@the-ai-company/cbio-node-runtime 1.5.0 → 1.7.0

package/README.md

@@ -42,7 +42,8 @@ import {
   createVaultService,
   createDefaultVaultCoreDependencies,
   createIdentity,
-  createOwnedVault,
+  restoreIdentity,
+  createVault,
   recoverVault,
   createOwnerHttpFlowBoundary,
   createStandardAcquireBoundary,
@@ -54,6 +55,12 @@ import {
 } from '@the-ai-company/cbio-node-runtime';
 ```
 
+Identity restore example:
+
+```ts
+const identity = restoreIdentity(existingPrivateKey);
+```
+
 ## Architecture
 
 Core terms:
@@ -133,8 +140,8 @@ This package now exposes the production local vault runtime surface as the prima
 ## Example Shape
 
 ```ts
-const ownerIdentity = createIdentity();
-const agentIdentity = createIdentity();
+const ownerIdentity = createIdentity({ nickname: 'owner-main' });
+const agentIdentity = createIdentity({ nickname: 'agent-worker' });
 const vault = createVaultService(createDefaultVaultCoreDependencies());
 const owner = createOwnerClient({ ownerId: ownerIdentity.identityId }, vault, new LocalSigner(ownerIdentity), clock);
 const transport = new LocalVaultTransport(vault, capability.capabilityId);
@@ -202,15 +209,11 @@ console.log(exported.plaintext);
 Persistent custody bootstrap example:
 
 ```ts
-const ownerIdentity = createIdentity();
+const ownerIdentity = createIdentity({ nickname: 'owner-main' });
 const storage = new FsStorageProvider('/tmp/cbio-vault');
-const createdVault = await createOwnedVault(storage, {
+const createdVault = await createVault(storage, {
   vaultId: 'vault-persistent',
-  bootstrapOwner: {
-    vaultId: { value: 'vault-persistent' },
-    ownerId: ownerIdentity.identityId,
-    publicKey: ownerIdentity.publicKey,
-  },
+  ownerIdentity,
 });
 
 // Show once to the owner and let them store it offline.

package/dist/runtime/bootstrap.d.ts

@@ -1,15 +1,16 @@
-import { type CreatePersistentVaultCoreDependenciesOptions, type InitializedVaultCustody, type InitializeVaultCustodyOptions, type OwnerIdentityRecord, type VaultCore } from "../vault-core/index.js";
+import { type CreatePersistentVaultCoreDependenciesOptions, type InitializedVaultCustody, type InitializeVaultCustodyOptions, type VaultCore } from "../vault-core/index.js";
 import { type VaultService, type VaultCustomFlowResolver } from "../vault-ingress/index.js";
 import type { IStorageProvider } from "../storage/provider.js";
-export interface CreateOwnedVaultOptions extends Omit<CreatePersistentVaultCoreDependenciesOptions, "vaultWorkingKey"> {
+import type { CreatedIdentity } from "./identity.js";
+export interface CreateVaultOptions extends Omit<CreatePersistentVaultCoreDependenciesOptions, "vaultWorkingKey"> {
     custody?: InitializeVaultCustodyOptions;
-    bootstrapOwner: OwnerIdentityRecord;
+    ownerIdentity: CreatedIdentity;
     vault?: {
         customFlows?: VaultCustomFlowResolver;
         fetchImpl?: typeof fetch;
     };
 }
-export interface CreatedOwnedVault {
+export interface CreatedVault {
     initializedCustody: InitializedVaultCustody;
     core: VaultCore;
     vault: VaultService;
@@ -27,5 +28,5 @@ export interface RecoveredVault {
     core: VaultCore;
     vault: VaultService;
 }
-export declare function createOwnedVault(storage: IStorageProvider, options: CreateOwnedVaultOptions): Promise<CreatedOwnedVault>;
+export declare function createVault(storage: IStorageProvider, options: CreateVaultOptions): Promise<CreatedVault>;
