npm - @tinycloud/node-sdk - Versions diffs - 2.2.0-beta.9 → 2.2.1-beta.0 - Mend

@tinycloud/node-sdk 2.2.0-beta.9 → 2.2.1-beta.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/dist/{core-DcJ27GsA.d.cts → core-CNyXnUx9.d.cts} +80 -6
package/dist/{core-DcJ27GsA.d.ts → core-CNyXnUx9.d.ts} +80 -6
package/dist/core.cjs +725 -92
package/dist/core.cjs.map +1 -1
package/dist/core.d.cts +2 -2
package/dist/core.d.ts +2 -2
package/dist/core.js +743 -99
package/dist/core.js.map +1 -1
package/dist/index.cjs +819 -114
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +4 -3
package/dist/index.d.ts +4 -3
package/dist/index.js +822 -100
package/dist/index.js.map +1 -1
package/package.json +3 -3

package/dist/index.js CHANGED Viewed

@@ -17031,6 +17031,7 @@ var require_utils2 = __commonJS({
 import {
   invoke,
   invokeAny,
+  computeCid,
   prepareSession,
   completeSessionSetup,
   ensureEip55,
@@ -17054,6 +17055,7 @@ var _NodeWasmBindings = class _NodeWasmBindings {
   constructor() {
     this.invoke = invoke;
     this.invokeAny = invokeAny;
+    this.computeCid = computeCid;
     this.prepareSession = prepareSession;
     this.completeSessionSetup = completeSessionSetup;
     this.ensureEip55 = ensureEip55;
@@ -17159,6 +17161,7 @@ import {
   DuckDbService as DuckDbService2,
   HooksService as HooksService2,
   DataVaultService,
+  EncryptionService,
   SecretsService,
   createVaultCrypto,
   ServiceContext as ServiceContext2,
@@ -17170,12 +17173,17 @@ import {
   UnsupportedFeatureError,
   makePublicSpaceId,
   ACCOUNT_REGISTRY_SPACE,
+  ENCRYPTION_PERMISSION_SERVICE as ENCRYPTION_PERMISSION_SERVICE2,
   PermissionNotInManifestError,
   SessionExpiredError,
   expandPermissionEntries as expandPermissionEntriesCore,
   isCapabilitySubset,
   parseRecapCapabilities,
-  SERVICE_LONG_TO_SHORT
+  SERVICE_LONG_TO_SHORT,
+  EXPIRY as EXPIRY3,
+  canonicalHashHex,
+  canonicalizeEncryptionJson,
+  verifyDidKeyEd25519Signature
 } from "@tinycloud/sdk-core";
 // src/authorization/NodeUserAuthorization.ts
@@ -17186,10 +17194,12 @@ import {
   checkNodeInfo,
   AutoApproveSpaceCreationHandler,
   DEFAULT_MANIFEST_SPACE,
+  ENCRYPTION_PERMISSION_SERVICE,
   composeManifestRequest,
   resourceCapabilitiesToAbilitiesMap,
   resourceCapabilitiesToSpaceAbilitiesMap,
-  resolveTinyCloudHosts
+  resolveTinyCloudHosts,
+  EXPIRY
 } from "@tinycloud/sdk-core";
 // src/authorization/strategies.ts
@@ -17320,7 +17330,7 @@ var NodeUserAuthorization = class {
         ]
       }
     };
-    this.sessionExpirationMs = config.sessionExpirationMs ?? 60 * 60 * 1e3;
+    this.sessionExpirationMs = config.sessionExpirationMs ?? EXPIRY.SESSION_MS;
     this.autoCreateSpace = config.autoCreateSpace ?? false;
     this.spaceCreationHandler = config.spaceCreationHandler;
     this.tinycloudHosts = config.tinycloudHosts;
@@ -17373,6 +17383,23 @@ var NodeUserAuthorization = class {
   get tinyCloudSession() {
     return this._tinyCloudSession;
   }
+  /**
+   * Rehydrate the auth-layer session from previously-persisted delegation
+   * data. Used by {@link TinyCloudNode.restoreSession} so that downstream
+   * surfaces that read from `tinyCloudSession` (notably
+   * `grantRuntimePermissions`, which extracts the SIWE expiry from it) work
+   * without re-running the full sign-in flow.
+   *
+   * Caller must supply the same fields that `signIn` would have written —
+   * `siwe` is the load-bearing one because `extractSiweExpiration` returns
+   * undefined for missing SIWEs and the SDK then treats the session as
+   * expired-at-epoch-zero.
+   */
+  setRestoredTinyCloudSession(session) {
+    this._tinyCloudSession = session;
+    this._address = session.address;
+    this._chainId = session.chainId;
+  }
   async resolveTinyCloudHostsForSignIn(address, chainId) {
     if (this.tinycloudHosts && this.tinycloudHosts.length > 0) {
       return;
@@ -17443,21 +17470,64 @@ var NodeUserAuthorization = class {
     }
     return this.wasm.makeSpaceId(address, chainId, space);
   }
+  defaultEncryptionNetworkId(address, chainId) {
+    return `urn:tinycloud:encryption:did:pkh:eip155:${chainId}:${address}:default`;
+  }
   resolveSignInCapabilities(address, chainId) {
     const request = this.getCapabilityRequest();
     if (request === void 0) {
+      const defaultNetworkId = this.defaultEncryptionNetworkId(address, chainId);
+      const secretsSpaceId = this.wasm.makeSpaceId(address, chainId, "secrets");
       return {
         abilities: this.defaultActions,
-        spaceId: this.wasm.makeSpaceId(address, chainId, this.spacePrefix)
+        spaceId: this.wasm.makeSpaceId(address, chainId, this.spacePrefix),
+        spaceAbilities: {
+          [secretsSpaceId]: {
+            kv: {
+              "vault/secrets/": [
+                "tinycloud.kv/get",
+                "tinycloud.kv/put",
+                "tinycloud.kv/del",
+                "tinycloud.kv/list",
+                "tinycloud.kv/metadata"
+              ]
+            }
+          }
+        },
+        rawAbilities: {
+          [defaultNetworkId]: [
+            "tinycloud.encryption/decrypt",
+            "tinycloud.encryption/network.create"
+          ]
+        }
       };
     }
-    const primarySpaceName = request.resources.find((entry) => entry.space !== "account")?.space ?? DEFAULT_MANIFEST_SPACE;
+    const rawAbilities = {};
+    const spaceResources = request.resources.filter((entry) => {
+      if (entry.service !== ENCRYPTION_PERMISSION_SERVICE) {
+        return true;
+      }
+      const existing = rawAbilities[entry.path];
+      if (existing === void 0) {
+        rawAbilities[entry.path] = [...entry.actions];
+      } else {
+        const seen = new Set(existing);
+        for (const action of entry.actions) {
+          if (!seen.has(action)) {
+            existing.push(action);
+            seen.add(action);
+          }
+        }
+      }
+      return false;
+    });
+    const primarySpaceName = spaceResources.find((entry) => entry.space !== "account")?.space ?? DEFAULT_MANIFEST_SPACE;
     const primarySpaceId = this.resolveSpaceName(
       primarySpaceName,
       address,
       chainId
     );
-    const bySpace = resourceCapabilitiesToSpaceAbilitiesMap(request.resources);
+    const bySpace = resourceCapabilitiesToSpaceAbilitiesMap(spaceResources);
     const spaceAbilities = {};
     for (const [space, abilities] of Object.entries(bySpace)) {
       spaceAbilities[this.resolveSpaceName(space, address, chainId)] = abilities;
@@ -17465,7 +17535,8 @@ var NodeUserAuthorization = class {
     return {
       abilities: spaceAbilities[primarySpaceId] ?? resourceCapabilitiesToAbilitiesMap([]),
       spaceId: primarySpaceId,
-      spaceAbilities
+      spaceAbilities,
+      rawAbilities: Object.keys(rawAbilities).length > 0 ? rawAbilities : void 0
     };
   }
   /**
@@ -17690,6 +17761,7 @@ var NodeUserAuthorization = class {
     const prepared = this.wasm.prepareSession({
       abilities: capabilityPlan.abilities,
       ...capabilityPlan.spaceAbilities !== void 0 ? { spaceAbilities: capabilityPlan.spaceAbilities } : {},
+      ...capabilityPlan.rawAbilities !== void 0 ? { rawAbilities: capabilityPlan.rawAbilities } : {},
       address,
       chainId,
       domain: this.domain,
@@ -17835,6 +17907,7 @@ var NodeUserAuthorization = class {
     const prepared = this.wasm.prepareSession({
       abilities: capabilityPlan.abilities,
       ...capabilityPlan.spaceAbilities !== void 0 ? { spaceAbilities: capabilityPlan.spaceAbilities } : {},
+      ...capabilityPlan.rawAbilities !== void 0 ? { rawAbilities: capabilityPlan.rawAbilities } : {},
       address,
       chainId,
       domain: this.domain,
@@ -18182,7 +18255,8 @@ function createWasmKeyProvider(sessionManager) {
 // src/delegateToHelpers.ts
 import {
   parseExpiry,
-  SiweMessage
+  SiweMessage,
+  EXPIRY as EXPIRY2
 } from "@tinycloud/sdk-core";
 function legacyParamsToPermissionEntries(actions, path, spaceIdOverride) {
   const byService = /* @__PURE__ */ new Map();
@@ -18214,9 +18288,10 @@ function legacyParamsToPermissionEntries(actions, path, spaceIdOverride) {
   }
   return entries;
 }
+var DEFAULT_DELEGATION_EXPIRY_MS = EXPIRY2.SESSION_MS;
 function resolveExpiryMs(expiry) {
   if (expiry === void 0) {
-    return 60 * 60 * 1e3;
+    return DEFAULT_DELEGATION_EXPIRY_MS;
   }
   if (typeof expiry === "number") {
     if (!Number.isFinite(expiry) || expiry <= 0) {
@@ -18245,10 +18320,11 @@ function extractSiweExpiration(siwe) {
 // src/NodeSecretsService.ts
 import {
   ErrorCodes,
+  resolveSecretListPrefix,
+  resolveSecretPath,
+  expandPermissionEntries,
   resolveManifest
 } from "@tinycloud/sdk-core";
-var SECRET_NAME_RE = /^[A-Z][A-Z0-9_]*$/;
-var SECRET_PREFIX = "secrets/";
 var SECRETS_SPACE = "secrets";
 function ok() {
   return { ok: true, data: void 0 };
@@ -18265,27 +18341,39 @@ function secretsError(code, message, cause) {
   };
 }
 function displayActionUrn(action) {
-  return action === "put" ? "tinycloud.vault/write" : "tinycloud.vault/delete";
+  switch (action) {
+    case "get":
+      return "tinycloud.kv/get";
+    case "put":
+      return "tinycloud.kv/put";
+    case "del":
+      return "tinycloud.kv/del";
+    case "list":
+      return "tinycloud.kv/list";
+  }
 }
-function kvActionUrn(action) {
-  return `tinycloud.kv/${action}`;
+function secretActionName(action) {
+  return action;
 }
-function secretPermissionEntries(name, action) {
-  return [
-    {
-      service: "tinycloud.vault",
-      space: SECRETS_SPACE,
-      path: `${SECRET_PREFIX}${name}`,
-      actions: [action === "put" ? "write" : "delete"],
+function secretPermissionEntries(name, options, action, encryptionNetworkId) {
+  const entries = [];
+  const path = action === "list" ? resolveSecretListPrefix(options) : resolveSecretPath(name, options).permissionPaths.vault;
+  entries.push({
+    service: "tinycloud.kv",
+    space: SECRETS_SPACE,
+    path,
+    actions: [secretActionName(action)],
+    skipPrefix: true
+  });
+  if (action === "get" && encryptionNetworkId !== void 0) {
+    entries.push({
+      service: "tinycloud.encryption",
+      path: encryptionNetworkId,
+      actions: ["decrypt"],
       skipPrefix: true
-    }
-  ];
-}
-function secretResourcePath(base2, name) {
-  return `${base2}/${SECRET_PREFIX}${name}`;
-}
-function isSecretsSpace(space) {
-  return space === SECRETS_SPACE || space.endsWith(`:${SECRETS_SPACE}`);
+    });
+  }
+  return entries;
 }
 var NodeSecretsService = class {
   constructor(config) {
@@ -18313,48 +18401,62 @@ var NodeSecretsService = class {
     this.shouldRestoreUnlock = false;
     this.service.lock();
   }
-  get(name) {
-    return this.service.get(name);
+  async get(name, options) {
+    const permission = await this.ensurePermission(name, options, "get");
+    if (!permission.ok) return permission;
+    return options === void 0 ? this.service.get(name) : this.service.get(name, options);
   }
-  async put(name, value) {
-    const permission = await this.ensureMutationPermission(name, "put");
+  async put(name, value, options) {
+    const permission = await this.ensurePermission(name, options, "put");
     if (!permission.ok) return permission;
-    return this.service.put(name, value);
+    return options === void 0 ? this.service.put(name, value) : this.service.put(name, value, options);
   }
-  async delete(name) {
-    const permission = await this.ensureMutationPermission(name, "del");
+  async delete(name, options) {
+    const permission = await this.ensurePermission(name, options, "del");
     if (!permission.ok) return permission;
-    return this.service.delete(name);
+    return options === void 0 ? this.service.delete(name) : this.service.delete(name, options);
   }
-  list() {
-    return this.service.list();
+  async list(options) {
+    const permission = await this.ensurePermission("", options, "list");
+    if (!permission.ok) return permission;
+    return options === void 0 ? this.service.list() : this.service.list(options);
   }
   get service() {
     return this.config.getService();
   }
-  async ensureMutationPermission(name, action) {
-    if (!SECRET_NAME_RE.test(name)) {
+  async ensurePermission(name, options, action) {
+    const target = name || "secrets";
+    let permissionEntries;
+    try {
+      permissionEntries = secretPermissionEntries(
+        name,
+        options,
+        action,
+        action === "get" ? this.config.getEncryptionNetworkId?.() : void 0
+      );
+    } catch (error) {
       return secretsError(
         ErrorCodes.INVALID_INPUT,
-        `Invalid secret name ${JSON.stringify(name)}. Secret names must match ${SECRET_NAME_RE.source}.`
+        error instanceof Error ? error.message : String(error),
+        error instanceof Error ? error : void 0
       );
     }
-    if (this.hasMutationPermission(name, action)) {
+    if (this.hasPermission(permissionEntries)) {
       return ok();
     }
     if (!this.config.canEscalate()) {
       return secretsError(
         ErrorCodes.PERMISSION_DENIED,
-        `Cannot autosign ${displayActionUrn(action)} for ${name}; TinyCloudNode needs wallet mode with a signer or privateKey.`
+        `Cannot autosign ${displayActionUrn(action)} for ${target}; TinyCloudNode needs wallet mode with a signer or privateKey.`
       );
     }
     try {
-      await this.config.grantPermissions(secretPermissionEntries(name, action));
+      await this.config.grantPermissions(permissionEntries);
       return this.restoreUnlockAfterEscalation();
     } catch (error) {
       return secretsError(
         ErrorCodes.PERMISSION_DENIED,
-        error instanceof Error ? error.message : `Autosign escalation for ${displayActionUrn(action)} on ${name} failed.`,
+        error instanceof Error ? error.message : `Autosign escalation for ${displayActionUrn(action)} on ${target} failed.`,
         error instanceof Error ? error : void 0
       );
     }
@@ -18365,26 +18467,117 @@ var NodeSecretsService = class {
     }
     return this.service.unlock(this.unlockSigner);
   }
-  hasMutationPermission(name, action) {
+  hasPermission(permissionEntries) {
+    if (this.config.hasPermissions?.(permissionEntries)) {
+      return true;
+    }
     const manifest = this.config.getManifest();
     if (manifest === void 0) {
       return false;
     }
     const manifests = Array.isArray(manifest) ? manifest : [manifest];
-    const requiredAction = kvActionUrn(action);
-    return manifests.some((entry) => {
-      const resolved = resolveManifest(entry);
-      return ["keys", "vault"].every(
-        (base2) => resolved.resources.some(
-          (resource) => resource.service === "tinycloud.kv" && isSecretsSpace(resource.space) && resource.path === secretResourcePath(base2, name) && resource.actions.includes(requiredAction)
-        )
-      );
-    });
+    const requestedEntries = expandPermissionEntries(permissionEntries);
+    return requestedEntries.every(
+      (entry) => manifests.some((candidate) => {
+        const resolved = resolveManifest(candidate);
+        return resolved.resources.some(
+          (resource) => resource.service === entry.service && resource.space === entry.space && resource.path === entry.path && entry.actions.every((action) => resource.actions.includes(action))
+        );
+      })
+    );
   }
 };
 // src/TinyCloudNode.ts
 var DEFAULT_HOST = "https://node.tinycloud.xyz";
+var DEFAULT_ENCRYPTION_NETWORK_NAME = "default";
+var NETWORK_CREATE_ACTION = "tinycloud.encryption/network.create";
+var DECRYPT_ACTION = "tinycloud.encryption/decrypt";
+var NETWORK_ADMIN_TYPE = "tinycloud.encryption.network-admin/v1";
+var DEFAULT_SESSION_EXPIRATION_MS = EXPIRY3.SESSION_MS;
+function base64UrlEncode(bytes) {
+  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
+  let output = "";
+  for (let i = 0; i < bytes.length; i += 3) {
+    const a = bytes[i];
+    const b = bytes[i + 1];
+    const c = bytes[i + 2];
+    const triplet = a << 16 | (b ?? 0) << 8 | (c ?? 0);
+    output += alphabet[triplet >> 18 & 63];
+    output += alphabet[triplet >> 12 & 63];
+    if (i + 1 < bytes.length) output += alphabet[triplet >> 6 & 63];
+    if (i + 2 < bytes.length) output += alphabet[triplet & 63];
+  }
+  return output;
+}
+function base64UrlDecode(value) {
+  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
+  const bytes = [];
+  let buffer = 0;
+  let bits = 0;
+  for (const char of value) {
+    const index = alphabet.indexOf(char);
+    if (index < 0) {
+      throw new Error("invalid base64url input");
+    }
+    buffer = buffer << 6 | index;
+    bits += 6;
+    if (bits >= 8) {
+      bits -= 8;
+      bytes.push(buffer >> bits & 255);
+    }
+  }
+  return new Uint8Array(bytes);
+}
+async function signJwtInputWithJwk(signingInput, jwk) {
+  const bytes = new TextEncoder().encode(signingInput);
+  try {
+    const subtle = globalThis.crypto?.subtle;
+    if (!subtle) {
+      throw new Error("WebCrypto subtle API is unavailable");
+    }
+    const key2 = await subtle.importKey(
+      "jwk",
+      jwk,
+      { name: "Ed25519" },
+      false,
+      ["sign"]
+    );
+    return new Uint8Array(await subtle.sign({ name: "Ed25519" }, key2, bytes));
+  } catch {
+    const nodeCrypto = await import("crypto");
+    const key2 = nodeCrypto.createPrivateKey({ key: jwk, format: "jwk" });
+    return new Uint8Array(nodeCrypto.sign(null, Buffer.from(bytes), key2));
+  }
+}
+async function rewriteInvocationAudience(authorization, audience, jwk) {
+  const [headerPart, payloadPart] = authorization.split(".");
+  if (!headerPart || !payloadPart) {
+    throw new Error("invalid invocation authorization");
+  }
+  const header = JSON.parse(new TextDecoder().decode(base64UrlDecode(headerPart)));
+  const payload = JSON.parse(new TextDecoder().decode(base64UrlDecode(payloadPart)));
+  payload.aud = audience;
+  const signingInput = `${base64UrlEncode(
+    new TextEncoder().encode(JSON.stringify(header))
+  )}.${base64UrlEncode(new TextEncoder().encode(JSON.stringify(payload)))}`;
+  const signature2 = await signJwtInputWithJwk(signingInput, jwk);
+  return `${signingInput}.${base64UrlEncode(signature2)}`;
+}
+function authorizationHeader(headers) {
+  if (Array.isArray(headers)) {
+    const entry = headers.find(([name]) => name.toLowerCase() === "authorization");
+    if (!entry) {
+      throw new Error("network invocation did not include an Authorization header");
+    }
+    return entry[1];
+  }
+  const value = headers.Authorization ?? headers.authorization;
+  if (!value) {
+    throw new Error("network invocation did not include an Authorization header");
+  }
+  return value;
+}
 var _TinyCloudNode = class _TinyCloudNode {
   /**
    * Create a new TinyCloudNode instance.
@@ -18429,12 +18622,10 @@ var _TinyCloudNode = class _TinyCloudNode {
         throw new Error("WASM binding does not support invokeAny");
       }
       const grant = this.findGrantForOperations(
-        entries.map((entry) => ({
-          spaceId: entry.spaceId,
-          service: this.invocationServiceName(entry.service),
-          path: entry.path,
-          action: entry.action
-        }))
+        entries.flatMap((entry) => {
+          const operation = this.operationFromInvokeAnyEntry(entry);
+          return operation ? [operation] : [];
+        })
       );
       return this.wasmBindings.invokeAny(grant?.session ?? session, entries, facts);
     };
@@ -18527,7 +18718,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       sessionStorage: config.sessionStorage ?? new MemorySessionStorage(),
       domain: this.siweDomain,
       spacePrefix: config.prefix,
-      sessionExpirationMs: config.sessionExpirationMs ?? 60 * 60 * 1e3,
+      sessionExpirationMs: config.sessionExpirationMs ?? DEFAULT_SESSION_EXPIRATION_MS,
       tinycloudHosts: this.explicitHost ? [this.explicitHost] : void 0,
       tinycloudRegistryUrl: config.tinycloudRegistryUrl,
       tinycloudFallbackHosts: config.tinycloudFallbackHosts,
@@ -18662,6 +18853,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     this._duckdb = void 0;
     this._hooks = void 0;
     this._vault = void 0;
+    this._encryption = void 0;
     this._baseSecrets = void 0;
     this._secrets = void 0;
     this._spaceService = void 0;
@@ -18670,6 +18862,9 @@ var _TinyCloudNode = class _TinyCloudNode {
     await this.tc.signIn(options);
     this.syncResolvedHostFromAuth();
     this.initializeServices();
+    if (this.config.manifest === void 0 && this.config.capabilityRequest === void 0) {
+      await this.ensureOwnedSpaceHosted(this.ownedSpaceId("secrets"));
+    }
     await this.writeManifestRegistryRecords();
     this.notificationHandler.success("Successfully signed in");
   }
@@ -18752,6 +18947,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     this._duckdb = void 0;
     this._hooks = void 0;
     this._vault = void 0;
+    this._encryption = void 0;
     this._baseSecrets = void 0;
     this._secrets = void 0;
     this._spaceService = void 0;
@@ -18793,6 +18989,33 @@ var _TinyCloudNode = class _TinyCloudNode {
     this._vault.initialize(this._serviceContext);
     this._serviceContext.registerService("vault", this._vault);
     this.initializeV2Services(serviceSession);
+    if (sessionData.siwe && sessionData.address && sessionData.chainId) {
+      const tcSession = {
+        address: sessionData.address,
+        chainId: sessionData.chainId,
+        sessionKey: JSON.stringify(sessionData.jwk),
+        spaceId: sessionData.spaceId,
+        delegationCid: sessionData.delegationCid,
+        delegationHeader: sessionData.delegationHeader,
+        verificationMethod: sessionData.verificationMethod,
+        jwk: sessionData.jwk,
+        siwe: sessionData.siwe,
+        signature: sessionData.signature ?? ""
+      };
+      if (this.auth) {
+        this.auth.setRestoredTinyCloudSession(tcSession);
+      } else {
+        this._restoredTcSession = tcSession;
+      }
+    }
+  }
+  /**
+   * Resolve the currently-active TinyCloudSession, preferring the auth
+   * layer's value (wallet mode) and falling back to the node-level
+   * rehydration set by {@link restoreSession} (session-only mode).
+   */
+  currentTinyCloudSession() {
+    return this.auth?.tinyCloudSession ?? this._restoredTcSession;
   }
   /**
    * Connect a wallet to upgrade from session-only mode to wallet mode.
@@ -18837,7 +19060,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       sessionStorage: options?.sessionStorage ?? this.config.sessionStorage ?? new MemorySessionStorage(),
       domain: this.siweDomain,
       spacePrefix: prefix,
-      sessionExpirationMs: this.config.sessionExpirationMs ?? 60 * 60 * 1e3,
+      sessionExpirationMs: this.config.sessionExpirationMs ?? DEFAULT_SESSION_EXPIRATION_MS,
       tinycloudHosts: this.explicitHost ? [this.explicitHost] : void 0,
       tinycloudRegistryUrl: this.config.tinycloudRegistryUrl,
       tinycloudFallbackHosts: this.config.tinycloudFallbackHosts,
@@ -18881,7 +19104,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       sessionStorage: options?.sessionStorage ?? this.config.sessionStorage ?? new MemorySessionStorage(),
       domain: this.siweDomain,
       spacePrefix: prefix,
-      sessionExpirationMs: this.config.sessionExpirationMs ?? 60 * 60 * 1e3,
+      sessionExpirationMs: this.config.sessionExpirationMs ?? DEFAULT_SESSION_EXPIRATION_MS,
       tinycloudHosts: this.explicitHost ? [this.explicitHost] : void 0,
       tinycloudRegistryUrl: this.config.tinycloudRegistryUrl,
       tinycloudFallbackHosts: this.config.tinycloudFallbackHosts,
@@ -18904,7 +19127,7 @@ var _TinyCloudNode = class _TinyCloudNode {
    * @internal
    */
   initializeServices() {
-    const session = this.auth?.tinyCloudSession;
+    const session = this.currentTinyCloudSession();
     if (!session) {
       return;
     }
@@ -18962,6 +19185,180 @@ var _TinyCloudNode = class _TinyCloudNode {
     }
     return kvService;
   }
+  getDefaultEncryptionNetworkId(name = DEFAULT_ENCRYPTION_NETWORK_NAME) {
+    return `urn:tinycloud:encryption:${this.did}:${name}`;
+  }
+  requireServiceSession() {
+    const session = this._serviceContext?.session;
+    if (!session) {
+      throw new Error("Not signed in. Call signIn() first.");
+    }
+    return session;
+  }
+  createEncryptionCrypto() {
+    const wasm = this.wasmBindings;
+    const columnEncrypt = (key2, plaintext) => {
+      const encrypted = wasm.vault_encrypt(key2, plaintext);
+      const out = new Uint8Array(1 + encrypted.length);
+      out[0] = 1;
+      out.set(encrypted, 1);
+      return out;
+    };
+    const columnDecrypt = (key2, blob) => {
+      if (blob[0] !== 1) {
+        return blob;
+      }
+      return wasm.vault_decrypt(key2, blob.slice(1));
+    };
+    return {
+      sha256: (data) => wasm.vault_sha256(data),
+      randomBytes: (length) => wasm.vault_random_bytes(length),
+      x25519FromSeed: (seed) => wasm.vault_x25519_from_seed(seed),
+      x25519Dh: (privateKey, publicKey) => wasm.vault_x25519_dh(privateKey, publicKey),
+      authEncrypt: (key2, plaintext) => wasm.vault_encrypt(key2, plaintext),
+      authDecrypt: (key2, ciphertext) => wasm.vault_decrypt(key2, ciphertext),
+      sealToNetworkKey: (networkPublicKey, symmetricKey) => {
+        const seed = wasm.vault_random_bytes(32);
+        const ephemeral = wasm.vault_x25519_from_seed(seed);
+        const shared = wasm.vault_x25519_dh(
+          ephemeral.privateKey,
+          networkPublicKey
+        );
+        const encrypted = columnEncrypt(shared, symmetricKey);
+        const out = new Uint8Array(ephemeral.publicKey.length + encrypted.length);
+        out.set(ephemeral.publicKey, 0);
+        out.set(encrypted, ephemeral.publicKey.length);
+        return out;
+      },
+      openWithReceiverKey: (receiverPrivateKey, wrappedKey) => {
+        const peerPublic = wrappedKey.slice(0, 32);
+        const ciphertext = wrappedKey.slice(32);
+        const shared = wasm.vault_x25519_dh(receiverPrivateKey, peerPublic);
+        return columnDecrypt(shared, ciphertext);
+      },
+      verifyNodeSignature: (nodeId, message, signature2) => verifyDidKeyEd25519Signature(nodeId, message, signature2)
+    };
+  }
+  async fetchNodeId() {
+    const response = await fetch(`${this.config.host}/info`);
+    if (!response.ok) {
+      throw new Error(`Failed to fetch node info: HTTP ${response.status}`);
+    }
+    const info = await response.json();
+    if (typeof info.nodeId !== "string" || info.nodeId.length === 0) {
+      throw new Error("Node /info response did not include nodeId");
+    }
+    return info.nodeId;
+  }
+  async signRawNetworkAuthorization(input) {
+    if (!this.wasmBindings.invokeAny) {
+      throw new Error("WASM binding does not support raw-resource invokeAny");
+    }
+    if (!this.wasmBindings.computeCid) {
+      throw new Error("WASM binding does not support invocation CID computation");
+    }
+    const session = this.requireServiceSession();
+    const headers = this.invokeAnyWithRuntimePermissions(
+      session,
+      [
+        {
+          resource: input.networkId,
+          service: "encryption",
+          path: input.networkId,
+          action: input.action
+        }
+      ],
+      [input.facts]
+    );
+    const authorization = authorizationHeader(headers);
+    const audienceBound = await rewriteInvocationAudience(
+      authorization,
+      input.targetNode,
+      session.jwk
+    );
+    return {
+      authorization: audienceBound,
+      invocationCid: this.wasmBindings.computeCid(
+        new TextEncoder().encode(audienceBound),
+        0x55n
+      )
+    };
+  }
+  createEncryptionService() {
+    const crypto2 = this.createEncryptionCrypto();
+    const transport = {
+      postDecrypt: async ({ networkId, authorization, canonicalBody }) => {
+        const response = await fetch(
+          `${this.config.host}/encryption/networks/${encodeURIComponent(networkId)}/decrypt`,
+          {
+            method: "POST",
+            headers: {
+              Authorization: authorization,
+              "Content-Type": "application/json"
+            },
+            body: canonicalBody
+          }
+        );
+        if (!response.ok) {
+          throw new Error(
+            `decrypt failed ${response.status}: ${await response.text()}`
+          );
+        }
+        return await response.json();
+      }
+    };
+    return new EncryptionService({
+      crypto: crypto2,
+      signer: {
+        signDecryptInvocation: async (input) => {
+          const signed2 = await this.signRawNetworkAuthorization({
+            targetNode: input.targetNode,
+            networkId: input.networkId,
+            action: DECRYPT_ACTION,
+            facts: input.facts
+          });
+          return {
+            ...signed2,
+            canonicalBody: canonicalizeEncryptionJson(
+              input.body
+            )
+          };
+        }
+      },
+      transport,
+      node: {
+        fetchByNetworkId: (networkId) => this.getEncryptionNetwork(networkId)
+      },
+      wellKnown: {
+        fetchWellKnown: async (principal, discoveryKey) => {
+          if (!this._address || principal !== this.did) {
+            return null;
+          }
+          if (!this.config.host) {
+            return null;
+          }
+          const publicSpaceId = makePublicSpaceId(this._address, this._chainId);
+          const result = await TinyCloud.readPublicSpace(this.config.host, publicSpaceId, discoveryKey);
+          if (!result.ok) {
+            return null;
+          }
+          const body = result.data;
+          return "descriptor" in body && body.descriptor ? body.descriptor : body;
+        }
+      }
+    });
+  }
+  getEncryptionService() {
+    if (!this._serviceContext) {
+      throw new Error("Not signed in. Call signIn() first.");
+    }
+    if (!this._encryption) {
+      this._encryption = this.createEncryptionService();
+      this._encryption.initialize(this._serviceContext);
+      this._serviceContext.registerService("encryption", this._encryption);
+    }
+    return this._encryption;
+  }
   createVaultService(spaceId, kv) {
     const wasm = this.wasmBindings;
     const vaultCrypto = createVaultCrypto({
@@ -18977,6 +19374,13 @@ var _TinyCloudNode = class _TinyCloudNode {
     return new DataVaultService({
       spaceId,
       crypto: vaultCrypto,
+      encryption: {
+        networkId: this.getDefaultEncryptionNetworkId(),
+        service: this.getEncryptionService(),
+        decryptCapabilityProof: () => ({
+          proofs: [this.requireServiceSession().delegationCid]
+        })
+      },
       tc: {
         kv,
         ensurePublicSpace: async () => {
@@ -19157,7 +19561,7 @@ var _TinyCloudNode = class _TinyCloudNode {
    * @internal
    */
   getSessionExpiry() {
-    const expirationMs = this.config.sessionExpirationMs ?? 60 * 60 * 1e3;
+    const expirationMs = this.config.sessionExpirationMs ?? DEFAULT_SESSION_EXPIRATION_MS;
     return new Date(Date.now() + expirationMs);
   }
   /**
@@ -19214,7 +19618,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     if (!this.signer) {
       return void 0;
     }
-    const session = this.auth?.tinyCloudSession;
+    const session = this.currentTinyCloudSession();
     if (!session) {
       return void 0;
     }
@@ -19314,6 +19718,34 @@ var _TinyCloudNode = class _TinyCloudNode {
     }
     return this._sql;
   }
+  /**
+   * Get an SQL service scoped to a specific space.
+   *
+   * Mirrors {@link SpaceService}'s per-space KV factory: clones the active
+   * service context and overrides its session's spaceId so that subsequent
+   * `sql/<dbName>/<action>` invocations route to that space. Useful when
+   * the caller already holds a delegation covering the target space (e.g.
+   * via {@link grantRuntimePermissions} or {@link useRuntimeDelegation})
+   * but the SDK's per-space SQL surface isn't otherwise exposed.
+   *
+   * Does NOT auto-create the space.
+   *
+   * @param spaceId - Full space URI (`tinycloud:pkh:eip155:<chain>:<addr>:<name>`).
+   */
+  sqlForSpace(spaceId) {
+    if (!this._serviceContext || !this._serviceContext.session) {
+      throw new Error("Not signed in. Call signIn() first.");
+    }
+    const sql = new SQLService2({});
+    const spaceScopedContext = new ServiceContext2({
+      invoke: this._serviceContext.invoke,
+      fetch: this._serviceContext.fetch,
+      hosts: this._serviceContext.hosts
+    });
+    spaceScopedContext.setSession({ ...this._serviceContext.session, spaceId });
+    sql.initialize(spaceScopedContext);
+    return sql;
+  }
   /**
    * DuckDB database operations on this user's space.
    */
@@ -19337,6 +19769,79 @@ var _TinyCloudNode = class _TinyCloudNode {
     }
     return this._vault;
   }
+  /**
+   * Network-scoped encryption/decrypt service.
+   */
+  get encryption() {
+    return this.getEncryptionService();
+  }
+  async getEncryptionNetwork(nameOrNetworkId = this.getDefaultEncryptionNetworkId()) {
+    const networkId = nameOrNetworkId.startsWith("urn:tinycloud:encryption:") ? nameOrNetworkId : this.getDefaultEncryptionNetworkId(nameOrNetworkId);
+    const response = await fetch(
+      `${this.config.host}/encryption/networks/${encodeURIComponent(networkId)}`
+    );
+    if (response.status === 404) {
+      return null;
+    }
+    if (!response.ok) {
+      throw new Error(
+        `Failed to fetch encryption network ${networkId}: HTTP ${response.status} ${await response.text()}`
+      );
+    }
+    const body = await response.json();
+    return "descriptor" in body && body.descriptor ? body.descriptor : body;
+  }
+  async createEncryptionNetwork(name = DEFAULT_ENCRYPTION_NETWORK_NAME) {
+    const targetNode = await this.fetchNodeId();
+    const principal = this.did;
+    const networkId = this.getDefaultEncryptionNetworkId(name);
+    const body = {
+      name,
+      principal,
+      threshold: { n: 1, t: 1 }
+    };
+    const crypto2 = this.createEncryptionCrypto();
+    const facts = {
+      type: NETWORK_ADMIN_TYPE,
+      targetNode,
+      networkId,
+      bodyHash: canonicalHashHex(
+        crypto2.sha256,
+        body
+      ),
+      action: NETWORK_CREATE_ACTION
+    };
+    const signed2 = await this.signRawNetworkAuthorization({
+      targetNode,
+      networkId,
+      action: NETWORK_CREATE_ACTION,
+      facts
+    });
+    const response = await fetch(`${this.config.host}/encryption/networks`, {
+      method: "POST",
+      headers: {
+        Authorization: signed2.authorization,
+        "Content-Type": "application/json"
+      },
+      body: canonicalizeEncryptionJson(
+        body
+      )
+    });
+    if (!response.ok) {
+      throw new Error(
+        `Failed to create encryption network ${networkId}: HTTP ${response.status} ${await response.text()}`
+      );
+    }
+    const created = await response.json();
+    return created.descriptor;
+  }
+  async ensureEncryptionNetwork(name = DEFAULT_ENCRYPTION_NETWORK_NAME) {
+    const existing = await this.getEncryptionNetwork(name);
+    if (existing) {
+      return existing;
+    }
+    return this.createEncryptionNetwork(name);
+  }
   /**
    * App-facing secrets API backed by the `secrets` space vault.
    */
@@ -19348,8 +19853,10 @@ var _TinyCloudNode = class _TinyCloudNode {
       this._secrets = new NodeSecretsService({
         getService: () => this.getBaseSecrets(),
         getManifest: () => this.manifest,
+        hasPermissions: (permissions) => this.hasRuntimePermissions(permissions),
         grantPermissions: (additional) => this.grantRuntimePermissions(additional),
         canEscalate: () => this.signer !== void 0 && this.tc !== void 0,
+        getEncryptionNetworkId: () => this.getDefaultEncryptionNetworkId(),
         getUnlockSigner: () => this.signer ?? void 0
       });
     }
@@ -19439,7 +19946,7 @@ var _TinyCloudNode = class _TinyCloudNode {
    * every requested permission.
    */
   hasRuntimePermissions(permissions) {
-    const session = this.auth?.tinyCloudSession;
+    const session = this.currentTinyCloudSession();
     if (!session || !Array.isArray(permissions) || permissions.length === 0) {
       return false;
     }
@@ -19459,7 +19966,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     if (permissions === void 0) {
       return this.runtimePermissionGrants.map((grant) => grant.delegation);
     }
-    const session = this.auth?.tinyCloudSession;
+    const session = this.currentTinyCloudSession();
     if (!session || !Array.isArray(permissions) || permissions.length === 0) {
       return [];
     }
@@ -19473,7 +19980,7 @@ var _TinyCloudNode = class _TinyCloudNode {
    * matching service calls and downstream `delegateTo()` calls can use it.
    */
   async useRuntimeDelegation(delegation) {
-    const session = this.auth?.tinyCloudSession;
+    const session = this.currentTinyCloudSession();
     if (!session) {
       throw new SessionExpiredError(/* @__PURE__ */ new Date(0));
     }
@@ -19512,7 +20019,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     if (!Array.isArray(permissions) || permissions.length === 0) {
       throw new Error("grantRuntimePermissions requires a non-empty permissions array");
     }
-    const session = this.auth?.tinyCloudSession;
+    const session = this.currentTinyCloudSession();
     if (!session) {
       throw new SessionExpiredError(/* @__PURE__ */ new Date(0));
     }
@@ -19536,13 +20043,22 @@ var _TinyCloudNode = class _TinyCloudNode {
         "grantRuntimePermissions requires wallet mode with a signer or privateKey."
       );
     }
+    const rawEntries = expanded.filter(
+      (entry) => this.isEncryptionPermissionEntry(entry)
+    );
+    const spaceEntries = expanded.filter(
+      (entry) => !this.isEncryptionPermissionEntry(entry)
+    );
     const bySpace = /* @__PURE__ */ new Map();
-    for (const entry of expanded) {
+    for (const entry of spaceEntries) {
       const spaceId = this.resolvePermissionSpace(entry.space, session);
       const current = bySpace.get(spaceId) ?? [];
       current.push(entry);
       bySpace.set(spaceId, current);
     }
+    if (bySpace.size === 0 && rawEntries.length > 0) {
+      bySpace.set(session.spaceId, []);
+    }
     const now = /* @__PURE__ */ new Date();
     const requestedExpiryMs = resolveExpiryMs(options?.expiry);
     let expiresAt = new Date(now.getTime() + requestedExpiryMs);
@@ -19550,10 +20066,17 @@ var _TinyCloudNode = class _TinyCloudNode {
       expiresAt = sessionExpiry;
     }
     const delegations = [];
+    let rawEntriesAttached = false;
     for (const [spaceId, entries] of bySpace) {
+      const rawForDelegation = !rawEntriesAttached ? rawEntries : [];
+      if (rawForDelegation.length > 0) {
+        rawEntriesAttached = true;
+      }
+      const delegatedEntries = [...entries, ...rawForDelegation];
       const abilities = this.permissionsToAbilities(entries);
       const prepared = this.wasmBindings.prepareSession({
         abilities,
+        ...rawForDelegation.length > 0 ? { rawAbilities: this.permissionsToRawAbilities(rawForDelegation) } : {},
         address: this.wasmBindings.ensureEip55(session.address),
         chainId: session.chainId,
         domain: this.siweDomain,
@@ -19578,7 +20101,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       }
       const delegation = this.runtimeDelegationFromSession(
         delegatedSession,
-        entries,
+        delegatedEntries,
         spaceId,
         session,
         expiresAt
@@ -19592,7 +20115,7 @@ var _TinyCloudNode = class _TinyCloudNode {
           jwk: session.jwk
         },
         delegation,
-        operations: this.permissionOperations(entries, spaceId),
+        operations: this.permissionOperations(delegatedEntries, spaceId),
         expiresAt
       });
       delegations.push(delegation);
@@ -19740,7 +20263,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     ];
     const abilities = { kv: { "": kvActions } };
     const now = /* @__PURE__ */ new Date();
-    const expiryMs = 60 * 60 * 1e3;
+    const expiryMs = EXPIRY3.EPHEMERAL_MS;
     const expirationTime = new Date(now.getTime() + expiryMs);
     const prepared = this.wasmBindings.prepareSession({
       abilities,
@@ -19910,7 +20433,7 @@ var _TinyCloudNode = class _TinyCloudNode {
    *   `forceWalletSign` is not set.
    */
   async delegateTo(did, permissions, options) {
-    const session = this.auth?.tinyCloudSession;
+    const session = this.currentTinyCloudSession();
     if (!session) {
       throw new SessionExpiredError(/* @__PURE__ */ new Date(0));
     }
@@ -20024,11 +20547,8 @@ var _TinyCloudNode = class _TinyCloudNode {
    * the current session; we build one multi-resource abilities map
    * and emit one signed UCAN covering them all.
    *
-   * All entries must share the same target space (the UCAN is
-   * scoped to a single space). If they don't, this throws — mixing
-   * spaces in a single delegation is not supported by the underlying
-   * Rust create_delegation call and the resulting UCAN would be
-   * under-specified.
+   * Non-encryption entries must share the same target space. Encryption
+   * entries are raw network URNs and do not participate in space grouping.
    *
    * @internal
    */
@@ -20040,15 +20560,18 @@ var _TinyCloudNode = class _TinyCloudNode {
     }
     const resolvedSpaces = /* @__PURE__ */ new Set();
     for (const entry of entries) {
+      if (this.isEncryptionPermissionEntry(entry)) {
+        continue;
+      }
       const spaceId2 = this.resolvePermissionSpace(entry.space, session);
       resolvedSpaces.add(spaceId2);
     }
-    if (resolvedSpaces.size !== 1) {
+    if (resolvedSpaces.size > 1) {
       throw new Error(
         `delegateTo: all permission entries must target the same space, got ${resolvedSpaces.size}: ${JSON.stringify([...resolvedSpaces])}`
       );
     }
-    const spaceId = [...resolvedSpaces][0];
+    const spaceId = resolvedSpaces.size === 1 ? [...resolvedSpaces][0] : session.spaceId;
     const abilities = {};
     for (const entry of entries) {
       const shortService = SERVICE_LONG_TO_SHORT[entry.service];
@@ -20195,11 +20718,32 @@ var _TinyCloudNode = class _TinyCloudNode {
     }
     return abilities;
   }
+  isEncryptionPermissionEntry(entry) {
+    return entry.service === ENCRYPTION_PERMISSION_SERVICE2 && entry.path.startsWith("urn:tinycloud:encryption:");
+  }
+  permissionsToRawAbilities(entries) {
+    const rawAbilities = {};
+    for (const entry of entries) {
+      if (!this.isEncryptionPermissionEntry(entry)) {
+        continue;
+      }
+      const existing = rawAbilities[entry.path] ?? [];
+      const seen = new Set(existing);
+      for (const action of entry.actions) {
+        if (!seen.has(action)) {
+          existing.push(action);
+          seen.add(action);
+        }
+      }
+      rawAbilities[entry.path] = existing;
+    }
+    return rawAbilities;
+  }
   permissionOperations(entries, spaceId) {
     return entries.flatMap((entry) => {
       const service = this.shortServiceName(entry.service);
       return entry.actions.map((action) => ({
-        spaceId,
+        ...this.isEncryptionNetworkOperation(service, entry.path) ? { resource: entry.path } : { spaceId },
         service,
         path: entry.path,
         action
@@ -20222,7 +20766,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       const spaceId = this.resolvePermissionSpace(entry.space, session);
       const service = this.shortServiceName(entry.service);
       return entry.actions.map((action) => ({
-        spaceId,
+        ...this.isEncryptionNetworkOperation(service, entry.path) ? { resource: entry.path } : { spaceId },
         service,
         path: entry.path,
         action
@@ -20279,24 +20823,40 @@ var _TinyCloudNode = class _TinyCloudNode {
       expiresAt: delegation.expiry
     };
   }
+  installRuntimeGrantFromServiceSession(delegation, session, expiresAt) {
+    const operations = this.operationsFromDelegation(delegation);
+    if (operations.length === 0) {
+      return;
+    }
+    this.runtimePermissionGrants = this.runtimePermissionGrants.filter(
+      (grant) => grant.delegation.cid !== delegation.cid && grant.session.delegationCid !== session.delegationCid
+    );
+    this.runtimePermissionGrants.push({
+      session,
+      delegation,
+      operations,
+      expiresAt
+    });
+  }
   delegatedResourcesForEntries(entries, spaceId) {
     return entries.map((entry) => ({
       service: this.shortServiceName(entry.service),
-      space: spaceId,
+      space: this.isEncryptionPermissionEntry(entry) ? "encryption" : spaceId,
       path: entry.path,
       actions: [...entry.actions]
     }));
   }
   operationsFromDelegation(delegation) {
     const resources = delegation.resources !== void 0 && delegation.resources.length > 0 ? delegation.resources : this.flatDelegationResources(delegation);
-    return resources.flatMap(
-      (resource) => resource.actions.map((action) => ({
-        spaceId: resource.space,
-        service: this.invocationServiceName(resource.service),
+    return resources.flatMap((resource) => {
+      const service = this.invocationServiceName(resource.service);
+      return resource.actions.map((action) => ({
+        ...this.isEncryptionNetworkOperation(service, resource.path) ? { resource: resource.path } : { spaceId: resource.space },
+        service,
         path: resource.path,
         action
-      }))
-    );
+      }));
+    });
   }
   flatDelegationResources(delegation) {
     const byService = /* @__PURE__ */ new Map();
@@ -20345,7 +20905,13 @@ var _TinyCloudNode = class _TinyCloudNode {
     );
   }
   operationCovers(granted, requested) {
-    return granted.spaceId === requested.spaceId && granted.service === requested.service && this.actionContains(granted.action, requested.action) && this.pathContains(granted.path, requested.path);
+    if (granted.service !== requested.service || !this.actionContains(granted.action, requested.action)) {
+      return false;
+    }
+    if (granted.resource !== void 0 || requested.resource !== void 0) {
+      return granted.resource !== void 0 && requested.resource !== void 0 && granted.resource === requested.resource && this.pathContains(granted.path, requested.path);
+    }
+    return granted.spaceId !== void 0 && requested.spaceId !== void 0 && granted.spaceId === requested.spaceId && this.pathContains(granted.path, requested.path);
   }
   actionContains(grantedAction, requestedAction) {
     if (grantedAction === requestedAction) {
@@ -20360,6 +20926,37 @@ var _TinyCloudNode = class _TinyCloudNode {
   invocationServiceName(service) {
     return service.startsWith("tinycloud.") ? this.shortServiceName(service) : service;
   }
+  isEncryptionNetworkOperation(service, path) {
+    return service === "encryption" && path.startsWith("urn:tinycloud:encryption:");
+  }
+  operationFromInvokeAnyEntry(entry) {
+    const service = this.invocationServiceName(entry.service);
+    if (typeof entry.resource === "string") {
+      return {
+        resource: entry.resource,
+        service,
+        path: entry.path,
+        action: entry.action
+      };
+    }
+    if (this.isEncryptionNetworkOperation(service, entry.path)) {
+      return {
+        resource: entry.path,
+        service,
+        path: entry.path,
+        action: entry.action
+      };
+    }
+    if (typeof entry.spaceId === "string") {
+      return {
+        spaceId: entry.spaceId,
+        service,
+        path: entry.path,
+        action: entry.action
+      };
+    }
+    return void 0;
+  }
   pathContains(grantedPath, requestedPath) {
     if (grantedPath === "" || grantedPath === "/") {
       return true;
@@ -20598,6 +21195,17 @@ var _TinyCloudNode = class _TinyCloudNode {
         // Not used in session-only mode
       };
       this.trackReceivedDelegation(delegation, this.sessionKeyJwk);
+      this.installRuntimeGrantFromServiceSession(
+        delegation,
+        {
+          delegationHeader: session2.delegationHeader,
+          delegationCid: session2.delegationCid,
+          spaceId: session2.spaceId,
+          verificationMethod: session2.verificationMethod,
+          jwk: session2.jwk
+        },
+        delegation.expiry
+      );
       return new DelegatedAccess(session2, delegation, targetHost, this.wasmBindings.invoke);
     }
     const mySession = this.auth?.tinyCloudSession;
@@ -20609,6 +21217,10 @@ var _TinyCloudNode = class _TinyCloudNode {
     const kvActions = delegation.actions.filter((a) => a.startsWith("tinycloud.kv/"));
     const sqlActions = delegation.actions.filter((a) => a.startsWith("tinycloud.sql/"));
     const duckdbActions = delegation.actions.filter((a) => a.startsWith("tinycloud.duckdb/"));
+    const encryptionActions = delegation.actions.filter(
+      (a) => a.startsWith("tinycloud.encryption/")
+    );
+    const rawAbilities = {};
     if (kvActions.length > 0) {
       abilities.kv = { [delegation.path]: kvActions };
     }
@@ -20618,6 +21230,9 @@ var _TinyCloudNode = class _TinyCloudNode {
     if (duckdbActions.length > 0) {
       abilities.duckdb = { [delegation.path]: duckdbActions };
     }
+    if (encryptionActions.length > 0 && delegation.path.startsWith("urn:tinycloud:encryption:")) {
+      rawAbilities[delegation.path] = encryptionActions;
+    }
     const now = /* @__PURE__ */ new Date();
     const maxExpiry = new Date(now.getTime() + 60 * 60 * 1e3);
     const expirationTime = delegation.expiry < maxExpiry ? delegation.expiry : maxExpiry;
@@ -20630,7 +21245,8 @@ var _TinyCloudNode = class _TinyCloudNode {
       expirationTime: expirationTime.toISOString(),
       spaceId: delegation.spaceId,
       jwk,
-      parents: [delegation.cid]
+      parents: [delegation.cid],
+      ...Object.keys(rawAbilities).length > 0 ? { rawAbilities } : {}
     });
     const signature2 = await this.signer.signMessage(prepared.siwe);
     const invokerSession = this.wasmBindings.completeSessionSetup({
@@ -20657,6 +21273,17 @@ var _TinyCloudNode = class _TinyCloudNode {
       signature: signature2
     };
     this.trackReceivedDelegation(delegation, jwk);
+    this.installRuntimeGrantFromServiceSession(
+      delegation,
+      {
+        delegationHeader: session.delegationHeader,
+        delegationCid: session.delegationCid,
+        spaceId: session.spaceId,
+        verificationMethod: session.verificationMethod,
+        jwk: session.jwk
+      },
+      expirationTime
+    );
     return new DelegatedAccess(session, delegation, targetHost, this.wasmBindings.invoke);
   }
   /**
@@ -20911,7 +21538,7 @@ import {
   loadManifest,
   isCapabilitySubset as isCapabilitySubset2,
   expandActionShortNames,
-  expandPermissionEntries,
+  expandPermissionEntries as expandPermissionEntries2,
   expandPermissionEntry,
   parseExpiry as parseExpiry2,
   resourceCapabilitiesToSpaceAbilitiesMap as resourceCapabilitiesToSpaceAbilitiesMap2
@@ -20934,7 +21561,11 @@ function deserializeDelegation(data) {
 }
 // src/index.ts
-import { KVService as KVService3, PrefixedKVService } from "@tinycloud/sdk-core";
+import {
+  DEFAULT_SIGNED_READ_URL_EXPIRY_MS,
+  KVService as KVService3,
+  PrefixedKVService
+} from "@tinycloud/sdk-core";
 import { SQLService as SQLService3, SQLAction, DatabaseHandle } from "@tinycloud/sdk-core";
 import {
   DuckDbService as DuckDbService3,
@@ -20946,7 +21577,53 @@ import {
   VaultHeaders,
   VaultPublicSpaceKVActions,
   createVaultCrypto as createVaultCrypto2,
-  SecretsService as SecretsService2
+  SecretsService as SecretsService2,
+  SECRET_NAME_RE,
+  canonicalizeSecretScope,
+  resolveSecretListPrefix as resolveSecretListPrefix2,
+  resolveSecretPath as resolveSecretPath2
+} from "@tinycloud/sdk-core";
+import {
+  EncryptionService as EncryptionService2,
+  parseNetworkId,
+  buildNetworkId,
+  isNetworkId,
+  networkDiscoveryKey,
+  NetworkIdError,
+  ENCRYPTION_NETWORK_URN_PREFIX,
+  NETWORK_NAME_PATTERN,
+  canonicalizeEncryptionJson as canonicalizeEncryptionJson2,
+  canonicalHashHex as canonicalHashHex2,
+  hexEncode,
+  hexDecode,
+  encryptionBase64Encode,
+  encryptionBase64Decode,
+  encryptionUtf8Encode,
+  encryptionUtf8Decode,
+  encryptToNetwork,
+  decryptEnvelopeWithKey,
+  validateEnvelope,
+  generateRandomReceiverKey,
+  deriveSignedReceiverKey,
+  buildCanonicalDecryptRequest,
+  buildDecryptFacts,
+  buildDecryptAttenuation,
+  buildDecryptInvocation,
+  checkDecryptInvocationInput,
+  verifyDecryptResponse,
+  canonicalSignedResponse,
+  openWrappedKey,
+  discoverNetwork,
+  ensureNetworkUsableForDecrypt,
+  DEFAULT_ENCRYPTION_ALG,
+  ENVELOPE_VERSION,
+  DEFAULT_KEY_VERSION,
+  DECRYPT_FACT_TYPE,
+  DECRYPT_RESULT_TYPE,
+  DECRYPT_ACTION as DECRYPT_ACTION2,
+  ENCRYPTION_SERVICE,
+  ENCRYPTION_SERVICE_SHORT,
+  encryptionError
 } from "@tinycloud/sdk-core";
 import { HooksService as HooksService3 } from "@tinycloud/sdk-core";
 import {
@@ -20982,8 +21659,14 @@ export {
   AutoApproveSpaceCreationHandler2 as AutoApproveSpaceCreationHandler,
   CapabilityKeyRegistry2 as CapabilityKeyRegistry,
   CapabilityKeyRegistryErrorCodes,
+  DECRYPT_ACTION2 as DECRYPT_ACTION,
+  DECRYPT_FACT_TYPE,
+  DECRYPT_RESULT_TYPE,
+  DEFAULT_ENCRYPTION_ALG,
+  DEFAULT_KEY_VERSION,
   DEFAULT_MANIFEST_SPACE2 as DEFAULT_MANIFEST_SPACE,
   DEFAULT_MANIFEST_VERSION,
+  DEFAULT_SIGNED_READ_URL_EXPIRY_MS,
   DataVaultService2 as DataVaultService,
   DatabaseHandle,
   DelegatedAccess,
@@ -20992,17 +21675,25 @@ export {
   DuckDbAction,
   DuckDbDatabaseHandle,
   DuckDbService3 as DuckDbService,
+  ENCRYPTION_NETWORK_URN_PREFIX,
+  ENCRYPTION_SERVICE,
+  ENCRYPTION_SERVICE_SHORT,
+  ENVELOPE_VERSION,
+  EncryptionService2 as EncryptionService,
   FileSessionStorage,
   HooksService3 as HooksService,
   KVService3 as KVService,
   ManifestValidationError,
   MemorySessionStorage,
+  NETWORK_NAME_PATTERN,
+  NetworkIdError,
   NodeUserAuthorization,
   NodeWasmBindings,
   PermissionNotInManifestError2 as PermissionNotInManifestError,
   PrefixedKVService,
   PrivateKeySigner,
   ProtocolMismatchError,
+  SECRET_NAME_RE,
   SQLAction,
   SQLService3 as SQLService,
   SecretsService2 as SecretsService,
@@ -21021,7 +21712,17 @@ export {
   VaultPublicSpaceKVActions,
   VersionCheckError,
   WasmKeyProvider,
+  buildCanonicalDecryptRequest,
+  buildDecryptAttenuation,
+  buildDecryptFacts,
+  buildDecryptInvocation,
+  buildNetworkId,
   buildSpaceUri,
+  canonicalHashHex2 as canonicalHashHex,
+  canonicalSignedResponse,
+  canonicalizeEncryptionJson2 as canonicalizeEncryptionJson,
+  canonicalizeSecretScope,
+  checkDecryptInvocationInput,
   checkNodeInfo2 as checkNodeInfo,
   composeManifestRequest2 as composeManifestRequest,
   createCapabilityKeyRegistry,
@@ -21029,21 +21730,42 @@ export {
   createSpaceService,
   createVaultCrypto2 as createVaultCrypto,
   createWasmKeyProvider,
+  decryptEnvelopeWithKey,
   defaultSignStrategy,
   defaultSpaceCreationHandler,
+  deriveSignedReceiverKey,
   deserializeDelegation,
+  discoverNetwork,
+  encryptToNetwork,
+  encryptionBase64Decode,
+  encryptionBase64Encode,
+  encryptionError,
+  encryptionUtf8Decode,
+  encryptionUtf8Encode,
+  ensureNetworkUsableForDecrypt,
   expandActionShortNames,
-  expandPermissionEntries,
+  expandPermissionEntries2 as expandPermissionEntries,
   expandPermissionEntry,
+  generateRandomReceiverKey,
+  hexDecode,
+  hexEncode,
   isCapabilitySubset2 as isCapabilitySubset,
+  isNetworkId,
   loadManifest,
   makePublicSpaceId2 as makePublicSpaceId,
+  networkDiscoveryKey,
+  openWrappedKey,
   parseExpiry2 as parseExpiry,
+  parseNetworkId,
   parseSpaceUri,
   resolveManifest2 as resolveManifest,
+  resolveSecretListPrefix2 as resolveSecretListPrefix,
+  resolveSecretPath2 as resolveSecretPath,
   resourceCapabilitiesToSpaceAbilitiesMap2 as resourceCapabilitiesToSpaceAbilitiesMap,
   serializeDelegation,
-  validateManifest
+  validateEnvelope,
+  validateManifest,
+  verifyDecryptResponse
 };
 /*! Bundled license information: