@tinycloud/node-sdk 2.2.0-beta.1 → 2.2.0-beta.10

package/dist/index.cjs

@@ -17025,69 +17025,76 @@ var require_utils2 = __commonJS({
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
-  ACCOUNT_REGISTRY_PATH: () => import_sdk_core8.ACCOUNT_REGISTRY_PATH,
-  ACCOUNT_REGISTRY_SPACE: () => import_sdk_core8.ACCOUNT_REGISTRY_SPACE,
-  AutoApproveSpaceCreationHandler: () => import_sdk_core7.AutoApproveSpaceCreationHandler,
-  CapabilityKeyRegistry: () => import_sdk_core15.CapabilityKeyRegistry,
-  CapabilityKeyRegistryErrorCodes: () => import_sdk_core15.CapabilityKeyRegistryErrorCodes,
-  DEFAULT_MANIFEST_SPACE: () => import_sdk_core8.DEFAULT_MANIFEST_SPACE,
-  DEFAULT_MANIFEST_VERSION: () => import_sdk_core8.DEFAULT_MANIFEST_VERSION,
-  DataVaultService: () => import_sdk_core12.DataVaultService,
-  DatabaseHandle: () => import_sdk_core10.DatabaseHandle,
+  ACCOUNT_REGISTRY_PATH: () => import_sdk_core9.ACCOUNT_REGISTRY_PATH,
+  ACCOUNT_REGISTRY_SPACE: () => import_sdk_core9.ACCOUNT_REGISTRY_SPACE,
+  AutoApproveSpaceCreationHandler: () => import_sdk_core8.AutoApproveSpaceCreationHandler,
+  CapabilityKeyRegistry: () => import_sdk_core16.CapabilityKeyRegistry,
+  CapabilityKeyRegistryErrorCodes: () => import_sdk_core16.CapabilityKeyRegistryErrorCodes,
+  DEFAULT_MANIFEST_SPACE: () => import_sdk_core9.DEFAULT_MANIFEST_SPACE,
+  DEFAULT_MANIFEST_VERSION: () => import_sdk_core9.DEFAULT_MANIFEST_VERSION,
+  DataVaultService: () => import_sdk_core13.DataVaultService,
+  DatabaseHandle: () => import_sdk_core11.DatabaseHandle,
   DelegatedAccess: () => DelegatedAccess,
-  DelegationErrorCodes: () => import_sdk_core14.DelegationErrorCodes,
-  DelegationManager: () => import_sdk_core14.DelegationManager,
-  DuckDbAction: () => import_sdk_core11.DuckDbAction,
-  DuckDbDatabaseHandle: () => import_sdk_core11.DuckDbDatabaseHandle,
-  DuckDbService: () => import_sdk_core11.DuckDbService,
+  DelegationErrorCodes: () => import_sdk_core15.DelegationErrorCodes,
+  DelegationManager: () => import_sdk_core15.DelegationManager,
+  DuckDbAction: () => import_sdk_core12.DuckDbAction,
+  DuckDbDatabaseHandle: () => import_sdk_core12.DuckDbDatabaseHandle,
+  DuckDbService: () => import_sdk_core12.DuckDbService,
   FileSessionStorage: () => FileSessionStorage,
-  HooksService: () => import_sdk_core13.HooksService,
-  KVService: () => import_sdk_core9.KVService,
-  ManifestValidationError: () => import_sdk_core8.ManifestValidationError,
+  HooksService: () => import_sdk_core14.HooksService,
+  KVService: () => import_sdk_core10.KVService,
+  ManifestValidationError: () => import_sdk_core9.ManifestValidationError,
   MemorySessionStorage: () => MemorySessionStorage,
   NodeUserAuthorization: () => NodeUserAuthorization,
   NodeWasmBindings: () => NodeWasmBindings,
-  PermissionNotInManifestError: () => import_sdk_core8.PermissionNotInManifestError,
-  PrefixedKVService: () => import_sdk_core9.PrefixedKVService,
+  PermissionNotInManifestError: () => import_sdk_core9.PermissionNotInManifestError,
+  PrefixedKVService: () => import_sdk_core10.PrefixedKVService,
   PrivateKeySigner: () => PrivateKeySigner,
-  ProtocolMismatchError: () => import_sdk_core17.ProtocolMismatchError,
-  SQLAction: () => import_sdk_core10.SQLAction,
-  SQLService: () => import_sdk_core10.SQLService,
-  ServiceContext: () => import_sdk_core18.ServiceContext,
-  SessionExpiredError: () => import_sdk_core8.SessionExpiredError,
-  SharingService: () => import_sdk_core14.SharingService,
-  SilentNotificationHandler: () => import_sdk_core7.SilentNotificationHandler,
-  Space: () => import_sdk_core16.Space,
-  SpaceErrorCodes: () => import_sdk_core16.SpaceErrorCodes,
-  SpaceService: () => import_sdk_core16.SpaceService,
-  TinyCloud: () => import_sdk_core6.TinyCloud,
+  ProtocolMismatchError: () => import_sdk_core18.ProtocolMismatchError,
+  SECRET_NAME_RE: () => import_sdk_core13.SECRET_NAME_RE,
+  SQLAction: () => import_sdk_core11.SQLAction,
+  SQLService: () => import_sdk_core11.SQLService,
+  SecretsService: () => import_sdk_core13.SecretsService,
+  ServiceContext: () => import_sdk_core19.ServiceContext,
+  SessionExpiredError: () => import_sdk_core9.SessionExpiredError,
+  SharingService: () => import_sdk_core15.SharingService,
+  SilentNotificationHandler: () => import_sdk_core8.SilentNotificationHandler,
+  Space: () => import_sdk_core17.Space,
+  SpaceErrorCodes: () => import_sdk_core17.SpaceErrorCodes,
+  SpaceService: () => import_sdk_core17.SpaceService,
+  TinyCloud: () => import_sdk_core7.TinyCloud,
   TinyCloudNode: () => TinyCloudNode,
-  UnsupportedFeatureError: () => import_sdk_core17.UnsupportedFeatureError,
-  VaultHeaders: () => import_sdk_core12.VaultHeaders,
-  VaultPublicSpaceKVActions: () => import_sdk_core12.VaultPublicSpaceKVActions,
-  VersionCheckError: () => import_sdk_core17.VersionCheckError,
+  UnsupportedFeatureError: () => import_sdk_core18.UnsupportedFeatureError,
+  VAULT_PERMISSION_SERVICE: () => import_sdk_core9.VAULT_PERMISSION_SERVICE,
+  VaultHeaders: () => import_sdk_core13.VaultHeaders,
+  VaultPublicSpaceKVActions: () => import_sdk_core13.VaultPublicSpaceKVActions,
+  VersionCheckError: () => import_sdk_core18.VersionCheckError,
   WasmKeyProvider: () => WasmKeyProvider,
-  buildSpaceUri: () => import_sdk_core16.buildSpaceUri,
-  checkNodeInfo: () => import_sdk_core17.checkNodeInfo,
-  composeManifestRequest: () => import_sdk_core8.composeManifestRequest,
-  createCapabilityKeyRegistry: () => import_sdk_core15.createCapabilityKeyRegistry,
-  createSharingService: () => import_sdk_core14.createSharingService,
-  createSpaceService: () => import_sdk_core16.createSpaceService,
-  createVaultCrypto: () => import_sdk_core12.createVaultCrypto,
+  buildSpaceUri: () => import_sdk_core17.buildSpaceUri,
+  canonicalizeSecretScope: () => import_sdk_core13.canonicalizeSecretScope,
+  checkNodeInfo: () => import_sdk_core18.checkNodeInfo,
+  composeManifestRequest: () => import_sdk_core9.composeManifestRequest,
+  createCapabilityKeyRegistry: () => import_sdk_core16.createCapabilityKeyRegistry,
+  createSharingService: () => import_sdk_core15.createSharingService,
+  createSpaceService: () => import_sdk_core17.createSpaceService,
+  createVaultCrypto: () => import_sdk_core13.createVaultCrypto,
   createWasmKeyProvider: () => createWasmKeyProvider,
   defaultSignStrategy: () => defaultSignStrategy,
-  defaultSpaceCreationHandler: () => import_sdk_core7.defaultSpaceCreationHandler,
+  defaultSpaceCreationHandler: () => import_sdk_core8.defaultSpaceCreationHandler,
   deserializeDelegation: () => deserializeDelegation,
-  expandActionShortNames: () => import_sdk_core8.expandActionShortNames,
-  isCapabilitySubset: () => import_sdk_core8.isCapabilitySubset,
-  loadManifest: () => import_sdk_core8.loadManifest,
-  makePublicSpaceId: () => import_sdk_core16.makePublicSpaceId,
-  parseExpiry: () => import_sdk_core8.parseExpiry,
-  parseSpaceUri: () => import_sdk_core16.parseSpaceUri,
-  resolveManifest: () => import_sdk_core8.resolveManifest,
-  resourceCapabilitiesToSpaceAbilitiesMap: () => import_sdk_core8.resourceCapabilitiesToSpaceAbilitiesMap,
+  expandActionShortNames: () => import_sdk_core9.expandActionShortNames,
+  expandPermissionEntries: () => import_sdk_core9.expandPermissionEntries,
+  expandPermissionEntry: () => import_sdk_core9.expandPermissionEntry,
+  isCapabilitySubset: () => import_sdk_core9.isCapabilitySubset,
+  loadManifest: () => import_sdk_core9.loadManifest,
+  makePublicSpaceId: () => import_sdk_core17.makePublicSpaceId,
+  parseExpiry: () => import_sdk_core9.parseExpiry,
+  parseSpaceUri: () => import_sdk_core17.parseSpaceUri,
+  resolveManifest: () => import_sdk_core9.resolveManifest,
+  resolveSecretPath: () => import_sdk_core13.resolveSecretPath,
+  resourceCapabilitiesToSpaceAbilitiesMap: () => import_sdk_core9.resourceCapabilitiesToSpaceAbilitiesMap,
   serializeDelegation: () => serializeDelegation,
-  validateManifest: () => import_sdk_core8.validateManifest
+  validateManifest: () => import_sdk_core9.validateManifest
 });
 module.exports = __toCommonJS(index_exports);
 
@@ -17191,7 +17198,7 @@ var PrivateKeySigner = class {
 };
 
 // src/TinyCloudNode.ts
-var import_sdk_core4 = require("@tinycloud/sdk-core");
+var import_sdk_core5 = require("@tinycloud/sdk-core");
 
 // src/authorization/NodeUserAuthorization.ts
 var import_sdk_core = require("@tinycloud/sdk-core");
@@ -17327,9 +17334,9 @@ var NodeUserAuthorization = class {
     this.sessionExpirationMs = config.sessionExpirationMs ?? 60 * 60 * 1e3;
     this.autoCreateSpace = config.autoCreateSpace ?? false;
     this.spaceCreationHandler = config.spaceCreationHandler;
-    this.tinycloudHosts = config.tinycloudHosts ?? [
-      "https://node.tinycloud.xyz"
-    ];
+    this.tinycloudHosts = config.tinycloudHosts;
+    this.tinycloudRegistryUrl = config.tinycloudRegistryUrl;
+    this.tinycloudFallbackHosts = config.tinycloudFallbackHosts;
     this.enablePublicSpace = config.enablePublicSpace ?? true;
     this.nonce = config.nonce;
     this.siweConfig = config.siweConfig;
@@ -17350,6 +17357,9 @@ var NodeUserAuthorization = class {
   get capabilityRequest() {
     return this.getCapabilityRequest();
   }
+  get hosts() {
+    return this.tinycloudHosts ? [...this.tinycloudHosts] : [];
+  }
   /**
    * Install or replace the stored manifest. Takes effect on the next
    * `signIn()` call — the current session (if any) is not touched.
