@tinycloud/node-sdk 2.1.0 → 2.2.0-beta.0

package/dist/core.cjs

@@ -20,9 +20,13 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/core.ts
 var core_exports = {};
 __export(core_exports, {
+  ACCOUNT_REGISTRY_PATH: () => import_sdk_core8.ACCOUNT_REGISTRY_PATH,
+  ACCOUNT_REGISTRY_SPACE: () => import_sdk_core8.ACCOUNT_REGISTRY_SPACE,
   AutoApproveSpaceCreationHandler: () => import_sdk_core7.AutoApproveSpaceCreationHandler,
   CapabilityKeyRegistry: () => import_sdk_core14.CapabilityKeyRegistry,
   CapabilityKeyRegistryErrorCodes: () => import_sdk_core14.CapabilityKeyRegistryErrorCodes,
+  DEFAULT_MANIFEST_SPACE: () => import_sdk_core8.DEFAULT_MANIFEST_SPACE,
+  DEFAULT_MANIFEST_VERSION: () => import_sdk_core8.DEFAULT_MANIFEST_VERSION,
   DataVaultService: () => import_sdk_core12.DataVaultService,
   DatabaseHandle: () => import_sdk_core10.DatabaseHandle,
   DelegatedAccess: () => DelegatedAccess,
@@ -57,6 +61,7 @@ __export(core_exports, {
   WasmKeyProvider: () => WasmKeyProvider,
   buildSpaceUri: () => import_sdk_core15.buildSpaceUri,
   checkNodeInfo: () => import_sdk_core16.checkNodeInfo,
+  composeManifestRequest: () => import_sdk_core8.composeManifestRequest,
   createCapabilityKeyRegistry: () => import_sdk_core14.createCapabilityKeyRegistry,
   createSharingService: () => import_sdk_core13.createSharingService,
   createSpaceService: () => import_sdk_core15.createSpaceService,
@@ -72,6 +77,7 @@ __export(core_exports, {
   parseExpiry: () => import_sdk_core8.parseExpiry,
   parseSpaceUri: () => import_sdk_core15.parseSpaceUri,
   resolveManifest: () => import_sdk_core8.resolveManifest,
+  resourceCapabilitiesToSpaceAbilitiesMap: () => import_sdk_core8.resourceCapabilitiesToSpaceAbilitiesMap,
   serializeDelegation: () => serializeDelegation,
   validateManifest: () => import_sdk_core8.validateManifest
 });
@@ -339,7 +345,9 @@ var NodeUserAuthorization = class {
     this.enablePublicSpace = config.enablePublicSpace ?? true;
     this.nonce = config.nonce;
     this.siweConfig = config.siweConfig;
+    this.includeAccountRegistryPermissions = config.includeAccountRegistryPermissions ?? true;
     this._manifest = config.manifest;
+    this._capabilityRequest = config.capabilityRequest;
     this.sessionManager = this.wasm.createSessionManager();
   }
   /**
@@ -351,12 +359,19 @@ var NodeUserAuthorization = class {
   get manifest() {
     return this._manifest;
   }
+  get capabilityRequest() {
+    return this.getCapabilityRequest();
+  }
   /**
    * Install or replace the stored manifest. Takes effect on the next
    * `signIn()` call — the current session (if any) is not touched.
    */
   setManifest(manifest) {
     this._manifest = manifest;
+    this._capabilityRequest = void 0;
+  }
+  setCapabilityRequest(request) {
+    this._capabilityRequest = request;
   }
   /**
    * The current active session (web-core compatible).
