packages?: Partial<GlobalSettings['packages']>;
     }): GlobalSettings;
 }

package/dist/settings.js

@@ -4,6 +4,7 @@
  */
 import { readFileSync, writeFileSync, mkdirSync, existsSync } from 'node:fs';
 import { dirname } from 'node:path';
+const MAX_PACKAGE_CACHE_AGE = 31536000; // 1 year
 const DEFAULTS = {
     auth: {
         required: true,
@@ -11,7 +12,24 @@ const DEFAULTS = {
         sessionTTL: 24,
         selfRegistration: false,
     },
+    tenants: {
+        rootBase: '',
+    },
+    packages: {
+        cacheMaxAge: MAX_PACKAGE_CACHE_AGE,
+    },
 };
+function clampCacheMaxAge(value) {
+    if (typeof value !== 'number' || !Number.isFinite(value)) {
+        return DEFAULTS.packages.cacheMaxAge;
+    }
+    const floored = Math.floor(value);
+    if (floored < 0)
+        return 0;
+    if (floored > MAX_PACKAGE_CACHE_AGE)
+        return MAX_PACKAGE_CACHE_AGE;
+    return floored;
+}
 export class SettingsStore {
     #path;
     #settings;
@@ -31,6 +49,12 @@ export class SettingsStore {
                     sessionTTL: raw.auth?.sessionTTL ?? DEFAULTS.auth.sessionTTL,
                     selfRegistration: raw.auth?.selfRegistration ?? DEFAULTS.auth.selfRegistration,
                 },
+                tenants: {
+                    rootBase: raw.tenants?.rootBase ?? DEFAULTS.tenants.rootBase,
+                },
+                packages: {
+                    cacheMaxAge: clampCacheMaxAge(raw.packages?.cacheMaxAge),
+                },
             };
         }
         catch {
@@ -57,6 +81,15 @@ export class SettingsStore {
             if (patch.auth.selfRegistration !== undefined)
                 this.#settings.auth.selfRegistration = patch.auth.selfRegistration;
         }
+        if (patch.tenants) {
+            if (patch.tenants.rootBase !== undefined)
+                this.#settings.tenants.rootBase = patch.tenants.rootBase;
+        }
+        if (patch.packages) {
+            if (patch.packages.cacheMaxAge !== undefined) {
+                this.#settings.packages.cacheMaxAge = clampCacheMaxAge(patch.packages.cacheMaxAge);
+            }
+        }
         this.#save();
         return this.get();
     }

package/dist/shard-router.d.ts

@@ -6,6 +6,8 @@ export interface MountContext {
     pkgDir: string;
     keys: KeyStore;
     settings: SettingsStore;
+    /** The server's document backend, for sync handle construction. */
+    documentBackend: import('sh3-core/server-sync').DocumentBackend;
     /**
      * Register a WebSocket upgrade handler on a path under this shard's
      * route prefix. The returned value is a Hono middleware handler that
@@ -45,8 +47,13 @@ export interface MountContext {
      */
     wsRegister(onConnect: (ws: any, c: any) => void): any;
 }
-/** Middleware that requires admin session OR valid API key. */
-export declare function adminOnly(keys: KeyStore, settings: SettingsStore): MiddlewareHandler;
+/** Middleware requiring the caller's scope set to include admin:*. */
+export declare function adminOnly(_keys: KeyStore, settings: SettingsStore): MiddlewareHandler;
+/**
+ * Build a ServerShardContext object for the given shard, wiring
+ * sync/syncRegistry based on the declared permissions.
+ */
+export declare function buildShardCtx(shardId: string, dataDir: string, permissions: string[], keys: KeyStore, settings: SettingsStore, wsRegister: MountContext['wsRegister'], documentBackend: MountContext['documentBackend']): Record<string, unknown>;
 /**
  * Dynamic shard route manager. Holds a Map of shard Hono sub-apps
  * and delegates requests from a single wildcard route.

