@the-ai-company/cbio-node-runtime 1.48.6 → 1.49.0

package/dist/vault-core/contracts.d.ts

@@ -147,9 +147,8 @@ export interface AgentCapability {
     secretAliases?: readonly string[];
     operation: "dispatch_http" | "custom_http";
     customFlowId?: string;
-    allowedTargets: readonly string[];
-    allowedMethods: readonly string[];
-    allowedPaths?: readonly string[];
+    scope: string;
+    methods: readonly string[];
     issuedAt: string;
     expiresAt?: string;
     revocationVersion?: number;
@@ -166,6 +165,50 @@ export interface AgentProof {
     signature?: string;
     token?: string;
 }
+export interface AgentVisibleSecretRecord {
+    vaultId: VaultId;
+    secretId: SecretId;
+    alias: SecretAlias;
+    issuerId: string | null;
+    targetBindings: VaultTargetBinding[];
+    createdAt: string;
+    updatedAt: string;
+    isAuthorizedForAgent?: boolean;
+    authorizedCapabilities?: readonly {
+        capabilityId: string;
+        scope: string;
+        methods: readonly string[];
+    }[];
+}
+export interface AgentListCapabilitiesRequest {
+    vaultId: VaultId;
+    requestId: string;
+    requestedAt: string;
+    agent: VaultPrincipal & {
+        kind: "agent";
+    };
+    proof: AgentProof;
+}
+export interface AgentListSecretsRequest {
+    vaultId: VaultId;
+    requestId: string;
+    requestedAt: string;
+    agent: VaultPrincipal & {
+        kind: "agent";
+    };
+    proof: AgentProof;
+}
+export interface AgentSubmitCapabilityRequestCommand {
+    vaultId: VaultId;
+    requestId: string;
+    requestedAt: string;
+    agent: VaultPrincipal & {
+        kind: "agent";
+    };
+    proof: AgentProof;
+    scope: CapabilityRequestScope;
+    justification?: string;
+}
 export interface PendingDispatchRecord {
     requestId: string;
     agentId: string;
@@ -190,6 +233,47 @@ export interface OwnerRejectDispatchCommand {
     requestId: string;
     owner: VaultPrincipal;
 }
+export interface CapabilityRequestScope {
+    operation: "dispatch_http" | "custom_http";
+    secretAliases?: readonly string[];
+    scope: string;
+    methods: readonly string[];
+    rateLimit?: {
+        maxRequests: number;
+        windowMs: number;
+    };
+    skipAudit?: boolean;
+    expiresAt?: string;
+}
+export interface SubmitCapabilityRequestCommand {
+    vaultId: VaultId;
+    requestId: string;
+    requester: VaultPrincipal;
+    agentId: string;
+    scope: CapabilityRequestScope;
+    justification?: string;
+    requestedAt: string;
+}
+export interface PendingCapabilityRequestRecord {
+    vaultId: VaultId;
+    requestId: string;
+    requester: VaultPrincipal;
+    agentId: string;
+    scope: CapabilityRequestScope;
+    justification?: string;
+    requestedAt: string;
+}
+export interface OwnerApproveCapabilityRequestCommand {
+    vaultId: VaultId;
+    requestId: string;
+    owner: VaultPrincipal;
+    capabilityId?: string;
+}
+export interface OwnerRejectCapabilityRequestCommand {
+    vaultId: VaultId;
+    requestId: string;
+    owner: VaultPrincipal;
+}
 export interface DispatchRequest {
     vaultId: VaultId;
     requestId: string;
@@ -250,6 +334,9 @@ export declare enum AuditAction {
     REGISTER_AGENT_IDENTITY = "REGISTER_AGENT_IDENTITY",
     REGISTER_CUSTOM_FLOW = "REGISTER_CUSTOM_FLOW",
     REGISTER_CAPABILITY = "REGISTER_CAPABILITY",
+    SUBMIT_CAPABILITY_REQUEST = "SUBMIT_CAPABILITY_REQUEST",
+    APPROVE_CAPABILITY_REQUEST = "APPROVE_CAPABILITY_REQUEST",
+    REJECT_CAPABILITY_REQUEST = "REJECT_CAPABILITY_REQUEST",
     REVOKE_CAPABILITY = "REVOKE_CAPABILITY",
     WRITE_SECRET = "WRITE_SECRET",
     DEFINE_SECRET_TARGETS = "DEFINE_SECRET_TARGETS",

package/dist/vault-core/contracts.js

@@ -11,6 +11,9 @@ export var AuditAction;
     AuditAction["REGISTER_AGENT_IDENTITY"] = "REGISTER_AGENT_IDENTITY";
     AuditAction["REGISTER_CUSTOM_FLOW"] = "REGISTER_CUSTOM_FLOW";
     AuditAction["REGISTER_CAPABILITY"] = "REGISTER_CAPABILITY";
+    AuditAction["SUBMIT_CAPABILITY_REQUEST"] = "SUBMIT_CAPABILITY_REQUEST";
+    AuditAction["APPROVE_CAPABILITY_REQUEST"] = "APPROVE_CAPABILITY_REQUEST";
+    AuditAction["REJECT_CAPABILITY_REQUEST"] = "REJECT_CAPABILITY_REQUEST";
     AuditAction["REVOKE_CAPABILITY"] = "REVOKE_CAPABILITY";
     AuditAction["WRITE_SECRET"] = "WRITE_SECRET";
     AuditAction["DEFINE_SECRET_TARGETS"] = "DEFINE_SECRET_TARGETS";

package/dist/vault-core/contracts.js.map

@@ -1 +1 @@
-{"version":3,"file":"contracts.js","sourceRoot":"","sources":["../../src/vault-core/contracts.ts"],"names":[],"mappings":"AAiPA,MAAM,CAAN,IAAY,cAMX;AAND,WAAY,cAAc;IACxB,yCAAuB,CAAA;IACvB,mCAAiB,CAAA;IACjB,mCAAiB,CAAA;IACjB,qCAAmB,CAAA;IACnB,qCAAmB,CAAA;AACrB,CAAC,EANW,cAAc,KAAd,cAAc,QAMzB;AAoBD,MAAM,CAAN,IAAY,WAoBX;AApBD,WAAY,WAAW;IACrB,kEAAmD,CAAA;IACnD,4DAA6C,CAAA;IAC7C,0DAA2C,CAAA;IAC3C,sDAAuC,CAAA;IACvC,4CAA6B,CAAA;IAC7B,8DAA+C,CAAA;IAC/C,8CAA+B,CAAA;IAC/B,gDAAiC,CAAA;IACjC,8CAA+B,CAAA;IAC/B,wDAAyC,CAAA;IACzC,kDAAmC,CAAA;IACnC,0CAA2B,CAAA;IAC3B,sDAAuC,CAAA;IACvC,wCAAyB,CAAA;IACzB,0DAA2C,CAAA;IAC3C,4DAA6C,CAAA;IAC7C,oDAAqC,CAAA;IACrC,kDAAmC,CAAA;IACnC,gDAAiC,CAAA;AACnC,CAAC,EApBW,WAAW,KAAX,WAAW,QAoBtB;AAED,MAAM,CAAN,IAAY,YAMX;AAND,WAAY,YAAY;IACtB,mCAAmB,CAAA;IACnB,iCAAiB,CAAA;IACjB,uCAAuB,CAAA;IACvB,iCAAiB,CAAA;IACjB,mCAAmB,CAAA;AACrB,CAAC,EANW,YAAY,KAAZ,YAAY,QAMvB"}
+{"version":3,"file":"contracts.js","sourceRoot":"","sources":["../../src/vault-core/contracts.ts"],"names":[],"mappings":"AAwUA,MAAM,CAAN,IAAY,cAMX;AAND,WAAY,cAAc;IACxB,yCAAuB,CAAA;IACvB,mCAAiB,CAAA;IACjB,mCAAiB,CAAA;IACjB,qCAAmB,CAAA;IACnB,qCAAmB,CAAA;AACrB,CAAC,EANW,cAAc,KAAd,cAAc,QAMzB;AAoBD,MAAM,CAAN,IAAY,WAuBX;AAvBD,WAAY,WAAW;IACrB,kEAAmD,CAAA;IACnD,4DAA6C,CAAA;IAC7C,0DAA2C,CAAA;IAC3C,sEAAuD,CAAA;IACvD,wEAAyD,CAAA;IACzD,sEAAuD,CAAA;IACvD,sDAAuC,CAAA;IACvC,4CAA6B,CAAA;IAC7B,8DAA+C,CAAA;IAC/C,8CAA+B,CAAA;IAC/B,gDAAiC,CAAA;IACjC,8CAA+B,CAAA;IAC/B,wDAAyC,CAAA;IACzC,kDAAmC,CAAA;IACnC,0CAA2B,CAAA;IAC3B,sDAAuC,CAAA;IACvC,wCAAyB,CAAA;IACzB,0DAA2C,CAAA;IAC3C,4DAA6C,CAAA;IAC7C,oDAAqC,CAAA;IACrC,kDAAmC,CAAA;IACnC,gDAAiC,CAAA;AACnC,CAAC,EAvBW,WAAW,KAAX,WAAW,QAuBtB;AAED,MAAM,CAAN,IAAY,YAMX;AAND,WAAY,YAAY;IACtB,mCAAmB,CAAA;IACnB,iCAAiB,CAAA;IACjB,uCAAuB,CAAA;IACvB,iCAAiB,CAAA;IACjB,mCAAmB,CAAA;AACrB,CAAC,EANW,YAAY,KAAZ,YAAY,QAMvB"}

