@the-ai-company/cbio-node-runtime 1.45.5 → 1.46.0

package/dist/runtime/bootstrap.js

@@ -1,29 +1,12 @@
 import crypto from "node:crypto";
 import { createVaultCore } from "../vault-core/core.js";
 import { createPersistentVaultCoreDependencies, } from "../vault-core/index.js";
+import { deriveVaultWorkingKeyFromPassword } from "../protocol/crypto.js";
 import { wrapVaultCoreAsVaultService, } from "../vault-ingress/index.js";
 import { createPrefixedStorage } from "../storage/prefix.js";
 import { FsStorageProvider } from "../storage/fs.js";
-import { readVaultProfile, writeVaultProfile, readVaultPublicMetadata } from "./vault-metadata.js";
+import { readVaultProfile, writeVaultProfile } from "./vault-metadata.js";
 import { createWorkspaceStorage } from "./workspace-storage.js";
-/**
- * Derives the deterministic working key for a vault.
- *
- * @param privateKey - The owner's private key.
- * @param vaultId - The unique ID of the vault.
- * @returns A base64url-encoded 256-bit key.
- * @internal Used by `createVault` and `recoverVault`.
- */
-export function deriveVaultWorkingKey(privateKey, vaultId) {
-    return crypto
-        .createHash("sha256")
-        .update("cbio:vault-working-key:v1")
-        .update("\n")
-        .update(vaultId)
-        .update("\n")
-        .update(privateKey)
-        .digest("base64url");
-}
 function vaultStoragePrefix(vaultId) {
     return `vaults/${vaultId}`;
 }
@@ -47,33 +30,19 @@ export async function createVault(storageOrOptions, maybeOptions) {
     const { storage: workspaceStorage, options } = resolveStorage(storageOrOptions, maybeOptions);
     const vaultId = options.vaultId ?? `vault_${crypto.randomUUID()}`;
     const storage = createPrefixedStorage(workspaceStorage, vaultStoragePrefix(vaultId));
-    const vaultWorkingKey = deriveVaultWorkingKey(options.ownerIdentity.privateKey, vaultId);
+    const vaultWorkingKey = deriveVaultWorkingKeyFromPassword(options.password, vaultId);
     const deps = createPersistentVaultCoreDependencies(storage, {
         ...options,
         vaultId,
         vaultWorkingKey,
     });
     const core = createVaultCore(deps);
-    const bootstrapOwner = {
-        vaultId: core.vaultId,
-        ownerId: options.ownerIdentity.identityId,
-        publicKey: options.ownerIdentity.publicKey,
-    };
-    await core.bootstrapOwnerIdentity(bootstrapOwner);
     const nickname = options.nickname?.trim() ? options.nickname.trim() : undefined;
-    // 1. Critical configuration (e.g. key materials, sensitive bounds) remains in private
-    // 2. Discovery metadata (ownerId, nickname, custom tags) is stored in the public sealed profile for easy UI retrieval
+    // Single encrypted profile block. Hold the password to see everything.
     await writeVaultProfile(storage, {
-        sealedPrivate: {
-            vaultId,
-            ownerId: options.ownerIdentity.identityId,
-        },
-        sealedPublic: {
-            vaultId,
-            ownerId: options.ownerIdentity.identityId,
-            ...options.publicMetadata,
-            nickname, // Nickname override takes precedence
-        }
+        vaultId,
+        nickname,
+        ...options.metadata,
     }, vaultWorkingKey, vaultId);
     return {
         core,
@@ -85,7 +54,7 @@ export async function createVault(storageOrOptions, maybeOptions) {
 export async function recoverVault(storageOrOptions, maybeOptions) {
     const { storage: workspaceStorage, options } = resolveStorage(storageOrOptions, maybeOptions);
     const storage = createPrefixedStorage(workspaceStorage, vaultStoragePrefix(options.vaultId));
-    const vaultWorkingKey = deriveVaultWorkingKey(options.ownerIdentity.privateKey, options.vaultId);
+    const vaultWorkingKey = deriveVaultWorkingKeyFromPassword(options.password, options.vaultId);
     const deps = createPersistentVaultCoreDependencies(storage, {
         ...options,
         vaultId: options.vaultId,
@@ -99,7 +68,7 @@ export async function recoverVault(storageOrOptions, maybeOptions) {
     return {
         core,
         vault: wrapVaultCoreAsVaultService(core, options.vault),
-        nickname: profile.sealedPublic.nickname,
+        nickname: profile.nickname,
         storage,
     };
 }
@@ -113,35 +82,20 @@ export async function listVaults(storage) {
     if (!storage.list) {
         return [];
     }
-    const ids = await storage.list("vaults");
-    const results = [];
-    for (const id of ids) {
-        const vaultStorage = createPrefixedStorage(storage, vaultStoragePrefix(id));
-        const publicData = await readVaultPublicMetadata(vaultStorage, id);
-        results.push({
-            vaultId: id,
-            public: publicData || {},
-        });
-    }
-    return results;
+    return await storage.list("vaults");
 }
 /**
  * Updates the metadata (like nickname) of an existing vault.
  */
 export async function updateVaultMetadata(vault, options) {
     const vaultId = vault.core.vaultId.value;
-    const vaultWorkingKey = deriveVaultWorkingKey(options.ownerIdentity.privateKey, vaultId);
-    // Read current profile to preserve secret part
+    const vaultWorkingKey = deriveVaultWorkingKeyFromPassword(options.password, vaultId);
+    // Read current profile to preserve other fields
     const current = await readVaultProfile(vault.storage, vaultWorkingKey, vaultId);
     await writeVaultProfile(vault.storage, {
-        sealedPrivate: current?.sealedPrivate || { vaultId, ownerId: options.ownerIdentity.identityId },
-        sealedPublic: {
-            ...current?.sealedPublic, // Preserve existing public metadata
-            vaultId,
-            ownerId: options.ownerIdentity.identityId, // Ensure ownerId is always populated for discovery
-            ...(options.publicMetadata ?? {}), // Merge new custom fields if any
-            nickname: options.nickname ?? current?.sealedPublic.nickname,
-        }
+        ...(current || {}),
+        nickname: options.nickname ?? current?.nickname,
+        ...(options.metadata ?? {}),
     }, vaultWorkingKey, vaultId);
 }
 //# sourceMappingURL=bootstrap.js.map

package/dist/runtime/bootstrap.js.map

@@ -1 +1 @@
