@the-ai-company/cbio-node-runtime 1.55.1 → 1.57.0

package/dist/runtime/owner-session.js

@@ -0,0 +1,89 @@
+import { createVaultClient } from "../clients/owner/client.js";
+import { FsStorageProvider } from "../storage/fs.js";
+import { recoverVault } from "./bootstrap.js";
+import { createWorkspaceStorage } from "./workspace-storage.js";
+class DefaultOwnerSession {
+    storage;
+    _options;
+    _invalidated = false;
+    _cachedVaultPromise;
+    _nickname;
+    constructor(storage, _options) {
+        this.storage = storage;
+        this._options = _options;
+    }
+    get vaultId() {
+        return this._options.vaultId;
+    }
+    get nickname() {
+        return this._nickname;
+    }
+    isValid() {
+        return !this._invalidated;
+    }
+    invalidate() {
+        this._invalidated = true;
+        this._cachedVaultPromise = undefined;
+    }
+    async refresh() {
+        this._assertValid();
+        this._cachedVaultPromise = undefined;
+        return this.vault();
+    }
+    async vault() {
+        this._assertValid();
+        if (!this._cachedVaultPromise) {
+            this._cachedVaultPromise = recoverVault(this.storage, this._options).then((vault) => {
+                this._nickname = vault.nickname;
+                return vault;
+            });
+        }
+        return this._cachedVaultPromise;
+    }
+    async client() {
+        const vault = await this.vault();
+        this._assertValid();
+        return this._createClient(vault);
+    }
+    async withClient(callback) {
+        const vault = await this.vault();
+        this._assertValid();
+        return callback(this._createClient(vault), vault);
+    }
+    _assertValid() {
+        if (this._invalidated) {
+            throw new Error(`OwnerSession for vault '${this._options.vaultId}' has been invalidated`);
+        }
+    }
+    _createClient(vault) {
+        const clientOptions = {
+            vault: vault.vault,
+            ownerIdentity: this._options.ownerIdentity,
+            signer: this._options.signer,
+            clock: this._options.clock,
+            skipWarmup: this._options.skipWarmup,
+            passwordVerifier: vault.verifyPassword,
+            sensitiveActionVerifier: this._options.sensitiveActionVerifier,
+        };
+        return createVaultClient(clientOptions);
+    }
+}
+function resolveOwnerSessionStorage(storageOrOptions, maybeOptions) {
+    if (maybeOptions) {
+        return {
+            storage: typeof storageOrOptions === "string"
+                ? new FsStorageProvider(storageOrOptions)
+                : storageOrOptions,
+            options: maybeOptions,
+        };
+    }
+    return {
+        storage: createWorkspaceStorage(),
+        options: storageOrOptions,
+    };
+}
+export function createOwnerSession(storageOrOptions, maybeOptions) {
+    const { storage, options } = resolveOwnerSessionStorage(storageOrOptions, maybeOptions);
+    return new DefaultOwnerSession(storage, options);
+}
+//# sourceMappingURL=owner-session.js.map

