@the-ai-company/cbio-node-runtime 1.63.2 → 1.63.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +48 -209
- package/dist/clients/agent/client.d.ts +18 -40
- package/dist/clients/agent/client.js +22 -109
- package/dist/clients/agent/client.js.map +1 -1
- package/dist/clients/agent/contracts.d.ts +1 -8
- package/dist/clients/agent/index.d.ts +1 -1
- package/dist/clients/owner/client.d.ts +2 -102
- package/dist/clients/owner/client.js +119 -240
- package/dist/clients/owner/client.js.map +1 -1
- package/dist/clients/owner/contracts.d.ts +37 -70
- package/dist/clients/owner/index.d.ts +2 -4
- package/dist/clients/owner/index.js +1 -2
- package/dist/clients/owner/index.js.map +1 -1
- package/dist/internal/id-factory.d.ts +0 -2
- package/dist/internal/id-factory.js +0 -6
- package/dist/internal/id-factory.js.map +1 -1
- package/dist/protocol/identity.d.ts +1 -1
- package/dist/protocol/identity.js +3 -3
- package/dist/protocol/identity.js.map +1 -1
- package/dist/public-types.d.ts +5 -0
- package/dist/public-types.js +2 -0
- package/dist/public-types.js.map +1 -0
- package/dist/runtime/bootstrap.js.map +1 -1
- package/dist/runtime/identity.d.ts +2 -2
- package/dist/runtime/identity.js +3 -5
- package/dist/runtime/identity.js.map +1 -1
- package/dist/runtime/index.d.ts +10 -11
- package/dist/runtime/index.js +7 -8
- package/dist/runtime/index.js.map +1 -1
- package/dist/runtime/owner-session.d.ts +7 -6
- package/dist/runtime/owner-session.js +5 -6
- package/dist/runtime/owner-session.js.map +1 -1
- package/dist/storage/fs.d.ts +3 -2
- package/dist/storage/fs.js +8 -5
- package/dist/storage/fs.js.map +1 -1
- package/dist/storage/prefix.d.ts +1 -0
- package/dist/storage/prefix.js +7 -0
- package/dist/storage/prefix.js.map +1 -1
- package/dist/storage/provider.d.ts +2 -0
- package/dist/vault-core/contracts.d.ts +112 -193
- package/dist/vault-core/contracts.js +5 -8
- package/dist/vault-core/contracts.js.map +1 -1
- package/dist/vault-core/core.d.ts +127 -62
- package/dist/vault-core/core.js +500 -1182
- package/dist/vault-core/core.js.map +1 -1
- package/dist/vault-core/defaults.d.ts +26 -42
- package/dist/vault-core/defaults.js +73 -229
- package/dist/vault-core/defaults.js.map +1 -1
- package/dist/vault-core/errors.d.ts +3 -2
- package/dist/vault-core/errors.js.map +1 -1
- package/dist/vault-core/index.d.ts +5 -5
- package/dist/vault-core/index.js +2 -2
- package/dist/vault-core/index.js.map +1 -1
- package/dist/vault-core/persistence.d.ts +78 -118
- package/dist/vault-core/persistence.js +329 -421
- package/dist/vault-core/persistence.js.map +1 -1
- package/dist/vault-core/ports.d.ts +19 -24
- package/dist/vault-core/read-policy.d.ts +3 -2
- package/dist/vault-core/read-policy.js.map +1 -1
- package/dist/vault-core/tool-metadata.js +2 -2
- package/dist/vault-core/tool-metadata.js.map +1 -1
- package/dist/vault-ingress/defaults.d.ts +4 -2
- package/dist/vault-ingress/defaults.js +14 -8
- package/dist/vault-ingress/defaults.js.map +1 -1
- package/dist/vault-ingress/index.d.ts +43 -117
- package/dist/vault-ingress/index.js +98 -453
- package/dist/vault-ingress/index.js.map +1 -1
- package/dist/vault-ingress/remote-transport.d.ts +5 -3
- package/dist/vault-ingress/remote-transport.js +8 -28
- package/dist/vault-ingress/remote-transport.js.map +1 -1
- package/docs/ARCHITECTURE.md +39 -22
- package/docs/CUSTODY_MODEL.md +1 -1
- package/docs/IDENTITY_MODEL.md +5 -5
- package/docs/MIGRATION-1.51.md +19 -19
- package/docs/MIGRATION-1.65.md +61 -0
- package/docs/PROCESS_ISOLATION.md +2 -2
- package/docs/REFERENCE.md +42 -200
- package/docs/api/README.md +50 -22
- package/docs/api/classes/IdentityError.md +1 -1
- package/docs/api/classes/OwnerClientError.md +1 -1
- package/docs/api/classes/PersistentVaultAgentIdentityRegistry.md +89 -0
- package/docs/api/classes/PersistentVaultAgentSecretGrantRegistry.md +125 -0
- package/docs/api/classes/PersistentVaultAuditLog.md +65 -0
- package/docs/api/classes/PersistentVaultCustomHttpFlowRegistry.md +69 -0
- package/docs/api/classes/PersistentVaultSecretCustody.md +93 -0
- package/docs/api/classes/PersistentVaultSecretDestinationGrantRegistry.md +125 -0
- package/docs/api/classes/PersistentVaultSecretRepository.md +127 -0
- package/docs/api/classes/VaultCore.md +299 -214
- package/docs/api/classes/VaultCoreError.md +3 -3
- package/docs/api/enumerations/AuditAction.md +143 -0
- package/docs/api/enumerations/AuditOutcome.md +35 -0
- package/docs/api/enumerations/DispatchStatus.md +35 -0
- package/docs/api/enumerations/IdentityErrorCode.md +1 -1
- package/docs/api/enumerations/OwnerClientErrorCode.md +1 -1
- package/docs/api/functions/createAgentClient.md +1 -15
- package/docs/api/functions/createIdentity.md +2 -2
- package/docs/api/functions/createOwnerClient.md +17 -0
- package/docs/api/functions/createOwnerSession.md +1 -1
- package/docs/api/functions/createPersistentVaultCoreDependencies.md +4 -4
- package/docs/api/functions/createVault.md +1 -1
- package/docs/api/functions/createVaultCore.md +1 -1
- package/docs/api/functions/createVaultCoreDependencies.md +1 -1
- package/docs/api/functions/createVaultService.md +5 -9
- package/docs/api/functions/createWorkspaceStorage.md +1 -1
- package/docs/api/functions/deriveRootAgentId.md +17 -0
- package/docs/api/functions/deriveVaultWorkingKeyFromPassword.md +1 -1
- package/docs/api/functions/getDefaultWorkspaceDir.md +1 -1
- package/docs/api/functions/handleVaultAgentControlHttp.md +2 -2
- package/docs/api/functions/handleVaultHttpDispatch.md +2 -2
- package/docs/api/functions/initializeVaultCustody.md +7 -3
- package/docs/api/functions/listVaults.md +1 -1
- package/docs/api/functions/readVaultProfile.md +1 -1
- package/docs/api/functions/recoverVault.md +1 -1
- package/docs/api/functions/recoverVaultWorkingKey.md +4 -8
- package/docs/api/functions/restoreIdentity.md +1 -1
- package/docs/api/functions/updateVaultMetadata.md +1 -1
- package/docs/api/functions/writeVaultProfile.md +1 -1
- package/docs/api/interfaces/AgentClient.md +20 -59
- package/docs/api/interfaces/AgentDispatchIntent.md +1 -1
- package/docs/api/interfaces/AgentDispatchTransport.md +12 -44
- package/docs/api/interfaces/AgentIdentity.md +3 -3
- package/docs/api/interfaces/AgentIdentityRecord.md +47 -0
- package/docs/api/interfaces/AgentRequestResult.md +35 -0
- package/docs/api/interfaces/AgentRuntimeManifest.md +55 -0
- package/docs/api/interfaces/AgentSecretGrant.md +41 -0
- package/docs/api/interfaces/AgentSigner.md +1 -1
- package/docs/api/interfaces/AgentVisibleRequestRecord.md +53 -0
- package/docs/api/interfaces/AgentVisibleSecretRecord.md +65 -0
- package/docs/api/interfaces/AuditEntry.md +83 -0
- package/docs/api/interfaces/CbioRuntime.md +13 -150
- package/docs/api/interfaces/CreateAgentClientOptions.md +4 -10
- package/docs/api/interfaces/CreateIdentityOptions.md +1 -1
- package/docs/api/interfaces/{CreateVaultClientOptions.md → CreateOwnerClientOptions.md} +9 -11
- package/docs/api/interfaces/CreateOwnerSessionOptions.md +3 -117
- package/docs/api/interfaces/CreatePersistentVaultCoreDependenciesOptions.md +3 -131
- package/docs/api/interfaces/CreateVaultOptions.md +1 -121
- package/docs/api/interfaces/CreatedVault.md +2 -2
- package/docs/api/interfaces/CustomHttpFlowDefinition.md +71 -0
- package/docs/api/interfaces/DefaultPolicyEngineOptions.md +1 -13
- package/docs/api/interfaces/DispatchAuthorization.md +43 -0
- package/docs/api/interfaces/DispatchInstruction.md +47 -0
- package/docs/api/interfaces/DispatchRequest.md +83 -0
- package/docs/api/interfaces/DispatchResult.md +53 -0
- package/docs/api/interfaces/IStorageProvider.md +13 -1
- package/docs/api/interfaces/InitializeVaultCustodyOptions.md +31 -11
- package/docs/api/interfaces/InitializedVaultCustody.md +1 -7
- package/docs/api/interfaces/OwnerAgentProvisionResult.md +2 -2
- package/docs/api/interfaces/OwnerClient.md +417 -0
- package/docs/api/interfaces/OwnerCreateSecretInput.md +1 -1
- package/docs/api/interfaces/OwnerRemoveSecretInput.md +1 -1
- package/docs/api/interfaces/OwnerRequestRecord.md +97 -0
- package/docs/api/interfaces/OwnerSensitiveActionConfirmation.md +1 -1
- package/docs/api/interfaces/OwnerSensitiveActionContext.md +1 -1
- package/docs/api/interfaces/OwnerSession.md +3 -3
- package/docs/api/interfaces/OwnerUpdateSecretInput.md +1 -1
- package/docs/api/interfaces/OwnerVisibleRequestRecord.md +73 -0
- package/docs/api/interfaces/RecoverVaultOptions.md +1 -121
- package/docs/api/interfaces/RecoveredVault.md +2 -2
- package/docs/api/interfaces/RequestRecord.md +107 -0
- package/docs/api/interfaces/RestoreIdentityOptions.md +1 -1
- package/docs/api/interfaces/SecretAlias.md +11 -0
- package/docs/api/interfaces/SecretDestinationGrant.md +41 -0
- package/docs/api/interfaces/SecretId.md +11 -0
- package/docs/api/interfaces/SecretRecord.md +89 -0
- package/docs/api/interfaces/Signer.md +1 -1
- package/docs/api/interfaces/VaultApproveDispatchInput.md +3 -9
- package/docs/api/interfaces/VaultAuditQueryInput.md +1 -1
- package/docs/api/interfaces/VaultCoreDependenciesOptions.md +1 -5
- package/docs/api/interfaces/VaultCreateAgentInput.md +1 -1
- package/docs/api/interfaces/VaultExportSecretInput.md +1 -1
- package/docs/api/interfaces/VaultGetRequestInput.md +17 -0
- package/docs/api/interfaces/VaultGrantAgentSecretInput.md +23 -0
- package/docs/api/interfaces/VaultGrantSecretDestinationInput.md +23 -0
- package/docs/api/interfaces/VaultId.md +11 -0
- package/docs/api/interfaces/VaultImportAgentInput.md +1 -1
- package/docs/api/interfaces/VaultIssueSessionTokenInput.md +5 -5
- package/docs/api/interfaces/VaultListAgentsInput.md +1 -1
- package/docs/api/interfaces/VaultListGrantsInput.md +23 -0
- package/docs/api/interfaces/VaultListRequestsInput.md +17 -0
- package/docs/api/interfaces/VaultListSecretsInput.md +1 -1
- package/docs/api/interfaces/VaultMetadata.md +1 -1
- package/docs/api/interfaces/VaultObject.md +2 -2
- package/docs/api/interfaces/VaultPrincipal.md +17 -0
- package/docs/api/interfaces/VaultProfile.md +1 -1
- package/docs/api/interfaces/VaultReadAgentPrivateKeyInput.md +7 -7
- package/docs/api/interfaces/VaultReadSecretPlaintextInput.md +1 -1
- package/docs/api/interfaces/VaultRegisterFlowInput.md +1 -1
- package/docs/api/interfaces/VaultRevokeAgentSecretInput.md +23 -0
- package/docs/api/interfaces/VaultRevokeSecretDestinationInput.md +23 -0
- package/docs/api/interfaces/VaultRevokeSessionTokenInput.md +1 -1
- package/docs/api/interfaces/VaultService.md +547 -0
- package/docs/api/interfaces/VaultUpdateAgentInput.md +7 -7
- package/docs/api/type-aliases/AgentId.md +7 -0
- package/docs/api/type-aliases/CbioRuntimeModule.md +1 -1
- package/docs/api/type-aliases/DispatchApprovalDecision.md +7 -0
- package/docs/api/type-aliases/GrantStatus.md +7 -0
- package/docs/api/type-aliases/SecretLifecycleStatus.md +7 -0
- package/docs/api/type-aliases/VaultPrincipalKind.md +7 -0
- package/docs/api/variables/DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY.md +2 -2
- package/docs/es/README.md +3 -3
- package/docs/fr/README.md +3 -3
- package/docs/ja/README.md +5 -5
- package/docs/ko/README.md +5 -5
- package/docs/pt/README.md +3 -3
- package/docs/zh/PROCESS_ISOLATION.md +2 -2
- package/docs/zh/README.md +24 -24
- package/examples/process-isolation.ts +26 -35
- package/package.json +3 -2
- package/docs/api/functions/createOwnerHttpFlowBoundary.md +0 -17
- package/docs/api/functions/createStandardAcquireBoundary.md +0 -31
- package/docs/api/functions/createStandardDispatchBoundary.md +0 -23
- package/docs/api/functions/createVaultClient.md +0 -32
- package/docs/api/functions/deriveIdentityId.md +0 -17
- package/docs/api/functions/wrapVaultCoreAsVaultService.md +0 -31
- package/docs/api/interfaces/AgentSubmitCapabilityRequestInput.md +0 -41
- package/docs/api/interfaces/VaultApproveCapabilityRequestInput.md +0 -23
- package/docs/api/interfaces/VaultClient.md +0 -473
