@the-ai-company/cbio-node-runtime 1.48.5 → 1.49.0

package/dist/vault-core/core.js

@@ -1,5 +1,6 @@
 import { AuditAction, AuditOutcome, DispatchStatus, } from "./contracts.js";
 import { VaultCoreError } from "./errors.js";
+import { verifySignature } from "../protocol/crypto.js";
 function toAuditEntry(deps, actor, action, outcome, detail, options) {
     return {
         entryId: deps.ids.newAuditEntryId(),
@@ -33,6 +34,21 @@ function buildSecretRecord(deps, command) {
         updatedAt: now,
     };
 }
+function isScopeMatch(scope, targetUrl) {
+    if (scope.endsWith("*")) {
+        return targetUrl.startsWith(scope.slice(0, -1));
+    }
+    return scope === targetUrl;
+}
+function createAgentControlBinding(requestId, requestedAt, agentId, action, payload = {}) {
+    return JSON.stringify({
+        requestId,
+        requestedAt,
+        agentId,
+        action,
+        ...payload,
+    });
+}
 /**
  * The Sovereign Vault Core.
  * This is the primary implementation of the Vault logic.
@@ -40,13 +56,14 @@ function buildSecretRecord(deps, command) {
 export class VaultCore {
     _deps;
     _pendingObservers = new Set();
+    _pendingCapabilityObservers = new Set();
     constructor(_deps) {
         this._deps = _deps;
     }
     get vaultId() {
         return this._deps.vaultId;
     }
-    async appendAudit(entry) {
+    async _appendAudit(entry) {
         try {
             await this._deps.audit.append(entry);
         }
@@ -55,8 +72,8 @@ export class VaultCore {
             throw new VaultCoreError(`audit append failed: ${message}`, "VAULT_AUDIT_FAILED");
         }
     }
-    async appendDecisionAudit(request, outcome, detail, options) {
-        await this.appendAudit(toAuditEntry(this._deps, request.agent, AuditAction.AUTHORIZE_DISPATCH, outcome, detail, {
+    async _appendDecisionAudit(request, outcome, detail, options) {
+        await this._appendAudit(toAuditEntry(this._deps, request.agent, AuditAction.AUTHORIZE_DISPATCH, outcome, detail, {
             requestId: request.requestId,
             capabilityId: request.capability?.capabilityId,
             operation: request.capability?.operation ?? AuditAction.AUTHORIZE_DISPATCH,
@@ -65,13 +82,75 @@ export class VaultCore {
             secretId: options?.secretId,
         }));
     }
-    onPendingRequest(callback) {
+    async _verifyAgentControlProof(request, action, payload = {}) {
+        if (request.proof.agentId !== request.agent.id) {
+            throw new VaultCoreError("agent identity mismatch", "VAULT_DISPATCH_DENIED");
+        }
+        if (request.proof.token) {
+            const valid = await this._deps.sessionTokens.verify(request.proof.token, request.agent.id);
+            if (!valid) {
+                throw new VaultCoreError("invalid or expired session token", "VAULT_DISPATCH_DENIED");
+            }
+            return;
+        }
+        if (!request.proof.signature) {
+            throw new VaultCoreError("missing agent proof (signature or token required)", "VAULT_DISPATCH_DENIED");
+        }
+        if (request.proof.requestId !== request.requestId || request.proof.requestedAt !== request.requestedAt) {
+            throw new VaultCoreError("proof binding mismatch", "VAULT_DISPATCH_DENIED");
+        }
+        const identity = await this._deps.agentIdentities.get(request.vaultId, request.agent.id);
+        if (!identity) {
+            throw new VaultCoreError("agent identity not registered", "VAULT_DISPATCH_DENIED");
+        }
+        const binding = createAgentControlBinding(request.requestId, request.requestedAt, request.agent.id, action, payload);
+        if (!verifySignature(identity.publicKey, request.proof.signature, binding)) {
+            throw new VaultCoreError("invalid proof signature", "VAULT_DISPATCH_DENIED");
+        }
+    }
+    async _listVisibleSecretsForAgent(agentId) {
+        const capabilities = await this._deps.capabilities.list(this._deps.vaultId, agentId);
+        const capabilityMap = new Map();
+        for (const capability of capabilities) {
+            for (const alias of capability.secretAliases ?? []) {
+                const existing = capabilityMap.get(alias) ?? [];
+                existing.push({
+                    capabilityId: capability.capabilityId,
+                    scope: capability.scope,
+                    methods: [...capability.methods],
+                });
+                capabilityMap.set(alias, existing);
+            }
+        }
+        const records = await this._deps.secrets.list(this._deps.vaultId);
+        return records.map((record) => {
+            const authorizedCapabilities = capabilityMap.get(record.alias.value) ?? [];
+            return {
+                vaultId: record.vaultId,
+                secretId: record.secretId,