package/dist/runtime/owner-session.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"owner-session.js","sourceRoot":"","sources":["../../src/runtime/owner-session.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAGrD,OAAO,EAAE,YAAY,EAAiD,MAAM,gBAAgB,CAAC;AAC7F,OAAO,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAC;AAyBhE,MAAM,mBAAmB;IAMZ;IACQ;IANX,YAAY,GAAG,KAAK,CAAC;IACrB,mBAAmB,CAAsC;IACzD,SAAS,CAAqB;IAEtC,YACW,OAAyB,EACjB,QAAmC;QAD3C,YAAO,GAAP,OAAO,CAAkB;QACjB,aAAQ,GAAR,QAAQ,CAA2B;IACnD,CAAC;IAEJ,IAAI,OAAO;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;IAC/B,CAAC;IAED,IAAI,QAAQ;QACV,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED,OAAO;QACL,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC;IAC5B,CAAC;IAED,UAAU;QACR,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QACzB,IAAI,CAAC,mBAAmB,GAAG,SAAS,CAAC;IACvC,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,CAAC,YAAY,EAAE,CAAC;QACpB,IAAI,CAAC,mBAAmB,GAAG,SAAS,CAAC;QACrC,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,CAAC,YAAY,EAAE,CAAC;QACpB,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC;YAC9B,IAAI,CAAC,mBAAmB,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE;gBAClF,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC,QAAQ,CAAC;gBAChC,OAAO,KAAK,CAAC;YACf,CAAC,CAAC,CAAC;QACL,CAAC;QACD,OAAO,IAAI,CAAC,mBAAmB,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,MAAM;QACV,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;QACjC,IAAI,CAAC,YAAY,EAAE,CAAC;QACpB,OAAO,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;IAED,KAAK,CAAC,UAAU,CAAI,QAAwE;QAC1F,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;QACjC,IAAI,CAAC,YAAY,EAAE,CAAC;QACpB,OAAO,QAAQ,CAAC,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,EAAE,KAAK,CAAC,CAAC;IACpD,CAAC;IAEO,YAAY;QAClB,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,2BAA2B,IAAI,CAAC,QAAQ,CAAC,OAAO,wBAAwB,CAAC,CAAC;QAC5F,CAAC;IACH,CAAC;IAEO,aAAa,CAAC,KAAqB;QACzC,MAAM,aAAa,GAA6B;YAC9C,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,aAAa,EAAE,IAAI,CAAC,QAAQ,CAAC,aAAa;YAC1C,MAAM,EAAE,IAAI,CAAC,QAAQ,CAAC,MAAM;YAC5B,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,KAAK;YAC1B,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,UAAU;YACpC,gBAAgB,EAAE,KAAK,CAAC,cAAc;YACtC,uBAAuB,EAAE,IAAI,CAAC,QAAQ,CAAC,uBAAuB;SAC/D,CAAC;QACF,OAAO,iBAAiB,CAAC,aAAa,CAAC,CAAC;IAC1C,CAAC;CACF;AAED,SAAS,0BAA0B,CACjC,gBAAuE,EACvE,YAAwC;IAExC,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO;YACL,OAAO,EAAE,OAAO,gBAAgB,KAAK,QAAQ;gBAC3C,CAAC,CAAC,IAAI,iBAAiB,CAAC,gBAAgB,CAAC;gBACzC,CAAC,CAAC,gBAAoC;YACxC,OAAO,EAAE,YAAY;SACtB,CAAC;IACJ,CAAC;IACD,OAAO;QACL,OAAO,EAAE,sBAAsB,EAAE;QACjC,OAAO,EAAE,gBAA6C;KACvD,CAAC;AACJ,CAAC;AAOD,MAAM,UAAU,kBAAkB,CAChC,gBAAuE,EACvE,YAAwC;IAExC,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,0BAA0B,CAAC,gBAAgB,EAAE,YAAY,CAAC,CAAC;IACxF,OAAO,IAAI,mBAAmB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;AACnD,CAAC"}

package/dist/vault-core/contracts.d.ts

@@ -209,12 +209,53 @@ export interface AgentGetRuntimeManifestCommand {
     };
     requestedAt: string;
 }
+export interface AgentSelfContext {
+    agentId: string;
+    identityId: string;
+    publicKey: string;
+    nickname?: string;