 export declare function recoverVault(storage: IStorageProvider, options: RecoverVaultOptions): Promise<RecoveredVault>;

package/dist/runtime/bootstrap.js

@@ -1,14 +1,19 @@
 import { createVaultCore } from "../vault-core/core.js";
 import { createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, } from "../vault-core/index.js";
 import { wrapVaultCoreAsVaultService, } from "../vault-ingress/index.js";
-export async function createOwnedVault(storage, options) {
+export async function createVault(storage, options) {
     const initializedCustody = await initializeVaultCustody(storage, options.custody);
     const deps = createPersistentVaultCoreDependencies(storage, {
         ...options,
         vaultWorkingKey: initializedCustody.vaultWorkingKey,
     });
     const core = createVaultCore(deps);
-    await core.bootstrapOwnerIdentity(options.bootstrapOwner);
+    const bootstrapOwner = {
+        vaultId: core.vaultId,
+        ownerId: options.ownerIdentity.identityId,
+        publicKey: options.ownerIdentity.publicKey,
+    };
+    await core.bootstrapOwnerIdentity(bootstrapOwner);
     return {
         initializedCustody,
         core,

package/dist/runtime/bootstrap.js.map

@@ -1 +1 @@
-{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../src/runtime/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EACL,qCAAqC,EACrC,sBAAsB,EACtB,sBAAsB,GAMvB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,2BAA2B,GAG5B,MAAM,2BAA2B,CAAC;AAiCnC,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,OAAyB,EACzB,OAAgC;IAEhC,MAAM,kBAAkB,GAAG,MAAM,sBAAsB,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAClF,MAAM,IAAI,GAAG,qCAAqC,CAAC,OAAO,EAAE;QAC1D,GAAG,OAAO;QACV,eAAe,EAAE,kBAAkB,CAAC,eAAe;KACpD,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,IAAI,CAAC,sBAAsB,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAC1D,OAAO;QACL,kBAAkB;QAClB,IAAI;QACJ,KAAK,EAAE,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC;KACxD,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,OAAyB,EACzB,OAA4B;IAE5B,MAAM,eAAe,GAAG,MAAM,sBAAsB,CAClD,OAAO,EACP,OAAO,CAAC,gBAAgB,EACxB,OAAO,CAAC,iBAAiB,CAC1B,CAAC;IACF,MAAM,IAAI,GAAG,qCAAqC,CAAC,OAAO,EAAE;QAC1D,GAAG,OAAO;QACV,eAAe;KAChB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACnC,OAAO;QACL,eAAe;QACf,IAAI;QACJ,KAAK,EAAE,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC;KACxD,CAAC;AACJ,CAAC"}
+{"version":3,"file":"bootstrap.js","sourceRoot":"","sources":["../../src/runtime/bootstrap.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAC;AACxD,OAAO,EACL,qCAAqC,EACrC,sBAAsB,EACtB,sBAAsB,GAMvB,MAAM,wBAAwB,CAAC;AAChC,OAAO,EACL,2BAA2B,GAG5B,MAAM,2BAA2B,CAAC;AAkCnC,MAAM,CAAC,KAAK,UAAU,WAAW,CAC/B,OAAyB,EACzB,OAA2B;IAE3B,MAAM,kBAAkB,GAAG,MAAM,sBAAsB,CAAC,OAAO,EAAE,OAAO,CAAC,OAAO,CAAC,CAAC;IAClF,MAAM,IAAI,GAAG,qCAAqC,CAAC,OAAO,EAAE;QAC1D,GAAG,OAAO;QACV,eAAe,EAAE,kBAAkB,CAAC,eAAe;KACpD,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACnC,MAAM,cAAc,GAAwB;QAC1C,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,UAAU;QACzC,SAAS,EAAE,OAAO,CAAC,aAAa,CAAC,SAAS;KAC3C,CAAC;IACF,MAAM,IAAI,CAAC,sBAAsB,CAAC,cAAc,CAAC,CAAC;IAClD,OAAO;QACL,kBAAkB;QAClB,IAAI;QACJ,KAAK,EAAE,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC;KACxD,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,OAAyB,EACzB,OAA4B;IAE5B,MAAM,eAAe,GAAG,MAAM,sBAAsB,CAClD,OAAO,EACP,OAAO,CAAC,gBAAgB,EACxB,OAAO,CAAC,iBAAiB,CAC1B,CAAC;IACF,MAAM,IAAI,GAAG,qCAAqC,CAAC,OAAO,EAAE;QAC1D,GAAG,OAAO;QACV,eAAe;KAChB,CAAC,CAAC;IACH,MAAM,IAAI,GAAG,eAAe,CAAC,IAAI,CAAC,CAAC;IACnC,OAAO;QACL,eAAe;QACf,IAAI;QACJ,KAAK,EAAE,2BAA2B,CAAC,IAAI,EAAE,OAAO,CAAC,KAAK,CAAC;KACxD,CAAC;AACJ,CAAC"}

package/dist/runtime/identity.d.ts

@@ -1,6 +1,14 @@
 export interface CreatedIdentity {
     identityId: string;
+    nickname?: string;
     publicKey: string;
     privateKey: string;
 }
-export declare function createIdentity(): CreatedIdentity;
+export interface CreateIdentityOptions {
+    nickname?: string;
+}
+export interface RestoreIdentityOptions {
+    nickname?: string;
+}
+export declare function createIdentity(options?: CreateIdentityOptions): CreatedIdentity;
+export declare function restoreIdentity(privateKey: string, options?: RestoreIdentityOptions): CreatedIdentity;

package/dist/runtime/identity.js

@@ -1,14 +1,30 @@
-import { generateIdentityKeys } from "../protocol/crypto.js";
+import { derivePublicKey, generateIdentityKeys } from "../protocol/crypto.js";
 import { deriveRootAgentId } from "../protocol/identity.js";
-export function createIdentity() {
+export function createIdentity(options = {}) {
     const keyPair = generateIdentityKeys();
     if (!keyPair.publicKey || !keyPair.privateKey) {
         throw new Error("identity generation failed");
     }
+    const nickname = options.nickname?.trim() ? options.nickname.trim() : undefined;
     return {
         identityId: deriveRootAgentId(keyPair.publicKey),
+        nickname,
         publicKey: keyPair.publicKey,
         privateKey: keyPair.privateKey,
     };
 }
+export function restoreIdentity(privateKey, options = {}) {
+    const normalizedPrivateKey = privateKey.trim();
+    if (!normalizedPrivateKey) {
+        throw new Error("private key is required");
+    }
+    const publicKey = derivePublicKey(normalizedPrivateKey);
+    const nickname = options.nickname?.trim() ? options.nickname.trim() : undefined;
+    return {
+        identityId: deriveRootAgentId(publicKey),
+        nickname,
+        publicKey,
+        privateKey: normalizedPrivateKey,
+    };
+}
 //# sourceMappingURL=identity.js.map

package/dist/runtime/identity.js.map

@@ -1 +1 @@
-{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/runtime/identity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAC7D,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAQ5D,MAAM,UAAU,cAAc;IAC5B,MAAM,OAAO,GAAG,oBAAoB,EAAE,CAAC;IACvC,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,OAAO;QACL,UAAU,EAAE,iBAAiB,CAAC,OAAO,CAAC,SAAS,CAAC;QAChD,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,UAAU,EAAE,OAAO,CAAC,UAAU;KAC/B,CAAC;AACJ,CAAC"}
+{"version":3,"file":"identity.js","sourceRoot":"","sources":["../../src/runtime/identity.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,uBAAuB,CAAC;AAC9E,OAAO,EAAE,iBAAiB,EAAE,MAAM,yBAAyB,CAAC;AAiB5D,MAAM,UAAU,cAAc,CAAC,UAAiC,EAAE;IAChE,MAAM,OAAO,GAAG,oBAAoB,EAAE,CAAC;IACvC,IAAI,CAAC,OAAO,CAAC,SAAS,IAAI,CAAC,OAAO,CAAC,UAAU,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,4BAA4B,CAAC,CAAC;IAChD,CAAC;IACD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAChF,OAAO;QACL,UAAU,EAAE,iBAAiB,CAAC,OAAO,CAAC,SAAS,CAAC;QAChD,QAAQ;QACR,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,UAAU,EAAE,OAAO,CAAC,UAAU;KAC/B,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,UAAkB,EAAE,UAAkC,EAAE;IACtF,MAAM,oBAAoB,GAAG,UAAU,CAAC,IAAI,EAAE,CAAC;IAC/C,IAAI,CAAC,oBAAoB,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;IACD,MAAM,SAAS,GAAG,eAAe,CAAC,oBAAoB,CAAC,CAAC;IACxD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;IAChF,OAAO;QACL,UAAU,EAAE,iBAAiB,CAAC,SAAS,CAAC;QACxC,QAAQ;QACR,SAAS;QACT,UAAU,EAAE,oBAAoB;KACjC,CAAC;AACJ,CAAC"}

package/dist/runtime/index.d.ts

@@ -7,8 +7,8 @@ export { derivePublicKey, LocalSigner } from "../protocol/crypto.js";
 export type { IStorageProvider } from "../storage/provider.js";
 export { FsStorageProvider } from "../storage/fs.js";
 export { MemoryStorageProvider } from "../storage/memory.js";
-export { createIdentity, type CreatedIdentity, } from "./identity.js";
-export { createOwnedVault, recoverVault, type CreateOwnedVaultOptions, type CreatedOwnedVault, type RecoverVaultOptions, type RecoveredVault, } from "./bootstrap.js";
+export { createIdentity, restoreIdentity, type CreateIdentityOptions, type RestoreIdentityOptions, type CreatedIdentity, } from "./identity.js";
+export { createVault, recoverVault, type CreateVaultOptions, type CreatedVault, type RecoverVaultOptions, type RecoveredVault, } from "./bootstrap.js";
 export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, type CreateDefaultVaultCoreDependenciesOptions, type DefaultPolicyEngineOptions, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, type InitializeVaultCustodyOptions, type InitializedVaultCustody, type CreatePersistentVaultCoreDependenciesOptions, PersistentVaultAuditLog, PersistentVaultCapabilityRegistry, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, type SignatureAgentProofVerifierOptions, SignatureAgentProofVerifier, SystemClock, type AgentCapability, type AgentIdentityRecord, type AgentProof, type OwnerAuditRequest, type OwnerExportSecretRequest, type OwnerRegisterCapabilityCommand, type OwnerRegisterAgentIdentityCommand, type OwnerRegisterCustomHttpFlowCommand, type OwnerSecretExport, type OwnerIdentityRecord, type CustomHttpFlowDefinition, type OwnerProof, type AuditEntry, type AuditLog, type AuditQuery, type Clock, type DispatchAuthorization, type DispatchInstruction, type DispatchRequest, type DispatchResult, type IdGenerator, type OwnerIdentityRegistry, type OwnerProofVerifier, type PolicyEngine, type RateLimitStore, type ReplayGuard, type CustomHttpFlowRegistry, type SecretAlias, type SecretCustody, type SecretId, type SecretRecord, type SecretRepository, type SecretVersion, type TrustedExecutor, type VaultCore, type VaultCoreDependencies, type VaultPrincipal, type VaultPrincipalKind, type VaultTargetBinding, type VaultWriteSecretCommand, type VaultId, type AgentIdentityRegistry, type AgentProofVerifier, type CapabilityRevocationRegistry, type CapabilityRegistry, } from "../vault-core/index.js";
 export { createOwnerClient, type OwnerClient, type OwnerIdentity, type OwnerSigner, type OwnerAuditQueryInput, type OwnerExportSecretInput, type OwnerRegisterCapabilityInput, type OwnerRegisterCustomHttpFlowInput, type OwnerRegisterAgentIdentityInput, type OwnerSecretTargetBinding, type OwnerWriteSecretInput, } from "../clients/owner/index.js";
 export { createAgentClient, type AgentClient, type AgentIdentity, type AgentCapabilityEnvelope, type AgentDispatchIntent, type AgentDispatchTransport, type AgentSigner, } from "../clients/agent/index.js";

package/dist/runtime/index.js

