npm - @tinycloud/node-sdk - Versions diffs - 2.1.0-beta.6 → 2.2.0-beta.0 - Mend

@tinycloud/node-sdk 2.1.0-beta.6 → 2.2.0-beta.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/index.d.cts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { ISigner, Bytes, IWasmBindings, ISessionManager } from '@tinycloud/sdk-core';
-export { AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, CreateDelegationParams, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IngestOptions, InvokeFunction, JWK, KVResponse, KVService, KVServiceConfig, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestDelegation, ManifestValidationError, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResourceCapability, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, buildSpaceUri, checkNodeInfo, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, expandActionShortNames, isCapabilitySubset, loadManifest, makePublicSpaceId, parseExpiry, parseSpaceUri, resolveManifest, validateManifest } from '@tinycloud/sdk-core';
+export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IngestOptions, InvokeFunction, JWK, KVResponse, KVService, KVServiceConfig, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestValidationError, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResourceCapability, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, buildSpaceUri, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, expandActionShortNames, isCapabilitySubset, loadManifest, makePublicSpaceId, parseExpiry, parseSpaceUri, resolveManifest, resourceCapabilitiesToSpaceAbilitiesMap, validateManifest } from '@tinycloud/sdk-core';
 export { DelegateToOptions, DelegateToResult, DelegatedAccess, FileSessionStorage, MemorySessionStorage, NodeEventEmitterStrategy, NodeUserAuthorization, NodeUserAuthorizationConfig, PortableDelegation, SignStrategy, TinyCloudNode, TinyCloudNodeConfig, WasmKeyProvider, WasmKeyProviderConfig, createWasmKeyProvider, defaultSignStrategy, deserializeDelegation, serializeDelegation } from './core.cjs';
 import { invoke, invokeAny, prepareSession, completeSessionSetup, ensureEip55, makeSpaceId, createDelegation, parseRecapFromSiwe, generateHostSIWEMessage, siweToDelegationHeaders, protocolVersion, vault_encrypt, vault_decrypt, vault_derive_key, vault_x25519_from_seed, vault_x25519_dh, vault_random_bytes, vault_sha256 } from '@tinycloud/node-sdk-wasm';
 import 'events';

package/dist/index.d.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { ISigner, Bytes, IWasmBindings, ISessionManager } from '@tinycloud/sdk-core';
-export { AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, CreateDelegationParams, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IngestOptions, InvokeFunction, JWK, KVResponse, KVService, KVServiceConfig, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestDelegation, ManifestValidationError, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResourceCapability, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, buildSpaceUri, checkNodeInfo, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, expandActionShortNames, isCapabilitySubset, loadManifest, makePublicSpaceId, parseExpiry, parseSpaceUri, resolveManifest, validateManifest } from '@tinycloud/sdk-core';
+export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IngestOptions, InvokeFunction, JWK, KVResponse, KVService, KVServiceConfig, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestValidationError, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResourceCapability, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, buildSpaceUri, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, expandActionShortNames, isCapabilitySubset, loadManifest, makePublicSpaceId, parseExpiry, parseSpaceUri, resolveManifest, resourceCapabilitiesToSpaceAbilitiesMap, validateManifest } from '@tinycloud/sdk-core';
 export { DelegateToOptions, DelegateToResult, DelegatedAccess, FileSessionStorage, MemorySessionStorage, NodeEventEmitterStrategy, NodeUserAuthorization, NodeUserAuthorizationConfig, PortableDelegation, SignStrategy, TinyCloudNode, TinyCloudNodeConfig, WasmKeyProvider, WasmKeyProviderConfig, createWasmKeyProvider, defaultSignStrategy, deserializeDelegation, serializeDelegation } from './core.js';