@@ -17374,6 +17384,26 @@ var NodeUserAuthorization = class {
   get tinyCloudSession() {
     return this._tinyCloudSession;
   }
+  async resolveTinyCloudHostsForSignIn(address, chainId) {
+    if (this.tinycloudHosts && this.tinycloudHosts.length > 0) {
+      return;
+    }
+    const subject = `did:pkh:eip155:${chainId}:${address}`;
+    const resolved = await (0, import_sdk_core.resolveTinyCloudHosts)(subject, {
+      registryUrl: this.tinycloudRegistryUrl,
+      fallbackHosts: this.tinycloudFallbackHosts
+    });
+    this.tinycloudHosts = resolved.hosts;
+  }
+  requireTinyCloudHosts() {
+    if (!this.tinycloudHosts || this.tinycloudHosts.length === 0) {
+      throw new Error("TinyCloud hosts have not been resolved. Call signIn() first.");
+    }
+    return this.tinycloudHosts;
+  }
+  get primaryTinyCloudHost() {
+    return this.requireTinyCloudHosts()[0];
+  }
   get nodeFeatures() {
     return this._nodeFeatures;
   }
@@ -17505,7 +17535,7 @@ var NodeUserAuthorization = class {
     if (!this._tinyCloudSession || !this._address || !this._chainId) {
       throw new Error("Must be signed in to host space");
     }
-    const host = this.tinycloudHosts[0];
+    const host = this.primaryTinyCloudHost;
     const spaceId = targetSpaceId ?? this._tinyCloudSession.spaceId;
     const peerId = await (0, import_sdk_core.fetchPeerId)(host, spaceId);
     const siwe = this.wasm.generateHostSIWEMessage({
@@ -17547,7 +17577,7 @@ var NodeUserAuthorization = class {
     if (!this._tinyCloudSession) {
       throw new Error("Must be signed in to ensure space exists");
     }
-    const host = this.tinycloudHosts[0];
+    const host = this.primaryTinyCloudHost;
     const primarySpaceId = this._tinyCloudSession.spaceId;
     const result = await (0, import_sdk_core.activateSessionWithHost)(
       host,
@@ -17656,6 +17686,7 @@ var NodeUserAuthorization = class {
     this._chainId = await this.signer.getChainId();
     const address = this.wasm.ensureEip55(this._address);
     const chainId = this._chainId;
+    await this.resolveTinyCloudHostsForSignIn(address, chainId);
     const keyId = `session-${Date.now()}`;
     this.sessionManager.renameSessionKeyId("default", keyId);
     const jwkString = this.sessionManager.jwk(keyId);
@@ -17734,7 +17765,7 @@ var NodeUserAuthorization = class {
     this._address = address;
     this._chainId = chainId;
     const nodeInfo = await (0, import_sdk_core.checkNodeInfo)(
-      this.tinycloudHosts[0],
+      this.primaryTinyCloudHost,
       this.wasm.protocolVersion()
     );
     this._nodeFeatures = nodeInfo.features;
@@ -17850,6 +17881,7 @@ var NodeUserAuthorization = class {
     });
     const address = this.wasm.ensureEip55(await this.signer.getAddress());
     const chainId = await this.signer.getChainId();
+    await this.resolveTinyCloudHostsForSignIn(address, chainId);
     const clientSession = {
       address,
       walletAddress: address,
@@ -17899,7 +17931,7 @@ var NodeUserAuthorization = class {
     this._address = address;
     this._chainId = chainId;
     const nodeInfo = await (0, import_sdk_core.checkNodeInfo)(
-      this.tinycloudHosts[0],
+      this.primaryTinyCloudHost,
       this.wasm.protocolVersion()
     );
     this._nodeFeatures = nodeInfo.features;
@@ -18057,6 +18089,24 @@ var DelegatedAccess = class {
   get hooks() {
     return this._hooks;
   }
+  /**
+   * Export the handles needed to rehydrate this activated delegation via
+   * `TinyCloudNode.restoreSession(...)` in another process or after a
+   * restart.
+   *
+   * See `RestorableSession` for lifetime caveats.
