@tinycloud/sdk-core 2.4.0-beta.1 → 2.4.0-beta.10

package/dist/index.js

@@ -970,6 +970,7 @@ var SpaceService = class {
     this._userDid = config.userDid;
     this.sharingService = config.sharingService;
     this.createDelegationFn = config.createDelegation;
+    this.onSpaceRegisteredFn = config.onSpaceRegistered;
   }
   /**
    * Update the service configuration.
@@ -985,6 +986,7 @@ var SpaceService = class {
     if (config.userDid !== void 0) this._userDid = config.userDid;
     if (config.sharingService) this.sharingService = config.sharingService;
     if (config.createDelegation) this.createDelegationFn = config.createDelegation;
+    if (config.onSpaceRegistered) this.onSpaceRegisteredFn = config.onSpaceRegistered;
     this.spaceCache.clear();
     this.infoCache.clear();
   }
@@ -1035,6 +1037,9 @@ var SpaceService = class {
         spaces.push(...delegatedSpaces);
       }
       const uniqueSpaces = this.deduplicateSpaces(spaces);
+      for (const space of uniqueSpaces) {
+        this.notifySpaceRegistered(space);
+      }
       return ok(uniqueSpaces);
     } catch (error) {
       return err(
@@ -1232,6 +1237,7 @@ var SpaceService = class {
         permissions: ["*"]
       };
       this.infoCache.set(spaceInfo.id, { info: spaceInfo, cachedAt: Date.now() });
+      this.notifySpaceRegistered(spaceInfo);
       return ok(spaceInfo);
     } catch (error) {
       return err(
@@ -1244,6 +1250,11 @@ var SpaceService = class {
       );
     }
   }
+  notifySpaceRegistered(space) {
+    if (!this.onSpaceRegisteredFn) return;
+    void Promise.resolve(this.onSpaceRegisteredFn(space)).catch(() => {
+    });
+  }
   // ===========================================================================
   // Get Space
   // ===========================================================================
@@ -2151,1474 +2162,2326 @@ var TinyCloud = class _TinyCloud {
   }
 };
 
-// src/index.ts
+// src/account/AccountService.ts
 import {
-  ServiceContext as ServiceContext2,
-  KVService as KVService2,
-  PrefixedKVService,
-  ok as ok4,
-  err as err4,
-  serviceError as serviceError4,
-  ErrorCodes as ErrorCodes2,
-  defaultRetryPolicy as defaultRetryPolicy2,
-  SQLService as SQLService2,
-  DatabaseHandle,
-  SQLAction,
-  DuckDbService as DuckDbService2,
-  DuckDbDatabaseHandle,
-  DuckDbAction,
-  HooksService as HooksService2,
-  DataVaultService,
-  VaultHeaders,
-  VaultPublicSpaceKVActions,
-  createVaultCrypto,
-  SecretsService,
-  SECRET_NAME_RE as SECRET_NAME_RE2,
-  canonicalizeSecretScope,
-  resolveSecretListPrefix,
-  resolveSecretPath as resolveSecretPath2,
-  EncryptionService,
-  parseNetworkId as parseNetworkId2,
-  buildNetworkId as buildNetworkId2,
-  isNetworkId,
-  networkDiscoveryKey,
-  NetworkIdError,
-  ENCRYPTION_NETWORK_URN_PREFIX,
-  NETWORK_NAME_PATTERN,
-  canonicalizeEncryptionJson,
-  canonicalHashHex,
-  hexEncode,
-  hexDecode,
-  base64Encode,
-  base64Decode,
-  utf8Encode,
-  utf8Decode,
-  encryptToNetwork,
-  decryptEnvelopeWithKey,
-  validateEnvelope,
-  generateRandomReceiverKey,
-  deriveSignedReceiverKey,
-  buildCanonicalDecryptRequest,
-  buildDecryptFacts,
-  buildDecryptAttenuation,
-  buildDecryptInvocation,
-  checkDecryptInvocationInput,
-  verifyDecryptResponse,
-  canonicalSignedResponse,
-  openWrappedKey,
-  discoverNetwork,
-  ensureNetworkUsableForDecrypt,
-  DEFAULT_ENCRYPTION_ALG,
-  ENVELOPE_VERSION,
-  DEFAULT_KEY_VERSION,
-  DECRYPT_FACT_TYPE,
-  DECRYPT_RESULT_TYPE,
-  DECRYPT_ACTION,
-  ENCRYPTION_SERVICE,
-  ENCRYPTION_SERVICE_SHORT,
-  encryptionError
+  err as err3,
+  ok as ok3,
+  serviceError as serviceError3
 } from "@tinycloud/sdk-services";
 
-// src/space.ts
-async function fetchPeerId(host, spaceId) {
-  const res = await fetch(
-    `${host}/peer/generate/${encodeURIComponent(spaceId)}`
-  );
-  if (!res.ok) {
-    const error = await res.text().catch(() => res.statusText);
-    throw new Error(`Failed to get peer ID: ${res.status} - ${error}`);
+// src/manifest.ts
+import ms from "ms";
+import { resolveSecretPath, SECRET_NAME_RE } from "@tinycloud/sdk-services";
+var ManifestValidationError = class extends Error {
+  constructor(message) {
+    super(`Manifest validation failed: ${message}`);
+    this.name = "ManifestValidationError";
   }
-  return res.text();
+};
+var DEFAULT_EXPIRY = "30d";
+var DEFAULT_DEFAULTS = true;
+var DEFAULT_MANIFEST_VERSION = 1;
+var DEFAULT_MANIFEST_SPACE = "applications";
+var ACCOUNT_REGISTRY_SPACE = "account";
+var ACCOUNT_REGISTRY_PATH = "applications/";
+var SECRETS_SPACE = "secrets";
+var VAULT_PERMISSION_SERVICE = "tinycloud.vault";
+var SERVICE_SHORT_TO_LONG = Object.freeze({
+  kv: "tinycloud.kv",
+  sql: "tinycloud.sql",
+  duckdb: "tinycloud.duckdb",
+  capabilities: "tinycloud.capabilities",
+  hooks: "tinycloud.hooks",
+  encryption: "tinycloud.encryption"
+});
+var ENCRYPTION_PERMISSION_SERVICE = "tinycloud.encryption";
+var ENCRYPTION_MANIFEST_SPACE = "encryption";
+var SERVICE_LONG_TO_SHORT = Object.freeze(
+  Object.fromEntries(
+    Object.entries(SERVICE_SHORT_TO_LONG).map(([s, l]) => [l, s])
+  )
+);
+var DEFAULT_STANDARD_ENTRIES = [
+  {
+    service: "tinycloud.kv",
+    space: DEFAULT_MANIFEST_SPACE,
+    path: "/",
+    actions: ["get", "put", "del", "list", "metadata"]
+  },
+  {
+    service: "tinycloud.sql",
+    space: DEFAULT_MANIFEST_SPACE,
+    path: "/",
+    actions: ["read", "write"]
+  }
+];
+var DEFAULT_ADMIN_ENTRIES = [
+  {
+    service: "tinycloud.kv",
+    space: DEFAULT_MANIFEST_SPACE,
+    path: "/",
+    actions: ["get", "put", "del", "list", "metadata"]
+  },
+  {
+    service: "tinycloud.sql",
+    space: DEFAULT_MANIFEST_SPACE,
+    path: "/",
+    actions: ["read", "write", "ddl"]
+  }
+];
+var DEFAULT_ALL_ENTRIES = [
+  {
+    service: "tinycloud.kv",
+    space: DEFAULT_MANIFEST_SPACE,
+    path: "/",
+    actions: ["get", "put", "del", "list", "metadata"]
+  },
+  {
+    service: "tinycloud.sql",
+    space: DEFAULT_MANIFEST_SPACE,
+    path: "/",
+    actions: ["read", "write", "ddl"]
+  },
+  {
+    service: "tinycloud.duckdb",
+    space: DEFAULT_MANIFEST_SPACE,
+    path: "/",
+    actions: ["read", "write"]
+  }
+];
+function parseExpiry(duration) {
+  if (typeof duration !== "string" || duration.length === 0) {
+    throw new ManifestValidationError(
+      `expiry must be a non-empty duration string (got ${JSON.stringify(duration)})`
+    );
+  }
+  const parsed = ms(duration);
+  if (typeof parsed !== "number" || !Number.isFinite(parsed) || parsed <= 0) {
+    throw new ManifestValidationError(
+      `invalid expiry duration: ${JSON.stringify(duration)}`
+    );
+  }
+  return parsed;
 }
-async function submitHostDelegation(host, headers) {
-  const res = await fetch(`${host}/delegate`, {
-    method: "POST",
-    headers
+function expandActionShortNames(service, actions) {
+  return actions.map((a) => {
+    if (a.includes("/")) {
+      return a;
+    }
+    return `${service}/${a}`;
   });
-  return {
-    success: res.ok,
-    status: res.status,
-    error: res.ok ? void 0 : await res.text().catch(() => res.statusText)
-  };
 }
-async function activateSessionWithHost(host, delegationHeader) {
-  const res = await fetch(`${host}/delegate`, {
-    method: "POST",
-    headers: delegationHeader
-  });
-  if (res.ok) {
-    try {
-      const body = await res.json();
-      return {
-        success: true,
-        status: res.status,
-        activated: body.activated ?? [],
-        skipped: body.skipped ?? []
-      };
-    } catch {
-      return {
-        success: true,
-        status: res.status,
-        activated: [],
-        skipped: []
-      };
-    }
+function expandPermissionEntry(entry) {
+  if (entry.service === ENCRYPTION_PERMISSION_SERVICE) {
+    return expandEncryptionPermissionEntry(entry);
   }
-  return {
-    success: false,
-    status: res.status,
-    error: await res.text().catch(() => res.statusText)
-  };
-}
-
-// src/delegations/DelegationManager.ts
-var DelegationAction = {
-  CREATE: "tinycloud.delegation/create",
-  REVOKE: "tinycloud.delegation/revoke",
-  LIST: "tinycloud.delegation/list",
-  GET: "tinycloud.delegation/get",
-  CHECK: "tinycloud.delegation/check"
-};
-function createError(code, message, cause, meta) {
-  return {
-    code,
-    message,
-    service: "delegation",
-    cause,
-    meta
-  };
+  if (entry.service !== VAULT_PERMISSION_SERVICE) {
+    return [
+      {
+        ...entry,
+        actions: expandActionShortNames(entry.service, entry.actions)
+      }
+    ];
+  }
+  return expandVaultPermissionEntry(entry);
 }
-var DelegationManager = class {
-  /**
-   * Creates a new DelegationManager instance.
-   *
-   * @param config - Configuration including hosts, session, and invoke function
-   */
-  constructor(config) {
-    this.hosts = config.hosts;
-    this.session = config.session;
-    this.invoke = config.invoke;
-    this.fetchFn = config.fetch ?? globalThis.fetch.bind(globalThis);
+function expandEncryptionPermissionEntry(entry) {
+  if (typeof entry.path !== "string" || !entry.path.startsWith("urn:tinycloud:encryption:")) {
+    throw new ManifestValidationError(
+      `tinycloud.encryption entries require path to be a networkId URN (got ${JSON.stringify(entry.path)})`
+    );
   }
-  /**
-   * Updates the session (e.g., after re-authentication).
-   *
-   * @param session - New session to use for operations
-   */
-  updateSession(session) {
-    this.session = session;
-  }
-  /**
-   * Gets the primary host URL.
-   */
-  get host() {
-    return this.hosts[0];
-  }
-  /**
-   * Executes an invoke operation against the delegation API.
-   */
-  async invokeOperation(path, action, body) {
-    const headers = this.invoke(this.session, "delegation", path, action);
-    return this.fetchFn(`${this.host}/invoke`, {
-      method: "POST",
-      headers,
-      body
-    });
-  }
-  /**
-   * Creates a new delegation.
-   *
-   * Delegates specific permissions to another DID for a given path.
-   * The delegatee can then use these permissions to access resources
-   * within the specified scope.
-   *
-   * @param params - Parameters for the delegation
-   * @returns Result containing the created Delegation or an error
-   *
-   * @example
-   * ```typescript
-   * const result = await manager.create({
-   *   delegateDID: bob.did,
-   *   path: "documents/shared/",
-   *   actions: ["tinycloud.kv/get", "tinycloud.kv/put"],
-   *   expiry: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000), // 7 days
-   * });
-   * ```
-   */
-  async create(params) {
-    if (!params.delegateDID) {
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.INVALID_INPUT,
-          "delegateDID is required"
-        )
-      };
+  const normalizedActions = [];
+  for (const action of entry.actions) {
+    if (action === "decrypt" || action === "tinycloud.encryption/decrypt") {
+      normalizedActions.push("tinycloud.encryption/decrypt");
+      continue;
     }
-    if (!params.path) {
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.INVALID_INPUT,
-          "path is required"
-        )
-      };
+    if (action === "network.create" || action === "tinycloud.encryption/network.create") {
+      normalizedActions.push("tinycloud.encryption/network.create");
+      continue;
     }
-    if (!params.actions || params.actions.length === 0) {
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.INVALID_INPUT,
-          "at least one action is required"
-        )
-      };
+    if (action === "network.revoke" || action === "tinycloud.encryption/network.revoke") {
+      normalizedActions.push("tinycloud.encryption/network.revoke");
+      continue;
     }
-    try {
-      const body = JSON.stringify({
-        delegateDID: params.delegateDID,
-        path: params.path,
-        actions: params.actions,
-        expiry: params.expiry?.toISOString(),
-        disableSubDelegation: params.disableSubDelegation ?? false,
-        statement: params.statement
-      });
-      const response = await this.invokeOperation(
-        params.path,
-        DelegationAction.CREATE,
-        body
+    if (action.includes("/")) {
+      throw new ManifestValidationError(
+        `unknown encryption action ${JSON.stringify(action)}; expected decrypt, network.create, or network.revoke`
       );
-      if (!response.ok) {
-        const errorText = await response.text();
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.CREATION_FAILED,
-            `Failed to create delegation: ${response.status} - ${errorText}`,
-            void 0,
-            { status: response.status, path: params.path }
-          )
-        };
-      }
-      const apiResponse = await response.json();
-      const delegation = {
-        cid: apiResponse.cid ?? "",
-        delegateDID: params.delegateDID,
-        spaceId: this.session.spaceId,
-        path: params.path,
-        actions: params.actions,
-        expiry: params.expiry ?? new Date(Date.now() + EXPIRY.SHARE_MS),
-        isRevoked: false,
-        allowSubDelegation: !(params.disableSubDelegation ?? false),
-        createdAt: /* @__PURE__ */ new Date()
-      };
-      return { ok: true, data: delegation };
-    } catch (error) {
-      if (error instanceof Error && error.name === "AbortError") {
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.ABORTED,
-            "Request aborted",
-            error
-          )
-        };
-      }
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.NETWORK_ERROR,
-          `Network error during delegation creation: ${String(error)}`,
-          error instanceof Error ? error : void 0
-        )
-      };
     }
+    throw new ManifestValidationError(
+      `unknown encryption action ${JSON.stringify(action)}; expected decrypt, network.create, or network.revoke`
+    );
   }
-  /**
-   * Revokes an existing delegation.
-   *
-   * Once revoked, the delegation can no longer be used to access resources.
-   * This also invalidates any sub-delegations derived from this delegation.
-   *
-   * @param cid - The CID of the delegation to revoke
-   * @returns Result indicating success or an error
-   *
-   * @example
-   * ```typescript
-   * const result = await manager.revoke("bafy...");
-   * if (result.ok) {
-   *   console.log("Delegation revoked successfully");
-   * }
-   * ```
-   */
-  async revoke(cid) {
-    if (!cid) {
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.INVALID_INPUT,
-          "cid is required"
-        )
-      };
+  const dedupedActions = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const a of normalizedActions) {
+    if (!seen.has(a)) {
+      dedupedActions.push(a);
+      seen.add(a);
     }
-    try {
-      const body = JSON.stringify({ cid });
-      const response = await this.invokeOperation(
-        cid,
-        DelegationAction.REVOKE,
-        body
-      );
-      if (!response.ok) {
-        const errorText = await response.text();
-        if (response.status === 404) {
-          return {
-            ok: false,
-            error: createError(
-              DelegationErrorCodes.NOT_FOUND,
-              `Delegation not found: ${cid}`
-            )
-          };
-        }
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.REVOCATION_FAILED,
-            `Failed to revoke delegation: ${response.status} - ${errorText}`,
-            void 0,
-            { status: response.status, cid }
-          )
-        };
-      }
-      return { ok: true, data: void 0 };
-    } catch (error) {
-      if (error instanceof Error && error.name === "AbortError") {
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.ABORTED,
-            "Request aborted",
-            error
-          )
-        };
-      }
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.NETWORK_ERROR,
-          `Network error during delegation revocation: ${String(error)}`,
-          error instanceof Error ? error : void 0
-        )
-      };
+  }
+  return [
+    {
+      service: ENCRYPTION_PERMISSION_SERVICE,
+      space: ENCRYPTION_MANIFEST_SPACE,
+      path: entry.path,
+      actions: dedupedActions,
+      skipPrefix: true,
+      ...entry.expiry !== void 0 ? { expiry: entry.expiry } : {},
+      ...entry.description !== void 0 ? { description: entry.description } : {}
     }
+  ];
+}
+function expandPermissionEntries(entries) {
+  return entries.flatMap(expandPermissionEntry);
+}
+function applyPrefix(prefix, path, skipPrefix) {
+  if (skipPrefix) {
+    return path;
   }
-  /**
-   * Lists all delegations for the current session's space.
-   *
-   * Returns both delegations created by the current user (as delegator)
-   * and delegations granted to the current user (as delegatee).
-   *
-   * @returns Result containing an array of Delegations or an error
-   *
-   * @example
-   * ```typescript
-   * const result = await manager.list();
-   * if (result.ok) {
-   *   for (const delegation of result.data) {
-   *     console.log(`${delegation.cid}: ${delegation.path} -> ${delegation.delegateDID}`);
-   *   }
-   * }
-   * ```
-   */
-  async list() {
-    try {
-      const response = await this.invokeOperation("", DelegationAction.LIST);
-      if (!response.ok) {
-        const errorText = await response.text();
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.NETWORK_ERROR,
-            `Failed to list delegations: ${response.status} - ${errorText}`,
-            void 0,
-            { status: response.status }
-          )
-        };
-      }
-      const data = await response.json();
-      const delegations = data.map((item) => ({
-        cid: item.cid,
-        delegateDID: item.delegateDID,
-        delegatorDID: item.delegatorDID,
-        spaceId: item.spaceId,
-        path: item.path,
-        actions: item.actions,
-        expiry: new Date(item.expiry),
-        isRevoked: item.isRevoked,
-        createdAt: item.createdAt ? new Date(item.createdAt) : void 0,
-        parentCid: item.parentCid,
-        allowSubDelegation: item.allowSubDelegation
-      }));
-      return { ok: true, data: delegations };
-    } catch (error) {
-      if (error instanceof Error && error.name === "AbortError") {
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.ABORTED,
-            "Request aborted",
-            error
-          )
-        };
-      }
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.NETWORK_ERROR,
-          `Network error during delegation list: ${String(error)}`,
-          error instanceof Error ? error : void 0
-        )
-      };
+  if (prefix === "") {
+    return path;
+  }
+  if (path.startsWith("/")) {
+    return `${prefix}${path}`;
+  }
+  return `${prefix}/${path}`;
+}
+async function loadManifest(url) {
+  const fetchFn = globalThis.fetch;
+  if (typeof fetchFn !== "function") {
+    throw new ManifestValidationError(
+      "loadManifest requires a global fetch; pass the manifest object directly on runtimes without fetch"
+    );
+  }
+  const res = await fetchFn(url);
+  if (!res.ok) {
+    throw new ManifestValidationError(
+      `failed to fetch manifest from ${url}: HTTP ${res.status}`
+    );
+  }
+  const json = await res.json();
+  return validateManifest(json);
+}
+function validateManifest(input) {
+  if (input === null || typeof input !== "object") {
+    throw new ManifestValidationError("manifest must be an object");
+  }
+  const m = input;
+  if (m.manifest_version !== void 0 && m.manifest_version !== DEFAULT_MANIFEST_VERSION) {
+    throw new ManifestValidationError(
+      `manifest.manifest_version must be ${DEFAULT_MANIFEST_VERSION}`
+    );
+  }
+  if (typeof m.app_id !== "string" || m.app_id.length === 0) {
+    throw new ManifestValidationError(
+      "manifest.app_id is required and must be a non-empty string"
+    );
+  }
+  if (typeof m.name !== "string" || m.name.length === 0) {
+    throw new ManifestValidationError(
+      "manifest.name is required and must be a non-empty string"
+    );
+  }
+  if (m.did !== void 0 && (typeof m.did !== "string" || m.did.length === 0)) {
+    throw new ManifestValidationError(
+      "manifest.did must be a non-empty DID string"
+    );
+  }
+  if (m.space !== void 0 && (typeof m.space !== "string" || m.space.length === 0)) {
+    throw new ManifestValidationError(
+      "manifest.space must be a non-empty string"
+    );
+  }
+  if (m.expiry !== void 0) {
+    parseExpiry(m.expiry);
+  }
+  if (m.permissions !== void 0) {
+    if (!Array.isArray(m.permissions)) {
+      throw new ManifestValidationError(
+        "manifest.permissions must be an array"
+      );
     }
+    m.permissions.forEach(
+      (p, i) => validatePermissionEntry(p, `permissions[${i}]`)
+    );
   }
-  /**
-   * Gets the full delegation chain for a given delegation.
-   *
-   * Returns the chain of delegations from the root (original delegator)
-   * to the specified delegation, including all intermediate sub-delegations.
-   *
-   * @param cid - The CID of the delegation to get the chain for
-   * @returns Result containing the DelegationChain or an error
-   *
-   * @example
-   * ```typescript
-   * const result = await manager.getChain("bafy...");
-   * if (result.ok) {
-   *   console.log("Chain length:", result.data.length);
-   *   for (const delegation of result.data) {
-   *     console.log(`- ${delegation.delegatorDID} -> ${delegation.delegateDID}`);
-   *   }
-   * }
-   * ```
-   */
-  async getChain(cid) {
-    if (!cid) {
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.INVALID_INPUT,
-          "cid is required"
-        )
-      };
+  if (m.secrets !== void 0) {
+    validateManifestSecrets(m.secrets);
+  }
+  return m;
+}
+function validateManifestSecrets(secrets) {
+  if (secrets === null || typeof secrets !== "object" || Array.isArray(secrets)) {
+    throw new ManifestValidationError("manifest.secrets must be an object");
+  }
+  for (const [name, spec] of Object.entries(secrets)) {
+    if (!SECRET_NAME_RE.test(name)) {
+      throw new ManifestValidationError(
+        `manifest.secrets.${name} must match ${SECRET_NAME_RE.source}`
+      );
     }
     try {
-      const body = JSON.stringify({ cid, includeChain: true });
-      const response = await this.invokeOperation(
-        cid,
-        DelegationAction.GET,
-        body
+      resolveSecretPath(
+        secretNameFromSpec(name, spec),
+        { scope: secretScopeFromSpec(spec) }
       );
-      if (!response.ok) {
-        const errorText = await response.text();
-        if (response.status === 404) {
-          return {
-            ok: false,
-            error: createError(
-              DelegationErrorCodes.NOT_FOUND,
-              `Delegation not found: ${cid}`
-            )
-          };
-        }
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.NETWORK_ERROR,
-            `Failed to get delegation chain: ${response.status} - ${errorText}`,
-            void 0,
-            { status: response.status, cid }
-          )
-        };
-      }
-      const data = await response.json();
-      const chain = data.chain.map((item) => ({
-        cid: item.cid,
-        delegateDID: item.delegateDID,
-        delegatorDID: item.delegatorDID,
-        spaceId: item.spaceId,
-        path: item.path,
-        actions: item.actions,
-        expiry: new Date(item.expiry),
-        isRevoked: item.isRevoked,
-        createdAt: item.createdAt ? new Date(item.createdAt) : void 0,
-        parentCid: item.parentCid,
-        allowSubDelegation: item.allowSubDelegation
-      }));
-      return { ok: true, data: chain };
     } catch (error) {
-      if (error instanceof Error && error.name === "AbortError") {
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.ABORTED,
-            "Request aborted",
-            error
-          )
-        };
+      throw new ManifestValidationError(
+        `manifest.secrets.${name}: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
+    const actions = secretActionsFromSpec(name, spec);
+    if (actions.length === 0) {
+      throw new ManifestValidationError(
+        `manifest.secrets.${name} actions must be non-empty`
+      );
+    }
+    for (const action of actions) {
+      if (typeof action !== "string" || action.length === 0) {
+        throw new ManifestValidationError(
+          `manifest.secrets.${name} actions must be non-empty strings`
+        );
       }
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.NETWORK_ERROR,
-          `Network error during chain retrieval: ${String(error)}`,
-          error instanceof Error ? error : void 0
-        )
-      };
+    }
+    if (spec !== null && typeof spec === "object" && !Array.isArray(spec) && spec.expiry !== void 0) {
+      parseExpiry(spec.expiry);
     }
   }
-  /**
-   * Checks if the current session has permission for a given path and action.
-   *
-   * This can be used to verify permissions before attempting an operation,
-   * or to implement custom access control logic.
-   *
-   * @param path - The resource path to check
-   * @param action - The action to check (e.g., "tinycloud.kv/get")
-   * @returns Result containing a boolean indicating permission or an error
-   *
-   * @example
-   * ```typescript
-   * const result = await manager.checkPermission("documents/private/", "tinycloud.kv/put");
-   * if (result.ok && result.data) {
-   *   console.log("Permission granted");
-   * } else {
-   *   console.log("Permission denied");
-   * }
-   * ```
-   */
-  async checkPermission(path, action) {
-    if (!path) {
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.INVALID_INPUT,
-          "path is required"
-        )
-      };
-    }
-    if (!action) {
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.INVALID_INPUT,
-          "action is required"
-        )
-      };
-    }
-    try {
-      const body = JSON.stringify({ path, action });
-      const response = await this.invokeOperation(
-        path,
-        DelegationAction.CHECK,
-        body
-      );
-      if (!response.ok) {
-        if (response.status === 403) {
-          return { ok: true, data: false };
-        }
-        const errorText = await response.text();
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.NETWORK_ERROR,
-            `Failed to check permission: ${response.status} - ${errorText}`,
-            void 0,
-            { status: response.status, path, action }
-          )
-        };
-      }
-      const data = await response.json();
-      return { ok: true, data: data.allowed };
-    } catch (error) {
-      if (error instanceof Error && error.name === "AbortError") {
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.ABORTED,
-            "Request aborted",
-            error
-          )
-        };
-      }
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.NETWORK_ERROR,
-          `Network error during permission check: ${String(error)}`,
-          error instanceof Error ? error : void 0
-        )
-      };
-    }
-  }
-};
-
-// src/delegations/SharingService.schema.ts
-import { z as z5 } from "zod";
-var EncodedShareDataSchema = z5.object({
-  /** Private key in JWK format (must include d parameter) */
-  key: JWKSchema.refine(
-    (jwk) => typeof jwk.d === "string" && jwk.d.length > 0,
-    { message: "JWK must include private key (d parameter)" }
-  ),
-  /** DID of the key */
-  keyDid: z5.string().min(1, "keyDid is required"),
-  /** The delegation granting access */
-  delegation: DelegationSchema,
-  /** Resource path this link grants access to */
-  path: z5.string().min(1, "path is required"),
-  /** TinyCloud host URL */
-  host: z5.string().url("host must be a valid URL"),
-  /** Space ID */
-  spaceId: z5.string().min(1, "spaceId is required"),
-  /** Schema version (must be 1) */
-  version: z5.literal(1)
-});
-var ReceiveOptionsSchema = z5.object({
-  /**
-   * Whether to automatically create a sub-delegation to the current session key.
-   * Default: true
-   */
-  autoSubdelegate: z5.boolean().optional(),
-  /**
-   * Whether to use the current session key for operations (requires autoSubdelegate).
-   * Default: true
-   */
-  useSessionKey: z5.boolean().optional(),
-  /**
-   * Ingestion options passed to CapabilityKeyRegistry.
-   */
-  ingestOptions: IngestOptionsSchema.optional()
-});
-var SharingServiceConfigSchema = z5.object({
-  /** TinyCloud host URLs */
-  hosts: z5.array(z5.string().url()).min(1, "At least one host URL is required"),
-  /**
-   * Active session for authentication.
-   * Required for generate(), optional for receive().
-   */
-  session: z5.unknown().refine(
-    (val) => val === void 0 || val !== null && typeof val === "object",
-    { message: "Expected a ServiceSession object or undefined" }
-  ).optional(),
-  /** Platform-specific invoke function */
-  invoke: z5.unknown().refine((val) => typeof val === "function", {
-    message: "Expected an invoke function"
-  }),
-  /** Optional custom fetch implementation */
-  fetch: z5.unknown().refine(
-    (val) => val === void 0 || typeof val === "function",
-    { message: "Expected a fetch function or undefined" }
-  ).optional(),
-  /** Key provider for cryptographic operations */
-  keyProvider: KeyProviderSchema,
-  /** Capability key registry for key/delegation management */
-  registry: z5.unknown().refine(
-    (val) => val !== null && typeof val === "object",
-    { message: "Expected an ICapabilityKeyRegistry object" }
-  ),
-  /**
-   * Delegation manager for creating delegations.
-   * Required for generate(), optional for receive().
-   */
-  delegationManager: z5.unknown().refine(
-    (val) => val === void 0 || val !== null && typeof val === "object",
-    { message: "Expected a DelegationManager object or undefined" }
-  ).optional(),
-  /** Factory for creating KV service instances */
-  createKVService: z5.unknown().refine(
-    (val) => typeof val === "function",
-    { message: "Expected a createKVService factory function" }
-  ),
-  /** Base URL for sharing links (e.g., "https://share.myapp.com") */
-  baseUrl: z5.string().optional(),
-  /**
-   * Custom delegation creation function.
-   */
-  createDelegation: z5.unknown().refine((val) => val === void 0 || typeof val === "function", {
-    message: "Expected a createDelegation function or undefined"
-  }).optional(),
-  /**
-   * WASM function for client-side delegation creation.
-   */
-  createDelegationWasm: z5.unknown().refine((val) => val === void 0 || typeof val === "function", {
-    message: "Expected a createDelegationWasm function or undefined"
-  }).optional(),
-  /**
-   * Path prefix for KV operations.
-   */
-  pathPrefix: z5.string().optional(),
-  /**
-   * Session expiry time.
-   */
-  sessionExpiry: z5.date().optional(),
-  /**
-   * Callback to create a DIRECT delegation from wallet to share key.
-   * This is the preferred method for long-lived share links because it
-   * bypasses the session delegation chain entirely.
-   */
-  onRootDelegationNeeded: z5.unknown().refine((val) => val === void 0 || typeof val === "function", {
-    message: "Expected an onRootDelegationNeeded function or undefined"
-  }).optional()
-});
-function validateEncodedShareData(data) {
-  const result = EncodedShareDataSchema.safeParse(data);
-  if (!result.success) {
-    return {
-      ok: false,
-      error: {
-        code: DelegationErrorCodes.VALIDATION_ERROR,
-        message: `Invalid share data: ${result.error.message}`,
-        service: "delegation",
-        meta: { issues: result.error.issues }
-      }
-    };
-  }
-  return { ok: true, data: result.data };
 }
-
-// src/manifest.ts
-import ms from "ms";
-import { resolveSecretPath, SECRET_NAME_RE } from "@tinycloud/sdk-services";
-var ManifestValidationError = class extends Error {
-  constructor(message) {
-    super(`Manifest validation failed: ${message}`);
-    this.name = "ManifestValidationError";
-  }
-};
-var DEFAULT_EXPIRY = "30d";
-var DEFAULT_DEFAULTS = true;
-var DEFAULT_MANIFEST_VERSION = 1;
-var DEFAULT_MANIFEST_SPACE = "applications";
-var ACCOUNT_REGISTRY_SPACE = "account";
-var ACCOUNT_REGISTRY_PATH = "applications/";
-var SECRETS_SPACE = "secrets";
-var VAULT_PERMISSION_SERVICE = "tinycloud.vault";
-var SERVICE_SHORT_TO_LONG = Object.freeze({
-  kv: "tinycloud.kv",
-  sql: "tinycloud.sql",
-  duckdb: "tinycloud.duckdb",
-  capabilities: "tinycloud.capabilities",
-  hooks: "tinycloud.hooks",
-  encryption: "tinycloud.encryption"
-});
-var ENCRYPTION_PERMISSION_SERVICE = "tinycloud.encryption";
-var ENCRYPTION_MANIFEST_SPACE = "encryption";
-var SERVICE_LONG_TO_SHORT = Object.freeze(
-  Object.fromEntries(
-    Object.entries(SERVICE_SHORT_TO_LONG).map(([s, l]) => [l, s])
-  )
-);
-var DEFAULT_STANDARD_ENTRIES = [
-  {
-    service: "tinycloud.kv",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["get", "put", "del", "list", "metadata"]
-  },
-  {
-    service: "tinycloud.sql",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["read", "write"]
+function validatePermissionEntry(p, path) {
+  if (p === null || typeof p !== "object") {
+    throw new ManifestValidationError(`${path} must be an object`);
   }
-];
-var DEFAULT_ADMIN_ENTRIES = [
-  {
-    service: "tinycloud.kv",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["get", "put", "del", "list", "metadata"]
-  },
-  {
-    service: "tinycloud.sql",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["read", "write", "ddl"]
+  const entry = p;
+  if (typeof entry.service !== "string" || entry.service.length === 0) {
+    throw new ManifestValidationError(`${path}.service is required`);
   }
-];
-var DEFAULT_ALL_ENTRIES = [
-  {
-    service: "tinycloud.kv",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["get", "put", "del", "list", "metadata"]
-  },
-  {
-    service: "tinycloud.sql",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["read", "write", "ddl"]
-  },
-  {
-    service: "tinycloud.duckdb",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["read", "write"]
+  if (entry.space !== void 0 && (typeof entry.space !== "string" || entry.space.length === 0)) {
+    throw new ManifestValidationError(
+      `${path}.space must be a non-empty string`
+    );
   }
-];
-function parseExpiry(duration) {
-  if (typeof duration !== "string" || duration.length === 0) {
+  if (typeof entry.path !== "string") {
     throw new ManifestValidationError(
-      `expiry must be a non-empty duration string (got ${JSON.stringify(duration)})`
+      `${path}.path is required (use "" or "/" for root)`
     );
   }
-  const parsed = ms(duration);
-  if (typeof parsed !== "number" || !Number.isFinite(parsed) || parsed <= 0) {
+  if (!Array.isArray(entry.actions) || entry.actions.length === 0) {
     throw new ManifestValidationError(
-      `invalid expiry duration: ${JSON.stringify(duration)}`
+      `${path}.actions must be a non-empty array`
     );
   }
-  return parsed;
-}
-function expandActionShortNames(service, actions) {
-  return actions.map((a) => {
-    if (a.includes("/")) {
-      return a;
+  for (const action of entry.actions) {
+    if (typeof action !== "string" || action.length === 0) {
+      throw new ManifestValidationError(
+        `${path}.actions must contain non-empty strings`
+      );
     }
-    return `${service}/${a}`;
-  });
+    if (entry.service === VAULT_PERMISSION_SERVICE) {
+      vaultActionExpansion(action);
+    }
+  }
+  if (entry.expiry !== void 0) {
+    parseExpiry(entry.expiry);
+  }
 }
-function expandPermissionEntry(entry) {
-  if (entry.service === ENCRYPTION_PERMISSION_SERVICE) {
-    return expandEncryptionPermissionEntry(entry);
+function normalizeDefaults(value) {
+  if (value === void 0) {
+    return DEFAULT_DEFAULTS;
   }
-  if (entry.service !== VAULT_PERMISSION_SERVICE) {
-    return [
-      {
-        ...entry,
-        actions: expandActionShortNames(entry.service, entry.actions)
-      }
-    ];
+  if (typeof value === "boolean") {
+    return value;
   }
-  return expandVaultPermissionEntry(entry);
+  if (typeof value !== "string") {
+    return true;
+  }
+  const normalized = value.trim().toLowerCase();
+  if (normalized === "admin" || normalized === "all") {
+    return normalized;
+  }
+  return true;
 }
-function expandEncryptionPermissionEntry(entry) {
-  if (typeof entry.path !== "string" || !entry.path.startsWith("urn:tinycloud:encryption:")) {
-    throw new ManifestValidationError(
-      `tinycloud.encryption entries require path to be a networkId URN (got ${JSON.stringify(entry.path)})`
-    );
+function defaultEntriesForTier(tier) {
+  if (tier === false) {
+    return [];
   }
-  const normalizedActions = [];
-  for (const action of entry.actions) {
-    if (action === "decrypt" || action === "tinycloud.encryption/decrypt") {
-      normalizedActions.push("tinycloud.encryption/decrypt");
+  const source = tier === "admin" ? DEFAULT_ADMIN_ENTRIES : tier === "all" ? DEFAULT_ALL_ENTRIES : DEFAULT_STANDARD_ENTRIES;
+  return source.map((e) => ({
+    service: e.service,
+    space: e.space,
+    path: e.path,
+    actions: [...e.actions],
+    ...e.skipPrefix !== void 0 ? { skipPrefix: e.skipPrefix } : {}
+  }));
+}
+function resolveManifest(input) {
+  const manifest = validateManifest(input);
+  const prefix = manifest.prefix !== void 0 ? manifest.prefix : manifest.app_id;
+  const space = manifest.space ?? DEFAULT_MANIFEST_SPACE;
+  const expiryMs = parseExpiry(manifest.expiry ?? DEFAULT_EXPIRY);
+  const includePublicSpace = manifest.includePublicSpace ?? true;
+  const tier = normalizeDefaults(manifest.defaults);
+  const defaultEntries = defaultEntriesForTier(tier);
+  const explicitEntries = manifest.permissions ?? [];
+  const secretEntries = secretEntriesForManifest(manifest.secrets);
+  const allEntries = [
+    ...defaultEntries,
+    ...explicitEntries,
+    ...secretEntries
+  ];
+  const resources = withCapabilitiesReadForSpaces(
+    allEntries.flatMap((entry) => resolveEntry(entry, prefix, expiryMs, space))
+  );
+  const additionalDelegates = manifest.did === void 0 ? [] : [
+    {
+      did: manifest.did,
+      name: manifest.name,
+      expiryMs,
+      permissions: resources.map(cloneResourceCapability)
+    }
+  ];
+  return {
+    app_id: manifest.app_id,
+    ...manifest.did !== void 0 ? { did: manifest.did } : {},
+    space,
+    resources,
+    expiryMs,
+    includePublicSpace,
+    additionalDelegates
+  };
+}
+function normalizeSecretActions(actions) {
+  const out = [];
+  const seen = /* @__PURE__ */ new Set();
+  const add = (action) => {
+    if (!seen.has(action)) {
+      out.push(action);
+      seen.add(action);
+    }
+  };
+  for (const action of actions) {
+    if (action === "read") {
+      add("get");
       continue;
     }
-    if (action === "network.create" || action === "tinycloud.encryption/network.create") {
-      normalizedActions.push("tinycloud.encryption/network.create");
+    if (action === "write") {
+      add("put");
       continue;
     }
-    if (action === "network.revoke" || action === "tinycloud.encryption/network.revoke") {
-      normalizedActions.push("tinycloud.encryption/network.revoke");
+    if (action === "delete") {
+      add("del");
       continue;
     }
-    if (action.includes("/")) {
-      throw new ManifestValidationError(
-        `unknown encryption action ${JSON.stringify(action)}; expected decrypt, network.create, or network.revoke`
-      );
+    if (action === "get" || action === "put" || action === "del" || action === "list" || action === "metadata") {
+      add(action);
+      continue;
+    }
+    if (action === "tinycloud.kv/get" || action === "tinycloud.kv/put" || action === "tinycloud.kv/del" || action === "tinycloud.kv/list" || action === "tinycloud.kv/metadata") {
+      add(action);
+      continue;
     }
     throw new ManifestValidationError(
-      `unknown encryption action ${JSON.stringify(action)}; expected decrypt, network.create, or network.revoke`
+      `unknown secret action ${JSON.stringify(action)}; expected read, write, delete, list, or metadata`
     );
   }
-  const dedupedActions = [];
-  const seen = /* @__PURE__ */ new Set();
-  for (const a of normalizedActions) {
-    if (!seen.has(a)) {
-      dedupedActions.push(a);
-      seen.add(a);
-    }
-  }
-  return [
-    {
-      service: ENCRYPTION_PERMISSION_SERVICE,
-      space: ENCRYPTION_MANIFEST_SPACE,
-      path: entry.path,
-      actions: dedupedActions,
-      skipPrefix: true,
-      ...entry.expiry !== void 0 ? { expiry: entry.expiry } : {},
-      ...entry.description !== void 0 ? { description: entry.description } : {}
-    }
-  ];
-}
-function expandPermissionEntries(entries) {
-  return entries.flatMap(expandPermissionEntry);
+  return out;
 }
-function applyPrefix(prefix, path, skipPrefix) {
-  if (skipPrefix) {
-    return path;
-  }
-  if (prefix === "") {
-    return path;
-  }
-  if (path.startsWith("/")) {
-    return `${prefix}${path}`;
+function secretNameFromSpec(fallbackName, spec) {
+  if (spec !== null && typeof spec === "object" && !Array.isArray(spec)) {
+    return spec.name ?? fallbackName;
   }
-  return `${prefix}/${path}`;
+  return fallbackName;
 }
-async function loadManifest(url) {
-  const fetchFn = globalThis.fetch;
-  if (typeof fetchFn !== "function") {
-    throw new ManifestValidationError(
-      "loadManifest requires a global fetch; pass the manifest object directly on runtimes without fetch"
-    );
-  }
-  const res = await fetchFn(url);
-  if (!res.ok) {
-    throw new ManifestValidationError(
-      `failed to fetch manifest from ${url}: HTTP ${res.status}`
-    );
+function secretScopeFromSpec(spec) {
+  if (spec !== null && typeof spec === "object" && !Array.isArray(spec)) {
+    return spec.scope;
   }
-  const json = await res.json();
-  return validateManifest(json);
+  return void 0;
 }
-function validateManifest(input) {
-  if (input === null || typeof input !== "object") {
-    throw new ManifestValidationError("manifest must be an object");
-  }
-  const m = input;
-  if (m.manifest_version !== void 0 && m.manifest_version !== DEFAULT_MANIFEST_VERSION) {
-    throw new ManifestValidationError(
-      `manifest.manifest_version must be ${DEFAULT_MANIFEST_VERSION}`
-    );
-  }
-  if (typeof m.app_id !== "string" || m.app_id.length === 0) {
-    throw new ManifestValidationError(
-      "manifest.app_id is required and must be a non-empty string"
-    );
+function secretActionsFromSpec(name, spec) {
+  if (spec === true) {
+    return ["read"];
   }
-  if (typeof m.name !== "string" || m.name.length === 0) {
-    throw new ManifestValidationError(
-      "manifest.name is required and must be a non-empty string"
-    );
+  if (typeof spec === "string") {
+    return [spec];
   }
-  if (m.did !== void 0 && (typeof m.did !== "string" || m.did.length === 0)) {
-    throw new ManifestValidationError(
-      "manifest.did must be a non-empty DID string"
-    );
+  if (Array.isArray(spec)) {
+    return spec;
   }
-  if (m.space !== void 0 && (typeof m.space !== "string" || m.space.length === 0)) {
+  if (spec === null || typeof spec !== "object") {
     throw new ManifestValidationError(
-      "manifest.space must be a non-empty string"
+      `manifest.secrets.${name} must be true, a string action, an actions array, or an object`
     );
   }
-  if (m.expiry !== void 0) {
-    parseExpiry(m.expiry);
+  if (spec.actions === void 0) {
+    return ["read"];
   }
-  if (m.permissions !== void 0) {
-    if (!Array.isArray(m.permissions)) {
-      throw new ManifestValidationError(
-        "manifest.permissions must be an array"
-      );
-    }
-    m.permissions.forEach(
-      (p, i) => validatePermissionEntry(p, `permissions[${i}]`)
-    );
+  if (typeof spec.actions === "string") {
+    return [spec.actions];
   }
-  if (m.secrets !== void 0) {
-    validateManifestSecrets(m.secrets);
+  if (Array.isArray(spec.actions)) {
+    return spec.actions;
   }
-  return m;
+  throw new ManifestValidationError(
+    `manifest.secrets.${name}.actions must be a string or array`
+  );
 }
-function validateManifestSecrets(secrets) {
-  if (secrets === null || typeof secrets !== "object" || Array.isArray(secrets)) {
-    throw new ManifestValidationError("manifest.secrets must be an object");
+function secretEntriesForManifest(secrets) {
+  if (secrets === void 0) {
+    return [];
   }
+  const entries = [];
   for (const [name, spec] of Object.entries(secrets)) {
-    if (!SECRET_NAME_RE.test(name)) {
-      throw new ManifestValidationError(
-        `manifest.secrets.${name} must match ${SECRET_NAME_RE.source}`
-      );
-    }
-    try {
-      resolveSecretPath(
-        secretNameFromSpec(name, spec),
-        { scope: secretScopeFromSpec(spec) }
-      );
-    } catch (error) {
-      throw new ManifestValidationError(
-        `manifest.secrets.${name}: ${error instanceof Error ? error.message : String(error)}`
-      );
-    }
     const actions = secretActionsFromSpec(name, spec);
-    if (actions.length === 0) {
-      throw new ManifestValidationError(
-        `manifest.secrets.${name} actions must be non-empty`
-      );
-    }
-    for (const action of actions) {
-      if (typeof action !== "string" || action.length === 0) {
-        throw new ManifestValidationError(
-          `manifest.secrets.${name} actions must be non-empty strings`
-        );
+    const secretPath = resolveSecretPath(
+      secretNameFromSpec(name, spec),
+      { scope: secretScopeFromSpec(spec) }
+    );
+    const extra = spec !== true && typeof spec === "object" && !Array.isArray(spec) ? spec : {};
+    entries.push({
+      service: VAULT_PERMISSION_SERVICE,
+      space: SECRETS_SPACE,
+      path: secretPath.vaultKey,
+      actions: normalizeSecretActions(actions),
+      skipPrefix: true,
+      ...extra.expiry !== void 0 ? { expiry: extra.expiry } : {},
+      ...extra.description !== void 0 ? { description: extra.description } : {}
+    });
+  }
+  return entries;
+}
+function resolveEntry(entry, prefix, _inheritedExpiryMs, inheritedSpace) {
+  const skipPrefixForEntry = entry.skipPrefix === true || entry.service === ENCRYPTION_PERMISSION_SERVICE;
+  const resolvedPath = applyPrefix(prefix, entry.path, skipPrefixForEntry);
+  const entryExpiryMs = entry.expiry !== void 0 ? parseExpiry(entry.expiry) : void 0;
+  return expandPermissionEntry({
+    ...entry,
+    space: entry.space ?? inheritedSpace,
+    path: resolvedPath,
+    skipPrefix: true
+  }).map((expanded) => ({
+    service: expanded.service,
+    space: expanded.space ?? inheritedSpace,
+    path: expanded.path,
+    actions: expanded.actions,
+    // Only populate `expiryMs` when the entry had its own expiry override.
+    // When absent, callers use the parent (delegation or manifest) expiry
+    // which is carried on ResolvedDelegate.expiryMs / ResolvedCapabilities.expiryMs.
+    ...entryExpiryMs !== void 0 ? { expiryMs: entryExpiryMs } : {},
+    ...entry.description !== void 0 ? { description: entry.description } : {}
+  }));
+}
+function expandVaultPermissionEntry(entry) {
+  const byBase = /* @__PURE__ */ new Map();
+  for (const action of entry.actions) {
+    const expansion = vaultActionExpansion(action);
+    for (const base of expansion.bases) {
+      const actions = byBase.get(base) ?? [];
+      if (!actions.includes(expansion.action)) {
+        actions.push(expansion.action);
       }
-    }
-    if (spec !== null && typeof spec === "object" && !Array.isArray(spec) && spec.expiry !== void 0) {
-      parseExpiry(spec.expiry);
+      byBase.set(base, actions);
     }
   }
+  return [...byBase.entries()].map(([base, actions]) => ({
+    ...entry,
+    service: "tinycloud.kv",
+    path: vaultKVPath(base, entry.path),
+    actions,
+    skipPrefix: true
+  }));
 }
-function validatePermissionEntry(p, path) {
-  if (p === null || typeof p !== "object") {
-    throw new ManifestValidationError(`${path} must be an object`);
-  }
-  const entry = p;
-  if (typeof entry.service !== "string" || entry.service.length === 0) {
-    throw new ManifestValidationError(`${path}.service is required`);
+function vaultActionExpansion(action) {
+  const normalized = normalizeVaultAction(action);
+  if (normalized === "read" || normalized === "get") {
+    return { bases: ["vault"], action: "tinycloud.kv/get" };
   }
-  if (entry.space !== void 0 && (typeof entry.space !== "string" || entry.space.length === 0)) {
-    throw new ManifestValidationError(
-      `${path}.space must be a non-empty string`
-    );
+  if (normalized === "write" || normalized === "put") {
+    return { bases: ["vault"], action: "tinycloud.kv/put" };
   }
-  if (typeof entry.path !== "string") {
-    throw new ManifestValidationError(
-      `${path}.path is required (use "" or "/" for root)`
-    );
+  if (normalized === "delete" || normalized === "del") {
+    return { bases: ["vault"], action: "tinycloud.kv/del" };
   }
-  if (!Array.isArray(entry.actions) || entry.actions.length === 0) {
-    throw new ManifestValidationError(
-      `${path}.actions must be a non-empty array`
-    );
+  if (normalized === "list") {
+    return { bases: ["vault"], action: "tinycloud.kv/list" };
   }
-  for (const action of entry.actions) {
-    if (typeof action !== "string" || action.length === 0) {
-      throw new ManifestValidationError(
-        `${path}.actions must contain non-empty strings`
-      );
-    }
-    if (entry.service === VAULT_PERMISSION_SERVICE) {
-      vaultActionExpansion(action);
-    }
+  if (normalized === "head") {
+    return { bases: ["vault"], action: "tinycloud.kv/get" };
   }
-  if (entry.expiry !== void 0) {
-    parseExpiry(entry.expiry);
+  if (normalized === "metadata") {
+    return { bases: ["vault"], action: "tinycloud.kv/metadata" };
   }
+  throw new ManifestValidationError(
+    `unknown vault action ${JSON.stringify(action)}; expected read, write, delete, get, put, del, list, head, or metadata`
+  );
 }
-function normalizeDefaults(value) {
-  if (value === void 0) {
-    return DEFAULT_DEFAULTS;
+function normalizeVaultAction(action) {
+  if (action.startsWith(`${VAULT_PERMISSION_SERVICE}/`)) {
+    return action.slice(`${VAULT_PERMISSION_SERVICE}/`.length);
   }
-  if (typeof value === "boolean") {
-    return value;
+  if (action.startsWith("tinycloud.kv/")) {
+    return action.slice("tinycloud.kv/".length);
   }
-  if (typeof value !== "string") {
-    return true;
+  if (action.includes("/")) {
+    throw new ManifestValidationError(
+      `unknown vault action ${JSON.stringify(action)}; expected a tinycloud.vault or tinycloud.kv action`
+    );
   }
-  const normalized = value.trim().toLowerCase();
-  if (normalized === "admin" || normalized === "all") {
-    return normalized;
+  return action;
+}
+function vaultKVPath(base, path) {
+  const normalized = path.startsWith("/") ? path.slice(1) : path;
+  return `${base}/${normalized}`;
+}
+function cloneResourceCapability(entry) {
+  return {
+    service: entry.service,
+    space: entry.space,
+    path: entry.path,
+    actions: [...entry.actions],
+    ...entry.expiryMs !== void 0 ? { expiryMs: entry.expiryMs } : {},
+    ...entry.description !== void 0 ? { description: entry.description } : {}
+  };
+}
+function clonePermissionEntry(entry) {
+  return {
+    service: entry.service,
+    ...entry.space !== void 0 ? { space: entry.space } : {},
+    path: entry.path,
+    actions: [...entry.actions],
+    ...entry.skipPrefix !== void 0 ? { skipPrefix: entry.skipPrefix } : {},
+    ...entry.expiry !== void 0 ? { expiry: entry.expiry } : {},
+    ...entry.description !== void 0 ? { description: entry.description } : {}
+  };
+}
+function dedupeResources(resources) {
+  const byKey = /* @__PURE__ */ new Map();
+  for (const resource of resources) {
+    const key = `${resource.service}\0${resource.space}\0${resource.path}\0${resource.expiryMs ?? ""}`;
+    const existing = byKey.get(key);
+    if (existing === void 0) {
+      byKey.set(key, cloneResourceCapability(resource));
+      continue;
+    }
+    const seen = new Set(existing.actions);
+    for (const action of resource.actions) {
+      if (!seen.has(action)) {
+        existing.actions.push(action);
+        seen.add(action);
+      }
+    }
+    if (existing.description === void 0 && resource.description !== void 0) {
+      existing.description = resource.description;
+    }
   }
-  return true;
+  return [...byKey.values()];
 }
-function defaultEntriesForTier(tier) {
-  if (tier === false) {
+function capabilitiesReadPermission(space) {
+  return {
+    service: "tinycloud.capabilities",
+    space,
+    path: "",
+    actions: ["tinycloud.capabilities/read"]
+  };
+}
+function withCapabilitiesReadForSpaces(resources) {
+  if (resources.length === 0) {
     return [];
   }
-  const source = tier === "admin" ? DEFAULT_ADMIN_ENTRIES : tier === "all" ? DEFAULT_ALL_ENTRIES : DEFAULT_STANDARD_ENTRIES;
-  return source.map((e) => ({
-    service: e.service,
-    space: e.space,
-    path: e.path,
-    actions: [...e.actions],
-    ...e.skipPrefix !== void 0 ? { skipPrefix: e.skipPrefix } : {}
+  const spaces = new Set(
+    resources.filter((resource) => resource.service !== ENCRYPTION_PERMISSION_SERVICE).map((resource) => resource.space)
+  );
+  return dedupeResources([
+    ...resources,
+    ...[...spaces].map(capabilitiesReadPermission)
+  ]);
+}
+function accountRegistryPermissions() {
+  return [ACCOUNT_REGISTRY_PATH, "spaces/"].map((path) => ({
+    service: "tinycloud.kv",
+    space: ACCOUNT_REGISTRY_SPACE,
+    path,
+    actions: ["tinycloud.kv/get", "tinycloud.kv/put", "tinycloud.kv/list"]
   }));
 }
-function resolveManifest(input) {
-  const manifest = validateManifest(input);
-  const prefix = manifest.prefix !== void 0 ? manifest.prefix : manifest.app_id;
-  const space = manifest.space ?? DEFAULT_MANIFEST_SPACE;
-  const expiryMs = parseExpiry(manifest.expiry ?? DEFAULT_EXPIRY);
-  const includePublicSpace = manifest.includePublicSpace ?? true;
-  const tier = normalizeDefaults(manifest.defaults);
-  const defaultEntries = defaultEntriesForTier(tier);
-  const explicitEntries = manifest.permissions ?? [];
-  const secretEntries = secretEntriesForManifest(manifest.secrets);
-  const allEntries = [
-    ...defaultEntries,
-    ...explicitEntries,
-    ...secretEntries
-  ];
-  const resources = withCapabilitiesReadForSpaces(
-    allEntries.flatMap((entry) => resolveEntry(entry, prefix, expiryMs, space))
-  );
-  const additionalDelegates = manifest.did === void 0 ? [] : [
-    {
-      did: manifest.did,
-      name: manifest.name,
-      expiryMs,
-      permissions: resources.map(cloneResourceCapability)
-    }
-  ];
+function accountRegistryIndexPermission() {
   return {
-    app_id: manifest.app_id,
-    ...manifest.did !== void 0 ? { did: manifest.did } : {},
-    space,
-    resources,
-    expiryMs,
-    includePublicSpace,
-    additionalDelegates
+    service: "tinycloud.sql",
+    space: ACCOUNT_REGISTRY_SPACE,
+    path: "account",
+    actions: ["tinycloud.sql/read", "tinycloud.sql/write", "tinycloud.sql/ddl"]
   };
 }
-function normalizeSecretActions(actions) {
-  const out = [];
-  const seen = /* @__PURE__ */ new Set();
-  const add = (action) => {
-    if (!seen.has(action)) {
-      out.push(action);
-      seen.add(action);
+function composeManifestRequest(inputs, options = {}) {
+  if (!Array.isArray(inputs) || inputs.length === 0) {
+    throw new ManifestValidationError(
+      "composeManifestRequest requires at least one manifest"
+    );
+  }
+  const includeAccountRegistryPermissions = options.includeAccountRegistryPermissions ?? true;
+  const manifests = inputs.map(validateManifest);
+  const resolved = manifests.map(resolveManifest);
+  const resources = resolved.flatMap((entry) => entry.resources);
+  const delegationTargets = resolved.flatMap(
+    (entry) => entry.additionalDelegates.map((delegate) => ({
+      ...delegate,
+      permissions: dedupeResources(delegate.permissions)
+    }))
+  );
+  if (includeAccountRegistryPermissions) {
+    resources.push(...accountRegistryPermissions());
+    resources.push(accountRegistryIndexPermission());
+  }
+  const resourcesWithImplicitCapabilities = withCapabilitiesReadForSpaces(resources);
+  const manifestsByAppId = /* @__PURE__ */ new Map();
+  for (const manifest of manifests) {
+    const current = manifestsByAppId.get(manifest.app_id);
+    if (current === void 0) {
+      manifestsByAppId.set(manifest.app_id, [manifest]);
+    } else {
+      current.push(manifest);
     }
+  }
+  const registryRecords = includeAccountRegistryPermissions ? [...manifestsByAppId.entries()].map(([app_id, appManifests]) => ({
+    key: `${ACCOUNT_REGISTRY_PATH}${app_id}`,
+    app_id,
+    manifests: appManifests.map((manifest) => ({
+      ...manifest,
+      permissions: manifest.permissions?.map(clonePermissionEntry)
+    }))
+  })) : [];
+  return {
+    manifests,
+    resources: resourcesWithImplicitCapabilities,
+    delegationTargets,
+    registryRecords,
+    expiryMs: Math.max(...resolved.map((entry) => entry.expiryMs)),
+    includePublicSpace: resolved.some((entry) => entry.includePublicSpace)
   };
-  for (const action of actions) {
-    if (action === "read") {
-      add("get");
-      continue;
-    }
-    if (action === "write") {
-      add("put");
-      continue;
-    }
-    if (action === "delete") {
-      add("del");
-      continue;
+}
+function resourceCapabilitiesToAbilitiesMap(resources) {
+  const out = {};
+  for (const r of resources) {
+    const shortService = SERVICE_LONG_TO_SHORT[r.service];
+    if (shortService === void 0) {
+      throw new ManifestValidationError(
+        `unknown service '${r.service}' \u2014 no short-form mapping. Known services: ${Object.keys(SERVICE_LONG_TO_SHORT).join(", ")}`
+      );
     }
-    if (action === "get" || action === "put" || action === "del" || action === "list" || action === "metadata") {
-      add(action);
-      continue;
+    if (out[shortService] === void 0) {
+      out[shortService] = {};
     }
-    if (action === "tinycloud.kv/get" || action === "tinycloud.kv/put" || action === "tinycloud.kv/del" || action === "tinycloud.kv/list" || action === "tinycloud.kv/metadata") {
-      add(action);
-      continue;
+    const pathsMap = out[shortService];
+    const existing = pathsMap[r.path];
+    if (existing === void 0) {
+      pathsMap[r.path] = [...r.actions];
+    } else {
+      const seen = new Set(existing);
+      for (const action of r.actions) {
+        if (!seen.has(action)) {
+          existing.push(action);
+          seen.add(action);
+        }
+      }
     }
-    throw new ManifestValidationError(
-      `unknown secret action ${JSON.stringify(action)}; expected read, write, delete, list, or metadata`
-    );
   }
   return out;
 }
-function secretNameFromSpec(fallbackName, spec) {
-  if (spec !== null && typeof spec === "object" && !Array.isArray(spec)) {
-    return spec.name ?? fallbackName;
+function resourceCapabilitiesToSpaceAbilitiesMap(resources) {
+  const grouped = /* @__PURE__ */ new Map();
+  for (const resource of resources) {
+    const entries = grouped.get(resource.space);
+    if (entries === void 0) {
+      grouped.set(resource.space, [resource]);
+    } else {
+      entries.push(resource);
+    }
   }
-  return fallbackName;
+  const out = {};
+  for (const [space, entries] of grouped.entries()) {
+    out[space] = resourceCapabilitiesToAbilitiesMap(entries);
+  }
+  return out;
 }
-function secretScopeFromSpec(spec) {
-  if (spec !== null && typeof spec === "object" && !Array.isArray(spec)) {
-    return spec.scope;
+function manifestAbilitiesUnion(resolved) {
+  const all = [...resolved.resources];
+  for (const delegate of resolved.additionalDelegates) {
+    for (const perm of delegate.permissions) {
+      all.push(perm);
+    }
   }
-  return void 0;
+  return resourceCapabilitiesToAbilitiesMap(all);
 }
-function secretActionsFromSpec(name, spec) {
-  if (spec === true) {
-    return ["read"];
+
+// src/account/AccountService.ts
+var SERVICE_NAME2 = "account";
+var ACCOUNT_INDEX_DB = "account";
+var ACCOUNT_INDEX_NAMESPACE = "tinycloud.account.index";
+var ACCOUNT_SPACES_PATH = "spaces/";
+var AccountService = class {
+  constructor(config) {
+    this.config = config;
+    this.applications = {
+      list: async (options = {}) => {
+        if (options.preferIndex) {
+          const indexed = await this.index.applications.list();
+          if (indexed.ok && indexed.data.length > 0) return indexed;
+          if (!indexed.ok && !isMissingIndexError(indexed.error)) return indexed;
+          const canonical = await this.applications.list();
+          if (canonical.ok && options.refreshIndex !== false) {
+            await this.replaceApplicationsIndexQuietly(canonical.data);
+          }
+          return canonical;
+        }
+        const kvResult = this.accountKV();
+        if (!kvResult.ok) return kvResult;
+        const listed = await kvResult.data.list({ prefix: ACCOUNT_REGISTRY_PATH });
+        if (!listed.ok) return accountErr(listed.error);
+        const applications = [];
+        for (const key of listed.data.keys) {
+          const loaded = await kvResult.data.get(key);
+          if (!loaded.ok) return accountErr(loaded.error);
+          applications.push(applicationFromRecord(key, loaded.data.data));
+        }
+        applications.sort((a, b) => a.appId.localeCompare(b.appId));
+        return ok3(applications);
+      },
+      get: async (appId) => {
+        const kvResult = this.accountKV();
+        if (!kvResult.ok) return kvResult;
+        const key = applicationKey(appId);
+        const loaded = await kvResult.data.get(key);
+        if (!loaded.ok) return accountErr(loaded.error);
+        return ok3(applicationFromRecord(key, loaded.data.data));
+      },
+      register: async (manifest) => {
+        const manifests = Array.isArray(manifest) ? manifest : [manifest];
+        const request = composeManifestRequest(manifests);
+        if (request.registryRecords.length === 0) {
+          return err3(
+            serviceError3(
+              "INVALID_MANIFEST",
+              "Manifest did not produce an account application registry record",
+              SERVICE_NAME2
+            )
+          );
+        }
+        await this.config.ensureAccountSpaceHosted?.();
+        const kvResult = this.accountKV();
+        if (!kvResult.ok) return kvResult;
+        let registered;
+        for (const record of request.registryRecords) {
+          const manifestHash = hashJson(record.manifests);
+          if (await this.indexHasApplicationHash(record.app_id, manifestHash)) {
+            registered = {
+              appId: record.app_id,
+              manifests: record.manifests,
+              manifestHash,
+              name: record.manifests[0]?.name,
+              description: record.manifests[0]?.description
+            };
+            continue;
+          }
+          const stored = {
+            app_id: record.app_id,
+            manifests: record.manifests,
+            manifest_hash: manifestHash,
+            updated_at: (/* @__PURE__ */ new Date()).toISOString()
+          };
+          const written = await kvResult.data.put(record.key, stored);
+          if (!written.ok) return accountErr(written.error);
+          registered = applicationFromRecord(record.key, stored);
+          await this.upsertApplicationIndexQuietly(registered);
+        }
