npm - @the-ai-company/cbio-node-runtime - Versions diffs - 0.39.0 → 1.0.0 - Mend

@the-ai-company/cbio-node-runtime 0.39.0 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (113) hide show

package/README.md +116 -54
package/dist/clients/agent/client.d.ts +9 -0
package/dist/clients/agent/client.js +72 -0
package/dist/clients/agent/client.js.map +1 -0
package/dist/clients/agent/contracts.d.ts +34 -0
package/dist/clients/agent/contracts.js +2 -0
package/dist/clients/agent/contracts.js.map +1 -0
package/dist/clients/agent/index.d.ts +3 -0
package/dist/clients/agent/index.js +2 -0
package/dist/clients/agent/index.js.map +1 -0
package/dist/clients/owner/client.d.ts +18 -0
package/dist/clients/owner/client.js +169 -0
package/dist/clients/owner/client.js.map +1 -0
package/dist/clients/owner/contracts.d.ts +34 -0
package/dist/clients/owner/contracts.js +2 -0
package/dist/clients/owner/contracts.js.map +1 -0
package/dist/clients/owner/index.d.ts +3 -0
package/dist/clients/owner/index.js +2 -0
package/dist/clients/owner/index.js.map +1 -0
package/dist/runtime/index.d.ts +8 -10
package/dist/runtime/index.js +8 -7
package/dist/runtime/index.js.map +1 -1
package/dist/storage/fs.d.ts +1 -0
package/dist/storage/fs.js +28 -0
package/dist/storage/fs.js.map +1 -1
package/dist/storage/memory.d.ts +1 -0
package/dist/storage/memory.js +20 -0
package/dist/storage/memory.js.map +1 -1
package/dist/storage/provider.d.ts +2 -0
package/dist/vault-core/contracts.d.ts +230 -0
package/dist/vault-core/contracts.js +2 -0
package/dist/vault-core/contracts.js.map +1 -0
package/dist/vault-core/core.d.ts +21 -0
package/dist/vault-core/core.js +335 -0
package/dist/vault-core/core.js.map +1 -0
package/dist/vault-core/defaults.d.ts +141 -0
package/dist/vault-core/defaults.js +602 -0
package/dist/vault-core/defaults.js.map +1 -0
package/dist/vault-core/errors.d.ts +4 -0
package/dist/vault-core/errors.js +9 -0
package/dist/vault-core/errors.js.map +1 -0
package/dist/vault-core/index.d.ts +6 -0
package/dist/vault-core/index.js +5 -0
package/dist/vault-core/index.js.map +1 -0
package/dist/vault-core/persistence.d.ts +87 -0
package/dist/vault-core/persistence.js +309 -0
package/dist/vault-core/persistence.js.map +1 -0
package/dist/vault-core/ports.d.ts +101 -0
package/dist/vault-core/ports.js +2 -0
package/dist/vault-core/ports.js.map +1 -0
package/dist/vault-ingress/defaults.d.ts +14 -0
package/dist/vault-ingress/defaults.js +41 -0
package/dist/vault-ingress/defaults.js.map +1 -0
package/dist/vault-ingress/flow-factories.d.ts +24 -0
package/dist/vault-ingress/flow-factories.js +48 -0
package/dist/vault-ingress/flow-factories.js.map +1 -0
package/dist/vault-ingress/index.d.ts +81 -0
package/dist/vault-ingress/index.js +357 -0
package/dist/vault-ingress/index.js.map +1 -0
package/docs/ARCHITECTURE.md +44 -76
package/docs/REFERENCE.md +217 -218
package/docs/WORKS_WITH_CUSTOM_FETCH.md +16 -191
package/docs/es/README.md +8 -24
package/docs/fr/README.md +8 -24
package/docs/ja/README.md +8 -24
package/docs/ko/README.md +8 -24
package/docs/pt/README.md +8 -24
package/docs/zh/README.md +21 -7
package/package.json +2 -10
package/dist/agent/agent.d.ts +0 -267
package/dist/agent/agent.js +0 -689
package/dist/agent/agent.js.map +0 -1
package/dist/audit/ActivityLog.d.ts +0 -25
package/dist/audit/ActivityLog.js +0 -71
package/dist/audit/ActivityLog.js.map +0 -1
package/dist/http/authClient.d.ts +0 -26
package/dist/http/authClient.js +0 -132
package/dist/http/authClient.js.map +0 -1
package/dist/http/genericSecretValidator.d.ts +0 -11
package/dist/http/genericSecretValidator.js +0 -42
package/dist/http/genericSecretValidator.js.map +0 -1
package/dist/http/localAuthProxy.d.ts +0 -33
package/dist/http/localAuthProxy.js +0 -93
package/dist/http/localAuthProxy.js.map +0 -1
