npm - @tinycloud/node-sdk - Versions diffs - 2.2.0-beta.9 → 2.2.1-beta.0 - Mend

@tinycloud/node-sdk 2.2.0-beta.9 → 2.2.1-beta.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

package/dist/{core-DcJ27GsA.d.cts → core-CNyXnUx9.d.cts} +80 -6
package/dist/{core-DcJ27GsA.d.ts → core-CNyXnUx9.d.ts} +80 -6
package/dist/core.cjs +725 -92
package/dist/core.cjs.map +1 -1
package/dist/core.d.cts +2 -2
package/dist/core.d.ts +2 -2
package/dist/core.js +743 -99
package/dist/core.js.map +1 -1
package/dist/index.cjs +819 -114
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +4 -3
package/dist/index.d.ts +4 -3
package/dist/index.js +822 -100
package/dist/index.js.map +1 -1
package/package.json +3 -3

package/dist/index.cjs CHANGED Viewed

@@ -17028,70 +17028,115 @@ __export(index_exports, {
   ACCOUNT_REGISTRY_PATH: () => import_sdk_core9.ACCOUNT_REGISTRY_PATH,
   ACCOUNT_REGISTRY_SPACE: () => import_sdk_core9.ACCOUNT_REGISTRY_SPACE,
   AutoApproveSpaceCreationHandler: () => import_sdk_core8.AutoApproveSpaceCreationHandler,
-  CapabilityKeyRegistry: () => import_sdk_core16.CapabilityKeyRegistry,
-  CapabilityKeyRegistryErrorCodes: () => import_sdk_core16.CapabilityKeyRegistryErrorCodes,
+  CapabilityKeyRegistry: () => import_sdk_core17.CapabilityKeyRegistry,
+  CapabilityKeyRegistryErrorCodes: () => import_sdk_core17.CapabilityKeyRegistryErrorCodes,
+  DECRYPT_ACTION: () => import_sdk_core14.DECRYPT_ACTION,
+  DECRYPT_FACT_TYPE: () => import_sdk_core14.DECRYPT_FACT_TYPE,
+  DECRYPT_RESULT_TYPE: () => import_sdk_core14.DECRYPT_RESULT_TYPE,
+  DEFAULT_ENCRYPTION_ALG: () => import_sdk_core14.DEFAULT_ENCRYPTION_ALG,
+  DEFAULT_KEY_VERSION: () => import_sdk_core14.DEFAULT_KEY_VERSION,
   DEFAULT_MANIFEST_SPACE: () => import_sdk_core9.DEFAULT_MANIFEST_SPACE,
   DEFAULT_MANIFEST_VERSION: () => import_sdk_core9.DEFAULT_MANIFEST_VERSION,
+  DEFAULT_SIGNED_READ_URL_EXPIRY_MS: () => import_sdk_core10.DEFAULT_SIGNED_READ_URL_EXPIRY_MS,
   DataVaultService: () => import_sdk_core13.DataVaultService,
   DatabaseHandle: () => import_sdk_core11.DatabaseHandle,
   DelegatedAccess: () => DelegatedAccess,
-  DelegationErrorCodes: () => import_sdk_core15.DelegationErrorCodes,
-  DelegationManager: () => import_sdk_core15.DelegationManager,
+  DelegationErrorCodes: () => import_sdk_core16.DelegationErrorCodes,
+  DelegationManager: () => import_sdk_core16.DelegationManager,
   DuckDbAction: () => import_sdk_core12.DuckDbAction,
   DuckDbDatabaseHandle: () => import_sdk_core12.DuckDbDatabaseHandle,
   DuckDbService: () => import_sdk_core12.DuckDbService,
+  ENCRYPTION_NETWORK_URN_PREFIX: () => import_sdk_core14.ENCRYPTION_NETWORK_URN_PREFIX,
+  ENCRYPTION_SERVICE: () => import_sdk_core14.ENCRYPTION_SERVICE,
+  ENCRYPTION_SERVICE_SHORT: () => import_sdk_core14.ENCRYPTION_SERVICE_SHORT,
+  ENVELOPE_VERSION: () => import_sdk_core14.ENVELOPE_VERSION,
+  EncryptionService: () => import_sdk_core14.EncryptionService,
   FileSessionStorage: () => FileSessionStorage,
-  HooksService: () => import_sdk_core14.HooksService,
+  HooksService: () => import_sdk_core15.HooksService,
   KVService: () => import_sdk_core10.KVService,
   ManifestValidationError: () => import_sdk_core9.ManifestValidationError,
   MemorySessionStorage: () => MemorySessionStorage,
+  NETWORK_NAME_PATTERN: () => import_sdk_core14.NETWORK_NAME_PATTERN,
+  NetworkIdError: () => import_sdk_core14.NetworkIdError,
   NodeUserAuthorization: () => NodeUserAuthorization,
   NodeWasmBindings: () => NodeWasmBindings,
   PermissionNotInManifestError: () => import_sdk_core9.PermissionNotInManifestError,
   PrefixedKVService: () => import_sdk_core10.PrefixedKVService,
   PrivateKeySigner: () => PrivateKeySigner,
-  ProtocolMismatchError: () => import_sdk_core18.ProtocolMismatchError,
+  ProtocolMismatchError: () => import_sdk_core19.ProtocolMismatchError,
+  SECRET_NAME_RE: () => import_sdk_core13.SECRET_NAME_RE,
   SQLAction: () => import_sdk_core11.SQLAction,
   SQLService: () => import_sdk_core11.SQLService,
   SecretsService: () => import_sdk_core13.SecretsService,
-  ServiceContext: () => import_sdk_core19.ServiceContext,
+  ServiceContext: () => import_sdk_core20.ServiceContext,
   SessionExpiredError: () => import_sdk_core9.SessionExpiredError,
-  SharingService: () => import_sdk_core15.SharingService,
+  SharingService: () => import_sdk_core16.SharingService,
   SilentNotificationHandler: () => import_sdk_core8.SilentNotificationHandler,
-  Space: () => import_sdk_core17.Space,
-  SpaceErrorCodes: () => import_sdk_core17.SpaceErrorCodes,
-  SpaceService: () => import_sdk_core17.SpaceService,
+  Space: () => import_sdk_core18.Space,
+  SpaceErrorCodes: () => import_sdk_core18.SpaceErrorCodes,
+  SpaceService: () => import_sdk_core18.SpaceService,
   TinyCloud: () => import_sdk_core7.TinyCloud,
   TinyCloudNode: () => TinyCloudNode,
-  UnsupportedFeatureError: () => import_sdk_core18.UnsupportedFeatureError,
+  UnsupportedFeatureError: () => import_sdk_core19.UnsupportedFeatureError,
   VAULT_PERMISSION_SERVICE: () => import_sdk_core9.VAULT_PERMISSION_SERVICE,
   VaultHeaders: () => import_sdk_core13.VaultHeaders,
   VaultPublicSpaceKVActions: () => import_sdk_core13.VaultPublicSpaceKVActions,
-  VersionCheckError: () => import_sdk_core18.VersionCheckError,
+  VersionCheckError: () => import_sdk_core19.VersionCheckError,
   WasmKeyProvider: () => WasmKeyProvider,
-  buildSpaceUri: () => import_sdk_core17.buildSpaceUri,
-  checkNodeInfo: () => import_sdk_core18.checkNodeInfo,
+  buildCanonicalDecryptRequest: () => import_sdk_core14.buildCanonicalDecryptRequest,
+  buildDecryptAttenuation: () => import_sdk_core14.buildDecryptAttenuation,
+  buildDecryptFacts: () => import_sdk_core14.buildDecryptFacts,
+  buildDecryptInvocation: () => import_sdk_core14.buildDecryptInvocation,
+  buildNetworkId: () => import_sdk_core14.buildNetworkId,
+  buildSpaceUri: () => import_sdk_core18.buildSpaceUri,
+  canonicalHashHex: () => import_sdk_core14.canonicalHashHex,
+  canonicalSignedResponse: () => import_sdk_core14.canonicalSignedResponse,
+  canonicalizeEncryptionJson: () => import_sdk_core14.canonicalizeEncryptionJson,
+  canonicalizeSecretScope: () => import_sdk_core13.canonicalizeSecretScope,
+  checkDecryptInvocationInput: () => import_sdk_core14.checkDecryptInvocationInput,
+  checkNodeInfo: () => import_sdk_core19.checkNodeInfo,
   composeManifestRequest: () => import_sdk_core9.composeManifestRequest,
-  createCapabilityKeyRegistry: () => import_sdk_core16.createCapabilityKeyRegistry,
-  createSharingService: () => import_sdk_core15.createSharingService,
-  createSpaceService: () => import_sdk_core17.createSpaceService,
+  createCapabilityKeyRegistry: () => import_sdk_core17.createCapabilityKeyRegistry,
+  createSharingService: () => import_sdk_core16.createSharingService,
+  createSpaceService: () => import_sdk_core18.createSpaceService,
   createVaultCrypto: () => import_sdk_core13.createVaultCrypto,
   createWasmKeyProvider: () => createWasmKeyProvider,
+  decryptEnvelopeWithKey: () => import_sdk_core14.decryptEnvelopeWithKey,
   defaultSignStrategy: () => defaultSignStrategy,
   defaultSpaceCreationHandler: () => import_sdk_core8.defaultSpaceCreationHandler,
+  deriveSignedReceiverKey: () => import_sdk_core14.deriveSignedReceiverKey,
   deserializeDelegation: () => deserializeDelegation,
+  discoverNetwork: () => import_sdk_core14.discoverNetwork,
+  encryptToNetwork: () => import_sdk_core14.encryptToNetwork,
