npm - @the-ai-company/cbio-node-runtime - Versions diffs - 1.2.0 → 1.5.0 - Mend

@the-ai-company/cbio-node-runtime 1.2.0 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (52) hide show

package/README.md +34 -14
package/dist/clients/owner/client.d.ts +2 -2
package/dist/clients/owner/client.js +7 -8
package/dist/clients/owner/client.js.map +1 -1
package/dist/clients/owner/contracts.d.ts +4 -5
package/dist/clients/owner/index.d.ts +1 -1
package/dist/protocol/childSecretNaming.d.ts +7 -0
package/dist/protocol/childSecretNaming.js +12 -0
package/dist/protocol/childSecretNaming.js.map +1 -0
package/dist/protocol/identity.d.ts +8 -0
package/dist/protocol/identity.js +16 -0
package/dist/protocol/identity.js.map +1 -0
package/dist/runtime/bootstrap.d.ts +8 -10
package/dist/runtime/bootstrap.js +3 -5
package/dist/runtime/bootstrap.js.map +1 -1
package/dist/runtime/identity.d.ts +6 -0
package/dist/runtime/identity.js +14 -0
package/dist/runtime/identity.js.map +1 -0
package/dist/runtime/index.d.ts +7 -6
package/dist/runtime/index.js +5 -4
package/dist/runtime/index.js.map +1 -1
package/dist/vault-core/contracts.d.ts +11 -11
package/dist/vault-core/core.d.ts +3 -2
package/dist/vault-core/core.js +26 -8
package/dist/vault-core/core.js.map +1 -1
package/dist/vault-core/defaults.d.ts +9 -3
package/dist/vault-core/defaults.js +18 -8
package/dist/vault-core/defaults.js.map +1 -1
package/dist/vault-core/index.d.ts +4 -4
package/dist/vault-core/index.js +2 -2
package/dist/vault-core/index.js.map +1 -1
package/dist/vault-core/persistence.d.ts +33 -4
package/dist/vault-core/persistence.js +92 -1
package/dist/vault-core/persistence.js.map +1 -1
package/dist/vault-core/ports.d.ts +9 -3
package/dist/vault-ingress/defaults.d.ts +1 -7
package/dist/vault-ingress/defaults.js +0 -13
package/dist/vault-ingress/defaults.js.map +1 -1
package/dist/vault-ingress/index.d.ts +2 -7
package/dist/vault-ingress/index.js +10 -11
package/dist/vault-ingress/index.js.map +1 -1
package/docs/ARCHITECTURE.md +23 -4
package/docs/CUSTODY_MODEL.md +5 -2
package/docs/IDENTITY_MODEL.md +120 -0
package/docs/REFERENCE.md +32 -11
package/docs/es/README.md +42 -2
package/docs/fr/README.md +42 -2
package/docs/ja/README.md +42 -2
package/docs/ko/README.md +42 -2
package/docs/pt/README.md +42 -2
package/docs/zh/README.md +5 -5
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -8,6 +8,7 @@ Node.js vault runtime with a hard-cut architecture: vault core first, explicit c
 - [English](README.md)
 - [Custody Model](docs/CUSTODY_MODEL.md)
+- [Identity Model](docs/IDENTITY_MODEL.md)
 - [中文](docs/zh/README.md)
 - [日本語](docs/ja/README.md)
 - [한국어](docs/ko/README.md)
@@ -40,21 +41,36 @@ npm install @the-ai-company/cbio-node-runtime
 import {
   createVaultService,
   createDefaultVaultCoreDependencies,
-  initializePersistentVault,
-  recoverPersistentVault,
+  createIdentity,
+  createOwnedVault,
+  recoverVault,
   createOwnerHttpFlowBoundary,
   createStandardAcquireBoundary,
   createStandardDispatchBoundary,
   createOwnerClient,
   createAgentClient,
   FsStorageProvider,
-  InMemoryVaultCapabilityResolver,
   LocalVaultTransport,
 } from '@the-ai-company/cbio-node-runtime';
 ```
 ## Architecture
+Core terms:
+- `identity`
+  An external principal represented by a public/private keypair.
+- `owner`
+  The single admin role that a vault binds to one identity.
+- `agent`
+  A delegated role that a vault binds to an identity registered by the owner.
+Important role rule:
+- outside the vault there are only identities
+- inside a specific vault, those identities may be bound to roles such as `owner` or `agent`
+- identities are independent; they do not imply parent/child lineage or inheritance by default
 The public runtime surface follows four hard rules:
 1. Secret plaintext lives only in vault core.
@@ -104,7 +120,7 @@ An owner-defined exception path also exists for non-standard but intentional int
   Vault boundary/facade. Accepts request-shaped calls, handles trusted acquisition paths, and keeps capability resolution plus dispatch ingress inside the vault trust boundary.
 - `clients/owner`
-  Owner-facing client. Writes secrets, exports plaintext secrets, and reads audit.
+  Owner-facing client. The owner is the single vault admin. It writes secrets, exports plaintext secrets, manages agents/capabilities, and reads audit.
 - `clients/agent`
   Agent-facing client. Creates signed dispatch requests. Never handles plaintext secret.
@@ -117,11 +133,12 @@ This package now exposes the production local vault runtime surface as the prima
 ## Example Shape
 ```ts
-const capabilities = new InMemoryVaultCapabilityResolver();
-const vault = createVaultService(createDefaultVaultCoreDependencies(), { capabilities });
-const owner = createOwnerClient(ownerIdentity, vault, ownerSigner, clock);
+const ownerIdentity = createIdentity();
+const agentIdentity = createIdentity();
+const vault = createVaultService(createDefaultVaultCoreDependencies());
+const owner = createOwnerClient({ ownerId: ownerIdentity.identityId }, vault, new LocalSigner(ownerIdentity), clock);
 const transport = new LocalVaultTransport(vault, capability.capabilityId);
-const agent = createAgentClient(agentIdentity, capability, signer, transport, clock);
+const agent = createAgentClient({ agentId: agentIdentity.identityId }, capability, new LocalSigner(agentIdentity), transport, clock);
 ```
 Capability example:
@@ -137,6 +154,8 @@ const capability = {
   allowedMethods: ['POST'],
   issuedAt: new Date().toISOString(),
 };
+await owner.registerCapability({ capability });
 ```
 Custom flow example:
@@ -183,22 +202,23 @@ console.log(exported.plaintext);
 Persistent custody bootstrap example:
 ```ts
+const ownerIdentity = createIdentity();
 const storage = new FsStorageProvider('/tmp/cbio-vault');
-const initializedVault = await initializePersistentVault(storage, {
+const createdVault = await createOwnedVault(storage, {
   vaultId: 'vault-persistent',
   bootstrapOwner: {
     vaultId: { value: 'vault-persistent' },
-    ownerId: 'owner-1',
-    publicKey: ownerPublicKey,
+    ownerId: ownerIdentity.identityId,
+    publicKey: ownerIdentity.publicKey,
   },
 });
 // Show once to the owner and let them store it offline.
-console.log(initializedVault.initializedCustody.vaultRecoveryKey);
+console.log(createdVault.initializedCustody.vaultRecoveryKey);
-const recoveredVault = await recoverPersistentVault(storage, {
+const recoveredVault = await recoverVault(storage, {
   vaultId: 'vault-persistent',
-  initializedVault.initializedCustody.vaultRecoveryKey,
+  vaultRecoveryKey: createdVault.initializedCustody.vaultRecoveryKey,
 });
 ```

