@tinycloud/node-sdk 2.2.0-beta.6 → 2.2.0-beta.7

package/dist/index.d.cts

@@ -1,6 +1,6 @@
 import { ISigner, Bytes, IWasmBindings, ISessionManager } from '@tinycloud/sdk-core';
-export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IngestOptions, InvokeFunction, JWK, KVResponse, KVService, KVServiceConfig, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestValidationError, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResourceCapability, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, buildSpaceUri, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, expandActionShortNames, isCapabilitySubset, loadManifest, makePublicSpaceId, parseExpiry, parseSpaceUri, resolveManifest, resourceCapabilitiesToSpaceAbilitiesMap, validateManifest } from '@tinycloud/sdk-core';
-export { D as DelegateToOptions, a as DelegateToResult, b as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, c as NodeUserAuthorization, d as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, S as SignStrategy, T as TinyCloudNode, e as TinyCloudNodeConfig, W as WasmKeyProvider, f as WasmKeyProviderConfig, g as createWasmKeyProvider, h as defaultSignStrategy, i as deserializeDelegation, s as serializeDelegation } from './core-DdMPUB5s.cjs';
+export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IngestOptions, InvokeFunction, JWK, KVResponse, KVService, KVServiceConfig, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResourceCapability, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, buildSpaceUri, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, expandActionShortNames, isCapabilitySubset, loadManifest, makePublicSpaceId, parseExpiry, parseSpaceUri, resolveManifest, resourceCapabilitiesToSpaceAbilitiesMap, validateManifest } from '@tinycloud/sdk-core';
+export { D as DelegateToOptions, a as DelegateToResult, b as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, c as NodeUserAuthorization, d as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, S as SignStrategy, T as TinyCloudNode, e as TinyCloudNodeConfig, W as WasmKeyProvider, f as WasmKeyProviderConfig, g as createWasmKeyProvider, h as defaultSignStrategy, i as deserializeDelegation, s as serializeDelegation } from './core-C3s0bgRe.cjs';
 import { invoke, invokeAny, prepareSession, completeSessionSetup, ensureEip55, makeSpaceId, createDelegation, parseRecapFromSiwe, generateHostSIWEMessage, siweToDelegationHeaders, protocolVersion, vault_encrypt, vault_decrypt, vault_derive_key, vault_x25519_from_seed, vault_x25519_dh, vault_random_bytes, vault_sha256 } from '@tinycloud/node-sdk-wasm';
 import 'events';
 import '@tinycloud/sdk-services';

package/dist/index.d.ts

@@ -1,6 +1,6 @@
 import { ISigner, Bytes, IWasmBindings, ISessionManager } from '@tinycloud/sdk-core';
-export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IngestOptions, InvokeFunction, JWK, KVResponse, KVService, KVServiceConfig, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestValidationError, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResourceCapability, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, buildSpaceUri, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, expandActionShortNames, isCapabilitySubset, loadManifest, makePublicSpaceId, parseExpiry, parseSpaceUri, resolveManifest, resourceCapabilitiesToSpaceAbilitiesMap, validateManifest } from '@tinycloud/sdk-core';
-export { D as DelegateToOptions, a as DelegateToResult, b as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, c as NodeUserAuthorization, d as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, S as SignStrategy, T as TinyCloudNode, e as TinyCloudNodeConfig, W as WasmKeyProvider, f as WasmKeyProviderConfig, g as createWasmKeyProvider, h as defaultSignStrategy, i as deserializeDelegation, s as serializeDelegation } from './core-DdMPUB5s.js';
