@tinycloud/node-sdk 2.5.1 → 2.6.0-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/core.d.cts CHANGED
@@ -1,4 +1,4 @@
1
1
  export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AccountApplication, AccountApplicationListOptions, AccountDelegation, AccountDelegationListOptions, AccountDelegationRevokeOptions, AccountIndexEnsureResult, AccountIndexRebuildResult, AccountIndexStatus, AccountIndexedReadOptions, AccountService, AccountServiceConfig, AccountSpace, AccountSpaceListOptions, AccountStatus, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CanonicalAddress, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, OpenKeyCallbackStrategy, OpenKeySigningRequestBody, OpenKeySigningResponseBody, OpenKeySigningStrategyOptions, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudDebugEnableOptions, TinyCloudDebugEvent, TinyCloudDebugLevel, TinyCloudDebugLogger, TinyCloudDebugTimer, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, addressStorageKey, buildSpaceUri, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeNetworkId, canonicalizeSecretScope, checkNodeInfo, clearTinyCloudDebugLogs, composeManifestRequest, createCapabilityKeyRegistry, createOpenKeyCallbackSigningStrategy, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, didCacheKey, didEquals, disableTinyCloudDebug, enableTinyCloudDebug, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, getTinyCloudDebugLogs, installTinyCloudDebugGlobals, isCapabilitySubset, isEvmAddress, loadManifest, makePkhSpaceId, makePublicSpaceId, parseCanonicalNetworkId, parseExpiry, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, tinyCloudDebugLogger, validateManifest } from '@tinycloud/sdk-core';
2
- export { D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, s as serializeDelegation } from './core-ojeY-wet.cjs';
2
+ export { D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, s as serializeDelegation } from './core-Cr-zD1lk.cjs';
3
3
  import 'events';
4
4
  import '@tinycloud/sdk-services';
package/dist/core.d.ts CHANGED
@@ -1,4 +1,4 @@
1
1
  export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AccountApplication, AccountApplicationListOptions, AccountDelegation, AccountDelegationListOptions, AccountDelegationRevokeOptions, AccountIndexEnsureResult, AccountIndexRebuildResult, AccountIndexStatus, AccountIndexedReadOptions, AccountService, AccountServiceConfig, AccountSpace, AccountSpaceListOptions, AccountStatus, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, CallbackStrategy, CanonicalAddress, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, EncodedShareData, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, OpenKeyCallbackStrategy, OpenKeySigningRequestBody, OpenKeySigningResponseBody, OpenKeySigningStrategyOptions, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, ReceiveOptions, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudDebugEnableOptions, TinyCloudDebugEvent, TinyCloudDebugLevel, TinyCloudDebugLogger, TinyCloudDebugTimer, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VersionCheckError, ViewInfo, WasmVaultFunctions, addressStorageKey, buildSpaceUri, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeNetworkId, canonicalizeSecretScope, checkNodeInfo, clearTinyCloudDebugLogs, composeManifestRequest, createCapabilityKeyRegistry, createOpenKeyCallbackSigningStrategy, createSharingService, createSpaceService, createVaultCrypto, defaultSpaceCreationHandler, didCacheKey, didEquals, disableTinyCloudDebug, enableTinyCloudDebug, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, getTinyCloudDebugLogs, installTinyCloudDebugGlobals, isCapabilitySubset, isEvmAddress, loadManifest, makePkhSpaceId, makePublicSpaceId, parseCanonicalNetworkId, parseExpiry, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, tinyCloudDebugLogger, validateManifest } from '@tinycloud/sdk-core';
2
- export { D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, s as serializeDelegation } from './core-ojeY-wet.js';
2
+ export { D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, s as serializeDelegation } from './core-Cr-zD1lk.js';
3
3
  import 'events';
4
4
  import '@tinycloud/sdk-services';
package/dist/core.js CHANGED
@@ -237,7 +237,13 @@ import {
237
237
  EXPIRY,
238
238
  canonicalizeAddress,
239
239
  makePkhSpaceId,
240
- pkhDid
240
+ pkhDid,
241
+ KV,
242
+ SQL,
243
+ DUCKDB,
244
+ CAPABILITIES,
245
+ HOOKS,
246
+ ENCRYPTION
241
247
  } from "@tinycloud/sdk-core";
242
248
 
243
249
  // src/authorization/strategies.ts
@@ -245,8 +251,8 @@ import { createOpenKeyCallbackSigningStrategy } from "@tinycloud/sdk-core";
245
251
  var defaultSignStrategy = { type: "auto-sign" };
246
252
 
247
253
  // src/authorization/NodeUserAuthorization.ts
248
- var DECRYPT_ACTION = "tinycloud.encryption/decrypt";
249
- var NETWORK_CREATE_ACTION = "tinycloud.encryption/network.create";
254
+ var DECRYPT_ACTION = ENCRYPTION.DECRYPT;
255
+ var NETWORK_CREATE_ACTION = ENCRYPTION.NETWORK_CREATE;
250
256
  function didPrincipalMatches(actual, expected) {
251
257
  try {
252
258
  return principalDidEquals(actual, expected);
@@ -279,44 +285,27 @@ var NodeUserAuthorization = class {
279
285
  this.spacePrefix = config.spacePrefix ?? "default";
280
286
  this.defaultActions = config.defaultActions ?? {
281
287
  kv: {
282
- "": [
283
- "tinycloud.kv/put",
284
- "tinycloud.kv/get",
285
- "tinycloud.kv/del",
286
- "tinycloud.kv/list",
287
- "tinycloud.kv/metadata"
288
- ]
288
+ "": [KV.PUT, KV.GET, KV.DEL, KV.LIST, KV.METADATA]
289
289
  },
290
290
  sql: {
291
- "": [
292
- "tinycloud.sql/read",
293
- "tinycloud.sql/write",
294
- "tinycloud.sql/schema",
295
- "tinycloud.sql/admin",
296
- "tinycloud.sql/export"
297
- ]
291
+ "": [SQL.READ, SQL.WRITE, SQL.SCHEMA, SQL.ADMIN, SQL.EXPORT]
298
292
  },
299
293
  duckdb: {
300
294
  "": [
301
- "tinycloud.duckdb/read",
302
- "tinycloud.duckdb/write",
303
- "tinycloud.duckdb/admin",
304
- "tinycloud.duckdb/describe",
305
- "tinycloud.duckdb/export",
306
- "tinycloud.duckdb/import",
307
- "tinycloud.duckdb/execute"
295
+ DUCKDB.READ,
296
+ DUCKDB.WRITE,
297
+ DUCKDB.ADMIN,
298
+ DUCKDB.DESCRIBE,
299
+ DUCKDB.EXPORT,
300
+ DUCKDB.IMPORT,
301
+ DUCKDB.EXECUTE
308
302
  ]
309
303
  },
310
304
  capabilities: {
311
- "": ["tinycloud.capabilities/read"]
305
+ "": [CAPABILITIES.READ]
312
306
  },
313
307
  hooks: {
314
- "": [
315
- "tinycloud.hooks/subscribe",
316
- "tinycloud.hooks/register",
317
- "tinycloud.hooks/list",
318
- "tinycloud.hooks/unregister"
319
- ]
308
+ "": [HOOKS.SUBSCRIBE, HOOKS.REGISTER, HOOKS.LIST, HOOKS.UNREGISTER]
320
309
  }
321
310
  };
322
311
  this.sessionExpirationMs = config.sessionExpirationMs ?? EXPIRY.SESSION_MS;
@@ -516,20 +505,17 @@ var NodeUserAuthorization = class {
516
505
  [secretsSpaceId]: {
517
506
  kv: {
518
507
  "vault/secrets/": [
519
- "tinycloud.kv/get",
520
- "tinycloud.kv/put",
521
- "tinycloud.kv/del",
522
- "tinycloud.kv/list",
523
- "tinycloud.kv/metadata"
508
+ KV.GET,
509
+ KV.PUT,
510
+ KV.DEL,
511
+ KV.LIST,
512
+ KV.METADATA
524
513
  ]
525
514
  }
526
515
  }
527
516
  },
528
517
  rawAbilities: {
529
- [defaultNetworkId]: [
530
- "tinycloud.encryption/decrypt",
531
- "tinycloud.encryption/network.create"
532
- ]
518
+ [defaultNetworkId]: [DECRYPT_ACTION, NETWORK_CREATE_ACTION]
533
519
  }
534
520
  };
535
521
  }
@@ -1205,6 +1191,10 @@ import {
1205
1191
  isCapabilitySubset,
1206
1192
  parseRecapCapabilities,
1207
1193
  SERVICE_LONG_TO_SHORT,
1194
+ KV as KV2,
1195
+ SQL as SQL2,
1196
+ DUCKDB as DUCKDB2,
1197
+ ENCRYPTION as ENCRYPTION2,
1208
1198
  EXPIRY as EXPIRY3,
1209
1199
  canonicalHashHex,
1210
1200
  canonicalizeEncryptionJson,
@@ -1650,9 +1640,27 @@ var NodeSecretsService = class {
1650
1640
  // src/TinyCloudNode.ts
1651
1641
  var DEFAULT_HOST = "https://node.tinycloud.xyz";
1652
1642
  var DEFAULT_ENCRYPTION_NETWORK_NAME = "default";
1653
- var NETWORK_CREATE_ACTION2 = "tinycloud.encryption/network.create";
1654
- var DECRYPT_ACTION2 = "tinycloud.encryption/decrypt";
1643
+ var NETWORK_CREATE_ACTION2 = ENCRYPTION2.NETWORK_CREATE;
1644
+ var DECRYPT_ACTION2 = ENCRYPTION2.DECRYPT;
1655
1645
  var NETWORK_ADMIN_TYPE = "tinycloud.encryption.network-admin/v1";
1646
+ var ROOT_DELEGATION_ACTIONS = [
1647
+ KV2.PUT,
1648
+ KV2.GET,
1649
+ KV2.DEL,
1650
+ KV2.LIST,
1651
+ KV2.METADATA,
1652
+ SQL2.READ,
1653
+ SQL2.WRITE,
1654
+ SQL2.ADMIN,
1655
+ SQL2.ALL,
1656
+ DUCKDB2.READ,
1657
+ DUCKDB2.WRITE,
1658
+ DUCKDB2.ADMIN,
1659
+ DUCKDB2.DESCRIBE,
1660
+ DUCKDB2.EXPORT,
1661
+ DUCKDB2.IMPORT,
1662
+ DUCKDB2.ALL
1663
+ ];
1656
1664
  var DEFAULT_SESSION_EXPIRATION_MS = EXPIRY3.SESSION_MS;
1657
1665
  function isOpenKeyAutoSignStrategy(strategy) {
1658
1666
  return strategy?.openKeyAutoSign === true;
@@ -2124,6 +2132,10 @@ var _TinyCloudNode = class _TinyCloudNode {
2124
2132
  await this.tc.signIn(options);
2125
2133
  this.syncResolvedHostFromAuth();
2126
2134
  this.initializeServices();
2135
+ const primarySession = this.currentTinyCloudSession();
2136
+ if (primarySession) {
2137
+ this.registerPrimarySessionGrant(primarySession);
2138
+ }
2127
2139
  const bootstrapped = await this.bootstrapAccountIfNeeded();
2128
2140
  await this.ensureRequestedEncryptionNetworks();
2129
2141
  if (!bootstrapped && this.config.manifest === void 0 && this.config.capabilityRequest === void 0) {
@@ -2367,7 +2379,107 @@ var _TinyCloudNode = class _TinyCloudNode {
2367
2379
  host: this.config.host
2368
2380
  },
2369
2381
  operations,
2370
- expiresAt
2382
+ expiresAt,
2383
+ provenance: "bootstrap"
2384
+ });
2385
+ }
2386
+ /**
2387
+ * Map the base session's OWN recap into runtime permission operations.
2388
+ *
2389
+ * Uses the RAW `parseRecapFromSiwe` binding — NOT `parseRecapCapabilities`,
2390
+ * whose `normalizeSpace` collapses `tinycloud:pkh:...:<owner>:<space>` to a
2391
+ * bare short name and would conflate two owners' identically-named spaces.
2392
+ * We must keep the full owner-scoped URI so a synthetic primary grant can
2393
+ * never cover an operation on a different owner's space.
2394
+ *
2395
+ * Mirrors {@link operationsFromDelegation}'s op shape: encryption network
2396
+ * entries (`urn:tinycloud:encryption:` paths) become `resource` ops; every
2397
+ * other entry becomes a `spaceId` op carrying the raw recap `space` URI.
2398
+ * One op per action.
2399
+ *
2400
+ * Returns `[]` for session-only / restored-without-siwe modes and for any
2401
+ * unparseable SIWE — the primary grant is simply not registered in that case.
2402
+ */
2403
+ recapOperationsFromSession(session) {
2404
+ const siwe = session.siwe;
2405
+ if (!siwe) {
2406
+ return [];
2407
+ }
2408
+ if (this._recapOperationsCache?.siwe === siwe) {
2409
+ return this._recapOperationsCache.operations;
2410
+ }
2411
+ let operations = [];
2412
+ try {
2413
+ const entries = this.wasmBindings.parseRecapFromSiwe(siwe);
2414
+ if (Array.isArray(entries)) {
2415
+ operations = entries.flatMap((entry) => {
2416
+ const service = this.invocationServiceName(entry.service);
2417
+ return entry.actions.map((action) => ({
2418
+ ...this.isEncryptionNetworkOperation(service, entry.path) ? { resource: entry.path } : { spaceId: entry.space },
2419
+ service,
2420
+ path: entry.path,
2421
+ action
2422
+ }));
2423
+ });
2424
+ }
2425
+ } catch {
2426
+ operations = [];
2427
+ }
2428
+ this._recapOperationsCache = { siwe, operations };
2429
+ return operations;
2430
+ }
2431
+ /**
2432
+ * Register the base (primary) session's own recap as a synthetic runtime
2433
+ * grant tagged `provenance: "primary"` so it always out-ranks other covering
2434
+ * grants in {@link findGrantForOperations}. This closes the selection-design
2435
+ * hazard where a broad — possibly broken — bootstrap/delegated grant could
2436
+ * hijack an operation the primary session itself already authorized (TC-111).
2437
+ *
2438
+ * Two safety exclusions:
2439
+ * - Ops whose space is in `lastActivationSkippedSpaceIds` are dropped: the
2440
+ * node refused to activate those spaces this sign-in even though the recap
2441
+ * claims them. Including them would let the synthetic primary out-rank a
2442
+ * working grant and 401 (the "skipped-activation inverted hijack").
2443
+ * - Encryption `resource` ops are kept as-is (space-independent).
2444
+ *
2445
+ * No-ops when nothing remains after exclusion. Callers (`signIn`,
2446
+ * `restoreSession`) clear `runtimePermissionGrants` first, so no dupes.
2447
+ */
2448
+ registerPrimarySessionGrant(session) {
2449
+ const skipped = this.auth ? this.auth.lastActivationSkippedSpaceIds ?? [] : [];
2450
+ const operations = this.recapOperationsFromSession(session).filter(
2451
+ (operation) => operation.spaceId === void 0 || !skipped.some((spaceId) => this.spaceIdsEqual(spaceId, operation.spaceId))
2452
+ );
2453
+ if (operations.length === 0) {
2454
+ return;
2455
+ }
2456
+ const expiresAt = extractSiweExpiration(session.siwe) ?? this.getSessionExpiry();
2457
+ const actions = [...new Set(operations.map((operation) => operation.action))];
2458
+ this.runtimePermissionGrants.push({
2459
+ session: {
2460
+ delegationHeader: session.delegationHeader,
2461
+ delegationCid: session.delegationCid,
2462
+ spaceId: session.spaceId,
2463
+ verificationMethod: session.verificationMethod,
2464
+ jwk: session.jwk
2465
+ },
2466
+ delegation: {
2467
+ cid: session.delegationCid,
2468
+ delegationHeader: session.delegationHeader,
2469
+ delegateDID: session.verificationMethod,
2470
+ delegatorDID: this.did,
2471
+ spaceId: session.spaceId,
2472
+ path: "",
2473
+ actions,
2474
+ expiry: expiresAt,
2475
+ allowSubDelegation: true,
2476
+ ownerAddress: session.address,
2477
+ chainId: session.chainId,
2478
+ host: this.config.host
2479
+ },
2480
+ operations,
2481
+ expiresAt,
2482
+ provenance: "primary"
2371
2483
  });
2372
2484
  }
2373
2485
  async writeManifestRegistryRecords() {
@@ -2703,6 +2815,7 @@ var _TinyCloudNode = class _TinyCloudNode {
2703
2815
  } else {
2704
2816
  this._restoredTcSession = tcSession;
2705
2817
  }
2818
+ this.registerPrimarySessionGrant(tcSession);
2706
2819
  }
2707
2820
  }
2708
2821
  /**
@@ -3174,24 +3287,7 @@ var _TinyCloudNode = class _TinyCloudNode {
3174
3287
  spaceId: tcSession.spaceId,
3175
3288
  path: "",
3176
3289
  // Root access
3177
- actions: [
3178
- "tinycloud.kv/put",
3179
- "tinycloud.kv/get",
3180
- "tinycloud.kv/del",
3181
- "tinycloud.kv/list",
3182
- "tinycloud.kv/metadata",
3183
- "tinycloud.sql/read",
3184
- "tinycloud.sql/write",
3185
- "tinycloud.sql/admin",
3186
- "tinycloud.sql/*",
3187
- "tinycloud.duckdb/read",
3188
- "tinycloud.duckdb/write",
3189
- "tinycloud.duckdb/admin",
3190
- "tinycloud.duckdb/describe",
3191
- "tinycloud.duckdb/export",
3192
- "tinycloud.duckdb/import",
3193
- "tinycloud.duckdb/*"
3194
- ],
3290
+ actions: [...ROOT_DELEGATION_ACTIONS],
3195
3291
  expiry: this.getSessionExpiry(),
3196
3292
  isRevoked: false,
3197
3293
  allowSubDelegation: true
@@ -3204,24 +3300,7 @@ var _TinyCloudNode = class _TinyCloudNode {
3204
3300
  delegateDID: tcSession.verificationMethod,
3205
3301
  spaceId,
3206
3302
  path: "",
3207
- actions: [
3208
- "tinycloud.kv/put",
3209
- "tinycloud.kv/get",
3210
- "tinycloud.kv/del",
3211
- "tinycloud.kv/list",
3212
- "tinycloud.kv/metadata",
3213
- "tinycloud.sql/read",
3214
- "tinycloud.sql/write",
3215
- "tinycloud.sql/admin",
3216
- "tinycloud.sql/*",
3217
- "tinycloud.duckdb/read",
3218
- "tinycloud.duckdb/write",
3219
- "tinycloud.duckdb/admin",
3220
- "tinycloud.duckdb/describe",
3221
- "tinycloud.duckdb/export",
3222
- "tinycloud.duckdb/import",
3223
- "tinycloud.duckdb/*"
3224
- ],
3303
+ actions: [...ROOT_DELEGATION_ACTIONS],
3225
3304
  expiry: this.getSessionExpiry(),
3226
3305
  isRevoked: false,
3227
3306
  allowSubDelegation: true
@@ -3775,7 +3854,7 @@ var _TinyCloudNode = class _TinyCloudNode {
3775
3854
  getRuntimePermissionDelegations(permissions) {
3776
3855
  this.pruneExpiredRuntimePermissionGrants();
3777
3856
  if (permissions === void 0) {
3778
- return this.runtimePermissionGrants.map((grant) => grant.delegation);
3857
+ return this.runtimePermissionGrants.filter((grant) => grant.provenance !== "primary").map((grant) => grant.delegation);
3779
3858
  }
3780
3859
  const session = this.currentTinyCloudSession();
3781
3860
  if (!session || !Array.isArray(permissions) || permissions.length === 0) {
@@ -3927,7 +4006,8 @@ var _TinyCloudNode = class _TinyCloudNode {
3927
4006
  },
3928
4007
  delegation,
3929
4008
  operations: this.permissionOperations(delegatedEntries, spaceId),
3930
- expiresAt
4009
+ expiresAt,
4010
+ provenance: "runtime"
3931
4011
  });
3932
4012
  delegations.push(delegation);
3933
4013
  }
@@ -4065,13 +4145,7 @@ var _TinyCloudNode = class _TinyCloudNode {
4065
4145
  throw new Error("Public space not enabled. Set enablePublicSpace: true in config.");
4066
4146
  }
4067
4147
  await this.auth.hostPublicSpace(publicSpaceId);
4068
- const kvActions = [
4069
- "tinycloud.kv/put",
4070
- "tinycloud.kv/get",
4071
- "tinycloud.kv/del",
4072
- "tinycloud.kv/list",
4073
- "tinycloud.kv/metadata"
4074
- ];
4148
+ const kvActions = [KV2.PUT, KV2.GET, KV2.DEL, KV2.LIST, KV2.METADATA];
4075
4149
  const abilities = { kv: { "": kvActions } };
4076
4150
  const now = /* @__PURE__ */ new Date();
4077
4151
  const expiryMs = EXPIRY3.EPHEMERAL_MS;
@@ -4594,7 +4668,7 @@ var _TinyCloudNode = class _TinyCloudNode {
4594
4668
  return grants;
4595
4669
  }
4596
4670
  for (const operation of operations) {
4597
- const grant = this.findGrantForOperation(operation);
4671
+ const grant = this.findGrantForOperation(operation, { excludePrimary: true });
4598
4672
  if (!grant) {
4599
4673
  return [];
4600
4674
  }
@@ -4634,7 +4708,8 @@ var _TinyCloudNode = class _TinyCloudNode {
4634
4708
  },
4635
4709
  delegation,
4636
4710
  operations,
4637
- expiresAt: delegation.expiry
4711
+ expiresAt: delegation.expiry,
4712
+ provenance: "delegated"
4638
4713
  };
4639
4714
  }
4640
4715
  installRuntimeGrantFromServiceSession(delegation, session, expiresAt) {
@@ -4649,7 +4724,8 @@ var _TinyCloudNode = class _TinyCloudNode {
4649
4724
  session,
4650
4725
  delegation,
4651
4726
  operations,
4652
- expiresAt
4727
+ expiresAt,
4728
+ provenance: "delegated"
4653
4729
  });
4654
4730
  }
4655
4731
  delegatedResourcesForEntries(entries, spaceId) {
@@ -4749,21 +4825,28 @@ var _TinyCloudNode = class _TinyCloudNode {
4749
4825
  });
4750
4826
  return grant?.session ?? fallback;
4751
4827
  }
4752
- findGrantForOperations(operations) {
4828
+ findGrantForOperations(operations, options) {
4753
4829
  if (operations.length === 0) {
4754
4830
  return void 0;
4755
4831
  }
4756
4832
  this.pruneExpiredRuntimePermissionGrants();
4757
- return this.runtimePermissionGrants.find((grant) => {
4833
+ const covering = this.runtimePermissionGrants.filter((grant) => {
4834
+ if (options?.excludePrimary && grant.provenance === "primary") {
4835
+ return false;
4836
+ }
4758
4837
  return operations.every(
4759
4838
  (operation) => grant.operations.some(
4760
4839
  (granted) => this.operationCovers(granted, operation)
4761
4840
  )
4762
4841
  );
4763
4842
  });
4843
+ if (covering.length === 0) {
4844
+ return void 0;
4845
+ }
4846
+ return covering.find((grant) => grant.provenance === "primary") ?? covering[0];
4764
4847
  }
4765
- findGrantForOperation(operation) {
4766
- return this.findGrantForOperations([operation]);
4848
+ findGrantForOperation(operation, options) {
4849
+ return this.findGrantForOperations([operation], options);
4767
4850
  }
4768
4851
  pruneExpiredRuntimePermissionGrants() {
4769
4852
  const now = Date.now();
@@ -5000,7 +5083,7 @@ var _TinyCloudNode = class _TinyCloudNode {
5000
5083
  session.chainId
5001
5084
  );
5002
5085
  const publicAbilities = {
5003
- kv: { "": ["tinycloud.kv/get", "tinycloud.kv/put", "tinycloud.kv/metadata"] }
5086
+ kv: { "": [KV2.GET, KV2.PUT, KV2.METADATA] }
5004
5087
  };
5005
5088
  const publicPrepared = this.wasmBindings.prepareSession({
5006
5089
  abilities: publicAbilities,
@@ -5028,7 +5111,7 @@ var _TinyCloudNode = class _TinyCloudNode {
5028
5111
  delegationHeader: publicSession.delegationHeader,
5029
5112
  spaceId: publicSpaceId,
5030
5113
  path: "",
5031
- actions: ["tinycloud.kv/get", "tinycloud.kv/put", "tinycloud.kv/metadata"],
5114
+ actions: [KV2.GET, KV2.PUT, KV2.METADATA],
5032
5115
  disableSubDelegation: params.disableSubDelegation ?? false,
5033
5116
  expiry: expirationTime,
5034
5117
  delegateDID: params.delegateDID,