@the-ai-company/cbio-node-runtime 0.33.0 → 1.0.0

package/dist/protocol/identity.js

@@ -1,16 +0,0 @@
-/**
- * Claw-biometric Core Identity. Runtime utilities over protocol primitives.
- * getVaultPath (runtime). Re-exports protocol for consumers.
- */
-import * as os from 'node:os';
-import * as path from 'node:path';
-import * as crypto from 'node:crypto';
-import { deriveRootAgentId } from '@the-ai-company/cbio-protocol';
-import { getChildIdentitySecretName, CHILD_KEY_PREFIX } from './childSecretNaming.js';
-export { deriveRootAgentId, getChildIdentitySecretName, CHILD_KEY_PREFIX };
-export function getVaultPath(publicKey) {
-    const hash = crypto.createHash('sha256').update(publicKey).digest('hex').substring(0, 12);
-    const baseDir = process.env.C_BIO_VAULT_DIR || path.join(os.homedir(), '.c-bio');
-    return path.join(baseDir, `vault_${hash}.enc`);
-}
-//# sourceMappingURL=identity.js.map

package/dist/protocol/identity.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/protocol/identity.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AAClE,OAAO,EAAE,0BAA0B,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAEtF,OAAO,EAAE,iBAAiB,EAAE,0BAA0B,EAAE,gBAAgB,EAAE,CAAC;AAE3E,MAAM,UAAU,YAAY,CAAC,SAAiB;IAC1C,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC1F,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,QAAQ,CAAC,CAAC;IACjF,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,IAAI,MAAM,CAAC,CAAC;AACnD,CAAC"}

package/dist/sealed/index.d.ts

@@ -1,6 +0,0 @@
-/**
- * Sealed blob export. Seal/unseal primitives and sealed blob format helpers.
- * Do not depend on CbioAgent.
- */
-export { sealBlob, unsealBlob, SEALED_BLOB_VERSION } from './seal.js';
-export type { SealedBlobPayload } from './seal.js';

package/dist/sealed/index.js

@@ -1,6 +0,0 @@
-/**
- * Sealed blob export. Seal/unseal primitives and sealed blob format helpers.
- * Do not depend on CbioAgent.
- */
-export { sealBlob, unsealBlob, SEALED_BLOB_VERSION } from './seal.js';
-//# sourceMappingURL=index.js.map

package/dist/sealed/index.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/sealed/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,QAAQ,EAAE,UAAU,EAAE,mBAAmB,EAAE,MAAM,WAAW,CAAC"}

package/dist/vault/secretPolicy.d.ts

@@ -1,3 +0,0 @@
-export declare function isLoopbackHost(hostname: string): boolean;
-export declare function isAllowedSecretUrl(url: URL): boolean;
-export declare function normalizeSecretPolicyOrigin(origin: string): string;

package/dist/vault/secretPolicy.js

@@ -1,14 +0,0 @@
-export function isLoopbackHost(hostname) {
-    return hostname === 'localhost' || hostname === '127.0.0.1' || hostname === '::1';
-}
-export function isAllowedSecretUrl(url) {
-    return url.protocol === 'https:' || (url.protocol === 'http:' && isLoopbackHost(url.hostname));
-}
-export function normalizeSecretPolicyOrigin(origin) {
-    const url = new URL(origin);
-    if (!isAllowedSecretUrl(url)) {
-        throw new Error(`Secret policy requires HTTPS origin or loopback HTTP for local development. Received: ${origin}`);
-    }
-    return url.origin;
-}
-//# sourceMappingURL=secretPolicy.js.map

package/dist/vault/secretPolicy.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"secretPolicy.js","sourceRoot":"","sources":["../../src/vault/secretPolicy.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,cAAc,CAAC,QAAgB;IAC3C,OAAO,QAAQ,KAAK,WAAW,IAAI,QAAQ,KAAK,WAAW,IAAI,QAAQ,KAAK,KAAK,CAAC;AACtF,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,GAAQ;IACvC,OAAO,GAAG,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,GAAG,CAAC,QAAQ,KAAK,OAAO,IAAI,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC;AACnG,CAAC;AAED,MAAM,UAAU,2BAA2B,CAAC,MAAc;IACtD,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,CAAC;IAC5B,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,yFAAyF,MAAM,EAAE,CAAC,CAAC;IACvH,CAAC;IACD,OAAO,GAAG,CAAC,MAAM,CAAC;AACtB,CAAC"}

package/dist/vault/vault.d.ts

@@ -1,91 +0,0 @@
-import { Signer } from '../protocol/crypto.js';
-import type { IStorageProvider } from '../storage/provider.js';
-import { type ActivityLogEntry, type ActivityLogMetadata } from '../audit/ActivityLog.js';
-export interface SecretPolicy {
-    allowedOrigins?: string[];
-}
-/**
- * CbioVault
- *
- * A secure container for third-party API keys and secrets.
- * Secrets are stored in a private field (#) and are inaccessible
- * to the outside Agent logic. Vault stores ONLY secrets (encrypted).
- */
-export declare class CbioVault {
-    #private;
-    private static readonly PERSIST_SALT;
-    private static readonly VERSIONED_SECRET_PREFIX;
-    /**
-     * @internal Used by Owner. Binds storage and loads vault from disk. Do not call directly.
-     */
-    initFromStorage(signer: Signer, storageKey: string, storage?: IStorageProvider, activityLogKey?: string, activityLogKeyIsDerived?: boolean): Promise<void>;
-    /**
-     * @internal Used by Owner.importIdentity. Binds storage and loads vault from blob. Do not call directly.
-     */
-    initFromBlob(signer: Signer, blob: string, storageKey: string, storage?: IStorageProvider, activityLogKey?: string, activityLogKeyIsDerived?: boolean): Promise<void>;
-    /**
-     * Add a new secret. Fails if secretName already exists.
-     */
-    addSecret(secretName: string, secretValue: string, options?: SecretPolicy): Promise<void>;
-    /**
-     * Update an existing secret. Fails if secretName does not exist.
-     */
-    updateSecret(secretName: string, secretValue: string): Promise<void>;
-    setSecretAllowedOrigins(secretName: string, allowedOrigins: readonly string[]): Promise<void>;
-    rotateSecret(secretName: string, secretValue: string, sourceOrigin: string): Promise<void>;
-    /**
-     * Case 3: Retrieve a secret in plaintext.
-     * @internal @admin
-     * WARNING: This is an ADMIN-ONLY method. Do not use in Agent's autonomous logic.
-     */
-    getSecret(secretName: string): string | undefined;
-    /**
-     * Case 4: Permanently delete a secret from memory and disk.
-     * @internal @admin
-     * WARNING: This is an ADMIN-ONLY method. Agent should NEVER be allowed
-     * to delete its own memory autonomously. Only Owner (Human) can call this.
-     */
-    deleteSecret(secretName: string): Promise<void>;
-    /**
-     * @internal Used by AuthClient to append activity log entries.
-     */
-    appendActivityLogEntry(entry: ActivityLogEntry): Promise<void>;
-    /**
-     * Persistence: Atomic save with write-read-verify.
-     */
-    save(signer: Signer, storageKey?: string, storage?: IStorageProvider): Promise<void>;
-    serializeToBlob(signer: Signer): Promise<string>;
-    /**
-     * Seal vault with external key (AES-256-GCM) for portable local storage.
-     */
-    seal(kdk: string): string;
-    /**
-     * Unseal vault from blob encrypted with kdk.
-     */
-    unseal(kdk: string, sealed: string): void;
-    hasSecret(secretName: string): boolean;
-    listSecretNames(): string[];
-    /**
-     * Read activity log. Owner-only. Returns [] if activity log not enabled.
-     */
-    getActivityLog(): Promise<readonly ActivityLogEntry[]>;
-    /**
-     * Read activity log metadata (agentId, storageKey). Returns null if not present.
-     */
-    getActivityLogMetadata(): Promise<ActivityLogMetadata | null>;
-    /**
-     * Merge secrets from another vault instance.
-     * Only allowed if both vaults belong to the same identity.
-     * @param options.onConflict 'abort' = return conflicts (default); 'skip' = merge non-conflicting only; 'overwrite' = use other's value for conflicts.
-     */
-    mergeFrom(otherVault: CbioVault, options?: {
-        onConflict?: 'abort' | 'skip' | 'overwrite';
-    }): Promise<MergeResult>;
-}
-export interface MergeResult {
-    merged: boolean;
-    added: string[];
-    skipped: string[];
-    overwritten: string[];
-    conflicts?: string[];
-}