Skip to content

fix(core): add ScopedStack.putAttachmentBytes() with the same gate as putAttachment()#74

Merged
cuibonobo merged 1 commit into
mainfrom
claude/issue-71-plan-onuk58
Jul 9, 2026
Merged

fix(core): add ScopedStack.putAttachmentBytes() with the same gate as putAttachment()#74
cuibonobo merged 1 commit into
mainfrom
claude/issue-71-plan-onuk58

Conversation

@cuibonobo

Copy link
Copy Markdown
Member

Summary

  • ScopedStack had no bytes-only upload — servers implementing the spec's two-step POST /attachments flow had to either call the unscoped Stack.putAttachmentBytes() (a live permission-layer bypass) or reimplement the grant check themselves (violating the layering decided in _config is unprotected: update can change stack ownership, hard delete bricks the stack, query exclusion is a per-adapter convention #67).
  • Adds ScopedStack.putAttachmentBytes(data), gated identically to ScopedStack.putAttachment(): anonymous requesters denied, create grant on _attachment@1 required (owner bypasses). putAttachment() now delegates to it, so the check lives in exactly one place.
  • Updates docs/spec.md §Attachments: documents the new method alongside the existing Stack/ScopedStack attachment methods, and states POST /attachments's authorization requirement (401 anonymous, 403 ungranted) explicitly.

Test plan

  • New ScopedStack.putAttachmentBytes test suite in packages/core/tests/scoped-stack.test.ts: owner bypass, anonymous denial, no-grant denial, granted upload, default-grant upload, confirms no _attachment@1 record is created, and confirms putAttachment() still works end-to-end through the shared gate.
  • pnpm -r build && pnpm -r typecheck && pnpm -r test — all packages pass (189 core tests, plus adapter/record/blob suites).

Fixes #71

🤖 Generated with Claude Code


Generated by Claude Code

… putAttachment()

Servers implementing the two-step POST /attachments flow had no scoped
bytes-only upload — only the unscoped Stack.putAttachmentBytes(), which
skips the permission layer entirely. Add ScopedStack.putAttachmentBytes(),
gated identically to putAttachment() (anonymous denied, create grant on
_attachment@1 required), and refactor putAttachment() to call it so the
check lives in exactly one place.

Fixes #71
@cuibonobo cuibonobo merged commit 6198dad into main Jul 9, 2026
5 checks passed
@cuibonobo cuibonobo deleted the claude/issue-71-plan-onuk58 branch July 9, 2026 17:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ScopedStack has no bytes-only upload — servers implementing two-step POST /attachments must bypass the permission layer

2 participants