@tinycloud/node-sdk 2.0.4 → 2.1.0-beta.1

package/dist/index.cjs

@@ -17025,53 +17025,63 @@ var require_utils2 = __commonJS({
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
-  AutoApproveSpaceCreationHandler: () => import_sdk_core6.AutoApproveSpaceCreationHandler,
-  CapabilityKeyRegistry: () => import_sdk_core12.CapabilityKeyRegistry,
-  CapabilityKeyRegistryErrorCodes: () => import_sdk_core12.CapabilityKeyRegistryErrorCodes,
-  DataVaultService: () => import_sdk_core10.DataVaultService,
-  DatabaseHandle: () => import_sdk_core8.DatabaseHandle,
+  AutoApproveSpaceCreationHandler: () => import_sdk_core7.AutoApproveSpaceCreationHandler,
+  CapabilityKeyRegistry: () => import_sdk_core15.CapabilityKeyRegistry,
+  CapabilityKeyRegistryErrorCodes: () => import_sdk_core15.CapabilityKeyRegistryErrorCodes,
+  DataVaultService: () => import_sdk_core12.DataVaultService,
+  DatabaseHandle: () => import_sdk_core10.DatabaseHandle,
   DelegatedAccess: () => DelegatedAccess,
-  DelegationErrorCodes: () => import_sdk_core11.DelegationErrorCodes,
-  DelegationManager: () => import_sdk_core11.DelegationManager,
-  DuckDbAction: () => import_sdk_core9.DuckDbAction,
-  DuckDbDatabaseHandle: () => import_sdk_core9.DuckDbDatabaseHandle,
-  DuckDbService: () => import_sdk_core9.DuckDbService,
+  DelegationErrorCodes: () => import_sdk_core14.DelegationErrorCodes,
+  DelegationManager: () => import_sdk_core14.DelegationManager,
+  DuckDbAction: () => import_sdk_core11.DuckDbAction,
+  DuckDbDatabaseHandle: () => import_sdk_core11.DuckDbDatabaseHandle,
+  DuckDbService: () => import_sdk_core11.DuckDbService,
   FileSessionStorage: () => FileSessionStorage,
-  KVService: () => import_sdk_core7.KVService,
+  HooksService: () => import_sdk_core13.HooksService,
+  KVService: () => import_sdk_core9.KVService,
+  ManifestValidationError: () => import_sdk_core8.ManifestValidationError,
   MemorySessionStorage: () => MemorySessionStorage,
   NodeUserAuthorization: () => NodeUserAuthorization,
   NodeWasmBindings: () => NodeWasmBindings,
-  PrefixedKVService: () => import_sdk_core7.PrefixedKVService,
+  PermissionNotInManifestError: () => import_sdk_core8.PermissionNotInManifestError,
+  PrefixedKVService: () => import_sdk_core9.PrefixedKVService,
   PrivateKeySigner: () => PrivateKeySigner,
-  ProtocolMismatchError: () => import_sdk_core14.ProtocolMismatchError,
-  SQLAction: () => import_sdk_core8.SQLAction,
-  SQLService: () => import_sdk_core8.SQLService,
-  ServiceContext: () => import_sdk_core15.ServiceContext,
-  SharingService: () => import_sdk_core11.SharingService,
-  SilentNotificationHandler: () => import_sdk_core6.SilentNotificationHandler,
-  Space: () => import_sdk_core13.Space,
-  SpaceErrorCodes: () => import_sdk_core13.SpaceErrorCodes,
-  SpaceService: () => import_sdk_core13.SpaceService,
-  TinyCloud: () => import_sdk_core5.TinyCloud,
+  ProtocolMismatchError: () => import_sdk_core17.ProtocolMismatchError,
+  SQLAction: () => import_sdk_core10.SQLAction,
+  SQLService: () => import_sdk_core10.SQLService,
+  ServiceContext: () => import_sdk_core18.ServiceContext,
+  SessionExpiredError: () => import_sdk_core8.SessionExpiredError,
+  SharingService: () => import_sdk_core14.SharingService,
+  SilentNotificationHandler: () => import_sdk_core7.SilentNotificationHandler,
+  Space: () => import_sdk_core16.Space,
+  SpaceErrorCodes: () => import_sdk_core16.SpaceErrorCodes,
+  SpaceService: () => import_sdk_core16.SpaceService,
+  TinyCloud: () => import_sdk_core6.TinyCloud,
   TinyCloudNode: () => TinyCloudNode,
-  UnsupportedFeatureError: () => import_sdk_core14.UnsupportedFeatureError,
-  VaultHeaders: () => import_sdk_core10.VaultHeaders,
-  VaultPublicSpaceKVActions: () => import_sdk_core10.VaultPublicSpaceKVActions,
-  VersionCheckError: () => import_sdk_core14.VersionCheckError,
+  UnsupportedFeatureError: () => import_sdk_core17.UnsupportedFeatureError,
+  VaultHeaders: () => import_sdk_core12.VaultHeaders,
+  VaultPublicSpaceKVActions: () => import_sdk_core12.VaultPublicSpaceKVActions,
+  VersionCheckError: () => import_sdk_core17.VersionCheckError,
   WasmKeyProvider: () => WasmKeyProvider,
-  buildSpaceUri: () => import_sdk_core13.buildSpaceUri,
-  checkNodeInfo: () => import_sdk_core14.checkNodeInfo,
-  createCapabilityKeyRegistry: () => import_sdk_core12.createCapabilityKeyRegistry,
-  createSharingService: () => import_sdk_core11.createSharingService,
-  createSpaceService: () => import_sdk_core13.createSpaceService,
-  createVaultCrypto: () => import_sdk_core10.createVaultCrypto,
+  buildSpaceUri: () => import_sdk_core16.buildSpaceUri,
+  checkNodeInfo: () => import_sdk_core17.checkNodeInfo,
+  createCapabilityKeyRegistry: () => import_sdk_core15.createCapabilityKeyRegistry,
+  createSharingService: () => import_sdk_core14.createSharingService,
+  createSpaceService: () => import_sdk_core16.createSpaceService,
+  createVaultCrypto: () => import_sdk_core12.createVaultCrypto,
   createWasmKeyProvider: () => createWasmKeyProvider,
   defaultSignStrategy: () => defaultSignStrategy,
