@agentvault/agentvault 0.17.2 → 0.17.3

package/README.md

@@ -1,16 +1,20 @@
 # @agentvault/agentvault
 
-The security infrastructure layer for AI agents — cryptographic identity, earned trust, and Signal-grade encrypted communications natively integrated with [OpenClaw](https://openclaw.ai).
+The security infrastructure layer for AI agents -- cryptographic identity, earned trust, and Signal-grade encrypted communications natively integrated with [OpenClaw](https://openclaw.ai).
 
 Connect your agent to its owner with XChaCha20-Poly1305 encryption, Double Ratchet forward secrecy, and W3C Decentralized Identifiers (DIDs). No plaintext ever touches the server.
 
-## What's New in v0.17.0
+## What's New in v0.17.3
 
-* **Policy Enforcer:** 5-stage policy pipeline (Parse → Validate → Enforce → Log → Report) with tool blocklists, model routing rules, and telemetry emission.
-* **SKILL.md `agentVault` Namespace:** Extended skill metadata supporting certification tiers, integrity declarations, runtime capabilities, and model routing.
-* **Unified Delivery Protocol:** Single `deliver()` dispatcher for all outbound messages — text, decisions, approvals, policy alerts, and artifacts.
-* **20 OTel Span Types:** Full observability with `av.*`-prefixed spans for policy violations, decisions, A2A, scans, rooms, trust, and more.
-* **W3C TraceContext:** All telemetry spans carry `traceparent` and `tracestate` for cross-agent trace correlation.
+- **Runtime Shadow Mode:** Agents in shadow mode send recommendations instead of executing. Config synced via `shadow_config_sync` WS event on connect. Supports `shadow_session_created`, `shadow_session_graduated`, and `shadow_session_deleted` events. Use `getShadowConfig(skillName)` to check if a skill is shadowed before execution.
+- **Shadow Recommendations:** New `shadow_recommendation` delivery type. Agents deliver structured recommendation cards to owners for Agree/Override review in chat.
+- **Agent Roles:** Lead/peer role assignment via `agentRole` config. Lead agents get workspace-level file access. Roles sync automatically via `hub_identity_role_changed` events.
+- **Eval Framework Integration:** `av.eval_run` telemetry spans for evaluation pipelines. Shadow mode and review queue support via the observability dashboard.
+- **Policy Enforcer:** 5-stage policy pipeline (Parse, Validate, Enforce, Log, Report) with tool blocklists, model routing rules, and telemetry emission.
+- **SKILL.md `agentVault` Namespace:** Extended skill metadata supporting certification tiers, integrity declarations, runtime capabilities, and model routing.
+- **Unified Delivery Protocol:** Single `deliver()` dispatcher for all outbound messages -- text, decisions, approvals, policy alerts, shadow recommendations, and artifacts.
+- **21 OTel Span Types:** Full observability with `av.*`-prefixed spans for policy violations, decisions, A2A, scans, rooms, trust, eval runs, and more.
+- **W3C TraceContext:** All telemetry spans carry `traceparent` and `tracestate` for cross-agent trace correlation.
 
 ## Installation
 
@@ -47,6 +51,33 @@ The CLI will generate an Ed25519 identity keypair, enroll with the server (ancho
 | `doctor [--fix]` | Diagnose and fix LaunchAgent / gateway issues |
 | `version` | Print the installed version |
 
+## Configuration
+
+```typescript
+const channel = new SecureChannel({
+  // Required
+  inviteToken: process.env.AGENTVAULT_INVITE_TOKEN,
+  dataDir: "./agentvault-data",
+  apiUrl: "https://api.agentvault.chat",
+
+  // Optional
+  agentName: "My Agent",
+  agentVersion: "1.0.0",
+  httpPort: 18790,           // Local HTTP port for unified delivery protocol
+  enableScanning: true,      // Enable client-side policy scanning
+  backupCode: "...",         // Auto-backup encrypted state to server
+
+  // Callbacks
+  onMessage: (text, metadata) => {},
+  onStateChange: (state) => {},
+  onA2AMessage: (msg) => {},
+  onA2AChannelReady: (info) => {},
+});
+```
+
+The persisted state also tracks:
+- `agentRole` -- `"lead"` or `"peer"` (synced from server, determines workspace file access)
+
 ## Programmatic Usage
 
 ### SecureChannel
@@ -75,6 +106,54 @@ channel.on("ready", () => {
 await channel.start();
 ```
 
+### Unified Delivery Protocol -- `deliver()`
+
+All outbound messages should flow through `deliver()`. It routes based on explicit target and never silently falls back.
+
+```typescript
+// Send to the agent owner
+await channel.deliver(
+  { kind: "owner" },
+  { type: "text", text: "Task complete" },
+);
+
+// Send to a multi-agent room
+await channel.deliver(
+  { kind: "room", roomId: "room_abc123" },
+  { type: "text", text: "Ready for review" },
+);
+
+// Send to another agent (A2A)
+await channel.deliver(
+  { kind: "a2a", hubAddress: "did:hub:other_agent" },
+  { type: "text", text: "Handoff data" },
+);
+
+// Send a decision request
+await channel.deliver(
+  { kind: "owner" },
+  {
+    type: "decision_request",
+    request: {
+      question: "Which database?",
+      options: [
+        { label: "PostgreSQL", value: "postgres" },
+        { label: "SQLite", value: "sqlite" },
+      ],
+      urgency: "medium",
+    },
+  },
+);
+```
+
+**Delivery targets:**
+- `{ kind: "owner" }` -- Send to the agent owner
+- `{ kind: "room", roomId: "..." }` -- Send to a multi-agent room
+- `{ kind: "a2a", hubAddress: "..." }` -- Send to another agent
+- `{ kind: "context" }` -- Resolve from last inbound room (opt-in only)
+
+**Content types:** `text`, `decision_request`, `decision_response`, `approval_request`, `approval_response`, `policy_alert`, `artifact_share`, `action_confirmation`, `attachment`
+
 ### Gateway Send Helpers
 
 Send messages from your agent code without managing the channel directly:
@@ -82,36 +161,41 @@ Send messages from your agent code without managing the channel directly:
 ```typescript
 import { sendToOwner, sendToRoom, sendToTarget, listTargets } from "@agentvault/agentvault";
 
-// Send to the agent owner
-await sendToOwner("Task complete — 3 files processed");
-
-// Send to a multi-agent room
+await sendToOwner("Task complete -- 3 files processed");
 await sendToRoom("room_abc123", "Ready for review");
-
-// Send to any target (auto-resolves owner, room, or A2A)
 await sendToTarget("did:hub:other_agent", "Handoff data");
 
-// List available targets
 const targets = await listTargets();
 ```
 
-### Structured Messages
+### Policy Enforcement
+
+The PolicyEnforcer validates skill invocations against a 5-stage pipeline:
 
 ```typescript
-import { sendDecisionToOwner } from "@agentvault/agentvault";
-
-// Decision request — ask the owner to choose
-await sendDecisionToOwner({
-  question: "Which database should I use?",
-  options: [
-    { label: "PostgreSQL", value: "postgres" },
-    { label: "SQLite", value: "sqlite" },
-  ],
-  urgency: "medium",
+import { PolicyEnforcer } from "@agentvault/agentvault";
+
+const enforcer = new PolicyEnforcer();
+
+enforcer.registerSkill({
+  name: "code-review",
+  toolsAllowed: ["file.read"],
+  toolsDenied: ["shell.exec", "network.raw"],
+  modelRouting: { allowed: ["gpt-4", "claude-sonnet-4-20250514"] },
 });
-```
 
-All 8 message types are supported: `text`, `decision_request`, `decision_response`, `approval_request`, `approval_response`, `policy_alert`, `artifact_share`.
+const result = enforcer.evaluate({
+  skillName: "code-review",
+  toolName: "shell.exec",
+  model: "gpt-4",
+});
+
+if (!result.allowed) {
+  console.log("Blocked:", result.violations);
+}
+
+const metrics = enforcer.getMetrics();
+```
 
 ### Skill Management
 
@@ -126,12 +210,6 @@ tags: [code-review, typescript]
 sla:
   p95_latency_ms: 5000
   max_error_rate: 0.05
-schema:
-  type: object
-  properties:
-    code:
-      type: string
-  required: [code]
 agentVault:
   certification: certified
   integrity:
@@ -145,57 +223,18 @@ agentVault:
     allowed: [gpt-4, claude-sonnet-4-20250514]
     default: claude-sonnet-4-20250514
 ---
-# Code Review Skill
-
-Review the provided code for bugs, security issues, and style violations...
 ```
 
-Load and use skills programmatically:
-
-```typescript
-import { parseSkillMd, loadSkillsFromDirectory, invokeSkill } from "@agentvault/agentvault";
-
-// Load all SKILL.md files from a directory
-const manifest = await loadSkillsFromDirectory("./skills");
-
-// Invoke a skill with policy enforcement
-const result = await invokeSkill("code-review", {
-  args: { code: "function foo() { eval(input); }" },
-});
-```
-
-### Policy Enforcement
+### Telemetry
 
-The PolicyEnforcer validates skill invocations against a 5-stage pipeline:
+The plugin auto-instruments all message operations with OTel-shaped telemetry spans. Spans feed the trust scoring engine and observability dashboard.
 
 ```typescript
-import { PolicyEnforcer } from "@agentvault/agentvault";
-
-const enforcer = new PolicyEnforcer();
-
-// Register a skill with its policy constraints
-enforcer.registerSkill({
-  name: "code-review",
-  toolsAllowed: ["file.read"],
-  toolsDenied: ["shell.exec", "network.raw"],
-  modelRouting: { allowed: ["gpt-4", "claude-sonnet-4-20250514"] },
-});
+import { wrapSkillExecution } from "@agentvault/agentvault";
 
-// Evaluate before execution
-const result = enforcer.evaluate({
-  skillName: "code-review",
-  toolName: "shell.exec",
-  model: "gpt-4",
+const result = await wrapSkillExecution("code-review", async () => {
+  return { issues: 3 };
 });
-
-if (!result.allowed) {
-  console.log("Blocked:", result.violations);
-  // [{ ruleId: "tool_deny", scope: "tool", message: "shell.exec is forbidden" }]
-}
-
-// Get aggregate metrics
-const metrics = enforcer.getMetrics();
-// { totalEvaluations: 42, totalBlocks: 3, bySkill: {...}, byRule: {...} }
 ```
 
 ### MCP Server (Embedded)
@@ -207,25 +246,87 @@ import { AgentVaultMcpServer } from "@agentvault/agentvault";
 
 const mcpServer = new AgentVaultMcpServer({
   skills: manifest.skills,
-  channel,          // SecureChannel instance for message relay
-  enforcer,         // PolicyEnforcer for pre-execution checks
+  channel,
+  enforcer,
 });
 ```
 
-### Telemetry
+## Shadow Mode
 
-The plugin auto-instruments all message operations with OTel-shaped telemetry spans. Spans are exported to `https://api.agentvault.chat/api/v1/otel/push` and feed the trust scoring engine and observability dashboard.
+Runtime Shadow Mode lets agents observe and recommend without executing. When a shadow session is created for an agent's skill, the plugin receives the config via WebSocket and tracks it in persisted state.
 
-```typescript
-import { wrapSkillExecution, reportSkillInvocation } from "@agentvault/agentvault";
+### Checking Shadow Status
 
-// Wrap a skill execution to auto-emit spans
-const result = await wrapSkillExecution("code-review", async () => {
-  // Your skill logic here
-  return { issues: 3 };
-});
+```typescript
+const shadow = channel.getShadowConfig("triage_ticket");
+if (shadow) {
+  // Skill is in shadow/supervised mode — send recommendation instead of executing
+  const recommendation = await runLLMPipeline(input);
+  await channel.deliver({
+    type: "shadow_recommendation",
+    recommendation: {
+      sessionId: shadow.sessionId,
+      skillName: "triage_ticket",
+      decisionClass: shadow.decisionClass,
+      recommendedAction: recommendation,
+      observationId: observationId, // from POST /shadow/sessions/{id}/observations
+    },
+  });
+} else {
+  // Normal execution
+  await executeAction(input);
+}
 ```
 
+### Shadow Events
+
+| Event | Description |
+|-------|-------------|
+| `shadow_config_sync` | Full shadow config received on WS connect |
+| `shadow_session_created` | New shadow session for this agent |
+| `shadow_session_graduated` | Session autonomy level changed |
+| `shadow_session_deleted` | Shadow session removed |
+
+### Autonomy Levels
+
+| Level | Behavior |
+|-------|----------|
+| `shadow` | Recommend only — never execute |
+| `supervised` | Recommend + wait for approval (future) |
+| `autonomous` | Normal execution (config removed from plugin) |
+
+## Events
+
+The SecureChannel emits the following events:
+
+| Event | Payload | Description |
+|-------|---------|-------------|
+| `ready` | -- | Channel established and encrypted |
+| `message` | `(text, metadata)` | Decrypted owner message |
+| `room_message` | `{ roomId, text, ... }` | Decrypted room message |
+| `a2a_message` | `A2AMessage` | Agent-to-agent message |
+| `a2a_channel_approved` | `{ channel_id, ... }` | A2A channel approved |
+| `a2a_channel_activated` | `{ ... }` | A2A channel ready for E2E |
+| `a2a_channel_rejected` | `{ ... }` | A2A channel request rejected |
+| `a2a_channel_revoked` | `{ ... }` | A2A channel revoked |
+| `hub_identity_assigned` | `{ ... }` | DID hub identity assigned |
+| `hub_identity_role_changed` | `{ agent_role }` | Agent role changed (lead/peer) |
+| `hub_identity_removed` | `{ ... }` | Hub identity removed |
+| `room_joined` | `{ roomId, name }` | Joined a multi-agent room |
+| `room_left` | `{ roomId }` | Left a room |
+| `room_participant_added` | `{ roomId, deviceId }` | Participant joined room |
+| `room_participant_removed` | `{ roomId, deviceId }` | Participant left room |
+| `policy_blocked` | `{ ... }` | Message blocked by policy |
+| `message_held` | `{ ... }` | Message held for review |
+| `policy_rejected` | `{ ... }` | Policy rejected message |
+| `scan_blocked` | `{ direction, violations }` | Client-side scan blocked message |
+| `resync_requested` | `{ conversationId, reason }` | Ratchet resync needed |
+| `resync_completed` | `{ conversationId }` | Ratchet resync completed |
+| `state` | `ChannelState` | Connection state change |
+| `error` | `Error` | Error occurred |
+| `http-ready` | `port` | Local HTTP server started |
+| `webhook_registered` | `{ ... }` | Webhook registered with backend |
+
 ## OpenClaw Integration
 
 When installed as an OpenClaw plugin, AgentVault registers as the `agentvault` channel:
@@ -242,11 +343,11 @@ When installed as an OpenClaw plugin, AgentVault registers as the `agentvault` c
 
 The plugin hooks into OpenClaw's lifecycle:
 
-- **Channel gateway** — routes inbound/outbound messages through the E2E encrypted channel
-- **Heartbeat wake** — keeps the agent alive via OpenClaw's heartbeat system
-- **Agent events** — listens for session start/end and transcript updates
-- **Managed HTTP routes** — `/send`, `/status`, `/targets`, `/action`, `/decision`
-- **MCP serving** — exposes skills as MCP tools via `/mcp` route
+- **Channel gateway** -- routes inbound/outbound messages through the E2E encrypted channel
+- **Heartbeat wake** -- keeps the agent alive via OpenClaw's heartbeat system
+- **Agent events** -- listens for session start/end and transcript updates
+- **Managed HTTP routes** -- `/send`, `/status`, `/targets`, `/action`, `/decision`
+- **MCP serving** -- exposes skills as MCP tools via `/mcp` route
 
 ## Security Architecture
 
@@ -259,7 +360,7 @@ AgentVault is a **zero-knowledge** platform. The server routes ciphertext and NE
 | Forward Secrecy | Double Ratchet protocol + X3DH key agreement |
 | Group Crypto | Sender Key distribution with automatic force rekeying |
 | Audit | BLAKE2b hash-chained entries with W3C TraceContext |
-| Policy | 5-stage pipeline: Parse → Validate → Enforce → Log → Report |
+| Policy | 5-stage pipeline: Parse, Validate, Enforce, Log, Report |
 
 ## Related Packages
 

package/dist/channel.d.ts

@@ -78,6 +78,14 @@ export declare class SecureChannel extends EventEmitter {
     resolveA2AChannelHub(channelId: string): string | null;
     /** Returns the TelemetryReporter instance (available after WebSocket connect). */
     get telemetry(): TelemetryReporter | null;
+    /**
+     * Check if a skill is in shadow mode. Returns the shadow config if active, undefined otherwise.
+     */
+    getShadowConfig(skillName: string): {
+        sessionId: string;
+        autonomyLevel: string;
+        decisionClass: string;
+    } | undefined;
     start(): Promise<void>;
     /**
      * Fetch scan rules from the server and load them into the ScanEngine.

package/dist/channel.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"channel.d.ts","sourceRoot":"","sources":["../src/channel.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAQ3C,OAAO,EAWL,iBAAiB,EAClB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,KAAK,EACV,mBAAmB,EACnB,YAAY,EAMZ,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,eAAe,EACf,WAAW,EACX,cAAc,EACd,oBAAoB,EACpB,QAAQ,EAER,UAAU,EAEV,cAAc,EACd,eAAe,EACf,eAAe,EACf,eAAe,EACf,UAAU,EACX,MAAM,YAAY,CAAC;AA6DpB,qBAAa,aAAc,SAAQ,YAAY;IAkEjC,OAAO,CAAC,MAAM;IAjE1B,OAAO,CAAC,MAAM,CAAwB;IACtC,OAAO,CAAC,SAAS,CAAuB;IACxC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,sBAAsB,CAAc;IAC5C,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,SAAS,CAGH;IACd,OAAO,CAAC,GAAG,CAA0B;IACrC,OAAO,CAAC,UAAU,CAA8C;IAChE,OAAO,CAAC,iBAAiB,CAAK;IAC9B,OAAO,CAAC,eAAe,CAA8C;IACrE,OAAO,CAAC,iBAAiB,CAAK;IAC9B,OAAO,CAAC,eAAe,CAAK;IAC5B,OAAO,CAAC,UAAU,CAA+C;IACjE,OAAO,CAAC,kBAAkB,CAAK;IAC/B,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,SAAS,CAA8C;IAC/D,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,UAAU,CAA+B;IACjD,OAAO,CAAC,WAAW,CAAuB;IAC1C,OAAO,CAAC,kBAAkB,CAA+C;IACzE,OAAO,CAAC,eAAe,CAA+C;IACtE,OAAO,CAAC,kBAAkB,CAAwC;IAClE,OAAO,CAAC,yBAAyB,CAAa;IAC9C,OAAO,CAAC,kBAAkB,CAA+C;IACzE,OAAO,CAAC,aAAa,CAAsB;IAC3C,OAAO,CAAC,iBAAiB,CAA+C;IACxE,OAAO,CAAC,eAAe,CAA4B;IAEnD,iEAAiE;IACjE,OAAO,CAAC,gBAAgB,CAA0C;IAClE,kEAAkE;IAClE,OAAO,CAAC,gBAAgB,CAA0C;IAElE,0GAA0G;IAC1G,OAAO,CAAC,gBAAgB,CAAiF;IACzG,qFAAqF;IACrF,OAAO,CAAC,kBAAkB,CAAqB;IAC/C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAO;IAC3C,OAAO,CAAC,WAAW,CAA2B;IAC9C,OAAO,CAAC,mBAAmB,CAAK;IAChC,OAAO,CAAC,kBAAkB,CAAkC;IAE5D,oFAAoF;IACpF,OAAO,CAAC,oBAAoB,CAAqB;IAEjD,mGAAmG;IACnG,OAAO,CAAC,kBAAkB,CAAqB;IAE/C,mFAAmF;IACnF,OAAO,CAAC,kBAAkB,CAAkC;IAE5D,sDAAsD;IACtD,OAAO,CAAC,kBAAkB,CAA8C;IACxE,OAAO,CAAC,oBAAoB,CAAS;IAIrC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAU;IAClD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CAAU;IACpD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,yBAAyB,CAAU;IAC3D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,qBAAqB,CAAU;gBAEnC,MAAM,EAAE,mBAAmB;IAI/C,IAAI,KAAK,IAAI,YAAY,CAExB;IAED,IAAI,QAAQ,IAAI,MAAM,GAAG,IAAI,CAE5B;IAED,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED,iEAAiE;IACjE,IAAI,cAAc,IAAI,MAAM,GAAG,IAAI,CAElC;IAED,2CAA2C;IAC3C,IAAI,eAAe,IAAI,MAAM,EAAE,CAE9B;IAED,6CAA6C;IAC7C,IAAI,YAAY,IAAI,MAAM,CAEzB;IAED,mFAAmF;IACnF,IAAI,iBAAiB,IAAI,MAAM,GAAG,SAAS,CAE1C;IAED,mFAAmF;IACnF,IAAI,OAAO,IAAI,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAGrD;IAED,gEAAgE;IAChE,IAAI,gBAAgB,IAAI,MAAM,EAAE,CAG/B;IAED,kFAAkF;IAClF,oBAAoB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKtD,kFAAkF;IAClF,IAAI,SAAS,IAAI,iBAAiB,GAAG,IAAI,CAExC;IAEK,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAoF5B;;OAEG;YACW,eAAe;IAiB7B;;OAEG;IACH,OAAO,CAAC,cAAc;IAuBtB;;;OAGG;IACG,IAAI,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IA0HnE;;;OAGG;IACH,UAAU,IAAI,IAAI;IAYlB;;;OAGG;IACH,gBAAgB,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAazD;;;;OAIG;IACG,mBAAmB,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC;IA6BpE;;;;;;OAMG;IACH,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAuClF;;;OAGG;IACG,QAAQ,CAAC,QAAQ,EAAE;QACvB,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,cAAc,EAAE,CAAC;QAC1B,aAAa,EAAE,oBAAoB,EAAE,CAAC;QACtC,UAAU,CAAC,EAAE,OAAO,CAAC;KACtB,GAAG,OAAO,CAAC,IAAI,CAAC;IAuJjB;;;OAGG;IACG,UAAU,CACd,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EACjB,IAAI,CAAC,EAAE;QACL,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACpC,GACA,OAAO,CAAC,IAAI,CAAC;IAmHhB;;OAEG;IACG,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAoB9C;;OAEG;IACH,QAAQ,IAAI,QAAQ,EAAE;IAYtB,cAAc,CACZ,eAAe,EAAE,MAAM,EACvB,cAAc,EAAE,MAAM,eAAe,GACpC,IAAI;IAUD,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC;IAuB9B,eAAe,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAsBlD,YAAY,CAAC,QAAQ,EAAE;QAC3B,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,GAAG,OAAO,CAAC,IAAI,CAAC;IA2CX,sBAAsB,CAAC,YAAY,EAAE;QACzC,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,EAAE,WAAW,GAAG,QAAQ,GAAG,SAAS,CAAC;QAC3C,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,GAAG,OAAO,CAAC,IAAI,CAAC;IAkBX,4BAA4B,CAChC,MAAM,EAAE,MAAM,EACd,YAAY,EAAE;QACZ,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,EAAE,WAAW,GAAG,QAAQ,GAAG,SAAS,CAAC;QAC3C,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,cAAc,CAAC,EAAE,MAAM,CAAC;KACzB,GACA,OAAO,CAAC,IAAI,CAAC;IA0BhB;;;OAGG;IACG,OAAO,CACX,MAAM,EAAE,cAAc,EACtB,OAAO,EAAE,eAAe,EACxB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,eAAe,CAAC;IA0I3B;;OAEG;IACH,WAAW,IAAI,UAAU,EAAE;IAqC3B,OAAO,CAAC,cAAc;IAkBhB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAqC3B,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAkFnC,OAAO,CAAC,eAAe;IASvB;;;OAGG;IACG,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAA;KAAE,CAAC;IAsC1F;;;OAGG;IACG,UAAU,IAAI,OAAO,CAAC,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IAiCpF;;;OAGG;IACG,iBAAiB,CAAC,mBAAmB,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IA0CrE;;;;;;;;;;OAUG;IACG,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAmHpG;;;OAGG;IACG,eAAe,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YAoDhC,OAAO;IAgDrB,OAAO,CAAC,KAAK;YAsCC,SAAS;IAyIvB,OAAO,CAAC,QAAQ;IA2mBhB;;;;OAIG;YACW,sBAAsB;IAmRpC;;;OAGG;YACW,6BAA6B;IA6C3C;;;OAGG;YACW,iBAAiB;IAwD/B;;;OAGG;IACG,kBAAkB,CACtB,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,GAC7B,OAAO,CAAC,IAAI,CAAC;IA8ChB;;;OAGG;YACW,oBAAoB;IAkDlC;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IAqC5B;;;OAGG;YACW,oBAAoB;IAyBlC;;;OAGG;YACW,uBAAuB;IAkCrC;;;;OAIG;YACW,mBAAmB;IAuEjC;;;;OAIG;YACW,oBAAoB;IA8ElC;;;OAGG;YACW,kBAAkB;IAyNhC;;OAEG;IACH,OAAO,CAAC,0BAA0B;IAiBlC;;;;OAIG;YACW,oBAAoB;IAuClC;;;OAGG;YACW,4BAA4B;IA2F1C;;OAEG;YACW,oBAAoB;IAqGlC;;;OAGG;IACH;;;OAGG;YACW,mBAAmB;IAsKjC,OAAO,CAAC,QAAQ;IAMhB,OAAO,CAAC,UAAU;YAMJ,mBAAmB;IAmCjC,OAAO,CAAC,UAAU;IAelB,OAAO,CAAC,SAAS;IAOjB,OAAO,CAAC,kBAAkB;IAe1B,OAAO,CAAC,iBAAiB;IAOzB,OAAO,CAAC,iBAAiB;IAOzB,OAAO,CAAC,gBAAgB;YAOV,qBAAqB;IAuCnC,OAAO,CAAC,kBAAkB;IA4C1B,OAAO,CAAC,SAAS;IAejB,OAAO,CAAC,kBAAkB;IA2H1B,OAAO,CAAC,iBAAiB;IAQzB,OAAO,CAAC,YAAY;IAKpB;;;OAGG;YACW,aAAa;IAyB3B;;;OAGG;IACH,OAAO,CAAC,qBAAqB;CAqB9B"}
+{"version":3,"file":"channel.d.ts","sourceRoot":"","sources":["../src/channel.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAQ3C,OAAO,EAWL,iBAAiB,EAClB,MAAM,oBAAoB,CAAC;AAE5B,OAAO,KAAK,EACV,mBAAmB,EACnB,YAAY,EAMZ,WAAW,EACX,eAAe,EACf,gBAAgB,EAChB,eAAe,EACf,WAAW,EACX,cAAc,EACd,oBAAoB,EACpB,QAAQ,EAER,UAAU,EAEV,cAAc,EACd,eAAe,EACf,eAAe,EACf,eAAe,EACf,UAAU,EACX,MAAM,YAAY,CAAC;AA6DpB,qBAAa,aAAc,SAAQ,YAAY;IAkEjC,OAAO,CAAC,MAAM;IAjE1B,OAAO,CAAC,MAAM,CAAwB;IACtC,OAAO,CAAC,SAAS,CAAuB;IACxC,OAAO,CAAC,YAAY,CAAuB;IAC3C,OAAO,CAAC,sBAAsB,CAAc;IAC5C,OAAO,CAAC,UAAU,CAAuB;IACzC,OAAO,CAAC,SAAS,CAGH;IACd,OAAO,CAAC,GAAG,CAA0B;IACrC,OAAO,CAAC,UAAU,CAA8C;IAChE,OAAO,CAAC,iBAAiB,CAAK;IAC9B,OAAO,CAAC,eAAe,CAA8C;IACrE,OAAO,CAAC,iBAAiB,CAAK;IAC9B,OAAO,CAAC,eAAe,CAAK;IAC5B,OAAO,CAAC,UAAU,CAA+C;IACjE,OAAO,CAAC,kBAAkB,CAAK;IAC/B,OAAO,CAAC,YAAY,CAAgB;IACpC,OAAO,CAAC,SAAS,CAA8C;IAC/D,OAAO,CAAC,QAAQ,CAAS;IACzB,OAAO,CAAC,UAAU,CAA+B;IACjD,OAAO,CAAC,WAAW,CAAuB;IAC1C,OAAO,CAAC,kBAAkB,CAA+C;IACzE,OAAO,CAAC,eAAe,CAA+C;IACtE,OAAO,CAAC,kBAAkB,CAAwC;IAClE,OAAO,CAAC,yBAAyB,CAAa;IAC9C,OAAO,CAAC,kBAAkB,CAA+C;IACzE,OAAO,CAAC,aAAa,CAAsB;IAC3C,OAAO,CAAC,iBAAiB,CAA+C;IACxE,OAAO,CAAC,eAAe,CAA4B;IAEnD,iEAAiE;IACjE,OAAO,CAAC,gBAAgB,CAA0C;IAClE,kEAAkE;IAClE,OAAO,CAAC,gBAAgB,CAA0C;IAElE,0GAA0G;IAC1G,OAAO,CAAC,gBAAgB,CAAiF;IACzG,qFAAqF;IACrF,OAAO,CAAC,kBAAkB,CAAqB;IAC/C,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,YAAY,CAAO;IAC3C,OAAO,CAAC,WAAW,CAA2B;IAC9C,OAAO,CAAC,mBAAmB,CAAK;IAChC,OAAO,CAAC,kBAAkB,CAAkC;IAE5D,oFAAoF;IACpF,OAAO,CAAC,oBAAoB,CAAqB;IAEjD,mGAAmG;IACnG,OAAO,CAAC,kBAAkB,CAAqB;IAE/C,mFAAmF;IACnF,OAAO,CAAC,kBAAkB,CAAkC;IAE5D,sDAAsD;IACtD,OAAO,CAAC,kBAAkB,CAA8C;IACxE,OAAO,CAAC,oBAAoB,CAAS;IAIrC,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,gBAAgB,CAAU;IAClD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,kBAAkB,CAAU;IACpD,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,yBAAyB,CAAU;IAC3D,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,qBAAqB,CAAU;gBAEnC,MAAM,EAAE,mBAAmB;IAI/C,IAAI,KAAK,IAAI,YAAY,CAExB;IAED,IAAI,QAAQ,IAAI,MAAM,GAAG,IAAI,CAE5B;IAED,IAAI,WAAW,IAAI,MAAM,GAAG,IAAI,CAE/B;IAED,iEAAiE;IACjE,IAAI,cAAc,IAAI,MAAM,GAAG,IAAI,CAElC;IAED,2CAA2C;IAC3C,IAAI,eAAe,IAAI,MAAM,EAAE,CAE9B;IAED,6CAA6C;IAC7C,IAAI,YAAY,IAAI,MAAM,CAEzB;IAED,mFAAmF;IACnF,IAAI,iBAAiB,IAAI,MAAM,GAAG,SAAS,CAE1C;IAED,mFAAmF;IACnF,IAAI,OAAO,IAAI,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAGrD;IAED,gEAAgE;IAChE,IAAI,gBAAgB,IAAI,MAAM,EAAE,CAG/B;IAED,kFAAkF;IAClF,oBAAoB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI;IAKtD,kFAAkF;IAClF,IAAI,SAAS,IAAI,iBAAiB,GAAG,IAAI,CAExC;IAED;;OAEG;IACH,eAAe,CAAC,SAAS,EAAE,MAAM,GAAG;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,aAAa,EAAE,MAAM,CAAC;QAAC,aAAa,EAAE,MAAM,CAAA;KAAE,GAAG,SAAS;IAI7G,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAoF5B;;OAEG;YACW,eAAe;IAiB7B;;OAEG;IACH,OAAO,CAAC,cAAc;IAuBtB;;;OAGG;IACG,IAAI,CAAC,SAAS,EAAE,MAAM,EAAE,OAAO,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IA0HnE;;;OAGG;IACH,UAAU,IAAI,IAAI;IAYlB;;;OAGG;IACH,gBAAgB,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;IAazD;;;;OAIG;IACG,mBAAmB,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,MAAM,CAAC;IA6BpE;;;;;;OAMG;IACH,eAAe,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAuClF;;;OAGG;IACG,QAAQ,CAAC,QAAQ,EAAE;QACvB,MAAM,EAAE,MAAM,CAAC;QACf,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,cAAc,EAAE,CAAC;QAC1B,aAAa,EAAE,oBAAoB,EAAE,CAAC;QACtC,UAAU,CAAC,EAAE,OAAO,CAAC;KACtB,GAAG,OAAO,CAAC,IAAI,CAAC;IAuJjB;;;OAGG;IACG,UAAU,CACd,MAAM,EAAE,MAAM,EACd,SAAS,EAAE,MAAM,EACjB,IAAI,CAAC,EAAE;QACL,WAAW,CAAC,EAAE,MAAM,CAAC;QACrB,QAAQ,CAAC,EAAE,MAAM,CAAC;QAClB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACpC,GACA,OAAO,CAAC,IAAI,CAAC;IAmHhB;;OAEG;IACG,SAAS,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAoB9C;;OAEG;IACH,QAAQ,IAAI,QAAQ,EAAE;IAYtB,cAAc,CACZ,eAAe,EAAE,MAAM,EACvB,cAAc,EAAE,MAAM,eAAe,GACpC,IAAI;IAUD,aAAa,IAAI,OAAO,CAAC,IAAI,CAAC;IAuB9B,eAAe,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IAsBlD,YAAY,CAAC,QAAQ,EAAE;QAC3B,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,QAAQ,EAAE,MAAM,CAAC;QACjB,WAAW,CAAC,EAAE,MAAM,CAAC;KACtB,GAAG,OAAO,CAAC,IAAI,CAAC;IA2CX,sBAAsB,CAAC,YAAY,EAAE;QACzC,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,EAAE,WAAW,GAAG,QAAQ,GAAG,SAAS,CAAC;QAC3C,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,MAAM,CAAC,EAAE,MAAM,CAAC;KACjB,GAAG,OAAO,CAAC,IAAI,CAAC;IAkBX,4BAA4B,CAChC,MAAM,EAAE,MAAM,EACd,YAAY,EAAE;QACZ,MAAM,EAAE,MAAM,CAAC;QACf,MAAM,EAAE,WAAW,GAAG,QAAQ,GAAG,SAAS,CAAC;QAC3C,UAAU,CAAC,EAAE,MAAM,CAAC;QACpB,MAAM,CAAC,EAAE,MAAM,CAAC;QAChB,cAAc,CAAC,EAAE,MAAM,CAAC;KACzB,GACA,OAAO,CAAC,IAAI,CAAC;IA0BhB;;;OAGG;IACG,OAAO,CACX,MAAM,EAAE,cAAc,EACtB,OAAO,EAAE,eAAe,EACxB,OAAO,CAAC,EAAE,eAAe,GACxB,OAAO,CAAC,eAAe,CAAC;IA0I3B;;OAEG;IACH,WAAW,IAAI,UAAU,EAAE;IAqC3B,OAAO,CAAC,cAAc;IAkBhB,IAAI,IAAI,OAAO,CAAC,IAAI,CAAC;IAqC3B,eAAe,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI;IAkFnC,OAAO,CAAC,eAAe;IASvB;;;OAGG;IACG,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAA;KAAE,CAAC;IAsC1F;;;OAGG;IACG,UAAU,IAAI,OAAO,CAAC,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IAiCpF;;;OAGG;IACG,iBAAiB,CAAC,mBAAmB,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC;IA0CrE;;;;;;;;;;OAUG;IACG,WAAW,CAAC,UAAU,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE;QAAE,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAmHpG;;;OAGG;IACG,eAAe,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;YAoDhC,OAAO;IAgDrB,OAAO,CAAC,KAAK;YAsCC,SAAS;IAyIvB,OAAO,CAAC,QAAQ;IAypBhB;;;;OAIG;YACW,sBAAsB;IAmRpC;;;OAGG;YACW,6BAA6B;IA6C3C;;;OAGG;YACW,iBAAiB;IAwD/B;;;OAGG;IACG,kBAAkB,CACtB,SAAS,EAAE,MAAM,EACjB,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;QAAE,OAAO,CAAC,EAAE,MAAM,CAAA;KAAE,GAC7B,OAAO,CAAC,IAAI,CAAC;IA8ChB;;;OAGG;YACW,oBAAoB;IAkDlC;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IAqC5B;;;OAGG;YACW,oBAAoB;IAyBlC;;;OAGG;YACW,uBAAuB;IAkCrC;;;;OAIG;YACW,mBAAmB;IAuEjC;;;;OAIG;YACW,oBAAoB;IA8ElC;;;OAGG;YACW,kBAAkB;IAyNhC;;OAEG;IACH,OAAO,CAAC,0BAA0B;IAiBlC;;;;OAIG;YACW,oBAAoB;IAuClC;;;OAGG;YACW,4BAA4B;IA2F1C;;OAEG;YACW,oBAAoB;IAqGlC;;;OAGG;IACH;;;OAGG;YACW,mBAAmB;IAsKjC,OAAO,CAAC,QAAQ;IAMhB,OAAO,CAAC,UAAU;YAMJ,mBAAmB;IAmCjC,OAAO,CAAC,UAAU;IAelB,OAAO,CAAC,SAAS;IAOjB,OAAO,CAAC,kBAAkB;IAe1B,OAAO,CAAC,iBAAiB;IAOzB,OAAO,CAAC,iBAAiB;IAOzB,OAAO,CAAC,gBAAgB;YAOV,qBAAqB;IAuCnC,OAAO,CAAC,kBAAkB;IA4C1B,OAAO,CAAC,SAAS;IAejB,OAAO,CAAC,kBAAkB;IA2H1B,OAAO,CAAC,iBAAiB;IAQzB,OAAO,CAAC,YAAY;IAKpB;;;OAGG;YACW,aAAa;IAyB3B;;;OAGG;IACH,OAAO,CAAC,qBAAqB;CAqB9B"}

package/dist/cli.js

@@ -46919,6 +46919,12 @@ var init_channel = __esm({
       get telemetry() {
         return this._telemetryReporter;
       }
+      /**
+       * Check if a skill is in shadow mode. Returns the shadow config if active, undefined otherwise.
+       */
+      getShadowConfig(skillName) {
+        return this._persisted?.shadowSkills?.[skillName];
+      }
       async start() {
         this._stopped = false;
         await libsodium_wrappers_default.ready;
@@ -48529,6 +48535,46 @@ var init_channel = __esm({
               }
               this.emit("hub_identity_role_changed", data.data);
             }
+            if (data.event === "shadow_config_sync") {
+              if (this._persisted && data.data?.skills) {
+                this._persisted.shadowSkills = data.data.skills;
+                this._persistState();
+                console.log(`[SecureChannel] Shadow config synced: ${Object.keys(data.data.skills).length} skill(s)`);
+              }
+            }
+            if (data.event === "shadow_session_created") {
+              if (this._persisted && data.data?.skill_name) {
+                if (!this._persisted.shadowSkills) this._persisted.shadowSkills = {};
+                this._persisted.shadowSkills[data.data.skill_name] = {
+                  sessionId: data.data.session_id,
+                  autonomyLevel: data.data.autonomy_level,
+                  decisionClass: data.data.decision_class
+                };
+                this._persistState();
+                console.log(`[SecureChannel] Shadow session created for skill: ${data.data.skill_name}`);
+              }
+              this.emit("shadow_session_created", data.data);
+            }
+            if (data.event === "shadow_session_graduated") {
+              if (this._persisted?.shadowSkills && data.data?.skill_name) {
+                if (data.data.autonomy_level === "autonomous") {
+                  delete this._persisted.shadowSkills[data.data.skill_name];
+                } else {
+                  const entry = this._persisted.shadowSkills[data.data.skill_name];
+                  if (entry) entry.autonomyLevel = data.data.autonomy_level;
+                }
+                this._persistState();
+                console.log(`[SecureChannel] Shadow session graduated: ${data.data.skill_name} \u2192 ${data.data.autonomy_level}`);
+              }
+              this.emit("shadow_session_graduated", data.data);
+            }
+            if (data.event === "shadow_session_deleted") {
+              if (this._persisted?.shadowSkills && data.data?.skill_name) {
+                delete this._persisted.shadowSkills[data.data.skill_name];
+                this._persistState();
+              }
+              this.emit("shadow_session_deleted", data.data);
+            }
             if (data.event === "hub_identity_removed") {
               if (this._persisted) {
                 delete this._persisted.hubAddress;