package/dist/shard-router.js

@@ -1,30 +1,51 @@
 // packages/sh3-server/src/shard-router.ts
 import { Hono } from 'hono';
-import { mkdirSync } from 'node:fs';
+import { mkdirSync, readFileSync } from 'node:fs';
 import { join } from 'node:path';
+import { scopeRequired, tenantRequired } from './scope.js';
 import { pathToFileURL } from 'node:url';
-/** Middleware that requires admin session OR valid API key. */
-export function adminOnly(keys, settings) {
+import { getSyncBundle, createSyncHandle, createSyncRegistry } from 'sh3-core/server-sync';
+/** Middleware requiring the caller's scope set to include admin:*. */
+export function adminOnly(_keys, settings) {
     return async (c, next) => {
-        // When auth is disabled (--no-auth), skip admin checks entirely
-        if (!settings.get().auth.required) {
+        if (!settings.get().auth.required)
             return next();
-        }
-        // Session-based admin — forwarded from upstream sessionAuth via env
-        const session = c.get('session') ?? c.env?.session;
-        if (session?.role === 'admin') {
+        const caller = c.get('caller');
+        if (caller?.scopes.includes('admin:*'))
             return next();
+        return c.json({ error: 'Admin privileges required' }, 403);
+    };
+}
+const PERMISSION_DOCUMENTS_SYNC = 'documents:sync';
+/**
+ * Build a ServerShardContext object for the given shard, wiring
+ * sync/syncRegistry based on the declared permissions.
+ */
+export function buildShardCtx(shardId, dataDir, permissions, keys, settings, wsRegister, documentBackend) {
+    const hasSync = permissions.includes(PERMISSION_DOCUMENTS_SYNC);
+    const ctx = {
+        shardId,
+        dataDir,
+        permissions,
+        adminOnly: adminOnly(keys, settings),
+        scopeRequired,
+        tenantRequired,
+        wsRegister,
+    };
+    ctx.sync = async (tenantId, connectorId) => {
+        if (!hasSync) {
+            throw new Error(`Shard "${shardId}" cannot call ctx.sync — missing '${PERMISSION_DOCUMENTS_SYNC}' permission in manifest.`);
         }
-        // Fallback: API key (for external tools / CLI)
-        const authHeader = c.req.header('Authorization');
-        if (authHeader?.startsWith('Bearer sh3_')) {
-            const token = authHeader.slice(7);
-            if (keys.validate(token)) {
-                return next();
-            }
+        const { engine, registry } = await getSyncBundle(documentBackend, tenantId);
+        return createSyncHandle({ tenantId, connectorId, engine, registry });
+    };
+    ctx.syncRegistry = (tenantId) => {
+        if (!hasSync) {
+            throw new Error(`Shard "${shardId}" cannot call ctx.syncRegistry — missing '${PERMISSION_DOCUMENTS_SYNC}' permission in manifest.`);
         }
-        return c.json({ error: 'Admin privileges required' }, 403);
+        return createSyncRegistry(documentBackend, tenantId);
     };
+    return ctx;
 }
 /**
  * Dynamic shard route manager. Holds a Map of shard Hono sub-apps
@@ -44,13 +65,17 @@ export class ShardRouter {
             throw new Error(`${shardId}/server.js invalid export shape — expected { id, routes }`);
         }
         const shardDataDir = join(ctx.pkgDir, 'data');
+        const manifestPath = join(ctx.pkgDir, 'manifest.json');
+        let permissions = [];
+        try {
+            const manifest = JSON.parse(readFileSync(manifestPath, 'utf-8'));
+            permissions = Array.isArray(manifest.permissions) ? manifest.permissions : [];
+        }
+        catch {
+            // Framework built-ins (mountStatic) may have no sibling manifest; default to empty.
+        }
         const router = new Hono();
-        const shardCtx = {
-            shardId: shard.id,
-            dataDir: shardDataDir,
-            adminOnly: adminOnly(ctx.keys, ctx.settings),
-            wsRegister: ctx.wsRegister,
-        };
+        const shardCtx = buildShardCtx(shard.id, shardDataDir, permissions, ctx.keys, ctx.settings, ctx.wsRegister, ctx.documentBackend);
         await shard.routes(router, shardCtx);
         // Create data dir only after routes() succeeds — so a failure
         // doesn't leave behind a dir that prevents install rollback cleanup.
@@ -68,13 +93,17 @@ export class ShardRouter {
             throw new Error(`${shardId} static mount — expected { id, routes }, got ${typeof mod}`);
         }
         const shardDataDir = join(ctx.pkgDir, 'data');
+        const manifestPath = join(ctx.pkgDir, 'manifest.json');
+        let permissions = [];
+        try {
+            const manifest = JSON.parse(readFileSync(manifestPath, 'utf-8'));
+            permissions = Array.isArray(manifest.permissions) ? manifest.permissions : [];
+        }
+        catch {
+            // Framework built-ins (mountStatic) may have no sibling manifest; default to empty.
+        }
         const router = new Hono();
-        const shardCtx = {
-            shardId: mod.id,
-            dataDir: shardDataDir,
-            adminOnly: adminOnly(ctx.keys, ctx.settings),
-            wsRegister: ctx.wsRegister,
-        };
+        const shardCtx = buildShardCtx(mod.id, shardDataDir, permissions, ctx.keys, ctx.settings, ctx.wsRegister, ctx.documentBackend);
         await mod.routes(router, shardCtx);
         mkdirSync(shardDataDir, { recursive: true });
         this.shards.set(shardId, router);

