@agentvault/agentvault 0.16.0 → 0.17.1

package/README.md

@@ -1,119 +1,274 @@
 # @agentvault/agentvault
 
-The security infrastructure layer for AI agents — cryptographic identity, earned trust, and Signal-grade encrypted communications natively integrated with OpenClaw.
+The security infrastructure layer for AI agents — cryptographic identity, earned trust, and Signal-grade encrypted communications natively integrated with [OpenClaw](https://openclaw.ai).
 
-Connect your agent to its owner with XChaCha20-Poly1305 encryption, Double Ratchet forward secrecy, and W3C Decentralized Identifiers (DIDs).
+Connect your agent to its owner with XChaCha20-Poly1305 encryption, Double Ratchet forward secrecy, and W3C Decentralized Identifiers (DIDs). No plaintext ever touches the server.
 
-## What's New in v0.14.30 (Gen2)
+## What's New in v0.17.0
 
-* **OpenClaw Native Plugin:** AgentVault now integrates directly into OpenClaw as a first-class channel (`agentvault`).
-* **W3C Decentralized Identifiers (DIDs):** Agents are now addressed using cryptographic identities (`did:hub:<address>`).
-* **Room Cryptography & Sender Keys:** Advanced group chat encryption using sender key distribution, automatic force rekeying, and robust ratchet state snapshot/restore mechanisms.
-* **Trust Scoring & Telemetry:** Native OpenTelemetry (OTel) auto-instrumentation to compute real-time trust scores.
-* **Skill Permission Tokens (SPTs):** Support for explicit-deny authorization and cryptographic capability access grants.
+* **Policy Enforcer:** 5-stage policy pipeline (Parse → Validate → Enforce → Log → Report) with tool blocklists, model routing rules, and telemetry emission.
+* **SKILL.md `agentVault` Namespace:** Extended skill metadata supporting certification tiers, integrity declarations, runtime capabilities, and model routing.
+* **Unified Delivery Protocol:** Single `deliver()` dispatcher for all outbound messages — text, decisions, approvals, policy alerts, and artifacts.
+* **20 OTel Span Types:** Full observability with `av.*`-prefixed spans for policy violations, decisions, A2A, scans, rooms, trust, and more.
+* **W3C TraceContext:** All telemetry spans carry `traceparent` and `tracestate` for cross-agent trace correlation.
 
----
-
-## Installation & Quick Start
+## Installation
 
-### 1. OpenClaw Channel Integration (Recommended)
-
-To install AgentVault globally as an OpenClaw channel plugin:
+### OpenClaw Plugin (Recommended)
 
 ```bash
-# Using pnpm (adjust path to your global installation)
-PNPM_HOME=~/Library/pnpm /opt/homebrew/bin/pnpm add -g @agentvault/agentvault@latest
+openclaw plugins install @agentvault/agentvault
 ```
 
-After installation, configure the channel with your invite token from the AgentVault dashboard:
+Then enroll your agent with an invite token from the [AgentVault dashboard](https://app.agentvault.chat):
 
 ```bash
 npx @agentvault/agentvault setup --token=YOUR_INVITE_TOKEN
 ```
 
-⚠️ **CRITICAL WARNING FOR UPGRADES:**
-> There is currently a known bug in `setup.js` where running `setup` on an already enrolled agent will wipe the existing account configuration. **Always back up your `agentvault.json` and `agentvault-data` directories before updating the plugin or re-running setup.**
-
-### 2. Standalone CLI Usage
-
-If you are not using OpenClaw, you can run AgentVault as a standalone interactive CLI:
+### Standalone CLI
 
 ```bash
 npx @agentvault/agentvault setup --token=YOUR_INVITE_TOKEN
 npx @agentvault/agentvault
 ```
 
-The CLI will:
-1. Generate an Ed25519 identity keypair
-2. Enroll your agent with the server (anchoring a `did:hub` identity)
-3. Wait for owner approval
-4. Establish an end-to-end encrypted channel
+The CLI will generate an Ed25519 identity keypair, enroll with the server (anchoring a `did:hub` identity), wait for owner approval, and establish an E2E encrypted channel.
 
----
+## CLI Commands
+
+| Command | Description |
+|---------|-------------|
+| `setup --token=TOKEN` | Enroll a new agent with an invite token |
+| `create --name=NAME` | Create a new agent account in OpenClaw |
+| `send --text="..."` | Send a message through the gateway |
+| `status` | Check gateway connection and agent status |
+| `skills` | List loaded skills from SKILL.md files |
+| `doctor [--fix]` | Diagnose and fix LaunchAgent / gateway issues |
+| `version` | Print the installed version |
 
-## Programmatic SDK Integration
+## Programmatic Usage
 
-You can easily integrate AgentVault directly into custom Node.js/TypeScript agent architectures.
+### SecureChannel
 
