@the-ai-company/cbio-node-runtime 1.63.3 → 1.63.5

package/dist/clients/owner/client.js

@@ -1,27 +1,26 @@
-import { LocalSigner } from "../../protocol/crypto.js";
 import { OwnerClientError, OwnerClientErrorCode } from "../../errors.js";
-import { createAgentIdValue, createCapabilityIdValue, createFlowIdValue, createRequestIdValue, } from "../../internal/id-factory.js";
+import { createFlowIdValue, createRequestIdValue, } from "../../internal/id-factory.js";
 import { createIdentity, restoreIdentity } from "../../runtime/identity.js";
 import { SystemClock } from "../../vault-core/index.js";
 const VAULT_MASTER_ID = "vault-master";
-class DefaultVaultClient {
+class DefaultOwnerClient {
     _vault;
-    _identity;
+    _rootAgentIdInput;
     _signer;
     _clock;
     _skipWarmup;
     _passwordVerifier;
     _sensitiveActionVerifier;
-    _identityId;
-    constructor(_vault, _identity, _signer, _clock = new SystemClock(), _skipWarmup = false, _passwordVerifier, _sensitiveActionVerifier) {
+    _rootAgentId;
+    constructor(_vault, _rootAgentIdInput, _signer, _clock = new SystemClock(), _skipWarmup = false, _passwordVerifier, _sensitiveActionVerifier) {
         this._vault = _vault;
-        this._identity = _identity;
+        this._rootAgentIdInput = _rootAgentIdInput;
         this._signer = _signer;
         this._clock = _clock;
         this._skipWarmup = _skipWarmup;
         this._passwordVerifier = _passwordVerifier;
         this._sensitiveActionVerifier = _sensitiveActionVerifier;
-        this._identityId = _identity?.identityId ?? VAULT_MASTER_ID;
+        this._rootAgentId = _rootAgentIdInput ?? VAULT_MASTER_ID;
     }
     async _confirmSensitiveAction(confirmation, context) {
         const normalizedPassword = confirmation.password.trim();
@@ -39,38 +38,13 @@ class DefaultVaultClient {
             return;
         }
         if (!this._passwordVerifier) {
-            throw new OwnerClientError(OwnerClientErrorCode.SENSITIVE_ACTION_VERIFIER_REQUIRED, "VaultClient: sensitiveActionVerifier or passwordVerifier is required for sensitive reads");
+            throw new OwnerClientError(OwnerClientErrorCode.SENSITIVE_ACTION_VERIFIER_REQUIRED, "OwnerClient: sensitiveActionVerifier or passwordVerifier is required for sensitive reads");
         }
         const valid = await this._passwordVerifier(normalizedPassword);
         if (!valid) {
             throw new OwnerClientError(OwnerClientErrorCode.SENSITIVE_ACTION_INVALID_PASSWORD, "invalid vault password");
         }
     }
-    _resolveGrantedCapability(input) {
-        if ("capability" in input) {
-            return {
-                requestedAt: input.requestedAt ?? input.capability.issuedAt,
-                capability: {
-                    vaultId: input.capability.vaultId,
-                    capabilityId: input.capability.capabilityId,
-                    agentId: input.capability.agentId,
-                    operation: input.capability.operation,
-                    customFlowId: input.capability.customFlowId,
-                    write: input.capability.write,
-                    read: input.capability.read,
-                    issuedAt: input.capability.issuedAt,
-                    expiresAt: input.capability.expiresAt,
-                    rateLimit: input.capability.rateLimit,
-                    skipAudit: input.capability.skipAudit,
-                    auditRequired: input.capability.auditRequired,
-                },
-            };
-        }
-        return {
-            requestedAt: input.requestedAt,
-            capability: input,
-        };
-    }
     async ownerCreateSecret(input) {
         const requestedAt = input.requestedAt ?? this._clock.nowIso();
         const requestId = createRequestIdValue("create_secret");
@@ -80,7 +54,7 @@ class DefaultVaultClient {
             requestId,
             owner: {
                 kind: "owner",
-                id: this._identityId,
+                id: this._rootAgentId,
             },
             alias: input.alias,
             plaintext: input.plaintext,
@@ -97,7 +71,7 @@ class DefaultVaultClient {
             requestId,
             owner: {
                 kind: "owner",
-                id: this._identityId,
+                id: this._rootAgentId,
             },
             alias: input.alias,
             plaintext: input.plaintext,
@@ -112,9 +86,9 @@ class DefaultVaultClient {
             vaultId: this._vault.vaultId,
             actor: {
                 kind: "owner",
-                id: this._identityId,
+                id: this._rootAgentId,
             },
-            query,
+            query: { ...query, vaultId: this._vault.vaultId },
             requestId,
             requestedAt,
         });
@@ -133,7 +107,7 @@ class DefaultVaultClient {
             vaultId: this._vault.vaultId,
             actor: {
                 kind: "owner",
-                id: this._identityId,
+                id: this._rootAgentId,
             },
             alias: input.alias,
             requestId,
@@ -152,7 +126,7 @@ class DefaultVaultClient {
             vaultId: this._vault.vaultId,
             actor: {
                 kind: "owner",
-                id: this._identityId,
+                id: this._rootAgentId,
             },
             alias: input.alias,
             requestId: createRequestIdValue("read_secret_plaintext"),
@@ -166,7 +140,7 @@ class DefaultVaultClient {
             verificationCode: input.verificationCode,
         }, {
             action: "read_agent_private_key",
-            subject: input.agentId,
+            subject: input.rootAgentId,
         });
         const agents = await this._vault.ownerListAgents({
             vaultId: this._vault.vaultId,
@@ -174,10 +148,10 @@ class DefaultVaultClient {
             requestedAt: input.requestedAt ?? this._clock.nowIso(),
             actor: {
                 kind: "owner",
-                id: this._identityId,
+                id: this._rootAgentId,
             },
         });
-        const agent = agents.find((record) => record.agentId === input.agentId);
+        const agent = agents.find((record) => record.rootAgentId === input.rootAgentId);
         if (!agent?.privateKey) {
             throw new OwnerClientError(OwnerClientErrorCode.AGENT_PRIVATE_KEY_NOT_FOUND, "agent private key not found");
         }
@@ -185,11 +159,10 @@ class DefaultVaultClient {
     }
     async _ownerRegisterManagedAgentIdentity(input) {
         const requestedAt = input.requestedAt ?? this._clock.nowIso();
-        const requestId = createRequestIdValue("register_agent_identity");
-        const agentIdentity = {
+        const requestId = createRequestIdValue("register_agent.identity");
+        const agentRecord = {
             vaultId: this._vault.vaultId,
-            agentId: input.agentId,
-            identityId: input.identityId,
+            rootAgentId: input.rootAgentId,
             publicKey: input.publicKey,
             privateKey: input.privateKey,
             metadata: input.metadata,
@@ -200,18 +173,17 @@ class DefaultVaultClient {
             requestId,
             owner: {
                 kind: "owner",
-                id: this._identityId,
+                id: this._rootAgentId,
             },
-            agentIdentity,
+            agentRecord,
             requestedAt,
         });
-        return agentIdentity;
+        return agentRecord;
     }
     async ownerImportAgent(input) {
         const identity = restoreIdentity(input.privateKey, { nickname: input.nickname });
         const agent = await this._ownerRegisterManagedAgentIdentity({
-            agentId: createAgentIdValue(),
-            identityId: identity.identityId,
+            rootAgentId: identity.rootAgentId,
             publicKey: identity.publicKey,
             privateKey: identity.privateKey,
             metadata: input.metadata,
@@ -219,7 +191,7 @@ class DefaultVaultClient {
             requestedAt: input.requestedAt,
         });
         const sessionToken = await this.ownerIssueSessionToken({
-            agentId: agent.agentId,
+            rootAgentId: agent.rootAgentId,
             requestedAt: input.requestedAt,
         });
         return {
@@ -233,8 +205,7 @@ class DefaultVaultClient {
     async ownerCreateAgent(input) {
         const identity = createIdentity();
         const agent = await this._ownerRegisterManagedAgentIdentity({
-            agentId: createAgentIdValue(),
-            identityId: identity.identityId,
+            rootAgentId: identity.rootAgentId,
             publicKey: identity.publicKey,
             privateKey: identity.privateKey,
             metadata: input.metadata,
@@ -242,7 +213,7 @@ class DefaultVaultClient {
             requestedAt: input.requestedAt,
         });
         const sessionToken = await this.ownerIssueSessionToken({
-            agentId: agent.agentId,
+            rootAgentId: agent.rootAgentId,
             requestedAt: input.requestedAt,
         });
         return {
@@ -255,17 +226,17 @@ class DefaultVaultClient {
     }
     async ownerUpdateAgent(input) {
         const requestedAt = input.requestedAt ?? this._clock.nowIso();
-        const requestId = createRequestIdValue("update_agent_identity");
+        const requestId = createRequestIdValue("update_agent.identity");
         const updated = await this._vault.ownerUpdateAgentIdentity({
             vaultId: this._vault.vaultId,
             requestId,
             owner: {
                 kind: "owner",
-                id: this._identityId,
+                id: this._rootAgentId,
             },
-            agentId: input.agentId,
-            nickname: input.nickname,
             metadata: input.metadata,
+            rootAgentId: input.rootAgentId,
+            nickname: input.nickname,
             requestedAt,
         });
         return {
@@ -273,42 +244,58 @@ class DefaultVaultClient {
             privateKey: undefined,
         };
     }
-    async ownerGrantCapability(input) {
-        const normalized = this._resolveGrantedCapability(input);
-        const requestedAt = normalized.requestedAt ?? this._clock.nowIso();
-        const capabilityId = normalized.capability.capabilityId ?? createCapabilityIdValue();
-        const requestId = createRequestIdValue("register_capability");
-        const skipAudit = normalized.capability.skipAudit ?? (normalized.capability.auditRequired === undefined
-            ? undefined
-            : !normalized.capability.auditRequired);
-        const capability = {
-            vaultId: normalized.capability.vaultId ?? this._vault.vaultId,
-            agentId: normalized.capability.agentId,
-            capabilityId,
-            operation: normalized.capability.operation ?? "dispatch_http",
-            customFlowId: normalized.capability.customFlowId,
-            write: {
-                secretIds: normalized.capability.write.secretIds ? [...normalized.capability.write.secretIds] : undefined,
-                scope: normalized.capability.write.scope,
-                methods: [...normalized.capability.write.methods],
-            },
-            read: { paths: [...normalized.capability.read.paths] },
-            expiresAt: normalized.capability.expiresAt,
-            rateLimit: normalized.capability.rateLimit,
-            skipAudit,
-            issuedAt: normalized.capability.issuedAt ?? requestedAt,
-        };
-        await this._vault.ownerRegisterCapability({
+    async ownerGrantAgentSecret(input) {
+        const requestedAt = input.requestedAt ?? this._clock.nowIso();
+        return this._vault.ownerGrantAgentSecret({
             vaultId: this._vault.vaultId,
-            requestId,
-            owner: {
-                kind: "owner",
-                id: this._identityId,
-            },
-            capability,
+            requestId: createRequestIdValue("grant_agent_secret"),
+            actor: { kind: "owner", id: this._rootAgentId },
+            rootAgentId: input.rootAgentId,
+            secretAlias: input.secretAlias,
+            requestedAt,
+        });
+    }
+    async ownerGrantSecretDestination(input) {
+        const requestedAt = input.requestedAt ?? this._clock.nowIso();
