@the-ai-company/cbio-node-runtime 1.63.3 → 1.63.5

package/docs/api/type-aliases/VaultPrincipalKind.md

@@ -0,0 +1,7 @@
+[**CBIO Node Runtime Agent API v1.63.5**](../README.md)
+
+***
+
+# Type Alias: VaultPrincipalKind
+
+> **VaultPrincipalKind** = `"owner"` \| `"trusted_issuer"` \| `"agent"` \| `"trusted_executor"`

package/docs/api/variables/DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY.md

@@ -1,7 +1,7 @@
-[**CBIO Node Runtime Agent API v1.63.3**](../README.md)
+[**CBIO Node Runtime Agent API v1.63.5**](../README.md)
 
 ***
 
 # Variable: DEFAULT\_VAULT\_KEY\_CUSTODY\_BLOB\_KEY
 
-> `const` **DEFAULT\_VAULT\_KEY\_CUSTODY\_BLOB\_KEY**: `"working-key.sealed"` = `"working-key.sealed"`
+> `const` **DEFAULT\_VAULT\_KEY\_CUSTODY\_BLOB\_KEY**: `"master_key.sealed"` = `"master_key.sealed"`

package/docs/es/README.md

@@ -23,7 +23,7 @@ import {
   listVaults,
   recoverVault,
   createOwnerSession,
-  createVaultClient,
+  createOwnerClient,
   createAgentClient,
   FsStorageProvider,
 } from '@the-ai-company/cbio-node-runtime';
@@ -40,8 +40,8 @@ Ruta principal recomendada para vault persistente:
 
 - crear el vault persistente con `createVault(...)`
 - recuperar el vault persistente con `recoverVault(...)` usando `vaultId` + `password`
-- para GUIs o procesos de larga duración, conservar `createOwnerSession(...)` en lugar de cachear un `createVaultClient(...)` crudo
-- usar `createVaultClient(...)` solo para scripts breves o tareas puntuales en el runtime actual
+- para GUIs o procesos de larga duración, conservar `createOwnerSession(...)` en lugar de cachear un `createOwnerClient(...)` crudo
+- usar `createOwnerClient(...)` solo para scripts breves o tareas puntuales en el runtime actual
 
 La API antigua centrada en `CbioIdentity` ya no es la superficie principal del producto.
 

package/docs/fr/README.md

@@ -23,7 +23,7 @@ import {
   listVaults,
   recoverVault,
   createOwnerSession,
-  createVaultClient,
+  createOwnerClient,
   createAgentClient,
   FsStorageProvider,
 } from '@the-ai-company/cbio-node-runtime';
@@ -40,8 +40,8 @@ Chemin principal recommande pour un vault persistant :
 
 - créer le coffre persistant avec `createVault(...)`
 - restaurer le coffre persistant avec `recoverVault(...)` via `vaultId` + `password`
-- pour les GUIs ou processus longs, conserver `createOwnerSession(...)` plutôt qu'un `createVaultClient(...)` brut en cache
-- réserver `createVaultClient(...)` aux scripts courts ou aux tâches ponctuelles dans le runtime courant
+- pour les GUIs ou processus longs, conserver `createOwnerSession(...)` plutôt qu'un `createOwnerClient(...)` brut en cache
+- réserver `createOwnerClient(...)` aux scripts courts ou aux tâches ponctuelles dans le runtime courant
 
 L'ancienne API centree sur `CbioIdentity` n'est plus la surface principale du produit.
 

package/docs/ja/README.md

@@ -23,7 +23,7 @@ import {
   listVaults,
   recoverVault,
   createOwnerSession,
-  createVaultClient,
+  createOwnerClient,
   createAgentClient,
   FsStorageProvider,
 } from '@the-ai-company/cbio-node-runtime';
@@ -32,16 +32,16 @@ import {
 ## アーキテクチャ
 
 1. secret の平文は `vault-core` の内部にのみ存在します
-2. `clients/owner` は、オーナーによる書き込み、平文エクスポート、監査の読み取り、および **Agent/権限管理** (`listAgents`, `listCapabilities`, `revokeCapability`) を担当します。
+2. `clients/owner` は、オーナーによる書き込み、平文エクスポート、監査の読み取り、および **Agent/権限管理** (`listAgents`, `listGrants`, `revokeGrant`) を担当します。
 3. `clients/agent` は agent の signed dispatch request を作ります
-4. `vault-ingress` は vault 境界の内側で capability 解決と dispatch ingress を扱います
+4. `vault-ingress` は vault 境界の内側で grant 解決と dispatch ingress を扱います
 
 推奨される persistent-vault の主経路:
 
 - `createVault(...)` で persistent vault を作成する
 - `recoverVault(...)` で `vaultId` と `password` を使って persistent vault を復旧する
-- GUI や長寿命プロセスでは、生の `createVaultClient(...)` をキャッシュせず `createOwnerSession(...)` を保持する
-- `createVaultClient(...)` は短命スクリプトやその runtime 限定の単発処理に使う
+- GUI や長寿命プロセスでは、生の `createOwnerClient(...)` をキャッシュせず `createOwnerSession(...)` を保持する
+- `createOwnerClient(...)` は短命スクリプトやその runtime 限定の単発処理に使う
 
 旧 `CbioIdentity` 中心 API は、もはや主要な公開面ではありません。
 

package/docs/ko/README.md

@@ -23,7 +23,7 @@ import {
   listVaults,
   recoverVault,
   createOwnerSession,
-  createVaultClient,
+  createOwnerClient,
   createAgentClient,
   FsStorageProvider,
 } from '@the-ai-company/cbio-node-runtime';
@@ -32,16 +32,16 @@ import {
 ## 아키텍처
 
 1. secret 평문은 `vault-core` 내부에만 존재합니다
-2. `clients/owner`는 소유자 쓰기, 평문 내보내기, 감사 읽기 및 **Agent/권한 관리** (`listAgents`, `listCapabilities`, `revokeCapability`)를 담당합니다.
+2. `clients/owner`는 소유자 쓰기, 평문 내보내기, 감사 읽기 및 **Agent/권한 관리** (`listAgents`, `listGrants`, `revokeGrant`)를 담당합니다.
 3. `clients/agent` 는 agent 서명 dispatch 요청을 만듭니다
-4. `vault-ingress` 는 vault 경계 내부에서 capability 해석과 dispatch ingress 를 처리합니다
+4. `vault-ingress` 는 vault 경계 내부에서 grant 해석과 dispatch ingress 를 처리합니다
 
 권장되는 persistent-vault 주 경로:
 
 - `createVault(...)` 로 persistent vault 를 생성합니다
 - `recoverVault(...)` 로 `vaultId` 와 `password` 를 사용해 persistent vault 를 복구합니다
-- GUI 나 장수명 프로세스에서는 raw `createVaultClient(...)` 를 캐시하지 말고 `createOwnerSession(...)` 을 유지합니다
-- `createVaultClient(...)` 는 현재 runtime 안의 짧은 스크립트나 일회성 작업에 사용합니다
+- GUI 나 장수명 프로세스에서는 raw `createOwnerClient(...)` 를 캐시하지 말고 `createOwnerSession(...)` 을 유지합니다
+- `createOwnerClient(...)` 는 현재 runtime 안의 짧은 스크립트나 일회성 작업에 사용합니다
 
 이전 `CbioIdentity` 중심 API 는 더 이상 주요 제품 표면이 아닙니다.
 

package/docs/pt/README.md

@@ -23,7 +23,7 @@ import {
   listVaults,
   recoverVault,
   createOwnerSession,
-  createVaultClient,
+  createOwnerClient,
   createAgentClient,
   FsStorageProvider,
 } from '@the-ai-company/cbio-node-runtime';
@@ -40,8 +40,8 @@ Caminho principal recomendado para vault persistente:
 
 - criar o cofre persistente com `createVault(...)`
 - recuperar o cofre persistente com `recoverVault(...)` usando `vaultId` + `password`
-- para GUIs ou processos longos, manter `createOwnerSession(...)` em vez de cachear um `createVaultClient(...)` bruto
-- usar `createVaultClient(...)` apenas para scripts curtos ou tarefas pontuais no runtime atual
+- para GUIs ou processos longos, manter `createOwnerSession(...)` em vez de cachear um `createOwnerClient(...)` bruto
+- usar `createOwnerClient(...)` apenas para scripts curtos ou tarefas pontuais no runtime atual
 