 import { invoke, invokeAny, prepareSession, completeSessionSetup, ensureEip55, makeSpaceId, createDelegation, parseRecapFromSiwe, generateHostSIWEMessage, siweToDelegationHeaders, protocolVersion, vault_encrypt, vault_decrypt, vault_derive_key, vault_x25519_from_seed, vault_x25519_dh, vault_random_bytes, vault_sha256 } from '@tinycloud/node-sdk-wasm';
 import 'events';

package/dist/index.js CHANGED Viewed

@@ -17168,6 +17168,7 @@ import {
   SharingService,
   UnsupportedFeatureError,
   makePublicSpaceId,
+  ACCOUNT_REGISTRY_SPACE,
   PermissionNotInManifestError,
   SessionExpiredError,
   expandActionShortNames,
@@ -17183,8 +17184,10 @@ import {
   activateSessionWithHost,
   checkNodeInfo,
   AutoApproveSpaceCreationHandler,
-  manifestAbilitiesUnion,
-  resolveManifest
+  DEFAULT_MANIFEST_SPACE,
+  composeManifestRequest,
+  resourceCapabilitiesToAbilitiesMap,
+  resourceCapabilitiesToSpaceAbilitiesMap
 } from "@tinycloud/sdk-core";
 // src/authorization/strategies.ts
@@ -17324,7 +17327,9 @@ var NodeUserAuthorization = class {
     this.enablePublicSpace = config.enablePublicSpace ?? true;
     this.nonce = config.nonce;
     this.siweConfig = config.siweConfig;
+    this.includeAccountRegistryPermissions = config.includeAccountRegistryPermissions ?? true;
     this._manifest = config.manifest;
+    this._capabilityRequest = config.capabilityRequest;
     this.sessionManager = this.wasm.createSessionManager();
   }
   /**
@@ -17336,12 +17341,19 @@ var NodeUserAuthorization = class {
   get manifest() {
     return this._manifest;
   }
+  get capabilityRequest() {
+    return this.getCapabilityRequest();
+  }
   /**
    * Install or replace the stored manifest. Takes effect on the next
    * `signIn()` call — the current session (if any) is not touched.
    */
   setManifest(manifest) {
     this._manifest = manifest;
+    this._capabilityRequest = void 0;
+  }
+  setCapabilityRequest(request) {
+    this._capabilityRequest = request;
   }
   /**
    * The current active session (web-core compatible).
@@ -17385,12 +17397,51 @@ var NodeUserAuthorization = class {
    *
    * @internal
    */
-  resolveSignInAbilities() {
+  getCapabilityRequest() {
+    if (this._capabilityRequest !== void 0) {
+      return this._capabilityRequest;
+    }
     if (this._manifest === void 0) {
-      return this.defaultActions;
+      return void 0;
+    }
+    this._capabilityRequest = composeManifestRequest(
+      Array.isArray(this._manifest) ? this._manifest : [this._manifest],
+      {
+        includeAccountRegistryPermissions: this.includeAccountRegistryPermissions
+      }
+    );
+    return this._capabilityRequest;
+  }
+  resolveSpaceName(space, address, chainId) {
+    if (space.startsWith("tinycloud:")) {
+      return space;
     }
-    const resolved = resolveManifest(this._manifest);
-    return manifestAbilitiesUnion(resolved);
+    return this.wasm.makeSpaceId(address, chainId, space);
+  }
+  resolveSignInCapabilities(address, chainId) {
+    const request = this.getCapabilityRequest();
+    if (request === void 0) {
+      return {
+        abilities: this.defaultActions,
+        spaceId: this.wasm.makeSpaceId(address, chainId, this.spacePrefix)
+      };
+    }
+    const primarySpaceName = request.resources.find((entry) => entry.space !== "account")?.space ?? DEFAULT_MANIFEST_SPACE;
+    const primarySpaceId = this.resolveSpaceName(
+      primarySpaceName,
+      address,
+      chainId
+    );
+    const bySpace = resourceCapabilitiesToSpaceAbilitiesMap(request.resources);
+    const spaceAbilities = {};
+    for (const [space, abilities] of Object.entries(bySpace)) {
+      spaceAbilities[this.resolveSpaceName(space, address, chainId)] = abilities;
+    }
+    return {
+      abilities: spaceAbilities[primarySpaceId] ?? resourceCapabilitiesToAbilitiesMap([]),
+      spaceId: primarySpaceId,
+      spaceAbilities
+    };
   }
   /**
    * Build SIWE overrides from the top-level nonce and siweConfig.
@@ -17471,6 +17522,13 @@ var NodeUserAuthorization = class {
   async hostPublicSpace(spaceId) {
     return this.hostSpace(spaceId);
   }
+  /**
+   * Create a specific owned space on the server via host delegation.
