@undefineds.co/linx 0.3.5 → 0.3.8

package/dist/lib/auto-mode/pod-approval.js

@@ -1,13 +1,14 @@
 import { setTimeout as delay } from 'node:timers/promises';
+import { resolvePodBaseUrl } from '@undefineds.co/drizzle-solid';
 import { getDefaultPodDataSession } from '../pod-data-session.js';
-import { approvalResource, auditResource, buildApprovalSubjectPath, buildGrantSubjectPath, drizzle, grantResource, inboxNotificationResource, solidResources, } from '../models.js';
+import { agentResource, approvalResource, auditResource, chatResource, drizzle, grantResource, inboxNotificationResource, solidResources, threadRepository, } from '../models.js';
 import { AS, ODRL, UDFS } from '@undefineds.co/models/namespaces';
 import { ApprovalVocab, AuditVocab, GrantReadVocab, GrantVocab, InboxNotificationVocab } from '@undefineds.co/models/vocab/sidecar';
-import { autoModeApprovalActionUri, autoModeApprovalRequestMessage, autoModeApprovalRisk, autoModeApprovalToolName, } from '../../../vendor/agent-runtime/dist/auto-mode.js';
+import { autoModeApprovalActionUri, autoModeApprovalDecisionForStoredApproval, autoModeApprovalRequestMessage, autoModeApprovalRisk, autoModeApprovalToolName, buildAutoModeApprovalDecisionReason, encodeAutoModeApprovalOptions, parseAutoModeApprovalDecisionReason, parseAutoModeApprovalOptions, shouldMaterializeAutoModeGrant, } from '../../../vendor/agent-runtime/dist/auto-mode.js';
 import { resolveAutoModeGrantCoverage } from './secretary.js';
 import { buildApprovalDocumentUrl, RDF_TYPE, buildApprovalResourceUrl, buildAuditDocumentUrl, buildAuditResourceUrl, buildGrantResourceUrl, buildInboxResourceUrl, firstIri, firstLiteral, iri, listTurtleResources, listTurtleResourcesRecursive, literal, parseManagedTurtleBlocks, readTurtleResource, subjectIdFromResourceUrl, upsertManagedTurtleBlock, } from '../pi-adapter/pod-native.js';
 const AUTO_MODE_CHAT_ID_PREFIX = 'linx-auto-mode';
-const AUTO_MODE_AGENT_ID = 'linx-auto-mode-assistant';
+const AUTO_MODE_AGENT_ID = '__secretary__';
 const REMOTE_APPROVAL_POLICY_VERSION = 'linx-auto-mode-remote-approval/v1';
 const DEFAULT_REMOTE_APPROVAL_POLL_MS = 1000;
 const DEFAULT_WARN_ONLY_TIMEOUT_MS = 5000;
@@ -17,6 +18,7 @@ const MAX_APPROVAL_CONTEXT_LENGTH = 1400;
 const MIN_GRANT_COVERAGE_CONFIDENCE = 0.75;
 const MAX_GRANT_COVERAGE_CANDIDATES = 5;
 const remoteApprovalClientCache = new WeakMap();
+let remoteApprovalSyncSeq = 0;
 function createAbortError() {
     const error = new Error('The operation was aborted.');
     error.name = 'AbortError';
@@ -37,42 +39,32 @@ function toIsoString(value, fallback) {
     }
     return fallback;
 }
-function getPodBaseUrl(webIdOrUri) {
-    if (webIdOrUri.includes('/profile/card#me')) {
-        return webIdOrUri.replace('/profile/card#me', '').replace(/\/$/, '');
-    }
-    const match = webIdOrUri.match(/^(https?:\/\/[^?#]+?)(?:\/\.data\/|\/inbox\/)/u);
-    if (match) {
-        return match[1].replace(/\/$/, '');
-    }
-    return webIdOrUri.replace(/\/$/, '');
-}
 function buildAutoModeChatId(record) {
     return `${AUTO_MODE_CHAT_ID_PREFIX}-${record.backend}`;
 }
-function buildThreadUri(webId, record) {
-    return `${getPodBaseUrl(webId)}/.data/chat/${buildAutoModeChatId(record)}/index.ttl#${record.id}`;
+function buildAutoModeChatUri(webId, record) {
+    return chatResource.buildIri(webId, { id: buildAutoModeChatId(record) });
 }
-function buildApprovalUriForDate(webIdOrUri, approvalId, createdAt) {
-    return buildPodResourceIri(webIdOrUri, buildApprovalSubjectPath(approvalId, createdAt));
+function autoModeThreadUri(webId, record) {
+    return threadRepository.iriForChat(webId, buildAutoModeChatId(record), record.id);
+}
