@the-ai-company/cbio-node-runtime 1.56.0 → 1.58.0

package/dist/vault-core/contracts.d.ts

@@ -21,17 +21,20 @@ export interface SecretRecord {
     alias: SecretAlias;
     version: SecretVersion;
     issuerId: string | null;
-    targetBindings: VaultTargetBinding[];
+    source: SecretSource;
     createdAt: string;
     updatedAt: string;
     retiredAt?: string;
 }
-export interface VaultTargetBinding {
-    kind: "owner" | "site";
-    targetId: string;
-    targetUrl?: string;
-    methods?: readonly string[];
-    paths?: readonly string[];
+export type SecretSource = {
+    kind: "manual";
+} | {
+    kind: "request";
+    requestId: string;
+};
+export interface SecretSourceInput {
+    kind: "manual" | "request";
+    requestId?: string;
 }
 export interface OwnerWriteSecretCommand {
     kind: "owner.write_secret";
@@ -42,17 +45,7 @@ export interface OwnerWriteSecretCommand {
     };
     alias: string;
     plaintext: string;
-    targetBindings?: readonly VaultTargetBinding[];
-    requestedAt: string;
-}
-export interface OwnerDefineSecretTargetsCommand {
-    vaultId: VaultId;
-    requestId: string;
-    owner: VaultPrincipal & {
-        kind: "owner";
-    };
-    alias: string;
-    targetBindings: readonly VaultTargetBinding[];
+    source?: SecretSourceInput;
     requestedAt: string;
 }
 export interface IssuerWriteSecretCommand {
@@ -64,7 +57,7 @@ export interface IssuerWriteSecretCommand {
     alias: string;
     plaintext: string;
     issuerSiteId: string;
-    targetBindings?: readonly VaultTargetBinding[];
+    source?: SecretSourceInput;
     requestedAt: string;
 }
 export interface OwnerDeleteSecretCommand {
@@ -182,7 +175,7 @@ export interface AgentVisibleSecretRecord {
     secretId: SecretId;
     alias: SecretAlias;
     issuerId: string | null;
-    targetBindings: VaultTargetBinding[];
+    source: SecretSource;
     createdAt: string;
     updatedAt: string;
     isAuthorizedForAgent?: boolean;
@@ -209,12 +202,53 @@ export interface AgentGetRuntimeManifestCommand {
     };
     requestedAt: string;
 }
+export interface AgentSelfContext {
+    agentId: string;
+    identityId: string;
+    publicKey: string;
+    nickname?: string;
+    metadata?: Record<string, any>;
+}
+export type AgentCapabilityStateStatus = "GRANTED" | "PENDING" | "REJECTED";
+export type AgentCapabilityStateSource = "owner_grant" | "explicit_request" | "dispatch_discovery";
+export interface AgentCapabilityState {
+    status: AgentCapabilityStateStatus;
+    source: AgentCapabilityStateSource;
+    agentId: string;
+    requestId?: string;
+    capabilityId?: string;
+    operation: "dispatch_http" | "custom_http";
+    secretIds?: readonly string[];
+    secretAliases?: readonly string[];
+    customFlowId?: string;
+    scope: string;
+    methods: readonly string[];
+    issuedAt?: string;
+    requestedAt: string;
+    expiresAt?: string;
+    rateLimit?: {
+        maxRequests: number;
+        windowMs: number;
+    };
+    skipAudit?: boolean;
+    justification?: string;
+    secretAlias?: string;
+    targetUrl?: string;
