@the-ai-company/cbio-node-runtime 1.63.3 → 1.63.5

package/README.md

@@ -1,4 +1,4 @@
-# cbio Vault Runtime
+# cbio Vault Runtime (v1.65.1)
 
 Node.js vault runtime with a **Sovereign Vault** architecture: authority is rooted in a master password, and agent identities are fully managed within the vault's encrypted storage.
 
@@ -9,12 +9,11 @@ Node.js vault runtime with a **Sovereign Vault** architecture: authority is root
 ## Key Features
 
 - **No CLI / No TUI**: Pure library for integration into Node.js applications.
-- **Authority-centric**: Administrative control is tied to the vault's master password, not an external identity.
+- **Authority-centric**: Administrative control is tied to the vault's master password.
+- **Grant-Based Authorization**: Simplified, domain-level white-listing replaced the legacy grant model.
+- **Zero-Configuration Discovery**: Agents can self-introspect to discover their identity, grants, and toolset.
 - **Managed Agent Custody**: Generate and store agent private keys securely inside the vault.
-- **Agent Session Tokens**: Issue revocable, short-lived (or long-lived) tokens for agents to avoid handling raw private keys.
-- **Zero-Configuration Discovery**: Agents can self-introspect to discover their identity, capabilities, and toolset (v1.56.0+).
 - **Process Isolation**: Hard separation between the Security Process (Master) and Agent Processes (Consumers).
-- **Zero-Leak Discovery**: Vault metadata is fully encrypted and hidden until unlocked.
 
 ## Install
 
@@ -26,257 +25,97 @@ npm install @the-ai-company/cbio-node-runtime
 
 ## Usage
 
-### 1. Bootstrap a New Vault
-
-The Sovereign Vault requires only a storage provider and a master password.
+### 1. Bootstrap and Recover
 
 ```ts
-import { 
-  createVault, 
-  FsStorageProvider, 
-  createWorkspaceStorage 
-} from '@the-ai-company/cbio-node-runtime';
+import { createVault, recoverVault, FsStorageProvider } from '@the-ai-company/cbio-node-runtime';
 
 const storage = new FsStorageProvider('./my-vaults');
 
+// Create
 const myVault = await createVault(storage, {
   password: 'your-secure-password',
   nickname: 'Production Vault'
 });
 
-console.log(`Vault created: ${myVault.nickname}`);
-```
-
-### 2. Recover an Existing Vault
-
-```ts
-import { recoverVault, FsStorageProvider } from '@the-ai-company/cbio-node-runtime';
-
+// Recover
 const vault = await recoverVault(storage, {
   vaultId: myVault.core.vaultId.value,
   password: 'your-secure-password'
 });
 ```
 
-### 3. Owner Sessions for GUI Apps
-
-For long-running processes such as GUI apps, keep an `OwnerSession`, not a raw `VaultClient`.
-
-`createVaultClient(...)` creates an owner client for the current runtime. It is not intended to be cached across HMR, module reloads, or runtime swaps. `OwnerSession` gives you a stable SDK-managed handle and recreates owner clients on demand.
-
-```ts
-import { createOwnerSession, FsStorageProvider } from '@the-ai-company/cbio-node-runtime';
-
-const session = createOwnerSession(storage, {
-  vaultId: myVault.core.vaultId.value,
-  password: 'your-secure-password',
-});
-
-const createdAgent = await session.withClient((client) =>
-  client.ownerCreateAgent({ nickname: 'Background Worker' })
-);
-
-const ownerClient = await session.client();
-const agents = await ownerClient.ownerListAgents();
-
-// Invalidate the session when your app unloads or explicitly locks the vault.
-session.invalidate();
-```
-
-If you are writing a short-lived script, `recoverVault(...)` plus `createVaultClient(...)` is still fine.
-
-### 4. Managed Agent Identities
-
-You can generate and register agents directly within the vault. The vault holds the private keys for full custody.
+### 2. Manage Agents and Grants (Owner)
 
 ```ts
-import { createVaultClient } from '@the-ai-company/cbio-node-runtime';
+import { createOwnerClient } from '@the-ai-company/cbio-node-runtime';
 
-const client = createVaultClient({
+const client = createOwnerClient({
   vault: vault.vault,
   passwordVerifier: vault.verifyPassword
 });
 
-// Generate and register a new agent in one step
-const createdAgent = await client.ownerCreateAgent({
-  nickname: 'Background Worker'
-});
+// 1. Create an agent
+const { agent, sessionToken } = await client.ownerCreateAgent({ nickname: 'Bot' });
 
-const agentId = createdAgent.agent.agentId;
-console.log(`Agent public key: ${createdAgent.agent.publicKey}`);
-console.log(`Identity ID: ${createdAgent.agent.identityId}`);
-const session = createdAgent.sessionToken;
+// 2. Create a secret
+const secret = await client.ownerCreateSecret({ alias: 'api-key', plaintext: 'sk-...' });
 
-// RECOMENDED (v1.48.4+): Batch issue tokens for all agents at once
-const tokens = await client.ownerIssueAllSessionTokens();
-
-// ownerListAgents() also includes current session tokens for each agent
-const agents = await client.ownerListAgents();
+// 3. Grant access (Whitelist)
+await client.ownerGrantAgentSecret({ rootAgentId: agent.rootAgentId, secretAlias: 'api-key' });
+await client.ownerGrantSecretDestination({ secretAlias: 'api-key', domain: 'api.openai.com' });
 ```
 