+function approvalIriForCreatedAt(webIdOrUri, approvalId, createdAt) {
+    return approvalResource.buildIri(webIdOrUri, {
+        id: approvalId,
+        createdAt,
+    });
 }
 function documentUrlFromResourceUri(resourceUri) {
     return resourceUri.split('#', 1)[0] ?? resourceUri;
 }
-function buildGrantUri(webIdOrUri, grantId) {
-    return buildPodResourceIri(webIdOrUri, buildGrantSubjectPath(grantId));
-}
-function buildPodResourceIri(webIdOrUri, relativeUri) {
-    if (/^https?:\/\//.test(relativeUri)) {
-        return relativeUri;
-    }
-    return new URL(relativeUri.replace(/^\//, ''), `${getPodBaseUrl(webIdOrUri)}/`).toString();
+function grantIri(webIdOrUri, grantId) {
+    return buildGrantResourceUrl(webIdOrUri, grantId);
 }
 function buildGrantSchemaUri(webIdOrUri) {
-    return `${getPodBaseUrl(webIdOrUri)}/settings/autonomy/schema/grant.ttl#GrantWikiPage`;
+    return new URL('settings/autonomy/schema/grant.ttl#GrantWikiPage', `${resolvePodBaseUrl(webIdOrUri)}/`).toString();
 }
-function buildAgentUri(webId) {
-    return `${getPodBaseUrl(webId)}/.data/agents/${AUTO_MODE_AGENT_ID}.ttl`;
+function autoModeAgentUri(webId) {
+    return agentResource.buildIri(webId, { id: AUTO_MODE_AGENT_ID });
 }
 function buildActionUri(request) {
     return autoModeApprovalActionUri(request);
@@ -108,34 +100,6 @@ function extractToolCallId(request) {
         ?? normalizeString(params?.toolCallId)
         ?? crypto.randomUUID();
 }
-function encodeDecisionReason(decision, note) {
-    return safeJsonStringify({
-        decision,
-        ...(note?.trim() ? { note: note.trim() } : {}),
-    });
-}
-function parseDecisionReason(value) {
-    if (typeof value !== 'string' || !value.trim()) {
-        return null;
-    }
-    try {
-        const parsed = JSON.parse(value);
-        if (!isRecord(parsed)) {
-            return null;
-        }
-        const decision = normalizeString(parsed.decision);
-        if (!decision || !['accept', 'accept_for_session', 'decline', 'cancel'].includes(decision)) {
-            return null;
-        }
-        return {
-            decision: decision,
-            ...(normalizeString(parsed.note) ? { note: normalizeString(parsed.note) } : {}),
-        };
-    }
-    catch {
-        return null;
-    }
-}
 async function warnOnly(runtime, task) {
     try {
         await Promise.race([
@@ -240,7 +204,7 @@ function grantWikiTagsFromApproval(row, explicitTags) {
 }
 function grantContextFromApproval(row) {
     return safeCompactJson({
-        sourceApproval: buildApprovalUriForDate(row.session, row.id, new Date(toIsoString(row.createdAt, new Date().toISOString()))),
+        sourceApproval: approvalIriForCreatedAt(row.session, row.id, new Date(toIsoString(row.createdAt, new Date().toISOString()))),
         session: row.session,
         toolCallId: row.toolCallId,
         toolName: row.toolName,
@@ -277,45 +241,7 @@ function grantSourceHash(row) {
     return `approval:${row.id}:${row.toolCallId}:${row.risk}`;
 }
 function encodeApprovalOptions(options) {
-    if (!options || options.length === 0) {
-        return undefined;
-    }
-    return safeJsonStringify(options);
-}
-function parseApprovalOptions(value) {
-    if (typeof value !== 'string' || !value.trim()) {
-        return undefined;
-    }
-    try {
-        const parsed = JSON.parse(value);
-        if (!Array.isArray(parsed)) {
-            return undefined;
-        }
-        const options = parsed
-            .map((option) => {
-            if (!isRecord(option)) {
-                return null;
-            }
-            const optionId = normalizeString(option.optionId);
-            const label = normalizeString(option.label);
-            if (!optionId || !label) {
-                return null;
-            }
-            const kind = normalizeString(option.kind);
-            const description = normalizeString(option.description);
-            return {
-                optionId,
-                label,
-                ...(kind ? { kind } : {}),
-                ...(description ? { description } : {}),
-            };
-        })
-            .filter((option) => option !== null);
-        return options.length > 0 ? options : undefined;
-    }
-    catch {
-        return undefined;
-    }
+    return encodeAutoModeApprovalOptions(options);
 }
 function normalizeDateLike(value) {
     if (value instanceof Date) {
@@ -344,24 +270,17 @@ function extractSessionId(sessionUri) {
     return sessionUri;
 }
 function decisionFromApprovalRow(row) {
-    const status = normalizeString(row.status);
-    if (status === 'pending') {
-        return null;
-    }
-    const parsed = parseDecisionReason(row.reason);
-    if (status === 'rejected') {
-        return parsed?.decision === 'cancel' ? 'cancel' : 'decline';
-    }
-    if (parsed?.decision === 'accept_for_session') {
-        return 'accept_for_session';
-    }
-    return 'accept';
+    return autoModeApprovalDecisionForStoredApproval({
+        status: normalizeString(row.status),
+        reason: row.reason,
+        approvalOptions: row.approvalOptions,
+    });
 }
 function normalizeApprovalSummary(row) {
     const createdAt = toIsoString(row.createdAt, new Date(0).toISOString());
     const sessionUri = row.session;
     const decision = decisionFromApprovalRow(row);
-    const approvalOptions = parseApprovalOptions(row.approvalOptions);
+    const approvalOptions = parseAutoModeApprovalOptions(row.approvalOptions);
     return {
         id: row.id,
         ...(normalizeString(row.approvalUri) ? { approvalUri: normalizeString(row.approvalUri) } : {}),
@@ -375,7 +294,7 @@ function normalizeApprovalSummary(row) {
         ...(normalizeString(row.assignedTo) ? { assignedTo: normalizeString(row.assignedTo) } : {}),
         ...(normalizeString(row.decisionBy) ? { decisionBy: normalizeString(row.decisionBy) } : {}),
         ...(decision ? { decision } : {}),
-        ...(approvalOptions ? { approvalOptions } : {}),
+        ...(approvalOptions.length > 0 ? { approvalOptions } : {}),
         createdAt,
         ...(row.expiresAt ? { expiresAt: toIsoString(row.expiresAt, createdAt) } : {}),
         ...(row.resolvedAt ? { resolvedAt: toIsoString(row.resolvedAt, createdAt) } : {}),
@@ -501,7 +420,7 @@ function createSharedModelRemoteApprovalStore(webId, getDb) {
             }
             if (options.createdAt) {
                 const createdAt = new Date(toIsoString(options.createdAt, new Date().toISOString()));
-                const iri = buildApprovalUriForDate(webId, id, createdAt);
+                const iri = approvalIriForCreatedAt(webId, id, createdAt);
                 const row = await modelFindByIri(getDb, approvalResource, iri);
                 return row ? enrichApprovalRow(webId, row, iri) : null;
             }
@@ -514,7 +433,7 @@ function createSharedModelRemoteApprovalStore(webId, getDb) {
         updateApproval: async (id, patch, options = {}) => {
             const explicitIri = options.resourceUri
                 ?? normalizeString(patch.approvalUri)
-                ?? (options.createdAt ? buildApprovalUriForDate(webId, id, new Date(toIsoString(options.createdAt, new Date().toISOString()))) : undefined);
+                ?? (options.createdAt ? approvalIriForCreatedAt(webId, id, new Date(toIsoString(options.createdAt, new Date().toISOString()))) : undefined);
             if (explicitIri) {
                 await modelUpdateByIri(getDb, approvalResource, explicitIri, omitInternalFields(patch));
                 return;
@@ -543,18 +462,11 @@ async function modelList(getDb, resource) {
 }
 async function modelFindByIri(getDb, resource, iri) {
     const db = await getDb();
-    if (typeof db.findByIri === 'function') {
-        return await db.findByIri(resource, iri);
-    }
-    const rows = await db.select().from(resource).whereByIri(iri).execute();
-    return rows[0] ?? null;
+    return await db.findByIri(resource, iri);
 }
 async function modelFindById(getDb, resource, id) {
     const db = await getDb();
-    if (typeof db.findById === 'function') {
-        return await db.findById(resource, id);
-    }
-    throw new Error('Remote approval shared model store requires findById support');
+    return await db.findById(resource, id);
 }
 async function modelInsert(getDb, resource, row) {
     const db = await getDb();
@@ -565,31 +477,14 @@ async function modelUpdateByIri(getDb, resource, iri, patch) {
     const update = stripUndefined(patch);
     delete update.id;
     delete update.approvalUri;
-    if (typeof db.updateByIri === 'function') {
-        await db.updateByIri(resource, iri, update);
-        return;
-    }
-    const query = db.update(resource).set(update);
-    if (typeof query.whereByIri !== 'function') {
-        throw new Error('Remote approval shared model store requires updateByIri/whereByIri support');
-    }
-    await query.whereByIri(iri).execute();
+    await db.updateByIri(resource, iri, update);
 }
 async function modelUpdateById(getDb, resource, id, patch) {
     const db = await getDb();
     const update = stripUndefined(patch);
     delete update.id;
     delete update.approvalUri;
-    if (typeof db.updateById === 'function') {
-        return await db.updateById(resource, id, update);
-    }
-    const row = await modelFindById(getDb, resource, id);
-    const iri = rowSubject(row ?? {});
-    if (!iri) {
-        return null;
-    }
-    await modelUpdateByIri(getDb, resource, iri, update);
-    return await modelFindByIri(getDb, resource, iri);
+    return await db.updateById(resource, id, update);
 }
 function stripUndefined(row) {
     const next = {};
@@ -605,7 +500,6 @@ function omitInternalFields(row) {
     delete next.approvalUri;
     delete next['@id'];
     delete next.subject;
-    delete next.source;
     delete next.uri;
     return next;
 }
@@ -621,7 +515,7 @@ function enrichApprovalRow(webId, row, explicitIri) {
         approvalUri: explicitIri
             ?? normalizeString(row.approvalUri)
             ?? rowSubject(row)
-            ?? buildApprovalUriForDate(webId, row.id, createdAt),
+            ?? approvalIriForCreatedAt(webId, row.id, createdAt),
     };
 }
 function createNativeRemoteApprovalStore(webId, fetcher) {
@@ -677,7 +571,7 @@ async function readApprovalRowFromResource(fetcher, resourceUri) {
 async function listApprovalRows(webId, fetcher) {
     const urls = [
         ...recentApprovalDocumentUrls(webId),
-        ...await listTurtleResources(fetcher, `${getPodBaseUrl(webId)}/.data/approvals/`).catch(() => []),
+        ...await listTurtleResources(fetcher, `${resolvePodBaseUrl(webId)}/.data/approvals/`).catch(() => []),
     ];
     const rows = [];
     for (const url of [...new Set(urls)].filter((entry) => entry.endsWith('.ttl'))) {
@@ -731,7 +625,7 @@ async function writeApprovalRow(webId, fetcher, row) {
     });
 }
 async function listAuditRows(webId, fetcher) {
-    const urls = await listTurtleResourcesRecursive(fetcher, `${getPodBaseUrl(webId)}/.data/audits/`);
+    const urls = await listTurtleResourcesRecursive(fetcher, `${resolvePodBaseUrl(webId)}/.data/audits/`);
     const rows = [];
     for (const url of urls.filter((entry) => entry.endsWith('.ttl'))) {
         const turtle = await readTurtleResource(fetcher, url).catch(() => null);
@@ -769,7 +663,7 @@ async function writeAuditRow(webId, fetcher, row) {
 }
 async function listGrantRows(webId, fetcher) {
     const urls = [
-        ...await listTurtleResources(fetcher, `${getPodBaseUrl(webId)}/settings/autonomy/grants/`).catch(() => []),
+        ...await listTurtleResources(fetcher, `${resolvePodBaseUrl(webId)}/settings/autonomy/grants/`).catch(() => []),
     ];
     const rows = [];
     for (const url of urls.filter((entry) => entry.endsWith('.ttl'))) {
@@ -989,8 +883,8 @@ async function resolveSemanticGrantDecision(options) {
 }
 function buildAutoModeGrantRequestContext(input) {
     return {
-        session: buildThreadUri(input.webId, input.record),
-        target: buildThreadUri(input.webId, input.record),
+        session: autoModeThreadUri(input.webId, input.record),
+        target: autoModeThreadUri(input.webId, input.record),
         action: buildActionUri(input.request),
         risk: buildRisk(input.request),
         toolName: buildToolName(input.request),
@@ -1002,7 +896,7 @@ function buildAutoModeGrantRequestContext(input) {
 function buildGenericGrantRequestContext(input) {
     return {
         session: input.subject.sessionUri,
-        target: input.subject.targetUri ?? input.subject.sessionUri,
+        target: input.subject.target ?? input.subject.sessionUri,
         action: input.request.action,
         risk: input.request.risk,
         toolName: input.request.toolName,
@@ -1014,8 +908,8 @@ export async function createRemoteAutoModeApproval(options) {
     const activeRuntime = options.runtime ?? await createDefaultRuntime();
     return createRemoteApproval({
         subject: ({ webId }) => ({
-            sessionUri: buildThreadUri(webId, options.record),
-            actorUri: buildAgentUri(webId),
+            sessionUri: autoModeThreadUri(webId, options.record),
+            actorUri: autoModeAgentUri(webId),
             policyVersion: REMOTE_APPROVAL_POLICY_VERSION,
         }),
         request: ({ sessionUri }) => ({
@@ -1047,8 +941,8 @@ export async function createRemoteApproval(options) {
         const approvalId = crypto.randomUUID();
         const now = activeRuntime.now();
         const sessionUri = subject.sessionUri;
-        const approvalUri = buildApprovalUriForDate(webId, approvalId, now);
-        const targetUri = subject.targetUri ?? sessionUri;
+        const approvalUri = approvalIriForCreatedAt(webId, approvalId, now);
+        const target = subject.target ?? sessionUri;
         const assignedTo = subject.assignedTo ?? webId;
         const onBehalfOf = subject.onBehalfOf ?? webId;
         const policyVersion = subject.policyVersion ?? REMOTE_APPROVAL_POLICY_VERSION;
@@ -1061,7 +955,7 @@ export async function createRemoteApproval(options) {
             session: sessionUri,
             toolCallId: request.toolCallId,
             toolName: request.toolName,
-            target: targetUri,
+            target,
             action: request.action,
             risk: request.risk,
             status: 'pending',
@@ -1099,7 +993,7 @@ export async function createRemoteApproval(options) {
             session: sessionUri,
             toolCallId: request.toolCallId,
             toolName: request.toolName,
-            target: targetUri,
+            target,
             action: request.action,
             risk: request.risk,
             status: 'pending',
@@ -1159,13 +1053,21 @@ export async function requestRemoteAutoModeApproval(options) {
         request: options.request,
         runtime: activeRuntime,
     });
-    return waitForRemoteAutoModeApproval({
+    const decision = await waitForRemoteAutoModeApproval({
         approvalId: summary.id,
         approvalUri: summary.approvalUri,
         pollMs: options.pollMs,
         signal: options.signal,
         runtime: activeRuntime,
     });
+    if (decision === 'accept_for_session') {
+        await materializeRemoteAutoModeGrant({
+            approvalId: summary.id,
+            approvalUri: summary.approvalUri,
+            runtime: activeRuntime,
+        });
+    }
+    return decision;
 }
 export async function resolveExistingRemoteAutoModeGrant(options) {
     const activeRuntime = options.runtime ?? await createDefaultRuntime();
@@ -1249,7 +1151,7 @@ export async function resolveRemoteAutoModeApproval(options) {
         }
         const now = activeRuntime.now();
         const approvalCreatedAt = new Date(toIsoString(row.createdAt, now.toISOString()));
-        const approvalUri = buildApprovalUriForDate(row.session, row.id, approvalCreatedAt);
+        const approvalUri = approvalIriForCreatedAt(row.session, row.id, approvalCreatedAt);
         const nextStatus = options.decision === 'accept' || options.decision === 'accept_for_session'
             ? 'approved'
             : 'rejected';
@@ -1259,7 +1161,7 @@ export async function resolveRemoteAutoModeApproval(options) {
             decisionBy: webId,
             decisionRole,
             onBehalfOf: webId,
-            reason: encodeDecisionReason(options.decision, options.note),
+            reason: buildAutoModeApprovalDecisionReason(options.decision, options.note),
             resolvedAt: now,
         }, {
             resourceUri: options.approvalUri ?? row.approvalUri ?? approvalUri,
@@ -1278,41 +1180,6 @@ export async function resolveRemoteAutoModeApproval(options) {
             policyVersion: REMOTE_APPROVAL_POLICY_VERSION,
             createdAt: now,
         }));
-        if (options.decision === 'accept_for_session') {
-            const grantId = crypto.randomUUID();
-            const body = grantWikiBodyFromApproval(row, options.grantWikiBody);
-            await store.insertGrant({
-                id: grantId,
-                target: row.target,
-                action: row.action,
-                title: grantWikiTitleFromApproval(row, options.grantWikiTitle),
-                summary: grantWikiSummaryFromApproval(row, options.grantWikiSummary),
-                body,
-                schema: buildGrantSchemaUri(webId),
-                pageKind: 'autonomy-grant',
-                wikiStatus: 'active',
-                tags: grantWikiTagsFromApproval(row, options.grantWikiTags),
-                source: 'approval',
-                sourceHash: grantSourceHash(row),
-                compiledAt: now,
-                compiledFrom: [approvalUri],
-                related: [row.session],
-                effect: 'allow',
-                riskCeiling: row.risk,
-                policy: grantIndexTextFromWikiBody(body),
-                context: grantContextFromApproval(row),
-                decisionBy: webId,
-                decisionRole,
-                onBehalfOf: webId,
-                createdAt: now,
-            });
-            await warnOnly(activeRuntime, () => store.insertInboxNotification({
-                id: crypto.randomUUID(),
-                actor: webId,
-                object: buildGrantUri(row.session, grantId),
-                createdAt: now,
-            }));
-        }
         await warnOnly(activeRuntime, () => store.insertInboxNotification({
             id: crypto.randomUUID(),
             actor: webId,
@@ -1325,12 +1192,73 @@ export async function resolveRemoteAutoModeApproval(options) {
             decisionBy: webId,
             decisionRole,
             onBehalfOf: webId,
-            reason: encodeDecisionReason(options.decision, options.note),
+            reason: buildAutoModeApprovalDecisionReason(options.decision, options.note),
             resolvedAt: now,
         };
         return normalizeApprovalSummary(nextRow);
     });
 }
+export async function materializeRemoteAutoModeGrant(options) {
+    const activeRuntime = options.runtime ?? await createDefaultRuntime();
+    return withRemoteApprovalStore(activeRuntime, async ({ store, webId }) => {
+        const row = await readRemoteApprovalRow(store, {
+            approvalId: options.approvalId,
+            approvalUri: options.approvalUri,
+        });
+        if (!row || row.status !== 'approved') {
+            return null;
+        }
+        const decision = decisionFromApprovalRow(row);
+        if (!shouldMaterializeAutoModeGrant(decision)) {
+            return null;
+        }
+        const existing = await store.listGrants();
+        const sourceHash = grantSourceHash(row);
+        const existingGrant = existing.find((grant) => grant.source === 'approval' && grant.sourceHash === sourceHash);
+        if (existingGrant) {
+            return existingGrant;
+        }
+        const now = activeRuntime.now();
+        const decisionRole = options.decisionRole ?? (row.decisionRole === 'secretary' ? 'secretary' : 'human');
+        const grantId = crypto.randomUUID();
+        const body = grantWikiBodyFromApproval(row, options.grantWikiBody);
+        const approvalCreatedAt = new Date(toIsoString(row.createdAt, now.toISOString()));
+        const approvalUri = options.approvalUri ?? row.approvalUri ?? approvalIriForCreatedAt(row.session, row.id, approvalCreatedAt);
+        const grant = {
+            id: grantId,
+            target: row.target,
+            action: row.action,
+            title: grantWikiTitleFromApproval(row, options.grantWikiTitle),
+            summary: grantWikiSummaryFromApproval(row, options.grantWikiSummary),
+            body,
+            schema: buildGrantSchemaUri(webId),
+            pageKind: 'autonomy-grant',
+            wikiStatus: 'active',
+            tags: grantWikiTagsFromApproval(row, options.grantWikiTags),
+            source: 'approval',
+            sourceHash,
+            compiledAt: now,
+            compiledFrom: [approvalUri],
+            related: [row.session],
+            effect: 'allow',
+            riskCeiling: row.risk,
+            policy: grantIndexTextFromWikiBody(body),
+            context: grantContextFromApproval(row),
+            decisionBy: row.decisionBy ?? webId,
+            decisionRole,
+            onBehalfOf: row.onBehalfOf ?? webId,
+            createdAt: now,
+        };
+        await store.insertGrant(grant);
+        await warnOnly(activeRuntime, () => store.insertInboxNotification({
+            id: crypto.randomUUID(),
+            actor: webId,
+            object: grantIri(row.session, grantId),
+            createdAt: now,
+        }));
+        return grant;
+    });
+}
 async function readRemoteApprovalRow(store, options) {
     if (store.findApproval) {
         const row = await store.findApproval(options.approvalId, {
@@ -1353,11 +1281,12 @@ export const __podApprovalInternal = {
     createNativeRemoteApprovalStore,
     extractToolCallId,
     decisionFromApprovalRow,
-    encodeDecisionReason,
+    encodeDecisionReason: buildAutoModeApprovalDecisionReason,
     formatSummaryHeadline,
+    grantSourceHash,
     readRemoteApprovalRow,
     isRemoteApprovalAbortError,
     normalizeApprovalSummary,
-    parseDecisionReason,
+    parseDecisionReason: parseAutoModeApprovalDecisionReason,
 };
 //# sourceMappingURL=pod-approval.js.map