package/dist/vault-core/core.d.ts

@@ -1,4 +1,4 @@
-import type { AuditEntry, AuditQuery, CustomHttpFlowDefinition, DispatchAuthorization, DispatchRequest, DispatchResult, OwnerDefineSecretTargetsCommand, OwnerIssueSessionTokenRequest, OwnerDeleteSecretCommand, OwnerExportSecretRequest, OwnerRegisterAgentIdentityCommand, OwnerRegisterCapabilityCommand, OwnerRegisterCustomHttpFlowCommand, OwnerRevokeCapabilityCommand, OwnerListAgentsRequest, OwnerListCapabilitiesRequest, OwnerSecretExport, OwnerSessionToken, SecretRecord, VaultId, VaultPrincipal, VaultWriteSecretCommand, AgentIdentityRecord, AgentCapability } from "./contracts.js";
+import type { AgentListCapabilitiesRequest, AgentListSecretsRequest, AgentSubmitCapabilityRequestCommand, AgentVisibleSecretRecord, AuditEntry, AuditQuery, CustomHttpFlowDefinition, DispatchAuthorization, DispatchRequest, DispatchResult, OwnerApproveCapabilityRequestCommand, OwnerDefineSecretTargetsCommand, OwnerIssueSessionTokenRequest, OwnerRejectCapabilityRequestCommand, OwnerDeleteSecretCommand, OwnerExportSecretRequest, OwnerRegisterAgentIdentityCommand, OwnerRegisterCapabilityCommand, OwnerRegisterCustomHttpFlowCommand, OwnerRevokeCapabilityCommand, OwnerListAgentsRequest, OwnerListCapabilitiesRequest, OwnerSecretExport, OwnerSessionToken, PendingCapabilityRequestRecord, SecretRecord, SubmitCapabilityRequestCommand, VaultId, VaultPrincipal, VaultWriteSecretCommand, AgentIdentityRecord, AgentCapability } from "./contracts.js";
 import type { VaultCoreDependencies } from "./ports.js";
 /**
  * The Sovereign Vault Core.
@@ -7,51 +7,70 @@ import type { VaultCoreDependencies } from "./ports.js";
 export declare class VaultCore {
     private readonly _deps;
     private readonly _pendingObservers;
+    private readonly _pendingCapabilityObservers;
     constructor(_deps: VaultCoreDependencies);
     get vaultId(): VaultId;
-    private appendAudit;
-    private appendDecisionAudit;
-    onPendingRequest(callback: (record: import("./contracts.js").PendingDispatchRecord) => void): () => void;
-    registerAgentIdentity(command: OwnerRegisterAgentIdentityCommand): Promise<void>;
-    registerCapability(command: OwnerRegisterCapabilityCommand): Promise<void>;
-    getCapability(vaultId: import("./contracts.js").VaultId, agentId: string, capabilityId: string): Promise<AgentCapability | null>;
-    registerCustomFlow(command: OwnerRegisterCustomHttpFlowCommand): Promise<void>;
-    storeCustomFlowSecret(flow: CustomHttpFlowDefinition, alias: string, plaintext: string): Promise<SecretRecord>;
-    writeSecret(command: VaultWriteSecretCommand): Promise<SecretRecord>;
-    deleteSecret(command: OwnerDeleteSecretCommand): Promise<void>;
-    defineSecretTargets(command: OwnerDefineSecretTargetsCommand): Promise<SecretRecord>;
-    authorizeDispatch(request: DispatchRequest): Promise<DispatchAuthorization>;
-    dispatchSecret(request: DispatchRequest): Promise<DispatchResult>;
-    getAudit(actor: VaultPrincipal & {
+    private _appendAudit;
+    private _appendDecisionAudit;
+    private _verifyAgentControlProof;
+    private _listVisibleSecretsForAgent;
+    ownerOnPendingDispatch(callback: (record: import("./contracts.js").PendingDispatchRecord) => void): () => void;
+    ownerOnPendingCapabilityRequest(callback: (record: PendingCapabilityRequestRecord) => void): () => void;
+    ownerRegisterAgentIdentity(command: OwnerRegisterAgentIdentityCommand): Promise<void>;
+    ownerRegisterCapability(command: OwnerRegisterCapabilityCommand): Promise<void>;
+    ownerSubmitCapabilityRequest(command: SubmitCapabilityRequestCommand): Promise<PendingCapabilityRequestRecord>;
+    _getCapability(vaultId: import("./contracts.js").VaultId, agentId: string, capabilityId: string): Promise<AgentCapability | null>;
+    ownerRegisterCustomFlow(command: OwnerRegisterCustomHttpFlowCommand): Promise<void>;
+    _storeCustomFlowSecret(flow: CustomHttpFlowDefinition, alias: string, plaintext: string): Promise<SecretRecord>;
+    ownerWriteSecret(command: VaultWriteSecretCommand): Promise<SecretRecord>;
+    ownerDeleteSecret(command: OwnerDeleteSecretCommand): Promise<void>;
+    ownerDefineSecretTargets(command: OwnerDefineSecretTargetsCommand): Promise<SecretRecord>;
+    agentAuthorizeDispatch(request: DispatchRequest): Promise<DispatchAuthorization>;
+    agentDispatchSecret(request: DispatchRequest): Promise<DispatchResult>;
+    ownerReadAudit(actor: VaultPrincipal & {
         kind: "owner";
     }, query: AuditQuery, request?: Omit<import("./contracts.js").OwnerAuditRequest, "actor" | "query" | "vaultId">): Promise<readonly AuditEntry[]>;
-    exportSecret(actor: VaultPrincipal & {
+    ownerExportSecret(actor: VaultPrincipal & {
         kind: "owner";
     }, alias: string, request?: Omit<OwnerExportSecretRequest, "actor" | "alias" | "vaultId">): Promise<OwnerSecretExport>;
     private isCapabilityMatch;
-    listAgents(actor: VaultPrincipal & {
+    ownerListAgents(actor: VaultPrincipal & {
         kind: "owner";
     }, request?: Omit<OwnerListAgentsRequest, "actor" | "vaultId">): Promise<readonly AgentIdentityRecord[]>;
-    listCapabilities(actor: VaultPrincipal & {
+    ownerListCapabilities(actor: VaultPrincipal & {
         kind: "owner";
     }, agentId?: string, request?: Omit<OwnerListCapabilitiesRequest, "actor" | "agentId" | "vaultId">): Promise<readonly AgentCapability[]>;
-    revokeCapability(command: OwnerRevokeCapabilityCommand): Promise<void>;
-    issueAgentSessionToken(request: OwnerIssueSessionTokenRequest): Promise<OwnerSessionToken>;
-    issueAllAgentSessionTokens(actor: VaultPrincipal & {
+    ownerListSecrets(actor: VaultPrincipal & {
+        kind: "owner";
+    }, request?: {
+        requestId?: string;
+    }): Promise<readonly AgentVisibleSecretRecord[]>;
+    agentListCapabilities(request: AgentListCapabilitiesRequest): Promise<readonly AgentCapability[]>;
+    agentListSecrets(request: AgentListSecretsRequest): Promise<readonly AgentVisibleSecretRecord[]>;
+    agentSubmitCapabilityRequest(command: AgentSubmitCapabilityRequestCommand): Promise<PendingCapabilityRequestRecord>;
+    ownerRevokeCapability(command: OwnerRevokeCapabilityCommand): Promise<void>;
+    ownerIssueSessionToken(request: OwnerIssueSessionTokenRequest): Promise<OwnerSessionToken>;
+    ownerIssueAllAgentSessionTokens(actor: VaultPrincipal & {
         kind: "owner";
     }): Promise<OwnerSessionToken[]>;
-    revokeAgentSessionToken(request: {
+    ownerRevokeSessionToken(request: {
         vaultId: VaultId;
         actor: VaultPrincipal & {
             kind: "owner";
         };
         token: string;
     }): Promise<void>;
-    listPendingDispatches(command: {
+    ownerListPendingDispatches(command: {
         vaultId: VaultId;
         owner: VaultPrincipal;
     }): Promise<readonly import("./contracts.js").PendingDispatchRecord[]>;
-    approveDispatch(command: import("./contracts.js").OwnerApproveDispatchCommand): Promise<DispatchResult>;
-    rejectDispatch(command: import("./contracts.js").OwnerRejectDispatchCommand): Promise<void>;
+    ownerListPendingCapabilityRequests(command: {
+        vaultId: VaultId;
+        owner: VaultPrincipal;
+    }): Promise<readonly PendingCapabilityRequestRecord[]>;
+    ownerApproveCapabilityRequest(command: OwnerApproveCapabilityRequestCommand): Promise<AgentCapability>;
+    ownerRejectCapabilityRequest(command: OwnerRejectCapabilityRequestCommand): Promise<void>;
+    ownerApproveDispatch(command: import("./contracts.js").OwnerApproveDispatchCommand): Promise<DispatchResult>;
+    ownerRejectDispatch(command: import("./contracts.js").OwnerRejectDispatchCommand): Promise<void>;
 }
 export declare function createVaultCore(deps: VaultCoreDependencies): VaultCore;