@tinycloud/node-sdk 2.4.0-beta.1 → 2.4.0-beta.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.d.cts CHANGED
@@ -1,6 +1,6 @@
1
1
  import { ISigner, Bytes, IWasmBindings, ISessionManager } from '@tinycloud/sdk-core';
2
- export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, BuildCanonicalDecryptRequestInput, BuildDecryptFactsInput, BuildDecryptInvocationInput, BuiltDecryptInvocation, CallbackStrategy, CanonicalAddress, CanonicalDecryptRequest, CanonicalJson, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DECRYPT_ACTION, DECRYPT_FACT_TYPE, DECRYPT_RESULT_TYPE, DEFAULT_ENCRYPTION_ALG, DEFAULT_KEY_VERSION, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, DecryptCapabilityProof, DecryptEnvelopeOptions, DecryptInvocationFact, DecryptInvocationSigner, DecryptRequestBody, DecryptResponseBody, DecryptTransport, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DiscoverNetworkInput, DiscoveredNetwork, DiscoverySource, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ENCRYPTION_NETWORK_URN_PREFIX, ENCRYPTION_SERVICE, ENCRYPTION_SERVICE_SHORT, ENVELOPE_VERSION, EncodedShareData, EncryptToNetworkInput, EncryptToNetworkOptions, EncryptToNetworkResult, EncryptionCrypto, EncryptionError, EncryptionErrorInput, EncryptionService, EncryptionServiceConfig, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IEncryptionService, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InlineEncryptedEnvelope, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, NETWORK_NAME_PATTERN, NetworkDescriptor, NetworkIdError, NodeDescriptorFetcher, ParsedNetworkId, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, RandomReceiverKeyInput, ReceiveOptions, ReceiverKeyPair, ReceiverKeySigner, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SignedReceiverKeyInput, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VerifyDecryptResponseInput, VersionCheckError, ViewInfo, WasmVaultFunctions, WellKnownDescriptorFetcher, addressStorageKey, buildCanonicalDecryptRequest, buildDecryptAttenuation, buildDecryptFacts, buildDecryptInvocation, buildNetworkId, buildSpaceUri, canonicalHashHex, canonicalSignedResponse, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeEncryptionJson, canonicalizeNetworkId, canonicalizeSecretScope, checkDecryptInvocationInput, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, decryptEnvelopeWithKey, defaultSpaceCreationHandler, deriveSignedReceiverKey, didCacheKey, didEquals, discoverNetwork, encryptToNetwork, encryptionBase64Decode, encryptionBase64Encode, encryptionError, encryptionUtf8Decode, encryptionUtf8Encode, ensureNetworkUsableForDecrypt, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, generateRandomReceiverKey, hexDecode, hexEncode, isCapabilitySubset, isEvmAddress, isNetworkId, loadManifest, makePkhSpaceId, makePublicSpaceId, networkDiscoveryKey, openWrappedKey, parseCanonicalNetworkId, parseExpiry, parseNetworkId, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, validateEnvelope, validateManifest, verifyDecryptResponse } from '@tinycloud/sdk-core';
3
- export { D as DelegateToOptions, a as DelegateToResult, b as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, c as NodeUserAuthorization, d as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, e as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, f as TinyCloudNodeConfig, W as WasmKeyProvider, g as WasmKeyProviderConfig, h as createWasmKeyProvider, i as defaultSignStrategy, j as deserializeDelegation, s as serializeDelegation } from './core-Dbzm1kA_.cjs';
2
+ export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AccountApplication, AccountApplicationListOptions, AccountDelegation, AccountDelegationListOptions, AccountDelegationRevokeOptions, AccountIndexRebuildResult, AccountIndexStatus, AccountIndexedReadOptions, AccountService, AccountServiceConfig, AccountSpace, AccountSpaceListOptions, AccountStatus, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, BuildCanonicalDecryptRequestInput, BuildDecryptFactsInput, BuildDecryptInvocationInput, BuiltDecryptInvocation, CallbackStrategy, CanonicalAddress, CanonicalDecryptRequest, CanonicalJson, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DECRYPT_ACTION, DECRYPT_FACT_TYPE, DECRYPT_RESULT_TYPE, DEFAULT_ENCRYPTION_ALG, DEFAULT_KEY_VERSION, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, DecryptCapabilityProof, DecryptEnvelopeOptions, DecryptInvocationFact, DecryptInvocationSigner, DecryptRequestBody, DecryptResponseBody, DecryptTransport, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DiscoverNetworkInput, DiscoveredNetwork, DiscoverySource, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ENCRYPTION_NETWORK_URN_PREFIX, ENCRYPTION_SERVICE, ENCRYPTION_SERVICE_SHORT, ENVELOPE_VERSION, EncodedShareData, EncryptToNetworkInput, EncryptToNetworkOptions, EncryptToNetworkResult, EncryptionCrypto, EncryptionError, EncryptionErrorInput, EncryptionService, EncryptionServiceConfig, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IEncryptionService, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InlineEncryptedEnvelope, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, NETWORK_NAME_PATTERN, NetworkDescriptor, NetworkIdError, NodeDescriptorFetcher, ParsedNetworkId, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, RandomReceiverKeyInput, ReceiveOptions, ReceiverKeyPair, ReceiverKeySigner, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SignedReceiverKeyInput, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VerifyDecryptResponseInput, VersionCheckError, ViewInfo, WasmVaultFunctions, WellKnownDescriptorFetcher, addressStorageKey, buildCanonicalDecryptRequest, buildDecryptAttenuation, buildDecryptFacts, buildDecryptInvocation, buildNetworkId, buildSpaceUri, canonicalHashHex, canonicalSignedResponse, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeEncryptionJson, canonicalizeNetworkId, canonicalizeSecretScope, checkDecryptInvocationInput, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, decryptEnvelopeWithKey, defaultSpaceCreationHandler, deriveSignedReceiverKey, didCacheKey, didEquals, discoverNetwork, encryptToNetwork, encryptionBase64Decode, encryptionBase64Encode, encryptionError, encryptionUtf8Decode, encryptionUtf8Encode, ensureNetworkUsableForDecrypt, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, generateRandomReceiverKey, hexDecode, hexEncode, isCapabilitySubset, isEvmAddress, isNetworkId, loadManifest, makePkhSpaceId, makePublicSpaceId, networkDiscoveryKey, openWrappedKey, parseCanonicalNetworkId, parseExpiry, parseNetworkId, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, validateEnvelope, validateManifest, verifyDecryptResponse } from '@tinycloud/sdk-core';
3
+ export { A as AuthDelegationArtifact, a as AuthRequestArtifact, D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, d as DelegationAuthority, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, m as grantAuthRequest, s as serializeDelegation } from './core-DiVEwp2P.cjs';
4
4
  import { invoke, invokeAny, computeCid, prepareSession, completeSessionSetup, ensureEip55, makeSpaceId, createDelegation, parseRecapFromSiwe, generateHostSIWEMessage, siweToDelegationHeaders, protocolVersion, vault_encrypt, vault_decrypt, vault_derive_key, vault_x25519_from_seed, vault_x25519_dh, vault_random_bytes, vault_sha256 } from '@tinycloud/node-sdk-wasm';
5
5
  import 'events';
6
6
  import '@tinycloud/sdk-services';
package/dist/index.d.ts CHANGED
@@ -1,6 +1,6 @@
1
1
  import { ISigner, Bytes, IWasmBindings, ISessionManager } from '@tinycloud/sdk-core';
2
- export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, BuildCanonicalDecryptRequestInput, BuildDecryptFactsInput, BuildDecryptInvocationInput, BuiltDecryptInvocation, CallbackStrategy, CanonicalAddress, CanonicalDecryptRequest, CanonicalJson, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DECRYPT_ACTION, DECRYPT_FACT_TYPE, DECRYPT_RESULT_TYPE, DEFAULT_ENCRYPTION_ALG, DEFAULT_KEY_VERSION, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, DecryptCapabilityProof, DecryptEnvelopeOptions, DecryptInvocationFact, DecryptInvocationSigner, DecryptRequestBody, DecryptResponseBody, DecryptTransport, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DiscoverNetworkInput, DiscoveredNetwork, DiscoverySource, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ENCRYPTION_NETWORK_URN_PREFIX, ENCRYPTION_SERVICE, ENCRYPTION_SERVICE_SHORT, ENVELOPE_VERSION, EncodedShareData, EncryptToNetworkInput, EncryptToNetworkOptions, EncryptToNetworkResult, EncryptionCrypto, EncryptionError, EncryptionErrorInput, EncryptionService, EncryptionServiceConfig, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IEncryptionService, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InlineEncryptedEnvelope, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, NETWORK_NAME_PATTERN, NetworkDescriptor, NetworkIdError, NodeDescriptorFetcher, ParsedNetworkId, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, RandomReceiverKeyInput, ReceiveOptions, ReceiverKeyPair, ReceiverKeySigner, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SignedReceiverKeyInput, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VerifyDecryptResponseInput, VersionCheckError, ViewInfo, WasmVaultFunctions, WellKnownDescriptorFetcher, addressStorageKey, buildCanonicalDecryptRequest, buildDecryptAttenuation, buildDecryptFacts, buildDecryptInvocation, buildNetworkId, buildSpaceUri, canonicalHashHex, canonicalSignedResponse, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeEncryptionJson, canonicalizeNetworkId, canonicalizeSecretScope, checkDecryptInvocationInput, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, decryptEnvelopeWithKey, defaultSpaceCreationHandler, deriveSignedReceiverKey, didCacheKey, didEquals, discoverNetwork, encryptToNetwork, encryptionBase64Decode, encryptionBase64Encode, encryptionError, encryptionUtf8Decode, encryptionUtf8Encode, ensureNetworkUsableForDecrypt, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, generateRandomReceiverKey, hexDecode, hexEncode, isCapabilitySubset, isEvmAddress, isNetworkId, loadManifest, makePkhSpaceId, makePublicSpaceId, networkDiscoveryKey, openWrappedKey, parseCanonicalNetworkId, parseExpiry, parseNetworkId, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, validateEnvelope, validateManifest, verifyDecryptResponse } from '@tinycloud/sdk-core';
3
- export { D as DelegateToOptions, a as DelegateToResult, b as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, c as NodeUserAuthorization, d as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, e as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, f as TinyCloudNodeConfig, W as WasmKeyProvider, g as WasmKeyProviderConfig, h as createWasmKeyProvider, i as defaultSignStrategy, j as deserializeDelegation, s as serializeDelegation } from './core-Dbzm1kA_.js';
2
+ export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AccountApplication, AccountApplicationListOptions, AccountDelegation, AccountDelegationListOptions, AccountDelegationRevokeOptions, AccountIndexRebuildResult, AccountIndexStatus, AccountIndexedReadOptions, AccountService, AccountServiceConfig, AccountSpace, AccountSpaceListOptions, AccountStatus, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, BuildCanonicalDecryptRequestInput, BuildDecryptFactsInput, BuildDecryptInvocationInput, BuiltDecryptInvocation, CallbackStrategy, CanonicalAddress, CanonicalDecryptRequest, CanonicalJson, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DECRYPT_ACTION, DECRYPT_FACT_TYPE, DECRYPT_RESULT_TYPE, DEFAULT_ENCRYPTION_ALG, DEFAULT_KEY_VERSION, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, DecryptCapabilityProof, DecryptEnvelopeOptions, DecryptInvocationFact, DecryptInvocationSigner, DecryptRequestBody, DecryptResponseBody, DecryptTransport, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DiscoverNetworkInput, DiscoveredNetwork, DiscoverySource, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ENCRYPTION_NETWORK_URN_PREFIX, ENCRYPTION_SERVICE, ENCRYPTION_SERVICE_SHORT, ENVELOPE_VERSION, EncodedShareData, EncryptToNetworkInput, EncryptToNetworkOptions, EncryptToNetworkResult, EncryptionCrypto, EncryptionError, EncryptionErrorInput, EncryptionService, EncryptionServiceConfig, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IEncryptionService, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InlineEncryptedEnvelope, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, NETWORK_NAME_PATTERN, NetworkDescriptor, NetworkIdError, NodeDescriptorFetcher, ParsedNetworkId, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, RandomReceiverKeyInput, ReceiveOptions, ReceiverKeyPair, ReceiverKeySigner, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SignedReceiverKeyInput, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VerifyDecryptResponseInput, VersionCheckError, ViewInfo, WasmVaultFunctions, WellKnownDescriptorFetcher, addressStorageKey, buildCanonicalDecryptRequest, buildDecryptAttenuation, buildDecryptFacts, buildDecryptInvocation, buildNetworkId, buildSpaceUri, canonicalHashHex, canonicalSignedResponse, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeEncryptionJson, canonicalizeNetworkId, canonicalizeSecretScope, checkDecryptInvocationInput, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, decryptEnvelopeWithKey, defaultSpaceCreationHandler, deriveSignedReceiverKey, didCacheKey, didEquals, discoverNetwork, encryptToNetwork, encryptionBase64Decode, encryptionBase64Encode, encryptionError, encryptionUtf8Decode, encryptionUtf8Encode, ensureNetworkUsableForDecrypt, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, generateRandomReceiverKey, hexDecode, hexEncode, isCapabilitySubset, isEvmAddress, isNetworkId, loadManifest, makePkhSpaceId, makePublicSpaceId, networkDiscoveryKey, openWrappedKey, parseCanonicalNetworkId, parseExpiry, parseNetworkId, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, validateEnvelope, validateManifest, verifyDecryptResponse } from '@tinycloud/sdk-core';
3
+ export { A as AuthDelegationArtifact, a as AuthRequestArtifact, D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, d as DelegationAuthority, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, m as grantAuthRequest, s as serializeDelegation } from './core-DiVEwp2P.js';
4
4
  import { invoke, invokeAny, computeCid, prepareSession, completeSessionSetup, ensureEip55, makeSpaceId, createDelegation, parseRecapFromSiwe, generateHostSIWEMessage, siweToDelegationHeaders, protocolVersion, vault_encrypt, vault_decrypt, vault_derive_key, vault_x25519_from_seed, vault_x25519_dh, vault_random_bytes, vault_sha256 } from '@tinycloud/node-sdk-wasm';
5
5
  import 'events';
6
6
  import '@tinycloud/sdk-services';
package/dist/index.js CHANGED
@@ -17186,7 +17186,8 @@ import {
17186
17186
  verifyDidKeyEd25519Signature,
17187
17187
  canonicalizeAddress as canonicalizeAddress2,
17188
17188
  pkhDid as pkhDid2,
17189
- principalDidEquals
17189
+ principalDidEquals as principalDidEquals2,
17190
+ parseNetworkId as parseNetworkId2
17190
17191
  } from "@tinycloud/sdk-core";
17191
17192
 
17192
17193
  // src/authorization/NodeUserAuthorization.ts
@@ -17199,6 +17200,8 @@ import {
17199
17200
  DEFAULT_MANIFEST_SPACE,
17200
17201
  ENCRYPTION_PERMISSION_SERVICE,
17201
17202
  composeManifestRequest,
17203
+ parseNetworkId,
17204
+ principalDidEquals,
17202
17205
  resourceCapabilitiesToAbilitiesMap,
17203
17206
  resourceCapabilitiesToSpaceAbilitiesMap,
17204
17207
  resolveTinyCloudHosts,
@@ -17283,6 +17286,25 @@ var MemorySessionStorage = class {
17283
17286
  };
17284
17287
 
17285
17288
  // src/authorization/NodeUserAuthorization.ts
17289
+ var DECRYPT_ACTION = "tinycloud.encryption/decrypt";
17290
+ var NETWORK_CREATE_ACTION = "tinycloud.encryption/network.create";
17291
+ function didPrincipalMatches(actual, expected) {
17292
+ try {
17293
+ return principalDidEquals(actual, expected);
17294
+ } catch {
17295
+ return actual === expected;
17296
+ }
17297
+ }
17298
+ function addRawAbility(rawAbilities, resource, action) {
17299
+ const actions = rawAbilities[resource];
17300
+ if (actions === void 0) {
17301
+ rawAbilities[resource] = [action];
17302
+ return;
17303
+ }
17304
+ if (!actions.includes(action)) {
17305
+ actions.push(action);
17306
+ }
17307
+ }
17286
17308
  var NodeUserAuthorization = class {
17287
17309
  constructor(config) {
17288
17310
  this.extensions = [];
@@ -17309,6 +17331,7 @@ var NodeUserAuthorization = class {
17309
17331
  "": [
17310
17332
  "tinycloud.sql/read",
17311
17333
  "tinycloud.sql/write",
17334
+ "tinycloud.sql/ddl",
17312
17335
  "tinycloud.sql/admin",
17313
17336
  "tinycloud.sql/export"
17314
17337
  ]
@@ -17512,20 +17535,18 @@ var NodeUserAuthorization = class {
17512
17535
  };
17513
17536
  }
17514
17537
  const rawAbilities = {};
17538
+ const currentDid = pkhDid(address, chainId);
17515
17539
  const spaceResources = request.resources.filter((entry) => {
17516
17540
  if (entry.service !== ENCRYPTION_PERMISSION_SERVICE) {
17517
17541
  return true;
17518
17542
  }
17519
- const existing = rawAbilities[entry.path];
17520
- if (existing === void 0) {
17521
- rawAbilities[entry.path] = [...entry.actions];
17522
- } else {
17523
- const seen = new Set(existing);
17524
- for (const action of entry.actions) {
17525
- if (!seen.has(action)) {
17526
- existing.push(action);
17527
- seen.add(action);
17528
- }
17543
+ for (const action of entry.actions) {
17544
+ addRawAbility(rawAbilities, entry.path, action);
17545
+ }
17546
+ if (entry.actions.includes(DECRYPT_ACTION)) {
17547
+ const parsed = parseNetworkId(entry.path);
17548
+ if (didPrincipalMatches(parsed.ownerDid, currentDid)) {
17549
+ addRawAbility(rawAbilities, entry.path, NETWORK_CREATE_ACTION);
17529
17550
  }
17530
17551
  }
17531
17552
  return false;
@@ -18084,6 +18105,9 @@ var NodeUserAuthorization = class {
18084
18105
  }
18085
18106
  };
18086
18107
 
18108
+ // src/account/AccountService.ts
18109
+ import { AccountService } from "@tinycloud/sdk-core";
18110
+
18087
18111
  // src/DelegatedAccess.ts
18088
18112
  import {
18089
18113
  KVService,
@@ -18501,13 +18525,13 @@ var NodeSecretsService = class {
18501
18525
  // src/TinyCloudNode.ts
18502
18526
  var DEFAULT_HOST = "https://node.tinycloud.xyz";
18503
18527
  var DEFAULT_ENCRYPTION_NETWORK_NAME = "default";
18504
- var NETWORK_CREATE_ACTION = "tinycloud.encryption/network.create";
18505
- var DECRYPT_ACTION = "tinycloud.encryption/decrypt";
18528
+ var NETWORK_CREATE_ACTION2 = "tinycloud.encryption/network.create";
18529
+ var DECRYPT_ACTION2 = "tinycloud.encryption/decrypt";
18506
18530
  var NETWORK_ADMIN_TYPE = "tinycloud.encryption.network-admin/v1";
18507
18531
  var DEFAULT_SESSION_EXPIRATION_MS = EXPIRY3.SESSION_MS;
18508
- function didPrincipalMatches(actual, expected) {
18532
+ function didPrincipalMatches2(actual, expected) {
18509
18533
  try {
18510
- return principalDidEquals(actual, expected);
18534
+ return principalDidEquals2(actual, expected);
18511
18535
  } catch {
18512
18536
  return actual === expected;
18513
18537
  }
@@ -18844,6 +18868,37 @@ var _TinyCloudNode = class _TinyCloudNode {
18844
18868
  get spaceId() {
18845
18869
  return this.auth?.tinyCloudSession?.spaceId;
18846
18870
  }
18871
+ /**
18872
+ * Get the account space ID for this wallet identity.
18873
+ * Available after wallet-backed sign-in or a restored session with address metadata.
18874
+ */
18875
+ get accountSpaceId() {
18876
+ if (!this._address) {
18877
+ return void 0;
18878
+ }
18879
+ return this.wasmBindings.makeSpaceId(this._address, this._chainId, ACCOUNT_REGISTRY_SPACE);
18880
+ }
18881
+ /**
18882
+ * Account-level application and delegation helpers.
18883
+ */
18884
+ get account() {
18885
+ if (!this._account) {
18886
+ this._account = new AccountService({
18887
+ getDid: () => this.did,
18888
+ getHost: () => this.hosts[0] ?? this.config.host,
18889
+ getPrimarySpaceId: () => this.spaceId,
18890
+ getAccountSpaceId: () => this.accountSpaceId,
18891
+ getSpaces: () => this.spaces,
18892
+ getAccountDb: () => this.accountSpaceId ? this.sqlForSpace(this.accountSpaceId).db("account") : void 0,
18893
+ ensureAccountSpaceHosted: async () => {
18894
+ if (this.accountSpaceId && this.auth) {
18895
+ await this.ensureOwnedSpaceHostedById(this.accountSpaceId);
18896
+ }
18897
+ }
18898
+ });
18899
+ }
18900
+ return this._account;
18901
+ }
18847
18902
  /**
18848
18903
  * Get the current TinyCloud session.
18849
18904
  * Available after signIn().
@@ -18881,10 +18936,11 @@ var _TinyCloudNode = class _TinyCloudNode {
18881
18936
  await this.tc.signIn(options);
18882
18937
  this.syncResolvedHostFromAuth();
18883
18938
  this.initializeServices();
18939
+ await this.ensureRequestedEncryptionNetworks();
18884
18940
  if (this.config.manifest === void 0 && this.config.capabilityRequest === void 0) {
18885
- await this.ensureOwnedSpaceHosted(this.ownedSpaceId("secrets"));
18941
+ await this.ensureOwnedSpaceHostedById(this.ownedSpaceId("secrets"));
18886
18942
  }
18887
- await this.writeManifestRegistryRecords();
18943
+ this.scheduleAccountRegistrySync();
18888
18944
  this.notificationHandler.success("Successfully signed in");
18889
18945
  }
18890
18946
  ownedSpaceId(name) {
@@ -18902,22 +18958,68 @@ var _TinyCloudNode = class _TinyCloudNode {
18902
18958
  throw new Error("Manifest registry write requires wallet mode");
18903
18959
  }
18904
18960
  const accountSpaceId = this.ownedSpaceId(ACCOUNT_REGISTRY_SPACE);
18905
- await this.ensureOwnedSpaceHosted(accountSpaceId);
18906
- const accountKV = this.spaces.get(accountSpaceId).kv;
18907
- for (const record of request.registryRecords) {
18908
- const result = await accountKV.put(record.key, {
18909
- app_id: record.app_id,
18910
- manifests: record.manifests,
18911
- updated_at: (/* @__PURE__ */ new Date()).toISOString()
18912
- });
18913
- if (!result.ok) {
18914
- throw new Error(
18915
- `Failed to write manifest registry record ${record.key}: ${result.error.message}`
18916
- );
18961
+ await this.ensureOwnedSpaceHostedById(accountSpaceId);
18962
+ const result = await this.account.applications.register(request.manifests);
18963
+ if (!result.ok) {
18964
+ throw new Error(
18965
+ `Failed to write manifest registry records: ${result.error.message}`
18966
+ );
18967
+ }
18968
+ }
18969
+ scheduleAccountRegistrySync() {
18970
+ void this.withAccountRegistryRetry(async () => {
18971
+ await this.writeManifestRegistryRecords();
18972
+ const spaces = await this.account.spaces.syncAccessible();
18973
+ if (!spaces.ok) {
18974
+ throw new Error(`Failed to sync account spaces: ${spaces.error.message}`);
18975
+ }
18976
+ });
18977
+ }
18978
+ async withAccountRegistryRetry(task) {
18979
+ const delays = [250, 1e3, 3e3];
18980
+ let lastError;
18981
+ for (let attempt = 0; attempt < delays.length; attempt += 1) {
18982
+ try {
18983
+ await task();
18984
+ return;
18985
+ } catch (error) {
18986
+ lastError = error;
18987
+ if (attempt < delays.length - 1) {
18988
+ await new Promise((resolve) => setTimeout(resolve, delays[attempt]));
18989
+ }
18990
+ }
18991
+ }
18992
+ console.warn(
18993
+ "TinyCloud account registry sync failed after retries",
18994
+ lastError
18995
+ );
18996
+ }
18997
+ requestedEncryptionNetworkIds() {
18998
+ const request = this.capabilityRequest;
18999
+ if (!request) {
19000
+ return [];
19001
+ }
19002
+ const networkIds = /* @__PURE__ */ new Set();
19003
+ for (const resource of request.resources) {
19004
+ if (resource.service === ENCRYPTION_PERMISSION_SERVICE2 && resource.path.startsWith("urn:tinycloud:encryption:") && resource.actions.includes(DECRYPT_ACTION2)) {
19005
+ networkIds.add(resource.path);
19006
+ }
19007
+ }
19008
+ return [...networkIds];
19009
+ }
19010
+ async ensureRequestedEncryptionNetworks() {
19011
+ if (!this.signer || !this.auth) {
19012
+ return;
19013
+ }
19014
+ for (const networkId of this.requestedEncryptionNetworkIds()) {
19015
+ const parsed = parseNetworkId2(networkId);
19016
+ if (!didPrincipalMatches2(parsed.ownerDid, this.did)) {
19017
+ continue;
18917
19018
  }
19019
+ await this.ensureEncryptionNetwork(networkId);
18918
19020
  }
18919
19021
  }
18920
- async ensureOwnedSpaceHosted(spaceId) {
19022
+ async ensureOwnedSpaceHostedById(spaceId) {
18921
19023
  if (!this.auth) {
18922
19024
  throw new Error("Owned space hosting requires wallet mode");
18923
19025
  }
@@ -18960,7 +19062,7 @@ var _TinyCloudNode = class _TinyCloudNode {
18960
19062
  * caller is the root authority of their own owned spaces, so no additional
18961
19063
  * delegation is required.
18962
19064
  *
18963
- * Unlike {@link ensureOwnedSpaceHosted}, this always submits the host
19065
+ * Unlike {@link ensureOwnedSpaceHostedById}, this always submits the host
18964
19066
  * delegation rather than inferring hosting from session activation: a space
18965
19067
  * the current session has never referenced is reported neither as
18966
19068
  * `activated` nor `skipped`, so activation-based detection would wrongly
@@ -18994,8 +19096,40 @@ var _TinyCloudNode = class _TinyCloudNode {
18994
19096
  `Failed to activate session for owned space ${spaceId}: ${activation.error ?? "space was skipped"}`
18995
19097
  );
18996
19098
  }
19099
+ void this.account.spaces.register({
19100
+ spaceId,
19101
+ name,
19102
+ ownerDid: this.did,
19103
+ type: "owned",
19104
+ permissions: ["*"],
19105
+ status: "active"
19106
+ }).catch(() => {
19107
+ });
18997
19108
  return spaceId;
18998
19109
  }
19110
+ /**
19111
+ * Ensure one of this user's owned spaces (e.g. `"secrets"`) is hosted on the
19112
+ * server.
19113
+ *
19114
+ * At sign-in, a full-authority session auto-hosts the owner's `secrets`
19115
+ * space, but a session created with a manifest / capabilityRequest does not.
19116
+ * Such a session can therefore hold valid `tinycloud.kv/*` capabilities for
19117
+ * the owned `secrets` space yet still fail its first scoped
19118
+ * `secrets.put(...)` with `404 Space not found`, because the space was never
19119
+ * registered on the node.
19120
+ *
19121
+ * Calling this resolves `name` to the owner's owned-space URI
19122
+ * (`tinycloud:pkh:eip155:<chain>:<addr>:<name>`) and hosts it via the
19123
+ * host-SIWE delegation flow. The host SIWE is idempotent server-side, so it
19124
+ * is safe to call whether or not the space already exists; do not gate it on
19125
+ * a prior existence check. Must be called after {@link signIn}.
19126
+ *
19127
+ * @param name - The owned space name (e.g. `"secrets"`).
19128
+ * @returns The hosted owned-space URI.
19129
+ */
19130
+ async ensureOwnedSpaceHosted(name) {
19131
+ return this.hostOwnedSpace(name);
19132
+ }
18999
19133
  /**
19000
19134
  * Restore a previously established session from stored delegation data.
19001
19135
  *
@@ -19385,7 +19519,7 @@ var _TinyCloudNode = class _TinyCloudNode {
19385
19519
  const signed2 = await this.signRawNetworkAuthorization({
19386
19520
  targetNode: input.targetNode,
19387
19521
  networkId: input.networkId,
19388
- action: DECRYPT_ACTION,
19522
+ action: DECRYPT_ACTION2,
19389
19523
  facts: input.facts
19390
19524
  });
19391
19525
  return {
@@ -19402,7 +19536,7 @@ var _TinyCloudNode = class _TinyCloudNode {
19402
19536
  },
19403
19537
  wellKnown: {
19404
19538
  fetchWellKnown: async (principal, discoveryKey) => {
19405
- if (!this._address || !didPrincipalMatches(principal, this.did)) {
19539
+ if (!this._address || !didPrincipalMatches2(principal, this.did)) {
19406
19540
  return null;
19407
19541
  }
19408
19542
  if (!this.config.host) {
@@ -19611,6 +19745,9 @@ var _TinyCloudNode = class _TinyCloudNode {
19611
19745
  }
19612
19746
  };
19613
19747
  }
19748
+ },
19749
+ onSpaceRegistered: async (space) => {
19750
+ await this.account.spaces.register(space);
19614
19751
  }
19615
19752
  });
19616
19753
  this._sharingService.updateConfig({
@@ -19909,12 +20046,12 @@ var _TinyCloudNode = class _TinyCloudNode {
19909
20046
  crypto2.sha256,
19910
20047
  body
19911
20048
  ),
19912
- action: NETWORK_CREATE_ACTION
20049
+ action: NETWORK_CREATE_ACTION2
19913
20050
  };
19914
20051
  const signed2 = await this.signRawNetworkAuthorization({
19915
20052
  targetNode,
19916
20053
  networkId,
19917
- action: NETWORK_CREATE_ACTION,
20054
+ action: NETWORK_CREATE_ACTION2,
19918
20055
  facts
19919
20056
  });
19920
20057
  const response = await fetch(`${this.config.host}/encryption/networks`, {
@@ -19935,12 +20072,19 @@ var _TinyCloudNode = class _TinyCloudNode {
19935
20072
  const created = await response.json();
19936
20073
  return created.descriptor;
19937
20074
  }
19938
- async ensureEncryptionNetwork(name = DEFAULT_ENCRYPTION_NETWORK_NAME) {
19939
- const existing = await this.getEncryptionNetwork(name);
20075
+ async ensureEncryptionNetwork(nameOrNetworkId = DEFAULT_ENCRYPTION_NETWORK_NAME) {
20076
+ const networkId = nameOrNetworkId.startsWith("urn:tinycloud:encryption:") ? nameOrNetworkId : this.getDefaultEncryptionNetworkId(nameOrNetworkId);
20077
+ const existing = await this.getEncryptionNetwork(networkId);
19940
20078
  if (existing) {
19941
20079
  return existing;
19942
20080
  }
19943
- return this.createEncryptionNetwork(name);
20081
+ const parsed = parseNetworkId2(networkId);
20082
+ if (!didPrincipalMatches2(parsed.ownerDid, this.did)) {
20083
+ throw new Error(
20084
+ `Cannot create encryption network ${networkId}: owner ${parsed.ownerDid} does not match signed-in DID ${this.did}`
20085
+ );
20086
+ }
20087
+ return this.createEncryptionNetwork(parsed.name);
19944
20088
  }
19945
20089
  /**
19946
20090
  * App-facing secrets API backed by the `secrets` space vault.
@@ -20088,7 +20232,7 @@ var _TinyCloudNode = class _TinyCloudNode {
20088
20232
  throw new SessionExpiredError(delegation.expiry);
20089
20233
  }
20090
20234
  const expectedDids = [session.verificationMethod, this.sessionDid];
20091
- if (!expectedDids.some((did) => didPrincipalMatches(delegation.delegateDID, did))) {
20235
+ if (!expectedDids.some((did) => didPrincipalMatches2(delegation.delegateDID, did))) {
20092
20236
  throw new Error(
20093
20237
  `Runtime delegation targets ${delegation.delegateDID} but this session key is ${session.verificationMethod}.`
20094
20238
  );
@@ -20617,7 +20761,7 @@ var _TinyCloudNode = class _TinyCloudNode {
20617
20761
  );
20618
20762
  }
20619
20763
  const target = request.delegationTargets.find(
20620
- (entry) => didPrincipalMatches(entry.did, did)
20764
+ (entry) => didPrincipalMatches2(entry.did, did)
20621
20765
  );
20622
20766
  if (!target) {
20623
20767
  throw new Error(`No manifest delegation target found for DID ${did}`);
@@ -21067,7 +21211,23 @@ var _TinyCloudNode = class _TinyCloudNode {
21067
21211
  if (granted.resource !== void 0 || requested.resource !== void 0) {
21068
21212
  return granted.resource !== void 0 && requested.resource !== void 0 && granted.resource === requested.resource && this.pathContains(granted.path, requested.path);
21069
21213
  }
21070
- return granted.spaceId !== void 0 && requested.spaceId !== void 0 && granted.spaceId === requested.spaceId && this.pathContains(granted.path, requested.path);
21214
+ return granted.spaceId !== void 0 && requested.spaceId !== void 0 && this.spaceIdsEqual(granted.spaceId, requested.spaceId) && this.pathContains(granted.path, requested.path);
21215
+ }
21216
+ // Space IDs are `tinycloud:pkh:eip155:<chain>:<0xADDR>:<name>`. The embedded
21217
+ // EIP-155 address is case-insensitive, but the CLI canonicalizes it to
21218
+ // lowercase when building a space URI while stored runtime delegations keep
21219
+ // the EIP-55 checksummed form — so a byte-for-byte compare spuriously rejects
21220
+ // an otherwise-valid grant. Lowercase ONLY the `eip155:<chain>:0x<addr>`
21221
+ // segment and leave everything else (crucially the case-sensitive space NAME)
21222
+ // byte-exact. Mirrors the CLI's `normalizeSpaceForCompare` (OPENKEY_SCOPE_MISMATCH fix).
21223
+ spaceIdsEqual(a, b) {
21224
+ return this.normalizeSpaceAddress(a) === this.normalizeSpaceAddress(b);
21225
+ }
21226
+ normalizeSpaceAddress(space) {
21227
+ return space.replace(
21228
+ /(eip155:\d+:)(0x[0-9a-fA-F]{40})/,
21229
+ (_match, prefix, addr) => prefix + addr.toLowerCase()
21230
+ );
21071
21231
  }
21072
21232
  actionContains(grantedAction, requestedAction) {
21073
21233
  if (grantedAction === requestedAction) {
@@ -21331,7 +21491,7 @@ var _TinyCloudNode = class _TinyCloudNode {
21331
21491
  const targetHost = delegation.host ?? this.config.host;
21332
21492
  if (this.isSessionOnly) {
21333
21493
  const myDid = this.did;
21334
- if (!didPrincipalMatches(delegation.delegateDID, myDid)) {
21494
+ if (!didPrincipalMatches2(delegation.delegateDID, myDid)) {
21335
21495
  throw new Error(
21336
21496
  `Delegation targets ${delegation.delegateDID} but this user's DID is ${myDid}. The delegation must target this user's DID.`
21337
21497
  );
@@ -21562,7 +21722,7 @@ import {
21562
21722
  parsePkhDid,
21563
21723
  pkhDid as pkhDid3,
21564
21724
  principalDid,
21565
- principalDidEquals as principalDidEquals2,
21725
+ principalDidEquals as principalDidEquals3,
21566
21726
  parseCanonicalNetworkId
21567
21727
  } from "@tinycloud/sdk-core";
21568
21728
 
@@ -21709,6 +21869,32 @@ import {
21709
21869
  } from "@tinycloud/sdk-core";
21710
21870
 
21711
21871
  // src/delegation.ts
21872
+ async function grantAuthRequest(authority, request, options) {
21873
+ if (request.kind !== "tinycloud.auth.request") {
21874
+ throw new Error(
21875
+ `grantAuthRequest expects a tinycloud.auth.request artifact, got "${request.kind}".`
21876
+ );
21877
+ }
21878
+ if (!Array.isArray(request.requested) || request.requested.length === 0) {
21879
+ throw new Error("grantAuthRequest request has no requested capabilities.");
21880
+ }
21881
+ const expiry = options?.expiry ?? request.requestedExpiry;
21882
+ const result = await authority.delegateTo(
21883
+ request.sessionDid,
21884
+ request.requested,
21885
+ expiry !== void 0 ? { expiry } : void 0
21886
+ );
21887
+ return {
21888
+ kind: "tinycloud.auth.delegation",
21889
+ version: 1,
21890
+ requestId: request.requestId,
21891
+ delegationCid: result.delegation.cid,
21892
+ delegation: result.delegation,
21893
+ permissions: request.requested,
21894
+ expiry: result.delegation.expiry.toISOString(),
21895
+ prompted: result.prompted
21896
+ };
21897
+ }
21712
21898
  function serializeDelegation(delegation) {
21713
21899
  return JSON.stringify({
21714
21900
  ...delegation,
@@ -21749,7 +21935,7 @@ import {
21749
21935
  } from "@tinycloud/sdk-core";
21750
21936
  import {
21751
21937
  EncryptionService as EncryptionService2,
21752
- parseNetworkId,
21938
+ parseNetworkId as parseNetworkId3,
21753
21939
  buildNetworkId,
21754
21940
  isNetworkId,
21755
21941
  networkDiscoveryKey,
@@ -21784,7 +21970,7 @@ import {
21784
21970
  DEFAULT_KEY_VERSION,
21785
21971
  DECRYPT_FACT_TYPE,
21786
21972
  DECRYPT_RESULT_TYPE,
21787
- DECRYPT_ACTION as DECRYPT_ACTION2,
21973
+ DECRYPT_ACTION as DECRYPT_ACTION3,
21788
21974
  ENCRYPTION_SERVICE,
21789
21975
  ENCRYPTION_SERVICE_SHORT,
21790
21976
  encryptionError
@@ -21820,10 +22006,11 @@ import { ServiceContext as ServiceContext3 } from "@tinycloud/sdk-core";
21820
22006
  export {
21821
22007
  ACCOUNT_REGISTRY_PATH,
21822
22008
  ACCOUNT_REGISTRY_SPACE2 as ACCOUNT_REGISTRY_SPACE,
22009
+ AccountService,
21823
22010
  AutoApproveSpaceCreationHandler2 as AutoApproveSpaceCreationHandler,
21824
22011
  CapabilityKeyRegistry2 as CapabilityKeyRegistry,
21825
22012
  CapabilityKeyRegistryErrorCodes,
21826
- DECRYPT_ACTION2 as DECRYPT_ACTION,
22013
+ DECRYPT_ACTION3 as DECRYPT_ACTION,
21827
22014
  DECRYPT_FACT_TYPE,
21828
22015
  DECRYPT_RESULT_TYPE,
21829
22016
  DEFAULT_ENCRYPTION_ALG,
@@ -21919,6 +22106,7 @@ export {
21919
22106
  expandPermissionEntries2 as expandPermissionEntries,
21920
22107
  expandPermissionEntry,
21921
22108
  generateRandomReceiverKey,
22109
+ grantAuthRequest,
21922
22110
  hexDecode,
21923
22111
  hexEncode,
21924
22112
  isCapabilitySubset2 as isCapabilitySubset,
@@ -21931,12 +22119,12 @@ export {
21931
22119
  openWrappedKey,
21932
22120
  parseCanonicalNetworkId,
21933
22121
  parseExpiry2 as parseExpiry,
21934
- parseNetworkId,
22122
+ parseNetworkId3 as parseNetworkId,
21935
22123
  parsePkhDid,
21936
22124
  parseSpaceUri,
21937
22125
  pkhDid3 as pkhDid,
21938
22126
  principalDid,
21939
- principalDidEquals2 as principalDidEquals,
22127
+ principalDidEquals3 as principalDidEquals,
21940
22128
  resolveManifest2 as resolveManifest,
21941
22129
  resolveSecretListPrefix2 as resolveSecretListPrefix,
21942
22130
  resolveSecretPath2 as resolveSecretPath,