@undefineds.co/linx 0.2.15 → 0.2.17

package/dist/lib/watch/pod-approval.js

@@ -1,18 +1,17 @@
 import { setTimeout as delay } from 'node:timers/promises';
-import { getDefaultPodDataSession } from '../pod-data-session.js';
-import { AS, ODRL, UDFS } from '@undefineds.co/models/namespaces';
-import { ApprovalVocab, AuditVocab, GrantVocab, InboxNotificationVocab } from '@undefineds.co/models/vocab/sidecar';
-import { buildApprovalDocumentUrl, RDF_TYPE, buildApprovalResourceUrl, buildAuditDocumentUrl, buildAuditResourceUrl, buildGrantResourceUrl, buildInboxResourceUrl, firstIri, firstLiteral, iri, listTurtleResources, listTurtleResourcesRecursive, literal, parseManagedTurtleBlocks, readTurtleResource, subjectIdFromResourceUrl, upsertManagedTurtleBlock, } from '../pi-adapter/pod-native.js';
 const WATCH_CHAT_ID = 'linx-watch';
 const WATCH_AGENT_ID = 'linx-watch-assistant';
 const REMOTE_APPROVAL_POLICY_VERSION = 'linx-watch-remote-approval/v1';
 const DEFAULT_REMOTE_APPROVAL_POLL_MS = 1000;
-const remoteApprovalClientCache = new WeakMap();
 function createAbortError() {
     const error = new Error('The operation was aborted.');
     error.name = 'AbortError';
     return error;
 }
+async function dynamicImport(specifier) {
+    const loader = new Function('modulePath', 'return import(modulePath)');
+    return loader(specifier);
+}
 function normalizeString(value) {
     return typeof value === 'string' && value.trim() ? value.trim() : undefined;
 }
@@ -42,19 +41,10 @@ function buildThreadUri(webId, threadId) {
     return `${getPodBaseUrl(webId)}/.data/chat/${WATCH_CHAT_ID}/index.ttl#${threadId}`;
 }
 function buildApprovalUri(webIdOrUri, approvalId) {
-    return buildApprovalResourceUrl(webIdOrUri, approvalId);
-}
-function buildApprovalUriForDate(webIdOrUri, approvalId, createdAt) {
-    return buildApprovalResourceUrl(webIdOrUri, approvalId, createdAt);
-}
-function documentUrlFromResourceUri(resourceUri) {
-    return resourceUri.split('#', 1)[0] ?? resourceUri;
+    return `${getPodBaseUrl(webIdOrUri)}/.data/approvals/${approvalId}.ttl`;
 }
 function buildGrantUri(webIdOrUri, grantId) {
-    return buildGrantResourceUrl(webIdOrUri, grantId);
-}
-function buildGrantDocumentUrl(webIdOrUri) {
-    return `${getPodBaseUrl(webIdOrUri)}/settings/autonomy/grants.ttl`;
+    return `${getPodBaseUrl(webIdOrUri)}/settings/autonomy/grants/${grantId}.ttl`;
 }
 function buildAgentUri(webId) {
     return `${getPodBaseUrl(webId)}/.data/agents/${WATCH_AGENT_ID}.ttl`;
@@ -113,6 +103,16 @@ function buildRequestMessage(request) {
     }
     return request.message;
 }
+function buildRequestAuditContext(record, request) {
+    return {
+        kind: request.kind,
+        message: buildRequestMessage(request),
+        ...(request.kind === 'command-approval' && request.command ? { command: request.command } : {}),
+        ...(request.kind === 'command-approval' && request.cwd ? { cwd: request.cwd } : {}),
+        backend: record.backend,
+        sessionId: record.id,
+    };
+}
 function extractToolCallId(request) {
     if (!isRecord(request.raw)) {
         return crypto.randomUUID();
@@ -124,7 +124,7 @@ function extractToolCallId(request) {
         ?? crypto.randomUUID();
 }
 function encodeDecisionReason(decision, note) {
-    return safeJsonStringify({
+    return JSON.stringify({
         decision,
         ...(note?.trim() ? { note: note.trim() } : {}),
     });
@@ -151,25 +151,33 @@ function parseDecisionReason(value) {
         return null;
     }
 }
-async function warnOnly(runtime, task) {
-    try {
-        await task();
-    }
-    catch (error) {
-        if (runtime.onWarning) {
-            runtime.onWarning(error);
-            return;
-        }
-        const message = error instanceof Error ? error.message : String(error);
-        process.emitWarning(`LinX Pod sync failed: ${message}`);
+function parseRequestAuditContext(value) {
+    if (typeof value !== 'string' || !value.trim()) {
+        return null;
     }
-}
-function safeJsonStringify(value) {
     try {
-        return JSON.stringify(value);
+        const parsed = JSON.parse(value);
+        if (!isRecord(parsed)) {
+            return null;
+        }
+        const kind = normalizeString(parsed.kind);
+        const message = normalizeString(parsed.message);
+        const backend = normalizeString(parsed.backend);
+        const sessionId = normalizeString(parsed.sessionId);
+        if (!kind || !message || !backend || !sessionId) {
+            return null;
+        }
+        return {
+            kind: kind,
+            message,
+            backend: backend,
+            sessionId,
+            ...(normalizeString(parsed.command) ? { command: normalizeString(parsed.command) } : {}),
+            ...(normalizeString(parsed.cwd) ? { cwd: normalizeString(parsed.cwd) } : {}),
+        };
     }
     catch {
-        return JSON.stringify({ error: 'unserializable_context' });
+        return null;
     }
 }
 function extractSessionId(sessionUri) {
@@ -192,20 +200,29 @@ function decisionFromApprovalRow(row) {
     }
     return 'accept';
 }
-function normalizeApprovalSummary(row) {
+function requestAuditForApproval(approvalUri, audits) {
+    const matches = audits.filter((audit) => audit.approval === approvalUri && audit.action === 'approval_requested');
+    matches.sort((left, right) => toIsoString(right.createdAt, '').localeCompare(toIsoString(left.createdAt, '')));
+    return matches[0];
+}
+function normalizeApprovalSummary(row, audits) {
+    const approvalUri = buildApprovalUri(row.session, row.id);
+    const requestAudit = requestAuditForApproval(approvalUri, audits);
+    const requestContext = parseRequestAuditContext(requestAudit?.context);
     const createdAt = toIsoString(row.createdAt, new Date(0).toISOString());
     const sessionUri = row.session;
     const decision = decisionFromApprovalRow(row);
     return {
         id: row.id,
-        ...(normalizeString(row.approvalUri) ? { approvalUri: normalizeString(row.approvalUri) } : {}),
         sessionId: extractSessionId(sessionUri),
         sessionUri,
         toolCallId: row.toolCallId,
         toolName: row.toolName,
         risk: normalizeString(row.risk) ?? 'medium',
         status: normalizeString(row.status) ?? 'pending',
-        message: formatApprovalMessage(row),
+        message: requestContext?.message ?? row.toolName,
+        ...(requestContext?.command ? { command: requestContext.command } : {}),
+        ...(requestContext?.cwd ? { cwd: requestContext.cwd } : {}),
         ...(normalizeString(row.assignedTo) ? { assignedTo: normalizeString(row.assignedTo) } : {}),
         ...(normalizeString(row.decisionBy) ? { decisionBy: normalizeString(row.decisionBy) } : {}),
         ...(decision ? { decision } : {}),
@@ -213,18 +230,6 @@ function normalizeApprovalSummary(row) {
         ...(row.resolvedAt ? { resolvedAt: toIsoString(row.resolvedAt, createdAt) } : {}),
     };
 }
-function formatApprovalMessage(row) {
-    if (row.toolName === 'commandExecution') {
-        return 'Command execution approval';
-    }
-    if (row.toolName === 'fileChange') {
-        return 'File change approval';
-    }
-    if (row.toolName === 'permissionRequest') {
-        return 'Permission approval';
-    }
-    return row.toolName;
-}
 function formatSummaryHeadline(summary) {
     return `${summary.id} | ${summary.status} | ${summary.risk} | session=${summary.sessionId}`;
 }
@@ -243,11 +248,72 @@ export function isRemoteApprovalAbortError(error) {
 function missingRemoteApprovalCredentialsMessage() {
     return 'LinX remote approval requires `linx login` first.';
 }
+function unsupportedRemoteApprovalAuthMessage() {
+    return 'LinX remote approval requires client credentials auth in `~/.linx`.';
+}
 async function createDefaultRuntime() {
+    const [credentialsStore, solidAuth, models] = await Promise.all([
+        dynamicImport(new URL('../credentials-store.js', import.meta.url).href),
+        dynamicImport(new URL('../solid-auth.js', import.meta.url).href),
+        dynamicImport(new URL('...co/models.js', import.meta.url).href),
+    ]);
     return {
-        getPodDataSession: getDefaultPodDataSession,
-        createStore(webId, fetcher) {
-            return createNativeRemoteApprovalStore(webId, fetcher);
+        loadCredentials: credentialsStore.loadCredentials,
+        getClientCredentials: credentialsStore.getClientCredentials,
+        authenticate: solidAuth.authenticate,
+        createStore(session) {
+            const db = models.drizzle(session, {
+                logger: false,
+                disableInteropDiscovery: true,
+                schema: models.solidSchema,
+            });
+            let initialized = false;
+            async function ensureInitialized() {
+                if (initialized) {
+                    return;
+                }
+                initialized = true;
+                await db.init([
+                    models.approvalTable,
+                    models.auditTable,
+                    models.grantTable,
+                    models.inboxNotificationTable,
+                ]).catch(() => undefined);
+            }
+            return {
+                async listApprovals() {
+                    await ensureInitialized();
+                    return await db.select().from(models.approvalTable).execute();
+                },
+                async insertApproval(row) {
+                    await ensureInitialized();
+                    await db.insert(models.approvalTable).values(row).execute();
+                },
+                async updateApproval(id, patch) {
+                    await ensureInitialized();
+                    await db.update(models.approvalTable).set(patch).where(models.eq(models.approvalTable.id, id)).execute();
+                },
+                async listAudits() {
+                    await ensureInitialized();
+                    return await db.select().from(models.auditTable).execute();
+                },
+                async insertAudit(row) {
+                    await ensureInitialized();
+                    await db.insert(models.auditTable).values(row).execute();
+                },
+                async listGrants() {
+                    await ensureInitialized();
+                    return await db.select().from(models.grantTable).execute();
+                },
+                async insertGrant(row) {
+                    await ensureInitialized();
+                    await db.insert(models.grantTable).values(row).execute();
+                },
+                async insertInboxNotification(row) {
+                    await ensureInitialized();
+                    await db.insert(models.inboxNotificationTable).values(row).execute();
+                },
+            };
         },
         sleep(ms) {
             return delay(ms);
@@ -258,395 +324,97 @@ async function createDefaultRuntime() {
     };
 }
 async function withRemoteApprovalStore(runtime, fn) {
-    const client = await getRemoteApprovalClient(runtime);
-    if (!client) {
+    const stored = runtime.loadCredentials();
+    if (!stored) {
         throw new Error(missingRemoteApprovalCredentialsMessage());
     }
-    return await fn({
-        store: client.store,
-        webId: client.session.webId,
-        stored: client.session.credentials,
-    });
-}
-async function getRemoteApprovalClient(runtime) {
-    let promise = remoteApprovalClientCache.get(runtime);
-    if (!promise) {
-        promise = createRemoteApprovalClient(runtime)
-            .then((client) => {
-            if (!client) {
-                remoteApprovalClientCache.delete(runtime);
-            }
-            return client;
-        })
-            .catch((error) => {
-            remoteApprovalClientCache.delete(runtime);
-            throw error;
-        });
-        remoteApprovalClientCache.set(runtime, promise);
-    }
-    return promise;
-}
-async function createRemoteApprovalClient(runtime) {
-    const session = await runtime.getPodDataSession();
-    if (!session) {
-        return null;
-    }
-    return {
-        session,
-        store: runtime.createStore(session.webId, session.fetch),
-    };
-}
-function createNativeRemoteApprovalStore(webId, fetcher) {
-    return {
-        listApprovals: () => listApprovalRows(webId, fetcher),
-        findApproval: (id, options) => findApprovalRow(webId, fetcher, id, options),
-        insertApproval: (row) => writeApprovalRow(webId, fetcher, row),
-        async updateApproval(id, patch) {
-            const existing = (await listApprovalRows(webId, fetcher)).find((row) => row.id === id);
-            if (!existing) {
-                throw new Error(`Remote approval not found: ${id}`);
-            }
-            await writeApprovalRow(webId, fetcher, { ...existing, ...patch });
-        },
-        listAudits: () => listAuditRows(webId, fetcher),
-        insertAudit: (row) => writeAuditRow(webId, fetcher, row),
-        listGrants: () => listGrantRows(webId, fetcher),
-        insertGrant: (row) => writeGrantRow(webId, fetcher, row),
-        insertInboxNotification: (row) => writeInboxNotificationRow(webId, fetcher, row),
-    };
-}
-async function findApprovalRow(webId, fetcher, id, options = {}) {
-    if (options.resourceUri) {
-        return readApprovalRowFromResource(fetcher, options.resourceUri);
-    }
-    if (options.createdAt) {
-        const createdAt = new Date(toIsoString(options.createdAt, new Date().toISOString()));
-        return readApprovalRowFromResource(fetcher, buildApprovalResourceUrl(webId, id, createdAt));
+    const clientCredentials = runtime.getClientCredentials(stored);
+    if (!clientCredentials) {
+        throw new Error(unsupportedRemoteApprovalAuthMessage());
     }
-    return (await listApprovalRows(webId, fetcher)).find((row) => row.id === id) ?? null;
-}
-async function readApprovalRowFromResource(fetcher, resourceUri) {
-    const turtle = await readTurtleResource(fetcher, documentUrlFromResourceUri(resourceUri));
-    if (!turtle) {
-        return null;
-    }
-    for (const [subject, predicates] of parseManagedTurtleBlocks(turtle, documentUrlFromResourceUri(resourceUri))) {
-        if (subject !== resourceUri) {
-            continue;
-        }
-        const row = approvalRowFromPredicates(subject, predicates);
-        if (row) {
-            return row;
-        }
+    const { session } = await runtime.authenticate(clientCredentials.clientId, clientCredentials.clientSecret, stored.url);
+    const webId = session.info.webId ?? stored.webId;
+    if (!webId) {
+        await session.logout().catch(() => undefined);
+        throw new Error('Remote approval authentication succeeded without a WebID.');
     }
-    return null;
-}
-async function listApprovalRows(webId, fetcher) {
-    const [currentUrls, legacyUrls] = await Promise.all([
-        listTurtleResourcesRecursive(fetcher, `${getPodBaseUrl(webId)}/.data/approvals/`).catch(() => []),
-        listTurtleResources(fetcher, `${getPodBaseUrl(webId)}/.data/approvals/`).catch(() => []),
-    ]);
-    const urls = [...new Set([...currentUrls, ...legacyUrls])];
-    const rows = [];
-    for (const url of urls.filter((entry) => entry.endsWith('.ttl'))) {