-### 5. Secret Management (Owner)
+### 3. Dispatch Secrets (Agent)
 
-```ts
-// Create a secret. Active aliases must stay unique.
-const record = await client.ownerCreateSecret({
-  alias: 'api-token',
-  plaintext: 'super-secret-value'
-});
+Agents use a "Zero-Configuration" workflow. They don't need to know their permissions up front; the system guides them.
 
-// 4. Grant agent capabilities
-await client.ownerGrantCapability({
-  agentId,
-  write: {
-    secretIds: [record.secretId.value],
-    scope: 'https://api.example.com/*',
-    methods: ['POST']
-  },
-  read: { paths: ['$'] }
-});
-```
-
-### 6. Consuming Secrets (Agent)
-
-Agents run in isolated processes and communicate with the vault via a transport. Agent execution now requires a **Session Token** issued by the owner.
-
-#### Using a Session Token (Stateless/Token-based)
 ```ts
 import { createAgentClient } from '@the-ai-company/cbio-node-runtime';
 
-const agent = createAgentClient({
-  agentIdentity: { agentId },
-  capability: myCapability, 
-  token: session.token,
+const agentClient = createAgentClient({
+  rootAgentIdentity: agent,
+  token: sessionToken.token,
   vault: vault.vault
 });
 
-const result = await agent.agentDispatch({ ... });
-const requests = await agent.agentListRequests();
-const request = await agent.agentGetRequest(result.requestId);
-const ownerView = await client.ownerGetRequest({ requestId: result.requestId });
-```
-
-The agent process does not execute directly with its raw private key. If it has an identity key, it still needs to exchange that trust for a session token before dispatching.
-
-LLM-facing rule of thumb:
-- `agentDispatch(...)` means "do the task now". It attempts real execution immediately.
-- `agentDispatch(...)` requires a one-sentence `reason` for the owner explaining why this exact request should be sent.
-- `agentSubmitCapabilityRequest(...)` means "ask for permission". It never executes the task by itself.
-- `agentSubmitCapabilityRequest(...)` also requires a one-sentence `reason` so the owner understands why the broader permission is needed.
-- `agentListRequests()` / `agentGetRequest(...)` are how the agent checks asynchronous results after execution.
-- `ownerListRequests()` / `ownerGetRequest(...)` are how the owner reviews the full sealed request record before approving read.
-
-### 7. Proactive Capability Requests
-
-If an LLM or orchestration layer already knows it needs a broader scope, it can create a capability carrier up front instead of discovering one URL at a time through failed dispatch attempts.
-
-```ts
-const request = await client.ownerSubmitCapabilityRequest({
-  requester: { kind: 'trusted_executor', id: 'llm-planner' },
-  agentId,
-  write: {
-    secretIds: [record.secretId.value],
-    scope: 'https://api.example.com/users/*',
-    methods: ['GET']
-  },
-  read: { paths: ['$'] },
-  reason: 'Need collection-level user read access'
+// Dispatch request
+const result = await agentClient.agentDispatch({
+  targetUrl: 'https://api.openai.com/v1/chat/completions',
+  method: 'POST',
+  secretAlias: 'api-key',
+  reason: 'Processing user request'
 });
 
-const pendingRequests = await client.ownerListCapabilityStates({ writeGranted: false });
-
-await client.ownerAllowAlways({
-  requestId: pendingRequests[0].requestId
-});
-
-await client.ownerApproveCapabilityRead({
-  requestId: pendingRequests[0].requestId,
-  read: { paths: ['data.id', 'data.status'] }
-});
+if (result.status === 'PENDING') {
+  console.log("Stalled for HITL approval. Request ID:", result.requestId);
+}
 ```
 
-This uses the same carrier model as dispatch discovery:
-- `ownerSubmitCapabilityRequest(...)` creates a capability carrier for owner review.
-- `ownerOnCapabilityState(...)` pushes new carrier changes to the owner UI or controller.
-- `ownerAllowAlways(...)` persists the carrier as an active capability. For dispatch discovery it also executes the blocked request; for explicit requests it grants the capability without sending network traffic.
-- `ownerAllowOnce(...)` executes the approved write action once and then deletes the carrier record. This option is only valid for dispatch discovery carriers that already contain a concrete blocked request.
-- `ownerApproveCapabilityRead(...)` approves response release separately on the same carrier record and may replace the pending `read` policy with a narrower `paths` whitelist.
-- Response shape is always visible. `read.paths` only controls which values are revealed, and `['$']` means the full response body is visible.
-- `ownerDeny(...)` rejects the currently pending action on the carrier.
+### 4. Human-in-the-Loop (Owner Approval)
 
-### 8. Zero-Configuration Agent Discovery (v1.56.0+)
-
-Instead of hard-coding the agent's capabilities or tools, the agent can self-introspect at runtime. This is the "--help" and "llms.txt" for your agent.
+If a dispatch is blocked (status `PENDING`), the owner reviews the request record:
 
 ```ts
-const manifest = await agent.agentIntrospect();
+// List pending requests
+const pending = await client.ownerListRequests({ status: 'PENDING' });
 
-console.log(manifest.agent.agentId);      // Vault-known agent ID
-console.log(manifest.agent.identityId);   // Stable identity ID
-console.log(manifest.agent.nickname);     // Optional nickname
-console.log(manifest.capabilities);       // Capability carriers with write/read action states
-console.log(manifest.tools);              // List of available API tools with JSON-Schema
+// Approve with the "Allow & Grant" shortcut
+await client.ownerApproveDispatch({
+  requestId: pending[0].requestId,
+  decision: 'allow_and_grant' // Approves THIS request AND provisions permanent grants
+});
 ```
 
-This manifest can be directly fed into an LLM's system prompt or tool-calling configuration to enable fully autonomous, zero-config integration.
-
-`agentListCapabilities()` returns the same carrier view used by the manifest, and `agentListRequests()` / `agentGetRequest()` expose sealed request history and per-request results through controlled interfaces.
+Decisions can be:
+- `allow_once`: Execute once, no permanent whitelist update.
+- `allow_and_grant`: Execute and add to the permanent whitelist (Zero-Config).
+- `deny`: Reject the request.
 
 ---
 
 ## Documentation
 
-- [Custody Model](docs/CUSTODY_MODEL.md) - Understanding managed agency and key storage.
-- [Process Isolation](docs/PROCESS_ISOLATION.md) - Guidelines for A/B architecture.
-
-## Architecture Rules
-
-1. **Secret Isolation**: Plane-text secrets never leave the Security Process.
-2. **Authority Root**: The master password is the only source of administrative authority.
-3. **Auditability**: Every administrative and agent action is recorded in the vault's audit log under the `vault-master` or agent principal.
-4. **Binary Discovery**: Either the vault is unlocked and visible, or it is a silent directory of encrypted shards.
-
-### Human-in-the-Loop (HITL) Workflow
-
-If an agent attempts an action not explicitly in its white-list, the dispatch returns `PENDING` and the runtime records a capability carrier whose `write` action is still pending owner approval:
-
-```ts
-// In Agent process
-const result = await agent.agentDispatch({ ... });
-if (result.status === 'PENDING') {
-  console.log("Discovery needed: Waiting for owner approval...");
-}
-
-// OR: Use the observer for real-time push
-client.ownerOnCapabilityState((state) => {
-  if (state.writeGrant === null) {
-    console.log("New pending capability carrier:", state.requestId);
-  }
-});
-
-// In Owner process (GUI or Script)
-const pending = await client.ownerListCapabilityStates({ writeGranted: false });
-if (pending.length > 0) {
-  await client.ownerAllowAlways({
-    requestId: pending[0].requestId
-  });
-  await client.ownerApproveCapabilityRead({
-    requestId: pending[0].requestId
-  });
-}
-```
-
-## Build & Test
-
-```bash
-npm run build
-npm test
-```
-```ts
-// 9. Sensitive actions (v1.55.0+)
-// Sensitive reads require the vault password again for verification
-const plaintext = await client.ownerReadSecretPlaintext({
-  alias: 'api-token',
-  password: 'your-secure-password'
-});
-```
+- [Architecture](docs/ARCHITECTURE.md) - Deep dive into the Sovereign Vault model.
+- [Reference](docs/REFERENCE.md) - API surface and type definitions.
+- [Migration Guide](docs/MIGRATION-1.65.md) - Moving from v1.4x (Capabilities) to v1.65 (Grants).

