@tinycloud/sdk-core 2.0.0 → 2.0.2-beta.0

package/dist/index.js

@@ -1,62 +1,3768 @@
-/**
- * @tinycloud/sdk-core
- *
- * Core TinyCloud SDK package providing shared interfaces and the TinyCloud class.
- *
- * This package defines the platform-agnostic interfaces that both web-sdk and node-sdk
- * implement. The main TinyCloud class accepts an IUserAuthorization implementation,
- * allowing it to work in both browser and Node.js environments.
- *
- * @packageDocumentation
- */
-// Platform-agnostic client types (canonical definitions)
-export { ClientSessionSchema, EnsDataSchema, SiweConfigSchema, validateClientSession, SiweMessage, } from "./client-types";
-// Notification handler
-export { SilentNotificationHandler, } from "./notifications";
-// Session storage interface and types
-export { 
-// Validation
-validatePersistedSessionData, } from "./storage";
-// Main TinyCloud class
-export { TinyCloud, } from "./TinyCloud";
-// Re-export service types from sdk-services for convenience
-export { 
-// Context
-ServiceContext, 
-// KV Service
-KVService, PrefixedKVService, ok, err, serviceError, ErrorCodes, defaultRetryPolicy, 
-// SQL Service
-SQLService, DatabaseHandle, SQLAction, 
-// DuckDB Service
-DuckDbService, DuckDbDatabaseHandle, DuckDbAction, 
-// Vault Service
-DataVaultService, VaultHeaders, VaultPublicSpaceKVActions, createVaultCrypto, } from "@tinycloud/sdk-services";
-// Space utilities
-export { fetchPeerId, submitHostDelegation, activateSessionWithHost, } from "./space";
-// Delegations
-export { DelegationErrorCodes, 
-// Classes
-DelegationManager, 
-// v2 SharingService
-SharingService, createSharingService, } from "./delegations";
-// Authorization (v2 spec)
-export { 
-// Class
-CapabilityKeyRegistry, 
-// Factory
-createCapabilityKeyRegistry, 
-// Error codes
-CapabilityKeyRegistryErrorCodes, defaultSignStrategy, AutoApproveSpaceCreationHandler, defaultSpaceCreationHandler, } from "./authorization";
-// Spaces (v2 spec)
-export { 
-// Space object
-Space, 
-// SpaceService
-SpaceService, SpaceErrorCodes, createSpaceService, 
-// URI utilities
-parseSpaceUri, buildSpaceUri, 
-// Public space utility
-makePublicSpaceId, } from "./spaces";
-// Protocol version checking
-export { ProtocolMismatchError, VersionCheckError, UnsupportedFeatureError, checkNodeInfo, } from "./version";
+// src/client-types.ts
+import { z } from "zod";
+import { SiweMessage } from "siwe";
+var EnsDataSchema = z.object({
+  domain: z.string().nullable().optional(),
+  avatarUrl: z.string().nullable().optional()
+});
+var SiweConfigSchema = z.object({
+  domain: z.string().optional(),
+  uri: z.string().optional(),
+  chainId: z.number().optional(),
+  statement: z.string().optional(),
+  nonce: z.string().optional(),
+  expirationTime: z.string().optional(),
+  notBefore: z.string().optional(),
+  requestId: z.string().optional(),
+  resources: z.array(z.string()).optional()
+}).passthrough();
+var ClientSessionSchema = z.object({
+  address: z.string(),
+  walletAddress: z.string(),
+  chainId: z.number(),
+  sessionKey: z.string(),
+  siwe: z.string(),
+  signature: z.string(),
+  ens: EnsDataSchema.optional()
+});
+function validateClientSession(data) {
+  const result = ClientSessionSchema.safeParse(data);
+  return result.success ? result.data : null;
+}
+
+// src/notifications.ts
+var SilentNotificationHandler = class {
+  success() {
+  }
+  warning() {
+  }
+  error() {
+  }
+};
+
+// src/storage.schema.ts
+import { z as z2 } from "zod";
+var ethereumAddressPattern = /^0x[a-fA-F0-9]{40}$/;
+var EnsDataSchema2 = z2.object({
+  /** ENS name/domain. */
+  domain: z2.string().nullable().optional(),
+  /** ENS avatar URL. */
+  avatarUrl: z2.string().nullable().optional()
+});
+var PersistedTinyCloudSessionSchema = z2.object({
+  /** The delegation header containing the UCAN */
+  delegationHeader: z2.object({
+    Authorization: z2.string()
+  }),
+  /** The delegation CID */
+  delegationCid: z2.string(),
+  /** The space ID for this session */
+  spaceId: z2.string(),
+  /** Additional spaces included in this session's capabilities. Key is logical name, value is full spaceId URI */
+  spaces: z2.record(z2.string(), z2.string()).optional(),
+  /** The verification method DID */
+  verificationMethod: z2.string()
+});
+var PersistedSessionDataSchema = z2.object({
+  /** User's Ethereum address */
+  address: z2.string().regex(ethereumAddressPattern, "Invalid Ethereum address"),
+  /** EIP-155 Chain ID */
+  chainId: z2.number().int().positive(),
+  /** Session key in JWK format (stringified) */
+  sessionKey: z2.string(),
+  /** The signed SIWE message */
+  siwe: z2.string(),
+  /** User's signature of the SIWE message */
+  signature: z2.string(),
+  /** TinyCloud delegation data if available */
+  tinycloudSession: PersistedTinyCloudSessionSchema.optional(),
+  /** Session expiration timestamp (ISO 8601 with timezone offset) */
+  expiresAt: z2.string().datetime({ offset: true }),
+  /** Session creation timestamp (ISO 8601 with timezone offset) */
+  createdAt: z2.string().datetime({ offset: true }),
+  /** Schema version for migrations */
+  version: z2.string(),
+  /** Optional ENS data */
+  ens: EnsDataSchema2.optional()
+});
+var TinyCloudSessionSchema = z2.object({
+  /** User's Ethereum address */
+  address: z2.string().regex(ethereumAddressPattern, "Invalid Ethereum address"),
+  /** EIP-155 Chain ID */
+  chainId: z2.number().int().positive(),
+  /** Session key ID */
+  sessionKey: z2.string(),
+  /** The space ID for this session */
+  spaceId: z2.string(),
+  /** Additional spaces included in this session's capabilities. Key is logical name, value is full spaceId URI */
+  spaces: z2.record(z2.string(), z2.string()).optional(),
+  /** The delegation CID */
+  delegationCid: z2.string(),
+  /** The delegation header for API calls */
+  delegationHeader: z2.object({
+    Authorization: z2.string()
+  }),
+  /** The verification method DID */
+  verificationMethod: z2.string(),
+  /** The session key JWK (required for invoke operations) */
+  jwk: z2.object({}).passthrough(),
+  /** The signed SIWE message */
+  siwe: z2.string(),
+  /** User's signature of the SIWE message */
+  signature: z2.string()
+});
+function validatePersistedSessionData(data) {
+  const result = PersistedSessionDataSchema.safeParse(data);
+  if (!result.success) {
+    return {
+      ok: false,
+      error: {
+        code: "VALIDATION_ERROR",
+        message: result.error.message,
+        service: "session",
+        meta: { issues: result.error.issues }
+      }
+    };
+  }
+  return { ok: true, data: result.data };
+}
+
+// src/TinyCloud.ts
+import {
+  ServiceContext,
+  KVService,
+  SQLService,
+  DuckDbService,
+  ok as ok2,
+  err as err2,
+  serviceError as serviceError2,
+  ErrorCodes
+} from "@tinycloud/sdk-services";
+
+// src/spaces/SpaceService.ts
+import { ok, err, serviceError } from "@tinycloud/sdk-services";
+
+// src/spaces/Space.ts
+var Space = class {
+  /**
+   * Create a new Space instance.
+   *
+   * @param config - Space configuration
+   */
+  constructor(config) {
+    this._id = config.id;
+    this._name = config.name;
+    this._kv = config.createKV(config.id);
+    this._delegations = config.createDelegations(config.id);
+    this._sharing = config.createSharing(config.id);
+    this._getInfo = config.getInfo;
+  }
+  /**
+   * The space identifier (full URI).
+   */
+  get id() {
+    return this._id;
+  }
+  /**
+   * The short name of the space.
+   */
+  get name() {
+    return this._name;
+  }
+  /**
+   * KV operations scoped to this space.
+   */
+  get kv() {
+    return this._kv;
+  }
+  /**
+   * Delegation operations scoped to this space.
+   */
+  get delegations() {
+    return this._delegations;
+  }
+  /**
+   * Sharing operations scoped to this space.
+   */
+  get sharing() {
+    return this._sharing;
+  }
+  /**
+   * Get space metadata.
+   *
+   * @returns Result containing space information
+   */
+  async info() {
+    return this._getInfo(this._id);
+  }
+};
+
+// src/spaces/spaces.schema.ts
+import { z as z4 } from "zod";
+
+// src/delegations/types.schema.ts
+import { z as z3 } from "zod";
+var JWKSchema = z3.object({
+  /** Key type (e.g., "EC", "RSA", "OKP") */
+  kty: z3.string(),
+  /** Curve for EC/OKP keys (e.g., "P-256", "Ed25519") */
+  crv: z3.string().optional(),
+  /** X coordinate for EC keys, public key for OKP */
+  x: z3.string().optional(),
+  /** Y coordinate for EC keys */
+  y: z3.string().optional(),
+  /** Private key value (d parameter) */
+  d: z3.string().optional(),
+  /** Public exponent for RSA keys */
+  e: z3.string().optional(),
+  /** Modulus for RSA keys */
+  n: z3.string().optional(),
+  /** Key ID */
+  kid: z3.string().optional(),
+  /** Algorithm */
+  alg: z3.string().optional(),
+  /** Key use (e.g., "sig", "enc") */
+  use: z3.string().optional(),
+  /** Key operations (e.g., ["sign", "verify"]) */
+  key_ops: z3.array(z3.string()).optional()
+});
+var KeyTypeSchema = z3.enum(["main", "session", "ingested"]);
+var KeyInfoSchema = z3.object({
+  /** Unique identifier for this key */
+  id: z3.string(),
+  /** DID associated with this key */
+  did: z3.string(),
+  /** Type of key determining its authority level */
+  type: KeyTypeSchema,
+  /** Private key in JWK format */
+  jwk: JWKSchema.optional(),
+  /** Priority for key selection (lower = higher priority) */
+  priority: z3.number()
+});
+var DelegationErrorSchema = z3.object({
+  /** Error code for programmatic handling */
+  code: z3.string(),
+  /** Human-readable error message */
+  message: z3.string(),
+  /** The service that produced the error */
+  service: z3.literal("delegation"),
+  /** Original error if wrapping another error */
+  cause: z3.instanceof(Error).optional(),
+  /** Additional metadata about the error */
+  meta: z3.record(z3.string(), z3.unknown()).optional()
+});
+var DelegationErrorCodes = {
+  AUTH_REQUIRED: "AUTH_REQUIRED",
+  AUTH_EXPIRED: "AUTH_EXPIRED",
+  NOT_INITIALIZED: "NOT_INITIALIZED",
+  NOT_FOUND: "NOT_FOUND",
+  REVOKED: "REVOKED",
+  NETWORK_ERROR: "NETWORK_ERROR",
+  TIMEOUT: "TIMEOUT",
+  ABORTED: "ABORTED",
+  INVALID_INPUT: "INVALID_INPUT",
+  PERMISSION_DENIED: "PERMISSION_DENIED",
+  CREATION_FAILED: "CREATION_FAILED",
+  REVOCATION_FAILED: "REVOCATION_FAILED",
+  INVALID_TOKEN: "INVALID_TOKEN",
+  KV_SERVICE_UNAVAILABLE: "KV_SERVICE_UNAVAILABLE",
+  DATA_FETCH_FAILED: "DATA_FETCH_FAILED",
+  VALIDATION_ERROR: "VALIDATION_ERROR"
+};
+var DelegationSchema = z3.object({
+  /** Content identifier (CID) of the delegation */
+  cid: z3.string(),
+  /** DID of the delegate (the party receiving the delegation) */
+  delegateDID: z3.string(),
+  /** Space ID this delegation applies to */
+  spaceId: z3.string(),
+  /** Resource path this delegation grants access to */
+  path: z3.string(),
+  /** Actions this delegation authorizes */
+  actions: z3.array(z3.string()),
+  /** When this delegation expires (accepts Date or ISO string from JSON) */
+  expiry: z3.coerce.date(),
+  /** Whether this delegation has been revoked */
+  isRevoked: z3.boolean(),
+  /** DID of the delegator (the party granting the delegation) */
+  delegatorDID: z3.string().optional(),
+  /** When this delegation was created (accepts Date or ISO string from JSON) */
+  createdAt: z3.coerce.date().optional(),
+  /** Parent delegation CID if this is a sub-delegation */
+  parentCid: z3.string().optional(),
+  /** Whether sub-delegation is allowed */
+  allowSubDelegation: z3.boolean().optional(),
+  /** Authorization header (UCAN bearer token) */
+  authHeader: z3.string().optional()
+});
+var CapabilityEntrySchema = z3.object({
+  /** Resource URI this capability applies to */
+  resource: z3.string(),
+  /** Action this capability authorizes */
+  action: z3.string(),
+  /** Keys that can exercise this capability, ordered by priority */
+  keys: z3.array(KeyInfoSchema),
+  /** The delegation that grants this capability */
+  delegation: DelegationSchema,
+  /** When this capability expires (accepts Date or ISO string from JSON) */
+  expiresAt: z3.coerce.date().optional()
+});
+var DelegationRecordSchema = z3.object({
+  /** Content identifier (CID) of the delegation */
+  cid: z3.string(),
+  /** Space ID this delegation applies to */
+  spaceId: z3.string(),
+  /** DID of the delegator (grantor) */
+  delegator: z3.string(),
+  /** DID of the delegatee (recipient) */
+  delegatee: z3.string(),
+  /** Key ID used to sign/exercise this delegation */
+  keyId: z3.string().optional(),
+  /** Resource path pattern this delegation grants access to */
+  path: z3.string(),
+  /** Actions this delegation authorizes */
+  actions: z3.array(z3.string()),
+  /** When this delegation expires (accepts Date or ISO string from JSON) */
+  expiry: z3.coerce.date().optional(),
+  /** When this delegation becomes valid (not before) (accepts Date or ISO string) */
+  notBefore: z3.coerce.date().optional(),
+  /** Whether this delegation has been revoked */
+  isRevoked: z3.boolean(),
+  /** When this delegation was created (accepts Date or ISO string from JSON) */
+  createdAt: z3.coerce.date(),
+  /** Parent delegation CID if this is a sub-delegation */
+  parentCid: z3.string().optional()
+});
+var CreateDelegationParamsSchema = z3.object({
+  /** DID of the delegate (the party receiving the delegation) */
+  delegateDID: z3.string(),
+  /** Resource path this delegation grants access to */
+  path: z3.string(),
+  /** Actions to authorize */
+  actions: z3.array(z3.string()),
+  /** When this delegation expires (accepts Date or ISO string) */
+  expiry: z3.coerce.date().optional(),
+  /** Whether to disable sub-delegation */
+  disableSubDelegation: z3.boolean().optional(),
+  /** Optional statement for the SIWE message */
+  statement: z3.string().optional()
+});
+var DelegationChainSchema = z3.array(DelegationSchema);
+var DelegationChainV2Schema = z3.object({
+  /** The root delegation from the original authority */
+  root: DelegationSchema,
+  /** Intermediate delegations in the chain (may be empty) */
+  chain: z3.array(DelegationSchema),
+  /** The final delegation to the current user */
+  leaf: DelegationSchema
+});
+var DelegationDirectionSchema = z3.enum(["granted", "received", "all"]);
+var DelegationFiltersSchema = z3.object({
+  /** Filter by delegation direction */
+  direction: DelegationDirectionSchema.optional(),
+  /** Filter by resource path pattern */
+  path: z3.string().optional(),
+  /** Filter by required actions */
+  actions: z3.array(z3.string()).optional(),
+  /** Include revoked delegations */
+  includeRevoked: z3.boolean().optional(),
+  /** Filter by delegator DID */
+  delegator: z3.string().optional(),
+  /** Filter by delegatee DID */
+  delegatee: z3.string().optional(),
+  /** Only include delegations valid at this time */
+  validAt: z3.coerce.date().optional(),
+  /** Maximum number of results to return */
+  limit: z3.number().optional(),
+  /** Cursor for pagination */
+  cursor: z3.string().optional()
+});
+var SpaceOwnershipSchema = z3.enum(["owned", "delegated"]);
+var SpaceInfoSchema = z3.object({
+  /** Space identifier */
+  id: z3.string(),
+  /** Human-readable name for the space */
+  name: z3.string().optional(),
+  /** DID of the space owner */
+  owner: z3.string(),
+  /** Whether user owns or has delegated access */
+  type: SpaceOwnershipSchema,
+  /** Permissions the user has in this space */
+  permissions: z3.array(z3.string()).optional(),
+  /** When the access expires (for delegated spaces) */
+  expiresAt: z3.coerce.date().optional()
+});
+var ShareSchemaSchema = z3.enum(["base64", "compact", "ipfs"]);
+var ShareLinkSchema = z3.object({
+  /** Unique token identifying this share link */
+  token: z3.string(),
+  /** Full URL for sharing */
+  url: z3.string(),
+  /** The delegation this link grants access to */
+  delegation: DelegationSchema,
+  /** Encoding schema used for the link */
+  schema: ShareSchemaSchema,
+  /** When this share link expires */
+  expiresAt: z3.coerce.date().optional(),
+  /** Human-readable description of what is being shared */
+  description: z3.string().optional()
+});
+function createShareLinkDataSchema(dataSchema) {
+  return z3.object({
+    /** The retrieved data */
+    data: dataSchema,
+    /** The delegation that authorized this access */
+    delegation: DelegationSchema,
+    /** The space the data belongs to */
+    spaceId: z3.string(),
+    /** The resource path that was accessed */
+    path: z3.string()
+  });
+}
+var ShareLinkDataSchema = createShareLinkDataSchema(z3.unknown());
+var IngestOptionsSchema = z3.object({
+  /** Whether to persist the delegation to storage */
+  persist: z3.boolean().optional(),
+  /** Whether to validate the full delegation chain */
+  validateChain: z3.boolean().optional(),
+  /** Name for the ingested key */
+  keyName: z3.string().optional(),
+  /** Whether to create a session key for this delegation */
+  createSessionKey: z3.boolean().optional(),
+  /** Override the priority for the ingested key */
+  priority: z3.number().optional()
+});
+var GenerateShareParamsSchema = z3.object({
+  /** Resource path to share */
+  path: z3.string(),
+  /** Actions to authorize */
+  actions: z3.array(z3.string()).optional(),
+  /** When the share link expires */
+  expiry: z3.coerce.date().optional(),
+  /** Encoding schema for the link */
+  schema: ShareSchemaSchema.optional(),
+  /** Human-readable description */
+  description: z3.string().optional(),
+  /** Base URL for the share link */
+  baseUrl: z3.string().optional()
+});
+var DelegationManagerConfigSchema = z3.object({
+  /** TinyCloud host URLs */
+  hosts: z3.array(z3.string()),
+  /** Active session for authentication */
+  session: z3.unknown().refine(
+    (val) => val !== null && typeof val === "object",
+    { message: "Expected a ServiceSession object" }
+  ),
+  /** Platform-specific invoke function */
+  invoke: z3.unknown().refine(
+    (val) => typeof val === "function",
+    { message: "Expected an invoke function" }
+  ),
+  /** Optional custom fetch implementation */
+  fetch: z3.unknown().refine(
+    (val) => val === void 0 || typeof val === "function",
+    { message: "Expected a fetch function or undefined" }
+  ).optional()
+});
+var KeyProviderSchema = z3.object({
+  /** Generate a new session key, returns key ID */
+  createSessionKey: z3.unknown().refine(
+    (val) => typeof val === "function",
+    { message: "Expected a function" }
+  ),
+  /** Get JWK for a key */
+  getJWK: z3.unknown().refine(
+    (val) => typeof val === "function",
+    { message: "Expected a function" }
+  ),
+  /** Get DID for a key */
+  getDID: z3.unknown().refine(
+    (val) => typeof val === "function",
+    { message: "Expected a function" }
+  )
+});
+var DelegationApiResponseSchema = z3.object({
+  /** SIWE message content */
+  siwe: z3.string(),
+  /** Signature of the SIWE message */
+  signature: z3.string(),
+  /** Delegation version */
+  version: z3.number(),
+  /** CID of the created delegation */
+  cid: z3.string().optional()
+});
+var CreateDelegationWasmParamsSchema = z3.object({
+  /** The session containing delegation credentials */
+  session: z3.unknown().refine(
+    (val) => val !== null && typeof val === "object",
+    { message: "Expected a ServiceSession object" }
+  ),
+  /** DID of the delegate */
+  delegateDID: z3.string(),
+  /** Space ID this delegation applies to */
+  spaceId: z3.string(),
+  /** Resource path this delegation grants access to */
+  path: z3.string(),
+  /** Actions to authorize */
+  actions: z3.array(z3.string()),
+  /** Expiration time in seconds since Unix epoch */
+  expirationSecs: z3.number(),
+  /** Optional not-before time in seconds since Unix epoch */
+  notBeforeSecs: z3.number().optional()
+});
+var CreateDelegationWasmResultSchema = z3.object({
+  /** Base64url-encoded UCAN delegation */
+  delegation: z3.string(),
+  /** CID of the delegation */
+  cid: z3.string(),
+  /** DID of the delegate */
+  delegateDID: z3.string(),
+  /** Resource path the delegation grants access to */
+  path: z3.string(),
+  /** Actions the delegation authorizes */
+  actions: z3.array(z3.string()),
+  /** Expiration time */
+  expiry: z3.coerce.date()
+});
+
+// src/spaces/spaces.schema.ts
+var SpaceConfigSchema = z4.object({
+  /** The space identifier (full URI) */
+  id: z4.string(),
+  /** The short name of the space */
+  name: z4.string(),
+  /** Factory function to create a space-scoped KV service */
+  createKV: z4.function(),
+  /** Factory function to create space-scoped delegations */
+  createDelegations: z4.function(),
+  /** Factory function to create space-scoped sharing */
+  createSharing: z4.function(),
+  /** Function to get space info */
+  getInfo: z4.function()
+});
+var SpaceServiceConfigSchema = z4.object({
+  /** TinyCloud host URLs */
+  hosts: z4.array(z4.string()),
+  /** Active session for authentication */
+  session: z4.unknown(),
+  /** Platform-specific invoke function */
+  invoke: z4.function(),
+  /** Optional custom fetch implementation */
+  fetch: z4.function().optional(),
+  /** Optional capability key registry for delegated space discovery */
+  capabilityRegistry: z4.unknown().optional(),
+  /** Factory function to create a space-scoped KV service */
+  createKVService: z4.function().optional(),
+  /** User's PKH DID (derived from address or provided explicitly) */
+  userDid: z4.string().optional(),
+  /** Optional SharingService for v2 sharing links (client-side) */
+  sharingService: z4.unknown().optional(),
+  /** Factory function to create delegations using SIWE-based flow */
+  createDelegation: z4.function().optional()
+});
+var SpaceDelegationParamsSchema = CreateDelegationParamsSchema.extend({
+  /** The space ID to create the delegation for */
+  spaceId: z4.string()
+});
+var ServerDelegationInfoSchema = z4.object({
+  /** DID of the delegator */
+  delegator: z4.string(),
+  /** DID of the delegate */
+  delegate: z4.string(),
+  /** Parent delegation CIDs - accepts string or byte array format from server */
+  parents: z4.array(z4.union([z4.string(), z4.array(z4.number())])),
+  /** Expiration time (ISO8601 string) */
+  expiry: z4.string().optional(),
+  /** Not-before time (ISO8601 string) */
+  not_before: z4.string().optional(),
+  /** Issued-at time (ISO8601 string) */
+  issued_at: z4.string().optional(),
+  /** Capabilities granted by this delegation */
+  capabilities: z4.array(
+    z4.object({
+      resource: z4.string(),
+      ability: z4.string()
+    })
+  )
+});
+var ServerDelegationsResponseSchema = z4.record(
+  z4.string(),
+  ServerDelegationInfoSchema
+);
+var ServerOwnedSpaceSchema = z4.object({
+  /** Space identifier */
+  id: z4.string(),
+  /** Space name (optional, can be derived from id) */
+  name: z4.string().optional(),
+  /** Owner DID */
+  owner: z4.string(),
+  /** Creation timestamp */
+  createdAt: z4.string().optional()
+});
+var ServerOwnedSpacesResponseSchema = z4.array(ServerOwnedSpaceSchema);
+var ServerCreateSpaceResponseSchema = z4.object({
+  /** Space identifier */
+  id: z4.string(),
+  /** Space name */
+  name: z4.string(),
+  /** Owner DID */
+  owner: z4.string(),
+  /** Creation timestamp */
+  createdAt: z4.string().optional()
+});
+var ServerSpaceInfoResponseSchema = z4.object({
+  /** Space identifier */
+  id: z4.string(),
+  /** Space name (optional) */
+  name: z4.string().optional(),
+  /** Owner DID */
+  owner: z4.string(),
+  /** Ownership type */
+  type: z4.enum(["owned", "delegated"]).optional(),
+  /** Permissions the user has in this space */
+  permissions: z4.array(z4.string()).optional(),
+  /** Expiration for delegated access */
+  expiresAt: z4.string().optional()
+});
+function validateServerDelegationsResponse(data) {
+  if (data === null || data === void 0) {
+    return { ok: true, data: {} };
+  }
+  if (Array.isArray(data)) {
+    return { ok: true, data: {} };
+  }
+  const result = ServerDelegationsResponseSchema.safeParse(data);
+  if (!result.success) {
+    return {
+      ok: false,
+      error: {
+        code: "VALIDATION_ERROR",
+        message: `Invalid server delegations response: ${result.error.message}`,
+        service: "space",
+        meta: { issues: result.error.issues }
+      }
+    };
+  }
+  return { ok: true, data: result.data };
+}
+function validateServerOwnedSpacesResponse(data) {
+  const result = ServerOwnedSpacesResponseSchema.safeParse(data);
+  if (!result.success) {
+    return {
+      ok: false,
+      error: {
+        code: "VALIDATION_ERROR",
+        message: `Invalid server owned spaces response: ${result.error.message}`,
+        service: "space",
+        meta: { issues: result.error.issues }
+      }
+    };
+  }
+  return { ok: true, data: result.data };
+}
+function validateServerCreateSpaceResponse(data) {
+  const result = ServerCreateSpaceResponseSchema.safeParse(data);
+  if (!result.success) {
+    return {
+      ok: false,
+      error: {
+        code: "VALIDATION_ERROR",
+        message: `Invalid server create space response: ${result.error.message}`,
+        service: "space",
+        meta: { issues: result.error.issues }
+      }
+    };
+  }
+  return { ok: true, data: result.data };
+}
+function validateServerSpaceInfoResponse(data) {
+  const result = ServerSpaceInfoResponseSchema.safeParse(data);
+  if (!result.success) {
+    return {
+      ok: false,
+      error: {
+        code: "VALIDATION_ERROR",
+        message: `Invalid server space info response: ${result.error.message}`,
+        service: "space",
+        meta: { issues: result.error.issues }
+      }
+    };
+  }
+  return { ok: true, data: result.data };
+}
+
+// src/spaces/SpaceService.ts
+var SERVICE_NAME = "space";
+var SpaceErrorCodes = {
+  /** Space not found */
+  NOT_FOUND: "SPACE_NOT_FOUND",
+  /** Space already exists */
+  ALREADY_EXISTS: "SPACE_ALREADY_EXISTS",
+  /** Creation failed */
+  CREATION_FAILED: "SPACE_CREATION_FAILED",
+  /** Authentication required */
+  AUTH_REQUIRED: "AUTH_REQUIRED",
+  /** Invalid space name or URI */
+  INVALID_NAME: "INVALID_SPACE_NAME",
+  /** Network error */
+  NETWORK_ERROR: "NETWORK_ERROR",
+  /** Not initialized */
+  NOT_INITIALIZED: "NOT_INITIALIZED"
+};
+function makePublicSpaceId(address, chainId) {
+  return `tinycloud:pkh:eip155:${chainId}:${address}:public`;
+}
+function parseSpaceUri(uri) {
+  const fullUriMatch = uri.match(
+    /^tinycloud:pkh:eip155:(\d+):(0x[a-fA-F0-9]{40}):(.+)$/
+  );
+  if (fullUriMatch) {
+    const [, chainId, address, name] = fullUriMatch;
+    return {
+      owner: `did:pkh:eip155:${chainId}:${address}`,
+      name,
+      chainId,
+      address
+    };
+  }
+  if (/^[a-zA-Z0-9_-]+$/.test(uri)) {
+    return {
+      owner: "",
+      // Will be filled in from session
+      name: uri
+    };
+  }
+  return null;
+}
+function buildSpaceUri(owner, name) {
+  const pkhMatch = owner.match(/^did:pkh:eip155:(\d+):(0x[a-fA-F0-9]{40})$/);
+  if (pkhMatch) {
+    const [, chainId, address] = pkhMatch;
+    return `tinycloud:pkh:eip155:${chainId}:${address}:${name}`;
+  }
+  return `tinycloud:${owner}:${name}`;
+}
+function transformServerDelegations(validatedData, defaultSpaceId) {
+  const result = [];
+  for (const [cid, info] of Object.entries(validatedData)) {
+    const capabilities = info.capabilities;
+    let path = "";
+    let spaceId = defaultSpaceId;
+    const actions = [];
+    for (const cap of capabilities) {
+      actions.push(cap.ability);
+      const resourceMatch = cap.resource.match(
+        /^(tinycloud:pkh:eip155:\d+:0x[a-fA-F0-9]+:[^/]+)\/[^/]+\/(.*)$/
+      );
+      if (resourceMatch) {
+        spaceId = resourceMatch[1];
+        path = resourceMatch[2] || "";
+      }
+    }
+    const firstStringParent = info.parents?.find((p) => typeof p === "string");
+    result.push({
+      cid,
+      delegateDID: info.delegate,
+      delegatorDID: info.delegator,
+      spaceId,
+      path,
+      actions,
+      expiry: info.expiry ? new Date(info.expiry) : new Date(Date.now() + 24 * 60 * 60 * 1e3),
+      isRevoked: false,
+      createdAt: info.issued_at ? new Date(info.issued_at) : void 0,
+      parentCid: firstStringParent
+    });
+  }
+  return result;
+}
+var SpaceService = class {
+  /**
+   * Create a new SpaceService instance.
+   *
+   * @param config - Service configuration
+   */
+  constructor(config) {
+    /** Cache of created Space objects */
+    this.spaceCache = /* @__PURE__ */ new Map();
+    /** Cache of space info */
+    this.infoCache = /* @__PURE__ */ new Map();
+    /** Cache TTL in milliseconds (5 minutes) */
+    this.cacheTTL = 5 * 60 * 1e3;
+    this.hosts = config.hosts;
+    this.session = config.session;
+    this.invoke = config.invoke;
+    this.fetchFn = config.fetch ?? globalThis.fetch.bind(globalThis);
+    this.capabilityRegistry = config.capabilityRegistry;
+    this.createKVServiceFn = config.createKVService;
+    this._userDid = config.userDid;
+    this.sharingService = config.sharingService;
+    this.createDelegationFn = config.createDelegation;
+  }
+  /**
+   * Update the service configuration.
+   */
+  updateConfig(config) {
+    if (config.hosts) this.hosts = config.hosts;
+    if (config.session) this.session = config.session;
+    if (config.invoke) this.invoke = config.invoke;
+    if (config.fetch) this.fetchFn = config.fetch;
+    if (config.capabilityRegistry) this.capabilityRegistry = config.capabilityRegistry;
+    if (config.createKVService) this.createKVServiceFn = config.createKVService;
+    if (config.userDid !== void 0) this._userDid = config.userDid;
+    if (config.sharingService) this.sharingService = config.sharingService;
+    if (config.createDelegation) this.createDelegationFn = config.createDelegation;
+    this.spaceCache.clear();
+    this.infoCache.clear();
+  }
+  /**
+   * Get the current user's primary space ID.
+   */
+  getCurrentSpaceId() {
+    return this.session?.spaceId;
+  }
+  /**
+   * Get the primary host URL.
+   */
+  get host() {
+    return this.hosts[0];
+  }
+  /**
+   * Get the current user's PKH DID.
+   */
+  get userDid() {
+    if (this._userDid) {
+      return this._userDid;
+    }
+    return void 0;
+  }
+  // ===========================================================================
+  // List Spaces
+  // ===========================================================================
+  /**
+   * List all spaces the user has access to.
+   *
+   * Combines owned spaces (from the server) with delegated spaces
+   * (from the capability registry).
+   */
+  async list() {
+    if (!this.session) {
+      return err(
+        serviceError(SpaceErrorCodes.AUTH_REQUIRED, "Authentication required", SERVICE_NAME)
+      );
+    }
+    try {
+      const spaces = [];
+      const ownedResult = await this.listOwnedSpaces();
+      if (ownedResult.ok) {
+        spaces.push(...ownedResult.data);
+      }
+      if (this.capabilityRegistry) {
+        const delegatedSpaces = this.discoverDelegatedSpaces();
+        spaces.push(...delegatedSpaces);
+      }
+      const uniqueSpaces = this.deduplicateSpaces(spaces);
+      return ok(uniqueSpaces);
+    } catch (error) {
+      return err(
+        serviceError(
+          SpaceErrorCodes.NETWORK_ERROR,
+          `Failed to list spaces: ${String(error)}`,
+          SERVICE_NAME,
+          { cause: error instanceof Error ? error : void 0 }
+        )
+      );
+    }
+  }
+  /**
+   * List owned spaces from the server.
+   */
+  async listOwnedSpaces() {
+    try {
+      const headers = this.invoke(this.session, "space", "", "tinycloud.space/list");
+      const response = await this.fetchFn(`${this.host}/invoke`, {
+        method: "POST",
+        headers
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        return err(
+          serviceError(
+            SpaceErrorCodes.NETWORK_ERROR,
+            `Failed to list owned spaces: ${response.status} - ${errorText}`,
+            SERVICE_NAME,
+            { meta: { status: response.status } }
+          )
+        );
+      }
+      const rawData = await response.json();
+      const validationResult = validateServerOwnedSpacesResponse(rawData);
+      if (!validationResult.ok) {
+        return err(
+          serviceError(
+            SpaceErrorCodes.NETWORK_ERROR,
+            validationResult.error.message,
+            SERVICE_NAME,
+            { meta: validationResult.error.meta }
+          )
+        );
+      }
+      const spaces = validationResult.data.map((item) => ({
+        id: item.id,
+        name: item.name ?? this.extractNameFromId(item.id),
+        owner: item.owner,
+        type: "owned",
+        permissions: ["*"]
+        // Full permissions for owned spaces
+      }));
+      return ok(spaces);
+    } catch (error) {
+      return err(
+        serviceError(
+          SpaceErrorCodes.NETWORK_ERROR,
+          `Network error listing owned spaces: ${String(error)}`,
+          SERVICE_NAME,
+          { cause: error instanceof Error ? error : void 0 }
+        )
+      );
+    }
+  }
+  /**
+   * Discover delegated spaces from the capability registry.
+   */
+  discoverDelegatedSpaces() {
+    if (!this.capabilityRegistry) {
+      return [];
+    }
+    const spaces = /* @__PURE__ */ new Map();
+    const capabilities = this.capabilityRegistry.getAllCapabilities();
+    for (const capability of capabilities) {
+      const spaceId = capability.delegation.spaceId;
+      if (spaces.has(spaceId)) {
+        const existing = spaces.get(spaceId);
+        if (existing.permissions) {
+          const actions = capability.delegation.actions;
+          for (const action of actions) {
+            if (!existing.permissions.includes(action)) {
+              existing.permissions.push(action);
+            }
+          }
+        }
+        continue;
+      }
+      if (spaceId === this.session?.spaceId) {
+        continue;
+      }
+      const parsed = parseSpaceUri(spaceId);
+      spaces.set(spaceId, {
+        id: spaceId,
+        name: parsed?.name ?? this.extractNameFromId(spaceId),
+        owner: capability.delegation.delegatorDID ?? parsed?.owner ?? "",
+        type: "delegated",
+        permissions: [...capability.delegation.actions],
+        expiresAt: capability.expiresAt
+      });
+    }
+    return Array.from(spaces.values());
+  }
+  /**
+   * Extract space name from a full space ID.
+   */
+  extractNameFromId(id) {
+    const parsed = parseSpaceUri(id);
+    if (parsed) {
+      return parsed.name;
+    }
+    const parts = id.split(":");
+    return parts[parts.length - 1] || id;
+  }
+  /**
+   * Deduplicate spaces, preferring owned over delegated.
+   */
+  deduplicateSpaces(spaces) {
+    const seen = /* @__PURE__ */ new Map();
+    for (const space of spaces) {
+      const existing = seen.get(space.id);
+      if (!existing || existing.type === "delegated" && space.type === "owned") {
+        seen.set(space.id, space);
+      }
+    }
+    return Array.from(seen.values());
+  }
+  // ===========================================================================
+  // Create Space
+  // ===========================================================================
+  /**
+   * Create a new space.
+   *
+   * @param name - The name for the new space
+   */
+  async create(name) {
+    if (!this.session) {
+      return err(
+        serviceError(SpaceErrorCodes.AUTH_REQUIRED, "Authentication required", SERVICE_NAME)
+      );
+    }
+    if (!name || !/^[a-zA-Z0-9_-]+$/.test(name)) {
+      return err(
+        serviceError(
+          SpaceErrorCodes.INVALID_NAME,
+          "Space name must contain only alphanumeric characters, underscores, and hyphens",
+          SERVICE_NAME
+        )
+      );
+    }
+    try {
+      const headers = this.invoke(this.session, "space", name, "tinycloud.space/create");
+      const response = await this.fetchFn(`${this.host}/invoke`, {
+        method: "POST",
+        headers,
+        body: JSON.stringify({ name })
+      });
+      if (!response.ok) {
+        const errorText = await response.text();
+        if (response.status === 409) {
+          return err(
+            serviceError(
+              SpaceErrorCodes.ALREADY_EXISTS,
+              `Space "${name}" already exists`,
+              SERVICE_NAME
+            )
+          );
+        }
+        return err(
+          serviceError(
+            SpaceErrorCodes.CREATION_FAILED,
+            `Failed to create space: ${response.status} - ${errorText}`,
+            SERVICE_NAME,
+            { meta: { status: response.status } }
+          )
+        );
+      }
+      const rawData = await response.json();
+      const validationResult = validateServerCreateSpaceResponse(rawData);
+      if (!validationResult.ok) {
+        return err(
+          serviceError(
+            SpaceErrorCodes.CREATION_FAILED,
+            validationResult.error.message,
+            SERVICE_NAME,
+            { meta: validationResult.error.meta }
+          )
+        );
+      }
+      const spaceInfo = {
+        id: validationResult.data.id,
+        name: validationResult.data.name || name,
+        owner: validationResult.data.owner || this.userDid || "",
+        type: "owned",
+        permissions: ["*"]
+      };
+      this.infoCache.set(spaceInfo.id, { info: spaceInfo, cachedAt: Date.now() });
+      return ok(spaceInfo);
+    } catch (error) {
+      return err(
+        serviceError(
+          SpaceErrorCodes.NETWORK_ERROR,
+          `Network error creating space: ${String(error)}`,
+          SERVICE_NAME,
+          { cause: error instanceof Error ? error : void 0 }
+        )
+      );
+    }
+  }
+  // ===========================================================================
+  // Get Space
+  // ===========================================================================
+  /**
+   * Get a Space object by name or full URI.
+   *
+   * @param nameOrUri - Short name or full URI
+   */
+  get(nameOrUri) {
+    const spaceId = this.resolveSpaceId(nameOrUri);
+    const cached = this.spaceCache.get(spaceId);
+    if (cached) {
+      return cached;
+    }
+    const parsed = parseSpaceUri(spaceId);
+    const name = parsed?.name ?? this.extractNameFromId(spaceId);
+    const config = {
+      id: spaceId,
+      name,
+      createKV: this.createSpaceScopedKV.bind(this),
+      createDelegations: this.createSpaceScopedDelegations.bind(this),
+      createSharing: this.createSpaceScopedSharing.bind(this),
+      getInfo: this.getSpaceInfo.bind(this)
+    };
+    const space = new Space(config);
+    this.spaceCache.set(spaceId, space);
+    return space;
+  }
+  /**
+   * Resolve a name or URI to a full space ID.
+   */
+  resolveSpaceId(nameOrUri) {
+    const parsed = parseSpaceUri(nameOrUri);
+    if (!parsed) {
+      return nameOrUri;
+    }
+    if (parsed.owner) {
+      return nameOrUri;
+    }
+    if (this.userDid) {
+      return buildSpaceUri(this.userDid, parsed.name);
+    }
+    return nameOrUri;
+  }
+  // ===========================================================================
+  // Exists Check
+  // ===========================================================================
+  /**
+   * Check if a space exists and the user has access.
+   */
+  async exists(nameOrUri) {
+    const spaceId = this.resolveSpaceId(nameOrUri);
+    const cached = this.infoCache.get(spaceId);
+    if (cached && Date.now() - cached.cachedAt < this.cacheTTL) {
+      return ok(true);
+    }
+    const infoResult = await this.getSpaceInfo(spaceId);
+    return ok(infoResult.ok);
+  }
+  // ===========================================================================
+  // Space Info
+  // ===========================================================================
+  /**
+   * Get space info from server or cache.
+   */
+  async getSpaceInfo(spaceId) {
+    const cached = this.infoCache.get(spaceId);
+    if (cached && Date.now() - cached.cachedAt < this.cacheTTL) {
+      return ok(cached.info);
+    }
+    if (!this.session) {
+      return err(
+        serviceError(SpaceErrorCodes.AUTH_REQUIRED, "Authentication required", SERVICE_NAME)
+      );
+    }
+    try {
+      const headers = this.invoke(this.session, "space", spaceId, "tinycloud.space/info");
+      const response = await this.fetchFn(`${this.host}/invoke`, {
+        method: "POST",
+        headers,
+        body: JSON.stringify({ spaceId })
+      });
+      if (!response.ok) {
+        if (response.status === 404) {
+          return err(
+            serviceError(SpaceErrorCodes.NOT_FOUND, `Space not found: ${spaceId}`, SERVICE_NAME)
+          );
+        }
+        const errorText = await response.text();
+        return err(
+          serviceError(
+            SpaceErrorCodes.NETWORK_ERROR,
+            `Failed to get space info: ${response.status} - ${errorText}`,
+            SERVICE_NAME
+          )
+        );
+      }
+      const rawData = await response.json();
+      const validationResult = validateServerSpaceInfoResponse(rawData);
+      if (!validationResult.ok) {
+        return err(
+          serviceError(
+            SpaceErrorCodes.NETWORK_ERROR,
+            validationResult.error.message,
+            SERVICE_NAME,
+            { meta: validationResult.error.meta }
+          )
+        );
+      }
+      const data = validationResult.data;
+      const spaceInfo = {
+        id: data.id,
+        name: data.name ?? this.extractNameFromId(data.id),
+        owner: data.owner,
+        type: data.type ?? (data.owner === this.userDid ? "owned" : "delegated"),
+        permissions: data.permissions,
+        expiresAt: data.expiresAt ? new Date(data.expiresAt) : void 0
+      };
+      this.infoCache.set(spaceId, { info: spaceInfo, cachedAt: Date.now() });
+      return ok(spaceInfo);
+    } catch (error) {
+      return err(
+        serviceError(
+          SpaceErrorCodes.NETWORK_ERROR,
+          `Network error getting space info: ${String(error)}`,
+          SERVICE_NAME,
+          { cause: error instanceof Error ? error : void 0 }
+        )
+      );
+    }
+  }
+  // ===========================================================================
+  // Space-Scoped Service Factories
+  // ===========================================================================
+  /**
+   * Create a space-scoped KV service.
+   */
+  createSpaceScopedKV(spaceId) {
+    if (this.createKVServiceFn) {
+      return this.createKVServiceFn(spaceId);
+    }
+    return new Proxy({}, {
+      get: () => {
+        throw new Error(
+          "KV service factory not configured. Provide createKVService in SpaceServiceConfig."
+        );
+      }
+    });
+  }
+  /**
+   * Create space-scoped delegation operations.
+   */
+  createSpaceScopedDelegations(spaceId) {
+    const self = this;
+    return {
+      async list() {
+        try {
+          const facts = [
+            {
+              capabilitiesReadParams: {
+                type: "list",
+                filters: { direction: "created" }
+              }
+            }
+          ];
+          const headers = self.invoke(
+            self.session,
+            "capabilities",
+            "all",
+            "tinycloud.capabilities/read",
+            facts
+          );
+          const response = await self.fetchFn(`${self.host}/invoke`, {
+            method: "POST",
+            headers
+          });
+          if (!response.ok) {
+            const errorText = await response.text();
+            return err(
+              serviceError(
+                SpaceErrorCodes.NETWORK_ERROR,
+                `Failed to list delegations: ${response.status} - ${errorText}`,
+                SERVICE_NAME
+              )
+            );
+          }
+          const rawData = await response.json();
+          const validationResult = validateServerDelegationsResponse(rawData);
+          if (!validationResult.ok) {
+            return err(
+              serviceError(
+                SpaceErrorCodes.NETWORK_ERROR,
+                validationResult.error.message,
+                SERVICE_NAME,
+                { meta: validationResult.error.meta }
+              )
+            );
+          }
+          const delegations = transformServerDelegations(validationResult.data, spaceId);
+          return ok(delegations);
+        } catch (error) {
+          return err(
+            serviceError(
+              SpaceErrorCodes.NETWORK_ERROR,
+              `Network error listing delegations: ${String(error)}`,
+              SERVICE_NAME
+            )
+          );
+        }
+      },
+      async listReceived() {
+        try {
+          const facts = [
+            {
+              capabilitiesReadParams: {
+                type: "list",
+                filters: { direction: "received" }
+              }
+            }
+          ];
+          const headers = self.invoke(
+            self.session,
+            "capabilities",
+            "all",
+            "tinycloud.capabilities/read",
+            facts
+          );
+          const response = await self.fetchFn(`${self.host}/invoke`, {
+            method: "POST",
+            headers
+          });
+          if (!response.ok) {
+            const errorText = await response.text();
+            return err(
+              serviceError(
+                SpaceErrorCodes.NETWORK_ERROR,
+                `Failed to list received delegations: ${response.status} - ${errorText}`,
+                SERVICE_NAME
+              )
+            );
+          }
+          const rawData = await response.json();
+          const validationResult = validateServerDelegationsResponse(rawData);
+          if (!validationResult.ok) {
+            return err(
+              serviceError(
+                SpaceErrorCodes.NETWORK_ERROR,
+                validationResult.error.message,
+                SERVICE_NAME,
+                { meta: validationResult.error.meta }
+              )
+            );
+          }
+          const delegations = transformServerDelegations(validationResult.data, spaceId);
+          return ok(delegations);
+        } catch (error) {
+          return err(
+            serviceError(
+              SpaceErrorCodes.NETWORK_ERROR,
+              `Network error listing received delegations: ${String(error)}`,
+              SERVICE_NAME
+            )
+          );
+        }
+      },
+      async create(params) {
+        if (self.createDelegationFn) {
+          return self.createDelegationFn({ ...params, spaceId });
+        }
+        return err(
+          serviceError(
+            SpaceErrorCodes.NOT_INITIALIZED,
+            "Delegation creation requires a createDelegation function. This should be provided by the platform SDK (web-sdk or node-sdk).",
+            SERVICE_NAME
+          )
+        );
+      },
+      async revoke(cid) {
+        try {
+          const headers = self.invoke(
+            self.session,
+            "delegation",
+            cid,
+            "tinycloud.delegation/revoke"
+          );
+          const response = await self.fetchFn(`${self.host}/revoke`, {
+            method: "POST",
+            headers,
+            body: JSON.stringify({ cid, spaceId })
+          });
+          if (!response.ok) {
+            const errorText = await response.text();
+            return err(
+              serviceError(
+                SpaceErrorCodes.NETWORK_ERROR,
+                `Failed to revoke delegation: ${response.status} - ${errorText}`,
+                SERVICE_NAME
+              )
+            );
+          }
+          return ok(void 0);
+        } catch (error) {
+          return err(
+            serviceError(
+              SpaceErrorCodes.NETWORK_ERROR,
+              `Network error revoking delegation: ${String(error)}`,
+              SERVICE_NAME
+            )
+          );
+        }
+      }
+    };
+  }
+  /**
+   * Create space-scoped sharing operations.
+   *
+   * When a SharingService is configured, delegates to client-side v2 sharing.
+   * V2 sharing links are self-contained with embedded private keys - no server tracking.
+   */
+  createSpaceScopedSharing(spaceId) {
+    const self = this;
+    return {
+      async generate(params) {
+        if (self.sharingService) {
+          const result = await self.sharingService.generate(params);
+          if (!result.ok) {
+            return err(
+              serviceError(
+                SpaceErrorCodes.NETWORK_ERROR,
+                result.error.message || "Failed to generate share link",
+                SERVICE_NAME
+              )
+            );
+          }
+          return ok(result.data);
+        }
+        return err(
+          serviceError(
+            SpaceErrorCodes.NOT_INITIALIZED,
+            "SharingService not configured. V2 sharing requires a SharingService instance.",
+            SERVICE_NAME
+          )
+        );
+      },
+      async list() {
+        return err(
+          serviceError(
+            SpaceErrorCodes.NOT_INITIALIZED,
+            "Listing share links is not supported in v2. Share links are self-contained tokens that are not tracked on the server.",
+            SERVICE_NAME
+          )
+        );
+      },
+      async revoke(token) {
+        return err(
+          serviceError(
+            SpaceErrorCodes.NOT_INITIALIZED,
+            "Revoking share links by token is not supported in v2. To revoke access, revoke the underlying delegation using space.delegations.revoke(cid).",
+            SERVICE_NAME
+          )
+        );
+      }
+    };
+  }
+};
+function createSpaceService(config) {
+  return new SpaceService(config);
+}
+
+// src/TinyCloud.ts
+var TinyCloud = class _TinyCloud {
+  /**
+   * Create a new TinyCloud SDK instance.
+   *
+   * @param userAuthorization - Platform-specific authorization implementation
+   * @param config - Optional SDK configuration
+   */
+  constructor(userAuthorization, config) {
+    /**
+     * Registered extensions.
+     */
+    this.extensions = [];
+    /**
+     * Registered services by name.
+     */
+    this._services = /* @__PURE__ */ new Map();
+    /**
+     * Whether services have been initialized.
+     */
+    this._servicesInitialized = false;
+    this.userAuthorization = userAuthorization;
+    this.config = config || {};
+  }
+  // === Service Management ===
+  /**
+   * Initialize services with platform dependencies.
+   * Must be called before using services.
+   *
+   * @param invoke - Platform-specific invoke function from WASM binding
+   * @param hosts - TinyCloud host URLs (optional, uses config.hosts)
+   * @param fetchFn - Custom fetch implementation (optional)
+   */
+  initializeServices(invoke, hosts, fetchFn) {
+    const effectiveInvoke = invoke ?? this.config.invoke;
+    const effectiveHosts = hosts ?? this.config.hosts;
+    if (!effectiveInvoke) {
+      throw new Error(
+        "invoke function is required to initialize services. Provide it via config.invoke or initializeServices()."
+      );
+    }
+    if (!effectiveHosts || effectiveHosts.length === 0) {
+      throw new Error(
+        "hosts are required to initialize services. Provide them via config.hosts or initializeServices()."
+      );
+    }
+    this._serviceContext = new ServiceContext({
+      invoke: effectiveInvoke,
+      fetch: fetchFn ?? this.config.fetch ?? globalThis.fetch.bind(globalThis),
+      hosts: effectiveHosts,
+      retryPolicy: this.config.retryPolicy
+    });
+    const serviceConstructors = {
+      kv: KVService,
+      sql: SQLService,
+      duckdb: DuckDbService,
+      ...this.config.services
+    };
+    for (const [name, ServiceClass] of Object.entries(serviceConstructors)) {
+      const serviceConfig = this.config.serviceConfigs?.[name] ?? {};
+      const service = new ServiceClass(serviceConfig);
+      service.initialize(this._serviceContext);
+      this._serviceContext.registerService(name, service);
+      this._services.set(name, service);
+    }
+    this._servicesInitialized = true;
+  }
+  /**
+   * Get the service context.
+   * @throws Error if services are not initialized
+   */
+  get serviceContext() {
+    if (!this._serviceContext) {
+      throw new Error(
+        "Services not initialized. Call initializeServices() first."
+      );
+    }
+    return this._serviceContext;
+  }
+  /**
+   * Get a registered service by name.
+   *
+   * @param name - Service name (e.g., 'kv')
+   * @returns The service instance or undefined
+   */
+  getService(name) {
+    return this._services.get(name);
+  }
+  /**
+   * Get the KV service.
+   * @throws Error if services are not initialized
+   */
+  get kv() {
+    if (!this._servicesInitialized) {
+      throw new Error(
+        "Services not initialized. Call initializeServices() first, or use TinyCloudWeb/TinyCloudNode which handles this automatically."
+      );
+    }
+    const service = this._services.get("kv");
+    if (!service) {
+      throw new Error("KV service is not registered.");
+    }
+    return service;
+  }
+  /**
+   * Get the SQL service.
+   * @throws Error if services are not initialized
+   */
+  get sql() {
+    if (!this._servicesInitialized) {
+      throw new Error(
+        "Services not initialized. Call initializeServices() first, or use TinyCloudWeb/TinyCloudNode which handles this automatically."
+      );
+    }
+    const service = this._services.get("sql");
+    if (!service) {
+      throw new Error("SQL service is not registered.");
+    }
+    return service;
+  }
+  /**
+   * Get the DuckDB service.
+   * @throws Error if services are not initialized
+   */
+  get duckdb() {
+    if (!this._servicesInitialized) {
+      throw new Error(
+        "Services not initialized. Call initializeServices() first, or use TinyCloudWeb/TinyCloudNode which handles this automatically."
+      );
+    }
+    const service = this._services.get("duckdb");
+    if (!service) {
+      throw new Error("DuckDB service is not registered.");
+    }
+    return service;
+  }
+  /**
+   * Get the Data Vault service.
+   * @throws Error if services are not initialized or vault service is not registered
+   */
+  get vault() {
+    if (!this._servicesInitialized) {
+      throw new Error(
+        "Services not initialized. Call initializeServices() first, or use TinyCloudWeb/TinyCloudNode which handles this automatically."
+      );
+    }
+    const service = this._services.get("vault");
+    if (!service) {
+      throw new Error("Vault service is not registered.");
+    }
+    return service;
+  }
+  /**
+   * Notify services of session change.
+   * Called internally after sign-in and sign-out.
+   *
+   * @param session - The new session, or null if signed out
+   */
+  notifyServicesOfSessionChange(session) {
+    if (this._serviceContext) {
+      this._serviceContext.setSession(session);
+    }
+  }
+  /**
+   * Abort all pending service operations.
+   * Called internally before sign-out.
+   */
+  abortServiceOperations() {
+    if (this._serviceContext) {
+      this._serviceContext.abort();
+    }
+  }
+  /**
+   * Convert ClientSession to ServiceSession.
+   * Returns null if session lacks required fields.
+   */
+  toServiceSession(clientSession) {
+    if (!clientSession) return null;
+    const tcSession = clientSession.tinycloudSession;
+    if (!tcSession) return null;
+    return {
+      delegationHeader: tcSession.delegationHeader,
+      delegationCid: tcSession.delegationCid,
+      spaceId: tcSession.spaceId,
+      verificationMethod: tcSession.verificationMethod,
+      jwk: tcSession.jwk
+    };
+  }
+  /**
+   * Add an extension to the SDK.
+   * Extensions can add capabilities and lifecycle hooks.
+   */
+  extend(extension) {
+    this.extensions.push(extension);
+    this.userAuthorization.extend(extension);
+  }
+  /**
+   * Check if an extension is enabled.
+   * @param namespace - The extension namespace to check
+   */
+  isExtensionEnabled(namespace) {
+    return this.extensions.some((ext) => ext.namespace === namespace);
+  }
+  // === Authentication Methods (delegate to userAuthorization) ===
+  /**
+   * Get the current session, if signed in.
+   */
+  get session() {
+    return this.userAuthorization.session;
+  }
+  /**
+   * Check if the user is signed in.
+   */
+  get isSignedIn() {
+    return !!this.userAuthorization.session;
+  }
+  /**
+   * Sign in and create a new session.
+   * Notifies services of the new session after successful sign-in.
+   * @returns The new session
+   */
+  async signIn() {
+    const session = await this.userAuthorization.signIn();
+    const serviceSession = this.toServiceSession(session);
+    this.notifyServicesOfSessionChange(serviceSession);
+    return session;
+  }
+  /**
+   * Sign out and clear the current session.
+   * Aborts pending service operations and notifies services.
+   */
+  async signOut() {
+    this.abortServiceOperations();
+    await this.userAuthorization.signOut();
+    this._publicKV = void 0;
+    this.notifyServicesOfSessionChange(null);
+  }
+  /**
+   * Get the current wallet address.
+   */
+  address() {
+    return this.userAuthorization.address();
+  }
+  /**
+   * Get the current chain ID.
+   */
+  chainId() {
+    return this.userAuthorization.chainId();
+  }
+  /**
+   * Sign a message with the connected wallet.
+   * @param message - Message to sign
+   */
+  async signMessage(message) {
+    return this.userAuthorization.signMessage(message);
+  }
+  /**
+   * Construct the deterministic public space ID for a given address and chain ID.
+   *
+   * @param address - Ethereum address (0x-prefixed)
+   * @param chainId - Chain ID (e.g., 1 for mainnet)
+   * @returns The public space ID
+   */
+  static makePublicSpaceId(address, chainId) {
+    return makePublicSpaceId(address, chainId);
+  }
+  /**
+   * Ensure the user's public space exists.
+   * Creates it via spaces.create('public') if it doesn't.
+   * Called automatically by modules that need to publish data.
+   *
+   * Requires the user to be signed in and services to be initialized.
+   */
+  async ensurePublicSpace() {
+    const address = this.address();
+    const chainId = this.chainId();
+    if (!address || !chainId) {
+      return err2(
+        serviceError2(
+          ErrorCodes.AUTH_REQUIRED,
+          "Must be signed in to ensure public space",
+          "public-space"
+        )
+      );
+    }
+    if (!this._serviceContext) {
+      return err2(
+        serviceError2(
+          ErrorCodes.AUTH_REQUIRED,
+          "Services not initialized. Call initializeServices() or signIn() first.",
+          "public-space"
+        )
+      );
+    }
+    const spaceId = makePublicSpaceId(address, chainId);
+    try {
+      const session = this._serviceContext.session;
+      if (!session) {
+        return err2(
+          serviceError2(
+            ErrorCodes.AUTH_REQUIRED,
+            "No active session",
+            "public-space"
+          )
+        );
+      }
+      const headers = this._serviceContext.invoke(
+        session,
+        "space",
+        spaceId,
+        "tinycloud.space/info"
+      );
+      const response = await this._serviceContext.fetch(
+        `${this._serviceContext.hosts[0]}/invoke`,
+        { method: "POST", headers, body: JSON.stringify({ spaceId }) }
+      );
+      if (response.ok) {
+        return ok2(void 0);
+      }
+      if (response.status === 404) {
+        const createHeaders = this._serviceContext.invoke(
+          session,
+          "space",
+          "public",
+          "tinycloud.space/create"
+        );
+        const createResponse = await this._serviceContext.fetch(
+          `${this._serviceContext.hosts[0]}/invoke`,
+          {
+            method: "POST",
+            headers: createHeaders,
+            body: JSON.stringify({ name: "public" })
+          }
+        );
+        if (!createResponse.ok) {
+          if (createResponse.status === 409) {
+            return ok2(void 0);
+          }
+          const errorText2 = await createResponse.text();
+          return err2(
+            serviceError2(
+              ErrorCodes.NETWORK_ERROR,
+              `Failed to create public space: ${createResponse.status} - ${errorText2}`,
+              "public-space"
+            )
+          );
+        }
+        return ok2(void 0);
+      }
+      const errorText = await response.text();
+      return err2(
+        serviceError2(
+          ErrorCodes.NETWORK_ERROR,
+          `Failed to check public space: ${response.status} - ${errorText}`,
+          "public-space"
+        )
+      );
+    } catch (error) {
+      return err2(
+        serviceError2(
+          ErrorCodes.NETWORK_ERROR,
+          `Network error ensuring public space: ${String(error)}`,
+          "public-space",
+          { cause: error instanceof Error ? error : void 0 }
+        )
+      );
+    }
+  }
+  /**
+   * Get a KVService scoped to the user's own public space.
+   * Writes require authentication (owner/delegate).
+   *
+   * @throws Error if not signed in or services not initialized
+   */
+  get publicKV() {
+    if (!this._servicesInitialized || !this._serviceContext) {
+      throw new Error(
+        "Services not initialized. Call initializeServices() first, or use TinyCloudWeb/TinyCloudNode which handles this automatically."
+      );
+    }
+    const address = this.address();
+    const chainId = this.chainId();
+    if (!address || !chainId) {
+      throw new Error("Must be signed in to access publicKV.");
+    }
+    if (this._publicKV) {
+      return this._publicKV;
+    }
+    const publicSpaceId = makePublicSpaceId(address, chainId);
+    const session = this._serviceContext.session;
+    if (!session) {
+      throw new Error("No active session. Sign in first.");
+    }
+    const publicKV = new KVService({ prefix: "" });
+    const publicContext = new ServiceContext({
+      invoke: this._serviceContext.invoke,
+      fetch: this._serviceContext.fetch,
+      hosts: this._serviceContext.hosts,
+      retryPolicy: this.config.retryPolicy
+    });
+    publicContext.setSession({
+      ...session,
+      spaceId: publicSpaceId
+    });
+    publicKV.initialize(publicContext);
+    this._publicKV = publicKV;
+    return this._publicKV;
+  }
+  /**
+   * Read from any user's public space (unauthenticated).
+   * Uses the public REST endpoint — no session needed.
+   *
+   * @param host - TinyCloud server URL (e.g., "https://node.tinycloud.xyz")
+   * @param spaceId - Full public space ID
+   * @param key - Key to read
+   * @param fetchFn - Optional custom fetch function
+   * @returns The data at the key
+   */
+  static async readPublicSpace(host, spaceId, key, fetchFn) {
+    const doFetch = fetchFn ?? globalThis.fetch.bind(globalThis);
+    const encodedKey = key.split("/").map(encodeURIComponent).join("/");
+    const url = `${host}/public/${encodeURIComponent(spaceId)}/kv/${encodedKey}`;
+    try {
+      const response = await doFetch(url, { method: "GET" });
+      if (!response.ok) {
+        if (response.status === 404) {
+          return err2(
+            serviceError2(
+              ErrorCodes.NOT_FOUND,
+              `Key not found: ${key} in space ${spaceId}`,
+              "public-space"
+            )
+          );
+        }
+        const errorText = await response.text();
+        return err2(
+          serviceError2(
+            ErrorCodes.NETWORK_ERROR,
+            `Failed to read public space: ${response.status} - ${errorText}`,
+            "public-space",
+            { meta: { status: response.status } }
+          )
+        );
+      }
+      const contentType = response.headers.get("content-type");
+      let data;
+      if (contentType?.includes("application/json")) {
+        data = await response.json();
+      } else {
+        const text = await response.text();
+        try {
+          data = JSON.parse(text);
+        } catch {
+          data = text;
+        }
+      }
+      return ok2(data);
+    } catch (error) {
+      return err2(
+        serviceError2(
+          ErrorCodes.NETWORK_ERROR,
+          `Network error reading public space: ${String(error)}`,
+          "public-space",
+          { cause: error instanceof Error ? error : void 0 }
+        )
+      );
+    }
+  }
+  /**
+   * Read from any user's public space by address (unauthenticated).
+   * Convenience method that constructs the space ID from address and chain ID.
+   *
+   * @param host - TinyCloud server URL
+   * @param address - Ethereum address (0x-prefixed)
+   * @param chainId - Chain ID (e.g., 1 for mainnet)
+   * @param key - Key to read
+   * @param fetchFn - Optional custom fetch function
+   * @returns The data at the key
+   */
+  static async readPublicKey(host, address, chainId, key, fetchFn) {
+    const spaceId = makePublicSpaceId(address, chainId);
+    return _TinyCloud.readPublicSpace(host, spaceId, key, fetchFn);
+  }
+};
+
+// src/index.ts
+import {
+  ServiceContext as ServiceContext2,
+  KVService as KVService2,
+  PrefixedKVService,
+  ok as ok4,
+  err as err4,
+  serviceError as serviceError4,
+  ErrorCodes as ErrorCodes2,
+  defaultRetryPolicy as defaultRetryPolicy2,
+  SQLService as SQLService2,
+  DatabaseHandle,
+  SQLAction,
+  DuckDbService as DuckDbService2,
+  DuckDbDatabaseHandle,
+  DuckDbAction,
+  DataVaultService,
+  VaultHeaders,
+  VaultPublicSpaceKVActions,
+  createVaultCrypto
+} from "@tinycloud/sdk-services";
+
+// src/space.ts
+async function fetchPeerId(host, spaceId) {
+  const res = await fetch(
+    `${host}/peer/generate/${encodeURIComponent(spaceId)}`
+  );
+  if (!res.ok) {
+    const error = await res.text().catch(() => res.statusText);
+    throw new Error(`Failed to get peer ID: ${res.status} - ${error}`);
+  }
+  return res.text();
+}
+async function submitHostDelegation(host, headers) {
+  const res = await fetch(`${host}/delegate`, {
+    method: "POST",
+    headers
+  });
+  return {
+    success: res.ok,
+    status: res.status,
+    error: res.ok ? void 0 : await res.text().catch(() => res.statusText)
+  };
+}
+async function activateSessionWithHost(host, delegationHeader) {
+  const res = await fetch(`${host}/delegate`, {
+    method: "POST",
+    headers: delegationHeader
+  });
+  if (res.ok) {
+    try {
+      const body = await res.json();
+      return {
+        success: true,
+        status: res.status,
+        activated: body.activated ?? [],
+        skipped: body.skipped ?? []
+      };
+    } catch {
+      return {
+        success: true,
+        status: res.status,
+        activated: [],
+        skipped: []
+      };
+    }
+  }
+  return {
+    success: false,
+    status: res.status,
+    error: await res.text().catch(() => res.statusText)
+  };
+}
+
+// src/delegations/DelegationManager.ts
+var DelegationAction = {
+  CREATE: "tinycloud.delegation/create",
+  REVOKE: "tinycloud.delegation/revoke",
+  LIST: "tinycloud.delegation/list",
+  GET: "tinycloud.delegation/get",
+  CHECK: "tinycloud.delegation/check"
+};
+function createError(code, message, cause, meta) {
+  return {
+    code,
+    message,
+    service: "delegation",
+    cause,
+    meta
+  };
+}
+var DelegationManager = class {
+  /**
+   * Creates a new DelegationManager instance.
+   *
+   * @param config - Configuration including hosts, session, and invoke function
+   */
+  constructor(config) {
+    this.hosts = config.hosts;
+    this.session = config.session;
+    this.invoke = config.invoke;
+    this.fetchFn = config.fetch ?? globalThis.fetch.bind(globalThis);
+  }
+  /**
+   * Updates the session (e.g., after re-authentication).
+   *
+   * @param session - New session to use for operations
+   */
+  updateSession(session) {
+    this.session = session;
+  }
+  /**
+   * Gets the primary host URL.
+   */
+  get host() {
+    return this.hosts[0];
+  }
+  /**
+   * Executes an invoke operation against the delegation API.
+   */
+  async invokeOperation(path, action, body) {
+    const headers = this.invoke(this.session, "delegation", path, action);
+    return this.fetchFn(`${this.host}/invoke`, {
+      method: "POST",
+      headers,
+      body
+    });
+  }
+  /**
+   * Creates a new delegation.
+   *
+   * Delegates specific permissions to another DID for a given path.
+   * The delegatee can then use these permissions to access resources
+   * within the specified scope.
+   *
+   * @param params - Parameters for the delegation
+   * @returns Result containing the created Delegation or an error
+   *
+   * @example
+   * ```typescript
+   * const result = await manager.create({
+   *   delegateDID: bob.did,
+   *   path: "documents/shared/",
+   *   actions: ["tinycloud.kv/get", "tinycloud.kv/put"],
+   *   expiry: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000), // 7 days
+   * });
+   * ```
+   */
+  async create(params) {
+    if (!params.delegateDID) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "delegateDID is required"
+        )
+      };
+    }
+    if (!params.path) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "path is required"
+        )
+      };
+    }
+    if (!params.actions || params.actions.length === 0) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "at least one action is required"
+        )
+      };
+    }
+    try {
+      const body = JSON.stringify({
+        delegateDID: params.delegateDID,
+        path: params.path,
+        actions: params.actions,
+        expiry: params.expiry?.toISOString(),
+        disableSubDelegation: params.disableSubDelegation ?? false,
+        statement: params.statement
+      });
+      const response = await this.invokeOperation(
+        params.path,
+        DelegationAction.CREATE,
+        body
+      );
+      if (!response.ok) {
+        const errorText = await response.text();
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.CREATION_FAILED,
+            `Failed to create delegation: ${response.status} - ${errorText}`,
+            void 0,
+            { status: response.status, path: params.path }
+          )
+        };
+      }
+      const apiResponse = await response.json();
+      const delegation = {
+        cid: apiResponse.cid ?? "",
+        delegateDID: params.delegateDID,
+        spaceId: this.session.spaceId,
+        path: params.path,
+        actions: params.actions,
+        expiry: params.expiry ?? new Date(Date.now() + 24 * 60 * 60 * 1e3),
+        isRevoked: false,
+        allowSubDelegation: !(params.disableSubDelegation ?? false),
+        createdAt: /* @__PURE__ */ new Date()
+      };
+      return { ok: true, data: delegation };
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.ABORTED,
+            "Request aborted",
+            error
+          )
+        };
+      }
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.NETWORK_ERROR,
+          `Network error during delegation creation: ${String(error)}`,
+          error instanceof Error ? error : void 0
+        )
+      };
+    }
+  }
+  /**
+   * Revokes an existing delegation.
+   *
+   * Once revoked, the delegation can no longer be used to access resources.
+   * This also invalidates any sub-delegations derived from this delegation.
+   *
+   * @param cid - The CID of the delegation to revoke
+   * @returns Result indicating success or an error
+   *
+   * @example
+   * ```typescript
+   * const result = await manager.revoke("bafy...");
+   * if (result.ok) {
+   *   console.log("Delegation revoked successfully");
+   * }
+   * ```
+   */
+  async revoke(cid) {
+    if (!cid) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "cid is required"
+        )
+      };
+    }
+    try {
+      const body = JSON.stringify({ cid });
+      const response = await this.invokeOperation(
+        cid,
+        DelegationAction.REVOKE,
+        body
+      );
+      if (!response.ok) {
+        const errorText = await response.text();
+        if (response.status === 404) {
+          return {
+            ok: false,
+            error: createError(
+              DelegationErrorCodes.NOT_FOUND,
+              `Delegation not found: ${cid}`
+            )
+          };
+        }
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.REVOCATION_FAILED,
+            `Failed to revoke delegation: ${response.status} - ${errorText}`,
+            void 0,
+            { status: response.status, cid }
+          )
+        };
+      }
+      return { ok: true, data: void 0 };
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.ABORTED,
+            "Request aborted",
+            error
+          )
+        };
+      }
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.NETWORK_ERROR,
+          `Network error during delegation revocation: ${String(error)}`,
+          error instanceof Error ? error : void 0
+        )
+      };
+    }
+  }
+  /**
+   * Lists all delegations for the current session's space.
+   *
+   * Returns both delegations created by the current user (as delegator)
+   * and delegations granted to the current user (as delegatee).
+   *
+   * @returns Result containing an array of Delegations or an error
+   *
+   * @example
+   * ```typescript
+   * const result = await manager.list();
+   * if (result.ok) {
+   *   for (const delegation of result.data) {
+   *     console.log(`${delegation.cid}: ${delegation.path} -> ${delegation.delegateDID}`);
+   *   }
+   * }
+   * ```
+   */
+  async list() {
+    try {
+      const response = await this.invokeOperation("", DelegationAction.LIST);
+      if (!response.ok) {
+        const errorText = await response.text();
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.NETWORK_ERROR,
+            `Failed to list delegations: ${response.status} - ${errorText}`,
+            void 0,
+            { status: response.status }
+          )
+        };
+      }
+      const data = await response.json();
+      const delegations = data.map((item) => ({
+        cid: item.cid,
+        delegateDID: item.delegateDID,
+        delegatorDID: item.delegatorDID,
+        spaceId: item.spaceId,
+        path: item.path,
+        actions: item.actions,
+        expiry: new Date(item.expiry),
+        isRevoked: item.isRevoked,
+        createdAt: item.createdAt ? new Date(item.createdAt) : void 0,
+        parentCid: item.parentCid,
+        allowSubDelegation: item.allowSubDelegation
+      }));
+      return { ok: true, data: delegations };
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.ABORTED,
+            "Request aborted",
+            error
+          )
+        };
+      }
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.NETWORK_ERROR,
+          `Network error during delegation list: ${String(error)}`,
+          error instanceof Error ? error : void 0
+        )
+      };
+    }
+  }
+  /**
+   * Gets the full delegation chain for a given delegation.
+   *
+   * Returns the chain of delegations from the root (original delegator)
+   * to the specified delegation, including all intermediate sub-delegations.
+   *
+   * @param cid - The CID of the delegation to get the chain for
+   * @returns Result containing the DelegationChain or an error
+   *
+   * @example
+   * ```typescript
+   * const result = await manager.getChain("bafy...");
+   * if (result.ok) {
+   *   console.log("Chain length:", result.data.length);
+   *   for (const delegation of result.data) {
+   *     console.log(`- ${delegation.delegatorDID} -> ${delegation.delegateDID}`);
+   *   }
+   * }
+   * ```
+   */
+  async getChain(cid) {
+    if (!cid) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "cid is required"
+        )
+      };
+    }
+    try {
+      const body = JSON.stringify({ cid, includeChain: true });
+      const response = await this.invokeOperation(
+        cid,
+        DelegationAction.GET,
+        body
+      );
+      if (!response.ok) {
+        const errorText = await response.text();
+        if (response.status === 404) {
+          return {
+            ok: false,
+            error: createError(
+              DelegationErrorCodes.NOT_FOUND,
+              `Delegation not found: ${cid}`
+            )
+          };
+        }
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.NETWORK_ERROR,
+            `Failed to get delegation chain: ${response.status} - ${errorText}`,
+            void 0,
+            { status: response.status, cid }
+          )
+        };
+      }
+      const data = await response.json();
+      const chain = data.chain.map((item) => ({
+        cid: item.cid,
+        delegateDID: item.delegateDID,
+        delegatorDID: item.delegatorDID,
+        spaceId: item.spaceId,
+        path: item.path,
+        actions: item.actions,
+        expiry: new Date(item.expiry),
+        isRevoked: item.isRevoked,
+        createdAt: item.createdAt ? new Date(item.createdAt) : void 0,
+        parentCid: item.parentCid,
+        allowSubDelegation: item.allowSubDelegation
+      }));
+      return { ok: true, data: chain };
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.ABORTED,
+            "Request aborted",
+            error
+          )
+        };
+      }
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.NETWORK_ERROR,
+          `Network error during chain retrieval: ${String(error)}`,
+          error instanceof Error ? error : void 0
+        )
+      };
+    }
+  }
+  /**
+   * Checks if the current session has permission for a given path and action.
+   *
+   * This can be used to verify permissions before attempting an operation,
+   * or to implement custom access control logic.
+   *
+   * @param path - The resource path to check
+   * @param action - The action to check (e.g., "tinycloud.kv/get")
+   * @returns Result containing a boolean indicating permission or an error
+   *
+   * @example
+   * ```typescript
+   * const result = await manager.checkPermission("documents/private/", "tinycloud.kv/put");
+   * if (result.ok && result.data) {
+   *   console.log("Permission granted");
+   * } else {
+   *   console.log("Permission denied");
+   * }
+   * ```
+   */
+  async checkPermission(path, action) {
+    if (!path) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "path is required"
+        )
+      };
+    }
+    if (!action) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "action is required"
+        )
+      };
+    }
+    try {
+      const body = JSON.stringify({ path, action });
+      const response = await this.invokeOperation(
+        path,
+        DelegationAction.CHECK,
+        body
+      );
+      if (!response.ok) {
+        if (response.status === 403) {
+          return { ok: true, data: false };
+        }
+        const errorText = await response.text();
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.NETWORK_ERROR,
+            `Failed to check permission: ${response.status} - ${errorText}`,
+            void 0,
+            { status: response.status, path, action }
+          )
+        };
+      }
+      const data = await response.json();
+      return { ok: true, data: data.allowed };
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.ABORTED,
+            "Request aborted",
+            error
+          )
+        };
+      }
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.NETWORK_ERROR,
+          `Network error during permission check: ${String(error)}`,
+          error instanceof Error ? error : void 0
+        )
+      };
+    }
+  }
+};
+
+// src/delegations/SharingService.schema.ts
+import { z as z5 } from "zod";
+var EncodedShareDataSchema = z5.object({
+  /** Private key in JWK format (must include d parameter) */
+  key: JWKSchema.refine(
+    (jwk) => typeof jwk.d === "string" && jwk.d.length > 0,
+    { message: "JWK must include private key (d parameter)" }
+  ),
+  /** DID of the key */
+  keyDid: z5.string().min(1, "keyDid is required"),
+  /** The delegation granting access */
+  delegation: DelegationSchema,
+  /** Resource path this link grants access to */
+  path: z5.string().min(1, "path is required"),
+  /** TinyCloud host URL */
+  host: z5.string().url("host must be a valid URL"),
+  /** Space ID */
+  spaceId: z5.string().min(1, "spaceId is required"),
+  /** Schema version (must be 1) */
+  version: z5.literal(1)
+});
+var ReceiveOptionsSchema = z5.object({
+  /**
+   * Whether to automatically create a sub-delegation to the current session key.
+   * Default: true
+   */
+  autoSubdelegate: z5.boolean().optional(),
+  /**
+   * Whether to use the current session key for operations (requires autoSubdelegate).
+   * Default: true
+   */
+  useSessionKey: z5.boolean().optional(),
+  /**
+   * Ingestion options passed to CapabilityKeyRegistry.
+   */
+  ingestOptions: IngestOptionsSchema.optional()
+});
+var SharingServiceConfigSchema = z5.object({
+  /** TinyCloud host URLs */
+  hosts: z5.array(z5.string().url()).min(1, "At least one host URL is required"),
+  /**
+   * Active session for authentication.
+   * Required for generate(), optional for receive().
+   */
+  session: z5.unknown().refine(
+    (val) => val === void 0 || val !== null && typeof val === "object",
+    { message: "Expected a ServiceSession object or undefined" }
+  ).optional(),
+  /** Platform-specific invoke function */
+  invoke: z5.unknown().refine((val) => typeof val === "function", {
+    message: "Expected an invoke function"
+  }),
+  /** Optional custom fetch implementation */
+  fetch: z5.unknown().refine(
+    (val) => val === void 0 || typeof val === "function",
+    { message: "Expected a fetch function or undefined" }
+  ).optional(),
+  /** Key provider for cryptographic operations */
+  keyProvider: KeyProviderSchema,
+  /** Capability key registry for key/delegation management */
+  registry: z5.unknown().refine(
+    (val) => val !== null && typeof val === "object",
+    { message: "Expected an ICapabilityKeyRegistry object" }
+  ),
+  /**
+   * Delegation manager for creating delegations.
+   * Required for generate(), optional for receive().
+   */
+  delegationManager: z5.unknown().refine(
+    (val) => val === void 0 || val !== null && typeof val === "object",
+    { message: "Expected a DelegationManager object or undefined" }
+  ).optional(),
+  /** Factory for creating KV service instances */
+  createKVService: z5.unknown().refine(
+    (val) => typeof val === "function",
+    { message: "Expected a createKVService factory function" }
+  ),
+  /** Base URL for sharing links (e.g., "https://share.myapp.com") */
+  baseUrl: z5.string().optional(),
+  /**
+   * Custom delegation creation function.
+   */
+  createDelegation: z5.unknown().refine((val) => val === void 0 || typeof val === "function", {
+    message: "Expected a createDelegation function or undefined"
+  }).optional(),
+  /**
+   * WASM function for client-side delegation creation.
+   */
+  createDelegationWasm: z5.unknown().refine((val) => val === void 0 || typeof val === "function", {
+    message: "Expected a createDelegationWasm function or undefined"
+  }).optional(),
+  /**
+   * Path prefix for KV operations.
+   */
+  pathPrefix: z5.string().optional(),
+  /**
+   * Session expiry time.
+   */
+  sessionExpiry: z5.date().optional(),
+  /**
+   * Callback to create a DIRECT delegation from wallet to share key.
+   * This is the preferred method for long-lived share links because it
+   * bypasses the session delegation chain entirely.
+   */
+  onRootDelegationNeeded: z5.unknown().refine((val) => val === void 0 || typeof val === "function", {
+    message: "Expected an onRootDelegationNeeded function or undefined"
+  }).optional()
+});
+function validateEncodedShareData(data) {
+  const result = EncodedShareDataSchema.safeParse(data);
+  if (!result.success) {
+    return {
+      ok: false,
+      error: {
+        code: DelegationErrorCodes.VALIDATION_ERROR,
+        message: `Invalid share data: ${result.error.message}`,
+        service: "delegation",
+        meta: { issues: result.error.issues }
+      }
+    };
+  }
+  return { ok: true, data: result.data };
+}
+
+// src/delegations/SharingService.ts
+var DEFAULT_READ_ACTIONS = ["tinycloud.kv/get", "tinycloud.kv/metadata"];
+var DEFAULT_EXPIRY_MS = 24 * 60 * 60 * 1e3;
+var BASE64_PREFIX = "tc1:";
+function createError2(code, message, cause, meta) {
+  return {
+    code,
+    message,
+    service: "delegation",
+    cause,
+    meta
+  };
+}
+function base64UrlEncode(data) {
+  let base64;
+  if (typeof btoa !== "undefined") {
+    base64 = btoa(unescape(encodeURIComponent(data)));
+  } else if (typeof Buffer !== "undefined") {
+    base64 = Buffer.from(data, "utf-8").toString("base64");
+  } else {
+    throw new Error("No base64 encoding available");
+  }
+  return base64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function base64UrlDecode(encoded) {
+  let base64 = encoded.replace(/-/g, "+").replace(/_/g, "/");
+  while (base64.length % 4) {
+    base64 += "=";
+  }
+  if (typeof atob !== "undefined") {
+    return decodeURIComponent(escape(atob(base64)));
+  } else if (typeof Buffer !== "undefined") {
+    return Buffer.from(base64, "base64").toString("utf-8");
+  } else {
+    throw new Error("No base64 decoding available");
+  }
+}
+var SharingService = class {
+  /**
+   * Creates a new SharingService instance.
+   */
+  constructor(config) {
+    this.hosts = config.hosts;
+    this.session = config.session;
+    this.invoke = config.invoke;
+    this.fetchFn = config.fetch ?? globalThis.fetch.bind(globalThis);
+    this.keyProvider = config.keyProvider;
+    this.registry = config.registry;
+    this.delegationManager = config.delegationManager;
+    this.createKVService = config.createKVService;
+    this.baseUrl = (config.baseUrl ?? "").replace(/\/$/, "");
+    this.createDelegationFn = config.createDelegation;
+    this.createDelegationWasmFn = config.createDelegationWasm;
+    this.pathPrefix = config.pathPrefix ?? "";
+    this.sessionExpiry = config.sessionExpiry;
+    this.onRootDelegationNeeded = config.onRootDelegationNeeded;
+  }
+  /**
+   * Gets the primary host URL.
+   */
+  get host() {
+    return this.hosts[0];
+  }
+  /**
+   * Updates the session (e.g., after re-authentication).
+   */
+  updateSession(session) {
+    this.session = session;
+  }
+  /**
+   * Updates the service configuration.
+   * Used to add full capabilities (session, delegationManager, createDelegation, createDelegationWasm) after signIn.
+   */
+  updateConfig(config) {
+    if (config.session !== void 0) {
+      this.session = config.session;
+    }
+    if (config.delegationManager !== void 0) {
+      this.delegationManager = config.delegationManager;
+    }
+    if (config.createDelegation !== void 0) {
+      this.createDelegationFn = config.createDelegation;
+    }
+    if (config.createDelegationWasm !== void 0) {
+      this.createDelegationWasmFn = config.createDelegationWasm;
+    }
+    if (config.sessionExpiry !== void 0) {
+      this.sessionExpiry = config.sessionExpiry;
+    }
+    if (config.onRootDelegationNeeded !== void 0) {
+      this.onRootDelegationNeeded = config.onRootDelegationNeeded;
+    }
+  }
+  /**
+   * Generate a sharing link with an embedded private key.
+   *
+   * Flow:
+   * 1. Spawn new session key (unique per share)
+   * 2. Create delegation from current session to spawned key
+   * 3. Package: { key (with private!), delegation, path, host }
+   * 4. Encode based on schema (base64 for now)
+   * 5. Return link string
+   */
+  async generate(params) {
+    if (!this.session) {
+      return {
+        ok: false,
+        error: createError2(
+          DelegationErrorCodes.NOT_INITIALIZED,
+          "Session required for generating sharing links. Call signIn() first."
+        )
+      };
+    }
+    if (!this.createDelegationWasmFn && !this.createDelegationFn && !this.delegationManager) {
+      return {
+        ok: false,
+        error: createError2(
+          DelegationErrorCodes.NOT_INITIALIZED,
+          "DelegationManager, createDelegation, or createDelegationWasm function required for generating sharing links."
+        )
+      };
+    }
+    if (!params.path) {
+      return {
+        ok: false,
+        error: createError2(
+          DelegationErrorCodes.INVALID_INPUT,
+          "path is required"
+        )
+      };
+    }
+    const actions = params.actions ?? DEFAULT_READ_ACTIONS;
+    const requestedExpiry = params.expiry ?? new Date(Date.now() + DEFAULT_EXPIRY_MS);
+    let expiry = requestedExpiry;
+    const schema = params.schema ?? "base64";
+    const fullPath = this.pathPrefix ? `${this.pathPrefix}/${params.path}`.replace(/\/+/g, "/") : params.path;
+    if (schema !== "base64") {
+      return {
+        ok: false,
+        error: createError2(
+          DelegationErrorCodes.INVALID_INPUT,
+          `Schema '${schema}' not implemented. Only 'base64' is supported.`
+        )
+      };
+    }
+    let keyId;
+    let keyDid;
+    let keyJwk;
+    try {
+      const shareKeyName = `share:${Date.now()}:${Math.random().toString(36).substring(2, 10)}`;
+      keyId = await this.keyProvider.createSessionKey(shareKeyName);
+      keyDid = await this.keyProvider.getDID(keyId);
+      keyJwk = this.keyProvider.getJWK(keyId);
+      if (!keyJwk.d) {
+        return {
+          ok: false,
+          error: createError2(
+            DelegationErrorCodes.CREATION_FAILED,
+            "KeyProvider did not return private key (d parameter) in JWK"
+          )
+        };
+      }
+    } catch (err5) {
+      return {
+        ok: false,
+        error: createError2(
+          DelegationErrorCodes.CREATION_FAILED,
+          `Failed to generate session key for share: ${err5 instanceof Error ? err5.message : String(err5)}`,
+          err5 instanceof Error ? err5 : void 0
+        )
+      };
+    }
+    let delegation;
+    const plainDID = keyDid.split("#")[0];
+    const handleDelegationResult = (result) => {
+      if (result && typeof result === "object" && "ok" in result) {
+        return result;
+      }
+      return result;
+    };
+    const canSatisfyFromRegistry = this.findSuitableKeyForDelegation(
+      fullPath,
+      actions,
+      requestedExpiry
+    );
+    if (canSatisfyFromRegistry) {
+      const delegationResult = await this.createSessionDelegation(plainDID, fullPath, actions, expiry);
+      const parsed = handleDelegationResult(delegationResult);
+      if ("ok" in parsed && parsed.ok === false) {
+        return parsed;
+      }
+      delegation = parsed;
+    } else if (this.onRootDelegationNeeded) {
+      try {
+        const rootDelegation = await this.onRootDelegationNeeded({
+          shareKeyDID: plainDID,
+          spaceId: this.session.spaceId,
+          path: fullPath,
+          actions,
+          requestedExpiry
+        });
+        if (rootDelegation) {
+          delegation = rootDelegation;
+          expiry = requestedExpiry;
+        } else {
+          const fallbackResult = await this.handleSessionExtensionFallback(requestedExpiry);
+          expiry = fallbackResult.expiry;
+          const delegationResult = await this.createSessionDelegation(plainDID, fullPath, actions, expiry);
+          const parsed = handleDelegationResult(delegationResult);
+          if ("ok" in parsed && parsed.ok === false) {
+            return parsed;
+          }
+          delegation = parsed;
+        }
+      } catch (err5) {
+        const fallbackResult = await this.handleSessionExtensionFallback(requestedExpiry);
+        expiry = fallbackResult.expiry;
+        const delegationResult = await this.createSessionDelegation(plainDID, fullPath, actions, expiry);
+        const parsed = handleDelegationResult(delegationResult);
+        if ("ok" in parsed && parsed.ok === false) {
+          return parsed;
+        }
+        delegation = parsed;
+      }
+    } else {
+      const fallbackResult = await this.handleSessionExtensionFallback(requestedExpiry);
+      expiry = fallbackResult.expiry;
+      const delegationResult = await this.createSessionDelegation(plainDID, fullPath, actions, expiry);
+      const parsed = handleDelegationResult(delegationResult);
+      if ("ok" in parsed && parsed.ok === false) {
+        return parsed;
+      }
+      delegation = parsed;
+    }
+    const shareData = {
+      key: keyJwk,
+      keyDid,
+      delegation,
+      path: fullPath,
+      host: this.host,
+      spaceId: this.session.spaceId,
+      version: 1
+    };
+    const encodedData = this.encodeLink(shareData, schema);
+    const baseUrl = params.baseUrl ?? this.baseUrl;
+    const url = baseUrl ? `${baseUrl}/share/${encodedData}` : encodedData;
+    const shareLink = {
+      token: encodedData,
+      url,
+      delegation,
+      schema,
+      expiresAt: expiry,
+      description: params.description
+    };
+    return { ok: true, data: shareLink };
+  }
+  /**
+   * Check if any key in the registry can satisfy the delegation request.
+   * A key can satisfy if it has a delegation that:
+   * 1. Covers the required path (exact match or parent path)
+   * 2. Has all required actions
+   * 3. Has sufficient expiry (delegation.expiry >= requestedExpiry)
+   * 4. Allows sub-delegation
+   * @internal
+   */
+  findSuitableKeyForDelegation(path, actions, requestedExpiry) {
+    if (this.sessionExpiry && requestedExpiry <= this.sessionExpiry) {
+      return true;
+    }
+    const allKeys = this.registry.getAllKeys();
+    for (const key of allKeys) {
+      const delegations = this.registry.getDelegationsForKey(key.id);
+      for (const delegation of delegations) {
+        if (!this.registry.isDelegationValid(delegation)) {
+          continue;
+        }
+        if (delegation.expiry < requestedExpiry) {
+          continue;
+        }
+        if (delegation.allowSubDelegation === false) {
+          continue;
+        }
+        const delegationPath = delegation.path || "";
+        if (!this.pathMatches(delegationPath, path)) {
+          continue;
+        }
+        const delegationActions = delegation.actions || [];
+        const hasAllActions = actions.every(
+          (action) => delegationActions.includes(action) || delegationActions.includes("*")
+        );
+        if (!hasAllActions) {
+          continue;
+        }
+        return true;
+      }
+    }
+    return false;
+  }
+  /**
+   * Check if a delegation path matches/covers the requested path.
+   * A delegation path covers the request if:
+   * - It's an exact match
+   * - It's a parent path (e.g., delegation for "" covers "foo/bar")
+   * - It uses wildcards that match
+   * @internal
+   */
+  pathMatches(delegationPath, requestedPath) {
+    if (delegationPath === "" || delegationPath === "*") {
+      return true;
+    }
+    if (delegationPath === requestedPath) {
+      return true;
+    }
+    const normalizedDelegation = delegationPath.replace(/\/$/, "");
+    const normalizedRequest = requestedPath.replace(/\/$/, "");
+    if (normalizedRequest.startsWith(normalizedDelegation + "/")) {
+      return true;
+    }
+    return false;
+  }
+  /**
+   * Handle fallback to session extension when root delegation is not available.
+   * @internal
+   */
+  async handleSessionExtensionFallback(requestedExpiry) {
+    return { expiry: this.sessionExpiry ?? requestedExpiry };
+  }
+  /**
+   * Create a delegation from the current session to a share key.
+   * This is the fallback path when root delegation is not available.
+   * @internal
+   */
+  async createSessionDelegation(delegateDID, path, actions, expiry) {
+    if (!this.session) {
+      return {
+        ok: false,
+        error: createError2(
+          DelegationErrorCodes.NOT_INITIALIZED,
+          "Session required for creating delegation"
+        )
+      };
+    }
+    if (this.createDelegationWasmFn) {
+      try {
+        const wasmResult = this.createDelegationWasmFn({
+          session: this.session,
+          delegateDID,
+          spaceId: this.session.spaceId,
+          path,
+          actions,
+          expirationSecs: Math.floor(expiry.getTime() / 1e3)
+        });
+        const registerRes = await this.fetchFn(`${this.host}/delegate`, {
+          method: "POST",
+          headers: {
+            Authorization: wasmResult.delegation
+          }
+        });
+        if (!registerRes.ok) {
+          const errorText = await registerRes.text();
+          return {
+            ok: false,
+            error: createError2(
+              DelegationErrorCodes.CREATION_FAILED,
+              `Failed to register delegation with server: ${registerRes.status} ${errorText}`
+            )
+          };
+        }
+        return {
+          cid: wasmResult.cid,
+          delegateDID: wasmResult.delegateDID,
+          spaceId: this.session.spaceId,
+          path: wasmResult.path,
+          actions: wasmResult.actions,
+          expiry: wasmResult.expiry,
+          isRevoked: false,
+          authHeader: wasmResult.delegation,
+          allowSubDelegation: true,
+          createdAt: /* @__PURE__ */ new Date()
+        };
+      } catch (err5) {
+        return {
+          ok: false,
+          error: createError2(
+            DelegationErrorCodes.CREATION_FAILED,
+            `Failed to create delegation via WASM: ${err5 instanceof Error ? err5.message : String(err5)}`,
+            err5 instanceof Error ? err5 : void 0
+          )
+        };
+      }
+    } else {
+      const delegationParams = {
+        delegateDID,
+        path,
+        actions,
+        expiry,
+        disableSubDelegation: false
+      };
+      const delegationResult = this.createDelegationFn ? await this.createDelegationFn(delegationParams) : await this.delegationManager.create(delegationParams);
+      if (!delegationResult.ok) {
+        return {
+          ok: false,
+          error: createError2(
+            DelegationErrorCodes.CREATION_FAILED,
+            `Failed to create delegation for share: ${delegationResult.error.message}`,
+            delegationResult.error.cause,
+            delegationResult.error.meta
+          )
+        };
+      }
+      return delegationResult.data;
+    }
+  }
+  /**
+   * Receive and activate a sharing link.
+   *
+   * Flow:
+   * 1. Decode link -> extract { key, delegation, path, host }
+   * 2. Ingest key into CapabilityKeyRegistry
+   * 3. If autoSubdelegate (default true) + useSessionKey:
+   *    - Create sub-delegation from ingested key -> current session
+   *    - Register sub-delegation capabilities
+   * 4. Return ShareAccess with pre-configured KV service
+   */
+  async receive(link, options = {}) {
+    const {
+      autoSubdelegate = true,
+      useSessionKey = true,
+      ingestOptions
+    } = options;
+    const decodeResult = this.decodeLinkWithValidation(link);
+    if (!decodeResult.ok) {
+      return decodeResult;
+    }
+    const shareData = decodeResult.data;
+    const delegationExpiry = new Date(shareData.delegation.expiry);
+    if (delegationExpiry < /* @__PURE__ */ new Date()) {
+      return {
+        ok: false,
+        error: createError2(
+          DelegationErrorCodes.AUTH_EXPIRED,
+          "Sharing link has expired"
+        )
+      };
+    }
+    if (shareData.delegation.isRevoked) {
+      return {
+        ok: false,
+        error: createError2(
+          DelegationErrorCodes.REVOKED,
+          "Sharing link has been revoked"
+        )
+      };
+    }
+    const keyInfo = {
+      id: `ingested:${shareData.keyDid}`,
+      did: shareData.keyDid,
+      type: "ingested",
+      jwk: shareData.key,
+      priority: 2
+      // Ingested keys have lowest priority
+    };
+    this.registry.ingestKey(keyInfo, shareData.delegation, ingestOptions);
+    let activeDelegation = shareData.delegation;
+    let activeKey = keyInfo;
+    if (autoSubdelegate && useSessionKey && this.session) {
+      try {
+      } catch (err5) {
+        console.warn("Auto-subdelegation failed, using ingested key directly:", err5);
+      }
+    }
+    const authHeader = shareData.delegation.authHeader ?? `Bearer ${shareData.delegation.cid}`;
+    const shareSession = {
+      delegationHeader: { Authorization: authHeader },
+      delegationCid: shareData.delegation.cid,
+      spaceId: shareData.spaceId,
+      verificationMethod: shareData.keyDid,
+      jwk: shareData.key
+    };
+    const kvService = this.createKVService({
+      hosts: [shareData.host],
+      session: shareSession,
+      invoke: this.invoke,
+      fetch: this.fetchFn,
+      pathPrefix: shareData.path
+    });
+    const shareAccess = {
+      delegation: activeDelegation,
+      key: activeKey,
+      kv: kvService,
+      spaceId: shareData.spaceId,
+      path: shareData.path
+    };
+    return { ok: true, data: shareAccess };
+  }
+  /**
+   * Encode sharing data into a link string.
+   *
+   * @param data - The share data to encode
+   * @param schema - The encoding schema (default: "base64")
+   * @returns Encoded link string
+   */
+  encodeLink(data, schema = "base64") {
+    if (schema !== "base64") {
+      throw new Error(`Schema '${schema}' not implemented. Only 'base64' is supported.`);
+    }
+    const jsonString = JSON.stringify(data);
+    const encoded = base64UrlEncode(jsonString);
+    return `${BASE64_PREFIX}${encoded}`;
+  }
+  /**
+   * Decode a link string into sharing data.
+   *
+   * @param link - The encoded link string (may include URL prefix)
+   * @returns Decoded share data
+   * @throws Error if link format is invalid or data fails validation
+   */
+  decodeLink(link) {
+    const result = this.decodeLinkWithValidation(link);
+    if (!result.ok) {
+      throw new Error(result.error.message);
+    }
+    return result.data;
+  }
+  /**
+   * Decode and validate a link string into sharing data.
+   *
+   * Internal method that returns a Result instead of throwing.
+   * Used by receive() for proper error handling.
+   *
+   * @param link - The encoded link string (may include URL prefix)
+   * @returns Result with decoded share data or validation error
+   */
+  decodeLinkWithValidation(link) {
+    let encoded = link;
+    if (link.includes("/share/")) {
+      const parts = link.split("/share/");
+      encoded = parts[parts.length - 1];
+    }
+    if (link.includes("?share=")) {
+      try {
+        const url = new URL(link);
+        encoded = url.searchParams.get("share") ?? encoded;
+      } catch {
+        return {
+          ok: false,
+          error: createError2(
+            DelegationErrorCodes.INVALID_TOKEN,
+            "Invalid URL format in sharing link"
+          )
+        };
+      }
+    }
+    if (!encoded.startsWith(BASE64_PREFIX)) {
+      return {
+        ok: false,
+        error: createError2(
+          DelegationErrorCodes.INVALID_TOKEN,
+          `Invalid sharing link format. Expected prefix '${BASE64_PREFIX}'`
+        )
+      };
+    }
+    const base64Data = encoded.slice(BASE64_PREFIX.length);
+    let jsonString;
+    try {
+      jsonString = base64UrlDecode(base64Data);
+    } catch (err5) {
+      return {
+        ok: false,
+        error: createError2(
+          DelegationErrorCodes.INVALID_TOKEN,
+          `Failed to decode base64 data: ${err5 instanceof Error ? err5.message : String(err5)}`,
+          err5 instanceof Error ? err5 : void 0
+        )
+      };
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(jsonString);
+    } catch (err5) {
+      return {
+        ok: false,
+        error: createError2(
+          DelegationErrorCodes.INVALID_TOKEN,
+          `Failed to parse share data JSON: ${err5 instanceof Error ? err5.message : String(err5)}`,
+          err5 instanceof Error ? err5 : void 0
+        )
+      };
+    }
+    if (parsed && typeof parsed === "object" && "delegation" in parsed && parsed.delegation && typeof parsed.delegation === "object" && "expiry" in parsed.delegation && typeof parsed.delegation.expiry === "string") {
+      parsed.delegation.expiry = new Date(parsed.delegation.expiry);
+    }
+    const validationResult = validateEncodedShareData(parsed);
+    if (!validationResult.ok) {
+      return {
+        ok: false,
+        error: createError2(
+          DelegationErrorCodes.INVALID_TOKEN,
+          validationResult.error.message,
+          void 0,
+          validationResult.error.meta
+        )
+      };
+    }
+    return { ok: true, data: validationResult.data };
+  }
+};
+function createSharingService(config) {
+  return new SharingService(config);
+}
+
+// src/authorization/CapabilityKeyRegistry.ts
+import { ok as ok3, err as err3, serviceError as serviceError3 } from "@tinycloud/sdk-services";
+var SERVICE_NAME2 = "capability-key-registry";
+var CapabilityKeyRegistryErrorCodes = {
+  /** Key not found in registry */
+  KEY_NOT_FOUND: "KEY_NOT_FOUND",
+  /** No key available for the requested capability */
+  NO_CAPABLE_KEY: "NO_CAPABLE_KEY",
+  /** Delegation has expired */
+  DELEGATION_EXPIRED: "DELEGATION_EXPIRED",
+  /** Delegation has been revoked */
+  DELEGATION_REVOKED: "DELEGATION_REVOKED",
+  /** Invalid delegation data */
+  INVALID_DELEGATION: "INVALID_DELEGATION",
+  /** Key already registered */
+  KEY_EXISTS: "KEY_EXISTS"
+};
+var CapabilityKeyRegistry = class {
+  constructor() {
+    /**
+     * Registry of all keys indexed by ID.
+     */
+    this.keys = /* @__PURE__ */ new Map();
+    /**
+     * Delegation storage.
+     */
+    this.store = {
+      byKey: /* @__PURE__ */ new Map(),
+      byCid: /* @__PURE__ */ new Map(),
+      byCapability: /* @__PURE__ */ new Map()
+    };
+  }
+  // ===========================================================================
+  // Key Management
+  // ===========================================================================
+  /**
+   * Register a key with its associated delegations.
+   *
+   * @param key - Key information
+   * @param delegations - Delegations granted to this key
+   */
+  registerKey(key, delegations) {
+    this.keys.set(key.id, key);
+    if (!this.store.byKey.has(key.id)) {
+      this.store.byKey.set(key.id, []);
+    }
+    for (const delegation of delegations) {
+      this.addDelegation(key, delegation);
+    }
+  }
+  /**
+   * Remove a key and all its associated delegations.
+   *
+   * @param keyId - The key ID to remove
+   */
+  removeKey(keyId) {
+    const delegations = this.store.byKey.get(keyId) || [];
+    for (const delegation of delegations) {
+      this.store.byCid.delete(delegation.cid);
+    }
+    for (const [capKey, entries] of this.store.byCapability) {
+      const filtered = entries.filter(
+        (entry) => !entry.keys.some((k) => k.id === keyId)
+      );
+      if (filtered.length === 0) {
+        this.store.byCapability.delete(capKey);
+      } else {
+        for (const entry of filtered) {
+          entry.keys = entry.keys.filter((k) => k.id !== keyId);
+        }
+        this.store.byCapability.set(capKey, filtered.filter((e) => e.keys.length > 0));
+      }
+    }
+    this.store.byKey.delete(keyId);
+    this.keys.delete(keyId);
+  }
+  // ===========================================================================
+  // Capability Lookup
+  // ===========================================================================
+  /**
+   * Get a key that can exercise the specified capability.
+   *
+   * Key selection algorithm:
+   * 1. Filter keys that have the required capability
+   * 2. Check delegation validity (not expired, not revoked)
+   * 3. Sort by priority (session=0, main=1, ingested=2)
+   * 4. Return highest priority valid key
+   *
+   * @param resource - Resource URI
+   * @param action - Action to perform
+   * @returns The best matching key, or null if none available
+   */
+  getKeyForCapability(resource, action) {
+    const matchingEntries = this.findMatchingEntries(resource, action);
+    if (matchingEntries.length === 0) {
+      return null;
+    }
+    const validKeys = [];
+    for (const entry of matchingEntries) {
+      if (!this.isDelegationValid(entry.delegation)) {
+        continue;
+      }
+      for (const key of entry.keys) {
+        if (!validKeys.some((k) => k.id === key.id)) {
+          validKeys.push(key);
+        }
+      }
+    }
+    if (validKeys.length === 0) {
+      return null;
+    }
+    validKeys.sort((a, b) => a.priority - b.priority);
+    return validKeys[0];
+  }
+  /**
+   * Get all registered capabilities.
+   *
+   * @returns All capability entries in the registry
+   */
+  getAllCapabilities() {
+    const all = [];
+    for (const entries of this.store.byCapability.values()) {
+      all.push(...entries);
+    }
+    return all;
+  }
+  // ===========================================================================
+  // Delegation Tracking
+  // ===========================================================================
+  /**
+   * Get all delegations for a specific key.
+   *
+   * @param keyId - The key ID
+   * @returns Array of delegations for this key
+   */
+  getDelegationsForKey(keyId) {
+    return this.store.byKey.get(keyId) || [];
+  }
+  // ===========================================================================
+  // Ingestion
+  // ===========================================================================
+  /**
+   * Ingest a key and delegation from an external source.
+   *
+   * @param key - Key information to ingest
+   * @param delegation - Delegation to associate with the key
+   * @param options - Ingestion options
+   */
+  ingestKey(key, delegation, options) {
+    const keyToStore = options?.priority !== void 0 ? { ...key, priority: options.priority } : key;
+    this.keys.set(keyToStore.id, keyToStore);
+    if (!this.store.byKey.has(keyToStore.id)) {
+      this.store.byKey.set(keyToStore.id, []);
+    }
+    this.addDelegation(keyToStore, delegation);
+  }
+  // ===========================================================================
+  // Validation
+  // ===========================================================================
+  /**
+   * Check if a delegation is currently valid.
+   *
+   * @param delegation - The delegation to check
+   * @returns true if valid, false if expired or revoked
+   */
+  isDelegationValid(delegation) {
+    if (delegation.isRevoked) {
+      return false;
+    }
+    const now = /* @__PURE__ */ new Date();
+    if (delegation.expiry && delegation.expiry < now) {
+      return false;
+    }
+    return true;
+  }
+  // ===========================================================================
+  // Key Access
+  // ===========================================================================
+  /**
+   * Get a key by its ID.
+   *
+   * @param keyId - The key ID
+   * @returns The key info, or undefined if not found
+   */
+  getKey(keyId) {
+    return this.keys.get(keyId);
+  }
+  /**
+   * Get all registered keys.
+   *
+   * @returns Array of all registered keys
+   */
+  getAllKeys() {
+    return Array.from(this.keys.values());
+  }
+  // ===========================================================================
+  // Clear
+  // ===========================================================================
+  /**
+   * Clear all registered keys and delegations.
+   */
+  clear() {
+    this.keys.clear();
+    this.store.byKey.clear();
+    this.store.byCid.clear();
+    this.store.byCapability.clear();
+  }
+  // ===========================================================================
+  // Revocation
+  // ===========================================================================
+  /**
+   * Revoke a delegation by CID.
+   *
+   * @param cid - The delegation CID to revoke
+   * @returns Result indicating success or failure
+   */
+  revokeDelegation(cid) {
+    const stored = this.store.byCid.get(cid);
+    if (!stored) {
+      return err3(
+        serviceError3(
+          CapabilityKeyRegistryErrorCodes.KEY_NOT_FOUND,
+          `Delegation not found: ${cid}`,
+          SERVICE_NAME2
+        )
+      );
+    }
+    stored.delegation.isRevoked = true;
+    const keyDelegations = this.store.byKey.get(stored.keyId);
+    if (keyDelegations) {
+      const delegation = keyDelegations.find((d) => d.cid === cid);
+      if (delegation) {
+        delegation.isRevoked = true;
+      }
+    }
+    for (const entries of this.store.byCapability.values()) {
+      for (const entry of entries) {
+        if (entry.delegation.cid === cid) {
+          entry.delegation.isRevoked = true;
+        }
+      }
+    }
+    return ok3(void 0);
+  }
+  // ===========================================================================
+  // Search
+  // ===========================================================================
+  /**
+   * Find capabilities that match a resource path pattern.
+   *
+   * @param resourcePattern - Resource pattern (supports wildcards)
+   * @param action - Optional action filter
+   * @returns Matching capability entries
+   */
+  findCapabilities(resourcePattern, action) {
+    const results = [];
+    for (const entries of this.store.byCapability.values()) {
+      for (const entry of entries) {
+        if (action && entry.action !== action) {
+          continue;
+        }
+        if (this.matchesResourcePattern(entry.resource, resourcePattern)) {
+          results.push(entry);
+        }
+      }
+    }
+    return results;
+  }
+  // ===========================================================================
+  // Private Methods
+  // ===========================================================================
+  /**
+   * Add a delegation to the store.
+   *
+   * @param key - The key associated with this delegation
+   * @param delegation - The delegation to add
+   */
+  addDelegation(key, delegation) {
+    const keyDelegations = this.store.byKey.get(key.id) || [];
+    if (!keyDelegations.some((d) => d.cid === delegation.cid)) {
+      keyDelegations.push(delegation);
+      this.store.byKey.set(key.id, keyDelegations);
+    }
+    if (!this.store.byCid.has(delegation.cid)) {
+      this.store.byCid.set(delegation.cid, {
+        delegation,
+        parentCid: delegation.parentCid,
+        keyId: key.id,
+        storedAt: /* @__PURE__ */ new Date()
+      });
+    }
+    for (const action of delegation.actions) {
+      const capKey = this.makeCapabilityKey(delegation.path, action);
+      const entries = this.store.byCapability.get(capKey) || [];
+      const existingEntry = entries.find((e) => e.delegation.cid === delegation.cid);
+      if (existingEntry) {
+        if (!existingEntry.keys.some((k) => k.id === key.id)) {
+          existingEntry.keys.push(key);
+          existingEntry.keys.sort((a, b) => a.priority - b.priority);
+        }
+      } else {
+        const entry = {
+          resource: delegation.path,
+          action,
+          keys: [key],
+          delegation,
+          expiresAt: delegation.expiry
+        };
+        entries.push(entry);
+        this.store.byCapability.set(capKey, entries);
+      }
+    }
+  }
+  /**
+   * Create a capability key for indexing.
+   *
+   * @param resource - Resource path
+   * @param action - Action
+   * @returns Combined key string
+   */
+  makeCapabilityKey(resource, action) {
+    return `${resource}|${action}`;
+  }
+  /**
+   * Find capability entries that match a resource and action.
+   *
+   * @param resource - Resource to match
+   * @param action - Action to match
+   * @returns Matching entries
+   */
+  findMatchingEntries(resource, action) {
+    const results = [];
+    const exactKey = this.makeCapabilityKey(resource, action);
+    const exactEntries = this.store.byCapability.get(exactKey);
+    if (exactEntries) {
+      results.push(...exactEntries);
+    }
+    for (const [capKey, entries] of this.store.byCapability) {
+      if (capKey === exactKey) continue;
+      for (const entry of entries) {
+        if (!this.actionMatches(entry.action, action)) {
+          continue;
+        }
+        if (this.resourceMatchesPattern(resource, entry.resource)) {
+          if (!results.some((r) => r.delegation.cid === entry.delegation.cid)) {
+            results.push(entry);
+          }
+        }
+      }
+    }
+    return results;
+  }
+  /**
+   * Check if an action pattern matches a specific action.
+   *
+   * @param pattern - Action pattern (may include wildcard like "tinycloud.kv/*")
+   * @param action - Specific action to check
+   * @returns true if pattern matches action
+   */
+  actionMatches(pattern, action) {
+    if (pattern === action) {
+      return true;
+    }
+    if (pattern.endsWith("/*")) {
+      const prefix = pattern.slice(0, -2);
+      return action.startsWith(prefix + "/") || action === prefix;
+    }
+    return false;
+  }
+  /**
+   * Check if a resource matches a pattern.
+   *
+   * Patterns support:
+   * - Exact match: "/kv/data" matches "/kv/data"
+   * - Wildcard suffix: "/kv/*" matches "/kv/anything"
+   * - Double wildcard: "/kv/**" matches "/kv/any/nested/path"
+   *
+   * @param resource - The specific resource being accessed
+   * @param pattern - The pattern from the delegation
+   * @returns true if resource matches pattern
+   */
+  resourceMatchesPattern(resource, pattern) {
+    if (pattern === resource) {
+      return true;
+    }
+    if (pattern.endsWith("/**")) {
+      const prefix = pattern.slice(0, -3);
+      return resource.startsWith(prefix);
+    }
+    if (pattern.endsWith("/*")) {
+      const prefix = pattern.slice(0, -2);
+      if (!resource.startsWith(prefix)) {
+        return false;
+      }
+      const remainder = resource.slice(prefix.length);
+      return !remainder.includes("/") || remainder === "/";
+    }
+    if (pattern.endsWith("/") && resource.startsWith(pattern)) {
+      return true;
+    }
+    return false;
+  }
+  /**
+   * Check if a specific resource matches a resource pattern for searching.
+   *
+   * @param entryResource - The resource from a capability entry
+   * @param searchPattern - The pattern to search for
+   * @returns true if entry resource matches search pattern
+   */
+  matchesResourcePattern(entryResource, searchPattern) {
+    return this.resourceMatchesPattern(entryResource, searchPattern) || this.resourceMatchesPattern(searchPattern, entryResource);
+  }
+};
+function createCapabilityKeyRegistry() {
+  return new CapabilityKeyRegistry();
+}
+
+// src/authorization/strategies.ts
+var defaultSignStrategy = { type: "auto-sign" };
+
+// src/authorization/spaceCreation.ts
+var AutoApproveSpaceCreationHandler = class {
+  /**
+   * Always returns true to auto-approve space creation.
+   */
+  async confirmSpaceCreation() {
+    return true;
+  }
+};
+var defaultSpaceCreationHandler = new AutoApproveSpaceCreationHandler();
+
+// src/version.ts
+var ProtocolMismatchError = class extends Error {
+  constructor(sdkProtocol, nodeProtocol, nodeVersion, host) {
+    super(
+      `SDK protocol version ${sdkProtocol} is incompatible with node protocol version ${nodeProtocol} (node v${nodeVersion}) at ${host}. ` + (sdkProtocol < nodeProtocol ? "Please update your SDK." : "Please update the TinyCloud node.")
+    );
+    this.sdkProtocol = sdkProtocol;
+    this.nodeProtocol = nodeProtocol;
+    this.nodeVersion = nodeVersion;
+    this.host = host;
+    this.name = "ProtocolMismatchError";
+  }
+};
+var VersionCheckError = class extends Error {
+  constructor(host, cause) {
+    super(
+      `Failed to fetch node info at ${host}. Ensure the node is running and the /info endpoint is accessible.`
+    );
+    this.host = host;
+    this.cause = cause;
+    this.name = "VersionCheckError";
+  }
+};
+var UnsupportedFeatureError = class extends Error {
+  constructor(feature, host, availableFeatures) {
+    super(
+      `Feature "${feature}" is not supported by the node at ${host}. Available features: ${availableFeatures.join(", ") || "none"}.`
+    );
+    this.feature = feature;
+    this.host = host;
+    this.availableFeatures = availableFeatures;
+    this.name = "UnsupportedFeatureError";
+  }
+};
+async function checkNodeInfo(host, sdkProtocol, fetchFn = globalThis.fetch.bind(globalThis)) {
+  let response;
+  try {
+    response = await fetchFn(`${host}/info`, {
+      signal: AbortSignal.timeout(5e3)
+    });
+  } catch (err5) {
+    throw new VersionCheckError(host, err5);
+  }
+  if (!response.ok) {
+    throw new VersionCheckError(host);
+  }
+  const data = await response.json();
+  if (sdkProtocol !== data.protocol) {
+    throw new ProtocolMismatchError(
+      sdkProtocol,
+      data.protocol,
+      data.version,
+      host
+    );
+  }
+  return {
+    features: data.features ?? [],
+    quotaUrl: data.quota_url
+  };
+}
+export {
+  AutoApproveSpaceCreationHandler,
+  CapabilityKeyRegistry,
+  CapabilityKeyRegistryErrorCodes,
+  ClientSessionSchema,
+  DataVaultService,
+  DatabaseHandle,
+  DelegationErrorCodes,
+  DelegationManager,
+  DuckDbAction,
+  DuckDbDatabaseHandle,
+  DuckDbService2 as DuckDbService,
+  EnsDataSchema,
+  ErrorCodes2 as ErrorCodes,
+  KVService2 as KVService,
+  PrefixedKVService,
+  ProtocolMismatchError,
+  SQLAction,
+  SQLService2 as SQLService,
+  ServiceContext2 as ServiceContext,
+  SharingService,
+  SilentNotificationHandler,
+  SiweConfigSchema,
+  SiweMessage,
+  Space,
+  SpaceErrorCodes,
+  SpaceService,
+  TinyCloud,
+  UnsupportedFeatureError,
+  VaultHeaders,
+  VaultPublicSpaceKVActions,
+  VersionCheckError,
+  activateSessionWithHost,
+  buildSpaceUri,
+  checkNodeInfo,
+  createCapabilityKeyRegistry,
+  createSharingService,
+  createSpaceService,
+  createVaultCrypto,
+  defaultRetryPolicy2 as defaultRetryPolicy,
+  defaultSignStrategy,
+  defaultSpaceCreationHandler,
+  err4 as err,
+  fetchPeerId,
+  makePublicSpaceId,
+  ok4 as ok,
+  parseSpaceUri,
+  serviceError4 as serviceError,
+  submitHostDelegation,
+  validateClientSession,
+  validatePersistedSessionData
+};
 //# sourceMappingURL=index.js.map