+                alias: record.alias,
+                issuerId: record.issuerId,
+                targetBindings: [...record.targetBindings],
+                createdAt: record.createdAt,
+                updatedAt: record.updatedAt,
+                isAuthorizedForAgent: authorizedCapabilities.length > 0,
+                authorizedCapabilities,
+            };
+        });
+    }
+    ownerOnPendingDispatch(callback) {
         this._pendingObservers.add(callback);
         return () => {
             this._pendingObservers.delete(callback);
         };
     }
-    async registerAgentIdentity(command) {
+    ownerOnPendingCapabilityRequest(callback) {
+        this._pendingCapabilityObservers.add(callback);
+        return () => {
+            this._pendingCapabilityObservers.delete(callback);
+        };
+    }
+    async ownerRegisterAgentIdentity(command) {
         if (command.vaultId.value !== this._deps.vaultId.value) {
             throw new VaultCoreError("identity registration vault mismatch", "VAULT_IDENTITY_DENIED");
         }
@@ -81,15 +160,15 @@ export class VaultCore {
         try {
             // Sovereign Vault: Owner has full privileges. No signature required for unlocked vault.
             await this._deps.agentIdentities.register(command.agentIdentity);
-            await this.appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.REGISTER_AGENT_IDENTITY, AuditOutcome.SUCCEEDED, `agent identity registered: ${command.agentIdentity.agentId}`));
+            await this._appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.REGISTER_AGENT_IDENTITY, AuditOutcome.SUCCEEDED, `agent identity registered: ${command.agentIdentity.agentId}`));
         }
         catch (error) {
             const detail = error instanceof Error ? error.message : String(error);
-            await this.appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.REGISTER_AGENT_IDENTITY, AuditOutcome.DENIED, detail));
+            await this._appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.REGISTER_AGENT_IDENTITY, AuditOutcome.DENIED, detail));
             throw error;
         }
     }
-    async registerCapability(command) {
+    async ownerRegisterCapability(command) {
         if (command.vaultId.value !== this._deps.vaultId.value) {
             throw new VaultCoreError("capability registration vault mismatch", "VAULT_IDENTITY_DENIED");
         }
@@ -104,27 +183,73 @@ export class VaultCore {
         }
         try {
             await this._deps.capabilities.register(command.capability);
-            await this.appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.REGISTER_CAPABILITY, AuditOutcome.SUCCEEDED, `capability registered: ${command.capability.capabilityId}`, {
+            await this._appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.REGISTER_CAPABILITY, AuditOutcome.SUCCEEDED, `capability registered: ${command.capability.capabilityId}`, {
                 capabilityId: command.capability.capabilityId,
                 operation: command.capability.operation,
             }));
         }
         catch (error) {
             const detail = error instanceof Error ? error.message : String(error);
-            await this.appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.REGISTER_CAPABILITY, AuditOutcome.DENIED, detail, {
+            await this._appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.REGISTER_CAPABILITY, AuditOutcome.DENIED, detail, {
                 capabilityId: command.capability.capabilityId,
                 operation: command.capability.operation,
             }));
             throw error;
         }
     }
-    async getCapability(vaultId, agentId, capabilityId) {
+    async ownerSubmitCapabilityRequest(command) {
+        if (command.vaultId.value !== this._deps.vaultId.value) {
+            throw new VaultCoreError("capability request vault mismatch", "VAULT_IDENTITY_DENIED");
+        }
+        if (!command.agentId.trim()) {
+            throw new VaultCoreError("capability request agent id required", "VAULT_IDENTITY_DENIED");
+        }
+        if (!command.scope.scope.trim()) {
+            throw new VaultCoreError("capability request scope required", "VAULT_IDENTITY_DENIED");
+        }
+        if (command.scope.methods.length === 0) {
+            throw new VaultCoreError("capability request method required", "VAULT_IDENTITY_DENIED");
+        }
+        const pendingRecord = {
+            vaultId: this._deps.vaultId,
+            requestId: command.requestId,
+            requester: command.requester,
+            agentId: command.agentId,
+            scope: {
+                operation: command.scope.operation,
+                secretAliases: command.scope.secretAliases ? [...command.scope.secretAliases] : [],
+                scope: command.scope.scope,
+                methods: [...command.scope.methods],
+                rateLimit: command.scope.rateLimit,
+                skipAudit: command.scope.skipAudit,
+                expiresAt: command.scope.expiresAt,
+            },
+            justification: command.justification,
+            requestedAt: command.requestedAt,
+        };
+        await this._deps.pendingCapabilityRequests.save(pendingRecord);
+        for (const observer of this._pendingCapabilityObservers) {
+            try {
+                observer(pendingRecord);
+            }
+            catch (error) {
+                console.error("VaultCore: error in pending capability observer:", error);
+            }
+        }
+        await this._appendAudit(toAuditEntry(this._deps, command.requester, AuditAction.SUBMIT_CAPABILITY_REQUEST, AuditOutcome.PENDING, `capability request submitted for agent: ${command.agentId}`, {
+            requestId: command.requestId,
+            agentId: command.agentId,
+            operation: command.scope.operation,
+        }));
+        return pendingRecord;
+    }
+    async _getCapability(vaultId, agentId, capabilityId) {
         if (vaultId.value !== this._deps.vaultId.value) {
             throw new VaultCoreError("capability lookup vault mismatch", "VAULT_IDENTITY_DENIED");
         }
         return this._deps.capabilities.get(vaultId, agentId, capabilityId);
     }
-    async registerCustomFlow(command) {
+    async ownerRegisterCustomFlow(command) {
         if (command.vaultId.value !== this._deps.vaultId.value) {
             throw new VaultCoreError("custom flow vault mismatch", "VAULT_IDENTITY_DENIED");
         }
@@ -146,15 +271,15 @@ export class VaultCore {
                 responseSecret: command.flow.responseSecret,
                 createdAt: this._deps.clock.nowIso(),
             });
-            await this.appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.REGISTER_CUSTOM_FLOW, AuditOutcome.SUCCEEDED, `custom http flow registered: ${command.flow.flowId}`));
+            await this._appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.REGISTER_CUSTOM_FLOW, AuditOutcome.SUCCEEDED, `custom http flow registered: ${command.flow.flowId}`));
         }
         catch (error) {
             const detail = error instanceof Error ? error.message : String(error);
-            await this.appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.REGISTER_CUSTOM_FLOW, AuditOutcome.DENIED, detail));
+            await this._appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.REGISTER_CUSTOM_FLOW, AuditOutcome.DENIED, detail));
             throw error;
         }
     }
-    async storeCustomFlowSecret(flow, alias, plaintext) {
+    async _storeCustomFlowSecret(flow, alias, plaintext) {
         const actor = { kind: "owner", id: flow.ownerId };
         const targetBindings = [{
                 kind: "site",
@@ -165,7 +290,7 @@ export class VaultCore {
             }];
         const existing = await this._deps.secrets.getByAlias({ value: alias });
         if (existing) {
-            await this.appendAudit(toAuditEntry(this._deps, actor, AuditAction.REASSIGN_ALIAS, AuditOutcome.DENIED, "alias already bound to existing secret; explicit alias lifecycle required", {
+            await this._appendAudit(toAuditEntry(this._deps, actor, AuditAction.REASSIGN_ALIAS, AuditOutcome.DENIED, "alias already bound to existing secret; explicit alias lifecycle required", {
                 secretAlias: existing.alias.value,
                 secretId: existing.secretId.value,
             }));
@@ -184,7 +309,7 @@ export class VaultCore {
         try {
             await this._deps.custody.store(record.secretId, plaintext);
             await this._deps.secrets.save(record);
-            await this.appendAudit(toAuditEntry(this._deps, actor, AuditAction.WRITE_SECRET, AuditOutcome.SUCCEEDED, `custom flow stored secret: ${alias}`, {
+            await this._appendAudit(toAuditEntry(this._deps, actor, AuditAction.WRITE_SECRET, AuditOutcome.SUCCEEDED, `custom flow stored secret: ${alias}`, {
                 secretAlias: record.alias.value,
                 secretId: record.secretId.value,
             }));
@@ -198,7 +323,7 @@ export class VaultCore {
         }
         return record;
     }
-    async writeSecret(command) {
+    async ownerWriteSecret(command) {
         if (command.vaultId.value !== this._deps.vaultId.value) {
             throw new VaultCoreError("write vault mismatch", "VAULT_WRITE_DENIED");
         }
@@ -207,14 +332,14 @@ export class VaultCore {
         }
         catch (error) {
             const detail = error instanceof Error ? error.message : String(error);
-            await this.appendAudit(toAuditEntry(this._deps, command.kind === "owner.write_secret" ? command.owner : command.issuer, AuditAction.WRITE_SECRET, AuditOutcome.DENIED, detail, {
+            await this._appendAudit(toAuditEntry(this._deps, command.kind === "owner.write_secret" ? command.owner : command.issuer, AuditAction.WRITE_SECRET, AuditOutcome.DENIED, detail, {
                 secretAlias: command.alias,
             }));
             throw error;
         }
         const existing = await this._deps.secrets.getByAlias({ value: command.alias });
         if (existing) {
-            await this.appendAudit(toAuditEntry(this._deps, command.kind === "owner.write_secret" ? command.owner : command.issuer, AuditAction.REASSIGN_ALIAS, AuditOutcome.DENIED, "alias already bound to existing secret; explicit alias lifecycle required", {
+            await this._appendAudit(toAuditEntry(this._deps, command.kind === "owner.write_secret" ? command.owner : command.issuer, AuditAction.REASSIGN_ALIAS, AuditOutcome.DENIED, "alias already bound to existing secret; explicit alias lifecycle required", {
                 secretAlias: existing.alias.value,
                 secretId: existing.secretId.value,
             }));
@@ -224,7 +349,7 @@ export class VaultCore {
         try {
             await this._deps.custody.store(record.secretId, command.plaintext);
             await this._deps.secrets.save(record);
-            await this.appendAudit(toAuditEntry(this._deps, command.kind === "owner.write_secret" ? command.owner : command.issuer, AuditAction.WRITE_SECRET, AuditOutcome.SUCCEEDED, "secret stored", {
+            await this._appendAudit(toAuditEntry(this._deps, command.kind === "owner.write_secret" ? command.owner : command.issuer, AuditAction.WRITE_SECRET, AuditOutcome.SUCCEEDED, "secret stored", {
                 secretAlias: record.alias.value,
                 secretId: record.secretId.value,
             }));
@@ -238,20 +363,20 @@ export class VaultCore {
         }
         return record;
     }
-    async deleteSecret(command) {
+    async ownerDeleteSecret(command) {
         const record = await this._deps.secrets.getByAlias({ value: command.alias });
         if (!record) {
             throw new VaultCoreError(`secret not found: ${command.alias}`, "VAULT_SECRET_NOT_FOUND");
         }
         await this._deps.secrets.delete(record.secretId);
         await this._deps.custody.delete(record.secretId);
-        await this.appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.DELETE_SECRET, AuditOutcome.SUCCEEDED, `deleted secret ${command.alias}`, {
+        await this._appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.DELETE_SECRET, AuditOutcome.SUCCEEDED, `deleted secret ${command.alias}`, {
             requestId: command.requestId,
             secretAlias: command.alias,
             secretId: record.secretId.value,
         }));
     }
-    async defineSecretTargets(command) {
+    async ownerDefineSecretTargets(command) {
         if (command.vaultId.value !== this._deps.vaultId.value) {
             throw new VaultCoreError("write vault mismatch", "VAULT_WRITE_DENIED");
         }
@@ -260,7 +385,7 @@ export class VaultCore {
         }
         catch (error) {
             const detail = error instanceof Error ? error.message : String(error);
-            await this.appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.DEFINE_SECRET_TARGETS, AuditOutcome.DENIED, detail, {
+            await this._appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.DEFINE_SECRET_TARGETS, AuditOutcome.DENIED, detail, {
                 secretAlias: command.alias,
             }));
             throw error;
@@ -268,7 +393,7 @@ export class VaultCore {
         const existing = await this._deps.secrets.getByAlias({ value: command.alias });
         if (!existing) {
             const error = new VaultCoreError("secret not found", "VAULT_SECRET_NOT_FOUND");
-            await this.appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.DEFINE_SECRET_TARGETS, AuditOutcome.DENIED, error.message, {
+            await this._appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.DEFINE_SECRET_TARGETS, AuditOutcome.DENIED, error.message, {
                 secretAlias: command.alias,
             }));
             throw error;
@@ -279,14 +404,14 @@ export class VaultCore {
             updatedAt: this._deps.clock.nowIso(),
         };
         await this._deps.secrets.save(nextRecord);
-        await this.appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.DEFINE_SECRET_TARGETS, AuditOutcome.SUCCEEDED, "secret targets defined", {
+        await this._appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.DEFINE_SECRET_TARGETS, AuditOutcome.SUCCEEDED, "secret targets defined", {
             requestId: command.requestId,
             secretAlias: nextRecord.alias.value,
             secretId: nextRecord.secretId.value,