+        return ok3(registered);
+      },
+      remove: async (appId) => {
+        const kvResult = this.accountKV();
+        if (!kvResult.ok) return kvResult;
+        const removed = await kvResult.data.delete(applicationKey(appId));
+        if (!removed.ok) return accountErr(removed.error);
+        await this.deleteApplicationIndexQuietly(appId);
+        return ok3(void 0);
+      }
+    };
+    this.spaces = {
+      list: async (options = {}) => {
+        if (options.preferIndex) {
+          const indexed = await this.index.spaces.list();
+          if (indexed.ok && indexed.data.length > 0) return indexed;
+          if (!indexed.ok && !isMissingIndexError(indexed.error)) return indexed;
+          const canonical = await this.spaces.syncAccessible();
+          if (canonical.ok && options.refreshIndex !== false) {
+            await this.replaceSpacesIndexQuietly(canonical.data);
+          }
+          return canonical;
+        }
+        const kvResult = this.accountKV();
+        if (!kvResult.ok) return kvResult;
+        const listed = await kvResult.data.list({ prefix: ACCOUNT_SPACES_PATH });
+        if (!listed.ok) return accountErr(listed.error);
+        const spaces = [];
+        for (const key of listed.data.keys) {
+          const loaded = await kvResult.data.get(key);
+          if (!loaded.ok) return accountErr(loaded.error);
+          spaces.push(spaceFromRecord(key, loaded.data.data));
+        }
+        spaces.sort((a, b) => a.name.localeCompare(b.name) || a.spaceId.localeCompare(b.spaceId));
+        return ok3(spaces);
+      },
+      get: async (spaceId) => {
+        const kvResult = this.accountKV();
+        if (!kvResult.ok) return kvResult;
+        const loaded = await kvResult.data.get(spaceKey(spaceId));
+        if (!loaded.ok) return accountErr(loaded.error);
+        return ok3(spaceFromRecord(spaceKey(spaceId), loaded.data.data));
+      },
+      register: async (space) => {
+        await this.config.ensureAccountSpaceHosted?.();
+        const kvResult = this.accountKV();
+        if (!kvResult.ok) return kvResult;
+        const stored = spaceRecordFromInput(space);
+        const written = await kvResult.data.put(spaceKey(stored.space_id), stored);
+        if (!written.ok) return accountErr(written.error);
+        const registered = spaceFromRecord(spaceKey(stored.space_id), stored);
+        await this.upsertSpaceIndexQuietly(registered);
+        return ok3(registered);
+      },
+      syncAccessible: async () => {
+        const listed = await this.config.getSpaces().list();
+        if (!listed.ok) return accountErr(listed.error);
+        const registered = [];
+        for (const space of listed.data) {
+          const result = await this.spaces.register(space);
+          if (!result.ok) return result;
+          registered.push(result.data);
+        }
+        return ok3(registered);
+      },
+      remove: async (spaceId) => {
+        const kvResult = this.accountKV();
+        if (!kvResult.ok) return kvResult;
+        const removed = await kvResult.data.delete(spaceKey(spaceId));
+        if (!removed.ok) return accountErr(removed.error);
+        await this.deleteSpaceIndexQuietly(spaceId);
+        return ok3(void 0);
+      }
+    };
+    this.delegations = {
+      list: async (options = {}) => {
+        if (options.preferIndex) {
+          const indexed = await this.index.delegations.list(options);
+          if (indexed.ok && indexed.data.length > 0) return indexed;
+          if (!indexed.ok && !isMissingIndexError(indexed.error)) return indexed;
+          const live = await this.delegations.list({
+            direction: options.direction,
+            space: options.space
+          });
+          if (live.ok && options.refreshIndex !== false) {
+            await this.replaceDelegationsIndexQuietly(live.data);
+          }
+          return live;
+        }
+        const spaces = await this.config.getSpaces().list();
+        if (!spaces.ok) return accountErr(spaces.error);
+        const targetSpaces = options.space ? spaces.data.filter((space) => space.id === options.space || space.name === options.space) : spaces.data;
+        const delegations = [];
+        for (const space of targetSpaces) {
+          const scoped = this.config.getSpaces().get(space.id).delegations;
+          if (options.direction !== "received") {
+            const granted = await scoped.list();
+            if (!granted.ok) return accountErr(granted.error);
+            delegations.push(...granted.data.map((d) => mapDelegation(d, space, "granted")));
+          }
+          if (options.direction !== "granted") {
+            const received = await scoped.listReceived();
+            if (!received.ok) return accountErr(received.error);
+            delegations.push(...received.data.map((d) => mapDelegation(d, space, "received")));
+          }
+        }
+        delegations.sort((a, b) => a.spaceId.localeCompare(b.spaceId) || a.cid.localeCompare(b.cid));
+        return ok3(delegations);
+      },
+      revoke: async (options) => {
+        const space = await this.resolveSpace(options.space);
+        if (!space.ok) return space;
+        const revoked = await this.config.getSpaces().get(space.data.id).delegations.revoke(options.cid);
+        if (!revoked.ok) return accountErr(revoked.error);
+        return ok3(void 0);
+      }
+    };
+    this.index = {
+      rebuild: async () => {
+        const dbResult = this.accountDb();
+        if (!dbResult.ok) return dbResult;
+        const applications = await this.applications.list();
+        if (!applications.ok) return applications;
+        const spaces = await this.spaces.list();
+        if (!spaces.ok) return spaces;
+        const delegations = await this.delegations.list();
+        if (!delegations.ok) return delegations;
+        const syncedAt = (/* @__PURE__ */ new Date()).toISOString();
+        const schema = await this.ensureAccountIndex(dbResult.data);
+        if (!schema.ok) return schema;
+        const statements = [
+          { sql: "DELETE FROM applications" },
+          { sql: "DELETE FROM application_state" },
+          { sql: "DELETE FROM spaces" },
+          { sql: "DELETE FROM delegations" },
+          { sql: "DELETE FROM sync_state" },
+          ...applications.data.map((app) => ({
+            sql: "INSERT INTO applications (app_id, name, description, updated_at, manifest_json) VALUES (?, ?, ?, ?, ?)",
+            params: [
+              app.appId,
+              app.name ?? null,
+              app.description ?? null,
+              app.updatedAt ?? syncedAt,
+              JSON.stringify(app.manifests)
+            ]
+          })),
+          ...applications.data.map((app) => ({
+            sql: "INSERT OR REPLACE INTO application_state (app_id, manifest_hash, indexed_at) VALUES (?, ?, ?)",
+            params: [app.appId, app.manifestHash ?? hashJson(app.manifests), syncedAt]
+          })),
+          ...spaces.data.map((space) => ({
+            sql: "INSERT OR REPLACE INTO spaces (space_id, name, owner_did, type, permissions_json, status, registered_at, updated_at, expires_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
+            params: [
+              space.spaceId,
+              space.name,
+              space.ownerDid,
+              space.type,
+              JSON.stringify(space.permissions),
+              space.status,
+              space.registeredAt ?? syncedAt,
+              space.updatedAt ?? syncedAt,
+              space.expiresAt?.toISOString() ?? null
+            ]
+          })),
+          ...delegations.data.map((delegation) => ({
+            sql: "INSERT INTO delegations (cid, direction, space_id, space_name, counterparty_did, delegate_did, delegator_did, path, actions_json, expiry, status, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
+            params: [
+              delegation.cid,
+              delegation.direction,
+              delegation.spaceId,
+              delegation.spaceName ?? null,
+              delegation.counterpartyDid,
+              delegation.delegateDid,
+              delegation.delegatorDid ?? null,
+              delegation.path,
+              JSON.stringify(delegation.actions),
+              delegation.expiry.toISOString(),
+              delegation.status,
+              delegation.createdAt?.toISOString() ?? null,
+              syncedAt
+            ]
+          })),
+          {
+            sql: "INSERT INTO sync_state (source, synced_at, count) VALUES (?, ?, ?)",
+            params: ["applications", syncedAt, applications.data.length]
+          },
+          {
+            sql: "INSERT INTO sync_state (source, synced_at, count) VALUES (?, ?, ?)",
+            params: ["spaces", syncedAt, spaces.data.length]
+          },
+          {
+            sql: "INSERT INTO sync_state (source, synced_at, count) VALUES (?, ?, ?)",
+            params: ["delegations", syncedAt, delegations.data.length]
+          }
+        ];
+        const rebuilt = await dbResult.data.batch(statements);
+        if (!rebuilt.ok) return accountErr(rebuilt.error);
+        return ok3({
+          database: ACCOUNT_INDEX_DB,
+          applications: applications.data.length,
+          spaces: spaces.data.length,
+          delegations: delegations.data.length,
+          syncedAt
+        });
+      },
+      applications: {
+        list: async () => {
+          const dbResult = this.accountDb();
+          if (!dbResult.ok) return dbResult;
+          const queried = await dbResult.data.query(
+            "SELECT applications.app_id, name, description, updated_at, manifest_json, application_state.manifest_hash FROM applications LEFT JOIN application_state ON applications.app_id = application_state.app_id ORDER BY applications.app_id"
+          );
+          if (!queried.ok) return accountErr(queried.error);
+          return ok3(queried.data.rows.map(indexedApplicationFromRow));
+        }
+      },
+      spaces: {
+        list: async () => {
+          const dbResult = this.accountDb();
+          if (!dbResult.ok) return dbResult;
+          const queried = await dbResult.data.query(
+            "SELECT space_id, name, owner_did, type, permissions_json, status, registered_at, updated_at, expires_at FROM spaces ORDER BY name, space_id"
+          );
+          if (!queried.ok) return accountErr(queried.error);
+          return ok3(queried.data.rows.map(indexedSpaceFromRow));
+        }
+      },
+      delegations: {
+        list: async (options = {}) => {
+          const dbResult = this.accountDb();
+          if (!dbResult.ok) return dbResult;
+          const where = [];
+          const params = [];
+          if (options.direction && options.direction !== "all") {
+            where.push("direction = ?");
+            params.push(options.direction);
+          }
+          if (options.space) {
+            where.push("(space_id = ? OR space_name = ?)");
+            params.push(options.space, options.space);
+          }
+          const queried = await dbResult.data.query(
+            `SELECT cid, direction, space_id, space_name, counterparty_did, delegate_did, delegator_did, path, actions_json, expiry, status, created_at FROM delegations${where.length > 0 ? ` WHERE ${where.join(" AND ")}` : ""} ORDER BY space_id, cid`,
+            params
+          );
+          if (!queried.ok) return accountErr(queried.error);
+          return ok3(queried.data.rows.map(indexedDelegationFromRow));
+        }
+      },
+      query: async (sql, params) => {
+        const dbResult = this.accountDb();
+        if (!dbResult.ok) return dbResult;
+        const queried = await dbResult.data.query(sql, params);
+        if (!queried.ok) return accountErr(queried.error);
+        return ok3(queried.data);
+      },
+      status: async () => {
+        const dbResult = this.accountDb();
+        if (!dbResult.ok) return dbResult;
+        const queried = await dbResult.data.query(
+          "SELECT source, synced_at, count FROM sync_state ORDER BY source"
+        );
+        if (!queried.ok) {
+          if (isMissingIndexError(queried.error)) {
+            return ok3({ database: ACCOUNT_INDEX_DB, state: "missing", sources: [] });
+          }
+          return accountErr(queried.error);
+        }
+        return ok3({
+          database: ACCOUNT_INDEX_DB,
+          state: "ready",
+          sources: queried.data.rows.map(([source, syncedAt, count]) => ({
+            source,
+            syncedAt,
+            count
+          }))
+        });
+      }
+    };
+  }
+  async status() {
+    const apps = await this.applications.list();
+    if (!apps.ok) return apps;
+    const delegations = await this.delegations.list();
+    if (!delegations.ok) return delegations;
+    const spaces = await this.spaces.list();
+    if (!spaces.ok) return spaces;
+    return ok3({
+      did: this.config.getDid(),
+      host: this.config.getHost(),
+      primarySpaceId: this.config.getPrimarySpaceId(),
+      accountSpaceId: this.config.getAccountSpaceId(),
+      applications: apps.data.length,
+      spaces: spaces.data.length,
+      grantedDelegations: delegations.data.filter((d) => d.direction === "granted").length,
+      receivedDelegations: delegations.data.filter((d) => d.direction === "received").length
+    });
+  }
+  accountKV() {
+    const accountSpaceId = this.config.getAccountSpaceId();
+    if (!accountSpaceId) {
+      return err3(
+        serviceError3(
+          "ACCOUNT_SPACE_UNAVAILABLE",
+          "Account space is unavailable. Sign in with a wallet-backed profile first.",
+          SERVICE_NAME2
+        )
+      );
+    }
+    return ok3(this.config.getSpaces().get(accountSpaceId).kv);
+  }
+  accountDb() {
+    const db = this.config.getAccountDb?.();
+    if (!db) {
+      return err3(
+        serviceError3(
+          "ACCOUNT_INDEX_UNAVAILABLE",
+          "Account index database is unavailable. Sign in with a wallet-backed profile first.",
+          SERVICE_NAME2
+        )
+      );
+    }
+    return ok3(db);
   }
-  if (typeof spec === "string") {
-    return [spec];
+  async indexHasApplicationHash(appId, manifestHash) {
+    const dbResult = this.accountDb();
+    if (!dbResult.ok) return false;
+    const schema = await this.ensureAccountIndex(dbResult.data);
+    if (!schema.ok) return false;
+    const queried = await dbResult.data.query(
+      "SELECT 1 FROM application_state WHERE app_id = ? AND manifest_hash = ? LIMIT 1",
+      [appId, manifestHash]
+    );
+    return queried.ok && queried.data.rows.length > 0;
+  }
+  async upsertApplicationIndexQuietly(app) {
+    await ignoreIndexFailure(() => this.upsertApplicationIndex(app));
+  }
+  async upsertApplicationIndex(app) {
+    const dbResult = this.accountDb();
+    if (!dbResult.ok) return ok3(void 0);
+    const schema = await this.ensureAccountIndex(dbResult.data);
+    if (!schema.ok) return schema;
+    const updatedAt = app.updatedAt ?? (/* @__PURE__ */ new Date()).toISOString();
+    const manifestHash = app.manifestHash ?? hashJson(app.manifests);
+    const written = await dbResult.data.batch([
+      {
+        sql: "INSERT OR REPLACE INTO applications (app_id, name, description, updated_at, manifest_json) VALUES (?, ?, ?, ?, ?)",
+        params: [
+          app.appId,
+          app.name ?? null,
+          app.description ?? null,
+          updatedAt,
+          JSON.stringify(app.manifests)
+        ]
+      },
+      {
+        sql: "INSERT OR REPLACE INTO application_state (app_id, manifest_hash, indexed_at) VALUES (?, ?, ?)",
+        params: [app.appId, manifestHash, updatedAt]
+      }
+    ]);
+    if (!written.ok) return accountErr(written.error);
+    return ok3(void 0);
   }
-  if (Array.isArray(spec)) {
-    return spec;
+  async deleteApplicationIndexQuietly(appId) {
+    await ignoreIndexFailure(() => this.deleteApplicationIndex(appId));
+  }
+  async deleteApplicationIndex(appId) {
+    const dbResult = this.accountDb();
+    if (!dbResult.ok) return ok3(void 0);
+    const schema = await this.ensureAccountIndex(dbResult.data);
+    if (!schema.ok) return schema;
+    const deleted = await dbResult.data.batch([
+      { sql: "DELETE FROM applications WHERE app_id = ?", params: [appId] },
+      { sql: "DELETE FROM application_state WHERE app_id = ?", params: [appId] }
+    ]);
+    if (!deleted.ok) return accountErr(deleted.error);
+    return ok3(void 0);
   }
-  if (spec === null || typeof spec !== "object") {
-    throw new ManifestValidationError(
-      `manifest.secrets.${name} must be true, a string action, an actions array, or an object`
-    );
+  async upsertSpaceIndexQuietly(space) {
+    await ignoreIndexFailure(() => this.upsertSpaceIndex(space));
   }
-  if (spec.actions === void 0) {
-    return ["read"];
+  async upsertSpaceIndex(space) {
+    const dbResult = this.accountDb();
+    if (!dbResult.ok) return ok3(void 0);
+    const schema = await this.ensureAccountIndex(dbResult.data);
+    if (!schema.ok) return schema;
+    const updatedAt = space.updatedAt ?? (/* @__PURE__ */ new Date()).toISOString();
+    const written = await dbResult.data.batch([
+      {
+        sql: "INSERT OR REPLACE INTO spaces (space_id, name, owner_did, type, permissions_json, status, registered_at, updated_at, expires_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
+        params: [
+          space.spaceId,
+          space.name,
+          space.ownerDid,
+          space.type,
+          JSON.stringify(space.permissions),
+          space.status,
+          space.registeredAt ?? updatedAt,
+          updatedAt,
+          space.expiresAt?.toISOString() ?? null
+        ]
+      }
+    ]);
+    if (!written.ok) return accountErr(written.error);
+    return ok3(void 0);
   }
-  if (typeof spec.actions === "string") {
-    return [spec.actions];
+  async deleteSpaceIndexQuietly(spaceId) {
+    await ignoreIndexFailure(() => this.deleteSpaceIndex(spaceId));
+  }
+  async deleteSpaceIndex(spaceId) {
+    const dbResult = this.accountDb();
+    if (!dbResult.ok) return ok3(void 0);
+    const schema = await this.ensureAccountIndex(dbResult.data);
+    if (!schema.ok) return schema;
+    const deleted = await dbResult.data.batch([
+      { sql: "DELETE FROM spaces WHERE space_id = ?", params: [spaceId] }
+    ]);
+    if (!deleted.ok) return accountErr(deleted.error);
+    return ok3(void 0);
   }
-  if (Array.isArray(spec.actions)) {
-    return spec.actions;
+  async resolveSpace(space) {
+    const listed = await this.config.getSpaces().list();
+    if (!listed.ok) return accountErr(listed.error);
+    const found = listed.data.find((candidate) => candidate.id === space || candidate.name === space);
+    if (!found) {
+      return err3(
+        serviceError3("SPACE_NOT_FOUND", `No account space found for ${JSON.stringify(space)}`, SERVICE_NAME2)
+      );
+    }
+    return ok3(found);
+  }
+  async replaceApplicationsIndexQuietly(applications) {
+    await ignoreIndexFailure(async () => {
+      const dbResult = this.accountDb();
+      if (!dbResult.ok) return;
+      const syncedAt = (/* @__PURE__ */ new Date()).toISOString();
+      const schema = await this.ensureAccountIndex(dbResult.data);
+      if (!schema.ok) return;
+      await dbResult.data.batch([
+        { sql: "DELETE FROM applications" },
+        { sql: "DELETE FROM application_state" },
+        ...applications.map((app) => ({
+          sql: "INSERT OR REPLACE INTO applications (app_id, name, description, updated_at, manifest_json) VALUES (?, ?, ?, ?, ?)",
+          params: [
+            app.appId,
+            app.name ?? null,
+            app.description ?? null,
+            app.updatedAt ?? syncedAt,
+            JSON.stringify(app.manifests)
+          ]
+        })),
+        ...applications.map((app) => ({
+          sql: "INSERT OR REPLACE INTO application_state (app_id, manifest_hash, indexed_at) VALUES (?, ?, ?)",
+          params: [app.appId, app.manifestHash ?? hashJson(app.manifests), syncedAt]
+        })),
+        {
+          sql: "INSERT OR REPLACE INTO sync_state (source, synced_at, count) VALUES (?, ?, ?)",
+          params: ["applications", syncedAt, applications.length]
+        }
+      ]);
+    });
   }
-  throw new ManifestValidationError(
-    `manifest.secrets.${name}.actions must be a string or array`
-  );
-}
-function secretEntriesForManifest(secrets) {
-  if (secrets === void 0) {
-    return [];
+  async replaceSpacesIndexQuietly(spaces) {
+    await ignoreIndexFailure(async () => {
+      const dbResult = this.accountDb();
+      if (!dbResult.ok) return;
+      const syncedAt = (/* @__PURE__ */ new Date()).toISOString();
+      const schema = await this.ensureAccountIndex(dbResult.data);
+      if (!schema.ok) return;
+      await dbResult.data.batch([
+        { sql: "DELETE FROM spaces" },
+        ...spaces.map((space) => ({
+          sql: "INSERT OR REPLACE INTO spaces (space_id, name, owner_did, type, permissions_json, status, registered_at, updated_at, expires_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)",
+          params: [
+            space.spaceId,
+            space.name,
+            space.ownerDid,
+            space.type,
+            JSON.stringify(space.permissions),
+            space.status,
+            space.registeredAt ?? syncedAt,
+            space.updatedAt ?? syncedAt,
+            space.expiresAt?.toISOString() ?? null
+          ]
+        })),
+        {
+          sql: "INSERT OR REPLACE INTO sync_state (source, synced_at, count) VALUES (?, ?, ?)",
+          params: ["spaces", syncedAt, spaces.length]
+        }
+      ]);
+    });
   }
-  const entries = [];
-  for (const [name, spec] of Object.entries(secrets)) {
-    const actions = secretActionsFromSpec(name, spec);
-    const secretPath = resolveSecretPath(
-      secretNameFromSpec(name, spec),
-      { scope: secretScopeFromSpec(spec) }
-    );
-    const extra = spec !== true && typeof spec === "object" && !Array.isArray(spec) ? spec : {};
-    entries.push({
-      service: VAULT_PERMISSION_SERVICE,
-      space: SECRETS_SPACE,
-      path: secretPath.vaultKey,
-      actions: normalizeSecretActions(actions),
-      skipPrefix: true,
-      ...extra.expiry !== void 0 ? { expiry: extra.expiry } : {},
-      ...extra.description !== void 0 ? { description: extra.description } : {}
+  async replaceDelegationsIndexQuietly(delegations) {
+    await ignoreIndexFailure(async () => {
+      const dbResult = this.accountDb();
+      if (!dbResult.ok) return;
+      const syncedAt = (/* @__PURE__ */ new Date()).toISOString();
+      const schema = await this.ensureAccountIndex(dbResult.data);
+      if (!schema.ok) return;
+      await dbResult.data.batch([
+        { sql: "DELETE FROM delegations" },
+        ...delegations.map((delegation) => ({
+          sql: "INSERT OR REPLACE INTO delegations (cid, direction, space_id, space_name, counterparty_did, delegate_did, delegator_did, path, actions_json, expiry, status, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
+          params: [
+            delegation.cid,
+            delegation.direction,
+            delegation.spaceId,
+            delegation.spaceName ?? null,
+            delegation.counterpartyDid,
+            delegation.delegateDid,
+            delegation.delegatorDid ?? null,
+            delegation.path,
+            JSON.stringify(delegation.actions),
+            delegation.expiry.toISOString(),
+            delegation.status,
+            delegation.createdAt?.toISOString() ?? null,
+            syncedAt
+          ]
+        })),
+        {
+          sql: "INSERT OR REPLACE INTO sync_state (source, synced_at, count) VALUES (?, ?, ?)",
+          params: ["delegations", syncedAt, delegations.length]
+        }
+      ]);
     });
   }
-  return entries;
+  async ensureAccountIndex(db) {
+    const migrated = await db.migrations.apply({
+      namespace: ACCOUNT_INDEX_NAMESPACE,
+      migrations: [
+        {
+          id: "001_initial",
+          sql: ACCOUNT_INDEX_SCHEMA
+        }
+      ]
+    });
+    if (!migrated.ok) return accountErr(migrated.error);
+    return ok3(void 0);
+  }
+};
+var ACCOUNT_INDEX_SCHEMA = [
+  `CREATE TABLE IF NOT EXISTS applications (
+    app_id TEXT PRIMARY KEY,
+    name TEXT,
+    description TEXT,
+    updated_at TEXT,
+    manifest_json TEXT NOT NULL
+  )`,
+  `CREATE TABLE IF NOT EXISTS application_state (
+    app_id TEXT PRIMARY KEY,
+    manifest_hash TEXT NOT NULL,
+    indexed_at TEXT NOT NULL
+  )`,
+  `CREATE TABLE IF NOT EXISTS spaces (
+    space_id TEXT PRIMARY KEY,
+    name TEXT NOT NULL,
+    owner_did TEXT NOT NULL,
+    type TEXT NOT NULL,
+    permissions_json TEXT NOT NULL,
+    status TEXT NOT NULL,
+    registered_at TEXT,
+    updated_at TEXT NOT NULL,
+    expires_at TEXT
+  )`,
+  `CREATE TABLE IF NOT EXISTS delegations (
+    cid TEXT PRIMARY KEY,
+    direction TEXT NOT NULL,
+    space_id TEXT NOT NULL,
+    space_name TEXT,
+    counterparty_did TEXT NOT NULL,
+    delegate_did TEXT NOT NULL,
+    delegator_did TEXT,
+    path TEXT NOT NULL,
+    actions_json TEXT NOT NULL,
+    expiry TEXT NOT NULL,
+    status TEXT NOT NULL,
+    created_at TEXT,
+    updated_at TEXT NOT NULL
+  )`,
+  `CREATE TABLE IF NOT EXISTS sync_state (
+    source TEXT PRIMARY KEY,
+    synced_at TEXT NOT NULL,
+    count INTEGER NOT NULL
+  )`,
+  "CREATE INDEX IF NOT EXISTS idx_delegations_direction ON delegations(direction)",
+  "CREATE INDEX IF NOT EXISTS idx_delegations_space ON delegations(space_id)",
+  "CREATE INDEX IF NOT EXISTS idx_delegations_counterparty ON delegations(counterparty_did)",
+  "CREATE INDEX IF NOT EXISTS idx_spaces_owner ON spaces(owner_did)",
+  "CREATE INDEX IF NOT EXISTS idx_spaces_type ON spaces(type)"
+];
+function applicationKey(appId) {
+  return `${ACCOUNT_REGISTRY_PATH}${appId}`;
 }
-function resolveEntry(entry, prefix, _inheritedExpiryMs, inheritedSpace) {
-  const skipPrefixForEntry = entry.skipPrefix === true || entry.service === ENCRYPTION_PERMISSION_SERVICE;
-  const resolvedPath = applyPrefix(prefix, entry.path, skipPrefixForEntry);
-  const entryExpiryMs = entry.expiry !== void 0 ? parseExpiry(entry.expiry) : void 0;
-  return expandPermissionEntry({
-    ...entry,
-    space: entry.space ?? inheritedSpace,
-    path: resolvedPath,
-    skipPrefix: true
-  }).map((expanded) => ({
-    service: expanded.service,
-    space: expanded.space ?? inheritedSpace,
-    path: expanded.path,
-    actions: expanded.actions,
-    // Only populate `expiryMs` when the entry had its own expiry override.
-    // When absent, callers use the parent (delegation or manifest) expiry
-    // which is carried on ResolvedDelegate.expiryMs / ResolvedCapabilities.expiryMs.
-    ...entryExpiryMs !== void 0 ? { expiryMs: entryExpiryMs } : {},
-    ...entry.description !== void 0 ? { description: entry.description } : {}
-  }));
+function appIdFromKey(key) {
+  return key.startsWith(ACCOUNT_REGISTRY_PATH) ? key.slice(ACCOUNT_REGISTRY_PATH.length) : key;
 }
-function expandVaultPermissionEntry(entry) {
-  const byBase = /* @__PURE__ */ new Map();
-  for (const action of entry.actions) {
-    const expansion = vaultActionExpansion(action);
-    for (const base of expansion.bases) {
-      const actions = byBase.get(base) ?? [];
-      if (!actions.includes(expansion.action)) {
-        actions.push(expansion.action);
-      }
-      byBase.set(base, actions);
-    }
-  }
-  return [...byBase.entries()].map(([base, actions]) => ({
-    ...entry,
-    service: "tinycloud.kv",
-    path: vaultKVPath(base, entry.path),
-    actions,
-    skipPrefix: true
-  }));
+function applicationFromRecord(key, record) {
+  const manifests = Array.isArray(record.manifests) ? record.manifests : [];
+  const first = manifests[0];
+  return {
+    appId: record.app_id ?? record.appId ?? first?.app_id ?? appIdFromKey(key),
+    manifests,
+    updatedAt: record.updated_at ?? record.updatedAt,
+    name: first?.name,
+    description: first?.description,
+    manifestHash: record.manifest_hash ?? record.manifestHash ?? hashJson(manifests)
+  };
 }
-function vaultActionExpansion(action) {
-  const normalized = normalizeVaultAction(action);
-  if (normalized === "read" || normalized === "get") {
-    return { bases: ["vault"], action: "tinycloud.kv/get" };
-  }
-  if (normalized === "write" || normalized === "put") {
-    return { bases: ["vault"], action: "tinycloud.kv/put" };
-  }
-  if (normalized === "delete" || normalized === "del") {
-    return { bases: ["vault"], action: "tinycloud.kv/del" };
-  }
-  if (normalized === "list") {
-    return { bases: ["vault"], action: "tinycloud.kv/list" };
-  }
-  if (normalized === "head") {
-    return { bases: ["vault"], action: "tinycloud.kv/get" };
+function indexedApplicationFromRow(row) {
+  const [appId, name, description, updatedAt, manifestJson, manifestHash] = row;
+  return {
+    appId,
+    name: name ?? void 0,
+    description: description ?? void 0,
+    updatedAt: updatedAt ?? void 0,
+    manifests: JSON.parse(manifestJson),
+    manifestHash: manifestHash ?? void 0
+  };
+}
+function spaceKey(spaceId) {
+  return `${ACCOUNT_SPACES_PATH}${spaceId}`;
+}
+function spaceIdFromKey(key) {
+  return key.startsWith(ACCOUNT_SPACES_PATH) ? key.slice(ACCOUNT_SPACES_PATH.length) : key;
+}
+function spaceRecordFromInput(space) {
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const accountSpace = "spaceId" in space ? space : {
+    spaceId: space.id,
+    name: space.name ?? space.id.split(":").pop() ?? space.id,
+    ownerDid: space.owner ?? "",
+    type: space.type ?? "discovered",
+    permissions: space.permissions ?? [],
+    status: "active",
+    expiresAt: space.expiresAt
+  };
+  return {
+    space_id: accountSpace.spaceId,
+    name: accountSpace.name,
+    owner_did: accountSpace.ownerDid,
+    type: accountSpace.type,
+    permissions: accountSpace.permissions,
+    status: accountSpace.status,
+    registered_at: accountSpace.registeredAt ?? now,
+    updated_at: now,
+    expires_at: accountSpace.expiresAt instanceof Date ? accountSpace.expiresAt.toISOString() : accountSpace.expiresAt
+  };
+}
+function spaceFromRecord(key, record) {
+  const expiresAt = record.expires_at ?? record.expiresAt;
+  return {
+    spaceId: record.space_id ?? record.spaceId ?? spaceIdFromKey(key),
+    name: record.name ?? spaceIdFromKey(key).split(":").pop() ?? spaceIdFromKey(key),
+    ownerDid: record.owner_did ?? record.ownerDid ?? record.owner ?? "",
+    type: record.type ?? "discovered",
+    permissions: Array.isArray(record.permissions) ? record.permissions : [],
+    status: record.status ?? "active",
+    registeredAt: record.registered_at ?? record.registeredAt,
+    updatedAt: record.updated_at ?? record.updatedAt,
+    expiresAt: expiresAt ? new Date(expiresAt) : void 0
+  };
+}
+function indexedSpaceFromRow(row) {
+  const [spaceId, name, ownerDid, type, permissionsJson, status, registeredAt, updatedAt, expiresAt] = row;
+  return {
+    spaceId,
+    name,
+    ownerDid,
+    type,
+    permissions: JSON.parse(permissionsJson),
+    status,
+    registeredAt: registeredAt ?? void 0,
+    updatedAt,
+    expiresAt: expiresAt ? new Date(expiresAt) : void 0
+  };
+}
+function hashJson(value) {
+  const input = stableJson(value);
+  let hash = 0xcbf29ce484222325n;
+  const prime = 0x100000001b3n;
+  for (let index = 0; index < input.length; index += 1) {
+    hash ^= BigInt(input.charCodeAt(index));
+    hash = BigInt.asUintN(64, hash * prime);
+  }
+  return hash.toString(16).padStart(16, "0");
+}
+function stableJson(value) {
+  if (value === null || typeof value !== "object") {
+    return JSON.stringify(value);
   }
-  if (normalized === "metadata") {
-    return { bases: ["vault"], action: "tinycloud.kv/metadata" };
+  if (Array.isArray(value)) {
+    return `[${value.map(stableJson).join(",")}]`;
   }
-  throw new ManifestValidationError(
-    `unknown vault action ${JSON.stringify(action)}; expected read, write, delete, get, put, del, list, head, or metadata`
-  );
+  const object = value;
+  return `{${Object.keys(object).sort().map((key) => `${JSON.stringify(key)}:${stableJson(object[key])}`).join(",")}}`;
 }
-function normalizeVaultAction(action) {
-  if (action.startsWith(`${VAULT_PERMISSION_SERVICE}/`)) {
-    return action.slice(`${VAULT_PERMISSION_SERVICE}/`.length);
+function indexedDelegationFromRow(row) {
+  const [
+    cid,
+    direction,
+    spaceId,
+    spaceName,
+    counterpartyDid,
+    delegateDid,
+    delegatorDid,
+    path,
+    actionsJson,
+    expiry,
+    status,
+    createdAt
+  ] = row;
+  return {
+    cid,
+    direction,
+    spaceId,
+    spaceName: spaceName ?? void 0,
+    counterpartyDid,
+    delegateDid,
+    delegatorDid: delegatorDid ?? void 0,
+    path,
+    actions: JSON.parse(actionsJson),
+    expiry: new Date(expiry),
+    status,
+    createdAt: createdAt ? new Date(createdAt) : void 0
+  };
+}
+function mapDelegation(delegation, space, direction) {
+  return {
+    cid: delegation.cid,
+    direction,
+    spaceId: delegation.spaceId || space.id,
+    spaceName: space.name,
+    counterpartyDid: direction === "granted" ? delegation.delegateDID : delegation.delegatorDID ?? delegation.delegateDID,
+    delegateDid: delegation.delegateDID,
+    delegatorDid: delegation.delegatorDID,
+    path: delegation.path,
+    actions: delegation.actions,
+    expiry: delegation.expiry,
+    status: delegation.isRevoked ? "revoked" : delegation.expiry.getTime() <= Date.now() ? "expired" : "active",
+    createdAt: delegation.createdAt
+  };
+}
+function accountErr(error) {
+  return err3(serviceError3(error.code, error.message, SERVICE_NAME2, { cause: error.cause, meta: error.meta }));
+}
+function isMissingIndexError(error) {
+  return /no such table:/i.test(error.message);
+}
+async function ignoreIndexFailure(task) {
+  try {
+    await task();
+  } catch {
   }
-  if (action.startsWith("tinycloud.kv/")) {
-    return action.slice("tinycloud.kv/".length);
+}
+
+// src/index.ts
+import {
+  ServiceContext as ServiceContext2,
+  KVService as KVService2,
+  PrefixedKVService,
+  ok as ok5,
+  err as err5,
+  serviceError as serviceError5,
+  ErrorCodes as ErrorCodes2,
+  defaultRetryPolicy as defaultRetryPolicy2,
+  SQLService as SQLService2,
+  DatabaseHandle,
+  SQLAction,
+  DuckDbService as DuckDbService2,
+  DuckDbDatabaseHandle,
+  DuckDbAction,
+  HooksService as HooksService2,
+  DataVaultService,
+  VaultHeaders,
+  VaultPublicSpaceKVActions,
+  createVaultCrypto,
+  SecretsService,
+  SECRET_NAME_RE as SECRET_NAME_RE2,
+  canonicalizeSecretScope,
+  resolveSecretListPrefix,
+  resolveSecretPath as resolveSecretPath2,
+  EncryptionService,
+  parseNetworkId as parseNetworkId2,
+  buildNetworkId as buildNetworkId2,
+  isNetworkId,
+  networkDiscoveryKey,
+  NetworkIdError,
+  ENCRYPTION_NETWORK_URN_PREFIX,
+  NETWORK_NAME_PATTERN,
+  canonicalizeEncryptionJson,
+  canonicalHashHex,
+  hexEncode,
+  hexDecode,
+  base64Encode,
+  base64Decode,
+  utf8Encode,
+  utf8Decode,
+  encryptToNetwork,
+  decryptEnvelopeWithKey,
+  validateEnvelope,
+  generateRandomReceiverKey,
+  deriveSignedReceiverKey,
+  buildCanonicalDecryptRequest,
+  buildDecryptFacts,
+  buildDecryptAttenuation,
+  buildDecryptInvocation,
+  checkDecryptInvocationInput,
+  verifyDecryptResponse,
+  canonicalSignedResponse,
+  openWrappedKey,
+  discoverNetwork,
+  ensureNetworkUsableForDecrypt,
+  DEFAULT_ENCRYPTION_ALG,
+  ENVELOPE_VERSION,
+  DEFAULT_KEY_VERSION,
+  DECRYPT_FACT_TYPE,
+  DECRYPT_RESULT_TYPE,
+  DECRYPT_ACTION,
+  ENCRYPTION_SERVICE,
+  ENCRYPTION_SERVICE_SHORT,
+  encryptionError
+} from "@tinycloud/sdk-services";
+
+// src/space.ts
+async function fetchPeerId(host, spaceId) {
+  const res = await fetch(
+    `${host}/peer/generate/${encodeURIComponent(spaceId)}`
+  );
+  if (!res.ok) {
+    const error = await res.text().catch(() => res.statusText);
+    throw new Error(`Failed to get peer ID: ${res.status} - ${error}`);
   }
-  if (action.includes("/")) {
-    throw new ManifestValidationError(
-      `unknown vault action ${JSON.stringify(action)}; expected a tinycloud.vault or tinycloud.kv action`
-    );
+  return res.text();
+}
+async function submitHostDelegation(host, headers) {
+  const res = await fetch(`${host}/delegate`, {
+    method: "POST",
+    headers
+  });
+  return {
+    success: res.ok,
+    status: res.status,
+    error: res.ok ? void 0 : await res.text().catch(() => res.statusText)
+  };
+}
+async function activateSessionWithHost(host, delegationHeader) {
+  const res = await fetch(`${host}/delegate`, {
+    method: "POST",
+    headers: delegationHeader
+  });
+  if (res.ok) {
+    try {
+      const body = await res.json();
+      return {
+        success: true,
+        status: res.status,
+        activated: body.activated ?? [],
+        skipped: body.skipped ?? []
+      };
+    } catch {
+      return {
+        success: true,
+        status: res.status,
+        activated: [],
+        skipped: []
+      };
+    }
   }
-  return action;
-}
-function vaultKVPath(base, path) {
-  const normalized = path.startsWith("/") ? path.slice(1) : path;
-  return `${base}/${normalized}`;
-}
-function cloneResourceCapability(entry) {
   return {
-    service: entry.service,
-    space: entry.space,
-    path: entry.path,
-    actions: [...entry.actions],
-    ...entry.expiryMs !== void 0 ? { expiryMs: entry.expiryMs } : {},
-    ...entry.description !== void 0 ? { description: entry.description } : {}
+    success: false,
+    status: res.status,
+    error: await res.text().catch(() => res.statusText)
   };
 }
-function clonePermissionEntry(entry) {
+
+// src/delegations/DelegationManager.ts
+var DelegationAction = {
+  CREATE: "tinycloud.delegation/create",
+  REVOKE: "tinycloud.delegation/revoke",
+  LIST: "tinycloud.delegation/list",
+  GET: "tinycloud.delegation/get",
+  CHECK: "tinycloud.delegation/check"
+};
+function createError(code, message, cause, meta) {
   return {
-    service: entry.service,
-    ...entry.space !== void 0 ? { space: entry.space } : {},
-    path: entry.path,
-    actions: [...entry.actions],
-    ...entry.skipPrefix !== void 0 ? { skipPrefix: entry.skipPrefix } : {},
-    ...entry.expiry !== void 0 ? { expiry: entry.expiry } : {},
-    ...entry.description !== void 0 ? { description: entry.description } : {}
+    code,
+    message,
+    service: "delegation",
+    cause,
+    meta
   };
 }
-function dedupeResources(resources) {
-  const byKey = /* @__PURE__ */ new Map();
-  for (const resource of resources) {
-    const key = `${resource.service}\0${resource.space}\0${resource.path}\0${resource.expiryMs ?? ""}`;
-    const existing = byKey.get(key);
-    if (existing === void 0) {
-      byKey.set(key, cloneResourceCapability(resource));
-      continue;
+var DelegationManager = class {
+  /**
+   * Creates a new DelegationManager instance.
+   *
+   * @param config - Configuration including hosts, session, and invoke function
+   */
+  constructor(config) {
+    this.hosts = config.hosts;
+    this.session = config.session;
+    this.invoke = config.invoke;
+    this.fetchFn = config.fetch ?? globalThis.fetch.bind(globalThis);
+  }
+  /**
+   * Updates the session (e.g., after re-authentication).
+   *
+   * @param session - New session to use for operations
+   */
+  updateSession(session) {
+    this.session = session;
+  }
+  /**
+   * Gets the primary host URL.
+   */
+  get host() {
+    return this.hosts[0];
+  }
+  /**
+   * Executes an invoke operation against the delegation API.
+   */
+  async invokeOperation(path, action, body) {
+    const headers = this.invoke(this.session, "delegation", path, action);
+    return this.fetchFn(`${this.host}/invoke`, {
+      method: "POST",
+      headers,
+      body
+    });
+  }
+  /**
+   * Creates a new delegation.
+   *
+   * Delegates specific permissions to another DID for a given path.
+   * The delegatee can then use these permissions to access resources
+   * within the specified scope.
+   *
+   * @param params - Parameters for the delegation
+   * @returns Result containing the created Delegation or an error
+   *
+   * @example
+   * ```typescript
+   * const result = await manager.create({
+   *   delegateDID: bob.did,
+   *   path: "documents/shared/",
+   *   actions: ["tinycloud.kv/get", "tinycloud.kv/put"],
+   *   expiry: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000), // 7 days
+   * });
+   * ```
+   */
+  async create(params) {
+    if (!params.delegateDID) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "delegateDID is required"
+        )
+      };
     }
-    const seen = new Set(existing.actions);
-    for (const action of resource.actions) {
-      if (!seen.has(action)) {
-        existing.actions.push(action);
-        seen.add(action);
+    if (!params.path) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "path is required"
+        )
+      };
+    }
+    if (!params.actions || params.actions.length === 0) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "at least one action is required"
+        )
+      };
+    }
+    try {
+      const body = JSON.stringify({
+        delegateDID: params.delegateDID,
+        path: params.path,
+        actions: params.actions,
+        expiry: params.expiry?.toISOString(),
+        disableSubDelegation: params.disableSubDelegation ?? false,
+        statement: params.statement
+      });
+      const response = await this.invokeOperation(
+        params.path,
+        DelegationAction.CREATE,
+        body
+      );
+      if (!response.ok) {
+        const errorText = await response.text();
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.CREATION_FAILED,
+            `Failed to create delegation: ${response.status} - ${errorText}`,
+            void 0,
+            { status: response.status, path: params.path }
+          )
+        };
+      }
+      const apiResponse = await response.json();
+      const delegation = {
+        cid: apiResponse.cid ?? "",
+        delegateDID: params.delegateDID,
+        spaceId: this.session.spaceId,
+        path: params.path,
+        actions: params.actions,
+        expiry: params.expiry ?? new Date(Date.now() + EXPIRY.SHARE_MS),
+        isRevoked: false,
+        allowSubDelegation: !(params.disableSubDelegation ?? false),
+        createdAt: /* @__PURE__ */ new Date()
+      };
+      return { ok: true, data: delegation };
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.ABORTED,
+            "Request aborted",
+            error
+          )
+        };
+      }
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.NETWORK_ERROR,
+          `Network error during delegation creation: ${String(error)}`,
+          error instanceof Error ? error : void 0
+        )
+      };
+    }
+  }
+  /**
+   * Revokes an existing delegation.
+   *
+   * Once revoked, the delegation can no longer be used to access resources.
+   * This also invalidates any sub-delegations derived from this delegation.
+   *
+   * @param cid - The CID of the delegation to revoke
+   * @returns Result indicating success or an error
+   *
+   * @example
+   * ```typescript
+   * const result = await manager.revoke("bafy...");
+   * if (result.ok) {
+   *   console.log("Delegation revoked successfully");
+   * }
+   * ```
+   */
+  async revoke(cid) {
+    if (!cid) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "cid is required"
+        )
+      };
+    }
+    try {
+      const body = JSON.stringify({ cid });
+      const response = await this.invokeOperation(
+        cid,
+        DelegationAction.REVOKE,
+        body
+      );
+      if (!response.ok) {
+        const errorText = await response.text();
+        if (response.status === 404) {
+          return {
+            ok: false,
+            error: createError(
+              DelegationErrorCodes.NOT_FOUND,
+              `Delegation not found: ${cid}`
+            )
+          };
+        }
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.REVOCATION_FAILED,
+            `Failed to revoke delegation: ${response.status} - ${errorText}`,
+            void 0,
+            { status: response.status, cid }
+          )
+        };
       }
+      return { ok: true, data: void 0 };
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.ABORTED,
+            "Request aborted",
+            error
+          )
+        };
+      }
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.NETWORK_ERROR,
+          `Network error during delegation revocation: ${String(error)}`,
+          error instanceof Error ? error : void 0
+        )
+      };
     }
-    if (existing.description === void 0 && resource.description !== void 0) {
-      existing.description = resource.description;
-    }
-  }
-  return [...byKey.values()];
-}
-function capabilitiesReadPermission(space) {
-  return {
-    service: "tinycloud.capabilities",
-    space,
-    path: "",
-    actions: ["tinycloud.capabilities/read"]
-  };
-}
-function withCapabilitiesReadForSpaces(resources) {
-  if (resources.length === 0) {
-    return [];
-  }
-  const spaces = new Set(
-    resources.filter((resource) => resource.service !== ENCRYPTION_PERMISSION_SERVICE).map((resource) => resource.space)
-  );
-  return dedupeResources([
-    ...resources,
-    ...[...spaces].map(capabilitiesReadPermission)
-  ]);
-}
-function accountRegistryPermission() {
-  return {
-    service: "tinycloud.kv",
-    space: ACCOUNT_REGISTRY_SPACE,
-    path: ACCOUNT_REGISTRY_PATH,
-    actions: ["tinycloud.kv/get", "tinycloud.kv/put", "tinycloud.kv/list"]
-  };
-}
-function composeManifestRequest(inputs, options = {}) {
-  if (!Array.isArray(inputs) || inputs.length === 0) {
-    throw new ManifestValidationError(
-      "composeManifestRequest requires at least one manifest"
-    );
-  }
-  const includeAccountRegistryPermissions = options.includeAccountRegistryPermissions ?? true;
-  const manifests = inputs.map(validateManifest);
-  const resolved = manifests.map(resolveManifest);
-  const resources = resolved.flatMap((entry) => entry.resources);
-  const delegationTargets = resolved.flatMap(
-    (entry) => entry.additionalDelegates.map((delegate) => ({
-      ...delegate,
-      permissions: dedupeResources(delegate.permissions)
-    }))
-  );
-  if (includeAccountRegistryPermissions) {
-    resources.push(accountRegistryPermission());
   }
-  const resourcesWithImplicitCapabilities = withCapabilitiesReadForSpaces(resources);
-  const manifestsByAppId = /* @__PURE__ */ new Map();
-  for (const manifest of manifests) {
-    const current = manifestsByAppId.get(manifest.app_id);
-    if (current === void 0) {
-      manifestsByAppId.set(manifest.app_id, [manifest]);
-    } else {
-      current.push(manifest);
+  /**
+   * Lists all delegations for the current session's space.
+   *
+   * Returns both delegations created by the current user (as delegator)
+   * and delegations granted to the current user (as delegatee).
+   *
+   * @returns Result containing an array of Delegations or an error
+   *
+   * @example
+   * ```typescript
+   * const result = await manager.list();
+   * if (result.ok) {
+   *   for (const delegation of result.data) {
+   *     console.log(`${delegation.cid}: ${delegation.path} -> ${delegation.delegateDID}`);
+   *   }
+   * }
+   * ```
+   */
+  async list() {
+    try {
+      const response = await this.invokeOperation("", DelegationAction.LIST);
+      if (!response.ok) {
+        const errorText = await response.text();
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.NETWORK_ERROR,
+            `Failed to list delegations: ${response.status} - ${errorText}`,
+            void 0,
+            { status: response.status }
+          )
+        };
+      }
+      const data = await response.json();
+      const delegations = data.map((item) => ({
+        cid: item.cid,
+        delegateDID: item.delegateDID,
+        delegatorDID: item.delegatorDID,
+        spaceId: item.spaceId,
+        path: item.path,
+        actions: item.actions,
+        expiry: new Date(item.expiry),
+        isRevoked: item.isRevoked,
+        createdAt: item.createdAt ? new Date(item.createdAt) : void 0,
+        parentCid: item.parentCid,
+        allowSubDelegation: item.allowSubDelegation
+      }));
+      return { ok: true, data: delegations };
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.ABORTED,
+            "Request aborted",
+            error
+          )
+        };
+      }
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.NETWORK_ERROR,
+          `Network error during delegation list: ${String(error)}`,
+          error instanceof Error ? error : void 0
+        )
+      };
     }
   }
-  const registryRecords = includeAccountRegistryPermissions ? [...manifestsByAppId.entries()].map(([app_id, appManifests]) => ({
-    key: `${ACCOUNT_REGISTRY_PATH}${app_id}`,
-    app_id,
-    manifests: appManifests.map((manifest) => ({
-      ...manifest,
-      permissions: manifest.permissions?.map(clonePermissionEntry)
-    }))
-  })) : [];
-  return {
-    manifests,
-    resources: resourcesWithImplicitCapabilities,
-    delegationTargets,
-    registryRecords,
-    expiryMs: Math.max(...resolved.map((entry) => entry.expiryMs)),
-    includePublicSpace: resolved.some((entry) => entry.includePublicSpace)
-  };
-}
-function resourceCapabilitiesToAbilitiesMap(resources) {
-  const out = {};
-  for (const r of resources) {
-    const shortService = SERVICE_LONG_TO_SHORT[r.service];
-    if (shortService === void 0) {
-      throw new ManifestValidationError(
-        `unknown service '${r.service}' \u2014 no short-form mapping. Known services: ${Object.keys(SERVICE_LONG_TO_SHORT).join(", ")}`
+  /**
+   * Gets the full delegation chain for a given delegation.
+   *
+   * Returns the chain of delegations from the root (original delegator)
+   * to the specified delegation, including all intermediate sub-delegations.
+   *
+   * @param cid - The CID of the delegation to get the chain for
+   * @returns Result containing the DelegationChain or an error
+   *
+   * @example
+   * ```typescript
+   * const result = await manager.getChain("bafy...");
+   * if (result.ok) {
+   *   console.log("Chain length:", result.data.length);
+   *   for (const delegation of result.data) {
+   *     console.log(`- ${delegation.delegatorDID} -> ${delegation.delegateDID}`);
+   *   }
+   * }
+   * ```
+   */
+  async getChain(cid) {
+    if (!cid) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "cid is required"
+        )
+      };
+    }
+    try {
+      const body = JSON.stringify({ cid, includeChain: true });
+      const response = await this.invokeOperation(
+        cid,
+        DelegationAction.GET,
+        body
       );
+      if (!response.ok) {
+        const errorText = await response.text();
+        if (response.status === 404) {
+          return {
+            ok: false,
+            error: createError(
+              DelegationErrorCodes.NOT_FOUND,
+              `Delegation not found: ${cid}`
+            )
+          };
+        }
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.NETWORK_ERROR,
+            `Failed to get delegation chain: ${response.status} - ${errorText}`,
+            void 0,
+            { status: response.status, cid }
+          )
+        };
+      }
+      const data = await response.json();
+      const chain = data.chain.map((item) => ({
+        cid: item.cid,
+        delegateDID: item.delegateDID,
+        delegatorDID: item.delegatorDID,
+        spaceId: item.spaceId,
+        path: item.path,
+        actions: item.actions,
+        expiry: new Date(item.expiry),
+        isRevoked: item.isRevoked,
+        createdAt: item.createdAt ? new Date(item.createdAt) : void 0,
+        parentCid: item.parentCid,
+        allowSubDelegation: item.allowSubDelegation
+      }));
+      return { ok: true, data: chain };
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.ABORTED,
+            "Request aborted",
+            error
+          )
+        };
+      }
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.NETWORK_ERROR,
+          `Network error during chain retrieval: ${String(error)}`,
+          error instanceof Error ? error : void 0
+        )
+      };
     }
-    if (out[shortService] === void 0) {
-      out[shortService] = {};
+  }
+  /**
+   * Checks if the current session has permission for a given path and action.
+   *
+   * This can be used to verify permissions before attempting an operation,
+   * or to implement custom access control logic.
+   *
+   * @param path - The resource path to check
+   * @param action - The action to check (e.g., "tinycloud.kv/get")
+   * @returns Result containing a boolean indicating permission or an error
+   *
+   * @example
+   * ```typescript
+   * const result = await manager.checkPermission("documents/private/", "tinycloud.kv/put");
+   * if (result.ok && result.data) {
+   *   console.log("Permission granted");
+   * } else {
+   *   console.log("Permission denied");
+   * }
+   * ```
+   */
+  async checkPermission(path, action) {
+    if (!path) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "path is required"
+        )
+      };
     }
-    const pathsMap = out[shortService];
-    const existing = pathsMap[r.path];
-    if (existing === void 0) {
-      pathsMap[r.path] = [...r.actions];
-    } else {
-      const seen = new Set(existing);
-      for (const action of r.actions) {
-        if (!seen.has(action)) {
-          existing.push(action);
-          seen.add(action);
+    if (!action) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "action is required"
+        )
+      };
+    }
+    try {
+      const body = JSON.stringify({ path, action });
+      const response = await this.invokeOperation(
+        path,
+        DelegationAction.CHECK,
+        body
+      );
+      if (!response.ok) {
+        if (response.status === 403) {
+          return { ok: true, data: false };
         }
+        const errorText = await response.text();
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.NETWORK_ERROR,
+            `Failed to check permission: ${response.status} - ${errorText}`,
+            void 0,
+            { status: response.status, path, action }
+          )
+        };
       }
+      const data = await response.json();
+      return { ok: true, data: data.allowed };
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.ABORTED,
+            "Request aborted",
+            error
+          )
+        };
+      }
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.NETWORK_ERROR,
+          `Network error during permission check: ${String(error)}`,
+          error instanceof Error ? error : void 0
+        )
+      };
     }
   }
-  return out;
-}
-function resourceCapabilitiesToSpaceAbilitiesMap(resources) {
-  const grouped = /* @__PURE__ */ new Map();
-  for (const resource of resources) {
-    const entries = grouped.get(resource.space);
-    if (entries === void 0) {
-      grouped.set(resource.space, [resource]);
-    } else {
-      entries.push(resource);
-    }
-  }
-  const out = {};
-  for (const [space, entries] of grouped.entries()) {
-    out[space] = resourceCapabilitiesToAbilitiesMap(entries);
-  }
-  return out;
-}
-function manifestAbilitiesUnion(resolved) {
-  const all = [...resolved.resources];
-  for (const delegate of resolved.additionalDelegates) {
-    for (const perm of delegate.permissions) {
-      all.push(perm);
-    }
+};
+
+// src/delegations/SharingService.schema.ts
+import { z as z5 } from "zod";
+var EncodedShareDataSchema = z5.object({
+  /** Private key in JWK format (must include d parameter) */
+  key: JWKSchema.refine(
+    (jwk) => typeof jwk.d === "string" && jwk.d.length > 0,
+    { message: "JWK must include private key (d parameter)" }
+  ),
+  /** DID of the key */
+  keyDid: z5.string().min(1, "keyDid is required"),
+  /** The delegation granting access */
+  delegation: DelegationSchema,
+  /** Resource path this link grants access to */
+  path: z5.string().min(1, "path is required"),
+  /** TinyCloud host URL */
+  host: z5.string().url("host must be a valid URL"),
+  /** Space ID */
+  spaceId: z5.string().min(1, "spaceId is required"),
+  /** Schema version (must be 1) */
+  version: z5.literal(1)
+});
+var ReceiveOptionsSchema = z5.object({
+  /**
+   * Whether to automatically create a sub-delegation to the current session key.
+   * Default: true
+   */
+  autoSubdelegate: z5.boolean().optional(),
+  /**
+   * Whether to use the current session key for operations (requires autoSubdelegate).
+   * Default: true
+   */
+  useSessionKey: z5.boolean().optional(),
+  /**
+   * Ingestion options passed to CapabilityKeyRegistry.
+   */
+  ingestOptions: IngestOptionsSchema.optional()
+});
+var SharingServiceConfigSchema = z5.object({
+  /** TinyCloud host URLs */
+  hosts: z5.array(z5.string().url()).min(1, "At least one host URL is required"),
+  /**
+   * Active session for authentication.
+   * Required for generate(), optional for receive().
+   */
+  session: z5.unknown().refine(
+    (val) => val === void 0 || val !== null && typeof val === "object",
+    { message: "Expected a ServiceSession object or undefined" }
+  ).optional(),
+  /** Platform-specific invoke function */
+  invoke: z5.unknown().refine((val) => typeof val === "function", {
+    message: "Expected an invoke function"
+  }),
+  /** Optional custom fetch implementation */
+  fetch: z5.unknown().refine(
+    (val) => val === void 0 || typeof val === "function",
+    { message: "Expected a fetch function or undefined" }
+  ).optional(),
+  /** Key provider for cryptographic operations */
+  keyProvider: KeyProviderSchema,
+  /** Capability key registry for key/delegation management */
+  registry: z5.unknown().refine(
+    (val) => val !== null && typeof val === "object",
+    { message: "Expected an ICapabilityKeyRegistry object" }
+  ),
+  /**
+   * Delegation manager for creating delegations.
+   * Required for generate(), optional for receive().
+   */
+  delegationManager: z5.unknown().refine(
+    (val) => val === void 0 || val !== null && typeof val === "object",
+    { message: "Expected a DelegationManager object or undefined" }
+  ).optional(),
+  /** Factory for creating KV service instances */
+  createKVService: z5.unknown().refine(
+    (val) => typeof val === "function",
+    { message: "Expected a createKVService factory function" }
+  ),
+  /** Base URL for sharing links (e.g., "https://share.myapp.com") */
+  baseUrl: z5.string().optional(),
+  /**
+   * Custom delegation creation function.
+   */
+  createDelegation: z5.unknown().refine((val) => val === void 0 || typeof val === "function", {
+    message: "Expected a createDelegation function or undefined"
+  }).optional(),
+  /**
+   * WASM function for client-side delegation creation.
+   */
+  createDelegationWasm: z5.unknown().refine((val) => val === void 0 || typeof val === "function", {
+    message: "Expected a createDelegationWasm function or undefined"
+  }).optional(),
+  /**
+   * Path prefix for KV operations.
+   */
+  pathPrefix: z5.string().optional(),
+  /**
+   * Session expiry time.
+   */
+  sessionExpiry: z5.date().optional(),
+  /**
+   * Callback to create a DIRECT delegation from wallet to share key.
+   * This is the preferred method for long-lived share links because it
+   * bypasses the session delegation chain entirely.
+   */
+  onRootDelegationNeeded: z5.unknown().refine((val) => val === void 0 || typeof val === "function", {
+    message: "Expected an onRootDelegationNeeded function or undefined"
+  }).optional()
+});
+function validateEncodedShareData(data) {
+  const result = EncodedShareDataSchema.safeParse(data);
+  if (!result.success) {
+    return {
+      ok: false,
+      error: {
+        code: DelegationErrorCodes.VALIDATION_ERROR,
+        message: `Invalid share data: ${result.error.message}`,
+        service: "delegation",
+        meta: { issues: result.error.issues }
+      }
+    };
   }
-  return resourceCapabilitiesToAbilitiesMap(all);
+  return { ok: true, data: result.data };
 }
 
 // src/delegations/SharingService.ts
@@ -3799,13 +4662,13 @@ var SharingService = class {
           )
         };
       }
-    } catch (err5) {
+    } catch (err6) {
       return {
         ok: false,
         error: createError2(
           DelegationErrorCodes.CREATION_FAILED,
-          `Failed to generate session key for share: ${err5 instanceof Error ? err5.message : String(err5)}`,
-          err5 instanceof Error ? err5 : void 0
+          `Failed to generate session key for share: ${err6 instanceof Error ? err6.message : String(err6)}`,
+          err6 instanceof Error ? err6 : void 0
         )
       };
     }
@@ -3851,7 +4714,7 @@ var SharingService = class {
           }
           delegation = parsed;
         }
-      } catch (err5) {
+      } catch (err6) {
         const fallbackResult = await this.handleSessionExtensionFallback(requestedExpiry);
         expiry = fallbackResult.expiry;
         const delegationResult = await this.createSessionDelegation(plainDID, fullPath, actions, expiry);
@@ -4049,13 +4912,13 @@ var SharingService = class {
           allowSubDelegation: true,
           createdAt: /* @__PURE__ */ new Date()
         };
-      } catch (err5) {
+      } catch (err6) {
         return {
           ok: false,
           error: createError2(
             DelegationErrorCodes.CREATION_FAILED,
-            `Failed to create delegation via WASM: ${err5 instanceof Error ? err5.message : String(err5)}`,
-            err5 instanceof Error ? err5 : void 0
+            `Failed to create delegation via WASM: ${err6 instanceof Error ? err6.message : String(err6)}`,
+            err6 instanceof Error ? err6 : void 0
           )
         };
       }
@@ -4136,8 +4999,8 @@ var SharingService = class {
     let activeKey = keyInfo;
     if (autoSubdelegate && useSessionKey && this.session) {
       try {
-      } catch (err5) {
-        console.warn("Auto-subdelegation failed, using ingested key directly:", err5);
+      } catch (err6) {
+        console.warn("Auto-subdelegation failed, using ingested key directly:", err6);
       }
     }
     const authHeader = shareData.delegation.authHeader ?? `Bearer ${shareData.delegation.cid}`;
@@ -4235,26 +5098,26 @@ var SharingService = class {
     let jsonString;
     try {
       jsonString = base64UrlDecode(base64Data);
-    } catch (err5) {
+    } catch (err6) {
       return {
         ok: false,
         error: createError2(
           DelegationErrorCodes.INVALID_TOKEN,
-          `Failed to decode base64 data: ${err5 instanceof Error ? err5.message : String(err5)}`,
-          err5 instanceof Error ? err5 : void 0
+          `Failed to decode base64 data: ${err6 instanceof Error ? err6.message : String(err6)}`,
+          err6 instanceof Error ? err6 : void 0
         )
       };
     }
     let parsed;
     try {
       parsed = JSON.parse(jsonString);
-    } catch (err5) {
+    } catch (err6) {
       return {
         ok: false,
         error: createError2(
           DelegationErrorCodes.INVALID_TOKEN,
-          `Failed to parse share data JSON: ${err5 instanceof Error ? err5.message : String(err5)}`,
-          err5 instanceof Error ? err5 : void 0
+          `Failed to parse share data JSON: ${err6 instanceof Error ? err6.message : String(err6)}`,
+          err6 instanceof Error ? err6 : void 0
         )
       };
     }
@@ -4281,8 +5144,8 @@ function createSharingService(config) {
 }
 
 // src/authorization/CapabilityKeyRegistry.ts
-import { ok as ok3, err as err3, serviceError as serviceError3 } from "@tinycloud/sdk-services";
-var SERVICE_NAME2 = "capability-key-registry";
+import { ok as ok4, err as err4, serviceError as serviceError4 } from "@tinycloud/sdk-services";
+var SERVICE_NAME3 = "capability-key-registry";
 var CapabilityKeyRegistryErrorCodes = {
   /** Key not found in registry */
   KEY_NOT_FOUND: "KEY_NOT_FOUND",
@@ -4499,11 +5362,11 @@ var CapabilityKeyRegistry = class {
   revokeDelegation(cid) {
     const stored = this.store.byCid.get(cid);
     if (!stored) {
-      return err3(
-        serviceError3(
+      return err4(
+        serviceError4(
           CapabilityKeyRegistryErrorCodes.KEY_NOT_FOUND,
           `Delegation not found: ${cid}`,
-          SERVICE_NAME2
+          SERVICE_NAME3
         )
       );
     }
@@ -4522,7 +5385,7 @@ var CapabilityKeyRegistry = class {
         }
       }
     }
-    return ok3(void 0);
+    return ok4(void 0);
   }
   // ===========================================================================
   // Search
@@ -4751,8 +5614,8 @@ async function checkNodeInfo(host, sdkProtocol, fetchFn = globalThis.fetch.bind(
     response = await fetchFn(`${host}/info`, {
       signal: AbortSignal.timeout(5e3)
     });
-  } catch (err5) {
-    throw new VersionCheckError(host, err5);
+  } catch (err6) {
+    throw new VersionCheckError(host, err6);
   }
   if (!response.ok) {
     throw new VersionCheckError(host);
@@ -5284,6 +6147,7 @@ function parseRecapCapabilities(parseWasm, siwe) {
 export {
   ACCOUNT_REGISTRY_PATH,
   ACCOUNT_REGISTRY_SPACE,
+  AccountService,
   AutoApproveSpaceCreationHandler,
   CapabilityKeyRegistry,
   CapabilityKeyRegistryErrorCodes,
@@ -5389,7 +6253,7 @@ export {
   utf8Decode as encryptionUtf8Decode,
   utf8Encode as encryptionUtf8Encode,
   ensureNetworkUsableForDecrypt,
-  err4 as err,
+  err5 as err,
   expandActionShortNames,
   expandPermissionEntries,
   expandPermissionEntry,
@@ -5410,7 +6274,7 @@ export {
   multiaddrToHttpUrl,
   networkDiscoveryKey,
   normalizeDefaults,
-  ok4 as ok,
+  ok5 as ok,
   openWrappedKey,
   parseCanonicalNetworkId,
   parseExpiry,
@@ -5428,7 +6292,7 @@ export {
   resolveTinyCloudHosts,
   resourceCapabilitiesToAbilitiesMap,
   resourceCapabilitiesToSpaceAbilitiesMap,
-  serviceError4 as serviceError,
+  serviceError5 as serviceError,
   signLocationRecord,
   submitHostDelegation,
   validateClientSession,