npm - @tinycloud/sdk-core - Versions diffs - 2.2.0-beta.4 → 2.2.0-beta.7 - Mend

@tinycloud/sdk-core 2.2.0-beta.4 → 2.2.0-beta.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.cts CHANGED Viewed

@@ -1,6 +1,6 @@
 import { z } from 'zod';
 import { InvokeFunction, InvokeAnyFunction, ServiceError, Result as Result$1, ServiceSession, FetchFunction, ServiceConstructor, RetryPolicy, IServiceContext, IService, IKVService, ISQLService, IDuckDbService, IHooksService, IDataVaultService } from '@tinycloud/sdk-services';
-export { BatchOptions, BatchResponse, ColumnInfo, DataVaultConfig, DataVaultService, DatabaseHandle, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ErrorCode, ErrorCodes, ExecuteOptions, ExecuteResponse, FetchFunction, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IHooksService, IKVService, IPrefixedKVService, ISQLService, IService, IServiceContext, InvokeAnyEntry, InvokeAnyFunction, InvokeFunction, KVDeleteOptions, KVGetOptions, KVHeadOptions, KVListOptions, KVListResponse, KVPutOptions, KVResponse, KVResponseHeaders, KVService, KVServiceConfig, PrefixedKVService, QueryOptions, QueryResponse, Result, RetryPolicy, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, ServiceContext, ServiceContextConfig, ServiceError, ServiceSession, SqlStatement, SqlValue, SubscribeOptions, TableInfo, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, ViewInfo, WasmVaultFunctions, createVaultCrypto, defaultRetryPolicy, err, ok, serviceError } from '@tinycloud/sdk-services';
+export { BatchOptions, BatchResponse, ColumnInfo, DataVaultConfig, DataVaultService, DatabaseHandle, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ErrorCode, ErrorCodes, ExecuteOptions, ExecuteResponse, FetchFunction, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IHooksService, IKVService, IPrefixedKVService, ISQLService, ISecretsService, IService, IServiceContext, InvokeAnyEntry, InvokeAnyFunction, InvokeFunction, KVDeleteOptions, KVGetOptions, KVHeadOptions, KVListOptions, KVListResponse, KVPutOptions, KVResponse, KVResponseHeaders, KVService, KVServiceConfig, PrefixedKVService, QueryOptions, QueryResponse, Result, RetryPolicy, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceError, ServiceSession, SqlStatement, SqlValue, SubscribeOptions, TableInfo, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, ViewInfo, WasmVaultFunctions, createVaultCrypto, defaultRetryPolicy, err, ok, serviceError } from '@tinycloud/sdk-services';
 export { SiweMessage } from 'siwe';
 /**
@@ -229,12 +229,17 @@ interface PermissionEntry {
     /** User/agent-facing context for why this permission is requested. */
     description?: string;
 }
+type ManifestSecretActions = true | string | string[] | {
+    actions?: string | string[];
+    expiry?: string;
+    description?: string;
+};
 /**
  * The valid values for `Manifest.defaults`.
  *
  * - `false` → no auto-included permissions
  * - `true` → standard tier (KV + SQL read/write + capabilities:read)
- * - `"admin"` → standard + SQL ddl + capabilities:admin
+ * - `"admin"` → standard + SQL ddl
  * - `"all"` → everything the SDK supports (including DuckDB)
  *
  * Unknown string values silently fall back to `true`. Values are normalized
@@ -281,6 +286,11 @@ interface Manifest {
      * DuckDB (opt-in), or `skipPrefix: true` entries.
      */
     permissions?: PermissionEntry[];
+    /**
+     * Secret name shorthand. Entries resolve to encrypted vault KV resources in
+     * the `secrets` space.
+     */
+    secrets?: Record<string, ManifestSecretActions>;
 }
 /**
  * A resolved permission entry with fully-expanded paths and action URNs.