@@ -6,8 +6,8 @@ export { IdentityError, IdentityErrorCode } from "../errors.js";
 export { derivePublicKey, LocalSigner } from "../protocol/crypto.js";
 export { FsStorageProvider } from "../storage/fs.js";
 export { MemoryStorageProvider } from "../storage/memory.js";
-export { createIdentity, } from "./identity.js";
-export { createOwnedVault, recoverVault, } from "./bootstrap.js";
+export { createIdentity, restoreIdentity, } from "./identity.js";
+export { createVault, recoverVault, } from "./bootstrap.js";
 export { createVaultCore, DefaultVaultCore, VaultCoreError, createDefaultVaultCoreDependencies, DefaultPolicyEngine, createPersistentVaultCoreDependencies, initializeVaultCustody, recoverVaultWorkingKey, DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY, PersistentVaultAuditLog, PersistentVaultCapabilityRegistry, PersistentVaultCapabilityRevocationRegistry, PersistentVaultCustomHttpFlowRegistry, PersistentVaultRateLimitStore, PersistentVaultReplayGuard, PersistentVaultSecretCustody, PersistentVaultSecretRepository, HttpDispatchExecutor, InMemoryAgentIdentityRegistry, InMemoryCapabilityRegistry, InMemoryCapabilityRevocationRegistry, InMemoryCustomHttpFlowRegistry, InMemoryRateLimitStore, InMemoryReplayGuard, InMemoryAuditLog, InMemoryOwnerIdentityRegistry, InMemorySecretCustody, InMemorySecretRepository, RandomIdGenerator, SignatureOwnerProofVerifier, SignatureAgentProofVerifier, SystemClock, } from "../vault-core/index.js";
 export { createOwnerClient, } from "../clients/owner/index.js";
 export { createAgentClient, } from "../clients/agent/index.js";

package/dist/runtime/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAErE,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EACL,cAAc,GAEf,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,gBAAgB,EAChB,YAAY,GAKb,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,kCAAkC,EAGlC,mBAAmB,EACnB,qCAAqC,EACrC,sBAAsB,EACtB,sBAAsB,EACtB,kCAAkC,EAIlC,uBAAuB,EACvB,iCAAiC,EACjC,2CAA2C,EAC3C,qCAAqC,EACrC,6BAA6B,EAC7B,0BAA0B,EAC1B,4BAA4B,EAC5B,+BAA+B,EAC/B,oBAAoB,EACpB,6BAA6B,EAC7B,0BAA0B,EAC1B,oCAAoC,EACpC,8BAA8B,EAC9B,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,6BAA6B,EAC7B,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,EACjB,2BAA2B,EAE3B,2BAA2B,EAC3B,WAAW,GA8CZ,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,iBAAiB,GAWlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,iBAAiB,GAOlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,kBAAkB,EAClB,2BAA2B,EAC3B,2BAA2B,EAC3B,6BAA6B,EAC7B,8BAA8B,EAC9B,uBAAuB,GAWxB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,mBAAmB,GACpB,MAAM,8BAA8B,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/runtime/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,aAAa,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AAChE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAC;AAErE,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,sBAAsB,CAAC;AAC7D,OAAO,EACL,cAAc,EACd,eAAe,GAIhB,MAAM,eAAe,CAAC;AACvB,OAAO,EACL,WAAW,EACX,YAAY,GAKb,MAAM,gBAAgB,CAAC;AAExB,OAAO,EACL,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,kCAAkC,EAGlC,mBAAmB,EACnB,qCAAqC,EACrC,sBAAsB,EACtB,sBAAsB,EACtB,kCAAkC,EAIlC,uBAAuB,EACvB,iCAAiC,EACjC,2CAA2C,EAC3C,qCAAqC,EACrC,6BAA6B,EAC7B,0BAA0B,EAC1B,4BAA4B,EAC5B,+BAA+B,EAC/B,oBAAoB,EACpB,6BAA6B,EAC7B,0BAA0B,EAC1B,oCAAoC,EACpC,8BAA8B,EAC9B,sBAAsB,EACtB,mBAAmB,EACnB,gBAAgB,EAChB,6BAA6B,EAC7B,qBAAqB,EACrB,wBAAwB,EACxB,iBAAiB,EACjB,2BAA2B,EAE3B,2BAA2B,EAC3B,WAAW,GA8CZ,MAAM,wBAAwB,CAAC;AAEhC,OAAO,EACL,iBAAiB,GAWlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,iBAAiB,GAOlB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,kBAAkB,EAClB,2BAA2B,EAC3B,2BAA2B,EAC3B,6BAA6B,EAC7B,8BAA8B,EAC9B,uBAAuB,GAWxB,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EACL,mBAAmB,GACpB,MAAM,8BAA8B,CAAC"}

package/docs/ARCHITECTURE.md

@@ -9,7 +9,7 @@ Related design note:
 
 Recommended persistent-vault lifecycle:
 
-- create through `createOwnedVault(...)`
+- create through `createVault(...)`
 - recover through `recoverVault(...)`
 
 ## Identity And Roles

package/docs/CUSTODY_MODEL.md

@@ -144,7 +144,7 @@ Future hardening such as MFA/TOTP may be added on top of this model, but it does
 
 The runtime now includes:
 
-1. formal owned-vault creation through `createOwnedVault(...)`
+1. formal vault creation through `createVault(...)`
 2. formal recovery-key based re-entry through `recoverVault(...)`
 3. explicit `vaultWorkingKey` terminology in the persistent dependency surface
 4. continued support for explicit owner export through `exportSecret(...)`

package/docs/IDENTITY_MODEL.md

@@ -74,6 +74,10 @@ Examples:
 
 These should be treated as labels, aliases, or local names rather than the deepest identity truth.
 
+The runtime now exposes this concept directly as optional `nickname` on `createIdentity(...)`.
+
+For existing private keys, the runtime exposes `restoreIdentity(...)`, which reconstructs the same identity shape from the private key alone.
+
 In other words:
 
 - public key or a stable derived id answers "who is this cryptographically"

package/docs/REFERENCE.md

@@ -18,7 +18,8 @@ The main constructors are:
 - `createVaultCore(...)`
 - `createVaultService(...)`
 - `createIdentity(...)`
-- `createOwnedVault(...)`
+- `restoreIdentity(...)`
+- `createVault(...)`
 - `recoverVault(...)`
 - `createOwnerClient(...)`
 - `createAgentClient(...)`
@@ -30,7 +31,7 @@ Related design note:
 
 Recommended persistent-vault entrypoints:
 
-- `createOwnedVault(...)`
+- `createVault(...)`
 - `recoverVault(...)`
 
 Lower-level custody helpers:
@@ -54,6 +55,19 @@ Role rules:
 - identities are independent; there is no built-in lineage or inheritance between identities
 - the same identity may be `owner` in one vault and `agent` in another
 
+## Identity Creation
+
+`createIdentity(...)` returns:
+
+- `identityId`
+- `publicKey`
+- `privateKey`
+- optional `nickname`
+
+`nickname` is human-readable only. It does not affect the derived `identityId`, cryptographic verification, or vault-local role binding.
+
+`restoreIdentity(privateKey)` returns the same shape for an existing private key.
+
 ## Secret-Flow Model
 
 The current HTTP-facing API supports two explicit secret-flow classes:

package/docs/es/README.md

@@ -20,7 +20,7 @@ npm install @the-ai-company/cbio-node-runtime
 import {
   createVaultService,
   createIdentity,
-  createOwnedVault,
+  createVault,
   recoverVault,
   LocalVaultTransport,
   createOwnerClient,
@@ -38,7 +38,7 @@ import {
 
 Ruta principal recomendada para vault persistente:
 
-- crear el vault persistente con `createOwnedVault(...)`
+- crear el vault persistente con `createVault(...)`
 - recuperar el vault persistente con `recoverVault(...)` usando la recovery key
 
 La API antigua centrada en `CbioIdentity` ya no es la superficie principal del producto.

package/docs/fr/README.md

@@ -20,7 +20,7 @@ npm install @the-ai-company/cbio-node-runtime
 import {
   createVaultService,
   createIdentity,
-  createOwnedVault,
+  createVault,
   recoverVault,
   LocalVaultTransport,
   createOwnerClient,
@@ -38,7 +38,7 @@ import {
 
 Chemin principal recommande pour un vault persistant :
 
-- creer le vault persistant avec `createOwnedVault(...)`
+- creer le vault persistant avec `createVault(...)`
 - restaurer le vault persistant avec `recoverVault(...)` via la recovery key
 
 L'ancienne API centree sur `CbioIdentity` n'est plus la surface principale du produit.

package/docs/ja/README.md

@@ -20,7 +20,7 @@ npm install @the-ai-company/cbio-node-runtime
 import {
   createVaultService,
   createIdentity,
-  createOwnedVault,
+  createVault,
   recoverVault,
   LocalVaultTransport,
   createOwnerClient,
@@ -38,7 +38,7 @@ import {
 
 推奨される persistent-vault の主経路:
 
-- `createOwnedVault(...)` で persistent vault を作成する
+- `createVault(...)` で persistent vault を作成する
 - `recoverVault(...)` で recovery key を使って persistent vault を復旧する
 
 旧 `CbioIdentity` 中心 API は、もはや主要な公開面ではありません。

package/docs/ko/README.md

@@ -20,7 +20,7 @@ npm install @the-ai-company/cbio-node-runtime
 import {
   createVaultService,
   createIdentity,
-  createOwnedVault,
+  createVault,
   recoverVault,
   LocalVaultTransport,
   createOwnerClient,
@@ -38,7 +38,7 @@ import {
 
 권장되는 persistent-vault 주 경로:
 
-- `createOwnedVault(...)` 로 persistent vault 를 생성합니다
+- `createVault(...)` 로 persistent vault 를 생성합니다
 - `recoverVault(...)` 로 recovery key 를 사용해 persistent vault 를 복구합니다
 
 이전 `CbioIdentity` 중심 API 는 더 이상 주요 제품 표면이 아닙니다.

package/docs/pt/README.md

@@ -20,7 +20,7 @@ npm install @the-ai-company/cbio-node-runtime
 import {
   createVaultService,
   createIdentity,
-  createOwnedVault,
+  createVault,
   recoverVault,
   LocalVaultTransport,
   createOwnerClient,
@@ -38,7 +38,7 @@ import {
 
 Caminho principal recomendado para vault persistente:
 
-- criar o vault persistente com `createOwnedVault(...)`
+- criar o vault persistente com `createVault(...)`
 - recuperar o vault persistente com `recoverVault(...)` usando a recovery key
 
 A antiga API centrada em `CbioIdentity` nao e mais a superficie principal do produto.

package/docs/zh/README.md

@@ -20,7 +20,7 @@ npm install @the-ai-company/cbio-node-runtime
 import {
   createVaultService,
   createIdentity,
-  createOwnedVault,
+  createVault,
   recoverVault,
   LocalVaultTransport,
   createOwnerClient,
@@ -38,7 +38,7 @@ import {
 
 推荐的持久化主路径：
 
-- 通过 `createOwnedVault(...)` 创建持久化 vault
+- 通过 `createVault(...)` 创建持久化 vault
 - 通过 `recoverVault(...)` 用 recovery key 恢复持久化 vault
 
 ## 构建

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@the-ai-company/cbio-node-runtime",
-  "version": "1.5.0",
+  "version": "1.7.0",
   "description": "Node.js runtime for cbio identity and credential vault. Library only, no CLI or TUI.",
   "type": "module",
   "main": "./dist/runtime/index.js",