@the-ai-company/cbio-node-runtime 1.72.0 → 1.74.0

package/dist/vault-core/core.js

@@ -1,4 +1,4 @@
-import { AuditOperation, DispatchStatus, } from "./contracts.js";
+import { DispatchStatus, } from "./contracts.js";
 import { VaultCoreError } from "./errors.js";
 import { getAgentToolbox } from "./tool-metadata.js";
 import { InMemoryRequestRecordRegistry } from "./defaults.js";
@@ -17,19 +17,6 @@ function extractDomain(url) {
         return url;
     }
 }
-function toAuditEntry(deps, actor, operation, decision, execution_status, detail, extra = {}) {
-    return {
-        event_id: deps.ids.newAuditEntryId(),
-        ts: deps.clock.nowIso(),
-        vault_id: deps.vault_id.value,
-        actor,
-        operation,
-        decision,
-        execution_status,
-        detail,
-        ...extra,
-    };
-}
 export class VaultCore {
     _deps;
     constructor(deps) {
@@ -52,13 +39,8 @@ export class VaultCore {
             await this._deps.replayGuard.assertNotReplayed(command);
         }
         catch (error) {
-            const detail = error instanceof Error ? error.message : String(error);
-            await this._appendAudit(toAuditEntry(this._deps, command.agent, AuditOperation.POLICY_EVALUATE, "denied", "not_executed", `proof verification failed: ${detail}`, {
-                request_id: command.request_id,
-                root_agent_id: command.agent.id,
-                secret_alias: command.secret_alias,
-                ...extraAudit,
-            }));
+            const errorMsg = error instanceof Error ? error.message : String(error);
+            await this._appendAuditEntry(command.agent, actionName, { ...command, ...extraAudit }, undefined, errorMsg);
             throw error;
         }
     }
@@ -75,11 +57,7 @@ export class VaultCore {
             granted_at: now,
         };
         await this._deps.agent_secretGrants.upsert(grant);
-        await this._appendAudit(toAuditEntry(this._deps, actor, AuditOperation.GRANT_SECRET, "allowed", "succeeded", `granted secret "${secret_id.value}" to agent "${root_agent_id}"`, {
-            request_id: request?.request_id,
-            root_agent_id,
-            secret_id: secret_id.value,
-        }));
+        await this._appendAuditEntry(actor, "ownerGrantAgentSecret", { root_agent_id, secret_id, request_id: request?.request_id }, grant);
         return grant;
     }
     async ownerGrantSecretDestination(actor, secret_id, site_id, request) {
@@ -94,30 +72,18 @@ export class VaultCore {
             granted_at: now,
         };
         await this._deps.secret_destinationGrants.upsert(grant);
-        await this._appendAudit(toAuditEntry(this._deps, actor, AuditOperation.GRANT_DESTINATION, "allowed", "succeeded", `granted destination "${site_id}" for secret "${secret_id.value}"`, {
-            request_id: request?.request_id,
-            secret_id: secret_id.value,
-            site_id,
-        }));
+        await this._appendAuditEntry(actor, "ownerGrantSecretDestination", { secret_id, site_id, request_id: request?.request_id }, grant);
         return grant;
     }
     async ownerRevokeAgentSecret(actor, root_agent_id, secret_id, request) {
         this._assertOwnerPrincipal(actor);
         await this._deps.agent_secretGrants.delete(this._deps.vault_id, root_agent_id, secret_id);
-        await this._appendAudit(toAuditEntry(this._deps, actor, AuditOperation.REVOKE_SECRET, "allowed", "succeeded", `revoked secret "${secret_id.value}" from agent "${root_agent_id}"`, {
-            request_id: request?.request_id,
-            root_agent_id,
-            secret_id: secret_id.value,
-        }));
+        await this._appendAuditEntry(actor, "ownerRevokeAgentSecret", { root_agent_id, secret_id, request_id: request?.request_id }, undefined);
     }
     async ownerRevokeSecretDestination(actor, secret_id, site_id, request) {
         this._assertOwnerPrincipal(actor);
         await this._deps.secret_destinationGrants.delete(this._deps.vault_id, secret_id, site_id);
-        await this._appendAudit(toAuditEntry(this._deps, actor, AuditOperation.REVOKE_DESTINATION, "allowed", "succeeded", `revoked destination "${site_id}" from secret "${secret_id.value}"`, {
-            request_id: request?.request_id,
-            secret_id: secret_id.value,