+   */
+  get restorable() {
+    return {
+      delegationHeader: this.session.delegationHeader,
+      delegationCid: this.session.delegationCid,
+      spaceId: this.session.spaceId,
+      jwk: this.session.jwk,
+      verificationMethod: this.session.verificationMethod,
+      address: this.session.address,
+      chainId: this.session.chainId
+    };
+  }
 };
 
 // src/keys/WasmKeyProvider.ts
@@ -18194,6 +18244,148 @@ function extractSiweExpiration(siwe) {
   return d;
 }
 
+// src/NodeSecretsService.ts
+var import_sdk_core4 = require("@tinycloud/sdk-core");
+var SECRETS_SPACE = "secrets";
+function ok() {
+  return { ok: true, data: void 0 };
+}
+function secretsError(code, message, cause) {
+  return {
+    ok: false,
+    error: {
+      code,
+      service: "secrets",
+      message,
+      ...cause ? { cause } : {}
+    }
+  };
+}
+function displayActionUrn(action) {
+  return action === "put" ? "tinycloud.vault/write" : "tinycloud.vault/delete";
+}
+function kvActionUrn(action) {
+  return `tinycloud.kv/${action}`;
+}
+function vaultMutationAction(action) {
+  return action === "put" ? "write" : "delete";
+}
+function secretPermissionEntries(name, options, action) {
+  const secretPath = (0, import_sdk_core4.resolveSecretPath)(name, options);
+  return [
+    {
+      service: "tinycloud.vault",
+      space: SECRETS_SPACE,
+      path: secretPath.vaultKey,
+      actions: [vaultMutationAction(action)],
+      skipPrefix: true
+    }
+  ];
+}
+function isSecretsSpace(space) {
+  return space === SECRETS_SPACE || space.endsWith(`:${SECRETS_SPACE}`);
+}
+var NodeSecretsService = class {
+  constructor(config) {
+    this.config = config;
+    this.shouldRestoreUnlock = false;
+  }
+  get vault() {
+    return this.service.vault;
+  }
+  get isUnlocked() {
+    return this.service.isUnlocked;
+  }
+  async unlock(signer) {
+    const effectiveSigner = signer ?? this.config.getUnlockSigner?.();
+    if (effectiveSigner !== void 0) {
+      this.unlockSigner = effectiveSigner;
+    }
+    const result = await this.service.unlock(effectiveSigner);
+    if (result.ok) {
+      this.shouldRestoreUnlock = true;
+    }
+    return result;
+  }
+  lock() {
+    this.shouldRestoreUnlock = false;
+    this.service.lock();
+  }
+  get(name, options) {
+    return options === void 0 ? this.service.get(name) : this.service.get(name, options);
+  }
+  async put(name, value, options) {
+    const permission = await this.ensureMutationPermission(name, options, "put");
+    if (!permission.ok) return permission;
+    return options === void 0 ? this.service.put(name, value) : this.service.put(name, value, options);
+  }
+  async delete(name, options) {
+    const permission = await this.ensureMutationPermission(name, options, "del");
+    if (!permission.ok) return permission;
+    return options === void 0 ? this.service.delete(name) : this.service.delete(name, options);
+  }
+  list(options) {
+    return options === void 0 ? this.service.list() : this.service.list(options);
+  }
+  get service() {
+    return this.config.getService();
+  }
+  async ensureMutationPermission(name, options, action) {
+    let permissionEntries;
+    try {
+      permissionEntries = secretPermissionEntries(name, options, action);
+    } catch (error) {
+      return secretsError(
+        import_sdk_core4.ErrorCodes.INVALID_INPUT,
+        error instanceof Error ? error.message : String(error),
+        error instanceof Error ? error : void 0
+      );
+    }
+    if (this.hasMutationPermission(name, options, action)) {
+      return ok();
+    }
+    if (!this.config.canEscalate()) {
+      return secretsError(
+        import_sdk_core4.ErrorCodes.PERMISSION_DENIED,
+        `Cannot autosign ${displayActionUrn(action)} for ${name}; TinyCloudNode needs wallet mode with a signer or privateKey.`
+      );
+    }
+    try {
+      await this.config.grantPermissions(permissionEntries);
+      return this.restoreUnlockAfterEscalation();
+    } catch (error) {
+      return secretsError(
+        import_sdk_core4.ErrorCodes.PERMISSION_DENIED,
+        error instanceof Error ? error.message : `Autosign escalation for ${displayActionUrn(action)} on ${name} failed.`,
+        error instanceof Error ? error : void 0
+      );
+    }
+  }
+  async restoreUnlockAfterEscalation() {
+    if (!this.shouldRestoreUnlock) {
+      return ok();
+    }
+    return this.service.unlock(this.unlockSigner);
+  }
+  hasMutationPermission(name, options, action) {
+    const manifest = this.config.getManifest();
+    if (manifest === void 0) {
+      return false;
+    }
+    const manifests = Array.isArray(manifest) ? manifest : [manifest];
+    const requiredAction = kvActionUrn(action);
+    const secretPath = (0, import_sdk_core4.resolveSecretPath)(name, options);
+    return manifests.some((entry) => {
+      const resolved = (0, import_sdk_core4.resolveManifest)(entry);
+      return ["keys", "vault"].every(
+        (base2) => resolved.resources.some(
+          (resource) => resource.service === "tinycloud.kv" && isSecretsSpace(resource.space) && resource.path === secretPath.permissionPaths[base2] && resource.actions.includes(requiredAction)
+        )
+      );
+    });
+  }
+};
+
 // src/TinyCloudNode.ts
 var DEFAULT_HOST = "https://node.tinycloud.xyz";
 var _TinyCloudNode = class _TinyCloudNode {
@@ -18225,6 +18417,31 @@ var _TinyCloudNode = class _TinyCloudNode {
     this.auth = null;
     this.tc = null;
     this._chainId = 1;
+    this.runtimePermissionGrants = [];
+    this.invokeWithRuntimePermissions = (session, service, path, action, facts) => {
+      return this.wasmBindings.invoke(
+        this.selectInvocationSession(session, service, path, action),
+        service,
+        path,
+        action,
+        facts
+      );
+    };
+    this.invokeAnyWithRuntimePermissions = (session, entries, facts) => {
+      if (!this.wasmBindings.invokeAny) {
+        throw new Error("WASM binding does not support invokeAny");
+      }
+      const grant = this.findGrantForOperations(
+        entries.map((entry) => ({
+          spaceId: entry.spaceId,
+          service: this.invocationServiceName(entry.service),
+          path: entry.path,
+          action: entry.action
+        }))
+      );
+      return this.wasmBindings.invokeAny(grant?.session ?? session, entries, facts);
+    };
+    this.explicitHost = config.host;
     this.config = {
       ...config,
       host: config.host ?? DEFAULT_HOST
@@ -18251,23 +18468,23 @@ var _TinyCloudNode = class _TinyCloudNode {
       throw new Error("Failed to get session key JWK");
     }
     this.sessionKeyJwk = JSON.parse(jwkStr);
-    this._capabilityRegistry = new import_sdk_core4.CapabilityKeyRegistry();
+    this._capabilityRegistry = new import_sdk_core5.CapabilityKeyRegistry();
     this._keyProvider = new WasmKeyProvider({
       sessionManager: this.sessionManager
     });
-    this.notificationHandler = config.notificationHandler ?? new import_sdk_core4.SilentNotificationHandler();
-    this._sharingService = new import_sdk_core4.SharingService({
+    this.notificationHandler = config.notificationHandler ?? new import_sdk_core5.SilentNotificationHandler();
+    this._sharingService = new import_sdk_core5.SharingService({
       hosts: [this.config.host],
       // session: undefined - not needed for receive()
-      invoke: this.wasmBindings.invoke,
+      invoke: this.invokeWithRuntimePermissions,
       fetch: globalThis.fetch.bind(globalThis),
       keyProvider: this._keyProvider,
       registry: this._capabilityRegistry,
       // delegationManager: undefined - not needed for receive()
       createKVService: (config2) => {
         const prefix = config2.pathPrefix?.replace(/\/$/, "");
-        const kvService = new import_sdk_core4.KVService({ prefix });
-        const kvContext = new import_sdk_core4.ServiceContext({
+        const kvService = new import_sdk_core5.KVService({ prefix });
+        const kvContext = new import_sdk_core5.ServiceContext({
           invoke: config2.invoke,
           fetch: config2.fetch ?? globalThis.fetch.bind(globalThis),
           hosts: config2.hosts
@@ -18306,7 +18523,6 @@ var _TinyCloudNode = class _TinyCloudNode {
    * @internal
    */
   setupAuth(config) {
-    const host = this.config.host;
     this.auth = new NodeUserAuthorization({
       signer: this.signer,
       signStrategy: { type: "auto-sign" },
@@ -18315,7 +18531,9 @@ var _TinyCloudNode = class _TinyCloudNode {
       domain: this.siweDomain,
       spacePrefix: config.prefix,
       sessionExpirationMs: config.sessionExpirationMs ?? 60 * 60 * 1e3,
-      tinycloudHosts: [host],
+      tinycloudHosts: this.explicitHost ? [this.explicitHost] : void 0,
+      tinycloudRegistryUrl: config.tinycloudRegistryUrl,
+      tinycloudFallbackHosts: config.tinycloudFallbackHosts,
       autoCreateSpace: config.autoCreateSpace,
       enablePublicSpace: config.enablePublicSpace ?? true,
       spaceCreationHandler: config.spaceCreationHandler,
@@ -18325,10 +18543,16 @@ var _TinyCloudNode = class _TinyCloudNode {
       capabilityRequest: config.capabilityRequest,
       includeAccountRegistryPermissions: config.includeAccountRegistryPermissions
     });
-    this.tc = new import_sdk_core4.TinyCloud(this.auth, {
-      invokeAny: this.wasmBindings.invokeAny
+    this.tc = new import_sdk_core5.TinyCloud(this.auth, {
+      invokeAny: this.invokeAnyWithRuntimePermissions
     });
   }
+  syncResolvedHostFromAuth() {
+    const host = this.auth?.hosts[0];
+    if (host) {
+      this.config.host = host;
+    }
+  }
   /**
    * Install or replace the manifest that drives the SIWE recap at
    * sign-in. Takes effect on the next `signIn()` call — the current
@@ -18366,6 +18590,10 @@ var _TinyCloudNode = class _TinyCloudNode {
   get capabilityRequest() {
     return this.auth?.capabilityRequest;
   }
+  get hosts() {
+    const authHosts = this.auth?.hosts ?? [];
+    return authHosts.length > 0 ? authHosts : [this.config.host];
+  }
   /**
    * Get the primary identity DID for this user.