+}
+export interface CapabilityStateRecord extends AgentCapabilityState {
+    vaultId: VaultId;
+    proof?: AgentProof;
+    headers?: Record<string, string>;
+    body?: string;
+    decidedAt?: string;
+}
 export interface AgentRuntimeManifest {
     agentId: string;
     vaultId: string;
     vaultNickname?: string;
     issuedAt: string;
-    capabilities: readonly AgentCapability[];
+    agent: AgentSelfContext;
+    capabilities: readonly AgentCapabilityState[];
     tools: readonly VaultToolDefinition[];
 }
 export interface VaultToolDefinition {
@@ -251,30 +285,6 @@ export interface AgentSubmitCapabilityRequestCommand {
     scope: CapabilityRequestScope;
     justification?: string;
 }
-export interface PendingDispatchRecord {
-    requestId: string;
-    agentId: string;
-    capabilityId?: string;
-    secretAlias: string;
-    targetUrl: string;
-    method: string;
-    headers?: Record<string, string>;
-    body?: string;
-    requestedAt: string;
-    proof: AgentProof;
-}
-export interface OwnerApproveDispatchCommand {
-    vaultId: VaultId;
-    requestId: string;
-    owner: VaultPrincipal;
-    permanent?: boolean;
-    skipAudit?: boolean;
-}
-export interface OwnerRejectDispatchCommand {
-    vaultId: VaultId;
-    requestId: string;
-    owner: VaultPrincipal;
-}
 export interface CapabilityRequestScope {
     operation: "dispatch_http" | "custom_http";
     secretAliases?: readonly string[];
@@ -296,22 +306,18 @@ export interface SubmitCapabilityRequestCommand {
     justification?: string;
     requestedAt: string;
 }
-export interface PendingCapabilityRequestRecord {
+export interface OwnerListCapabilityStatesRequest {
     vaultId: VaultId;
-    requestId: string;
-    requester: VaultPrincipal;
-    agentId: string;
-    scope: CapabilityRequestScope;
-    justification?: string;
-    requestedAt: string;
+    owner: VaultPrincipal;
+    agentId?: string;
+    status?: AgentCapabilityStateStatus;
 }
-export interface OwnerApproveCapabilityRequestCommand {
+export interface OwnerExecuteCapabilityStateCommand {
     vaultId: VaultId;
     requestId: string;
     owner: VaultPrincipal;
-    capabilityId?: string;
 }
-export interface OwnerRejectCapabilityRequestCommand {
+export interface OwnerRejectCapabilityStateCommand {
     vaultId: VaultId;
     requestId: string;
     owner: VaultPrincipal;
@@ -337,7 +343,6 @@ export interface DispatchAuthorization {
     decision: DispatchDecision;
     reason: string | null;
     secretId: SecretId | null;
-    executorTarget: VaultTargetBinding | null;
     capability?: AgentCapability;
 }
 export interface DispatchInstruction {
@@ -382,7 +387,6 @@ export declare enum AuditAction {
     REJECT_CAPABILITY_REQUEST = "REJECT_CAPABILITY_REQUEST",
     REVOKE_CAPABILITY = "REVOKE_CAPABILITY",
     WRITE_SECRET = "WRITE_SECRET",
-    DEFINE_SECRET_TARGETS = "DEFINE_SECRET_TARGETS",
     EXPORT_SECRET = "EXPORT_SECRET",
     REASSIGN_ALIAS = "REASSIGN_ALIAS",
     DELETE_SECRET = "DELETE_SECRET",

package/dist/vault-core/contracts.js

@@ -17,7 +17,6 @@ export var AuditAction;