+  encryptionBase64Decode: () => import_sdk_core14.encryptionBase64Decode,
+  encryptionBase64Encode: () => import_sdk_core14.encryptionBase64Encode,
+  encryptionError: () => import_sdk_core14.encryptionError,
+  encryptionUtf8Decode: () => import_sdk_core14.encryptionUtf8Decode,
+  encryptionUtf8Encode: () => import_sdk_core14.encryptionUtf8Encode,
+  ensureNetworkUsableForDecrypt: () => import_sdk_core14.ensureNetworkUsableForDecrypt,
   expandActionShortNames: () => import_sdk_core9.expandActionShortNames,
   expandPermissionEntries: () => import_sdk_core9.expandPermissionEntries,
   expandPermissionEntry: () => import_sdk_core9.expandPermissionEntry,
+  generateRandomReceiverKey: () => import_sdk_core14.generateRandomReceiverKey,
+  hexDecode: () => import_sdk_core14.hexDecode,
+  hexEncode: () => import_sdk_core14.hexEncode,
   isCapabilitySubset: () => import_sdk_core9.isCapabilitySubset,
+  isNetworkId: () => import_sdk_core14.isNetworkId,
   loadManifest: () => import_sdk_core9.loadManifest,
-  makePublicSpaceId: () => import_sdk_core17.makePublicSpaceId,
+  makePublicSpaceId: () => import_sdk_core18.makePublicSpaceId,
+  networkDiscoveryKey: () => import_sdk_core14.networkDiscoveryKey,
+  openWrappedKey: () => import_sdk_core14.openWrappedKey,
   parseExpiry: () => import_sdk_core9.parseExpiry,
-  parseSpaceUri: () => import_sdk_core17.parseSpaceUri,
+  parseNetworkId: () => import_sdk_core14.parseNetworkId,
+  parseSpaceUri: () => import_sdk_core18.parseSpaceUri,
   resolveManifest: () => import_sdk_core9.resolveManifest,
+  resolveSecretListPrefix: () => import_sdk_core13.resolveSecretListPrefix,
+  resolveSecretPath: () => import_sdk_core13.resolveSecretPath,
   resourceCapabilitiesToSpaceAbilitiesMap: () => import_sdk_core9.resourceCapabilitiesToSpaceAbilitiesMap,
   serializeDelegation: () => serializeDelegation,
-  validateManifest: () => import_sdk_core9.validateManifest
+  validateEnvelope: () => import_sdk_core14.validateEnvelope,
+  validateManifest: () => import_sdk_core9.validateManifest,
+  verifyDecryptResponse: () => import_sdk_core14.verifyDecryptResponse
 });
 module.exports = __toCommonJS(index_exports);
@@ -17101,6 +17146,7 @@ var _NodeWasmBindings = class _NodeWasmBindings {
   constructor() {
     this.invoke = import_node_sdk_wasm.invoke;
     this.invokeAny = import_node_sdk_wasm.invokeAny;
+    this.computeCid = import_node_sdk_wasm.computeCid;
     this.prepareSession = import_node_sdk_wasm.prepareSession;
     this.completeSessionSetup = import_node_sdk_wasm.completeSessionSetup;
     this.ensureEip55 = import_node_sdk_wasm.ensureEip55;
@@ -17328,7 +17374,7 @@ var NodeUserAuthorization = class {
         ]
       }
     };
-    this.sessionExpirationMs = config.sessionExpirationMs ?? 60 * 60 * 1e3;
+    this.sessionExpirationMs = config.sessionExpirationMs ?? import_sdk_core.EXPIRY.SESSION_MS;
     this.autoCreateSpace = config.autoCreateSpace ?? false;
     this.spaceCreationHandler = config.spaceCreationHandler;
     this.tinycloudHosts = config.tinycloudHosts;
@@ -17381,6 +17427,23 @@ var NodeUserAuthorization = class {
   get tinyCloudSession() {
     return this._tinyCloudSession;
   }
+  /**
+   * Rehydrate the auth-layer session from previously-persisted delegation
+   * data. Used by {@link TinyCloudNode.restoreSession} so that downstream
+   * surfaces that read from `tinyCloudSession` (notably
+   * `grantRuntimePermissions`, which extracts the SIWE expiry from it) work
+   * without re-running the full sign-in flow.
+   *
+   * Caller must supply the same fields that `signIn` would have written —
+   * `siwe` is the load-bearing one because `extractSiweExpiration` returns
+   * undefined for missing SIWEs and the SDK then treats the session as
+   * expired-at-epoch-zero.
+   */
+  setRestoredTinyCloudSession(session) {
+    this._tinyCloudSession = session;
+    this._address = session.address;
+    this._chainId = session.chainId;
+  }
   async resolveTinyCloudHostsForSignIn(address, chainId) {
     if (this.tinycloudHosts && this.tinycloudHosts.length > 0) {
       return;
@@ -17451,21 +17514,64 @@ var NodeUserAuthorization = class {
     }
     return this.wasm.makeSpaceId(address, chainId, space);
   }
+  defaultEncryptionNetworkId(address, chainId) {
+    return `urn:tinycloud:encryption:did:pkh:eip155:${chainId}:${address}:default`;
+  }
   resolveSignInCapabilities(address, chainId) {
     const request = this.getCapabilityRequest();
     if (request === void 0) {
+      const defaultNetworkId = this.defaultEncryptionNetworkId(address, chainId);
+      const secretsSpaceId = this.wasm.makeSpaceId(address, chainId, "secrets");
       return {
         abilities: this.defaultActions,
-        spaceId: this.wasm.makeSpaceId(address, chainId, this.spacePrefix)
+        spaceId: this.wasm.makeSpaceId(address, chainId, this.spacePrefix),
+        spaceAbilities: {
+          [secretsSpaceId]: {
+            kv: {
+              "vault/secrets/": [
+                "tinycloud.kv/get",
+                "tinycloud.kv/put",
+                "tinycloud.kv/del",
+                "tinycloud.kv/list",
+                "tinycloud.kv/metadata"
+              ]
+            }
+          }
+        },
+        rawAbilities: {
+          [defaultNetworkId]: [
+            "tinycloud.encryption/decrypt",
+            "tinycloud.encryption/network.create"
+          ]
+        }
       };
     }
-    const primarySpaceName = request.resources.find((entry) => entry.space !== "account")?.space ?? import_sdk_core.DEFAULT_MANIFEST_SPACE;
+    const rawAbilities = {};
+    const spaceResources = request.resources.filter((entry) => {
+      if (entry.service !== import_sdk_core.ENCRYPTION_PERMISSION_SERVICE) {
+        return true;
+      }
+      const existing = rawAbilities[entry.path];
+      if (existing === void 0) {
+        rawAbilities[entry.path] = [...entry.actions];
+      } else {
+        const seen = new Set(existing);
+        for (const action of entry.actions) {
+          if (!seen.has(action)) {
+            existing.push(action);
+            seen.add(action);
+          }
+        }
+      }
+      return false;
+    });
+    const primarySpaceName = spaceResources.find((entry) => entry.space !== "account")?.space ?? import_sdk_core.DEFAULT_MANIFEST_SPACE;
     const primarySpaceId = this.resolveSpaceName(
       primarySpaceName,
       address,
       chainId
     );
-    const bySpace = (0, import_sdk_core.resourceCapabilitiesToSpaceAbilitiesMap)(request.resources);
+    const bySpace = (0, import_sdk_core.resourceCapabilitiesToSpaceAbilitiesMap)(spaceResources);
     const spaceAbilities = {};
     for (const [space, abilities] of Object.entries(bySpace)) {
       spaceAbilities[this.resolveSpaceName(space, address, chainId)] = abilities;
@@ -17473,7 +17579,8 @@ var NodeUserAuthorization = class {
     return {
       abilities: spaceAbilities[primarySpaceId] ?? (0, import_sdk_core.resourceCapabilitiesToAbilitiesMap)([]),
       spaceId: primarySpaceId,
-      spaceAbilities
+      spaceAbilities,
+      rawAbilities: Object.keys(rawAbilities).length > 0 ? rawAbilities : void 0
     };
   }
   /**
@@ -17698,6 +17805,7 @@ var NodeUserAuthorization = class {
     const prepared = this.wasm.prepareSession({
       abilities: capabilityPlan.abilities,
       ...capabilityPlan.spaceAbilities !== void 0 ? { spaceAbilities: capabilityPlan.spaceAbilities } : {},
+      ...capabilityPlan.rawAbilities !== void 0 ? { rawAbilities: capabilityPlan.rawAbilities } : {},
       address,
       chainId,
       domain: this.domain,
@@ -17843,6 +17951,7 @@ var NodeUserAuthorization = class {
     const prepared = this.wasm.prepareSession({
       abilities: capabilityPlan.abilities,
       ...capabilityPlan.spaceAbilities !== void 0 ? { spaceAbilities: capabilityPlan.spaceAbilities } : {},
+      ...capabilityPlan.rawAbilities !== void 0 ? { rawAbilities: capabilityPlan.rawAbilities } : {},
       address,
       chainId,
       domain: this.domain,
@@ -18213,9 +18322,10 @@ function legacyParamsToPermissionEntries(actions, path, spaceIdOverride) {
   }
   return entries;
 }
+var DEFAULT_DELEGATION_EXPIRY_MS = import_sdk_core3.EXPIRY.SESSION_MS;
 function resolveExpiryMs(expiry) {
   if (expiry === void 0) {
-    return 60 * 60 * 1e3;
+    return DEFAULT_DELEGATION_EXPIRY_MS;
   }
   if (typeof expiry === "number") {
     if (!Number.isFinite(expiry) || expiry <= 0) {
@@ -18243,8 +18353,6 @@ function extractSiweExpiration(siwe) {
 // src/NodeSecretsService.ts
 var import_sdk_core4 = require("@tinycloud/sdk-core");
-var SECRET_NAME_RE = /^[A-Z][A-Z0-9_]*$/;
-var SECRET_PREFIX = "secrets/";
 var SECRETS_SPACE = "secrets";
 function ok() {
   return { ok: true, data: void 0 };
@@ -18261,27 +18369,39 @@ function secretsError(code, message, cause) {
   };
 }
 function displayActionUrn(action) {
-  return action === "put" ? "tinycloud.vault/write" : "tinycloud.vault/delete";
+  switch (action) {
+    case "get":
+      return "tinycloud.kv/get";
+    case "put":
+      return "tinycloud.kv/put";
+    case "del":
+      return "tinycloud.kv/del";
+    case "list":
+      return "tinycloud.kv/list";
+  }
 }
-function kvActionUrn(action) {
-  return `tinycloud.kv/${action}`;
+function secretActionName(action) {
+  return action;
 }
-function secretPermissionEntries(name, action) {
-  return [
-    {
-      service: "tinycloud.vault",
-      space: SECRETS_SPACE,
-      path: `${SECRET_PREFIX}${name}`,
-      actions: [action === "put" ? "write" : "delete"],
+function secretPermissionEntries(name, options, action, encryptionNetworkId) {
+  const entries = [];
+  const path = action === "list" ? (0, import_sdk_core4.resolveSecretListPrefix)(options) : (0, import_sdk_core4.resolveSecretPath)(name, options).permissionPaths.vault;
+  entries.push({
+    service: "tinycloud.kv",
+    space: SECRETS_SPACE,
+    path,
+    actions: [secretActionName(action)],
+    skipPrefix: true
+  });
+  if (action === "get" && encryptionNetworkId !== void 0) {
+    entries.push({
+      service: "tinycloud.encryption",
+      path: encryptionNetworkId,
+      actions: ["decrypt"],
       skipPrefix: true
-    }
-  ];
-}
-function secretResourcePath(base2, name) {
-  return `${base2}/${SECRET_PREFIX}${name}`;
-}
-function isSecretsSpace(space) {
-  return space === SECRETS_SPACE || space.endsWith(`:${SECRETS_SPACE}`);
+    });
+  }
+  return entries;
 }
 var NodeSecretsService = class {
   constructor(config) {
@@ -18309,48 +18429,62 @@ var NodeSecretsService = class {
     this.shouldRestoreUnlock = false;
     this.service.lock();
   }
-  get(name) {
-    return this.service.get(name);
+  async get(name, options) {
+    const permission = await this.ensurePermission(name, options, "get");
+    if (!permission.ok) return permission;
+    return options === void 0 ? this.service.get(name) : this.service.get(name, options);
   }
-  async put(name, value) {
-    const permission = await this.ensureMutationPermission(name, "put");
+  async put(name, value, options) {
+    const permission = await this.ensurePermission(name, options, "put");
     if (!permission.ok) return permission;
-    return this.service.put(name, value);
+    return options === void 0 ? this.service.put(name, value) : this.service.put(name, value, options);
   }
-  async delete(name) {
-    const permission = await this.ensureMutationPermission(name, "del");
+  async delete(name, options) {
+    const permission = await this.ensurePermission(name, options, "del");
     if (!permission.ok) return permission;
-    return this.service.delete(name);
+    return options === void 0 ? this.service.delete(name) : this.service.delete(name, options);
   }
-  list() {
-    return this.service.list();
+  async list(options) {
+    const permission = await this.ensurePermission("", options, "list");
+    if (!permission.ok) return permission;
+    return options === void 0 ? this.service.list() : this.service.list(options);
   }
   get service() {
     return this.config.getService();
   }
-  async ensureMutationPermission(name, action) {
-    if (!SECRET_NAME_RE.test(name)) {
+  async ensurePermission(name, options, action) {
+    const target = name || "secrets";
+    let permissionEntries;
+    try {
+      permissionEntries = secretPermissionEntries(
+        name,
+        options,
+        action,
+        action === "get" ? this.config.getEncryptionNetworkId?.() : void 0
+      );
+    } catch (error) {
       return secretsError(
         import_sdk_core4.ErrorCodes.INVALID_INPUT,
-        `Invalid secret name ${JSON.stringify(name)}. Secret names must match ${SECRET_NAME_RE.source}.`
+        error instanceof Error ? error.message : String(error),
+        error instanceof Error ? error : void 0
       );
     }
-    if (this.hasMutationPermission(name, action)) {
+    if (this.hasPermission(permissionEntries)) {
       return ok();
     }
     if (!this.config.canEscalate()) {
       return secretsError(
         import_sdk_core4.ErrorCodes.PERMISSION_DENIED,
-        `Cannot autosign ${displayActionUrn(action)} for ${name}; TinyCloudNode needs wallet mode with a signer or privateKey.`
+        `Cannot autosign ${displayActionUrn(action)} for ${target}; TinyCloudNode needs wallet mode with a signer or privateKey.`
       );
     }
     try {
-      await this.config.grantPermissions(secretPermissionEntries(name, action));
+      await this.config.grantPermissions(permissionEntries);
       return this.restoreUnlockAfterEscalation();
     } catch (error) {
       return secretsError(
         import_sdk_core4.ErrorCodes.PERMISSION_DENIED,
-        error instanceof Error ? error.message : `Autosign escalation for ${displayActionUrn(action)} on ${name} failed.`,
+        error instanceof Error ? error.message : `Autosign escalation for ${displayActionUrn(action)} on ${target} failed.`,
         error instanceof Error ? error : void 0
       );
     }
@@ -18361,26 +18495,117 @@ var NodeSecretsService = class {
     }
     return this.service.unlock(this.unlockSigner);
   }
-  hasMutationPermission(name, action) {
+  hasPermission(permissionEntries) {
+    if (this.config.hasPermissions?.(permissionEntries)) {
+      return true;
+    }
     const manifest = this.config.getManifest();
     if (manifest === void 0) {
       return false;
     }
     const manifests = Array.isArray(manifest) ? manifest : [manifest];
-    const requiredAction = kvActionUrn(action);
-    return manifests.some((entry) => {
-      const resolved = (0, import_sdk_core4.resolveManifest)(entry);
-      return ["keys", "vault"].every(
-        (base2) => resolved.resources.some(
-          (resource) => resource.service === "tinycloud.kv" && isSecretsSpace(resource.space) && resource.path === secretResourcePath(base2, name) && resource.actions.includes(requiredAction)
-        )
-      );
-    });
+    const requestedEntries = (0, import_sdk_core4.expandPermissionEntries)(permissionEntries);
+    return requestedEntries.every(
+      (entry) => manifests.some((candidate) => {
+        const resolved = (0, import_sdk_core4.resolveManifest)(candidate);
+        return resolved.resources.some(
+          (resource) => resource.service === entry.service && resource.space === entry.space && resource.path === entry.path && entry.actions.every((action) => resource.actions.includes(action))
+        );
+      })
+    );
   }
 };
 // src/TinyCloudNode.ts
 var DEFAULT_HOST = "https://node.tinycloud.xyz";
+var DEFAULT_ENCRYPTION_NETWORK_NAME = "default";
+var NETWORK_CREATE_ACTION = "tinycloud.encryption/network.create";
+var DECRYPT_ACTION = "tinycloud.encryption/decrypt";
+var NETWORK_ADMIN_TYPE = "tinycloud.encryption.network-admin/v1";
+var DEFAULT_SESSION_EXPIRATION_MS = import_sdk_core5.EXPIRY.SESSION_MS;
+function base64UrlEncode(bytes) {
+  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
+  let output = "";
+  for (let i = 0; i < bytes.length; i += 3) {
+    const a = bytes[i];
+    const b = bytes[i + 1];
+    const c = bytes[i + 2];
+    const triplet = a << 16 | (b ?? 0) << 8 | (c ?? 0);
+    output += alphabet[triplet >> 18 & 63];
+    output += alphabet[triplet >> 12 & 63];
+    if (i + 1 < bytes.length) output += alphabet[triplet >> 6 & 63];
+    if (i + 2 < bytes.length) output += alphabet[triplet & 63];
+  }
+  return output;
+}
+function base64UrlDecode(value) {
+  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
+  const bytes = [];
+  let buffer = 0;
+  let bits = 0;
+  for (const char of value) {
+    const index = alphabet.indexOf(char);
+    if (index < 0) {
+      throw new Error("invalid base64url input");
+    }
+    buffer = buffer << 6 | index;
+    bits += 6;
+    if (bits >= 8) {
+      bits -= 8;
+      bytes.push(buffer >> bits & 255);
+    }
+  }
+  return new Uint8Array(bytes);
+}
+async function signJwtInputWithJwk(signingInput, jwk) {
+  const bytes = new TextEncoder().encode(signingInput);
+  try {
+    const subtle = globalThis.crypto?.subtle;
+    if (!subtle) {
+      throw new Error("WebCrypto subtle API is unavailable");
+    }
+    const key2 = await subtle.importKey(
+      "jwk",
+      jwk,
+      { name: "Ed25519" },
+      false,
+      ["sign"]
+    );
+    return new Uint8Array(await subtle.sign({ name: "Ed25519" }, key2, bytes));
+  } catch {
+    const nodeCrypto = await import("crypto");
+    const key2 = nodeCrypto.createPrivateKey({ key: jwk, format: "jwk" });
+    return new Uint8Array(nodeCrypto.sign(null, Buffer.from(bytes), key2));
+  }
+}
+async function rewriteInvocationAudience(authorization, audience, jwk) {
+  const [headerPart, payloadPart] = authorization.split(".");
+  if (!headerPart || !payloadPart) {
+    throw new Error("invalid invocation authorization");
+  }
+  const header = JSON.parse(new TextDecoder().decode(base64UrlDecode(headerPart)));
+  const payload = JSON.parse(new TextDecoder().decode(base64UrlDecode(payloadPart)));
+  payload.aud = audience;
+  const signingInput = `${base64UrlEncode(
+    new TextEncoder().encode(JSON.stringify(header))
+  )}.${base64UrlEncode(new TextEncoder().encode(JSON.stringify(payload)))}`;
+  const signature2 = await signJwtInputWithJwk(signingInput, jwk);
+  return `${signingInput}.${base64UrlEncode(signature2)}`;
+}
+function authorizationHeader(headers) {
+  if (Array.isArray(headers)) {
+    const entry = headers.find(([name]) => name.toLowerCase() === "authorization");
+    if (!entry) {
+      throw new Error("network invocation did not include an Authorization header");
+    }
+    return entry[1];
+  }
+  const value = headers.Authorization ?? headers.authorization;
+  if (!value) {
+    throw new Error("network invocation did not include an Authorization header");
+  }
+  return value;
+}
 var _TinyCloudNode = class _TinyCloudNode {
   /**
    * Create a new TinyCloudNode instance.
@@ -18425,12 +18650,10 @@ var _TinyCloudNode = class _TinyCloudNode {
         throw new Error("WASM binding does not support invokeAny");
       }
       const grant = this.findGrantForOperations(
-        entries.map((entry) => ({
-          spaceId: entry.spaceId,
-          service: this.invocationServiceName(entry.service),
-          path: entry.path,
-          action: entry.action
-        }))
+        entries.flatMap((entry) => {
+          const operation = this.operationFromInvokeAnyEntry(entry);
+          return operation ? [operation] : [];
+        })
       );
       return this.wasmBindings.invokeAny(grant?.session ?? session, entries, facts);
     };
@@ -18523,7 +18746,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       sessionStorage: config.sessionStorage ?? new MemorySessionStorage(),
       domain: this.siweDomain,
       spacePrefix: config.prefix,
-      sessionExpirationMs: config.sessionExpirationMs ?? 60 * 60 * 1e3,
+      sessionExpirationMs: config.sessionExpirationMs ?? DEFAULT_SESSION_EXPIRATION_MS,
       tinycloudHosts: this.explicitHost ? [this.explicitHost] : void 0,
       tinycloudRegistryUrl: config.tinycloudRegistryUrl,
       tinycloudFallbackHosts: config.tinycloudFallbackHosts,
@@ -18658,6 +18881,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     this._duckdb = void 0;
     this._hooks = void 0;
     this._vault = void 0;
+    this._encryption = void 0;
     this._baseSecrets = void 0;
     this._secrets = void 0;
     this._spaceService = void 0;
@@ -18666,6 +18890,9 @@ var _TinyCloudNode = class _TinyCloudNode {
     await this.tc.signIn(options);
     this.syncResolvedHostFromAuth();
     this.initializeServices();
+    if (this.config.manifest === void 0 && this.config.capabilityRequest === void 0) {
+      await this.ensureOwnedSpaceHosted(this.ownedSpaceId("secrets"));
+    }
     await this.writeManifestRegistryRecords();
     this.notificationHandler.success("Successfully signed in");
   }
@@ -18748,6 +18975,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     this._duckdb = void 0;
     this._hooks = void 0;
     this._vault = void 0;
+    this._encryption = void 0;
     this._baseSecrets = void 0;
     this._secrets = void 0;
     this._spaceService = void 0;
@@ -18789,6 +19017,33 @@ var _TinyCloudNode = class _TinyCloudNode {
     this._vault.initialize(this._serviceContext);
     this._serviceContext.registerService("vault", this._vault);
     this.initializeV2Services(serviceSession);
+    if (sessionData.siwe && sessionData.address && sessionData.chainId) {
+      const tcSession = {
+        address: sessionData.address,
+        chainId: sessionData.chainId,
+        sessionKey: JSON.stringify(sessionData.jwk),
+        spaceId: sessionData.spaceId,
+        delegationCid: sessionData.delegationCid,
+        delegationHeader: sessionData.delegationHeader,
+        verificationMethod: sessionData.verificationMethod,
+        jwk: sessionData.jwk,
+        siwe: sessionData.siwe,
+        signature: sessionData.signature ?? ""
+      };
+      if (this.auth) {
+        this.auth.setRestoredTinyCloudSession(tcSession);
+      } else {
+        this._restoredTcSession = tcSession;
+      }
+    }
+  }
+  /**
+   * Resolve the currently-active TinyCloudSession, preferring the auth
+   * layer's value (wallet mode) and falling back to the node-level
+   * rehydration set by {@link restoreSession} (session-only mode).
+   */
+  currentTinyCloudSession() {
+    return this.auth?.tinyCloudSession ?? this._restoredTcSession;
   }
   /**
    * Connect a wallet to upgrade from session-only mode to wallet mode.
@@ -18833,7 +19088,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       sessionStorage: options?.sessionStorage ?? this.config.sessionStorage ?? new MemorySessionStorage(),
       domain: this.siweDomain,
       spacePrefix: prefix,
-      sessionExpirationMs: this.config.sessionExpirationMs ?? 60 * 60 * 1e3,
+      sessionExpirationMs: this.config.sessionExpirationMs ?? DEFAULT_SESSION_EXPIRATION_MS,
       tinycloudHosts: this.explicitHost ? [this.explicitHost] : void 0,
       tinycloudRegistryUrl: this.config.tinycloudRegistryUrl,
       tinycloudFallbackHosts: this.config.tinycloudFallbackHosts,
@@ -18877,7 +19132,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       sessionStorage: options?.sessionStorage ?? this.config.sessionStorage ?? new MemorySessionStorage(),
       domain: this.siweDomain,
       spacePrefix: prefix,
-      sessionExpirationMs: this.config.sessionExpirationMs ?? 60 * 60 * 1e3,
+      sessionExpirationMs: this.config.sessionExpirationMs ?? DEFAULT_SESSION_EXPIRATION_MS,
       tinycloudHosts: this.explicitHost ? [this.explicitHost] : void 0,
       tinycloudRegistryUrl: this.config.tinycloudRegistryUrl,
       tinycloudFallbackHosts: this.config.tinycloudFallbackHosts,
@@ -18900,7 +19155,7 @@ var _TinyCloudNode = class _TinyCloudNode {
    * @internal
    */
   initializeServices() {
-    const session = this.auth?.tinyCloudSession;
+    const session = this.currentTinyCloudSession();
     if (!session) {
       return;
     }
@@ -18958,6 +19213,180 @@ var _TinyCloudNode = class _TinyCloudNode {
     }
     return kvService;
   }
+  getDefaultEncryptionNetworkId(name = DEFAULT_ENCRYPTION_NETWORK_NAME) {
+    return `urn:tinycloud:encryption:${this.did}:${name}`;
+  }
+  requireServiceSession() {
+    const session = this._serviceContext?.session;
+    if (!session) {
+      throw new Error("Not signed in. Call signIn() first.");
+    }
+    return session;
+  }
+  createEncryptionCrypto() {
+    const wasm = this.wasmBindings;
+    const columnEncrypt = (key2, plaintext) => {
+      const encrypted = wasm.vault_encrypt(key2, plaintext);
+      const out = new Uint8Array(1 + encrypted.length);
+      out[0] = 1;
+      out.set(encrypted, 1);
+      return out;
+    };
+    const columnDecrypt = (key2, blob) => {
+      if (blob[0] !== 1) {
+        return blob;
+      }
+      return wasm.vault_decrypt(key2, blob.slice(1));
+    };
+    return {
+      sha256: (data) => wasm.vault_sha256(data),
+      randomBytes: (length) => wasm.vault_random_bytes(length),
+      x25519FromSeed: (seed) => wasm.vault_x25519_from_seed(seed),
+      x25519Dh: (privateKey, publicKey) => wasm.vault_x25519_dh(privateKey, publicKey),
+      authEncrypt: (key2, plaintext) => wasm.vault_encrypt(key2, plaintext),
+      authDecrypt: (key2, ciphertext) => wasm.vault_decrypt(key2, ciphertext),
+      sealToNetworkKey: (networkPublicKey, symmetricKey) => {
+        const seed = wasm.vault_random_bytes(32);
+        const ephemeral = wasm.vault_x25519_from_seed(seed);
+        const shared = wasm.vault_x25519_dh(
+          ephemeral.privateKey,
+          networkPublicKey
+        );
+        const encrypted = columnEncrypt(shared, symmetricKey);
+        const out = new Uint8Array(ephemeral.publicKey.length + encrypted.length);
+        out.set(ephemeral.publicKey, 0);
+        out.set(encrypted, ephemeral.publicKey.length);
+        return out;
+      },
+      openWithReceiverKey: (receiverPrivateKey, wrappedKey) => {
+        const peerPublic = wrappedKey.slice(0, 32);
+        const ciphertext = wrappedKey.slice(32);
+        const shared = wasm.vault_x25519_dh(receiverPrivateKey, peerPublic);
+        return columnDecrypt(shared, ciphertext);
+      },
+      verifyNodeSignature: (nodeId, message, signature2) => (0, import_sdk_core5.verifyDidKeyEd25519Signature)(nodeId, message, signature2)
+    };
+  }
+  async fetchNodeId() {
+    const response = await fetch(`${this.config.host}/info`);
+    if (!response.ok) {
+      throw new Error(`Failed to fetch node info: HTTP ${response.status}`);
+    }
+    const info = await response.json();
+    if (typeof info.nodeId !== "string" || info.nodeId.length === 0) {
+      throw new Error("Node /info response did not include nodeId");
+    }
+    return info.nodeId;
+  }
+  async signRawNetworkAuthorization(input) {
+    if (!this.wasmBindings.invokeAny) {
+      throw new Error("WASM binding does not support raw-resource invokeAny");
+    }
+    if (!this.wasmBindings.computeCid) {
+      throw new Error("WASM binding does not support invocation CID computation");
+    }
+    const session = this.requireServiceSession();
+    const headers = this.invokeAnyWithRuntimePermissions(
+      session,
+      [
+        {
+          resource: input.networkId,
+          service: "encryption",
+          path: input.networkId,
+          action: input.action
+        }
+      ],
+      [input.facts]
+    );
+    const authorization = authorizationHeader(headers);
+    const audienceBound = await rewriteInvocationAudience(
+      authorization,
+      input.targetNode,
+      session.jwk
+    );
+    return {
+      authorization: audienceBound,
+      invocationCid: this.wasmBindings.computeCid(
+        new TextEncoder().encode(audienceBound),
+        0x55n
+      )
+    };
+  }
+  createEncryptionService() {
+    const crypto2 = this.createEncryptionCrypto();
+    const transport = {
+      postDecrypt: async ({ networkId, authorization, canonicalBody }) => {
+        const response = await fetch(
+          `${this.config.host}/encryption/networks/${encodeURIComponent(networkId)}/decrypt`,
+          {
+            method: "POST",
+            headers: {
+              Authorization: authorization,
+              "Content-Type": "application/json"
+            },
+            body: canonicalBody
+          }
+        );
+        if (!response.ok) {
+          throw new Error(
+            `decrypt failed ${response.status}: ${await response.text()}`
+          );
+        }
+        return await response.json();
+      }
+    };
+    return new import_sdk_core5.EncryptionService({
+      crypto: crypto2,
+      signer: {
+        signDecryptInvocation: async (input) => {
+          const signed2 = await this.signRawNetworkAuthorization({
+            targetNode: input.targetNode,
+            networkId: input.networkId,
+            action: DECRYPT_ACTION,
+            facts: input.facts
+          });
+          return {
+            ...signed2,
+            canonicalBody: (0, import_sdk_core5.canonicalizeEncryptionJson)(
+              input.body
+            )
+          };
+        }
+      },
+      transport,
+      node: {
+        fetchByNetworkId: (networkId) => this.getEncryptionNetwork(networkId)
+      },
+      wellKnown: {
+        fetchWellKnown: async (principal, discoveryKey) => {
+          if (!this._address || principal !== this.did) {
+            return null;
+          }
+          if (!this.config.host) {
+            return null;
+          }
+          const publicSpaceId = (0, import_sdk_core5.makePublicSpaceId)(this._address, this._chainId);
+          const result = await import_sdk_core5.TinyCloud.readPublicSpace(this.config.host, publicSpaceId, discoveryKey);
+          if (!result.ok) {
+            return null;
+          }
+          const body = result.data;
+          return "descriptor" in body && body.descriptor ? body.descriptor : body;
+        }
+      }
+    });
+  }
+  getEncryptionService() {
+    if (!this._serviceContext) {
+      throw new Error("Not signed in. Call signIn() first.");
+    }
+    if (!this._encryption) {
+      this._encryption = this.createEncryptionService();
+      this._encryption.initialize(this._serviceContext);
+      this._serviceContext.registerService("encryption", this._encryption);
+    }
+    return this._encryption;
+  }
   createVaultService(spaceId, kv) {
     const wasm = this.wasmBindings;
     const vaultCrypto = (0, import_sdk_core5.createVaultCrypto)({
@@ -18973,6 +19402,13 @@ var _TinyCloudNode = class _TinyCloudNode {
     return new import_sdk_core5.DataVaultService({
       spaceId,
       crypto: vaultCrypto,
+      encryption: {
+        networkId: this.getDefaultEncryptionNetworkId(),
+        service: this.getEncryptionService(),
+        decryptCapabilityProof: () => ({
+          proofs: [this.requireServiceSession().delegationCid]
+        })
+      },
       tc: {
         kv,
         ensurePublicSpace: async () => {
@@ -19153,7 +19589,7 @@ var _TinyCloudNode = class _TinyCloudNode {
    * @internal
    */
   getSessionExpiry() {
-    const expirationMs = this.config.sessionExpirationMs ?? 60 * 60 * 1e3;
+    const expirationMs = this.config.sessionExpirationMs ?? DEFAULT_SESSION_EXPIRATION_MS;
     return new Date(Date.now() + expirationMs);
   }
   /**
@@ -19210,7 +19646,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     if (!this.signer) {
       return void 0;
     }
-    const session = this.auth?.tinyCloudSession;
+    const session = this.currentTinyCloudSession();
     if (!session) {
       return void 0;
     }
@@ -19310,6 +19746,34 @@ var _TinyCloudNode = class _TinyCloudNode {
     }
     return this._sql;
   }
+  /**
+   * Get an SQL service scoped to a specific space.
+   *
+   * Mirrors {@link SpaceService}'s per-space KV factory: clones the active
+   * service context and overrides its session's spaceId so that subsequent
+   * `sql/<dbName>/<action>` invocations route to that space. Useful when
+   * the caller already holds a delegation covering the target space (e.g.
+   * via {@link grantRuntimePermissions} or {@link useRuntimeDelegation})
+   * but the SDK's per-space SQL surface isn't otherwise exposed.
+   *
+   * Does NOT auto-create the space.
+   *
+   * @param spaceId - Full space URI (`tinycloud:pkh:eip155:<chain>:<addr>:<name>`).
+   */
+  sqlForSpace(spaceId) {
+    if (!this._serviceContext || !this._serviceContext.session) {
+      throw new Error("Not signed in. Call signIn() first.");
+    }
+    const sql = new import_sdk_core5.SQLService({});
+    const spaceScopedContext = new import_sdk_core5.ServiceContext({
+      invoke: this._serviceContext.invoke,
+      fetch: this._serviceContext.fetch,
+      hosts: this._serviceContext.hosts
+    });
+    spaceScopedContext.setSession({ ...this._serviceContext.session, spaceId });
+    sql.initialize(spaceScopedContext);
+    return sql;
+  }
   /**
    * DuckDB database operations on this user's space.
    */
@@ -19333,6 +19797,79 @@ var _TinyCloudNode = class _TinyCloudNode {
     }
     return this._vault;
   }
+  /**
+   * Network-scoped encryption/decrypt service.
+   */
+  get encryption() {
+    return this.getEncryptionService();
+  }
+  async getEncryptionNetwork(nameOrNetworkId = this.getDefaultEncryptionNetworkId()) {
+    const networkId = nameOrNetworkId.startsWith("urn:tinycloud:encryption:") ? nameOrNetworkId : this.getDefaultEncryptionNetworkId(nameOrNetworkId);
+    const response = await fetch(
+      `${this.config.host}/encryption/networks/${encodeURIComponent(networkId)}`
+    );
+    if (response.status === 404) {
+      return null;
+    }
+    if (!response.ok) {
+      throw new Error(
+        `Failed to fetch encryption network ${networkId}: HTTP ${response.status} ${await response.text()}`
+      );
+    }
+    const body = await response.json();
+    return "descriptor" in body && body.descriptor ? body.descriptor : body;
+  }
+  async createEncryptionNetwork(name = DEFAULT_ENCRYPTION_NETWORK_NAME) {
+    const targetNode = await this.fetchNodeId();
+    const principal = this.did;
+    const networkId = this.getDefaultEncryptionNetworkId(name);
+    const body = {
+      name,
+      principal,
+      threshold: { n: 1, t: 1 }
+    };
+    const crypto2 = this.createEncryptionCrypto();
+    const facts = {
+      type: NETWORK_ADMIN_TYPE,
+      targetNode,
+      networkId,
+      bodyHash: (0, import_sdk_core5.canonicalHashHex)(
+        crypto2.sha256,
+        body
+      ),
+      action: NETWORK_CREATE_ACTION
+    };
+    const signed2 = await this.signRawNetworkAuthorization({
+      targetNode,
+      networkId,
+      action: NETWORK_CREATE_ACTION,
+      facts
+    });
+    const response = await fetch(`${this.config.host}/encryption/networks`, {
+      method: "POST",
+      headers: {
+        Authorization: signed2.authorization,
+        "Content-Type": "application/json"
+      },
+      body: (0, import_sdk_core5.canonicalizeEncryptionJson)(
+        body
+      )
+    });
+    if (!response.ok) {
+      throw new Error(
+        `Failed to create encryption network ${networkId}: HTTP ${response.status} ${await response.text()}`
+      );
+    }
+    const created = await response.json();
+    return created.descriptor;
+  }
+  async ensureEncryptionNetwork(name = DEFAULT_ENCRYPTION_NETWORK_NAME) {
+    const existing = await this.getEncryptionNetwork(name);
+    if (existing) {
+      return existing;
+    }
+    return this.createEncryptionNetwork(name);
+  }
   /**
    * App-facing secrets API backed by the `secrets` space vault.
    */
@@ -19344,8 +19881,10 @@ var _TinyCloudNode = class _TinyCloudNode {
       this._secrets = new NodeSecretsService({
         getService: () => this.getBaseSecrets(),
         getManifest: () => this.manifest,
+        hasPermissions: (permissions) => this.hasRuntimePermissions(permissions),
         grantPermissions: (additional) => this.grantRuntimePermissions(additional),
         canEscalate: () => this.signer !== void 0 && this.tc !== void 0,
+        getEncryptionNetworkId: () => this.getDefaultEncryptionNetworkId(),
         getUnlockSigner: () => this.signer ?? void 0
       });
     }
@@ -19435,7 +19974,7 @@ var _TinyCloudNode = class _TinyCloudNode {
    * every requested permission.
    */
   hasRuntimePermissions(permissions) {
-    const session = this.auth?.tinyCloudSession;
+    const session = this.currentTinyCloudSession();
     if (!session || !Array.isArray(permissions) || permissions.length === 0) {
       return false;
     }
@@ -19455,7 +19994,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     if (permissions === void 0) {
       return this.runtimePermissionGrants.map((grant) => grant.delegation);
     }
-    const session = this.auth?.tinyCloudSession;
+    const session = this.currentTinyCloudSession();
     if (!session || !Array.isArray(permissions) || permissions.length === 0) {
       return [];
     }
@@ -19469,7 +20008,7 @@ var _TinyCloudNode = class _TinyCloudNode {
    * matching service calls and downstream `delegateTo()` calls can use it.
    */
   async useRuntimeDelegation(delegation) {
-    const session = this.auth?.tinyCloudSession;
+    const session = this.currentTinyCloudSession();
     if (!session) {
       throw new import_sdk_core5.SessionExpiredError(/* @__PURE__ */ new Date(0));
     }
@@ -19508,7 +20047,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     if (!Array.isArray(permissions) || permissions.length === 0) {
       throw new Error("grantRuntimePermissions requires a non-empty permissions array");
     }
-    const session = this.auth?.tinyCloudSession;
+    const session = this.currentTinyCloudSession();
     if (!session) {
       throw new import_sdk_core5.SessionExpiredError(/* @__PURE__ */ new Date(0));
     }
@@ -19532,13 +20071,22 @@ var _TinyCloudNode = class _TinyCloudNode {
         "grantRuntimePermissions requires wallet mode with a signer or privateKey."
       );
     }
+    const rawEntries = expanded.filter(
+      (entry) => this.isEncryptionPermissionEntry(entry)
+    );
+    const spaceEntries = expanded.filter(
+      (entry) => !this.isEncryptionPermissionEntry(entry)
+    );
     const bySpace = /* @__PURE__ */ new Map();
-    for (const entry of expanded) {
+    for (const entry of spaceEntries) {
       const spaceId = this.resolvePermissionSpace(entry.space, session);
       const current = bySpace.get(spaceId) ?? [];
       current.push(entry);
       bySpace.set(spaceId, current);
     }
+    if (bySpace.size === 0 && rawEntries.length > 0) {
+      bySpace.set(session.spaceId, []);
+    }
     const now = /* @__PURE__ */ new Date();
     const requestedExpiryMs = resolveExpiryMs(options?.expiry);
     let expiresAt = new Date(now.getTime() + requestedExpiryMs);
@@ -19546,10 +20094,17 @@ var _TinyCloudNode = class _TinyCloudNode {
       expiresAt = sessionExpiry;
     }
     const delegations = [];
+    let rawEntriesAttached = false;
     for (const [spaceId, entries] of bySpace) {
+      const rawForDelegation = !rawEntriesAttached ? rawEntries : [];
+      if (rawForDelegation.length > 0) {
+        rawEntriesAttached = true;
+      }
+      const delegatedEntries = [...entries, ...rawForDelegation];
       const abilities = this.permissionsToAbilities(entries);
       const prepared = this.wasmBindings.prepareSession({
         abilities,
+        ...rawForDelegation.length > 0 ? { rawAbilities: this.permissionsToRawAbilities(rawForDelegation) } : {},
         address: this.wasmBindings.ensureEip55(session.address),
         chainId: session.chainId,
         domain: this.siweDomain,
@@ -19574,7 +20129,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       }
       const delegation = this.runtimeDelegationFromSession(
         delegatedSession,
-        entries,
+        delegatedEntries,
         spaceId,
         session,
         expiresAt
@@ -19588,7 +20143,7 @@ var _TinyCloudNode = class _TinyCloudNode {
           jwk: session.jwk
         },
         delegation,
-        operations: this.permissionOperations(entries, spaceId),
+        operations: this.permissionOperations(delegatedEntries, spaceId),
         expiresAt
       });
       delegations.push(delegation);
@@ -19736,7 +20291,7 @@ var _TinyCloudNode = class _TinyCloudNode {
     ];
     const abilities = { kv: { "": kvActions } };
     const now = /* @__PURE__ */ new Date();
-    const expiryMs = 60 * 60 * 1e3;
+    const expiryMs = import_sdk_core5.EXPIRY.EPHEMERAL_MS;
     const expirationTime = new Date(now.getTime() + expiryMs);
     const prepared = this.wasmBindings.prepareSession({
       abilities,
@@ -19906,7 +20461,7 @@ var _TinyCloudNode = class _TinyCloudNode {
    *   `forceWalletSign` is not set.
    */
   async delegateTo(did, permissions, options) {
-    const session = this.auth?.tinyCloudSession;
+    const session = this.currentTinyCloudSession();
     if (!session) {
       throw new import_sdk_core5.SessionExpiredError(/* @__PURE__ */ new Date(0));
     }
@@ -20020,11 +20575,8 @@ var _TinyCloudNode = class _TinyCloudNode {
    * the current session; we build one multi-resource abilities map
    * and emit one signed UCAN covering them all.
    *
-   * All entries must share the same target space (the UCAN is
-   * scoped to a single space). If they don't, this throws — mixing
-   * spaces in a single delegation is not supported by the underlying
-   * Rust create_delegation call and the resulting UCAN would be
-   * under-specified.
+   * Non-encryption entries must share the same target space. Encryption
+   * entries are raw network URNs and do not participate in space grouping.
    *
    * @internal
    */
@@ -20036,15 +20588,18 @@ var _TinyCloudNode = class _TinyCloudNode {
     }
     const resolvedSpaces = /* @__PURE__ */ new Set();
     for (const entry of entries) {
+      if (this.isEncryptionPermissionEntry(entry)) {
+        continue;
+      }
       const spaceId2 = this.resolvePermissionSpace(entry.space, session);
       resolvedSpaces.add(spaceId2);
     }
-    if (resolvedSpaces.size !== 1) {
+    if (resolvedSpaces.size > 1) {
       throw new Error(
         `delegateTo: all permission entries must target the same space, got ${resolvedSpaces.size}: ${JSON.stringify([...resolvedSpaces])}`
       );
     }
-    const spaceId = [...resolvedSpaces][0];
+    const spaceId = resolvedSpaces.size === 1 ? [...resolvedSpaces][0] : session.spaceId;
     const abilities = {};
     for (const entry of entries) {
       const shortService = import_sdk_core5.SERVICE_LONG_TO_SHORT[entry.service];
@@ -20191,11 +20746,32 @@ var _TinyCloudNode = class _TinyCloudNode {
     }
     return abilities;
   }
+  isEncryptionPermissionEntry(entry) {
+    return entry.service === import_sdk_core5.ENCRYPTION_PERMISSION_SERVICE && entry.path.startsWith("urn:tinycloud:encryption:");
+  }
+  permissionsToRawAbilities(entries) {
+    const rawAbilities = {};
+    for (const entry of entries) {
+      if (!this.isEncryptionPermissionEntry(entry)) {
+        continue;
+      }
+      const existing = rawAbilities[entry.path] ?? [];
+      const seen = new Set(existing);
+      for (const action of entry.actions) {
+        if (!seen.has(action)) {
+          existing.push(action);
+          seen.add(action);
+        }
+      }
+      rawAbilities[entry.path] = existing;
+    }
+    return rawAbilities;
+  }
   permissionOperations(entries, spaceId) {
     return entries.flatMap((entry) => {
       const service = this.shortServiceName(entry.service);
       return entry.actions.map((action) => ({
-        spaceId,
+        ...this.isEncryptionNetworkOperation(service, entry.path) ? { resource: entry.path } : { spaceId },
         service,
         path: entry.path,
         action
@@ -20218,7 +20794,7 @@ var _TinyCloudNode = class _TinyCloudNode {
       const spaceId = this.resolvePermissionSpace(entry.space, session);
       const service = this.shortServiceName(entry.service);
       return entry.actions.map((action) => ({
-        spaceId,
+        ...this.isEncryptionNetworkOperation(service, entry.path) ? { resource: entry.path } : { spaceId },
         service,
         path: entry.path,
         action
@@ -20275,24 +20851,40 @@ var _TinyCloudNode = class _TinyCloudNode {
       expiresAt: delegation.expiry
     };
   }
+  installRuntimeGrantFromServiceSession(delegation, session, expiresAt) {
+    const operations = this.operationsFromDelegation(delegation);
+    if (operations.length === 0) {
+      return;
+    }
+    this.runtimePermissionGrants = this.runtimePermissionGrants.filter(
+      (grant) => grant.delegation.cid !== delegation.cid && grant.session.delegationCid !== session.delegationCid
+    );
+    this.runtimePermissionGrants.push({
+      session,
+      delegation,
+      operations,
+      expiresAt
+    });
+  }
   delegatedResourcesForEntries(entries, spaceId) {
     return entries.map((entry) => ({
       service: this.shortServiceName(entry.service),
-      space: spaceId,
+      space: this.isEncryptionPermissionEntry(entry) ? "encryption" : spaceId,
       path: entry.path,
       actions: [...entry.actions]
     }));
   }
   operationsFromDelegation(delegation) {
     const resources = delegation.resources !== void 0 && delegation.resources.length > 0 ? delegation.resources : this.flatDelegationResources(delegation);
-    return resources.flatMap(
-      (resource) => resource.actions.map((action) => ({
-        spaceId: resource.space,
-        service: this.invocationServiceName(resource.service),
+    return resources.flatMap((resource) => {
+      const service = this.invocationServiceName(resource.service);
+      return resource.actions.map((action) => ({
+        ...this.isEncryptionNetworkOperation(service, resource.path) ? { resource: resource.path } : { spaceId: resource.space },
+        service,
         path: resource.path,
         action
-      }))
-    );
+      }));
+    });
   }
   flatDelegationResources(delegation) {
     const byService = /* @__PURE__ */ new Map();
@@ -20341,7 +20933,13 @@ var _TinyCloudNode = class _TinyCloudNode {
     );
   }
   operationCovers(granted, requested) {
-    return granted.spaceId === requested.spaceId && granted.service === requested.service && this.actionContains(granted.action, requested.action) && this.pathContains(granted.path, requested.path);
+    if (granted.service !== requested.service || !this.actionContains(granted.action, requested.action)) {
+      return false;
+    }
+    if (granted.resource !== void 0 || requested.resource !== void 0) {
+      return granted.resource !== void 0 && requested.resource !== void 0 && granted.resource === requested.resource && this.pathContains(granted.path, requested.path);
+    }
+    return granted.spaceId !== void 0 && requested.spaceId !== void 0 && granted.spaceId === requested.spaceId && this.pathContains(granted.path, requested.path);
   }
   actionContains(grantedAction, requestedAction) {
     if (grantedAction === requestedAction) {
@@ -20356,6 +20954,37 @@ var _TinyCloudNode = class _TinyCloudNode {
   invocationServiceName(service) {
     return service.startsWith("tinycloud.") ? this.shortServiceName(service) : service;
   }
+  isEncryptionNetworkOperation(service, path) {
+    return service === "encryption" && path.startsWith("urn:tinycloud:encryption:");
+  }
+  operationFromInvokeAnyEntry(entry) {
+    const service = this.invocationServiceName(entry.service);
+    if (typeof entry.resource === "string") {
+      return {
+        resource: entry.resource,
+        service,
+        path: entry.path,
+        action: entry.action
+      };
+    }
+    if (this.isEncryptionNetworkOperation(service, entry.path)) {
+      return {
+        resource: entry.path,
+        service,
+        path: entry.path,
+        action: entry.action
+      };
+    }
+    if (typeof entry.spaceId === "string") {
+      return {
+        spaceId: entry.spaceId,
+        service,
+        path: entry.path,
+        action: entry.action
+      };
+    }
+    return void 0;
+  }
   pathContains(grantedPath, requestedPath) {
     if (grantedPath === "" || grantedPath === "/") {
       return true;
@@ -20594,6 +21223,17 @@ var _TinyCloudNode = class _TinyCloudNode {
         // Not used in session-only mode
       };
       this.trackReceivedDelegation(delegation, this.sessionKeyJwk);
+      this.installRuntimeGrantFromServiceSession(
+        delegation,
+        {
+          delegationHeader: session2.delegationHeader,
+          delegationCid: session2.delegationCid,
+          spaceId: session2.spaceId,
+          verificationMethod: session2.verificationMethod,
+          jwk: session2.jwk
+        },
+        delegation.expiry
+      );
       return new DelegatedAccess(session2, delegation, targetHost, this.wasmBindings.invoke);
     }
     const mySession = this.auth?.tinyCloudSession;
@@ -20605,6 +21245,10 @@ var _TinyCloudNode = class _TinyCloudNode {
     const kvActions = delegation.actions.filter((a) => a.startsWith("tinycloud.kv/"));
     const sqlActions = delegation.actions.filter((a) => a.startsWith("tinycloud.sql/"));
     const duckdbActions = delegation.actions.filter((a) => a.startsWith("tinycloud.duckdb/"));
+    const encryptionActions = delegation.actions.filter(
+      (a) => a.startsWith("tinycloud.encryption/")
+    );
+    const rawAbilities = {};
     if (kvActions.length > 0) {
       abilities.kv = { [delegation.path]: kvActions };
     }
@@ -20614,6 +21258,9 @@ var _TinyCloudNode = class _TinyCloudNode {
     if (duckdbActions.length > 0) {
       abilities.duckdb = { [delegation.path]: duckdbActions };
     }
+    if (encryptionActions.length > 0 && delegation.path.startsWith("urn:tinycloud:encryption:")) {
+      rawAbilities[delegation.path] = encryptionActions;
+    }
     const now = /* @__PURE__ */ new Date();
     const maxExpiry = new Date(now.getTime() + 60 * 60 * 1e3);
     const expirationTime = delegation.expiry < maxExpiry ? delegation.expiry : maxExpiry;
@@ -20626,7 +21273,8 @@ var _TinyCloudNode = class _TinyCloudNode {
       expirationTime: expirationTime.toISOString(),
       spaceId: delegation.spaceId,
       jwk,
-      parents: [delegation.cid]
+      parents: [delegation.cid],
+      ...Object.keys(rawAbilities).length > 0 ? { rawAbilities } : {}
     });
     const signature2 = await this.signer.signMessage(prepared.siwe);
     const invokerSession = this.wasmBindings.completeSessionSetup({
@@ -20653,6 +21301,17 @@ var _TinyCloudNode = class _TinyCloudNode {
       signature: signature2
     };
     this.trackReceivedDelegation(delegation, jwk);
+    this.installRuntimeGrantFromServiceSession(
+      delegation,
+      {
+        delegationHeader: session.delegationHeader,
+        delegationCid: session.delegationCid,
+        spaceId: session.spaceId,
+        verificationMethod: session.verificationMethod,
+        jwk: session.jwk
+      },
+      expirationTime
+    );
     return new DelegatedAccess(session, delegation, targetHost, this.wasmBindings.invoke);
   }
   /**
@@ -20917,6 +21576,7 @@ var import_sdk_core16 = require("@tinycloud/sdk-core");
 var import_sdk_core17 = require("@tinycloud/sdk-core");
 var import_sdk_core18 = require("@tinycloud/sdk-core");
 var import_sdk_core19 = require("@tinycloud/sdk-core");
+var import_sdk_core20 = require("@tinycloud/sdk-core");
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   ACCOUNT_REGISTRY_PATH,
@@ -20924,8 +21584,14 @@ var import_sdk_core19 = require("@tinycloud/sdk-core");
   AutoApproveSpaceCreationHandler,
   CapabilityKeyRegistry,
   CapabilityKeyRegistryErrorCodes,
+  DECRYPT_ACTION,
+  DECRYPT_FACT_TYPE,
+  DECRYPT_RESULT_TYPE,
+  DEFAULT_ENCRYPTION_ALG,
+  DEFAULT_KEY_VERSION,
   DEFAULT_MANIFEST_SPACE,
   DEFAULT_MANIFEST_VERSION,
+  DEFAULT_SIGNED_READ_URL_EXPIRY_MS,
   DataVaultService,
   DatabaseHandle,
   DelegatedAccess,
@@ -20934,17 +21600,25 @@ var import_sdk_core19 = require("@tinycloud/sdk-core");
   DuckDbAction,
   DuckDbDatabaseHandle,
   DuckDbService,
+  ENCRYPTION_NETWORK_URN_PREFIX,
+  ENCRYPTION_SERVICE,
+  ENCRYPTION_SERVICE_SHORT,
+  ENVELOPE_VERSION,
+  EncryptionService,
   FileSessionStorage,
   HooksService,
   KVService,
   ManifestValidationError,
   MemorySessionStorage,
+  NETWORK_NAME_PATTERN,
+  NetworkIdError,
   NodeUserAuthorization,
   NodeWasmBindings,
   PermissionNotInManifestError,
   PrefixedKVService,
   PrivateKeySigner,
   ProtocolMismatchError,
+  SECRET_NAME_RE,
   SQLAction,
   SQLService,
   SecretsService,
@@ -20963,7 +21637,17 @@ var import_sdk_core19 = require("@tinycloud/sdk-core");
   VaultPublicSpaceKVActions,
   VersionCheckError,
   WasmKeyProvider,
+  buildCanonicalDecryptRequest,
+  buildDecryptAttenuation,
+  buildDecryptFacts,
+  buildDecryptInvocation,
+  buildNetworkId,
   buildSpaceUri,
+  canonicalHashHex,
+  canonicalSignedResponse,
+  canonicalizeEncryptionJson,
+  canonicalizeSecretScope,
+  checkDecryptInvocationInput,
   checkNodeInfo,
   composeManifestRequest,
   createCapabilityKeyRegistry,
@@ -20971,21 +21655,42 @@ var import_sdk_core19 = require("@tinycloud/sdk-core");
   createSpaceService,
   createVaultCrypto,
   createWasmKeyProvider,
+  decryptEnvelopeWithKey,
   defaultSignStrategy,
   defaultSpaceCreationHandler,
+  deriveSignedReceiverKey,
   deserializeDelegation,
+  discoverNetwork,
+  encryptToNetwork,
+  encryptionBase64Decode,
+  encryptionBase64Encode,
+  encryptionError,
+  encryptionUtf8Decode,
+  encryptionUtf8Encode,
+  ensureNetworkUsableForDecrypt,
   expandActionShortNames,
   expandPermissionEntries,
   expandPermissionEntry,
+  generateRandomReceiverKey,
+  hexDecode,
+  hexEncode,
   isCapabilitySubset,
+  isNetworkId,
   loadManifest,
   makePublicSpaceId,
+  networkDiscoveryKey,
+  openWrappedKey,
   parseExpiry,
+  parseNetworkId,
   parseSpaceUri,
   resolveManifest,
+  resolveSecretListPrefix,
+  resolveSecretPath,
   resourceCapabilitiesToSpaceAbilitiesMap,
   serializeDelegation,
-  validateManifest
+  validateEnvelope,
+  validateManifest,
+  verifyDecryptResponse
 });
 /*! Bundled license information: