@the-ai-company/cbio-node-runtime 1.15.1 → 1.16.0

package/README.md

@@ -22,10 +22,10 @@ Node.js vault runtime with a hard-cut architecture: vault core first, explicit c
 - No TUI
 
 Main export now centers on:
-- `vault-core`
-- `vault-ingress`
-- `clients/owner`
-- `clients/agent`
+- identity creation and recovery
+- persistent vault bootstrap and recovery
+- owner and agent clients
+- owner flow-boundary helpers
 
 ## Install
 
@@ -39,8 +39,6 @@ npm install @the-ai-company/cbio-node-runtime
 
 ```ts
 import {
-  createVaultService,
-  createDefaultVaultCoreDependencies,
   createChildIdentity,
   createIdentity,
   createWorkspaceStorage,
@@ -50,12 +48,9 @@ import {
   recoverVault,
   createOwnerHttpFlowBoundary,
   createStandardAcquireBoundary,
-  createStandardDispatchBoundary,
   createVaultClient,
   createAgentClient,
   FsStorageProvider,
-  LocalVaultTransport,
-  LocalSigner,
 } from '@the-ai-company/cbio-node-runtime';
 ```
 
@@ -159,20 +154,6 @@ An owner-defined exception path also exists for non-standard but intentional int
 - agent may only invoke the registered `customFlowId`
 - this is an explicit escape hatch, not the default path
 
-## Modules
-
-- `vault-core`
-  The vault kernel. Stores plaintext, authorizes writes, authorizes dispatch, executes dispatch, appends audit.
-
-- `vault-ingress`
-  Vault boundary/facade. Accepts request-shaped calls, handles trusted acquisition paths, and keeps capability resolution plus dispatch ingress inside the vault trust boundary.
-
-- `clients/owner`
-  Owner-facing client. The owner is the single vault admin. It writes secrets, exports plaintext secrets, manages agents/capabilities, and reads audit.
-
-- `clients/agent`
-  Agent-facing client. Creates signed dispatch requests. Never handles plaintext secret.
-
 ## Status
 
 The old identity-centric runtime is no longer the intended public architecture.
@@ -183,19 +164,41 @@ This package now exposes the production local vault runtime surface as the prima
 ```ts
 const ownerIdentity = createIdentity({ nickname: 'owner-main' });
 const agentIdentity = createIdentity({ nickname: 'agent-worker' });
-const vault = createVaultService(createDefaultVaultCoreDependencies());
-const client = createVaultClient({ identityId: ownerIdentity.identityId }, vault, new LocalSigner(ownerIdentity), clock);
-const transport = new LocalVaultTransport(vault, capability.capabilityId);
-const agent = createAgentClient({ agentId: agentIdentity.identityId }, capability, new LocalSigner(agentIdentity), transport, clock);
+const createdVault = await createVault({ ownerIdentity });
+const client = createVaultClient({ ownerIdentity, vault: createdVault.vault });
+const agent = createAgentClient({ agentIdentity, capability, vault: createdVault.vault });
 ```
 
+Owner API example:
+
+```ts
+const storedSecret = await client.storeSecret({
+  alias: 'api-token',
+  plaintext: 'secret-value',
+});
+
+await client.defineSecretTargets({
+  alias: storedSecret.alias.value,
+  targetBindings: [
+    {
+      kind: 'site',
+      targetId: 'api.example.com',
+      targetUrl: 'https://api.example.com/endpoint',
+      methods: ['POST'],
+    },
+  ],
+});
+```
+
+`writeSecret(...)` is the one-step variant and requires `targetBindings`.
+
 Capability example:
 
 ```ts
 const capability = {
   vaultId: vault.vaultId,
   capabilityId: 'cap-1',
-  agentId: 'agent-1',
+  agentId: agentIdentity.identityId,
   secretAliases: ['api-token'],
   operation: 'dispatch_http',
   allowedTargets: ['https://api.example.com/endpoint'],

package/dist/clients/agent/client.d.ts

@@ -1,4 +1,6 @@
-import type { Clock } from "../../vault-core/index.js";
+import type { CreatedIdentity } from "../../runtime/identity.js";
+import { type Clock } from "../../vault-core/index.js";
+import type { VaultService } from "../../vault-ingress/index.js";
 import type { AgentCapabilityEnvelope, AgentDispatchIntent, AgentDispatchTransport, AgentSigner } from "./contracts.js";
 export interface AgentIdentity {
     agentId: string;
@@ -6,4 +8,12 @@ export interface AgentIdentity {
 export interface AgentClient {
     dispatch(intent: AgentDispatchIntent): Promise<import("../../vault-core/index.js").DispatchResult>;
 }
-export declare function createAgentClient(identity: AgentIdentity, capability: AgentCapabilityEnvelope, signer: AgentSigner, transport: AgentDispatchTransport, clock: Clock): AgentClient;
+export interface CreateAgentClientOptions {
+    agentIdentity: CreatedIdentity | AgentIdentity;
+    capability: AgentCapabilityEnvelope;
+    vault?: VaultService;
+    transport?: AgentDispatchTransport;
+    signer?: AgentSigner;
+    clock?: Clock;
+}
+export declare function createAgentClient(options: CreateAgentClientOptions): AgentClient;

package/dist/clients/agent/client.js

@@ -1,3 +1,6 @@
+import { LocalSigner } from "../../protocol/crypto.js";
+import { SystemClock } from "../../vault-core/index.js";
+import { LocalVaultTransport } from "../../vault-ingress/defaults.js";
 function createDispatchBinding(requestId, requestedAt, agentId, capabilityId, secretAlias, targetUrl, method, body) {
     return JSON.stringify({
         requestId,
@@ -26,7 +29,6 @@ class DefaultAgentClient {
     async dispatch(intent) {
         const requestedAt = intent.requestedAt ?? this._clock.nowIso();
         const requestId = `${this._identity.agentId}:${requestedAt}:${intent.secretAlias ?? "no-secret"}:${intent.method}`;
-        const publicKey = await this._signer.getPublicKey();
         const signature = await this._signer.sign(createDispatchBinding(requestId, requestedAt, this._identity.agentId, this._capability.capabilityId, intent.secretAlias, intent.targetUrl, intent.method, intent.body));