     AuditAction["REJECT_CAPABILITY_REQUEST"] = "REJECT_CAPABILITY_REQUEST";
     AuditAction["REVOKE_CAPABILITY"] = "REVOKE_CAPABILITY";
     AuditAction["WRITE_SECRET"] = "WRITE_SECRET";
-    AuditAction["DEFINE_SECRET_TARGETS"] = "DEFINE_SECRET_TARGETS";
     AuditAction["EXPORT_SECRET"] = "EXPORT_SECRET";
     AuditAction["REASSIGN_ALIAS"] = "REASSIGN_ALIAS";
     AuditAction["DELETE_SECRET"] = "DELETE_SECRET";

package/dist/vault-core/contracts.js.map

@@ -1 +1 @@
-{"version":3,"file":"contracts.js","sourceRoot":"","sources":["../../src/vault-core/contracts.ts"],"names":[],"mappings":"AAiXA,MAAM,CAAN,IAAY,cAMX;AAND,WAAY,cAAc;IACxB,yCAAuB,CAAA;IACvB,mCAAiB,CAAA;IACjB,mCAAiB,CAAA;IACjB,qCAAmB,CAAA;IACnB,qCAAmB,CAAA;AACrB,CAAC,EANW,cAAc,KAAd,cAAc,QAMzB;AAoBD,MAAM,CAAN,IAAY,WAwBX;AAxBD,WAAY,WAAW;IACrB,kEAAmD,CAAA;IACnD,8DAA+C,CAAA;IAC/C,4DAA6C,CAAA;IAC7C,0DAA2C,CAAA;IAC3C,sEAAuD,CAAA;IACvD,wEAAyD,CAAA;IACzD,sEAAuD,CAAA;IACvD,sDAAuC,CAAA;IACvC,4CAA6B,CAAA;IAC7B,8DAA+C,CAAA;IAC/C,8CAA+B,CAAA;IAC/B,gDAAiC,CAAA;IACjC,8CAA+B,CAAA;IAC/B,wDAAyC,CAAA;IACzC,kDAAmC,CAAA;IACnC,0CAA2B,CAAA;IAC3B,sDAAuC,CAAA;IACvC,wCAAyB,CAAA;IACzB,0DAA2C,CAAA;IAC3C,4DAA6C,CAAA;IAC7C,oDAAqC,CAAA;IACrC,kDAAmC,CAAA;IACnC,gDAAiC,CAAA;AACnC,CAAC,EAxBW,WAAW,KAAX,WAAW,QAwBtB;AAED,MAAM,CAAN,IAAY,YAMX;AAND,WAAY,YAAY;IACtB,mCAAmB,CAAA;IACnB,iCAAiB,CAAA;IACjB,uCAAuB,CAAA;IACvB,iCAAiB,CAAA;IACjB,mCAAmB,CAAA;AACrB,CAAC,EANW,YAAY,KAAZ,YAAY,QAMvB"}
+{"version":3,"file":"contracts.js","sourceRoot":"","sources":["../../src/vault-core/contracts.ts"],"names":[],"mappings":"AAyXA,MAAM,CAAN,IAAY,cAMX;AAND,WAAY,cAAc;IACxB,yCAAuB,CAAA;IACvB,mCAAiB,CAAA;IACjB,mCAAiB,CAAA;IACjB,qCAAmB,CAAA;IACnB,qCAAmB,CAAA;AACrB,CAAC,EANW,cAAc,KAAd,cAAc,QAMzB;AAoBD,MAAM,CAAN,IAAY,WAuBX;AAvBD,WAAY,WAAW;IACrB,kEAAmD,CAAA;IACnD,8DAA+C,CAAA;IAC/C,4DAA6C,CAAA;IAC7C,0DAA2C,CAAA;IAC3C,sEAAuD,CAAA;IACvD,wEAAyD,CAAA;IACzD,sEAAuD,CAAA;IACvD,sDAAuC,CAAA;IACvC,4CAA6B,CAAA;IAC7B,8CAA+B,CAAA;IAC/B,gDAAiC,CAAA;IACjC,8CAA+B,CAAA;IAC/B,wDAAyC,CAAA;IACzC,kDAAmC,CAAA;IACnC,0CAA2B,CAAA;IAC3B,sDAAuC,CAAA;IACvC,wCAAyB,CAAA;IACzB,0DAA2C,CAAA;IAC3C,4DAA6C,CAAA;IAC7C,oDAAqC,CAAA;IACrC,kDAAmC,CAAA;IACnC,gDAAiC,CAAA;AACnC,CAAC,EAvBW,WAAW,KAAX,WAAW,QAuBtB;AAED,MAAM,CAAN,IAAY,YAMX;AAND,WAAY,YAAY;IACtB,mCAAmB,CAAA;IACnB,iCAAiB,CAAA;IACjB,uCAAuB,CAAA;IACvB,iCAAiB,CAAA;IACjB,mCAAmB,CAAA;AACrB,CAAC,EANW,YAAY,KAAZ,YAAY,QAMvB"}

package/dist/vault-core/core.d.ts

@@ -1,4 +1,4 @@
-import type { AgentListCapabilitiesRequest, AgentListSecretsRequest, AgentGetRuntimeManifestCommand, AgentRuntimeManifest, AgentSubmitCapabilityRequestCommand, AgentVisibleSecretRecord, AuditEntry, AuditQuery, CustomHttpFlowDefinition, DispatchAuthorization, DispatchRequest, DispatchResult, OwnerApproveCapabilityRequestCommand, OwnerDefineSecretTargetsCommand, OwnerIssueSessionTokenRequest, OwnerRejectCapabilityRequestCommand, OwnerDeleteSecretCommand, OwnerExportSecretRequest, OwnerRegisterAgentIdentityCommand, OwnerUpdateAgentIdentityCommand, OwnerRegisterCapabilityCommand, OwnerRegisterCustomHttpFlowCommand, OwnerRevokeCapabilityCommand, OwnerListAgentsRequest, OwnerListCapabilitiesRequest, OwnerSecretExport, OwnerSessionToken, PendingCapabilityRequestRecord, SecretRecord, SubmitCapabilityRequestCommand, VaultId, VaultPrincipal, VaultWriteSecretCommand, AgentIdentityRecord, AgentCapability } from "./contracts.js";
