@the-ai-company/cbio-node-runtime 1.47.2 → 1.48.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +51 -23
- package/dist/clients/agent/client.js +1 -1
- package/dist/clients/agent/client.js.map +1 -1
- package/dist/clients/owner/client.js +34 -2
- package/dist/clients/owner/client.js.map +1 -1
- package/dist/clients/owner/contracts.d.ts +22 -1
- package/dist/vault-core/contracts.d.ts +38 -6
- package/dist/vault-core/contracts.js +6 -0
- package/dist/vault-core/contracts.js.map +1 -1
- package/dist/vault-core/core.d.ts +7 -0
- package/dist/vault-core/core.js +152 -7
- package/dist/vault-core/core.js.map +1 -1
- package/dist/vault-core/defaults.d.ts +11 -1
- package/dist/vault-core/defaults.js +42 -22
- package/dist/vault-core/defaults.js.map +1 -1
- package/dist/vault-core/errors.d.ts +2 -2
- package/dist/vault-core/errors.js.map +1 -1
- package/dist/vault-core/index.d.ts +3 -3
- package/dist/vault-core/index.js +1 -1
- package/dist/vault-core/index.js.map +1 -1
- package/dist/vault-core/persistence.js +3 -1
- package/dist/vault-core/persistence.js.map +1 -1
- package/dist/vault-core/ports.d.ts +7 -0
- package/dist/vault-ingress/defaults.js +1 -1
- package/dist/vault-ingress/defaults.js.map +1 -1
- package/dist/vault-ingress/index.d.ts +7 -1
- package/dist/vault-ingress/index.js +15 -6
- package/dist/vault-ingress/index.js.map +1 -1
- package/dist/vault-ingress/remote-transport.js +1 -1
- package/dist/vault-ingress/remote-transport.js.map +1 -1
- package/docs/ARCHITECTURE.md +3 -3
- package/docs/IDENTITY_MODEL.md +2 -1
- package/docs/REFERENCE.md +12 -4
- package/docs/api/README.md +2 -2
- package/docs/api/classes/IdentityError.md +1 -1
- package/docs/api/classes/VaultCore.md +55 -1
- package/docs/api/classes/VaultCoreError.md +3 -3
- package/docs/api/enumerations/IdentityErrorCode.md +1 -1
- package/docs/api/functions/createAgentClient.md +1 -1
- package/docs/api/functions/createIdentity.md +1 -1
- package/docs/api/functions/createOwnerHttpFlowBoundary.md +1 -1
- package/docs/api/functions/createPersistentVaultCoreDependencies.md +1 -1
- package/docs/api/functions/createStandardAcquireBoundary.md +1 -1
- package/docs/api/functions/createStandardDispatchBoundary.md +1 -1
- package/docs/api/functions/createVault.md +1 -1
- package/docs/api/functions/createVaultClient.md +1 -1
- package/docs/api/functions/createVaultCore.md +1 -1
- package/docs/api/functions/createVaultCoreDependencies.md +1 -1
- package/docs/api/functions/createVaultService.md +1 -1
- package/docs/api/functions/createWorkspaceStorage.md +1 -1
- package/docs/api/functions/deriveIdentityId.md +1 -1
- package/docs/api/functions/deriveVaultWorkingKeyFromPassword.md +1 -1
- package/docs/api/functions/getDefaultWorkspaceDir.md +1 -1
- package/docs/api/functions/handleVaultHttpDispatch.md +1 -1
- package/docs/api/functions/initializeVaultCustody.md +1 -1
- package/docs/api/functions/listVaults.md +1 -1
- package/docs/api/functions/readVaultProfile.md +1 -1
- package/docs/api/functions/recoverVault.md +1 -1
- package/docs/api/functions/recoverVaultWorkingKey.md +1 -1
- package/docs/api/functions/restoreIdentity.md +1 -1
- package/docs/api/functions/updateVaultMetadata.md +1 -1
- package/docs/api/functions/wrapVaultCoreAsVaultService.md +1 -1
- package/docs/api/functions/writeVaultProfile.md +1 -1
- package/docs/api/interfaces/AgentClient.md +1 -1
- package/docs/api/interfaces/AgentDispatchIntent.md +1 -1
- package/docs/api/interfaces/AgentDispatchTransport.md +1 -1
- package/docs/api/interfaces/AgentIdentity.md +1 -1
- package/docs/api/interfaces/AgentSigner.md +1 -1
- package/docs/api/interfaces/CbioRuntime.md +1 -1
- package/docs/api/interfaces/CreateAgentClientOptions.md +1 -1
- package/docs/api/interfaces/CreateIdentityOptions.md +1 -1
- package/docs/api/interfaces/CreatePersistentVaultCoreDependenciesOptions.md +31 -1
- package/docs/api/interfaces/CreateVaultClientOptions.md +1 -1
- package/docs/api/interfaces/CreateVaultOptions.md +31 -1
- package/docs/api/interfaces/CreatedVault.md +1 -1
- package/docs/api/interfaces/DefaultPolicyEngineOptions.md +1 -1
- package/docs/api/interfaces/IStorageProvider.md +1 -1
- package/docs/api/interfaces/InitializeVaultCustodyOptions.md +1 -1
- package/docs/api/interfaces/InitializedVaultCustody.md +1 -1
- package/docs/api/interfaces/OwnerDefineSecretTargetsInput.md +1 -1
- package/docs/api/interfaces/OwnerSecretTargetBinding.md +1 -1
- package/docs/api/interfaces/OwnerStoreSecretInput.md +1 -1
- package/docs/api/interfaces/OwnerWriteSecretInput.md +1 -1
- package/docs/api/interfaces/RecoverVaultOptions.md +31 -1
- package/docs/api/interfaces/RecoveredVault.md +1 -1
- package/docs/api/interfaces/RestoreIdentityOptions.md +1 -1
- package/docs/api/interfaces/Signer.md +1 -1
- package/docs/api/interfaces/VaultAuditQueryInput.md +1 -1
- package/docs/api/interfaces/VaultClient.md +1 -1
- package/docs/api/interfaces/VaultCoreDependenciesOptions.md +19 -1
- package/docs/api/interfaces/VaultCreateAgentInput.md +1 -1
- package/docs/api/interfaces/VaultDeleteSecretInput.md +1 -1
- package/docs/api/interfaces/VaultExportSecretInput.md +1 -1
- package/docs/api/interfaces/VaultGrantCapabilityInput.md +65 -3
- package/docs/api/interfaces/VaultIdentity.md +1 -1
- package/docs/api/interfaces/VaultListAgentsInput.md +1 -1
- package/docs/api/interfaces/VaultListCapabilitiesInput.md +1 -1
- package/docs/api/interfaces/VaultMetadata.md +1 -1
- package/docs/api/interfaces/VaultObject.md +1 -1
- package/docs/api/interfaces/VaultProfile.md +1 -1
- package/docs/api/interfaces/VaultRegisterAgentInput.md +1 -1
- package/docs/api/interfaces/VaultRegisterFlowInput.md +1 -1
- package/docs/api/interfaces/VaultRevokeCapabilityInput.md +1 -1
- package/docs/api/interfaces/VaultSigner.md +1 -1
- package/docs/api/type-aliases/AgentCapabilityEnvelope.md +1 -1
- package/docs/api/type-aliases/CbioRuntimeModule.md +1 -1
- package/docs/api/variables/DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY.md +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -11,6 +11,7 @@ Node.js vault runtime with a **Sovereign Vault** architecture: authority is root
|
|
|
11
11
|
- **No CLI / No TUI**: Pure library for integration into Node.js applications.
|
|
12
12
|
- **Authority-centric**: Administrative control is tied to the vault's master password, not an external identity.
|
|
13
13
|
- **Managed Agent Custody**: Generate and store agent private keys securely inside the vault.
