Abstract: A computing system is provided, including non-volatile storage storing a reactive database including a plurality of database entities. The computing system may further include a processor configured to, via a reactive database application program interface (API), receive a first standing query registration input including a first standing query. The first standing query may include a first update condition and may be associated with a first database entity. The processor may be further configured to store the first standing query in the non-volatile storage. The processor may be further configured to write data to the reactive database and determine that the first update condition is satisfied by the written data. In response to determining that the first update condition is satisfied, the processor may be further configured to execute the first standing query to perform a first state change at the first database entity of the plurality of database entities.

Abstract: An application host (such as a web application server) may execute a set of applications on behalf of a set of users. Such applications may not be fully trusted, and a two-way isolation of the distributed resources of an application (e.g., the executing application, the application user interface on the user's computer, and server- and client-side stored resources) from other applications may be desirable. This isolation may be promoted utilizing the cross-domain restriction policies of each user's computer by allocating a distinct subdomain of the application host for each application. The routing of network requests to a large number of distinct subdomains may be economized by mapping all distinct subdomains to the address of the domain of the application host. Moreover, the application user interfaces may be embedded in an isolation construct (e.g., an IFRAME HTML element) to promote two-way isolation among application user interfaces and client-side application resources.

Abstract: A deployable computing environment may facilitate interaction and data sharing between users and devices. Users, devices, and relationships between the users and devices may be represented within the deployable computing environment. A relationship between a user and a device may specify that the device is owned by the user and that the device is authorized to perform operations within the deployable computing environment on behalf of the user. Secure authentication of devices and users for interaction within the deployable computing environment is achieved by authenticating tickets corresponding to the user, the device, and the relationship. A device identification ticket and a user identification ticket are used to authenticate the device and user for interaction within the deployable computing environment. A device claim ticket allows the device to perform delegated operations (e.g., data synchronization, peer connectivity, etc.) on behalf of the user without the user's credentials (e.g.

Abstract: A deployable computing environment may facilitate interaction and data sharing between users and devices. Users, devices, and relationships between the users and devices may be represented within the deployable computing environment. A relationship between a user and a device may specify that the device is owned by the user and that the device is authorized to perform operations within the deployable computing environment on behalf of the user. Secure authentication of devices and users for interaction within the deployable computing environment is achieved by authenticating tickets corresponding to the user, the device, and the relationship. A device identification ticket and a user identification ticket are used to authenticate the device and user for interaction within the deployable computing environment. A device claim ticket allows the device to perform delegated operations (e.g., data synchronization, peer connectivity, etc.) on behalf of the user without the user's credentials (e.g.

Abstract: A deployable computing environment may facilitate interaction and data sharing between users and devices. Users, devices, and relationships between the users and devices may be represented within the deployable computing environment. A relationship between a user and a device may specify that the device is owned by the user and that the device is authorized to perform operations within the deployable computing environment on behalf of the user. Secure authentication of devices and users for interaction within the deployable computing environment is achieved by authenticating tickets corresponding to the user, the device, and the relationship. A device identification ticket and a user identification ticket are used to authenticate the device and user for interaction within the deployable computing environment. A device claim ticket allows the device to perform delegated operations (e.g., data synchronization, peer connectivity, etc.) on behalf of the user without the user's credentials (e.g.

Abstract: A deployable computing environment may facilitate interaction and data sharing between users and devices. Users, devices, and relationships between the users and devices may be represented within the deployable computing environment. A relationship between a user and a device may specify that the device is owned by the user and that the device is authorized to perform operations within the deployable computing environment on behalf of the user. Secure authentication of devices and users for interaction within the deployable computing environment is achieved by authenticating tickets corresponding to the user, the device, and the relationship. A device identification ticket and a user identification ticket are used to authenticate the device and user for interaction within the deployable computing environment. A device claim ticket allows the device to perform delegated operations (e.g., data synchronization, peer connectivity, etc.) on behalf of the user without the user's credentials (e.g.

Abstract: A deployable computing environment may facilitate interaction and data sharing between users and devices. Users, devices, and relationships between the users and devices may be represented within the deployable computing environment. A relationship between a user and a device may specify that the device is owned by the user and that the device is authorized to perform operations within the deployable computing environment on behalf of the user. Secure authentication of devices and users for interaction within the deployable computing environment is achieved by authenticating tickets corresponding to the user, the device, and the relationship. A device identification ticket and a user identification ticket are used to authenticate the device and user for interaction within the deployable computing environment. A device claim ticket allows the device to perform delegated operations (e.g., data synchronization, peer connectivity, etc.) on behalf of the user without the user's credentials (e.g.

Abstract: An application host (such as a web application server) may execute a set of applications on behalf of a set of users. Such applications may not be fully trusted, and a two-way isolation of the distributed resources of an application (e.g., the executing application, the application user interface on the user's computer, and server- and client-side stored resources) from other applications may be desirable. This isolation may be promoted utilizing the cross-domain restriction policies of each user's computer by allocating a distinct subdomain of the application host for each application. The routing of network requests to a large number of distinct subdomains may be economized by mapping all distinct subdomains to the address of the domain of the application host. Moreover, the application user interfaces may be embedded in an isolation construct (e.g., an IFRAME HTML element) to promote two-way isolation among application user interfaces and client-side application resources.

Abstract: An application host (such as a web application server) may execute a set of applications on behalf of a set of users. Such applications may not be fully trusted, and a two-way isolation of the distributed resources of an application (e.g., the executing application, the application user interface on the user's computer, and server- and client-side stored resources) from other applications may be desirable. This isolation may be promoted utilizing the cross-domain restriction policies of each user's computer by allocating a distinct subdomain of the application host for each application. The routing of network requests to a large number of distinct subdomains may be economized by mapping all distinct subdomains to the address of the domain of the application host. Moreover, the application user interfaces may be embedded in an isolation construct (e.g., an IFRAME HTML element) to promote two-way isolation among application user interfaces and client-side application resources.

Abstract: Systems and methods for implementing online and offline applications are described. Such systems and methods may in some cases provide the same programming interface, regardless of whether the application is online or offline. Such systems and methods may also or instead in some cases provide additional or other possible capabilities, including installation without elevated privileges, simplified data synchronization, sharing of applications and application data, access to data from other applications, and richer client functionality than may be provided by an application such as a web browser.

Abstract: In scenarios involving a data set accessible through a protocol, operations sets may be formulated for performing various operations on the data set, and may be expressed as resource scripts according to a scripting language. However, such resource scripts may be difficult to design due to the complicated aspects of the interaction, such as asynchrony, network transport, the syntax of the scripting language, and the details of the protocol. A design environment may be devised to facilitate designers in generating resource scripts, e.g., through the manipulation of visual elements. The design environment may abstract the lower-level working details of the resource scripts, and may allow designers to focus on the logical designing of the operations set. The design environment may then automatically generate the resource script from the operations set in accordance with the constraints of the script language and the protocol.

Abstract: Portions of a computing environment (such as a user's mesh) may restrict accessing to particular types of access by particular applications. The computer may support applications executing within a virtual environment (such as a web browser) by brokering such access through a token-based system. When an application requests a particular type of access (e.g., writing to a particular data object), the computer may contact an authorization server with the credentials of the application to request the specified access, and may receive and store an authorization token. The computer may then access the computing environment with the authorization token, and may return the results to the application within the virtual environment. Additional features may further support such applications; e.g., a programmatic interface may be provided in a familiar language, such as JavaScript, whereby applications can request access to particular data objects and identify authorized access capabilities.

Abstract: A deployable computing environment may facilitate interaction and data sharing between users and devices. Users, devices, and relationships between the users and devices may be represented within the deployable computing environment. A relationship between a user and a device may specify that the device is owned by the user and that the device is authorized to perform operations within the deployable computing environment on behalf of the user. Secure authentication of devices and users for interaction within the deployable computing environment is achieved by authenticating tickets corresponding to the user, the device, and the relationship. A device identification ticket and a user identification ticket are used to authenticate the device and user for interaction within the deployable computing environment. A device claim ticket allows the device to perform delegated operations (e.g., data synchronization, peer connectivity, etc.) on behalf of the user without the user's credentials (e.g.

Abstract: A user interface for building a componentized workflow model. Each step of the workflow is modeled as an activity that has metadata to describe design time aspects, compile time aspects, and runtime aspects of the workflow step. A user selects and arranges the activities to create the workflow via the user interface. The metadata associated with each of the activities in the workflow is collected to create a persistent representation of the workflow. Users extend the workflow model by authoring custom activities.

Abstract: Designing and executing a workflow having flow-based and constraint-based regions. A user selects one or more activities to be part of a constraint-based region. Each constraint-based region has a constraint associated therewith. The workflow is executed by executing the flow-based region and the constraint-based region. The flow-based region executes sequentially. The constraint is evaluated, and the constraint-based region executes responsive to the evaluated constraint.

Abstract: Designing and executing a workflow having flow-based and constraint-based regions. A user selects one or more activities to be part of a constraint-based region. Each constraint-based region has a constraint associated therewith. The workflow is executed by executing the flow-based region and the constraint-based region. The flow-based region executes sequentially. The constraint is evaluated, and the constraint-based region executes responsive to the evaluated constraint.

Abstract: A user interface for building a componentized workflow model. Each step of the workflow is modeled as an activity that has metadata to describe design time aspects, compile time aspects, and runtime aspects of the workflow step. A user selects and arranges the activities to create the workflow via the user interface. The metadata associated with each of the activities in the workflow is collected to create a persistent representation of the workflow. Users extend the workflow model by authoring custom activities.

Abstract: Enabling creation of control flow patterns in a workflow via continuations. Each continuation represents an activity execution context for an activity executing in the workflow by a workflow engine virtualizing a managed execution environment. Responsive to a request, the activity execution context is recreated via the continuation and the activity is executed within the recreated context.

Abstract: Designing and executing a workflow having flow-based and constraint-based regions. A user selects one or more activities to be part of a constraint-based region. Each constraint-based region has a constraint associated therewith. The workflow is executed by executing the flow-based region and the constraint-based region. The flow-based region executes sequentially. The constraint is evaluated, and the constraint-based region executes responsive to the evaluated constraint.

Abstract: An application host (such as a web application server) may execute a set of applications on behalf of a set of users. Such applications may not be fully trusted, and a two-way isolation of the distributed resources of an application (e.g., the executing application, the application user interface on the user's computer, and server- and client-side stored resources) from other applications may be desirable. This isolation may be promoted utilizing the cross-domain restriction policies of each user's computer by allocating a distinct subdomain of the application host for each application. The routing of network requests to a large number of distinct subdomains may be economized by mapping all distinct subdomains to the address of the domain of the application host. Moreover, the application user interfaces may be embedded in an isolation construct (e.g., an IFRAME HTML element) to promote two-way isolation among application user interfaces and client-side application resources.