@tinycloud/node-sdk 2.2.0-beta.7 → 2.2.0-beta.9

package/dist/core.js

@@ -972,7 +972,7 @@ import {
   ACCOUNT_REGISTRY_SPACE,
   PermissionNotInManifestError,
   SessionExpiredError,
-  expandActionShortNames,
+  expandPermissionEntries as expandPermissionEntriesCore,
   isCapabilitySubset,
   parseRecapCapabilities,
   SERVICE_LONG_TO_SHORT
@@ -1240,49 +1240,29 @@ function secretsError(code, message, cause) {
     }
   };
 }
-function actionUrn(action) {
-  return `tinycloud.kv/${action}`;
+function displayActionUrn(action) {
+  return action === "put" ? "tinycloud.vault/write" : "tinycloud.vault/delete";
 }
-function secretResourcePath(base, name) {
-  return `${base}/${SECRET_PREFIX}${name}`;
+function kvActionUrn(action) {
+  return `tinycloud.kv/${action}`;
 }
 function secretPermissionEntries(name, action) {
   return [
     {
-      service: "tinycloud.kv",
-      space: SECRETS_SPACE,
-      path: secretResourcePath("keys", name),
-      actions: [action],
-      skipPrefix: true
-    },
-    {
-      service: "tinycloud.kv",
+      service: "tinycloud.vault",
       space: SECRETS_SPACE,
-      path: secretResourcePath("vault", name),
-      actions: [action],
+      path: `${SECRET_PREFIX}${name}`,
+      actions: [action === "put" ? "write" : "delete"],
       skipPrefix: true
     }
   ];
 }
+function secretResourcePath(base, name) {
+  return `${base}/${SECRET_PREFIX}${name}`;
+}
 function isSecretsSpace(space) {
   return space === SECRETS_SPACE || space.endsWith(`:${SECRETS_SPACE}`);
 }
-function composeEscalatedManifest(manifest, additional) {
-  if (Array.isArray(manifest)) {
-    const [primary, ...rest] = manifest;
-    return [
-      {
-        ...primary,
-        permissions: [...primary.permissions ?? [], ...additional]
-      },
-      ...rest
-    ];
-  }
-  return {
-    ...manifest,
-    permissions: [...manifest.permissions ?? [], ...additional]
-  };
-}
 var NodeSecretsService = class {
   constructor(config) {
     this.config = config;
@@ -1295,10 +1275,11 @@ var NodeSecretsService = class {
     return this.service.isUnlocked;
   }
   async unlock(signer) {
-    if (signer !== void 0) {
-      this.unlockSigner = signer;
+    const effectiveSigner = signer ?? this.config.getUnlockSigner?.();
+    if (effectiveSigner !== void 0) {
+      this.unlockSigner = effectiveSigner;
     }
-    const result = await this.service.unlock(signer);
+    const result = await this.service.unlock(effectiveSigner);
     if (result.ok) {
       this.shouldRestoreUnlock = true;
     }
@@ -1340,29 +1321,16 @@ var NodeSecretsService = class {
     if (!this.config.canEscalate()) {
       return secretsError(
         ErrorCodes.PERMISSION_DENIED,
-        `Cannot autosign ${actionUrn(action)} for ${name}; TinyCloudNode needs wallet mode with a signer or privateKey.`
-      );
-    }
-    const manifest = this.config.getManifest();
-    if (manifest === void 0) {
-      return secretsError(
-        ErrorCodes.PERMISSION_DENIED,
-        `Cannot autosign ${actionUrn(action)} for ${name}; set a manifest before mutating secrets.`
+        `Cannot autosign ${displayActionUrn(action)} for ${name}; TinyCloudNode needs wallet mode with a signer or privateKey.`
       );
     }
     try {
-      this.config.setManifest(
-        composeEscalatedManifest(
-          manifest,
-          secretPermissionEntries(name, action)
-        )
-      );
-      await this.config.signIn();
+      await this.config.grantPermissions(secretPermissionEntries(name, action));
       return this.restoreUnlockAfterEscalation();
     } catch (error) {
       return secretsError(
         ErrorCodes.PERMISSION_DENIED,
-        error instanceof Error ? error.message : `Autosign escalation for ${actionUrn(action)} on ${name} failed.`,
+        error instanceof Error ? error.message : `Autosign escalation for ${displayActionUrn(action)} on ${name} failed.`,
         error instanceof Error ? error : void 0
       );
     }
@@ -1379,7 +1347,7 @@ var NodeSecretsService = class {
       return false;
     }
     const manifests = Array.isArray(manifest) ? manifest : [manifest];
-    const requiredAction = actionUrn(action);
+    const requiredAction = kvActionUrn(action);
     return manifests.some((entry) => {
       const resolved = resolveManifest(entry);
       return ["keys", "vault"].every(
@@ -1422,6 +1390,30 @@ var _TinyCloudNode = class _TinyCloudNode {
     this.auth = null;
     this.tc = null;
     this._chainId = 1;
+    this.runtimePermissionGrants = [];
+    this.invokeWithRuntimePermissions = (session, service, path, action, facts) => {
+      return this.wasmBindings.invoke(
+        this.selectInvocationSession(session, service, path, action),
+        service,
+        path,
+        action,
+        facts
+      );
+    };
+    this.invokeAnyWithRuntimePermissions = (session, entries, facts) => {
+      if (!this.wasmBindings.invokeAny) {
+        throw new Error("WASM binding does not support invokeAny");
+      }
+      const grant = this.findGrantForOperations(
+        entries.map((entry) => ({
+          spaceId: entry.spaceId,
+          service: this.invocationServiceName(entry.service),
+          path: entry.path,
+          action: entry.action
+        }))
+      );
+      return this.wasmBindings.invokeAny(grant?.session ?? session, entries, facts);
+    };
     this.explicitHost = config.host;
     this.config = {
       ...config,
@@ -1457,7 +1449,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     this._sharingService = new SharingService({
       hosts: [this.config.host],
       // session: undefined - not needed for receive()
-      invoke: this.wasmBindings.invoke,
+      invoke: this.invokeWithRuntimePermissions,
       fetch: globalThis.fetch.bind(globalThis),
       keyProvider: this._keyProvider,
       registry: this._capabilityRegistry,
@@ -1525,7 +1517,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       includeAccountRegistryPermissions: config.includeAccountRegistryPermissions
     });
     this.tc = new TinyCloud(this.auth, {
-      invokeAny: this.wasmBindings.invokeAny
+      invokeAny: this.invokeAnyWithRuntimePermissions
     });
   }
   syncResolvedHostFromAuth() {
@@ -1650,6 +1642,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     this._secrets = void 0;
     this._spaceService = void 0;
     this._serviceContext = void 0;
+    this.runtimePermissionGrants = [];
     await this.tc.signIn(options);
     this.syncResolvedHostFromAuth();
     this.initializeServices();
@@ -1739,6 +1732,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     this._secrets = void 0;
     this._spaceService = void 0;
     this._serviceContext = void 0;
+    this.runtimePermissionGrants = [];
     if (sessionData.address) {
       this._address = sessionData.address;
     }
@@ -1746,8 +1740,8 @@ var _TinyCloudNode = class _TinyCloudNode {
       this._chainId = sessionData.chainId;
     }
     this._serviceContext = new ServiceContext2({
-      invoke: this.wasmBindings.invoke,
-      invokeAny: this.wasmBindings.invokeAny,
+      invoke: this.invokeWithRuntimePermissions,
+      invokeAny: this.invokeAnyWithRuntimePermissions,
       fetch: globalThis.fetch.bind(globalThis),
       hosts: [this.config.host]
     });
@@ -1833,7 +1827,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       includeAccountRegistryPermissions: this.config.includeAccountRegistryPermissions
     });
     this.tc = new TinyCloud(this.auth, {
-      invokeAny: this.wasmBindings.invokeAny
+      invokeAny: this.invokeAnyWithRuntimePermissions
     });
     this.config.prefix = prefix;
   }
@@ -1877,7 +1871,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       includeAccountRegistryPermissions: this.config.includeAccountRegistryPermissions
     });
     this.tc = new TinyCloud(this.auth, {
-      invokeAny: this.wasmBindings.invokeAny
+      invokeAny: this.invokeAnyWithRuntimePermissions
     });
     this.config.prefix = prefix;
   }
@@ -1890,10 +1884,10 @@ var _TinyCloudNode = class _TinyCloudNode {
     if (!session) {
       return;
     }
-    this.tc.initializeServices(this.wasmBindings.invoke, [this.config.host]);
+    this.tc.initializeServices(this.invokeWithRuntimePermissions, [this.config.host]);
     this._serviceContext = new ServiceContext2({
-      invoke: this.wasmBindings.invoke,
-      invokeAny: this.wasmBindings.invokeAny,
+      invoke: this.invokeWithRuntimePermissions,
+      invokeAny: this.invokeAnyWithRuntimePermissions,
       fetch: globalThis.fetch.bind(globalThis),
       hosts: [this.config.host]
     });
@@ -2063,7 +2057,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     this._delegationManager = new DelegationManager({
       hosts: [this.config.host],
       session: serviceSession,
-      invoke: this.wasmBindings.invoke,
+      invoke: this.invokeWithRuntimePermissions,
       fetch: globalThis.fetch.bind(globalThis)
     });
     this._spaceService = new SpaceService({
@@ -2330,9 +2324,9 @@ var _TinyCloudNode = class _TinyCloudNode {
       this._secrets = new NodeSecretsService({
         getService: () => this.getBaseSecrets(),
         getManifest: () => this.manifest,
-        setManifest: (manifest) => this.setManifest(manifest),
-        signIn: () => this.signIn(),
-        canEscalate: () => this.signer !== void 0 && this.tc !== void 0
+        grantPermissions: (additional) => this.grantRuntimePermissions(additional),
+        canEscalate: () => this.signer !== void 0 && this.tc !== void 0,
+        getUnlockSigner: () => this.signer ?? void 0
       });
     }
     return this._secrets;
@@ -2416,6 +2410,171 @@ var _TinyCloudNode = class _TinyCloudNode {
       }
     };
   }
+  /**
+   * Check whether the current session or an approved runtime delegation covers
+   * every requested permission.
+   */
+  hasRuntimePermissions(permissions) {
+    const session = this.auth?.tinyCloudSession;
+    if (!session || !Array.isArray(permissions) || permissions.length === 0) {
+      return false;
+    }
+    const expanded = this.expandPermissionEntries(permissions);
+    if (this.sessionCoversPermissionEntries(session, expanded)) {
+      return true;
+    }
+    return this.findRuntimeGrantsForPermissionEntries(expanded, session).length > 0;
+  }
+  /**
+   * Return installed runtime permission delegations. When `permissions` is
+   * provided, only delegations currently covering those permissions are
+   * returned. Base-session manifest permissions are not represented here.
+   */
+  getRuntimePermissionDelegations(permissions) {
+    this.pruneExpiredRuntimePermissionGrants();
+    if (permissions === void 0) {
+      return this.runtimePermissionGrants.map((grant) => grant.delegation);
+    }
+    const session = this.auth?.tinyCloudSession;
+    if (!session || !Array.isArray(permissions) || permissions.length === 0) {
+      return [];
+    }
+    const expanded = this.expandPermissionEntries(permissions);
+    return this.findRuntimeGrantsForPermissionEntries(expanded, session).map(
+      (grant) => grant.delegation
+    );
+  }
+  /**
+   * Install a portable runtime permission delegation into this SDK instance so
+   * matching service calls and downstream `delegateTo()` calls can use it.
+   */
+  async useRuntimeDelegation(delegation) {
+    const session = this.auth?.tinyCloudSession;
+    if (!session) {
+      throw new SessionExpiredError(/* @__PURE__ */ new Date(0));
+    }
+    if (delegation.expiry.getTime() <= Date.now()) {
+      throw new SessionExpiredError(delegation.expiry);
+    }
+    const expectedDids = /* @__PURE__ */ new Set([session.verificationMethod, this.sessionDid]);
+    if (!expectedDids.has(delegation.delegateDID)) {
+      throw new Error(
+        `Runtime delegation targets ${delegation.delegateDID} but this session key is ${session.verificationMethod}.`
+      );
+    }
+    const targetHost = delegation.host ?? this.config.host;
+    const activateResult = await activateSessionWithHost2(
+      targetHost,
+      delegation.delegationHeader
+    );
+    if (!activateResult.success) {
+      throw new Error(
+        `Failed to activate runtime permission delegation: ${activateResult.error}`
+      );
+    }
+    this.runtimePermissionGrants = this.runtimePermissionGrants.filter(
+      (grant) => grant.delegation.cid !== delegation.cid
+    );
+    this.runtimePermissionGrants.push(
+      this.runtimeGrantFromDelegation(delegation, session)
+    );
+  }
+  /**
+   * Store additional permissions as narrow delegations to the current session
+   * key. Future service invocations automatically use a stored delegation when
+   * its `(space, service, path, action)` covers the request.
+   */
+  async grantRuntimePermissions(permissions, options) {
+    if (!Array.isArray(permissions) || permissions.length === 0) {
+      throw new Error("grantRuntimePermissions requires a non-empty permissions array");
+    }
+    const session = this.auth?.tinyCloudSession;
+    if (!session) {
+      throw new SessionExpiredError(/* @__PURE__ */ new Date(0));
+    }
+    const sessionExpiry = extractSiweExpiration(session.siwe);
+    if (sessionExpiry !== void 0) {
+      const marginMs = _TinyCloudNode.SESSION_EXPIRY_SAFETY_MARGIN_MS;
+      if (sessionExpiry.getTime() <= Date.now() + marginMs) {
+        throw new SessionExpiredError(sessionExpiry);
+      }
+    }
+    const expanded = this.expandPermissionEntries(permissions);
+    if (this.sessionCoversPermissionEntries(session, expanded)) {
+      return [];
+    }
+    const existingGrants = this.findRuntimeGrantsForPermissionEntries(expanded, session);
+    if (existingGrants.length > 0) {
+      return existingGrants.map((grant) => grant.delegation);
+    }
+    if (!this.signer) {
+      throw new Error(
+        "grantRuntimePermissions requires wallet mode with a signer or privateKey."
+      );
+    }
+    const bySpace = /* @__PURE__ */ new Map();
+    for (const entry of expanded) {
+      const spaceId = this.resolvePermissionSpace(entry.space, session);
+      const current = bySpace.get(spaceId) ?? [];
+      current.push(entry);
+      bySpace.set(spaceId, current);
+    }
+    const now = /* @__PURE__ */ new Date();
+    const requestedExpiryMs = resolveExpiryMs(options?.expiry);
+    let expiresAt = new Date(now.getTime() + requestedExpiryMs);
+    if (sessionExpiry !== void 0 && sessionExpiry < expiresAt) {
+      expiresAt = sessionExpiry;
+    }
+    const delegations = [];
+    for (const [spaceId, entries] of bySpace) {
+      const abilities = this.permissionsToAbilities(entries);
+      const prepared = this.wasmBindings.prepareSession({
+        abilities,
+        address: this.wasmBindings.ensureEip55(session.address),
+        chainId: session.chainId,
+        domain: this.siweDomain,
+        issuedAt: now.toISOString(),
+        expirationTime: expiresAt.toISOString(),
+        spaceId,
+        jwk: session.jwk
+      });
+      const signature = await this.signer.signMessage(prepared.siwe);
+      const delegatedSession = this.wasmBindings.completeSessionSetup({
+        ...prepared,
+        signature
+      });
+      const activateResult = await activateSessionWithHost2(
+        this.config.host,
+        delegatedSession.delegationHeader
+      );
+      if (!activateResult.success) {
+        throw new Error(
+          `Failed to activate runtime permission delegation: ${activateResult.error}`
+        );
+      }
+      const delegation = this.runtimeDelegationFromSession(
+        delegatedSession,
+        entries,
+        spaceId,
+        session,
+        expiresAt
+      );
+      this.runtimePermissionGrants.push({
+        session: {
+          delegationHeader: delegatedSession.delegationHeader,
+          delegationCid: delegatedSession.delegationCid,
+          spaceId,
+          verificationMethod: session.verificationMethod,
+          jwk: session.jwk
+        },
+        delegation,
+        operations: this.permissionOperations(entries, spaceId),
+        expiresAt
+      });
+      delegations.push(delegation);
+    }
+    return delegations;
+  }
   /**
    * Get the DelegationManager for delegation CRUD operations.
    *
@@ -2604,7 +2763,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     if (this._serviceContext) {
       const publicKV = new KVService2({ prefix: "" });
       const publicContext = new ServiceContext2({
-        invoke: this.wasmBindings.invoke,
+        invoke: this.invokeWithRuntimePermissions,
         fetch: this._serviceContext.fetch,
         hosts: this._serviceContext.hosts
       });
@@ -2692,8 +2851,9 @@ var _TinyCloudNode = class _TinyCloudNode {
    * Issue a delegation using the capability-chain flow.
    *
    * When every requested permission is a subset of the current
-   * session's recap, the delegation is signed by the session key via
-   * WASM — no wallet prompt. When at least one is NOT derivable, a
+   * session's recap, or of one installed runtime permission delegation,
+   * the delegation is signed by the session key via WASM — no wallet
+   * prompt. When at least one is NOT derivable, a
    * {@link PermissionNotInManifestError} is raised (carrying the
    * missing entries) so the caller can trigger an escalation flow
    * (e.g. `TinyCloudWeb.requestPermissions`). Passing
@@ -2743,10 +2903,7 @@ var _TinyCloudNode = class _TinyCloudNode {
         "delegateTo requires a non-empty permissions array"
       );
     }
-    const expandedEntries = permissions.map((entry) => ({
-      ...entry,
-      actions: expandActionShortNames(entry.service, entry.actions)
-    }));
+    const expandedEntries = this.expandPermissionEntries(permissions);
     const now = /* @__PURE__ */ new Date();
     const expiryMs = resolveExpiryMs(options?.expiry);
     const expirationTime = new Date(now.getTime() + expiryMs);
@@ -2773,6 +2930,23 @@ var _TinyCloudNode = class _TinyCloudNode {
     );
     const { subset, missing } = isCapabilitySubset(expandedEntries, granted);
     if (!subset) {
+      const runtimeGrant = this.findGrantForOperations(
+        this.permissionEntriesToOperations(expandedEntries, session)
+      );
+      if (runtimeGrant) {
+        const marginMs = _TinyCloudNode.SESSION_EXPIRY_SAFETY_MARGIN_MS;
+        if (runtimeGrant.expiresAt.getTime() <= Date.now() + marginMs) {
+          throw new SessionExpiredError(runtimeGrant.expiresAt);
+        }
+        const runtimeExpiration = runtimeGrant.expiresAt < effectiveExpiration ? runtimeGrant.expiresAt : effectiveExpiration;
+        const delegation2 = await this.createDelegationViaRuntimeGrant(
+          did,
+          expandedEntries,
+          runtimeExpiration,
+          runtimeGrant
+        );
+        return { delegation: delegation2, prompted: false };
+      }
       throw new PermissionNotInManifestError(missing, granted);
     }
     const delegation = await this.createDelegationViaWasmPath(
@@ -2917,6 +3091,41 @@ var _TinyCloudNode = class _TinyCloudNode {
       host: this.config.host
     };
   }
+  async createDelegationViaRuntimeGrant(did, entries, expirationTime, grant) {
+    const result = this.createDelegationWrapper({
+      session: grant.session,
+      delegateDID: did,
+      spaceId: grant.session.spaceId,
+      abilities: this.permissionsToAbilities(entries),
+      expirationSecs: Math.floor(expirationTime.getTime() / 1e3)
+    });
+    const primary = result.resources[0];
+    const delegationHeader = { Authorization: result.delegation };
+    const targetHost = grant.delegation.host ?? this.config.host;
+    const activateResult = await activateSessionWithHost2(
+      targetHost,
+      delegationHeader
+    );
+    if (!activateResult.success) {
+      throw new Error(
+        `Failed to activate delegation with host: ${activateResult.error}`
+      );
+    }
+    return {
+      cid: result.cid,
+      delegationHeader,
+      spaceId: grant.session.spaceId,
+      path: primary.path,
+      actions: primary.actions,
+      resources: result.resources,
+      disableSubDelegation: false,
+      expiry: result.expiry,
+      delegateDID: did,
+      ownerAddress: grant.delegation.ownerAddress,
+      chainId: grant.delegation.chainId,
+      host: targetHost
+    };
+  }
   resolvePermissionSpace(space, session) {
     if (space === void 0) {
       return this.wasmBindings.makeSpaceId(
@@ -2933,6 +3142,220 @@ var _TinyCloudNode = class _TinyCloudNode {
     }
     return this.wasmBindings.makeSpaceId(session.address, session.chainId, space);
   }
+  expandPermissionEntries(permissions) {
+    return expandPermissionEntriesCore(permissions);
+  }
+  shortServiceName(service) {
+    const short = SERVICE_LONG_TO_SHORT[service];
+    if (short === void 0) {
+      throw new Error(
+        `unknown service '${service}' \u2014 no short-form mapping`
+      );
+    }
+    return short;
+  }
+  permissionsToAbilities(entries) {
+    const abilities = {};
+    for (const entry of entries) {
+      const service = this.shortServiceName(entry.service);
+      abilities[service] ?? (abilities[service] = {});
+      const existing = abilities[service][entry.path] ?? [];
+      const seen = new Set(existing);
+      for (const action of entry.actions) {
+        if (!seen.has(action)) {
+          existing.push(action);
+          seen.add(action);
+        }
+      }
+      abilities[service][entry.path] = existing;
+    }
+    return abilities;
+  }
+  permissionOperations(entries, spaceId) {
+    return entries.flatMap((entry) => {
+      const service = this.shortServiceName(entry.service);
+      return entry.actions.map((action) => ({
+        spaceId,
+        service,
+        path: entry.path,
+        action
+      }));
+    });
+  }
+  sessionCoversPermissionEntries(session, entries) {
+    try {
+      const granted = parseRecapCapabilities(
+        (siwe) => this.wasmBindings.parseRecapFromSiwe(siwe),
+        session.siwe
+      );
+      return isCapabilitySubset(entries, granted).subset;
+    } catch {
+      return false;
+    }
+  }
+  permissionEntriesToOperations(entries, session) {
+    return entries.flatMap((entry) => {
+      const spaceId = this.resolvePermissionSpace(entry.space, session);
+      const service = this.shortServiceName(entry.service);
+      return entry.actions.map((action) => ({
+        spaceId,
+        service,
+        path: entry.path,
+        action
+      }));
+    });
+  }
+  findRuntimeGrantsForPermissionEntries(entries, session) {
+    const grants = [];
+    const operations = this.permissionEntriesToOperations(entries, session);
+    if (operations.length === 0) {
+      return grants;
+    }
+    for (const operation of operations) {
+      const grant = this.findGrantForOperation(operation);
+      if (!grant) {
+        return [];
+      }
+      if (!grants.includes(grant)) {
+        grants.push(grant);
+      }
+    }
+    return grants;
+  }
+  runtimeDelegationFromSession(delegatedSession, entries, spaceId, session, expiresAt) {
+    const resources = this.delegatedResourcesForEntries(entries, spaceId);
+    const primary = resources[0];
+    return {
+      cid: delegatedSession.delegationCid,
+      delegationHeader: delegatedSession.delegationHeader,
+      spaceId,
+      path: primary.path,
+      actions: primary.actions,
+      resources,
+      disableSubDelegation: false,
+      expiry: expiresAt,
+      delegateDID: session.verificationMethod,
+      ownerAddress: session.address,
+      chainId: session.chainId,
+      host: this.config.host
+    };
+  }
+  runtimeGrantFromDelegation(delegation, session) {
+    const operations = this.operationsFromDelegation(delegation);
+    return {
+      session: {
+        delegationHeader: delegation.delegationHeader,
+        delegationCid: delegation.cid,
+        spaceId: delegation.spaceId,
+        verificationMethod: session.verificationMethod,
+        jwk: session.jwk
+      },
+      delegation,
+      operations,
+      expiresAt: delegation.expiry
+    };
+  }
+  delegatedResourcesForEntries(entries, spaceId) {
+    return entries.map((entry) => ({
+      service: this.shortServiceName(entry.service),
+      space: spaceId,
+      path: entry.path,
+      actions: [...entry.actions]
+    }));
+  }
+  operationsFromDelegation(delegation) {
+    const resources = delegation.resources !== void 0 && delegation.resources.length > 0 ? delegation.resources : this.flatDelegationResources(delegation);
+    return resources.flatMap(
+      (resource) => resource.actions.map((action) => ({
+        spaceId: resource.space,
+        service: this.invocationServiceName(resource.service),
+        path: resource.path,
+        action
+      }))
+    );
+  }
+  flatDelegationResources(delegation) {
+    const byService = /* @__PURE__ */ new Map();
+    for (const action of delegation.actions) {
+      const service = this.shortServiceName(action.split("/")[0]);
+      const actions = byService.get(service) ?? [];
+      actions.push(action);
+      byService.set(service, actions);
+    }
+    return [...byService.entries()].map(([service, actions]) => ({
+      service,
+      space: delegation.spaceId,
+      path: delegation.path,
+      actions
+    }));
+  }
+  selectInvocationSession(fallback, service, path, action) {
+    const grant = this.findGrantForOperation({
+      spaceId: fallback.spaceId,
+      service: this.invocationServiceName(service),
+      path,
+      action
+    });
+    return grant?.session ?? fallback;
+  }
+  findGrantForOperations(operations) {
+    if (operations.length === 0) {
+      return void 0;
+    }
+    this.pruneExpiredRuntimePermissionGrants();
+    return this.runtimePermissionGrants.find((grant) => {
+      return operations.every(
+        (operation) => grant.operations.some(
+          (granted) => this.operationCovers(granted, operation)
+        )
+      );
+    });
+  }
+  findGrantForOperation(operation) {
+    return this.findGrantForOperations([operation]);
+  }
+  pruneExpiredRuntimePermissionGrants() {
+    const now = Date.now();
+    this.runtimePermissionGrants = this.runtimePermissionGrants.filter(
+      (grant) => grant.expiresAt.getTime() > now
+    );
+  }
+  operationCovers(granted, requested) {
+    return granted.spaceId === requested.spaceId && granted.service === requested.service && this.actionContains(granted.action, requested.action) && this.pathContains(granted.path, requested.path);
+  }
+  actionContains(grantedAction, requestedAction) {
+    if (grantedAction === requestedAction) {
+      return true;
+    }
+    if (grantedAction.endsWith("/*")) {
+      const prefix = grantedAction.slice(0, -2);
+      return requestedAction.startsWith(`${prefix}/`);
+    }
+    return false;
+  }
+  invocationServiceName(service) {
+    return service.startsWith("tinycloud.") ? this.shortServiceName(service) : service;
+  }
+  pathContains(grantedPath, requestedPath) {
+    if (grantedPath === "" || grantedPath === "/") {
+      return true;
+    }
+    if (grantedPath.endsWith("/**")) {
+      return requestedPath.startsWith(grantedPath.slice(0, -3));
+    }
+    if (grantedPath.endsWith("/*")) {
+      const prefix = grantedPath.slice(0, -2);
+      if (!requestedPath.startsWith(prefix)) {
+        return false;
+      }
+      const remainder = requestedPath.slice(prefix.length);
+      return !remainder.includes("/") || remainder === "/";
+    }
+    if (grantedPath.endsWith("/")) {
+      return requestedPath.startsWith(grantedPath);
+    }
+    return grantedPath === requestedPath;
+  }
   /**
    * Issue a delegation via the legacy wallet-signed SIWE path for a single
    * {@link PermissionEntry}. Shares the implementation with the public
@@ -3320,6 +3743,7 @@ import {
   ACCOUNT_REGISTRY_SPACE as ACCOUNT_REGISTRY_SPACE2,
   DEFAULT_MANIFEST_SPACE as DEFAULT_MANIFEST_SPACE2,
   DEFAULT_MANIFEST_VERSION,
+  VAULT_PERMISSION_SERVICE,
   PermissionNotInManifestError as PermissionNotInManifestError2,
   SessionExpiredError as SessionExpiredError2,
   ManifestValidationError,
@@ -3328,7 +3752,9 @@ import {
   validateManifest,
   loadManifest,
   isCapabilitySubset as isCapabilitySubset2,
-  expandActionShortNames as expandActionShortNames2,
+  expandActionShortNames,
+  expandPermissionEntries,
+  expandPermissionEntry,
   parseExpiry as parseExpiry2,
   resourceCapabilitiesToSpaceAbilitiesMap as resourceCapabilitiesToSpaceAbilitiesMap2
 } from "@tinycloud/sdk-core";
@@ -3418,6 +3844,7 @@ export {
   TinyCloud2 as TinyCloud,
   TinyCloudNode,
   UnsupportedFeatureError2 as UnsupportedFeatureError,
+  VAULT_PERMISSION_SERVICE,
   VaultHeaders,
   VaultPublicSpaceKVActions,
   VersionCheckError,
@@ -3433,7 +3860,9 @@ export {
   defaultSignStrategy,
   defaultSpaceCreationHandler,
   deserializeDelegation,
-  expandActionShortNames2 as expandActionShortNames,
+  expandActionShortNames,
+  expandPermissionEntries,
+  expandPermissionEntry,
   isCapabilitySubset2 as isCapabilitySubset,
   loadManifest,
   makePublicSpaceId2 as makePublicSpaceId,