 A antiga API centrada em `CbioIdentity` nao e mais a superficie principal do produto.
 

package/docs/zh/PROCESS_ISOLATION.md

@@ -20,8 +20,8 @@ import { createAgentClient, AgentDispatchHttpTransport } from '@the-ai-company/c
 const transport = new AgentDispatchHttpTransport('http://localhost:3000/dispatch');
 
 const agent = createAgentClient({
-  agentIdentity, // 进程 A 仅持有自己的身份私钥
-  capability,    // 进程 A 仅了解被授予的权限
+  rootAgentIdentity, // 进程 A 仅持有自己的身份私钥
+  grant,    // 进程 A 仅了解被授予的权限
   transport,
 });
 

package/docs/zh/README.md

@@ -49,9 +49,9 @@ const vault = await recoverVault(storage, {
 
 ### 3. GUI 的 Owner Session
 
-对于 GUI 这类长生命周期进程，应该持有 `OwnerSession`，而不是长期缓存裸 `VaultClient`。
+对于 GUI 这类长生命周期进程，应该持有 `OwnerSession`，而不是长期缓存裸 `OwnerClient`。
 
-`createVaultClient(...)` 只负责基于当前 runtime 创建 owner client；它不应该跨 HMR、模块重载或 runtime 替换被长期复用。`OwnerSession` 会提供稳定的 SDK 句柄，并按需重新创建 owner client。
+`createOwnerClient(...)` 只负责基于当前 runtime 创建 owner client；它不应该跨 HMR、模块重载或 runtime 替换被长期复用。`OwnerSession` 会提供稳定的 SDK 句柄，并按需重新创建 owner client。
 
 ```ts
 import { createOwnerSession } from '@the-ai-company/cbio-node-runtime';
@@ -72,14 +72,14 @@ const agents = await ownerClient.ownerListAgents();
 session.invalidate();
 ```
 
-如果你写的是一次性脚本，`recoverVault(...)` 配合 `createVaultClient(...)` 仍然是合适的。
+如果你写的是一次性脚本，`recoverVault(...)` 配合 `createOwnerClient(...)` 仍然是合适的。
 
 ### 4. 托管 Agent 身份
 
 ```ts
-import { createVaultClient } from '@the-ai-company/cbio-node-runtime';
+import { createOwnerClient } from '@the-ai-company/cbio-node-runtime';
 
-const client = createVaultClient({
+const client = createOwnerClient({
   vault: vault.vault,
   passwordVerifier: vault.verifyPassword,
 });
@@ -88,26 +88,26 @@ const createdAgent = await client.ownerCreateAgent({
   nickname: '后台处理插件',
 });
 
-const agentId = createdAgent.agent.agentId;
+const rootAgentId = createdAgent.agent.rootAgentId;
 const sessionToken = createdAgent.sessionToken;
 ```
 
 ### 5. 机密管理
 
 ```ts
-const record = await client.ownerWriteSecret({
+const record = await client.ownerCreateSecret({
   alias: 'api-token',
   plaintext: 'secret-value'
 });
 
-await client.ownerGrantCapability({
-  agentId,
-  write: {
-    secretIds: [record.secretId.value],
-    scope: 'https://api.example.com/*',
-    methods: ['POST']
-  },
-  read: { paths: ['$'] }
+await client.ownerGrantAgentSecret({
+  rootAgentId,
+  secretAlias: 'api-token',
+});
+
+await client.ownerGrantSecretDestination({
+  secretAlias: 'api-token',
+  domain: 'api.example.com',
 });
 ```
 
@@ -117,8 +117,7 @@ await client.ownerGrantCapability({
 import { createAgentClient } from '@the-ai-company/cbio-node-runtime';
 
 const agent = createAgentClient({
-  agentIdentity: { agentId },
-  capability: myCapability,
+  rootAgentIdentity: { rootAgentId },
   token: sessionToken.token,
   vault: vault.vault
 });
@@ -134,8 +133,8 @@ Agent 进程不会直接使用原始私钥执行请求。即使 Agent 拥有身
 给 LLM 的直白规则：
 - `agentDispatch(...)` = 立刻尝试执行真实任务
 - `agentDispatch(...)` 必须带一条给 owner 看的 `reason`，说明为什么要发这个请求
-- `agentSubmitCapabilityRequest(...)` = 只申请权限，不会执行任务
-- `agentSubmitCapabilityRequest(...)` 也必须带 `reason`，说明为什么需要这项权限
+- `agentSubmitGrantRequest(...)` = 只申请权限，不会执行任务
+- `agentSubmitGrantRequest(...)` 也必须带 `reason`，说明为什么需要这项权限
 - `agentListRequests()` / `agentGetRequest(...)` = 在请求执行后查看异步结果
 - `ownerListRequests()` / `ownerGetRequest(...)` = owner 查看完整请求记录，用于决定是否放行 read
 - `read.paths` 只控制哪些响应值可见；响应结构始终可见，`['$']` 表示整个 body 都可见
@@ -143,8 +142,8 @@ Agent 进程不会直接使用原始私钥执行请求。即使 Agent 拥有身
 ```ts
 const manifest = await agent.agentIntrospect();
 
-console.log(manifest.agent.agentId);
-console.log(manifest.agent.identityId);
+console.log(manifest.agent.rootAgentId);
+console.log(manifest.agent.rootAgentId);
 console.log(manifest.agent.nickname);
 console.log(manifest.capabilities); // 同一组能力载体里包含 write/read 动作状态
 ```
@@ -161,18 +160,18 @@ if (result.status === 'PENDING') {
   console.log('触发发现流程：等待所有者审批...');
 }
 
-client.ownerOnCapabilityState((state) => {
+client.ownerOnGrantState((state) => {
   if (state.writeGrant === null) {
     console.log('收到新的待审批能力状态:', state.requestId);
   }
 });
 
-const pending = await client.ownerListCapabilityStates({ writeGranted: false });
+const pending = await client.ownerListGrantStates({ writeGranted: false });
 if (pending.length > 0) {
   await client.ownerAllowAlways({
     requestId: pending[0].requestId
   });
-  await client.ownerApproveCapabilityRead({
+  await client.ownerApproveGrantRead({
     requestId: pending[0].requestId,
     read: { paths: ['data.id', 'data.status'] }
   });

package/examples/process-isolation.ts

@@ -59,14 +59,13 @@ async function startVaultServer(port: number) {
 }
 
 // --- Process A: The LLM Agent Logic ---
-async function runAgentDemo(port: number, agentIdentity: any, capability: any, token: string) {
+async function runAgentDemo(port: number, agentRecord: any, token: string) {
   // Process A ONLY knows the remote URL and its own Agent Identity.
   // It has NO access to the Vault's master key or storage.
   const transport = new AgentDispatchHttpTransport(`http://localhost:${port}/dispatch`);
   
   const agentClient = createAgentClient({
-    agentIdentity,
-    capability,
+    agentRecord: agentRecord,
     transport,
     token,
   });
@@ -78,6 +77,7 @@ async function runAgentDemo(port: number, agentIdentity: any, capability: any, t
       secretAlias: "api-token",
       targetUrl: "https://httpbin.org/post",
       method: "POST",
+      reason: "LLM agent needs to perform isolated dispatch",
       body: JSON.stringify({ message: "Hello from isolated Process A" }),
     });
 
@@ -97,65 +97,56 @@ async function main() {
   const { ownerIdentity, vault, server } = await startVaultServer(PORT);
   
   // 2. Setup: Owner (in Process B's context) grants permission to an Agent
-  const agentIdentity = createIdentity({ nickname: "llm-agent-1" });
+  const agentRecord = createIdentity({ nickname: "llm-agent-1" });
   
