@tinycloud/node-sdk 2.4.0-beta.1 → 2.4.0-beta.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/core.d.cts CHANGED
@@ -1,4 +1,4 @@
1
- export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CanonicalAddress, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, addressStorageKey, buildSpaceUri, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeNetworkId, canonicalizeSecretScope, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, didCacheKey, didEquals, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, isCapabilitySubset, isEvmAddress, loadManifest, makePkhSpaceId, makePublicSpaceId, parseCanonicalNetworkId, parseExpiry, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, validateManifest } from '@tinycloud/sdk-core';
2
- export { D as DelegateToOptions, a as DelegateToResult, b as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, c as NodeUserAuthorization, d as NodeUserAuthorizationConfig, P as PortableDelegation, e as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, f as TinyCloudNodeConfig, W as WasmKeyProvider, g as WasmKeyProviderConfig, h as createWasmKeyProvider, i as defaultSignStrategy, j as deserializeDelegation, s as serializeDelegation } from './core-Dbzm1kA_.cjs';
1
+ export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AccountApplication, AccountApplicationListOptions, AccountDelegation, AccountDelegationListOptions, AccountDelegationRevokeOptions, AccountIndexRebuildResult, AccountIndexStatus, AccountIndexedReadOptions, AccountService, AccountServiceConfig, AccountSpace, AccountSpaceListOptions, AccountStatus, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CanonicalAddress, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, addressStorageKey, buildSpaceUri, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeNetworkId, canonicalizeSecretScope, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, didCacheKey, didEquals, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, isCapabilitySubset, isEvmAddress, loadManifest, makePkhSpaceId, makePublicSpaceId, parseCanonicalNetworkId, parseExpiry, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, validateManifest } from '@tinycloud/sdk-core';
2
+ export { D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, s as serializeDelegation } from './core--mjBU9Jq.cjs';
3
3
  import 'events';
4
4
  import '@tinycloud/sdk-services';
package/dist/core.d.ts CHANGED
@@ -1,4 +1,4 @@
1
- export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CanonicalAddress, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, addressStorageKey, buildSpaceUri, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeNetworkId, canonicalizeSecretScope, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, didCacheKey, didEquals, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, isCapabilitySubset, isEvmAddress, loadManifest, makePkhSpaceId, makePublicSpaceId, parseCanonicalNetworkId, parseExpiry, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, validateManifest } from '@tinycloud/sdk-core';
2
- export { D as DelegateToOptions, a as DelegateToResult, b as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, c as NodeUserAuthorization, d as NodeUserAuthorizationConfig, P as PortableDelegation, e as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, f as TinyCloudNodeConfig, W as WasmKeyProvider, g as WasmKeyProviderConfig, h as createWasmKeyProvider, i as defaultSignStrategy, j as deserializeDelegation, s as serializeDelegation } from './core-Dbzm1kA_.js';
1
+ export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AccountApplication, AccountApplicationListOptions, AccountDelegation, AccountDelegationListOptions, AccountDelegationRevokeOptions, AccountIndexRebuildResult, AccountIndexStatus, AccountIndexedReadOptions, AccountService, AccountServiceConfig, AccountSpace, AccountSpaceListOptions, AccountStatus, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CanonicalAddress, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, addressStorageKey, buildSpaceUri, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeNetworkId, canonicalizeSecretScope, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, didCacheKey, didEquals, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, isCapabilitySubset, isEvmAddress, loadManifest, makePkhSpaceId, makePublicSpaceId, parseCanonicalNetworkId, parseExpiry, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, validateManifest } from '@tinycloud/sdk-core';
2
+ export { D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, s as serializeDelegation } from './core--mjBU9Jq.js';
3
3
  import 'events';
4
4
  import '@tinycloud/sdk-services';
package/dist/core.js CHANGED
@@ -17,7 +17,7 @@ import {
17
17
  parsePkhDid,
18
18
  pkhDid as pkhDid3,
19
19
  principalDid,
20
- principalDidEquals as principalDidEquals2,
20
+ principalDidEquals as principalDidEquals3,
21
21
  parseCanonicalNetworkId
22
22
  } from "@tinycloud/sdk-core";
23
23
 
@@ -222,6 +222,8 @@ import {
222
222
  DEFAULT_MANIFEST_SPACE,
223
223
  ENCRYPTION_PERMISSION_SERVICE,
224
224
  composeManifestRequest,
225
+ parseNetworkId,
226
+ principalDidEquals,
225
227
  resourceCapabilitiesToAbilitiesMap,
226
228
  resourceCapabilitiesToSpaceAbilitiesMap,
227
229
  resolveTinyCloudHosts,
@@ -235,6 +237,25 @@ import {
235
237
  var defaultSignStrategy = { type: "auto-sign" };
236
238
 
237
239
  // src/authorization/NodeUserAuthorization.ts
240
+ var DECRYPT_ACTION = "tinycloud.encryption/decrypt";
241
+ var NETWORK_CREATE_ACTION = "tinycloud.encryption/network.create";
242
+ function didPrincipalMatches(actual, expected) {
243
+ try {
244
+ return principalDidEquals(actual, expected);
245
+ } catch {
246
+ return actual === expected;
247
+ }
248
+ }
249
+ function addRawAbility(rawAbilities, resource, action) {
250
+ const actions = rawAbilities[resource];
251
+ if (actions === void 0) {
252
+ rawAbilities[resource] = [action];
253
+ return;
254
+ }
255
+ if (!actions.includes(action)) {
256
+ actions.push(action);
257
+ }
258
+ }
238
259
  var NodeUserAuthorization = class {
239
260
  constructor(config) {
240
261
  this.extensions = [];
@@ -261,6 +282,7 @@ var NodeUserAuthorization = class {
261
282
  "": [
262
283
  "tinycloud.sql/read",
263
284
  "tinycloud.sql/write",
285
+ "tinycloud.sql/ddl",
264
286
  "tinycloud.sql/admin",
265
287
  "tinycloud.sql/export"
266
288
  ]
@@ -352,12 +374,48 @@ var NodeUserAuthorization = class {
352
374
  * `siwe` is the load-bearing one because `extractSiweExpiration` returns
353
375
  * undefined for missing SIWEs and the SDK then treats the session as
354
376
  * expired-at-epoch-zero.
377
+ *
378
+ * @param hosts - The TinyCloud hosts this session was created against,
379
+ * as persisted in {@link PersistedSessionData.tinycloudHosts}. When
380
+ * present (and non-empty) they are adopted directly so the restored
381
+ * session resolves to the same node as the original sign-in without
382
+ * re-running registry/fallback resolution. When absent (old session)
383
+ * hosts are resolved lazily on the first host-needing call via
384
+ * {@link ensureTinyCloudHosts}.
355
385
  */
356
- setRestoredTinyCloudSession(session) {
386
+ setRestoredTinyCloudSession(session, hosts) {
357
387
  const address = canonicalizeAddress(session.address);
358
388
  this._tinyCloudSession = { ...session, address };
359
389
  this._address = address;
360
390
  this._chainId = session.chainId;
391
+ if ((!this.tinycloudHosts || this.tinycloudHosts.length === 0) && hosts && hosts.length > 0) {
392
+ this.tinycloudHosts = [...hosts];
393
+ }
394
+ }
395
+ /**
396
+ * Ensure `tinycloudHosts` are resolved before a host-needing call.
397
+ *
398
+ * Fresh sign-in resolves hosts up front; a restored session may not have
399
+ * (old persisted sessions predate {@link PersistedSessionData.tinycloudHosts}).
400
+ * This guard makes a restored session resolve the node exactly like a fresh
401
+ * sign-in — persisted hosts are preferred (already set by
402
+ * {@link setRestoredTinyCloudSession}), otherwise the registry/fallback
403
+ * resolution runs lazily here. Idempotent: {@link resolveTinyCloudHostsForSignIn}
404
+ * early-returns when hosts are already set.
405
+ *
406
+ * Throws if hosts are unset and the restored session has no address/chainId
407
+ * to resolve from — a real failure that must surface, not be masked.
408
+ */
409
+ async ensureTinyCloudHosts() {
410
+ if (this.tinycloudHosts && this.tinycloudHosts.length > 0) {
411
+ return;
412
+ }
413
+ if (this._address === void 0 || this._chainId === void 0) {
414
+ throw new Error(
415
+ "Cannot resolve TinyCloud hosts: no address/chainId available. Sign in or restore a session first."
416
+ );
417
+ }
418
+ await this.resolveTinyCloudHostsForSignIn(this._address, this._chainId);
361
419
  }
362
420
  async resolveTinyCloudHostsForSignIn(address, chainId) {
363
421
  if (this.tinycloudHosts && this.tinycloudHosts.length > 0) {
@@ -464,20 +522,18 @@ var NodeUserAuthorization = class {
464
522
  };
465
523
  }
466
524
  const rawAbilities = {};
525
+ const currentDid = pkhDid(address, chainId);
467
526
  const spaceResources = request.resources.filter((entry) => {
468
527
  if (entry.service !== ENCRYPTION_PERMISSION_SERVICE) {
469
528
  return true;
470
529
  }
471
- const existing = rawAbilities[entry.path];
472
- if (existing === void 0) {
473
- rawAbilities[entry.path] = [...entry.actions];
474
- } else {
475
- const seen = new Set(existing);
476
- for (const action of entry.actions) {
477
- if (!seen.has(action)) {
478
- existing.push(action);
479
- seen.add(action);
480
- }
530
+ for (const action of entry.actions) {
531
+ addRawAbility(rawAbilities, entry.path, action);
532
+ }
533
+ if (entry.actions.includes(DECRYPT_ACTION)) {
534
+ const parsed = parseNetworkId(entry.path);
535
+ if (didPrincipalMatches(parsed.ownerDid, currentDid)) {
536
+ addRawAbility(rawAbilities, entry.path, NETWORK_CREATE_ACTION);
481
537
  }
482
538
  }
483
539
  return false;
@@ -556,6 +612,7 @@ var NodeUserAuthorization = class {
556
612
  if (!this._tinyCloudSession || !this._address || !this._chainId) {
557
613
  throw new Error("Must be signed in to host space");
558
614
  }
615
+ await this.ensureTinyCloudHosts();
559
616
  const host = this.primaryTinyCloudHost;
560
617
  const spaceId = targetSpaceId ?? this._tinyCloudSession.spaceId;
561
618
  const peerId = await fetchPeerId(host, spaceId);
@@ -598,6 +655,7 @@ var NodeUserAuthorization = class {
598
655
  if (!this._tinyCloudSession) {
599
656
  throw new Error("Must be signed in to ensure space exists");
600
657
  }
658
+ await this.ensureTinyCloudHosts();
601
659
  const host = this.primaryTinyCloudHost;
602
660
  const primarySpaceId = this._tinyCloudSession.spaceId;
603
661
  const result = await activateSessionWithHost(
@@ -779,7 +837,8 @@ var NodeUserAuthorization = class {
779
837
  },
780
838
  expiresAt: expirationTime.toISOString(),
781
839
  createdAt: now.toISOString(),
782
- version: "1.0"
840
+ version: "1.0",
841
+ tinycloudHosts: this.tinycloudHosts
783
842
  };
784
843
  await this.sessionStorage.save(address, persistedData);
785
844
  this._session = clientSession;
@@ -946,7 +1005,8 @@ var NodeUserAuthorization = class {
946
1005
  },
947
1006
  expiresAt,
948
1007
  createdAt,
949
- version: "1.0"
1008
+ version: "1.0",
1009
+ tinycloudHosts: this.tinycloudHosts
950
1010
  };
951
1011
  await this.sessionStorage.save(address, persistedData);
952
1012
  this._session = clientSession;
@@ -1070,9 +1130,14 @@ import {
1070
1130
  verifyDidKeyEd25519Signature,
1071
1131
  canonicalizeAddress as canonicalizeAddress2,
1072
1132
  pkhDid as pkhDid2,
1073
- principalDidEquals
1133
+ resolveTinyCloudHosts as resolveTinyCloudHosts2,
1134
+ principalDidEquals as principalDidEquals2,
1135
+ parseNetworkId as parseNetworkId2
1074
1136
  } from "@tinycloud/sdk-core";
1075
1137
 
1138
+ // src/account/AccountService.ts
1139
+ import { AccountService } from "@tinycloud/sdk-core";
1140
+
1076
1141
  // src/DelegatedAccess.ts
1077
1142
  import {
1078
1143
  KVService,
@@ -1490,13 +1555,13 @@ var NodeSecretsService = class {
1490
1555
  // src/TinyCloudNode.ts
1491
1556
  var DEFAULT_HOST = "https://node.tinycloud.xyz";
1492
1557
  var DEFAULT_ENCRYPTION_NETWORK_NAME = "default";
1493
- var NETWORK_CREATE_ACTION = "tinycloud.encryption/network.create";
1494
- var DECRYPT_ACTION = "tinycloud.encryption/decrypt";
1558
+ var NETWORK_CREATE_ACTION2 = "tinycloud.encryption/network.create";
1559
+ var DECRYPT_ACTION2 = "tinycloud.encryption/decrypt";
1495
1560
  var NETWORK_ADMIN_TYPE = "tinycloud.encryption.network-admin/v1";
1496
1561
  var DEFAULT_SESSION_EXPIRATION_MS = EXPIRY3.SESSION_MS;
1497
- function didPrincipalMatches(actual, expected) {
1562
+ function didPrincipalMatches2(actual, expected) {
1498
1563
  try {
1499
- return principalDidEquals(actual, expected);
1564
+ return principalDidEquals2(actual, expected);
1500
1565
  } catch {
1501
1566
  return actual === expected;
1502
1567
  }
@@ -1833,6 +1898,37 @@ var _TinyCloudNode = class _TinyCloudNode {
1833
1898
  get spaceId() {
1834
1899
  return this.auth?.tinyCloudSession?.spaceId;
1835
1900
  }
1901
+ /**
1902
+ * Get the account space ID for this wallet identity.
1903
+ * Available after wallet-backed sign-in or a restored session with address metadata.
1904
+ */
1905
+ get accountSpaceId() {
1906
+ if (!this._address) {
1907
+ return void 0;
1908
+ }
1909
+ return this.wasmBindings.makeSpaceId(this._address, this._chainId, ACCOUNT_REGISTRY_SPACE);
1910
+ }
1911
+ /**
1912
+ * Account-level application and delegation helpers.
1913
+ */
1914
+ get account() {
1915
+ if (!this._account) {
1916
+ this._account = new AccountService({
1917
+ getDid: () => this.did,
1918
+ getHost: () => this.hosts[0] ?? this.config.host,
1919
+ getPrimarySpaceId: () => this.spaceId,
1920
+ getAccountSpaceId: () => this.accountSpaceId,
1921
+ getSpaces: () => this.spaces,
1922
+ getAccountDb: () => this.accountSpaceId ? this.sqlForSpace(this.accountSpaceId).db("account") : void 0,
1923
+ ensureAccountSpaceHosted: async () => {
1924
+ if (this.accountSpaceId && this.auth) {
1925
+ await this.ensureOwnedSpaceHostedById(this.accountSpaceId);
1926
+ }
1927
+ }
1928
+ });
1929
+ }
1930
+ return this._account;
1931
+ }
1836
1932
  /**
1837
1933
  * Get the current TinyCloud session.
1838
1934
  * Available after signIn().
@@ -1870,10 +1966,11 @@ var _TinyCloudNode = class _TinyCloudNode {
1870
1966
  await this.tc.signIn(options);
1871
1967
  this.syncResolvedHostFromAuth();
1872
1968
  this.initializeServices();
1969
+ await this.ensureRequestedEncryptionNetworks();
1873
1970
  if (this.config.manifest === void 0 && this.config.capabilityRequest === void 0) {
1874
- await this.ensureOwnedSpaceHosted(this.ownedSpaceId("secrets"));
1971
+ await this.ensureOwnedSpaceHostedById(this.ownedSpaceId("secrets"));
1875
1972
  }
1876
- await this.writeManifestRegistryRecords();
1973
+ this.scheduleAccountRegistrySync();
1877
1974
  this.notificationHandler.success("Successfully signed in");
1878
1975
  }
1879
1976
  ownedSpaceId(name) {
@@ -1891,22 +1988,68 @@ var _TinyCloudNode = class _TinyCloudNode {
1891
1988
  throw new Error("Manifest registry write requires wallet mode");
1892
1989
  }
1893
1990
  const accountSpaceId = this.ownedSpaceId(ACCOUNT_REGISTRY_SPACE);
1894
- await this.ensureOwnedSpaceHosted(accountSpaceId);
1895
- const accountKV = this.spaces.get(accountSpaceId).kv;
1896
- for (const record of request.registryRecords) {
1897
- const result = await accountKV.put(record.key, {
1898
- app_id: record.app_id,
1899
- manifests: record.manifests,
1900
- updated_at: (/* @__PURE__ */ new Date()).toISOString()
1901
- });
1902
- if (!result.ok) {
1903
- throw new Error(
1904
- `Failed to write manifest registry record ${record.key}: ${result.error.message}`
1905
- );
1991
+ await this.ensureOwnedSpaceHostedById(accountSpaceId);
1992
+ const result = await this.account.applications.register(request.manifests);
1993
+ if (!result.ok) {
1994
+ throw new Error(
1995
+ `Failed to write manifest registry records: ${result.error.message}`
1996
+ );
1997
+ }
1998
+ }
1999
+ scheduleAccountRegistrySync() {
2000
+ void this.withAccountRegistryRetry(async () => {
2001
+ await this.writeManifestRegistryRecords();
2002
+ const spaces = await this.account.spaces.syncAccessible();
2003
+ if (!spaces.ok) {
2004
+ throw new Error(`Failed to sync account spaces: ${spaces.error.message}`);
2005
+ }
2006
+ });
2007
+ }
2008
+ async withAccountRegistryRetry(task) {
2009
+ const delays = [250, 1e3, 3e3];
2010
+ let lastError;
2011
+ for (let attempt = 0; attempt < delays.length; attempt += 1) {
2012
+ try {
2013
+ await task();
2014
+ return;
2015
+ } catch (error) {
2016
+ lastError = error;
2017
+ if (attempt < delays.length - 1) {
2018
+ await new Promise((resolve) => setTimeout(resolve, delays[attempt]));
2019
+ }
2020
+ }
2021
+ }
2022
+ console.warn(
2023
+ "TinyCloud account registry sync failed after retries",
2024
+ lastError
2025
+ );
2026
+ }
2027
+ requestedEncryptionNetworkIds() {
2028
+ const request = this.capabilityRequest;
2029
+ if (!request) {
2030
+ return [];
2031
+ }
2032
+ const networkIds = /* @__PURE__ */ new Set();
2033
+ for (const resource of request.resources) {
2034
+ if (resource.service === ENCRYPTION_PERMISSION_SERVICE2 && resource.path.startsWith("urn:tinycloud:encryption:") && resource.actions.includes(DECRYPT_ACTION2)) {
2035
+ networkIds.add(resource.path);
1906
2036
  }
1907
2037
  }
2038
+ return [...networkIds];
1908
2039
  }
1909
- async ensureOwnedSpaceHosted(spaceId) {
2040
+ async ensureRequestedEncryptionNetworks() {
2041
+ if (!this.signer || !this.auth) {
2042
+ return;
2043
+ }
2044
+ for (const networkId of this.requestedEncryptionNetworkIds()) {
2045
+ const parsed = parseNetworkId2(networkId);
2046
+ if (!didPrincipalMatches2(parsed.ownerDid, this.did)) {
2047
+ continue;
2048
+ }
2049
+ await this.ensureEncryptionNetwork(networkId);
2050
+ }
2051
+ }
2052
+ async ensureOwnedSpaceHostedById(spaceId) {
1910
2053
  if (!this.auth) {
1911
2054
  throw new Error("Owned space hosting requires wallet mode");
1912
2055
  }
@@ -1949,7 +2092,7 @@ var _TinyCloudNode = class _TinyCloudNode {
1949
2092
  * caller is the root authority of their own owned spaces, so no additional
1950
2093
  * delegation is required.
1951
2094
  *
1952
- * Unlike {@link ensureOwnedSpaceHosted}, this always submits the host
2095
+ * Unlike {@link ensureOwnedSpaceHostedById}, this always submits the host
1953
2096
  * delegation rather than inferring hosting from session activation: a space
1954
2097
  * the current session has never referenced is reported neither as
1955
2098
  * `activated` nor `skipped`, so activation-based detection would wrongly
@@ -1983,8 +2126,40 @@ var _TinyCloudNode = class _TinyCloudNode {
1983
2126
  `Failed to activate session for owned space ${spaceId}: ${activation.error ?? "space was skipped"}`
1984
2127
  );
1985
2128
  }
2129
+ void this.account.spaces.register({
2130
+ spaceId,
2131
+ name,
2132
+ ownerDid: this.did,
2133
+ type: "owned",
2134
+ permissions: ["*"],
2135
+ status: "active"
2136
+ }).catch(() => {
2137
+ });
1986
2138
  return spaceId;
1987
2139
  }
2140
+ /**
2141
+ * Ensure one of this user's owned spaces (e.g. `"secrets"`) is hosted on the
2142
+ * server.
2143
+ *
2144
+ * At sign-in, a full-authority session auto-hosts the owner's `secrets`
2145
+ * space, but a session created with a manifest / capabilityRequest does not.
2146
+ * Such a session can therefore hold valid `tinycloud.kv/*` capabilities for
2147
+ * the owned `secrets` space yet still fail its first scoped
2148
+ * `secrets.put(...)` with `404 Space not found`, because the space was never
2149
+ * registered on the node.
2150
+ *
2151
+ * Calling this resolves `name` to the owner's owned-space URI
2152
+ * (`tinycloud:pkh:eip155:<chain>:<addr>:<name>`) and hosts it via the
2153
+ * host-SIWE delegation flow. The host SIWE is idempotent server-side, so it
2154
+ * is safe to call whether or not the space already exists; do not gate it on
2155
+ * a prior existence check. Must be called after {@link signIn}.
2156
+ *
2157
+ * @param name - The owned space name (e.g. `"secrets"`).
2158
+ * @returns The hosted owned-space URI.
2159
+ */
2160
+ async ensureOwnedSpaceHosted(name) {
2161
+ return this.hostOwnedSpace(name);
2162
+ }
1988
2163
  /**
1989
2164
  * Restore a previously established session from stored delegation data.
1990
2165
  *
@@ -2014,6 +2189,14 @@ var _TinyCloudNode = class _TinyCloudNode {
2014
2189
  if (sessionData.chainId) {
2015
2190
  this._chainId = sessionData.chainId;
2016
2191
  }
2192
+ const resolvedHost = await this.resolveRestoredHost(
2193
+ sessionData.tinycloudHosts,
2194
+ restoredAddress,
2195
+ sessionData.chainId
2196
+ );
2197
+ if (resolvedHost) {
2198
+ this.config.host = resolvedHost;
2199
+ }
2017
2200
  this._serviceContext = new ServiceContext2({
2018
2201
  invoke: this.invokeWithRuntimePermissions,
2019
2202
  invokeAny: this.invokeAnyWithRuntimePermissions,
@@ -2059,12 +2242,45 @@ var _TinyCloudNode = class _TinyCloudNode {
2059
2242
  signature: sessionData.signature ?? ""
2060
2243
  };
2061
2244
  if (this.auth) {
2062
- this.auth.setRestoredTinyCloudSession(tcSession);
2245
+ this.auth.setRestoredTinyCloudSession(
2246
+ tcSession,
2247
+ this.config.host ? [this.config.host] : void 0
2248
+ );
2063
2249
  } else {
2064
2250
  this._restoredTcSession = tcSession;
2065
2251
  }
2066
2252
  }
2067
2253
  }
2254
+ /**
2255
+ * Resolve the host a restored session should target.
2256
+ *
2257
+ * Mirrors fresh sign-in host resolution but for the restore path:
2258
+ * an explicit/pinned host always wins, then the hosts the session was
2259
+ * persisted with, then a lazy registry/fallback resolution for sessions
2260
+ * that predate the persisted `tinycloudHosts` field. Returns `undefined`
2261
+ * only when there's nothing to resolve from (no explicit host, no
2262
+ * persisted hosts, and no address/chainId) — in which case the existing
2263
+ * `config.host` (default) is left in place.
2264
+ *
2265
+ * Resolution failures are surfaced, not swallowed: a genuinely broken
2266
+ * registry lookup throws rather than silently falling back to a wrong host.
2267
+ */
2268
+ async resolveRestoredHost(persistedHosts, address, chainId) {
2269
+ if (this.explicitHost) {
2270
+ return this.explicitHost;
2271
+ }
2272
+ if (persistedHosts && persistedHosts.length > 0) {
2273
+ return persistedHosts[0];
2274
+ }
2275
+ if (address === void 0 || chainId === void 0) {
2276
+ return void 0;
2277
+ }
2278
+ const resolved = await resolveTinyCloudHosts2(pkhDid2(address, chainId), {
2279
+ registryUrl: this.config.tinycloudRegistryUrl,
2280
+ fallbackHosts: this.config.tinycloudFallbackHosts
2281
+ });
2282
+ return resolved.hosts[0];
2283
+ }
2068
2284
  /**
2069
2285
  * Resolve the currently-active TinyCloudSession, preferring the auth
2070
2286
  * layer's value (wallet mode) and falling back to the node-level
@@ -2374,7 +2590,7 @@ var _TinyCloudNode = class _TinyCloudNode {
2374
2590
  const signed = await this.signRawNetworkAuthorization({
2375
2591
  targetNode: input.targetNode,
2376
2592
  networkId: input.networkId,
2377
- action: DECRYPT_ACTION,
2593
+ action: DECRYPT_ACTION2,
2378
2594
  facts: input.facts
2379
2595
  });
2380
2596
  return {
@@ -2391,7 +2607,7 @@ var _TinyCloudNode = class _TinyCloudNode {
2391
2607
  },
2392
2608
  wellKnown: {
2393
2609
  fetchWellKnown: async (principal, discoveryKey) => {
2394
- if (!this._address || !didPrincipalMatches(principal, this.did)) {
2610
+ if (!this._address || !didPrincipalMatches2(principal, this.did)) {
2395
2611
  return null;
2396
2612
  }
2397
2613
  if (!this.config.host) {
@@ -2600,6 +2816,9 @@ var _TinyCloudNode = class _TinyCloudNode {
2600
2816
  }
2601
2817
  };
2602
2818
  }
2819
+ },
2820
+ onSpaceRegistered: async (space) => {
2821
+ await this.account.spaces.register(space);
2603
2822
  }
2604
2823
  });
2605
2824
  this._sharingService.updateConfig({
@@ -2898,12 +3117,12 @@ var _TinyCloudNode = class _TinyCloudNode {
2898
3117
  crypto.sha256,
2899
3118
  body
2900
3119
  ),
2901
- action: NETWORK_CREATE_ACTION
3120
+ action: NETWORK_CREATE_ACTION2
2902
3121
  };
2903
3122
  const signed = await this.signRawNetworkAuthorization({
2904
3123
  targetNode,
2905
3124
  networkId,
2906
- action: NETWORK_CREATE_ACTION,
3125
+ action: NETWORK_CREATE_ACTION2,
2907
3126
  facts
2908
3127
  });
2909
3128
  const response = await fetch(`${this.config.host}/encryption/networks`, {
@@ -2924,12 +3143,19 @@ var _TinyCloudNode = class _TinyCloudNode {
2924
3143
  const created = await response.json();
2925
3144
  return created.descriptor;
2926
3145
  }
2927
- async ensureEncryptionNetwork(name = DEFAULT_ENCRYPTION_NETWORK_NAME) {
2928
- const existing = await this.getEncryptionNetwork(name);
3146
+ async ensureEncryptionNetwork(nameOrNetworkId = DEFAULT_ENCRYPTION_NETWORK_NAME) {
3147
+ const networkId = nameOrNetworkId.startsWith("urn:tinycloud:encryption:") ? nameOrNetworkId : this.getDefaultEncryptionNetworkId(nameOrNetworkId);
3148
+ const existing = await this.getEncryptionNetwork(networkId);
2929
3149
  if (existing) {
2930
3150
  return existing;
2931
3151
  }
2932
- return this.createEncryptionNetwork(name);
3152
+ const parsed = parseNetworkId2(networkId);
3153
+ if (!didPrincipalMatches2(parsed.ownerDid, this.did)) {
3154
+ throw new Error(
3155
+ `Cannot create encryption network ${networkId}: owner ${parsed.ownerDid} does not match signed-in DID ${this.did}`
3156
+ );
3157
+ }
3158
+ return this.createEncryptionNetwork(parsed.name);
2933
3159
  }
2934
3160
  /**
2935
3161
  * App-facing secrets API backed by the `secrets` space vault.
@@ -3077,7 +3303,7 @@ var _TinyCloudNode = class _TinyCloudNode {
3077
3303
  throw new SessionExpiredError(delegation.expiry);
3078
3304
  }
3079
3305
  const expectedDids = [session.verificationMethod, this.sessionDid];
3080
- if (!expectedDids.some((did) => didPrincipalMatches(delegation.delegateDID, did))) {
3306
+ if (!expectedDids.some((did) => didPrincipalMatches2(delegation.delegateDID, did))) {
3081
3307
  throw new Error(
3082
3308
  `Runtime delegation targets ${delegation.delegateDID} but this session key is ${session.verificationMethod}.`
3083
3309
  );
@@ -3606,7 +3832,7 @@ var _TinyCloudNode = class _TinyCloudNode {
3606
3832
  );
3607
3833
  }
3608
3834
  const target = request.delegationTargets.find(
3609
- (entry) => didPrincipalMatches(entry.did, did)
3835
+ (entry) => didPrincipalMatches2(entry.did, did)
3610
3836
  );
3611
3837
  if (!target) {
3612
3838
  throw new Error(`No manifest delegation target found for DID ${did}`);
@@ -4056,7 +4282,23 @@ var _TinyCloudNode = class _TinyCloudNode {
4056
4282
  if (granted.resource !== void 0 || requested.resource !== void 0) {
4057
4283
  return granted.resource !== void 0 && requested.resource !== void 0 && granted.resource === requested.resource && this.pathContains(granted.path, requested.path);
4058
4284
  }
4059
- return granted.spaceId !== void 0 && requested.spaceId !== void 0 && granted.spaceId === requested.spaceId && this.pathContains(granted.path, requested.path);
4285
+ return granted.spaceId !== void 0 && requested.spaceId !== void 0 && this.spaceIdsEqual(granted.spaceId, requested.spaceId) && this.pathContains(granted.path, requested.path);
4286
+ }
4287
+ // Space IDs are `tinycloud:pkh:eip155:<chain>:<0xADDR>:<name>`. The embedded
4288
+ // EIP-155 address is case-insensitive, but the CLI canonicalizes it to
4289
+ // lowercase when building a space URI while stored runtime delegations keep
4290
+ // the EIP-55 checksummed form — so a byte-for-byte compare spuriously rejects
4291
+ // an otherwise-valid grant. Lowercase ONLY the `eip155:<chain>:0x<addr>`
4292
+ // segment and leave everything else (crucially the case-sensitive space NAME)
4293
+ // byte-exact. Mirrors the CLI's `normalizeSpaceForCompare` (OPENKEY_SCOPE_MISMATCH fix).
4294
+ spaceIdsEqual(a, b) {
4295
+ return this.normalizeSpaceAddress(a) === this.normalizeSpaceAddress(b);
4296
+ }
4297
+ normalizeSpaceAddress(space) {
4298
+ return space.replace(
4299
+ /(eip155:\d+:)(0x[0-9a-fA-F]{40})/,
4300
+ (_match, prefix, addr) => prefix + addr.toLowerCase()
4301
+ );
4060
4302
  }
4061
4303
  actionContains(grantedAction, requestedAction) {
4062
4304
  if (grantedAction === requestedAction) {
@@ -4320,7 +4562,7 @@ var _TinyCloudNode = class _TinyCloudNode {
4320
4562
  const targetHost = delegation.host ?? this.config.host;
4321
4563
  if (this.isSessionOnly) {
4322
4564
  const myDid = this.did;
4323
- if (!didPrincipalMatches(delegation.delegateDID, myDid)) {
4565
+ if (!didPrincipalMatches2(delegation.delegateDID, myDid)) {
4324
4566
  throw new Error(
4325
4567
  `Delegation targets ${delegation.delegateDID} but this user's DID is ${myDid}. The delegation must target this user's DID.`
4326
4568
  );
@@ -4617,6 +4859,7 @@ import { ServiceContext as ServiceContext3 } from "@tinycloud/sdk-core";
4617
4859
  export {
4618
4860
  ACCOUNT_REGISTRY_PATH,
4619
4861
  ACCOUNT_REGISTRY_SPACE2 as ACCOUNT_REGISTRY_SPACE,
4862
+ AccountService,
4620
4863
  AutoApproveSpaceCreationHandler2 as AutoApproveSpaceCreationHandler,
4621
4864
  CapabilityKeyRegistry2 as CapabilityKeyRegistry,
4622
4865
  CapabilityKeyRegistryErrorCodes,
@@ -4692,7 +4935,7 @@ export {
4692
4935
  parseSpaceUri,
4693
4936
  pkhDid3 as pkhDid,
4694
4937
  principalDid,
4695
- principalDidEquals2 as principalDidEquals,
4938
+ principalDidEquals3 as principalDidEquals,
4696
4939
  resolveManifest2 as resolveManifest,
4697
4940
  resolveSecretListPrefix2 as resolveSecretListPrefix,
4698
4941
  resolveSecretPath2 as resolveSecretPath,