@tinycloud/sdk-core 2.2.0-beta.9 → 2.2.1-beta.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/dist/index.cjs +274 -57
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.d.cts +98 -34
  4. package/dist/index.d.ts +98 -34
  5. package/dist/index.js +243 -31
  6. package/dist/index.js.map +1 -1
  7. package/package.json +2 -2
package/dist/index.d.cts CHANGED
@@ -1,6 +1,6 @@
1
1
  import { z } from 'zod';
2
- import { InvokeFunction, InvokeAnyFunction, ServiceError, Result as Result$1, ServiceSession, FetchFunction, ServiceConstructor, RetryPolicy, IServiceContext, IService, IKVService, ISQLService, IDuckDbService, IHooksService, IDataVaultService } from '@tinycloud/sdk-services';
3
- export { BatchOptions, BatchResponse, ColumnInfo, DataVaultConfig, DataVaultService, DatabaseHandle, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ErrorCode, ErrorCodes, ExecuteOptions, ExecuteResponse, FetchFunction, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IHooksService, IKVService, IPrefixedKVService, ISQLService, ISecretsService, IService, IServiceContext, InvokeAnyEntry, InvokeAnyFunction, InvokeFunction, KVDeleteOptions, KVGetOptions, KVHeadOptions, KVListOptions, KVListResponse, KVPutOptions, KVResponse, KVResponseHeaders, KVService, KVServiceConfig, PrefixedKVService, QueryOptions, QueryResponse, Result, RetryPolicy, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceError, ServiceSession, SqlStatement, SqlValue, SubscribeOptions, TableInfo, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, ViewInfo, WasmVaultFunctions, createVaultCrypto, defaultRetryPolicy, err, ok, serviceError } from '@tinycloud/sdk-services';
2
+ import { InvokeFunction, InvokeAnyFunction, ServiceError, Result as Result$1, ServiceSession, FetchFunction, ServiceConstructor, RetryPolicy, IServiceContext, IService, IKVService, ISQLService, IDuckDbService, IHooksService, IDataVaultService, IEncryptionService } from '@tinycloud/sdk-services';
3
+ export { BatchOptions, BatchResponse, BuildCanonicalDecryptRequestInput, BuildDecryptFactsInput, BuildDecryptInvocationInput, BuiltDecryptInvocation, CanonicalDecryptRequest, CanonicalJson, ColumnInfo, DECRYPT_ACTION, DECRYPT_FACT_TYPE, DECRYPT_RESULT_TYPE, DEFAULT_ENCRYPTION_ALG, DEFAULT_KEY_VERSION, DataVaultConfig, DataVaultService, DatabaseHandle, DecryptCapabilityProof, DecryptEnvelopeOptions, DecryptInvocationFact, DecryptInvocationSigner, DecryptRequestBody, DecryptResponseBody, DecryptTransport, DiscoverNetworkInput, DiscoveredNetwork, DiscoverySource, DuckDbAction, DuckDbActionType, DuckDbBatchOptions, DuckDbBatchResponse, DuckDbDatabaseHandle, DuckDbExecuteOptions, DuckDbExecuteResponse, DuckDbOptions, DuckDbQueryOptions, DuckDbQueryResponse, DuckDbService, DuckDbServiceConfig, DuckDbStatement, DuckDbValue, ENCRYPTION_NETWORK_URN_PREFIX, ENCRYPTION_SERVICE, ENCRYPTION_SERVICE_SHORT, ENVELOPE_VERSION, EncryptToNetworkInput, EncryptToNetworkOptions, EncryptToNetworkResult, EncryptionCrypto, EncryptionError, EncryptionErrorInput, EncryptionService, EncryptionServiceConfig, ErrorCode, ErrorCodes, ExecuteOptions, ExecuteResponse, FetchFunction, HookEvent, HookServiceName, HookStreamEvent, HookSubscription, HookWebhookListOptions, HookWebhookRecord, HookWebhookRegistration, HookWebhookScope, HookWebhookUnregisterOptions, HooksService, HooksServiceConfig, IDataVaultService, IDatabaseHandle, IDuckDbDatabaseHandle, IDuckDbService, IEncryptionService, IHooksService, IKVService, IPrefixedKVService, ISQLService, ISecretsService, IService, IServiceContext, InlineEncryptedEnvelope, InvokeAnyEntry, InvokeAnyFunction, InvokeFunction, KVCreateSignedReadUrlOptions, KVDeleteOptions, KVGetOptions, KVHeadOptions, KVListOptions, KVListResponse, KVPutOptions, KVResponse, KVResponseHeaders, KVService, KVServiceConfig, KVSignedReadUrlResponse, NETWORK_NAME_PATTERN, NetworkDescriptor, NetworkIdError, NodeDescriptorFetcher, ParsedNetworkId, PrefixedKVService, QueryOptions, QueryResponse, RandomReceiverKeyInput, ReceiverKeyPair, ReceiverKeySigner, ResolvedSecretPath, Result, RetryPolicy, SECRET_NAME_RE, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SchemaInfo, SecretPayload, SecretScopeOptions, SecretsError, SecretsService, ServiceContext, ServiceContextConfig, ServiceError, ServiceSession, SignedReceiverKeyInput, SqlStatement, SqlValue, SubscribeOptions, TableInfo, VaultCrypto, VaultEntry, VaultError, VaultGetOptions, VaultGrantOptions, VaultHeaders, VaultListOptions, VaultPublicSpaceKVActions, VaultPutOptions, VerifyDecryptResponseInput, ViewInfo, WasmVaultFunctions, WellKnownDescriptorFetcher, buildCanonicalDecryptRequest, buildDecryptAttenuation, buildDecryptFacts, buildDecryptInvocation, buildNetworkId, canonicalHashHex, canonicalSignedResponse, canonicalizeEncryptionJson, canonicalizeSecretScope, checkDecryptInvocationInput, createVaultCrypto, decryptEnvelopeWithKey, defaultRetryPolicy, deriveSignedReceiverKey, discoverNetwork, encryptToNetwork, base64Decode as encryptionBase64Decode, base64Encode as encryptionBase64Encode, encryptionError, utf8Decode as encryptionUtf8Decode, utf8Encode as encryptionUtf8Encode, ensureNetworkUsableForDecrypt, err, generateRandomReceiverKey, hexDecode, hexEncode, isNetworkId, networkDiscoveryKey, ok, openWrappedKey, parseNetworkId, resolveSecretListPrefix, resolveSecretPath, serviceError, validateEnvelope, verifyDecryptResponse } from '@tinycloud/sdk-services';
4
4
  export { SiweMessage } from 'siwe';
5
5
 
6
6
  /**
@@ -231,6 +231,10 @@ interface PermissionEntry {
231
231
  description?: string;
232
232
  }
233
233
  type ManifestSecretActions = true | string | string[] | {
234
+ /** Actual vault secret name. Defaults to the manifest object key. */
235
+ name?: string;
236
+ /** Optional scoped secret namespace. Omit for global secrets. */
237
+ scope?: string;
234
238
  actions?: string | string[];
235
239
  expiry?: string;
236
240
  description?: string;
@@ -380,7 +384,12 @@ declare class ManifestValidationError extends Error {
380
384
  }
381
385
  /**
382
386
  * Default expiry when neither the manifest, delegation, nor permission
383
- * specifies one. Spec: 30 days.
387
+ * specifies one. APP tier — see `expiry.ts`. Spec: 30 days.
388
+ *
389
+ * Kept as an ms-format string because the manifest schema stores expiry
390
+ * as a string and the parser is shared between this default and
391
+ * caller-provided values; converting `EXPIRY.APP_MS` back to a string
392
+ * here would duplicate that same `30d` literal in another form.
384
393
  */
385
394
  declare const DEFAULT_EXPIRY = "30d";
386
395
  /**
@@ -404,6 +413,22 @@ declare const VAULT_PERMISSION_SERVICE = "tinycloud.vault";
404
413
  * This table is the canonical bridge between the two.
405
414
  */
406
415
  declare const SERVICE_SHORT_TO_LONG: Readonly<Record<string, string>>;
416
+ /**
417
+ * Manifest service identifier for TinyCloud encryption network grants.
418
+ *
419
+ * Encryption permissions live on a network id URN
420
+ * (`urn:tinycloud:encryption:<principal>:<network>`), not on a space.
421
+ * The `path` field is the literal networkId; `actions` are
422
+ * `["decrypt"]` (expanded to `["tinycloud.encryption/decrypt"]`).
423
+ *
424
+ * Apps should omit `space` for encryption permissions. The SDK may emit
425
+ * an internal `"encryption"` compatibility label after expansion so the
426
+ * older `PermissionEntry`/`ResourceCapability` shape can still carry the
427
+ * raw network URN through subset checks.
428
+ */
429
+ declare const ENCRYPTION_PERMISSION_SERVICE = "tinycloud.encryption";
430
+ /** Synthetic space label used by encryption manifest entries. */
431
+ declare const ENCRYPTION_MANIFEST_SPACE = "encryption";
407
432
  /**
408
433
  * Inverse of {@link SERVICE_SHORT_TO_LONG}.
409
434
  */
@@ -430,10 +455,11 @@ declare function expandActionShortNames(service: string, actions: readonly strin
430
455
  /**
431
456
  * Expand SDK virtual permission services into concrete recap-capable services.
432
457
  *
433
- * Today this handles `"tinycloud.vault"`, which is backed by KV resources:
434
- * - read/get: `keys/<path>` + `vault/<path>` with `tinycloud.kv/get`
435
- * - write/put: `keys/<path>` + `vault/<path>` with `tinycloud.kv/put`
436
- * - delete/del: `keys/<path>` + `vault/<path>` with `tinycloud.kv/del`
458
+ * Today this handles `"tinycloud.vault"`, which is backed by inline
459
+ * network-encrypted KV records:
460
+ * - read/get: `vault/<path>` with `tinycloud.kv/get`
461
+ * - write/put: `vault/<path>` with `tinycloud.kv/put`
462
+ * - delete/del: `vault/<path>` with `tinycloud.kv/del`
437
463
  * - list: `vault/<path>` with `tinycloud.kv/list`
438
464
  * - head: `vault/<path>` with `tinycloud.kv/get`
439
465
  * - metadata: `vault/<path>` with `tinycloud.kv/metadata`
@@ -686,6 +712,8 @@ interface IWasmBindings {
686
712
  invoke: InvokeFunction;
687
713
  /** Invoke multiple TinyCloud capabilities in one authorization header */
688
714
  invokeAny?: InvokeAnyFunction;
715
+ /** Compute a CID for signed invocation bytes. */
716
+ computeCid?: (data: Uint8Array, codec: bigint) => string;
689
717
  /** Prepare a session (generate session key, build SIWE message) */
690
718
  prepareSession: (params: any) => any;
691
719
  /** Complete session setup (create delegation) */
@@ -1332,8 +1360,8 @@ declare const DelegationSchema: z.ZodObject<{
1332
1360
  authHeader: z.ZodOptional<z.ZodString>;
1333
1361
  }, "strip", z.ZodTypeAny, {
1334
1362
  path: string;
1335
- actions: string[];
1336
1363
  expiry: Date;
1364
+ actions: string[];
1337
1365
  spaceId: string;
1338
1366
  cid: string;
1339
1367
  delegateDID: string;
@@ -1345,8 +1373,8 @@ declare const DelegationSchema: z.ZodObject<{
1345
1373
  authHeader?: string | undefined;
1346
1374
  }, {
1347
1375
  path: string;
1348
- actions: string[];
1349
1376
  expiry: Date;
1377
+ actions: string[];
1350
1378
  spaceId: string;
1351
1379
  cid: string;
1352
1380
  delegateDID: string;
@@ -1490,8 +1518,8 @@ declare const CapabilityEntrySchema: z.ZodObject<{
1490
1518
  authHeader: z.ZodOptional<z.ZodString>;
1491
1519
  }, "strip", z.ZodTypeAny, {
1492
1520
  path: string;
1493
- actions: string[];
1494
1521
  expiry: Date;
1522
+ actions: string[];
1495
1523
  spaceId: string;
1496
1524
  cid: string;
1497
1525
  delegateDID: string;
@@ -1503,8 +1531,8 @@ declare const CapabilityEntrySchema: z.ZodObject<{
1503
1531
  authHeader?: string | undefined;
1504
1532
  }, {
1505
1533
  path: string;
1506
- actions: string[];
1507
1534
  expiry: Date;
1535
+ actions: string[];
1508
1536
  spaceId: string;
1509
1537
  cid: string;
1510
1538
  delegateDID: string;
@@ -1539,8 +1567,8 @@ declare const CapabilityEntrySchema: z.ZodObject<{
1539
1567
  }[];
1540
1568
  delegation: {
1541
1569
  path: string;
1542
- actions: string[];
1543
1570
  expiry: Date;
1571
