@tinycloud/node-sdk 2.3.1-beta.0 → 2.4.0-beta.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.d.cts CHANGED
@@ -1,6 +1,6 @@
1
1
  import { ISigner, Bytes, IWasmBindings, ISessionManager } from '@tinycloud/sdk-core';
2
- export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, BuildCanonicalDecryptRequestInput, BuildDecryptFactsInput, BuildDecryptInvocationInput, BuiltDecryptInvocation, CallbackStrategy, CanonicalAddress, CanonicalDecryptRequest, CanonicalJson, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DECRYPT_ACTION, DECRYPT_FACT_TYPE, DECRYPT_RESULT_TYPE, DEFAULT_ENCRYPTION_ALG, DEFAULT_KEY_VERSION, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, DecryptCapabilityProof, DecryptEnvelopeOptions, DecryptInvocationFact, DecryptInvocationSigner, DecryptRequestBody, DecryptResponseBody, DecryptTransport, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DiscoverNetworkInput, DiscoveredNetwork, DiscoverySource, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ENCRYPTION_NETWORK_URN_PREFIX, ENCRYPTION_SERVICE, ENCRYPTION_SERVICE_SHORT, ENVELOPE_VERSION, EncodedShareData, EncryptToNetworkInput, EncryptToNetworkOptions, EncryptToNetworkResult, EncryptionCrypto, EncryptionError, EncryptionErrorInput, EncryptionService, EncryptionServiceConfig, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IEncryptionService, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InlineEncryptedEnvelope, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, NETWORK_NAME_PATTERN, NetworkDescriptor, NetworkIdError, NodeDescriptorFetcher, ParsedNetworkId, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, RandomReceiverKeyInput, ReceiveOptions, ReceiverKeyPair, ReceiverKeySigner, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SignedReceiverKeyInput, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VerifyDecryptResponseInput, VersionCheckError, ViewInfo, WasmVaultFunctions, WellKnownDescriptorFetcher, addressStorageKey, buildCanonicalDecryptRequest, buildDecryptAttenuation, buildDecryptFacts, buildDecryptInvocation, buildNetworkId, buildSpaceUri, canonicalHashHex, canonicalSignedResponse, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeEncryptionJson, canonicalizeNetworkId, canonicalizeSecretScope, checkDecryptInvocationInput, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, decryptEnvelopeWithKey, defaultSpaceCreationHandler, deriveSignedReceiverKey, didCacheKey, didEquals, discoverNetwork, encryptToNetwork, encryptionBase64Decode, encryptionBase64Encode, encryptionError, encryptionUtf8Decode, encryptionUtf8Encode, ensureNetworkUsableForDecrypt, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, generateRandomReceiverKey, hexDecode, hexEncode, isCapabilitySubset, isEvmAddress, isNetworkId, loadManifest, makePkhSpaceId, makePublicSpaceId, networkDiscoveryKey, openWrappedKey, parseCanonicalNetworkId, parseExpiry, parseNetworkId, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, validateEnvelope, validateManifest, verifyDecryptResponse } from '@tinycloud/sdk-core';
3
- export { D as DelegateToOptions, a as DelegateToResult, b as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, c as NodeUserAuthorization, d as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, e as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, f as TinyCloudNodeConfig, W as WasmKeyProvider, g as WasmKeyProviderConfig, h as createWasmKeyProvider, i as defaultSignStrategy, j as deserializeDelegation, s as serializeDelegation } from './core-D2hPECHW.cjs';
2
+ export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AccountApplication, AccountApplicationListOptions, AccountDelegation, AccountDelegationListOptions, AccountDelegationRevokeOptions, AccountIndexRebuildResult, AccountIndexStatus, AccountIndexedReadOptions, AccountService, AccountServiceConfig, AccountSpace, AccountSpaceListOptions, AccountStatus, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, BuildCanonicalDecryptRequestInput, BuildDecryptFactsInput, BuildDecryptInvocationInput, BuiltDecryptInvocation, CallbackStrategy, CanonicalAddress, CanonicalDecryptRequest, CanonicalJson, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DECRYPT_ACTION, DECRYPT_FACT_TYPE, DECRYPT_RESULT_TYPE, DEFAULT_ENCRYPTION_ALG, DEFAULT_KEY_VERSION, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, DecryptCapabilityProof, DecryptEnvelopeOptions, DecryptInvocationFact, DecryptInvocationSigner, DecryptRequestBody, DecryptResponseBody, DecryptTransport, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DiscoverNetworkInput, DiscoveredNetwork, DiscoverySource, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ENCRYPTION_NETWORK_URN_PREFIX, ENCRYPTION_SERVICE, ENCRYPTION_SERVICE_SHORT, ENVELOPE_VERSION, EncodedShareData, EncryptToNetworkInput, EncryptToNetworkOptions, EncryptToNetworkResult, EncryptionCrypto, EncryptionError, EncryptionErrorInput, EncryptionService, EncryptionServiceConfig, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IEncryptionService, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InlineEncryptedEnvelope, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, NETWORK_NAME_PATTERN, NetworkDescriptor, NetworkIdError, NodeDescriptorFetcher, ParsedNetworkId, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, RandomReceiverKeyInput, ReceiveOptions, ReceiverKeyPair, ReceiverKeySigner, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SignedReceiverKeyInput, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VerifyDecryptResponseInput, VersionCheckError, ViewInfo, WasmVaultFunctions, WellKnownDescriptorFetcher, addressStorageKey, buildCanonicalDecryptRequest, buildDecryptAttenuation, buildDecryptFacts, buildDecryptInvocation, buildNetworkId, buildSpaceUri, canonicalHashHex, canonicalSignedResponse, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeEncryptionJson, canonicalizeNetworkId, canonicalizeSecretScope, checkDecryptInvocationInput, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, decryptEnvelopeWithKey, defaultSpaceCreationHandler, deriveSignedReceiverKey, didCacheKey, didEquals, discoverNetwork, encryptToNetwork, encryptionBase64Decode, encryptionBase64Encode, encryptionError, encryptionUtf8Decode, encryptionUtf8Encode, ensureNetworkUsableForDecrypt, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, generateRandomReceiverKey, hexDecode, hexEncode, isCapabilitySubset, isEvmAddress, isNetworkId, loadManifest, makePkhSpaceId, makePublicSpaceId, networkDiscoveryKey, openWrappedKey, parseCanonicalNetworkId, parseExpiry, parseNetworkId, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, validateEnvelope, validateManifest, verifyDecryptResponse } from '@tinycloud/sdk-core';
3
+ export { A as AuthDelegationArtifact, a as AuthRequestArtifact, D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, d as DelegationAuthority, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, m as grantAuthRequest, s as serializeDelegation } from './core-DiVEwp2P.cjs';
4
4
  import { invoke, invokeAny, computeCid, prepareSession, completeSessionSetup, ensureEip55, makeSpaceId, createDelegation, parseRecapFromSiwe, generateHostSIWEMessage, siweToDelegationHeaders, protocolVersion, vault_encrypt, vault_decrypt, vault_derive_key, vault_x25519_from_seed, vault_x25519_dh, vault_random_bytes, vault_sha256 } from '@tinycloud/node-sdk-wasm';
5
5
  import 'events';
6
6
  import '@tinycloud/sdk-services';
package/dist/index.d.ts CHANGED
@@ -1,6 +1,6 @@
1
1
  import { ISigner, Bytes, IWasmBindings, ISessionManager } from '@tinycloud/sdk-core';
2
- export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, BuildCanonicalDecryptRequestInput, BuildDecryptFactsInput, BuildDecryptInvocationInput, BuiltDecryptInvocation, CallbackStrategy, CanonicalAddress, CanonicalDecryptRequest, CanonicalJson, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DECRYPT_ACTION, DECRYPT_FACT_TYPE, DECRYPT_RESULT_TYPE, DEFAULT_ENCRYPTION_ALG, DEFAULT_KEY_VERSION, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, DecryptCapabilityProof, DecryptEnvelopeOptions, DecryptInvocationFact, DecryptInvocationSigner, DecryptRequestBody, DecryptResponseBody, DecryptTransport, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DiscoverNetworkInput, DiscoveredNetwork, DiscoverySource, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ENCRYPTION_NETWORK_URN_PREFIX, ENCRYPTION_SERVICE, ENCRYPTION_SERVICE_SHORT, ENVELOPE_VERSION, EncodedShareData, EncryptToNetworkInput, EncryptToNetworkOptions, EncryptToNetworkResult, EncryptionCrypto, EncryptionError, EncryptionErrorInput, EncryptionService, EncryptionServiceConfig, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IEncryptionService, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InlineEncryptedEnvelope, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, NETWORK_NAME_PATTERN, NetworkDescriptor, NetworkIdError, NodeDescriptorFetcher, ParsedNetworkId, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, RandomReceiverKeyInput, ReceiveOptions, ReceiverKeyPair, ReceiverKeySigner, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SignedReceiverKeyInput, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VerifyDecryptResponseInput, VersionCheckError, ViewInfo, WasmVaultFunctions, WellKnownDescriptorFetcher, addressStorageKey, buildCanonicalDecryptRequest, buildDecryptAttenuation, buildDecryptFacts, buildDecryptInvocation, buildNetworkId, buildSpaceUri, canonicalHashHex, canonicalSignedResponse, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeEncryptionJson, canonicalizeNetworkId, canonicalizeSecretScope, checkDecryptInvocationInput, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, decryptEnvelopeWithKey, defaultSpaceCreationHandler, deriveSignedReceiverKey, didCacheKey, didEquals, discoverNetwork, encryptToNetwork, encryptionBase64Decode, encryptionBase64Encode, encryptionError, encryptionUtf8Decode, encryptionUtf8Encode, ensureNetworkUsableForDecrypt, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, generateRandomReceiverKey, hexDecode, hexEncode, isCapabilitySubset, isEvmAddress, isNetworkId, loadManifest, makePkhSpaceId, makePublicSpaceId, networkDiscoveryKey, openWrappedKey, parseCanonicalNetworkId, parseExpiry, parseNetworkId, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, validateEnvelope, validateManifest, verifyDecryptResponse } from '@tinycloud/sdk-core';
3
- export { D as DelegateToOptions, a as DelegateToResult, b as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, c as NodeUserAuthorization, d as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, e as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, f as TinyCloudNodeConfig, W as WasmKeyProvider, g as WasmKeyProviderConfig, h as createWasmKeyProvider, i as defaultSignStrategy, j as deserializeDelegation, s as serializeDelegation } from './core-D2hPECHW.js';
2
+ export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AccountApplication, AccountApplicationListOptions, AccountDelegation, AccountDelegationListOptions, AccountDelegationRevokeOptions, AccountIndexRebuildResult, AccountIndexStatus, AccountIndexedReadOptions, AccountService, AccountServiceConfig, AccountSpace, AccountSpaceListOptions, AccountStatus, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, BuildCanonicalDecryptRequestInput, BuildDecryptFactsInput, BuildDecryptInvocationInput, BuiltDecryptInvocation, CallbackStrategy, CanonicalAddress, CanonicalDecryptRequest, CanonicalJson, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DECRYPT_ACTION, DECRYPT_FACT_TYPE, DECRYPT_RESULT_TYPE, DEFAULT_ENCRYPTION_ALG, DEFAULT_KEY_VERSION, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, DecryptCapabilityProof, DecryptEnvelopeOptions, DecryptInvocationFact, DecryptInvocationSigner, DecryptRequestBody, DecryptResponseBody, DecryptTransport, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DiscoverNetworkInput, DiscoveredNetwork, DiscoverySource, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ENCRYPTION_NETWORK_URN_PREFIX, ENCRYPTION_SERVICE, ENCRYPTION_SERVICE_SHORT, ENVELOPE_VERSION, EncodedShareData, EncryptToNetworkInput, EncryptToNetworkOptions, EncryptToNetworkResult, EncryptionCrypto, EncryptionError, EncryptionErrorInput, EncryptionService, EncryptionServiceConfig, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IEncryptionService, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InlineEncryptedEnvelope, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, NETWORK_NAME_PATTERN, NetworkDescriptor, NetworkIdError, NodeDescriptorFetcher, ParsedNetworkId, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, RandomReceiverKeyInput, ReceiveOptions, ReceiverKeyPair, ReceiverKeySigner, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SignedReceiverKeyInput, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VerifyDecryptResponseInput, VersionCheckError, ViewInfo, WasmVaultFunctions, WellKnownDescriptorFetcher, addressStorageKey, buildCanonicalDecryptRequest, buildDecryptAttenuation, buildDecryptFacts, buildDecryptInvocation, buildNetworkId, buildSpaceUri, canonicalHashHex, canonicalSignedResponse, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeEncryptionJson, canonicalizeNetworkId, canonicalizeSecretScope, checkDecryptInvocationInput, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, decryptEnvelopeWithKey, defaultSpaceCreationHandler, deriveSignedReceiverKey, didCacheKey, didEquals, discoverNetwork, encryptToNetwork, encryptionBase64Decode, encryptionBase64Encode, encryptionError, encryptionUtf8Decode, encryptionUtf8Encode, ensureNetworkUsableForDecrypt, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, generateRandomReceiverKey, hexDecode, hexEncode, isCapabilitySubset, isEvmAddress, isNetworkId, loadManifest, makePkhSpaceId, makePublicSpaceId, networkDiscoveryKey, openWrappedKey, parseCanonicalNetworkId, parseExpiry, parseNetworkId, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, validateEnvelope, validateManifest, verifyDecryptResponse } from '@tinycloud/sdk-core';
3
+ export { A as AuthDelegationArtifact, a as AuthRequestArtifact, D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, d as DelegationAuthority, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, m as grantAuthRequest, s as serializeDelegation } from './core-DiVEwp2P.js';
4
4
  import { invoke, invokeAny, computeCid, prepareSession, completeSessionSetup, ensureEip55, makeSpaceId, createDelegation, parseRecapFromSiwe, generateHostSIWEMessage, siweToDelegationHeaders, protocolVersion, vault_encrypt, vault_decrypt, vault_derive_key, vault_x25519_from_seed, vault_x25519_dh, vault_random_bytes, vault_sha256 } from '@tinycloud/node-sdk-wasm';
5
5
  import 'events';
6
6
  import '@tinycloud/sdk-services';
package/dist/index.js CHANGED
@@ -17186,7 +17186,8 @@ import {
17186
17186
  verifyDidKeyEd25519Signature,
17187
17187
  canonicalizeAddress as canonicalizeAddress2,
17188
17188
  pkhDid as pkhDid2,
17189
- principalDidEquals
17189
+ principalDidEquals as principalDidEquals2,
17190
+ parseNetworkId as parseNetworkId2
17190
17191
  } from "@tinycloud/sdk-core";
17191
17192
 
17192
17193
  // src/authorization/NodeUserAuthorization.ts
@@ -17199,6 +17200,8 @@ import {
17199
17200
  DEFAULT_MANIFEST_SPACE,
17200
17201
  ENCRYPTION_PERMISSION_SERVICE,
17201
17202
  composeManifestRequest,
17203
+ parseNetworkId,
17204
+ principalDidEquals,
17202
17205
  resourceCapabilitiesToAbilitiesMap,
17203
17206
  resourceCapabilitiesToSpaceAbilitiesMap,
17204
17207
  resolveTinyCloudHosts,
@@ -17283,6 +17286,25 @@ var MemorySessionStorage = class {
17283
17286
  };
17284
17287
 
17285
17288
  // src/authorization/NodeUserAuthorization.ts
17289
+ var DECRYPT_ACTION = "tinycloud.encryption/decrypt";
17290
+ var NETWORK_CREATE_ACTION = "tinycloud.encryption/network.create";
17291
+ function didPrincipalMatches(actual, expected) {
17292
+ try {
17293
+ return principalDidEquals(actual, expected);
17294
+ } catch {
17295
+ return actual === expected;
17296
+ }
17297
+ }
17298
+ function addRawAbility(rawAbilities, resource, action) {
17299
+ const actions = rawAbilities[resource];
17300
+ if (actions === void 0) {
17301
+ rawAbilities[resource] = [action];
17302
+ return;
17303
+ }
17304
+ if (!actions.includes(action)) {
17305
+ actions.push(action);
17306
+ }
17307
+ }
17286
17308
  var NodeUserAuthorization = class {
17287
17309
  constructor(config) {
17288
17310
  this.extensions = [];
@@ -17309,6 +17331,7 @@ var NodeUserAuthorization = class {
17309
17331
  "": [
17310
17332
  "tinycloud.sql/read",
17311
17333
  "tinycloud.sql/write",
17334
+ "tinycloud.sql/ddl",
17312
17335
  "tinycloud.sql/admin",
17313
17336
  "tinycloud.sql/export"
17314
17337
  ]
@@ -17512,20 +17535,18 @@ var NodeUserAuthorization = class {
17512
17535
  };
17513
17536
  }
17514
17537
  const rawAbilities = {};
17538
+ const currentDid = pkhDid(address, chainId);
17515
17539
  const spaceResources = request.resources.filter((entry) => {
17516
17540
  if (entry.service !== ENCRYPTION_PERMISSION_SERVICE) {
17517
17541
  return true;
17518
17542
  }
17519
- const existing = rawAbilities[entry.path];
17520
- if (existing === void 0) {
17521
- rawAbilities[entry.path] = [...entry.actions];
17522
- } else {
17523
- const seen = new Set(existing);
17524
- for (const action of entry.actions) {
17525
- if (!seen.has(action)) {
17526
- existing.push(action);
17527
- seen.add(action);
17528
- }
17543
+ for (const action of entry.actions) {
17544
+ addRawAbility(rawAbilities, entry.path, action);
17545
+ }
17546
+ if (entry.actions.includes(DECRYPT_ACTION)) {
17547
+ const parsed = parseNetworkId(entry.path);
17548
+ if (didPrincipalMatches(parsed.ownerDid, currentDid)) {
17549
+ addRawAbility(rawAbilities, entry.path, NETWORK_CREATE_ACTION);
17529
17550
  }
17530
17551
  }
17531
17552
  return false;
@@ -18084,6 +18105,9 @@ var NodeUserAuthorization = class {
18084
18105
  }
18085
18106
  };
18086
18107
 
18108
+ // src/account/AccountService.ts
18109
+ import { AccountService } from "@tinycloud/sdk-core";
18110
+
18087
18111
  // src/DelegatedAccess.ts
18088
18112
  import {
18089
18113
  KVService,
@@ -18501,13 +18525,13 @@ var NodeSecretsService = class {
18501
18525
  // src/TinyCloudNode.ts
18502
18526
  var DEFAULT_HOST = "https://node.tinycloud.xyz";
18503
18527
  var DEFAULT_ENCRYPTION_NETWORK_NAME = "default";
18504
- var NETWORK_CREATE_ACTION = "tinycloud.encryption/network.create";
18505
- var DECRYPT_ACTION = "tinycloud.encryption/decrypt";
18528
+ var NETWORK_CREATE_ACTION2 = "tinycloud.encryption/network.create";
18529
+ var DECRYPT_ACTION2 = "tinycloud.encryption/decrypt";
18506
18530
  var NETWORK_ADMIN_TYPE = "tinycloud.encryption.network-admin/v1";
18507
18531
  var DEFAULT_SESSION_EXPIRATION_MS = EXPIRY3.SESSION_MS;
18508
- function didPrincipalMatches(actual, expected) {
18532
+ function didPrincipalMatches2(actual, expected) {
18509
18533
  try {
18510
- return principalDidEquals(actual, expected);
18534
+ return principalDidEquals2(actual, expected);
18511
18535
  } catch {
18512
18536
  return actual === expected;
18513
18537
  }
@@ -18844,6 +18868,37 @@ var _TinyCloudNode = class _TinyCloudNode {
18844
18868
  get spaceId() {
18845
18869
  return this.auth?.tinyCloudSession?.spaceId;
18846
18870
  }
18871
+ /**
18872
+ * Get the account space ID for this wallet identity.
18873
+ * Available after wallet-backed sign-in or a restored session with address metadata.
18874
+ */
18875
+ get accountSpaceId() {
18876
+ if (!this._address) {
18877
+ return void 0;
18878
+ }
18879
+ return this.wasmBindings.makeSpaceId(this._address, this._chainId, ACCOUNT_REGISTRY_SPACE);
18880
+ }
18881
+ /**
18882
+ * Account-level application and delegation helpers.
18883
+ */
18884
+ get account() {
18885
+ if (!this._account) {
18886
+ this._account = new AccountService({
18887
+ getDid: () => this.did,
18888
+ getHost: () => this.hosts[0] ?? this.config.host,
18889
+ getPrimarySpaceId: () => this.spaceId,
18890
+ getAccountSpaceId: () => this.accountSpaceId,
18891
+ getSpaces: () => this.spaces,
18892
+ getAccountDb: () => this.accountSpaceId ? this.sqlForSpace(this.accountSpaceId).db("account") : void 0,
18893
+ ensureAccountSpaceHosted: async () => {
18894
+ if (this.accountSpaceId && this.auth) {
18895
+ await this.ensureOwnedSpaceHostedById(this.accountSpaceId);
18896
+ }
18897
+ }
18898
+ });
18899
+ }
18900
+ return this._account;
18901
+ }
18847
18902
  /**
18848
18903
  * Get the current TinyCloud session.
18849
18904
  * Available after signIn().
@@ -18881,10 +18936,11 @@ var _TinyCloudNode = class _TinyCloudNode {
18881
18936
  await this.tc.signIn(options);
18882
18937
  this.syncResolvedHostFromAuth();
18883
18938
  this.initializeServices();
18939
+ await this.ensureRequestedEncryptionNetworks();
18884
18940
  if (this.config.manifest === void 0 && this.config.capabilityRequest === void 0) {
18885
- await this.ensureOwnedSpaceHosted(this.ownedSpaceId("secrets"));
18941
+ await this.ensureOwnedSpaceHostedById(this.ownedSpaceId("secrets"));
18886
18942
  }
18887
- await this.writeManifestRegistryRecords();
18943
+ this.scheduleAccountRegistrySync();
18888
18944
  this.notificationHandler.success("Successfully signed in");
18889
18945
  }
18890
18946
  ownedSpaceId(name) {
@@ -18902,22 +18958,68 @@ var _TinyCloudNode = class _TinyCloudNode {
18902
18958
  throw new Error("Manifest registry write requires wallet mode");
18903
18959
  }
18904
18960
  const accountSpaceId = this.ownedSpaceId(ACCOUNT_REGISTRY_SPACE);
18905
- await this.ensureOwnedSpaceHosted(accountSpaceId);
18906
- const accountKV = this.spaces.get(accountSpaceId).kv;
18907
- for (const record of request.registryRecords) {
18908
- const result = await accountKV.put(record.key, {
18909
- app_id: record.app_id,
18910
- manifests: record.manifests,
18911
- updated_at: (/* @__PURE__ */ new Date()).toISOString()
18912
- });
18913
- if (!result.ok) {
18914
- throw new Error(
18915
- `Failed to write manifest registry record ${record.key}: ${result.error.message}`
18916
- );
18961
+ await this.ensureOwnedSpaceHostedById(accountSpaceId);
18962
+ const result = await this.account.applications.register(request.manifests);
18963
+ if (!result.ok) {
18964
+ throw new Error(
18965
+ `Failed to write manifest registry records: ${result.error.message}`
18966
+ );
18967
+ }
18968
+ }
18969
+ scheduleAccountRegistrySync() {
18970
+ void this.withAccountRegistryRetry(async () => {
18971
+ await this.writeManifestRegistryRecords();
18972
+ const spaces = await this.account.spaces.syncAccessible();
18973
+ if (!spaces.ok) {
18974
+ throw new Error(`Failed to sync account spaces: ${spaces.error.message}`);
18975
+ }
18976
+ });
18977
+ }
18978
+ async withAccountRegistryRetry(task) {
18979
+ const delays = [250, 1e3, 3e3];
18980
+ let lastError;
18981
+ for (let attempt = 0; attempt < delays.length; attempt += 1) {
18982
+ try {
18983
+ await task();
18984
+ return;
18985
+ } catch (error) {
18986
+ lastError = error;
18987
+ if (attempt < delays.length - 1) {
18988
+ await new Promise((resolve) => setTimeout(resolve, delays[attempt]));
18989
+ }
18990
+ }
18991
+ }
18992
+ console.warn(
18993
+ "TinyCloud account registry sync failed after retries",
18994
+ lastError
18995
+ );
18996
+ }
18997
+ requestedEncryptionNetworkIds() {
18998
+ const request = this.capabilityRequest;
18999
+ if (!request) {
19000
+ return [];
19001
+ }
19002
+ const networkIds = /* @__PURE__ */ new Set();
19003
+ for (const resource of request.resources) {
19004
+ if (resource.service === ENCRYPTION_PERMISSION_SERVICE2 && resource.path.startsWith("urn:tinycloud:encryption:") && resource.actions.includes(DECRYPT_ACTION2)) {
19005
+ networkIds.add(resource.path);
18917
19006
  }
18918
19007
  }
19008
+ return [...networkIds];
18919
19009
  }
18920
- async ensureOwnedSpaceHosted(spaceId) {
19010
+ async ensureRequestedEncryptionNetworks() {
19011
+ if (!this.signer || !this.auth) {
19012
+ return;
19013
+ }
19014
+ for (const networkId of this.requestedEncryptionNetworkIds()) {
19015
+ const parsed = parseNetworkId2(networkId);
19016
+ if (!didPrincipalMatches2(parsed.ownerDid, this.did)) {
19017
+ continue;
19018
+ }
19019
+ await this.ensureEncryptionNetwork(networkId);
19020
+ }
19021
+ }
19022
+ async ensureOwnedSpaceHostedById(spaceId) {
18921
19023
  if (!this.auth) {
18922
19024
  throw new Error("Owned space hosting requires wallet mode");
18923
19025
  }
@@ -18950,6 +19052,84 @@ var _TinyCloudNode = class _TinyCloudNode {
18950
19052
  );
18951
19053
  }
18952
19054
  }
19055
+ /**
19056
+ * Host one of this user's owned spaces by name (e.g. `"applications"`).
19057
+ *
19058
+ * Resolves the name to the owned space URI
19059
+ * (`tinycloud:pkh:eip155:<chain>:<addr>:<name>`) and registers it on the
19060
+ * server via the host-SIWE delegation flow, so subsequent KV/SQL writes to
19061
+ * that space succeed instead of returning `404 - Space not found`. The
19062
+ * caller is the root authority of their own owned spaces, so no additional
19063
+ * delegation is required.
19064
+ *
19065
+ * Unlike {@link ensureOwnedSpaceHostedById}, this always submits the host
19066
+ * delegation rather than inferring hosting from session activation: a space
19067
+ * the current session has never referenced is reported neither as
19068
+ * `activated` nor `skipped`, so activation-based detection would wrongly
19069
+ * skip the host. The host SIWE is idempotent server-side, so re-hosting an
19070
+ * existing space is a safe no-op. Must be called after {@link signIn}.
19071
+ *
19072
+ * @param name - The owned space name (e.g. `"applications"`).
19073
+ * @returns The hosted space URI.
19074
+ */
19075
+ async hostOwnedSpace(name) {
19076
+ if (!this.auth || !this.auth.tinyCloudSession) {
19077
+ throw new Error("Not signed in. Call signIn() first.");
19078
+ }
19079
+ const spaceId = this.ownedSpaceId(name);
19080
+ const host = this.hosts[0] ?? this.config.host;
19081
+ if (!host) {
19082
+ throw new Error("Owned space hosting requires a TinyCloud host");
19083
+ }
19084
+ const hosted = await this.auth.hostOwnedSpace(
19085
+ spaceId
19086
+ );
19087
+ if (!hosted) {
19088
+ throw new Error(`Failed to host owned space: ${spaceId}`);
19089
+ }
19090
+ const activation = await activateSessionWithHost2(
19091
+ host,
19092
+ this.auth.tinyCloudSession.delegationHeader
19093
+ );
19094
+ if (!activation.success || activation.skipped?.includes(spaceId)) {
19095
+ throw new Error(
19096
+ `Failed to activate session for owned space ${spaceId}: ${activation.error ?? "space was skipped"}`
19097
+ );
19098
+ }
19099
+ void this.account.spaces.register({
19100
+ spaceId,
19101
+ name,
19102
+ ownerDid: this.did,
19103
+ type: "owned",
19104
+ permissions: ["*"],
19105
+ status: "active"
19106
+ }).catch(() => {
19107
+ });
19108
+ return spaceId;
19109
+ }
19110
+ /**
19111
+ * Ensure one of this user's owned spaces (e.g. `"secrets"`) is hosted on the
19112
+ * server.
19113
+ *
19114
+ * At sign-in, a full-authority session auto-hosts the owner's `secrets`
19115
+ * space, but a session created with a manifest / capabilityRequest does not.
19116
+ * Such a session can therefore hold valid `tinycloud.kv/*` capabilities for
19117
+ * the owned `secrets` space yet still fail its first scoped
19118
+ * `secrets.put(...)` with `404 Space not found`, because the space was never
19119
+ * registered on the node.
19120
+ *
19121
+ * Calling this resolves `name` to the owner's owned-space URI
19122
+ * (`tinycloud:pkh:eip155:<chain>:<addr>:<name>`) and hosts it via the
19123
+ * host-SIWE delegation flow. The host SIWE is idempotent server-side, so it
19124
+ * is safe to call whether or not the space already exists; do not gate it on
19125
+ * a prior existence check. Must be called after {@link signIn}.
19126
+ *
19127
+ * @param name - The owned space name (e.g. `"secrets"`).
19128
+ * @returns The hosted owned-space URI.
19129
+ */
19130
+ async ensureOwnedSpaceHosted(name) {
19131
+ return this.hostOwnedSpace(name);
19132
+ }
18953
19133
  /**
18954
19134
  * Restore a previously established session from stored delegation data.
18955
19135
  *
@@ -19339,7 +19519,7 @@ var _TinyCloudNode = class _TinyCloudNode {
19339
19519
  const signed2 = await this.signRawNetworkAuthorization({
19340
19520
  targetNode: input.targetNode,
19341
19521
  networkId: input.networkId,
19342
- action: DECRYPT_ACTION,
19522
+ action: DECRYPT_ACTION2,
19343
19523
  facts: input.facts
19344
19524
  });
19345
19525
  return {
@@ -19356,7 +19536,7 @@ var _TinyCloudNode = class _TinyCloudNode {
19356
19536
  },
19357
19537
  wellKnown: {
19358
19538
  fetchWellKnown: async (principal, discoveryKey) => {
19359
- if (!this._address || !didPrincipalMatches(principal, this.did)) {
19539
+ if (!this._address || !didPrincipalMatches2(principal, this.did)) {
19360
19540
  return null;
19361
19541
  }
19362
19542
  if (!this.config.host) {
@@ -19565,6 +19745,9 @@ var _TinyCloudNode = class _TinyCloudNode {
19565
19745
  }
19566
19746
  };
19567
19747
  }
19748
+ },
19749
+ onSpaceRegistered: async (space) => {
19750
+ await this.account.spaces.register(space);
19568
19751
  }
19569
19752
  });
19570
19753
  this._sharingService.updateConfig({
@@ -19863,12 +20046,12 @@ var _TinyCloudNode = class _TinyCloudNode {
19863
20046
  crypto2.sha256,
19864
20047
  body
19865
20048
  ),
19866
- action: NETWORK_CREATE_ACTION
20049
+ action: NETWORK_CREATE_ACTION2
19867
20050
  };
19868
20051
  const signed2 = await this.signRawNetworkAuthorization({
19869
20052
  targetNode,
19870
20053
  networkId,
19871
- action: NETWORK_CREATE_ACTION,
20054
+ action: NETWORK_CREATE_ACTION2,
19872
20055
  facts
19873
20056
  });
19874
20057
  const response = await fetch(`${this.config.host}/encryption/networks`, {
@@ -19889,12 +20072,19 @@ var _TinyCloudNode = class _TinyCloudNode {
19889
20072
  const created = await response.json();
19890
20073
  return created.descriptor;
19891
20074
  }
19892
- async ensureEncryptionNetwork(name = DEFAULT_ENCRYPTION_NETWORK_NAME) {
19893
- const existing = await this.getEncryptionNetwork(name);
20075
+ async ensureEncryptionNetwork(nameOrNetworkId = DEFAULT_ENCRYPTION_NETWORK_NAME) {
20076
+ const networkId = nameOrNetworkId.startsWith("urn:tinycloud:encryption:") ? nameOrNetworkId : this.getDefaultEncryptionNetworkId(nameOrNetworkId);
20077
+ const existing = await this.getEncryptionNetwork(networkId);
19894
20078
  if (existing) {
19895
20079
  return existing;
19896
20080
  }
19897
- return this.createEncryptionNetwork(name);
20081
+ const parsed = parseNetworkId2(networkId);
20082
+ if (!didPrincipalMatches2(parsed.ownerDid, this.did)) {
20083
+ throw new Error(
20084
+ `Cannot create encryption network ${networkId}: owner ${parsed.ownerDid} does not match signed-in DID ${this.did}`
20085
+ );
20086
+ }
20087
+ return this.createEncryptionNetwork(parsed.name);
19898
20088
  }
19899
20089
  /**
19900
20090
  * App-facing secrets API backed by the `secrets` space vault.
@@ -20042,7 +20232,7 @@ var _TinyCloudNode = class _TinyCloudNode {
20042
20232
  throw new SessionExpiredError(delegation.expiry);
20043
20233
  }
20044
20234
  const expectedDids = [session.verificationMethod, this.sessionDid];
20045
- if (!expectedDids.some((did) => didPrincipalMatches(delegation.delegateDID, did))) {
20235
+ if (!expectedDids.some((did) => didPrincipalMatches2(delegation.delegateDID, did))) {
20046
20236
  throw new Error(
20047
20237
  `Runtime delegation targets ${delegation.delegateDID} but this session key is ${session.verificationMethod}.`
20048
20238
  );
@@ -20571,7 +20761,7 @@ var _TinyCloudNode = class _TinyCloudNode {
20571
20761
  );
20572
20762
  }
20573
20763
  const target = request.delegationTargets.find(
20574
- (entry) => didPrincipalMatches(entry.did, did)
20764
+ (entry) => didPrincipalMatches2(entry.did, did)
20575
20765
  );
20576
20766
  if (!target) {
20577
20767
  throw new Error(`No manifest delegation target found for DID ${did}`);
@@ -21021,7 +21211,23 @@ var _TinyCloudNode = class _TinyCloudNode {
21021
21211
  if (granted.resource !== void 0 || requested.resource !== void 0) {
21022
21212
  return granted.resource !== void 0 && requested.resource !== void 0 && granted.resource === requested.resource && this.pathContains(granted.path, requested.path);
21023
21213
  }
21024
- return granted.spaceId !== void 0 && requested.spaceId !== void 0 && granted.spaceId === requested.spaceId && this.pathContains(granted.path, requested.path);
21214
+ return granted.spaceId !== void 0 && requested.spaceId !== void 0 && this.spaceIdsEqual(granted.spaceId, requested.spaceId) && this.pathContains(granted.path, requested.path);
21215
+ }
21216
+ // Space IDs are `tinycloud:pkh:eip155:<chain>:<0xADDR>:<name>`. The embedded
21217
+ // EIP-155 address is case-insensitive, but the CLI canonicalizes it to
21218
+ // lowercase when building a space URI while stored runtime delegations keep
21219
+ // the EIP-55 checksummed form — so a byte-for-byte compare spuriously rejects
21220
+ // an otherwise-valid grant. Lowercase ONLY the `eip155:<chain>:0x<addr>`
21221
+ // segment and leave everything else (crucially the case-sensitive space NAME)
21222
+ // byte-exact. Mirrors the CLI's `normalizeSpaceForCompare` (OPENKEY_SCOPE_MISMATCH fix).
21223
+ spaceIdsEqual(a, b) {
21224
+ return this.normalizeSpaceAddress(a) === this.normalizeSpaceAddress(b);
21225
+ }
21226
+ normalizeSpaceAddress(space) {
21227
+ return space.replace(
21228
+ /(eip155:\d+:)(0x[0-9a-fA-F]{40})/,
21229
+ (_match, prefix, addr) => prefix + addr.toLowerCase()
21230
+ );
21025
21231
  }
21026
21232
  actionContains(grantedAction, requestedAction) {
21027
21233
  if (grantedAction === requestedAction) {
@@ -21285,7 +21491,7 @@ var _TinyCloudNode = class _TinyCloudNode {
21285
21491
  const targetHost = delegation.host ?? this.config.host;
21286
21492
  if (this.isSessionOnly) {
21287
21493
  const myDid = this.did;
21288
- if (!didPrincipalMatches(delegation.delegateDID, myDid)) {
21494
+ if (!didPrincipalMatches2(delegation.delegateDID, myDid)) {
21289
21495
  throw new Error(
21290
21496
  `Delegation targets ${delegation.delegateDID} but this user's DID is ${myDid}. The delegation must target this user's DID.`
21291
21497
  );
@@ -21516,7 +21722,7 @@ import {
21516
21722
  parsePkhDid,
21517
21723
  pkhDid as pkhDid3,
21518
21724
  principalDid,
21519
- principalDidEquals as principalDidEquals2,
21725
+ principalDidEquals as principalDidEquals3,
21520
21726
  parseCanonicalNetworkId
21521
21727
  } from "@tinycloud/sdk-core";
21522
21728
 
@@ -21663,6 +21869,32 @@ import {
21663
21869
  } from "@tinycloud/sdk-core";
21664
21870
 
21665
21871
  // src/delegation.ts
21872
+ async function grantAuthRequest(authority, request, options) {
21873
+ if (request.kind !== "tinycloud.auth.request") {
21874
+ throw new Error(
21875
+ `grantAuthRequest expects a tinycloud.auth.request artifact, got "${request.kind}".`
21876
+ );
21877
+ }
21878
+ if (!Array.isArray(request.requested) || request.requested.length === 0) {
21879
+ throw new Error("grantAuthRequest request has no requested capabilities.");
21880
+ }
21881
+ const expiry = options?.expiry ?? request.requestedExpiry;
21882
+ const result = await authority.delegateTo(
21883
+ request.sessionDid,
21884
+ request.requested,
21885
+ expiry !== void 0 ? { expiry } : void 0
21886
+ );
21887
+ return {
21888
+ kind: "tinycloud.auth.delegation",
21889
+ version: 1,
21890
+ requestId: request.requestId,
21891
+ delegationCid: result.delegation.cid,
21892
+ delegation: result.delegation,
21893
+ permissions: request.requested,
21894
+ expiry: result.delegation.expiry.toISOString(),
21895
+ prompted: result.prompted
21896
+ };
21897
+ }
21666
21898
  function serializeDelegation(delegation) {
21667
21899
  return JSON.stringify({
21668
21900
  ...delegation,
@@ -21703,7 +21935,7 @@ import {
21703
21935
  } from "@tinycloud/sdk-core";
21704
21936
  import {
21705
21937
  EncryptionService as EncryptionService2,
21706
- parseNetworkId,
21938
+ parseNetworkId as parseNetworkId3,
21707
21939
  buildNetworkId,
21708
21940
  isNetworkId,
21709
21941
  networkDiscoveryKey,
@@ -21738,7 +21970,7 @@ import {
21738
21970
  DEFAULT_KEY_VERSION,
21739
21971
  DECRYPT_FACT_TYPE,
21740
21972
  DECRYPT_RESULT_TYPE,
21741
- DECRYPT_ACTION as DECRYPT_ACTION2,
21973
+ DECRYPT_ACTION as DECRYPT_ACTION3,
21742
21974
  ENCRYPTION_SERVICE,
21743
21975
  ENCRYPTION_SERVICE_SHORT,
21744
21976
  encryptionError
@@ -21774,10 +22006,11 @@ import { ServiceContext as ServiceContext3 } from "@tinycloud/sdk-core";
21774
22006
  export {
21775
22007
  ACCOUNT_REGISTRY_PATH,
21776
22008
  ACCOUNT_REGISTRY_SPACE2 as ACCOUNT_REGISTRY_SPACE,
22009
+ AccountService,
21777
22010
  AutoApproveSpaceCreationHandler2 as AutoApproveSpaceCreationHandler,
21778
22011
  CapabilityKeyRegistry2 as CapabilityKeyRegistry,
21779
22012
  CapabilityKeyRegistryErrorCodes,
21780
- DECRYPT_ACTION2 as DECRYPT_ACTION,
22013
+ DECRYPT_ACTION3 as DECRYPT_ACTION,
21781
22014
  DECRYPT_FACT_TYPE,
21782
22015
  DECRYPT_RESULT_TYPE,
21783
22016
  DEFAULT_ENCRYPTION_ALG,
@@ -21873,6 +22106,7 @@ export {
21873
22106
  expandPermissionEntries2 as expandPermissionEntries,
21874
22107
  expandPermissionEntry,
21875
22108
  generateRandomReceiverKey,
22109
+ grantAuthRequest,
21876
22110
  hexDecode,
21877
22111
  hexEncode,
21878
22112
  isCapabilitySubset2 as isCapabilitySubset,
@@ -21885,12 +22119,12 @@ export {
21885
22119
  openWrappedKey,
21886
22120
  parseCanonicalNetworkId,
21887
22121
  parseExpiry2 as parseExpiry,
21888
- parseNetworkId,
22122
+ parseNetworkId3 as parseNetworkId,
21889
22123
  parsePkhDid,
21890
22124
  parseSpaceUri,
21891
22125
  pkhDid3 as pkhDid,
21892
22126
  principalDid,
21893
- principalDidEquals2 as principalDidEquals,
22127
+ principalDidEquals3 as principalDidEquals,
21894
22128
  resolveManifest2 as resolveManifest,
21895
22129
  resolveSecretListPrefix2 as resolveSecretListPrefix,
21896
22130
  resolveSecretPath2 as resolveSecretPath,