@@ -2033,15 +2043,15 @@ declare const SpaceInfoSchema: z.ZodObject<{
     type: "owned" | "delegated";
     id: string;
     owner: string;
-    expiresAt?: Date | undefined;
     name?: string | undefined;
+    expiresAt?: Date | undefined;
     permissions?: string[] | undefined;
 }, {
     type: "owned" | "delegated";
     id: string;
     owner: string;
-    expiresAt?: Date | undefined;
     name?: string | undefined;
+    expiresAt?: Date | undefined;
     permissions?: string[] | undefined;
 }>;
 type SpaceInfo = z.infer<typeof SpaceInfoSchema>;
@@ -2318,14 +2328,14 @@ declare const DelegatedResourceSchema: z.ZodObject<{
     actions: z.ZodArray<z.ZodString, "many">;
 }, "strip", z.ZodTypeAny, {
     path: string;
-    service: string;
-    space: string;
     actions: string[];
+    space: string;
+    service: string;
 }, {
     path: string;
-    service: string;
-    space: string;
     actions: string[];
+    space: string;
+    service: string;
 }>;
 type DelegatedResource = z.infer<typeof DelegatedResourceSchema>;
 /**
@@ -2416,21 +2426,21 @@ declare const CreateDelegationWasmResultSchema: z.ZodObject<{
         actions: z.ZodArray<z.ZodString, "many">;
     }, "strip", z.ZodTypeAny, {
         path: string;
-        service: string;
-        space: string;
         actions: string[];
+        space: string;
+        service: string;
     }, {
         path: string;
-        service: string;
-        space: string;
         actions: string[];
+        space: string;
+        service: string;
     }>, "many">;
 }, "strip", z.ZodTypeAny, {
     resources: {
         path: string;
-        service: string;
-        space: string;
         actions: string[];
+        space: string;
+        service: string;
     }[];
     expiry: Date;
     delegation: string;
@@ -2439,9 +2449,9 @@ declare const CreateDelegationWasmResultSchema: z.ZodObject<{
 }, {
     resources: {
         path: string;
-        service: string;
-        space: string;
         actions: string[];
+        space: string;
+        service: string;
     }[];
     expiry: Date;
     delegation: string;
@@ -4013,6 +4023,10 @@ interface ISpace {
      * KV operations scoped to this space.
      */
     readonly kv: IKVService;
+    /**
+     * Data Vault operations scoped to this space.
+     */
+    readonly vault: IDataVaultService;
     /**
      * Delegation operations scoped to this space.
      */
@@ -4042,6 +4056,10 @@ interface SpaceConfig {
      * Factory function to create a space-scoped KV service.
      */
     createKV: (spaceId: string) => IKVService;
+    /**
+     * Factory function to create a space-scoped Data Vault service.
+     */
+    createVault: (spaceId: string) => IDataVaultService;
     /**
      * Factory function to create space-scoped delegations.
      */
@@ -4081,6 +4099,7 @@ declare class Space implements ISpace {
     private readonly _id;
     private readonly _name;
     private readonly _kv;
+    private readonly _vault;
     private readonly _delegations;
     private readonly _sharing;
     private readonly _getInfo;
@@ -4102,6 +4121,10 @@ declare class Space implements ISpace {
      * KV operations scoped to this space.
      */
     get kv(): IKVService;
+    /**
+     * Data Vault operations scoped to this space.
+     */
+    get vault(): IDataVaultService;
     /**
      * Delegation operations scoped to this space.
      */
@@ -4177,6 +4200,8 @@ interface SpaceServiceConfig {
     capabilityRegistry?: ICapabilityKeyRegistry;
     /** Factory function to create a space-scoped KV service */
     createKVService?: (spaceId: string) => IKVService;
+    /** Factory function to create a space-scoped Data Vault service */
+    createVaultService?: (spaceId: string) => IDataVaultService;
     /** User's PKH DID (derived from address or provided explicitly) */
     userDid?: string;
     /** Optional SharingService for v2 sharing links (client-side) */
@@ -4303,6 +4328,7 @@ declare class SpaceService implements ISpaceService {
     private fetchFn;
     private capabilityRegistry?;
     private createKVServiceFn?;
+    private createVaultServiceFn?;
     private _userDid?;
     private sharingService?;
     private createDelegationFn?;
@@ -4385,6 +4411,10 @@ declare class SpaceService implements ISpaceService {
      * Create a space-scoped KV service.
      */
     private createSpaceScopedKV;
+    /**
+     * Create a space-scoped Data Vault service.
+     */
+    private createSpaceScopedVault;
     /**
      * Create space-scoped delegation operations.