-  defaultSpaceCreationHandler: () => import_sdk_core6.defaultSpaceCreationHandler,
+  defaultSpaceCreationHandler: () => import_sdk_core7.defaultSpaceCreationHandler,
   deserializeDelegation: () => deserializeDelegation,
-  makePublicSpaceId: () => import_sdk_core13.makePublicSpaceId,
-  parseSpaceUri: () => import_sdk_core13.parseSpaceUri,
-  serializeDelegation: () => serializeDelegation
+  expandActionShortNames: () => import_sdk_core8.expandActionShortNames,
+  isCapabilitySubset: () => import_sdk_core8.isCapabilitySubset,
+  loadManifest: () => import_sdk_core8.loadManifest,
+  makePublicSpaceId: () => import_sdk_core16.makePublicSpaceId,
+  parseExpiry: () => import_sdk_core8.parseExpiry,
+  parseSpaceUri: () => import_sdk_core16.parseSpaceUri,
+  resolveManifest: () => import_sdk_core8.resolveManifest,
+  serializeDelegation: () => serializeDelegation,
+  validateManifest: () => import_sdk_core8.validateManifest
 });
 module.exports = __toCommonJS(index_exports);
 
@@ -17080,11 +17090,13 @@ var import_node_sdk_wasm = require("@tinycloud/node-sdk-wasm");
 var _NodeWasmBindings = class _NodeWasmBindings {
   constructor() {
     this.invoke = import_node_sdk_wasm.invoke;
+    this.invokeAny = import_node_sdk_wasm.invokeAny;
     this.prepareSession = import_node_sdk_wasm.prepareSession;
     this.completeSessionSetup = import_node_sdk_wasm.completeSessionSetup;
     this.ensureEip55 = import_node_sdk_wasm.ensureEip55;
     this.makeSpaceId = import_node_sdk_wasm.makeSpaceId;
     this.createDelegation = import_node_sdk_wasm.createDelegation;
+    this.parseRecapFromSiwe = import_node_sdk_wasm.parseRecapFromSiwe;
     this.generateHostSIWEMessage = import_node_sdk_wasm.generateHostSIWEMessage;
     this.siweToDelegationHeaders = import_node_sdk_wasm.siweToDelegationHeaders;
     this.protocolVersion = import_node_sdk_wasm.protocolVersion;
@@ -17173,7 +17185,7 @@ var PrivateKeySigner = class {
 };
 
 // src/TinyCloudNode.ts
-var import_sdk_core3 = require("@tinycloud/sdk-core");
+var import_sdk_core4 = require("@tinycloud/sdk-core");
 
 // src/authorization/NodeUserAuthorization.ts
 var import_sdk_core = require("@tinycloud/sdk-core");
@@ -17296,12 +17308,22 @@ var NodeUserAuthorization = class {
       },
       capabilities: {
         "": ["tinycloud.capabilities/read"]
+      },
+      hooks: {
+        "": [
+          "tinycloud.hooks/subscribe",
+          "tinycloud.hooks/register",
+          "tinycloud.hooks/list",
+          "tinycloud.hooks/unregister"
+        ]
       }
     };
     this.sessionExpirationMs = config.sessionExpirationMs ?? 60 * 60 * 1e3;
     this.autoCreateSpace = config.autoCreateSpace ?? false;
     this.spaceCreationHandler = config.spaceCreationHandler;
-    this.tinycloudHosts = config.tinycloudHosts ?? ["https://node.tinycloud.xyz"];
+    this.tinycloudHosts = config.tinycloudHosts ?? [
+      "https://node.tinycloud.xyz"
+    ];
     this.enablePublicSpace = config.enablePublicSpace ?? true;
     this.nonce = config.nonce;
     this.siweConfig = config.siweConfig;
@@ -17441,7 +17463,10 @@ var NodeUserAuthorization = class {
           throw err;
         }
       } catch (error) {
-        handler.onSpaceCreationFailed?.(creationContext, error instanceof Error ? error : new Error(String(error)));
+        handler.onSpaceCreationFailed?.(
+          creationContext,
+          error instanceof Error ? error : new Error(String(error))
+        );
         throw error;
       }
       await new Promise((resolve) => setTimeout(resolve, 100));
@@ -17475,7 +17500,10 @@ var NodeUserAuthorization = class {
           throw err;
         }
       } catch (error) {
-        handler.onSpaceCreationFailed?.(creationContext, error instanceof Error ? error : new Error(String(error)));
+        handler.onSpaceCreationFailed?.(
+          creationContext,
+          error instanceof Error ? error : new Error(String(error))
+        );
         throw error;
       }
       await new Promise((resolve) => setTimeout(resolve, 100));
@@ -17584,7 +17612,10 @@ var NodeUserAuthorization = class {
     this._tinyCloudSession = tinyCloudSession;
     this._address = address;
     this._chainId = chainId;
-    const nodeInfo = await (0, import_sdk_core.checkNodeInfo)(this.tinycloudHosts[0], this.wasm.protocolVersion());
+    const nodeInfo = await (0, import_sdk_core.checkNodeInfo)(
+      this.tinycloudHosts[0],
+      this.wasm.protocolVersion()
+    );
     this._nodeFeatures = nodeInfo.features;
     for (const ext of this.extensions) {
       if (ext.afterSignIn) {
@@ -17744,7 +17775,10 @@ var NodeUserAuthorization = class {
     this._tinyCloudSession = tinyCloudSession;
     this._address = address;
     this._chainId = chainId;
-    const nodeInfo = await (0, import_sdk_core.checkNodeInfo)(this.tinycloudHosts[0], this.wasm.protocolVersion());
+    const nodeInfo = await (0, import_sdk_core.checkNodeInfo)(
+      this.tinycloudHosts[0],
+      this.wasm.protocolVersion()
+    );
     this._nodeFeatures = nodeInfo.features;
     for (const ext of this.extensions) {
