feat: embedded key resolution

packages/access-api/package.json

@@ -17,11 +17,11 @@
   "license": "(Apache-2.0 OR MIT)",
   "dependencies": {
     "@ipld/dag-ucan": "^3.0.1",
-    "@ucanto/core": "^4.0.2",
-    "@ucanto/interface": "^4.0.2",
-    "@ucanto/principal": "^4.0.2",
-    "@ucanto/server": "^4.0.2",
-    "@ucanto/transport": "^4.0.2",
+    "@ucanto/core": "^4.0.3",
+    "@ucanto/interface": "^4.0.3",
+    "@ucanto/principal": "^4.0.3",
+    "@ucanto/server": "^4.0.3",
+    "@ucanto/transport": "^4.0.3",
     "@web3-storage/access": "workspace:^",
     "@web3-storage/capabilities": "workspace:^",
     "@web3-storage/worker-utils": "0.4.3-dev",

packages/access-api/src/config.js

@@ -34,8 +34,7 @@ export function loadConfig(env) {
 
   const DID = env.DID
   const PRIVATE_KEY = vars.PRIVATE_KEY
-  const signer = configureSigner({ PRIVATE_KEY })
-  const ucantoServerId = configureUcantoServerId({ DID, PRIVATE_KEY })
+  const signer = configureSigner({ DID, PRIVATE_KEY })
   return {
     DEBUG: boolValue(vars.DEBUG),
     ENV: parseRuntimeEnv(vars.ENV),
@@ -56,7 +55,6 @@ export function loadConfig(env) {
     COMMITHASH: ACCOUNT_COMMITHASH,
 
     signer,
-    ucantoServerId,
 
     // bindings
     METRICS:
@@ -120,24 +118,13 @@ export function createAnalyticsEngine() {
  *
  * @param {object} config
  * @param {string} config.PRIVATE_KEY - multiformats private key of primary signing key
- * @returns {Signer.EdSigner}
+ * @param {string} [config.DID] - public DID for the service (did:key:... derived from PRIVATE_KEY if not set)
+ * @returns {import('@ucanto/interface').Signer}
  */
 export function configureSigner(config) {
   const signer = Signer.parse(config.PRIVATE_KEY)
-  return signer
-}
-
-/**
- * Given a config, return a ucanto principal
- *
- * @param {object} config
- * @param {string} [config.DID] - public identifier of the running service. e.g. a did:key or a did:web
- * @param {string} config.PRIVATE_KEY - multiformats private key of primary signing key
- * @returns {import('@ucanto/interface').Principal}
- */
-export function configureUcantoServerId(config) {
   if (config.DID) {
-    return DID.parse(config.DID)
+    return signer.withDID(DID.parse(config.DID).did())
   }
-  return configureSigner(config)
+  return signer
 }

packages/access-api/src/routes/raw.js

@@ -8,7 +8,7 @@ import { service } from '../service/index.js'
  */
 export async function postRaw(request, env) {
   const server = Server.create({
-    id: env.config.ucantoServerId,
+    id: env.signer,
     encoder: serverCodec,
     decoder: serverCodec,
     service: service(env),

packages/access-api/src/routes/root.js

@@ -9,7 +9,7 @@ import { service } from '../service/index.js'
  */
 export async function postRoot(request, env) {
   const server = Server.create({
-    id: env.config.ucantoServerId,
+    id: env.signer,
     encoder: CBOR,
     decoder: CAR,
     service: service(env),

packages/access-api/src/routes/version.js

@@ -7,6 +7,5 @@ export async function version(event, env, ctx) {
     commit: env.config.COMMITHASH,
     branch: env.config.BRANCH,
     did: env.signer.did(),
-    aud: env.config.ucantoServerId.did(),
   })
 }

packages/access-api/test/config.test.js

@@ -18,7 +18,7 @@ const testKeypair = {
   },
 }
 
-describe('@web3-storage/access-api/src/config configureSigner', () => {
+describe('configureSigner', () => {
   it('creates a signer using config.PRIVATE_KEY', async () => {
     const config = {
       PRIVATE_KEY: testKeypair.private.multiformats,
@@ -30,31 +30,31 @@ describe('@web3-storage/access-api/src/config configureSigner', () => {
     const didKeys = Object.keys(keys)
     assert.deepEqual(didKeys, [testKeypair.public.did])
   })
-})
 
-describe('@web3-storage/access-api/src/config configureUcantoServerId', () => {
   it('creates a signer using config.{DID,PRIVATE_KEY}', async () => {
     const config = {
       PRIVATE_KEY: testKeypair.private.multiformats,
       DID: 'did:web:exampe.com',
     }
-    const serverId = configModule.configureUcantoServerId(config)
+    const serverId = configModule.configureSigner(config)
     assert.ok(serverId)
     assert.equal(serverId.did().toString(), config.DID)
   })
+
   it('errors if config.DID is provided but not a did', () => {
     assert.throws(() => {
-      configModule.configureUcantoServerId({
+      configModule.configureSigner({
         DID: 'not a did',
         PRIVATE_KEY: testKeypair.private.multiformats,
       })
     }, 'Invalid DID')
   })
+
   it('infers did from config.PRIVATE_KEY when config.DID is omitted', async () => {
     const config = {
       PRIVATE_KEY: testKeypair.private.multiformats,
     }
-    const serverId = configModule.configureUcantoServerId(config)
+    const serverId = configModule.configureSigner(config)
     assert.ok(serverId)
     assert.equal(serverId.did().toString(), testKeypair.public.did)
   })

packages/access-client/package.json

@@ -61,12 +61,12 @@
     "@ipld/car": "^5.0.1",
     "@ipld/dag-cbor": "^8.0.0",
     "@ipld/dag-ucan": "^3.0.1",
-    "@ucanto/client": "^4.0.2",
-    "@ucanto/core": "^4.0.2",
-    "@ucanto/interface": "^4.0.2",
-    "@ucanto/principal": "^4.0.2",
-    "@ucanto/transport": "^4.0.2",
-    "@ucanto/validator": "^4.0.2",
+    "@ucanto/client": "^4.0.3",
+    "@ucanto/core": "^4.0.3",
+    "@ucanto/interface": "^4.0.3",
+    "@ucanto/principal": "^4.0.3",
+    "@ucanto/transport": "^4.0.3",
+    "@ucanto/validator": "^4.0.3",
     "@web3-storage/capabilities": "workspace:^",
     "bigint-mod-arith": "^3.1.2",
     "conf": "^10.2.0",
@@ -91,7 +91,7 @@
     "@types/node": "^18.11.14",
     "@types/varint": "^6.0.1",
     "@types/ws": "^8.5.3",
-    "@ucanto/server": "^4.0.2",
+    "@ucanto/server": "^4.0.3",
     "assert": "^2.0.0",
     "delay": "^5.0.0",
     "hd-scripts": "^3.0.2",

packages/access-client/src/agent-data.js

@@ -72,6 +72,7 @@ export class AgentData {
     return new AgentData(
       {
         meta: raw.meta,
+        // @ts-expect-error for some reason TS thinks this is a EdSigner
         principal: Signer.from(raw.principal),
         currentSpace: raw.currentSpace,
         spaces: raw.spaces,

packages/capabilities/package.json

@@ -57,11 +57,11 @@
     "dist/src/**/*.d.ts.map"
   ],
   "dependencies": {
-    "@ucanto/core": "^4.0.2",
-    "@ucanto/interface": "^4.0.2",
-    "@ucanto/principal": "^4.0.2",
-    "@ucanto/transport": "^4.0.2",
-    "@ucanto/validator": "^4.0.2"
+    "@ucanto/core": "^4.0.3",
+    "@ucanto/interface": "^4.0.3",
+    "@ucanto/principal": "^4.0.3",
+    "@ucanto/transport": "^4.0.3",
+    "@ucanto/validator": "^4.0.3"
   },
   "devDependencies": {
     "@types/assert": "^1.5.6",

packages/capabilities/test/capabilities/store.test.js

@@ -45,6 +45,7 @@ describe('store capabilities', function () {
     const result = await access(await add.delegate(), {
       capability: Store.add,
       principal: Verifier,
+      authority: w3,
     })
 
     if (result.error) {
@@ -74,6 +75,7 @@ describe('store capabilities', function () {
     const result = await access(await add.delegate(), {
       capability: Store.add,
       principal: Verifier,
+      authority: w3,
     })
 
     if (result.error) {
@@ -110,6 +112,7 @@ describe('store capabilities', function () {
     const result = await access(await add.delegate(), {
       capability: Store.add,
       principal: Verifier,
+      authority: w3,
     })
 
     if (result.error) {
@@ -150,6 +153,7 @@ describe('store capabilities', function () {
       const result = await access(await add.delegate(), {
         capability: Store.add,
         principal: Verifier,
+        authority: w3,
       })
 
       if (result.error) {
@@ -179,6 +183,7 @@ describe('store capabilities', function () {
       const result = await access(await add.delegate(), {
         capability: Store.add,
         principal: Verifier,
+        authority: w3,
       })
 
       assert.equal(result.error, true)
@@ -227,6 +232,7 @@ describe('store capabilities', function () {
       const result = await access(add, {
         capability: Store.add,
         principal: Verifier,
+        authority: w3,
       })
 
       assert.equal(result.error, true)

