@the-ai-company/cbio-node-runtime 1.48.5 → 1.49.0

package/README.md

@@ -68,27 +68,23 @@ import { createVaultClient } from '@the-ai-company/cbio-node-runtime';
 const client = createVaultClient({ vault: vault.vault });
 
 // Generate and register a new agent in one step
-const [agentRecord, agentPrivateKey] = await client.createAgent({
+const createdAgent = await client.ownerCreateAgent({
   agentId: 'worker-1',
   nickname: 'Background Worker'
 });
 
-console.log(`Agent public key: ${agentRecord.publicKey}`);
-// Private key is returned during creation and stored securely in the vault.
-
-// 4. Issue a Session Token (Optional but Recommended)
-// Avoid passing the raw private key to agent processes (v1.48+).
-const session = await client.issueSessionToken({ agentId: 'worker-1' });
+console.log(`Agent public key: ${createdAgent.agent.publicKey}`);
+const session = createdAgent.sessionToken;
 
 // RECOMENDED (v1.48.4+): Batch issue tokens for all agents at once
-const tokens = await client.issueAllSessionTokens();
+const tokens = await client.ownerIssueAllSessionTokens();
 ```
 
 ### 5. Secret Management (Owner)
 
 ```ts
 // Write a secret and bind it to a target site
-const record = await client.writeSecret({
+const record = await client.ownerWriteSecret({
   alias: 'api-token',
   plaintext: 'super-secret-value',
   targetBindings: [{
@@ -100,10 +96,11 @@ const record = await client.writeSecret({
 });
 
 // 4. Grant agent capabilities
-await client.grantCapability({
+await client.ownerGrantCapability({
   agentId: 'worker-1',
   secretAliases: ['api-token'],
-  allowedTargets: ['https://api.example.com/*']
+  scope: 'https://api.example.com/*',
+  methods: ['POST']
 });
 
 // 5. Setup client with automatic warmup (v1.48.4+)
@@ -117,7 +114,7 @@ const client = createVaultClient({
 
 ### 6. Consuming Secrets (Agent)
 
-Agents run in isolated processes and communicate with the vault via a transport. They can use either a **Session Token** (recommended) or a **Signature** (raw private key).
+Agents run in isolated processes and communicate with the vault via a transport. Agent execution now requires a **Session Token** issued by the owner.
 
 #### Using a Session Token (Stateless/Token-based)
 ```ts
@@ -126,25 +123,43 @@ import { createAgentClient } from '@the-ai-company/cbio-node-runtime';
 const agent = createAgentClient({
   agentIdentity: { agentId: 'worker-1' },
   capability: myCapability, 
-  token: session.token,     // Issued by the owner
+  token: session.token,
   vault: vault.vault
 });
 
-const result = await agent.dispatch({ ... });
+const result = await agent.agentDispatch({ ... });
 ```
 
-#### Using a Signature (Stateful/Key-based)
+The agent process does not execute directly with its raw private key. If it has an identity key, it still needs to exchange that trust for a session token before dispatching.
+
+### 7. Proactive Capability Requests
+
+If an LLM or orchestration layer already knows it needs a broader scope, it can ask for that scope up front instead of triggering one pending dispatch per concrete URL.
+
 ```ts
-import { createAgentClient, LocalSigner } from '@the-ai-company/cbio-node-runtime';
+const request = await client.ownerSubmitCapabilityRequest({
+  requester: { kind: 'trusted_executor', id: 'llm-planner' },
+  agentId: 'worker-1',
+  secretAliases: ['api-token'],
+  scope: 'https://api.example.com/users/*',
+  methods: ['GET'],
+  justification: 'Need collection-level user read access'
+});
 
-const agent = createAgentClient({
-  agentIdentity: { agentId: 'worker-1' },
-  capability: myCapability,
-  signer: new LocalSigner({ privateKey: agentPrivateKey }),
-  vault: vault.vault
+const pendingRequests = await client.ownerListPendingCapabilityRequests();
+
+const capability = await client.ownerApproveCapabilityRequest({
+  requestId: pendingRequests[0].requestId,
+  capabilityId: 'cap-users-read'
 });
 ```
 
+This flow is separate from dispatch discovery:
+- `ownerSubmitCapabilityRequest(...)` creates a pending capability request for owner review.
+- `ownerOnPendingCapabilityRequest(...)` pushes new requests to the owner UI or controller.
+- `ownerApproveCapabilityRequest(...)` turns the request into a real stored capability.
+- `ownerRejectCapabilityRequest(...)` drops the request without granting access.
+
 ---
 
 ## Documentation
@@ -165,21 +180,21 @@ The system uses a **Discovery-first** model. If an agent attempts an action not
 
 ```ts
 // In Agent process
-const result = await agent.dispatch({ ... });
+const result = await agent.agentDispatch({ ... });
 if (result.status === 'PENDING') {
   console.log("Discovery needed: Waiting for owner approval...");
 }
 
 // OR: Use the Observer for real-time push (v1.48.4+)
-ownerClient.onPendingRequest((req) => {
+ownerClient.ownerOnPendingDispatch((req) => {
   console.log("New discovery request:", req.requestId);
 });
 
 // In Owner process (GUI or Script)
-const pending = await client.listPendingDispatches();
+const pending = await client.ownerListPendingDispatches();
 if (pending.length > 0) {
   // Inspect and approve the request, optionally making it permanent
-  await client.approveDispatch({ 
+  await client.ownerApproveDispatch({ 
     requestId: pending[0].requestId, 
     permanent: true 
   });

package/dist/clients/agent/client.d.ts

@@ -1,7 +1,7 @@
 import type { CreatedIdentity } from "../../runtime/identity.js";
 import { type Clock } from "../../vault-core/index.js";
 import type { VaultService } from "../../vault-ingress/index.js";
-import type { AgentCapabilityEnvelope, AgentDispatchIntent, AgentDispatchTransport, AgentSigner } from "./contracts.js";
+import type { AgentCapabilityEnvelope, AgentDispatchIntent, AgentDispatchTransport, AgentSubmitCapabilityRequestInput, AgentVisibleSecretRecord } from "./contracts.js";
 export interface AgentIdentity {
     agentId: string;
 }
@@ -11,14 +11,14 @@ export interface AgentIdentity {
  */
 export interface AgentClient {
     /**
-     * Dispatches a signed request to a target using a vault secret.
+     * Dispatches a session-token-authenticated request to a target using a vault secret.
      *
      * @param intent - The destination, method, and secret alias to use.
      * @returns The result of the remote operation.
      *
      * @example
      * ```ts
-     * const result = await agent.dispatch({
+     * const result = await agent.agentDispatch({
      *   targetUrl: 'https://api.example.com/data',
      *   method: 'POST',
      *   secretAlias: 'api-token',
@@ -26,15 +26,17 @@ export interface AgentClient {
      * });
      * ```
      */
-    dispatch(intent: AgentDispatchIntent): Promise<import("../../vault-core/index.js").DispatchResult>;
+    agentDispatch(intent: AgentDispatchIntent): Promise<import("../../vault-core/index.js").DispatchResult>;
+    agentListCapabilities(): Promise<readonly import("../../vault-core/index.js").AgentCapability[]>;
+    agentListSecrets(): Promise<readonly AgentVisibleSecretRecord[]>;
+    agentSubmitCapabilityRequest(input: AgentSubmitCapabilityRequestInput): Promise<import("../../vault-core/index.js").PendingCapabilityRequestRecord>;
 }
 export interface CreateAgentClientOptions {
     agentIdentity: CreatedIdentity | AgentIdentity;
     capability: AgentCapabilityEnvelope;
     vault?: VaultService;
     transport?: AgentDispatchTransport;
-    signer?: AgentSigner;
-    token?: string;
+    token: string;
     clock?: Clock;
 }
 /**

package/dist/clients/agent/client.js

@@ -1,48 +1,22 @@
-import { LocalSigner } from "../../protocol/crypto.js";
 import { SystemClock } from "../../vault-core/index.js";
 import { LocalVaultTransport } from "../../vault-ingress/defaults.js";
-function createDispatchBinding(requestId, requestedAt, agentId, capabilityId, secretAlias, targetUrl, method, body) {
-    return JSON.stringify({
-        requestId,
-        requestedAt,
-        agentId,
-        capabilityId,
-        secretAlias: secretAlias ?? null,
