Merge pull request #321 from NillionNetwork/feat/update-nuc-ts

tim-hm · web-flow · commit e9323630df8b · 2025-11-19T09:41:26.000Z
diff --git a/justfile b/justfile
@@ -21,7 +21,7 @@ install:
 
 # Check for formatting, lint, and type errors
 check:
-    pnpm exec biome ci && pnpm exec tsc -b --noEmit
+    pnpm exec tsc -b && pnpm exec biome ci && pnpm exec tsc -b --noEmit
 
 # Format, fix, and type check all files
 fix:
diff --git a/packages/api/package.json b/packages/api/package.json
@@ -26,7 +26,7 @@
     "@hono/prometheus": "^1.0.2",
     "@hono/standard-validator": "^0.1.5",
     "@hono/zod-validator": "^0.7.4",
-    "@nillion/nuc": "^1.0.0",
+    "@nillion/nuc": "^1.1.0-rc.0",
     "@noble/curves": "^2.0.1",
     "@noble/hashes": "^2.0.1",
     "@standard-community/standard-json": "^0.3.5",
diff --git a/packages/api/src/middleware/capability.middleware.ts b/packages/api/src/middleware/capability.middleware.ts
@@ -31,7 +31,9 @@ export function loadNucToken<
         );
       }
 
-      const envelope = Codec.decodeBase64Url(tokenString);
+      // We must use the unsafe decode first to extract the subject/claims required
+      // to fetch the correct context (User/Builder) for validation
+      const envelope = Codec._unsafeDecodeBase64Url(tokenString);
       c.set("envelope", envelope);
 
       return next();
@@ -60,7 +62,9 @@ export function loadSubjectAndVerifyAsAdmin<
   return async (c, next) => {
     try {
       const envelope = c.get("envelope");
-      Validator.validate(envelope, { rootIssuers: [nildbNodeDid.didString] });
+      await Validator.validate(envelope, {
+        rootIssuers: [nildbNodeDid.didString],
+      });
       return next();
     } catch (cause) {
       if (cause && typeof cause === "object" && "message" in cause) {
@@ -127,7 +131,7 @@ export function loadSubjectAndVerifyAsBuilder<
       const nilauthDid = Did.fromPublicKey(config.nilauthPubKey);
       const nildbNodeDid = bindings.node.did;
 
-      Validator.validate(envelope, {
+      await Validator.validate(envelope, {
         rootIssuers: [nilauthDid.didString],
         params: {
           tokenRequirements: {
@@ -215,7 +219,7 @@ export function loadSubjectAndVerifyAsUser<
           StatusCodes.UNAUTHORIZED,
         );
       }
-      Validator.validate(envelope, {
+      await Validator.validate(envelope, {
         rootIssuers: [subject],
       });
       c.set("user", user);
diff --git a/packages/api/tests/02-integration/02-builder-lifecycle.test.ts b/packages/api/tests/02-integration/02-builder-lifecycle.test.ts
@@ -25,6 +25,7 @@ describe("02-builder-lifecycle.test.js", () => {
       .command("/nil/db")
       .audience(bindings.node.did)
       .subject(builderDid)
+      .expiresIn(1000 * 10)
       .signAndSerialize(builderSigner);
 