-        const turtle = await readTurtleResource(fetcher, url).catch(() => null);
-        if (!turtle)
-            continue;
-        for (const [subject, predicates] of parseManagedTurtleBlocks(turtle, url)) {
-            const row = approvalRowFromPredicates(subject, predicates);
-            if (row)
-                rows.push(row);
-        }
-    }
-    return rows;
-}
-async function writeApprovalRow(webId, fetcher, row) {
-    const createdAt = new Date(toIsoString(row.createdAt, new Date().toISOString()));
-    const documentUrl = buildApprovalDocumentUrl(webId, createdAt);
-    const subjectUrl = buildApprovalResourceUrl(webId, row.id, createdAt);
-    await upsertManagedTurtleBlock(fetcher, documentUrl, {
-        subject: subjectUrl,
-        triples: [
-            { predicate: RDF_TYPE, object: iri(UDFS.ApprovalRequest) },
-            { predicate: ApprovalVocab.session, object: iri(row.session) },
-            { predicate: ApprovalVocab.toolCallId, object: literal(row.toolCallId) },
-            { predicate: ApprovalVocab.toolName, object: literal(row.toolName) },
-            { predicate: ApprovalVocab.target, object: iri(row.target) },
-            { predicate: ApprovalVocab.action, object: iri(row.action) },
-            { predicate: ApprovalVocab.risk, object: literal(row.risk) },
-            { predicate: ApprovalVocab.status, object: literal(row.status) },
-            ...(row.assignedTo ? [{ predicate: ApprovalVocab.assignedTo, object: iri(row.assignedTo) }] : []),
-            ...(row.decisionBy ? [{ predicate: ApprovalVocab.decisionBy, object: iri(row.decisionBy) }] : []),
-            ...(row.decisionRole ? [{ predicate: ApprovalVocab.decisionRole, object: literal(row.decisionRole) }] : []),
-            ...(row.onBehalfOf ? [{ predicate: ApprovalVocab.onBehalfOf, object: iri(row.onBehalfOf) }] : []),
-            ...(row.reason ? [{ predicate: ApprovalVocab.reason, object: literal(row.reason) }] : []),
-            ...(row.policyVersion ? [{ predicate: ApprovalVocab.policyVersion, object: literal(row.policyVersion) }] : []),
-            { predicate: ApprovalVocab.createdAt, object: literal(toIsoString(row.createdAt, new Date().toISOString())) },
-            ...(row.resolvedAt ? [{ predicate: ApprovalVocab.resolvedAt, object: literal(toIsoString(row.resolvedAt, new Date().toISOString())) }] : []),
-        ],
-    });
-}
-async function listAuditRows(webId, fetcher) {
-    const urls = await listTurtleResourcesRecursive(fetcher, `${getPodBaseUrl(webId)}/.data/audits/`);
-    const rows = [];
-    for (const url of urls.filter((entry) => entry.endsWith('.ttl'))) {
-        const turtle = await readTurtleResource(fetcher, url).catch(() => null);
-        if (!turtle)
-            continue;
-        for (const [subject, predicates] of parseManagedTurtleBlocks(turtle, url)) {
-            const row = auditRowFromPredicates(subject, predicates);
-            if (row)
-                rows.push(row);
-        }
-    }
-    return rows;
-}
-async function writeAuditRow(webId, fetcher, row) {
-    const createdAt = new Date(toIsoString(row.createdAt, new Date().toISOString()));
-    const documentUrl = buildAuditDocumentUrl(webId, createdAt);
-    const subjectUrl = buildAuditResourceUrl(webId, row.id, createdAt);
-    await upsertManagedTurtleBlock(fetcher, documentUrl, {
-        subject: subjectUrl,
-        triples: [
-            { predicate: RDF_TYPE, object: iri(UDFS.AuditEntry) },
-            { predicate: AuditVocab.action, object: literal(row.action) },
-            { predicate: AuditVocab.actor, object: iri(row.actor) },
-            { predicate: AuditVocab.actorRole, object: literal(row.actorRole) },
-            ...(row.onBehalfOf ? [{ predicate: AuditVocab.onBehalfOf, object: iri(row.onBehalfOf) }] : []),
-            ...(row.session ? [{ predicate: AuditVocab.session, object: iri(row.session) }] : []),
-            ...(row.entry ? [{ predicate: AuditVocab.entry, object: iri(row.entry) }] : []),
-            ...(row.toolCallId ? [{ predicate: AuditVocab.toolCallId, object: literal(row.toolCallId) }] : []),
-            ...(row.toolName ? [{ predicate: AuditVocab.toolName, object: literal(row.toolName) }] : []),
-            ...(row.approval ? [{ predicate: AuditVocab.approval, object: iri(row.approval) }] : []),
-            ...(row.policyVersion ? [{ predicate: AuditVocab.policyVersion, object: literal(row.policyVersion) }] : []),
-            { predicate: AuditVocab.createdAt, object: literal(toIsoString(row.createdAt, new Date().toISOString())) },
-        ],
-    });
-}
-async function listGrantRows(webId, fetcher) {
-    const urls = [
-        `${getPodBaseUrl(webId)}/settings/autonomy/grants.ttl`,
-        ...await listTurtleResources(fetcher, `${getPodBaseUrl(webId)}/settings/autonomy/grants/`).catch(() => []),
-    ];
-    const rows = [];
-    for (const url of urls.filter((entry) => entry.endsWith('.ttl'))) {
-        const turtle = await readTurtleResource(fetcher, url).catch(() => null);
-        if (!turtle)
-            continue;
-        for (const [subject, predicates] of parseManagedTurtleBlocks(turtle, url)) {
-            const row = grantRowFromPredicates(subject, predicates);
-            if (row)
-                rows.push(row);
-        }
-    }
-    return rows;
-}
-async function writeGrantRow(webId, fetcher, row) {
-    const id = normalizeString(row.id) ?? crypto.randomUUID();
-    const documentUrl = buildGrantDocumentUrl(webId);
-    const subjectUrl = buildGrantResourceUrl(webId, id);
-    const target = normalizeString(row.target);
-    const action = normalizeString(row.action);
-    const effect = normalizeString(row.effect);
-    const decisionBy = normalizeString(row.decisionBy);
-    const decisionRole = normalizeString(row.decisionRole);
-    if (!target || !action || !effect || !decisionBy || !decisionRole) {
-        throw new Error(`Invalid remote approval grant row: ${id}`);
-    }
-    await upsertManagedTurtleBlock(fetcher, documentUrl, {
-        subject: subjectUrl,
-        triples: [
-            { predicate: RDF_TYPE, object: iri(ODRL.Policy) },
-            { predicate: RDF_TYPE, object: iri(UDFS.AutonomyGrant) },
-            { predicate: GrantVocab.target, object: iri(target) },
-            { predicate: GrantVocab.action, object: iri(action) },
-            { predicate: GrantVocab.effect, object: literal(effect) },
-            ...(normalizeString(row.riskCeiling) ? [{ predicate: GrantVocab.riskCeiling, object: literal(normalizeString(row.riskCeiling)) }] : []),
-            { predicate: GrantVocab.decisionBy, object: iri(decisionBy) },
-            { predicate: GrantVocab.decisionRole, object: literal(decisionRole) },
-            ...(normalizeString(row.onBehalfOf) ? [{ predicate: GrantVocab.onBehalfOf, object: iri(normalizeString(row.onBehalfOf)) }] : []),
-            { predicate: GrantVocab.createdAt, object: literal(toIsoString(row.createdAt, new Date().toISOString())) },
-            ...(normalizeString(row.revokedAt) ? [{ predicate: GrantVocab.revokedAt, object: literal(normalizeString(row.revokedAt)) }] : []),
-        ],
-    });
-}
-async function writeInboxNotificationRow(webId, fetcher, row) {
-    const url = buildInboxResourceUrl(webId, row.id);
-    await upsertManagedTurtleBlock(fetcher, url, {
-        subject: url,
-        triples: [
-            { predicate: RDF_TYPE, object: iri(AS.Announce) },
-            ...(row.actor ? [{ predicate: InboxNotificationVocab.actor, object: iri(row.actor) }] : []),
-            { predicate: InboxNotificationVocab.object, object: iri(row.object) },
-            { predicate: InboxNotificationVocab.createdAt, object: literal(toIsoString(row.createdAt, new Date().toISOString())) },
-        ],
-    });
-}
-function approvalRowFromPredicates(url, predicates) {
-    const session = firstIri(predicates, ApprovalVocab.session);
-    const toolCallId = firstLiteral(predicates, ApprovalVocab.toolCallId);
-    const toolName = firstLiteral(predicates, ApprovalVocab.toolName);
-    const target = firstIri(predicates, ApprovalVocab.target);
-    const action = firstIri(predicates, ApprovalVocab.action);
-    const risk = firstLiteral(predicates, ApprovalVocab.risk);
-    const status = firstLiteral(predicates, ApprovalVocab.status);
-    const createdAt = firstLiteral(predicates, ApprovalVocab.createdAt);
-    if (!session || !toolCallId || !toolName || !target || !action || !risk || !status || !createdAt) {
-        return null;
-    }
-    return {
-        id: subjectIdFromResourceUrl(url),
-        session,
-        toolCallId,
-        toolName,
-        target,
-        action,
-        risk,
-        status,
-        assignedTo: firstIri(predicates, ApprovalVocab.assignedTo),
-        decisionBy: firstIri(predicates, ApprovalVocab.decisionBy),
-        decisionRole: firstLiteral(predicates, ApprovalVocab.decisionRole),
-        onBehalfOf: firstIri(predicates, ApprovalVocab.onBehalfOf),
-        reason: firstLiteral(predicates, ApprovalVocab.reason),
-        policyVersion: firstLiteral(predicates, ApprovalVocab.policyVersion),
-        createdAt,
-        resolvedAt: firstLiteral(predicates, ApprovalVocab.resolvedAt),
-    };
-}
-function auditRowFromPredicates(url, predicates) {
-    const action = firstLiteral(predicates, AuditVocab.action);
-    const actor = firstIri(predicates, AuditVocab.actor);
-    const actorRole = firstLiteral(predicates, AuditVocab.actorRole);
-    const createdAt = firstLiteral(predicates, AuditVocab.createdAt);
-    if (!action || !actor || !actorRole || !createdAt) {
-        return null;
+    try {
+        return await fn({
+            store: runtime.createStore(session),
+            webId,
+            stored,
+        });
     }
-    return {
-        id: subjectIdFromResourceUrl(url),
-        action,
-        actor,
-        actorRole,
-        onBehalfOf: firstIri(predicates, AuditVocab.onBehalfOf),
-        session: firstIri(predicates, AuditVocab.session),
-        entry: firstIri(predicates, AuditVocab.entry),
-        toolCallId: firstLiteral(predicates, AuditVocab.toolCallId),
-        toolName: firstLiteral(predicates, AuditVocab.toolName),
-        approval: firstIri(predicates, AuditVocab.approval),
-        policyVersion: firstLiteral(predicates, AuditVocab.policyVersion),
-        createdAt,
-    };
-}
-function grantRowFromPredicates(url, predicates) {
-    const target = firstIri(predicates, GrantVocab.target);
-    const action = firstIri(predicates, GrantVocab.action);
-    const effect = firstLiteral(predicates, GrantVocab.effect);
-    const decisionBy = firstIri(predicates, GrantVocab.decisionBy);
-    const decisionRole = firstLiteral(predicates, GrantVocab.decisionRole);
-    const createdAt = firstLiteral(predicates, GrantVocab.createdAt);
-    if (!target || !action || !effect || !decisionBy || !decisionRole || !createdAt) {
-        return null;
+    finally {
+        await session.logout().catch(() => undefined);
     }
-    return {
-        id: subjectIdFromResourceUrl(url),
-        target,
-        action,
-        effect,
-        riskCeiling: firstLiteral(predicates, GrantVocab.riskCeiling),
-        decisionBy,
-        decisionRole,
-        onBehalfOf: firstIri(predicates, GrantVocab.onBehalfOf),
-        createdAt,
-        revokedAt: firstLiteral(predicates, GrantVocab.revokedAt),
-    };
 }
 export async function createRemoteWatchApproval(options) {
     const activeRuntime = options.runtime ?? await createDefaultRuntime();
-    return createRemoteApproval({
-        subject: ({ webId }) => ({
-            sessionUri: buildThreadUri(webId, options.record.id),
-            actorUri: buildAgentUri(webId),
-            policyVersion: REMOTE_APPROVAL_POLICY_VERSION,
-        }),
-        request: ({ sessionUri }) => ({
-            kind: options.request.kind,
-            message: buildRequestMessage(options.request),
-            toolCallId: extractToolCallId(options.request),
-            toolName: buildToolName(options.request),
-            action: buildActionUri(options.request),
-            risk: buildRisk(options.request),
-            ...(options.request.kind === 'command-approval' && options.request.command ? { command: options.request.command } : {}),
-            ...(options.request.kind === 'command-approval' && options.request.cwd ? { cwd: options.request.cwd } : {}),
-            entry: sessionUri,
-        }),
-        runtime: activeRuntime,
-    });
-}
-export async function createRemoteApproval(options) {
-    const activeRuntime = options.runtime ?? await createDefaultRuntime();
-    return withRemoteApprovalStore(activeRuntime, async ({ store, webId, stored }) => {
-        const subject = typeof options.subject === 'function'
-            ? options.subject({ webId, stored })
-            : options.subject;
-        const request = typeof options.request === 'function'
-            ? options.request({ webId, stored, sessionUri: subject.sessionUri })
-            : options.request;
+    return withRemoteApprovalStore(activeRuntime, async ({ store, webId }) => {
         const approvalId = crypto.randomUUID();
         const now = activeRuntime.now();
-        const sessionUri = subject.sessionUri;
-        const approvalUri = buildApprovalUriForDate(webId, approvalId, now);
-        const targetUri = subject.targetUri ?? sessionUri;
-        const assignedTo = subject.assignedTo ?? webId;
-        const onBehalfOf = subject.onBehalfOf ?? webId;
-        const policyVersion = subject.policyVersion ?? REMOTE_APPROVAL_POLICY_VERSION;
-        const requestEntry = request.entry ?? approvalUri;
+        const sessionUri = buildThreadUri(webId, options.record.id);
+        const approvalUri = buildApprovalUri(webId, approvalId);
+        const toolCallId = extractToolCallId(options.request);
+        const requestContext = buildRequestAuditContext(options.record, options.request);
         await store.insertApproval({
             id: approvalId,
             session: sessionUri,
-            toolCallId: request.toolCallId,
-            toolName: request.toolName,
-            target: targetUri,
-            action: request.action,
-            risk: request.risk,
+            toolCallId,
+            toolName: buildToolName(options.request),
+            target: sessionUri,
+            action: buildActionUri(options.request),
+            risk: buildRisk(options.request),
             status: 'pending',
-            assignedTo,
-            policyVersion,
+            assignedTo: webId,
+            policyVersion: REMOTE_APPROVAL_POLICY_VERSION,
             createdAt: now,
         });
-        const requestAudit = {
+        await store.insertAudit({
             id: crypto.randomUUID(),
             action: 'approval_requested',
-            actor: subject.actorUri,
+            actor: buildAgentUri(webId),
             actorRole: 'secretary',
-            onBehalfOf,
+            onBehalfOf: webId,
             session: sessionUri,
-            entry: requestEntry,
-            toolCallId: request.toolCallId,
-            toolName: request.toolName,
+            toolCallId,
             approval: approvalUri,
-            policyVersion,
+            context: JSON.stringify(requestContext),
+            policyVersion: REMOTE_APPROVAL_POLICY_VERSION,
             createdAt: now,
-        };
-        await warnOnly(activeRuntime, () => store.insertAudit(requestAudit));
-        await warnOnly(activeRuntime, () => store.insertInboxNotification({
+        });
+        await store.insertInboxNotification({
             id: crypto.randomUUID(),
-            actor: subject.actorUri,
+            actor: buildAgentUri(webId),
             object: approvalUri,
             createdAt: now,
-        }));
+        }).catch(() => undefined);
         return normalizeApprovalSummary({
             id: approvalId,
-            approvalUri,
             session: sessionUri,
-            toolCallId: request.toolCallId,
-            toolName: request.toolName,
-            target: targetUri,
-            action: request.action,
-            risk: request.risk,
+            toolCallId,
+            toolName: buildToolName(options.request),
+            target: sessionUri,
+            action: buildActionUri(options.request),
+            risk: buildRisk(options.request),
             status: 'pending',
-            assignedTo,
-            policyVersion,
+            assignedTo: webId,
+            policyVersion: REMOTE_APPROVAL_POLICY_VERSION,
             createdAt: now,
-        });
+        }, [{
+                id: crypto.randomUUID(),
+                action: 'approval_requested',
+                actor: buildAgentUri(webId),
+                actorRole: 'secretary',
+                onBehalfOf: webId,
+                session: sessionUri,
+                toolCallId,
+                approval: approvalUri,
+                context: JSON.stringify(requestContext),
+                policyVersion: REMOTE_APPROVAL_POLICY_VERSION,
+                createdAt: now,
+            }]);
     });
 }
 export async function waitForRemoteWatchApproval(options) {
@@ -656,13 +424,10 @@ export async function waitForRemoteWatchApproval(options) {
             if (options.signal?.aborted) {
                 throw createAbortError();
             }
-            const row = await readRemoteApprovalRow(store, {
-                approvalId: options.approvalId,
-                approvalUri: options.approvalUri,
-            });
+            const approvals = await store.listApprovals();
+            const row = approvals.find((entry) => entry.id === options.approvalId);
             if (!row) {
-                await activeRuntime.sleep(options.pollMs ?? DEFAULT_REMOTE_APPROVAL_POLL_MS);
-                continue;
+                throw new Error(`Remote approval disappeared before resolution: ${options.approvalId}`);
             }
             const decision = decisionFromApprovalRow(row);
             if (decision) {
@@ -695,40 +460,6 @@ export async function requestRemoteWatchApproval(options) {
     });
     return waitForRemoteWatchApproval({
         approvalId: summary.id,
-        approvalUri: summary.approvalUri,
-        pollMs: options.pollMs,
-        signal: options.signal,
-        runtime: activeRuntime,
-    });
-}
-export async function requestRemoteApproval(options) {
-    const activeRuntime = options.runtime ?? await createDefaultRuntime();
-    const delegated = await withRemoteApprovalStore(activeRuntime, async ({ store, webId, stored }) => {
-        const subject = typeof options.subject === 'function'
-            ? options.subject({ webId, stored })
-            : options.subject;
-        const request = typeof options.request === 'function'
-            ? options.request({ webId, stored, sessionUri: subject.sessionUri })
-            : options.request;
-        const grants = await store.listGrants();
-        const requestTarget = subject.targetUri ?? subject.sessionUri;
-        return grants.some((grant) => (grant.effect === 'allow'
-            && grant.action === request.action
-            && grant.target === requestTarget
-            && riskScore(typeof grant.riskCeiling === 'string' ? grant.riskCeiling : undefined) >= riskScore(request.risk)
-            && !grant.revokedAt));
-    });
-    if (delegated) {
-        return 'accept_for_session';
-    }
-    const summary = await createRemoteApproval({
-        subject: options.subject,
-        request: options.request,
-        runtime: activeRuntime,
-    });
-    return waitForRemoteWatchApproval({
-        approvalId: summary.id,
-        approvalUri: summary.approvalUri,
         pollMs: options.pollMs,
         signal: options.signal,
         runtime: activeRuntime,
@@ -738,9 +469,12 @@ export async function listRemoteWatchApprovals(options = {}) {
     const activeRuntime = options.runtime ?? await createDefaultRuntime();
     const requestedStatus = options.status ?? 'pending';
     return withRemoteApprovalStore(activeRuntime, async ({ store, webId }) => {
-        const approvals = await store.listApprovals();
+        const [approvals, audits] = await Promise.all([
+            store.listApprovals(),
+            store.listAudits(),
+        ]);
         return approvals
-            .map((row) => normalizeApprovalSummary(row))
+            .map((row) => normalizeApprovalSummary(row, audits))
             .filter((summary) => !summary.assignedTo || summary.assignedTo === webId)
             .filter((summary) => requestedStatus === 'all' || summary.status === requestedStatus)
             .sort((left, right) => right.createdAt.localeCompare(left.createdAt));
@@ -749,19 +483,17 @@ export async function listRemoteWatchApprovals(options = {}) {
 export async function resolveRemoteWatchApproval(options) {
     const activeRuntime = options.runtime ?? await createDefaultRuntime();
     return withRemoteApprovalStore(activeRuntime, async ({ store, webId }) => {
-        const row = await readRemoteApprovalRow(store, {
-            approvalId: options.approvalId,
-            approvalUri: options.approvalUri,
-        });
+        const approvals = await store.listApprovals();
+        const row = approvals.find((entry) => entry.id === options.approvalId);
         if (!row) {
             throw new Error(`Remote approval not found: ${options.approvalId}`);
         }
         if (row.status !== 'pending') {
-            return normalizeApprovalSummary(row);
+            const audits = await store.listAudits();
+            return normalizeApprovalSummary(row, audits);
         }
         const now = activeRuntime.now();
-        const approvalCreatedAt = new Date(toIsoString(row.createdAt, now.toISOString()));
-        const approvalUri = buildApprovalUriForDate(row.session, row.id, approvalCreatedAt);
+        const approvalUri = buildApprovalUri(row.session, row.id);
         const nextStatus = options.decision === 'accept' || options.decision === 'accept_for_session'
             ? 'approved'
             : 'rejected';
@@ -773,20 +505,22 @@ export async function resolveRemoteWatchApproval(options) {
             reason: encodeDecisionReason(options.decision, options.note),
             resolvedAt: now,
         });
-        await warnOnly(activeRuntime, () => store.insertAudit({
+        await store.insertAudit({
             id: crypto.randomUUID(),
             action: nextStatus === 'approved' ? 'approval_approved' : 'approval_rejected',
             actor: webId,
             actorRole: 'human',
             onBehalfOf: webId,
             session: row.session,
-            entry: approvalUri,
             toolCallId: row.toolCallId,
-            toolName: row.toolName,
             approval: approvalUri,
+            context: JSON.stringify({
+                decision: options.decision,
+                ...(options.note?.trim() ? { note: options.note.trim() } : {}),
+            }),
             policyVersion: REMOTE_APPROVAL_POLICY_VERSION,
             createdAt: now,
-        }));
+        });
         if (options.decision === 'accept_for_session') {
             const grantId = crypto.randomUUID();
             await store.insertGrant({
@@ -800,19 +534,19 @@ export async function resolveRemoteWatchApproval(options) {
                 onBehalfOf: webId,
                 createdAt: now,
             });
-            await warnOnly(activeRuntime, () => store.insertInboxNotification({
+            await store.insertInboxNotification({
                 id: crypto.randomUUID(),
                 actor: webId,
                 object: buildGrantUri(row.session, grantId),
                 createdAt: now,
-            }));
+            }).catch(() => undefined);
         }
-        await warnOnly(activeRuntime, () => store.insertInboxNotification({
+        await store.insertInboxNotification({
             id: crypto.randomUUID(),
             actor: webId,
             object: approvalUri,
             createdAt: now,
-        }));
+        }).catch(() => undefined);
         const nextRow = {
             ...row,
             status: nextStatus,
@@ -822,35 +556,23 @@ export async function resolveRemoteWatchApproval(options) {
             reason: encodeDecisionReason(options.decision, options.note),
             resolvedAt: now,
         };
-        return normalizeApprovalSummary(nextRow);
+        const audits = await store.listAudits();
+        return normalizeApprovalSummary(nextRow, audits);
     });
 }
-async function readRemoteApprovalRow(store, options) {
-    if (store.findApproval) {
-        const row = await store.findApproval(options.approvalId, {
-            resourceUri: options.approvalUri,
-        });
-        if (row || options.approvalUri) {
-            return row;
-        }
-    }
-    const approvals = await store.listApprovals();
-    return approvals.find((entry) => entry.id === options.approvalId) ?? null;
-}
 export const __podApprovalInternal = {
     createAbortError,
-    createDefaultRuntime,
     buildActionUri,
+    buildRequestAuditContext,
     buildRisk,
     buildToolName,
-    createNativeRemoteApprovalStore,
     extractToolCallId,
     decisionFromApprovalRow,
     encodeDecisionReason,
     formatSummaryHeadline,
-    readRemoteApprovalRow,
     isRemoteApprovalAbortError,
     normalizeApprovalSummary,
     parseDecisionReason,
+    parseRequestAuditContext,
 };
 //# sourceMappingURL=pod-approval.js.map