From c7fbe897b7d9510ef5557971711c33a2792fae47 Mon Sep 17 00:00:00 2001
From: Travis Vachon <travis.vachon@gmail.com>
Date: Wed, 5 Nov 2025 15:33:21 -0800
Subject: [PATCH 1/2] feat: script to grant admin rights to users

this allllmost works, but needs a tweak I'm proposing in an RFC
---
 scripts/grant-admin-rights.mts | 39 ++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 scripts/grant-admin-rights.mts

diff --git a/scripts/grant-admin-rights.mts b/scripts/grant-admin-rights.mts
new file mode 100644
index 0000000..b14f551
--- /dev/null
+++ b/scripts/grant-admin-rights.mts
@@ -0,0 +1,39 @@
+import { delegate } from '@ucanto/core'
+import { create } from '@storacha/client'
+import * as Signer from '@ucanto/principal/ed25519'
+import { Absentee } from '@ucanto/principal'
+import * as DIDMailto from '@storacha/did-mailto'
+import { MemoryDriver } from '@storacha/access/drivers/memory'
+
+// 90 days, in minutes
+const EXPIRY = 60 * 24 * 90
+
+// this must be run with the private key of the service passed as SERVICE_PRIVATE_KEY
+const servicePrincipal = process.env.SERVICE_PRIVATE_KEY ? Signer.parse(process.env.SERVICE_PRIVATE_KEY).withDID("did:web:up.storacha.network") : undefined
+if (!servicePrincipal) throw new Error("Principal not defined, can't continue.")
+
+const delegateeEmail = process.argv[2] as `${string}@${string}`
+const delegateeDidMailto = DIDMailto.fromEmail(delegateeEmail)
+
+// @ts-expect-error type mismatch on the signer here, but it's fine
+const client = await create({ principal: servicePrincipal, store: new MemoryDriver() })
+const delegation = await delegate({
+  issuer: servicePrincipal,
+  audience: Absentee.from({ id: delegateeDidMailto }),
+  // grant capabilities needed for admin work
+  capabilities: [
+    { with: servicePrincipal.did(), can: 'customer/get' },
+    { with: servicePrincipal.did(), can: 'consumer/get' },
+    { with: servicePrincipal.did(), can: 'subscription/get' },
+    { with: servicePrincipal.did(), can: 'rate-limit/*' },
+    { with: servicePrincipal.did(), can: 'admin/*' },
+  ],
+  expiration: Math.floor(Date.now() / 1000) + (60 * EXPIRY)
+})
+await client.capability.access.delegate({
+  // use the did:key of the service principal as the space to store the delegation in
+  space: servicePrincipal.toDIDKey(),
+  delegations: [delegation]
+})
+
+console.log(client)
\ No newline at end of file

From 9a733bbfea249a39dbf67519faadc33e3c8b9835 Mon Sep 17 00:00:00 2001
From: Travis Vachon <travis.vachon@gmail.com>
Date: Fri, 5 Dec 2025 16:52:51 -0800
Subject: [PATCH 2/2] wip: more work toward showing usage in the admin app

---
 app/console/page.tsx           | 10 ++++++----
 app/customers/[did]/page.tsx   | 24 +++++++++++++++++++++++-
 app/layout.tsx                 |  2 +-
 app/page.tsx                   |  2 +-
 contexts/service.tsx           | 14 +++++++++++++-
 hooks/customer.ts              | 25 ++++++++++++++++++++++++-
 package.json                   |  2 +-
 scripts/grant-admin-rights.mts |  8 ++++----
 8 files changed, 73 insertions(+), 14 deletions(-)

