@tinycloud/sdk-core 2.4.0-beta.2 → 2.4.0-beta.6

package/dist/index.cjs

@@ -32,57 +32,58 @@ var index_exports = {};
 __export(index_exports, {
   ACCOUNT_REGISTRY_PATH: () => ACCOUNT_REGISTRY_PATH,
   ACCOUNT_REGISTRY_SPACE: () => ACCOUNT_REGISTRY_SPACE,
+  AccountService: () => AccountService,
   AutoApproveSpaceCreationHandler: () => AutoApproveSpaceCreationHandler,
   CapabilityKeyRegistry: () => CapabilityKeyRegistry,
   CapabilityKeyRegistryErrorCodes: () => CapabilityKeyRegistryErrorCodes,
   ClientSessionSchema: () => ClientSessionSchema,
   CloudLocationResolutionError: () => CloudLocationResolutionError,
-  DECRYPT_ACTION: () => import_sdk_services6.DECRYPT_ACTION,
-  DECRYPT_FACT_TYPE: () => import_sdk_services6.DECRYPT_FACT_TYPE,
-  DECRYPT_RESULT_TYPE: () => import_sdk_services6.DECRYPT_RESULT_TYPE,
+  DECRYPT_ACTION: () => import_sdk_services7.DECRYPT_ACTION,
+  DECRYPT_FACT_TYPE: () => import_sdk_services7.DECRYPT_FACT_TYPE,
+  DECRYPT_RESULT_TYPE: () => import_sdk_services7.DECRYPT_RESULT_TYPE,
   DEFAULT_DEFAULTS: () => DEFAULT_DEFAULTS,
-  DEFAULT_ENCRYPTION_ALG: () => import_sdk_services6.DEFAULT_ENCRYPTION_ALG,
+  DEFAULT_ENCRYPTION_ALG: () => import_sdk_services7.DEFAULT_ENCRYPTION_ALG,
   DEFAULT_EXPIRY: () => DEFAULT_EXPIRY,
-  DEFAULT_KEY_VERSION: () => import_sdk_services6.DEFAULT_KEY_VERSION,
+  DEFAULT_KEY_VERSION: () => import_sdk_services7.DEFAULT_KEY_VERSION,
   DEFAULT_MANIFEST_SPACE: () => DEFAULT_MANIFEST_SPACE,
   DEFAULT_MANIFEST_VERSION: () => DEFAULT_MANIFEST_VERSION,
   DEFAULT_SIGNED_READ_URL_EXPIRY_MS: () => DEFAULT_SIGNED_READ_URL_EXPIRY_MS,
   DEFAULT_TINYCLOUD_FALLBACK_HOST: () => DEFAULT_TINYCLOUD_FALLBACK_HOST,
   DEFAULT_TINYCLOUD_LOCATION_REGISTRY_URL: () => DEFAULT_TINYCLOUD_LOCATION_REGISTRY_URL,
-  DataVaultService: () => import_sdk_services6.DataVaultService,
-  DatabaseHandle: () => import_sdk_services6.DatabaseHandle,
+  DataVaultService: () => import_sdk_services7.DataVaultService,
+  DatabaseHandle: () => import_sdk_services7.DatabaseHandle,
   DelegationErrorCodes: () => DelegationErrorCodes,
   DelegationManager: () => DelegationManager,
-  DuckDbAction: () => import_sdk_services6.DuckDbAction,
-  DuckDbDatabaseHandle: () => import_sdk_services6.DuckDbDatabaseHandle,
-  DuckDbService: () => import_sdk_services6.DuckDbService,
+  DuckDbAction: () => import_sdk_services7.DuckDbAction,
+  DuckDbDatabaseHandle: () => import_sdk_services7.DuckDbDatabaseHandle,
+  DuckDbService: () => import_sdk_services7.DuckDbService,
   ENCRYPTION_MANIFEST_SPACE: () => ENCRYPTION_MANIFEST_SPACE,
-  ENCRYPTION_NETWORK_URN_PREFIX: () => import_sdk_services6.ENCRYPTION_NETWORK_URN_PREFIX,
+  ENCRYPTION_NETWORK_URN_PREFIX: () => import_sdk_services7.ENCRYPTION_NETWORK_URN_PREFIX,
   ENCRYPTION_PERMISSION_SERVICE: () => ENCRYPTION_PERMISSION_SERVICE,
-  ENCRYPTION_SERVICE: () => import_sdk_services6.ENCRYPTION_SERVICE,
-  ENCRYPTION_SERVICE_SHORT: () => import_sdk_services6.ENCRYPTION_SERVICE_SHORT,
-  ENVELOPE_VERSION: () => import_sdk_services6.ENVELOPE_VERSION,
+  ENCRYPTION_SERVICE: () => import_sdk_services7.ENCRYPTION_SERVICE,
+  ENCRYPTION_SERVICE_SHORT: () => import_sdk_services7.ENCRYPTION_SERVICE_SHORT,
+  ENVELOPE_VERSION: () => import_sdk_services7.ENVELOPE_VERSION,
   EXPIRY: () => EXPIRY,
-  EncryptionService: () => import_sdk_services6.EncryptionService,
+  EncryptionService: () => import_sdk_services7.EncryptionService,
   EnsDataSchema: () => EnsDataSchema,
-  ErrorCodes: () => import_sdk_services6.ErrorCodes,
-  HooksService: () => import_sdk_services6.HooksService,
+  ErrorCodes: () => import_sdk_services7.ErrorCodes,
+  HooksService: () => import_sdk_services7.HooksService,
   IdentityParseError: () => IdentityParseError,
-  KVService: () => import_sdk_services6.KVService,
+  KVService: () => import_sdk_services7.KVService,
   LocationRecordValidationError: () => LocationRecordValidationError,
   ManifestValidationError: () => ManifestValidationError,
-  NETWORK_NAME_PATTERN: () => import_sdk_services6.NETWORK_NAME_PATTERN,
-  NetworkIdError: () => import_sdk_services6.NetworkIdError,
+  NETWORK_NAME_PATTERN: () => import_sdk_services7.NETWORK_NAME_PATTERN,
+  NetworkIdError: () => import_sdk_services7.NetworkIdError,
   PermissionNotInManifestError: () => PermissionNotInManifestError,
-  PrefixedKVService: () => import_sdk_services6.PrefixedKVService,
+  PrefixedKVService: () => import_sdk_services7.PrefixedKVService,
   ProtocolMismatchError: () => ProtocolMismatchError,
-  SECRET_NAME_RE: () => import_sdk_services6.SECRET_NAME_RE,
+  SECRET_NAME_RE: () => import_sdk_services7.SECRET_NAME_RE,
   SERVICE_LONG_TO_SHORT: () => SERVICE_LONG_TO_SHORT,
   SERVICE_SHORT_TO_LONG: () => SERVICE_SHORT_TO_LONG,
-  SQLAction: () => import_sdk_services6.SQLAction,
-  SQLService: () => import_sdk_services6.SQLService,
-  SecretsService: () => import_sdk_services6.SecretsService,
-  ServiceContext: () => import_sdk_services6.ServiceContext,
+  SQLAction: () => import_sdk_services7.SQLAction,
+  SQLService: () => import_sdk_services7.SQLService,
+  SecretsService: () => import_sdk_services7.SecretsService,
+  ServiceContext: () => import_sdk_services7.ServiceContext,
   SessionExpiredError: () => SessionExpiredError,
   SharingService: () => SharingService,
   SilentNotificationHandler: () => SilentNotificationHandler,
@@ -94,75 +95,75 @@ __export(index_exports, {
   TinyCloud: () => TinyCloud,
   UnsupportedFeatureError: () => UnsupportedFeatureError,
   VAULT_PERMISSION_SERVICE: () => VAULT_PERMISSION_SERVICE,
-  VaultHeaders: () => import_sdk_services6.VaultHeaders,
-  VaultPublicSpaceKVActions: () => import_sdk_services6.VaultPublicSpaceKVActions,
+  VaultHeaders: () => import_sdk_services7.VaultHeaders,
+  VaultPublicSpaceKVActions: () => import_sdk_services7.VaultPublicSpaceKVActions,
   VersionCheckError: () => VersionCheckError,
   activateSessionWithHost: () => activateSessionWithHost,
   addressStorageKey: () => addressStorageKey,
   applyPrefix: () => applyPrefix,
-  buildCanonicalDecryptRequest: () => import_sdk_services6.buildCanonicalDecryptRequest,
-  buildDecryptAttenuation: () => import_sdk_services6.buildDecryptAttenuation,
-  buildDecryptFacts: () => import_sdk_services6.buildDecryptFacts,
-  buildDecryptInvocation: () => import_sdk_services6.buildDecryptInvocation,
-  buildNetworkId: () => import_sdk_services6.buildNetworkId,
+  buildCanonicalDecryptRequest: () => import_sdk_services7.buildCanonicalDecryptRequest,
+  buildDecryptAttenuation: () => import_sdk_services7.buildDecryptAttenuation,
+  buildDecryptFacts: () => import_sdk_services7.buildDecryptFacts,
+  buildDecryptInvocation: () => import_sdk_services7.buildDecryptInvocation,
+  buildNetworkId: () => import_sdk_services7.buildNetworkId,
   buildSpaceUri: () => buildSpaceUri,
-  canonicalHashHex: () => import_sdk_services6.canonicalHashHex,
+  canonicalHashHex: () => import_sdk_services7.canonicalHashHex,
   canonicalLocationPayload: () => canonicalLocationPayload,
-  canonicalSignedResponse: () => import_sdk_services6.canonicalSignedResponse,
+  canonicalSignedResponse: () => import_sdk_services7.canonicalSignedResponse,
   canonicalizeAddress: () => canonicalizeAddress,
   canonicalizeDid: () => canonicalizeDid,
   canonicalizeDidUrl: () => canonicalizeDidUrl,
-  canonicalizeEncryptionJson: () => import_sdk_services6.canonicalizeEncryptionJson,
+  canonicalizeEncryptionJson: () => import_sdk_services7.canonicalizeEncryptionJson,
   canonicalizeNetworkId: () => canonicalizeNetworkId,
-  canonicalizeSecretScope: () => import_sdk_services6.canonicalizeSecretScope,
-  checkDecryptInvocationInput: () => import_sdk_services6.checkDecryptInvocationInput,
+  canonicalizeSecretScope: () => import_sdk_services7.canonicalizeSecretScope,
+  checkDecryptInvocationInput: () => import_sdk_services7.checkDecryptInvocationInput,
   checkNodeInfo: () => checkNodeInfo,
   composeManifestRequest: () => composeManifestRequest,
   createCapabilityKeyRegistry: () => createCapabilityKeyRegistry,
   createSharingService: () => createSharingService,
   createSpaceService: () => createSpaceService,
-  createVaultCrypto: () => import_sdk_services6.createVaultCrypto,
-  decryptEnvelopeWithKey: () => import_sdk_services6.decryptEnvelopeWithKey,
-  defaultRetryPolicy: () => import_sdk_services6.defaultRetryPolicy,
+  createVaultCrypto: () => import_sdk_services7.createVaultCrypto,
+  decryptEnvelopeWithKey: () => import_sdk_services7.decryptEnvelopeWithKey,
+  defaultRetryPolicy: () => import_sdk_services7.defaultRetryPolicy,
   defaultSignStrategy: () => defaultSignStrategy,
   defaultSpaceCreationHandler: () => defaultSpaceCreationHandler,
-  deriveSignedReceiverKey: () => import_sdk_services6.deriveSignedReceiverKey,
+  deriveSignedReceiverKey: () => import_sdk_services7.deriveSignedReceiverKey,
   didCacheKey: () => didCacheKey,
   didEquals: () => didEquals,
-  discoverNetwork: () => import_sdk_services6.discoverNetwork,
-  encryptToNetwork: () => import_sdk_services6.encryptToNetwork,
-  encryptionBase64Decode: () => import_sdk_services6.base64Decode,
-  encryptionBase64Encode: () => import_sdk_services6.base64Encode,
-  encryptionError: () => import_sdk_services6.encryptionError,
-  encryptionUtf8Decode: () => import_sdk_services6.utf8Decode,
-  encryptionUtf8Encode: () => import_sdk_services6.utf8Encode,
-  ensureNetworkUsableForDecrypt: () => import_sdk_services6.ensureNetworkUsableForDecrypt,
-  err: () => import_sdk_services6.err,
+  discoverNetwork: () => import_sdk_services7.discoverNetwork,
+  encryptToNetwork: () => import_sdk_services7.encryptToNetwork,
+  encryptionBase64Decode: () => import_sdk_services7.base64Decode,
+  encryptionBase64Encode: () => import_sdk_services7.base64Encode,
+  encryptionError: () => import_sdk_services7.encryptionError,
+  encryptionUtf8Decode: () => import_sdk_services7.utf8Decode,
+  encryptionUtf8Encode: () => import_sdk_services7.utf8Encode,
+  ensureNetworkUsableForDecrypt: () => import_sdk_services7.ensureNetworkUsableForDecrypt,
+  err: () => import_sdk_services7.err,
   expandActionShortNames: () => expandActionShortNames,
   expandPermissionEntries: () => expandPermissionEntries,
   expandPermissionEntry: () => expandPermissionEntry,
   fetchLocationRecord: () => fetchLocationRecord,
   fetchPeerId: () => fetchPeerId,
-  generateRandomReceiverKey: () => import_sdk_services6.generateRandomReceiverKey,
-  hexDecode: () => import_sdk_services6.hexDecode,
-  hexEncode: () => import_sdk_services6.hexEncode,
+  generateRandomReceiverKey: () => import_sdk_services7.generateRandomReceiverKey,
+  hexDecode: () => import_sdk_services7.hexDecode,
+  hexEncode: () => import_sdk_services7.hexEncode,
   httpUrlToMultiaddr: () => httpUrlToMultiaddr,
   isCapabilitySubset: () => isCapabilitySubset,
   isEvmAddress: () => isEvmAddress,
-  isNetworkId: () => import_sdk_services6.isNetworkId,
+  isNetworkId: () => import_sdk_services7.isNetworkId,
   loadManifest: () => loadManifest,
   locationPayloadForRecord: () => locationPayloadForRecord,
   makePkhSpaceId: () => makePkhSpaceId,
   makePublicSpaceId: () => makePublicSpaceId,
   manifestAbilitiesUnion: () => manifestAbilitiesUnion,
   multiaddrToHttpUrl: () => multiaddrToHttpUrl,
-  networkDiscoveryKey: () => import_sdk_services6.networkDiscoveryKey,
+  networkDiscoveryKey: () => import_sdk_services7.networkDiscoveryKey,
   normalizeDefaults: () => normalizeDefaults,
-  ok: () => import_sdk_services6.ok,
-  openWrappedKey: () => import_sdk_services6.openWrappedKey,
+  ok: () => import_sdk_services7.ok,
+  openWrappedKey: () => import_sdk_services7.openWrappedKey,
   parseCanonicalNetworkId: () => parseCanonicalNetworkId,
   parseExpiry: () => parseExpiry,
-  parseNetworkId: () => import_sdk_services6.parseNetworkId,
+  parseNetworkId: () => import_sdk_services7.parseNetworkId,
   parsePkhDid: () => parsePkhDid,
   parseRecapCapabilities: () => parseRecapCapabilities,
   parseSpaceUri: () => parseSpaceUri,
@@ -171,21 +172,21 @@ __export(index_exports, {
   principalDidEquals: () => principalDidEquals,
   resolveCloudLocation: () => resolveCloudLocation,
   resolveManifest: () => resolveManifest,
-  resolveSecretListPrefix: () => import_sdk_services6.resolveSecretListPrefix,
-  resolveSecretPath: () => import_sdk_services6.resolveSecretPath,
+  resolveSecretListPrefix: () => import_sdk_services7.resolveSecretListPrefix,
+  resolveSecretPath: () => import_sdk_services7.resolveSecretPath,
   resolveTinyCloudHosts: () => resolveTinyCloudHosts,
   resourceCapabilitiesToAbilitiesMap: () => resourceCapabilitiesToAbilitiesMap,
   resourceCapabilitiesToSpaceAbilitiesMap: () => resourceCapabilitiesToSpaceAbilitiesMap,
-  serviceError: () => import_sdk_services6.serviceError,
+  serviceError: () => import_sdk_services7.serviceError,
   signLocationRecord: () => signLocationRecord,
   submitHostDelegation: () => submitHostDelegation,
   validateClientSession: () => validateClientSession,
-  validateEnvelope: () => import_sdk_services6.validateEnvelope,
+  validateEnvelope: () => import_sdk_services7.validateEnvelope,
   validateLocationRecord: () => validateLocationRecord,
   validateLocationRecordPayload: () => validateLocationRecordPayload,
   validateManifest: () => validateManifest,
   validatePersistedSessionData: () => validatePersistedSessionData,
-  verifyDecryptResponse: () => import_sdk_services6.verifyDecryptResponse,
+  verifyDecryptResponse: () => import_sdk_services7.verifyDecryptResponse,
   verifyDidKeyEd25519Signature: () => verifyDidKeyEd25519Signature,
   verifyLocationRecord: () => verifyLocationRecord
 });
@@ -2331,1409 +2332,1771 @@ var TinyCloud = class _TinyCloud {
   }
 };
 
-// src/index.ts
-var import_sdk_services6 = require("@tinycloud/sdk-services");
+// src/account/AccountService.ts
+var import_sdk_services5 = require("@tinycloud/sdk-services");
 
