@tinycloud/node-sdk 2.1.0-beta.0 → 2.1.0-beta.2

package/dist/index.cjs

@@ -17025,54 +17025,63 @@ var require_utils2 = __commonJS({
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
-  AutoApproveSpaceCreationHandler: () => import_sdk_core6.AutoApproveSpaceCreationHandler,
-  CapabilityKeyRegistry: () => import_sdk_core13.CapabilityKeyRegistry,
-  CapabilityKeyRegistryErrorCodes: () => import_sdk_core13.CapabilityKeyRegistryErrorCodes,
-  DataVaultService: () => import_sdk_core10.DataVaultService,
-  DatabaseHandle: () => import_sdk_core8.DatabaseHandle,
+  AutoApproveSpaceCreationHandler: () => import_sdk_core7.AutoApproveSpaceCreationHandler,
+  CapabilityKeyRegistry: () => import_sdk_core15.CapabilityKeyRegistry,
+  CapabilityKeyRegistryErrorCodes: () => import_sdk_core15.CapabilityKeyRegistryErrorCodes,
+  DataVaultService: () => import_sdk_core12.DataVaultService,
+  DatabaseHandle: () => import_sdk_core10.DatabaseHandle,
   DelegatedAccess: () => DelegatedAccess,
-  DelegationErrorCodes: () => import_sdk_core12.DelegationErrorCodes,
-  DelegationManager: () => import_sdk_core12.DelegationManager,
-  DuckDbAction: () => import_sdk_core9.DuckDbAction,
-  DuckDbDatabaseHandle: () => import_sdk_core9.DuckDbDatabaseHandle,
-  DuckDbService: () => import_sdk_core9.DuckDbService,
+  DelegationErrorCodes: () => import_sdk_core14.DelegationErrorCodes,
+  DelegationManager: () => import_sdk_core14.DelegationManager,
+  DuckDbAction: () => import_sdk_core11.DuckDbAction,
+  DuckDbDatabaseHandle: () => import_sdk_core11.DuckDbDatabaseHandle,
+  DuckDbService: () => import_sdk_core11.DuckDbService,
   FileSessionStorage: () => FileSessionStorage,
-  HooksService: () => import_sdk_core11.HooksService,
-  KVService: () => import_sdk_core7.KVService,
+  HooksService: () => import_sdk_core13.HooksService,
+  KVService: () => import_sdk_core9.KVService,
+  ManifestValidationError: () => import_sdk_core8.ManifestValidationError,
   MemorySessionStorage: () => MemorySessionStorage,
   NodeUserAuthorization: () => NodeUserAuthorization,
   NodeWasmBindings: () => NodeWasmBindings,
-  PrefixedKVService: () => import_sdk_core7.PrefixedKVService,
+  PermissionNotInManifestError: () => import_sdk_core8.PermissionNotInManifestError,
+  PrefixedKVService: () => import_sdk_core9.PrefixedKVService,
   PrivateKeySigner: () => PrivateKeySigner,
-  ProtocolMismatchError: () => import_sdk_core15.ProtocolMismatchError,
-  SQLAction: () => import_sdk_core8.SQLAction,
-  SQLService: () => import_sdk_core8.SQLService,
-  ServiceContext: () => import_sdk_core16.ServiceContext,
-  SharingService: () => import_sdk_core12.SharingService,
-  SilentNotificationHandler: () => import_sdk_core6.SilentNotificationHandler,
-  Space: () => import_sdk_core14.Space,
-  SpaceErrorCodes: () => import_sdk_core14.SpaceErrorCodes,
-  SpaceService: () => import_sdk_core14.SpaceService,
-  TinyCloud: () => import_sdk_core5.TinyCloud,
+  ProtocolMismatchError: () => import_sdk_core17.ProtocolMismatchError,
+  SQLAction: () => import_sdk_core10.SQLAction,
+  SQLService: () => import_sdk_core10.SQLService,
+  ServiceContext: () => import_sdk_core18.ServiceContext,
+  SessionExpiredError: () => import_sdk_core8.SessionExpiredError,
+  SharingService: () => import_sdk_core14.SharingService,
+  SilentNotificationHandler: () => import_sdk_core7.SilentNotificationHandler,
+  Space: () => import_sdk_core16.Space,
+  SpaceErrorCodes: () => import_sdk_core16.SpaceErrorCodes,
+  SpaceService: () => import_sdk_core16.SpaceService,
+  TinyCloud: () => import_sdk_core6.TinyCloud,
   TinyCloudNode: () => TinyCloudNode,
-  UnsupportedFeatureError: () => import_sdk_core15.UnsupportedFeatureError,
-  VaultHeaders: () => import_sdk_core10.VaultHeaders,
-  VaultPublicSpaceKVActions: () => import_sdk_core10.VaultPublicSpaceKVActions,
-  VersionCheckError: () => import_sdk_core15.VersionCheckError,
+  UnsupportedFeatureError: () => import_sdk_core17.UnsupportedFeatureError,
+  VaultHeaders: () => import_sdk_core12.VaultHeaders,
+  VaultPublicSpaceKVActions: () => import_sdk_core12.VaultPublicSpaceKVActions,
+  VersionCheckError: () => import_sdk_core17.VersionCheckError,
   WasmKeyProvider: () => WasmKeyProvider,
-  buildSpaceUri: () => import_sdk_core14.buildSpaceUri,
-  checkNodeInfo: () => import_sdk_core15.checkNodeInfo,
-  createCapabilityKeyRegistry: () => import_sdk_core13.createCapabilityKeyRegistry,
-  createSharingService: () => import_sdk_core12.createSharingService,
-  createSpaceService: () => import_sdk_core14.createSpaceService,
-  createVaultCrypto: () => import_sdk_core10.createVaultCrypto,
+  buildSpaceUri: () => import_sdk_core16.buildSpaceUri,
+  checkNodeInfo: () => import_sdk_core17.checkNodeInfo,
+  createCapabilityKeyRegistry: () => import_sdk_core15.createCapabilityKeyRegistry,