-{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../src/runtime/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EACL,qCAAqC,GAItC,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,2BAA2B,GAG5B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAGrD,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,uBAAuB,EAAE,MAAM,qBAAqB,CAAC;AACnG,OAAO,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAC;AAEhE;;;;;;;GAOG;AACH,MAAM,UAAU,qBAAqB,CAAC,UAAkB,EAAE,OAAe;IACvE,OAAO,MAAM;SACV,UAAU,CAAC,QAAQ,CAAC;SACpB,MAAM,CAAC,2BAA2B,CAAC;SACnC,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,OAAO,CAAC;SACf,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,UAAU,CAAC;SAClB,MAAM,CAAC,WAAW,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,kBAAkB,CAAC,OAAe;IACzC,OAAO,UAAU,OAAO,EAAE,CAAC;AAC7B,CAAC;AAkDD,SAAS,cAAc,CACrB,gBAAsF,EACtF,YAAuD;IAEvD,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,OAAO,GAAG,OAAO,gBAAgB,KAAK,QAAQ;YAClD,CAAC,CAAC,IAAI,iBAAiB,CAAC,gBAAgB,CAAC;YACzC,CAAC,CAAC,gBAAoC,CAAC;QACzC,OAAO;YACL,OAAO;YACP,OAAO,EAAE,YAAY;SACtB,CAAC;IACJ,CAAC;IACD,gEAAgE;IAChE,OAAO;QACL,OAAO,EAAE,sBAAsB,EAAE;QACjC,OAAO,EAAE,gBAA4D;KACtE,CAAC;AACJ,CAAC;AAwBD,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,gBAAgE,EAChE,YAAiC;IAEjC,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,GAAG,cAAc,CAAC,gBAAgB,EAAE,YAAY,CAG3F,CAAC;IACF,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,SAAS,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;IAClE,MAAM,OAAO,GAAG,qBAAqB,CAAC,gBAAgB,EAAE,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC;IACrF,MAAM,eAAe,GAAG,qBAAqB,CAAC,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAEzF,MAAM,IAAI,GAAG,qCAAqC,CAAC,OAAO,EAAE;QAC1D,GAAG,OAAO;QACV,OAAO;QACP,eAAe;KAChB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,cAAc,GAAwB;QAC1C,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,UAAU;QACzC,SAAS,EAAE,OAAO,CAAC,aAAa,CAAC,SAAS;KAC3C,CAAC;IACF,MAAM,IAAI,CAAC,sBAAsB,CAAC,cAAc,CAAC,CAAC;IAElD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAEhF,sFAAsF;IACtF,sHAAsH;IACtH,MAAM,iBAAiB,CAAC,OAAO,EAAE;QAC/B,aAAa,EAAE;YACb,OAAO;YACP,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,UAAU;SAC1C;QACD,YAAY,EAAE;YACZ,OAAO;YACP,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,UAAU;YACzC,GAAG,OAAO,CAAC,cAAc;YACzB,QAAQ,EAAE,qCAAqC;SAChD;KACF,EAAE,eAAe,EAAE,OAAO,CAAC,CAAC;IAE7B,OAAO;QACL,IAAI;QACJ,KAAK,EAAE,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC;QACvD,QAAQ;QACR,OAAO;KACR,CAAC;AACJ,CAAC;AAwBD,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,gBAAiE,EACjE,YAAkC;IAElC,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,GAAG,cAAc,CAAC,gBAAgB,EAAE,YAAY,CAG3F,CAAC;IACF,MAAM,OAAO,GAAG,qBAAqB,CAAC,gBAAgB,EAAE,kBAAkB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;IAC7F,MAAM,eAAe,GAAG,qBAAqB,CAAC,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IACjG,MAAM,IAAI,GAAG,qCAAqC,CAAC,OAAO,EAAE;QAC1D,GAAG,OAAO;QACV,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,eAAe;KAChB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,OAAO,EAAE,eAAe,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAClF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,OAAO;QACL,IAAI;QACJ,KAAK,EAAE,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC;QACvD,QAAQ,EAAE,OAAO,CAAC,YAAY,CAAC,QAAQ;QACvC,OAAO;KACR,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,OAAyB;IACxD,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,GAAG,GAAG,MAAM,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACzC,MAAM,OAAO,GAA4C,EAAE,CAAC;IAC5D,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,MAAM,YAAY,GAAG,qBAAqB,CAAC,OAAO,EAAE,kBAAkB,CAAC,EAAE,CAAC,CAAC,CAAC;QAC5E,MAAM,UAAU,GAAG,MAAM,uBAAuB,CAAC,YAAY,EAAE,EAAE,CAAC,CAAC;QAEnE,OAAO,CAAC,IAAI,CAAC;YACX,OAAO,EAAE,EAAE;YACX,MAAM,EAAE,UAAU,IAAI,EAAE;SACzB,CAAC,CAAC;IACL,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,KAAoC,EACpC,OAAoG;IAEpG,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC;IACzC,MAAM,eAAe,GAAG,qBAAqB,CAAC,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,OAAO,CAAC,CAAC;IAEzF,+CAA+C;IAC/C,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,OAAO,EAAE,eAAe,EAAE,OAAO,CAAC,CAAC;IAEhF,MAAM,iBAAiB,CAAC,KAAK,CAAC,OAAO,EAAE;QACrC,aAAa,EAAE,OAAO,EAAE,aAAa,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE;QAC/F,YAAY,EAAE;YACZ,GAAG,OAAO,EAAE,YAAY,EAAE,oCAAoC;YAC9D,OAAO;YACP,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,mDAAmD;YAC9F,GAAG,CAAC,OAAO,CAAC,cAAc,IAAI,EAAE,CAAC,EAAE,iCAAiC;YACpE,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,OAAO,EAAE,YAAY,CAAC,QAAQ;SAC7D;KACF,EAAE,eAAe,EAAE,OAAO,CAAC,CAAC;AAC/B,CAAC"}
+{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../src/runtime/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EACL,qCAAqC,GAGtC,MAAM,wBAAwB,CAAC;AAChC,OAAO,EAAE,iCAAiC,EAAE,MAAM,uBAAuB,CAAC;AAC1E,OAAO,EACL,2BAA2B,GAG5B,MAAM,2BAA2B,CAAC;AACnC,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAGrD,OAAO,EAAE,gBAAgB,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AAC1E,OAAO,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAC;AAIhE,SAAS,kBAAkB,CAAC,OAAe;IACzC,OAAO,UAAU,OAAO,EAAE,CAAC;AAC7B,CAAC;AAkDD,SAAS,cAAc,CACrB,gBAAsF,EACtF,YAAuD;IAEvD,IAAI,YAAY,EAAE,CAAC;QACjB,MAAM,OAAO,GAAG,OAAO,gBAAgB,KAAK,QAAQ;YAClD,CAAC,CAAC,IAAI,iBAAiB,CAAC,gBAAgB,CAAC;YACzC,CAAC,CAAC,gBAAoC,CAAC;QACzC,OAAO;YACL,OAAO;YACP,OAAO,EAAE,YAAY;SACtB,CAAC;IACJ,CAAC;IACD,gEAAgE;IAChE,OAAO;QACL,OAAO,EAAE,sBAAsB,EAAE;QACjC,OAAO,EAAE,gBAA4D;KACtE,CAAC;AACJ,CAAC;AAwBD,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,gBAAgE,EAChE,YAAiC;IAEjC,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,GAAG,cAAc,CAAC,gBAAgB,EAAE,YAAY,CAG3F,CAAC;IACF,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,SAAS,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;IAClE,MAAM,OAAO,GAAG,qBAAqB,CAAC,gBAAgB,EAAE,kBAAkB,CAAC,OAAO,CAAC,CAAC,CAAC;IACrF,MAAM,eAAe,GAAG,iCAAiC,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAErF,MAAM,IAAI,GAAG,qCAAqC,CAAC,OAAO,EAAE;QAC1D,GAAG,OAAO;QACV,OAAO;QACP,eAAe;KAChB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IAEnC,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAEhF,uEAAuE;IACvE,MAAM,iBAAiB,CAAC,OAAO,EAAE;QAC/B,OAAO;QACP,QAAQ;QACR,GAAG,OAAO,CAAC,QAAQ;KACpB,EAAE,eAAe,EAAE,OAAO,CAAC,CAAC;IAG7B,OAAO;QACL,IAAI;QACJ,KAAK,EAAE,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC;QACvD,QAAQ;QACR,OAAO;KACR,CAAC;AACJ,CAAC;AAwBD,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,gBAAiE,EACjE,YAAkC;IAElC,MAAM,EAAE,OAAO,EAAE,gBAAgB,EAAE,OAAO,EAAE,GAAG,cAAc,CAAC,gBAAgB,EAAE,YAAY,CAG3F,CAAC;IACF,MAAM,OAAO,GAAG,qBAAqB,CAAC,gBAAgB,EAAE,kBAAkB,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;IAC7F,MAAM,eAAe,GAAG,iCAAiC,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAC7F,MAAM,IAAI,GAAG,qCAAqC,CAAC,OAAO,EAAE;QAC1D,GAAG,OAAO;QACV,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,eAAe;KAChB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,OAAO,EAAE,eAAe,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAClF,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,IAAI,KAAK,CAAC,8CAA8C,CAAC,CAAC;IAClE,CAAC;IAED,OAAO;QACL,IAAI;QACJ,KAAK,EAAE,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC;QACvD,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,OAAO;KACR,CAAC;AACJ,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,OAAyB;IACxD,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC;QAClB,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,OAAO,MAAM,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;AACtC,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB,CACvC,KAAoC,EACpC,OAAgF;IAEhF,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC;IACzC,MAAM,eAAe,GAAG,iCAAiC,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;IAErF,gDAAgD;IAChD,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,KAAK,CAAC,OAAO,EAAE,eAAe,EAAE,OAAO,CAAC,CAAC;IAEhF,MAAM,iBAAiB,CAAC,KAAK,CAAC,OAAO,EAAE;QACrC,GAAG,CAAC,OAAO,IAAI,EAAE,CAAC;QAClB,QAAQ,EAAE,OAAO,CAAC,QAAQ,IAAI,OAAO,EAAE,QAAQ;QAC/C,GAAG,CAAC,OAAO,CAAC,QAAQ,IAAI,EAAE,CAAC;KAC5B,EAAE,eAAe,EAAE,OAAO,CAAC,CAAC;AAC/B,CAAC"}

package/dist/runtime/identity.d.ts

@@ -7,19 +7,11 @@ export interface CreatedIdentity {
     identityId: string;
     /** A human-readable label (local only, not part of the crypto identity). */
     nickname?: string;
-    /** The identity ID of the parent, if this is a child identity. */
-    parentIdentityId?: string;
-    /** The derivation index, if this is a child identity. */
-    childIndex?: number;
     /** The base64url-encoded public key. */
     publicKey: string;
     /** The base64url-encoded Ed25519 PKCS#8 private key. */
     privateKey: string;
 }
-export interface ChildIdentity extends CreatedIdentity {
-    parentIdentityId: string;
-    childIndex: number;
-}
 export interface CreateIdentityOptions {
     nickname?: string;
 }
@@ -30,7 +22,7 @@ export interface DeriveIdentityOptions {
     nickname?: string;
 }
 /**
- * Creates a new root identity with a fresh Ed25519 keypair.
+ * Creates a new identity with a fresh Ed25519 keypair.
  *
  * @param options - Configuration for the new identity.
  * @returns A {@link CreatedIdentity} containing the ID and keys.
@@ -55,17 +47,3 @@ export declare function createIdentity(options?: CreateIdentityOptions): Created
  * ```
  */
 export declare function restoreIdentity(privateKey: string, options?: RestoreIdentityOptions): CreatedIdentity;
-/**
- * Deterministically derives a child identity from a parent's private key and an index.
- *
- * @param parent - The parent identity object or its private key string.
- * @param childIndex - A non-negative integer for derivation.
- * @param options - Optional nickname for the child.
- * @returns A {@link ChildIdentity} with derivation metadata.
- *
- * @example
- * ```ts
- * const child = deriveChildIdentity(parentIdentity, 0, { nickname: 'sub-agent-0' });
- * ```
- */
-export declare function deriveChildIdentity(parent: CreatedIdentity | string, childIndex: number, options?: DeriveIdentityOptions): ChildIdentity;

package/dist/runtime/identity.js

@@ -1,4 +1,3 @@
-import { createHmac, createPrivateKey, createPublicKey } from "node:crypto";
 import { derivePublicKey, generateIdentityKeys } from "../protocol/crypto.js";
 import { deriveIdentityId } from "../protocol/identity.js";
 const ED25519_PKCS8_PREFIX = Buffer.from("302e020100300506032b657004220420", "hex");
@@ -17,12 +16,6 @@ function decodeEd25519Seed(privateKey) {
 function encodeEd25519PrivateKey(seed) {
     return Buffer.concat([ED25519_PKCS8_PREFIX, seed]).toString("base64url");
 }
-function toParentPrivateKey(parent) {
-    if (!parent) {
-        return undefined;
-    }
-    return typeof parent === "string" ? parent.trim() : parent.privateKey.trim();
-}
 function createRootIdentity(options = {}) {
     const keyPair = generateIdentityKeys();
     if (!keyPair.publicKey || !keyPair.privateKey) {
@@ -36,15 +29,8 @@ function createRootIdentity(options = {}) {
         privateKey: keyPair.privateKey,
     };
 }
-export function createIdentity(parentOrOptions, childIndexOrOptions, maybeOptions = {}) {
-    const hasParent = typeof parentOrOptions === "string" ||
-        (typeof parentOrOptions === "object" &&
-            parentOrOptions !== null &&
-            "privateKey" in parentOrOptions);
-    if (hasParent) {
-        throw new Error("createIdentity() only creates root identities; use createChildIdentity() or deriveChildIdentity()");
-    }
-    return createRootIdentity(parentOrOptions ?? {});
+export function createIdentity(optionsOrParams) {
+    return createRootIdentity(optionsOrParams ?? {});
 }
 /**
  * Restores an identity from an existing private key.
@@ -72,62 +58,4 @@ export function restoreIdentity(privateKey, options = {}) {
         privateKey: normalizedPrivateKey,
     };
 }
-function deriveIdentity(parentPrivateKey, childIndex, options = {}) {
-    const normalizedParentPrivateKey = parentPrivateKey.trim();
-    if (!normalizedParentPrivateKey) {
-        throw new Error("parent private key is required");
-    }
-    if (!Number.isInteger(childIndex) || childIndex < 0) {
-        throw new Error("childIndex must be a non-negative integer");
-    }
-    const parentSeed = decodeEd25519Seed(normalizedParentPrivateKey);
-    const childSeed = createHmac("sha256", parentSeed)
-        .update("cbio:identity:child:v1")
-        .update("\0")
-        .update(String(childIndex))
-        .digest();
-    const privateKey = encodeEd25519PrivateKey(childSeed);
-    const privateKeyObject = createPrivateKey({
-        key: Buffer.from(privateKey, "base64url"),
-        format: "der",
-        type: "pkcs8",
-    });
-    const publicKey = Buffer.from(createPublicKey(privateKeyObject).export({
-        type: "spki",
-        format: "der",
-    })).toString("base64url");
-    return {
-        identityId: deriveIdentityId(publicKey),
-        nickname: normalizeNickname(options.nickname),
-        publicKey,
-        privateKey,
-    };
-}
-/**
- * Deterministically derives a child identity from a parent's private key and an index.
- *
- * @param parent - The parent identity object or its private key string.
- * @param childIndex - A non-negative integer for derivation.
- * @param options - Optional nickname for the child.
- * @returns A {@link ChildIdentity} with derivation metadata.
- *
- * @example
- * ```ts
- * const child = deriveChildIdentity(parentIdentity, 0, { nickname: 'sub-agent-0' });
- * ```
- */
-export function deriveChildIdentity(parent, childIndex, options = {}) {
-    const parentPrivateKey = toParentPrivateKey(parent);
-    if (!parentPrivateKey) {
-        throw new Error("parent private key is required");
-    }
-    const parentIdentity = typeof parent === "string"
-        ? restoreIdentity(parentPrivateKey)
-        : parent;
-    return {
-        ...deriveIdentity(parentPrivateKey, childIndex, options),
-        parentIdentityId: parentIdentity.identityId,
-        childIndex,
-    };
-}
 //# sourceMappingURL=identity.js.map

package/dist/runtime/identity.js.map

@@ -1 +1 @@
-{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/runtime/identity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAC5E,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAC9E,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAsC3D,MAAM,oBAAoB,GAAG,MAAM,CAAC,IAAI,CAAC,kCAAkC,EAAE,KAAK,CAAC,CAAC;AACpF,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAE/B,SAAS,iBAAiB,CAAC,QAAiB;IAC1C,OAAO,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACxD,CAAC;AAED,SAAS,iBAAiB,CAAC,UAAkB;IAC3C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IACjD,IACE,GAAG,CAAC,MAAM,KAAK,oBAAoB,CAAC,MAAM,GAAG,mBAAmB;QAChE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,oBAAoB,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,oBAAoB,CAAC,EAC1E,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,uBAAuB,CAAC,IAAY;IAC3C,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,oBAAoB,EAAE,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC3E,CAAC;AAED,SAAS,kBAAkB,CAAC,MAAiC;IAC3D,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,CAAC,IAAI,EAAE,CAAC;AAC/E,CAAC;AAED,SAAS,kBAAkB,CAAC,UAAiC,EAAE;IAC7D,MAAM,OAAO,GAAG,oBAAoB,EAAE,CAAC;IACvC,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACrD,OAAO;QACL,UAAU,EAAE,gBAAgB,CAAC,OAAO,CAAC,SAAS,CAAC;QAC/C,QAAQ;QACR,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,UAAU,EAAE,OAAO,CAAC,UAAU;KAC/B,CAAC;AACJ,CAAC;AAeD,MAAM,UAAU,cAAc,CAC5B,eAAkE,EAClE,mBAAoD,EACpD,eAAsC,EAAE;IAExC,MAAM,SAAS,GACb,OAAO,eAAe,KAAK,QAAQ;QACnC,CAAC,OAAO,eAAe,KAAK,QAAQ;YAClC,eAAe,KAAK,IAAI;YACxB,YAAY,IAAI,eAAe,CAAC,CAAC;IAErC,IAAI,SAAS,EAAE,CAAC;QACd,MAAM,IAAI,KAAK,CAAC,mGAAmG,CAAC,CAAC;IACvH,CAAC;IACD,OAAO,kBAAkB,CAAE,eAAqD,IAAI,EAAE,CAAC,CAAC;AAC1F,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,eAAe,CAAC,UAAkB,EAAE,UAAkC,EAAE;IACtF,MAAM,oBAAoB,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC;IAC/C,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;IACD,MAAM,SAAS,GAAG,eAAe,CAAC,oBAAoB,CAAC,CAAC;IACxD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACrD,OAAO;QACL,UAAU,EAAE,gBAAgB,CAAC,SAAS,CAAC;QACvC,QAAQ;QACR,SAAS;QACT,UAAU,EAAE,oBAAoB;KACjC,CAAC;AACJ,CAAC;AAED,SAAS,cAAc,CACrB,gBAAwB,EACxB,UAAkB,EAClB,UAAiC,EAAE;IAEnC,MAAM,0BAA0B,GAAG,gBAAgB,CAAC,IAAI,EAAE,CAAC;IAC3D,IAAI,CAAC,0BAA0B,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;IACD,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC,UAAU,CAAC,IAAI,UAAU,GAAG,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IAC/D,CAAC;IAED,MAAM,UAAU,GAAG,iBAAiB,CAAC,0BAA0B,CAAC,CAAC;IACjE,MAAM,SAAS,GAAG,UAAU,CAAC,QAAQ,EAAE,UAAU,CAAC;SAC/C,MAAM,CAAC,wBAAwB,CAAC;SAChC,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;SAC1B,MAAM,EAAE,CAAC;IAEZ,MAAM,UAAU,GAAG,uBAAuB,CAAC,SAAS,CAAC,CAAC;IACtD,MAAM,gBAAgB,GAAG,gBAAgB,CAAC;QACxC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC;QACzC,MAAM,EAAE,KAAK;QACb,IAAI,EAAE,OAAO;KACd,CAAC,CAAC;IACH,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAC3B,eAAe,CAAC,gBAAgB,CAAC,CAAC,MAAM,CAAC;QACvC,IAAI,EAAE,MAAM;QACZ,MAAM,EAAE,KAAK;KACd,CAAC,CACH,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAExB,OAAO;QACL,UAAU,EAAE,gBAAgB,CAAC,SAAS,CAAC;QACvC,QAAQ,EAAE,iBAAiB,CAAC,OAAO,CAAC,QAAQ,CAAC;QAC7C,SAAS;QACT,UAAU;KACX,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,mBAAmB,CACjC,MAAgC,EAChC,UAAkB,EAClB,UAAiC,EAAE;IAEnC,MAAM,gBAAgB,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAC;IACpD,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;IACD,MAAM,cAAc,GAAG,OAAO,MAAM,KAAK,QAAQ;QAC/C,CAAC,CAAC,eAAe,CAAC,gBAAgB,CAAC;QACnC,CAAC,CAAC,MAAM,CAAC;IACX,OAAO;QACL,GAAG,cAAc,CAAC,gBAAgB,EAAE,UAAU,EAAE,OAAO,CAAC;QACxD,gBAAgB,EAAE,cAAc,CAAC,UAAU;QAC3C,UAAU;KACX,CAAC;AACJ,CAAC"}
+{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/runtime/identity.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAC9E,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AA6B3D,MAAM,oBAAoB,GAAG,MAAM,CAAC,IAAI,CAAC,kCAAkC,EAAE,KAAK,CAAC,CAAC;AACpF,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAE/B,SAAS,iBAAiB,CAAC,QAAiB;IAC1C,OAAO,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACxD,CAAC;AAED,SAAS,iBAAiB,CAAC,UAAkB;IAC3C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IACjD,IACE,GAAG,CAAC,MAAM,KAAK,oBAAoB,CAAC,MAAM,GAAG,mBAAmB;QAChE,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,EAAE,oBAAoB,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,oBAAoB,CAAC,EAC1E,CAAC;QACD,MAAM,IAAI,KAAK,CAAC,gCAAgC,CAAC,CAAC;IACpD,CAAC;IACD,OAAO,GAAG,CAAC,QAAQ,CAAC,oBAAoB,CAAC,MAAM,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,uBAAuB,CAAC,IAAY;IAC3C,OAAO,MAAM,CAAC,MAAM,CAAC,CAAC,oBAAoB,EAAE,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;AAC3E,CAAC;AAED,SAAS,kBAAkB,CAAC,UAAiC,EAAE;IAC7D,MAAM,OAAO,GAAG,oBAAoB,EAAE,CAAC;IACvC,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACrD,OAAO;QACL,UAAU,EAAE,gBAAgB,CAAC,OAAO,CAAC,SAAS,CAAC;QAC/C,QAAQ;QACR,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,UAAU,EAAE,OAAO,CAAC,UAAU;KAC/B,CAAC;AACJ,CAAC;AAeD,MAAM,UAAU,cAAc,CAC5B,eAAuC;IAEvC,OAAO,kBAAkB,CAAC,eAAe,IAAI,EAAE,CAAC,CAAC;AACnD,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,eAAe,CAAC,UAAkB,EAAE,UAAkC,EAAE;IACtF,MAAM,oBAAoB,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC;IAC/C,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;IACD,MAAM,SAAS,GAAG,eAAe,CAAC,oBAAoB,CAAC,CAAC;IACxD,MAAM,QAAQ,GAAG,iBAAiB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACrD,OAAO;QACL,UAAU,EAAE,gBAAgB,CAAC,SAAS,CAAC;QACvC,QAAQ;QACR,SAAS;QACT,UAAU,EAAE,oBAAoB;KACjC,CAAC;AACJ,CAAC"}

package/dist/runtime/index.d.ts

@@ -3,24 +3,20 @@
  * Public surface: typed high-level runtime plus supported low-level building blocks.
  */
 export { IdentityError, IdentityErrorCode } from "../errors.js";
-export { derivePublicKey, LocalSigner, type Signer } from "../protocol/crypto.js";
+export { derivePublicKey, LocalSigner, type Signer, deriveVaultWorkingKeyFromPassword } from "../protocol/crypto.js";
 export { deriveIdentityId } from "../protocol/identity.js";
 export type { IStorageProvider } from "../storage/provider.js";
 export { FsStorageProvider } from "../storage/fs.js";
 export { MemoryStorageProvider } from "../storage/memory.js";
-export { createIdentity, deriveChildIdentity, restoreIdentity, type CreateIdentityOptions, type RestoreIdentityOptions, type ChildIdentity, type CreatedIdentity, type DeriveIdentityOptions, } from "./identity.js";
-export { createChildIdentity, type CreateChildIdentityOptions, } from "./child-identity.js";
-export { readVaultProfile, writeVaultProfile, readVaultPublicMetadata, type VaultProfile, } from "./vault-metadata.js";
+export { createIdentity, restoreIdentity, type CreateIdentityOptions, type RestoreIdentityOptions, type CreatedIdentity, } from "./identity.js";
+export { readVaultProfile, writeVaultProfile, type VaultProfile, } from "./vault-metadata.js";
 export { createWorkspaceStorage, getDefaultWorkspaceDir, } from "./workspace-storage.js";
-export { ensureIdentityPrivateVault, readIdentityPrivateVaultProfile, readIdentityPrivateVaultChildrenState, readIdentityMetadata, listIdentities, type IdentityPrivateVaultAccess, identityPrivateVaultPrefix, identityPrivateVaultProfileKey, identityPrivateVaultPublicSealedKey, identityPrivateVaultChildrenKey, type IdentityPrivateVaultProfile, type IdentityPrivateVaultChildRecord, type IdentityPrivateVaultChildrenState, } from "./private-vault.js";
-export { createVault, recoverVault, deriveVaultWorkingKey, listVaults, updateVaultMetadata, type CreateVaultOptions, type CreatedVault, type RecoverVaultOptions, type RecoveredVault, type VaultObject, type VaultMetadata as VaultPublicMetadata, } from "./bootstrap.js";
-export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, type CreateDefaultVaultCoreDependenciesOptions, type DefaultPolicyEngineOptions, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, type InitializeVaultCustodyOptions, type InitializedVaultCustody, type CreatePersistentVaultCoreDependenciesOptions, PersistentVaultAgentIdentityRegistry, PersistentVaultAuditLog, PersistentVaultOwnerIdentityRegistry, PersistentVaultCapabilityRegistry, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, type SignatureAgentProofVerifierOptions, SignatureAgentProofVerifier, SystemClock, type AgentCapability, type AgentIdentityRecord, type AgentProof, type OwnerAuditRequest, type OwnerExportSecretRequest, type OwnerDefineSecretTargetsCommand, type OwnerRegisterCapabilityCommand, type OwnerRegisterAgentIdentityCommand, type OwnerRegisterCustomHttpFlowCommand, type OwnerSecretExport, type OwnerIdentityRecord, type CustomHttpFlowDefinition, type OwnerProof, type AuditEntry, type AuditLog, type AuditQuery, type Clock, type DispatchAuthorization, type DispatchInstruction, type DispatchRequest, type DispatchResult, type IdGenerator, type OwnerIdentityRegistry, type OwnerProofVerifier, type PolicyEngine, type RateLimitStore, type ReplayGuard, type CustomHttpFlowRegistry, type SecretAlias, type SecretCustody, type SecretId, type SecretRecord, type SecretRepository, type SecretVersion, type TrustedExecutor, type VaultCore, type VaultCoreDependencies, type VaultPrincipal, type VaultPrincipalKind, type VaultTargetBinding, type VaultWriteSecretCommand, type VaultId, type AgentIdentityRegistry, type AgentProofVerifier, type CapabilityRevocationRegistry, type CapabilityRegistry, type AuditAction, type AuditOutcome, type DispatchStatus, type OwnerWriteSecretCommand, type IssuerWriteSecretCommand, type OwnerDeleteSecretCommand, type OwnerListAgentsRequest, type OwnerListCapabilitiesRequest, type OwnerRevokeCapabilityCommand, } from "../vault-core/index.js";
+export { createVault, recoverVault, listVaults, updateVaultMetadata, type CreateVaultOptions, type CreatedVault, type RecoverVaultOptions, type RecoveredVault, type VaultObject, type VaultMetadata as VaultPublicMetadata, } from "./bootstrap.js";
+export { createVaultCore, VaultCore, VaultCoreError, createVaultCoreDependencies, type VaultCoreDependenciesOptions, type DefaultPolicyEngineOptions, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, type InitializeVaultCustodyOptions, type InitializedVaultCustody, type CreatePersistentVaultCoreDependenciesOptions, PersistentVaultAgentIdentityRegistry, PersistentVaultAuditLog, PersistentVaultCapabilityRegistry, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, } from "../vault-core/index.js";
 export { createVaultClient, type VaultClient, type CreateVaultClientOptions, type VaultIdentity, type VaultSigner, type VaultAuditQueryInput, type OwnerDefineSecretTargetsInput, type VaultExportSecretInput, type VaultGrantCapabilityInput, type VaultRegisterFlowInput, type VaultRegisterAgentInput, type OwnerSecretTargetBinding, type OwnerStoreSecretInput, type OwnerWriteSecretInput, type VaultDeleteSecretInput, type VaultListAgentsInput, type VaultListCapabilitiesInput, type VaultRevokeCapabilityInput, } from "../clients/owner/index.js";
 export { createAgentClient, type AgentClient, type CreateAgentClientOptions, type AgentIdentity, type AgentCapabilityEnvelope, type AgentDispatchIntent, type AgentDispatchTransport, type AgentSigner, } from "../clients/agent/index.js";
-export { createVaultService, wrapVaultCoreAsVaultService, createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, toOwnerHttpFlowBoundary, type VaultService, type VaultAcquireSecretInput, type VaultAcquireSecretResult, type VaultAcquireSecretFlow, type VaultCustomFlowResolver, type VaultAgentDispatchRequest, type VaultAgentDispatchResponse, type VaultAgentDispatchErrorResponse, type RedactedResponseShape, type OwnerHttpFlowBoundary, } from "../vault-ingress/index.js";
+export { createVaultService, wrapVaultCoreAsVaultService, createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, AgentDispatchHttpTransport, handleVaultHttpDispatch, } from "../vault-ingress/index.js";
 export { LocalVaultTransport } from "../vault-ingress/defaults.js";
-export { AgentDispatchHttpTransport } from "../vault-ingress/remote-transport.js";
-export { handleVaultHttpDispatch } from "../vault-ingress/server-utils.js";
 /**
  * Main runtime interface.
  */
@@ -35,24 +31,14 @@ export interface CbioRuntime {
     PersistentVaultCapabilityRevocationRegistry: typeof import("../vault-core/index.js").PersistentVaultCapabilityRevocationRegistry;
     createIdentity: typeof import("./identity.js").createIdentity;
     restoreIdentity: typeof import("./identity.js").restoreIdentity;
-    createChildIdentity: typeof import("./child-identity.js").createChildIdentity;
-    deriveChildIdentity: typeof import("./identity.js").deriveChildIdentity;
-    ensureIdentityPrivateVault: typeof import("./private-vault.js").ensureIdentityPrivateVault;
-    readIdentityPrivateVaultProfile: typeof import("./private-vault.js").readIdentityPrivateVaultProfile;
-    readIdentityPrivateVaultChildrenState: typeof import("./private-vault.js").readIdentityPrivateVaultChildrenState;
-    readIdentityMetadata: typeof import("./private-vault.js").readIdentityMetadata;
-    listIdentities: typeof import("./private-vault.js").listIdentities;
     listVaults: typeof import("./bootstrap.js").listVaults;
     createVault: typeof import("./bootstrap.js").createVault;
     recoverVault: typeof import("./bootstrap.js").recoverVault;
-    deriveVaultWorkingKey: typeof import("./bootstrap.js").deriveVaultWorkingKey;
+    deriveVaultWorkingKeyFromPassword: typeof import("../protocol/crypto.js").deriveVaultWorkingKeyFromPassword;
     createVaultClient: typeof import("../clients/owner/index.js").createVaultClient;
     createAgentClient: typeof import("../clients/agent/index.js").createAgentClient;
     createVaultCore: typeof import("../vault-core/index.js").createVaultCore;
-    createDefaultVaultCoreDependencies: typeof import("../vault-core/index.js").createDefaultVaultCoreDependencies;
-    createPersistentVaultCoreDependencies: typeof import("../vault-core/index.js").createPersistentVaultCoreDependencies;
-    initializeVaultCustody: typeof import("../vault-core/index.js").initializeVaultCustody;
-    recoverVaultWorkingKey: typeof import("../vault-core/index.js").recoverVaultWorkingKey;
+    createVaultCoreDependencies: typeof import("../vault-core/index.js").createVaultCoreDependencies;
     createVaultService: typeof import("../vault-ingress/index.js").createVaultService;
     wrapVaultCoreAsVaultService: typeof import("../vault-ingress/index.js").wrapVaultCoreAsVaultService;
     createOwnerHttpFlowBoundary: typeof import("../vault-ingress/index.js").createOwnerHttpFlowBoundary;

package/dist/runtime/index.js

@@ -3,21 +3,17 @@
  * Public surface: typed high-level runtime plus supported low-level building blocks.
  */
 export { IdentityError, IdentityErrorCode } from "../errors.js";
-export { derivePublicKey, LocalSigner } from "../protocol/crypto.js";
+export { derivePublicKey, LocalSigner, deriveVaultWorkingKeyFromPassword } from "../protocol/crypto.js";
 export { deriveIdentityId } from "../protocol/identity.js";
 export { FsStorageProvider } from "../storage/fs.js";
 export { MemoryStorageProvider } from "../storage/memory.js";
-export { createIdentity, deriveChildIdentity, restoreIdentity, } from "./identity.js";
-export { createChildIdentity, } from "./child-identity.js";
-export { readVaultProfile, writeVaultProfile, readVaultPublicMetadata, } from "./vault-metadata.js";
+export { createIdentity, restoreIdentity, } from "./identity.js";
+export { readVaultProfile, writeVaultProfile, } from "./vault-metadata.js";
 export { createWorkspaceStorage, getDefaultWorkspaceDir, } from "./workspace-storage.js";
-export { ensureIdentityPrivateVault, readIdentityPrivateVaultProfile, readIdentityPrivateVaultChildrenState, readIdentityMetadata, listIdentities, identityPrivateVaultPrefix, identityPrivateVaultProfileKey, identityPrivateVaultPublicSealedKey, identityPrivateVaultChildrenKey, } from "./private-vault.js";
-export { createVault, recoverVault, deriveVaultWorkingKey, listVaults, updateVaultMetadata, } from "./bootstrap.js";
-export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, PersistentVaultAgentIdentityRegistry, PersistentVaultAuditLog, PersistentVaultOwnerIdentityRegistry, PersistentVaultCapabilityRegistry, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, SignatureAgentProofVerifier, SystemClock, } from "../vault-core/index.js";
+export { createVault, recoverVault, listVaults, updateVaultMetadata, } from "./bootstrap.js";
+export { createVaultCore, VaultCore, VaultCoreError, createVaultCoreDependencies, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, PersistentVaultAgentIdentityRegistry, PersistentVaultAuditLog, PersistentVaultCapabilityRegistry, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, } from "../vault-core/index.js";
 export { createVaultClient, } from "../clients/owner/index.js";
 export { createAgentClient, } from "../clients/agent/index.js";
-export { createVaultService, wrapVaultCoreAsVaultService, createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, toOwnerHttpFlowBoundary, } from "../vault-ingress/index.js";
+export { createVaultService, wrapVaultCoreAsVaultService, createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, AgentDispatchHttpTransport, handleVaultHttpDispatch, } from "../vault-ingress/index.js";
 export { LocalVaultTransport } from "../vault-ingress/defaults.js";
-export { AgentDispatchHttpTransport } from "../vault-ingress/remote-transport.js";
-export { handleVaultHttpDispatch } from "../vault-ingress/server-utils.js";
 //# sourceMappingURL=index.js.map

package/dist/runtime/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAe,MAAM,uBAAuB,CAAC;AAClF,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EACL,cAAc,EACd,mBAAmB,EACnB,eAAe,GAMhB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,mBAAmB,GAEpB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,gBAAgB,EAChB,iBAAiB,EACjB,uBAAuB,GAExB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,0BAA0B,EAC1B,+BAA+B,EAC/B,qCAAqC,EACrC,oBAAoB,EACpB,cAAc,EAEd,0BAA0B,EAC1B,8BAA8B,EAC9B,mCAAmC,EACnC,+BAA+B,GAIhC,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EACL,WAAW,EACX,YAAY,EACZ,qBAAqB,EACrB,UAAU,EACV,mBAAmB,GAOpB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,kCAAkC,EAGlC,mBAAmB,EACnB,qCAAqC,EACrC,sBAAsB,EACtB,sBAAsB,EACtB,kCAAkC,EAIlC,oCAAoC,EACpC,uBAAuB,EACvB,oCAAoC,EACpC,iCAAiC,EACjC,2CAA2C,EAC3C,qCAAqC,EACrC,6BAA6B,EAC7B,0BAA0B,EAC1B,4BAA4B,EAC5B,+BAA+B,EAC/B,oBAAoB,EACpB,6BAA6B,EAC7B,0BAA0B,EAC1B,oCAAoC,EACpC,8BAA8B,EAC9B,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,6BAA6B,EAC7B,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,EACjB,2BAA2B,EAE3B,2BAA2B,EAC3B,WAAW,GAwDZ,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,iBAAiB,GAkBlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,iBAAiB,GAQlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,kBAAkB,EAClB,2BAA2B,EAC3B,2BAA2B,EAC3B,6BAA6B,EAC7B,8BAA8B,EAC9B,uBAAuB,GAWxB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC;AACnE,OAAO,EAAE,0BAA0B,EAAE,MAAM,sCAAsC,CAAC;AAClF,OAAO,EAAE,uBAAuB,EAAE,MAAM,kCAAkC,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAe,iCAAiC,EAAE,MAAM,uBAAuB,CAAC;AACrH,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EACL,cAAc,EACd,eAAe,GAIhB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,gBAAgB,EAChB,iBAAiB,GAElB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,sBAAsB,EACtB,sBAAsB,GACvB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,WAAW,EACX,YAAY,EACZ,UAAU,EACV,mBAAmB,GAOpB,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,eAAe,EACf,SAAS,EACT,cAAc,EACd,2BAA2B,EAG3B,mBAAmB,EACnB,qCAAqC,EACrC,sBAAsB,EACtB,sBAAsB,EACtB,kCAAkC,EAIlC,oCAAoC,EACpC,uBAAuB,EACvB,iCAAiC,EACjC,2CAA2C,EAC3C,qCAAqC,EACrC,6BAA6B,EAC7B,0BAA0B,EAC1B,4BAA4B,EAC5B,+BAA+B,GAChC,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,iBAAiB,GAkBlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,iBAAiB,GAQlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,kBAAkB,EAClB,2BAA2B,EAC3B,2BAA2B,EAC3B,6BAA6B,EAC7B,8BAA8B,EAC9B,0BAA0B,EAC1B,uBAAuB,GACxB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,mBAAmB,EAAE,MAAM,8BAA8B,CAAC"}

package/dist/runtime/vault-metadata.d.ts

@@ -1,18 +1,6 @@
 import type { IStorageProvider } from "../storage/provider.js";
-export interface VaultProfile {
-    sealedPublic: Record<string, any> & {
-        nickname?: string;
-    };
-    sealedPrivate: Record<string, any>;
+export interface VaultProfile extends Record<string, any> {
+    nickname?: string;
 }
-/**
- * Derives a key that is publicly available to anyone who knows the vaultId.