       if (ext.afterSignIn) {
@@ -17795,7 +17829,9 @@ var NodeUserAuthorization = class {
         );
       }
       default:
-        throw new Error(`Unknown sign strategy: ${this.signStrategy.type}`);
+        throw new Error(
+          `Unknown sign strategy: ${this.signStrategy.type}`
+        );
     }
   }
   /**
@@ -17844,6 +17880,9 @@ var DelegatedAccess = class {
     this._duckdb = new import_sdk_core2.DuckDbService({});
     this._duckdb.initialize(this._serviceContext);
     this._serviceContext.registerService("duckdb", this._duckdb);
+    this._hooks = new import_sdk_core2.HooksService({});
+    this._hooks.initialize(this._serviceContext);
+    this._serviceContext.registerService("hooks", this._hooks);
     const serviceSession = {
       delegationHeader: session.delegationHeader,
       delegationCid: session.delegationCid,
@@ -17889,6 +17928,12 @@ var DelegatedAccess = class {
   get duckdb() {
     return this._duckdb;
   }
+  /**
+   * Hooks write-stream subscriptions on the delegated space.
+   */
+  get hooks() {
+    return this._hooks;
+  }
 };
 
 // src/keys/WasmKeyProvider.ts
@@ -17966,9 +18011,69 @@ function createWasmKeyProvider(sessionManager) {
   return new WasmKeyProvider({ sessionManager });
 }
 
+// src/delegateToHelpers.ts
+var import_sdk_core3 = require("@tinycloud/sdk-core");
+function legacyParamsToPermissionEntries(actions, path, spaceIdOverride) {
+  const byService = /* @__PURE__ */ new Map();
+  for (const a of actions) {
+    const slashIdx = a.indexOf("/");
+    if (slashIdx === -1) {
+      continue;
+    }
+    const service = a.slice(0, slashIdx);
+    if (!service.startsWith("tinycloud.")) {
+      continue;
+    }
+    const list = byService.get(service);
+    if (list === void 0) {
+      byService.set(service, [a]);
+    } else {
+      list.push(a);
+    }
+  }
+  const space = spaceIdOverride ?? "default";
+  const entries = [];
+  for (const [service, actionList] of byService) {
+    entries.push({
+      service,
+      space,
+      path,
+      actions: actionList
+    });
+  }
+  return entries;
+}
+function resolveExpiryMs(expiry) {
+  if (expiry === void 0) {
+    return 60 * 60 * 1e3;
+  }
+  if (typeof expiry === "number") {
+    if (!Number.isFinite(expiry) || expiry <= 0) {
+      throw new Error(
+        `delegateTo expiry must be a positive finite number (got ${expiry})`
+      );
+    }
+    return expiry;
+  }
+  return (0, import_sdk_core3.parseExpiry)(expiry);
+}
+function extractSiweExpiration(siwe) {
+  const parsed = new import_sdk_core3.SiweMessage(siwe);
+  if (parsed.expirationTime === void 0 || parsed.expirationTime === null) {
+    return void 0;
+  }
+  const d = new Date(parsed.expirationTime);
+  if (Number.isNaN(d.getTime())) {
+    throw new Error(
+      `Session SIWE has unparseable expirationTime: ${parsed.expirationTime}`
+    );
+  }
+  return d;
+}
+
 // src/TinyCloudNode.ts
 var DEFAULT_HOST = "https://node.tinycloud.xyz";
-var TinyCloudNode = class _TinyCloudNode {
+var _TinyCloudNode = class _TinyCloudNode {
   /**
    * Create a new TinyCloudNode instance.
    *
@@ -18023,12 +18128,12 @@ var TinyCloudNode = class _TinyCloudNode {
       throw new Error("Failed to get session key JWK");
     }
     this.sessionKeyJwk = JSON.parse(jwkStr);
-    this._capabilityRegistry = new import_sdk_core3.CapabilityKeyRegistry();
+    this._capabilityRegistry = new import_sdk_core4.CapabilityKeyRegistry();
     this._keyProvider = new WasmKeyProvider({
       sessionManager: this.sessionManager
     });
-    this.notificationHandler = config.notificationHandler ?? new import_sdk_core3.SilentNotificationHandler();
-    this._sharingService = new import_sdk_core3.SharingService({
+    this.notificationHandler = config.notificationHandler ?? new import_sdk_core4.SilentNotificationHandler();
+    this._sharingService = new import_sdk_core4.SharingService({
       hosts: [this.config.host],
       // session: undefined - not needed for receive()
       invoke: this.wasmBindings.invoke,
@@ -18038,8 +18143,8 @@ var TinyCloudNode = class _TinyCloudNode {
       // delegationManager: undefined - not needed for receive()
       createKVService: (config2) => {
         const prefix = config2.pathPrefix?.replace(/\/$/, "");
-        const kvService = new import_sdk_core3.KVService({ prefix });
-        const kvContext = new import_sdk_core3.ServiceContext({
+        const kvService = new import_sdk_core4.KVService({ prefix });
+        const kvContext = new import_sdk_core4.ServiceContext({
           invoke: config2.invoke,
           fetch: config2.fetch ?? globalThis.fetch.bind(globalThis),
           hosts: config2.hosts
@@ -18094,7 +18199,9 @@ var TinyCloudNode = class _TinyCloudNode {
       nonce: config.nonce,
       siweConfig: config.siweConfig
     });
-    this.tc = new import_sdk_core3.TinyCloud(this.auth);
+    this.tc = new import_sdk_core4.TinyCloud(this.auth, {
+      invokeAny: this.wasmBindings.invokeAny
+    });
   }
   /**
    * Get the primary identity DID for this user.