      */
@@ -4536,4 +4566,4 @@ declare function resolveTinyCloudHosts(subject: string, options?: ResolveTinyClo
 declare function multiaddrToHttpUrl(input: string): string;
 declare function httpUrlToMultiaddr(input: string): string;
-export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, type AbilitiesMap, AutoApproveSpaceCreationHandler, type AutoRejectStrategy, type AutoSignStrategy, type Bytes, type CallbackStrategy, type CapabilityEntry, CapabilityKeyRegistry, type CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, type ClientSession, ClientSessionSchema, CloudLocationResolutionError, type ComposeManifestOptions, type ComposedManifestRequest, type CreateDelegationFunction, type CreateDelegationParams, type CreateDelegationWasmParams, type CreateDelegationWasmResult, DEFAULT_DEFAULTS, DEFAULT_EXPIRY, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_TINYCLOUD_FALLBACK_HOST, DEFAULT_TINYCLOUD_LOCATION_REGISTRY_URL, type DelegatedResource, type Delegation, type DelegationApiResponse, type DelegationChain, type DelegationChainV2, type DelegationDirection, type DelegationError, type DelegationErrorCode, DelegationErrorCodes, type DelegationFilters, DelegationManager, type DelegationManagerConfig, type DelegationRecord, type Result as DelegationResult, type EncodedShareData, type EnsData, EnsDataSchema, type EventEmitterStrategy, type Extension, type GenerateShareParams, type ICapabilityKeyRegistry, type IENSResolver, type INotificationHandler, type ISessionManager, type ISessionStorage, type ISharingService, type ISigner, type ISpace, type ISpaceCreationHandler, type ISpaceScopedDelegations, type ISpaceScopedSharing, type ISpaceService, type IUserAuthorization, type IWasmBindings, type IngestOptions, type JWK, type KeyInfo, type KeyProvider, type KeyType, type LocationCandidate, type LocationCandidateInput, type LocationRecord, type LocationRecordPayload, type LocationRecordSigner, LocationRecordValidationError, type LocationResolutionAttempt, type LocationSource, type Manifest, type ManifestDefaults, type ManifestRegistryRecord, ManifestValidationError, type NodeInfo, type ParseRecapFromSiwe, type PartialSiweMessage, type PermissionEntry, PermissionNotInManifestError, type PersistedSessionData, type PersistedTinyCloudSession, ProtocolMismatchError, type ReceiveOptions, type ResolveCloudLocationOptions, type ResolveTinyCloudHostsOptions, type ResolvedCapabilities, type ResolvedCloudLocation, type ResolvedDelegate, type ResolvedTinyCloudHosts, type ResourceCapability, SERVICE_LONG_TO_SHORT, SERVICE_SHORT_TO_LONG, type ServerHost, SessionExpiredError, type ShareAccess, type ShareLink, type ShareLinkData, type ShareSchema, SharingService, type SharingServiceConfig, type SignCallback, type SignInOptions, type SignRequest, type SignResponse, type SignStrategy, SilentNotificationHandler, type SiweConfig, SiweConfigSchema, Space, type SpaceAbilitiesMap, type SpaceConfig, type SpaceCreationContext, type SpaceDelegationParams, type SpaceErrorCode, SpaceErrorCodes, type SpaceHostResult, type SpaceInfo, type SpaceOwnership, SpaceService, type SpaceServiceConfig, type StoredDelegationChain, type SubsetCheckResult, TinyCloud, type TinyCloudConfig, type TinyCloudSession, UnsupportedFeatureError, type UserAuthorizationConfig, type ValidationError, VersionCheckError, type WasmRecapEntry, activateSessionWithHost, applyPrefix, buildSpaceUri, canonicalLocationPayload, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, defaultSignStrategy, defaultSpaceCreationHandler, expandActionShortNames, fetchLocationRecord, fetchPeerId, httpUrlToMultiaddr, isCapabilitySubset, loadManifest, locationPayloadForRecord, makePublicSpaceId, manifestAbilitiesUnion, multiaddrToHttpUrl, normalizeDefaults, parseExpiry, parseRecapCapabilities, parseSpaceUri, resolveCloudLocation, resolveManifest, resolveTinyCloudHosts, resourceCapabilitiesToAbilitiesMap, resourceCapabilitiesToSpaceAbilitiesMap, signLocationRecord, submitHostDelegation, validateClientSession, validateLocationRecord, validateLocationRecordPayload, validateManifest, validatePersistedSessionData, verifyLocationRecord };
