npm - @r4-sdk/cli - Versions diffs - 1.0.1 → 1.0.2 - Mend

@r4-sdk/cli 1.0.1 → 1.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -25,7 +25,7 @@ Manage machine agents and bootstrap the local runtime.
 - `r4 agent update <id>` -- Update agent name, budget, and security-group memberships
 - `r4 agent get-tenant-roles <id>` -- Show the explicit and inherited tenant roles for an agent
 - `r4 agent set-tenant-roles <id>` -- Replace the explicit tenant roles for an agent
-- `r4 agent init` -- Read credentials, generate/reuse a private key, register the public key, save the profile, and run a health check
+- `r4 agent init` -- Read credentials, generate/reuse a private key, register the public key, send the local hostname claim for operator visibility, save the profile, and run a health check
 ### `r4 auth`
 Manage API key authentication.
@@ -76,9 +76,10 @@ Inspect the active runtime context.
 Manage vault secrets.
 - `r4 vault create` -- Create a checkpoint-signed vault from inline JSON or `--body-file`
 - `r4 vault create-item <vaultId>` -- Create a checkpoint-signed vault item from inline JSON or `--body-file`
+- `r4 vault download-asset <vaultId> <assetId> [--output <path>]` -- Download and locally decrypt a vault attachment
 - `r4 vault list` -- List locally decrypted environment variables
 - `r4 vault get <name>` -- Get a specific locally decrypted secret
-- `r4 vault list-items` -- List vault item metadata without local decryption
+- `r4 vault list-items` -- List vault item metadata without local decryption, including hidden parent-vault item shares
 - `r4 vault items --metadata-only` -- Metadata-only alias when decryption is failing
 ### `r4 project`
@@ -160,11 +161,16 @@ Operators should let the runtime complete that first public-key registration
 before they assign security-group, project, or direct vault access to the
 agent. Re-registering the same key is safe, and rotating to a different key is
 supported when the caller submits the replacement `rewrappedVaultKeys` batch for
-the active vault DEKs that key can reach.
+the active vault DEKs that key can reach. Official CLI registration requests
+also send `X-R4-Agent-Hostname: <local hostname>` so the platform Agents table
+can show where the active runtime key most recently initialized.
 When decryption is failing but API access is otherwise correct, use
 `r4 doctor`, `r4 vault list-items`, or `r4 vault items --metadata-only` to
 separate metadata/access problems from local key or trust issues.
+Metadata-only item listing now also merges `/vault/shared-items`, so item-level
+shares from otherwise hidden parent vaults still appear with
+`vaultName: "[Direct Item Share]"`.
 `r4 auth whoami` is the fastest way to confirm the current machine scope,
 tenant binding, and policy summary without exercising vault reads.
 `r4 space info` and `r4 profile show` expose the same identity view together
@@ -176,6 +182,17 @@ and the checkpoint-signed `vault create` / `vault create-item` wrappers, but
 use `--body-file` for large signed checkpoint or permission payloads when you
 do drop down to the generic surface.
+Vault attachments now have a first-class zero-trust download helper too:
+```bash
+r4 vault download-asset <vaultId> <assetId> --output ./artifact.bin
+r4 --json vault download-asset <vaultId> <assetId>
+```
+That path verifies the signed attachment checkpoint, checks ciphertext and
+plaintext hashes/sizes, decrypts the blob locally with the vault DEK, and then
+writes the plaintext file to disk. JSON output returns metadata only.
 ## Profile Storage
 The CLI now keeps profile state under one consistent root: