@the-ai-company/cbio-node-runtime 1.63.7 → 1.64.0

package/dist/clients/owner/client.js

@@ -1,26 +1,22 @@
 import { OwnerClientError, OwnerClientErrorCode } from "../../errors.js";
 import { createRequestIdValue, } from "../../internal/id-factory.js";
 import { createIdentity, restoreIdentity } from "../../runtime/identity.js";
-import { SystemClock } from "../../vault-core/index.js";
+import { SystemClock, VaultCoreError } from "../../vault-core/index.js";
 const VAULT_MASTER_ID = "vault-master";
 class DefaultOwnerClient {
     _vault;
-    _rootAgentIdInput;
-    _signer;
     _clock;
     _skipWarmup;
-    _passwordVerifier;
+    _password_verifier;
     _sensitiveActionVerifier;
-    _rootAgentId;
-    constructor(_vault, _rootAgentIdInput, _signer, _clock = new SystemClock(), _skipWarmup = false, _passwordVerifier, _sensitiveActionVerifier) {
+    _root_agent_id;
+    constructor(_vault, _clock = new SystemClock(), _skipWarmup = false, _password_verifier, _sensitiveActionVerifier) {
         this._vault = _vault;
-        this._rootAgentIdInput = _rootAgentIdInput;
-        this._signer = _signer;
         this._clock = _clock;
         this._skipWarmup = _skipWarmup;
-        this._passwordVerifier = _passwordVerifier;
+        this._password_verifier = _password_verifier;
         this._sensitiveActionVerifier = _sensitiveActionVerifier;
-        this._rootAgentId = _rootAgentIdInput ?? VAULT_MASTER_ID;
+        this._root_agent_id = VAULT_MASTER_ID;
     }
     async _confirmSensitiveAction(confirmation, context) {
         const normalizedPassword = confirmation.password.trim();
@@ -37,60 +33,81 @@ class DefaultOwnerClient {
             }
             return;
         }
-        if (!this._passwordVerifier) {
-            throw new OwnerClientError(OwnerClientErrorCode.SENSITIVE_ACTION_VERIFIER_REQUIRED, "OwnerClient: sensitiveActionVerifier or passwordVerifier is required for sensitive reads");
+        if (!this._password_verifier) {
+            throw new OwnerClientError(OwnerClientErrorCode.SENSITIVE_ACTION_VERIFIER_REQUIRED, "OwnerClient: sensitiveActionVerifier or password_verifier is required for sensitive reads");
         }
-        const valid = await this._passwordVerifier(normalizedPassword);
+        const valid = await this._password_verifier(normalizedPassword);
         if (!valid) {
             throw new OwnerClientError(OwnerClientErrorCode.SENSITIVE_ACTION_INVALID_PASSWORD, "invalid vault password");
         }
     }
     async ownerCreateSecret(input) {
-        const requestedAt = input.requestedAt ?? this._clock.nowIso();
-        const requestId = createRequestIdValue("create_secret");
-        return this._vault.ownerCreateSecret({
-            kind: "owner.create_secret",
-            vaultId: this._vault.vaultId,
-            requestId,
-            owner: {
-                kind: "owner",
-                id: this._rootAgentId,
-            },
-            alias: input.alias,
-            plaintext: input.plaintext,
-            source: { kind: "manual" },
-            requestedAt,
-        });
+        const isBatch = Array.isArray(input);
+        const items = isBatch ? input : [input];
+        const requested_at = this._clock.nowIso();
+        // Phase 1: 并行校验（所有别名不得已存在）
+        // 通过 ownerListSecrets 获取当前所有别名，批量对比，避免逐个网络往返
+        const existing = await this._vault.ownerListSecrets({ vault_id: this._vault.vault_id, owner: { kind: "owner", id: this._root_agent_id } });
+        const existingAliases = new Set(existing.map(s => s.alias.value));
+        const duplicates = items.filter(item => existingAliases.has(item.alias));
+        if (duplicates.length > 0) {
+            const names = duplicates.map(d => `"${d.alias}"`).join(", ");
+            throw new VaultCoreError(`secret alias already exists: ${names}`, "VAULT_ALIAS_ALREADY_EXISTS");
+        }
+        // Phase 2: 并行写入（校验全过才到这里）
+        const results = await Promise.all(items.map(item => {
+            return this._vault.ownerCreateSecret({
+                kind: "owner.create_secret",
+                vault_id: this._vault.vault_id,
+                request_id: createRequestIdValue("create_secret"),
+                owner: { kind: "owner", id: this._root_agent_id },
+                alias: item.alias,
+                plaintext: item.plaintext,
+                source: { kind: "manual" },
+                requested_at: item.requested_at ?? requested_at,
+            });
+        }));
+        return isBatch ? results : results[0];
     }
     async ownerUpdateSecret(input) {
-        const requestedAt = input.requestedAt ?? this._clock.nowIso();
-        const requestId = createRequestIdValue("update_secret");
-        return this._vault.ownerUpdateSecret({
-            kind: "owner.update_secret",
-            vaultId: this._vault.vaultId,
-            requestId,
-            owner: {
-                kind: "owner",
-                id: this._rootAgentId,
-            },
-            alias: input.alias,
-            plaintext: input.plaintext,
-            source: { kind: "manual" },
-            requestedAt,
-        });
+        const isBatch = Array.isArray(input);
+        const items = isBatch ? input : [input];
+        const requested_at = this._clock.nowIso();
+        // Phase 1: 并行校验（所有别名必须已存在）
+        const existing = await this._vault.ownerListSecrets({ vault_id: this._vault.vault_id, owner: { kind: "owner", id: this._root_agent_id } });
+        const existingAliases = new Set(existing.map(s => s.alias.value));
+        const missing = items.filter(item => !existingAliases.has(item.alias));
+        if (missing.length > 0) {
+            const names = missing.map(d => `"${d.alias}"`).join(", ");
+            throw new VaultCoreError(`secret not found: ${names}`, "VAULT_SECRET_NOT_FOUND");
+        }
+        // Phase 2: 并行写入
+        const results = await Promise.all(items.map(item => {
+            return this._vault.ownerUpdateSecret({
+                kind: "owner.update_secret",
+                vault_id: this._vault.vault_id,
+                request_id: createRequestIdValue("update_secret"),
+                owner: { kind: "owner", id: this._root_agent_id },
+                alias: item.alias,
+                plaintext: item.plaintext,
+                source: { kind: "manual" },
+                requested_at: item.requested_at ?? requested_at,
+            });
+        }));
+        return isBatch ? results : results[0];
     }
     async ownerReadAudit(query = {}) {
-        const requestedAt = this._clock.nowIso();
-        const requestId = createRequestIdValue("read_audit");
+        const requested_at = this._clock.nowIso();
+        const request_id = createRequestIdValue("read_audit");
         return this._vault.ownerReadAudit({
-            vaultId: this._vault.vaultId,
+            vault_id: this._vault.vault_id,
             actor: {
                 kind: "owner",
-                id: this._rootAgentId,
+                id: this._root_agent_id,
             },
-            query: { ...query, vaultId: this._vault.vaultId },
-            requestId,
-            requestedAt,
+            query: { ...query, vault_id: this._vault.vault_id.value },
+            request_id,
+            requested_at,
         });
     }
     async ownerExportSecret(input) {
@@ -101,17 +118,17 @@ class DefaultOwnerClient {
             action: "export_secret",
             subject: input.alias,
         });
-        const requestedAt = input.requestedAt ?? this._clock.nowIso();
-        const requestId = createRequestIdValue("export_secret");
+        const requested_at = input.requested_at ?? this._clock.nowIso();
+        const request_id = createRequestIdValue("export_secret");
         return this._vault.ownerExportSecret({
-            vaultId: this._vault.vaultId,
+            vault_id: this._vault.vault_id,
             actor: {
                 kind: "owner",
-                id: this._rootAgentId,
+                id: this._root_agent_id,
             },
             alias: input.alias,
-            requestId,
-            requestedAt,
+            request_id,
+            requested_at,
         });
     }
     async ownerReadSecretPlaintext(input) {
@@ -123,14 +140,14 @@ class DefaultOwnerClient {
             subject: input.alias,
         });
         const exported = await this._vault.ownerExportSecret({
-            vaultId: this._vault.vaultId,
+            vault_id: this._vault.vault_id,
             actor: {
                 kind: "owner",
-                id: this._rootAgentId,
+                id: this._root_agent_id,
             },
             alias: input.alias,
-            requestId: createRequestIdValue("read_secret_plaintext"),
-            requestedAt: input.requestedAt ?? this._clock.nowIso(),
+            request_id: createRequestIdValue("read_secret_plaintext"),
+            requested_at: input.requested_at ?? this._clock.nowIso(),
