@the-ai-company/cbio-node-runtime 1.48.6 → 1.49.0

package/docs/api/interfaces/VaultClient.md

@@ -1,4 +1,4 @@
-[**CBIO Node Runtime Agent API v1.48.6**](../README.md)
+[**CBIO Node Runtime Agent API v1.49.0**](../README.md)
 
 ***
 
@@ -9,9 +9,25 @@ In Sovereign Vault model, administrative actions are implicitly authorized by th
 
 ## Methods
 
-### createAgent()
+### ownerApproveCapabilityRequest()
 
-> **createAgent**(`input`): `Promise`\<readonly \[`AgentIdentityRecord`, `string`\]\>
+> **ownerApproveCapabilityRequest**(`input`): `Promise`\<`AgentCapability`\>
+
+#### Parameters
+
+##### input
+
+[`VaultApproveCapabilityRequestInput`](VaultApproveCapabilityRequestInput.md)
+
+#### Returns
+
+`Promise`\<`AgentCapability`\>
+
+***
+
+### ownerCreateAgent()
+
+> **ownerCreateAgent**(`input`): `Promise`\<[`OwnerAgentProvisionResult`](OwnerAgentProvisionResult.md)\>
 
 Generates a new identity and registers it as an agent in one step.
 The private key is stored in the vault for managed custody.
@@ -24,13 +40,13 @@ The private key is stored in the vault for managed custody.
 
 #### Returns
 
-`Promise`\<readonly \[`AgentIdentityRecord`, `string`\]\>
+`Promise`\<[`OwnerAgentProvisionResult`](OwnerAgentProvisionResult.md)\>
 
 ***
 
-### defineSecretTargets()
+### ownerDefineSecretTargets()
 
-> **defineSecretTargets**(`input`): `Promise`\<`SecretRecord`\>
+> **ownerDefineSecretTargets**(`input`): `Promise`\<`SecretRecord`\>
 
 Refines the allowed targets for an existing secret.
 
@@ -46,9 +62,9 @@ Refines the allowed targets for an existing secret.
 
 ***
 
-### deleteSecret()
+### ownerDeleteSecret()
 
-> **deleteSecret**(`input`): `Promise`\<`void`\>
+> **ownerDeleteSecret**(`input`): `Promise`\<`void`\>
 
 Permanently deletes a secret from the vault.
 
@@ -64,9 +80,9 @@ Permanently deletes a secret from the vault.
 
 ***
 
-### exportSecret()
+### ownerExportSecret()
 
-> **exportSecret**(`input`): `Promise`\<`OwnerSecretExport`\>
+> **ownerExportSecret**(`input`): `Promise`\<`OwnerSecretExport`\>
 
 Exports a secret's plaintext.
 
@@ -82,9 +98,9 @@ Exports a secret's plaintext.
 
 ***
 
-### grantCapability()
+### ownerGrantCapability()
 
-> **grantCapability**(`input`): `Promise`\<`void`\>
+> **ownerGrantCapability**(`input`): `Promise`\<`void`\>
 
 Grants a specific capability to an agent.
 
@@ -100,9 +116,25 @@ Grants a specific capability to an agent.
 
 ***
 
-### listAgents()
+### ownerImportAgent()
+
+> **ownerImportAgent**(`input`): `Promise`\<[`OwnerAgentProvisionResult`](OwnerAgentProvisionResult.md)\>
+
+#### Parameters
 
-> **listAgents**(`input?`): `Promise`\<readonly `AgentIdentityRecord`[]\>
+##### input
+
+[`VaultImportAgentInput`](VaultImportAgentInput.md)
+
+#### Returns
+
+`Promise`\<[`OwnerAgentProvisionResult`](OwnerAgentProvisionResult.md)\>
+
+***
+
+### ownerListAgents()
+
+> **ownerListAgents**(`input?`): `Promise`\<readonly `AgentIdentityRecord`[]\>
 
 Lists all agents registered in the vault.
 
@@ -118,9 +150,9 @@ Lists all agents registered in the vault.
 
 ***
 
-### listCapabilities()
+### ownerListCapabilities()
 
-> **listCapabilities**(`input?`): `Promise`\<readonly `AgentCapability`[]\>
+> **ownerListCapabilities**(`input?`): `Promise`\<readonly `AgentCapability`[]\>
 
 Lists all active capabilities granted to agents.
 
@@ -136,9 +168,51 @@ Lists all active capabilities granted to agents.
 
 ***
 
-### readAudit()
+### ownerListPendingCapabilityRequests()
+
+> **ownerListPendingCapabilityRequests**(): `Promise`\<readonly `PendingCapabilityRequestRecord`[]\>
+
+#### Returns
+
+`Promise`\<readonly `PendingCapabilityRequestRecord`[]\>
+
+***
+
+### ownerListSecrets()
 
-> **readAudit**(`query?`): `Promise`\<readonly `AuditEntry`[]\>
+> **ownerListSecrets**(`input?`): `Promise`\<readonly `AgentVisibleSecretRecord`[]\>
+
+#### Parameters
+
+##### input?
+
+[`VaultListSecretsInput`](VaultListSecretsInput.md)
+
+#### Returns
+
+`Promise`\<readonly `AgentVisibleSecretRecord`[]\>
+
+***
+
+### ownerOnPendingCapabilityRequest()
+
+> **ownerOnPendingCapabilityRequest**(`callback`): () => `void`
+
+#### Parameters
+
+##### callback
+
+(`record`) => `void`
+
+#### Returns
+
+() => `void`
+
+***
+
+### ownerReadAudit()
+
+> **ownerReadAudit**(`query?`): `Promise`\<readonly `AuditEntry`[]\>
 
 Reads the tamper-evident audit log for the vault.
 
@@ -154,15 +228,17 @@ Reads the tamper-evident audit log for the vault.
 
 ***
 
-### registerAgent()
+### ownerRegisterFlow()
+
+> **ownerRegisterFlow**(`input`): `Promise`\<`void`\>
 
-> **registerAgent**(`input`): `Promise`\<`void`\>
+Registers a custom HTTP flow for complex secret usage.
 
 #### Parameters
 
 ##### input
 
-[`VaultRegisterAgentInput`](VaultRegisterAgentInput.md)
+[`VaultRegisterFlowInput`](VaultRegisterFlowInput.md)
 
 #### Returns
 
@@ -170,17 +246,15 @@ Reads the tamper-evident audit log for the vault.
 
 ***
 
-### registerFlow()
+### ownerRejectCapabilityRequest()
 
-> **registerFlow**(`input`): `Promise`\<`void`\>
-
-Registers a custom HTTP flow for complex secret usage.
+> **ownerRejectCapabilityRequest**(`requestId`): `Promise`\<`void`\>
 
 #### Parameters
 
-##### input
+##### requestId
 
-[`VaultRegisterFlowInput`](VaultRegisterFlowInput.md)
+`string`
 
 #### Returns
 
@@ -188,9 +262,9 @@ Registers a custom HTTP flow for complex secret usage.
 
 ***
 
-### revokeCapability()
+### ownerRevokeCapability()
 
-> **revokeCapability**(`input`): `Promise`\<`void`\>
+> **ownerRevokeCapability**(`input`): `Promise`\<`void`\>
 
 Revokes a previously granted capability.
 
@@ -206,9 +280,9 @@ Revokes a previously granted capability.
 
 ***
 
-### storeSecret()
+### ownerStoreSecret()
 
-> **storeSecret**(`input`): `Promise`\<`SecretRecord`\>
+> **ownerStoreSecret**(`input`): `Promise`\<`SecretRecord`\>
 
 Securely stores a new secret in the vault.
 
@@ -224,9 +298,25 @@ Securely stores a new secret in the vault.
 
 ***
 
-### writeSecret()
+### ownerSubmitCapabilityRequest()
+
+> **ownerSubmitCapabilityRequest**(`input`): `Promise`\<`PendingCapabilityRequestRecord`\>
+
+#### Parameters
+
+##### input
+
+[`VaultSubmitCapabilityRequestInput`](VaultSubmitCapabilityRequestInput.md)
+
+#### Returns
+
+`Promise`\<`PendingCapabilityRequestRecord`\>
+
+***
+
+### ownerWriteSecret()
 
-> **writeSecret**(`input`): `Promise`\<`SecretRecord`\>
+> **ownerWriteSecret**(`input`): `Promise`\<`SecretRecord`\>
 
 Atomic operation to store a secret and define its targets in one step.
 

package/docs/api/interfaces/VaultCoreDependenciesOptions.md

@@ -1,4 +1,4 @@
-[**CBIO Node Runtime Agent API v1.48.6**](../README.md)
+[**CBIO Node Runtime Agent API v1.49.0**](../README.md)
 
