npm - @the-ai-company/cbio-node-runtime - Versions diffs - 0.39.0 → 1.1.0 - Mend

@the-ai-company/cbio-node-runtime 0.39.0 → 1.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (113) hide show

package/README.md +122 -54
package/dist/clients/agent/client.d.ts +9 -0
package/dist/clients/agent/client.js +72 -0
package/dist/clients/agent/client.js.map +1 -0
package/dist/clients/agent/contracts.d.ts +34 -0
package/dist/clients/agent/contracts.js +2 -0
package/dist/clients/agent/contracts.js.map +1 -0
package/dist/clients/agent/index.d.ts +3 -0
package/dist/clients/agent/index.js +2 -0
package/dist/clients/agent/index.js.map +1 -0
package/dist/clients/owner/client.d.ts +19 -0
package/dist/clients/owner/client.js +195 -0
package/dist/clients/owner/client.js.map +1 -0
package/dist/clients/owner/contracts.d.ts +38 -0
package/dist/clients/owner/contracts.js +2 -0
package/dist/clients/owner/contracts.js.map +1 -0
package/dist/clients/owner/index.d.ts +3 -0
package/dist/clients/owner/index.js +2 -0
package/dist/clients/owner/index.js.map +1 -0
package/dist/runtime/index.d.ts +8 -10
package/dist/runtime/index.js +8 -7
package/dist/runtime/index.js.map +1 -1
package/dist/storage/fs.d.ts +1 -0
package/dist/storage/fs.js +28 -0
package/dist/storage/fs.js.map +1 -1
package/dist/storage/memory.d.ts +1 -0
package/dist/storage/memory.js +20 -0
package/dist/storage/memory.js.map +1 -1
package/dist/storage/provider.d.ts +2 -0
package/dist/vault-core/contracts.d.ts +247 -0
package/dist/vault-core/contracts.js +2 -0
package/dist/vault-core/contracts.js.map +1 -0
package/dist/vault-core/core.d.ts +24 -0
package/dist/vault-core/core.js +379 -0
package/dist/vault-core/core.js.map +1 -0
package/dist/vault-core/defaults.d.ts +142 -0
package/dist/vault-core/defaults.js +619 -0
package/dist/vault-core/defaults.js.map +1 -0
package/dist/vault-core/errors.d.ts +4 -0
package/dist/vault-core/errors.js +9 -0
package/dist/vault-core/errors.js.map +1 -0
package/dist/vault-core/index.d.ts +6 -0
package/dist/vault-core/index.js +5 -0
package/dist/vault-core/index.js.map +1 -0
package/dist/vault-core/persistence.d.ts +87 -0
package/dist/vault-core/persistence.js +309 -0
package/dist/vault-core/persistence.js.map +1 -0
package/dist/vault-core/ports.d.ts +105 -0
package/dist/vault-core/ports.js +2 -0
package/dist/vault-core/ports.js.map +1 -0
package/dist/vault-ingress/defaults.d.ts +14 -0
package/dist/vault-ingress/defaults.js +41 -0
package/dist/vault-ingress/defaults.js.map +1 -0
package/dist/vault-ingress/flow-factories.d.ts +24 -0
package/dist/vault-ingress/flow-factories.js +48 -0
package/dist/vault-ingress/flow-factories.js.map +1 -0
package/dist/vault-ingress/index.d.ts +82 -0
package/dist/vault-ingress/index.js +364 -0
package/dist/vault-ingress/index.js.map +1 -0
package/docs/ARCHITECTURE.md +44 -76
package/docs/REFERENCE.md +222 -217
package/docs/WORKS_WITH_CUSTOM_FETCH.md +16 -191
package/docs/es/README.md +8 -24
package/docs/fr/README.md +8 -24
package/docs/ja/README.md +8 -24
package/docs/ko/README.md +8 -24
package/docs/pt/README.md +8 -24
package/docs/zh/README.md +21 -7
package/package.json +2 -10
package/dist/agent/agent.d.ts +0 -267
package/dist/agent/agent.js +0 -689
package/dist/agent/agent.js.map +0 -1
package/dist/audit/ActivityLog.d.ts +0 -25
package/dist/audit/ActivityLog.js +0 -71
package/dist/audit/ActivityLog.js.map +0 -1
package/dist/http/authClient.d.ts +0 -26
package/dist/http/authClient.js +0 -132
package/dist/http/authClient.js.map +0 -1
package/dist/http/genericSecretValidator.d.ts +0 -11
package/dist/http/genericSecretValidator.js +0 -42
package/dist/http/genericSecretValidator.js.map +0 -1
package/dist/http/localAuthProxy.d.ts +0 -33
package/dist/http/localAuthProxy.js +0 -93
package/dist/http/localAuthProxy.js.map +0 -1
package/dist/http/localSecretIngress.d.ts +0 -33
package/dist/http/localSecretIngress.js +0 -162
package/dist/http/localSecretIngress.js.map +0 -1
package/dist/http/secretAcquisition.d.ts +0 -54
package/dist/http/secretAcquisition.js +0 -177
package/dist/http/secretAcquisition.js.map +0 -1
package/dist/protocol/childSecretNaming.d.ts +0 -7
package/dist/protocol/childSecretNaming.js +0 -12
package/dist/protocol/childSecretNaming.js.map +0 -1
package/dist/protocol/identity.d.ts +0 -8
package/dist/protocol/identity.js +0 -16
package/dist/protocol/identity.js.map +0 -1
package/dist/sealed/index.d.ts +0 -6
package/dist/sealed/index.js +0 -6
package/dist/sealed/index.js.map +0 -1
package/dist/vault/secretPolicy.d.ts +0 -3
package/dist/vault/secretPolicy.js +0 -14
package/dist/vault/secretPolicy.js.map +0 -1
package/dist/vault/vault.d.ts +0 -100
package/dist/vault/vault.js +0 -603
package/dist/vault/vault.js.map +0 -1
package/docs/TODO-multi-vault.md +0 -29
package/docs/spec/runtime/README.md +0 -44
package/docs/spec/runtime/activity-log.md +0 -71
package/docs/spec/runtime/exposure-surfaces.md +0 -99
package/docs/spec/runtime/managed-agent-record.md +0 -52
package/docs/spec/runtime/merge-rules.md +0 -52
package/docs/spec/runtime/secret-origin-policy.md +0 -46
package/docs/spec/runtime/secret-validation.md +0 -113

