spicedb-embedded 0.1.0

package/README.md

@@ -0,0 +1,146 @@
+# spicedb-embedded (Node.js)
+
+Embedded [SpiceDB](https://authzed.com/spicedb) for Node.js — authorization server for tests and development. Uses the shared/c C library via koffi FFI and connects over gRPC via Unix sockets or TCP. Supports memory (default), postgres, cockroachdb, spanner, and mysql datastores. **Node.js only** (not for browser/frontend).
+
+## Comparison with SpiceDB WASM
+
+SpiceDB also provides a [WebAssembly (WASM) build](https://authzed.com/blog/some-assembly-required) used in the [Authzed Playground](https://play.authzed.com). This Node.js implementation differs in several important ways:
+
+| Aspect           | **spicedb-embedded** (this package)                                  | **SpiceDB WASM**                                       |
+| ---------------- | -------------------------------------------------------------------- | ------------------------------------------------------ |
+| **Runtime**      | Node.js only (native addon)                                          | Browser + Node.js (via WASM)                           |
+| **Architecture** | Spawns real SpiceDB server via C/CGO FFI; full gRPC over Unix socket | Compiled Go→WASM; callback-based development API       |
+| **API**          | Full SpiceDB gRPC API (Permissions, Schema, Watch, etc.)             | Development API only (check, validate, run operations) |
+| **Use case**     | Server-side tests, development, local tooling                        | Browser Playground, client-side validation             |
+| **Performance**  | Native SpiceDB; full caching, production-grade                       | No Ristretto cache; simplified for WASM                |
+| **Distribution** | Requires platform-specific `libspicedb.so`/`.dylib`                  | Single `.wasm` file (~25MB)                            |
+
+**When to use this package:** Node.js applications that need an embedded SpiceDB for integration tests, local development, or tooling. You get the real SpiceDB implementation with the full API.
+
+**When to use WASM:** Browser-based tools (e.g., schema playground) or when you need a single portable binary.
+
+## Installation
+
+```bash
+npm install spicedb-embedded
+```
+
+Or from source:
+
+```bash
+cd node && npm install
+```
+
+**Prerequisites:** Go 1.23+ with CGO enabled. Build the shared library first:
+
+```bash
+cd shared/c && CGO_ENABLED=1 go build -buildmode=c-shared -o libspicedb.dylib .  # macOS
+cd shared/c && CGO_ENABLED=1 go build -buildmode=c-shared -o libspicedb.so .      # Linux
+```
+
+The library looks for `libspicedb.dylib` (macOS) or `libspicedb.so` (Linux) in `SPICEDB_LIBRARY_PATH` or relative to the working directory. Override with `SPICEDB_LIBRARY_PATH=/path/to/shared/c`.
+
+## Usage
+
+```typescript
+import { v1, EmbeddedSpiceDB } from "spicedb-embedded";
+
+const {
+  ObjectReference,
+  Relationship,
+  SubjectReference,
+  CheckPermissionRequest,
+  Consistency,
+  CheckPermissionResponse,
+  CheckPermissionResponse_Permissionship,
+} = v1;
+
+const schema = `
+definition user {}
+
+definition document {
+    relation reader: user
+    permission read = reader
+}
+`;
+
+const rel = Relationship.create({
+  resource: ObjectReference.create({
+    objectType: "document",
+    objectId: "readme",
+  }),
+  relation: "reader",
+  subject: SubjectReference.create({
+    object: ObjectReference.create({ objectType: "user", objectId: "alice" }),
+  }),
+});
+
+const spicedb = await EmbeddedSpiceDB.create(schema, [rel]);
+
+try {
+  const response = await spicedb.permissions().promises.checkPermission(
+    CheckPermissionRequest.create({
+      consistency: Consistency.create({
+        requirement: { oneofKind: "fullyConsistent", fullyConsistent: true },
+      }),
+      resource: ObjectReference.create({
+        objectType: "document",
+        objectId: "readme",
+      }),
+      permission: "read",
+      subject: SubjectReference.create({
+        object: ObjectReference.create({
+          objectType: "user",
+          objectId: "alice",
+        }),
+      }),
+    })
+  );
+
+  const allowed =
+    response.permissionship ===
+    CheckPermissionResponse_Permissionship.HAS_PERMISSION;
+} finally {
+  spicedb.close();
+}
+```
+
+## API
+
+- **`EmbeddedSpiceDB.create(schema, relationships, options?)`** — Create an instance (async). Pass `[]` for no initial relationships. Pass `SpiceDBStartOptions` for datastore/transport config.
+- **`permissions()`** — Permissions service client (CheckPermission, WriteRelationships, ReadRelationships, etc.). Use `.promises` for async/await.
+- **`schema()`** — Schema service client (ReadSchema, WriteSchema, ReflectSchema, etc.).
+- **`watch()`** — Watch service client for relationship changes.
+- **`close()`** — Dispose the instance and close the channel.
+
+Use types from `v1` (re-exported from `@authzed/authzed-node`) for `ObjectReference`, `SubjectReference`, `Relationship`, etc.
+
+### SpiceDBStartOptions
+
+```typescript
+import { EmbeddedSpiceDB, SpiceDBStartOptions } from "spicedb-embedded";
+
+const options: SpiceDBStartOptions = {
+  datastore: "memory", // or "postgres", "cockroachdb", "spanner", "mysql"
+  grpc_transport: "unix", // or "tcp"; default by platform
+  datastore_uri: "postgres://user:pass@localhost:5432/spicedb", // required for remote
+  spanner_credentials_file: "/path/to/key.json", // Spanner only
+  spanner_emulator_host: "localhost:9010", // Spanner emulator
+  mysql_table_prefix: "spicedb_", // MySQL only (optional)
+  metrics_enabled: false, // default; set true to enable Prometheus metrics
+};
+
+const spicedb = await EmbeddedSpiceDB.create(schema, [], options);
+```
+
+## Building & Testing
+
+```bash
+mise run shared-c-build
+cd node
+npm install
+npm run build
+npm test
+```
+
+Or from the repo root: `mise run node-test`

package/dist/embedded.d.ts

@@ -0,0 +1,45 @@
+/**
+ * Embedded SpiceDB instance.
+ *
+ * A thin wrapper that starts SpiceDB via the C-shared library, connects over a Unix
+ * socket, and bootstraps schema and relationships via gRPC.
+ *
+ * Use permissions(), schema(), and watch() to access the full SpiceDB API.
+ */
+import { v1 } from "@authzed/authzed-node";
+import { type SpiceDBStartOptions } from "./ffi.js";
+export declare class SpiceDBError extends Error {
+    constructor(message: string);
+}
+export declare class EmbeddedSpiceDB {
+    private readonly handle;
+    private readonly client;
+    private constructor();
+    /**
+     * Create a new embedded SpiceDB instance with a schema and relationships.
+     *
+     * @param schema - The SpiceDB schema definition (ZED language)
+     * @param relationships - Initial relationships (empty array allowed)
+     * @param options - Optional configuration (datastore, grpc_transport). Omit for defaults.
+     * @returns New EmbeddedSpiceDB instance
+     */
+    static create(schema: string, relationships?: v1.Relationship[], options?: SpiceDBStartOptions | null): Promise<EmbeddedSpiceDB>;
+    private bootstrap;
+    /**
+     * Permissions service client (CheckPermission, WriteRelationships, ReadRelationships, etc.)
+     */
+    permissions(): v1.ZedClientInterface;
+    /**
+     * Schema service client (ReadSchema, WriteSchema, ReflectSchema, etc.)
+     */
+    schema(): v1.ZedClientInterface;
+    /**
+     * Watch service client (watch for relationship changes)
+     */
+    watch(): v1.ZedClientInterface;
+    /**
+     * Dispose the instance and close the channel.
+     */
+    close(): void;
+}
+//# sourceMappingURL=embedded.d.ts.map

