@the-ai-company/cbio-node-runtime 0.39.0 → 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +116 -54
- package/dist/clients/agent/client.d.ts +9 -0
- package/dist/clients/agent/client.js +72 -0
- package/dist/clients/agent/client.js.map +1 -0
- package/dist/clients/agent/contracts.d.ts +34 -0
- package/dist/clients/agent/contracts.js +2 -0
- package/dist/clients/agent/contracts.js.map +1 -0
- package/dist/clients/agent/index.d.ts +3 -0
- package/dist/clients/agent/index.js +2 -0
- package/dist/clients/agent/index.js.map +1 -0
- package/dist/clients/owner/client.d.ts +18 -0
- package/dist/clients/owner/client.js +169 -0
- package/dist/clients/owner/client.js.map +1 -0
- package/dist/clients/owner/contracts.d.ts +34 -0
- package/dist/clients/owner/contracts.js +2 -0
- package/dist/clients/owner/contracts.js.map +1 -0
- package/dist/clients/owner/index.d.ts +3 -0
- package/dist/clients/owner/index.js +2 -0
- package/dist/clients/owner/index.js.map +1 -0
- package/dist/runtime/index.d.ts +8 -10
- package/dist/runtime/index.js +8 -7
- package/dist/runtime/index.js.map +1 -1
- package/dist/storage/fs.d.ts +1 -0
- package/dist/storage/fs.js +28 -0
- package/dist/storage/fs.js.map +1 -1
- package/dist/storage/memory.d.ts +1 -0
- package/dist/storage/memory.js +20 -0
- package/dist/storage/memory.js.map +1 -1
- package/dist/storage/provider.d.ts +2 -0
- package/dist/vault-core/contracts.d.ts +230 -0
- package/dist/vault-core/contracts.js +2 -0
- package/dist/vault-core/contracts.js.map +1 -0
- package/dist/vault-core/core.d.ts +21 -0
- package/dist/vault-core/core.js +335 -0
- package/dist/vault-core/core.js.map +1 -0
- package/dist/vault-core/defaults.d.ts +141 -0
- package/dist/vault-core/defaults.js +602 -0
- package/dist/vault-core/defaults.js.map +1 -0
- package/dist/vault-core/errors.d.ts +4 -0
- package/dist/vault-core/errors.js +9 -0
- package/dist/vault-core/errors.js.map +1 -0
- package/dist/vault-core/index.d.ts +6 -0
- package/dist/vault-core/index.js +5 -0
- package/dist/vault-core/index.js.map +1 -0
- package/dist/vault-core/persistence.d.ts +87 -0
- package/dist/vault-core/persistence.js +309 -0
- package/dist/vault-core/persistence.js.map +1 -0
- package/dist/vault-core/ports.d.ts +101 -0
- package/dist/vault-core/ports.js +2 -0
- package/dist/vault-core/ports.js.map +1 -0
- package/dist/vault-ingress/defaults.d.ts +14 -0
- package/dist/vault-ingress/defaults.js +41 -0
- package/dist/vault-ingress/defaults.js.map +1 -0
- package/dist/vault-ingress/flow-factories.d.ts +24 -0
- package/dist/vault-ingress/flow-factories.js +48 -0
- package/dist/vault-ingress/flow-factories.js.map +1 -0
- package/dist/vault-ingress/index.d.ts +81 -0
- package/dist/vault-ingress/index.js +357 -0
- package/dist/vault-ingress/index.js.map +1 -0
- package/docs/ARCHITECTURE.md +44 -76
- package/docs/REFERENCE.md +217 -218
- package/docs/WORKS_WITH_CUSTOM_FETCH.md +16 -191
- package/docs/es/README.md +8 -24
- package/docs/fr/README.md +8 -24
- package/docs/ja/README.md +8 -24
- package/docs/ko/README.md +8 -24
- package/docs/pt/README.md +8 -24
- package/docs/zh/README.md +21 -7
- package/package.json +2 -10
- package/dist/agent/agent.d.ts +0 -267
- package/dist/agent/agent.js +0 -689
- package/dist/agent/agent.js.map +0 -1
- package/dist/audit/ActivityLog.d.ts +0 -25
- package/dist/audit/ActivityLog.js +0 -71
- package/dist/audit/ActivityLog.js.map +0 -1
- package/dist/http/authClient.d.ts +0 -26
- package/dist/http/authClient.js +0 -132
- package/dist/http/authClient.js.map +0 -1
- package/dist/http/genericSecretValidator.d.ts +0 -11
- package/dist/http/genericSecretValidator.js +0 -42
- package/dist/http/genericSecretValidator.js.map +0 -1
- package/dist/http/localAuthProxy.d.ts +0 -33
- package/dist/http/localAuthProxy.js +0 -93
- package/dist/http/localAuthProxy.js.map +0 -1
- package/dist/http/localSecretIngress.d.ts +0 -33
- package/dist/http/localSecretIngress.js +0 -162
- package/dist/http/localSecretIngress.js.map +0 -1
- package/dist/http/secretAcquisition.d.ts +0 -54
- package/dist/http/secretAcquisition.js +0 -177
- package/dist/http/secretAcquisition.js.map +0 -1
- package/dist/protocol/childSecretNaming.d.ts +0 -7
- package/dist/protocol/childSecretNaming.js +0 -12
- package/dist/protocol/childSecretNaming.js.map +0 -1
- package/dist/protocol/identity.d.ts +0 -8
- package/dist/protocol/identity.js +0 -16
- package/dist/protocol/identity.js.map +0 -1
- package/dist/sealed/index.d.ts +0 -6
- package/dist/sealed/index.js +0 -6
- package/dist/sealed/index.js.map +0 -1
- package/dist/vault/secretPolicy.d.ts +0 -3
- package/dist/vault/secretPolicy.js +0 -14
- package/dist/vault/secretPolicy.js.map +0 -1
- package/dist/vault/vault.d.ts +0 -100
- package/dist/vault/vault.js +0 -603
- package/dist/vault/vault.js.map +0 -1
- package/docs/TODO-multi-vault.md +0 -29
- package/docs/spec/runtime/README.md +0 -44
- package/docs/spec/runtime/activity-log.md +0 -71
- package/docs/spec/runtime/exposure-surfaces.md +0 -99
- package/docs/spec/runtime/managed-agent-record.md +0 -52
- package/docs/spec/runtime/merge-rules.md +0 -52
- package/docs/spec/runtime/secret-origin-policy.md +0 -46
- package/docs/spec/runtime/secret-validation.md +0 -113
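--- a/package/dist/runtime/index.js
+++ b/package/dist/runtime/index.js
@@ -1,13 +1,14 @@
 /**
-* Runtime export.
-*
+* Runtime export.
+* Hard-cut public surface: vault core plus explicit clients only.
 */
-export { CbioIdentity, CbioAgent } from "../agent/agent.js";
-export { generateIdentityKeys, derivePublicKey } from "../protocol/crypto.js";
 export { IdentityError, IdentityErrorCode } from "../errors.js";
+export { generateIdentityKeys, derivePublicKey, LocalSigner } from "../protocol/crypto.js";
 export { FsStorageProvider } from "../storage/fs.js";
 export { MemoryStorageProvider } from "../storage/memory.js";
-export {
-export {
-export {
+export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, DefaultPolicyEngine, createPersistentVaultCoreDependencies, PersistentVaultAuditLog, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, SignatureAgentProofVerifier, SystemClock, } from "../vault-core/index.js";
+export { createOwnerClient, } from "../clients/owner/index.js";
+export { createAgentClient, } from "../clients/agent/index.js";
+export { createVaultService, wrapVaultCoreAsVaultService, createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, toOwnerHttpFlowBoundary, } from "../vault-ingress/index.js";
+export { InMemoryVaultCapabilityResolver, LocalVaultTransport, } from "../vault-ingress/defaults.js";
 //# sourceMappingURL=index.js.map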
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,oBAAoB,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAE3F,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAE7D,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,kCAAkC,EAGlC,mBAAmB,EACnB,qCAAqC,EACrC,uBAAuB,EACvB,2CAA2C,EAC3C,qCAAqC,EACrC,6BAA6B,EAC7B,0BAA0B,EAC1B,4BAA4B,EAC5B,+BAA+B,EAC/B,oBAAoB,EACpB,6BAA6B,EAC7B,oCAAoC,EACpC,8BAA8B,EAC9B,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,6BAA6B,EAC7B,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,EACjB,2BAA2B,EAE3B,2BAA2B,EAC3B,WAAW,GA2CZ,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,iBAAiB,GAUlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,iBAAiB,GAOlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,kBAAkB,EAClB,2BAA2B,EAC3B,2BAA2B,EAC3B,6BAA6B,EAC7B,8BAA8B,EAC9B,uBAAuB,GAYxB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,+BAA+B,EAC/B,mBAAmB,GACpB,MAAM,8BAA8B,CAAC"}
|
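--- a/package/dist/storage/fs.d.ts
+++ b/package/dist/storage/fs.d.ts
@@ -13,4 +13,5 @@ export declare class FsStorageProvider implements IStorageProvider {
 delete(key: string): Promise<void>;
 has(key: string): Promise<boolean>;
 rename(fromKey: string, toKey: string): Promise<void>;
+withLock<T>(key: string, task: () => Promise<T>): Promise<T>;
 }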
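--- a/package/dist/storage/fs.js
+++ b/package/dist/storage/fs.js
@@ -3,6 +3,9 @@
 */
 import * as fs from 'node:fs/promises';
 import * as path from 'node:path';
+function sleep(ms) {
+return new Promise((resolve) => setTimeout(resolve, ms));
+}
 export class FsStorageProvider {
 baseDir;
 constructor(baseDir) {
@@ -64,5 +67,30 @@ export class FsStorageProvider {
 async rename(fromKey, toKey) {
 await fs.rename(this.resolve(fromKey), this.resolve(toKey));
 }
+async withLock(key, task) {
+const fullPath = this.resolve(`${key}.lock`);
+await fs.mkdir(path.dirname(fullPath), { recursive: true, mode: FsStorageProvider.DIRECTORY_MODE });
+for (;;) {
+try {
+const fh = await fs.open(fullPath, 'wx', FsStorageProvider.FILE_MODE);
+try {
+return await task();
+}
+finally {
+await fh.close();
+await fs.unlink(fullPath).catch((error) => {
+if (error.code !== 'ENOENT')
+throw error;
+});
+}
+}
+catch (error) {
+if (error.code !== 'EEXIST') {
+throw error;
+}
+await sleep(10);
+}
+}
+}
 }
 //# sourceMappingURL=fs.js.map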
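Review bot: The acquisition loop in the new `withLock` (new lines 73–92) has no upper bound: if the holder dies between `fs.open(fullPath, 'wx', ...)` and the `unlink` in its `finally`, the `.lock` file survives and every later caller sleeps 10 ms forever, so one crash becomes a permanent stall of all writers for that key. Bounding the wait with a deadline and throwing makes the stale lock visible to the operator (a lingering `<key>.lock` under baseDir, surfaced by the error) instead of a silent hang; a stale-lock sweep keyed on the file's mtime could follow, but a timeout alone already fails closed. Note also that the lock path is `${key}.lock` resolved next to the data keys, so a data key that itself ends in `.lock` shares a path with another key's lock file — `resolve` is outside the hunk, so I cannot tell whether it rejects such keys. The rewrite below keeps the signature and the inner try/finally unchanged.
```javascript
const LOCK_RETRY_MS = 10;
const LOCK_WAIT_MS = 30000; // placeholder: tune to the longest expected task

// … unchanged: sleep(), class header, earlier methods …
async withLock(key, task) {
    const fullPath = this.resolve(`${key}.lock`);
    await fs.mkdir(path.dirname(fullPath), { recursive: true, mode: FsStorageProvider.DIRECTORY_MODE });
    const deadline = Date.now() + LOCK_WAIT_MS;
    for (;;) {
        try {
            const fh = await fs.open(fullPath, 'wx', FsStorageProvider.FILE_MODE);
            // … unchanged: run task, then close and unlink in finally …
        }
        catch (error) {
            if (error.code !== 'EEXIST') {
                throw error;
            }
            if (Date.now() >= deadline) {
                throw new Error(`withLock: gave up waiting for ${fullPath} after ${LOCK_WAIT_MS} ms; remove the stale lock file if its holder is gone`);
            }
            await sleep(LOCK_RETRY_MS);
        }
    }
}
```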
package/dist/storage/fs.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"fs.js","sourceRoot":"","sources":["../../src/storage/fs.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACvC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAGlC,MAAM,OAAO,iBAAiB;IACN;IAApB,YAAoB,OAAgB;QAAhB,YAAO,GAAP,OAAO,CAAS;IAAG,CAAC;IAEhC,MAAM,CAAU,cAAc,GAAG,KAAK,CAAC;IACvC,MAAM,CAAU,SAAS,GAAG,KAAK,CAAC;IAElC,OAAO,CAAC,GAAW;QACvB,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACf,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACxC,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,GAAG,IAAI,GAAG,KAAK,GAAG,EAAE,CAAC;YACrB,OAAO,GAAG,CAAC;QACf,CAAC;QACD,OAAO,GAAG,CAAC;IACf,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,GAAW;QAClB,IAAI,CAAC;YACD,OAAO,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;QAChD,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YACd,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YACrC,MAAM,CAAC,CAAC;QACZ,CAAC;IACL,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAW,EAAE,IAAY;QACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACnC,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,iBAAiB,CAAC,cAAc,EAAE,CAAC,CAAC;QACpG,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,iBAAiB,CAAC,SAAS,EAAE,CAAC,CAAC;QAC1E,MAAM,EAAE,CAAC,KAAK,CAAC,QAAQ,EAAE,iBAAiB,CAAC,SAAS,CAAC,CAAC;QACtD,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACzC,IAAI,CAAC;YACD,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC;QACpB,CAAC;gBAAS,CAAC;YACP,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC;QACrB,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACpB,IAAI,CAAC;YACD,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;QACvC,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YACd,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ;gBAAE,MAAM,CAAC,CAAC;QACrC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW;QACjB,IAAI,CAAC;YACD,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;YACnC,OAAO,IAAI,CAAC;QAChB,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,KAAa;QACvC,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC
,OAAO,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;IAChE,CAAC"}
|
|
1
|
+
{"version":3,"file":"fs.js","sourceRoot":"","sources":["../../src/storage/fs.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACvC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAGlC,SAAS,KAAK,CAAC,EAAU;IACrB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED,MAAM,OAAO,iBAAiB;IACN;IAApB,YAAoB,OAAgB;QAAhB,YAAO,GAAP,OAAO,CAAS;IAAG,CAAC;IAEhC,MAAM,CAAU,cAAc,GAAG,KAAK,CAAC;IACvC,MAAM,CAAU,SAAS,GAAG,KAAK,CAAC;IAElC,OAAO,CAAC,GAAW;QACvB,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACf,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACxC,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,GAAG,IAAI,GAAG,KAAK,GAAG,EAAE,CAAC;YACrB,OAAO,GAAG,CAAC;QACf,CAAC;QACD,OAAO,GAAG,CAAC;IACf,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,GAAW;QAClB,IAAI,CAAC;YACD,OAAO,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;QAChD,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YACd,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YACrC,MAAM,CAAC,CAAC;QACZ,CAAC;IACL,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAW,EAAE,IAAY;QACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACnC,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,iBAAiB,CAAC,cAAc,EAAE,CAAC,CAAC;QACpG,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,iBAAiB,CAAC,SAAS,EAAE,CAAC,CAAC;QAC1E,MAAM,EAAE,CAAC,KAAK,CAAC,QAAQ,EAAE,iBAAiB,CAAC,SAAS,CAAC,CAAC;QACtD,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACzC,IAAI,CAAC;YACD,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC;QACpB,CAAC;gBAAS,CAAC;YACP,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC;QACrB,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACpB,IAAI,CAAC;YACD,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;QACvC,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YACd,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ;gBAAE,MAAM,CAAC,CAAC;QACrC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW;QACjB,IAAI,CAAC;YACD,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;YACnC,OAAO,IAAI,CAAC;QAChB,CAAC;QAAC,MAAM
,CAAC;YACL,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,KAAa;QACvC,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;IAChE,CAAC;IAED,KAAK,CAAC,QAAQ,CAAI,GAAW,EAAE,IAAsB;QACjD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,OAAO,CAAC,CAAC;QAC7C,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,iBAAiB,CAAC,cAAc,EAAE,CAAC,CAAC;QAEpG,SAAS,CAAC;YACN,IAAI,CAAC;gBACD,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,iBAAiB,CAAC,SAAS,CAAC,CAAC;gBACtE,IAAI,CAAC;oBACD,OAAO,MAAM,IAAI,EAAE,CAAC;gBACxB,CAAC;wBAAS,CAAC;oBACP,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC;oBACjB,MAAM,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,KAAU,EAAE,EAAE;wBAC3C,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ;4BAAE,MAAM,KAAK,CAAC;oBAC7C,CAAC,CAAC,CAAC;gBACP,CAAC;YACL,CAAC;YAAC,OAAO,KAAU,EAAE,CAAC;gBAClB,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBAC1B,MAAM,KAAK,CAAC;gBAChB,CAAC;gBACD,MAAM,KAAK,CAAC,EAAE,CAAC,CAAC;YACpB,CAAC;QACL,CAAC;IACL,CAAC"}
|
package/dist/storage/memory.d.ts
CHANGED
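--- a/package/dist/storage/memory.js
+++ b/package/dist/storage/memory.js
@@ -3,6 +3,7 @@
 */
 export class MemoryStorageProvider {
 #store = new Map();
+#locks = new Map();
 async read(key) {
 return this.#store.get(key) ?? null;
 }
@@ -15,5 +16,24 @@ export class MemoryStorageProvider {
 async has(key) {
 return this.#store.has(key);
 }
+async withLock(key, task) {
+const previous = this.#locks.get(key) ?? Promise.resolve();
+let release;
+const current = new Promise((resolve) => {
+release = resolve;
+});
+const chained = previous.then(() => current);
+this.#locks.set(key, chained);
+await previous;
+try {
+return await task();
+}
+finally {
+release();
+if (this.#locks.get(key) === chained) {
+this.#locks.delete(key);
+}
+}
+}
 }
 //# sourceMappingURL=memory.js.map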
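Review bot: The cleanup guard `if (this.#locks.get(key) === chained)` in the new `withLock` (new lines 33–35) is correct but easy to "simplify" away: a later waiter replaces the map entry with its own chain link, and deleting unconditionally would drop that link so the next caller would bypass the queue. A short comment protects it: `// Only clear the slot if no later waiter has queued behind us.` It is also worth stating above the method that this lock is per-instance and not reentrant: a `task` that calls `withLock` on the same key awaits its own chain link and never resolves.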
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"memory.js","sourceRoot":"","sources":["../../src/storage/memory.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,MAAM,OAAO,qBAAqB;IAC9B,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;
|
|
1
|
+
{"version":3,"file":"memory.js","sourceRoot":"","sources":["../../src/storage/memory.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,MAAM,OAAO,qBAAqB;IAC9B,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;IACnC,MAAM,GAAG,IAAI,GAAG,EAAyB,CAAC;IAE1C,KAAK,CAAC,IAAI,CAAC,GAAW;QAClB,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAW,EAAE,IAAY;QACjC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACpB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW;QACjB,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,QAAQ,CAAI,GAAW,EAAE,IAAsB;QACjD,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QAC3D,IAAI,OAAoB,CAAC;QACzB,MAAM,OAAO,GAAG,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;YAC1C,OAAO,GAAG,OAAO,CAAC;QACtB,CAAC,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,CAAC;QAC7C,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9B,MAAM,QAAQ,CAAC;QACf,IAAI,CAAC;YACD,OAAO,MAAM,IAAI,EAAE,CAAC;QACxB,CAAC;gBAAS,CAAC;YACP,OAAO,EAAE,CAAC;YACV,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,OAAO,EAAE,CAAC;gBACnC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC5B,CAAC;QACL,CAAC;IACL,CAAC;CACJ"}
|
|
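--- a/package/dist/storage/provider.d.ts
+++ b/package/dist/storage/provider.d.ts
@@ -9,4 +9,6 @@ export interface IStorageProvider {
 has(key: string): Promise<boolean>;
 /** Optional. If present, used for atomic save. Otherwise vault does write+delete. */
 rename?(fromKey: string, toKey: string): Promise<void>;
+/** Optional. If present, used to serialize read-modify-write sequences across writers. */
+withLock?<T>(key: string, task: () => Promise<T>): Promise<T>;
 }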
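Review bot: The new doc comment on `withLock?` says what the method is used for but not the contract implementers and callers rely on: exclusivity is per key, the lock is released when the task settles (resolve or reject), calls are not reentrant, and whether exclusion spans processes is implementation-specific (in this release the fs provider uses a lock file, the memory provider a per-instance promise chain). Since the vault's read-modify-write safety rests on this method, spelling that out here prevents a provider that only serializes within one process from being used where cross-process exclusion is expected. Suggested wording: `/** Optional. If present, serializes read-modify-write sequences per key: the lock is held until task settles, is not reentrant, and may or may not span processes (see the provider). */`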
|
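--- a/package/dist/vault-core/contracts.d.ts
+++ b/package/dist/vault-core/contracts.d.ts
@@ -0,0 +1,230 @@
+export type VaultPrincipalKind = "owner" | "trusted_issuer" | "agent" | "trusted_executor";
+export interface VaultPrincipal {
+kind: VaultPrincipalKind;
+id: string;
+}
+export interface VaultId {
+readonly value: string;
+}
+export interface SecretId {
+readonly value: string;
+}
+export interface SecretAlias {
+readonly value: string;
+}
+export interface SecretVersion {
+readonly value: string;
+}
+export interface SecretRecord {
+vaultId: VaultId;
+secretId: SecretId;
+alias: SecretAlias;
+version: SecretVersion;
+issuerId: string | null;
+targetBindings: VaultTargetBinding[];
+createdAt: string;
+updatedAt: string;
+}
+export interface VaultTargetBinding {
+kind: "owner" | "site";
+targetId: string;
+targetUrl?: string;
+methods?: readonly string[];
+paths?: readonly string[];
+}
+export interface OwnerWriteSecretCommand {
+kind: "owner.write_secret";
+vaultId: VaultId;
+requestId: string;
+owner: VaultPrincipal & {
+kind: "owner";
+};
+alias: string;
+plaintext: string;
+targetBindings: readonly VaultTargetBinding[];
+requestedAt: string;
+proof: OwnerProof;
+}
+export interface IssuerWriteSecretCommand {
+kind: "issuer.write_secret";
+vaultId: VaultId;
+issuer: VaultPrincipal & {
+kind: "trusted_issuer";
+};
+alias: string;
+plaintext: string;
+issuerSiteId: string;
+targetBindings?: readonly VaultTargetBinding[];
+requestedAt: string;
+}
+export type VaultWriteSecretCommand = OwnerWriteSecretCommand | IssuerWriteSecretCommand;
+export interface OwnerRegisterAgentIdentityCommand {
+vaultId: VaultId;
+requestId: string;
+owner: VaultPrincipal & {
+kind: "owner";
+};
+agentIdentity: AgentIdentityRecord;
+requestedAt: string;
+proof: OwnerProof;
+}
+export interface OwnerRegisterOwnerIdentityCommand {
+vaultId: VaultId;
+requestId: string;
+owner: VaultPrincipal & {
+kind: "owner";
+};
+ownerIdentity: OwnerIdentityRecord;
+requestedAt: string;
+proof: OwnerProof;
+}
+export interface CustomHttpFlowDefinition {
+vaultId: VaultId;
+flowId: string;
+ownerId: string;
+mode: "acquire_secret" | "send_secret" | "bidirectional_secret";
+targetUrl: string;
+method: string;
+responseVisibility: "passthrough" | "shape_only";
+responseSecret?: {
+kind: "json_field";
+field: string;
+storeAlias: string;
+};
+createdAt: string;
+}
+export interface OwnerRegisterCustomHttpFlowCommand {
+vaultId: VaultId;
+requestId: string;
+owner: VaultPrincipal & {
+kind: "owner";
+};
+flow: {
+flowId: string;
+mode: "acquire_secret" | "send_secret" | "bidirectional_secret";
+targetUrl: string;
+method: string;
+responseVisibility: "passthrough" | "shape_only";
+responseSecret?: {
+kind: "json_field";
+field: string;
+storeAlias: string;
+};
+};
+requestedAt: string;
+proof: OwnerProof;
+}
+export interface AgentCapability {
+vaultId: VaultId;
+capabilityId: string;
+agentId: string;
+secretIds?: readonly string[];
+secretAliases?: readonly string[];
+operation: "dispatch_http" | "custom_http";
+customFlowId?: string;
+allowedTargets: readonly string[];
+allowedMethods: readonly string[];
+allowedPaths?: readonly string[];
+issuedAt: string;
+expiresAt?: string;
+revocationVersion?: number;
+rateLimit?: {
+maxRequests: number;
+windowMs: number;
+};
+auditRequired?: boolean;
+}
+export interface AgentProof {
+agentId: string;
+signature: string;
+requestId: string;
+requestedAt: string;
+}
+export interface OwnerProof {
+ownerId: string;
+signature: string;
+requestId: string;
+requestedAt: string;
+}
+export interface DispatchRequest {
+vaultId: VaultId;
+requestId: string;
+requestedAt: string;
+agent: VaultPrincipal & {
+kind: "agent";
+};
+capability: AgentCapability;
+proof: AgentProof;
+secretAlias?: string;
+targetUrl: string;
+method: string;
+headers?: Record<string, string>;
+body?: string;
+}
+export interface DispatchAuthorization {
+vaultId: VaultId;
+decision: "allow" | "deny";
+reason: string | null;
+secretId: SecretId | null;
+executorTarget: VaultTargetBinding | null;
+}
+export interface DispatchInstruction {
+vaultId: VaultId;
+requestId: string;
+secretId: SecretId;
+targetUrl: string;
+method: string;
+headers?: Record<string, string>;
+body?: string;
+}
+export interface DispatchResult {
+vaultId: VaultId;
+requestId: string;
+status: "succeeded" | "denied" | "failed";
+targetUrl: string;
+method: string;
+responseStatus?: number;
+responseBody?: string;
+error?: string;
+}
+export interface AuditQuery {
+actorId?: string;
+secretAlias?: string;
+requestId?: string;
+since?: string;
+}
+export interface AuditEntry {
+entryId: string;
+occurredAt: string;
+vaultId: string;
+actor: VaultPrincipal;
+action: "bootstrap_owner_identity" | "register_agent_identity" | "register_owner_identity" | "register_custom_flow" | "write_secret" | "reassign_alias" | "authorize_dispatch" | "dispatch_secret" | "read_audit";
+requestId?: string;
+capabilityId?: string;
+operation?: AgentCapability["operation"] | AuditEntry["action"];
+targetUrl?: string;
+secretAlias?: string;
+secretId?: string;
+outcome: "allowed" | "denied" | "succeeded" | "failed";
+detail: string;
+}
+export interface AgentIdentityRecord {
+vaultId: VaultId;
+agentId: string;
+publicKey: string;
+}
+export interface OwnerIdentityRecord {
+vaultId: VaultId;
+ownerId: string;
+publicKey: string;
+}
+export interface OwnerAuditRequest {
+vaultId: VaultId;
+actor: VaultPrincipal & {
+kind: "owner";
+};
+query: AuditQuery;
+requestId: string;
+requestedAt: string;
+proof: OwnerProof;
+}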
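Review bot: `AgentProof` and `OwnerProof` (new lines 137–148) carry a `signature` but the declaration does not say which fields it covers or how they are canonicalized, and nothing in this file ties the signature to the `vaultId`, `targetUrl`, `method` or `body` of the enclosing `DispatchRequest`. Whether signer and verifier agree on the signed message is what decides whether a proof captured from one request is accepted on another, so this is the contract in the file that most needs a doc comment; the verifier (`SignatureAgentProofVerifier`, exported elsewhere in this release) may already bind those fields, but the type should state it. Likewise the optional `AgentCapability` fields `allowedPaths?`, `expiresAt?`, `rateLimit?` and `revocationVersion?` should say what absence means (unrestricted, never expires, unlimited, or the opposite), since a reader assuming the safe default may get the reverse. Finally `plaintext: string` on both write commands (lines 43 and 55) means secret material rides in an ordinary command object, so a note that the command must not be logged or persisted as-is is warranted.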
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"contracts.js","sourceRoot":"","sources":["../../src/vault-core/contracts.ts"],"names":[],"mappings":""}
|
|
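--- a/package/dist/vault-core/core.d.ts
+++ b/package/dist/vault-core/core.d.ts
@@ -0,0 +1,21 @@
+import type { AuditEntry, AuditQuery, CustomHttpFlowDefinition, DispatchAuthorization, DispatchRequest, DispatchResult, OwnerRegisterAgentIdentityCommand, OwnerRegisterCustomHttpFlowCommand, OwnerRegisterOwnerIdentityCommand, SecretRecord, VaultPrincipal, VaultWriteSecretCommand } from "./contracts.js";
+import type { VaultCore, VaultCoreDependencies } from "./ports.js";
+export declare class DefaultVaultCore implements VaultCore {
+private readonly _deps;
+constructor(_deps: VaultCoreDependencies);
+get vaultId(): import("./contracts.js").VaultId;
+private appendAudit;
+private appendDecisionAudit;
+bootstrapOwnerIdentity(identity: import("./contracts.js").OwnerIdentityRecord): Promise<void>;
+registerAgentIdentity(command: OwnerRegisterAgentIdentityCommand): Promise<void>;
+registerOwnerIdentity(command: OwnerRegisterOwnerIdentityCommand): Promise<void>;
+registerCustomFlow(command: OwnerRegisterCustomHttpFlowCommand): Promise<void>;
+storeCustomFlowSecret(flow: CustomHttpFlowDefinition, alias: string, plaintext: string): Promise<SecretRecord>;
+writeSecret(command: VaultWriteSecretCommand): Promise<SecretRecord>;
+authorizeDispatch(request: DispatchRequest): Promise<DispatchAuthorization>;
+dispatchSecret(request: DispatchRequest): Promise<DispatchResult>;
+getAudit(actor: VaultPrincipal & {
+kind: "owner";
+}, query: AuditQuery, request?: Omit<import("./contracts.js").OwnerAuditRequest, "actor" | "query" | "vaultId">): Promise<readonly AuditEntry[]>;
+}
+export declare function createVaultCore(deps: VaultCoreDependencies): VaultCore;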
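Review bot: `bootstrapOwnerIdentity` (new line 9) and `storeCustomFlowSecret` (line 13) are the only mutating methods on `DefaultVaultCore` whose parameters carry no `proof`, and `getAudit` (lines 17–19) makes its `request` optional, so an audit read can be made without one; the declaration should say which trust boundary is expected to guard these entry points so they are not exposed through a transport by mistake. The `VaultCore` interface these implement lives in ports.d.ts, outside this section, so the contract may be documented there; if not, a doc comment on each, e.g. `/** Trusted in-process entry point: no owner proof is verified here; the caller must already be authorized. */`, is the minimum.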