diff --git a/app/console/page.tsx b/app/console/page.tsx
index f394bf9..b87154d 100644
--- a/app/console/page.tsx
+++ b/app/console/page.tsx
@@ -26,10 +26,8 @@ async function toDelegation (car: Blob): Promise<Delegation> {
 export default function Console () {
   const agent = useAgent()
   const agentDID = agent?.did()
-  const [delegations, setDelegations] = useState<Delegation<Capabilities>[]>([])
-  if (agent) {
-    setDelegations(agent.proofs())
-  }
+  const [storedDelegations, setDelegations] = useState<Delegation<Capabilities>[]>([])
+  const delegations = storedDelegations ?? agent?.proofs() 
   const [configuredServiceSigner, setConfiguredServiceSigner] = useState<Ucanto.Signer>()
   const [expiry, setExpiry] = useState<number>(30)
   const { servicePrincipal } = useContext(ServiceContext)
@@ -48,6 +46,7 @@ export default function Console () {
           { with: servicePrincipal.did(), can: 'subscription/get' },
           { with: servicePrincipal.did(), can: 'rate-limit/*' },
           { with: servicePrincipal.did(), can: 'admin/*' },
+          { with: 'ucan:*', can: 'account/usage/get' },
         ],
         expiration: Math.floor(Date.now() / 1000) + (60 * expiry)
       })
@@ -92,7 +91,10 @@ export default function Console () {
   { with: '${servicePrincipal?.did()}', can: 'consumer/get' },
   { with: '${servicePrincipal?.did()}', can: 'subscription/get' },
   { with: '${servicePrincipal?.did()}', can: 'rate-limit/*' },
+  { with: '${servicePrincipal?.did()}', can: 'admin/*' },
+  { with: 'ucan:*', can: 'account/usage/get' },
 ]`
+
   return (
     <div className='flex flex-col items-center'>
       {
diff --git a/app/customers/[did]/page.tsx b/app/customers/[did]/page.tsx
index 14a12f2..529170a 100644
--- a/app/customers/[did]/page.tsx
+++ b/app/customers/[did]/page.tsx
@@ -4,7 +4,7 @@ import Link from "next/link";
 import { notFound } from "next/navigation";
 import * as DidMailto from "@storacha/did-mailto";
 
-import { useCustomer } from "@/hooks/customer";
+import { useCustomer, useCustomerUsage } from "@/hooks/customer";
 import { useRateLimitActions } from "@/hooks/rate-limit";
 import { SimpleError } from "@/components/error";
 import { Loader } from "@/components/brand";
@@ -33,6 +33,7 @@ export default function Customer(props: { params: Promise<{ did: string }> }) {
 
   console.log(did)
   const { data: customer, error, isLoading } = useCustomer(did);
+  const {data: usage} = useCustomerUsage(did)
   const {
     addBlock: addEmailBlock,
     removeBlock: removeEmailBlock,
@@ -105,6 +106,27 @@ export default function Customer(props: { params: Promise<{ did: string }> }) {
                 ))}
               </tbody>
             </table>
+            <h3 className="text-xl mb-2">Usage</h3>
+            <h4>{usage?.total} bytes</h4>
+            <table className="border-separate border-spacing-x-4">
+              <tbody>
+                {Object.entries(usage?.spaces || {}).map(([did, storage]) => (
+                  <tr key={did}>
+                    <td>
+                      {did}
+                    </td>
+                    <td>
+                      <Link
+                        className="underline text-blue-200"
+                        href={`/spaces/${did}`}
+                      >
+                        {storage.total}bytes
+                      </Link>
+                    </td>
+                  </tr>
+                ))}
+              </tbody>
+            </table>
           </div>
         )}
       </div>
diff --git a/app/layout.tsx b/app/layout.tsx
index b3cff76..ee9121f 100644
--- a/app/layout.tsx
+++ b/app/layout.tsx
@@ -22,7 +22,7 @@ export default function RootLayout({
         <ServiceProvider>
           <AgentProvider>
             <html>
-              <body className="min-h-screen bg-slate-800 text-white">
+              <body className="min-h-screen bg-red-800 text-white">
                 <Nav />
                 <main className="grow text-white p-4">
                   <AuthenticationEnsurer>{children}</AuthenticationEnsurer>
diff --git a/app/page.tsx b/app/page.tsx
index 84fa438..b348fd5 100644
--- a/app/page.tsx
+++ b/app/page.tsx
@@ -29,7 +29,7 @@ export default function Root () {
   }, [router, cid])
   return (
     <div className='flex flex-col items-center'>
-      <h1 className='text-xl mb-10'>w3admin</h1>
+      <h1 className='text-xl mb-10'>Sudoracha</h1>
       <form onSubmit={goToSpace} className='flex flex-col space-y-2 mb-16 items-center'>
         <input className='text-black py-1 px-2 rounded' type='text' placeholder="Space DID" onChange={(e: ChangeEvent<HTMLInputElement>) => setSpaceDID(e.target.value)} />
         <input className='btn w-24' type='submit' value='Go' />
diff --git a/contexts/service.tsx b/contexts/service.tsx
index b80f656..d468cc9 100644
--- a/contexts/service.tsx
+++ b/contexts/service.tsx
@@ -25,7 +25,10 @@ import {
   AdminUploadInspectSuccess,
   AdminUploadInspectFailure,
   AdminStoreInspectSuccess,
-  AdminStoreInspectFailure
+  AdminStoreInspectFailure,
+  AccountUsageGet,
+  AccountUsageGetSuccess,
+  AccountUsageGetFailure
 } from "@storacha/capabilities/types"
 import { Absentee } from "@ucanto/principal"
 import { useW3 } from "@storacha/ui-react"
@@ -78,6 +81,15 @@ export interface Service {
       RateLimitListFailure
     >
   },
+  account: {
+    usage: {
+      get: ServiceMethod<
+        AccountUsageGet,
+        AccountUsageGetSuccess,
+        AccountUsageGetFailure
+      >
+    }
+  }
   admin: {
     upload: {
       inspect: ServiceMethod<
diff --git a/hooks/customer.ts b/hooks/customer.ts
index bc160b6..8711809 100644
--- a/hooks/customer.ts
+++ b/hooks/customer.ts
@@ -1,6 +1,6 @@
 import useSWR from 'swr'
 import { DID } from '@ucanto/interface'
-import { Customer } from '@storacha/capabilities'
+import { Customer, AccountUsage } from '@storacha/capabilities'
 import { useAgent } from './agent'
 import { useServicePrincipal } from './service'
 