package/dist/embedded.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"embedded.d.ts","sourceRoot":"","sources":["../src/embedded.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,EAAE,EAAE,EAAE,MAAM,uBAAuB,CAAC;AAC3C,OAAO,EAGL,KAAK,mBAAmB,EACzB,MAAM,UAAU,CAAC;AAYlB,qBAAa,YAAa,SAAQ,KAAK;gBACzB,OAAO,EAAE,MAAM;CAI5B;AAED,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAS;IAChC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAwB;IAE/C,OAAO;IAKP;;;;;;;OAOG;WACU,MAAM,CACjB,MAAM,EAAE,MAAM,EACd,aAAa,GAAE,EAAE,CAAC,YAAY,EAAO,EACrC,OAAO,CAAC,EAAE,mBAAmB,GAAG,IAAI,GACnC,OAAO,CAAC,eAAe,CAAC;YAyBb,SAAS;IAqBvB;;OAEG;IACH,WAAW,IAAI,EAAE,CAAC,kBAAkB;IAIpC;;OAEG;IACH,MAAM,IAAI,EAAE,CAAC,kBAAkB;IAI/B;;OAEG;IACH,KAAK,IAAI,EAAE,CAAC,kBAAkB;IAI9B;;OAEG;IACH,KAAK,IAAI,IAAI;CAId"}

package/dist/embedded.js

@@ -0,0 +1,94 @@
+/**
+ * Embedded SpiceDB instance.
+ *
+ * A thin wrapper that starts SpiceDB via the C-shared library, connects over a Unix
+ * socket, and bootstraps schema and relationships via gRPC.
+ *
+ * Use permissions(), schema(), and watch() to access the full SpiceDB API.
+ */
+import * as grpc from "@grpc/grpc-js";
+import { v1 } from "@authzed/authzed-node";
+import { spicedb_dispose, spicedb_start, } from "./ffi.js";
+import { getTarget as getTcpTarget } from "./tcp_channel.js";
+import { getTarget as getUnixSocketTarget } from "./unix_socket_channel.js";
+const { NewClientWithChannelCredentials, RelationshipUpdate, RelationshipUpdate_Operation, WriteRelationshipsRequest, WriteSchemaRequest, } = v1;
+export class SpiceDBError extends Error {
+    constructor(message) {
+        super(message);
+        this.name = "SpiceDBError";
+    }
+}
+export class EmbeddedSpiceDB {
+    handle;
+    client;
+    constructor(handle, client) {
+        this.handle = handle;
+        this.client = client;
+    }
+    /**
+     * Create a new embedded SpiceDB instance with a schema and relationships.
+     *
+     * @param schema - The SpiceDB schema definition (ZED language)
+     * @param relationships - Initial relationships (empty array allowed)
+     * @param options - Optional configuration (datastore, grpc_transport). Omit for defaults.
+     * @returns New EmbeddedSpiceDB instance
+     */
+    static async create(schema, relationships = [], options) {
+        const data = spicedb_start(options ?? undefined);
+        const { handle, grpc_transport, address } = data;
+        const target = grpc_transport === "unix"
+            ? getUnixSocketTarget(address)
+            : getTcpTarget(address);
+        const creds = grpc.credentials.createInsecure();
+        const client = NewClientWithChannelCredentials(target, creds);
+        const db = new EmbeddedSpiceDB(handle, client);
+        try {
+            await db.bootstrap(schema, relationships);
+        }
+        catch (e) {
+            db.close();
+            throw new SpiceDBError(`Failed to bootstrap: ${e instanceof Error ? e.message : String(e)}`);
+        }
+        return db;
+    }
+    async bootstrap(schema, relationships) {
+        const schemaRequest = WriteSchemaRequest.create({ schema });
+        await this.client.promises.writeSchema(schemaRequest);
+        if (relationships.length > 0) {
+            const updates = relationships.map((r) => RelationshipUpdate.create({
+                operation: RelationshipUpdate_Operation.TOUCH,
+                relationship: r,
+            }));
+            const writeRequest = WriteRelationshipsRequest.create({
+                updates,
+            });
+            await this.client.promises.writeRelationships(writeRequest);
+        }
+    }
+    /**
+     * Permissions service client (CheckPermission, WriteRelationships, ReadRelationships, etc.)
+     */
+    permissions() {
+        return this.client;
+    }
+    /**
+     * Schema service client (ReadSchema, WriteSchema, ReflectSchema, etc.)
+     */
+    schema() {
+        return this.client;
+    }
+    /**
+     * Watch service client (watch for relationship changes)
+     */
+    watch() {
+        return this.client;
+    }
+    /**
+     * Dispose the instance and close the channel.
+     */
+    close() {
+        this.client.close();
+        spicedb_dispose(this.handle);
+    }
+}
+//# sourceMappingURL=embedded.js.map