+export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IngestOptions, InvokeFunction, JWK, KVResponse, KVService, KVServiceConfig, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResourceCapability, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, buildSpaceUri, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, expandActionShortNames, isCapabilitySubset, loadManifest, makePublicSpaceId, parseExpiry, parseSpaceUri, resolveManifest, resourceCapabilitiesToSpaceAbilitiesMap, validateManifest } from '@tinycloud/sdk-core';
+export { D as DelegateToOptions, a as DelegateToResult, b as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, c as NodeUserAuthorization, d as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, S as SignStrategy, T as TinyCloudNode, e as TinyCloudNodeConfig, W as WasmKeyProvider, f as WasmKeyProviderConfig, g as createWasmKeyProvider, h as defaultSignStrategy, i as deserializeDelegation, s as serializeDelegation } from './core-C3s0bgRe.js';
 import { invoke, invokeAny, prepareSession, completeSessionSetup, ensureEip55, makeSpaceId, createDelegation, parseRecapFromSiwe, generateHostSIWEMessage, siweToDelegationHeaders, protocolVersion, vault_encrypt, vault_decrypt, vault_derive_key, vault_x25519_from_seed, vault_x25519_dh, vault_random_bytes, vault_sha256 } from '@tinycloud/node-sdk-wasm';
 import 'events';
 import '@tinycloud/sdk-services';

package/dist/index.js

@@ -17159,6 +17159,7 @@ import {
   DuckDbService as DuckDbService2,
   HooksService as HooksService2,
   DataVaultService,
+  SecretsService,
   createVaultCrypto,
   ServiceContext as ServiceContext2,
   SilentNotificationHandler,
@@ -18241,6 +18242,179 @@ function extractSiweExpiration(siwe) {
   return d;
 }
 
+// src/NodeSecretsService.ts
+import {
+  ErrorCodes,
+  resolveManifest
+} from "@tinycloud/sdk-core";
+var SECRET_NAME_RE = /^[A-Z][A-Z0-9_]*$/;
+var SECRET_PREFIX = "secrets/";
+var SECRETS_SPACE = "secrets";
+function ok() {
+  return { ok: true, data: void 0 };
+}
+function secretsError(code, message, cause) {
+  return {
+    ok: false,
+    error: {
+      code,
+      service: "secrets",
+      message,
+      ...cause ? { cause } : {}
+    }
+  };
+}
+function actionUrn(action) {
+  return `tinycloud.kv/${action}`;
+}
+function secretResourcePath(base2, name) {
+  return `${base2}/${SECRET_PREFIX}${name}`;
+}
+function secretPermissionEntries(name, action) {
+  return [
+    {
+      service: "tinycloud.kv",
+      space: SECRETS_SPACE,
+      path: secretResourcePath("keys", name),
+      actions: [action],
+      skipPrefix: true
+    },
+    {
+      service: "tinycloud.kv",
+      space: SECRETS_SPACE,
+      path: secretResourcePath("vault", name),
+      actions: [action],
+      skipPrefix: true
+    }
+  ];
+}
+function isSecretsSpace(space) {
+  return space === SECRETS_SPACE || space.endsWith(`:${SECRETS_SPACE}`);
+}
+function composeEscalatedManifest(manifest, additional) {
+  if (Array.isArray(manifest)) {
+    const [primary, ...rest] = manifest;
+    return [
+      {
+        ...primary,
+        permissions: [...primary.permissions ?? [], ...additional]
+      },
+      ...rest
+    ];
+  }
+  return {
+    ...manifest,
+    permissions: [...manifest.permissions ?? [], ...additional]
+  };
+}
+var NodeSecretsService = class {
+  constructor(config) {
+    this.config = config;
+    this.shouldRestoreUnlock = false;
+  }
+  get vault() {
+    return this.service.vault;
+  }
+  get isUnlocked() {
+    return this.service.isUnlocked;
+  }
+  async unlock(signer) {
+    if (signer !== void 0) {
+      this.unlockSigner = signer;
+    }
+    const result = await this.service.unlock(signer);
+    if (result.ok) {
+      this.shouldRestoreUnlock = true;
+    }
+    return result;
+  }
+  lock() {
+    this.shouldRestoreUnlock = false;
+    this.service.lock();
+  }
+  get(name) {
+    return this.service.get(name);
+  }
+  async put(name, value) {
+    const permission = await this.ensureMutationPermission(name, "put");
+    if (!permission.ok) return permission;
+    return this.service.put(name, value);
+  }
+  async delete(name) {
+    const permission = await this.ensureMutationPermission(name, "del");
+    if (!permission.ok) return permission;
+    return this.service.delete(name);
+  }
+  list() {
+    return this.service.list();
+  }
+  get service() {
+    return this.config.getService();
+  }
+  async ensureMutationPermission(name, action) {
+    if (!SECRET_NAME_RE.test(name)) {
+      return secretsError(
+        ErrorCodes.INVALID_INPUT,
+        `Invalid secret name ${JSON.stringify(name)}. Secret names must match ${SECRET_NAME_RE.source}.`
+      );
+    }
+    if (this.hasMutationPermission(name, action)) {
+      return ok();
+    }
+    if (!this.config.canEscalate()) {
+      return secretsError(
+        ErrorCodes.PERMISSION_DENIED,
+        `Cannot autosign ${actionUrn(action)} for ${name}; TinyCloudNode needs wallet mode with a signer or privateKey.`
+      );
+    }
+    const manifest = this.config.getManifest();
+    if (manifest === void 0) {
+      return secretsError(
+        ErrorCodes.PERMISSION_DENIED,
+        `Cannot autosign ${actionUrn(action)} for ${name}; set a manifest before mutating secrets.`
+      );
+    }
+    try {
+      this.config.setManifest(
+        composeEscalatedManifest(
+          manifest,
+          secretPermissionEntries(name, action)
+        )
+      );
+      await this.config.signIn();
+      return this.restoreUnlockAfterEscalation();
+    } catch (error) {
+      return secretsError(
+        ErrorCodes.PERMISSION_DENIED,
+        error instanceof Error ? error.message : `Autosign escalation for ${actionUrn(action)} on ${name} failed.`,
+        error instanceof Error ? error : void 0
+      );
+    }
+  }
+  async restoreUnlockAfterEscalation() {
+    if (!this.shouldRestoreUnlock) {
+      return ok();
+    }
+    return this.service.unlock(this.unlockSigner);
+  }
+  hasMutationPermission(name, action) {
+    const manifest = this.config.getManifest();
+    if (manifest === void 0) {
+      return false;
+    }
+    const manifests = Array.isArray(manifest) ? manifest : [manifest];
+    const requiredAction = actionUrn(action);
+    return manifests.some((entry) => {
+      const resolved = resolveManifest(entry);
+      return ["keys", "vault"].every(
+        (base2) => resolved.resources.some(
+          (resource) => resource.service === "tinycloud.kv" && isSecretsSpace(resource.space) && resource.path === secretResourcePath(base2, name) && resource.actions.includes(requiredAction)
+        )
+      );
+    });
+  }
+};
+
 // src/TinyCloudNode.ts
 var DEFAULT_HOST = "https://node.tinycloud.xyz";
 var _TinyCloudNode = class _TinyCloudNode {
@@ -18495,6 +18669,10 @@ var _TinyCloudNode = class _TinyCloudNode {
     this._sql = void 0;
     this._duckdb = void 0;
     this._hooks = void 0;
+    this._vault = void 0;
+    this._baseSecrets = void 0;
+    this._secrets = void 0;
+    this._spaceService = void 0;
     this._serviceContext = void 0;
     await this.tc.signIn(options);
     this.syncResolvedHostFromAuth();
@@ -18580,6 +18758,10 @@ var _TinyCloudNode = class _TinyCloudNode {
     this._sql = void 0;
     this._duckdb = void 0;
     this._hooks = void 0;
+    this._vault = void 0;
+    this._baseSecrets = void 0;
+    this._secrets = void 0;
+    this._spaceService = void 0;
     this._serviceContext = void 0;
     if (sessionData.address) {
       this._address = sessionData.address;
@@ -18613,41 +18795,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       jwk: sessionData.jwk
     };
     this._serviceContext.setSession(serviceSession);
-    const wasm = this.wasmBindings;
-    const vaultCrypto = createVaultCrypto({
-      vault_encrypt: wasm.vault_encrypt,
-      vault_decrypt: wasm.vault_decrypt,
-      vault_derive_key: wasm.vault_derive_key,
-      vault_x25519_from_seed: wasm.vault_x25519_from_seed,
-      vault_x25519_dh: wasm.vault_x25519_dh,
-      vault_random_bytes: wasm.vault_random_bytes,
-      vault_sha256: wasm.vault_sha256
-    });
-    const self2 = this;
-    this._vault = new DataVaultService({
-      spaceId: sessionData.spaceId,
-      crypto: vaultCrypto,
-      tc: {
-        kv: this._kv,
-        ensurePublicSpace: async () => {
-          try {
-            await self2.ensurePublicSpace();
-            return { ok: true, data: void 0 };
-          } catch (error) {
-            return { ok: false, error: { code: "STORAGE_ERROR", message: error instanceof Error ? error.message : String(error), service: "vault" } };
-          }
-        },
-        get publicKV() {
-          return self2._publicKV ?? self2.tc.publicKV;
-        },
-        readPublicSpace: (host, spaceId, key2) => TinyCloud.readPublicSpace(host, spaceId, key2),
-        makePublicSpaceId: TinyCloud.makePublicSpaceId,
-        did: this.did,
-        address: sessionData.address ?? this._address ?? "",
-        chainId: sessionData.chainId ?? this._chainId,
-        hosts: [this.config.host]
-      }
-    });
+    this._vault = this.createVaultService(sessionData.spaceId, this._kv);
     this._vault.initialize(this._serviceContext);
     this._serviceContext.registerService("vault", this._vault);
     this.initializeV2Services(serviceSession);
@@ -18799,6 +18947,28 @@ var _TinyCloudNode = class _TinyCloudNode {
     };
     this._serviceContext.setSession(serviceSession);
     this.tc.serviceContext.setSession(serviceSession);
+    this._vault = this.createVaultService(session.spaceId, this._kv);
+    this._vault.initialize(this._serviceContext);
+    this._serviceContext.registerService("vault", this._vault);
+    this.initializeV2Services(serviceSession);
+  }
+  createSpaceScopedKVService(spaceId) {
+    const kvService = new KVService2({});
+    if (this._serviceContext) {
+      const spaceScopedContext = new ServiceContext2({
+        invoke: this._serviceContext.invoke,
+        fetch: this._serviceContext.fetch,
+        hosts: this._serviceContext.hosts
+      });
+      const session = this._serviceContext.session;
+      if (session) {
+        spaceScopedContext.setSession({ ...session, spaceId });
+      }
+      kvService.initialize(spaceScopedContext);
+    }
+    return kvService;
+  }
+  createVaultService(spaceId, kv) {
     const wasm = this.wasmBindings;
     const vaultCrypto = createVaultCrypto({
       vault_encrypt: wasm.vault_encrypt,
@@ -18810,11 +18980,11 @@ var _TinyCloudNode = class _TinyCloudNode {
       vault_sha256: wasm.vault_sha256
     });
     const self2 = this;
-    this._vault = new DataVaultService({
-      spaceId: session.spaceId,
+    return new DataVaultService({
+      spaceId,
       crypto: vaultCrypto,
       tc: {
-        kv: this._kv,
+        kv,
         ensurePublicSpace: async () => {
           try {
             await self2.ensurePublicSpace();
@@ -18826,17 +18996,14 @@ var _TinyCloudNode = class _TinyCloudNode {
         get publicKV() {
           return self2._publicKV ?? self2.tc.publicKV;
         },
-        readPublicSpace: (host, spaceId, key2) => TinyCloud.readPublicSpace(host, spaceId, key2),
+        readPublicSpace: (host, targetSpaceId, key2) => TinyCloud.readPublicSpace(host, targetSpaceId, key2),
         makePublicSpaceId: TinyCloud.makePublicSpaceId,
         did: this.did,
-        address: this._address,
+        address: this._address ?? "",
         chainId: this._chainId,
         hosts: [this.config.host]
       }
     });
-    this._vault.initialize(this._serviceContext);
-    this._serviceContext.registerService("vault", this._vault);
-    this.initializeV2Services(serviceSession);
   }
   /**
    * Initialize the v2 delegation system services.
@@ -18931,20 +19098,15 @@ var _TinyCloudNode = class _TinyCloudNode {
       capabilityRegistry: this._capabilityRegistry,
       userDid: this.did,
       createKVService: (spaceId) => {
-        const kvService = new KVService2({});
+        return this.createSpaceScopedKVService(spaceId);
+      },
+      createVaultService: (spaceId) => {
+        const kvService = this.createSpaceScopedKVService(spaceId);
+        const vaultService = this.createVaultService(spaceId, kvService);
         if (this._serviceContext) {
-          const spaceScopedContext = new ServiceContext2({
-            invoke: this._serviceContext.invoke,
-            fetch: this._serviceContext.fetch,
-            hosts: this._serviceContext.hosts
-          });
-          const session = this._serviceContext.session;
-          if (session) {
-            spaceScopedContext.setSession({ ...session, spaceId });
-          }
-          kvService.initialize(spaceScopedContext);
+          vaultService.initialize(this._serviceContext);
         }
-        return kvService;
+        return vaultService;
       },
       // Enable space.delegations.create() via SIWE-based delegation
       createDelegation: async (params) => {
@@ -19181,6 +19343,33 @@ var _TinyCloudNode = class _TinyCloudNode {
     }
     return this._vault;
   }
+  /**
+   * App-facing secrets API backed by the `secrets` space vault.
+   */
+  get secrets() {
+    if (!this._spaceService) {
+      throw new Error("Not signed in. Call signIn() first.");
+    }
+    if (!this._secrets) {
+      this._secrets = new NodeSecretsService({
+        getService: () => this.getBaseSecrets(),
+        getManifest: () => this.manifest,
+        setManifest: (manifest) => this.setManifest(manifest),
+        signIn: () => this.signIn(),
+        canEscalate: () => this.signer !== void 0 && this.tc !== void 0
+      });
+    }
+    return this._secrets;
+  }
+  getBaseSecrets() {
+    if (!this._spaceService) {
+      throw new Error("Not signed in. Call signIn() first.");
+    }
+    if (!this._baseSecrets) {
+      this._baseSecrets = new SecretsService(() => this.space("secrets").vault);
+    }
+    return this._baseSecrets;
+  }
   /**
    * Hooks write stream subscription API.
    */
@@ -19319,6 +19508,12 @@ var _TinyCloudNode = class _TinyCloudNode {
   get spaceService() {
     return this.spaces;
   }
+  /**
+   * Get a Space object by short name or full URI.
+   */
+  space(nameOrUri) {
+    return this.spaces.get(nameOrUri);
+  }
   /**
    * Get the SharingService for creating and receiving v2 sharing links.
    *
@@ -20287,7 +20482,7 @@ import {
   SessionExpiredError as SessionExpiredError2,
   ManifestValidationError,
   composeManifestRequest as composeManifestRequest2,
-  resolveManifest,
+  resolveManifest as resolveManifest2,
   validateManifest,
   loadManifest,
   isCapabilitySubset as isCapabilitySubset2,
@@ -20324,7 +20519,8 @@ import {
   DataVaultService as DataVaultService2,
   VaultHeaders,
   VaultPublicSpaceKVActions,
-  createVaultCrypto as createVaultCrypto2
+  createVaultCrypto as createVaultCrypto2,
+  SecretsService as SecretsService2
 } from "@tinycloud/sdk-core";
 import { HooksService as HooksService3 } from "@tinycloud/sdk-core";
 import {
@@ -20383,6 +20579,7 @@ export {
   ProtocolMismatchError,
   SQLAction,
   SQLService3 as SQLService,
+  SecretsService2 as SecretsService,
   ServiceContext3 as ServiceContext,
   SessionExpiredError2 as SessionExpiredError,
   SharingService2 as SharingService,
@@ -20414,7 +20611,7 @@ export {
   makePublicSpaceId2 as makePublicSpaceId,
   parseExpiry2 as parseExpiry,
   parseSpaceUri,
-  resolveManifest,
+  resolveManifest2 as resolveManifest,
   resourceCapabilitiesToSpaceAbilitiesMap2 as resourceCapabilitiesToSpaceAbilitiesMap,
   serializeDelegation,
   validateManifest