@canonmsg/core 0.20.0 → 0.21.0

package/dist/approval-format.d.ts

@@ -5,6 +5,7 @@ export declare function buildApprovalRequest(approvalId: string, toolName: strin
     riskLevel?: 'normal' | 'destructive';
     risk?: ApprovalRisk;
     category?: ApprovalRequestCategory;
+    responseUserId?: string;
     runtimeId?: string;
     turnId?: string;
     native?: ApprovalNativeRequestMetadata;

package/dist/approval-format.js

@@ -64,6 +64,7 @@ export function buildApprovalRequest(approvalId, toolName, toolInput, opts) {
     const metadata = {
         type: 'approval_request',
         approvalId,
+        ...(opts.responseUserId ? { responseUserId: opts.responseUserId.slice(0, 128) } : {}),
         toolName,
         toolSummary: summary,
         ...(opts.category ? { category: opts.category } : {}),

package/dist/approval-manager.js

@@ -54,6 +54,7 @@ export class ApprovalManager {
             riskLevel: opts?.riskLevel,
             risk: opts?.risk,
             category: opts?.category,
+            responseUserId: this.ownerId,
             runtimeId: opts?.runtimeId,
             turnId: opts?.turnId,
             native: opts?.native,
@@ -65,7 +66,11 @@ export class ApprovalManager {
         // Send the approval request message with metadata
         // Spread to satisfy Record<string, unknown> without double cast
         await this.client.sendMessage(conversationId, text, {
-            metadata: { ...metadata },
+            metadata: {
+                ...metadata,
+                turnSemantics: 'control',
+                replyBehavior: 'suppress_auto_reply',
+            },
         });
         // Wait for reply or timeout
         return new Promise((resolve) => {

package/dist/approval-types.d.ts

@@ -1,6 +1,8 @@
 export interface ApprovalRequestMetadata {
     type: 'approval_request';
     approvalId: string;
+    /** Canon user who should answer this card. UI hint only; reply APIs still enforce authorization. */
+    responseUserId?: string;
     toolName: string;
     /** Pre-computed, redacted summary — raw toolInput is never stored */
     toolSummary: string;

package/dist/approval-types.js

@@ -172,6 +172,7 @@ export function parseApprovalRequestMetadata(value) {
     const expiresMs = Date.parse(expiresAt);
     if (!Number.isFinite(expiresMs))
         return null;
+    const responseUserId = normalizeString(value.responseUserId, 128) ?? undefined;
     const riskLevel = value.riskLevel === 'destructive' || value.riskLevel === 'normal'
         ? value.riskLevel
         : undefined;
@@ -184,6 +185,7 @@ export function parseApprovalRequestMetadata(value) {
     return {
         type: 'approval_request',
         approvalId,
+        ...(responseUserId ? { responseUserId } : {}),
         toolName,
         toolSummary,
         ...(category ? { category } : {}),

package/dist/client.d.ts

@@ -1,4 +1,5 @@
 import { type CanonMessage, type CanonConversation, type CanonContact, type CanonContactRequest, type CanonMessagesPage, type CanonResolveAdmissionResult, type AgentContext, type AddMemberResult, type CreateContactRequestResult, type MediaAttachment, type SendMessageOptions, type CreateConversationOptions, type RegistrationStatus, type SetStreamingOptions } from './types.js';
+import type { RuntimeInputKind } from './runtime-cards.js';
 import type { SendContextualMessageOptions, SendContextualMessageResult } from './self-context.js';
 import type { InboundDisposition } from './turn-protocol.js';
 /**
@@ -53,6 +54,38 @@ export declare class CanonClient {
     setStreaming(options: SetStreamingOptions): Promise<void>;
     clearStreaming(conversationId: string): Promise<void>;
     setTyping(conversationId: string, typing: boolean, status?: 'thinking' | 'typing'): Promise<void>;
+    createRuntimeInputRequest(options: {
+        conversationId: string;
+        inputId: string;
+        kind: RuntimeInputKind;
+        expiresAt: number;
+    }): Promise<{
+        success: true;
+        inputId: string;
+        expiresAt: number;
+    }>;
+    consumeRuntimeInputResponse(options: {
+        conversationId: string;
+        inputId: string;
+        cancel?: boolean;
+    }): Promise<{
+        status: 'pending';
+        inputId: string;
+        expiresAt?: number;
+    } | {
+        status: 'submitted';
+        inputId: string;
+        kind: RuntimeInputKind;
+        value: string;
+    } | {
+        status: 'cancelled';
+        inputId: string;
+        kind: RuntimeInputKind;
+    } | {
+        status: 'timeout';
+        inputId: string;
+        kind: RuntimeInputKind;
+    }>;
     static register(baseUrl: string | undefined, body: {
         name: string;
         description: string;

package/dist/client.js

@@ -319,6 +319,26 @@ export class CanonClient {
         if (!res.ok)
             throw new CanonApiError(res.status, await res.text());
     }
+    async createRuntimeInputRequest(options) {
+        const res = await fetch(`${this.baseUrl}/runtime-input/request`, {
+            method: 'POST',
+            headers: this.authHeaders(),
+            body: JSON.stringify(options),
+        });
+        if (!res.ok)
+            throw new CanonApiError(res.status, await res.text());
+        return res.json();
+    }
+    async consumeRuntimeInputResponse(options) {
+        const res = await fetch(`${this.baseUrl}/runtime-input/consume`, {
+            method: 'POST',
+            headers: this.authHeaders(),
+            body: JSON.stringify(options),
+        });
+        if (!res.ok)
+            throw new CanonApiError(res.status, await res.text());
+        return res.json();
+    }
     // ── Static unauthenticated registration endpoints ────────────────────
     static async register(baseUrl, body) {
         const url = baseUrl || DEFAULT_BASE_URL;

package/dist/runtime-cards.d.ts

@@ -11,6 +11,8 @@ export interface RuntimeQuestionDefinition {
 export interface ClaudeQuestionMetadata {
     type: 'claude_question';
     questionId: string;
+    /** Canon user who should answer this card. UI hint only; reply APIs still enforce authorization. */
+    responseUserId?: string;
     questions: RuntimeQuestionDefinition[];
 }
 export interface ClaudeQuestionReplyMetadata {
@@ -21,6 +23,8 @@ export interface ClaudeQuestionReplyMetadata {
 export interface PlanApprovalMetadata {
     type: 'plan_approval';
     planId: string;
+    /** Canon user who should answer this card. UI hint only; reply APIs still enforce authorization. */
+    responseUserId?: string;
     title?: string;
     summary?: string;
     body?: string;
@@ -54,6 +58,8 @@ export interface RuntimeInputNativeMetadata {
 export interface RuntimeInputRequestMetadata {
     type: 'runtime_input_request';
     inputId: string;
+    /** Canon user who should answer this card. UI hint only; reply APIs still enforce authorization. */
+    responseUserId?: string;
     kind: RuntimeInputKind;
     prompt: string;
     title?: string;
@@ -78,7 +84,9 @@ export interface RuntimeInputOutcomeMetadata {
     status: RuntimeInputResolutionStatus;
     reason?: 'submitted' | 'cancelled' | 'timeout' | 'expired' | 'interrupted';
 }
-export declare function buildQuestionRequest(questionId: string, questions: RuntimeQuestionDefinition[]): {
+export declare function buildQuestionRequest(questionId: string, questions: RuntimeQuestionDefinition[], options?: {
+    responseUserId?: string;
+}): {
     text: string;
     metadata: ClaudeQuestionMetadata;
 };

package/dist/runtime-cards.js

@@ -68,7 +68,7 @@ function assertNoSensitiveRuntimeInputPayload(value) {
         && !('secret' in value)
         && !('rawValue' in value);
 }
-export function buildQuestionRequest(questionId, questions) {
+export function buildQuestionRequest(questionId, questions, options) {
     const text = questions.length === 1
         ? questions[0]?.question || 'Question'
         : `Please answer ${questions.length} questions.`;
@@ -77,6 +77,7 @@ export function buildQuestionRequest(questionId, questions) {
         metadata: {
             type: 'claude_question',
             questionId,
+            ...(options?.responseUserId ? { responseUserId: options.responseUserId.slice(0, 128) } : {}),
             questions,
         },
     };
@@ -124,6 +125,7 @@ export function buildRuntimeInputRequest(inputId, input) {
         metadata: {
             type: 'runtime_input_request',
             inputId,
+            ...(input.responseUserId ? { responseUserId: input.responseUserId.slice(0, 128) } : {}),
             kind: input.kind,
             prompt: input.prompt.slice(0, 1000),
             title: title.slice(0, 120),
@@ -171,6 +173,7 @@ export function parseRuntimeInputRequestMetadata(value) {
     if (!assertNoSensitiveRuntimeInputPayload(value))
         return null;
     const inputId = normalizeString(value.inputId, 128);
+    const responseUserId = normalizeString(value.responseUserId, 128) ?? undefined;
     const kind = normalizeRuntimeInputKind(value.kind);
     const prompt = normalizeString(value.prompt, 1000);
     const expiresAt = normalizeString(value.expiresAt, 128);
@@ -186,6 +189,7 @@ export function parseRuntimeInputRequestMetadata(value) {
     return {
         type: 'runtime_input_request',
         inputId,
+        ...(responseUserId ? { responseUserId } : {}),
         kind,
         prompt,
         ...(title ? { title } : {}),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@canonmsg/core",
-  "version": "0.20.0",
+  "version": "0.21.0",
   "description": "Canon core — shared types, REST client, SSE stream, and registration for Canon messaging",
   "type": "module",
   "main": "dist/index.js",