-            site_id,
-        }));
+        await this._appendAuditEntry(actor, "ownerRevokeSecretDestination", { secret_id, site_id, request_id: request?.request_id }, undefined);
     }
     async ownerListGrants(actor, root_agent_id, secret_id) {
         this._assertOwnerPrincipal(actor);
@@ -129,13 +95,13 @@ export class VaultCore {
     }
     // ─── Dispatch Authorization ───────────────────────────────────────────────────
     async agentAuthorizeDispatch(request) {
-        const { agent, secret_alias, target_url } = request;
-        if (!secret_alias) {
-            return { vault_id: this._deps.vault_id, decision: "deny", reason: "secret_alias required", secret_id: null };
+        const { agent, secret_id, target_url } = request;
+        if (!secret_id) {
+            return { vault_id: this._deps.vault_id, decision: "deny", reason: "secret_id required", secret_id: null };
         }
-        const secret = await this._deps.secrets.getByAlias({ value: secret_alias });
+        const secret = await this._deps.secrets.getById(secret_id);
         if (!secret) {
-            return { vault_id: this._deps.vault_id, decision: "deny", reason: `secret not found: ${secret_alias}`, secret_id: null };
+            return { vault_id: this._deps.vault_id, decision: "deny", reason: `secret not found: ${secret_id}`, secret_id: null };
         }
         // 1. Check Agent-Secret Grant
         const agent_secretGrant = await this._deps.agent_secretGrants.get(this._deps.vault_id, agent.id, secret.secret_id);
@@ -165,6 +131,13 @@ export class VaultCore {
         const authorization = await this.agentAuthorizeDispatch(request);
         const secret_id = authorization.secret_id;
         await this._recordRequestInternal(request, DispatchStatus.IN_PROGRESS, secret_id);
+        await this._appendAuditEntry(request.agent, "agentDispatchSecret", { request_id: request.request_id, root_agent_id: request.agent.id, target: request.target_url, secret_id }, {
+            vault_id: this._deps.vault_id,
+            request_id: request.request_id,
+            status: DispatchStatus.IN_PROGRESS,
+            target_url: request.target_url,
+            method: request.method,
+        });
         if (authorization.decision === "deny") {
             const result = {
                 vault_id: this._deps.vault_id,
@@ -174,13 +147,7 @@ export class VaultCore {
                 method: request.method,
                 error: authorization.reason ?? "denied",
             };
-            await this._appendAudit(toAuditEntry(this._deps, request.agent, AuditOperation.POLICY_EVALUATE, "denied", "not_executed", authorization.reason ?? "denied", {
-                request_id: request.request_id,
-                root_agent_id: request.agent.id,
-                target: { kind: "http", url: request.target_url },
-                secret_alias: request.secret_alias,
-                secret_id: secret_id?.value,
-            }));
+            await this._appendAuditEntry(request.agent, "agentDispatchSecret", { request_id: request.request_id, root_agent_id: request.agent.id, target: request.target_url, secret_id }, result);
             await this._updateRequestRecordInternal(request, result, secret_id);
             return result;
         }
@@ -193,13 +160,7 @@ export class VaultCore {
                 method: request.method,
             };
             await this._updateRequestRecordInternal(request, result, secret_id, authorization.missing_grants);
-            await this._appendAudit(toAuditEntry(this._deps, request.agent, AuditOperation.DISPATCH_HOLD, "allowed", "not_executed", "request held for human approval", {
-                request_id: request.request_id,
-                root_agent_id: request.agent.id,
-                target: { kind: "http", url: request.target_url },
-                secret_alias: request.secret_alias,
-                secret_id: secret_id?.value,
-            }));
+            await this._appendAuditEntry(request.agent, "agentDispatchSecret", { request_id: request.request_id, root_agent_id: request.agent.id, target: request.target_url, secret_id }, result);
             return result;
         }
         // Proceed with dispatch
@@ -223,13 +184,7 @@ export class VaultCore {
             headers: request.headers,
