npm - @tinycloud/node-sdk - Versions diffs - 2.2.0-beta.9 → 2.2.0 - Mend

@tinycloud/node-sdk 2.2.0-beta.9 → 2.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/dist/{core-DcJ27GsA.d.cts → core-CNyXnUx9.d.cts} +80 -6
package/dist/{core-DcJ27GsA.d.ts → core-CNyXnUx9.d.ts} +80 -6
package/dist/core.cjs +708 -92
package/dist/core.cjs.map +1 -1
package/dist/core.d.cts +2 -2
package/dist/core.d.ts +2 -2
package/dist/core.js +726 -99
package/dist/core.js.map +1 -1
package/dist/index.cjs +802 -114
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +4 -3
package/dist/index.d.ts +4 -3
package/dist/index.js +805 -100
package/dist/index.js.map +1 -1
package/package.json +3 -3

package/dist/{core-DcJ27GsA.d.cts → core-CNyXnUx9.d.cts} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { ISessionStorage, PersistedSessionData, AutoSignStrategy, AutoRejectStrategy, CallbackStrategy, IUserAuthorization, ISigner, ISpaceCreationHandler, IWasmBindings, SiweConfig, Manifest, ComposedManifestRequest, ClientSession, TinyCloudSession, Extension, SignInOptions, Delegation, DelegatedResource, IKVService, ISQLService, IDuckDbService, IHooksService, INotificationHandler, IENSResolver, IDataVaultService, ISecretsService, ICapabilityKeyRegistry, PermissionEntry, DelegationManager, ISpaceService, ISpace, ISharingService, CreateDelegationParams, DelegationResult, ResolvedDelegate, KeyProvider, ISessionManager, JWK } from '@tinycloud/sdk-core';
+import { ISessionStorage, PersistedSessionData, AutoSignStrategy, AutoRejectStrategy, CallbackStrategy, IUserAuthorization, ISigner, ISpaceCreationHandler, IWasmBindings, SiweConfig, Manifest, ComposedManifestRequest, ClientSession, TinyCloudSession, Extension, SignInOptions, Delegation, DelegatedResource, IKVService, ISQLService, IDuckDbService, IHooksService, INotificationHandler, IENSResolver, IDataVaultService, IEncryptionService, NetworkDescriptor, ISecretsService, ICapabilityKeyRegistry, PermissionEntry, DelegationManager, ISpaceService, ISpace, ISharingService, CreateDelegationParams, DelegationResult, ResolvedDelegate, KeyProvider, ISessionManager, JWK } from '@tinycloud/sdk-core';
 import { EventEmitter } from 'events';
 import { InvokeFunction } from '@tinycloud/sdk-services';
@@ -321,6 +321,19 @@ declare class NodeUserAuthorization implements IUserAuthorization {
      * Includes spaceId, delegationHeader, and delegationCid.
      */
     get tinyCloudSession(): TinyCloudSession | undefined;
+    /**
+     * Rehydrate the auth-layer session from previously-persisted delegation
+     * data. Used by {@link TinyCloudNode.restoreSession} so that downstream
+     * surfaces that read from `tinyCloudSession` (notably
+     * `grantRuntimePermissions`, which extracts the SIWE expiry from it) work
+     * without re-running the full sign-in flow.
+     *
+     * Caller must supply the same fields that `signIn` would have written —
+     * `siwe` is the load-bearing one because `extractSiweExpiration` returns
+     * undefined for missing SIWEs and the SDK then treats the session as
+     * expired-at-epoch-zero.
+     */
+    setRestoredTinyCloudSession(session: TinyCloudSession): void;
     private resolveTinyCloudHostsForSignIn;
     private requireTinyCloudHosts;
     private get primaryTinyCloudHost();
@@ -353,6 +366,7 @@ declare class NodeUserAuthorization implements IUserAuthorization {
      */
     private getCapabilityRequest;
     private resolveSpaceName;
+    private defaultEncryptionNetworkId;
     private resolveSignInCapabilities;
     /**
      * Build SIWE overrides from the top-level nonce and siweConfig.
@@ -777,6 +791,7 @@ declare class TinyCloudNode {
     private _duckdb?;
     private _hooks?;
     private _vault?;
+    private _encryption?;
     private _baseSecrets?;
     private _secrets?;
     /** Cached public KV with proper delegation (set by ensurePublicSpace) */
@@ -793,6 +808,13 @@ declare class TinyCloudNode {
     private _delegationManager?;
     private _spaceService?;
     private runtimePermissionGrants;
+    /**
+     * TinyCloudSession captured by {@link restoreSession} when there's no
+     * auth-layer signer available (session-only mode used by OpenKey-backed
+     * CLI restores, public-space replays, …). Read by
+     * {@link currentTinyCloudSession} as a fallback for `auth.tinyCloudSession`.
+     */
+    private _restoredTcSession?;
     private get nodeFeatures();
     /** SIWE domain — uses config override or defaults to app.tinycloud.xyz */
     private get siweDomain();
@@ -909,7 +931,28 @@ declare class TinyCloudNode {
         verificationMethod: string;
         address?: string;
         chainId?: number;
+        /**
+         * The SIWE message that authorized this session. Required for
+         * downstream operations that need the session's expiry (e.g.
+         * {@link grantRuntimePermissions}). When omitted the SDK can still
+         * invoke services with the existing delegation, but anything that
+         * reads `auth.tinyCloudSession.siwe` will treat the session as
+         * expired-at-epoch-zero.
+         */
+        siwe?: string;
+        /**
+         * The wallet/OpenKey signature over `siwe`. Optional because the
+         * runtime doesn't re-verify it — it's persisted alongside the SIWE
+         * for callers that need to round-trip the full session shape.
+         */
+        signature?: string;
     }): Promise<void>;
+    /**
+     * Resolve the currently-active TinyCloudSession, preferring the auth
+     * layer's value (wallet mode) and falling back to the node-level
+     * rehydration set by {@link restoreSession} (session-only mode).
+     */
+    private currentTinyCloudSession;
     /**
      * Connect a wallet to upgrade from session-only mode to wallet mode.
      *
@@ -962,6 +1005,13 @@ declare class TinyCloudNode {
      */
     private initializeServices;
     private createSpaceScopedKVService;
+    getDefaultEncryptionNetworkId(name?: string): string;
+    private requireServiceSession;
+    private createEncryptionCrypto;
+    private fetchNodeId;
+    private signRawNetworkAuthorization;
+    private createEncryptionService;
+    private getEncryptionService;
     private createVaultService;
     /**
      * Initialize the v2 delegation system services.
@@ -1011,6 +1061,21 @@ declare class TinyCloudNode {
      * SQL database operations on this user's space.
      */
     get sql(): ISQLService;
+    /**
+     * Get an SQL service scoped to a specific space.
+     *
+     * Mirrors {@link SpaceService}'s per-space KV factory: clones the active
+     * service context and overrides its session's spaceId so that subsequent
+     * `sql/<dbName>/<action>` invocations route to that space. Useful when
+     * the caller already holds a delegation covering the target space (e.g.
+     * via {@link grantRuntimePermissions} or {@link useRuntimeDelegation})
+     * but the SDK's per-space SQL surface isn't otherwise exposed.
+     *
+     * Does NOT auto-create the space.
+     *
+     * @param spaceId - Full space URI (`tinycloud:pkh:eip155:<chain>:<addr>:<name>`).
+     */
+    sqlForSpace(spaceId: string): ISQLService;
     /**
      * DuckDB database operations on this user's space.
      */
@@ -1020,6 +1085,13 @@ declare class TinyCloudNode {
      * Call `vault.unlock(signer)` after signIn() to derive encryption keys.
      */
     get vault(): IDataVaultService;
+    /**
+     * Network-scoped encryption/decrypt service.
+     */
+    get encryption(): IEncryptionService;
+    getEncryptionNetwork(nameOrNetworkId?: string): Promise<NetworkDescriptor | null>;
+    createEncryptionNetwork(name?: string): Promise<NetworkDescriptor>;
+    ensureEncryptionNetwork(name?: string): Promise<NetworkDescriptor>;
     /**
      * App-facing secrets API backed by the `secrets` space vault.
      */
@@ -1315,11 +1387,8 @@ declare class TinyCloudNode {
      * the current session; we build one multi-resource abilities map
      * and emit one signed UCAN covering them all.
      *
-     * All entries must share the same target space (the UCAN is
-     * scoped to a single space). If they don't, this throws — mixing
-     * spaces in a single delegation is not supported by the underlying
-     * Rust create_delegation call and the resulting UCAN would be
-     * under-specified.
+     * Non-encryption entries must share the same target space. Encryption
+     * entries are raw network URNs and do not participate in space grouping.
      *
      * @internal
      */
@@ -1329,12 +1398,15 @@ declare class TinyCloudNode {
     private expandPermissionEntries;
     private shortServiceName;
     private permissionsToAbilities;
+    private isEncryptionPermissionEntry;
+    private permissionsToRawAbilities;
     private permissionOperations;
     private sessionCoversPermissionEntries;
     private permissionEntriesToOperations;
     private findRuntimeGrantsForPermissionEntries;
     private runtimeDelegationFromSession;
     private runtimeGrantFromDelegation;
+    private installRuntimeGrantFromServiceSession;
     private delegatedResourcesForEntries;
     private operationsFromDelegation;
     private flatDelegationResources;
@@ -1345,6 +1417,8 @@ declare class TinyCloudNode {
     private operationCovers;
     private actionContains;
     private invocationServiceName;
+    private isEncryptionNetworkOperation;
+    private operationFromInvokeAnyEntry;
     private pathContains;
     /**
      * Issue a delegation via the legacy wallet-signed SIWE path for a single

package/dist/{core-DcJ27GsA.d.ts → core-CNyXnUx9.d.ts} RENAMED Viewed

@@ -1,4 +1,4 @@
-import { ISessionStorage, PersistedSessionData, AutoSignStrategy, AutoRejectStrategy, CallbackStrategy, IUserAuthorization, ISigner, ISpaceCreationHandler, IWasmBindings, SiweConfig, Manifest, ComposedManifestRequest, ClientSession, TinyCloudSession, Extension, SignInOptions, Delegation, DelegatedResource, IKVService, ISQLService, IDuckDbService, IHooksService, INotificationHandler, IENSResolver, IDataVaultService, ISecretsService, ICapabilityKeyRegistry, PermissionEntry, DelegationManager, ISpaceService, ISpace, ISharingService, CreateDelegationParams, DelegationResult, ResolvedDelegate, KeyProvider, ISessionManager, JWK } from '@tinycloud/sdk-core';
+import { ISessionStorage, PersistedSessionData, AutoSignStrategy, AutoRejectStrategy, CallbackStrategy, IUserAuthorization, ISigner, ISpaceCreationHandler, IWasmBindings, SiweConfig, Manifest, ComposedManifestRequest, ClientSession, TinyCloudSession, Extension, SignInOptions, Delegation, DelegatedResource, IKVService, ISQLService, IDuckDbService, IHooksService, INotificationHandler, IENSResolver, IDataVaultService, IEncryptionService, NetworkDescriptor, ISecretsService, ICapabilityKeyRegistry, PermissionEntry, DelegationManager, ISpaceService, ISpace, ISharingService, CreateDelegationParams, DelegationResult, ResolvedDelegate, KeyProvider, ISessionManager, JWK } from '@tinycloud/sdk-core';
 import { EventEmitter } from 'events';
 import { InvokeFunction } from '@tinycloud/sdk-services';
@@ -321,6 +321,19 @@ declare class NodeUserAuthorization implements IUserAuthorization {
      * Includes spaceId, delegationHeader, and delegationCid.
      */
     get tinyCloudSession(): TinyCloudSession | undefined;
+    /**
+     * Rehydrate the auth-layer session from previously-persisted delegation
+     * data. Used by {@link TinyCloudNode.restoreSession} so that downstream
+     * surfaces that read from `tinyCloudSession` (notably
+     * `grantRuntimePermissions`, which extracts the SIWE expiry from it) work
+     * without re-running the full sign-in flow.
+     *
+     * Caller must supply the same fields that `signIn` would have written —
+     * `siwe` is the load-bearing one because `extractSiweExpiration` returns
+     * undefined for missing SIWEs and the SDK then treats the session as
+     * expired-at-epoch-zero.
+     */
+    setRestoredTinyCloudSession(session: TinyCloudSession): void;
     private resolveTinyCloudHostsForSignIn;
     private requireTinyCloudHosts;
     private get primaryTinyCloudHost();
@@ -353,6 +366,7 @@ declare class NodeUserAuthorization implements IUserAuthorization {
      */
     private getCapabilityRequest;
     private resolveSpaceName;
+    private defaultEncryptionNetworkId;
     private resolveSignInCapabilities;
     /**
      * Build SIWE overrides from the top-level nonce and siweConfig.
@@ -777,6 +791,7 @@ declare class TinyCloudNode {
     private _duckdb?;
     private _hooks?;
     private _vault?;
+    private _encryption?;
     private _baseSecrets?;
     private _secrets?;
     /** Cached public KV with proper delegation (set by ensurePublicSpace) */
@@ -793,6 +808,13 @@ declare class TinyCloudNode {
     private _delegationManager?;
     private _spaceService?;
     private runtimePermissionGrants;
+    /**
+     * TinyCloudSession captured by {@link restoreSession} when there's no
+     * auth-layer signer available (session-only mode used by OpenKey-backed
+     * CLI restores, public-space replays, …). Read by
+     * {@link currentTinyCloudSession} as a fallback for `auth.tinyCloudSession`.
+     */
+    private _restoredTcSession?;
     private get nodeFeatures();
     /** SIWE domain — uses config override or defaults to app.tinycloud.xyz */
     private get siweDomain();
@@ -909,7 +931,28 @@ declare class TinyCloudNode {
         verificationMethod: string;
         address?: string;
         chainId?: number;
+        /**
+         * The SIWE message that authorized this session. Required for
+         * downstream operations that need the session's expiry (e.g.
+         * {@link grantRuntimePermissions}). When omitted the SDK can still
+         * invoke services with the existing delegation, but anything that
+         * reads `auth.tinyCloudSession.siwe` will treat the session as
+         * expired-at-epoch-zero.
+         */
+        siwe?: string;
+        /**
+         * The wallet/OpenKey signature over `siwe`. Optional because the
+         * runtime doesn't re-verify it — it's persisted alongside the SIWE
+         * for callers that need to round-trip the full session shape.
+         */
+        signature?: string;
     }): Promise<void>;
+    /**
+     * Resolve the currently-active TinyCloudSession, preferring the auth
+     * layer's value (wallet mode) and falling back to the node-level
+     * rehydration set by {@link restoreSession} (session-only mode).
+     */
+    private currentTinyCloudSession;
     /**
      * Connect a wallet to upgrade from session-only mode to wallet mode.
      *
@@ -962,6 +1005,13 @@ declare class TinyCloudNode {
      */
     private initializeServices;
     private createSpaceScopedKVService;
+    getDefaultEncryptionNetworkId(name?: string): string;
+    private requireServiceSession;
+    private createEncryptionCrypto;
+    private fetchNodeId;
+    private signRawNetworkAuthorization;
+    private createEncryptionService;
+    private getEncryptionService;
     private createVaultService;
     /**
      * Initialize the v2 delegation system services.
@@ -1011,6 +1061,21 @@ declare class TinyCloudNode {
      * SQL database operations on this user's space.
      */
     get sql(): ISQLService;
+    /**
+     * Get an SQL service scoped to a specific space.
+     *
+     * Mirrors {@link SpaceService}'s per-space KV factory: clones the active
+     * service context and overrides its session's spaceId so that subsequent
+     * `sql/<dbName>/<action>` invocations route to that space. Useful when
+     * the caller already holds a delegation covering the target space (e.g.
+     * via {@link grantRuntimePermissions} or {@link useRuntimeDelegation})
+     * but the SDK's per-space SQL surface isn't otherwise exposed.
+     *
+     * Does NOT auto-create the space.
+     *
+     * @param spaceId - Full space URI (`tinycloud:pkh:eip155:<chain>:<addr>:<name>`).
+     */
+    sqlForSpace(spaceId: string): ISQLService;
     /**
      * DuckDB database operations on this user's space.
      */
@@ -1020,6 +1085,13 @@ declare class TinyCloudNode {
      * Call `vault.unlock(signer)` after signIn() to derive encryption keys.
      */
     get vault(): IDataVaultService;
+    /**
+     * Network-scoped encryption/decrypt service.
+     */
+    get encryption(): IEncryptionService;
+    getEncryptionNetwork(nameOrNetworkId?: string): Promise<NetworkDescriptor | null>;
+    createEncryptionNetwork(name?: string): Promise<NetworkDescriptor>;
+    ensureEncryptionNetwork(name?: string): Promise<NetworkDescriptor>;
     /**
      * App-facing secrets API backed by the `secrets` space vault.
      */
@@ -1315,11 +1387,8 @@ declare class TinyCloudNode {
      * the current session; we build one multi-resource abilities map
      * and emit one signed UCAN covering them all.
      *
-     * All entries must share the same target space (the UCAN is
-     * scoped to a single space). If they don't, this throws — mixing
-     * spaces in a single delegation is not supported by the underlying
-     * Rust create_delegation call and the resulting UCAN would be
-     * under-specified.
+     * Non-encryption entries must share the same target space. Encryption
+     * entries are raw network URNs and do not participate in space grouping.
      *
      * @internal
      */
@@ -1329,12 +1398,15 @@ declare class TinyCloudNode {
     private expandPermissionEntries;
     private shortServiceName;
     private permissionsToAbilities;
+    private isEncryptionPermissionEntry;
+    private permissionsToRawAbilities;
     private permissionOperations;
     private sessionCoversPermissionEntries;
     private permissionEntriesToOperations;
     private findRuntimeGrantsForPermissionEntries;
     private runtimeDelegationFromSession;
     private runtimeGrantFromDelegation;
+    private installRuntimeGrantFromServiceSession;
     private delegatedResourcesForEntries;
     private operationsFromDelegation;
     private flatDelegationResources;
@@ -1345,6 +1417,8 @@ declare class TinyCloudNode {
     private operationCovers;
     private actionContains;
     private invocationServiceName;
+    private isEncryptionNetworkOperation;
+    private operationFromInvokeAnyEntry;
     private pathContains;
     /**
      * Issue a delegation via the legacy wallet-signed SIWE path for a single