    * - If wallet connected and signed in: returns PKH DID (did:pkh:eip155:{chainId}:{address})
@@ -18436,8 +18664,14 @@ var _TinyCloudNode = class _TinyCloudNode {
     this._sql = void 0;
     this._duckdb = void 0;
     this._hooks = void 0;
+    this._vault = void 0;
+    this._baseSecrets = void 0;
+    this._secrets = void 0;
+    this._spaceService = void 0;
     this._serviceContext = void 0;
+    this.runtimePermissionGrants = [];
     await this.tc.signIn(options);
+    this.syncResolvedHostFromAuth();
     this.initializeServices();
     await this.writeManifestRegistryRecords();
     this.notificationHandler.success("Successfully signed in");
@@ -18456,8 +18690,8 @@ var _TinyCloudNode = class _TinyCloudNode {
     if (!this.auth || !this.signer) {
       throw new Error("Manifest registry write requires wallet mode");
     }
-    const accountSpaceId = this.ownedSpaceId(import_sdk_core4.ACCOUNT_REGISTRY_SPACE);
-    await this.auth.hostOwnedSpace(accountSpaceId);
+    const accountSpaceId = this.ownedSpaceId(import_sdk_core5.ACCOUNT_REGISTRY_SPACE);
+    await this.ensureOwnedSpaceHosted(accountSpaceId);
     const accountKV = this.spaces.get(accountSpaceId).kv;
     for (const record of request.registryRecords) {
       const result = await accountKV.put(record.key, {
@@ -18472,6 +18706,39 @@ var _TinyCloudNode = class _TinyCloudNode {
       }
     }
   }
+  async ensureOwnedSpaceHosted(spaceId) {
+    if (!this.auth) {
+      throw new Error("Owned space hosting requires wallet mode");
+    }
+    const session = this.auth.tinyCloudSession;
+    if (!session) {
+      throw new Error("Owned space hosting requires an active session");
+    }
+    const host = this.hosts[0] ?? this.config.host;
+    if (!host) {
+      throw new Error("Owned space hosting requires a TinyCloud host");
+    }
+    const activation = await (0, import_sdk_core5.activateSessionWithHost)(host, session.delegationHeader);
+    if (activation.success && !activation.skipped?.includes(spaceId)) {
+      return;
+    }
+    if (!activation.success && activation.status !== 404) {
+      throw new Error(
+        `Failed to check owned space ${spaceId}: ${activation.error ?? activation.status}`
+      );
+    }
+    const created = await this.auth.hostOwnedSpace(spaceId);
+    if (!created) {
+      throw new Error(`Failed to create owned space: ${spaceId}`);
+    }
+    await new Promise((resolve) => setTimeout(resolve, 100));
+    const retry = await (0, import_sdk_core5.activateSessionWithHost)(host, session.delegationHeader);
+    if (!retry.success || retry.skipped?.includes(spaceId)) {
+      throw new Error(
+        `Failed to activate session after creating owned space ${spaceId}: ${retry.error ?? "space was skipped"}`
+      );
+    }
+  }
   /**
    * Restore a previously established session from stored delegation data.
    *
@@ -18487,29 +18754,34 @@ var _TinyCloudNode = class _TinyCloudNode {
     this._sql = void 0;
     this._duckdb = void 0;
     this._hooks = void 0;
+    this._vault = void 0;
+    this._baseSecrets = void 0;
+    this._secrets = void 0;
+    this._spaceService = void 0;
     this._serviceContext = void 0;
+    this.runtimePermissionGrants = [];
     if (sessionData.address) {
       this._address = sessionData.address;
     }
     if (sessionData.chainId) {
       this._chainId = sessionData.chainId;
     }
-    this._serviceContext = new import_sdk_core4.ServiceContext({
-      invoke: this.wasmBindings.invoke,
-      invokeAny: this.wasmBindings.invokeAny,
+    this._serviceContext = new import_sdk_core5.ServiceContext({
+      invoke: this.invokeWithRuntimePermissions,
+      invokeAny: this.invokeAnyWithRuntimePermissions,
       fetch: globalThis.fetch.bind(globalThis),
       hosts: [this.config.host]
     });
-    this._kv = new import_sdk_core4.KVService({});
+    this._kv = new import_sdk_core5.KVService({});
     this._kv.initialize(this._serviceContext);
     this._serviceContext.registerService("kv", this._kv);
-    this._sql = new import_sdk_core4.SQLService({});
+    this._sql = new import_sdk_core5.SQLService({});
     this._sql.initialize(this._serviceContext);
     this._serviceContext.registerService("sql", this._sql);
-    this._duckdb = new import_sdk_core4.DuckDbService({});
+    this._duckdb = new import_sdk_core5.DuckDbService({});
     this._duckdb.initialize(this._serviceContext);
     this._serviceContext.registerService("duckdb", this._duckdb);
-    this._hooks = new import_sdk_core4.HooksService({});
+    this._hooks = new import_sdk_core5.HooksService({});
     this._hooks.initialize(this._serviceContext);
     this._serviceContext.registerService("hooks", this._hooks);
     const serviceSession = {
@@ -18520,41 +18792,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       jwk: sessionData.jwk
     };
     this._serviceContext.setSession(serviceSession);
-    const wasm = this.wasmBindings;
-    const vaultCrypto = (0, import_sdk_core4.createVaultCrypto)({
-      vault_encrypt: wasm.vault_encrypt,
-      vault_decrypt: wasm.vault_decrypt,
-      vault_derive_key: wasm.vault_derive_key,
-      vault_x25519_from_seed: wasm.vault_x25519_from_seed,
-      vault_x25519_dh: wasm.vault_x25519_dh,
-      vault_random_bytes: wasm.vault_random_bytes,
-      vault_sha256: wasm.vault_sha256
-    });
-    const self2 = this;
-    this._vault = new import_sdk_core4.DataVaultService({
-      spaceId: sessionData.spaceId,
-      crypto: vaultCrypto,
-      tc: {
-        kv: this._kv,
-        ensurePublicSpace: async () => {
-          try {
-            await self2.ensurePublicSpace();
-            return { ok: true, data: void 0 };
-          } catch (error) {
-            return { ok: false, error: { code: "STORAGE_ERROR", message: error instanceof Error ? error.message : String(error), service: "vault" } };
-          }
-        },
-        get publicKV() {
-          return self2._publicKV ?? self2.tc.publicKV;
-        },
-        readPublicSpace: (host, spaceId, key2) => import_sdk_core4.TinyCloud.readPublicSpace(host, spaceId, key2),
-        makePublicSpaceId: import_sdk_core4.TinyCloud.makePublicSpaceId,
-        did: this.did,
-        address: sessionData.address ?? this._address ?? "",
-        chainId: sessionData.chainId ?? this._chainId,
-        hosts: [this.config.host]
-      }
-    });
+    this._vault = this.createVaultService(sessionData.spaceId, this._kv);
     this._vault.initialize(this._serviceContext);
     this._serviceContext.registerService("vault", this._vault);
     this.initializeV2Services(serviceSession);
@@ -18589,7 +18827,6 @@ var _TinyCloudNode = class _TinyCloudNode {
       throw new Error("Wallet already connected. Cannot connect another wallet.");
     }
     const prefix = options?.prefix ?? "default";
-    const host = this.config.host;
     if (!_TinyCloudNode.nodeDefaults) {
       throw new Error(
         "connectWallet() requires PrivateKeySigner. Use connectSigner() instead, or import from '@tinycloud/node-sdk' (not '/core') for automatic Node.js defaults."
@@ -18604,7 +18841,9 @@ var _TinyCloudNode = class _TinyCloudNode {
       domain: this.siweDomain,
       spacePrefix: prefix,
       sessionExpirationMs: this.config.sessionExpirationMs ?? 60 * 60 * 1e3,
-      tinycloudHosts: [host],
+      tinycloudHosts: this.explicitHost ? [this.explicitHost] : void 0,
+      tinycloudRegistryUrl: this.config.tinycloudRegistryUrl,
+      tinycloudFallbackHosts: this.config.tinycloudFallbackHosts,
       autoCreateSpace: this.config.autoCreateSpace,
       enablePublicSpace: this.config.enablePublicSpace ?? true,
       spaceCreationHandler: this.config.spaceCreationHandler,
@@ -18614,8 +18853,8 @@ var _TinyCloudNode = class _TinyCloudNode {
       capabilityRequest: this.config.capabilityRequest,
       includeAccountRegistryPermissions: this.config.includeAccountRegistryPermissions
     });
-    this.tc = new import_sdk_core4.TinyCloud(this.auth, {
-      invokeAny: this.wasmBindings.invokeAny
+    this.tc = new import_sdk_core5.TinyCloud(this.auth, {
+      invokeAny: this.invokeAnyWithRuntimePermissions
     });
     this.config.prefix = prefix;
   }
@@ -18637,7 +18876,6 @@ var _TinyCloudNode = class _TinyCloudNode {
       throw new Error("Signer already connected. Cannot connect another signer.");
     }
     const prefix = options?.prefix ?? "default";
-    const host = this.config.host;
     this.signer = signer;
     this.auth = new NodeUserAuthorization({
       signer: this.signer,
@@ -18647,7 +18885,9 @@ var _TinyCloudNode = class _TinyCloudNode {
       domain: this.siweDomain,
       spacePrefix: prefix,
       sessionExpirationMs: this.config.sessionExpirationMs ?? 60 * 60 * 1e3,
-      tinycloudHosts: [host],
+      tinycloudHosts: this.explicitHost ? [this.explicitHost] : void 0,
+      tinycloudRegistryUrl: this.config.tinycloudRegistryUrl,
+      tinycloudFallbackHosts: this.config.tinycloudFallbackHosts,
       autoCreateSpace: this.config.autoCreateSpace,
       enablePublicSpace: this.config.enablePublicSpace ?? true,
       spaceCreationHandler: this.config.spaceCreationHandler,
@@ -18657,8 +18897,8 @@ var _TinyCloudNode = class _TinyCloudNode {
       capabilityRequest: this.config.capabilityRequest,
       includeAccountRegistryPermissions: this.config.includeAccountRegistryPermissions
     });
-    this.tc = new import_sdk_core4.TinyCloud(this.auth, {
-      invokeAny: this.wasmBindings.invokeAny
+    this.tc = new import_sdk_core5.TinyCloud(this.auth, {
+      invokeAny: this.invokeAnyWithRuntimePermissions
     });
     this.config.prefix = prefix;
   }
@@ -18671,28 +18911,28 @@ var _TinyCloudNode = class _TinyCloudNode {
     if (!session) {
       return;
     }
-    this.tc.initializeServices(this.wasmBindings.invoke, [this.config.host]);
-    this._serviceContext = new import_sdk_core4.ServiceContext({
-      invoke: this.wasmBindings.invoke,
-      invokeAny: this.wasmBindings.invokeAny,
+    this.tc.initializeServices(this.invokeWithRuntimePermissions, [this.config.host]);
+    this._serviceContext = new import_sdk_core5.ServiceContext({
+      invoke: this.invokeWithRuntimePermissions,
+      invokeAny: this.invokeAnyWithRuntimePermissions,
       fetch: globalThis.fetch.bind(globalThis),
       hosts: [this.config.host]
     });
-    this._kv = new import_sdk_core4.KVService({});
+    this._kv = new import_sdk_core5.KVService({});
     this._kv.initialize(this._serviceContext);
     this._serviceContext.registerService("kv", this._kv);
     const features = this.nodeFeatures;
     if (features.length === 0 || features.includes("sql")) {
-      this._sql = new import_sdk_core4.SQLService({});
+      this._sql = new import_sdk_core5.SQLService({});
       this._sql.initialize(this._serviceContext);
       this._serviceContext.registerService("sql", this._sql);
     }
     if (features.length === 0 || features.includes("duckdb")) {
-      this._duckdb = new import_sdk_core4.DuckDbService({});
+      this._duckdb = new import_sdk_core5.DuckDbService({});
       this._duckdb.initialize(this._serviceContext);
       this._serviceContext.registerService("duckdb", this._duckdb);
     }
-    this._hooks = new import_sdk_core4.HooksService({});
+    this._hooks = new import_sdk_core5.HooksService({});
     this._hooks.initialize(this._serviceContext);
     this._serviceContext.registerService("hooks", this._hooks);
     const serviceSession = {
@@ -18704,8 +18944,30 @@ var _TinyCloudNode = class _TinyCloudNode {
     };
     this._serviceContext.setSession(serviceSession);
     this.tc.serviceContext.setSession(serviceSession);
+    this._vault = this.createVaultService(session.spaceId, this._kv);
+    this._vault.initialize(this._serviceContext);
+    this._serviceContext.registerService("vault", this._vault);
+    this.initializeV2Services(serviceSession);
+  }
+  createSpaceScopedKVService(spaceId) {
+    const kvService = new import_sdk_core5.KVService({});
+    if (this._serviceContext) {
+      const spaceScopedContext = new import_sdk_core5.ServiceContext({
+        invoke: this._serviceContext.invoke,
+        fetch: this._serviceContext.fetch,
+        hosts: this._serviceContext.hosts
+      });
+      const session = this._serviceContext.session;
+      if (session) {
+        spaceScopedContext.setSession({ ...session, spaceId });
+      }
+      kvService.initialize(spaceScopedContext);
+    }
+    return kvService;
+  }
+  createVaultService(spaceId, kv) {
     const wasm = this.wasmBindings;
-    const vaultCrypto = (0, import_sdk_core4.createVaultCrypto)({
+    const vaultCrypto = (0, import_sdk_core5.createVaultCrypto)({
       vault_encrypt: wasm.vault_encrypt,
       vault_decrypt: wasm.vault_decrypt,
       vault_derive_key: wasm.vault_derive_key,
@@ -18715,11 +18977,11 @@ var _TinyCloudNode = class _TinyCloudNode {
       vault_sha256: wasm.vault_sha256
     });
     const self2 = this;
-    this._vault = new import_sdk_core4.DataVaultService({
-      spaceId: session.spaceId,
+    return new import_sdk_core5.DataVaultService({
+      spaceId,
       crypto: vaultCrypto,
       tc: {
-        kv: this._kv,
+        kv,
         ensurePublicSpace: async () => {
           try {
             await self2.ensurePublicSpace();
@@ -18731,24 +18993,21 @@ var _TinyCloudNode = class _TinyCloudNode {
         get publicKV() {
           return self2._publicKV ?? self2.tc.publicKV;
         },
-        readPublicSpace: (host, spaceId, key2) => import_sdk_core4.TinyCloud.readPublicSpace(host, spaceId, key2),
-        makePublicSpaceId: import_sdk_core4.TinyCloud.makePublicSpaceId,
+        readPublicSpace: (host, targetSpaceId, key2) => import_sdk_core5.TinyCloud.readPublicSpace(host, targetSpaceId, key2),
+        makePublicSpaceId: import_sdk_core5.TinyCloud.makePublicSpaceId,
         did: this.did,
-        address: this._address,
+        address: this._address ?? "",
         chainId: this._chainId,
         hosts: [this.config.host]
       }
     });
-    this._vault.initialize(this._serviceContext);
-    this._serviceContext.registerService("vault", this._vault);
-    this.initializeV2Services(serviceSession);
   }
   /**
    * Initialize the v2 delegation system services.
    * @internal
    */
   initializeV2Services(serviceSession) {
-    this._capabilityRegistry = new import_sdk_core4.CapabilityKeyRegistry();
+    this._capabilityRegistry = new import_sdk_core5.CapabilityKeyRegistry();
     const tcSession = this.auth?.tinyCloudSession;
     if (tcSession && this._address) {
       const sessionKey = {
@@ -18822,13 +19081,13 @@ var _TinyCloudNode = class _TinyCloudNode {
       }
       this._capabilityRegistry.registerKey(sessionKey, delegations);
     }
-    this._delegationManager = new import_sdk_core4.DelegationManager({
+    this._delegationManager = new import_sdk_core5.DelegationManager({
       hosts: [this.config.host],
       session: serviceSession,
-      invoke: this.wasmBindings.invoke,
+      invoke: this.invokeWithRuntimePermissions,
       fetch: globalThis.fetch.bind(globalThis)
     });
-    this._spaceService = new import_sdk_core4.SpaceService({
+    this._spaceService = new import_sdk_core5.SpaceService({
       hosts: [this.config.host],
       session: serviceSession,
       invoke: this.wasmBindings.invoke,
@@ -18836,20 +19095,15 @@ var _TinyCloudNode = class _TinyCloudNode {
       capabilityRegistry: this._capabilityRegistry,
       userDid: this.did,
       createKVService: (spaceId) => {
-        const kvService = new import_sdk_core4.KVService({});
+        return this.createSpaceScopedKVService(spaceId);
+      },
+      createVaultService: (spaceId) => {
+        const kvService = this.createSpaceScopedKVService(spaceId);
+        const vaultService = this.createVaultService(spaceId, kvService);
         if (this._serviceContext) {
-          const spaceScopedContext = new import_sdk_core4.ServiceContext({
-            invoke: this._serviceContext.invoke,
-            fetch: this._serviceContext.fetch,
-            hosts: this._serviceContext.hosts
-          });
-          const session = this._serviceContext.session;
-          if (session) {
-            spaceScopedContext.setSession({ ...session, spaceId });
-          }
-          kvService.initialize(spaceScopedContext);
+          vaultService.initialize(this._serviceContext);
         }
-        return kvService;
+        return vaultService;
       },
       // Enable space.delegations.create() via SIWE-based delegation
       createDelegation: async (params) => {
@@ -18990,7 +19244,7 @@ var _TinyCloudNode = class _TinyCloudNode {
         ...prepared,
         signature: signature2
       });
-      const activateResult = await (0, import_sdk_core4.activateSessionWithHost)(
+      const activateResult = await (0, import_sdk_core5.activateSessionWithHost)(
         host,
         delegationSession.delegationHeader
       );
@@ -19057,7 +19311,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     if (!this._sql) {
       const features = this.nodeFeatures;
       if (features.length > 0 && !features.includes("sql")) {
-        throw new import_sdk_core4.UnsupportedFeatureError("sql", this.config.host, features);
+        throw new import_sdk_core5.UnsupportedFeatureError("sql", this.config.host, features);
       }
       throw new Error("Not signed in. Call signIn() first.");
     }
@@ -19070,7 +19324,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     if (!this._duckdb) {
       const features = this.nodeFeatures;
       if (features.length > 0 && !features.includes("duckdb")) {
-        throw new import_sdk_core4.UnsupportedFeatureError("duckdb", this.config.host, features);
+        throw new import_sdk_core5.UnsupportedFeatureError("duckdb", this.config.host, features);
       }
       throw new Error("Not signed in. Call signIn() first.");
     }
@@ -19086,6 +19340,33 @@ var _TinyCloudNode = class _TinyCloudNode {
     }
     return this._vault;
   }
+  /**
+   * App-facing secrets API backed by the `secrets` space vault.
+   */
+  get secrets() {
+    if (!this._spaceService) {
+      throw new Error("Not signed in. Call signIn() first.");
+    }
+    if (!this._secrets) {
+      this._secrets = new NodeSecretsService({
+        getService: () => this.getBaseSecrets(),
+        getManifest: () => this.manifest,
+        grantPermissions: (additional) => this.grantRuntimePermissions(additional),
+        canEscalate: () => this.signer !== void 0 && this.tc !== void 0,
+        getUnlockSigner: () => this.signer ?? void 0
+      });
+    }
+    return this._secrets;
+  }
+  getBaseSecrets() {
+    if (!this._spaceService) {
+      throw new Error("Not signed in. Call signIn() first.");
+    }
+    if (!this._baseSecrets) {
+      this._baseSecrets = new import_sdk_core5.SecretsService(() => this.space("secrets").vault);
+    }
+    return this._baseSecrets;
+  }
   /**
    * Hooks write stream subscription API.