+   * Used by manifest registry setup for the account space.
+   */
+  async hostOwnedSpace(spaceId) {
+    return this.hostSpace(spaceId);
+  }
   /**
    * Ensure the user's space exists on the TinyCloud server.
    * Creates the space if it doesn't exist and autoCreateSpace is enabled.
@@ -17599,11 +17657,13 @@ var NodeUserAuthorization = class {
       throw new Error("Failed to create session key");
     }
     const jwk = JSON.parse(jwkString);
-    const spaceId = this.wasm.makeSpaceId(address, chainId, this.spacePrefix);
+    const capabilityPlan = this.resolveSignInCapabilities(address, chainId);
+    const spaceId = capabilityPlan.spaceId;
     const now = /* @__PURE__ */ new Date();
     const expirationTime = new Date(now.getTime() + this.sessionExpirationMs);
     const prepared = this.wasm.prepareSession({
-      abilities: this.resolveSignInAbilities(),
+      abilities: capabilityPlan.abilities,
+      ...capabilityPlan.spaceAbilities !== void 0 ? { spaceAbilities: capabilityPlan.spaceAbilities } : {},
       address,
       chainId,
       domain: this.domain,
@@ -17742,11 +17802,13 @@ var NodeUserAuthorization = class {
       throw new Error("Failed to create session key");
     }
     const jwk = JSON.parse(jwkString);
-    const spaceId = this.wasm.makeSpaceId(address, chainId, this.spacePrefix);
+    const capabilityPlan = this.resolveSignInCapabilities(address, chainId);
+    const spaceId = capabilityPlan.spaceId;
     const now = /* @__PURE__ */ new Date();
     const expirationTime = new Date(now.getTime() + this.sessionExpirationMs);
     const prepared = this.wasm.prepareSession({
-      abilities: this.resolveSignInAbilities(),
+      abilities: capabilityPlan.abilities,
+      ...capabilityPlan.spaceAbilities !== void 0 ? { spaceAbilities: capabilityPlan.spaceAbilities } : {},
       address,
       chainId,
       domain: this.domain,
@@ -18262,7 +18324,9 @@ var _TinyCloudNode = class _TinyCloudNode {
       spaceCreationHandler: config.spaceCreationHandler,
       nonce: config.nonce,
       siweConfig: config.siweConfig,
-      manifest: config.manifest
+      manifest: config.manifest,
+      capabilityRequest: config.capabilityRequest,
+      includeAccountRegistryPermissions: config.includeAccountRegistryPermissions
     });
     this.tc = new TinyCloud(this.auth, {
       invokeAny: this.wasmBindings.invokeAny
@@ -18281,8 +18345,20 @@ var _TinyCloudNode = class _TinyCloudNode {
         "setManifest requires wallet mode. Provide a signer or privateKey in the TinyCloudNode config."
       );
     }
+    this.config.manifest = manifest;
+    this.config.capabilityRequest = void 0;
     this.auth.setManifest(manifest);
   }
+  setCapabilityRequest(request) {
+    if (!this.auth) {
+      throw new Error(
+        "setCapabilityRequest requires wallet mode. Provide a signer or privateKey in the TinyCloudNode config."
+      );
+    }
+    this.config.capabilityRequest = request;
+    this.config.manifest = request?.manifests;
+    this.auth.setCapabilityRequest(request);
+  }
   /**
    * Return the manifest currently installed on the auth handler,
    * or `undefined` if none is set.
@@ -18290,6 +18366,9 @@ var _TinyCloudNode = class _TinyCloudNode {
   get manifest() {
     return this.auth?.manifest;
   }
+  get capabilityRequest() {
+    return this.auth?.capabilityRequest;
+  }
   /**
    * Get the primary identity DID for this user.
