SWIP-XXXX: Swarm Provider API (window.swarm)#94
Open
flotob wants to merge 6 commits intoethersphere:masterfrom
Open
SWIP-XXXX: Swarm Provider API (window.swarm)#94flotob wants to merge 6 commits intoethersphere:masterfrom
flotob wants to merge 6 commits intoethersphere:masterfrom
Conversation
…provements Add Security Considerations section (origin trust, resource exhaustion, iframe behavior, feed key material, temp artifacts). Add Future Extensions section (swarm_listFeeds, capabilitiesChanged, preferredIdentityMode, specVersion promotion path). Promote convenience methods and re-prompting from SHOULD to MUST. Add specVersion (SHOULD) to swarm_getCapabilities. Document UTF-8 string encoding, session-scoped tag ownership, feed update failure semantics, and bzz:// URI scheme status. Add edge-case test cases. Fix stale branch links. Rename file to match repo conventions. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…eedEntry Two coordinated updates reflecting the implemented behavior in Freedom Browser (PR ethersphere#19): 1. New method: swarm_listFeeds() - Origin-scoped introspection returning the calling origin's previously created feed records — name, topic, owner, manifestReference, bzzUrl, createdAt, lastUpdated, lastReference. - No permission required: feed coordinates are deterministic given (origin, name) and the metadata persists across permission revocation by design, so gating it would be friction without security benefit. - Returns [] for origins with no feeds (never an error). - Removed from the Future Extensions list since it now ships in 1.0. 2. Permission correction for swarm_readFeedEntry - The 1.0 draft previously required connection permission. That was wrong — feeds are public Swarm data readable from any Bee gateway without auth, and forcing requestAccess broke passive use cases like profile pages displaying on-chain-discovered activity feeds. - Method now requires NO permission grant. Updated description, errors (4100 removed), behavior bullets, permission lifecycle item 4, and the corresponding test case ("Without Feed Grant" → "Without Any Permission" with stronger assertions). - Permission lifecycle item 5 (disconnection) clarified that permission-free reads MUST continue to function after revocation. Other touches: - Method count in the abstract bumped from "nine" to "ten". - Convenience method list extended with window.swarm.listFeeds(). - Implementation reference updated: removed the broken docs/swarm-provider-test link (the file moved to research/ and is no longer tracked); Swarmit's method usage list extended to include writeFeedEntry / readFeedEntry / listFeeds. Net diff: +83 / -14 lines. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Reflects implementation findings from the iOS Freedom Browser provider:
- USTAR tar's 100-byte name field caps file paths far below the prior
256-char wording. Replace the hardcoded limit with a capability-advertised
maxPathBytes (normative floor of 100, recommended default 100 UTF-8 bytes)
so future PAX-supporting implementations can advertise more.
- Bee's GET /feeds/{owner}/{topic}?index=N is at-or-before, not exact-match,
which silently breaks writeFeedEntry's overwrite protection on sparse
writes and corrupts readFeedEntry's explicit-index contract. Add normative
exact-match requirements on both methods plus an informative section
documenting the SOC-address derivation (GET /chunks/{socAddress}) and the
big-endian/little-endian endianness trap.
- Clarify that the 4 KB SOC body limit is internal to the storage envelope,
not a writeFeedEntry payload cap; the dApp-visible cap is maxDataBytes.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR proposes a new draft SWIP defining a standard JavaScript provider API —
window.swarm— that lets web pages request access to a user's Swarm (Bee) node for publishing data, uploading files, managing mutable feeds, reading and writing indexed feed entries, and introspecting their own feed records. It follows the request/response pattern established by EIP-1193 for Ethereum providers, adapted for Swarm's publishing and feed primitives.The draft lives at
SWIPs/swip-draft_provider_api.mdand will be renamed toswip-XXXX.mdonce a number is assigned.Motivation
Today, publishing to Swarm from a web app requires either:
localhost, orNeither is acceptable for a user-sovereign web. Users need a way to grant web apps controlled, permissioned access to Swarm publishing — the way
window.ethereumlets pages interact with a wallet without exposing private keys. Without a standard, every Swarm-enabled browser or extension will invent its own API, fragmenting the ecosystem.What the SWIP specifies
window.swarm) injected beforeDOMContentLoaded, withrequest(), convenience wrappers, and an event interface.swarm_requestAccess), capability discovery (swarm_getCapabilities), publishing (swarm_publishData,swarm_publishFiles,swarm_getUploadStatus), mutable feeds (swarm_createFeed,swarm_updateFeed), indexed feed entries (swarm_writeFeedEntry,swarm_readFeedEntry), and origin-scoped feed introspection (swarm_listFeeds).127.0.0.1doesn't collapse into one permission scope), and app-scoped feed identities (each origin's feeds signed by a per-origin derived key, so dApps can't impersonate the user's main wallet).GET /feeds/{owner}/{topic}at-or-before semantics and the SOC-address fallback) so overwrite protection and explicit-index reads are safe.maxDataBytes,maxPathBytes) so future implementations supporting PAX tar can advertise larger paths without breaking the spec.capabilitiesChangedevent,preferredIdentityMode, encoding parameter for reads, promotion path forspecVersion).Reference implementations
This is not a paper spec — both sides of the API are already implemented and exercise the full surface:
window.swarminto webview contexts, with main-process IPC enforcement, origin normalization, app-scoped feed keys, and per-origin permissions.swarm_requestAccess,swarm_publishData,swarm_createFeed,swarm_writeFeedEntry,swarm_readFeedEntry, andswarm_listFeedsfor its full publishing and profile-discovery pipeline.The implementation work surfaced several spec issues that have already been folded back into this draft (USTAR tar's 100-byte path limit, Bee's at-or-before feed lookup semantics, the SOC-address endianness trap, permission gating for public reads).
Status
swip-draft_provider_api.mdtoswip-XXXX.mdonce a number is assigned.