package/dist/shell-shard/index.d.ts

@@ -1,11 +1,16 @@
 import { Hono } from 'hono';
-import type { Context } from 'hono';
+import type { Context, MiddlewareHandler } from 'hono';
 import type { WsLike } from './session-manager.js';
 export interface ShellServerContext {
     shardId: string;
     dataDir: string;
+    /** Base for per-user document roots; empty string → <dataDir>/users. */
+    tenantRootBase?: string;
     adminOnly: any;
     wsRegister: (onConnect: (ws: WsLike, c: Context) => void) => any;
+    permissions: string[];
+    scopeRequired: (scope: string) => MiddlewareHandler;
+    tenantRequired: MiddlewareHandler;
 }
 declare const _default: {
     id: string;

package/dist/shell-shard/index.js

@@ -10,6 +10,7 @@
 import { LocalRunner } from './runner.js';
 import { SessionManager } from './session-manager.js';
 import { handleClientMessage } from './ws.js';
+import { shardDocumentsPath } from '../tenant-fs/paths.js';
 function sessionUser(c) {
     const session = c.get('session') ?? c.env?.session;
     return session?.userId ?? 'admin';
@@ -20,7 +21,8 @@ export default {
         // Default config — overridable via shard env state in a future pass.
         const cfg = { ringSize: 500, historyMaxLines: 10_000, defaultCwd: '' };
         const runner = new LocalRunner();
-        const manager = new SessionManager(ctx.dataDir, runner, cfg);
+        const userCwd = (userId) => shardDocumentsPath(ctx.dataDir, userId, 'shell', ctx.tenantRootBase ?? '');
+        const manager = new SessionManager(ctx.dataDir, runner, cfg, userCwd);
         // NOTE: the JSON /history endpoint is convenience — the authoritative
         // delivery of history is via the `history` server message sent on WS
         // attach. Clients can skip the REST endpoint entirely. Kept for

package/dist/shell-shard/session-manager.d.ts

@@ -58,6 +58,7 @@ export declare class SessionManager {
     private readonly dataDir;
     private readonly runner;
     private readonly cfg;
-    constructor(dataDir: string, runner: Runner, cfg: SessionConfig);
+    private readonly userCwd;
+    constructor(dataDir: string, runner: Runner, cfg: SessionConfig, userCwd: (userId: string) => string);
     getOrCreate(userId: string): ShellSession;
 }