+export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, type AbilitiesMap, AutoApproveSpaceCreationHandler, type AutoRejectStrategy, type AutoSignStrategy, type Bytes, type CallbackStrategy, type CapabilityEntry, CapabilityKeyRegistry, type CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, type ClientSession, ClientSessionSchema, CloudLocationResolutionError, type ComposeManifestOptions, type ComposedManifestRequest, type CreateDelegationFunction, type CreateDelegationParams, type CreateDelegationWasmParams, type CreateDelegationWasmResult, DEFAULT_DEFAULTS, DEFAULT_EXPIRY, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_TINYCLOUD_FALLBACK_HOST, DEFAULT_TINYCLOUD_LOCATION_REGISTRY_URL, type DelegatedResource, type Delegation, type DelegationApiResponse, type DelegationChain, type DelegationChainV2, type DelegationDirection, type DelegationError, type DelegationErrorCode, DelegationErrorCodes, type DelegationFilters, DelegationManager, type DelegationManagerConfig, type DelegationRecord, type Result as DelegationResult, type EncodedShareData, type EnsData, EnsDataSchema, type EventEmitterStrategy, type Extension, type GenerateShareParams, type ICapabilityKeyRegistry, type IENSResolver, type INotificationHandler, type ISessionManager, type ISessionStorage, type ISharingService, type ISigner, type ISpace, type ISpaceCreationHandler, type ISpaceScopedDelegations, type ISpaceScopedSharing, type ISpaceService, type IUserAuthorization, type IWasmBindings, type IngestOptions, type JWK, type KeyInfo, type KeyProvider, type KeyType, type LocationCandidate, type LocationCandidateInput, type LocationRecord, type LocationRecordPayload, type LocationRecordSigner, LocationRecordValidationError, type LocationResolutionAttempt, type LocationSource, type Manifest, type ManifestDefaults, type ManifestRegistryRecord, type ManifestSecretActions, ManifestValidationError, type NodeInfo, type ParseRecapFromSiwe, type PartialSiweMessage, type PermissionEntry, PermissionNotInManifestError, type PersistedSessionData, type PersistedTinyCloudSession, ProtocolMismatchError, type ReceiveOptions, type ResolveCloudLocationOptions, type ResolveTinyCloudHostsOptions, type ResolvedCapabilities, type ResolvedCloudLocation, type ResolvedDelegate, type ResolvedTinyCloudHosts, type ResourceCapability, SERVICE_LONG_TO_SHORT, SERVICE_SHORT_TO_LONG, type ServerHost, SessionExpiredError, type ShareAccess, type ShareLink, type ShareLinkData, type ShareSchema, SharingService, type SharingServiceConfig, type SignCallback, type SignInOptions, type SignRequest, type SignResponse, type SignStrategy, SilentNotificationHandler, type SiweConfig, SiweConfigSchema, Space, type SpaceAbilitiesMap, type SpaceConfig, type SpaceCreationContext, type SpaceDelegationParams, type SpaceErrorCode, SpaceErrorCodes, type SpaceHostResult, type SpaceInfo, type SpaceOwnership, SpaceService, type SpaceServiceConfig, type StoredDelegationChain, type SubsetCheckResult, TinyCloud, type TinyCloudConfig, type TinyCloudSession, UnsupportedFeatureError, type UserAuthorizationConfig, type ValidationError, VersionCheckError, type WasmRecapEntry, activateSessionWithHost, applyPrefix, buildSpaceUri, canonicalLocationPayload, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, defaultSignStrategy, defaultSpaceCreationHandler, expandActionShortNames, fetchLocationRecord, fetchPeerId, httpUrlToMultiaddr, isCapabilitySubset, loadManifest, locationPayloadForRecord, makePublicSpaceId, manifestAbilitiesUnion, multiaddrToHttpUrl, normalizeDefaults, parseExpiry, parseRecapCapabilities, parseSpaceUri, resolveCloudLocation, resolveManifest, resolveTinyCloudHosts, resourceCapabilitiesToAbilitiesMap, resourceCapabilitiesToSpaceAbilitiesMap, signLocationRecord, submitHostDelegation, validateClientSession, validateLocationRecord, validateLocationRecordPayload, validateManifest, validatePersistedSessionData, verifyLocationRecord };

package/dist/index.d.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import { z } from 'zod';
 import { InvokeFunction, InvokeAnyFunction, ServiceError, Result as Result$1, ServiceSession, FetchFunction, ServiceConstructor, RetryPolicy, IServiceContext, IService, IKVService, ISQLService, IDuckDbService, IHooksService, IDataVaultService } from '@tinycloud/sdk-services';
-export { BatchOptions, BatchResponse, ColumnInfo, DataVaultConfig, DataVaultService, DatabaseHandle, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ErrorCode, ErrorCodes, ExecuteOptions, ExecuteResponse, FetchFunction, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IHooksService, IKVService, IPrefixedKVService, ISQLService, IService, IServiceContext, InvokeAnyEntry, InvokeAnyFunction, InvokeFunction, KVDeleteOptions, KVGetOptions, KVHeadOptions, KVListOptions, KVListResponse, KVPutOptions, KVResponse, KVResponseHeaders, KVService, KVServiceConfig, PrefixedKVService, QueryOptions, QueryResponse, Result, RetryPolicy, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, ServiceContext, ServiceContextConfig, ServiceError, ServiceSession, SqlStatement, SqlValue, SubscribeOptions, TableInfo, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, ViewInfo, WasmVaultFunctions, createVaultCrypto, defaultRetryPolicy, err, ok, serviceError } from '@tinycloud/sdk-services';
+export { BatchOptions, BatchResponse, ColumnInfo, DataVaultConfig, DataVaultService, DatabaseHandle, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ErrorCode, ErrorCodes, ExecuteOptions, ExecuteResponse, FetchFunction, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IHooksService, IKVService, IPrefixedKVService, ISQLService, ISecretsService, IService, IServiceContext, InvokeAnyEntry, InvokeAnyFunction, InvokeFunction, KVDeleteOptions, KVGetOptions, KVHeadOptions, KVListOptions, KVListResponse, KVPutOptions, KVResponse, KVResponseHeaders, KVService, KVServiceConfig, PrefixedKVService, QueryOptions, QueryResponse, Result, RetryPolicy, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceError, ServiceSession, SqlStatement, SqlValue, SubscribeOptions, TableInfo, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, ViewInfo, WasmVaultFunctions, createVaultCrypto, defaultRetryPolicy, err, ok, serviceError } from '@tinycloud/sdk-services';
 export { SiweMessage } from 'siwe';
 /**
@@ -229,12 +229,17 @@ interface PermissionEntry {
     /** User/agent-facing context for why this permission is requested. */
     description?: string;
 }
+type ManifestSecretActions = true | string | string[] | {
+    actions?: string | string[];
+    expiry?: string;
+    description?: string;
+};
 /**
  * The valid values for `Manifest.defaults`.
  *
  * - `false` → no auto-included permissions
  * - `true` → standard tier (KV + SQL read/write + capabilities:read)
- * - `"admin"` → standard + SQL ddl + capabilities:admin
+ * - `"admin"` → standard + SQL ddl
  * - `"all"` → everything the SDK supports (including DuckDB)
  *
  * Unknown string values silently fall back to `true`. Values are normalized
@@ -281,6 +286,11 @@ interface Manifest {
      * DuckDB (opt-in), or `skipPrefix: true` entries.
      */
     permissions?: PermissionEntry[];
+    /**
+     * Secret name shorthand. Entries resolve to encrypted vault KV resources in
+     * the `secrets` space.
+     */
+    secrets?: Record<string, ManifestSecretActions>;
 }
 /**
  * A resolved permission entry with fully-expanded paths and action URNs.