+ actions: string[];
1544
1572
  spaceId: string;
1545
1573
  cid: string;
1546
1574
  delegateDID: string;
@@ -1576,8 +1604,8 @@ declare const CapabilityEntrySchema: z.ZodObject<{
1576
1604
  }[];
1577
1605
  delegation: {
1578
1606
  path: string;
1579
- actions: string[];
1580
1607
  expiry: Date;
1608
+ actions: string[];
1581
1609
  spaceId: string;
1582
1610
  cid: string;
1583
1611
  delegateDID: string;
@@ -1711,8 +1739,8 @@ declare const DelegationChainSchema: z.ZodArray<z.ZodObject<{
1711
1739
  authHeader: z.ZodOptional<z.ZodString>;
1712
1740
  }, "strip", z.ZodTypeAny, {
1713
1741
  path: string;
1714
- actions: string[];
1715
1742
  expiry: Date;
1743
+ actions: string[];
1716
1744
  spaceId: string;
1717
1745
  cid: string;
1718
1746
  delegateDID: string;
@@ -1724,8 +1752,8 @@ declare const DelegationChainSchema: z.ZodArray<z.ZodObject<{
1724
1752
  authHeader?: string | undefined;
1725
1753
  }, {
1726
1754
  path: string;
1727
- actions: string[];
1728
1755
  expiry: Date;
1756
+ actions: string[];
1729
1757
  spaceId: string;
1730
1758
  cid: string;
1731
1759
  delegateDID: string;
@@ -1769,8 +1797,8 @@ declare const DelegationChainV2Schema: z.ZodObject<{
1769
1797
  authHeader: z.ZodOptional<z.ZodString>;
1770
1798
  }, "strip", z.ZodTypeAny, {
1771
1799
  path: string;
1772
- actions: string[];
1773
1800
  expiry: Date;
1801
+ actions: string[];
1774
1802
  spaceId: string;
1775
1803
  cid: string;
1776
1804
  delegateDID: string;
@@ -1782,8 +1810,8 @@ declare const DelegationChainV2Schema: z.ZodObject<{
1782
1810
  authHeader?: string | undefined;
1783
1811
  }, {
1784
1812
  path: string;
1785
- actions: string[];
1786
1813
  expiry: Date;
1814
+ actions: string[];
1787
1815
  spaceId: string;
1788
1816
  cid: string;
1789
1817
  delegateDID: string;
@@ -1822,8 +1850,8 @@ declare const DelegationChainV2Schema: z.ZodObject<{
1822
1850
  authHeader: z.ZodOptional<z.ZodString>;
1823
1851
  }, "strip", z.ZodTypeAny, {
1824
1852
  path: string;
1825
- actions: string[];
1826
1853
  expiry: Date;
1854
+ actions: string[];
1827
1855
  spaceId: string;
1828
1856
  cid: string;
1829
1857
  delegateDID: string;
@@ -1835,8 +1863,8 @@ declare const DelegationChainV2Schema: z.ZodObject<{
1835
1863
  authHeader?: string | undefined;
1836
1864
  }, {
1837
1865
  path: string;
1838
- actions: string[];
1839
1866
  expiry: Date;
1867
+ actions: string[];
1840
1868
  spaceId: string;
1841
1869
  cid: string;
1842
1870
  delegateDID: string;
@@ -1875,8 +1903,8 @@ declare const DelegationChainV2Schema: z.ZodObject<{
1875
1903
  authHeader: z.ZodOptional<z.ZodString>;
1876
1904
  }, "strip", z.ZodTypeAny, {
1877
1905
  path: string;
1878
- actions: string[];
1879
1906
  expiry: Date;
1907
+ actions: string[];
1880
1908
  spaceId: string;
1881
1909
  cid: string;
1882
1910
  delegateDID: string;
@@ -1888,8 +1916,8 @@ declare const DelegationChainV2Schema: z.ZodObject<{
1888
1916
  authHeader?: string | undefined;
1889
1917
  }, {
1890
1918
  path: string;
1891
- actions: string[];
1892
1919
  expiry: Date;
1920
+ actions: string[];
1893
1921
  spaceId: string;
1894
1922
  cid: string;
1895
1923
  delegateDID: string;
@@ -1903,8 +1931,8 @@ declare const DelegationChainV2Schema: z.ZodObject<{
1903
1931
  }, "strip", z.ZodTypeAny, {
1904
1932
  root: {
1905
1933
  path: string;
1906
- actions: string[];
1907
1934
  expiry: Date;
1935
+ actions: string[];
1908
1936
  spaceId: string;
1909
1937
  cid: string;
1910
1938
  delegateDID: string;
@@ -1917,8 +1945,8 @@ declare const DelegationChainV2Schema: z.ZodObject<{
1917
1945
  };
1918
1946
  chain: {
1919
1947
  path: string;
1920
- actions: string[];
1921
1948
  expiry: Date;
1949
+ actions: string[];
1922
1950
  spaceId: string;
1923
1951
  cid: string;
1924
1952
  delegateDID: string;
@@ -1931,8 +1959,8 @@ declare const DelegationChainV2Schema: z.ZodObject<{
1931
1959
  }[];
1932
1960
  leaf: {
1933
1961
  path: string;
1934
- actions: string[];
1935
1962
  expiry: Date;
1963
+ actions: string[];
1936
1964
  spaceId: string;
1937
1965
  cid: string;
1938
1966
  delegateDID: string;
@@ -1946,8 +1974,8 @@ declare const DelegationChainV2Schema: z.ZodObject<{
1946
1974
  }, {
1947
1975
  root: {
1948
1976
  path: string;
1949
- actions: string[];
1950
1977
  expiry: Date;
1978
+ actions: string[];
1951
1979
  spaceId: string;
1952
1980
  cid: string;
1953
1981
  delegateDID: string;
@@ -1960,8 +1988,8 @@ declare const DelegationChainV2Schema: z.ZodObject<{
1960
1988
  };
1961
1989
  chain: {
1962
1990
  path: string;
1963
- actions: string[];
1964
1991
  expiry: Date;
1992
+ actions: string[];
1965
1993
  spaceId: string;
1966
1994
  cid: string;
1967
1995
  delegateDID: string;
@@ -1974,8 +2002,8 @@ declare const DelegationChainV2Schema: z.ZodObject<{
1974
2002
  }[];
1975
2003
  leaf: {
1976
2004
  path: string;
1977
- actions: string[];
1978
2005
  expiry: Date;
2006
+ actions: string[];
1979
2007
  spaceId: string;
1980
2008
  cid: string;
1981
2009
  delegateDID: string;
@@ -2115,8 +2143,8 @@ declare const ShareLinkSchema: z.ZodObject<{
2115
2143
  authHeader: z.ZodOptional<z.ZodString>;
2116
2144
  }, "strip", z.ZodTypeAny, {
2117
2145
  path: string;
2118
- actions: string[];
2119
2146
  expiry: Date;
2147
+ actions: string[];
2120
2148
  spaceId: string;
2121
2149
  cid: string;
2122
2150
  delegateDID: string;
@@ -2128,8 +2156,8 @@ declare const ShareLinkSchema: z.ZodObject<{
2128
2156
  authHeader?: string | undefined;
2129
2157
  }, {
2130
2158
  path: string;
2131
- actions: string[];
2132
2159
  expiry: Date;
2160
+ actions: string[];
2133
2161
  spaceId: string;
2134
2162
  cid: string;
2135
2163
  delegateDID: string;
@@ -2150,8 +2178,8 @@ declare const ShareLinkSchema: z.ZodObject<{
2150
2178
  url: string;
2151
2179
  delegation: {
2152
2180
  path: string;
2153
- actions: string[];
2154
2181
  expiry: Date;
2182
+ actions: string[];
2155
2183
  spaceId: string;
2156
2184
  cid: string;
2157
2185
  delegateDID: string;
@@ -2170,8 +2198,8 @@ declare const ShareLinkSchema: z.ZodObject<{
2170
2198
  url: string;
2171
2199
  delegation: {
2172
2200
  path: string;
2173
- actions: string[];
2174
2201
  expiry: Date;
2202
+ actions: string[];
2175
2203
  spaceId: string;
2176
2204
  cid: string;
2177
2205
  delegateDID: string;
@@ -2240,16 +2268,16 @@ declare const GenerateShareParamsSchema: z.ZodObject<{
2240
2268
  baseUrl: z.ZodOptional<z.ZodString>;
2241
2269
  }, "strip", z.ZodTypeAny, {
2242
2270
  path: string;
2243
- actions?: string[] | undefined;
2244
2271
  expiry?: Date | undefined;
2245
2272
  description?: string | undefined;
2273
+ actions?: string[] | undefined;
2246
2274
  schema?: "base64" | "compact" | "ipfs" | undefined;
2247
2275
  baseUrl?: string | undefined;
2248
2276
  }, {
2249
2277
  path: string;
2250
- actions?: string[] | undefined;
2251
2278
  expiry?: Date | undefined;
2252
2279
  description?: string | undefined;
2280
+ actions?: string[] | undefined;
2253
2281
  schema?: "base64" | "compact" | "ipfs" | undefined;
2254
2282
  baseUrl?: string | undefined;
2255
2283
  }>;
@@ -3312,6 +3340,11 @@ declare class TinyCloud {
3312
3340
  * @throws Error if services are not initialized or vault service is not registered
3313
3341
  */
3314
3342
  get vault(): IDataVaultService;
3343
+ /**
3344
+ * Get the Encryption service.
3345
+ * @throws Error if services are not initialized or encryption service is not registered
3346
+ */
3347
+ get encryption(): IEncryptionService;
3315
3348
  /**
3316
3349
  * Notify services of session change.
3317
3350
  * Called internally after sign-in and sign-out.
@@ -4482,6 +4515,7 @@ declare class UnsupportedFeatureError extends Error {
4482
4515
  }
4483
4516
  interface NodeInfo {
4484
4517
  features: string[];
4518
+ nodeId?: string;
4485
4519
  quotaUrl?: string;
4486
4520
  }
4487
4521
  declare function checkNodeInfo(host: string, sdkProtocol: number, fetchFn?: typeof globalThis.fetch): Promise<NodeInfo>;
@@ -4584,5 +4618,35 @@ declare function resolveCloudLocation(subject: string, options?: ResolveCloudLoc
4584
4618
  declare function resolveTinyCloudHosts(subject: string, options?: ResolveTinyCloudHostsOptions): Promise<ResolvedTinyCloudHosts>;
4585
4619
  declare function multiaddrToHttpUrl(input: string): string;
4586
4620
  declare function httpUrlToMultiaddr(input: string): string;
4621
+ declare function verifyDidKeyEd25519Signature(did: string, payload: Uint8Array, signature: Uint8Array): boolean;
4622
+
4623
+ /**
4624
+ * Default lifetimes for the various delegation shapes the SDK mints.
4625
+ *
4626
+ * The SDK has many delegation flows (session sign-in, runtime grants,
4627
+ * share links, manifest installs, public-space sub-delegations, …) and
4628
+ * each one used to pick its own number freehand. That made it hard to
4629
+ * tell whether a chosen value was deliberate or copy-pasted, and made
4630
+ * silent inconsistencies easy to ship.
4631
+ *
4632
+ * Every default below answers two questions:
4633
+ * - Who recovers if the delegation leaks? (re-auth, revocation, no one)
4634
+ * - Who is the principal at use time? (issuer, third party)
4635
+ *
4636
+ * The five tiers fall out of those answers. Pick a tier, not a number,
4637
+ * when introducing a new delegation surface.
4638
+ *
4639
+ * @packageDocumentation
4640
+ */
4641
+ declare const EXPIRY: {
4642
+ readonly EPHEMERAL_MS: number;
4643
+ readonly SIGNED_READ_URL_MS: number;
4644
+ readonly SESSION_MS: number;
4645
+ readonly SHARE_MS: number;
4646
+ readonly APP_MS: number;
4647
+ readonly MAX_MS: number;
4648
+ };
4649
+ declare const DEFAULT_SIGNED_READ_URL_EXPIRY_MS: number;
4650
+ type ExpiryTier = keyof typeof EXPIRY;
4587
4651
 
4588
- export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, type AbilitiesMap, AutoApproveSpaceCreationHandler, type AutoRejectStrategy, type AutoSignStrategy, type Bytes, type CallbackStrategy, type CapabilityEntry, CapabilityKeyRegistry, type CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, type ClientSession, ClientSessionSchema, CloudLocationResolutionError, type ComposeManifestOptions, type ComposedManifestRequest, type CreateDelegationFunction, type CreateDelegationParams, type CreateDelegationWasmParams, type CreateDelegationWasmResult, DEFAULT_DEFAULTS, DEFAULT_EXPIRY, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_TINYCLOUD_FALLBACK_HOST, DEFAULT_TINYCLOUD_LOCATION_REGISTRY_URL, type DelegatedResource, type Delegation, type DelegationApiResponse, type DelegationChain, type DelegationChainV2, type DelegationDirection, type DelegationError, type DelegationErrorCode, DelegationErrorCodes, type DelegationFilters, DelegationManager, type DelegationManagerConfig, type DelegationRecord, type Result as DelegationResult, type EncodedShareData, type EnsData, EnsDataSchema, type EventEmitterStrategy, type Extension, type GenerateShareParams, type ICapabilityKeyRegistry, type IENSResolver, type INotificationHandler, type ISessionManager, type ISessionStorage, type ISharingService, type ISigner, type ISpace, type ISpaceCreationHandler, type ISpaceScopedDelegations, type ISpaceScopedSharing, type ISpaceService, type IUserAuthorization, type IWasmBindings, type IngestOptions, type JWK, type KeyInfo, type KeyProvider, type KeyType, type LocationCandidate, type LocationCandidateInput, type LocationRecord, type LocationRecordPayload, type LocationRecordSigner, LocationRecordValidationError, type LocationResolutionAttempt, type LocationSource, type Manifest, type ManifestDefaults, type ManifestRegistryRecord, type ManifestSecretActions, ManifestValidationError, type NodeInfo, type ParseRecapFromSiwe, type PartialSiweMessage, type PermissionEntry, PermissionNotInManifestError, type PersistedSessionData, type PersistedTinyCloudSession, ProtocolMismatchError, type ReceiveOptions, type ResolveCloudLocationOptions, type ResolveTinyCloudHostsOptions, type ResolvedCapabilities, type ResolvedCloudLocation, type ResolvedDelegate, type ResolvedTinyCloudHosts, type ResourceCapability, SERVICE_LONG_TO_SHORT, SERVICE_SHORT_TO_LONG, type ServerHost, SessionExpiredError, type ShareAccess, type ShareLink, type ShareLinkData, type ShareSchema, SharingService, type SharingServiceConfig, type SignCallback, type SignInOptions, type SignRequest, type SignResponse, type SignStrategy, SilentNotificationHandler, type SiweConfig, SiweConfigSchema, Space, type SpaceAbilitiesMap, type SpaceConfig, type SpaceCreationContext, type SpaceDelegationParams, type SpaceErrorCode, SpaceErrorCodes, type SpaceHostResult, type SpaceInfo, type SpaceOwnership, SpaceService, type SpaceServiceConfig, type StoredDelegationChain, type SubsetCheckResult, TinyCloud, type TinyCloudConfig, type TinyCloudSession, UnsupportedFeatureError, type UserAuthorizationConfig, VAULT_PERMISSION_SERVICE, type ValidationError, VersionCheckError, type WasmRecapEntry, activateSessionWithHost, applyPrefix, buildSpaceUri, canonicalLocationPayload, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, defaultSignStrategy, defaultSpaceCreationHandler, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, fetchLocationRecord, fetchPeerId, httpUrlToMultiaddr, isCapabilitySubset, loadManifest, locationPayloadForRecord, makePublicSpaceId, manifestAbilitiesUnion, multiaddrToHttpUrl, normalizeDefaults, parseExpiry, parseRecapCapabilities, parseSpaceUri, resolveCloudLocation, resolveManifest, resolveTinyCloudHosts, resourceCapabilitiesToAbilitiesMap, resourceCapabilitiesToSpaceAbilitiesMap, signLocationRecord, submitHostDelegation, validateClientSession, validateLocationRecord, validateLocationRecordPayload, validateManifest, validatePersistedSessionData, verifyLocationRecord };