    * - If wallet connected and signed in: returns PKH DID (did:pkh:eip155:{chainId}:{address})
@@ -18363,8 +18442,39 @@ var _TinyCloudNode = class _TinyCloudNode {
     this._serviceContext = void 0;
     await this.tc.signIn(options);
     this.initializeServices();
+    await this.writeManifestRegistryRecords();
     this.notificationHandler.success("Successfully signed in");
   }
+  ownedSpaceId(name) {
+    if (!this._address) {
+      throw new Error("Cannot resolve owned space before sign-in");
+    }
+    return this.wasmBindings.makeSpaceId(this._address, this._chainId, name);
+  }
+  async writeManifestRegistryRecords() {
+    const request = this.capabilityRequest;
+    if (!request || request.registryRecords.length === 0) {
+      return;
+    }
+    if (!this.auth || !this.signer) {
+      throw new Error("Manifest registry write requires wallet mode");
+    }
+    const accountSpaceId = this.ownedSpaceId(ACCOUNT_REGISTRY_SPACE);
+    await this.auth.hostOwnedSpace(accountSpaceId);
+    const accountKV = this.spaces.get(accountSpaceId).kv;
+    for (const record of request.registryRecords) {
+      const result = await accountKV.put(record.key, {
+        app_id: record.app_id,
+        manifests: record.manifests,
+        updated_at: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      if (!result.ok) {
+        throw new Error(
+          `Failed to write manifest registry record ${record.key}: ${result.error.message}`
+        );
+      }
+    }
+  }
   /**
    * Restore a previously established session from stored delegation data.
    *
@@ -18502,7 +18612,10 @@ var _TinyCloudNode = class _TinyCloudNode {
       enablePublicSpace: this.config.enablePublicSpace ?? true,
       spaceCreationHandler: this.config.spaceCreationHandler,
       nonce: this.config.nonce,
-      siweConfig: this.config.siweConfig
+      siweConfig: this.config.siweConfig,
+      manifest: this.config.manifest,
+      capabilityRequest: this.config.capabilityRequest,
+      includeAccountRegistryPermissions: this.config.includeAccountRegistryPermissions
     });
     this.tc = new TinyCloud(this.auth, {
       invokeAny: this.wasmBindings.invokeAny
@@ -18542,7 +18655,10 @@ var _TinyCloudNode = class _TinyCloudNode {
       enablePublicSpace: this.config.enablePublicSpace ?? true,
       spaceCreationHandler: this.config.spaceCreationHandler,
       nonce: this.config.nonce,
-      siweConfig: this.config.siweConfig
+      siweConfig: this.config.siweConfig,
+      manifest: this.config.manifest,
+      capabilityRequest: this.config.capabilityRequest,
+      includeAccountRegistryPermissions: this.config.includeAccountRegistryPermissions
     });
     this.tc = new TinyCloud(this.auth, {
       invokeAny: this.wasmBindings.invokeAny
@@ -19404,6 +19520,42 @@ var _TinyCloudNode = class _TinyCloudNode {
     );
     return { delegation, prompted: false };
   }
+  /**
+   * Materialize one manifest-declared delegation using the current session key.
+   * Delivery is intentionally out of band; callers decide how to transmit the
+   * returned UCAN to the delegate.
+   */
+  async materializeDelegation(did, request = this.capabilityRequest) {
+    if (!request) {
+      throw new Error(
+        "materializeDelegation requires a composed manifest request"
+      );
+    }
+    const target = request.delegationTargets.find((entry) => entry.did === did);
+    if (!target) {
+      throw new Error(`No manifest delegation target found for DID ${did}`);
+    }
+    const result = await this.delegateTo(target.did, target.permissions, {
+      expiry: target.expiryMs
+    });
+    return { ...result, target };
+  }
+  /**
+   * Materialize every delegation target declared by the composed manifest
+   * request. This does not deliver the delegations anywhere.
+   */
+  async materializeDelegations(request = this.capabilityRequest) {
+    if (!request) {
+      throw new Error(
+        "materializeDelegations requires a composed manifest request"
+      );
+    }
+    const out = [];
+    for (const target of request.delegationTargets) {
+      out.push(await this.materializeDelegation(target.did, request));
+    }
+    return out;
+  }
   /**
    * Issue a delegation via the session-key UCAN WASM path.
