@tinycloud/sdk-core 2.1.0-beta.1 → 2.1.0-beta.3

package/dist/index.d.cts

@@ -430,6 +430,63 @@ declare function normalizeDefaults(value: Manifest["defaults"] | undefined): Man
  * - Prefix inheritance applies identically to `permissions` and `delegations[*].permissions`.
  */
 declare function resolveManifest(input: Manifest): ResolvedCapabilities;
+/**
+ * The shape `prepareSession` and the multi-resource `createDelegation` WASM
+ * export both accept:
+ *
+ * ```
+ * { [shortService]: { [path]: [fullUrnAction, ...] } }
+ * ```
+ *
+ * - `shortService` is the recap-level service segment (`"kv"`, `"sql"`,
+ *   `"duckdb"`, `"capabilities"`, `"hooks"`) — not the manifest long form.
+ * - `path` is the fully-resolved path (prefix already applied). An empty
+ *   string means "no path segment" on the resource URI.
+ * - Action strings are full URNs like `"tinycloud.kv/get"`.
+ *
+ * This is a single source of truth for both the session's own recap (at
+ * sign-in) and the delegations it can derive (post sign-in). We re-use it
+ * for both so one manifest drives both sides.
+ */
+type AbilitiesMap = Record<string, Record<string, string[]>>;
+/**
+ * Convert a list of {@link ResourceCapability} entries (manifest
+ * long-form service, full-URN actions) into the {@link AbilitiesMap}
+ * shape the WASM layer expects.
+ *
+ * When multiple entries target the same `(service, path)` pair, their
+ * action lists are merged and deduped. Entries whose service has no
+ * short-form mapping in {@link SERVICE_LONG_TO_SHORT} are rejected with
+ * a {@link ManifestValidationError} — the SDK does not silently drop
+ * unknown services because the recap encoding would lose them.
+ *
+ * Paths are kept verbatim: this function does NOT collapse
+ * `"com.listen.app/"` and `"com.listen.app"` or reinterpret empty /
+ * slash strings. Callers that care about path canonicalization should
+ * normalize before calling.
+ */
+declare function resourceCapabilitiesToAbilitiesMap(resources: readonly ResourceCapability[]): AbilitiesMap;
+/**
+ * Build the {@link AbilitiesMap} that a session should be signed with,
+ * given a {@link ResolvedCapabilities} (i.e. the output of
+ * {@link resolveManifest}).
+ *
+ * The resulting map is the **union** of:
+ * 1. the app's own resources (`resolved.resources`), and
+ * 2. every permission declared in every `additionalDelegates[*]` entry.
+ *
+ * The union is what makes the manifest's delegations ergonomic: at
+ * sign-in, the session key acquires recap coverage for both the app's
+ * runtime needs and every downstream delegation target. Post sign-in,
+ * `delegateTo(backendDID, backendPermissions)` can then issue the
+ * sub-delegation via the session key (no wallet prompt) because the
+ * caps are already part of the granted set.
+ *
+ * Duplicate `(service, path, action)` triples across resources and
+ * delegations are merged and deduped — the session SIWE doesn't need
+ * them repeated.
+ */
+declare function manifestAbilitiesUnion(resolved: ResolvedCapabilities): AbilitiesMap;
 
 /**
  * Capability subset checking and recap parsing.
@@ -2190,8 +2247,51 @@ declare const DelegationApiResponseSchema: z.ZodObject<{
     cid?: string | undefined;
 }>;
 type DelegationApiResponse = z.infer<typeof DelegationApiResponseSchema>;
+/**
+ * A single (service, space, path, actions) entry inside a
+ * createDelegation WASM result.
+ *
+ * Mirrors the Rust `DelegatedResource` struct in
+ * `tinycloud-sdk-wasm/src/session.rs`. Field names match the manifest
+ * {@link PermissionEntry} shape so callers can reconstruct what they sent
+ * without having to re-parse the UCAN.
+ *
+ * `service` is the short form (e.g. `"kv"`, `"sql"`) as returned by the
+ * Rust layer. The SDK layer translates to the long form
+ * (`"tinycloud.kv"`) when comparing against manifests.
+ */
+declare const DelegatedResourceSchema: z.ZodObject<{
+    /** Short-form service name, e.g. "kv", "sql", "duckdb", "capabilities", "hooks". */
+    service: z.ZodString;
+    /** Full space id string, e.g. "tinycloud:pkh:eip155:1:0x....:default". */
+    space: z.ZodString;
+    /** Resource path; empty string when the resource URI had no path segment. */
+    path: z.ZodString;
+    /** Full-URN ability strings, e.g. ["tinycloud.kv/get", "tinycloud.kv/put"]. */
+    actions: z.ZodArray<z.ZodString, "many">;
+}, "strip", z.ZodTypeAny, {
+    path: string;
+    service: string;
+    space: string;
+    actions: string[];
+}, {
+    path: string;
+    service: string;
+    space: string;
+    actions: string[];
+}>;
+type DelegatedResource = z.infer<typeof DelegatedResourceSchema>;
 /**
  * Input parameters for the createDelegation WASM function.
+ *
+ * A single call may encode multiple `(service, path, actions)` entries
+ * via the `abilities` map — the underlying UCAN will contain one
+ * attenuation entry per `(service, path)` pair, all signed by the same
+ * session key in one blob.
+ *
+ * The `abilities` shape is identical to what `prepareSession` accepts
+ * (`Record<shortService, Record<path, actionURNs[]>>`), so manifest
+ * resolution can feed both sides from one data structure.
  */
 declare const CreateDelegationWasmParamsSchema: z.ZodObject<{
     /** The session containing delegation credentials */
@@ -2200,27 +2300,38 @@ declare const CreateDelegationWasmParamsSchema: z.ZodObject<{
     delegateDID: z.ZodString;
     /** Space ID this delegation applies to */
     spaceId: z.ZodString;
-    /** Resource path this delegation grants access to */
-    path: z.ZodString;
-    /** Actions to authorize */
-    actions: z.ZodArray<z.ZodString, "many">;
+    /**
+     * Multi-resource abilities map: short-service → path → full-URN actions.
+     * Matches the shape accepted by `prepareSession`.
+     *
+     * Example:
+     * ```
+     * {
+     *   kv: {
+     *     "com.listen.app/": ["tinycloud.kv/get", "tinycloud.kv/put"]
+     *   },
+     *   sql: {
+     *     "com.listen.app/data.sqlite": ["tinycloud.sql/read"]
+     *   }
+     * }
+     * ```
+     */
+    abilities: z.ZodRecord<z.ZodString, z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString, "many">>>;
     /** Expiration time in seconds since Unix epoch */
     expirationSecs: z.ZodNumber;
     /** Optional not-before time in seconds since Unix epoch */
     notBeforeSecs: z.ZodOptional<z.ZodNumber>;
 }, "strip", z.ZodTypeAny, {
-    path: string;
-    actions: string[];
     spaceId: string;
     session: ServiceSession;
     delegateDID: string;
+    abilities: Record<string, Record<string, string[]>>;
     expirationSecs: number;
     notBeforeSecs?: number | undefined;
 }, {
-    path: string;
-    actions: string[];
     spaceId: string;
     delegateDID: string;
+    abilities: Record<string, Record<string, string[]>>;
     expirationSecs: number;
     session?: unknown;
     notBeforeSecs?: number | undefined;
@@ -2228,6 +2339,11 @@ declare const CreateDelegationWasmParamsSchema: z.ZodObject<{
 type CreateDelegationWasmParams = z.infer<typeof CreateDelegationWasmParamsSchema>;
 /**
  * Result from the createDelegation WASM function.
+ *
+ * A single UCAN may cover multiple resources. The `resources` array
+ * describes every `(service, space, path, actions)` entry granted, in
+ * deterministic (service, path) lexicographic order (the Rust side sorts
+ * the HashMap entries before signing).
  */
 declare const CreateDelegationWasmResultSchema: z.ZodObject<{
     /** Base64url-encoded UCAN delegation */
@@ -2236,22 +2352,50 @@ declare const CreateDelegationWasmResultSchema: z.ZodObject<{
     cid: z.ZodString;
     /** DID of the delegate */
     delegateDID: z.ZodString;
-    /** Resource path the delegation grants access to */
-    path: z.ZodString;
-    /** Actions the delegation authorizes */
-    actions: z.ZodArray<z.ZodString, "many">;
     /** Expiration time */
     expiry: z.ZodDate;
+    /**
+     * All (service, space, path, actions) entries granted by this delegation.
+     * Always non-empty on success.
+     */
+    resources: z.ZodArray<z.ZodObject<{
+        /** Short-form service name, e.g. "kv", "sql", "duckdb", "capabilities", "hooks". */
+        service: z.ZodString;
+        /** Full space id string, e.g. "tinycloud:pkh:eip155:1:0x....:default". */
+        space: z.ZodString;
+        /** Resource path; empty string when the resource URI had no path segment. */
+        path: z.ZodString;
+        /** Full-URN ability strings, e.g. ["tinycloud.kv/get", "tinycloud.kv/put"]. */
+        actions: z.ZodArray<z.ZodString, "many">;
+    }, "strip", z.ZodTypeAny, {
+        path: string;
+        service: string;
+        space: string;
+        actions: string[];
+    }, {
+        path: string;
+        service: string;
+        space: string;
+        actions: string[];
+    }>, "many">;
 }, "strip", z.ZodTypeAny, {
-    path: string;
-    actions: string[];
+    resources: {
+        path: string;
+        service: string;
+        space: string;
+        actions: string[];
+    }[];
     expiry: Date;
     delegation: string;
     cid: string;
     delegateDID: string;
 }, {
-    path: string;
-    actions: string[];
+    resources: {
+        path: string;
+        service: string;
+        space: string;
+        actions: string[];
+    }[];
     expiry: Date;
     delegation: string;
     cid: string;
@@ -4237,4 +4381,4 @@ interface NodeInfo {
 }
 declare function checkNodeInfo(host: string, sdkProtocol: number, fetchFn?: typeof globalThis.fetch): Promise<NodeInfo>;
 
-export { AutoApproveSpaceCreationHandler, type AutoRejectStrategy, type AutoSignStrategy, type Bytes, type CallbackStrategy, type CapabilityEntry, CapabilityKeyRegistry, type CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, type ClientSession, ClientSessionSchema, type CreateDelegationFunction, type CreateDelegationParams, type CreateDelegationWasmParams, type CreateDelegationWasmResult, DEFAULT_DEFAULTS, DEFAULT_EXPIRY, type Delegation, type DelegationApiResponse, type DelegationChain, type DelegationChainV2, type DelegationDirection, type DelegationError, type DelegationErrorCode, DelegationErrorCodes, type DelegationFilters, DelegationManager, type DelegationManagerConfig, type DelegationRecord, type Result as DelegationResult, type EncodedShareData, type EnsData, EnsDataSchema, type EventEmitterStrategy, type Extension, type GenerateShareParams, type ICapabilityKeyRegistry, type IENSResolver, type INotificationHandler, type ISessionManager, type ISessionStorage, type ISharingService, type ISigner, type ISpace, type ISpaceCreationHandler, type ISpaceScopedDelegations, type ISpaceScopedSharing, type ISpaceService, type IUserAuthorization, type IWasmBindings, type IngestOptions, type JWK, type KeyInfo, type KeyProvider, type KeyType, type Manifest, type ManifestDefaults, type ManifestDelegation, ManifestValidationError, type NodeInfo, type ParseRecapFromSiwe, type PartialSiweMessage, type PermissionEntry, PermissionNotInManifestError, type PersistedSessionData, type PersistedTinyCloudSession, ProtocolMismatchError, type ReceiveOptions, type ResolvedCapabilities, type ResolvedDelegate, type ResourceCapability, SERVICE_LONG_TO_SHORT, SERVICE_SHORT_TO_LONG, type ServerHost, SessionExpiredError, type ShareAccess, type ShareLink, type ShareLinkData, type ShareSchema, SharingService, type SharingServiceConfig, type SignCallback, type SignRequest, type SignResponse, type SignStrategy, SilentNotificationHandler, type SiweConfig, SiweConfigSchema, Space, type SpaceConfig, type SpaceCreationContext, type SpaceDelegationParams, type SpaceErrorCode, SpaceErrorCodes, type SpaceHostResult, type SpaceInfo, type SpaceOwnership, SpaceService, type SpaceServiceConfig, type StoredDelegationChain, type SubsetCheckResult, TinyCloud, type TinyCloudConfig, type TinyCloudSession, UnsupportedFeatureError, type UserAuthorizationConfig, type ValidationError, VersionCheckError, type WasmRecapEntry, activateSessionWithHost, applyPrefix, buildSpaceUri, checkNodeInfo, createCapabilityKeyRegistry, createSharingService, createSpaceService, defaultSignStrategy, defaultSpaceCreationHandler, expandActionShortNames, fetchPeerId, isCapabilitySubset, loadManifest, makePublicSpaceId, normalizeDefaults, parseExpiry, parseRecapCapabilities, parseSpaceUri, resolveManifest, submitHostDelegation, validateClientSession, validateManifest, validatePersistedSessionData };
+export { type AbilitiesMap, AutoApproveSpaceCreationHandler, type AutoRejectStrategy, type AutoSignStrategy, type Bytes, type CallbackStrategy, type CapabilityEntry, CapabilityKeyRegistry, type CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, type ClientSession, ClientSessionSchema, type CreateDelegationFunction, type CreateDelegationParams, type CreateDelegationWasmParams, type CreateDelegationWasmResult, DEFAULT_DEFAULTS, DEFAULT_EXPIRY, type DelegatedResource, type Delegation, type DelegationApiResponse, type DelegationChain, type DelegationChainV2, type DelegationDirection, type DelegationError, type DelegationErrorCode, DelegationErrorCodes, type DelegationFilters, DelegationManager, type DelegationManagerConfig, type DelegationRecord, type Result as DelegationResult, type EncodedShareData, type EnsData, EnsDataSchema, type EventEmitterStrategy, type Extension, type GenerateShareParams, type ICapabilityKeyRegistry, type IENSResolver, type INotificationHandler, type ISessionManager, type ISessionStorage, type ISharingService, type ISigner, type ISpace, type ISpaceCreationHandler, type ISpaceScopedDelegations, type ISpaceScopedSharing, type ISpaceService, type IUserAuthorization, type IWasmBindings, type IngestOptions, type JWK, type KeyInfo, type KeyProvider, type KeyType, type Manifest, type ManifestDefaults, type ManifestDelegation, ManifestValidationError, type NodeInfo, type ParseRecapFromSiwe, type PartialSiweMessage, type PermissionEntry, PermissionNotInManifestError, type PersistedSessionData, type PersistedTinyCloudSession, ProtocolMismatchError, type ReceiveOptions, type ResolvedCapabilities, type ResolvedDelegate, type ResourceCapability, SERVICE_LONG_TO_SHORT, SERVICE_SHORT_TO_LONG, type ServerHost, SessionExpiredError, type ShareAccess, type ShareLink, type ShareLinkData, type ShareSchema, SharingService, type SharingServiceConfig, type SignCallback, type SignRequest, type SignResponse, type SignStrategy, SilentNotificationHandler, type SiweConfig, SiweConfigSchema, Space, type SpaceConfig, type SpaceCreationContext, type SpaceDelegationParams, type SpaceErrorCode, SpaceErrorCodes, type SpaceHostResult, type SpaceInfo, type SpaceOwnership, SpaceService, type SpaceServiceConfig, type StoredDelegationChain, type SubsetCheckResult, TinyCloud, type TinyCloudConfig, type TinyCloudSession, UnsupportedFeatureError, type UserAuthorizationConfig, type ValidationError, VersionCheckError, type WasmRecapEntry, activateSessionWithHost, applyPrefix, buildSpaceUri, checkNodeInfo, createCapabilityKeyRegistry, createSharingService, createSpaceService, defaultSignStrategy, defaultSpaceCreationHandler, expandActionShortNames, fetchPeerId, isCapabilitySubset, loadManifest, makePublicSpaceId, manifestAbilitiesUnion, normalizeDefaults, parseExpiry, parseRecapCapabilities, parseSpaceUri, resolveManifest, resourceCapabilitiesToAbilitiesMap, submitHostDelegation, validateClientSession, validateManifest, validatePersistedSessionData };

package/dist/index.d.ts

@@ -430,6 +430,63 @@ declare function normalizeDefaults(value: Manifest["defaults"] | undefined): Man
  * - Prefix inheritance applies identically to `permissions` and `delegations[*].permissions`.
  */
 declare function resolveManifest(input: Manifest): ResolvedCapabilities;
+/**
+ * The shape `prepareSession` and the multi-resource `createDelegation` WASM
+ * export both accept:
+ *
+ * ```
+ * { [shortService]: { [path]: [fullUrnAction, ...] } }
+ * ```
+ *
+ * - `shortService` is the recap-level service segment (`"kv"`, `"sql"`,
+ *   `"duckdb"`, `"capabilities"`, `"hooks"`) — not the manifest long form.
+ * - `path` is the fully-resolved path (prefix already applied). An empty
+ *   string means "no path segment" on the resource URI.
+ * - Action strings are full URNs like `"tinycloud.kv/get"`.
+ *
+ * This is a single source of truth for both the session's own recap (at
+ * sign-in) and the delegations it can derive (post sign-in). We re-use it
+ * for both so one manifest drives both sides.
+ */
+type AbilitiesMap = Record<string, Record<string, string[]>>;
+/**
+ * Convert a list of {@link ResourceCapability} entries (manifest
+ * long-form service, full-URN actions) into the {@link AbilitiesMap}
+ * shape the WASM layer expects.
+ *
+ * When multiple entries target the same `(service, path)` pair, their
+ * action lists are merged and deduped. Entries whose service has no
+ * short-form mapping in {@link SERVICE_LONG_TO_SHORT} are rejected with
+ * a {@link ManifestValidationError} — the SDK does not silently drop
+ * unknown services because the recap encoding would lose them.
+ *
+ * Paths are kept verbatim: this function does NOT collapse
+ * `"com.listen.app/"` and `"com.listen.app"` or reinterpret empty /
+ * slash strings. Callers that care about path canonicalization should
+ * normalize before calling.
+ */
+declare function resourceCapabilitiesToAbilitiesMap(resources: readonly ResourceCapability[]): AbilitiesMap;
+/**
+ * Build the {@link AbilitiesMap} that a session should be signed with,
+ * given a {@link ResolvedCapabilities} (i.e. the output of
+ * {@link resolveManifest}).
+ *
+ * The resulting map is the **union** of:
+ * 1. the app's own resources (`resolved.resources`), and
+ * 2. every permission declared in every `additionalDelegates[*]` entry.
+ *
+ * The union is what makes the manifest's delegations ergonomic: at
+ * sign-in, the session key acquires recap coverage for both the app's
+ * runtime needs and every downstream delegation target. Post sign-in,
+ * `delegateTo(backendDID, backendPermissions)` can then issue the
+ * sub-delegation via the session key (no wallet prompt) because the
+ * caps are already part of the granted set.
+ *
+ * Duplicate `(service, path, action)` triples across resources and
+ * delegations are merged and deduped — the session SIWE doesn't need
+ * them repeated.
+ */
+declare function manifestAbilitiesUnion(resolved: ResolvedCapabilities): AbilitiesMap;
 
 /**
  * Capability subset checking and recap parsing.
@@ -2190,8 +2247,51 @@ declare const DelegationApiResponseSchema: z.ZodObject<{
     cid?: string | undefined;
 }>;
 type DelegationApiResponse = z.infer<typeof DelegationApiResponseSchema>;
+/**
+ * A single (service, space, path, actions) entry inside a
+ * createDelegation WASM result.
+ *
+ * Mirrors the Rust `DelegatedResource` struct in
+ * `tinycloud-sdk-wasm/src/session.rs`. Field names match the manifest
+ * {@link PermissionEntry} shape so callers can reconstruct what they sent
+ * without having to re-parse the UCAN.
+ *
+ * `service` is the short form (e.g. `"kv"`, `"sql"`) as returned by the
+ * Rust layer. The SDK layer translates to the long form
+ * (`"tinycloud.kv"`) when comparing against manifests.
+ */
+declare const DelegatedResourceSchema: z.ZodObject<{
+    /** Short-form service name, e.g. "kv", "sql", "duckdb", "capabilities", "hooks". */
+    service: z.ZodString;
+    /** Full space id string, e.g. "tinycloud:pkh:eip155:1:0x....:default". */
+    space: z.ZodString;
+    /** Resource path; empty string when the resource URI had no path segment. */
+    path: z.ZodString;
+    /** Full-URN ability strings, e.g. ["tinycloud.kv/get", "tinycloud.kv/put"]. */
+    actions: z.ZodArray<z.ZodString, "many">;
+}, "strip", z.ZodTypeAny, {
+    path: string;
+    service: string;
+    space: string;
+    actions: string[];
+}, {
+    path: string;
+    service: string;
+    space: string;
+    actions: string[];
+}>;
+type DelegatedResource = z.infer<typeof DelegatedResourceSchema>;
 /**
  * Input parameters for the createDelegation WASM function.
+ *
+ * A single call may encode multiple `(service, path, actions)` entries
+ * via the `abilities` map — the underlying UCAN will contain one
+ * attenuation entry per `(service, path)` pair, all signed by the same
+ * session key in one blob.
+ *
+ * The `abilities` shape is identical to what `prepareSession` accepts
+ * (`Record<shortService, Record<path, actionURNs[]>>`), so manifest
+ * resolution can feed both sides from one data structure.
  */
 declare const CreateDelegationWasmParamsSchema: z.ZodObject<{
     /** The session containing delegation credentials */
@@ -2200,27 +2300,38 @@ declare const CreateDelegationWasmParamsSchema: z.ZodObject<{
     delegateDID: z.ZodString;
     /** Space ID this delegation applies to */
     spaceId: z.ZodString;
-    /** Resource path this delegation grants access to */
-    path: z.ZodString;
-    /** Actions to authorize */
-    actions: z.ZodArray<z.ZodString, "many">;
+    /**
+     * Multi-resource abilities map: short-service → path → full-URN actions.
+     * Matches the shape accepted by `prepareSession`.
+     *
+     * Example:
+     * ```
+     * {
+     *   kv: {
+     *     "com.listen.app/": ["tinycloud.kv/get", "tinycloud.kv/put"]
+     *   },
+     *   sql: {
+     *     "com.listen.app/data.sqlite": ["tinycloud.sql/read"]
+     *   }
+     * }
+     * ```
+     */
+    abilities: z.ZodRecord<z.ZodString, z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString, "many">>>;
     /** Expiration time in seconds since Unix epoch */
     expirationSecs: z.ZodNumber;
     /** Optional not-before time in seconds since Unix epoch */
     notBeforeSecs: z.ZodOptional<z.ZodNumber>;
 }, "strip", z.ZodTypeAny, {
-    path: string;
-    actions: string[];
     spaceId: string;
     session: ServiceSession;
     delegateDID: string;
+    abilities: Record<string, Record<string, string[]>>;
     expirationSecs: number;
     notBeforeSecs?: number | undefined;
 }, {
-    path: string;
-    actions: string[];
     spaceId: string;
     delegateDID: string;
+    abilities: Record<string, Record<string, string[]>>;
     expirationSecs: number;
     session?: unknown;
     notBeforeSecs?: number | undefined;
@@ -2228,6 +2339,11 @@ declare const CreateDelegationWasmParamsSchema: z.ZodObject<{
 type CreateDelegationWasmParams = z.infer<typeof CreateDelegationWasmParamsSchema>;
 /**
  * Result from the createDelegation WASM function.
+ *
+ * A single UCAN may cover multiple resources. The `resources` array
+ * describes every `(service, space, path, actions)` entry granted, in
+ * deterministic (service, path) lexicographic order (the Rust side sorts
+ * the HashMap entries before signing).
  */
 declare const CreateDelegationWasmResultSchema: z.ZodObject<{
     /** Base64url-encoded UCAN delegation */
@@ -2236,22 +2352,50 @@ declare const CreateDelegationWasmResultSchema: z.ZodObject<{
     cid: z.ZodString;
     /** DID of the delegate */
     delegateDID: z.ZodString;
-    /** Resource path the delegation grants access to */
-    path: z.ZodString;
-    /** Actions the delegation authorizes */
-    actions: z.ZodArray<z.ZodString, "many">;
     /** Expiration time */
     expiry: z.ZodDate;
+    /**
+     * All (service, space, path, actions) entries granted by this delegation.
