d804a436d7
Polyfill capabilities landed for Festipod's T02 features (all generic,
zero-domain — the consumer injects the domain).
- inbox: implement the previously-stubbed namespace. post(target,{from?,
payload,ts?}) deposits {from,payload,ts} as RDF via docs.sparqlUpdate (the
real injected ng, never makeNg); read/materialize + watch emulate the curator
in-lib (deposits read via docs.sparqlQuery). `from` optional = anonymity.
- write-guard: caps.hasWritePolicy() + ng-proxy.sparql_update rejects when the
target doc is under a write policy and the current user lacks its write cap;
passthrough otherwise (no regression). Read-cap registry unchanged.
- sparql.ts (new): escapeLiteral / escapeIri / assertNuri, exported from index.
store-registry now escapes every literal and validates/encodes every IRI-
position value — closes a SPARQL-injection hole where an untrusted username
could inject triples into the shim (the account→doc-NURI trust root).
Tests: inbox, sparql (incl. injection), ng-proxy write-guard, isolation-active.
68 tests pass; tsc --noEmit rc=0.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ng-eventually/client
Two entry points — the data-plane is SDK-identical, the polyfill bootstrap is separate:
| Import | Surface | At migration |
|---|---|---|
@ng-eventually/client |
Same signature as the SDK — ng, useShape, inbox (+ types). Drop-in for @ng-org/web / @ng-org/orm. |
Resolves to the real SDK (build alias removed) — no code change. |
@ng-eventually/client/polyfill |
The only non-SDK surface — configure, setCurrentUser, capability helpers (canRead/canWrite/defaultGrant/grantRead). |
Removed. |
// bootstrap (the only non-SDK call) — inject the REAL SDK
import { configure } from "@ng-eventually/client/polyfill";
configure({ ng: realNg, useShape: realUseShape, sharedWallet, currentUser });
// from here on, pure SDK surface:
import { ng, useShape, inbox } from "@ng-eventually/client";
await ng.doc_create(/* … */);
const set = useShape(MyShape, scope); // filtered to what the user may read
await inbox.post(targetInbox, ref); // deposit (anticipated SDK API)
What the polyfill adds on top of the real SDK (all removed/native at migration):
- Shared-wallet login (one wallet for everyone).
- Capability enforcement — read filter + write guard, on emulated grants attached to documents.
- Anticipated methods (inbox
post, capability ops) with their future-SDK shapes, emulated for now.
Generic: no application domain. The consumer injects shapes and performs the acts of granting access. The client must not contain the global-index curator (a separate package, deferred — see the repo README).