    */
@@ -19156,6 +19437,171 @@ var _TinyCloudNode = class _TinyCloudNode {
       }
     };
   }
+  /**
+   * Check whether the current session or an approved runtime delegation covers
+   * every requested permission.
+   */
+  hasRuntimePermissions(permissions) {
+    const session = this.auth?.tinyCloudSession;
+    if (!session || !Array.isArray(permissions) || permissions.length === 0) {
+      return false;
+    }
+    const expanded = this.expandPermissionEntries(permissions);
+    if (this.sessionCoversPermissionEntries(session, expanded)) {
+      return true;
+    }
+    return this.findRuntimeGrantsForPermissionEntries(expanded, session).length > 0;
+  }
+  /**
+   * Return installed runtime permission delegations. When `permissions` is
+   * provided, only delegations currently covering those permissions are
+   * returned. Base-session manifest permissions are not represented here.
+   */
+  getRuntimePermissionDelegations(permissions) {
+    this.pruneExpiredRuntimePermissionGrants();
+    if (permissions === void 0) {
+      return this.runtimePermissionGrants.map((grant) => grant.delegation);
+    }
+    const session = this.auth?.tinyCloudSession;
+    if (!session || !Array.isArray(permissions) || permissions.length === 0) {
+      return [];
+    }
+    const expanded = this.expandPermissionEntries(permissions);
+    return this.findRuntimeGrantsForPermissionEntries(expanded, session).map(
+      (grant) => grant.delegation
+    );
+  }
+  /**
+   * Install a portable runtime permission delegation into this SDK instance so
+   * matching service calls and downstream `delegateTo()` calls can use it.
+   */
+  async useRuntimeDelegation(delegation) {
+    const session = this.auth?.tinyCloudSession;
+    if (!session) {
+      throw new import_sdk_core5.SessionExpiredError(/* @__PURE__ */ new Date(0));
+    }
+    if (delegation.expiry.getTime() <= Date.now()) {
+      throw new import_sdk_core5.SessionExpiredError(delegation.expiry);
+    }
+    const expectedDids = /* @__PURE__ */ new Set([session.verificationMethod, this.sessionDid]);
+    if (!expectedDids.has(delegation.delegateDID)) {
+      throw new Error(
+        `Runtime delegation targets ${delegation.delegateDID} but this session key is ${session.verificationMethod}.`
+      );
+    }
+    const targetHost = delegation.host ?? this.config.host;
+    const activateResult = await (0, import_sdk_core5.activateSessionWithHost)(
+      targetHost,
+      delegation.delegationHeader
+    );
+    if (!activateResult.success) {
+      throw new Error(
+        `Failed to activate runtime permission delegation: ${activateResult.error}`
+      );
+    }
+    this.runtimePermissionGrants = this.runtimePermissionGrants.filter(
+      (grant) => grant.delegation.cid !== delegation.cid
+    );
+    this.runtimePermissionGrants.push(
+      this.runtimeGrantFromDelegation(delegation, session)
+    );
+  }
+  /**
+   * Store additional permissions as narrow delegations to the current session
+   * key. Future service invocations automatically use a stored delegation when
+   * its `(space, service, path, action)` covers the request.
+   */
+  async grantRuntimePermissions(permissions, options) {
+    if (!Array.isArray(permissions) || permissions.length === 0) {
+      throw new Error("grantRuntimePermissions requires a non-empty permissions array");
+    }
+    const session = this.auth?.tinyCloudSession;
+    if (!session) {
+      throw new import_sdk_core5.SessionExpiredError(/* @__PURE__ */ new Date(0));
+    }
+    const sessionExpiry = extractSiweExpiration(session.siwe);
+    if (sessionExpiry !== void 0) {
+      const marginMs = _TinyCloudNode.SESSION_EXPIRY_SAFETY_MARGIN_MS;
+      if (sessionExpiry.getTime() <= Date.now() + marginMs) {
+        throw new import_sdk_core5.SessionExpiredError(sessionExpiry);
+      }
+    }
+    const expanded = this.expandPermissionEntries(permissions);
+    if (this.sessionCoversPermissionEntries(session, expanded)) {
+      return [];
+    }
+    const existingGrants = this.findRuntimeGrantsForPermissionEntries(expanded, session);
+    if (existingGrants.length > 0) {
+      return existingGrants.map((grant) => grant.delegation);
+    }
+    if (!this.signer) {
+      throw new Error(
+        "grantRuntimePermissions requires wallet mode with a signer or privateKey."
+      );
+    }
+    const bySpace = /* @__PURE__ */ new Map();
+    for (const entry of expanded) {
+      const spaceId = this.resolvePermissionSpace(entry.space, session);
+      const current = bySpace.get(spaceId) ?? [];
+      current.push(entry);
+      bySpace.set(spaceId, current);
+    }
+    const now = /* @__PURE__ */ new Date();
+    const requestedExpiryMs = resolveExpiryMs(options?.expiry);
+    let expiresAt = new Date(now.getTime() + requestedExpiryMs);
+    if (sessionExpiry !== void 0 && sessionExpiry < expiresAt) {
+      expiresAt = sessionExpiry;
+    }
+    const delegations = [];
+    for (const [spaceId, entries] of bySpace) {
+      const abilities = this.permissionsToAbilities(entries);
+      const prepared = this.wasmBindings.prepareSession({
+        abilities,
+        address: this.wasmBindings.ensureEip55(session.address),
+        chainId: session.chainId,
+        domain: this.siweDomain,
+        issuedAt: now.toISOString(),
+        expirationTime: expiresAt.toISOString(),
+        spaceId,
+        jwk: session.jwk
+      });
+      const signature2 = await this.signer.signMessage(prepared.siwe);
+      const delegatedSession = this.wasmBindings.completeSessionSetup({
+        ...prepared,
+        signature: signature2
+      });
+      const activateResult = await (0, import_sdk_core5.activateSessionWithHost)(
+        this.config.host,
+        delegatedSession.delegationHeader
+      );
+      if (!activateResult.success) {
+        throw new Error(
+          `Failed to activate runtime permission delegation: ${activateResult.error}`
+        );
+      }
+      const delegation = this.runtimeDelegationFromSession(
+        delegatedSession,
+        entries,
+        spaceId,
+        session,
+        expiresAt
+      );
+      this.runtimePermissionGrants.push({
+        session: {
+          delegationHeader: delegatedSession.delegationHeader,
+          delegationCid: delegatedSession.delegationCid,
+          spaceId,
+          verificationMethod: session.verificationMethod,
+          jwk: session.jwk
+        },
+        delegation,
+        operations: this.permissionOperations(entries, spaceId),
+        expiresAt
+      });
+      delegations.push(delegation);
+    }
+    return delegations;
+  }
   /**
    * Get the DelegationManager for delegation CRUD operations.
    *
@@ -19224,6 +19670,12 @@ var _TinyCloudNode = class _TinyCloudNode {
   get spaceService() {
     return this.spaces;
   }
+  /**
+   * Get a Space object by short name or full URI.
+   */
+  space(nameOrUri) {
+    return this.spaces.get(nameOrUri);
+  }
   /**
    * Get the SharingService for creating and receiving v2 sharing links.
    *
@@ -19309,7 +19761,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       ...prepared,
       signature: signature2
     });
-    const activateResult = await (0, import_sdk_core4.activateSessionWithHost)(
+    const activateResult = await (0, import_sdk_core5.activateSessionWithHost)(
       this.config.host,
       delegationSession.delegationHeader
     );
@@ -19336,9 +19788,9 @@ var _TinyCloudNode = class _TinyCloudNode {
       }]);
     }
     if (this._serviceContext) {
-      const publicKV = new import_sdk_core4.KVService({ prefix: "" });
-      const publicContext = new import_sdk_core4.ServiceContext({
-        invoke: this.wasmBindings.invoke,
+      const publicKV = new import_sdk_core5.KVService({ prefix: "" });
+      const publicContext = new import_sdk_core5.ServiceContext({
+        invoke: this.invokeWithRuntimePermissions,
         fetch: this._serviceContext.fetch,
         hosts: this._serviceContext.hosts
       });
@@ -19426,8 +19878,9 @@ var _TinyCloudNode = class _TinyCloudNode {
    * Issue a delegation using the capability-chain flow.
