@nuanu-ai/agentbrowse 0.2.46 → 0.2.48

package/dist/secrets/intent-output.js

@@ -1,64 +1,10 @@
+import { describeSecretRequestStatus, serializeSecretRequest, serializeSecretRequestContext, } from './request-output.js';
 export function serializeSecretIntent(snapshot) {
-    return {
-        intentId: snapshot.intentId,
-        fillRef: snapshot.fillRef,
-        storedSecretRef: snapshot.storedSecretRef,
-        status: snapshot.status,
-        ...(snapshot.approvalChannel ? { approvalChannel: snapshot.approvalChannel } : {}),
-        createdAt: snapshot.createdAt,
-        ...(snapshot.expiresAt ? { expiresAt: snapshot.expiresAt } : {}),
-        ...(snapshot.approvedAt ? { approvedAt: snapshot.approvedAt } : {}),
-        ...(snapshot.completedAt ? { completedAt: snapshot.completedAt } : {}),
-    };
+    return serializeSecretRequest(snapshot);
 }
 export function serializeSecretIntentContext(snapshot) {
-    return {
-        storedSecretRef: snapshot.storedSecretRef,
-        ...(snapshot.approvalChannel ? { approvalChannel: snapshot.approvalChannel } : {}),
-        createdAt: snapshot.createdAt,
-        ...(snapshot.expiresAt ? { expiresAt: snapshot.expiresAt } : {}),
-        ...(snapshot.approvedAt ? { approvedAt: snapshot.approvedAt } : {}),
-        ...(snapshot.completedAt ? { completedAt: snapshot.completedAt } : {}),
-    };
+    return serializeSecretRequestContext(snapshot);
 }
 export function describeSecretIntentStatus(status) {
-    switch (status) {
-        case 'pending':
-        case 'checking':
-        case 'notify':
-        case 'confirmation':
-            return {
-                outcomeType: 'approval_pending',
-                message: 'Protected intent is waiting for user approval.',
-                reason: 'AgentPay Cabinet has not approved this intent yet.',
-                nextAction: 'wait-for-approval',
-            };
-        case 'approved':
-            return {
-                message: 'Protected intent is approved and waiting for one-time delivery polling.',
-                reason: 'AgentPay approved this protected request, but AgentBrowse must poll again to receive the one-time secret payload.',
-                nextAction: 'poll-intent',
-            };
-        case 'denied':
-            return {
-                outcomeType: 'approval_denied',
-                message: 'Protected intent was denied and cannot be used.',
-                reason: 'AgentPay Cabinet reports that the user denied this protected action.',
-                nextAction: 'ask-user',
-            };
-        case 'timed_out':
-            return {
-                outcomeType: 'intent_expired',
-                message: 'Protected intent is no longer usable.',
-                reason: 'AgentPay Cabinet reports that this intent timed out before it could be used.',
-                nextAction: 'ask-user',
-            };
-        case 'completed':
-            return {
-                outcomeType: 'intent_expired',
-                message: 'Protected intent is no longer reusable.',
-                reason: 'AgentPay reports that this intent already completed, so any further protected action requires a new intent.',
-                nextAction: 'ask-user',
-            };
-    }
+    return describeSecretRequestStatus(status, 'secret_read');
 }

package/dist/secrets/mock-agentpay-cabinet.d.ts

@@ -1,42 +1,53 @@
-import type { SecretIntentSnapshot } from './types.js';
-export interface MockSecretIntentRecord extends SecretIntentSnapshot {
-    approvalChannel: 'agentpay-cabinet';
-    host: string;
-    pageRef: string;
-    pollCount: number;
-}
-interface MockSecretIntentStore {
-    version: 1;
-    nextIntent: number;
-    intents: Record<string, MockSecretIntentRecord>;
+import type { SecretRequestSnapshot, StoredSecretKind } from './types.js';
+import type { ClaimSecretRequestResult, CreateSecretRequestResult, SecretRequestHintField, SecretRequestPollResult } from './backend.js';
+type MockClaimRecord = {
+    claimId: string;
+    issuedAt: string;
+};
+export interface MockSecretRequestRecord extends SecretRequestSnapshot {
+    sessionId: string;
+    purpose: string;
+    fields: SecretRequestHintField[];
+    claims: MockClaimRecord[];
+    approvedAt?: string;
 }
-interface IntentLifecycleOptions {
+type MockSecretRequestStore = {
+    version: 2;
+    nextRequest: number;
+    requests: Record<string, MockSecretRequestRecord>;
+};
+type RequestLifecycleOptions = {
     now?: string;
-}
-export interface CreateMockSecretIntentInput extends IntentLifecycleOptions {
+};
+export interface CreateMockSecretRequestInput extends RequestLifecycleOptions {
+    sessionId: string;
+    clientRequestId: string;
     fillRef: string;
-    storedSecretRef: string;
+    purpose: string;
+    merchantName?: string;
     host: string;
     pageRef: string;
     scopeRef?: string;
+    storedSecretRef?: string;
+    kind?: StoredSecretKind;
+    fields: SecretRequestHintField[];
     expiresAt?: string;
 }
-export interface CreateMockSecretIntentResult {
-    intent: MockSecretIntentRecord;
-    reused: boolean;
+export interface CreateMockSecretRequestResult extends CreateSecretRequestResult {
 }
-declare function readMockStore(): MockSecretIntentStore;
+declare function readMockStore(): MockSecretRequestStore;
 declare function defaultExpiry(createdAt: string): string;
-declare function progressIntentStatus(record: MockSecretIntentRecord, now: string): MockSecretIntentRecord;
-export declare function createOrReuseMockSecretIntent(input: CreateMockSecretIntentInput): CreateMockSecretIntentResult;
-export declare function getMockSecretIntent(intentId: string, options?: IntentLifecycleOptions): MockSecretIntentRecord | null;
-export declare function approveMockSecretIntent(intentId: string, options?: IntentLifecycleOptions): MockSecretIntentRecord;
-export declare function denyMockSecretIntent(intentId: string, options?: IntentLifecycleOptions): MockSecretIntentRecord;
-export declare function markMockSecretIntentCompleted(intentId: string, options?: IntentLifecycleOptions): MockSecretIntentRecord;
-export declare function resetMockSecretIntentStore(): void;
+export declare function createOrReuseMockSecretRequest(input: CreateMockSecretRequestInput): CreateMockSecretRequestResult;
+export declare function getMockSecretRequest(sessionId: string, requestId: string, options?: RequestLifecycleOptions): SecretRequestPollResult | null;
+export declare function approveMockSecretRequest(requestId: string, options?: RequestLifecycleOptions): MockSecretRequestRecord;
+export declare function denyMockSecretRequest(requestId: string, options?: RequestLifecycleOptions): MockSecretRequestRecord;
+export declare function claimMockSecretRequest(sessionId: string, requestId: string, claimId: string, options: RequestLifecycleOptions & {
+    resolveValues: (storedSecretRef: string) => Record<string, string> | null;
+}): ClaimSecretRequestResult;
+export declare function resetMockSecretRequestStore(): void;
+export declare function getMockSecretRequestRecord(requestId: string, options?: RequestLifecycleOptions): MockSecretRequestRecord | null;
 export declare const __testMockCabinet: {
     defaultExpiry: typeof defaultExpiry;
-    progressIntentStatus: typeof progressIntentStatus;
     readMockStore: typeof readMockStore;
 };
 export {};

package/dist/secrets/mock-agentpay-cabinet.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mock-agentpay-cabinet.d.ts","sourceRoot":"","sources":["../../src/secrets/mock-agentpay-cabinet.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,oBAAoB,EAAsB,MAAM,YAAY,CAAC;AAY3E,MAAM,WAAW,sBAAuB,SAAQ,oBAAoB;IAClE,eAAe,EAAE,kBAAkB,CAAC;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CACnB;AAED,UAAU,qBAAqB;IAC7B,OAAO,EAAE,CAAC,CAAC;IACX,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,sBAAsB,CAAC,CAAC;CACjD;AAED,UAAU,sBAAsB;IAC9B,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,2BAA4B,SAAQ,sBAAsB;IACzE,OAAO,EAAE,MAAM,CAAC;IAChB,eAAe,EAAE,MAAM,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,4BAA4B;IAC3C,MAAM,EAAE,sBAAsB,CAAC;IAC/B,MAAM,EAAE,OAAO,CAAC;CACjB;AAQD,iBAAS,aAAa,IAAI,qBAAqB,CAyB9C;AAWD,iBAAS,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAEhD;AAaD,iBAAS,oBAAoB,CAAC,MAAM,EAAE,sBAAsB,EAAE,GAAG,EAAE,MAAM,GAAG,sBAAsB,CAmCjG;AAUD,wBAAgB,6BAA6B,CAC3C,KAAK,EAAE,2BAA2B,GACjC,4BAA4B,CAuC9B;AAED,wBAAgB,mBAAmB,CACjC,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,sBAA2B,GACnC,sBAAsB,GAAG,IAAI,CAW/B;AAqCD,wBAAgB,uBAAuB,CACrC,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,sBAA2B,GACnC,sBAAsB,CAExB;AAED,wBAAgB,oBAAoB,CAClC,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,sBAA2B,GACnC,sBAAsB,CAExB;AAED,wBAAgB,6BAA6B,CAC3C,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE,sBAA2B,GACnC,sBAAsB,CAexB;AAED,wBAAgB,0BAA0B,IAAI,IAAI,CAIjD;AAED,eAAO,MAAM,iBAAiB;;;;CAI7B,CAAC"}
+{"version":3,"file":"mock-agentpay-cabinet.d.ts","sourceRoot":"","sources":["../../src/secrets/mock-agentpay-cabinet.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EACV,qBAAqB,EAIrB,gBAAgB,EACjB,MAAM,YAAY,CAAC;AACpB,OAAO,KAAK,EACV,wBAAwB,EACxB,yBAAyB,EAEzB,sBAAsB,EACtB,uBAAuB,EACxB,MAAM,cAAc,CAAC;AAKtB,KAAK,eAAe,GAAG;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF,MAAM,WAAW,uBAAwB,SAAQ,qBAAqB;IACpE,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,sBAAsB,EAAE,CAAC;IACjC,MAAM,EAAE,eAAe,EAAE,CAAC;IAC1B,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,KAAK,sBAAsB,GAAG;IAC5B,OAAO,EAAE,CAAC,CAAC;IACX,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,uBAAuB,CAAC,CAAC;CACnD,CAAC;AAIF,KAAK,uBAAuB,GAAG;IAC7B,GAAG,CAAC,EAAE,MAAM,CAAC;CACd,CAAC;AAEF,MAAM,WAAW,4BAA6B,SAAQ,uBAAuB;IAC3E,SAAS,EAAE,MAAM,CAAC;IAClB,eAAe,EAAE,MAAM,CAAC;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,IAAI,CAAC,EAAE,gBAAgB,CAAC;IACxB,MAAM,EAAE,sBAAsB,EAAE,CAAC;IACjC,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,6BAA8B,SAAQ,yBAAyB;CAAG;AAQnF,iBAAS,aAAa,IAAI,sBAAsB,CAuB/C;AAWD,iBAAS,aAAa,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAEhD;AA+FD,wBAAgB,8BAA8B,CAC5C,KAAK,EAAE,4BAA4B,GAClC,6BAA6B,CA6C/B;AAED,wBAAgB,oBAAoB,CAClC,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,uBAA4B,GACpC,uBAAuB,GAAG,IAAI,CAchC;AAqCD,wBAAgB,wBAAwB,CACtC,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,uBAA4B,GACpC,uBAAuB,CAEzB;AAED,wBAAgB,qBAAqB,CACnC,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,uBAA4B,GACpC,uBAAuB,CAEzB;AAED,wBAAgB,sBAAsB,CACpC,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,uBAAuB,GAAG;IACjC,aAAa,EAAE,CAAC,eAAe,EAAE,MAAM,KAAK,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC;CAC3E,GACA,wBAAwB,CAiD1B;AAED,wBAAgB,2BAA2B,IAAI,IAAI,CAIlD;AAED,wBAAgB,0BAA0B,CACxC,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,uBAA4B,kCAWtC;AAED,eAAO,MAAM,iBAAiB;;;CAG7B,CAAC"}

package/dist/secrets/mock-agentpay-cabinet.js

@@ -3,13 +3,6 @@ import { homedir } from 'node:os';
 import { join } from 'node:path';
 const MOCK_CABINET_DIR = join(homedir(), '.agentpay');
 const MOCK_CABINET_PATH = join(MOCK_CABINET_DIR, 'mock-secret-intents.json');
-const APPROVAL_CHANNEL = 'agentpay-cabinet';
-const TERMINAL_INTENT_STATUSES = new Set([
-    'approved',
-    'denied',
-    'timed_out',
-    'completed',
-]);
 function ensureMockCabinetDir() {
     if (!existsSync(MOCK_CABINET_DIR)) {
         mkdirSync(MOCK_CABINET_DIR, { recursive: true });
@@ -18,24 +11,24 @@ function ensureMockCabinetDir() {
 function readMockStore() {
     if (!existsSync(MOCK_CABINET_PATH)) {
         return {
-            version: 1,
-            nextIntent: 1,
-            intents: {},
+            version: 2,
+            nextRequest: 1,
+            requests: {},
         };
     }
     try {
         const raw = JSON.parse(readFileSync(MOCK_CABINET_PATH, 'utf-8'));
         return {
-            version: 1,
-            nextIntent: Number.isFinite(raw.nextIntent) ? Number(raw.nextIntent) : 1,
-            intents: raw.intents ?? {},
+            version: 2,
+            nextRequest: Number.isFinite(raw.nextRequest) ? Number(raw.nextRequest) : 1,
+            requests: raw.requests ?? {},
         };
     }
     catch {
         return {
-            version: 1,
-            nextIntent: 1,
-            intents: {},
+            version: 2,
+            nextRequest: 1,
+            requests: {},
         };
     }
 }
@@ -50,151 +43,224 @@ function defaultExpiry(createdAt) {
     return new Date(new Date(createdAt).getTime() + 15 * 60_000).toISOString();
 }
 function isExpired(record, now) {
-    if (!record.expiresAt || TERMINAL_INTENT_STATUSES.has(record.status)) {
+    if (!record.expiresAt || record.status !== 'pending') {
         return false;
     }
     return new Date(record.expiresAt).getTime() <= new Date(now).getTime();
 }
-function progressIntentStatus(record, now) {
-    if (isExpired(record, now)) {
-        return {
-            ...record,
-            status: 'timed_out',
-        };
+function requestStatusForSession(status) {
+    return status === 'pending' ? 'waiting_for_user' : 'in_progress';
+}
+function toSessionState(record) {
+    return {
+        sessionId: record.sessionId,
+        status: requestStatusForSession(record.status),
+        currentRequestId: record.status === 'pending' ? record.requestId : null,
+        lastEventSeq: 0,
+        browserSessionId: null,
+    };
+}
+function buildRequestKey(input) {
+    return JSON.stringify({
+        sessionId: input.sessionId,
+        fillRef: input.fillRef,
+        storedSecretRef: input.storedSecretRef ?? null,
+        kind: input.kind ?? null,
+        host: input.host,
+        scopeRef: input.scopeRef ?? null,
+        fields: [...input.fields].map((field) => field.key).sort(),
+        purpose: input.purpose,
+    });
+}
+function requestMatchesKey(record, key) {
+    return (JSON.stringify({
+        sessionId: record.sessionId,
+        fillRef: record.fillRef,
+        storedSecretRef: record.storedSecretRef ?? null,
+        kind: record.kind ?? null,
+        host: record.host ?? null,
+        scopeRef: record.scopeRef ?? null,
+        fields: [...record.fields].map((field) => field.key).sort(),
+        purpose: record.purpose,
+    }) === key);
+}
+function nextRequestId(store) {
+    return `sr_mock_${store.nextRequest++}`;
+}
+function findReusableRequest(store, input) {
+    const requestKey = buildRequestKey(input);
+    const matching = Object.values(store.requests).filter((request) => request.sessionId === input.sessionId && requestMatchesKey(request, requestKey));
+    const reusableFulfilled = matching.find((request) => request.status === 'fulfilled' && request.claims.length === 0);
+    if (reusableFulfilled) {
+        return reusableFulfilled;
+    }
+    return matching.find((request) => request.status === 'pending') ?? null;
+}
+function normalizeRequest(record, now) {
+    if (!isExpired(record, now)) {
+        return record;
     }
-    switch (record.status) {
-        case 'pending':
-            return {
-                ...record,
-                status: 'checking',
-                pollCount: record.pollCount + 1,
-            };
-        case 'checking':
-            return {
-                ...record,
-                status: 'notify',
-                pollCount: record.pollCount + 1,
-            };
-        case 'notify':
-            return {
-                ...record,
-                status: 'confirmation',
-                pollCount: record.pollCount + 1,
-            };
-        case 'confirmation':
-            return {
-                ...record,
-                pollCount: record.pollCount + 1,
-            };
-        default:
-            return record;
-    }
-}
-function isActiveIntentStatus(status) {
-    return !TERMINAL_INTENT_STATUSES.has(status);
-}
-function nextIntentId(store) {
-    return `si_mock_${store.nextIntent++}`;
-}
-export function createOrReuseMockSecretIntent(input) {
+    return {
+        ...record,
+        status: 'expired',
+        updatedAt: now,
+        resolvedAt: now,
+    };
+}
+function requestTypeForStoredSecret(storedSecretRef) {
+    return storedSecretRef ? 'secret_read' : 'secret_write';
+}
+export function createOrReuseMockSecretRequest(input) {
     const store = readMockStore();
-    const createdAt = nowIso(input.now);
-    const existing = Object.values(store.intents).find((intent) => intent.fillRef === input.fillRef &&
-        intent.storedSecretRef === input.storedSecretRef &&
-        isActiveIntentStatus(intent.status));
+    const now = nowIso(input.now);
+    const existing = findReusableRequest(store, input);
     if (existing) {
+        const normalized = normalizeRequest(existing, now);
+        store.requests[normalized.requestId] = normalized;
+        writeMockStore(store);
         return {
-            intent: existing,
+            snapshot: normalized,
             reused: true,
+            duplicate: false,
+            session: toSessionState(normalized),
         };
     }
-    const intentId = nextIntentId(store);
-    const intent = {
-        intentId,
+    const requestId = nextRequestId(store);
+    const request = {
+        requestId,
+        sessionId: input.sessionId,
         fillRef: input.fillRef,
-        storedSecretRef: input.storedSecretRef,
+        requestType: requestTypeForStoredSecret(input.storedSecretRef),
         status: 'pending',
-        approvalChannel: APPROVAL_CHANNEL,
+        ...(input.storedSecretRef ? { storedSecretRef: input.storedSecretRef } : {}),
+        ...(input.kind ? { kind: input.kind } : {}),
         host: input.host,
         pageRef: input.pageRef,
         scopeRef: input.scopeRef,
-        createdAt,
-        expiresAt: input.expiresAt ?? defaultExpiry(createdAt),
-        pollCount: 0,
+        createdAt: now,
+        updatedAt: now,
+        expiresAt: input.expiresAt ?? defaultExpiry(now),
+        purpose: input.purpose,
+        fields: input.fields.map((field) => ({ ...field })),
+        claims: [],
     };
-    store.intents[intentId] = intent;
+    store.requests[requestId] = request;
     writeMockStore(store);
     return {
-        intent,
+        snapshot: request,
         reused: false,
+        duplicate: false,
+        session: toSessionState(request),
     };
 }
-export function getMockSecretIntent(intentId, options = {}) {
+export function getMockSecretRequest(sessionId, requestId, options = {}) {
     const store = readMockStore();
-    const current = store.intents[intentId];
-    if (!current) {
+    const current = store.requests[requestId];
+    if (!current || current.sessionId !== sessionId) {
         return null;
     }
-    const next = progressIntentStatus(current, nowIso(options.now));
-    store.intents[intentId] = next;
+    const normalized = normalizeRequest(current, nowIso(options.now));
+    store.requests[requestId] = normalized;
     writeMockStore(store);
-    return next;
+    return {
+        snapshot: normalized,
+        session: toSessionState(normalized),
+    };
 }
-function transitionIntentDecision(intentId, status, options = {}) {
+function transitionRequestDecision(requestId, status, options = {}) {
     const store = readMockStore();
-    const current = store.intents[intentId];
+    const current = store.requests[requestId];
     if (!current) {
-        throw new Error('secret_intent_not_found');
+        throw new Error('secret_request_not_found');
     }
-    if (isExpired(current, nowIso(options.now))) {
-        const timedOut = {
-            ...current,
-            status: 'timed_out',
-        };
-        store.intents[intentId] = timedOut;
+    const now = nowIso(options.now);
+    const normalized = normalizeRequest(current, now);
+    if (normalized.status === 'expired') {
+        store.requests[requestId] = normalized;
         writeMockStore(store);
-        throw new Error('secret_intent_timed_out');
+        throw new Error('secret_request_expired');
     }
-    if (!(current.status === 'notify' || current.status === 'confirmation')) {
-        throw new Error(`secret_intent_not_awaiting_decision:${current.status}`);
+    if (normalized.status !== 'pending') {
+        throw new Error(`secret_request_not_pending:${normalized.status}`);
     }
     const decided = {
-        ...current,
+        ...normalized,
         status,
-        approvedAt: status === 'approved' ? nowIso(options.now) : current.approvedAt,
+        updatedAt: now,
+        resolvedAt: now,
+        ...(status === 'fulfilled' ? { approvedAt: now } : {}),
     };
-    store.intents[intentId] = decided;
+    store.requests[requestId] = decided;
     writeMockStore(store);
     return decided;
 }
-export function approveMockSecretIntent(intentId, options = {}) {
-    return transitionIntentDecision(intentId, 'approved', options);
+export function approveMockSecretRequest(requestId, options = {}) {
+    return transitionRequestDecision(requestId, 'fulfilled', options);
 }
-export function denyMockSecretIntent(intentId, options = {}) {
-    return transitionIntentDecision(intentId, 'denied', options);
+export function denyMockSecretRequest(requestId, options = {}) {
+    return transitionRequestDecision(requestId, 'denied', options);
 }
-export function markMockSecretIntentCompleted(intentId, options = {}) {
+export function claimMockSecretRequest(sessionId, requestId, claimId, options) {
     const store = readMockStore();
-    const current = store.intents[intentId];
-    if (!current) {
-        throw new Error('secret_intent_not_found');
+    const current = store.requests[requestId];
+    if (!current || current.sessionId !== sessionId) {
+        throw new Error('secret_request_not_found');
+    }
+    const now = nowIso(options.now);
+    const normalized = normalizeRequest(current, now);
+    if (normalized.status !== 'fulfilled') {
+        throw new Error(`secret_request_not_fulfilled:${normalized.status}`);
     }
-    const completed = {
-        ...current,
-        status: 'completed',
-        completedAt: nowIso(options.now),
+    const existingClaim = normalized.claims.find((claim) => claim.claimId === claimId);
+    if (!existingClaim && normalized.claims.length > 0) {
+        throw new Error('secret_request_already_claimed');
+    }
+    const storedSecretRef = normalized.storedSecretRef;
+    if (!storedSecretRef) {
+        throw new Error('mock_secret_values_missing');
+    }
+    const values = options.resolveValues(storedSecretRef);
+    if (!values) {
+        throw new Error('mock_secret_values_missing');
+    }
+    const issuedAt = existingClaim?.issuedAt ?? now;
+    if (!existingClaim) {
+        store.requests[requestId] = {
+            ...normalized,
+            updatedAt: now,
+            claims: [...normalized.claims, { claimId, issuedAt }],
+        };
+        writeMockStore(store);
+    }
+    return {
+        requestId,
+        issuedAt,
+        expiresAt: normalized.expiresAt,
+        secret: {
+            values: values,
+            source: 'saved_secret',
+            storedSecretRef,
+            ...(normalized.kind ? { kind: normalized.kind } : {}),
+        },
     };
-    store.intents[intentId] = completed;
-    writeMockStore(store);
-    return completed;
 }
-export function resetMockSecretIntentStore() {
+export function resetMockSecretRequestStore() {
     if (existsSync(MOCK_CABINET_PATH)) {
         unlinkSync(MOCK_CABINET_PATH);
     }
 }
+export function getMockSecretRequestRecord(requestId, options = {}) {
+    const store = readMockStore();
+    const current = store.requests[requestId];
+    if (!current) {
+        return null;
+    }
+    const normalized = normalizeRequest(current, nowIso(options.now));
+    store.requests[requestId] = normalized;
+    writeMockStore(store);
+    return normalized;
+}
 export const __testMockCabinet = {
     defaultExpiry,
-    progressIntentStatus,
     readMockStore,
 };

package/dist/secrets/protected-artifact-guard.d.ts

@@ -5,7 +5,7 @@ export interface ProtectedArtifactsSuppressed {
     reason: string;
     pageRef: string;
     fillRef: string;
-    intentId: string;
+    requestId: string;
     activatedAt: string;
     exposureReason: ProtectedExposureState['reason'];
     message: string;
@@ -17,7 +17,7 @@ export declare function buildProtectedScreenshotBlockedResult(exposure: Protecte
     reason: string;
     pageRef: string;
     fillRef: string;
-    intentId: string;
+    requestId: string;
     activatedAt: string;
     exposureReason: "protected_fill_success" | "protected_fill_binding_stale" | "protected_fill_validation_failed" | "protected_fill_unexpected_error";
     message: string;

package/dist/secrets/protected-artifact-guard.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"protected-artifact-guard.d.ts","sourceRoot":"","sources":["../../src/secrets/protected-artifact-guard.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAElE,MAAM,WAAW,4BAA4B;IAC3C,UAAU,EAAE,IAAI,CAAC;IACjB,WAAW,EAAE,2BAA2B,CAAC;IACzC,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,sBAAsB,CAAC,QAAQ,CAAC,CAAC;IACjD,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,wBAAgB,iCAAiC,CAC/C,QAAQ,EAAE,sBAAsB,GAC/B,4BAA4B,CAc9B;AAED,wBAAgB,qCAAqC,CAAC,QAAQ,EAAE,sBAAsB;;;;;;;;;;EAcrF"}
+{"version":3,"file":"protected-artifact-guard.d.ts","sourceRoot":"","sources":["../../src/secrets/protected-artifact-guard.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAElE,MAAM,WAAW,4BAA4B;IAC3C,UAAU,EAAE,IAAI,CAAC;IACjB,WAAW,EAAE,2BAA2B,CAAC;IACzC,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,sBAAsB,CAAC,QAAQ,CAAC,CAAC;IACjD,OAAO,EAAE,MAAM,CAAC;CACjB;AAED,wBAAgB,iCAAiC,CAC/C,QAAQ,EAAE,sBAAsB,GAC/B,4BAA4B,CAc9B;AAED,wBAAgB,qCAAqC,CAAC,QAAQ,EAAE,sBAAsB;;;;;;;;;;EAcrF"}

package/dist/secrets/protected-artifact-guard.js

@@ -5,7 +5,7 @@ export function buildProtectedArtifactsSuppressed(exposure) {
         reason: 'Failure artifacts were suppressed because protected values may still be visible on the page.',
         pageRef: exposure.pageRef,
         fillRef: exposure.fillRef,
-        intentId: exposure.intentId,
+        requestId: exposure.requestId,
         activatedAt: exposure.activatedAt,
         exposureReason: exposure.reason,
         message: 'Failure artifacts were suppressed because protected values may still be visible on the page.',
@@ -18,7 +18,7 @@ export function buildProtectedScreenshotBlockedResult(exposure) {
         reason: 'Screenshot capture is currently restricted because protected values may still be visible on the page.',
         pageRef: exposure.pageRef,
         fillRef: exposure.fillRef,
-        intentId: exposure.intentId,
+        requestId: exposure.requestId,
         activatedAt: exposure.activatedAt,
         exposureReason: exposure.reason,
         message: 'Screenshot capture is blocked because protected values may still be visible on the page.',

package/dist/secrets/protected-bindings.d.ts

@@ -1,6 +1,6 @@
 import { z } from 'zod';
 import { type ProtectedBindingValueHint } from './types.js';
-export declare const protectedBindingValueHintSchema: z.ZodEnum<["direct", "full_name.given", "full_name.family"]>;
+export declare const protectedBindingValueHintSchema: z.ZodEnum<["direct", "full_name.given", "full_name.family", "date_of_birth.day", "date_of_birth.month", "date_of_birth.year"]>;
 export declare function normalizeProtectedBindingValueHint(fieldKey: string, valueHint?: string | null): ProtectedBindingValueHint;
 export declare function protectedBindingKey(binding: {
     targetRef: string;

package/dist/secrets/protected-bindings.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"protected-bindings.d.ts","sourceRoot":"","sources":["../../src/secrets/protected-bindings.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAiC,KAAK,yBAAyB,EAAE,MAAM,YAAY,CAAC;AAE3F,eAAO,MAAM,+BAA+B,8DAAwC,CAAC;AAErF,wBAAgB,kCAAkC,CAChD,QAAQ,EAAE,MAAM,EAChB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,GACxB,yBAAyB,CAS3B;AAED,wBAAgB,mBAAmB,CAAC,OAAO,EAAE;IAC3C,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B,GAAG,MAAM,CAMT;AAED,wBAAgB,0BAA0B,CAAC,OAAO,EAAE;IAClD,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B,GAAG,MAAM,CAKT"}
+{"version":3,"file":"protected-bindings.d.ts","sourceRoot":"","sources":["../../src/secrets/protected-bindings.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAiC,KAAK,yBAAyB,EAAE,MAAM,YAAY,CAAC;AAE3F,eAAO,MAAM,+BAA+B,gIAAwC,CAAC;AAErF,wBAAgB,kCAAkC,CAChD,QAAQ,EAAE,MAAM,EAChB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,GACxB,yBAAyB,CAkB3B;AAED,wBAAgB,mBAAmB,CAAC,OAAO,EAAE;IAC3C,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B,GAAG,MAAM,CAMT;AAED,wBAAgB,0BAA0B,CAAC,OAAO,EAAE;IAClD,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B,GAAG,MAAM,CAKT"}

package/dist/secrets/protected-bindings.js

@@ -6,6 +6,12 @@ export function normalizeProtectedBindingValueHint(fieldKey, valueHint) {
         (valueHint === 'full_name.given' || valueHint === 'full_name.family')) {
         return valueHint;
     }
+    if (fieldKey === 'date_of_birth' &&
+        (valueHint === 'date_of_birth.day' ||
+            valueHint === 'date_of_birth.month' ||
+            valueHint === 'date_of_birth.year')) {
+        return valueHint;
+    }
     return 'direct';
 }
 export function protectedBindingKey(binding) {

package/dist/secrets/protected-field-semantics.d.ts

@@ -0,0 +1,9 @@
+import type { TargetDescriptor } from '../runtime-state.js';
+import type { ProtectedBindingValueHint, StoredSecretFieldKey, StoredSecretKind } from './types.js';
+export interface ProtectedFieldMeaningHint {
+    kind: StoredSecretKind;
+    fieldKey: StoredSecretFieldKey;
+    valueHint: ProtectedBindingValueHint;
+}
+export declare function inferProtectedFieldMeaningFromTarget(target: TargetDescriptor): ProtectedFieldMeaningHint[];
+//# sourceMappingURL=protected-field-semantics.d.ts.map

package/dist/secrets/protected-field-semantics.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"protected-field-semantics.d.ts","sourceRoot":"","sources":["../../src/secrets/protected-field-semantics.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,qBAAqB,CAAC;AAC5D,OAAO,KAAK,EAAE,yBAAyB,EAAE,oBAAoB,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AAEpG,MAAM,WAAW,yBAAyB;IACxC,IAAI,EAAE,gBAAgB,CAAC;IACvB,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,SAAS,EAAE,yBAAyB,CAAC;CACtC;AAiED,wBAAgB,oCAAoC,CAClD,MAAM,EAAE,gBAAgB,GACvB,yBAAyB,EAAE,CAwJ7B"}