+  createSharingService: () => import_sdk_core14.createSharingService,
+  createSpaceService: () => import_sdk_core16.createSpaceService,
+  createVaultCrypto: () => import_sdk_core12.createVaultCrypto,
   createWasmKeyProvider: () => createWasmKeyProvider,
   defaultSignStrategy: () => defaultSignStrategy,
-  defaultSpaceCreationHandler: () => import_sdk_core6.defaultSpaceCreationHandler,
+  defaultSpaceCreationHandler: () => import_sdk_core7.defaultSpaceCreationHandler,
   deserializeDelegation: () => deserializeDelegation,
-  makePublicSpaceId: () => import_sdk_core14.makePublicSpaceId,
-  parseSpaceUri: () => import_sdk_core14.parseSpaceUri,
-  serializeDelegation: () => serializeDelegation
+  expandActionShortNames: () => import_sdk_core8.expandActionShortNames,
+  isCapabilitySubset: () => import_sdk_core8.isCapabilitySubset,
+  loadManifest: () => import_sdk_core8.loadManifest,
+  makePublicSpaceId: () => import_sdk_core16.makePublicSpaceId,
+  parseExpiry: () => import_sdk_core8.parseExpiry,
+  parseSpaceUri: () => import_sdk_core16.parseSpaceUri,
+  resolveManifest: () => import_sdk_core8.resolveManifest,
+  serializeDelegation: () => serializeDelegation,
+  validateManifest: () => import_sdk_core8.validateManifest
 });
 module.exports = __toCommonJS(index_exports);
 
@@ -17087,6 +17096,7 @@ var _NodeWasmBindings = class _NodeWasmBindings {
     this.ensureEip55 = import_node_sdk_wasm.ensureEip55;
     this.makeSpaceId = import_node_sdk_wasm.makeSpaceId;
     this.createDelegation = import_node_sdk_wasm.createDelegation;
+    this.parseRecapFromSiwe = import_node_sdk_wasm.parseRecapFromSiwe;
     this.generateHostSIWEMessage = import_node_sdk_wasm.generateHostSIWEMessage;
     this.siweToDelegationHeaders = import_node_sdk_wasm.siweToDelegationHeaders;
     this.protocolVersion = import_node_sdk_wasm.protocolVersion;
@@ -17175,7 +17185,7 @@ var PrivateKeySigner = class {
 };
 
 // src/TinyCloudNode.ts
-var import_sdk_core3 = require("@tinycloud/sdk-core");
+var import_sdk_core4 = require("@tinycloud/sdk-core");
 
 // src/authorization/NodeUserAuthorization.ts
 var import_sdk_core = require("@tinycloud/sdk-core");
@@ -17317,8 +17327,25 @@ var NodeUserAuthorization = class {
     this.enablePublicSpace = config.enablePublicSpace ?? true;
     this.nonce = config.nonce;
     this.siweConfig = config.siweConfig;
+    this._manifest = config.manifest;
     this.sessionManager = this.wasm.createSessionManager();
   }
+  /**
+   * Return the manifest currently driving sign-in behavior, or
+   * `undefined` if none is set. Used by TinyCloudWeb/TinyCloudNode
+   * internals to surface the manifest for requestPermissions flows
+   * without forcing the caller to track it separately.
+   */
+  get manifest() {
+    return this._manifest;
+  }
+  /**
+   * Install or replace the stored manifest. Takes effect on the next
+   * `signIn()` call — the current session (if any) is not touched.
+   */
+  setManifest(manifest) {
+    this._manifest = manifest;
+  }
   /**
    * The current active session (web-core compatible).
    */
@@ -17335,6 +17362,39 @@ var NodeUserAuthorization = class {
   get nodeFeatures() {
     return this._nodeFeatures;
   }
+  /**
+   * Compute the `abilities` map the WASM `prepareSession` call should
+   * see at sign-in time.
+   *
+   * When a manifest is installed, we resolve it and union together:
+   * - the app's own `resources` (what it needs at runtime)
+   * - every `additionalDelegates[*].permissions` list (what it will
+   *   re-delegate to other DIDs post sign-in)
+   *
+   * into the short-service / path / full-URN-actions shape the WASM
+   * layer expects. This is the key invariant that lets
+   * {@link TinyCloudNode.delegateTo} issue manifest-declared
+   * delegations via the session key (no wallet prompt): the session's
+   * own recap already covers every action those delegations need.
+   *
+   * When no manifest is installed, we fall back to the
+   * {@link defaultActions} table so existing callers see no change.
+   *
+   * This is a pure function of `this._manifest` + `this.defaultActions`
+   * — the manifest resolution performs no I/O and throws a
+   * {@link ManifestValidationError} on structural problems (missing
+   * id/name, unparseable expiry, etc), which will surface at sign-in
+   * rather than being silently swallowed.
+   *
+   * @internal
+   */
+  resolveSignInAbilities() {
+    if (this._manifest === void 0) {
+      return this.defaultActions;
+    }
+    const resolved = (0, import_sdk_core.resolveManifest)(this._manifest);
+    return (0, import_sdk_core.manifestAbilitiesUnion)(resolved);
+  }
   /**
    * Build SIWE overrides from the top-level nonce and siweConfig.
    * - Top-level `nonce` is seeded first so `siweConfig.nonce` wins if both are set.
@@ -17538,7 +17598,7 @@ var NodeUserAuthorization = class {
     const now = /* @__PURE__ */ new Date();
     const expirationTime = new Date(now.getTime() + this.sessionExpirationMs);
     const prepared = this.wasm.prepareSession({
-      abilities: this.defaultActions,
+      abilities: this.resolveSignInAbilities(),
       address,
       chainId,
       domain: this.domain,
@@ -17681,7 +17741,7 @@ var NodeUserAuthorization = class {
     const now = /* @__PURE__ */ new Date();
     const expirationTime = new Date(now.getTime() + this.sessionExpirationMs);
     const prepared = this.wasm.prepareSession({
-      abilities: this.defaultActions,
+      abilities: this.resolveSignInAbilities(),
       address,
       chainId,
       domain: this.domain,
@@ -18001,9 +18061,69 @@ function createWasmKeyProvider(sessionManager) {
   return new WasmKeyProvider({ sessionManager });
 }
 
+// src/delegateToHelpers.ts
+var import_sdk_core3 = require("@tinycloud/sdk-core");
+function legacyParamsToPermissionEntries(actions, path, spaceIdOverride) {
+  const byService = /* @__PURE__ */ new Map();
+  for (const a of actions) {
+    const slashIdx = a.indexOf("/");
+    if (slashIdx === -1) {
+      continue;
+    }
+    const service = a.slice(0, slashIdx);
+    if (!service.startsWith("tinycloud.")) {
+      continue;
+    }
+    const list = byService.get(service);
+    if (list === void 0) {
+      byService.set(service, [a]);
+    } else {
+      list.push(a);
+    }
+  }
+  const space = spaceIdOverride ?? "default";
+  const entries = [];
+  for (const [service, actionList] of byService) {
+    entries.push({
+      service,
+      space,
+      path,
+      actions: actionList
+    });
+  }
+  return entries;
+}
+function resolveExpiryMs(expiry) {
+  if (expiry === void 0) {
+    return 60 * 60 * 1e3;
+  }
+  if (typeof expiry === "number") {
+    if (!Number.isFinite(expiry) || expiry <= 0) {
+      throw new Error(
+        `delegateTo expiry must be a positive finite number (got ${expiry})`
+      );
+    }
+    return expiry;
+  }
+  return (0, import_sdk_core3.parseExpiry)(expiry);
+}
+function extractSiweExpiration(siwe) {
+  const parsed = new import_sdk_core3.SiweMessage(siwe);
+  if (parsed.expirationTime === void 0 || parsed.expirationTime === null) {
+    return void 0;
+  }
+  const d = new Date(parsed.expirationTime);
+  if (Number.isNaN(d.getTime())) {
+    throw new Error(
+      `Session SIWE has unparseable expirationTime: ${parsed.expirationTime}`
+    );
+  }
+  return d;
+}
+
 // src/TinyCloudNode.ts
 var DEFAULT_HOST = "https://node.tinycloud.xyz";
-var TinyCloudNode = class _TinyCloudNode {
+var _TinyCloudNode = class _TinyCloudNode {
   /**
    * Create a new TinyCloudNode instance.
    *
@@ -18058,12 +18178,12 @@ var TinyCloudNode = class _TinyCloudNode {
       throw new Error("Failed to get session key JWK");
     }
     this.sessionKeyJwk = JSON.parse(jwkStr);
-    this._capabilityRegistry = new import_sdk_core3.CapabilityKeyRegistry();
+    this._capabilityRegistry = new import_sdk_core4.CapabilityKeyRegistry();
     this._keyProvider = new WasmKeyProvider({
       sessionManager: this.sessionManager
     });
-    this.notificationHandler = config.notificationHandler ?? new import_sdk_core3.SilentNotificationHandler();
-    this._sharingService = new import_sdk_core3.SharingService({
+    this.notificationHandler = config.notificationHandler ?? new import_sdk_core4.SilentNotificationHandler();
+    this._sharingService = new import_sdk_core4.SharingService({
       hosts: [this.config.host],
       // session: undefined - not needed for receive()
       invoke: this.wasmBindings.invoke,
@@ -18073,8 +18193,8 @@ var TinyCloudNode = class _TinyCloudNode {
       // delegationManager: undefined - not needed for receive()
       createKVService: (config2) => {
         const prefix = config2.pathPrefix?.replace(/\/$/, "");
-        const kvService = new import_sdk_core3.KVService({ prefix });
-        const kvContext = new import_sdk_core3.ServiceContext({
+        const kvService = new import_sdk_core4.KVService({ prefix });
+        const kvContext = new import_sdk_core4.ServiceContext({
           invoke: config2.invoke,
           fetch: config2.fetch ?? globalThis.fetch.bind(globalThis),
           hosts: config2.hosts
@@ -18127,12 +18247,35 @@ var TinyCloudNode = class _TinyCloudNode {
       enablePublicSpace: config.enablePublicSpace ?? true,
       spaceCreationHandler: config.spaceCreationHandler,
       nonce: config.nonce,
-      siweConfig: config.siweConfig
+      siweConfig: config.siweConfig,
+      manifest: config.manifest
     });
-    this.tc = new import_sdk_core3.TinyCloud(this.auth, {
+    this.tc = new import_sdk_core4.TinyCloud(this.auth, {
       invokeAny: this.wasmBindings.invokeAny
     });
   }
+  /**
+   * Install or replace the manifest that drives the SIWE recap at
+   * sign-in. Takes effect on the next `signIn()` call — the current
+   * session (if any) is not touched. Wire this up from a higher
+   * layer (e.g. TinyCloudWeb.setManifest) so the manifest is kept
+   * in sync across the stack.
+   */
+  setManifest(manifest) {
+    if (!this.auth) {
+      throw new Error(
+        "setManifest requires wallet mode. Provide a signer or privateKey in the TinyCloudNode config."
+      );
+    }
+    this.auth.setManifest(manifest);
+  }
+  /**
+   * Return the manifest currently installed on the auth handler,
+   * or `undefined` if none is set.
+   */
+  get manifest() {
+    return this.auth?.manifest;
+  }
   /**
    * Get the primary identity DID for this user.
