@the-ai-company/cbio-node-runtime 1.1.0 → 1.4.0

package/dist/vault-core/ports.d.ts

@@ -1,4 +1,4 @@
-import type { AuditEntry, AuditQuery, AgentIdentityRecord, OwnerIdentityRecord, OwnerAuditRequest, OwnerExportSecretRequest, OwnerRegisterAgentIdentityCommand, OwnerRegisterCustomHttpFlowCommand, OwnerRegisterOwnerIdentityCommand, OwnerSecretExport, CustomHttpFlowDefinition, DispatchInstruction, DispatchRequest, DispatchResult, SecretAlias, SecretId, SecretRecord, VaultPrincipal, VaultWriteSecretCommand, VaultId } from "./contracts.js";
+import type { AuditEntry, AuditQuery, AgentCapability, AgentIdentityRecord, OwnerIdentityRecord, OwnerAuditRequest, OwnerExportSecretRequest, OwnerRegisterCapabilityCommand, OwnerRegisterAgentIdentityCommand, OwnerRegisterCustomHttpFlowCommand, OwnerSecretExport, CustomHttpFlowDefinition, DispatchInstruction, DispatchRequest, DispatchResult, SecretAlias, SecretId, SecretRecord, VaultPrincipal, VaultWriteSecretCommand, VaultId } from "./contracts.js";
 export interface SecretRepository {
     save(record: SecretRecord): Promise<void>;
     delete(secretId: SecretId): Promise<void>;
@@ -62,14 +62,18 @@ export interface OwnerProofVerifier {
     }>): Promise<void>;
     verifyAudit(request: OwnerAuditRequest): Promise<void>;
     verifyExport(request: OwnerExportSecretRequest): Promise<void>;
+    verifyRegisterCapability(command: OwnerRegisterCapabilityCommand): Promise<void>;
     verifyRegisterAgentIdentity(command: OwnerRegisterAgentIdentityCommand): Promise<void>;
-    verifyRegisterOwnerIdentity(command: OwnerRegisterOwnerIdentityCommand): Promise<void>;
     verifyRegisterCustomFlow(command: OwnerRegisterCustomHttpFlowCommand): Promise<void>;
 }
 export interface CustomHttpFlowRegistry {
     register(flow: CustomHttpFlowDefinition): Promise<void>;
     get(vaultId: VaultId, flowId: string): Promise<CustomHttpFlowDefinition | null>;
 }
+export interface CapabilityRegistry {
+    register(capability: AgentCapability): Promise<void>;
+    get(vaultId: VaultId, agentId: string, capabilityId: string): Promise<AgentCapability | null>;
+}
 export interface VaultCoreDependencies {
     vaultId: VaultId;
     secrets: SecretRepository;
@@ -81,6 +85,7 @@ export interface VaultCoreDependencies {
     agentIdentities: AgentIdentityRegistry;
     ownerProofVerifier: OwnerProofVerifier;
     ownerIdentities: OwnerIdentityRegistry;
+    capabilities: CapabilityRegistry;
     customFlows: CustomHttpFlowRegistry;
     replayGuard: ReplayGuard;
     clock: Clock;
@@ -93,8 +98,9 @@ export interface VaultCore {
     dispatchSecret(request: DispatchRequest): Promise<DispatchResult>;
     bootstrapOwnerIdentity(identity: OwnerIdentityRecord): Promise<void>;
     registerAgentIdentity(command: OwnerRegisterAgentIdentityCommand): Promise<void>;
-    registerOwnerIdentity(command: OwnerRegisterOwnerIdentityCommand): Promise<void>;
+    registerCapability(command: OwnerRegisterCapabilityCommand): Promise<void>;
     registerCustomFlow(command: OwnerRegisterCustomHttpFlowCommand): Promise<void>;
+    getCapability(vaultId: VaultId, agentId: string, capabilityId: string): Promise<AgentCapability | null>;
     storeCustomFlowSecret(flow: CustomHttpFlowDefinition, alias: string, plaintext: string): Promise<SecretRecord>;
     getAudit(actor: VaultPrincipal & {
         kind: "owner";

package/dist/vault-ingress/defaults.d.ts

@@ -1,11 +1,5 @@
 import type { AgentDispatchTransport } from "../clients/agent/index.js";
-import type { AgentCapability } from "../vault-core/index.js";
-import type { VaultCapabilityResolver, VaultService } from "./index.js";
-export declare class InMemoryVaultCapabilityResolver implements VaultCapabilityResolver {
-    private readonly _capabilities;
-    set(capability: AgentCapability): void;
-    resolve(vaultId: import("../vault-core/index.js").VaultId, agentId: string, capabilityId: string): Promise<AgentCapability>;
-}
+import type { VaultService } from "./index.js";
 export declare class LocalVaultTransport implements AgentDispatchTransport {
     private readonly _vault;
     private readonly _capabilityId;

package/dist/vault-ingress/defaults.js

@@ -1,16 +1,3 @@
-export class InMemoryVaultCapabilityResolver {
-    _capabilities = new Map();
-    set(capability) {
-        this._capabilities.set(`${capability.vaultId.value}:${capability.agentId}:${capability.capabilityId}`, capability);
-    }
-    async resolve(vaultId, agentId, capabilityId) {
-        const capability = this._capabilities.get(`${vaultId.value}:${agentId}:${capabilityId}`);
-        if (!capability) {
-            throw new Error("VAULT_CAPABILITY_NOT_FOUND");
-        }
-        return capability;
-    }
-}
 export class LocalVaultTransport {
     _vault;
     _capabilityId;

package/dist/vault-ingress/defaults.js.map

@@ -1 +1 @@
-{"version":3,"file":"defaults.js","sourceRoot":"","sources":["../../src/vault-ingress/defaults.ts"],"names":[],"mappings":"AAIA,MAAM,OAAO,+BAA+B;IACzB,aAAa,GAAG,IAAI,GAAG,EAA2B,CAAC;IAEpE,GAAG,CAAC,UAA2B;QAC7B,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,UAAU,CAAC,OAAO,CAAC,KAAK,IAAI,UAAU,CAAC,OAAO,IAAI,UAAU,CAAC,YAAY,EAAE,EAAE,UAAU,CAAC,CAAC;IACrH,CAAC;IAED,KAAK,CAAC,OAAO,CACX,OAAiD,EACjD,OAAe,EACf,YAAoB;QAEpB,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,KAAK,IAAI,OAAO,IAAI,YAAY,EAAE,CAAC,CAAC;QACzF,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAChD,CAAC;QACD,OAAO,UAAU,CAAC;IACpB,CAAC;CACF;AAED,MAAM,OAAO,mBAAmB;IAEX;IACA;IAFnB,YACmB,MAAoB,EACpB,aAAqB;QADrB,WAAM,GAAN,MAAM,CAAc;QACpB,kBAAa,GAAb,aAAa,CAAQ;IACrC,CAAC;IAEJ,KAAK,CAAC,QAAQ,CACZ,OAAyD;QAEzD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,mBAAmB,CAAC;YACrD,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK;YAC9B,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,EAAE;YACzB,YAAY,EAAE,IAAI,CAAC,aAAa;YAChC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,KAAK,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,KAAK,CAAC,SAAS,EAAE;SAC9C,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QACtE,CAAC;QACD,OAAO,QAAQ,CAAC,MAAM,CAAC;IACzB,CAAC;CACF"}
+{"version":3,"file":"defaults.js","sourceRoot":"","sources":["../../src/vault-ingress/defaults.ts"],"names":[],"mappings":"AAGA,MAAM,OAAO,mBAAmB;IAEX;IACA;IAFnB,YACmB,MAAoB,EACpB,aAAqB;QADrB,WAAM,GAAN,MAAM,CAAc;QACpB,kBAAa,GAAb,aAAa,CAAQ;IACrC,CAAC;IAEJ,KAAK,CAAC,QAAQ,CACZ,OAAyD;QAEzD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,mBAAmB,CAAC;YACrD,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK;YAC9B,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,OAAO,EAAE,OAAO,CAAC,KAAK,CAAC,EAAE;YACzB,YAAY,EAAE,IAAI,CAAC,aAAa;YAChC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,KAAK,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,KAAK,CAAC,SAAS,EAAE;SAC9C,CAAC,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,QAAQ,CAAC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;QACtE,CAAC;QACD,OAAO,QAAQ,CAAC,MAAM,CAAC;IACzB,CAAC;CACF"}

package/dist/vault-ingress/index.d.ts

@@ -1,11 +1,8 @@
-import { type AgentCapability, type VaultCore, type VaultCoreDependencies, type DispatchRequest, type DispatchResult, type Clock, type OwnerAuditRequest, type OwnerExportSecretRequest, type OwnerRegisterAgentIdentityCommand, type OwnerRegisterCustomHttpFlowCommand, type OwnerRegisterOwnerIdentityCommand, type CustomHttpFlowDefinition, type OwnerIdentityRecord, type OwnerSecretExport, type SecretRecord, type VaultId } from "../vault-core/index.js";
+import { type VaultCore, type VaultCoreDependencies, type DispatchRequest, type DispatchResult, type Clock, type OwnerAuditRequest, type OwnerExportSecretRequest, type OwnerRegisterCapabilityCommand, type OwnerRegisterAgentIdentityCommand, type OwnerRegisterCustomHttpFlowCommand, type CustomHttpFlowDefinition, type OwnerIdentityRecord, type OwnerSecretExport, type SecretRecord, type VaultId } from "../vault-core/index.js";
 export type RedactedResponseShape = null | string | number | boolean | RedactedResponseShape[] | {
     [key: string]: RedactedResponseShape;
 };
 export type VaultAcquireSecretFlow = "oauth_token_response.access_token" | "oauth_token_response.refresh_token" | "openid_token_response.id_token";
-export interface VaultCapabilityResolver {
-    resolve(vaultId: VaultId, agentId: string, capabilityId: string): Promise<AgentCapability>;
-}
 export interface VaultAgentDispatchRequest {
     vaultId: string;
     requestId: string;
@@ -56,8 +53,8 @@ export interface VaultCustomFlowResolver {
 export interface VaultService {
     readonly vaultId: VaultCore["vaultId"];
     bootstrapOwnerIdentity(request: OwnerIdentityRecord): Promise<void>;
+    registerCapability(request: OwnerRegisterCapabilityCommand): Promise<void>;
     registerAgentIdentity(request: OwnerRegisterAgentIdentityCommand): Promise<void>;
-    registerOwnerIdentity(request: OwnerRegisterOwnerIdentityCommand): Promise<void>;
     registerCustomFlow(request: OwnerRegisterCustomHttpFlowCommand): Promise<void>;
     writeSecret(request: import("../vault-core/index.js").VaultWriteSecretCommand): Promise<SecretRecord>;
     acquireSecret(request: VaultAcquireSecretInput): Promise<VaultAcquireSecretResult>;
@@ -67,13 +64,11 @@ export interface VaultService {
     exportSecret(request: OwnerExportSecretRequest): Promise<OwnerSecretExport>;
 }
 export declare function createVaultService(deps: VaultCoreDependencies, options?: {
-    capabilities?: VaultCapabilityResolver;
     customFlows?: VaultCustomFlowResolver;
     clock?: Clock;
     fetchImpl?: typeof fetch;
 }): VaultService;
 export declare function wrapVaultCoreAsVaultService(core: VaultCore, options?: {
-    capabilities?: VaultCapabilityResolver;
     customFlows?: VaultCustomFlowResolver;
     clock?: Clock;
     fetchImpl?: typeof fetch;

package/dist/vault-ingress/index.js

@@ -2,13 +2,11 @@ import { createVaultCore, } from "../vault-core/index.js";
 import { createOwnerHttpFlowBoundary, createStandardAcquireBoundary, toOwnerHttpFlowBoundary, } from "./flow-factories.js";
 class LocalVaultService {
     _authority;
-    _capabilities;
     _customFlows;
     _clock;
     _fetchImpl;
-    constructor(_authority, _capabilities, _customFlows, _clock, _fetchImpl = fetch) {
+    constructor(_authority, _customFlows, _clock, _fetchImpl = fetch) {
         this._authority = _authority;
-        this._capabilities = _capabilities;
         this._customFlows = _customFlows;
         this._clock = _clock;
         this._fetchImpl = _fetchImpl;
@@ -19,12 +17,12 @@ class LocalVaultService {
     bootstrapOwnerIdentity(request) {
         return this._authority.bootstrapOwnerIdentity(request);
     }
+    registerCapability(request) {
+        return this._authority.registerCapability(request);
+    }
     registerAgentIdentity(request) {
         return this._authority.registerAgentIdentity(request);
     }
-    registerOwnerIdentity(request) {
-        return this._authority.registerOwnerIdentity(request);
-    }
     registerCustomFlow(request) {
         return this._authority.registerCustomFlow(request);
     }
@@ -324,10 +322,11 @@ class LocalVaultService {
         });
     }
     async resolveCapability(vaultId, agentId, capabilityId) {
-        if (!this._capabilities) {
-            throw new Error("VAULT_CAPABILITY_RESOLVER_NOT_CONFIGURED");
+        const capability = await this._authority.getCapability(vaultId, agentId, capabilityId);
+        if (!capability) {
+            throw new Error("VAULT_CAPABILITY_NOT_FOUND");
         }
-        return this._capabilities.resolve(vaultId, agentId, capabilityId);
+        return capability;
     }
     parseBody(body) {
         if (!body) {
@@ -355,10 +354,10 @@ class LocalVaultService {
     }
 }
 export function createVaultService(deps, options = {}) {
-    return new LocalVaultService(createVaultCore(deps), options.capabilities, options.customFlows ?? deps.customFlows, options.clock, options.fetchImpl);
+    return new LocalVaultService(createVaultCore(deps), options.customFlows ?? deps.customFlows, options.clock, options.fetchImpl);
 }
 export function wrapVaultCoreAsVaultService(core, options = {}) {
-    return new LocalVaultService(core, options.capabilities, options.customFlows, options.clock, options.fetchImpl);
+    return new LocalVaultService(core, options.customFlows, options.clock, options.fetchImpl);
 }
 export { createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, toOwnerHttpFlowBoundary, } from "./flow-factories.js";
 //# sourceMappingURL=index.js.map

package/dist/vault-ingress/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/vault-ingress/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,eAAe,GAmBhB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,2BAA2B,EAC3B,6BAA6B,EAC7B,uBAAuB,GACxB,MAAM,qBAAqB,CAAC;AA2F7B,MAAM,iBAAiB;IAEF;IACA;IACA;IACA;IACA;IALnB,YACmB,UAAqB,EACrB,aAAuC,EACvC,YAAsC,EACtC,MAAc,EACd,aAA2B,KAAK;QAJhC,eAAU,GAAV,UAAU,CAAW;QACrB,kBAAa,GAAb,aAAa,CAA0B;QACvC,iBAAY,GAAZ,YAAY,CAA0B;QACtC,WAAM,GAAN,MAAM,CAAQ;QACd,eAAU,GAAV,UAAU,CAAsB;IAChD,CAAC;IAEJ,IAAI,OAAO;QACT,OAAO,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;IACjC,CAAC;IAED,sBAAsB,CAAC,OAA4B;QACjD,OAAO,IAAI,CAAC,UAAU,CAAC,sBAAsB,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;IAED,qBAAqB,CAAC,OAA0C;QAC9D,OAAO,IAAI,CAAC,UAAU,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC;IACxD,CAAC;IAED,qBAAqB,CAAC,OAA0C;QAC9D,OAAO,IAAI,CAAC,UAAU,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC;IACxD,CAAC;IAED,kBAAkB,CAAC,OAA2C;QAC5D,OAAO,IAAI,CAAC,UAAU,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC;IACrD,CAAC;IAED,WAAW,CAAC,OAAiE;QAC3E,OAAO,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;IAC9C,CAAC;IAEO,mBAAmB,CAAC,KAAc;QACxC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YAC1C,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,EAAE,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC,CACpF,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,yBAAyB,CAAC,IAA4B,EAAE,OAAgB;QAC9E,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACtE,OAAO,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,CAAC;QAC3C,CAAC;QACD,MAAM,MAAM,GAAG,OAAkC,CAAC;QAClD,MAAM,QAAQ,GAA0C,EAAE,CAAC;QAC3D,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,mCAAmC,CAAC;YACzC,KAAK,oCAAoC,CAAC;YAC1C,KAAK,gCAAgC,CAAC,CAAC,CAAC;gBACtC,IAAI,YAAY,IAAI,MAAM,EAAE,CAAC;oBAC3B,QAAQ,CAAC,UAAU,GAAG,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC;gBACzF,CAAC;gBACD,IAAI,YAAY,IAAI,MAAM,EAAE,CAAC;oBAC3B,QAAQ,CAAC,UAAU,GAAG,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC;gBACzF,CAAC;gBACD,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;oBACtB,QAAQ,CAAC,KAAK,GAAG,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;gBAC1E,CAAC;gBACD,MAAM;YACR,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,oBAAoB,CAAC,IAA4B,EAAE,OAAgB;QACzE,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACtE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACxD,CAAC;QACD,MAAM,MAAM,GAAG,OAAkC,CAAC;QAClD,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,mCAAmC,CAAC,CAAC,CAAC;gBACzC,IAAI,OAAO,MAAM,CAAC,YAAY,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;oBACpE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBACxD,CAAC;gBACD,OAAO,MAAM,CAAC,YAAY,CAAC;YAC7B,CAAC;YACD,KAAK,oCAAoC,CAAC,CAAC,CAAC;gBAC1C,IAAI,OAAO,MAAM,CAAC,aAAa,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;oBACtE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBACxD,CAAC;gBACD,OAAO,MAAM,CAAC,aAAa,CAAC;YAC9B,CAAC;YACD,KAAK,gCAAgC,CAAC,CAAC,CAAC;gBACtC,IAAI,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;oBAC5D,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBACxD,CAAC;gBACD,OAAO,MAAM,CAAC,QAAQ,CAAC;YACzB,CAAC;QACH,CAAC;IACH,CAAC;IAEO,gBAAgB,CAAC,WAA0B,EAAE,UAAkB;QACrE,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,WAAW,EAAE,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAClC,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAChC,CAAC;QACD,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAChC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,UAAU,CAAC;QACpB,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,OAK3B;QACC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,EAAE;YAClD,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,KAAK;YAC/B,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CAAC,CAAC;QACH,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QACzD,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACtC,OAAO;YACL,WAAW;YACX,OAAO;YACP,UAAU,EAAE,IAAI,CAAC,gBAAgB,CAAC,WAAW,EAAE,OAAO,CAAC;YACvD,cAAc,EAAE,QAAQ,CAAC,MAAM;SAChC,CAAC;IACJ,CAAC;IAEO,uBAAuB,CAAC,IAA8B,EAAE,OAAgB;QAC9E,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,IAAI,CAAC,cAAc,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YAC9C,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;gBACtE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;YACxD,CAAC;YACD,MAAM,KAAK,GAAI,OAAmC,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;YAC9E,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,EAAE,CAAC;gBACxC,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;YACxD,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAAgC;QAClD,MAAM,gBAAgB,GAAG,6BAA6B,CAAC;YACrD,SAAS,EAAE,OAAO,CAAC,GAAG;YACtB,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,aAAa,EAAE,OAAO,CAAC,IAAI,KAAK,mCAAmC;gBACjE,CAAC,CAAC,cAAc;gBAChB,CAAC,CAAC,OAAO,CAAC,IAAI,KAAK,oCAAoC;oBACrD,CAAC,CAAC,eAAe;oBACjB,CAAC,CAAC,UAAU;YAChB,UAAU,EAAE,OAAO,CAAC,KAAK;SAC1B,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;QAClD,MAAM,cAAc,GAAkC,CAAC;gBACrD,IAAI,EAAE,MAAM;gBACZ,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,SAAS,EAAE,gBAAgB,CAAC,SAAS;gBACrC,OAAO,EAAE,CAAC,gBAAgB,CAAC,MAAM,CAAC;gBAClC,KAAK,EAAE,CAAC,IAAI,GAAG,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC,QAAQ,IAAI,GAAG,CAAC;aAC7D,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC;YAChC,IAAI,EAAE,qBAAqB;YAC3B,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,OAAO;YAChC,MAAM,EAAE;gBACN,IAAI,EAAE,gBAAgB;gBACtB,EAAE,EAAE,OAAO,CAAC,QAAQ;aACrB;YACD,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,SAAS,EAAE,IAAI,CAAC,oBAAoB,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC;YACtE,YAAY,EAAE,OAAO,CAAC,QAAQ;YAC9B,cAAc;YACd,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;SACxF,CAAC,CAAC;QACH,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,OAAO;YAChC,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,MAAM,EAAE,QAAQ;YAChB,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,aAAa,EAAE,IAAI,CAAC,yBAAyB,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC;SAChF,CAAC;IACJ,CAAC;IAED,QAAQ,CAAC,OAAwB;QAC/B,OAAO,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,mBAAmB,CACvB,OAAkC;QAElC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC;YAC3C,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;YAChG,MAAM,UAAU,GAAG,UAAU,CAAC,SAAS,KAAK,aAAa;gBACvD,CAAC,CAAC,MAAM,IAAI,CAAC,iBAAiB,CAAC,OAAO,EAAE,UAAU,CAAC,YAAY,CAAC;gBAChE,CAAC,CAAC,IAAI,CAAC;YACT,MAAM,QAAQ,GAAG,UAAU;gBACzB,CAAC,CAAC,uBAAuB,CAAC,UAAU,CAAC;gBACrC,CAAC,CAAC,2BAA2B,CAAC;oBAC5B,IAAI,EAAE,aAAa;oBACnB,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,kBAAkB,EAAE,aAAa;iBAClC,CAAC,CAAC;YACL,IAAI,UAAU,EAAE,CAAC;gBACf,IAAI,OAAO,CAAC,SAAS,KAAK,QAAQ,CAAC,SAAS,IAAI,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,EAAE,CAAC;oBAC/G,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBACxD,CAAC;YACH,CAAC;YACD,IAAI,QAAQ,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;gBACvC,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;gBACjD,CAAC;gBACD,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC;oBAC5D,OAAO;oBACP,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;oBAChC,KAAK,EAAE;wBACL,IAAI,EAAE,OAAO;wBACb,EAAE,EAAE,OAAO,CAAC,OAAO;qBACpB;oBACD,UAAU;oBACV,KAAK,EAAE;wBACL,OAAO,EAAE,OAAO,CAAC,OAAO;wBACxB,SAAS,EAAE,OAAO,CAAC,KAAK,CAAC,SAAS;wBAClC,SAAS,EAAE,OAAO,CAAC,SAAS;wBAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;qBACjC;oBACD,WAAW,EAAE,SAAS;oBACtB,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,IAAI,EAAE,OAAO,CAAC,IAAI;iBACnB,CAAC,CAAC;gBACH,IAAI,aAAa,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;oBACvC,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;gBAC9C,CAAC;gBACD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC;oBACvC,GAAG,EAAE,OAAO,CAAC,SAAS;oBACtB,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,IAAI,EAAE,OAAO,CAAC,IAAI;iBACnB,CAAC,CAAC;gBACH,MAAM,cAAc,GAAG,IAAI,CAAC,uBAAuB,CAAC,UAAU,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;gBACpF,IAAI,CAAC,cAAc,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,CAAC;oBAClD,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBACxD,CAAC;gBACD,MAAM,IAAI,CAAC,UAAU,CAAC,qBAAqB,CAAC,UAAU,EAAE,UAAU,CAAC,cAAc,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;gBAC9G,OAAO;oBACL,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE;wBACN,OAAO;wBACP,SAAS,EAAE,OAAO,CAAC,SAAS;wBAC5B,MAAM,EAAE,WAAW;wBACnB,SAAS,EAAE,OAAO,CAAC,SAAS;wBAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;wBACtB,cAAc,EAAE,OAAO,CAAC,cAAc;wBACtC,YAAY,EAAE,QAAQ,CAAC,kBAAkB,KAAK,YAAY;4BACxD,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;4BAC9D,CAAC,CAAC,OAAO,CAAC,OAAO;qBACpB;iBACF,CAAC;YACJ,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC;gBAClD,OAAO;gBACP,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;gBAChC,KAAK,EAAE;oBACL,IAAI,EAAE,OAAO;oBACb,EAAE,EAAE,OAAO,CAAC,OAAO;iBACpB;gBACD,UAAU;gBACV,KAAK,EAAE;oBACL,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,SAAS,EAAE,OAAO,CAAC,KAAK,CAAC,SAAS;oBAClC,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;iBACjC;gBACD,WAAW,EAAE,OAAO,CAAC,WAAW;gBAChC,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,IAAI,EAAE,OAAO,CAAC,IAAI;aACnB,CAAC,CAAC;YACH,IAAI,QAAQ,CAAC,IAAI,KAAK,sBAAsB,EAAE,CAAC;gBAC7C,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;gBACjD,CAAC;gBACD,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;gBACvD,MAAM,cAAc,GAAG,IAAI,CAAC,uBAAuB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;gBAC5E,IAAI,CAAC,cAAc,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,CAAC;oBAClD,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBACxD,CAAC;gBACD,MAAM,IAAI,CAAC,UAAU,CAAC,qBAAqB,CAAC,UAAU,EAAE,UAAU,CAAC,cAAc,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;YAChH,CAAC;YACD,OAAO;gBACL,EAAE,EAAE,IAAI;gBACR,MAAM,EAAE,QAAQ,CAAC,kBAAkB,KAAK,YAAY;oBAClD,CAAC,CAAC;wBACA,GAAG,MAAM;wBACT,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC;qBAC5F;oBACD,CAAC,CAAC,MAAM;aACX,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,MAAM,IAAI,GAAG,KAAK,YAAY,KAAK,IAAI,MAAM,IAAI,KAAK,IAAI,OAAQ,KAA4B,CAAC,IAAI,KAAK,QAAQ;gBAC9G,CAAC,CAAE,KAA0B,CAAC,IAAI;gBAClC,CAAC,CAAC,+BAA+B,CAAC;YACpC,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE;aACzB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,SAAS,CAAC,OAA0B;QAClC,OAAO,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE;YAC5D,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC,CAAC;IACL,CAAC;IAED,YAAY,CAAC,OAAiC;QAC5C,OAAO,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE;YAChE,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,OAAgB,EAAE,OAAe,EAAE,YAAoB;QACrF,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;YACxB,MAAM,IAAI,KAAK,CAAC,0CAA0C,CAAC,CAAC;QAC9D,CAAC;QACD,OAAO,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;IACpE,CAAC;IAEO,SAAS,CAAC,IAAwB;QACxC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,OAAgB,EAAE,MAA0B;QAC1E,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACpD,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED,MAAM,UAAU,kBAAkB,CAChC,IAA2B,EAC3B,UAKI,EAAE;IAEN,OAAO,IAAI,iBAAiB,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,YAAY,EAAE,OAAO,CAAC,WAAW,IAAI,IAAI,CAAC,WAAW,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;AACvJ,CAAC;AAED,MAAM,UAAU,2BAA2B,CACzC,IAAe,EACf,UAKI,EAAE;IAEN,OAAO,IAAI,iBAAiB,CAAC,IAAI,EAAE,OAAO,CAAC,YAAY,EAAE,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;AAClH,CAAC;AAGD,OAAO,EACL,2BAA2B,EAC3B,6BAA6B,EAC7B,8BAA8B,EAC9B,uBAAuB,GACxB,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/vault-ingress/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,eAAe,GAkBhB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,2BAA2B,EAC3B,6BAA6B,EAC7B,uBAAuB,GACxB,MAAM,qBAAqB,CAAC;AAuF7B,MAAM,iBAAiB;IAEF;IACA;IACA;IACA;IAJnB,YACmB,UAAqB,EACrB,YAAsC,EACtC,MAAc,EACd,aAA2B,KAAK;QAHhC,eAAU,GAAV,UAAU,CAAW;QACrB,iBAAY,GAAZ,YAAY,CAA0B;QACtC,WAAM,GAAN,MAAM,CAAQ;QACd,eAAU,GAAV,UAAU,CAAsB;IAChD,CAAC;IAEJ,IAAI,OAAO;QACT,OAAO,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC;IACjC,CAAC;IAED,sBAAsB,CAAC,OAA4B;QACjD,OAAO,IAAI,CAAC,UAAU,CAAC,sBAAsB,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;IAED,kBAAkB,CAAC,OAAuC;QACxD,OAAO,IAAI,CAAC,UAAU,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC;IACrD,CAAC;IAED,qBAAqB,CAAC,OAA0C;QAC9D,OAAO,IAAI,CAAC,UAAU,CAAC,qBAAqB,CAAC,OAAO,CAAC,CAAC;IACxD,CAAC;IAED,kBAAkB,CAAC,OAA2C;QAC5D,OAAO,IAAI,CAAC,UAAU,CAAC,kBAAkB,CAAC,OAAO,CAAC,CAAC;IACrD,CAAC;IAED,WAAW,CAAC,OAAiE;QAC3E,OAAO,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;IAC9C,CAAC;IAEO,mBAAmB,CAAC,KAAc;QACxC,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;YAC1C,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,OAAO,KAAK,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC;QAC/D,CAAC;QACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;YAC9B,OAAO,MAAM,CAAC,WAAW,CACvB,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,EAAE,IAAI,CAAC,mBAAmB,CAAC,KAAK,CAAC,CAAC,CAAC,CACpF,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAEO,yBAAyB,CAAC,IAA4B,EAAE,OAAgB;QAC9E,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACtE,OAAO,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,CAAC;QAC3C,CAAC;QACD,MAAM,MAAM,GAAG,OAAkC,CAAC;QAClD,MAAM,QAAQ,GAA0C,EAAE,CAAC;QAC3D,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,mCAAmC,CAAC;YACzC,KAAK,oCAAoC,CAAC;YAC1C,KAAK,gCAAgC,CAAC,CAAC,CAAC;gBACtC,IAAI,YAAY,IAAI,MAAM,EAAE,CAAC;oBAC3B,QAAQ,CAAC,UAAU,GAAG,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC;gBACzF,CAAC;gBACD,IAAI,YAAY,IAAI,MAAM,EAAE,CAAC;oBAC3B,QAAQ,CAAC,UAAU,GAAG,OAAO,MAAM,CAAC,UAAU,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC;gBACzF,CAAC;gBACD,IAAI,OAAO,IAAI,MAAM,EAAE,CAAC;oBACtB,QAAQ,CAAC,KAAK,GAAG,OAAO,MAAM,CAAC,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC;gBAC1E,CAAC;gBACD,MAAM;YACR,CAAC;QACH,CAAC;QACD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,oBAAoB,CAAC,IAA4B,EAAE,OAAgB;QACzE,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACtE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;QACxD,CAAC;QACD,MAAM,MAAM,GAAG,OAAkC,CAAC;QAClD,QAAQ,IAAI,EAAE,CAAC;YACb,KAAK,mCAAmC,CAAC,CAAC,CAAC;gBACzC,IAAI,OAAO,MAAM,CAAC,YAAY,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,YAAY,EAAE,CAAC;oBACpE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBACxD,CAAC;gBACD,OAAO,MAAM,CAAC,YAAY,CAAC;YAC7B,CAAC;YACD,KAAK,oCAAoC,CAAC,CAAC,CAAC;gBAC1C,IAAI,OAAO,MAAM,CAAC,aAAa,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,aAAa,EAAE,CAAC;oBACtE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBACxD,CAAC;gBACD,OAAO,MAAM,CAAC,aAAa,CAAC;YAC9B,CAAC;YACD,KAAK,gCAAgC,CAAC,CAAC,CAAC;gBACtC,IAAI,OAAO,MAAM,CAAC,QAAQ,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;oBAC5D,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBACxD,CAAC;gBACD,OAAO,MAAM,CAAC,QAAQ,CAAC;YACzB,CAAC;QACH,CAAC;IACH,CAAC;IAEO,gBAAgB,CAAC,WAA0B,EAAE,UAAkB;QACrE,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,WAAW,EAAE,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAClC,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAChC,CAAC;QACD,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;QAChC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,UAAU,CAAC;QACpB,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,OAK3B;QACC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,GAAG,EAAE;YAClD,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,KAAK;YAC/B,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CAAC,CAAC;QACH,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QACzD,MAAM,OAAO,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACtC,OAAO;YACL,WAAW;YACX,OAAO;YACP,UAAU,EAAE,IAAI,CAAC,gBAAgB,CAAC,WAAW,EAAE,OAAO,CAAC;YACvD,cAAc,EAAE,QAAQ,CAAC,MAAM;SAChC,CAAC;IACJ,CAAC;IAEO,uBAAuB,CAAC,IAA8B,EAAE,OAAgB;QAC9E,IAAI,CAAC,IAAI,CAAC,cAAc,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,IAAI,CAAC,cAAc,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YAC9C,IAAI,CAAC,OAAO,IAAI,OAAO,OAAO,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;gBACtE,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;YACxD,CAAC;YACD,MAAM,KAAK,GAAI,OAAmC,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;YAC9E,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,KAAK,EAAE,CAAC;gBACxC,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;YACxD,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAAgC;QAClD,MAAM,gBAAgB,GAAG,6BAA6B,CAAC;YACrD,SAAS,EAAE,OAAO,CAAC,GAAG;YACtB,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,aAAa,EAAE,OAAO,CAAC,IAAI,KAAK,mCAAmC;gBACjE,CAAC,CAAC,cAAc;gBAChB,CAAC,CAAC,OAAO,CAAC,IAAI,KAAK,oCAAoC;oBACrD,CAAC,CAAC,eAAe;oBACjB,CAAC,CAAC,UAAU;YAChB,UAAU,EAAE,OAAO,CAAC,KAAK;SAC1B,CAAC,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;QAClD,MAAM,cAAc,GAAkC,CAAC;gBACrD,IAAI,EAAE,MAAM;gBACZ,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,SAAS,EAAE,gBAAgB,CAAC,SAAS;gBACrC,OAAO,EAAE,CAAC,gBAAgB,CAAC,MAAM,CAAC;gBAClC,KAAK,EAAE,CAAC,IAAI,GAAG,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC,QAAQ,IAAI,GAAG,CAAC;aAC7D,CAAC,CAAC;QAEH,MAAM,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC;YAChC,IAAI,EAAE,qBAAqB;YAC3B,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,OAAO;YAChC,MAAM,EAAE;gBACN,IAAI,EAAE,gBAAgB;gBACtB,EAAE,EAAE,OAAO,CAAC,QAAQ;aACrB;YACD,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,SAAS,EAAE,IAAI,CAAC,oBAAoB,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC;YACtE,YAAY,EAAE,OAAO,CAAC,QAAQ;YAC9B,cAAc;YACd,WAAW,EAAE,OAAO,CAAC,WAAW,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;SACxF,CAAC,CAAC;QACH,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,UAAU,CAAC,OAAO;YAChC,KAAK,EAAE,OAAO,CAAC,KAAK;YACpB,MAAM,EAAE,QAAQ;YAChB,cAAc,EAAE,OAAO,CAAC,cAAc;YACtC,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,aAAa,EAAE,IAAI,CAAC,yBAAyB,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,UAAU,CAAC;SAChF,CAAC;IACJ,CAAC;IAED,QAAQ,CAAC,OAAwB;QAC/B,OAAO,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC;IACjD,CAAC;IAED,KAAK,CAAC,mBAAmB,CACvB,OAAkC;QAElC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,EAAE,KAAK,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC;YAC3C,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,iBAAiB,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;YAChG,MAAM,UAAU,GAAG,UAAU,CAAC,SAAS,KAAK,aAAa;gBACvD,CAAC,CAAC,MAAM,IAAI,CAAC,iBAAiB,CAAC,OAAO,EAAE,UAAU,CAAC,YAAY,CAAC;gBAChE,CAAC,CAAC,IAAI,CAAC;YACT,MAAM,QAAQ,GAAG,UAAU;gBACzB,CAAC,CAAC,uBAAuB,CAAC,UAAU,CAAC;gBACrC,CAAC,CAAC,2BAA2B,CAAC;oBAC5B,IAAI,EAAE,aAAa;oBACnB,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,kBAAkB,EAAE,aAAa;iBAClC,CAAC,CAAC;YACL,IAAI,UAAU,EAAE,CAAC;gBACf,IAAI,OAAO,CAAC,SAAS,KAAK,QAAQ,CAAC,SAAS,IAAI,OAAO,CAAC,MAAM,CAAC,WAAW,EAAE,KAAK,QAAQ,CAAC,MAAM,CAAC,WAAW,EAAE,EAAE,CAAC;oBAC/G,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBACxD,CAAC;YACH,CAAC;YACD,IAAI,QAAQ,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;gBACvC,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;gBACjD,CAAC;gBACD,MAAM,aAAa,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC;oBAC5D,OAAO;oBACP,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;oBAChC,KAAK,EAAE;wBACL,IAAI,EAAE,OAAO;wBACb,EAAE,EAAE,OAAO,CAAC,OAAO;qBACpB;oBACD,UAAU;oBACV,KAAK,EAAE;wBACL,OAAO,EAAE,OAAO,CAAC,OAAO;wBACxB,SAAS,EAAE,OAAO,CAAC,KAAK,CAAC,SAAS;wBAClC,SAAS,EAAE,OAAO,CAAC,SAAS;wBAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;qBACjC;oBACD,WAAW,EAAE,SAAS;oBACtB,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,IAAI,EAAE,OAAO,CAAC,IAAI;iBACnB,CAAC,CAAC;gBACH,IAAI,aAAa,CAAC,QAAQ,KAAK,OAAO,EAAE,CAAC;oBACvC,MAAM,IAAI,KAAK,CAAC,0BAA0B,CAAC,CAAC;gBAC9C,CAAC;gBACD,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC;oBACvC,GAAG,EAAE,OAAO,CAAC,SAAS;oBACtB,MAAM,EAAE,OAAO,CAAC,MAAM;oBACtB,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,IAAI,EAAE,OAAO,CAAC,IAAI;iBACnB,CAAC,CAAC;gBACH,MAAM,cAAc,GAAG,IAAI,CAAC,uBAAuB,CAAC,UAAU,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;gBACpF,IAAI,CAAC,cAAc,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,CAAC;oBAClD,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBACxD,CAAC;gBACD,MAAM,IAAI,CAAC,UAAU,CAAC,qBAAqB,CAAC,UAAU,EAAE,UAAU,CAAC,cAAc,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;gBAC9G,OAAO;oBACL,EAAE,EAAE,IAAI;oBACR,MAAM,EAAE;wBACN,OAAO;wBACP,SAAS,EAAE,OAAO,CAAC,SAAS;wBAC5B,MAAM,EAAE,WAAW;wBACnB,SAAS,EAAE,OAAO,CAAC,SAAS;wBAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;wBACtB,cAAc,EAAE,OAAO,CAAC,cAAc;wBACtC,YAAY,EAAE,QAAQ,CAAC,kBAAkB,KAAK,YAAY;4BACxD,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,mBAAmB,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;4BAC9D,CAAC,CAAC,OAAO,CAAC,OAAO;qBACpB;iBACF,CAAC;YACJ,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,cAAc,CAAC;gBAClD,OAAO;gBACP,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;gBAChC,KAAK,EAAE;oBACL,IAAI,EAAE,OAAO;oBACb,EAAE,EAAE,OAAO,CAAC,OAAO;iBACpB;gBACD,UAAU;gBACV,KAAK,EAAE;oBACL,OAAO,EAAE,OAAO,CAAC,OAAO;oBACxB,SAAS,EAAE,OAAO,CAAC,KAAK,CAAC,SAAS;oBAClC,SAAS,EAAE,OAAO,CAAC,SAAS;oBAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;iBACjC;gBACD,WAAW,EAAE,OAAO,CAAC,WAAW;gBAChC,SAAS,EAAE,OAAO,CAAC,SAAS;gBAC5B,MAAM,EAAE,OAAO,CAAC,MAAM;gBACtB,OAAO,EAAE,OAAO,CAAC,OAAO;gBACxB,IAAI,EAAE,OAAO,CAAC,IAAI;aACnB,CAAC,CAAC;YACH,IAAI,QAAQ,CAAC,IAAI,KAAK,sBAAsB,EAAE,CAAC;gBAC7C,IAAI,CAAC,UAAU,EAAE,CAAC;oBAChB,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;gBACjD,CAAC;gBACD,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;gBACvD,MAAM,cAAc,GAAG,IAAI,CAAC,uBAAuB,CAAC,UAAU,EAAE,UAAU,CAAC,CAAC;gBAC5E,IAAI,CAAC,cAAc,IAAI,CAAC,UAAU,CAAC,cAAc,EAAE,CAAC;oBAClD,MAAM,IAAI,KAAK,CAAC,oCAAoC,CAAC,CAAC;gBACxD,CAAC;gBACD,MAAM,IAAI,CAAC,UAAU,CAAC,qBAAqB,CAAC,UAAU,EAAE,UAAU,CAAC,cAAc,CAAC,UAAU,EAAE,cAAc,CAAC,CAAC;YAChH,CAAC;YACD,OAAO;gBACL,EAAE,EAAE,IAAI;gBACR,MAAM,EAAE,QAAQ,CAAC,kBAAkB,KAAK,YAAY;oBAClD,CAAC,CAAC;wBACA,GAAG,MAAM;wBACT,YAAY,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC,CAAC;qBAC5F;oBACD,CAAC,CAAC,MAAM;aACX,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YACvE,MAAM,IAAI,GAAG,KAAK,YAAY,KAAK,IAAI,MAAM,IAAI,KAAK,IAAI,OAAQ,KAA4B,CAAC,IAAI,KAAK,QAAQ;gBAC9G,CAAC,CAAE,KAA0B,CAAC,IAAI;gBAClC,CAAC,CAAC,+BAA+B,CAAC;YACpC,OAAO;gBACL,EAAE,EAAE,KAAK;gBACT,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE;aACzB,CAAC;QACJ,CAAC;IACH,CAAC;IAED,SAAS,CAAC,OAA0B;QAClC,OAAO,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE;YAC5D,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC,CAAC;IACL,CAAC;IAED,YAAY,CAAC,OAAiC;QAC5C,OAAO,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE;YAChE,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,KAAK,EAAE,OAAO,CAAC,KAAK;SACrB,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,OAAgB,EAAE,OAAe,EAAE,YAAoB;QACrF,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC,OAAO,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;QACvF,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;QAChD,CAAC;QACD,OAAO,UAAU,CAAC;IACpB,CAAC;IAEO,SAAS,CAAC,IAAwB;QACxC,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,OAAO,IAAI,CAAC;QACd,CAAC;QACD,IAAI,CAAC;YACH,OAAO,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAC1B,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,iBAAiB,CAAC,OAAgB,EAAE,MAA0B;QAC1E,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;QACpD,CAAC;QACD,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;QAC/D,CAAC;QACD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC1D,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,KAAK,CAAC,6BAA6B,CAAC,CAAC;QACjD,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED,MAAM,UAAU,kBAAkB,CAChC,IAA2B,EAC3B,UAII,EAAE;IAEN,OAAO,IAAI,iBAAiB,CAAC,eAAe,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC,WAAW,IAAI,IAAI,CAAC,WAAW,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;AACjI,CAAC;AAED,MAAM,UAAU,2BAA2B,CACzC,IAAe,EACf,UAII,EAAE;IAEN,OAAO,IAAI,iBAAiB,CAAC,IAAI,EAAE,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;AAC5F,CAAC;AAGD,OAAO,EACL,2BAA2B,EAC3B,6BAA6B,EAC7B,8BAA8B,EAC9B,uBAAuB,GACxB,MAAM,qBAAqB,CAAC"}

package/docs/ARCHITECTURE.md

@@ -2,19 +2,28 @@
 
 Current product architecture is vault-first.
 
+Related design note:
+
+- [Custody Model](CUSTODY_MODEL.md)
+
+Recommended persistent-vault lifecycle:
+
+- initialize through `initializePersistentVault(...)`
+- recover through `recoverPersistentVault(...)`
+
 ## Public Modules
 
 - `vault-core`
   Stores secret plaintext, validates writes, validates dispatch, appends audit, invokes trusted executors.
 
 - `clients/owner`
-  Owner-facing client for secret writes and audit reads.
+  Owner-facing client for the single vault admin. It performs secret writes, agent/capability administration, explicit plaintext export, and audit reads.
 
 - `clients/agent`
   Agent-facing client for signed dispatch requests. It never receives secret plaintext.
 
 - `vault-ingress`
-  Accepts request-shaped calls, resolves capability inside the vault boundary, performs trusted acquisition flows, and forwards dispatch into vault-core internals.
+  Accepts request-shaped calls, resolves vault-managed capability records inside the vault boundary, performs trusted acquisition flows, and forwards dispatch into vault-core internals.
 
 ## Core Rules
 

package/docs/CUSTODY_MODEL.md

@@ -0,0 +1,173 @@
+# Custody Model
+
+This document defines the intended key and custody model for the local vault runtime.
+
+It exists to remove ambiguity around `owner` identity, secret recovery, and the vault's working-key model.
+
+## Scope
+
+This runtime is a local vault / password-safe style infrastructure layer.
+
+It is not primarily a cloud secret manager.
+It is not a browser extension.
+It is not a CLI.
+
+The runtime is responsible for:
+
+- storing secret material safely at rest
+- using stored secret material during trusted vault operations
+- supporting explicit owner export / reveal operations
+- providing a stable custody model for higher-level products built on top
+
+## Design Goal
+
+The runtime must satisfy all of the following:
+
+1. Normal vault operation must not depend on repeated owner intervention.
+2. Owner must retain explicit recovery and export authority.
+3. Identity proof and secret-material control must not be collapsed into one key by default.
+4. The runtime must not treat a raw process-level string as the final product model.
+
+## Core Terms
+
+### `ownerPrivateKey`
+
+The owner's identity-signing key.
+
+In the current product model, this owner is the single vault admin.
+Other principals should be modeled as agents with capabilities rather than additional owners.
+
+Purpose:
+
+- prove "this request came from the owner"
+- authorize owner-scoped operations
+- bind audit-visible actions to the owner identity
+
+Non-purpose:
+
+- not the vault's secret-material root
+- not the working encryption key for stored secrets
+- not the recovery key for vault custody
+
+### `vaultWorkingKey`
+
+The runtime's working secret-material key.
+
+Purpose:
+
+- protect secret material at rest
+- support runtime secret use after the vault is in an operational state
+- back vault-side secret load / decrypt operations
+
+Non-purpose:
+
+- not an owner identity key
+- not a user-facing day-to-day API credential
+- not the preferred recovery artifact presented to the owner
+
+### `vaultRecoveryKey`
+
+The owner-held recovery artifact.
+
+Purpose:
+
+- recover or re-establish access to vault secret custody
+- support migration and disaster recovery
+- preserve owner material sovereignty over stored secrets
+
+Expected lifecycle:
+
+- generated during vault initialization
+- shown to the owner once
+- then stored by the owner outside the normal runtime working path
+
+Non-purpose:
+
+- not the owner's signing identity
+- not the normal runtime key used for every operation
+
+## Current Runtime Surface
+
+The persistent runtime surface uses `vaultWorkingKey` as the runtime material-control key.
+
+The older `custodyKey` term is intentionally not part of the current product model.
+
+## Required Separation
+
+The runtime separates three concerns:
+
+1. Identity authority
+   `ownerPrivateKey`
+
+2. Runtime material control
+   `vaultWorkingKey`
+
+3. Recovery authority
+   `vaultRecoveryKey`
+
+This separation is deliberate.
+
+The runtime should not default to a model where one owner signing key directly acts as the encryption root for all stored secret material.
+
+## Owner Relationship To Custody
+
+Owner is the authorization authority for the vault.
+
+Owner is not defined as the same thing as the runtime working key.
+
+Instead:
+
+- owner authorizes actions
+- runtime custody performs storage / load / export work
+- owner retains ultimate recovery and export authority through explicit product mechanisms
+
+In practical terms:
+
+- owner must be able to export secret plaintext through a formal audited interface
+- owner must be able to recover the vault through a formal recovery mechanism
+- owner does not need to directly hold the working key during normal runtime operation
+
+## Export / Reveal Policy
+
+For this runtime family, export is a first-class password-safe capability, not an exception.
+
+That means:
+
+- `exportSecret(...)` is valid product behavior
+- export must be explicit
+- export must be owner-scoped
+- export must be audited
+
+Future hardening such as MFA/TOTP may be added on top of this model, but it does not replace the need to define custody clearly.
+
+## Already Added
+
+The runtime now includes:
+
+1. formal persistent-vault initialization through `initializePersistentVault(...)`
+2. formal recovery-key based re-entry through `recoverPersistentVault(...)`
+3. explicit `vaultWorkingKey` terminology in the persistent dependency surface
+4. continued support for explicit owner export through `exportSecret(...)`
+
+## Next
+
+The remaining intended direction is:
+
+1. continue tightening recovery and migration flows
+2. continue reducing low-level helper use in favor of high-level lifecycle entrypoints
+3. keep the custody terminology stable across docs and APIs
+
+## What This Runtime Should Remove
+
+The runtime should move away from these ambiguous product meanings:
+
+- "owner cannot read secrets back"
+- "owner signing key and vault secret-material key are the same by default"
+
+## Non-Goals
+
+This document does not require the runtime to become a cloud KMS product.
+
+This document also does not require browser, CLI, or MCP concerns to be handled inside the runtime itself.
+
+Those layers may consume this runtime, but they do not define the runtime's custody model.

package/docs/REFERENCE.md

@@ -17,10 +17,26 @@ The main constructors are:
 
 - `createVaultCore(...)`
 - `createVaultService(...)`
+- `initializePersistentVault(...)`
+- `recoverPersistentVault(...)`
 - `createOwnerClient(...)`
 - `createAgentClient(...)`
 - `LocalVaultTransport`
 
+Related design note:
+
+- [Custody Model](CUSTODY_MODEL.md)
+
+Recommended persistent-vault entrypoints:
+
+- `initializePersistentVault(...)`
+- `recoverPersistentVault(...)`
+
+Lower-level custody helpers:
+
+- `initializeVaultCustody(...)`
+- `recoverVaultWorkingKey(...)`
+
 ## Secret-Flow Model
 
 The current HTTP-facing API supports two explicit secret-flow classes:
@@ -54,7 +70,6 @@ Important methods:
 
 - `bootstrapOwnerIdentity(...)`
 - `registerAgentIdentity(...)`
-- `registerOwnerIdentity(...)`
 - `writeSecret(...)`
 - `exportSecret(...)`
 - `acquireSecret(...)`
@@ -74,7 +89,7 @@ await vault.bootstrapOwnerIdentity({
 });
 ```
 
-After that, additional owner and agent identities should be registered through owner-signed commands rather than direct raw records.
+The runtime treats this first owner as the single vault admin. Additional principals should be modeled as agents plus capabilities rather than extra owners.
 
 ## Owner Client
 
@@ -86,7 +101,7 @@ Current owner operations:
 - `exportSecret(...)`
 - `getAudit(...)`
 - `registerAgentIdentity(...)`
-- `registerOwnerIdentity(...)`
+- `registerCapability(...)`
 - `registerCustomFlow(...)`
 
 Example:
@@ -158,6 +173,8 @@ const capability = {
   allowedMethods: ['POST'],
   issuedAt: new Date().toISOString(),
 };
+
+await owner.registerCapability({ capability });
 ```
 
 Custom capability example:
@@ -174,6 +191,8 @@ const customCapability = {
   allowedMethods: ['POST'],
   issuedAt: new Date().toISOString(),
 };
+
+await owner.registerCapability({ capability: customCapability });
 ```
 
 ## Acquisition Result Shape

package/docs/es/README.md

@@ -1,6 +1,6 @@
 # cbio Vault Runtime
 
-Primera version publica del runtime centrado en autoridad.
+Runtime local de vault para el nucleo de autorizacion de cbio. No incluye CLI ni TUI.
 
 Superficie principal:
 - `vault-core`
@@ -8,4 +8,43 @@ Superficie principal:
 - `clients/agent`
 - `vault-ingress`
 
-La API antigua centrada en `CbioIdentity` ya no forma parte del producto.
+## Instalacion
+
+```bash
+npm install @the-ai-company/cbio-node-runtime
+```
+
+## Uso
+
+```ts
+import {
+  createVaultService,
+  initializePersistentVault,
+  recoverPersistentVault,
+  LocalVaultTransport,
+  createOwnerClient,
+  createAgentClient,
+  FsStorageProvider,
+} from '@the-ai-company/cbio-node-runtime';
+```
+
+## Arquitectura
+
+1. El plaintext del secret existe solo dentro de `vault-core`
+2. `clients/owner` actua como el unico admin del vault: escribe secrets, exporta plaintext, administra agents/capabilities y lee audit
+3. `clients/agent` crea solicitudes de dispatch firmadas por el agent
+4. `vault-ingress` resuelve capabilities y maneja el ingress de dispatch dentro del limite de confianza del vault
+
+Ruta principal recomendada para vault persistente:
+
+- inicializar el vault persistente con `initializePersistentVault(...)`
+- recuperar el vault persistente con `recoverPersistentVault(...)` usando la recovery key
+
+La API antigua centrada en `CbioIdentity` ya no es la superficie principal del producto.
+
+## Build
+
+```bash
+npm run build
+npm run test
+```

package/docs/fr/README.md

@@ -1,6 +1,6 @@
 # cbio Vault Runtime
 
-Premiere version publique du runtime centre sur l'autorite.
+Runtime local de vault pour le noyau d'autorisation cbio. Il ne fournit ni CLI ni TUI.
 
 Surface principale :
 - `vault-core`
@@ -8,4 +8,43 @@ Surface principale :
 - `clients/agent`
 - `vault-ingress`
 
-L'ancienne API centree sur `CbioIdentity` ne fait plus partie du produit.
+## Installation
+
+```bash
+npm install @the-ai-company/cbio-node-runtime
+```
+
+## Utilisation
+
+```ts
+import {
+  createVaultService,
+  initializePersistentVault,
+  recoverPersistentVault,
+  LocalVaultTransport,
+  createOwnerClient,
+  createAgentClient,
+  FsStorageProvider,
+} from '@the-ai-company/cbio-node-runtime';
+```
+
+## Architecture
+
+1. Le plaintext du secret n'existe qu'a l'interieur de `vault-core`
+2. `clients/owner` agit comme l'unique admin du vault : ecriture de secrets, export plaintext, administration des agents/capabilities et lecture de l'audit
+3. `clients/agent` cree les requetes de dispatch signees par l'agent
+4. `vault-ingress` resout les capabilities et traite l'ingress de dispatch a l'interieur de la frontiere de confiance du vault
+
+Chemin principal recommande pour un vault persistant :
+
+- initialiser le vault persistant avec `initializePersistentVault(...)`
+- restaurer le vault persistant avec `recoverPersistentVault(...)` via la recovery key
+
+L'ancienne API centree sur `CbioIdentity` n'est plus la surface principale du produit.
+
+## Build
+
+```bash
+npm run build
+npm run test
+```

package/docs/ja/README.md

@@ -1,6 +1,6 @@
 # cbio Vault Runtime
 
-Vault first の第一版ランタイムです。
+cbio 権限コアのローカル vault ランタイムです。CLI や TUI は含みません。
 
 主な公開モジュール:
 - `vault-core`
@@ -8,4 +8,43 @@ Vault first の第一版ランタイムです。
 - `clients/agent`
 - `vault-ingress`
 
-旧 `CbioIdentity` 中心 API は公開面から外れています。
+## インストール
+
+```bash
+npm install @the-ai-company/cbio-node-runtime
+```
+
+## 使い方
+
+```ts
+import {
+  createVaultService,
+  initializePersistentVault,
+  recoverPersistentVault,
+  LocalVaultTransport,
+  createOwnerClient,
+  createAgentClient,
+  FsStorageProvider,
+} from '@the-ai-company/cbio-node-runtime';
+```
+
+## アーキテクチャ
+
+1. secret の平文は `vault-core` の内部にのみ存在します
+2. `clients/owner` は単一の vault admin として secret 書き込み、平文 export、agent/capability 管理、audit 読み取りを行います
+3. `clients/agent` は agent の signed dispatch request を作ります
+4. `vault-ingress` は vault 境界の内側で capability 解決と dispatch ingress を扱います
+
+推奨される persistent-vault の主経路:
+
+- `initializePersistentVault(...)` で persistent vault を初期化する
+- `recoverPersistentVault(...)` で recovery key を使って persistent vault を復旧する
+
+旧 `CbioIdentity` 中心 API は、もはや主要な公開面ではありません。
+
+## ビルド
+
+```bash
+npm run build
+npm run test
+```