npm - @tinycloud/sdk-core - Versions diffs - 2.2.0-beta.7 → 2.2.0 - Mend

@tinycloud/sdk-core 2.2.0-beta.7 → 2.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.cjs CHANGED Viewed

@@ -37,34 +37,51 @@ __export(index_exports, {
   CapabilityKeyRegistryErrorCodes: () => CapabilityKeyRegistryErrorCodes,
   ClientSessionSchema: () => ClientSessionSchema,
   CloudLocationResolutionError: () => CloudLocationResolutionError,
+  DECRYPT_ACTION: () => import_sdk_services5.DECRYPT_ACTION,
+  DECRYPT_FACT_TYPE: () => import_sdk_services5.DECRYPT_FACT_TYPE,
+  DECRYPT_RESULT_TYPE: () => import_sdk_services5.DECRYPT_RESULT_TYPE,
   DEFAULT_DEFAULTS: () => DEFAULT_DEFAULTS,
+  DEFAULT_ENCRYPTION_ALG: () => import_sdk_services5.DEFAULT_ENCRYPTION_ALG,
   DEFAULT_EXPIRY: () => DEFAULT_EXPIRY,
+  DEFAULT_KEY_VERSION: () => import_sdk_services5.DEFAULT_KEY_VERSION,
   DEFAULT_MANIFEST_SPACE: () => DEFAULT_MANIFEST_SPACE,
   DEFAULT_MANIFEST_VERSION: () => DEFAULT_MANIFEST_VERSION,
+  DEFAULT_SIGNED_READ_URL_EXPIRY_MS: () => DEFAULT_SIGNED_READ_URL_EXPIRY_MS,
   DEFAULT_TINYCLOUD_FALLBACK_HOST: () => DEFAULT_TINYCLOUD_FALLBACK_HOST,
   DEFAULT_TINYCLOUD_LOCATION_REGISTRY_URL: () => DEFAULT_TINYCLOUD_LOCATION_REGISTRY_URL,
-  DataVaultService: () => import_sdk_services4.DataVaultService,
-  DatabaseHandle: () => import_sdk_services4.DatabaseHandle,
+  DataVaultService: () => import_sdk_services5.DataVaultService,
+  DatabaseHandle: () => import_sdk_services5.DatabaseHandle,
   DelegationErrorCodes: () => DelegationErrorCodes,
   DelegationManager: () => DelegationManager,
-  DuckDbAction: () => import_sdk_services4.DuckDbAction,
-  DuckDbDatabaseHandle: () => import_sdk_services4.DuckDbDatabaseHandle,
-  DuckDbService: () => import_sdk_services4.DuckDbService,
+  DuckDbAction: () => import_sdk_services5.DuckDbAction,
+  DuckDbDatabaseHandle: () => import_sdk_services5.DuckDbDatabaseHandle,
+  DuckDbService: () => import_sdk_services5.DuckDbService,
+  ENCRYPTION_MANIFEST_SPACE: () => ENCRYPTION_MANIFEST_SPACE,
+  ENCRYPTION_NETWORK_URN_PREFIX: () => import_sdk_services5.ENCRYPTION_NETWORK_URN_PREFIX,
+  ENCRYPTION_PERMISSION_SERVICE: () => ENCRYPTION_PERMISSION_SERVICE,
+  ENCRYPTION_SERVICE: () => import_sdk_services5.ENCRYPTION_SERVICE,
+  ENCRYPTION_SERVICE_SHORT: () => import_sdk_services5.ENCRYPTION_SERVICE_SHORT,
+  ENVELOPE_VERSION: () => import_sdk_services5.ENVELOPE_VERSION,
+  EXPIRY: () => EXPIRY,
+  EncryptionService: () => import_sdk_services5.EncryptionService,
   EnsDataSchema: () => EnsDataSchema,
-  ErrorCodes: () => import_sdk_services4.ErrorCodes,
-  HooksService: () => import_sdk_services4.HooksService,
-  KVService: () => import_sdk_services4.KVService,
+  ErrorCodes: () => import_sdk_services5.ErrorCodes,
+  HooksService: () => import_sdk_services5.HooksService,
+  KVService: () => import_sdk_services5.KVService,
   LocationRecordValidationError: () => LocationRecordValidationError,
   ManifestValidationError: () => ManifestValidationError,
+  NETWORK_NAME_PATTERN: () => import_sdk_services5.NETWORK_NAME_PATTERN,
+  NetworkIdError: () => import_sdk_services5.NetworkIdError,
   PermissionNotInManifestError: () => PermissionNotInManifestError,
-  PrefixedKVService: () => import_sdk_services4.PrefixedKVService,
+  PrefixedKVService: () => import_sdk_services5.PrefixedKVService,
   ProtocolMismatchError: () => ProtocolMismatchError,
+  SECRET_NAME_RE: () => import_sdk_services5.SECRET_NAME_RE,
   SERVICE_LONG_TO_SHORT: () => SERVICE_LONG_TO_SHORT,
   SERVICE_SHORT_TO_LONG: () => SERVICE_SHORT_TO_LONG,
-  SQLAction: () => import_sdk_services4.SQLAction,
-  SQLService: () => import_sdk_services4.SQLService,