-  // Owner registers the agent and a capability (simulated local call for setup)
+  // Owner registers the agent and a grant (simulated local call for setup)
   await vault.ownerRegisterAgentIdentity({
     vaultId: vault.vaultId,
     requestId: `setup:${Date.now()}:register_agent`,
-    owner: { kind: "owner", id: ownerIdentity.identityId },
-    agentIdentity: {
+    owner: { kind: "owner", id: ownerIdentity.rootAgentId },
+    agentRecord: {
       vaultId: vault.vaultId,
-      agentId: agentIdentity.identityId,
-      publicKey: agentIdentity.publicKey,
+      rootAgentId: agentRecord.rootAgentId,
+      publicKey: agentRecord.publicKey,
     },
     requestedAt: new Date().toISOString(),
   });
 
   // Owner writes a secret (simulated local call for setup)
-  const secret = await vault.ownerWriteSecret({
-    kind: "owner.write_secret",
+  const secret = await vault.ownerCreateSecret({
+    kind: "owner.create_secret",
     vaultId: vault.vaultId,
     requestId: `setup:${Date.now()}:write_secret`,
-    owner: { kind: "owner", id: ownerIdentity.identityId },
+    owner: { kind: "owner", id: ownerIdentity.rootAgentId },
     alias: "api-token",
     plaintext: "SK-PROD-12345",
     source: { kind: "manual" },
     requestedAt: new Date().toISOString(),
   });
 
-  const capability = {
-    vaultId: vault.vaultId,
-    capabilityId: "cap-llm-1",
-    agentId: agentIdentity.identityId,
-    operation: "dispatch_http" as const,
-    write: {
-      secretIds: [secret.secretId.value],
-      scope: "https://httpbin.org/post",
-      methods: ["POST"],
-    },
-    read: { mode: "full" },
-    issuedAt: new Date().toISOString(),
-  };
+  // Owner grants permissions (New Grant-based API)
+  await vault.ownerGrantAgentSecret(
+    { kind: "owner", id: ownerIdentity.rootAgentId },
+    agentRecord.rootAgentId,
+    "api-token"
+  );
 
-  await vault.ownerRegisterCapability({
-    vaultId: vault.vaultId,
-    requestId: `setup:${Date.now()}:register_capability`,
-    owner: { kind: "owner", id: ownerIdentity.identityId },
-    capability,
-    requestedAt: new Date().toISOString(),
-  });
+  await vault.ownerGrantSecretDestination(
+    { kind: "owner", id: ownerIdentity.rootAgentId },
+    "api-token",
+    "httpbin.org"
+  );
 
   const session = await vault.ownerIssueSessionToken({
     vaultId: vault.vaultId,
     requestId: `setup:${Date.now()}:issue_session_token`,
-    actor: { kind: "owner", id: ownerIdentity.identityId },
-    agentId: agentIdentity.identityId,
+    actor: { kind: "owner", id: ownerIdentity.rootAgentId },
+    rootAgentId: agentRecord.rootAgentId,
     requestedAt: new Date().toISOString(),
   });
 
   // 3. Run the "LLM Agent" (Process A)
-  await runAgentDemo(PORT, agentIdentity, capability, session.token);
+  await runAgentDemo(PORT, agentRecord, session.token);
 
   // 4. Cleanup
   server.close();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@the-ai-company/cbio-node-runtime",
-  "version": "1.63.3",
+  "version": "1.63.5",
   "publishConfig": {
     "access": "public"
   },

package/docs/api/functions/createOwnerHttpFlowBoundary.md

@@ -1,17 +0,0 @@
-[**CBIO Node Runtime Agent API v1.63.3**](../README.md)
-
-***
-
-# Function: createOwnerHttpFlowBoundary()
-
-> **createOwnerHttpFlowBoundary**(`boundary`): `OwnerHttpFlowBoundary`
-
-## Parameters
-
-### boundary
-
-`OwnerHttpFlowBoundary`
-
-## Returns
-
-`OwnerHttpFlowBoundary`

package/docs/api/functions/createStandardAcquireBoundary.md

@@ -1,31 +0,0 @@
-[**CBIO Node Runtime Agent API v1.63.3**](../README.md)
-
-***
-
-# Function: createStandardAcquireBoundary()
-
-> **createStandardAcquireBoundary**(`input`): `OwnerHttpFlowBoundary`
-
-## Parameters
-
-### input
-
-#### method?
-
-`string`
-
-#### responseField
-
-`"access_token"` \| `"refresh_token"` \| `"id_token"`
-
-#### storeAlias
-
-`string`
-
-#### targetUrl
-
-`string`
-
-## Returns
-
-`OwnerHttpFlowBoundary`

package/docs/api/functions/createStandardDispatchBoundary.md

@@ -1,23 +0,0 @@
-[**CBIO Node Runtime Agent API v1.63.3**](../README.md)
-
-***
-
-# Function: createStandardDispatchBoundary()
-
-> **createStandardDispatchBoundary**(`input`): `OwnerHttpFlowBoundary`
-
-## Parameters
-
-### input
-
-#### method
-
-`string`
-
-#### targetUrl
-
-`string`
-
-## Returns
-
-`OwnerHttpFlowBoundary`

package/docs/api/functions/createVaultClient.md

@@ -1,32 +0,0 @@
-[**CBIO Node Runtime Agent API v1.63.3**](../README.md)
-
-***
-
-# Function: createVaultClient()
-
-> **createVaultClient**(`options`): [`VaultClient`](../interfaces/VaultClient.md)
-
-Creates a [VaultClient](../interfaces/VaultClient.md) instance for a specific vault owner.
-
-## Parameters
-
-### options
-
-[`CreateVaultClientOptions`](../interfaces/CreateVaultClientOptions.md)
-
-Configuration including optional owner identity and the vault service.
-
-## Returns
-
-[`VaultClient`](../interfaces/VaultClient.md)
-
-An initialized [VaultClient](../interfaces/VaultClient.md).
-
-## Example
-
-```ts
-const client = createVaultClient({
-  ownerIdentity,
-  vault
-});
-```

package/docs/api/functions/deriveIdentityId.md

@@ -1,17 +0,0 @@
-[**CBIO Node Runtime Agent API v1.63.3**](../README.md)
-
-***
-
-# Function: deriveIdentityId()
-
-> **deriveIdentityId**(`publicKey`): `string`
-
-## Parameters
-
-### publicKey
-
-`string`
-
-## Returns
-
-`string`

package/docs/api/functions/wrapVaultCoreAsVaultService.md

@@ -1,31 +0,0 @@
-[**CBIO Node Runtime Agent API v1.63.3**](../README.md)
-
-***
-
-# Function: wrapVaultCoreAsVaultService()
-
-> **wrapVaultCoreAsVaultService**(`core`, `options?`): `VaultService`
-
-## Parameters
-
-### core
-
-[`VaultCore`](../classes/VaultCore.md)
-
-### options?
-
-#### clock?
-
-`Clock`
-
-#### customFlows?
-
-`VaultCustomFlowResolver`
-
-#### fetchImpl?
-
-\{(`input`, `init?`): `Promise`\<`Response`\>; (`input`, `init?`): `Promise`\<`Response`\>; \}
-
-## Returns
-
-`VaultService`

package/docs/api/interfaces/AgentSubmitCapabilityRequestInput.md

@@ -1,41 +0,0 @@
-[**CBIO Node Runtime Agent API v1.63.3**](../README.md)
-
-***
-
-# Interface: AgentSubmitCapabilityRequestInput
-
-## Properties
-
-### operation?
-
-> `optional` **operation?**: `"dispatch_http"` \| `"custom_http"`
-
-***
-
-### read
-
-> **read**: `CapabilityReadPolicy`
-
-***
-
-### reason
-
-> **reason**: `string`
-
-***
-
-### requestedAt?
-
-> `optional` **requestedAt?**: `string`
-
-***
-
-### secretAliases?
-
-> `optional` **secretAliases?**: readonly `string`[]
-
-***
-
-### write
-
-> **write**: `Omit`\<`CapabilityWritePolicy`, `"secretIds"`\>

package/docs/api/interfaces/VaultApproveCapabilityRequestInput.md

@@ -1,23 +0,0 @@
-[**CBIO Node Runtime Agent API v1.63.3**](../README.md)
-
-***
-
-# Interface: VaultApproveCapabilityRequestInput
-
-## Properties
-
-### read?
-
-> `optional` **read?**: `CapabilityReadPolicy`
-
-***
-
-### requestedAt?
-
-> `optional` **requestedAt?**: `string`
-
-***
-
-### requestId
-
-> **requestId**: `string`