package/dist/http/localSecretIngress.d.ts +0 -33
package/dist/http/localSecretIngress.js +0 -162
package/dist/http/localSecretIngress.js.map +0 -1
package/dist/http/secretAcquisition.d.ts +0 -54
package/dist/http/secretAcquisition.js +0 -177
package/dist/http/secretAcquisition.js.map +0 -1
package/dist/protocol/childSecretNaming.d.ts +0 -7
package/dist/protocol/childSecretNaming.js +0 -12
package/dist/protocol/childSecretNaming.js.map +0 -1
package/dist/protocol/identity.d.ts +0 -8
package/dist/protocol/identity.js +0 -16
package/dist/protocol/identity.js.map +0 -1
package/dist/sealed/index.d.ts +0 -6
package/dist/sealed/index.js +0 -6
package/dist/sealed/index.js.map +0 -1
package/dist/vault/secretPolicy.d.ts +0 -3
package/dist/vault/secretPolicy.js +0 -14
package/dist/vault/secretPolicy.js.map +0 -1
package/dist/vault/vault.d.ts +0 -100
package/dist/vault/vault.js +0 -603
package/dist/vault/vault.js.map +0 -1
package/docs/TODO-multi-vault.md +0 -29
package/docs/spec/runtime/README.md +0 -44
package/docs/spec/runtime/activity-log.md +0 -71
package/docs/spec/runtime/exposure-surfaces.md +0 -99
package/docs/spec/runtime/managed-agent-record.md +0 -52
package/docs/spec/runtime/merge-rules.md +0 -52
package/docs/spec/runtime/secret-origin-policy.md +0 -46
package/docs/spec/runtime/secret-validation.md +0 -113

package/dist/agent/agent.d.ts DELETED Viewed

@@ -1,267 +0,0 @@
-import { Signer, KeyPair } from "../protocol/crypto.js";
-import { CbioVault, type MergeResult, type SecretPolicy } from "../vault/vault.js";
-import { AuthClient, type FetchWithAuthOptions } from "../http/authClient.js";
-import { SecretAcquisition, type FetchJsonAndAddSecretOptions, type FetchJsonAndUpdateSecretOptions, type FetchResult } from "../http/secretAcquisition.js";
-import { type LocalSecretIngressHandle, type LocalSecretIngressOptions } from "../http/localSecretIngress.js";
-import type { ActivityLogEntry, ActivityLogMetadata } from "../audit/ActivityLog.js";
-import { type IssuedAgentIdentity, type RevocationRecord } from "@the-ai-company/cbio-protocol";
-import type { IStorageProvider } from "../storage/provider.js";
-interface ManagedAgentRecord {
-    agentId: string;
-    publicKey: string;
-    privateKey: string;
-    issuedIdentity: IssuedAgentIdentity;
-    /** Vault storage key used when the managed agent was issued. Enables loadManagedAgent to restore the same binding. */
-    storageKey?: string;
-}
-export interface IdentityLoadKeys {
-    privateKey: string;
-    publicKey?: string;
-}
-export interface IdentityLoadOptions {
-    storage?: IStorageProvider;
-    storageKey?: string;
-    activityLog?: ActivityLogConfig;
-    issuedIdentity?: IssuedAgentIdentity;
-}
-export interface ActivityLogConfig {
-    enabled?: boolean;
-    key?: string;
-}
-export type StartLocalSecretIngressOptions = Omit<LocalSecretIngressOptions, "vault">;
-export type SecretProofAlgorithm = "sha256" | "sha512";
-export type SecretValidationStatus = "valid" | "invalid" | "indeterminate";
-export interface SecretValidationResult {
-    valid: boolean;
-    status: SecretValidationStatus;
-    reason?: string;
-    providerSubject?: string;
-    expiresAt?: string;
-    scopes?: readonly string[];
-    metadata?: Record<string, unknown>;
-}
-export interface SecretValidatorHandle {
-    fetchWithAuth(url: string, options?: FetchWithAuthOptions): Promise<Response>;
-    compare(candidate: string): Promise<boolean>;
-    prove(challenge: string, options?: {
-        algorithm?: SecretProofAlgorithm;
-    }): Promise<string>;
-}
-export interface SecretValidator {
-    validate(handle: SecretValidatorHandle): Promise<SecretValidationResult>;
-}
-/**
- * Protocol-level capability strings embedded into signed identities.
- */
-export type IssuedCapabilityName = "vault:list" | "vault:fetch" | "vault:acquire" | "admin:secrets" | "admin:issue" | "identity:sign";
-/**
- * Valid runtime permission strings for a CbioAgent handle.
- */
-export type RuntimePermissionName = "vault:list" | "vault:fetch" | "vault:acquire" | "admin:secrets" | "admin:issue" | "identity:sign";
-/**
- * Granular permissions for a CbioAgent handle.
- * These are runtime switches that control access to specific facets.
- */
-export type RuntimePermissions = Partial<Record<RuntimePermissionName, boolean>>;
-/**
- * Options for getAgent(). Mutually exclusive: either pass `permissions` OR `deriveFromIssuedIdentity`, not both.
- * When deriving, pass `deriveFromIssuedIdentity: true` explicitly; only this literal has effect.
- */
-export type GetAgentOptions = {
-    permissions: RuntimePermissions;
-    deriveFromIssuedIdentity?: never;
-} | {
-    permissions?: never;
-    deriveFromIssuedIdentity?: true;
-};
-/**
- * CbioIdentity
- *
- * The primary Identity container. Represents an agent's identity and its associated vault.
- * This is the high-privilege handle that contains administrative capabilities (.admin)
- * and private keys.
- */
-export declare class CbioIdentity {
-    #private;
-    readonly signer: Signer;
-    private readonly _vault;
-    readonly admin: CbioAdmin;
-    readonly agentId: string;
-    readonly publicKey: string;
-    private readonly _authClient;
-    private readonly _secretAcquisition;
-    private constructor();
-    /**
-     * Primary entry point: Load identity from keys and initialize vault.
-     */
-    static load(keys: IdentityLoadKeys, options?: IdentityLoadOptions): Promise<CbioIdentity>;
-    fetchWithAuth(secretName: string, url: string, options?: FetchWithAuthOptions): Promise<Response>;
-    createFetchWithAuth(secretName: string): (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
-    getPublicKey(): Promise<string>;
-    getAgentId(): Promise<string>;
-    fetchJsonAndAddSecret<TResponse = unknown, TBody = unknown>(options: FetchJsonAndAddSecretOptions<TResponse, TBody>): Promise<FetchResult<TResponse>>;
-    fetchJsonAndUpdateSecret<TResponse = unknown, TBody = unknown>(options: FetchJsonAndUpdateSecretOptions<TResponse, TBody>): Promise<FetchResult<TResponse>>;
-    startLocalSecretIngress(options: StartLocalSecretIngressOptions): Promise<LocalSecretIngressHandle>;
-    compareSecret(secretName: string, candidate: string): Promise<boolean>;
-    proveSecret(secretName: string, challenge: string, options?: {
-        algorithm?: SecretProofAlgorithm;
-    }): Promise<string>;
-    validateSecret(secretName: string, validator: SecretValidator): Promise<SecretValidationResult>;
-    hasSecret(secretName: string): boolean;
-    listSecretNames(): string[];
-    /**
-     * Register a newly created child identity to the parent vault.
-     * @returns The child's publicKey (domain-level identifier). Use getChildIdentitySecretName(publicKey) from the protocol subpath for low-level vault access.
-     */
-    registerChildIdentity(keys: KeyPair, options?: RegisterChildIdentityOptions): Promise<RegisterChildIdentityResult>;
-    authenticate(nonce: string): Promise<string>;
-    /**
-     * Create a standard Agent handle for this identity.
-     * The Agent handle DOES NOT have an .admin property and does not expose the signer/private key.
-     * This is the recommended handle to pass to an autonomous LLM.
-     *
-     * By default this returns a minimally privileged handle (`vault:fetch`, `vault:list`).
-     * Runtime permissions are only widened when passed explicitly or when
-     * `deriveFromIssuedIdentity` is set to `true`.
-     */
-    getAgent(options?: GetAgentOptions): CbioAgent;
-}
-/**
- * CbioAgent
- *
- * A safety-wrapped version of an Identity designed for autonomous LLMs.
- * It provides only the Standard facet (fetchWithAuth, etc.) by default and hides
- * all administrative capabilities and private keys.
- */
-export declare class CbioAgent {
-    #private;
-    readonly agentId: string;
-    readonly publicKey: string;
-    constructor(authClient: AuthClient, secretAcquisition: SecretAcquisition, vault: CbioVault, agentId: string, publicKey: string, permissions?: RuntimePermissions);
-    /**
-     * View the runtime permissions granted to this handle.
-     */
-    get permissions(): Readonly<RuntimePermissions>;
-    private _checkPermission;
-    fetchWithAuth(secretName: string, url: string, options?: FetchWithAuthOptions): Promise<Response>;
-    createFetchWithAuth(secretName: string): (input: RequestInfo | URL, init?: RequestInit) => Promise<Response>;
-    getPublicKey(): Promise<string>;
-    getAgentId(): Promise<string>;
-    fetchJsonAndAddSecret<TResponse = unknown, TBody = unknown>(options: FetchJsonAndAddSecretOptions<TResponse, TBody>): Promise<FetchResult<TResponse>>;
-    fetchJsonAndUpdateSecret<TResponse = unknown, TBody = unknown>(options: FetchJsonAndUpdateSecretOptions<TResponse, TBody>): Promise<FetchResult<TResponse>>;
-    startLocalSecretIngress(options: StartLocalSecretIngressOptions): Promise<LocalSecretIngressHandle>;
-    compareSecret(secretName: string, candidate: string): Promise<boolean>;
-    proveSecret(secretName: string, challenge: string, options?: {
-        algorithm?: SecretProofAlgorithm;
-    }): Promise<string>;
-    validateSecret(secretName: string, validator: SecretValidator): Promise<SecretValidationResult>;
-    hasSecret(secretName: string): boolean;
-    listSecretNames(): string[];
-    /**
-     * Check if this agent handle has the specified runtime permission.
-     */
-    can(permission: RuntimePermissionName): boolean;
-}
-export interface ManagedAgentContext {
-    agentId: string;
-    publicKey: string;
-    agent: CbioAgent;
-}
-export interface RegisterChildIdentityOptions {
-    /** Protocol-level capabilities embedded into the signed child identity. */
-    issuedCapabilities?: IssuedCapabilityName[];
-}
-export interface RegisterChildIdentityResult {
-    publicKey: string;
-}
-export interface ManagedAgentIssueConfig {
-    keys?: KeyPair;
-    secretName?: string;
-    /** Protocol-level capabilities embedded into the signed managed identity. */
-    issuedCapabilities?: IssuedCapabilityName[];
-}
-export interface ManagedAgentHandleConfig {
-    /** Runtime permissions granted to the returned `CbioAgent` handle. */
-    runtimePermissions?: RuntimePermissions;
-}
-export interface ManagedAgentStorageConfig {
-    storage?: IStorageProvider;
-    storageKey?: string;
-    activityLog?: ActivityLogConfig;
-}
-export interface ManagedAgentIssueOptions {
-    issue?: ManagedAgentIssueConfig;
-    handle?: ManagedAgentHandleConfig;
-    storage?: ManagedAgentStorageConfig;
-}
-export interface ManagedAgentLoadOptions {
-    handle?: ManagedAgentHandleConfig;
-    storage?: ManagedAgentStorageConfig;
-}
-export type ManagedAgentCapabilityStatus = "active" | "revoked" | "missing" | "invalid";
-export interface ManagedAgentCapabilityInfo {
-    status: ManagedAgentCapabilityStatus;
-    capabilities: readonly IssuedCapabilityName[];
-}
-/**
- * CbioManagementFacet
- *
- * Provides administrative (high-risk) capabilities for a CbioIdentity.
- */
-declare class ManagedAgentSupport {
-    protected readonly _identity: CbioIdentity;
-    protected readonly _vault: CbioVault;
-    constructor(_identity: CbioIdentity, _vault: CbioVault);
-    protected getSecret(secretName: string): string | undefined;
-    addSecret(secretName: string, secretValue: string, options?: SecretPolicy): Promise<void>;
-    protected _getManagedAgentRecord(publicKey: string): ManagedAgentRecord | null;
-    protected _getManagedAgentRevocation(publicKey: string): RevocationRecord | null;
-    protected _isManagedAgentRevoked(publicKey: string): boolean;
-    protected _assertManagedAgentNotRevoked(publicKey: string): void;
-}
-export declare class CbioVaultAdmin {
-    private readonly _identity;
-    private readonly _vault;
-    constructor(_identity: CbioIdentity, _vault: CbioVault);
-    hasSecret(secretName: string): boolean;
-    deleteSecret(secretName: string): Promise<void>;
-    setSecretAllowedOrigins(secretName: string, allowedOrigins: readonly string[]): Promise<void>;
-    getActivityLog(): Promise<readonly ActivityLogEntry[]>;
-    getActivityLogMetadata(): Promise<ActivityLogMetadata | null>;
-    mergeFrom(otherIdentity: CbioIdentity, options?: {
-        onConflict?: "abort" | "skip" | "overwrite";
-    }): Promise<MergeResult>;
-    seal(kdk: string): string;
-    loadFromSealedBlob(kdk: string, sealedBlob: string): void;
-    serializeToBlob(): Promise<string>;
-    saveVault(): Promise<void>;
-    /**
-     * One-time save of the vault to the given storage key.
-     * Does NOT change the bound storage for subsequent saveVault() or autosave.
-     * Binding is set during identity load (initFromStorage/initFromBlob).
-     */
-    saveVaultAs(storageKey: string): Promise<void>;
-}
-export declare class CbioManagedAgentAdmin extends ManagedAgentSupport {
-    getManagedAgentCapabilities(publicKey: string): ManagedAgentCapabilityInfo;
-    revokeManagedAgent(publicKey: string, reason?: string): Promise<void>;
-    issueManagedAgent(options?: ManagedAgentIssueOptions): Promise<ManagedAgentContext>;
-    loadManagedAgent(publicKey: string, options?: ManagedAgentLoadOptions): Promise<ManagedAgentContext>;
-}
-export declare class CbioChildIdentityAdmin {
-    private readonly _identity;
-    private readonly _vault;
-    constructor(_identity: CbioIdentity, _vault: CbioVault);
-    /**
-     * Registers a child identity in the parent vault.
-     * @returns The child's publicKey (domain-level identifier). Use getChildIdentitySecretName from @the-ai-company/cbio-node-runtime/protocol for vault lookups.
-     */
-    registerChildIdentity(keys: KeyPair, options?: RegisterChildIdentityOptions): Promise<RegisterChildIdentityResult>;
-}
-export declare class CbioAdmin {
-    readonly vault: CbioVaultAdmin;
-    readonly managedAgents: CbioManagedAgentAdmin;
-    readonly children: CbioChildIdentityAdmin;
-    constructor(identity: CbioIdentity, vault: CbioVault);
-}
-export {};