    *
@@ -19427,7 +19579,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     }
     const resolvedSpaces = /* @__PURE__ */ new Set();
     for (const entry of entries) {
-      const spaceId2 = entry.space === "default" ? session.spaceId : entry.space;
+      const spaceId2 = this.resolvePermissionSpace(entry.space, session);
       resolvedSpaces.add(spaceId2);
     }
     if (resolvedSpaces.size !== 1) {
@@ -19502,6 +19654,22 @@ var _TinyCloudNode = class _TinyCloudNode {
       host: this.config.host
     };
   }
+  resolvePermissionSpace(space, session) {
+    if (space === void 0) {
+      return this.wasmBindings.makeSpaceId(
+        session.address,
+        session.chainId,
+        "applications"
+      );
+    }
+    if (space === "default") {
+      return session.spaceId;
+    }
+    if (space.startsWith("tinycloud:")) {
+      return space;
+    }
+    return this.wasmBindings.makeSpaceId(session.address, session.chainId, space);
+  }
   /**
    * Issue a delegation via the legacy wallet-signed SIWE path for a single
    * {@link PermissionEntry}. Shares the implementation with the public
@@ -19512,7 +19680,8 @@ var _TinyCloudNode = class _TinyCloudNode {
    * @internal
    */
   async createDelegationLegacyWalletPath(delegateDID, entry, expirationTime) {
-    const spaceIdOverride = entry.space === "default" ? void 0 : entry.space;
+    const session = this.auth?.tinyCloudSession;
+    const spaceIdOverride = session === void 0 || entry.space === "default" ? void 0 : this.resolvePermissionSpace(entry.space, session);
     return this.createDelegationWalletPath({
       path: entry.path,
       actions: entry.actions,
@@ -20018,15 +20187,21 @@ var FileSessionStorage = class {
 // src/index.ts
 import {
+  ACCOUNT_REGISTRY_PATH,
+  ACCOUNT_REGISTRY_SPACE as ACCOUNT_REGISTRY_SPACE2,
+  DEFAULT_MANIFEST_SPACE as DEFAULT_MANIFEST_SPACE2,
+  DEFAULT_MANIFEST_VERSION,
   PermissionNotInManifestError as PermissionNotInManifestError2,
   SessionExpiredError as SessionExpiredError2,
   ManifestValidationError,
-  resolveManifest as resolveManifest2,
+  composeManifestRequest as composeManifestRequest2,
+  resolveManifest,
   validateManifest,
   loadManifest,
   isCapabilitySubset as isCapabilitySubset2,
   expandActionShortNames as expandActionShortNames2,
-  parseExpiry as parseExpiry2
+  parseExpiry as parseExpiry2,
+  resourceCapabilitiesToSpaceAbilitiesMap as resourceCapabilitiesToSpaceAbilitiesMap2
 } from "@tinycloud/sdk-core";
 // src/delegation.ts
@@ -20088,9 +20263,13 @@ import {
 } from "@tinycloud/sdk-core";
 import { ServiceContext as ServiceContext3 } from "@tinycloud/sdk-core";
 export {
+  ACCOUNT_REGISTRY_PATH,
+  ACCOUNT_REGISTRY_SPACE2 as ACCOUNT_REGISTRY_SPACE,
   AutoApproveSpaceCreationHandler2 as AutoApproveSpaceCreationHandler,
   CapabilityKeyRegistry2 as CapabilityKeyRegistry,
   CapabilityKeyRegistryErrorCodes,
+  DEFAULT_MANIFEST_SPACE2 as DEFAULT_MANIFEST_SPACE,
+  DEFAULT_MANIFEST_VERSION,
   DataVaultService2 as DataVaultService,
   DatabaseHandle,
   DelegatedAccess,
@@ -20128,6 +20307,7 @@ export {
   WasmKeyProvider,
   buildSpaceUri,
   checkNodeInfo2 as checkNodeInfo,
+  composeManifestRequest2 as composeManifestRequest,
   createCapabilityKeyRegistry,
   createSharingService,
   createSpaceService,
@@ -20142,7 +20322,8 @@ export {
   makePublicSpaceId2 as makePublicSpaceId,
   parseExpiry2 as parseExpiry,
   parseSpaceUri,
-  resolveManifest2 as resolveManifest,
+  resolveManifest,
+  resourceCapabilitiesToSpaceAbilitiesMap2 as resourceCapabilitiesToSpaceAbilitiesMap,
   serializeDelegation,
   validateManifest
 };