@@ -18163,6 +18270,7 @@ var TinyCloudNode = class _TinyCloudNode {
     this._kv = void 0;
     this._sql = void 0;
     this._duckdb = void 0;
+    this._hooks = void 0;
     this._serviceContext = void 0;
     await this.tc.signIn();
     this.initializeServices();
@@ -18182,6 +18290,7 @@ var TinyCloudNode = class _TinyCloudNode {
     this._kv = void 0;
     this._sql = void 0;
     this._duckdb = void 0;
+    this._hooks = void 0;
     this._serviceContext = void 0;
     if (sessionData.address) {
       this._address = sessionData.address;
@@ -18189,20 +18298,24 @@ var TinyCloudNode = class _TinyCloudNode {
     if (sessionData.chainId) {
       this._chainId = sessionData.chainId;
     }
-    this._serviceContext = new import_sdk_core3.ServiceContext({
+    this._serviceContext = new import_sdk_core4.ServiceContext({
       invoke: this.wasmBindings.invoke,
+      invokeAny: this.wasmBindings.invokeAny,
       fetch: globalThis.fetch.bind(globalThis),
       hosts: [this.config.host]
     });
-    this._kv = new import_sdk_core3.KVService({});
+    this._kv = new import_sdk_core4.KVService({});
     this._kv.initialize(this._serviceContext);
     this._serviceContext.registerService("kv", this._kv);
-    this._sql = new import_sdk_core3.SQLService({});
+    this._sql = new import_sdk_core4.SQLService({});
     this._sql.initialize(this._serviceContext);
     this._serviceContext.registerService("sql", this._sql);
-    this._duckdb = new import_sdk_core3.DuckDbService({});
+    this._duckdb = new import_sdk_core4.DuckDbService({});
     this._duckdb.initialize(this._serviceContext);
     this._serviceContext.registerService("duckdb", this._duckdb);
+    this._hooks = new import_sdk_core4.HooksService({});
+    this._hooks.initialize(this._serviceContext);
+    this._serviceContext.registerService("hooks", this._hooks);
     const serviceSession = {
       delegationHeader: sessionData.delegationHeader,
       delegationCid: sessionData.delegationCid,
@@ -18212,7 +18325,7 @@ var TinyCloudNode = class _TinyCloudNode {
     };
     this._serviceContext.setSession(serviceSession);
     const wasm = this.wasmBindings;
-    const vaultCrypto = (0, import_sdk_core3.createVaultCrypto)({
+    const vaultCrypto = (0, import_sdk_core4.createVaultCrypto)({
       vault_encrypt: wasm.vault_encrypt,
       vault_decrypt: wasm.vault_decrypt,
       vault_derive_key: wasm.vault_derive_key,
@@ -18222,7 +18335,7 @@ var TinyCloudNode = class _TinyCloudNode {
       vault_sha256: wasm.vault_sha256
     });
     const self2 = this;
-    this._vault = new import_sdk_core3.DataVaultService({
+    this._vault = new import_sdk_core4.DataVaultService({
       spaceId: sessionData.spaceId,
       crypto: vaultCrypto,
       tc: {
@@ -18238,8 +18351,8 @@ var TinyCloudNode = class _TinyCloudNode {
         get publicKV() {
           return self2._publicKV ?? self2.tc.publicKV;
         },
-        readPublicSpace: (host, spaceId, key2) => import_sdk_core3.TinyCloud.readPublicSpace(host, spaceId, key2),
-        makePublicSpaceId: import_sdk_core3.TinyCloud.makePublicSpaceId,
+        readPublicSpace: (host, spaceId, key2) => import_sdk_core4.TinyCloud.readPublicSpace(host, spaceId, key2),
+        makePublicSpaceId: import_sdk_core4.TinyCloud.makePublicSpaceId,
         did: this.did,
         address: sessionData.address ?? this._address ?? "",
         chainId: sessionData.chainId ?? this._chainId,
@@ -18302,7 +18415,9 @@ var TinyCloudNode = class _TinyCloudNode {
       nonce: this.config.nonce,
       siweConfig: this.config.siweConfig
     });
-    this.tc = new import_sdk_core3.TinyCloud(this.auth);
+    this.tc = new import_sdk_core4.TinyCloud(this.auth, {
+      invokeAny: this.wasmBindings.invokeAny
+    });
     this.config.prefix = prefix;
   }
   /**
@@ -18340,7 +18455,9 @@ var TinyCloudNode = class _TinyCloudNode {
       nonce: this.config.nonce,
       siweConfig: this.config.siweConfig
     });
-    this.tc = new import_sdk_core3.TinyCloud(this.auth);
+    this.tc = new import_sdk_core4.TinyCloud(this.auth, {
+      invokeAny: this.wasmBindings.invokeAny
+    });
     this.config.prefix = prefix;
   }
   /**
@@ -18353,25 +18470,29 @@ var TinyCloudNode = class _TinyCloudNode {
       return;
     }
     this.tc.initializeServices(this.wasmBindings.invoke, [this.config.host]);
-    this._serviceContext = new import_sdk_core3.ServiceContext({
+    this._serviceContext = new import_sdk_core4.ServiceContext({
       invoke: this.wasmBindings.invoke,
+      invokeAny: this.wasmBindings.invokeAny,
       fetch: globalThis.fetch.bind(globalThis),
       hosts: [this.config.host]
     });
-    this._kv = new import_sdk_core3.KVService({});
+    this._kv = new import_sdk_core4.KVService({});
     this._kv.initialize(this._serviceContext);
     this._serviceContext.registerService("kv", this._kv);
     const features = this.nodeFeatures;
     if (features.length === 0 || features.includes("sql")) {
-      this._sql = new import_sdk_core3.SQLService({});
+      this._sql = new import_sdk_core4.SQLService({});
       this._sql.initialize(this._serviceContext);
       this._serviceContext.registerService("sql", this._sql);
     }
     if (features.length === 0 || features.includes("duckdb")) {
-      this._duckdb = new import_sdk_core3.DuckDbService({});
+      this._duckdb = new import_sdk_core4.DuckDbService({});
       this._duckdb.initialize(this._serviceContext);
       this._serviceContext.registerService("duckdb", this._duckdb);
     }
+    this._hooks = new import_sdk_core4.HooksService({});
+    this._hooks.initialize(this._serviceContext);
+    this._serviceContext.registerService("hooks", this._hooks);
     const serviceSession = {
       delegationHeader: session.delegationHeader,
       delegationCid: session.delegationCid,
@@ -18382,7 +18503,7 @@ var TinyCloudNode = class _TinyCloudNode {
     this._serviceContext.setSession(serviceSession);
     this.tc.serviceContext.setSession(serviceSession);
     const wasm = this.wasmBindings;
-    const vaultCrypto = (0, import_sdk_core3.createVaultCrypto)({
+    const vaultCrypto = (0, import_sdk_core4.createVaultCrypto)({
       vault_encrypt: wasm.vault_encrypt,
       vault_decrypt: wasm.vault_decrypt,
       vault_derive_key: wasm.vault_derive_key,
@@ -18392,7 +18513,7 @@ var TinyCloudNode = class _TinyCloudNode {
       vault_sha256: wasm.vault_sha256
     });
     const self2 = this;
-    this._vault = new import_sdk_core3.DataVaultService({
+    this._vault = new import_sdk_core4.DataVaultService({
       spaceId: session.spaceId,
       crypto: vaultCrypto,
       tc: {
@@ -18408,8 +18529,8 @@ var TinyCloudNode = class _TinyCloudNode {
         get publicKV() {
           return self2._publicKV ?? self2.tc.publicKV;
         },
-        readPublicSpace: (host, spaceId, key2) => import_sdk_core3.TinyCloud.readPublicSpace(host, spaceId, key2),
-        makePublicSpaceId: import_sdk_core3.TinyCloud.makePublicSpaceId,
+        readPublicSpace: (host, spaceId, key2) => import_sdk_core4.TinyCloud.readPublicSpace(host, spaceId, key2),
+        makePublicSpaceId: import_sdk_core4.TinyCloud.makePublicSpaceId,
         did: this.did,
         address: this._address,
         chainId: this._chainId,
@@ -18425,7 +18546,7 @@ var TinyCloudNode = class _TinyCloudNode {
    * @internal
    */
   initializeV2Services(serviceSession) {
-    this._capabilityRegistry = new import_sdk_core3.CapabilityKeyRegistry();
+    this._capabilityRegistry = new import_sdk_core4.CapabilityKeyRegistry();
     const tcSession = this.auth?.tinyCloudSession;
     if (tcSession && this._address) {
       const sessionKey = {
@@ -18499,13 +18620,13 @@ var TinyCloudNode = class _TinyCloudNode {
       }
       this._capabilityRegistry.registerKey(sessionKey, delegations);
     }
-    this._delegationManager = new import_sdk_core3.DelegationManager({
+    this._delegationManager = new import_sdk_core4.DelegationManager({
       hosts: [this.config.host],
       session: serviceSession,
       invoke: this.wasmBindings.invoke,
       fetch: globalThis.fetch.bind(globalThis)
     });
-    this._spaceService = new import_sdk_core3.SpaceService({
+    this._spaceService = new import_sdk_core4.SpaceService({
       hosts: [this.config.host],
       session: serviceSession,
       invoke: this.wasmBindings.invoke,
@@ -18513,9 +18634,9 @@ var TinyCloudNode = class _TinyCloudNode {
       capabilityRegistry: this._capabilityRegistry,
       userDid: this.did,
       createKVService: (spaceId) => {
-        const kvService = new import_sdk_core3.KVService({});
+        const kvService = new import_sdk_core4.KVService({});
         if (this._serviceContext) {
-          const spaceScopedContext = new import_sdk_core3.ServiceContext({
+          const spaceScopedContext = new import_sdk_core4.ServiceContext({
             invoke: this._serviceContext.invoke,
             fetch: this._serviceContext.fetch,
             hosts: this._serviceContext.hosts
@@ -18654,7 +18775,7 @@ var TinyCloudNode = class _TinyCloudNode {
         ...prepared,
         signature: signature2
       });
-      const activateResult = await (0, import_sdk_core3.activateSessionWithHost)(
+      const activateResult = await (0, import_sdk_core4.activateSessionWithHost)(
         host,
         delegationSession.delegationHeader
       );
@@ -18721,7 +18842,7 @@ var TinyCloudNode = class _TinyCloudNode {
     if (!this._sql) {
       const features = this.nodeFeatures;
       if (features.length > 0 && !features.includes("sql")) {
-        throw new import_sdk_core3.UnsupportedFeatureError("sql", this.config.host, features);
+        throw new import_sdk_core4.UnsupportedFeatureError("sql", this.config.host, features);
       }
       throw new Error("Not signed in. Call signIn() first.");
     }
@@ -18734,7 +18855,7 @@ var TinyCloudNode = class _TinyCloudNode {
     if (!this._duckdb) {
       const features = this.nodeFeatures;
       if (features.length > 0 && !features.includes("duckdb")) {
-        throw new import_sdk_core3.UnsupportedFeatureError("duckdb", this.config.host, features);
+        throw new import_sdk_core4.UnsupportedFeatureError("duckdb", this.config.host, features);
       }
       throw new Error("Not signed in. Call signIn() first.");
     }
@@ -18750,6 +18871,15 @@ var TinyCloudNode = class _TinyCloudNode {
     }
     return this._vault;
   }
+  /**
+   * Hooks write stream subscription API.
+   */
+  get hooks() {
+    if (!this._hooks) {
+      throw new Error("Not signed in. Call signIn() first.");
+    }
+    return this._hooks;
+  }
   // ===========================================================================
   // v2 Service Accessors
   // ===========================================================================
@@ -18964,7 +19094,7 @@ var TinyCloudNode = class _TinyCloudNode {
       ...prepared,
       signature: signature2
     });
-    const activateResult = await (0, import_sdk_core3.activateSessionWithHost)(
+    const activateResult = await (0, import_sdk_core4.activateSessionWithHost)(
       this.config.host,
       delegationSession.delegationHeader
     );
@@ -18991,8 +19121,8 @@ var TinyCloudNode = class _TinyCloudNode {
       }]);
     }
     if (this._serviceContext) {
-      const publicKV = new import_sdk_core3.KVService({ prefix: "" });
-      const publicContext = new import_sdk_core3.ServiceContext({
+      const publicKV = new import_sdk_core4.KVService({ prefix: "" });
+      const publicContext = new import_sdk_core4.ServiceContext({
         invoke: this.wasmBindings.invoke,
         fetch: this._serviceContext.fetch,
         hosts: this._serviceContext.hosts
@@ -19077,6 +19207,150 @@ var TinyCloudNode = class _TinyCloudNode {
   async checkPermission(path, action) {
     return this.delegationManager.checkPermission(path, action);
   }
+  /**
+   * Issue a delegation using the capability-chain flow.
+   *
+   * When the requested permissions are a subset of the current session's
+   * recap, the delegation is signed by the session key via WASM — no wallet
+   * prompt. When they are not, a {@link PermissionNotInManifestError} is
+   * raised so the caller can trigger an escalation flow (e.g.
+   * `TinyCloudWeb.requestPermissions`). Passing `forceWalletSign: true`
+   * bypasses the derivability check and always uses the wallet-signed SIWE
+   * path — used by the legacy `createDelegation` fallback and by callers
+   * that want explicit wallet confirmation.
+   *
+   * Current limitation: exactly one {@link PermissionEntry} per call. For
+   * multi-resource delegation, call `delegateTo` multiple times. This keeps
+   * each delegation a single `(spaceId, path)` grant, which matches the
+   * underlying `PortableDelegation` shape.
+   *
+   * @throws {@link SessionExpiredError} when there is no session or the
+   *   current session has expired (or will within the 60s safety margin).
+   * @throws {@link PermissionNotInManifestError} when the requested entries
+   *   are not a subset of the granted session capabilities and
+   *   `forceWalletSign` is not set.
+   */
+  async delegateTo(did, permissions, options) {
+    const session = this.auth?.tinyCloudSession;
+    if (!session) {
+      throw new import_sdk_core4.SessionExpiredError(/* @__PURE__ */ new Date(0));
+    }
+    const sessionExpiry = extractSiweExpiration(session.siwe);
+    if (sessionExpiry !== void 0) {
+      const now2 = Date.now();
+      const marginMs = _TinyCloudNode.SESSION_EXPIRY_SAFETY_MARGIN_MS;
+      if (sessionExpiry.getTime() <= now2 + marginMs) {
+        throw new import_sdk_core4.SessionExpiredError(sessionExpiry);
+      }
+    }
+    if (!Array.isArray(permissions) || permissions.length === 0) {
+      throw new Error(
+        "delegateTo requires a non-empty permissions array"
+      );
+    }
+    if (permissions.length > 1) {
+      throw new Error(
+        "delegateTo currently supports one permission entry per call. Call delegateTo multiple times for multi-resource delegation."
+      );
+    }
+    const entry = permissions[0];
+    const expandedEntry = {
+      ...entry,
+      actions: (0, import_sdk_core4.expandActionShortNames)(entry.service, entry.actions)
+    };
+    const now = /* @__PURE__ */ new Date();
+    const expiryMs = resolveExpiryMs(options?.expiry);
+    const expirationTime = new Date(now.getTime() + expiryMs);
+    let effectiveExpiration = expirationTime;
+    if (sessionExpiry !== void 0 && sessionExpiry < expirationTime) {
+      effectiveExpiration = sessionExpiry;
+    }
+    if (options?.forceWalletSign) {
+      const delegation2 = await this.createDelegationLegacyWalletPath(
+        did,
+        expandedEntry,
+        effectiveExpiration
+      );
+      return { delegation: delegation2, prompted: true };
+    }
+    const granted = (0, import_sdk_core4.parseRecapCapabilities)(
+      (siwe) => this.wasmBindings.parseRecapFromSiwe(siwe),
+      session.siwe
+    );
+    const requested = [expandedEntry];
+    const { subset, missing } = (0, import_sdk_core4.isCapabilitySubset)(requested, granted);
+    if (!subset) {
+      throw new import_sdk_core4.PermissionNotInManifestError(missing, granted);
+    }
+    const delegation = await this.createDelegationViaWasmPath(
+      did,
+      expandedEntry,
+      effectiveExpiration,
+      session
+    );
+    return { delegation, prompted: false };
+  }
+  /**
+   * Issue a delegation via the session-key UCAN WASM path.