package/dist/embedded.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"embedded.js","sourceRoot":"","sources":["../src/embedded.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,IAAI,MAAM,eAAe,CAAC;AACtC,OAAO,EAAE,EAAE,EAAE,MAAM,uBAAuB,CAAC;AAC3C,OAAO,EACL,eAAe,EACf,aAAa,GAEd,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,SAAS,IAAI,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAC7D,OAAO,EAAE,SAAS,IAAI,mBAAmB,EAAE,MAAM,0BAA0B,CAAC;AAE5E,MAAM,EACJ,+BAA+B,EAC/B,kBAAkB,EAClB,4BAA4B,EAC5B,yBAAyB,EACzB,kBAAkB,GACnB,GAAG,EAAE,CAAC;AAEP,MAAM,OAAO,YAAa,SAAQ,KAAK;IACrC,YAAY,OAAe;QACzB,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,cAAc,CAAC;IAC7B,CAAC;CACF;AAED,MAAM,OAAO,eAAe;IACT,MAAM,CAAS;IACf,MAAM,CAAwB;IAE/C,YAAoB,MAAc,EAAE,MAA6B;QAC/D,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;QACrB,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC;IACvB,CAAC;IAED;;;;;;;OAOG;IACH,MAAM,CAAC,KAAK,CAAC,MAAM,CACjB,MAAc,EACd,gBAAmC,EAAE,EACrC,OAAoC;QAEpC,MAAM,IAAI,GAAG,aAAa,CAAC,OAAO,IAAI,SAAS,CAAC,CAAC;QACjD,MAAM,EAAE,MAAM,EAAE,cAAc,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;QAEjD,MAAM,MAAM,GACV,cAAc,KAAK,MAAM;YACvB,CAAC,CAAC,mBAAmB,CAAC,OAAO,CAAC;YAC9B,CAAC,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;QAC5B,MAAM,KAAK,GAAG,IAAI,CAAC,WAAW,CAAC,cAAc,EAAE,CAAC;QAChD,MAAM,MAAM,GAAG,+BAA+B,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;QAE9D,MAAM,EAAE,GAAG,IAAI,eAAe,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAE/C,IAAI,CAAC;YACH,MAAM,EAAE,CAAC,SAAS,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;QAC5C,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,EAAE,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,YAAY,CACpB,wBAAwB,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CACrE,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,CAAC;IACZ,CAAC;IAEO,KAAK,CAAC,SAAS,CACrB,MAAc,EACd,aAAgC;QAEhC,MAAM,aAAa,GAAG,kBAAkB,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;QAC5D,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,aAAa,CAAC,CAAC;QAEtD,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,OAAO,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CACtC,kBAAkB,CAAC,MAAM,CAAC;gBACxB,SAAS,EAAE,4BAA4B,CAAC,KAAK;gBAC7C,YAAY,EAAE,CAAC;aAChB,CAAC,CACH,CAAC;YACF,MAAM,YAAY,GAAG,yBAAyB,CAAC,MAAM,CAAC;gBACpD,OAAO;aACR,CAAC,CAAC;YACH,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CAAC,YAAY,CAAC,CAAC;QAC9D,CAAC;IACH,CAAC;IAED;;OAEG;IACH,WAAW;QACT,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,MAAM;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,KAAK;QACH,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAED;;OAEG;IACH,KAAK;QACH,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;QACpB,eAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC/B,CAAC;CACF"}