         return this._transport.dispatch({
             vaultId: this._capability.vaultId,
@@ -66,7 +68,39 @@ class DefaultAgentClient {
         });
     }
 }
-export function createAgentClient(identity, capability, signer, transport, clock) {
-    return new DefaultAgentClient(identity, capability, signer, transport, clock);
+function isCreateAgentClientOptions(value) {
+    return typeof value === "object" && value !== null && "agentIdentity" in value && "capability" in value;
+}
+function isCreatedIdentity(value) {
+    return "privateKey" in value && "publicKey" in value;
+}
+function resolveAgentSigner(identity, signer) {
+    if (signer) {
+        return signer;
+    }
+    if (isCreatedIdentity(identity)) {
+        return new LocalSigner(identity);
+    }
+    throw new Error("createAgentClient() requires signer when agentIdentity does not include keys");
+}
+function resolveAgentIdentity(options) {
+    return "agentId" in options.agentIdentity
+        ? options.agentIdentity
+        : { agentId: options.agentIdentity.identityId };
+}
+function resolveAgentTransport(options) {
+    if (options.transport) {
+        return options.transport;
+    }
+    if (options.vault) {
+        return new LocalVaultTransport(options.vault);
+    }
+    throw new Error("createAgentClient() requires transport or vault");
+}
+export function createAgentClient(options) {
+    if (!isCreateAgentClientOptions(options)) {
+        throw new Error("createAgentClient() requires a single options object");
+    }
+    return new DefaultAgentClient(resolveAgentIdentity(options), options.capability, resolveAgentSigner(options.agentIdentity, options.signer), resolveAgentTransport(options), options.clock ?? new SystemClock());
 }
 //# sourceMappingURL=client.js.map

package/dist/clients/agent/client.js.map

@@ -1 +1 @@
-{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/clients/agent/client.ts"],"names":[],"mappings":"AAgBA,SAAS,qBAAqB,CAC5B,SAAiB,EACjB,WAAmB,EACnB,OAAe,EACf,YAAoB,EACpB,WAA+B,EAC/B,SAAiB,EACjB,MAAc,EACd,IAAa;IAEb,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,SAAS;QACT,WAAW;QACX,OAAO;QACP,YAAY;QACZ,WAAW,EAAE,WAAW,IAAI,IAAI;QAChC,SAAS;QACT,MAAM;QACN,IAAI,EAAE,IAAI,IAAI,IAAI;KACnB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,kBAAkB;IAEH;IACA;IACA;IACA;IACA;IALnB,YACmB,SAAwB,EACxB,WAAoC,EACpC,OAAoB,EACpB,UAAkC,EAClC,MAAa;QAJb,cAAS,GAAT,SAAS,CAAe;QACxB,gBAAW,GAAX,WAAW,CAAyB;QACpC,YAAO,GAAP,OAAO,CAAa;QACpB,eAAU,GAAV,UAAU,CAAwB;QAClC,WAAM,GAAN,MAAM,CAAO;IAC7B,CAAC;IAEJ,KAAK,CAAC,QAAQ,CAAC,MAA2B;QACxC,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC/D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,IAAI,MAAM,CAAC,WAAW,IAAI,WAAW,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QACnH,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC;QACpD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CACvC,qBAAqB,CACnB,SAAS,EACT,WAAW,EACX,IAAI,CAAC,SAAS,CAAC,OAAO,EACtB,IAAI,CAAC,WAAW,CAAC,YAAY,EAC7B,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,SAAS,EAChB,MAAM,CAAC,MAAM,EACb,MAAM,CAAC,IAAI,CACZ,CACF,CAAC;QAEF,OAAO,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;YAC9B,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;YACjC,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,UAAU,EAAE;gBACV,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;gBACjC,YAAY,EAAE,IAAI,CAAC,WAAW,CAAC,YAAY;gBAC3C,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;gBACjC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,aAAa,EAAE,IAAI,CAAC,WAAW,CAAC,aAAa;gBAC7C,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,cAAc,EAAE,IAAI,CAAC,WAAW,CAAC,cAAc;gBAC/C,cAAc,EAAE,IAAI,CAAC,WAAW,CAAC,cAAc;gBAC/C,YAAY,EAAE,IAAI,CAAC,WAAW,CAAC,YAAY;gBAC3C,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;gBACnC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,iBAAiB,EAAE,IAAI,CAAC,WAAW,CAAC,iBAAiB;gBACrD,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,aAAa,EAAE,IAAI,CAAC,WAAW,CAAC,aAAa;aAC9C;YACD,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;YACD,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,IAAI,EAAE,MAAM,CAAC,IAAI;SAClB,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,UAAU,iBAAiB,CAC/B,QAAuB,EACvB,UAAmC,EACnC,MAAmB,EACnB,SAAiC,EACjC,KAAY;IAEZ,OAAO,IAAI,kBAAkB,CAAC,QAAQ,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;AAChF,CAAC"}
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/clients/agent/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAEvD,OAAO,EAAE,WAAW,EAAc,MAAM,2BAA2B,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,iCAAiC,CAAC;AA0BtE,SAAS,qBAAqB,CAC5B,SAAiB,EACjB,WAAmB,EACnB,OAAe,EACf,YAAoB,EACpB,WAA+B,EAC/B,SAAiB,EACjB,MAAc,EACd,IAAa;IAEb,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,SAAS;QACT,WAAW;QACX,OAAO;QACP,YAAY;QACZ,WAAW,EAAE,WAAW,IAAI,IAAI;QAChC,SAAS;QACT,MAAM;QACN,IAAI,EAAE,IAAI,IAAI,IAAI;KACnB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,kBAAkB;IAEH;IACA;IACA;IACA;IACA;IALnB,YACmB,SAAwB,EACxB,WAAoC,EACpC,OAAoB,EACpB,UAAkC,EAClC,MAAa;QAJb,cAAS,GAAT,SAAS,CAAe;QACxB,gBAAW,GAAX,WAAW,CAAyB;QACpC,YAAO,GAAP,OAAO,CAAa;QACpB,eAAU,GAAV,UAAU,CAAwB;QAClC,WAAM,GAAN,MAAM,CAAO;IAC7B,CAAC;IAEJ,KAAK,CAAC,QAAQ,CAAC,MAA2B;QACxC,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC/D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,IAAI,MAAM,CAAC,WAAW,IAAI,WAAW,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QACnH,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CACvC,qBAAqB,CACnB,SAAS,EACT,WAAW,EACX,IAAI,CAAC,SAAS,CAAC,OAAO,EACtB,IAAI,CAAC,WAAW,CAAC,YAAY,EAC7B,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,SAAS,EAChB,MAAM,CAAC,MAAM,EACb,MAAM,CAAC,IAAI,CACZ,CACF,CAAC;QAEF,OAAO,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;YAC9B,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;YACjC,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,UAAU,EAAE;gBACV,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;gBACjC,YAAY,EAAE,IAAI,CAAC,WAAW,CAAC,YAAY;gBAC3C,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;gBACjC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,aAAa,EAAE,IAAI,CAAC,WAAW,CAAC,aAAa;gBAC7C,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,cAAc,EAAE,IAAI,CAAC,WAAW,CAAC,cAAc;gBAC/C,cAAc,EAAE,IAAI,CAAC,WAAW,CAAC,cAAc;gBAC/C,YAAY,EAAE,IAAI,CAAC,WAAW,CAAC,YAAY;gBAC3C,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;gBACnC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,iBAAiB,EAAE,IAAI,CAAC,WAAW,CAAC,iBAAiB;gBACrD,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,aAAa,EAAE,IAAI,CAAC,WAAW,CAAC,aAAa;aAC9C;YACD,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;YACD,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,IAAI,EAAE,MAAM,CAAC,IAAI;SAClB,CAAC,CAAC;IACL,CAAC;CACF;AAED,SAAS,0BAA0B,CAAC,KAAc;IAChD,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,eAAe,IAAI,KAAK,IAAI,YAAY,IAAI,KAAK,CAAC;AAC1G,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAsC;IAC/D,OAAO,YAAY,IAAI,KAAK,IAAI,WAAW,IAAI,KAAK,CAAC;AACvD,CAAC;AAED,SAAS,kBAAkB,CAAC,QAAyC,EAAE,MAAoB;IACzF,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,IAAI,iBAAiB,CAAC,QAAQ,CAAC,EAAE,CAAC;QAChC,OAAO,IAAI,WAAW,CAAC,QAAQ,CAAC,CAAC;IACnC,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,8EAA8E,CAAC,CAAC;AAClG,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAiC;IAC7D,OAAO,SAAS,IAAI,OAAO,CAAC,aAAa;QACvC,CAAC,CAAC,OAAO,CAAC,aAAa;QACvB,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC;AACpD,CAAC;AAED,SAAS,qBAAqB,CAC5B,OAAiC;IAEjC,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QACtB,OAAO,OAAO,CAAC,SAAS,CAAC;IAC3B,CAAC;IACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,OAAO,IAAI,mBAAmB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAChD,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;AACrE,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,OAAiC;IACjE,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IACD,OAAO,IAAI,kBAAkB,CAC3B,oBAAoB,CAAC,OAAO,CAAC,EAC7B,OAAO,CAAC,UAAU,EAClB,kBAAkB,CAAC,OAAO,CAAC,aAAa,EAAE,OAAO,CAAC,MAAM,CAAC,EACzD,qBAAqB,CAAC,OAAO,CAAC,EAC9B,OAAO,CAAC,KAAK,IAAI,IAAI,WAAW,EAAE,CACnC,CAAC;AACJ,CAAC"}

package/dist/clients/agent/contracts.d.ts

@@ -6,27 +6,8 @@ export interface AgentDispatchIntent {
     body?: string;
     requestedAt?: string;
 }
-export interface AgentCapabilityEnvelope {
-    vaultId: import("../../vault-core/index.js").VaultId;
-    capabilityId: string;
-    agentId: string;
-    secretIds?: readonly string[];
-    secretAliases?: readonly string[];
-    operation: "dispatch_http";
-    allowedTargets: readonly string[];
-    allowedMethods: readonly string[];
-    allowedPaths?: readonly string[];
-    issuedAt: string;
-    expiresAt?: string;
-    revocationVersion?: number;
-    rateLimit?: {
-        maxRequests: number;
-        windowMs: number;
-    };
-    auditRequired?: boolean;
-}
+export type AgentCapabilityEnvelope = import("../../vault-core/index.js").AgentCapability;
 export interface AgentSigner {
-    getPublicKey(): Promise<string>;
     sign(input: string): Promise<string>;
 }
 export interface AgentDispatchTransport {

package/dist/clients/agent/index.d.ts

@@ -1,3 +1,3 @@
 export { createAgentClient } from "./client.js";
-export type { AgentClient, AgentIdentity, } from "./client.js";
+export type { AgentClient, CreateAgentClientOptions, AgentIdentity, } from "./client.js";
 export type { AgentCapabilityEnvelope, AgentDispatchIntent, AgentDispatchTransport, AgentSigner, } from "./contracts.js";

package/dist/clients/owner/client.d.ts

@@ -1,14 +1,16 @@
-import type { Clock } from "../../vault-core/index.js";
+import type { CreatedIdentity } from "../../runtime/identity.js";
+import { type Clock } from "../../vault-core/index.js";
 import type { VaultService } from "../../vault-ingress/index.js";
-import type { VaultAuditQueryInput, VaultExportSecretInput, VaultGrantCapabilityInput, VaultRegisterFlowInput, VaultRegisterAgentInput, OwnerWriteSecretInput } from "./contracts.js";
+import type { VaultAuditQueryInput, OwnerDefineSecretTargetsInput, VaultExportSecretInput, VaultGrantCapabilityInput, VaultRegisterFlowInput, VaultRegisterAgentInput, OwnerStoreSecretInput, OwnerWriteSecretInput } from "./contracts.js";
 export interface VaultIdentity {
     identityId: string;
 }
 export interface VaultSigner {
-    getPublicKey(): Promise<string>;
     sign(input: string): Promise<string>;
 }
 export interface VaultClient {
+    storeSecret(input: OwnerStoreSecretInput): Promise<import("../../vault-core/index.js").SecretRecord>;
+    defineSecretTargets(input: OwnerDefineSecretTargetsInput): Promise<import("../../vault-core/index.js").SecretRecord>;
     writeSecret(input: OwnerWriteSecretInput): Promise<import("../../vault-core/index.js").SecretRecord>;
     exportSecret(input: VaultExportSecretInput): Promise<import("../../vault-core/index.js").OwnerSecretExport>;
     grantCapability(input: VaultGrantCapabilityInput): Promise<void>;
@@ -16,4 +18,10 @@ export interface VaultClient {
     registerAgent(input: VaultRegisterAgentInput): Promise<void>;
     registerFlow(input: VaultRegisterFlowInput): Promise<void>;
 }
-export declare function createVaultClient(identity: VaultIdentity, vault: VaultService, signer: VaultSigner, clock: Clock): VaultClient;
+export interface CreateVaultClientOptions {
+    ownerIdentity: CreatedIdentity | VaultIdentity;
+    vault: VaultService;
+    signer?: VaultSigner;
+    clock?: Clock;
+}
+export declare function createVaultClient(options: CreateVaultClientOptions): VaultClient;

package/dist/clients/owner/client.js

@@ -1,3 +1,5 @@
+import { LocalSigner } from "../../protocol/crypto.js";
+import { SystemClock } from "../../vault-core/index.js";
 class DefaultVaultClient {
     _identity;
     _vault;
@@ -9,16 +11,77 @@ class DefaultVaultClient {
         this._signer = _signer;
         this._clock = _clock;
     }
+    async storeSecret(input) {
+        const requestedAt = input.requestedAt ?? this._clock.nowIso();
+        const requestId = `${this._identity.identityId}:${requestedAt}:${input.alias}:write_secret`;
+        const signature = await this._signer.sign(JSON.stringify({
+            requestId,
+            requestedAt,
+            ownerId: this._identity.identityId,
+            alias: input.alias,
+            plaintext: input.plaintext,
+            targetBindings: [],
+        }));
+        return this._vault.writeSecret({
+            kind: "owner.write_secret",
+            vaultId: this._vault.vaultId,
+            requestId,
+            owner: {
+                kind: "owner",
+                id: this._identity.identityId,
+            },
+            alias: input.alias,
+            plaintext: input.plaintext,
+            targetBindings: [],
+            requestedAt,
+            proof: {
+                ownerId: this._identity.identityId,
+                signature,
+                requestId,
+                requestedAt,
+            },
+        });
+    }
+    async defineSecretTargets(input) {
+        const requestedAt = input.requestedAt ?? this._clock.nowIso();
+        const requestId = `${this._identity.identityId}:${requestedAt}:${input.alias}:define_secret_targets`;
+        const targetBindings = [...input.targetBindings];
+        const signature = await this._signer.sign(JSON.stringify({
+            requestId,
+            requestedAt,
+            ownerId: this._identity.identityId,
+            alias: input.alias,
+            targetBindings,
+        }));
+        return this._vault.defineSecretTargets({
+            vaultId: this._vault.vaultId,
+            requestId,
+            owner: {
+                kind: "owner",
+                id: this._identity.identityId,
+            },
+            alias: input.alias,
+            targetBindings,
+            requestedAt,
+            proof: {
+                ownerId: this._identity.identityId,
+                signature,
+                requestId,
+                requestedAt,
+            },
+        });
+    }
     async writeSecret(input) {
         const requestedAt = input.requestedAt ?? this._clock.nowIso();
         const requestId = `${this._identity.identityId}:${requestedAt}:${input.alias}:write_secret`;
+        const targetBindings = [...input.targetBindings];
         const signature = await this._signer.sign(JSON.stringify({
             requestId,
             requestedAt,
             ownerId: this._identity.identityId,
             alias: input.alias,
             plaintext: input.plaintext,
-            targetBindings: input.targetBindings,
+            targetBindings,
         }));
         return this._vault.writeSecret({
             kind: "owner.write_secret",
@@ -30,7 +93,7 @@ class DefaultVaultClient {
             },
             alias: input.alias,
             plaintext: input.plaintext,
-            targetBindings: input.targetBindings,
+            targetBindings,
             requestedAt,
             proof: {
                 ownerId: this._identity.identityId,
@@ -188,7 +251,30 @@ class DefaultVaultClient {
         });
     }
 }
-export function createVaultClient(identity, vault, signer, clock) {
-    return new DefaultVaultClient(identity, vault, signer, clock);
+function isCreateVaultClientOptions(value) {
+    return typeof value === "object" && value !== null && "ownerIdentity" in value && "vault" in value;
+}
+function isCreatedIdentity(value) {
+    return "privateKey" in value && "publicKey" in value;
+}
+function resolveVaultSigner(identity, signer) {
+    if (signer) {
+        return signer;
+    }
+    if (isCreatedIdentity(identity)) {
+        return new LocalSigner(identity);
+    }
+    throw new Error("createVaultClient() requires signer when ownerIdentity does not include keys");
+}
+function resolveVaultIdentity(options) {
+    return {
+        identityId: options.ownerIdentity.identityId,
+    };
+}
+export function createVaultClient(options) {
+    if (!isCreateVaultClientOptions(options)) {
+        throw new Error("createVaultClient() requires a single options object");
+    }
+    return new DefaultVaultClient(resolveVaultIdentity(options), options.vault, resolveVaultSigner(options.ownerIdentity, options.signer), options.clock ?? new SystemClock());
 }
 //# sourceMappingURL=client.js.map

package/dist/clients/owner/client.js.map

@@ -1 +1 @@
-{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/clients/owner/client.ts"],"names":[],"mappings":"AA6BA,MAAM,kBAAkB;IAEH;IACA;IACA;IACA;IAJnB,YACmB,SAAwB,EACxB,MAAoB,EACpB,OAAoB,EACpB,MAAa;QAHb,cAAS,GAAT,SAAS,CAAe;QACxB,WAAM,GAAN,MAAM,CAAc;QACpB,YAAO,GAAP,OAAO,CAAa;QACpB,WAAM,GAAN,MAAM,CAAO;IAC7B,CAAC;IAEJ,KAAK,CAAC,WAAW,CAAC,KAA4B;QAC5C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,IAAI,KAAK,CAAC,KAAK,eAAe,CAAC;QAC5F,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,cAAc,EAAE,KAAK,CAAC,cAAc;SACrC,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;YAC7B,IAAI,EAAE,oBAAoB;YAC1B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,cAAc,EAAE,KAAK,CAAC,cAAc;YACpC,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,QAA8B,EAAE;QAC9C,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,aAAa,CAAC;QAC3E,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,KAAK;SACN,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;YAC3B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,KAAK;YACL,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAA6B;QAC9C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,IAAI,KAAK,CAAC,KAAK,gBAAgB,CAAC;QAC7F,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,KAAK,EAAE,KAAK,CAAC,KAAK;SACnB,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;YAC9B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,KAA8B;QAChD,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,IAAI,KAAK,CAAC,OAAO,0BAA0B,CAAC;QACzG,MAAM,aAAa,GAAG;YACpB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS,EAAE,KAAK,CAAC,SAAS;SAC3B,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,aAAa;SACd,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,CAAC,MAAM,CAAC,qBAAqB,CAAC;YACtC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,aAAa;YACb,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,KAAgC;QACpD,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,IAAI,KAAK,CAAC,UAAU,CAAC,YAAY,sBAAsB,CAAC;QACrH,MAAM,UAAU,GAAG;YACjB,GAAG,KAAK,CAAC,UAAU;YACnB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;SAC7B,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,UAAU;SACX,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC;YACnC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,UAAU;YACV,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAA6B;QAC9C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,IAAI,KAAK,CAAC,MAAM,uBAAuB,CAAC;QACrG,MAAM,IAAI,GAAG;YACX,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,kBAAkB,EAAE,KAAK,CAAC,kBAAkB;YAC5C,cAAc,EAAE,KAAK,CAAC,cAAc;SACrC,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,IAAI;SACL,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC;YACnC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,IAAI;YACJ,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,UAAU,iBAAiB,CAC/B,QAAuB,EACvB,KAAmB,EACnB,MAAmB,EACnB,KAAY;IAEZ,OAAO,IAAI,kBAAkB,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;AAChE,CAAC"}
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/clients/owner/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAEvD,OAAO,EAAE,WAAW,EAAc,MAAM,2BAA2B,CAAC;AAuCpE,MAAM,kBAAkB;IAEH;IACA;IACA;IACA;IAJnB,YACmB,SAAwB,EACxB,MAAoB,EACpB,OAAoB,EACpB,MAAa;QAHb,cAAS,GAAT,SAAS,CAAe;QACxB,WAAM,GAAN,MAAM,CAAc;QACpB,YAAO,GAAP,OAAO,CAAa;QACpB,WAAM,GAAN,MAAM,CAAO;IAC7B,CAAC;IAEJ,KAAK,CAAC,WAAW,CAAC,KAA4B;QAC5C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,IAAI,KAAK,CAAC,KAAK,eAAe,CAAC;QAC5F,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,cAAc,EAAE,EAAE;SACnB,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;YAC7B,IAAI,EAAE,oBAAoB;YAC1B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,cAAc,EAAE,EAAE;YAClB,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,KAAoC;QAC5D,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,IAAI,KAAK,CAAC,KAAK,wBAAwB,CAAC;QACrG,MAAM,cAAc,GAAG,CAAC,GAAG,KAAK,CAAC,cAAc,CAAC,CAAC;QACjD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,cAAc;SACf,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,mBAAmB,CAAC;YACrC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,cAAc;YACd,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAA4B;QAC5C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,IAAI,KAAK,CAAC,KAAK,eAAe,CAAC;QAC5F,MAAM,cAAc,GAAG,CAAC,GAAG,KAAK,CAAC,cAAc,CAAC,CAAC;QACjD,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,cAAc;SACf,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;YAC7B,IAAI,EAAE,oBAAoB;YAC1B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,cAAc;YACd,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,QAA8B,EAAE;QAC9C,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,aAAa,CAAC;QAC3E,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,KAAK;SACN,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;YAC3B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,KAAK;YACL,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAA6B;QAC9C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,IAAI,KAAK,CAAC,KAAK,gBAAgB,CAAC;QAC7F,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,KAAK,EAAE,KAAK,CAAC,KAAK;SACnB,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;YAC9B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,KAA8B;QAChD,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,IAAI,KAAK,CAAC,OAAO,0BAA0B,CAAC;QACzG,MAAM,aAAa,GAAG;YACpB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS,EAAE,KAAK,CAAC,SAAS;SAC3B,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,aAAa;SACd,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,CAAC,MAAM,CAAC,qBAAqB,CAAC;YACtC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,aAAa;YACb,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,KAAgC;QACpD,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,IAAI,KAAK,CAAC,UAAU,CAAC,YAAY,sBAAsB,CAAC;QACrH,MAAM,UAAU,GAAG;YACjB,GAAG,KAAK,CAAC,UAAU;YACnB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;SAC7B,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,UAAU;SACX,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC;YACnC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,UAAU;YACV,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAA6B;QAC9C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,UAAU,IAAI,WAAW,IAAI,KAAK,CAAC,MAAM,uBAAuB,CAAC;QACrG,MAAM,IAAI,GAAG;YACX,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,kBAAkB,EAAE,KAAK,CAAC,kBAAkB;YAC5C,cAAc,EAAE,KAAK,CAAC,cAAc;SACrC,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;YAClC,IAAI;SACL,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC;YACnC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;aAC9B;YACD,IAAI;YACJ,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU;gBAClC,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;CACF;AAED,SAAS,0BAA0B,CAAC,KAAc;IAChD,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,eAAe,IAAI,KAAK,IAAI,OAAO,IAAI,KAAK,CAAC;AACrG,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAsC;IAC/D,OAAO,YAAY,IAAI,KAAK,IAAI,WAAW,IAAI,KAAK,CAAC;AACvD,CAAC;AAED,SAAS,kBAAkB,CAAC,QAAyC,EAAE,MAAoB;IACzF,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,IAAI,iBAAiB,CAAC,QAAQ,CAAC,EAAE,CAAC;QAChC,OAAO,IAAI,WAAW,CAAC,QAAQ,CAAC,CAAC;IACnC,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,8EAA8E,CAAC,CAAC;AAClG,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAiC;IAC7D,OAAO;QACL,UAAU,EAAE,OAAO,CAAC,aAAa,CAAC,UAAU;KAC7C,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,OAAiC;IACjE,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IACD,OAAO,IAAI,kBAAkB,CAC3B,oBAAoB,CAAC,OAAO,CAAC,EAC7B,OAAO,CAAC,KAAK,EACb,kBAAkB,CAAC,OAAO,CAAC,aAAa,EAAE,OAAO,CAAC,MAAM,CAAC,EACzD,OAAO,CAAC,KAAK,IAAI,IAAI,WAAW,EAAE,CACnC,CAAC;AACJ,CAAC"}

package/dist/clients/owner/contracts.d.ts

@@ -12,6 +12,16 @@ export interface OwnerWriteSecretInput {
     targetBindings: readonly OwnerSecretTargetBinding[];
     requestedAt?: string;
 }
+export interface OwnerStoreSecretInput {
+    alias: string;
+    plaintext: string;
+    requestedAt?: string;
+}
+export interface OwnerDefineSecretTargetsInput {
+    alias: string;
+    targetBindings: readonly OwnerSecretTargetBinding[];
+    requestedAt?: string;
+}
 export interface VaultAuditQueryInput {
     actorId?: string;
     secretAlias?: string;

package/dist/clients/owner/index.d.ts

@@ -1,3 +1,3 @@
 export { createVaultClient } from "./client.js";
-export type { VaultClient, VaultIdentity, VaultSigner, } from "./client.js";
-export type { VaultAuditQueryInput, VaultExportSecretInput, VaultGrantCapabilityInput, VaultRegisterFlowInput, VaultRegisterAgentInput, OwnerSecretTargetBinding, OwnerWriteSecretInput, } from "./contracts.js";
+export type { VaultClient, CreateVaultClientOptions, VaultIdentity, VaultSigner, } from "./client.js";
+export type { VaultAuditQueryInput, OwnerDefineSecretTargetsInput, VaultExportSecretInput, VaultGrantCapabilityInput, VaultRegisterFlowInput, VaultRegisterAgentInput, OwnerSecretTargetBinding, OwnerStoreSecretInput, OwnerWriteSecretInput, } from "./contracts.js";

package/dist/runtime/index.d.ts

@@ -1,21 +1,16 @@
 /**
  * Runtime export.
- * Hard-cut public surface: vault core plus explicit clients only.
+ * Public surface: high-level runtime and client APIs only.
  */
 export { IdentityError, IdentityErrorCode } from "../errors.js";
-export { derivePublicKey, LocalSigner } from "../protocol/crypto.js";
-export { deriveIdentityId } from "../protocol/identity.js";
 export type { IStorageProvider } from "../storage/provider.js";
 export { FsStorageProvider } from "../storage/fs.js";
-export { MemoryStorageProvider } from "../storage/memory.js";
 export { createIdentity, deriveChildIdentity, restoreIdentity, type CreateIdentityOptions, type RestoreIdentityOptions, type CreatedIdentity, } from "./identity.js";
 export { createChildIdentity, type CreateChildIdentityOptions, } from "./child-identity.js";
-export { readVaultProfile, writeVaultProfile, type VaultProfile, } from "./vault-metadata.js";
 export { createWorkspaceStorage, getDefaultWorkspaceDir, } from "./workspace-storage.js";
-export { ensurePrivateVault, readPrivateVaultProfile, readPrivateVaultChildrenState, privateVaultPrefix, privateVaultProfileKey, privateVaultChildrenKey, type PrivateVaultProfile, type PrivateVaultChildRecord, type PrivateVaultChildrenState, } from "./private-vault.js";
+export { ensurePrivateVault, } from "./private-vault.js";
 export { createVault, recoverVault, type CreateVaultOptions, type CreatedVault, type RecoverVaultOptions, type RecoveredVault, } from "./bootstrap.js";
-export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, type CreateDefaultVaultCoreDependenciesOptions, type DefaultPolicyEngineOptions, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, type InitializeVaultCustodyOptions, type InitializedVaultCustody, type CreatePersistentVaultCoreDependenciesOptions, PersistentVaultAuditLog, PersistentVaultCapabilityRegistry, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, type SignatureAgentProofVerifierOptions, SignatureAgentProofVerifier, SystemClock, type AgentCapability, type AgentIdentityRecord, type AgentProof, type OwnerAuditRequest, type OwnerExportSecretRequest, type OwnerRegisterCapabilityCommand, type OwnerRegisterAgentIdentityCommand, type OwnerRegisterCustomHttpFlowCommand, type OwnerSecretExport, type OwnerIdentityRecord, type CustomHttpFlowDefinition, type OwnerProof, type AuditEntry, type AuditLog, type AuditQuery, type Clock, type DispatchAuthorization, type DispatchInstruction, type DispatchRequest, type DispatchResult, type IdGenerator, type OwnerIdentityRegistry, type OwnerProofVerifier, type PolicyEngine, type RateLimitStore, type ReplayGuard, type CustomHttpFlowRegistry, type SecretAlias, type SecretCustody, type SecretId, type SecretRecord, type SecretRepository, type SecretVersion, type TrustedExecutor, type VaultCore, type VaultCoreDependencies, type VaultPrincipal, type VaultPrincipalKind, type VaultTargetBinding, type VaultWriteSecretCommand, type VaultId, type AgentIdentityRegistry, type AgentProofVerifier, type CapabilityRevocationRegistry, type CapabilityRegistry, } from "../vault-core/index.js";
-export { createVaultClient, type VaultClient, type VaultIdentity, type VaultSigner, type VaultAuditQueryInput, type VaultExportSecretInput, type VaultGrantCapabilityInput, type VaultRegisterFlowInput, type VaultRegisterAgentInput, type OwnerSecretTargetBinding, type OwnerWriteSecretInput, } from "../clients/owner/index.js";
-export { createAgentClient, type AgentClient, type AgentIdentity, type AgentCapabilityEnvelope, type AgentDispatchIntent, type AgentDispatchTransport, type AgentSigner, } from "../clients/agent/index.js";
-export { createVaultService, wrapVaultCoreAsVaultService, createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, toOwnerHttpFlowBoundary, type VaultService, type VaultAcquireSecretInput, type VaultAcquireSecretResult, type VaultAcquireSecretFlow, type VaultCustomFlowResolver, type VaultAgentDispatchRequest, type VaultAgentDispatchResponse, type VaultAgentDispatchErrorResponse, type RedactedResponseShape, type OwnerHttpFlowBoundary, } from "../vault-ingress/index.js";
-export { LocalVaultTransport, } from "../vault-ingress/defaults.js";
+export { VaultCoreError, type AgentCapability, type SecretRecord } from "../vault-core/index.js";
+export { createVaultClient, type VaultClient, type CreateVaultClientOptions, type VaultIdentity, type VaultSigner, type VaultAuditQueryInput, type OwnerDefineSecretTargetsInput, type VaultExportSecretInput, type VaultGrantCapabilityInput, type VaultRegisterFlowInput, type VaultRegisterAgentInput, type OwnerSecretTargetBinding, type OwnerStoreSecretInput, type OwnerWriteSecretInput, } from "../clients/owner/index.js";
+export { createAgentClient, type AgentClient, type CreateAgentClientOptions, type AgentIdentity, type AgentCapabilityEnvelope, type AgentDispatchIntent, type AgentDispatchTransport, type AgentSigner, } from "../clients/agent/index.js";
+export { createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, type OwnerHttpFlowBoundary, } from "../vault-ingress/index.js";

package/dist/runtime/index.js

@@ -1,21 +1,16 @@
 /**
  * Runtime export.
- * Hard-cut public surface: vault core plus explicit clients only.
+ * Public surface: high-level runtime and client APIs only.
  */
 export { IdentityError, IdentityErrorCode } from "../errors.js";
-export { derivePublicKey, LocalSigner } from "../protocol/crypto.js";
-export { deriveIdentityId } from "../protocol/identity.js";
 export { FsStorageProvider } from "../storage/fs.js";
-export { MemoryStorageProvider } from "../storage/memory.js";
 export { createIdentity, deriveChildIdentity, restoreIdentity, } from "./identity.js";
 export { createChildIdentity, } from "./child-identity.js";
-export { readVaultProfile, writeVaultProfile, } from "./vault-metadata.js";
 export { createWorkspaceStorage, getDefaultWorkspaceDir, } from "./workspace-storage.js";
-export { ensurePrivateVault, readPrivateVaultProfile, readPrivateVaultChildrenState, privateVaultPrefix, privateVaultProfileKey, privateVaultChildrenKey, } from "./private-vault.js";
+export { ensurePrivateVault, } from "./private-vault.js";
 export { createVault, recoverVault, } from "./bootstrap.js";
-export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, PersistentVaultAuditLog, PersistentVaultCapabilityRegistry, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, SignatureAgentProofVerifier, SystemClock, } from "../vault-core/index.js";
+export { VaultCoreError } from "../vault-core/index.js";
 export { createVaultClient, } from "../clients/owner/index.js";
 export { createAgentClient, } from "../clients/agent/index.js";
-export { createVaultService, wrapVaultCoreAsVaultService, createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, toOwnerHttpFlowBoundary, } from "../vault-ingress/index.js";
-export { LocalVaultTransport, } from "../vault-ingress/defaults.js";
+export { createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, } from "../vault-ingress/index.js";
 //# sourceMappingURL=index.js.map

package/dist/runtime/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AACrE,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,eAAe,GAIhB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,mBAAmB,GAEpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,gBAAgB,EAChB,iBAAiB,GAElB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,kBAAkB,EAClB,uBAAuB,EACvB,6BAA6B,EAC7B,kBAAkB,EAClB,sBAAsB,EACtB,uBAAuB,GAIxB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,WAAW,EACX,YAAY,GAKb,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,kCAAkC,EAGlC,mBAAmB,EACnB,qCAAqC,EACrC,sBAAsB,EACtB,sBAAsB,EACtB,kCAAkC,EAIlC,uBAAuB,EACvB,iCAAiC,EACjC,2CAA2C,EAC3C,qCAAqC,EACrC,6BAA6B,EAC7B,0BAA0B,EAC1B,4BAA4B,EAC5B,+BAA+B,EAC/B,oBAAoB,EACpB,6BAA6B,EAC7B,0BAA0B,EAC1B,oCAAoC,EACpC,8BAA8B,EAC9B,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,6BAA6B,EAC7B,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,EACjB,2BAA2B,EAE3B,2BAA2B,EAC3B,WAAW,GA8CZ,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,iBAAiB,GAWlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,iBAAiB,GAOlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,kBAAkB,EAClB,2BAA2B,EAC3B,2BAA2B,EAC3B,6BAA6B,EAC7B,8BAA8B,EAC9B,uBAAuB,GAWxB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,mBAAmB,GACpB,MAAM,8BAA8B,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAEhE,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,eAAe,GAIhB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,mBAAmB,GAEpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,kBAAkB,GACnB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,WAAW,EACX,YAAY,GAKb,MAAM,gBAAgB,CAAC;AAExB,OAAO,EAAE,cAAc,EAA2C,MAAM,wBAAwB,CAAC;AAEjG,OAAO,EACL,iBAAiB,GAclB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,iBAAiB,GAQlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,2BAA2B,EAC3B,6BAA6B,EAC7B,8BAA8B,GAE/B,MAAM,2BAA2B,CAAC"}

package/dist/vault-core/contracts.d.ts

@@ -41,6 +41,17 @@ export interface OwnerWriteSecretCommand {
     };
     alias: string;
     plaintext: string;
+    targetBindings?: readonly VaultTargetBinding[];
+    requestedAt: string;
+    proof: OwnerProof;
+}
+export interface OwnerDefineSecretTargetsCommand {
+    vaultId: VaultId;
+    requestId: string;
+    owner: VaultPrincipal & {
+        kind: "owner";
+    };
+    alias: string;
     targetBindings: readonly VaultTargetBinding[];
     requestedAt: string;
     proof: OwnerProof;
@@ -198,7 +209,7 @@ export interface AuditEntry {
     occurredAt: string;
     vaultId: string;
     actor: VaultPrincipal;
-    action: "bootstrap_owner_identity" | "register_agent_identity" | "register_custom_flow" | "register_capability" | "write_secret" | "export_secret" | "reassign_alias" | "authorize_dispatch" | "dispatch_secret" | "read_audit";
+    action: "bootstrap_owner_identity" | "register_agent_identity" | "register_custom_flow" | "register_capability" | "write_secret" | "define_secret_targets" | "export_secret" | "reassign_alias" | "authorize_dispatch" | "dispatch_secret" | "read_audit";
     requestId?: string;
     capabilityId?: string;
     operation?: AgentCapability["operation"] | AuditEntry["action"];

package/dist/vault-core/core.d.ts

@@ -1,4 +1,4 @@
-import type { AuditEntry, AuditQuery, CustomHttpFlowDefinition, DispatchAuthorization, DispatchRequest, DispatchResult, OwnerExportSecretRequest, OwnerRegisterCapabilityCommand, OwnerRegisterAgentIdentityCommand, OwnerRegisterCustomHttpFlowCommand, OwnerSecretExport, SecretRecord, VaultPrincipal, VaultWriteSecretCommand } from "./contracts.js";
+import type { AuditEntry, AuditQuery, CustomHttpFlowDefinition, DispatchAuthorization, DispatchRequest, DispatchResult, OwnerDefineSecretTargetsCommand, OwnerExportSecretRequest, OwnerRegisterCapabilityCommand, OwnerRegisterAgentIdentityCommand, OwnerRegisterCustomHttpFlowCommand, OwnerSecretExport, SecretRecord, VaultPrincipal, VaultWriteSecretCommand } from "./contracts.js";
 import type { VaultCore, VaultCoreDependencies } from "./ports.js";
 export declare class DefaultVaultCore implements VaultCore {
     private readonly _deps;
@@ -13,6 +13,7 @@ export declare class DefaultVaultCore implements VaultCore {
     registerCustomFlow(command: OwnerRegisterCustomHttpFlowCommand): Promise<void>;
     storeCustomFlowSecret(flow: CustomHttpFlowDefinition, alias: string, plaintext: string): Promise<SecretRecord>;
     writeSecret(command: VaultWriteSecretCommand): Promise<SecretRecord>;
+    defineSecretTargets(command: OwnerDefineSecretTargetsCommand): Promise<SecretRecord>;
     authorizeDispatch(request: DispatchRequest): Promise<DispatchAuthorization>;
     dispatchSecret(request: DispatchRequest): Promise<DispatchResult>;
     getAudit(actor: VaultPrincipal & {

package/dist/vault-core/core.js

@@ -26,7 +26,7 @@ function buildSecretRecord(deps, command) {
         issuerId: command.kind === "issuer.write_secret" ? command.issuerSiteId : null,
         targetBindings: command.kind === "issuer.write_secret"
             ? [...(command.targetBindings ?? [{ kind: "site", targetId: command.issuerSiteId }])]
-            : [...command.targetBindings],
+            : [...(command.targetBindings ?? [])],
         createdAt: now,
         updatedAt: now,
     };
@@ -246,6 +246,42 @@ export class DefaultVaultCore {
         }
         return record;
     }
+    async defineSecretTargets(command) {
+        if (command.vaultId.value !== this._deps.vaultId.value) {
+            throw new VaultCoreError("write vault mismatch", "VAULT_WRITE_DENIED");
+        }
+        try {
+            await this._deps.ownerProofVerifier.verifyDefineSecretTargets(command);
+            await this._deps.policy.authorizeDefineSecretTargets(command);
+        }
+        catch (error) {
+            const detail = error instanceof Error ? error.message : String(error);
+            await this.appendAudit(toAuditEntry(this._deps, command.owner, "define_secret_targets", "denied", detail, {
+                secretAlias: command.alias,
+            }));
+            throw error;
+        }
+        const existing = await this._deps.secrets.getByAlias({ value: command.alias });
+        if (!existing) {
+            const error = new VaultCoreError("secret not found", "VAULT_SECRET_NOT_FOUND");
+            await this.appendAudit(toAuditEntry(this._deps, command.owner, "define_secret_targets", "denied", error.message, {
+                secretAlias: command.alias,
+            }));
+            throw error;
+        }
+        const nextRecord = {
+            ...existing,
+            targetBindings: [...command.targetBindings],
+            updatedAt: this._deps.clock.nowIso(),
+        };
+        await this._deps.secrets.save(nextRecord);
+        await this.appendAudit(toAuditEntry(this._deps, command.owner, "define_secret_targets", "succeeded", "secret targets defined", {
+            requestId: command.requestId,
+            secretAlias: nextRecord.alias.value,
+            secretId: nextRecord.secretId.value,
+        }));
+        return nextRecord;
+    }
     async authorizeDispatch(request) {
         if (request.vaultId.value !== this._deps.vaultId.value) {
             throw new VaultCoreError("request vault mismatch", "VAULT_DISPATCH_DENIED");