-```ts
+The core class for establishing an E2E encrypted channel between your agent and its owner.
+
+```typescript
 import { SecureChannel } from "@agentvault/agentvault";
 
 const channel = new SecureChannel({
   inviteToken: process.env.AGENTVAULT_INVITE_TOKEN,
   dataDir: "./agentvault-data",
   apiUrl: "https://api.agentvault.chat",
-  agentName: "My Custom Agent",
+  agentName: "My Agent",
 });
 
 channel.on("message", (text, metadata) => {
-  console.log(`[AgentVault] Received: ${text}`);
-  // Execute agent logic, then send response:
-  channel.send(`Task complete. Result: ${text}`);
+  console.log(`Owner says: ${text}`);
+  console.log(`Type: ${metadata.messageType}`);
 });
 
 channel.on("ready", () => {
-  console.log(`Secure channel established! Routing address: did:hub:${channel.deviceId}`);
+  console.log(`Secure channel established: did:hub:${channel.deviceId}`);
 });
 
 await channel.start();
 ```
 
-### Advanced: Telemetry & OTel
-To enable behavioral trust scoring, configure the telemetry exporter:
+### Gateway Send Helpers
+
+Send messages from your agent code without managing the channel directly:
+
+```typescript
+import { sendToOwner, sendToRoom, sendToTarget, listTargets } from "@agentvault/agentvault";
+
+// Send to the agent owner
+await sendToOwner("Task complete — 3 files processed");
+
+// Send to a multi-agent room
+await sendToRoom("room_abc123", "Ready for review");
+
+// Send to any target (auto-resolves owner, room, or A2A)
+await sendToTarget("did:hub:other_agent", "Handoff data");
+
+// List available targets
+const targets = await listTargets();
+```
+
+### Structured Messages
 
-```ts
-// Telemetry is automatically routed through the established E2E channel
-channel.enableTelemetry({
-  serviceName: "my-custom-agent",
-  exportIntervalMs: 5000
+```typescript
+import { sendDecisionToOwner } from "@agentvault/agentvault";
+
+// Decision request — ask the owner to choose
+await sendDecisionToOwner({
+  question: "Which database should I use?",
+  options: [
+    { label: "PostgreSQL", value: "postgres" },
+    { label: "SQLite", value: "sqlite" },
+  ],
+  urgency: "medium",
 });
 ```
 
+All 8 message types are supported: `text`, `decision_request`, `decision_response`, `approval_request`, `approval_response`, `policy_alert`, `artifact_share`.
+
+### Skill Management
+
+Define skills using SKILL.md frontmatter:
+
+```markdown
+---
+name: code-review
+version: "1.0.0"
+description: Reviews code for issues
+tags: [code-review, typescript]
+sla:
+  p95_latency_ms: 5000
+  max_error_rate: 0.05
+schema:
+  type: object
+  properties:
+    code:
+      type: string
+  required: [code]
+agentVault:
+  certification: certified
+  integrity:
+    algorithm: XChaCha20-Poly1305
+    hashChain: SHA-256
+  requiredPolicies: ["network: agentvault"]
+  runtime:
+    capabilities: [file.read, web.fetch]
+    forbidden: [shell.exec]
+  model:
+    allowed: [gpt-4, claude-sonnet-4-20250514]
+    default: claude-sonnet-4-20250514
 ---
+# Code Review Skill
 
-## Security Architecture
+Review the provided code for bugs, security issues, and style violations...
+```
 
-AgentVault is a **zero-knowledge** platform. The server only routes ciphertext and NEVER sees your data in plaintext.
+Load and use skills programmatically:
 
-* **Identity:** Ed25519 dual-key model (Owner Key + Operational Key) linked to a `did:hub` identifier.
-* **Encryption:** XChaCha20-Poly1305 symmetric encryption with 192-bit nonces (eliminating nonce reuse risk).
-* **Forward Secrecy:** Double Ratchet protocol and X3DH key agreement. Old keys are mathematically destroyed.
-* **Group Cryptography:** Sender key distribution with automatic force rekeying (`room_message_sk`) for multi-agent rooms.
-* **Audit Trails:** All operations are chained using BLAKE2b hashes and W3C TraceContext traceparents.
+```typescript
+import { parseSkillMd, loadSkillsFromDirectory, invokeSkill } from "@agentvault/agentvault";
 
-## Webhook Notifications
+// Load all SKILL.md files from a directory
+const manifest = await loadSkillsFromDirectory("./skills");
 
-Enable HTTP POST webhooks when a new message arrives for offline-capable agents:
+// Invoke a skill with policy enforcement
+const result = await invokeSkill("code-review", {
+  args: { code: "function foo() { eval(input); }" },
+});
+```
 
-```ts
-const channel = new SecureChannel({
-  // ...
-  webhookUrl: "https://your-server.com/webhook/agentvault",
+### Policy Enforcement
+
+The PolicyEnforcer validates skill invocations against a 5-stage pipeline:
+
+```typescript
+import { PolicyEnforcer } from "@agentvault/agentvault";
+
+const enforcer = new PolicyEnforcer();
+
+// Register a skill with its policy constraints
+enforcer.registerSkill({
+  name: "code-review",
+  toolsAllowed: ["file.read"],
+  toolsDenied: ["shell.exec", "network.raw"],
+  modelRouting: { allowed: ["gpt-4", "claude-sonnet-4-20250514"] },
+});
+
+// Evaluate before execution
+const result = enforcer.evaluate({
+  skillName: "code-review",
+  toolName: "shell.exec",
+  model: "gpt-4",
 });
+
+if (!result.allowed) {
+  console.log("Blocked:", result.violations);
+  // [{ ruleId: "tool_deny", scope: "tool", message: "shell.exec is forbidden" }]
+}
+
+// Get aggregate metrics
+const metrics = enforcer.getMetrics();
+// { totalEvaluations: 42, totalBlocks: 3, bySkill: {...}, byRule: {...} }
 ```
-*Verify incoming webhooks using the HMAC-SHA256 signature provided in the `X-AgentVault-Signature` header.*
 
----
+### MCP Server (Embedded)
+
+Expose your agent's skills as MCP tools:
+
+```typescript
+import { AgentVaultMcpServer } from "@agentvault/agentvault";
+
+const mcpServer = new AgentVaultMcpServer({
+  skills: manifest.skills,
+  channel,          // SecureChannel instance for message relay
+  enforcer,         // PolicyEnforcer for pre-execution checks
+});
+```
+
+### Telemetry
+
+The plugin auto-instruments all message operations with OTel-shaped telemetry spans. Spans are exported to `https://api.agentvault.chat/api/v1/otel/push` and feed the trust scoring engine and observability dashboard.
+
+```typescript
+import { wrapSkillExecution, reportSkillInvocation } from "@agentvault/agentvault";
+
+// Wrap a skill execution to auto-emit spans
+const result = await wrapSkillExecution("code-review", async () => {
+  // Your skill logic here
+  return { issues: 3 };
+});
+```
+
+## OpenClaw Integration
+
+When installed as an OpenClaw plugin, AgentVault registers as the `agentvault` channel:
+
+```json
+{
+  "channels": {
+    "agentvault": {
+      "accountId": "your-agent-account-id"
+    }
+  }
+}
+```
+
+The plugin hooks into OpenClaw's lifecycle:
+
+- **Channel gateway** — routes inbound/outbound messages through the E2E encrypted channel
+- **Heartbeat wake** — keeps the agent alive via OpenClaw's heartbeat system
+- **Agent events** — listens for session start/end and transcript updates
+- **Managed HTTP routes** — `/send`, `/status`, `/targets`, `/action`, `/decision`
+- **MCP serving** — exposes skills as MCP tools via `/mcp` route
+
+## Security Architecture
+
+AgentVault is a **zero-knowledge** platform. The server routes ciphertext and NEVER sees plaintext.
+
+| Layer | Technology |
+|-------|-----------|
+| Identity | Ed25519 keypairs linked to `did:hub` identifiers |
+| Encryption | XChaCha20-Poly1305 with 192-bit nonces |
+| Forward Secrecy | Double Ratchet protocol + X3DH key agreement |
+| Group Crypto | Sender Key distribution with automatic force rekeying |
+| Audit | BLAKE2b hash-chained entries with W3C TraceContext |
+| Policy | 5-stage pipeline: Parse → Validate → Enforce → Log → Report |
+
+## Related Packages
+
+| Package | Description |
+|---------|-------------|
+| [`@agentvault/sdk`](https://www.npmjs.com/package/@agentvault/sdk) | SDK for third-party agent integration (API key auth + E2E) |
+| [`@agentvault/mcp-server`](https://www.npmjs.com/package/@agentvault/mcp-server) | Standalone MCP server for any MCP-compatible host |
+| [`@agentvault/crypto`](https://www.npmjs.com/package/@agentvault/crypto) | Cryptographic primitives (Double Ratchet, X3DH, XChaCha20, telemetry) |
+| [`@agentvault/verify`](https://www.npmjs.com/package/@agentvault/verify) | Lightweight agent verification SDK |
 
 ## License
 

package/dist/channel.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"channel.d.ts","sourceRoot":"","sources":["../src/channel.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAQ3C,OAAO,EAWL,iBAAiB,EAClB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,KAAK,EACV,mBAAmB,EACnB,YAAY,EAMZ,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,eAAe,EACf,WAAW,EACX,cAAc,EACd,oBAAoB,EACpB,QAAQ,EAER,UAAU,EAEV,cAAc,EACd,eAAe,EACf,eAAe,EACf,eAAe,EACf,UAAU,EACX,MAAM,YAAY,CAAC;AA6DpB,qBAAa,aAAc,SAAQ,YAAY;IAkEjC,OAAO,CAAC,MAAM;IAjE1B,OAAO,CAAC,MAAM,CAAwB;IACtC,OAAO,CAAC,SAAS,CAAuB;IACxC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,sBAAsB,CAAc;IAC5C,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,SAAS,CAGH;IACd,OAAO,CAAC,GAAG,CAA0B;IACrC,OAAO,CAAC,UAAU,CAA8C;IAChE,OAAO,CAAC,iBAAiB,CAAK;IAC9B,OAAO,CAAC,eAAe,CAA8C;IACrE,OAAO,CAAC,iBAAiB,CAAK;IAC9B,OAAO,CAAC,eAAe,CAAK;IAC5B,OAAO,CAAC,UAAU,CAA+C;IACjE,OAAO,CAAC,kBAAkB,CAAK;IAC/B,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,SAAS,CAA8C;IAC/D,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,UAAU,CAA+B;IACjD,OAAO,CAAC,WAAW,CAAuB;IAC1C,OAAO,CAAC,kBAAkB,CAA+C;IACzE,OAAO,CAAC,eAAe,CAA+C;IACtE,OAAO,CAAC,kBAAkB,CAAwC;IAClE,OAAO,CAAC,yBAAyB,CAAa;IAC9C,OAAO,CAAC,kBAAkB,CAA+C;IACzE,OAAO,CAAC,aAAa,CAAsB;IAC3C,OAAO,CAAC,iBAAiB,CAA+C;IACxE,OAAO,CAAC,eAAe,CAA4B;IAEnD,iEAAiE;IACjE,OAAO,CAAC,gBAAgB,CAA0C;IAClE,kEAAkE;IAClE,OAAO,CAAC,gBAAgB,CAA0C;IAElE,0GAA0G;IAC1G,OAAO,CAAC,gBAAgB,CAAiF;IACzG,qFAAqF;IACrF,OAAO,CAAC,kBAAkB,CAAqB;IAC/C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAO;IAC3C,OAAO,CAAC,WAAW,CAA2B;IAC9C,OAAO,CAAC,mBAAmB,CAAK;IAChC,OAAO,CAAC,kBAAkB,CAAkC;IAE5D,oFAAoF;IACpF,OAAO,CAAC,oBAAoB,CAAqB;IAEjD,mGAAmG;IACnG,OAAO,CAAC,kBAAkB,CAAqB;IAE/C,mFAAmF;IACnF,OAAO,CAAC,kBAAkB,CAAkC;IAE5D,sDAAsD;IACtD,OAAO,CAAC,kBAAkB,CAA8C;IACxE,OAAO,CAAC,oBAAoB,CAAS;IAIrC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAU;IAClD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CAAU;IACpD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,yBAAyB,CAAU;IAC3D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,qBAAqB,CAAU;gBAEnC,MAAM,EAAE,mBAAmB;IAI/C,IAAI,KAAK,IAAI,YAAY,CAExB;IAED,IAAI,QAAQ,IAAI,MAAM,GAAG,IAAI,CAE5B;IAED,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED,iEAAiE;IACjE,IAAI,cAAc,IAAI,MAAM,GAAG,IAAI,CAElC;IAED,2CAA2C;IAC3C,IAAI,eAAe,IAAI,MAAM,EAAE,CAE9B;IAED,6CAA6C;IAC7C,IAAI,YAAY,IAAI,MAAM,CAEzB;IAED,mFAAmF;IACnF,IAAI,iBAAiB,IAAI,MAAM,GAAG,SAAS,CAE1C;IAED,mFAAmF;IACnF,IAAI,OAAO,IAAI,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAGrD;IAED,gEAAgE;IAChE,IAAI,gBAAgB,IAAI,MAAM,EAAE,CAG/B;IAED,kFAAkF;IAClF,oBAAoB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKtD,kFAAkF;IAClF,IAAI,SAAS,IAAI,iBAAiB,GAAG,IAAI,CAExC;IAEK,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAoF5B;;OAEG;YACW,eAAe;IAiB7B;;OAEG;IACH,OAAO,CAAC,cAAc;IAuBtB;;;OAGG;IACG,IAAI,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IA0HnE;;;OAGG;IACH,UAAU,IAAI,IAAI;IAYlB;;;OAGG;IACH,gBAAgB,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAazD;;;;OAIG;IACG,mBAAmB,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC;IA6BpE;;;;;;OAMG;IACH,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAuClF;;;OAGG;IACG,QAAQ,CAAC,QAAQ,EAAE;QACvB,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,cAAc,EAAE,CAAC;QAC1B,aAAa,EAAE,oBAAoB,EAAE,CAAC;QACtC,UAAU,CAAC,EAAE,OAAO,CAAC;KACtB,GAAG,OAAO,CAAC,IAAI,CAAC;IAuJjB;;;OAGG;IACG,UAAU,CACd,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EACjB,IAAI,CAAC,EAAE;QACL,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACpC,GACA,OAAO,CAAC,IAAI,CAAC;IAmHhB;;OAEG;IACG,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAoB9C;;OAEG;IACH,QAAQ,IAAI,QAAQ,EAAE;IAYtB,cAAc,CACZ,eAAe,EAAE,MAAM,EACvB,cAAc,EAAE,MAAM,eAAe,GACpC,IAAI;IAUD,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC;IAuB9B,eAAe,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAsBlD,YAAY,CAAC,QAAQ,EAAE;QAC3B,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,GAAG,OAAO,CAAC,IAAI,CAAC;IA2CX,sBAAsB,CAAC,YAAY,EAAE;QACzC,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,EAAE,WAAW,GAAG,QAAQ,GAAG,SAAS,CAAC;QAC3C,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,GAAG,OAAO,CAAC,IAAI,CAAC;IAkBX,4BAA4B,CAChC,MAAM,EAAE,MAAM,EACd,YAAY,EAAE;QACZ,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,EAAE,WAAW,GAAG,QAAQ,GAAG,SAAS,CAAC;QAC3C,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,cAAc,CAAC,EAAE,MAAM,CAAC;KACzB,GACA,OAAO,CAAC,IAAI,CAAC;IA0BhB;;;OAGG;IACG,OAAO,CACX,MAAM,EAAE,cAAc,EACtB,OAAO,EAAE,eAAe,EACxB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,eAAe,CAAC;IA0I3B;;OAEG;IACH,WAAW,IAAI,UAAU,EAAE;IAqC3B,OAAO,CAAC,cAAc;IAkBhB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAqC3B,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAkFnC,OAAO,CAAC,eAAe;IASvB;;;OAGG;IACG,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAA;KAAE,CAAC;IAsC1F;;;OAGG;IACG,UAAU,IAAI,OAAO,CAAC,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IAiCpF;;;OAGG;IACG,iBAAiB,CAAC,mBAAmB,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IA0CrE;;;;;;;;;;OAUG;IACG,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAmHpG;;;OAGG;IACG,eAAe,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YAoDhC,OAAO;IAgDrB,OAAO,CAAC,KAAK;YAsCC,SAAS;IAyIvB,OAAO,CAAC,QAAQ;IAimBhB;;;;OAIG;YACW,sBAAsB;IAmRpC;;;OAGG;YACW,6BAA6B;IA6C3C;;;OAGG;YACW,iBAAiB;IAwD/B;;;OAGG;IACG,kBAAkB,CACtB,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,GAC7B,OAAO,CAAC,IAAI,CAAC;IA8ChB;;;OAGG;YACW,oBAAoB;IAkDlC;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IAgC5B;;;OAGG;YACW,oBAAoB;IAyBlC;;;OAGG;YACW,uBAAuB;IAkCrC;;;;OAIG;YACW,mBAAmB;IAuEjC;;;;OAIG;YACW,oBAAoB;IA8ElC;;;OAGG;YACW,kBAAkB;IAyNhC;;OAEG;IACH,OAAO,CAAC,0BAA0B;IAiBlC;;;;OAIG;YACW,oBAAoB;IAuClC;;;OAGG;YACW,4BAA4B;IA2F1C;;OAEG;YACW,oBAAoB;IAqGlC;;;OAGG;IACH;;;OAGG;YACW,mBAAmB;IAsKjC,OAAO,CAAC,QAAQ;IAMhB,OAAO,CAAC,UAAU;YAMJ,mBAAmB;IAmCjC,OAAO,CAAC,UAAU;IAelB,OAAO,CAAC,SAAS;IAOjB,OAAO,CAAC,kBAAkB;IAe1B,OAAO,CAAC,iBAAiB;IAOzB,OAAO,CAAC,iBAAiB;IAOzB,OAAO,CAAC,gBAAgB;YAOV,qBAAqB;IAuCnC,OAAO,CAAC,kBAAkB;IA4C1B,OAAO,CAAC,SAAS;IAejB,OAAO,CAAC,kBAAkB;IA2H1B,OAAO,CAAC,iBAAiB;IAQzB,OAAO,CAAC,YAAY;IAKpB;;;OAGG;YACW,aAAa;IAyB3B;;;OAGG;IACH,OAAO,CAAC,qBAAqB;CAqB9B"}
+{"version":3,"file":"channel.d.ts","sourceRoot":"","sources":["../src/channel.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAQ3C,OAAO,EAWL,iBAAiB,EAClB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,KAAK,EACV,mBAAmB,EACnB,YAAY,EAMZ,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,eAAe,EACf,WAAW,EACX,cAAc,EACd,oBAAoB,EACpB,QAAQ,EAER,UAAU,EAEV,cAAc,EACd,eAAe,EACf,eAAe,EACf,eAAe,EACf,UAAU,EACX,MAAM,YAAY,CAAC;AA6DpB,qBAAa,aAAc,SAAQ,YAAY;IAkEjC,OAAO,CAAC,MAAM;IAjE1B,OAAO,CAAC,MAAM,CAAwB;IACtC,OAAO,CAAC,SAAS,CAAuB;IACxC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,sBAAsB,CAAc;IAC5C,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,SAAS,CAGH;IACd,OAAO,CAAC,GAAG,CAA0B;IACrC,OAAO,CAAC,UAAU,CAA8C;IAChE,OAAO,CAAC,iBAAiB,CAAK;IAC9B,OAAO,CAAC,eAAe,CAA8C;IACrE,OAAO,CAAC,iBAAiB,CAAK;IAC9B,OAAO,CAAC,eAAe,CAAK;IAC5B,OAAO,CAAC,UAAU,CAA+C;IACjE,OAAO,CAAC,kBAAkB,CAAK;IAC/B,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,SAAS,CAA8C;IAC/D,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,UAAU,CAA+B;IACjD,OAAO,CAAC,WAAW,CAAuB;IAC1C,OAAO,CAAC,kBAAkB,CAA+C;IACzE,OAAO,CAAC,eAAe,CAA+C;IACtE,OAAO,CAAC,kBAAkB,CAAwC;IAClE,OAAO,CAAC,yBAAyB,CAAa;IAC9C,OAAO,CAAC,kBAAkB,CAA+C;IACzE,OAAO,CAAC,aAAa,CAAsB;IAC3C,OAAO,CAAC,iBAAiB,CAA+C;IACxE,OAAO,CAAC,eAAe,CAA4B;IAEnD,iEAAiE;IACjE,OAAO,CAAC,gBAAgB,CAA0C;IAClE,kEAAkE;IAClE,OAAO,CAAC,gBAAgB,CAA0C;IAElE,0GAA0G;IAC1G,OAAO,CAAC,gBAAgB,CAAiF;IACzG,qFAAqF;IACrF,OAAO,CAAC,kBAAkB,CAAqB;IAC/C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAO;IAC3C,OAAO,CAAC,WAAW,CAA2B;IAC9C,OAAO,CAAC,mBAAmB,CAAK;IAChC,OAAO,CAAC,kBAAkB,CAAkC;IAE5D,oFAAoF;IACpF,OAAO,CAAC,oBAAoB,CAAqB;IAEjD,mGAAmG;IACnG,OAAO,CAAC,kBAAkB,CAAqB;IAE/C,mFAAmF;IACnF,OAAO,CAAC,kBAAkB,CAAkC;IAE5D,sDAAsD;IACtD,OAAO,CAAC,kBAAkB,CAA8C;IACxE,OAAO,CAAC,oBAAoB,CAAS;IAIrC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAU;IAClD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CAAU;IACpD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,yBAAyB,CAAU;IAC3D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,qBAAqB,CAAU;gBAEnC,MAAM,EAAE,mBAAmB;IAI/C,IAAI,KAAK,IAAI,YAAY,CAExB;IAED,IAAI,QAAQ,IAAI,MAAM,GAAG,IAAI,CAE5B;IAED,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED,iEAAiE;IACjE,IAAI,cAAc,IAAI,MAAM,GAAG,IAAI,CAElC;IAED,2CAA2C;IAC3C,IAAI,eAAe,IAAI,MAAM,EAAE,CAE9B;IAED,6CAA6C;IAC7C,IAAI,YAAY,IAAI,MAAM,CAEzB;IAED,mFAAmF;IACnF,IAAI,iBAAiB,IAAI,MAAM,GAAG,SAAS,CAE1C;IAED,mFAAmF;IACnF,IAAI,OAAO,IAAI,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAGrD;IAED,gEAAgE;IAChE,IAAI,gBAAgB,IAAI,MAAM,EAAE,CAG/B;IAED,kFAAkF;IAClF,oBAAoB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKtD,kFAAkF;IAClF,IAAI,SAAS,IAAI,iBAAiB,GAAG,IAAI,CAExC;IAEK,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAoF5B;;OAEG;YACW,eAAe;IAiB7B;;OAEG;IACH,OAAO,CAAC,cAAc;IAuBtB;;;OAGG;IACG,IAAI,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IA0HnE;;;OAGG;IACH,UAAU,IAAI,IAAI;IAYlB;;;OAGG;IACH,gBAAgB,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAazD;;;;OAIG;IACG,mBAAmB,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC;IA6BpE;;;;;;OAMG;IACH,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAuClF;;;OAGG;IACG,QAAQ,CAAC,QAAQ,EAAE;QACvB,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,cAAc,EAAE,CAAC;QAC1B,aAAa,EAAE,oBAAoB,EAAE,CAAC;QACtC,UAAU,CAAC,EAAE,OAAO,CAAC;KACtB,GAAG,OAAO,CAAC,IAAI,CAAC;IAuJjB;;;OAGG;IACG,UAAU,CACd,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EACjB,IAAI,CAAC,EAAE;QACL,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACpC,GACA,OAAO,CAAC,IAAI,CAAC;IAmHhB;;OAEG;IACG,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAoB9C;;OAEG;IACH,QAAQ,IAAI,QAAQ,EAAE;IAYtB,cAAc,CACZ,eAAe,EAAE,MAAM,EACvB,cAAc,EAAE,MAAM,eAAe,GACpC,IAAI;IAUD,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC;IAuB9B,eAAe,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAsBlD,YAAY,CAAC,QAAQ,EAAE;QAC3B,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,GAAG,OAAO,CAAC,IAAI,CAAC;IA2CX,sBAAsB,CAAC,YAAY,EAAE;QACzC,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,EAAE,WAAW,GAAG,QAAQ,GAAG,SAAS,CAAC;QAC3C,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,GAAG,OAAO,CAAC,IAAI,CAAC;IAkBX,4BAA4B,CAChC,MAAM,EAAE,MAAM,EACd,YAAY,EAAE;QACZ,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,EAAE,WAAW,GAAG,QAAQ,GAAG,SAAS,CAAC;QAC3C,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,cAAc,CAAC,EAAE,MAAM,CAAC;KACzB,GACA,OAAO,CAAC,IAAI,CAAC;IA0BhB;;;OAGG;IACG,OAAO,CACX,MAAM,EAAE,cAAc,EACtB,OAAO,EAAE,eAAe,EACxB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,eAAe,CAAC;IA0I3B;;OAEG;IACH,WAAW,IAAI,UAAU,EAAE;IAqC3B,OAAO,CAAC,cAAc;IAkBhB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAqC3B,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAkFnC,OAAO,CAAC,eAAe;IASvB;;;OAGG;IACG,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAA;KAAE,CAAC;IAsC1F;;;OAGG;IACG,UAAU,IAAI,OAAO,CAAC,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IAiCpF;;;OAGG;IACG,iBAAiB,CAAC,mBAAmB,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IA0CrE;;;;;;;;;;OAUG;IACG,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAmHpG;;;OAGG;IACG,eAAe,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YAoDhC,OAAO;IAgDrB,OAAO,CAAC,KAAK;YAsCC,SAAS;IAyIvB,OAAO,CAAC,QAAQ;IA2mBhB;;;;OAIG;YACW,sBAAsB;IAmRpC;;;OAGG;YACW,6BAA6B;IA6C3C;;;OAGG;YACW,iBAAiB;IAwD/B;;;OAGG;IACG,kBAAkB,CACtB,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,GAC7B,OAAO,CAAC,IAAI,CAAC;IA8ChB;;;OAGG;YACW,oBAAoB;IAkDlC;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IAqC5B;;;OAGG;YACW,oBAAoB;IAyBlC;;;OAGG;YACW,uBAAuB;IAkCrC;;;;OAIG;YACW,mBAAmB;IAuEjC;;;;OAIG;YACW,oBAAoB;IA8ElC;;;OAGG;YACW,kBAAkB;IAyNhC;;OAEG;IACH,OAAO,CAAC,0BAA0B;IAiBlC;;;;OAIG;YACW,oBAAoB;IAuClC;;;OAGG;YACW,4BAA4B;IA2F1C;;OAEG;YACW,oBAAoB;IAqGlC;;;OAGG;IACH;;;OAGG;YACW,mBAAmB;IAsKjC,OAAO,CAAC,QAAQ;IAMhB,OAAO,CAAC,UAAU;YAMJ,mBAAmB;IAmCjC,OAAO,CAAC,UAAU;IAelB,OAAO,CAAC,SAAS;IAOjB,OAAO,CAAC,kBAAkB;IAe1B,OAAO,CAAC,iBAAiB;IAOzB,OAAO,CAAC,iBAAiB;IAOzB,OAAO,CAAC,gBAAgB;YAOV,qBAAqB;IAuCnC,OAAO,CAAC,kBAAkB;IA4C1B,OAAO,CAAC,SAAS;IAejB,OAAO,CAAC,kBAAkB;IA2H1B,OAAO,CAAC,iBAAiB;IAQzB,OAAO,CAAC,YAAY;IAKpB;;;OAGG;YACW,aAAa;IAyB3B;;;OAGG;IACH,OAAO,CAAC,qBAAqB;CAqB9B"}

package/dist/cli.js

@@ -45963,6 +45963,9 @@ function buildEvalSpan(opts) {
     status: { code: 0 }
   };
 }
+function buildTraceparent(span) {
+  return `00-${span.traceId}-${span.spanId}-01`;
+}
 var init_telemetry = __esm({
   "../crypto/dist/telemetry.js"() {
     "use strict";
@@ -45985,6 +45988,9 @@ function toOtlpAttributes(attrs) {
   });
 }
 function spanToOtlp(span) {
+  const enrichedAttrs = { ...span.attributes };
+  enrichedAttrs["w3c.traceparent"] = buildTraceparent(span);
+  enrichedAttrs["w3c.tracestate"] = `av=s:${span.spanId}`;
   const otlp = {
     traceId: span.traceId,
     spanId: span.spanId,
@@ -45992,7 +45998,7 @@ function spanToOtlp(span) {
     kind: span.kind,
     startTimeUnixNano: String(span.startTime * 1e6),
     endTimeUnixNano: String(span.endTime * 1e6),
-    attributes: toOtlpAttributes(span.attributes)
+    attributes: toOtlpAttributes(enrichedAttrs)
   };
   if (span.parentSpanId !== void 0) {
     otlp.parentSpanId = span.parentSpanId;
@@ -46169,6 +46175,14 @@ var init_backup = __esm({
   }
 });
 
+// ../crypto/dist/approval.js
+var init_approval = __esm({
+  async "../crypto/dist/approval.js"() {
+    "use strict";
+    await init_did();
+  }
+});
+
 // ../crypto/dist/index.js
 var init_dist = __esm({
   async "../crypto/dist/index.js"() {
@@ -46186,6 +46200,7 @@ var init_dist = __esm({
     init_telemetry();
     init_telemetry_reporter();
     await init_backup();
+    await init_approval();
   }
 });
 
@@ -48480,10 +48495,11 @@ var init_channel = __esm({
             }
             if (data.event === "hub_identity_sync") {
               if (this._persisted && data.data?.hub_id) {
-                const changed = this._persisted.hubId !== data.data.hub_id;
+                const changed = this._persisted.hubId !== data.data.hub_id || this._persisted.agentRole !== (data.data.agent_role ?? "peer");
                 this._persisted.hubAddress = data.data.hub_address;
                 this._persisted.hubId = data.data.hub_id;
                 this._persisted.agentHubId = data.data.hub_id;
+                this._persisted.agentRole = data.data.agent_role ?? "peer";
                 if (changed) this._persistState();
                 if (!this._telemetryReporter && this._persisted.deviceJwt && this._persisted.hubId) {
                   this._telemetryReporter = new TelemetryReporter({
@@ -48505,6 +48521,14 @@ var init_channel = __esm({
               }
               this.emit("hub_identity_assigned", data.data);
             }
+            if (data.event === "hub_identity_role_changed") {
+              if (this._persisted && data.data?.agent_role) {
+                this._persisted.agentRole = data.data.agent_role;
+                this._persistState();
+                console.log(`[SecureChannel] Agent role changed to: ${data.data.agent_role}`);
+              }
+              this.emit("hub_identity_role_changed", data.data);
+            }
             if (data.event === "hub_identity_removed") {
               if (this._persisted) {
                 delete this._persisted.hubAddress;
@@ -49171,6 +49195,9 @@ ${messageText}`;
       _resolveWorkspaceDir() {
         const homedir = process.env.HOME ?? process.env.USERPROFILE ?? "/tmp";
         const agentName = this.config.agentName;
+        if (this._persisted?.agentRole === "lead") {
+          return join3(homedir, ".openclaw", "workspace");
+        }
         try {
           const configPath = join3(homedir, ".openclaw", "openclaw.json");
           const raw = __require("node:fs").readFileSync(configPath, "utf-8");
@@ -70821,7 +70848,7 @@ function parseSkillMd(content) {
   if (!frontmatter.name) return null;
   const instructionLines = lines.slice(endIdx + 1);
   const instructions = instructionLines.join("\n").trim();
-  return {
+  const skill = {
     name: frontmatter.name,
     version: frontmatter.version,
     description: frontmatter.description,
@@ -70830,82 +70857,76 @@ function parseSkillMd(content) {
     slaDefinition: frontmatter.sla,
     instructions: instructions || void 0
   };
+  if (frontmatter.agentVault) {
+    const av = frontmatter.agentVault;
+    if (av.certification) skill.certificationTier = av.certification;
+    if (av.runtime?.capabilities) skill.toolsAllowed = av.runtime.capabilities;
+    if (av.runtime?.forbidden) skill.toolsDenied = av.runtime.forbidden;
+    if (av.runtime?.output_schema) skill.outputSchema = av.runtime.output_schema;
+    if (av.model?.routing) skill.modelRouting = av.model.routing;
+    if (av.model?.allowed) skill.allowedModels = av.model.allowed;
+    if (av.model?.default) skill.defaultModel = av.model.default;
+    if (av.integrity) skill.integrity = av.integrity;
+    if (av.requiredPolicies) skill.requiredPolicies = av.requiredPolicies;
+  }
+  return skill;
 }
 function parseSimpleYaml(yaml) {
   const result = {};
   const lines = yaml.split("\n");
-  let currentKey = "";
-  let currentIndent = 0;
-  let nestedObj = null;
+  const stack = [];
+  let currentObj = result;
+  function parseValue(raw) {
+    const value = raw.replace(/^["']|["']$/g, "");
+    const num = Number(value);
+    if (!isNaN(num) && value !== "") return num;
+    if (value === "true") return true;
+    if (value === "false") return false;
+    return value;
+  }
   for (const line of lines) {
     const trimmed = line.trim();
     if (!trimmed || trimmed.startsWith("#")) continue;
     const indent = line.length - line.trimStart().length;
-    const inlineArrayMatch = trimmed.match(/^(\w[\w-]*)\s*:\s*\[(.+)\]$/);
+    while (stack.length > 0 && indent <= stack[stack.length - 1].indent) {
+      const popped = stack.pop();
+      currentObj = stack.length > 0 ? stack[stack.length - 1].obj : result;
+      currentObj[popped.key] = popped.obj;
+    }
+    const inlineArrayMatch = trimmed.match(/^(\w[\w_-]*)\s*:\s*\[(.+)\]$/);
     if (inlineArrayMatch) {
       const key = inlineArrayMatch[1];
       const values = inlineArrayMatch[2].split(",").map((v2) => v2.trim().replace(/^["']|["']$/g, ""));
-      if (nestedObj && indent > currentIndent) {
-        nestedObj[key] = values;
+      if (stack.length > 0) {
+        stack[stack.length - 1].obj[key] = values;
       } else {
-        if (nestedObj && currentKey) {
-          result[currentKey] = nestedObj;
-          nestedObj = null;
-        }
-        result[key] = values;
+        currentObj[key] = values;
       }
       continue;
     }
-    const kvMatch = trimmed.match(/^(\w[\w-]*)\s*:\s*(.+)$/);
-    if (kvMatch && indent === 0) {
-      if (nestedObj && currentKey) {
-        result[currentKey] = nestedObj;
-        nestedObj = null;
-      }
+    const kvMatch = trimmed.match(/^(\w[\w_-]*)\s*:\s*(.+)$/);
+    if (kvMatch) {
       const key = kvMatch[1];
-      const value = kvMatch[2].replace(/^["']|["']$/g, "");
-      const num = Number(value);
-      if (!isNaN(num) && value !== "") {
-        result[key] = num;
-      } else if (value === "true") {
-        result[key] = true;
-      } else if (value === "false") {
-        result[key] = false;
+      const val = parseValue(kvMatch[2]);
+      if (stack.length > 0) {
+        stack[stack.length - 1].obj[key] = val;
       } else {
-        result[key] = value;
+        currentObj[key] = val;
       }
       continue;
     }
-    const nestedMatch = trimmed.match(/^(\w[\w-]*)\s*:$/);
-    if (nestedMatch && indent === 0) {
-      if (nestedObj && currentKey) {
-        result[currentKey] = nestedObj;
-      }
-      currentKey = nestedMatch[1];
-      currentIndent = indent;
-      nestedObj = {};
+    const nestedMatch = trimmed.match(/^(\w[\w_-]*)\s*:$/);
+    if (nestedMatch) {
+      const key = nestedMatch[1];
+      const newObj = {};
+      stack.push({ key, obj: newObj, indent });
       continue;
     }
-    if (nestedObj && indent > 0) {
-      const nestedKv = trimmed.match(/^(\w[\w-]*)\s*:\s*(.+)$/);
-      if (nestedKv) {
-        const key = nestedKv[1];
-        const value = nestedKv[2].replace(/^["']|["']$/g, "");
-        const num = Number(value);
-        if (!isNaN(num) && value !== "") {
-          nestedObj[key] = num;
-        } else if (value === "true") {
-          nestedObj[key] = true;
-        } else if (value === "false") {
-          nestedObj[key] = false;
-        } else {
-          nestedObj[key] = value;
-        }
-      }
-    }
   }
-  if (nestedObj && currentKey) {
-    result[currentKey] = nestedObj;
+  while (stack.length > 0) {
+    const popped = stack.pop();
+    const parent = stack.length > 0 ? stack[stack.length - 1].obj : result;
+    parent[popped.key] = popped.obj;
   }
   return result;
 }
@@ -70930,6 +70951,14 @@ var init_skill_telemetry = __esm({
   }
 });
 
+// src/policy-enforcer.ts
+var init_policy_enforcer = __esm({
+  async "src/policy-enforcer.ts"() {
+    "use strict";
+    await init_dist();
+  }
+});
+
 // src/index.ts
 var VERSION;
 var init_index = __esm({
@@ -70948,6 +70977,7 @@ var init_index = __esm({
     init_skill_manifest();
     init_skill_invoker();
     await init_skill_telemetry();
+    await init_policy_enforcer();
     VERSION = "0.14.1";
   }
 });