package/dist/ffi.d.ts

@@ -0,0 +1,27 @@
+/**
+ * FFI bindings to the SpiceDB C-shared library (shared/c).
+ */
+export interface SpiceDBStartResult {
+    handle: number;
+    grpc_transport: "unix" | "tcp";
+    address: string;
+}
+export interface SpiceDBStartOptions {
+    /** Datastore: "memory" (default), "postgres", "cockroachdb", "spanner", "mysql" */
+    datastore?: string;
+    /** Connection string for remote datastores */
+    datastore_uri?: string;
+    /** gRPC transport: "unix" (default on Unix), "tcp" (default on Windows) */
+    grpc_transport?: string;
+    /** Path to Spanner service account JSON (Spanner only) */
+    spanner_credentials_file?: string;
+    /** Spanner emulator host (Spanner only) */
+    spanner_emulator_host?: string;
+    /** Prefix for all tables (MySQL only) */
+    mysql_table_prefix?: string;
+    /** Enable datastore Prometheus metrics (default: false; disabled allows multiple instances in same process) */
+    metrics_enabled?: boolean;
+}
+export declare function spicedb_start(options?: SpiceDBStartOptions | null): SpiceDBStartResult;
+export declare function spicedb_dispose(handle: number): void;
+//# sourceMappingURL=ffi.d.ts.map

package/dist/ffi.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ffi.d.ts","sourceRoot":"","sources":["../src/ffi.ts"],"names":[],"mappings":"AAAA;;GAEG;AAOH,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,MAAM,GAAG,KAAK,CAAC;IAC/B,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,mBAAmB;IAClC,mFAAmF;IACnF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,8CAA8C;IAC9C,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,2EAA2E;IAC3E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,0DAA0D;IAC1D,wBAAwB,CAAC,EAAE,MAAM,CAAC;IAClC,2CAA2C;IAC3C,qBAAqB,CAAC,EAAE,MAAM,CAAC;IAC/B,yCAAyC;IACzC,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,+GAA+G;IAC/G,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AA8ED,wBAAgB,aAAa,CAC3B,OAAO,CAAC,EAAE,mBAAmB,GAAG,IAAI,GACnC,kBAAkB,CAapB;AAED,wBAAgB,eAAe,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAOpD"}

package/dist/ffi.js

@@ -0,0 +1,82 @@
+/**
+ * FFI bindings to the SpiceDB C-shared library (shared/c).
+ */
+import koffi from "koffi";
+import { accessSync } from "fs";
+import { platform } from "os";
+import { resolve } from "path";
+function findLibrary() {
+    const currentPlatform = platform();
+    const libName = currentPlatform === "win32"
+        ? "spicedb.dll"
+        : currentPlatform === "darwin"
+            ? "libspicedb.dylib"
+            : "libspicedb.so";
+    const explicit = process.env.SPICEDB_LIBRARY_PATH;
+    if (explicit) {
+        const libExtensions = [".so", ".dylib", ".dll"];
+        const candidate = libExtensions.some((e) => explicit.endsWith(e))
+            ? explicit
+            : resolve(explicit, libName);
+        try {
+            accessSync(candidate);
+            return candidate;
+        }
+        catch (err) {
+            const message = err instanceof Error && err.message ? err.message : String(err);
+            throw new Error(`Unable to access SpiceDB library at '${candidate}' specified by SPICEDB_LIBRARY_PATH: ${message}`);
+        }
+    }
+    const searchPaths = [
+        "shared/c",
+        resolve(process.cwd(), "shared/c"),
+        resolve(process.cwd(), "../shared/c"),
+        resolve(process.cwd(), "node/../shared/c"),
+    ];
+    for (const base of searchPaths) {
+        const candidate = resolve(base, libName);
+        try {
+            accessSync(candidate);
+            return candidate;
+        }
+        catch {
+            // continue
+        }
+    }
+    return libName;
+}
+let lib = null;
+function getLib() {
+    if (lib)
+        return lib;
+    const path = findLibrary();
+    const loaded = koffi.load(path);
+    const spicedb_free = loaded.func("void spicedb_free(char* ptr)");
+    koffi.disposable("HeapStr", "str", (ptr) => spicedb_free(ptr));
+    lib = {
+        spicedb_start: loaded.func("HeapStr spicedb_start(const char* optionsJson)"),
+        spicedb_dispose: loaded.func("HeapStr spicedb_dispose(unsigned long long handle)"),
+    };
+    return lib;
+}
+export function spicedb_start(options) {
+    const l = getLib();
+    const optionsJson = options != null ? JSON.stringify(options) : null;
+    const raw = l.spicedb_start(optionsJson);
+    if (!raw)
+        throw new Error("Null response from C library");
+    const data = JSON.parse(raw);
+    if (!data.success) {
+        throw new Error(data.error ?? "Unknown error");
+    }
+    return data.data;
+}
+export function spicedb_dispose(handle) {
+    const l = getLib();
+    const raw = l.spicedb_dispose(handle);
+    const data = JSON.parse(raw);
+    if (!data.success) {
+        throw new Error(data.error ?? "Unknown error");
+    }
+}
+//# sourceMappingURL=ffi.js.map

package/dist/ffi.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ffi.js","sourceRoot":"","sources":["../src/ffi.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,UAAU,EAAE,MAAM,IAAI,CAAC;AAChC,OAAO,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AAC9B,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAyB/B,SAAS,WAAW;IAClB,MAAM,eAAe,GAAG,QAAQ,EAAE,CAAC;IAEnC,MAAM,OAAO,GACX,eAAe,KAAK,OAAO;QACzB,CAAC,CAAC,aAAa;QACf,CAAC,CAAC,eAAe,KAAK,QAAQ;YAC5B,CAAC,CAAC,kBAAkB;YACpB,CAAC,CAAC,eAAe,CAAC;IAExB,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;IAClD,IAAI,QAAQ,EAAE,CAAC;QACb,MAAM,aAAa,GAAG,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;QAChD,MAAM,SAAS,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;YAC/D,CAAC,CAAC,QAAQ;YACV,CAAC,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAC/B,IAAI,CAAC;YACH,UAAU,CAAC,SAAS,CAAC,CAAC;YACtB,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,OAAO,GACX,GAAG,YAAY,KAAK,IAAI,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAClE,MAAM,IAAI,KAAK,CACb,wCAAwC,SAAS,wCAAwC,OAAO,EAAE,CACnG,CAAC;QACJ,CAAC;IACH,CAAC;IAED,MAAM,WAAW,GAAG;QAClB,UAAU;QACV,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,UAAU,CAAC;QAClC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,CAAC;QACrC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,kBAAkB,CAAC;KAC3C,CAAC;IAEF,KAAK,MAAM,IAAI,IAAI,WAAW,EAAE,CAAC;QAC/B,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QACzC,IAAI,CAAC;YACH,UAAU,CAAC,SAAS,CAAC,CAAC;YACtB,OAAO,SAAS,CAAC;QACnB,CAAC;QAAC,MAAM,CAAC;YACP,WAAW;QACb,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAOD,IAAI,GAAG,GAAsB,IAAI,CAAC;AAElC,SAAS,MAAM;IACb,IAAI,GAAG;QAAE,OAAO,GAAG,CAAC;IAEpB,MAAM,IAAI,GAAG,WAAW,EAAE,CAAC;IAC3B,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEhC,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,8BAA8B,CAAC,CAAC;IACjE,KAAK,CAAC,UAAU,CAAC,SAAS,EAAE,KAAK,EAAE,CAAC,GAAY,EAAE,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC;IAExE,GAAG,GAAG;QACJ,aAAa,EAAE,MAAM,CAAC,IAAI,CACxB,gDAAgD,CACjD;QACD,eAAe,EAAE,MAAM,CAAC,IAAI,CAC1B,oDAAoD,CACrD;KACF,CAAC;IAEF,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,UAAU,aAAa,CAC3B,OAAoC;IAEpC,MAAM,CAAC,GAAG,MAAM,EAAE,CAAC;IACnB,MAAM,WAAW,GAAG,OAAO,IAAI,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IACrE,MAAM,GAAG,GAAG,CAAC,CAAC,aAAa,CAAC,WAAW,CAAC,CAAC;IACzC,IAAI,CAAC,GAAG;QAAE,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;IAE1D,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAE7B,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,eAAe,CAAC,CAAC;IACjD,CAAC;IAED,OAAO,IAAI,CAAC,IAAI,CAAC;AACnB,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,MAAc;IAC5C,MAAM,CAAC,GAAG,MAAM,EAAE,CAAC;IACnB,MAAM,GAAG,GAAG,CAAC,CAAC,eAAe,CAAC,MAAM,CAAC,CAAC;IACtC,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC7B,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;QAClB,MAAM,IAAI,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,eAAe,CAAC,CAAC;IACjD,CAAC;AACH,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Embedded SpiceDB for TypeScript/Node.js — in-memory authorization server for tests and development.
+ */
+export { EmbeddedSpiceDB, SpiceDBError } from "./embedded.js";
+export type { SpiceDBStartOptions, SpiceDBStartResult } from "./ffi.js";
+export { v1 } from "@authzed/authzed-node";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC9D,YAAY,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAGxE,OAAO,EAAE,EAAE,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/index.js