- * Used to encrypt 'public' metadata to prevent JSON tampering on disk.
- */
-export declare function deriveVaultPublicWorkingKey(vaultId: string): string;
-/**
- * Reads the 'public' metadata of a vault. Requires vaultId but no private key.
- */
-export declare function readVaultPublicMetadata(storage: IStorageProvider, vaultId: string): Promise<Record<string, any>>;
-export declare function writeVaultProfile(storage: IStorageProvider, profile: VaultProfile, vaultWorkingKey: string, vaultId: string): Promise<void>;
-export declare function readVaultProfile(storage: IStorageProvider, vaultWorkingKey: string, vaultId: string): Promise<VaultProfile | null>;
+export declare function writeVaultProfile(storage: IStorageProvider, profile: VaultProfile, vaultWorkingKey: string, _vaultId: string): Promise<void>;
+export declare function readVaultProfile(storage: IStorageProvider, vaultWorkingKey: string, _vaultId: string): Promise<VaultProfile | null>;

package/dist/runtime/vault-metadata.js

@@ -1,46 +1,11 @@
-import { createHash } from "node:crypto";
 import { SealedJsonRepository } from "../sealed/index.js";
-const VAULT_SEALED_PROFILE_KEY = "vault/sealed/profile.sealed";
-const VAULT_PUBLIC_SEALED_PROFILE_KEY = "vault/sealed/public.sealed";
-/**
- * Derives a key that is publicly available to anyone who knows the vaultId.
- * Used to encrypt 'public' metadata to prevent JSON tampering on disk.
- */
-export function deriveVaultPublicWorkingKey(vaultId) {
-    return createHash("sha256")
-        .update("cbio:vault-public-metadata:v1")
-        .update("\n")
-        .update(vaultId)
-        .digest("base64url");
-}
-/**
- * Reads the 'public' metadata of a vault. Requires vaultId but no private key.
- */
-export async function readVaultPublicMetadata(storage, vaultId) {
-    const publicWorkingKey = deriveVaultPublicWorkingKey(vaultId);
-    const repo = new SealedJsonRepository(storage, VAULT_PUBLIC_SEALED_PROFILE_KEY, publicWorkingKey);
-    const data = await repo.read(null).catch(() => null);
-    return data || {};
-}
-export async function writeVaultProfile(storage, profile, vaultWorkingKey, vaultId) {
-    // 1. Write Private Sealed Profile
-    const privateRepo = new SealedJsonRepository(storage, VAULT_SEALED_PROFILE_KEY, vaultWorkingKey);
-    await privateRepo.write(profile.sealedPrivate, "vault_profile_private");
-    // 2. Write Public Sealed Profile (encrypted for format protection, but publicly-read via side-channel)
-    const publicWorkingKey = deriveVaultPublicWorkingKey(vaultId);
-    const publicRepo = new SealedJsonRepository(storage, VAULT_PUBLIC_SEALED_PROFILE_KEY, publicWorkingKey);
-    await publicRepo.write(profile.sealedPublic, "vault_profile_public");
-}
-export async function readVaultProfile(storage, vaultWorkingKey, vaultId) {
-    const privateRepo = new SealedJsonRepository(storage, VAULT_SEALED_PROFILE_KEY, vaultWorkingKey);
-    const sealedPrivate = await privateRepo.read(null);
-    if (!sealedPrivate) {
-        return null;
-    }
-    const sealedPublic = await readVaultPublicMetadata(storage, vaultId);
-    return {
-        sealedPublic,
-        sealedPrivate,
-    };
+const VAULT_SEALED_PROFILE_KEY = "vault/profile.sealed";
+export async function writeVaultProfile(storage, profile, vaultWorkingKey, _vaultId) {
+    const repo = new SealedJsonRepository(storage, VAULT_SEALED_PROFILE_KEY, vaultWorkingKey);
+    await repo.write(profile, "vault_profile");
+}
+export async function readVaultProfile(storage, vaultWorkingKey, _vaultId) {
+    const repo = new SealedJsonRepository(storage, VAULT_SEALED_PROFILE_KEY, vaultWorkingKey);
+    return await repo.read(null);
 }
 //# sourceMappingURL=vault-metadata.js.map

package/dist/runtime/vault-metadata.js.map

@@ -1 +1 @@
-{"version":3,"file":"vault-metadata.js","sourceRoot":"","sources":["../../src/runtime/vault-metadata.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAO1D,MAAM,wBAAwB,GAAG,6BAA6B,CAAC;AAC/D,MAAM,+BAA+B,GAAG,4BAA4B,CAAC;AAErE;;;GAGG;AACH,MAAM,UAAU,2BAA2B,CAAC,OAAe;IACzD,OAAO,UAAU,CAAC,QAAQ,CAAC;SACxB,MAAM,CAAC,+BAA+B,CAAC;SACvC,MAAM,CAAC,IAAI,CAAC;SACZ,MAAM,CAAC,OAAO,CAAC;SACf,MAAM,CAAC,WAAW,CAAC,CAAC;AACzB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAAyB,EACzB,OAAe;IAEf,MAAM,gBAAgB,GAAG,2BAA2B,CAAC,OAAO,CAAC,CAAC;IAC9D,MAAM,IAAI,GAAG,IAAI,oBAAoB,CAAsB,OAAO,EAAE,+BAA+B,EAAE,gBAAgB,CAAC,CAAC;IACvH,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,IAAI,CAAC,IAAW,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,CAAC;IAC5D,OAAO,IAAI,IAAI,EAAE,CAAC;AACpB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,OAAyB,EACzB,OAAqB,EACrB,eAAuB,EACvB,OAAe;IAEf,kCAAkC;IAClC,MAAM,WAAW,GAAG,IAAI,oBAAoB,CAAsB,OAAO,EAAE,wBAAwB,EAAE,eAAe,CAAC,CAAC;IACtH,MAAM,WAAW,CAAC,KAAK,CAAC,OAAO,CAAC,aAAa,EAAE,uBAAuB,CAAC,CAAC;IAExE,uGAAuG;IACvG,MAAM,gBAAgB,GAAG,2BAA2B,CAAC,OAAO,CAAC,CAAC;IAC9D,MAAM,UAAU,GAAG,IAAI,oBAAoB,CAAsB,OAAO,EAAE,+BAA+B,EAAE,gBAAgB,CAAC,CAAC;IAC7H,MAAM,UAAU,CAAC,KAAK,CAAC,OAAO,CAAC,YAAY,EAAE,sBAAsB,CAAC,CAAC;AACvE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,OAAyB,EACzB,eAAuB,EACvB,OAAe;IAEf,MAAM,WAAW,GAAG,IAAI,oBAAoB,CAAsB,OAAO,EAAE,wBAAwB,EAAE,eAAe,CAAC,CAAC;IACtH,MAAM,aAAa,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,IAAW,CAAC,CAAC;IAC1D,IAAI,CAAC,aAAa,EAAE,CAAC;QACnB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,MAAM,YAAY,GAAG,MAAM,uBAAuB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;IAErE,OAAO;QACL,YAAY;QACZ,aAAa;KACd,CAAC;AACJ,CAAC"}
+{"version":3,"file":"vault-metadata.js","sourceRoot":"","sources":["../../src/runtime/vault-metadata.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AAM1D,MAAM,wBAAwB,GAAG,sBAAsB,CAAC;AAExD,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,OAAyB,EACzB,OAAqB,EACrB,eAAuB,EACvB,QAAgB;IAEhB,MAAM,IAAI,GAAG,IAAI,oBAAoB,CAAe,OAAO,EAAE,wBAAwB,EAAE,eAAe,CAAC,CAAC;IACxG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,eAAe,CAAC,CAAC;AAC7C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,OAAyB,EACzB,eAAuB,EACvB,QAAgB;IAEhB,MAAM,IAAI,GAAG,IAAI,oBAAoB,CAAe,OAAO,EAAE,wBAAwB,EAAE,eAAe,CAAC,CAAC;IACxG,OAAO,MAAM,IAAI,CAAC,IAAI,CAAC,IAAW,CAAC,CAAC;AACtC,CAAC"}

package/dist/vault-core/contracts.d.ts

@@ -43,7 +43,6 @@ export interface OwnerWriteSecretCommand {
     plaintext: string;
     targetBindings?: readonly VaultTargetBinding[];
     requestedAt: string;
-    proof: OwnerProof;
 }
 export interface OwnerDefineSecretTargetsCommand {
     vaultId: VaultId;
@@ -54,7 +53,6 @@ export interface OwnerDefineSecretTargetsCommand {
     alias: string;
     targetBindings: readonly VaultTargetBinding[];
     requestedAt: string;
-    proof: OwnerProof;
 }
 export interface IssuerWriteSecretCommand {
     kind: "issuer.write_secret";
@@ -76,7 +74,6 @@ export interface OwnerDeleteSecretCommand {
     };
     alias: string;
     requestedAt: string;
-    proof: OwnerProof;
 }
 export type VaultWriteSecretCommand = OwnerWriteSecretCommand | IssuerWriteSecretCommand;
 export interface OwnerRegisterAgentIdentityCommand {
@@ -87,7 +84,6 @@ export interface OwnerRegisterAgentIdentityCommand {
     };
     agentIdentity: AgentIdentityRecord;
     requestedAt: string;
-    proof: OwnerProof;
 }
 export interface CustomHttpFlowDefinition {
     vaultId: VaultId;
@@ -123,7 +119,6 @@ export interface OwnerRegisterCustomHttpFlowCommand {
         };
     };
     requestedAt: string;
-    proof: OwnerProof;
 }
 export interface OwnerRegisterCapabilityCommand {
     vaultId: VaultId;
@@ -133,7 +128,6 @@ export interface OwnerRegisterCapabilityCommand {
     };
     capability: AgentCapability;
     requestedAt: string;
-    proof: OwnerProof;
 }
 export interface OwnerRevokeCapabilityCommand {
     vaultId: VaultId;
@@ -144,7 +138,6 @@ export interface OwnerRevokeCapabilityCommand {
     agentId: string;
     capabilityId: string;
     requestedAt: string;
-    proof: OwnerProof;
 }
 export interface AgentCapability {
     vaultId: VaultId;
@@ -172,12 +165,6 @@ export interface AgentProof {
     requestId: string;
     requestedAt: string;
 }
-export interface OwnerProof {
-    ownerId: string;
-    signature: string;
-    requestId: string;
-    requestedAt: string;
-}
 export interface DispatchRequest {
     vaultId: VaultId;
     requestId: string;
@@ -231,7 +218,6 @@ export interface AuditQuery {
     since?: string;
 }
 export declare enum AuditAction {
-    BOOTSTRAP_OWNER_IDENTITY = "BOOTSTRAP_OWNER_IDENTITY",
     REGISTER_AGENT_IDENTITY = "REGISTER_AGENT_IDENTITY",
     REGISTER_CUSTOM_FLOW = "REGISTER_CUSTOM_FLOW",
     REGISTER_CAPABILITY = "REGISTER_CAPABILITY",
@@ -274,11 +260,6 @@ export interface AgentIdentityRecord {
     agentId: string;
     publicKey: string;
 }
-export interface OwnerIdentityRecord {
-    vaultId: VaultId;
-    ownerId: string;
-    publicKey: string;
-}
 export interface OwnerAuditRequest {
     vaultId: VaultId;
     actor: VaultPrincipal & {
@@ -287,7 +268,6 @@ export interface OwnerAuditRequest {
     query: AuditQuery;
     requestId: string;
     requestedAt: string;
-    proof: OwnerProof;
 }
 export interface OwnerExportSecretRequest {
     vaultId: VaultId;
@@ -297,7 +277,6 @@ export interface OwnerExportSecretRequest {
     alias: string;
     requestId: string;
     requestedAt: string;
-    proof: OwnerProof;
 }
 export interface OwnerSecretExport {
     vaultId: VaultId;
@@ -313,7 +292,6 @@ export interface OwnerListAgentsRequest {
         kind: "owner";
     };
     requestedAt: string;
-    proof: OwnerProof;
 }
 export interface OwnerListCapabilitiesRequest {
     vaultId: VaultId;
@@ -323,5 +301,4 @@ export interface OwnerListCapabilitiesRequest {
     };
     agentId?: string;
     requestedAt: string;
-    proof: OwnerProof;
 }

package/dist/vault-core/contracts.js

@@ -6,7 +6,6 @@ export var DispatchStatus;
 })(DispatchStatus || (DispatchStatus = {}));
 export var AuditAction;
 (function (AuditAction) {
-    AuditAction["BOOTSTRAP_OWNER_IDENTITY"] = "BOOTSTRAP_OWNER_IDENTITY";
     AuditAction["REGISTER_AGENT_IDENTITY"] = "REGISTER_AGENT_IDENTITY";
     AuditAction["REGISTER_CUSTOM_FLOW"] = "REGISTER_CUSTOM_FLOW";
     AuditAction["REGISTER_CAPABILITY"] = "REGISTER_CAPABILITY";