@@ -27,4 +27,27 @@ export function useCustomer (did: string | undefined) {
         return null
       }
     })
+}
+
+export function useCustomerUsage (did: string | undefined) {
+  const agent = useAgent()
+  const servicePrincipal = useServicePrincipal()
+  return useSWR(
+    (did && agent && servicePrincipal) ? ['account/usage/get', did] : null,
+    async ([, did]: [never, string | undefined]) => {
+      if (did && agent && servicePrincipal) {
+        const result = await agent?.invokeAndExecute(AccountUsage.get, {
+          with: did as DID<'mailto'>,
+          nb: {}
+        })
+        if (result.out.ok) {
+          return result.out.ok
+        } else {
+          console.error('Customer.get failed:', result.out.error)
+          throw result.out.error
+        }
+      } else {
+        return null
+      }
+    })
 }
\ No newline at end of file
diff --git a/package.json b/package.json
index 4bf66f6..c7cdd4a 100644
--- a/package.json
+++ b/package.json
@@ -19,7 +19,7 @@
     "@ipld/car": "^5.4.2",
     "@ipld/dag-ucan": "^3.4.5",
     "@storacha/access": "^1.6.2",
-    "@storacha/capabilities": "^1.10.0",
+    "@storacha/capabilities": "^1.12.0",
     "@storacha/client": "^1.8.12",
     "@storacha/did-mailto": "^1.0.2",
     "@storacha/ui-react": "^2.9.75",
diff --git a/scripts/grant-admin-rights.mts b/scripts/grant-admin-rights.mts
index b14f551..4ae0512 100644
--- a/scripts/grant-admin-rights.mts
+++ b/scripts/grant-admin-rights.mts
@@ -9,14 +9,14 @@ import { MemoryDriver } from '@storacha/access/drivers/memory'
 const EXPIRY = 60 * 24 * 90
 
 // this must be run with the private key of the service passed as SERVICE_PRIVATE_KEY
-const servicePrincipal = process.env.SERVICE_PRIVATE_KEY ? Signer.parse(process.env.SERVICE_PRIVATE_KEY).withDID("did:web:up.storacha.network") : undefined
+const servicePrincipal = process.env.SERVICE_PRIVATE_KEY ? Signer.parse(process.env.SERVICE_PRIVATE_KEY) : undefined
 if (!servicePrincipal) throw new Error("Principal not defined, can't continue.")
 
 const delegateeEmail = process.argv[2] as `${string}@${string}`
 const delegateeDidMailto = DIDMailto.fromEmail(delegateeEmail)
 
-// @ts-expect-error type mismatch on the signer here, but it's fine
 const client = await create({ principal: servicePrincipal, store: new MemoryDriver() })
+console.log(servicePrincipal.toDIDKey())
 const delegation = await delegate({
   issuer: servicePrincipal,
   audience: Absentee.from({ id: delegateeDidMailto }),
@@ -30,10 +30,10 @@ const delegation = await delegate({
   ],
   expiration: Math.floor(Date.now() / 1000) + (60 * EXPIRY)
 })
-await client.capability.access.delegate({
+const result = await client.capability.access.delegate({
   // use the did:key of the service principal as the space to store the delegation in
   space: servicePrincipal.toDIDKey(),
   delegations: [delegation]
 })
 
-console.log(client)
\ No newline at end of file
+console.log(result)
\ No newline at end of file