     const response = await app.request(PathsV1.collections.root, {
diff --git a/packages/api/tests/fixture/fixture.ts b/packages/api/tests/fixture/fixture.ts
@@ -123,6 +123,7 @@ export async function buildFixture(
     .subject(adminDid)
     .command(NucCmd.nil.db.root)
     .audience(adminDid)
+    .expiresIn(1000 * 60 * 5)
     .sign(node.signer);
   const system = new AdminClient({
     baseUrl: bindings.config.nodePublicEndpoint,
diff --git a/packages/api/tsconfig.json b/packages/api/tsconfig.json
@@ -7,7 +7,7 @@
       "@nildb/*": ["./src/*"],
       "@nillion/nildb-types": ["../types/src/lib.ts"],
       "@nillion/nildb-types/*": ["../types/src/*"],
-      "@nillion/nildb-shared": ["../shared/src/index.ts"],
+      "@nillion/nildb-shared": ["../shared/src/lib.ts"],
       "@nillion/nildb-shared/*": ["../shared/src/*"],
       "@nillion/nildb-client": ["../client/src/index.ts"],
       "@nillion/nildb-client/*": ["../client/src/*"]
diff --git a/packages/client/package.json b/packages/client/package.json
@@ -17,7 +17,7 @@
     "stub": "tsdown --stub"
   },
   "dependencies": {
-    "@nillion/nuc": "^1.0.0",
+    "@nillion/nuc": "^1.1.0-rc.0",
     "@nillion/nildb-types": "workspace:*"
   },
   "devDependencies": {
diff --git a/packages/client/src/admin/client.ts b/packages/client/src/admin/client.ts
@@ -29,6 +29,7 @@ export class AdminClient {
     const nodeDid = Did.fromPublicKey(this.options.nodePublicKey);
     return await Builder.invocationFrom(this.nodeDelegation)
       .audience(nodeDid)
+      .expiresIn(60 * 1000)
       .signAndSerialize(this.options.signer);
   }
 
diff --git a/packages/client/src/builder/client.ts b/packages/client/src/builder/client.ts
@@ -64,6 +64,7 @@ export class BuilderClient {
 
     return await Builder.invocationFrom(rootToken)
       .audience(nodeDid)
+      .expiresIn(60 * 1000)
       .signAndSerialize(this.options.signer);
   }
 
diff --git a/packages/client/src/user/client.ts b/packages/client/src/user/client.ts
@@ -35,6 +35,7 @@ export class UserClient {
       .command(NucCmd.nil.db.users.root)
       .audience(nodeDid)
       .subject(did)
+      .expiresIn(60 * 1000)
       .signAndSerialize(this.options.signer);
   }
 
diff --git a/packages/shared/package.json b/packages/shared/package.json
@@ -17,7 +17,7 @@
     "stub": "tsdown --stub"
   },
   "dependencies": {
-    "@nillion/nuc": "^1.0.0",
+    "@nillion/nuc": "^1.1.0-rc.0",
     "temporal-polyfill": "^0.3.0"
   },
   "devDependencies": {
diff --git a/packages/types/tsconfig.json b/packages/types/tsconfig.json
@@ -2,6 +2,7 @@
   "$schema": "https://json.schemastore.org/tsconfig",
   "extends": "../../tsconfig.base.json",
   "compilerOptions": {
+    "composite": true,
     "baseUrl": ".",
     "paths": {
       "@nillion/nildb-types/*": ["./src/*"]
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml

Original file line number	Diff line number	Diff line change
`@@ -29,6 +29,7 @@ export class AdminClient {`
`29`	`29`	`const nodeDid = Did.fromPublicKey(this.options.nodePublicKey);`
`30`	`30`	`return await Builder.invocationFrom(this.nodeDelegation)`
`31`	`31`	`.audience(nodeDid)`
	`32`	`+ .expiresIn(60 * 1000)`
`32`	`33`	`.signAndSerialize(this.options.signer);`
`33`	`34`	`}`
`34`	`35`
Original file line number	Diff line number	Diff line change
`@@ -64,6 +64,7 @@ export class BuilderClient {`
`64`	`64`
`65`	`65`	`return await Builder.invocationFrom(rootToken)`
`66`	`66`	`.audience(nodeDid)`
	`67`	`+ .expiresIn(60 * 1000)`
`67`	`68`	`.signAndSerialize(this.options.signer);`
`68`	`69`	`}`
`69`	`70`
Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,7 @@ export class UserClient {`
`35`	`35`	`.command(NucCmd.nil.db.users.root)`
`36`	`36`	`.audience(nodeDid)`
`37`	`37`	`.subject(did)`
	`38`	`+ .expiresIn(60 * 1000)`
`38`	`39`	`.signAndSerialize(this.options.signer);`
`39`	`40`	`}`
`40`	`41`