+import type { AgentListCapabilitiesRequest, AgentListSecretsRequest, AgentGetRuntimeManifestRequest, AgentRuntimeManifest, AgentSubmitCapabilityRequestCommand, AgentVisibleSecretRecord, AuditEntry, AuditQuery, CustomHttpFlowDefinition, DispatchAuthorization, DispatchRequest, DispatchResult, OwnerExecuteCapabilityStateCommand, OwnerIssueSessionTokenRequest, OwnerRejectCapabilityStateCommand, OwnerDeleteSecretCommand, OwnerExportSecretRequest, OwnerRegisterAgentIdentityCommand, OwnerUpdateAgentIdentityCommand, OwnerRegisterCapabilityCommand, OwnerRegisterCustomHttpFlowCommand, OwnerRevokeCapabilityCommand, OwnerListAgentsRequest, OwnerListCapabilitiesRequest, OwnerListCapabilityStatesRequest, OwnerSecretExport, OwnerSessionToken, SecretRecord, SubmitCapabilityRequestCommand, VaultId, VaultPrincipal, VaultWriteSecretCommand, AgentIdentityRecord, AgentCapability, CapabilityStateRecord } from "./contracts.js";
 import type { VaultCoreDependencies } from "./ports.js";
 /**
  * The Sovereign Vault Core.
@@ -6,27 +6,28 @@ import type { VaultCoreDependencies } from "./ports.js";
  */
 export declare class VaultCore {
     private readonly _deps;
-    private readonly _pendingObservers;
-    private readonly _pendingCapabilityObservers;
+    private readonly _capabilityStateObservers;
     constructor(_deps: VaultCoreDependencies);
     private _assertOwnerPrincipal;
+    private _stateToGrantedCapability;
+    private _buildAgentCapabilityStates;
+    private _isExecutablePendingState;
+    private _executePendingCapabilityState;
     get vaultId(): VaultId;
     private _appendAudit;
     private _appendDecisionAudit;
     private _verifyAgentControlProof;
     private _listVisibleSecretsForAgent;
-    ownerOnPendingDispatch(callback: (record: import("./contracts.js").PendingDispatchRecord) => void): () => void;
-    ownerOnPendingCapabilityRequest(callback: (record: PendingCapabilityRequestRecord) => void): () => void;
+    ownerOnCapabilityState(callback: (record: CapabilityStateRecord) => void): () => void;
     ownerRegisterAgentIdentity(command: OwnerRegisterAgentIdentityCommand): Promise<void>;
     ownerUpdateAgentIdentity(command: OwnerUpdateAgentIdentityCommand): Promise<AgentIdentityRecord>;
     ownerRegisterCapability(command: OwnerRegisterCapabilityCommand): Promise<void>;
-    ownerSubmitCapabilityRequest(command: SubmitCapabilityRequestCommand): Promise<PendingCapabilityRequestRecord>;
+    ownerSubmitCapabilityRequest(command: SubmitCapabilityRequestCommand): Promise<CapabilityStateRecord>;
     _getCapability(vaultId: import("./contracts.js").VaultId, agentId: string, capabilityId: string): Promise<AgentCapability | null>;
     ownerRegisterCustomFlow(command: OwnerRegisterCustomHttpFlowCommand): Promise<void>;
     _storeCustomFlowSecret(flow: CustomHttpFlowDefinition, alias: string, plaintext: string): Promise<SecretRecord>;
     ownerWriteSecret(command: VaultWriteSecretCommand): Promise<SecretRecord>;
     ownerDeleteSecret(command: OwnerDeleteSecretCommand): Promise<void>;
-    ownerDefineSecretTargets(command: OwnerDefineSecretTargetsCommand): Promise<SecretRecord>;
     agentAuthorizeDispatch(request: DispatchRequest): Promise<DispatchAuthorization>;
     agentDispatchSecret(request: DispatchRequest): Promise<DispatchResult>;
     ownerReadAudit(actor: VaultPrincipal & {
@@ -47,10 +48,10 @@ export declare class VaultCore {
     }, request?: {
         requestId?: string;
     }): Promise<readonly AgentVisibleSecretRecord[]>;
-    agentListCapabilities(request: AgentListCapabilitiesRequest): Promise<readonly AgentCapability[]>;
+    agentListCapabilities(request: AgentListCapabilitiesRequest): Promise<readonly import("./contracts.js").AgentCapabilityState[]>;
     agentListSecrets(request: AgentListSecretsRequest): Promise<readonly AgentVisibleSecretRecord[]>;
-    agentGetRuntimeManifest(command: AgentGetRuntimeManifestCommand): Promise<AgentRuntimeManifest>;
-    agentSubmitCapabilityRequest(command: AgentSubmitCapabilityRequestCommand): Promise<PendingCapabilityRequestRecord>;
+    agentGetRuntimeManifest(command: AgentGetRuntimeManifestRequest): Promise<AgentRuntimeManifest>;
+    agentSubmitCapabilityRequest(command: AgentSubmitCapabilityRequestCommand): Promise<CapabilityStateRecord>;
     ownerRevokeCapability(command: OwnerRevokeCapabilityCommand): Promise<void>;
     ownerIssueSessionToken(request: OwnerIssueSessionTokenRequest): Promise<OwnerSessionToken>;
     ownerIssueAllAgentSessionTokens(actor: VaultPrincipal & {
@@ -63,17 +64,9 @@ export declare class VaultCore {
         };
         token: string;
     }): Promise<void>;
-    ownerListPendingDispatches(command: {
-        vaultId: VaultId;
-        owner: VaultPrincipal;
-    }): Promise<readonly import("./contracts.js").PendingDispatchRecord[]>;
-    ownerListPendingCapabilityRequests(command: {
-        vaultId: VaultId;
-        owner: VaultPrincipal;
-    }): Promise<readonly PendingCapabilityRequestRecord[]>;
-    ownerApproveCapabilityRequest(command: OwnerApproveCapabilityRequestCommand): Promise<AgentCapability>;
-    ownerRejectCapabilityRequest(command: OwnerRejectCapabilityRequestCommand): Promise<void>;
-    ownerApproveDispatch(command: import("./contracts.js").OwnerApproveDispatchCommand): Promise<DispatchResult>;
-    ownerRejectDispatch(command: import("./contracts.js").OwnerRejectDispatchCommand): Promise<void>;
+    ownerListCapabilityStates(command: OwnerListCapabilityStatesRequest): Promise<readonly CapabilityStateRecord[]>;
+    ownerExecuteCapabilityStateOnce(command: OwnerExecuteCapabilityStateCommand): Promise<DispatchResult>;
+    ownerExecuteCapabilityStateAndGrant(command: OwnerExecuteCapabilityStateCommand): Promise<DispatchResult>;
+    ownerRejectCapabilityState(command: OwnerRejectCapabilityStateCommand): Promise<CapabilityStateRecord>;
 }
 export declare function createVaultCore(deps: VaultCoreDependencies): VaultCore;