         });
         return exported.plaintext;
     }
@@ -140,161 +157,161 @@ class DefaultOwnerClient {
             verificationCode: input.verificationCode,
         }, {
             action: "read_agent_private_key",
-            subject: input.rootAgentId,
+            subject: input.root_agent_id,
         });
         const agents = await this._vault.ownerListAgents({
-            vaultId: this._vault.vaultId,
-            requestId: createRequestIdValue("read_agent_private_key"),
-            requestedAt: input.requestedAt ?? this._clock.nowIso(),
+            vault_id: this._vault.vault_id,
+            request_id: createRequestIdValue("read_agent_private_key"),
+            requested_at: input.requested_at ?? this._clock.nowIso(),
             actor: {
                 kind: "owner",
-                id: this._rootAgentId,
+                id: this._root_agent_id,
             },
         });
-        const agent = agents.find((record) => record.rootAgentId === input.rootAgentId);
-        if (!agent?.privateKey) {
+        const agent = agents.find((record) => record.root_agent_id === input.root_agent_id);
+        if (!agent?.private_key) {
             throw new OwnerClientError(OwnerClientErrorCode.AGENT_PRIVATE_KEY_NOT_FOUND, "agent private key not found");
         }
-        return agent.privateKey;
+        return agent.private_key;
     }
     async _ownerRegisterManagedAgentIdentity(input) {
-        const requestedAt = input.requestedAt ?? this._clock.nowIso();
-        const requestId = createRequestIdValue("register_agent.identity");
+        const requested_at = input.requested_at ?? this._clock.nowIso();
+        const request_id = createRequestIdValue("register_agent.identity");
         const agentRecord = {
-            vaultId: this._vault.vaultId,
-            rootAgentId: input.rootAgentId,
-            publicKey: input.publicKey,
-            privateKey: input.privateKey,
+            vault_id: this._vault.vault_id,
+            root_agent_id: input.root_agent_id,
+            public_key: input.public_key,
+            private_key: input.private_key,
             metadata: input.metadata,
             nickname: input.nickname,
         };
         await this._vault.ownerRegisterAgentIdentity({
-            vaultId: this._vault.vaultId,
-            requestId,
+            vault_id: this._vault.vault_id,
+            request_id,
             owner: {
                 kind: "owner",
-                id: this._rootAgentId,
+                id: this._root_agent_id,
             },
             agentRecord,
-            requestedAt,
+            requested_at,
         });
         return agentRecord;
     }
     async ownerImportAgent(input) {
-        const identity = restoreIdentity(input.privateKey, { nickname: input.nickname });
+        const identity = restoreIdentity(input.private_key, { nickname: input.nickname });
         const agent = await this._ownerRegisterManagedAgentIdentity({
-            rootAgentId: identity.rootAgentId,
-            publicKey: identity.publicKey,
-            privateKey: identity.privateKey,
+            root_agent_id: identity.root_agent_id,
+            public_key: identity.public_key,
+            private_key: identity.private_key,
             metadata: input.metadata,
             nickname: input.nickname,
-            requestedAt: input.requestedAt,
+            requested_at: input.requested_at,
         });
-        const sessionToken = await this.ownerIssueSessionToken({
-            rootAgentId: agent.rootAgentId,
-            requestedAt: input.requestedAt,
+        const session_token = await this.ownerIssueSessionToken({
+            root_agent_id: agent.root_agent_id,
+            requested_at: input.requested_at,
         });
         return {
             agent: {
                 ...agent,
-                privateKey: undefined,
+                private_key: undefined,
             },
-            sessionToken,
+            session_token,
         };
     }
     async ownerCreateAgent(input) {
         const identity = createIdentity();
         const agent = await this._ownerRegisterManagedAgentIdentity({
-            rootAgentId: identity.rootAgentId,
-            publicKey: identity.publicKey,
-            privateKey: identity.privateKey,
+            root_agent_id: identity.root_agent_id,
+            public_key: identity.public_key,
+            private_key: identity.private_key,
             metadata: input.metadata,
             nickname: input.nickname,
-            requestedAt: input.requestedAt,
+            requested_at: input.requested_at,
         });
-        const sessionToken = await this.ownerIssueSessionToken({
-            rootAgentId: agent.rootAgentId,
-            requestedAt: input.requestedAt,
+        const session_token = await this.ownerIssueSessionToken({
+            root_agent_id: agent.root_agent_id,
+            requested_at: input.requested_at,
         });
         return {
             agent: {
                 ...agent,
-                privateKey: undefined,
+                private_key: undefined,
             },
-            sessionToken,
+            session_token,
         };
     }
     async ownerUpdateAgent(input) {
-        const requestedAt = input.requestedAt ?? this._clock.nowIso();
-        const requestId = createRequestIdValue("update_agent.identity");
+        const requested_at = input.requested_at ?? this._clock.nowIso();
+        const request_id = createRequestIdValue("update_agent.identity");
         const updated = await this._vault.ownerUpdateAgentIdentity({
-            vaultId: this._vault.vaultId,
-            requestId,
+            vault_id: this._vault.vault_id,
+            request_id,
             owner: {
                 kind: "owner",
-                id: this._rootAgentId,
+                id: this._root_agent_id,
             },
             metadata: input.metadata,
-            rootAgentId: input.rootAgentId,
+            root_agent_id: input.root_agent_id,
             nickname: input.nickname,
-            requestedAt,
+            requested_at,
         });
         return {
             ...updated,
-            privateKey: undefined,
+            private_key: undefined,
         };
     }
     async ownerGrantAgentSecret(input) {
-        const requestedAt = input.requestedAt ?? this._clock.nowIso();
+        const requested_at = input.requested_at ?? this._clock.nowIso();
         return this._vault.ownerGrantAgentSecret({
-            vaultId: this._vault.vaultId,
-            requestId: createRequestIdValue("grant_agent_secret"),
-            actor: { kind: "owner", id: this._rootAgentId },
-            rootAgentId: input.rootAgentId,
-            secretAlias: input.secretAlias,
-            requestedAt,
+            vault_id: this._vault.vault_id,
+            request_id: createRequestIdValue("grant_agent_secret"),
+            actor: { kind: "owner", id: this._root_agent_id },
+            root_agent_id: input.root_agent_id,
+            secret_alias: input.secret_alias,
+            requested_at,
         });
     }
     async ownerGrantSecretDestination(input) {
-        const requestedAt = input.requestedAt ?? this._clock.nowIso();
+        const requested_at = input.requested_at ?? this._clock.nowIso();
         return this._vault.ownerGrantSecretDestination({
-            vaultId: this._vault.vaultId,
-            requestId: createRequestIdValue("grant_secret_destination"),
-            actor: { kind: "owner", id: this._rootAgentId },
-            secretAlias: input.secretAlias,
-            siteId: input.siteId,
-            requestedAt,
+            vault_id: this._vault.vault_id,
+            request_id: createRequestIdValue("grant_secret_destination"),
+            actor: { kind: "owner", id: this._root_agent_id },
+            secret_alias: input.secret_alias,
+            site_id: input.site_id,
+            requested_at,
         });
     }
     async ownerRevokeAgentSecret(input) {
-        const requestedAt = input.requestedAt ?? this._clock.nowIso();
+        const requested_at = input.requested_at ?? this._clock.nowIso();
         return this._vault.ownerRevokeAgentSecret({
-            vaultId: this._vault.vaultId,
-            requestId: createRequestIdValue("revoke_agent_secret"),
-            actor: { kind: "owner", id: this._rootAgentId },
-            rootAgentId: input.rootAgentId,
-            secretAlias: input.secretAlias,
-            requestedAt,
+            vault_id: this._vault.vault_id,
+            request_id: createRequestIdValue("revoke_agent_secret"),
+            actor: { kind: "owner", id: this._root_agent_id },
+            root_agent_id: input.root_agent_id,
+            secret_alias: input.secret_alias,
+            requested_at,
         });
     }
     async ownerRevokeSecretDestination(input) {
-        const requestedAt = input.requestedAt ?? this._clock.nowIso();
+        const requested_at = input.requested_at ?? this._clock.nowIso();
         return this._vault.ownerRevokeSecretDestination({
-            vaultId: this._vault.vaultId,
-            requestId: createRequestIdValue("revoke_secret_destination"),
-            actor: { kind: "owner", id: this._rootAgentId },
-            secretAlias: input.secretAlias,
-            siteId: input.siteId,
-            requestedAt,
+            vault_id: this._vault.vault_id,
+            request_id: createRequestIdValue("revoke_secret_destination"),
+            actor: { kind: "owner", id: this._root_agent_id },
+            secret_alias: input.secret_alias,
+            site_id: input.site_id,
+            requested_at,
         });
     }
     async ownerListGrants(input = {}) {
-        const requestedAt = this._clock.nowIso();
+        const requested_at = this._clock.nowIso();
         return this._vault.ownerListGrants({
-            vaultId: this._vault.vaultId,
-            requestId: createRequestIdValue("list_grants"),
-            actor: { kind: "owner", id: this._rootAgentId },
-            requestedAt,
+            vault_id: this._vault.vault_id,
+            request_id: createRequestIdValue("list_grants"),
+            actor: { kind: "owner", id: this._root_agent_id },
+            requested_at,
         });
     }
     async ownerRemoveSecret(input) {
@@ -305,94 +322,94 @@ class DefaultOwnerClient {
             action: "delete_secret",
             subject: input.alias,
         });
-        const requestedAt = input.requestedAt ?? this._clock.nowIso();
-        const requestId = createRequestIdValue("remove_secret");
+        const requested_at = input.requested_at ?? this._clock.nowIso();
+        const request_id = createRequestIdValue("remove_secret");
         await this._vault.ownerRemoveSecret({
             kind: "owner.remove_secret",
-            vaultId: this._vault.vaultId,
-            requestId,
+            vault_id: this._vault.vault_id,
+            request_id,
             owner: {
                 kind: "owner",
-                id: this._rootAgentId,
+                id: this._root_agent_id,
             },
             alias: input.alias,
-            requestedAt,
+            requested_at,
         });
     }
     async ownerListAgents(input = {}) {
-        const requestedAt = input.requestedAt ?? this._clock.nowIso();
-        const requestId = createRequestIdValue("list_agents");
+        const requested_at = input.requested_at ?? this._clock.nowIso();
+        const request_id = createRequestIdValue("list_agents");
         const agents = await this._vault.ownerListAgents({
-            vaultId: this._vault.vaultId,
-            requestId,
-            requestedAt,
+            vault_id: this._vault.vault_id,
+            request_id,
+            requested_at,
             actor: {
                 kind: "owner",
-                id: this._rootAgentId,
+                id: this._root_agent_id,
             },
         });
         return agents.map((agent) => ({
             ...agent,
-            privateKey: undefined,
+            private_key: undefined,
         }));
     }
     async ownerListRequests(input = {}) {
-        const requestedAt = input.requestedAt ?? this._clock.nowIso();
-        const requestId = createRequestIdValue("list_requests");
+        const requested_at = input.requested_at ?? this._clock.nowIso();
+        const request_id = createRequestIdValue("list_requests");
         return this._vault.ownerListRequests({
-            vaultId: this._vault.vaultId,
-            requestId,
-            requestedAt,
-            actor: { kind: "owner", id: this._rootAgentId },
-            rootAgentId: input.rootAgentId,
+            vault_id: this._vault.vault_id,
+            request_id,
+            requested_at,
+            actor: { kind: "owner", id: this._root_agent_id },
+            root_agent_id: input.root_agent_id,
         });
     }
     async ownerGetRequest(input) {
-        const requestedAt = input.requestedAt ?? this._clock.nowIso();
-        const requestId = createRequestIdValue("get_request");
+        const requested_at = input.requested_at ?? this._clock.nowIso();
+        const request_id = createRequestIdValue("get_request");
         return this._vault.ownerGetRequest({
-            vaultId: this._vault.vaultId,
-            requestId,
-            requestedAt,
+            vault_id: this._vault.vault_id,
+            request_id,
+            requested_at,
             actor: {
                 kind: "owner",
-                id: this._rootAgentId,
+                id: this._root_agent_id,
             },
-            targetRequestId: input.requestId,
+            target_request_id: input.request_id,
         });
     }
     async ownerListSecrets(input = {}) {
-        const requestedAt = input.requestedAt ?? this._clock.nowIso();
-        const requestId = createRequestIdValue("list_secrets");
+        const requested_at = input.requested_at ?? this._clock.nowIso();
+        const request_id = createRequestIdValue("list_secrets");
         return this._vault.ownerListSecrets({
-            vaultId: this._vault.vaultId,
+            vault_id: this._vault.vault_id,
             owner: {
                 kind: "owner",
-                id: this._rootAgentId,
+                id: this._root_agent_id,
             },
-            requestId,
+            request_id,
         });
     }
     async ownerIssueSessionToken(input) {
-        const requestedAt = input.requestedAt ?? this._clock.nowIso();
-        const requestId = createRequestIdValue("issue_session_token");
+        const requested_at = input.requested_at ?? this._clock.nowIso();
+        const request_id = createRequestIdValue("issue_session_token");
         return this._vault.ownerIssueSessionToken({
-            vaultId: this._vault.vaultId,
-            requestId,
-            rootAgentId: input.rootAgentId,
+            vault_id: this._vault.vault_id,
+            request_id,
+            root_agent_id: input.root_agent_id,
             actor: {
                 kind: "owner",
-                id: this._rootAgentId,
+                id: this._root_agent_id,
             },
-            requestedAt,
+            requested_at,
         });
     }
     async ownerRevokeSessionToken(input) {
         return this._vault.ownerRevokeSessionToken({
-            vaultId: this._vault.vaultId,
+            vault_id: this._vault.vault_id,
             actor: {
                 kind: "owner",
-                id: this._rootAgentId,
+                id: this._root_agent_id,
             },
             token: input.token,
         });
@@ -400,27 +417,27 @@ class DefaultOwnerClient {
     async ownerIssueAllSessionTokens() {
         return this._vault.ownerIssueAllAgentSessionTokens({
             kind: "owner",
-            id: this._rootAgentId,
+            id: this._root_agent_id,
         });
     }
     async ownerApproveDispatch(input) {
-        const requestedAt = this._clock.nowIso();
+        const requested_at = this._clock.nowIso();
         return this._vault.ownerApproveDispatch({
-            vaultId: this._vault.vaultId,
-            requestId: input.requestId,
-            actor: { kind: "owner", id: this._rootAgentId },
+            vault_id: this._vault.vault_id,
+            request_id: input.request_id,
+            actor: { kind: "owner", id: this._root_agent_id },
             decision: input.decision,
-            requestedAt,
+            requested_at,
         });
     }
-    async ownerDenyDispatch(requestId) {
-        const requestedAt = this._clock.nowIso();
+    async ownerDenyDispatch(request_id) {
+        const requested_at = this._clock.nowIso();
         await this._vault.ownerApproveDispatch({
-            vaultId: this._vault.vaultId,
-            requestId,
-            actor: { kind: "owner", id: this._rootAgentId },
+            vault_id: this._vault.vault_id,
+            request_id,
+            actor: { kind: "owner", id: this._root_agent_id },
             decision: "deny",
-            requestedAt,
+            requested_at,
         });
     }
     ownerOnPendingDispatch(callback) {
@@ -428,10 +445,7 @@ class DefaultOwnerClient {
     }
 }
 export async function createOwnerClient(options) {
-    const identity = options.ownerIdentity;
-    const rootAgentId = identity.rootAgentId;
-    const client = new DefaultOwnerClient(options.vault, rootAgentId, undefined, // signer no longer directly used in simple owner client
-    options.clock ?? new SystemClock(), options.skipWarmup ?? false, options.passwordVerifier, options.sensitiveActionVerifier);
+    const client = new DefaultOwnerClient(options.vault, options.clock ?? new SystemClock(), options.skipWarmup ?? false, options.password_verifier, options.sensitiveActionVerifier);
     if (!options.skipWarmup) {
         try {
             await client.ownerIssueAllSessionTokens();