4652
+ export { ACCOUNT_REGISTRY_PATH, ACCOUNT_REGISTRY_SPACE, type AbilitiesMap, AutoApproveSpaceCreationHandler, type AutoRejectStrategy, type AutoSignStrategy, type Bytes, type CallbackStrategy, type CapabilityEntry, CapabilityKeyRegistry, type CapabilityKeyRegistryErrorCode, CapabilityKeyRegistryErrorCodes, type ClientSession, ClientSessionSchema, CloudLocationResolutionError, type ComposeManifestOptions, type ComposedManifestRequest, type CreateDelegationFunction, type CreateDelegationParams, type CreateDelegationWasmParams, type CreateDelegationWasmResult, DEFAULT_DEFAULTS, DEFAULT_EXPIRY, DEFAULT_MANIFEST_SPACE, DEFAULT_MANIFEST_VERSION, DEFAULT_SIGNED_READ_URL_EXPIRY_MS, DEFAULT_TINYCLOUD_FALLBACK_HOST, DEFAULT_TINYCLOUD_LOCATION_REGISTRY_URL, type DelegatedResource, type Delegation, type DelegationApiResponse, type DelegationChain, type DelegationChainV2, type DelegationDirection, type DelegationError, type DelegationErrorCode, DelegationErrorCodes, type DelegationFilters, DelegationManager, type DelegationManagerConfig, type DelegationRecord, type Result as DelegationResult, ENCRYPTION_MANIFEST_SPACE, ENCRYPTION_PERMISSION_SERVICE, EXPIRY, type EncodedShareData, type EnsData, EnsDataSchema, type EventEmitterStrategy, type ExpiryTier, type Extension, type GenerateShareParams, type ICapabilityKeyRegistry, type IENSResolver, type INotificationHandler, type ISessionManager, type ISessionStorage, type ISharingService, type ISigner, type ISpace, type ISpaceCreationHandler, type ISpaceScopedDelegations, type ISpaceScopedSharing, type ISpaceService, type IUserAuthorization, type IWasmBindings, type IngestOptions, type JWK, type KeyInfo, type KeyProvider, type KeyType, type LocationCandidate, type LocationCandidateInput, type LocationRecord, type LocationRecordPayload, type LocationRecordSigner, LocationRecordValidationError, type LocationResolutionAttempt, type LocationSource, type Manifest, type ManifestDefaults, type ManifestRegistryRecord, type ManifestSecretActions, ManifestValidationError, type NodeInfo, type ParseRecapFromSiwe, type PartialSiweMessage, type PermissionEntry, PermissionNotInManifestError, type PersistedSessionData, type PersistedTinyCloudSession, ProtocolMismatchError, type ReceiveOptions, type ResolveCloudLocationOptions, type ResolveTinyCloudHostsOptions, type ResolvedCapabilities, type ResolvedCloudLocation, type ResolvedDelegate, type ResolvedTinyCloudHosts, type ResourceCapability, SERVICE_LONG_TO_SHORT, SERVICE_SHORT_TO_LONG, type ServerHost, SessionExpiredError, type ShareAccess, type ShareLink, type ShareLinkData, type ShareSchema, SharingService, type SharingServiceConfig, type SignCallback, type SignInOptions, type SignRequest, type SignResponse, type SignStrategy, SilentNotificationHandler, type SiweConfig, SiweConfigSchema, Space, type SpaceAbilitiesMap, type SpaceConfig, type SpaceCreationContext, type SpaceDelegationParams, type SpaceErrorCode, SpaceErrorCodes, type SpaceHostResult, type SpaceInfo, type SpaceOwnership, SpaceService, type SpaceServiceConfig, type StoredDelegationChain, type SubsetCheckResult, TinyCloud, type TinyCloudConfig, type TinyCloudSession, UnsupportedFeatureError, type UserAuthorizationConfig, VAULT_PERMISSION_SERVICE, type ValidationError, VersionCheckError, type WasmRecapEntry, activateSessionWithHost, applyPrefix, buildSpaceUri, canonicalLocationPayload, checkNodeInfo, composeManifestRequest, createCapabilityKeyRegistry, createSharingService, createSpaceService, defaultSignStrategy, defaultSpaceCreationHandler, expandActionShortNames, expandPermissionEntries, expandPermissionEntry, fetchLocationRecord, fetchPeerId, httpUrlToMultiaddr, isCapabilitySubset, loadManifest, locationPayloadForRecord, makePublicSpaceId, manifestAbilitiesUnion, multiaddrToHttpUrl, normalizeDefaults, parseExpiry, parseRecapCapabilities, parseSpaceUri, resolveCloudLocation, resolveManifest, resolveTinyCloudHosts, resourceCapabilitiesToAbilitiesMap, resourceCapabilitiesToSpaceAbilitiesMap, signLocationRecord, submitHostDelegation, validateClientSession, validateLocationRecord, validateLocationRecordPayload, validateManifest, validatePersistedSessionData, verifyDidKeyEd25519Signature, verifyLocationRecord };