		@@ -54,2 +54,3 @@ export { top } from "./top.js";
		}>, Schema.InferStruct<{
		cause: Schema.Schema<Types.Link<unknown, number, number, 1>, any>;
		iss: Schema.Schema<`did:mailto:${string}` & `did:${string}` & Types.Phantom<{
		@@ -65,30 +66,2 @@ protocol: "did:";
		}>>>;
		/**
		* Issued by trusted authority (usually the one handling invocation) that attest
		* that specific UCAN delegation has been considered authentic.
		*
		* @see https://github.com/web3-storage/specs/blob/main/w3-session.md#authorization-session
		*
		* @example
		* ```js
		* {
		iss: "did:web:web3.storage",
		aud: "did:key:z6Mkk89bC3JrVqKie71YEcc5M1SMVxuCgNx6zLZ8SYJsxALi",
		att: [{
		"with": "did:web:web3.storage",
		"can": "ucan/attest",
		"nb": {
		"proof": {
		"/": "bafyreifer23oxeyamllbmrfkkyvcqpujevuediffrpvrxmgn736f4fffui"
		}
		}
		}],
		exp: null
		sig: "..."
		}
		* ```
		*/
		export const session: Types.TheCapabilityParser<Types.CapabilityMatch<"ucan/attest", Types.URI<"did:">, Schema.InferStruct<{
		proof: typeof Link;
		}>>>;
		export const claim: Types.TheCapabilityParser<Types.CapabilityMatch<"access/claim", (`did:key:${string}` & `did:${string}` & Types.Phantom<{
		@@ -116,3 +89,2 @@ protocol: "did:";
		import { Schema } from '@ucanto/validator';
		import { Link } from '@ucanto/validator';
		//# sourceMappingURL=access.d.ts.map

dist/src/index.d.ts

		@@ -23,3 +23,4 @@ /** @type {import('./types.js').AbilitiesArray} */
		import * as Plan from './plan.js';
		export { Access, Provider, Space, Top, Store, Upload, Consumer, Customer, Console, Utils, RateLimit, Subscription, Filecoin, Storefront, Aggregator, Dealer, DealTracker, Admin, UCAN, Plan };
		import * as Usage from './usage.js';
		export { Access, Provider, Space, Top, Store, Upload, Consumer, Customer, Console, Utils, RateLimit, Subscription, Filecoin, Storefront, Aggregator, Dealer, DealTracker, Admin, UCAN, Plan, Usage };
		//# sourceMappingURL=index.d.ts.map

dist/src/types.d.ts

		import type { TupleToUnion } from 'type-fest';
		import * as Ucanto from '@ucanto/interface';
		import type { Schema } from '@ucanto/core';
		import { InferInvokedCapability, Unit, DID, DIDKey, ToString, Link, UnknownLink } from '@ucanto/interface';
		import { InferInvokedCapability, Unit, DID, DIDKey, ToString, Link, Failure, UnknownLink } from '@ucanto/interface';
		import { CAR } from '@ucanto/transport';
		@@ -24,2 +24,3 @@ import { Phantom, PieceLink, ProofData, uint64 } from '@web3-storage/data-segment';
		import * as PlanCaps from './plan.js';
		import * as UsageCaps from './usage.js';
		export type ISO8601Date = string;
		@@ -40,3 +41,3 @@ export type { Unit, PieceLink };
		}
		export interface UnknownProvider extends Ucanto.Failure {
		export interface UnknownProvider extends Failure {
		name: 'UnknownProvider';
		@@ -51,3 +52,8 @@ did: DID;
		export type AccessAuthorize = InferInvokedCapability<typeof AccessCaps.authorize>;
		export type AccessAuthorizeSuccess = Unit;
		export interface AccessAuthorizeSuccess {
		request: Link;
		expiration: number;
		}
		export interface AccessAuthorizeFailure extends Ucanto.Failure {
		}
		export type AccessClaim = InferInvokedCapability<typeof AccessCaps.claim>;
		@@ -72,4 +78,36 @@ export interface AccessClaimSuccess {
		}
		export type AccessSession = InferInvokedCapability<typeof AccessCaps.session>;
		export type AccessConfirm = InferInvokedCapability<typeof AccessCaps.confirm>;
		export type Usage = InferInvokedCapability<typeof UsageCaps.usage>;
		export type UsageReport = InferInvokedCapability<typeof UsageCaps.report>;
		export type UsageReportSuccess = Record<ProviderDID, UsageData>;
		export type UsageReportFailure = Ucanto.Failure;
		export interface UsageData {
		/** Provider the report concerns, e.g. `did:web:web3.storage` */
		provider: ProviderDID;
		/** Space the report concerns. */
		space: SpaceDID;
		/** Period the report applies to. */
		period: {
		/** ISO datetime the report begins from (inclusive). */
		from: ISO8601Date;
		/** ISO datetime the report ends at (inclusive). */
		to: ISO8601Date;
		};
		/** Observed space size for the period. */
		size: {
		/** Size at the beginning of the report period. */
		initial: number;
		/** Size at the end of the report period. */
		final: number;
		};
		/** Events that caused the size to change during the period. */
		events: Array<{
		/** CID of the invoked task that caused the size to change. */
		cause: Link;
		/** Number of bytes that were added or removed. */
		delta: number;
		/** ISO datetime that the receipt was issued for the change. */
		receiptAt: ISO8601Date;
		}>;
		}
		export type ProviderAdd = InferInvokedCapability<typeof provider.add>;
		@@ -329,2 +367,3 @@ export interface ProviderAddSuccess {
		export type UCANRevoke = InferInvokedCapability<typeof UCANCaps.revoke>;
		export type UCANAttest = InferInvokedCapability<typeof UCANCaps.attest>;
		export interface Timestamp {
		@@ -417,3 +456,3 @@ /**
		AccessAuthorize['can'],
		AccessSession['can'],
		UCANAttest['can'],
		CustomerGet['can'],
		@@ -437,4 +476,6 @@ ConsumerHas['can'],
		AdminStoreInspect['can'],
		PlanGet['can']
		PlanGet['can'],
		Usage['can'],
		UsageReport['can']
		];
		//# sourceMappingURL=types.d.ts.map

dist/src/ucan.d.ts

		@@ -28,4 +28,34 @@ export const UCANLink: Schema.Schema<API.UCANLink<API.Capabilities, API.MulticodecCode<number, string>, API.SigAlg>, unknown>;
		}>>>;
		/**
		* Issued by trusted authority (usually the one handling invocation) that attest
		* that specific UCAN delegation has been considered authentic.
		*
		* @see https://github.com/web3-storage/specs/blob/main/w3-session.md#authorization-session
		*
		* @example
		* ```js
		* {
		iss: "did:web:web3.storage",
		aud: "did:key:z6Mkk89bC3JrVqKie71YEcc5M1SMVxuCgNx6zLZ8SYJsxALi",
		att: [{
		"with": "did:web:web3.storage",
		"can": "ucan/attest",
		"nb": {
		"proof": {
		"/": "bafyreifer23oxeyamllbmrfkkyvcqpujevuediffrpvrxmgn736f4fffui"
		}
		}
		}],
		exp: null
		sig: "..."
		}
		* ```
		*/
		export const attest: API.TheCapabilityParser<API.CapabilityMatch<"ucan/attest", `did:${string}:${string}` & `did:${string}` & API.Phantom<{
		protocol: "did:";
		}>, Schema.InferStruct<{
		proof: Schema.Schema<API.Link<unknown, number, number, 1>, any>;
		}>>>;
		import * as API from '@ucanto/interface';
		import { Schema } from '@ucanto/validator';
		//# sourceMappingURL=ucan.d.ts.map

package.json

		{
		"name": "@web3-storage/capabilities",
		"version": "11.1.0",
		"version": "11.2.0",
		"description": "Capabilities provided by web3.storage",
		@@ -48,3 +48,6 @@ "homepage": "https://github.com/web3-storage/w3protocol/tree/main/packages/capabilities",
		},
		"./types": "./dist/src/types.d.ts"
		"./types": {
		"types": "./dist/src/types.d.ts",
		"import": "./src/types.js"
		}
		},
		@@ -85,3 +88,2 @@ "typesVersions": {
		"assert": "^2.0.0",
		"hd-scripts": "^4.0.0",
		"mocha": "^10.2.0",
		@@ -91,7 +93,8 @@ "playwright-test": "^12.3.4",
		"typescript": "5.2.2",
		"watch": "^1.0.2"
		"watch": "^1.0.2",
		"@web3-storage/eslint-config-w3up": "^1.0.0"
		},
		"eslintConfig": {
		"extends": [
		"./node_modules/hd-scripts/eslint/index.js"
		"@web3-storage/eslint-config-w3up"
		],
		@@ -101,23 +104,12 @@ "parserOptions": {
		},
		"rules": {
		"unicorn/expiring-todo-comments": "off",
		"unicorn/numeric-separators-style": "off",
		"unicorn/prefer-number-properties": "off",
		"unicorn/prefer-export-from": "off",
		"unicorn/no-array-reduce": "off",
		"jsdoc/no-undefined-types": [
		"error",
		{
		"definedTypes": [
		"Iterable"
		]
		}
		]
		},
		"env": {
		"mocha": true
		"es2022": true,
		"mocha": true,
		"browser": true,
		"node": true
		},
		"ignorePatterns": [
		"dist",
		"coverage"
		"coverage",
		"src/types.js"
		]
		@@ -131,4 +123,4 @@ },
		"@types/*",
		"hd-scripts",
		"assert"
		"assert",
		"@web3-storage/eslint-config-w3up"
		]
		@@ -135,0 +127,0 @@ },

src/access.js

		@@ -11,5 +11,5 @@ /**
		*/
		import { capability, URI, DID, Link, Schema, fail, ok } from '@ucanto/validator'
		import { capability, URI, DID, Schema, fail, ok } from '@ucanto/validator'
		import * as Types from '@ucanto/interface'
		import { equalWith, equal, and, SpaceDID } from './utils.js'
		import { equalWith, equal, and, SpaceDID, checkLink } from './utils.js'
		export { top } from './top.js'
		@@ -87,2 +87,7 @@
		nb: Schema.struct({
		/**
		* Link to the `access/authorize` request that this delegation was created
		* for.
		*/
		cause: Schema.link({ version: 1 }),
		iss: Account,
		@@ -98,2 +103,3 @@ aud: Schema.did(),
		and(subsetCapabilities(claim.nb.att, proof.nb.att)) \|\|
		and(checkLink(claim.nb.cause, proof.nb.cause, 'nb.cause')) \|\|
		ok({})
		@@ -104,37 +110,2 @@ )

		/**
		* Issued by trusted authority (usually the one handling invocation) that attest
		* that specific UCAN delegation has been considered authentic.
		*
		* @see https://github.com/web3-storage/specs/blob/main/w3-session.md#authorization-session
		*
		* @example
		* ```js
		* {
		iss: "did:web:web3.storage",
		aud: "did:key:z6Mkk89bC3JrVqKie71YEcc5M1SMVxuCgNx6zLZ8SYJsxALi",
		att: [{
		"with": "did:web:web3.storage",
		"can": "ucan/attest",
		"nb": {
		"proof": {
		"/": "bafyreifer23oxeyamllbmrfkkyvcqpujevuediffrpvrxmgn736f4fffui"
		}
		}
		}],
		exp: null
		sig: "..."
		}
		* ```
		*/
		export const session = capability({
		can: 'ucan/attest',
		// Should be web3.storage DID
		with: URI.match({ protocol: 'did:' }),
		nb: Schema.struct({
		// UCAN delegation that is being attested.
		proof: Link,
		}),
		})

		export const claim = capability({
		@@ -141,0 +112,0 @@ can: 'access/claim',

src/index.js

		@@ -21,2 +21,3 @@ import * as Provider from './provider.js'
		import * as Plan from './plan.js'
		import * as Usage from './usage.js'

		@@ -44,2 +45,3 @@ export {
		Plan,
		Usage,
		}
		@@ -65,3 +67,3 @@
		Access.authorize.can,
		Access.session.can,
		UCAN.attest.can,
		Customer.get.can,
		@@ -86,2 +88,4 @@ Consumer.has.can,
		Plan.get.can,
		Usage.usage.can,
		Usage.report.can,
		]

src/types.ts

		@@ -11,2 +11,3 @@ import type { TupleToUnion } from 'type-fest'
		Link,
		Failure,
		UnknownLink,
		@@ -38,2 +39,3 @@ } from '@ucanto/interface'
		import * as PlanCaps from './plan.js'
		import * as UsageCaps from './usage.js'

		@@ -60,3 +62,3 @@ export type ISO8601Date = string

		export interface UnknownProvider extends Ucanto.Failure {
		export interface UnknownProvider extends Failure {
		name: 'UnknownProvider'
		@@ -78,3 +80,9 @@ did: DID
		// eslint-disable-next-line @typescript-eslint/no-empty-interface
		export type AccessAuthorizeSuccess = Unit
		export interface AccessAuthorizeSuccess {
		request: Link
		expiration: number
		}

		export interface AccessAuthorizeFailure extends Ucanto.Failure {}

		export type AccessClaim = InferInvokedCapability<typeof AccessCaps.claim>
		@@ -102,5 +110,41 @@ export interface AccessClaimSuccess {

		export type AccessSession = InferInvokedCapability<typeof AccessCaps.session>
		export type AccessConfirm = InferInvokedCapability<typeof AccessCaps.confirm>

		// Usage

		export type Usage = InferInvokedCapability<typeof UsageCaps.usage>
		export type UsageReport = InferInvokedCapability<typeof UsageCaps.report>
		export type UsageReportSuccess = Record<ProviderDID, UsageData>
		export type UsageReportFailure = Ucanto.Failure

		export interface UsageData {
		/** Provider the report concerns, e.g. `did:web:web3.storage` */
		provider: ProviderDID
		/** Space the report concerns. */
		space: SpaceDID
		/** Period the report applies to. */
		period: {
		/** ISO datetime the report begins from (inclusive). */
		from: ISO8601Date
		/** ISO datetime the report ends at (inclusive). */
		to: ISO8601Date
		}
		/** Observed space size for the period. */
		size: {
		/** Size at the beginning of the report period. */
		initial: number
		/** Size at the end of the report period. */
		final: number
		}
		/** Events that caused the size to change during the period. */
		events: Array<{
		/** CID of the invoked task that caused the size to change. */
		cause: Link
		/** Number of bytes that were added or removed. */
		delta: number
		/** ISO datetime that the receipt was issued for the change. */
		receiptAt: ISO8601Date
		}>
		}

		// Provider
		@@ -434,2 +478,3 @@ export type ProviderAdd = InferInvokedCapability<typeof provider.add>
		export type UCANRevoke = InferInvokedCapability<typeof UCANCaps.revoke>
		export type UCANAttest = InferInvokedCapability<typeof UCANCaps.attest>

		@@ -563,3 +608,3 @@ export interface Timestamp {
		AccessAuthorize['can'],
		AccessSession['can'],
		UCANAttest['can'],
		CustomerGet['can'],
		@@ -583,3 +628,5 @@ ConsumerHas['can'],
		AdminStoreInspect['can'],
		PlanGet['can']
		PlanGet['can'],
		Usage['can'],
		UsageReport['can']
		]

src/ucan.js

		@@ -76,1 +76,41 @@ /**
		})

		/**
		* Issued by trusted authority (usually the one handling invocation) that attest
		* that specific UCAN delegation has been considered authentic.
		*
		* @see https://github.com/web3-storage/specs/blob/main/w3-session.md#authorization-session
		*
		* @example
		* ```js
		* {
		iss: "did:web:web3.storage",
		aud: "did:key:z6Mkk89bC3JrVqKie71YEcc5M1SMVxuCgNx6zLZ8SYJsxALi",
		att: [{
		"with": "did:web:web3.storage",
		"can": "ucan/attest",
		"nb": {
		"proof": {
		"/": "bafyreifer23oxeyamllbmrfkkyvcqpujevuediffrpvrxmgn736f4fffui"
		}
		}
		}],
		exp: null
		sig: "..."
		}
		* ```
		*/
		export const attest = capability({
		can: 'ucan/attest',
		// Should be web3.storage DID
		with: Schema.did(),
		nb: Schema.struct({
		// UCAN delegation that is being attested.
		proof: Schema.link({ version: 1 }),
		}),
		derives: (claim, from) =>
		// With field MUST be the same
		and(equalWith(claim, from)) ??
		// UCAN link MUST be the same
		checkLink(claim.nb.proof, from.nb.proof, 'nb.proof'),
		})

src/utils.js

		@@ -49,3 +49,2 @@ import { DID, fail, ok } from '@ucanto/validator'
		*/

		export function equal(child, parent, constraint) {
		@@ -52,0 +51,0 @@ if (parent === undefined \|\| parent === '*') {

dist/src/access.d.ts.map