    * - If wallet connected and signed in: returns PKH DID (did:pkh:eip155:{chainId}:{address})
@@ -18228,22 +18371,22 @@ var TinyCloudNode = class _TinyCloudNode {
     if (sessionData.chainId) {
       this._chainId = sessionData.chainId;
     }
-    this._serviceContext = new import_sdk_core3.ServiceContext({
+    this._serviceContext = new import_sdk_core4.ServiceContext({
       invoke: this.wasmBindings.invoke,
       invokeAny: this.wasmBindings.invokeAny,
       fetch: globalThis.fetch.bind(globalThis),
       hosts: [this.config.host]
     });
-    this._kv = new import_sdk_core3.KVService({});
+    this._kv = new import_sdk_core4.KVService({});
     this._kv.initialize(this._serviceContext);
     this._serviceContext.registerService("kv", this._kv);
-    this._sql = new import_sdk_core3.SQLService({});
+    this._sql = new import_sdk_core4.SQLService({});
     this._sql.initialize(this._serviceContext);
     this._serviceContext.registerService("sql", this._sql);
-    this._duckdb = new import_sdk_core3.DuckDbService({});
+    this._duckdb = new import_sdk_core4.DuckDbService({});
     this._duckdb.initialize(this._serviceContext);
     this._serviceContext.registerService("duckdb", this._duckdb);
-    this._hooks = new import_sdk_core3.HooksService({});
+    this._hooks = new import_sdk_core4.HooksService({});
     this._hooks.initialize(this._serviceContext);
     this._serviceContext.registerService("hooks", this._hooks);
     const serviceSession = {
@@ -18255,7 +18398,7 @@ var TinyCloudNode = class _TinyCloudNode {
     };
     this._serviceContext.setSession(serviceSession);
     const wasm = this.wasmBindings;
-    const vaultCrypto = (0, import_sdk_core3.createVaultCrypto)({
+    const vaultCrypto = (0, import_sdk_core4.createVaultCrypto)({
       vault_encrypt: wasm.vault_encrypt,
       vault_decrypt: wasm.vault_decrypt,
       vault_derive_key: wasm.vault_derive_key,
@@ -18265,7 +18408,7 @@ var TinyCloudNode = class _TinyCloudNode {
       vault_sha256: wasm.vault_sha256
     });
     const self2 = this;
-    this._vault = new import_sdk_core3.DataVaultService({
+    this._vault = new import_sdk_core4.DataVaultService({
       spaceId: sessionData.spaceId,
       crypto: vaultCrypto,
       tc: {
@@ -18281,8 +18424,8 @@ var TinyCloudNode = class _TinyCloudNode {
         get publicKV() {
           return self2._publicKV ?? self2.tc.publicKV;
         },
-        readPublicSpace: (host, spaceId, key2) => import_sdk_core3.TinyCloud.readPublicSpace(host, spaceId, key2),
-        makePublicSpaceId: import_sdk_core3.TinyCloud.makePublicSpaceId,
+        readPublicSpace: (host, spaceId, key2) => import_sdk_core4.TinyCloud.readPublicSpace(host, spaceId, key2),
+        makePublicSpaceId: import_sdk_core4.TinyCloud.makePublicSpaceId,
         did: this.did,
         address: sessionData.address ?? this._address ?? "",
         chainId: sessionData.chainId ?? this._chainId,
@@ -18345,7 +18488,7 @@ var TinyCloudNode = class _TinyCloudNode {
       nonce: this.config.nonce,
       siweConfig: this.config.siweConfig
     });
-    this.tc = new import_sdk_core3.TinyCloud(this.auth, {
+    this.tc = new import_sdk_core4.TinyCloud(this.auth, {
       invokeAny: this.wasmBindings.invokeAny
     });
     this.config.prefix = prefix;
@@ -18385,7 +18528,7 @@ var TinyCloudNode = class _TinyCloudNode {
       nonce: this.config.nonce,
       siweConfig: this.config.siweConfig
     });
-    this.tc = new import_sdk_core3.TinyCloud(this.auth, {
+    this.tc = new import_sdk_core4.TinyCloud(this.auth, {
       invokeAny: this.wasmBindings.invokeAny
     });
     this.config.prefix = prefix;
@@ -18400,27 +18543,27 @@ var TinyCloudNode = class _TinyCloudNode {
       return;
     }
     this.tc.initializeServices(this.wasmBindings.invoke, [this.config.host]);
-    this._serviceContext = new import_sdk_core3.ServiceContext({
+    this._serviceContext = new import_sdk_core4.ServiceContext({
       invoke: this.wasmBindings.invoke,
       invokeAny: this.wasmBindings.invokeAny,
       fetch: globalThis.fetch.bind(globalThis),
       hosts: [this.config.host]
     });
-    this._kv = new import_sdk_core3.KVService({});
+    this._kv = new import_sdk_core4.KVService({});
     this._kv.initialize(this._serviceContext);
     this._serviceContext.registerService("kv", this._kv);
     const features = this.nodeFeatures;
     if (features.length === 0 || features.includes("sql")) {
-      this._sql = new import_sdk_core3.SQLService({});
+      this._sql = new import_sdk_core4.SQLService({});
       this._sql.initialize(this._serviceContext);
       this._serviceContext.registerService("sql", this._sql);
     }
     if (features.length === 0 || features.includes("duckdb")) {
-      this._duckdb = new import_sdk_core3.DuckDbService({});
+      this._duckdb = new import_sdk_core4.DuckDbService({});
       this._duckdb.initialize(this._serviceContext);
       this._serviceContext.registerService("duckdb", this._duckdb);
     }
-    this._hooks = new import_sdk_core3.HooksService({});
+    this._hooks = new import_sdk_core4.HooksService({});
     this._hooks.initialize(this._serviceContext);
     this._serviceContext.registerService("hooks", this._hooks);
     const serviceSession = {
@@ -18433,7 +18576,7 @@ var TinyCloudNode = class _TinyCloudNode {
     this._serviceContext.setSession(serviceSession);
     this.tc.serviceContext.setSession(serviceSession);
     const wasm = this.wasmBindings;
-    const vaultCrypto = (0, import_sdk_core3.createVaultCrypto)({
+    const vaultCrypto = (0, import_sdk_core4.createVaultCrypto)({
       vault_encrypt: wasm.vault_encrypt,
       vault_decrypt: wasm.vault_decrypt,
       vault_derive_key: wasm.vault_derive_key,
@@ -18443,7 +18586,7 @@ var TinyCloudNode = class _TinyCloudNode {
       vault_sha256: wasm.vault_sha256
     });
     const self2 = this;
-    this._vault = new import_sdk_core3.DataVaultService({
+    this._vault = new import_sdk_core4.DataVaultService({
       spaceId: session.spaceId,
       crypto: vaultCrypto,
       tc: {
@@ -18459,8 +18602,8 @@ var TinyCloudNode = class _TinyCloudNode {
         get publicKV() {
           return self2._publicKV ?? self2.tc.publicKV;
         },
-        readPublicSpace: (host, spaceId, key2) => import_sdk_core3.TinyCloud.readPublicSpace(host, spaceId, key2),