package/dist/shell-shard/session-manager.js

@@ -160,16 +160,29 @@ export class SessionManager {
     dataDir;
     runner;
     cfg;
-    constructor(dataDir, runner, cfg) {
+    userCwd;
+    constructor(dataDir, runner, cfg, userCwd) {
         this.dataDir = dataDir;
         this.runner = runner;
         this.cfg = cfg;
+        this.userCwd = userCwd;
     }
     getOrCreate(userId) {
         let session = this.sessions.get(userId);
         if (!session) {
             const history = new HistoryStore(this.dataDir, userId, this.cfg.historyMaxLines);
-            session = new ShellSession(userId, this.runner, history, this.cfg);
+            // Resolve user cwd; on disk failure fall back to cfg.defaultCwd so
+            // a sick data dir doesn't block login. The warning surfaces in the
+            // server log so ops can notice.
+            let cwd = this.cfg.defaultCwd;
+            try {
+                cwd = this.userCwd(userId);
+            }
+            catch (err) {
+                console.warn(`[shell-shard] userCwd failed for ${userId}: ${err.message} — falling back to ${cwd || 'process.cwd()'}`);
+            }
+            const cfg = { ...this.cfg, defaultCwd: cwd };
+            session = new ShellSession(userId, this.runner, history, cfg);
             this.sessions.set(userId, session);
         }
         return session;

package/dist/shell-shard/ws.js

@@ -15,21 +15,16 @@ export function handleClientMessage(session, ws, raw) {
         msg = JSON.parse(raw);
     }
     catch {
-        // Malformed frame — ignore, do not crash the session.
         return;
     }
     switch (msg.t) {
         case 'hello':
-            // attach() already sent welcome+replay+history at connection time.
-            // The only meaningful thing here is a late hello with replayFrom,
-            // which v1 ignores — the client can resync by reconnecting.
             return;
         case 'submit': {
             const trimmed = msg.line.trim();
             if (trimmed.startsWith('cd ') || trimmed === 'cd') {
-                // Server-managed cd — don't spawn, update session cwd directly.
                 const target = trimmed === 'cd' ? '' : trimmed.slice(3).trim();
-                handleCd(session, target);
+                applyCwdChange(session, target, 'cd');
                 return;
             }
             void session.submit(msg.line, ws);
@@ -42,12 +37,12 @@ export function handleClientMessage(session, ws, raw) {
             session.historyLog(msg.line);
             return;
         case 'cwd-query':
-            // Re-emit a cwd update message (reuses setCwd() broadcast path).
             session.setCwd(session.cwd);
             return;
+        case 'setCwd':
+            applyCwdChange(session, msg.path, 'setCwd');
+            return;
         default: {
-            // Exhaustiveness check. If a new ClientMessage variant is added to
-            // the protocol without a handler here, TypeScript flags this line.
             const _exhaustive = msg;
             void _exhaustive;
             return;
@@ -55,11 +50,16 @@ export function handleClientMessage(session, ws, raw) {
     }
 }
 /**
- * Handle a `cd` command server-side: resolve the target path, validate it
- * exists and is a directory, then update session.cwd via setCwd() which
- * broadcasts a 'cwd' message to every attached client.
+ * Resolve a cwd-change request against the session's current cwd, validate
+ * it exists and is a directory, then update session.cwd via setCwd(). Used
+ * for both interactive `cd` (from submit) and programmatic `setCwd` (from
+ * the docs tree / file explorer).
+ *
+ * Stderr wording keeps the familiar `cd: no such directory` for shell users
+ * and `setCwd: no such directory` for programmatic callers, so the source
+ * of a bad path is obvious in the terminal log.
  */
-function handleCd(session, target) {
+function applyCwdChange(session, target, source) {
     const dest = target === '' || target === '~'
         ? homedir()
         : isAbsolute(target)
@@ -69,7 +69,7 @@ function handleCd(session, target) {
         session.broadcast({
             seq: 0,
             kind: 'stderr',
-            data: `cd: no such directory: ${target}\n`,
+            data: `${source}: no such directory: ${target}\n`,
             ts: Date.now(),
         });
         return;

package/dist/tenant-fs/http.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Tenant FS HTTP API — mounts /api/fs/list, /api/fs/stat, /api/fs/read.
+ *
+ * Gated by sessionRequired; scope is the caller's own documentsRoot.
+ * Read-only. Writes are out of scope for this iteration.
+ */
+import type { Hono } from 'hono';
+import type { SettingsStore } from '../settings.js';
+export interface TenantFsRouteContext {
+    dataDir: string;
+    rootBase: string;
+    settings: SettingsStore;
+    maxReadBytes: number;
+}
+export declare function registerTenantFsRoutes(app: Hono, ctx: TenantFsRouteContext): void;