@the-ai-company/cbio-node-runtime 1.63.3 → 1.63.6
- package/README.md +48 -209
- package/dist/clients/agent/client.d.ts +18 -40
- package/dist/clients/agent/client.js +22 -109
- package/dist/clients/agent/client.js.map +1 -1
- package/dist/clients/agent/contracts.d.ts +1 -8
- package/dist/clients/agent/index.d.ts +1 -1
- package/dist/clients/owner/client.d.ts +2 -102
- package/dist/clients/owner/client.js +111 -266
- package/dist/clients/owner/client.js.map +1 -1
- package/dist/clients/owner/contracts.d.ts +37 -75
- package/dist/clients/owner/index.d.ts +2 -4
- package/dist/clients/owner/index.js +1 -2
- package/dist/clients/owner/index.js.map +1 -1
- package/dist/internal/id-factory.d.ts +0 -2
- package/dist/internal/id-factory.js +0 -6
- package/dist/internal/id-factory.js.map +1 -1
- package/dist/protocol/identity.d.ts +1 -1
- package/dist/protocol/identity.js +3 -3
- package/dist/protocol/identity.js.map +1 -1
- package/dist/public-types.d.ts +5 -14
- package/dist/public-types.js +1 -8
- package/dist/public-types.js.map +1 -1
- package/dist/runtime/bootstrap.d.ts +1 -3
- package/dist/runtime/bootstrap.js.map +1 -1
- package/dist/runtime/identity.d.ts +2 -2
- package/dist/runtime/identity.js +3 -5
- package/dist/runtime/identity.js.map +1 -1
- package/dist/runtime/index.d.ts +10 -12
- package/dist/runtime/index.js +7 -8
- package/dist/runtime/index.js.map +1 -1
- package/dist/runtime/owner-session.d.ts +7 -6
- package/dist/runtime/owner-session.js +5 -6
- package/dist/runtime/owner-session.js.map +1 -1
- package/dist/storage/fs.d.ts +3 -2
- package/dist/storage/fs.js +8 -5
- package/dist/storage/fs.js.map +1 -1
- package/dist/storage/prefix.d.ts +1 -0
- package/dist/storage/prefix.js +7 -0
- package/dist/storage/prefix.js.map +1 -1
- package/dist/storage/provider.d.ts +2 -0
- package/dist/vault-core/contracts.d.ts +95 -210
- package/dist/vault-core/contracts.js +8 -11
- package/dist/vault-core/contracts.js.map +1 -1
- package/dist/vault-core/core.d.ts +119 -62
- package/dist/vault-core/core.js +518 -1180
- package/dist/vault-core/core.js.map +1 -1
- package/dist/vault-core/defaults.d.ts +22 -44
- package/dist/vault-core/defaults.js +65 -234
- package/dist/vault-core/defaults.js.map +1 -1
- package/dist/vault-core/errors.d.ts +3 -2
- package/dist/vault-core/errors.js.map +1 -1
- package/dist/vault-core/index.d.ts +5 -5
- package/dist/vault-core/index.js +2 -2
- package/dist/vault-core/index.js.map +1 -1
- package/dist/vault-core/persistence.d.ts +72 -119
- package/dist/vault-core/persistence.js +310 -427
- package/dist/vault-core/persistence.js.map +1 -1
- package/dist/vault-core/ports.d.ts +19 -30
- package/dist/vault-core/read-policy.d.ts +3 -2
- package/dist/vault-core/read-policy.js.map +1 -1
- package/dist/vault-core/tool-metadata.js +2 -2
- package/dist/vault-core/tool-metadata.js.map +1 -1
- package/dist/vault-ingress/defaults.d.ts +4 -2
- package/dist/vault-ingress/defaults.js +14 -8
- package/dist/vault-ingress/defaults.js.map +1 -1
- package/dist/vault-ingress/index.d.ts +39 -119
- package/dist/vault-ingress/index.js +98 -456
- package/dist/vault-ingress/index.js.map +1 -1
- package/dist/vault-ingress/remote-transport.d.ts +5 -3
- package/dist/vault-ingress/remote-transport.js +8 -28
- package/dist/vault-ingress/remote-transport.js.map +1 -1
- package/docs/ARCHITECTURE.md +39 -22
- package/docs/CUSTODY_MODEL.md +1 -1
- package/docs/IDENTITY_MODEL.md +5 -5
- package/docs/MIGRATION-1.51.md +19 -19
- package/docs/MIGRATION-1.65.md +87 -0
- package/docs/PROCESS_ISOLATION.md +2 -2
- package/docs/REFERENCE.md +42 -224
- package/docs/api/README.md +48 -30
- package/docs/api/classes/IdentityError.md +1 -1
- package/docs/api/classes/OwnerClientError.md +1 -1
- package/docs/api/classes/PersistentVaultAgentIdentityRegistry.md +89 -0
- package/docs/api/classes/PersistentVaultAgentSecretGrantRegistry.md +125 -0
- package/docs/api/classes/PersistentVaultAuditLog.md +65 -0
- package/docs/api/classes/PersistentVaultSecretCustody.md +93 -0
- package/docs/api/classes/PersistentVaultSecretDestinationGrantRegistry.md +125 -0
- package/docs/api/classes/PersistentVaultSecretRepository.md +127 -0
- package/docs/api/classes/VaultCore.md +264 -237
- package/docs/api/classes/VaultCoreError.md +3 -3
- package/docs/api/enumerations/AuditAction.md +143 -0
- package/docs/api/enumerations/AuditOutcome.md +35 -0
- package/docs/api/enumerations/DispatchStatus.md +35 -0
- package/docs/api/enumerations/IdentityErrorCode.md +1 -1
- package/docs/api/enumerations/OwnerClientErrorCode.md +1 -1
- package/docs/api/functions/createAgentClient.md +1 -15
- package/docs/api/functions/createIdentity.md +2 -2
- package/docs/api/functions/createOwnerClient.md +17 -0
- package/docs/api/functions/createOwnerSession.md +1 -1
- package/docs/api/functions/createPersistentVaultCoreDependencies.md +4 -4
- package/docs/api/functions/createVault.md +1 -1
- package/docs/api/functions/createVaultCore.md +1 -1
- package/docs/api/functions/createVaultCoreDependencies.md +1 -1
- package/docs/api/functions/createVaultService.md +5 -13
- package/docs/api/functions/createWorkspaceStorage.md +1 -1
- package/docs/api/functions/deriveRootAgentId.md +17 -0
- package/docs/api/functions/deriveVaultWorkingKeyFromPassword.md +1 -1
- package/docs/api/functions/getDefaultWorkspaceDir.md +1 -1
- package/docs/api/functions/handleVaultAgentControlHttp.md +2 -2
- package/docs/api/functions/handleVaultHttpDispatch.md +2 -2
- package/docs/api/functions/initializeVaultCustody.md +7 -3
- package/docs/api/functions/listVaults.md +1 -1
- package/docs/api/functions/readVaultProfile.md +1 -1
- package/docs/api/functions/recoverVault.md +1 -1
- package/docs/api/functions/recoverVaultWorkingKey.md +4 -8
- package/docs/api/functions/restoreIdentity.md +1 -1
- package/docs/api/functions/updateVaultMetadata.md +1 -1
- package/docs/api/functions/writeVaultProfile.md +1 -1
- package/docs/api/interfaces/AgentClient.md +20 -59
- package/docs/api/interfaces/AgentDispatchIntent.md +1 -1
- package/docs/api/interfaces/AgentDispatchTransport.md +12 -44
- package/docs/api/interfaces/AgentIdentity.md +3 -3
- package/docs/api/interfaces/AgentIdentityRecord.md +47 -0
- package/docs/api/interfaces/AgentRequestResult.md +35 -0
- package/docs/api/interfaces/AgentRuntimeManifest.md +55 -0
- package/docs/api/interfaces/AgentSecretGrant.md +41 -0
- package/docs/api/interfaces/AgentSigner.md +1 -1
- package/docs/api/interfaces/AgentVisibleRequestRecord.md +53 -0
- package/docs/api/interfaces/AgentVisibleSecretRecord.md +65 -0
- package/docs/api/interfaces/AuditEntry.md +83 -0
- package/docs/api/interfaces/CbioRuntime.md +13 -154
- package/docs/api/interfaces/CreateAgentClientOptions.md +4 -10
- package/docs/api/interfaces/CreateIdentityOptions.md +1 -1
- package/docs/api/interfaces/{CreateVaultClientOptions.md → CreateOwnerClientOptions.md} +9 -11
- package/docs/api/interfaces/CreateOwnerSessionOptions.md +3 -121
- package/docs/api/interfaces/CreatePersistentVaultCoreDependenciesOptions.md +3 -131
- package/docs/api/interfaces/CreateVaultOptions.md +1 -125
- package/docs/api/interfaces/CreatedVault.md +2 -2
- package/docs/api/interfaces/DefaultPolicyEngineOptions.md +1 -13
- package/docs/api/interfaces/DispatchAuthorization.md +43 -0
- package/docs/api/interfaces/DispatchInstruction.md +47 -0
- package/docs/api/interfaces/DispatchRequest.md +83 -0
- package/docs/api/interfaces/DispatchResult.md +53 -0
- package/docs/api/interfaces/IStorageProvider.md +13 -1
- package/docs/api/interfaces/InitializeVaultCustodyOptions.md +31 -11
- package/docs/api/interfaces/InitializedVaultCustody.md +1 -7
- package/docs/api/interfaces/OwnerAgentProvisionResult.md +2 -2
- package/docs/api/interfaces/OwnerClient.md +401 -0
- package/docs/api/interfaces/OwnerCreateSecretInput.md +1 -1
- package/docs/api/interfaces/OwnerRemoveSecretInput.md +1 -1
- package/docs/api/interfaces/OwnerRequestRecord.md +97 -0
- package/docs/api/interfaces/OwnerSensitiveActionConfirmation.md +1 -1
- package/docs/api/interfaces/OwnerSensitiveActionContext.md +1 -1
- package/docs/api/interfaces/OwnerSession.md +3 -3
- package/docs/api/interfaces/OwnerUpdateSecretInput.md +1 -1
- package/docs/api/interfaces/OwnerVisibleRequestRecord.md +73 -0
- package/docs/api/interfaces/RecoverVaultOptions.md +1 -125
- package/docs/api/interfaces/RecoveredVault.md +2 -2
- package/docs/api/interfaces/RequestRecord.md +107 -0
- package/docs/api/interfaces/RestoreIdentityOptions.md +1 -1
- package/docs/api/interfaces/SecretAlias.md +11 -0
- package/docs/api/interfaces/SecretDestinationGrant.md +41 -0
- package/docs/api/interfaces/SecretId.md +11 -0
- package/docs/api/interfaces/SecretRecord.md +89 -0
- package/docs/api/interfaces/Signer.md +1 -1
- package/docs/api/interfaces/VaultApproveDispatchInput.md +3 -9
- package/docs/api/interfaces/VaultAuditQueryInput.md +1 -1
- package/docs/api/interfaces/VaultCoreDependenciesOptions.md +1 -5
- package/docs/api/interfaces/VaultCreateAgentInput.md +1 -1
- package/docs/api/interfaces/VaultExportSecretInput.md +1 -1
- package/docs/api/interfaces/VaultGetRequestInput.md +17 -0
- package/docs/api/interfaces/VaultGrantAgentSecretInput.md +23 -0
- package/docs/api/interfaces/VaultGrantSecretDestinationInput.md +23 -0
- package/docs/api/interfaces/VaultId.md +11 -0
- package/docs/api/interfaces/VaultImportAgentInput.md +1 -1
- package/docs/api/interfaces/VaultIssueSessionTokenInput.md +5 -5
- package/docs/api/interfaces/VaultListAgentsInput.md +1 -1
- package/docs/api/interfaces/VaultListGrantsInput.md +23 -0
- package/docs/api/interfaces/VaultListRequestsInput.md +17 -0
- package/docs/api/interfaces/VaultListSecretsInput.md +1 -1
- package/docs/api/interfaces/VaultMetadata.md +1 -1
- package/docs/api/interfaces/VaultObject.md +2 -2
- package/docs/api/interfaces/VaultPrincipal.md +17 -0
- package/docs/api/interfaces/VaultProfile.md +1 -1
- package/docs/api/interfaces/VaultReadAgentPrivateKeyInput.md +7 -7
- package/docs/api/interfaces/VaultReadSecretPlaintextInput.md +1 -1
- package/docs/api/interfaces/VaultRevokeAgentSecretInput.md +23 -0
- package/docs/api/interfaces/VaultRevokeSecretDestinationInput.md +23 -0
- package/docs/api/interfaces/VaultRevokeSessionTokenInput.md +1 -1
- package/docs/api/interfaces/VaultService.md +511 -0
- package/docs/api/interfaces/VaultUpdateAgentInput.md +7 -7
- package/docs/api/type-aliases/AgentId.md +7 -0
- package/docs/api/type-aliases/CbioRuntimeModule.md +1 -1
- package/docs/api/type-aliases/DispatchApprovalDecision.md +7 -0
- package/docs/api/type-aliases/GrantStatus.md +7 -0
- package/docs/api/type-aliases/SecretLifecycleStatus.md +7 -0
- package/docs/api/type-aliases/VaultPrincipalKind.md +7 -0
- package/docs/api/variables/DEFAULT_VAULT_KEY_CUSTODY_BLOB_KEY.md +2 -2
- package/docs/es/README.md +3 -3
- package/docs/fr/README.md +3 -3
- package/docs/ja/README.md +5 -5
- package/docs/ko/README.md +5 -5
- package/docs/pt/README.md +3 -3
- package/docs/zh/PROCESS_ISOLATION.md +2 -2
- package/docs/zh/README.md +47 -63
- package/examples/process-isolation.ts +26 -35
- package/package.json +1 -1
- package/docs/api/functions/createOwnerHttpFlowBoundary.md +0 -17
- package/docs/api/functions/createStandardAcquireBoundary.md +0 -31
- package/docs/api/functions/createStandardDispatchBoundary.md +0 -23
- package/docs/api/functions/createVaultClient.md +0 -32
- package/docs/api/functions/deriveIdentityId.md +0 -17
- package/docs/api/functions/wrapVaultCoreAsVaultService.md +0 -31
- package/docs/api/interfaces/AgentSubmitCapabilityRequestInput.md +0 -41
- package/docs/api/interfaces/VaultApproveCapabilityRequestInput.md +0 -23
- package/docs/api/interfaces/VaultClient.md +0 -473
- package/docs/api/interfaces/VaultGrantCapabilityInput.md +0 -79
- package/docs/api/interfaces/VaultGrantCapabilityRequest.md +0 -23
- package/docs/api/interfaces/VaultIdentity.md +0 -11
- package/docs/api/interfaces/VaultListCapabilitiesInput.md +0 -17
- package/docs/api/interfaces/VaultRegisterFlowInput.md +0 -77
- package/docs/api/interfaces/VaultRevokeCapabilityInput.md +0 -23
- package/docs/api/interfaces/VaultSigner.md +0 -21
- package/docs/api/interfaces/VaultSubmitCapabilityRequestInput.md +0 -73
- package/docs/api/type-aliases/AgentCapabilityEnvelope.md +0 -7
- package/docs/api/type-aliases/AgentVisibleSecretRecord.md +0 -7
- package/docs/api/type-aliases/CreateOwnerClientOptions.md +0 -7
- package/docs/api/type-aliases/OwnerAgentView.md +0 -7
- package/docs/api/type-aliases/OwnerClient.md +0 -13
- package/docs/api/type-aliases/OwnerGrantCapabilityInput.md +0 -7
- package/docs/api/type-aliases/OwnerPendingApprovalView.md +0 -7
- package/docs/api/type-aliases/OwnerRequestDetailView.md +0 -7
- package/docs/api/type-aliases/OwnerRequestSummaryView.md +0 -7
- package/docs/api/type-aliases/OwnerSecretView.md +0 -7
|
@@ -1,27 +1,26 @@
|
|
|
1
|
-
import { LocalSigner } from "../../protocol/crypto.js";
|
|
2
1
|
import { OwnerClientError, OwnerClientErrorCode } from "../../errors.js";
|
|
3
|
-
import {
|
|
2
|
+
import { createRequestIdValue, } from "../../internal/id-factory.js";
|
|
4
3
|
import { createIdentity, restoreIdentity } from "../../runtime/identity.js";
|
|
5
4
|
import { SystemClock } from "../../vault-core/index.js";
|
|
6
5
|
const VAULT_MASTER_ID = "vault-master";
|
|
7
|
-
class
|
|
6
|
+
class DefaultOwnerClient {
|
|
8
7
|
_vault;
|
|
9
|
-
|
|
8
|
+
_rootAgentIdInput;
|
|
10
9
|
_signer;
|
|
11
10
|
_clock;
|
|
12
11
|
_skipWarmup;
|
|
13
12
|
_passwordVerifier;
|
|
14
13
|
_sensitiveActionVerifier;
|
|
15
|
-
|
|
16
|
-
constructor(_vault,
|
|
14
|
+
_rootAgentId;
|
|
15
|
+
constructor(_vault, _rootAgentIdInput, _signer, _clock = new SystemClock(), _skipWarmup = false, _passwordVerifier, _sensitiveActionVerifier) {
|
|
17
16
|
this._vault = _vault;
|
|
18
|
-
this.
|
|
17
|
+
this._rootAgentIdInput = _rootAgentIdInput;
|
|
19
18
|
this._signer = _signer;
|
|
20
19
|
this._clock = _clock;
|
|
21
20
|
this._skipWarmup = _skipWarmup;
|
|
22
21
|
this._passwordVerifier = _passwordVerifier;
|
|
23
22
|
this._sensitiveActionVerifier = _sensitiveActionVerifier;
|
|
24
|
-
this.
|
|
23
|
+
this._rootAgentId = _rootAgentIdInput ?? VAULT_MASTER_ID;
|
|
25
24
|
}
|
|
26
25
|
async _confirmSensitiveAction(confirmation, context) {
|
|
27
26
|
const normalizedPassword = confirmation.password.trim();
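Review bot: The constructor line `this._rootAgentId = _rootAgentIdInput ?? VAULT_MASTER_ID;` falls back to the shared `"vault-master"` constant with no comment or validation, and `??` lets an empty string through as the owner id. That value is sent as the owner/actor `id` on every vault request in this file, so any caller that omits the argument is attributed to the same principal; the removed line is truncated, so whether the fallback already existed cannot be told from here. I would reject an empty string explicitly and put a comment such as `// No root agent id supplied: act as the shared "vault-master" owner principal.` above the assignment. `_rootAgentIdInput` is also kept as a field but is not read in any hunk shown, so it can be dropped if nothing else uses it. `_confirmSensitiveAction` continues outside the hunk.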
|
|
@@ -39,38 +38,13 @@ class DefaultVaultClient {
|
|
|
39
38
|
return;
|
|
40
39
|
}
|
|
41
40
|
if (!this._passwordVerifier) {
|
|
42
|
-
throw new OwnerClientError(OwnerClientErrorCode.SENSITIVE_ACTION_VERIFIER_REQUIRED, "
|
|
41
|
+
throw new OwnerClientError(OwnerClientErrorCode.SENSITIVE_ACTION_VERIFIER_REQUIRED, "OwnerClient: sensitiveActionVerifier or passwordVerifier is required for sensitive reads");
|
|
43
42
|
}
|
|
44
43
|
const valid = await this._passwordVerifier(normalizedPassword);
|
|
45
44
|
if (!valid) {
|
|
46
45
|
throw new OwnerClientError(OwnerClientErrorCode.SENSITIVE_ACTION_INVALID_PASSWORD, "invalid vault password");
|
|
47
46
|
}
|
|
48
47
|
}
|
|
49
|
-
_resolveGrantedCapability(input) {
|
|
50
|
-
if ("capability" in input) {
|
|
51
|
-
return {
|
|
52
|
-
requestedAt: input.requestedAt ?? input.capability.issuedAt,
|
|
53
|
-
capability: {
|
|
54
|
-
vaultId: input.capability.vaultId,
|
|
55
|
-
capabilityId: input.capability.capabilityId,
|
|
56
|
-
agentId: input.capability.agentId,
|
|
57
|
-
operation: input.capability.operation,
|
|
58
|
-
customFlowId: input.capability.customFlowId,
|
|
59
|
-
write: input.capability.write,
|
|
60
|
-
read: input.capability.read,
|
|
61
|
-
issuedAt: input.capability.issuedAt,
|
|
62
|
-
expiresAt: input.capability.expiresAt,
|
|
63
|
-
rateLimit: input.capability.rateLimit,
|
|
64
|
-
skipAudit: input.capability.skipAudit,
|
|
65
|
-
auditRequired: input.capability.auditRequired,
|
|
66
|
-
},
|
|
67
|
-
};
|
|
68
|
-
}
|
|
69
|
-
return {
|
|
70
|
-
requestedAt: input.requestedAt,
|
|
71
|
-
capability: input,
|
|
72
|
-
};
|
|
73
|
-
}
|
|
74
48
|
async ownerCreateSecret(input) {
|
|
75
49
|
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
76
50
|
const requestId = createRequestIdValue("create_secret");
|
|
@@ -80,7 +54,7 @@ class DefaultVaultClient {
|
|
|
80
54
|
requestId,
|
|
81
55
|
owner: {
|
|
82
56
|
kind: "owner",
|
|
83
|
-
id: this.
|
|
57
|
+
id: this._rootAgentId,
|
|
84
58
|
},
|
|
85
59
|
alias: input.alias,
|
|
86
60
|
plaintext: input.plaintext,
|
|
@@ -97,7 +71,7 @@ class DefaultVaultClient {
|
|
|
97
71
|
requestId,
|
|
98
72
|
owner: {
|
|
99
73
|
kind: "owner",
|
|
100
|
-
id: this.
|
|
74
|
+
id: this._rootAgentId,
|
|
101
75
|
},
|
|
102
76
|
alias: input.alias,
|
|
103
77
|
plaintext: input.plaintext,
|
|
@@ -112,9 +86,9 @@ class DefaultVaultClient {
|
|
|
112
86
|
vaultId: this._vault.vaultId,
|
|
113
87
|
actor: {
|
|
114
88
|
kind: "owner",
|
|
115
|
-
id: this.
|
|
89
|
+
id: this._rootAgentId,
|
|
116
90
|
},
|
|
117
|
-
query,
|
|
91
|
+
query: { ...query, vaultId: this._vault.vaultId },
|
|
118
92
|
requestId,
|
|
119
93
|
requestedAt,
|
|
120
94
|
});
|
|
@@ -133,7 +107,7 @@ class DefaultVaultClient {
|
|
|
133
107
|
vaultId: this._vault.vaultId,
|
|
134
108
|
actor: {
|
|
135
109
|
kind: "owner",
|
|
136
|
-
id: this.
|
|
110
|
+
id: this._rootAgentId,
|
|
137
111
|
},
|
|
138
112
|
alias: input.alias,
|
|
139
113
|
requestId,
|
|
@@ -152,7 +126,7 @@ class DefaultVaultClient {
|
|
|
152
126
|
vaultId: this._vault.vaultId,
|
|
153
127
|
actor: {
|
|
154
128
|
kind: "owner",
|
|
155
|
-
id: this.
|
|
129
|
+
id: this._rootAgentId,
|
|
156
130
|
},
|
|
157
131
|
alias: input.alias,
|
|
158
132
|
requestId: createRequestIdValue("read_secret_plaintext"),
|
|
@@ -166,7 +140,7 @@ class DefaultVaultClient {
|
|
|
166
140
|
verificationCode: input.verificationCode,
|
|
167
141
|
}, {
|
|
168
142
|
action: "read_agent_private_key",
|
|
169
|
-
subject: input.
|
|
143
|
+
subject: input.rootAgentId,
|
|
170
144
|
});
|
|
171
145
|
const agents = await this._vault.ownerListAgents({
|
|
172
146
|
vaultId: this._vault.vaultId,
|
|
@@ -174,10 +148,10 @@ class DefaultVaultClient {
|
|
|
174
148
|
requestedAt: input.requestedAt ?? this._clock.nowIso(),
|
|
175
149
|
actor: {
|
|
176
150
|
kind: "owner",
|
|
177
|
-
id: this.
|
|
151
|
+
id: this._rootAgentId,
|
|
178
152
|
},
|
|
179
153
|
});
|
|
180
|
-
const agent = agents.find((record) => record.
|
|
154
|
+
const agent = agents.find((record) => record.rootAgentId === input.rootAgentId);
|
|
181
155
|
if (!agent?.privateKey) {
|
|
182
156
|
throw new OwnerClientError(OwnerClientErrorCode.AGENT_PRIVATE_KEY_NOT_FOUND, "agent private key not found");
|
|
183
157
|
}
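Review bot: `agents.find((record) => record.rootAgentId === input.rootAgentId)` has no guard for a missing `input.rootAgentId`, so `undefined === undefined` would match the first listed record that lacks a `rootAgentId` field and hand back that agent's private key. Records written before the field was renamed may be in that state, although the persistence layer is not visible here. In the same call, the `subject: input.rootAgentId` passed to the confirmation step in the previous hunk would also be `undefined`. A check placed before the confirmation step closes both: `if (typeof input.rootAgentId !== "string" || input.rootAgentId === "") throw new OwnerClientError(OwnerClientErrorCode.AGENT_PRIVATE_KEY_NOT_FOUND, "agent private key not found");`. The enclosing method starts and ends outside the hunk.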
|
|
@@ -185,11 +159,10 @@ class DefaultVaultClient {
|
|
|
185
159
|
}
|
|
186
160
|
async _ownerRegisterManagedAgentIdentity(input) {
|
|
187
161
|
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
188
|
-
const requestId = createRequestIdValue("
|
|
189
|
-
const
|
|
162
|
+
const requestId = createRequestIdValue("register_agent.identity");
|
|
163
|
+
const agentRecord = {
|
|
190
164
|
vaultId: this._vault.vaultId,
|
|
191
|
-
|
|
192
|
-
identityId: input.identityId,
|
|
165
|
+
rootAgentId: input.rootAgentId,
|
|
193
166
|
publicKey: input.publicKey,
|
|
194
167
|
privateKey: input.privateKey,
|
|
195
168
|
metadata: input.metadata,
|
|
@@ -200,18 +173,17 @@ class DefaultVaultClient {
|
|
|
200
173
|
requestId,
|
|
201
174
|
owner: {
|
|
202
175
|
kind: "owner",
|
|
203
|
-
id: this.
|
|
176
|
+
id: this._rootAgentId,
|
|
204
177
|
},
|
|
205
|
-
|
|
178
|
+
agentRecord,
|
|
206
179
|
requestedAt,
|
|
207
180
|
});
|
|
208
|
-
return
|
|
181
|
+
return agentRecord;
|
|
209
182
|
}
|
|
210
183
|
async ownerImportAgent(input) {
|
|
211
184
|
const identity = restoreIdentity(input.privateKey, { nickname: input.nickname });
|
|
212
185
|
const agent = await this._ownerRegisterManagedAgentIdentity({
|
|
213
|
-
|
|
214
|
-
identityId: identity.identityId,
|
|
186
|
+
rootAgentId: identity.rootAgentId,
|
|
215
187
|
publicKey: identity.publicKey,
|
|
216
188
|
privateKey: identity.privateKey,
|
|
217
189
|
metadata: input.metadata,
|
|
@@ -219,7 +191,7 @@ class DefaultVaultClient {
|
|
|
219
191
|
requestedAt: input.requestedAt,
|
|
220
192
|
});
|
|
221
193
|
const sessionToken = await this.ownerIssueSessionToken({
|
|
222
|
-
|
|
194
|
+
rootAgentId: agent.rootAgentId,
|
|
223
195
|
requestedAt: input.requestedAt,
|
|
224
196
|
});
|
|
225
197
|
return {
|
|
@@ -233,8 +205,7 @@ class DefaultVaultClient {
|
|
|
233
205
|
async ownerCreateAgent(input) {
|
|
234
206
|
const identity = createIdentity();
|
|
235
207
|
const agent = await this._ownerRegisterManagedAgentIdentity({
|
|
236
|
-
|
|
237
|
-
identityId: identity.identityId,
|
|
208
|
+
rootAgentId: identity.rootAgentId,
|
|
238
209
|
publicKey: identity.publicKey,
|
|
239
210
|
privateKey: identity.privateKey,
|
|
240
211
|
metadata: input.metadata,
|
|
@@ -242,7 +213,7 @@ class DefaultVaultClient {
|
|
|
242
213
|
requestedAt: input.requestedAt,
|
|
243
214
|
});
|
|
244
215
|
const sessionToken = await this.ownerIssueSessionToken({
|
|
245
|
-
|
|
216
|
+
rootAgentId: agent.rootAgentId,
|
|
246
217
|
requestedAt: input.requestedAt,
|
|
247
218
|
});
|
|
248
219
|
return {
|
|
@@ -255,17 +226,17 @@ class DefaultVaultClient {
|
|
|
255
226
|
}
|
|
256
227
|
async ownerUpdateAgent(input) {
|
|
257
228
|
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
258
|
-
const requestId = createRequestIdValue("
|
|
229
|
+
const requestId = createRequestIdValue("update_agent.identity");
|
|
259
230
|
const updated = await this._vault.ownerUpdateAgentIdentity({
|
|
260
231
|
vaultId: this._vault.vaultId,
|
|
261
232
|
requestId,
|
|
262
233
|
owner: {
|
|
263
234
|
kind: "owner",
|
|
264
|
-
id: this.
|
|
235
|
+
id: this._rootAgentId,
|
|
265
236
|
},
|
|
266
|
-
agentId: input.agentId,
|
|
267
|
-
nickname: input.nickname,
|
|
268
237
|
metadata: input.metadata,
|
|
238
|
+
rootAgentId: input.rootAgentId,
|
|
239
|
+
nickname: input.nickname,
|
|
269
240
|
requestedAt,
|
|
270
241
|
});
|
|
271
242
|
return {
|
|
@@ -273,76 +244,58 @@ class DefaultVaultClient {
|
|
|
273
244
|
privateKey: undefined,
|
|
274
245
|
};
|
|
275
246
|
}
|
|
276
|
-
async
|
|
277
|
-
const
|
|
278
|
-
|
|
279
|
-
const capabilityId = normalized.capability.capabilityId ?? createCapabilityIdValue();
|
|
280
|
-
const requestId = createRequestIdValue("register_capability");
|
|
281
|
-
const skipAudit = normalized.capability.skipAudit ?? (normalized.capability.auditRequired === undefined
|
|
282
|
-
? undefined
|
|
283
|
-
: !normalized.capability.auditRequired);
|
|
284
|
-
const capability = {
|
|
285
|
-
vaultId: normalized.capability.vaultId ?? this._vault.vaultId,
|
|
286
|
-
agentId: normalized.capability.agentId,
|
|
287
|
-
capabilityId,
|
|
288
|
-
operation: normalized.capability.operation ?? "dispatch_http",
|
|
289
|
-
customFlowId: normalized.capability.customFlowId,
|
|
290
|
-
write: {
|
|
291
|
-
secretIds: normalized.capability.write.secretIds ? [...normalized.capability.write.secretIds] : undefined,
|
|
292
|
-
scope: normalized.capability.write.scope,
|
|
293
|
-
methods: [...normalized.capability.write.methods],
|
|
294
|
-
},
|
|
295
|
-
read: { paths: [...normalized.capability.read.paths] },
|
|
296
|
-
expiresAt: normalized.capability.expiresAt,
|
|
297
|
-
rateLimit: normalized.capability.rateLimit,
|
|
298
|
-
skipAudit,
|
|
299
|
-
issuedAt: normalized.capability.issuedAt ?? requestedAt,
|
|
300
|
-
};
|
|
301
|
-
await this._vault.ownerRegisterCapability({
|
|
247
|
+
async ownerGrantAgentSecret(input) {
|
|
248
|
+
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
249
|
+
return this._vault.ownerGrantAgentSecret({
|
|
302
250
|
vaultId: this._vault.vaultId,
|
|
303
|
-
requestId,
|
|
304
|
-
owner:
|
|
305
|
-
|
|
306
|
-
|
|
307
|
-
},
|
|
308
|
-
capability,
|
|
251
|
+
requestId: createRequestIdValue("grant_agent_secret"),
|
|
252
|
+
actor: { kind: "owner", id: this._rootAgentId },
|
|
253
|
+
rootAgentId: input.rootAgentId,
|
|
254
|
+
secretAlias: input.secretAlias,
|
|
309
255
|
requestedAt,
|
|
310
256
|
});
|
|
311
|
-
return capability;
|
|
312
257
|
}
|
|
313
|
-
async
|
|
258
|
+
async ownerGrantSecretDestination(input) {
|
|
314
259
|
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
315
|
-
|
|
316
|
-
const requestId = createRequestIdValue("register_custom_flow");
|
|
317
|
-
const flow = {
|
|
318
|
-
flowId,
|
|
319
|
-
mode: input.mode,
|
|
320
|
-
targetUrl: input.targetUrl,
|
|
321
|
-
method: input.method,
|
|
322
|
-
responseVisibility: input.responseVisibility,
|
|
323
|
-
responseSecret: input.responseSecret,
|
|
324
|
-
};
|
|
325
|
-
await this._vault.ownerRegisterCustomFlow({
|
|
260
|
+
return this._vault.ownerGrantSecretDestination({
|
|
326
261
|
vaultId: this._vault.vaultId,
|
|
327
|
-
requestId,
|
|
328
|
-
owner:
|
|
329
|
-
|
|
330
|
-
|
|
331
|
-
},
|
|
332
|
-
flow,
|
|
262
|
+
requestId: createRequestIdValue("grant_secret_destination"),
|
|
263
|
+
actor: { kind: "owner", id: this._rootAgentId },
|
|
264
|
+
secretAlias: input.secretAlias,
|
|
265
|
+
siteId: input.siteId,
|
|
333
266
|
requestedAt,
|
|
334
267
|
});
|
|
335
|
-
|
|
268
|
+
}
|
|
269
|
+
async ownerRevokeAgentSecret(input) {
|
|
270
|
+
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
271
|
+
return this._vault.ownerRevokeAgentSecret({
|
|
336
272
|
vaultId: this._vault.vaultId,
|
|
337
|
-
|
|
338
|
-
|
|
339
|
-
|
|
340
|
-
|
|
341
|
-
|
|
342
|
-
|
|
343
|
-
|
|
344
|
-
|
|
345
|
-
|
|
273
|
+
requestId: createRequestIdValue("revoke_agent_secret"),
|
|
274
|
+
actor: { kind: "owner", id: this._rootAgentId },
|
|
275
|
+
rootAgentId: input.rootAgentId,
|
|
276
|
+
secretAlias: input.secretAlias,
|
|
277
|
+
requestedAt,
|
|
278
|
+
});
|
|
279
|
+
}
|
|
280
|
+
async ownerRevokeSecretDestination(input) {
|
|
281
|
+
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
282
|
+
return this._vault.ownerRevokeSecretDestination({
|
|
283
|
+
vaultId: this._vault.vaultId,
|
|
284
|
+
requestId: createRequestIdValue("revoke_secret_destination"),
|
|
285
|
+
actor: { kind: "owner", id: this._rootAgentId },
|
|
286
|
+
secretAlias: input.secretAlias,
|
|
287
|
+
siteId: input.siteId,
|
|
288
|
+
requestedAt,
|
|
289
|
+
});
|
|
290
|
+
}
|
|
291
|
+
async ownerListGrants(input = {}) {
|
|
292
|
+
const requestedAt = this._clock.nowIso();
|
|
293
|
+
return this._vault.ownerListGrants({
|
|
294
|
+
vaultId: this._vault.vaultId,
|
|
295
|
+
requestId: createRequestIdValue("list_grants"),
|
|
296
|
+
actor: { kind: "owner", id: this._rootAgentId },
|
|
297
|
+
requestedAt,
|
|
298
|
+
});
|
|
346
299
|
}
|
|
347
300
|
async ownerRemoveSecret(input) {
|
|
348
301
|
await this._confirmSensitiveAction({
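Review bot: `ownerListGrants(input = {})` accepts an argument and never reads it: `requestedAt` always comes from the clock and nothing from `input` is forwarded, so whatever `VaultListGrantsInput` carries to narrow the listing is silently ignored and the caller gets every grant in the vault. The sibling methods use `const requestedAt = input.requestedAt ?? this._clock.nowIso();`; I would do the same here and either forward the fields the vault call accepts or drop the parameter. Separately, the four grant/revoke methods call the vault directly, while `ownerRemoveSecret` just below first goes through `_confirmSensitiveAction`. Granting an agent access to a secret looks at least as sensitive, so if the omission is intended it should be stated in a comment. `ownerRemoveSecret` continues outside the hunk.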
|
|
@@ -360,7 +313,7 @@ class DefaultVaultClient {
|
|
|
360
313
|
requestId,
|
|
361
314
|
owner: {
|
|
362
315
|
kind: "owner",
|
|
363
|
-
id: this.
|
|
316
|
+
id: this._rootAgentId,
|
|
364
317
|
},
|
|
365
318
|
alias: input.alias,
|
|
366
319
|
requestedAt,
|
|
@@ -375,7 +328,7 @@ class DefaultVaultClient {
|
|
|
375
328
|
requestedAt,
|
|
376
329
|
actor: {
|
|
377
330
|
kind: "owner",
|
|
378
|
-
id: this.
|
|
331
|
+
id: this._rootAgentId,
|
|
379
332
|
},
|
|
380
333
|
});
|
|
381
334
|
return agents.map((agent) => ({
|
|
@@ -383,20 +336,6 @@ class DefaultVaultClient {
|
|
|
383
336
|
privateKey: undefined,
|
|
384
337
|
}));
|
|
385
338
|
}
|
|
386
|
-
async ownerListCapabilities(input = {}) {
|
|
387
|
-
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
388
|
-
const requestId = createRequestIdValue("list_capabilities");
|
|
389
|
-
return this._vault.ownerListCapabilities({
|
|
390
|
-
vaultId: this._vault.vaultId,
|
|
391
|
-
requestId,
|
|
392
|
-
requestedAt,
|
|
393
|
-
actor: {
|
|
394
|
-
kind: "owner",
|
|
395
|
-
id: this._identityId,
|
|
396
|
-
},
|
|
397
|
-
agentId: input.agentId,
|
|
398
|
-
});
|
|
399
|
-
}
|
|
400
339
|
async ownerListRequests(input = {}) {
|
|
401
340
|
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
402
341
|
const requestId = createRequestIdValue("list_requests");
|
|
@@ -404,11 +343,8 @@ class DefaultVaultClient {
|
|
|
404
343
|
vaultId: this._vault.vaultId,
|
|
405
344
|
requestId,
|
|
406
345
|
requestedAt,
|
|
407
|
-
actor: {
|
|
408
|
-
|
|
409
|
-
id: this._identityId,
|
|
410
|
-
},
|
|
411
|
-
agentId: input.agentId,
|
|
346
|
+
actor: { kind: "owner", id: this._rootAgentId },
|
|
347
|
+
rootAgentId: input.rootAgentId,
|
|
412
348
|
});
|
|
413
349
|
}
|
|
414
350
|
async ownerGetRequest(input) {
|
|
@@ -420,20 +356,11 @@ class DefaultVaultClient {
|
|
|
420
356
|
requestedAt,
|
|
421
357
|
actor: {
|
|
422
358
|
kind: "owner",
|
|
423
|
-
id: this.
|
|
359
|
+
id: this._rootAgentId,
|
|
424
360
|
},
|
|
425
361
|
targetRequestId: input.requestId,
|
|
426
362
|
});
|
|
427
363
|
}
|
|
428
|
-
async ownerListCapabilityStates(input = {}) {
|
|
429
|
-
return this._vault.ownerListCapabilityStates({
|
|
430
|
-
vaultId: this._vault.vaultId,
|
|
431
|
-
owner: { kind: "owner", id: this._identityId },
|
|
432
|
-
agentId: input.agentId,
|
|
433
|
-
writeGranted: input.writeGranted,
|
|
434
|
-
readGranted: input.readGranted,
|
|
435
|
-
});
|
|
436
|
-
}
|
|
437
364
|
async ownerListSecrets(input = {}) {
|
|
438
365
|
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
439
366
|
const requestId = createRequestIdValue("list_secrets");
|
|
@@ -441,37 +368,22 @@ class DefaultVaultClient {
|
|
|
441
368
|
vaultId: this._vault.vaultId,
|
|
442
369
|
owner: {
|
|
443
370
|
kind: "owner",
|
|
444
|
-
id: this.
|
|
371
|
+
id: this._rootAgentId,
|
|
445
372
|
},
|
|
446
373
|
requestId,
|
|
447
374
|
});
|
|
448
375
|
}
|
|
449
|
-
async ownerRevokeCapability(input) {
|
|
450
|
-
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
451
|
-
const requestId = createRequestIdValue("revoke_capability");
|
|
452
|
-
return this._vault.ownerRevokeCapability({
|
|
453
|
-
vaultId: this._vault.vaultId,
|
|
454
|
-
requestId,
|
|
455
|
-
requestedAt,
|
|
456
|
-
owner: {
|
|
457
|
-
kind: "owner",
|
|
458
|
-
id: this._identityId,
|
|
459
|
-
},
|
|
460
|
-
agentId: input.agentId,
|
|
461
|
-
capabilityId: input.capabilityId,
|
|
462
|
-
});
|
|
463
|
-
}
|
|
464
376
|
async ownerIssueSessionToken(input) {
|
|
465
377
|
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
466
378
|
const requestId = createRequestIdValue("issue_session_token");
|
|
467
379
|
return this._vault.ownerIssueSessionToken({
|
|
468
380
|
vaultId: this._vault.vaultId,
|
|
381
|
+
requestId,
|
|
382
|
+
rootAgentId: input.rootAgentId,
|
|
469
383
|
actor: {
|
|
470
384
|
kind: "owner",
|
|
471
|
-
id: this.
|
|
385
|
+
id: this._rootAgentId,
|
|
472
386
|
},
|
|
473
|
-
agentId: input.agentId,
|
|
474
|
-
requestId,
|
|
475
387
|
requestedAt,
|
|
476
388
|
});
|
|
477
389
|
}
|
|
@@ -480,120 +392,53 @@ class DefaultVaultClient {
|
|
|
480
392
|
vaultId: this._vault.vaultId,
|
|
481
393
|
actor: {
|
|
482
394
|
kind: "owner",
|
|
483
|
-
id: this.
|
|
395
|
+
id: this._rootAgentId,
|
|
484
396
|
},
|
|
485
397
|
token: input.token,
|
|
486
398
|
});
|
|
487
399
|
}
|
|
488
|
-
async ownerSubmitCapabilityRequest(input) {
|
|
489
|
-
const requestedAt = input.requestedAt ?? this._clock.nowIso();
|
|
490
|
-
const requestId = createRequestIdValue("submit_capability_request");
|
|
491
|
-
return this._vault.ownerSubmitCapabilityRequest({
|
|
492
|
-
vaultId: this._vault.vaultId,
|
|
493
|
-
requestId,
|
|
494
|
-
requester: input.requester,
|
|
495
|
-
agentId: input.agentId,
|
|
496
|
-
capability: {
|
|
497
|
-
operation: input.operation ?? "dispatch_http",
|
|
498
|
-
write: {
|
|
499
|
-
secretIds: input.write.secretIds ? [...input.write.secretIds] : undefined,
|
|
500
|
-
scope: input.write.scope,
|
|
501
|
-
methods: [...input.write.methods],
|
|
502
|
-
},
|
|
503
|
-
read: { paths: [...input.read.paths] },
|
|
504
|
-
rateLimit: input.rateLimit,
|
|
505
|
-
skipAudit: input.skipAudit,
|
|
506
|
-
expiresAt: input.expiresAt,
|
|
507
|
-
},
|
|
508
|
-
reason: input.reason,
|
|
509
|
-
requestedAt,
|
|
510
|
-
});
|
|
511
|
-
}
|
|
512
400
|
async ownerIssueAllSessionTokens() {
|
|
513
401
|
return this._vault.ownerIssueAllAgentSessionTokens({
|
|
514
|
-
|
|
515
|
-
|
|
402
|
+
kind: "owner",
|
|
403
|
+
id: this._rootAgentId,
|
|
516
404
|
});
|
|
517
405
|
}
|
|
518
|
-
async
|
|
519
|
-
|
|
520
|
-
|
|
521
|
-
requestId: input.requestId,
|
|
522
|
-
owner: { kind: "owner", id: this._identityId },
|
|
523
|
-
read: input.read ? { paths: [...input.read.paths] } : undefined,
|
|
524
|
-
});
|
|
525
|
-
}
|
|
526
|
-
async ownerAllowOnce(input) {
|
|
527
|
-
return this._vault.ownerAllowOnce({
|
|
528
|
-
vaultId: this._vault.vaultId,
|
|
529
|
-
requestId: input.requestId,
|
|
530
|
-
owner: { kind: "owner", id: this._identityId },
|
|
531
|
-
});
|
|
532
|
-
}
|
|
533
|
-
async ownerAllowAlways(input) {
|
|
534
|
-
return this._vault.ownerAllowAlways({
|
|
406
|
+
async ownerApproveDispatch(input) {
|
|
407
|
+
const requestedAt = this._clock.nowIso();
|
|
408
|
+
return this._vault.ownerApproveDispatch({
|
|
535
409
|
vaultId: this._vault.vaultId,
|
|
536
410
|
requestId: input.requestId,
|
|
537
|
-
|
|
411
|
+
actor: { kind: "owner", id: this._rootAgentId },
|
|
412
|
+
decision: input.decision,
|
|
413
|
+
requestedAt,
|
|
538
414
|
});
|
|
539
415
|
}
|
|
540
|
-
async
|
|
541
|
-
|
|
416
|
+
async ownerDenyDispatch(requestId) {
|
|
417
|
+
const requestedAt = this._clock.nowIso();
|
|
418
|
+
await this._vault.ownerApproveDispatch({
|
|
542
419
|
vaultId: this._vault.vaultId,
|
|
543
420
|
requestId,
|
|
544
|
-
|
|
421
|
+
actor: { kind: "owner", id: this._rootAgentId },
|
|
422
|
+
decision: "deny",
|
|
423
|
+
requestedAt,
|
|
545
424
|
});
|
|
546
425
|
}
|
|
547
|
-
|
|
548
|
-
return this._vault.
|
|
426
|
+
ownerOnPendingDispatch(callback) {
|
|
427
|
+
return this._vault.ownerOnPendingDispatch(callback);
|
|
549
428
|
}
|
|
550
429
|
}
|
|
551
|
-
function
|
|
552
|
-
|
|
553
|
-
|
|
554
|
-
|
|
555
|
-
|
|
556
|
-
}
|
|
557
|
-
function resolveVaultSigner(identity, signer) {
|
|
558
|
-
if (signer) {
|
|
559
|
-
return signer;
|
|
560
|
-
}
|
|
561
|
-
if (identity && isCreatedIdentity(identity)) {
|
|
562
|
-
return new LocalSigner(identity);
|
|
563
|
-
}
|
|
564
|
-
return undefined;
|
|
565
|
-
}
|
|
566
|
-
function resolveVaultIdentity(options) {
|
|
567
|
-
if (!options.ownerIdentity) {
|
|
568
|
-
return undefined;
|
|
569
|
-
}
|
|
570
|
-
return {
|
|
571
|
-
identityId: options.ownerIdentity.identityId,
|
|
572
|
-
};
|
|
573
|
-
}
|
|
574
|
-
/**
|
|
575
|
-
* Creates a {@link VaultClient} instance for a specific vault owner.
|
|
576
|
-
*
|
|
577
|
-
* @param options - Configuration including optional owner identity and the vault service.
|
|
578
|
-
* @returns An initialized {@link VaultClient}.
|
|
579
|
-
*
|
|
580
|
-
* @example
|
|
581
|
-
* ```ts
|
|
582
|
-
* const client = createVaultClient({
|
|
583
|
-
* ownerIdentity,
|
|
584
|
-
* vault
|
|
585
|
-
* });
|
|
586
|
-
* ```
|
|
587
|
-
*/
|
|
588
|
-
export function createVaultClient(options) {
|
|
589
|
-
if (!isCreateVaultClientOptions(options)) {
|
|
590
|
-
throw new OwnerClientError(OwnerClientErrorCode.INVALID_CREATE_VAULT_CLIENT_OPTIONS, "createVaultClient() requires a single options object with 'vault'");
|
|
591
|
-
}
|
|
592
|
-
const client = new DefaultVaultClient(options.vault, resolveVaultIdentity(options), resolveVaultSigner(options.ownerIdentity, options.signer), options.clock ?? new SystemClock(), options.skipWarmup, options.passwordVerifier, options.sensitiveActionVerifier);
|
|
430
|
+
export async function createOwnerClient(options) {
|
|
431
|
+
const identity = options.ownerIdentity;
|
|
432
|
+
const rootAgentId = identity.rootAgentId;
|
|
433
|
+
const client = new DefaultOwnerClient(options.vault, rootAgentId, undefined, // signer no longer directly used in simple owner client
|
|
434
|
+
options.clock ?? new SystemClock(), options.skipWarmup ?? false, options.passwordVerifier, options.sensitiveActionVerifier);
|
|
593
435
|
if (!options.skipWarmup) {
|
|
594
|
-
|
|
595
|
-
|
|
596
|
-
}
|
|
436
|
+
try {
|
|
437
|
+
await client.ownerIssueAllSessionTokens();
|
|
438
|
+
}
|
|
439
|
+
catch (e) {
|
|
440
|
+
console.warn("OwnerClient warmup failed:", e);
|
|
441
|
+
}
|
|
597
442
|
}
|
|
598
443
|
return client;
|
|
599
444
|
}
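Review bot: `createOwnerClient` reads `options.ownerIdentity.rootAgentId` with no check, whereas the removed `createVaultClient` rejected malformed options with an `OwnerClientError` before constructing anything. A missing `ownerIdentity` now surfaces as a bare TypeError. An identity object without `rootAgentId` yields a client that sends `actor: { kind: "owner", id: undefined }` on the owner calls in this hunk, so rejecting it is left entirely to the vault. I would restore a guard at the top of the function, for example `if (!options?.vault || typeof options.ownerIdentity?.rootAgentId !== "string") throw new OwnerClientError(/* error code */, "createOwnerClient() requires 'vault' and 'ownerIdentity.rootAgentId'");`, using whichever error code this release still exports. Separately, the warmup `catch` passes the raw error to `console.warn` and still returns the client, so callers cannot tell that `ownerIssueAllSessionTokens()` failed; if that is deliberate best-effort, a comment such as `// warmup is best-effort; tokens are issued later on demand` should say so, provided that is actually the case.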
|