packages/capabilities/test/capabilities/upload.test.js

@@ -48,6 +48,7 @@ describe('upload capabilities', function () {
     const result = await access(await add.delegate(), {
       capability: Upload.add,
       principal: Verifier,
+      authority: w3,
     })
 
     if (result.error) {
@@ -83,6 +84,7 @@ describe('upload capabilities', function () {
     const result = await access(await add.delegate(), {
       capability: Upload.add,
       principal: Verifier,
+      authority: w3,
     })
 
     if (result.error) {
@@ -134,6 +136,7 @@ describe('upload capabilities', function () {
     const result = await access(add, {
       capability: Upload.add,
       principal: Verifier,
+      authority: w3,
     })
     assert.equal(result.error, true)
     assert(String(result).includes('Expected link to be CID with 0x202 codec'))
@@ -156,6 +159,7 @@ describe('upload capabilities', function () {
     const result = await access(await add.delegate(), {
       capability: Upload.add,
       principal: Verifier,
+      authority: w3,
     })
 
     if (result.error) {
@@ -204,6 +208,7 @@ describe('upload capabilities', function () {
     const result = await access(add, {
       capability: Upload.add,
       principal: Verifier,
+      authority: w3,
     })
 
     assert.equal(result.error, true)
@@ -237,6 +242,7 @@ describe('upload capabilities', function () {
     const result = await access(await add.delegate(), {
       capability: Upload.add,
       principal: Verifier,
+      authority: w3,
     })
 
     if (result.error) {
@@ -277,6 +283,7 @@ describe('upload capabilities', function () {
     const result = await access(await add.delegate(), {
       capability: Upload.add,
       principal: Verifier,
+      authority: w3,
     })
 
     assert.equal(result.error, true)
@@ -312,6 +319,7 @@ describe('upload capabilities', function () {
     const result = await access(await add.delegate(), {
       capability: Upload.add,
       principal: Verifier,
+      authority: w3,
     })
 
     assert.equal(result.error, true)
@@ -334,6 +342,7 @@ describe('upload capabilities', function () {
     const result = await access(await list.delegate(), {
       capability: Upload.list,
       principal: Verifier,
+      authority: w3,
     })
 
     if (result.error) {
@@ -364,6 +373,7 @@ describe('upload capabilities', function () {
     const result = await access(await list.delegate(), {
       capability: Upload.list,
       principal: Verifier,
+      authority: w3,
     })
 
     if (result.error) {
@@ -395,6 +405,7 @@ describe('upload capabilities', function () {
     const result = await access(await list.delegate(), {
       capability: Upload.list,
       principal: Verifier,
+      authority: w3,
     })
 
     if (result.error) {
@@ -435,6 +446,7 @@ describe('upload capabilities', function () {
     const result = await access(list, {
       capability: Upload.list,
       principal: Verifier,
+      authority: w3,
     })
     assert.equal(result.error, true)
     assert(
@@ -458,6 +470,7 @@ describe('upload capabilities', function () {
     const result = await access(await remove.delegate(), {
       capability: Upload.remove,
       principal: Verifier,
+      authority: w3,
     })
 
     if (result.error) {
@@ -492,6 +505,7 @@ describe('upload capabilities', function () {
     const result = await access(await remove.delegate(), {
       capability: Upload.remove,
       principal: Verifier,
+      authority: w3,
     })
 
     if (result.error) {
@@ -529,6 +543,7 @@ describe('upload capabilities', function () {
     const result = await access(await remove.delegate(), {
       capability: Upload.remove,
       principal: Verifier,
+      authority: w3,
     })
 
     if (result.error) {
@@ -573,6 +588,7 @@ describe('upload capabilities', function () {
     const result = await access(remove, {
       capability: Upload.remove,
       principal: Verifier,
+      authority: w3,
     })
     assert.equal(result.error, true)
     assert(
@@ -610,6 +626,7 @@ describe('upload capabilities', function () {
     const result = await access(await remove.delegate(), {
       capability: Upload.remove,
       principal: Verifier,
+      authority: w3,
     })
 
     assert.equal(result.error, true)

packages/capabilities/test/capabilities/voucher.test.js

@@ -34,6 +34,7 @@ describe('voucher capabilities', function () {
     const result = await access(await claim.delegate(), {
       capability: Voucher.claim,
       principal: Verifier,
+      authority: service,
     })
     if (!result.error) {
       assert.deepEqual(result.audience.did(), service.did())
@@ -73,6 +74,7 @@ describe('voucher capabilities', function () {
     const result = await access(await claim.delegate(), {
       capability: Voucher.claim,
       principal: Verifier,
+      authority: service,
     })
 
     if (!result.error) {
@@ -115,6 +117,7 @@ describe('voucher capabilities', function () {
     const result = await access(await claim.delegate(), {
       capability: Voucher.claim,
       principal: Verifier,
+      authority: service,
     })
 
     if (result.error) {