- package/docs/api/interfaces/VaultGrantCapabilityInput.md +0 -79
- package/docs/api/interfaces/VaultGrantCapabilityRequest.md +0 -23
- package/docs/api/interfaces/VaultIdentity.md +0 -11
- package/docs/api/interfaces/VaultListCapabilitiesInput.md +0 -17
- package/docs/api/interfaces/VaultRevokeCapabilityInput.md +0 -23
- package/docs/api/interfaces/VaultSigner.md +0 -21
- package/docs/api/interfaces/VaultSubmitCapabilityRequestInput.md +0 -73
- package/docs/api/type-aliases/AgentCapabilityEnvelope.md +0 -7
- package/docs/api/type-aliases/AgentVisibleSecretRecord.md +0 -7
- package/docs/api/type-aliases/OwnerGrantCapabilityInput.md +0 -7
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { createOwnerClient } from "../clients/owner/client.js";
|
|
2
2
|
import { FsStorageProvider } from "../storage/fs.js";
|
|
3
3
|
import { recoverVault } from "./bootstrap.js";
|
|
4
4
|
import { createWorkspaceStorage } from "./workspace-storage.js";
|
|
@@ -43,29 +43,28 @@ class DefaultOwnerSession {
|
|
|
43
43
|
async client() {
|
|
44
44
|
const vault = await this.vault();
|
|
45
45
|
this._assertValid();
|
|
46
|
-
return this._createClient(vault);
|
|
46
|
+
return await this._createClient(vault);
|
|
47
47
|
}
|
|
48
48
|
async withClient(callback) {
|
|
49
49
|
const vault = await this.vault();
|
|
50
50
|
this._assertValid();
|
|
51
|
-
return callback(this._createClient(vault), vault);
|
|
51
|
+
return callback(await this._createClient(vault), vault);
|
|
52
52
|
}
|
|
53
53
|
_assertValid() {
|
|
54
54
|
if (this._invalidated) {
|
|
55
55
|
throw new Error(`OwnerSession for vault '${this._options.vaultId}' has been invalidated`);
|
|
56
56
|
}
|
|
57
57
|
}
|
|
58
|
-
_createClient(vault) {
|
|
58
|
+
async _createClient(vault) {
|
|
59
59
|
const clientOptions = {
|
|
60
60
|
vault: vault.vault,
|
|
61
61
|
ownerIdentity: this._options.ownerIdentity,
|
|
62
|
-
signer: this._options.signer,
|
|
63
62
|
clock: this._options.clock,
|
|
64
63
|
skipWarmup: this._options.skipWarmup,
|
|
65
64
|
passwordVerifier: vault.verifyPassword,
|
|
66
65
|
sensitiveActionVerifier: this._options.sensitiveActionVerifier,
|
|
67
66
|
};
|
|
68
|
-
return
|
|
67
|
+
return await createOwnerClient(clientOptions);
|
|
69
68
|
}
|
|
70
69
|
}
|
|
71
70
|
function resolveOwnerSessionStorage(storageOrOptions, maybeOptions) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"owner-session.js","sourceRoot":"","sources":["../../src/runtime/owner-session.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"owner-session.js","sourceRoot":"","sources":["../../src/runtime/owner-session.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAGrD,OAAO,EAAE,YAAY,EAAiD,MAAM,gBAAgB,CAAC;AAC7F,OAAO,EAAE,sBAAsB,EAAE,MAAM,wBAAwB,CAAC;AAyBhE,MAAM,mBAAmB;IAMZ;IACQ;IANX,YAAY,GAAG,KAAK,CAAC;IACrB,mBAAmB,CAAsC;IACzD,SAAS,CAAqB;IAEtC,YACW,OAAyB,EACjB,QAAmC;QAD3C,YAAO,GAAP,OAAO,CAAkB;QACjB,aAAQ,GAAR,QAAQ,CAA2B;IACnD,CAAC;IAEJ,IAAI,OAAO;QACT,OAAO,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;IAC/B,CAAC;IAED,IAAI,QAAQ;QACV,OAAO,IAAI,CAAC,SAAS,CAAC;IACxB,CAAC;IAED,OAAO;QACL,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC;IAC5B,CAAC;IAED,UAAU;QACR,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC;QACzB,IAAI,CAAC,mBAAmB,GAAG,SAAS,CAAC;IACvC,CAAC;IAED,KAAK,CAAC,OAAO;QACX,IAAI,CAAC,YAAY,EAAE,CAAC;QACpB,IAAI,CAAC,mBAAmB,GAAG,SAAS,CAAC;QACrC,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC;IACtB,CAAC;IAED,KAAK,CAAC,KAAK;QACT,IAAI,CAAC,YAAY,EAAE,CAAC;QACpB,IAAI,CAAC,IAAI,CAAC,mBAAmB,EAAE,CAAC;YAC9B,IAAI,CAAC,mBAAmB,GAAG,YAAY,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE;gBAClF,IAAI,CAAC,SAAS,GAAG,KAAK,CAAC,QAAQ,CAAC;gBAChC,OAAO,KAAK,CAAC;YACf,CAAC,CAAC,CAAC;QACL,CAAC;QACD,OAAO,IAAI,CAAC,mBAAmB,CAAC;IAClC,CAAC;IAED,KAAK,CAAC,MAAM;QACV,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;QACjC,IAAI,CAAC,YAAY,EAAE,CAAC;QACpB,OAAO,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,CAAC,UAAU,CAAI,QAAwE;QAC1F,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;QACjC,IAAI,CAAC,YAAY,EAAE,CAAC;QACpB,OAAO,QAAQ,CAAC,MAAM,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,EAAE,KAAK,CAAC,CAAC;IAC1D,CAAC;IAEO,YAAY;QAClB,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,2BAA2B,IAAI,CAAC,QAAQ,CAAC,OAAO,wBAAwB,CAAC,CAAC;QAC5F,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,aAAa,CAAC,KAAqB;QAC/C,MAAM,aAAa,GAA6B;YAC9C,KAAK,EAAE,KAAK,CAAC,KAAK;YAClB,aAAa,EAAE,IAAI,CAAC,QAAQ,CAAC,aAAoB;YACjD,KAAK,EAAE,IAAI,CAAC,QAAQ,CAAC,KAAK;YAC1B,UAAU,EAAE,IAAI,CAAC,QAAQ,CAAC,UAAU;YACpC,gBAAgB,EAAE,KAAK,CAAC,cAAc;YACtC,uBAAuB,EAAE,IAAI,CAAC,QAAQ,CAAC,uBAAuB;SAC/D,CAAC;QACF,OAAO,MAAM,iBAAiB,CAAC,aAAa,CAAC,CAAC;IAChD,CAAC;CACF;AAED,SAAS,0BAA0B,CACjC,gBAAuE,EACvE,YAAwC;IAExC,IAAI,YAAY,EAAE,CAAC;QACjB,OAAO;YACL,OAAO,EAAE,OAAO,gBAAgB,KAAK,QAAQ;gBAC3C,CAAC,CAAC,IAAI,iBAAiB,CAAC,gBAAgB,CAAC;gBACzC,CAAC,CAAC,gBAAoC;YACxC,OAAO,EAAE,YAAY;SACtB,CAAC;IACJ,CAAC;IACD,OAAO;QACL,OAAO,EAAE,sBAAsB,EAAE;QACjC,OAAO,EAAE,gBAA6C;KACvD,CAAC;AACJ,CAAC;AAOD,MAAM,UAAU,kBAAkB,CAChC,gBAAuE,EACvE,YAAwC;IAExC,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,0BAA0B,CAAC,gBAAgB,EAAE,YAAY,CAAC,CAAC;IACxF,OAAO,IAAI,mBAAmB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;AACnD,CAAC"}
|
package/dist/storage/fs.d.ts
CHANGED
|
@@ -6,8 +6,9 @@ import type { IStorageProvider } from './provider.js';
|
|
|
6
6
|
* @internal
|
|
7
7
|
*/
|
|
8
8
|
export declare class FsStorageProvider implements IStorageProvider {
|
|
9
|
-
private
|
|
10
|
-
constructor(
|
|
9
|
+
private readonly _baseDir?;
|
|
10
|
+
constructor(_baseDir?: string | undefined);
|
|
11
|
+
getBaseDir(): string;
|
|
11
12
|
private static readonly DIRECTORY_MODE;
|
|
12
13
|
private static readonly FILE_MODE;
|
|
13
14
|
private resolve;
|
package/dist/storage/fs.js
CHANGED
|
@@ -10,15 +10,18 @@ function sleep(ms) {
|
|
|
10
10
|
* @internal
|
|
11
11
|
*/
|
|
12
12
|
export class FsStorageProvider {
|
|
13
|
-
|
|
14
|
-
constructor(
|
|
15
|
-
this.
|
|
13
|
+
_baseDir;
|
|
14
|
+
constructor(_baseDir) {
|
|
15
|
+
this._baseDir = _baseDir;
|
|
16
|
+
}
|
|
17
|
+
getBaseDir() {
|
|
18
|
+
return this._baseDir || process.cwd();
|
|
16
19
|
}
|
|
17
20
|
static DIRECTORY_MODE = 0o700;
|
|
18
21
|
static FILE_MODE = 0o600;
|
|
19
22
|
resolve(key) {
|
|
20
|
-
if (this.
|
|
21
|
-
return path.join(this.
|
|
23
|
+
if (this._baseDir) {
|
|
24
|
+
return path.join(this._baseDir, key);
|
|
22
25
|
}
|
|
23
26
|
const dir = path.dirname(key);
|
|
24
27
|
if (dir && dir !== '.') {
|
package/dist/storage/fs.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"fs.js","sourceRoot":"","sources":["../../src/storage/fs.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACvC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAGlC,SAAS,KAAK,CAAC,EAAU;IACrB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,iBAAiB;
|
|
1
|
+
{"version":3,"file":"fs.js","sourceRoot":"","sources":["../../src/storage/fs.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACvC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAGlC,SAAS,KAAK,CAAC,EAAU;IACrB,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC,CAAC;AAC7D,CAAC;AAED;;GAEG;AACH,MAAM,OAAO,iBAAiB;IACG;IAA7B,YAA6B,QAAiB;QAAjB,aAAQ,GAAR,QAAQ,CAAS;IAAG,CAAC;IAElD,UAAU;QACN,OAAO,IAAI,CAAC,QAAQ,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;IAC1C,CAAC;IAEO,MAAM,CAAU,cAAc,GAAG,KAAK,CAAC;IACvC,MAAM,CAAU,SAAS,GAAG,KAAK,CAAC;IAElC,OAAO,CAAC,GAAW;QACvB,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;YAChB,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;QACzC,CAAC;QACD,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QAC9B,IAAI,GAAG,IAAI,GAAG,KAAK,GAAG,EAAE,CAAC;YACrB,OAAO,GAAG,CAAC;QACf,CAAC;QACD,OAAO,GAAG,CAAC;IACf,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,GAAW;QAClB,IAAI,CAAC;YACD,OAAO,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;QAChD,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YACd,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ;gBAAE,OAAO,IAAI,CAAC;YACrC,MAAM,CAAC,CAAC;QACZ,CAAC;IACL,CAAC;IAED,KAAK,CAAC,KAAK,CAAC,GAAW,EAAE,IAAY;QACjC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;QACnC,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,iBAAiB,CAAC,cAAc,EAAE,CAAC,CAAC;QACpG,MAAM,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,iBAAiB,CAAC,SAAS,EAAE,CAAC,CAAC;QAC1E,MAAM,EAAE,CAAC,KAAK,CAAC,QAAQ,EAAE,iBAAiB,CAAC,SAAS,CAAC,CAAC;QACtD,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;QACzC,IAAI,CAAC;YACD,MAAM,EAAE,CAAC,IAAI,EAAE,CAAC;QACpB,CAAC;gBAAS,CAAC;YACP,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC;QACrB,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,GAAW;QACpB,IAAI,CAAC;YACD,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;QACvC,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YACd,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ;gBAAE,MAAM,CAAC,CAAC;QACrC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,GAAG,CAAC,GAAW;QACjB,IAAI,CAAC;YACD,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;YACnC,OAAO,IAAI,CAAC;QAChB,CAAC;QAAC,MAAM,CAAC;YACL,OAAO,KAAK,CAAC;QACjB,CAAC;IACL,CAAC;IAED,KAAK,CAAC,MAAM,CAAC,OAAe,EAAE,KAAa;QACvC,MAAM,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;IAChE,CAAC;IAED,KAAK,CAAC,QAAQ,CAAI,GAAW,EAAE,IAAsB;QACjD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,GAAG,OAAO,CAAC,CAAC;QAC7C,MAAM,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,iBAAiB,CAAC,cAAc,EAAE,CAAC,CAAC;QAEpG,SAAS,CAAC;YACN,IAAI,CAAC;gBACD,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,QAAQ,EAAE,IAAI,EAAE,iBAAiB,CAAC,SAAS,CAAC,CAAC;gBACtE,IAAI,CAAC;oBACD,OAAO,MAAM,IAAI,EAAE,CAAC;gBACxB,CAAC;wBAAS,CAAC;oBACP,MAAM,EAAE,CAAC,KAAK,EAAE,CAAC;oBACjB,MAAM,EAAE,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,KAAK,CAAC,CAAC,KAAU,EAAE,EAAE;wBAC3C,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ;4BAAE,MAAM,KAAK,CAAC;oBAC7C,CAAC,CAAC,CAAC;gBACP,CAAC;YACL,CAAC;YAAC,OAAO,KAAU,EAAE,CAAC;gBAClB,IAAI,KAAK,CAAC,IAAI,KAAK,QAAQ,EAAE,CAAC;oBAC1B,MAAM,KAAK,CAAC;gBAChB,CAAC;gBACD,MAAM,KAAK,CAAC,EAAE,CAAC,CAAC;YACpB,CAAC;QACL,CAAC;IACL,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,MAAc;QACrB,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACjC,IAAI,CAAC;YACD,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;YAC/D,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QACpC,CAAC;QAAC,OAAO,CAAM,EAAE,CAAC;YACd,IAAI,CAAC,CAAC,IAAI,KAAK,QAAQ;gBAAE,OAAO,EAAE,CAAC;YACnC,MAAM,CAAC,CAAC;QACZ,CAAC;IACL,CAAC"}
|
package/dist/storage/prefix.d.ts
CHANGED
|
@@ -3,6 +3,7 @@ export declare class PrefixStorageProvider implements IStorageProvider {
|
|
|
3
3
|
private readonly base;
|
|
4
4
|
private readonly prefix;
|
|
5
5
|
constructor(base: IStorageProvider, prefix: string);
|
|
6
|
+
getBaseDir(): string;
|
|
6
7
|
private key;
|
|
7
8
|
read(key: string): Promise<Buffer | null>;
|
|
8
9
|
write(key: string, data: Buffer): Promise<void>;
|
package/dist/storage/prefix.js
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
import * as path from "node:path";
|
|
1
2
|
function joinPrefix(prefix, key) {
|
|
2
3
|
return key ? `${prefix}/${key}` : prefix;
|
|
3
4
|
}
|
|
@@ -8,6 +9,12 @@ export class PrefixStorageProvider {
|
|
|
8
9
|
this.base = base;
|
|
9
10
|
this.prefix = prefix;
