@tinycloud/node-sdk 1.2.0 → 1.4.0

package/dist/index.js

@@ -17349,6 +17349,7 @@ var _NodeUserAuthorization = class _NodeUserAuthorization {
     this.sessionExpirationMs = config.sessionExpirationMs ?? 60 * 60 * 1e3;
     this.autoCreateSpace = config.autoCreateSpace ?? false;
     this.tinycloudHosts = config.tinycloudHosts ?? ["https://node.tinycloud.xyz"];
+    this.enablePublicSpace = config.enablePublicSpace ?? true;
     this.sessionManager = new SessionManager();
   }
   /**
@@ -17380,12 +17381,12 @@ var _NodeUserAuthorization = class _NodeUserAuthorization {
    * Create the space on the TinyCloud server (host delegation).
    * This registers the user as the owner of the space.
    */
-  async hostSpace() {
+  async hostSpace(targetSpaceId) {
     if (!this._tinyCloudSession || !this._address || !this._chainId) {
       throw new Error("Must be signed in to host space");
     }
     const host = this.tinycloudHosts[0];
-    const spaceId = this._tinyCloudSession.spaceId;
+    const spaceId = targetSpaceId ?? this._tinyCloudSession.spaceId;
     const peerId = await fetchPeerId(host, spaceId);
     const siwe = generateHostSIWEMessage({
       address: this._address,
@@ -17400,6 +17401,13 @@ var _NodeUserAuthorization = class _NodeUserAuthorization {
     const result = await submitHostDelegation(host, headers);
     return result.success;
   }
+  /**
+   * Create a specific space on the server via host delegation.
+   * Used for lazy creation of additional spaces (e.g., public).
+   */
+  async hostPublicSpace(spaceId) {
+    return this.hostSpace(spaceId);
+  }
   /**
    * Ensure the user's space exists on the TinyCloud server.
    * Creates the space if it doesn't exist and autoCreateSpace is enabled.
@@ -17413,11 +17421,33 @@ var _NodeUserAuthorization = class _NodeUserAuthorization {
       throw new Error("Must be signed in to ensure space exists");
     }
     const host = this.tinycloudHosts[0];
+    const primarySpaceId = this._tinyCloudSession.spaceId;
     const result = await activateSessionWithHost(
       host,
       this._tinyCloudSession.delegationHeader
     );
     if (result.success) {
+      const primarySkipped = result.skipped?.includes(primarySpaceId);
+      if (!primarySkipped) {
+        return;
+      }
+      if (!this.autoCreateSpace) {
+        return;
+      }
+      const created = await this.hostSpace();
+      if (!created) {
+        throw new Error(`Failed to create space: ${primarySpaceId}`);
+      }
+      await new Promise((resolve) => setTimeout(resolve, 100));
+      const retryResult = await activateSessionWithHost(
+        host,
+        this._tinyCloudSession.delegationHeader
+      );
+      if (!retryResult.success) {
+        throw new Error(
+          `Failed to activate session after creating space: ${retryResult.error}`
+        );
+      }
       return;
     }
     if (result.status === 404) {
@@ -17426,9 +17456,7 @@ var _NodeUserAuthorization = class _NodeUserAuthorization {
       }
       const created = await this.hostSpace();
       if (!created) {
-        throw new Error(
-          `Failed to create space: ${this._tinyCloudSession.spaceId}`
-        );
+        throw new Error(`Failed to create space: ${primarySpaceId}`);
       }
       await new Promise((resolve) => setTimeout(resolve, 100));
       const retryResult = await activateSessionWithHost(
@@ -17496,11 +17524,13 @@ var _NodeUserAuthorization = class _NodeUserAuthorization {
       siwe: prepared.siwe,
       signature: signature2
     };
+    const spacesMetadata = this.enablePublicSpace ? { public: makeSpaceId(address, chainId, "public") } : void 0;
     const tinyCloudSession = {
       address,
       chainId,
       sessionKey: keyId,
       spaceId,
+      spaces: spacesMetadata,
       delegationCid: session.delegationCid,
       delegationHeader: session.delegationHeader,
       verificationMethod: this.sessionManager.getDID(keyId),
@@ -17518,6 +17548,7 @@ var _NodeUserAuthorization = class _NodeUserAuthorization {
         delegationHeader: session.delegationHeader,
         delegationCid: session.delegationCid,
         spaceId,
+        spaces: spacesMetadata,
         verificationMethod: this.sessionManager.getDID(keyId)
       },
       expiresAt: expirationTime.toISOString(),
@@ -17647,11 +17678,13 @@ var _NodeUserAuthorization = class _NodeUserAuthorization {
       siwe: prepared.siwe,
       signature: signature2
     };
+    const spacesMetadata = this.enablePublicSpace ? { public: makeSpaceId(address, chainId, "public") } : void 0;
     const tinyCloudSession = {
       address,
       chainId,
       sessionKey: keyId,
       spaceId: prepared.spaceId,
+      spaces: spacesMetadata,
       delegationCid: session.delegationCid,
       delegationHeader: session.delegationHeader,
       verificationMethod: this.sessionManager.getDID(keyId),
@@ -17673,6 +17706,7 @@ var _NodeUserAuthorization = class _NodeUserAuthorization {
         delegationHeader: session.delegationHeader,
         delegationCid: session.delegationCid,
         spaceId: prepared.spaceId,
+        spaces: spacesMetadata,
         verificationMethod: this.sessionManager.getDID(keyId)
       },
       expiresAt,
@@ -17770,6 +17804,8 @@ import {
   activateSessionWithHost as activateSessionWithHost2,
   KVService as KVService2,
   SQLService as SQLService2,
+  DataVaultService,
+  createVaultCrypto,
   ServiceContext as ServiceContext2,
   DelegationManager,
   SpaceService,
@@ -17783,7 +17819,14 @@ import {
   ensureEip55 as ensureEip553,
   invoke as invoke2,
   initPanicHook as initPanicHook2,
-  createDelegation
+  createDelegation,
+  vault_encrypt,
+  vault_decrypt,
+  vault_derive_key,
+  vault_x25519_from_seed,
+  vault_x25519_dh,
+  vault_random_bytes,
+  vault_sha256
 } from "@tinycloud/node-sdk-wasm";
 
 // src/DelegatedAccess.ts
@@ -18015,7 +18058,8 @@ var _TinyCloudNode = class _TinyCloudNode {
         spacePrefix: config.prefix,
         sessionExpirationMs: config.sessionExpirationMs ?? 60 * 60 * 1e3,
         tinycloudHosts: [host],
-        autoCreateSpace: config.autoCreateSpace
+        autoCreateSpace: config.autoCreateSpace,
+        enablePublicSpace: config.enablePublicSpace ?? true
       });
       this.tc = new TinyCloud(this.auth);
     }
@@ -18089,6 +18133,46 @@ var _TinyCloudNode = class _TinyCloudNode {
     await this.tc.signIn();
     this.initializeServices();
   }
+  /**
+   * Restore a previously established session from stored delegation data.
+   *
+   * This is used by the CLI to restore a session that was created via the
+   * browser-based delegation flow (OpenKey `/delegate` page). Instead of
+   * signing in with a private key, it injects the delegation data directly.
+   *
+   * @param sessionData - The stored delegation data from the browser flow
+   */
+  async restoreSession(sessionData) {
+    this._kv = void 0;
+    this._sql = void 0;
+    this._serviceContext = void 0;
+    if (sessionData.address) {
+      this._address = sessionData.address;
+    }
+    if (sessionData.chainId) {
+      this._chainId = sessionData.chainId;
+    }
+    this._serviceContext = new ServiceContext2({
+      invoke: invoke2,
+      fetch: globalThis.fetch.bind(globalThis),
+      hosts: [this.config.host]
+    });
+    this._kv = new KVService2({});
+    this._kv.initialize(this._serviceContext);
+    this._serviceContext.registerService("kv", this._kv);
+    this._sql = new SQLService2({});
+    this._sql.initialize(this._serviceContext);
+    this._serviceContext.registerService("sql", this._sql);
+    const serviceSession = {
+      delegationHeader: sessionData.delegationHeader,
+      delegationCid: sessionData.delegationCid,
+      spaceId: sessionData.spaceId,
+      verificationMethod: sessionData.verificationMethod,
+      jwk: sessionData.jwk
+    };
+    this._serviceContext.setSession(serviceSession);
+    this.initializeV2Services(serviceSession);
+  }
   /**
    * Connect a wallet to upgrade from session-only mode to wallet mode.
    *
@@ -18130,7 +18214,8 @@ var _TinyCloudNode = class _TinyCloudNode {
       spacePrefix: prefix,
       sessionExpirationMs: this.config.sessionExpirationMs ?? 60 * 60 * 1e3,
       tinycloudHosts: [host],
-      autoCreateSpace: this.config.autoCreateSpace
+      autoCreateSpace: this.config.autoCreateSpace,
+      enablePublicSpace: this.config.enablePublicSpace ?? true
     });
     this.tc = new TinyCloud(this.auth);
     this.config.prefix = prefix;
@@ -18144,6 +18229,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     if (!session) {
       return;
     }
+    this.tc.initializeServices(invoke2, [this.config.host]);
     this._serviceContext = new ServiceContext2({
       invoke: invoke2,
       fetch: globalThis.fetch.bind(globalThis),
@@ -18163,6 +18249,43 @@ var _TinyCloudNode = class _TinyCloudNode {
       jwk: session.jwk
     };
     this._serviceContext.setSession(serviceSession);
+    this.tc.serviceContext.setSession(serviceSession);
+    const vaultCrypto = createVaultCrypto({
+      vault_encrypt,
+      vault_decrypt,
+      vault_derive_key,
+      vault_x25519_from_seed,
+      vault_x25519_dh,
+      vault_random_bytes,
+      vault_sha256
+    });
+    const self2 = this;
+    this._vault = new DataVaultService({
+      spaceId: session.spaceId,
+      crypto: vaultCrypto,
+      tc: {
+        kv: this._kv,
+        ensurePublicSpace: async () => {
+          try {
+            await self2.ensurePublicSpace();
+            return { ok: true, data: void 0 };
+          } catch (error) {
+            return { ok: false, error: { code: "STORAGE_ERROR", message: error instanceof Error ? error.message : String(error), service: "vault" } };
+          }
+        },
+        get publicKV() {
+          return self2._publicKV ?? self2.tc.publicKV;
+        },
+        readPublicSpace: (host, spaceId, key2) => TinyCloud.readPublicSpace(host, spaceId, key2),
+        makePublicSpaceId: TinyCloud.makePublicSpaceId,
+        did: this.did,
+        address: this._address,
+        chainId: this._chainId,
+        hosts: [this.config.host]
+      }
+    });
+    this._vault.initialize(this._serviceContext);
+    this._serviceContext.registerService("vault", this._vault);
     this.initializeV2Services(serviceSession);
   }
   /**
@@ -18203,7 +18326,32 @@ var _TinyCloudNode = class _TinyCloudNode {
         isRevoked: false,
         allowSubDelegation: true
       };
-      this._capabilityRegistry.registerKey(sessionKey, [rootDelegation]);
+      const delegations = [rootDelegation];
+      if (tcSession.spaces) {
+        for (const [spaceName, spaceId] of Object.entries(tcSession.spaces)) {
+          delegations.push({
+            cid: tcSession.delegationCid,
+            delegateDID: tcSession.verificationMethod,
+            spaceId,
+            path: "",
+            actions: [
+              "tinycloud.kv/put",
+              "tinycloud.kv/get",
+              "tinycloud.kv/del",
+              "tinycloud.kv/list",
+              "tinycloud.kv/metadata",
+              "tinycloud.sql/read",
+              "tinycloud.sql/write",
+              "tinycloud.sql/admin",
+              "tinycloud.sql/*"
+            ],
+            expiry: this.getSessionExpiry(),
+            isRevoked: false,
+            allowSubDelegation: true
+          });
+        }
+      }
+      this._capabilityRegistry.registerKey(sessionKey, delegations);
     }
     this._delegationManager = new DelegationManager({
       hosts: [this.config.host],
@@ -18221,7 +18369,16 @@ var _TinyCloudNode = class _TinyCloudNode {
       createKVService: (spaceId) => {
         const kvService = new KVService2({});
         if (this._serviceContext) {
-          kvService.initialize(this._serviceContext);
+          const spaceScopedContext = new ServiceContext2({
+            invoke: this._serviceContext.invoke,
+            fetch: this._serviceContext.fetch,
+            hosts: this._serviceContext.hosts
+          });
+          const session = this._serviceContext.session;
+          if (session) {
+            spaceScopedContext.setSession({ ...session, spaceId });
+          }
+          kvService.initialize(spaceScopedContext);
         }
         return kvService;
       },
@@ -18356,6 +18513,16 @@ var _TinyCloudNode = class _TinyCloudNode {
     }
     return this._sql;
   }
+  /**
+   * Data Vault operations - client-side encrypted KV storage.
+   * Call `vault.unlock(signer)` after signIn() to derive encryption keys.
+   */
+  get vault() {
+    if (!this._vault) {
+      throw new Error("Not signed in. Call signIn() first.");
+    }
+    return this._vault;
+  }
   // ===========================================================================
   // v2 Service Accessors
   // ===========================================================================
@@ -18529,21 +18696,99 @@ var _TinyCloudNode = class _TinyCloudNode {
   // Public Space Methods
   // ===========================================================================
   /**
-   * Ensure the user's public space exists.
-   * Creates it via spaces.create('public') if it doesn't.
-   * Requires the user to be signed in.
+   * Ensure the user's public space exists and is accessible.
+   * Creates the space and activates a session delegation for it.
+   * This is the trigger for lazy public space creation — call it
+   * before writing to spaces.get('public').kv.
    */
   async ensurePublicSpace() {
-    if (!this.tc) {
+    if (!this.auth || !this.session || !this.signer) {
       throw new Error("Not signed in. Call signIn() first.");
     }
-    return this.tc.ensurePublicSpace();
+    const publicSpaceId = this.session.spaces?.public;
+    if (!publicSpaceId) {
+      throw new Error("Public space not enabled. Set enablePublicSpace: true in config.");
+    }
+    await this.auth.hostPublicSpace(publicSpaceId);
+    const kvActions = [
+      "tinycloud.kv/put",
+      "tinycloud.kv/get",
+      "tinycloud.kv/del",
+      "tinycloud.kv/list",
+      "tinycloud.kv/metadata"
+    ];
+    const abilities = { kv: { "": kvActions } };
+    const now = /* @__PURE__ */ new Date();
+    const expiryMs = 60 * 60 * 1e3;
+    const expirationTime = new Date(now.getTime() + expiryMs);
+    const prepared = prepareSession2({
+      abilities,
+      address: ensureEip553(this.session.address),
+      chainId: this.session.chainId,
+      domain: new URL(this.config.host).hostname,
+      issuedAt: now.toISOString(),
+      expirationTime: expirationTime.toISOString(),
+      spaceId: publicSpaceId,
+      jwk: this.session.jwk,
+      parents: [this.session.delegationCid]
+    });
+    const signature2 = await this.signer.signMessage(prepared.siwe);
+    const delegationSession = completeSessionSetup2({
+      ...prepared,
+      signature: signature2
+    });
+    const activateResult = await activateSessionWithHost2(
+      this.config.host,
+      delegationSession.delegationHeader
+    );
+    if (!activateResult.success) {
+      throw new Error(`Failed to activate public space delegation: ${activateResult.error}`);
+    }
+    if (this._capabilityRegistry && this.session) {
+      const sessionKey = {
+        id: this.session.sessionKey,
+        did: this.session.verificationMethod,
+        type: "session",
+        jwk: this.session.jwk,
+        priority: 0
+      };
+      this._capabilityRegistry.registerKey(sessionKey, [{
+        cid: delegationSession.delegationCid,
+        delegateDID: this.session.verificationMethod,
+        spaceId: publicSpaceId,
+        path: "",
+        actions: kvActions,
+        expiry: expirationTime,
+        isRevoked: false,
+        allowSubDelegation: true
+      }]);
+    }
+    if (this._serviceContext) {
+      const publicKV = new KVService2({ prefix: "" });
+      const publicContext = new ServiceContext2({
+        invoke: invoke2,
+        fetch: this._serviceContext.fetch,
+        hosts: this._serviceContext.hosts
+      });
+      publicContext.setSession({
+        delegationHeader: delegationSession.delegationHeader,
+        delegationCid: delegationSession.delegationCid,
+        spaceId: publicSpaceId,
+        verificationMethod: this.session.verificationMethod,
+        jwk: this.session.jwk
+      });
+      publicKV.initialize(publicContext);
+      this._publicKV = publicKV;
+    }
   }
   /**
    * Get a KVService scoped to the user's own public space.
    * Writes require authentication (owner/delegate).
    */
   get publicKV() {
+    if (this._publicKV) {
+      return this._publicKV;
+    }
     if (!this.tc) {
       throw new Error("Not signed in. Call signIn() first.");
     }
@@ -18641,7 +18886,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       domain: new URL(this.config.host).hostname,
       issuedAt: now.toISOString(),
       expirationTime: expirationTime.toISOString(),
-      spaceId: session.spaceId,
+      spaceId: params.spaceIdOverride ?? session.spaceId,
       delegateUri: params.delegateDID,
       parents: [session.delegationCid]
     });
@@ -18660,7 +18905,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     return {
       cid: delegationSession.delegationCid,
       delegationHeader: delegationSession.delegationHeader,
-      spaceId: session.spaceId,
+      spaceId: params.spaceIdOverride ?? session.spaceId,
       path: params.path,
       actions: params.actions,
       disableSubDelegation: params.disableSubDelegation ?? false,
@@ -18874,6 +19119,7 @@ function deserializeDelegation(data) {
 // src/index.ts
 import { KVService as KVService3, PrefixedKVService } from "@tinycloud/sdk-core";
 import { SQLService as SQLService3, SQLAction, DatabaseHandle } from "@tinycloud/sdk-core";
+import { DataVaultService as DataVaultService2, VaultAction, VaultHeaders, createVaultCrypto as createVaultCrypto2 } from "@tinycloud/sdk-core";
 import {
   DelegationManager as DelegationManager2,
   SharingService as SharingService2,
@@ -18903,6 +19149,7 @@ import { ServiceContext as ServiceContext3 } from "@tinycloud/sdk-core";
 export {
   CapabilityKeyRegistry2 as CapabilityKeyRegistry,
   CapabilityKeyRegistryErrorCodes,
+  DataVaultService2 as DataVaultService,
   DatabaseHandle,
   DelegatedAccess,
   DelegationErrorCodes,
@@ -18923,6 +19170,8 @@ export {
   SpaceService2 as SpaceService,
   TinyCloud2 as TinyCloud,
   TinyCloudNode,
+  VaultAction,
+  VaultHeaders,
   VersionCheckError,
   WasmKeyProvider,
   buildSpaceUri,
@@ -18930,6 +19179,7 @@ export {
   createCapabilityKeyRegistry,
   createSharingService,
   createSpaceService,
+  createVaultCrypto2 as createVaultCrypto,
   createWasmKeyProvider,
   defaultSignStrategy,
   deserializeDelegation,