             body: request.body,
         }, { record: secretRecord, plaintext });
-        await this._appendAudit(toAuditEntry(this._deps, request.agent, AuditOperation.SECRET_DISPATCH, "allowed", result.status === DispatchStatus.SUCCEEDED ? "succeeded" : "failed", result.status === DispatchStatus.SUCCEEDED ? "dispatch completed" : (result.error ?? "dispatch failed"), {
-            request_id: request.request_id,
-            root_agent_id: request.agent.id,
-            target: { kind: "http", url: request.target_url },
-            secret_alias: request.secret_alias,
-            secret_id: secret_id.value,
-        }));
+        await this._appendAuditEntry(request.agent, "agentDispatchSecret", { request_id: request.request_id, root_agent_id: request.agent.id, target: request.target_url, secret_id }, result);
         await this._updateRequestRecordInternal(request, result, secret_id);
         return {
             ...result,
@@ -253,19 +208,14 @@ export class VaultCore {
                 execution: { status: DispatchStatus.DENIED },
             };
             await this._deps.requests.save(updated);
-            await this._appendAudit(toAuditEntry(this._deps, actor, AuditOperation.DISPATCH_REJECT, "allowed", "succeeded", "dispatch rejected by owner", {
-                request_id,
-                root_agent_id: record.root_agent_id,
-                secret_alias: record.request.secret_alias,
-                secret_id: record.request.secret_id?.value,
-            }));
+            await this._appendAuditEntry(actor, "ownerApproveDispatch", { request_id, decision, root_agent_id: record.root_agent_id, secret_id: record.request.secret_id }, updated);
             return null;
         }
-        const secret_alias = record.request.secret_alias;
-        if (!secret_alias) {
-            throw new VaultCoreError("record missing secret_alias", "VAULT_INTERNAL_ERROR");
+        const secret_id = record.request.secret_id;
+        if (!secret_id) {
+            throw new VaultCoreError("record missing secret_id", "VAULT_INTERNAL_ERROR");
         }
-        const secret = await this._deps.secrets.getByAlias({ value: secret_alias });
+        const secret = await this._deps.secrets.getById(secret_id);
         if (!secret) {
             throw new VaultCoreError("secret not found during approval", "VAULT_SECRET_NOT_FOUND");
         }
@@ -291,18 +241,7 @@ export class VaultCore {
                     granted_at: now,
                 }),
             ]);
-            await this._appendAudit(toAuditEntry(this._deps, actor, AuditOperation.GRANT_SECRET, "allowed", "succeeded", "granted during dispatch approval", {
-                request_id,
-                root_agent_id: record.root_agent_id,
-                secret_alias: secret_alias,
-                secret_id: secret.secret_id.value,
-            }));
-            await this._appendAudit(toAuditEntry(this._deps, actor, AuditOperation.GRANT_DESTINATION, "allowed", "succeeded", "granted during dispatch approval", {
-                request_id,
-                secret_alias: secret_alias,
-                secret_id: secret.secret_id.value,
-                site_id,
-            }));
+            await this._appendAuditEntry(actor, "ownerApproveDispatch_grant", { request_id, root_agent_id: record.root_agent_id, secret_id: secret.secret_id, site_id }, { status: "granted", request_id });
         }
         // Execute
         const plaintext = await this._deps.custody.load(secret.secret_id);
@@ -329,19 +268,13 @@ export class VaultCore {
             execution: { status: result.status },
         };
         await this._deps.requests.save(finalRecord);
-        await this._appendAudit(toAuditEntry(this._deps, actor, AuditOperation.DISPATCH_APPROVE, "allowed", "succeeded", `dispatch approved (${decision})`, {
-            request_id,
-            root_agent_id: record.root_agent_id,
-            secret_alias: record.request.secret_alias,
-            secret_id: record.request.secret_id?.value,
-        }));
-        await this._appendAudit(toAuditEntry(this._deps, { kind: "agent", id: record.root_agent_id }, AuditOperation.SECRET_DISPATCH, "allowed", result.status === DispatchStatus.SUCCEEDED ? "succeeded" : "failed", result.status === DispatchStatus.SUCCEEDED ? "dispatch completed" : (result.error ?? "dispatch failed"), {