|
|
10
11
|
}
|
|
12
|
+
getBaseDir() {
|
|
13
|
+
if (this.base.getBaseDir) {
|
|
14
|
+
return path.join(this.base.getBaseDir(), this.prefix);
|
|
15
|
+
}
|
|
16
|
+
return this.prefix;
|
|
17
|
+
}
|
|
11
18
|
key(key) {
|
|
12
19
|
return joinPrefix(this.prefix, key);
|
|
13
20
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"prefix.js","sourceRoot":"","sources":["../../src/storage/prefix.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"prefix.js","sourceRoot":"","sources":["../../src/storage/prefix.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAGlC,SAAS,UAAU,CAAC,MAAc,EAAE,GAAW;IAC7C,OAAO,GAAG,CAAC,CAAC,CAAC,GAAG,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;AAC3C,CAAC;AAED,MAAM,OAAO,qBAAqB;IAEb;IACA;IAFnB,YACmB,IAAsB,EACtB,MAAc;QADd,SAAI,GAAJ,IAAI,CAAkB;QACtB,WAAM,GAAN,MAAM,CAAQ;IAC9B,CAAC;IAEJ,UAAU;QACR,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC;QACxD,CAAC;QACD,OAAO,IAAI,CAAC,MAAM,CAAC;IACrB,CAAC;IAGO,GAAG,CAAC,GAAW;QACrB,OAAO,UAAU,CAAC,IAAI,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;IACtC,CAAC;IAED,IAAI,CAAC,GAAW;QACd,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;IACvC,CAAC;IAED,KAAK,CAAC,GAAW,EAAE,IAAY;QAC7B,OAAO,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC;IAC9C,CAAC;IAED,MAAM,CAAC,GAAW;QAChB,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;IACzC,CAAC;IAED,GAAG,CAAC,GAAW;QACb,OAAO,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC;IACtC,CAAC;IAED,MAAM,CAAE,OAAe,EAAE,KAAa;QACpC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAC;QACzE,CAAC;QACD,OAAO,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;IAC9D,CAAC;IAED,QAAQ,CAAK,GAAW,EAAE,IAAsB;QAC9C,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;YACxB,OAAO,IAAI,EAAE,CAAC;QAChB,CAAC;QACD,OAAO,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,IAAI,CAAC,CAAC;IACjD,CAAC;CACF;AAED,MAAM,UAAU,qBAAqB,CAAC,IAAsB,EAAE,MAAc;IAC1E,OAAO,IAAI,qBAAqB,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AACjD,CAAC"}
|
|
@@ -13,4 +13,6 @@ export interface IStorageProvider {
|
|
|
13
13
|
withLock?<T>(key: string, task: () => Promise<T>): Promise<T>;
|
|
14
14
|
/** Optional. Returns sub-keys (names) under a given prefix. */
|
|
15
15
|
list?(prefix: string): Promise<string[]>;
|
|
16
|
+
/** Optional. Returns the base directory for file-system based storage. */
|
|
17
|
+
getBaseDir?(): string;
|
|
16
18
|
}
|
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
export type AgentId = string;
|
|
1
2
|
export type VaultPrincipalKind = "owner" | "trusted_issuer" | "agent" | "trusted_executor";
|
|
2
3
|
export interface VaultPrincipal {
|
|
3
4
|
kind: VaultPrincipalKind;
|
|
@@ -42,6 +43,24 @@ export interface SecretSourceInput {
|
|
|
42
43
|
kind: "manual" | "request";
|
|
43
44
|
requestId?: string;
|
|
44
45
|
}
|
|
46
|
+
export type GrantStatus = "pending" | "approved";
|
|
47
|
+
export interface AgentSecretGrant {
|
|
48
|
+
vaultId: VaultId;
|
|
49
|
+
rootAgentId: string;
|
|
50
|
+
secretAlias: string;
|
|
51
|
+
status: GrantStatus;
|
|
52
|
+
requestedAt: string;
|
|
53
|
+
grantedAt?: string;
|
|
54
|
+
}
|
|
55
|
+
export interface SecretDestinationGrant {
|
|
56
|
+
vaultId: VaultId;
|
|
57
|
+
secretAlias: string;
|
|
58
|
+
domain: string;
|
|
59
|
+
status: GrantStatus;
|
|
60
|
+
requestedAt: string;
|
|
61
|
+
grantedAt?: string;
|
|
62
|
+
}
|
|
63
|
+
export type DispatchApprovalDecision = "allow_once" | "allow_and_grant" | "deny";
|
|
45
64
|
export interface OwnerCreateSecretCommand {
|
|
46
65
|
kind: "owner.create_secret";
|
|
47
66
|
vaultId: VaultId;
|
|
@@ -95,7 +114,7 @@ export interface OwnerRegisterAgentIdentityCommand {
|
|
|
95
114
|
owner: VaultPrincipal & {
|
|
96
115
|
kind: "owner";
|
|
97
116
|
};
|
|
98
|
-
|
|
117
|
+
agentRecord: AgentIdentityRecord;
|
|
99
118
|
requestedAt: string;
|
|
100
119
|
}
|
|
101
120
|
export interface OwnerUpdateAgentIdentityCommand {
|
|
@@ -104,11 +123,51 @@ export interface OwnerUpdateAgentIdentityCommand {
|
|
|
104
123
|
owner: VaultPrincipal & {
|
|
105
124
|
kind: "owner";
|
|
106
125
|
};
|
|
107
|
-
|
|
126
|
+
rootAgentId: string;
|
|
108
127
|
nickname?: string;
|
|
109
128
|
metadata?: Record<string, any>;
|
|
110
129
|
requestedAt: string;
|
|
111
130
|
}
|
|
131
|
+
export interface OwnerGrantAgentSecretCommand {
|
|
132
|
+
vaultId: VaultId;
|
|
133
|
+
requestId: string;
|
|
134
|
+
actor: VaultPrincipal & {
|
|
135
|
+
kind: "owner";
|
|
136
|
+
};
|
|
137
|
+
rootAgentId: string;
|
|
138
|
+
secretAlias: string;
|
|
139
|
+
requestedAt: string;
|
|
140
|
+
}
|
|
141
|
+
export interface OwnerGrantSecretDestinationCommand {
|
|
142
|
+
vaultId: VaultId;
|
|
143
|
+
requestId: string;
|
|
144
|
+
actor: VaultPrincipal & {
|
|
145
|
+
kind: "owner";
|
|
146
|
+
};
|
|
147
|
+
secretAlias: string;
|
|
148
|
+
domain: string;
|
|
149
|
+
requestedAt: string;
|
|
150
|
+
}
|
|
151
|
+
export interface OwnerRevokeAgentSecretCommand {
|
|
152
|
+
vaultId: VaultId;
|
|
153
|
+
requestId: string;
|
|
154
|
+
actor: VaultPrincipal & {
|
|
155
|
+
kind: "owner";
|
|
156
|
+
};
|
|
157
|
+
rootAgentId: string;
|
|
158
|
+
secretAlias: string;
|
|
159
|
+
requestedAt: string;
|
|
160
|
+
}
|
|
161
|
+
export interface OwnerRevokeSecretDestinationCommand {