package/dist/clients/owner/client.d.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 import type { Clock } from "../../vault-core/index.js";
 import type { VaultService } from "../../vault-ingress/index.js";
-import type { OwnerAuditQueryInput, OwnerExportSecretInput, OwnerRegisterCustomHttpFlowInput, OwnerRegisterAgentIdentityInput, OwnerRegisterOwnerIdentityInput, OwnerWriteSecretInput } from "./contracts.js";
+import type { OwnerAuditQueryInput, OwnerExportSecretInput, OwnerRegisterCapabilityInput, OwnerRegisterCustomHttpFlowInput, OwnerRegisterAgentIdentityInput, OwnerWriteSecretInput } from "./contracts.js";
 export interface OwnerIdentity {
     ownerId: string;
 }
@@ -11,9 +11,9 @@ export interface OwnerSigner {
 export interface OwnerClient {
     writeSecret(input: OwnerWriteSecretInput): Promise<import("../../vault-core/index.js").SecretRecord>;
     exportSecret(input: OwnerExportSecretInput): Promise<import("../../vault-core/index.js").OwnerSecretExport>;
+    registerCapability(input: OwnerRegisterCapabilityInput): Promise<void>;
     getAudit(query?: OwnerAuditQueryInput): Promise<readonly import("../../vault-core/index.js").AuditEntry[]>;
     registerAgentIdentity(input: OwnerRegisterAgentIdentityInput): Promise<void>;
-    registerOwnerIdentity(input: OwnerRegisterOwnerIdentityInput): Promise<void>;
     registerCustomFlow(input: OwnerRegisterCustomHttpFlowInput): Promise<void>;
 }
 export declare function createOwnerClient(identity: OwnerIdentity, vault: VaultService, signer: OwnerSigner, clock: Clock): OwnerClient;

package/dist/clients/owner/client.js CHANGED Viewed

@@ -123,28 +123,27 @@ class DefaultOwnerClient {
             },
         });
     }
-    async registerOwnerIdentity(input) {
+    async registerCapability(input) {
         const requestedAt = input.requestedAt ?? this._clock.nowIso();
-        const requestId = `${this._identity.ownerId}:${requestedAt}:${input.ownerId}:register_owner_identity`;
-        const ownerIdentity = {
+        const requestId = `${this._identity.ownerId}:${requestedAt}:${input.capability.capabilityId}:register_capability`;
+        const capability = {
+            ...input.capability,
             vaultId: this._vault.vaultId,
-            ownerId: input.ownerId,
-            publicKey: input.publicKey,
         };
         const signature = await this._signer.sign(JSON.stringify({
             requestId,
             requestedAt,
             ownerId: this._identity.ownerId,
-            ownerIdentity,
+            capability,
         }));
-        await this._vault.registerOwnerIdentity({
+        await this._vault.registerCapability({
             vaultId: this._vault.vaultId,
             requestId,
             owner: {
                 kind: "owner",
                 id: this._identity.ownerId,
             },
-            ownerIdentity,
+            capability,
             requestedAt,
             proof: {
                 ownerId: this._identity.ownerId,

package/dist/clients/owner/client.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/clients/owner/client.ts"],"names":[],"mappings":"AA6BA,MAAM,kBAAkB;IAEH;IACA;IACA;IACA;IAJnB,YACmB,SAAwB,EACxB,MAAoB,EACpB,OAAoB,EACpB,MAAa;QAHb,cAAS,GAAT,SAAS,CAAe;QACxB,WAAM,GAAN,MAAM,CAAc;QACpB,YAAO,GAAP,OAAO,CAAa;QACpB,WAAM,GAAN,MAAM,CAAO;IAC7B,CAAC;IAEJ,KAAK,CAAC,WAAW,CAAC,KAA4B;QAC5C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,IAAI,KAAK,CAAC,KAAK,eAAe,CAAC;QACzF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;YAC/B,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,cAAc,EAAE,KAAK,CAAC,cAAc;SACrC,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;YAC7B,IAAI,EAAE,oBAAoB;YAC1B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,cAAc,EAAE,KAAK,CAAC,cAAc;YACpC,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,QAA8B,EAAE;QAC7C,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,aAAa,CAAC;QACxE,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;YAC/B,KAAK;SACN,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;YAC3B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,KAAK;YACL,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAA6B;QAC9C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,IAAI,KAAK,CAAC,KAAK,gBAAgB,CAAC;QAC1F,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;YAC/B,KAAK,EAAE,KAAK,CAAC,KAAK;SACnB,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;YAC9B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAC,KAAsC;QAChE,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,IAAI,KAAK,CAAC,OAAO,0BAA0B,CAAC;QACtG,MAAM,aAAa,GAAG;YACpB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS,EAAE,KAAK,CAAC,SAAS;SAC3B,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;YAC/B,aAAa;SACd,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,CAAC,MAAM,CAAC,qBAAqB,CAAC;YACtC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,aAAa;YACb,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,~~qBAAqB~~,CAAC,~~KAAsC~~;~~QAChE~~,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,IAAI,KAAK,CAAC,~~OAAO~~,~~0BAA0B~~,CAAC;~~QACtG~~,MAAM,~~aAAa~~,GAAG;~~YACpB~~,~~OAAO~~,~~EAAE~~,~~IAAI,~~CAAC,~~MAAM,CAAC,OAAO~~;~~YAC5B~~,OAAO,EAAE,~~KAAK~~,CAAC,~~OAAO;YACtB~~,~~SAAS,EAAE,KAAK,~~CAAC,~~SAAS~~;~~SAC3B~~,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;YAC/B,~~aAAa~~;~~SACd~~,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,CAAC,MAAM,CAAC,~~qBAAqB~~,CAAC;~~YACtC~~,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,~~aAAa~~;~~YACb~~,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,KAAuC;QAC9D,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,IAAI,KAAK,CAAC,MAAM,uBAAuB,CAAC;QAClG,MAAM,IAAI,GAAG;YACX,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,kBAAkB,EAAE,KAAK,CAAC,kBAAkB;YAC5C,cAAc,EAAE,KAAK,CAAC,cAAc;SACrC,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;YAC/B,IAAI;SACL,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC;YACnC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,IAAI;YACJ,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,UAAU,iBAAiB,CAC/B,QAAuB,EACvB,KAAmB,EACnB,MAAmB,EACnB,KAAY;IAEZ,OAAO,IAAI,kBAAkB,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;AAChE,CAAC"}
1	+ {"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/clients/owner/client.ts"],"names":[],"mappings":"AA6BA,MAAM,kBAAkB;IAEH;IACA;IACA;IACA;IAJnB,YACmB,SAAwB,EACxB,MAAoB,EACpB,OAAoB,EACpB,MAAa;QAHb,cAAS,GAAT,SAAS,CAAe;QACxB,WAAM,GAAN,MAAM,CAAc;QACpB,YAAO,GAAP,OAAO,CAAa;QACpB,WAAM,GAAN,MAAM,CAAO;IAC7B,CAAC;IAEJ,KAAK,CAAC,WAAW,CAAC,KAA4B;QAC5C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,IAAI,KAAK,CAAC,KAAK,eAAe,CAAC;QACzF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;YAC/B,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,cAAc,EAAE,KAAK,CAAC,cAAc;SACrC,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;YAC7B,IAAI,EAAE,oBAAoB;YAC1B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,cAAc,EAAE,KAAK,CAAC,cAAc;YACpC,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,QAA8B,EAAE;QAC7C,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,aAAa,CAAC;QACxE,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;YAC/B,KAAK;SACN,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;YAC3B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,KAAK;YACL,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAA6B;QAC9C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,IAAI,KAAK,CAAC,KAAK,gBAAgB,CAAC;QAC1F,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;YAC/B,KAAK,EAAE,KAAK,CAAC,KAAK;SACnB,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;YAC9B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,qBAAqB,CAAC,KAAsC;QAChE,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,IAAI,KAAK,CAAC,OAAO,0BAA0B,CAAC;QACtG,MAAM,aAAa,GAAG;YACpB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS,EAAE,KAAK,CAAC,SAAS;SAC3B,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;YAC/B,aAAa;SACd,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,CAAC,MAAM,CAAC,qBAAqB,CAAC;YACtC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,aAAa;YACb,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,KAAmC;QAC1D,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,IAAI,KAAK,CAAC,UAAU,CAAC,YAAY,sBAAsB,CAAC;QAClH,MAAM,UAAU,GAAG;YACjB,GAAG,KAAK,CAAC,UAAU;YACnB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;SAC7B,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;YAC/B,UAAU;SACX,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC;YACnC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,UAAU;YACV,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,KAAuC;QAC9D,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,IAAI,KAAK,CAAC,MAAM,uBAAuB,CAAC;QAClG,MAAM,IAAI,GAAG;YACX,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,kBAAkB,EAAE,KAAK,CAAC,kBAAkB;YAC5C,cAAc,EAAE,KAAK,CAAC,cAAc;SACrC,CAAC;QACF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;YACvD,SAAS;YACT,WAAW;YACX,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;YAC/B,IAAI;SACL,CAAC,CAAC,CAAC;QACJ,MAAM,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC;YACnC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,IAAI;YACJ,WAAW;YACX,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,SAAS;gBACT,SAAS;gBACT,WAAW;aACZ;SACF,CAAC,CAAC;IACL,CAAC;CACF;AAED,MAAM,UAAU,iBAAiB,CAC/B,QAAuB,EACvB,KAAmB,EACnB,MAAmB,EACnB,KAAY;IAEZ,OAAO,IAAI,kBAAkB,CAAC,QAAQ,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;AAChE,CAAC"}

package/dist/clients/owner/contracts.d.ts CHANGED Viewed

@@ -27,12 +27,11 @@ export interface OwnerRegisterAgentIdentityInput {
     publicKey: string;
     requestedAt?: string;
 }
-export interface OwnerRegisterOwnerIdentityInput {
-    ownerId: string;
-    publicKey: string;
-    requestedAt?: string;
-}
 export interface OwnerRegisterCustomHttpFlowInput extends OwnerHttpFlowBoundary {
     flowId: string;
     requestedAt?: string;
 }
+export interface OwnerRegisterCapabilityInput {
+    capability: import("../../vault-core/index.js").AgentCapability;
+    requestedAt?: string;
+}

package/dist/clients/owner/index.d.ts CHANGED Viewed

@@ -1,3 +1,3 @@
 export { createOwnerClient } from "./client.js";
 export type { OwnerClient, OwnerIdentity, OwnerSigner, } from "./client.js";
-export type { OwnerAuditQueryInput, OwnerExportSecretInput, OwnerRegisterCustomHttpFlowInput, OwnerRegisterAgentIdentityInput, OwnerRegisterOwnerIdentityInput, OwnerSecretTargetBinding, OwnerWriteSecretInput, } from "./contracts.js";
+export type { OwnerAuditQueryInput, OwnerExportSecretInput, OwnerRegisterCapabilityInput, OwnerRegisterCustomHttpFlowInput, OwnerRegisterAgentIdentityInput, OwnerSecretTargetBinding, OwnerWriteSecretInput, } from "./contracts.js";

package/dist/protocol/childSecretNaming.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+/**
+ * Vault secret naming for child identities. CHILD_KEY_PREFIX, getChildIdentitySecretName.
+ * Not protocol objects. Protocol talks about public identities and signatures,
+ * not local secret names or internal storage prefixes.
+ */
+export declare const CHILD_KEY_PREFIX: "cbio:child:";
+export declare function getChildIdentitySecretName(publicKey: string): string;

package/dist/protocol/childSecretNaming.js ADDED Viewed

@@ -0,0 +1,12 @@
+/**
+ * Vault secret naming for child identities. CHILD_KEY_PREFIX, getChildIdentitySecretName.
+ * Not protocol objects. Protocol talks about public identities and signatures,
+ * not local secret names or internal storage prefixes.
+ */
+import * as crypto from 'node:crypto';
+export const CHILD_KEY_PREFIX = 'cbio:child:';
+export function getChildIdentitySecretName(publicKey) {
+    const hash = crypto.createHash('sha256').update(publicKey).digest('hex').substring(0, 12);
+    return CHILD_KEY_PREFIX + hash;
+}
+//# sourceMappingURL=childSecretNaming.js.map

package/dist/protocol/childSecretNaming.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"childSecretNaming.js","sourceRoot":"","sources":["../../src/protocol/childSecretNaming.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AAEtC,MAAM,CAAC,MAAM,gBAAgB,GAAG,aAAsB,CAAC;AAEvD,MAAM,UAAU,0BAA0B,CAAC,SAAiB;IACxD,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC1F,OAAO,gBAAgB,GAAG,IAAI,CAAC;AACnC,CAAC"}

package/dist/protocol/identity.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+/**
+ * Claw-biometric Core Identity. Runtime utilities over protocol primitives.
+ * getVaultPath (runtime). Re-exports protocol for consumers.
+ */
+import { deriveRootAgentId } from '@the-ai-company/cbio-protocol';
+import { getChildIdentitySecretName, CHILD_KEY_PREFIX } from './childSecretNaming.js';
+export { deriveRootAgentId, getChildIdentitySecretName, CHILD_KEY_PREFIX };
+export declare function getVaultPath(publicKey: string): string;

package/dist/protocol/identity.js ADDED Viewed

@@ -0,0 +1,16 @@
+/**
+ * Claw-biometric Core Identity. Runtime utilities over protocol primitives.
+ * getVaultPath (runtime). Re-exports protocol for consumers.
+ */
+import * as os from 'node:os';
+import * as path from 'node:path';
+import * as crypto from 'node:crypto';
+import { deriveRootAgentId } from '@the-ai-company/cbio-protocol';
+import { getChildIdentitySecretName, CHILD_KEY_PREFIX } from './childSecretNaming.js';
+export { deriveRootAgentId, getChildIdentitySecretName, CHILD_KEY_PREFIX };
+export function getVaultPath(publicKey) {
+    const hash = crypto.createHash('sha256').update(publicKey).digest('hex').substring(0, 12);
+    const baseDir = process.env.C_BIO_VAULT_DIR || path.join(os.homedir(), '.c-bio');
+    return path.join(baseDir, `vault_${hash}.enc`);
+}
+//# sourceMappingURL=identity.js.map

package/dist/protocol/identity.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/protocol/identity.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAClC,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AAClE,OAAO,EAAE,0BAA0B,EAAE,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAEtF,OAAO,EAAE,iBAAiB,EAAE,0BAA0B,EAAE,gBAAgB,EAAE,CAAC;AAE3E,MAAM,UAAU,YAAY,CAAC,SAAiB;IAC1C,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAC1F,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,eAAe,IAAI,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,QAAQ,CAAC,CAAC;IACjF,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,SAAS,IAAI,MAAM,CAAC,CAAC;AACnD,CAAC"}

package/dist/runtime/bootstrap.d.ts CHANGED Viewed

@@ -1,33 +1,31 @@
 import { type CreatePersistentVaultCoreDependenciesOptions, type InitializedVaultCustody, type InitializeVaultCustodyOptions, type OwnerIdentityRecord, type VaultCore } from "../vault-core/index.js";
-import { type VaultService, type VaultCapabilityResolver, type VaultCustomFlowResolver } from "../vault-ingress/index.js";
+import { type VaultService, type VaultCustomFlowResolver } from "../vault-ingress/index.js";
 import type { IStorageProvider } from "../storage/provider.js";
-export interface InitializePersistentVaultOptions extends Omit<CreatePersistentVaultCoreDependenciesOptions, "vaultWorkingKey"> {
+export interface CreateOwnedVaultOptions extends Omit<CreatePersistentVaultCoreDependenciesOptions, "vaultWorkingKey"> {
     custody?: InitializeVaultCustodyOptions;
-    bootstrapOwner?: OwnerIdentityRecord;
+    bootstrapOwner: OwnerIdentityRecord;
     vault?: {
-        capabilities?: VaultCapabilityResolver;
         customFlows?: VaultCustomFlowResolver;
         fetchImpl?: typeof fetch;
     };
 }
-export interface InitializedPersistentVault {
+export interface CreatedOwnedVault {
     initializedCustody: InitializedVaultCustody;
     core: VaultCore;
     vault: VaultService;
 }
-export interface RecoverPersistentVaultOptions extends Omit<CreatePersistentVaultCoreDependenciesOptions, "vaultWorkingKey"> {
+export interface RecoverVaultOptions extends Omit<CreatePersistentVaultCoreDependenciesOptions, "vaultWorkingKey"> {
     vaultRecoveryKey: string;
     custodyStorageKey?: string;
     vault?: {
-        capabilities?: VaultCapabilityResolver;
         customFlows?: VaultCustomFlowResolver;
         fetchImpl?: typeof fetch;
     };
 }
-export interface RecoveredPersistentVault {
+export interface RecoveredVault {
     vaultWorkingKey: string;
     core: VaultCore;
     vault: VaultService;
 }
-export declare function initializePersistentVault(storage: IStorageProvider, options: InitializePersistentVaultOptions): Promise<InitializedPersistentVault>;
-export declare function recoverPersistentVault(storage: IStorageProvider, options: RecoverPersistentVaultOptions): Promise<RecoveredPersistentVault>;
+export declare function createOwnedVault(storage: IStorageProvider, options: CreateOwnedVaultOptions): Promise<CreatedOwnedVault>;
+export declare function recoverVault(storage: IStorageProvider, options: RecoverVaultOptions): Promise<RecoveredVault>;

package/dist/runtime/bootstrap.js CHANGED Viewed

@@ -1,23 +1,21 @@
 import { createVaultCore } from "../vault-core/core.js";
 import { createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, } from "../vault-core/index.js";
 import { wrapVaultCoreAsVaultService, } from "../vault-ingress/index.js";
-export async function initializePersistentVault(storage, options) {
+export async function createOwnedVault(storage, options) {
     const initializedCustody = await initializeVaultCustody(storage, options.custody);
     const deps = createPersistentVaultCoreDependencies(storage, {
         ...options,
         vaultWorkingKey: initializedCustody.vaultWorkingKey,
     });
     const core = createVaultCore(deps);
-    if (options.bootstrapOwner) {
-        await core.bootstrapOwnerIdentity(options.bootstrapOwner);
-    }
+    await core.bootstrapOwnerIdentity(options.bootstrapOwner);
     return {
         initializedCustody,
         core,
         vault: wrapVaultCoreAsVaultService(core, options.vault),
     };
 }
-export async function recoverPersistentVault(storage, options) {
+export async function recoverVault(storage, options) {
     const vaultWorkingKey = await recoverVaultWorkingKey(storage, options.vaultRecoveryKey, options.custodyStorageKey);
     const deps = createPersistentVaultCoreDependencies(storage, {
         ...options,

package/dist/runtime/bootstrap.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../src/runtime/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EACL,qCAAqC,EACrC,sBAAsB,EACtB,sBAAsB,GAMvB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,2BAA2B,~~GAI5B~~,MAAM,2BAA2B,CAAC;~~AAmCnC~~,MAAM,CAAC,KAAK,UAAU,~~yBAAyB~~,~~CAC7C~~,OAAyB,EACzB,~~OAAyC~~;~~IAEzC~~,MAAM,kBAAkB,GAAG,MAAM,sBAAsB,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAClF,MAAM,IAAI,GAAG,qCAAqC,CAAC,OAAO,EAAE;QAC1D,GAAG,OAAO;QACV,eAAe,EAAE,kBAAkB,CAAC,eAAe;KACpD,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACnC,~~IAAI,OAAO,CAAC,cAAc,EAAE,CAAC;QAC3B,~~MAAM,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;~~IAC5D~~,~~CAAC;IACD,~~OAAO;QACL,kBAAkB;QAClB,IAAI;QACJ,KAAK,EAAE,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC;KACxD,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,~~sBAAsB~~,~~CAC1C~~,OAAyB,EACzB,~~OAAsC~~;~~IAEtC~~,MAAM,eAAe,GAAG,MAAM,sBAAsB,CAClD,OAAO,EACP,OAAO,CAAC,gBAAgB,EACxB,OAAO,CAAC,iBAAiB,CAC1B,CAAC;IACF,MAAM,IAAI,GAAG,qCAAqC,CAAC,OAAO,EAAE;QAC1D,GAAG,OAAO;QACV,eAAe;KAChB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACnC,OAAO;QACL,eAAe;QACf,IAAI;QACJ,KAAK,EAAE,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC;KACxD,CAAC;AACJ,CAAC"}
1	+ {"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../src/runtime/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EACL,qCAAqC,EACrC,sBAAsB,EACtB,sBAAsB,GAMvB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,2BAA2B,GAG5B,MAAM,2BAA2B,CAAC;AAiCnC,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,OAAyB,EACzB,OAAgC;IAEhC,MAAM,kBAAkB,GAAG,MAAM,sBAAsB,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAClF,MAAM,IAAI,GAAG,qCAAqC,CAAC,OAAO,EAAE;QAC1D,GAAG,OAAO;QACV,eAAe,EAAE,kBAAkB,CAAC,eAAe;KACpD,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAC1D,OAAO;QACL,kBAAkB;QAClB,IAAI;QACJ,KAAK,EAAE,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC;KACxD,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,OAAyB,EACzB,OAA4B;IAE5B,MAAM,eAAe,GAAG,MAAM,sBAAsB,CAClD,OAAO,EACP,OAAO,CAAC,gBAAgB,EACxB,OAAO,CAAC,iBAAiB,CAC1B,CAAC;IACF,MAAM,IAAI,GAAG,qCAAqC,CAAC,OAAO,EAAE;QAC1D,GAAG,OAAO;QACV,eAAe;KAChB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACnC,OAAO;QACL,eAAe;QACf,IAAI;QACJ,KAAK,EAAE,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC;KACxD,CAAC;AACJ,CAAC"}

package/dist/runtime/identity.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+export interface CreatedIdentity {
+    identityId: string;
+    publicKey: string;
+    privateKey: string;
+}
+export declare function createIdentity(): CreatedIdentity;

package/dist/runtime/identity.js ADDED Viewed

@@ -0,0 +1,14 @@
+import { generateIdentityKeys } from "../protocol/crypto.js";
+import { deriveRootAgentId } from "../protocol/identity.js";
+export function createIdentity() {
+    const keyPair = generateIdentityKeys();
+    if (!keyPair.publicKey || !keyPair.privateKey) {
+        throw new Error("identity generation failed");
+    }
+    return {
+        identityId: deriveRootAgentId(keyPair.publicKey),
+        publicKey: keyPair.publicKey,
+        privateKey: keyPair.privateKey,
+    };
+}
+//# sourceMappingURL=identity.js.map