-        makePublicSpaceId: import_sdk_core3.TinyCloud.makePublicSpaceId,
+        readPublicSpace: (host, spaceId, key2) => import_sdk_core4.TinyCloud.readPublicSpace(host, spaceId, key2),
+        makePublicSpaceId: import_sdk_core4.TinyCloud.makePublicSpaceId,
         did: this.did,
         address: this._address,
         chainId: this._chainId,
@@ -18476,7 +18619,7 @@ var TinyCloudNode = class _TinyCloudNode {
    * @internal
    */
   initializeV2Services(serviceSession) {
-    this._capabilityRegistry = new import_sdk_core3.CapabilityKeyRegistry();
+    this._capabilityRegistry = new import_sdk_core4.CapabilityKeyRegistry();
     const tcSession = this.auth?.tinyCloudSession;
     if (tcSession && this._address) {
       const sessionKey = {
@@ -18550,13 +18693,13 @@ var TinyCloudNode = class _TinyCloudNode {
       }
       this._capabilityRegistry.registerKey(sessionKey, delegations);
     }
-    this._delegationManager = new import_sdk_core3.DelegationManager({
+    this._delegationManager = new import_sdk_core4.DelegationManager({
       hosts: [this.config.host],
       session: serviceSession,
       invoke: this.wasmBindings.invoke,
       fetch: globalThis.fetch.bind(globalThis)
     });
-    this._spaceService = new import_sdk_core3.SpaceService({
+    this._spaceService = new import_sdk_core4.SpaceService({
       hosts: [this.config.host],
       session: serviceSession,
       invoke: this.wasmBindings.invoke,
@@ -18564,9 +18707,9 @@ var TinyCloudNode = class _TinyCloudNode {
       capabilityRegistry: this._capabilityRegistry,
       userDid: this.did,
       createKVService: (spaceId) => {
-        const kvService = new import_sdk_core3.KVService({});
+        const kvService = new import_sdk_core4.KVService({});
         if (this._serviceContext) {
-          const spaceScopedContext = new import_sdk_core3.ServiceContext({
+          const spaceScopedContext = new import_sdk_core4.ServiceContext({
             invoke: this._serviceContext.invoke,
             fetch: this._serviceContext.fetch,
             hosts: this._serviceContext.hosts
@@ -18639,7 +18782,19 @@ var TinyCloudNode = class _TinyCloudNode {
   }
   /**
    * Wrapper for the WASM createDelegation function.
-   * Adapts the WASM interface to what SharingService expects.
+   *
+   * The WASM call now takes a multi-resource `abilities` map
+   * (matching `prepareSession`'s shape) and emits ONE UCAN that
+   * covers every `(service, path, actions)` entry. We mirror the raw
+   * result back through `CreateDelegationWasmResult`, converting the
+   * seconds-since-epoch `expiry` to a Date and normalizing the
+   * `delegateDid` → `delegateDID` case.
+   *
+   * Both SharingService (single-entry) and
+   * {@link TinyCloudNode.delegateTo} (multi-entry) drive this through
+   * the same code path so there's exactly one place that touches the
+   * WASM boundary.
+   *
    * @internal
    */
   createDelegationWrapper(params) {
@@ -18654,18 +18809,19 @@ var TinyCloudNode = class _TinyCloudNode {
       wasmSession,
       params.delegateDID,
       params.spaceId,
-      params.path,
-      params.actions,
+      params.abilities,
       params.expirationSecs,
       params.notBeforeSecs
     );
     return {
       delegation: result.delegation,
       cid: result.cid,
-      delegateDID: result.delegateDid,
-      path: result.path,
-      actions: result.actions,
-      expiry: new Date(result.expiry * 1e3)
+      // Rust serde `rename_all = "camelCase"` emits `delegateDid`
+      // (lowercase d); the TypeScript interface uses `delegateDID`
+      // (historical, matches Delegation.delegateDID). Normalize here.
+      delegateDID: result.delegateDid ?? result.delegateDID,
+      expiry: new Date(result.expiry * 1e3),
+      resources: result.resources
     };
   }
   /**
@@ -18705,7 +18861,7 @@ var TinyCloudNode = class _TinyCloudNode {
         ...prepared,
         signature: signature2
       });
-      const activateResult = await (0, import_sdk_core3.activateSessionWithHost)(
+      const activateResult = await (0, import_sdk_core4.activateSessionWithHost)(
         host,
         delegationSession.delegationHeader
       );
@@ -18772,7 +18928,7 @@ var TinyCloudNode = class _TinyCloudNode {
     if (!this._sql) {
       const features = this.nodeFeatures;
       if (features.length > 0 && !features.includes("sql")) {
-        throw new import_sdk_core3.UnsupportedFeatureError("sql", this.config.host, features);
+        throw new import_sdk_core4.UnsupportedFeatureError("sql", this.config.host, features);
       }
       throw new Error("Not signed in. Call signIn() first.");
     }
@@ -18785,7 +18941,7 @@ var TinyCloudNode = class _TinyCloudNode {
     if (!this._duckdb) {
       const features = this.nodeFeatures;
       if (features.length > 0 && !features.includes("duckdb")) {
-        throw new import_sdk_core3.UnsupportedFeatureError("duckdb", this.config.host, features);
+        throw new import_sdk_core4.UnsupportedFeatureError("duckdb", this.config.host, features);
       }
       throw new Error("Not signed in. Call signIn() first.");
     }
@@ -19024,7 +19180,7 @@ var TinyCloudNode = class _TinyCloudNode {
       ...prepared,
       signature: signature2
     });
-    const activateResult = await (0, import_sdk_core3.activateSessionWithHost)(
+    const activateResult = await (0, import_sdk_core4.activateSessionWithHost)(
       this.config.host,
       delegationSession.delegationHeader
     );
@@ -19051,8 +19207,8 @@ var TinyCloudNode = class _TinyCloudNode {
       }]);
     }
     if (this._serviceContext) {
-      const publicKV = new import_sdk_core3.KVService({ prefix: "" });
-      const publicContext = new import_sdk_core3.ServiceContext({
+      const publicKV = new import_sdk_core4.KVService({ prefix: "" });
+      const publicContext = new import_sdk_core4.ServiceContext({
         invoke: this.wasmBindings.invoke,
         fetch: this._serviceContext.fetch,
         hosts: this._serviceContext.hosts
@@ -19137,6 +19293,209 @@ var TinyCloudNode = class _TinyCloudNode {
   async checkPermission(path, action) {
     return this.delegationManager.checkPermission(path, action);
   }
+  /**
+   * Issue a delegation using the capability-chain flow.
+   *
+   * When every requested permission is a subset of the current
+   * session's recap, the delegation is signed by the session key via
+   * WASM — no wallet prompt. When at least one is NOT derivable, a
+   * {@link PermissionNotInManifestError} is raised (carrying the
+   * missing entries) so the caller can trigger an escalation flow
+   * (e.g. `TinyCloudWeb.requestPermissions`). Passing
+   * `forceWalletSign: true` bypasses the derivability check and
+   * always uses the wallet-signed SIWE path — used by the legacy
+   * `createDelegation` fallback and by callers that want explicit
+   * wallet confirmation.
+   *
+   * Multi-entry delegations are now emitted as **one** signed UCAN:
+   * the underlying WASM `createDelegation` takes a full
+   * `HashMap<Service, HashMap<Path, Vec<Ability>>>` abilities map
+   * and produces a single attenuation carrying every
+   * `(service, path, actions)` entry. The returned
+   * {@link DelegateToResult.delegation} is that single blob, and
+   * apps can POST it to their backend exactly like a single-entry
+   * delegation (the server verifies all granted resources from one
+   * UCAN).
+   *
+   * For single-entry requests the `PortableDelegation.path` and
+   * `.actions` fields mirror the one granted entry. For
+   * multi-entry requests they mirror the **first** entry (stable
+   * lexicographic order from the Rust side); consumers that need
+   * the full picture read `PortableDelegation.resources`.
+   *
+   * @throws {@link SessionExpiredError} when there is no session or
+   *   the current session has expired (or will within the 60s
+   *   safety margin).
+   * @throws {@link PermissionNotInManifestError} when any requested
+   *   entry is not a subset of the granted session capabilities and
+   *   `forceWalletSign` is not set.
+   */
+  async delegateTo(did, permissions, options) {
+    const session = this.auth?.tinyCloudSession;
+    if (!session) {
+      throw new import_sdk_core4.SessionExpiredError(/* @__PURE__ */ new Date(0));
+    }
+    const sessionExpiry = extractSiweExpiration(session.siwe);
+    if (sessionExpiry !== void 0) {
+      const now2 = Date.now();
+      const marginMs = _TinyCloudNode.SESSION_EXPIRY_SAFETY_MARGIN_MS;
+      if (sessionExpiry.getTime() <= now2 + marginMs) {
+        throw new import_sdk_core4.SessionExpiredError(sessionExpiry);
+      }
+    }
+    if (!Array.isArray(permissions) || permissions.length === 0) {
+      throw new Error(
+        "delegateTo requires a non-empty permissions array"
+      );
+    }
+    const expandedEntries = permissions.map((entry) => ({
+      ...entry,
+      actions: (0, import_sdk_core4.expandActionShortNames)(entry.service, entry.actions)
+    }));
+    const now = /* @__PURE__ */ new Date();
+    const expiryMs = resolveExpiryMs(options?.expiry);
+    const expirationTime = new Date(now.getTime() + expiryMs);
+    let effectiveExpiration = expirationTime;
+    if (sessionExpiry !== void 0 && sessionExpiry < expirationTime) {
+      effectiveExpiration = sessionExpiry;
+    }
+    if (options?.forceWalletSign) {
+      if (expandedEntries.length > 1) {
+        throw new Error(
+          "delegateTo with forceWalletSign=true supports at most one PermissionEntry. Multi-entry requests must go through the session-key UCAN path (drop forceWalletSign) or the legacy createDelegation method."
+        );
+      }
+      const delegation2 = await this.createDelegationLegacyWalletPath(
+        did,
+        expandedEntries[0],
+        effectiveExpiration
+      );
+      return { delegation: delegation2, prompted: true };
+    }
+    const granted = (0, import_sdk_core4.parseRecapCapabilities)(
+      (siwe) => this.wasmBindings.parseRecapFromSiwe(siwe),
+      session.siwe
+    );
+    const { subset, missing } = (0, import_sdk_core4.isCapabilitySubset)(expandedEntries, granted);
+    if (!subset) {
+      throw new import_sdk_core4.PermissionNotInManifestError(missing, granted);
+    }
+    const delegation = await this.createDelegationViaWasmPath(
+      did,
+      expandedEntries,
+      effectiveExpiration,
+      session
+    );
+    return { delegation, prompted: false };
+  }
+  /**
+   * Issue a delegation via the session-key UCAN WASM path.
+   *
+   * The caller has already verified every entry is derivable from
+   * the current session; we build one multi-resource abilities map
+   * and emit one signed UCAN covering them all.
+   *
+   * All entries must share the same target space (the UCAN is
+   * scoped to a single space). If they don't, this throws — mixing
+   * spaces in a single delegation is not supported by the underlying
+   * Rust create_delegation call and the resulting UCAN would be
+   * under-specified.