+    metadata?: Record<string, any>;
+}
+export type AgentCapabilityStateStatus = "GRANTED" | "PENDING" | "REJECTED";
+export type AgentCapabilityStateSource = "owner_grant" | "explicit_request" | "dispatch_discovery";
+export interface AgentCapabilityState {
+    status: AgentCapabilityStateStatus;
+    source: AgentCapabilityStateSource;
+    agentId: string;
+    requestId?: string;
+    capabilityId?: string;
+    operation: "dispatch_http" | "custom_http";
+    secretIds?: readonly string[];
+    secretAliases?: readonly string[];
+    customFlowId?: string;
+    scope: string;
+    methods: readonly string[];
+    issuedAt?: string;
+    requestedAt: string;
+    expiresAt?: string;
+    rateLimit?: {
+        maxRequests: number;
+        windowMs: number;
+    };
+    skipAudit?: boolean;
+    justification?: string;
+    secretAlias?: string;
+    targetUrl?: string;
+}
+export interface CapabilityStateRecord extends AgentCapabilityState {
+    vaultId: VaultId;
+    proof?: AgentProof;
+    headers?: Record<string, string>;
+    body?: string;
+    decidedAt?: string;
+}
 export interface AgentRuntimeManifest {
     agentId: string;
     vaultId: string;
     vaultNickname?: string;
     issuedAt: string;
-    capabilities: readonly AgentCapability[];
+    agent: AgentSelfContext;
+    capabilities: readonly AgentCapabilityState[];
     tools: readonly VaultToolDefinition[];
 }
 export interface VaultToolDefinition {
@@ -251,30 +292,6 @@ export interface AgentSubmitCapabilityRequestCommand {
     scope: CapabilityRequestScope;
     justification?: string;
 }
-export interface PendingDispatchRecord {
-    requestId: string;
-    agentId: string;
-    capabilityId?: string;
-    secretAlias: string;
-    targetUrl: string;
-    method: string;
-    headers?: Record<string, string>;
-    body?: string;
-    requestedAt: string;
-    proof: AgentProof;
-}
-export interface OwnerApproveDispatchCommand {
-    vaultId: VaultId;
-    requestId: string;
-    owner: VaultPrincipal;
-    permanent?: boolean;
-    skipAudit?: boolean;
-}
-export interface OwnerRejectDispatchCommand {
-    vaultId: VaultId;
-    requestId: string;
-    owner: VaultPrincipal;
-}
 export interface CapabilityRequestScope {
     operation: "dispatch_http" | "custom_http";
     secretAliases?: readonly string[];
@@ -296,22 +313,18 @@ export interface SubmitCapabilityRequestCommand {
     justification?: string;
     requestedAt: string;
 }
-export interface PendingCapabilityRequestRecord {
+export interface OwnerListCapabilityStatesRequest {
     vaultId: VaultId;
-    requestId: string;
-    requester: VaultPrincipal;
-    agentId: string;
-    scope: CapabilityRequestScope;
-    justification?: string;
-    requestedAt: string;
+    owner: VaultPrincipal;
+    agentId?: string;
+    status?: AgentCapabilityStateStatus;
 }
-export interface OwnerApproveCapabilityRequestCommand {
+export interface OwnerExecuteCapabilityStateCommand {
     vaultId: VaultId;
     requestId: string;
     owner: VaultPrincipal;
-    capabilityId?: string;
 }
-export interface OwnerRejectCapabilityRequestCommand {
+export interface OwnerRejectCapabilityStateCommand {
     vaultId: VaultId;
     requestId: string;
     owner: VaultPrincipal;

package/dist/vault-core/contracts.js.map

@@ -1 +1 @@
-{"version":3,"file":"contracts.js","sourceRoot":"","sources":["../../src/vault-core/contracts.ts"],"names":[],"mappings":"AAiXA,MAAM,CAAN,IAAY,cAMX;AAND,WAAY,cAAc;IACxB,yCAAuB,CAAA;IACvB,mCAAiB,CAAA;IACjB,mCAAiB,CAAA;IACjB,qCAAmB,CAAA;IACnB,qCAAmB,CAAA;AACrB,CAAC,EANW,cAAc,KAAd,cAAc,QAMzB;AAoBD,MAAM,CAAN,IAAY,WAwBX;AAxBD,WAAY,WAAW;IACrB,kEAAmD,CAAA;IACnD,8DAA+C,CAAA;IAC/C,4DAA6C,CAAA;IAC7C,0DAA2C,CAAA;IAC3C,sEAAuD,CAAA;IACvD,wEAAyD,CAAA;IACzD,sEAAuD,CAAA;IACvD,sDAAuC,CAAA;IACvC,4CAA6B,CAAA;IAC7B,8DAA+C,CAAA;IAC/C,8CAA+B,CAAA;IAC/B,gDAAiC,CAAA;IACjC,8CAA+B,CAAA;IAC/B,wDAAyC,CAAA;IACzC,kDAAmC,CAAA;IACnC,0CAA2B,CAAA;IAC3B,sDAAuC,CAAA;IACvC,wCAAyB,CAAA;IACzB,0DAA2C,CAAA;IAC3C,4DAA6C,CAAA;IAC7C,oDAAqC,CAAA;IACrC,kDAAmC,CAAA;IACnC,gDAAiC,CAAA;AACnC,CAAC,EAxBW,WAAW,KAAX,WAAW,QAwBtB;AAED,MAAM,CAAN,IAAY,YAMX;AAND,WAAY,YAAY;IACtB,mCAAmB,CAAA;IACnB,iCAAiB,CAAA;IACjB,uCAAuB,CAAA;IACvB,iCAAiB,CAAA;IACjB,mCAAmB,CAAA;AACrB,CAAC,EANW,YAAY,KAAZ,YAAY,QAMvB"}
+{"version":3,"file":"contracts.js","sourceRoot":"","sources":["../../src/vault-core/contracts.ts"],"names":[],"mappings":"AA+XA,MAAM,CAAN,IAAY,cAMX;AAND,WAAY,cAAc;IACxB,yCAAuB,CAAA;IACvB,mCAAiB,CAAA;IACjB,mCAAiB,CAAA;IACjB,qCAAmB,CAAA;IACnB,qCAAmB,CAAA;AACrB,CAAC,EANW,cAAc,KAAd,cAAc,QAMzB;AAoBD,MAAM,CAAN,IAAY,WAwBX;AAxBD,WAAY,WAAW;IACrB,kEAAmD,CAAA;IACnD,8DAA+C,CAAA;IAC/C,4DAA6C,CAAA;IAC7C,0DAA2C,CAAA;IAC3C,sEAAuD,CAAA;IACvD,wEAAyD,CAAA;IACzD,sEAAuD,CAAA;IACvD,sDAAuC,CAAA;IACvC,4CAA6B,CAAA;IAC7B,8DAA+C,CAAA;IAC/C,8CAA+B,CAAA;IAC/B,gDAAiC,CAAA;IACjC,8CAA+B,CAAA;IAC/B,wDAAyC,CAAA;IACzC,kDAAmC,CAAA;IACnC,0CAA2B,CAAA;IAC3B,sDAAuC,CAAA;IACvC,wCAAyB,CAAA;IACzB,0DAA2C,CAAA;IAC3C,4DAA6C,CAAA;IAC7C,oDAAqC,CAAA;IACrC,kDAAmC,CAAA;IACnC,gDAAiC,CAAA;AACnC,CAAC,EAxBW,WAAW,KAAX,WAAW,QAwBtB;AAED,MAAM,CAAN,IAAY,YAMX;AAND,WAAY,YAAY;IACtB,mCAAmB,CAAA;IACnB,iCAAiB,CAAA;IACjB,uCAAuB,CAAA;IACvB,iCAAiB,CAAA;IACjB,mCAAmB,CAAA;AACrB,CAAC,EANW,YAAY,KAAZ,YAAY,QAMvB"}

