@tinycloud/node-sdk 2.2.0-beta.10 → 2.2.0-beta.12

package/dist/{core-DcJ27GsA.d.cts → core-M5RMfMIi.d.cts}

@@ -321,6 +321,19 @@ declare class NodeUserAuthorization implements IUserAuthorization {
      * Includes spaceId, delegationHeader, and delegationCid.
      */
     get tinyCloudSession(): TinyCloudSession | undefined;
+    /**
+     * Rehydrate the auth-layer session from previously-persisted delegation
+     * data. Used by {@link TinyCloudNode.restoreSession} so that downstream
+     * surfaces that read from `tinyCloudSession` (notably
+     * `grantRuntimePermissions`, which extracts the SIWE expiry from it) work
+     * without re-running the full sign-in flow.
+     *
+     * Caller must supply the same fields that `signIn` would have written —
+     * `siwe` is the load-bearing one because `extractSiweExpiration` returns
+     * undefined for missing SIWEs and the SDK then treats the session as
+     * expired-at-epoch-zero.
+     */
+    setRestoredTinyCloudSession(session: TinyCloudSession): void;
     private resolveTinyCloudHostsForSignIn;
     private requireTinyCloudHosts;
     private get primaryTinyCloudHost();
@@ -793,6 +806,13 @@ declare class TinyCloudNode {
     private _delegationManager?;
     private _spaceService?;
     private runtimePermissionGrants;
+    /**
+     * TinyCloudSession captured by {@link restoreSession} when there's no
+     * auth-layer signer available (session-only mode used by OpenKey-backed
+     * CLI restores, public-space replays, …). Read by
+     * {@link currentTinyCloudSession} as a fallback for `auth.tinyCloudSession`.
+     */
+    private _restoredTcSession?;
     private get nodeFeatures();
     /** SIWE domain — uses config override or defaults to app.tinycloud.xyz */
     private get siweDomain();
@@ -909,7 +929,28 @@ declare class TinyCloudNode {
         verificationMethod: string;
         address?: string;
         chainId?: number;
+        /**
+         * The SIWE message that authorized this session. Required for
+         * downstream operations that need the session's expiry (e.g.
+         * {@link grantRuntimePermissions}). When omitted the SDK can still
+         * invoke services with the existing delegation, but anything that
+         * reads `auth.tinyCloudSession.siwe` will treat the session as
+         * expired-at-epoch-zero.
+         */
+        siwe?: string;
+        /**
+         * The wallet/OpenKey signature over `siwe`. Optional because the
+         * runtime doesn't re-verify it — it's persisted alongside the SIWE
+         * for callers that need to round-trip the full session shape.
+         */
+        signature?: string;
     }): Promise<void>;
+    /**
+     * Resolve the currently-active TinyCloudSession, preferring the auth
+     * layer's value (wallet mode) and falling back to the node-level
+     * rehydration set by {@link restoreSession} (session-only mode).
+     */
+    private currentTinyCloudSession;
     /**
      * Connect a wallet to upgrade from session-only mode to wallet mode.
      *
@@ -1011,6 +1052,21 @@ declare class TinyCloudNode {
      * SQL database operations on this user's space.
      */
     get sql(): ISQLService;
+    /**
+     * Get an SQL service scoped to a specific space.
+     *
+     * Mirrors {@link SpaceService}'s per-space KV factory: clones the active
+     * service context and overrides its session's spaceId so that subsequent
+     * `sql/<dbName>/<action>` invocations route to that space. Useful when
+     * the caller already holds a delegation covering the target space (e.g.
+     * via {@link grantRuntimePermissions} or {@link useRuntimeDelegation})
+     * but the SDK's per-space SQL surface isn't otherwise exposed.
+     *
+     * Does NOT auto-create the space.
+     *
+     * @param spaceId - Full space URI (`tinycloud:pkh:eip155:<chain>:<addr>:<name>`).
+     */
+    sqlForSpace(spaceId: string): ISQLService;
     /**
      * DuckDB database operations on this user's space.
      */

package/dist/{core-DcJ27GsA.d.ts → core-M5RMfMIi.d.ts}

@@ -321,6 +321,19 @@ declare class NodeUserAuthorization implements IUserAuthorization {
      * Includes spaceId, delegationHeader, and delegationCid.
      */
     get tinyCloudSession(): TinyCloudSession | undefined;
+    /**
+     * Rehydrate the auth-layer session from previously-persisted delegation
+     * data. Used by {@link TinyCloudNode.restoreSession} so that downstream
+     * surfaces that read from `tinyCloudSession` (notably
+     * `grantRuntimePermissions`, which extracts the SIWE expiry from it) work
+     * without re-running the full sign-in flow.
+     *
+     * Caller must supply the same fields that `signIn` would have written —
+     * `siwe` is the load-bearing one because `extractSiweExpiration` returns
+     * undefined for missing SIWEs and the SDK then treats the session as
+     * expired-at-epoch-zero.
+     */
+    setRestoredTinyCloudSession(session: TinyCloudSession): void;
     private resolveTinyCloudHostsForSignIn;
     private requireTinyCloudHosts;
     private get primaryTinyCloudHost();
@@ -793,6 +806,13 @@ declare class TinyCloudNode {
     private _delegationManager?;
     private _spaceService?;
     private runtimePermissionGrants;
+    /**
+     * TinyCloudSession captured by {@link restoreSession} when there's no
+     * auth-layer signer available (session-only mode used by OpenKey-backed
+     * CLI restores, public-space replays, …). Read by
+     * {@link currentTinyCloudSession} as a fallback for `auth.tinyCloudSession`.
+     */
+    private _restoredTcSession?;
     private get nodeFeatures();
     /** SIWE domain — uses config override or defaults to app.tinycloud.xyz */
     private get siweDomain();
@@ -909,7 +929,28 @@ declare class TinyCloudNode {
         verificationMethod: string;
         address?: string;
         chainId?: number;
+        /**
+         * The SIWE message that authorized this session. Required for
+         * downstream operations that need the session's expiry (e.g.
+         * {@link grantRuntimePermissions}). When omitted the SDK can still
+         * invoke services with the existing delegation, but anything that
+         * reads `auth.tinyCloudSession.siwe` will treat the session as
+         * expired-at-epoch-zero.
+         */
+        siwe?: string;
+        /**
+         * The wallet/OpenKey signature over `siwe`. Optional because the
+         * runtime doesn't re-verify it — it's persisted alongside the SIWE
+         * for callers that need to round-trip the full session shape.
+         */
+        signature?: string;
     }): Promise<void>;
+    /**
+     * Resolve the currently-active TinyCloudSession, preferring the auth
+     * layer's value (wallet mode) and falling back to the node-level
+     * rehydration set by {@link restoreSession} (session-only mode).
+     */
+    private currentTinyCloudSession;
     /**
      * Connect a wallet to upgrade from session-only mode to wallet mode.
      *
@@ -1011,6 +1052,21 @@ declare class TinyCloudNode {
      * SQL database operations on this user's space.
      */
     get sql(): ISQLService;
+    /**
+     * Get an SQL service scoped to a specific space.
+     *
+     * Mirrors {@link SpaceService}'s per-space KV factory: clones the active
+     * service context and overrides its session's spaceId so that subsequent
+     * `sql/<dbName>/<action>` invocations route to that space. Useful when
+     * the caller already holds a delegation covering the target space (e.g.
+     * via {@link grantRuntimePermissions} or {@link useRuntimeDelegation})
+     * but the SDK's per-space SQL surface isn't otherwise exposed.
+     *
+     * Does NOT auto-create the space.
+     *
+     * @param spaceId - Full space URI (`tinycloud:pkh:eip155:<chain>:<addr>:<name>`).
+     */
+    sqlForSpace(spaceId: string): ISQLService;
     /**
      * DuckDB database operations on this user's space.
      */

package/dist/core.cjs

@@ -27,6 +27,7 @@ __export(core_exports, {
   CapabilityKeyRegistryErrorCodes: () => import_sdk_core15.CapabilityKeyRegistryErrorCodes,
   DEFAULT_MANIFEST_SPACE: () => import_sdk_core9.DEFAULT_MANIFEST_SPACE,
   DEFAULT_MANIFEST_VERSION: () => import_sdk_core9.DEFAULT_MANIFEST_VERSION,
+  DEFAULT_SIGNED_READ_URL_EXPIRY_MS: () => import_sdk_core10.DEFAULT_SIGNED_READ_URL_EXPIRY_MS,
   DataVaultService: () => import_sdk_core13.DataVaultService,
   DatabaseHandle: () => import_sdk_core11.DatabaseHandle,
   DelegatedAccess: () => DelegatedAccess,
@@ -343,7 +344,7 @@ var NodeUserAuthorization = class {
         ]
       }
     };
-    this.sessionExpirationMs = config.sessionExpirationMs ?? 60 * 60 * 1e3;
+    this.sessionExpirationMs = config.sessionExpirationMs ?? import_sdk_core2.EXPIRY.SESSION_MS;
     this.autoCreateSpace = config.autoCreateSpace ?? false;
     this.spaceCreationHandler = config.spaceCreationHandler;
     this.tinycloudHosts = config.tinycloudHosts;
@@ -396,6 +397,23 @@ var NodeUserAuthorization = class {
   get tinyCloudSession() {
     return this._tinyCloudSession;
   }
+  /**
+   * Rehydrate the auth-layer session from previously-persisted delegation
+   * data. Used by {@link TinyCloudNode.restoreSession} so that downstream
+   * surfaces that read from `tinyCloudSession` (notably
+   * `grantRuntimePermissions`, which extracts the SIWE expiry from it) work
+   * without re-running the full sign-in flow.
+   *
+   * Caller must supply the same fields that `signIn` would have written —
+   * `siwe` is the load-bearing one because `extractSiweExpiration` returns
+   * undefined for missing SIWEs and the SDK then treats the session as
+   * expired-at-epoch-zero.
+   */
+  setRestoredTinyCloudSession(session) {
+    this._tinyCloudSession = session;
+    this._address = session.address;
+    this._chainId = session.chainId;
+  }
   async resolveTinyCloudHostsForSignIn(address, chainId) {
     if (this.tinycloudHosts && this.tinycloudHosts.length > 0) {
       return;
@@ -1231,9 +1249,10 @@ function legacyParamsToPermissionEntries(actions, path, spaceIdOverride) {
   }
   return entries;
 }
+var DEFAULT_DELEGATION_EXPIRY_MS = import_sdk_core4.EXPIRY.SESSION_MS;
 function resolveExpiryMs(expiry) {
   if (expiry === void 0) {
-    return 60 * 60 * 1e3;
+    return DEFAULT_DELEGATION_EXPIRY_MS;
   }
   if (typeof expiry === "number") {
     if (!Number.isFinite(expiry) || expiry <= 0) {
@@ -1403,6 +1422,7 @@ var NodeSecretsService = class {
 
 // src/TinyCloudNode.ts
 var DEFAULT_HOST = "https://node.tinycloud.xyz";
+var DEFAULT_SESSION_EXPIRATION_MS = import_sdk_core6.EXPIRY.SESSION_MS;
 var _TinyCloudNode = class _TinyCloudNode {
   /**
    * Create a new TinyCloudNode instance.
@@ -1545,7 +1565,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       sessionStorage: config.sessionStorage ?? new MemorySessionStorage(),
       domain: this.siweDomain,
       spacePrefix: config.prefix,
-      sessionExpirationMs: config.sessionExpirationMs ?? 60 * 60 * 1e3,
+      sessionExpirationMs: config.sessionExpirationMs ?? DEFAULT_SESSION_EXPIRATION_MS,
       tinycloudHosts: this.explicitHost ? [this.explicitHost] : void 0,
       tinycloudRegistryUrl: config.tinycloudRegistryUrl,
       tinycloudFallbackHosts: config.tinycloudFallbackHosts,
@@ -1811,6 +1831,33 @@ var _TinyCloudNode = class _TinyCloudNode {
     this._vault.initialize(this._serviceContext);
     this._serviceContext.registerService("vault", this._vault);
     this.initializeV2Services(serviceSession);
+    if (sessionData.siwe && sessionData.address && sessionData.chainId) {
+      const tcSession = {
+        address: sessionData.address,
+        chainId: sessionData.chainId,
+        sessionKey: JSON.stringify(sessionData.jwk),
+        spaceId: sessionData.spaceId,
+        delegationCid: sessionData.delegationCid,
+        delegationHeader: sessionData.delegationHeader,
+        verificationMethod: sessionData.verificationMethod,
+        jwk: sessionData.jwk,
+        siwe: sessionData.siwe,
+        signature: sessionData.signature ?? ""
+      };
+      if (this.auth) {
+        this.auth.setRestoredTinyCloudSession(tcSession);
+      } else {
+        this._restoredTcSession = tcSession;
+      }
+    }
+  }
+  /**
+   * Resolve the currently-active TinyCloudSession, preferring the auth
+   * layer's value (wallet mode) and falling back to the node-level
+   * rehydration set by {@link restoreSession} (session-only mode).
+   */
+  currentTinyCloudSession() {
+    return this.auth?.tinyCloudSession ?? this._restoredTcSession;
   }
   /**
    * Connect a wallet to upgrade from session-only mode to wallet mode.
@@ -1855,7 +1902,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       sessionStorage: options?.sessionStorage ?? this.config.sessionStorage ?? new MemorySessionStorage(),
       domain: this.siweDomain,
       spacePrefix: prefix,
-      sessionExpirationMs: this.config.sessionExpirationMs ?? 60 * 60 * 1e3,
+      sessionExpirationMs: this.config.sessionExpirationMs ?? DEFAULT_SESSION_EXPIRATION_MS,
       tinycloudHosts: this.explicitHost ? [this.explicitHost] : void 0,
       tinycloudRegistryUrl: this.config.tinycloudRegistryUrl,
       tinycloudFallbackHosts: this.config.tinycloudFallbackHosts,
@@ -1899,7 +1946,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       sessionStorage: options?.sessionStorage ?? this.config.sessionStorage ?? new MemorySessionStorage(),
       domain: this.siweDomain,
       spacePrefix: prefix,
-      sessionExpirationMs: this.config.sessionExpirationMs ?? 60 * 60 * 1e3,
+      sessionExpirationMs: this.config.sessionExpirationMs ?? DEFAULT_SESSION_EXPIRATION_MS,
       tinycloudHosts: this.explicitHost ? [this.explicitHost] : void 0,
       tinycloudRegistryUrl: this.config.tinycloudRegistryUrl,
       tinycloudFallbackHosts: this.config.tinycloudFallbackHosts,
@@ -2175,7 +2222,7 @@ var _TinyCloudNode = class _TinyCloudNode {
    * @internal
    */
   getSessionExpiry() {
-    const expirationMs = this.config.sessionExpirationMs ?? 60 * 60 * 1e3;
+    const expirationMs = this.config.sessionExpirationMs ?? DEFAULT_SESSION_EXPIRATION_MS;
     return new Date(Date.now() + expirationMs);
   }
   /**
@@ -2332,6 +2379,34 @@ var _TinyCloudNode = class _TinyCloudNode {
     }
     return this._sql;
   }
+  /**
+   * Get an SQL service scoped to a specific space.