+   *
+   * The caller has already verified the request is derivable from the
+   * current session; we just need to shape the inputs for
+   * {@link createDelegationWrapper}.
+   *
+   * @internal
+   */
+  async createDelegationViaWasmPath(did, entry, expirationTime, session) {
+    const spaceId = entry.space === "default" ? session.spaceId : entry.space;
+    const serviceSession = {
+      delegationHeader: session.delegationHeader,
+      delegationCid: session.delegationCid,
+      jwk: session.jwk,
+      spaceId,
+      verificationMethod: session.verificationMethod
+    };
+    const expirationSecs = Math.floor(expirationTime.getTime() / 1e3);
+    const result = this.createDelegationWrapper({
+      session: serviceSession,
+      delegateDID: did,
+      spaceId,
+      path: entry.path,
+      actions: entry.actions,
+      expirationSecs
+    });
+    return {
+      cid: result.cid,
+      delegationHeader: { Authorization: `Bearer ${result.delegation}` },
+      spaceId,
+      path: entry.path,
+      actions: entry.actions,
+      disableSubDelegation: false,
+      expiry: result.expiry,
+      delegateDID: did,
+      ownerAddress: session.address,
+      chainId: session.chainId,
+      host: this.config.host
+    };
+  }
+  /**
+   * Issue a delegation via the legacy wallet-signed SIWE path for a single
+   * {@link PermissionEntry}. Shares the implementation with the public
+   * `createDelegation` method via {@link createDelegationWalletPath} so
+   * both entry points hit exactly the same SIWE / signer / public-space
+   * logic without mutual recursion.
+   *
+   * @internal
+   */
+  async createDelegationLegacyWalletPath(delegateDID, entry, expirationTime) {
+    const spaceIdOverride = entry.space === "default" ? void 0 : entry.space;
+    return this.createDelegationWalletPath({
+      path: entry.path,
+      actions: entry.actions,
+      delegateDID,
+      includePublicSpace: true,
+      expiryMs: Math.max(0, expirationTime.getTime() - Date.now()),
+      spaceIdOverride
+    });
+  }
   /**
    * Create a delegation from this user to another user.
    *
@@ -19087,6 +19361,51 @@ var TinyCloudNode = class _TinyCloudNode {
    * @returns A portable delegation that can be sent to the recipient
    */
   async createDelegation(params) {
+    if (!this.signer) {
+      throw new Error("Cannot createDelegation() in session-only mode. Requires wallet mode.");
+    }
+    if (!this.auth?.tinyCloudSession) {
+      throw new Error("Not signed in. Call signIn() first.");
+    }
+    let resolvedDelegateDID = params.delegateDID;
+    if (resolvedDelegateDID.endsWith(".eth") && this.config.ensResolver) {
+      const address = await this.config.ensResolver.resolveAddress(resolvedDelegateDID);
+      if (!address) throw new Error(`Could not resolve ENS name: ${resolvedDelegateDID}`);
+      resolvedDelegateDID = `did:pkh:eip155:1:${address}`;
+    }
+    const entries = legacyParamsToPermissionEntries(
+      params.actions,
+      params.path,
+      params.spaceIdOverride
+    );
+    if (entries.length === 1) {
+      try {
+        const result = await this.delegateTo(
+          resolvedDelegateDID,
+          [entries[0]],
+          params.expiryMs !== void 0 ? { expiry: params.expiryMs } : void 0
+        );
+        return result.delegation;
+      } catch (err) {
+        if (err instanceof import_sdk_core4.PermissionNotInManifestError) {
+        } else {
+          throw err;
+        }
+      }
+    }
+    return this.createDelegationWalletPath({
+      ...params,
+      delegateDID: resolvedDelegateDID
+    });
+  }
+  /**
+   * Legacy wallet-signed SIWE delegation path. Lifted from the original
+   * `createDelegation` body verbatim so both the legacy public method and
+   * `delegateTo({ forceWalletSign: true })` hit the same code.
