@the-ai-company/cbio-node-runtime 1.63.3 → 1.63.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (234) hide show
  1. package/README.md +48 -209
  2. package/dist/clients/agent/client.d.ts +18 -40
  3. package/dist/clients/agent/client.js +22 -109
  4. package/dist/clients/agent/client.js.map +1 -1
  5. package/dist/clients/agent/contracts.d.ts +1 -8
  6. package/dist/clients/agent/index.d.ts +1 -1
  7. package/dist/clients/owner/client.d.ts +2 -102
  8. package/dist/clients/owner/client.js +119 -240
  9. package/dist/clients/owner/client.js.map +1 -1
  10. package/dist/clients/owner/contracts.d.ts +37 -70
  11. package/dist/clients/owner/index.d.ts +2 -4
  12. package/dist/clients/owner/index.js +1 -2
  13. package/dist/clients/owner/index.js.map +1 -1
  14. package/dist/internal/id-factory.d.ts +0 -2
  15. package/dist/internal/id-factory.js +0 -6
  16. package/dist/internal/id-factory.js.map +1 -1
  17. package/dist/protocol/identity.d.ts +1 -1
  18. package/dist/protocol/identity.js +3 -3
  19. package/dist/protocol/identity.js.map +1 -1
  20. package/dist/public-types.d.ts +5 -14
  21. package/dist/public-types.js +1 -8
  22. package/dist/public-types.js.map +1 -1
  23. package/dist/runtime/bootstrap.js.map +1 -1
  24. package/dist/runtime/identity.d.ts +2 -2
  25. package/dist/runtime/identity.js +3 -5
  26. package/dist/runtime/identity.js.map +1 -1
  27. package/dist/runtime/index.d.ts +10 -12
  28. package/dist/runtime/index.js +7 -8
  29. package/dist/runtime/index.js.map +1 -1
  30. package/dist/runtime/owner-session.d.ts +7 -6
  31. package/dist/runtime/owner-session.js +5 -6
  32. package/dist/runtime/owner-session.js.map +1 -1
  33. package/dist/storage/fs.d.ts +3 -2
  34. package/dist/storage/fs.js +8 -5
  35. package/dist/storage/fs.js.map +1 -1
  36. package/dist/storage/prefix.d.ts +1 -0
  37. package/dist/storage/prefix.js +7 -0
  38. package/dist/storage/prefix.js.map +1 -1
  39. package/dist/storage/provider.d.ts +2 -0
  40. package/dist/vault-core/contracts.d.ts +112 -193
  41. package/dist/vault-core/contracts.js +5 -8
  42. package/dist/vault-core/contracts.js.map +1 -1
  43. package/dist/vault-core/core.d.ts +127 -62
  44. package/dist/vault-core/core.js +500 -1182
  45. package/dist/vault-core/core.js.map +1 -1
  46. package/dist/vault-core/defaults.d.ts +26 -42
  47. package/dist/vault-core/defaults.js +73 -229
  48. package/dist/vault-core/defaults.js.map +1 -1
  49. package/dist/vault-core/errors.d.ts +3 -2
  50. package/dist/vault-core/errors.js.map +1 -1
  51. package/dist/vault-core/index.d.ts +5 -5
  52. package/dist/vault-core/index.js +2 -2
  53. package/dist/vault-core/index.js.map +1 -1
  54. package/dist/vault-core/persistence.d.ts +78 -118
  55. package/dist/vault-core/persistence.js +329 -421
  56. package/dist/vault-core/persistence.js.map +1 -1
  57. package/dist/vault-core/ports.d.ts +19 -24
  58. package/dist/vault-core/read-policy.d.ts +3 -2
  59. package/dist/vault-core/read-policy.js.map +1 -1
  60. package/dist/vault-core/tool-metadata.js +2 -2
  61. package/dist/vault-core/tool-metadata.js.map +1 -1
  62. package/dist/vault-ingress/defaults.d.ts +4 -2
  63. package/dist/vault-ingress/defaults.js +14 -8
  64. package/dist/vault-ingress/defaults.js.map +1 -1
  65. package/dist/vault-ingress/index.d.ts +43 -117
  66. package/dist/vault-ingress/index.js +98 -453
  67. package/dist/vault-ingress/index.js.map +1 -1
  68. package/dist/vault-ingress/remote-transport.d.ts +5 -3
  69. package/dist/vault-ingress/remote-transport.js +8 -28
  70. package/dist/vault-ingress/remote-transport.js.map +1 -1
  71. package/docs/ARCHITECTURE.md +39 -22
  72. package/docs/CUSTODY_MODEL.md +1 -1
  73. package/docs/IDENTITY_MODEL.md +5 -5
  74. package/docs/MIGRATION-1.51.md +19 -19
  75. package/docs/MIGRATION-1.65.md +61 -0
  76. package/docs/PROCESS_ISOLATION.md +2 -2
  77. package/docs/REFERENCE.md +42 -224
  78. package/docs/api/README.md +50 -29
  79. package/docs/api/classes/IdentityError.md +1 -1
  80. package/docs/api/classes/OwnerClientError.md +1 -1
  81. package/docs/api/classes/PersistentVaultAgentIdentityRegistry.md +89 -0
  82. package/docs/api/classes/PersistentVaultAgentSecretGrantRegistry.md +125 -0
  83. package/docs/api/classes/PersistentVaultAuditLog.md +65 -0
  84. package/docs/api/classes/PersistentVaultCustomHttpFlowRegistry.md +69 -0
  85. package/docs/api/classes/PersistentVaultSecretCustody.md +93 -0
  86. package/docs/api/classes/PersistentVaultSecretDestinationGrantRegistry.md +125 -0
  87. package/docs/api/classes/PersistentVaultSecretRepository.md +127 -0
  88. package/docs/api/classes/VaultCore.md +299 -214
  89. package/docs/api/classes/VaultCoreError.md +3 -3
  90. package/docs/api/enumerations/AuditAction.md +143 -0
  91. package/docs/api/enumerations/AuditOutcome.md +35 -0
  92. package/docs/api/enumerations/DispatchStatus.md +35 -0
  93. package/docs/api/enumerations/IdentityErrorCode.md +1 -1
  94. package/docs/api/enumerations/OwnerClientErrorCode.md +1 -1
  95. package/docs/api/functions/createAgentClient.md +1 -15
