@tinycloud/node-sdk 2.4.0-beta.2 → 2.4.0-beta.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.d.cts CHANGED
@@ -1,6 +1,6 @@
1
1
  import { ISigner, Bytes, IWasmBindings, ISessionManager } from '@tinycloud/sdk-core';
2
2
  export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, BuildCanonicalDecryptRequestInput, BuildDecryptFactsInput, BuildDecryptInvocationInput, BuiltDecryptInvocation, CallbackStrategy, CanonicalAddress, CanonicalDecryptRequest, CanonicalJson, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DECRYPT_ACTION, DECRYPT_FACT_TYPE, DECRYPT_RESULT_TYPE, DEFAULT_ENCRYPTION_ALG, DEFAULT_KEY_VERSION, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, DecryptCapabilityProof, DecryptEnvelopeOptions, DecryptInvocationFact, DecryptInvocationSigner, DecryptRequestBody, DecryptResponseBody, DecryptTransport, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DiscoverNetworkInput, DiscoveredNetwork, DiscoverySource, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ENCRYPTION_NETWORK_URN_PREFIX, ENCRYPTION_SERVICE, ENCRYPTION_SERVICE_SHORT, ENVELOPE_VERSION, EncodedShareData, EncryptToNetworkInput, EncryptToNetworkOptions, EncryptToNetworkResult, EncryptionCrypto, EncryptionError, EncryptionErrorInput, EncryptionService, EncryptionServiceConfig, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IEncryptionService, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InlineEncryptedEnvelope, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, NETWORK_NAME_PATTERN, NetworkDescriptor, NetworkIdError, NodeDescriptorFetcher, ParsedNetworkId, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, RandomReceiverKeyInput, ReceiveOptions, ReceiverKeyPair, ReceiverKeySigner, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SignedReceiverKeyInput, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VerifyDecryptResponseInput, VersionCheckError, ViewInfo, WasmVaultFunctions, WellKnownDescriptorFetcher, addressStorageKey, buildCanonicalDecryptRequest, buildDecryptAttenuation, buildDecryptFacts, buildDecryptInvocation, buildNetworkId, buildSpaceUri, canonicalHashHex, canonicalSignedResponse, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeEncryptionJson, canonicalizeNetworkId, canonicalizeSecretScope, checkDecryptInvocationInput, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, decryptEnvelopeWithKey, defaultSpaceCreationHandler, deriveSignedReceiverKey, didCacheKey, didEquals, discoverNetwork, encryptToNetwork, encryptionBase64Decode, encryptionBase64Encode, encryptionError, encryptionUtf8Decode, encryptionUtf8Encode, ensureNetworkUsableForDecrypt, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, generateRandomReceiverKey, hexDecode, hexEncode, isCapabilitySubset, isEvmAddress, isNetworkId, loadManifest, makePkhSpaceId, makePublicSpaceId, networkDiscoveryKey, openWrappedKey, parseCanonicalNetworkId, parseExpiry, parseNetworkId, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, validateEnvelope, validateManifest, verifyDecryptResponse } from '@tinycloud/sdk-core';
3
- export { A as AuthDelegationArtifact, a as AuthRequestArtifact, D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, d as DelegationAuthority, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, m as grantAuthRequest, s as serializeDelegation } from './core-BucTrpWH.cjs';
3
+ export { A as AuthDelegationArtifact, a as AuthRequestArtifact, D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, d as DelegationAuthority, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, m as grantAuthRequest, s as serializeDelegation } from './core-BSQqoLAd.cjs';
4
4
  import { invoke, invokeAny, computeCid, prepareSession, completeSessionSetup, ensureEip55, makeSpaceId, createDelegation, parseRecapFromSiwe, generateHostSIWEMessage, siweToDelegationHeaders, protocolVersion, vault_encrypt, vault_decrypt, vault_derive_key, vault_x25519_from_seed, vault_x25519_dh, vault_random_bytes, vault_sha256 } from '@tinycloud/node-sdk-wasm';
5
5
  import 'events';
6
6
  import '@tinycloud/sdk-services';
package/dist/index.d.ts CHANGED
@@ -1,6 +1,6 @@
1
1
  import { ISigner, Bytes, IWasmBindings, ISessionManager } from '@tinycloud/sdk-core';
2
2
  export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, BuildCanonicalDecryptRequestInput, BuildDecryptFactsInput, BuildDecryptInvocationInput, BuiltDecryptInvocation, CallbackStrategy, CanonicalAddress, CanonicalDecryptRequest, CanonicalJson, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DECRYPT_ACTION, DECRYPT_FACT_TYPE, DECRYPT_RESULT_TYPE, DEFAULT_ENCRYPTION_ALG, DEFAULT_KEY_VERSION, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, DecryptCapabilityProof, DecryptEnvelopeOptions, DecryptInvocationFact, DecryptInvocationSigner, DecryptRequestBody, DecryptResponseBody, DecryptTransport, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DiscoverNetworkInput, DiscoveredNetwork, DiscoverySource, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ENCRYPTION_NETWORK_URN_PREFIX, ENCRYPTION_SERVICE, ENCRYPTION_SERVICE_SHORT, ENVELOPE_VERSION, EncodedShareData, EncryptToNetworkInput, EncryptToNetworkOptions, EncryptToNetworkResult, EncryptionCrypto, EncryptionError, EncryptionErrorInput, EncryptionService, EncryptionServiceConfig, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IEncryptionService, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InlineEncryptedEnvelope, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, NETWORK_NAME_PATTERN, NetworkDescriptor, NetworkIdError, NodeDescriptorFetcher, ParsedNetworkId, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, RandomReceiverKeyInput, ReceiveOptions, ReceiverKeyPair, ReceiverKeySigner, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SignedReceiverKeyInput, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VerifyDecryptResponseInput, VersionCheckError, ViewInfo, WasmVaultFunctions, WellKnownDescriptorFetcher, addressStorageKey, buildCanonicalDecryptRequest, buildDecryptAttenuation, buildDecryptFacts, buildDecryptInvocation, buildNetworkId, buildSpaceUri, canonicalHashHex, canonicalSignedResponse, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeEncryptionJson, canonicalizeNetworkId, canonicalizeSecretScope, checkDecryptInvocationInput, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, createVaultCrypto, decryptEnvelopeWithKey, defaultSpaceCreationHandler, deriveSignedReceiverKey, didCacheKey, didEquals, discoverNetwork, encryptToNetwork, encryptionBase64Decode, encryptionBase64Encode, encryptionError, encryptionUtf8Decode, encryptionUtf8Encode, ensureNetworkUsableForDecrypt, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, generateRandomReceiverKey, hexDecode, hexEncode, isCapabilitySubset, isEvmAddress, isNetworkId, loadManifest, makePkhSpaceId, makePublicSpaceId, networkDiscoveryKey, openWrappedKey, parseCanonicalNetworkId, parseExpiry, parseNetworkId, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, validateEnvelope, validateManifest, verifyDecryptResponse } from '@tinycloud/sdk-core';
3
- export { A as AuthDelegationArtifact, a as AuthRequestArtifact, D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, d as DelegationAuthority, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, m as grantAuthRequest, s as serializeDelegation } from './core-BucTrpWH.js';
3
+ export { A as AuthDelegationArtifact, a as AuthRequestArtifact, D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, d as DelegationAuthority, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, m as grantAuthRequest, s as serializeDelegation } from './core-BSQqoLAd.js';
4
4
  import { invoke, invokeAny, computeCid, prepareSession, completeSessionSetup, ensureEip55, makeSpaceId, createDelegation, parseRecapFromSiwe, generateHostSIWEMessage, siweToDelegationHeaders, protocolVersion, vault_encrypt, vault_decrypt, vault_derive_key, vault_x25519_from_seed, vault_x25519_dh, vault_random_bytes, vault_sha256 } from '@tinycloud/node-sdk-wasm';
5
5
  import 'events';
6
6
  import '@tinycloud/sdk-services';
package/dist/index.js CHANGED
@@ -17186,7 +17186,8 @@ import {
17186
17186
  verifyDidKeyEd25519Signature,
17187
17187
  canonicalizeAddress as canonicalizeAddress2,
17188
17188
  pkhDid as pkhDid2,
17189
- principalDidEquals
17189
+ principalDidEquals as principalDidEquals2,
17190
+ parseNetworkId as parseNetworkId2
17190
17191
  } from "@tinycloud/sdk-core";
17191
17192
 
17192
17193
  // src/authorization/NodeUserAuthorization.ts
@@ -17199,6 +17200,8 @@ import {
17199
17200
  DEFAULT_MANIFEST_SPACE,
17200
17201
  ENCRYPTION_PERMISSION_SERVICE,
17201
17202
  composeManifestRequest,
17203
+ parseNetworkId,
17204
+ principalDidEquals,
17202
17205
  resourceCapabilitiesToAbilitiesMap,
17203
17206
  resourceCapabilitiesToSpaceAbilitiesMap,
17204
17207
  resolveTinyCloudHosts,
@@ -17283,6 +17286,25 @@ var MemorySessionStorage = class {
17283
17286
  };
17284
17287
 
17285
17288
  // src/authorization/NodeUserAuthorization.ts
17289
+ var DECRYPT_ACTION = "tinycloud.encryption/decrypt";
17290
+ var NETWORK_CREATE_ACTION = "tinycloud.encryption/network.create";
17291
+ function didPrincipalMatches(actual, expected) {
17292
+ try {
17293
+ return principalDidEquals(actual, expected);
17294
+ } catch {
17295
+ return actual === expected;
17296
+ }
17297
+ }
17298
+ function addRawAbility(rawAbilities, resource, action) {
17299
+ const actions = rawAbilities[resource];
17300
+ if (actions === void 0) {
17301
+ rawAbilities[resource] = [action];
17302
+ return;
17303
+ }
17304
+ if (!actions.includes(action)) {
17305
+ actions.push(action);
17306
+ }
17307
+ }
17286
17308
  var NodeUserAuthorization = class {
17287
17309
  constructor(config) {
17288
17310
  this.extensions = [];
@@ -17512,20 +17534,18 @@ var NodeUserAuthorization = class {
17512
17534
  };
17513
17535
  }
17514
17536
  const rawAbilities = {};
17537
+ const currentDid = pkhDid(address, chainId);
17515
17538
  const spaceResources = request.resources.filter((entry) => {
17516
17539
  if (entry.service !== ENCRYPTION_PERMISSION_SERVICE) {
17517
17540
  return true;
17518
17541
  }
17519
- const existing = rawAbilities[entry.path];
17520
- if (existing === void 0) {
17521
- rawAbilities[entry.path] = [...entry.actions];
17522
- } else {
17523
- const seen = new Set(existing);
17524
- for (const action of entry.actions) {
17525
- if (!seen.has(action)) {
17526
- existing.push(action);
17527
- seen.add(action);
17528
- }
17542
+ for (const action of entry.actions) {
17543
+ addRawAbility(rawAbilities, entry.path, action);
17544
+ }
17545
+ if (entry.actions.includes(DECRYPT_ACTION)) {
17546
+ const parsed = parseNetworkId(entry.path);
17547
+ if (didPrincipalMatches(parsed.ownerDid, currentDid)) {
17548
+ addRawAbility(rawAbilities, entry.path, NETWORK_CREATE_ACTION);
17529
17549
  }
17530
17550
  }
17531
17551
  return false;
@@ -18501,13 +18521,13 @@ var NodeSecretsService = class {
18501
18521
  // src/TinyCloudNode.ts
18502
18522
  var DEFAULT_HOST = "https://node.tinycloud.xyz";
18503
18523
  var DEFAULT_ENCRYPTION_NETWORK_NAME = "default";
18504
- var NETWORK_CREATE_ACTION = "tinycloud.encryption/network.create";
18505
- var DECRYPT_ACTION = "tinycloud.encryption/decrypt";
18524
+ var NETWORK_CREATE_ACTION2 = "tinycloud.encryption/network.create";
18525
+ var DECRYPT_ACTION2 = "tinycloud.encryption/decrypt";
18506
18526
  var NETWORK_ADMIN_TYPE = "tinycloud.encryption.network-admin/v1";
18507
18527
  var DEFAULT_SESSION_EXPIRATION_MS = EXPIRY3.SESSION_MS;
18508
- function didPrincipalMatches(actual, expected) {
18528
+ function didPrincipalMatches2(actual, expected) {
18509
18529
  try {
18510
- return principalDidEquals(actual, expected);
18530
+ return principalDidEquals2(actual, expected);
18511
18531
  } catch {
18512
18532
  return actual === expected;
18513
18533
  }
@@ -18881,6 +18901,7 @@ var _TinyCloudNode = class _TinyCloudNode {
18881
18901
  await this.tc.signIn(options);
18882
18902
  this.syncResolvedHostFromAuth();
18883
18903
  this.initializeServices();
18904
+ await this.ensureRequestedEncryptionNetworks();
18884
18905
  if (this.config.manifest === void 0 && this.config.capabilityRequest === void 0) {
18885
18906
  await this.ensureOwnedSpaceHosted(this.ownedSpaceId("secrets"));
18886
18907
  }
@@ -18917,6 +18938,31 @@ var _TinyCloudNode = class _TinyCloudNode {
18917
18938
  }
18918
18939
  }
18919
18940
  }
18941
+ requestedEncryptionNetworkIds() {
18942
+ const request = this.capabilityRequest;
18943
+ if (!request) {
18944
+ return [];
18945
+ }
18946
+ const networkIds = /* @__PURE__ */ new Set();
18947
+ for (const resource of request.resources) {
18948
+ if (resource.service === ENCRYPTION_PERMISSION_SERVICE2 && resource.path.startsWith("urn:tinycloud:encryption:") && resource.actions.includes(DECRYPT_ACTION2)) {
18949
+ networkIds.add(resource.path);
18950
+ }
18951
+ }
18952
+ return [...networkIds];
18953
+ }
18954
+ async ensureRequestedEncryptionNetworks() {
18955
+ if (!this.signer || !this.auth) {
18956
+ return;
18957
+ }
18958
+ for (const networkId of this.requestedEncryptionNetworkIds()) {
18959
+ const parsed = parseNetworkId2(networkId);
18960
+ if (!didPrincipalMatches2(parsed.ownerDid, this.did)) {
18961
+ continue;
18962
+ }
18963
+ await this.ensureEncryptionNetwork(networkId);
18964
+ }
18965
+ }
18920
18966
  async ensureOwnedSpaceHosted(spaceId) {
18921
18967
  if (!this.auth) {
18922
18968
  throw new Error("Owned space hosting requires wallet mode");
@@ -19385,7 +19431,7 @@ var _TinyCloudNode = class _TinyCloudNode {
19385
19431
  const signed2 = await this.signRawNetworkAuthorization({
19386
19432
  targetNode: input.targetNode,
19387
19433
  networkId: input.networkId,
19388
- action: DECRYPT_ACTION,
19434
+ action: DECRYPT_ACTION2,
19389
19435
  facts: input.facts
19390
19436
  });
19391
19437
  return {
@@ -19402,7 +19448,7 @@ var _TinyCloudNode = class _TinyCloudNode {
19402
19448
  },
19403
19449
  wellKnown: {
19404
19450
  fetchWellKnown: async (principal, discoveryKey) => {
19405
- if (!this._address || !didPrincipalMatches(principal, this.did)) {
19451
+ if (!this._address || !didPrincipalMatches2(principal, this.did)) {
19406
19452
  return null;
19407
19453
  }
19408
19454
  if (!this.config.host) {
@@ -19909,12 +19955,12 @@ var _TinyCloudNode = class _TinyCloudNode {
19909
19955
  crypto2.sha256,
19910
19956
  body
19911
19957
  ),
19912
- action: NETWORK_CREATE_ACTION
19958
+ action: NETWORK_CREATE_ACTION2
19913
19959
  };
19914
19960
  const signed2 = await this.signRawNetworkAuthorization({
19915
19961
  targetNode,
19916
19962
  networkId,
19917
- action: NETWORK_CREATE_ACTION,
19963
+ action: NETWORK_CREATE_ACTION2,
19918
19964
  facts
19919
19965
  });
19920
19966
  const response = await fetch(`${this.config.host}/encryption/networks`, {
@@ -19935,12 +19981,19 @@ var _TinyCloudNode = class _TinyCloudNode {
19935
19981
  const created = await response.json();
19936
19982
  return created.descriptor;
19937
19983
  }
19938
- async ensureEncryptionNetwork(name = DEFAULT_ENCRYPTION_NETWORK_NAME) {
19939
- const existing = await this.getEncryptionNetwork(name);
19984
+ async ensureEncryptionNetwork(nameOrNetworkId = DEFAULT_ENCRYPTION_NETWORK_NAME) {
19985
+ const networkId = nameOrNetworkId.startsWith("urn:tinycloud:encryption:") ? nameOrNetworkId : this.getDefaultEncryptionNetworkId(nameOrNetworkId);
19986
+ const existing = await this.getEncryptionNetwork(networkId);
19940
19987
  if (existing) {
19941
19988
  return existing;
19942
19989
  }
19943
- return this.createEncryptionNetwork(name);
19990
+ const parsed = parseNetworkId2(networkId);
19991
+ if (!didPrincipalMatches2(parsed.ownerDid, this.did)) {
19992
+ throw new Error(
19993
+ `Cannot create encryption network ${networkId}: owner ${parsed.ownerDid} does not match signed-in DID ${this.did}`
19994
+ );
19995
+ }
19996
+ return this.createEncryptionNetwork(parsed.name);
19944
19997
  }
19945
19998
  /**
19946
19999
  * App-facing secrets API backed by the `secrets` space vault.
@@ -20088,7 +20141,7 @@ var _TinyCloudNode = class _TinyCloudNode {
20088
20141
  throw new SessionExpiredError(delegation.expiry);
20089
20142
  }
20090
20143
  const expectedDids = [session.verificationMethod, this.sessionDid];
20091
- if (!expectedDids.some((did) => didPrincipalMatches(delegation.delegateDID, did))) {
20144
+ if (!expectedDids.some((did) => didPrincipalMatches2(delegation.delegateDID, did))) {
20092
20145
  throw new Error(
20093
20146
  `Runtime delegation targets ${delegation.delegateDID} but this session key is ${session.verificationMethod}.`
20094
20147
  );
@@ -20617,7 +20670,7 @@ var _TinyCloudNode = class _TinyCloudNode {
20617
20670
  );
20618
20671
  }
20619
20672
  const target = request.delegationTargets.find(
20620
- (entry) => didPrincipalMatches(entry.did, did)
20673
+ (entry) => didPrincipalMatches2(entry.did, did)
20621
20674
  );
20622
20675
  if (!target) {
20623
20676
  throw new Error(`No manifest delegation target found for DID ${did}`);
@@ -21067,7 +21120,23 @@ var _TinyCloudNode = class _TinyCloudNode {
21067
21120
  if (granted.resource !== void 0 || requested.resource !== void 0) {
21068
21121
  return granted.resource !== void 0 && requested.resource !== void 0 && granted.resource === requested.resource && this.pathContains(granted.path, requested.path);
21069
21122
  }
21070
- return granted.spaceId !== void 0 && requested.spaceId !== void 0 && granted.spaceId === requested.spaceId && this.pathContains(granted.path, requested.path);
21123
+ return granted.spaceId !== void 0 && requested.spaceId !== void 0 && this.spaceIdsEqual(granted.spaceId, requested.spaceId) && this.pathContains(granted.path, requested.path);
21124
+ }
21125
+ // Space IDs are `tinycloud:pkh:eip155:<chain>:<0xADDR>:<name>`. The embedded
21126
+ // EIP-155 address is case-insensitive, but the CLI canonicalizes it to
21127
+ // lowercase when building a space URI while stored runtime delegations keep
21128
+ // the EIP-55 checksummed form — so a byte-for-byte compare spuriously rejects
21129
+ // an otherwise-valid grant. Lowercase ONLY the `eip155:<chain>:0x<addr>`
21130
+ // segment and leave everything else (crucially the case-sensitive space NAME)
21131
+ // byte-exact. Mirrors the CLI's `normalizeSpaceForCompare` (OPENKEY_SCOPE_MISMATCH fix).
21132
+ spaceIdsEqual(a, b) {
21133
+ return this.normalizeSpaceAddress(a) === this.normalizeSpaceAddress(b);
21134
+ }
21135
+ normalizeSpaceAddress(space) {
21136
+ return space.replace(
21137
+ /(eip155:\d+:)(0x[0-9a-fA-F]{40})/,
21138
+ (_match, prefix, addr) => prefix + addr.toLowerCase()
21139
+ );
21071
21140
  }
21072
21141
  actionContains(grantedAction, requestedAction) {
21073
21142
  if (grantedAction === requestedAction) {
@@ -21331,7 +21400,7 @@ var _TinyCloudNode = class _TinyCloudNode {
21331
21400
  const targetHost = delegation.host ?? this.config.host;
21332
21401
  if (this.isSessionOnly) {
21333
21402
  const myDid = this.did;
21334
- if (!didPrincipalMatches(delegation.delegateDID, myDid)) {
21403
+ if (!didPrincipalMatches2(delegation.delegateDID, myDid)) {
21335
21404
  throw new Error(
21336
21405
  `Delegation targets ${delegation.delegateDID} but this user's DID is ${myDid}. The delegation must target this user's DID.`
21337
21406
  );
@@ -21562,7 +21631,7 @@ import {
21562
21631
  parsePkhDid,
21563
21632
  pkhDid as pkhDid3,
21564
21633
  principalDid,
21565
- principalDidEquals as principalDidEquals2,
21634
+ principalDidEquals as principalDidEquals3,
21566
21635
  parseCanonicalNetworkId
21567
21636
  } from "@tinycloud/sdk-core";
21568
21637
 
@@ -21775,7 +21844,7 @@ import {
21775
21844
  } from "@tinycloud/sdk-core";
21776
21845
  import {
21777
21846
  EncryptionService as EncryptionService2,
21778
- parseNetworkId,
21847
+ parseNetworkId as parseNetworkId3,
21779
21848
  buildNetworkId,
21780
21849
  isNetworkId,
21781
21850
  networkDiscoveryKey,
@@ -21810,7 +21879,7 @@ import {
21810
21879
  DEFAULT_KEY_VERSION,
21811
21880
  DECRYPT_FACT_TYPE,
21812
21881
  DECRYPT_RESULT_TYPE,
21813
- DECRYPT_ACTION as DECRYPT_ACTION2,
21882
+ DECRYPT_ACTION as DECRYPT_ACTION3,
21814
21883
  ENCRYPTION_SERVICE,
21815
21884
  ENCRYPTION_SERVICE_SHORT,
21816
21885
  encryptionError
@@ -21849,7 +21918,7 @@ export {
21849
21918
  AutoApproveSpaceCreationHandler2 as AutoApproveSpaceCreationHandler,
21850
21919
  CapabilityKeyRegistry2 as CapabilityKeyRegistry,
21851
21920
  CapabilityKeyRegistryErrorCodes,
21852
- DECRYPT_ACTION2 as DECRYPT_ACTION,
21921
+ DECRYPT_ACTION3 as DECRYPT_ACTION,
21853
21922
  DECRYPT_FACT_TYPE,
21854
21923
  DECRYPT_RESULT_TYPE,
21855
21924
  DEFAULT_ENCRYPTION_ALG,
@@ -21958,12 +22027,12 @@ export {
21958
22027
  openWrappedKey,
21959
22028
  parseCanonicalNetworkId,
21960
22029
  parseExpiry2 as parseExpiry,
21961
- parseNetworkId,
22030
+ parseNetworkId3 as parseNetworkId,
21962
22031
  parsePkhDid,
21963
22032
  parseSpaceUri,
21964
22033
  pkhDid3 as pkhDid,
21965
22034
  principalDid,
21966
- principalDidEquals2 as principalDidEquals,
22035
+ principalDidEquals3 as principalDidEquals,
21967
22036
  resolveManifest2 as resolveManifest,
21968
22037
  resolveSecretListPrefix2 as resolveSecretListPrefix,
21969
22038
  resolveSecretPath2 as resolveSecretPath,