package/dist/clients/agent/client.d.ts

@@ -1,52 +1,42 @@
-import type { CreatedIdentity } from "../../runtime/identity.js";
 import { type Clock } from "../../vault-core/index.js";
 import type { VaultService } from "../../vault-ingress/index.js";
-import type { AgentCapabilityEnvelope, AgentDispatchIntent, AgentDispatchTransport, AgentSubmitCapabilityRequestInput, AgentVisibleRequestRecord, AgentVisibleSecretRecord } from "./contracts.js";
+import type { AgentDispatchIntent, AgentDispatchTransport, AgentVisibleRequestRecord, AgentVisibleSecretRecord } from "./contracts.js";
 export interface AgentIdentity {
-    agentId: string;
+    rootAgentId: string;
 }
 /**
  * A client for agents to perform authorized operations (e.g., dispatch HTTP requests with secrets).
- * This client uses a delegated capability granted by the owner.
+ * This client uses a session token managed by the owner.
  * Agents can use secrets and request broader access, but they do not directly manage
- * the secret lifecycle inside the vault. Newly obtained credentials are persisted only
- * through owner actions or owner-configured vault flows that explicitly capture them.
+ * the secret lifecycle inside the vault.
  */
 export interface AgentClient {
     /**
      * Dispatches a session-token-authenticated request to a target using a vault secret.
-     *
-     * @param intent - The destination, method, and secret alias to use.
-     * @returns The result of the remote operation.
-     *
-     * @example
-     * ```ts
-     * const result = await agent.agentDispatch({
-     *   targetUrl: 'https://api.example.com/data',
-     *   method: 'POST',
-     *   secretAlias: 'api-token',
-     *   body: JSON.stringify({ key: 'value' })
-     * });
-     * ```
+     * If the grant is missing, it will return a PENDING status.
      */
     agentDispatch(intent: AgentDispatchIntent): Promise<import("../../vault-core/index.js").DispatchResult>;
-    agentListCapabilities(): Promise<readonly import("../../vault-core/index.js").AgentCapabilityState[]>;
+    /**
+     * List secrets the agent can see, including whether they are granted or not.
+     */
     agentListSecrets(): Promise<readonly AgentVisibleSecretRecord[]>;
+    /**
+     * List previous requests sent by this agent.
+     */
     agentListRequests(): Promise<readonly AgentVisibleRequestRecord[]>;
+    /**
+     * Get details of a specific request.
+     */
     agentGetRequest(requestId: string): Promise<import("../../vault-core/index.js").AgentRequestResult>;
     /**
-     * Introspects the current runtime environment, providing identity, capabilities, and a toolbox manifest.
-     * Equivalent to '--help' or 'llms.txt' for the agent.
-     * This is the primary place where an agent should learn its operational boundary:
-     * it can use existing secrets and request more permission, but it cannot directly
-     * create, update, or remove secrets in the vault.
+     * Introspects the current runtime environment, providing identity, grants, and a toolbox manifest.
      */
     agentIntrospect(): Promise<import("../../vault-core/index.js").AgentRuntimeManifest>;
-    agentSubmitCapabilityRequest(input: AgentSubmitCapabilityRequestInput): Promise<import("../../vault-core/index.js").CapabilityStateRecord>;
 }
 export interface CreateAgentClientOptions {
-    agentIdentity: CreatedIdentity | AgentIdentity;
-    capability: AgentCapabilityEnvelope;
+    agentRecord: AgentIdentity | {
+        id: string;
+    };
     vault?: VaultService;
     transport?: AgentDispatchTransport;
     token: string;
@@ -54,17 +44,5 @@ export interface CreateAgentClientOptions {
 }
 /**
  * Creates an {@link AgentClient} for a delegated identity.
- *
- * @param options - Configuration including agent identity, capability, and transport.
- * @returns An initialized {@link AgentClient}.
- *
- * @example
- * ```ts
- * const agent = createAgentClient({
- *   agentIdentity,
- *   capability,
- *   vault
- * });
- * ```
  */
 export declare function createAgentClient(options: CreateAgentClientOptions): AgentClient;

package/dist/clients/agent/client.js

@@ -3,13 +3,11 @@ import { SystemClock } from "../../vault-core/index.js";
 import { LocalVaultTransport } from "../../vault-ingress/defaults.js";
 class DefaultAgentClient {
     _identity;
-    _capability;
     _transport;
     _clock;
     _token;
-    constructor(_identity, _capability, _transport, _clock, _token) {
+    constructor(_identity, _transport, _clock, _token) {
         this._identity = _identity;
-        this._capability = _capability;
         this._transport = _transport;
         this._clock = _clock;
         this._token = _token;
@@ -22,30 +20,15 @@ class DefaultAgentClient {
             throw new Error("agentDispatch requires a non-empty reason for owner review");
         }
         return this._transport.agentDispatch({
-            vaultId: this._capability.vaultId,
+            vaultId: { value: "" }, // Will be filled by transport/vault if needed, or ignored if local
             requestId,
             requestedAt,
             agent: {
                 kind: "agent",
-                id: this._identity.agentId,
-            },
-            capability: {
-                vaultId: this._capability.vaultId,
-                capabilityId: this._capability.capabilityId,
-                agentId: this._capability.agentId,
-                operation: this._capability.operation,
-                customFlowId: this._capability.customFlowId,
-                write: this._capability.write,
-                read: this._capability.read,
-                issuedAt: this._capability.issuedAt,
-                expiresAt: this._capability.expiresAt,
-                revocationVersion: this._capability.revocationVersion,
-                rateLimit: this._capability.rateLimit,
-                skipAudit: this._capability.skipAudit,
+                id: this._identity.rootAgentId,
             },
             proof: {
-                agentId: this._identity.agentId,
-                token: this._token,
+                rootAgentId: this._identity.rootAgentId,
                 requestId,
                 requestedAt,
             },
@@ -57,118 +40,63 @@ class DefaultAgentClient {
             body: intent.body,
         });
     }
-    async _createProof(requestId, requestedAt, _action, _payload = {}) {
+    async _createProof(requestId, requestedAt) {
         return {
-            agentId: this._identity.agentId,
-            token: this._token,
+            rootAgentId: this._identity.rootAgentId,
             requestId,
             requestedAt,
         };
     }
-    async agentListCapabilities() {
-        const requestedAt = this._clock.nowIso();
-        const requestId = createRequestIdValue("list_capabilities");
-        return this._transport.agentListCapabilities({
-            vaultId: this._capability.vaultId,
-            requestId,
-            requestedAt,
-            agent: { kind: "agent", id: this._identity.agentId },
-            proof: await this._createProof(requestId, requestedAt, "list_capabilities"),
-        });
-    }
     async agentListSecrets() {
         const requestedAt = this._clock.nowIso();
         const requestId = createRequestIdValue("list_secrets");
         return this._transport.agentListSecrets({
-            vaultId: this._capability.vaultId,
+            vaultId: { value: "" },
             requestId,
             requestedAt,
-            agent: { kind: "agent", id: this._identity.agentId },
-            proof: await this._createProof(requestId, requestedAt, "list_secrets"),
+            agent: { kind: "agent", id: this._identity.rootAgentId },
+            proof: await this._createProof(requestId, requestedAt),
         });
     }
     async agentIntrospect() {
         const requestedAt = this._clock.nowIso();
         const requestId = createRequestIdValue("get_manifest");
         return this._transport.agentGetRuntimeManifest({
-            vaultId: this._capability.vaultId,
+            vaultId: { value: "" },
             requestId,
             requestedAt,
-            agent: { kind: "agent", id: this._identity.agentId },
-            proof: await this._createProof(requestId, requestedAt, "get_manifest"),
+            agent: { kind: "agent", id: this._identity.rootAgentId },
+            proof: await this._createProof(requestId, requestedAt),
         });
     }
     async agentListRequests() {
         const requestedAt = this._clock.nowIso();