  96. package/docs/api/functions/createIdentity.md +2 -2
  97. package/docs/api/functions/createOwnerClient.md +17 -0
  98. package/docs/api/functions/createOwnerSession.md +1 -1
  99. package/docs/api/functions/createPersistentVaultCoreDependencies.md +4 -4
  100. package/docs/api/functions/createVault.md +1 -1
  101. package/docs/api/functions/createVaultCore.md +1 -1
  102. package/docs/api/functions/createVaultCoreDependencies.md +1 -1
  103. package/docs/api/functions/createVaultService.md +5 -9
  104. package/docs/api/functions/createWorkspaceStorage.md +1 -1
  105. package/docs/api/functions/deriveRootAgentId.md +17 -0
  106. package/docs/api/functions/deriveVaultWorkingKeyFromPassword.md +1 -1
  107. package/docs/api/functions/getDefaultWorkspaceDir.md +1 -1
  108. package/docs/api/functions/handleVaultAgentControlHttp.md +2 -2
  109. package/docs/api/functions/handleVaultHttpDispatch.md +2 -2
  110. package/docs/api/functions/initializeVaultCustody.md +7 -3
  111. package/docs/api/functions/listVaults.md +1 -1
  112. package/docs/api/functions/readVaultProfile.md +1 -1
  113. package/docs/api/functions/recoverVault.md +1 -1
  114. package/docs/api/functions/recoverVaultWorkingKey.md +4 -8
  115. package/docs/api/functions/restoreIdentity.md +1 -1
  116. package/docs/api/functions/updateVaultMetadata.md +1 -1
  117. package/docs/api/functions/writeVaultProfile.md +1 -1
  118. package/docs/api/interfaces/AgentClient.md +20 -59
  119. package/docs/api/interfaces/AgentDispatchIntent.md +1 -1
  120. package/docs/api/interfaces/AgentDispatchTransport.md +12 -44
  121. package/docs/api/interfaces/AgentIdentity.md +3 -3
  122. package/docs/api/interfaces/AgentIdentityRecord.md +47 -0
  123. package/docs/api/interfaces/AgentRequestResult.md +35 -0
  124. package/docs/api/interfaces/AgentRuntimeManifest.md +55 -0
  125. package/docs/api/interfaces/AgentSecretGrant.md +41 -0
  126. package/docs/api/interfaces/AgentSigner.md +1 -1
  127. package/docs/api/interfaces/AgentVisibleRequestRecord.md +53 -0
  128. package/docs/api/interfaces/AgentVisibleSecretRecord.md +65 -0
  129. package/docs/api/interfaces/AuditEntry.md +83 -0
  130. package/docs/api/interfaces/CbioRuntime.md +13 -150
  131. package/docs/api/interfaces/CreateAgentClientOptions.md +4 -10
  132. package/docs/api/interfaces/CreateIdentityOptions.md +1 -1
  133. package/docs/api/interfaces/{CreateVaultClientOptions.md → CreateOwnerClientOptions.md} +9 -11
  134. package/docs/api/interfaces/CreateOwnerSessionOptions.md +3 -117
  135. package/docs/api/interfaces/CreatePersistentVaultCoreDependenciesOptions.md +3 -131
  136. package/docs/api/interfaces/CreateVaultOptions.md +1 -121
  137. package/docs/api/interfaces/CreatedVault.md +2 -2
  138. package/docs/api/interfaces/CustomHttpFlowDefinition.md +71 -0
  139. package/docs/api/interfaces/DefaultPolicyEngineOptions.md +1 -13
  140. package/docs/api/interfaces/DispatchAuthorization.md +43 -0
  141. package/docs/api/interfaces/DispatchInstruction.md +47 -0
  142. package/docs/api/interfaces/DispatchRequest.md +83 -0
  143. package/docs/api/interfaces/DispatchResult.md +53 -0
  144. package/docs/api/interfaces/IStorageProvider.md +13 -1
  145. package/docs/api/interfaces/InitializeVaultCustodyOptions.md +31 -11
  146. package/docs/api/interfaces/InitializedVaultCustody.md +1 -7
  147. package/docs/api/interfaces/OwnerAgentProvisionResult.md +2 -2
  148. package/docs/api/interfaces/OwnerClient.md +417 -0
  149. package/docs/api/interfaces/OwnerCreateSecretInput.md +1 -1
  150. package/docs/api/interfaces/OwnerRemoveSecretInput.md +1 -1
  151. package/docs/api/interfaces/OwnerRequestRecord.md +97 -0
  152. package/docs/api/interfaces/OwnerSensitiveActionConfirmation.md +1 -1
  153. package/docs/api/interfaces/OwnerSensitiveActionContext.md +1 -1
  154. package/docs/api/interfaces/OwnerSession.md +3 -3
  155. package/docs/api/interfaces/OwnerUpdateSecretInput.md +1 -1
  156. package/docs/api/interfaces/OwnerVisibleRequestRecord.md +73 -0
  157. package/docs/api/interfaces/RecoverVaultOptions.md +1 -121
  158. package/docs/api/interfaces/RecoveredVault.md +2 -2
  159. package/docs/api/interfaces/RequestRecord.md +107 -0
  160. package/docs/api/interfaces/RestoreIdentityOptions.md +1 -1
  161. package/docs/api/interfaces/SecretAlias.md +11 -0
  162. package/docs/api/interfaces/SecretDestinationGrant.md +41 -0
  163. package/docs/api/interfaces/SecretId.md +11 -0
  164. package/docs/api/interfaces/SecretRecord.md +89 -0
  165. package/docs/api/interfaces/Signer.md +1 -1
  166. package/docs/api/interfaces/VaultApproveDispatchInput.md +3 -9
  167. package/docs/api/interfaces/VaultAuditQueryInput.md +1 -1
  168. package/docs/api/interfaces/VaultCoreDependenciesOptions.md +1 -5
  169. package/docs/api/interfaces/VaultCreateAgentInput.md +1 -1
  170. package/docs/api/interfaces/VaultExportSecretInput.md +1 -1
  171. package/docs/api/interfaces/VaultGetRequestInput.md +17 -0
  172. package/docs/api/interfaces/VaultGrantAgentSecretInput.md +23 -0
  173. package/docs/api/interfaces/VaultGrantSecretDestinationInput.md +23 -0