         }));
         return nextRecord;
     }
-    async authorizeDispatch(request) {
+    async agentAuthorizeDispatch(request) {
         if (request.vaultId.value !== this._deps.vaultId.value) {
             throw new VaultCoreError("request vault mismatch", "VAULT_DISPATCH_DENIED");
         }
@@ -294,7 +419,7 @@ export class VaultCore {
             ? await this._deps.secrets.getByAlias({ value: request.secretAlias })
             : null;
         if (request.secretAlias && !record) {
-            await this.appendDecisionAudit(request, AuditOutcome.DENIED, "secret not found");
+            await this._appendDecisionAudit(request, AuditOutcome.DENIED, "secret not found");
             return {
                 vaultId: this._deps.vaultId,
                 decision: "deny",
@@ -310,7 +435,7 @@ export class VaultCore {
         }
         catch (error) {
             const detail = error instanceof Error ? error.message : String(error);
-            await this.appendDecisionAudit(request, AuditOutcome.DENIED, detail, {
+            await this._appendDecisionAudit(request, AuditOutcome.DENIED, detail, {
                 secretAlias: record?.alias.value ?? request.secretAlias,
                 secretId: record?.secretId.value,
             });
@@ -352,7 +477,7 @@ export class VaultCore {
                     console.error("VaultCore: error in pending observer:", error);
                 }
             }
-            await this.appendDecisionAudit(request, AuditOutcome.PENDING, "dispatch stalled for manual discovery approval", {
+            await this._appendDecisionAudit(request, AuditOutcome.PENDING, "dispatch stalled for manual discovery approval", {
                 secretAlias: record?.alias.value ?? request.secretAlias,
                 secretId: record?.secretId.value,
             });
@@ -366,7 +491,7 @@ export class VaultCore {
         }
         // Capability found, proceed
         if (!capability.skipAudit) {
-            await this.appendDecisionAudit(request, AuditOutcome.ALLOWED, "dispatch authorized", {
+            await this._appendDecisionAudit(request, AuditOutcome.ALLOWED, "dispatch authorized", {
                 secretAlias: record?.alias.value ?? request.secretAlias,
                 secretId: record?.secretId.value,
             });
@@ -380,8 +505,8 @@ export class VaultCore {
             capability, // Expose the found capability for subsequent steps
         };
     }
-    async dispatchSecret(request) {
-        const authorization = await this.authorizeDispatch(request);
+    async agentDispatchSecret(request) {
+        const authorization = await this.agentAuthorizeDispatch(request);
         if (authorization.decision === "deny" || !authorization.secretId) {
             throw new VaultCoreError("dispatch denied", "VAULT_DISPATCH_DENIED");
         }
@@ -411,7 +536,7 @@ export class VaultCore {
             headers: request.headers,
             body: request.body,
         }, { record, plaintext });
-        await this.appendAudit(toAuditEntry(this._deps, request.agent, AuditAction.DISPATCH_SECRET, result.status === DispatchStatus.SUCCEEDED ? AuditOutcome.SUCCEEDED : AuditOutcome.FAILED, result.status === DispatchStatus.SUCCEEDED ? "dispatch completed" : (result.error ?? "dispatch failed"), {
+        await this._appendAudit(toAuditEntry(this._deps, request.agent, AuditAction.DISPATCH_SECRET, result.status === DispatchStatus.SUCCEEDED ? AuditOutcome.SUCCEEDED : AuditOutcome.FAILED, result.status === DispatchStatus.SUCCEEDED ? "dispatch completed" : (result.error ?? "dispatch failed"), {
             requestId: request.requestId,
             capabilityId: authorization.capability?.capabilityId,
             operation: authorization.capability?.operation,
@@ -424,12 +549,12 @@ export class VaultCore {
             vaultId: this._deps.vaultId,
         };
     }
-    async getAudit(actor, query, request) {
+    async ownerReadAudit(actor, query, request) {
         const entries = await this._deps.audit.query(query);
-        await this.appendAudit(toAuditEntry(this._deps, actor, AuditAction.READ_AUDIT, AuditOutcome.ALLOWED, "audit queried"));
+        await this._appendAudit(toAuditEntry(this._deps, actor, AuditAction.READ_AUDIT, AuditOutcome.ALLOWED, "audit queried"));
         return entries;
     }
-    async exportSecret(actor, alias, request) {
+    async ownerExportSecret(actor, alias, request) {
         try {
             const record = await this._deps.secrets.getByAlias({ value: alias });
             if (!record) {
@@ -440,7 +565,7 @@ export class VaultCore {
                 throw new VaultCoreError("secret material not found", "VAULT_SECRET_NOT_FOUND");
             }
             const exportedAt = this._deps.clock.nowIso();
-            await this.appendAudit(toAuditEntry(this._deps, actor, AuditAction.EXPORT_SECRET, AuditOutcome.SUCCEEDED, "secret exported", {
+            await this._appendAudit(toAuditEntry(this._deps, actor, AuditAction.EXPORT_SECRET, AuditOutcome.SUCCEEDED, "secret exported", {
                 requestId: request?.requestId,
                 secretAlias: record.alias.value,
                 secretId: record.secretId.value,
@@ -455,7 +580,7 @@ export class VaultCore {
         }
         catch (error) {
             const detail = error instanceof Error ? error.message : String(error);
-            await this.appendAudit(toAuditEntry(this._deps, actor, AuditAction.EXPORT_SECRET, AuditOutcome.DENIED, detail, {
+            await this._appendAudit(toAuditEntry(this._deps, actor, AuditAction.EXPORT_SECRET, AuditOutcome.DENIED, detail, {
                 requestId: request?.requestId,
                 secretAlias: alias,
             }));
@@ -467,47 +592,88 @@ export class VaultCore {
         if (request.secretAlias && !capability.secretAliases?.includes(request.secretAlias)) {
             return false;
         }
-        if (request.method && capability.allowedMethods?.length > 0 && !capability.allowedMethods.includes(request.method)) {
+        if (request.method && capability.methods?.length > 0 && !capability.methods.includes(request.method)) {
             return false;
         }
-        // Target match (supports glob-like patterns in simple string comparison for now)
-        if (capability.allowedTargets?.length > 0) {
-            const match = capability.allowedTargets.some(target => {
-                if (target.endsWith("*")) {
-                    const prefix = target.slice(0, -1);
-                    return request.targetUrl.startsWith(prefix);
-                }
-                return target === request.targetUrl;
-            });
-            if (!match)
-                return false;
+        if (capability.scope && !isScopeMatch(capability.scope, request.targetUrl)) {
+            return false;
         }
         return true;
     }
-    async listAgents(actor, request) {
+    async ownerListAgents(actor, request) {
         const identities = await this._deps.agentIdentities.list(this._deps.vaultId);
-        await this.appendAudit(toAuditEntry(this._deps, actor, AuditAction.LIST_AGENTS, AuditOutcome.ALLOWED, "agent identities listed", {
+        await this._appendAudit(toAuditEntry(this._deps, actor, AuditAction.LIST_AGENTS, AuditOutcome.ALLOWED, "agent identities listed", {
             requestId: request?.requestId,
         }));
         return identities;
     }
-    async listCapabilities(actor, agentId, request) {
+    async ownerListCapabilities(actor, agentId, request) {
         const capabilities = await this._deps.capabilities.list(this._deps.vaultId, agentId);
-        await this.appendAudit(toAuditEntry(this._deps, actor, AuditAction.LIST_CAPABILITIES, AuditOutcome.ALLOWED, "capabilities listed", {
+        await this._appendAudit(toAuditEntry(this._deps, actor, AuditAction.LIST_CAPABILITIES, AuditOutcome.ALLOWED, "capabilities listed", {
             requestId: request?.requestId,
             agentId,
         }));
         return capabilities;
     }
-    async revokeCapability(command) {
+    async ownerListSecrets(actor, request) {
+        const records = await this._deps.secrets.list(this._deps.vaultId);
+        await this._appendAudit(toAuditEntry(this._deps, actor, AuditAction.READ_AUDIT, AuditOutcome.ALLOWED, "secret metadata listed", {
+            requestId: request?.requestId,
+        }));
+        return records.map((record) => ({
+            vaultId: record.vaultId,
+            secretId: record.secretId,
+            alias: record.alias,
+            issuerId: record.issuerId,
+            targetBindings: [...record.targetBindings],
+            createdAt: record.createdAt,
+            updatedAt: record.updatedAt,
+        }));
+    }
+    async agentListCapabilities(request) {
+        if (request.vaultId.value !== this._deps.vaultId.value) {
+            throw new VaultCoreError("read vault mismatch", "VAULT_READ_DENIED");
+        }
+        await this._verifyAgentControlProof(request, "list_capabilities");
+        return this._deps.capabilities.list(this._deps.vaultId, request.agent.id);
+    }
+    async agentListSecrets(request) {
+        if (request.vaultId.value !== this._deps.vaultId.value) {
+            throw new VaultCoreError("read vault mismatch", "VAULT_READ_DENIED");
+        }
+        await this._verifyAgentControlProof(request, "list_secrets");
+        return this._listVisibleSecretsForAgent(request.agent.id);
+    }
+    async agentSubmitCapabilityRequest(command) {
+        if (command.vaultId.value !== this._deps.vaultId.value) {
+            throw new VaultCoreError("write vault mismatch", "VAULT_WRITE_DENIED");
+        }
+        await this._verifyAgentControlProof(command, "submit_capability_request", {
+            scope: command.scope.scope,
+            methods: command.scope.methods,
+            operation: command.scope.operation,
+            secretAliases: command.scope.secretAliases ?? [],
+            justification: command.justification ?? null,
+        });
+        return this.ownerSubmitCapabilityRequest({
+            vaultId: command.vaultId,
+            requestId: command.requestId,
+            requester: command.agent,
+            agentId: command.agent.id,
+            scope: command.scope,
+            justification: command.justification,
+            requestedAt: command.requestedAt,
+        });
+    }
+    async ownerRevokeCapability(command) {
         await this._deps.policy.revokeCapability(command.vaultId, command.agentId, command.capabilityId);
-        await this.appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.REVOKE_CAPABILITY, AuditOutcome.SUCCEEDED, "capability revoked", {
+        await this._appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.REVOKE_CAPABILITY, AuditOutcome.SUCCEEDED, "capability revoked", {
             requestId: command.requestId,
             agentId: command.agentId,
             capabilityId: command.capabilityId,
         }));
     }
-    async issueAgentSessionToken(request) {
+    async ownerIssueSessionToken(request) {
         if (request.vaultId.value !== this._deps.vaultId.value) {
             throw new VaultCoreError("session token vault mismatch", "VAULT_IDENTITY_DENIED");
         }
@@ -517,19 +683,19 @@ export class VaultCore {
         }
         const token = await this._deps.sessionTokens.issue(request.agentId);
         const issuedAt = this._deps.clock.nowIso();
-        await this.appendAudit(toAuditEntry(this._deps, request.actor, AuditAction.ISSUE_SESSION_TOKEN, AuditOutcome.SUCCEEDED, `session token issued for agent: ${request.agentId}`));
+        await this._appendAudit(toAuditEntry(this._deps, request.actor, AuditAction.ISSUE_SESSION_TOKEN, AuditOutcome.SUCCEEDED, `session token issued for agent: ${request.agentId}`));
         return {
             token,
             agentId: request.agentId,
             issuedAt,
         };
     }
-    async issueAllAgentSessionTokens(actor) {
+    async ownerIssueAllAgentSessionTokens(actor) {
         const agents = await this._deps.agentIdentities.list(this._deps.vaultId);
         const results = [];
         const requestedAt = this._deps.clock.nowIso();
         for (const agent of agents) {
-            results.push(await this.issueAgentSessionToken({
+            results.push(await this.ownerIssueSessionToken({
                 vaultId: this._deps.vaultId,
                 requestId: `warmup_${this._deps.ids.newVersion().value}`,
                 actor,
@@ -539,20 +705,72 @@ export class VaultCore {
         }
         return results;
     }
-    async revokeAgentSessionToken(request) {
+    async ownerRevokeSessionToken(request) {
         if (request.vaultId.value !== this._deps.vaultId.value) {
             throw new VaultCoreError("session token vault mismatch", "VAULT_IDENTITY_DENIED");
         }
         await this._deps.sessionTokens.revoke(request.token);
-        await this.appendAudit(toAuditEntry(this._deps, request.actor, AuditAction.REVOKE_SESSION_TOKEN, AuditOutcome.SUCCEEDED, "session token revoked"));
+        await this._appendAudit(toAuditEntry(this._deps, request.actor, AuditAction.REVOKE_SESSION_TOKEN, AuditOutcome.SUCCEEDED, "session token revoked"));
     }
-    async listPendingDispatches(command) {
+    async ownerListPendingDispatches(command) {
         if (command.vaultId.value !== this._deps.vaultId.value) {
             throw new VaultCoreError("read vault mismatch", "VAULT_READ_DENIED");
         }
         return this._deps.pendingRequests.list(command.vaultId);
     }
-    async approveDispatch(command) {
+    async ownerListPendingCapabilityRequests(command) {
+        if (command.vaultId.value !== this._deps.vaultId.value) {
+            throw new VaultCoreError("read vault mismatch", "VAULT_READ_DENIED");
+        }
+        return this._deps.pendingCapabilityRequests.list(command.vaultId);
+    }
+    async ownerApproveCapabilityRequest(command) {
+        if (command.vaultId.value !== this._deps.vaultId.value) {
+            throw new VaultCoreError("write vault mismatch", "VAULT_WRITE_DENIED");
+        }
+        const pending = await this._deps.pendingCapabilityRequests.get(command.requestId);
+        if (!pending) {
+            throw new VaultCoreError("pending capability request not found", "VAULT_REQUEST_NOT_FOUND");
+        }
+        const capability = {
+            vaultId: this._deps.vaultId,
+            agentId: pending.agentId,
+            capabilityId: command.capabilityId ?? `cap_${this._deps.ids.newVersion().value}`,
+            operation: pending.scope.operation,
+            secretAliases: pending.scope.secretAliases ? [...pending.scope.secretAliases] : [],
+            scope: pending.scope.scope,
+            methods: [...pending.scope.methods],
+            rateLimit: pending.scope.rateLimit,
+            skipAudit: pending.scope.skipAudit,
+            expiresAt: pending.scope.expiresAt,
+            issuedAt: this._deps.clock.nowIso(),
+        };
+        await this._deps.capabilities.register(capability);
+        await this._deps.pendingCapabilityRequests.delete(command.requestId);
+        await this._appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.APPROVE_CAPABILITY_REQUEST, AuditOutcome.SUCCEEDED, `approved capability request ${command.requestId}`, {
+            requestId: command.requestId,
+            agentId: pending.agentId,
+            capabilityId: capability.capabilityId,
+            operation: capability.operation,
+        }));
+        return capability;
+    }
+    async ownerRejectCapabilityRequest(command) {
+        if (command.vaultId.value !== this._deps.vaultId.value) {
+            throw new VaultCoreError("write vault mismatch", "VAULT_WRITE_DENIED");
+        }
+        const pending = await this._deps.pendingCapabilityRequests.get(command.requestId);
+        if (!pending) {
+            throw new VaultCoreError("pending capability request not found", "VAULT_REQUEST_NOT_FOUND");
+        }
+        await this._deps.pendingCapabilityRequests.delete(command.requestId);
+        await this._appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.REJECT_CAPABILITY_REQUEST, AuditOutcome.SUCCEEDED, `rejected capability request ${command.requestId}`, {
+            requestId: command.requestId,
+            agentId: pending.agentId,
+            operation: pending.scope.operation,
+        }));
+    }
+    async ownerApproveDispatch(command) {
         if (command.vaultId.value !== this._deps.vaultId.value) {
             throw new VaultCoreError("write vault mismatch", "VAULT_WRITE_DENIED");
         }
@@ -580,9 +798,8 @@ export class VaultCore {
                 agentId: pending.agentId,
                 capabilityId,
                 secretAliases: [pending.secretAlias],
-                allowedMethods: [pending.method],
-                allowedTargets: [pending.targetUrl],
-                allowedPaths: [],
+                methods: [pending.method],
+                scope: pending.targetUrl,
                 operation: "dispatch_http",
                 issuedAt: this._deps.clock.nowIso(),
                 skipAudit: command.skipAudit ?? false,
@@ -591,7 +808,7 @@ export class VaultCore {
                 await this._deps.capabilities.register(capability);
             }
         }
-        const result = await this.dispatchSecret({
+        const result = await this.agentDispatchSecret({
             vaultId: this._deps.vaultId,
             agent: { kind: "agent", id: pending.agentId },
             capability: capability,
@@ -605,14 +822,14 @@ export class VaultCore {
             requestedAt: pending.requestedAt,
         });
         await this._deps.pendingRequests.delete(command.requestId);
-        await this.appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.APPROVE_DISPATCH, AuditOutcome.SUCCEEDED, `approved dispatch ${command.requestId}${command.permanent ? " and granted permanent capability" : ""}`, {
+        await this._appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.APPROVE_DISPATCH, AuditOutcome.SUCCEEDED, `approved dispatch ${command.requestId}${command.permanent ? " and granted permanent capability" : ""}`, {
             requestId: command.requestId,
             agentId: pending.agentId,
             capabilityId: capability.capabilityId,
         }));
         return result;
     }
-    async rejectDispatch(command) {
+    async ownerRejectDispatch(command) {
         if (command.vaultId.value !== this._deps.vaultId.value) {
             throw new VaultCoreError("write vault mismatch", "VAULT_WRITE_DENIED");
         }
@@ -621,7 +838,7 @@ export class VaultCore {
             throw new VaultCoreError("pending request not found", "VAULT_REQUEST_NOT_FOUND");
         }
         await this._deps.pendingRequests.delete(command.requestId);
-        await this.appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.REJECT_DISPATCH, AuditOutcome.SUCCEEDED, `rejected dispatch ${command.requestId}`, {
+        await this._appendAudit(toAuditEntry(this._deps, command.owner, AuditAction.REJECT_DISPATCH, AuditOutcome.SUCCEEDED, `rejected dispatch ${command.requestId}`, {
             requestId: command.requestId,
         }));
     }