         const requestId = createRequestIdValue("list_requests");
         return this._transport.agentListRequests({
-            vaultId: this._capability.vaultId,
+            vaultId: { value: "" },
             requestId,
             requestedAt,
-            agent: { kind: "agent", id: this._identity.agentId },
-            proof: await this._createProof(requestId, requestedAt, "list_requests"),
+            agent: { kind: "agent", id: this._identity.rootAgentId },
+            proof: await this._createProof(requestId, requestedAt),
         });
     }
     async agentGetRequest(targetRequestId) {
         const requestedAt = this._clock.nowIso();
         const requestId = createRequestIdValue("read_request_result");
         return this._transport.agentGetRequest({
-            vaultId: this._capability.vaultId,
+            vaultId: { value: "" },
             requestId,
             requestedAt,
             targetRequestId,
-            agent: { kind: "agent", id: this._identity.agentId },
-            proof: await this._createProof(requestId, requestedAt, "read_request_result", { targetRequestId }),
+            agent: { kind: "agent", id: this._identity.rootAgentId },
+            proof: await this._createProof(requestId, requestedAt),
         });
     }
-    async agentSubmitCapabilityRequest(input) {
-        const requestedAt = input.requestedAt ?? this._clock.nowIso();
-        const requestId = createRequestIdValue("submit_capability_request");
-        const reason = input.reason.trim();
-        if (!reason) {
-            throw new Error("agentSubmitCapabilityRequest requires a non-empty reason for owner review");
-        }
-        const payload = {
-            write: {
-                ...input.write,
-                secretAliases: input.secretAliases ?? null,
-            },
-            read: input.read,
-            operation: input.operation ?? "dispatch_http",
-            reason,
-        };
-        return this._transport.agentSubmitCapabilityRequest({
-            vaultId: this._capability.vaultId,
-            requestId,
-            requestedAt,
-            agent: { kind: "agent", id: this._identity.agentId },
-            proof: await this._createProof(requestId, requestedAt, "submit_capability_request", payload),
-            capability: {
-                operation: input.operation ?? "dispatch_http",
-                write: {
-                    scope: input.write.scope,
-                    methods: [...input.write.methods],
-                },
-                read: { paths: [...input.read.paths] },
-            },
-            secretAliases: input.secretAliases ? [...input.secretAliases] : undefined,
-            reason,
-        });
-    }
-}
-function isCreateAgentClientOptions(value) {
-    return typeof value === "object" && value !== null && "agentIdentity" in value && "capability" in value;
 }
 function resolveAgentIdentity(options) {
-    return "agentId" in options.agentIdentity
-        ? options.agentIdentity
-        : { agentId: options.agentIdentity.identityId };
-}
-function resolveAgentToken(options) {
-    if (!options.token) {
-        throw new Error("createAgentClient() requires a session token; raw private-key execution is not supported");
-    }
-    return options.token;
+    return "rootAgentId" in options.agentRecord
+        ? options.agentRecord
+        : { rootAgentId: options.agentRecord.id };
 }
 function resolveAgentTransport(options) {
     if (options.transport) {
@@ -181,23 +109,8 @@ function resolveAgentTransport(options) {
 }
 /**
  * Creates an {@link AgentClient} for a delegated identity.
- *
- * @param options - Configuration including agent identity, capability, and transport.
- * @returns An initialized {@link AgentClient}.
- *
- * @example
- * ```ts
- * const agent = createAgentClient({
- *   agentIdentity,
- *   capability,
- *   vault
- * });
- * ```
  */
 export function createAgentClient(options) {
-    if (!isCreateAgentClientOptions(options)) {
-        throw new Error("createAgentClient() requires a single options object");
-    }
-    return new DefaultAgentClient(resolveAgentIdentity(options), options.capability, resolveAgentTransport(options), options.clock ?? new SystemClock(), resolveAgentToken(options));
+    return new DefaultAgentClient(resolveAgentIdentity(options), resolveAgentTransport(options), options.clock ?? new SystemClock(), options.token);
 }
 //# sourceMappingURL=client.js.map

package/dist/clients/agent/client.js.map

@@ -1 +1 @@
-{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/clients/agent/client.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AACpE,OAAO,EAAE,WAAW,EAAc,MAAM,2BAA2B,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,iCAAiC,CAAC;AAgEtE,MAAM,kBAAkB;IAEH;IACA;IACA;IACA;IACA;IALnB,YACmB,SAAwB,EACxB,WAAoC,EACpC,UAAkC,EAClC,MAAa,EACb,MAAc;QAJd,cAAS,GAAT,SAAS,CAAe;QACxB,gBAAW,GAAX,WAAW,CAAyB;QACpC,eAAU,GAAV,UAAU,CAAwB;QAClC,WAAM,GAAN,MAAM,CAAO;QACb,WAAM,GAAN,MAAM,CAAQ;IAC9B,CAAC;IAEJ,KAAK,CAAC,aAAa,CAAC,MAA2B;QAC7C,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC/D,MAAM,SAAS,GAAG,oBAAoB,CAAC,UAAU,CAAC,CAAC;QACnD,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QACpC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC;QAED,OAAO,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC;YACnC,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;YACjC,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;aAC3B;YACD,UAAU,EAAE;gBACV,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;gBACjC,YAAY,EAAE,IAAI,CAAC,WAAW,CAAC,YAAY;gBAC3C,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;gBACjC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,YAAY,EAAE,IAAI,CAAC,WAAW,CAAC,YAAY;gBAC3C,KAAK,EAAE,IAAI,CAAC,WAAW,CAAC,KAAK;gBAC7B,IAAI,EAAE,IAAI,CAAC,WAAW,CAAC,IAAI;gBAC3B,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC,QAAQ;gBACnC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,iBAAiB,EAAE,IAAI,CAAC,WAAW,CAAC,iBAAiB;gBACrD,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;gBACrC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,SAAS;aACtC;YACD,KAAK,EAAE;gBACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;gBAC/B,KAAK,EAAE,IAAI,CAAC,MAAM;gBAClB,SAAS;gBACT,WAAW;aACZ;YACD,MAAM;YACN,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,IAAI,EAAE,MAAM,CAAC,IAAI;SAClB,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,YAAY,CACxB,SAAiB,EACjB,WAAmB,EACnB,OAAe,EACf,WAAoC,EAAE;QAEtC,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO;YAC/B,KAAK,EAAE,IAAI,CAAC,MAAM;YAClB,SAAS;YACT,WAAW;SACZ,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,qBAAqB;QACzB,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,oBAAoB,CAAC,mBAAmB,CAAC,CAAC;QAC5D,OAAO,IAAI,CAAC,UAAU,CAAC,qBAAqB,CAAC;YAC3C,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;YACjC,SAAS;YACT,WAAW;YACX,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE;YACpD,KAAK,EAAE,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,WAAW,EAAE,mBAAmB,CAAC;SAC5E,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,gBAAgB;QACpB,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,oBAAoB,CAAC,cAAc,CAAC,CAAC;QACvD,OAAO,IAAI,CAAC,UAAU,CAAC,gBAAgB,CAAC;YACtC,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;YACjC,SAAS;YACT,WAAW;YACX,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE;YACpD,KAAK,EAAE,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,WAAW,EAAE,cAAc,CAAC;SACvE,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,eAAe;QACnB,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,oBAAoB,CAAC,cAAc,CAAC,CAAC;QACvD,OAAO,IAAI,CAAC,UAAU,CAAC,uBAAuB,CAAC;YAC7C,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;YACjC,SAAS;YACT,WAAW;YACX,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE;YACpD,KAAK,EAAE,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,WAAW,EAAE,cAAc,CAAC;SACvE,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,iBAAiB;QACrB,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,oBAAoB,CAAC,eAAe,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC;YACvC,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;YACjC,SAAS;YACT,WAAW;YACX,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE;YACpD,KAAK,EAAE,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,WAAW,EAAE,eAAe,CAAC;SACxE,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,eAAuB;QAC3C,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,oBAAoB,CAAC,qBAAqB,CAAC,CAAC;QAC9D,OAAO,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC;YACrC,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;YACjC,SAAS;YACT,WAAW;YACX,eAAe;YACf,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE;YACpD,KAAK,EAAE,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,WAAW,EAAE,qBAAqB,EAAE,EAAE,eAAe,EAAE,CAAC;SACnG,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,4BAA4B,CAAC,KAAwC;QACzE,MAAM,WAAW,GAAG,KAAK,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC9D,MAAM,SAAS,GAAG,oBAAoB,CAAC,2BAA2B,CAAC,CAAC;QACpE,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QACnC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,2EAA2E,CAAC,CAAC;QAC/F,CAAC;QACD,MAAM,OAAO,GAAG;YACd,KAAK,EAAE;gBACL,GAAG,KAAK,CAAC,KAAK;gBACd,aAAa,EAAE,KAAK,CAAC,aAAa,IAAI,IAAI;aAC3C;YACD,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,eAAe;YAC7C,MAAM;SACP,CAAC;QACF,OAAO,IAAI,CAAC,UAAU,CAAC,4BAA4B,CAAC;YAClD,OAAO,EAAE,IAAI,CAAC,WAAW,CAAC,OAAO;YACjC,SAAS;YACT,WAAW;YACX,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE;YACpD,KAAK,EAAE,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,WAAW,EAAE,2BAA2B,EAAE,OAAO,CAAC;YAC5F,UAAU,EAAE;gBACV,SAAS,EAAE,KAAK,CAAC,SAAS,IAAI,eAAe;gBAC7C,KAAK,EAAE;oBACL,KAAK,EAAE,KAAK,CAAC,KAAK,CAAC,KAAK;oBACxB,OAAO,EAAE,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC;iBAClC;gBACD,IAAI,EAAE,EAAE,KAAK,EAAE,CAAC,GAAG,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE;aACvC;YACD,aAAa,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,GAAG,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,SAAS;YACzE,MAAM;SACP,CAAC,CAAC;IACL,CAAC;CACF;AAED,SAAS,0BAA0B,CAAC,KAAc;IAChD,OAAO,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,eAAe,IAAI,KAAK,IAAI,YAAY,IAAI,KAAK,CAAC;AAC1G,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAiC;IAC7D,OAAO,SAAS,IAAI,OAAO,CAAC,aAAa;QACvC,CAAC,CAAC,OAAO,CAAC,aAAa;QACvB,CAAC,CAAC,EAAE,OAAO,EAAE,OAAO,CAAC,aAAa,CAAC,UAAU,EAAE,CAAC;AACpD,CAAC;AAED,SAAS,iBAAiB,CAAC,OAAiC;IAC1D,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,IAAI,KAAK,CAAC,0FAA0F,CAAC,CAAC;IAC9G,CAAC;IACD,OAAO,OAAO,CAAC,KAAK,CAAC;AACvB,CAAC;AAED,SAAS,qBAAqB,CAC5B,OAAiC;IAEjC,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QACtB,OAAO,OAAO,CAAC,SAAS,CAAC;IAC3B,CAAC;IACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,OAAO,IAAI,mBAAmB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAChD,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;AACrE,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAiC;IACjE,IAAI,CAAC,0BAA0B,CAAC,OAAO,CAAC,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,sDAAsD,CAAC,CAAC;IAC1E,CAAC;IACD,OAAO,IAAI,kBAAkB,CAC3B,oBAAoB,CAAC,OAAO,CAAC,EAC7B,OAAO,CAAC,UAAU,EAClB,qBAAqB,CAAC,OAAO,CAAC,EAC9B,OAAO,CAAC,KAAK,IAAI,IAAI,WAAW,EAAE,EAClC,iBAAiB,CAAC,OAAO,CAAC,CAC3B,CAAC;AACJ,CAAC"}
+{"version":3,"file":"client.js","sourceRoot":"","sources":["../../../src/clients/agent/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AACpE,OAAO,EAAE,WAAW,EAAc,MAAM,2BAA2B,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,MAAM,iCAAiC,CAAC;AAuDtE,MAAM,kBAAkB;IAEH;IACA;IACA;IACA;IAJnB,YACmB,SAAwB,EACxB,UAAkC,EAClC,MAAa,EACb,MAAc;QAHd,cAAS,GAAT,SAAS,CAAe;QACxB,eAAU,GAAV,UAAU,CAAwB;QAClC,WAAM,GAAN,MAAM,CAAO;QACb,WAAM,GAAN,MAAM,CAAQ;IAC9B,CAAC;IAEJ,KAAK,CAAC,aAAa,CAAC,MAA2B;QAC7C,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QAC/D,MAAM,SAAS,GAAG,oBAAoB,CAAC,UAAU,CAAC,CAAC;QACnD,MAAM,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QACpC,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CAAC,4DAA4D,CAAC,CAAC;QAChF,CAAC;QAED,OAAO,IAAI,CAAC,UAAU,CAAC,aAAa,CAAC;YACnC,OAAO,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,EAAE,mEAAmE;YAC3F,SAAS;YACT,WAAW;YACX,KAAK,EAAE;gBACL,IAAI,EAAE,OAAO;gBACb,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW;aAC/B;YACD,KAAK,EAAE;gBACL,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW;gBACvC,SAAS;gBACT,WAAW;aACZ;YACD,MAAM;YACN,WAAW,EAAE,MAAM,CAAC,WAAW;YAC/B,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,IAAI,EAAE,MAAM,CAAC,IAAI;SAClB,CAAC,CAAC;IACL,CAAC;IAEO,KAAK,CAAC,YAAY,CACxB,SAAiB,EACjB,WAAmB;QAEnB,OAAO;YACL,WAAW,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW;YACvC,SAAS;YACT,WAAW;SACZ,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,gBAAgB;QACpB,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,oBAAoB,CAAC,cAAc,CAAC,CAAC;QACvD,OAAO,IAAI,CAAC,UAAU,CAAC,gBAAgB,CAAC;YACtC,OAAO,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE;YACtB,SAAS;YACT,WAAW;YACX,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE;YACxD,KAAK,EAAE,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,WAAW,CAAC;SACvD,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,eAAe;QACnB,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,oBAAoB,CAAC,cAAc,CAAC,CAAC;QACvD,OAAO,IAAI,CAAC,UAAU,CAAC,uBAAuB,CAAC;YAC7C,OAAO,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE;YACtB,SAAS;YACT,WAAW;YACX,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE;YACxD,KAAK,EAAE,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,WAAW,CAAC;SACvD,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,iBAAiB;QACrB,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,oBAAoB,CAAC,eAAe,CAAC,CAAC;QACxD,OAAO,IAAI,CAAC,UAAU,CAAC,iBAAiB,CAAC;YACvC,OAAO,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE;YACtB,SAAS;YACT,WAAW;YACX,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE;YACxD,KAAK,EAAE,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,WAAW,CAAC;SACvD,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,eAAe,CAAC,eAAuB;QAC3C,MAAM,WAAW,GAAG,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,MAAM,SAAS,GAAG,oBAAoB,CAAC,qBAAqB,CAAC,CAAC;QAC9D,OAAO,IAAI,CAAC,UAAU,CAAC,eAAe,CAAC;YACrC,OAAO,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE;YACtB,SAAS;YACT,WAAW;YACX,eAAe;YACf,KAAK,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE;YACxD,KAAK,EAAE,MAAM,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,WAAW,CAAC;SACvD,CAAC,CAAC;IACL,CAAC;CACF;AAED,SAAS,oBAAoB,CAAC,OAAiC;IAC7D,OAAO,aAAa,IAAI,OAAO,CAAC,WAAW;QACzC,CAAC,CAAC,OAAO,CAAC,WAAW;QACrB,CAAC,CAAC,EAAE,WAAW,EAAG,OAAO,CAAC,WAAmB,CAAC,EAAE,EAAE,CAAC;AACvD,CAAC;AAED,SAAS,qBAAqB,CAC5B,OAAiC;IAEjC,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QACtB,OAAO,OAAO,CAAC,SAAS,CAAC;IAC3B,CAAC;IACD,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QAClB,OAAO,IAAI,mBAAmB,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAChD,CAAC;IACD,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;AACrE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,OAAiC;IACjE,OAAO,IAAI,kBAAkB,CAC3B,oBAAoB,CAAC,OAAO,CAAC,EAC7B,qBAAqB,CAAC,OAAO,CAAC,EAC9B,OAAO,CAAC,KAAK,IAAI,IAAI,WAAW,EAAE,EAClC,OAAO,CAAC,KAAK,CACd,CAAC;AACJ,CAAC"}