@the-ai-company/cbio-node-runtime 0.33.0 → 1.0.0

package/README.md

@@ -1,8 +1,6 @@
-# cbio Node Runtime
+# cbio Vault Runtime
 
-Node.js runtime for cbio identity and credential vault. Library only.
-
-**⚠️ Actively under development — not a stable release.**
+Node.js vault runtime with a hard-cut architecture: vault core first, explicit clients second.
 
 **Source:** [https://github.com/TheAICompany/cbio-node-runtime](https://github.com/TheAICompany/cbio-node-runtime)
 
@@ -21,7 +19,11 @@ Node.js runtime for cbio identity and credential vault. Library only.
 - No CLI
 - No TUI
 
-Import and use `CbioIdentity`, `CbioAgent` from the main export.
+Main export now centers on:
+- `vault-core`
+- `vault-ingress`
+- `clients/owner`
+- `clients/agent`
 
 ## Install
 
@@ -34,11 +36,138 @@ npm install @the-ai-company/cbio-node-runtime
 ## Usage
 
 ```ts
-import { CbioIdentity, CbioAgent, generateIdentityKeys } from '@the-ai-company/cbio-node-runtime';
+import {
+  createVaultService,
+  createDefaultVaultCoreDependencies,
+  createOwnerHttpFlowBoundary,
+  createStandardAcquireBoundary,
+  createStandardDispatchBoundary,
+  createOwnerClient,
+  createAgentClient,
+  InMemoryVaultCapabilityResolver,
+  LocalVaultTransport,
+} from '@the-ai-company/cbio-node-runtime';
+```
+
+## Architecture
+
+The public runtime surface follows four hard rules:
+
+1. Secret plaintext lives only in vault core.
+2. Only owner and vault-trusted acquisition paths may write secrets.
+3. Secrets are dispatched only to owner-approved or issuer-bound targets.
+4. Vault validates and audits everything.
+
+The current HTTP-facing interface distinguishes two supported secret-flow classes:
+
+- `A` / `acquire_secret`
+  No secret leaves the vault. A secret is extracted from the response and stored into the vault. Agent-visible output includes only protocol metadata plus a redacted response shape.
+- `B` / `send_secret`
+  A stored secret is sent to an owner-approved target. The response is treated as normal business output and may be returned to the agent.
+
+This is an intentional boundary choice:
+
+- acquisition responses are treated as sensitive because they may contain newly issued secret material
+- dispatch responses are treated as ordinary protocol results because the operation itself is a standard secret-backed HTTP call to an owner-approved target
+
+The vault does not attempt to second-guess every remote protocol. If a target returns sensitive data during a normal dispatch flow, that is part of the target contract and the owner's authorization decision.
+
+The runtime does not claim to understand arbitrary remote protocols. The API boundary makes clear what is supported:
+
+- acquisition is explicit and redacted
+- secret-backed dispatch is explicit and capability-gated
+- unsupported `C` / `D` style flows are not part of the current surface
+
+Owner-defined HTTP boundaries share one factory layer:
+
+- `createOwnerHttpFlowBoundary(...)`
+- `createStandardAcquireBoundary(...)`
+- `createStandardDispatchBoundary(...)`
+
+An owner-defined exception path also exists for non-standard but intentional integrations:
+
+- owner may register a `custom_http` flow
+- the flow fixes mode, target, method, and response visibility inside the vault
+- agent may only invoke the registered `customFlowId`
+- this is an explicit escape hatch, not the default path
+
+## Modules
+
+- `vault-core`
+  The vault kernel. Stores plaintext, authorizes writes, authorizes dispatch, executes dispatch, appends audit.
+
+- `vault-ingress`
+  Vault boundary/facade. Accepts request-shaped calls, handles trusted acquisition paths, and keeps capability resolution plus dispatch ingress inside the vault trust boundary.
 
-const keys = generateIdentityKeys();
-const identity = await CbioIdentity.load({ privateKey: keys.privateKey });
-const agent: CbioAgent = identity.getAgent(); // minimal permissions: vault:fetch, vault:list
+- `clients/owner`
+  Owner-facing client. Writes secrets and reads audit.
+
+- `clients/agent`
+  Agent-facing client. Creates signed dispatch requests. Never handles plaintext secret.
+
+## Status
+
+The old identity-centric runtime is no longer the intended public architecture.
+This package now exposes the production local vault runtime surface as the primary API.
+
+## Example Shape
+
+```ts
+const capabilities = new InMemoryVaultCapabilityResolver();
+const vault = createVaultService(createDefaultVaultCoreDependencies(), { capabilities });
+const owner = createOwnerClient(ownerIdentity, vault, ownerSigner, clock);
+const transport = new LocalVaultTransport(vault, capability.capabilityId);
+const agent = createAgentClient(agentIdentity, capability, signer, transport, clock);
+```
+
+Capability example:
+
+```ts
+const capability = {
+  vaultId: vault.vaultId,
+  capabilityId: 'cap-1',
+  agentId: 'agent-1',
+  secretAliases: ['api-token'],
+  operation: 'dispatch_http',
+  allowedTargets: ['https://api.example.com/endpoint'],
+  allowedMethods: ['POST'],
+  issuedAt: new Date().toISOString(),
+};
+```
+
+Custom flow example:
+
+```ts
+await owner.registerCustomFlow({
+  flowId: 'custom-status-read',
+  ...createOwnerHttpFlowBoundary({
+    mode: 'send_secret',
+    targetUrl: 'https://api.example.com/custom-status',
+    method: 'POST',
+    responseVisibility: 'shape_only',
+  }),
+});
+```
+
+Acquisition example:
+
+```ts
+const acquireBoundary = createStandardAcquireBoundary({
+  targetUrl: 'https://issuer.example.com/token',
+  responseField: 'access_token',
+  storeAlias: 'issuer-token',
+});
+
+const acquired = await vault.acquireSecret({
+  alias: acquireBoundary.responseSecret.storeAlias,
+  issuerId: 'issuer-1',
+  url: acquireBoundary.targetUrl,
+  flow: 'oauth_token_response.access_token',
+  method: acquireBoundary.method,
+});
+
+console.log(acquired.responseShape);
+// { token_type: 'Bearer', expires_in: 3600, scope: 'read write' }
 ```
 
 ## Build

package/dist/clients/agent/client.d.ts

@@ -0,0 +1,9 @@
+import type { Clock } from "../../vault-core/index.js";
+import type { AgentCapabilityEnvelope, AgentDispatchIntent, AgentDispatchTransport, AgentSigner } from "./contracts.js";
+export interface AgentIdentity {
+    agentId: string;
+}
+export interface AgentClient {
+    dispatch(intent: AgentDispatchIntent): Promise<import("../../vault-core/index.js").DispatchResult>;
+}
+export declare function createAgentClient(identity: AgentIdentity, capability: AgentCapabilityEnvelope, signer: AgentSigner, transport: AgentDispatchTransport, clock: Clock): AgentClient;

package/dist/clients/agent/client.js

@@ -0,0 +1,72 @@
+function createDispatchBinding(requestId, requestedAt, agentId, capabilityId, secretAlias, targetUrl, method, body) {
+    return JSON.stringify({
+        requestId,
+        requestedAt,
+        agentId,
+        capabilityId,
+        secretAlias: secretAlias ?? null,
+        targetUrl,
+        method,
+        body: body ?? null,
+    });
+}
+class DefaultAgentClient {
+    _identity;
+    _capability;
+    _signer;
+    _transport;
+    _clock;
+    constructor(_identity, _capability, _signer, _transport, _clock) {
+        this._identity = _identity;
+        this._capability = _capability;
+        this._signer = _signer;
+        this._transport = _transport;
+        this._clock = _clock;
+    }
+    async dispatch(intent) {
+        const requestedAt = intent.requestedAt ?? this._clock.nowIso();
+        const requestId = `${this._identity.agentId}:${requestedAt}:${intent.secretAlias ?? "no-secret"}:${intent.method}`;
+        const publicKey = await this._signer.getPublicKey();
+        const signature = await this._signer.sign(createDispatchBinding(requestId, requestedAt, this._identity.agentId, this._capability.capabilityId, intent.secretAlias, intent.targetUrl, intent.method, intent.body));
+        return this._transport.dispatch({
+            vaultId: this._capability.vaultId,
+            requestId,
+            requestedAt,
+            agent: {
+                kind: "agent",
+                id: this._identity.agentId,
+            },
+            capability: {
+                vaultId: this._capability.vaultId,
+                capabilityId: this._capability.capabilityId,
+                agentId: this._capability.agentId,
+                secretIds: this._capability.secretIds,
+                secretAliases: this._capability.secretAliases,
+                operation: this._capability.operation,
+                allowedTargets: this._capability.allowedTargets,
+                allowedMethods: this._capability.allowedMethods,
+                allowedPaths: this._capability.allowedPaths,
+                issuedAt: this._capability.issuedAt,
+                expiresAt: this._capability.expiresAt,
+                revocationVersion: this._capability.revocationVersion,
+                rateLimit: this._capability.rateLimit,
+                auditRequired: this._capability.auditRequired,
+            },
+            proof: {
+                agentId: this._identity.agentId,
+                signature,
+                requestId,
+                requestedAt,
+            },
+            secretAlias: intent.secretAlias,
+            targetUrl: intent.targetUrl,
+            method: intent.method,
+            headers: intent.headers,
+            body: intent.body,
+        });
+    }
+}
+export function createAgentClient(identity, capability, signer, transport, clock) {
+    return new DefaultAgentClient(identity, capability, signer, transport, clock);
+}
+//# sourceMappingURL=client.js.map

package/dist/clients/agent/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/clients/agent/client.ts"],"names":[],"mappings":"AAgBA,SAAS,qBAAqB,CAC5B,SAAiB,EACjB,WAAmB,EACnB,OAAe,EACf,YAAoB,EACpB,WAA+B,EAC/B,SAAiB,EACjB,MAAc,EACd,IAAa;IAEb,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,SAAS;QACT,WAAW;QACX,OAAO;QACP,YAAY;QACZ,WAAW,EAAE,WAAW,IAAI,IAAI;QAChC,SAAS;QACT,MAAM;QACN,IAAI,EAAE,IAAI,IAAI,IAAI;KACnB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,kBAAkB;IAEH;IACA;IACA;IACA;IACA;IALnB,YACmB,SAAwB,EACxB,WAAoC,EACpC,OAAoB,EACpB,UAAkC,EAClC,MAAa;QAJb,cAAS,GAAT,SAAS,CAAe;QACxB,gBAAW,GAAX,WAAW,CAAyB;QACpC,YAAO,GAAP,OAAO,CAAa;QACpB,eAAU,GAAV,UAAU,CAAwB;QAClC,WAAM,GAAN,MAAM,CAAO;IAC7B,CAAC;IAEJ,KAAK,CAAC,QAAQ,CAAC,MAA2B;QACxC,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC/D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,IAAI,MAAM,CAAC,WAAW,IAAI,WAAW,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QACnH,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;QACpD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CACvC,qBAAqB,CACnB,SAAS,EACT,WAAW,EACX,IAAI,CAAC,SAAS,CAAC,OAAO,EACtB,IAAI,CAAC,WAAW,CAAC,YAAY,EAC7B,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,SAAS,EAChB,MAAM,CAAC,MAAM,EACb,MAAM,CAAC,IAAI,CACZ,CACF,CAAC;QAEF,OAAO,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;YAC9B,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;YACjC,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,UAAU,EAAE;gBACV,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;gBACjC,YAAY,EAAE,IAAI,CAAC,WAAW,CAAC,YAAY;gBAC3C,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;gBACjC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,aAAa,EAAE,IAAI,CAAC,WAAW,CAAC,aAAa;gBAC7C,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,cAAc,EAAE,IAAI,CAAC,WAAW,CAAC,cAAc;gBAC/C,cAAc,EAAE,IAAI,CAAC,WAAW,CAAC,cAAc;gBAC/C,YAAY,EAAE,IAAI,CAAC,WAAW,CAAC,YAAY;gBAC3C,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;gBACnC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,iBAAiB,EAAE,IAAI,CAAC,WAAW,CAAC,iBAAiB;gBACrD,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,aAAa,EAAE,IAAI,CAAC,WAAW,CAAC,aAAa;aAC9C;YACD,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;YACD,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,IAAI,EAAE,MAAM,CAAC,IAAI;SAClB,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,UAAU,iBAAiB,CAC/B,QAAuB,EACvB,UAAmC,EACnC,MAAmB,EACnB,SAAiC,EACjC,KAAY;IAEZ,OAAO,IAAI,kBAAkB,CAAC,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;AAChF,CAAC"}

package/dist/clients/agent/contracts.d.ts

@@ -0,0 +1,34 @@
+export interface AgentDispatchIntent {
+    secretAlias?: string;
+    targetUrl: string;
+    method: string;
+    headers?: Record<string, string>;
+    body?: string;
+    requestedAt?: string;
+}
+export interface AgentCapabilityEnvelope {
+    vaultId: import("../../vault-core/index.js").VaultId;
+    capabilityId: string;
+    agentId: string;
+    secretIds?: readonly string[];
+    secretAliases?: readonly string[];
+    operation: "dispatch_http";
+    allowedTargets: readonly string[];
+    allowedMethods: readonly string[];
+    allowedPaths?: readonly string[];
+    issuedAt: string;
+    expiresAt?: string;
+    revocationVersion?: number;
+    rateLimit?: {
+        maxRequests: number;
+        windowMs: number;
+    };
+    auditRequired?: boolean;
+}
+export interface AgentSigner {
+    getPublicKey(): Promise<string>;
+    sign(input: string): Promise<string>;
+}
+export interface AgentDispatchTransport {
+    dispatch(request: import("../../vault-core/index.js").DispatchRequest): Promise<import("../../vault-core/index.js").DispatchResult>;
+}

package/dist/clients/agent/contracts.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=contracts.js.map

package/dist/clients/agent/contracts.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"contracts.js","sourceRoot":"","sources":["../../../src/clients/agent/contracts.ts"],"names":[],"mappings":""}

package/dist/clients/agent/index.d.ts

@@ -0,0 +1,3 @@
+export { createAgentClient } from "./client.js";
+export type { AgentClient, AgentIdentity, } from "./client.js";
+export type { AgentCapabilityEnvelope, AgentDispatchIntent, AgentDispatchTransport, AgentSigner, } from "./contracts.js";

package/dist/clients/agent/index.js

@@ -0,0 +1,2 @@
+export { createAgentClient } from "./client.js";
+//# sourceMappingURL=index.js.map

package/dist/clients/agent/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/clients/agent/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC"}

package/dist/clients/owner/client.d.ts

@@ -0,0 +1,18 @@
+import type { Clock } from "../../vault-core/index.js";
+import type { VaultService } from "../../vault-ingress/index.js";
+import type { OwnerAuditQueryInput, OwnerRegisterCustomHttpFlowInput, OwnerRegisterAgentIdentityInput, OwnerRegisterOwnerIdentityInput, OwnerWriteSecretInput } from "./contracts.js";
+export interface OwnerIdentity {
+    ownerId: string;
+}
+export interface OwnerSigner {
+    getPublicKey(): Promise<string>;
+    sign(input: string): Promise<string>;
+}
+export interface OwnerClient {
+    writeSecret(input: OwnerWriteSecretInput): Promise<import("../../vault-core/index.js").SecretRecord>;
+    getAudit(query?: OwnerAuditQueryInput): Promise<readonly import("../../vault-core/index.js").AuditEntry[]>;
+    registerAgentIdentity(input: OwnerRegisterAgentIdentityInput): Promise<void>;
+    registerOwnerIdentity(input: OwnerRegisterOwnerIdentityInput): Promise<void>;
+    registerCustomFlow(input: OwnerRegisterCustomHttpFlowInput): Promise<void>;
+}
+export declare function createOwnerClient(identity: OwnerIdentity, vault: VaultService, signer: OwnerSigner, clock: Clock): OwnerClient;

package/dist/clients/owner/client.js

@@ -0,0 +1,169 @@
+class DefaultOwnerClient {
+    _identity;
+    _vault;
+    _signer;
+    _clock;
+    constructor(_identity, _vault, _signer, _clock) {
+        this._identity = _identity;
+        this._vault = _vault;
+        this._signer = _signer;
+        this._clock = _clock;
+    }
+    async writeSecret(input) {
+        const requestedAt = input.requestedAt ?? this._clock.nowIso();
+        const requestId = `${this._identity.ownerId}:${requestedAt}:${input.alias}:write_secret`;
+        const signature = await this._signer.sign(JSON.stringify({
+            requestId,
+            requestedAt,
+            ownerId: this._identity.ownerId,
+            alias: input.alias,
+            plaintext: input.plaintext,
+            targetBindings: input.targetBindings,
+        }));
+        return this._vault.writeSecret({
+            kind: "owner.write_secret",
+            vaultId: this._vault.vaultId,
+            requestId,
+            owner: {
+                kind: "owner",
+                id: this._identity.ownerId,
+            },
+            alias: input.alias,
+            plaintext: input.plaintext,
+            targetBindings: input.targetBindings,
+            requestedAt,
+            proof: {
+                ownerId: this._identity.ownerId,
+                signature,
+                requestId,
+                requestedAt,
+            },
+        });
+    }
+    async getAudit(query = {}) {
+        const requestedAt = this._clock.nowIso();
+        const requestId = `${this._identity.ownerId}:${requestedAt}:read_audit`;
+        const signature = await this._signer.sign(JSON.stringify({
+            requestId,
+            requestedAt,
+            ownerId: this._identity.ownerId,
+            query,
+        }));
+        return this._vault.readAudit({
+            vaultId: this._vault.vaultId,
+            actor: {
+                kind: "owner",
+                id: this._identity.ownerId,
+            },
+            query,
+            requestId,
+            requestedAt,
+            proof: {
+                ownerId: this._identity.ownerId,
+                signature,
+                requestId,
+                requestedAt,
+            },
+        });
+    }
+    async registerAgentIdentity(input) {
+        const requestedAt = input.requestedAt ?? this._clock.nowIso();
+        const requestId = `${this._identity.ownerId}:${requestedAt}:${input.agentId}:register_agent_identity`;
+        const agentIdentity = {
+            vaultId: this._vault.vaultId,
+            agentId: input.agentId,
+            publicKey: input.publicKey,
+        };
+        const signature = await this._signer.sign(JSON.stringify({
+            requestId,
+            requestedAt,
+            ownerId: this._identity.ownerId,
+            agentIdentity,
+        }));
+        await this._vault.registerAgentIdentity({
+            vaultId: this._vault.vaultId,
+            requestId,
+            owner: {
+                kind: "owner",
+                id: this._identity.ownerId,
+            },
+            agentIdentity,
+            requestedAt,
+            proof: {
+                ownerId: this._identity.ownerId,
+                signature,
+                requestId,
+                requestedAt,
+            },
+        });
+    }
+    async registerOwnerIdentity(input) {
+        const requestedAt = input.requestedAt ?? this._clock.nowIso();
+        const requestId = `${this._identity.ownerId}:${requestedAt}:${input.ownerId}:register_owner_identity`;
+        const ownerIdentity = {
+            vaultId: this._vault.vaultId,
+            ownerId: input.ownerId,
+            publicKey: input.publicKey,
+        };
+        const signature = await this._signer.sign(JSON.stringify({
+            requestId,
+            requestedAt,
+            ownerId: this._identity.ownerId,
+            ownerIdentity,
+        }));
+        await this._vault.registerOwnerIdentity({
+            vaultId: this._vault.vaultId,
+            requestId,
+            owner: {
+                kind: "owner",
+                id: this._identity.ownerId,
+            },
+            ownerIdentity,
+            requestedAt,
+            proof: {
+                ownerId: this._identity.ownerId,
+                signature,
+                requestId,
+                requestedAt,
+            },
+        });
+    }
+    async registerCustomFlow(input) {
+        const requestedAt = input.requestedAt ?? this._clock.nowIso();
+        const requestId = `${this._identity.ownerId}:${requestedAt}:${input.flowId}:register_custom_flow`;
+        const flow = {
+            flowId: input.flowId,
+            mode: input.mode,
+            targetUrl: input.targetUrl,
+            method: input.method,
+            responseVisibility: input.responseVisibility,
+            responseSecret: input.responseSecret,
+        };
+        const signature = await this._signer.sign(JSON.stringify({
+            requestId,
+            requestedAt,
+            ownerId: this._identity.ownerId,
+            flow,
+        }));
+        await this._vault.registerCustomFlow({
+            vaultId: this._vault.vaultId,
+            requestId,
+            owner: {
+                kind: "owner",
+                id: this._identity.ownerId,
+            },
+            flow,
+            requestedAt,
+            proof: {
+                ownerId: this._identity.ownerId,
+                signature,
+                requestId,
+                requestedAt,
+            },
+        });
+    }
+}
+export function createOwnerClient(identity, vault, signer, clock) {
+    return new DefaultOwnerClient(identity, vault, signer, clock);
+}
+//# sourceMappingURL=client.js.map

package/dist/clients/owner/client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/clients/owner/client.ts"],"names":[],"mappings":"AA2BA,MAAM,kBAAkB;IAEH;IACA;IACA;IACA;IAJnB,YACmB,SAAwB,EACxB,MAAoB,EACpB,OAAoB,EACpB,MAAa;QAHb,cAAS,GAAT,SAAS,CAAe;QACxB,WAAM,GAAN,MAAM,CAAc;QACpB,YAAO,GAAP,OAAO,CAAa;QACpB,WAAM,GAAN,MAAM,CAAO;IAC7B,CAAC;IAEJ,KAAK,CAAC,WAAW,CAAC,KAA4B;QAC5C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,IAAI,KAAK,CAAC,KAAK,eAAe,CAAC;QACzF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;YAC/B,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,cAAc,EAAE,KAAK,CAAC,cAAc;SACrC,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;YAC7B,IAAI,EAAE,oBAAoB;YAC1B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,cAAc,EAAE,KAAK,CAAC,cAAc;YACpC,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,QAA8B,EAAE;QAC7C,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,aAAa,CAAC;QACxE,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;YAC/B,KAAK;SACN,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;YAC3B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,KAAK;YACL,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAC,KAAsC;QAChE,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,IAAI,KAAK,CAAC,OAAO,0BAA0B,CAAC;QACtG,MAAM,aAAa,GAAG;YACpB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS,EAAE,KAAK,CAAC,SAAS;SAC3B,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;YAC/B,aAAa;SACd,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,CAAC,MAAM,CAAC,qBAAqB,CAAC;YACtC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,aAAa;YACb,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAC,KAAsC;QAChE,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,IAAI,KAAK,CAAC,OAAO,0BAA0B,CAAC;QACtG,MAAM,aAAa,GAAG;YACpB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS,EAAE,KAAK,CAAC,SAAS;SAC3B,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;YAC/B,aAAa;SACd,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,CAAC,MAAM,CAAC,qBAAqB,CAAC;YACtC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,aAAa;YACb,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,KAAuC;QAC9D,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,IAAI,KAAK,CAAC,MAAM,uBAAuB,CAAC;QAClG,MAAM,IAAI,GAAG;YACX,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,kBAAkB,EAAE,KAAK,CAAC,kBAAkB;YAC5C,cAAc,EAAE,KAAK,CAAC,cAAc;SACrC,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;YAC/B,IAAI;SACL,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC;YACnC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,IAAI;YACJ,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,UAAU,iBAAiB,CAC/B,QAAuB,EACvB,KAAmB,EACnB,MAAmB,EACnB,KAAY;IAEZ,OAAO,IAAI,kBAAkB,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;AAChE,CAAC"}

package/dist/clients/owner/contracts.d.ts

@@ -0,0 +1,34 @@
+import type { OwnerHttpFlowBoundary } from "../../vault-ingress/flow-factories.js";
+export interface OwnerSecretTargetBinding {
+    kind: "owner" | "site";
+    targetId: string;
+    targetUrl?: string;
+    methods?: readonly string[];
+    paths?: readonly string[];
+}
+export interface OwnerWriteSecretInput {
+    alias: string;
+    plaintext: string;
+    targetBindings: readonly OwnerSecretTargetBinding[];
+    requestedAt?: string;
+}
+export interface OwnerAuditQueryInput {
+    actorId?: string;
+    secretAlias?: string;
+    requestId?: string;
+    since?: string;
+}
+export interface OwnerRegisterAgentIdentityInput {
+    agentId: string;
+    publicKey: string;
+    requestedAt?: string;
+}
+export interface OwnerRegisterOwnerIdentityInput {
+    ownerId: string;
+    publicKey: string;
+    requestedAt?: string;
+}
+export interface OwnerRegisterCustomHttpFlowInput extends OwnerHttpFlowBoundary {
+    flowId: string;
+    requestedAt?: string;
+}

package/dist/clients/owner/contracts.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=contracts.js.map

package/dist/clients/owner/contracts.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"contracts.js","sourceRoot":"","sources":["../../../src/clients/owner/contracts.ts"],"names":[],"mappings":""}

package/dist/clients/owner/index.d.ts

@@ -0,0 +1,3 @@
+export { createOwnerClient } from "./client.js";
+export type { OwnerClient, OwnerIdentity, OwnerSigner, } from "./client.js";
+export type { OwnerAuditQueryInput, OwnerRegisterCustomHttpFlowInput, OwnerRegisterAgentIdentityInput, OwnerRegisterOwnerIdentityInput, OwnerSecretTargetBinding, OwnerWriteSecretInput, } from "./contracts.js";

package/dist/clients/owner/index.js

@@ -0,0 +1,2 @@
+export { createOwnerClient } from "./client.js";
+//# sourceMappingURL=index.js.map

package/dist/clients/owner/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/clients/owner/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,aAAa,CAAC"}

package/dist/errors.d.ts

@@ -19,7 +19,8 @@ export declare enum IdentityErrorCode {
     SECRET_POLICY_REQUIRED = "SECRET_POLICY_REQUIRED",
     SECRET_SOURCE_ORIGIN_MISMATCH = "SECRET_SOURCE_ORIGIN_MISMATCH",
     UNSUPPORTED_SIGNED_BODY = "UNSUPPORTED_SIGNED_BODY",
-    PERMISSION_DENIED = "PERMISSION_DENIED"
+    PERMISSION_DENIED = "PERMISSION_DENIED",
+    SECRET_OPERATION_RATE_LIMITED = "SECRET_OPERATION_RATE_LIMITED"
 }
 export declare class IdentityError extends Error {
     readonly code: IdentityErrorCode;

package/dist/errors.js

@@ -21,6 +21,7 @@ export var IdentityErrorCode;
     IdentityErrorCode["SECRET_SOURCE_ORIGIN_MISMATCH"] = "SECRET_SOURCE_ORIGIN_MISMATCH";
     IdentityErrorCode["UNSUPPORTED_SIGNED_BODY"] = "UNSUPPORTED_SIGNED_BODY";
     IdentityErrorCode["PERMISSION_DENIED"] = "PERMISSION_DENIED";
+    IdentityErrorCode["SECRET_OPERATION_RATE_LIMITED"] = "SECRET_OPERATION_RATE_LIMITED";
 })(IdentityErrorCode || (IdentityErrorCode = {}));
 export class IdentityError extends Error {
     code;

package/dist/errors.js.map

@@ -1 +1 @@
-{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,CAAN,IAAY,iBAmBX;AAnBD,WAAY,iBAAiB;IACzB,0EAAqD,CAAA;IACrD,0DAAqC,CAAA;IACrC,wEAAmD,CAAA;IACnD,kFAA6D,CAAA;IAC7D,gDAA2B,CAAA;IAC3B,wDAAmC,CAAA;IACnC,kEAA6C,CAAA;IAC7C,wEAAmD,CAAA;IACnD,8EAAyD,CAAA;IACzD,gFAA2D,CAAA;IAC3D,kFAA6D,CAAA;IAC7D,gGAA2E,CAAA;IAC3E,oEAA+C,CAAA;IAC/C,kEAA6C,CAAA;IAC7C,sEAAiD,CAAA;IACjD,oFAA+D,CAAA;IAC/D,wEAAmD,CAAA;IACnD,4DAAuC,CAAA;AAC3C,CAAC,EAnBW,iBAAiB,KAAjB,iBAAiB,QAmB5B;AAED,MAAM,OAAO,aAAc,SAAQ,KAAK;IAC3B,IAAI,CAAoB;IAEjC,YAAY,IAAuB,EAAE,OAAe,EAAE,OAAsB;QACxE,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;QAC5B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,CAAC,eAAe,CAAC,CAAU;QAC7B,OAAO,CAAC,YAAY,aAAa,CAAC;IACtC,CAAC;CACJ"}
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,MAAM,CAAN,IAAY,iBAoBX;AApBD,WAAY,iBAAiB;IACzB,0EAAqD,CAAA;IACrD,0DAAqC,CAAA;IACrC,wEAAmD,CAAA;IACnD,kFAA6D,CAAA;IAC7D,gDAA2B,CAAA;IAC3B,wDAAmC,CAAA;IACnC,kEAA6C,CAAA;IAC7C,wEAAmD,CAAA;IACnD,8EAAyD,CAAA;IACzD,gFAA2D,CAAA;IAC3D,kFAA6D,CAAA;IAC7D,gGAA2E,CAAA;IAC3E,oEAA+C,CAAA;IAC/C,kEAA6C,CAAA;IAC7C,sEAAiD,CAAA;IACjD,oFAA+D,CAAA;IAC/D,wEAAmD,CAAA;IACnD,4DAAuC,CAAA;IACvC,oFAA+D,CAAA;AACnE,CAAC,EApBW,iBAAiB,KAAjB,iBAAiB,QAoB5B;AAED,MAAM,OAAO,aAAc,SAAQ,KAAK;IAC3B,IAAI,CAAoB;IAEjC,YAAY,IAAuB,EAAE,OAAe,EAAE,OAAsB;QACxE,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;QAC5B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,MAAM,CAAC,cAAc,CAAC,IAAI,EAAE,aAAa,CAAC,SAAS,CAAC,CAAC;IACzD,CAAC;IAED,MAAM,CAAC,eAAe,CAAC,CAAU;QAC7B,OAAO,CAAC,YAAY,aAAa,CAAC;IACtC,CAAC;CACJ"}

package/dist/runtime/index.d.ts

@@ -1,14 +1,14 @@
 /**
- * Runtime export. For agent developers.
- * Owner, Agent, storage, errors. Consumer surface only.
+ * Runtime export.
+ * Hard-cut public surface: vault core plus explicit clients only.
  */
-export { CbioIdentity, CbioAgent } from "../agent/agent.js";
-export type { ActivityLogConfig, GetAgentOptions, IssuedCapabilityName, ManagedAgentHandleConfig, ManagedAgentCapabilityInfo, ManagedAgentCapabilityStatus, ManagedAgentContext, ManagedAgentIssueConfig, ManagedAgentIssueOptions, ManagedAgentLoadOptions, ManagedAgentStorageConfig, RegisterChildIdentityOptions, RegisterChildIdentityResult, IdentityLoadKeys, IdentityLoadOptions, RuntimePermissionName, RuntimePermissions, } from "../agent/agent.js";
-export type { MergeResult } from "../vault/vault.js";
-export type { FetchFailure, FetchJsonAndAddSecretOptions, FetchJsonAndUpdateSecretOptions, FetchResult, FetchSuccess, } from "../http/secretAcquisition.js";
-export { generateIdentityKeys, derivePublicKey } from "../protocol/crypto.js";
 export { IdentityError, IdentityErrorCode } from "../errors.js";
+export { generateIdentityKeys, derivePublicKey, LocalSigner } from "../protocol/crypto.js";
 export type { IStorageProvider } from "../storage/provider.js";
 export { FsStorageProvider } from "../storage/fs.js";
 export { MemoryStorageProvider } from "../storage/memory.js";
-export { startLocalAuthProxy, type FetchWithAuthLike, type LocalAuthProxyOptions, type LocalAuthProxyHandle, } from "../http/localAuthProxy.js";
+export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, type CreateDefaultVaultCoreDependenciesOptions, type DefaultPolicyEngineOptions, DefaultPolicyEngine, createPersistentVaultCoreDependencies, PersistentVaultAuditLog, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, type SignatureAgentProofVerifierOptions, SignatureAgentProofVerifier, SystemClock, type AgentCapability, type AgentIdentityRecord, type AgentProof, type OwnerAuditRequest, type OwnerRegisterAgentIdentityCommand, type OwnerRegisterCustomHttpFlowCommand, type OwnerRegisterOwnerIdentityCommand, type OwnerIdentityRecord, type CustomHttpFlowDefinition, type OwnerProof, type AuditEntry, type AuditLog, type AuditQuery, type Clock, type DispatchAuthorization, type DispatchInstruction, type DispatchRequest, type DispatchResult, type IdGenerator, type OwnerIdentityRegistry, type OwnerProofVerifier, type PolicyEngine, type RateLimitStore, type ReplayGuard, type CustomHttpFlowRegistry, type SecretAlias, type SecretCustody, type SecretId, type SecretRecord, type SecretRepository, type SecretVersion, type TrustedExecutor, type VaultCore, type VaultCoreDependencies, type VaultPrincipal, type VaultPrincipalKind, type VaultTargetBinding, type VaultWriteSecretCommand, type VaultId, type AgentIdentityRegistry, type AgentProofVerifier, type CapabilityRevocationRegistry, } from "../vault-core/index.js";
+export { createOwnerClient, type OwnerClient, type OwnerIdentity, type OwnerSigner, type OwnerAuditQueryInput, type OwnerRegisterCustomHttpFlowInput, type OwnerRegisterAgentIdentityInput, type OwnerRegisterOwnerIdentityInput, type OwnerSecretTargetBinding, type OwnerWriteSecretInput, } from "../clients/owner/index.js";
+export { createAgentClient, type AgentClient, type AgentIdentity, type AgentCapabilityEnvelope, type AgentDispatchIntent, type AgentDispatchTransport, type AgentSigner, } from "../clients/agent/index.js";
+export { createVaultService, wrapVaultCoreAsVaultService, createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, toOwnerHttpFlowBoundary, type VaultService, type VaultAcquireSecretInput, type VaultAcquireSecretResult, type VaultAcquireSecretFlow, type VaultCustomFlowResolver, type VaultCapabilityResolver, type VaultAgentDispatchRequest, type VaultAgentDispatchResponse, type VaultAgentDispatchErrorResponse, type RedactedResponseShape, type OwnerHttpFlowBoundary, } from "../vault-ingress/index.js";
+export { InMemoryVaultCapabilityResolver, LocalVaultTransport, } from "../vault-ingress/defaults.js";

package/dist/runtime/index.js

@@ -1,11 +1,14 @@
 /**
- * Runtime export. For agent developers.
- * Owner, Agent, storage, errors. Consumer surface only.
+ * Runtime export.
+ * Hard-cut public surface: vault core plus explicit clients only.
  */
-export { CbioIdentity, CbioAgent } from "../agent/agent.js";
-export { generateIdentityKeys, derivePublicKey } from "../protocol/crypto.js";
 export { IdentityError, IdentityErrorCode } from "../errors.js";
+export { generateIdentityKeys, derivePublicKey, LocalSigner } from "../protocol/crypto.js";
 export { FsStorageProvider } from "../storage/fs.js";
 export { MemoryStorageProvider } from "../storage/memory.js";
-export { startLocalAuthProxy, } from "../http/localAuthProxy.js";
+export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, DefaultPolicyEngine, createPersistentVaultCoreDependencies, PersistentVaultAuditLog, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, SignatureAgentProofVerifier, SystemClock, } from "../vault-core/index.js";
+export { createOwnerClient, } from "../clients/owner/index.js";
+export { createAgentClient, } from "../clients/agent/index.js";
+export { createVaultService, wrapVaultCoreAsVaultService, createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, toOwnerHttpFlowBoundary, } from "../vault-ingress/index.js";
+export { InMemoryVaultCapabilityResolver, LocalVaultTransport, } from "../vault-ingress/defaults.js";
 //# sourceMappingURL=index.js.map

package/dist/runtime/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,mBAAmB,CAAC;AA4B5D,OAAO,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AAC9E,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAEhE,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EACL,mBAAmB,GAIpB,MAAM,2BAA2B,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,oBAAoB,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAE3F,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAE7D,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,kCAAkC,EAGlC,mBAAmB,EACnB,qCAAqC,EACrC,uBAAuB,EACvB,2CAA2C,EAC3C,qCAAqC,EACrC,6BAA6B,EAC7B,0BAA0B,EAC1B,4BAA4B,EAC5B,+BAA+B,EAC/B,oBAAoB,EACpB,6BAA6B,EAC7B,oCAAoC,EACpC,8BAA8B,EAC9B,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,6BAA6B,EAC7B,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,EACjB,2BAA2B,EAE3B,2BAA2B,EAC3B,WAAW,GA2CZ,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,iBAAiB,GAUlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,iBAAiB,GAOlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,kBAAkB,EAClB,2BAA2B,EAC3B,2BAA2B,EAC3B,6BAA6B,EAC7B,8BAA8B,EAC9B,uBAAuB,GAYxB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,+BAA+B,EAC/B,mBAAmB,GACpB,MAAM,8BAA8B,CAAC"}