@@ -400,12 +415,51 @@ var NodeUserAuthorization = class {
    *
    * @internal
    */
-  resolveSignInAbilities() {
+  getCapabilityRequest() {
+    if (this._capabilityRequest !== void 0) {
+      return this._capabilityRequest;
+    }
     if (this._manifest === void 0) {
-      return this.defaultActions;
+      return void 0;
+    }
+    this._capabilityRequest = (0, import_sdk_core2.composeManifestRequest)(
+      Array.isArray(this._manifest) ? this._manifest : [this._manifest],
+      {
+        includeAccountRegistryPermissions: this.includeAccountRegistryPermissions
+      }
+    );
+    return this._capabilityRequest;
+  }
+  resolveSpaceName(space, address, chainId) {
+    if (space.startsWith("tinycloud:")) {
+      return space;
     }
-    const resolved = (0, import_sdk_core2.resolveManifest)(this._manifest);
-    return (0, import_sdk_core2.manifestAbilitiesUnion)(resolved);
+    return this.wasm.makeSpaceId(address, chainId, space);
+  }
+  resolveSignInCapabilities(address, chainId) {
+    const request = this.getCapabilityRequest();
+    if (request === void 0) {
+      return {
+        abilities: this.defaultActions,
+        spaceId: this.wasm.makeSpaceId(address, chainId, this.spacePrefix)
+      };
+    }
+    const primarySpaceName = request.resources.find((entry) => entry.space !== "account")?.space ?? import_sdk_core2.DEFAULT_MANIFEST_SPACE;
+    const primarySpaceId = this.resolveSpaceName(
+      primarySpaceName,
+      address,
+      chainId
+    );
+    const bySpace = (0, import_sdk_core2.resourceCapabilitiesToSpaceAbilitiesMap)(request.resources);
+    const spaceAbilities = {};
+    for (const [space, abilities] of Object.entries(bySpace)) {
+      spaceAbilities[this.resolveSpaceName(space, address, chainId)] = abilities;
+    }
+    return {
+      abilities: spaceAbilities[primarySpaceId] ?? (0, import_sdk_core2.resourceCapabilitiesToAbilitiesMap)([]),
+      spaceId: primarySpaceId,
+      spaceAbilities
+    };
   }
   /**
    * Build SIWE overrides from the top-level nonce and siweConfig.
@@ -486,6 +540,13 @@ var NodeUserAuthorization = class {
   async hostPublicSpace(spaceId) {
     return this.hostSpace(spaceId);
   }
+  /**
+   * Create a specific owned space on the server via host delegation.
+   * Used by manifest registry setup for the account space.
+   */
+  async hostOwnedSpace(spaceId) {
+    return this.hostSpace(spaceId);
+  }
   /**
    * Ensure the user's space exists on the TinyCloud server.
    * Creates the space if it doesn't exist and autoCreateSpace is enabled.
@@ -614,11 +675,13 @@ var NodeUserAuthorization = class {
       throw new Error("Failed to create session key");
     }
     const jwk = JSON.parse(jwkString);
-    const spaceId = this.wasm.makeSpaceId(address, chainId, this.spacePrefix);
+    const capabilityPlan = this.resolveSignInCapabilities(address, chainId);
+    const spaceId = capabilityPlan.spaceId;
     const now = /* @__PURE__ */ new Date();
     const expirationTime = new Date(now.getTime() + this.sessionExpirationMs);
     const prepared = this.wasm.prepareSession({
-      abilities: this.resolveSignInAbilities(),
+      abilities: capabilityPlan.abilities,
+      ...capabilityPlan.spaceAbilities !== void 0 ? { spaceAbilities: capabilityPlan.spaceAbilities } : {},
       address,
       chainId,
       domain: this.domain,
@@ -757,11 +820,13 @@ var NodeUserAuthorization = class {
       throw new Error("Failed to create session key");
     }
     const jwk = JSON.parse(jwkString);
-    const spaceId = this.wasm.makeSpaceId(address, chainId, this.spacePrefix);
+    const capabilityPlan = this.resolveSignInCapabilities(address, chainId);
+    const spaceId = capabilityPlan.spaceId;
     const now = /* @__PURE__ */ new Date();
     const expirationTime = new Date(now.getTime() + this.sessionExpirationMs);
     const prepared = this.wasm.prepareSession({
-      abilities: this.resolveSignInAbilities(),
+      abilities: capabilityPlan.abilities,
+      ...capabilityPlan.spaceAbilities !== void 0 ? { spaceAbilities: capabilityPlan.spaceAbilities } : {},
       address,
       chainId,
       domain: this.domain,
@@ -1271,7 +1336,9 @@ var _TinyCloudNode = class _TinyCloudNode {
       spaceCreationHandler: config.spaceCreationHandler,
       nonce: config.nonce,
       siweConfig: config.siweConfig,
-      manifest: config.manifest
+      manifest: config.manifest,
+      capabilityRequest: config.capabilityRequest,
+      includeAccountRegistryPermissions: config.includeAccountRegistryPermissions
     });
     this.tc = new import_sdk_core5.TinyCloud(this.auth, {
       invokeAny: this.wasmBindings.invokeAny
@@ -1290,8 +1357,20 @@ var _TinyCloudNode = class _TinyCloudNode {
         "setManifest requires wallet mode. Provide a signer or privateKey in the TinyCloudNode config."