@@ -0,0 +1,7 @@
+/**
+ * Embedded SpiceDB for TypeScript/Node.js — in-memory authorization server for tests and development.
+ */
+export { EmbeddedSpiceDB, SpiceDBError } from "./embedded.js";
+// Re-export authzed v1 for types and client creation
+export { v1 } from "@authzed/authzed-node";
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,eAAe,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAG9D,qDAAqD;AACrD,OAAO,EAAE,EAAE,EAAE,MAAM,uBAAuB,CAAC"}

package/dist/tcp_channel.d.ts

@@ -0,0 +1,6 @@
+/**
+ * gRPC target for TCP connections.
+ */
+/** Returns the gRPC target string for a TCP connection (e.g. 127.0.0.1:50051). */
+export declare function getTarget(address: string): string;
+//# sourceMappingURL=tcp_channel.d.ts.map

package/dist/tcp_channel.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tcp_channel.d.ts","sourceRoot":"","sources":["../src/tcp_channel.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,kFAAkF;AAClF,wBAAgB,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAEjD"}

package/dist/tcp_channel.js

@@ -0,0 +1,8 @@
+/**
+ * gRPC target for TCP connections.
+ */
+/** Returns the gRPC target string for a TCP connection (e.g. 127.0.0.1:50051). */
+export function getTarget(address) {
+    return address;
+}
+//# sourceMappingURL=tcp_channel.js.map

package/dist/tcp_channel.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tcp_channel.js","sourceRoot":"","sources":["../src/tcp_channel.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,kFAAkF;AAClF,MAAM,UAAU,SAAS,CAAC,OAAe;IACvC,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/dist/unix_socket_channel.d.ts

@@ -0,0 +1,6 @@
+/**
+ * gRPC target for Unix domain socket connections.
+ */
+/** Returns the gRPC target string for a Unix domain socket (e.g. unix:///tmp/spicedb-123.sock). */
+export declare function getTarget(address: string): string;
+//# sourceMappingURL=unix_socket_channel.d.ts.map

package/dist/unix_socket_channel.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"unix_socket_channel.d.ts","sourceRoot":"","sources":["../src/unix_socket_channel.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,mGAAmG;AACnG,wBAAgB,SAAS,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAEjD"}

package/dist/unix_socket_channel.js

@@ -0,0 +1,8 @@
+/**
+ * gRPC target for Unix domain socket connections.
+ */
+/** Returns the gRPC target string for a Unix domain socket (e.g. unix:///tmp/spicedb-123.sock). */
+export function getTarget(address) {
+    return `unix://${address}`;
+}
+//# sourceMappingURL=unix_socket_channel.js.map

package/dist/unix_socket_channel.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"unix_socket_channel.js","sourceRoot":"","sources":["../src/unix_socket_channel.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,mGAAmG;AACnG,MAAM,UAAU,SAAS,CAAC,OAAe;IACvC,OAAO,UAAU,OAAO,EAAE,CAAC;AAC7B,CAAC"}

package/package.json

@@ -0,0 +1,46 @@
+{
+  "name": "spicedb-embedded",
+  "version": "0.1.0",
+  "description": "Embedded SpiceDB for TypeScript/Node.js — in-memory authorization using the standard gRPC API",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "prepublishOnly": "npm run build",
+    "test": "vitest run",
+    "format": "prettier --write .",
+    "format:check": "prettier --check .",
+    "lint": "npm run format:check"
+  },
+  "dependencies": {
+    "@authzed/authzed-node": "^1.5.0",
+    "@grpc/grpc-js": "^1.14.3",
+    "koffi": "^2.9.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "eslint": "^9.0.0",
+    "prettier": "^3.4.0",
+    "typescript": "^5.7.0",
+    "vitest": "^2.0.0"
+  },
+  "engines": {
+    "node": ">=18.18.0"
+  },
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/borkfork/spicedb-embedded.git"
+  }
+}