  174. package/docs/api/interfaces/VaultId.md +11 -0
  175. package/docs/api/interfaces/VaultImportAgentInput.md +1 -1
  176. package/docs/api/interfaces/VaultIssueSessionTokenInput.md +5 -5
  177. package/docs/api/interfaces/VaultListAgentsInput.md +1 -1
  178. package/docs/api/interfaces/VaultListGrantsInput.md +23 -0
  179. package/docs/api/interfaces/VaultListRequestsInput.md +17 -0
  180. package/docs/api/interfaces/VaultListSecretsInput.md +1 -1
  181. package/docs/api/interfaces/VaultMetadata.md +1 -1
  182. package/docs/api/interfaces/VaultObject.md +2 -2
  183. package/docs/api/interfaces/VaultPrincipal.md +17 -0
  184. package/docs/api/interfaces/VaultProfile.md +1 -1
  185. package/docs/api/interfaces/VaultReadAgentPrivateKeyInput.md +7 -7
  186. package/docs/api/interfaces/VaultReadSecretPlaintextInput.md +1 -1
  187. package/docs/api/interfaces/VaultRegisterFlowInput.md +1 -1
  188. package/docs/api/interfaces/VaultRevokeAgentSecretInput.md +23 -0
  189. package/docs/api/interfaces/VaultRevokeSecretDestinationInput.md +23 -0
  190. package/docs/api/interfaces/VaultRevokeSessionTokenInput.md +1 -1
  191. package/docs/api/interfaces/VaultService.md +547 -0
  192. package/docs/api/interfaces/VaultUpdateAgentInput.md +7 -7
  193. package/docs/api/type-aliases/AgentId.md +7 -0
  194. package/docs/api/type-aliases/CbioRuntimeModule.md +1 -1
  195. package/docs/api/type-aliases/DispatchApprovalDecision.md +7 -0
  196. package/docs/api/type-aliases/GrantStatus.md +7 -0
  197. package/docs/api/type-aliases/SecretLifecycleStatus.md +7 -0
  198. package/docs/api/type-aliases/VaultPrincipalKind.md +7 -0
  199. package/docs/api/variables/DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY.md +2 -2
  200. package/docs/es/README.md +3 -3
  201. package/docs/fr/README.md +3 -3
  202. package/docs/ja/README.md +5 -5
  203. package/docs/ko/README.md +5 -5
  204. package/docs/pt/README.md +3 -3
  205. package/docs/zh/PROCESS_ISOLATION.md +2 -2
  206. package/docs/zh/README.md +23 -24
  207. package/examples/process-isolation.ts +26 -35
  208. package/package.json +1 -1
  209. package/docs/api/functions/createOwnerHttpFlowBoundary.md +0 -17
  210. package/docs/api/functions/createStandardAcquireBoundary.md +0 -31
  211. package/docs/api/functions/createStandardDispatchBoundary.md +0 -23
  212. package/docs/api/functions/createVaultClient.md +0 -32
  213. package/docs/api/functions/deriveIdentityId.md +0 -17
  214. package/docs/api/functions/wrapVaultCoreAsVaultService.md +0 -31
  215. package/docs/api/interfaces/AgentSubmitCapabilityRequestInput.md +0 -41
  216. package/docs/api/interfaces/VaultApproveCapabilityRequestInput.md +0 -23
  217. package/docs/api/interfaces/VaultClient.md +0 -473
  218. package/docs/api/interfaces/VaultGrantCapabilityInput.md +0 -79
  219. package/docs/api/interfaces/VaultGrantCapabilityRequest.md +0 -23
  220. package/docs/api/interfaces/VaultIdentity.md +0 -11
  221. package/docs/api/interfaces/VaultListCapabilitiesInput.md +0 -17
  222. package/docs/api/interfaces/VaultRevokeCapabilityInput.md +0 -23
  223. package/docs/api/interfaces/VaultSigner.md +0 -21
  224. package/docs/api/interfaces/VaultSubmitCapabilityRequestInput.md +0 -73
  225. package/docs/api/type-aliases/AgentCapabilityEnvelope.md +0 -7
  226. package/docs/api/type-aliases/AgentVisibleSecretRecord.md +0 -7
  227. package/docs/api/type-aliases/CreateOwnerClientOptions.md +0 -7
  228. package/docs/api/type-aliases/OwnerAgentView.md +0 -7
  229. package/docs/api/type-aliases/OwnerClient.md +0 -13
  230. package/docs/api/type-aliases/OwnerGrantCapabilityInput.md +0 -7
  231. package/docs/api/type-aliases/OwnerPendingApprovalView.md +0 -7
  232. package/docs/api/type-aliases/OwnerRequestDetailView.md +0 -7
  233. package/docs/api/type-aliases/OwnerRequestSummaryView.md +0 -7
  234. package/docs/api/type-aliases/OwnerSecretView.md +0 -7
package/dist/vault-ingress/index.js CHANGED
@@ -1,6 +1,3 @@
1
- import { createVaultCore, DispatchStatus, } from "../vault-core/index.js";
2
- import { applyResponseReadPolicy } from "../vault-core/read-policy.js";
3
- import { createOwnerHttpFlowBoundary, createStandardAcquireBoundary, toOwnerHttpFlowBoundary, } from "./flow-factories.js";
4
1
  function redactResponseShapeValue(value) {
5
2
  if (value === null || value === undefined) {
6
3
  return null;
@@ -15,37 +12,14 @@ function redactResponseShapeValue(value) {
15
12
  }
16
13
  class LocalVaultService {
17
14
  _authority;
18
- _customFlows;
19
- _clock;
20
15
  _fetchImpl;
21
- constructor(_authority, _customFlows, _clock, _fetchImpl = fetch) {
16
+ constructor(_authority, _fetchImpl = fetch) {
22
17
  this._authority = _authority;
23
- this._customFlows = _customFlows;
24
- this._clock = _clock;
25
18
  this._fetchImpl = _fetchImpl;
26
19
  }
27
20
  get vaultId() {
28
21
  return this._authority.vaultId;
29
22
  }
30
- async resolveSecretId(alias) {
31
- if (!alias)
32
- return undefined;
33
- const record = await this._authority._deps.secrets.getByAlias({ value: alias });
34
- return record?.secretId.value;