|
|
162
|
+
vaultId: VaultId;
|
|
163
|
+
requestId: string;
|
|
164
|
+
actor: VaultPrincipal & {
|
|
165
|
+
kind: "owner";
|
|
166
|
+
};
|
|
167
|
+
secretAlias: string;
|
|
168
|
+
domain: string;
|
|
169
|
+
requestedAt: string;
|
|
170
|
+
}
|
|
112
171
|
export interface CustomHttpFlowDefinition {
|
|
113
172
|
vaultId: VaultId;
|
|
114
173
|
flowId: string;
|
|
@@ -144,52 +203,8 @@ export interface OwnerRegisterCustomHttpFlowCommand {
|
|
|
144
203
|
};
|
|
145
204
|
requestedAt: string;
|
|
146
205
|
}
|
|
147
|
-
export interface OwnerRegisterCapabilityCommand {
|
|
148
|
-
vaultId: VaultId;
|
|
149
|
-
requestId: string;
|
|
150
|
-
owner: VaultPrincipal & {
|
|
151
|
-
kind: "owner";
|
|
152
|
-
};
|
|
153
|
-
capability: AgentCapability;
|
|
154
|
-
requestedAt: string;
|
|
155
|
-
}
|
|
156
|
-
export interface OwnerRevokeCapabilityCommand {
|
|
157
|
-
vaultId: VaultId;
|
|
158
|
-
requestId: string;
|
|
159
|
-
owner: VaultPrincipal & {
|
|
160
|
-
kind: "owner";
|
|
161
|
-
};
|
|
162
|
-
agentId: string;
|
|
163
|
-
capabilityId: string;
|
|
164
|
-
requestedAt: string;
|
|
165
|
-
}
|
|
166
|
-
export interface CapabilityWritePolicy {
|
|
167
|
-
secretIds?: readonly string[];
|
|
168
|
-
scope: string;
|
|
169
|
-
methods: readonly string[];
|
|
170
|
-
}
|
|
171
|
-
export interface CapabilityReadPolicy {
|
|
172
|
-
paths: readonly string[];
|
|
173
|
-
}
|
|
174
|
-
export interface AgentCapability {
|
|
175
|
-
vaultId: VaultId;
|
|
176
|
-
capabilityId: string;
|
|
177
|
-
agentId: string;
|
|
178
|
-
operation: "dispatch_http" | "custom_http";
|
|
179
|
-
customFlowId?: string;
|
|
180
|
-
write: CapabilityWritePolicy;
|
|
181
|
-
read: CapabilityReadPolicy;
|
|
182
|
-
issuedAt: string;
|
|
183
|
-
expiresAt?: string;
|
|
184
|
-
revocationVersion?: number;
|
|
185
|
-
rateLimit?: {
|
|
186
|
-
maxRequests: number;
|
|
187
|
-
windowMs: number;
|
|
188
|
-
};
|
|
189
|
-
skipAudit?: boolean;
|
|
190
|
-
}
|
|
191
206
|
export interface AgentProof {
|
|
192
|
-
|
|
207
|
+
rootAgentId: string;
|
|
193
208
|
requestId: string;
|
|
194
209
|
requestedAt: string;
|
|
195
210
|
signature?: string;
|
|
@@ -205,12 +220,7 @@ export interface AgentVisibleSecretRecord {
|
|
|
205
220
|
source: SecretSource;
|
|
206
221
|
createdAt: string;
|
|
207
222
|
updatedAt: string;
|
|
208
|
-
|
|
209
|
-
authorizedCapabilities?: readonly {
|
|
210
|
-
capabilityId: string;
|
|
211
|
-
write: CapabilityWritePolicy;
|
|
212
|
-
read: CapabilityReadPolicy;
|
|
213
|
-
}[];
|
|
223
|
+
granted: boolean;
|
|
214
224
|
}
|
|
215
225
|
export interface AgentGetRuntimeManifestRequest {
|
|
216
226
|
vaultId: VaultId;
|
|
@@ -230,69 +240,35 @@ export interface AgentGetRuntimeManifestCommand {
|
|
|
230
240
|
requestedAt: string;
|
|
231
241
|
}
|
|
232
242
|
export interface AgentSelfContext {
|
|
233
|
-
|
|
234
|
-
identityId: string;
|
|
243
|
+
rootAgentId: string;
|
|
235
244
|
publicKey: string;
|
|
236
245
|
nickname?: string;
|
|
237
246
|
metadata?: Record<string, any>;
|
|
238
247
|
}
|
|
239
|
-
export type AgentCapabilityStateSource = "owner_grant" | "explicit_request" | "dispatch_discovery";
|
|
240
|
-
export type CapabilityWriteGrant = "none" | "once" | "always";
|
|
241
|
-
export interface AgentCapabilityState {
|
|
242
|
-
source: AgentCapabilityStateSource;
|
|
243
|
-
agentId: string;
|
|
244
|
-
requestId?: string;
|
|
245
|
-
capabilityId?: string;
|
|
246
|
-
operation: "dispatch_http" | "custom_http";
|
|
247
|
-
customFlowId?: string;
|
|
248
|
-
write: CapabilityWritePolicy;
|
|
249
|
-
read: CapabilityReadPolicy;
|
|
250
|
-
issuedAt?: string;
|
|
251
|
-
requestedAt: string;
|
|
252
|
-
expiresAt?: string;
|
|
253
|
-
rateLimit?: {
|
|
254
|
-
maxRequests: number;
|
|
255
|
-
windowMs: number;
|
|
256
|
-
};
|
|
257
|
-
skipAudit?: boolean;
|
|
258
|
-
writeGrant: CapabilityWriteGrant | null;
|
|
259
|
-
writeGrantedAt?: string;
|
|
260
|
-
readGrant: readonly string[] | null;
|
|
261
|
-
readGrantedAt?: string;
|
|
262
|
-
reason?: string;
|
|
263
|
-
secretId?: string;
|
|
264
|
-
targetUrl?: string;
|
|
265
|
-
}
|
|
266
|
-
export interface CapabilityStateRecord extends AgentCapabilityState {
|
|
267
|
-
vaultId: VaultId;
|
|
268
|
-
proof?: AgentProof;
|
|
269
|
-
headers?: Record<string, string>;
|
|
270
|
-
body?: string;
|
|
271
|
-
decidedAt?: string;
|
|
272
|
-
}
|
|
273
248
|
export interface AgentRuntimeManifest {
|
|
274
|
-
|
|
249
|
+
rootAgentId: string;
|
|
275
250
|
vaultId: string;
|
|
276
251
|
vaultNickname?: string;
|
|
277
252
|
issuedAt: string;
|
|
278
253
|
agent: AgentSelfContext;
|
|
279
|
-
|
|
254
|
+
grants: {
|
|
255
|
+
agentSecrets: readonly AgentSecretGrant[];
|
|
256
|
+
secretDestinations: readonly SecretDestinationGrant[];
|
|
257
|
+
};
|
|
280
258
|
tools: readonly VaultToolDefinition[];
|
|
281
259
|
}
|
|
282
260
|
export interface RequestRecord {
|
|
283
261
|
vaultId: VaultId;
|
|
284
262
|
requestId: string;
|
|
285
|
-
|
|
263
|
+
rootAgentId: string;
|
|
286
264
|
reason: string;
|
|
287
|
-
capabilityId?: string;
|
|
288
|
-
operation: "dispatch_http" | "custom_http";
|
|
289
265
|
createdAt: string;
|
|
290
266
|
request: {
|
|
291
267
|
targetUrl: string;
|
|
292
268
|
method: string;
|
|
293