+        await this._appendAuditEntry(actor, "ownerApproveDispatch", { request_id, decision, root_agent_id: record.root_agent_id, secret_id: record.request.secret_id }, result);
+        await this._appendAuditEntry({ kind: "agent", id: record.root_agent_id }, "agentDispatchSecret", {
             request_id,
             root_agent_id: record.root_agent_id,
             target: { kind: "http", url: record.request.target_url },
-            secret_alias,
-            secret_id: secret.secret_id.value,
-        }));
+            secret_id: secret.secret_id,
+        }, result);
         return result;
     }
     // ─── Agent Control APIs ───────────────────────────────────────────────────────
@@ -355,11 +288,11 @@ export class VaultCore {
             this._deps.agent_secretGrants.list(this._deps.vault_id, command.agent.id),
             this._deps.secret_destinationGrants.list(this._deps.vault_id),
         ]);
-        const secret_ids = new Set(agent_secrets.map(g => g.secret_id.value));
-        const relevantDestinations = secret_destinations.filter(d => secret_ids.has(d.secret_id.value));
+        const secret_ids = new Set(agent_secrets.map(g => g.secret_id));
+        const relevantDestinations = secret_destinations.filter(d => secret_ids.has(d.secret_id));
         return {
             root_agent_id: command.agent.id,
-            vault_id: this._deps.vault_id.value,
+            vault_id: this._deps.vault_id,
             issued_at: this._deps.clock.nowIso(),
             agent: {
                 root_agent_id: agentRecord.root_agent_id,
@@ -378,7 +311,7 @@ export class VaultCore {
         await this._verifyAgentControlProof(command, "list_secrets");
         const records = await this._deps.secrets.list(this._deps.vault_id);
         const grants = await this._deps.agent_secretGrants.list(this._deps.vault_id, command.agent.id);
-        const approvedSecretIds = new Set(grants.filter(g => g.status === "approved").map(g => g.secret_id.value));
+        const approvedSecretIds = new Set(grants.filter(g => g.status === "approved").map(g => g.secret_id));
         return records.map(record => ({
             vault_id: record.vault_id,
             secret_id: record.secret_id,
@@ -389,13 +322,13 @@ export class VaultCore {
             source: record.source,
             created_at: record.created_at,
             updated_at: record.updated_at,
-            granted: approvedSecretIds.has(record.secret_id.value),
+            granted: approvedSecretIds.has(record.secret_id),
         }));
     }
     async agentListRequests(command) {
         await this._verifyAgentControlProof(command, "list_requests");
         const records = await this._deps.requests.list(this._deps.vault_id, command.agent.id);
-        return records.map(r => this.toAgentVisibleRequestRecord(r));
+        return records.map(r => this.toAgentRequestRecord(r));
     }
     async agentGetRequest(command) {
         await this._verifyAgentControlProof(command, "read_request");
@@ -403,27 +336,21 @@ export class VaultCore {
         if (!record || record.root_agent_id !== command.agent.id) {
             throw new VaultCoreError("request record not found", "VAULT_READ_DENIED");
         }
-        return {
-            request_id: record.request_id,
-            created_at: record.created_at,
-            requested_at: record.requested_at,
-            reason: record.reason,
-            request: {
-                target_url: record.request.target_url,
-                method: record.request.method,
-                headers: record.request.headers,
-                body: record.request.body,
-                secret_alias: record.request.secret_alias,
-            },
-            response: record.response,
-            execution_status: record.execution.status,
-        };
+        return this.toAgentRequestRecord(record);
+    }
+    async agentAuditTestPing(command) {
+        await this._verifyAgentControlProof(command, "agentAuditTestPing");
+        return this._appendAuditEntry(command.agent, "agentAuditTestPing", {
+            request_id: command.request_id,
+            root_agent_id: command.agent.id,
+            label: command.label ?? null,
+        }, { ok: true });
     }
