@r4-sdk/cli 1.0.0 → 1.0.2

package/README.md

@@ -25,7 +25,7 @@ Manage machine agents and bootstrap the local runtime.
 - `r4 agent update <id>` -- Update agent name, budget, and security-group memberships
 - `r4 agent get-tenant-roles <id>` -- Show the explicit and inherited tenant roles for an agent
 - `r4 agent set-tenant-roles <id>` -- Replace the explicit tenant roles for an agent
-- `r4 agent init` -- Read credentials, generate/reuse a private key, register the public key, save the profile, and run a health check
+- `r4 agent init` -- Read credentials, generate/reuse a private key, register the public key, send the local hostname claim for operator visibility, save the profile, and run a health check
 
 ### `r4 auth`
 Manage API key authentication.
@@ -76,9 +76,10 @@ Inspect the active runtime context.
 Manage vault secrets.
 - `r4 vault create` -- Create a checkpoint-signed vault from inline JSON or `--body-file`
 - `r4 vault create-item <vaultId>` -- Create a checkpoint-signed vault item from inline JSON or `--body-file`
+- `r4 vault download-asset <vaultId> <assetId> [--output <path>]` -- Download and locally decrypt a vault attachment
 - `r4 vault list` -- List locally decrypted environment variables
 - `r4 vault get <name>` -- Get a specific locally decrypted secret
-- `r4 vault list-items` -- List vault item metadata without local decryption
+- `r4 vault list-items` -- List vault item metadata without local decryption, including hidden parent-vault item shares
 - `r4 vault items --metadata-only` -- Metadata-only alias when decryption is failing
 
 ### `r4 project`
@@ -160,11 +161,16 @@ Operators should let the runtime complete that first public-key registration
 before they assign security-group, project, or direct vault access to the
 agent. Re-registering the same key is safe, and rotating to a different key is
 supported when the caller submits the replacement `rewrappedVaultKeys` batch for
-the active vault DEKs that key can reach.
+the active vault DEKs that key can reach. Official CLI registration requests
+also send `X-R4-Agent-Hostname: <local hostname>` so the platform Agents table
+can show where the active runtime key most recently initialized.
 
 When decryption is failing but API access is otherwise correct, use
 `r4 doctor`, `r4 vault list-items`, or `r4 vault items --metadata-only` to
 separate metadata/access problems from local key or trust issues.
+Metadata-only item listing now also merges `/vault/shared-items`, so item-level
+shares from otherwise hidden parent vaults still appear with
+`vaultName: "[Direct Item Share]"`.
 `r4 auth whoami` is the fastest way to confirm the current machine scope,
 tenant binding, and policy summary without exercising vault reads.
 `r4 space info` and `r4 profile show` expose the same identity view together
@@ -176,6 +182,17 @@ and the checkpoint-signed `vault create` / `vault create-item` wrappers, but
 use `--body-file` for large signed checkpoint or permission payloads when you
 do drop down to the generic surface.
 
+Vault attachments now have a first-class zero-trust download helper too:
+
+```bash
+r4 vault download-asset <vaultId> <assetId> --output ./artifact.bin
+r4 --json vault download-asset <vaultId> <assetId>
+```
+
+That path verifies the signed attachment checkpoint, checks ciphertext and
+plaintext hashes/sizes, decrypts the blob locally with the vault DEK, and then
+writes the plaintext file to disk. JSON output returns metadata only.
+
 ## Profile Storage
 
 The CLI now keeps profile state under one consistent root:
@@ -196,7 +213,7 @@ The CLI now keeps profile state under one consistent root:
 
 ## Dependencies
 
-Uses the published `@r4-sdk/sdk` package under the hood for API communication. Built with Commander, Chalk, ora, and cli-table3.
+Uses the published `@r4-sdk/node` package under the hood for API communication. Built with Commander, Chalk, ora, and cli-table3.
 
 ## Development