-  SecretsService: () => import_sdk_services4.SecretsService,
-  ServiceContext: () => import_sdk_services4.ServiceContext,
+  SQLAction: () => import_sdk_services5.SQLAction,
+  SQLService: () => import_sdk_services5.SQLService,
+  SecretsService: () => import_sdk_services5.SecretsService,
+  ServiceContext: () => import_sdk_services5.ServiceContext,
   SessionExpiredError: () => SessionExpiredError,
   SharingService: () => SharingService,
   SilentNotificationHandler: () => SilentNotificationHandler,
@@ -75,51 +92,86 @@ __export(index_exports, {
   SpaceService: () => SpaceService,
   TinyCloud: () => TinyCloud,
   UnsupportedFeatureError: () => UnsupportedFeatureError,
-  VaultHeaders: () => import_sdk_services4.VaultHeaders,
-  VaultPublicSpaceKVActions: () => import_sdk_services4.VaultPublicSpaceKVActions,
+  VAULT_PERMISSION_SERVICE: () => VAULT_PERMISSION_SERVICE,
+  VaultHeaders: () => import_sdk_services5.VaultHeaders,
+  VaultPublicSpaceKVActions: () => import_sdk_services5.VaultPublicSpaceKVActions,
   VersionCheckError: () => VersionCheckError,
   activateSessionWithHost: () => activateSessionWithHost,
   applyPrefix: () => applyPrefix,
+  buildCanonicalDecryptRequest: () => import_sdk_services5.buildCanonicalDecryptRequest,
+  buildDecryptAttenuation: () => import_sdk_services5.buildDecryptAttenuation,
+  buildDecryptFacts: () => import_sdk_services5.buildDecryptFacts,
+  buildDecryptInvocation: () => import_sdk_services5.buildDecryptInvocation,
+  buildNetworkId: () => import_sdk_services5.buildNetworkId,
   buildSpaceUri: () => buildSpaceUri,
+  canonicalHashHex: () => import_sdk_services5.canonicalHashHex,
   canonicalLocationPayload: () => canonicalLocationPayload,
+  canonicalSignedResponse: () => import_sdk_services5.canonicalSignedResponse,
+  canonicalizeEncryptionJson: () => import_sdk_services5.canonicalizeEncryptionJson,
+  canonicalizeSecretScope: () => import_sdk_services5.canonicalizeSecretScope,
+  checkDecryptInvocationInput: () => import_sdk_services5.checkDecryptInvocationInput,
   checkNodeInfo: () => checkNodeInfo,
   composeManifestRequest: () => composeManifestRequest,
   createCapabilityKeyRegistry: () => createCapabilityKeyRegistry,
   createSharingService: () => createSharingService,
   createSpaceService: () => createSpaceService,
-  createVaultCrypto: () => import_sdk_services4.createVaultCrypto,
-  defaultRetryPolicy: () => import_sdk_services4.defaultRetryPolicy,
+  createVaultCrypto: () => import_sdk_services5.createVaultCrypto,
+  decryptEnvelopeWithKey: () => import_sdk_services5.decryptEnvelopeWithKey,
+  defaultRetryPolicy: () => import_sdk_services5.defaultRetryPolicy,
   defaultSignStrategy: () => defaultSignStrategy,
   defaultSpaceCreationHandler: () => defaultSpaceCreationHandler,
-  err: () => import_sdk_services4.err,
+  deriveSignedReceiverKey: () => import_sdk_services5.deriveSignedReceiverKey,
+  discoverNetwork: () => import_sdk_services5.discoverNetwork,
+  encryptToNetwork: () => import_sdk_services5.encryptToNetwork,
+  encryptionBase64Decode: () => import_sdk_services5.base64Decode,
+  encryptionBase64Encode: () => import_sdk_services5.base64Encode,
+  encryptionError: () => import_sdk_services5.encryptionError,
+  encryptionUtf8Decode: () => import_sdk_services5.utf8Decode,
+  encryptionUtf8Encode: () => import_sdk_services5.utf8Encode,
+  ensureNetworkUsableForDecrypt: () => import_sdk_services5.ensureNetworkUsableForDecrypt,
+  err: () => import_sdk_services5.err,
   expandActionShortNames: () => expandActionShortNames,
+  expandPermissionEntries: () => expandPermissionEntries,
+  expandPermissionEntry: () => expandPermissionEntry,
   fetchLocationRecord: () => fetchLocationRecord,
   fetchPeerId: () => fetchPeerId,
+  generateRandomReceiverKey: () => import_sdk_services5.generateRandomReceiverKey,
+  hexDecode: () => import_sdk_services5.hexDecode,
+  hexEncode: () => import_sdk_services5.hexEncode,
   httpUrlToMultiaddr: () => httpUrlToMultiaddr,
   isCapabilitySubset: () => isCapabilitySubset,
+  isNetworkId: () => import_sdk_services5.isNetworkId,
   loadManifest: () => loadManifest,
   locationPayloadForRecord: () => locationPayloadForRecord,
   makePublicSpaceId: () => makePublicSpaceId,
   manifestAbilitiesUnion: () => manifestAbilitiesUnion,
   multiaddrToHttpUrl: () => multiaddrToHttpUrl,
+  networkDiscoveryKey: () => import_sdk_services5.networkDiscoveryKey,
   normalizeDefaults: () => normalizeDefaults,
-  ok: () => import_sdk_services4.ok,
+  ok: () => import_sdk_services5.ok,
+  openWrappedKey: () => import_sdk_services5.openWrappedKey,
   parseExpiry: () => parseExpiry,
+  parseNetworkId: () => import_sdk_services5.parseNetworkId,
   parseRecapCapabilities: () => parseRecapCapabilities,
   parseSpaceUri: () => parseSpaceUri,
   resolveCloudLocation: () => resolveCloudLocation,
   resolveManifest: () => resolveManifest,
+  resolveSecretListPrefix: () => import_sdk_services5.resolveSecretListPrefix,
+  resolveSecretPath: () => import_sdk_services5.resolveSecretPath,
   resolveTinyCloudHosts: () => resolveTinyCloudHosts,
   resourceCapabilitiesToAbilitiesMap: () => resourceCapabilitiesToAbilitiesMap,
   resourceCapabilitiesToSpaceAbilitiesMap: () => resourceCapabilitiesToSpaceAbilitiesMap,
-  serviceError: () => import_sdk_services4.serviceError,
+  serviceError: () => import_sdk_services5.serviceError,
   signLocationRecord: () => signLocationRecord,
   submitHostDelegation: () => submitHostDelegation,
   validateClientSession: () => validateClientSession,
+  validateEnvelope: () => import_sdk_services5.validateEnvelope,
   validateLocationRecord: () => validateLocationRecord,
   validateLocationRecordPayload: () => validateLocationRecordPayload,
   validateManifest: () => validateManifest,
   validatePersistedSessionData: () => validatePersistedSessionData,
+  verifyDecryptResponse: () => import_sdk_services5.verifyDecryptResponse,
+  verifyDidKeyEd25519Signature: () => verifyDidKeyEd25519Signature,
   verifyLocationRecord: () => verifyLocationRecord
 });
 module.exports = __toCommonJS(index_exports);
@@ -844,6 +896,23 @@ function validateServerSpaceInfoResponse(data) {
   return { ok: true, data: result.data };
 }
+// src/expiry.ts
+var EPHEMERAL_MS = 60 * 60 * 1e3;
+var SIGNED_READ_URL_MS = 5 * 60 * 1e3;
+var SESSION_MS = 7 * 24 * 60 * 60 * 1e3;
+var SHARE_MS = 7 * 24 * 60 * 60 * 1e3;
+var APP_MS = 30 * 24 * 60 * 60 * 1e3;
+var MAX_MS = 10 * 365 * 24 * 60 * 60 * 1e3;
+var EXPIRY = {
+  EPHEMERAL_MS,
+  SIGNED_READ_URL_MS,
+  SESSION_MS,
+  SHARE_MS,
+  APP_MS,
+  MAX_MS
+};
+var DEFAULT_SIGNED_READ_URL_EXPIRY_MS = EXPIRY.SIGNED_READ_URL_MS;
 // src/spaces/SpaceService.ts
 var SERVICE_NAME = "space";
 var SpaceErrorCodes = {
@@ -920,7 +989,7 @@ function transformServerDelegations(validatedData, defaultSpaceId) {
       spaceId,
       path,
       actions,
-      expiry: info.expiry ? new Date(info.expiry) : new Date(Date.now() + 24 * 60 * 60 * 1e3),
+      expiry: info.expiry ? new Date(info.expiry) : new Date(Date.now() + EXPIRY.SHARE_MS),
       isRevoked: false,
       createdAt: info.issued_at ? new Date(info.issued_at) : void 0,
       parentCid: firstStringParent
@@ -1780,6 +1849,22 @@ var TinyCloud = class _TinyCloud {
     }
     return service;
   }
+  /**
+   * Get the Encryption service.
+   * @throws Error if services are not initialized or encryption service is not registered
+   */
+  get encryption() {
+    if (!this._servicesInitialized) {
+      throw new Error(
+        "Services not initialized. Call initializeServices() first, or use TinyCloudWeb/TinyCloudNode which handles this automatically."
+      );
+    }
+    const service = this._services.get("encryption");
+    if (!service) {
+      throw new Error("Encryption service is not registered.");
+    }
+    return service;
+  }
   /**
    * Notify services of session change.
    * Called internally after sign-in and sign-out.
@@ -2115,7 +2200,7 @@ var TinyCloud = class _TinyCloud {
 };
 // src/index.ts
-var import_sdk_services4 = require("@tinycloud/sdk-services");
+var import_sdk_services5 = require("@tinycloud/sdk-services");
 // src/space.ts
 async function fetchPeerId(host, spaceId) {
@@ -2304,7 +2389,7 @@ var DelegationManager = class {
         spaceId: this.session.spaceId,
         path: params.path,
         actions: params.actions,
-        expiry: params.expiry ?? new Date(Date.now() + 24 * 60 * 60 * 1e3),
+        expiry: params.expiry ?? new Date(Date.now() + EXPIRY.SHARE_MS),
         isRevoked: false,
         allowSubDelegation: !(params.disableSubDelegation ?? false),
         createdAt: /* @__PURE__ */ new Date()
@@ -2783,6 +2868,7 @@ function validateEncodedShareData(data) {
 // src/manifest.ts
 var import_ms = __toESM(require("ms"), 1);
+var import_sdk_services3 = require("@tinycloud/sdk-services");
 var ManifestValidationError = class extends Error {
   constructor(message) {
     super(`Manifest validation failed: ${message}`);
@@ -2796,14 +2882,17 @@ var DEFAULT_MANIFEST_SPACE = "applications";
 var ACCOUNT_REGISTRY_SPACE = "account";
 var ACCOUNT_REGISTRY_PATH = "applications/";
 var SECRETS_SPACE = "secrets";
-var SECRET_NAME_RE = /^[A-Z][A-Z0-9_]*$/;
+var VAULT_PERMISSION_SERVICE = "tinycloud.vault";
 var SERVICE_SHORT_TO_LONG = Object.freeze({
   kv: "tinycloud.kv",
   sql: "tinycloud.sql",
   duckdb: "tinycloud.duckdb",
   capabilities: "tinycloud.capabilities",
-  hooks: "tinycloud.hooks"
+  hooks: "tinycloud.hooks",
+  encryption: "tinycloud.encryption"
 });
+var ENCRYPTION_PERMISSION_SERVICE = "tinycloud.encryption";
+var ENCRYPTION_MANIFEST_SPACE = "encryption";
 var SERVICE_LONG_TO_SHORT = Object.freeze(
   Object.fromEntries(
     Object.entries(SERVICE_SHORT_TO_LONG).map(([s, l]) => [l, s])
@@ -2879,6 +2968,72 @@ function expandActionShortNames(service, actions) {
     return `${service}/${a}`;
   });
 }
+function expandPermissionEntry(entry) {
+  if (entry.service === ENCRYPTION_PERMISSION_SERVICE) {
+    return expandEncryptionPermissionEntry(entry);
+  }
+  if (entry.service !== VAULT_PERMISSION_SERVICE) {
+    return [
+      {
+        ...entry,
+        actions: expandActionShortNames(entry.service, entry.actions)
+      }
+    ];
+  }
+  return expandVaultPermissionEntry(entry);
+}
+function expandEncryptionPermissionEntry(entry) {
+  if (typeof entry.path !== "string" || !entry.path.startsWith("urn:tinycloud:encryption:")) {
+    throw new ManifestValidationError(
+      `tinycloud.encryption entries require path to be a networkId URN (got ${JSON.stringify(entry.path)})`
+    );
+  }
+  const normalizedActions = [];
+  for (const action of entry.actions) {
+    if (action === "decrypt" || action === "tinycloud.encryption/decrypt") {
+      normalizedActions.push("tinycloud.encryption/decrypt");
+      continue;
+    }
+    if (action === "network.create" || action === "tinycloud.encryption/network.create") {
+      normalizedActions.push("tinycloud.encryption/network.create");
+      continue;
+    }
+    if (action === "network.revoke" || action === "tinycloud.encryption/network.revoke") {
+      normalizedActions.push("tinycloud.encryption/network.revoke");
+      continue;
+    }
+    if (action.includes("/")) {
+      throw new ManifestValidationError(
+        `unknown encryption action ${JSON.stringify(action)}; expected decrypt, network.create, or network.revoke`
+      );
+    }
+    throw new ManifestValidationError(
+      `unknown encryption action ${JSON.stringify(action)}; expected decrypt, network.create, or network.revoke`
+    );
+  }
+  const dedupedActions = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const a of normalizedActions) {
+    if (!seen.has(a)) {
+      dedupedActions.push(a);
+      seen.add(a);
+    }
+  }
+  return [
+    {
+      service: ENCRYPTION_PERMISSION_SERVICE,
+      space: ENCRYPTION_MANIFEST_SPACE,
+      path: entry.path,
+      actions: dedupedActions,
+      skipPrefix: true,
+      ...entry.expiry !== void 0 ? { expiry: entry.expiry } : {},
+      ...entry.description !== void 0 ? { description: entry.description } : {}
+    }
+  ];
+}
+function expandPermissionEntries(entries) {
+  return entries.flatMap(expandPermissionEntry);
+}
 function applyPrefix(prefix, path, skipPrefix) {
   if (skipPrefix) {
     return path;
@@ -2960,9 +3115,19 @@ function validateManifestSecrets(secrets) {
     throw new ManifestValidationError("manifest.secrets must be an object");
   }
   for (const [name, spec] of Object.entries(secrets)) {
-    if (!SECRET_NAME_RE.test(name)) {
+    if (!import_sdk_services3.SECRET_NAME_RE.test(name)) {
+      throw new ManifestValidationError(
+        `manifest.secrets.${name} must match ${import_sdk_services3.SECRET_NAME_RE.source}`
+      );
+    }
+    try {
+      (0, import_sdk_services3.resolveSecretPath)(
+        secretNameFromSpec(name, spec),
+        { scope: secretScopeFromSpec(spec) }
+      );
+    } catch (error) {
       throw new ManifestValidationError(
-        `manifest.secrets.${name} must match ${SECRET_NAME_RE.source}`
+        `manifest.secrets.${name}: ${error instanceof Error ? error.message : String(error)}`
       );
     }
     const actions = secretActionsFromSpec(name, spec);
@@ -3006,6 +3171,16 @@ function validatePermissionEntry(p, path) {
       `${path}.actions must be a non-empty array`
     );
   }
+  for (const action of entry.actions) {
+    if (typeof action !== "string" || action.length === 0) {
+      throw new ManifestValidationError(
+        `${path}.actions must contain non-empty strings`
+      );
+    }
+    if (entry.service === VAULT_PERMISSION_SERVICE) {
+      vaultActionExpansion(action);
+    }
+  }
   if (entry.expiry !== void 0) {
     parseExpiry(entry.expiry);
   }
@@ -3055,7 +3230,7 @@ function resolveManifest(input) {
     ...secretEntries
   ];
   const resources = withCapabilitiesReadForSpaces(
-    allEntries.map((entry) => resolveEntry(entry, prefix, expiryMs, space))
+    allEntries.flatMap((entry) => resolveEntry(entry, prefix, expiryMs, space))
   );
   const additionalDelegates = manifest.did === void 0 ? [] : [
     {
@@ -3111,6 +3286,18 @@ function normalizeSecretActions(actions) {
   }
   return out;
 }
+function secretNameFromSpec(fallbackName, spec) {
+  if (spec !== null && typeof spec === "object" && !Array.isArray(spec)) {
+    return spec.name ?? fallbackName;
+  }
+  return fallbackName;
+}
+function secretScopeFromSpec(spec) {
+  if (spec !== null && typeof spec === "object" && !Array.isArray(spec)) {
+    return spec.scope;
+  }
+  return void 0;
+}
 function secretActionsFromSpec(name, spec) {
   if (spec === true) {
     return ["read"];
@@ -3146,40 +3333,105 @@ function secretEntriesForManifest(secrets) {
   const entries = [];
   for (const [name, spec] of Object.entries(secrets)) {
     const actions = secretActionsFromSpec(name, spec);
+    const secretPath = (0, import_sdk_services3.resolveSecretPath)(
+      secretNameFromSpec(name, spec),
+      { scope: secretScopeFromSpec(spec) }
+    );
     const extra = spec !== true && typeof spec === "object" && !Array.isArray(spec) ? spec : {};
-    for (const base of ["keys", "vault"]) {
-      entries.push({
-        service: "tinycloud.kv",
-        space: SECRETS_SPACE,
-        path: `${base}/secrets/${name}`,
-        actions: normalizeSecretActions(actions),
-        skipPrefix: true,
-        ...extra.expiry !== void 0 ? { expiry: extra.expiry } : {},
-        ...extra.description !== void 0 ? { description: extra.description } : {}
-      });
-    }
+    entries.push({
+      service: VAULT_PERMISSION_SERVICE,
+      space: SECRETS_SPACE,
+      path: secretPath.vaultKey,
+      actions: normalizeSecretActions(actions),
+      skipPrefix: true,
+      ...extra.expiry !== void 0 ? { expiry: extra.expiry } : {},
+      ...extra.description !== void 0 ? { description: extra.description } : {}
+    });
   }
   return entries;
 }
 function resolveEntry(entry, prefix, _inheritedExpiryMs, inheritedSpace) {
-  const resolvedPath = applyPrefix(
-    prefix,
-    entry.path,
-    entry.skipPrefix === true
-  );
-  const resolvedActions = expandActionShortNames(entry.service, entry.actions);
+  const skipPrefixForEntry = entry.skipPrefix === true || entry.service === ENCRYPTION_PERMISSION_SERVICE;
+  const resolvedPath = applyPrefix(prefix, entry.path, skipPrefixForEntry);
   const entryExpiryMs = entry.expiry !== void 0 ? parseExpiry(entry.expiry) : void 0;
-  return {
-    service: entry.service,
+  return expandPermissionEntry({
+    ...entry,
     space: entry.space ?? inheritedSpace,
     path: resolvedPath,
-    actions: resolvedActions,
+    skipPrefix: true
+  }).map((expanded) => ({
+    service: expanded.service,
+    space: expanded.space ?? inheritedSpace,
+    path: expanded.path,
+    actions: expanded.actions,
     // Only populate `expiryMs` when the entry had its own expiry override.
     // When absent, callers use the parent (delegation or manifest) expiry
     // which is carried on ResolvedDelegate.expiryMs / ResolvedCapabilities.expiryMs.
     ...entryExpiryMs !== void 0 ? { expiryMs: entryExpiryMs } : {},
     ...entry.description !== void 0 ? { description: entry.description } : {}
-  };
+  }));
+}
+function expandVaultPermissionEntry(entry) {
+  const byBase = /* @__PURE__ */ new Map();
+  for (const action of entry.actions) {
+    const expansion = vaultActionExpansion(action);
+    for (const base of expansion.bases) {
+      const actions = byBase.get(base) ?? [];
+      if (!actions.includes(expansion.action)) {
+        actions.push(expansion.action);
+      }
+      byBase.set(base, actions);
+    }
+  }
+  return [...byBase.entries()].map(([base, actions]) => ({
+    ...entry,
+    service: "tinycloud.kv",
+    path: vaultKVPath(base, entry.path),
+    actions,
+    skipPrefix: true
+  }));
+}
+function vaultActionExpansion(action) {
+  const normalized = normalizeVaultAction(action);
+  if (normalized === "read" || normalized === "get") {
+    return { bases: ["vault"], action: "tinycloud.kv/get" };
+  }
+  if (normalized === "write" || normalized === "put") {
+    return { bases: ["vault"], action: "tinycloud.kv/put" };
+  }
+  if (normalized === "delete" || normalized === "del") {
+    return { bases: ["vault"], action: "tinycloud.kv/del" };
+  }
+  if (normalized === "list") {
+    return { bases: ["vault"], action: "tinycloud.kv/list" };
+  }
+  if (normalized === "head") {
+    return { bases: ["vault"], action: "tinycloud.kv/get" };
+  }
+  if (normalized === "metadata") {
+    return { bases: ["vault"], action: "tinycloud.kv/metadata" };
+  }
