@tinycloud/sdk-core 2.0.1 → 2.0.2-beta.0

package/dist/index.d.ts

@@ -1,27 +1,3867 @@
+import { z } from 'zod';
+import { InvokeFunction, ServiceError, Result as Result$1, ServiceSession, FetchFunction, ServiceConstructor, RetryPolicy, IServiceContext, IService, IKVService, ISQLService, IDuckDbService, IDataVaultService } from '@tinycloud/sdk-services';
+export { BatchOptions, BatchResponse, ColumnInfo, DataVaultConfig, DataVaultService, DatabaseHandle, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ErrorCode, ErrorCodes, ExecuteOptions, ExecuteResponse, FetchFunction, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IKVService, IPrefixedKVService, ISQLService, IService, IServiceContext, InvokeFunction, KVDeleteOptions, KVGetOptions, KVHeadOptions, KVListOptions, KVListResponse, KVPutOptions, KVResponse, KVResponseHeaders, KVService, KVServiceConfig, PrefixedKVService, QueryOptions, QueryResponse, Result, RetryPolicy, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, ServiceContext, ServiceContextConfig, ServiceError, ServiceSession, SqlStatement, SqlValue, TableInfo, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, ViewInfo, WasmVaultFunctions, createVaultCrypto, defaultRetryPolicy, err, ok, serviceError } from '@tinycloud/sdk-services';
+export { SiweMessage } from 'siwe';
+
 /**
- * @tinycloud/sdk-core
+ * Platform-agnostic client types for TinyCloud SDK.
  *
- * Core TinyCloud SDK package providing shared interfaces and the TinyCloud class.
+ * @packageDocumentation
+ */
+
+/** ENS data associated with a user session. */
+interface EnsData {
+    domain?: string | null;
+    avatarUrl?: string | null;
+}
+declare const EnsDataSchema: z.ZodObject<{
+    domain: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    avatarUrl: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+}, "strip", z.ZodTypeAny, {
+    domain?: string | null | undefined;
+    avatarUrl?: string | null | undefined;
+}, {
+    domain?: string | null | undefined;
+    avatarUrl?: string | null | undefined;
+}>;
+/** SIWE configuration. All fields optional — callers provide only what they need to override. */
+interface SiweConfig {
+    domain?: string;
+    uri?: string;
+    chainId?: number;
+    statement?: string;
+    nonce?: string;
+    expirationTime?: string;
+    notBefore?: string;
+    requestId?: string;
+    resources?: string[];
+}
+declare const SiweConfigSchema: z.ZodObject<{
+    domain: z.ZodOptional<z.ZodString>;
+    uri: z.ZodOptional<z.ZodString>;
+    chainId: z.ZodOptional<z.ZodNumber>;
+    statement: z.ZodOptional<z.ZodString>;
+    nonce: z.ZodOptional<z.ZodString>;
+    expirationTime: z.ZodOptional<z.ZodString>;
+    notBefore: z.ZodOptional<z.ZodString>;
+    requestId: z.ZodOptional<z.ZodString>;
+    resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    domain: z.ZodOptional<z.ZodString>;
+    uri: z.ZodOptional<z.ZodString>;
+    chainId: z.ZodOptional<z.ZodNumber>;
+    statement: z.ZodOptional<z.ZodString>;
+    nonce: z.ZodOptional<z.ZodString>;
+    expirationTime: z.ZodOptional<z.ZodString>;
+    notBefore: z.ZodOptional<z.ZodString>;
+    requestId: z.ZodOptional<z.ZodString>;
+    resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    domain: z.ZodOptional<z.ZodString>;
+    uri: z.ZodOptional<z.ZodString>;
+    chainId: z.ZodOptional<z.ZodNumber>;
+    statement: z.ZodOptional<z.ZodString>;
+    nonce: z.ZodOptional<z.ZodString>;
+    expirationTime: z.ZodOptional<z.ZodString>;
+    notBefore: z.ZodOptional<z.ZodString>;
+    requestId: z.ZodOptional<z.ZodString>;
+    resources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, z.ZodTypeAny, "passthrough">>;
+/** Representation of an active client session. */
+interface ClientSession {
+    /** User address (may be delegated) */
+    address: string;
+    /** User address without delegation */
+    walletAddress: string;
+    /** EIP-155 chain ID */
+    chainId: number;
+    /** Key to identify the session */
+    sessionKey: string;
+    /** The SIWE message text (from SiweMessage.prepareMessage()) */
+    siwe: string;
+    /** The signature of the SIWE message */
+    signature: string;
+    /** ENS data supported by TinyCloud */
+    ens?: EnsData;
+}
+declare const ClientSessionSchema: z.ZodObject<{
+    address: z.ZodString;
+    walletAddress: z.ZodString;
+    chainId: z.ZodNumber;
+    sessionKey: z.ZodString;
+    siwe: z.ZodString;
+    signature: z.ZodString;
+    ens: z.ZodOptional<z.ZodObject<{
+        domain: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+        avatarUrl: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    }, "strip", z.ZodTypeAny, {
+        domain?: string | null | undefined;
+        avatarUrl?: string | null | undefined;
+    }, {
+        domain?: string | null | undefined;
+        avatarUrl?: string | null | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    chainId: number;
+    address: string;
+    walletAddress: string;
+    sessionKey: string;
+    siwe: string;
+    signature: string;
+    ens?: {
+        domain?: string | null | undefined;
+        avatarUrl?: string | null | undefined;
+    } | undefined;
+}, {
+    chainId: number;
+    address: string;
+    walletAddress: string;
+    sessionKey: string;
+    siwe: string;
+    signature: string;
+    ens?: {
+        domain?: string | null | undefined;
+        avatarUrl?: string | null | undefined;
+    } | undefined;
+}>;
+/** The URL of a server running tinycloud-node. */
+type ServerHost = string;
+/** Validate unknown data as a ClientSession. Returns the parsed session or null. */
+declare function validateClientSession(data: unknown): ClientSession | null;
+
+/**
+ * Notification handler interface for TinyCloud SDK.
+ *
+ * Abstracts UI notifications so that web-sdk can show toasts
+ * while node-sdk uses a silent no-op handler.
+ *
+ * @packageDocumentation
+ */
+/**
+ * Platform-agnostic notification handler.
+ *
+ * Implementations can provide different UX patterns:
+ * - Browser: toast notifications via antd or similar
+ * - Node.js: silent (default) or logging
+ * - CLI: console output
+ */
+interface INotificationHandler {
+    /** Called on successful operations (e.g., "Successfully signed in") */
+    success(message: string, description?: string): void;
+    /** Called on warnings */
+    warning(message: string, description?: string): void;
+    /** Called on errors */
+    error(category: string, message: string, description?: string): void;
+    /** Optional cleanup (e.g., dismiss all active notifications) */
+    cleanup?(): void;
+}
+/** No-op handler for environments without UI (node-sdk default). */
+declare class SilentNotificationHandler implements INotificationHandler {
+    success(): void;
+    warning(): void;
+    error(): void;
+}
+
+/**
+ * Platform-agnostic ENS resolution interface.
+ *
+ * Browser implementations use ethers.js provider.
+ * Node implementations can use any Ethereum RPC.
+ *
+ * @packageDocumentation
+ */
+interface IENSResolver {
+    /** Resolve an ENS name to an Ethereum address */
+    resolveAddress(ensName: string): Promise<string | null>;
+    /** Reverse-resolve an address to an ENS name */
+    resolveName(address: string): Promise<string | null>;
+    /** Resolve an ENS name to an avatar URL */
+    resolveAvatar?(ensName: string): Promise<string | null>;
+}
+
+/**
+ * WASM binding abstraction for TinyCloud SDK.
+ *
+ * Allows TinyCloudNode to accept either @tinycloud/node-sdk-wasm (Node.js)
+ * or @tinycloud/web-sdk-wasm (browser) without direct dependency on either.
+ *
+ * @packageDocumentation
+ */
+
+/**
+ * Platform-agnostic WASM bindings interface.
+ *
+ * Each platform provides its own implementation:
+ * - node-sdk-wasm: Node.js WASM bindings
+ * - web-sdk-wasm: Browser WASM bindings
+ */
+interface IWasmBindings {
+    /** Invoke a TinyCloud action */
+    invoke: InvokeFunction;
+    /** Prepare a session (generate session key, build SIWE message) */
+    prepareSession: (params: any) => any;
+    /** Complete session setup (create delegation) */
+    completeSessionSetup: (params: any) => any;
+    /** Ensure an address is in EIP-55 checksummed format */
+    ensureEip55: (address: string) => string;
+    /** Generate a space ID from address, chain ID, and prefix */
+    makeSpaceId: (address: string, chainId: number, prefix: string) => string;
+    /** Create a delegation */
+    createDelegation: (...args: any[]) => any;
+    /** Generate a host SIWE message for space activation */
+    generateHostSIWEMessage: (params: any) => string;
+    /** Convert a signed SIWE message to delegation headers */
+    siweToDelegationHeaders: (params: any) => any;
+    /** Get the protocol version */
+    protocolVersion: () => number;
+    vault_encrypt: (key: Uint8Array, plaintext: Uint8Array) => Uint8Array;
+    vault_decrypt: (key: Uint8Array, blob: Uint8Array) => Uint8Array;
+    vault_derive_key: (salt: Uint8Array, signature: Uint8Array, info: Uint8Array) => Uint8Array;
+    vault_x25519_from_seed: (seed: Uint8Array) => {
+        publicKey: Uint8Array;
+        privateKey: Uint8Array;
+    };
+    vault_x25519_dh: (privateKey: Uint8Array, publicKey: Uint8Array) => Uint8Array;
+    vault_random_bytes: (length: number) => Uint8Array;
+    vault_sha256: (data: Uint8Array) => Uint8Array;
+    /** Factory for session managers */
+    createSessionManager: () => ISessionManager;
+    /** Ensure WASM module is initialized (optional — some bindings auto-init) */
+    ensureInitialized?: () => Promise<void>;
+}
+/**
+ * Session key manager backed by WASM.
+ *
+ * Manages Ed25519 session keys used for delegated authentication.
+ */
+interface ISessionManager {
+    /** Create a new session key with the given ID, returns the DID */
+    createSessionKey(id: string): string;
+    /** Rename a session key ID */
+    renameSessionKeyId(oldId: string, newId: string): void;
+    /** Get the DID for a session key */
+    getDID(keyId: string): string;
+    /** Get the JWK representation of a session key */
+    jwk(keyId: string): string | undefined;
+}
+
+/**
+ * Bytes representation as an array of integers.
+ */
+type Bytes = ArrayLike<number>;
+/**
+ * Platform-agnostic signer interface.
+ *
+ * This interface defines the minimal signing capabilities required by TinyCloud.
+ * It can be implemented by browser wallets (via ethers.js Signer), private key
+ * signers in Node.js, or hardware wallets.
+ */
+interface ISigner {
+    /**
+     * Returns the account address.
+     */
+    getAddress(): Promise<string>;
+    /**
+     * Returns the chain ID that this signer is connected to.
+     */
+    getChainId(): Promise<number>;
+    /**
+     * Signs a message and returns the signature.
+     * @param message - The message to sign (string or bytes)
+     * @returns The signature as a hex string (format: "0x<65 bytes>")
+     */
+    signMessage(message: Bytes | string): Promise<string>;
+}
+
+/**
+ * Zod schemas for session persistence types.
+ *
+ * This is the source of truth for session-related types. TypeScript types
+ * are derived from these schemas using z.infer<>.
+ *
+ * @packageDocumentation
+ */
+
+/**
+ * Schema for TinyCloud-specific session data that's persisted.
+ */
+declare const PersistedTinyCloudSessionSchema: z.ZodObject<{
+    /** The delegation header containing the UCAN */
+    delegationHeader: z.ZodObject<{
+        Authorization: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        Authorization: string;
+    }, {
+        Authorization: string;
+    }>;
+    /** The delegation CID */
+    delegationCid: z.ZodString;
+    /** The space ID for this session */
+    spaceId: z.ZodString;
+    /** Additional spaces included in this session's capabilities. Key is logical name, value is full spaceId URI */
+    spaces: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    /** The verification method DID */
+    verificationMethod: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    delegationHeader: {
+        Authorization: string;
+    };
+    delegationCid: string;
+    spaceId: string;
+    verificationMethod: string;
+    spaces?: Record<string, string> | undefined;
+}, {
+    delegationHeader: {
+        Authorization: string;
+    };
+    delegationCid: string;
+    spaceId: string;
+    verificationMethod: string;
+    spaces?: Record<string, string> | undefined;
+}>;
+type PersistedTinyCloudSession = z.infer<typeof PersistedTinyCloudSessionSchema>;
+/**
+ * Schema for full persisted session data.
+ *
+ * Contains all data needed to restore a session without re-authentication.
+ */
+declare const PersistedSessionDataSchema: z.ZodObject<{
+    /** User's Ethereum address */
+    address: z.ZodString;
+    /** EIP-155 Chain ID */
+    chainId: z.ZodNumber;
+    /** Session key in JWK format (stringified) */
+    sessionKey: z.ZodString;
+    /** The signed SIWE message */
+    siwe: z.ZodString;
+    /** User's signature of the SIWE message */
+    signature: z.ZodString;
+    /** TinyCloud delegation data if available */
+    tinycloudSession: z.ZodOptional<z.ZodObject<{
+        /** The delegation header containing the UCAN */
+        delegationHeader: z.ZodObject<{
+            Authorization: z.ZodString;
+        }, "strip", z.ZodTypeAny, {
+            Authorization: string;
+        }, {
+            Authorization: string;
+        }>;
+        /** The delegation CID */
+        delegationCid: z.ZodString;
+        /** The space ID for this session */
+        spaceId: z.ZodString;
+        /** Additional spaces included in this session's capabilities. Key is logical name, value is full spaceId URI */
+        spaces: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+        /** The verification method DID */
+        verificationMethod: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        delegationHeader: {
+            Authorization: string;
+        };
+        delegationCid: string;
+        spaceId: string;
+        verificationMethod: string;
+        spaces?: Record<string, string> | undefined;
+    }, {
+        delegationHeader: {
+            Authorization: string;
+        };
+        delegationCid: string;
+        spaceId: string;
+        verificationMethod: string;
+        spaces?: Record<string, string> | undefined;
+    }>>;
+    /** Session expiration timestamp (ISO 8601 with timezone offset) */
+    expiresAt: z.ZodString;
+    /** Session creation timestamp (ISO 8601 with timezone offset) */
+    createdAt: z.ZodString;
+    /** Schema version for migrations */
+    version: z.ZodString;
+    /** Optional ENS data */
+    ens: z.ZodOptional<z.ZodObject<{
+        /** ENS name/domain. */
+        domain: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+        /** ENS avatar URL. */
+        avatarUrl: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    }, "strip", z.ZodTypeAny, {
+        domain?: string | null | undefined;
+        avatarUrl?: string | null | undefined;
+    }, {
+        domain?: string | null | undefined;
+        avatarUrl?: string | null | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    chainId: number;
+    address: string;
+    sessionKey: string;
+    siwe: string;
+    signature: string;
+    expiresAt: string;
+    createdAt: string;
+    version: string;
+    ens?: {
+        domain?: string | null | undefined;
+        avatarUrl?: string | null | undefined;
+    } | undefined;
+    tinycloudSession?: {
+        delegationHeader: {
+            Authorization: string;
+        };
+        delegationCid: string;
+        spaceId: string;
+        verificationMethod: string;
+        spaces?: Record<string, string> | undefined;
+    } | undefined;
+}, {
+    chainId: number;
+    address: string;
+    sessionKey: string;
+    siwe: string;
+    signature: string;
+    expiresAt: string;
+    createdAt: string;
+    version: string;
+    ens?: {
+        domain?: string | null | undefined;
+        avatarUrl?: string | null | undefined;
+    } | undefined;
+    tinycloudSession?: {
+        delegationHeader: {
+            Authorization: string;
+        };
+        delegationCid: string;
+        spaceId: string;
+        verificationMethod: string;
+        spaces?: Record<string, string> | undefined;
+    } | undefined;
+}>;
+type PersistedSessionData = z.infer<typeof PersistedSessionDataSchema>;
+/**
+ * Schema for full TinyCloud session with delegation data.
+ *
+ * This is the runtime session type used for making invocations and delegations.
+ */
+declare const TinyCloudSessionSchema: z.ZodObject<{
+    /** User's Ethereum address */
+    address: z.ZodString;
+    /** EIP-155 Chain ID */
+    chainId: z.ZodNumber;
+    /** Session key ID */
+    sessionKey: z.ZodString;
+    /** The space ID for this session */
+    spaceId: z.ZodString;
+    /** Additional spaces included in this session's capabilities. Key is logical name, value is full spaceId URI */
+    spaces: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    /** The delegation CID */
+    delegationCid: z.ZodString;
+    /** The delegation header for API calls */
+    delegationHeader: z.ZodObject<{
+        Authorization: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        Authorization: string;
+    }, {
+        Authorization: string;
+    }>;
+    /** The verification method DID */
+    verificationMethod: z.ZodString;
+    /** The session key JWK (required for invoke operations) */
+    jwk: z.ZodObject<{}, "passthrough", z.ZodTypeAny, z.objectOutputType<{}, z.ZodTypeAny, "passthrough">, z.objectInputType<{}, z.ZodTypeAny, "passthrough">>;
+    /** The signed SIWE message */
+    siwe: z.ZodString;
+    /** User's signature of the SIWE message */
+    signature: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    chainId: number;
+    address: string;
+    sessionKey: string;
+    siwe: string;
+    signature: string;
+    delegationHeader: {
+        Authorization: string;
+    };
+    delegationCid: string;
+    spaceId: string;
+    verificationMethod: string;
+    jwk: {} & {
+        [k: string]: unknown;
+    };
+    spaces?: Record<string, string> | undefined;
+}, {
+    chainId: number;
+    address: string;
+    sessionKey: string;
+    siwe: string;
+    signature: string;
+    delegationHeader: {
+        Authorization: string;
+    };
+    delegationCid: string;
+    spaceId: string;
+    verificationMethod: string;
+    jwk: {} & {
+        [k: string]: unknown;
+    };
+    spaces?: Record<string, string> | undefined;
+}>;
+type TinyCloudSession = z.infer<typeof TinyCloudSessionSchema>;
+/**
+ * Validation error type for schema validation failures.
+ */
+interface ValidationError extends ServiceError {
+    code: "VALIDATION_ERROR";
+    meta?: {
+        issues: z.ZodIssue[];
+        path?: string;
+    };
+}
+/**
+ * Validate persisted session data against the schema.
+ *
+ * @param data - Unknown data to validate
+ * @returns Result with validated data or validation error
+ *
+ * @example
+ * ```typescript
+ * const result = validatePersistedSessionData(JSON.parse(rawData));
+ * if (result.ok) {
+ *   // result.data is typed as PersistedSessionData
+ *   console.log(result.data.address);
+ * } else {
+ *   console.error(result.error.message);
+ * }
+ * ```
+ */
+declare function validatePersistedSessionData(data: unknown): Result$1<PersistedSessionData, ValidationError>;
+
+/**
+ * Session storage types and interfaces.
+ *
+ * Types are derived from Zod schemas in storage.schema.ts.
+ *
+ * @packageDocumentation
+ */
+
+/**
+ * Session storage interface.
+ *
+ * Abstracts how sessions are persisted across different platforms.
+ * - Browser: localStorage
+ * - Node.js: file system or memory
+ */
+interface ISessionStorage {
+    /**
+     * Save a session for an address.
+     * @param address - Ethereum address (key for lookup)
+     * @param session - Session data to persist
+     */
+    save(address: string, session: PersistedSessionData): Promise<void>;
+    /**
+     * Load a session for an address.
+     * @param address - Ethereum address
+     * @returns Session data or null if not found
+     */
+    load(address: string): Promise<PersistedSessionData | null>;
+    /**
+     * Clear a session for an address.
+     * @param address - Ethereum address
+     */
+    clear(address: string): Promise<void>;
+    /**
+     * Check if a session exists for an address (synchronous check).
+     * @param address - Ethereum address
+     * @returns true if session exists
+     */
+    exists(address: string): boolean;
+    /**
+     * Check if the storage backend is available.
+     * @returns true if storage can be used
+     */
+    isAvailable(): boolean;
+}
+
+/**
+ * Zod schemas for delegation management types.
+ *
+ * These schemas provide runtime validation for delegation, capability key management,
+ * and sharing link functionality. Types are derived from schemas using z.infer<>.
+ *
+ * @packageDocumentation
+ */
+
+/**
+ * Result type pattern for delegation operations.
+ */
+type Result<T, E = DelegationError> = {
+    ok: true;
+    data: T;
+} | {
+    ok: false;
+    error: E;
+};
+/**
+ * JSON Web Key representation for cryptographic keys.
+ * Follows the JWK specification (RFC 7517).
+ */
+declare const JWKSchema: z.ZodObject<{
+    /** Key type (e.g., "EC", "RSA", "OKP") */
+    kty: z.ZodString;
+    /** Curve for EC/OKP keys (e.g., "P-256", "Ed25519") */
+    crv: z.ZodOptional<z.ZodString>;
+    /** X coordinate for EC keys, public key for OKP */
+    x: z.ZodOptional<z.ZodString>;
+    /** Y coordinate for EC keys */
+    y: z.ZodOptional<z.ZodString>;
+    /** Private key value (d parameter) */
+    d: z.ZodOptional<z.ZodString>;
+    /** Public exponent for RSA keys */
+    e: z.ZodOptional<z.ZodString>;
+    /** Modulus for RSA keys */
+    n: z.ZodOptional<z.ZodString>;
+    /** Key ID */
+    kid: z.ZodOptional<z.ZodString>;
+    /** Algorithm */
+    alg: z.ZodOptional<z.ZodString>;
+    /** Key use (e.g., "sig", "enc") */
+    use: z.ZodOptional<z.ZodString>;
+    /** Key operations (e.g., ["sign", "verify"]) */
+    key_ops: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+}, "strip", z.ZodTypeAny, {
+    kty: string;
+    crv?: string | undefined;
+    x?: string | undefined;
+    y?: string | undefined;
+    d?: string | undefined;
+    e?: string | undefined;
+    n?: string | undefined;
+    kid?: string | undefined;
+    alg?: string | undefined;
+    use?: string | undefined;
+    key_ops?: string[] | undefined;
+}, {
+    kty: string;
+    crv?: string | undefined;
+    x?: string | undefined;
+    y?: string | undefined;
+    d?: string | undefined;
+    e?: string | undefined;
+    n?: string | undefined;
+    kid?: string | undefined;
+    alg?: string | undefined;
+    use?: string | undefined;
+    key_ops?: string[] | undefined;
+}>;
+type JWK = z.infer<typeof JWKSchema>;
+/**
+ * Type of key in the capability registry.
+ */
+declare const KeyTypeSchema: z.ZodEnum<["main", "session", "ingested"]>;
+type KeyType = z.infer<typeof KeyTypeSchema>;
+/**
+ * Information about a cryptographic key used for delegations.
+ */
+declare const KeyInfoSchema: z.ZodObject<{
+    /** Unique identifier for this key */
+    id: z.ZodString;
+    /** DID associated with this key */
+    did: z.ZodString;
+    /** Type of key determining its authority level */
+    type: z.ZodEnum<["main", "session", "ingested"]>;
+    /** Private key in JWK format */
+    jwk: z.ZodOptional<z.ZodObject<{
+        /** Key type (e.g., "EC", "RSA", "OKP") */
+        kty: z.ZodString;
+        /** Curve for EC/OKP keys (e.g., "P-256", "Ed25519") */
+        crv: z.ZodOptional<z.ZodString>;
+        /** X coordinate for EC keys, public key for OKP */
+        x: z.ZodOptional<z.ZodString>;
+        /** Y coordinate for EC keys */
+        y: z.ZodOptional<z.ZodString>;
+        /** Private key value (d parameter) */
+        d: z.ZodOptional<z.ZodString>;
+        /** Public exponent for RSA keys */
+        e: z.ZodOptional<z.ZodString>;
+        /** Modulus for RSA keys */
+        n: z.ZodOptional<z.ZodString>;
+        /** Key ID */
+        kid: z.ZodOptional<z.ZodString>;
+        /** Algorithm */
+        alg: z.ZodOptional<z.ZodString>;
+        /** Key use (e.g., "sig", "enc") */
+        use: z.ZodOptional<z.ZodString>;
+        /** Key operations (e.g., ["sign", "verify"]) */
+        key_ops: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        kty: string;
+        crv?: string | undefined;
+        x?: string | undefined;
+        y?: string | undefined;
+        d?: string | undefined;
+        e?: string | undefined;
+        n?: string | undefined;
+        kid?: string | undefined;
+        alg?: string | undefined;
+        use?: string | undefined;
+        key_ops?: string[] | undefined;
+    }, {
+        kty: string;
+        crv?: string | undefined;
+        x?: string | undefined;
+        y?: string | undefined;
+        d?: string | undefined;
+        e?: string | undefined;
+        n?: string | undefined;
+        kid?: string | undefined;
+        alg?: string | undefined;
+        use?: string | undefined;
+        key_ops?: string[] | undefined;
+    }>>;
+    /** Priority for key selection (lower = higher priority) */
+    priority: z.ZodNumber;
+}, "strip", z.ZodTypeAny, {
+    type: "session" | "main" | "ingested";
+    id: string;
+    did: string;
+    priority: number;
+    jwk?: {
+        kty: string;
+        crv?: string | undefined;
+        x?: string | undefined;
+        y?: string | undefined;
+        d?: string | undefined;
+        e?: string | undefined;
+        n?: string | undefined;
+        kid?: string | undefined;
+        alg?: string | undefined;
+        use?: string | undefined;
+        key_ops?: string[] | undefined;
+    } | undefined;
+}, {
+    type: "session" | "main" | "ingested";
+    id: string;
+    did: string;
+    priority: number;
+    jwk?: {
+        kty: string;
+        crv?: string | undefined;
+        x?: string | undefined;
+        y?: string | undefined;
+        d?: string | undefined;
+        e?: string | undefined;
+        n?: string | undefined;
+        kid?: string | undefined;
+        alg?: string | undefined;
+        use?: string | undefined;
+        key_ops?: string[] | undefined;
+    } | undefined;
+}>;
+type KeyInfo = z.infer<typeof KeyInfoSchema>;
+/**
+ * Error type for delegation operations.
+ */
+declare const DelegationErrorSchema: z.ZodObject<{
+    /** Error code for programmatic handling */
+    code: z.ZodString;
+    /** Human-readable error message */
+    message: z.ZodString;
+    /** The service that produced the error */
+    service: z.ZodLiteral<"delegation">;
+    /** Original error if wrapping another error */
+    cause: z.ZodOptional<z.ZodType<Error, z.ZodTypeDef, Error>>;
+    /** Additional metadata about the error */
+    meta: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+}, "strip", z.ZodTypeAny, {
+    code: string;
+    message: string;
+    service: "delegation";
+    cause?: Error | undefined;
+    meta?: Record<string, unknown> | undefined;
+}, {
+    code: string;
+    message: string;
+    service: "delegation";
+    cause?: Error | undefined;
+    meta?: Record<string, unknown> | undefined;
+}>;
+type DelegationError = z.infer<typeof DelegationErrorSchema>;
+/**
+ * Error codes for delegation operations.
+ */
+declare const DelegationErrorCodes: {
+    readonly AUTH_REQUIRED: "AUTH_REQUIRED";
+    readonly AUTH_EXPIRED: "AUTH_EXPIRED";
+    readonly NOT_INITIALIZED: "NOT_INITIALIZED";
+    readonly NOT_FOUND: "NOT_FOUND";
+    readonly REVOKED: "REVOKED";
+    readonly NETWORK_ERROR: "NETWORK_ERROR";
+    readonly TIMEOUT: "TIMEOUT";
+    readonly ABORTED: "ABORTED";
+    readonly INVALID_INPUT: "INVALID_INPUT";
+    readonly PERMISSION_DENIED: "PERMISSION_DENIED";
+    readonly CREATION_FAILED: "CREATION_FAILED";
+    readonly REVOCATION_FAILED: "REVOCATION_FAILED";
+    readonly INVALID_TOKEN: "INVALID_TOKEN";
+    readonly KV_SERVICE_UNAVAILABLE: "KV_SERVICE_UNAVAILABLE";
+    readonly DATA_FETCH_FAILED: "DATA_FETCH_FAILED";
+    readonly VALIDATION_ERROR: "VALIDATION_ERROR";
+};
+type DelegationErrorCode = (typeof DelegationErrorCodes)[keyof typeof DelegationErrorCodes];
+/**
+ * Represents a delegation from one DID to another.
+ */
+declare const DelegationSchema: z.ZodObject<{
+    /** Content identifier (CID) of the delegation */
+    cid: z.ZodString;
+    /** DID of the delegate (the party receiving the delegation) */
+    delegateDID: z.ZodString;
+    /** Space ID this delegation applies to */
+    spaceId: z.ZodString;
+    /** Resource path this delegation grants access to */
+    path: z.ZodString;
+    /** Actions this delegation authorizes */
+    actions: z.ZodArray<z.ZodString, "many">;
+    /** When this delegation expires (accepts Date or ISO string from JSON) */
+    expiry: z.ZodDate;
+    /** Whether this delegation has been revoked */
+    isRevoked: z.ZodBoolean;
+    /** DID of the delegator (the party granting the delegation) */
+    delegatorDID: z.ZodOptional<z.ZodString>;
+    /** When this delegation was created (accepts Date or ISO string from JSON) */
+    createdAt: z.ZodOptional<z.ZodDate>;
+    /** Parent delegation CID if this is a sub-delegation */
+    parentCid: z.ZodOptional<z.ZodString>;
+    /** Whether sub-delegation is allowed */
+    allowSubDelegation: z.ZodOptional<z.ZodBoolean>;
+    /** Authorization header (UCAN bearer token) */
+    authHeader: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    path: string;
+    spaceId: string;
+    cid: string;
+    delegateDID: string;
+    actions: string[];
+    expiry: Date;
+    isRevoked: boolean;
+    createdAt?: Date | undefined;
+    delegatorDID?: string | undefined;
+    parentCid?: string | undefined;
+    allowSubDelegation?: boolean | undefined;
+    authHeader?: string | undefined;
+}, {
+    path: string;
+    spaceId: string;
+    cid: string;
+    delegateDID: string;
+    actions: string[];
+    expiry: Date;
+    isRevoked: boolean;
+    createdAt?: Date | undefined;
+    delegatorDID?: string | undefined;
+    parentCid?: string | undefined;
+    allowSubDelegation?: boolean | undefined;
+    authHeader?: string | undefined;
+}>;
+type Delegation = z.infer<typeof DelegationSchema>;
+/**
+ * Entry in the capability registry mapping a capability to available keys.
+ */
+declare const CapabilityEntrySchema: z.ZodObject<{
+    /** Resource URI this capability applies to */
+    resource: z.ZodString;
+    /** Action this capability authorizes */
+    action: z.ZodString;
+    /** Keys that can exercise this capability, ordered by priority */
+    keys: z.ZodArray<z.ZodObject<{
+        /** Unique identifier for this key */
+        id: z.ZodString;
+        /** DID associated with this key */
+        did: z.ZodString;
+        /** Type of key determining its authority level */
+        type: z.ZodEnum<["main", "session", "ingested"]>;
+        /** Private key in JWK format */
+        jwk: z.ZodOptional<z.ZodObject<{
+            /** Key type (e.g., "EC", "RSA", "OKP") */
+            kty: z.ZodString;
+            /** Curve for EC/OKP keys (e.g., "P-256", "Ed25519") */
+            crv: z.ZodOptional<z.ZodString>;
+            /** X coordinate for EC keys, public key for OKP */
+            x: z.ZodOptional<z.ZodString>;
+            /** Y coordinate for EC keys */
+            y: z.ZodOptional<z.ZodString>;
+            /** Private key value (d parameter) */
+            d: z.ZodOptional<z.ZodString>;
+            /** Public exponent for RSA keys */
+            e: z.ZodOptional<z.ZodString>;
+            /** Modulus for RSA keys */
+            n: z.ZodOptional<z.ZodString>;
+            /** Key ID */
+            kid: z.ZodOptional<z.ZodString>;
+            /** Algorithm */
+            alg: z.ZodOptional<z.ZodString>;
+            /** Key use (e.g., "sig", "enc") */
+            use: z.ZodOptional<z.ZodString>;
+            /** Key operations (e.g., ["sign", "verify"]) */
+            key_ops: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        }, "strip", z.ZodTypeAny, {
+            kty: string;
+            crv?: string | undefined;
+            x?: string | undefined;
+            y?: string | undefined;
+            d?: string | undefined;
+            e?: string | undefined;
+            n?: string | undefined;
+            kid?: string | undefined;
+            alg?: string | undefined;
+            use?: string | undefined;
+            key_ops?: string[] | undefined;
+        }, {
+            kty: string;
+            crv?: string | undefined;
+            x?: string | undefined;
+            y?: string | undefined;
+            d?: string | undefined;
+            e?: string | undefined;
+            n?: string | undefined;
+            kid?: string | undefined;
+            alg?: string | undefined;
+            use?: string | undefined;
+            key_ops?: string[] | undefined;
+        }>>;
+        /** Priority for key selection (lower = higher priority) */
+        priority: z.ZodNumber;
+    }, "strip", z.ZodTypeAny, {
+        type: "session" | "main" | "ingested";
+        id: string;
+        did: string;
+        priority: number;
+        jwk?: {
+            kty: string;
+            crv?: string | undefined;
+            x?: string | undefined;
+            y?: string | undefined;
+            d?: string | undefined;
+            e?: string | undefined;
+            n?: string | undefined;
+            kid?: string | undefined;
+            alg?: string | undefined;
+            use?: string | undefined;
+            key_ops?: string[] | undefined;
+        } | undefined;
+    }, {
+        type: "session" | "main" | "ingested";
+        id: string;
+        did: string;
+        priority: number;
+        jwk?: {
+            kty: string;
+            crv?: string | undefined;
+            x?: string | undefined;
+            y?: string | undefined;
+            d?: string | undefined;
+            e?: string | undefined;
+            n?: string | undefined;
+            kid?: string | undefined;
+            alg?: string | undefined;
+            use?: string | undefined;
+            key_ops?: string[] | undefined;
+        } | undefined;
+    }>, "many">;
+    /** The delegation that grants this capability */
+    delegation: z.ZodObject<{
+        /** Content identifier (CID) of the delegation */
+        cid: z.ZodString;
+        /** DID of the delegate (the party receiving the delegation) */
+        delegateDID: z.ZodString;
+        /** Space ID this delegation applies to */
+        spaceId: z.ZodString;
+        /** Resource path this delegation grants access to */
+        path: z.ZodString;
+        /** Actions this delegation authorizes */
+        actions: z.ZodArray<z.ZodString, "many">;
+        /** When this delegation expires (accepts Date or ISO string from JSON) */
+        expiry: z.ZodDate;
+        /** Whether this delegation has been revoked */
+        isRevoked: z.ZodBoolean;
+        /** DID of the delegator (the party granting the delegation) */
+        delegatorDID: z.ZodOptional<z.ZodString>;
+        /** When this delegation was created (accepts Date or ISO string from JSON) */
+        createdAt: z.ZodOptional<z.ZodDate>;
+        /** Parent delegation CID if this is a sub-delegation */
+        parentCid: z.ZodOptional<z.ZodString>;
+        /** Whether sub-delegation is allowed */
+        allowSubDelegation: z.ZodOptional<z.ZodBoolean>;
+        /** Authorization header (UCAN bearer token) */
+        authHeader: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        path: string;
+        spaceId: string;
+        cid: string;
+        delegateDID: string;
+        actions: string[];
+        expiry: Date;
+        isRevoked: boolean;
+        createdAt?: Date | undefined;
+        delegatorDID?: string | undefined;
+        parentCid?: string | undefined;
+        allowSubDelegation?: boolean | undefined;
+        authHeader?: string | undefined;
+    }, {
+        path: string;
+        spaceId: string;
+        cid: string;
+        delegateDID: string;
+        actions: string[];
+        expiry: Date;
+        isRevoked: boolean;
+        createdAt?: Date | undefined;
+        delegatorDID?: string | undefined;
+        parentCid?: string | undefined;
+        allowSubDelegation?: boolean | undefined;
+        authHeader?: string | undefined;
+    }>;
+    /** When this capability expires (accepts Date or ISO string from JSON) */
+    expiresAt: z.ZodOptional<z.ZodDate>;
+}, "strip", z.ZodTypeAny, {
+    keys: {
+        type: "session" | "main" | "ingested";
+        id: string;
+        did: string;
+        priority: number;
+        jwk?: {
+            kty: string;
+            crv?: string | undefined;
+            x?: string | undefined;
+            y?: string | undefined;
+            d?: string | undefined;
+            e?: string | undefined;
+            n?: string | undefined;
+            kid?: string | undefined;
+            alg?: string | undefined;
+            use?: string | undefined;
+            key_ops?: string[] | undefined;
+        } | undefined;
+    }[];
+    delegation: {
+        path: string;
+        spaceId: string;
+        cid: string;
+        delegateDID: string;
+        actions: string[];
+        expiry: Date;
+        isRevoked: boolean;
+        createdAt?: Date | undefined;
+        delegatorDID?: string | undefined;
+        parentCid?: string | undefined;
+        allowSubDelegation?: boolean | undefined;
+        authHeader?: string | undefined;
+    };
+    resource: string;
+    action: string;
+    expiresAt?: Date | undefined;
+}, {
+    keys: {
+        type: "session" | "main" | "ingested";
+        id: string;
+        did: string;
+        priority: number;
+        jwk?: {
+            kty: string;
+            crv?: string | undefined;
+            x?: string | undefined;
+            y?: string | undefined;
+            d?: string | undefined;
+            e?: string | undefined;
+            n?: string | undefined;
+            kid?: string | undefined;
+            alg?: string | undefined;
+            use?: string | undefined;
+            key_ops?: string[] | undefined;
+        } | undefined;
+    }[];
+    delegation: {
+        path: string;
+        spaceId: string;
+        cid: string;
+        delegateDID: string;
+        actions: string[];
+        expiry: Date;
+        isRevoked: boolean;
+        createdAt?: Date | undefined;
+        delegatorDID?: string | undefined;
+        parentCid?: string | undefined;
+        allowSubDelegation?: boolean | undefined;
+        authHeader?: string | undefined;
+    };
+    resource: string;
+    action: string;
+    expiresAt?: Date | undefined;
+}>;
+type CapabilityEntry = z.infer<typeof CapabilityEntrySchema>;
+/**
+ * Persistent record of a delegation stored in the system.
+ */
+declare const DelegationRecordSchema: z.ZodObject<{
+    /** Content identifier (CID) of the delegation */
+    cid: z.ZodString;
+    /** Space ID this delegation applies to */
+    spaceId: z.ZodString;
+    /** DID of the delegator (grantor) */
+    delegator: z.ZodString;
+    /** DID of the delegatee (recipient) */
+    delegatee: z.ZodString;
+    /** Key ID used to sign/exercise this delegation */
+    keyId: z.ZodOptional<z.ZodString>;
+    /** Resource path pattern this delegation grants access to */
+    path: z.ZodString;
+    /** Actions this delegation authorizes */
+    actions: z.ZodArray<z.ZodString, "many">;
+    /** When this delegation expires (accepts Date or ISO string from JSON) */
+    expiry: z.ZodOptional<z.ZodDate>;
+    /** When this delegation becomes valid (not before) (accepts Date or ISO string) */
+    notBefore: z.ZodOptional<z.ZodDate>;
+    /** Whether this delegation has been revoked */
+    isRevoked: z.ZodBoolean;
+    /** When this delegation was created (accepts Date or ISO string from JSON) */
+    createdAt: z.ZodDate;
+    /** Parent delegation CID if this is a sub-delegation */
+    parentCid: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    path: string;
+    spaceId: string;
+    createdAt: Date;
+    cid: string;
+    actions: string[];
+    isRevoked: boolean;
+    delegator: string;
+    delegatee: string;
+    notBefore?: Date | undefined;
+    expiry?: Date | undefined;
+    parentCid?: string | undefined;
+    keyId?: string | undefined;
+}, {
+    path: string;
+    spaceId: string;
+    createdAt: Date;
+    cid: string;
+    actions: string[];
+    isRevoked: boolean;
+    delegator: string;
+    delegatee: string;
+    notBefore?: Date | undefined;
+    expiry?: Date | undefined;
+    parentCid?: string | undefined;
+    keyId?: string | undefined;
+}>;
+type DelegationRecord = z.infer<typeof DelegationRecordSchema>;
+/**
+ * Parameters for creating a new delegation.
+ */
+declare const CreateDelegationParamsSchema: z.ZodObject<{
+    /** DID of the delegate (the party receiving the delegation) */
+    delegateDID: z.ZodString;
+    /** Resource path this delegation grants access to */
+    path: z.ZodString;
+    /** Actions to authorize */
+    actions: z.ZodArray<z.ZodString, "many">;
+    /** When this delegation expires (accepts Date or ISO string) */
+    expiry: z.ZodOptional<z.ZodDate>;
+    /** Whether to disable sub-delegation */
+    disableSubDelegation: z.ZodOptional<z.ZodBoolean>;
+    /** Optional statement for the SIWE message */
+    statement: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    path: string;
+    delegateDID: string;
+    actions: string[];
+    statement?: string | undefined;
+    expiry?: Date | undefined;
+    disableSubDelegation?: boolean | undefined;
+}, {
+    path: string;
+    delegateDID: string;
+    actions: string[];
+    statement?: string | undefined;
+    expiry?: Date | undefined;
+    disableSubDelegation?: boolean | undefined;
+}>;
+type CreateDelegationParams = z.infer<typeof CreateDelegationParamsSchema>;
+/**
+ * A chain of delegations from root to leaf (array format).
+ */
+declare const DelegationChainSchema: z.ZodArray<z.ZodObject<{
+    /** Content identifier (CID) of the delegation */
+    cid: z.ZodString;
+    /** DID of the delegate (the party receiving the delegation) */
+    delegateDID: z.ZodString;
+    /** Space ID this delegation applies to */
+    spaceId: z.ZodString;
+    /** Resource path this delegation grants access to */
+    path: z.ZodString;
+    /** Actions this delegation authorizes */
+    actions: z.ZodArray<z.ZodString, "many">;
+    /** When this delegation expires (accepts Date or ISO string from JSON) */
+    expiry: z.ZodDate;
+    /** Whether this delegation has been revoked */
+    isRevoked: z.ZodBoolean;
+    /** DID of the delegator (the party granting the delegation) */
+    delegatorDID: z.ZodOptional<z.ZodString>;
+    /** When this delegation was created (accepts Date or ISO string from JSON) */
+    createdAt: z.ZodOptional<z.ZodDate>;
+    /** Parent delegation CID if this is a sub-delegation */
+    parentCid: z.ZodOptional<z.ZodString>;
+    /** Whether sub-delegation is allowed */
+    allowSubDelegation: z.ZodOptional<z.ZodBoolean>;
+    /** Authorization header (UCAN bearer token) */
+    authHeader: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    path: string;
+    spaceId: string;
+    cid: string;
+    delegateDID: string;
+    actions: string[];
+    expiry: Date;
+    isRevoked: boolean;
+    createdAt?: Date | undefined;
+    delegatorDID?: string | undefined;
+    parentCid?: string | undefined;
+    allowSubDelegation?: boolean | undefined;
+    authHeader?: string | undefined;
+}, {
+    path: string;
+    spaceId: string;
+    cid: string;
+    delegateDID: string;
+    actions: string[];
+    expiry: Date;
+    isRevoked: boolean;
+    createdAt?: Date | undefined;
+    delegatorDID?: string | undefined;
+    parentCid?: string | undefined;
+    allowSubDelegation?: boolean | undefined;
+    authHeader?: string | undefined;
+}>, "many">;
+type DelegationChain = z.infer<typeof DelegationChainSchema>;
+/**
+ * Structured delegation chain (v2 spec).
+ */
+declare const DelegationChainV2Schema: z.ZodObject<{
+    /** The root delegation from the original authority */
+    root: z.ZodObject<{
+        /** Content identifier (CID) of the delegation */
+        cid: z.ZodString;
+        /** DID of the delegate (the party receiving the delegation) */
+        delegateDID: z.ZodString;
+        /** Space ID this delegation applies to */
+        spaceId: z.ZodString;
+        /** Resource path this delegation grants access to */
+        path: z.ZodString;
+        /** Actions this delegation authorizes */
+        actions: z.ZodArray<z.ZodString, "many">;
+        /** When this delegation expires (accepts Date or ISO string from JSON) */
+        expiry: z.ZodDate;
+        /** Whether this delegation has been revoked */
+        isRevoked: z.ZodBoolean;
+        /** DID of the delegator (the party granting the delegation) */
+        delegatorDID: z.ZodOptional<z.ZodString>;
+        /** When this delegation was created (accepts Date or ISO string from JSON) */
+        createdAt: z.ZodOptional<z.ZodDate>;
+        /** Parent delegation CID if this is a sub-delegation */
+        parentCid: z.ZodOptional<z.ZodString>;
+        /** Whether sub-delegation is allowed */
+        allowSubDelegation: z.ZodOptional<z.ZodBoolean>;
+        /** Authorization header (UCAN bearer token) */
+        authHeader: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        path: string;
+        spaceId: string;
+        cid: string;
+        delegateDID: string;
+        actions: string[];
+        expiry: Date;
+        isRevoked: boolean;
+        createdAt?: Date | undefined;
+        delegatorDID?: string | undefined;
+        parentCid?: string | undefined;
+        allowSubDelegation?: boolean | undefined;
+        authHeader?: string | undefined;
+    }, {
+        path: string;
+        spaceId: string;
+        cid: string;
+        delegateDID: string;
+        actions: string[];
+        expiry: Date;
+        isRevoked: boolean;
+        createdAt?: Date | undefined;
+        delegatorDID?: string | undefined;
+        parentCid?: string | undefined;
+        allowSubDelegation?: boolean | undefined;
+        authHeader?: string | undefined;
+    }>;
+    /** Intermediate delegations in the chain (may be empty) */
+    chain: z.ZodArray<z.ZodObject<{
+        /** Content identifier (CID) of the delegation */
+        cid: z.ZodString;
+        /** DID of the delegate (the party receiving the delegation) */
+        delegateDID: z.ZodString;
+        /** Space ID this delegation applies to */
+        spaceId: z.ZodString;
+        /** Resource path this delegation grants access to */
+        path: z.ZodString;
+        /** Actions this delegation authorizes */
+        actions: z.ZodArray<z.ZodString, "many">;
+        /** When this delegation expires (accepts Date or ISO string from JSON) */
+        expiry: z.ZodDate;
+        /** Whether this delegation has been revoked */
+        isRevoked: z.ZodBoolean;
+        /** DID of the delegator (the party granting the delegation) */
+        delegatorDID: z.ZodOptional<z.ZodString>;
+        /** When this delegation was created (accepts Date or ISO string from JSON) */
+        createdAt: z.ZodOptional<z.ZodDate>;
+        /** Parent delegation CID if this is a sub-delegation */
+        parentCid: z.ZodOptional<z.ZodString>;
+        /** Whether sub-delegation is allowed */
+        allowSubDelegation: z.ZodOptional<z.ZodBoolean>;
+        /** Authorization header (UCAN bearer token) */
+        authHeader: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        path: string;
+        spaceId: string;
+        cid: string;
+        delegateDID: string;
+        actions: string[];
+        expiry: Date;
+        isRevoked: boolean;
+        createdAt?: Date | undefined;
+        delegatorDID?: string | undefined;
+        parentCid?: string | undefined;
+        allowSubDelegation?: boolean | undefined;
+        authHeader?: string | undefined;
+    }, {
+        path: string;
+        spaceId: string;
+        cid: string;
+        delegateDID: string;
+        actions: string[];
+        expiry: Date;
+        isRevoked: boolean;
+        createdAt?: Date | undefined;
+        delegatorDID?: string | undefined;
+        parentCid?: string | undefined;
+        allowSubDelegation?: boolean | undefined;
+        authHeader?: string | undefined;
+    }>, "many">;
+    /** The final delegation to the current user */
+    leaf: z.ZodObject<{
+        /** Content identifier (CID) of the delegation */
+        cid: z.ZodString;
+        /** DID of the delegate (the party receiving the delegation) */
+        delegateDID: z.ZodString;
+        /** Space ID this delegation applies to */
+        spaceId: z.ZodString;
+        /** Resource path this delegation grants access to */
+        path: z.ZodString;
+        /** Actions this delegation authorizes */
+        actions: z.ZodArray<z.ZodString, "many">;
+        /** When this delegation expires (accepts Date or ISO string from JSON) */
+        expiry: z.ZodDate;
+        /** Whether this delegation has been revoked */
+        isRevoked: z.ZodBoolean;
+        /** DID of the delegator (the party granting the delegation) */
+        delegatorDID: z.ZodOptional<z.ZodString>;
+        /** When this delegation was created (accepts Date or ISO string from JSON) */
+        createdAt: z.ZodOptional<z.ZodDate>;
+        /** Parent delegation CID if this is a sub-delegation */
+        parentCid: z.ZodOptional<z.ZodString>;
+        /** Whether sub-delegation is allowed */
+        allowSubDelegation: z.ZodOptional<z.ZodBoolean>;
+        /** Authorization header (UCAN bearer token) */
+        authHeader: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        path: string;
+        spaceId: string;
+        cid: string;
+        delegateDID: string;
+        actions: string[];
+        expiry: Date;
+        isRevoked: boolean;
+        createdAt?: Date | undefined;
+        delegatorDID?: string | undefined;
+        parentCid?: string | undefined;
+        allowSubDelegation?: boolean | undefined;
+        authHeader?: string | undefined;
+    }, {
+        path: string;
+        spaceId: string;
+        cid: string;
+        delegateDID: string;
+        actions: string[];
+        expiry: Date;
+        isRevoked: boolean;
+        createdAt?: Date | undefined;
+        delegatorDID?: string | undefined;
+        parentCid?: string | undefined;
+        allowSubDelegation?: boolean | undefined;
+        authHeader?: string | undefined;
+    }>;
+}, "strip", z.ZodTypeAny, {
+    root: {
+        path: string;
+        spaceId: string;
+        cid: string;
+        delegateDID: string;
+        actions: string[];
+        expiry: Date;
+        isRevoked: boolean;
+        createdAt?: Date | undefined;
+        delegatorDID?: string | undefined;
+        parentCid?: string | undefined;
+        allowSubDelegation?: boolean | undefined;
+        authHeader?: string | undefined;
+    };
+    chain: {
+        path: string;
+        spaceId: string;
+        cid: string;
+        delegateDID: string;
+        actions: string[];
+        expiry: Date;
+        isRevoked: boolean;
+        createdAt?: Date | undefined;
+        delegatorDID?: string | undefined;
+        parentCid?: string | undefined;
+        allowSubDelegation?: boolean | undefined;
+        authHeader?: string | undefined;
+    }[];
+    leaf: {
+        path: string;
+        spaceId: string;
+        cid: string;
+        delegateDID: string;
+        actions: string[];
+        expiry: Date;
+        isRevoked: boolean;
+        createdAt?: Date | undefined;
+        delegatorDID?: string | undefined;
+        parentCid?: string | undefined;
+        allowSubDelegation?: boolean | undefined;
+        authHeader?: string | undefined;
+    };
+}, {
+    root: {
+        path: string;
+        spaceId: string;
+        cid: string;
+        delegateDID: string;
+        actions: string[];
+        expiry: Date;
+        isRevoked: boolean;
+        createdAt?: Date | undefined;
+        delegatorDID?: string | undefined;
+        parentCid?: string | undefined;
+        allowSubDelegation?: boolean | undefined;
+        authHeader?: string | undefined;
+    };
+    chain: {
+        path: string;
+        spaceId: string;
+        cid: string;
+        delegateDID: string;
+        actions: string[];
+        expiry: Date;
+        isRevoked: boolean;
+        createdAt?: Date | undefined;
+        delegatorDID?: string | undefined;
+        parentCid?: string | undefined;
+        allowSubDelegation?: boolean | undefined;
+        authHeader?: string | undefined;
+    }[];
+    leaf: {
+        path: string;
+        spaceId: string;
+        cid: string;
+        delegateDID: string;
+        actions: string[];
+        expiry: Date;
+        isRevoked: boolean;
+        createdAt?: Date | undefined;
+        delegatorDID?: string | undefined;
+        parentCid?: string | undefined;
+        allowSubDelegation?: boolean | undefined;
+        authHeader?: string | undefined;
+    };
+}>;
+type DelegationChainV2 = z.infer<typeof DelegationChainV2Schema>;
+/**
+ * Direction of delegation to filter by.
