@tinycloud/sdk-core 2.4.0-beta.2 → 2.4.0-beta.6

package/dist/index.js

@@ -2151,1017 +2151,292 @@ var TinyCloud = class _TinyCloud {
   }
 };
 
-// src/index.ts
+// src/account/AccountService.ts
 import {
-  ServiceContext as ServiceContext2,
-  KVService as KVService2,
-  PrefixedKVService,
-  ok as ok4,
-  err as err4,
-  serviceError as serviceError4,
-  ErrorCodes as ErrorCodes2,
-  defaultRetryPolicy as defaultRetryPolicy2,
-  SQLService as SQLService2,
-  DatabaseHandle,
-  SQLAction,
-  DuckDbService as DuckDbService2,
-  DuckDbDatabaseHandle,
-  DuckDbAction,
-  HooksService as HooksService2,
-  DataVaultService,
-  VaultHeaders,
-  VaultPublicSpaceKVActions,
-  createVaultCrypto,
-  SecretsService,
-  SECRET_NAME_RE as SECRET_NAME_RE2,
-  canonicalizeSecretScope,
-  resolveSecretListPrefix,
-  resolveSecretPath as resolveSecretPath2,
-  EncryptionService,
-  parseNetworkId as parseNetworkId2,
-  buildNetworkId as buildNetworkId2,
-  isNetworkId,
-  networkDiscoveryKey,
-  NetworkIdError,
-  ENCRYPTION_NETWORK_URN_PREFIX,
-  NETWORK_NAME_PATTERN,
-  canonicalizeEncryptionJson,
-  canonicalHashHex,
-  hexEncode,
-  hexDecode,
-  base64Encode,
-  base64Decode,
-  utf8Encode,
-  utf8Decode,
-  encryptToNetwork,
-  decryptEnvelopeWithKey,
-  validateEnvelope,
-  generateRandomReceiverKey,
-  deriveSignedReceiverKey,
-  buildCanonicalDecryptRequest,
-  buildDecryptFacts,
-  buildDecryptAttenuation,
-  buildDecryptInvocation,
-  checkDecryptInvocationInput,
-  verifyDecryptResponse,
-  canonicalSignedResponse,
-  openWrappedKey,
-  discoverNetwork,
-  ensureNetworkUsableForDecrypt,
-  DEFAULT_ENCRYPTION_ALG,
-  ENVELOPE_VERSION,
-  DEFAULT_KEY_VERSION,
-  DECRYPT_FACT_TYPE,
-  DECRYPT_RESULT_TYPE,
-  DECRYPT_ACTION,
-  ENCRYPTION_SERVICE,
-  ENCRYPTION_SERVICE_SHORT,
-  encryptionError
+  err as err3,
+  ok as ok3,
+  serviceError as serviceError3
 } from "@tinycloud/sdk-services";
 
-// src/space.ts
-async function fetchPeerId(host, spaceId) {
-  const res = await fetch(
-    `${host}/peer/generate/${encodeURIComponent(spaceId)}`
-  );
-  if (!res.ok) {
-    const error = await res.text().catch(() => res.statusText);
-    throw new Error(`Failed to get peer ID: ${res.status} - ${error}`);
+// src/manifest.ts
+import ms from "ms";
+import { resolveSecretPath, SECRET_NAME_RE } from "@tinycloud/sdk-services";
+var ManifestValidationError = class extends Error {
+  constructor(message) {
+    super(`Manifest validation failed: ${message}`);
+    this.name = "ManifestValidationError";
   }
-  return res.text();
+};
+var DEFAULT_EXPIRY = "30d";
+var DEFAULT_DEFAULTS = true;
+var DEFAULT_MANIFEST_VERSION = 1;
+var DEFAULT_MANIFEST_SPACE = "applications";
+var ACCOUNT_REGISTRY_SPACE = "account";
+var ACCOUNT_REGISTRY_PATH = "applications/";
+var SECRETS_SPACE = "secrets";
+var VAULT_PERMISSION_SERVICE = "tinycloud.vault";
+var SERVICE_SHORT_TO_LONG = Object.freeze({
+  kv: "tinycloud.kv",
+  sql: "tinycloud.sql",
+  duckdb: "tinycloud.duckdb",
+  capabilities: "tinycloud.capabilities",
+  hooks: "tinycloud.hooks",
+  encryption: "tinycloud.encryption"
+});
+var ENCRYPTION_PERMISSION_SERVICE = "tinycloud.encryption";
+var ENCRYPTION_MANIFEST_SPACE = "encryption";
+var SERVICE_LONG_TO_SHORT = Object.freeze(
+  Object.fromEntries(
+    Object.entries(SERVICE_SHORT_TO_LONG).map(([s, l]) => [l, s])
+  )
+);
+var DEFAULT_STANDARD_ENTRIES = [
+  {
+    service: "tinycloud.kv",
+    space: DEFAULT_MANIFEST_SPACE,
+    path: "/",
+    actions: ["get", "put", "del", "list", "metadata"]
+  },
+  {
+    service: "tinycloud.sql",
+    space: DEFAULT_MANIFEST_SPACE,
+    path: "/",
+    actions: ["read", "write"]
+  }
+];
+var DEFAULT_ADMIN_ENTRIES = [
+  {
+    service: "tinycloud.kv",
+    space: DEFAULT_MANIFEST_SPACE,
+    path: "/",
+    actions: ["get", "put", "del", "list", "metadata"]
+  },
+  {
+    service: "tinycloud.sql",
+    space: DEFAULT_MANIFEST_SPACE,
+    path: "/",
+    actions: ["read", "write", "ddl"]
+  }
+];
+var DEFAULT_ALL_ENTRIES = [
+  {
+    service: "tinycloud.kv",
+    space: DEFAULT_MANIFEST_SPACE,
+    path: "/",
+    actions: ["get", "put", "del", "list", "metadata"]
+  },
+  {
+    service: "tinycloud.sql",
+    space: DEFAULT_MANIFEST_SPACE,
+    path: "/",
+    actions: ["read", "write", "ddl"]
+  },
+  {
+    service: "tinycloud.duckdb",
+    space: DEFAULT_MANIFEST_SPACE,
+    path: "/",
+    actions: ["read", "write"]
+  }
+];
+function parseExpiry(duration) {
+  if (typeof duration !== "string" || duration.length === 0) {
+    throw new ManifestValidationError(
+      `expiry must be a non-empty duration string (got ${JSON.stringify(duration)})`
+    );
+  }
+  const parsed = ms(duration);
+  if (typeof parsed !== "number" || !Number.isFinite(parsed) || parsed <= 0) {
+    throw new ManifestValidationError(
+      `invalid expiry duration: ${JSON.stringify(duration)}`
+    );
+  }
+  return parsed;
 }
-async function submitHostDelegation(host, headers) {
-  const res = await fetch(`${host}/delegate`, {
-    method: "POST",
-    headers
+function expandActionShortNames(service, actions) {
+  return actions.map((a) => {
+    if (a.includes("/")) {
+      return a;
+    }
+    return `${service}/${a}`;
   });
-  return {
-    success: res.ok,
-    status: res.status,
-    error: res.ok ? void 0 : await res.text().catch(() => res.statusText)
-  };
 }
-async function activateSessionWithHost(host, delegationHeader) {
-  const res = await fetch(`${host}/delegate`, {
-    method: "POST",
-    headers: delegationHeader
-  });
-  if (res.ok) {
-    try {
-      const body = await res.json();
-      return {
-        success: true,
-        status: res.status,
-        activated: body.activated ?? [],
-        skipped: body.skipped ?? []
-      };
-    } catch {
-      return {
-        success: true,
-        status: res.status,
-        activated: [],
-        skipped: []
-      };
-    }
+function expandPermissionEntry(entry) {
+  if (entry.service === ENCRYPTION_PERMISSION_SERVICE) {
+    return expandEncryptionPermissionEntry(entry);
   }
-  return {
-    success: false,
-    status: res.status,
-    error: await res.text().catch(() => res.statusText)
-  };
-}
-
-// src/delegations/DelegationManager.ts
-var DelegationAction = {
-  CREATE: "tinycloud.delegation/create",
-  REVOKE: "tinycloud.delegation/revoke",
-  LIST: "tinycloud.delegation/list",
-  GET: "tinycloud.delegation/get",
-  CHECK: "tinycloud.delegation/check"
-};
-function createError(code, message, cause, meta) {
-  return {
-    code,
-    message,
-    service: "delegation",
-    cause,
-    meta
-  };
+  if (entry.service !== VAULT_PERMISSION_SERVICE) {
+    return [
+      {
+        ...entry,
+        actions: expandActionShortNames(entry.service, entry.actions)
+      }
+    ];
+  }
+  return expandVaultPermissionEntry(entry);
 }
-var DelegationManager = class {
-  /**
-   * Creates a new DelegationManager instance.
-   *
-   * @param config - Configuration including hosts, session, and invoke function
-   */
-  constructor(config) {
-    this.hosts = config.hosts;
-    this.session = config.session;
-    this.invoke = config.invoke;
-    this.fetchFn = config.fetch ?? globalThis.fetch.bind(globalThis);
+function expandEncryptionPermissionEntry(entry) {
+  if (typeof entry.path !== "string" || !entry.path.startsWith("urn:tinycloud:encryption:")) {
+    throw new ManifestValidationError(
+      `tinycloud.encryption entries require path to be a networkId URN (got ${JSON.stringify(entry.path)})`
+    );
   }
-  /**
-   * Updates the session (e.g., after re-authentication).
-   *
-   * @param session - New session to use for operations
-   */
-  updateSession(session) {
-    this.session = session;
-  }
-  /**
-   * Gets the primary host URL.
-   */
-  get host() {
-    return this.hosts[0];
-  }
-  /**
-   * Executes an invoke operation against the delegation API.
-   */
-  async invokeOperation(path, action, body) {
-    const headers = this.invoke(this.session, "delegation", path, action);
-    return this.fetchFn(`${this.host}/invoke`, {
-      method: "POST",
-      headers,
-      body
-    });
-  }
-  /**
-   * Creates a new delegation.
-   *
-   * Delegates specific permissions to another DID for a given path.
-   * The delegatee can then use these permissions to access resources
-   * within the specified scope.
-   *
-   * @param params - Parameters for the delegation
-   * @returns Result containing the created Delegation or an error
-   *
-   * @example
-   * ```typescript
-   * const result = await manager.create({
-   *   delegateDID: bob.did,
-   *   path: "documents/shared/",
-   *   actions: ["tinycloud.kv/get", "tinycloud.kv/put"],
-   *   expiry: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000), // 7 days
-   * });
-   * ```
-   */
-  async create(params) {
-    if (!params.delegateDID) {
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.INVALID_INPUT,
-          "delegateDID is required"
-        )
-      };
+  const normalizedActions = [];
+  for (const action of entry.actions) {
+    if (action === "decrypt" || action === "tinycloud.encryption/decrypt") {
+      normalizedActions.push("tinycloud.encryption/decrypt");
+      continue;
     }
-    if (!params.path) {
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.INVALID_INPUT,
-          "path is required"
-        )
-      };
+    if (action === "network.create" || action === "tinycloud.encryption/network.create") {
+      normalizedActions.push("tinycloud.encryption/network.create");
+      continue;
     }
-    if (!params.actions || params.actions.length === 0) {
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.INVALID_INPUT,
-          "at least one action is required"
-        )
-      };
+    if (action === "network.revoke" || action === "tinycloud.encryption/network.revoke") {
+      normalizedActions.push("tinycloud.encryption/network.revoke");
+      continue;
     }
-    try {
-      const body = JSON.stringify({
-        delegateDID: params.delegateDID,
-        path: params.path,
-        actions: params.actions,
-        expiry: params.expiry?.toISOString(),
-        disableSubDelegation: params.disableSubDelegation ?? false,
-        statement: params.statement
-      });
-      const response = await this.invokeOperation(
-        params.path,
-        DelegationAction.CREATE,
-        body
+    if (action.includes("/")) {
+      throw new ManifestValidationError(
+        `unknown encryption action ${JSON.stringify(action)}; expected decrypt, network.create, or network.revoke`
       );
-      if (!response.ok) {
-        const errorText = await response.text();
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.CREATION_FAILED,
-            `Failed to create delegation: ${response.status} - ${errorText}`,
-            void 0,
-            { status: response.status, path: params.path }
-          )
-        };
-      }
-      const apiResponse = await response.json();
-      const delegation = {
-        cid: apiResponse.cid ?? "",
-        delegateDID: params.delegateDID,
-        spaceId: this.session.spaceId,
-        path: params.path,
-        actions: params.actions,
-        expiry: params.expiry ?? new Date(Date.now() + EXPIRY.SHARE_MS),
-        isRevoked: false,
-        allowSubDelegation: !(params.disableSubDelegation ?? false),
-        createdAt: /* @__PURE__ */ new Date()
-      };
-      return { ok: true, data: delegation };
-    } catch (error) {
-      if (error instanceof Error && error.name === "AbortError") {
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.ABORTED,
-            "Request aborted",
-            error
-          )
-        };
-      }
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.NETWORK_ERROR,
-          `Network error during delegation creation: ${String(error)}`,
-          error instanceof Error ? error : void 0
-        )
-      };
     }
+    throw new ManifestValidationError(
+      `unknown encryption action ${JSON.stringify(action)}; expected decrypt, network.create, or network.revoke`
+    );
   }
-  /**
-   * Revokes an existing delegation.
-   *
-   * Once revoked, the delegation can no longer be used to access resources.
-   * This also invalidates any sub-delegations derived from this delegation.
-   *
-   * @param cid - The CID of the delegation to revoke
-   * @returns Result indicating success or an error
-   *
-   * @example
-   * ```typescript
-   * const result = await manager.revoke("bafy...");
-   * if (result.ok) {
-   *   console.log("Delegation revoked successfully");
-   * }
-   * ```
-   */
-  async revoke(cid) {
-    if (!cid) {
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.INVALID_INPUT,
-          "cid is required"
-        )
-      };
+  const dedupedActions = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const a of normalizedActions) {
+    if (!seen.has(a)) {
+      dedupedActions.push(a);
+      seen.add(a);
     }
-    try {
-      const body = JSON.stringify({ cid });
-      const response = await this.invokeOperation(
-        cid,
-        DelegationAction.REVOKE,
-        body
-      );
-      if (!response.ok) {
-        const errorText = await response.text();
-        if (response.status === 404) {
-          return {
-            ok: false,
-            error: createError(
-              DelegationErrorCodes.NOT_FOUND,
-              `Delegation not found: ${cid}`
-            )
-          };
-        }
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.REVOCATION_FAILED,
-            `Failed to revoke delegation: ${response.status} - ${errorText}`,
-            void 0,
-            { status: response.status, cid }
-          )
-        };
-      }
-      return { ok: true, data: void 0 };
-    } catch (error) {
-      if (error instanceof Error && error.name === "AbortError") {
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.ABORTED,
-            "Request aborted",
-            error
-          )
-        };
-      }
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.NETWORK_ERROR,
-          `Network error during delegation revocation: ${String(error)}`,
-          error instanceof Error ? error : void 0
-        )
-      };
+  }
+  return [
+    {
+      service: ENCRYPTION_PERMISSION_SERVICE,
+      space: ENCRYPTION_MANIFEST_SPACE,
+      path: entry.path,
+      actions: dedupedActions,
+      skipPrefix: true,
+      ...entry.expiry !== void 0 ? { expiry: entry.expiry } : {},
+      ...entry.description !== void 0 ? { description: entry.description } : {}
     }
+  ];
+}
+function expandPermissionEntries(entries) {
+  return entries.flatMap(expandPermissionEntry);
+}
+function applyPrefix(prefix, path, skipPrefix) {
+  if (skipPrefix) {
+    return path;
   }
-  /**
-   * Lists all delegations for the current session's space.
-   *
-   * Returns both delegations created by the current user (as delegator)
-   * and delegations granted to the current user (as delegatee).
-   *
-   * @returns Result containing an array of Delegations or an error
-   *
-   * @example
-   * ```typescript
-   * const result = await manager.list();
-   * if (result.ok) {
-   *   for (const delegation of result.data) {
-   *     console.log(`${delegation.cid}: ${delegation.path} -> ${delegation.delegateDID}`);
-   *   }
-   * }
-   * ```
-   */
-  async list() {
-    try {
-      const response = await this.invokeOperation("", DelegationAction.LIST);
-      if (!response.ok) {
-        const errorText = await response.text();
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.NETWORK_ERROR,
-            `Failed to list delegations: ${response.status} - ${errorText}`,
-            void 0,
-            { status: response.status }
-          )
-        };
-      }
-      const data = await response.json();
-      const delegations = data.map((item) => ({
-        cid: item.cid,
-        delegateDID: item.delegateDID,
-        delegatorDID: item.delegatorDID,
-        spaceId: item.spaceId,
-        path: item.path,
-        actions: item.actions,
-        expiry: new Date(item.expiry),
-        isRevoked: item.isRevoked,
-        createdAt: item.createdAt ? new Date(item.createdAt) : void 0,
-        parentCid: item.parentCid,
-        allowSubDelegation: item.allowSubDelegation
-      }));
-      return { ok: true, data: delegations };
-    } catch (error) {
-      if (error instanceof Error && error.name === "AbortError") {
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.ABORTED,
-            "Request aborted",
-            error
-          )
-        };
-      }
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.NETWORK_ERROR,
-          `Network error during delegation list: ${String(error)}`,
-          error instanceof Error ? error : void 0
-        )
-      };
+  if (prefix === "") {
+    return path;
+  }
+  if (path.startsWith("/")) {
+    return `${prefix}${path}`;
+  }
+  return `${prefix}/${path}`;
+}
+async function loadManifest(url) {
+  const fetchFn = globalThis.fetch;
+  if (typeof fetchFn !== "function") {
+    throw new ManifestValidationError(
+      "loadManifest requires a global fetch; pass the manifest object directly on runtimes without fetch"
+    );
+  }
+  const res = await fetchFn(url);
+  if (!res.ok) {
+    throw new ManifestValidationError(
+      `failed to fetch manifest from ${url}: HTTP ${res.status}`
+    );
+  }
+  const json = await res.json();
+  return validateManifest(json);
+}
+function validateManifest(input) {
+  if (input === null || typeof input !== "object") {
+    throw new ManifestValidationError("manifest must be an object");
+  }
+  const m = input;
+  if (m.manifest_version !== void 0 && m.manifest_version !== DEFAULT_MANIFEST_VERSION) {
+    throw new ManifestValidationError(
+      `manifest.manifest_version must be ${DEFAULT_MANIFEST_VERSION}`
+    );
+  }
+  if (typeof m.app_id !== "string" || m.app_id.length === 0) {
+    throw new ManifestValidationError(
+      "manifest.app_id is required and must be a non-empty string"
+    );
+  }
+  if (typeof m.name !== "string" || m.name.length === 0) {
+    throw new ManifestValidationError(
+      "manifest.name is required and must be a non-empty string"
+    );
+  }
+  if (m.did !== void 0 && (typeof m.did !== "string" || m.did.length === 0)) {
+    throw new ManifestValidationError(
+      "manifest.did must be a non-empty DID string"
+    );
+  }
+  if (m.space !== void 0 && (typeof m.space !== "string" || m.space.length === 0)) {
+    throw new ManifestValidationError(
+      "manifest.space must be a non-empty string"
+    );
+  }
+  if (m.expiry !== void 0) {
+    parseExpiry(m.expiry);
+  }
+  if (m.permissions !== void 0) {
+    if (!Array.isArray(m.permissions)) {
+      throw new ManifestValidationError(
+        "manifest.permissions must be an array"
+      );
     }
+    m.permissions.forEach(
+      (p, i) => validatePermissionEntry(p, `permissions[${i}]`)
+    );
   }
-  /**
-   * Gets the full delegation chain for a given delegation.
-   *
-   * Returns the chain of delegations from the root (original delegator)
-   * to the specified delegation, including all intermediate sub-delegations.
-   *
-   * @param cid - The CID of the delegation to get the chain for
-   * @returns Result containing the DelegationChain or an error
-   *
-   * @example
-   * ```typescript
-   * const result = await manager.getChain("bafy...");
-   * if (result.ok) {
-   *   console.log("Chain length:", result.data.length);
-   *   for (const delegation of result.data) {
-   *     console.log(`- ${delegation.delegatorDID} -> ${delegation.delegateDID}`);
-   *   }
-   * }
-   * ```
-   */
-  async getChain(cid) {
-    if (!cid) {
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.INVALID_INPUT,
-          "cid is required"
-        )
-      };
+  if (m.secrets !== void 0) {
+    validateManifestSecrets(m.secrets);
+  }
+  return m;
+}
+function validateManifestSecrets(secrets) {
+  if (secrets === null || typeof secrets !== "object" || Array.isArray(secrets)) {
+    throw new ManifestValidationError("manifest.secrets must be an object");
+  }
+  for (const [name, spec] of Object.entries(secrets)) {
+    if (!SECRET_NAME_RE.test(name)) {
+      throw new ManifestValidationError(
+        `manifest.secrets.${name} must match ${SECRET_NAME_RE.source}`
+      );
     }
     try {
-      const body = JSON.stringify({ cid, includeChain: true });
-      const response = await this.invokeOperation(
-        cid,
-        DelegationAction.GET,
-        body
+      resolveSecretPath(
+        secretNameFromSpec(name, spec),
+        { scope: secretScopeFromSpec(spec) }
       );
-      if (!response.ok) {
-        const errorText = await response.text();
-        if (response.status === 404) {
-          return {
-            ok: false,
-            error: createError(
-              DelegationErrorCodes.NOT_FOUND,
-              `Delegation not found: ${cid}`
-            )
-          };
-        }
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.NETWORK_ERROR,
-            `Failed to get delegation chain: ${response.status} - ${errorText}`,
-            void 0,
-            { status: response.status, cid }
-          )
-        };
-      }
-      const data = await response.json();
-      const chain = data.chain.map((item) => ({
-        cid: item.cid,
-        delegateDID: item.delegateDID,
-        delegatorDID: item.delegatorDID,
-        spaceId: item.spaceId,
-        path: item.path,
-        actions: item.actions,
-        expiry: new Date(item.expiry),
-        isRevoked: item.isRevoked,
-        createdAt: item.createdAt ? new Date(item.createdAt) : void 0,
-        parentCid: item.parentCid,
-        allowSubDelegation: item.allowSubDelegation
-      }));
-      return { ok: true, data: chain };
     } catch (error) {
-      if (error instanceof Error && error.name === "AbortError") {
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.ABORTED,
-            "Request aborted",
-            error
-          )
-        };
+      throw new ManifestValidationError(
+        `manifest.secrets.${name}: ${error instanceof Error ? error.message : String(error)}`
+      );
+    }
+    const actions = secretActionsFromSpec(name, spec);
+    if (actions.length === 0) {
+      throw new ManifestValidationError(
+        `manifest.secrets.${name} actions must be non-empty`
+      );
+    }
+    for (const action of actions) {
+      if (typeof action !== "string" || action.length === 0) {
+        throw new ManifestValidationError(
+          `manifest.secrets.${name} actions must be non-empty strings`
+        );
       }
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.NETWORK_ERROR,
-          `Network error during chain retrieval: ${String(error)}`,
-          error instanceof Error ? error : void 0
-        )
-      };
-    }
-  }
-  /**
-   * Checks if the current session has permission for a given path and action.
-   *
-   * This can be used to verify permissions before attempting an operation,
-   * or to implement custom access control logic.
-   *
-   * @param path - The resource path to check
-   * @param action - The action to check (e.g., "tinycloud.kv/get")
-   * @returns Result containing a boolean indicating permission or an error
-   *
-   * @example
-   * ```typescript
-   * const result = await manager.checkPermission("documents/private/", "tinycloud.kv/put");
-   * if (result.ok && result.data) {
-   *   console.log("Permission granted");
-   * } else {
-   *   console.log("Permission denied");
-   * }
-   * ```
-   */
-  async checkPermission(path, action) {
-    if (!path) {
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.INVALID_INPUT,
-          "path is required"
-        )
-      };
-    }
-    if (!action) {
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.INVALID_INPUT,
-          "action is required"
-        )
-      };
-    }
-    try {
-      const body = JSON.stringify({ path, action });
-      const response = await this.invokeOperation(
-        path,
-        DelegationAction.CHECK,
-        body
-      );
-      if (!response.ok) {
-        if (response.status === 403) {
-          return { ok: true, data: false };
-        }
-        const errorText = await response.text();
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.NETWORK_ERROR,
-            `Failed to check permission: ${response.status} - ${errorText}`,
-            void 0,
-            { status: response.status, path, action }
-          )
-        };
-      }
-      const data = await response.json();
-      return { ok: true, data: data.allowed };
-    } catch (error) {
-      if (error instanceof Error && error.name === "AbortError") {
-        return {
-          ok: false,
-          error: createError(
-            DelegationErrorCodes.ABORTED,
-            "Request aborted",
-            error
-          )
-        };
-      }
-      return {
-        ok: false,
-        error: createError(
-          DelegationErrorCodes.NETWORK_ERROR,
-          `Network error during permission check: ${String(error)}`,
-          error instanceof Error ? error : void 0
-        )
-      };
-    }
-  }
-};
-
-// src/delegations/SharingService.schema.ts
-import { z as z5 } from "zod";
-var EncodedShareDataSchema = z5.object({
-  /** Private key in JWK format (must include d parameter) */
-  key: JWKSchema.refine(
-    (jwk) => typeof jwk.d === "string" && jwk.d.length > 0,
-    { message: "JWK must include private key (d parameter)" }
-  ),
-  /** DID of the key */
-  keyDid: z5.string().min(1, "keyDid is required"),
-  /** The delegation granting access */
-  delegation: DelegationSchema,
-  /** Resource path this link grants access to */
-  path: z5.string().min(1, "path is required"),
-  /** TinyCloud host URL */
-  host: z5.string().url("host must be a valid URL"),
-  /** Space ID */
-  spaceId: z5.string().min(1, "spaceId is required"),
-  /** Schema version (must be 1) */
-  version: z5.literal(1)
-});
-var ReceiveOptionsSchema = z5.object({
-  /**
-   * Whether to automatically create a sub-delegation to the current session key.
-   * Default: true
-   */
-  autoSubdelegate: z5.boolean().optional(),
-  /**
-   * Whether to use the current session key for operations (requires autoSubdelegate).
-   * Default: true
-   */
-  useSessionKey: z5.boolean().optional(),
-  /**
-   * Ingestion options passed to CapabilityKeyRegistry.
-   */
-  ingestOptions: IngestOptionsSchema.optional()
-});
-var SharingServiceConfigSchema = z5.object({
-  /** TinyCloud host URLs */
-  hosts: z5.array(z5.string().url()).min(1, "At least one host URL is required"),
-  /**
-   * Active session for authentication.
-   * Required for generate(), optional for receive().
-   */
-  session: z5.unknown().refine(
-    (val) => val === void 0 || val !== null && typeof val === "object",
-    { message: "Expected a ServiceSession object or undefined" }
-  ).optional(),
-  /** Platform-specific invoke function */
-  invoke: z5.unknown().refine((val) => typeof val === "function", {
-    message: "Expected an invoke function"
-  }),
-  /** Optional custom fetch implementation */
-  fetch: z5.unknown().refine(
-    (val) => val === void 0 || typeof val === "function",
-    { message: "Expected a fetch function or undefined" }
-  ).optional(),
-  /** Key provider for cryptographic operations */
-  keyProvider: KeyProviderSchema,
-  /** Capability key registry for key/delegation management */
-  registry: z5.unknown().refine(
-    (val) => val !== null && typeof val === "object",
-    { message: "Expected an ICapabilityKeyRegistry object" }
-  ),
-  /**
-   * Delegation manager for creating delegations.
-   * Required for generate(), optional for receive().
-   */
-  delegationManager: z5.unknown().refine(
-    (val) => val === void 0 || val !== null && typeof val === "object",
-    { message: "Expected a DelegationManager object or undefined" }
-  ).optional(),
-  /** Factory for creating KV service instances */
-  createKVService: z5.unknown().refine(
-    (val) => typeof val === "function",
-    { message: "Expected a createKVService factory function" }
-  ),
-  /** Base URL for sharing links (e.g., "https://share.myapp.com") */
-  baseUrl: z5.string().optional(),
-  /**
-   * Custom delegation creation function.
-   */
-  createDelegation: z5.unknown().refine((val) => val === void 0 || typeof val === "function", {
-    message: "Expected a createDelegation function or undefined"
-  }).optional(),
-  /**
-   * WASM function for client-side delegation creation.
-   */
-  createDelegationWasm: z5.unknown().refine((val) => val === void 0 || typeof val === "function", {
-    message: "Expected a createDelegationWasm function or undefined"
-  }).optional(),
-  /**
-   * Path prefix for KV operations.
-   */
-  pathPrefix: z5.string().optional(),
-  /**
-   * Session expiry time.
-   */
-  sessionExpiry: z5.date().optional(),
-  /**
-   * Callback to create a DIRECT delegation from wallet to share key.
-   * This is the preferred method for long-lived share links because it
-   * bypasses the session delegation chain entirely.
-   */
-  onRootDelegationNeeded: z5.unknown().refine((val) => val === void 0 || typeof val === "function", {
-    message: "Expected an onRootDelegationNeeded function or undefined"
-  }).optional()
-});
-function validateEncodedShareData(data) {
-  const result = EncodedShareDataSchema.safeParse(data);
-  if (!result.success) {
-    return {
-      ok: false,
-      error: {
-        code: DelegationErrorCodes.VALIDATION_ERROR,
-        message: `Invalid share data: ${result.error.message}`,
-        service: "delegation",
-        meta: { issues: result.error.issues }
-      }
-    };
-  }
-  return { ok: true, data: result.data };
-}
-
-// src/manifest.ts
-import ms from "ms";
-import { resolveSecretPath, SECRET_NAME_RE } from "@tinycloud/sdk-services";
-var ManifestValidationError = class extends Error {
-  constructor(message) {
-    super(`Manifest validation failed: ${message}`);
-    this.name = "ManifestValidationError";
-  }
-};
-var DEFAULT_EXPIRY = "30d";
-var DEFAULT_DEFAULTS = true;
-var DEFAULT_MANIFEST_VERSION = 1;
-var DEFAULT_MANIFEST_SPACE = "applications";
-var ACCOUNT_REGISTRY_SPACE = "account";
-var ACCOUNT_REGISTRY_PATH = "applications/";
-var SECRETS_SPACE = "secrets";
-var VAULT_PERMISSION_SERVICE = "tinycloud.vault";
-var SERVICE_SHORT_TO_LONG = Object.freeze({
-  kv: "tinycloud.kv",
-  sql: "tinycloud.sql",
-  duckdb: "tinycloud.duckdb",
-  capabilities: "tinycloud.capabilities",
-  hooks: "tinycloud.hooks",
-  encryption: "tinycloud.encryption"
-});
-var ENCRYPTION_PERMISSION_SERVICE = "tinycloud.encryption";
-var ENCRYPTION_MANIFEST_SPACE = "encryption";
-var SERVICE_LONG_TO_SHORT = Object.freeze(
-  Object.fromEntries(
-    Object.entries(SERVICE_SHORT_TO_LONG).map(([s, l]) => [l, s])
-  )
-);
-var DEFAULT_STANDARD_ENTRIES = [
-  {
-    service: "tinycloud.kv",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["get", "put", "del", "list", "metadata"]
-  },
-  {
-    service: "tinycloud.sql",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["read", "write"]
-  }
-];
-var DEFAULT_ADMIN_ENTRIES = [
-  {
-    service: "tinycloud.kv",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["get", "put", "del", "list", "metadata"]
-  },
-  {
-    service: "tinycloud.sql",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["read", "write", "ddl"]
-  }
-];
-var DEFAULT_ALL_ENTRIES = [
-  {
-    service: "tinycloud.kv",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["get", "put", "del", "list", "metadata"]
-  },
-  {
-    service: "tinycloud.sql",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["read", "write", "ddl"]
-  },
-  {
-    service: "tinycloud.duckdb",
-    space: DEFAULT_MANIFEST_SPACE,
-    path: "/",
-    actions: ["read", "write"]
-  }
-];
-function parseExpiry(duration) {
-  if (typeof duration !== "string" || duration.length === 0) {
-    throw new ManifestValidationError(
-      `expiry must be a non-empty duration string (got ${JSON.stringify(duration)})`
-    );
-  }
-  const parsed = ms(duration);
-  if (typeof parsed !== "number" || !Number.isFinite(parsed) || parsed <= 0) {
-    throw new ManifestValidationError(
-      `invalid expiry duration: ${JSON.stringify(duration)}`
-    );
-  }
-  return parsed;
-}
-function expandActionShortNames(service, actions) {
-  return actions.map((a) => {
-    if (a.includes("/")) {
-      return a;
-    }
-    return `${service}/${a}`;
-  });
-}
-function expandPermissionEntry(entry) {
-  if (entry.service === ENCRYPTION_PERMISSION_SERVICE) {
-    return expandEncryptionPermissionEntry(entry);
-  }
-  if (entry.service !== VAULT_PERMISSION_SERVICE) {
-    return [
-      {
-        ...entry,
-        actions: expandActionShortNames(entry.service, entry.actions)
-      }
-    ];
-  }
-  return expandVaultPermissionEntry(entry);
-}
-function expandEncryptionPermissionEntry(entry) {
-  if (typeof entry.path !== "string" || !entry.path.startsWith("urn:tinycloud:encryption:")) {
-    throw new ManifestValidationError(
-      `tinycloud.encryption entries require path to be a networkId URN (got ${JSON.stringify(entry.path)})`
-    );
-  }
-  const normalizedActions = [];
-  for (const action of entry.actions) {
-    if (action === "decrypt" || action === "tinycloud.encryption/decrypt") {
-      normalizedActions.push("tinycloud.encryption/decrypt");
-      continue;
-    }
-    if (action === "network.create" || action === "tinycloud.encryption/network.create") {
-      normalizedActions.push("tinycloud.encryption/network.create");
-      continue;
-    }
-    if (action === "network.revoke" || action === "tinycloud.encryption/network.revoke") {
-      normalizedActions.push("tinycloud.encryption/network.revoke");
-      continue;
-    }
-    if (action.includes("/")) {
-      throw new ManifestValidationError(
-        `unknown encryption action ${JSON.stringify(action)}; expected decrypt, network.create, or network.revoke`
-      );
-    }
-    throw new ManifestValidationError(
-      `unknown encryption action ${JSON.stringify(action)}; expected decrypt, network.create, or network.revoke`
-    );
-  }
-  const dedupedActions = [];
-  const seen = /* @__PURE__ */ new Set();
-  for (const a of normalizedActions) {
-    if (!seen.has(a)) {
-      dedupedActions.push(a);
-      seen.add(a);
-    }
-  }
-  return [
-    {
-      service: ENCRYPTION_PERMISSION_SERVICE,
-      space: ENCRYPTION_MANIFEST_SPACE,
-      path: entry.path,
-      actions: dedupedActions,
-      skipPrefix: true,
-      ...entry.expiry !== void 0 ? { expiry: entry.expiry } : {},
-      ...entry.description !== void 0 ? { description: entry.description } : {}
-    }
-  ];
-}
-function expandPermissionEntries(entries) {
-  return entries.flatMap(expandPermissionEntry);
-}
-function applyPrefix(prefix, path, skipPrefix) {
-  if (skipPrefix) {
-    return path;
-  }
-  if (prefix === "") {
-    return path;
-  }
-  if (path.startsWith("/")) {
-    return `${prefix}${path}`;
-  }
-  return `${prefix}/${path}`;
-}
-async function loadManifest(url) {
-  const fetchFn = globalThis.fetch;
-  if (typeof fetchFn !== "function") {
-    throw new ManifestValidationError(
-      "loadManifest requires a global fetch; pass the manifest object directly on runtimes without fetch"
-    );
-  }
-  const res = await fetchFn(url);
-  if (!res.ok) {
-    throw new ManifestValidationError(
-      `failed to fetch manifest from ${url}: HTTP ${res.status}`
-    );
-  }
-  const json = await res.json();
-  return validateManifest(json);
-}
-function validateManifest(input) {
-  if (input === null || typeof input !== "object") {
-    throw new ManifestValidationError("manifest must be an object");
-  }
-  const m = input;
-  if (m.manifest_version !== void 0 && m.manifest_version !== DEFAULT_MANIFEST_VERSION) {
-    throw new ManifestValidationError(
-      `manifest.manifest_version must be ${DEFAULT_MANIFEST_VERSION}`
-    );
-  }
-  if (typeof m.app_id !== "string" || m.app_id.length === 0) {
-    throw new ManifestValidationError(
-      "manifest.app_id is required and must be a non-empty string"
-    );
-  }
-  if (typeof m.name !== "string" || m.name.length === 0) {
-    throw new ManifestValidationError(
-      "manifest.name is required and must be a non-empty string"
-    );
-  }
-  if (m.did !== void 0 && (typeof m.did !== "string" || m.did.length === 0)) {
-    throw new ManifestValidationError(
-      "manifest.did must be a non-empty DID string"
-    );
-  }
-  if (m.space !== void 0 && (typeof m.space !== "string" || m.space.length === 0)) {
-    throw new ManifestValidationError(
-      "manifest.space must be a non-empty string"
-    );
-  }
-  if (m.expiry !== void 0) {
-    parseExpiry(m.expiry);
-  }
-  if (m.permissions !== void 0) {
-    if (!Array.isArray(m.permissions)) {
-      throw new ManifestValidationError(
-        "manifest.permissions must be an array"
-      );
-    }
-    m.permissions.forEach(
-      (p, i) => validatePermissionEntry(p, `permissions[${i}]`)
-    );
-  }
-  if (m.secrets !== void 0) {
-    validateManifestSecrets(m.secrets);
-  }
-  return m;
-}
-function validateManifestSecrets(secrets) {
-  if (secrets === null || typeof secrets !== "object" || Array.isArray(secrets)) {
-    throw new ManifestValidationError("manifest.secrets must be an object");
-  }
-  for (const [name, spec] of Object.entries(secrets)) {
-    if (!SECRET_NAME_RE.test(name)) {
-      throw new ManifestValidationError(
-        `manifest.secrets.${name} must match ${SECRET_NAME_RE.source}`
-      );
-    }
-    try {
-      resolveSecretPath(
-        secretNameFromSpec(name, spec),
-        { scope: secretScopeFromSpec(spec) }
-      );
-    } catch (error) {
-      throw new ManifestValidationError(
-        `manifest.secrets.${name}: ${error instanceof Error ? error.message : String(error)}`
-      );
-    }
-    const actions = secretActionsFromSpec(name, spec);
-    if (actions.length === 0) {
-      throw new ManifestValidationError(
-        `manifest.secrets.${name} actions must be non-empty`
-      );
-    }
-    for (const action of actions) {
-      if (typeof action !== "string" || action.length === 0) {
-        throw new ManifestValidationError(
-          `manifest.secrets.${name} actions must be non-empty strings`
-        );
-      }
-    }
-    if (spec !== null && typeof spec === "object" && !Array.isArray(spec) && spec.expiry !== void 0) {
-      parseExpiry(spec.expiry);
+    }
+    if (spec !== null && typeof spec === "object" && !Array.isArray(spec) && spec.expiry !== void 0) {
+      parseExpiry(spec.expiry);
     }
   }
 }
@@ -3388,237 +2663,1328 @@ function resolveEntry(entry, prefix, _inheritedExpiryMs, inheritedSpace) {
     ...entry.description !== void 0 ? { description: entry.description } : {}
   }));
 }
-function expandVaultPermissionEntry(entry) {
-  const byBase = /* @__PURE__ */ new Map();
-  for (const action of entry.actions) {
-    const expansion = vaultActionExpansion(action);
-    for (const base of expansion.bases) {
-      const actions = byBase.get(base) ?? [];
-      if (!actions.includes(expansion.action)) {
-        actions.push(expansion.action);
+function expandVaultPermissionEntry(entry) {
+  const byBase = /* @__PURE__ */ new Map();
+  for (const action of entry.actions) {
+    const expansion = vaultActionExpansion(action);
+    for (const base of expansion.bases) {
+      const actions = byBase.get(base) ?? [];
+      if (!actions.includes(expansion.action)) {
+        actions.push(expansion.action);
+      }
+      byBase.set(base, actions);
+    }
+  }
+  return [...byBase.entries()].map(([base, actions]) => ({
+    ...entry,
+    service: "tinycloud.kv",
+    path: vaultKVPath(base, entry.path),
+    actions,
+    skipPrefix: true
+  }));
+}
+function vaultActionExpansion(action) {
+  const normalized = normalizeVaultAction(action);
+  if (normalized === "read" || normalized === "get") {
+    return { bases: ["vault"], action: "tinycloud.kv/get" };
+  }
+  if (normalized === "write" || normalized === "put") {
+    return { bases: ["vault"], action: "tinycloud.kv/put" };
+  }
+  if (normalized === "delete" || normalized === "del") {
+    return { bases: ["vault"], action: "tinycloud.kv/del" };
+  }
+  if (normalized === "list") {
+    return { bases: ["vault"], action: "tinycloud.kv/list" };
+  }
+  if (normalized === "head") {
+    return { bases: ["vault"], action: "tinycloud.kv/get" };
+  }
+  if (normalized === "metadata") {
+    return { bases: ["vault"], action: "tinycloud.kv/metadata" };
+  }
+  throw new ManifestValidationError(
+    `unknown vault action ${JSON.stringify(action)}; expected read, write, delete, get, put, del, list, head, or metadata`
+  );
+}
+function normalizeVaultAction(action) {
+  if (action.startsWith(`${VAULT_PERMISSION_SERVICE}/`)) {
+    return action.slice(`${VAULT_PERMISSION_SERVICE}/`.length);
+  }
+  if (action.startsWith("tinycloud.kv/")) {
+    return action.slice("tinycloud.kv/".length);
+  }
+  if (action.includes("/")) {
+    throw new ManifestValidationError(
+      `unknown vault action ${JSON.stringify(action)}; expected a tinycloud.vault or tinycloud.kv action`
+    );
+  }
+  return action;
+}
+function vaultKVPath(base, path) {
+  const normalized = path.startsWith("/") ? path.slice(1) : path;
+  return `${base}/${normalized}`;
+}
+function cloneResourceCapability(entry) {
+  return {
+    service: entry.service,
+    space: entry.space,
+    path: entry.path,
+    actions: [...entry.actions],
+    ...entry.expiryMs !== void 0 ? { expiryMs: entry.expiryMs } : {},
+    ...entry.description !== void 0 ? { description: entry.description } : {}
+  };
+}
+function clonePermissionEntry(entry) {
+  return {
+    service: entry.service,
+    ...entry.space !== void 0 ? { space: entry.space } : {},
+    path: entry.path,
+    actions: [...entry.actions],
+    ...entry.skipPrefix !== void 0 ? { skipPrefix: entry.skipPrefix } : {},
+    ...entry.expiry !== void 0 ? { expiry: entry.expiry } : {},
+    ...entry.description !== void 0 ? { description: entry.description } : {}
+  };
+}
+function dedupeResources(resources) {
+  const byKey = /* @__PURE__ */ new Map();
+  for (const resource of resources) {
+    const key = `${resource.service}\0${resource.space}\0${resource.path}\0${resource.expiryMs ?? ""}`;
+    const existing = byKey.get(key);
+    if (existing === void 0) {
+      byKey.set(key, cloneResourceCapability(resource));
+      continue;
+    }
+    const seen = new Set(existing.actions);
+    for (const action of resource.actions) {
+      if (!seen.has(action)) {
+        existing.actions.push(action);
+        seen.add(action);
+      }
+    }
+    if (existing.description === void 0 && resource.description !== void 0) {
+      existing.description = resource.description;
+    }
+  }
+  return [...byKey.values()];
+}
+function capabilitiesReadPermission(space) {
+  return {
+    service: "tinycloud.capabilities",
+    space,
+    path: "",
+    actions: ["tinycloud.capabilities/read"]
+  };
+}
+function withCapabilitiesReadForSpaces(resources) {
+  if (resources.length === 0) {
+    return [];
+  }
+  const spaces = new Set(
+    resources.filter((resource) => resource.service !== ENCRYPTION_PERMISSION_SERVICE).map((resource) => resource.space)
+  );
+  return dedupeResources([
+    ...resources,
+    ...[...spaces].map(capabilitiesReadPermission)
+  ]);
+}
+function accountRegistryPermission() {
+  return {
+    service: "tinycloud.kv",
+    space: ACCOUNT_REGISTRY_SPACE,
+    path: ACCOUNT_REGISTRY_PATH,
+    actions: ["tinycloud.kv/get", "tinycloud.kv/put", "tinycloud.kv/list"]
+  };
+}
+function composeManifestRequest(inputs, options = {}) {
+  if (!Array.isArray(inputs) || inputs.length === 0) {
+    throw new ManifestValidationError(
+      "composeManifestRequest requires at least one manifest"
+    );
+  }
+  const includeAccountRegistryPermissions = options.includeAccountRegistryPermissions ?? true;
+  const manifests = inputs.map(validateManifest);
+  const resolved = manifests.map(resolveManifest);
+  const resources = resolved.flatMap((entry) => entry.resources);
+  const delegationTargets = resolved.flatMap(
+    (entry) => entry.additionalDelegates.map((delegate) => ({
+      ...delegate,
+      permissions: dedupeResources(delegate.permissions)
+    }))
+  );
+  if (includeAccountRegistryPermissions) {
+    resources.push(accountRegistryPermission());
+  }
+  const resourcesWithImplicitCapabilities = withCapabilitiesReadForSpaces(resources);
+  const manifestsByAppId = /* @__PURE__ */ new Map();
+  for (const manifest of manifests) {
+    const current = manifestsByAppId.get(manifest.app_id);
+    if (current === void 0) {
+      manifestsByAppId.set(manifest.app_id, [manifest]);
+    } else {
+      current.push(manifest);
+    }
+  }
+  const registryRecords = includeAccountRegistryPermissions ? [...manifestsByAppId.entries()].map(([app_id, appManifests]) => ({
+    key: `${ACCOUNT_REGISTRY_PATH}${app_id}`,
+    app_id,
+    manifests: appManifests.map((manifest) => ({
+      ...manifest,
+      permissions: manifest.permissions?.map(clonePermissionEntry)
+    }))
+  })) : [];
+  return {
+    manifests,
+    resources: resourcesWithImplicitCapabilities,
+    delegationTargets,
+    registryRecords,
+    expiryMs: Math.max(...resolved.map((entry) => entry.expiryMs)),
+    includePublicSpace: resolved.some((entry) => entry.includePublicSpace)
+  };
+}
+function resourceCapabilitiesToAbilitiesMap(resources) {
+  const out = {};
+  for (const r of resources) {
+    const shortService = SERVICE_LONG_TO_SHORT[r.service];
+    if (shortService === void 0) {
+      throw new ManifestValidationError(
+        `unknown service '${r.service}' \u2014 no short-form mapping. Known services: ${Object.keys(SERVICE_LONG_TO_SHORT).join(", ")}`
+      );
+    }
+    if (out[shortService] === void 0) {
+      out[shortService] = {};
+    }
+    const pathsMap = out[shortService];
+    const existing = pathsMap[r.path];
+    if (existing === void 0) {
+      pathsMap[r.path] = [...r.actions];
+    } else {
+      const seen = new Set(existing);
+      for (const action of r.actions) {
+        if (!seen.has(action)) {
+          existing.push(action);
+          seen.add(action);
+        }
       }
-      byBase.set(base, actions);
     }
   }
-  return [...byBase.entries()].map(([base, actions]) => ({
-    ...entry,
-    service: "tinycloud.kv",
-    path: vaultKVPath(base, entry.path),
-    actions,
-    skipPrefix: true
-  }));
+  return out;
 }
-function vaultActionExpansion(action) {
-  const normalized = normalizeVaultAction(action);
-  if (normalized === "read" || normalized === "get") {
-    return { bases: ["vault"], action: "tinycloud.kv/get" };
+function resourceCapabilitiesToSpaceAbilitiesMap(resources) {
+  const grouped = /* @__PURE__ */ new Map();
+  for (const resource of resources) {
+    const entries = grouped.get(resource.space);
+    if (entries === void 0) {
+      grouped.set(resource.space, [resource]);
+    } else {
+      entries.push(resource);
+    }
   }
-  if (normalized === "write" || normalized === "put") {
-    return { bases: ["vault"], action: "tinycloud.kv/put" };
+  const out = {};
+  for (const [space, entries] of grouped.entries()) {
+    out[space] = resourceCapabilitiesToAbilitiesMap(entries);
   }
-  if (normalized === "delete" || normalized === "del") {
-    return { bases: ["vault"], action: "tinycloud.kv/del" };
+  return out;
+}
+function manifestAbilitiesUnion(resolved) {
+  const all = [...resolved.resources];
+  for (const delegate of resolved.additionalDelegates) {
+    for (const perm of delegate.permissions) {
+      all.push(perm);
+    }
   }
-  if (normalized === "list") {
-    return { bases: ["vault"], action: "tinycloud.kv/list" };
+  return resourceCapabilitiesToAbilitiesMap(all);
+}
+
+// src/account/AccountService.ts
+var SERVICE_NAME2 = "account";
+var ACCOUNT_INDEX_DB = "account";
+var AccountService = class {
+  constructor(config) {
+    this.config = config;
+    this.applications = {
+      list: async () => {
+        const kvResult = this.accountKV();
+        if (!kvResult.ok) return kvResult;
+        const listed = await kvResult.data.list({ prefix: ACCOUNT_REGISTRY_PATH });
+        if (!listed.ok) return accountErr(listed.error);
+        const applications = [];
+        for (const key of listed.data.keys) {
+          const loaded = await kvResult.data.get(key);
+          if (!loaded.ok) return accountErr(loaded.error);
+          applications.push(applicationFromRecord(key, loaded.data.data));
+        }
+        applications.sort((a, b) => a.appId.localeCompare(b.appId));
+        return ok3(applications);
+      },
+      get: async (appId) => {
+        const kvResult = this.accountKV();
+        if (!kvResult.ok) return kvResult;
+        const key = applicationKey(appId);
+        const loaded = await kvResult.data.get(key);
+        if (!loaded.ok) return accountErr(loaded.error);
+        return ok3(applicationFromRecord(key, loaded.data.data));
+      },
+      register: async (manifest) => {
+        const manifests = Array.isArray(manifest) ? manifest : [manifest];
+        const request = composeManifestRequest(manifests);
+        if (request.registryRecords.length === 0) {
+          return err3(
+            serviceError3(
+              "INVALID_MANIFEST",
+              "Manifest did not produce an account application registry record",
+              SERVICE_NAME2
+            )
+          );
+        }
+        await this.config.ensureAccountSpaceHosted?.();
+        const kvResult = this.accountKV();
+        if (!kvResult.ok) return kvResult;
+        let registered;
+        for (const record of request.registryRecords) {
+          const stored = {
+            app_id: record.app_id,
+            manifests: record.manifests,
+            updated_at: (/* @__PURE__ */ new Date()).toISOString()
+          };
+          const written = await kvResult.data.put(record.key, stored);
+          if (!written.ok) return accountErr(written.error);
+          registered = applicationFromRecord(record.key, stored);
+        }
+        return ok3(registered);
+      },
+      remove: async (appId) => {
+        const kvResult = this.accountKV();
+        if (!kvResult.ok) return kvResult;
+        const removed = await kvResult.data.delete(applicationKey(appId));
+        if (!removed.ok) return accountErr(removed.error);
+        return ok3(void 0);
+      }
+    };
+    this.delegations = {
+      list: async (options = {}) => {
+        const spaces = await this.config.getSpaces().list();
+        if (!spaces.ok) return accountErr(spaces.error);
+        const targetSpaces = options.space ? spaces.data.filter((space) => space.id === options.space || space.name === options.space) : spaces.data;
+        const delegations = [];
+        for (const space of targetSpaces) {
+          const scoped = this.config.getSpaces().get(space.id).delegations;
+          if (options.direction !== "received") {
+            const granted = await scoped.list();
+            if (!granted.ok) return accountErr(granted.error);
+            delegations.push(...granted.data.map((d) => mapDelegation(d, space, "granted")));
+          }
+          if (options.direction !== "granted") {
+            const received = await scoped.listReceived();
+            if (!received.ok) return accountErr(received.error);
+            delegations.push(...received.data.map((d) => mapDelegation(d, space, "received")));
+          }
+        }
+        delegations.sort((a, b) => a.spaceId.localeCompare(b.spaceId) || a.cid.localeCompare(b.cid));
+        return ok3(delegations);
+      },
+      revoke: async (options) => {
+        const space = await this.resolveSpace(options.space);
+        if (!space.ok) return space;
+        const revoked = await this.config.getSpaces().get(space.data.id).delegations.revoke(options.cid);
+        if (!revoked.ok) return accountErr(revoked.error);
+        return ok3(void 0);
+      }
+    };
+    this.index = {
+      rebuild: async () => {
+        const dbResult = this.accountDb();
+        if (!dbResult.ok) return dbResult;
+        const applications = await this.applications.list();
+        if (!applications.ok) return applications;
+        const delegations = await this.delegations.list();
+        if (!delegations.ok) return delegations;
+        const syncedAt = (/* @__PURE__ */ new Date()).toISOString();
+        const statements = [
+          ...ACCOUNT_INDEX_SCHEMA.map((sql) => ({ sql })),
+          { sql: "DELETE FROM applications" },
+          { sql: "DELETE FROM delegations" },
+          { sql: "DELETE FROM sync_state" },
+          ...applications.data.map((app) => ({
+            sql: "INSERT INTO applications (app_id, name, description, updated_at, manifest_json) VALUES (?, ?, ?, ?, ?)",
+            params: [
+              app.appId,
+              app.name ?? null,
+              app.description ?? null,
+              app.updatedAt ?? syncedAt,
+              JSON.stringify(app.manifests)
+            ]
+          })),
+          ...delegations.data.map((delegation) => ({
+            sql: "INSERT INTO delegations (cid, direction, space_id, space_name, counterparty_did, delegate_did, delegator_did, path, actions_json, expiry, status, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)",
+            params: [
+              delegation.cid,
+              delegation.direction,
+              delegation.spaceId,
+              delegation.spaceName ?? null,
+              delegation.counterpartyDid,
+              delegation.delegateDid,
+              delegation.delegatorDid ?? null,
+              delegation.path,
+              JSON.stringify(delegation.actions),
+              delegation.expiry.toISOString(),
+              delegation.status,
+              delegation.createdAt?.toISOString() ?? null,
+              syncedAt
+            ]
+          })),
+          {
+            sql: "INSERT INTO sync_state (source, synced_at, count) VALUES (?, ?, ?)",
+            params: ["applications", syncedAt, applications.data.length]
+          },
+          {
+            sql: "INSERT INTO sync_state (source, synced_at, count) VALUES (?, ?, ?)",
+            params: ["delegations", syncedAt, delegations.data.length]
+          }
+        ];
+        const rebuilt = await dbResult.data.batch(statements);
+        if (!rebuilt.ok) return accountErr(rebuilt.error);
+        return ok3({
+          database: ACCOUNT_INDEX_DB,
+          applications: applications.data.length,
+          delegations: delegations.data.length,
+          syncedAt
+        });
+      },
+      applications: {
+        list: async () => {
+          const dbResult = this.accountDb();
+          if (!dbResult.ok) return dbResult;
+          const queried = await dbResult.data.query(
+            "SELECT app_id, name, description, updated_at, manifest_json FROM applications ORDER BY app_id"
+          );
+          if (!queried.ok) return accountErr(queried.error);
+          return ok3(queried.data.rows.map(indexedApplicationFromRow));
+        }
+      },
+      delegations: {
+        list: async (options = {}) => {
+          const dbResult = this.accountDb();
+          if (!dbResult.ok) return dbResult;
+          const where = [];
+          const params = [];
+          if (options.direction && options.direction !== "all") {
+            where.push("direction = ?");
+            params.push(options.direction);
+          }
+          if (options.space) {
+            where.push("(space_id = ? OR space_name = ?)");
+            params.push(options.space, options.space);
+          }
+          const queried = await dbResult.data.query(
+            `SELECT cid, direction, space_id, space_name, counterparty_did, delegate_did, delegator_did, path, actions_json, expiry, status, created_at FROM delegations${where.length > 0 ? ` WHERE ${where.join(" AND ")}` : ""} ORDER BY space_id, cid`,
+            params
+          );
+          if (!queried.ok) return accountErr(queried.error);
+          return ok3(queried.data.rows.map(indexedDelegationFromRow));
+        }
+      },
+      query: async (sql, params) => {
+        const dbResult = this.accountDb();
+        if (!dbResult.ok) return dbResult;
+        const queried = await dbResult.data.query(sql, params);
+        if (!queried.ok) return accountErr(queried.error);
+        return ok3(queried.data);
+      }
+    };
   }
-  if (normalized === "head") {
-    return { bases: ["vault"], action: "tinycloud.kv/get" };
+  async status() {
+    const apps = await this.applications.list();
+    if (!apps.ok) return apps;
+    const delegations = await this.delegations.list();
+    if (!delegations.ok) return delegations;
+    return ok3({
+      did: this.config.getDid(),
+      host: this.config.getHost(),
+      primarySpaceId: this.config.getPrimarySpaceId(),
+      accountSpaceId: this.config.getAccountSpaceId(),
+      applications: apps.data.length,
+      grantedDelegations: delegations.data.filter((d) => d.direction === "granted").length,
+      receivedDelegations: delegations.data.filter((d) => d.direction === "received").length
+    });
   }
-  if (normalized === "metadata") {
-    return { bases: ["vault"], action: "tinycloud.kv/metadata" };
+  accountKV() {
+    const accountSpaceId = this.config.getAccountSpaceId();
+    if (!accountSpaceId) {
+      return err3(
+        serviceError3(
+          "ACCOUNT_SPACE_UNAVAILABLE",
+          "Account space is unavailable. Sign in with a wallet-backed profile first.",
+          SERVICE_NAME2
+        )
+      );
+    }
+    return ok3(this.config.getSpaces().get(accountSpaceId).kv);
   }
-  throw new ManifestValidationError(
-    `unknown vault action ${JSON.stringify(action)}; expected read, write, delete, get, put, del, list, head, or metadata`
-  );
-}
-function normalizeVaultAction(action) {
-  if (action.startsWith(`${VAULT_PERMISSION_SERVICE}/`)) {
-    return action.slice(`${VAULT_PERMISSION_SERVICE}/`.length);
+  accountDb() {
+    const db = this.config.getAccountDb?.();
+    if (!db) {
+      return err3(
+        serviceError3(
+          "ACCOUNT_INDEX_UNAVAILABLE",
+          "Account index database is unavailable. Sign in with a wallet-backed profile first.",
+          SERVICE_NAME2
+        )
+      );
+    }
+    return ok3(db);
   }
-  if (action.startsWith("tinycloud.kv/")) {
-    return action.slice("tinycloud.kv/".length);
+  async resolveSpace(space) {
+    const listed = await this.config.getSpaces().list();
+    if (!listed.ok) return accountErr(listed.error);
+    const found = listed.data.find((candidate) => candidate.id === space || candidate.name === space);
+    if (!found) {
+      return err3(
+        serviceError3("SPACE_NOT_FOUND", `No account space found for ${JSON.stringify(space)}`, SERVICE_NAME2)
+      );
+    }
+    return ok3(found);
   }
-  if (action.includes("/")) {
-    throw new ManifestValidationError(
-      `unknown vault action ${JSON.stringify(action)}; expected a tinycloud.vault or tinycloud.kv action`
-    );
+};
+var ACCOUNT_INDEX_SCHEMA = [
+  `CREATE TABLE IF NOT EXISTS applications (
+    app_id TEXT PRIMARY KEY,
+    name TEXT,
+    description TEXT,
+    updated_at TEXT,
+    manifest_json TEXT NOT NULL
+  )`,
+  `CREATE TABLE IF NOT EXISTS delegations (
+    cid TEXT PRIMARY KEY,
+    direction TEXT NOT NULL,
+    space_id TEXT NOT NULL,
+    space_name TEXT,
+    counterparty_did TEXT NOT NULL,
+    delegate_did TEXT NOT NULL,
+    delegator_did TEXT,
+    path TEXT NOT NULL,
+    actions_json TEXT NOT NULL,
+    expiry TEXT NOT NULL,
+    status TEXT NOT NULL,
+    created_at TEXT,
+    updated_at TEXT NOT NULL
+  )`,
+  `CREATE TABLE IF NOT EXISTS sync_state (
+    source TEXT PRIMARY KEY,
+    synced_at TEXT NOT NULL,
+    count INTEGER NOT NULL
+  )`,
+  "CREATE INDEX IF NOT EXISTS idx_delegations_direction ON delegations(direction)",
+  "CREATE INDEX IF NOT EXISTS idx_delegations_space ON delegations(space_id)",
+  "CREATE INDEX IF NOT EXISTS idx_delegations_counterparty ON delegations(counterparty_did)"
+];
+function applicationKey(appId) {
+  return `${ACCOUNT_REGISTRY_PATH}${appId}`;
+}
+function appIdFromKey(key) {
+  return key.startsWith(ACCOUNT_REGISTRY_PATH) ? key.slice(ACCOUNT_REGISTRY_PATH.length) : key;
+}
+function applicationFromRecord(key, record) {
+  const manifests = Array.isArray(record.manifests) ? record.manifests : [];
+  const first = manifests[0];
+  return {
+    appId: record.app_id ?? record.appId ?? first?.app_id ?? appIdFromKey(key),
+    manifests,
+    updatedAt: record.updated_at ?? record.updatedAt,
+    name: first?.name,
+    description: first?.description
+  };
+}
+function indexedApplicationFromRow(row) {
+  const [appId, name, description, updatedAt, manifestJson] = row;
+  return {
+    appId,
+    name: name ?? void 0,
+    description: description ?? void 0,
+    updatedAt: updatedAt ?? void 0,
+    manifests: JSON.parse(manifestJson)
+  };
+}
+function indexedDelegationFromRow(row) {
+  const [
+    cid,
+    direction,
+    spaceId,
+    spaceName,
+    counterpartyDid,
+    delegateDid,
+    delegatorDid,
+    path,
+    actionsJson,
+    expiry,
+    status,
+    createdAt
+  ] = row;
+  return {
+    cid,
+    direction,
+    spaceId,
+    spaceName: spaceName ?? void 0,
+    counterpartyDid,
+    delegateDid,
+    delegatorDid: delegatorDid ?? void 0,
+    path,
+    actions: JSON.parse(actionsJson),
+    expiry: new Date(expiry),
+    status,
+    createdAt: createdAt ? new Date(createdAt) : void 0
+  };
+}
+function mapDelegation(delegation, space, direction) {
+  return {
+    cid: delegation.cid,
+    direction,
+    spaceId: delegation.spaceId || space.id,
+    spaceName: space.name,
+    counterpartyDid: direction === "granted" ? delegation.delegateDID : delegation.delegatorDID ?? delegation.delegateDID,
+    delegateDid: delegation.delegateDID,
+    delegatorDid: delegation.delegatorDID,
+    path: delegation.path,
+    actions: delegation.actions,
+    expiry: delegation.expiry,
+    status: delegation.isRevoked ? "revoked" : delegation.expiry.getTime() <= Date.now() ? "expired" : "active",
+    createdAt: delegation.createdAt
+  };
+}
+function accountErr(error) {
+  return err3(serviceError3(error.code, error.message, SERVICE_NAME2, { cause: error.cause, meta: error.meta }));
+}
+
+// src/index.ts
+import {
+  ServiceContext as ServiceContext2,
+  KVService as KVService2,
+  PrefixedKVService,
+  ok as ok5,
+  err as err5,
+  serviceError as serviceError5,
+  ErrorCodes as ErrorCodes2,
+  defaultRetryPolicy as defaultRetryPolicy2,
+  SQLService as SQLService2,
+  DatabaseHandle,
+  SQLAction,
+  DuckDbService as DuckDbService2,
+  DuckDbDatabaseHandle,
+  DuckDbAction,
+  HooksService as HooksService2,
+  DataVaultService,
+  VaultHeaders,
+  VaultPublicSpaceKVActions,
+  createVaultCrypto,
+  SecretsService,
+  SECRET_NAME_RE as SECRET_NAME_RE2,
+  canonicalizeSecretScope,
+  resolveSecretListPrefix,
+  resolveSecretPath as resolveSecretPath2,
+  EncryptionService,
+  parseNetworkId as parseNetworkId2,
+  buildNetworkId as buildNetworkId2,
+  isNetworkId,
+  networkDiscoveryKey,
+  NetworkIdError,
+  ENCRYPTION_NETWORK_URN_PREFIX,
+  NETWORK_NAME_PATTERN,
+  canonicalizeEncryptionJson,
+  canonicalHashHex,
+  hexEncode,
+  hexDecode,
+  base64Encode,
+  base64Decode,
+  utf8Encode,
+  utf8Decode,
+  encryptToNetwork,
+  decryptEnvelopeWithKey,
+  validateEnvelope,
+  generateRandomReceiverKey,
+  deriveSignedReceiverKey,
+  buildCanonicalDecryptRequest,
+  buildDecryptFacts,
+  buildDecryptAttenuation,
+  buildDecryptInvocation,
+  checkDecryptInvocationInput,
+  verifyDecryptResponse,
+  canonicalSignedResponse,
+  openWrappedKey,
+  discoverNetwork,
+  ensureNetworkUsableForDecrypt,
+  DEFAULT_ENCRYPTION_ALG,
+  ENVELOPE_VERSION,
+  DEFAULT_KEY_VERSION,
+  DECRYPT_FACT_TYPE,
+  DECRYPT_RESULT_TYPE,
+  DECRYPT_ACTION,
+  ENCRYPTION_SERVICE,
+  ENCRYPTION_SERVICE_SHORT,
+  encryptionError
+} from "@tinycloud/sdk-services";
+
+// src/space.ts
+async function fetchPeerId(host, spaceId) {
+  const res = await fetch(
+    `${host}/peer/generate/${encodeURIComponent(spaceId)}`
+  );
+  if (!res.ok) {
+    const error = await res.text().catch(() => res.statusText);
+    throw new Error(`Failed to get peer ID: ${res.status} - ${error}`);
+  }
+  return res.text();
+}
+async function submitHostDelegation(host, headers) {
+  const res = await fetch(`${host}/delegate`, {
+    method: "POST",
+    headers
+  });
+  return {
+    success: res.ok,
+    status: res.status,
+    error: res.ok ? void 0 : await res.text().catch(() => res.statusText)
+  };
+}
+async function activateSessionWithHost(host, delegationHeader) {
+  const res = await fetch(`${host}/delegate`, {
+    method: "POST",
+    headers: delegationHeader
+  });
+  if (res.ok) {
+    try {
+      const body = await res.json();
+      return {
+        success: true,
+        status: res.status,
+        activated: body.activated ?? [],
+        skipped: body.skipped ?? []
+      };
+    } catch {
+      return {
+        success: true,
+        status: res.status,
+        activated: [],
+        skipped: []
+      };
+    }
   }
-  return action;
-}
-function vaultKVPath(base, path) {
-  const normalized = path.startsWith("/") ? path.slice(1) : path;
-  return `${base}/${normalized}`;
-}
-function cloneResourceCapability(entry) {
   return {
-    service: entry.service,
-    space: entry.space,
-    path: entry.path,
-    actions: [...entry.actions],
-    ...entry.expiryMs !== void 0 ? { expiryMs: entry.expiryMs } : {},
-    ...entry.description !== void 0 ? { description: entry.description } : {}
+    success: false,
+    status: res.status,
+    error: await res.text().catch(() => res.statusText)
   };
 }
-function clonePermissionEntry(entry) {
+
+// src/delegations/DelegationManager.ts
+var DelegationAction = {
+  CREATE: "tinycloud.delegation/create",
+  REVOKE: "tinycloud.delegation/revoke",
+  LIST: "tinycloud.delegation/list",
+  GET: "tinycloud.delegation/get",
+  CHECK: "tinycloud.delegation/check"
+};
+function createError(code, message, cause, meta) {
   return {
-    service: entry.service,
-    ...entry.space !== void 0 ? { space: entry.space } : {},
-    path: entry.path,
-    actions: [...entry.actions],
-    ...entry.skipPrefix !== void 0 ? { skipPrefix: entry.skipPrefix } : {},
-    ...entry.expiry !== void 0 ? { expiry: entry.expiry } : {},
-    ...entry.description !== void 0 ? { description: entry.description } : {}
+    code,
+    message,
+    service: "delegation",
+    cause,
+    meta
   };
 }
-function dedupeResources(resources) {
-  const byKey = /* @__PURE__ */ new Map();
-  for (const resource of resources) {
-    const key = `${resource.service}\0${resource.space}\0${resource.path}\0${resource.expiryMs ?? ""}`;
-    const existing = byKey.get(key);
-    if (existing === void 0) {
-      byKey.set(key, cloneResourceCapability(resource));
-      continue;
+var DelegationManager = class {
+  /**
+   * Creates a new DelegationManager instance.
+   *
+   * @param config - Configuration including hosts, session, and invoke function
+   */
+  constructor(config) {
+    this.hosts = config.hosts;
+    this.session = config.session;
+    this.invoke = config.invoke;
+    this.fetchFn = config.fetch ?? globalThis.fetch.bind(globalThis);
+  }
+  /**
+   * Updates the session (e.g., after re-authentication).
+   *
+   * @param session - New session to use for operations
+   */
+  updateSession(session) {
+    this.session = session;
+  }
+  /**
+   * Gets the primary host URL.
+   */
+  get host() {
+    return this.hosts[0];
+  }
+  /**
+   * Executes an invoke operation against the delegation API.
+   */
+  async invokeOperation(path, action, body) {
+    const headers = this.invoke(this.session, "delegation", path, action);
+    return this.fetchFn(`${this.host}/invoke`, {
+      method: "POST",
+      headers,
+      body
+    });
+  }
+  /**
+   * Creates a new delegation.
+   *
+   * Delegates specific permissions to another DID for a given path.
+   * The delegatee can then use these permissions to access resources
+   * within the specified scope.
+   *
+   * @param params - Parameters for the delegation
+   * @returns Result containing the created Delegation or an error
+   *
+   * @example
+   * ```typescript
+   * const result = await manager.create({
+   *   delegateDID: bob.did,
+   *   path: "documents/shared/",
+   *   actions: ["tinycloud.kv/get", "tinycloud.kv/put"],
+   *   expiry: new Date(Date.now() + 7 * 24 * 60 * 60 * 1000), // 7 days
+   * });
+   * ```
+   */
+  async create(params) {
+    if (!params.delegateDID) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "delegateDID is required"
+        )
+      };
     }
-    const seen = new Set(existing.actions);
-    for (const action of resource.actions) {
-      if (!seen.has(action)) {
-        existing.actions.push(action);
-        seen.add(action);
+    if (!params.path) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "path is required"
+        )
+      };
+    }
+    if (!params.actions || params.actions.length === 0) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "at least one action is required"
+        )
+      };
+    }
+    try {
+      const body = JSON.stringify({
+        delegateDID: params.delegateDID,
+        path: params.path,
+        actions: params.actions,
+        expiry: params.expiry?.toISOString(),
+        disableSubDelegation: params.disableSubDelegation ?? false,
+        statement: params.statement
+      });
+      const response = await this.invokeOperation(
+        params.path,
+        DelegationAction.CREATE,
+        body
+      );
+      if (!response.ok) {
+        const errorText = await response.text();
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.CREATION_FAILED,
+            `Failed to create delegation: ${response.status} - ${errorText}`,
+            void 0,
+            { status: response.status, path: params.path }
+          )
+        };
+      }
+      const apiResponse = await response.json();
+      const delegation = {
+        cid: apiResponse.cid ?? "",
+        delegateDID: params.delegateDID,
+        spaceId: this.session.spaceId,
+        path: params.path,
+        actions: params.actions,
+        expiry: params.expiry ?? new Date(Date.now() + EXPIRY.SHARE_MS),
+        isRevoked: false,
+        allowSubDelegation: !(params.disableSubDelegation ?? false),
+        createdAt: /* @__PURE__ */ new Date()
+      };
+      return { ok: true, data: delegation };
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.ABORTED,
+            "Request aborted",
+            error
+          )
+        };
+      }
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.NETWORK_ERROR,
+          `Network error during delegation creation: ${String(error)}`,
+          error instanceof Error ? error : void 0
+        )
+      };
+    }
+  }
+  /**
+   * Revokes an existing delegation.
+   *
+   * Once revoked, the delegation can no longer be used to access resources.
+   * This also invalidates any sub-delegations derived from this delegation.
+   *
+   * @param cid - The CID of the delegation to revoke
+   * @returns Result indicating success or an error
+   *
+   * @example
+   * ```typescript
+   * const result = await manager.revoke("bafy...");
+   * if (result.ok) {
+   *   console.log("Delegation revoked successfully");
+   * }
+   * ```
+   */
+  async revoke(cid) {
+    if (!cid) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "cid is required"
+        )
+      };
+    }
+    try {
+      const body = JSON.stringify({ cid });
+      const response = await this.invokeOperation(
+        cid,
+        DelegationAction.REVOKE,
+        body
+      );
+      if (!response.ok) {
+        const errorText = await response.text();
+        if (response.status === 404) {
+          return {
+            ok: false,
+            error: createError(
+              DelegationErrorCodes.NOT_FOUND,
+              `Delegation not found: ${cid}`
+            )
+          };
+        }
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.REVOCATION_FAILED,
+            `Failed to revoke delegation: ${response.status} - ${errorText}`,
+            void 0,
+            { status: response.status, cid }
+          )
+        };
       }
+      return { ok: true, data: void 0 };
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.ABORTED,
+            "Request aborted",
+            error
+          )
+        };
+      }
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.NETWORK_ERROR,
+          `Network error during delegation revocation: ${String(error)}`,
+          error instanceof Error ? error : void 0
+        )
+      };
     }
-    if (existing.description === void 0 && resource.description !== void 0) {
-      existing.description = resource.description;
-    }
-  }
-  return [...byKey.values()];
-}
-function capabilitiesReadPermission(space) {
-  return {
-    service: "tinycloud.capabilities",
-    space,
-    path: "",
-    actions: ["tinycloud.capabilities/read"]
-  };
-}
-function withCapabilitiesReadForSpaces(resources) {
-  if (resources.length === 0) {
-    return [];
-  }
-  const spaces = new Set(
-    resources.filter((resource) => resource.service !== ENCRYPTION_PERMISSION_SERVICE).map((resource) => resource.space)
-  );
-  return dedupeResources([
-    ...resources,
-    ...[...spaces].map(capabilitiesReadPermission)
-  ]);
-}
-function accountRegistryPermission() {
-  return {
-    service: "tinycloud.kv",
-    space: ACCOUNT_REGISTRY_SPACE,
-    path: ACCOUNT_REGISTRY_PATH,
-    actions: ["tinycloud.kv/get", "tinycloud.kv/put", "tinycloud.kv/list"]
-  };
-}
-function composeManifestRequest(inputs, options = {}) {
-  if (!Array.isArray(inputs) || inputs.length === 0) {
-    throw new ManifestValidationError(
-      "composeManifestRequest requires at least one manifest"
-    );
-  }
-  const includeAccountRegistryPermissions = options.includeAccountRegistryPermissions ?? true;
-  const manifests = inputs.map(validateManifest);
-  const resolved = manifests.map(resolveManifest);
-  const resources = resolved.flatMap((entry) => entry.resources);
-  const delegationTargets = resolved.flatMap(
-    (entry) => entry.additionalDelegates.map((delegate) => ({
-      ...delegate,
-      permissions: dedupeResources(delegate.permissions)
-    }))
-  );
-  if (includeAccountRegistryPermissions) {
-    resources.push(accountRegistryPermission());
   }
-  const resourcesWithImplicitCapabilities = withCapabilitiesReadForSpaces(resources);
-  const manifestsByAppId = /* @__PURE__ */ new Map();
-  for (const manifest of manifests) {
-    const current = manifestsByAppId.get(manifest.app_id);
-    if (current === void 0) {
-      manifestsByAppId.set(manifest.app_id, [manifest]);
-    } else {
-      current.push(manifest);
+  /**
+   * Lists all delegations for the current session's space.
+   *
+   * Returns both delegations created by the current user (as delegator)
+   * and delegations granted to the current user (as delegatee).
+   *
+   * @returns Result containing an array of Delegations or an error
+   *
+   * @example
+   * ```typescript
+   * const result = await manager.list();
+   * if (result.ok) {
+   *   for (const delegation of result.data) {
+   *     console.log(`${delegation.cid}: ${delegation.path} -> ${delegation.delegateDID}`);
+   *   }
+   * }
+   * ```
+   */
+  async list() {
+    try {
+      const response = await this.invokeOperation("", DelegationAction.LIST);
+      if (!response.ok) {
+        const errorText = await response.text();
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.NETWORK_ERROR,
+            `Failed to list delegations: ${response.status} - ${errorText}`,
+            void 0,
+            { status: response.status }
+          )
+        };
+      }
+      const data = await response.json();
+      const delegations = data.map((item) => ({
+        cid: item.cid,
+        delegateDID: item.delegateDID,
+        delegatorDID: item.delegatorDID,
+        spaceId: item.spaceId,
+        path: item.path,
+        actions: item.actions,
+        expiry: new Date(item.expiry),
+        isRevoked: item.isRevoked,
+        createdAt: item.createdAt ? new Date(item.createdAt) : void 0,
+        parentCid: item.parentCid,
+        allowSubDelegation: item.allowSubDelegation
+      }));
+      return { ok: true, data: delegations };
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.ABORTED,
+            "Request aborted",
+            error
+          )
+        };
+      }
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.NETWORK_ERROR,
+          `Network error during delegation list: ${String(error)}`,
+          error instanceof Error ? error : void 0
+        )
+      };
     }
   }
-  const registryRecords = includeAccountRegistryPermissions ? [...manifestsByAppId.entries()].map(([app_id, appManifests]) => ({
-    key: `${ACCOUNT_REGISTRY_PATH}${app_id}`,
-    app_id,
-    manifests: appManifests.map((manifest) => ({
-      ...manifest,
-      permissions: manifest.permissions?.map(clonePermissionEntry)
-    }))
-  })) : [];
-  return {
-    manifests,
-    resources: resourcesWithImplicitCapabilities,
-    delegationTargets,
-    registryRecords,
-    expiryMs: Math.max(...resolved.map((entry) => entry.expiryMs)),
-    includePublicSpace: resolved.some((entry) => entry.includePublicSpace)
-  };
-}
-function resourceCapabilitiesToAbilitiesMap(resources) {
-  const out = {};
-  for (const r of resources) {
-    const shortService = SERVICE_LONG_TO_SHORT[r.service];
-    if (shortService === void 0) {
-      throw new ManifestValidationError(
-        `unknown service '${r.service}' \u2014 no short-form mapping. Known services: ${Object.keys(SERVICE_LONG_TO_SHORT).join(", ")}`
+  /**
+   * Gets the full delegation chain for a given delegation.
+   *
+   * Returns the chain of delegations from the root (original delegator)
+   * to the specified delegation, including all intermediate sub-delegations.
+   *
+   * @param cid - The CID of the delegation to get the chain for
+   * @returns Result containing the DelegationChain or an error
+   *
+   * @example
+   * ```typescript
+   * const result = await manager.getChain("bafy...");
+   * if (result.ok) {
+   *   console.log("Chain length:", result.data.length);
+   *   for (const delegation of result.data) {
+   *     console.log(`- ${delegation.delegatorDID} -> ${delegation.delegateDID}`);
+   *   }
+   * }
+   * ```
+   */
+  async getChain(cid) {
+    if (!cid) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "cid is required"
+        )
+      };
+    }
+    try {
+      const body = JSON.stringify({ cid, includeChain: true });
+      const response = await this.invokeOperation(
+        cid,
+        DelegationAction.GET,
+        body
       );
+      if (!response.ok) {
+        const errorText = await response.text();
+        if (response.status === 404) {
+          return {
+            ok: false,
+            error: createError(
+              DelegationErrorCodes.NOT_FOUND,
+              `Delegation not found: ${cid}`
+            )
+          };
+        }
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.NETWORK_ERROR,
+            `Failed to get delegation chain: ${response.status} - ${errorText}`,
+            void 0,
+            { status: response.status, cid }
+          )
+        };
+      }
+      const data = await response.json();
+      const chain = data.chain.map((item) => ({
+        cid: item.cid,
+        delegateDID: item.delegateDID,
+        delegatorDID: item.delegatorDID,
+        spaceId: item.spaceId,
+        path: item.path,
+        actions: item.actions,
+        expiry: new Date(item.expiry),
+        isRevoked: item.isRevoked,
+        createdAt: item.createdAt ? new Date(item.createdAt) : void 0,
+        parentCid: item.parentCid,
+        allowSubDelegation: item.allowSubDelegation
+      }));
+      return { ok: true, data: chain };
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.ABORTED,
+            "Request aborted",
+            error
+          )
+        };
+      }
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.NETWORK_ERROR,
+          `Network error during chain retrieval: ${String(error)}`,
+          error instanceof Error ? error : void 0
+        )
+      };
     }
-    if (out[shortService] === void 0) {
-      out[shortService] = {};
+  }
+  /**
+   * Checks if the current session has permission for a given path and action.
+   *
+   * This can be used to verify permissions before attempting an operation,
+   * or to implement custom access control logic.
+   *
+   * @param path - The resource path to check
+   * @param action - The action to check (e.g., "tinycloud.kv/get")
+   * @returns Result containing a boolean indicating permission or an error
+   *
+   * @example
+   * ```typescript
+   * const result = await manager.checkPermission("documents/private/", "tinycloud.kv/put");
+   * if (result.ok && result.data) {
+   *   console.log("Permission granted");
+   * } else {
+   *   console.log("Permission denied");
+   * }
+   * ```
+   */
+  async checkPermission(path, action) {
+    if (!path) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "path is required"
+        )
+      };
     }
-    const pathsMap = out[shortService];
-    const existing = pathsMap[r.path];
-    if (existing === void 0) {
-      pathsMap[r.path] = [...r.actions];
-    } else {
-      const seen = new Set(existing);
-      for (const action of r.actions) {
-        if (!seen.has(action)) {
-          existing.push(action);
-          seen.add(action);
+    if (!action) {
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.INVALID_INPUT,
+          "action is required"
+        )
+      };
+    }
+    try {
+      const body = JSON.stringify({ path, action });
+      const response = await this.invokeOperation(
+        path,
+        DelegationAction.CHECK,
+        body
+      );
+      if (!response.ok) {
+        if (response.status === 403) {
+          return { ok: true, data: false };
         }
+        const errorText = await response.text();
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.NETWORK_ERROR,
+            `Failed to check permission: ${response.status} - ${errorText}`,
+            void 0,
+            { status: response.status, path, action }
+          )
+        };
       }
+      const data = await response.json();
+      return { ok: true, data: data.allowed };
+    } catch (error) {
+      if (error instanceof Error && error.name === "AbortError") {
+        return {
+          ok: false,
+          error: createError(
+            DelegationErrorCodes.ABORTED,
+            "Request aborted",
+            error
+          )
+        };
+      }
+      return {
+        ok: false,
+        error: createError(
+          DelegationErrorCodes.NETWORK_ERROR,
+          `Network error during permission check: ${String(error)}`,
+          error instanceof Error ? error : void 0
+        )
+      };
     }
   }
-  return out;
-}
-function resourceCapabilitiesToSpaceAbilitiesMap(resources) {
-  const grouped = /* @__PURE__ */ new Map();
-  for (const resource of resources) {
-    const entries = grouped.get(resource.space);
-    if (entries === void 0) {
-      grouped.set(resource.space, [resource]);
-    } else {
-      entries.push(resource);
-    }
-  }
-  const out = {};
-  for (const [space, entries] of grouped.entries()) {
-    out[space] = resourceCapabilitiesToAbilitiesMap(entries);
-  }
-  return out;
-}
-function manifestAbilitiesUnion(resolved) {
-  const all = [...resolved.resources];
-  for (const delegate of resolved.additionalDelegates) {
-    for (const perm of delegate.permissions) {
-      all.push(perm);
-    }
+};
+
+// src/delegations/SharingService.schema.ts
+import { z as z5 } from "zod";
+var EncodedShareDataSchema = z5.object({
+  /** Private key in JWK format (must include d parameter) */
+  key: JWKSchema.refine(
+    (jwk) => typeof jwk.d === "string" && jwk.d.length > 0,
+    { message: "JWK must include private key (d parameter)" }
+  ),
+  /** DID of the key */
+  keyDid: z5.string().min(1, "keyDid is required"),
+  /** The delegation granting access */
+  delegation: DelegationSchema,
+  /** Resource path this link grants access to */
+  path: z5.string().min(1, "path is required"),
+  /** TinyCloud host URL */
+  host: z5.string().url("host must be a valid URL"),
+  /** Space ID */
+  spaceId: z5.string().min(1, "spaceId is required"),
+  /** Schema version (must be 1) */
+  version: z5.literal(1)
+});
+var ReceiveOptionsSchema = z5.object({
+  /**
+   * Whether to automatically create a sub-delegation to the current session key.
+   * Default: true
+   */
+  autoSubdelegate: z5.boolean().optional(),
+  /**
+   * Whether to use the current session key for operations (requires autoSubdelegate).
+   * Default: true
+   */
+  useSessionKey: z5.boolean().optional(),
+  /**
+   * Ingestion options passed to CapabilityKeyRegistry.
+   */
+  ingestOptions: IngestOptionsSchema.optional()
+});
+var SharingServiceConfigSchema = z5.object({
+  /** TinyCloud host URLs */
+  hosts: z5.array(z5.string().url()).min(1, "At least one host URL is required"),
+  /**
+   * Active session for authentication.
+   * Required for generate(), optional for receive().
+   */
+  session: z5.unknown().refine(
+    (val) => val === void 0 || val !== null && typeof val === "object",
+    { message: "Expected a ServiceSession object or undefined" }
+  ).optional(),
+  /** Platform-specific invoke function */
+  invoke: z5.unknown().refine((val) => typeof val === "function", {
+    message: "Expected an invoke function"
+  }),
+  /** Optional custom fetch implementation */
+  fetch: z5.unknown().refine(
+    (val) => val === void 0 || typeof val === "function",
+    { message: "Expected a fetch function or undefined" }
+  ).optional(),
+  /** Key provider for cryptographic operations */
+  keyProvider: KeyProviderSchema,
+  /** Capability key registry for key/delegation management */
+  registry: z5.unknown().refine(
+    (val) => val !== null && typeof val === "object",
+    { message: "Expected an ICapabilityKeyRegistry object" }
+  ),
+  /**
+   * Delegation manager for creating delegations.
+   * Required for generate(), optional for receive().
+   */
+  delegationManager: z5.unknown().refine(
+    (val) => val === void 0 || val !== null && typeof val === "object",
+    { message: "Expected a DelegationManager object or undefined" }
+  ).optional(),
+  /** Factory for creating KV service instances */
+  createKVService: z5.unknown().refine(
+    (val) => typeof val === "function",
+    { message: "Expected a createKVService factory function" }
+  ),
+  /** Base URL for sharing links (e.g., "https://share.myapp.com") */
+  baseUrl: z5.string().optional(),
+  /**
+   * Custom delegation creation function.
+   */
+  createDelegation: z5.unknown().refine((val) => val === void 0 || typeof val === "function", {
+    message: "Expected a createDelegation function or undefined"
+  }).optional(),
+  /**
+   * WASM function for client-side delegation creation.
+   */
+  createDelegationWasm: z5.unknown().refine((val) => val === void 0 || typeof val === "function", {
+    message: "Expected a createDelegationWasm function or undefined"
+  }).optional(),
+  /**
+   * Path prefix for KV operations.
+   */
+  pathPrefix: z5.string().optional(),
+  /**
+   * Session expiry time.
+   */
+  sessionExpiry: z5.date().optional(),
+  /**
+   * Callback to create a DIRECT delegation from wallet to share key.
+   * This is the preferred method for long-lived share links because it
+   * bypasses the session delegation chain entirely.
+   */
+  onRootDelegationNeeded: z5.unknown().refine((val) => val === void 0 || typeof val === "function", {
+    message: "Expected an onRootDelegationNeeded function or undefined"
+  }).optional()
+});
+function validateEncodedShareData(data) {
+  const result = EncodedShareDataSchema.safeParse(data);
+  if (!result.success) {
+    return {
+      ok: false,
+      error: {
+        code: DelegationErrorCodes.VALIDATION_ERROR,
+        message: `Invalid share data: ${result.error.message}`,
+        service: "delegation",
+        meta: { issues: result.error.issues }
+      }
+    };
   }
-  return resourceCapabilitiesToAbilitiesMap(all);
+  return { ok: true, data: result.data };
 }
 
 // src/delegations/SharingService.ts
@@ -3799,13 +4165,13 @@ var SharingService = class {
           )
         };
       }
-    } catch (err5) {
+    } catch (err6) {
       return {
         ok: false,
         error: createError2(
           DelegationErrorCodes.CREATION_FAILED,
-          `Failed to generate session key for share: ${err5 instanceof Error ? err5.message : String(err5)}`,
-          err5 instanceof Error ? err5 : void 0
+          `Failed to generate session key for share: ${err6 instanceof Error ? err6.message : String(err6)}`,
+          err6 instanceof Error ? err6 : void 0
         )
       };
     }
@@ -3851,7 +4217,7 @@ var SharingService = class {
           }
           delegation = parsed;
         }
-      } catch (err5) {
+      } catch (err6) {
         const fallbackResult = await this.handleSessionExtensionFallback(requestedExpiry);
         expiry = fallbackResult.expiry;
         const delegationResult = await this.createSessionDelegation(plainDID, fullPath, actions, expiry);
@@ -4049,13 +4415,13 @@ var SharingService = class {
           allowSubDelegation: true,
           createdAt: /* @__PURE__ */ new Date()
         };
-      } catch (err5) {
+      } catch (err6) {
         return {
           ok: false,
           error: createError2(
             DelegationErrorCodes.CREATION_FAILED,
-            `Failed to create delegation via WASM: ${err5 instanceof Error ? err5.message : String(err5)}`,
-            err5 instanceof Error ? err5 : void 0
+            `Failed to create delegation via WASM: ${err6 instanceof Error ? err6.message : String(err6)}`,
+            err6 instanceof Error ? err6 : void 0
           )
         };
       }
@@ -4136,8 +4502,8 @@ var SharingService = class {
     let activeKey = keyInfo;
     if (autoSubdelegate && useSessionKey && this.session) {
       try {
-      } catch (err5) {
-        console.warn("Auto-subdelegation failed, using ingested key directly:", err5);
+      } catch (err6) {
+        console.warn("Auto-subdelegation failed, using ingested key directly:", err6);
       }
     }
     const authHeader = shareData.delegation.authHeader ?? `Bearer ${shareData.delegation.cid}`;
@@ -4235,26 +4601,26 @@ var SharingService = class {
     let jsonString;
     try {
       jsonString = base64UrlDecode(base64Data);
-    } catch (err5) {
+    } catch (err6) {
       return {
         ok: false,
         error: createError2(
           DelegationErrorCodes.INVALID_TOKEN,
-          `Failed to decode base64 data: ${err5 instanceof Error ? err5.message : String(err5)}`,
-          err5 instanceof Error ? err5 : void 0
+          `Failed to decode base64 data: ${err6 instanceof Error ? err6.message : String(err6)}`,
+          err6 instanceof Error ? err6 : void 0
         )
       };
     }
     let parsed;
     try {
       parsed = JSON.parse(jsonString);
-    } catch (err5) {
+    } catch (err6) {
       return {
         ok: false,
         error: createError2(
           DelegationErrorCodes.INVALID_TOKEN,
-          `Failed to parse share data JSON: ${err5 instanceof Error ? err5.message : String(err5)}`,
-          err5 instanceof Error ? err5 : void 0
+          `Failed to parse share data JSON: ${err6 instanceof Error ? err6.message : String(err6)}`,
+          err6 instanceof Error ? err6 : void 0
         )
       };
     }
@@ -4281,8 +4647,8 @@ function createSharingService(config) {
 }
 
 // src/authorization/CapabilityKeyRegistry.ts
-import { ok as ok3, err as err3, serviceError as serviceError3 } from "@tinycloud/sdk-services";
-var SERVICE_NAME2 = "capability-key-registry";
+import { ok as ok4, err as err4, serviceError as serviceError4 } from "@tinycloud/sdk-services";
+var SERVICE_NAME3 = "capability-key-registry";
 var CapabilityKeyRegistryErrorCodes = {
   /** Key not found in registry */
   KEY_NOT_FOUND: "KEY_NOT_FOUND",
@@ -4499,11 +4865,11 @@ var CapabilityKeyRegistry = class {
   revokeDelegation(cid) {
     const stored = this.store.byCid.get(cid);
     if (!stored) {
-      return err3(
-        serviceError3(
+      return err4(
+        serviceError4(
           CapabilityKeyRegistryErrorCodes.KEY_NOT_FOUND,
           `Delegation not found: ${cid}`,
-          SERVICE_NAME2
+          SERVICE_NAME3
         )
       );
     }
@@ -4522,7 +4888,7 @@ var CapabilityKeyRegistry = class {
         }
       }
     }
-    return ok3(void 0);
+    return ok4(void 0);
   }
   // ===========================================================================
   // Search
@@ -4751,8 +5117,8 @@ async function checkNodeInfo(host, sdkProtocol, fetchFn = globalThis.fetch.bind(
     response = await fetchFn(`${host}/info`, {
       signal: AbortSignal.timeout(5e3)
     });
-  } catch (err5) {
-    throw new VersionCheckError(host, err5);
+  } catch (err6) {
+    throw new VersionCheckError(host, err6);
   }
   if (!response.ok) {
     throw new VersionCheckError(host);
@@ -5284,6 +5650,7 @@ function parseRecapCapabilities(parseWasm, siwe) {
 export {
   ACCOUNT_REGISTRY_PATH,
   ACCOUNT_REGISTRY_SPACE,
+  AccountService,
   AutoApproveSpaceCreationHandler,
   CapabilityKeyRegistry,
   CapabilityKeyRegistryErrorCodes,
@@ -5389,7 +5756,7 @@ export {
   utf8Decode as encryptionUtf8Decode,
   utf8Encode as encryptionUtf8Encode,
   ensureNetworkUsableForDecrypt,
-  err4 as err,
+  err5 as err,
   expandActionShortNames,
   expandPermissionEntries,
   expandPermissionEntry,
@@ -5410,7 +5777,7 @@ export {
   multiaddrToHttpUrl,
   networkDiscoveryKey,
   normalizeDefaults,
-  ok4 as ok,
+  ok5 as ok,
   openWrappedKey,
   parseCanonicalNetworkId,
   parseExpiry,
@@ -5428,7 +5795,7 @@ export {
   resolveTinyCloudHosts,
   resourceCapabilitiesToAbilitiesMap,
   resourceCapabilitiesToSpaceAbilitiesMap,
-  serviceError4 as serviceError,
+  serviceError5 as serviceError,
   signLocationRecord,
   submitHostDelegation,
   validateClientSession,