@tinycloud/node-sdk 2.5.1 → 2.6.0-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.d.cts CHANGED
@@ -1,6 +1,6 @@
1
1
  import { ISigner, Bytes, IWasmBindings, ISessionManager } from '@tinycloud/sdk-core';
2
2
  export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AccountApplication, AccountApplicationListOptions, AccountDelegation, AccountDelegationListOptions, AccountDelegationRevokeOptions, AccountIndexEnsureResult, AccountIndexRebuildResult, AccountIndexStatus, AccountIndexedReadOptions, AccountService, AccountServiceConfig, AccountSpace, AccountSpaceListOptions, AccountStatus, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, BuildCanonicalDecryptRequestInput, BuildDecryptFactsInput, BuildDecryptInvocationInput, BuiltDecryptInvocation, CallbackStrategy, CanonicalAddress, CanonicalDecryptRequest, CanonicalJson, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DECRYPT_ACTION, DECRYPT_FACT_TYPE, DECRYPT_RESULT_TYPE, DEFAULT_ENCRYPTION_ALG, DEFAULT_KEY_VERSION, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, DecryptCapabilityProof, DecryptEnvelopeOptions, DecryptInvocationFact, DecryptInvocationSigner, DecryptRequestBody, DecryptResponseBody, DecryptTransport, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DiscoverNetworkInput, DiscoveredNetwork, DiscoverySource, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ENCRYPTION_NETWORK_URN_PREFIX, ENCRYPTION_SERVICE, ENCRYPTION_SERVICE_SHORT, ENVELOPE_VERSION, EncodedShareData, EncryptToNetworkInput, EncryptToNetworkOptions, EncryptToNetworkResult, EncryptionCrypto, EncryptionError, EncryptionErrorInput, EncryptionService, EncryptionServiceConfig, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IEncryptionService, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InlineEncryptedEnvelope, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, NETWORK_NAME_PATTERN, NetworkDescriptor, NetworkIdError, NodeDescriptorFetcher, OpenKeyCallbackStrategy, OpenKeySigningRequestBody, OpenKeySigningResponseBody, OpenKeySigningStrategyOptions, ParsedNetworkId, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, RandomReceiverKeyInput, ReceiveOptions, ReceiverKeyPair, ReceiverKeySigner, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SignedReceiverKeyInput, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudDebugEnableOptions, TinyCloudDebugEvent, TinyCloudDebugLevel, TinyCloudDebugLogger, TinyCloudDebugTimer, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VerifyDecryptResponseInput, VersionCheckError, ViewInfo, WasmVaultFunctions, WellKnownDescriptorFetcher, addressStorageKey, buildCanonicalDecryptRequest, buildDecryptAttenuation, buildDecryptFacts, buildDecryptInvocation, buildNetworkId, buildSpaceUri, canonicalHashHex, canonicalSignedResponse, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeEncryptionJson, canonicalizeNetworkId, canonicalizeSecretScope, checkDecryptInvocationInput, checkNodeInfo, clearTinyCloudDebugLogs, composeManifestRequest, createCapabilityKeyRegistry, createOpenKeyCallbackSigningStrategy, createSharingService, createSpaceService, createVaultCrypto, decryptEnvelopeWithKey, defaultSpaceCreationHandler, deriveSignedReceiverKey, didCacheKey, didEquals, disableTinyCloudDebug, discoverNetwork, enableTinyCloudDebug, encryptToNetwork, encryptionBase64Decode, encryptionBase64Encode, encryptionError, encryptionUtf8Decode, encryptionUtf8Encode, ensureNetworkUsableForDecrypt, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, generateRandomReceiverKey, getTinyCloudDebugLogs, hexDecode, hexEncode, installTinyCloudDebugGlobals, isCapabilitySubset, isEvmAddress, isNetworkId, loadManifest, makePkhSpaceId, makePublicSpaceId, networkDiscoveryKey, openWrappedKey, parseCanonicalNetworkId, parseExpiry, parseNetworkId, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, tinyCloudDebugLogger, validateEnvelope, validateManifest, verifyDecryptResponse } from '@tinycloud/sdk-core';
3
- export { A as AuthDelegationArtifact, a as AuthRequestArtifact, D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, d as DelegationAuthority, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, m as grantAuthRequest, s as serializeDelegation } from './core-ojeY-wet.cjs';
3
+ export { A as AuthDelegationArtifact, a as AuthRequestArtifact, D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, d as DelegationAuthority, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, m as grantAuthRequest, s as serializeDelegation } from './core-Cr-zD1lk.cjs';
4
4
  import { invoke, invokeAny, computeCid, prepareSession, completeSessionSetup, ensureEip55, makeSpaceId, createDelegation, parseRecapFromSiwe, generateHostSIWEMessage, siweToDelegationHeaders, protocolVersion, vault_encrypt, vault_decrypt, vault_derive_key, vault_x25519_from_seed, vault_x25519_dh, vault_random_bytes, vault_sha256 } from '@tinycloud/node-sdk-wasm';
5
5
  import 'events';
6
6
  import '@tinycloud/sdk-services';
package/dist/index.d.ts CHANGED
@@ -1,6 +1,6 @@
1
1
  import { ISigner, Bytes, IWasmBindings, ISessionManager } from '@tinycloud/sdk-core';
2
2
  export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, AccountApplication, AccountApplicationListOptions, AccountDelegation, AccountDelegationListOptions, AccountDelegationRevokeOptions, AccountIndexEnsureResult, AccountIndexRebuildResult, AccountIndexStatus, AccountIndexedReadOptions, AccountService, AccountServiceConfig, AccountSpace, AccountSpaceListOptions, AccountStatus, AutoApproveSpaceCreationHandler, AutoRejectStrategy, AutoSignStrategy, BatchOptions, BatchResponse, BuildCanonicalDecryptRequestInput, BuildDecryptFactsInput, BuildDecryptInvocationInput, BuiltDecryptInvocation, CallbackStrategy, CanonicalAddress, CanonicalDecryptRequest, CanonicalJson, CanonicalParsedNetworkId, CapabilityEntry, CapabilityKeyRegistry, CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, ClientSession, ColumnInfo, ComposeManifestOptions, ComposedManifestRequest, CreateDelegationParams, DECRYPT_ACTION, DECRYPT_FACT_TYPE, DECRYPT_RESULT_TYPE, DEFAULT_ENCRYPTION_ALG, DEFAULT_KEY_VERSION, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DataVaultConfig, DataVaultService, DatabaseHandle, DecryptCapabilityProof, DecryptEnvelopeOptions, DecryptInvocationFact, DecryptInvocationSigner, DecryptRequestBody, DecryptResponseBody, DecryptTransport, Delegation, DelegationChain, DelegationChainV2, DelegationDirection, DelegationError, DelegationErrorCode, DelegationErrorCodes, DelegationFilters, DelegationManager, DelegationManagerConfig, DelegationRecord, DelegationResult, DidCacheKeyOptions, DidEqualsOptions, DiscoverNetworkInput, DiscoveredNetwork, DiscoverySource, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ENCRYPTION_NETWORK_URN_PREFIX, ENCRYPTION_SERVICE, ENCRYPTION_SERVICE_SHORT, ENVELOPE_VERSION, EncodedShareData, EncryptToNetworkInput, EncryptToNetworkOptions, EncryptToNetworkResult, EncryptionCrypto, EncryptionError, EncryptionErrorInput, EncryptionService, EncryptionServiceConfig, ExecuteOptions, ExecuteResponse, Extension, FetchFunction, GenerateShareParams, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, ICapabilityKeyRegistry, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IENSResolver, IEncryptionService, IHooksService, IKVService, INotificationHandler, IPrefixedKVService, ISQLService, ISecretsService, ISessionManager, ISessionStorage, ISharingService, ISigner, ISpace, ISpaceCreationHandler, ISpaceScopedDelegations, ISpaceScopedSharing, ISpaceService, IUserAuthorization, IWasmBindings, IdentityParseError, IngestOptions, InlineEncryptedEnvelope, InvokeFunction, JWK, KVCreateSignedReadUrlOptions, KVResponse, KVService, KVServiceConfig, KVSignedReadUrlResponse, KeyInfo, KeyProvider, KeyType, Manifest, ManifestDefaults, ManifestRegistryRecord, ManifestSecretActions, ManifestValidationError, NETWORK_NAME_PATTERN, NetworkDescriptor, NetworkIdError, NodeDescriptorFetcher, OpenKeyCallbackStrategy, OpenKeySigningRequestBody, OpenKeySigningResponseBody, OpenKeySigningStrategyOptions, ParsedNetworkId, PermissionEntry, PermissionNotInManifestError, PersistedSessionData, PkhDidParts, PrefixedKVService, ProtocolMismatchError, QueryOptions, QueryResponse, RandomReceiverKeyInput, ReceiveOptions, ReceiverKeyPair, ReceiverKeySigner, ResolvedCapabilities, ResolvedDelegate, ResolvedSecretPath, ResourceCapability, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceSession, SessionExpiredError, ShareAccess, ShareLink, ShareLinkData, ShareSchema, SharingService, SharingServiceConfig, SignCallback, SignInOptions, SignRequest, SignResponse, SignedReceiverKeyInput, SilentNotificationHandler, Space, SpaceAbilitiesMap, SpaceConfig, SpaceCreationContext, SpaceErrorCode, SpaceErrorCodes, SpaceInfo, SpaceOwnership, SpaceService, SpaceServiceConfig, SqlStatement, SqlValue, StoredDelegationChain, SubscribeOptions, TableInfo, TelemetryConfig, TelemetryEventHandler, TinyCloud, TinyCloudConfig, TinyCloudDebugEnableOptions, TinyCloudDebugEvent, TinyCloudDebugLevel, TinyCloudDebugLogger, TinyCloudDebugTimer, TinyCloudSession, UnsupportedFeatureError, VAULT_PERMISSION_SERVICE, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VerifyDecryptResponseInput, VersionCheckError, ViewInfo, WasmVaultFunctions, WellKnownDescriptorFetcher, addressStorageKey, buildCanonicalDecryptRequest, buildDecryptAttenuation, buildDecryptFacts, buildDecryptInvocation, buildNetworkId, buildSpaceUri, canonicalHashHex, canonicalSignedResponse, canonicalizeAddress, canonicalizeDid, canonicalizeDidUrl, canonicalizeEncryptionJson, canonicalizeNetworkId, canonicalizeSecretScope, checkDecryptInvocationInput, checkNodeInfo, clearTinyCloudDebugLogs, composeManifestRequest, createCapabilityKeyRegistry, createOpenKeyCallbackSigningStrategy, createSharingService, createSpaceService, createVaultCrypto, decryptEnvelopeWithKey, defaultSpaceCreationHandler, deriveSignedReceiverKey, didCacheKey, didEquals, disableTinyCloudDebug, discoverNetwork, enableTinyCloudDebug, encryptToNetwork, encryptionBase64Decode, encryptionBase64Encode, encryptionError, encryptionUtf8Decode, encryptionUtf8Encode, ensureNetworkUsableForDecrypt, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, generateRandomReceiverKey, getTinyCloudDebugLogs, hexDecode, hexEncode, installTinyCloudDebugGlobals, isCapabilitySubset, isEvmAddress, isNetworkId, loadManifest, makePkhSpaceId, makePublicSpaceId, networkDiscoveryKey, openWrappedKey, parseCanonicalNetworkId, parseExpiry, parseNetworkId, parsePkhDid, parseSpaceUri, pkhDid, principalDid, principalDidEquals, resolveManifest, resolveSecretListPrefix, resolveSecretPath, resourceCapabilitiesToSpaceAbilitiesMap, tinyCloudDebugLogger, validateEnvelope, validateManifest, verifyDecryptResponse } from '@tinycloud/sdk-core';
3
- export { A as AuthDelegationArtifact, a as AuthRequestArtifact, D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, d as DelegationAuthority, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, m as grantAuthRequest, s as serializeDelegation } from './core-ojeY-wet.js';
3
+ export { A as AuthDelegationArtifact, a as AuthRequestArtifact, D as DelegateToOptions, b as DelegateToResult, c as DelegatedAccess, d as DelegationAuthority, F as FileSessionStorage, M as MemorySessionStorage, N as NodeEventEmitterStrategy, e as NodeUserAuthorization, f as NodeUserAuthorizationConfig, P as PortableDelegation, R as RestorableSession, g as RuntimePermissionGrantOptions, S as SignStrategy, T as TinyCloudNode, h as TinyCloudNodeConfig, W as WasmKeyProvider, i as WasmKeyProviderConfig, j as createWasmKeyProvider, k as defaultSignStrategy, l as deserializeDelegation, m as grantAuthRequest, s as serializeDelegation } from './core-Cr-zD1lk.js';
4
4
  import { invoke, invokeAny, computeCid, prepareSession, completeSessionSetup, ensureEip55, makeSpaceId, createDelegation, parseRecapFromSiwe, generateHostSIWEMessage, siweToDelegationHeaders, protocolVersion, vault_encrypt, vault_decrypt, vault_derive_key, vault_x25519_from_seed, vault_x25519_dh, vault_random_bytes, vault_sha256 } from '@tinycloud/node-sdk-wasm';
5
5
  import 'events';
6
6
  import '@tinycloud/sdk-services';
package/dist/index.js CHANGED
@@ -17185,6 +17185,10 @@ import {
17185
17185
  isCapabilitySubset,
17186
17186
  parseRecapCapabilities,
17187
17187
  SERVICE_LONG_TO_SHORT,
17188
+ KV as KV2,
17189
+ SQL as SQL2,
17190
+ DUCKDB as DUCKDB2,
17191
+ ENCRYPTION as ENCRYPTION2,
17188
17192
  EXPIRY as EXPIRY3,
17189
17193
  canonicalHashHex,
17190
17194
  canonicalizeEncryptionJson,
@@ -17214,7 +17218,13 @@ import {
17214
17218
  EXPIRY,
17215
17219
  canonicalizeAddress,
17216
17220
  makePkhSpaceId,
17217
- pkhDid
17221
+ pkhDid,
17222
+ KV,
17223
+ SQL,
17224
+ DUCKDB,
17225
+ CAPABILITIES,
17226
+ HOOKS,
17227
+ ENCRYPTION
17218
17228
  } from "@tinycloud/sdk-core";
17219
17229
 
17220
17230
  // src/authorization/strategies.ts
@@ -17293,8 +17303,8 @@ var MemorySessionStorage = class {
17293
17303
  };
17294
17304
 
17295
17305
  // src/authorization/NodeUserAuthorization.ts
17296
- var DECRYPT_ACTION = "tinycloud.encryption/decrypt";
17297
- var NETWORK_CREATE_ACTION = "tinycloud.encryption/network.create";
17306
+ var DECRYPT_ACTION = ENCRYPTION.DECRYPT;
17307
+ var NETWORK_CREATE_ACTION = ENCRYPTION.NETWORK_CREATE;
17298
17308
  function didPrincipalMatches(actual, expected) {
17299
17309
  try {
17300
17310
  return principalDidEquals(actual, expected);
@@ -17327,44 +17337,27 @@ var NodeUserAuthorization = class {
17327
17337
  this.spacePrefix = config.spacePrefix ?? "default";
17328
17338
  this.defaultActions = config.defaultActions ?? {
17329
17339
  kv: {
17330
- "": [
17331
- "tinycloud.kv/put",
17332
- "tinycloud.kv/get",
17333
- "tinycloud.kv/del",
17334
- "tinycloud.kv/list",
17335
- "tinycloud.kv/metadata"
17336
- ]
17340
+ "": [KV.PUT, KV.GET, KV.DEL, KV.LIST, KV.METADATA]
17337
17341
  },
17338
17342
  sql: {
17339
- "": [
17340
- "tinycloud.sql/read",
17341
- "tinycloud.sql/write",
17342
- "tinycloud.sql/schema",
17343
- "tinycloud.sql/admin",
17344
- "tinycloud.sql/export"
17345
- ]
17343
+ "": [SQL.READ, SQL.WRITE, SQL.SCHEMA, SQL.ADMIN, SQL.EXPORT]
17346
17344
  },
17347
17345
  duckdb: {
17348
17346
  "": [
17349
- "tinycloud.duckdb/read",
17350
- "tinycloud.duckdb/write",
17351
- "tinycloud.duckdb/admin",
17352
- "tinycloud.duckdb/describe",
17353
- "tinycloud.duckdb/export",
17354
- "tinycloud.duckdb/import",
17355
- "tinycloud.duckdb/execute"
17347
+ DUCKDB.READ,
17348
+ DUCKDB.WRITE,
17349
+ DUCKDB.ADMIN,
17350
+ DUCKDB.DESCRIBE,
17351
+ DUCKDB.EXPORT,
17352
+ DUCKDB.IMPORT,
17353
+ DUCKDB.EXECUTE
17356
17354
  ]
17357
17355
  },
17358
17356
  capabilities: {
17359
- "": ["tinycloud.capabilities/read"]
17357
+ "": [CAPABILITIES.READ]
17360
17358
  },
17361
17359
  hooks: {
17362
- "": [
17363
- "tinycloud.hooks/subscribe",
17364
- "tinycloud.hooks/register",
17365
- "tinycloud.hooks/list",
17366
- "tinycloud.hooks/unregister"
17367
- ]
17360
+ "": [HOOKS.SUBSCRIBE, HOOKS.REGISTER, HOOKS.LIST, HOOKS.UNREGISTER]
17368
17361
  }
17369
17362
  };
17370
17363
  this.sessionExpirationMs = config.sessionExpirationMs ?? EXPIRY.SESSION_MS;
@@ -17564,20 +17557,17 @@ var NodeUserAuthorization = class {
17564
17557
  [secretsSpaceId]: {
17565
17558
  kv: {
17566
17559
  "vault/secrets/": [
17567
- "tinycloud.kv/get",
17568
- "tinycloud.kv/put",
17569
- "tinycloud.kv/del",
17570
- "tinycloud.kv/list",
17571
- "tinycloud.kv/metadata"
17560
+ KV.GET,
17561
+ KV.PUT,
17562
+ KV.DEL,
17563
+ KV.LIST,
17564
+ KV.METADATA
17572
17565
  ]
17573
17566
  }
17574
17567
  }
17575
17568
  },
17576
17569
  rawAbilities: {
17577
- [defaultNetworkId]: [
17578
- "tinycloud.encryption/decrypt",
17579
- "tinycloud.encryption/network.create"
17580
- ]
17570
+ [defaultNetworkId]: [DECRYPT_ACTION, NETWORK_CREATE_ACTION]
17581
17571
  }
17582
17572
  };
17583
17573
  }
@@ -18654,9 +18644,27 @@ var NodeSecretsService = class {
18654
18644
  // src/TinyCloudNode.ts
18655
18645
  var DEFAULT_HOST = "https://node.tinycloud.xyz";
18656
18646
  var DEFAULT_ENCRYPTION_NETWORK_NAME = "default";
18657
- var NETWORK_CREATE_ACTION2 = "tinycloud.encryption/network.create";
18658
- var DECRYPT_ACTION2 = "tinycloud.encryption/decrypt";
18647
+ var NETWORK_CREATE_ACTION2 = ENCRYPTION2.NETWORK_CREATE;
18648
+ var DECRYPT_ACTION2 = ENCRYPTION2.DECRYPT;
18659
18649
  var NETWORK_ADMIN_TYPE = "tinycloud.encryption.network-admin/v1";
18650
+ var ROOT_DELEGATION_ACTIONS = [
18651
+ KV2.PUT,
18652
+ KV2.GET,
18653
+ KV2.DEL,
18654
+ KV2.LIST,
18655
+ KV2.METADATA,
18656
+ SQL2.READ,
18657
+ SQL2.WRITE,
18658
+ SQL2.ADMIN,
18659
+ SQL2.ALL,
18660
+ DUCKDB2.READ,
18661
+ DUCKDB2.WRITE,
18662
+ DUCKDB2.ADMIN,
18663
+ DUCKDB2.DESCRIBE,
18664
+ DUCKDB2.EXPORT,
18665
+ DUCKDB2.IMPORT,
18666
+ DUCKDB2.ALL
18667
+ ];
18660
18668
  var DEFAULT_SESSION_EXPIRATION_MS = EXPIRY3.SESSION_MS;
18661
18669
  function isOpenKeyAutoSignStrategy(strategy) {
18662
18670
  return strategy?.openKeyAutoSign === true;
@@ -19128,6 +19136,10 @@ var _TinyCloudNode = class _TinyCloudNode {
19128
19136
  await this.tc.signIn(options);
19129
19137
  this.syncResolvedHostFromAuth();
19130
19138
  this.initializeServices();
19139
+ const primarySession = this.currentTinyCloudSession();
19140
+ if (primarySession) {
19141
+ this.registerPrimarySessionGrant(primarySession);
19142
+ }
19131
19143
  const bootstrapped = await this.bootstrapAccountIfNeeded();
19132
19144
  await this.ensureRequestedEncryptionNetworks();
19133
19145
  if (!bootstrapped && this.config.manifest === void 0 && this.config.capabilityRequest === void 0) {
@@ -19371,7 +19383,107 @@ var _TinyCloudNode = class _TinyCloudNode {
19371
19383
  host: this.config.host
19372
19384
  },
19373
19385
  operations,
19374
- expiresAt
19386
+ expiresAt,
19387
+ provenance: "bootstrap"
19388
+ });
19389
+ }
19390
+ /**
19391
+ * Map the base session's OWN recap into runtime permission operations.
19392
+ *
19393
+ * Uses the RAW `parseRecapFromSiwe` binding — NOT `parseRecapCapabilities`,
19394
+ * whose `normalizeSpace` collapses `tinycloud:pkh:...:<owner>:<space>` to a
19395
+ * bare short name and would conflate two owners' identically-named spaces.
19396
+ * We must keep the full owner-scoped URI so a synthetic primary grant can
19397
+ * never cover an operation on a different owner's space.
19398
+ *
19399
+ * Mirrors {@link operationsFromDelegation}'s op shape: encryption network
19400
+ * entries (`urn:tinycloud:encryption:` paths) become `resource` ops; every
19401
+ * other entry becomes a `spaceId` op carrying the raw recap `space` URI.
19402
+ * One op per action.
19403
+ *
19404
+ * Returns `[]` for session-only / restored-without-siwe modes and for any
19405
+ * unparseable SIWE — the primary grant is simply not registered in that case.
19406
+ */
19407
+ recapOperationsFromSession(session) {
19408
+ const siwe = session.siwe;
19409
+ if (!siwe) {
19410
+ return [];
19411
+ }
19412
+ if (this._recapOperationsCache?.siwe === siwe) {
19413
+ return this._recapOperationsCache.operations;
19414
+ }
19415
+ let operations = [];
19416
+ try {
19417
+ const entries = this.wasmBindings.parseRecapFromSiwe(siwe);
19418
+ if (Array.isArray(entries)) {
19419
+ operations = entries.flatMap((entry) => {
19420
+ const service = this.invocationServiceName(entry.service);
19421
+ return entry.actions.map((action) => ({
19422
+ ...this.isEncryptionNetworkOperation(service, entry.path) ? { resource: entry.path } : { spaceId: entry.space },
19423
+ service,
19424
+ path: entry.path,
19425
+ action
19426
+ }));
19427
+ });
19428
+ }
19429
+ } catch {
19430
+ operations = [];
19431
+ }
19432
+ this._recapOperationsCache = { siwe, operations };
19433
+ return operations;
19434
+ }
19435
+ /**
19436
+ * Register the base (primary) session's own recap as a synthetic runtime
19437
+ * grant tagged `provenance: "primary"` so it always out-ranks other covering
19438
+ * grants in {@link findGrantForOperations}. This closes the selection-design
19439
+ * hazard where a broad — possibly broken — bootstrap/delegated grant could
19440
+ * hijack an operation the primary session itself already authorized (TC-111).
19441
+ *
19442
+ * Two safety exclusions:
19443
+ * - Ops whose space is in `lastActivationSkippedSpaceIds` are dropped: the
19444
+ * node refused to activate those spaces this sign-in even though the recap
19445
+ * claims them. Including them would let the synthetic primary out-rank a
19446
+ * working grant and 401 (the "skipped-activation inverted hijack").
19447
+ * - Encryption `resource` ops are kept as-is (space-independent).
19448
+ *
19449
+ * No-ops when nothing remains after exclusion. Callers (`signIn`,
19450
+ * `restoreSession`) clear `runtimePermissionGrants` first, so no dupes.
19451
+ */
19452
+ registerPrimarySessionGrant(session) {
19453
+ const skipped = this.auth ? this.auth.lastActivationSkippedSpaceIds ?? [] : [];
19454
+ const operations = this.recapOperationsFromSession(session).filter(
19455
+ (operation) => operation.spaceId === void 0 || !skipped.some((spaceId) => this.spaceIdsEqual(spaceId, operation.spaceId))
19456
+ );
19457
+ if (operations.length === 0) {
19458
+ return;
19459
+ }
19460
+ const expiresAt = extractSiweExpiration(session.siwe) ?? this.getSessionExpiry();
19461
+ const actions = [...new Set(operations.map((operation) => operation.action))];
19462
+ this.runtimePermissionGrants.push({
19463
+ session: {
19464
+ delegationHeader: session.delegationHeader,
19465
+ delegationCid: session.delegationCid,
19466
+ spaceId: session.spaceId,
19467
+ verificationMethod: session.verificationMethod,
19468
+ jwk: session.jwk
19469
+ },
19470
+ delegation: {
19471
+ cid: session.delegationCid,
19472
+ delegationHeader: session.delegationHeader,
19473
+ delegateDID: session.verificationMethod,
19474
+ delegatorDID: this.did,
19475
+ spaceId: session.spaceId,
19476
+ path: "",
19477
+ actions,
19478
+ expiry: expiresAt,
19479
+ allowSubDelegation: true,
19480
+ ownerAddress: session.address,
19481
+ chainId: session.chainId,
19482
+ host: this.config.host
19483
+ },
19484
+ operations,
19485
+ expiresAt,
19486
+ provenance: "primary"
19375
19487
  });
19376
19488
  }
19377
19489
  async writeManifestRegistryRecords() {
@@ -19707,6 +19819,7 @@ var _TinyCloudNode = class _TinyCloudNode {
19707
19819
  } else {
19708
19820
  this._restoredTcSession = tcSession;
19709
19821
  }
19822
+ this.registerPrimarySessionGrant(tcSession);
19710
19823
  }
19711
19824
  }
19712
19825
  /**
@@ -20178,24 +20291,7 @@ var _TinyCloudNode = class _TinyCloudNode {
20178
20291
  spaceId: tcSession.spaceId,
20179
20292
  path: "",
20180
20293
  // Root access
20181
- actions: [
20182
- "tinycloud.kv/put",
20183
- "tinycloud.kv/get",
20184
- "tinycloud.kv/del",
20185
- "tinycloud.kv/list",
20186
- "tinycloud.kv/metadata",
20187
- "tinycloud.sql/read",
20188
- "tinycloud.sql/write",
20189
- "tinycloud.sql/admin",
20190
- "tinycloud.sql/*",
20191
- "tinycloud.duckdb/read",
20192
- "tinycloud.duckdb/write",
20193
- "tinycloud.duckdb/admin",
20194
- "tinycloud.duckdb/describe",
20195
- "tinycloud.duckdb/export",
20196
- "tinycloud.duckdb/import",
20197
- "tinycloud.duckdb/*"
20198
- ],
20294
+ actions: [...ROOT_DELEGATION_ACTIONS],
20199
20295
  expiry: this.getSessionExpiry(),
20200
20296
  isRevoked: false,
20201
20297
  allowSubDelegation: true
@@ -20208,24 +20304,7 @@ var _TinyCloudNode = class _TinyCloudNode {
20208
20304
  delegateDID: tcSession.verificationMethod,
20209
20305
  spaceId,
20210
20306
  path: "",
20211
- actions: [
20212
- "tinycloud.kv/put",
20213
- "tinycloud.kv/get",
20214
- "tinycloud.kv/del",
20215
- "tinycloud.kv/list",
20216
- "tinycloud.kv/metadata",
20217
- "tinycloud.sql/read",
20218
- "tinycloud.sql/write",
20219
- "tinycloud.sql/admin",
20220
- "tinycloud.sql/*",
20221
- "tinycloud.duckdb/read",
20222
- "tinycloud.duckdb/write",
20223
- "tinycloud.duckdb/admin",
20224
- "tinycloud.duckdb/describe",
20225
- "tinycloud.duckdb/export",
20226
- "tinycloud.duckdb/import",
20227
- "tinycloud.duckdb/*"
20228
- ],
20307
+ actions: [...ROOT_DELEGATION_ACTIONS],
20229
20308
  expiry: this.getSessionExpiry(),
20230
20309
  isRevoked: false,
20231
20310
  allowSubDelegation: true
@@ -20779,7 +20858,7 @@ var _TinyCloudNode = class _TinyCloudNode {
20779
20858
  getRuntimePermissionDelegations(permissions) {
20780
20859
  this.pruneExpiredRuntimePermissionGrants();
20781
20860
  if (permissions === void 0) {
20782
- return this.runtimePermissionGrants.map((grant) => grant.delegation);
20861
+ return this.runtimePermissionGrants.filter((grant) => grant.provenance !== "primary").map((grant) => grant.delegation);
20783
20862
  }
20784
20863
  const session = this.currentTinyCloudSession();
20785
20864
  if (!session || !Array.isArray(permissions) || permissions.length === 0) {
@@ -20931,7 +21010,8 @@ var _TinyCloudNode = class _TinyCloudNode {
20931
21010
  },
20932
21011
  delegation,
20933
21012
  operations: this.permissionOperations(delegatedEntries, spaceId),
20934
- expiresAt
21013
+ expiresAt,
21014
+ provenance: "runtime"
20935
21015
  });
20936
21016
  delegations.push(delegation);
20937
21017
  }
@@ -21069,13 +21149,7 @@ var _TinyCloudNode = class _TinyCloudNode {
21069
21149
  throw new Error("Public space not enabled. Set enablePublicSpace: true in config.");
21070
21150
  }
21071
21151
  await this.auth.hostPublicSpace(publicSpaceId);
21072
- const kvActions = [
21073
- "tinycloud.kv/put",
21074
- "tinycloud.kv/get",
21075
- "tinycloud.kv/del",
21076
- "tinycloud.kv/list",
21077
- "tinycloud.kv/metadata"
21078
- ];
21152
+ const kvActions = [KV2.PUT, KV2.GET, KV2.DEL, KV2.LIST, KV2.METADATA];
21079
21153
  const abilities = { kv: { "": kvActions } };
21080
21154
  const now = /* @__PURE__ */ new Date();
21081
21155
  const expiryMs = EXPIRY3.EPHEMERAL_MS;
@@ -21598,7 +21672,7 @@ var _TinyCloudNode = class _TinyCloudNode {
21598
21672
  return grants;
21599
21673
  }
21600
21674
  for (const operation of operations) {
21601
- const grant = this.findGrantForOperation(operation);
21675
+ const grant = this.findGrantForOperation(operation, { excludePrimary: true });
21602
21676
  if (!grant) {
21603
21677
  return [];
21604
21678
  }
@@ -21638,7 +21712,8 @@ var _TinyCloudNode = class _TinyCloudNode {
21638
21712
  },
21639
21713
  delegation,
21640
21714
  operations,
21641
- expiresAt: delegation.expiry
21715
+ expiresAt: delegation.expiry,
21716
+ provenance: "delegated"
21642
21717
  };
21643
21718
  }
21644
21719
  installRuntimeGrantFromServiceSession(delegation, session, expiresAt) {
@@ -21653,7 +21728,8 @@ var _TinyCloudNode = class _TinyCloudNode {
21653
21728
  session,
21654
21729
  delegation,
21655
21730
  operations,
21656
- expiresAt
21731
+ expiresAt,
21732
+ provenance: "delegated"
21657
21733
  });
21658
21734
  }
21659
21735
  delegatedResourcesForEntries(entries, spaceId) {
@@ -21753,21 +21829,28 @@ var _TinyCloudNode = class _TinyCloudNode {
21753
21829
  });
21754
21830
  return grant?.session ?? fallback;
21755
21831
  }
21756
- findGrantForOperations(operations) {
21832
+ findGrantForOperations(operations, options) {
21757
21833
  if (operations.length === 0) {
21758
21834
  return void 0;
21759
21835
  }
21760
21836
  this.pruneExpiredRuntimePermissionGrants();
21761
- return this.runtimePermissionGrants.find((grant) => {
21837
+ const covering = this.runtimePermissionGrants.filter((grant) => {
21838
+ if (options?.excludePrimary && grant.provenance === "primary") {
21839
+ return false;
21840
+ }
21762
21841
  return operations.every(
21763
21842
  (operation) => grant.operations.some(
21764
21843
  (granted) => this.operationCovers(granted, operation)
21765
21844
  )
21766
21845
  );
21767
21846
  });
21847
+ if (covering.length === 0) {
21848
+ return void 0;
21849
+ }
21850
+ return covering.find((grant) => grant.provenance === "primary") ?? covering[0];
21768
21851
  }
21769
- findGrantForOperation(operation) {
21770
- return this.findGrantForOperations([operation]);
21852
+ findGrantForOperation(operation, options) {
21853
+ return this.findGrantForOperations([operation], options);
21771
21854
  }
21772
21855
  pruneExpiredRuntimePermissionGrants() {
21773
21856
  const now = Date.now();
@@ -22004,7 +22087,7 @@ var _TinyCloudNode = class _TinyCloudNode {
22004
22087
  session.chainId
22005
22088
  );
22006
22089
  const publicAbilities = {
22007
- kv: { "": ["tinycloud.kv/get", "tinycloud.kv/put", "tinycloud.kv/metadata"] }
22090
+ kv: { "": [KV2.GET, KV2.PUT, KV2.METADATA] }
22008
22091
  };
22009
22092
  const publicPrepared = this.wasmBindings.prepareSession({
22010
22093
  abilities: publicAbilities,
@@ -22032,7 +22115,7 @@ var _TinyCloudNode = class _TinyCloudNode {
22032
22115
  delegationHeader: publicSession.delegationHeader,
22033
22116
  spaceId: publicSpaceId,
22034
22117
  path: "",
22035
- actions: ["tinycloud.kv/get", "tinycloud.kv/put", "tinycloud.kv/metadata"],
22118
+ actions: [KV2.GET, KV2.PUT, KV2.METADATA],
22036
22119
  disableSubDelegation: params.disableSubDelegation ?? false,
22037
22120
  expiry: expirationTime,
22038
22121
  delegateDID: params.delegateDID,