|
|
14
|
+
- **Agent Session Tokens**: Issue revocable, short-lived (or long-lived) tokens for agents to avoid handling raw private keys.
|
|
14
15
|
- **Process Isolation**: Hard separation between the Security Process (Master) and Agent Processes (Consumers).
|
|
15
16
|
- **Zero-Leak Discovery**: Vault metadata is fully encrypted and hidden until unlocked.
|
|
16
17
|
|
|
@@ -74,9 +75,14 @@ const [agentRecord, agentPrivateKey] = await client.createAgent({
|
|
|
74
75
|
|
|
75
76
|
console.log(`Agent public key: ${agentRecord.publicKey}`);
|
|
76
77
|
// Private key is returned during creation and stored securely in the vault.
|
|
78
|
+
|
|
79
|
+
// 4. Issue a Session Token (Optional but Recommended)
|
|
80
|
+
// Avoid passing the raw private key to agent processes.
|
|
81
|
+
const session = await client.issueSessionToken({ agentId: 'worker-1' });
|
|
82
|
+
console.log(`Session Token: ${session.token}`);
|
|
77
83
|
```
|
|
78
84
|
|
|
79
|
-
###
|
|
85
|
+
### 5. Secret Management (Owner)
|
|
80
86
|
|
|
81
87
|
```ts
|
|
82
88
|
// Write a secret and bind it to a target site
|
|
@@ -91,40 +97,43 @@ const record = await client.writeSecret({
|
|
|
91
97
|
}]
|
|
92
98
|
});
|
|
93
99
|
|
|
94
|
-
// Grant
|
|
100
|
+
// 4. Grant agent capabilities (Simplified Flattened API)
|
|
95
101
|
await client.grantCapability({
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
operation: 'dispatch_http',
|
|
102
|
-
allowedTargets: ['https://api.example.com/endpoint'],
|
|
103
|
-
allowedMethods: ['POST'],
|
|
104
|
-
issuedAt: new Date().toISOString()
|
|
105
|
-
}
|
|
102
|
+
agentId: 'worker-1',
|
|
103
|
+
secretAliases: ['api-token'],
|
|
104
|
+
allowedTargets: ['https://api.example.com/*'],
|
|
105
|
+
requiresApproval: true,
|
|
106
|
+
skipAudit: false // Optional, defaults to false
|
|
106
107
|
});
|
|
107
108
|
```
|
|
108
109
|
|
|
109
|
-
###
|
|
110
|
+
### 6. Consuming Secrets (Agent)
|
|
110
111
|
|
|
111
|
-
Agents run in isolated processes and communicate with the vault via a transport.
|
|
112
|
+
Agents run in isolated processes and communicate with the vault via a transport. They can use either a **Session Token** (recommended) or a **Signature** (raw private key).
|
|
112
113
|
|
|
114
|
+
#### Using a Session Token (Stateless/Token-based)
|
|
113
115
|
```ts
|
|
114
|
-
import { createAgentClient
|
|
116
|
+
import { createAgentClient } from '@the-ai-company/cbio-node-runtime';
|
|
115
117
|
|
|
116
118
|
const agent = createAgentClient({
|
|
117
119
|
agentIdentity: { agentId: 'worker-1' },
|
|
118
|
-
capability: myCapability,
|
|
119
|
-
|
|
120
|
-
|
|
120
|
+
capability: myCapability,
|
|
121
|
+
token: session.token, // Issued by the owner
|
|
122
|
+
vault: vault.vault
|
|
121
123
|
});
|
|
122
124
|
|
|
123
|
-
const result = await agent.dispatch({
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
|
|
125
|
+
const result = await agent.dispatch({ ... });
|
|
126
|
+
```
|
|
127
|
+
|
|
128
|
+
#### Using a Signature (Stateful/Key-based)
|
|
129
|
+
```ts
|
|
130
|
+
import { createAgentClient, LocalSigner } from '@the-ai-company/cbio-node-runtime';
|
|
131
|
+
|
|
132
|
+
const agent = createAgentClient({
|
|
133
|
+
agentIdentity: { agentId: 'worker-1' },
|
|
134
|
+
capability: myCapability,
|
|
135
|
+
signer: new LocalSigner({ privateKey: agentPrivateKey }),
|
|
136
|
+
vault: vault.vault
|
|
128
137
|
});
|
|
129
138
|
```
|
|
130
139
|
|
|
@@ -142,6 +151,25 @@ const result = await agent.dispatch({
|
|
|
142
151
|
3. **Auditability**: Every administrative and agent action is recorded in the vault's audit log under the `vault-master` or agent principal.
|
|
143
152
|
4. **Binary Discovery**: Either the vault is unlocked and visible, or it is a silent directory of encrypted shards.
|
|
144
153
|
|
|
154
|
+
### Human-in-the-Loop (HITL) Workflow
|
|
155
|
+
|
|
156
|
+
If a capability is granted with `requiresApproval: true`, the agent's dispatch will be paused until an owner approves it:
|
|
157
|
+
|
|
158
|
+
```ts
|
|
159
|
+
// In Agent process
|
|
160
|
+
const result = await agent.dispatch({ ... });
|
|
161
|
+
if (result.status === 'PENDING') {
|
|
162
|
+
console.log("Waiting for owner approval...");
|
|
163
|
+
}
|
|
164
|
+
|
|
165
|
+
// In Owner process (GUI or Script)
|
|
166
|
+
const pending = await client.listPendingDispatches();
|
|
167
|
+
if (pending.length > 0) {
|
|
168
|
+
// Inspect and approve the request
|
|
169
|
+
await client.approveDispatch(pending[0].requestId);
|
|
170
|
+
}
|
|
171
|
+
```
|
|
172
|
+
|
|
145
173
|
## Build & Test
|
|
146
174
|
|
|
147
175
|
```bash
|
|
@@ -64,7 +64,7 @@ class DefaultAgentClient {
|
|
|
64
64
|
expiresAt: this._capability.expiresAt,
|
|
65
65
|
revocationVersion: this._capability.revocationVersion,
|
|
66
66
|
rateLimit: this._capability.rateLimit,
|
|
67
|
-
|
|
67
|
+
skipAudit: this._capability.skipAudit,
|
|
68
68
|
},
|
|
69
69
|
proof: {
|
|
70
70
|
agentId: this._identity.agentId,
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/clients/agent/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAEvD,OAAO,EAAE,WAAW,EAAc,MAAM,2BAA2B,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,iCAAiC,CAAC;AA+CtE,SAAS,qBAAqB,CAC5B,SAAiB,EACjB,WAAmB,EACnB,OAAe,EACf,YAAoB,EACpB,WAA+B,EAC/B,SAAiB,EACjB,MAAc,EACd,IAAa;IAEb,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,SAAS;QACT,WAAW;QACX,OAAO;QACP,YAAY;QACZ,WAAW,EAAE,WAAW,IAAI,IAAI;QAChC,SAAS;QACT,MAAM;QACN,IAAI,EAAE,IAAI,IAAI,IAAI;KACnB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,kBAAkB;IAEH;IACA;IACA;IACA;IACA;IACA;IANnB,YACmB,SAAwB,EACxB,WAAoC,EACpC,OAAgC,EAChC,UAAkC,EAClC,MAAa,EACb,MAAe;QALf,cAAS,GAAT,SAAS,CAAe;QACxB,gBAAW,GAAX,WAAW,CAAyB;QACpC,YAAO,GAAP,OAAO,CAAyB;QAChC,eAAU,GAAV,UAAU,CAAwB;QAClC,WAAM,GAAN,MAAM,CAAO;QACb,WAAM,GAAN,MAAM,CAAS;IAC/B,CAAC;IAEJ,KAAK,CAAC,QAAQ,CAAC,MAA2B;QACxC,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC/D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,IAAI,MAAM,CAAC,WAAW,IAAI,WAAW,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAEnH,IAAI,SAA6B,CAAC;QAClC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,iCAAiC;QACnC,CAAC;aAAM,CAAC;YACN,qCAAqC;YACrC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;gBAClB,MAAM,IAAI,KAAK,CAAC,2FAA2F,CAAC,CAAC;YAC/G,CAAC;YACD,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CACjC,qBAAqB,CACnB,SAAS,EACT,WAAW,EACX,IAAI,CAAC,SAAS,CAAC,OAAO,EACtB,IAAI,CAAC,WAAW,CAAC,YAAY,EAC7B,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,SAAS,EAChB,MAAM,CAAC,MAAM,EACb,MAAM,CAAC,IAAI,CACZ,CACF,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;YAC9B,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;YACjC,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,UAAU,EAAE;gBACV,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;gBACjC,YAAY,EAAE,IAAI,CAAC,WAAW,CAAC,YAAY;gBAC3C,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;gBACjC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,aAAa,EAAE,IAAI,CAAC,WAAW,CAAC,aAAa;gBAC7C,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,cAAc,EAAE,IAAI,CAAC,WAAW,CAAC,cAAc;gBAC/C,cAAc,EAAE,IAAI,CAAC,WAAW,CAAC,cAAc;gBAC/C,YAAY,EAAE,IAAI,CAAC,WAAW,CAAC,YAAY;gBAC3C,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;gBACnC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,iBAAiB,EAAE,IAAI,CAAC,WAAW,CAAC,iBAAiB;gBACrD,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,
|
|
1
|
+
{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/clients/agent/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAEvD,OAAO,EAAE,WAAW,EAAc,MAAM,2BAA2B,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,iCAAiC,CAAC;AA+CtE,SAAS,qBAAqB,CAC5B,SAAiB,EACjB,WAAmB,EACnB,OAAe,EACf,YAAoB,EACpB,WAA+B,EAC/B,SAAiB,EACjB,MAAc,EACd,IAAa;IAEb,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,SAAS;QACT,WAAW;QACX,OAAO;QACP,YAAY;QACZ,WAAW,EAAE,WAAW,IAAI,IAAI;QAChC,SAAS;QACT,MAAM;QACN,IAAI,EAAE,IAAI,IAAI,IAAI;KACnB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,kBAAkB;IAEH;IACA;IACA;IACA;IACA;IACA;IANnB,YACmB,SAAwB,EACxB,WAAoC,EACpC,OAAgC,EAChC,UAAkC,EAClC,MAAa,EACb,MAAe;QALf,cAAS,GAAT,SAAS,CAAe;QACxB,gBAAW,GAAX,WAAW,CAAyB;QACpC,YAAO,GAAP,OAAO,CAAyB;QAChC,eAAU,GAAV,UAAU,CAAwB;QAClC,WAAM,GAAN,MAAM,CAAO;QACb,WAAM,GAAN,MAAM,CAAS;IAC/B,CAAC;IAEJ,KAAK,CAAC,QAAQ,CAAC,MAA2B;QACxC,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC/D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,IAAI,MAAM,CAAC,WAAW,IAAI,WAAW,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAEnH,IAAI,SAA6B,CAAC;QAClC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,iCAAiC;QACnC,CAAC;aAAM,CAAC;YACN,qCAAqC;YACrC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;gBAClB,MAAM,IAAI,KAAK,CAAC,2FAA2F,CAAC,CAAC;YAC/G,CAAC;YACD,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CACjC,qBAAqB,CACnB,SAAS,EACT,WAAW,EACX,IAAI,CAAC,SAAS,CAAC,OAAO,EACtB,IAAI,CAAC,WAAW,CAAC,YAAY,EAC7B,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,SAAS,EAChB,MAAM,CAAC,MAAM,EACb,MAAM,CAAC,IAAI,CACZ,CACF,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;YAC9B,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;YACjC,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,UAAU,EAAE;gBACV,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;gBACjC,YAAY,EAAE,IAAI,CAAC,WAAW,CAAC,YAAY;gBAC3C,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;gBACjC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,aAAa,EAAE,IAAI,CAAC,WAAW,CAAC,aAAa;gBAC7C,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,cAAc,EAAE,IAAI,CAAC,WAAW,CAAC,cAAc;gBAC/C,cAAc,EAAE,IAAI,CAAC,WAAW,CAAC,cAAc;gBAC/C,YAAY,EAAE,IAAI,CAAC,WAAW,CAAC,YAAY;gBAC3C,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;gBACnC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,iBAAiB,EAAE,IAAI,CAAC,WAAW,CAAC,iBAAiB;gBACrD,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;aACtC;YACD,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,SAAS;gBACT,KAAK,EAAE,IAAI,CAAC,MAAM;gBAClB,SAAS;gBACT,WAAW;aACZ;YACD,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,IAAI,EAAE,MAAM,CAAC,IAAI;SAClB,CAAC,CAAC;IACL,CAAC;CACF;AAED,SAAS,0BAA0B,CAAC,KAAc;IAChD,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,eAAe,IAAI,KAAK,IAAI,YAAY,IAAI,KAAK,CAAC;AAC1G,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAsC;IAC/D,OAAO,YAAY,IAAI,KAAK,IAAI,WAAW,IAAI,KAAK,CAAC;AACvD,CAAC;AAED,SAAS,kBAAkB,CAAC,OAAiC;IAC3D,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,OAAO,OAAO,CAAC,MAAM,CAAC;IACxB,CAAC;IACD,IAAI,iBAAiB,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;QAC7C,OAAO,IAAI,WAAW,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,OAAO,SAAS,CAAC,CAAC,uCAAuC;IAC3D,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,sFAAsF,CAAC,CAAC;AAC1G,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAiC;IAC7D,OAAO,SAAS,IAAI,OAAO,CAAC,aAAa;QACvC,CAAC,CAAC,OAAO,CAAC,aAAa;QACvB,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC;AACpD,CAAC;AAED,SAAS,qBAAqB,CAC5B,OAAiC;IAEjC,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QACtB,OAAO,OAAO,CAAC,SAAS,CAAC;IAC3B,CAAC;IACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,OAAO,IAAI,mBAAmB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAChD,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAiC;IACjE,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IACD,OAAO,IAAI,kBAAkB,CAC3B,oBAAoB,CAAC,OAAO,CAAC,EAC7B,OAAO,CAAC,UAAU,EAClB,kBAAkB,CAAC,OAAO,CAAC,EAC3B,qBAAqB,CAAC,OAAO,CAAC,EAC9B,OAAO,CAAC,KAAK,IAAI,IAAI,WAAW,EAAE,EAClC,OAAO,CAAC,KAAK,CACd,CAAC;AACJ,CAAC"}
|
|
@@ -131,10 +131,20 @@ class DefaultVaultClient {
|
|
|
131
131
|
}
|
|
132
132
|
async grantCapability(input) {
|
|
133
133
|
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
134
|
-
const
|
|
134
|
+
const capabilityId = input.capabilityId ?? `cap_${crypto.randomUUID()}`;
|
|
135
|
+
const requestId = `${this._identityId}:${requestedAt}:${capabilityId}:register_capability`;
|
|
135
136
|
const capability = {
|
|
136
|
-
...input.capability,
|
|
137
137
|
vaultId: this._vault.vaultId,
|
|
138
|
+
agentId: input.agentId,
|
|
139
|
+
capabilityId,
|
|
140
|
+
operation: input.operation ?? "dispatch_http",
|
|
141
|
+
secretAliases: input.secretAliases ? [...input.secretAliases] : [],
|
|
142
|
+
allowedTargets: input.allowedTargets ? [...input.allowedTargets] : [],
|
|
143
|
+
allowedMethods: input.allowedMethods ? [...input.allowedMethods] : [],
|
|
144
|
+
allowedPaths: input.allowedPaths ? [...input.allowedPaths] : [],
|
|
145
|
+
rateLimit: input.rateLimit,
|
|
146
|
+
skipAudit: input.skipAudit,
|
|
147
|
+
issuedAt: requestedAt,
|
|
138
148
|
};
|
|
