@undefineds.co/linx 0.2.16 → 0.2.17

package/dist/lib/watch/pod-approval.js

@@ -1,25 +1,17 @@
 import { setTimeout as delay } from 'node:timers/promises';
-import { getDefaultPodDataSession } from '../pod-data-session.js';
-import { AS, ODRL, UDFS } from '@undefineds.co/models/namespaces';
-import { ApprovalVocab, AuditVocab, GrantVocab, InboxNotificationVocab } from '@undefineds.co/models/vocab/sidecar';
-import { resolveWatchGrantCoverage } from './secretary.js';
-import { buildApprovalDocumentUrl, RDF_TYPE, buildApprovalResourceUrl, buildAuditDocumentUrl, buildAuditResourceUrl, buildGrantResourceUrl, buildInboxResourceUrl, firstIri, firstLiteral, iri, listTurtleResources, listTurtleResourcesRecursive, literal, parseManagedTurtleBlocks, readTurtleResource, subjectIdFromResourceUrl, upsertManagedTurtleBlock, } from '../pi-adapter/pod-native.js';
-const WATCH_CHAT_ID_PREFIX = 'linx-watch';
+const WATCH_CHAT_ID = 'linx-watch';
 const WATCH_AGENT_ID = 'linx-watch-assistant';
 const REMOTE_APPROVAL_POLICY_VERSION = 'linx-watch-remote-approval/v1';
 const DEFAULT_REMOTE_APPROVAL_POLL_MS = 1000;
-const DEFAULT_WARN_ONLY_TIMEOUT_MS = 5000;
-const DEFAULT_APPROVAL_LIST_DAYS = 7;
-const MAX_GRANT_POLICY_LENGTH = 1200;
-const MAX_APPROVAL_CONTEXT_LENGTH = 1400;
-const MIN_GRANT_COVERAGE_CONFIDENCE = 0.75;
-const MAX_GRANT_COVERAGE_CANDIDATES = 5;
-const remoteApprovalClientCache = new WeakMap();
 function createAbortError() {
     const error = new Error('The operation was aborted.');
     error.name = 'AbortError';
     return error;
 }
+async function dynamicImport(specifier) {
+    const loader = new Function('modulePath', 'return import(modulePath)');
+    return loader(specifier);
+}
 function normalizeString(value) {
     return typeof value === 'string' && value.trim() ? value.trim() : undefined;
 }
@@ -45,26 +37,14 @@ function getPodBaseUrl(webIdOrUri) {
     }
     return webIdOrUri.replace(/\/$/, '');
 }
-function buildWatchChatId(record) {
-    return `${WATCH_CHAT_ID_PREFIX}-${record.backend}`;
-}
-function buildThreadUri(webId, record) {
-    return `${getPodBaseUrl(webId)}/.data/chat/${buildWatchChatId(record)}/index.ttl#${record.id}`;
+function buildThreadUri(webId, threadId) {
+    return `${getPodBaseUrl(webId)}/.data/chat/${WATCH_CHAT_ID}/index.ttl#${threadId}`;
 }
 function buildApprovalUri(webIdOrUri, approvalId) {
-    return buildApprovalResourceUrl(webIdOrUri, approvalId);
-}
-function buildApprovalUriForDate(webIdOrUri, approvalId, createdAt) {
-    return buildApprovalResourceUrl(webIdOrUri, approvalId, createdAt);
-}
-function documentUrlFromResourceUri(resourceUri) {
-    return resourceUri.split('#', 1)[0] ?? resourceUri;
+    return `${getPodBaseUrl(webIdOrUri)}/.data/approvals/${approvalId}.ttl`;
 }
 function buildGrantUri(webIdOrUri, grantId) {
-    return buildGrantResourceUrl(webIdOrUri, grantId);
-}
-function buildGrantSchemaUri(webIdOrUri) {
-    return `${getPodBaseUrl(webIdOrUri)}/settings/autonomy/schema/grant.ttl#GrantWikiPage`;
+    return `${getPodBaseUrl(webIdOrUri)}/settings/autonomy/grants/${grantId}.ttl`;
 }
 function buildAgentUri(webId) {
     return `${getPodBaseUrl(webId)}/.data/agents/${WATCH_AGENT_ID}.ttl`;
@@ -123,6 +103,16 @@ function buildRequestMessage(request) {
     }
     return request.message;
 }
+function buildRequestAuditContext(record, request) {
+    return {
+        kind: request.kind,
+        message: buildRequestMessage(request),
+        ...(request.kind === 'command-approval' && request.command ? { command: request.command } : {}),
+        ...(request.kind === 'command-approval' && request.cwd ? { cwd: request.cwd } : {}),
+        backend: record.backend,
+        sessionId: record.id,
+    };
+}
 function extractToolCallId(request) {
     if (!isRecord(request.raw)) {
         return crypto.randomUUID();
@@ -134,7 +124,7 @@ function extractToolCallId(request) {
         ?? crypto.randomUUID();
 }
 function encodeDecisionReason(decision, note) {
-    return safeJsonStringify({
+    return JSON.stringify({
         decision,
         ...(note?.trim() ? { note: note.trim() } : {}),
     });
@@ -161,193 +151,34 @@ function parseDecisionReason(value) {
         return null;
     }
 }
-async function warnOnly(runtime, task) {
-    try {
-        await Promise.race([
-            task(),
-            runtime.sleep(DEFAULT_WARN_ONLY_TIMEOUT_MS).then(() => {
-                throw new Error(`Pod side-effect sync timed out after ${DEFAULT_WARN_ONLY_TIMEOUT_MS}ms`);
-            }),
-        ]);
-    }
-    catch (error) {
-        if (runtime.onWarning) {
-            runtime.onWarning(error);
-            return;
-        }
-        const message = error instanceof Error ? error.message : String(error);
-        process.emitWarning(`LinX Pod sync failed: ${message}`);
-    }
-}
-function safeJsonStringify(value) {
-    try {
-        return JSON.stringify(value);
-    }
-    catch {
-        return JSON.stringify({ error: 'unserializable_context' });
-    }
-}
-function truncatePodLiteral(value, maxLength) {
-    if (value.length <= maxLength) {
-        return value;
-    }
-    return `${value.slice(0, Math.max(0, maxLength - 15))}...[truncated]`;
-}
-function safeCompactJson(value, maxLength) {
-    return truncatePodLiteral(safeJsonStringify(value), maxLength);
-}
-function compactApprovalContext(request) {
-    return safeCompactJson({
-        kind: request.kind,
-        message: request.message,
-        toolName: request.toolName,
-        action: request.action,
-        risk: request.risk,
-        ...(request.command ? { command: request.command } : {}),
-        ...(request.cwd ? { cwd: request.cwd } : {}),
-        ...(request.approvalOptions ? { approvalOptions: request.approvalOptions } : {}),
-        ...(request.expiresAt ? { expiresAt: normalizeDateLike(request.expiresAt) } : {}),
-        ...(request.context ? { sourceContext: truncatePodLiteral(request.context, 500) } : {}),
-    }, MAX_APPROVAL_CONTEXT_LENGTH);
-}
-function grantWikiTitleFromApproval(row, explicitTitle) {
-    const explicit = normalizeString(explicitTitle);
-    if (explicit) {
-        return truncatePodLiteral(explicit, 160);
-    }
-    return truncatePodLiteral(`${row.toolName} grant wiki for ${extractSessionId(row.session)}`, 160);
-}
-function grantWikiSummaryFromApproval(row, explicitSummary) {
-    const explicit = normalizeString(explicitSummary);
-    if (explicit) {
-        return truncatePodLiteral(explicit, 500);
-    }
-    return truncatePodLiteral(`Authorization wiki page for ${row.toolName}. AI Secretary must read the page body before reusing this grant.`, 500);
-}
-function grantWikiBodyFromApproval(row, explicitBody) {
-    const explicit = normalizeString(explicitBody);
-    if (explicit) {
-        return truncatePodLiteral(explicit, MAX_GRANT_POLICY_LENGTH);
-    }
-    return truncatePodLiteral([
-        '# Grant Semantics',
-        '',
-        'This page follows the LLM Wiki pattern: it is the maintained wiki view AI Secretary reads before reusing an authorization.',
-        '',
-        '## Covers',
-        `- Requests semantically inside target ${row.target}.`,
-        `- Action family ${row.action}.`,
-        `- Risk no higher than ${row.risk}.`,
-        '',
-        '## Does Not Cover',
-        '- Requests that are materially broader than the source approval.',
-        '- Requests that change from read-oriented to write/destructive behavior.',
-        '- Requests that touch credentials, secrets, package installation, new network side effects, or workspace boundaries unless explicitly documented here.',
-        '',
-        '## Source Context',
-        row.context ?? safeJsonStringify({ toolName: row.toolName, action: row.action, risk: row.risk }),
-    ].join('\n'), MAX_GRANT_POLICY_LENGTH);
-}
-function grantIndexTextFromWikiBody(body) {
-    return truncatePodLiteral(body, MAX_GRANT_POLICY_LENGTH);
-}
-function grantWikiTagsFromApproval(row, explicitTags) {
-    const tags = [
-        'autonomy',
-        'grant',
-        row.toolName,
-        row.risk,
-        ...(explicitTags ?? []),
-    ]
-        .map((tag) => tag.trim())
-        .filter(Boolean);
-    return safeJsonStringify([...new Set(tags)]);
-}
-function grantContextFromApproval(row) {
-    return safeCompactJson({
-        sourceApproval: buildApprovalUriForDate(row.session, row.id, new Date(toIsoString(row.createdAt, new Date().toISOString()))),
-        session: row.session,
-        toolCallId: row.toolCallId,
-        toolName: row.toolName,
-        target: row.target,
-        action: row.action,
-        risk: row.risk,
-        approvalContext: row.context,
-    }, MAX_APPROVAL_CONTEXT_LENGTH);
-}
-function literalValues(predicates, predicate) {
-    return (predicates.get(predicate) ?? [])
-        .map((object) => isRecord(object) && object.type === 'literal' && typeof object.value === 'string' ? object.value : '')
-        .filter(Boolean);
-}
-function iriValues(predicates, predicate) {
-    return (predicates.get(predicate) ?? [])
-        .map((object) => isRecord(object) && object.type === 'iri' && typeof object.value === 'string' ? object.value : '')
-        .filter(Boolean);
-}
-function grantSourceHash(row) {
-    return `approval:${row.id}:${row.toolCallId}:${row.risk}`;
-}
-function encodeApprovalOptions(options) {
-    if (!options || options.length === 0) {
-        return undefined;
-    }
-    return safeJsonStringify(options);
-}
-function parseApprovalOptions(value) {
+function parseRequestAuditContext(value) {
     if (typeof value !== 'string' || !value.trim()) {
-        return undefined;
+        return null;
     }
     try {
         const parsed = JSON.parse(value);
-        if (!Array.isArray(parsed)) {
-            return undefined;
+        if (!isRecord(parsed)) {
+            return null;
         }
-        const options = parsed
-            .map((option) => {
-            if (!isRecord(option)) {
-                return null;
-            }
-            const optionId = normalizeString(option.optionId);
-            const label = normalizeString(option.label);
-            if (!optionId || !label) {
-                return null;
-            }
-            const kind = normalizeString(option.kind);
-            const description = normalizeString(option.description);
-            return {
-                optionId,
-                label,
-                ...(kind ? { kind } : {}),
-                ...(description ? { description } : {}),
-            };
-        })
-            .filter((option) => option !== null);
-        return options.length > 0 ? options : undefined;
+        const kind = normalizeString(parsed.kind);
+        const message = normalizeString(parsed.message);
+        const backend = normalizeString(parsed.backend);
+        const sessionId = normalizeString(parsed.sessionId);
+        if (!kind || !message || !backend || !sessionId) {
+            return null;
+        }
+        return {
+            kind: kind,
+            message,
+            backend: backend,
+            sessionId,
+            ...(normalizeString(parsed.command) ? { command: normalizeString(parsed.command) } : {}),
+            ...(normalizeString(parsed.cwd) ? { cwd: normalizeString(parsed.cwd) } : {}),
+        };
     }
     catch {
-        return undefined;
-    }
-}
-function normalizeDateLike(value) {
-    if (value instanceof Date) {
-        return Number.isFinite(value.getTime()) ? value.toISOString() : undefined;
-    }
-    if (typeof value !== 'string' || !value.trim()) {
-        return undefined;
-    }
-    const parsed = new Date(value);
-    return Number.isFinite(parsed.getTime()) ? parsed.toISOString() : undefined;
-}
-function resolveApprovalExpiresAt(request, now) {
-    const explicit = normalizeDateLike(request.expiresAt);
-    if (explicit) {
-        return explicit;
-    }
-    if (typeof request.timeoutMs === 'number' && Number.isFinite(request.timeoutMs) && request.timeoutMs > 0) {
-        return new Date(now.getTime() + request.timeoutMs);
+        return null;
     }
-    return undefined;
 }
 function extractSessionId(sessionUri) {
     if (sessionUri.includes('#')) {
@@ -369,42 +200,36 @@ function decisionFromApprovalRow(row) {
     }
     return 'accept';
 }
-function normalizeApprovalSummary(row) {
+function requestAuditForApproval(approvalUri, audits) {
+    const matches = audits.filter((audit) => audit.approval === approvalUri && audit.action === 'approval_requested');
+    matches.sort((left, right) => toIsoString(right.createdAt, '').localeCompare(toIsoString(left.createdAt, '')));
+    return matches[0];
+}
+function normalizeApprovalSummary(row, audits) {
+    const approvalUri = buildApprovalUri(row.session, row.id);
+    const requestAudit = requestAuditForApproval(approvalUri, audits);
+    const requestContext = parseRequestAuditContext(requestAudit?.context);
     const createdAt = toIsoString(row.createdAt, new Date(0).toISOString());
     const sessionUri = row.session;
     const decision = decisionFromApprovalRow(row);
-    const approvalOptions = parseApprovalOptions(row.approvalOptions);
     return {
         id: row.id,
-        ...(normalizeString(row.approvalUri) ? { approvalUri: normalizeString(row.approvalUri) } : {}),
         sessionId: extractSessionId(sessionUri),
         sessionUri,
         toolCallId: row.toolCallId,
         toolName: row.toolName,
         risk: normalizeString(row.risk) ?? 'medium',
         status: normalizeString(row.status) ?? 'pending',
-        message: formatApprovalMessage(row),
+        message: requestContext?.message ?? row.toolName,
+        ...(requestContext?.command ? { command: requestContext.command } : {}),
+        ...(requestContext?.cwd ? { cwd: requestContext.cwd } : {}),
         ...(normalizeString(row.assignedTo) ? { assignedTo: normalizeString(row.assignedTo) } : {}),
         ...(normalizeString(row.decisionBy) ? { decisionBy: normalizeString(row.decisionBy) } : {}),
         ...(decision ? { decision } : {}),
-        ...(approvalOptions ? { approvalOptions } : {}),
         createdAt,
-        ...(row.expiresAt ? { expiresAt: toIsoString(row.expiresAt, createdAt) } : {}),
         ...(row.resolvedAt ? { resolvedAt: toIsoString(row.resolvedAt, createdAt) } : {}),
     };
 }
-function formatApprovalMessage(row) {
-    if (row.toolName === 'commandExecution') {
-        return 'Command execution approval';
-    }
-    if (row.toolName === 'fileChange') {
-        return 'File change approval';
-    }
-    if (row.toolName === 'permissionRequest') {
-        return 'Permission approval';
-    }
-    return row.toolName;
-}
 function formatSummaryHeadline(summary) {
     return `${summary.id} | ${summary.status} | ${summary.risk} | session=${summary.sessionId}`;
 }
@@ -423,11 +248,72 @@ export function isRemoteApprovalAbortError(error) {
 function missingRemoteApprovalCredentialsMessage() {
     return 'LinX remote approval requires `linx login` first.';
 }
+function unsupportedRemoteApprovalAuthMessage() {
+    return 'LinX remote approval requires client credentials auth in `~/.linx`.';
+}
 async function createDefaultRuntime() {
+    const [credentialsStore, solidAuth, models] = await Promise.all([
+        dynamicImport(new URL('../credentials-store.js', import.meta.url).href),
+        dynamicImport(new URL('../solid-auth.js', import.meta.url).href),
+        dynamicImport(new URL('...co/models.js', import.meta.url).href),
+    ]);
     return {
-        getPodDataSession: getDefaultPodDataSession,
-        createStore(webId, fetcher) {
-            return createNativeRemoteApprovalStore(webId, fetcher);
+        loadCredentials: credentialsStore.loadCredentials,
+        getClientCredentials: credentialsStore.getClientCredentials,
+        authenticate: solidAuth.authenticate,
+        createStore(session) {
+            const db = models.drizzle(session, {
+                logger: false,
+                disableInteropDiscovery: true,
+                schema: models.solidSchema,
+            });
+            let initialized = false;
+            async function ensureInitialized() {
+                if (initialized) {
+                    return;
+                }
+                initialized = true;
+                await db.init([
+                    models.approvalTable,
+                    models.auditTable,
+                    models.grantTable,
+                    models.inboxNotificationTable,
+                ]).catch(() => undefined);
+            }
+            return {
+                async listApprovals() {
+                    await ensureInitialized();
+                    return await db.select().from(models.approvalTable).execute();
+                },
+                async insertApproval(row) {
+                    await ensureInitialized();
+                    await db.insert(models.approvalTable).values(row).execute();
+                },
+                async updateApproval(id, patch) {
+                    await ensureInitialized();
+                    await db.update(models.approvalTable).set(patch).where(models.eq(models.approvalTable.id, id)).execute();
+                },
+                async listAudits() {
+                    await ensureInitialized();
+                    return await db.select().from(models.auditTable).execute();
+                },
+                async insertAudit(row) {
+                    await ensureInitialized();
+                    await db.insert(models.auditTable).values(row).execute();
+                },
+                async listGrants() {
+                    await ensureInitialized();
+                    return await db.select().from(models.grantTable).execute();
+                },
+                async insertGrant(row) {
+                    await ensureInitialized();
+                    await db.insert(models.grantTable).values(row).execute();
+                },
+                async insertInboxNotification(row) {
+                    await ensureInitialized();
+                    await db.insert(models.inboxNotificationTable).values(row).execute();
+                },
+            };
         },
         sleep(ms) {
             return delay(ms);
@@ -435,529 +321,100 @@ async function createDefaultRuntime() {
         now() {
             return new Date();
         },
-        resolveGrantCoverage: resolveWatchGrantCoverage,
     };
 }
 async function withRemoteApprovalStore(runtime, fn) {
-    const client = await getRemoteApprovalClient(runtime);
-    if (!client) {
+    const stored = runtime.loadCredentials();
+    if (!stored) {
         throw new Error(missingRemoteApprovalCredentialsMessage());
     }
-    return await fn({
-        store: client.store,
-        webId: client.session.webId,
-        stored: client.session.credentials,
-    });
-}
-async function getRemoteApprovalClient(runtime) {
-    let promise = remoteApprovalClientCache.get(runtime);
-    if (!promise) {
-        promise = createRemoteApprovalClient(runtime)
-            .then((client) => {
-            if (!client) {
-                remoteApprovalClientCache.delete(runtime);
-            }
-            return client;
-        })
-            .catch((error) => {
-            remoteApprovalClientCache.delete(runtime);
-            throw error;
-        });
-        remoteApprovalClientCache.set(runtime, promise);
-    }
-    return promise;
-}
-async function createRemoteApprovalClient(runtime) {
-    const session = await runtime.getPodDataSession();
-    if (!session) {
-        return null;
-    }
-    return {
-        session,
-        store: runtime.createStore(session.webId, session.fetch),
-    };
-}
-function createNativeRemoteApprovalStore(webId, fetcher) {
-    return {
-        listApprovals: () => listApprovalRows(webId, fetcher),
-        findApproval: (id, options) => findApprovalRow(webId, fetcher, id, options),
-        insertApproval: (row) => writeApprovalRow(webId, fetcher, row),
-        async updateApproval(id, patch) {
-            const existing = (await listApprovalRows(webId, fetcher)).find((row) => row.id === id);
-            if (!existing) {
-                throw new Error(`Remote approval not found: ${id}`);
-            }
-            await writeApprovalRow(webId, fetcher, { ...existing, ...patch });
-        },
-        listAudits: () => listAuditRows(webId, fetcher),
-        insertAudit: (row) => writeAuditRow(webId, fetcher, row),
-        listGrants: () => listGrantRows(webId, fetcher),
-        insertGrant: (row) => writeGrantRow(webId, fetcher, row),
-        insertInboxNotification: (row) => writeInboxNotificationRow(webId, fetcher, row),
-    };
-}
-async function findApprovalRow(webId, fetcher, id, options = {}) {
-    if (options.resourceUri) {
-        return readApprovalRowFromResource(fetcher, options.resourceUri);
-    }
-    if (options.createdAt) {
-        const createdAt = new Date(toIsoString(options.createdAt, new Date().toISOString()));
-        return readApprovalRowFromResource(fetcher, buildApprovalResourceUrl(webId, id, createdAt));
+    const clientCredentials = runtime.getClientCredentials(stored);
+    if (!clientCredentials) {
+        throw new Error(unsupportedRemoteApprovalAuthMessage());
     }
-    return (await listApprovalRows(webId, fetcher)).find((row) => row.id === id) ?? null;
-}
-async function readApprovalRowFromResource(fetcher, resourceUri) {
-    const turtle = await readTurtleResource(fetcher, documentUrlFromResourceUri(resourceUri));
-    if (!turtle) {
-        return null;
-    }
-    for (const [subject, predicates] of parseManagedTurtleBlocks(turtle, documentUrlFromResourceUri(resourceUri))) {
-        if (subject !== resourceUri) {
-            continue;
-        }
-        const row = approvalRowFromPredicates(subject, predicates);
-        if (row) {
-            return row;
-        }
+    const { session } = await runtime.authenticate(clientCredentials.clientId, clientCredentials.clientSecret, stored.url);
+    const webId = session.info.webId ?? stored.webId;
+    if (!webId) {
+        await session.logout().catch(() => undefined);
+        throw new Error('Remote approval authentication succeeded without a WebID.');
     }
-    return null;
-}
-async function listApprovalRows(webId, fetcher) {
-    const urls = [
-        ...recentApprovalDocumentUrls(webId),
-        ...await listTurtleResources(fetcher, `${getPodBaseUrl(webId)}/.data/approvals/`).catch(() => []),
-    ];
-    const rows = [];
-    for (const url of [...new Set(urls)].filter((entry) => entry.endsWith('.ttl'))) {
-        const turtle = await readTurtleResource(fetcher, url).catch(() => null);
-        if (!turtle)
-            continue;
-        for (const [subject, predicates] of parseManagedTurtleBlocks(turtle, url)) {
-            const row = approvalRowFromPredicates(subject, predicates);
-            if (row)
-                rows.push(row);
-        }
-    }
-    return rows;
-}
-function recentApprovalDocumentUrls(webId, days = DEFAULT_APPROVAL_LIST_DAYS) {
-    const urls = [];
-    const base = Date.now();
-    for (let offset = 0; offset < days; offset += 1) {
-        const date = new Date(base - offset * 24 * 60 * 60 * 1000);
-        urls.push(buildApprovalDocumentUrl(webId, date));
-    }
-    return urls;
-}
-async function writeApprovalRow(webId, fetcher, row) {
-    const createdAt = new Date(toIsoString(row.createdAt, new Date().toISOString()));
-    const documentUrl = buildApprovalDocumentUrl(webId, createdAt);
-    const subjectUrl = buildApprovalResourceUrl(webId, row.id, createdAt);
-    await upsertManagedTurtleBlock(fetcher, documentUrl, {
-        subject: subjectUrl,
-        triples: [
-            { predicate: RDF_TYPE, object: iri(UDFS.ApprovalRequest) },
-            { predicate: ApprovalVocab.session, object: iri(row.session) },
-            { predicate: ApprovalVocab.toolCallId, object: literal(row.toolCallId) },
-            { predicate: ApprovalVocab.toolName, object: literal(row.toolName) },
-            { predicate: ApprovalVocab.target, object: iri(row.target) },
-            { predicate: ApprovalVocab.action, object: iri(row.action) },
-            { predicate: ApprovalVocab.risk, object: literal(row.risk) },
-            { predicate: ApprovalVocab.status, object: literal(row.status) },
-            ...(row.assignedTo ? [{ predicate: ApprovalVocab.assignedTo, object: iri(row.assignedTo) }] : []),
-            ...(row.decisionBy ? [{ predicate: ApprovalVocab.decisionBy, object: iri(row.decisionBy) }] : []),
-            ...(row.decisionRole ? [{ predicate: ApprovalVocab.decisionRole, object: literal(row.decisionRole) }] : []),
-            ...(row.onBehalfOf ? [{ predicate: ApprovalVocab.onBehalfOf, object: iri(row.onBehalfOf) }] : []),
-            ...(row.reason ? [{ predicate: ApprovalVocab.reason, object: literal(row.reason) }] : []),
-            ...(row.context ? [{ predicate: ApprovalVocab.context, object: literal(row.context) }] : []),
-            ...(row.approvalOptions ? [{ predicate: ApprovalVocab.approvalOptions, object: literal(row.approvalOptions) }] : []),
-            ...(row.policyVersion ? [{ predicate: ApprovalVocab.policyVersion, object: literal(row.policyVersion) }] : []),
-            { predicate: ApprovalVocab.createdAt, object: literal(toIsoString(row.createdAt, new Date().toISOString())) },
-            ...(row.expiresAt ? [{ predicate: ApprovalVocab.expiresAt, object: literal(toIsoString(row.expiresAt, new Date().toISOString())) }] : []),
-            ...(row.resolvedAt ? [{ predicate: ApprovalVocab.resolvedAt, object: literal(toIsoString(row.resolvedAt, new Date().toISOString())) }] : []),
-        ],
-    });
-}
-async function listAuditRows(webId, fetcher) {
-    const urls = await listTurtleResourcesRecursive(fetcher, `${getPodBaseUrl(webId)}/.data/audits/`);
-    const rows = [];
-    for (const url of urls.filter((entry) => entry.endsWith('.ttl'))) {
-        const turtle = await readTurtleResource(fetcher, url).catch(() => null);
-        if (!turtle)
-            continue;
-        for (const [subject, predicates] of parseManagedTurtleBlocks(turtle, url)) {
-            const row = auditRowFromPredicates(subject, predicates);
-            if (row)
-                rows.push(row);
-        }
-    }
-    return rows;
-}
-async function writeAuditRow(webId, fetcher, row) {
-    const createdAt = new Date(toIsoString(row.createdAt, new Date().toISOString()));
-    const documentUrl = buildAuditDocumentUrl(webId, createdAt);
-    const subjectUrl = buildAuditResourceUrl(webId, row.id, createdAt);
-    await upsertManagedTurtleBlock(fetcher, documentUrl, {
-        subject: subjectUrl,
-        triples: [
-            { predicate: RDF_TYPE, object: iri(UDFS.AuditEntry) },
-            { predicate: AuditVocab.action, object: literal(row.action) },
-            { predicate: AuditVocab.actor, object: iri(row.actor) },
-            { predicate: AuditVocab.actorRole, object: literal(row.actorRole) },
-            ...(row.onBehalfOf ? [{ predicate: AuditVocab.onBehalfOf, object: iri(row.onBehalfOf) }] : []),
-            ...(row.session ? [{ predicate: AuditVocab.session, object: iri(row.session) }] : []),
-            ...(row.entry ? [{ predicate: AuditVocab.entry, object: iri(row.entry) }] : []),
-            ...(row.toolCallId ? [{ predicate: AuditVocab.toolCallId, object: literal(row.toolCallId) }] : []),
-            ...(row.toolName ? [{ predicate: AuditVocab.toolName, object: literal(row.toolName) }] : []),
-            ...(row.approval ? [{ predicate: AuditVocab.approval, object: iri(row.approval) }] : []),
-            ...(row.policyVersion ? [{ predicate: AuditVocab.policyVersion, object: literal(row.policyVersion) }] : []),
-            { predicate: AuditVocab.createdAt, object: literal(toIsoString(row.createdAt, new Date().toISOString())) },
-        ],
-    });
-}
-async function listGrantRows(webId, fetcher) {
-    const urls = [
-        ...await listTurtleResources(fetcher, `${getPodBaseUrl(webId)}/settings/autonomy/grants/`).catch(() => []),
-    ];
-    const rows = [];
-    for (const url of urls.filter((entry) => entry.endsWith('.ttl'))) {
-        const turtle = await readTurtleResource(fetcher, url).catch(() => null);
-        if (!turtle)
-            continue;
-        for (const [subject, predicates] of parseManagedTurtleBlocks(turtle, url)) {
-            const row = grantRowFromPredicates(subject, predicates);
-            if (row)
-                rows.push(row);
-        }
-    }
-    return rows;
-}
-async function writeGrantRow(webId, fetcher, row) {
-    const id = normalizeString(row.id) ?? crypto.randomUUID();
-    const subjectUrl = buildGrantResourceUrl(webId, id);
-    const documentUrl = subjectUrl;
-    const target = normalizeString(row.target);
-    const action = normalizeString(row.action);
-    const effect = normalizeString(row.effect);
-    const decisionBy = normalizeString(row.decisionBy);
-    const decisionRole = normalizeString(row.decisionRole);
-    if (!target || !action || !effect || !decisionBy || !decisionRole) {
-        throw new Error(`Invalid remote approval grant row: ${id}`);
-    }
-    await upsertManagedTurtleBlock(fetcher, documentUrl, {
-        subject: subjectUrl,
-        triples: [
-            { predicate: RDF_TYPE, object: iri(ODRL.Policy) },
-            { predicate: RDF_TYPE, object: iri(UDFS.AutonomyGrant) },
-            { predicate: GrantVocab.target, object: iri(target) },
-            { predicate: GrantVocab.action, object: iri(action) },
-            ...(normalizeString(row.title) ? [{ predicate: GrantVocab.title, object: literal(truncatePodLiteral(normalizeString(row.title), 160)) }] : []),
-            ...(normalizeString(row.summary) ? [{ predicate: GrantVocab.summary, object: literal(truncatePodLiteral(normalizeString(row.summary), 500)) }] : []),
-            ...(normalizeString(row.body) ? [{ predicate: GrantVocab.body, object: literal(truncatePodLiteral(normalizeString(row.body), MAX_GRANT_POLICY_LENGTH)) }] : []),
-            ...(normalizeString(row.schema) ? [{ predicate: GrantVocab.schema, object: iri(normalizeString(row.schema)) }] : []),
-            ...(normalizeString(row.pageKind) ? [{ predicate: GrantVocab.pageKind, object: literal(normalizeString(row.pageKind)) }] : []),
-            ...(normalizeString(row.wikiStatus) ? [{ predicate: GrantVocab.wikiStatus, object: literal(normalizeString(row.wikiStatus)) }] : []),
-            ...(normalizeString(row.tags) ? [{ predicate: GrantVocab.tags, object: literal(truncatePodLiteral(normalizeString(row.tags), 500)) }] : []),
-            ...(normalizeString(row.source) ? [{ predicate: GrantVocab.source, object: literal(normalizeString(row.source)) }] : []),
-            ...(normalizeString(row.sourceHash) ? [{ predicate: GrantVocab.sourceHash, object: literal(normalizeString(row.sourceHash)) }] : []),
-            ...(row.compiledAt ? [{ predicate: GrantVocab.compiledAt, object: literal(toIsoString(row.compiledAt, new Date().toISOString())) }] : []),
-            ...(row.compiledFrom ?? []).map((value) => ({ predicate: GrantVocab.compiledFrom, object: iri(value) })),
-            ...(row.related ?? []).map((value) => ({ predicate: GrantVocab.related, object: iri(value) })),
-            { predicate: GrantVocab.effect, object: literal(effect) },
-            ...(normalizeString(row.riskCeiling) ? [{ predicate: GrantVocab.riskCeiling, object: literal(normalizeString(row.riskCeiling)) }] : []),
-            ...(normalizeString(row.policy) ? [{ predicate: GrantVocab.policy, object: literal(truncatePodLiteral(normalizeString(row.policy), MAX_GRANT_POLICY_LENGTH)) }] : []),
-            ...(normalizeString(row.context) ? [{ predicate: GrantVocab.context, object: literal(truncatePodLiteral(normalizeString(row.context), MAX_APPROVAL_CONTEXT_LENGTH)) }] : []),
-            { predicate: GrantVocab.decisionBy, object: iri(decisionBy) },
-            { predicate: GrantVocab.decisionRole, object: literal(decisionRole) },
-            ...(normalizeString(row.onBehalfOf) ? [{ predicate: GrantVocab.onBehalfOf, object: iri(normalizeString(row.onBehalfOf)) }] : []),
-            { predicate: GrantVocab.createdAt, object: literal(toIsoString(row.createdAt, new Date().toISOString())) },
-            ...(normalizeString(row.revokedAt) ? [{ predicate: GrantVocab.revokedAt, object: literal(normalizeString(row.revokedAt)) }] : []),
-        ],
-    });
-}
-async function writeInboxNotificationRow(webId, fetcher, row) {
-    const url = buildInboxResourceUrl(webId, row.id);
-    await upsertManagedTurtleBlock(fetcher, url, {
-        subject: url,
-        triples: [
-            { predicate: RDF_TYPE, object: iri(AS.Announce) },
-            ...(row.actor ? [{ predicate: InboxNotificationVocab.actor, object: iri(row.actor) }] : []),
-            { predicate: InboxNotificationVocab.object, object: iri(row.object) },
-            { predicate: InboxNotificationVocab.createdAt, object: literal(toIsoString(row.createdAt, new Date().toISOString())) },
-        ],
-    });
-}
-function approvalRowFromPredicates(url, predicates) {
-    const session = firstIri(predicates, ApprovalVocab.session);
-    const toolCallId = firstLiteral(predicates, ApprovalVocab.toolCallId);
-    const toolName = firstLiteral(predicates, ApprovalVocab.toolName);
-    const target = firstIri(predicates, ApprovalVocab.target);
-    const action = firstIri(predicates, ApprovalVocab.action);
-    const risk = firstLiteral(predicates, ApprovalVocab.risk);
-    const status = firstLiteral(predicates, ApprovalVocab.status);
-    const createdAt = firstLiteral(predicates, ApprovalVocab.createdAt);
-    if (!session || !toolCallId || !toolName || !target || !action || !risk || !status || !createdAt) {
-        return null;
-    }
-    return {
-        id: subjectIdFromResourceUrl(url),
-        session,
-        toolCallId,
-        toolName,
-        target,
-        action,
-        risk,
-        status,
-        assignedTo: firstIri(predicates, ApprovalVocab.assignedTo),
-        decisionBy: firstIri(predicates, ApprovalVocab.decisionBy),
-        decisionRole: firstLiteral(predicates, ApprovalVocab.decisionRole),
-        onBehalfOf: firstIri(predicates, ApprovalVocab.onBehalfOf),
-        reason: firstLiteral(predicates, ApprovalVocab.reason),
-        context: firstLiteral(predicates, ApprovalVocab.context),
-        approvalOptions: firstLiteral(predicates, ApprovalVocab.approvalOptions),
-        policyVersion: firstLiteral(predicates, ApprovalVocab.policyVersion),
-        createdAt,
-        expiresAt: firstLiteral(predicates, ApprovalVocab.expiresAt),
-        resolvedAt: firstLiteral(predicates, ApprovalVocab.resolvedAt),
-    };
-}
-function auditRowFromPredicates(url, predicates) {
-    const action = firstLiteral(predicates, AuditVocab.action);
-    const actor = firstIri(predicates, AuditVocab.actor);
-    const actorRole = firstLiteral(predicates, AuditVocab.actorRole);
-    const createdAt = firstLiteral(predicates, AuditVocab.createdAt);
-    if (!action || !actor || !actorRole || !createdAt) {
-        return null;
-    }
-    return {
-        id: subjectIdFromResourceUrl(url),
-        action,
-        actor,
-        actorRole,
-        onBehalfOf: firstIri(predicates, AuditVocab.onBehalfOf),
-        session: firstIri(predicates, AuditVocab.session),
-        entry: firstIri(predicates, AuditVocab.entry),
-        toolCallId: firstLiteral(predicates, AuditVocab.toolCallId),
-        toolName: firstLiteral(predicates, AuditVocab.toolName),
-        approval: firstIri(predicates, AuditVocab.approval),
-        policyVersion: firstLiteral(predicates, AuditVocab.policyVersion),
-        createdAt,
-    };
-}
-function grantRowFromPredicates(url, predicates) {
-    const target = firstIri(predicates, GrantVocab.target);
-    const action = firstIri(predicates, GrantVocab.action);
-    const effect = firstLiteral(predicates, GrantVocab.effect);
-    const decisionBy = firstIri(predicates, GrantVocab.decisionBy);
-    const decisionRole = firstLiteral(predicates, GrantVocab.decisionRole);
-    const createdAt = firstLiteral(predicates, GrantVocab.createdAt);
-    if (!target || !action || !effect || !decisionBy || !decisionRole || !createdAt) {
-        return null;
-    }
-    return {
-        id: subjectIdFromResourceUrl(url),
-        target,
-        action,
-        title: firstLiteral(predicates, GrantVocab.title),
-        summary: firstLiteral(predicates, GrantVocab.summary),
-        body: firstLiteral(predicates, GrantVocab.body),
-        schema: firstIri(predicates, GrantVocab.schema),
-        pageKind: firstLiteral(predicates, GrantVocab.pageKind),
-        wikiStatus: firstLiteral(predicates, GrantVocab.wikiStatus),
-        tags: firstLiteral(predicates, GrantVocab.tags),
-        source: firstLiteral(predicates, GrantVocab.source),
-        sourceHash: firstLiteral(predicates, GrantVocab.sourceHash),
-        compiledAt: firstLiteral(predicates, GrantVocab.compiledAt),
-        compiledFrom: iriValues(predicates, GrantVocab.compiledFrom),
-        related: iriValues(predicates, GrantVocab.related),
-        effect,
-        riskCeiling: firstLiteral(predicates, GrantVocab.riskCeiling),
-        policy: firstLiteral(predicates, GrantVocab.policy),
-        context: firstLiteral(predicates, GrantVocab.context),
-        decisionBy,
-        decisionRole,
-        onBehalfOf: firstIri(predicates, GrantVocab.onBehalfOf),
-        createdAt,
-        revokedAt: firstLiteral(predicates, GrantVocab.revokedAt),
-    };
-}
-function isActiveAllowGrant(grant) {
-    return grant.effect === 'allow' && !grant.revokedAt && !!(normalizeString(grant.body) || normalizeString(grant.policy));
-}
-function isGrantRiskCandidate(grant, requestRisk) {
-    const ceiling = riskScore(typeof grant.riskCeiling === 'string' ? grant.riskCeiling : undefined);
-    return ceiling === 0 || ceiling >= riskScore(requestRisk);
-}
-function rankGrantCandidate(grant, requestContext) {
-    let score = 0;
-    if (grant.target === requestContext.target) {
-        score += 4;
-    }
-    if (grant.action === requestContext.action) {
-        score += 3;
-    }
-    if (grant.schema) {
-        score += 2;
-    }
-    if (grant.pageKind === 'autonomy-grant') {
-        score += 1;
-    }
-    return score;
-}
-function selectSemanticGrantCandidates(grants, requestContext) {
-    const risk = normalizeString(requestContext.risk) ?? 'medium';
-    return grants
-        .filter((grant) => isActiveAllowGrant(grant) && isGrantRiskCandidate(grant, risk))
-        .sort((left, right) => rankGrantCandidate(right, requestContext) - rankGrantCandidate(left, requestContext))
-        .slice(0, MAX_GRANT_COVERAGE_CANDIDATES);
-}
-function acceptsGrantCoverage(decision) {
-    return decision?.covers === true
-        && typeof decision.confidence === 'number'
-        && decision.confidence >= MIN_GRANT_COVERAGE_CONFIDENCE;
-}
-async function resolveSemanticGrantDecision(options) {
-    const candidates = selectSemanticGrantCandidates(options.grants, options.requestContext);
-    if (candidates.length === 0) {
-        return null;
+    try {
+        return await fn({
+            store: runtime.createStore(session),
+            webId,
+            stored,
+        });
     }
-    const resolver = options.runtime.resolveGrantCoverage ?? resolveWatchGrantCoverage;
-    for (const grant of candidates) {
-        const coverage = await resolver({
-            record: options.record,
-            request: options.request,
-            requestContext: options.requestContext,
-            grant,
-        }).catch(() => null);
-        if (acceptsGrantCoverage(coverage)) {
-            return 'accept_for_session';
-        }
+    finally {
+        await session.logout().catch(() => undefined);
     }
-    return null;
-}
-function buildWatchGrantRequestContext(input) {
-    return {
-        session: buildThreadUri(input.webId, input.record),
-        target: buildThreadUri(input.webId, input.record),
-        action: buildActionUri(input.request),
-        risk: buildRisk(input.request),
-        toolName: buildToolName(input.request),
-        cwd: input.record.cwd,
-        backend: input.record.backend,
-        mode: input.record.mode,
-    };
-}
-function buildGenericGrantRequestContext(input) {
-    return {
-        session: input.subject.sessionUri,
-        target: input.subject.targetUri ?? input.subject.sessionUri,
-        action: input.request.action,
-        risk: input.request.risk,
-        toolName: input.request.toolName,
-        cwd: input.request.cwd,
-        kind: input.request.kind,
-    };
 }
 export async function createRemoteWatchApproval(options) {
     const activeRuntime = options.runtime ?? await createDefaultRuntime();
-    return createRemoteApproval({
-        subject: ({ webId }) => ({
-            sessionUri: buildThreadUri(webId, options.record),
-            actorUri: buildAgentUri(webId),
-            policyVersion: REMOTE_APPROVAL_POLICY_VERSION,
-        }),
-        request: ({ sessionUri }) => ({
-            kind: options.request.kind,
-            message: buildRequestMessage(options.request),
-            toolCallId: extractToolCallId(options.request),
-            toolName: buildToolName(options.request),
-            action: buildActionUri(options.request),
-            risk: buildRisk(options.request),
-            ...(options.request.kind === 'command-approval' && options.request.command ? { command: options.request.command } : {}),
-            ...(options.request.kind === 'command-approval' && options.request.cwd ? { cwd: options.request.cwd } : {}),
-            ...(options.request.approvalOptions ? { approvalOptions: options.request.approvalOptions } : {}),
-            ...(options.request.timeoutMs ? { timeoutMs: options.request.timeoutMs } : {}),
-            ...(options.request.expiresAt ? { expiresAt: options.request.expiresAt } : {}),
-            entry: sessionUri,
-        }),
-        runtime: activeRuntime,
-    });
-}
-export async function createRemoteApproval(options) {
-    const activeRuntime = options.runtime ?? await createDefaultRuntime();
-    return withRemoteApprovalStore(activeRuntime, async ({ store, webId, stored }) => {
-        const subject = typeof options.subject === 'function'
-            ? options.subject({ webId, stored })
-            : options.subject;
-        const request = typeof options.request === 'function'
-            ? options.request({ webId, stored, sessionUri: subject.sessionUri })
-            : options.request;
+    return withRemoteApprovalStore(activeRuntime, async ({ store, webId }) => {
         const approvalId = crypto.randomUUID();
         const now = activeRuntime.now();
-        const sessionUri = subject.sessionUri;
-        const approvalUri = buildApprovalUriForDate(webId, approvalId, now);
-        const targetUri = subject.targetUri ?? sessionUri;
-        const assignedTo = subject.assignedTo ?? webId;
-        const onBehalfOf = subject.onBehalfOf ?? webId;
-        const policyVersion = subject.policyVersion ?? REMOTE_APPROVAL_POLICY_VERSION;
-        const requestEntry = request.entry ?? approvalUri;
-        const expiresAt = resolveApprovalExpiresAt(request, now);
-        const approvalOptions = encodeApprovalOptions(request.approvalOptions);
-        const context = compactApprovalContext(request);
+        const sessionUri = buildThreadUri(webId, options.record.id);
+        const approvalUri = buildApprovalUri(webId, approvalId);
+        const toolCallId = extractToolCallId(options.request);
+        const requestContext = buildRequestAuditContext(options.record, options.request);
         await store.insertApproval({
             id: approvalId,
             session: sessionUri,
-            toolCallId: request.toolCallId,
-            toolName: request.toolName,
-            target: targetUri,
-            action: request.action,
-            risk: request.risk,
+            toolCallId,
+            toolName: buildToolName(options.request),
+            target: sessionUri,
+            action: buildActionUri(options.request),
+            risk: buildRisk(options.request),
             status: 'pending',
-            assignedTo,
-            context,
-            ...(approvalOptions ? { approvalOptions } : {}),
-            policyVersion,
+            assignedTo: webId,
+            policyVersion: REMOTE_APPROVAL_POLICY_VERSION,
             createdAt: now,
-            ...(expiresAt ? { expiresAt } : {}),
         });
-        const requestAudit = {
+        await store.insertAudit({
             id: crypto.randomUUID(),
             action: 'approval_requested',
-            actor: subject.actorUri,
+            actor: buildAgentUri(webId),
             actorRole: 'secretary',
-            onBehalfOf,
+            onBehalfOf: webId,
             session: sessionUri,
-            entry: requestEntry,
-            toolCallId: request.toolCallId,
-            toolName: request.toolName,
+            toolCallId,
             approval: approvalUri,
-            policyVersion,
+            context: JSON.stringify(requestContext),
+            policyVersion: REMOTE_APPROVAL_POLICY_VERSION,
             createdAt: now,
-        };
-        await warnOnly(activeRuntime, () => store.insertAudit(requestAudit));
-        await warnOnly(activeRuntime, () => store.insertInboxNotification({
+        });
+        await store.insertInboxNotification({
             id: crypto.randomUUID(),
-            actor: subject.actorUri,
+            actor: buildAgentUri(webId),
             object: approvalUri,
             createdAt: now,
-        }));
+        }).catch(() => undefined);
         return normalizeApprovalSummary({
             id: approvalId,
-            approvalUri,
             session: sessionUri,
-            toolCallId: request.toolCallId,
-            toolName: request.toolName,
-            target: targetUri,
-            action: request.action,
-            risk: request.risk,
+            toolCallId,
+            toolName: buildToolName(options.request),
+            target: sessionUri,
+            action: buildActionUri(options.request),
+            risk: buildRisk(options.request),
             status: 'pending',
-            assignedTo,
-            context,
-            ...(approvalOptions ? { approvalOptions } : {}),
-            policyVersion,
+            assignedTo: webId,
+            policyVersion: REMOTE_APPROVAL_POLICY_VERSION,
             createdAt: now,
-            ...(expiresAt ? { expiresAt } : {}),
-        });
+        }, [{
+                id: crypto.randomUUID(),
+                action: 'approval_requested',
+                actor: buildAgentUri(webId),
+                actorRole: 'secretary',
+                onBehalfOf: webId,
+                session: sessionUri,
+                toolCallId,
+                approval: approvalUri,
+                context: JSON.stringify(requestContext),
+                policyVersion: REMOTE_APPROVAL_POLICY_VERSION,
+                createdAt: now,
+            }]);
     });
 }
 export async function waitForRemoteWatchApproval(options) {
@@ -967,13 +424,10 @@ export async function waitForRemoteWatchApproval(options) {
             if (options.signal?.aborted) {
                 throw createAbortError();
             }
-            const row = await readRemoteApprovalRow(store, {
-                approvalId: options.approvalId,
-                approvalUri: options.approvalUri,
-            });
+            const approvals = await store.listApprovals();
+            const row = approvals.find((entry) => entry.id === options.approvalId);
             if (!row) {
-                await activeRuntime.sleep(options.pollMs ?? DEFAULT_REMOTE_APPROVAL_POLL_MS);
-                continue;
+                throw new Error(`Remote approval disappeared before resolution: ${options.approvalId}`);
             }
             const decision = decisionFromApprovalRow(row);
             if (decision) {
@@ -987,20 +441,17 @@ export async function requestRemoteWatchApproval(options) {
     const activeRuntime = options.runtime ?? await createDefaultRuntime();
     const delegated = await withRemoteApprovalStore(activeRuntime, async ({ store, webId }) => {
         const grants = await store.listGrants();
-        return resolveSemanticGrantDecision({
-            runtime: activeRuntime,
-            grants,
-            record: options.record,
-            request: options.request,
-            requestContext: buildWatchGrantRequestContext({
-                webId,
-                record: options.record,
-                request: options.request,
-            }),
-        });
+        const requestAction = buildActionUri(options.request);
+        const requestTarget = buildThreadUri(webId, options.record.id);
+        const requestRisk = buildRisk(options.request);
+        return grants.some((grant) => (grant.effect === 'allow'
+            && grant.action === requestAction
+            && grant.target === requestTarget
+            && riskScore(typeof grant.riskCeiling === 'string' ? grant.riskCeiling : undefined) >= riskScore(requestRisk)
+            && !grant.revokedAt));
     });
     if (delegated) {
-        return delegated;
+        return 'accept_for_session';
     }
     const summary = await createRemoteWatchApproval({
         record: options.record,
@@ -1009,62 +460,6 @@ export async function requestRemoteWatchApproval(options) {
     });
     return waitForRemoteWatchApproval({
         approvalId: summary.id,
-        approvalUri: summary.approvalUri,
-        pollMs: options.pollMs,
-        signal: options.signal,
-        runtime: activeRuntime,
-    });
-}
-export async function resolveExistingRemoteWatchGrant(options) {
-    const activeRuntime = options.runtime ?? await createDefaultRuntime();
-    return withRemoteApprovalStore(activeRuntime, async ({ store, webId }) => {
-        const grants = await store.listGrants();
-        return resolveSemanticGrantDecision({
-            runtime: activeRuntime,
-            grants,
-            record: options.record,
-            request: options.request,
-            requestContext: buildWatchGrantRequestContext({
-                webId,
-                record: options.record,
-                request: options.request,
-            }),
-        });
-    });
-}
-export async function requestRemoteApproval(options) {
-    const activeRuntime = options.runtime ?? await createDefaultRuntime();
-    const delegated = await withRemoteApprovalStore(activeRuntime, async ({ store, webId, stored }) => {
-        const subject = typeof options.subject === 'function'
-            ? options.subject({ webId, stored })
-            : options.subject;
-        const request = typeof options.request === 'function'
-            ? options.request({ webId, stored, sessionUri: subject.sessionUri })
-            : options.request;
-        const grants = await store.listGrants();
-        const requestContext = buildGenericGrantRequestContext({ subject, request });
-        return resolveSemanticGrantDecision({
-            runtime: activeRuntime,
-            grants,
-            request: {
-                ...request,
-                session: subject.sessionUri,
-                target: requestContext.target,
-            },
-            requestContext,
-        });
-    });
-    if (delegated) {
-        return delegated;
-    }
-    const summary = await createRemoteApproval({
-        subject: options.subject,
-        request: options.request,
-        runtime: activeRuntime,
-    });
-    return waitForRemoteWatchApproval({
-        approvalId: summary.id,
-        approvalUri: summary.approvalUri,
         pollMs: options.pollMs,
         signal: options.signal,
         runtime: activeRuntime,
@@ -1074,9 +469,12 @@ export async function listRemoteWatchApprovals(options = {}) {
     const activeRuntime = options.runtime ?? await createDefaultRuntime();
     const requestedStatus = options.status ?? 'pending';
     return withRemoteApprovalStore(activeRuntime, async ({ store, webId }) => {
-        const approvals = await store.listApprovals();
+        const [approvals, audits] = await Promise.all([
+            store.listApprovals(),
+            store.listAudits(),
+        ]);
         return approvals
-            .map((row) => normalizeApprovalSummary(row))
+            .map((row) => normalizeApprovalSummary(row, audits))
             .filter((summary) => !summary.assignedTo || summary.assignedTo === webId)
             .filter((summary) => requestedStatus === 'all' || summary.status === requestedStatus)
             .sort((left, right) => right.createdAt.localeCompare(left.createdAt));
@@ -1085,124 +483,96 @@ export async function listRemoteWatchApprovals(options = {}) {
 export async function resolveRemoteWatchApproval(options) {
     const activeRuntime = options.runtime ?? await createDefaultRuntime();
     return withRemoteApprovalStore(activeRuntime, async ({ store, webId }) => {
-        const row = await readRemoteApprovalRow(store, {
-            approvalId: options.approvalId,
-            approvalUri: options.approvalUri,
-        });
+        const approvals = await store.listApprovals();
+        const row = approvals.find((entry) => entry.id === options.approvalId);
         if (!row) {
             throw new Error(`Remote approval not found: ${options.approvalId}`);
         }
         if (row.status !== 'pending') {
-            return normalizeApprovalSummary(row);
+            const audits = await store.listAudits();
+            return normalizeApprovalSummary(row, audits);
         }
         const now = activeRuntime.now();
-        const approvalCreatedAt = new Date(toIsoString(row.createdAt, now.toISOString()));
-        const approvalUri = buildApprovalUriForDate(row.session, row.id, approvalCreatedAt);
+        const approvalUri = buildApprovalUri(row.session, row.id);
         const nextStatus = options.decision === 'accept' || options.decision === 'accept_for_session'
             ? 'approved'
             : 'rejected';
-        const decisionRole = options.decisionRole ?? 'human';
         await store.updateApproval(row.id, {
             status: nextStatus,
             decisionBy: webId,
-            decisionRole,
+            decisionRole: 'human',
             onBehalfOf: webId,
             reason: encodeDecisionReason(options.decision, options.note),
             resolvedAt: now,
         });
-        await warnOnly(activeRuntime, () => store.insertAudit({
+        await store.insertAudit({
             id: crypto.randomUUID(),
             action: nextStatus === 'approved' ? 'approval_approved' : 'approval_rejected',
             actor: webId,
-            actorRole: decisionRole,
+            actorRole: 'human',
             onBehalfOf: webId,
             session: row.session,
-            entry: approvalUri,
             toolCallId: row.toolCallId,
-            toolName: row.toolName,
             approval: approvalUri,
+            context: JSON.stringify({
+                decision: options.decision,
+                ...(options.note?.trim() ? { note: options.note.trim() } : {}),
+            }),
             policyVersion: REMOTE_APPROVAL_POLICY_VERSION,
             createdAt: now,
-        }));
+        });
         if (options.decision === 'accept_for_session') {
             const grantId = crypto.randomUUID();
-            const body = grantWikiBodyFromApproval(row, options.grantWikiBody);
             await store.insertGrant({
                 id: grantId,
                 target: row.target,
                 action: row.action,
-                title: grantWikiTitleFromApproval(row, options.grantWikiTitle),
-                summary: grantWikiSummaryFromApproval(row, options.grantWikiSummary),
-                body,
-                schema: buildGrantSchemaUri(webId),
-                pageKind: 'autonomy-grant',
-                wikiStatus: 'active',
-                tags: grantWikiTagsFromApproval(row, options.grantWikiTags),
-                source: 'approval',
-                sourceHash: grantSourceHash(row),
-                compiledAt: now,
-                compiledFrom: [approvalUri],
-                related: [row.session],
                 effect: 'allow',
                 riskCeiling: row.risk,
-                policy: grantIndexTextFromWikiBody(body),
-                context: grantContextFromApproval(row),
                 decisionBy: webId,
-                decisionRole,
+                decisionRole: 'human',
                 onBehalfOf: webId,
                 createdAt: now,
             });
-            await warnOnly(activeRuntime, () => store.insertInboxNotification({
+            await store.insertInboxNotification({
                 id: crypto.randomUUID(),
                 actor: webId,
                 object: buildGrantUri(row.session, grantId),
                 createdAt: now,
-            }));
+            }).catch(() => undefined);
         }
-        await warnOnly(activeRuntime, () => store.insertInboxNotification({
+        await store.insertInboxNotification({
             id: crypto.randomUUID(),
             actor: webId,
             object: approvalUri,
             createdAt: now,
-        }));
+        }).catch(() => undefined);
         const nextRow = {
             ...row,
             status: nextStatus,
             decisionBy: webId,
-            decisionRole,
+            decisionRole: 'human',
             onBehalfOf: webId,
             reason: encodeDecisionReason(options.decision, options.note),
             resolvedAt: now,
         };
-        return normalizeApprovalSummary(nextRow);
+        const audits = await store.listAudits();
+        return normalizeApprovalSummary(nextRow, audits);
     });
 }
-async function readRemoteApprovalRow(store, options) {
-    if (store.findApproval) {
-        const row = await store.findApproval(options.approvalId, {
-            resourceUri: options.approvalUri,
-        });
-        if (row || options.approvalUri) {
-            return row;
-        }
-    }
-    const approvals = await store.listApprovals();
-    return approvals.find((entry) => entry.id === options.approvalId) ?? null;
-}
 export const __podApprovalInternal = {
     createAbortError,
-    createDefaultRuntime,
     buildActionUri,
+    buildRequestAuditContext,
     buildRisk,
     buildToolName,
-    createNativeRemoteApprovalStore,
     extractToolCallId,
     decisionFromApprovalRow,
     encodeDecisionReason,
     formatSummaryHeadline,
-    readRemoteApprovalRow,
     isRemoteApprovalAbortError,
     normalizeApprovalSummary,
     parseDecisionReason,
+    parseRequestAuditContext,
 };
 //# sourceMappingURL=pod-approval.js.map