+   *
+   * @internal
+   */
+  async createDelegationViaWasmPath(did, entries, expirationTime, session) {
+    if (entries.length === 0) {
+      throw new Error(
+        "createDelegationViaWasmPath requires a non-empty entries array"
+      );
+    }
+    const resolvedSpaces = /* @__PURE__ */ new Set();
+    for (const entry of entries) {
+      const spaceId2 = entry.space === "default" ? session.spaceId : entry.space;
+      resolvedSpaces.add(spaceId2);
+    }
+    if (resolvedSpaces.size !== 1) {
+      throw new Error(
+        `delegateTo: all permission entries must target the same space, got ${resolvedSpaces.size}: ${JSON.stringify([...resolvedSpaces])}`
+      );
+    }
+    const spaceId = [...resolvedSpaces][0];
+    const abilities = {};
+    for (const entry of entries) {
+      const shortService = import_sdk_core4.SERVICE_LONG_TO_SHORT[entry.service];
+      if (shortService === void 0) {
+        throw new Error(
+          `delegateTo: unknown service '${entry.service}' \u2014 no short-form mapping`
+        );
+      }
+      if (abilities[shortService] === void 0) {
+        abilities[shortService] = {};
+      }
+      const pathsMap = abilities[shortService];
+      const existing = pathsMap[entry.path];
+      if (existing === void 0) {
+        pathsMap[entry.path] = [...entry.actions];
+      } else {
+        const seen = new Set(existing);
+        for (const action of entry.actions) {
+          if (!seen.has(action)) {
+            existing.push(action);
+            seen.add(action);
+          }
+        }
+      }
+    }
+    const serviceSession = {
+      delegationHeader: session.delegationHeader,
+      delegationCid: session.delegationCid,
+      jwk: session.jwk,
+      spaceId,
+      verificationMethod: session.verificationMethod
+    };
+    const expirationSecs = Math.floor(expirationTime.getTime() / 1e3);
+    const result = this.createDelegationWrapper({
+      session: serviceSession,
+      delegateDID: did,
+      spaceId,
+      abilities,
+      expirationSecs
+    });
+    const primary = result.resources[0];
+    return {
+      cid: result.cid,
+      delegationHeader: { Authorization: `Bearer ${result.delegation}` },
+      spaceId,
+      path: primary.path,
+      actions: primary.actions,
+      resources: result.resources,
+      disableSubDelegation: false,
+      expiry: result.expiry,
+      delegateDID: did,
+      ownerAddress: session.address,
+      chainId: session.chainId,
+      host: this.config.host
+    };
+  }
+  /**
+   * Issue a delegation via the legacy wallet-signed SIWE path for a single
+   * {@link PermissionEntry}. Shares the implementation with the public
+   * `createDelegation` method via {@link createDelegationWalletPath} so
+   * both entry points hit exactly the same SIWE / signer / public-space
+   * logic without mutual recursion.
+   *
+   * @internal
+   */
+  async createDelegationLegacyWalletPath(delegateDID, entry, expirationTime) {
+    const spaceIdOverride = entry.space === "default" ? void 0 : entry.space;
+    return this.createDelegationWalletPath({
+      path: entry.path,
+      actions: entry.actions,
+      delegateDID,
+      includePublicSpace: true,
+      expiryMs: Math.max(0, expirationTime.getTime() - Date.now()),
+      spaceIdOverride
+    });
+  }
   /**
    * Create a delegation from this user to another user.
    *
@@ -19147,6 +19506,49 @@ var TinyCloudNode = class _TinyCloudNode {
    * @returns A portable delegation that can be sent to the recipient
    */
   async createDelegation(params) {
+    if (!this.signer) {
+      throw new Error("Cannot createDelegation() in session-only mode. Requires wallet mode.");
+    }
+    if (!this.auth?.tinyCloudSession) {
+      throw new Error("Not signed in. Call signIn() first.");
+    }
+    let resolvedDelegateDID = params.delegateDID;
+    if (resolvedDelegateDID.endsWith(".eth") && this.config.ensResolver) {
+      const address = await this.config.ensResolver.resolveAddress(resolvedDelegateDID);
+      if (!address) throw new Error(`Could not resolve ENS name: ${resolvedDelegateDID}`);
+      resolvedDelegateDID = `did:pkh:eip155:1:${address}`;
+    }
+    const entries = legacyParamsToPermissionEntries(
+      params.actions,
+      params.path,
+      params.spaceIdOverride
+    );
+    try {
+      const result = await this.delegateTo(
+        resolvedDelegateDID,
+        entries,
+        params.expiryMs !== void 0 ? { expiry: params.expiryMs } : void 0
+      );
+      return result.delegation;
+    } catch (err) {
+      if (err instanceof import_sdk_core4.PermissionNotInManifestError) {
+      } else {
+        throw err;
+      }
+    }
+    return this.createDelegationWalletPath({
+      ...params,
+      delegateDID: resolvedDelegateDID
+    });
+  }
+  /**
+   * Legacy wallet-signed SIWE delegation path. Lifted from the original
+   * `createDelegation` body verbatim so both the legacy public method and
+   * `delegateTo({ forceWalletSign: true })` hit the same code.