    *
    * When every requested permission is a subset of the current
-   * session's recap, the delegation is signed by the session key via
-   * WASM — no wallet prompt. When at least one is NOT derivable, a
+   * session's recap, or of one installed runtime permission delegation,
+   * the delegation is signed by the session key via WASM — no wallet
+   * prompt. When at least one is NOT derivable, a
    * {@link PermissionNotInManifestError} is raised (carrying the
    * missing entries) so the caller can trigger an escalation flow
    * (e.g. `TinyCloudWeb.requestPermissions`). Passing
@@ -19462,14 +19915,14 @@ var _TinyCloudNode = class _TinyCloudNode {
   async delegateTo(did, permissions, options) {
     const session = this.auth?.tinyCloudSession;
     if (!session) {
-      throw new import_sdk_core4.SessionExpiredError(/* @__PURE__ */ new Date(0));
+      throw new import_sdk_core5.SessionExpiredError(/* @__PURE__ */ new Date(0));
     }
     const sessionExpiry = extractSiweExpiration(session.siwe);
     if (sessionExpiry !== void 0) {
       const now2 = Date.now();
       const marginMs = _TinyCloudNode.SESSION_EXPIRY_SAFETY_MARGIN_MS;
       if (sessionExpiry.getTime() <= now2 + marginMs) {
-        throw new import_sdk_core4.SessionExpiredError(sessionExpiry);
+        throw new import_sdk_core5.SessionExpiredError(sessionExpiry);
       }
     }
     if (!Array.isArray(permissions) || permissions.length === 0) {
@@ -19477,10 +19930,7 @@ var _TinyCloudNode = class _TinyCloudNode {
         "delegateTo requires a non-empty permissions array"
       );
     }
-    const expandedEntries = permissions.map((entry) => ({
-      ...entry,
-      actions: (0, import_sdk_core4.expandActionShortNames)(entry.service, entry.actions)
-    }));
+    const expandedEntries = this.expandPermissionEntries(permissions);
     const now = /* @__PURE__ */ new Date();
     const expiryMs = resolveExpiryMs(options?.expiry);
     const expirationTime = new Date(now.getTime() + expiryMs);
@@ -19501,13 +19951,30 @@ var _TinyCloudNode = class _TinyCloudNode {
       );
       return { delegation: delegation2, prompted: true };
     }
-    const granted = (0, import_sdk_core4.parseRecapCapabilities)(
+    const granted = (0, import_sdk_core5.parseRecapCapabilities)(
       (siwe) => this.wasmBindings.parseRecapFromSiwe(siwe),
       session.siwe
     );
-    const { subset, missing } = (0, import_sdk_core4.isCapabilitySubset)(expandedEntries, granted);
+    const { subset, missing } = (0, import_sdk_core5.isCapabilitySubset)(expandedEntries, granted);
     if (!subset) {
-      throw new import_sdk_core4.PermissionNotInManifestError(missing, granted);
+      const runtimeGrant = this.findGrantForOperations(
+        this.permissionEntriesToOperations(expandedEntries, session)
+      );
+      if (runtimeGrant) {
+        const marginMs = _TinyCloudNode.SESSION_EXPIRY_SAFETY_MARGIN_MS;
+        if (runtimeGrant.expiresAt.getTime() <= Date.now() + marginMs) {
+          throw new import_sdk_core5.SessionExpiredError(runtimeGrant.expiresAt);
+        }
+        const runtimeExpiration = runtimeGrant.expiresAt < effectiveExpiration ? runtimeGrant.expiresAt : effectiveExpiration;
+        const delegation2 = await this.createDelegationViaRuntimeGrant(
+          did,
+          expandedEntries,
+          runtimeExpiration,
+          runtimeGrant
+        );
+        return { delegation: delegation2, prompted: false };
+      }
+      throw new import_sdk_core5.PermissionNotInManifestError(missing, granted);
     }
     const delegation = await this.createDelegationViaWasmPath(
       did,
@@ -19587,7 +20054,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     const spaceId = [...resolvedSpaces][0];
     const abilities = {};
     for (const entry of entries) {
-      const shortService = import_sdk_core4.SERVICE_LONG_TO_SHORT[entry.service];
+      const shortService = import_sdk_core5.SERVICE_LONG_TO_SHORT[entry.service];
       if (shortService === void 0) {
         throw new Error(
           `delegateTo: unknown service '${entry.service}' \u2014 no short-form mapping`
@@ -19627,7 +20094,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     });
     const primary = result.resources[0];
     const delegationHeader = { Authorization: result.delegation };
-    const activateResult = await (0, import_sdk_core4.activateSessionWithHost)(
+    const activateResult = await (0, import_sdk_core5.activateSessionWithHost)(
       this.config.host,
       delegationHeader
     );
@@ -19651,6 +20118,41 @@ var _TinyCloudNode = class _TinyCloudNode {
       host: this.config.host
     };
   }
+  async createDelegationViaRuntimeGrant(did, entries, expirationTime, grant) {
+    const result = this.createDelegationWrapper({
+      session: grant.session,
+      delegateDID: did,
+      spaceId: grant.session.spaceId,
+      abilities: this.permissionsToAbilities(entries),
+      expirationSecs: Math.floor(expirationTime.getTime() / 1e3)
+    });
+    const primary = result.resources[0];
+    const delegationHeader = { Authorization: result.delegation };
+    const targetHost = grant.delegation.host ?? this.config.host;
+    const activateResult = await (0, import_sdk_core5.activateSessionWithHost)(
+      targetHost,
+      delegationHeader
+    );
+    if (!activateResult.success) {
+      throw new Error(
+        `Failed to activate delegation with host: ${activateResult.error}`
+      );
+    }
+    return {
+      cid: result.cid,
+      delegationHeader,
+      spaceId: grant.session.spaceId,
+      path: primary.path,
+      actions: primary.actions,
+      resources: result.resources,
+      disableSubDelegation: false,
+      expiry: result.expiry,
+      delegateDID: did,
+      ownerAddress: grant.delegation.ownerAddress,
+      chainId: grant.delegation.chainId,
+      host: targetHost
+    };
+  }
   resolvePermissionSpace(space, session) {
     if (space === void 0) {
       return this.wasmBindings.makeSpaceId(
@@ -19667,6 +20169,220 @@ var _TinyCloudNode = class _TinyCloudNode {
     }
     return this.wasmBindings.makeSpaceId(session.address, session.chainId, space);
   }
+  expandPermissionEntries(permissions) {
+    return (0, import_sdk_core5.expandPermissionEntries)(permissions);
+  }
+  shortServiceName(service) {
+    const short = import_sdk_core5.SERVICE_LONG_TO_SHORT[service];
+    if (short === void 0) {
+      throw new Error(
+        `unknown service '${service}' \u2014 no short-form mapping`
+      );
+    }
+    return short;
+  }
+  permissionsToAbilities(entries) {
+    const abilities = {};
+    for (const entry of entries) {
+      const service = this.shortServiceName(entry.service);
+      abilities[service] ?? (abilities[service] = {});
+      const existing = abilities[service][entry.path] ?? [];
+      const seen = new Set(existing);
+      for (const action of entry.actions) {
+        if (!seen.has(action)) {
+          existing.push(action);
+          seen.add(action);
+        }
+      }
+      abilities[service][entry.path] = existing;
+    }
+    return abilities;
+  }
+  permissionOperations(entries, spaceId) {
+    return entries.flatMap((entry) => {
+      const service = this.shortServiceName(entry.service);
+      return entry.actions.map((action) => ({
+        spaceId,
+        service,
+        path: entry.path,
+        action
+      }));
+    });
+  }
+  sessionCoversPermissionEntries(session, entries) {
+    try {
+      const granted = (0, import_sdk_core5.parseRecapCapabilities)(
+        (siwe) => this.wasmBindings.parseRecapFromSiwe(siwe),
+        session.siwe
+      );
+      return (0, import_sdk_core5.isCapabilitySubset)(entries, granted).subset;
+    } catch {
+      return false;
+    }
+  }
+  permissionEntriesToOperations(entries, session) {
+    return entries.flatMap((entry) => {
+      const spaceId = this.resolvePermissionSpace(entry.space, session);
+      const service = this.shortServiceName(entry.service);
+      return entry.actions.map((action) => ({
+        spaceId,
+        service,
+        path: entry.path,
+        action
+      }));
+    });
+  }
+  findRuntimeGrantsForPermissionEntries(entries, session) {
+    const grants = [];
+    const operations = this.permissionEntriesToOperations(entries, session);
+    if (operations.length === 0) {
+      return grants;
+    }
+    for (const operation of operations) {
+      const grant = this.findGrantForOperation(operation);
+      if (!grant) {
+        return [];
+      }
+      if (!grants.includes(grant)) {
+        grants.push(grant);
+      }
+    }
+    return grants;
+  }
+  runtimeDelegationFromSession(delegatedSession, entries, spaceId, session, expiresAt) {
+    const resources = this.delegatedResourcesForEntries(entries, spaceId);
+    const primary = resources[0];
+    return {
+      cid: delegatedSession.delegationCid,
+      delegationHeader: delegatedSession.delegationHeader,
+      spaceId,
+      path: primary.path,
+      actions: primary.actions,
+      resources,
+      disableSubDelegation: false,
+      expiry: expiresAt,
+      delegateDID: session.verificationMethod,
+      ownerAddress: session.address,
+      chainId: session.chainId,
+      host: this.config.host
+    };
+  }
+  runtimeGrantFromDelegation(delegation, session) {
+    const operations = this.operationsFromDelegation(delegation);