+        return this._vault.ownerGrantSecretDestination({
+            vaultId: this._vault.vaultId,
+            requestId: createRequestIdValue("grant_secret_destination"),
+            actor: { kind: "owner", id: this._rootAgentId },
+            secretAlias: input.secretAlias,
+            domain: input.domain,
+            requestedAt,
+        });
+    }
+    async ownerRevokeAgentSecret(input) {
+        const requestedAt = input.requestedAt ?? this._clock.nowIso();
+        return this._vault.ownerRevokeAgentSecret({
+            vaultId: this._vault.vaultId,
+            requestId: createRequestIdValue("revoke_agent_secret"),
+            actor: { kind: "owner", id: this._rootAgentId },
+            rootAgentId: input.rootAgentId,
+            secretAlias: input.secretAlias,
+            requestedAt,
+        });
+    }
+    async ownerRevokeSecretDestination(input) {
+        const requestedAt = input.requestedAt ?? this._clock.nowIso();
+        return this._vault.ownerRevokeSecretDestination({
+            vaultId: this._vault.vaultId,
+            requestId: createRequestIdValue("revoke_secret_destination"),
+            actor: { kind: "owner", id: this._rootAgentId },
+            secretAlias: input.secretAlias,
+            domain: input.domain,
+            requestedAt,
+        });
+    }
+    async ownerListGrants(input = {}) {
+        const requestedAt = this._clock.nowIso();
+        return this._vault.ownerListGrants({
+            vaultId: this._vault.vaultId,
+            requestId: createRequestIdValue("list_grants"),
+            actor: { kind: "owner", id: this._rootAgentId },
             requestedAt,
         });
-        return capability;
     }
     async ownerRegisterFlow(input) {
         const requestedAt = input.requestedAt ?? this._clock.nowIso();
@@ -327,7 +314,7 @@ class DefaultVaultClient {
             requestId,
             owner: {
                 kind: "owner",
-                id: this._identityId,
+                id: this._rootAgentId,
             },
             flow,
             requestedAt,
@@ -335,7 +322,7 @@ class DefaultVaultClient {
         return {
             vaultId: this._vault.vaultId,
             flowId,
-            ownerId: this._identityId,
+            ownerId: this._rootAgentId,
             mode: input.mode,
             targetUrl: input.targetUrl,
             method: input.method,
@@ -360,7 +347,7 @@ class DefaultVaultClient {
             requestId,
             owner: {
                 kind: "owner",
-                id: this._identityId,
+                id: this._rootAgentId,
             },
             alias: input.alias,
             requestedAt,
@@ -375,7 +362,7 @@ class DefaultVaultClient {
             requestedAt,
             actor: {
                 kind: "owner",
-                id: this._identityId,
+                id: this._rootAgentId,
             },
         });
         return agents.map((agent) => ({
@@ -383,20 +370,6 @@ class DefaultVaultClient {
             privateKey: undefined,
         }));
     }
-    async ownerListCapabilities(input = {}) {
-        const requestedAt = input.requestedAt ?? this._clock.nowIso();
-        const requestId = createRequestIdValue("list_capabilities");
-        return this._vault.ownerListCapabilities({
-            vaultId: this._vault.vaultId,
-            requestId,
-            requestedAt,
-            actor: {
-                kind: "owner",
-                id: this._identityId,
-            },
-            agentId: input.agentId,
-        });
-    }
     async ownerListRequests(input = {}) {
         const requestedAt = input.requestedAt ?? this._clock.nowIso();
         const requestId = createRequestIdValue("list_requests");
@@ -404,11 +377,8 @@ class DefaultVaultClient {
             vaultId: this._vault.vaultId,
             requestId,
             requestedAt,
-            actor: {
-                kind: "owner",
-                id: this._identityId,
-            },
-            agentId: input.agentId,