+   *
+   * @internal
+   */
+  async createDelegationWalletPath(params) {
     if (!this.signer) {
       throw new Error("Cannot createDelegation() in session-only mode. Requires wallet mode.");
     }
@@ -19094,11 +19413,6 @@ var TinyCloudNode = class _TinyCloudNode {
     if (!session) {
       throw new Error("Not signed in. Call signIn() first.");
     }
-    if (params.delegateDID.endsWith(".eth") && this.config.ensResolver) {
-      const address = await this.config.ensResolver.resolveAddress(params.delegateDID);
-      if (!address) throw new Error(`Could not resolve ENS name: ${params.delegateDID}`);
-      params = { ...params, delegateDID: `did:pkh:eip155:1:${address}` };
-    }
     const abilities = {};
     const kvActions = params.actions.filter((a) => a.startsWith("tinycloud.kv/"));
     const sqlActions = params.actions.filter((a) => a.startsWith("tinycloud.sql/"));
@@ -19131,7 +19445,7 @@ var TinyCloudNode = class _TinyCloudNode {
       ...prepared,
       signature: signature2
     });
-    const activateResult = await (0, import_sdk_core3.activateSessionWithHost)(
+    const activateResult = await (0, import_sdk_core4.activateSessionWithHost)(
       this.config.host,
       delegationSession.delegationHeader
     );
@@ -19153,7 +19467,7 @@ var TinyCloudNode = class _TinyCloudNode {
     };
     const hasKvActions = params.actions.some((a) => a.startsWith("tinycloud.kv/"));
     if (hasKvActions && params.includePublicSpace !== false) {
-      const publicSpaceId = (0, import_sdk_core3.makePublicSpaceId)(
+      const publicSpaceId = (0, import_sdk_core4.makePublicSpaceId)(
         this.wasmBindings.ensureEip55(session.address),
         session.chainId
       );
@@ -19176,7 +19490,7 @@ var TinyCloudNode = class _TinyCloudNode {
         ...publicPrepared,
         signature: publicSignature
       });
-      const publicActivateResult = await (0, import_sdk_core3.activateSessionWithHost)(
+      const publicActivateResult = await (0, import_sdk_core4.activateSessionWithHost)(
         this.config.host,
         publicSession.delegationHeader
       );
@@ -19275,7 +19589,7 @@ var TinyCloudNode = class _TinyCloudNode {
       ...prepared,
       signature: signature2
     });
-    const activateResult = await (0, import_sdk_core3.activateSessionWithHost)(
+    const activateResult = await (0, import_sdk_core4.activateSessionWithHost)(
       targetHost,
       invokerSession.delegationHeader
     );
@@ -19364,7 +19678,7 @@ var TinyCloudNode = class _TinyCloudNode {
       ...prepared,
       signature: signature2
     });
-    const activateResult = await (0, import_sdk_core3.activateSessionWithHost)(
+    const activateResult = await (0, import_sdk_core4.activateSessionWithHost)(
       targetHost,
       subDelegationSession.delegationHeader
     );
@@ -19386,6 +19700,18 @@ var TinyCloudNode = class _TinyCloudNode {
     };
   }
 };
+// ===========================================================================
+// Capability-chain delegation (spec: .claude/specs/capability-chain.md)
+// ===========================================================================
+/**
+ * Safety margin before the session's own expiry at which {@link delegateTo}
+ * will refuse to issue a derived delegation. Prevents issuing sub-delegations
+ * that would be invalid by the time the recipient used them. Spec: 60 seconds.
+ *
+ * @internal
+ */
+_TinyCloudNode.SESSION_EXPIRY_SAFETY_MARGIN_MS = 6e4;
+var TinyCloudNode = _TinyCloudNode;
 
 // src/nodeDefaults.ts
 TinyCloudNode.registerNodeDefaults({
@@ -19394,11 +19720,11 @@ TinyCloudNode.registerNodeDefaults({
 });
 
 // src/index.ts
-var import_sdk_core5 = require("@tinycloud/sdk-core");
 var import_sdk_core6 = require("@tinycloud/sdk-core");
+var import_sdk_core7 = require("@tinycloud/sdk-core");
 
 // src/storage/FileSessionStorage.ts
-var import_sdk_core4 = require("@tinycloud/sdk-core");
+var import_sdk_core5 = require("@tinycloud/sdk-core");
 var import_fs = require("fs");
 var import_path = require("path");
 var FileSessionStorage = class {
@@ -19453,7 +19779,7 @@ var FileSessionStorage = class {
     try {
       const data = (0, import_fs.readFileSync)(filePath, "utf-8");
       const parsed = JSON.parse(data);
-      const validation = (0, import_sdk_core4.validatePersistedSessionData)(parsed);
+      const validation = (0, import_sdk_core5.validatePersistedSessionData)(parsed);
       if (!validation.ok) {
         console.warn(`Invalid session data for ${address}:`, validation.error.message);
         (0, import_fs.unlinkSync)(filePath);
@@ -19517,6 +19843,9 @@ var FileSessionStorage = class {
   }
 };
 
+// src/index.ts
+var import_sdk_core8 = require("@tinycloud/sdk-core");
+
 // src/delegation.ts
 function serializeDelegation(delegation) {
   return JSON.stringify({
@@ -19534,8 +19863,6 @@ function deserializeDelegation(data) {
 }
 
 // src/index.ts
-var import_sdk_core7 = require("@tinycloud/sdk-core");
-var import_sdk_core8 = require("@tinycloud/sdk-core");
 var import_sdk_core9 = require("@tinycloud/sdk-core");
 var import_sdk_core10 = require("@tinycloud/sdk-core");
 var import_sdk_core11 = require("@tinycloud/sdk-core");
@@ -19543,6 +19870,9 @@ var import_sdk_core12 = require("@tinycloud/sdk-core");
 var import_sdk_core13 = require("@tinycloud/sdk-core");
 var import_sdk_core14 = require("@tinycloud/sdk-core");
 var import_sdk_core15 = require("@tinycloud/sdk-core");
+var import_sdk_core16 = require("@tinycloud/sdk-core");
+var import_sdk_core17 = require("@tinycloud/sdk-core");
+var import_sdk_core18 = require("@tinycloud/sdk-core");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AutoApproveSpaceCreationHandler,
@@ -19557,16 +19887,20 @@ var import_sdk_core15 = require("@tinycloud/sdk-core");
   DuckDbDatabaseHandle,
   DuckDbService,
   FileSessionStorage,
+  HooksService,
   KVService,
+  ManifestValidationError,
   MemorySessionStorage,
   NodeUserAuthorization,
   NodeWasmBindings,
+  PermissionNotInManifestError,
   PrefixedKVService,
   PrivateKeySigner,
   ProtocolMismatchError,
   SQLAction,
   SQLService,
   ServiceContext,
+  SessionExpiredError,
   SharingService,
   SilentNotificationHandler,
   Space,
@@ -19589,9 +19923,15 @@ var import_sdk_core15 = require("@tinycloud/sdk-core");
   defaultSignStrategy,
   defaultSpaceCreationHandler,
   deserializeDelegation,
+  expandActionShortNames,
+  isCapabilitySubset,
+  loadManifest,
   makePublicSpaceId,
+  parseExpiry,
   parseSpaceUri,
-  serializeDelegation
+  resolveManifest,
+  serializeDelegation,
+  validateManifest
 });
 /*! Bundled license information: