Expose the existing Blake3-256 content hash as an ETag header on KV
read responses. The hash was already computed and stored during writes;
this change threads it through InvocationOutcome::KvRead and sets
ETag: "blake3-<hex>" in the HTTP response.

Enables client-side caching for the TinyCloud CLI.

…22)

Implement the SQL service as specified in Appendix J, providing
relational database capabilities per-space via SQLite.

Core SQL module (tinycloud-core/src/sql/):
- types: SqlRequest/SqlResponse/SqlValue/SqlError with serde support
- caveats: SqlCaveats for table/column/statement/read-only restrictions
- parser: Pre-execution SQL validation via sqlparser-rs (blocks ATTACH/DETACH)
- authorizer: SQLite authorizer callback for defense-in-depth enforcement
- storage: Hybrid in-memory/file storage with WAL mode and backup API promotion
- database: Actor-per-database pattern via spawn_blocking + mpsc channels
- service: SqlService registry with DashMap, lazy actor spawning, idle timeout

Server integration:
- Route handler detects sql service capabilities and dispatches to SQL path
- JSON request/response for query/execute/batch, binary for export
- SqlError mapped to appropriate HTTP status codes
- SqlStorageConfig added to server configuration
- sql_database migration for metadata tracking
- "sql" added to /version features

Dependencies: rusqlite 0.31 (bundled), sqlparser 0.44

* Add public spaces: unauthenticated read endpoints, rate limiting, storage quota

Implement the public spaces feature for TinyCloud. Spaces with name "public"
are recognized as public and served via unauthenticated REST endpoints.

- New GET/HEAD/OPTIONS endpoints at /public/<space_id>/kv/<key> and
  /public/<space_id>/kv?prefix=<p> for unauthenticated KV reads
- is_public_space() detection based on space name == "public"
- Per-IP token bucket rate limiter (default 60 req/min, burst 10)
- If-None-Match / ETag conditional request support (304 Not Modified)
- CORS headers (Access-Control-Allow-Origin: *) on all public responses
- Cache-Control: public, max-age=60 on all public responses
- Separate storage quota for public spaces (default 10MB vs regular limit)
- Configurable via [public_spaces] config section

* fix: use KVKey request guard for dot-prefixed key paths

Rocket's PathBuf rejects path segments starting with dots (e.g.
.well-known/profile). Replace PathBuf with a KVKey FromRequest
guard that extracts the key from the raw request URI, and a
RawKeyPath FromSegments type for route matching.

* fix: use RawKeyPath to allow dot-prefixed keys in public endpoints

Rocket's PathBuf rejects dot-prefixed path segments like .well-known/
as a security measure. Replace with RawKeyPath (custom FromSegments)
that joins segments without filtering. Also merge duplicate OPTIONS
handlers into a single route to avoid collision.

* feat: add vault WASM crypto functions and fix public endpoint edge cases

Add AES-256-GCM encryption/decryption, HKDF-SHA256 key derivation,
X25519 key exchange, and utility functions (SHA-256, random bytes)
to tinycloud-sdk-wasm for the Data Vault feature.

Also fixes public space endpoint to properly handle async_trait
macro import and metadata filtering.

* chore: add changeset for vault WASM crypto

* fix: resolve clippy deprecated warning and rustfmt issues in vault.rs

* fix: rustfmt PUBLIC_SAFE_HEADERS array

Adds two new WASM-exported functions that enable Ed25519 session keys
to participate in vault encryption without requiring a wallet signature:

- vault_ed25519_seed_to_x25519: Converts Ed25519 seed to X25519 key pair
  via SHA-512 derivation (standard Ed25519→X25519 conversion)
- vault_ed25519_pub_to_x25519: Converts Ed25519 public key to X25519
  public key via Edwards→Montgomery birational map

This allows share link recipients (who only have a session key) to
derive the X25519 keys needed for vault grant decryption, removing the
requirement for a wallet signature to access shared encrypted content.

* feat: add multi-space session support to SessionConfig

SessionConfig now accepts optional `additionalSpaces` so a single SIWE
signature can cover multiple spaces (e.g., primary + public). The
into_message() method generates ReCap capability URIs for all spaces,
enabling the SDK to operate on both default and public spaces without
requiring a second wallet interaction.

* feat: lazy delegation activation - skip missing spaces for multi-space sessions

Server now tolerates missing spaces during delegation processing instead
of failing with SpaceNotFound. For delegation-only transactions, spaces
that don't exist in the DB are skipped (no epoch/event_order created),
while the delegation record is still fully saved. Invocations continue
to fail explicitly with 404 for non-existent spaces.

The /delegate endpoint now returns JSON with activated/skipped space
lists, allowing clients to defer public space creation until needed
rather than eagerly creating it during signIn.

* feat: add DuckDB service (tinycloud.duckdb/*) with full server integration

Add embedded analytical database service with columnar storage, per-space
isolation, and UCAN capability model. Mirrors the SQL service architecture
with DuckDB-specific features:

Core module (tinycloud-core/src/duckdb/):
- Actor-based connection pool with idle timeout and memory threshold promotion
- SQL parser validation (GenericDialect) as primary security layer
- DuckDB settings lockdown (external access disabled, unsigned extensions blocked)
- Rich value types including List and Struct with recursive serde
- Describe, Ingest, ExportToKv, Export, Import request variants
- UCAN caveats for table/column/statement allowlists and read-only mode

Server integration:
- DuckDbStorageConfig with configurable path, memory threshold, idle timeout
- Route handling with capability extraction and error status mapping
- Binary response support for database export and Arrow IPC streams
- "duckdb" added to /version features

* fix: DuckDB service security hardening, type alignment, and robustness

Security:
- Replace statement blocklist with 3-tier allowlist (default/admin/delegation bypass)
- Block security-critical SET vars (enable_external_access, etc.) unconditionally
- Expand function blocklist (parquet_scan, csv_scan, glob, iceberg_scan, etc.)
- Validate max_memory against SQL injection
- Validate db_name against path traversal (.., /, \, null)
- Validate imported databases (temp file + DuckDB open + test query)
- Block export when caveats active
- Apply caveats to describe (filter tables/columns)
- Handle SELECT * with column caveats

Types:
- Fix ColumnInfo wire format (type/nullable instead of dataType/isNullable)
- Remove unnecessary Deserialize from DuckDbResponse
- Fix UBigInt truncation (values > i64::MAX as string)
- Fix Map key formatting (Display instead of Debug)

Robustness:
- Clean up stale actor entries from DashMap on exit
- Fix promote_to_file (temporarily enable external access for EXPORT DATABASE)
- Use async I/O (tokio::fs) in async functions
- Replace expect() with error propagation in actor open
- Replace filter_map(|r| r.ok()) with proper error propagation
- Add statement_timeout = 30s

Arrow IPC:
- Add execute_query_arrow() using stmt.query_arrow() + StreamWriter
- Route Arrow format via Accept header through to actor
- Add Arrow variant to DuckDbResponse

Quality:
- Extract verify_auth() and read_json_body() helpers from route handlers
- Add 32 unit tests across parser, caveats, storage, and types

* fix: add g++ to Docker build for arrow crate compilation

* feat: auto-create local storage directories on startup

Local resources (SQLite parent dir, block storage dir, SQL/DuckDB dirs)
are now created automatically on first run. Remote backends (Postgres,
S3) are left untouched — their connection errors surface naturally.

Replaces the raw .unwrap() panic in main with a readable error chain
so misconfigured remote backends get clear diagnostics.

* fix: DuckDB query panic and statement_timeout incompatibility

- Remove SET statement_timeout (unsupported in duckdb crate v1.4.4)
- Move column_names() call after query() execution to avoid panic
  in RawStatement::schema when schema isn't populated yet
- Remove DenchClaw references from spec

* fix: route export through actor for in-memory database support

Export previously read directly from disk, returning 404 for in-memory
databases. Now routes through the database actor which can serialize
both in-memory and file-backed databases.

- Add Export message variant to DuckDB and SQL actors
- Use Arrow record batches (appender-arrow) for fast bulk copy
- Fix promote_to_file to use copy_tables instead of broken
  enable_external_access toggle
- SQL export uses SQLite backup API for in-memory serialization

* fix: resolve SQLite concurrency deadlock for concurrent requests

SQLite's DEFERRED transactions deadlock when concurrent verify_auth()
calls both try to upgrade from shared read to exclusive write locks.
The SQLITE_BUSY error was incorrectly mapped to SpaceNotFound (404).

- Set max_connections(1) for SQLite to serialize writes
- Enable WAL mode for concurrent reads
- Set busy_timeout(5s) as safety net
- Add tracing::warn with actual error details on epoch insert failure
- Keep max_connections(100) for PostgreSQL/MySQL

* fix: propagate errors in copy_tables instead of silently dropping them

Replace .filter_map(|r| r.ok()) with .collect::<Result<Vec<_>, _>>()
to surface row deserialization errors during table copy. Log view copy
failures instead of silently swallowing them with let _ =.

* fix: resolve clippy large_enum_variant and rustfmt issues

- Box DuckDbRequest in DbMessage::Execute to reduce enum size disparity
  (209 bytes vs 8 bytes)
- Apply rustfmt formatting to storage.rs

* style: apply rustfmt formatting

- release.yml: on push to main, creates a "Version Packages" PR via
  changesets/action when changeset files exist, creates a GitHub Release
  when version bump is merged
- version-cargo.mjs: custom version script that reads changeset files,
  bumps all Cargo.toml versions, updates CHANGELOG.md, and removes
  consumed changesets
- Add duckdb-service changeset for the DuckDB feature

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>