sh3-server 0.8.1 → 0.9.0

package/dist/shard-router.js

@@ -1,31 +1,77 @@
 // packages/sh3-server/src/shard-router.ts
 import { Hono } from 'hono';
-import { mkdirSync } from 'node:fs';
+import { mkdirSync, readFileSync } from 'node:fs';
 import { join } from 'node:path';
+import { scopeRequired, tenantRequired } from './scope.js';
 import { pathToFileURL } from 'node:url';
-/** Middleware that requires admin session OR valid API key. */
-export function adminOnly(keys, settings) {
+/** Middleware requiring the caller's scope set to include admin:*. */
+export function adminOnly(_keys, settings) {
     return async (c, next) => {
-        // When auth is disabled (--no-auth), skip admin checks entirely
-        if (!settings.get().auth.required) {
+        if (!settings.get().auth.required)
             return next();
-        }
-        // Session-based admin — forwarded from upstream sessionAuth via env
-        const session = c.get('session') ?? c.env?.session;
-        if (session?.role === 'admin') {
+        const caller = c.get('caller');
+        if (caller?.scopes.includes('admin:*'))
             return next();
-        }
-        // Fallback: API key (for external tools / CLI)
-        const authHeader = c.req.header('Authorization');
-        if (authHeader?.startsWith('Bearer sh3_')) {
-            const token = authHeader.slice(7);
-            if (keys.validate(token)) {
-                return next();
-            }
-        }
         return c.json({ error: 'Admin privileges required' }, 403);
     };
 }
+/**
+ * Build the shard-facing TenantDocumentAPI for a given calling shard, tenant,
+ * and permission set. Each operation is permission-checked at call time so
+ * grants can change between boot and request.
+ */
+function makeTenantDocumentAPI(store, tenant, callingShardId, permissions) {
+    const hasSyncPeer = permissions.includes('sync:peer');
+    const hasSyncPolicy = permissions.includes('sync:policy');
+    return {
+        read: (shardId, path) => store.read(tenant, shardId, path),
+        exists: (shardId, path) => store.exists(tenant, shardId, path),
+        list: (shardId) => store.list(tenant, shardId),
+        listAll: () => store.listAll(tenant),
+        write: (shardId, path, content, metadata) => {
+            if (shardId !== callingShardId && !hasSyncPeer) {
+                throw new Error(`Shard "${callingShardId}" cannot write to shard "${shardId}" without sync:peer`);
+            }
+            return store.write(tenant, shardId, path, content, metadata);
+        },
+        delete: (shardId, path) => {
+            if (shardId !== callingShardId && !hasSyncPeer) {
+                throw new Error(`Shard "${callingShardId}" cannot delete from shard "${shardId}" without sync:peer`);
+            }
+            return store.delete(tenant, shardId, path);
+        },
+        applyFromPeer: (input) => {
+            if (!hasSyncPeer)
+                throw new Error('sync:peer permission required');
+            return store.applyFromPeer(tenant, {
+                ...input,
+                content: input.content,
+            });
+        },
+        getTick: () => {
+            if (!hasSyncPeer)
+                throw new Error('sync:peer permission required');
+            return store.getTick(tenant);
+        },
+        readPolicy: () => store.readPolicy(tenant),
+        writePolicy: (policy) => {
+            if (!hasSyncPolicy)
+                throw new Error('sync:policy permission required');
+            return store.writePolicy(tenant, policy);
+        },
+        listConflicts: () => {
+            if (!hasSyncPeer)
+                throw new Error('sync:peer permission required');
+            return store.listConflicts(tenant);
+        },
+        readConflict: (shardId, path) => {
+            if (!hasSyncPeer)
+                throw new Error('sync:peer permission required');
+            return store.readConflict(tenant, shardId, path);
+        },
+        resolveConflict: (shardId, path, choice) => store.resolveConflict(tenant, shardId, path, choice),
+    };
+}
 /**
  * Dynamic shard route manager. Holds a Map of shard Hono sub-apps
  * and delegates requests from a single wildcard route.
@@ -39,23 +85,14 @@ export class ShardRouter {
     async mount(shardId, serverJsPath, ctx) {
         const fileUrl = pathToFileURL(serverJsPath).href + `?t=${Date.now()}`;
         const mod = await import(fileUrl);
-        const shard = mod.default ?? mod;
+        const shard = (mod.default ?? mod);
         if (typeof shard.id !== 'string' || typeof shard.routes !== 'function') {
             throw new Error(`${shardId}/server.js invalid export shape — expected { id, routes }`);
         }
-        const shardDataDir = join(ctx.pkgDir, 'data');
         const router = new Hono();
-        const shardCtx = {
-            shardId: shard.id,
-            dataDir: shardDataDir,
-            adminOnly: adminOnly(ctx.keys, ctx.settings),
-            wsRegister: ctx.wsRegister,
-        };
-        await shard.routes(router, shardCtx);
-        // Create data dir only after routes() succeeds — so a failure
-        // doesn't leave behind a dir that prevents install rollback cleanup.
-        mkdirSync(shardDataDir, { recursive: true });
-        this.shards.set(shardId, router);
+        await shard.routes(router, this.#buildContext(shard.id, ctx));
+        mkdirSync(join(ctx.pkgDir, 'data'), { recursive: true });
+        this.shards.set(shardId, { app: router, shard });
         console.log(`[sh3]   ${shardId} — server routes mounted at /api/${shardId}/`);
     }
     /**
@@ -67,26 +104,70 @@ export class ShardRouter {
         if (typeof mod.id !== 'string' || typeof mod.routes !== 'function') {
             throw new Error(`${shardId} static mount — expected { id, routes }, got ${typeof mod}`);
         }
-        const shardDataDir = join(ctx.pkgDir, 'data');
         const router = new Hono();
-        const shardCtx = {
-            shardId: mod.id,
+        await mod.routes(router, this.#buildContext(mod.id, ctx));
+        mkdirSync(join(ctx.pkgDir, 'data'), { recursive: true });
+        this.shards.set(shardId, { app: router, shard: mod });
+        console.log(`[sh3]   ${shardId} — static server routes mounted at /api/${shardId}/`);
+    }
+    #buildContext(shardId, ctx) {
+        const shardDataDir = join(ctx.pkgDir, 'data');
+        const manifestPath = join(ctx.pkgDir, 'manifest.json');
+        let permissions = [];
+        try {
+            const manifest = JSON.parse(readFileSync(manifestPath, 'utf-8'));
+            permissions = Array.isArray(manifest.permissions) ? manifest.permissions : [];
+        }
+        catch {
+            // Framework built-ins (mountStatic) may have no sibling manifest; default to empty.
+        }
+        const docStore = ctx.docStore;
+        // Hono's MiddlewareHandler uses a concrete Context generic that isn't
+        // assignable to sh3-core's framework-agnostic stand-in (c: unknown).
+        // Cast once at assembly — shards only call the handlers, never introspect.
+        const ctxOut = {
+            shardId,
             dataDir: shardDataDir,
+            permissions,
             adminOnly: adminOnly(ctx.keys, ctx.settings),
+            scopeRequired,
+            tenantRequired,
             wsRegister: ctx.wsRegister,
+            tenants: () => docStore.listTenantsSync(),
+            documents: (tenant) => makeTenantDocumentAPI(docStore, tenant, shardId, permissions),
+            setPeerRole: (tenant, role) => {
+                if (!permissions.includes('sync:peer'))
+                    return; // silent no-op
+                docStore.roles.set(tenant, role);
+            },
         };
-        await mod.routes(router, shardCtx);
-        mkdirSync(shardDataDir, { recursive: true });
-        this.shards.set(shardId, router);
-        console.log(`[sh3]   ${shardId} — static server routes mounted at /api/${shardId}/`);
+        return ctxOut;
     }
-    /** Remove a shard's routes. */
-    unmount(shardId) {
-        const removed = this.shards.delete(shardId);
-        if (removed) {
-            console.log(`[sh3]   ${shardId} — server routes unmounted`);
+    /** Remove a shard's routes. Calls `teardown()` if the shard defined one. */
+    async unmount(shardId) {
+        const entry = this.shards.get(shardId);
+        if (!entry)
+            return false;
+        try {
+            await entry.shard.teardown?.();
+        }
+        catch (err) {
+            console.error(`[sh3] teardown failed for shard "${shardId}":`, err);
+        }
+        this.shards.delete(shardId);
+        console.log(`[sh3]   ${shardId} — server routes unmounted`);
+        return true;
+    }
+    /** Call teardown on every mounted shard without clearing the registry. */
+    async unmountAll() {
+        for (const [id, entry] of this.shards) {
+            try {
+                await entry.shard.teardown?.();
+            }
+            catch (err) {
+                console.error(`[sh3] teardown failed for shard "${id}":`, err);
+            }
         }
-        return removed;
     }
     /**
      * Hono handler for the wildcard route.
@@ -95,8 +176,8 @@ export class ShardRouter {
     handler() {
         return async (c, next) => {
             const shardId = c.req.param('shardId');
-            const shardApp = this.shards.get(shardId);
-            if (!shardApp) {
+            const entry = this.shards.get(shardId);
+            if (!entry) {
                 return next();
             }
             try {
@@ -114,7 +195,7 @@ export class ShardRouter {
                 });
                 // Forward session from upstream sessionAuth so shard middleware can see it
                 const env = { ...c.env, session: c.get('session') ?? null };
-                return await shardApp.fetch(strippedRequest, env);
+                return await entry.app.fetch(strippedRequest, env);
             }
             catch (err) {
                 console.error(`[sh3] Shard "${shardId}" runtime error:`, err);
@@ -126,8 +207,8 @@ export class ShardRouter {
     listRoutes() {
         const routes = [];
         const seen = new Set();
-        for (const [shardId, app] of this.shards) {
-            for (const r of app.routes) {
+        for (const [shardId, entry] of this.shards) {
+            for (const r of entry.app.routes) {
                 const path = `/api/${shardId}${r.path}`;
                 const key = `${r.method} ${path}`;
                 if (seen.has(key))

package/dist/shell-shard/index.d.ts

@@ -1,5 +1,5 @@
 import { Hono } from 'hono';
-import type { Context } from 'hono';
+import type { Context, MiddlewareHandler } from 'hono';
 import type { WsLike } from './session-manager.js';
 export interface ShellServerContext {
     shardId: string;
@@ -8,6 +8,9 @@ export interface ShellServerContext {
     tenantRootBase?: string;
     adminOnly: any;
     wsRegister: (onConnect: (ws: WsLike, c: Context) => void) => any;
+    permissions: string[];
+    scopeRequired: (scope: string) => MiddlewareHandler;
+    tenantRequired: MiddlewareHandler;
 }
 declare const _default: {
     id: string;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sh3-server",
-  "version": "0.8.1",
+  "version": "0.9.0",
   "type": "module",
   "bin": {
     "sh3-server": "dist/cli.js"