@the-ai-company/cbio-node-runtime 0.39.0 → 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +116 -54
- package/dist/clients/agent/client.d.ts +9 -0
- package/dist/clients/agent/client.js +72 -0
- package/dist/clients/agent/client.js.map +1 -0
- package/dist/clients/agent/contracts.d.ts +34 -0
- package/dist/clients/agent/contracts.js +2 -0
- package/dist/clients/agent/contracts.js.map +1 -0
- package/dist/clients/agent/index.d.ts +3 -0
- package/dist/clients/agent/index.js +2 -0
- package/dist/clients/agent/index.js.map +1 -0
- package/dist/clients/owner/client.d.ts +18 -0
- package/dist/clients/owner/client.js +169 -0
- package/dist/clients/owner/client.js.map +1 -0
- package/dist/clients/owner/contracts.d.ts +34 -0
- package/dist/clients/owner/contracts.js +2 -0
- package/dist/clients/owner/contracts.js.map +1 -0
- package/dist/clients/owner/index.d.ts +3 -0
- package/dist/clients/owner/index.js +2 -0
- package/dist/clients/owner/index.js.map +1 -0
- package/dist/runtime/index.d.ts +8 -10
- package/dist/runtime/index.js +8 -7
- package/dist/runtime/index.js.map +1 -1
- package/dist/storage/fs.d.ts +1 -0
- package/dist/storage/fs.js +28 -0
- package/dist/storage/fs.js.map +1 -1
- package/dist/storage/memory.d.ts +1 -0
- package/dist/storage/memory.js +20 -0
- package/dist/storage/memory.js.map +1 -1
- package/dist/storage/provider.d.ts +2 -0
- package/dist/vault-core/contracts.d.ts +230 -0
- package/dist/vault-core/contracts.js +2 -0
- package/dist/vault-core/contracts.js.map +1 -0
- package/dist/vault-core/core.d.ts +21 -0
- package/dist/vault-core/core.js +335 -0
- package/dist/vault-core/core.js.map +1 -0
- package/dist/vault-core/defaults.d.ts +141 -0
- package/dist/vault-core/defaults.js +602 -0
- package/dist/vault-core/defaults.js.map +1 -0
- package/dist/vault-core/errors.d.ts +4 -0
- package/dist/vault-core/errors.js +9 -0
- package/dist/vault-core/errors.js.map +1 -0
- package/dist/vault-core/index.d.ts +6 -0
- package/dist/vault-core/index.js +5 -0
- package/dist/vault-core/index.js.map +1 -0
- package/dist/vault-core/persistence.d.ts +87 -0
- package/dist/vault-core/persistence.js +309 -0
- package/dist/vault-core/persistence.js.map +1 -0
- package/dist/vault-core/ports.d.ts +101 -0
- package/dist/vault-core/ports.js +2 -0
- package/dist/vault-core/ports.js.map +1 -0
- package/dist/vault-ingress/defaults.d.ts +14 -0
- package/dist/vault-ingress/defaults.js +41 -0
- package/dist/vault-ingress/defaults.js.map +1 -0
- package/dist/vault-ingress/flow-factories.d.ts +24 -0
- package/dist/vault-ingress/flow-factories.js +48 -0
- package/dist/vault-ingress/flow-factories.js.map +1 -0
- package/dist/vault-ingress/index.d.ts +81 -0
- package/dist/vault-ingress/index.js +357 -0
- package/dist/vault-ingress/index.js.map +1 -0
- package/docs/ARCHITECTURE.md +44 -76
- package/docs/REFERENCE.md +217 -218
- package/docs/WORKS_WITH_CUSTOM_FETCH.md +16 -191
- package/docs/es/README.md +8 -24
- package/docs/fr/README.md +8 -24
- package/docs/ja/README.md +8 -24
- package/docs/ko/README.md +8 -24
- package/docs/pt/README.md +8 -24
- package/docs/zh/README.md +21 -7
- package/package.json +2 -10
- package/dist/agent/agent.d.ts +0 -267
- package/dist/agent/agent.js +0 -689
- package/dist/agent/agent.js.map +0 -1
- package/dist/audit/ActivityLog.d.ts +0 -25
- package/dist/audit/ActivityLog.js +0 -71
- package/dist/audit/ActivityLog.js.map +0 -1
- package/dist/http/authClient.d.ts +0 -26
- package/dist/http/authClient.js +0 -132
- package/dist/http/authClient.js.map +0 -1
- package/dist/http/genericSecretValidator.d.ts +0 -11
- package/dist/http/genericSecretValidator.js +0 -42
- package/dist/http/genericSecretValidator.js.map +0 -1
- package/dist/http/localAuthProxy.d.ts +0 -33
- package/dist/http/localAuthProxy.js +0 -93
- package/dist/http/localAuthProxy.js.map +0 -1
- package/dist/http/localSecretIngress.d.ts +0 -33
- package/dist/http/localSecretIngress.js +0 -162
- package/dist/http/localSecretIngress.js.map +0 -1
- package/dist/http/secretAcquisition.d.ts +0 -54
- package/dist/http/secretAcquisition.js +0 -177
- package/dist/http/secretAcquisition.js.map +0 -1
- package/dist/protocol/childSecretNaming.d.ts +0 -7
- package/dist/protocol/childSecretNaming.js +0 -12
- package/dist/protocol/childSecretNaming.js.map +0 -1
- package/dist/protocol/identity.d.ts +0 -8
- package/dist/protocol/identity.js +0 -16
- package/dist/protocol/identity.js.map +0 -1
- package/dist/sealed/index.d.ts +0 -6
- package/dist/sealed/index.js +0 -6
- package/dist/sealed/index.js.map +0 -1
- package/dist/vault/secretPolicy.d.ts +0 -3
- package/dist/vault/secretPolicy.js +0 -14
- package/dist/vault/secretPolicy.js.map +0 -1
- package/dist/vault/vault.d.ts +0 -100
- package/dist/vault/vault.js +0 -603
- package/dist/vault/vault.js.map +0 -1
- package/docs/TODO-multi-vault.md +0 -29
- package/docs/spec/runtime/README.md +0 -44
- package/docs/spec/runtime/activity-log.md +0 -71
- package/docs/spec/runtime/exposure-surfaces.md +0 -99
- package/docs/spec/runtime/managed-agent-record.md +0 -52
- package/docs/spec/runtime/merge-rules.md +0 -52
- package/docs/spec/runtime/secret-origin-policy.md +0 -46
- package/docs/spec/runtime/secret-validation.md +0 -113
|
@@ -0,0 +1,335 @@
|
|
|
1
|
+
import { VaultCoreError } from "./errors.js";
|
|
2
|
+
function toAuditEntry(deps, actor, action, outcome, detail, options) {
|
|
3
|
+
return {
|
|
4
|
+
entryId: deps.ids.newAuditEntryId(),
|
|
5
|
+
occurredAt: deps.clock.nowIso(),
|
|
6
|
+
vaultId: deps.vaultId.value,
|
|
7
|
+
actor,
|
|
8
|
+
action,
|
|
9
|
+
outcome,
|
|
10
|
+
detail,
|
|
11
|
+
requestId: options?.requestId,
|
|
12
|
+
capabilityId: options?.capabilityId,
|
|
13
|
+
operation: options?.operation ?? action,
|
|
14
|
+
targetUrl: options?.targetUrl,
|
|
15
|
+
secretAlias: options?.secretAlias,
|
|
16
|
+
secretId: options?.secretId,
|
|
17
|
+
};
|
|
18
|
+
}
|
|
19
|
+
function buildSecretRecord(deps, command) {
|
|
20
|
+
const now = deps.clock.nowIso();
|
|
21
|
+
return {
|
|
22
|
+
vaultId: deps.vaultId,
|
|
23
|
+
secretId: deps.ids.newSecretId(),
|
|
24
|
+
alias: { value: command.alias },
|
|
25
|
+
version: deps.ids.newVersion(),
|
|
26
|
+
issuerId: command.kind === "issuer.write_secret" ? command.issuerSiteId : null,
|
|
27
|
+
targetBindings: command.kind === "issuer.write_secret"
|
|
28
|
+
? [...(command.targetBindings ?? [{ kind: "site", targetId: command.issuerSiteId }])]
|
|
29
|
+
: [...command.targetBindings],
|
|
30
|
+
createdAt: now,
|
|
31
|
+
updatedAt: now,
|
|
32
|
+
};
|
|
33
|
+
}
|
|
34
|
+
export class DefaultVaultCore {
|
|
35
|
+
_deps;
|
|
36
|
+
constructor(_deps) {
|
|
37
|
+
this._deps = _deps;
|
|
38
|
+
}
|
|
39
|
+
get vaultId() {
|
|
40
|
+
return this._deps.vaultId;
|
|
41
|
+
}
|
|
42
|
+
async appendAudit(entry) {
|
|
43
|
+
try {
|
|
44
|
+
await this._deps.audit.append(entry);
|
|
45
|
+
}
|
|
46
|
+
catch (error) {
|
|
47
|
+
const message = error instanceof Error ? error.message : String(error);
|
|
48
|
+
throw new VaultCoreError(`audit append failed: ${message}`, "VAULT_AUDIT_FAILED");
|
|
49
|
+
}
|
|
50
|
+
}
|
|
51
|
+
async appendDecisionAudit(request, outcome, detail, options) {
|
|
52
|
+
await this.appendAudit(toAuditEntry(this._deps, request.agent, "authorize_dispatch", outcome, detail, {
|
|
53
|
+
requestId: request.requestId,
|
|
54
|
+
capabilityId: request.capability.capabilityId,
|
|
55
|
+
operation: request.capability.operation,
|
|
56
|
+
targetUrl: request.targetUrl,
|
|
57
|
+
secretAlias: options?.secretAlias ?? request.secretAlias,
|
|
58
|
+
secretId: options?.secretId,
|
|
59
|
+
}));
|
|
60
|
+
}
|
|
61
|
+
async bootstrapOwnerIdentity(identity) {
|
|
62
|
+
if (identity.vaultId.value !== this._deps.vaultId.value) {
|
|
63
|
+
throw new VaultCoreError("owner identity vault mismatch", "VAULT_IDENTITY_DENIED");
|
|
64
|
+
}
|
|
65
|
+
if (await this._deps.ownerIdentities.hasAny(this._deps.vaultId)) {
|
|
66
|
+
throw new VaultCoreError("owner bootstrap already completed", "VAULT_IDENTITY_DENIED");
|
|
67
|
+
}
|
|
68
|
+
await this._deps.ownerIdentities.register(identity);
|
|
69
|
+
await this.appendAudit(toAuditEntry(this._deps, { kind: "owner", id: identity.ownerId }, "bootstrap_owner_identity", "succeeded", "initial owner identity bootstrapped"));
|
|
70
|
+
}
|
|
71
|
+
async registerAgentIdentity(command) {
|
|
72
|
+
if (command.vaultId.value !== this._deps.vaultId.value) {
|
|
73
|
+
throw new VaultCoreError("identity registration vault mismatch", "VAULT_IDENTITY_DENIED");
|
|
74
|
+
}
|
|
75
|
+
if (command.agentIdentity.vaultId.value !== this._deps.vaultId.value) {
|
|
76
|
+
throw new VaultCoreError("agent identity vault mismatch", "VAULT_IDENTITY_DENIED");
|
|
77
|
+
}
|
|
78
|
+
try {
|
|
79
|
+
await this._deps.ownerProofVerifier.verifyRegisterAgentIdentity(command);
|
|
80
|
+
await this._deps.agentIdentities.register(command.agentIdentity);
|
|
81
|
+
await this.appendAudit(toAuditEntry(this._deps, command.owner, "register_agent_identity", "succeeded", `agent identity registered: ${command.agentIdentity.agentId}`));
|
|
82
|
+
}
|
|
83
|
+
catch (error) {
|
|
84
|
+
const detail = error instanceof Error ? error.message : String(error);
|
|
85
|
+
await this.appendAudit(toAuditEntry(this._deps, command.owner, "register_agent_identity", "denied", detail));
|
|
86
|
+
throw error;
|
|
87
|
+
}
|
|
88
|
+
}
|
|
89
|
+
async registerOwnerIdentity(command) {
|
|
90
|
+
if (command.vaultId.value !== this._deps.vaultId.value) {
|
|
91
|
+
throw new VaultCoreError("identity registration vault mismatch", "VAULT_IDENTITY_DENIED");
|
|
92
|
+
}
|
|
93
|
+
if (command.ownerIdentity.vaultId.value !== this._deps.vaultId.value) {
|
|
94
|
+
throw new VaultCoreError("owner identity vault mismatch", "VAULT_IDENTITY_DENIED");
|
|
95
|
+
}
|
|
96
|
+
try {
|
|
97
|
+
await this._deps.ownerProofVerifier.verifyRegisterOwnerIdentity(command);
|
|
98
|
+
await this._deps.ownerIdentities.register(command.ownerIdentity);
|
|
99
|
+
await this.appendAudit(toAuditEntry(this._deps, command.owner, "register_owner_identity", "succeeded", `owner identity registered: ${command.ownerIdentity.ownerId}`));
|
|
100
|
+
}
|
|
101
|
+
catch (error) {
|
|
102
|
+
const detail = error instanceof Error ? error.message : String(error);
|
|
103
|
+
await this.appendAudit(toAuditEntry(this._deps, command.owner, "register_owner_identity", "denied", detail));
|
|
104
|
+
throw error;
|
|
105
|
+
}
|
|
106
|
+
}
|
|
107
|
+
async registerCustomFlow(command) {
|
|
108
|
+
if (command.vaultId.value !== this._deps.vaultId.value) {
|
|
109
|
+
throw new VaultCoreError("custom flow vault mismatch", "VAULT_IDENTITY_DENIED");
|
|
110
|
+
}
|
|
111
|
+
if (!command.flow.flowId.trim()) {
|
|
112
|
+
throw new VaultCoreError("custom flow id required", "VAULT_IDENTITY_DENIED");
|
|
113
|
+
}
|
|
114
|
+
if (command.flow.mode !== "send_secret" && !command.flow.responseSecret) {
|
|
115
|
+
throw new VaultCoreError("custom flow response secret rule required", "VAULT_IDENTITY_DENIED");
|
|
116
|
+
}
|
|
117
|
+
try {
|
|
118
|
+
await this._deps.ownerProofVerifier.verifyRegisterCustomFlow(command);
|
|
119
|
+
await this._deps.customFlows.register({
|
|
120
|
+
vaultId: this._deps.vaultId,
|
|
121
|
+
flowId: command.flow.flowId,
|
|
122
|
+
ownerId: command.owner.id,
|
|
123
|
+
mode: command.flow.mode,
|
|
124
|
+
targetUrl: command.flow.targetUrl,
|
|
125
|
+
method: command.flow.method,
|
|
126
|
+
responseVisibility: command.flow.responseVisibility,
|
|
127
|
+
responseSecret: command.flow.responseSecret,
|
|
128
|
+
createdAt: this._deps.clock.nowIso(),
|
|
129
|
+
});
|
|
130
|
+
await this.appendAudit(toAuditEntry(this._deps, command.owner, "register_custom_flow", "succeeded", `custom http flow registered: ${command.flow.flowId}`));
|
|
131
|
+
}
|
|
132
|
+
catch (error) {
|
|
133
|
+
const detail = error instanceof Error ? error.message : String(error);
|
|
134
|
+
await this.appendAudit(toAuditEntry(this._deps, command.owner, "register_custom_flow", "denied", detail));
|
|
135
|
+
throw error;
|
|
136
|
+
}
|
|
137
|
+
}
|
|
138
|
+
async storeCustomFlowSecret(flow, alias, plaintext) {
|
|
139
|
+
const actor = { kind: "owner", id: flow.ownerId };
|
|
140
|
+
const targetBindings = [{
|
|
141
|
+
kind: "site",
|
|
142
|
+
targetId: flow.flowId,
|
|
143
|
+
targetUrl: flow.targetUrl,
|
|
144
|
+
methods: [flow.method],
|
|
145
|
+
paths: [new URL(flow.targetUrl).pathname || "/"],
|
|
146
|
+
}];
|
|
147
|
+
const existing = await this._deps.secrets.getByAlias({ value: alias });
|
|
148
|
+
if (existing) {
|
|
149
|
+
await this.appendAudit(toAuditEntry(this._deps, actor, "reassign_alias", "denied", "alias already bound to existing secret; explicit alias lifecycle required", {
|
|
150
|
+
secretAlias: existing.alias.value,
|
|
151
|
+
secretId: existing.secretId.value,
|
|
152
|
+
}));
|
|
153
|
+
throw new VaultCoreError("alias already bound to existing secret", "VAULT_WRITE_DENIED");
|
|
154
|
+
}
|
|
155
|
+
const record = buildSecretRecord(this._deps, {
|
|
156
|
+
kind: "owner.write_secret",
|
|
157
|
+
vaultId: this._deps.vaultId,
|
|
158
|
+
requestId: `${flow.flowId}:${alias}:custom_flow_store`,
|
|
159
|
+
owner: actor,
|
|
160
|
+
alias,
|
|
161
|
+
plaintext,
|
|
162
|
+
targetBindings,
|
|
163
|
+
requestedAt: this._deps.clock.nowIso(),
|
|
164
|
+
proof: {
|
|
165
|
+
ownerId: actor.id,
|
|
166
|
+
requestId: `${flow.flowId}:${alias}:custom_flow_store`,
|
|
167
|
+
requestedAt: this._deps.clock.nowIso(),
|
|
168
|
+
signature: "vault-internal",
|
|
169
|
+
},
|
|
170
|
+
});
|
|
171
|
+
try {
|
|
172
|
+
await this._deps.custody.store(record.secretId, plaintext);
|
|
173
|
+
await this._deps.secrets.save(record);
|
|
174
|
+
await this.appendAudit(toAuditEntry(this._deps, actor, "write_secret", "succeeded", `custom flow stored secret: ${alias}`, {
|
|
175
|
+
secretAlias: record.alias.value,
|
|
176
|
+
secretId: record.secretId.value,
|
|
177
|
+
}));
|
|
178
|
+
}
|
|
179
|
+
catch (error) {
|
|
180
|
+
await Promise.allSettled([
|
|
181
|
+
this._deps.secrets.delete(record.secretId),
|
|
182
|
+
this._deps.custody.delete(record.secretId),
|
|
183
|
+
]);
|
|
184
|
+
throw error;
|
|
185
|
+
}
|
|
186
|
+
return record;
|
|
187
|
+
}
|
|
188
|
+
async writeSecret(command) {
|
|
189
|
+
if (command.vaultId.value !== this._deps.vaultId.value) {
|
|
190
|
+
throw new VaultCoreError("write vault mismatch", "VAULT_WRITE_DENIED");
|
|
191
|
+
}
|
|
192
|
+
try {
|
|
193
|
+
if (command.kind === "owner.write_secret") {
|
|
194
|
+
await this._deps.ownerProofVerifier.verifyWrite(command);
|
|
195
|
+
}
|
|
196
|
+
await this._deps.policy.authorizeWrite(command);
|
|
197
|
+
}
|
|
198
|
+
catch (error) {
|
|
199
|
+
const detail = error instanceof Error ? error.message : String(error);
|
|
200
|
+
await this.appendAudit(toAuditEntry(this._deps, command.kind === "owner.write_secret" ? command.owner : command.issuer, "write_secret", "denied", detail, {
|
|
201
|
+
secretAlias: command.alias,
|
|
202
|
+
}));
|
|
203
|
+
throw error;
|
|
204
|
+
}
|
|
205
|
+
const existing = await this._deps.secrets.getByAlias({ value: command.alias });
|
|
206
|
+
if (existing) {
|
|
207
|
+
await this.appendAudit(toAuditEntry(this._deps, command.kind === "owner.write_secret" ? command.owner : command.issuer, "reassign_alias", "denied", "alias already bound to existing secret; explicit alias lifecycle required", {
|
|
208
|
+
secretAlias: existing.alias.value,
|
|
209
|
+
secretId: existing.secretId.value,
|
|
210
|
+
}));
|
|
211
|
+
throw new VaultCoreError("alias already bound to existing secret", "VAULT_WRITE_DENIED");
|
|
212
|
+
}
|
|
213
|
+
const record = buildSecretRecord(this._deps, command);
|
|
214
|
+
try {
|
|
215
|
+
await this._deps.custody.store(record.secretId, command.plaintext);
|
|
216
|
+
await this._deps.secrets.save(record);
|
|
217
|
+
await this.appendAudit(toAuditEntry(this._deps, command.kind === "owner.write_secret" ? command.owner : command.issuer, "write_secret", "succeeded", "secret stored", {
|
|
218
|
+
secretAlias: record.alias.value,
|
|
219
|
+
secretId: record.secretId.value,
|
|
220
|
+
}));
|
|
221
|
+
}
|
|
222
|
+
catch (error) {
|
|
223
|
+
await Promise.allSettled([
|
|
224
|
+
this._deps.secrets.delete(record.secretId),
|
|
225
|
+
this._deps.custody.delete(record.secretId),
|
|
226
|
+
]);
|
|
227
|
+
throw error;
|
|
228
|
+
}
|
|
229
|
+
return record;
|
|
230
|
+
}
|
|
231
|
+
async authorizeDispatch(request) {
|
|
232
|
+
if (request.vaultId.value !== this._deps.vaultId.value) {
|
|
233
|
+
throw new VaultCoreError("request vault mismatch", "VAULT_DISPATCH_DENIED");
|
|
234
|
+
}
|
|
235
|
+
const record = request.secretAlias
|
|
236
|
+
? await this._deps.secrets.getByAlias({ value: request.secretAlias })
|
|
237
|
+
: null;
|
|
238
|
+
if (request.secretAlias && !record) {
|
|
239
|
+
await this.appendDecisionAudit(request, "denied", "secret not found");
|
|
240
|
+
return {
|
|
241
|
+
vaultId: this._deps.vaultId,
|
|
242
|
+
decision: "deny",
|
|
243
|
+
reason: "secret not found",
|
|
244
|
+
secretId: null,
|
|
245
|
+
executorTarget: null,
|
|
246
|
+
};
|
|
247
|
+
}
|
|
248
|
+
try {
|
|
249
|
+
await this._deps.replayGuard.assertNotReplayed(request);
|
|
250
|
+
await this._deps.proofVerifier.verify(request);
|
|
251
|
+
await this._deps.policy.authorizeDispatch(request, record);
|
|
252
|
+
}
|
|
253
|
+
catch (error) {
|
|
254
|
+
const detail = error instanceof Error ? error.message : String(error);
|
|
255
|
+
await this.appendDecisionAudit(request, "denied", detail, {
|
|
256
|
+
secretAlias: record?.alias.value ?? request.secretAlias,
|
|
257
|
+
secretId: record?.secretId.value,
|
|
258
|
+
});
|
|
259
|
+
throw error;
|
|
260
|
+
}
|
|
261
|
+
const executorTarget = record
|
|
262
|
+
? record.targetBindings.find((binding) => binding.targetUrl === request.targetUrl)
|
|
263
|
+
?? record.targetBindings.find((binding) => binding.targetId === request.targetUrl)
|
|
264
|
+
?? null
|
|
265
|
+
: null;
|
|
266
|
+
if (request.capability.auditRequired !== false) {
|
|
267
|
+
await this.appendDecisionAudit(request, "allowed", "dispatch authorized", {
|
|
268
|
+
secretAlias: record?.alias.value ?? request.secretAlias,
|
|
269
|
+
secretId: record?.secretId.value,
|
|
270
|
+
});
|
|
271
|
+
}
|
|
272
|
+
return {
|
|
273
|
+
vaultId: this._deps.vaultId,
|
|
274
|
+
decision: "allow",
|
|
275
|
+
reason: null,
|
|
276
|
+
secretId: record?.secretId ?? null,
|
|
277
|
+
executorTarget,
|
|
278
|
+
};
|
|
279
|
+
}
|
|
280
|
+
async dispatchSecret(request) {
|
|
281
|
+
const authorization = await this.authorizeDispatch(request);
|
|
282
|
+
if (authorization.decision !== "allow" || !authorization.secretId) {
|
|
283
|
+
throw new VaultCoreError("dispatch denied", "VAULT_DISPATCH_DENIED");
|
|
284
|
+
}
|
|
285
|
+
const record = await this._deps.secrets.getById(authorization.secretId);
|
|
286
|
+
if (!record) {
|
|
287
|
+
throw new VaultCoreError("secret not found", "VAULT_SECRET_NOT_FOUND");
|
|
288
|
+
}
|
|
289
|
+
const plaintext = await this._deps.custody.load(record.secretId);
|
|
290
|
+
if (plaintext === null) {
|
|
291
|
+
throw new VaultCoreError("secret material not found", "VAULT_SECRET_NOT_FOUND");
|
|
292
|
+
}
|
|
293
|
+
const result = await this._deps.executor.dispatch({
|
|
294
|
+
vaultId: this._deps.vaultId,
|
|
295
|
+
requestId: request.requestId,
|
|
296
|
+
secretId: record.secretId,
|
|
297
|
+
targetUrl: request.targetUrl,
|
|
298
|
+
method: request.method,
|
|
299
|
+
headers: request.headers,
|
|
300
|
+
body: request.body,
|
|
301
|
+
}, { record, plaintext });
|
|
302
|
+
await this.appendAudit(toAuditEntry(this._deps, request.agent, "dispatch_secret", result.status === "succeeded" ? "succeeded" : "failed", result.status === "succeeded" ? "dispatch completed" : (result.error ?? "dispatch failed"), {
|
|
303
|
+
requestId: request.requestId,
|
|
304
|
+
capabilityId: request.capability.capabilityId,
|
|
305
|
+
operation: request.capability.operation,
|
|
306
|
+
targetUrl: request.targetUrl,
|
|
307
|
+
secretAlias: record.alias.value,
|
|
308
|
+
secretId: record.secretId.value,
|
|
309
|
+
}));
|
|
310
|
+
return {
|
|
311
|
+
...result,
|
|
312
|
+
vaultId: this._deps.vaultId,
|
|
313
|
+
};
|
|
314
|
+
}
|
|
315
|
+
async getAudit(actor, query, request) {
|
|
316
|
+
if (!request) {
|
|
317
|
+
throw new VaultCoreError("owner audit proof required", "VAULT_AUDIT_DENIED");
|
|
318
|
+
}
|
|
319
|
+
await this._deps.ownerProofVerifier.verifyAudit({
|
|
320
|
+
vaultId: this._deps.vaultId,
|
|
321
|
+
actor,
|
|
322
|
+
query,
|
|
323
|
+
requestId: request.requestId,
|
|
324
|
+
requestedAt: request.requestedAt,
|
|
325
|
+
proof: request.proof,
|
|
326
|
+
});
|
|
327
|
+
const entries = await this._deps.audit.query(query);
|
|
328
|
+
await this.appendAudit(toAuditEntry(this._deps, actor, "read_audit", "allowed", "audit queried"));
|
|
329
|
+
return entries;
|
|
330
|
+
}
|
|
331
|
+
}
|
|
332
|
+
export function createVaultCore(deps) {
|
|
333
|
+
return new DefaultVaultCore(deps);
|
|
334
|
+
}
|
|
335
|
+
//# sourceMappingURL=core.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"core.js","sourceRoot":"","sources":["../../src/vault-core/core.ts"],"names":[],"mappings":"AAeA,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAE7C,SAAS,YAAY,CACnB,IAA2B,EAC3B,KAAqB,EACrB,MAA4B,EAC5B,OAA8B,EAC9B,MAAc,EACd,OAOC;IAED,OAAO;QACL,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,eAAe,EAAE;QACnC,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE;QAC/B,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK;QAC3B,KAAK;QACL,MAAM;QACN,OAAO;QACP,MAAM;QACN,SAAS,EAAE,OAAO,EAAE,SAAS;QAC7B,YAAY,EAAE,OAAO,EAAE,YAAY;QACnC,SAAS,EAAE,OAAO,EAAE,SAAS,IAAI,MAAM;QACvC,SAAS,EAAE,OAAO,EAAE,SAAS;QAC7B,WAAW,EAAE,OAAO,EAAE,WAAW;QACjC,QAAQ,EAAE,OAAO,EAAE,QAAQ;KAC5B,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CACxB,IAA2B,EAC3B,OAAgC;IAEhC,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;IAChC,OAAO;QACL,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,QAAQ,EAAE,IAAI,CAAC,GAAG,CAAC,WAAW,EAAE;QAChC,KAAK,EAAE,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE;QAC/B,OAAO,EAAE,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE;QAC9B,QAAQ,EAAE,OAAO,CAAC,IAAI,KAAK,qBAAqB,CAAC,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC,CAAC,IAAI;QAC9E,cAAc,EAAE,OAAO,CAAC,IAAI,KAAK,qBAAqB;YACpD,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,cAAc,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC;YACrF,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,cAAc,CAAC;QAC/B,SAAS,EAAE,GAAG;QACd,SAAS,EAAE,GAAG;KACf,CAAC;AACJ,CAAC;AAED,MAAM,OAAO,gBAAgB;IACE;IAA7B,YAA6B,KAA4B;QAA5B,UAAK,GAAL,KAAK,CAAuB;IAAG,CAAC;IAE7D,IAAI,OAAO;QACT,OAAO,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC;IAC5B,CAAC;IAEO,KAAK,CAAC,WAAW,CAAC,KAAiB;QACzC,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvC,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,MAAM,IAAI,cAAc,CAAC,wBAAwB,OAAO,EAAE,EAAE,oBAAoB,CAAC,CAAC;QACpF,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,mBAAmB,CAC/B,OAAwB,EACxB,OAA6B,EAC7B,MAAc,EACd,OAGC;QAED,MAAM,IAAI,CAAC,WAAW,CACpB,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,oBAAoB,EAAE,OAAO,EAAE,MAAM,EAAE;YAC7E,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,YAAY,EAAE,OAAO,CAAC,UAAU,CAAC,YAAY;YAC7C,SAAS,EAAE,OAAO,CAAC,UAAU,CAAC,SAAS;YACvC,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,WAAW,EAAE,OAAO,EAAE,WAAW,IAAI,OAAO,CAAC,WAAW;YACxD,QAAQ,EAAE,OAAO,EAAE,QAAQ;SAC5B,CAAC,CACH,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,sBAAsB,CAAC,QAAsD;QACjF,IAAI,QAAQ,CAAC,OAAO,CAAC,KAAK,KAAK,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YACxD,MAAM,IAAI,cAAc,CAAC,+BAA+B,EAAE,uBAAuB,CAAC,CAAC;QACrF,CAAC;QACD,IAAI,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;YAChE,MAAM,IAAI,cAAc,CAAC,mCAAmC,EAAE,uBAAuB,CAAC,CAAC;QACzF,CAAC;QACD,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACpD,MAAM,IAAI,CAAC,WAAW,CACpB,YAAY,CACV,IAAI,CAAC,KAAK,EACV,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,QAAQ,CAAC,OAAO,EAAE,EACvC,0BAA0B,EAC1B,WAAW,EACX,qCAAqC,CACtC,CACF,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAC,OAA0C;QACpE,IAAI,OAAO,CAAC,OAAO,CAAC,KAAK,KAAK,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YACvD,MAAM,IAAI,cAAc,CAAC,sCAAsC,EAAE,uBAAuB,CAAC,CAAC;QAC5F,CAAC;QACD,IAAI,OAAO,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,KAAK,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YACrE,MAAM,IAAI,cAAc,CAAC,+BAA+B,EAAE,uBAAuB,CAAC,CAAC;QACrF,CAAC;QACD,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,2BAA2B,CAAC,OAAO,CAAC,CAAC;YACzE,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,QAAQ,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;YACjE,MAAM,IAAI,CAAC,WAAW,CACpB,YAAY,CACV,IAAI,CAAC,KAAK,EACV,OAAO,CAAC,KAAK,EACb,yBAAyB,EACzB,WAAW,EACX,8BAA8B,OAAO,CAAC,aAAa,CAAC,OAAO,EAAE,CAC9D,CACF,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,MAAM,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACtE,MAAM,IAAI,CAAC,WAAW,CACpB,YAAY,CACV,IAAI,CAAC,KAAK,EACV,OAAO,CAAC,KAAK,EACb,yBAAyB,EACzB,QAAQ,EACR,MAAM,CACP,CACF,CAAC;YACF,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAC,OAA0C;QACpE,IAAI,OAAO,CAAC,OAAO,CAAC,KAAK,KAAK,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YACvD,MAAM,IAAI,cAAc,CAAC,sCAAsC,EAAE,uBAAuB,CAAC,CAAC;QAC5F,CAAC;QACD,IAAI,OAAO,CAAC,aAAa,CAAC,OAAO,CAAC,KAAK,KAAK,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YACrE,MAAM,IAAI,cAAc,CAAC,+BAA+B,EAAE,uBAAuB,CAAC,CAAC;QACrF,CAAC;QACD,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,2BAA2B,CAAC,OAAO,CAAC,CAAC;YACzE,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,QAAQ,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;YACjE,MAAM,IAAI,CAAC,WAAW,CACpB,YAAY,CACV,IAAI,CAAC,KAAK,EACV,OAAO,CAAC,KAAK,EACb,yBAAyB,EACzB,WAAW,EACX,8BAA8B,OAAO,CAAC,aAAa,CAAC,OAAO,EAAE,CAC9D,CACF,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,MAAM,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACtE,MAAM,IAAI,CAAC,WAAW,CACpB,YAAY,CACV,IAAI,CAAC,KAAK,EACV,OAAO,CAAC,KAAK,EACb,yBAAyB,EACzB,QAAQ,EACR,MAAM,CACP,CACF,CAAC;YACF,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,OAA2C;QAClE,IAAI,OAAO,CAAC,OAAO,CAAC,KAAK,KAAK,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YACvD,MAAM,IAAI,cAAc,CAAC,4BAA4B,EAAE,uBAAuB,CAAC,CAAC;QAClF,CAAC;QACD,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,CAAC;YAChC,MAAM,IAAI,cAAc,CAAC,yBAAyB,EAAE,uBAAuB,CAAC,CAAC;QAC/E,CAAC;QACD,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,KAAK,aAAa,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACxE,MAAM,IAAI,cAAc,CAAC,2CAA2C,EAAE,uBAAuB,CAAC,CAAC;QACjG,CAAC;QACD,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,wBAAwB,CAAC,OAAO,CAAC,CAAC;YACtE,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,QAAQ,CAAC;gBACpC,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO;gBAC3B,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,MAAM;gBAC3B,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,EAAE;gBACzB,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,IAAI;gBACvB,SAAS,EAAE,OAAO,CAAC,IAAI,CAAC,SAAS;gBACjC,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,MAAM;gBAC3B,kBAAkB,EAAE,OAAO,CAAC,IAAI,CAAC,kBAAkB;gBACnD,cAAc,EAAE,OAAO,CAAC,IAAI,CAAC,cAAc;gBAC3C,SAAS,EAAE,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,EAAE;aACrC,CAAC,CAAC;YACH,MAAM,IAAI,CAAC,WAAW,CACpB,YAAY,CACV,IAAI,CAAC,KAAK,EACV,OAAO,CAAC,KAAK,EACb,sBAAsB,EACtB,WAAW,EACX,gCAAgC,OAAO,CAAC,IAAI,CAAC,MAAM,EAAE,CACtD,CACF,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,MAAM,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACtE,MAAM,IAAI,CAAC,WAAW,CACpB,YAAY,CACV,IAAI,CAAC,KAAK,EACV,OAAO,CAAC,KAAK,EACb,sBAAsB,EACtB,QAAQ,EACR,MAAM,CACP,CACF,CAAC;YACF,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAC,IAA8B,EAAE,KAAa,EAAE,SAAiB;QAC1F,MAAM,KAAK,GAAuC,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC;QACtF,MAAM,cAAc,GAAG,CAAC;gBACtB,IAAI,EAAE,MAAe;gBACrB,QAAQ,EAAE,IAAI,CAAC,MAAM;gBACrB,SAAS,EAAE,IAAI,CAAC,SAAS;gBACzB,OAAO,EAAE,CAAC,IAAI,CAAC,MAAM,CAAC;gBACtB,KAAK,EAAE,CAAC,IAAI,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,IAAI,GAAG,CAAC;aACjD,CAAC,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC;QACvE,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,WAAW,CACpB,YAAY,CACV,IAAI,CAAC,KAAK,EACV,KAAK,EACL,gBAAgB,EAChB,QAAQ,EACR,2EAA2E,EAC3E;gBACE,WAAW,EAAE,QAAQ,CAAC,KAAK,CAAC,KAAK;gBACjC,QAAQ,EAAE,QAAQ,CAAC,QAAQ,CAAC,KAAK;aAClC,CACF,CACF,CAAC;YACF,MAAM,IAAI,cAAc,CAAC,wCAAwC,EAAE,oBAAoB,CAAC,CAAC;QAC3F,CAAC;QACD,MAAM,MAAM,GAAG,iBAAiB,CAAC,IAAI,CAAC,KAAK,EAAE;YAC3C,IAAI,EAAE,oBAAoB;YAC1B,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO;YAC3B,SAAS,EAAE,GAAG,IAAI,CAAC,MAAM,IAAI,KAAK,oBAAoB;YACtD,KAAK,EAAE,KAAK;YACZ,KAAK;YACL,SAAS;YACT,cAAc;YACd,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,EAAE;YACtC,KAAK,EAAE;gBACL,OAAO,EAAE,KAAK,CAAC,EAAE;gBACjB,SAAS,EAAE,GAAG,IAAI,CAAC,MAAM,IAAI,KAAK,oBAAoB;gBACtD,WAAW,EAAE,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,EAAE;gBACtC,SAAS,EAAE,gBAAgB;aAC5B;SACF,CAAC,CAAC;QACH,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;YAC3D,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACtC,MAAM,IAAI,CAAC,WAAW,CACpB,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,8BAA8B,KAAK,EAAE,EAAE;gBAClG,WAAW,EAAE,MAAM,CAAC,KAAK,CAAC,KAAK;gBAC/B,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,KAAK;aAChC,CAAC,CACH,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,CAAC,UAAU,CAAC;gBACvB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC;gBAC1C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC;aAC3C,CAAC,CAAC;YACH,MAAM,KAAK,CAAC;QACd,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,OAAgC;QAChD,IAAI,OAAO,CAAC,OAAO,CAAC,KAAK,KAAK,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YACvD,MAAM,IAAI,cAAc,CAAC,sBAAsB,EAAE,oBAAoB,CAAC,CAAC;QACzE,CAAC;QACD,IAAI,CAAC;YACH,IAAI,OAAO,CAAC,IAAI,KAAK,oBAAoB,EAAE,CAAC;gBAC1C,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;YAC3D,CAAC;YACD,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;QAClD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,MAAM,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACtE,MAAM,IAAI,CAAC,WAAW,CACpB,YAAY,CACV,IAAI,CAAC,KAAK,EACV,OAAO,CAAC,IAAI,KAAK,oBAAoB,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EACtE,cAAc,EACd,QAAQ,EACR,MAAM,EACN;gBACE,WAAW,EAAE,OAAO,CAAC,KAAK;aAC3B,CACF,CACF,CAAC;YACF,MAAM,KAAK,CAAC;QACd,CAAC;QACD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;QAC/E,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,IAAI,CAAC,WAAW,CACpB,YAAY,CACV,IAAI,CAAC,KAAK,EACV,OAAO,CAAC,IAAI,KAAK,oBAAoB,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EACtE,gBAAgB,EAChB,QAAQ,EACR,2EAA2E,EAC3E;gBACE,WAAW,EAAE,QAAQ,CAAC,KAAK,CAAC,KAAK;gBACjC,QAAQ,EAAE,QAAQ,CAAC,QAAQ,CAAC,KAAK;aAClC,CACF,CACF,CAAC;YACF,MAAM,IAAI,cAAc,CAAC,wCAAwC,EAAE,oBAAoB,CAAC,CAAC;QAC3F,CAAC;QACD,MAAM,MAAM,GAAG,iBAAiB,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;QACtD,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;YACnE,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACtC,MAAM,IAAI,CAAC,WAAW,CACpB,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,OAAO,CAAC,IAAI,KAAK,oBAAoB,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,cAAc,EAAE,WAAW,EAAE,eAAe,EAAE;gBAC7I,WAAW,EAAE,MAAM,CAAC,KAAK,CAAC,KAAK;gBAC/B,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,KAAK;aAChC,CAAC,CACH,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,CAAC,UAAU,CAAC;gBACvB,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC;gBAC1C,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC;aAC3C,CAAC,CAAC;YACH,MAAM,KAAK,CAAC;QACd,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,OAAwB;QAC9C,IAAI,OAAO,CAAC,OAAO,CAAC,KAAK,KAAK,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;YACvD,MAAM,IAAI,cAAc,CAAC,wBAAwB,EAAE,uBAAuB,CAAC,CAAC;QAC9E,CAAC;QACD,MAAM,MAAM,GAAG,OAAO,CAAC,WAAW;YAChC,CAAC,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,WAAW,EAAE,CAAC;YACrE,CAAC,CAAC,IAAI,CAAC;QACT,IAAI,OAAO,CAAC,WAAW,IAAI,CAAC,MAAM,EAAE,CAAC;YACnC,MAAM,IAAI,CAAC,mBAAmB,CAAC,OAAO,EAAE,QAAQ,EAAE,kBAAkB,CAAC,CAAC;YACtE,OAAO;gBACL,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO;gBAC3B,QAAQ,EAAE,MAAM;gBAChB,MAAM,EAAE,kBAAkB;gBAC1B,QAAQ,EAAE,IAAI;gBACd,cAAc,EAAE,IAAI;aACrB,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;YACxD,MAAM,IAAI,CAAC,KAAK,CAAC,aAAa,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAC/C,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,iBAAiB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC7D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,MAAM,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACtE,MAAM,IAAI,CAAC,mBAAmB,CAAC,OAAO,EAAE,QAAQ,EAAE,MAAM,EAAE;gBACxD,WAAW,EAAE,MAAM,EAAE,KAAK,CAAC,KAAK,IAAI,OAAO,CAAC,WAAW;gBACvD,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,KAAK;aACjC,CAAC,CAAC;YACH,MAAM,KAAK,CAAC;QACd,CAAC;QAED,MAAM,cAAc,GAAG,MAAM;YAC3B,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,SAAS,KAAK,OAAO,CAAC,SAAS,CAAC;mBAC7E,MAAM,CAAC,cAAc,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC,SAAS,CAAC;mBAC/E,IAAI;YACT,CAAC,CAAC,IAAI,CAAC;QAET,IAAI,OAAO,CAAC,UAAU,CAAC,aAAa,KAAK,KAAK,EAAE,CAAC;YAC/C,MAAM,IAAI,CAAC,mBAAmB,CAAC,OAAO,EAAE,SAAS,EAAE,qBAAqB,EAAE;gBACxE,WAAW,EAAE,MAAM,EAAE,KAAK,CAAC,KAAK,IAAI,OAAO,CAAC,WAAW;gBACvD,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,KAAK;aACjC,CAAC,CAAC;QACL,CAAC;QAED,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO;YAC3B,QAAQ,EAAE,OAAO;YACjB,MAAM,EAAE,IAAI;YACZ,QAAQ,EAAE,MAAM,EAAE,QAAQ,IAAI,IAAI;YAClC,cAAc;SACf,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,OAAwB;QAC3C,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC;QAC5D,IAAI,aAAa,CAAC,QAAQ,KAAK,OAAO,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,CAAC;YAClE,MAAM,IAAI,cAAc,CAAC,iBAAiB,EAAE,uBAAuB,CAAC,CAAC;QACvE,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;QACxE,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,cAAc,CAAC,kBAAkB,EAAE,wBAAwB,CAAC,CAAC;QACzE,CAAC;QACD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;QACjE,IAAI,SAAS,KAAK,IAAI,EAAE,CAAC;YACvB,MAAM,IAAI,cAAc,CAAC,2BAA2B,EAAE,wBAAwB,CAAC,CAAC;QAClF,CAAC;QAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAC/C;YACE,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO;YAC3B,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,EACD,EAAE,MAAM,EAAE,SAAS,EAAE,CACtB,CAAC;QAEF,MAAM,IAAI,CAAC,WAAW,CACpB,YAAY,CACV,IAAI,CAAC,KAAK,EACV,OAAO,CAAC,KAAK,EACb,iBAAiB,EACjB,MAAM,CAAC,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,QAAQ,EACtD,MAAM,CAAC,MAAM,KAAK,WAAW,CAAC,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,IAAI,iBAAiB,CAAC,EAC1F;YACE,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,YAAY,EAAE,OAAO,CAAC,UAAU,CAAC,YAAY;YAC7C,SAAS,EAAE,OAAO,CAAC,UAAU,CAAC,SAAS;YACvC,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,WAAW,EAAE,MAAM,CAAC,KAAK,CAAC,KAAK;YAC/B,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,KAAK;SAChC,CACF,CACF,CAAC;QAEF,OAAO;YACL,GAAG,MAAM;YACT,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO;SAC5B,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,QAAQ,CACZ,KAAyC,EACzC,KAAiB,EACjB,OAAyF;QAEzF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,cAAc,CAAC,4BAA4B,EAAE,oBAAoB,CAAC,CAAC;QAC/E,CAAC;QACD,MAAM,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,WAAW,CAAC;YAC9C,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,OAAO;YAC3B,KAAK;YACL,KAAK;YACL,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACpD,MAAM,IAAI,CAAC,WAAW,CACpB,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,EAAE,YAAY,EAAE,SAAS,EAAE,eAAe,CAAC,CAC1E,CAAC;QACF,OAAO,OAAO,CAAC;IACjB,CAAC;CACF;AAED,MAAM,UAAU,eAAe,CAAC,IAA2B;IACzD,OAAO,IAAI,gBAAgB,CAAC,IAAI,CAAC,CAAC;AACpC,CAAC"}
|
|
@@ -0,0 +1,141 @@
|
|
|
1
|
+
import type { AgentIdentityRecord, OwnerAuditRequest, OwnerRegisterAgentIdentityCommand, OwnerRegisterCustomHttpFlowCommand, OwnerRegisterOwnerIdentityCommand, OwnerIdentityRecord, AuditEntry, AuditQuery, CustomHttpFlowDefinition, DispatchInstruction, DispatchRequest, DispatchResult, SecretAlias, SecretId, SecretRecord, VaultId } from "./contracts.js";
|
|
2
|
+
import type { AgentIdentityRegistry, AgentProofVerifier, AuditLog, CustomHttpFlowRegistry, CapabilityRevocationRegistry, Clock, IdGenerator, OwnerIdentityRegistry, OwnerProofVerifier, PolicyEngine, RateLimitStore, ReplayGuard, SecretCustody, SecretRepository, TrustedExecutor } from "./ports.js";
|
|
3
|
+
export interface DefaultPolicyEngineOptions {
|
|
4
|
+
now?: () => Date;
|
|
5
|
+
trustedIssuerIds?: readonly string[];
|
|
6
|
+
trustedIssuerIdResolver?: (issuerId: string) => Promise<boolean> | boolean;
|
|
7
|
+
capabilityRevocationRegistry?: CapabilityRevocationRegistry;
|
|
8
|
+
rateLimitStore?: RateLimitStore;
|
|
9
|
+
}
|
|
10
|
+
export interface SignatureAgentProofVerifierOptions {
|
|
11
|
+
maxSkewMs?: number;
|
|
12
|
+
now?: () => Date;
|
|
13
|
+
}
|
|
14
|
+
export declare class SystemClock implements Clock {
|
|
15
|
+
nowIso(): string;
|
|
16
|
+
}
|
|
17
|
+
export declare class RandomIdGenerator implements IdGenerator {
|
|
18
|
+
newSecretId(): SecretId;
|
|
19
|
+
newVersion(): {
|
|
20
|
+
value: string;
|
|
21
|
+
};
|
|
22
|
+
newAuditEntryId(): string;
|
|
23
|
+
}
|
|
24
|
+
export declare class InMemorySecretRepository implements SecretRepository {
|
|
25
|
+
private readonly _byAlias;
|
|
26
|
+
private readonly _byId;
|
|
27
|
+
save(record: SecretRecord): Promise<void>;
|
|
28
|
+
delete(secretId: SecretId): Promise<void>;
|
|
29
|
+
getByAlias(alias: SecretAlias): Promise<SecretRecord | null>;
|
|
30
|
+
getById(secretId: SecretId): Promise<SecretRecord | null>;
|
|
31
|
+
}
|
|
32
|
+
export declare class InMemoryAuditLog implements AuditLog {
|
|
33
|
+
private readonly _entries;
|
|
34
|
+
append(entry: AuditEntry): Promise<void>;
|
|
35
|
+
query(query: AuditQuery): Promise<readonly AuditEntry[]>;
|
|
36
|
+
}
|
|
37
|
+
export declare class InMemorySecretCustody implements SecretCustody {
|
|
38
|
+
private readonly _plaintextById;
|
|
39
|
+
store(secretId: SecretId, plaintext: string): Promise<void>;
|
|
40
|
+
load(secretId: SecretId): Promise<string | null>;
|
|
41
|
+
delete(secretId: SecretId): Promise<void>;
|
|
42
|
+
}
|
|
43
|
+
export declare class InMemoryAgentIdentityRegistry implements AgentIdentityRegistry {
|
|
44
|
+
private readonly _identities;
|
|
45
|
+
register(identity: AgentIdentityRecord): Promise<void>;
|
|
46
|
+
get(vaultId: VaultId, agentId: string): Promise<AgentIdentityRecord | null>;
|
|
47
|
+
}
|
|
48
|
+
export declare class InMemoryOwnerIdentityRegistry implements OwnerIdentityRegistry {
|
|
49
|
+
private readonly _identities;
|
|
50
|
+
register(identity: OwnerIdentityRecord): Promise<void>;
|
|
51
|
+
get(vaultId: VaultId, ownerId: string): Promise<OwnerIdentityRecord | null>;
|
|
52
|
+
hasAny(vaultId: VaultId): Promise<boolean>;
|
|
53
|
+
}
|
|
54
|
+
export declare class InMemoryCapabilityRevocationRegistry implements CapabilityRevocationRegistry {
|
|
55
|
+
private readonly _versions;
|
|
56
|
+
revoke(vaultId: VaultId, agentId: string, capabilityId: string): number;
|
|
57
|
+
get(vaultId: VaultId, agentId: string, capabilityId: string): number;
|
|
58
|
+
}
|
|
59
|
+
export declare class InMemoryCustomHttpFlowRegistry implements CustomHttpFlowRegistry {
|
|
60
|
+
private readonly _flows;
|
|
61
|
+
register(flow: CustomHttpFlowDefinition): Promise<void>;
|
|
62
|
+
get(vaultId: VaultId, flowId: string): Promise<CustomHttpFlowDefinition | null>;
|
|
63
|
+
}
|
|
64
|
+
export declare class InMemoryRateLimitStore implements RateLimitStore {
|
|
65
|
+
private readonly _buckets;
|
|
66
|
+
consume(key: string, maxRequests: number, windowMs: number, nowMs: number): Promise<void>;
|
|
67
|
+
}
|
|
68
|
+
export declare class DefaultPolicyEngine implements PolicyEngine {
|
|
69
|
+
private readonly _options;
|
|
70
|
+
private readonly _rateLimitStore;
|
|
71
|
+
constructor(_options?: DefaultPolicyEngineOptions);
|
|
72
|
+
private validateRequestedAt;
|
|
73
|
+
private isTrustedIssuer;
|
|
74
|
+
private validateTargetBindings;
|
|
75
|
+
private assertCapabilityRateLimit;
|
|
76
|
+
authorizeWrite(command: import("./contracts.js").VaultWriteSecretCommand): Promise<void>;
|
|
77
|
+
authorizeDispatch(request: DispatchRequest, record?: SecretRecord | null): Promise<void>;
|
|
78
|
+
}
|
|
79
|
+
export declare class SignatureAgentProofVerifier implements AgentProofVerifier {
|
|
80
|
+
private readonly _maxSkewMs;
|
|
81
|
+
private readonly _now;
|
|
82
|
+
private readonly _agentIdentities;
|
|
83
|
+
constructor(agentIdentities: AgentIdentityRegistry, options?: SignatureAgentProofVerifierOptions);
|
|
84
|
+
verify(request: DispatchRequest): Promise<void>;
|
|
85
|
+
}
|
|
86
|
+
export declare class SignatureOwnerProofVerifier implements OwnerProofVerifier {
|
|
87
|
+
private readonly _maxSkewMs;
|
|
88
|
+
private readonly _now;
|
|
89
|
+
private readonly _ownerIdentities;
|
|
90
|
+
constructor(ownerIdentities: OwnerIdentityRegistry, options?: SignatureAgentProofVerifierOptions);
|
|
91
|
+
private verifyBinding;
|
|
92
|
+
verifyWrite(command: Extract<import("./contracts.js").VaultWriteSecretCommand, {
|
|
93
|
+
kind: "owner.write_secret";
|
|
94
|
+
}>): Promise<void>;
|
|
95
|
+
verifyAudit(request: OwnerAuditRequest): Promise<void>;
|
|
96
|
+
verifyRegisterAgentIdentity(command: OwnerRegisterAgentIdentityCommand): Promise<void>;
|
|
97
|
+
verifyRegisterOwnerIdentity(command: OwnerRegisterOwnerIdentityCommand): Promise<void>;
|
|
98
|
+
verifyRegisterCustomFlow(command: OwnerRegisterCustomHttpFlowCommand): Promise<void>;
|
|
99
|
+
}
|
|
100
|
+
export declare class InMemoryReplayGuard implements ReplayGuard {
|
|
101
|
+
private readonly _seen;
|
|
102
|
+
private readonly _ttlMs;
|
|
103
|
+
private readonly _now;
|
|
104
|
+
constructor(options?: SignatureAgentProofVerifierOptions);
|
|
105
|
+
assertNotReplayed(request: DispatchRequest): Promise<void>;
|
|
106
|
+
}
|
|
107
|
+
export declare class HttpDispatchExecutor implements TrustedExecutor {
|
|
108
|
+
private readonly _fetchImpl;
|
|
109
|
+
private readonly _authHeaderName;
|
|
110
|
+
private readonly _authPrefix;
|
|
111
|
+
constructor(_fetchImpl?: typeof fetch, _authHeaderName?: string, _authPrefix?: string);
|
|
112
|
+
dispatch(instruction: DispatchInstruction, secret: {
|
|
113
|
+
record: SecretRecord;
|
|
114
|
+
plaintext: string;
|
|
115
|
+
}): Promise<DispatchResult>;
|
|
116
|
+
}
|
|
117
|
+
export interface CreateDefaultVaultCoreDependenciesOptions {
|
|
118
|
+
vaultId?: string;
|
|
119
|
+
fetchImpl?: typeof fetch;
|
|
120
|
+
authHeaderName?: string;
|
|
121
|
+
authPrefix?: string;
|
|
122
|
+
custodyKey?: string;
|
|
123
|
+
policy?: DefaultPolicyEngineOptions;
|
|
124
|
+
proofVerifier?: SignatureAgentProofVerifierOptions;
|
|
125
|
+
}
|
|
126
|
+
export declare function createDefaultVaultCoreDependencies(options?: CreateDefaultVaultCoreDependenciesOptions): {
|
|
127
|
+
vaultId: VaultId;
|
|
128
|
+
secrets: InMemorySecretRepository;
|
|
129
|
+
custody: InMemorySecretCustody;
|
|
130
|
+
policy: DefaultPolicyEngine;
|
|
131
|
+
audit: InMemoryAuditLog;
|
|
132
|
+
executor: HttpDispatchExecutor;
|
|
133
|
+
agentIdentities: InMemoryAgentIdentityRegistry;
|
|
134
|
+
ownerIdentities: InMemoryOwnerIdentityRegistry;
|
|
135
|
+
proofVerifier: SignatureAgentProofVerifier;
|
|
136
|
+
ownerProofVerifier: SignatureOwnerProofVerifier;
|
|
137
|
+
customFlows: InMemoryCustomHttpFlowRegistry;
|
|
138
|
+
replayGuard: InMemoryReplayGuard;
|
|
139
|
+
clock: SystemClock;
|
|
140
|
+
ids: RandomIdGenerator;
|
|
141
|
+
};
|