+   *
+   * @internal
+   */
+  async createDelegationWalletPath(params) {
     if (!this.signer) {
       throw new Error("Cannot createDelegation() in session-only mode. Requires wallet mode.");
     }
@@ -19154,11 +19556,6 @@ var TinyCloudNode = class _TinyCloudNode {
     if (!session) {
       throw new Error("Not signed in. Call signIn() first.");
     }
-    if (params.delegateDID.endsWith(".eth") && this.config.ensResolver) {
-      const address = await this.config.ensResolver.resolveAddress(params.delegateDID);
-      if (!address) throw new Error(`Could not resolve ENS name: ${params.delegateDID}`);
-      params = { ...params, delegateDID: `did:pkh:eip155:1:${address}` };
-    }
     const abilities = {};
     const kvActions = params.actions.filter((a) => a.startsWith("tinycloud.kv/"));
     const sqlActions = params.actions.filter((a) => a.startsWith("tinycloud.sql/"));
@@ -19191,7 +19588,7 @@ var TinyCloudNode = class _TinyCloudNode {
       ...prepared,
       signature: signature2
     });
-    const activateResult = await (0, import_sdk_core3.activateSessionWithHost)(
+    const activateResult = await (0, import_sdk_core4.activateSessionWithHost)(
       this.config.host,
       delegationSession.delegationHeader
     );
@@ -19213,7 +19610,7 @@ var TinyCloudNode = class _TinyCloudNode {
     };
     const hasKvActions = params.actions.some((a) => a.startsWith("tinycloud.kv/"));
     if (hasKvActions && params.includePublicSpace !== false) {
-      const publicSpaceId = (0, import_sdk_core3.makePublicSpaceId)(
+      const publicSpaceId = (0, import_sdk_core4.makePublicSpaceId)(
         this.wasmBindings.ensureEip55(session.address),
         session.chainId
       );
@@ -19236,7 +19633,7 @@ var TinyCloudNode = class _TinyCloudNode {
         ...publicPrepared,
         signature: publicSignature
       });
-      const publicActivateResult = await (0, import_sdk_core3.activateSessionWithHost)(
+      const publicActivateResult = await (0, import_sdk_core4.activateSessionWithHost)(
         this.config.host,
         publicSession.delegationHeader
       );
@@ -19335,7 +19732,7 @@ var TinyCloudNode = class _TinyCloudNode {
       ...prepared,
       signature: signature2
     });
-    const activateResult = await (0, import_sdk_core3.activateSessionWithHost)(
+    const activateResult = await (0, import_sdk_core4.activateSessionWithHost)(
       targetHost,
       invokerSession.delegationHeader
     );
@@ -19424,7 +19821,7 @@ var TinyCloudNode = class _TinyCloudNode {
       ...prepared,
       signature: signature2
     });
-    const activateResult = await (0, import_sdk_core3.activateSessionWithHost)(
+    const activateResult = await (0, import_sdk_core4.activateSessionWithHost)(
       targetHost,
       subDelegationSession.delegationHeader
     );
@@ -19446,6 +19843,18 @@ var TinyCloudNode = class _TinyCloudNode {
     };
   }
 };
+// ===========================================================================
+// Capability-chain delegation (spec: .claude/specs/capability-chain.md)
+// ===========================================================================
+/**
+ * Safety margin before the session's own expiry at which {@link delegateTo}
+ * will refuse to issue a derived delegation. Prevents issuing sub-delegations
+ * that would be invalid by the time the recipient used them. Spec: 60 seconds.
+ *
+ * @internal
+ */
+_TinyCloudNode.SESSION_EXPIRY_SAFETY_MARGIN_MS = 6e4;
+var TinyCloudNode = _TinyCloudNode;
 
 // src/nodeDefaults.ts
 TinyCloudNode.registerNodeDefaults({
@@ -19454,11 +19863,11 @@ TinyCloudNode.registerNodeDefaults({
 });
 
 // src/index.ts
-var import_sdk_core5 = require("@tinycloud/sdk-core");
 var import_sdk_core6 = require("@tinycloud/sdk-core");
+var import_sdk_core7 = require("@tinycloud/sdk-core");
 
 // src/storage/FileSessionStorage.ts
-var import_sdk_core4 = require("@tinycloud/sdk-core");
+var import_sdk_core5 = require("@tinycloud/sdk-core");
 var import_fs = require("fs");
 var import_path = require("path");
 var FileSessionStorage = class {
@@ -19513,7 +19922,7 @@ var FileSessionStorage = class {
     try {
       const data = (0, import_fs.readFileSync)(filePath, "utf-8");
       const parsed = JSON.parse(data);
-      const validation = (0, import_sdk_core4.validatePersistedSessionData)(parsed);
+      const validation = (0, import_sdk_core5.validatePersistedSessionData)(parsed);
       if (!validation.ok) {
         console.warn(`Invalid session data for ${address}:`, validation.error.message);
         (0, import_fs.unlinkSync)(filePath);
@@ -19577,6 +19986,9 @@ var FileSessionStorage = class {
   }
 };
 
+// src/index.ts
+var import_sdk_core8 = require("@tinycloud/sdk-core");
+
 // src/delegation.ts
 function serializeDelegation(delegation) {
   return JSON.stringify({
@@ -19594,8 +20006,6 @@ function deserializeDelegation(data) {
 }
 
 // src/index.ts
-var import_sdk_core7 = require("@tinycloud/sdk-core");
-var import_sdk_core8 = require("@tinycloud/sdk-core");
 var import_sdk_core9 = require("@tinycloud/sdk-core");
 var import_sdk_core10 = require("@tinycloud/sdk-core");
 var import_sdk_core11 = require("@tinycloud/sdk-core");
@@ -19604,6 +20014,8 @@ var import_sdk_core13 = require("@tinycloud/sdk-core");
 var import_sdk_core14 = require("@tinycloud/sdk-core");
 var import_sdk_core15 = require("@tinycloud/sdk-core");
 var import_sdk_core16 = require("@tinycloud/sdk-core");
+var import_sdk_core17 = require("@tinycloud/sdk-core");
+var import_sdk_core18 = require("@tinycloud/sdk-core");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   AutoApproveSpaceCreationHandler,
@@ -19620,15 +20032,18 @@ var import_sdk_core16 = require("@tinycloud/sdk-core");
   FileSessionStorage,
   HooksService,
   KVService,
+  ManifestValidationError,
   MemorySessionStorage,
   NodeUserAuthorization,
   NodeWasmBindings,
+  PermissionNotInManifestError,
   PrefixedKVService,
   PrivateKeySigner,
   ProtocolMismatchError,
   SQLAction,
   SQLService,
   ServiceContext,
+  SessionExpiredError,
   SharingService,
   SilentNotificationHandler,
   Space,
@@ -19651,9 +20066,15 @@ var import_sdk_core16 = require("@tinycloud/sdk-core");
   defaultSignStrategy,
   defaultSpaceCreationHandler,
   deserializeDelegation,
+  expandActionShortNames,
+  isCapabilitySubset,
+  loadManifest,
   makePublicSpaceId,
+  parseExpiry,
   parseSpaceUri,
-  serializeDelegation
+  resolveManifest,
+  serializeDelegation,
+  validateManifest
 });
 /*! Bundled license information: