@tinycloud/node-sdk 2.4.0 → 2.5.0-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.d.cts CHANGED
@@ -1,6 +1,6 @@
1
1
  import { ISigner, Bytes, IWasmBindings, ISessionManager } from '@tinycloud/sdk-core';
2
2
  export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AccountApplication, AccountApplicationListOptions, AccountDelegation, AccountDelegationListOptions, AccountDelegationRevokeOptions, AccountIndexEnsureResult, AccountIndexRebuildResult, AccountIndexStatus, AccountIndexedReadOptions, AccountService, AccountServiceConfig, AccountSpace, AccountSpaceListOptions, AccountStatus, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, BuildCanonicalDecryptRequestInput, BuildDecryptFactsInput, BuildDecryptInvocationInput, BuiltDecryptInvocation, CallbackStrategy, CanonicalAddress, CanonicalDecryptRequest, CanonicalJson, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DECRYPT_ACTION, DECRYPT_FACT_TYPE, DECRYPT_RESULT_TYPE, DEFAULT_ENCRYPTION_ALG, DEFAULT_KEY_VERSION, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, DecryptCapabilityProof, DecryptEnvelopeOptions, DecryptInvocationFact, DecryptInvocationSigner, DecryptRequestBody, DecryptResponseBody, DecryptTransport, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DiscoverNetworkInput, DiscoveredNetwork, DiscoverySource, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ENCRYPTION_NETWORK_URN_PREFIX, ENCRYPTION_SERVICE, ENCRYPTION_SERVICE_SHORT, ENVELOPE_VERSION, EncodedShareData, EncryptToNetworkInput, EncryptToNetworkOptions, EncryptToNetworkResult, EncryptionCrypto, EncryptionError, EncryptionErrorInput, EncryptionService, EncryptionServiceConfig, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IEncryptionService, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InlineEncryptedEnvelope, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, NETWORK_NAME_PATTERN, NetworkDescriptor, NetworkIdError, NodeDescriptorFetcher, OpenKeyCallbackStrategy, OpenKeySigningRequestBody, OpenKeySigningResponseBody, OpenKeySigningStrategyOptions, ParsedNetworkId, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, RandomReceiverKeyInput, ReceiveOptions, ReceiverKeyPair, ReceiverKeySigner, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SignedReceiverKeyInput, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudDebugEnableOptions, TinyCloudDebugEvent, TinyCloudDebugLevel, TinyCloudDebugLogger, TinyCloudDebugTimer, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VerifyDecryptResponseInput, VersionCheckError, ViewInfo, WasmVaultFunctions, WellKnownDescriptorFetcher, addressStorageKey, buildCanonicalDecryptRequest, buildDecryptAttenuation, buildDecryptFacts, buildDecryptInvocation, buildNetworkId, buildSpaceUri, canonicalHashHex, canonicalSignedResponse, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeEncryptionJson, canonicalizeNetworkId, canonicalizeSecretScope, checkDecryptInvocationInput, checkNodeInfo, clearTinyCloudDebugLogs, composeManifestRequest, createCapabilityKeyRegistry, createOpenKeyCallbackSigningStrategy, createSharingService, createSpaceService, createVaultCrypto, decryptEnvelopeWithKey, defaultSpaceCreationHandler, deriveSignedReceiverKey, didCacheKey, didEquals, disableTinyCloudDebug, discoverNetwork, enableTinyCloudDebug, encryptToNetwork, encryptionBase64Decode, encryptionBase64Encode, encryptionError, encryptionUtf8Decode, encryptionUtf8Encode, ensureNetworkUsableForDecrypt, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, generateRandomReceiverKey, getTinyCloudDebugLogs, hexDecode, hexEncode, installTinyCloudDebugGlobals, isCapabilitySubset, isEvmAddress, isNetworkId, loadManifest, makePkhSpaceId, makePublicSpaceId, networkDiscoveryKey, openWrappedKey, parseCanonicalNetworkId, parseExpiry, parseNetworkId, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, tinyCloudDebugLogger, validateEnvelope, validateManifest, verifyDecryptResponse } from '@tinycloud/sdk-core';
3
- export { A as AuthDelegationArtifact, a as AuthRequestArtifact, D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, d as DelegationAuthority, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, m as grantAuthRequest, s as serializeDelegation } from './core-DfE4s_Rg.cjs';
3
+ export { A as AuthDelegationArtifact, a as AuthRequestArtifact, D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, d as DelegationAuthority, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, m as grantAuthRequest, s as serializeDelegation } from './core-ojeY-wet.cjs';
4
4
  import { invoke, invokeAny, computeCid, prepareSession, completeSessionSetup, ensureEip55, makeSpaceId, createDelegation, parseRecapFromSiwe, generateHostSIWEMessage, siweToDelegationHeaders, protocolVersion, vault_encrypt, vault_decrypt, vault_derive_key, vault_x25519_from_seed, vault_x25519_dh, vault_random_bytes, vault_sha256 } from '@tinycloud/node-sdk-wasm';
5
5
  import 'events';
6
6
  import '@tinycloud/sdk-services';
package/dist/index.d.ts CHANGED
@@ -1,6 +1,6 @@
1
1
  import { ISigner, Bytes, IWasmBindings, ISessionManager } from '@tinycloud/sdk-core';
2
2
  export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AccountApplication, AccountApplicationListOptions, AccountDelegation, AccountDelegationListOptions, AccountDelegationRevokeOptions, AccountIndexEnsureResult, AccountIndexRebuildResult, AccountIndexStatus, AccountIndexedReadOptions, AccountService, AccountServiceConfig, AccountSpace, AccountSpaceListOptions, AccountStatus, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, BuildCanonicalDecryptRequestInput, BuildDecryptFactsInput, BuildDecryptInvocationInput, BuiltDecryptInvocation, CallbackStrategy, CanonicalAddress, CanonicalDecryptRequest, CanonicalJson, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DECRYPT_ACTION, DECRYPT_FACT_TYPE, DECRYPT_RESULT_TYPE, DEFAULT_ENCRYPTION_ALG, DEFAULT_KEY_VERSION, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, DecryptCapabilityProof, DecryptEnvelopeOptions, DecryptInvocationFact, DecryptInvocationSigner, DecryptRequestBody, DecryptResponseBody, DecryptTransport, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DiscoverNetworkInput, DiscoveredNetwork, DiscoverySource, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ENCRYPTION_NETWORK_URN_PREFIX, ENCRYPTION_SERVICE, ENCRYPTION_SERVICE_SHORT, ENVELOPE_VERSION, EncodedShareData, EncryptToNetworkInput, EncryptToNetworkOptions, EncryptToNetworkResult, EncryptionCrypto, EncryptionError, EncryptionErrorInput, EncryptionService, EncryptionServiceConfig, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IEncryptionService, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InlineEncryptedEnvelope, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, NETWORK_NAME_PATTERN, NetworkDescriptor, NetworkIdError, NodeDescriptorFetcher, OpenKeyCallbackStrategy, OpenKeySigningRequestBody, OpenKeySigningResponseBody, OpenKeySigningStrategyOptions, ParsedNetworkId, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, RandomReceiverKeyInput, ReceiveOptions, ReceiverKeyPair, ReceiverKeySigner, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SignedReceiverKeyInput, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudDebugEnableOptions, TinyCloudDebugEvent, TinyCloudDebugLevel, TinyCloudDebugLogger, TinyCloudDebugTimer, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VerifyDecryptResponseInput, VersionCheckError, ViewInfo, WasmVaultFunctions, WellKnownDescriptorFetcher, addressStorageKey, buildCanonicalDecryptRequest, buildDecryptAttenuation, buildDecryptFacts, buildDecryptInvocation, buildNetworkId, buildSpaceUri, canonicalHashHex, canonicalSignedResponse, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeEncryptionJson, canonicalizeNetworkId, canonicalizeSecretScope, checkDecryptInvocationInput, checkNodeInfo, clearTinyCloudDebugLogs, composeManifestRequest, createCapabilityKeyRegistry, createOpenKeyCallbackSigningStrategy, createSharingService, createSpaceService, createVaultCrypto, decryptEnvelopeWithKey, defaultSpaceCreationHandler, deriveSignedReceiverKey, didCacheKey, didEquals, disableTinyCloudDebug, discoverNetwork, enableTinyCloudDebug, encryptToNetwork, encryptionBase64Decode, encryptionBase64Encode, encryptionError, encryptionUtf8Decode, encryptionUtf8Encode, ensureNetworkUsableForDecrypt, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, generateRandomReceiverKey, getTinyCloudDebugLogs, hexDecode, hexEncode, installTinyCloudDebugGlobals, isCapabilitySubset, isEvmAddress, isNetworkId, loadManifest, makePkhSpaceId, makePublicSpaceId, networkDiscoveryKey, openWrappedKey, parseCanonicalNetworkId, parseExpiry, parseNetworkId, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, tinyCloudDebugLogger, validateEnvelope, validateManifest, verifyDecryptResponse } from '@tinycloud/sdk-core';
3
- export { A as AuthDelegationArtifact, a as AuthRequestArtifact, D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, d as DelegationAuthority, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, m as grantAuthRequest, s as serializeDelegation } from './core-DfE4s_Rg.js';
3
+ export { A as AuthDelegationArtifact, a as AuthRequestArtifact, D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, d as DelegationAuthority, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, m as grantAuthRequest, s as serializeDelegation } from './core-ojeY-wet.js';
4
4
  import { invoke, invokeAny, computeCid, prepareSession, completeSessionSetup, ensureEip55, makeSpaceId, createDelegation, parseRecapFromSiwe, generateHostSIWEMessage, siweToDelegationHeaders, protocolVersion, vault_encrypt, vault_decrypt, vault_derive_key, vault_x25519_from_seed, vault_x25519_dh, vault_random_bytes, vault_sha256 } from '@tinycloud/node-sdk-wasm';
5
5
  import 'events';
6
6
  import '@tinycloud/sdk-services';
package/dist/index.js CHANGED
@@ -17668,7 +17668,7 @@ var NodeUserAuthorization = class {
17668
17668
  * Create the space on the TinyCloud server (host delegation).
17669
17669
  * This registers the user as the owner of the space.
17670
17670
  */
17671
- async hostSpace(targetSpaceId) {
17671
+ async hostSpace(targetSpaceId, purpose) {
17672
17672
  if (!this._tinyCloudSession || !this._address || !this._chainId) {
17673
17673
  throw new Error("Must be signed in to host space");
17674
17674
  }
@@ -17684,7 +17684,7 @@ var NodeUserAuthorization = class {
17684
17684
  spaceId,
17685
17685
  peerId
17686
17686
  });
17687
- const signature2 = await this.signMessage(siwe);
17687
+ const signature2 = await this.signMessage(siwe, purpose);
17688
17688
  const headers = this.wasm.siweToDelegationHeaders({ siwe, signature: signature2 });
17689
17689
  const result = await submitHostDelegation(host, headers);
17690
17690
  return result.success;
@@ -17700,8 +17700,8 @@ var NodeUserAuthorization = class {
17700
17700
  * Create a specific owned space on the server via host delegation.
17701
17701
  * Used by manifest registry setup for the account space.
17702
17702
  */
17703
- async hostOwnedSpace(spaceId) {
17704
- return this.hostSpace(spaceId);
17703
+ async hostOwnedSpace(spaceId, purpose) {
17704
+ return this.hostSpace(spaceId, purpose);
17705
17705
  }
17706
17706
  /**
17707
17707
  * Ensure the user's space exists on the TinyCloud server.
@@ -17851,7 +17851,8 @@ var NodeUserAuthorization = class {
17851
17851
  address,
17852
17852
  chainId,
17853
17853
  message: prepared.siwe,
17854
- type: "siwe"
17854
+ type: "siwe",
17855
+ purpose: "bootstrap-session"
17855
17856
  });
17856
17857
  const session = this.wasm.completeSessionSetup({
17857
17858
  ...prepared,
@@ -17915,7 +17916,8 @@ var NodeUserAuthorization = class {
17915
17916
  address,
17916
17917
  chainId,
17917
17918
  message: prepared.siwe,
17918
- type: "siwe"
17919
+ type: "siwe",
17920
+ purpose: "sign-in"
17919
17921
  });
17920
17922
  const session = this.wasm.completeSessionSetup({
17921
17923
  ...prepared,
@@ -18003,7 +18005,7 @@ var NodeUserAuthorization = class {
18003
18005
  /**
18004
18006
  * Sign a message with the connected signer.
18005
18007
  */
18006
- async signMessage(message) {
18008
+ async signMessage(message, purpose) {
18007
18009
  if (!this._address) {
18008
18010
  this._address = canonicalizeAddress(await this.signer.getAddress());
18009
18011
  }
@@ -18014,7 +18016,8 @@ var NodeUserAuthorization = class {
18014
18016
  address: this._address,
18015
18017
  chainId: this._chainId,
18016
18018
  message,
18017
- type: "message"
18019
+ type: "message",
18020
+ ...purpose ? { purpose } : {}
18018
18021
  });
18019
18022
  }
18020
18023
  /**
@@ -18502,12 +18505,12 @@ function displayActionUrn(action) {
18502
18505
  function secretActionName(action) {
18503
18506
  return action;
18504
18507
  }
18505
- function secretPermissionEntries(name, options, action, encryptionNetworkId) {
18508
+ function secretPermissionEntries(name, options, action, space, encryptionNetworkId) {
18506
18509
  const entries = [];
18507
18510
  const path = action === "list" ? resolveSecretListPrefix(options) : resolveSecretPath(name, options).permissionPaths.vault;
18508
18511
  entries.push({
18509
18512
  service: "tinycloud.kv",
18510
- space: SECRETS_SPACE,
18513
+ space,
18511
18514
  path,
18512
18515
  actions: [secretActionName(action)],
18513
18516
  skipPrefix: true
@@ -18522,11 +18525,23 @@ function secretPermissionEntries(name, options, action, encryptionNetworkId) {
18522
18525
  }
18523
18526
  return entries;
18524
18527
  }
18528
+ function normalizeSpace(space, resolveSpace) {
18529
+ if (!space) return void 0;
18530
+ if (space.startsWith("tinycloud:")) return space;
18531
+ return resolveSpace?.(space) ?? space;
18532
+ }
18533
+ function spaceMatches(granted, requested, resolveSpace) {
18534
+ if (!granted || !requested) return false;
18535
+ return normalizeSpace(granted, resolveSpace) === normalizeSpace(requested, resolveSpace);
18536
+ }
18525
18537
  var NodeSecretsService = class {
18526
18538
  constructor(config) {
18527
18539
  this.config = config;
18528
18540
  this.shouldRestoreUnlock = false;
18529
18541
  }
18542
+ get space() {
18543
+ return this.config.space ?? SECRETS_SPACE;
18544
+ }
18530
18545
  get vault() {
18531
18546
  return this.service.vault;
18532
18547
  }
@@ -18579,6 +18594,7 @@ var NodeSecretsService = class {
18579
18594
  name,
18580
18595
  options,
18581
18596
  action,
18597
+ this.space,
18582
18598
  action === "get" ? this.config.getEncryptionNetworkId?.() : void 0
18583
18599
  );
18584
18600
  } catch (error) {
@@ -18628,7 +18644,7 @@ var NodeSecretsService = class {
18628
18644
  (entry) => manifests.some((candidate) => {
18629
18645
  const resolved = resolveManifest(candidate);
18630
18646
  return resolved.resources.some(
18631
- (resource) => resource.service === entry.service && resource.space === entry.space && resource.path === entry.path && entry.actions.every((action) => resource.actions.includes(action))
18647
+ (resource) => resource.service === entry.service && spaceMatches(resource.space, entry.space, this.config.resolveSpace) && resource.path === entry.path && entry.actions.every((action) => resource.actions.includes(action))
18632
18648
  );
18633
18649
  })
18634
18650
  );
@@ -18645,6 +18661,15 @@ var DEFAULT_SESSION_EXPIRATION_MS = EXPIRY3.SESSION_MS;
18645
18661
  function isOpenKeyAutoSignStrategy(strategy) {
18646
18662
  return strategy?.openKeyAutoSign === true;
18647
18663
  }
18664
+ function isInteractiveSigner(config) {
18665
+ if (config.privateKey) {
18666
+ return false;
18667
+ }
18668
+ if (isOpenKeyAutoSignStrategy(config.signStrategy)) {
18669
+ return false;
18670
+ }
18671
+ return config.signer !== void 0;
18672
+ }
18648
18673
  function didPrincipalMatches2(actual, expected) {
18649
18674
  try {
18650
18675
  return principalDidEquals2(actual, expected);
@@ -18652,6 +18677,20 @@ function didPrincipalMatches2(actual, expected) {
18652
18677
  return actual === expected;
18653
18678
  }
18654
18679
  }
18680
+ function sharingActionsToAbilities(path, actions) {
18681
+ var _a;
18682
+ const abilities = {};
18683
+ for (const action of actions) {
18684
+ const slash = action.indexOf("/");
18685
+ if (slash === -1) return void 0;
18686
+ const shortService = SERVICE_LONG_TO_SHORT[action.slice(0, slash)];
18687
+ if (shortService === void 0) return void 0;
18688
+ abilities[shortService] ?? (abilities[shortService] = {});
18689
+ (_a = abilities[shortService])[path] ?? (_a[path] = []);
18690
+ abilities[shortService][path].push(action);
18691
+ }
18692
+ return Object.keys(abilities).length > 0 ? abilities : void 0;
18693
+ }
18655
18694
  function base64UrlEncode(bytes) {
18656
18695
  const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
18657
18696
  let output = "";
@@ -18764,7 +18803,24 @@ var _TinyCloudNode = class _TinyCloudNode {
18764
18803
  this.auth = null;
18765
18804
  this.tc = null;
18766
18805
  this._chainId = 1;
18806
+ this._baseSecrets = /* @__PURE__ */ new Map();
18807
+ this._secrets = /* @__PURE__ */ new Map();
18767
18808
  this.runtimePermissionGrants = [];
18809
+ /**
18810
+ * True when the last signIn() detected an interactive signer and skipped
18811
+ * client-side bootstrap. Apps can read this to know whether bootstrap was
18812
+ * deferred to the server (OpenKey) or requires a separate user action.
18813
+ */
18814
+ this._bootstrapSkipped = false;
18815
+ /**
18816
+ * Outcome of the last signIn()'s account-bootstrap attempt. `skipped` is
18817
+ * true when bootstrap did not complete (interactive signer, auto-sign
18818
+ * denied, or a bootstrap step failed); `reason` carries the cause so apps
18819
+ * can surface a "finish account setup" call-to-action.
18820
+ */
18821
+ this._bootstrapStatus = {
18822
+ skipped: false
18823
+ };
18768
18824
  this.invokeWithRuntimePermissions = (session, service, path, action, facts) => {
18769
18825
  return this.wasmBindings.invoke(
18770
18826
  this.selectInvocationSession(session, service, path, action),
@@ -18857,6 +18913,15 @@ var _TinyCloudNode = class _TinyCloudNode {
18857
18913
  static registerNodeDefaults(defaults) {
18858
18914
  _TinyCloudNode.nodeDefaults = defaults;
18859
18915
  }
18916
+ /** Whether the last signIn() skipped client-side bootstrap because the
18917
+ * signer is interactive (browser wallet / EIP-1193 provider). */
18918
+ get bootstrapSkipped() {
18919
+ return this._bootstrapSkipped;
18920
+ }
18921
+ /** Outcome of the last signIn()'s account-bootstrap attempt. */
18922
+ get bootstrapStatus() {
18923
+ return this._bootstrapStatus;
18924
+ }
18860
18925
  get nodeFeatures() {
18861
18926
  return this.auth?.nodeFeatures ?? [];
18862
18927
  }
@@ -19026,6 +19091,13 @@ var _TinyCloudNode = class _TinyCloudNode {
19026
19091
  get session() {
19027
19092
  return this.auth?.tinyCloudSession;
19028
19093
  }
19094
+ /**
19095
+ * Get the currently active session in the shape callers can persist and later
19096
+ * pass back to {@link restoreSession}.
19097
+ */
19098
+ get restorableSession() {
19099
+ return this.currentTinyCloudSession();
19100
+ }
19029
19101
  /**
19030
19102
  * Sign in and create a new session.
19031
19103
  * This creates the user's space if it doesn't exist.
@@ -19048,8 +19120,8 @@ var _TinyCloudNode = class _TinyCloudNode {
19048
19120
  this._hooks = void 0;
19049
19121
  this._vault = void 0;
19050
19122
  this._encryption = void 0;
19051
- this._baseSecrets = void 0;
19052
- this._secrets = void 0;
19123
+ this._baseSecrets.clear();
19124
+ this._secrets.clear();
19053
19125
  this._spaceService = void 0;
19054
19126
  this._serviceContext = void 0;
19055
19127
  this.runtimePermissionGrants = [];
@@ -19073,17 +19145,38 @@ var _TinyCloudNode = class _TinyCloudNode {
19073
19145
  return this.wasmBindings.makeSpaceId(this._address, this._chainId, name);
19074
19146
  }
19075
19147
  async bootstrapAccountIfNeeded() {
19148
+ this._bootstrapSkipped = false;
19149
+ this._bootstrapStatus = { skipped: false };
19076
19150
  if (this.config.autoBootstrapAccount === false) {
19077
19151
  return false;
19078
19152
  }
19079
19153
  if (!this.auth || !this._address) {
19080
19154
  return false;
19081
19155
  }
19156
+ if (isInteractiveSigner(this.config)) {
19157
+ console.debug(
19158
+ "[TinyCloudNode] bootstrap skipped: interactive signer detected. Server-side bootstrap (OpenKey) is expected to have provisioned the account."
19159
+ );
19160
+ this._bootstrapSkipped = true;
19161
+ this._bootstrapStatus = { skipped: true, reason: "interactive-signer" };
19162
+ return false;
19163
+ }
19082
19164
  const steps = bootstrapSteps(this._address, this._chainId);
19083
19165
  if (!await this.isFreshBootstrapAccount(steps)) {
19084
19166
  return false;
19085
19167
  }
19086
- await this.runAccountBootstrap(steps);
19168
+ try {
19169
+ await this.runAccountBootstrap(steps);
19170
+ } catch (err) {
19171
+ const reason = err instanceof Error ? err.message : String(err);
19172
+ this._bootstrapSkipped = true;
19173
+ this._bootstrapStatus = { skipped: true, reason };
19174
+ this.notificationHandler.warning(
19175
+ `Account bootstrap did not complete: ${reason}`
19176
+ );
19177
+ console.warn(`[TinyCloudNode] account bootstrap failed: ${reason}`);
19178
+ return false;
19179
+ }
19087
19180
  return true;
19088
19181
  }
19089
19182
  async isFreshBootstrapAccount(steps) {
@@ -19135,16 +19228,23 @@ var _TinyCloudNode = class _TinyCloudNode {
19135
19228
  if (rawAbilities) {
19136
19229
  rawAbilitiesBySpace.set(step.space, rawAbilities);
19137
19230
  }
19138
- const session = await auth.createBootstrapSession({
19139
- spaceId: step.spaceId,
19140
- capabilityRequest: step.request ?? BOOTSTRAP_SESSION_REQUESTS[step.space],
19141
- rawAbilities
19142
- });
19231
+ let session;
19232
+ try {
19233
+ session = await auth.createBootstrapSession({
19234
+ spaceId: step.spaceId,
19235
+ capabilityRequest: step.request ?? BOOTSTRAP_SESSION_REQUESTS[step.space],
19236
+ rawAbilities
19237
+ });
19238
+ } catch (err) {
19239
+ throw new Error(
19240
+ `Account bootstrap aborted: signature rejected for space "${step.space}". Cause: ${err instanceof Error ? err.message : String(err)}`
19241
+ );
19242
+ }
19143
19243
  sessions.set(step.space, session);
19144
19244
  }
19145
19245
  for (const step of steps) {
19146
19246
  if (step.kind !== "host") continue;
19147
- const hosted = await auth.hostOwnedSpace(step.spaceId);
19247
+ const hosted = await auth.hostOwnedSpace(step.spaceId, "bootstrap-host");
19148
19248
  if (!hosted) {
19149
19249
  throw new Error(`Failed to host bootstrap space: ${step.spaceId}`);
19150
19250
  }
@@ -19535,8 +19635,8 @@ var _TinyCloudNode = class _TinyCloudNode {
19535
19635
  this._hooks = void 0;
19536
19636
  this._vault = void 0;
19537
19637
  this._encryption = void 0;
19538
- this._baseSecrets = void 0;
19539
- this._secrets = void 0;
19638
+ this._baseSecrets.clear();
19639
+ this._secrets.clear();
19540
19640
  this._spaceService = void 0;
19541
19641
  this._serviceContext = void 0;
19542
19642
  this.runtimePermissionGrants = [];
@@ -19826,6 +19926,20 @@ var _TinyCloudNode = class _TinyCloudNode {
19826
19926
  getDefaultEncryptionNetworkId(name = DEFAULT_ENCRYPTION_NETWORK_NAME) {
19827
19927
  return `urn:tinycloud:encryption:${this.did}:${name}`;
19828
19928
  }
19929
+ getEncryptionNetworkIdForSpace(spaceId, name = DEFAULT_ENCRYPTION_NETWORK_NAME) {
19930
+ const ownerDid = this.ownerDidFromSpaceId(spaceId) ?? this.did;
19931
+ return `urn:tinycloud:encryption:${ownerDid}:${name}`;
19932
+ }
19933
+ ownerDidFromSpaceId(spaceId) {
19934
+ if (!spaceId.startsWith("tinycloud:")) return void 0;
19935
+ const body = spaceId.slice("tinycloud:".length);
19936
+ const lastSeparator = body.lastIndexOf(":");
19937
+ if (lastSeparator <= 0) return void 0;
19938
+ const owner = body.slice(0, lastSeparator);
19939
+ if (owner.startsWith("did:")) return owner;
19940
+ if (!owner.includes(":")) return void 0;
19941
+ return `did:${owner}`;
19942
+ }
19829
19943
  requireServiceSession() {
19830
19944
  const session = this._serviceContext?.session;
19831
19945
  if (!session) {
@@ -20013,7 +20127,7 @@ var _TinyCloudNode = class _TinyCloudNode {
20013
20127
  spaceId,
20014
20128
  crypto: vaultCrypto,
20015
20129
  encryption: {
20016
- networkId: this.getDefaultEncryptionNetworkId(),
20130
+ networkId: this.getEncryptionNetworkIdForSpace(spaceId),
20017
20131
  service: this.getEncryptionService(),
20018
20132
  decryptCapabilityProof: () => ({
20019
20133
  proofs: [this.requireServiceSession().delegationCid]
@@ -20144,6 +20258,9 @@ var _TinyCloudNode = class _TinyCloudNode {
20144
20258
  }
20145
20259
  return vaultService;
20146
20260
  },
20261
+ createSecretsService: (spaceId) => {
20262
+ return this.secretsForSpace(spaceId);
20263
+ },
20147
20264
  // Enable space.delegations.create() via SIWE-based delegation
20148
20265
  createDelegation: async (params) => {
20149
20266
  try {
@@ -20266,11 +20383,10 @@ var _TinyCloudNode = class _TinyCloudNode {
20266
20383
  try {
20267
20384
  const host = this.config.host;
20268
20385
  const now = /* @__PURE__ */ new Date();
20269
- const abilities = {
20270
- kv: {
20271
- [params.path]: params.actions
20272
- }
20273
- };
20386
+ const abilities = sharingActionsToAbilities(params.path, params.actions);
20387
+ if (!abilities) {
20388
+ return void 0;
20389
+ }
20274
20390
  const prepared = this.wasmBindings.prepareSession({
20275
20391
  abilities,
20276
20392
  address: this.wasmBindings.ensureEip55(session.address),
@@ -20526,27 +20642,49 @@ var _TinyCloudNode = class _TinyCloudNode {
20526
20642
  if (!this._spaceService) {
20527
20643
  throw new Error("Not signed in. Call signIn() first.");
20528
20644
  }
20529
- if (!this._secrets) {
20530
- this._secrets = new NodeSecretsService({
20531
- getService: () => this.getBaseSecrets(),
20645
+ return this.secretsForSpace("secrets");
20646
+ }
20647
+ /**
20648
+ * App-facing secrets API backed by the requested space's vault.
20649
+ */
20650
+ secretsForSpace(spaceId) {
20651
+ if (!this._spaceService) {
20652
+ throw new Error("Not signed in. Call signIn() first.");
20653
+ }
20654
+ const resolvedSpace = spaceId.startsWith("tinycloud:") ? spaceId : this.ownedSpaceId(spaceId);
20655
+ let secrets = this._secrets.get(resolvedSpace);
20656
+ if (!secrets) {
20657
+ secrets = new NodeSecretsService({
20658
+ getService: () => this.getBaseSecrets(resolvedSpace),
20659
+ space: resolvedSpace,
20532
20660
  getManifest: () => this.manifest,
20533
20661
  hasPermissions: (permissions) => this.hasRuntimePermissions(permissions),
20534
20662
  grantPermissions: (additional) => this.grantRuntimePermissions(additional),
20535
20663
  canEscalate: () => this.signer !== void 0 && this.tc !== void 0,
20536
- getEncryptionNetworkId: () => this.getDefaultEncryptionNetworkId(),
20664
+ getEncryptionNetworkId: () => this.getEncryptionNetworkIdForSpace(resolvedSpace),
20665
+ resolveSpace: (space) => space.startsWith("tinycloud:") ? space : this.ownedSpaceId(space),
20537
20666
  getUnlockSigner: () => this.signer ?? void 0
20538
20667
  });
20668
+ this._secrets.set(resolvedSpace, secrets);
20539
20669
  }
20540
- return this._secrets;
20670
+ return secrets;
20541
20671
  }
20542
- getBaseSecrets() {
20672
+ getBaseSecrets(spaceId) {
20543
20673
  if (!this._spaceService) {
20544
20674
  throw new Error("Not signed in. Call signIn() first.");
20545
20675
  }
20546
- if (!this._baseSecrets) {
20547
- this._baseSecrets = new SecretsService(() => this.space("secrets").vault);
20676
+ const resolvedSpace = spaceId.startsWith("tinycloud:") ? spaceId : this.ownedSpaceId(spaceId);
20677
+ let secrets = this._baseSecrets.get(resolvedSpace);
20678
+ if (!secrets) {
20679
+ const kvService = this.createSpaceScopedKVService(resolvedSpace);
20680
+ const vaultService = this.createVaultService(resolvedSpace, kvService);
20681
+ if (this._serviceContext) {
20682
+ vaultService.initialize(this._serviceContext);
20683
+ }
20684
+ secrets = new SecretsService(() => vaultService);
20685
+ this._baseSecrets.set(resolvedSpace, secrets);
20548
20686
  }
20549
- return this._baseSecrets;
20687
+ return secrets;
20550
20688
  }
20551
20689
  /**
20552
20690
  * Hooks write stream subscription API.