package/dist/vault-core/core.d.ts

@@ -1,4 +1,4 @@
-import type { AgentListCapabilitiesRequest, AgentListSecretsRequest, AgentGetRuntimeManifestCommand, AgentRuntimeManifest, AgentSubmitCapabilityRequestCommand, AgentVisibleSecretRecord, AuditEntry, AuditQuery, CustomHttpFlowDefinition, DispatchAuthorization, DispatchRequest, DispatchResult, OwnerApproveCapabilityRequestCommand, OwnerDefineSecretTargetsCommand, OwnerIssueSessionTokenRequest, OwnerRejectCapabilityRequestCommand, OwnerDeleteSecretCommand, OwnerExportSecretRequest, OwnerRegisterAgentIdentityCommand, OwnerUpdateAgentIdentityCommand, OwnerRegisterCapabilityCommand, OwnerRegisterCustomHttpFlowCommand, OwnerRevokeCapabilityCommand, OwnerListAgentsRequest, OwnerListCapabilitiesRequest, OwnerSecretExport, OwnerSessionToken, PendingCapabilityRequestRecord, SecretRecord, SubmitCapabilityRequestCommand, VaultId, VaultPrincipal, VaultWriteSecretCommand, AgentIdentityRecord, AgentCapability } from "./contracts.js";
+import type { AgentListCapabilitiesRequest, AgentListSecretsRequest, AgentGetRuntimeManifestRequest, AgentRuntimeManifest, AgentSubmitCapabilityRequestCommand, AgentVisibleSecretRecord, AuditEntry, AuditQuery, CustomHttpFlowDefinition, DispatchAuthorization, DispatchRequest, DispatchResult, OwnerExecuteCapabilityStateCommand, OwnerDefineSecretTargetsCommand, OwnerIssueSessionTokenRequest, OwnerRejectCapabilityStateCommand, OwnerDeleteSecretCommand, OwnerExportSecretRequest, OwnerRegisterAgentIdentityCommand, OwnerUpdateAgentIdentityCommand, OwnerRegisterCapabilityCommand, OwnerRegisterCustomHttpFlowCommand, OwnerRevokeCapabilityCommand, OwnerListAgentsRequest, OwnerListCapabilitiesRequest, OwnerListCapabilityStatesRequest, OwnerSecretExport, OwnerSessionToken, SecretRecord, SubmitCapabilityRequestCommand, VaultId, VaultPrincipal, VaultWriteSecretCommand, AgentIdentityRecord, AgentCapability, CapabilityStateRecord } from "./contracts.js";
 import type { VaultCoreDependencies } from "./ports.js";
 /**
  * The Sovereign Vault Core.
@@ -6,20 +6,23 @@ import type { VaultCoreDependencies } from "./ports.js";
  */
 export declare class VaultCore {
     private readonly _deps;
-    private readonly _pendingObservers;
-    private readonly _pendingCapabilityObservers;
+    private readonly _capabilityStateObservers;
     constructor(_deps: VaultCoreDependencies);
+    private _assertOwnerPrincipal;
+    private _stateToGrantedCapability;
+    private _buildAgentCapabilityStates;
+    private _isExecutablePendingState;
+    private _executePendingCapabilityState;
     get vaultId(): VaultId;
     private _appendAudit;
     private _appendDecisionAudit;
     private _verifyAgentControlProof;
     private _listVisibleSecretsForAgent;
-    ownerOnPendingDispatch(callback: (record: import("./contracts.js").PendingDispatchRecord) => void): () => void;
-    ownerOnPendingCapabilityRequest(callback: (record: PendingCapabilityRequestRecord) => void): () => void;
+    ownerOnCapabilityState(callback: (record: CapabilityStateRecord) => void): () => void;
     ownerRegisterAgentIdentity(command: OwnerRegisterAgentIdentityCommand): Promise<void>;
     ownerUpdateAgentIdentity(command: OwnerUpdateAgentIdentityCommand): Promise<AgentIdentityRecord>;
     ownerRegisterCapability(command: OwnerRegisterCapabilityCommand): Promise<void>;
-    ownerSubmitCapabilityRequest(command: SubmitCapabilityRequestCommand): Promise<PendingCapabilityRequestRecord>;
+    ownerSubmitCapabilityRequest(command: SubmitCapabilityRequestCommand): Promise<CapabilityStateRecord>;
     _getCapability(vaultId: import("./contracts.js").VaultId, agentId: string, capabilityId: string): Promise<AgentCapability | null>;
     ownerRegisterCustomFlow(command: OwnerRegisterCustomHttpFlowCommand): Promise<void>;
     _storeCustomFlowSecret(flow: CustomHttpFlowDefinition, alias: string, plaintext: string): Promise<SecretRecord>;
@@ -46,10 +49,10 @@ export declare class VaultCore {
     }, request?: {
         requestId?: string;
     }): Promise<readonly AgentVisibleSecretRecord[]>;
-    agentListCapabilities(request: AgentListCapabilitiesRequest): Promise<readonly AgentCapability[]>;
+    agentListCapabilities(request: AgentListCapabilitiesRequest): Promise<readonly import("./contracts.js").AgentCapabilityState[]>;
     agentListSecrets(request: AgentListSecretsRequest): Promise<readonly AgentVisibleSecretRecord[]>;
-    agentGetRuntimeManifest(command: AgentGetRuntimeManifestCommand): Promise<AgentRuntimeManifest>;
-    agentSubmitCapabilityRequest(command: AgentSubmitCapabilityRequestCommand): Promise<PendingCapabilityRequestRecord>;
+    agentGetRuntimeManifest(command: AgentGetRuntimeManifestRequest): Promise<AgentRuntimeManifest>;
+    agentSubmitCapabilityRequest(command: AgentSubmitCapabilityRequestCommand): Promise<CapabilityStateRecord>;
     ownerRevokeCapability(command: OwnerRevokeCapabilityCommand): Promise<void>;
     ownerIssueSessionToken(request: OwnerIssueSessionTokenRequest): Promise<OwnerSessionToken>;
     ownerIssueAllAgentSessionTokens(actor: VaultPrincipal & {
@@ -62,17 +65,9 @@ export declare class VaultCore {
         };
         token: string;
     }): Promise<void>;
-    ownerListPendingDispatches(command: {
-        vaultId: VaultId;
-        owner: VaultPrincipal;
-    }): Promise<readonly import("./contracts.js").PendingDispatchRecord[]>;
-    ownerListPendingCapabilityRequests(command: {
-        vaultId: VaultId;
-        owner: VaultPrincipal;
-    }): Promise<readonly PendingCapabilityRequestRecord[]>;
-    ownerApproveCapabilityRequest(command: OwnerApproveCapabilityRequestCommand): Promise<AgentCapability>;
-    ownerRejectCapabilityRequest(command: OwnerRejectCapabilityRequestCommand): Promise<void>;
-    ownerApproveDispatch(command: import("./contracts.js").OwnerApproveDispatchCommand): Promise<DispatchResult>;
-    ownerRejectDispatch(command: import("./contracts.js").OwnerRejectDispatchCommand): Promise<void>;
+    ownerListCapabilityStates(command: OwnerListCapabilityStatesRequest): Promise<readonly CapabilityStateRecord[]>;
+    ownerExecuteCapabilityStateOnce(command: OwnerExecuteCapabilityStateCommand): Promise<DispatchResult>;
+    ownerExecuteCapabilityStateAndGrant(command: OwnerExecuteCapabilityStateCommand): Promise<DispatchResult>;
+    ownerRejectCapabilityState(command: OwnerRejectCapabilityStateCommand): Promise<CapabilityStateRecord>;
 }
 export declare function createVaultCore(deps: VaultCoreDependencies): VaultCore;