@undefineds.co/linx 0.2.19 → 0.2.24

package/dist/lib/{watch → auto-mode}/pod-approval.js

@@ -1,12 +1,17 @@
 import { setTimeout as delay } from 'node:timers/promises';
 import { getDefaultPodDataSession } from '../pod-data-session.js';
-import { approvalResource, auditResource, drizzle, grantResource, inboxNotificationTable, initSolidTables, solidSchema, } from '../models.js';
-import { resolveWatchGrantCoverage } from './secretary.js';
-const WATCH_CHAT_ID_PREFIX = 'linx-watch';
-const WATCH_AGENT_ID = 'linx-watch-assistant';
-const REMOTE_APPROVAL_POLICY_VERSION = 'linx-watch-remote-approval/v1';
+import { approvalResource, auditResource, buildApprovalSubjectPath, buildGrantSubjectPath, drizzle, grantResource, inboxNotificationResource, solidResources, } from '../models.js';
+import { AS, ODRL, UDFS } from '@undefineds.co/models/namespaces';
+import { ApprovalVocab, AuditVocab, GrantVocab, InboxNotificationVocab } from '@undefineds.co/models/vocab/sidecar';
+import { autoModeApprovalActionUri, autoModeApprovalRequestMessage, autoModeApprovalRisk, autoModeApprovalToolName, } from '../../../vendor/agent-runtime/dist/auto-mode.js';
+import { resolveAutoModeGrantCoverage } from './secretary.js';
+import { buildApprovalDocumentUrl, RDF_TYPE, buildApprovalResourceUrl, buildAuditDocumentUrl, buildAuditResourceUrl, buildGrantResourceUrl, buildInboxResourceUrl, firstIri, firstLiteral, iri, listTurtleResources, listTurtleResourcesRecursive, literal, parseManagedTurtleBlocks, readTurtleResource, subjectIdFromResourceUrl, upsertManagedTurtleBlock, } from '../pi-adapter/pod-native.js';
+const AUTO_MODE_CHAT_ID_PREFIX = 'linx-auto-mode';
+const AUTO_MODE_AGENT_ID = 'linx-auto-mode-assistant';
+const REMOTE_APPROVAL_POLICY_VERSION = 'linx-auto-mode-remote-approval/v1';
 const DEFAULT_REMOTE_APPROVAL_POLL_MS = 1000;
 const DEFAULT_WARN_ONLY_TIMEOUT_MS = 5000;
+const DEFAULT_APPROVAL_LIST_DAYS = 7;
 const MAX_GRANT_POLICY_LENGTH = 1200;
 const MAX_APPROVAL_CONTEXT_LENGTH = 1400;
 const MIN_GRANT_COVERAGE_CONFIDENCE = 0.75;
@@ -42,53 +47,41 @@ function getPodBaseUrl(webIdOrUri) {
     }
     return webIdOrUri.replace(/\/$/, '');
 }
-function buildWatchChatId(record) {
-    return `${WATCH_CHAT_ID_PREFIX}-${record.backend}`;
+function buildAutoModeChatId(record) {
+    return `${AUTO_MODE_CHAT_ID_PREFIX}-${record.backend}`;
 }
 function buildThreadUri(webId, record) {
-    return `${getPodBaseUrl(webId)}/.data/chat/${buildWatchChatId(record)}/index.ttl#${record.id}`;
+    return `${getPodBaseUrl(webId)}/.data/chat/${buildAutoModeChatId(record)}/index.ttl#${record.id}`;
 }
-function isAbsoluteIri(value) {
-    return value.startsWith('http://') || value.startsWith('https://');
+function buildApprovalUriForDate(webIdOrUri, approvalId, createdAt) {
+    return buildPodResourceIri(webIdOrUri, buildApprovalSubjectPath(approvalId, createdAt));
+}
+function documentUrlFromResourceUri(resourceUri) {
+    return resourceUri.split('#', 1)[0] ?? resourceUri;
+}
+function buildGrantUri(webIdOrUri, grantId) {
+    return buildPodResourceIri(webIdOrUri, buildGrantSubjectPath(grantId));
+}
+function buildPodResourceIri(webIdOrUri, relativeUri) {
+    if (/^https?:\/\//.test(relativeUri)) {
+        return relativeUri;
+    }
+    return new URL(relativeUri.replace(/^\//, ''), `${getPodBaseUrl(webIdOrUri)}/`).toString();
 }
 function buildGrantSchemaUri(webIdOrUri) {
     return `${getPodBaseUrl(webIdOrUri)}/settings/autonomy/schema/grant.ttl#GrantWikiPage`;
 }
 function buildAgentUri(webId) {
-    return `${getPodBaseUrl(webId)}/.data/agents/${WATCH_AGENT_ID}.ttl`;
+    return `${getPodBaseUrl(webId)}/.data/agents/${AUTO_MODE_AGENT_ID}.ttl`;
 }
 function buildActionUri(request) {
-    if (request.kind === 'command-approval') {
-        return 'https://undefineds.co/ns#commandExecution';
-    }
-    if (request.kind === 'file-change-approval') {
-        return 'https://undefineds.co/ns#fileChange';
-    }
-    if (request.kind === 'permissions-approval') {
-        return 'https://undefineds.co/ns#permissionRequest';
-    }
-    return 'https://undefineds.co/ns#runtimeApproval';
+    return autoModeApprovalActionUri(request);
 }
 function buildToolName(request) {
-    if (request.kind === 'command-approval') {
-        return 'commandExecution';
-    }
-    if (request.kind === 'file-change-approval') {
-        return 'fileChange';
-    }
-    if (request.kind === 'permissions-approval') {
-        return 'permissionRequest';
-    }
-    return 'runtimeApproval';
+    return autoModeApprovalToolName(request);
 }
 function buildRisk(request) {
-    if (request.kind === 'permissions-approval') {
-        return 'high';
-    }
-    if (request.kind === 'file-change-approval') {
-        return 'high';
-    }
-    return 'medium';
+    return autoModeApprovalRisk(request);
 }
 function riskScore(risk) {
     switch (risk) {
@@ -103,13 +96,7 @@ function riskScore(risk) {
     }
 }
 function buildRequestMessage(request) {
-    if (request.kind === 'command-approval') {
-        return request.command?.trim() || request.message;
-    }
-    if (request.kind === 'file-change-approval') {
-        return request.reason?.trim() || request.message;
-    }
-    return request.message;
+    return autoModeApprovalRequestMessage(request);
 }
 function extractToolCallId(request) {
     if (!isRecord(request.raw)) {
@@ -253,7 +240,7 @@ function grantWikiTagsFromApproval(row, explicitTags) {
 }
 function grantContextFromApproval(row) {
     return safeCompactJson({
-        sourceApproval: row.approvalUri ?? row.id,
+        sourceApproval: buildApprovalUriForDate(row.session, row.id, new Date(toIsoString(row.createdAt, new Date().toISOString()))),
         session: row.session,
         toolCallId: row.toolCallId,
         toolName: row.toolName,
@@ -263,6 +250,16 @@ function grantContextFromApproval(row) {
         approvalContext: row.context,
     }, MAX_APPROVAL_CONTEXT_LENGTH);
 }
+function literalValues(predicates, predicate) {
+    return (predicates.get(predicate) ?? [])
+        .map((object) => isRecord(object) && object.type === 'literal' && typeof object.value === 'string' ? object.value : '')
+        .filter(Boolean);
+}
+function iriValues(predicates, predicate) {
+    return (predicates.get(predicate) ?? [])
+        .map((object) => isRecord(object) && object.type === 'iri' && typeof object.value === 'string' ? object.value : '')
+        .filter(Boolean);
+}
 function grantSourceHash(row) {
     return `approval:${row.id}:${row.toolCallId}:${row.risk}`;
 }
@@ -386,7 +383,7 @@ function formatApprovalMessage(row) {
 function formatSummaryHeadline(summary) {
     return `${summary.id} | ${summary.status} | ${summary.risk} | session=${summary.sessionId}`;
 }
-export function formatRemoteWatchApprovalSummary(summary) {
+export function formatRemoteAutoModeApprovalSummary(summary) {
     const detail = summary.command ?? summary.message;
     const secondary = [
         summary.toolName,
@@ -404,8 +401,11 @@ function missingRemoteApprovalCredentialsMessage() {
 async function createDefaultRuntime() {
     return {
         getPodDataSession: getDefaultPodDataSession,
-        createStore(session, db) {
-            return createNativeRemoteApprovalStore(session.webId, db);
+        createStore(webId, fetcher, session) {
+            if (session) {
+                return createOrmRemoteApprovalStore(session);
+            }
+            return createNativeRemoteApprovalStore(webId, fetcher);
         },
         sleep(ms) {
             return delay(ms);
@@ -413,7 +413,7 @@ async function createDefaultRuntime() {
         now() {
             return new Date();
         },
-        resolveGrantCoverage: resolveWatchGrantCoverage,
+        resolveGrantCoverage: resolveAutoModeGrantCoverage,
     };
 }
 async function withRemoteApprovalStore(runtime, fn) {
@@ -450,112 +450,331 @@ async function createRemoteApprovalClient(runtime) {
     if (!session) {
         return null;
     }
-    const db = createRemoteApprovalDb(session);
-    await initSolidTables(db, [
-        approvalResource,
-        auditResource,
-        grantResource,
-        inboxNotificationTable,
-    ]);
     return {
         session,
-        store: runtime.createStore(session, db),
+        store: runtime.createStore(session.webId, session.fetch, session),
     };
 }
-function createRemoteApprovalDb(session) {
-    return drizzle(session.solidSession, {
-        logger: false,
-        disableInteropDiscovery: true,
-        schema: solidSchema,
-    });
+function createOrmRemoteApprovalStore(podSession) {
+    let dbPromise = null;
+    const getDb = async () => {
+        if (!dbPromise) {
+            dbPromise = Promise.resolve().then(async () => {
+                const db = drizzle(podSession.solidSession, {
+                    logger: false,
+                    disableInteropDiscovery: true,
+                    podUrl: podSession.podUrl,
+                    resourcePreparation: 'best-effort',
+                    schema: solidResources,
+                });
+                return db;
+            });
+        }
+        return dbPromise;
+    };
+    return createSharedModelRemoteApprovalStore(podSession.webId, getDb);
 }
-function createNativeRemoteApprovalStore(_webId, db) {
+function createSharedModelRemoteApprovalStore(webId, getDb) {
+    const listApprovals = async () => {
+        const rows = await modelList(getDb, approvalResource);
+        return rows.map((row) => enrichApprovalRow(webId, row));
+    };
     return {
-        listApprovals: () => listApprovalRows(db),
-        findApproval: (id, options) => findApprovalRow(db, id, options),
-        resolveApprovalReference: (locator) => resolveResourceReference(db, approvalResource, locator),
-        insertApproval: (row) => writeApprovalRow(db, row),
-        async updateApproval(id, patch) {
-            const data = normalizeApprovalUpdate(patch);
-            const approvalUri = normalizeString(patch.approvalUri);
-            const targetIri = approvalUri ?? (isAbsoluteIri(id) ? id : undefined);
-            if (targetIri) {
-                const updateByIri = db.updateByIri;
-                if (typeof updateByIri !== 'function') {
-                    throw new Error('Solid database does not support updateByIri');
-                }
-                const updated = await updateByIri.call(db, approvalResource, targetIri, data);
-                if (!updated) {
-                    throw new Error(`Remote approval not found: ${id}`);
-                }
-                return;
+        listApprovals,
+        findApproval: async (id, options = {}) => {
+            if (options.resourceUri) {
+                const row = await modelFindByIri(getDb, approvalResource, options.resourceUri);
+                return row ? enrichApprovalRow(webId, row, options.resourceUri) : null;
+            }
+            if (options.createdAt) {
+                const createdAt = new Date(toIsoString(options.createdAt, new Date().toISOString()));
+                const iri = buildApprovalUriForDate(webId, id, createdAt);
+                const row = await modelFindByIri(getDb, approvalResource, iri);
+                return row ? enrichApprovalRow(webId, row, iri) : null;
             }
-            const updateByLocator = db.updateByLocator;
-            if (typeof updateByLocator !== 'function') {
-                throw new Error('Solid database does not support updateByLocator');
+            const row = await modelFindById(getDb, approvalResource, id);
+            return row ? enrichApprovalRow(webId, row) : null;
+        },
+        insertApproval: async (row) => {
+            await modelInsert(getDb, approvalResource, omitInternalFields(row));
+        },
+        updateApproval: async (id, patch, options = {}) => {
+            const explicitIri = options.resourceUri
+                ?? normalizeString(patch.approvalUri)
+                ?? (options.createdAt ? buildApprovalUriForDate(webId, id, new Date(toIsoString(options.createdAt, new Date().toISOString()))) : undefined);
+            if (explicitIri) {
+                await modelUpdateByIri(getDb, approvalResource, explicitIri, omitInternalFields(patch));
+                return;
             }
-            const updated = await updateByLocator.call(db, approvalResource, { id }, data);
+            const updated = await modelUpdateById(getDb, approvalResource, id, omitInternalFields(patch));
             if (!updated) {
                 throw new Error(`Remote approval not found: ${id}`);
             }
         },
-        listAudits: () => listAuditRows(db),
-        insertAudit: (row) => writeAuditRow(db, row),
-        listGrants: () => listGrantRows(db),
-        resolveGrantReference: (locator) => resolveResourceReference(db, grantResource, locator),
-        insertGrant: (row) => writeGrantRow(db, row),
-        insertInboxNotification: (row) => writeInboxNotificationRow(db, row),
+        listAudits: () => modelList(getDb, auditResource),
+        insertAudit: async (row) => {
+            await modelInsert(getDb, auditResource, omitInternalFields(row));
+        },
+        listGrants: () => modelList(getDb, grantResource),
+        insertGrant: async (row) => {
+            await modelInsert(getDb, grantResource, omitInternalFields(row));
+        },
+        insertInboxNotification: async (row) => {
+            await modelInsert(getDb, inboxNotificationResource, omitInternalFields(row));
+        },
     };
 }
-async function findApprovalRow(db, id, options = {}) {
-    const approvalUri = normalizeString(options.approvalUri) ?? (isAbsoluteIri(id) ? id : undefined);
-    if (approvalUri) {
-        const findByIri = db.findByIri;
-        if (typeof findByIri !== 'function') {
-            throw new Error('Solid database does not support findByIri');
-        }
-        const row = await findByIri.call(db, approvalResource, approvalUri);
-        return normalizeApprovalRow(row);
+async function modelList(getDb, resource) {
+    const db = await getDb();
+    return await db.select().from(resource).execute();
+}
+async function modelFindByIri(getDb, resource, iri) {
+    const db = await getDb();
+    if (typeof db.findByIri === 'function') {
+        return await db.findByIri(resource, iri);
     }
-    const findByLocator = db.findByLocator;
-    if (typeof findByLocator !== 'function') {
-        throw new Error('Solid database does not support findByLocator');
+    const rows = await db.select().from(resource).whereByIri(iri).execute();
+    return rows[0] ?? null;
+}
+async function modelFindById(getDb, resource, id) {
+    const db = await getDb();
+    if (typeof db.findById === 'function') {
+        return await db.findById(resource, id);
     }
-    const row = await findByLocator.call(db, approvalResource, {
-        id,
-        ...(options.createdAt ? { createdAt: options.createdAt } : {}),
-    });
-    return normalizeApprovalRow(row);
+    throw new Error('Remote approval shared model store requires findById support');
+}
+async function modelInsert(getDb, resource, row) {
+    const db = await getDb();
+    await db.insert(resource).values(stripUndefined(row)).execute();
+}
+async function modelUpdateByIri(getDb, resource, iri, patch) {
+    const db = await getDb();
+    const update = stripUndefined(patch);
+    delete update.id;
+    delete update.approvalUri;
+    if (typeof db.updateByIri === 'function') {
+        await db.updateByIri(resource, iri, update);
+        return;
+    }
+    const query = db.update(resource).set(update);
+    if (typeof query.whereByIri !== 'function') {
+        throw new Error('Remote approval shared model store requires updateByIri/whereByIri support');
+    }
+    await query.whereByIri(iri).execute();
+}
+async function modelUpdateById(getDb, resource, id, patch) {
+    const db = await getDb();
+    const update = stripUndefined(patch);
+    delete update.id;
+    delete update.approvalUri;
+    if (typeof db.updateById === 'function') {
+        return await db.updateById(resource, id, update);
+    }
+    const row = await modelFindById(getDb, resource, id);
+    const iri = rowSubject(row ?? {});
+    if (!iri) {
+        return null;
+    }
+    await modelUpdateByIri(getDb, resource, iri, update);
+    return await modelFindByIri(getDb, resource, iri);
 }
-function resolveResourceReference(db, resource, locator) {
-    if (typeof db.resolveLocatorIri !== 'function' || typeof db.resolveLocatorId !== 'function') {
-        throw new Error('Solid database does not support locator reference resolution');
+function stripUndefined(row) {
+    const next = {};
+    for (const [key, value] of Object.entries(row)) {
+        if (value !== undefined) {
+            next[key] = value;
+        }
     }
+    return next;
+}
+function omitInternalFields(row) {
+    const next = stripUndefined(row);
+    delete next.approvalUri;
+    delete next['@id'];
+    delete next.subject;
+    delete next.source;
+    delete next.uri;
+    return next;
+}
+function rowSubject(row) {
+    return normalizeString(row['@id'])
+        ?? normalizeString(row.subject)
+        ?? normalizeString(row.uri);
+}
+function enrichApprovalRow(webId, row, explicitIri) {
+    const createdAt = new Date(toIsoString(row.createdAt, new Date().toISOString()));
     return {
-        id: db.resolveLocatorId(resource, locator),
-        iri: db.resolveLocatorIri(resource, locator),
+        ...row,
+        approvalUri: explicitIri
+            ?? normalizeString(row.approvalUri)
+            ?? rowSubject(row)
+            ?? buildApprovalUriForDate(webId, row.id, createdAt),
     };
 }
-async function listApprovalRows(db) {
-    const rows = await db.select().from(approvalResource).execute();
-    return rows.map((row) => normalizeApprovalRow(row)).filter((row) => row !== null);
+function createNativeRemoteApprovalStore(webId, fetcher) {
+    return {
+        listApprovals: () => listApprovalRows(webId, fetcher),
+        findApproval: (id, options) => findApprovalRow(webId, fetcher, id, options),
+        insertApproval: (row) => writeApprovalRow(webId, fetcher, row),
+        async updateApproval(id, patch, options = {}) {
+            const explicitIri = options.resourceUri
+                ?? normalizeString(patch.approvalUri)
+                ?? (options.createdAt ? buildApprovalResourceUrl(webId, id, new Date(toIsoString(options.createdAt, new Date().toISOString()))) : undefined);
+            const existing = explicitIri
+                ? await readApprovalRowFromResource(fetcher, explicitIri)
+                : (await listApprovalRows(webId, fetcher)).find((row) => row.id === id);
+            if (!existing) {
+                throw new Error(`Remote approval not found: ${id}`);
+            }
+            await writeApprovalRow(webId, fetcher, { ...existing, ...patch });
+        },
+        listAudits: () => listAuditRows(webId, fetcher),
+        insertAudit: (row) => writeAuditRow(webId, fetcher, row),
+        listGrants: () => listGrantRows(webId, fetcher),
+        insertGrant: (row) => writeGrantRow(webId, fetcher, row),
+        insertInboxNotification: (row) => writeInboxNotificationRow(webId, fetcher, row),
+    };
 }
-async function writeApprovalRow(db, row) {
-    await db.insert(approvalResource).values(normalizeApprovalInsert(row)).execute();
+async function findApprovalRow(webId, fetcher, id, options = {}) {
+    if (options.resourceUri) {
+        return readApprovalRowFromResource(fetcher, options.resourceUri);
+    }
+    if (options.createdAt) {
+        const createdAt = new Date(toIsoString(options.createdAt, new Date().toISOString()));
+        return readApprovalRowFromResource(fetcher, buildApprovalResourceUrl(webId, id, createdAt));
+    }
+    return (await listApprovalRows(webId, fetcher)).find((row) => row.id === id) ?? null;
 }
-async function listAuditRows(db) {
-    const rows = await db.select().from(auditResource).execute();
-    return rows.map((row) => normalizeAuditRow(row)).filter((row) => row !== null);
+async function readApprovalRowFromResource(fetcher, resourceUri) {
+    const turtle = await readTurtleResource(fetcher, documentUrlFromResourceUri(resourceUri));
+    if (!turtle) {
+        return null;
+    }
+    for (const [subject, predicates] of parseManagedTurtleBlocks(turtle, documentUrlFromResourceUri(resourceUri))) {
+        if (subject !== resourceUri) {
+            continue;
+        }
+        const row = approvalRowFromPredicates(subject, predicates);
+        if (row) {
+            return row;
+        }
+    }
+    return null;
 }
-async function writeAuditRow(db, row) {
-    await db.insert(auditResource).values(normalizeAuditInsert(row)).execute();
+async function listApprovalRows(webId, fetcher) {
+    const urls = [
+        ...recentApprovalDocumentUrls(webId),
+        ...await listTurtleResources(fetcher, `${getPodBaseUrl(webId)}/.data/approvals/`).catch(() => []),
+    ];
+    const rows = [];
+    for (const url of [...new Set(urls)].filter((entry) => entry.endsWith('.ttl'))) {
+        const turtle = await readTurtleResource(fetcher, url).catch(() => null);
+        if (!turtle)
+            continue;
+        for (const [subject, predicates] of parseManagedTurtleBlocks(turtle, url)) {
+            const row = approvalRowFromPredicates(subject, predicates);
+            if (row)
+                rows.push(row);
+        }
+    }
+    return rows;
+}
+function recentApprovalDocumentUrls(webId, days = DEFAULT_APPROVAL_LIST_DAYS) {
+    const urls = [];
+    const base = Date.now();
+    for (let offset = 0; offset < days; offset += 1) {
+        const date = new Date(base - offset * 24 * 60 * 60 * 1000);
+        urls.push(buildApprovalDocumentUrl(webId, date));
+    }
+    return urls;
+}
+async function writeApprovalRow(webId, fetcher, row) {
+    const createdAt = new Date(toIsoString(row.createdAt, new Date().toISOString()));
+    const documentUrl = buildApprovalDocumentUrl(webId, createdAt);
+    const subjectUrl = buildApprovalResourceUrl(webId, row.id, createdAt);
+    await upsertManagedTurtleBlock(fetcher, documentUrl, {
+        subject: subjectUrl,
+        triples: [
+            { predicate: RDF_TYPE, object: iri(UDFS.ApprovalRequest) },
+            { predicate: ApprovalVocab.session, object: iri(row.session) },
+            { predicate: ApprovalVocab.toolCallId, object: literal(row.toolCallId) },
+            { predicate: ApprovalVocab.toolName, object: literal(row.toolName) },
+            { predicate: ApprovalVocab.target, object: iri(row.target) },
+            { predicate: ApprovalVocab.action, object: iri(row.action) },
+            { predicate: ApprovalVocab.risk, object: literal(row.risk) },
+            { predicate: ApprovalVocab.status, object: literal(row.status) },
+            ...(row.assignedTo ? [{ predicate: ApprovalVocab.assignedTo, object: iri(row.assignedTo) }] : []),
+            ...(row.decisionBy ? [{ predicate: ApprovalVocab.decisionBy, object: iri(row.decisionBy) }] : []),
+            ...(row.decisionRole ? [{ predicate: ApprovalVocab.decisionRole, object: literal(row.decisionRole) }] : []),
+            ...(row.onBehalfOf ? [{ predicate: ApprovalVocab.onBehalfOf, object: iri(row.onBehalfOf) }] : []),
+            ...(row.reason ? [{ predicate: ApprovalVocab.reason, object: literal(row.reason) }] : []),
+            ...(row.context ? [{ predicate: ApprovalVocab.context, object: literal(row.context) }] : []),
+            ...(row.approvalOptions ? [{ predicate: ApprovalVocab.approvalOptions, object: literal(row.approvalOptions) }] : []),
+            ...(row.policyVersion ? [{ predicate: ApprovalVocab.policyVersion, object: literal(row.policyVersion) }] : []),
+            { predicate: ApprovalVocab.createdAt, object: literal(toIsoString(row.createdAt, new Date().toISOString())) },
+            ...(row.expiresAt ? [{ predicate: ApprovalVocab.expiresAt, object: literal(toIsoString(row.expiresAt, new Date().toISOString())) }] : []),
+            ...(row.resolvedAt ? [{ predicate: ApprovalVocab.resolvedAt, object: literal(toIsoString(row.resolvedAt, new Date().toISOString())) }] : []),
+        ],
+    });
+}
+async function listAuditRows(webId, fetcher) {
+    const urls = await listTurtleResourcesRecursive(fetcher, `${getPodBaseUrl(webId)}/.data/audits/`);
+    const rows = [];
+    for (const url of urls.filter((entry) => entry.endsWith('.ttl'))) {
+        const turtle = await readTurtleResource(fetcher, url).catch(() => null);
+        if (!turtle)
+            continue;
+        for (const [subject, predicates] of parseManagedTurtleBlocks(turtle, url)) {
+            const row = auditRowFromPredicates(subject, predicates);
+            if (row)
+                rows.push(row);
+        }
+    }
+    return rows;
+}
+async function writeAuditRow(webId, fetcher, row) {
+    const createdAt = new Date(toIsoString(row.createdAt, new Date().toISOString()));
+    const documentUrl = buildAuditDocumentUrl(webId, createdAt);
+    const subjectUrl = buildAuditResourceUrl(webId, row.id, createdAt);
+    await upsertManagedTurtleBlock(fetcher, documentUrl, {
+        subject: subjectUrl,
+        triples: [
+            { predicate: RDF_TYPE, object: iri(UDFS.AuditEntry) },
+            { predicate: AuditVocab.action, object: literal(row.action) },
+            { predicate: AuditVocab.actor, object: iri(row.actor) },
+            { predicate: AuditVocab.actorRole, object: literal(row.actorRole) },
+            ...(row.onBehalfOf ? [{ predicate: AuditVocab.onBehalfOf, object: iri(row.onBehalfOf) }] : []),
+            ...(row.session ? [{ predicate: AuditVocab.session, object: iri(row.session) }] : []),
+            ...(row.entry ? [{ predicate: AuditVocab.entry, object: iri(row.entry) }] : []),
+            ...(row.toolCallId ? [{ predicate: AuditVocab.toolCallId, object: literal(row.toolCallId) }] : []),
+            ...(row.toolName ? [{ predicate: AuditVocab.toolName, object: literal(row.toolName) }] : []),
+            ...(row.approval ? [{ predicate: AuditVocab.approval, object: iri(row.approval) }] : []),
+            ...(row.policyVersion ? [{ predicate: AuditVocab.policyVersion, object: literal(row.policyVersion) }] : []),
+            { predicate: AuditVocab.createdAt, object: literal(toIsoString(row.createdAt, new Date().toISOString())) },
+        ],
+    });
 }
-async function listGrantRows(db) {
-    const rows = await db.select().from(grantResource).execute();
-    return rows.map((row) => normalizeGrantRow(row)).filter((row) => row !== null);
+async function listGrantRows(webId, fetcher) {
+    const urls = [
+        ...await listTurtleResources(fetcher, `${getPodBaseUrl(webId)}/settings/autonomy/grants/`).catch(() => []),
+    ];
+    const rows = [];
+    for (const url of urls.filter((entry) => entry.endsWith('.ttl'))) {
+        const turtle = await readTurtleResource(fetcher, url).catch(() => null);
+        if (!turtle)
+            continue;
+        for (const [subject, predicates] of parseManagedTurtleBlocks(turtle, url)) {
+            const row = grantRowFromPredicates(subject, predicates);
+            if (row)
+                rows.push(row);
+        }
+    }
+    return rows;
 }
-async function writeGrantRow(db, row) {
+async function writeGrantRow(webId, fetcher, row) {
     const id = normalizeString(row.id) ?? crypto.randomUUID();
+    const subjectUrl = buildGrantResourceUrl(webId, id);
+    const documentUrl = subjectUrl;
     const target = normalizeString(row.target);
     const action = normalizeString(row.action);
     const effect = normalizeString(row.effect);
@@ -564,190 +783,141 @@ async function writeGrantRow(db, row) {
     if (!target || !action || !effect || !decisionBy || !decisionRole) {
         throw new Error(`Invalid remote approval grant row: ${id}`);
     }
-    await db.insert(grantResource).values(normalizeGrantInsert({ ...row, id, target, action, effect, decisionBy, decisionRole })).execute();
+    await upsertManagedTurtleBlock(fetcher, documentUrl, {
+        subject: subjectUrl,
+        triples: [
+            { predicate: RDF_TYPE, object: iri(ODRL.Policy) },
+            { predicate: RDF_TYPE, object: iri(UDFS.AutonomyGrant) },
+            { predicate: GrantVocab.target, object: iri(target) },
+            { predicate: GrantVocab.action, object: iri(action) },
+            ...(normalizeString(row.title) ? [{ predicate: GrantVocab.title, object: literal(truncatePodLiteral(normalizeString(row.title), 160)) }] : []),
+            ...(normalizeString(row.summary) ? [{ predicate: GrantVocab.summary, object: literal(truncatePodLiteral(normalizeString(row.summary), 500)) }] : []),
+            ...(normalizeString(row.body) ? [{ predicate: GrantVocab.body, object: literal(truncatePodLiteral(normalizeString(row.body), MAX_GRANT_POLICY_LENGTH)) }] : []),
+            ...(normalizeString(row.schema) ? [{ predicate: GrantVocab.schema, object: iri(normalizeString(row.schema)) }] : []),
+            ...(normalizeString(row.pageKind) ? [{ predicate: GrantVocab.pageKind, object: literal(normalizeString(row.pageKind)) }] : []),
+            ...(normalizeString(row.wikiStatus) ? [{ predicate: GrantVocab.wikiStatus, object: literal(normalizeString(row.wikiStatus)) }] : []),
+            ...(normalizeString(row.tags) ? [{ predicate: GrantVocab.tags, object: literal(truncatePodLiteral(normalizeString(row.tags), 500)) }] : []),
+            ...(normalizeString(row.source) ? [{ predicate: GrantVocab.source, object: literal(normalizeString(row.source)) }] : []),
+            ...(normalizeString(row.sourceHash) ? [{ predicate: GrantVocab.sourceHash, object: literal(normalizeString(row.sourceHash)) }] : []),
+            ...(row.compiledAt ? [{ predicate: GrantVocab.compiledAt, object: literal(toIsoString(row.compiledAt, new Date().toISOString())) }] : []),
+            ...(row.compiledFrom ?? []).map((value) => ({ predicate: GrantVocab.compiledFrom, object: iri(value) })),
+            ...(row.related ?? []).map((value) => ({ predicate: GrantVocab.related, object: iri(value) })),
+            { predicate: GrantVocab.effect, object: literal(effect) },
+            ...(normalizeString(row.riskCeiling) ? [{ predicate: GrantVocab.riskCeiling, object: literal(normalizeString(row.riskCeiling)) }] : []),
+            ...(normalizeString(row.policy) ? [{ predicate: GrantVocab.policy, object: literal(truncatePodLiteral(normalizeString(row.policy), MAX_GRANT_POLICY_LENGTH)) }] : []),
+            ...(normalizeString(row.context) ? [{ predicate: GrantVocab.context, object: literal(truncatePodLiteral(normalizeString(row.context), MAX_APPROVAL_CONTEXT_LENGTH)) }] : []),
+            { predicate: GrantVocab.decisionBy, object: iri(decisionBy) },
+            { predicate: GrantVocab.decisionRole, object: literal(decisionRole) },
+            ...(normalizeString(row.onBehalfOf) ? [{ predicate: GrantVocab.onBehalfOf, object: iri(normalizeString(row.onBehalfOf)) }] : []),
+            { predicate: GrantVocab.createdAt, object: literal(toIsoString(row.createdAt, new Date().toISOString())) },
+            ...(normalizeString(row.revokedAt) ? [{ predicate: GrantVocab.revokedAt, object: literal(normalizeString(row.revokedAt)) }] : []),
+        ],
+    });
 }
-async function writeInboxNotificationRow(db, row) {
-    await db.insert(inboxNotificationTable).values(normalizeInboxNotificationInsert(row)).execute();
+async function writeInboxNotificationRow(webId, fetcher, row) {
+    const url = buildInboxResourceUrl(webId, row.id);
+    await upsertManagedTurtleBlock(fetcher, url, {
+        subject: url,
+        triples: [
+            { predicate: RDF_TYPE, object: iri(AS.Announce) },
+            ...(row.actor ? [{ predicate: InboxNotificationVocab.actor, object: iri(row.actor) }] : []),
+            { predicate: InboxNotificationVocab.object, object: iri(row.object) },
+            { predicate: InboxNotificationVocab.createdAt, object: literal(toIsoString(row.createdAt, new Date().toISOString())) },
+        ],
+    });
 }
-function normalizeApprovalRow(row) {
-    if (!row)
+function approvalRowFromPredicates(url, predicates) {
+    const session = firstIri(predicates, ApprovalVocab.session);
+    const toolCallId = firstLiteral(predicates, ApprovalVocab.toolCallId);
+    const toolName = firstLiteral(predicates, ApprovalVocab.toolName);
+    const target = firstIri(predicates, ApprovalVocab.target);
+    const action = firstIri(predicates, ApprovalVocab.action);
+    const risk = firstLiteral(predicates, ApprovalVocab.risk);
+    const status = firstLiteral(predicates, ApprovalVocab.status);
+    const createdAt = firstLiteral(predicates, ApprovalVocab.createdAt);
+    if (!session || !toolCallId || !toolName || !target || !action || !risk || !status || !createdAt) {
         return null;
+    }
     return {
-        id: String(row.id),
-        approvalUri: normalizeString(row['@id']) ?? normalizeString(row.subject) ?? normalizeString(row.uri),
-        session: row.session,
-        toolCallId: row.toolCallId,
-        toolName: row.toolName,
-        target: row.target,
-        action: row.action,
-        risk: row.risk,
-        status: row.status,
-        assignedTo: row.assignedTo,
-        decisionBy: row.decisionBy,
-        decisionRole: row.decisionRole,
-        onBehalfOf: row.onBehalfOf,
-        reason: row.reason,
-        context: row.context,
-        approvalOptions: row.approvalOptions,
-        policyVersion: row.policyVersion,
-        createdAt: row.createdAt,
-        expiresAt: row.expiresAt,
-        resolvedAt: row.resolvedAt,
+        id: subjectIdFromResourceUrl(url),
+        session,
+        toolCallId,
+        toolName,
+        target,
+        action,
+        risk,
+        status,
+        assignedTo: firstIri(predicates, ApprovalVocab.assignedTo),
+        decisionBy: firstIri(predicates, ApprovalVocab.decisionBy),
+        decisionRole: firstLiteral(predicates, ApprovalVocab.decisionRole),
+        onBehalfOf: firstIri(predicates, ApprovalVocab.onBehalfOf),
+        reason: firstLiteral(predicates, ApprovalVocab.reason),
+        context: firstLiteral(predicates, ApprovalVocab.context),
+        approvalOptions: firstLiteral(predicates, ApprovalVocab.approvalOptions),
+        policyVersion: firstLiteral(predicates, ApprovalVocab.policyVersion),
+        createdAt,
+        expiresAt: firstLiteral(predicates, ApprovalVocab.expiresAt),
+        resolvedAt: firstLiteral(predicates, ApprovalVocab.resolvedAt),
     };
 }
-function normalizeAuditRow(row) {
-    if (!row)
+function auditRowFromPredicates(url, predicates) {
+    const action = firstLiteral(predicates, AuditVocab.action);
+    const actor = firstIri(predicates, AuditVocab.actor);
+    const actorRole = firstLiteral(predicates, AuditVocab.actorRole);
+    const createdAt = firstLiteral(predicates, AuditVocab.createdAt);
+    if (!action || !actor || !actorRole || !createdAt) {
         return null;
+    }
     return {
-        id: String(row.id),
-        action: row.action,
-        actor: row.actor,
-        actorRole: row.actorRole,
-        onBehalfOf: row.onBehalfOf,
-        session: row.session,
-        entry: row.entry,
-        toolCallId: row.toolCallId,
-        toolName: row.toolName,
-        approval: row.approval,
-        policyVersion: row.policyVersion,
-        createdAt: row.createdAt,
+        id: subjectIdFromResourceUrl(url),
+        action,
+        actor,
+        actorRole,
+        onBehalfOf: firstIri(predicates, AuditVocab.onBehalfOf),
+        session: firstIri(predicates, AuditVocab.session),
+        entry: firstIri(predicates, AuditVocab.entry),
+        toolCallId: firstLiteral(predicates, AuditVocab.toolCallId),
+        toolName: firstLiteral(predicates, AuditVocab.toolName),
+        approval: firstIri(predicates, AuditVocab.approval),
+        policyVersion: firstLiteral(predicates, AuditVocab.policyVersion),
+        createdAt,
     };
 }
-function normalizeGrantRow(row) {
-    if (!row)
+function grantRowFromPredicates(url, predicates) {
+    const target = firstIri(predicates, GrantVocab.target);
+    const action = firstIri(predicates, GrantVocab.action);
+    const effect = firstLiteral(predicates, GrantVocab.effect);
+    const decisionBy = firstIri(predicates, GrantVocab.decisionBy);
+    const decisionRole = firstLiteral(predicates, GrantVocab.decisionRole);
+    const createdAt = firstLiteral(predicates, GrantVocab.createdAt);
+    if (!target || !action || !effect || !decisionBy || !decisionRole || !createdAt) {
         return null;
-    return {
-        id: String(row.id),
-        target: row.target,
-        action: row.action,
-        title: row.title,
-        summary: row.summary,
-        body: row.body,
-        schema: row.schema,
-        pageKind: row.pageKind,
-        wikiStatus: row.wikiStatus,
-        tags: row.tags,
-        source: row.source,
-        sourceHash: row.sourceHash,
-        compiledAt: row.compiledAt,
-        compiledFrom: row.compiledFrom,
-        related: row.related,
-        effect: row.effect,
-        riskCeiling: row.riskCeiling,
-        policy: row.policy,
-        context: row.context,
-        decisionBy: row.decisionBy,
-        decisionRole: row.decisionRole,
-        onBehalfOf: row.onBehalfOf,
-        createdAt: row.createdAt,
-        revokedAt: row.revokedAt,
-    };
-}
-function normalizeApprovalInsert(row) {
-    return {
-        id: row.id,
-        session: row.session,
-        toolCallId: row.toolCallId,
-        toolName: row.toolName,
-        target: row.target,
-        action: row.action,
-        risk: row.risk,
-        status: row.status,
-        ...(row.assignedTo ? { assignedTo: row.assignedTo } : {}),
-        ...(row.decisionBy ? { decisionBy: row.decisionBy } : {}),
-        ...(row.decisionRole ? { decisionRole: row.decisionRole } : {}),
-        ...(row.onBehalfOf ? { onBehalfOf: row.onBehalfOf } : {}),
-        ...(row.reason ? { reason: row.reason } : {}),
-        ...(row.context ? { context: row.context } : {}),
-        ...(row.approvalOptions ? { approvalOptions: row.approvalOptions } : {}),
-        ...(row.policyVersion ? { policyVersion: row.policyVersion } : {}),
-        createdAt: new Date(toIsoString(row.createdAt, new Date().toISOString())),
-        ...(row.expiresAt ? { expiresAt: new Date(toIsoString(row.expiresAt, new Date().toISOString())) } : {}),
-        ...(row.resolvedAt ? { resolvedAt: new Date(toIsoString(row.resolvedAt, new Date().toISOString())) } : {}),
-    };
-}
-function normalizeApprovalUpdate(patch) {
-    const next = {};
-    for (const key of [
-        'session',
-        'toolCallId',
-        'toolName',
-        'target',
-        'action',
-        'risk',
-        'status',
-        'assignedTo',
-        'decisionBy',
-        'decisionRole',
-        'onBehalfOf',
-        'reason',
-        'context',
-        'approvalOptions',
-        'policyVersion',
-    ]) {
-        if (patch[key] !== undefined) {
-            ;
-            next[key] = patch[key];
-        }
     }
-    if (patch.createdAt !== undefined)
-        next.createdAt = new Date(toIsoString(patch.createdAt, new Date().toISOString()));
-    if (patch.expiresAt !== undefined)
-        next.expiresAt = new Date(toIsoString(patch.expiresAt, new Date().toISOString()));
-    if (patch.resolvedAt !== undefined)
-        next.resolvedAt = new Date(toIsoString(patch.resolvedAt, new Date().toISOString()));
-    return next;