+     * Always non-empty on success.
+     */
+    resources: z.ZodArray<z.ZodObject<{
+        /** Short-form service name, e.g. "kv", "sql", "duckdb", "capabilities", "hooks". */
+        service: z.ZodString;
+        /** Full space id string, e.g. "tinycloud:pkh:eip155:1:0x....:default". */
+        space: z.ZodString;
+        /** Resource path; empty string when the resource URI had no path segment. */
+        path: z.ZodString;
+        /** Full-URN ability strings, e.g. ["tinycloud.kv/get", "tinycloud.kv/put"]. */
+        actions: z.ZodArray<z.ZodString, "many">;
+    }, "strip", z.ZodTypeAny, {
+        path: string;
+        service: string;
+        space: string;
+        actions: string[];
+    }, {
+        path: string;
+        service: string;
+        space: string;
+        actions: string[];
+    }>, "many">;
 }, "strip", z.ZodTypeAny, {
-    path: string;
-    actions: string[];
+    resources: {
+        path: string;
+        service: string;
+        space: string;
+        actions: string[];
+    }[];
     expiry: Date;
     delegation: string;
     cid: string;
     delegateDID: string;
 }, {
-    path: string;
-    actions: string[];
+    resources: {
+        path: string;
+        service: string;
+        space: string;
+        actions: string[];
+    }[];
     expiry: Date;
     delegation: string;
     cid: string;
@@ -4237,4 +4381,4 @@ interface NodeInfo {
 }
 declare function checkNodeInfo(host: string, sdkProtocol: number, fetchFn?: typeof globalThis.fetch): Promise<NodeInfo>;
 
-export { AutoApproveSpaceCreationHandler, type AutoRejectStrategy, type AutoSignStrategy, type Bytes, type CallbackStrategy, type CapabilityEntry, CapabilityKeyRegistry, type CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, type ClientSession, ClientSessionSchema, type CreateDelegationFunction, type CreateDelegationParams, type CreateDelegationWasmParams, type CreateDelegationWasmResult, DEFAULT_DEFAULTS, DEFAULT_EXPIRY, type Delegation, type DelegationApiResponse, type DelegationChain, type DelegationChainV2, type DelegationDirection, type DelegationError, type DelegationErrorCode, DelegationErrorCodes, type DelegationFilters, DelegationManager, type DelegationManagerConfig, type DelegationRecord, type Result as DelegationResult, type EncodedShareData, type EnsData, EnsDataSchema, type EventEmitterStrategy, type Extension, type GenerateShareParams, type ICapabilityKeyRegistry, type IENSResolver, type INotificationHandler, type ISessionManager, type ISessionStorage, type ISharingService, type ISigner, type ISpace, type ISpaceCreationHandler, type ISpaceScopedDelegations, type ISpaceScopedSharing, type ISpaceService, type IUserAuthorization, type IWasmBindings, type IngestOptions, type JWK, type KeyInfo, type KeyProvider, type KeyType, type Manifest, type ManifestDefaults, type ManifestDelegation, ManifestValidationError, type NodeInfo, type ParseRecapFromSiwe, type PartialSiweMessage, type PermissionEntry, PermissionNotInManifestError, type PersistedSessionData, type PersistedTinyCloudSession, ProtocolMismatchError, type ReceiveOptions, type ResolvedCapabilities, type ResolvedDelegate, type ResourceCapability, SERVICE_LONG_TO_SHORT, SERVICE_SHORT_TO_LONG, type ServerHost, SessionExpiredError, type ShareAccess, type ShareLink, type ShareLinkData, type ShareSchema, SharingService, type SharingServiceConfig, type SignCallback, type SignRequest, type SignResponse, type SignStrategy, SilentNotificationHandler, type SiweConfig, SiweConfigSchema, Space, type SpaceConfig, type SpaceCreationContext, type SpaceDelegationParams, type SpaceErrorCode, SpaceErrorCodes, type SpaceHostResult, type SpaceInfo, type SpaceOwnership, SpaceService, type SpaceServiceConfig, type StoredDelegationChain, type SubsetCheckResult, TinyCloud, type TinyCloudConfig, type TinyCloudSession, UnsupportedFeatureError, type UserAuthorizationConfig, type ValidationError, VersionCheckError, type WasmRecapEntry, activateSessionWithHost, applyPrefix, buildSpaceUri, checkNodeInfo, createCapabilityKeyRegistry, createSharingService, createSpaceService, defaultSignStrategy, defaultSpaceCreationHandler, expandActionShortNames, fetchPeerId, isCapabilitySubset, loadManifest, makePublicSpaceId, normalizeDefaults, parseExpiry, parseRecapCapabilities, parseSpaceUri, resolveManifest, submitHostDelegation, validateClientSession, validateManifest, validatePersistedSessionData };
+export { type AbilitiesMap, AutoApproveSpaceCreationHandler, type AutoRejectStrategy, type AutoSignStrategy, type Bytes, type CallbackStrategy, type CapabilityEntry, CapabilityKeyRegistry, type CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, type ClientSession, ClientSessionSchema, type CreateDelegationFunction, type CreateDelegationParams, type CreateDelegationWasmParams, type CreateDelegationWasmResult, DEFAULT_DEFAULTS, DEFAULT_EXPIRY, type DelegatedResource, type Delegation, type DelegationApiResponse, type DelegationChain, type DelegationChainV2, type DelegationDirection, type DelegationError, type DelegationErrorCode, DelegationErrorCodes, type DelegationFilters, DelegationManager, type DelegationManagerConfig, type DelegationRecord, type Result as DelegationResult, type EncodedShareData, type EnsData, EnsDataSchema, type EventEmitterStrategy, type Extension, type GenerateShareParams, type ICapabilityKeyRegistry, type IENSResolver, type INotificationHandler, type ISessionManager, type ISessionStorage, type ISharingService, type ISigner, type ISpace, type ISpaceCreationHandler, type ISpaceScopedDelegations, type ISpaceScopedSharing, type ISpaceService, type IUserAuthorization, type IWasmBindings, type IngestOptions, type JWK, type KeyInfo, type KeyProvider, type KeyType, type Manifest, type ManifestDefaults, type ManifestDelegation, ManifestValidationError, type NodeInfo, type ParseRecapFromSiwe, type PartialSiweMessage, type PermissionEntry, PermissionNotInManifestError, type PersistedSessionData, type PersistedTinyCloudSession, ProtocolMismatchError, type ReceiveOptions, type ResolvedCapabilities, type ResolvedDelegate, type ResourceCapability, SERVICE_LONG_TO_SHORT, SERVICE_SHORT_TO_LONG, type ServerHost, SessionExpiredError, type ShareAccess, type ShareLink, type ShareLinkData, type ShareSchema, SharingService, type SharingServiceConfig, type SignCallback, type SignRequest, type SignResponse, type SignStrategy, SilentNotificationHandler, type SiweConfig, SiweConfigSchema, Space, type SpaceConfig, type SpaceCreationContext, type SpaceDelegationParams, type SpaceErrorCode, SpaceErrorCodes, type SpaceHostResult, type SpaceInfo, type SpaceOwnership, SpaceService, type SpaceServiceConfig, type StoredDelegationChain, type SubsetCheckResult, TinyCloud, type TinyCloudConfig, type TinyCloudSession, UnsupportedFeatureError, type UserAuthorizationConfig, type ValidationError, VersionCheckError, type WasmRecapEntry, activateSessionWithHost, applyPrefix, buildSpaceUri, checkNodeInfo, createCapabilityKeyRegistry, createSharingService, createSpaceService, defaultSignStrategy, defaultSpaceCreationHandler, expandActionShortNames, fetchPeerId, isCapabilitySubset, loadManifest, makePublicSpaceId, manifestAbilitiesUnion, normalizeDefaults, parseExpiry, parseRecapCapabilities, parseSpaceUri, resolveManifest, resourceCapabilitiesToAbilitiesMap, submitHostDelegation, validateClientSession, validateManifest, validatePersistedSessionData };