139
149
|
await this._vault.registerCapability({
|
|
140
150
|
vaultId: this._vault.vaultId,
|
|
@@ -249,6 +259,28 @@ class DefaultVaultClient {
|
|
|
249
259
|
token: input.token,
|
|
250
260
|
});
|
|
251
261
|
}
|
|
262
|
+
async listPendingDispatches() {
|
|
263
|
+
return this._vault.listPendingDispatches({
|
|
264
|
+
vaultId: this._vault.vaultId,
|
|
265
|
+
owner: { kind: "owner", id: this._identityId },
|
|
266
|
+
});
|
|
267
|
+
}
|
|
268
|
+
async approveDispatch(input) {
|
|
269
|
+
return this._vault.approveDispatch({
|
|
270
|
+
vaultId: this._vault.vaultId,
|
|
271
|
+
requestId: input.requestId,
|
|
272
|
+
permanent: input.permanent,
|
|
273
|
+
skipAudit: input.skipAudit,
|
|
274
|
+
owner: { kind: "owner", id: this._identityId },
|
|
275
|
+
});
|
|
276
|
+
}
|
|
277
|
+
async rejectDispatch(requestId) {
|
|
278
|
+
return this._vault.rejectDispatch({
|
|
279
|
+
vaultId: this._vault.vaultId,
|
|
280
|
+
requestId,
|
|
281
|
+
owner: { kind: "owner", id: this._identityId },
|
|
282
|
+
});
|
|
283
|
+
}
|
|
252
284
|
}
|
|
253
285
|
function isCreateVaultClientOptions(value) {
|
|
254
286
|
return typeof value === "object" && value !== null && "vault" in value;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/clients/owner/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACvD,OAAO,EAAE,cAAc,EAAwB,MAAM,2BAA2B,CAAC;AACjF,OAAO,EAAE,WAAW,EAAc,MAAM,2BAA2B,CAAC;
|
|
1
|
+
{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/clients/owner/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACvD,OAAO,EAAE,cAAc,EAAwB,MAAM,2BAA2B,CAAC;AACjF,OAAO,EAAE,WAAW,EAAc,MAAM,2BAA2B,CAAC;AAyGpE,MAAM,eAAe,GAAG,cAAc,CAAC;AAEvC,MAAM,kBAAkB;IAIH;IACA;IACA;IACA;IANF,WAAW,CAAS;IAErC,YACmB,MAAoB,EACpB,SAAyB,EACzB,OAAqB,EACrB,SAAgB,IAAI,WAAW,EAAE;QAHjC,WAAM,GAAN,MAAM,CAAc;QACpB,cAAS,GAAT,SAAS,CAAgB;QACzB,YAAO,GAAP,OAAO,CAAc;QACrB,WAAM,GAAN,MAAM,CAA2B;QAElD,IAAI,CAAC,WAAW,GAAG,SAAS,EAAE,UAAU,IAAI,eAAe,CAAC;IAC9D,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAA4B;QAC5C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,WAAW,IAAI,WAAW,IAAI,KAAK,CAAC,KAAK,eAAe,CAAC;QAEnF,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;YAC7B,IAAI,EAAE,oBAAoB;YAC1B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,WAAW;aACrB;YACD,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,cAAc,EAAE,EAAE;YAClB,WAAW;SACZ,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,mBAAmB,CAAC,KAAoC;QAC5D,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,WAAW,IAAI,WAAW,IAAI,KAAK,CAAC,KAAK,wBAAwB,CAAC;QAC5F,MAAM,cAAc,GAAG,CAAC,GAAG,KAAK,CAAC,cAAc,CAAC,CAAC;QAEjD,OAAO,IAAI,CAAC,MAAM,CAAC,mBAAmB,CAAC;YACrC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,WAAW;aACrB;YACD,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,cAAc;YACd,WAAW;SACZ,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAA4B;QAC5C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,WAAW,IAAI,WAAW,IAAI,KAAK,CAAC,KAAK,eAAe,CAAC;QACnF,MAAM,cAAc,GAAG,CAAC,GAAG,KAAK,CAAC,cAAc,CAAC,CAAC;QAEjD,OAAO,IAAI,CAAC,MAAM,CAAC,WAAW,CAAC;YAC7B,IAAI,EAAE,oBAAoB;YAC1B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,WAAW;aACrB;YACD,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,cAAc;YACd,WAAW;SACZ,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,QAA8B,EAAE;QAC9C,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,WAAW,IAAI,WAAW,aAAa,CAAC;QAElE,OAAO,IAAI,CAAC,MAAM,CAAC,SAAS,CAAC;YAC3B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,WAAW;aACrB;YACD,KAAK;YACL,SAAS;YACT,WAAW;SACZ,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAA6B;QAC9C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,WAAW,IAAI,WAAW,IAAI,KAAK,CAAC,KAAK,gBAAgB,CAAC;QAEpF,OAAO,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;YAC9B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,WAAW;aACrB;YACD,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,SAAS;YACT,WAAW;SACZ,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,KAA8B;QAChD,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,WAAW,IAAI,WAAW,IAAI,KAAK,CAAC,OAAO,0BAA0B,CAAC;QAChG,MAAM,aAAa,GAAG;YACpB,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,UAAU,EAAE,KAAK,CAAC,UAAU;YAC5B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ;SACzB,CAAC;QAEF,MAAM,IAAI,CAAC,MAAM,CAAC,qBAAqB,CAAC;YACtC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,WAAW;aACrB;YACD,aAAa;YACb,WAAW;SACZ,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,KAA4B;QAC5C,MAAM,QAAQ,GAAG,cAAc,EAAE,CAAC;QAClC,MAAM,MAAM,GAAG;YACb,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS,EAAE,QAAQ,CAAC,SAAS;YAC7B,UAAU,EAAE,QAAQ,CAAC,UAAU;YAC/B,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ;SACzB,CAAC;QAEF,MAAM,IAAI,CAAC,aAAa,CAAC,MAAM,CAAC,CAAC;QACjC,OAAO,CAAC,MAAM,EAAE,QAAQ,CAAC,UAAU,CAAU,CAAC;IAChD,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,KAAgC;QACpD,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,YAAY,GAAG,KAAK,CAAC,YAAY,IAAI,OAAO,MAAM,CAAC,UAAU,EAAE,EAAE,CAAC;QACxE,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,WAAW,IAAI,WAAW,IAAI,YAAY,sBAAsB,CAAC;QAE3F,MAAM,UAAU,GAAwD;YACtE,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,YAAY;YACZ,SAAS,EAAG,KAAK,CAAC,SAAiB,IAAI,eAAe;YACtD,aAAa,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,EAAE;YAClE,cAAc,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,EAAE;YACrE,cAAc,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC,EAAE;YACrE,YAAY,EAAE,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,EAAE;YAC/D,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,QAAQ,EAAE,WAAW;SACtB,CAAC;QAEF,MAAM,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC;YACnC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,WAAW;aACrB;YACD,UAAU;YACV,WAAW;SACZ,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAA6B;QAC9C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,WAAW,IAAI,WAAW,IAAI,KAAK,CAAC,MAAM,uBAAuB,CAAC;QAC5F,MAAM,IAAI,GAAG;YACX,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,kBAAkB,EAAE,KAAK,CAAC,kBAAkB;YAC5C,cAAc,EAAE,KAAK,CAAC,cAAc;SACrC,CAAC;QAEF,MAAM,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC;YACnC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,WAAW;aACrB;YACD,IAAI;YACJ,WAAW;SACZ,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,KAA6B;QAC9C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,WAAW,IAAI,WAAW,IAAI,KAAK,CAAC,KAAK,gBAAgB,CAAC;QAEpF,MAAM,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;YAC7B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,WAAW;aACrB;YACD,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,WAAW;SACZ,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,QAA8B,EAAE;QAC/C,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,WAAW,IAAI,WAAW,cAAc,CAAC;QAEnE,OAAO,IAAI,CAAC,MAAM,CAAC,UAAU,CAAC;YAC5B,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,WAAW;aACrB;SACF,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,QAAoC,EAAE;QAC3D,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,WAAW,IAAI,WAAW,oBAAoB,CAAC;QAEzE,OAAO,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC;YAClC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,WAAW;aACrB;YACD,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,gBAAgB,CAAC,KAAiC;QACtD,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,WAAW,IAAI,WAAW,oBAAoB,CAAC;QAEzE,OAAO,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC;YAClC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,WAAW;aACrB;YACD,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,YAAY,EAAE,KAAK,CAAC,YAAY;SACjC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,iBAAiB,CAAC,KAAkC;QACxD,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,WAAW,IAAI,WAAW,sBAAsB,CAAC;QAE3E,OAAO,IAAI,CAAC,MAAM,CAAC,iBAAiB,CAAC;YACnC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,WAAW;aACrB;YACD,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS;YACT,WAAW;SACZ,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,KAAmC;QAC1D,OAAO,IAAI,CAAC,MAAM,CAAC,kBAAkB,CAAC;YACpC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,WAAW;aACrB;YACD,KAAK,EAAE,KAAK,CAAC,KAAK;SACnB,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,qBAAqB;QACzB,OAAO,IAAI,CAAC,MAAM,CAAC,qBAAqB,CAAC;YACvC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,WAAW,EAAE;SAC/C,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,KAAgC;QACpD,OAAO,IAAI,CAAC,MAAM,CAAC,eAAe,CAAC;YACjC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,SAAS,EAAE,KAAK,CAAC,SAAS;YAC1B,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,WAAW,EAAE;SAC/C,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,SAAiB;QACpC,OAAO,IAAI,CAAC,MAAM,CAAC,cAAc,CAAC;YAChC,OAAO,EAAE,IAAI,CAAC,MAAM,CAAC,OAAO;YAC5B,SAAS;YACT,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,WAAW,EAAE;SAC/C,CAAC,CAAC;IACL,CAAC;CACF;AAED,SAAS,0BAA0B,CAAC,KAAc;IAChD,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,OAAO,IAAI,KAAK,CAAC;AACzE,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAsC;IAC/D,OAAO,YAAY,IAAI,KAAK,IAAI,WAAW,IAAI,KAAK,CAAC;AACvD,CAAC;AAED,SAAS,kBAAkB,CAAC,QAA0C,EAAE,MAAoB;IAC1F,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC;IAChB,CAAC;IACD,IAAI,QAAQ,IAAI,iBAAiB,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5C,OAAO,IAAI,WAAW,CAAC,QAAQ,CAAC,CAAC;IACnC,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAiC;IAC7D,IAAI,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC;QAC3B,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,OAAO;QACL,UAAU,EAAE,OAAO,CAAC,aAAa,CAAC,UAAU;KAC7C,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAiC;IACjE,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,mEAAmE,CAAC,CAAC;IACvF,CAAC;IACD,OAAO,IAAI,kBAAkB,CAC3B,OAAO,CAAC,KAAK,EACb,oBAAoB,CAAC,OAAO,CAAC,EAC7B,kBAAkB,CAAC,OAAO,CAAC,aAAa,EAAE,OAAO,CAAC,MAAM,CAAC,EACzD,OAAO,CAAC,KAAK,IAAI,IAAI,WAAW,EAAE,CACnC,CAAC;AACJ,CAAC"}
|
|
@@ -51,7 +51,25 @@ export interface VaultRegisterFlowInput extends OwnerHttpFlowBoundary {
|
|
|
51
51
|
requestedAt?: string;
|
|
52
52
|
}
|
|
53
53
|
export interface VaultGrantCapabilityInput {
|
|
54
|
-
|
|
54
|
+
agentId: string;
|
|
55
|
+
capabilityId?: string;
|
|
56
|
+
operation?: string;
|
|
57
|
+
secretAliases?: readonly string[];
|
|
58
|
+
allowedTargets?: readonly string[];
|
|
59
|
+
allowedMethods?: readonly string[];
|
|
60
|
+
allowedPaths?: readonly string[];
|
|
61
|
+
expiresIn?: number;
|
|
62
|
+
rateLimit?: {
|
|
63
|
+
maxRequests: number;
|
|
64
|
+
windowMs: number;
|
|
65
|
+
};
|
|
66
|
+
skipAudit?: boolean;
|
|
67
|
+
requestedAt?: string;
|
|
68
|
+
}
|
|
69
|
+
export interface VaultApproveDispatchInput {
|
|
70
|
+
requestId: string;
|
|
71
|
+
permanent?: boolean;
|
|
72
|
+
skipAudit?: boolean;
|
|
55
73
|
requestedAt?: string;
|
|
56
74
|
}
|
|
57
75
|
export interface VaultDeleteSecretInput {
|
|
@@ -96,4 +114,7 @@ export interface VaultClient {
|
|
|
96
114
|
revokeCapability(input: VaultRevokeCapabilityInput): Promise<void>;
|
|
97
115
|
issueSessionToken(input: VaultIssueSessionTokenInput): Promise<import("../../vault-core/index.js").OwnerSessionToken>;
|
|
98
116
|
revokeSessionToken(input: VaultRevokeSessionTokenInput): Promise<void>;
|
|
117
|
+
listPendingDispatches(): Promise<readonly import("../../vault-core/index.js").PendingDispatchRecord[]>;
|
|
118
|
+
approveDispatch(input: VaultApproveDispatchInput): Promise<import("../../vault-core/index.js").DispatchResult>;
|
|
119
|
+
rejectDispatch(requestId: string): Promise<void>;
|
|
99
120
|
}
|
|
@@ -157,7 +157,7 @@ export interface AgentCapability {
|
|
|
157
157
|
maxRequests: number;
|
|
158
158
|
windowMs: number;
|
|
159
159
|
};
|
|
160
|
-
|
|
160
|
+
skipAudit?: boolean;
|
|
161
161
|
}
|
|
162
162
|
export interface AgentProof {
|
|
163
163
|
agentId: string;
|
|
@@ -166,6 +166,30 @@ export interface AgentProof {
|
|
|
166
166
|
signature?: string;
|
|
167
167
|
token?: string;
|
|
168
168
|
}
|
|
169
|
+
export interface PendingDispatchRecord {
|
|
170
|
+
requestId: string;
|
|
171
|
+
agentId: string;
|
|
172
|
+
capabilityId?: string;
|
|
173
|
+
secretAlias: string;
|
|
174
|
+
targetUrl: string;
|
|
175
|
+
method: string;
|
|
176
|
+
headers?: Record<string, string>;
|
|
177
|
+
body?: string;
|
|
178
|
+
requestedAt: string;
|
|
179
|
+
proof: AgentProof;
|
|
180
|
+
}
|
|
181
|
+
export interface OwnerApproveDispatchCommand {
|
|
182
|
+
vaultId: VaultId;
|
|
183
|
+
requestId: string;
|
|
184
|
+
owner: VaultPrincipal;
|
|
185
|
+
permanent?: boolean;
|
|
186
|
+
skipAudit?: boolean;
|
|
187
|
+
}
|
|
188
|
+
export interface OwnerRejectDispatchCommand {
|
|
189
|
+
vaultId: VaultId;
|
|
190
|
+
requestId: string;
|
|
191
|
+
owner: VaultPrincipal;
|
|
192
|
+
}
|
|
169
193
|
export interface DispatchRequest {
|
|
170
194
|
vaultId: VaultId;
|
|
171
195
|
requestId: string;
|
|
@@ -173,7 +197,7 @@ export interface DispatchRequest {
|
|
|
173
197
|
agent: VaultPrincipal & {
|
|
174
198
|
kind: "agent";
|
|
175
199
|
};
|
|
176
|
-
capability
|
|
200
|
+
capability?: AgentCapability;
|
|
177
201
|
proof: AgentProof;
|
|
178
202
|
secretAlias?: string;
|
|
179
203
|
targetUrl: string;
|
|
@@ -181,12 +205,14 @@ export interface DispatchRequest {
|
|
|
181
205
|
headers?: Record<string, string>;
|
|
182
206
|
body?: string;
|
|
183
207
|
}
|
|
208
|
+
export type DispatchDecision = "allow" | "deny" | "pending";
|
|
184
209
|
export interface DispatchAuthorization {
|
|
185
210
|
vaultId: VaultId;
|
|
186
|
-
decision:
|
|
211
|
+
decision: DispatchDecision;
|
|
187
212
|
reason: string | null;
|
|
188
213
|
secretId: SecretId | null;
|
|
189
214
|
executorTarget: VaultTargetBinding | null;
|
|
215
|
+
capability?: AgentCapability;
|
|
190
216
|
}
|
|
191
217
|
export interface DispatchInstruction {
|
|
192
218
|
vaultId: VaultId;
|
|
@@ -200,7 +226,9 @@ export interface DispatchInstruction {
|
|
|
200
226
|
export declare enum DispatchStatus {
|
|
201
227
|
SUCCEEDED = "SUCCEEDED",
|
|
202
228
|
DENIED = "DENIED",
|
|
203
|
-
FAILED = "FAILED"
|
|
229
|
+
FAILED = "FAILED",
|
|
230
|
+
PENDING = "PENDING",
|
|
231
|
+
STALLED = "STALLED"
|
|
204
232
|
}
|
|
205
233
|
export interface DispatchResult {
|
|
206
234
|
vaultId: VaultId;
|
|
@@ -234,13 +262,17 @@ export declare enum AuditAction {
|
|
|
234
262
|
LIST_CAPABILITIES = "LIST_CAPABILITIES",
|
|
235
263
|
READ_AUDIT = "READ_AUDIT",
|
|
236
264
|
ISSUE_SESSION_TOKEN = "ISSUE_SESSION_TOKEN",
|
|
237
|
-
REVOKE_SESSION_TOKEN = "REVOKE_SESSION_TOKEN"
|
|
265
|
+
REVOKE_SESSION_TOKEN = "REVOKE_SESSION_TOKEN",
|
|
266
|
+
APPROVE_DISPATCH = "APPROVE_DISPATCH",
|
|
267
|
+
REJECT_DISPATCH = "REJECT_DISPATCH",
|
|
268
|
+
STALL_DISPATCH = "STALL_DISPATCH"
|
|
238
269
|
}
|
|
239
270
|
export declare enum AuditOutcome {
|
|
240
271
|
ALLOWED = "ALLOWED",
|
|
241
272
|
DENIED = "DENIED",
|
|
242
273
|
SUCCEEDED = "SUCCEEDED",
|
|
243
|
-
FAILED = "FAILED"
|
|
274
|
+
FAILED = "FAILED",
|
|
275
|
+
PENDING = "PENDING"
|
|
244
276
|
}
|
|
245
277
|
export interface AuditEntry {
|
|
246
278
|
entryId: string;
|
|
@@ -3,6 +3,8 @@ export var DispatchStatus;
|
|
|
3
3
|
DispatchStatus["SUCCEEDED"] = "SUCCEEDED";
|
|
4
4
|
DispatchStatus["DENIED"] = "DENIED";
|
|
5
5
|
DispatchStatus["FAILED"] = "FAILED";
|
|
6
|
+
DispatchStatus["PENDING"] = "PENDING";
|
|
7
|
+
DispatchStatus["STALLED"] = "STALLED";
|
|
6
8
|
})(DispatchStatus || (DispatchStatus = {}));
|
|
7
9
|
export var AuditAction;
|
|
8
10
|
(function (AuditAction) {
|
|
@@ -22,6 +24,9 @@ export var AuditAction;
|
|
|
22
24
|
AuditAction["READ_AUDIT"] = "READ_AUDIT";
|
|
23
25
|
AuditAction["ISSUE_SESSION_TOKEN"] = "ISSUE_SESSION_TOKEN";
|
|
24
26
|
AuditAction["REVOKE_SESSION_TOKEN"] = "REVOKE_SESSION_TOKEN";
|
|
27
|
+
AuditAction["APPROVE_DISPATCH"] = "APPROVE_DISPATCH";
|
|
28
|
+
AuditAction["REJECT_DISPATCH"] = "REJECT_DISPATCH";
|
|
29
|
+
AuditAction["STALL_DISPATCH"] = "STALL_DISPATCH";
|
|
25
30
|
})(AuditAction || (AuditAction = {}));
|
|
26
31
|
export var AuditOutcome;
|
|
27
32
|
(function (AuditOutcome) {
|
|
@@ -29,5 +34,6 @@ export var AuditOutcome;
|
|
|
29
34
|
AuditOutcome["DENIED"] = "DENIED";
|
|
30
35
|
AuditOutcome["SUCCEEDED"] = "SUCCEEDED";
|
|
31
36
|
AuditOutcome["FAILED"] = "FAILED";
|
|
37
|
+
AuditOutcome["PENDING"] = "PENDING";
|
|
32
38
|
})(AuditOutcome || (AuditOutcome = {}));
|
|
33
39
|
//# sourceMappingURL=contracts.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"contracts.js","sourceRoot":"","sources":["../../src/vault-core/contracts.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"contracts.js","sourceRoot":"","sources":["../../src/vault-core/contracts.ts"],"names":[],"mappings":"AAiPA,MAAM,CAAN,IAAY,cAMX;AAND,WAAY,cAAc;IACxB,yCAAuB,CAAA;IACvB,mCAAiB,CAAA;IACjB,mCAAiB,CAAA;IACjB,qCAAmB,CAAA;IACnB,qCAAmB,CAAA;AACrB,CAAC,EANW,cAAc,KAAd,cAAc,QAMzB;AAoBD,MAAM,CAAN,IAAY,WAoBX;AApBD,WAAY,WAAW;IACrB,kEAAmD,CAAA;IACnD,4DAA6C,CAAA;IAC7C,0DAA2C,CAAA;IAC3C,sDAAuC,CAAA;IACvC,4CAA6B,CAAA;IAC7B,8DAA+C,CAAA;IAC/C,8CAA+B,CAAA;IAC/B,gDAAiC,CAAA;IACjC,8CAA+B,CAAA;IAC/B,wDAAyC,CAAA;IACzC,kDAAmC,CAAA;IACnC,0CAA2B,CAAA;IAC3B,sDAAuC,CAAA;IACvC,wCAAyB,CAAA;IACzB,0DAA2C,CAAA;IAC3C,4DAA6C,CAAA;IAC7C,oDAAqC,CAAA;IACrC,kDAAmC,CAAA;IACnC,gDAAiC,CAAA;AACnC,CAAC,EApBW,WAAW,KAAX,WAAW,QAoBtB;AAED,MAAM,CAAN,IAAY,YAMX;AAND,WAAY,YAAY;IACtB,mCAAmB,CAAA;IACnB,iCAAiB,CAAA;IACjB,uCAAuB,CAAA;IACvB,iCAAiB,CAAA;IACjB,mCAAmB,CAAA;AACrB,CAAC,EANW,YAAY,KAAZ,YAAY,QAMvB"}
|
|
@@ -26,6 +26,7 @@ export declare class VaultCore {
|
|
|
26
26
|
exportSecret(actor: VaultPrincipal & {
|
|
27
27
|
kind: "owner";
|
|
28
28
|
}, alias: string, request?: Omit<OwnerExportSecretRequest, "actor" | "alias" | "vaultId">): Promise<OwnerSecretExport>;
|
|
29
|
+
private isCapabilityMatch;
|
|
29
30
|
listAgents(actor: VaultPrincipal & {
|
|
30
31
|
kind: "owner";
|
|
31
32
|
}, request?: Omit<OwnerListAgentsRequest, "actor" | "vaultId">): Promise<readonly AgentIdentityRecord[]>;
|
|
@@ -41,5 +42,11 @@ export declare class VaultCore {
|
|
|
41
42
|
};
|
|
42
43
|
token: string;
|
|
43
44
|
}): Promise<void>;
|
|
45
|
+
listPendingDispatches(command: {
|
|
46
|
+
vaultId: VaultId;
|
|
47
|
+
owner: VaultPrincipal;
|
|
48
|
+
}): Promise<readonly import("./contracts.js").PendingDispatchRecord[]>;
|
|
49
|
+
approveDispatch(command: import("./contracts.js").OwnerApproveDispatchCommand): Promise<DispatchResult>;
|
|
50
|
+
rejectDispatch(command: import("./contracts.js").OwnerRejectDispatchCommand): Promise<void>;
|
|
44
51
|
}
|
|
45
52
|
export declare function createVaultCore(deps: VaultCoreDependencies): VaultCore;
|
package/dist/vault-core/core.js
CHANGED
|
@@ -57,8 +57,8 @@ export class VaultCore {
|
|
|
57
57
|
async appendDecisionAudit(request, outcome, detail, options) {
|
|
58
58
|
await this.appendAudit(toAuditEntry(this._deps, request.agent, AuditAction.AUTHORIZE_DISPATCH, outcome, detail, {
|
|
59
59
|
requestId: request.requestId,
|
|
60
|
-
capabilityId: request.capability
|
|
61
|
-
operation: request.capability.
|
|
60
|
+
capabilityId: request.capability?.capabilityId,
|
|
61
|
+
operation: request.capability?.operation ?? AuditAction.AUTHORIZE_DISPATCH,
|
|
62
62
|
targetUrl: request.targetUrl,
|
|
63
63
|
secretAlias: options?.secretAlias ?? request.secretAlias,
|
|
64
64
|
secretId: options?.secretId,
|
|
@@ -299,7 +299,7 @@ export class VaultCore {
|
|
|
299
299
|
try {
|
|
300
300
|
await this._deps.replayGuard.assertNotReplayed(request);
|
|
301
301
|
await this._deps.agentProofVerifier.verify(request);
|
|
302
|
-
|
|
302
|
+
// Removed direct policy.authorizeDispatch here to handle discovery
|
|
303
303
|
}
|
|
304
304
|
catch (error) {
|
|
305
305
|
const detail = error instanceof Error ? error.message : String(error);
|
|
@@ -309,12 +309,46 @@ export class VaultCore {
|
|
|
309
309
|
});
|
|
310
310
|
throw error;
|
|
311
311
|
}
|
|
312
|
+
// DISCOVERY LOGIC: Find best matching capability
|
|
313
|
+
const agentRecord = await this._deps.agentIdentities.get(this._deps.vaultId, request.agent.id);
|
|
314
|
+
if (!agentRecord) {
|
|
315
|
+
return { vaultId: this._deps.vaultId, decision: "deny", reason: "agent not found", secretId: null, executorTarget: null };
|
|
316
|
+
}
|
|
317
|
+
const capabilities = await this._deps.capabilities.list(this._deps.vaultId, request.agent.id);
|
|
318
|
+
const capability = capabilities.find(cap => this.isCapabilityMatch(cap, request));
|
|
312
319
|
const executorTarget = record
|
|
313
320
|
? record.targetBindings.find((binding) => binding.targetUrl === request.targetUrl)
|
|
314
321
|
?? record.targetBindings.find((binding) => binding.targetId === request.targetUrl)
|
|
315
322
|
?? null
|
|
316
323
|
: null;
|
|
317
|
-
if (
|
|
324
|
+
if (!capability) {
|
|
325
|
+
// It's a discovery case if the agent and secret exist but no capability matches
|
|
326
|
+
await this._deps.pendingRequests.save({
|
|
327
|
+
requestId: request.requestId,
|
|
328
|
+
agentId: request.agent.id,
|
|
329
|
+
capabilityId: undefined,
|
|
330
|
+
secretAlias: request.secretAlias ?? "unknown",
|
|
331
|
+
targetUrl: request.targetUrl,
|
|
332
|
+
method: request.method,
|
|
333
|
+
headers: request.headers,
|
|
334
|
+
body: request.body,
|
|
335
|
+
requestedAt: request.requestedAt,
|
|
336
|
+
proof: request.proof,
|
|
337
|
+
});
|
|
338
|
+
await this.appendDecisionAudit(request, AuditOutcome.PENDING, "dispatch stalled for manual discovery approval", {
|
|
339
|
+
secretAlias: record?.alias.value ?? request.secretAlias,
|
|
340
|
+
secretId: record?.secretId.value,
|
|
341
|
+
});
|
|
342
|
+
return {
|
|
343
|
+
vaultId: this._deps.vaultId,
|
|
344
|
+
decision: "pending",
|
|
345
|
+
reason: "no matching capability found (discovery needed)",
|
|
346
|
+
secretId: record?.secretId ?? null,
|
|
347
|
+
executorTarget,
|
|
348
|
+
};
|
|
349
|
+
}
|
|
350
|
+
// Capability found, proceed
|
|
351
|
+
if (!capability.skipAudit) {
|
|
318
352
|
await this.appendDecisionAudit(request, AuditOutcome.ALLOWED, "dispatch authorized", {
|
|
319
353
|
secretAlias: record?.alias.value ?? request.secretAlias,
|
|
320
354
|
secretId: record?.secretId.value,
|
|
@@ -326,13 +360,23 @@ export class VaultCore {
|
|
|
326
360
|
reason: null,
|
|
327
361
|
secretId: record?.secretId ?? null,
|
|
328
362
|
executorTarget,
|
|
363
|
+
capability, // Expose the found capability for subsequent steps
|
|
329
364
|
};
|
|
330
365
|
}
|
|
331
366
|
async dispatchSecret(request) {
|
|
332
367
|
const authorization = await this.authorizeDispatch(request);
|
|
333
|
-
if (authorization.decision
|
|
368
|
+
if (authorization.decision === "deny" || !authorization.secretId) {
|
|
334
369
|
throw new VaultCoreError("dispatch denied", "VAULT_DISPATCH_DENIED");
|
|
335
370
|
}
|
|
371
|
+
if (authorization.decision === "pending") {
|
|
372
|
+
return {
|
|
373
|
+
vaultId: this._deps.vaultId,
|
|
374
|
+
requestId: request.requestId,
|
|
375
|
+
status: DispatchStatus.PENDING,
|
|
376
|
+
targetUrl: request.targetUrl,
|
|
377
|
+
method: request.method,
|
|
378
|
+
};
|
|
379
|
+
}
|
|
336
380
|
const record = await this._deps.secrets.getById(authorization.secretId);
|
|
337
381
|
if (!record) {
|
|
338
382
|
throw new VaultCoreError("secret not found", "VAULT_SECRET_NOT_FOUND");
|
|
@@ -352,8 +396,8 @@ export class VaultCore {
|
|
|
352
396
|
}, { record, plaintext });
|
|
353
397
|
await this.appendAudit(toAuditEntry(this._deps, request.agent, AuditAction.DISPATCH_SECRET, result.status === DispatchStatus.SUCCEEDED ? AuditOutcome.SUCCEEDED : AuditOutcome.FAILED, result.status === DispatchStatus.SUCCEEDED ? "dispatch completed" : (result.error ?? "dispatch failed"), {
|
|
354
398
|
requestId: request.requestId,
|
|
355
|
-
capabilityId:
|
|
356
|
-
operation:
|
|
399
|
+
capabilityId: authorization.capability?.capabilityId,
|
|
400
|
+
operation: authorization.capability?.operation,
|
|
357
401
|
targetUrl: request.targetUrl,
|
|
358
402
|
secretAlias: record.alias.value,
|
|
359
403
|
secretId: record.secretId.value,
|
|
@@ -401,6 +445,28 @@ export class VaultCore {
|
|
|
401
445
|
throw error;
|
|
402
446
|
}
|
|
403
447
|
}
|
|
448
|
+
isCapabilityMatch(capability, request) {
|
|
449
|
+
// Basic Iron Triangle match
|
|
450
|
+
if (request.secretAlias && !capability.secretAliases?.includes(request.secretAlias)) {
|
|
451
|
+
return false;
|
|
452
|
+
}
|
|
453
|
+
if (request.method && capability.allowedMethods?.length > 0 && !capability.allowedMethods.includes(request.method)) {
|
|
454
|
+
return false;
|
|
455
|
+
}
|
|
456
|
+
// Target match (supports glob-like patterns in simple string comparison for now)
|
|
457
|
+
if (capability.allowedTargets?.length > 0) {
|
|
458
|
+
const match = capability.allowedTargets.some(target => {
|
|
459
|
+
if (target.endsWith("*")) {
|
|
460
|
+
const prefix = target.slice(0, -1);
|
|
461
|
+
return request.targetUrl.startsWith(prefix);
|
|
462
|
+
}
|
|
463
|
+
return target === request.targetUrl;
|
|
464
|
+
});
|
|
465
|
+
if (!match)
|
|
466
|
+
return false;
|
|
467
|
+
}
|
|
468
|
+
return true;
|
|
469
|
+
}
|
|
404
470
|
async listAgents(actor, request) {
|
|
405
471
|
const identities = await this._deps.agentIdentities.list(this._deps.vaultId);
|
|
406
472
|
await this.appendAudit(toAuditEntry(this._deps, actor, AuditAction.LIST_AGENTS, AuditOutcome.ALLOWED, "agent identities listed", {
|
|
@@ -448,6 +514,85 @@ export class VaultCore {
|
|
|
448
514
|
await this._deps.sessionTokens.revoke(request.token);
|
|
449
515
|
await this.appendAudit(toAuditEntry(this._deps, request.actor, AuditAction.REVOKE_SESSION_TOKEN, AuditOutcome.SUCCEEDED, "session token revoked"));
|
|
450
516
|
}
|
|
517
|
+
async listPendingDispatches(command) {
|
|
518
|
+
if (command.vaultId.value !== this._deps.vaultId.value) {
|
|
519
|
+
throw new VaultCoreError("read vault mismatch", "VAULT_READ_DENIED");
|
|
520
|
+
}
|
|
521
|
+
return this._deps.pendingRequests.list(command.vaultId);
|
|
522
|
+
}
|
|
523
|
+
async approveDispatch(command) {
|
|
524
|
+
if (command.vaultId.value !== this._deps.vaultId.value) {
|
|
525
|
+
throw new VaultCoreError("write vault mismatch", "VAULT_WRITE_DENIED");
|
|
526
|
+
}
|
|
527
|
+
const pending = await this._deps.pendingRequests.get(command.requestId);
|
|
528
|
+
if (!pending) {
|
|
529
|
+
throw new VaultCoreError("pending request not found", "VAULT_REQUEST_NOT_FOUND");
|
|
530
|
+
}
|
|
531
|
+
const agentRecord = await this._deps.agentIdentities.get(this._deps.vaultId, pending.agentId);
|
|
532
|
+
if (!agentRecord) {
|
|
533
|
+
throw new VaultCoreError("agent identity not found", "VAULT_AGENT_NOT_FOUND");
|
|
534
|
+
}
|
|
535
|
+
let capability;
|
|
536
|
+
if (pending.capabilityId) {
|
|
537
|
+
const existing = await this._deps.capabilities.get(this._deps.vaultId, pending.agentId, pending.capabilityId);
|
|
538
|
+
if (!existing) {
|
|
539
|
+
throw new VaultCoreError("capability not found", "VAULT_CAPABILITY_NOT_FOUND");
|
|
540
|
+
}
|
|
541
|
+
capability = existing;
|
|
542
|
+
}
|
|
543
|
+
else {
|
|
544
|
+
// Discovery case: derive from request
|
|
545
|
+
const capabilityId = `cap-${this._deps.clock.nowIso()}-${Math.random().toString(36).slice(2, 7)}`;
|
|
546
|
+
capability = {
|
|
547
|
+
vaultId: this._deps.vaultId,
|
|
548
|
+
agentId: pending.agentId,
|
|
549
|
+
capabilityId,
|
|
550
|
+
secretAliases: [pending.secretAlias],
|
|
551
|
+
allowedMethods: [pending.method],
|
|
552
|
+
allowedTargets: [pending.targetUrl],
|
|
553
|
+
allowedPaths: [],
|
|
554
|
+
operation: "dispatch_http",
|
|
555
|
+
issuedAt: this._deps.clock.nowIso(),
|
|
556
|
+
skipAudit: command.skipAudit ?? false,
|
|
557
|
+
};
|
|
558
|
+
if (command.permanent) {
|
|
559
|
+
await this._deps.capabilities.register(capability);
|
|
560
|
+
}
|
|
561
|
+
}
|
|
562
|
+
const result = await this.dispatchSecret({
|
|
563
|
+
vaultId: this._deps.vaultId,
|
|
564
|
+
agent: { kind: "agent", id: pending.agentId },
|
|
565
|
+
capability: capability,
|
|
566
|
+
secretAlias: pending.secretAlias === "unknown" ? undefined : pending.secretAlias,
|
|
567
|
+
targetUrl: pending.targetUrl,
|
|
568
|
+
method: pending.method,
|
|
569
|
+
headers: pending.headers,
|
|
570
|
+
body: pending.body,
|
|
571
|
+
proof: pending.proof,
|
|
572
|
+
requestId: pending.requestId,
|
|
573
|
+
requestedAt: pending.requestedAt,
|
|
574
|
+
});
|
|
575
|
+
await this._deps.pendingRequests.delete(command.requestId);
|
|
576
|
+
await this.appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.APPROVE_DISPATCH, AuditOutcome.SUCCEEDED, `approved dispatch ${command.requestId}${command.permanent ? " and granted permanent capability" : ""}`, {
|
|
577
|
+
requestId: command.requestId,
|
|
578
|
+
agentId: pending.agentId,
|
|
579
|
+
capabilityId: capability.capabilityId,
|
|
580
|
+
}));
|
|
581
|
+
return result;
|
|
582
|
+
}
|
|
583
|
+
async rejectDispatch(command) {
|
|
584
|
+
if (command.vaultId.value !== this._deps.vaultId.value) {
|
|
585
|
+
throw new VaultCoreError("write vault mismatch", "VAULT_WRITE_DENIED");
|
|
586
|
+
}
|
|
587
|
+
const pending = await this._deps.pendingRequests.get(command.requestId);
|
|
588
|
+
if (!pending) {
|
|
589
|
+
throw new VaultCoreError("pending request not found", "VAULT_REQUEST_NOT_FOUND");
|
|
590
|
+
}
|
|
591
|
+
await this._deps.pendingRequests.delete(command.requestId);
|
|
592
|
+
await this.appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.REJECT_DISPATCH, AuditOutcome.SUCCEEDED, `rejected dispatch ${command.requestId}`, {
|
|
593
|
+
requestId: command.requestId,
|
|
594
|
+
}));
|
|
595
|
+
}
|
|
451
596
|
}
|
|
452
597
|
export function createVaultCore(deps) {
|
|
453
598
|
return new VaultCore(deps);
|