+  throw new ManifestValidationError(
+    `unknown vault action ${JSON.stringify(action)}; expected read, write, delete, get, put, del, list, head, or metadata`
+  );
+}
+function normalizeVaultAction(action) {
+  if (action.startsWith(`${VAULT_PERMISSION_SERVICE}/`)) {
+    return action.slice(`${VAULT_PERMISSION_SERVICE}/`.length);
+  }
+  if (action.startsWith("tinycloud.kv/")) {
+    return action.slice("tinycloud.kv/".length);
+  }
+  if (action.includes("/")) {
+    throw new ManifestValidationError(
+      `unknown vault action ${JSON.stringify(action)}; expected a tinycloud.vault or tinycloud.kv action`
+    );
+  }
+  return action;
+}
+function vaultKVPath(base, path) {
+  const normalized = path.startsWith("/") ? path.slice(1) : path;
+  return `${base}/${normalized}`;
 }
 function cloneResourceCapability(entry) {
   return {
@@ -3236,7 +3488,9 @@ function withCapabilitiesReadForSpaces(resources) {
   if (resources.length === 0) {
     return [];
   }
-  const spaces = new Set(resources.map((resource) => resource.space));
+  const spaces = new Set(
+    resources.filter((resource) => resource.service !== ENCRYPTION_PERMISSION_SERVICE).map((resource) => resource.space)
+  );
   return dedupeResources([
     ...resources,
     ...[...spaces].map(capabilitiesReadPermission)
@@ -3368,7 +3622,7 @@ function inferShortServiceFromActionUrns(actions) {
   return short;
 }
 var DEFAULT_READ_ACTIONS = ["tinycloud.kv/get", "tinycloud.kv/metadata"];
-var DEFAULT_EXPIRY_MS = 24 * 60 * 60 * 1e3;
+var DEFAULT_EXPIRY_MS = EXPIRY.SHARE_MS;
 var BASE64_PREFIX = "tc1:";
 function createError2(code, message, cause, meta) {
   return {
@@ -4010,7 +4264,7 @@ function createSharingService(config) {
 }
 // src/authorization/CapabilityKeyRegistry.ts
-var import_sdk_services3 = require("@tinycloud/sdk-services");
+var import_sdk_services4 = require("@tinycloud/sdk-services");
 var SERVICE_NAME2 = "capability-key-registry";
 var CapabilityKeyRegistryErrorCodes = {
   /** Key not found in registry */
@@ -4228,8 +4482,8 @@ var CapabilityKeyRegistry = class {
   revokeDelegation(cid) {
     const stored = this.store.byCid.get(cid);
     if (!stored) {
-      return (0, import_sdk_services3.err)(
-        (0, import_sdk_services3.serviceError)(
+      return (0, import_sdk_services4.err)(
+        (0, import_sdk_services4.serviceError)(
           CapabilityKeyRegistryErrorCodes.KEY_NOT_FOUND,
           `Delegation not found: ${cid}`,
           SERVICE_NAME2
@@ -4251,7 +4505,7 @@ var CapabilityKeyRegistry = class {
         }
       }
     }
-    return (0, import_sdk_services3.ok)(void 0);
+    return (0, import_sdk_services4.ok)(void 0);
   }
   // ===========================================================================
   // Search
@@ -4497,6 +4751,7 @@ async function checkNodeInfo(host, sdkProtocol, fetchFn = globalThis.fetch.bind(
   }
   return {
     features: data.features ?? [],
+    nodeId: data.nodeId,
     quotaUrl: data.quota_url
   };
 }
@@ -4833,6 +5088,10 @@ function verifyDidKeySignature(did, payload, signature) {
     publicKey
   );
 }
+function verifyDidKeyEd25519Signature(did, payload, signature) {
+  const publicKey = ed25519PublicKeyFromDidKey(did);
+  return import_ed25519.ed25519.verify(signature, payload, publicKey);
+}
 function ed25519PublicKeyFromDidKey(did) {
   const identifier = did.slice("did:key:".length);
   if (!identifier.startsWith("z")) {
@@ -4841,12 +5100,15 @@ function ed25519PublicKeyFromDidKey(did) {
     );
   }
   const bytes = import_basics.bases.base58btc.decode(identifier);
-  if (bytes.length !== 34 || bytes[0] !== 237 || bytes[1] !== 1) {
-    throw new LocationRecordValidationError(
-      "did:key must be an Ed25519 public key"
-    );
+  if (bytes.length === 34 && bytes[0] === 237 && bytes[1] === 1) {
+    return bytes.slice(2);
+  }
+  if (bytes.length === 33 && bytes[0] === 237) {
+    return bytes.slice(1);
   }
-  return bytes.slice(2);
+  throw new LocationRecordValidationError(
+    "did:key must be an Ed25519 public key"
+  );
 }
 function base64UrlEncode2(bytes) {
   const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
@@ -5011,10 +5273,16 @@ function parseRecapCapabilities(parseWasm, siwe) {
   CapabilityKeyRegistryErrorCodes,
   ClientSessionSchema,
   CloudLocationResolutionError,
+  DECRYPT_ACTION,
+  DECRYPT_FACT_TYPE,
+  DECRYPT_RESULT_TYPE,
   DEFAULT_DEFAULTS,
+  DEFAULT_ENCRYPTION_ALG,
   DEFAULT_EXPIRY,
+  DEFAULT_KEY_VERSION,
   DEFAULT_MANIFEST_SPACE,
   DEFAULT_MANIFEST_VERSION,
+  DEFAULT_SIGNED_READ_URL_EXPIRY_MS,
   DEFAULT_TINYCLOUD_FALLBACK_HOST,
   DEFAULT_TINYCLOUD_LOCATION_REGISTRY_URL,
   DataVaultService,
@@ -5024,15 +5292,26 @@ function parseRecapCapabilities(parseWasm, siwe) {
   DuckDbAction,
   DuckDbDatabaseHandle,
   DuckDbService,
+  ENCRYPTION_MANIFEST_SPACE,
+  ENCRYPTION_NETWORK_URN_PREFIX,
+  ENCRYPTION_PERMISSION_SERVICE,
+  ENCRYPTION_SERVICE,
+  ENCRYPTION_SERVICE_SHORT,
+  ENVELOPE_VERSION,
+  EXPIRY,
+  EncryptionService,
   EnsDataSchema,
   ErrorCodes,
   HooksService,
   KVService,
   LocationRecordValidationError,
   ManifestValidationError,
+  NETWORK_NAME_PATTERN,
+  NetworkIdError,
   PermissionNotInManifestError,
   PrefixedKVService,
   ProtocolMismatchError,
+  SECRET_NAME_RE,
   SERVICE_LONG_TO_SHORT,
   SERVICE_SHORT_TO_LONG,
   SQLAction,
@@ -5049,40 +5328,72 @@ function parseRecapCapabilities(parseWasm, siwe) {
   SpaceService,
   TinyCloud,
   UnsupportedFeatureError,
+  VAULT_PERMISSION_SERVICE,
   VaultHeaders,
   VaultPublicSpaceKVActions,
   VersionCheckError,
   activateSessionWithHost,
   applyPrefix,
+  buildCanonicalDecryptRequest,
+  buildDecryptAttenuation,
+  buildDecryptFacts,
+  buildDecryptInvocation,
+  buildNetworkId,
   buildSpaceUri,
+  canonicalHashHex,
   canonicalLocationPayload,
+  canonicalSignedResponse,
+  canonicalizeEncryptionJson,
+  canonicalizeSecretScope,
+  checkDecryptInvocationInput,
   checkNodeInfo,
   composeManifestRequest,
   createCapabilityKeyRegistry,
   createSharingService,
   createSpaceService,
   createVaultCrypto,
+  decryptEnvelopeWithKey,
   defaultRetryPolicy,
   defaultSignStrategy,
   defaultSpaceCreationHandler,
+  deriveSignedReceiverKey,
+  discoverNetwork,
+  encryptToNetwork,
+  encryptionBase64Decode,
+  encryptionBase64Encode,
+  encryptionError,
+  encryptionUtf8Decode,
+  encryptionUtf8Encode,
+  ensureNetworkUsableForDecrypt,
   err,
   expandActionShortNames,
+  expandPermissionEntries,
+  expandPermissionEntry,
   fetchLocationRecord,
   fetchPeerId,
+  generateRandomReceiverKey,
+  hexDecode,
+  hexEncode,
   httpUrlToMultiaddr,
   isCapabilitySubset,
+  isNetworkId,
   loadManifest,
   locationPayloadForRecord,
   makePublicSpaceId,
   manifestAbilitiesUnion,
   multiaddrToHttpUrl,
+  networkDiscoveryKey,
   normalizeDefaults,
   ok,
+  openWrappedKey,
   parseExpiry,
+  parseNetworkId,
   parseRecapCapabilities,
   parseSpaceUri,
   resolveCloudLocation,
   resolveManifest,
+  resolveSecretListPrefix,
+  resolveSecretPath,
   resolveTinyCloudHosts,
   resourceCapabilitiesToAbilitiesMap,
   resourceCapabilitiesToSpaceAbilitiesMap,
@@ -5090,10 +5401,13 @@ function parseRecapCapabilities(parseWasm, siwe) {
   signLocationRecord,
   submitHostDelegation,
   validateClientSession,
+  validateEnvelope,
   validateLocationRecord,
   validateLocationRecordPayload,
   validateManifest,
   validatePersistedSessionData,
+  verifyDecryptResponse,
+  verifyDidKeyEd25519Signature,
   verifyLocationRecord
 });
 //# sourceMappingURL=index.cjs.map