+ */
+declare const DelegationDirectionSchema: z.ZodEnum<["granted", "received", "all"]>;
+type DelegationDirection = z.infer<typeof DelegationDirectionSchema>;
+/**
+ * Filters for listing delegations.
+ */
+declare const DelegationFiltersSchema: z.ZodObject<{
+    /** Filter by delegation direction */
+    direction: z.ZodOptional<z.ZodEnum<["granted", "received", "all"]>>;
+    /** Filter by resource path pattern */
+    path: z.ZodOptional<z.ZodString>;
+    /** Filter by required actions */
+    actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    /** Include revoked delegations */
+    includeRevoked: z.ZodOptional<z.ZodBoolean>;
+    /** Filter by delegator DID */
+    delegator: z.ZodOptional<z.ZodString>;
+    /** Filter by delegatee DID */
+    delegatee: z.ZodOptional<z.ZodString>;
+    /** Only include delegations valid at this time */
+    validAt: z.ZodOptional<z.ZodDate>;
+    /** Maximum number of results to return */
+    limit: z.ZodOptional<z.ZodNumber>;
+    /** Cursor for pagination */
+    cursor: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    path?: string | undefined;
+    actions?: string[] | undefined;
+    delegator?: string | undefined;
+    delegatee?: string | undefined;
+    direction?: "received" | "granted" | "all" | undefined;
+    includeRevoked?: boolean | undefined;
+    validAt?: Date | undefined;
+    limit?: number | undefined;
+    cursor?: string | undefined;
+}, {
+    path?: string | undefined;
+    actions?: string[] | undefined;
+    delegator?: string | undefined;
+    delegatee?: string | undefined;
+    direction?: "received" | "granted" | "all" | undefined;
+    includeRevoked?: boolean | undefined;
+    validAt?: Date | undefined;
+    limit?: number | undefined;
+    cursor?: string | undefined;
+}>;
+type DelegationFilters = z.infer<typeof DelegationFiltersSchema>;
+/**
+ * Type of space ownership.
+ */
+declare const SpaceOwnershipSchema: z.ZodEnum<["owned", "delegated"]>;
+type SpaceOwnership = z.infer<typeof SpaceOwnershipSchema>;
+/**
+ * Information about a space the user has access to.
+ */
+declare const SpaceInfoSchema: z.ZodObject<{
+    /** Space identifier */
+    id: z.ZodString;
+    /** Human-readable name for the space */
+    name: z.ZodOptional<z.ZodString>;
+    /** DID of the space owner */
+    owner: z.ZodString;
+    /** Whether user owns or has delegated access */
+    type: z.ZodEnum<["owned", "delegated"]>;
+    /** Permissions the user has in this space */
+    permissions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    /** When the access expires (for delegated spaces) */
+    expiresAt: z.ZodOptional<z.ZodDate>;
+}, "strip", z.ZodTypeAny, {
+    type: "owned" | "delegated";
+    id: string;
+    owner: string;
+    expiresAt?: Date | undefined;
+    name?: string | undefined;
+    permissions?: string[] | undefined;
+}, {
+    type: "owned" | "delegated";
+    id: string;
+    owner: string;
+    expiresAt?: Date | undefined;
+    name?: string | undefined;
+    permissions?: string[] | undefined;
+}>;
+type SpaceInfo = z.infer<typeof SpaceInfoSchema>;
+/**
+ * Schema for encoding share link data.
+ */
+declare const ShareSchemaSchema: z.ZodEnum<["base64", "compact", "ipfs"]>;
+type ShareSchema = z.infer<typeof ShareSchemaSchema>;
+/**
+ * A shareable link containing delegation credentials.
+ */
+declare const ShareLinkSchema: z.ZodObject<{
+    /** Unique token identifying this share link */
+    token: z.ZodString;
+    /** Full URL for sharing */
+    url: z.ZodString;
+    /** The delegation this link grants access to */
+    delegation: z.ZodObject<{
+        /** Content identifier (CID) of the delegation */
+        cid: z.ZodString;
+        /** DID of the delegate (the party receiving the delegation) */
+        delegateDID: z.ZodString;
+        /** Space ID this delegation applies to */
+        spaceId: z.ZodString;
+        /** Resource path this delegation grants access to */
+        path: z.ZodString;
+        /** Actions this delegation authorizes */
+        actions: z.ZodArray<z.ZodString, "many">;
+        /** When this delegation expires (accepts Date or ISO string from JSON) */
+        expiry: z.ZodDate;
+        /** Whether this delegation has been revoked */
+        isRevoked: z.ZodBoolean;
+        /** DID of the delegator (the party granting the delegation) */
+        delegatorDID: z.ZodOptional<z.ZodString>;
+        /** When this delegation was created (accepts Date or ISO string from JSON) */
+        createdAt: z.ZodOptional<z.ZodDate>;
+        /** Parent delegation CID if this is a sub-delegation */
+        parentCid: z.ZodOptional<z.ZodString>;
+        /** Whether sub-delegation is allowed */
+        allowSubDelegation: z.ZodOptional<z.ZodBoolean>;
+        /** Authorization header (UCAN bearer token) */
+        authHeader: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        path: string;
+        spaceId: string;
+        cid: string;
+        delegateDID: string;
+        actions: string[];
+        expiry: Date;
+        isRevoked: boolean;
+        createdAt?: Date | undefined;
+        delegatorDID?: string | undefined;
+        parentCid?: string | undefined;
+        allowSubDelegation?: boolean | undefined;
+        authHeader?: string | undefined;
+    }, {
+        path: string;
+        spaceId: string;
+        cid: string;
+        delegateDID: string;
+        actions: string[];
+        expiry: Date;
+        isRevoked: boolean;
+        createdAt?: Date | undefined;
+        delegatorDID?: string | undefined;
+        parentCid?: string | undefined;
+        allowSubDelegation?: boolean | undefined;
+        authHeader?: string | undefined;
+    }>;
+    /** Encoding schema used for the link */
+    schema: z.ZodEnum<["base64", "compact", "ipfs"]>;
+    /** When this share link expires */
+    expiresAt: z.ZodOptional<z.ZodDate>;
+    /** Human-readable description of what is being shared */
+    description: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    url: string;
+    delegation: {
+        path: string;
+        spaceId: string;
+        cid: string;
+        delegateDID: string;
+        actions: string[];
+        expiry: Date;
+        isRevoked: boolean;
+        createdAt?: Date | undefined;
+        delegatorDID?: string | undefined;
+        parentCid?: string | undefined;
+        allowSubDelegation?: boolean | undefined;
+        authHeader?: string | undefined;
+    };
+    token: string;
+    schema: "base64" | "compact" | "ipfs";
+    expiresAt?: Date | undefined;
+    description?: string | undefined;
+}, {
+    url: string;
+    delegation: {
+        path: string;
+        spaceId: string;
+        cid: string;
+        delegateDID: string;
+        actions: string[];
+        expiry: Date;
+        isRevoked: boolean;
+        createdAt?: Date | undefined;
+        delegatorDID?: string | undefined;
+        parentCid?: string | undefined;
+        allowSubDelegation?: boolean | undefined;
+        authHeader?: string | undefined;
+    };
+    token: string;
+    schema: "base64" | "compact" | "ipfs";
+    expiresAt?: Date | undefined;
+    description?: string | undefined;
+}>;
+type ShareLink = z.infer<typeof ShareLinkSchema>;
+type ShareLinkData<T = unknown> = {
+    data: T;
+    delegation: Delegation;
+    spaceId: string;
+    path: string;
+};
+/**
+ * Options for ingesting an external delegation.
+ */
+declare const IngestOptionsSchema: z.ZodObject<{
+    /** Whether to persist the delegation to storage */
+    persist: z.ZodOptional<z.ZodBoolean>;
+    /** Whether to validate the full delegation chain */
+    validateChain: z.ZodOptional<z.ZodBoolean>;
+    /** Name for the ingested key */
+    keyName: z.ZodOptional<z.ZodString>;
+    /** Whether to create a session key for this delegation */
+    createSessionKey: z.ZodOptional<z.ZodBoolean>;
+    /** Override the priority for the ingested key */
+    priority: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    priority?: number | undefined;
+    persist?: boolean | undefined;
+    validateChain?: boolean | undefined;
+    keyName?: string | undefined;
+    createSessionKey?: boolean | undefined;
+}, {
+    priority?: number | undefined;
+    persist?: boolean | undefined;
+    validateChain?: boolean | undefined;
+    keyName?: string | undefined;
+    createSessionKey?: boolean | undefined;
+}>;
+type IngestOptions = z.infer<typeof IngestOptionsSchema>;
+/**
+ * Parameters for generating a share link.
+ */
+declare const GenerateShareParamsSchema: z.ZodObject<{
+    /** Resource path to share */
+    path: z.ZodString;
+    /** Actions to authorize */
+    actions: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    /** When the share link expires */
+    expiry: z.ZodOptional<z.ZodDate>;
+    /** Encoding schema for the link */
+    schema: z.ZodOptional<z.ZodEnum<["base64", "compact", "ipfs"]>>;
+    /** Human-readable description */
+    description: z.ZodOptional<z.ZodString>;
+    /** Base URL for the share link */
+    baseUrl: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    path: string;
+    actions?: string[] | undefined;
+    expiry?: Date | undefined;
+    schema?: "base64" | "compact" | "ipfs" | undefined;
+    description?: string | undefined;
+    baseUrl?: string | undefined;
+}, {
+    path: string;
+    actions?: string[] | undefined;
+    expiry?: Date | undefined;
+    schema?: "base64" | "compact" | "ipfs" | undefined;
+    description?: string | undefined;
+    baseUrl?: string | undefined;
+}>;
+type GenerateShareParams = z.infer<typeof GenerateShareParamsSchema>;
+/**
+ * Configuration for DelegationManager.
+ * Note: ServiceSession, InvokeFunction, and FetchFunction are external types.
+ */
+declare const DelegationManagerConfigSchema: z.ZodObject<{
+    /** TinyCloud host URLs */
+    hosts: z.ZodArray<z.ZodString, "many">;
+    /** Active session for authentication */
+    session: z.ZodEffects<z.ZodUnknown, ServiceSession, unknown>;
+    /** Platform-specific invoke function */
+    invoke: z.ZodEffects<z.ZodUnknown, InvokeFunction, unknown>;
+    /** Optional custom fetch implementation */
+    fetch: z.ZodOptional<z.ZodEffects<z.ZodUnknown, FetchFunction, unknown>>;
+}, "strip", z.ZodTypeAny, {
+    session: ServiceSession;
+    hosts: string[];
+    invoke: InvokeFunction;
+    fetch?: FetchFunction | undefined;
+}, {
+    hosts: string[];
+    session?: unknown;
+    invoke?: unknown;
+    fetch?: unknown;
+}>;
+type DelegationManagerConfig = z.infer<typeof DelegationManagerConfigSchema>;
+/**
+ * Provider interface for cryptographic key operations.
+ */
+declare const KeyProviderSchema: z.ZodObject<{
+    /** Generate a new session key, returns key ID */
+    createSessionKey: z.ZodEffects<z.ZodUnknown, (name: string) => Promise<string>, unknown>;
+    /** Get JWK for a key */
+    getJWK: z.ZodEffects<z.ZodUnknown, (keyId: string) => object, unknown>;
+    /** Get DID for a key */
+    getDID: z.ZodEffects<z.ZodUnknown, (keyId: string) => Promise<string>, unknown>;
+}, "strip", z.ZodTypeAny, {
+    createSessionKey: (name: string) => Promise<string>;
+    getJWK: (keyId: string) => object;
+    getDID: (keyId: string) => Promise<string>;
+}, {
+    createSessionKey?: unknown;
+    getJWK?: unknown;
+    getDID?: unknown;
+}>;
+type KeyProvider = z.infer<typeof KeyProviderSchema>;
+/**
+ * Response from the delegation API.
+ */
+declare const DelegationApiResponseSchema: z.ZodObject<{
+    /** SIWE message content */
+    siwe: z.ZodString;
+    /** Signature of the SIWE message */
+    signature: z.ZodString;
+    /** Delegation version */
+    version: z.ZodNumber;
+    /** CID of the created delegation */
+    cid: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    siwe: string;
+    signature: string;
+    version: number;
+    cid?: string | undefined;
+}, {
+    siwe: string;
+    signature: string;
+    version: number;
+    cid?: string | undefined;
+}>;
+type DelegationApiResponse = z.infer<typeof DelegationApiResponseSchema>;
+/**
+ * Input parameters for the createDelegation WASM function.
+ */
+declare const CreateDelegationWasmParamsSchema: z.ZodObject<{
+    /** The session containing delegation credentials */
+    session: z.ZodEffects<z.ZodUnknown, ServiceSession, unknown>;
+    /** DID of the delegate */
+    delegateDID: z.ZodString;
+    /** Space ID this delegation applies to */
+    spaceId: z.ZodString;
+    /** Resource path this delegation grants access to */
+    path: z.ZodString;
+    /** Actions to authorize */
+    actions: z.ZodArray<z.ZodString, "many">;
+    /** Expiration time in seconds since Unix epoch */
+    expirationSecs: z.ZodNumber;
+    /** Optional not-before time in seconds since Unix epoch */
+    notBeforeSecs: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    path: string;
+    spaceId: string;
+    session: ServiceSession;
+    delegateDID: string;
+    actions: string[];
+    expirationSecs: number;
+    notBeforeSecs?: number | undefined;
+}, {
+    path: string;
+    spaceId: string;
+    delegateDID: string;
+    actions: string[];
+    expirationSecs: number;
+    session?: unknown;
+    notBeforeSecs?: number | undefined;
+}>;
+type CreateDelegationWasmParams = z.infer<typeof CreateDelegationWasmParamsSchema>;
+/**
+ * Result from the createDelegation WASM function.
+ */
+declare const CreateDelegationWasmResultSchema: z.ZodObject<{
+    /** Base64url-encoded UCAN delegation */
+    delegation: z.ZodString;
+    /** CID of the delegation */
+    cid: z.ZodString;
+    /** DID of the delegate */
+    delegateDID: z.ZodString;
+    /** Resource path the delegation grants access to */
+    path: z.ZodString;
+    /** Actions the delegation authorizes */
+    actions: z.ZodArray<z.ZodString, "many">;
+    /** Expiration time */
+    expiry: z.ZodDate;
+}, "strip", z.ZodTypeAny, {
+    path: string;
+    delegation: string;
+    cid: string;
+    delegateDID: string;
+    actions: string[];
+    expiry: Date;
+}, {
+    path: string;
+    delegation: string;
+    cid: string;
+    delegateDID: string;
+    actions: string[];
+    expiry: Date;
+}>;
+type CreateDelegationWasmResult = z.infer<typeof CreateDelegationWasmResultSchema>;
+
+/**
+ * CapabilityKeyRegistry - Tracks keys and their capabilities for automatic key selection.
+ *
+ * The registry maintains mappings between:
+ * - Keys and their associated delegations
+ * - Capabilities (resource/action pairs) and the keys that can exercise them
+ *
+ * This enables automatic key selection when performing operations, choosing
+ * the most appropriate key based on priority and validity.
+ *
+ * @packageDocumentation
+ */
+
+/**
+ * Error codes specific to CapabilityKeyRegistry operations.
+ */
+declare const CapabilityKeyRegistryErrorCodes: {
+    /** Key not found in registry */
+    readonly KEY_NOT_FOUND: "KEY_NOT_FOUND";
+    /** No key available for the requested capability */
+    readonly NO_CAPABLE_KEY: "NO_CAPABLE_KEY";
+    /** Delegation has expired */
+    readonly DELEGATION_EXPIRED: "DELEGATION_EXPIRED";
+    /** Delegation has been revoked */
+    readonly DELEGATION_REVOKED: "DELEGATION_REVOKED";
+    /** Invalid delegation data */
+    readonly INVALID_DELEGATION: "INVALID_DELEGATION";
+    /** Key already registered */
+    readonly KEY_EXISTS: "KEY_EXISTS";
+};
+type CapabilityKeyRegistryErrorCode = (typeof CapabilityKeyRegistryErrorCodes)[keyof typeof CapabilityKeyRegistryErrorCodes];
+/**
+ * Stored delegation with chain information.
+ */
+interface StoredDelegationChain {
+    /** The delegation itself */
+    delegation: Delegation;
+    /** Parent delegation CID if this is a sub-delegation */
+    parentCid?: string;
+    /** Key ID used to sign/exercise this delegation */
+    keyId: string;
+    /** When this was stored */
+    storedAt: Date;
+}
+/**
+ * Interface for the CapabilityKeyRegistry.
+ *
+ * Tracks keys and their capabilities for automatic key selection.
+ */
+interface ICapabilityKeyRegistry {
+    /**
+     * Register a key with its associated delegations.
+     *
+     * @param key - Key information
+     * @param delegations - Delegations granted to this key
+     */
+    registerKey(key: KeyInfo, delegations: Delegation[]): void;
+    /**
+     * Remove a key and all its associated delegations.
+     *
+     * @param keyId - The key ID to remove
+     */
+    removeKey(keyId: string): void;
+    /**
+     * Get a key that can exercise the specified capability.
+     *
+     * Uses the key selection algorithm:
+     * 1. Filter keys that have the required capability
+     * 2. Check delegation validity (not expired, not revoked)
+     * 3. Sort by priority (session=0, main=1, ingested=2)
+     * 4. Return highest priority valid key
+     *
+     * @param resource - Resource URI (e.g., "tinycloud://space-id/kv/my-data")
+     * @param action - Action to perform (e.g., "tinycloud.kv/get")
+     * @returns The best matching key, or null if none available
+     */
+    getKeyForCapability(resource: string, action: string): KeyInfo | null;
+    /**
+     * Get all registered capabilities.
+     *
+     * @returns All capability entries in the registry
+     */
+    getAllCapabilities(): CapabilityEntry[];
+    /**
+     * Get all delegations for a specific key.
+     *
+     * @param keyId - The key ID
+     * @returns Array of delegations for this key
+     */
+    getDelegationsForKey(keyId: string): Delegation[];
+    /**
+     * Ingest a key and delegation from an external source (e.g., sharing link).
+     *
+     * @param key - Key information to ingest
+     * @param delegation - Delegation to associate with the key
+     * @param options - Ingestion options
+     */
+    ingestKey(key: KeyInfo, delegation: Delegation, options?: IngestOptions): void;
+    /**
+     * Check if a delegation is currently valid.
+     *
+     * @param delegation - The delegation to check
+     * @returns true if valid, false if expired or revoked
+     */
+    isDelegationValid(delegation: Delegation): boolean;
+    /**
+     * Get a key by its ID.
+     *
+     * @param keyId - The key ID
+     * @returns The key info, or undefined if not found
+     */
+    getKey(keyId: string): KeyInfo | undefined;
+    /**
+     * Get all registered keys.
+     *
+     * @returns Array of all registered keys
+     */
+    getAllKeys(): KeyInfo[];
+    /**
+     * Clear all registered keys and delegations.
+     */
+    clear(): void;
+    /**
+     * Revoke a delegation by CID.
+     *
+     * @param cid - The delegation CID to revoke
+     * @returns Result indicating success or failure
+     */
+    revokeDelegation(cid: string): Result$1<void, ServiceError>;
+    /**
+     * Find capabilities that match a resource path pattern.
+     *
+     * @param resourcePattern - Resource pattern (supports wildcards)
+     * @param action - Optional action filter
+     * @returns Matching capability entries
+     */
+    findCapabilities(resourcePattern: string, action?: string): CapabilityEntry[];
+}
+/**
+ * CapabilityKeyRegistry - Tracks keys and their capabilities for automatic key selection.
+ *
+ * @example
+ * ```typescript
+ * const registry = new CapabilityKeyRegistry();
+ *
+ * // Register a session key with its delegations
+ * registry.registerKey(sessionKey, [rootDelegation]);
+ *
+ * // Get the best key for an operation
+ * const key = registry.getKeyForCapability(
+ *   "tinycloud://my-space/kv/data",
+ *   "tinycloud.kv/get"
+ * );
+ *
+ * if (key) {
+ *   // Use this key for the operation
+ *   console.log("Using key:", key.id);
+ * }
+ * ```
+ */
+declare class CapabilityKeyRegistry implements ICapabilityKeyRegistry {
+    /**
+     * Registry of all keys indexed by ID.
+     */
+    private keys;
+    /**
+     * Delegation storage.
+     */
+    private store;
+    /**
+     * Register a key with its associated delegations.
+     *
+     * @param key - Key information
+     * @param delegations - Delegations granted to this key
+     */
+    registerKey(key: KeyInfo, delegations: Delegation[]): void;
+    /**
+     * Remove a key and all its associated delegations.
+     *
+     * @param keyId - The key ID to remove
+     */
+    removeKey(keyId: string): void;
+    /**
+     * Get a key that can exercise the specified capability.
+     *
+     * Key selection algorithm:
+     * 1. Filter keys that have the required capability
+     * 2. Check delegation validity (not expired, not revoked)
+     * 3. Sort by priority (session=0, main=1, ingested=2)
+     * 4. Return highest priority valid key
+     *
+     * @param resource - Resource URI
+     * @param action - Action to perform
+     * @returns The best matching key, or null if none available
+     */
+    getKeyForCapability(resource: string, action: string): KeyInfo | null;
+    /**
+     * Get all registered capabilities.
+     *
+     * @returns All capability entries in the registry
+     */
+    getAllCapabilities(): CapabilityEntry[];
+    /**
+     * Get all delegations for a specific key.
+     *
+     * @param keyId - The key ID
+     * @returns Array of delegations for this key
+     */
+    getDelegationsForKey(keyId: string): Delegation[];
+    /**
+     * Ingest a key and delegation from an external source.
+     *
+     * @param key - Key information to ingest
+     * @param delegation - Delegation to associate with the key
+     * @param options - Ingestion options
+     */
+    ingestKey(key: KeyInfo, delegation: Delegation, options?: IngestOptions): void;
+    /**
+     * Check if a delegation is currently valid.
+     *
+     * @param delegation - The delegation to check
+     * @returns true if valid, false if expired or revoked
+     */
+    isDelegationValid(delegation: Delegation): boolean;
+    /**
+     * Get a key by its ID.
+     *
+     * @param keyId - The key ID
+     * @returns The key info, or undefined if not found
+     */
+    getKey(keyId: string): KeyInfo | undefined;
+    /**
+     * Get all registered keys.
+     *
+     * @returns Array of all registered keys
+     */
+    getAllKeys(): KeyInfo[];
+    /**
+     * Clear all registered keys and delegations.
+     */
+    clear(): void;
+    /**
+     * Revoke a delegation by CID.
+     *
+     * @param cid - The delegation CID to revoke
+     * @returns Result indicating success or failure
+     */
+    revokeDelegation(cid: string): Result$1<void, ServiceError>;
+    /**
+     * Find capabilities that match a resource path pattern.
+     *
+     * @param resourcePattern - Resource pattern (supports wildcards)
+     * @param action - Optional action filter
+     * @returns Matching capability entries
+     */
+    findCapabilities(resourcePattern: string, action?: string): CapabilityEntry[];
+    /**
+     * Add a delegation to the store.
+     *
+     * @param key - The key associated with this delegation
+     * @param delegation - The delegation to add
+     */
+    private addDelegation;
+    /**
+     * Create a capability key for indexing.
+     *
+     * @param resource - Resource path
+     * @param action - Action
+     * @returns Combined key string
+     */
+    private makeCapabilityKey;
+    /**
+     * Find capability entries that match a resource and action.
+     *
+     * @param resource - Resource to match
+     * @param action - Action to match
+     * @returns Matching entries
+     */
+    private findMatchingEntries;
+    /**
+     * Check if an action pattern matches a specific action.
+     *
+     * @param pattern - Action pattern (may include wildcard like "tinycloud.kv/*")
+     * @param action - Specific action to check
+     * @returns true if pattern matches action
+     */
+    private actionMatches;
+    /**
+     * Check if a resource matches a pattern.
+     *
+     * Patterns support:
+     * - Exact match: "/kv/data" matches "/kv/data"
+     * - Wildcard suffix: "/kv/*" matches "/kv/anything"
+     * - Double wildcard: "/kv/**" matches "/kv/any/nested/path"
+     *
+     * @param resource - The specific resource being accessed
+     * @param pattern - The pattern from the delegation
+     * @returns true if resource matches pattern
+     */
+    private resourceMatchesPattern;
+    /**
+     * Check if a specific resource matches a resource pattern for searching.
+     *
+     * @param entryResource - The resource from a capability entry
+     * @param searchPattern - The pattern to search for
+     * @returns true if entry resource matches search pattern
+     */
+    private matchesResourcePattern;
+}
+/**
+ * Create a new CapabilityKeyRegistry instance.
+ *
+ * @returns A new registry instance
+ */
+declare function createCapabilityKeyRegistry(): ICapabilityKeyRegistry;
+
+/**
+ * SignStrategy types for TinyCloud authorization.
+ *
+ * These types define how sign requests are handled across different
+ * SDK implementations (web-sdk, node-sdk). The pattern allows for
+ * automatic signing, rejection, callback-based approval, or event-driven
+ * workflows.
+ *
+ * @packageDocumentation
+ */
+/**
+ * Sign request passed to callback or event handlers.
+ */
+interface SignRequest {
+    /** Ethereum address of the signer */
+    address: string;
+    /** Chain ID for the signing context */
+    chainId: number;
+    /** Message to be signed */
+    message: string;
+    /** Type of sign operation */
+    type: "siwe" | "message";
+}
+/**
+ * Sign response from callback or event handlers.
+ */
+interface SignResponse {
+    /** Whether the sign request was approved */
+    approved: boolean;
+    /** The signature if approved */
+    signature?: string;
+    /** Reason for rejection if not approved */
+    reason?: string;
+}
+/**
+ * Callback handler type for sign requests.
+ */
+type SignCallback = (request: SignRequest) => Promise<SignResponse>;
+/**
+ * Auto-sign strategy: automatically signs all requests.
+ *
+ * Use cases:
+ * - Trusted backend services
+ * - Automated scripts
+ * - CI/CD pipelines
+ *
+ * @example
+ * ```typescript
+ * const strategy: AutoSignStrategy = { type: 'auto-sign' };
+ * ```
+ */
+interface AutoSignStrategy {
+    type: "auto-sign";
+}
+/**
+ * Auto-reject strategy: rejects all sign requests.
+ *
+ * Use cases:
+ * - Read-only applications
+ * - Testing rejection flows
+ *
+ * @example
+ * ```typescript
+ * const strategy: AutoRejectStrategy = { type: 'auto-reject' };
+ * ```
+ */
+interface AutoRejectStrategy {
+    type: "auto-reject";
+}
+/**
+ * Callback strategy: delegates sign decisions to a callback function.
+ *
+ * Use cases:
+ * - CLI applications with user prompts
+ * - Custom approval workflows
+ * - Interactive sign flows
+ *
+ * @example
+ * ```typescript
+ * const strategy: CallbackStrategy = {
+ *   type: 'callback',
+ *   handler: async (req) => {
+ *     const approved = await promptUser(`Sign message for ${req.address}?`);
+ *     return { approved, signature: approved ? await signer.sign(req.message) : undefined };
+ *   }
+ * };
+ * ```
+ */
+interface CallbackStrategy {
+    type: "callback";
+    handler: SignCallback;
+}
+/**
+ * Event emitter strategy: emits sign requests as events.
+ *
+ * Uses EventTarget for cross-platform compatibility (browser + Node.js).
+ *
+ * Events emitted:
+ * - 'sign-request': When a sign request is received
+ *
+ * Use cases:
+ * - Async approval workflows
+ * - External signing services
+ * - Multi-step authorization flows
+ *
+ * @example
+ * ```typescript
+ * const emitter = new EventTarget();
+ * const strategy: EventEmitterStrategy = { type: 'event-emitter', emitter };
+ *
+ * emitter.addEventListener('sign-request', async (event) => {
+ *   const { request, respond } = (event as CustomEvent).detail;
+ *   const approved = await externalApprovalService.check(request);
+ *   respond({ approved, signature: approved ? await sign(request.message) : undefined });
+ * });
+ * ```
+ */
+interface EventEmitterStrategy {
+    type: "event-emitter";
+    emitter: EventTarget;
+    /** Timeout in milliseconds for waiting on event response (default: 60000) */
+    timeout?: number;
+}
+/**
+ * Sign strategy union type.
+ *
+ * Determines how sign requests are handled in UserAuthorization implementations.
+ */
+type SignStrategy = AutoSignStrategy | AutoRejectStrategy | CallbackStrategy | EventEmitterStrategy;
+/**
+ * Default sign strategy is auto-sign for convenience.
+ */
+declare const defaultSignStrategy: SignStrategy;
+
+/**
+ * Space creation handler types for TinyCloud authorization.
+ *
+ * These types abstract space creation confirmation, allowing different
+ * implementations for web (modal) vs node (auto-approve) environments.
+ *
+ * @packageDocumentation
+ */
+/**
+ * Context passed to space creation handlers.
+ */
+interface SpaceCreationContext {
+    /** The unique identifier for the space being created */
+    spaceId: string;
+    /** Ethereum address of the user creating the space */
+    address: string;
+    /** Chain ID for the creation context */
+    chainId: number;
+    /** Host URL where the space will be created */
+    host: string;
+}
+/**
+ * Interface for handling space creation confirmation.
+ *
+ * Implementations can provide different UX patterns:
+ * - Auto-approve for backend services
+ * - Modal confirmation for web apps
+ * - CLI prompts for terminal apps
+ *
+ * @example
+ * ```typescript
+ * class ModalSpaceCreationHandler implements ISpaceCreationHandler {
+ *   async confirmSpaceCreation(context: SpaceCreationContext): Promise<boolean> {
+ *     return await showConfirmationModal(`Create space ${context.spaceId}?`);
+ *   }
+ *
+ *   onSpaceCreated(context: SpaceCreationContext): void {
+ *     showToast(`Space ${context.spaceId} created!`);
+ *   }
+ *
+ *   onSpaceCreationFailed(context: SpaceCreationContext, error: Error): void {
+ *     showErrorModal(`Failed to create space: ${error.message}`);
+ *   }
+ * }
+ * ```
+ */
+interface ISpaceCreationHandler {
+    /**
+     * Called when a new space needs to be created.
+     * Returns true if space should be created, false to skip.
+     *
+     * @param context - Information about the space to be created
+     * @returns Promise resolving to true to proceed, false to cancel
+     */
+    confirmSpaceCreation(context: SpaceCreationContext): Promise<boolean>;
+    /**
+     * Called after successful space creation.
+     * Optional - implement to show success UI or perform cleanup.
+     *
+     * @param context - Information about the created space
+     */
+    onSpaceCreated?(context: SpaceCreationContext): void;
+    /**
+     * Called if space creation fails.
+     * Optional - implement to show error UI or perform recovery.
+     *
+     * @param context - Information about the space that failed to create
+     * @param error - The error that occurred
+     */
+    onSpaceCreationFailed?(context: SpaceCreationContext, error: Error): void;
+}
+/**
+ * Default handler that auto-approves all space creation.
+ *
+ * Use cases:
+ * - Backend services
+ * - Automated scripts
+ * - Node.js applications without UI
+ *
+ * @example
+ * ```typescript
+ * const handler = new AutoApproveSpaceCreationHandler();
+ * const config = { spaceCreationHandler: handler };
+ * ```
+ */
+declare class AutoApproveSpaceCreationHandler implements ISpaceCreationHandler {
+    /**
+     * Always returns true to auto-approve space creation.
+     */
+    confirmSpaceCreation(): Promise<boolean>;
+}
+/**
+ * Default space creation handler that auto-approves all requests.
+ */
+declare const defaultSpaceCreationHandler: ISpaceCreationHandler;
+
+/**
+ * Interface for an extension to TCW.
+ * This is the platform-agnostic subset — browser-coupled extensions
+ * (IConnected, ConfigOverrides, ExtraFields) live in web-sdk/providers.
+ */
+interface Extension {
+    /** [recap] Capability namespace. */
+    namespace?: string;
+    /** [recap] Default delegated actions in capability namespace. */
+    defaultActions?(): Promise<string[]>;
+    /** [recap] Delegated actions by target in capability namespace. */
+    targetedActions?(): Promise<{
+        [target: string]: string[];
+    }>;
+    /** [recap] Extra metadata to help validate the capability. */
+    extraFields?(): Promise<Record<string, unknown>>;
+    /** Hook to run after TCW has signed in. */
+    afterSignIn?(session: ClientSession): Promise<void>;
+}
+/**
+ * Partial SIWE message for overrides.
+ */
+interface PartialSiweMessage extends Partial<SiweConfig> {
+    address?: string;
+    chainId?: number;
+    uri?: string;
+    version?: string;
+}
+/**
+ * Platform-agnostic user authorization interface.
+ *
+ * This interface defines how users authenticate and manage sessions.
+ * Implementations differ by platform:
+ * - WebUserAuthorization: Browser with wallet popups
+ * - NodeUserAuthorization: Node.js with configurable sign strategies
+ */
+interface IUserAuthorization {
+    /**
+     * The current active session, if signed in.
+     */
+    session?: ClientSession;
+    /**
+     * Add an extension to the authorization flow.
+     * Extensions can add capabilities and lifecycle hooks.
+     */
+    extend(extension: Extension): void;
+    /**
+     * Sign in and create a new session.
+     * This will prompt for wallet signature (browser) or use configured strategy (node).
+     * @returns The new session
+     */
+    signIn(): Promise<ClientSession>;
+    /**
+     * Sign out and clear the current session.
+     */
+    signOut(): Promise<void>;
+    /**
+     * Get the current wallet/signer address.
+     * @returns Address or undefined if not connected
+     */
+    address(): string | undefined;
+    /**
+     * Get the current chain ID.
+     * @returns Chain ID or undefined if not connected
+     */
+    chainId(): number | undefined;
+    /**
+     * Sign a message with the connected wallet/signer.
+     * @param message - Message to sign
+     * @returns Signature hex string
+     */
+    signMessage(message: string): Promise<string>;
+    /**
+     * Get the current space ID.
+     * @returns Space ID or undefined if not available
+     */
+    getSpaceId?(): string | undefined;
+    /**
+     * Ensure the user's space exists on the TinyCloud server.
+     * Creates the space if it doesn't exist (when autoCreateSpace is true).
+     * This is called automatically during sign-in but can be invoked manually.
+     */
+    ensureSpaceExists?(): Promise<void>;
+}
+/**
+ * Configuration for creating a UserAuthorization instance.
+ */
+interface UserAuthorizationConfig {
+    /** The signer to use for signing */
+    signer: ISigner;
+    /** Session storage implementation */
+    sessionStorage?: ISessionStorage;
+    /** Default SIWE configuration */
+    siweConfig?: SiweConfig;
+    /** Domain for SIWE messages */
+    domain?: string;
+    /** Extensions to apply */
+    extensions?: Extension[];
+    /** Strategy for handling sign requests (default: auto-sign for node, callback for web) */
+    signStrategy?: SignStrategy;
+    /** Handler for space creation confirmation (default: AutoApproveSpaceCreationHandler) */
+    spaceCreationHandler?: ISpaceCreationHandler;
+    /** Whether to automatically create space if it doesn't exist */
+    autoCreateSpace?: boolean;
+    /** Space name prefix (default: "default") */
+    spacePrefix?: string;
+    /** TinyCloud host URLs */
+    tinycloudHosts?: string[];
+    /** Session expiration in milliseconds */
+    sessionExpirationMs?: number;
+}
+
+/**
+ * Configuration for the TinyCloud SDK.
+ */
+interface TinyCloudConfig {
+    /** Whether to automatically resolve ENS names */
+    resolveEns?: boolean;
+    /**
+     * TinyCloud host URLs.
+     * Required when using services.
+     */
+    hosts?: string[];
+    /**
+     * Platform-specific invoke function from WASM binding.
+     * Required when using services.
+     */
+    invoke?: InvokeFunction;
+    /**
+     * Custom fetch implementation.
+     * Defaults to globalThis.fetch.
+     */
+    fetch?: FetchFunction;
+    /**
+     * Service constructors to register.
+     * Built-in services (like KVService) are registered by default unless overridden.
+     *
+     * @example
+     * ```typescript
+     * services: {
+     *   kv: KVService,  // default
+     *   files: MyFileService,  // custom
+     * }
+     * ```
+     */
+    services?: Record<string, ServiceConstructor>;
+    /**
+     * Per-service configuration.
+     *
+     * @example
+     * ```typescript
+     * serviceConfigs: {
+     *   kv: { prefix: 'myapp' },
+     *   files: { maxSize: 10_000_000 },
+     * }
+     * ```
+     */
+    serviceConfigs?: Record<string, Record<string, unknown>>;
+    /**
+     * Retry policy for service operations.
+     */
+    retryPolicy?: Partial<RetryPolicy>;
+}
+/**
+ * TinyCloud SDK - Unified entry point for web and node.
+ *
+ * This class provides the main SDK interface. Platform-specific behavior
+ * is injected through the IUserAuthorization implementation:
+ * - WebUserAuthorization for browser environments
+ * - NodeUserAuthorization for Node.js environments
+ *
+ * @example
+ * ```typescript
+ * // Web usage
+ * import { TinyCloud } from '@tinycloud/sdk-core';
+ * import { WebUserAuthorization } from '@tinycloud/web-sdk';
+ *
+ * const auth = new WebUserAuthorization({ ... });
+ * const tc = new TinyCloud(auth);
+ * await tc.signIn();
+ * const result = await tc.kv.put('key', 'value');
+ *
+ * // Node usage
+ * import { TinyCloud } from '@tinycloud/sdk-core';
+ * import { NodeUserAuthorization, PrivateKeySigner } from '@tinycloud/node-sdk';
+ *
+ * const signer = new PrivateKeySigner(process.env.PRIVATE_KEY);
+ * const auth = new NodeUserAuthorization({
+ *   signStrategy: { type: 'auto-sign' },
+ *   signer,
+ *   domain: 'api.myapp.com'
+ * });
+ * const tc = new TinyCloud(auth);
+ * await tc.signIn();
+ * ```
+ */
+declare class TinyCloud {
+    /**
+     * User authorization handler.
+     * Provides authentication and signing capabilities.
+     */
+    readonly userAuthorization: IUserAuthorization;
+    /**
+     * SDK configuration.
+     */
+    private config;
+    /**
+     * Registered extensions.
+     */
+    private extensions;
+    /**
+     * Service context providing platform dependencies to services.
+     */
+    private _serviceContext?;
+    /**
+     * Registered services by name.
+     */
+    private _services;
+    /**
+     * Whether services have been initialized.
+     */
+    private _servicesInitialized;
+    /**
+     * Create a new TinyCloud SDK instance.
+     *
+     * @param userAuthorization - Platform-specific authorization implementation
+     * @param config - Optional SDK configuration
+     */
+    constructor(userAuthorization: IUserAuthorization, config?: TinyCloudConfig);
+    /**
+     * Initialize services with platform dependencies.
+     * Must be called before using services.
+     *
+     * @param invoke - Platform-specific invoke function from WASM binding
+     * @param hosts - TinyCloud host URLs (optional, uses config.hosts)
+     * @param fetchFn - Custom fetch implementation (optional)
+     */
+    initializeServices(invoke?: InvokeFunction, hosts?: string[], fetchFn?: FetchFunction): void;
+    /**
+     * Get the service context.
+     * @throws Error if services are not initialized
+     */
+    get serviceContext(): IServiceContext;
+    /**
+     * Get a registered service by name.
+     *
+     * @param name - Service name (e.g., 'kv')
+     * @returns The service instance or undefined
+     */
+    getService<T extends IService>(name: string): T | undefined;
+    /**
+     * Get the KV service.
+     * @throws Error if services are not initialized
+     */
+    get kv(): IKVService;
+    /**
+     * Get the SQL service.
+     * @throws Error if services are not initialized
+     */
+    get sql(): ISQLService;
+    /**
+     * Get the DuckDB service.
+     * @throws Error if services are not initialized
+     */
+    get duckdb(): IDuckDbService;
+    /**
+     * Get the Data Vault service.
+     * @throws Error if services are not initialized or vault service is not registered
+     */
+    get vault(): IDataVaultService;
+    /**
+     * Notify services of session change.
+     * Called internally after sign-in and sign-out.
+     *
+     * @param session - The new session, or null if signed out
+     */
+    private notifyServicesOfSessionChange;
+    /**
+     * Abort all pending service operations.
+     * Called internally before sign-out.
+     */
+    private abortServiceOperations;
+    /**
+     * Convert ClientSession to ServiceSession.
+     * Returns null if session lacks required fields.
+     */
+    private toServiceSession;
+    /**
+     * Add an extension to the SDK.
+     * Extensions can add capabilities and lifecycle hooks.
+     */
+    extend(extension: Extension): void;
+    /**
+     * Check if an extension is enabled.
+     * @param namespace - The extension namespace to check
+     */
+    isExtensionEnabled(namespace: string): boolean;
+    /**
+     * Get the current session, if signed in.
+     */
+    get session(): ClientSession | undefined;
+    /**
+     * Check if the user is signed in.
+     */
+    get isSignedIn(): boolean;
+    /**
+     * Sign in and create a new session.
+     * Notifies services of the new session after successful sign-in.
+     * @returns The new session
+     */
+    signIn(): Promise<ClientSession>;
+    /**
+     * Sign out and clear the current session.
+     * Aborts pending service operations and notifies services.
+     */
+    signOut(): Promise<void>;
+    /**
+     * Get the current wallet address.
+     */
+    address(): string | undefined;
+    /**
+     * Get the current chain ID.
+     */
+    chainId(): number | undefined;
+    /**
+     * Sign a message with the connected wallet.
+     * @param message - Message to sign
+     */
+    signMessage(message: string): Promise<string>;
+    /**
+     * Cached public KV service instance.
+     */
+    private _publicKV?;
+    /**
+     * Construct the deterministic public space ID for a given address and chain ID.
+     *
+     * @param address - Ethereum address (0x-prefixed)
+     * @param chainId - Chain ID (e.g., 1 for mainnet)
+     * @returns The public space ID
+     */
+    static makePublicSpaceId(address: string, chainId: number): string;
+    /**
+     * Ensure the user's public space exists.
+     * Creates it via spaces.create('public') if it doesn't.
+     * Called automatically by modules that need to publish data.
+     *
+     * Requires the user to be signed in and services to be initialized.
+     */
+    ensurePublicSpace(): Promise<Result$1<void, ServiceError>>;
+    /**
+     * Get a KVService scoped to the user's own public space.
+     * Writes require authentication (owner/delegate).
+     *
+     * @throws Error if not signed in or services not initialized
+     */
+    get publicKV(): IKVService;
+    /**
+     * Read from any user's public space (unauthenticated).
+     * Uses the public REST endpoint — no session needed.
+     *
+     * @param host - TinyCloud server URL (e.g., "https://node.tinycloud.xyz")
+     * @param spaceId - Full public space ID
+     * @param key - Key to read
+     * @param fetchFn - Optional custom fetch function
+     * @returns The data at the key
+     */
+    static readPublicSpace<T = unknown>(host: string, spaceId: string, key: string, fetchFn?: FetchFunction): Promise<Result$1<T, ServiceError>>;
+    /**
+     * Read from any user's public space by address (unauthenticated).
+     * Convenience method that constructs the space ID from address and chain ID.
+     *
+     * @param host - TinyCloud server URL
+     * @param address - Ethereum address (0x-prefixed)
+     * @param chainId - Chain ID (e.g., 1 for mainnet)
+     * @param key - Key to read
+     * @param fetchFn - Optional custom fetch function
+     * @returns The data at the key
+     */
+    static readPublicKey<T = unknown>(host: string, address: string, chainId: number, key: string, fetchFn?: FetchFunction): Promise<Result$1<T, ServiceError>>;
+}
+
+/**
+ * Shared space utilities for TinyCloud.
+ *
+ * These functions are platform-agnostic and can be used by both
+ * web-sdk and node-sdk for space hosting and session activation.
+ */
+/**
+ * Result of a space hosting or session activation attempt.
+ */
+interface SpaceHostResult {
+    /** Whether the operation succeeded (2xx status) */
+    success: boolean;
+    /** HTTP status code */
+    status: number;
+    /** Error message if failed */
+    error?: string;
+    /** Space IDs that were successfully activated */
+    activated?: string[];
+    /** Space IDs that were skipped (e.g., space doesn't exist yet) */
+    skipped?: string[];
+}
+/**
+ * Fetch the peer ID from TinyCloud server for space hosting.
+ *
+ * The peer ID identifies the TinyCloud server instance that will host the space.
+ *
+ * @param host - TinyCloud server URL (e.g., "https://node.tinycloud.xyz")
+ * @param spaceId - The space ID to host
+ * @returns The peer ID string
+ * @throws Error if the request fails
+ */
+declare function fetchPeerId(host: string, spaceId: string): Promise<string>;
+/**
+ * Submit a space hosting delegation to TinyCloud server.
+ *
+ * This registers a new space with the server, allowing the user
+ * to store data in it.
+ *
+ * @param host - TinyCloud server URL
+ * @param headers - Delegation headers (from siweToDelegationHeaders)
+ * @returns Result indicating success/failure
+ */
+declare function submitHostDelegation(host: string, headers: Record<string, string>): Promise<SpaceHostResult>;
+/**
+ * Activate a session with TinyCloud server.
+ *
+ * This submits the session delegation to the server, enabling the session
+ * key to perform operations on behalf of the user.
+ *
+ * @param host - TinyCloud server URL
+ * @param delegationHeader - Session delegation header (from session.delegationHeader)
+ * @returns Result indicating success/failure (404 means space doesn't exist)
+ */
+declare function activateSessionWithHost(host: string, delegationHeader: {
+    Authorization: string;
+}): Promise<SpaceHostResult>;
+
+/**
+ * DelegationManager - Handles delegation CRUD operations.
+ *
+ * This class manages the creation, revocation, listing, and querying
+ * of delegations within TinyCloud. It extracts and improves upon the
+ * delegation functionality previously in ITinyCloudStorage.
+ *
+ * @packageDocumentation
+ */
+
+/**
+ * DelegationManager handles all delegation-related operations.
+ *
+ * @example
+ * ```typescript
+ * import { DelegationManager } from "@tinycloud/sdk-core/delegations";
+ *
+ * const delegations = new DelegationManager({
+ *   hosts: ["https://node.tinycloud.xyz"],
+ *   session,
+ *   invoke,
+ * });
+ *
+ * // Create a delegation
+ * const result = await delegations.create({
+ *   delegateDID: "did:pkh:eip155:1:0x...",
+ *   path: "shared/",
+ *   actions: ["tinycloud.kv/get", "tinycloud.kv/list"],
+ *   expiry: new Date(Date.now() + 24 * 60 * 60 * 1000), // 24 hours
+ * });
+ *
+ * if (result.ok) {
+ *   console.log("Created delegation:", result.data.cid);
+ * }
+ * ```
+ */
+declare class DelegationManager {
+    private hosts;
+    private session;
+    private invoke;
+    private fetchFn;
+    /**
+     * Creates a new DelegationManager instance.
+     *
+     * @param config - Configuration including hosts, session, and invoke function
+     */
+    constructor(config: DelegationManagerConfig);
+    /**
+     * Updates the session (e.g., after re-authentication).
+     *
+     * @param session - New session to use for operations
+     */
+    updateSession(session: ServiceSession): void;
+    /**
+     * Gets the primary host URL.
+     */
+    private get host();
+    /**
+     * Executes an invoke operation against the delegation API.
+     */
+    private invokeOperation;
+    /**
+     * Creates a new delegation.
+     *
+     * Delegates specific permissions to another DID for a given path.
+     * The delegatee can then use these permissions to access resources
+     * within the specified scope.
+     *
+     * @param params - Parameters for the delegation
+     * @returns Result containing the created Delegation or an error
+     *
+     * @example
+     * ```typescript
+     * const result = await manager.create({
+     *   delegateDID: bob.did,
+     *   path: "documents/shared/",
+     *   actions: ["tinycloud.kv/get", "tinycloud.kv/put"],
+     *   expiry: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000), // 7 days
+     * });
+     * ```
+     */
+    create(params: CreateDelegationParams): Promise<Result<Delegation>>;
+    /**
+     * Revokes an existing delegation.
+     *
+     * Once revoked, the delegation can no longer be used to access resources.
+     * This also invalidates any sub-delegations derived from this delegation.
+     *
+     * @param cid - The CID of the delegation to revoke
+     * @returns Result indicating success or an error
+     *
+     * @example
+     * ```typescript
+     * const result = await manager.revoke("bafy...");
+     * if (result.ok) {
+     *   console.log("Delegation revoked successfully");
+     * }
+     * ```
+     */
+    revoke(cid: string): Promise<Result<void>>;
+    /**
+     * Lists all delegations for the current session's space.
+     *
+     * Returns both delegations created by the current user (as delegator)
+     * and delegations granted to the current user (as delegatee).
+     *
+     * @returns Result containing an array of Delegations or an error
+     *
+     * @example
+     * ```typescript
+     * const result = await manager.list();
+     * if (result.ok) {
+     *   for (const delegation of result.data) {
+     *     console.log(`${delegation.cid}: ${delegation.path} -> ${delegation.delegateDID}`);
+     *   }
+     * }
+     * ```
+     */
+    list(): Promise<Result<Delegation[]>>;
+    /**
+     * Gets the full delegation chain for a given delegation.
+     *
+     * Returns the chain of delegations from the root (original delegator)
+     * to the specified delegation, including all intermediate sub-delegations.
+     *
+     * @param cid - The CID of the delegation to get the chain for
+     * @returns Result containing the DelegationChain or an error
+     *
+     * @example
+     * ```typescript
+     * const result = await manager.getChain("bafy...");
+     * if (result.ok) {
+     *   console.log("Chain length:", result.data.length);
+     *   for (const delegation of result.data) {
+     *     console.log(`- ${delegation.delegatorDID} -> ${delegation.delegateDID}`);
+     *   }
+     * }
+     * ```
+     */
+    getChain(cid: string): Promise<Result<DelegationChain>>;
+    /**
+     * Checks if the current session has permission for a given path and action.
+     *
+     * This can be used to verify permissions before attempting an operation,
+     * or to implement custom access control logic.
+     *
+     * @param path - The resource path to check
+     * @param action - The action to check (e.g., "tinycloud.kv/get")
+     * @returns Result containing a boolean indicating permission or an error
+     *
+     * @example
+     * ```typescript
+     * const result = await manager.checkPermission("documents/private/", "tinycloud.kv/put");
+     * if (result.ok && result.data) {
+     *   console.log("Permission granted");
+     * } else {
+     *   console.log("Permission denied");
+     * }
+     * ```
+     */
+    checkPermission(path: string, action: string): Promise<Result<boolean>>;
+}
+
+/**
+ * SharingService - v2 sharing link service with embedded private keys.
  *
- * This package defines the platform-agnostic interfaces that both web-sdk and node-sdk
- * implement. The main TinyCloud class accepts an IUserAuthorization implementation,
- * allowing it to work in both browser and Node.js environments.
+ * This service implements the v2 sharing specification, which embeds private keys
+ * directly in sharing links. This allows recipients to exercise delegations
+ * without requiring prior session setup.
+ *
+ * Key differences from v1 SharingLinks:
+ * - Private keys are embedded in the link (not just tokens)
+ * - Recipients can optionally sub-delegate to their own session key
+ * - Pre-configured KV service returned for immediate use
+ *
+ * @packageDocumentation
+ */
+
+/**
+ * Data encoded in a sharing link.
+ */
+interface EncodedShareData {
+    /** Private key in JWK format (includes d parameter) */
+    key: JWK;
+    /** DID of the key */
+    keyDid: string;
+    /** The delegation granting access */
+    delegation: Delegation;
+    /** Resource path this link grants access to */
+    path: string;
+    /** TinyCloud host URL */
+    host: string;
+    /** Space ID */
+    spaceId: string;
+    /** Schema version */
+    version: 1;
+}
+/**
+ * Options for receiving a sharing link.
+ */
+interface ReceiveOptions {
+    /**
+     * Whether to automatically create a sub-delegation to the current session key.
+     * Default: true
+     */
+    autoSubdelegate?: boolean;
+    /**
+     * Whether to use the current session key for operations (requires autoSubdelegate).
+     * Default: true
+     */
+    useSessionKey?: boolean;
+    /**
+     * Ingestion options passed to CapabilityKeyRegistry.
+     */
+    ingestOptions?: IngestOptions;
+}
+/**
+ * Result of receiving a sharing link.
+ */
+interface ShareAccess {
+    /** The delegation that was received/created */
+    delegation: Delegation;
+    /** Key info for the received key */
+    key: KeyInfo;
+    /** Pre-configured KV service for the shared path */
+    kv: IKVService;
+    /** The space ID */
+    spaceId: string;
+    /** The path prefix for this share */
+    path: string;
+}
+/**
+ * Configuration for SharingService.
+ */
+interface SharingServiceConfig {
+    /** TinyCloud host URLs */
+    hosts: string[];
+    /**
+     * Active session for authentication.
+     * Required for generate(), optional for receive().
+     */
+    session?: ServiceSession;
+    /** Platform-specific invoke function */
+    invoke: InvokeFunction;
+    /** Optional custom fetch implementation */
+    fetch?: FetchFunction;
+    /** Key provider for cryptographic operations */
+    keyProvider: KeyProvider;
+    /** Capability key registry for key/delegation management */
+    registry: ICapabilityKeyRegistry;
+    /**
+     * Delegation manager for creating delegations (used if createDelegation not provided).
+     * Required for generate(), optional for receive().
+     */
+    delegationManager?: DelegationManager;
+    /** Factory for creating KV service instances */
+    createKVService: (config: {
+        hosts: string[];
+        session: ServiceSession;
+        invoke: InvokeFunction;
+        fetch?: FetchFunction;
+        pathPrefix?: string;
+    }) => IKVService;
+    /** Base URL for sharing links (e.g., "https://share.myapp.com") */
+    baseUrl?: string;
+    /**
+     * Custom delegation creation function. When provided, this is used instead
+     * of delegationManager.create(). This allows platforms to use their own
+     * delegation creation logic (e.g., SIWE-based /delegate endpoint).
+     */
+    createDelegation?: (params: CreateDelegationParams) => Promise<Result<Delegation, DelegationError>>;
+    /**
+     * WASM function for client-side delegation creation.
+     * When provided, this is preferred over server-side creation (createDelegation/delegationManager).
+     * Creates UCAN delegations directly without requiring server roundtrip.
+     */
+    createDelegationWasm?: (params: CreateDelegationWasmParams) => CreateDelegationWasmResult;
+    /**
+     * Path prefix for KV operations.
+     * When set, paths passed to generate() are prefixed with this value.
+     * This ensures the share path matches the session's authorized paths.
+     */
+    pathPrefix?: string;
+    /**
+     * Session expiry time.
+     * When set, sharing link expiry is clamped to not exceed this value
+     * unless onRootDelegationNeeded is provided and returns a new delegation.
+     */
+    sessionExpiry?: Date;
+    /**
+     * Callback to create a DIRECT delegation from the root (wallet) to a share key.
+     * This bypasses the session delegation chain, allowing share links with
+     * expiry longer than the current session.
+     *
+     * When provided and share expiry > session expiry:
+     * 1. SharingService creates the ephemeral share key
+     * 2. This callback is invoked with the share key DID
+     * 3. The callback signs a direct PKH -> share key delegation with the wallet
+     * 4. The returned delegation is used for the share link
+     *
+     * This is the CORRECT solution for long-lived share links because:
+     * - It creates a fresh delegation chain: PKH -> share key
+     * - Not constrained by session expiry (no sub-delegation from session key)
+     *
+     * @param params - Parameters for creating the root delegation
+     * @returns The delegation from wallet to share key, or undefined to fall back to session extension
+     */
+    onRootDelegationNeeded?: (params: {
+        /** DID of the share key to delegate to */
+        shareKeyDID: string;
+        /** Space ID */
+        spaceId: string;
+        /** Path to grant access to */
+        path: string;
+        /** Actions to grant */
+        actions: string[];
+        /** Requested expiry time */
+        requestedExpiry: Date;
+    }) => Promise<Delegation | undefined>;
+}
+/**
+ * Interface for the SharingService.
+ */
+interface ISharingService {
+    /**
+     * Generate a sharing link with an embedded private key.
+     *
+     * This creates a new session key, delegates to it, and encodes
+     * the key and delegation into a shareable link.
+     */
+    generate(params: GenerateShareParams): Promise<Result<ShareLink, DelegationError>>;
+    /**
+     * Receive and activate a sharing link.
+     *
+     * Decodes the link, ingests the key into the registry, and optionally
+     * creates a sub-delegation to the current session key.
+     */
+    receive(link: string, options?: ReceiveOptions): Promise<Result<ShareAccess, DelegationError>>;
+    /**
+     * Encode sharing data into a link string.
+     */
+    encodeLink(data: EncodedShareData, schema?: ShareSchema): string;
+    /**
+     * Decode a link string into sharing data.
+     */
+    decodeLink(link: string): EncodedShareData;
+}
+/**
+ * SharingService - v2 sharing link service with embedded private keys.
+ *
+ * @example
+ * ```typescript
+ * import { SharingService } from "@tinycloud/sdk-core/delegations";
+ *
+ * const sharing = new SharingService({
+ *   hosts: ["https://node.tinycloud.xyz"],
+ *   session,
+ *   invoke,
+ *   keyProvider,
+ *   registry,
+ *   delegationManager,
+ *   createKVService,
+ *   baseUrl: "https://share.myapp.com"
+ * });
+ *
+ * // Generate a sharing link
+ * const result = await sharing.generate({
+ *   path: "/kv/documents/report.pdf",
+ *   actions: ["tinycloud.kv/get"],
+ *   expiry: new Date("2024-12-31")
+ * });
+ *
+ * if (result.ok) {
+ *   console.log("Share this URL:", result.data.url);
+ * }
+ *
+ * // Receive a sharing link
+ * const receiveResult = await sharing.receive(shareUrl);
+ * if (receiveResult.ok) {
+ *   // Use the pre-configured KV service
+ *   const data = await receiveResult.data.kv.get("report.pdf");
+ * }
+ * ```
+ */
+declare class SharingService implements ISharingService {
+    private hosts;
+    private session?;
+    private invoke;
+    private fetchFn;
+    private keyProvider;
+    private registry;
+    private delegationManager?;
+    private createKVService;
+    private baseUrl;
+    private createDelegationFn?;
+    private createDelegationWasmFn?;
+    private pathPrefix;
+    private sessionExpiry?;
+    private onRootDelegationNeeded?;
+    /**
+     * Creates a new SharingService instance.
+     */
+    constructor(config: SharingServiceConfig);
+    /**
+     * Gets the primary host URL.
+     */
+    private get host();
+    /**
+     * Updates the session (e.g., after re-authentication).
+     */
+    updateSession(session: ServiceSession): void;
+    /**
+     * Updates the service configuration.
+     * Used to add full capabilities (session, delegationManager, createDelegation, createDelegationWasm) after signIn.
+     */
+    updateConfig(config: Partial<Pick<SharingServiceConfig, "session" | "delegationManager" | "createDelegation" | "createDelegationWasm" | "sessionExpiry" | "onRootDelegationNeeded">>): void;
+    /**
+     * Generate a sharing link with an embedded private key.
+     *
+     * Flow:
+     * 1. Spawn new session key (unique per share)
+     * 2. Create delegation from current session to spawned key
+     * 3. Package: { key (with private!), delegation, path, host }
+     * 4. Encode based on schema (base64 for now)
+     * 5. Return link string
+     */
+    generate(params: GenerateShareParams): Promise<Result<ShareLink, DelegationError>>;
+    /**
+     * Check if any key in the registry can satisfy the delegation request.
+     * A key can satisfy if it has a delegation that:
+     * 1. Covers the required path (exact match or parent path)
+     * 2. Has all required actions
+     * 3. Has sufficient expiry (delegation.expiry >= requestedExpiry)
+     * 4. Allows sub-delegation
+     * @internal
+     */
+    private findSuitableKeyForDelegation;
+    /**
+     * Check if a delegation path matches/covers the requested path.
+     * A delegation path covers the request if:
+     * - It's an exact match
+     * - It's a parent path (e.g., delegation for "" covers "foo/bar")
+     * - It uses wildcards that match
+     * @internal
+     */
+    private pathMatches;
+    /**
+     * Handle fallback to session extension when root delegation is not available.
+     * @internal
+     */
+    private handleSessionExtensionFallback;
+    /**
+     * Create a delegation from the current session to a share key.
+     * This is the fallback path when root delegation is not available.
+     * @internal
+     */
+    private createSessionDelegation;
+    /**
+     * Receive and activate a sharing link.
+     *
+     * Flow:
+     * 1. Decode link -> extract { key, delegation, path, host }
+     * 2. Ingest key into CapabilityKeyRegistry
+     * 3. If autoSubdelegate (default true) + useSessionKey:
+     *    - Create sub-delegation from ingested key -> current session
+     *    - Register sub-delegation capabilities
+     * 4. Return ShareAccess with pre-configured KV service
+     */
+    receive(link: string, options?: ReceiveOptions): Promise<Result<ShareAccess, DelegationError>>;
+    /**
+     * Encode sharing data into a link string.
+     *
+     * @param data - The share data to encode
+     * @param schema - The encoding schema (default: "base64")
+     * @returns Encoded link string
+     */
+    encodeLink(data: EncodedShareData, schema?: ShareSchema): string;
+    /**
+     * Decode a link string into sharing data.
+     *
+     * @param link - The encoded link string (may include URL prefix)
+     * @returns Decoded share data
+     * @throws Error if link format is invalid or data fails validation
+     */
+    decodeLink(link: string): EncodedShareData;
+    /**
+     * Decode and validate a link string into sharing data.
+     *
+     * Internal method that returns a Result instead of throwing.
+     * Used by receive() for proper error handling.
+     *
+     * @param link - The encoded link string (may include URL prefix)
+     * @returns Result with decoded share data or validation error
+     */
+    private decodeLinkWithValidation;
+}
+/**
+ * Create a new SharingService instance.
+ */
+declare function createSharingService(config: SharingServiceConfig): ISharingService;
+
+/**
+ * Interface for space-scoped delegation operations.
+ *
+ * Provides delegation management scoped to a specific space.
+ */
+interface ISpaceScopedDelegations {
+    /**
+     * List delegations created by the user in this space (outgoing).
+     */
+    list(): Promise<Result$1<Delegation[], ServiceError>>;
+    /**
+     * List delegations received by the user for this space (incoming).
+     */
+    listReceived(): Promise<Result$1<Delegation[], ServiceError>>;
+    /**
+     * Create a delegation within this space.
+     */
+    create(params: Omit<CreateDelegationParams, "spaceId">): Promise<Result$1<Delegation, ServiceError>>;
+    /**
+     * Revoke a delegation within this space.
+     */
+    revoke(cid: string): Promise<Result$1<void, ServiceError>>;
+}
+/**
+ * Interface for space-scoped sharing operations.
+ *
+ * Provides sharing link management scoped to a specific space.
+ */
+interface ISpaceScopedSharing {
+    /**
+     * Generate a sharing link for a resource in this space.
+     */
+    generate(params: Omit<GenerateShareParams, "spaceId">): Promise<Result$1<ShareLink, ServiceError>>;
+    /**
+     * List active sharing links in this space.
+     */
+    list(): Promise<Result$1<ShareLink[], ServiceError>>;
+    /**
+     * Revoke a sharing link.
+     */
+    revoke(token: string): Promise<Result$1<void, ServiceError>>;
+}
+/**
+ * Interface for a Space object.
+ *
+ * Provides scoped access to services within a specific space.
+ */
+interface ISpace {
+    /**
+     * The space identifier.
+     */
+    readonly id: string;
+    /**
+     * The short name of the space.
+     */
+    readonly name: string;
+    /**
+     * KV operations scoped to this space.
+     */
+    readonly kv: IKVService;
+    /**
+     * Delegation operations scoped to this space.
+     */
+    readonly delegations: ISpaceScopedDelegations;
+    /**
+     * Sharing operations scoped to this space.
+     */
+    readonly sharing: ISpaceScopedSharing;
+    /**
+     * Get space metadata.
+     */
+    info(): Promise<Result$1<SpaceInfo, ServiceError>>;
+}
+/**
+ * Configuration for creating a Space object.
+ */
+interface SpaceConfig {
+    /**
+     * The space identifier (full URI).
+     */
+    id: string;
+    /**
+     * The short name of the space.
+     */
+    name: string;
+    /**
+     * Factory function to create a space-scoped KV service.
+     */
+    createKV: (spaceId: string) => IKVService;
+    /**
+     * Factory function to create space-scoped delegations.
+     */
+    createDelegations: (spaceId: string) => ISpaceScopedDelegations;
+    /**
+     * Factory function to create space-scoped sharing.
+     */
+    createSharing: (spaceId: string) => ISpaceScopedSharing;
+    /**
+     * Function to get space info.
+     */
+    getInfo: (spaceId: string) => Promise<Result$1<SpaceInfo, ServiceError>>;
+}
+/**
+ * Space - Provides scoped access to services within a specific space.
+ *
+ * @example
+ * ```typescript
+ * const space = sdk.space('default');
+ *
+ * // KV operations scoped to this space
+ * await space.kv.put('key', 'value');
+ * const result = await space.kv.get('key');
+ *
+ * // Delegation operations scoped to this space
+ * await space.delegations.create({
+ *   delegateDID: 'did:pkh:eip155:1:0x...',
+ *   path: '/shared/',
+ *   actions: ['tinycloud.kv/get']
+ * });
+ *
+ * // Get space metadata
+ * const info = await space.info();
+ * ```
+ */
+declare class Space implements ISpace {
+    private readonly _id;
+    private readonly _name;
+    private readonly _kv;
+    private readonly _delegations;
+    private readonly _sharing;
+    private readonly _getInfo;
+    /**
+     * Create a new Space instance.
+     *
+     * @param config - Space configuration
+     */
+    constructor(config: SpaceConfig);
+    /**
+     * The space identifier (full URI).
+     */
+    get id(): string;
+    /**
+     * The short name of the space.
+     */
+    get name(): string;
+    /**
+     * KV operations scoped to this space.
+     */
+    get kv(): IKVService;
+    /**
+     * Delegation operations scoped to this space.
+     */
+    get delegations(): ISpaceScopedDelegations;
+    /**
+     * Sharing operations scoped to this space.
+     */
+    get sharing(): ISpaceScopedSharing;
+    /**
+     * Get space metadata.
+     *
+     * @returns Result containing space information
+     */
+    info(): Promise<Result$1<SpaceInfo, ServiceError>>;
+}
+
+/**
+ * SpaceService - Global singleton for managing spaces (owned and delegated).
+ *
+ * SpaceService provides a unified interface for discovering, creating,
+ * and accessing spaces. It handles both owned spaces (created by the user)
+ * and delegated spaces (shared by other users).
+ *
+ * @packageDocumentation
+ */
+
+/**
+ * Error codes for SpaceService operations.
+ */
+declare const SpaceErrorCodes: {
+    /** Space not found */
+    readonly NOT_FOUND: "SPACE_NOT_FOUND";
+    /** Space already exists */
+    readonly ALREADY_EXISTS: "SPACE_ALREADY_EXISTS";
+    /** Creation failed */
+    readonly CREATION_FAILED: "SPACE_CREATION_FAILED";
+    /** Authentication required */
+    readonly AUTH_REQUIRED: "AUTH_REQUIRED";
+    /** Invalid space name or URI */
+    readonly INVALID_NAME: "INVALID_SPACE_NAME";
+    /** Network error */
+    readonly NETWORK_ERROR: "NETWORK_ERROR";
+    /** Not initialized */
+    readonly NOT_INITIALIZED: "NOT_INITIALIZED";
+};
+type SpaceErrorCode = (typeof SpaceErrorCodes)[keyof typeof SpaceErrorCodes];
+/**
+ * Parameters for creating a space-scoped delegation.
+ * Extends CreateDelegationParams with the spaceId.
+ */
+interface SpaceDelegationParams extends Omit<CreateDelegationParams, "spaceId"> {
+    /** The space ID to create the delegation for */
+    spaceId: string;
+}
+/**
+ * Function type for creating delegations.
+ * Platform SDKs provide this to handle SIWE-based delegation creation.
+ */
+type CreateDelegationFunction = (params: SpaceDelegationParams) => Promise<Result$1<Delegation, ServiceError>>;
+/**
+ * Configuration for SpaceService.
+ */
+interface SpaceServiceConfig {
+    /** TinyCloud host URLs */
+    hosts: string[];
+    /** Active session for authentication */
+    session: ServiceSession;
+    /** Platform-specific invoke function */
+    invoke: InvokeFunction;
+    /** Optional custom fetch implementation */
+    fetch?: FetchFunction;
+    /** Optional capability key registry for delegated space discovery */
+    capabilityRegistry?: ICapabilityKeyRegistry;
+    /** Factory function to create a space-scoped KV service */
+    createKVService?: (spaceId: string) => IKVService;
+    /** User's PKH DID (derived from address or provided explicitly) */
+    userDid?: string;
+    /** Optional SharingService for v2 sharing links (client-side) */
+    sharingService?: ISharingService;
+    /**
+     * Factory function to create delegations using SIWE-based flow.
+     * Platform SDKs (web-sdk, node-sdk) provide this using their WASM bindings.
+     * Required for space.delegations.create() to work.
+     */
+    createDelegation?: CreateDelegationFunction;
+}
+/**
+ * Interface for SpaceService.
+ */
+interface ISpaceService {
+    /**
+     * List all spaces the user has access to (owned + delegated).
+     */
+    list(): Promise<Result$1<SpaceInfo[], ServiceError>>;
+    /**
+     * Create a new space.
+     *
+     * @param name - The name for the new space
+     */
+    create(name: string): Promise<Result$1<SpaceInfo, ServiceError>>;
+    /**
+     * Get a Space object by name or full URI.
+     *
+     * For owned spaces, use the short name: `sdk.space('default')`
+     * For delegated spaces, use the full URI: `sdk.space('tinycloud:pkh:eip155:1:0x...:photos')`
+     *
+     * @param nameOrUri - Short name or full URI
+     */
+    get(nameOrUri: string): ISpace;
+    /**
+     * Check if a space exists and the user has access.
+     *
+     * @param nameOrUri - Short name or full URI
+     */
+    exists(nameOrUri: string): Promise<Result$1<boolean, ServiceError>>;
+    /**
+     * Get the current user's primary space ID.
+     */
+    getCurrentSpaceId(): string | undefined;
+    /**
+     * Update the service configuration.
+     */
+    updateConfig(config: Partial<SpaceServiceConfig>): void;
+}
+/**
+ * Construct the deterministic public space ID for a given address and chain ID.
+ *
+ * Public space IDs follow the format:
+ * `tinycloud:pkh:eip155:{chainId}:{address}:public`
+ *
+ * Given an address and chain ID, any client can construct this ID
+ * to discover and read a user's public data without prior interaction.
+ *
+ * @param address - Ethereum address (0x-prefixed)
+ * @param chainId - Chain ID (e.g., 1 for mainnet)
+ * @returns The full public space ID URI
+ *
+ * @example
+ * ```typescript
+ * const spaceId = makePublicSpaceId('0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045', 1);
+ * // => "tinycloud:pkh:eip155:1:0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045:public"
+ * ```
+ */
+declare function makePublicSpaceId(address: string, chainId: number): string;
+/**
+ * Parse a space URI to extract components.
+ *
+ * Full URI format: `tinycloud:pkh:eip155:{chainId}:{address}:{name}`
+ * Short name format: `{name}`
+ *
+ * @param uri - The space URI or short name
+ * @returns Parsed components or null if invalid
+ */
+declare function parseSpaceUri(uri: string): {
+    owner: string;
+    name: string;
+    chainId?: string;
+    address?: string;
+} | null;
+/**
+ * Build a full space URI from components.
+ *
+ * @param owner - Owner DID (did:pkh:eip155:{chainId}:{address})
+ * @param name - Space name
+ * @returns Full space URI
+ */
+declare function buildSpaceUri(owner: string, name: string): string;
+/**
+ * SpaceService - Global singleton for managing spaces.
+ *
+ * @example
+ * ```typescript
+ * const spaceService = new SpaceService({
+ *   hosts: ['https://node.tinycloud.xyz'],
+ *   session,
+ *   invoke,
+ * });
+ *
+ * // List all accessible spaces
+ * const result = await spaceService.list();
+ * if (result.ok) {
+ *   for (const space of result.data) {
+ *     console.log(`${space.name} (${space.type})`);
+ *   }
+ * }
+ *
+ * // Create a new space
+ * const createResult = await spaceService.create('photos');
+ *
+ * // Get a space object for operations
+ * const space = spaceService.get('photos');
+ * await space.kv.put('album/vacation', { photos: [...] });
+ * ```
+ */
+declare class SpaceService implements ISpaceService {
+    private hosts;
+    private session;
+    private invoke;
+    private fetchFn;
+    private capabilityRegistry?;
+    private createKVServiceFn?;
+    private _userDid?;
+    private sharingService?;
+    private createDelegationFn?;
+    /** Cache of created Space objects */
+    private spaceCache;
+    /** Cache of space info */
+    private infoCache;
+    /** Cache TTL in milliseconds (5 minutes) */
+    private readonly cacheTTL;
+    /**
+     * Create a new SpaceService instance.
+     *
+     * @param config - Service configuration
+     */
+    constructor(config: SpaceServiceConfig);
+    /**
+     * Update the service configuration.
+     */
+    updateConfig(config: Partial<SpaceServiceConfig>): void;
+    /**
+     * Get the current user's primary space ID.
+     */
+    getCurrentSpaceId(): string | undefined;
+    /**
+     * Get the primary host URL.
+     */
+    private get host();
+    /**
+     * Get the current user's PKH DID.
+     */
+    private get userDid();
+    /**
+     * List all spaces the user has access to.
+     *
+     * Combines owned spaces (from the server) with delegated spaces
+     * (from the capability registry).
+     */
+    list(): Promise<Result$1<SpaceInfo[], ServiceError>>;
+    /**
+     * List owned spaces from the server.
+     */
+    private listOwnedSpaces;
+    /**
+     * Discover delegated spaces from the capability registry.
+     */
+    private discoverDelegatedSpaces;
+    /**
+     * Extract space name from a full space ID.
+     */
+    private extractNameFromId;
+    /**
+     * Deduplicate spaces, preferring owned over delegated.
+     */
+    private deduplicateSpaces;
+    /**
+     * Create a new space.
+     *
+     * @param name - The name for the new space
+     */
+    create(name: string): Promise<Result$1<SpaceInfo, ServiceError>>;
+    /**
+     * Get a Space object by name or full URI.
+     *
+     * @param nameOrUri - Short name or full URI
+     */
+    get(nameOrUri: string): ISpace;
+    /**
+     * Resolve a name or URI to a full space ID.
+     */
+    private resolveSpaceId;
+    /**
+     * Check if a space exists and the user has access.
+     */
+    exists(nameOrUri: string): Promise<Result$1<boolean, ServiceError>>;
+    /**
+     * Get space info from server or cache.
+     */
+    private getSpaceInfo;
+    /**
+     * Create a space-scoped KV service.
+     */
+    private createSpaceScopedKV;
+    /**
+     * Create space-scoped delegation operations.
+     */
+    private createSpaceScopedDelegations;
+    /**
+     * Create space-scoped sharing operations.
+     *
+     * When a SharingService is configured, delegates to client-side v2 sharing.
+     * V2 sharing links are self-contained with embedded private keys - no server tracking.
+     */
+    private createSpaceScopedSharing;
+}
+/**
+ * Create a new SpaceService instance.
+ *
+ * @param config - Service configuration
+ * @returns A new SpaceService instance
+ */
+declare function createSpaceService(config: SpaceServiceConfig): ISpaceService;
+
+/**
+ * Protocol version checking for SDK-to-node compatibility.
  *
  * @packageDocumentation
  */
-export { ClientSession, EnsData, SiweConfig, ServerHost, ClientSessionSchema, EnsDataSchema, SiweConfigSchema, validateClientSession, SiweMessage, } from "./client-types";
-export { INotificationHandler, SilentNotificationHandler, } from "./notifications";
-export { IENSResolver } from "./ens";
-export { IWasmBindings, ISessionManager } from "./wasm";
-export { ISigner, Bytes } from "./signer";
-export { ISessionStorage, PersistedSessionData, PersistedTinyCloudSession, TinyCloudSession, ValidationError, validatePersistedSessionData, } from "./storage";
-export { IUserAuthorization, Extension, PartialSiweMessage, UserAuthorizationConfig, } from "./userAuthorization";
-export { TinyCloud, TinyCloudConfig, } from "./TinyCloud";
-export { ServiceContext, type ServiceContextConfig, type IServiceContext, type IService, KVService, PrefixedKVService, type IKVService, type IPrefixedKVService, type KVServiceConfig, type KVGetOptions, type KVPutOptions, type KVListOptions, type KVDeleteOptions, type KVHeadOptions, type KVResponse, type KVListResponse, type KVResponseHeaders, type Result, ok, err, serviceError, ErrorCodes, type ErrorCode, type ServiceError, type ServiceSession, type InvokeFunction, type FetchFunction, type RetryPolicy, defaultRetryPolicy, SQLService, DatabaseHandle, SQLAction, type ISQLService, type IDatabaseHandle, type SQLServiceConfig, type SqlValue, type SqlStatement, type QueryOptions, type ExecuteOptions, type BatchOptions, type QueryResponse, type ExecuteResponse, type BatchResponse, type SQLActionType, DuckDbService, DuckDbDatabaseHandle, DuckDbAction, type IDuckDbService, type IDuckDbDatabaseHandle, type DuckDbServiceConfig, type DuckDbQueryOptions, type DuckDbExecuteOptions, type DuckDbBatchOptions, type DuckDbOptions, type DuckDbValue, type DuckDbStatement, type DuckDbQueryResponse, type DuckDbExecuteResponse, type DuckDbBatchResponse, type DuckDbActionType, type SchemaInfo, type TableInfo, type ColumnInfo, type ViewInfo, DataVaultService, VaultHeaders, VaultPublicSpaceKVActions, createVaultCrypto, type IDataVaultService, type VaultCrypto, type WasmVaultFunctions, type DataVaultConfig, type VaultPutOptions, type VaultGetOptions, type VaultListOptions, type VaultGrantOptions, type VaultEntry, type VaultError, } from "@tinycloud/sdk-services";
-export { SpaceHostResult, fetchPeerId, submitHostDelegation, activateSessionWithHost, } from "./space";
-export { Result as DelegationResult, DelegationError, DelegationErrorCodes, DelegationErrorCode, Delegation, CreateDelegationParams, CreateDelegationWasmParams, CreateDelegationWasmResult, DelegationChain, DelegationApiResponse, DelegationManagerConfig, KeyProvider, DelegationManager, SharingService, createSharingService, ISharingService, SharingServiceConfig, EncodedShareData, ReceiveOptions, ShareAccess, JWK, KeyType, KeyInfo, CapabilityEntry, DelegationRecord, DelegationChainV2, DelegationDirection, DelegationFilters, SpaceOwnership, SpaceInfo, ShareSchema, ShareLink, ShareLinkData, IngestOptions, GenerateShareParams, } from "./delegations";
-export { CapabilityKeyRegistry, ICapabilityKeyRegistry, createCapabilityKeyRegistry, StoredDelegationChain, CapabilityKeyRegistryErrorCodes, CapabilityKeyRegistryErrorCode, SignRequest, SignResponse, SignCallback, AutoSignStrategy, AutoRejectStrategy, CallbackStrategy, EventEmitterStrategy, SignStrategy, defaultSignStrategy, SpaceCreationContext, ISpaceCreationHandler, AutoApproveSpaceCreationHandler, defaultSpaceCreationHandler, } from "./authorization";
-export { Space, ISpace, SpaceConfig, ISpaceScopedDelegations, ISpaceScopedSharing, SpaceService, ISpaceService, SpaceServiceConfig, SpaceErrorCodes, SpaceErrorCode, createSpaceService, parseSpaceUri, buildSpaceUri, makePublicSpaceId, SpaceDelegationParams, CreateDelegationFunction, } from "./spaces";
-export { ProtocolMismatchError, VersionCheckError, UnsupportedFeatureError, checkNodeInfo, } from "./version";
-export type { NodeInfo } from "./version";
-//# sourceMappingURL=index.d.ts.map
+declare class ProtocolMismatchError extends Error {
+    readonly sdkProtocol: number;
+    readonly nodeProtocol: number;
+    readonly nodeVersion: string;
+    readonly host: string;
+    name: "ProtocolMismatchError";
+    constructor(sdkProtocol: number, nodeProtocol: number, nodeVersion: string, host: string);
+}
+declare class VersionCheckError extends Error {
+    readonly host: string;
+    readonly cause?: Error | undefined;
+    name: "VersionCheckError";
+    constructor(host: string, cause?: Error | undefined);
+}
+declare class UnsupportedFeatureError extends Error {
+    readonly feature: string;
+    readonly host: string;
+    readonly availableFeatures: string[];
+    name: "UnsupportedFeatureError";
+    constructor(feature: string, host: string, availableFeatures: string[]);
+}
+interface NodeInfo {
+    features: string[];
+    quotaUrl?: string;
+}
+declare function checkNodeInfo(host: string, sdkProtocol: number, fetchFn?: typeof globalThis.fetch): Promise<NodeInfo>;
+
+export { AutoApproveSpaceCreationHandler, type AutoRejectStrategy, type AutoSignStrategy, type Bytes, type CallbackStrategy, type CapabilityEntry, CapabilityKeyRegistry, type CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, type ClientSession, ClientSessionSchema, type CreateDelegationFunction, type CreateDelegationParams, type CreateDelegationWasmParams, type CreateDelegationWasmResult, type Delegation, type DelegationApiResponse, type DelegationChain, type DelegationChainV2, type DelegationDirection, type DelegationError, type DelegationErrorCode, DelegationErrorCodes, type DelegationFilters, DelegationManager, type DelegationManagerConfig, type DelegationRecord, type Result as DelegationResult, type EncodedShareData, type EnsData, EnsDataSchema, type EventEmitterStrategy, type Extension, type GenerateShareParams, type ICapabilityKeyRegistry, type IENSResolver, type INotificationHandler, type ISessionManager, type ISessionStorage, type ISharingService, type ISigner, type ISpace, type ISpaceCreationHandler, type ISpaceScopedDelegations, type ISpaceScopedSharing, type ISpaceService, type IUserAuthorization, type IWasmBindings, type IngestOptions, type JWK, type KeyInfo, type KeyProvider, type KeyType, type NodeInfo, type PartialSiweMessage, type PersistedSessionData, type PersistedTinyCloudSession, ProtocolMismatchError, type ReceiveOptions, type ServerHost, type ShareAccess, type ShareLink, type ShareLinkData, type ShareSchema, SharingService, type SharingServiceConfig, type SignCallback, type SignRequest, type SignResponse, type SignStrategy, SilentNotificationHandler, type SiweConfig, SiweConfigSchema, Space, type SpaceConfig, type SpaceCreationContext, type SpaceDelegationParams, type SpaceErrorCode, SpaceErrorCodes, type SpaceHostResult, type SpaceInfo, type SpaceOwnership, SpaceService, type SpaceServiceConfig, type StoredDelegationChain, TinyCloud, type TinyCloudConfig, type TinyCloudSession, UnsupportedFeatureError, type UserAuthorizationConfig, type ValidationError, VersionCheckError, activateSessionWithHost, buildSpaceUri, checkNodeInfo, createCapabilityKeyRegistry, createSharingService, createSpaceService, defaultSignStrategy, defaultSpaceCreationHandler, fetchPeerId, makePublicSpaceId, parseSpaceUri, submitHostDelegation, validateClientSession, validatePersistedSessionData };