@tinycloud/sdk-services 2.2.0-beta.7 → 2.2.0

package/dist/index.d.cts

@@ -1,9 +1,11 @@
-import { I as IServiceContext, a as InvokeFunction, b as InvokeAnyFunction, F as FetchFunction, S as ServiceSession, R as RetryPolicy, c as IService, d as ServiceError, e as Result, B as BaseService, f as StorageQuotaInfo } from './BaseService-BiS6HRwE.cjs';
-export { E as ErrorCode, g as ErrorCodes, h as EventHandler, i as FetchRequestInit, j as FetchResponse, k as InvocationFact, l as InvocationFacts, m as InvokeAnyEntry, n as ServiceErrorEvent, o as ServiceHeaders, p as ServiceRequestEvent, q as ServiceResponseEvent, r as ServiceRetryEvent, T as TelemetryEvents, s as defaultRetryPolicy, t as err, u as ok, v as serviceError } from './BaseService-BiS6HRwE.cjs';
+import { I as IServiceContext, a as InvokeFunction, b as InvokeAnyFunction, F as FetchFunction, S as ServiceSession, R as RetryPolicy, c as IService, d as ServiceError, e as Result, B as BaseService, f as StorageQuotaInfo } from './BaseService-C_iXlTeN.cjs';
+export { E as ErrorCode, g as ErrorCodes, h as EventHandler, i as FetchRequestInit, j as FetchResponse, k as InvocationFact, l as InvocationFacts, m as InvokeAnyEntry, n as ServiceErrorEvent, o as ServiceHeaders, p as ServiceRequestEvent, q as ServiceResponseEvent, r as ServiceRetryEvent, T as TelemetryEvents, s as defaultRetryPolicy, t as err, u as ok, v as serviceError } from './BaseService-C_iXlTeN.cjs';
 import { z } from 'zod';
 import { IKVService } from './kv/index.cjs';
-export { IPrefixedKVService, KVAction, KVActionType, KVDeleteOptions, KVGetOptions, KVHeadOptions, KVListOptions, KVListResponse, KVPutOptions, KVResponse, KVResponseHeaders, KVService, KVServiceConfig, PrefixedKVService } from './kv/index.cjs';
+export { DEFAULT_SIGNED_READ_URL_EXPIRY_MS, IPrefixedKVService, KVAction, KVActionType, KVCreateSignedReadUrlOptions, KVDeleteOptions, KVGetOptions, KVHeadOptions, KVListOptions, KVListResponse, KVPutOptions, KVResponse, KVResponseHeaders, KVService, KVServiceConfig, KVSignedReadUrlResponse, PrefixedKVService } from './kv/index.cjs';
 export { BatchOptions, BatchResponse, DatabaseHandle, ExecuteOptions, ExecuteResponse, IDatabaseHandle, ISQLService, QueryOptions, QueryResponse, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SqlStatement, SqlValue } from './sql/index.cjs';
+import { IEncryptionService, DecryptCapabilityProof } from './encryption/index.cjs';
+export { BuildCanonicalDecryptRequestInput, BuildDecryptFactsInput, BuildDecryptInvocationInput, BuiltDecryptInvocation, CanonicalDecryptRequest, CanonicalJson, DECRYPT_ACTION, DECRYPT_FACT_TYPE, DECRYPT_RESULT_TYPE, DEFAULT_ENCRYPTION_ALG, DEFAULT_KEY_VERSION, DecryptEnvelopeOptions, DecryptInvocationFact, DecryptInvocationSigner, DecryptRequestBody, DecryptResponseBody, DecryptTransport, DiscoverNetworkInput, DiscoveredNetwork, DiscoverySource, ENCRYPTION_NETWORK_URN_PREFIX, ENCRYPTION_SERVICE, ENCRYPTION_SERVICE_SHORT, ENVELOPE_VERSION, EncryptToNetworkInput, EncryptToNetworkOptions, EncryptToNetworkResult, EncryptionCrypto, EncryptionError, EncryptionErrorInput, EncryptionService, EncryptionServiceConfig, InlineEncryptedEnvelope, Json, NETWORK_NAME_PATTERN, NetworkDescriptor, NetworkIdError, NodeDescriptorFetcher, ParsedNetworkId, RandomReceiverKeyInput, ReceiverKeyPair, ReceiverKeySigner, SignedReceiverKeyInput, VerifyDecryptResponseInput, WellKnownDescriptorFetcher, base64Decode, base64Encode, buildCanonicalDecryptRequest, buildDecryptAttenuation, buildDecryptFacts, buildDecryptInvocation, buildNetworkId, canonicalHashHex, canonicalSignedResponse, canonicalize as canonicalizeEncryptionJson, checkDecryptInvocationInput, decryptEnvelopeWithKey, deriveSignedReceiverKey, discoverNetwork, encryptToNetwork, encryptionError, ensureNetworkUsableForDecrypt, generateRandomReceiverKey, hexDecode, hexEncode, isNetworkId, networkDiscoveryKey, openWrappedKey, parseNetworkId, utf8Decode, utf8Encode, validateEnvelope, verifyDecryptResponse } from './encryption/index.cjs';
 
 /**
  * Zod schemas for SDK Services API response types.
@@ -1375,6 +1377,15 @@ declare class TinyCloudQuota {
  *
  * Type definitions for the Data Vault (encrypted KV) service operations.
  */
+
+interface VaultNetworkEncryptionConfig {
+    /** Default encryption network used for inline vault envelopes. */
+    networkId: string;
+    /** TinyCloud encryption module used for local encrypt and node-mediated decrypt. */
+    service: IEncryptionService;
+    /** Proof material presented to the encryption module for decrypt requests. */
+    decryptCapabilityProof?: DecryptCapabilityProof | (() => DecryptCapabilityProof | Promise<DecryptCapabilityProof>);
+}
 /**
  * Configuration for DataVaultService.
  */
@@ -1383,6 +1394,8 @@ interface DataVaultConfig {
     spaceId: string;
     /** Key rotation policy */
     keyRotation?: "per-write" | "per-key";
+    /** Network-envelope encryption mode. When set, vault.unlock/key grants are not used. */
+    encryption?: VaultNetworkEncryptionConfig;
 }
 /**
  * Options for vault put operations.
@@ -1747,6 +1760,7 @@ declare class DataVaultService extends BaseService implements IDataVaultService
     private encryptionIdentity;
     private _isUnlocked;
     private vaultConfig;
+    private unlockInFlight;
     /**
      * Create a new DataVaultService instance.
      *
@@ -1774,10 +1788,15 @@ declare class DataVaultService extends BaseService implements IDataVaultService
      * Convenience accessor for TinyCloud instance.
      */
     private get tc();
+    private get networkEncryption();
+    private get usesNetworkEncryption();
     /**
      * Get the host URL.
      */
     private get host();
+    private decryptCapabilityProof;
+    private serializeValue;
+    private deserializeValue;
     /**
      * Unlock the vault. Derives keys from two wallet signatures:
      * 1. Master signature (per-space) — used to derive the master encryption key
@@ -1807,6 +1826,9 @@ declare class DataVaultService extends BaseService implements IDataVaultService
      * Called when SDK signs out. Locks the vault and aborts operations.
      */
     onSignOut(): void;
+    private putNetworkEncrypted;
+    private getNetworkEncrypted;
+    private headNetworkEncrypted;
     /**
      * Encrypt and store a value at the given key.
      *
@@ -1937,6 +1959,27 @@ interface WasmVaultFunctions {
 }
 declare function createVaultCrypto(wasm: WasmVaultFunctions): VaultCrypto;
 
+declare const SECRET_NAME_RE: RegExp;
+interface SecretScopeOptions {
+    /** Optional logical scope. Omit for the global secret namespace. */
+    scope?: string;
+}
+interface ResolvedSecretPath {
+    /** Canonical env-style secret name. */
+    name: string;
+    /** Canonical scope. Undefined means global. */
+    scope?: string;
+    /** Key passed to the data vault service. */
+    vaultKey: string;
+    /** KV permission path that backs the encrypted vault entry. */
+    permissionPaths: {
+        vault: string;
+    };
+}
+declare function canonicalizeSecretScope(scope: string | undefined): string | undefined;
+declare function resolveSecretPath(name: string, options?: SecretScopeOptions): ResolvedSecretPath;
+declare function resolveSecretListPrefix(options?: SecretScopeOptions): string;
+
 interface SecretPayload {
     value: string;
     createdAt: string;
@@ -1948,10 +1991,10 @@ interface ISecretsService {
     unlock(signer?: unknown): Promise<Result<void, VaultError>>;
     lock(): void;
     readonly isUnlocked: boolean;
-    get(name: string): Promise<Result<string, SecretsError>>;
-    put(name: string, value: string): Promise<Result<void, SecretsError>>;
-    delete(name: string): Promise<Result<void, SecretsError>>;
-    list(): Promise<Result<string[], SecretsError>>;
+    get(name: string, options?: SecretScopeOptions): Promise<Result<string, SecretsError>>;
+    put(name: string, value: string, options?: SecretScopeOptions): Promise<Result<void, SecretsError>>;
+    delete(name: string, options?: SecretScopeOptions): Promise<Result<void, SecretsError>>;
+    list(options?: SecretScopeOptions): Promise<Result<string[], SecretsError>>;
 }
 
 declare class SecretsService implements ISecretsService {
@@ -1961,10 +2004,10 @@ declare class SecretsService implements ISecretsService {
     get isUnlocked(): boolean;
     unlock(signer?: unknown): Promise<Result<void, VaultError>>;
     lock(): void;
-    get(name: string): Promise<Result<string, SecretsError>>;
-    put(name: string, value: string): Promise<Result<void, SecretsError>>;
-    delete(name: string): Promise<Result<void, SecretsError>>;
-    list(): Promise<Result<string[], SecretsError>>;
+    get(name: string, options?: SecretScopeOptions): Promise<Result<string, SecretsError>>;
+    put(name: string, value: string, options?: SecretScopeOptions): Promise<Result<void, SecretsError>>;
+    delete(name: string, options?: SecretScopeOptions): Promise<Result<void, SecretsError>>;
+    list(options?: SecretScopeOptions): Promise<Result<string[], SecretsError>>;
 }
 
-export { BaseService, type BaseServiceOptions, type ColumnInfo, type DataVaultConfig, DataVaultService, DuckDbAction, type DuckDbActionType, type DuckDbBatchOptions, type BatchResponse as DuckDbBatchResponse, DuckDbDatabaseHandle, type DuckDbExecuteOptions, type ExecuteResponse as DuckDbExecuteResponse, type DuckDbOptions, type DuckDbQueryOptions, type QueryResponse as DuckDbQueryResponse, DuckDbService, type DuckDbServiceConfig, type DuckDbStatement, type DuckDbValue, FetchFunction, GenericKVResponseSchema, type GenericKVResponseType, GenericResultSchema, type HookEvent, type HookServiceName, type HookStreamEvent, type HookSubscription, type HookWebhookListOptions, type HookWebhookRecord, type HookWebhookRegistration, type HookWebhookScope, type HookWebhookUnregisterOptions, HooksService, type HooksServiceConfig, type IDataVaultService, type IDuckDbDatabaseHandle, type IDuckDbService, type IHooksService, IKVService, type ISecretsService, IService, IServiceContext, InvokeAnyFunction, InvokeFunction, KVListResponseSchema, type KVListResponseType, KVListResultSchema, type KVListResultType, KVResponseHeadersSchema, type KVResponseHeadersType, type QuotaConfig, type QuotaStatus, Result, RetryPolicy, RetryPolicySchema, type RetryPolicyType, type SchemaInfo, type SecretPayload, type SecretsError, SecretsService, type ServiceConstructor, ServiceContext, type ServiceContextConfig, ServiceError, ServiceErrorEventSchema, type ServiceErrorEventType, ServiceErrorSchema, type ServiceErrorType, type ServiceRegistration, ServiceRequestEventSchema, type ServiceRequestEventType, ServiceResponseEventSchema, type ServiceResponseEventType, ServiceRetryEventSchema, type ServiceRetryEventType, ServiceSession, ServiceSessionSchema, type ServiceSessionType, StorageQuotaInfo, type SubscribeOptions, type TableInfo, TinyCloudQuota, type ValidationError, type VaultCrypto, type VaultEntry, type VaultError, type VaultGetOptions, type VaultGrantOptions, VaultHeaders, type VaultListOptions, VaultPublicSpaceKVActions, type VaultPutOptions, type ViewInfo, type WasmVaultFunctions, abortedError, authExpiredError, authRequiredError, authUnauthorizedError, createKVResponseSchema, createResultSchema, createVaultCrypto, errorResult, networkError, notFoundError, parseAuthError, permissionDeniedError, storageLimitReachedError, storageQuotaExceededError, timeoutError, validateKVListResponse, validateKVResponseHeaders, validateRetryPolicy, validateServiceError, validateServiceRequestEvent, validateServiceResponseEvent, validateServiceSession, wrapError };
+export { BaseService, type BaseServiceOptions, type ColumnInfo, type DataVaultConfig, DataVaultService, DecryptCapabilityProof, DuckDbAction, type DuckDbActionType, type DuckDbBatchOptions, type BatchResponse as DuckDbBatchResponse, DuckDbDatabaseHandle, type DuckDbExecuteOptions, type ExecuteResponse as DuckDbExecuteResponse, type DuckDbOptions, type DuckDbQueryOptions, type QueryResponse as DuckDbQueryResponse, DuckDbService, type DuckDbServiceConfig, type DuckDbStatement, type DuckDbValue, FetchFunction, GenericKVResponseSchema, type GenericKVResponseType, GenericResultSchema, type HookEvent, type HookServiceName, type HookStreamEvent, type HookSubscription, type HookWebhookListOptions, type HookWebhookRecord, type HookWebhookRegistration, type HookWebhookScope, type HookWebhookUnregisterOptions, HooksService, type HooksServiceConfig, type IDataVaultService, type IDuckDbDatabaseHandle, type IDuckDbService, IEncryptionService, type IHooksService, IKVService, type ISecretsService, IService, IServiceContext, InvokeAnyFunction, InvokeFunction, KVListResponseSchema, type KVListResponseType, KVListResultSchema, type KVListResultType, KVResponseHeadersSchema, type KVResponseHeadersType, type QuotaConfig, type QuotaStatus, type ResolvedSecretPath, Result, RetryPolicy, RetryPolicySchema, type RetryPolicyType, SECRET_NAME_RE, type SchemaInfo, type SecretPayload, type SecretScopeOptions, type SecretsError, SecretsService, type ServiceConstructor, ServiceContext, type ServiceContextConfig, ServiceError, ServiceErrorEventSchema, type ServiceErrorEventType, ServiceErrorSchema, type ServiceErrorType, type ServiceRegistration, ServiceRequestEventSchema, type ServiceRequestEventType, ServiceResponseEventSchema, type ServiceResponseEventType, ServiceRetryEventSchema, type ServiceRetryEventType, ServiceSession, ServiceSessionSchema, type ServiceSessionType, StorageQuotaInfo, type SubscribeOptions, type TableInfo, TinyCloudQuota, type ValidationError, type VaultCrypto, type VaultEntry, type VaultError, type VaultGetOptions, type VaultGrantOptions, VaultHeaders, type VaultListOptions, VaultPublicSpaceKVActions, type VaultPutOptions, type ViewInfo, type WasmVaultFunctions, abortedError, authExpiredError, authRequiredError, authUnauthorizedError, canonicalizeSecretScope, createKVResponseSchema, createResultSchema, createVaultCrypto, errorResult, networkError, notFoundError, parseAuthError, permissionDeniedError, resolveSecretListPrefix, resolveSecretPath, storageLimitReachedError, storageQuotaExceededError, timeoutError, validateKVListResponse, validateKVResponseHeaders, validateRetryPolicy, validateServiceError, validateServiceRequestEvent, validateServiceResponseEvent, validateServiceSession, wrapError };

package/dist/index.d.ts

@@ -1,9 +1,11 @@
-import { I as IServiceContext, a as InvokeFunction, b as InvokeAnyFunction, F as FetchFunction, S as ServiceSession, R as RetryPolicy, c as IService, d as ServiceError, e as Result, B as BaseService, f as StorageQuotaInfo } from './BaseService-BiS6HRwE.js';
-export { E as ErrorCode, g as ErrorCodes, h as EventHandler, i as FetchRequestInit, j as FetchResponse, k as InvocationFact, l as InvocationFacts, m as InvokeAnyEntry, n as ServiceErrorEvent, o as ServiceHeaders, p as ServiceRequestEvent, q as ServiceResponseEvent, r as ServiceRetryEvent, T as TelemetryEvents, s as defaultRetryPolicy, t as err, u as ok, v as serviceError } from './BaseService-BiS6HRwE.js';
+import { I as IServiceContext, a as InvokeFunction, b as InvokeAnyFunction, F as FetchFunction, S as ServiceSession, R as RetryPolicy, c as IService, d as ServiceError, e as Result, B as BaseService, f as StorageQuotaInfo } from './BaseService-C_iXlTeN.js';
+export { E as ErrorCode, g as ErrorCodes, h as EventHandler, i as FetchRequestInit, j as FetchResponse, k as InvocationFact, l as InvocationFacts, m as InvokeAnyEntry, n as ServiceErrorEvent, o as ServiceHeaders, p as ServiceRequestEvent, q as ServiceResponseEvent, r as ServiceRetryEvent, T as TelemetryEvents, s as defaultRetryPolicy, t as err, u as ok, v as serviceError } from './BaseService-C_iXlTeN.js';
 import { z } from 'zod';
 import { IKVService } from './kv/index.js';
-export { IPrefixedKVService, KVAction, KVActionType, KVDeleteOptions, KVGetOptions, KVHeadOptions, KVListOptions, KVListResponse, KVPutOptions, KVResponse, KVResponseHeaders, KVService, KVServiceConfig, PrefixedKVService } from './kv/index.js';
+export { DEFAULT_SIGNED_READ_URL_EXPIRY_MS, IPrefixedKVService, KVAction, KVActionType, KVCreateSignedReadUrlOptions, KVDeleteOptions, KVGetOptions, KVHeadOptions, KVListOptions, KVListResponse, KVPutOptions, KVResponse, KVResponseHeaders, KVService, KVServiceConfig, KVSignedReadUrlResponse, PrefixedKVService } from './kv/index.js';
 export { BatchOptions, BatchResponse, DatabaseHandle, ExecuteOptions, ExecuteResponse, IDatabaseHandle, ISQLService, QueryOptions, QueryResponse, SQLAction, SQLActionType, SQLService, SQLServiceConfig, SqlStatement, SqlValue } from './sql/index.js';
+import { IEncryptionService, DecryptCapabilityProof } from './encryption/index.js';
+export { BuildCanonicalDecryptRequestInput, BuildDecryptFactsInput, BuildDecryptInvocationInput, BuiltDecryptInvocation, CanonicalDecryptRequest, CanonicalJson, DECRYPT_ACTION, DECRYPT_FACT_TYPE, DECRYPT_RESULT_TYPE, DEFAULT_ENCRYPTION_ALG, DEFAULT_KEY_VERSION, DecryptEnvelopeOptions, DecryptInvocationFact, DecryptInvocationSigner, DecryptRequestBody, DecryptResponseBody, DecryptTransport, DiscoverNetworkInput, DiscoveredNetwork, DiscoverySource, ENCRYPTION_NETWORK_URN_PREFIX, ENCRYPTION_SERVICE, ENCRYPTION_SERVICE_SHORT, ENVELOPE_VERSION, EncryptToNetworkInput, EncryptToNetworkOptions, EncryptToNetworkResult, EncryptionCrypto, EncryptionError, EncryptionErrorInput, EncryptionService, EncryptionServiceConfig, InlineEncryptedEnvelope, Json, NETWORK_NAME_PATTERN, NetworkDescriptor, NetworkIdError, NodeDescriptorFetcher, ParsedNetworkId, RandomReceiverKeyInput, ReceiverKeyPair, ReceiverKeySigner, SignedReceiverKeyInput, VerifyDecryptResponseInput, WellKnownDescriptorFetcher, base64Decode, base64Encode, buildCanonicalDecryptRequest, buildDecryptAttenuation, buildDecryptFacts, buildDecryptInvocation, buildNetworkId, canonicalHashHex, canonicalSignedResponse, canonicalize as canonicalizeEncryptionJson, checkDecryptInvocationInput, decryptEnvelopeWithKey, deriveSignedReceiverKey, discoverNetwork, encryptToNetwork, encryptionError, ensureNetworkUsableForDecrypt, generateRandomReceiverKey, hexDecode, hexEncode, isNetworkId, networkDiscoveryKey, openWrappedKey, parseNetworkId, utf8Decode, utf8Encode, validateEnvelope, verifyDecryptResponse } from './encryption/index.js';
 
 /**
  * Zod schemas for SDK Services API response types.
@@ -1375,6 +1377,15 @@ declare class TinyCloudQuota {
  *
  * Type definitions for the Data Vault (encrypted KV) service operations.
  */
+
+interface VaultNetworkEncryptionConfig {
+    /** Default encryption network used for inline vault envelopes. */
+    networkId: string;
+    /** TinyCloud encryption module used for local encrypt and node-mediated decrypt. */
+    service: IEncryptionService;
+    /** Proof material presented to the encryption module for decrypt requests. */
+    decryptCapabilityProof?: DecryptCapabilityProof | (() => DecryptCapabilityProof | Promise<DecryptCapabilityProof>);
+}
 /**
  * Configuration for DataVaultService.
  */
@@ -1383,6 +1394,8 @@ interface DataVaultConfig {
     spaceId: string;
     /** Key rotation policy */
     keyRotation?: "per-write" | "per-key";
+    /** Network-envelope encryption mode. When set, vault.unlock/key grants are not used. */
+    encryption?: VaultNetworkEncryptionConfig;
 }
 /**
  * Options for vault put operations.
@@ -1747,6 +1760,7 @@ declare class DataVaultService extends BaseService implements IDataVaultService
     private encryptionIdentity;
     private _isUnlocked;
     private vaultConfig;
+    private unlockInFlight;
     /**
      * Create a new DataVaultService instance.
      *
@@ -1774,10 +1788,15 @@ declare class DataVaultService extends BaseService implements IDataVaultService
      * Convenience accessor for TinyCloud instance.
      */
     private get tc();
+    private get networkEncryption();
+    private get usesNetworkEncryption();
     /**
      * Get the host URL.
      */
     private get host();
+    private decryptCapabilityProof;
+    private serializeValue;
+    private deserializeValue;
     /**
      * Unlock the vault. Derives keys from two wallet signatures:
      * 1. Master signature (per-space) — used to derive the master encryption key
@@ -1807,6 +1826,9 @@ declare class DataVaultService extends BaseService implements IDataVaultService
      * Called when SDK signs out. Locks the vault and aborts operations.
      */
     onSignOut(): void;
+    private putNetworkEncrypted;
+    private getNetworkEncrypted;
+    private headNetworkEncrypted;
     /**
      * Encrypt and store a value at the given key.
      *
@@ -1937,6 +1959,27 @@ interface WasmVaultFunctions {
 }
 declare function createVaultCrypto(wasm: WasmVaultFunctions): VaultCrypto;
 
+declare const SECRET_NAME_RE: RegExp;
+interface SecretScopeOptions {
+    /** Optional logical scope. Omit for the global secret namespace. */
+    scope?: string;
+}
+interface ResolvedSecretPath {
+    /** Canonical env-style secret name. */
+    name: string;
+    /** Canonical scope. Undefined means global. */
+    scope?: string;
+    /** Key passed to the data vault service. */
+    vaultKey: string;
+    /** KV permission path that backs the encrypted vault entry. */
+    permissionPaths: {
+        vault: string;
+    };
+}
+declare function canonicalizeSecretScope(scope: string | undefined): string | undefined;
+declare function resolveSecretPath(name: string, options?: SecretScopeOptions): ResolvedSecretPath;
+declare function resolveSecretListPrefix(options?: SecretScopeOptions): string;
+
 interface SecretPayload {
     value: string;
     createdAt: string;
@@ -1948,10 +1991,10 @@ interface ISecretsService {
     unlock(signer?: unknown): Promise<Result<void, VaultError>>;
     lock(): void;
     readonly isUnlocked: boolean;
-    get(name: string): Promise<Result<string, SecretsError>>;
-    put(name: string, value: string): Promise<Result<void, SecretsError>>;
-    delete(name: string): Promise<Result<void, SecretsError>>;
-    list(): Promise<Result<string[], SecretsError>>;
+    get(name: string, options?: SecretScopeOptions): Promise<Result<string, SecretsError>>;
+    put(name: string, value: string, options?: SecretScopeOptions): Promise<Result<void, SecretsError>>;
+    delete(name: string, options?: SecretScopeOptions): Promise<Result<void, SecretsError>>;
+    list(options?: SecretScopeOptions): Promise<Result<string[], SecretsError>>;
 }
 
 declare class SecretsService implements ISecretsService {
@@ -1961,10 +2004,10 @@ declare class SecretsService implements ISecretsService {
     get isUnlocked(): boolean;
     unlock(signer?: unknown): Promise<Result<void, VaultError>>;
     lock(): void;
-    get(name: string): Promise<Result<string, SecretsError>>;
-    put(name: string, value: string): Promise<Result<void, SecretsError>>;
-    delete(name: string): Promise<Result<void, SecretsError>>;
-    list(): Promise<Result<string[], SecretsError>>;
+    get(name: string, options?: SecretScopeOptions): Promise<Result<string, SecretsError>>;
+    put(name: string, value: string, options?: SecretScopeOptions): Promise<Result<void, SecretsError>>;
+    delete(name: string, options?: SecretScopeOptions): Promise<Result<void, SecretsError>>;
+    list(options?: SecretScopeOptions): Promise<Result<string[], SecretsError>>;
 }
 
-export { BaseService, type BaseServiceOptions, type ColumnInfo, type DataVaultConfig, DataVaultService, DuckDbAction, type DuckDbActionType, type DuckDbBatchOptions, type BatchResponse as DuckDbBatchResponse, DuckDbDatabaseHandle, type DuckDbExecuteOptions, type ExecuteResponse as DuckDbExecuteResponse, type DuckDbOptions, type DuckDbQueryOptions, type QueryResponse as DuckDbQueryResponse, DuckDbService, type DuckDbServiceConfig, type DuckDbStatement, type DuckDbValue, FetchFunction, GenericKVResponseSchema, type GenericKVResponseType, GenericResultSchema, type HookEvent, type HookServiceName, type HookStreamEvent, type HookSubscription, type HookWebhookListOptions, type HookWebhookRecord, type HookWebhookRegistration, type HookWebhookScope, type HookWebhookUnregisterOptions, HooksService, type HooksServiceConfig, type IDataVaultService, type IDuckDbDatabaseHandle, type IDuckDbService, type IHooksService, IKVService, type ISecretsService, IService, IServiceContext, InvokeAnyFunction, InvokeFunction, KVListResponseSchema, type KVListResponseType, KVListResultSchema, type KVListResultType, KVResponseHeadersSchema, type KVResponseHeadersType, type QuotaConfig, type QuotaStatus, Result, RetryPolicy, RetryPolicySchema, type RetryPolicyType, type SchemaInfo, type SecretPayload, type SecretsError, SecretsService, type ServiceConstructor, ServiceContext, type ServiceContextConfig, ServiceError, ServiceErrorEventSchema, type ServiceErrorEventType, ServiceErrorSchema, type ServiceErrorType, type ServiceRegistration, ServiceRequestEventSchema, type ServiceRequestEventType, ServiceResponseEventSchema, type ServiceResponseEventType, ServiceRetryEventSchema, type ServiceRetryEventType, ServiceSession, ServiceSessionSchema, type ServiceSessionType, StorageQuotaInfo, type SubscribeOptions, type TableInfo, TinyCloudQuota, type ValidationError, type VaultCrypto, type VaultEntry, type VaultError, type VaultGetOptions, type VaultGrantOptions, VaultHeaders, type VaultListOptions, VaultPublicSpaceKVActions, type VaultPutOptions, type ViewInfo, type WasmVaultFunctions, abortedError, authExpiredError, authRequiredError, authUnauthorizedError, createKVResponseSchema, createResultSchema, createVaultCrypto, errorResult, networkError, notFoundError, parseAuthError, permissionDeniedError, storageLimitReachedError, storageQuotaExceededError, timeoutError, validateKVListResponse, validateKVResponseHeaders, validateRetryPolicy, validateServiceError, validateServiceRequestEvent, validateServiceResponseEvent, validateServiceSession, wrapError };
+export { BaseService, type BaseServiceOptions, type ColumnInfo, type DataVaultConfig, DataVaultService, DecryptCapabilityProof, DuckDbAction, type DuckDbActionType, type DuckDbBatchOptions, type BatchResponse as DuckDbBatchResponse, DuckDbDatabaseHandle, type DuckDbExecuteOptions, type ExecuteResponse as DuckDbExecuteResponse, type DuckDbOptions, type DuckDbQueryOptions, type QueryResponse as DuckDbQueryResponse, DuckDbService, type DuckDbServiceConfig, type DuckDbStatement, type DuckDbValue, FetchFunction, GenericKVResponseSchema, type GenericKVResponseType, GenericResultSchema, type HookEvent, type HookServiceName, type HookStreamEvent, type HookSubscription, type HookWebhookListOptions, type HookWebhookRecord, type HookWebhookRegistration, type HookWebhookScope, type HookWebhookUnregisterOptions, HooksService, type HooksServiceConfig, type IDataVaultService, type IDuckDbDatabaseHandle, type IDuckDbService, IEncryptionService, type IHooksService, IKVService, type ISecretsService, IService, IServiceContext, InvokeAnyFunction, InvokeFunction, KVListResponseSchema, type KVListResponseType, KVListResultSchema, type KVListResultType, KVResponseHeadersSchema, type KVResponseHeadersType, type QuotaConfig, type QuotaStatus, type ResolvedSecretPath, Result, RetryPolicy, RetryPolicySchema, type RetryPolicyType, SECRET_NAME_RE, type SchemaInfo, type SecretPayload, type SecretScopeOptions, type SecretsError, SecretsService, type ServiceConstructor, ServiceContext, type ServiceContextConfig, ServiceError, ServiceErrorEventSchema, type ServiceErrorEventType, ServiceErrorSchema, type ServiceErrorType, type ServiceRegistration, ServiceRequestEventSchema, type ServiceRequestEventType, ServiceResponseEventSchema, type ServiceResponseEventType, ServiceRetryEventSchema, type ServiceRetryEventType, ServiceSession, ServiceSessionSchema, type ServiceSessionType, StorageQuotaInfo, type SubscribeOptions, type TableInfo, TinyCloudQuota, type ValidationError, type VaultCrypto, type VaultEntry, type VaultError, type VaultGetOptions, type VaultGrantOptions, VaultHeaders, type VaultListOptions, VaultPublicSpaceKVActions, type VaultPutOptions, type ViewInfo, type WasmVaultFunctions, abortedError, authExpiredError, authRequiredError, authUnauthorizedError, canonicalizeSecretScope, createKVResponseSchema, createResultSchema, createVaultCrypto, errorResult, networkError, notFoundError, parseAuthError, permissionDeniedError, resolveSecretListPrefix, resolveSecretPath, storageLimitReachedError, storageQuotaExceededError, timeoutError, validateKVListResponse, validateKVResponseHeaders, validateRetryPolicy, validateServiceError, validateServiceRequestEvent, validateServiceResponseEvent, validateServiceSession, wrapError };