spicedb-embedded 0.1.0 → 0.1.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +84 -13
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -1,23 +1,94 @@
1
- # spicedb-embedded (Node.js)
1
+ # spicedb-embedded
2
2
 
3
- Embedded [SpiceDB](https://authzed.com/spicedb) for Node.js authorization server for tests and development. Uses the shared/c C library via koffi FFI and connects over gRPC via Unix sockets or TCP. Supports memory (default), postgres, cockroachdb, spanner, and mysql datastores. **Node.js only** (not for browser/frontend).
3
+ Sometimes you need a simple way to run access checks without spinning up a new service. This library provides an embedded version of [SpiceDB](https://authzed.com/spicedb) in various languages. Each implementation is based on a C-shared library (compiled from the SpiceDB source code) with a very thin FFI binding on top of it. This means that it runs the native SpiceDB code within your already-running process.
4
+
5
+ ```typescript
6
+ import { v1, EmbeddedSpiceDB } from "spicedb-embedded";
7
+
8
+ const schema = `definition user {} definition document { relation reader: user permission read = reader }`;
9
+ const rel = v1.Relationship.create({
10
+ resource: v1.ObjectReference.create({
11
+ objectType: "document",
12
+ objectId: "readme",
13
+ }),
14
+ relation: "reader",
15
+ subject: v1.SubjectReference.create({
16
+ object: v1.ObjectReference.create({
17
+ objectType: "user",
18
+ objectId: "alice",
19
+ }),
20
+ }),
21
+ });
22
+
23
+ const spicedb = await EmbeddedSpiceDB.create(schema, [rel]);
24
+ const resp = await spicedb.permissions().promises.checkPermission(
25
+ v1.CheckPermissionRequest.create({
26
+ resource: v1.ObjectReference.create({
27
+ objectType: "document",
28
+ objectId: "readme",
29
+ }),
30
+ permission: "read",
31
+ subject: v1.SubjectReference.create({
32
+ object: v1.ObjectReference.create({
33
+ objectType: "user",
34
+ objectId: "alice",
35
+ }),
36
+ }),
37
+ })
38
+ );
39
+ spicedb.close();
40
+ ```
41
+
42
+ ## Who should consider using this?
43
+
44
+ If you want to spin up SpiceDB, but don't want the overhead of managing another service, this might be for you.
45
+
46
+ If you want an embedded server for your unit tests and don't have access to Docker / Testcontainers, this might be for you.
47
+
48
+ If you have a schema and set of permissions that are static / readonly, this might be for you.
49
+
50
+ ## Who should avoid using this?
51
+
52
+ If you live in a world of microservices that each need to perform permission checks, you should almost certainly spin up a centralized SpiceDB deployment.
53
+
54
+ If you want visibility into metrics for SpiceDB, you should avoid this.
55
+
56
+ ## How does storage work?
57
+
58
+ The default datastore is "memory" (memdb). If you use this datastore, keep in mind that it will reset on each app startup. This is a great option if you can easily provide your schema and relationships at runtime. This way, there are no external network calls to check relationships at runtime.
59
+
60
+ If you need a longer term storage, you can use any SpiceDB-compatible datastores.
61
+
62
+ ```typescript
63
+ import { EmbeddedSpiceDB } from "spicedb-embedded";
64
+
65
+ // Run migrations first: spicedb datastore migrate head --datastore-engine postgres --datastore-conn-uri "postgres://..."
66
+ const schema = `definition user {} definition document { relation reader: user permission read = reader }`;
67
+ const spicedb = await EmbeddedSpiceDB.create(schema, [], {
68
+ datastore: "postgres",
69
+ datastore_uri: "postgres://user:pass@localhost:5432/spicedb",
70
+ });
71
+ // Use full Permissions API (writeRelationships, checkPermission, etc.)
72
+ spicedb.close();
73
+ ```
74
+
75
+ ## Running code written in Go compiled to a C-shared library within my service sounds scary
76
+
77
+ It is scary! Using a C-shared library via FFI bindings introduces memory management in languages that don't typically have to worry about it.
78
+
79
+ However, this library purposely limits the FFI layer. The only thing it is used for is to spawn the SpiceDB server (and to dispose of it when you shut down the embedded server). Once the SpiceDB server is running, it exposes a gRPC interface that listens over Unix Sockets (default on Linux/macOS) or TCP (default on Windows).
80
+
81
+ So you get the benefits of (1) using the same generated gRPC code to communicate with SpiceDB that would in a non-embedded world, and (2) communication happens out-of-band so that no memory allocations happen in the FFI layer once the embedded server is running.
4
82
 
5
83
  ## Comparison with SpiceDB WASM
6
84
 
7
- SpiceDB also provides a [WebAssembly (WASM) build](https://authzed.com/blog/some-assembly-required) used in the [Authzed Playground](https://play.authzed.com). This Node.js implementation differs in several important ways:
85
+ SpiceDB also provides a [WebAssembly (WASM) build](https://authzed.com/blog/some-assembly-required) used in the [Authzed Playground](https://play.authzed.com).
8
86
 
9
- | Aspect | **spicedb-embedded** (this package) | **SpiceDB WASM** |
10
- | ---------------- | -------------------------------------------------------------------- | ------------------------------------------------------ |
11
- | **Runtime** | Node.js only (native addon) | Browser + Node.js (via WASM) |
12
- | **Architecture** | Spawns real SpiceDB server via C/CGO FFI; full gRPC over Unix socket | Compiled Go→WASM; callback-based development API |
13
- | **API** | Full SpiceDB gRPC API (Permissions, Schema, Watch, etc.) | Development API only (check, validate, run operations) |
14
- | **Use case** | Server-side tests, development, local tooling | Browser Playground, client-side validation |
15
- | **Performance** | Native SpiceDB; full caching, production-grade | No Ristretto cache; simplified for WASM |
16
- | **Distribution** | Requires platform-specific `libspicedb.so`/`.dylib` | Single `.wasm` file (~25MB) |
87
+ The WASM only provides a small subset of the functionality of SpiceDB, but it has the advantage of working within the context of a browser.
17
88
 
18
- **When to use this package:** Node.js applications that need an embedded SpiceDB for integration tests, local development, or tooling. You get the real SpiceDB implementation with the full API.
89
+ **When to use this package:** Node.js applications that want access to full set of APIs that SpiceDB offers.
19
90
 
20
- **When to use WASM:** Browser-based tools (e.g., schema playground) or when you need a single portable binary.
91
+ **When to use WASM:** Browser-based tools.
21
92
 
22
93
  ## Installation
23
94
 
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "spicedb-embedded",
3
- "version": "0.1.0",
3
+ "version": "0.1.5",
4
4
  "description": "Embedded SpiceDB for TypeScript/Node.js — in-memory authorization using the standard gRPC API",
5
5
  "type": "module",
6
6
  "main": "dist/index.js",