-// src/space.ts
-async function fetchPeerId(host, spaceId) {
-  const res = await fetch(
-    `${host}/peer/generate/${encodeURIComponent(spaceId)}`
-  );
-  if (!res.ok) {
-    const error = await res.text().catch(() => res.statusText);
-    throw new Error(`Failed to get peer ID: ${res.status} - ${error}`);
+// src/manifest.ts
+var import_ms = __toESM(require("ms"), 1);
+var import_sdk_services4 = require("@tinycloud/sdk-services");
+var ManifestValidationError = class extends Error {
+  constructor(message) {
+    super(`Manifest validation failed: ${message}`);
+    this.name = "ManifestValidationError";
   }
-  return res.text();
+};
+var DEFAULT_EXPIRY = "30d";
+var DEFAULT_DEFAULTS = true;
+var DEFAULT_MANIFEST_VERSION = 1;
+var DEFAULT_MANIFEST_SPACE = "applications";
+var ACCOUNT_REGISTRY_SPACE = "account";
+var ACCOUNT_REGISTRY_PATH = "applications/";
+var SECRETS_SPACE = "secrets";
+var VAULT_PERMISSION_SERVICE = "tinycloud.vault";
+var SERVICE_SHORT_TO_LONG = Object.freeze({
+  kv: "tinycloud.kv",
+  sql: "tinycloud.sql",
+  duckdb: "tinycloud.duckdb",
+  capabilities: "tinycloud.capabilities",
+  hooks: "tinycloud.hooks",
+  encryption: "tinycloud.encryption"
+});
+var ENCRYPTION_PERMISSION_SERVICE = "tinycloud.encryption";
+var ENCRYPTION_MANIFEST_SPACE = "encryption";
+var SERVICE_LONG_TO_SHORT = Object.freeze(
+  Object.fromEntries(
+    Object.entries(SERVICE_SHORT_TO_LONG).map(([s, l]) => [l, s])
+  )
+);
+var DEFAULT_STANDARD_ENTRIES = [
+  {
+    service: "tinycloud.kv",
+    space: DEFAULT_MANIFEST_SPACE,
+    path: "/",
+    actions: ["get", "put", "del", "list", "metadata"]
+  },
+  {
+    service: "tinycloud.sql",
+    space: DEFAULT_MANIFEST_SPACE,
+    path: "/",
+    actions: ["read", "write"]
+  }
+];
+var DEFAULT_ADMIN_ENTRIES = [
+  {
+    service: "tinycloud.kv",
+    space: DEFAULT_MANIFEST_SPACE,
+    path: "/",
+    actions: ["get", "put", "del", "list", "metadata"]
+  },
+  {
+    service: "tinycloud.sql",
+    space: DEFAULT_MANIFEST_SPACE,
+    path: "/",
+    actions: ["read", "write", "ddl"]
+  }
+];
+var DEFAULT_ALL_ENTRIES = [
+  {
+    service: "tinycloud.kv",
+    space: DEFAULT_MANIFEST_SPACE,
+    path: "/",
+    actions: ["get", "put", "del", "list", "metadata"]
+  },
+  {
+    service: "tinycloud.sql",
+    space: DEFAULT_MANIFEST_SPACE,
+    path: "/",
+    actions: ["read", "write", "ddl"]
+  },
+  {
+    service: "tinycloud.duckdb",
+    space: DEFAULT_MANIFEST_SPACE,
+    path: "/",
+    actions: ["read", "write"]
+  }
+];
+function parseExpiry(duration) {
+  if (typeof duration !== "string" || duration.length === 0) {
+    throw new ManifestValidationError(
+      `expiry must be a non-empty duration string (got ${JSON.stringify(duration)})`
+    );
+  }
+  const parsed = (0, import_ms.default)(duration);
+  if (typeof parsed !== "number" || !Number.isFinite(parsed) || parsed <= 0) {
+    throw new ManifestValidationError(
+      `invalid expiry duration: ${JSON.stringify(duration)}`
+    );
+  }
+  return parsed;
 }
-async function submitHostDelegation(host, headers) {
-  const res = await fetch(`${host}/delegate`, {
-    method: "POST",
-    headers
+function expandActionShortNames(service, actions) {
+  return actions.map((a) => {
+    if (a.includes("/")) {
+      return a;
+    }
+    return `${service}/${a}`;
   });
-  return {
-    success: res.ok,
-    status: res.status,
-    error: res.ok ? void 0 : await res.text().catch(() => res.statusText)
-  };
 }
-async function activateSessionWithHost(host, delegationHeader) {
-  const res = await fetch(`${host}/delegate`, {
-    method: "POST",
-    headers: delegationHeader
-  });
-  if (res.ok) {
-    try {
-      const body = await res.json();
-      return {
-        success: true,
-        status: res.status,
-        activated: body.activated ?? [],
-        skipped: body.skipped ?? []
-      };
-    } catch {
-      return {
-        success: true,
-        status: res.status,
-        activated: [],
-        skipped: []
-      };
+function expandPermissionEntry(entry) {
+  if (entry.service === ENCRYPTION_PERMISSION_SERVICE) {
+    return expandEncryptionPermissionEntry(entry);
+  }
+  if (entry.service !== VAULT_PERMISSION_SERVICE) {
+    return [
+      {
+        ...entry,
+        actions: expandActionShortNames(entry.service, entry.actions)
+      }
+    ];
+  }
+  return expandVaultPermissionEntry(entry);
+}
+function expandEncryptionPermissionEntry(entry) {
+  if (typeof entry.path !== "string" || !entry.path.startsWith("urn:tinycloud:encryption:")) {
+    throw new ManifestValidationError(
+      `tinycloud.encryption entries require path to be a networkId URN (got ${JSON.stringify(entry.path)})`
+    );
+  }
+  const normalizedActions = [];
+  for (const action of entry.actions) {
+    if (action === "decrypt" || action === "tinycloud.encryption/decrypt") {
+      normalizedActions.push("tinycloud.encryption/decrypt");
+      continue;
+    }
+    if (action === "network.create" || action === "tinycloud.encryption/network.create") {
+      normalizedActions.push("tinycloud.encryption/network.create");
+      continue;
+    }
+    if (action === "network.revoke" || action === "tinycloud.encryption/network.revoke") {
+      normalizedActions.push("tinycloud.encryption/network.revoke");
+      continue;
+    }
+    if (action.includes("/")) {
+      throw new ManifestValidationError(
+        `unknown encryption action ${JSON.stringify(action)}; expected decrypt, network.create, or network.revoke`
+      );
     }
+    throw new ManifestValidationError(
+      `unknown encryption action ${JSON.stringify(action)}; expected decrypt, network.create, or network.revoke`
+    );
   }
-  return {
-    success: false,
-    status: res.status,
-    error: await res.text().catch(() => res.statusText)
-  };
+  const dedupedActions = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const a of normalizedActions) {
+    if (!seen.has(a)) {
+      dedupedActions.push(a);
+      seen.add(a);
+    }
+  }
+  return [
+    {
+      service: ENCRYPTION_PERMISSION_SERVICE,
+      space: ENCRYPTION_MANIFEST_SPACE,
+      path: entry.path,
+      actions: dedupedActions,
+      skipPrefix: true,
+      ...entry.expiry !== void 0 ? { expiry: entry.expiry } : {},
+      ...entry.description !== void 0 ? { description: entry.description } : {}
+    }
+  ];
 }
-
-// src/delegations/DelegationManager.ts
-var DelegationAction = {
-  CREATE: "tinycloud.delegation/create",
-  REVOKE: "tinycloud.delegation/revoke",
-  LIST: "tinycloud.delegation/list",
-  GET: "tinycloud.delegation/get",
-  CHECK: "tinycloud.delegation/check"
-};
-function createError(code, message, cause, meta) {
-  return {
-    code,
-    message,
-    service: "delegation",
-    cause,
-    meta
-  };
+function expandPermissionEntries(entries) {
+  return entries.flatMap(expandPermissionEntry);
 }
-var DelegationManager = class {
-  /**
-   * Creates a new DelegationManager instance.
-   *
-   * @param config - Configuration including hosts, session, and invoke function
-   */
-  constructor(config) {
-    this.hosts = config.hosts;
-    this.session = config.session;
-    this.invoke = config.invoke;
-    this.fetchFn = config.fetch ?? globalThis.fetch.bind(globalThis);
+function applyPrefix(prefix, path, skipPrefix) {
+  if (skipPrefix) {
+    return path;
   }
-  /**
-   * Updates the session (e.g., after re-authentication).
-   *
-   * @param session - New session to use for operations
-   */
-  updateSession(session) {
-    this.session = session;
+  if (prefix === "") {
+    return path;
   }
-  /**
-   * Gets the primary host URL.
-   */
-  get host() {
-    return this.hosts[0];
+  if (path.startsWith("/")) {
+    return `${prefix}${path}`;
   }
-  /**
-   * Executes an invoke operation against the delegation API.
-   */
-  async invokeOperation(path, action, body) {
-    const headers = this.invoke(this.session, "delegation", path, action);
-    return this.fetchFn(`${this.host}/invoke`, {
-      method: "POST",
-      headers,
-      body
-    });
+  return `${prefix}/${path}`;
+}
+async function loadManifest(url) {
+  const fetchFn = globalThis.fetch;
+  if (typeof fetchFn !== "function") {
+    throw new ManifestValidationError(
+      "loadManifest requires a global fetch; pass the manifest object directly on runtimes without fetch"
+    );
   }
-  /**
-   * Creates a new delegation.
-   *
-   * Delegates specific permissions to another DID for a given path.
-   * The delegatee can then use these permissions to access resources
-   * within the specified scope.
-   *
-   * @param params - Parameters for the delegation
-   * @returns Result containing the created Delegation or an error
-   *
-   * @example
-   * ```typescript
-   * const result = await manager.create({
-   *   delegateDID: bob.did,
-   *   path: "documents/shared/",
-   *   actions: ["tinycloud.kv/get", "tinycloud.kv/put"],
-   *   expiry: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000), // 7 days
-   * });
-   * ```
-   */
-  async create(params) {
-    if (!params.delegateDID) {
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.INVALID_INPUT,
-          "delegateDID is required"
-        )
-      };
-    }
-    if (!params.path) {
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.INVALID_INPUT,
-          "path is required"
-        )
-      };
+  const res = await fetchFn(url);
+  if (!res.ok) {
+    throw new ManifestValidationError(
+      `failed to fetch manifest from ${url}: HTTP ${res.status}`
+    );
+  }
+  const json = await res.json();
+  return validateManifest(json);
+}
+function validateManifest(input) {
+  if (input === null || typeof input !== "object") {
+    throw new ManifestValidationError("manifest must be an object");
+  }
+  const m = input;
+  if (m.manifest_version !== void 0 && m.manifest_version !== DEFAULT_MANIFEST_VERSION) {
+    throw new ManifestValidationError(
+      `manifest.manifest_version must be ${DEFAULT_MANIFEST_VERSION}`
+    );
+  }
+  if (typeof m.app_id !== "string" || m.app_id.length === 0) {
+    throw new ManifestValidationError(
+      "manifest.app_id is required and must be a non-empty string"
+    );
+  }
+  if (typeof m.name !== "string" || m.name.length === 0) {
+    throw new ManifestValidationError(
+      "manifest.name is required and must be a non-empty string"
+    );
+  }
+  if (m.did !== void 0 && (typeof m.did !== "string" || m.did.length === 0)) {
+    throw new ManifestValidationError(
+      "manifest.did must be a non-empty DID string"
+    );
+  }
+  if (m.space !== void 0 && (typeof m.space !== "string" || m.space.length === 0)) {
+    throw new ManifestValidationError(
+      "manifest.space must be a non-empty string"
+    );
+  }
+  if (m.expiry !== void 0) {
+    parseExpiry(m.expiry);
+  }
+  if (m.permissions !== void 0) {
+    if (!Array.isArray(m.permissions)) {
+      throw new ManifestValidationError(
+        "manifest.permissions must be an array"
+      );
     }
-    if (!params.actions || params.actions.length === 0) {
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.INVALID_INPUT,
-          "at least one action is required"
-        )
-      };
+    m.permissions.forEach(
+      (p, i) => validatePermissionEntry(p, `permissions[${i}]`)
+    );
+  }
+  if (m.secrets !== void 0) {
+    validateManifestSecrets(m.secrets);
+  }
+  return m;
+}
+function validateManifestSecrets(secrets) {
+  if (secrets === null || typeof secrets !== "object" || Array.isArray(secrets)) {
+    throw new ManifestValidationError("manifest.secrets must be an object");
+  }
+  for (const [name, spec] of Object.entries(secrets)) {
+    if (!import_sdk_services4.SECRET_NAME_RE.test(name)) {
+      throw new ManifestValidationError(
+        `manifest.secrets.${name} must match ${import_sdk_services4.SECRET_NAME_RE.source}`
+      );
     }
     try {
-      const body = JSON.stringify({
-        delegateDID: params.delegateDID,
-        path: params.path,
-        actions: params.actions,
-        expiry: params.expiry?.toISOString(),
-        disableSubDelegation: params.disableSubDelegation ?? false,
-        statement: params.statement
-      });
-      const response = await this.invokeOperation(
-        params.path,
-        DelegationAction.CREATE,
-        body
+      (0, import_sdk_services4.resolveSecretPath)(
+        secretNameFromSpec(name, spec),
+        { scope: secretScopeFromSpec(spec) }
       );
-      if (!response.ok) {
-        const errorText = await response.text();
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.CREATION_FAILED,
-            `Failed to create delegation: ${response.status} - ${errorText}`,
-            void 0,
-            { status: response.status, path: params.path }
-          )
-        };
-      }
-      const apiResponse = await response.json();
-      const delegation = {
-        cid: apiResponse.cid ?? "",
-        delegateDID: params.delegateDID,
-        spaceId: this.session.spaceId,
-        path: params.path,
-        actions: params.actions,
-        expiry: params.expiry ?? new Date(Date.now() + EXPIRY.SHARE_MS),
-        isRevoked: false,
-        allowSubDelegation: !(params.disableSubDelegation ?? false),
-        createdAt: /* @__PURE__ */ new Date()
-      };
-      return { ok: true, data: delegation };
     } catch (error) {
-      if (error instanceof Error && error.name === "AbortError") {
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.ABORTED,
-            "Request aborted",
-            error
-          )
-        };
-      }
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.NETWORK_ERROR,
-          `Network error during delegation creation: ${String(error)}`,
-          error instanceof Error ? error : void 0
-        )
-      };
-    }
-  }
-  /**
-   * Revokes an existing delegation.
-   *
-   * Once revoked, the delegation can no longer be used to access resources.
-   * This also invalidates any sub-delegations derived from this delegation.
-   *
-   * @param cid - The CID of the delegation to revoke
-   * @returns Result indicating success or an error
-   *
-   * @example
-   * ```typescript
-   * const result = await manager.revoke("bafy...");
-   * if (result.ok) {
-   *   console.log("Delegation revoked successfully");
-   * }
-   * ```
-   */
-  async revoke(cid) {
-    if (!cid) {
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.INVALID_INPUT,
-          "cid is required"
-        )
-      };
+      throw new ManifestValidationError(
+        `manifest.secrets.${name}: ${error instanceof Error ? error.message : String(error)}`
+      );
     }
-    try {
-      const body = JSON.stringify({ cid });
-      const response = await this.invokeOperation(
-        cid,
-        DelegationAction.REVOKE,
-        body
+    const actions = secretActionsFromSpec(name, spec);
+    if (actions.length === 0) {
+      throw new ManifestValidationError(
+        `manifest.secrets.${name} actions must be non-empty`
       );
-      if (!response.ok) {
-        const errorText = await response.text();
-        if (response.status === 404) {
-          return {
-            ok: false,
-            error: createError(
-              DelegationErrorCodes.NOT_FOUND,
-              `Delegation not found: ${cid}`
-            )
-          };
-        }
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.REVOCATION_FAILED,
-            `Failed to revoke delegation: ${response.status} - ${errorText}`,
-            void 0,
-            { status: response.status, cid }
-          )
-        };
+    }
+    for (const action of actions) {
+      if (typeof action !== "string" || action.length === 0) {
+        throw new ManifestValidationError(
+          `manifest.secrets.${name} actions must be non-empty strings`
+        );
       }
-      return { ok: true, data: void 0 };
-    } catch (error) {
-      if (error instanceof Error && error.name === "AbortError") {
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.ABORTED,
-            "Request aborted",
-            error
-          )
-        };
-      }
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.NETWORK_ERROR,
-          `Network error during delegation revocation: ${String(error)}`,
-          error instanceof Error ? error : void 0
-        )
-      };
-    }
-  }
-  /**
-   * Lists all delegations for the current session's space.
-   *
-   * Returns both delegations created by the current user (as delegator)
-   * and delegations granted to the current user (as delegatee).
-   *
-   * @returns Result containing an array of Delegations or an error
-   *
-   * @example
-   * ```typescript
-   * const result = await manager.list();
-   * if (result.ok) {
-   *   for (const delegation of result.data) {
-   *     console.log(`${delegation.cid}: ${delegation.path} -> ${delegation.delegateDID}`);
-   *   }
-   * }
-   * ```
-   */
-  async list() {
-    try {
-      const response = await this.invokeOperation("", DelegationAction.LIST);
-      if (!response.ok) {
-        const errorText = await response.text();
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.NETWORK_ERROR,
-            `Failed to list delegations: ${response.status} - ${errorText}`,
-            void 0,
-            { status: response.status }
-          )
-        };
-      }
-      const data = await response.json();
-      const delegations = data.map((item) => ({
-        cid: item.cid,
-        delegateDID: item.delegateDID,
-        delegatorDID: item.delegatorDID,
-        spaceId: item.spaceId,
-        path: item.path,
-        actions: item.actions,
-        expiry: new Date(item.expiry),
-        isRevoked: item.isRevoked,
-        createdAt: item.createdAt ? new Date(item.createdAt) : void 0,
-        parentCid: item.parentCid,
-        allowSubDelegation: item.allowSubDelegation
-      }));
-      return { ok: true, data: delegations };
-    } catch (error) {
-      if (error instanceof Error && error.name === "AbortError") {
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.ABORTED,
-            "Request aborted",
-            error
-          )
-        };
-      }
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.NETWORK_ERROR,
-          `Network error during delegation list: ${String(error)}`,
-          error instanceof Error ? error : void 0
-        )
-      };
-    }
-  }
-  /**
-   * Gets the full delegation chain for a given delegation.
-   *
-   * Returns the chain of delegations from the root (original delegator)
-   * to the specified delegation, including all intermediate sub-delegations.
-   *
-   * @param cid - The CID of the delegation to get the chain for
-   * @returns Result containing the DelegationChain or an error
-   *
-   * @example
-   * ```typescript
-   * const result = await manager.getChain("bafy...");
-   * if (result.ok) {
-   *   console.log("Chain length:", result.data.length);
-   *   for (const delegation of result.data) {
-   *     console.log(`- ${delegation.delegatorDID} -> ${delegation.delegateDID}`);
-   *   }
-   * }
-   * ```
-   */
-  async getChain(cid) {
-    if (!cid) {
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.INVALID_INPUT,
-          "cid is required"
-        )
-      };
-    }
-    try {
-      const body = JSON.stringify({ cid, includeChain: true });
-      const response = await this.invokeOperation(
-        cid,
-        DelegationAction.GET,
-        body
-      );
-      if (!response.ok) {
-        const errorText = await response.text();
-        if (response.status === 404) {
-          return {
-            ok: false,
-            error: createError(
-              DelegationErrorCodes.NOT_FOUND,
-              `Delegation not found: ${cid}`
-            )
-          };
-        }
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.NETWORK_ERROR,
-            `Failed to get delegation chain: ${response.status} - ${errorText}`,
-            void 0,
-            { status: response.status, cid }
-          )
-        };
-      }
-      const data = await response.json();
-      const chain = data.chain.map((item) => ({
-        cid: item.cid,
-        delegateDID: item.delegateDID,
-        delegatorDID: item.delegatorDID,
-        spaceId: item.spaceId,
-        path: item.path,
-        actions: item.actions,
-        expiry: new Date(item.expiry),
-        isRevoked: item.isRevoked,
-        createdAt: item.createdAt ? new Date(item.createdAt) : void 0,
-        parentCid: item.parentCid,
-        allowSubDelegation: item.allowSubDelegation
-      }));
-      return { ok: true, data: chain };
-    } catch (error) {
-      if (error instanceof Error && error.name === "AbortError") {
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.ABORTED,
-            "Request aborted",
-            error
-          )
-        };
-      }
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.NETWORK_ERROR,
-          `Network error during chain retrieval: ${String(error)}`,
-          error instanceof Error ? error : void 0
-        )
-      };
-    }
-  }
-  /**
-   * Checks if the current session has permission for a given path and action.
-   *
-   * This can be used to verify permissions before attempting an operation,
-   * or to implement custom access control logic.
-   *
-   * @param path - The resource path to check
-   * @param action - The action to check (e.g., "tinycloud.kv/get")
-   * @returns Result containing a boolean indicating permission or an error
-   *
-   * @example
-   * ```typescript
-   * const result = await manager.checkPermission("documents/private/", "tinycloud.kv/put");
-   * if (result.ok && result.data) {
-   *   console.log("Permission granted");
-   * } else {
-   *   console.log("Permission denied");
-   * }
-   * ```
-   */
-  async checkPermission(path, action) {
-    if (!path) {
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.INVALID_INPUT,
-          "path is required"
-        )
-      };
-    }
-    if (!action) {
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.INVALID_INPUT,
-          "action is required"
-        )
-      };
-    }
-    try {
-      const body = JSON.stringify({ path, action });
-      const response = await this.invokeOperation(
-        path,
-        DelegationAction.CHECK,
-        body
-      );
-      if (!response.ok) {
-        if (response.status === 403) {
-          return { ok: true, data: false };
-        }
-        const errorText = await response.text();
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.NETWORK_ERROR,
-            `Failed to check permission: ${response.status} - ${errorText}`,
-            void 0,
-            { status: response.status, path, action }
-          )
-        };
-      }
-      const data = await response.json();
-      return { ok: true, data: data.allowed };
-    } catch (error) {
-      if (error instanceof Error && error.name === "AbortError") {
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.ABORTED,
-            "Request aborted",
-            error
-          )
-        };
-      }
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.NETWORK_ERROR,
-          `Network error during permission check: ${String(error)}`,
-          error instanceof Error ? error : void 0
-        )
-      };
-    }
-  }
-};
-
-// src/delegations/SharingService.schema.ts
-var import_zod5 = require("zod");
-var EncodedShareDataSchema = import_zod5.z.object({
-  /** Private key in JWK format (must include d parameter) */
-  key: JWKSchema.refine(
-    (jwk) => typeof jwk.d === "string" && jwk.d.length > 0,
-    { message: "JWK must include private key (d parameter)" }
-  ),
-  /** DID of the key */
-  keyDid: import_zod5.z.string().min(1, "keyDid is required"),
-  /** The delegation granting access */
-  delegation: DelegationSchema,
-  /** Resource path this link grants access to */
-  path: import_zod5.z.string().min(1, "path is required"),
-  /** TinyCloud host URL */
-  host: import_zod5.z.string().url("host must be a valid URL"),
-  /** Space ID */
-  spaceId: import_zod5.z.string().min(1, "spaceId is required"),
-  /** Schema version (must be 1) */
-  version: import_zod5.z.literal(1)
-});
-var ReceiveOptionsSchema = import_zod5.z.object({
-  /**
-   * Whether to automatically create a sub-delegation to the current session key.
-   * Default: true
-   */
-  autoSubdelegate: import_zod5.z.boolean().optional(),
-  /**
-   * Whether to use the current session key for operations (requires autoSubdelegate).
-   * Default: true
-   */
-  useSessionKey: import_zod5.z.boolean().optional(),
-  /**
-   * Ingestion options passed to CapabilityKeyRegistry.
-   */
-  ingestOptions: IngestOptionsSchema.optional()
-});
-var SharingServiceConfigSchema = import_zod5.z.object({
-  /** TinyCloud host URLs */
-  hosts: import_zod5.z.array(import_zod5.z.string().url()).min(1, "At least one host URL is required"),
-  /**
-   * Active session for authentication.
-   * Required for generate(), optional for receive().
-   */
-  session: import_zod5.z.unknown().refine(
-    (val) => val === void 0 || val !== null && typeof val === "object",
-    { message: "Expected a ServiceSession object or undefined" }
-  ).optional(),
-  /** Platform-specific invoke function */
-  invoke: import_zod5.z.unknown().refine((val) => typeof val === "function", {
-    message: "Expected an invoke function"
-  }),
-  /** Optional custom fetch implementation */
-  fetch: import_zod5.z.unknown().refine(
-    (val) => val === void 0 || typeof val === "function",
-    { message: "Expected a fetch function or undefined" }
-  ).optional(),
-  /** Key provider for cryptographic operations */
-  keyProvider: KeyProviderSchema,
-  /** Capability key registry for key/delegation management */
-  registry: import_zod5.z.unknown().refine(
-    (val) => val !== null && typeof val === "object",
-    { message: "Expected an ICapabilityKeyRegistry object" }
-  ),
-  /**
-   * Delegation manager for creating delegations.
-   * Required for generate(), optional for receive().
-   */
-  delegationManager: import_zod5.z.unknown().refine(
-    (val) => val === void 0 || val !== null && typeof val === "object",
-    { message: "Expected a DelegationManager object or undefined" }
-  ).optional(),
-  /** Factory for creating KV service instances */
-  createKVService: import_zod5.z.unknown().refine(
-    (val) => typeof val === "function",
-    { message: "Expected a createKVService factory function" }
-  ),
-  /** Base URL for sharing links (e.g., "https://share.myapp.com") */
-  baseUrl: import_zod5.z.string().optional(),
-  /**
-   * Custom delegation creation function.
-   */
-  createDelegation: import_zod5.z.unknown().refine((val) => val === void 0 || typeof val === "function", {
-    message: "Expected a createDelegation function or undefined"
-  }).optional(),
-  /**
-   * WASM function for client-side delegation creation.
-   */
-  createDelegationWasm: import_zod5.z.unknown().refine((val) => val === void 0 || typeof val === "function", {
-    message: "Expected a createDelegationWasm function or undefined"
-  }).optional(),
-  /**
-   * Path prefix for KV operations.
-   */
-  pathPrefix: import_zod5.z.string().optional(),
-  /**
-   * Session expiry time.
-   */
-  sessionExpiry: import_zod5.z.date().optional(),
-  /**
-   * Callback to create a DIRECT delegation from wallet to share key.
-   * This is the preferred method for long-lived share links because it
-   * bypasses the session delegation chain entirely.
-   */
-  onRootDelegationNeeded: import_zod5.z.unknown().refine((val) => val === void 0 || typeof val === "function", {
-    message: "Expected an onRootDelegationNeeded function or undefined"
-  }).optional()
-});
-function validateEncodedShareData(data) {
-  const result = EncodedShareDataSchema.safeParse(data);
-  if (!result.success) {
-    return {
-      ok: false,
-      error: {
-        code: DelegationErrorCodes.VALIDATION_ERROR,
-        message: `Invalid share data: ${result.error.message}`,
-        service: "delegation",
-        meta: { issues: result.error.issues }
-      }
-    };
+    }
+    if (spec !== null && typeof spec === "object" && !Array.isArray(spec) && spec.expiry !== void 0) {
+      parseExpiry(spec.expiry);
+    }
   }
-  return { ok: true, data: result.data };
 }
-
-// src/manifest.ts
-var import_ms = __toESM(require("ms"), 1);
-var import_sdk_services4 = require("@tinycloud/sdk-services");
-var ManifestValidationError = class extends Error {
-  constructor(message) {
-    super(`Manifest validation failed: ${message}`);
-    this.name = "ManifestValidationError";
-  }
-};
-var DEFAULT_EXPIRY = "30d";
-var DEFAULT_DEFAULTS = true;
-var DEFAULT_MANIFEST_VERSION = 1;
-var DEFAULT_MANIFEST_SPACE = "applications";
-var ACCOUNT_REGISTRY_SPACE = "account";
-var ACCOUNT_REGISTRY_PATH = "applications/";
-var SECRETS_SPACE = "secrets";
-var VAULT_PERMISSION_SERVICE = "tinycloud.vault";
-var SERVICE_SHORT_TO_LONG = Object.freeze({
-  kv: "tinycloud.kv",
-  sql: "tinycloud.sql",
-  duckdb: "tinycloud.duckdb",
-  capabilities: "tinycloud.capabilities",
-  hooks: "tinycloud.hooks",
-  encryption: "tinycloud.encryption"
-});
-var ENCRYPTION_PERMISSION_SERVICE = "tinycloud.encryption";
-var ENCRYPTION_MANIFEST_SPACE = "encryption";
-var SERVICE_LONG_TO_SHORT = Object.freeze(
-  Object.fromEntries(
-    Object.entries(SERVICE_SHORT_TO_LONG).map(([s, l]) => [l, s])
-  )
-);
-var DEFAULT_STANDARD_ENTRIES = [
-  {
-    service: "tinycloud.kv",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["get", "put", "del", "list", "metadata"]
-  },
-  {
-    service: "tinycloud.sql",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["read", "write"]
+function validatePermissionEntry(p, path) {
+  if (p === null || typeof p !== "object") {
+    throw new ManifestValidationError(`${path} must be an object`);
   }
-];
-var DEFAULT_ADMIN_ENTRIES = [
-  {
-    service: "tinycloud.kv",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["get", "put", "del", "list", "metadata"]
-  },
-  {
-    service: "tinycloud.sql",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["read", "write", "ddl"]
+  const entry = p;
+  if (typeof entry.service !== "string" || entry.service.length === 0) {
+    throw new ManifestValidationError(`${path}.service is required`);
   }
-];
-var DEFAULT_ALL_ENTRIES = [
-  {
-    service: "tinycloud.kv",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["get", "put", "del", "list", "metadata"]
-  },
-  {
-    service: "tinycloud.sql",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["read", "write", "ddl"]
-  },
-  {
-    service: "tinycloud.duckdb",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["read", "write"]
+  if (entry.space !== void 0 && (typeof entry.space !== "string" || entry.space.length === 0)) {
+    throw new ManifestValidationError(
+      `${path}.space must be a non-empty string`
+    );
   }
-];
-function parseExpiry(duration) {
-  if (typeof duration !== "string" || duration.length === 0) {
+  if (typeof entry.path !== "string") {
     throw new ManifestValidationError(
-      `expiry must be a non-empty duration string (got ${JSON.stringify(duration)})`
+      `${path}.path is required (use "" or "/" for root)`
     );
   }
-  const parsed = (0, import_ms.default)(duration);
-  if (typeof parsed !== "number" || !Number.isFinite(parsed) || parsed <= 0) {
+  if (!Array.isArray(entry.actions) || entry.actions.length === 0) {
     throw new ManifestValidationError(
-      `invalid expiry duration: ${JSON.stringify(duration)}`
+      `${path}.actions must be a non-empty array`
     );
   }
-  return parsed;
-}
-function expandActionShortNames(service, actions) {
-  return actions.map((a) => {
-    if (a.includes("/")) {
-      return a;
+  for (const action of entry.actions) {
+    if (typeof action !== "string" || action.length === 0) {
+      throw new ManifestValidationError(
+        `${path}.actions must contain non-empty strings`
+      );
     }
-    return `${service}/${a}`;
-  });
+    if (entry.service === VAULT_PERMISSION_SERVICE) {
+      vaultActionExpansion(action);
+    }
+  }
+  if (entry.expiry !== void 0) {
+    parseExpiry(entry.expiry);
+  }
 }
-function expandPermissionEntry(entry) {
-  if (entry.service === ENCRYPTION_PERMISSION_SERVICE) {
-    return expandEncryptionPermissionEntry(entry);
+function normalizeDefaults(value) {
+  if (value === void 0) {
+    return DEFAULT_DEFAULTS;
   }
-  if (entry.service !== VAULT_PERMISSION_SERVICE) {
-    return [
-      {
-        ...entry,
-        actions: expandActionShortNames(entry.service, entry.actions)
-      }
-    ];
+  if (typeof value === "boolean") {
+    return value;
   }
-  return expandVaultPermissionEntry(entry);
+  if (typeof value !== "string") {
+    return true;
+  }
+  const normalized = value.trim().toLowerCase();
+  if (normalized === "admin" || normalized === "all") {
+    return normalized;
+  }
+  return true;
+}
+function defaultEntriesForTier(tier) {
+  if (tier === false) {
+    return [];
+  }
+  const source = tier === "admin" ? DEFAULT_ADMIN_ENTRIES : tier === "all" ? DEFAULT_ALL_ENTRIES : DEFAULT_STANDARD_ENTRIES;
+  return source.map((e) => ({
+    service: e.service,
+    space: e.space,
+    path: e.path,
+    actions: [...e.actions],
+    ...e.skipPrefix !== void 0 ? { skipPrefix: e.skipPrefix } : {}
+  }));
+}
+function resolveManifest(input) {
+  const manifest = validateManifest(input);
+  const prefix = manifest.prefix !== void 0 ? manifest.prefix : manifest.app_id;
+  const space = manifest.space ?? DEFAULT_MANIFEST_SPACE;
+  const expiryMs = parseExpiry(manifest.expiry ?? DEFAULT_EXPIRY);
+  const includePublicSpace = manifest.includePublicSpace ?? true;
+  const tier = normalizeDefaults(manifest.defaults);
+  const defaultEntries = defaultEntriesForTier(tier);
+  const explicitEntries = manifest.permissions ?? [];
+  const secretEntries = secretEntriesForManifest(manifest.secrets);
+  const allEntries = [
+    ...defaultEntries,
+    ...explicitEntries,
+    ...secretEntries
+  ];
+  const resources = withCapabilitiesReadForSpaces(
+    allEntries.flatMap((entry) => resolveEntry(entry, prefix, expiryMs, space))
+  );
+  const additionalDelegates = manifest.did === void 0 ? [] : [
+    {
+      did: manifest.did,
+      name: manifest.name,
+      expiryMs,
+      permissions: resources.map(cloneResourceCapability)
+    }
+  ];
+  return {
+    app_id: manifest.app_id,
+    ...manifest.did !== void 0 ? { did: manifest.did } : {},
+    space,
+    resources,
+    expiryMs,
+    includePublicSpace,
+    additionalDelegates
+  };
 }
-function expandEncryptionPermissionEntry(entry) {
-  if (typeof entry.path !== "string" || !entry.path.startsWith("urn:tinycloud:encryption:")) {
-    throw new ManifestValidationError(
-      `tinycloud.encryption entries require path to be a networkId URN (got ${JSON.stringify(entry.path)})`
-    );
-  }
-  const normalizedActions = [];
-  for (const action of entry.actions) {
-    if (action === "decrypt" || action === "tinycloud.encryption/decrypt") {
-      normalizedActions.push("tinycloud.encryption/decrypt");
+function normalizeSecretActions(actions) {
+  const out = [];
+  const seen = /* @__PURE__ */ new Set();
+  const add = (action) => {
+    if (!seen.has(action)) {
+      out.push(action);
+      seen.add(action);
+    }
+  };
+  for (const action of actions) {
+    if (action === "read") {
+      add("get");
       continue;
     }
-    if (action === "network.create" || action === "tinycloud.encryption/network.create") {
-      normalizedActions.push("tinycloud.encryption/network.create");
+    if (action === "write") {
+      add("put");
       continue;
     }
-    if (action === "network.revoke" || action === "tinycloud.encryption/network.revoke") {
-      normalizedActions.push("tinycloud.encryption/network.revoke");
+    if (action === "delete") {
+      add("del");
       continue;
     }
-    if (action.includes("/")) {
-      throw new ManifestValidationError(
-        `unknown encryption action ${JSON.stringify(action)}; expected decrypt, network.create, or network.revoke`
-      );
+    if (action === "get" || action === "put" || action === "del" || action === "list" || action === "metadata") {
+      add(action);
+      continue;
+    }
+    if (action === "tinycloud.kv/get" || action === "tinycloud.kv/put" || action === "tinycloud.kv/del" || action === "tinycloud.kv/list" || action === "tinycloud.kv/metadata") {
+      add(action);
+      continue;
     }
     throw new ManifestValidationError(
-      `unknown encryption action ${JSON.stringify(action)}; expected decrypt, network.create, or network.revoke`
+      `unknown secret action ${JSON.stringify(action)}; expected read, write, delete, list, or metadata`
     );
   }
-  const dedupedActions = [];
-  const seen = /* @__PURE__ */ new Set();
-  for (const a of normalizedActions) {
-    if (!seen.has(a)) {
-      dedupedActions.push(a);
-      seen.add(a);
-    }
-  }
-  return [
-    {
-      service: ENCRYPTION_PERMISSION_SERVICE,
-      space: ENCRYPTION_MANIFEST_SPACE,
-      path: entry.path,
-      actions: dedupedActions,
-      skipPrefix: true,
-      ...entry.expiry !== void 0 ? { expiry: entry.expiry } : {},
-      ...entry.description !== void 0 ? { description: entry.description } : {}
-    }
-  ];
-}
-function expandPermissionEntries(entries) {
-  return entries.flatMap(expandPermissionEntry);
+  return out;
 }
-function applyPrefix(prefix, path, skipPrefix) {
-  if (skipPrefix) {
-    return path;
-  }
-  if (prefix === "") {
-    return path;
-  }
-  if (path.startsWith("/")) {
-    return `${prefix}${path}`;
+function secretNameFromSpec(fallbackName, spec) {
+  if (spec !== null && typeof spec === "object" && !Array.isArray(spec)) {
+    return spec.name ?? fallbackName;
   }
-  return `${prefix}/${path}`;
+  return fallbackName;
 }
-async function loadManifest(url) {
-  const fetchFn = globalThis.fetch;
-  if (typeof fetchFn !== "function") {
-    throw new ManifestValidationError(
-      "loadManifest requires a global fetch; pass the manifest object directly on runtimes without fetch"
-    );
-  }
-  const res = await fetchFn(url);
-  if (!res.ok) {
-    throw new ManifestValidationError(
-      `failed to fetch manifest from ${url}: HTTP ${res.status}`
-    );
+function secretScopeFromSpec(spec) {
+  if (spec !== null && typeof spec === "object" && !Array.isArray(spec)) {
+    return spec.scope;
   }
-  const json = await res.json();
-  return validateManifest(json);
+  return void 0;
 }
-function validateManifest(input) {
-  if (input === null || typeof input !== "object") {
-    throw new ManifestValidationError("manifest must be an object");
-  }
-  const m = input;
-  if (m.manifest_version !== void 0 && m.manifest_version !== DEFAULT_MANIFEST_VERSION) {
-    throw new ManifestValidationError(
-      `manifest.manifest_version must be ${DEFAULT_MANIFEST_VERSION}`
-    );
-  }
-  if (typeof m.app_id !== "string" || m.app_id.length === 0) {
-    throw new ManifestValidationError(
-      "manifest.app_id is required and must be a non-empty string"
-    );
+function secretActionsFromSpec(name, spec) {
+  if (spec === true) {
+    return ["read"];
   }
-  if (typeof m.name !== "string" || m.name.length === 0) {
-    throw new ManifestValidationError(
-      "manifest.name is required and must be a non-empty string"
-    );
+  if (typeof spec === "string") {
+    return [spec];
   }
-  if (m.did !== void 0 && (typeof m.did !== "string" || m.did.length === 0)) {
-    throw new ManifestValidationError(
-      "manifest.did must be a non-empty DID string"
-    );
+  if (Array.isArray(spec)) {
+    return spec;
   }
-  if (m.space !== void 0 && (typeof m.space !== "string" || m.space.length === 0)) {
+  if (spec === null || typeof spec !== "object") {
     throw new ManifestValidationError(
-      "manifest.space must be a non-empty string"
+      `manifest.secrets.${name} must be true, a string action, an actions array, or an object`
     );
   }
-  if (m.expiry !== void 0) {
-    parseExpiry(m.expiry);
+  if (spec.actions === void 0) {
+    return ["read"];
   }
-  if (m.permissions !== void 0) {
-    if (!Array.isArray(m.permissions)) {
-      throw new ManifestValidationError(
-        "manifest.permissions must be an array"
-      );
-    }
-    m.permissions.forEach(
-      (p, i) => validatePermissionEntry(p, `permissions[${i}]`)
-    );
+  if (typeof spec.actions === "string") {
+    return [spec.actions];
   }
-  if (m.secrets !== void 0) {
-    validateManifestSecrets(m.secrets);
+  if (Array.isArray(spec.actions)) {
+    return spec.actions;
   }
-  return m;
+  throw new ManifestValidationError(
+    `manifest.secrets.${name}.actions must be a string or array`
+  );
 }
-function validateManifestSecrets(secrets) {
-  if (secrets === null || typeof secrets !== "object" || Array.isArray(secrets)) {
-    throw new ManifestValidationError("manifest.secrets must be an object");
+function secretEntriesForManifest(secrets) {
+  if (secrets === void 0) {
+    return [];
   }
+  const entries = [];
   for (const [name, spec] of Object.entries(secrets)) {
-    if (!import_sdk_services4.SECRET_NAME_RE.test(name)) {
-      throw new ManifestValidationError(
-        `manifest.secrets.${name} must match ${import_sdk_services4.SECRET_NAME_RE.source}`
-      );
-    }
-    try {
-      (0, import_sdk_services4.resolveSecretPath)(
-        secretNameFromSpec(name, spec),
-        { scope: secretScopeFromSpec(spec) }
-      );
-    } catch (error) {
-      throw new ManifestValidationError(
-        `manifest.secrets.${name}: ${error instanceof Error ? error.message : String(error)}`
-      );
-    }
     const actions = secretActionsFromSpec(name, spec);
-    if (actions.length === 0) {
-      throw new ManifestValidationError(
-        `manifest.secrets.${name} actions must be non-empty`
-      );
-    }
-    for (const action of actions) {
-      if (typeof action !== "string" || action.length === 0) {
-        throw new ManifestValidationError(
-          `manifest.secrets.${name} actions must be non-empty strings`
-        );
+    const secretPath = (0, import_sdk_services4.resolveSecretPath)(
+      secretNameFromSpec(name, spec),
+      { scope: secretScopeFromSpec(spec) }
+    );
+    const extra = spec !== true && typeof spec === "object" && !Array.isArray(spec) ? spec : {};
+    entries.push({
+      service: VAULT_PERMISSION_SERVICE,
+      space: SECRETS_SPACE,
+      path: secretPath.vaultKey,
+      actions: normalizeSecretActions(actions),
+      skipPrefix: true,
+      ...extra.expiry !== void 0 ? { expiry: extra.expiry } : {},
+      ...extra.description !== void 0 ? { description: extra.description } : {}
+    });
+  }
+  return entries;
+}
+function resolveEntry(entry, prefix, _inheritedExpiryMs, inheritedSpace) {
+  const skipPrefixForEntry = entry.skipPrefix === true || entry.service === ENCRYPTION_PERMISSION_SERVICE;
+  const resolvedPath = applyPrefix(prefix, entry.path, skipPrefixForEntry);
+  const entryExpiryMs = entry.expiry !== void 0 ? parseExpiry(entry.expiry) : void 0;
+  return expandPermissionEntry({
+    ...entry,
+    space: entry.space ?? inheritedSpace,
+    path: resolvedPath,
+    skipPrefix: true
+  }).map((expanded) => ({
+    service: expanded.service,
+    space: expanded.space ?? inheritedSpace,
+    path: expanded.path,
+    actions: expanded.actions,
+    // Only populate `expiryMs` when the entry had its own expiry override.
+    // When absent, callers use the parent (delegation or manifest) expiry
+    // which is carried on ResolvedDelegate.expiryMs / ResolvedCapabilities.expiryMs.
+    ...entryExpiryMs !== void 0 ? { expiryMs: entryExpiryMs } : {},
+    ...entry.description !== void 0 ? { description: entry.description } : {}
+  }));
+}
+function expandVaultPermissionEntry(entry) {
+  const byBase = /* @__PURE__ */ new Map();
+  for (const action of entry.actions) {
+    const expansion = vaultActionExpansion(action);
+    for (const base of expansion.bases) {
+      const actions = byBase.get(base) ?? [];
+      if (!actions.includes(expansion.action)) {
+        actions.push(expansion.action);
       }
+      byBase.set(base, actions);
     }
-    if (spec !== null && typeof spec === "object" && !Array.isArray(spec) && spec.expiry !== void 0) {
-      parseExpiry(spec.expiry);
-    }
   }
-}
-function validatePermissionEntry(p, path) {
-  if (p === null || typeof p !== "object") {
-    throw new ManifestValidationError(`${path} must be an object`);
+  return [...byBase.entries()].map(([base, actions]) => ({
+    ...entry,
+    service: "tinycloud.kv",
+    path: vaultKVPath(base, entry.path),
+    actions,
+    skipPrefix: true
+  }));
+}
+function vaultActionExpansion(action) {
+  const normalized = normalizeVaultAction(action);
+  if (normalized === "read" || normalized === "get") {
+    return { bases: ["vault"], action: "tinycloud.kv/get" };
+  }
+  if (normalized === "write" || normalized === "put") {
+    return { bases: ["vault"], action: "tinycloud.kv/put" };
+  }
+  if (normalized === "delete" || normalized === "del") {
+    return { bases: ["vault"], action: "tinycloud.kv/del" };
   }
-  const entry = p;
-  if (typeof entry.service !== "string" || entry.service.length === 0) {
-    throw new ManifestValidationError(`${path}.service is required`);
+  if (normalized === "list") {
+    return { bases: ["vault"], action: "tinycloud.kv/list" };
   }
-  if (entry.space !== void 0 && (typeof entry.space !== "string" || entry.space.length === 0)) {
-    throw new ManifestValidationError(
-      `${path}.space must be a non-empty string`
-    );
+  if (normalized === "head") {
+    return { bases: ["vault"], action: "tinycloud.kv/get" };
   }
-  if (typeof entry.path !== "string") {
-    throw new ManifestValidationError(
-      `${path}.path is required (use "" or "/" for root)`
-    );
+  if (normalized === "metadata") {
+    return { bases: ["vault"], action: "tinycloud.kv/metadata" };
   }
-  if (!Array.isArray(entry.actions) || entry.actions.length === 0) {
+  throw new ManifestValidationError(
+    `unknown vault action ${JSON.stringify(action)}; expected read, write, delete, get, put, del, list, head, or metadata`
+  );
+}
+function normalizeVaultAction(action) {
+  if (action.startsWith(`${VAULT_PERMISSION_SERVICE}/`)) {
+    return action.slice(`${VAULT_PERMISSION_SERVICE}/`.length);
+  }
+  if (action.startsWith("tinycloud.kv/")) {
+    return action.slice("tinycloud.kv/".length);
+  }
+  if (action.includes("/")) {
     throw new ManifestValidationError(
-      `${path}.actions must be a non-empty array`
+      `unknown vault action ${JSON.stringify(action)}; expected a tinycloud.vault or tinycloud.kv action`
     );
   }
-  for (const action of entry.actions) {
-    if (typeof action !== "string" || action.length === 0) {
-      throw new ManifestValidationError(
-        `${path}.actions must contain non-empty strings`
-      );
+  return action;
+}
+function vaultKVPath(base, path) {
+  const normalized = path.startsWith("/") ? path.slice(1) : path;
+  return `${base}/${normalized}`;
+}
+function cloneResourceCapability(entry) {
+  return {
+    service: entry.service,
+    space: entry.space,
+    path: entry.path,
+    actions: [...entry.actions],
+    ...entry.expiryMs !== void 0 ? { expiryMs: entry.expiryMs } : {},
+    ...entry.description !== void 0 ? { description: entry.description } : {}
+  };
+}
+function clonePermissionEntry(entry) {
+  return {
+    service: entry.service,
+    ...entry.space !== void 0 ? { space: entry.space } : {},
+    path: entry.path,
+    actions: [...entry.actions],
+    ...entry.skipPrefix !== void 0 ? { skipPrefix: entry.skipPrefix } : {},
+    ...entry.expiry !== void 0 ? { expiry: entry.expiry } : {},
+    ...entry.description !== void 0 ? { description: entry.description } : {}
+  };
+}
+function dedupeResources(resources) {
+  const byKey = /* @__PURE__ */ new Map();
+  for (const resource of resources) {
+    const key = `${resource.service}\0${resource.space}\0${resource.path}\0${resource.expiryMs ?? ""}`;
+    const existing = byKey.get(key);
+    if (existing === void 0) {
+      byKey.set(key, cloneResourceCapability(resource));
+      continue;
     }
-    if (entry.service === VAULT_PERMISSION_SERVICE) {
-      vaultActionExpansion(action);
+    const seen = new Set(existing.actions);
+    for (const action of resource.actions) {
+      if (!seen.has(action)) {
+        existing.actions.push(action);
+        seen.add(action);
+      }
+    }
+    if (existing.description === void 0 && resource.description !== void 0) {
+      existing.description = resource.description;
     }
   }
-  if (entry.expiry !== void 0) {
-    parseExpiry(entry.expiry);
-  }
+  return [...byKey.values()];
 }
-function normalizeDefaults(value) {
-  if (value === void 0) {
-    return DEFAULT_DEFAULTS;
-  }
-  if (typeof value === "boolean") {
-    return value;
-  }
-  if (typeof value !== "string") {
-    return true;
-  }
-  const normalized = value.trim().toLowerCase();
-  if (normalized === "admin" || normalized === "all") {
-    return normalized;
-  }
-  return true;
+function capabilitiesReadPermission(space) {
+  return {
+    service: "tinycloud.capabilities",
+    space,
+    path: "",
+    actions: ["tinycloud.capabilities/read"]
+  };
 }
-function defaultEntriesForTier(tier) {
-  if (tier === false) {
+function withCapabilitiesReadForSpaces(resources) {
+  if (resources.length === 0) {
     return [];
   }
-  const source = tier === "admin" ? DEFAULT_ADMIN_ENTRIES : tier === "all" ? DEFAULT_ALL_ENTRIES : DEFAULT_STANDARD_ENTRIES;
-  return source.map((e) => ({
-    service: e.service,
-    space: e.space,
-    path: e.path,
-    actions: [...e.actions],
-    ...e.skipPrefix !== void 0 ? { skipPrefix: e.skipPrefix } : {}
-  }));
-}
-function resolveManifest(input) {
-  const manifest = validateManifest(input);
-  const prefix = manifest.prefix !== void 0 ? manifest.prefix : manifest.app_id;
-  const space = manifest.space ?? DEFAULT_MANIFEST_SPACE;
-  const expiryMs = parseExpiry(manifest.expiry ?? DEFAULT_EXPIRY);
-  const includePublicSpace = manifest.includePublicSpace ?? true;
-  const tier = normalizeDefaults(manifest.defaults);
-  const defaultEntries = defaultEntriesForTier(tier);
-  const explicitEntries = manifest.permissions ?? [];
-  const secretEntries = secretEntriesForManifest(manifest.secrets);
-  const allEntries = [
-    ...defaultEntries,
-    ...explicitEntries,
-    ...secretEntries
-  ];
-  const resources = withCapabilitiesReadForSpaces(
-    allEntries.flatMap((entry) => resolveEntry(entry, prefix, expiryMs, space))
+  const spaces = new Set(
+    resources.filter((resource) => resource.service !== ENCRYPTION_PERMISSION_SERVICE).map((resource) => resource.space)
   );
-  const additionalDelegates = manifest.did === void 0 ? [] : [
-    {
-      did: manifest.did,
-      name: manifest.name,
-      expiryMs,
-      permissions: resources.map(cloneResourceCapability)
-    }
-  ];
+  return dedupeResources([
+    ...resources,
+    ...[...spaces].map(capabilitiesReadPermission)
+  ]);
+}
+function accountRegistryPermission() {
   return {
-    app_id: manifest.app_id,
-    ...manifest.did !== void 0 ? { did: manifest.did } : {},
-    space,
-    resources,
-    expiryMs,
-    includePublicSpace,
-    additionalDelegates
+    service: "tinycloud.kv",
+    space: ACCOUNT_REGISTRY_SPACE,
+    path: ACCOUNT_REGISTRY_PATH,
+    actions: ["tinycloud.kv/get", "tinycloud.kv/put", "tinycloud.kv/list"]
   };
 }
-function normalizeSecretActions(actions) {
-  const out = [];
-  const seen = /* @__PURE__ */ new Set();
-  const add = (action) => {
-    if (!seen.has(action)) {
-      out.push(action);
-      seen.add(action);
+function composeManifestRequest(inputs, options = {}) {
+  if (!Array.isArray(inputs) || inputs.length === 0) {
+    throw new ManifestValidationError(
+      "composeManifestRequest requires at least one manifest"
+    );
+  }
+  const includeAccountRegistryPermissions = options.includeAccountRegistryPermissions ?? true;
+  const manifests = inputs.map(validateManifest);
+  const resolved = manifests.map(resolveManifest);
+  const resources = resolved.flatMap((entry) => entry.resources);
+  const delegationTargets = resolved.flatMap(
+    (entry) => entry.additionalDelegates.map((delegate) => ({
+      ...delegate,
+      permissions: dedupeResources(delegate.permissions)
+    }))
+  );
+  if (includeAccountRegistryPermissions) {
+    resources.push(accountRegistryPermission());
+  }
+  const resourcesWithImplicitCapabilities = withCapabilitiesReadForSpaces(resources);
+  const manifestsByAppId = /* @__PURE__ */ new Map();
+  for (const manifest of manifests) {
+    const current = manifestsByAppId.get(manifest.app_id);
+    if (current === void 0) {
+      manifestsByAppId.set(manifest.app_id, [manifest]);
+    } else {
+      current.push(manifest);
     }
+  }
+  const registryRecords = includeAccountRegistryPermissions ? [...manifestsByAppId.entries()].map(([app_id, appManifests]) => ({
+    key: `${ACCOUNT_REGISTRY_PATH}${app_id}`,
+    app_id,
+    manifests: appManifests.map((manifest) => ({
+      ...manifest,
+      permissions: manifest.permissions?.map(clonePermissionEntry)
+    }))
+  })) : [];
+  return {
+    manifests,
+    resources: resourcesWithImplicitCapabilities,
+    delegationTargets,
+    registryRecords,
+    expiryMs: Math.max(...resolved.map((entry) => entry.expiryMs)),
+    includePublicSpace: resolved.some((entry) => entry.includePublicSpace)
   };
-  for (const action of actions) {
-    if (action === "read") {
-      add("get");
-      continue;
-    }
-    if (action === "write") {
-      add("put");
-      continue;
-    }
-    if (action === "delete") {
-      add("del");
-      continue;
+}
+function resourceCapabilitiesToAbilitiesMap(resources) {
+  const out = {};
+  for (const r of resources) {
+    const shortService = SERVICE_LONG_TO_SHORT[r.service];
+    if (shortService === void 0) {
+      throw new ManifestValidationError(
+        `unknown service '${r.service}' \u2014 no short-form mapping. Known services: ${Object.keys(SERVICE_LONG_TO_SHORT).join(", ")}`
+      );
     }
-    if (action === "get" || action === "put" || action === "del" || action === "list" || action === "metadata") {
-      add(action);
-      continue;
+    if (out[shortService] === void 0) {
+      out[shortService] = {};
     }
-    if (action === "tinycloud.kv/get" || action === "tinycloud.kv/put" || action === "tinycloud.kv/del" || action === "tinycloud.kv/list" || action === "tinycloud.kv/metadata") {
-      add(action);
-      continue;
+    const pathsMap = out[shortService];
+    const existing = pathsMap[r.path];
+    if (existing === void 0) {
+      pathsMap[r.path] = [...r.actions];
+    } else {
+      const seen = new Set(existing);
+      for (const action of r.actions) {
+        if (!seen.has(action)) {
+          existing.push(action);
+          seen.add(action);
+        }
+      }
     }
-    throw new ManifestValidationError(
-      `unknown secret action ${JSON.stringify(action)}; expected read, write, delete, list, or metadata`
-    );
   }
   return out;
 }
-function secretNameFromSpec(fallbackName, spec) {
-  if (spec !== null && typeof spec === "object" && !Array.isArray(spec)) {
-    return spec.name ?? fallbackName;
+function resourceCapabilitiesToSpaceAbilitiesMap(resources) {
+  const grouped = /* @__PURE__ */ new Map();
+  for (const resource of resources) {
+    const entries = grouped.get(resource.space);
+    if (entries === void 0) {
+      grouped.set(resource.space, [resource]);
+    } else {
+      entries.push(resource);
+    }
   }
-  return fallbackName;
-}
-function secretScopeFromSpec(spec) {
-  if (spec !== null && typeof spec === "object" && !Array.isArray(spec)) {
-    return spec.scope;
+  const out = {};
+  for (const [space, entries] of grouped.entries()) {
+    out[space] = resourceCapabilitiesToAbilitiesMap(entries);
   }
-  return void 0;
+  return out;
 }
-function secretActionsFromSpec(name, spec) {
-  if (spec === true) {
-    return ["read"];
-  }
-  if (typeof spec === "string") {
-    return [spec];
+function manifestAbilitiesUnion(resolved) {
+  const all = [...resolved.resources];
+  for (const delegate of resolved.additionalDelegates) {
+    for (const perm of delegate.permissions) {
+      all.push(perm);
+    }
   }
-  if (Array.isArray(spec)) {
-    return spec;
+  return resourceCapabilitiesToAbilitiesMap(all);
+}
+
+// src/account/AccountService.ts
+var SERVICE_NAME2 = "account";
+var ACCOUNT_INDEX_DB = "account";
+var AccountService = class {
+  constructor(config) {
+    this.config = config;
+    this.applications = {
+      list: async () => {
+        const kvResult = this.accountKV();
+        if (!kvResult.ok) return kvResult;
+        const listed = await kvResult.data.list({ prefix: ACCOUNT_REGISTRY_PATH });
+        if (!listed.ok) return accountErr(listed.error);
+        const applications = [];
+        for (const key of listed.data.keys) {
+          const loaded = await kvResult.data.get(key);
+          if (!loaded.ok) return accountErr(loaded.error);
+          applications.push(applicationFromRecord(key, loaded.data.data));
+        }
+        applications.sort((a, b) => a.appId.localeCompare(b.appId));
+        return (0, import_sdk_services5.ok)(applications);
+      },
+      get: async (appId) => {
+        const kvResult = this.accountKV();
+        if (!kvResult.ok) return kvResult;
+        const key = applicationKey(appId);
+        const loaded = await kvResult.data.get(key);
+        if (!loaded.ok) return accountErr(loaded.error);
+        return (0, import_sdk_services5.ok)(applicationFromRecord(key, loaded.data.data));
+      },
+      register: async (manifest) => {
+        const manifests = Array.isArray(manifest) ? manifest : [manifest];
+        const request = composeManifestRequest(manifests);
+        if (request.registryRecords.length === 0) {
+          return (0, import_sdk_services5.err)(
+            (0, import_sdk_services5.serviceError)(
+              "INVALID_MANIFEST",
+              "Manifest did not produce an account application registry record",
+              SERVICE_NAME2
+            )
+          );
+        }
+        await this.config.ensureAccountSpaceHosted?.();
+        const kvResult = this.accountKV();
+        if (!kvResult.ok) return kvResult;
+        let registered;
+        for (const record of request.registryRecords) {
+          const stored = {
+            app_id: record.app_id,
+            manifests: record.manifests,
+            updated_at: (/* @__PURE__ */ new Date()).toISOString()
+          };
+          const written = await kvResult.data.put(record.key, stored);
+          if (!written.ok) return accountErr(written.error);
+          registered = applicationFromRecord(record.key, stored);
+        }
+        return (0, import_sdk_services5.ok)(registered);
+      },
+      remove: async (appId) => {
+        const kvResult = this.accountKV();
+        if (!kvResult.ok) return kvResult;
+        const removed = await kvResult.data.delete(applicationKey(appId));
+        if (!removed.ok) return accountErr(removed.error);
+        return (0, import_sdk_services5.ok)(void 0);
+      }
+    };
+    this.delegations = {
+      list: async (options = {}) => {
+        const spaces = await this.config.getSpaces().list();
+        if (!spaces.ok) return accountErr(spaces.error);
+        const targetSpaces = options.space ? spaces.data.filter((space) => space.id === options.space || space.name === options.space) : spaces.data;
+        const delegations = [];
+        for (const space of targetSpaces) {
+          const scoped = this.config.getSpaces().get(space.id).delegations;
+          if (options.direction !== "received") {
+            const granted = await scoped.list();
+            if (!granted.ok) return accountErr(granted.error);
+            delegations.push(...granted.data.map((d) => mapDelegation(d, space, "granted")));
+          }
+          if (options.direction !== "granted") {
+            const received = await scoped.listReceived();
+            if (!received.ok) return accountErr(received.error);
+            delegations.push(...received.data.map((d) => mapDelegation(d, space, "received")));
+          }
+        }
+        delegations.sort((a, b) => a.spaceId.localeCompare(b.spaceId) || a.cid.localeCompare(b.cid));
+        return (0, import_sdk_services5.ok)(delegations);
+      },
+      revoke: async (options) => {
+        const space = await this.resolveSpace(options.space);
+        if (!space.ok) return space;
+        const revoked = await this.config.getSpaces().get(space.data.id).delegations.revoke(options.cid);
+        if (!revoked.ok) return accountErr(revoked.error);
+        return (0, import_sdk_services5.ok)(void 0);
+      }
+    };
+    this.index = {
+      rebuild: async () => {
+        const dbResult = this.accountDb();
+        if (!dbResult.ok) return dbResult;
+        const applications = await this.applications.list();
+        if (!applications.ok) return applications;
+        const delegations = await this.delegations.list();
+        if (!delegations.ok) return delegations;
+        const syncedAt = (/* @__PURE__ */ new Date()).toISOString();
+        const statements = [
+          ...ACCOUNT_INDEX_SCHEMA.map((sql) => ({ sql })),
+          { sql: "DELETE FROM applications" },
+          { sql: "DELETE FROM delegations" },
+          { sql: "DELETE FROM sync_state" },
+          ...applications.data.map((app) => ({
+            sql: "INSERT INTO applications (app_id, name, description, updated_at, manifest_json) VALUES (?, ?, ?, ?, ?)",
+            params: [
+              app.appId,
+              app.name ?? null,
+              app.description ?? null,
+              app.updatedAt ?? syncedAt,
+              JSON.stringify(app.manifests)
+            ]
+          })),
+          ...delegations.data.map((delegation) => ({
+            sql: "INSERT INTO delegations (cid, direction, space_id, space_name, counterparty_did, delegate_did, delegator_did, path, actions_json, expiry, status, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
+            params: [
+              delegation.cid,
+              delegation.direction,
+              delegation.spaceId,
+              delegation.spaceName ?? null,
+              delegation.counterpartyDid,
+              delegation.delegateDid,
+              delegation.delegatorDid ?? null,
+              delegation.path,
+              JSON.stringify(delegation.actions),
+              delegation.expiry.toISOString(),
+              delegation.status,
+              delegation.createdAt?.toISOString() ?? null,
+              syncedAt
+            ]
+          })),
+          {
+            sql: "INSERT INTO sync_state (source, synced_at, count) VALUES (?, ?, ?)",
+            params: ["applications", syncedAt, applications.data.length]
+          },
+          {
+            sql: "INSERT INTO sync_state (source, synced_at, count) VALUES (?, ?, ?)",
+            params: ["delegations", syncedAt, delegations.data.length]
+          }
+        ];
+        const rebuilt = await dbResult.data.batch(statements);
+        if (!rebuilt.ok) return accountErr(rebuilt.error);
+        return (0, import_sdk_services5.ok)({
+          database: ACCOUNT_INDEX_DB,
+          applications: applications.data.length,
+          delegations: delegations.data.length,
+          syncedAt
+        });
+      },
+      applications: {
+        list: async () => {
+          const dbResult = this.accountDb();
+          if (!dbResult.ok) return dbResult;
+          const queried = await dbResult.data.query(
+            "SELECT app_id, name, description, updated_at, manifest_json FROM applications ORDER BY app_id"
+          );
+          if (!queried.ok) return accountErr(queried.error);
+          return (0, import_sdk_services5.ok)(queried.data.rows.map(indexedApplicationFromRow));
+        }
+      },
+      delegations: {
+        list: async (options = {}) => {
+          const dbResult = this.accountDb();
+          if (!dbResult.ok) return dbResult;
+          const where = [];
+          const params = [];
+          if (options.direction && options.direction !== "all") {
+            where.push("direction = ?");
+            params.push(options.direction);
+          }
+          if (options.space) {
+            where.push("(space_id = ? OR space_name = ?)");
+            params.push(options.space, options.space);
+          }
+          const queried = await dbResult.data.query(
+            `SELECT cid, direction, space_id, space_name, counterparty_did, delegate_did, delegator_did, path, actions_json, expiry, status, created_at FROM delegations${where.length > 0 ? ` WHERE ${where.join(" AND ")}` : ""} ORDER BY space_id, cid`,
+            params
+          );
+          if (!queried.ok) return accountErr(queried.error);
+          return (0, import_sdk_services5.ok)(queried.data.rows.map(indexedDelegationFromRow));
+        }
+      },
+      query: async (sql, params) => {
+        const dbResult = this.accountDb();
+        if (!dbResult.ok) return dbResult;
+        const queried = await dbResult.data.query(sql, params);
+        if (!queried.ok) return accountErr(queried.error);
+        return (0, import_sdk_services5.ok)(queried.data);
+      }
+    };
   }
-  if (spec === null || typeof spec !== "object") {
-    throw new ManifestValidationError(
-      `manifest.secrets.${name} must be true, a string action, an actions array, or an object`
-    );
+  async status() {
+    const apps = await this.applications.list();
+    if (!apps.ok) return apps;
+    const delegations = await this.delegations.list();
+    if (!delegations.ok) return delegations;
+    return (0, import_sdk_services5.ok)({
+      did: this.config.getDid(),
+      host: this.config.getHost(),
+      primarySpaceId: this.config.getPrimarySpaceId(),
+      accountSpaceId: this.config.getAccountSpaceId(),
+      applications: apps.data.length,
+      grantedDelegations: delegations.data.filter((d) => d.direction === "granted").length,
+      receivedDelegations: delegations.data.filter((d) => d.direction === "received").length
+    });
   }
-  if (spec.actions === void 0) {
-    return ["read"];
+  accountKV() {
+    const accountSpaceId = this.config.getAccountSpaceId();
+    if (!accountSpaceId) {
+      return (0, import_sdk_services5.err)(
+        (0, import_sdk_services5.serviceError)(
+          "ACCOUNT_SPACE_UNAVAILABLE",
+          "Account space is unavailable. Sign in with a wallet-backed profile first.",
+          SERVICE_NAME2
+        )
+      );
+    }
+    return (0, import_sdk_services5.ok)(this.config.getSpaces().get(accountSpaceId).kv);
   }
-  if (typeof spec.actions === "string") {
-    return [spec.actions];
+  accountDb() {
+    const db = this.config.getAccountDb?.();
+    if (!db) {
+      return (0, import_sdk_services5.err)(
+        (0, import_sdk_services5.serviceError)(
+          "ACCOUNT_INDEX_UNAVAILABLE",
+          "Account index database is unavailable. Sign in with a wallet-backed profile first.",
+          SERVICE_NAME2
+        )
+      );
+    }
+    return (0, import_sdk_services5.ok)(db);
   }
-  if (Array.isArray(spec.actions)) {
-    return spec.actions;
+  async resolveSpace(space) {
+    const listed = await this.config.getSpaces().list();
+    if (!listed.ok) return accountErr(listed.error);
+    const found = listed.data.find((candidate) => candidate.id === space || candidate.name === space);
+    if (!found) {
+      return (0, import_sdk_services5.err)(
+        (0, import_sdk_services5.serviceError)("SPACE_NOT_FOUND", `No account space found for ${JSON.stringify(space)}`, SERVICE_NAME2)
+      );
+    }
+    return (0, import_sdk_services5.ok)(found);
   }
-  throw new ManifestValidationError(
-    `manifest.secrets.${name}.actions must be a string or array`
-  );
+};
+var ACCOUNT_INDEX_SCHEMA = [
+  `CREATE TABLE IF NOT EXISTS applications (
+    app_id TEXT PRIMARY KEY,
+    name TEXT,
+    description TEXT,
+    updated_at TEXT,
+    manifest_json TEXT NOT NULL
+  )`,
+  `CREATE TABLE IF NOT EXISTS delegations (
+    cid TEXT PRIMARY KEY,
+    direction TEXT NOT NULL,
+    space_id TEXT NOT NULL,
+    space_name TEXT,
+    counterparty_did TEXT NOT NULL,
+    delegate_did TEXT NOT NULL,
+    delegator_did TEXT,
+    path TEXT NOT NULL,
+    actions_json TEXT NOT NULL,
+    expiry TEXT NOT NULL,
+    status TEXT NOT NULL,
+    created_at TEXT,
+    updated_at TEXT NOT NULL
+  )`,
+  `CREATE TABLE IF NOT EXISTS sync_state (
+    source TEXT PRIMARY KEY,
+    synced_at TEXT NOT NULL,
+    count INTEGER NOT NULL
+  )`,
+  "CREATE INDEX IF NOT EXISTS idx_delegations_direction ON delegations(direction)",
+  "CREATE INDEX IF NOT EXISTS idx_delegations_space ON delegations(space_id)",
+  "CREATE INDEX IF NOT EXISTS idx_delegations_counterparty ON delegations(counterparty_did)"
+];
+function applicationKey(appId) {
+  return `${ACCOUNT_REGISTRY_PATH}${appId}`;
 }
-function secretEntriesForManifest(secrets) {
-  if (secrets === void 0) {
-    return [];
-  }
-  const entries = [];
-  for (const [name, spec] of Object.entries(secrets)) {
-    const actions = secretActionsFromSpec(name, spec);
-    const secretPath = (0, import_sdk_services4.resolveSecretPath)(
-      secretNameFromSpec(name, spec),
-      { scope: secretScopeFromSpec(spec) }
-    );
-    const extra = spec !== true && typeof spec === "object" && !Array.isArray(spec) ? spec : {};
-    entries.push({
-      service: VAULT_PERMISSION_SERVICE,
-      space: SECRETS_SPACE,
-      path: secretPath.vaultKey,
-      actions: normalizeSecretActions(actions),
-      skipPrefix: true,
-      ...extra.expiry !== void 0 ? { expiry: extra.expiry } : {},
-      ...extra.description !== void 0 ? { description: extra.description } : {}
-    });
-  }
-  return entries;
+function appIdFromKey(key) {
+  return key.startsWith(ACCOUNT_REGISTRY_PATH) ? key.slice(ACCOUNT_REGISTRY_PATH.length) : key;
 }
-function resolveEntry(entry, prefix, _inheritedExpiryMs, inheritedSpace) {
-  const skipPrefixForEntry = entry.skipPrefix === true || entry.service === ENCRYPTION_PERMISSION_SERVICE;
-  const resolvedPath = applyPrefix(prefix, entry.path, skipPrefixForEntry);
-  const entryExpiryMs = entry.expiry !== void 0 ? parseExpiry(entry.expiry) : void 0;
-  return expandPermissionEntry({
-    ...entry,
-    space: entry.space ?? inheritedSpace,
-    path: resolvedPath,
-    skipPrefix: true
-  }).map((expanded) => ({
-    service: expanded.service,
-    space: expanded.space ?? inheritedSpace,
-    path: expanded.path,
-    actions: expanded.actions,
-    // Only populate `expiryMs` when the entry had its own expiry override.
-    // When absent, callers use the parent (delegation or manifest) expiry
-    // which is carried on ResolvedDelegate.expiryMs / ResolvedCapabilities.expiryMs.
-    ...entryExpiryMs !== void 0 ? { expiryMs: entryExpiryMs } : {},
-    ...entry.description !== void 0 ? { description: entry.description } : {}
-  }));
+function applicationFromRecord(key, record) {
+  const manifests = Array.isArray(record.manifests) ? record.manifests : [];
+  const first = manifests[0];
+  return {
+    appId: record.app_id ?? record.appId ?? first?.app_id ?? appIdFromKey(key),
+    manifests,
+    updatedAt: record.updated_at ?? record.updatedAt,
+    name: first?.name,
+    description: first?.description
+  };
 }
-function expandVaultPermissionEntry(entry) {
-  const byBase = /* @__PURE__ */ new Map();
-  for (const action of entry.actions) {
-    const expansion = vaultActionExpansion(action);
-    for (const base of expansion.bases) {
-      const actions = byBase.get(base) ?? [];
-      if (!actions.includes(expansion.action)) {
-        actions.push(expansion.action);
-      }
-      byBase.set(base, actions);
-    }
-  }
-  return [...byBase.entries()].map(([base, actions]) => ({
-    ...entry,
-    service: "tinycloud.kv",
-    path: vaultKVPath(base, entry.path),
-    actions,
-    skipPrefix: true
-  }));
+function indexedApplicationFromRow(row) {
+  const [appId, name, description, updatedAt, manifestJson] = row;
+  return {
+    appId,
+    name: name ?? void 0,
+    description: description ?? void 0,
+    updatedAt: updatedAt ?? void 0,
+    manifests: JSON.parse(manifestJson)
+  };
 }
-function vaultActionExpansion(action) {
-  const normalized = normalizeVaultAction(action);
-  if (normalized === "read" || normalized === "get") {
-    return { bases: ["vault"], action: "tinycloud.kv/get" };
-  }
-  if (normalized === "write" || normalized === "put") {
-    return { bases: ["vault"], action: "tinycloud.kv/put" };
-  }
-  if (normalized === "delete" || normalized === "del") {
-    return { bases: ["vault"], action: "tinycloud.kv/del" };
-  }
-  if (normalized === "list") {
-    return { bases: ["vault"], action: "tinycloud.kv/list" };
-  }
-  if (normalized === "head") {
-    return { bases: ["vault"], action: "tinycloud.kv/get" };
-  }
-  if (normalized === "metadata") {
-    return { bases: ["vault"], action: "tinycloud.kv/metadata" };
-  }
-  throw new ManifestValidationError(
-    `unknown vault action ${JSON.stringify(action)}; expected read, write, delete, get, put, del, list, head, or metadata`
-  );
+function indexedDelegationFromRow(row) {
+  const [
+    cid,
+    direction,
+    spaceId,
+    spaceName,
+    counterpartyDid,
+    delegateDid,
+    delegatorDid,
+    path,
+    actionsJson,
+    expiry,
+    status,
+    createdAt
+  ] = row;
+  return {
+    cid,
+    direction,
+    spaceId,
+    spaceName: spaceName ?? void 0,
+    counterpartyDid,
+    delegateDid,
+    delegatorDid: delegatorDid ?? void 0,
+    path,
+    actions: JSON.parse(actionsJson),
+    expiry: new Date(expiry),
+    status,
+    createdAt: createdAt ? new Date(createdAt) : void 0
+  };
 }
-function normalizeVaultAction(action) {
-  if (action.startsWith(`${VAULT_PERMISSION_SERVICE}/`)) {
-    return action.slice(`${VAULT_PERMISSION_SERVICE}/`.length);
-  }
-  if (action.startsWith("tinycloud.kv/")) {
-    return action.slice("tinycloud.kv/".length);
+function mapDelegation(delegation, space, direction) {
+  return {
+    cid: delegation.cid,
+    direction,
+    spaceId: delegation.spaceId || space.id,
+    spaceName: space.name,
+    counterpartyDid: direction === "granted" ? delegation.delegateDID : delegation.delegatorDID ?? delegation.delegateDID,
+    delegateDid: delegation.delegateDID,
+    delegatorDid: delegation.delegatorDID,
+    path: delegation.path,
+    actions: delegation.actions,
+    expiry: delegation.expiry,
+    status: delegation.isRevoked ? "revoked" : delegation.expiry.getTime() <= Date.now() ? "expired" : "active",
+    createdAt: delegation.createdAt
+  };
+}
+function accountErr(error) {
+  return (0, import_sdk_services5.err)((0, import_sdk_services5.serviceError)(error.code, error.message, SERVICE_NAME2, { cause: error.cause, meta: error.meta }));
+}
+
+// src/index.ts
+var import_sdk_services7 = require("@tinycloud/sdk-services");
+
+// src/space.ts
+async function fetchPeerId(host, spaceId) {
+  const res = await fetch(
+    `${host}/peer/generate/${encodeURIComponent(spaceId)}`
+  );
+  if (!res.ok) {
+    const error = await res.text().catch(() => res.statusText);
+    throw new Error(`Failed to get peer ID: ${res.status} - ${error}`);
   }
-  if (action.includes("/")) {
-    throw new ManifestValidationError(
-      `unknown vault action ${JSON.stringify(action)}; expected a tinycloud.vault or tinycloud.kv action`
-    );
+  return res.text();
+}
+async function submitHostDelegation(host, headers) {
+  const res = await fetch(`${host}/delegate`, {
+    method: "POST",
+    headers
+  });
+  return {
+    success: res.ok,
+    status: res.status,
+    error: res.ok ? void 0 : await res.text().catch(() => res.statusText)
+  };
+}
+async function activateSessionWithHost(host, delegationHeader) {
+  const res = await fetch(`${host}/delegate`, {
+    method: "POST",
+    headers: delegationHeader
+  });
+  if (res.ok) {
+    try {
+      const body = await res.json();
+      return {
+        success: true,
+        status: res.status,
+        activated: body.activated ?? [],
+        skipped: body.skipped ?? []
+      };
+    } catch {
+      return {
+        success: true,
+        status: res.status,
+        activated: [],
+        skipped: []
+      };
+    }
   }
-  return action;
-}
-function vaultKVPath(base, path) {
-  const normalized = path.startsWith("/") ? path.slice(1) : path;
-  return `${base}/${normalized}`;
-}
-function cloneResourceCapability(entry) {
   return {
-    service: entry.service,
-    space: entry.space,
-    path: entry.path,
-    actions: [...entry.actions],
-    ...entry.expiryMs !== void 0 ? { expiryMs: entry.expiryMs } : {},
-    ...entry.description !== void 0 ? { description: entry.description } : {}
+    success: false,
+    status: res.status,
+    error: await res.text().catch(() => res.statusText)
   };
 }
-function clonePermissionEntry(entry) {
+
+// src/delegations/DelegationManager.ts
+var DelegationAction = {
+  CREATE: "tinycloud.delegation/create",
+  REVOKE: "tinycloud.delegation/revoke",
+  LIST: "tinycloud.delegation/list",
+  GET: "tinycloud.delegation/get",
+  CHECK: "tinycloud.delegation/check"
+};
+function createError(code, message, cause, meta) {
   return {
-    service: entry.service,
-    ...entry.space !== void 0 ? { space: entry.space } : {},
-    path: entry.path,
-    actions: [...entry.actions],
-    ...entry.skipPrefix !== void 0 ? { skipPrefix: entry.skipPrefix } : {},
-    ...entry.expiry !== void 0 ? { expiry: entry.expiry } : {},
-    ...entry.description !== void 0 ? { description: entry.description } : {}
+    code,
+    message,
+    service: "delegation",
+    cause,
+    meta
   };
 }
-function dedupeResources(resources) {
-  const byKey = /* @__PURE__ */ new Map();
-  for (const resource of resources) {
-    const key = `${resource.service}\0${resource.space}\0${resource.path}\0${resource.expiryMs ?? ""}`;
-    const existing = byKey.get(key);
-    if (existing === void 0) {
-      byKey.set(key, cloneResourceCapability(resource));
-      continue;
+var DelegationManager = class {
+  /**
+   * Creates a new DelegationManager instance.
+   *
+   * @param config - Configuration including hosts, session, and invoke function
+   */
+  constructor(config) {
+    this.hosts = config.hosts;
+    this.session = config.session;
+    this.invoke = config.invoke;
+    this.fetchFn = config.fetch ?? globalThis.fetch.bind(globalThis);
+  }
+  /**
+   * Updates the session (e.g., after re-authentication).
+   *
+   * @param session - New session to use for operations
+   */
+  updateSession(session) {
+    this.session = session;
+  }
+  /**
+   * Gets the primary host URL.
+   */
+  get host() {
+    return this.hosts[0];
+  }
+  /**
+   * Executes an invoke operation against the delegation API.
+   */
+  async invokeOperation(path, action, body) {
+    const headers = this.invoke(this.session, "delegation", path, action);
+    return this.fetchFn(`${this.host}/invoke`, {
+      method: "POST",
+      headers,
+      body
+    });
+  }
+  /**
+   * Creates a new delegation.
+   *
+   * Delegates specific permissions to another DID for a given path.
+   * The delegatee can then use these permissions to access resources
+   * within the specified scope.
+   *
+   * @param params - Parameters for the delegation
+   * @returns Result containing the created Delegation or an error
+   *
+   * @example
+   * ```typescript
+   * const result = await manager.create({
+   *   delegateDID: bob.did,
+   *   path: "documents/shared/",
+   *   actions: ["tinycloud.kv/get", "tinycloud.kv/put"],
+   *   expiry: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000), // 7 days
+   * });
+   * ```
+   */
+  async create(params) {
+    if (!params.delegateDID) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "delegateDID is required"
+        )
+      };
     }
-    const seen = new Set(existing.actions);
-    for (const action of resource.actions) {
-      if (!seen.has(action)) {
-        existing.actions.push(action);
-        seen.add(action);
+    if (!params.path) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "path is required"
+        )
+      };
+    }
+    if (!params.actions || params.actions.length === 0) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "at least one action is required"
+        )
+      };
+    }
+    try {
+      const body = JSON.stringify({
+        delegateDID: params.delegateDID,
+        path: params.path,
+        actions: params.actions,
+        expiry: params.expiry?.toISOString(),
+        disableSubDelegation: params.disableSubDelegation ?? false,
+        statement: params.statement
+      });
+      const response = await this.invokeOperation(
+        params.path,
+        DelegationAction.CREATE,
+        body
+      );
+      if (!response.ok) {
+        const errorText = await response.text();
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.CREATION_FAILED,
+            `Failed to create delegation: ${response.status} - ${errorText}`,
+            void 0,
+            { status: response.status, path: params.path }
+          )
+        };
+      }
+      const apiResponse = await response.json();
+      const delegation = {
+        cid: apiResponse.cid ?? "",
+        delegateDID: params.delegateDID,
+        spaceId: this.session.spaceId,
+        path: params.path,
+        actions: params.actions,
+        expiry: params.expiry ?? new Date(Date.now() + EXPIRY.SHARE_MS),
+        isRevoked: false,
+        allowSubDelegation: !(params.disableSubDelegation ?? false),
+        createdAt: /* @__PURE__ */ new Date()
+      };
+      return { ok: true, data: delegation };
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.ABORTED,
+            "Request aborted",
+            error
+          )
+        };
+      }
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.NETWORK_ERROR,
+          `Network error during delegation creation: ${String(error)}`,
+          error instanceof Error ? error : void 0
+        )
+      };
+    }
+  }
+  /**
+   * Revokes an existing delegation.
+   *
+   * Once revoked, the delegation can no longer be used to access resources.
+   * This also invalidates any sub-delegations derived from this delegation.
+   *
+   * @param cid - The CID of the delegation to revoke
+   * @returns Result indicating success or an error
+   *
+   * @example
+   * ```typescript
+   * const result = await manager.revoke("bafy...");
+   * if (result.ok) {
+   *   console.log("Delegation revoked successfully");
+   * }
+   * ```
+   */
+  async revoke(cid) {
+    if (!cid) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "cid is required"
+        )
+      };
+    }
+    try {
+      const body = JSON.stringify({ cid });
+      const response = await this.invokeOperation(
+        cid,
+        DelegationAction.REVOKE,
+        body
+      );
+      if (!response.ok) {
+        const errorText = await response.text();
+        if (response.status === 404) {
+          return {
+            ok: false,
+            error: createError(
+              DelegationErrorCodes.NOT_FOUND,
+              `Delegation not found: ${cid}`
+            )
+          };
+        }
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.REVOCATION_FAILED,
+            `Failed to revoke delegation: ${response.status} - ${errorText}`,
+            void 0,
+            { status: response.status, cid }
+          )
+        };
       }
+      return { ok: true, data: void 0 };
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.ABORTED,
+            "Request aborted",
+            error
+          )
+        };
+      }
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.NETWORK_ERROR,
+          `Network error during delegation revocation: ${String(error)}`,
+          error instanceof Error ? error : void 0
+        )
+      };
     }
-    if (existing.description === void 0 && resource.description !== void 0) {
-      existing.description = resource.description;
-    }
-  }
-  return [...byKey.values()];
-}
-function capabilitiesReadPermission(space) {
-  return {
-    service: "tinycloud.capabilities",
-    space,
-    path: "",
-    actions: ["tinycloud.capabilities/read"]
-  };
-}
-function withCapabilitiesReadForSpaces(resources) {
-  if (resources.length === 0) {
-    return [];
-  }
-  const spaces = new Set(
-    resources.filter((resource) => resource.service !== ENCRYPTION_PERMISSION_SERVICE).map((resource) => resource.space)
-  );
-  return dedupeResources([
-    ...resources,
-    ...[...spaces].map(capabilitiesReadPermission)
-  ]);
-}
-function accountRegistryPermission() {
-  return {
-    service: "tinycloud.kv",
-    space: ACCOUNT_REGISTRY_SPACE,
-    path: ACCOUNT_REGISTRY_PATH,
-    actions: ["tinycloud.kv/get", "tinycloud.kv/put", "tinycloud.kv/list"]
-  };
-}
-function composeManifestRequest(inputs, options = {}) {
-  if (!Array.isArray(inputs) || inputs.length === 0) {
-    throw new ManifestValidationError(
-      "composeManifestRequest requires at least one manifest"
-    );
   }
-  const includeAccountRegistryPermissions = options.includeAccountRegistryPermissions ?? true;
-  const manifests = inputs.map(validateManifest);
-  const resolved = manifests.map(resolveManifest);
-  const resources = resolved.flatMap((entry) => entry.resources);
-  const delegationTargets = resolved.flatMap(
-    (entry) => entry.additionalDelegates.map((delegate) => ({
-      ...delegate,
-      permissions: dedupeResources(delegate.permissions)
-    }))
-  );
-  if (includeAccountRegistryPermissions) {
-    resources.push(accountRegistryPermission());
-  }
-  const resourcesWithImplicitCapabilities = withCapabilitiesReadForSpaces(resources);
-  const manifestsByAppId = /* @__PURE__ */ new Map();
-  for (const manifest of manifests) {
-    const current = manifestsByAppId.get(manifest.app_id);
-    if (current === void 0) {
-      manifestsByAppId.set(manifest.app_id, [manifest]);
-    } else {
-      current.push(manifest);
+  /**
+   * Lists all delegations for the current session's space.
+   *
+   * Returns both delegations created by the current user (as delegator)
+   * and delegations granted to the current user (as delegatee).
+   *
+   * @returns Result containing an array of Delegations or an error
+   *
+   * @example
+   * ```typescript
+   * const result = await manager.list();
+   * if (result.ok) {
+   *   for (const delegation of result.data) {
+   *     console.log(`${delegation.cid}: ${delegation.path} -> ${delegation.delegateDID}`);
+   *   }
+   * }
+   * ```
+   */
+  async list() {
+    try {
+      const response = await this.invokeOperation("", DelegationAction.LIST);
+      if (!response.ok) {
+        const errorText = await response.text();
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.NETWORK_ERROR,
+            `Failed to list delegations: ${response.status} - ${errorText}`,
+            void 0,
+            { status: response.status }
+          )
+        };
+      }
+      const data = await response.json();
+      const delegations = data.map((item) => ({
+        cid: item.cid,
+        delegateDID: item.delegateDID,
+        delegatorDID: item.delegatorDID,
+        spaceId: item.spaceId,
+        path: item.path,
+        actions: item.actions,
+        expiry: new Date(item.expiry),
+        isRevoked: item.isRevoked,
+        createdAt: item.createdAt ? new Date(item.createdAt) : void 0,
+        parentCid: item.parentCid,
+        allowSubDelegation: item.allowSubDelegation
+      }));
+      return { ok: true, data: delegations };
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.ABORTED,
+            "Request aborted",
+            error
+          )
+        };
+      }
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.NETWORK_ERROR,
+          `Network error during delegation list: ${String(error)}`,
+          error instanceof Error ? error : void 0
+        )
+      };
     }
   }
-  const registryRecords = includeAccountRegistryPermissions ? [...manifestsByAppId.entries()].map(([app_id, appManifests]) => ({
-    key: `${ACCOUNT_REGISTRY_PATH}${app_id}`,
-    app_id,
-    manifests: appManifests.map((manifest) => ({
-      ...manifest,
-      permissions: manifest.permissions?.map(clonePermissionEntry)
-    }))
-  })) : [];
-  return {
-    manifests,
-    resources: resourcesWithImplicitCapabilities,
-    delegationTargets,
-    registryRecords,
-    expiryMs: Math.max(...resolved.map((entry) => entry.expiryMs)),
-    includePublicSpace: resolved.some((entry) => entry.includePublicSpace)
-  };
-}
-function resourceCapabilitiesToAbilitiesMap(resources) {
-  const out = {};
-  for (const r of resources) {
-    const shortService = SERVICE_LONG_TO_SHORT[r.service];
-    if (shortService === void 0) {
-      throw new ManifestValidationError(
-        `unknown service '${r.service}' \u2014 no short-form mapping. Known services: ${Object.keys(SERVICE_LONG_TO_SHORT).join(", ")}`
+  /**
+   * Gets the full delegation chain for a given delegation.
+   *
+   * Returns the chain of delegations from the root (original delegator)
+   * to the specified delegation, including all intermediate sub-delegations.
+   *
+   * @param cid - The CID of the delegation to get the chain for
+   * @returns Result containing the DelegationChain or an error
+   *
+   * @example
+   * ```typescript
+   * const result = await manager.getChain("bafy...");
+   * if (result.ok) {
+   *   console.log("Chain length:", result.data.length);
+   *   for (const delegation of result.data) {
+   *     console.log(`- ${delegation.delegatorDID} -> ${delegation.delegateDID}`);
+   *   }
+   * }
+   * ```
+   */
+  async getChain(cid) {
+    if (!cid) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "cid is required"
+        )
+      };
+    }
+    try {
+      const body = JSON.stringify({ cid, includeChain: true });
+      const response = await this.invokeOperation(
+        cid,
+        DelegationAction.GET,
+        body
       );
+      if (!response.ok) {
+        const errorText = await response.text();
+        if (response.status === 404) {
+          return {
+            ok: false,
+            error: createError(
+              DelegationErrorCodes.NOT_FOUND,
+              `Delegation not found: ${cid}`
+            )
+          };
+        }
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.NETWORK_ERROR,
+            `Failed to get delegation chain: ${response.status} - ${errorText}`,
+            void 0,
+            { status: response.status, cid }
+          )
+        };
+      }
+      const data = await response.json();
+      const chain = data.chain.map((item) => ({
+        cid: item.cid,
+        delegateDID: item.delegateDID,
+        delegatorDID: item.delegatorDID,
+        spaceId: item.spaceId,
+        path: item.path,
+        actions: item.actions,
+        expiry: new Date(item.expiry),
+        isRevoked: item.isRevoked,
+        createdAt: item.createdAt ? new Date(item.createdAt) : void 0,
+        parentCid: item.parentCid,
+        allowSubDelegation: item.allowSubDelegation
+      }));
+      return { ok: true, data: chain };
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.ABORTED,
+            "Request aborted",
+            error
+          )
+        };
+      }
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.NETWORK_ERROR,
+          `Network error during chain retrieval: ${String(error)}`,
+          error instanceof Error ? error : void 0
+        )
+      };
     }
-    if (out[shortService] === void 0) {
-      out[shortService] = {};
+  }
+  /**
+   * Checks if the current session has permission for a given path and action.
+   *
+   * This can be used to verify permissions before attempting an operation,
+   * or to implement custom access control logic.
+   *
+   * @param path - The resource path to check
+   * @param action - The action to check (e.g., "tinycloud.kv/get")
+   * @returns Result containing a boolean indicating permission or an error
+   *
+   * @example
+   * ```typescript
+   * const result = await manager.checkPermission("documents/private/", "tinycloud.kv/put");
+   * if (result.ok && result.data) {
+   *   console.log("Permission granted");
+   * } else {
+   *   console.log("Permission denied");
+   * }
+   * ```
+   */
+  async checkPermission(path, action) {
+    if (!path) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "path is required"
+        )
+      };
     }
-    const pathsMap = out[shortService];
-    const existing = pathsMap[r.path];
-    if (existing === void 0) {
-      pathsMap[r.path] = [...r.actions];
-    } else {
-      const seen = new Set(existing);
-      for (const action of r.actions) {
-        if (!seen.has(action)) {
-          existing.push(action);
-          seen.add(action);
+    if (!action) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "action is required"
+        )
+      };
+    }
+    try {
+      const body = JSON.stringify({ path, action });
+      const response = await this.invokeOperation(
+        path,
+        DelegationAction.CHECK,
+        body
+      );
+      if (!response.ok) {
+        if (response.status === 403) {
+          return { ok: true, data: false };
         }
+        const errorText = await response.text();
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.NETWORK_ERROR,
+            `Failed to check permission: ${response.status} - ${errorText}`,
+            void 0,
+            { status: response.status, path, action }
+          )
+        };
       }
+      const data = await response.json();
+      return { ok: true, data: data.allowed };
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.ABORTED,
+            "Request aborted",
+            error
+          )
+        };
+      }
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.NETWORK_ERROR,
+          `Network error during permission check: ${String(error)}`,
+          error instanceof Error ? error : void 0
+        )
+      };
     }
   }
-  return out;
-}
-function resourceCapabilitiesToSpaceAbilitiesMap(resources) {
-  const grouped = /* @__PURE__ */ new Map();
-  for (const resource of resources) {
-    const entries = grouped.get(resource.space);
-    if (entries === void 0) {
-      grouped.set(resource.space, [resource]);
-    } else {
-      entries.push(resource);
-    }
-  }
-  const out = {};
-  for (const [space, entries] of grouped.entries()) {
-    out[space] = resourceCapabilitiesToAbilitiesMap(entries);
-  }
-  return out;
-}
-function manifestAbilitiesUnion(resolved) {
-  const all = [...resolved.resources];
-  for (const delegate of resolved.additionalDelegates) {
-    for (const perm of delegate.permissions) {
-      all.push(perm);
-    }
+};
+
+// src/delegations/SharingService.schema.ts
+var import_zod5 = require("zod");
+var EncodedShareDataSchema = import_zod5.z.object({
+  /** Private key in JWK format (must include d parameter) */
+  key: JWKSchema.refine(
+    (jwk) => typeof jwk.d === "string" && jwk.d.length > 0,
+    { message: "JWK must include private key (d parameter)" }
+  ),
+  /** DID of the key */
+  keyDid: import_zod5.z.string().min(1, "keyDid is required"),
+  /** The delegation granting access */
+  delegation: DelegationSchema,
+  /** Resource path this link grants access to */
+  path: import_zod5.z.string().min(1, "path is required"),
+  /** TinyCloud host URL */
+  host: import_zod5.z.string().url("host must be a valid URL"),
+  /** Space ID */
+  spaceId: import_zod5.z.string().min(1, "spaceId is required"),
+  /** Schema version (must be 1) */
+  version: import_zod5.z.literal(1)
+});
+var ReceiveOptionsSchema = import_zod5.z.object({
+  /**
+   * Whether to automatically create a sub-delegation to the current session key.
+   * Default: true
+   */
+  autoSubdelegate: import_zod5.z.boolean().optional(),
+  /**
+   * Whether to use the current session key for operations (requires autoSubdelegate).
+   * Default: true
+   */
+  useSessionKey: import_zod5.z.boolean().optional(),
+  /**
+   * Ingestion options passed to CapabilityKeyRegistry.
+   */
+  ingestOptions: IngestOptionsSchema.optional()
+});
+var SharingServiceConfigSchema = import_zod5.z.object({
+  /** TinyCloud host URLs */
+  hosts: import_zod5.z.array(import_zod5.z.string().url()).min(1, "At least one host URL is required"),
+  /**
+   * Active session for authentication.
+   * Required for generate(), optional for receive().
+   */
+  session: import_zod5.z.unknown().refine(
+    (val) => val === void 0 || val !== null && typeof val === "object",
+    { message: "Expected a ServiceSession object or undefined" }
+  ).optional(),
+  /** Platform-specific invoke function */
+  invoke: import_zod5.z.unknown().refine((val) => typeof val === "function", {
+    message: "Expected an invoke function"
+  }),
+  /** Optional custom fetch implementation */
+  fetch: import_zod5.z.unknown().refine(
+    (val) => val === void 0 || typeof val === "function",
+    { message: "Expected a fetch function or undefined" }
+  ).optional(),
+  /** Key provider for cryptographic operations */
+  keyProvider: KeyProviderSchema,
+  /** Capability key registry for key/delegation management */
+  registry: import_zod5.z.unknown().refine(
+    (val) => val !== null && typeof val === "object",
+    { message: "Expected an ICapabilityKeyRegistry object" }
+  ),
+  /**
+   * Delegation manager for creating delegations.
+   * Required for generate(), optional for receive().
+   */
+  delegationManager: import_zod5.z.unknown().refine(
+    (val) => val === void 0 || val !== null && typeof val === "object",
+    { message: "Expected a DelegationManager object or undefined" }
+  ).optional(),
+  /** Factory for creating KV service instances */
+  createKVService: import_zod5.z.unknown().refine(
+    (val) => typeof val === "function",
+    { message: "Expected a createKVService factory function" }
+  ),
+  /** Base URL for sharing links (e.g., "https://share.myapp.com") */
+  baseUrl: import_zod5.z.string().optional(),
+  /**
+   * Custom delegation creation function.
+   */
+  createDelegation: import_zod5.z.unknown().refine((val) => val === void 0 || typeof val === "function", {
+    message: "Expected a createDelegation function or undefined"
+  }).optional(),
+  /**
+   * WASM function for client-side delegation creation.
+   */
+  createDelegationWasm: import_zod5.z.unknown().refine((val) => val === void 0 || typeof val === "function", {
+    message: "Expected a createDelegationWasm function or undefined"
+  }).optional(),
+  /**
+   * Path prefix for KV operations.
+   */
+  pathPrefix: import_zod5.z.string().optional(),
+  /**
+   * Session expiry time.
+   */
+  sessionExpiry: import_zod5.z.date().optional(),
+  /**
+   * Callback to create a DIRECT delegation from wallet to share key.
+   * This is the preferred method for long-lived share links because it
+   * bypasses the session delegation chain entirely.
+   */
+  onRootDelegationNeeded: import_zod5.z.unknown().refine((val) => val === void 0 || typeof val === "function", {
+    message: "Expected an onRootDelegationNeeded function or undefined"
+  }).optional()
+});
+function validateEncodedShareData(data) {
+  const result = EncodedShareDataSchema.safeParse(data);
+  if (!result.success) {
+    return {
+      ok: false,
+      error: {
+        code: DelegationErrorCodes.VALIDATION_ERROR,
+        message: `Invalid share data: ${result.error.message}`,
+        service: "delegation",
+        meta: { issues: result.error.issues }
+      }
+    };
   }
-  return resourceCapabilitiesToAbilitiesMap(all);
+  return { ok: true, data: result.data };
 }
 
 // src/delegations/SharingService.ts
@@ -3914,13 +4277,13 @@ var SharingService = class {
           )
         };
       }
-    } catch (err5) {
+    } catch (err6) {
       return {
         ok: false,
         error: createError2(
           DelegationErrorCodes.CREATION_FAILED,
-          `Failed to generate session key for share: ${err5 instanceof Error ? err5.message : String(err5)}`,
-          err5 instanceof Error ? err5 : void 0
+          `Failed to generate session key for share: ${err6 instanceof Error ? err6.message : String(err6)}`,
+          err6 instanceof Error ? err6 : void 0
         )
       };
     }
@@ -3966,7 +4329,7 @@ var SharingService = class {
           }
           delegation = parsed;
         }
-      } catch (err5) {
+      } catch (err6) {
         const fallbackResult = await this.handleSessionExtensionFallback(requestedExpiry);
         expiry = fallbackResult.expiry;
         const delegationResult = await this.createSessionDelegation(plainDID, fullPath, actions, expiry);
@@ -4164,13 +4527,13 @@ var SharingService = class {
           allowSubDelegation: true,
           createdAt: /* @__PURE__ */ new Date()
         };
-      } catch (err5) {
+      } catch (err6) {
         return {
           ok: false,
           error: createError2(
             DelegationErrorCodes.CREATION_FAILED,
-            `Failed to create delegation via WASM: ${err5 instanceof Error ? err5.message : String(err5)}`,
-            err5 instanceof Error ? err5 : void 0
+            `Failed to create delegation via WASM: ${err6 instanceof Error ? err6.message : String(err6)}`,
+            err6 instanceof Error ? err6 : void 0
           )
         };
       }
@@ -4251,8 +4614,8 @@ var SharingService = class {
     let activeKey = keyInfo;
     if (autoSubdelegate && useSessionKey && this.session) {
       try {
-      } catch (err5) {
-        console.warn("Auto-subdelegation failed, using ingested key directly:", err5);
+      } catch (err6) {
+        console.warn("Auto-subdelegation failed, using ingested key directly:", err6);
       }
     }
     const authHeader = shareData.delegation.authHeader ?? `Bearer ${shareData.delegation.cid}`;
@@ -4350,26 +4713,26 @@ var SharingService = class {
     let jsonString;
     try {
       jsonString = base64UrlDecode(base64Data);
-    } catch (err5) {
+    } catch (err6) {
       return {
         ok: false,
         error: createError2(
           DelegationErrorCodes.INVALID_TOKEN,
-          `Failed to decode base64 data: ${err5 instanceof Error ? err5.message : String(err5)}`,
-          err5 instanceof Error ? err5 : void 0
+          `Failed to decode base64 data: ${err6 instanceof Error ? err6.message : String(err6)}`,
+          err6 instanceof Error ? err6 : void 0
         )
       };
     }
     let parsed;
     try {
       parsed = JSON.parse(jsonString);
-    } catch (err5) {
+    } catch (err6) {
       return {
         ok: false,
         error: createError2(
           DelegationErrorCodes.INVALID_TOKEN,
-          `Failed to parse share data JSON: ${err5 instanceof Error ? err5.message : String(err5)}`,
-          err5 instanceof Error ? err5 : void 0
+          `Failed to parse share data JSON: ${err6 instanceof Error ? err6.message : String(err6)}`,
+          err6 instanceof Error ? err6 : void 0
         )
       };
     }
@@ -4396,8 +4759,8 @@ function createSharingService(config) {
 }
 
 // src/authorization/CapabilityKeyRegistry.ts
-var import_sdk_services5 = require("@tinycloud/sdk-services");
-var SERVICE_NAME2 = "capability-key-registry";
+var import_sdk_services6 = require("@tinycloud/sdk-services");
+var SERVICE_NAME3 = "capability-key-registry";
 var CapabilityKeyRegistryErrorCodes = {
   /** Key not found in registry */
   KEY_NOT_FOUND: "KEY_NOT_FOUND",
@@ -4614,11 +4977,11 @@ var CapabilityKeyRegistry = class {
   revokeDelegation(cid) {
     const stored = this.store.byCid.get(cid);
     if (!stored) {
-      return (0, import_sdk_services5.err)(
-        (0, import_sdk_services5.serviceError)(
+      return (0, import_sdk_services6.err)(
+        (0, import_sdk_services6.serviceError)(
           CapabilityKeyRegistryErrorCodes.KEY_NOT_FOUND,
           `Delegation not found: ${cid}`,
-          SERVICE_NAME2
+          SERVICE_NAME3
         )
       );
     }
@@ -4637,7 +5000,7 @@ var CapabilityKeyRegistry = class {
         }
       }
     }
-    return (0, import_sdk_services5.ok)(void 0);
+    return (0, import_sdk_services6.ok)(void 0);
   }
   // ===========================================================================
   // Search
@@ -4866,8 +5229,8 @@ async function checkNodeInfo(host, sdkProtocol, fetchFn = globalThis.fetch.bind(
     response = await fetchFn(`${host}/info`, {
       signal: AbortSignal.timeout(5e3)
     });
-  } catch (err5) {
-    throw new VersionCheckError(host, err5);
+  } catch (err6) {
+    throw new VersionCheckError(host, err6);
   }
   if (!response.ok) {
     throw new VersionCheckError(host);
@@ -5400,6 +5763,7 @@ function parseRecapCapabilities(parseWasm, siwe) {
 0 && (module.exports = {
   ACCOUNT_REGISTRY_PATH,
   ACCOUNT_REGISTRY_SPACE,
+  AccountService,
   AutoApproveSpaceCreationHandler,
   CapabilityKeyRegistry,
   CapabilityKeyRegistryErrorCodes,