@@ -2033,15 +2043,15 @@ declare const SpaceInfoSchema: z.ZodObject<{
     type: "owned" | "delegated";
     id: string;
     owner: string;
-    expiresAt?: Date | undefined;
     name?: string | undefined;
+    expiresAt?: Date | undefined;
     permissions?: string[] | undefined;
 }, {
     type: "owned" | "delegated";
     id: string;
     owner: string;
-    expiresAt?: Date | undefined;
     name?: string | undefined;
+    expiresAt?: Date | undefined;
     permissions?: string[] | undefined;
 }>;
 type SpaceInfo = z.infer<typeof SpaceInfoSchema>;
@@ -2318,14 +2328,14 @@ declare const DelegatedResourceSchema: z.ZodObject<{
     actions: z.ZodArray<z.ZodString, "many">;
 }, "strip", z.ZodTypeAny, {
     path: string;
-    service: string;
-    space: string;
     actions: string[];
+    space: string;
+    service: string;
 }, {
     path: string;
-    service: string;
-    space: string;
     actions: string[];
+    space: string;
+    service: string;
 }>;
 type DelegatedResource = z.infer<typeof DelegatedResourceSchema>;
 /**
@@ -2416,21 +2426,21 @@ declare const CreateDelegationWasmResultSchema: z.ZodObject<{
         actions: z.ZodArray<z.ZodString, "many">;
     }, "strip", z.ZodTypeAny, {
         path: string;
-        service: string;
-        space: string;
         actions: string[];
+        space: string;
+        service: string;
     }, {
         path: string;
-        service: string;
-        space: string;
         actions: string[];
+        space: string;
+        service: string;
     }>, "many">;
 }, "strip", z.ZodTypeAny, {
     resources: {
         path: string;
-        service: string;
-        space: string;
         actions: string[];
+        space: string;
+        service: string;
     }[];
     expiry: Date;
     delegation: string;
@@ -2439,9 +2449,9 @@ declare const CreateDelegationWasmResultSchema: z.ZodObject<{
 }, {
     resources: {
         path: string;
-        service: string;
-        space: string;
         actions: string[];
+        space: string;
+        service: string;
     }[];
     expiry: Date;
     delegation: string;
@@ -4013,6 +4023,10 @@ interface ISpace {
      * KV operations scoped to this space.
      */
     readonly kv: IKVService;
+    /**
+     * Data Vault operations scoped to this space.
+     */
+    readonly vault: IDataVaultService;
     /**
      * Delegation operations scoped to this space.
      */
@@ -4042,6 +4056,10 @@ interface SpaceConfig {
      * Factory function to create a space-scoped KV service.
      */
     createKV: (spaceId: string) => IKVService;
+    /**
+     * Factory function to create a space-scoped Data Vault service.
+     */
+    createVault: (spaceId: string) => IDataVaultService;
     /**
      * Factory function to create space-scoped delegations.
      */
@@ -4081,6 +4099,7 @@ declare class Space implements ISpace {
     private readonly _id;
     private readonly _name;
     private readonly _kv;
+    private readonly _vault;
     private readonly _delegations;
     private readonly _sharing;
     private readonly _getInfo;
@@ -4102,6 +4121,10 @@ declare class Space implements ISpace {
      * KV operations scoped to this space.
      */
     get kv(): IKVService;
+    /**
+     * Data Vault operations scoped to this space.
+     */
+    get vault(): IDataVaultService;
     /**
      * Delegation operations scoped to this space.
      */
@@ -4177,6 +4200,8 @@ interface SpaceServiceConfig {
     capabilityRegistry?: ICapabilityKeyRegistry;
     /** Factory function to create a space-scoped KV service */
     createKVService?: (spaceId: string) => IKVService;
+    /** Factory function to create a space-scoped Data Vault service */
+    createVaultService?: (spaceId: string) => IDataVaultService;
     /** User's PKH DID (derived from address or provided explicitly) */
     userDid?: string;
     /** Optional SharingService for v2 sharing links (client-side) */
@@ -4303,6 +4328,7 @@ declare class SpaceService implements ISpaceService {
     private fetchFn;
     private capabilityRegistry?;
     private createKVServiceFn?;
+    private createVaultServiceFn?;
     private _userDid?;
     private sharingService?;
     private createDelegationFn?;
@@ -4385,6 +4411,10 @@ declare class SpaceService implements ISpaceService {
      * Create a space-scoped KV service.
      */
     private createSpaceScopedKV;
+    /**
+     * Create a space-scoped Data Vault service.
+     */
+    private createSpaceScopedVault;
     /**
      * Create space-scoped delegation operations.
      */
@@ -4536,4 +4566,4 @@ declare function resolveTinyCloudHosts(subject: string, options?: ResolveTinyClo
 declare function multiaddrToHttpUrl(input: string): string;
 declare function httpUrlToMultiaddr(input: string): string;
-export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, type AbilitiesMap, AutoApproveSpaceCreationHandler, type AutoRejectStrategy, type AutoSignStrategy, type Bytes, type CallbackStrategy, type CapabilityEntry, CapabilityKeyRegistry, type CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, type ClientSession, ClientSessionSchema, CloudLocationResolutionError, type ComposeManifestOptions, type ComposedManifestRequest, type CreateDelegationFunction, type CreateDelegationParams, type CreateDelegationWasmParams, type CreateDelegationWasmResult, DEFAULT_DEFAULTS, DEFAULT_EXPIRY, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_TINYCLOUD_FALLBACK_HOST, DEFAULT_TINYCLOUD_LOCATION_REGISTRY_URL, type DelegatedResource, type Delegation, type DelegationApiResponse, type DelegationChain, type DelegationChainV2, type DelegationDirection, type DelegationError, type DelegationErrorCode, DelegationErrorCodes, type DelegationFilters, DelegationManager, type DelegationManagerConfig, type DelegationRecord, type Result as DelegationResult, type EncodedShareData, type EnsData, EnsDataSchema, type EventEmitterStrategy, type Extension, type GenerateShareParams, type ICapabilityKeyRegistry, type IENSResolver, type INotificationHandler, type ISessionManager, type ISessionStorage, type ISharingService, type ISigner, type ISpace, type ISpaceCreationHandler, type ISpaceScopedDelegations, type ISpaceScopedSharing, type ISpaceService, type IUserAuthorization, type IWasmBindings, type IngestOptions, type JWK, type KeyInfo, type KeyProvider, type KeyType, type LocationCandidate, type LocationCandidateInput, type LocationRecord, type LocationRecordPayload, type LocationRecordSigner, LocationRecordValidationError, type LocationResolutionAttempt, type LocationSource, type Manifest, type ManifestDefaults, type ManifestRegistryRecord, ManifestValidationError, type NodeInfo, type ParseRecapFromSiwe, type PartialSiweMessage, type PermissionEntry, PermissionNotInManifestError, type PersistedSessionData, type PersistedTinyCloudSession, ProtocolMismatchError, type ReceiveOptions, type ResolveCloudLocationOptions, type ResolveTinyCloudHostsOptions, type ResolvedCapabilities, type ResolvedCloudLocation, type ResolvedDelegate, type ResolvedTinyCloudHosts, type ResourceCapability, SERVICE_LONG_TO_SHORT, SERVICE_SHORT_TO_LONG, type ServerHost, SessionExpiredError, type ShareAccess, type ShareLink, type ShareLinkData, type ShareSchema, SharingService, type SharingServiceConfig, type SignCallback, type SignInOptions, type SignRequest, type SignResponse, type SignStrategy, SilentNotificationHandler, type SiweConfig, SiweConfigSchema, Space, type SpaceAbilitiesMap, type SpaceConfig, type SpaceCreationContext, type SpaceDelegationParams, type SpaceErrorCode, SpaceErrorCodes, type SpaceHostResult, type SpaceInfo, type SpaceOwnership, SpaceService, type SpaceServiceConfig, type StoredDelegationChain, type SubsetCheckResult, TinyCloud, type TinyCloudConfig, type TinyCloudSession, UnsupportedFeatureError, type UserAuthorizationConfig, type ValidationError, VersionCheckError, type WasmRecapEntry, activateSessionWithHost, applyPrefix, buildSpaceUri, canonicalLocationPayload, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, defaultSignStrategy, defaultSpaceCreationHandler, expandActionShortNames, fetchLocationRecord, fetchPeerId, httpUrlToMultiaddr, isCapabilitySubset, loadManifest, locationPayloadForRecord, makePublicSpaceId, manifestAbilitiesUnion, multiaddrToHttpUrl, normalizeDefaults, parseExpiry, parseRecapCapabilities, parseSpaceUri, resolveCloudLocation, resolveManifest, resolveTinyCloudHosts, resourceCapabilitiesToAbilitiesMap, resourceCapabilitiesToSpaceAbilitiesMap, signLocationRecord, submitHostDelegation, validateClientSession, validateLocationRecord, validateLocationRecordPayload, validateManifest, validatePersistedSessionData, verifyLocationRecord };
+export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, type AbilitiesMap, AutoApproveSpaceCreationHandler, type AutoRejectStrategy, type AutoSignStrategy, type Bytes, type CallbackStrategy, type CapabilityEntry, CapabilityKeyRegistry, type CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, type ClientSession, ClientSessionSchema, CloudLocationResolutionError, type ComposeManifestOptions, type ComposedManifestRequest, type CreateDelegationFunction, type CreateDelegationParams, type CreateDelegationWasmParams, type CreateDelegationWasmResult, DEFAULT_DEFAULTS, DEFAULT_EXPIRY, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_TINYCLOUD_FALLBACK_HOST, DEFAULT_TINYCLOUD_LOCATION_REGISTRY_URL, type DelegatedResource, type Delegation, type DelegationApiResponse, type DelegationChain, type DelegationChainV2, type DelegationDirection, type DelegationError, type DelegationErrorCode, DelegationErrorCodes, type DelegationFilters, DelegationManager, type DelegationManagerConfig, type DelegationRecord, type Result as DelegationResult, type EncodedShareData, type EnsData, EnsDataSchema, type EventEmitterStrategy, type Extension, type GenerateShareParams, type ICapabilityKeyRegistry, type IENSResolver, type INotificationHandler, type ISessionManager, type ISessionStorage, type ISharingService, type ISigner, type ISpace, type ISpaceCreationHandler, type ISpaceScopedDelegations, type ISpaceScopedSharing, type ISpaceService, type IUserAuthorization, type IWasmBindings, type IngestOptions, type JWK, type KeyInfo, type KeyProvider, type KeyType, type LocationCandidate, type LocationCandidateInput, type LocationRecord, type LocationRecordPayload, type LocationRecordSigner, LocationRecordValidationError, type LocationResolutionAttempt, type LocationSource, type Manifest, type ManifestDefaults, type ManifestRegistryRecord, type ManifestSecretActions, ManifestValidationError, type NodeInfo, type ParseRecapFromSiwe, type PartialSiweMessage, type PermissionEntry, PermissionNotInManifestError, type PersistedSessionData, type PersistedTinyCloudSession, ProtocolMismatchError, type ReceiveOptions, type ResolveCloudLocationOptions, type ResolveTinyCloudHostsOptions, type ResolvedCapabilities, type ResolvedCloudLocation, type ResolvedDelegate, type ResolvedTinyCloudHosts, type ResourceCapability, SERVICE_LONG_TO_SHORT, SERVICE_SHORT_TO_LONG, type ServerHost, SessionExpiredError, type ShareAccess, type ShareLink, type ShareLinkData, type ShareSchema, SharingService, type SharingServiceConfig, type SignCallback, type SignInOptions, type SignRequest, type SignResponse, type SignStrategy, SilentNotificationHandler, type SiweConfig, SiweConfigSchema, Space, type SpaceAbilitiesMap, type SpaceConfig, type SpaceCreationContext, type SpaceDelegationParams, type SpaceErrorCode, SpaceErrorCodes, type SpaceHostResult, type SpaceInfo, type SpaceOwnership, SpaceService, type SpaceServiceConfig, type StoredDelegationChain, type SubsetCheckResult, TinyCloud, type TinyCloudConfig, type TinyCloudSession, UnsupportedFeatureError, type UserAuthorizationConfig, type ValidationError, VersionCheckError, type WasmRecapEntry, activateSessionWithHost, applyPrefix, buildSpaceUri, canonicalLocationPayload, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, defaultSignStrategy, defaultSpaceCreationHandler, expandActionShortNames, fetchLocationRecord, fetchPeerId, httpUrlToMultiaddr, isCapabilitySubset, loadManifest, locationPayloadForRecord, makePublicSpaceId, manifestAbilitiesUnion, multiaddrToHttpUrl, normalizeDefaults, parseExpiry, parseRecapCapabilities, parseSpaceUri, resolveCloudLocation, resolveManifest, resolveTinyCloudHosts, resourceCapabilitiesToAbilitiesMap, resourceCapabilitiesToSpaceAbilitiesMap, signLocationRecord, submitHostDelegation, validateClientSession, validateLocationRecord, validateLocationRecordPayload, validateManifest, validatePersistedSessionData, verifyLocationRecord };