@the-ai-company/cbio-node-runtime 1.47.0 → 1.48.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +104 -231
- package/dist/clients/agent/client.d.ts +1 -0
- package/dist/clients/agent/client.js +26 -9
- package/dist/clients/agent/client.js.map +1 -1
- package/dist/clients/owner/client.js +57 -2
- package/dist/clients/owner/client.js.map +1 -1
- package/dist/clients/owner/contracts.d.ts +44 -1
- package/dist/vault-core/contracts.d.ts +58 -5
- package/dist/vault-core/contracts.js +8 -0
- package/dist/vault-core/contracts.js.map +1 -1
- package/dist/vault-core/core.d.ts +16 -2
- package/dist/vault-core/core.js +115 -1
- package/dist/vault-core/core.js.map +1 -1
- package/dist/vault-core/defaults.d.ts +25 -3
- package/dist/vault-core/defaults.js +71 -16
- package/dist/vault-core/defaults.js.map +1 -1
- package/dist/vault-core/errors.d.ts +2 -2
- package/dist/vault-core/errors.js.map +1 -1
- package/dist/vault-core/index.d.ts +3 -3
- package/dist/vault-core/index.js +1 -1
- package/dist/vault-core/index.js.map +1 -1
- package/dist/vault-core/persistence.js +7 -2
- package/dist/vault-core/persistence.js.map +1 -1
- package/dist/vault-core/ports.d.ts +13 -0
- package/dist/vault-ingress/index.d.ts +17 -2
- package/dist/vault-ingress/index.js +17 -0
- package/dist/vault-ingress/index.js.map +1 -1
- package/dist/vault-ingress/remote-transport.js +4 -1
- package/dist/vault-ingress/remote-transport.js.map +1 -1
- package/docs/ARCHITECTURE.md +34 -107
- package/docs/CUSTODY_MODEL.md +27 -129
- package/docs/IDENTITY_MODEL.md +35 -112
- package/docs/REFERENCE.md +60 -404
- package/docs/api/README.md +2 -2
- package/docs/api/classes/IdentityError.md +1 -1
- package/docs/api/classes/VaultCore.md +97 -1
- package/docs/api/classes/VaultCoreError.md +3 -3
- package/docs/api/enumerations/IdentityErrorCode.md +1 -1
- package/docs/api/functions/createAgentClient.md +1 -1
- package/docs/api/functions/createIdentity.md +1 -1
- package/docs/api/functions/createOwnerHttpFlowBoundary.md +1 -1
- package/docs/api/functions/createPersistentVaultCoreDependencies.md +1 -1
- package/docs/api/functions/createStandardAcquireBoundary.md +1 -1
- package/docs/api/functions/createStandardDispatchBoundary.md +1 -1
- package/docs/api/functions/createVault.md +1 -1
- package/docs/api/functions/createVaultClient.md +1 -1
- package/docs/api/functions/createVaultCore.md +1 -1
- package/docs/api/functions/createVaultCoreDependencies.md +1 -1
- package/docs/api/functions/createVaultService.md +1 -1
- package/docs/api/functions/createWorkspaceStorage.md +1 -1
- package/docs/api/functions/deriveIdentityId.md +1 -1
- package/docs/api/functions/deriveVaultWorkingKeyFromPassword.md +1 -1
- package/docs/api/functions/getDefaultWorkspaceDir.md +1 -1
- package/docs/api/functions/handleVaultHttpDispatch.md +1 -1
- package/docs/api/functions/initializeVaultCustody.md +1 -1
- package/docs/api/functions/listVaults.md +1 -1
- package/docs/api/functions/readVaultProfile.md +1 -1
- package/docs/api/functions/recoverVault.md +1 -1
- package/docs/api/functions/recoverVaultWorkingKey.md +1 -1
- package/docs/api/functions/restoreIdentity.md +1 -1
- package/docs/api/functions/updateVaultMetadata.md +1 -1
- package/docs/api/functions/wrapVaultCoreAsVaultService.md +1 -1
- package/docs/api/functions/writeVaultProfile.md +1 -1
- package/docs/api/interfaces/AgentClient.md +1 -1
- package/docs/api/interfaces/AgentDispatchIntent.md +1 -1
- package/docs/api/interfaces/AgentDispatchTransport.md +1 -1
- package/docs/api/interfaces/AgentIdentity.md +1 -1
- package/docs/api/interfaces/AgentSigner.md +1 -1
- package/docs/api/interfaces/CbioRuntime.md +1 -1
- package/docs/api/interfaces/CreateAgentClientOptions.md +7 -1
- package/docs/api/interfaces/CreateIdentityOptions.md +1 -1
- package/docs/api/interfaces/CreatePersistentVaultCoreDependenciesOptions.md +31 -1
- package/docs/api/interfaces/CreateVaultClientOptions.md +1 -1
- package/docs/api/interfaces/CreateVaultOptions.md +31 -1
- package/docs/api/interfaces/CreatedVault.md +1 -1
- package/docs/api/interfaces/DefaultPolicyEngineOptions.md +1 -1
- package/docs/api/interfaces/IStorageProvider.md +1 -1
- package/docs/api/interfaces/InitializeVaultCustodyOptions.md +1 -1
- package/docs/api/interfaces/InitializedVaultCustody.md +1 -1
- package/docs/api/interfaces/OwnerDefineSecretTargetsInput.md +1 -1
- package/docs/api/interfaces/OwnerSecretTargetBinding.md +1 -1
- package/docs/api/interfaces/OwnerStoreSecretInput.md +1 -1
- package/docs/api/interfaces/OwnerWriteSecretInput.md +1 -1
- package/docs/api/interfaces/RecoverVaultOptions.md +31 -1
- package/docs/api/interfaces/RecoveredVault.md +1 -1
- package/docs/api/interfaces/RestoreIdentityOptions.md +1 -1
- package/docs/api/interfaces/Signer.md +1 -1
- package/docs/api/interfaces/VaultAuditQueryInput.md +1 -1
- package/docs/api/interfaces/VaultClient.md +1 -1
- package/docs/api/interfaces/VaultCoreDependenciesOptions.md +19 -1
- package/docs/api/interfaces/VaultCreateAgentInput.md +1 -1
- package/docs/api/interfaces/VaultDeleteSecretInput.md +1 -1
- package/docs/api/interfaces/VaultExportSecretInput.md +1 -1
- package/docs/api/interfaces/VaultGrantCapabilityInput.md +71 -3
- package/docs/api/interfaces/VaultIdentity.md +1 -1
- package/docs/api/interfaces/VaultListAgentsInput.md +1 -1
- package/docs/api/interfaces/VaultListCapabilitiesInput.md +1 -1
- package/docs/api/interfaces/VaultMetadata.md +1 -1
- package/docs/api/interfaces/VaultObject.md +1 -1
- package/docs/api/interfaces/VaultProfile.md +1 -1
- package/docs/api/interfaces/VaultRegisterAgentInput.md +1 -1
- package/docs/api/interfaces/VaultRegisterFlowInput.md +1 -1
- package/docs/api/interfaces/VaultRevokeCapabilityInput.md +1 -1
- package/docs/api/interfaces/VaultSigner.md +1 -1
- package/docs/api/type-aliases/AgentCapabilityEnvelope.md +1 -1
- package/docs/api/type-aliases/CbioRuntimeModule.md +1 -1
- package/docs/api/variables/DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY.md +1 -1
- package/docs/zh/README.md +64 -39
- package/package.json +1 -1
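--- a/package/docs/zh/README.md
+++ b/package/docs/zh/README.md
@@ -1,60 +1,85 @@
-# cbio Vault Runtime
+# cbio Vault Runtime (中文文档)
 
-cbio
+cbio 权限核心运行时:采用 **Sovereign Vault(主权保险箱)** 架构。管理权限扎根于主密码,Agent 身份完全由保险箱加密存储托管。
 
-
+---
 
-
-- [根目录文档](../../README.md)
+## 核心特性
 
-
--
--
--
--
+- **库优先**:纯 JavaScript/TypeScript 库,无 CLI 或 TUI。
+- **权限中心化**:管理权限绑定于保险箱主密码,而非外部身份密钥。
+- **Agent 身份托管**:支持在保险箱内直接生成并加密存储 Agent 私钥。
+- **进程隔离**:安全进程(Security Process - 掌管主密码)与 Agent 进程(Consumer Process - 消费机密)的物理分离。
+- **零泄露发现**:保险箱元数据全加密,未解锁前对外部完全透明。
 
 ## 安装
 
+需要 Node.js >= 18。
+
 ```bash
 npm install @the-ai-company/cbio-node-runtime
 ```
 
-##
+## 使用指南
+
+### 1. 初始化保险箱
+
+主权保险箱仅需存储提供者(Storage Provider)和主密码。
 
 ```ts
-import {
-
-
-
-
-
-
-
-
-LocalVaultTransport,
-createVaultClient,
-createAgentClient,
-FsStorageProvider,
-} from '@the-ai-company/cbio-node-runtime';
+import { createVault, FsStorageProvider } from '@the-ai-company/cbio-node-runtime';
+
+const storage = new FsStorageProvider('./my-vaults');
+
+const myVault = await createVault(storage, {
+vaultId: 'main-vault',
+password: 'your-secure-password',
+nickname: '生产环境保险箱'
+});
 ```
 
-
+### 2. 托管 Agent 身份
 
-
-2. `clients/owner` 负责 owner 写入、明文导出、审计读取、以及 **Agent/权限管理**(`listAgents`, `listCapabilities`, `revokeCapability`)
-3. `clients/agent` 负责 agent 签名 dispatch 请求
-4. `vault-ingress` 负责在 vault 边界内部处理 capability 解析与 dispatch ingress
+你可以直接在保险箱内创建 Agent,私钥将由保险箱全程托管。
 
-
+```ts
+import { createVaultClient } from '@the-ai-company/cbio-node-runtime';
 
-
-- 通过 `recoverVault(...)` 用 owner 身份恢复持久化 vault
-- 分区存储:`vaults/` (具名保险箱) 与 `identities/` (身份私有空间)
-- 所有公开元数据(如昵称)现在遵循 `VaultPublicMetadata` 接口,并附带**数字签名**。SDK 自动验证其真实性。
+const client = createVaultClient({ vault: myVault.vault });
 
-
+// 一键生成并注册 Agent
+const [agentRecord, agentPrivateKey] = await client.createAgent({
+agentId: 'worker-1',
+nickname: '后台处理插件'
+});
+```
 
-
-
-
+### 3. 机密管理
+
+```ts
+// 写入机密并绑定目标
+const record = await client.writeSecret({
+alias: 'api-token',
+plaintext: 'secret-value',
+targetBindings: [{
+kind: 'site',
+targetId: 'my-api',
+targetUrl: 'https://api.example.com/endpoint',
+methods: ['POST']
+}]
+});
 ```
+
+---
+
+## 详细详细文档
+
+- [进程隔离 (A/B 架构)](../PROCESS_ISOLATION.md)
+- [根目录 README (英文)](../../README.md)
+
+## 架构原则
+
+1. **机密隔离**:机密明文绝不离开安全进程。
+2. **密码即权限**:主密码是唯一的管理授权来源。
+3. **可审计性**:所有管理动作在高层均记录为 `vault-master` 身份。
+4. **二元状态**:保险箱要么被解锁并可见,要么是磁盘上一堆加密的碎片。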