+    return {
+      session: {
+        delegationHeader: delegation.delegationHeader,
+        delegationCid: delegation.cid,
+        spaceId: delegation.spaceId,
+        verificationMethod: session.verificationMethod,
+        jwk: session.jwk
+      },
+      delegation,
+      operations,
+      expiresAt: delegation.expiry
+    };
+  }
+  delegatedResourcesForEntries(entries, spaceId) {
+    return entries.map((entry) => ({
+      service: this.shortServiceName(entry.service),
+      space: spaceId,
+      path: entry.path,
+      actions: [...entry.actions]
+    }));
+  }
+  operationsFromDelegation(delegation) {
+    const resources = delegation.resources !== void 0 && delegation.resources.length > 0 ? delegation.resources : this.flatDelegationResources(delegation);
+    return resources.flatMap(
+      (resource) => resource.actions.map((action) => ({
+        spaceId: resource.space,
+        service: this.invocationServiceName(resource.service),
+        path: resource.path,
+        action
+      }))
+    );
+  }
+  flatDelegationResources(delegation) {
+    const byService = /* @__PURE__ */ new Map();
+    for (const action of delegation.actions) {
+      const service = this.shortServiceName(action.split("/")[0]);
+      const actions = byService.get(service) ?? [];
+      actions.push(action);
+      byService.set(service, actions);
+    }
+    return [...byService.entries()].map(([service, actions]) => ({
+      service,
+      space: delegation.spaceId,
+      path: delegation.path,
+      actions
+    }));
+  }
+  selectInvocationSession(fallback, service, path, action) {
+    const grant = this.findGrantForOperation({
+      spaceId: fallback.spaceId,
+      service: this.invocationServiceName(service),
+      path,
+      action
+    });
+    return grant?.session ?? fallback;
+  }
+  findGrantForOperations(operations) {
+    if (operations.length === 0) {
+      return void 0;
+    }
+    this.pruneExpiredRuntimePermissionGrants();
+    return this.runtimePermissionGrants.find((grant) => {
+      return operations.every(
+        (operation) => grant.operations.some(
+          (granted) => this.operationCovers(granted, operation)
+        )
+      );
+    });
+  }
+  findGrantForOperation(operation) {
+    return this.findGrantForOperations([operation]);
+  }
+  pruneExpiredRuntimePermissionGrants() {
+    const now = Date.now();
+    this.runtimePermissionGrants = this.runtimePermissionGrants.filter(
+      (grant) => grant.expiresAt.getTime() > now
+    );
+  }
+  operationCovers(granted, requested) {
+    return granted.spaceId === requested.spaceId && granted.service === requested.service && this.actionContains(granted.action, requested.action) && this.pathContains(granted.path, requested.path);
+  }
+  actionContains(grantedAction, requestedAction) {
+    if (grantedAction === requestedAction) {
+      return true;
+    }
+    if (grantedAction.endsWith("/*")) {
+      const prefix = grantedAction.slice(0, -2);
+      return requestedAction.startsWith(`${prefix}/`);
+    }
+    return false;
+  }
+  invocationServiceName(service) {
+    return service.startsWith("tinycloud.") ? this.shortServiceName(service) : service;
+  }
+  pathContains(grantedPath, requestedPath) {
+    if (grantedPath === "" || grantedPath === "/") {
+      return true;
+    }
+    if (grantedPath.endsWith("/**")) {
+      return requestedPath.startsWith(grantedPath.slice(0, -3));
+    }
+    if (grantedPath.endsWith("/*")) {
+      const prefix = grantedPath.slice(0, -2);
+      if (!requestedPath.startsWith(prefix)) {
+        return false;
+      }
+      const remainder = requestedPath.slice(prefix.length);
+      return !remainder.includes("/") || remainder === "/";
+    }
+    if (grantedPath.endsWith("/")) {
+      return requestedPath.startsWith(grantedPath);
+    }
+    return grantedPath === requestedPath;
+  }
   /**
    * Issue a delegation via the legacy wallet-signed SIWE path for a single
    * {@link PermissionEntry}. Shares the implementation with the public
@@ -19723,7 +20439,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       );
       return result.delegation;
     } catch (err) {
-      if (err instanceof import_sdk_core4.PermissionNotInManifestError) {
+      if (err instanceof import_sdk_core5.PermissionNotInManifestError) {
       } else {
         throw err;
       }
@@ -19780,7 +20496,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       ...prepared,
       signature: signature2
     });
-    const activateResult = await (0, import_sdk_core4.activateSessionWithHost)(
+    const activateResult = await (0, import_sdk_core5.activateSessionWithHost)(
       this.config.host,
       delegationSession.delegationHeader
     );
@@ -19802,7 +20518,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     };
     const hasKvActions = params.actions.some((a) => a.startsWith("tinycloud.kv/"));
     if (hasKvActions && params.includePublicSpace !== false) {
-      const publicSpaceId = (0, import_sdk_core4.makePublicSpaceId)(
+      const publicSpaceId = (0, import_sdk_core5.makePublicSpaceId)(
         this.wasmBindings.ensureEip55(session.address),
         session.chainId
       );
@@ -19825,7 +20541,7 @@ var _TinyCloudNode = class _TinyCloudNode {
         ...publicPrepared,
         signature: publicSignature
       });
-      const publicActivateResult = await (0, import_sdk_core4.activateSessionWithHost)(
+      const publicActivateResult = await (0, import_sdk_core5.activateSessionWithHost)(
         this.config.host,
         publicSession.delegationHeader
       );
@@ -19924,7 +20640,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       ...prepared,
       signature: signature2
     });
-    const activateResult = await (0, import_sdk_core4.activateSessionWithHost)(
+    const activateResult = await (0, import_sdk_core5.activateSessionWithHost)(
       targetHost,
       invokerSession.delegationHeader
     );
@@ -20013,7 +20729,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       ...prepared,
       signature: signature2
     });
-    const activateResult = await (0, import_sdk_core4.activateSessionWithHost)(
+    const activateResult = await (0, import_sdk_core5.activateSessionWithHost)(
       targetHost,
       subDelegationSession.delegationHeader
     );
@@ -20055,11 +20771,11 @@ TinyCloudNode.registerNodeDefaults({
 });
 
 // src/index.ts
-var import_sdk_core6 = require("@tinycloud/sdk-core");
 var import_sdk_core7 = require("@tinycloud/sdk-core");
+var import_sdk_core8 = require("@tinycloud/sdk-core");
 
 // src/storage/FileSessionStorage.ts
-var import_sdk_core5 = require("@tinycloud/sdk-core");
+var import_sdk_core6 = require("@tinycloud/sdk-core");
 var import_fs = require("fs");
 var import_path = require("path");
 var FileSessionStorage = class {
@@ -20114,7 +20830,7 @@ var FileSessionStorage = class {
     try {
       const data = (0, import_fs.readFileSync)(filePath, "utf-8");
       const parsed = JSON.parse(data);
-      const validation = (0, import_sdk_core5.validatePersistedSessionData)(parsed);
+      const validation = (0, import_sdk_core6.validatePersistedSessionData)(parsed);
       if (!validation.ok) {
         console.warn(`Invalid session data for ${address}:`, validation.error.message);
         (0, import_fs.unlinkSync)(filePath);
@@ -20179,7 +20895,7 @@ var FileSessionStorage = class {
 };
 
 // src/index.ts
-var import_sdk_core8 = require("@tinycloud/sdk-core");
+var import_sdk_core9 = require("@tinycloud/sdk-core");
 
 // src/delegation.ts
 function serializeDelegation(delegation) {
@@ -20198,7 +20914,6 @@ function deserializeDelegation(data) {
 }
 
 // src/index.ts
-var import_sdk_core9 = require("@tinycloud/sdk-core");
 var import_sdk_core10 = require("@tinycloud/sdk-core");
 var import_sdk_core11 = require("@tinycloud/sdk-core");
 var import_sdk_core12 = require("@tinycloud/sdk-core");
@@ -20208,6 +20923,7 @@ var import_sdk_core15 = require("@tinycloud/sdk-core");
 var import_sdk_core16 = require("@tinycloud/sdk-core");
 var import_sdk_core17 = require("@tinycloud/sdk-core");
 var import_sdk_core18 = require("@tinycloud/sdk-core");
+var import_sdk_core19 = require("@tinycloud/sdk-core");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ACCOUNT_REGISTRY_PATH,
@@ -20236,8 +20952,10 @@ var import_sdk_core18 = require("@tinycloud/sdk-core");
   PrefixedKVService,
   PrivateKeySigner,
   ProtocolMismatchError,
+  SECRET_NAME_RE,
   SQLAction,
   SQLService,
+  SecretsService,
   ServiceContext,
   SessionExpiredError,
   SharingService,
@@ -20248,11 +20966,13 @@ var import_sdk_core18 = require("@tinycloud/sdk-core");
   TinyCloud,
   TinyCloudNode,
   UnsupportedFeatureError,
+  VAULT_PERMISSION_SERVICE,
   VaultHeaders,
   VaultPublicSpaceKVActions,
   VersionCheckError,
   WasmKeyProvider,
   buildSpaceUri,
+  canonicalizeSecretScope,
   checkNodeInfo,
   composeManifestRequest,
   createCapabilityKeyRegistry,
@@ -20264,12 +20984,15 @@ var import_sdk_core18 = require("@tinycloud/sdk-core");
   defaultSpaceCreationHandler,
   deserializeDelegation,
   expandActionShortNames,
+  expandPermissionEntries,
+  expandPermissionEntry,
   isCapabilitySubset,
   loadManifest,
   makePublicSpaceId,
   parseExpiry,
   parseSpaceUri,
   resolveManifest,
+  resolveSecretPath,
   resourceCapabilitiesToSpaceAbilitiesMap,
   serializeDelegation,
   validateManifest