269
|
headers?: Record<string, string>;
|
|
294
270
|
body?: string;
|
|
295
|
-
|
|
271
|
+
secretAlias?: string;
|
|
296
272
|
};
|
|
297
273
|
response?: {
|
|
298
274
|
status?: number;
|
|
@@ -303,51 +279,47 @@ export interface RequestRecord {
|
|
|
303
279
|
execution: {
|
|
304
280
|
status: DispatchStatus;
|
|
305
281
|
};
|
|
282
|
+
missingGrants?: {
|
|
283
|
+
agentSecret?: boolean;
|
|
284
|
+
secretDestination?: boolean;
|
|
285
|
+
};
|
|
306
286
|
}
|
|
307
287
|
export interface AgentVisibleRequestRecord {
|
|
308
288
|
requestId: string;
|
|
309
289
|
createdAt: string;
|
|
310
290
|
reason: string;
|
|
311
|
-
capabilityId?: string;
|
|
312
|
-
operation: "dispatch_http" | "custom_http";
|
|
313
291
|
targetUrl: string;
|
|
314
|
-
method: string;
|
|
315
292
|
executionStatus: DispatchStatus;
|
|
316
293
|
responseStatus?: number;
|
|
317
294
|
error?: string;
|
|
318
|
-
readGrant: readonly string[] | null;
|
|
319
295
|
hasResponseBody: boolean;
|
|
320
|
-
resultVisible: boolean;
|
|
321
296
|
}
|
|
322
297
|
export interface OwnerVisibleRequestRecord {
|
|
323
298
|
requestId: string;
|
|
324
299
|
createdAt: string;
|
|
325
|
-
|
|
300
|
+
rootAgentId: string;
|
|
326
301
|
reason: string;
|
|
327
|
-
capabilityId?: string;
|
|
328
|
-
operation: "dispatch_http" | "custom_http";
|
|
329
302
|
targetUrl: string;
|
|
330
|
-
method: string;
|
|
331
303
|
executionStatus: DispatchStatus;
|
|
332
304
|
responseStatus?: number;
|
|
333
305
|
error?: string;
|
|
334
|
-
writeGrant: CapabilityWriteGrant | null;
|
|
335
|
-
readGrant: readonly string[] | null;
|
|
336
306
|
hasResponseBody: boolean;
|
|
307
|
+
missingGrants?: {
|
|
308
|
+
agentSecret?: boolean;
|
|
309
|
+
secretDestination?: boolean;
|
|
310
|
+
};
|
|
337
311
|
}
|
|
338
312
|
export interface OwnerRequestRecord {
|
|
339
313
|
requestId: string;
|
|
340
314
|
createdAt: string;
|
|
341
|
-
|
|
315
|
+
rootAgentId: string;
|
|
342
316
|
reason: string;
|
|
343
|
-
capabilityId?: string;
|
|
344
|
-
operation: "dispatch_http" | "custom_http";
|
|
345
317
|
request: {
|
|
346
318
|
targetUrl: string;
|
|
347
319
|
method: string;
|
|
348
320
|
headers?: Record<string, string>;
|
|
349
321
|
body?: string;
|
|
350
|
-
|
|
322
|
+
secretAlias?: string;
|
|
351
323
|
};
|
|
352
324
|
response?: {
|
|
353
325
|
status?: number;
|
|
@@ -355,18 +327,18 @@ export interface OwnerRequestRecord {
|
|
|
355
327
|
body?: string;
|
|
356
328
|
error?: string;
|
|
357
329
|
};
|
|
358
|
-
writeGrant: CapabilityWriteGrant | null;
|
|
359
|
-
writeGrantedAt?: string;
|
|
360
|
-
readGrant: readonly string[] | null;
|
|
361
|
-
readGrantedAt?: string;
|
|
362
330
|
executionStatus: DispatchStatus;
|
|
331
|
+
missingGrants?: {
|
|
332
|
+
agentSecret?: boolean;
|
|
333
|
+
secretDestination?: boolean;
|
|
334
|
+
};
|
|
363
335
|
}
|
|
364
336
|
export interface VaultToolDefinition {
|
|
365
337
|
name: string;
|
|
366
338
|
description: string;
|
|
367
339
|
parameters: Record<string, any>;
|
|
368
340
|
}
|
|
369
|
-
export interface
|
|
341
|
+
export interface AgentListGrantsRequest {
|
|
370
342
|
vaultId: VaultId;
|
|
371
343
|
requestId: string;
|
|
372
344
|
requestedAt: string;
|
|
@@ -409,7 +381,7 @@ export interface OwnerListRequestsRequest {
|
|
|
409
381
|
actor: VaultPrincipal & {
|
|
410
382
|
kind: "owner";
|
|
411
383
|
};
|
|
412
|
-
|
|
384
|
+
rootAgentId?: string;
|
|
413
385
|
requestedAt: string;
|
|
414
386
|
}
|
|
415
387
|
export interface OwnerGetRequestRequest {
|
|
@@ -421,66 +393,15 @@ export interface OwnerGetRequestRequest {
|
|
|
421
393
|
targetRequestId: string;
|
|
422
394
|
requestedAt: string;
|
|
423
395
|
}
|
|
424
|
-
export interface
|
|
396
|
+
export interface OwnerApproveDispatchCommand {
|
|
425
397
|
vaultId: VaultId;
|
|
426
398
|
requestId: string;
|
|
427
|
-
|
|
428
|
-
|
|
429
|
-
kind: "agent";
|
|
430
|
-
};
|
|
431
|
-
proof: AgentProof;
|
|
432
|
-
capability: CapabilityRequestScope;
|
|
433
|
-
secretAliases?: readonly string[];
|
|
434
|
-
reason: string;
|
|
435
|
-
}
|
|
436
|
-
export interface CapabilityRequestScope {
|
|
437
|
-
operation: "dispatch_http" | "custom_http";
|
|
438
|
-
write: CapabilityWritePolicy;
|
|
439
|
-
read: CapabilityReadPolicy;
|
|
440
|
-
rateLimit?: {
|
|
441
|
-
maxRequests: number;
|
|
442
|
-
windowMs: number;
|
|
399
|
+
actor: VaultPrincipal & {
|
|
400
|
+
kind: "owner";
|
|
443
401
|
};
|
|
444
|
-
|
|
445
|
-
expiresAt?: string;
|
|
446
|
-
}
|
|
447
|
-
export interface SubmitCapabilityRequestCommand {
|
|
448
|
-
vaultId: VaultId;
|
|
449
|
-
requestId: string;
|
|
450
|
-
requester: VaultPrincipal;
|
|
451
|
-
agentId: string;
|
|
452
|
-
capability: CapabilityRequestScope;
|
|
453
|
-
reason?: string;
|
|
402
|
+
decision: DispatchApprovalDecision;
|
|
454
403
|
requestedAt: string;
|
|
455
404
|
}
|
|
456
|
-
export interface OwnerListCapabilityStatesRequest {
|
|
457
|
-
vaultId: VaultId;
|
|
458
|
-
owner: VaultPrincipal;
|
|
459
|
-
agentId?: string;
|
|
460
|
-
writeGranted?: boolean;
|
|
461
|
-
readGranted?: boolean;
|
|
462
|
-
}
|
|
463
|
-
export interface OwnerApproveCapabilityReadCommand {
|
|
464
|
-
vaultId: VaultId;
|
|
465
|
-
requestId: string;
|
|
466
|
-
owner: VaultPrincipal;
|
|
467
|
-
read?: CapabilityReadPolicy;
|
|
468
|
-
}
|
|
469
|
-
export interface OwnerAllowOnceCommand {
|
|
470
|
-
vaultId: VaultId;
|
|
471
|
-
requestId: string;
|
|
472
|
-
owner: VaultPrincipal;
|
|
473
|
-
}
|
|
474
|
-
export interface OwnerAllowAlwaysCommand {
|
|
475
|
-
vaultId: VaultId;
|
|
476
|
-
requestId: string;
|
|
477
|
-
owner: VaultPrincipal;
|
|
478
|
-
}
|
|
479
|
-
export interface OwnerDenyCommand {
|
|
480
|
-
vaultId: VaultId;
|
|
481
|
-
requestId: string;
|
|
482
|
-
owner: VaultPrincipal;
|
|
483
|
-
}
|
|
484
405
|
export interface DispatchRequest {
|
|
485
406
|
vaultId: VaultId;
|
|
486
407
|
requestId: string;
|
|
@@ -488,10 +409,8 @@ export interface DispatchRequest {
|
|
|
488
409
|
agent: VaultPrincipal & {
|
|
489
410
|
kind: "agent";
|
|
490
411
|
};
|
|
491
|
-
capability?: AgentCapability;
|
|
492
412
|
proof: AgentProof;
|
|
493
413
|
secretAlias?: string;
|
|
494
|
-
secretId?: string;
|
|
495
414
|
reason: string;
|
|
496
415
|
targetUrl: string;
|
|
497
416
|
method: string;
|
|
@@ -505,7 +424,10 @@ export interface DispatchAuthorization {
|
|
|
505
424
|
decision: DispatchDecision;
|
|
506
425
|
reason: string | null;
|
|
507
426
|
secretId: SecretId | null;
|
|
508
|
-
|
|
427
|
+
missingGrants?: {
|
|
428
|
+
agentSecret?: boolean;
|
|
429
|
+
secretDestination?: boolean;
|
|
430
|
+
};
|
|
509
431
|
}
|
|
510
432
|
export interface DispatchInstruction {
|
|
511
433
|
vaultId: VaultId;
|
|
@@ -541,6 +463,7 @@ export interface AgentRequestResult {
|
|
|
541
463
|
error?: string;
|
|
542
464
|
}
|
|
543
465
|
export interface AuditQuery {
|
|
466
|
+
vaultId: VaultId;
|
|
544
467
|
actorId?: string;
|
|
545
468
|
secretAlias?: string;
|
|
546
469
|
requestId?: string;
|
|
@@ -550,13 +473,10 @@ export declare enum AuditAction {
|
|
|
550
473
|
REGISTER_AGENT_IDENTITY = "REGISTER_AGENT_IDENTITY",
|
|
551
474
|
UPDATE_AGENT_IDENTITY = "UPDATE_AGENT_IDENTITY",
|
|
552
475
|
REGISTER_CUSTOM_FLOW = "REGISTER_CUSTOM_FLOW",
|
|
553
|
-
|
|
554
|
-
|
|
555
|
-
|
|
556
|
-
|
|
557
|
-
REJECT_CAPABILITY_WRITE = "REJECT_CAPABILITY_WRITE",
|
|
558
|
-
REJECT_CAPABILITY_READ = "REJECT_CAPABILITY_READ",
|
|
559
|
-
REVOKE_CAPABILITY = "REVOKE_CAPABILITY",
|
|
476
|
+
GRANT_AGENT_SECRET = "GRANT_AGENT_SECRET",
|
|
477
|
+
GRANT_SECRET_DESTINATION = "GRANT_SECRET_DESTINATION",
|
|
478
|
+
REVOKE_AGENT_SECRET = "REVOKE_AGENT_SECRET",
|
|
479
|
+
REVOKE_SECRET_DESTINATION = "REVOKE_SECRET_DESTINATION",
|
|
560
480
|
WRITE_SECRET = "WRITE_SECRET",
|
|
561
481
|
EXPORT_SECRET = "EXPORT_SECRET",
|
|
562
482
|
REASSIGN_ALIAS = "REASSIGN_ALIAS",
|
|
@@ -564,7 +484,7 @@ export declare enum AuditAction {
|
|
|
564
484
|
AUTHORIZE_DISPATCH = "AUTHORIZE_DISPATCH",
|
|
565
485
|
DISPATCH_SECRET = "DISPATCH_SECRET",
|
|
566
486
|
LIST_AGENTS = "LIST_AGENTS",
|
|
567
|
-
|
|
487
|
+
LIST_GRANTS = "LIST_GRANTS",
|
|
568
488
|
LIST_REQUESTS = "LIST_REQUESTS",
|
|
569
489
|
READ_REQUEST = "READ_REQUEST",
|
|
570
490
|
READ_AUDIT = "READ_AUDIT",
|
|
@@ -584,23 +504,21 @@ export declare enum AuditOutcome {
|
|
|
584
504
|
export interface AuditEntry {
|
|
585
505
|
entryId: string;
|
|
586
506
|
occurredAt: string;
|
|
587
|
-
vaultId:
|
|
507
|
+
vaultId: VaultId;
|
|
588
508
|
actor: VaultPrincipal;
|
|
589
509
|
action: AuditAction;
|
|
590
510
|
requestId?: string;
|
|
591
|
-
capabilityId?: string;
|
|
592
|
-
operation?: AgentCapability["operation"] | AuditAction;
|
|
593
511
|
targetUrl?: string;
|
|
594
512
|
secretAlias?: string;
|
|
595
513
|
secretId?: string;
|
|
596
|
-
|
|
514
|
+
rootAgentId?: string;
|
|
515
|
+
domain?: string;
|
|
597
516
|
outcome: AuditOutcome;
|
|
598
517
|
detail: string;
|
|
599
518
|
}
|
|
600
519
|
export interface AgentIdentityRecord {
|
|
601
520
|
vaultId: VaultId;
|
|
602
|
-
|
|
603
|
-
identityId: string;
|
|
521
|
+
rootAgentId: string;
|
|
604
522
|
publicKey: string;
|
|
605
523
|
privateKey?: string;
|
|
606
524
|
metadata?: Record<string, any>;
|
|
@@ -609,7 +527,7 @@ export interface AgentIdentityRecord {
|
|
|
609
527
|
}
|
|
610
528
|
export interface StoredSessionToken {
|
|
611
529
|
token: string;
|
|
612
|
-
|
|
530
|
+
rootAgentId: string;
|
|
613
531
|
issuedAt: string;
|
|
614
532
|
expiresAt?: string;
|
|
615
533
|
}
|
|
@@ -646,13 +564,14 @@ export interface OwnerListAgentsRequest {
|
|
|
646
564
|
};
|
|
647
565
|
requestedAt: string;
|
|
648
566
|
}
|
|
649
|
-
export interface
|
|
567
|
+
export interface OwnerListGrantsRequest {
|
|
650
568
|
vaultId: VaultId;
|
|
651
569
|
requestId: string;
|
|
652
570
|
actor: VaultPrincipal & {
|
|
653
571
|
kind: "owner";
|
|
654
572
|
};
|
|
655
|
-
|
|
573
|
+
rootAgentId?: string;
|
|
574
|
+
secretAlias?: string;
|
|
656
575
|
requestedAt: string;
|
|
657
576
|
}
|
|
658
577
|
export interface OwnerIssueSessionTokenRequest {
|
|
@@ -661,11 +580,11 @@ export interface OwnerIssueSessionTokenRequest {
|
|
|
661
580
|
actor: VaultPrincipal & {
|
|
662
581
|
kind: "owner";
|
|
663
582
|
};
|
|
664
|
-
|
|
583
|
+
rootAgentId: string;
|
|
665
584
|
requestedAt: string;
|
|
666
585
|
}
|
|
667
586
|
export interface OwnerSessionToken {
|
|
668
587
|
token: string;
|
|
669
|
-
|
|
588
|
+
rootAgentId: string;
|
|
670
589
|
issuedAt: string;
|
|
671
590
|
}
|