       );
     }
+    this.config.manifest = manifest;
+    this.config.capabilityRequest = void 0;
     this.auth.setManifest(manifest);
   }
+  setCapabilityRequest(request) {
+    if (!this.auth) {
+      throw new Error(
+        "setCapabilityRequest requires wallet mode. Provide a signer or privateKey in the TinyCloudNode config."
+      );
+    }
+    this.config.capabilityRequest = request;
+    this.config.manifest = request?.manifests;
+    this.auth.setCapabilityRequest(request);
+  }
   /**
    * Return the manifest currently installed on the auth handler,
    * or `undefined` if none is set.
@@ -1299,6 +1378,9 @@ var _TinyCloudNode = class _TinyCloudNode {
   get manifest() {
     return this.auth?.manifest;
   }
+  get capabilityRequest() {
+    return this.auth?.capabilityRequest;
+  }
   /**
    * Get the primary identity DID for this user.
    * - If wallet connected and signed in: returns PKH DID (did:pkh:eip155:{chainId}:{address})
@@ -1372,8 +1454,39 @@ var _TinyCloudNode = class _TinyCloudNode {
     this._serviceContext = void 0;
     await this.tc.signIn(options);
     this.initializeServices();
+    await this.writeManifestRegistryRecords();
     this.notificationHandler.success("Successfully signed in");
   }
+  ownedSpaceId(name) {
+    if (!this._address) {
+      throw new Error("Cannot resolve owned space before sign-in");
+    }
+    return this.wasmBindings.makeSpaceId(this._address, this._chainId, name);
+  }
+  async writeManifestRegistryRecords() {
+    const request = this.capabilityRequest;
+    if (!request || request.registryRecords.length === 0) {
+      return;
+    }
+    if (!this.auth || !this.signer) {
+      throw new Error("Manifest registry write requires wallet mode");
+    }
+    const accountSpaceId = this.ownedSpaceId(import_sdk_core5.ACCOUNT_REGISTRY_SPACE);
+    await this.auth.hostOwnedSpace(accountSpaceId);
+    const accountKV = this.spaces.get(accountSpaceId).kv;
+    for (const record of request.registryRecords) {
+      const result = await accountKV.put(record.key, {
+        app_id: record.app_id,
+        manifests: record.manifests,
+        updated_at: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      if (!result.ok) {
+        throw new Error(
+          `Failed to write manifest registry record ${record.key}: ${result.error.message}`
+        );
+      }
+    }
+  }
   /**
    * Restore a previously established session from stored delegation data.
    *
@@ -1511,7 +1624,10 @@ var _TinyCloudNode = class _TinyCloudNode {
       enablePublicSpace: this.config.enablePublicSpace ?? true,
       spaceCreationHandler: this.config.spaceCreationHandler,
       nonce: this.config.nonce,
-      siweConfig: this.config.siweConfig
+      siweConfig: this.config.siweConfig,
+      manifest: this.config.manifest,
+      capabilityRequest: this.config.capabilityRequest,
+      includeAccountRegistryPermissions: this.config.includeAccountRegistryPermissions
     });
     this.tc = new import_sdk_core5.TinyCloud(this.auth, {
       invokeAny: this.wasmBindings.invokeAny
@@ -1551,7 +1667,10 @@ var _TinyCloudNode = class _TinyCloudNode {
       enablePublicSpace: this.config.enablePublicSpace ?? true,
       spaceCreationHandler: this.config.spaceCreationHandler,
       nonce: this.config.nonce,
-      siweConfig: this.config.siweConfig
+      siweConfig: this.config.siweConfig,
+      manifest: this.config.manifest,
+      capabilityRequest: this.config.capabilityRequest,
+      includeAccountRegistryPermissions: this.config.includeAccountRegistryPermissions
     });
     this.tc = new import_sdk_core5.TinyCloud(this.auth, {
       invokeAny: this.wasmBindings.invokeAny
@@ -2413,6 +2532,42 @@ var _TinyCloudNode = class _TinyCloudNode {
     );
     return { delegation, prompted: false };
   }
+  /**
+   * Materialize one manifest-declared delegation using the current session key.