-        targetUrl,
-        method,
-        body: body ?? null,
-    });
-}
 class DefaultAgentClient {
     _identity;
     _capability;
-    _signer;
     _transport;
     _clock;
     _token;
-    constructor(_identity, _capability, _signer, _transport, _clock, _token) {
+    constructor(_identity, _capability, _transport, _clock, _token) {
         this._identity = _identity;
         this._capability = _capability;
-        this._signer = _signer;
         this._transport = _transport;
         this._clock = _clock;
         this._token = _token;
     }
-    async dispatch(intent) {
+    async agentDispatch(intent) {
         const requestedAt = intent.requestedAt ?? this._clock.nowIso();
         const requestId = `${this._identity.agentId}:${requestedAt}:${intent.secretAlias ?? "no-secret"}:${intent.method}`;
-        let signature;
-        if (this._token) {
-            // Use token-based authentication
-        }
-        else {
-            // Use signature-based authentication
-            if (!this._signer) {
-                throw new Error("AgentClient: signer required for signature-based authentication when no token is provided");
-            }
-            signature = await this._signer.sign(createDispatchBinding(requestId, requestedAt, this._identity.agentId, this._capability.capabilityId, intent.secretAlias, intent.targetUrl, intent.method, intent.body));
-        }
-        return this._transport.dispatch({
+        return this._transport.agentDispatch({
             vaultId: this._capability.vaultId,
             requestId,
             requestedAt,
@@ -57,9 +31,8 @@ class DefaultAgentClient {
                 secretIds: this._capability.secretIds,
                 secretAliases: this._capability.secretAliases,
                 operation: this._capability.operation,
-                allowedTargets: this._capability.allowedTargets,
-                allowedMethods: this._capability.allowedMethods,
-                allowedPaths: this._capability.allowedPaths,
+                scope: this._capability.scope,
+                methods: this._capability.methods,
                 issuedAt: this._capability.issuedAt,
                 expiresAt: this._capability.expiresAt,
                 revocationVersion: this._capability.revocationVersion,
@@ -68,7 +41,6 @@ class DefaultAgentClient {
             },
             proof: {
                 agentId: this._identity.agentId,
-                signature,
                 token: this._token,
                 requestId,
                 requestedAt,
@@ -80,30 +52,76 @@ class DefaultAgentClient {
             body: intent.body,
         });
     }
-}
-function isCreateAgentClientOptions(value) {
-    return typeof value === "object" && value !== null && "agentIdentity" in value && "capability" in value;
-}
-function isCreatedIdentity(value) {
-    return "privateKey" in value && "publicKey" in value;
-}
-function resolveAgentSigner(options) {
-    if (options.signer) {
-        return options.signer;
+    async _createProof(requestId, requestedAt, _action, _payload = {}) {
+        return {
+            agentId: this._identity.agentId,
+            token: this._token,
+            requestId,
+            requestedAt,
+        };
     }
-    if (isCreatedIdentity(options.agentIdentity)) {
-        return new LocalSigner(options.agentIdentity);
+    async agentListCapabilities() {
+        const requestedAt = this._clock.nowIso();
+        const requestId = `${this._identity.agentId}:${requestedAt}:list_capabilities`;
+        return this._transport.agentListCapabilities({
+            vaultId: this._capability.vaultId,
+            requestId,
+            requestedAt,
+            agent: { kind: "agent", id: this._identity.agentId },
+            proof: await this._createProof(requestId, requestedAt, "list_capabilities"),
+        });
     }
-    if (options.token) {
-        return undefined; // No signer needed if token is present
+    async agentListSecrets() {
+        const requestedAt = this._clock.nowIso();
+        const requestId = `${this._identity.agentId}:${requestedAt}:list_secrets`;
+        return this._transport.agentListSecrets({
+            vaultId: this._capability.vaultId,
+            requestId,
+            requestedAt,
+            agent: { kind: "agent", id: this._identity.agentId },
+            proof: await this._createProof(requestId, requestedAt, "list_secrets"),
+        });
     }
-    throw new Error("createAgentClient() requires signer or private key when no session token is provided");
+    async agentSubmitCapabilityRequest(input) {
+        const requestedAt = input.requestedAt ?? this._clock.nowIso();
+        const requestId = `${this._identity.agentId}:${requestedAt}:submit_capability_request`;
+        const payload = {
+            scope: input.scope,
+            methods: input.methods,
+            operation: input.operation ?? "dispatch_http",
+            secretAliases: input.secretAliases ?? [],
+            justification: input.justification ?? null,
+        };
+        return this._transport.agentSubmitCapabilityRequest({
+            vaultId: this._capability.vaultId,
+            requestId,
+            requestedAt,
+            agent: { kind: "agent", id: this._identity.agentId },
+            proof: await this._createProof(requestId, requestedAt, "submit_capability_request", payload),
+            scope: {
+                operation: input.operation ?? "dispatch_http",
+                secretAliases: input.secretAliases ?? [],
+                scope: input.scope,
+                methods: [...input.methods],
+            },
+            justification: input.justification,
+        });
+    }
+}
+function isCreateAgentClientOptions(value) {
+    return typeof value === "object" && value !== null && "agentIdentity" in value && "capability" in value;
 }
 function resolveAgentIdentity(options) {
     return "agentId" in options.agentIdentity
         ? options.agentIdentity
         : { agentId: options.agentIdentity.identityId };
 }
+function resolveAgentToken(options) {
+    if (!options.token) {
+        throw new Error("createAgentClient() requires a session token; raw private-key execution is not supported");
+    }
+    return options.token;
+}
 function resolveAgentTransport(options) {
     if (options.transport) {
         return options.transport;
@@ -132,6 +150,6 @@ export function createAgentClient(options) {
     if (!isCreateAgentClientOptions(options)) {
         throw new Error("createAgentClient() requires a single options object");
     }
-    return new DefaultAgentClient(resolveAgentIdentity(options), options.capability, resolveAgentSigner(options), resolveAgentTransport(options), options.clock ?? new SystemClock(), options.token);
+    return new DefaultAgentClient(resolveAgentIdentity(options), options.capability, resolveAgentTransport(options), options.clock ?? new SystemClock(), resolveAgentToken(options));
 }
 //# sourceMappingURL=client.js.map

package/dist/clients/agent/client.js.map

@@ -1 +1 @@
-{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/clients/agent/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AAEvD,OAAO,EAAE,WAAW,EAAc,MAAM,2BAA2B,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,iCAAiC,CAAC;AA+CtE,SAAS,qBAAqB,CAC5B,SAAiB,EACjB,WAAmB,EACnB,OAAe,EACf,YAAoB,EACpB,WAA+B,EAC/B,SAAiB,EACjB,MAAc,EACd,IAAa;IAEb,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,SAAS;QACT,WAAW;QACX,OAAO;QACP,YAAY;QACZ,WAAW,EAAE,WAAW,IAAI,IAAI;QAChC,SAAS;QACT,MAAM;QACN,IAAI,EAAE,IAAI,IAAI,IAAI;KACnB,CAAC,CAAC;AACL,CAAC;AAED,MAAM,kBAAkB;IAEH;IACA;IACA;IACA;IACA;IACA;IANnB,YACmB,SAAwB,EACxB,WAAoC,EACpC,OAAgC,EAChC,UAAkC,EAClC,MAAa,EACb,MAAe;QALf,cAAS,GAAT,SAAS,CAAe;QACxB,gBAAW,GAAX,WAAW,CAAyB;QACpC,YAAO,GAAP,OAAO,CAAyB;QAChC,eAAU,GAAV,UAAU,CAAwB;QAClC,WAAM,GAAN,MAAM,CAAO;QACb,WAAM,GAAN,MAAM,CAAS;IAC/B,CAAC;IAEJ,KAAK,CAAC,QAAQ,CAAC,MAA2B;QACxC,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC/D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,IAAI,MAAM,CAAC,WAAW,IAAI,WAAW,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAEnH,IAAI,SAA6B,CAAC;QAClC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAChB,iCAAiC;QACnC,CAAC;aAAM,CAAC;YACN,qCAAqC;YACrC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;gBAClB,MAAM,IAAI,KAAK,CAAC,2FAA2F,CAAC,CAAC;YAC/G,CAAC;YACD,SAAS,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,IAAI,CACjC,qBAAqB,CACnB,SAAS,EACT,WAAW,EACX,IAAI,CAAC,SAAS,CAAC,OAAO,EACtB,IAAI,CAAC,WAAW,CAAC,YAAY,EAC7B,MAAM,CAAC,WAAW,EAClB,MAAM,CAAC,SAAS,EAChB,MAAM,CAAC,MAAM,EACb,MAAM,CAAC,IAAI,CACZ,CACF,CAAC;QACJ,CAAC;QAED,OAAO,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC;YAC9B,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;YACjC,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,UAAU,EAAE;gBACV,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;gBACjC,YAAY,EAAE,IAAI,CAAC,WAAW,CAAC,YAAY;gBAC3C,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;gBACjC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,aAAa,EAAE,IAAI,CAAC,WAAW,CAAC,aAAa;gBAC7C,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,cAAc,EAAE,IAAI,CAAC,WAAW,CAAC,cAAc;gBAC/C,cAAc,EAAE,IAAI,CAAC,WAAW,CAAC,cAAc;gBAC/C,YAAY,EAAE,IAAI,CAAC,WAAW,CAAC,YAAY;gBAC3C,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;gBACnC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,iBAAiB,EAAE,IAAI,CAAC,WAAW,CAAC,iBAAiB;gBACrD,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;aACtC;YACD,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,SAAS;gBACT,KAAK,EAAE,IAAI,CAAC,MAAM;gBAClB,SAAS;gBACT,WAAW;aACZ;YACD,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,IAAI,EAAE,MAAM,CAAC,IAAI;SAClB,CAAC,CAAC;IACL,CAAC;CACF;AAED,SAAS,0BAA0B,CAAC,KAAc;IAChD,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,eAAe,IAAI,KAAK,IAAI,YAAY,IAAI,KAAK,CAAC;AAC1G,CAAC;AAED,SAAS,iBAAiB,CAAC,KAAsC;IAC/D,OAAO,YAAY,IAAI,KAAK,IAAI,WAAW,IAAI,KAAK,CAAC;AACvD,CAAC;AAED,SAAS,kBAAkB,CAAC,OAAiC;IAC3D,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACnB,OAAO,OAAO,CAAC,MAAM,CAAC;IACxB,CAAC;IACD,IAAI,iBAAiB,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;QAC7C,OAAO,IAAI,WAAW,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IAChD,CAAC;IACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,OAAO,SAAS,CAAC,CAAC,uCAAuC;IAC3D,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,sFAAsF,CAAC,CAAC;AAC1G,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAiC;IAC7D,OAAO,SAAS,IAAI,OAAO,CAAC,aAAa;QACvC,CAAC,CAAC,OAAO,CAAC,aAAa;QACvB,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC;AACpD,CAAC;AAED,SAAS,qBAAqB,CAC5B,OAAiC;IAEjC,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QACtB,OAAO,OAAO,CAAC,SAAS,CAAC;IAC3B,CAAC;IACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,OAAO,IAAI,mBAAmB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAChD,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAiC;IACjE,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IACD,OAAO,IAAI,kBAAkB,CAC3B,oBAAoB,CAAC,OAAO,CAAC,EAC7B,OAAO,CAAC,UAAU,EAClB,kBAAkB,CAAC,OAAO,CAAC,EAC3B,qBAAqB,CAAC,OAAO,CAAC,EAC9B,OAAO,CAAC,KAAK,IAAI,IAAI,WAAW,EAAE,EAClC,OAAO,CAAC,KAAK,CACd,CAAC;AACJ,CAAC"}
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/clients/agent/client.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,WAAW,EAAc,MAAM,2BAA2B,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,iCAAiC,CAAC;AAkDtE,MAAM,kBAAkB;IAEH;IACA;IACA;IACA;IACA;IALnB,YACmB,SAAwB,EACxB,WAAoC,EACpC,UAAkC,EAClC,MAAa,EACb,MAAc;QAJd,cAAS,GAAT,SAAS,CAAe;QACxB,gBAAW,GAAX,WAAW,CAAyB;QACpC,eAAU,GAAV,UAAU,CAAwB;QAClC,WAAM,GAAN,MAAM,CAAO;QACb,WAAM,GAAN,MAAM,CAAQ;IAC9B,CAAC;IAEJ,KAAK,CAAC,aAAa,CAAC,MAA2B;QAC7C,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC/D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,IAAI,MAAM,CAAC,WAAW,IAAI,WAAW,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;QAEnH,OAAO,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC;YACnC,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;YACjC,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,UAAU,EAAE;gBACV,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;gBACjC,YAAY,EAAE,IAAI,CAAC,WAAW,CAAC,YAAY;gBAC3C,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;gBACjC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,aAAa,EAAE,IAAI,CAAC,WAAW,CAAC,aAAa;gBAC7C,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,KAAK,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK;gBAC7B,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;gBACjC,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;gBACnC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,iBAAiB,EAAE,IAAI,CAAC,WAAW,CAAC,iBAAiB;gBACrD,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;aACtC;YACD,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,KAAK,EAAE,IAAI,CAAC,MAAM;gBAClB,SAAS;gBACT,WAAW;aACZ;YACD,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,IAAI,EAAE,MAAM,CAAC,IAAI;SAClB,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,YAAY,CACxB,SAAiB,EACjB,WAAmB,EACnB,OAAe,EACf,WAAoC,EAAE;QAEtC,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;YAC/B,KAAK,EAAE,IAAI,CAAC,MAAM;YAClB,SAAS;YACT,WAAW;SACZ,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,qBAAqB;QACzB,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,oBAAoB,CAAC;QAC/E,OAAO,IAAI,CAAC,UAAU,CAAC,qBAAqB,CAAC;YAC3C,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;YACjC,SAAS;YACT,WAAW;YACX,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE;YACpD,KAAK,EAAE,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,WAAW,EAAE,mBAAmB,CAAC;SAC5E,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,gBAAgB;QACpB,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,eAAe,CAAC;QAC1E,OAAO,IAAI,CAAC,UAAU,CAAC,gBAAgB,CAAC;YACtC,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;YACjC,SAAS;YACT,WAAW;YACX,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE;YACpD,KAAK,EAAE,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,WAAW,EAAE,cAAc,CAAC;SACvE,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,4BAA4B,CAAC,KAAwC;QACzE,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,IAAI,WAAW,4BAA4B,CAAC;QACvF,MAAM,OAAO,GAAG;YACd,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,OAAO,EAAE,KAAK,CAAC,OAAO;YACtB,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,eAAe;YAC7C,aAAa,EAAE,KAAK,CAAC,aAAa,IAAI,EAAE;YACxC,aAAa,EAAE,KAAK,CAAC,aAAa,IAAI,IAAI;SAC3C,CAAC;QACF,OAAO,IAAI,CAAC,UAAU,CAAC,4BAA4B,CAAC;YAClD,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;YACjC,SAAS;YACT,WAAW;YACX,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE;YACpD,KAAK,EAAE,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,WAAW,EAAE,2BAA2B,EAAE,OAAO,CAAC;YAC5F,KAAK,EAAE;gBACL,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,eAAe;gBAC7C,aAAa,EAAE,KAAK,CAAC,aAAa,IAAI,EAAE;gBACxC,KAAK,EAAE,KAAK,CAAC,KAAK;gBAClB,OAAO,EAAE,CAAC,GAAG,KAAK,CAAC,OAAO,CAAC;aAC5B;YACD,aAAa,EAAE,KAAK,CAAC,aAAa;SACnC,CAAC,CAAC;IACL,CAAC;CACF;AAED,SAAS,0BAA0B,CAAC,KAAc;IAChD,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,eAAe,IAAI,KAAK,IAAI,YAAY,IAAI,KAAK,CAAC;AAC1G,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAiC;IAC7D,OAAO,SAAS,IAAI,OAAO,CAAC,aAAa;QACvC,CAAC,CAAC,OAAO,CAAC,aAAa;QACvB,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC;AACpD,CAAC;AAED,SAAS,iBAAiB,CAAC,OAAiC;IAC1D,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,0FAA0F,CAAC,CAAC;IAC9G,CAAC;IACD,OAAO,OAAO,CAAC,KAAK,CAAC;AACvB,CAAC;AAED,SAAS,qBAAqB,CAC5B,OAAiC;IAEjC,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QACtB,OAAO,OAAO,CAAC,SAAS,CAAC;IAC3B,CAAC;IACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,OAAO,IAAI,mBAAmB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAChD,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAiC;IACjE,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IACD,OAAO,IAAI,kBAAkB,CAC3B,oBAAoB,CAAC,OAAO,CAAC,EAC7B,OAAO,CAAC,UAAU,EAClB,qBAAqB,CAAC,OAAO,CAAC,EAC9B,OAAO,CAAC,KAAK,IAAI,IAAI,WAAW,EAAE,EAClC,iBAAiB,CAAC,OAAO,CAAC,CAC3B,CAAC;AACJ,CAAC"}

package/dist/clients/agent/contracts.d.ts

@@ -6,10 +6,22 @@ export interface AgentDispatchIntent {
     body?: string;
     requestedAt?: string;
 }
+export interface AgentSubmitCapabilityRequestInput {
+    operation?: "dispatch_http" | "custom_http";
+    secretAliases?: readonly string[];
+    scope: string;
+    methods: readonly string[];
+    justification?: string;
+    requestedAt?: string;
+}
 export type AgentCapabilityEnvelope = import("../../vault-core/index.js").AgentCapability;
+export type AgentVisibleSecretRecord = import("../../vault-core/index.js").AgentVisibleSecretRecord;
 export interface AgentSigner {
     sign(input: string): Promise<string>;
 }
 export interface AgentDispatchTransport {
-    dispatch(request: import("../../vault-core/index.js").DispatchRequest): Promise<import("../../vault-core/index.js").DispatchResult>;
+    agentDispatch(request: import("../../vault-core/index.js").DispatchRequest): Promise<import("../../vault-core/index.js").DispatchResult>;
+    agentListCapabilities(request: import("../../vault-core/index.js").AgentListCapabilitiesRequest): Promise<readonly import("../../vault-core/index.js").AgentCapability[]>;
+    agentListSecrets(request: import("../../vault-core/index.js").AgentListSecretsRequest): Promise<readonly AgentVisibleSecretRecord[]>;
+    agentSubmitCapabilityRequest(request: import("../../vault-core/index.js").AgentSubmitCapabilityRequestCommand): Promise<import("../../vault-core/index.js").PendingCapabilityRequestRecord>;
 }

package/dist/clients/agent/index.d.ts

@@ -1,3 +1,3 @@
 export { createAgentClient } from "./client.js";
 export type { AgentClient, CreateAgentClientOptions, AgentIdentity, } from "./client.js";
-export type { AgentCapabilityEnvelope, AgentDispatchIntent, AgentDispatchTransport, AgentSigner, } from "./contracts.js";
+export type { AgentCapabilityEnvelope, AgentDispatchIntent, AgentDispatchTransport, AgentSigner, AgentSubmitCapabilityRequestInput, AgentVisibleSecretRecord, } from "./contracts.js";

package/dist/clients/owner/client.d.ts

@@ -1,7 +1,7 @@
 import { type CreatedIdentity } from "../../runtime/identity.js";
 import { type Clock } from "../../vault-core/index.js";
 import type { VaultService } from "../../vault-ingress/index.js";
-import type { VaultAuditQueryInput, OwnerDefineSecretTargetsInput, VaultExportSecretInput, VaultGrantCapabilityInput, VaultRegisterFlowInput, VaultRegisterAgentInput, VaultCreateAgentInput, OwnerStoreSecretInput, OwnerWriteSecretInput, VaultDeleteSecretInput, VaultListAgentsInput, VaultListCapabilitiesInput, VaultRevokeCapabilityInput } from "./contracts.js";
+import type { VaultAuditQueryInput, OwnerDefineSecretTargetsInput, VaultExportSecretInput, VaultGrantCapabilityInput, VaultRegisterFlowInput, VaultImportAgentInput, VaultCreateAgentInput, OwnerAgentProvisionResult, OwnerStoreSecretInput, OwnerWriteSecretInput, VaultDeleteSecretInput, VaultListAgentsInput, VaultListCapabilitiesInput, VaultListSecretsInput, VaultRevokeCapabilityInput, VaultSubmitCapabilityRequestInput, VaultApproveCapabilityRequestInput } from "./contracts.js";
 export interface VaultIdentity {
     identityId: string;
 }
@@ -16,53 +16,59 @@ export interface VaultClient {
     /**
      * Securely stores a new secret in the vault.
      */
-    storeSecret(input: OwnerStoreSecretInput): Promise<import("../../vault-core/index.js").SecretRecord>;
+    ownerStoreSecret(input: OwnerStoreSecretInput): Promise<import("../../vault-core/index.js").SecretRecord>;
     /**
      * Refines the allowed targets for an existing secret.
      */
-    defineSecretTargets(input: OwnerDefineSecretTargetsInput): Promise<import("../../vault-core/index.js").SecretRecord>;
+    ownerDefineSecretTargets(input: OwnerDefineSecretTargetsInput): Promise<import("../../vault-core/index.js").SecretRecord>;
     /**
      * Atomic operation to store a secret and define its targets in one step.
      */
-    writeSecret(input: OwnerWriteSecretInput): Promise<import("../../vault-core/index.js").SecretRecord>;
+    ownerWriteSecret(input: OwnerWriteSecretInput): Promise<import("../../vault-core/index.js").SecretRecord>;
     /**
      * Exports a secret's plaintext.
      */
-    exportSecret(input: VaultExportSecretInput): Promise<import("../../vault-core/index.js").OwnerSecretExport>;
+    ownerExportSecret(input: VaultExportSecretInput): Promise<import("../../vault-core/index.js").OwnerSecretExport>;
     /**
      * Grants a specific capability to an agent.
      */
-    grantCapability(input: VaultGrantCapabilityInput): Promise<void>;
+    ownerGrantCapability(input: VaultGrantCapabilityInput): Promise<void>;
     /**
      * Reads the tamper-evident audit log for the vault.
      */
-    readAudit(query?: VaultAuditQueryInput): Promise<readonly import("../../vault-core/index.js").AuditEntry[]>;
-    registerAgent(input: VaultRegisterAgentInput): Promise<void>;
+    ownerReadAudit(query?: VaultAuditQueryInput): Promise<readonly import("../../vault-core/index.js").AuditEntry[]>;
+    ownerImportAgent(input: VaultImportAgentInput): Promise<OwnerAgentProvisionResult>;
     /**
      * Generates a new identity and registers it as an agent in one step.
      * The private key is stored in the vault for managed custody.
      */
-    createAgent(input: VaultCreateAgentInput): Promise<readonly [import("../../vault-core/index.js").AgentIdentityRecord, string]>;
+    ownerCreateAgent(input: VaultCreateAgentInput): Promise<OwnerAgentProvisionResult>;
     /**
      * Registers a custom HTTP flow for complex secret usage.
      */
-    registerFlow(input: VaultRegisterFlowInput): Promise<void>;
+    ownerRegisterFlow(input: VaultRegisterFlowInput): Promise<void>;
     /**
      * Permanently deletes a secret from the vault.
      */
-    deleteSecret(input: VaultDeleteSecretInput): Promise<void>;
+    ownerDeleteSecret(input: VaultDeleteSecretInput): Promise<void>;
     /**
      * Lists all agents registered in the vault.
      */
-    listAgents(input?: VaultListAgentsInput): Promise<readonly import("../../vault-core/index.js").AgentIdentityRecord[]>;
+    ownerListAgents(input?: VaultListAgentsInput): Promise<readonly import("../../vault-core/index.js").AgentIdentityRecord[]>;
     /**
      * Lists all active capabilities granted to agents.
      */
-    listCapabilities(input?: VaultListCapabilitiesInput): Promise<readonly import("../../vault-core/index.js").AgentCapability[]>;
+    ownerListCapabilities(input?: VaultListCapabilitiesInput): Promise<readonly import("../../vault-core/index.js").AgentCapability[]>;
+    ownerListSecrets(input?: VaultListSecretsInput): Promise<readonly import("../../vault-core/index.js").AgentVisibleSecretRecord[]>;
     /**
      * Revokes a previously granted capability.
      */
-    revokeCapability(input: VaultRevokeCapabilityInput): Promise<void>;
+    ownerRevokeCapability(input: VaultRevokeCapabilityInput): Promise<void>;
+    ownerSubmitCapabilityRequest(input: VaultSubmitCapabilityRequestInput): Promise<import("../../vault-core/index.js").PendingCapabilityRequestRecord>;
+    ownerListPendingCapabilityRequests(): Promise<readonly import("../../vault-core/index.js").PendingCapabilityRequestRecord[]>;
+    ownerApproveCapabilityRequest(input: VaultApproveCapabilityRequestInput): Promise<import("../../vault-core/index.js").AgentCapability>;
+    ownerRejectCapabilityRequest(requestId: string): Promise<void>;
+    ownerOnPendingCapabilityRequest(callback: (record: import("../../vault-core/index.js").PendingCapabilityRequestRecord) => void): () => void;
 }
 export interface CreateVaultClientOptions {
     vault: VaultService;