package/dist/runtime/index.d.ts CHANGED Viewed

@@ -1,16 +1,14 @@
 /**
- * Runtime export. For agent developers.
- * Owner, Agent, storage, errors. Consumer surface only.
+ * Runtime export.
+ * Hard-cut public surface: vault core plus explicit clients only.
  */
-export { CbioIdentity, CbioAgent } from "../agent/agent.js";
-export type { ActivityLogConfig, GetAgentOptions, IssuedCapabilityName, ManagedAgentHandleConfig, ManagedAgentCapabilityInfo, ManagedAgentCapabilityStatus, ManagedAgentContext, ManagedAgentIssueConfig, ManagedAgentIssueOptions, ManagedAgentLoadOptions, ManagedAgentStorageConfig, RegisterChildIdentityOptions, RegisterChildIdentityResult, IdentityLoadKeys, IdentityLoadOptions, RuntimePermissionName, RuntimePermissions, SecretValidationResult, SecretValidationStatus, SecretValidator, SecretValidatorHandle, SecretProofAlgorithm, StartLocalSecretIngressOptions, } from "../agent/agent.js";
-export type { MergeResult } from "../vault/vault.js";
-export type { FetchFailure, FetchJsonAndAddSecretOptions, FetchJsonAndUpdateSecretOptions, FetchResult, FetchSuccess, } from "../http/secretAcquisition.js";
-export { generateIdentityKeys, derivePublicKey } from "../protocol/crypto.js";
 export { IdentityError, IdentityErrorCode } from "../errors.js";
+export { generateIdentityKeys, derivePublicKey, LocalSigner } from "../protocol/crypto.js";
 export type { IStorageProvider } from "../storage/provider.js";
 export { FsStorageProvider } from "../storage/fs.js";
 export { MemoryStorageProvider } from "../storage/memory.js";
-export { startLocalAuthProxy, type FetchWithAuthLike, type LocalAuthProxyOptions, type LocalAuthProxyHandle, } from "../http/localAuthProxy.js";
-export { genericHttpValidator, type GenericHttpSecretValidatorConfig, } from "../http/genericSecretValidator.js";
-export { startLocalSecretIngress, type LocalSecretIngressHandle, type LocalSecretIngressOptions, type LocalSecretIngressResult, type LocalSecretIngressWriter, } from "../http/localSecretIngress.js";
+export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, type CreateDefaultVaultCoreDependenciesOptions, type DefaultPolicyEngineOptions, DefaultPolicyEngine, createPersistentVaultCoreDependencies, PersistentVaultAuditLog, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, type SignatureAgentProofVerifierOptions, SignatureAgentProofVerifier, SystemClock, type AgentCapability, type AgentIdentityRecord, type AgentProof, type OwnerAuditRequest, type OwnerExportSecretRequest, type OwnerRegisterAgentIdentityCommand, type OwnerRegisterCustomHttpFlowCommand, type OwnerRegisterOwnerIdentityCommand, type OwnerSecretExport, type OwnerIdentityRecord, type CustomHttpFlowDefinition, type OwnerProof, type AuditEntry, type AuditLog, type AuditQuery, type Clock, type DispatchAuthorization, type DispatchInstruction, type DispatchRequest, type DispatchResult, type IdGenerator, type OwnerIdentityRegistry, type OwnerProofVerifier, type PolicyEngine, type RateLimitStore, type ReplayGuard, type CustomHttpFlowRegistry, type SecretAlias, type SecretCustody, type SecretId, type SecretRecord, type SecretRepository, type SecretVersion, type TrustedExecutor, type VaultCore, type VaultCoreDependencies, type VaultPrincipal, type VaultPrincipalKind, type VaultTargetBinding, type VaultWriteSecretCommand, type VaultId, type AgentIdentityRegistry, type AgentProofVerifier, type CapabilityRevocationRegistry, } from "../vault-core/index.js";
+export { createOwnerClient, type OwnerClient, type OwnerIdentity, type OwnerSigner, type OwnerAuditQueryInput, type OwnerExportSecretInput, type OwnerRegisterCustomHttpFlowInput, type OwnerRegisterAgentIdentityInput, type OwnerRegisterOwnerIdentityInput, type OwnerSecretTargetBinding, type OwnerWriteSecretInput, } from "../clients/owner/index.js";
+export { createAgentClient, type AgentClient, type AgentIdentity, type AgentCapabilityEnvelope, type AgentDispatchIntent, type AgentDispatchTransport, type AgentSigner, } from "../clients/agent/index.js";
+export { createVaultService, wrapVaultCoreAsVaultService, createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, toOwnerHttpFlowBoundary, type VaultService, type VaultAcquireSecretInput, type VaultAcquireSecretResult, type VaultAcquireSecretFlow, type VaultCustomFlowResolver, type VaultCapabilityResolver, type VaultAgentDispatchRequest, type VaultAgentDispatchResponse, type VaultAgentDispatchErrorResponse, type RedactedResponseShape, type OwnerHttpFlowBoundary, } from "../vault-ingress/index.js";
+export { InMemoryVaultCapabilityResolver, LocalVaultTransport, } from "../vault-ingress/defaults.js";

package/dist/runtime/index.js CHANGED Viewed

@@ -1,13 +1,14 @@
 /**
- * Runtime export. For agent developers.
- * Owner, Agent, storage, errors. Consumer surface only.
+ * Runtime export.
+ * Hard-cut public surface: vault core plus explicit clients only.
  */
-export { CbioIdentity, CbioAgent } from "../agent/agent.js";
-export { generateIdentityKeys, derivePublicKey } from "../protocol/crypto.js";
 export { IdentityError, IdentityErrorCode } from "../errors.js";
+export { generateIdentityKeys, derivePublicKey, LocalSigner } from "../protocol/crypto.js";
 export { FsStorageProvider } from "../storage/fs.js";
 export { MemoryStorageProvider } from "../storage/memory.js";
-export { startLocalAuthProxy, } from "../http/localAuthProxy.js";
-export { genericHttpValidator, } from "../http/genericSecretValidator.js";
-export { startLocalSecretIngress, } from "../http/localSecretIngress.js";
+export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, DefaultPolicyEngine, createPersistentVaultCoreDependencies, PersistentVaultAuditLog, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, SignatureAgentProofVerifier, SystemClock, } from "../vault-core/index.js";
+export { createOwnerClient, } from "../clients/owner/index.js";
+export { createAgentClient, } from "../clients/agent/index.js";
+export { createVaultService, wrapVaultCoreAsVaultService, createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, toOwnerHttpFlowBoundary, } from "../vault-ingress/index.js";
+export { InMemoryVaultCapabilityResolver, LocalVaultTransport, } from "../vault-ingress/defaults.js";
 //# sourceMappingURL=index.js.map

package/dist/runtime/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,~~YAAY~~,EAAE,~~SAAS~~,EAAE,MAAM,~~mBAAmB~~,CAAC;~~AAkC5D~~,OAAO,EAAE,oBAAoB,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;~~AAC9E~~,OAAO,EAAE,~~aAAa,EAAE,~~iBAAiB,EAAE,MAAM,~~cAAc~~,CAAC;~~AAEhE~~,OAAO,EAAE,~~iBAAiB~~,EAAE,MAAM,~~kBAAkB~~,CAAC;~~AACrD~~,OAAO,~~EAAE~~,qBAAqB,~~EAAE~~,MAAM,~~sBAAsB~~,CAAC;~~AAC7D~~,OAAO,EACL,~~mBAAmB~~,~~GAIpB~~,MAAM,2BAA2B,CAAC;~~AACnC~~,OAAO,EACL,~~oBAAoB~~,~~GAErB~~,MAAM,~~mCAAmC~~,CAAC;~~AAC3C~~,OAAO,EACL,uBAAuB,~~GAKxB~~,MAAM,+BAA+B,CAAC"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,oBAAoB,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAE3F,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAE7D,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,kCAAkC,EAGlC,mBAAmB,EACnB,qCAAqC,EACrC,uBAAuB,EACvB,2CAA2C,EAC3C,qCAAqC,EACrC,6BAA6B,EAC7B,0BAA0B,EAC1B,4BAA4B,EAC5B,+BAA+B,EAC/B,oBAAoB,EACpB,6BAA6B,EAC7B,oCAAoC,EACpC,8BAA8B,EAC9B,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,6BAA6B,EAC7B,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,EACjB,2BAA2B,EAE3B,2BAA2B,EAC3B,WAAW,GA6CZ,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,iBAAiB,GAWlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,iBAAiB,GAOlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,kBAAkB,EAClB,2BAA2B,EAC3B,2BAA2B,EAC3B,6BAA6B,EAC7B,8BAA8B,EAC9B,uBAAuB,GAYxB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,+BAA+B,EAC/B,mBAAmB,GACpB,MAAM,8BAA8B,CAAC"}

package/dist/storage/fs.d.ts CHANGED Viewed

@@ -13,4 +13,5 @@ export declare class FsStorageProvider implements IStorageProvider {
     delete(key: string): Promise<void>;
     has(key: string): Promise<boolean>;
     rename(fromKey: string, toKey: string): Promise<void>;
+    withLock<T>(key: string, task: () => Promise<T>): Promise<T>;
 }

package/dist/storage/fs.js CHANGED Viewed

@@ -3,6 +3,9 @@
  */
 import * as fs from 'node:fs/promises';
 import * as path from 'node:path';
+function sleep(ms) {
+    return new Promise((resolve) => setTimeout(resolve, ms));
+}
 export class FsStorageProvider {
     baseDir;
     constructor(baseDir) {
@@ -64,5 +67,30 @@ export class FsStorageProvider {
     async rename(fromKey, toKey) {
         await fs.rename(this.resolve(fromKey), this.resolve(toKey));
     }
+    async withLock(key, task) {
+        const fullPath = this.resolve(`${key}.lock`);
+        await fs.mkdir(path.dirname(fullPath), { recursive: true, mode: FsStorageProvider.DIRECTORY_MODE });
+        for (;;) {
+            try {
+                const fh = await fs.open(fullPath, 'wx', FsStorageProvider.FILE_MODE);
+                try {
+                    return await task();
+                }
+                finally {
+                    await fh.close();
+                    await fs.unlink(fullPath).catch((error) => {
+                        if (error.code !== 'ENOENT')
+                            throw error;
+                    });
+                }
+            }
+            catch (error) {
+                if (error.code !== 'EEXIST') {
+                    throw error;
+                }
+                await sleep(10);
+            }
+        }
+    }
 }
 //# sourceMappingURL=fs.js.map

package/dist/storage/fs.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"fs.js","sourceRoot":"","sources":["../../src/storage/fs.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACvC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAGlC,MAAM,OAAO,iBAAiB;IACN;IAApB,YAAoB,OAAgB;QAAhB,YAAO,GAAP,OAAO,CAAS;IAAG,CAAC;IAEhC,MAAM,CAAU,cAAc,GAAG,KAAK,CAAC;IACvC,MAAM,CAAU,SAAS,GAAG,KAAK,CAAC;IAElC,OAAO,CAAC,GAAW;QACvB,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACf,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACxC,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,GAAG,IAAI,GAAG,KAAK,GAAG,EAAE,CAAC;YACrB,OAAO,GAAG,CAAC;QACf,CAAC;QACD,OAAO,GAAG,CAAC;IACf,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,GAAW;QAClB,IAAI,CAAC;YACD,OAAO,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;QAChD,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YACd,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YACrC,MAAM,CAAC,CAAC;QACZ,CAAC;IACL,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAW,EAAE,IAAY;QACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACnC,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,iBAAiB,CAAC,cAAc,EAAE,CAAC,CAAC;QACpG,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,iBAAiB,CAAC,SAAS,EAAE,CAAC,CAAC;QAC1E,MAAM,EAAE,CAAC,KAAK,CAAC,QAAQ,EAAE,iBAAiB,CAAC,SAAS,CAAC,CAAC;QACtD,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACzC,IAAI,CAAC;YACD,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC;QACpB,CAAC;gBAAS,CAAC;YACP,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC;QACrB,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACpB,IAAI,CAAC;YACD,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;QACvC,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YACd,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ;gBAAE,MAAM,CAAC,CAAC;QACrC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW;QACjB,IAAI,CAAC;YACD,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;YACnC,OAAO,IAAI,CAAC;QAChB,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,KAAa;QACvC,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;IAChE,CAAC"}
1	+ {"version":3,"file":"fs.js","sourceRoot":"","sources":["../../src/storage/fs.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACvC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAGlC,SAAS,KAAK,CAAC,EAAU;IACrB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED,MAAM,OAAO,iBAAiB;IACN;IAApB,YAAoB,OAAgB;QAAhB,YAAO,GAAP,OAAO,CAAS;IAAG,CAAC;IAEhC,MAAM,CAAU,cAAc,GAAG,KAAK,CAAC;IACvC,MAAM,CAAU,SAAS,GAAG,KAAK,CAAC;IAElC,OAAO,CAAC,GAAW;QACvB,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACf,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QACxC,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,GAAG,IAAI,GAAG,KAAK,GAAG,EAAE,CAAC;YACrB,OAAO,GAAG,CAAC;QACf,CAAC;QACD,OAAO,GAAG,CAAC;IACf,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,GAAW;QAClB,IAAI,CAAC;YACD,OAAO,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;QAChD,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YACd,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YACrC,MAAM,CAAC,CAAC;QACZ,CAAC;IACL,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAW,EAAE,IAAY;QACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACnC,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,iBAAiB,CAAC,cAAc,EAAE,CAAC,CAAC;QACpG,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,iBAAiB,CAAC,SAAS,EAAE,CAAC,CAAC;QAC1E,MAAM,EAAE,CAAC,KAAK,CAAC,QAAQ,EAAE,iBAAiB,CAAC,SAAS,CAAC,CAAC;QACtD,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACzC,IAAI,CAAC;YACD,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC;QACpB,CAAC;gBAAS,CAAC;YACP,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC;QACrB,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACpB,IAAI,CAAC;YACD,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;QACvC,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YACd,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ;gBAAE,MAAM,CAAC,CAAC;QACrC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW;QACjB,IAAI,CAAC;YACD,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;YACnC,OAAO,IAAI,CAAC;QAChB,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,KAAa;QACvC,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;IAChE,CAAC;IAED,KAAK,CAAC,QAAQ,CAAI,GAAW,EAAE,IAAsB;QACjD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,OAAO,CAAC,CAAC;QAC7C,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,iBAAiB,CAAC,cAAc,EAAE,CAAC,CAAC;QAEpG,SAAS,CAAC;YACN,IAAI,CAAC;gBACD,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,iBAAiB,CAAC,SAAS,CAAC,CAAC;gBACtE,IAAI,CAAC;oBACD,OAAO,MAAM,IAAI,EAAE,CAAC;gBACxB,CAAC;wBAAS,CAAC;oBACP,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC;oBACjB,MAAM,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,KAAU,EAAE,EAAE;wBAC3C,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ;4BAAE,MAAM,KAAK,CAAC;oBAC7C,CAAC,CAAC,CAAC;gBACP,CAAC;YACL,CAAC;YAAC,OAAO,KAAU,EAAE,CAAC;gBAClB,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBAC1B,MAAM,KAAK,CAAC;gBAChB,CAAC;gBACD,MAAM,KAAK,CAAC,EAAE,CAAC,CAAC;YACpB,CAAC;QACL,CAAC;IACL,CAAC"}

package/dist/storage/memory.d.ts CHANGED Viewed

@@ -8,4 +8,5 @@ export declare class MemoryStorageProvider implements IStorageProvider {
     write(key: string, data: Buffer): Promise<void>;
     delete(key: string): Promise<void>;
     has(key: string): Promise<boolean>;
+    withLock<T>(key: string, task: () => Promise<T>): Promise<T>;
 }

package/dist/storage/memory.js CHANGED Viewed

@@ -3,6 +3,7 @@
  */
 export class MemoryStorageProvider {
     #store = new Map();
+    #locks = new Map();
     async read(key) {
         return this.#store.get(key) ?? null;
     }
@@ -15,5 +16,24 @@ export class MemoryStorageProvider {
     async has(key) {
         return this.#store.has(key);
     }
+    async withLock(key, task) {
+        const previous = this.#locks.get(key) ?? Promise.resolve();
+        let release;
+        const current = new Promise((resolve) => {
+            release = resolve;
+        });
+        const chained = previous.then(() => current);
+        this.#locks.set(key, chained);
+        await previous;
+        try {
+            return await task();
+        }
+        finally {
+            release();
+            if (this.#locks.get(key) === chained) {
+                this.#locks.delete(key);
+            }
+        }
+    }
 }
 //# sourceMappingURL=memory.js.map

package/dist/storage/memory.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"memory.js","sourceRoot":"","sources":["../../src/storage/memory.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,MAAM,OAAO,qBAAqB;IAC9B,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;~~IAEnC~~,KAAK,CAAC,IAAI,CAAC,GAAW;QAClB,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAW,EAAE,IAAY;QACjC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACpB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW;QACjB,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;CACJ"}
1	+ {"version":3,"file":"memory.js","sourceRoot":"","sources":["../../src/storage/memory.ts"],"names":[],"mappings":"AAAA;;GAEG;AAIH,MAAM,OAAO,qBAAqB;IAC9B,MAAM,GAAG,IAAI,GAAG,EAAkB,CAAC;IACnC,MAAM,GAAG,IAAI,GAAG,EAAyB,CAAC;IAE1C,KAAK,CAAC,IAAI,CAAC,GAAW;QAClB,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC;IACxC,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAW,EAAE,IAAY;QACjC,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IAC/B,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACpB,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW;QACjB,OAAO,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IAChC,CAAC;IAED,KAAK,CAAC,QAAQ,CAAI,GAAW,EAAE,IAAsB;QACjD,MAAM,QAAQ,GAAG,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QAC3D,IAAI,OAAoB,CAAC;QACzB,MAAM,OAAO,GAAG,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE;YAC1C,OAAO,GAAG,OAAO,CAAC;QACtB,CAAC,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC,OAAO,CAAC,CAAC;QAC7C,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,CAAC;QAC9B,MAAM,QAAQ,CAAC;QACf,IAAI,CAAC;YACD,OAAO,MAAM,IAAI,EAAE,CAAC;QACxB,CAAC;gBAAS,CAAC;YACP,OAAO,EAAE,CAAC;YACV,IAAI,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,KAAK,OAAO,EAAE,CAAC;gBACnC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAC5B,CAAC;QACL,CAAC;IACL,CAAC;CACJ"}

package/dist/storage/provider.d.ts CHANGED Viewed

@@ -9,4 +9,6 @@ export interface IStorageProvider {
     has(key: string): Promise<boolean>;
     /** Optional. If present, used for atomic save. Otherwise vault does write+delete. */
     rename?(fromKey: string, toKey: string): Promise<void>;
+    /** Optional. If present, used to serialize read-modify-write sequences across writers. */
+    withLock?<T>(key: string, task: () => Promise<T>): Promise<T>;
 }

package/dist/vault-core/contracts.d.ts ADDED Viewed

@@ -0,0 +1,247 @@
+export type VaultPrincipalKind = "owner" | "trusted_issuer" | "agent" | "trusted_executor";
+export interface VaultPrincipal {
+    kind: VaultPrincipalKind;
+    id: string;
+}
+export interface VaultId {
+    readonly value: string;
+}
+export interface SecretId {
+    readonly value: string;
+}
+export interface SecretAlias {
+    readonly value: string;
+}
+export interface SecretVersion {
+    readonly value: string;
+}
+export interface SecretRecord {
+    vaultId: VaultId;
+    secretId: SecretId;
+    alias: SecretAlias;
+    version: SecretVersion;
+    issuerId: string | null;
+    targetBindings: VaultTargetBinding[];
+    createdAt: string;
+    updatedAt: string;
+}
+export interface VaultTargetBinding {
+    kind: "owner" | "site";
+    targetId: string;
+    targetUrl?: string;
+    methods?: readonly string[];
+    paths?: readonly string[];
+}
+export interface OwnerWriteSecretCommand {
+    kind: "owner.write_secret";
+    vaultId: VaultId;
+    requestId: string;
+    owner: VaultPrincipal & {
+        kind: "owner";
+    };
+    alias: string;
+    plaintext: string;
+    targetBindings: readonly VaultTargetBinding[];
+    requestedAt: string;
+    proof: OwnerProof;
+}
+export interface IssuerWriteSecretCommand {
+    kind: "issuer.write_secret";
+    vaultId: VaultId;
+    issuer: VaultPrincipal & {
+        kind: "trusted_issuer";
+    };
+    alias: string;
+    plaintext: string;
+    issuerSiteId: string;
+    targetBindings?: readonly VaultTargetBinding[];
+    requestedAt: string;
+}
+export type VaultWriteSecretCommand = OwnerWriteSecretCommand | IssuerWriteSecretCommand;
+export interface OwnerRegisterAgentIdentityCommand {
+    vaultId: VaultId;
+    requestId: string;
+    owner: VaultPrincipal & {
+        kind: "owner";
+    };
+    agentIdentity: AgentIdentityRecord;
+    requestedAt: string;
+    proof: OwnerProof;
+}
+export interface OwnerRegisterOwnerIdentityCommand {
+    vaultId: VaultId;
+    requestId: string;
+    owner: VaultPrincipal & {
+        kind: "owner";
+    };
+    ownerIdentity: OwnerIdentityRecord;
+    requestedAt: string;
+    proof: OwnerProof;
+}
+export interface CustomHttpFlowDefinition {
+    vaultId: VaultId;
+    flowId: string;
+    ownerId: string;
+    mode: "acquire_secret" | "send_secret" | "bidirectional_secret";
+    targetUrl: string;
+    method: string;
+    responseVisibility: "passthrough" | "shape_only";
+    responseSecret?: {
+        kind: "json_field";
+        field: string;
+        storeAlias: string;
+    };
+    createdAt: string;
+}
+export interface OwnerRegisterCustomHttpFlowCommand {
+    vaultId: VaultId;
+    requestId: string;
+    owner: VaultPrincipal & {
+        kind: "owner";
+    };
+    flow: {
+        flowId: string;
+        mode: "acquire_secret" | "send_secret" | "bidirectional_secret";
+        targetUrl: string;
+        method: string;
+        responseVisibility: "passthrough" | "shape_only";
+        responseSecret?: {
+            kind: "json_field";
+            field: string;
+            storeAlias: string;
+        };
+    };
+    requestedAt: string;
+    proof: OwnerProof;
+}
+export interface AgentCapability {
+    vaultId: VaultId;
+    capabilityId: string;
+    agentId: string;
+    secretIds?: readonly string[];
+    secretAliases?: readonly string[];
+    operation: "dispatch_http" | "custom_http";
+    customFlowId?: string;
+    allowedTargets: readonly string[];
+    allowedMethods: readonly string[];
+    allowedPaths?: readonly string[];
+    issuedAt: string;
+    expiresAt?: string;
+    revocationVersion?: number;
+    rateLimit?: {
+        maxRequests: number;
+        windowMs: number;
+    };
+    auditRequired?: boolean;
+}
+export interface AgentProof {
+    agentId: string;
+    signature: string;
+    requestId: string;
+    requestedAt: string;
+}
+export interface OwnerProof {
+    ownerId: string;
+    signature: string;
+    requestId: string;
+    requestedAt: string;
+}
+export interface DispatchRequest {
+    vaultId: VaultId;
+    requestId: string;
+    requestedAt: string;
+    agent: VaultPrincipal & {
+        kind: "agent";
+    };
+    capability: AgentCapability;
+    proof: AgentProof;
+    secretAlias?: string;
+    targetUrl: string;
+    method: string;
+    headers?: Record<string, string>;
+    body?: string;
+}
+export interface DispatchAuthorization {
+    vaultId: VaultId;
+    decision: "allow" | "deny";
+    reason: string | null;
+    secretId: SecretId | null;
+    executorTarget: VaultTargetBinding | null;
+}
+export interface DispatchInstruction {
+    vaultId: VaultId;
+    requestId: string;
+    secretId: SecretId;
+    targetUrl: string;
+    method: string;
+    headers?: Record<string, string>;
+    body?: string;
+}
+export interface DispatchResult {
+    vaultId: VaultId;
+    requestId: string;
+    status: "succeeded" | "denied" | "failed";
+    targetUrl: string;
+    method: string;
+    responseStatus?: number;
+    responseBody?: string;
+    error?: string;
+}
+export interface AuditQuery {
+    actorId?: string;
+    secretAlias?: string;
+    requestId?: string;
+    since?: string;
+}
+export interface AuditEntry {
+    entryId: string;
+    occurredAt: string;
+    vaultId: string;
+    actor: VaultPrincipal;
+    action: "bootstrap_owner_identity" | "register_agent_identity" | "register_owner_identity" | "register_custom_flow" | "write_secret" | "export_secret" | "reassign_alias" | "authorize_dispatch" | "dispatch_secret" | "read_audit";
+    requestId?: string;
+    capabilityId?: string;
+    operation?: AgentCapability["operation"] | AuditEntry["action"];
+    targetUrl?: string;
+    secretAlias?: string;
+    secretId?: string;
+    outcome: "allowed" | "denied" | "succeeded" | "failed";
+    detail: string;
+}
+export interface AgentIdentityRecord {
+    vaultId: VaultId;
+    agentId: string;
+    publicKey: string;
+}
+export interface OwnerIdentityRecord {
+    vaultId: VaultId;
+    ownerId: string;
+    publicKey: string;
+}
+export interface OwnerAuditRequest {
+    vaultId: VaultId;
+    actor: VaultPrincipal & {
+        kind: "owner";
+    };
+    query: AuditQuery;
+    requestId: string;
+    requestedAt: string;
+    proof: OwnerProof;
+}
+export interface OwnerExportSecretRequest {
+    vaultId: VaultId;
+    actor: VaultPrincipal & {
+        kind: "owner";
+    };
+    alias: string;
+    requestId: string;
+    requestedAt: string;
+    proof: OwnerProof;
+}
+export interface OwnerSecretExport {
+    vaultId: VaultId;
+    secretId: SecretId;
+    alias: SecretAlias;
+    plaintext: string;
+    exportedAt: string;
+}

package/dist/vault-core/contracts.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export {};
2	+ //# sourceMappingURL=contracts.js.map

package/dist/vault-core/contracts.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"contracts.js","sourceRoot":"","sources":["../../src/vault-core/contracts.ts"],"names":[],"mappings":""}

package/dist/vault-core/core.d.ts ADDED Viewed

@@ -0,0 +1,24 @@
+import type { AuditEntry, AuditQuery, CustomHttpFlowDefinition, DispatchAuthorization, DispatchRequest, DispatchResult, OwnerExportSecretRequest, OwnerRegisterAgentIdentityCommand, OwnerRegisterCustomHttpFlowCommand, OwnerRegisterOwnerIdentityCommand, OwnerSecretExport, SecretRecord, VaultPrincipal, VaultWriteSecretCommand } from "./contracts.js";
+import type { VaultCore, VaultCoreDependencies } from "./ports.js";
+export declare class DefaultVaultCore implements VaultCore {
+    private readonly _deps;
+    constructor(_deps: VaultCoreDependencies);
+    get vaultId(): import("./contracts.js").VaultId;
+    private appendAudit;
+    private appendDecisionAudit;
+    bootstrapOwnerIdentity(identity: import("./contracts.js").OwnerIdentityRecord): Promise<void>;
+    registerAgentIdentity(command: OwnerRegisterAgentIdentityCommand): Promise<void>;
+    registerOwnerIdentity(command: OwnerRegisterOwnerIdentityCommand): Promise<void>;
+    registerCustomFlow(command: OwnerRegisterCustomHttpFlowCommand): Promise<void>;
+    storeCustomFlowSecret(flow: CustomHttpFlowDefinition, alias: string, plaintext: string): Promise<SecretRecord>;
+    writeSecret(command: VaultWriteSecretCommand): Promise<SecretRecord>;
+    authorizeDispatch(request: DispatchRequest): Promise<DispatchAuthorization>;
+    dispatchSecret(request: DispatchRequest): Promise<DispatchResult>;
+    getAudit(actor: VaultPrincipal & {
+        kind: "owner";
+    }, query: AuditQuery, request?: Omit<import("./contracts.js").OwnerAuditRequest, "actor" | "query" | "vaultId">): Promise<readonly AuditEntry[]>;
+    exportSecret(actor: VaultPrincipal & {
+        kind: "owner";
+    }, alias: string, request?: Omit<OwnerExportSecretRequest, "actor" | "alias" | "vaultId">): Promise<OwnerSecretExport>;
+}
+export declare function createVaultCore(deps: VaultCoreDependencies): VaultCore;