+   *
+   * Mirrors {@link SpaceService}'s per-space KV factory: clones the active
+   * service context and overrides its session's spaceId so that subsequent
+   * `sql/<dbName>/<action>` invocations route to that space. Useful when
+   * the caller already holds a delegation covering the target space (e.g.
+   * via {@link grantRuntimePermissions} or {@link useRuntimeDelegation})
+   * but the SDK's per-space SQL surface isn't otherwise exposed.
+   *
+   * Does NOT auto-create the space.
+   *
+   * @param spaceId - Full space URI (`tinycloud:pkh:eip155:<chain>:<addr>:<name>`).
+   */
+  sqlForSpace(spaceId) {
+    if (!this._serviceContext || !this._serviceContext.session) {
+      throw new Error("Not signed in. Call signIn() first.");
+    }
+    const sql = new import_sdk_core6.SQLService({});
+    const spaceScopedContext = new import_sdk_core6.ServiceContext({
+      invoke: this._serviceContext.invoke,
+      fetch: this._serviceContext.fetch,
+      hosts: this._serviceContext.hosts
+    });
+    spaceScopedContext.setSession({ ...this._serviceContext.session, spaceId });
+    sql.initialize(spaceScopedContext);
+    return sql;
+  }
   /**
    * DuckDB database operations on this user's space.
    */
@@ -2457,7 +2532,7 @@ var _TinyCloudNode = class _TinyCloudNode {
    * every requested permission.
    */
   hasRuntimePermissions(permissions) {
-    const session = this.auth?.tinyCloudSession;
+    const session = this.currentTinyCloudSession();
     if (!session || !Array.isArray(permissions) || permissions.length === 0) {
       return false;
     }
@@ -2477,7 +2552,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     if (permissions === void 0) {
       return this.runtimePermissionGrants.map((grant) => grant.delegation);
     }
-    const session = this.auth?.tinyCloudSession;
+    const session = this.currentTinyCloudSession();
     if (!session || !Array.isArray(permissions) || permissions.length === 0) {
       return [];
     }
@@ -2491,7 +2566,7 @@ var _TinyCloudNode = class _TinyCloudNode {
    * matching service calls and downstream `delegateTo()` calls can use it.
    */
   async useRuntimeDelegation(delegation) {
-    const session = this.auth?.tinyCloudSession;
+    const session = this.currentTinyCloudSession();
     if (!session) {
       throw new import_sdk_core6.SessionExpiredError(/* @__PURE__ */ new Date(0));
     }
@@ -2530,7 +2605,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     if (!Array.isArray(permissions) || permissions.length === 0) {
       throw new Error("grantRuntimePermissions requires a non-empty permissions array");
     }
-    const session = this.auth?.tinyCloudSession;
+    const session = this.currentTinyCloudSession();
     if (!session) {
       throw new import_sdk_core6.SessionExpiredError(/* @__PURE__ */ new Date(0));
     }
@@ -2758,7 +2833,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     ];
     const abilities = { kv: { "": kvActions } };
     const now = /* @__PURE__ */ new Date();
-    const expiryMs = 60 * 60 * 1e3;
+    const expiryMs = import_sdk_core6.EXPIRY.EPHEMERAL_MS;
     const expirationTime = new Date(now.getTime() + expiryMs);
     const prepared = this.wasmBindings.prepareSession({
       abilities,
@@ -3817,6 +3892,7 @@ var import_sdk_core18 = require("@tinycloud/sdk-core");
   CapabilityKeyRegistryErrorCodes,
   DEFAULT_MANIFEST_SPACE,
   DEFAULT_MANIFEST_VERSION,
+  DEFAULT_SIGNED_READ_URL_EXPIRY_MS,
   DataVaultService,
   DatabaseHandle,
   DelegatedAccess,