 ***
 

package/docs/api/interfaces/VaultCreateAgentInput.md

@@ -1,4 +1,4 @@
-[**CBIO Node Runtime Agent API v1.48.6**](../README.md)
+[**CBIO Node Runtime Agent API v1.49.0**](../README.md)
 
 ***
 

package/docs/api/interfaces/VaultDeleteSecretInput.md

@@ -1,4 +1,4 @@
-[**CBIO Node Runtime Agent API v1.48.6**](../README.md)
+[**CBIO Node Runtime Agent API v1.49.0**](../README.md)
 
 ***
 

package/docs/api/interfaces/VaultExportSecretInput.md

@@ -1,4 +1,4 @@
-[**CBIO Node Runtime Agent API v1.48.6**](../README.md)
+[**CBIO Node Runtime Agent API v1.49.0**](../README.md)
 
 ***
 

package/docs/api/interfaces/VaultGrantCapabilityInput.md

@@ -1,4 +1,4 @@
-[**CBIO Node Runtime Agent API v1.48.6**](../README.md)
+[**CBIO Node Runtime Agent API v1.49.0**](../README.md)
 
 ***
 
@@ -12,24 +12,6 @@
 
 ***
 
-### allowedMethods?
-
-> `optional` **allowedMethods?**: readonly `string`[]
-
-***
-
-### allowedPaths?
-
-> `optional` **allowedPaths?**: readonly `string`[]
-
-***
-
-### allowedTargets?
-
-> `optional` **allowedTargets?**: readonly `string`[]
-
-***
-
 ### capabilityId?
 
 > `optional` **capabilityId?**: `string`
@@ -42,6 +24,12 @@
 
 ***
 
+### methods
+
+> **methods**: readonly `string`[]
+
+***
+
 ### operation?
 
 > `optional` **operation?**: `string`
@@ -68,6 +56,12 @@
 
 ***
 
+### scope
+
+> **scope**: `string`
+
+***
+
 ### secretAliases?
 
 > `optional` **secretAliases?**: readonly `string`[]

package/docs/api/interfaces/VaultIdentity.md

@@ -1,4 +1,4 @@
-[**CBIO Node Runtime Agent API v1.48.6**](../README.md)
+[**CBIO Node Runtime Agent API v1.49.0**](../README.md)
 
 ***
 

package/docs/api/interfaces/{VaultRegisterAgentInput.md → VaultImportAgentInput.md}

@@ -1,8 +1,8 @@
-[**CBIO Node Runtime Agent API v1.48.6**](../README.md)
+[**CBIO Node Runtime Agent API v1.49.0**](../README.md)
 
 ***
 
-# Interface: VaultRegisterAgentInput
+# Interface: VaultImportAgentInput
 
 ## Properties
 
@@ -24,15 +24,9 @@
 
 ***
 
-### privateKey?
+### privateKey
 
-> `optional` **privateKey?**: `string`
-
-***
-
-### publicKey
-
-> **publicKey**: `string`
+> **privateKey**: `string`
 
 ***
 

package/docs/api/interfaces/VaultListAgentsInput.md

@@ -1,4 +1,4 @@
-[**CBIO Node Runtime Agent API v1.48.6**](../README.md)
+[**CBIO Node Runtime Agent API v1.49.0**](../README.md)
 
 ***
 

package/docs/api/interfaces/VaultListCapabilitiesInput.md

@@ -1,4 +1,4 @@
-[**CBIO Node Runtime Agent API v1.48.6**](../README.md)
+[**CBIO Node Runtime Agent API v1.49.0**](../README.md)
 
 ***
 

package/docs/api/interfaces/VaultListSecretsInput.md

@@ -0,0 +1,11 @@
+[**CBIO Node Runtime Agent API v1.49.0**](../README.md)
+
+***
+
+# Interface: VaultListSecretsInput
+
+## Properties
+
+### requestedAt?
+
+> `optional` **requestedAt?**: `string`

package/docs/api/interfaces/VaultMetadata.md

@@ -1,4 +1,4 @@
-[**CBIO Node Runtime Agent API v1.48.6**](../README.md)
+[**CBIO Node Runtime Agent API v1.49.0**](../README.md)
 
 ***
 

package/docs/api/interfaces/VaultObject.md

@@ -1,4 +1,4 @@
-[**CBIO Node Runtime Agent API v1.48.6**](../README.md)
+[**CBIO Node Runtime Agent API v1.49.0**](../README.md)
 
 ***
 

package/docs/api/interfaces/VaultProfile.md

@@ -1,4 +1,4 @@
-[**CBIO Node Runtime Agent API v1.48.6**](../README.md)
+[**CBIO Node Runtime Agent API v1.49.0**](../README.md)
 
 ***
 

package/docs/api/interfaces/VaultRegisterFlowInput.md

@@ -1,4 +1,4 @@
-[**CBIO Node Runtime Agent API v1.48.6**](../README.md)
+[**CBIO Node Runtime Agent API v1.49.0**](../README.md)
 
 ***
 

package/docs/api/interfaces/VaultRevokeCapabilityInput.md

@@ -1,4 +1,4 @@
-[**CBIO Node Runtime Agent API v1.48.6**](../README.md)
+[**CBIO Node Runtime Agent API v1.49.0**](../README.md)
 
 ***
 

package/docs/api/interfaces/VaultSigner.md

@@ -1,4 +1,4 @@
-[**CBIO Node Runtime Agent API v1.48.6**](../README.md)
+[**CBIO Node Runtime Agent API v1.49.0**](../README.md)
 
 ***
 

package/docs/api/interfaces/VaultSubmitCapabilityRequestInput.md

@@ -0,0 +1,79 @@
+[**CBIO Node Runtime Agent API v1.49.0**](../README.md)
+
+***
+
+# Interface: VaultSubmitCapabilityRequestInput
+
+## Properties
+
+### agentId
+
+> **agentId**: `string`
+
+***
+
+### expiresAt?
+
+> `optional` **expiresAt?**: `string`
+
+***
+
+### justification?
+
+> `optional` **justification?**: `string`
+
+***
+
+### methods
+
+> **methods**: readonly `string`[]
+
+***
+
+### operation?
+
+> `optional` **operation?**: `string`
+
+***
+
+### rateLimit?
+
+> `optional` **rateLimit?**: `object`
+
+#### maxRequests
+
+> **maxRequests**: `number`
+
+#### windowMs
+
+> **windowMs**: `number`
+
+***
+
+### requestedAt?
+
+> `optional` **requestedAt?**: `string`
+
+***
+
+### requester
+
+> **requester**: `VaultPrincipal`
+
+***
+
+### scope
+
+> **scope**: `string`
+
+***
+
+### secretAliases?
+
+> `optional` **secretAliases?**: readonly `string`[]
+
+***
+
+### skipAudit?
+
+> `optional` **skipAudit?**: `boolean`

package/docs/api/type-aliases/AgentCapabilityEnvelope.md

@@ -1,4 +1,4 @@
-[**CBIO Node Runtime Agent API v1.48.6**](../README.md)
+[**CBIO Node Runtime Agent API v1.49.0**](../README.md)
 
 ***
 

package/docs/api/type-aliases/AgentVisibleSecretRecord.md

@@ -0,0 +1,7 @@
+[**CBIO Node Runtime Agent API v1.49.0**](../README.md)
+
+***
+
+# Type Alias: AgentVisibleSecretRecord
+
+> **AgentVisibleSecretRecord** = `AgentVisibleSecretRecord`

package/docs/api/type-aliases/CbioRuntimeModule.md

@@ -1,4 +1,4 @@
-[**CBIO Node Runtime Agent API v1.48.6**](../README.md)
+[**CBIO Node Runtime Agent API v1.49.0**](../README.md)
 
 ***
 

package/docs/api/variables/DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY.md

@@ -1,4 +1,4 @@
-[**CBIO Node Runtime Agent API v1.48.6**](../README.md)
+[**CBIO Node Runtime Agent API v1.49.0**](../README.md)
 
 ***
 

package/examples/process-isolation.ts

@@ -8,13 +8,12 @@ import {
   AgentDispatchHttpTransport,
   MemoryStorageProvider,
 } from "../src/runtime/index.js";
-import { LocalSigner } from "../src/protocol/crypto.js";
 
 /**
  * This example demonstrates the A/B Process Architecture (Process Isolation).
  * 
  * - Process B (The Vault): Hosts the actual secrets and performs the HTTP dispatch.
- * - Process A (The Agent): Signs requests and sends them to Process B. A never sees the secret.
+ * - Process A (The Agent): Uses a session token to call Process B. A never sees the secret.
  */
 
 // --- Process B: The Vault Server Logic ---
@@ -25,7 +24,7 @@ async function startVaultServer(port: number) {
   // Create a real vault in memory
   const { core } = await createVault(storage, {
     vaultId: "vault-isolated-server",
-    ownerIdentity,
+    password: "process-isolation-demo-password",
   });
   
   // Wrap as a Service
@@ -61,7 +60,7 @@ async function startVaultServer(port: number) {
 }
 
 // --- Process A: The LLM Agent Logic ---
-async function runAgentDemo(port: number, agentIdentity: any, capability: any) {
+async function runAgentDemo(port: number, agentIdentity: any, capability: any, token: string) {
   // Process A ONLY knows the remote URL and its own Agent Identity.
   // It has NO access to the Vault's master key or storage.
   const transport = new AgentDispatchHttpTransport(`http://localhost:${port}/dispatch`);
@@ -70,13 +69,13 @@ async function runAgentDemo(port: number, agentIdentity: any, capability: any) {
     agentIdentity,
     capability,
     transport,
-    signer: new LocalSigner(agentIdentity),
+    token,
   });
 
   console.log("[Process A] LLM Agent requesting secret-backed dispatch...");
   
   try {
-    const result = await agentClient.dispatch({
+    const result = await agentClient.agentDispatch({
       secretAlias: "api-token",
       targetUrl: "https://httpbin.org/post",
       method: "POST",
@@ -102,27 +101,28 @@ async function main() {
   const agentIdentity = createIdentity({ nickname: "llm-agent-1" });
   
   // Owner registers the agent and a capability (simulated local call for setup)
-  await vault.registerAgentIdentity({
+  await vault.ownerRegisterAgentIdentity({
     vaultId: vault.vaultId,
+    requestId: `setup:${Date.now()}:register_agent`,
     owner: { kind: "owner", id: ownerIdentity.identityId },
     agentIdentity: {
       vaultId: vault.vaultId,
       agentId: agentIdentity.identityId,
       publicKey: agentIdentity.publicKey,
     },
-    proof: { signature: "setup-proof", ownerId: ownerIdentity.identityId, requestedAt: new Date().toISOString() },
+    requestedAt: new Date().toISOString(),
   });
 
   // Owner writes a secret (simulated local call for setup)
-  const secret = await vault.writeSecret({
+  const secret = await vault.ownerWriteSecret({
     kind: "owner.write_secret",
     vaultId: vault.vaultId,
+    requestId: `setup:${Date.now()}:write_secret`,
     owner: { kind: "owner", id: ownerIdentity.identityId },
     alias: "api-token",
     plaintext: "SK-PROD-12345",
     targetBindings: [{ kind: "site", targetId: "httpbin.org", targetUrl: "https://httpbin.org/post", methods: ["POST"] }],
     requestedAt: new Date().toISOString(),
-    proof: { signature: "setup-proof", ownerId: ownerIdentity.identityId, requestedAt: new Date().toISOString() },
   });
 
   const capability = {
@@ -132,20 +132,29 @@ async function main() {
     secretIds: [secret.secretId.value],
     secretAliases: ["api-token"],
     operation: "dispatch_http" as const,
-    allowedTargets: ["https://httpbin.org/post"],
-    allowedMethods: ["POST"],
+    scope: "https://httpbin.org/post",
+    methods: ["POST"],
     issuedAt: new Date().toISOString(),
   };
 
-  await vault.registerCapability({
+  await vault.ownerRegisterCapability({
     vaultId: vault.vaultId,
+    requestId: `setup:${Date.now()}:register_capability`,
     owner: { kind: "owner", id: ownerIdentity.identityId },
     capability,
-    proof: { signature: "setup-proof", ownerId: ownerIdentity.identityId, requestedAt: new Date().toISOString() },
+    requestedAt: new Date().toISOString(),
+  });
+
+  const session = await vault.ownerIssueSessionToken({
+    vaultId: vault.vaultId,
+    requestId: `setup:${Date.now()}:issue_session_token`,
+    actor: { kind: "owner", id: ownerIdentity.identityId },
+    agentId: agentIdentity.identityId,
+    requestedAt: new Date().toISOString(),
   });
 
   // 3. Run the "LLM Agent" (Process A)
-  await runAgentDemo(PORT, agentIdentity, capability);
+  await runAgentDemo(PORT, agentIdentity, capability, session.token);
 
   // 4. Cleanup
   server.close();