     // ─── Owner Management APIs ────────────────────────────────────────────────────
     async ownerRegisterAgentIdentity(command) {
         this._assertOwnerPrincipal(command.owner);
         await this._deps.agentRecords.register(command.agentRecord);
-        await this._appendAudit(toAuditEntry(this._deps, command.owner, AuditOperation.IDENTITY_REGISTER, "allowed", "succeeded", `agent identity registered: "${command.agentRecord.root_agent_id}"`, { root_agent_id: command.agentRecord.root_agent_id }));
+        await this._appendAuditEntry(command.owner, "ownerRegisterAgentIdentity", { root_agent_id: command.agentRecord.root_agent_id }, undefined);
     }
     async ownerUpdateAgentIdentity(command) {
         this._assertOwnerPrincipal(command.owner);
@@ -432,13 +359,13 @@ export class VaultCore {
             throw new VaultCoreError("agent identity not found", "VAULT_IDENTITY_NOT_FOUND");
         const updated = { ...existing, nickname: command.nickname ?? existing.nickname, metadata: command.metadata ?? existing.metadata };
         await this._deps.agentRecords.register(updated);
-        await this._appendAudit(toAuditEntry(this._deps, command.owner, AuditOperation.IDENTITY_UPDATE, "allowed", "succeeded", `agent identity updated: "${command.root_agent_id}"`, { root_agent_id: command.root_agent_id }));
+        await this._appendAuditEntry(command.owner, "ownerUpdateAgentIdentity", { root_agent_id: command.root_agent_id }, updated);
         return updated;
     }
     async ownerCreateSecret(command) {
         this._assertOwnerPrincipal(command.owner);
         await this._deps.policy.authorizeWrite(command);
-        const existing = await this._deps.secrets.getByAlias({ value: command.alias });
+        const existing = await this._deps.secrets.getByAlias(command.alias);
         if (existing) {
             throw new VaultCoreError(`secret alias already exists: "${command.alias}"`, "VAULT_ALIAS_ALREADY_EXISTS");
         }
@@ -447,7 +374,7 @@ export class VaultCore {
         const record = {
             vault_id: command.vault_id,
             secret_id,
-            alias: { value: command.alias },
+            alias: command.alias,
             version: this._deps.ids.newVersion(),
             lifecycle_status: "ACTIVE",
             issuer_id: null,
@@ -457,19 +384,19 @@ export class VaultCore {
         };
         await this._deps.secrets.save(record);
         await this._deps.custody.store(secret_id, command.plaintext);
-        await this._appendAudit(toAuditEntry(this._deps, command.owner, AuditOperation.SECRET_WRITE, "allowed", "succeeded", `secret created: "${command.alias}"`, { secret_alias: command.alias, secret_id: secret_id.value }));
+        await this._appendAuditEntry(command.owner, "ownerCreateSecret", { secret_alias: command.alias, secret_id }, record);
         return record;
     }
     async ownerUpdateSecret(command) {
         this._assertOwnerPrincipal(command.owner);
         await this._deps.policy.authorizeWrite(command);
-        const existing = await this._deps.secrets.getByAlias({ value: command.alias });
+        const existing = await this._deps.secrets.getByAlias(command.alias);
         if (!existing)
             throw new VaultCoreError("secret not found", "VAULT_SECRET_NOT_FOUND");
         const finalAlias = command.new_alias && command.new_alias !== command.alias ? command.new_alias : command.alias;
         const isRename = finalAlias !== command.alias;
         if (isRename) {
-            const duplicate = await this._deps.secrets.getByAlias({ value: finalAlias });
+            const duplicate = await this._deps.secrets.getByAlias(finalAlias);
             if (duplicate) {
                 throw new VaultCoreError(`secret alias already exists: "${finalAlias}"`, "VAULT_ALIAS_ALREADY_EXISTS");
             }
@@ -478,27 +405,24 @@ export class VaultCore {
         const now = this._deps.clock.nowIso();
         const record = {
             ...existing,
-            alias: { value: finalAlias },
+            alias: finalAlias,
             version: this._deps.ids.newVersion(),
             updated_at: now,
         };
-        // No migration needed! Grants and pending requests are already tied to secret_id
-        // or resolved via alias lookup at runtime.
-        await this._deps.secrets.save(record);
         if (command.plaintext !== undefined) {
             await this._deps.custody.store(secret_id, command.plaintext);
         }
-        await this._appendAudit(toAuditEntry(this._deps, command.owner, AuditOperation.SECRET_WRITE, "allowed", "succeeded", `secret updated: "${finalAlias}"`, { secret_alias: finalAlias, secret_id: secret_id.value }));
+        await this._deps.secrets.save(record);
+        await this._appendAuditEntry(command.owner, "ownerUpdateSecret", { secret_alias: finalAlias, secret_id }, record);
         return record;
     }
     async ownerRemoveSecret(command) {
         this._assertOwnerPrincipal(command.owner);
-        const record = await this._deps.secrets.getByAlias({ value: command.alias });
+        const record = await this._deps.secrets.getByAlias(command.alias);
         if (!record)
             throw new VaultCoreError("secret not found", "VAULT_SECRET_NOT_FOUND");
         await this._deps.secrets.delete(record.secret_id);
-        await this._deps.custody.delete(record.secret_id);
-        await this._appendAudit(toAuditEntry(this._deps, command.owner, AuditOperation.SECRET_DELETE, "allowed", "succeeded", `secret deleted: "${command.alias}"`, { secret_alias: command.alias, secret_id: record.secret_id.value }));
+        await this._appendAuditEntry(command.owner, "ownerRemoveSecret", { secret_alias: command.alias, secret_id: record.secret_id }, undefined);
     }
     async ownerReadAudit(actor, query) {
         this._assertOwnerPrincipal(actor);
@@ -507,21 +431,16 @@ export class VaultCore {
     async ownerExportSecret(actor, alias) {
         this._assertOwnerPrincipal(actor);
         if (alias) {
-            const record = await this._deps.secrets.getByAlias({ value: alias });
+            const record = await this._deps.secrets.getByAlias(alias);
             if (!record)
                 throw new VaultCoreError("secret not found", "VAULT_SECRET_NOT_FOUND");
             const plaintext = await this._deps.custody.load(record.secret_id);
-            if (plaintext === null)
-                throw new VaultCoreError("secret material not found", "VAULT_SECRET_NOT_FOUND");
-            await this._appendAudit(toAuditEntry(this._deps, actor, AuditOperation.SECRET_EXPORT, "allowed", "succeeded", `secret exported as plaintext: "${alias}"`, {
-                secret_alias: alias,
-                secret_id: record.secret_id.value
-            }));
+            await this._appendAuditEntry(actor, "ownerExportSecret", { secret_alias: alias, secret_id: record.secret_id }, undefined);
             return [{
                     vault_id: this._deps.vault_id,
                     secret_id: record.secret_id,
                     alias: record.alias,
-                    plaintext,
+                    plaintext: plaintext ?? "MISSING",
                     exported_at: this._deps.clock.nowIso()
                 }];
         }
@@ -537,7 +456,7 @@ export class VaultCore {
                 exported_at: this._deps.clock.nowIso()
             };
         }));
-        await this._appendAudit(toAuditEntry(this._deps, actor, AuditOperation.SECRET_BATCH_EXPORT, "allowed", "succeeded", "full vault material exported", {}));
+        await this._appendAuditEntry(actor, "ownerExportSecret_batch", {}, undefined);
         return exports;
     }
     async ownerListAgents(actor) {
@@ -553,7 +472,7 @@ export class VaultCore {
     async ownerListRequests(actor, root_agent_id) {
         this._assertOwnerPrincipal(actor);
         const records = await this._deps.requests.list(this._deps.vault_id, root_agent_id);
-        return records.map(r => this.toOwnerVisibleRequestRecord(r));
+        return records.map(r => this.toOwnerRequestRecord(r));
     }
     async ownerGetRequest(actor, request_id) {
         this._assertOwnerPrincipal(actor);
@@ -581,7 +500,7 @@ export class VaultCore {
     async ownerIssueSessionToken(request) {
         this._assertOwnerPrincipal(request.actor);
         const token = await this._deps.sessionTokenRegistry.issue(request.root_agent_id);
-        await this._appendAudit(toAuditEntry(this._deps, request.actor, AuditOperation.IDENTITY_ISSUE_TOKEN, "allowed", "succeeded", `session token issued for agent: "${request.root_agent_id}"`, { root_agent_id: request.root_agent_id }));
+        await this._appendAuditEntry(request.actor, "ownerIssueSessionToken", { root_agent_id: request.root_agent_id }, { root_agent_id: request.root_agent_id, issued_at: this._deps.clock.nowIso() });
         return { token, root_agent_id: request.root_agent_id, issued_at: this._deps.clock.nowIso() };
     }
     async ownerIssueAllAgentSessionTokens(actor) {
@@ -592,15 +511,16 @@ export class VaultCore {
     async ownerRevokeSessionToken(request) {
         this._assertOwnerPrincipal(request.actor);
         await this._deps.sessionTokenRegistry.revoke(request.token);
-        await this._appendAudit(toAuditEntry(this._deps, request.actor, AuditOperation.IDENTITY_REVOKE_TOKEN, "allowed", "succeeded", "session token revoked"));
+        await this._appendAuditEntry(request.actor, "ownerRevokeSessionToken", { token: request.token }, undefined);
     }
     ownerOnPendingDispatch(subscription) {
         return this._deps.audit.subscribe(this._deps.vault_id, {
-            operations: [AuditOperation.DISPATCH_HOLD],
+            function_names: ["agentDispatchSecret"],
             onEvent: async (entry) => {
-                if (!entry.request_id)
+                const request_id = entry.input?.request_id;
+                if (!request_id)
                     return;
-                const record = await this._deps.requests.get(this._deps.vault_id, entry.request_id);
+                const record = await this._deps.requests.get(this._deps.vault_id, request_id);
                 if (!record || record.execution.status !== DispatchStatus.AWAITING_APPROVAL)
                     return;
                 const pendingEventId = record.pending_dispatch_event?.event_id ?? entry.event_id;
@@ -631,7 +551,6 @@ export class VaultCore {
                 method: request.method,
                 headers: request.headers,
                 body: request.body,
-                secret_alias: request.secret_alias,
                 secret_id,
             },
             execution: { status },
@@ -655,7 +574,6 @@ export class VaultCore {
                 method: request.method,
                 headers: request.headers,
                 body: request.body,
-                secret_alias: request.secret_alias,
                 secret_id: secret_id,
             },
             execution: { status: DispatchStatus.IN_PROGRESS },
@@ -683,83 +601,25 @@ export class VaultCore {
         };
         await this._deps.requests.save(record);
     }
-    toAgentVisibleRequestRecord(record) {
-        return {
-            request_id: record.request_id,
-            created_at: record.created_at,
-            reason: record.reason,
-            target_url: record.request.target_url,
-            execution_status: record.execution.status,
-            response_status: record.response?.status,
-            error: record.response?.error,
-            has_response_body: !!record.response?.body,
-            secret_id: record.request.secret_id ?? undefined,
-        };
-    }
-    toOwnerVisibleRequestRecord(record) {
-        return {
-            request_id: record.request_id,
-            created_at: record.created_at,
-            root_agent_id: record.root_agent_id,
-            reason: record.reason,
-            target_url: record.request.target_url,
-            execution_status: record.execution.status,
-            response_status: record.response?.status,
-            error: record.response?.error,
-            has_response_body: !!record.response?.body,
-            missing_grants: record.missing_grants,
-            secret_id: record.request.secret_id ?? undefined,
-        };
+    toAgentRequestRecord(record) {
+        return record;
     }
     toOwnerRequestRecord(record) {
-        return {
-            request_id: record.request_id,
-            created_at: record.created_at,
-            requested_at: record.requested_at,
-            root_agent_id: record.root_agent_id,
-            reason: record.reason,
-            request: {
-                target_url: record.request.target_url,
-                method: record.request.method,
-                headers: record.request.headers,
-                body: record.request.body,
-                secret_alias: record.request.secret_alias,
-                secret_id: record.request.secret_id ?? undefined,
-            },
-            response: record.response ? {
-                status: record.response.status,
-                headers: record.response.headers,
-                body: record.response.body,
-                error: record.response.error,
-            } : undefined,
-            execution_status: record.execution.status,
-            missing_grants: record.missing_grants,
-            secret_id: record.request.secret_id ?? undefined,
-        };
+        return record;
     }
-    toAgentRequestRecord(record) {
-        return {
-            request_id: record.request_id,
-            created_at: record.created_at,
-            requested_at: record.requested_at,
-            reason: record.reason,
-            request: {
-                target_url: record.request.target_url,
-                method: record.request.method,
-                headers: record.request.headers,
-                body: record.request.body,
-                secret_alias: record.request.secret_alias,
-                secret_id: record.request.secret_id ?? undefined,
-            },
-            response: record.response ? {
-                status: record.response.status,
-                headers: record.response.headers,
-                body: record.response.body,
-                error: record.response.error,
-            } : undefined,
-            execution_status: record.execution.status,
-            secret_id: record.request.secret_id ?? undefined,
+    async _appendAuditEntry(actor, functionName, input, output, error) {
+        const entry = {
+            event_id: this._deps.ids.newAuditEntryId(),
+            ts: this._deps.clock.nowIso(),
+            vault_id: this._deps.vault_id,
+            actor,
+            function_name: functionName,
+            input,
+            output,
+            error,
         };
+        await this._appendAudit(entry);
+        return entry;
     }
 }
 export function createVaultCore(deps) {