35
- }
36
- async resolveSecretIds(aliases) {
37
- if (!aliases?.length)
38
- return undefined;
39
- const resolved = await Promise.all(aliases.map((alias) => this.resolveSecretId(alias)));
40
- const filtered = resolved.filter((value) => typeof value === "string");
41
- return filtered.length > 0 ? filtered : undefined;
42
- }
43
- ownerOnCapabilityState(callback) {
44
- return this._authority.ownerOnCapabilityState(callback);
45
- }
46
- ownerRegisterCapability(request) {
47
- return this._authority.ownerRegisterCapability(request);
48
- }
49
23
  ownerRegisterAgentIdentity(request) {
50
24
  return this._authority.ownerRegisterAgentIdentity(request);
51
25
  }
@@ -67,501 +41,172 @@ class LocalVaultService {
67
41
  ownerWriteSecret(request) {
68
42
  return this._authority.ownerWriteSecret(request);
69
43
  }
70
- redactResponseShape(value) {
71
- return redactResponseShapeValue(value);
44
+ ownerReadAudit(request) {
45
+ return this._authority.ownerReadAudit(request.actor, request.query);
72
46
  }
73
- buildAcquireResponseShape(flow, payload) {
74
- if (!payload || typeof payload !== "object" || Array.isArray(payload)) {
75
- return this.redactResponseShape(payload);
76
- }
77
- const record = payload;
78
- const response = {};
79
- switch (flow) {
80
- case "oauth_token_response.access_token":
81
- case "oauth_token_response.refresh_token":
82
- case "openid_token_response.id_token": {
83
- if ("token_type" in record) {
84
- response.token_type = typeof record.token_type === "string" ? record.token_type : null;
85
- }
86
- if ("expires_in" in record) {
87
- response.expires_in = typeof record.expires_in === "number" ? record.expires_in : null;
88
- }
89
- if ("scope" in record) {
90
- response.scope = typeof record.scope === "string" ? record.scope : null;
91
- }
92
- break;
93
- }
94
- }
95
- return response;
47
+ ownerExportSecret(request) {
48
+ return this._authority.ownerExportSecret(request.actor, request.alias);
96
49
  }
97
- extractSecretForFlow(flow, payload) {
98
- if (!payload || typeof payload !== "object" || Array.isArray(payload)) {
99
- throw new Error("VAULT_ACQUISITION_RESPONSE_INVALID");
100
- }
101
- const record = payload;
102
- switch (flow) {
103
- case "oauth_token_response.access_token": {
104
- if (typeof record.access_token !== "string" || !record.access_token) {
105
- throw new Error("VAULT_ACQUISITION_SECRET_NOT_FOUND");
106
- }
107
- return record.access_token;
108
- }
109
- case "oauth_token_response.refresh_token": {
110
- if (typeof record.refresh_token !== "string" || !record.refresh_token) {
111
- throw new Error("VAULT_ACQUISITION_SECRET_NOT_FOUND");
112
- }
113
- return record.refresh_token;
114
- }
115
- case "openid_token_response.id_token": {
116
- if (typeof record.id_token !== "string" || !record.id_token) {
117
- throw new Error("VAULT_ACQUISITION_SECRET_NOT_FOUND");
118
- }
119
- return record.id_token;
120
- }
121
- }
50
+ ownerListAgents(request) {
51
+ return this._authority.ownerListAgents(request.actor);
122
52
  }
123
- parseRawResponse(contentType, rawPayload) {
124
- if (!rawPayload) {
125
- return null;
126
- }
127
- if (contentType?.includes("json")) {
128
- return JSON.parse(rawPayload);
129
- }
130
- try {
131
- return JSON.parse(rawPayload);
132
- }
133
- catch {
134
- return rawPayload;
135
- }
53
+ ownerListRequests(request) {
54
+ return this._authority.ownerListRequests(request.actor, request.rootAgentId);
136
55
  }
137
- async fetchAndParse(request) {
138
- const response = await this._fetchImpl(request.url, {
139
- method: request.method ?? "GET",
140
- headers: request.headers,
141
- body: request.body,
142
- });
143
- const contentType = response.headers.get("content-type");
144
- const rawBody = await response.text();
145
- return {
146
- contentType,
147
- rawBody,
148
- parsedBody: this.parseRawResponse(contentType, rawBody),
149
- responseStatus: response.status,
150
- };
151
- }
152
- toCustomFlowResponseBody(rawBody, contentType, visibility) {
153
- if (visibility !== "shape_only") {
154
- return rawBody;
155
- }
156
- return JSON.stringify(this.redactResponseShape(this.parseRawResponse(contentType ?? null, rawBody ?? "")));
56
+ ownerGetRequest(request) {
57
+ return this._authority.ownerGetRequest(request.actor, request.targetRequestId);
157
58
  }
158
- extractCustomFlowSecret(flow, payload) {
159
- if (!flow.responseSecret) {
160
- return null;
161
- }
162
- if (flow.responseSecret.kind === "json_field") {
163
- if (!payload || typeof payload !== "object" || Array.isArray(payload)) {
164
- throw new Error("VAULT_CUSTOM_FLOW_RESPONSE_INVALID");
165
- }
166
- const value = payload[flow.responseSecret.field];
167
- if (typeof value !== "string" || !value) {
168
- throw new Error("VAULT_CUSTOM_FLOW_SECRET_NOT_FOUND");
169
- }
170
- return value;
171
- }
172
- return null;
59
+ ownerListSecrets(request) {
60
+ return this._authority.ownerListSecrets(request.owner);
61
+ }
62
+ ownerGrantAgentSecret(request) {
63
+ return this._authority.ownerGrantAgentSecret(request.actor, request.rootAgentId, request.secretAlias, request);
64
+ }
65
+ ownerGrantSecretDestination(request) {
66
+ return this._authority.ownerGrantSecretDestination(request.actor, request.secretAlias, request.domain, request);
173
67
  }
174
- async acquireSecret(request) {
175
- const standardBoundary = createStandardAcquireBoundary({
176
- targetUrl: request.url,
177
- method: request.method,
178
- responseField: request.flow === "oauth_token_response.access_token"
179
- ? "access_token"
180
- : request.flow === "oauth_token_response.refresh_token"
181
- ? "refresh_token"
182
- : "id_token",
183
- storeAlias: request.alias,
184
- });
185
- const payload = await this.fetchAndParse(request);
186
- const requestId = `acquire_secret:${Date.now()}:${request.alias}`;
187
- await this._authority.ownerWriteSecret({
188
- kind: "issuer.write_secret",
189
- vaultId: this._authority.vaultId,
190
- issuer: {
191
- kind: "trusted_issuer",
192
- id: request.issuerId,
193
- },
194
- alias: request.alias,
195
- plaintext: this.extractSecretForFlow(request.flow, payload.parsedBody),
196
- issuerSiteId: request.issuerId,
197
- source: { kind: "request", requestId },
198
- requestedAt: request.requestedAt ?? (this._clock?.nowIso() ?? new Date().toISOString()),
199
- });
200
- return {
201
- vaultId: this._authority.vaultId,
202
- alias: request.alias,
203
- status: "stored",
204
- responseStatus: payload.responseStatus,
205
- contentType: payload.contentType,
206
- responseShape: this.buildAcquireResponseShape(request.flow, payload.parsedBody),
207
- };
68
+ ownerRevokeAgentSecret(request) {
69
+ return this._authority.ownerRevokeAgentSecret(request.actor, request.rootAgentId, request.secretAlias, request);
70
+ }
71
+ ownerRevokeSecretDestination(request) {
72
+ return this._authority.ownerRevokeSecretDestination(request.actor, request.secretAlias, request.domain, request);
73
+ }
74
+ ownerListGrants(request) {
75
+ return this._authority.ownerListGrants(request.actor, request.rootAgentId, request.secretAlias);
76
+ }
77
+ ownerIssueSessionToken(request) {
78
+ return this._authority.ownerIssueSessionToken(request);
79
+ }
80
+ ownerIssueAllAgentSessionTokens(actor) {
81
+ return this._authority.ownerIssueAllAgentSessionTokens(actor);
82
+ }
83
+ ownerRevokeSessionToken(request) {
84
+ return this._authority.ownerRevokeSessionToken(request);
208
85
  }
209
86
  agentDispatch(request) {
210
87
  return this._authority.agentDispatchSecret(request);
211
88
  }
89
+ ownerApproveDispatch(request) {
90
+ return this._authority.ownerApproveDispatch(request.actor, request.requestId, request.decision);
91
+ }
92
+ ownerOnPendingDispatch(callback) {
93
+ return this._authority.ownerOnPendingDispatch(callback);
94
+ }
95
+ agentListSecrets(request) {
96
+ return this._authority.agentListSecrets(request);
97
+ }
98
+ agentListRequests(request) {
99
+ return this._authority.agentListRequests(request);
100
+ }
101
+ agentGetRequest(request) {
102
+ return this._authority.agentGetRequest(request);
103
+ }
104
+ agentGetRuntimeManifest(request) {
105
+ return this._authority.agentGetRuntimeManifest(request);
106
+ }
212
107
  async agentHandleDispatch(request) {
213
108
  try {
214
- const vaultId = { value: request.vaultId };
215
- const capability = await this.resolveCapability(vaultId, request.agentId, request.capabilityId);
216
- const secretId = await this.resolveSecretId(request.secretAlias);
217
- const customFlow = capability?.operation === "custom_http"
218
- ? await this.resolveCustomFlow(vaultId, capability.customFlowId)
219
- : null;
220
- const boundary = customFlow
221
- ? toOwnerHttpFlowBoundary(customFlow)
222
- : createOwnerHttpFlowBoundary({
223
- mode: "send_secret",
224
- targetUrl: request.targetUrl,
225
- method: request.method,
226
- responseVisibility: "passthrough",
227
- });
228
- if (customFlow) {
229
- if (request.targetUrl !== boundary.targetUrl || request.method.toUpperCase() !== boundary.method.toUpperCase()) {
230
- throw new Error("VAULT_CUSTOM_FLOW_BINDING_MISMATCH");
231
- }
232
- }
233
- if (boundary.mode === "acquire_secret") {
234
- if (!customFlow) {
235
- throw new Error("VAULT_CUSTOM_FLOW_NOT_FOUND");
236
- }
237
- const authorization = await this._authority.agentAuthorizeDispatch({
238
- vaultId,
239
- requestId: request.requestId,
240
- requestedAt: request.requestedAt,
241
- agent: {
242
- kind: "agent",
243
- id: request.agentId,
244
- },
245
- capability,
246
- proof: {
247
- agentId: request.agentId,
248
- signature: request.proof.signature,
249
- token: request.proof.token,
250
- requestId: request.requestId,
251
- requestedAt: request.requestedAt,
252
- },
253
- secretId: undefined,
254
- reason: request.reason,
255
- targetUrl: request.targetUrl,
256
- method: request.method,
257
- headers: request.headers,
258
- body: request.body,
259
- });
260
- if (authorization.decision !== "allow") {
261
- throw new Error("VAULT_CUSTOM_FLOW_DENIED");
262
- }
263
- const payload = await this.fetchAndParse({
264
- url: request.targetUrl,
265
- method: request.method,
266
- headers: request.headers,
267
- body: request.body,
