@undefineds.co/linx 0.2.17 → 0.2.19

package/dist/lib/watch/pod-approval.js

@@ -1,17 +1,22 @@
 import { setTimeout as delay } from 'node:timers/promises';
-const WATCH_CHAT_ID = 'linx-watch';
+import { getDefaultPodDataSession } from '../pod-data-session.js';
+import { approvalResource, auditResource, drizzle, grantResource, inboxNotificationTable, initSolidTables, solidSchema, } from '../models.js';
+import { resolveWatchGrantCoverage } from './secretary.js';
+const WATCH_CHAT_ID_PREFIX = 'linx-watch';
 const WATCH_AGENT_ID = 'linx-watch-assistant';
 const REMOTE_APPROVAL_POLICY_VERSION = 'linx-watch-remote-approval/v1';
 const DEFAULT_REMOTE_APPROVAL_POLL_MS = 1000;
+const DEFAULT_WARN_ONLY_TIMEOUT_MS = 5000;
+const MAX_GRANT_POLICY_LENGTH = 1200;
+const MAX_APPROVAL_CONTEXT_LENGTH = 1400;
+const MIN_GRANT_COVERAGE_CONFIDENCE = 0.75;
+const MAX_GRANT_COVERAGE_CANDIDATES = 5;
+const remoteApprovalClientCache = new WeakMap();
 function createAbortError() {
     const error = new Error('The operation was aborted.');
     error.name = 'AbortError';
     return error;
 }
-async function dynamicImport(specifier) {
-    const loader = new Function('modulePath', 'return import(modulePath)');
-    return loader(specifier);
-}
 function normalizeString(value) {
     return typeof value === 'string' && value.trim() ? value.trim() : undefined;
 }
@@ -37,14 +42,17 @@ function getPodBaseUrl(webIdOrUri) {
     }
     return webIdOrUri.replace(/\/$/, '');
 }
-function buildThreadUri(webId, threadId) {
-    return `${getPodBaseUrl(webId)}/.data/chat/${WATCH_CHAT_ID}/index.ttl#${threadId}`;
+function buildWatchChatId(record) {
+    return `${WATCH_CHAT_ID_PREFIX}-${record.backend}`;
+}
+function buildThreadUri(webId, record) {
+    return `${getPodBaseUrl(webId)}/.data/chat/${buildWatchChatId(record)}/index.ttl#${record.id}`;
 }
-function buildApprovalUri(webIdOrUri, approvalId) {
-    return `${getPodBaseUrl(webIdOrUri)}/.data/approvals/${approvalId}.ttl`;
+function isAbsoluteIri(value) {
+    return value.startsWith('http://') || value.startsWith('https://');
 }
-function buildGrantUri(webIdOrUri, grantId) {
-    return `${getPodBaseUrl(webIdOrUri)}/settings/autonomy/grants/${grantId}.ttl`;
+function buildGrantSchemaUri(webIdOrUri) {
+    return `${getPodBaseUrl(webIdOrUri)}/settings/autonomy/schema/grant.ttl#GrantWikiPage`;
 }
 function buildAgentUri(webId) {
     return `${getPodBaseUrl(webId)}/.data/agents/${WATCH_AGENT_ID}.ttl`;
@@ -103,16 +111,6 @@ function buildRequestMessage(request) {
     }
     return request.message;
 }
-function buildRequestAuditContext(record, request) {
-    return {
-        kind: request.kind,
-        message: buildRequestMessage(request),
-        ...(request.kind === 'command-approval' && request.command ? { command: request.command } : {}),
-        ...(request.kind === 'command-approval' && request.cwd ? { cwd: request.cwd } : {}),
-        backend: record.backend,
-        sessionId: record.id,
-    };
-}
 function extractToolCallId(request) {
     if (!isRecord(request.raw)) {
         return crypto.randomUUID();
@@ -124,7 +122,7 @@ function extractToolCallId(request) {
         ?? crypto.randomUUID();
 }
 function encodeDecisionReason(decision, note) {
-    return JSON.stringify({
+    return safeJsonStringify({
         decision,
         ...(note?.trim() ? { note: note.trim() } : {}),
     });
@@ -151,35 +149,184 @@ function parseDecisionReason(value) {
         return null;
     }
 }
-function parseRequestAuditContext(value) {
+async function warnOnly(runtime, task) {
+    try {
+        await Promise.race([
+            task(),
+            runtime.sleep(DEFAULT_WARN_ONLY_TIMEOUT_MS).then(() => {
+                throw new Error(`Pod side-effect sync timed out after ${DEFAULT_WARN_ONLY_TIMEOUT_MS}ms`);
+            }),
+        ]);
+    }
+    catch (error) {
+        if (runtime.onWarning) {
+            runtime.onWarning(error);
+            return;
+        }
+        const message = error instanceof Error ? error.message : String(error);
+        process.emitWarning(`LinX Pod sync failed: ${message}`);
+    }
+}
+function safeJsonStringify(value) {
+    try {
+        return JSON.stringify(value);
+    }
+    catch {
+        return JSON.stringify({ error: 'unserializable_context' });
+    }
+}
+function truncatePodLiteral(value, maxLength) {
+    if (value.length <= maxLength) {
+        return value;
+    }
+    return `${value.slice(0, Math.max(0, maxLength - 15))}...[truncated]`;
+}
+function safeCompactJson(value, maxLength) {
+    return truncatePodLiteral(safeJsonStringify(value), maxLength);
+}
+function compactApprovalContext(request) {
+    return safeCompactJson({
+        kind: request.kind,
+        message: request.message,
+        toolName: request.toolName,
+        action: request.action,
+        risk: request.risk,
+        ...(request.command ? { command: request.command } : {}),
+        ...(request.cwd ? { cwd: request.cwd } : {}),
+        ...(request.approvalOptions ? { approvalOptions: request.approvalOptions } : {}),
+        ...(request.expiresAt ? { expiresAt: normalizeDateLike(request.expiresAt) } : {}),
+        ...(request.context ? { sourceContext: truncatePodLiteral(request.context, 500) } : {}),
+    }, MAX_APPROVAL_CONTEXT_LENGTH);
+}
+function grantWikiTitleFromApproval(row, explicitTitle) {
+    const explicit = normalizeString(explicitTitle);
+    if (explicit) {
+        return truncatePodLiteral(explicit, 160);
+    }
+    return truncatePodLiteral(`${row.toolName} grant wiki for ${extractSessionId(row.session)}`, 160);
+}
+function grantWikiSummaryFromApproval(row, explicitSummary) {
+    const explicit = normalizeString(explicitSummary);
+    if (explicit) {
+        return truncatePodLiteral(explicit, 500);
+    }
+    return truncatePodLiteral(`Authorization wiki page for ${row.toolName}. AI Secretary must read the page body before reusing this grant.`, 500);
+}
+function grantWikiBodyFromApproval(row, explicitBody) {
+    const explicit = normalizeString(explicitBody);
+    if (explicit) {
+        return truncatePodLiteral(explicit, MAX_GRANT_POLICY_LENGTH);
+    }
+    return truncatePodLiteral([
+        '# Grant Semantics',
+        '',
+        'This page follows the LLM Wiki pattern: it is the maintained wiki view AI Secretary reads before reusing an authorization.',
+        '',
+        '## Covers',
+        `- Requests semantically inside target ${row.target}.`,
+        `- Action family ${row.action}.`,
+        `- Risk no higher than ${row.risk}.`,
+        '',
+        '## Does Not Cover',
+        '- Requests that are materially broader than the source approval.',
+        '- Requests that change from read-oriented to write/destructive behavior.',
+        '- Requests that touch credentials, secrets, package installation, new network side effects, or workspace boundaries unless explicitly documented here.',
+        '',
+        '## Source Context',
+        row.context ?? safeJsonStringify({ toolName: row.toolName, action: row.action, risk: row.risk }),
+    ].join('\n'), MAX_GRANT_POLICY_LENGTH);
+}
+function grantIndexTextFromWikiBody(body) {
+    return truncatePodLiteral(body, MAX_GRANT_POLICY_LENGTH);
+}
+function grantWikiTagsFromApproval(row, explicitTags) {
+    const tags = [
+        'autonomy',
+        'grant',
+        row.toolName,
+        row.risk,
+        ...(explicitTags ?? []),
+    ]
+        .map((tag) => tag.trim())
+        .filter(Boolean);
+    return safeJsonStringify([...new Set(tags)]);
+}
+function grantContextFromApproval(row) {
+    return safeCompactJson({
+        sourceApproval: row.approvalUri ?? row.id,
+        session: row.session,
+        toolCallId: row.toolCallId,
+        toolName: row.toolName,
+        target: row.target,
+        action: row.action,
+        risk: row.risk,
+        approvalContext: row.context,
+    }, MAX_APPROVAL_CONTEXT_LENGTH);
+}
+function grantSourceHash(row) {
+    return `approval:${row.id}:${row.toolCallId}:${row.risk}`;
+}
+function encodeApprovalOptions(options) {
+    if (!options || options.length === 0) {
+        return undefined;
+    }
+    return safeJsonStringify(options);
+}
+function parseApprovalOptions(value) {
     if (typeof value !== 'string' || !value.trim()) {
-        return null;
+        return undefined;
     }
     try {
         const parsed = JSON.parse(value);
-        if (!isRecord(parsed)) {
-            return null;
-        }
-        const kind = normalizeString(parsed.kind);
-        const message = normalizeString(parsed.message);
-        const backend = normalizeString(parsed.backend);
-        const sessionId = normalizeString(parsed.sessionId);
-        if (!kind || !message || !backend || !sessionId) {
-            return null;
+        if (!Array.isArray(parsed)) {
+            return undefined;
         }
-        return {
-            kind: kind,
-            message,
-            backend: backend,
-            sessionId,
-            ...(normalizeString(parsed.command) ? { command: normalizeString(parsed.command) } : {}),
-            ...(normalizeString(parsed.cwd) ? { cwd: normalizeString(parsed.cwd) } : {}),
-        };
+        const options = parsed
+            .map((option) => {
+            if (!isRecord(option)) {
+                return null;
+            }
+            const optionId = normalizeString(option.optionId);
+            const label = normalizeString(option.label);
+            if (!optionId || !label) {
+                return null;
+            }
+            const kind = normalizeString(option.kind);
+            const description = normalizeString(option.description);
+            return {
+                optionId,
+                label,
+                ...(kind ? { kind } : {}),
+                ...(description ? { description } : {}),
+            };
+        })
+            .filter((option) => option !== null);
+        return options.length > 0 ? options : undefined;
     }
     catch {
-        return null;
+        return undefined;
     }
 }
+function normalizeDateLike(value) {
+    if (value instanceof Date) {
+        return Number.isFinite(value.getTime()) ? value.toISOString() : undefined;
+    }
+    if (typeof value !== 'string' || !value.trim()) {
+        return undefined;
+    }
+    const parsed = new Date(value);
+    return Number.isFinite(parsed.getTime()) ? parsed.toISOString() : undefined;
+}
+function resolveApprovalExpiresAt(request, now) {
+    const explicit = normalizeDateLike(request.expiresAt);
+    if (explicit) {
+        return explicit;
+    }
+    if (typeof request.timeoutMs === 'number' && Number.isFinite(request.timeoutMs) && request.timeoutMs > 0) {
+        return new Date(now.getTime() + request.timeoutMs);
+    }
+    return undefined;
+}
 function extractSessionId(sessionUri) {
     if (sessionUri.includes('#')) {
         return sessionUri.split('#').pop() || sessionUri;
@@ -200,36 +347,42 @@ function decisionFromApprovalRow(row) {
     }
     return 'accept';
 }
-function requestAuditForApproval(approvalUri, audits) {
-    const matches = audits.filter((audit) => audit.approval === approvalUri && audit.action === 'approval_requested');
-    matches.sort((left, right) => toIsoString(right.createdAt, '').localeCompare(toIsoString(left.createdAt, '')));
-    return matches[0];
-}
-function normalizeApprovalSummary(row, audits) {
-    const approvalUri = buildApprovalUri(row.session, row.id);
-    const requestAudit = requestAuditForApproval(approvalUri, audits);
-    const requestContext = parseRequestAuditContext(requestAudit?.context);
+function normalizeApprovalSummary(row) {
     const createdAt = toIsoString(row.createdAt, new Date(0).toISOString());
     const sessionUri = row.session;
     const decision = decisionFromApprovalRow(row);
+    const approvalOptions = parseApprovalOptions(row.approvalOptions);
     return {
         id: row.id,
+        ...(normalizeString(row.approvalUri) ? { approvalUri: normalizeString(row.approvalUri) } : {}),
         sessionId: extractSessionId(sessionUri),
         sessionUri,
         toolCallId: row.toolCallId,
         toolName: row.toolName,
         risk: normalizeString(row.risk) ?? 'medium',
         status: normalizeString(row.status) ?? 'pending',
-        message: requestContext?.message ?? row.toolName,
-        ...(requestContext?.command ? { command: requestContext.command } : {}),
-        ...(requestContext?.cwd ? { cwd: requestContext.cwd } : {}),
+        message: formatApprovalMessage(row),
         ...(normalizeString(row.assignedTo) ? { assignedTo: normalizeString(row.assignedTo) } : {}),
         ...(normalizeString(row.decisionBy) ? { decisionBy: normalizeString(row.decisionBy) } : {}),
         ...(decision ? { decision } : {}),
+        ...(approvalOptions ? { approvalOptions } : {}),
         createdAt,
+        ...(row.expiresAt ? { expiresAt: toIsoString(row.expiresAt, createdAt) } : {}),
         ...(row.resolvedAt ? { resolvedAt: toIsoString(row.resolvedAt, createdAt) } : {}),
     };
 }
+function formatApprovalMessage(row) {
+    if (row.toolName === 'commandExecution') {
+        return 'Command execution approval';
+    }
+    if (row.toolName === 'fileChange') {
+        return 'File change approval';
+    }
+    if (row.toolName === 'permissionRequest') {
+        return 'Permission approval';
+    }
+    return row.toolName;
+}
 function formatSummaryHeadline(summary) {
     return `${summary.id} | ${summary.status} | ${summary.risk} | session=${summary.sessionId}`;
 }
@@ -248,72 +401,11 @@ export function isRemoteApprovalAbortError(error) {
 function missingRemoteApprovalCredentialsMessage() {
     return 'LinX remote approval requires `linx login` first.';
 }
-function unsupportedRemoteApprovalAuthMessage() {
-    return 'LinX remote approval requires client credentials auth in `~/.linx`.';
-}
 async function createDefaultRuntime() {
-    const [credentialsStore, solidAuth, models] = await Promise.all([
-        dynamicImport(new URL('../credentials-store.js', import.meta.url).href),
-        dynamicImport(new URL('../solid-auth.js', import.meta.url).href),
-        dynamicImport(new URL('...co/models.js', import.meta.url).href),
-    ]);
     return {
-        loadCredentials: credentialsStore.loadCredentials,
-        getClientCredentials: credentialsStore.getClientCredentials,
-        authenticate: solidAuth.authenticate,
-        createStore(session) {
-            const db = models.drizzle(session, {
-                logger: false,
-                disableInteropDiscovery: true,
-                schema: models.solidSchema,
-            });
-            let initialized = false;
-            async function ensureInitialized() {
-                if (initialized) {
-                    return;
-                }
-                initialized = true;
-                await db.init([
-                    models.approvalTable,
-                    models.auditTable,
-                    models.grantTable,
-                    models.inboxNotificationTable,
-                ]).catch(() => undefined);
-            }
-            return {
-                async listApprovals() {
-                    await ensureInitialized();
-                    return await db.select().from(models.approvalTable).execute();
-                },
-                async insertApproval(row) {
-                    await ensureInitialized();
-                    await db.insert(models.approvalTable).values(row).execute();
-                },
-                async updateApproval(id, patch) {
-                    await ensureInitialized();
-                    await db.update(models.approvalTable).set(patch).where(models.eq(models.approvalTable.id, id)).execute();
-                },
-                async listAudits() {
-                    await ensureInitialized();
-                    return await db.select().from(models.auditTable).execute();
-                },
-                async insertAudit(row) {
-                    await ensureInitialized();
-                    await db.insert(models.auditTable).values(row).execute();
-                },
-                async listGrants() {
-                    await ensureInitialized();
-                    return await db.select().from(models.grantTable).execute();
-                },
-                async insertGrant(row) {
-                    await ensureInitialized();
-                    await db.insert(models.grantTable).values(row).execute();
-                },
-                async insertInboxNotification(row) {
-                    await ensureInitialized();
-                    await db.insert(models.inboxNotificationTable).values(row).execute();
-                },
-            };
+        getPodDataSession: getDefaultPodDataSession,
+        createStore(session, db) {
+            return createNativeRemoteApprovalStore(session.webId, db);
         },
         sleep(ms) {
             return delay(ms);
@@ -321,100 +413,523 @@ async function createDefaultRuntime() {
         now() {
             return new Date();
         },
+        resolveGrantCoverage: resolveWatchGrantCoverage,
     };
 }
 async function withRemoteApprovalStore(runtime, fn) {
-    const stored = runtime.loadCredentials();
-    if (!stored) {
+    const client = await getRemoteApprovalClient(runtime);
+    if (!client) {
         throw new Error(missingRemoteApprovalCredentialsMessage());
     }
-    const clientCredentials = runtime.getClientCredentials(stored);
-    if (!clientCredentials) {
-        throw new Error(unsupportedRemoteApprovalAuthMessage());
+    return await fn({
+        store: client.store,
+        webId: client.session.webId,
+        stored: client.session.credentials,
+    });
+}
+async function getRemoteApprovalClient(runtime) {
+    let promise = remoteApprovalClientCache.get(runtime);
+    if (!promise) {
+        promise = createRemoteApprovalClient(runtime)
+            .then((client) => {
+            if (!client) {
+                remoteApprovalClientCache.delete(runtime);
+            }
+            return client;
+        })
+            .catch((error) => {
+            remoteApprovalClientCache.delete(runtime);
+            throw error;
+        });
+        remoteApprovalClientCache.set(runtime, promise);
     }
-    const { session } = await runtime.authenticate(clientCredentials.clientId, clientCredentials.clientSecret, stored.url);
-    const webId = session.info.webId ?? stored.webId;
-    if (!webId) {
-        await session.logout().catch(() => undefined);
-        throw new Error('Remote approval authentication succeeded without a WebID.');
+    return promise;
+}
+async function createRemoteApprovalClient(runtime) {
+    const session = await runtime.getPodDataSession();
+    if (!session) {
+        return null;
     }
-    try {
-        return await fn({
-            store: runtime.createStore(session),
-            webId,
-            stored,
-        });
+    const db = createRemoteApprovalDb(session);
+    await initSolidTables(db, [
+        approvalResource,
+        auditResource,
+        grantResource,
+        inboxNotificationTable,
+    ]);
+    return {
+        session,
+        store: runtime.createStore(session, db),
+    };
+}
+function createRemoteApprovalDb(session) {
+    return drizzle(session.solidSession, {
+        logger: false,
+        disableInteropDiscovery: true,
+        schema: solidSchema,
+    });
+}
+function createNativeRemoteApprovalStore(_webId, db) {
+    return {
+        listApprovals: () => listApprovalRows(db),
+        findApproval: (id, options) => findApprovalRow(db, id, options),
+        resolveApprovalReference: (locator) => resolveResourceReference(db, approvalResource, locator),
+        insertApproval: (row) => writeApprovalRow(db, row),
+        async updateApproval(id, patch) {
+            const data = normalizeApprovalUpdate(patch);
+            const approvalUri = normalizeString(patch.approvalUri);
+            const targetIri = approvalUri ?? (isAbsoluteIri(id) ? id : undefined);
+            if (targetIri) {
+                const updateByIri = db.updateByIri;
+                if (typeof updateByIri !== 'function') {
+                    throw new Error('Solid database does not support updateByIri');
+                }
+                const updated = await updateByIri.call(db, approvalResource, targetIri, data);
+                if (!updated) {
+                    throw new Error(`Remote approval not found: ${id}`);
+                }
+                return;
+            }
+            const updateByLocator = db.updateByLocator;
+            if (typeof updateByLocator !== 'function') {
+                throw new Error('Solid database does not support updateByLocator');
+            }
+            const updated = await updateByLocator.call(db, approvalResource, { id }, data);
+            if (!updated) {
+                throw new Error(`Remote approval not found: ${id}`);
+            }
+        },
+        listAudits: () => listAuditRows(db),
+        insertAudit: (row) => writeAuditRow(db, row),
+        listGrants: () => listGrantRows(db),
+        resolveGrantReference: (locator) => resolveResourceReference(db, grantResource, locator),
+        insertGrant: (row) => writeGrantRow(db, row),
+        insertInboxNotification: (row) => writeInboxNotificationRow(db, row),
+    };
+}
+async function findApprovalRow(db, id, options = {}) {
+    const approvalUri = normalizeString(options.approvalUri) ?? (isAbsoluteIri(id) ? id : undefined);
+    if (approvalUri) {
+        const findByIri = db.findByIri;
+        if (typeof findByIri !== 'function') {
+            throw new Error('Solid database does not support findByIri');
+        }
+        const row = await findByIri.call(db, approvalResource, approvalUri);
+        return normalizeApprovalRow(row);
     }
-    finally {
-        await session.logout().catch(() => undefined);
+    const findByLocator = db.findByLocator;
+    if (typeof findByLocator !== 'function') {
+        throw new Error('Solid database does not support findByLocator');
+    }
+    const row = await findByLocator.call(db, approvalResource, {
+        id,
+        ...(options.createdAt ? { createdAt: options.createdAt } : {}),
+    });
+    return normalizeApprovalRow(row);
+}
+function resolveResourceReference(db, resource, locator) {
+    if (typeof db.resolveLocatorIri !== 'function' || typeof db.resolveLocatorId !== 'function') {
+        throw new Error('Solid database does not support locator reference resolution');
+    }
+    return {
+        id: db.resolveLocatorId(resource, locator),
+        iri: db.resolveLocatorIri(resource, locator),
+    };
+}
+async function listApprovalRows(db) {
+    const rows = await db.select().from(approvalResource).execute();
+    return rows.map((row) => normalizeApprovalRow(row)).filter((row) => row !== null);
+}
+async function writeApprovalRow(db, row) {
+    await db.insert(approvalResource).values(normalizeApprovalInsert(row)).execute();
+}
+async function listAuditRows(db) {
+    const rows = await db.select().from(auditResource).execute();
+    return rows.map((row) => normalizeAuditRow(row)).filter((row) => row !== null);
+}
+async function writeAuditRow(db, row) {
+    await db.insert(auditResource).values(normalizeAuditInsert(row)).execute();
+}
+async function listGrantRows(db) {
+    const rows = await db.select().from(grantResource).execute();
+    return rows.map((row) => normalizeGrantRow(row)).filter((row) => row !== null);
+}
+async function writeGrantRow(db, row) {
+    const id = normalizeString(row.id) ?? crypto.randomUUID();
+    const target = normalizeString(row.target);
+    const action = normalizeString(row.action);
+    const effect = normalizeString(row.effect);
+    const decisionBy = normalizeString(row.decisionBy);
+    const decisionRole = normalizeString(row.decisionRole);
+    if (!target || !action || !effect || !decisionBy || !decisionRole) {
+        throw new Error(`Invalid remote approval grant row: ${id}`);
     }
+    await db.insert(grantResource).values(normalizeGrantInsert({ ...row, id, target, action, effect, decisionBy, decisionRole })).execute();
+}
+async function writeInboxNotificationRow(db, row) {
+    await db.insert(inboxNotificationTable).values(normalizeInboxNotificationInsert(row)).execute();
+}
+function normalizeApprovalRow(row) {
+    if (!row)
+        return null;
+    return {
+        id: String(row.id),
+        approvalUri: normalizeString(row['@id']) ?? normalizeString(row.subject) ?? normalizeString(row.uri),
+        session: row.session,
+        toolCallId: row.toolCallId,
+        toolName: row.toolName,
+        target: row.target,
+        action: row.action,
+        risk: row.risk,
+        status: row.status,
+        assignedTo: row.assignedTo,
+        decisionBy: row.decisionBy,
+        decisionRole: row.decisionRole,
+        onBehalfOf: row.onBehalfOf,
+        reason: row.reason,
+        context: row.context,
+        approvalOptions: row.approvalOptions,
+        policyVersion: row.policyVersion,
+        createdAt: row.createdAt,
+        expiresAt: row.expiresAt,
+        resolvedAt: row.resolvedAt,
+    };
+}
+function normalizeAuditRow(row) {
+    if (!row)
+        return null;
+    return {
+        id: String(row.id),
+        action: row.action,
+        actor: row.actor,
+        actorRole: row.actorRole,
+        onBehalfOf: row.onBehalfOf,
+        session: row.session,
+        entry: row.entry,
+        toolCallId: row.toolCallId,
+        toolName: row.toolName,
+        approval: row.approval,
+        policyVersion: row.policyVersion,
+        createdAt: row.createdAt,
+    };
+}
+function normalizeGrantRow(row) {
+    if (!row)
+        return null;
+    return {
+        id: String(row.id),
+        target: row.target,
+        action: row.action,
+        title: row.title,
+        summary: row.summary,
+        body: row.body,
+        schema: row.schema,
+        pageKind: row.pageKind,
+        wikiStatus: row.wikiStatus,
+        tags: row.tags,
+        source: row.source,
+        sourceHash: row.sourceHash,
+        compiledAt: row.compiledAt,
+        compiledFrom: row.compiledFrom,
+        related: row.related,
+        effect: row.effect,
+        riskCeiling: row.riskCeiling,
+        policy: row.policy,
+        context: row.context,
+        decisionBy: row.decisionBy,
+        decisionRole: row.decisionRole,
+        onBehalfOf: row.onBehalfOf,
+        createdAt: row.createdAt,
+        revokedAt: row.revokedAt,
+    };
+}
+function normalizeApprovalInsert(row) {
+    return {
+        id: row.id,
+        session: row.session,
+        toolCallId: row.toolCallId,
+        toolName: row.toolName,
+        target: row.target,
+        action: row.action,
+        risk: row.risk,
+        status: row.status,
+        ...(row.assignedTo ? { assignedTo: row.assignedTo } : {}),
+        ...(row.decisionBy ? { decisionBy: row.decisionBy } : {}),
+        ...(row.decisionRole ? { decisionRole: row.decisionRole } : {}),
+        ...(row.onBehalfOf ? { onBehalfOf: row.onBehalfOf } : {}),
+        ...(row.reason ? { reason: row.reason } : {}),
+        ...(row.context ? { context: row.context } : {}),
+        ...(row.approvalOptions ? { approvalOptions: row.approvalOptions } : {}),
+        ...(row.policyVersion ? { policyVersion: row.policyVersion } : {}),
+        createdAt: new Date(toIsoString(row.createdAt, new Date().toISOString())),
+        ...(row.expiresAt ? { expiresAt: new Date(toIsoString(row.expiresAt, new Date().toISOString())) } : {}),
+        ...(row.resolvedAt ? { resolvedAt: new Date(toIsoString(row.resolvedAt, new Date().toISOString())) } : {}),
+    };
+}
+function normalizeApprovalUpdate(patch) {
+    const next = {};
+    for (const key of [
+        'session',
+        'toolCallId',
+        'toolName',
+        'target',
+        'action',
+        'risk',
+        'status',
+        'assignedTo',
+        'decisionBy',
+        'decisionRole',
+        'onBehalfOf',
+        'reason',
+        'context',
+        'approvalOptions',
+        'policyVersion',
+    ]) {
+        if (patch[key] !== undefined) {
+            ;
+            next[key] = patch[key];
+        }
+    }
+    if (patch.createdAt !== undefined)
+        next.createdAt = new Date(toIsoString(patch.createdAt, new Date().toISOString()));
+    if (patch.expiresAt !== undefined)
+        next.expiresAt = new Date(toIsoString(patch.expiresAt, new Date().toISOString()));
+    if (patch.resolvedAt !== undefined)
+        next.resolvedAt = new Date(toIsoString(patch.resolvedAt, new Date().toISOString()));
+    return next;
+}
+function normalizeAuditInsert(row) {
+    return {
+        id: row.id,
+        action: row.action,
+        actor: row.actor,
+        actorRole: row.actorRole,
+        ...(row.onBehalfOf ? { onBehalfOf: row.onBehalfOf } : {}),
+        ...(row.session ? { session: row.session } : {}),
+        ...(row.entry ? { entry: row.entry } : {}),
+        ...(row.toolCallId ? { toolCallId: row.toolCallId } : {}),
+        ...(row.toolName ? { toolName: row.toolName } : {}),
+        ...(row.approval ? { approval: row.approval } : {}),
+        ...(row.policyVersion ? { policyVersion: row.policyVersion } : {}),
+        createdAt: new Date(toIsoString(row.createdAt, new Date().toISOString())),
+    };
+}
+function normalizeGrantInsert(row) {
+    return {
+        id: row.id,
+        target: row.target,
+        action: row.action,
+        ...(row.title ? { title: truncatePodLiteral(row.title, 160) } : {}),
+        ...(row.summary ? { summary: truncatePodLiteral(row.summary, 500) } : {}),
+        ...(row.body ? { body: truncatePodLiteral(row.body, MAX_GRANT_POLICY_LENGTH) } : {}),
+        ...(row.schema ? { schema: row.schema } : {}),
+        ...(row.pageKind ? { pageKind: row.pageKind } : {}),
+        ...(row.wikiStatus ? { wikiStatus: row.wikiStatus } : {}),
+        ...(row.tags ? { tags: truncatePodLiteral(row.tags, 500) } : {}),
+        ...(row.source ? { source: row.source } : {}),
+        ...(row.sourceHash ? { sourceHash: row.sourceHash } : {}),
+        ...(row.compiledAt ? { compiledAt: new Date(toIsoString(row.compiledAt, new Date().toISOString())) } : {}),
+        ...(row.compiledFrom ? { compiledFrom: row.compiledFrom } : {}),
+        ...(row.related ? { related: row.related } : {}),
+        effect: row.effect,
+        ...(row.riskCeiling ? { riskCeiling: row.riskCeiling } : {}),
+        ...(row.policy ? { policy: truncatePodLiteral(row.policy, MAX_GRANT_POLICY_LENGTH) } : {}),
+        ...(row.context ? { context: truncatePodLiteral(row.context, MAX_APPROVAL_CONTEXT_LENGTH) } : {}),
+        decisionBy: row.decisionBy,
+        decisionRole: row.decisionRole,
+        ...(row.onBehalfOf ? { onBehalfOf: row.onBehalfOf } : {}),
+        createdAt: new Date(toIsoString(row.createdAt, new Date().toISOString())),
+        ...(row.revokedAt ? { revokedAt: new Date(toIsoString(row.revokedAt, new Date().toISOString())) } : {}),
+    };
+}
+function normalizeInboxNotificationInsert(row) {
+    return {
+        id: row.id,
+        ...(row.actor ? { actor: row.actor } : {}),
+        object: row.object,
+        createdAt: new Date(toIsoString(row.createdAt, new Date().toISOString())),
+    };
+}
+function isActiveAllowGrant(grant) {
+    return grant.effect === 'allow' && !grant.revokedAt && !!(normalizeString(grant.body) || normalizeString(grant.policy));
+}
+function isGrantRiskCandidate(grant, requestRisk) {
+    const ceiling = riskScore(typeof grant.riskCeiling === 'string' ? grant.riskCeiling : undefined);
+    return ceiling === 0 || ceiling >= riskScore(requestRisk);
+}
+function rankGrantCandidate(grant, requestContext) {
+    let score = 0;
+    if (grant.target === requestContext.target) {
+        score += 4;
+    }
+    if (grant.action === requestContext.action) {
+        score += 3;
+    }
+    if (grant.schema) {
+        score += 2;
+    }
+    if (grant.pageKind === 'autonomy-grant') {
+        score += 1;
+    }
+    return score;
+}
+function selectSemanticGrantCandidates(grants, requestContext) {
+    const risk = normalizeString(requestContext.risk) ?? 'medium';
+    return grants
+        .filter((grant) => isActiveAllowGrant(grant) && isGrantRiskCandidate(grant, risk))
+        .sort((left, right) => rankGrantCandidate(right, requestContext) - rankGrantCandidate(left, requestContext))
+        .slice(0, MAX_GRANT_COVERAGE_CANDIDATES);
+}
+function acceptsGrantCoverage(decision) {
+    return decision?.covers === true
+        && typeof decision.confidence === 'number'
+        && decision.confidence >= MIN_GRANT_COVERAGE_CONFIDENCE;
+}
+async function resolveSemanticGrantDecision(options) {
+    const candidates = selectSemanticGrantCandidates(options.grants, options.requestContext);
+    if (candidates.length === 0) {
+        return null;
+    }
+    const resolver = options.runtime.resolveGrantCoverage ?? resolveWatchGrantCoverage;
+    for (const grant of candidates) {
+        const coverage = await resolver({
+            record: options.record,
+            request: options.request,
+            requestContext: options.requestContext,
+            grant,
+        }).catch(() => null);
+        if (acceptsGrantCoverage(coverage)) {
+            return 'accept_for_session';
+        }
+    }
+    return null;
+}
+function buildWatchGrantRequestContext(input) {
+    return {
+        session: buildThreadUri(input.webId, input.record),
+        target: buildThreadUri(input.webId, input.record),
+        action: buildActionUri(input.request),
+        risk: buildRisk(input.request),
+        toolName: buildToolName(input.request),
+        cwd: input.record.cwd,
+        backend: input.record.backend,
+        mode: input.record.mode,
+    };
+}
+function buildGenericGrantRequestContext(input) {
+    return {
+        session: input.subject.sessionUri,
+        target: input.subject.targetUri ?? input.subject.sessionUri,
+        action: input.request.action,
+        risk: input.request.risk,
+        toolName: input.request.toolName,
+        cwd: input.request.cwd,
+        kind: input.request.kind,
+    };
 }
 export async function createRemoteWatchApproval(options) {
     const activeRuntime = options.runtime ?? await createDefaultRuntime();
-    return withRemoteApprovalStore(activeRuntime, async ({ store, webId }) => {
-        const approvalId = crypto.randomUUID();
+    return createRemoteApproval({
+        subject: ({ webId }) => ({
+            sessionUri: buildThreadUri(webId, options.record),
+            actorUri: buildAgentUri(webId),
+            policyVersion: REMOTE_APPROVAL_POLICY_VERSION,
+        }),
+        request: ({ sessionUri }) => ({
+            kind: options.request.kind,
+            message: buildRequestMessage(options.request),
+            toolCallId: extractToolCallId(options.request),
+            toolName: buildToolName(options.request),
+            action: buildActionUri(options.request),
+            risk: buildRisk(options.request),
+            ...(options.request.kind === 'command-approval' && options.request.command ? { command: options.request.command } : {}),
+            ...(options.request.kind === 'command-approval' && options.request.cwd ? { cwd: options.request.cwd } : {}),
+            ...(options.request.approvalOptions ? { approvalOptions: options.request.approvalOptions } : {}),
+            ...(options.request.timeoutMs ? { timeoutMs: options.request.timeoutMs } : {}),
+            ...(options.request.expiresAt ? { expiresAt: options.request.expiresAt } : {}),
+            entry: sessionUri,
+        }),
+        runtime: activeRuntime,
+    });
+}
+export async function createRemoteApproval(options) {
+    const activeRuntime = options.runtime ?? await createDefaultRuntime();
+    return withRemoteApprovalStore(activeRuntime, async ({ store, webId, stored }) => {
+        const subject = typeof options.subject === 'function'
+            ? options.subject({ webId, stored })
+            : options.subject;
+        const request = typeof options.request === 'function'
+            ? options.request({ webId, stored, sessionUri: subject.sessionUri })
+            : options.request;
+        const approvalLocalId = crypto.randomUUID();
         const now = activeRuntime.now();
-        const sessionUri = buildThreadUri(webId, options.record.id);
-        const approvalUri = buildApprovalUri(webId, approvalId);
-        const toolCallId = extractToolCallId(options.request);
-        const requestContext = buildRequestAuditContext(options.record, options.request);
+        const approvalReference = store.resolveApprovalReference({ id: approvalLocalId, createdAt: now });
+        const approvalId = approvalReference.id;
+        const sessionUri = subject.sessionUri;
+        const approvalUri = approvalReference.iri;
+        const targetUri = subject.targetUri ?? sessionUri;
+        const assignedTo = subject.assignedTo ?? webId;
+        const onBehalfOf = subject.onBehalfOf ?? webId;
+        const policyVersion = subject.policyVersion ?? REMOTE_APPROVAL_POLICY_VERSION;
+        const requestEntry = request.entry ?? approvalUri;
+        const expiresAt = resolveApprovalExpiresAt(request, now);
+        const approvalOptions = encodeApprovalOptions(request.approvalOptions);
+        const context = compactApprovalContext(request);
         await store.insertApproval({
             id: approvalId,
+            approvalUri,
             session: sessionUri,
-            toolCallId,
-            toolName: buildToolName(options.request),
-            target: sessionUri,
-            action: buildActionUri(options.request),
-            risk: buildRisk(options.request),
+            toolCallId: request.toolCallId,
+            toolName: request.toolName,
+            target: targetUri,
+            action: request.action,
+            risk: request.risk,
             status: 'pending',
-            assignedTo: webId,
-            policyVersion: REMOTE_APPROVAL_POLICY_VERSION,
+            assignedTo,
+            context,
+            ...(approvalOptions ? { approvalOptions } : {}),
+            policyVersion,
             createdAt: now,
+            ...(expiresAt ? { expiresAt } : {}),
         });
-        await store.insertAudit({
+        const requestAudit = {
             id: crypto.randomUUID(),
             action: 'approval_requested',
-            actor: buildAgentUri(webId),
+            actor: subject.actorUri,
             actorRole: 'secretary',
-            onBehalfOf: webId,
+            onBehalfOf,
             session: sessionUri,
-            toolCallId,
+            entry: requestEntry,
+            toolCallId: request.toolCallId,
+            toolName: request.toolName,
             approval: approvalUri,
-            context: JSON.stringify(requestContext),
-            policyVersion: REMOTE_APPROVAL_POLICY_VERSION,
+            policyVersion,
             createdAt: now,
-        });
-        await store.insertInboxNotification({
+        };
+        await warnOnly(activeRuntime, () => store.insertAudit(requestAudit));
+        await warnOnly(activeRuntime, () => store.insertInboxNotification({
             id: crypto.randomUUID(),
-            actor: buildAgentUri(webId),
+            actor: subject.actorUri,
             object: approvalUri,
             createdAt: now,
-        }).catch(() => undefined);
+        }));
         return normalizeApprovalSummary({
             id: approvalId,
+            approvalUri,
             session: sessionUri,
-            toolCallId,
-            toolName: buildToolName(options.request),
-            target: sessionUri,
-            action: buildActionUri(options.request),
-            risk: buildRisk(options.request),
+            toolCallId: request.toolCallId,
+            toolName: request.toolName,
+            target: targetUri,
+            action: request.action,
+            risk: request.risk,
             status: 'pending',
-            assignedTo: webId,
-            policyVersion: REMOTE_APPROVAL_POLICY_VERSION,
+            assignedTo,
+            context,
+            ...(approvalOptions ? { approvalOptions } : {}),
+            policyVersion,
             createdAt: now,
-        }, [{
-                id: crypto.randomUUID(),
-                action: 'approval_requested',
-                actor: buildAgentUri(webId),
-                actorRole: 'secretary',
-                onBehalfOf: webId,
-                session: sessionUri,
-                toolCallId,
-                approval: approvalUri,
-                context: JSON.stringify(requestContext),
-                policyVersion: REMOTE_APPROVAL_POLICY_VERSION,
-                createdAt: now,
-            }]);
+            ...(expiresAt ? { expiresAt } : {}),
+        });
     });
 }
 export async function waitForRemoteWatchApproval(options) {
@@ -424,10 +939,13 @@ export async function waitForRemoteWatchApproval(options) {
             if (options.signal?.aborted) {
                 throw createAbortError();
             }
-            const approvals = await store.listApprovals();
-            const row = approvals.find((entry) => entry.id === options.approvalId);
+            const row = await readRemoteApprovalRow(store, {
+                approvalId: options.approvalId,
+                approvalUri: options.approvalUri,
+            });
             if (!row) {
-                throw new Error(`Remote approval disappeared before resolution: ${options.approvalId}`);
+                await activeRuntime.sleep(options.pollMs ?? DEFAULT_REMOTE_APPROVAL_POLL_MS);
+                continue;
             }
             const decision = decisionFromApprovalRow(row);
             if (decision) {
@@ -441,17 +959,20 @@ export async function requestRemoteWatchApproval(options) {
     const activeRuntime = options.runtime ?? await createDefaultRuntime();
     const delegated = await withRemoteApprovalStore(activeRuntime, async ({ store, webId }) => {
         const grants = await store.listGrants();
-        const requestAction = buildActionUri(options.request);
-        const requestTarget = buildThreadUri(webId, options.record.id);
-        const requestRisk = buildRisk(options.request);
-        return grants.some((grant) => (grant.effect === 'allow'
-            && grant.action === requestAction
-            && grant.target === requestTarget
-            && riskScore(typeof grant.riskCeiling === 'string' ? grant.riskCeiling : undefined) >= riskScore(requestRisk)
-            && !grant.revokedAt));
+        return resolveSemanticGrantDecision({
+            runtime: activeRuntime,
+            grants,
+            record: options.record,
+            request: options.request,
+            requestContext: buildWatchGrantRequestContext({
+                webId,
+                record: options.record,
+                request: options.request,
+            }),
+        });
     });
     if (delegated) {
-        return 'accept_for_session';
+        return delegated;
     }
     const summary = await createRemoteWatchApproval({
         record: options.record,
@@ -460,6 +981,62 @@ export async function requestRemoteWatchApproval(options) {
     });
     return waitForRemoteWatchApproval({
         approvalId: summary.id,
+        approvalUri: summary.approvalUri,
+        pollMs: options.pollMs,
+        signal: options.signal,
+        runtime: activeRuntime,
+    });
+}
+export async function resolveExistingRemoteWatchGrant(options) {
+    const activeRuntime = options.runtime ?? await createDefaultRuntime();
+    return withRemoteApprovalStore(activeRuntime, async ({ store, webId }) => {
+        const grants = await store.listGrants();
+        return resolveSemanticGrantDecision({
+            runtime: activeRuntime,
+            grants,
+            record: options.record,
+            request: options.request,
+            requestContext: buildWatchGrantRequestContext({
+                webId,
+                record: options.record,
+                request: options.request,
+            }),
+        });
+    });
+}
+export async function requestRemoteApproval(options) {
+    const activeRuntime = options.runtime ?? await createDefaultRuntime();
+    const delegated = await withRemoteApprovalStore(activeRuntime, async ({ store, webId, stored }) => {
+        const subject = typeof options.subject === 'function'
+            ? options.subject({ webId, stored })
+            : options.subject;
+        const request = typeof options.request === 'function'
+            ? options.request({ webId, stored, sessionUri: subject.sessionUri })
+            : options.request;
+        const grants = await store.listGrants();
+        const requestContext = buildGenericGrantRequestContext({ subject, request });
+        return resolveSemanticGrantDecision({
+            runtime: activeRuntime,
+            grants,
+            request: {
+                ...request,
+                session: subject.sessionUri,
+                target: requestContext.target,
+            },
+            requestContext,
+        });
+    });
+    if (delegated) {
+        return delegated;
+    }
+    const summary = await createRemoteApproval({
+        subject: options.subject,
+        request: options.request,
+        runtime: activeRuntime,
+    });
+    return waitForRemoteWatchApproval({
+        approvalId: summary.id,
+        approvalUri: summary.approvalUri,
         pollMs: options.pollMs,
         signal: options.signal,
         runtime: activeRuntime,
@@ -469,12 +1046,9 @@ export async function listRemoteWatchApprovals(options = {}) {
     const activeRuntime = options.runtime ?? await createDefaultRuntime();
     const requestedStatus = options.status ?? 'pending';
     return withRemoteApprovalStore(activeRuntime, async ({ store, webId }) => {
-        const [approvals, audits] = await Promise.all([
-            store.listApprovals(),
-            store.listAudits(),
-        ]);
+        const approvals = await store.listApprovals();
         return approvals
-            .map((row) => normalizeApprovalSummary(row, audits))
+            .map((row) => normalizeApprovalSummary(row))
             .filter((summary) => !summary.assignedTo || summary.assignedTo === webId)
             .filter((summary) => requestedStatus === 'all' || summary.status === requestedStatus)
             .sort((left, right) => right.createdAt.localeCompare(left.createdAt));
@@ -483,96 +1057,124 @@ export async function listRemoteWatchApprovals(options = {}) {
 export async function resolveRemoteWatchApproval(options) {
     const activeRuntime = options.runtime ?? await createDefaultRuntime();
     return withRemoteApprovalStore(activeRuntime, async ({ store, webId }) => {
-        const approvals = await store.listApprovals();
-        const row = approvals.find((entry) => entry.id === options.approvalId);
+        const row = await readRemoteApprovalRow(store, {
+            approvalId: options.approvalId,
+            approvalUri: options.approvalUri,
+        });
         if (!row) {
             throw new Error(`Remote approval not found: ${options.approvalId}`);
         }
         if (row.status !== 'pending') {
-            const audits = await store.listAudits();
-            return normalizeApprovalSummary(row, audits);
+            return normalizeApprovalSummary(row);
         }
         const now = activeRuntime.now();
-        const approvalUri = buildApprovalUri(row.session, row.id);
+        const approvalUri = normalizeString(row.approvalUri)
+            ?? store.resolveApprovalReference({ id: row.id, createdAt: row.createdAt }).iri;
         const nextStatus = options.decision === 'accept' || options.decision === 'accept_for_session'
             ? 'approved'
             : 'rejected';
+        const decisionRole = options.decisionRole ?? 'human';
         await store.updateApproval(row.id, {
+            approvalUri,
             status: nextStatus,
             decisionBy: webId,
-            decisionRole: 'human',
+            decisionRole,
             onBehalfOf: webId,
             reason: encodeDecisionReason(options.decision, options.note),
             resolvedAt: now,
         });
-        await store.insertAudit({
+        await warnOnly(activeRuntime, () => store.insertAudit({
             id: crypto.randomUUID(),
             action: nextStatus === 'approved' ? 'approval_approved' : 'approval_rejected',
             actor: webId,
-            actorRole: 'human',
+            actorRole: decisionRole,
             onBehalfOf: webId,
             session: row.session,
+            entry: approvalUri,
             toolCallId: row.toolCallId,
+            toolName: row.toolName,
             approval: approvalUri,
-            context: JSON.stringify({
-                decision: options.decision,
-                ...(options.note?.trim() ? { note: options.note.trim() } : {}),
-            }),
             policyVersion: REMOTE_APPROVAL_POLICY_VERSION,
             createdAt: now,
-        });
+        }));
         if (options.decision === 'accept_for_session') {
             const grantId = crypto.randomUUID();
+            const body = grantWikiBodyFromApproval(row, options.grantWikiBody);
             await store.insertGrant({
                 id: grantId,
                 target: row.target,
                 action: row.action,
+                title: grantWikiTitleFromApproval(row, options.grantWikiTitle),
+                summary: grantWikiSummaryFromApproval(row, options.grantWikiSummary),
+                body,
+                schema: buildGrantSchemaUri(webId),
+                pageKind: 'autonomy-grant',
+                wikiStatus: 'active',
+                tags: grantWikiTagsFromApproval(row, options.grantWikiTags),
+                source: 'approval',
+                sourceHash: grantSourceHash(row),
+                compiledAt: now,
+                compiledFrom: [approvalUri],
+                related: [row.session],
                 effect: 'allow',
                 riskCeiling: row.risk,
+                policy: grantIndexTextFromWikiBody(body),
+                context: grantContextFromApproval(row),
                 decisionBy: webId,
-                decisionRole: 'human',
+                decisionRole,
                 onBehalfOf: webId,
                 createdAt: now,
             });
-            await store.insertInboxNotification({
+            await warnOnly(activeRuntime, () => store.insertInboxNotification({
                 id: crypto.randomUUID(),
                 actor: webId,
-                object: buildGrantUri(row.session, grantId),
+                object: store.resolveGrantReference({ id: grantId }).iri,
                 createdAt: now,
-            }).catch(() => undefined);
+            }));
         }
-        await store.insertInboxNotification({
+        await warnOnly(activeRuntime, () => store.insertInboxNotification({
             id: crypto.randomUUID(),
             actor: webId,
             object: approvalUri,
             createdAt: now,
-        }).catch(() => undefined);
+        }));
         const nextRow = {
             ...row,
+            approvalUri,
             status: nextStatus,
             decisionBy: webId,
-            decisionRole: 'human',
+            decisionRole,
             onBehalfOf: webId,
             reason: encodeDecisionReason(options.decision, options.note),
             resolvedAt: now,
         };
-        const audits = await store.listAudits();
-        return normalizeApprovalSummary(nextRow, audits);
+        return normalizeApprovalSummary(nextRow);
     });
 }
+async function readRemoteApprovalRow(store, options) {
+    if (store.findApproval) {
+        const row = await store.findApproval(options.approvalId, {
+            approvalUri: options.approvalUri,
+        });
+        return row;
+    }
+    const approvals = await store.listApprovals();
+    return approvals.find((entry) => entry.id === options.approvalId) ?? null;
+}
 export const __podApprovalInternal = {
     createAbortError,
+    createDefaultRuntime,
     buildActionUri,
-    buildRequestAuditContext,
     buildRisk,
     buildToolName,
+    createNativeRemoteApprovalStore,
     extractToolCallId,
     decisionFromApprovalRow,
     encodeDecisionReason,
     formatSummaryHeadline,
+    readRemoteApprovalRow,
     isRemoteApprovalAbortError,
     normalizeApprovalSummary,
     parseDecisionReason,
-    parseRequestAuditContext,
 };
 //# sourceMappingURL=pod-approval.js.map