package/dist/runtime/identity.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/runtime/identity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAQ5D,MAAM,UAAU,cAAc;IAC5B,MAAM,OAAO,GAAG,oBAAoB,EAAE,CAAC;IACvC,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,OAAO;QACL,UAAU,EAAE,iBAAiB,CAAC,OAAO,CAAC,SAAS,CAAC;QAChD,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,UAAU,EAAE,OAAO,CAAC,UAAU;KAC/B,CAAC;AACJ,CAAC"}

package/dist/runtime/index.d.ts CHANGED Viewed

@@ -3,13 +3,14 @@
  * Hard-cut public surface: vault core plus explicit clients only.
  */
 export { IdentityError, IdentityErrorCode } from "../errors.js";
-export { generateIdentityKeys, derivePublicKey, LocalSigner } from "../protocol/crypto.js";
+export { derivePublicKey, LocalSigner } from "../protocol/crypto.js";
 export type { IStorageProvider } from "../storage/provider.js";
 export { FsStorageProvider } from "../storage/fs.js";
 export { MemoryStorageProvider } from "../storage/memory.js";
-export { initializePersistentVault, recoverPersistentVault, type InitializePersistentVaultOptions, type InitializedPersistentVault, type RecoverPersistentVaultOptions, type RecoveredPersistentVault, } from "./bootstrap.js";
-export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, type CreateDefaultVaultCoreDependenciesOptions, type DefaultPolicyEngineOptions, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, type InitializeVaultCustodyOptions, type InitializedVaultCustody, type CreatePersistentVaultCoreDependenciesOptions, PersistentVaultAuditLog, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, type SignatureAgentProofVerifierOptions, SignatureAgentProofVerifier, SystemClock, type AgentCapability, type AgentIdentityRecord, type AgentProof, type OwnerAuditRequest, type OwnerExportSecretRequest, type OwnerRegisterAgentIdentityCommand, type OwnerRegisterCustomHttpFlowCommand, type OwnerRegisterOwnerIdentityCommand, type OwnerSecretExport, type OwnerIdentityRecord, type CustomHttpFlowDefinition, type OwnerProof, type AuditEntry, type AuditLog, type AuditQuery, type Clock, type DispatchAuthorization, type DispatchInstruction, type DispatchRequest, type DispatchResult, type IdGenerator, type OwnerIdentityRegistry, type OwnerProofVerifier, type PolicyEngine, type RateLimitStore, type ReplayGuard, type CustomHttpFlowRegistry, type SecretAlias, type SecretCustody, type SecretId, type SecretRecord, type SecretRepository, type SecretVersion, type TrustedExecutor, type VaultCore, type VaultCoreDependencies, type VaultPrincipal, type VaultPrincipalKind, type VaultTargetBinding, type VaultWriteSecretCommand, type VaultId, type AgentIdentityRegistry, type AgentProofVerifier, type CapabilityRevocationRegistry, } from "../vault-core/index.js";
-export { createOwnerClient, type OwnerClient, type OwnerIdentity, type OwnerSigner, type OwnerAuditQueryInput, type OwnerExportSecretInput, type OwnerRegisterCustomHttpFlowInput, type OwnerRegisterAgentIdentityInput, type OwnerRegisterOwnerIdentityInput, type OwnerSecretTargetBinding, type OwnerWriteSecretInput, } from "../clients/owner/index.js";
+export { createIdentity, type CreatedIdentity, } from "./identity.js";
+export { createOwnedVault, recoverVault, type CreateOwnedVaultOptions, type CreatedOwnedVault, type RecoverVaultOptions, type RecoveredVault, } from "./bootstrap.js";
+export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, type CreateDefaultVaultCoreDependenciesOptions, type DefaultPolicyEngineOptions, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, type InitializeVaultCustodyOptions, type InitializedVaultCustody, type CreatePersistentVaultCoreDependenciesOptions, PersistentVaultAuditLog, PersistentVaultCapabilityRegistry, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, type SignatureAgentProofVerifierOptions, SignatureAgentProofVerifier, SystemClock, type AgentCapability, type AgentIdentityRecord, type AgentProof, type OwnerAuditRequest, type OwnerExportSecretRequest, type OwnerRegisterCapabilityCommand, type OwnerRegisterAgentIdentityCommand, type OwnerRegisterCustomHttpFlowCommand, type OwnerSecretExport, type OwnerIdentityRecord, type CustomHttpFlowDefinition, type OwnerProof, type AuditEntry, type AuditLog, type AuditQuery, type Clock, type DispatchAuthorization, type DispatchInstruction, type DispatchRequest, type DispatchResult, type IdGenerator, type OwnerIdentityRegistry, type OwnerProofVerifier, type PolicyEngine, type RateLimitStore, type ReplayGuard, type CustomHttpFlowRegistry, type SecretAlias, type SecretCustody, type SecretId, type SecretRecord, type SecretRepository, type SecretVersion, type TrustedExecutor, type VaultCore, type VaultCoreDependencies, type VaultPrincipal, type VaultPrincipalKind, type VaultTargetBinding, type VaultWriteSecretCommand, type VaultId, type AgentIdentityRegistry, type AgentProofVerifier, type CapabilityRevocationRegistry, type CapabilityRegistry, } from "../vault-core/index.js";
+export { createOwnerClient, type OwnerClient, type OwnerIdentity, type OwnerSigner, type OwnerAuditQueryInput, type OwnerExportSecretInput, type OwnerRegisterCapabilityInput, type OwnerRegisterCustomHttpFlowInput, type OwnerRegisterAgentIdentityInput, type OwnerSecretTargetBinding, type OwnerWriteSecretInput, } from "../clients/owner/index.js";
 export { createAgentClient, type AgentClient, type AgentIdentity, type AgentCapabilityEnvelope, type AgentDispatchIntent, type AgentDispatchTransport, type AgentSigner, } from "../clients/agent/index.js";
-export { createVaultService, wrapVaultCoreAsVaultService, createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, toOwnerHttpFlowBoundary, type VaultService, type VaultAcquireSecretInput, type VaultAcquireSecretResult, type VaultAcquireSecretFlow, type VaultCustomFlowResolver, type VaultCapabilityResolver, type VaultAgentDispatchRequest, type VaultAgentDispatchResponse, type VaultAgentDispatchErrorResponse, type RedactedResponseShape, type OwnerHttpFlowBoundary, } from "../vault-ingress/index.js";
-export { InMemoryVaultCapabilityResolver, LocalVaultTransport, } from "../vault-ingress/defaults.js";
+export { createVaultService, wrapVaultCoreAsVaultService, createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, toOwnerHttpFlowBoundary, type VaultService, type VaultAcquireSecretInput, type VaultAcquireSecretResult, type VaultAcquireSecretFlow, type VaultCustomFlowResolver, type VaultAgentDispatchRequest, type VaultAgentDispatchResponse, type VaultAgentDispatchErrorResponse, type RedactedResponseShape, type OwnerHttpFlowBoundary, } from "../vault-ingress/index.js";
+export { LocalVaultTransport, } from "../vault-ingress/defaults.js";

package/dist/runtime/index.js CHANGED Viewed

@@ -3,13 +3,14 @@
  * Hard-cut public surface: vault core plus explicit clients only.
  */
 export { IdentityError, IdentityErrorCode } from "../errors.js";
-export { generateIdentityKeys, derivePublicKey, LocalSigner } from "../protocol/crypto.js";
+export { derivePublicKey, LocalSigner } from "../protocol/crypto.js";
 export { FsStorageProvider } from "../storage/fs.js";
 export { MemoryStorageProvider } from "../storage/memory.js";
-export { initializePersistentVault, recoverPersistentVault, } from "./bootstrap.js";
-export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, PersistentVaultAuditLog, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, SignatureAgentProofVerifier, SystemClock, } from "../vault-core/index.js";
+export { createIdentity, } from "./identity.js";
+export { createOwnedVault, recoverVault, } from "./bootstrap.js";
+export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, PersistentVaultAuditLog, PersistentVaultCapabilityRegistry, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, SignatureAgentProofVerifier, SystemClock, } from "../vault-core/index.js";
 export { createOwnerClient, } from "../clients/owner/index.js";
 export { createAgentClient, } from "../clients/agent/index.js";
 export { createVaultService, wrapVaultCoreAsVaultService, createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, toOwnerHttpFlowBoundary, } from "../vault-ingress/index.js";
-export { InMemoryVaultCapabilityResolver, LocalVaultTransport, } from "../vault-ingress/defaults.js";
+export { LocalVaultTransport, } from "../vault-ingress/defaults.js";
 //# sourceMappingURL=index.js.map

package/dist/runtime/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,~~oBAAoB,EAAE,~~eAAe,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;~~AAE3F~~,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EACL,~~yBAAyB~~,~~EACzB~~,~~sBAAsB~~,~~GAKvB~~,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,kCAAkC,EAGlC,mBAAmB,EACnB,qCAAqC,EACrC,sBAAsB,EACtB,sBAAsB,EACtB,kCAAkC,EAIlC,uBAAuB,EACvB,2CAA2C,EAC3C,qCAAqC,EACrC,6BAA6B,EAC7B,0BAA0B,EAC1B,4BAA4B,EAC5B,+BAA+B,EAC/B,oBAAoB,EACpB,6BAA6B,EAC7B,oCAAoC,EACpC,8BAA8B,EAC9B,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,6BAA6B,EAC7B,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,EACjB,2BAA2B,EAE3B,2BAA2B,EAC3B,WAAW,~~GA6CZ~~,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,iBAAiB,GAWlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,iBAAiB,GAOlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,kBAAkB,EAClB,2BAA2B,EAC3B,2BAA2B,EAC3B,6BAA6B,EAC7B,8BAA8B,EAC9B,uBAAuB,~~GAYxB~~,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL~~,+BAA+B~~,~~EAC/B,~~mBAAmB,GACpB,MAAM,8BAA8B,CAAC"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAErE,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EACL,cAAc,GAEf,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,gBAAgB,EAChB,YAAY,GAKb,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,kCAAkC,EAGlC,mBAAmB,EACnB,qCAAqC,EACrC,sBAAsB,EACtB,sBAAsB,EACtB,kCAAkC,EAIlC,uBAAuB,EACvB,iCAAiC,EACjC,2CAA2C,EAC3C,qCAAqC,EACrC,6BAA6B,EAC7B,0BAA0B,EAC1B,4BAA4B,EAC5B,+BAA+B,EAC/B,oBAAoB,EACpB,6BAA6B,EAC7B,0BAA0B,EAC1B,oCAAoC,EACpC,8BAA8B,EAC9B,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,6BAA6B,EAC7B,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,EACjB,2BAA2B,EAE3B,2BAA2B,EAC3B,WAAW,GA8CZ,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,iBAAiB,GAWlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,iBAAiB,GAOlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,kBAAkB,EAClB,2BAA2B,EAC3B,2BAA2B,EAC3B,6BAA6B,EAC7B,8BAA8B,EAC9B,uBAAuB,GAWxB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,mBAAmB,GACpB,MAAM,8BAA8B,CAAC"}

package/dist/vault-core/contracts.d.ts CHANGED Viewed

@@ -68,16 +68,6 @@ export interface OwnerRegisterAgentIdentityCommand {
     requestedAt: string;
     proof: OwnerProof;
 }
-export interface OwnerRegisterOwnerIdentityCommand {
-    vaultId: VaultId;
-    requestId: string;
-    owner: VaultPrincipal & {
-        kind: "owner";
-    };
-    ownerIdentity: OwnerIdentityRecord;
-    requestedAt: string;
-    proof: OwnerProof;
-}
 export interface CustomHttpFlowDefinition {
     vaultId: VaultId;
     flowId: string;
@@ -114,6 +104,16 @@ export interface OwnerRegisterCustomHttpFlowCommand {
     requestedAt: string;
     proof: OwnerProof;
 }
+export interface OwnerRegisterCapabilityCommand {
+    vaultId: VaultId;
+    requestId: string;
+    owner: VaultPrincipal & {
+        kind: "owner";
+    };
+    capability: AgentCapability;
+    requestedAt: string;
+    proof: OwnerProof;
+}
 export interface AgentCapability {
     vaultId: VaultId;
     capabilityId: string;
@@ -198,7 +198,7 @@ export interface AuditEntry {
     occurredAt: string;
     vaultId: string;
     actor: VaultPrincipal;
-    action: "bootstrap_owner_identity" | "register_agent_identity" | "register_owner_identity" | "register_custom_flow" | "write_secret" | "export_secret" | "reassign_alias" | "authorize_dispatch" | "dispatch_secret" | "read_audit";
+    action: "bootstrap_owner_identity" | "register_agent_identity" | "register_custom_flow" | "register_capability" | "write_secret" | "export_secret" | "reassign_alias" | "authorize_dispatch" | "dispatch_secret" | "read_audit";
     requestId?: string;
     capabilityId?: string;
     operation?: AgentCapability["operation"] | AuditEntry["action"];

package/dist/vault-core/core.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import type { AuditEntry, AuditQuery, CustomHttpFlowDefinition, DispatchAuthorization, DispatchRequest, DispatchResult, OwnerExportSecretRequest, OwnerRegisterAgentIdentityCommand, OwnerRegisterCustomHttpFlowCommand, OwnerRegisterOwnerIdentityCommand, OwnerSecretExport, SecretRecord, VaultPrincipal, VaultWriteSecretCommand } from "./contracts.js";
+import type { AuditEntry, AuditQuery, CustomHttpFlowDefinition, DispatchAuthorization, DispatchRequest, DispatchResult, OwnerExportSecretRequest, OwnerRegisterCapabilityCommand, OwnerRegisterAgentIdentityCommand, OwnerRegisterCustomHttpFlowCommand, OwnerSecretExport, SecretRecord, VaultPrincipal, VaultWriteSecretCommand } from "./contracts.js";
 import type { VaultCore, VaultCoreDependencies } from "./ports.js";
 export declare class DefaultVaultCore implements VaultCore {
     private readonly _deps;
@@ -8,7 +8,8 @@ export declare class DefaultVaultCore implements VaultCore {
     private appendDecisionAudit;
     bootstrapOwnerIdentity(identity: import("./contracts.js").OwnerIdentityRecord): Promise<void>;
     registerAgentIdentity(command: OwnerRegisterAgentIdentityCommand): Promise<void>;
-    registerOwnerIdentity(command: OwnerRegisterOwnerIdentityCommand): Promise<void>;
+    registerCapability(command: OwnerRegisterCapabilityCommand): Promise<void>;
+    getCapability(vaultId: import("./contracts.js").VaultId, agentId: string, capabilityId: string): Promise<import("./contracts.js").AgentCapability | null>;
     registerCustomFlow(command: OwnerRegisterCustomHttpFlowCommand): Promise<void>;
     storeCustomFlowSecret(flow: CustomHttpFlowDefinition, alias: string, plaintext: string): Promise<SecretRecord>;
     writeSecret(command: VaultWriteSecretCommand): Promise<SecretRecord>;

package/dist/vault-core/core.js CHANGED Viewed

@@ -86,24 +86,42 @@ export class DefaultVaultCore {
             throw error;
         }
     }
-    async registerOwnerIdentity(command) {
+    async registerCapability(command) {
         if (command.vaultId.value !== this._deps.vaultId.value) {
-            throw new VaultCoreError("identity registration vault mismatch", "VAULT_IDENTITY_DENIED");
+            throw new VaultCoreError("capability registration vault mismatch", "VAULT_IDENTITY_DENIED");
         }
-        if (command.ownerIdentity.vaultId.value !== this._deps.vaultId.value) {
-            throw new VaultCoreError("owner identity vault mismatch", "VAULT_IDENTITY_DENIED");
+        if (command.capability.vaultId.value !== this._deps.vaultId.value) {
+            throw new VaultCoreError("capability vault mismatch", "VAULT_IDENTITY_DENIED");
+        }
+        if (command.capability.agentId !== command.capability.agentId.trim() || !command.capability.agentId.trim()) {
+            throw new VaultCoreError("capability agent id required", "VAULT_IDENTITY_DENIED");
+        }
+        if (!command.capability.capabilityId.trim()) {
+            throw new VaultCoreError("capability id required", "VAULT_IDENTITY_DENIED");
         }
         try {
-            await this._deps.ownerProofVerifier.verifyRegisterOwnerIdentity(command);
-            await this._deps.ownerIdentities.register(command.ownerIdentity);
-            await this.appendAudit(toAuditEntry(this._deps, command.owner, "register_owner_identity", "succeeded", `owner identity registered: ${command.ownerIdentity.ownerId}`));
+            await this._deps.ownerProofVerifier.verifyRegisterCapability(command);
+            await this._deps.capabilities.register(command.capability);
+            await this.appendAudit(toAuditEntry(this._deps, command.owner, "register_capability", "succeeded", `capability registered: ${command.capability.capabilityId}`, {
+                capabilityId: command.capability.capabilityId,
+                operation: command.capability.operation,
+            }));
         }
         catch (error) {
             const detail = error instanceof Error ? error.message : String(error);
-            await this.appendAudit(toAuditEntry(this._deps, command.owner, "register_owner_identity", "denied", detail));
+            await this.appendAudit(toAuditEntry(this._deps, command.owner, "register_capability", "denied", detail, {
+                capabilityId: command.capability.capabilityId,
+                operation: command.capability.operation,
+            }));
             throw error;
         }
     }
+    async getCapability(vaultId, agentId, capabilityId) {
+        if (vaultId.value !== this._deps.vaultId.value) {
+            throw new VaultCoreError("capability lookup vault mismatch", "VAULT_IDENTITY_DENIED");
+        }
+        return this._deps.capabilities.get(vaultId, agentId, capabilityId);
+    }
     async registerCustomFlow(command) {
         if (command.vaultId.value !== this._deps.vaultId.value) {
             throw new VaultCoreError("custom flow vault mismatch", "VAULT_IDENTITY_DENIED");