268
- });
269
- const acquiredSecret = this.extractCustomFlowSecret(customFlow, payload.parsedBody);
270
- if (!acquiredSecret || !customFlow.responseSecret) {
271
- throw new Error("VAULT_CUSTOM_FLOW_SECRET_NOT_FOUND");
272
- }
273
- await this._authority._storeCustomFlowSecret(customFlow, customFlow.responseSecret.storeAlias, acquiredSecret);
274
- return {
275
- ok: true,
276
- result: {
277
- vaultId,
278
- requestId: request.requestId,
279
- status: DispatchStatus.SUCCEEDED,
280
- targetUrl: request.targetUrl,
281
- method: request.method,
282
- responseStatus: payload.responseStatus,
283
- responseBody: applyResponseReadPolicy(this.toCustomFlowResponseBody(payload.rawBody, payload.contentType, boundary.responseVisibility), capability?.read ?? { paths: [] }),
284
- },
285
- };
286
- }
287
109
  const result = await this._authority.agentDispatchSecret({
288
- vaultId,
110
+ vaultId: { value: request.vaultId },
289
111
  requestId: request.requestId,
290
112
  requestedAt: request.requestedAt,
291
- agent: {
292
- kind: "agent",
293
- id: request.agentId,
294
- },
295
- capability,
113
+ agent: { kind: "agent", id: request.rootAgentId },
296
114
  proof: {
297
- agentId: request.agentId,
115
+ rootAgentId: request.rootAgentId,
298
116
  signature: request.proof.signature,
299
117
  token: request.proof.token,
300
118
  requestId: request.requestId,
301
119
  requestedAt: request.requestedAt,
302
120
  },
303
- secretId,
304
- secretAlias: request.secretAlias,
305
121
  reason: request.reason,
122
+ secretAlias: request.secretAlias,
306
123
  targetUrl: request.targetUrl,
307
124
  method: request.method,
308
125
  headers: request.headers,
309
126
  body: request.body,
310
127
  });
311
- if (boundary.mode === "bidirectional_secret") {
312
- if (!customFlow) {
313
- throw new Error("VAULT_CUSTOM_FLOW_NOT_FOUND");
314
- }
315
- const parsedBody = this.parseBody(result.responseBody);
316
- const acquiredSecret = this.extractCustomFlowSecret(customFlow, parsedBody);
317
- if (!acquiredSecret || !customFlow.responseSecret) {
318
- throw new Error("VAULT_CUSTOM_FLOW_SECRET_NOT_FOUND");
319
- }
320
- await this._authority._storeCustomFlowSecret(customFlow, customFlow.responseSecret.storeAlias, acquiredSecret);
321
- }
322
- return {
323
- ok: true,
324
- result: {
325
- ...result,
326
- responseBody: applyResponseReadPolicy(this.toCustomFlowResponseBody(result.responseBody, null, boundary.responseVisibility), capability?.read ?? { paths: [] }),
327
- },
328
- };
128
+ return { ok: true, result };
329
129
  }
330
130
  catch (error) {
331
- const message = error instanceof Error ? error.message : String(error);
332
- const code = error instanceof Error && "code" in error && typeof error.code === "string"
333
- ? error.code
334
- : "VAULT_AGENT_DISPATCH_REJECTED";
335
131
  return {
336
132
  ok: false,
337
- error: { code, message },
133
+ error: {
134
+ code: error.code || "VAULT_DISPATCH_FAILED",
135
+ message: error instanceof Error ? error.message : String(error),
136
+ },
338
137
  };
339
138
  }
340
139
  }
341
- ownerReadAudit(request) {
342
- return this._authority.ownerReadAudit(request.actor, request.query, {
343
- requestId: request.requestId,
344
- requestedAt: request.requestedAt,
345
- });
346
- }
347
- ownerExportSecret(request) {
348
- return this._authority.ownerExportSecret(request.actor, request.alias, {
349
- requestId: request.requestId,
350
- requestedAt: request.requestedAt,
351
- });
352
- }
353
- ownerDeleteSecret(request) {
354
- return this._authority.ownerRemoveSecret(request);
355
- }
356
- async ownerListAgents(request) {
357
- return await this._authority.ownerListAgents(request.actor, request);
358
- }
359
- async ownerListCapabilities(request) {
360
- return await this._authority.ownerListCapabilities(request.actor, request.agentId, request);
361
- }
362
- async ownerListRequests(request) {
363
- return await this._authority.ownerListRequests(request.actor, request.agentId, request);
364
- }
365
- async ownerGetRequest(request) {
366
- return await this._authority.ownerGetRequest(request.actor, request.targetRequestId, request);
367
- }
368
- async ownerListSecrets(request) {
369
- return await this._authority.ownerListSecrets(request.owner, request);
370
- }
371
- async ownerRevokeCapability(command) {
372
- return await this._authority.ownerRevokeCapability(command);
373
- }
374
- async ownerIssueSessionToken(request) {
375
- return await this._authority.ownerIssueSessionToken(request);
376
- }
377
- async ownerIssueAllAgentSessionTokens(request) {
378
- return await this._authority.ownerIssueAllAgentSessionTokens(request.actor);
379
- }
380
- async ownerRevokeSessionToken(request) {
381
- return this._authority.ownerRevokeSessionToken(request);
382
- }
383
- ownerSubmitCapabilityRequest(request) {
384
- return this._authority.ownerSubmitCapabilityRequest(request);
385
- }
386
- ownerApproveCapabilityRead(request) {
387
- return this._authority.ownerApproveCapabilityRead(request);
388
- }
389
- ownerListCapabilityStates(request) {
390
- return this._authority.ownerListCapabilityStates(request);
391
- }
392
- ownerAllowOnce(request) {
393
- return this._authority.ownerAllowOnce(request);
394
- }
395
- ownerAllowAlways(request) {
396
- return this._authority.ownerAllowAlways(request);
397
- }
398
- ownerDeny(request) {
399
- return this._authority.ownerDeny(request);
400
- }
401
- agentListCapabilities(request) {
402
- return this._authority.agentListCapabilities(request);
403
- }
404
- agentListSecrets(request) {
405
- return this._authority.agentListSecrets(request);
406
- }
407
- agentListRequests(request) {
408
- return this._authority.agentListRequests(request);
409
- }
410
- agentGetRequest(request) {
411
- return this._authority.agentGetRequest(request);
412
- }
413
- agentGetRuntimeManifest(request) {
414
- return this._authority.agentGetRuntimeManifest(request);
415
- }
416
- agentSubmitCapabilityRequest(request) {
417
- return this._authority.agentSubmitCapabilityRequest(request);
418
- }
419
140
  async agentHandleControl(request) {
420
141
  try {
421
142
  const base = {
422
143
  vaultId: { value: request.vaultId },
423
144
  requestId: request.requestId,
424
145
  requestedAt: request.requestedAt,
425
- agent: { kind: "agent", id: request.agentId },
146
+ agent: { kind: "agent", id: request.rootAgentId },
426
147
  proof: {
427
- agentId: request.agentId,
148
+ rootAgentId: request.rootAgentId,
428
149
  signature: request.proof.signature,
429
150
  token: request.proof.token,
430
151
  requestId: request.requestId,
431
152
  requestedAt: request.requestedAt,
432
153
  },
433
154
  };
155
+ let result;
434
156
  switch (request.action) {
435
- case "list_capabilities":
436
- return { ok: true, result: await this.agentListCapabilities(base) };
437
157
  case "list_secrets":
438
- return { ok: true, result: await this.agentListSecrets(base) };
158
+ result = await this.agentListSecrets(base);
159
+ break;
439
160
  case "list_requests":
440
- return { ok: true, result: await this.agentListRequests(base) };
161
+ result = await this.agentListRequests(base);
162
+ break;
441
163
  case "read_request_result":
442
- return { ok: true, result: await this.agentGetRequest({ ...base, targetRequestId: request.targetRequestId }) };
164
+ result = await this.agentGetRequest({ ...base, targetRequestId: request.targetRequestId });
165
+ break;
443
166
  case "get_manifest":
444
- return { ok: true, result: await this.agentGetRuntimeManifest(base) };
445
- case "submit_capability_request":
446
- {
447
- const secretIds = await this.resolveSecretIds(request.secretAliases);
448
- return {
449
- ok: true,
450
- result: await this.agentSubmitCapabilityRequest({
451
- ...base,
452
- capability: {
453
- operation: request.operation ?? "dispatch_http",
454
- write: {
455
- secretIds,
456
- scope: request.write.scope,
457
- methods: [...request.write.methods],
458
- },
459
- read: {
460
- paths: [...request.read.paths],
461
- },
462
- },
463
- reason: request.reason,
464
- }),
465
- };
466
- }
167
+ result = await this.agentGetRuntimeManifest(base);
168
+ break;
467
169
  }
170
+ return { ok: true, result };
468
171
  }
469
172
  catch (error) {
470
- const message = error instanceof Error ? error.message : String(error);
471
- const code = error instanceof Error && "code" in error && typeof error.code === "string"
472
- ? error.code
473
- : "VAULT_AGENT_CONTROL_REJECTED";
474
- return { ok: false, error: { code, message } };
173
+ return { ok: false, error: { code: error.code || "VAULT_CONTROL_FAILED", message: error instanceof Error ? error.message : String(error) } };
475
174
  }
476
175
  }
477
176
  async ownerHandleControl(request) {
478
- const owner = { kind: "owner", id: request.ownerId ?? "vault-master" };
479
- const vaultId = { value: request.vaultId };
480
177
  try {
178
+ const actor = { kind: "owner", id: request.actorId || "owner" };
179
+ let result;
481
180
  switch (request.action) {
482
- case "list_capability_states":
483
- return { ok: true, result: await this.ownerListCapabilityStates({ vaultId, owner, agentId: request.agentId, writeGranted: request.writeGranted, readGranted: request.readGranted }) };
484
- case "approve_capability_read":
485
- return {
486
- ok: true,
487
- result: await this.ownerApproveCapabilityRead({
488
- vaultId,
489
- requestId: request.requestId,
490
- owner,
491
- read: request.read ? { paths: [...request.read.paths] } : undefined,
492
- }),
493
- };
494
- case "allow_once":
495
- return { ok: true, result: await this.ownerAllowOnce({ vaultId, requestId: request.requestId, owner }) };
496
- case "allow_always":
497
- return { ok: true, result: await this.ownerAllowAlways({ vaultId, requestId: request.requestId, owner }) };
498
- case "deny":
499
- return { ok: true, result: await this.ownerDeny({ vaultId, requestId: request.requestId, owner }) };
500
181
  case "list_agents":
501
- return { ok: true, result: await this.ownerListAgents({ vaultId, actor: owner, requestId: `owner:list_agents:${Date.now()}`, requestedAt: this._clock?.nowIso?.() ?? new Date().toISOString() }) };
502
- case "list_capabilities":
503
- return { ok: true, result: await this.ownerListCapabilities({ vaultId, actor: owner, agentId: request.agentId, requestId: `owner:list_capabilities:${Date.now()}`, requestedAt: this._clock?.nowIso?.() ?? new Date().toISOString() }) };
182
+ result = await this.ownerListAgents({ vaultId: { value: request.vaultId }, actor: { kind: "owner", id: request.actorId || "owner" }, requestId: "internal", requestedAt: new Date().toISOString() });
183
+ break;
504
184
  case "list_requests":
505
- return { ok: true, result: await this.ownerListRequests({ vaultId, actor: owner, agentId: request.agentId, requestId: `owner:list_requests:${Date.now()}`, requestedAt: this._clock?.nowIso?.() ?? new Date().toISOString() }) };
185
+ result = await this.ownerListRequests({ vaultId: { value: request.vaultId }, actor: { kind: "owner", id: request.actorId || "owner" }, rootAgentId: request.rootAgentId, requestId: "internal", requestedAt: new Date().toISOString() });
186
+ break;
506
187
  case "get_request":
507
- return { ok: true, result: await this.ownerGetRequest({ vaultId, actor: owner, targetRequestId: request.requestId, requestId: `owner:get_request:${Date.now()}`, requestedAt: this._clock?.nowIso?.() ?? new Date().toISOString() }) };
188
+ result = await this.ownerGetRequest({ vaultId: { value: request.vaultId }, actor: { kind: "owner", id: request.actorId || "owner" }, targetRequestId: request.requestId, requestId: "internal", requestedAt: new Date().toISOString() });
189
+ break;
508
190
  case "list_secrets":
509
- return { ok: true, result: await this.ownerListSecrets({ vaultId, owner, requestId: `owner:list_secrets:${Date.now()}` }) };
191
+ result = await this.ownerListSecrets({ vaultId: { value: request.vaultId }, owner: { kind: "owner", id: request.actorId || "owner" } });
192
+ break;
193
+ case "list_grants":
194
+ result = await this.ownerListGrants({ vaultId: { value: request.vaultId }, actor: { kind: "owner", id: request.actorId || "owner" }, rootAgentId: request.rootAgentId, secretAlias: request.secretAlias, requestId: "internal", requestedAt: new Date().toISOString() });
195
+ break;
196
+ case "approve_dispatch":
197
+ result = await this.ownerApproveDispatch({ vaultId: { value: request.vaultId }, actor: { kind: "owner", id: request.actorId || "owner" }, requestId: request.requestId, decision: request.decision, requestedAt: new Date().toISOString() });
198
+ break;
510
199
  }
200
+ return { ok: true, result };
511
201
  }
512
202
  catch (error) {
513
- const message = error instanceof Error ? error.message : String(error);
514
- const code = error instanceof Error && "code" in error && typeof error.code === "string"
515
- ? error.code
516
- : "VAULT_OWNER_CONTROL_REJECTED";
517
- return { ok: false, error: { code, message } };
518
- }
519
- }
520
- async resolveCapability(vaultId, agentId, capabilityId) {
521
- if (!capabilityId) {
522
- return undefined;
203
+ return { ok: false, error: { code: error.code || "VAULT_CONTROL_FAILED", message: error instanceof Error ? error.message : String(error) } };
523
204
  }
524
- const capability = await this._authority._getCapability(vaultId, agentId, capabilityId);
525
- return capability ?? undefined;
526
205
  }
527
- parseBody(body) {
528
- if (!body) {
529
- return null;
530
- }
531
- try {
532
- return JSON.parse(body);
533
- }
534
- catch {
535
- return body;
536
- }
537
- }
538
- async resolveCustomFlow(vaultId, flowId) {
539
- if (!flowId) {
540
- throw new Error("VAULT_CUSTOM_FLOW_NOT_PROVIDED");
541
- }
542
- if (!this._customFlows) {
543
- throw new Error("VAULT_CUSTOM_FLOW_RESOLVER_NOT_CONFIGURED");
544
- }
545
- const flow = await this._customFlows.get(vaultId, flowId);
546
- if (!flow) {
547
- throw new Error("VAULT_CUSTOM_FLOW_NOT_FOUND");
548
- }
549
- return flow;
550
- }
551
- }
552
- export function createVaultService(deps, options = {}) {
553
- return new LocalVaultService(createVaultCore(deps), options.customFlows ?? deps.customFlows, options.clock, options.fetchImpl);
554
206
  }
555
- export function wrapVaultCoreAsVaultService(core, options = {}) {
556
- return new LocalVaultService(core, options.customFlows, options.clock, options.fetchImpl);
207
+ export function createVaultService(authority, options) {
208
+ return new LocalVaultService(authority, options?.fetchImpl);
557
209
  }
558
- export { createOwnerHttpFlowBoundary, createStandardAcquireBoundary, createStandardDispatchBoundary, toOwnerHttpFlowBoundary, } from "./flow-factories.js";
559
- export { AgentDispatchHttpTransport } from "./remote-transport.js";
560
- export { handleVaultHttpDispatch, handleVaultAgentControlHttp } from "./server-utils.js";
561
- /*
562
- * Owner remote control export is intentionally disabled until it has a real
563
- * authentication story. Restore the export below when that work is done.
564
- *
565
- * export { handleVaultOwnerControlHttp } from "./server-utils.js";
566
- */
210
+ /** Legacy alias for createVaultService */
211
+ export const wrapVaultCoreAsVaultService = createVaultService;
567
212
  //# sourceMappingURL=index.js.map