+            actor: { kind: "owner", id: this._rootAgentId },
+            rootAgentId: input.rootAgentId,
         });
     }
     async ownerGetRequest(input) {
@@ -420,20 +390,11 @@ class DefaultVaultClient {
             requestedAt,
             actor: {
                 kind: "owner",
-                id: this._identityId,
+                id: this._rootAgentId,
             },
             targetRequestId: input.requestId,
         });
     }
-    async ownerListCapabilityStates(input = {}) {
-        return this._vault.ownerListCapabilityStates({
-            vaultId: this._vault.vaultId,
-            owner: { kind: "owner", id: this._identityId },
-            agentId: input.agentId,
-            writeGranted: input.writeGranted,
-            readGranted: input.readGranted,
-        });
-    }
     async ownerListSecrets(input = {}) {
         const requestedAt = input.requestedAt ?? this._clock.nowIso();
         const requestId = createRequestIdValue("list_secrets");
@@ -441,37 +402,22 @@ class DefaultVaultClient {
             vaultId: this._vault.vaultId,
             owner: {
                 kind: "owner",
-                id: this._identityId,
+                id: this._rootAgentId,
             },
             requestId,
         });
     }
-    async ownerRevokeCapability(input) {
-        const requestedAt = input.requestedAt ?? this._clock.nowIso();
-        const requestId = createRequestIdValue("revoke_capability");
-        return this._vault.ownerRevokeCapability({
-            vaultId: this._vault.vaultId,
-            requestId,
-            requestedAt,
-            owner: {
-                kind: "owner",
-                id: this._identityId,
-            },
-            agentId: input.agentId,
-            capabilityId: input.capabilityId,
-        });
-    }
     async ownerIssueSessionToken(input) {
         const requestedAt = input.requestedAt ?? this._clock.nowIso();
         const requestId = createRequestIdValue("issue_session_token");
         return this._vault.ownerIssueSessionToken({
             vaultId: this._vault.vaultId,
+            requestId,
+            rootAgentId: input.rootAgentId,
             actor: {
                 kind: "owner",
-                id: this._identityId,
+                id: this._rootAgentId,
             },
-            agentId: input.agentId,
-            requestId,
             requestedAt,
         });
     }
@@ -480,120 +426,53 @@ class DefaultVaultClient {
             vaultId: this._vault.vaultId,
             actor: {
                 kind: "owner",
-                id: this._identityId,
+                id: this._rootAgentId,
             },
             token: input.token,
         });
     }
-    async ownerSubmitCapabilityRequest(input) {
-        const requestedAt = input.requestedAt ?? this._clock.nowIso();
-        const requestId = createRequestIdValue("submit_capability_request");
-        return this._vault.ownerSubmitCapabilityRequest({
-            vaultId: this._vault.vaultId,
-            requestId,
-            requester: input.requester,
-            agentId: input.agentId,
-            capability: {
-                operation: input.operation ?? "dispatch_http",
-                write: {
-                    secretIds: input.write.secretIds ? [...input.write.secretIds] : undefined,
-                    scope: input.write.scope,
-                    methods: [...input.write.methods],
-                },
-                read: { paths: [...input.read.paths] },
-                rateLimit: input.rateLimit,
-                skipAudit: input.skipAudit,
-                expiresAt: input.expiresAt,
-            },
-            reason: input.reason,
-            requestedAt,
-        });
-    }
     async ownerIssueAllSessionTokens() {
         return this._vault.ownerIssueAllAgentSessionTokens({
-            vaultId: this._vault.vaultId,
-            actor: { kind: "owner", id: this._identityId },
+            kind: "owner",
+            id: this._rootAgentId,
         });
     }
-    async ownerApproveCapabilityRead(input) {
-        return this._vault.ownerApproveCapabilityRead({
-            vaultId: this._vault.vaultId,
-            requestId: input.requestId,
-            owner: { kind: "owner", id: this._identityId },
-            read: input.read ? { paths: [...input.read.paths] } : undefined,
-        });
-    }
-    async ownerAllowOnce(input) {
-        return this._vault.ownerAllowOnce({
-            vaultId: this._vault.vaultId,
-            requestId: input.requestId,
-            owner: { kind: "owner", id: this._identityId },
-        });
-    }
-    async ownerAllowAlways(input) {
-        return this._vault.ownerAllowAlways({
+    async ownerApproveDispatch(input) {
+        const requestedAt = this._clock.nowIso();
+        return this._vault.ownerApproveDispatch({
             vaultId: this._vault.vaultId,
             requestId: input.requestId,
-            owner: { kind: "owner", id: this._identityId },
+            actor: { kind: "owner", id: this._rootAgentId },
+            decision: input.decision,
+            requestedAt,
         });
     }
-    async ownerDeny(requestId) {
-        return this._vault.ownerDeny({
+    async ownerDenyDispatch(requestId) {
+        const requestedAt = this._clock.nowIso();
+        await this._vault.ownerApproveDispatch({
             vaultId: this._vault.vaultId,
             requestId,
-            owner: { kind: "owner", id: this._identityId },
+            actor: { kind: "owner", id: this._rootAgentId },
+            decision: "deny",
+            requestedAt,
         });
     }
-    ownerOnCapabilityState(callback) {
-        return this._vault.ownerOnCapabilityState(callback);
+    ownerOnPendingDispatch(callback) {
+        return this._vault.ownerOnPendingDispatch(callback);
     }
 }
-function isCreateVaultClientOptions(value) {
-    return typeof value === "object" && value !== null && "vault" in value;
-}
-function isCreatedIdentity(value) {
-    return "privateKey" in value && "publicKey" in value;
-}
-function resolveVaultSigner(identity, signer) {
-    if (signer) {
-        return signer;
-    }
-    if (identity && isCreatedIdentity(identity)) {
-        return new LocalSigner(identity);
-    }
-    return undefined;
-}
-function resolveVaultIdentity(options) {
-    if (!options.ownerIdentity) {
-        return undefined;
-    }
-    return {
-        identityId: options.ownerIdentity.identityId,
-    };
-}
-/**
- * Creates a {@link VaultClient} instance for a specific vault owner.
- *
- * @param options - Configuration including optional owner identity and the vault service.
- * @returns An initialized {@link VaultClient}.
- *
- * @example
- * ```ts
- * const client = createVaultClient({
- *   ownerIdentity,
- *   vault
- * });
- * ```
- */
-export function createVaultClient(options) {
-    if (!isCreateVaultClientOptions(options)) {
-        throw new OwnerClientError(OwnerClientErrorCode.INVALID_CREATE_VAULT_CLIENT_OPTIONS, "createVaultClient() requires a single options object with 'vault'");
-    }
-    const client = new DefaultVaultClient(options.vault, resolveVaultIdentity(options), resolveVaultSigner(options.ownerIdentity, options.signer), options.clock ?? new SystemClock(), options.skipWarmup, options.passwordVerifier, options.sensitiveActionVerifier);
+export async function createOwnerClient(options) {
+    const identity = options.ownerIdentity;
+    const rootAgentId = identity.rootAgentId;
+    const client = new DefaultOwnerClient(options.vault, rootAgentId, undefined, // signer no longer directly used in simple owner client
+    options.clock ?? new SystemClock(), options.skipWarmup ?? false, options.passwordVerifier, options.sensitiveActionVerifier);
     if (!options.skipWarmup) {
-        client.ownerIssueAllSessionTokens().catch((err) => {
-            console.error("VaultClient: failed to warmup session tokens:", err);
-        });
+        try {
+            await client.ownerIssueAllSessionTokens();
+        }
+        catch (e) {
+            console.warn("OwnerClient warmup failed:", e);
+        }
     }
     return client;
 }