+   * Delivery is intentionally out of band; callers decide how to transmit the
+   * returned UCAN to the delegate.
+   */
+  async materializeDelegation(did, request = this.capabilityRequest) {
+    if (!request) {
+      throw new Error(
+        "materializeDelegation requires a composed manifest request"
+      );
+    }
+    const target = request.delegationTargets.find((entry) => entry.did === did);
+    if (!target) {
+      throw new Error(`No manifest delegation target found for DID ${did}`);
+    }
+    const result = await this.delegateTo(target.did, target.permissions, {
+      expiry: target.expiryMs
+    });
+    return { ...result, target };
+  }
+  /**
+   * Materialize every delegation target declared by the composed manifest
+   * request. This does not deliver the delegations anywhere.
+   */
+  async materializeDelegations(request = this.capabilityRequest) {
+    if (!request) {
+      throw new Error(
+        "materializeDelegations requires a composed manifest request"
+      );
+    }
+    const out = [];
+    for (const target of request.delegationTargets) {
+      out.push(await this.materializeDelegation(target.did, request));
+    }
+    return out;
+  }
   /**
    * Issue a delegation via the session-key UCAN WASM path.
    *
@@ -2436,7 +2591,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     }
     const resolvedSpaces = /* @__PURE__ */ new Set();
     for (const entry of entries) {
-      const spaceId2 = entry.space === "default" ? session.spaceId : entry.space;
+      const spaceId2 = this.resolvePermissionSpace(entry.space, session);
       resolvedSpaces.add(spaceId2);
     }
     if (resolvedSpaces.size !== 1) {
@@ -2511,6 +2666,22 @@ var _TinyCloudNode = class _TinyCloudNode {
       host: this.config.host
     };
   }
+  resolvePermissionSpace(space, session) {
+    if (space === void 0) {
+      return this.wasmBindings.makeSpaceId(
+        session.address,
+        session.chainId,
+        "applications"
+      );
+    }
+    if (space === "default") {
+      return session.spaceId;
+    }
+    if (space.startsWith("tinycloud:")) {
+      return space;
+    }
+    return this.wasmBindings.makeSpaceId(session.address, session.chainId, space);
+  }
   /**
    * Issue a delegation via the legacy wallet-signed SIWE path for a single
    * {@link PermissionEntry}. Shares the implementation with the public
@@ -2521,7 +2692,8 @@ var _TinyCloudNode = class _TinyCloudNode {
    * @internal
    */
   async createDelegationLegacyWalletPath(delegateDID, entry, expirationTime) {
-    const spaceIdOverride = entry.space === "default" ? void 0 : entry.space;
+    const session = this.auth?.tinyCloudSession;
+    const spaceIdOverride = session === void 0 || entry.space === "default" ? void 0 : this.resolvePermissionSpace(entry.space, session);
     return this.createDelegationWalletPath({
       path: entry.path,
       actions: entry.actions,
@@ -2922,9 +3094,13 @@ var import_sdk_core16 = require("@tinycloud/sdk-core");
 var import_sdk_core17 = require("@tinycloud/sdk-core");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  ACCOUNT_REGISTRY_PATH,
+  ACCOUNT_REGISTRY_SPACE,
   AutoApproveSpaceCreationHandler,
   CapabilityKeyRegistry,
   CapabilityKeyRegistryErrorCodes,
+  DEFAULT_MANIFEST_SPACE,
+  DEFAULT_MANIFEST_VERSION,
   DataVaultService,
   DatabaseHandle,
   DelegatedAccess,
@@ -2959,6 +3135,7 @@ var import_sdk_core17 = require("@tinycloud/sdk-core");
   WasmKeyProvider,
   buildSpaceUri,
   checkNodeInfo,
+  composeManifestRequest,
   createCapabilityKeyRegistry,
   createSharingService,
   createSpaceService,
@@ -2974,6 +3151,7 @@ var import_sdk_core17 = require("@tinycloud/sdk-core");
   parseExpiry,
   parseSpaceUri,
   resolveManifest,
+  resourceCapabilitiesToSpaceAbilitiesMap,
   serializeDelegation,
   validateManifest
 });