-}
-function normalizeAuditInsert(row) {
     return {
-        id: row.id,
-        action: row.action,
-        actor: row.actor,
-        actorRole: row.actorRole,
-        ...(row.onBehalfOf ? { onBehalfOf: row.onBehalfOf } : {}),
-        ...(row.session ? { session: row.session } : {}),
-        ...(row.entry ? { entry: row.entry } : {}),
-        ...(row.toolCallId ? { toolCallId: row.toolCallId } : {}),
-        ...(row.toolName ? { toolName: row.toolName } : {}),
-        ...(row.approval ? { approval: row.approval } : {}),
-        ...(row.policyVersion ? { policyVersion: row.policyVersion } : {}),
-        createdAt: new Date(toIsoString(row.createdAt, new Date().toISOString())),
-    };
-}
-function normalizeGrantInsert(row) {
-    return {
-        id: row.id,
-        target: row.target,
-        action: row.action,
-        ...(row.title ? { title: truncatePodLiteral(row.title, 160) } : {}),
-        ...(row.summary ? { summary: truncatePodLiteral(row.summary, 500) } : {}),
-        ...(row.body ? { body: truncatePodLiteral(row.body, MAX_GRANT_POLICY_LENGTH) } : {}),
-        ...(row.schema ? { schema: row.schema } : {}),
-        ...(row.pageKind ? { pageKind: row.pageKind } : {}),
-        ...(row.wikiStatus ? { wikiStatus: row.wikiStatus } : {}),
-        ...(row.tags ? { tags: truncatePodLiteral(row.tags, 500) } : {}),
-        ...(row.source ? { source: row.source } : {}),
-        ...(row.sourceHash ? { sourceHash: row.sourceHash } : {}),
-        ...(row.compiledAt ? { compiledAt: new Date(toIsoString(row.compiledAt, new Date().toISOString())) } : {}),
-        ...(row.compiledFrom ? { compiledFrom: row.compiledFrom } : {}),
-        ...(row.related ? { related: row.related } : {}),
-        effect: row.effect,
-        ...(row.riskCeiling ? { riskCeiling: row.riskCeiling } : {}),
-        ...(row.policy ? { policy: truncatePodLiteral(row.policy, MAX_GRANT_POLICY_LENGTH) } : {}),
-        ...(row.context ? { context: truncatePodLiteral(row.context, MAX_APPROVAL_CONTEXT_LENGTH) } : {}),
-        decisionBy: row.decisionBy,
-        decisionRole: row.decisionRole,
-        ...(row.onBehalfOf ? { onBehalfOf: row.onBehalfOf } : {}),
-        createdAt: new Date(toIsoString(row.createdAt, new Date().toISOString())),
-        ...(row.revokedAt ? { revokedAt: new Date(toIsoString(row.revokedAt, new Date().toISOString())) } : {}),
-    };
-}
-function normalizeInboxNotificationInsert(row) {
-    return {
-        id: row.id,
-        ...(row.actor ? { actor: row.actor } : {}),
-        object: row.object,
-        createdAt: new Date(toIsoString(row.createdAt, new Date().toISOString())),
+        id: subjectIdFromResourceUrl(url),
+        target,
+        action,
+        title: firstLiteral(predicates, GrantVocab.title),
+        summary: firstLiteral(predicates, GrantVocab.summary),
+        body: firstLiteral(predicates, GrantVocab.body),
+        schema: firstIri(predicates, GrantVocab.schema),
+        pageKind: firstLiteral(predicates, GrantVocab.pageKind),
+        wikiStatus: firstLiteral(predicates, GrantVocab.wikiStatus),
+        tags: firstLiteral(predicates, GrantVocab.tags),
+        source: firstLiteral(predicates, GrantVocab.source),
+        sourceHash: firstLiteral(predicates, GrantVocab.sourceHash),
+        compiledAt: firstLiteral(predicates, GrantVocab.compiledAt),
+        compiledFrom: iriValues(predicates, GrantVocab.compiledFrom),
+        related: iriValues(predicates, GrantVocab.related),
+        effect,
+        riskCeiling: firstLiteral(predicates, GrantVocab.riskCeiling),
+        policy: firstLiteral(predicates, GrantVocab.policy),
+        context: firstLiteral(predicates, GrantVocab.context),
+        decisionBy,
+        decisionRole,
+        onBehalfOf: firstIri(predicates, GrantVocab.onBehalfOf),
+        createdAt,
+        revokedAt: firstLiteral(predicates, GrantVocab.revokedAt),
     };
 }
 function isActiveAllowGrant(grant) {
@@ -790,7 +960,7 @@ async function resolveSemanticGrantDecision(options) {
     if (candidates.length === 0) {
         return null;
     }
-    const resolver = options.runtime.resolveGrantCoverage ?? resolveWatchGrantCoverage;
+    const resolver = options.runtime.resolveGrantCoverage ?? resolveAutoModeGrantCoverage;
     for (const grant of candidates) {
         const coverage = await resolver({
             record: options.record,
@@ -804,7 +974,7 @@ async function resolveSemanticGrantDecision(options) {
     }
     return null;
 }
-function buildWatchGrantRequestContext(input) {
+function buildAutoModeGrantRequestContext(input) {
     return {
         session: buildThreadUri(input.webId, input.record),
         target: buildThreadUri(input.webId, input.record),
@@ -827,7 +997,7 @@ function buildGenericGrantRequestContext(input) {
         kind: input.request.kind,
     };
 }
-export async function createRemoteWatchApproval(options) {
+export async function createRemoteAutoModeApproval(options) {
     const activeRuntime = options.runtime ?? await createDefaultRuntime();
     return createRemoteApproval({
         subject: ({ webId }) => ({
@@ -861,12 +1031,10 @@ export async function createRemoteApproval(options) {
         const request = typeof options.request === 'function'
             ? options.request({ webId, stored, sessionUri: subject.sessionUri })
             : options.request;
-        const approvalLocalId = crypto.randomUUID();
+        const approvalId = crypto.randomUUID();
         const now = activeRuntime.now();
-        const approvalReference = store.resolveApprovalReference({ id: approvalLocalId, createdAt: now });
-        const approvalId = approvalReference.id;
         const sessionUri = subject.sessionUri;
-        const approvalUri = approvalReference.iri;
+        const approvalUri = buildApprovalUriForDate(webId, approvalId, now);
         const targetUri = subject.targetUri ?? sessionUri;
         const assignedTo = subject.assignedTo ?? webId;
         const onBehalfOf = subject.onBehalfOf ?? webId;
@@ -877,7 +1045,6 @@ export async function createRemoteApproval(options) {
         const context = compactApprovalContext(request);
         await store.insertApproval({
             id: approvalId,
-            approvalUri,
             session: sessionUri,
             toolCallId: request.toolCallId,
             toolName: request.toolName,
@@ -932,7 +1099,7 @@ export async function createRemoteApproval(options) {
         });
     });
 }
-export async function waitForRemoteWatchApproval(options) {
+export async function waitForRemoteAutoModeApproval(options) {
     const activeRuntime = options.runtime ?? await createDefaultRuntime();
     return withRemoteApprovalStore(activeRuntime, async ({ store }) => {
         while (true) {
@@ -955,7 +1122,7 @@ export async function waitForRemoteWatchApproval(options) {
         }
     });
 }
-export async function requestRemoteWatchApproval(options) {
+export async function requestRemoteAutoModeApproval(options) {
     const activeRuntime = options.runtime ?? await createDefaultRuntime();
     const delegated = await withRemoteApprovalStore(activeRuntime, async ({ store, webId }) => {
         const grants = await store.listGrants();
@@ -964,7 +1131,7 @@ export async function requestRemoteWatchApproval(options) {
             grants,
             record: options.record,
             request: options.request,
-            requestContext: buildWatchGrantRequestContext({
+            requestContext: buildAutoModeGrantRequestContext({
                 webId,
                 record: options.record,
                 request: options.request,
@@ -974,12 +1141,12 @@ export async function requestRemoteWatchApproval(options) {
     if (delegated) {
         return delegated;
     }
-    const summary = await createRemoteWatchApproval({
+    const summary = await createRemoteAutoModeApproval({
         record: options.record,
         request: options.request,
         runtime: activeRuntime,
     });
-    return waitForRemoteWatchApproval({
+    return waitForRemoteAutoModeApproval({
         approvalId: summary.id,
         approvalUri: summary.approvalUri,
         pollMs: options.pollMs,
@@ -987,7 +1154,7 @@ export async function requestRemoteWatchApproval(options) {
         runtime: activeRuntime,
     });
 }
-export async function resolveExistingRemoteWatchGrant(options) {
+export async function resolveExistingRemoteAutoModeGrant(options) {
     const activeRuntime = options.runtime ?? await createDefaultRuntime();
     return withRemoteApprovalStore(activeRuntime, async ({ store, webId }) => {
         const grants = await store.listGrants();
@@ -996,7 +1163,7 @@ export async function resolveExistingRemoteWatchGrant(options) {
             grants,
             record: options.record,
             request: options.request,
-            requestContext: buildWatchGrantRequestContext({
+            requestContext: buildAutoModeGrantRequestContext({
                 webId,
                 record: options.record,
                 request: options.request,
@@ -1034,7 +1201,7 @@ export async function requestRemoteApproval(options) {
         request: options.request,
         runtime: activeRuntime,
     });
-    return waitForRemoteWatchApproval({
+    return waitForRemoteAutoModeApproval({
         approvalId: summary.id,
         approvalUri: summary.approvalUri,
         pollMs: options.pollMs,
@@ -1042,7 +1209,7 @@ export async function requestRemoteApproval(options) {
         runtime: activeRuntime,
     });
 }
-export async function listRemoteWatchApprovals(options = {}) {
+export async function listRemoteAutoModeApprovals(options = {}) {
     const activeRuntime = options.runtime ?? await createDefaultRuntime();
     const requestedStatus = options.status ?? 'pending';
     return withRemoteApprovalStore(activeRuntime, async ({ store, webId }) => {
@@ -1054,7 +1221,7 @@ export async function listRemoteWatchApprovals(options = {}) {
             .sort((left, right) => right.createdAt.localeCompare(left.createdAt));
     });
 }
-export async function resolveRemoteWatchApproval(options) {
+export async function resolveRemoteAutoModeApproval(options) {
     const activeRuntime = options.runtime ?? await createDefaultRuntime();
     return withRemoteApprovalStore(activeRuntime, async ({ store, webId }) => {
         const row = await readRemoteApprovalRow(store, {
@@ -1068,20 +1235,21 @@ export async function resolveRemoteWatchApproval(options) {
             return normalizeApprovalSummary(row);
         }
         const now = activeRuntime.now();
-        const approvalUri = normalizeString(row.approvalUri)
-            ?? store.resolveApprovalReference({ id: row.id, createdAt: row.createdAt }).iri;
+        const approvalCreatedAt = new Date(toIsoString(row.createdAt, now.toISOString()));
+        const approvalUri = buildApprovalUriForDate(row.session, row.id, approvalCreatedAt);
         const nextStatus = options.decision === 'accept' || options.decision === 'accept_for_session'
             ? 'approved'
             : 'rejected';
         const decisionRole = options.decisionRole ?? 'human';
         await store.updateApproval(row.id, {
-            approvalUri,
             status: nextStatus,
             decisionBy: webId,
             decisionRole,
             onBehalfOf: webId,
             reason: encodeDecisionReason(options.decision, options.note),
             resolvedAt: now,
+        }, {
+            resourceUri: options.approvalUri ?? row.approvalUri ?? approvalUri,
         });
         await warnOnly(activeRuntime, () => store.insertAudit({
             id: crypto.randomUUID(),
@@ -1128,7 +1296,7 @@ export async function resolveRemoteWatchApproval(options) {
             await warnOnly(activeRuntime, () => store.insertInboxNotification({
                 id: crypto.randomUUID(),
                 actor: webId,
-                object: store.resolveGrantReference({ id: grantId }).iri,
+                object: buildGrantUri(row.session, grantId),
                 createdAt: now,
             }));
         }
@@ -1140,7 +1308,6 @@ export async function resolveRemoteWatchApproval(options) {
         }));
         const nextRow = {
             ...row,
-            approvalUri,
             status: nextStatus,
             decisionBy: webId,
             decisionRole,
@@ -1154,9 +1321,11 @@ export async function resolveRemoteWatchApproval(options) {
 async function readRemoteApprovalRow(store, options) {
     if (store.findApproval) {
         const row = await store.findApproval(options.approvalId, {
-            approvalUri: options.approvalUri,
+            resourceUri: options.approvalUri,
         });
-        return row;
+        if (row || options.approvalUri) {
+            return row;
+        }
     }
     const approvals = await store.listApprovals();
     return approvals.find((entry) => entry.id === options.approvalId) ?? null;
@@ -1167,6 +1336,7 @@ export const __podApprovalInternal = {
     buildActionUri,
     buildRisk,
     buildToolName,
+    createSharedModelRemoteApprovalStore,
     createNativeRemoteApprovalStore,
     extractToolCallId,
     decisionFromApprovalRow,