@vellumai/credential-executor 0.6.5 → 0.7.0

package/Dockerfile

@@ -14,7 +14,7 @@ RUN curl -fsSL https://bun.sh/install | bash -s "bun-v1.3.11"
 ENV PATH="/root/.bun/bin:${PATH}"
 
 # Copy shared packages first (needed for repo-local dependencies)
-COPY packages/ces-contracts ./packages/ces-contracts
+COPY packages/service-contracts ./packages/service-contracts
 COPY packages/credential-storage ./packages/credential-storage
 COPY packages/egress-proxy ./packages/egress-proxy
 
@@ -22,9 +22,6 @@ COPY packages/egress-proxy ./packages/egress-proxy
 COPY credential-executor/package.json credential-executor/bun.lock* ./credential-executor/
 RUN cd /app/credential-executor && bun install --frozen-lockfile
 
-# Copy credential-executor source
-COPY credential-executor ./credential-executor
-
 # Runtime stage
 FROM debian:trixie-slim@sha256:1d3c811171a08a5adaa4a163fbafd96b61b87aa871bbc7aa15431ac275d3d430 AS runner
 
@@ -42,9 +39,12 @@ RUN ln -sf /usr/local/bin/bun /usr/local/bin/bunx
 RUN groupadd --system --gid 1001 ces && \
     useradd --system --uid 1001 --gid ces --create-home ces
 
-# Copy built app from builder
+# Copy installed deps + shared packages from builder.
 COPY --from=builder --chown=ces:ces /app /app
 
+# Copy source separately to avoid invalidating builder layer.
+COPY --chown=ces:ces credential-executor ./
+
 # Pre-create /ces-data so the non-root ces user can write to it
 # when no PVC volume is mounted (e.g., direct docker run)
 RUN mkdir -p /ces-data && chown ces:ces /ces-data

package/bun.lock

@@ -5,9 +5,9 @@
     "": {
       "name": "@vellumai/credential-executor",
       "dependencies": {
-        "@vellumai/ces-contracts": "file:../packages/ces-contracts",
         "@vellumai/credential-storage": "file:../packages/credential-storage",
         "@vellumai/egress-proxy": "file:../packages/egress-proxy",
+        "@vellumai/service-contracts": "file:../packages/service-contracts",
         "pino": "9.14.0",
         "pino-pretty": "13.1.3",
       },
@@ -22,13 +22,15 @@
 
     "@types/bun": ["@types/bun@1.3.10", "", { "dependencies": { "bun-types": "1.3.10" } }, "sha512-0+rlrUrOrTSskibryHbvQkDOWRJwJZqZlxrUs1u4oOoTln8+WIXBPmAuCF35SWB2z4Zl3E84Nl/D0P7803nigQ=="],
 
-    "@types/node": ["@types/node@25.5.0", "", { "dependencies": { "undici-types": "~7.18.0" } }, "sha512-jp2P3tQMSxWugkCUKLRPVUpGaL5MVFwF8RDuSRztfwgN1wmqJeMSbKlnEtQqU8UrhTmzEmZdu2I6v2dpp7XIxw=="],
+    "@types/node": ["@types/node@25.6.0", "", { "dependencies": { "undici-types": "~7.19.0" } }, "sha512-+qIYRKdNYJwY3vRCZMdJbPLJAtGjQBudzZzdzwQYkEPQd+PJGixUL5QfvCLDaULoLv+RhT3LDkwEfKaAkgSmNQ=="],
 
-    "@vellumai/ces-contracts": ["@vellumai/ces-contracts@file:../packages/ces-contracts", { "dependencies": { "zod": "^4.3.6" }, "devDependencies": { "@types/bun": "^1.2.4", "typescript": "^5.7.3" } }],
+    "@types/ws": ["@types/ws@8.5.14", "", { "dependencies": { "@types/node": "*" } }, "sha512-bd/YFLW+URhBzMXurx7lWByOu+xzU9+kb3RboOteXYDfW+tr+JZa99OyNmPINEGB/ahzKrEuc8rcv4gnpJmxTw=="],
 
-    "@vellumai/credential-storage": ["@vellumai/credential-storage@file:../packages/credential-storage", { "devDependencies": { "@types/bun": "^1.2.4", "typescript": "^5.7.3" } }],
+    "@vellumai/credential-storage": ["@vellumai/credential-storage@file:../packages/credential-storage", { "devDependencies": { "@types/bun": "1.3.10", "typescript": "5.9.3" } }],
 
-    "@vellumai/egress-proxy": ["@vellumai/egress-proxy@file:../packages/egress-proxy", { "devDependencies": { "@types/bun": "^1.2.4", "typescript": "^5.7.3" } }],
+    "@vellumai/egress-proxy": ["@vellumai/egress-proxy@file:../packages/egress-proxy", { "devDependencies": { "@types/bun": "1.3.10", "typescript": "5.9.3" } }],
+
+    "@vellumai/service-contracts": ["@vellumai/service-contracts@file:../packages/service-contracts", { "dependencies": { "zod": "4.3.6" }, "devDependencies": { "@types/bun": "1.2.4", "typescript": "5.7.3" } }],
 
     "atomic-sleep": ["atomic-sleep@1.0.0", "", {}, "sha512-kNOjDqAh7px0XWNI+4QbzoiR/nTkHAWNud2uvnJquD1/x5a7EQZMJT0AczqK0Qn67oY/TTQ1LbUKajZpp3I9tQ=="],
 
@@ -40,7 +42,7 @@
 
     "end-of-stream": ["end-of-stream@1.4.5", "", { "dependencies": { "once": "^1.4.0" } }, "sha512-ooEGc6HP26xXq/N+GCGOT0JKCLDGrq2bQUZrQ7gyrJiZANJ/8YDTxTpQBXGMn+WbIQXNVpyWymm7KYVICQnyOg=="],
 
-    "fast-copy": ["fast-copy@4.0.2", "", {}, "sha512-ybA6PDXIXOXivLJK/z9e+Otk7ve13I4ckBvGO5I2RRmBU1gMHLVDJYEuJYhGwez7YNlYji2M2DvVU+a9mSFDlw=="],
+    "fast-copy": ["fast-copy@4.0.3", "", {}, "sha512-58apWr0GUiDFM8+3afrO6eYwJBn9ZAhDOzG3L+/9llab/haCARS2UIfffmOurYLwbgDRs8n0rfr6qAAPEAuAQw=="],
 
     "fast-safe-stringify": ["fast-safe-stringify@2.1.1", "", {}, "sha512-W+KJc2dmILlPplD/H4K9l9LcAHAfPtP6BY84uVLXQ6Evcz9Lcg33Y2z1IVblT6xdY54PXYVHEv+0Wpq8Io6zkA=="],
 
@@ -84,12 +86,18 @@
 
     "typescript": ["typescript@5.9.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw=="],
 
-    "undici-types": ["undici-types@7.18.2", "", {}, "sha512-AsuCzffGHJybSaRrmr5eHr81mwJU3kjw6M+uprWvCXiNeN9SOGwQ3Jn8jb8m3Z6izVgknn1R0FTCEAP2QrLY/w=="],
+    "undici-types": ["undici-types@7.19.2", "", {}, "sha512-qYVnV5OEm2AW8cJMCpdV20CDyaN3g0AjDlOGf1OW4iaDEx8MwdtChUp4zu4H0VP3nDRF/8RKWH+IPp9uW0YGZg=="],
 
     "wrappy": ["wrappy@1.0.2", "", {}, "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ=="],
 
     "zod": ["zod@4.3.6", "", {}, "sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg=="],
 
+    "@vellumai/service-contracts/@types/bun": ["@types/bun@1.2.4", "", { "dependencies": { "bun-types": "1.2.4" } }, "sha512-QtuV5OMR8/rdKJs213iwXDpfVvnskPXY/S0ZiFbsTjQZycuqPbMW8Gf/XhLfwE5njW8sxI2WjISURXPlHypMFA=="],
+
+    "@vellumai/service-contracts/typescript": ["typescript@5.7.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-84MVSjMEHP+FQRPy3pX9sTVV/INIex71s9TL2Gm5FG/WG1SqXeKyZ0k7/blY/4FdOzI12CBy1vGc4og/eus0fw=="],
+
     "pino-pretty/pino-abstract-transport": ["pino-abstract-transport@3.0.0", "", { "dependencies": { "split2": "^4.0.0" } }, "sha512-wlfUczU+n7Hy/Ha5j9a/gZNy7We5+cXp8YL+X+PG8S0KXxw7n/JXA3c46Y0zQznIJ83URJiwy7Lh56WLokNuxg=="],
+
+    "@vellumai/service-contracts/@types/bun/bun-types": ["bun-types@1.2.4", "", { "dependencies": { "@types/node": "*", "@types/ws": "~8.5.10" } }, "sha512-nDPymR207ZZEoWD4AavvEaa/KZe/qlrbMSchqpQwovPZCKc7pwMoENjEtHgMKaAjJhy+x6vfqSBA1QU3bJgs0Q=="],
   }
 }

package/node_modules/@vellumai/credential-storage/src/__tests__/package-boundary.test.ts

@@ -3,8 +3,13 @@
  *
  * Ensures the package:
  * 1. Does NOT import from the assistant daemon or CES modules.
- * 2. Exposes only local storage/runtime abstractions.
- * 3. Remains portable and self-contained.
+ * 2. Does NOT import from x-client packages (@vellumai/assistant-client,
+ *    @vellumai/ces-client, @vellumai/gateway-client).
+ * 3. Does NOT import from @vellumai/service-contracts runtime/internal modules
+ *    (the aggregate root or any subpath beyond what credential-storage needs
+ *    for pure type definitions is not required at all).
+ * 4. Exposes only local storage/runtime abstractions.
+ * 5. Remains portable and self-contained.
  */
 
 import { describe, expect, test } from "bun:test";
@@ -59,6 +64,21 @@ const FORBIDDEN_IMPORT_PATTERNS = [
   /from\s+["'].*\/tools\//,
   /from\s+["'].*\/oauth\/oauth-store/,
   /from\s+["'].*\/security\/secure-keys/,
+
+  // x-client packages (must not depend on any typed service client)
+  /from\s+["']@vellumai\/assistant-client(?:\/|["'])/,
+  /require\s*\(\s*["']@vellumai\/assistant-client(?:\/|["'])/,
+  /from\s+["']@vellumai\/ces-client(?:\/|["'])/,
+  /require\s*\(\s*["']@vellumai\/ces-client(?:\/|["'])/,
+  /from\s+["']@vellumai\/gateway-client(?:\/|["'])/,
+  /require\s*\(\s*["']@vellumai\/gateway-client(?:\/|["'])/,
+
+  // service-contracts aggregate root or internal subpaths
+  // credential-storage is a lower-layer package and must not depend on
+  // service-contracts (which sits at the same layer but deals with RPC
+  // protocol types, not storage abstractions).
+  /from\s+["']@vellumai\/service-contracts(?:\/|["'])/,
+  /require\s*\(\s*["']@vellumai\/service-contracts(?:\/|["'])/,
 ];
 
 describe("package boundary", () => {
@@ -68,7 +88,7 @@ describe("package boundary", () => {
     expect(sourceFiles.length).toBeGreaterThan(0);
   });
 
-  test("does not import from assistant or CES modules", () => {
+  test("does not import from assistant, CES, x-client, or service-contracts modules", () => {
     const violations: string[] = [];
 
     for (const file of sourceFiles) {
@@ -101,7 +121,7 @@ describe("package boundary", () => {
     expect(pkg.private).toBe(true);
   });
 
-  test("package.json does not depend on assistant or CES packages", () => {
+  test("package.json does not depend on assistant, CES, x-client, or service-contracts packages", () => {
     const pkg = JSON.parse(
       readFileSync(join(PACKAGE_ROOT, "package.json"), "utf-8"),
     );
@@ -113,8 +133,14 @@ describe("package boundary", () => {
     const forbidden = Object.keys(allDeps).filter(
       (dep) =>
         dep.includes("assistant") ||
-        dep.includes("ces") ||
-        dep.includes("daemon"),
+        dep.includes("daemon") ||
+        [
+          "@vellumai/ces-client",
+          "@vellumai/ces-contracts",
+          "@vellumai/service-contracts",
+          "@vellumai/assistant-client",
+          "@vellumai/gateway-client",
+        ].includes(dep),
     );
     expect(forbidden).toEqual([]);
   });

package/node_modules/@vellumai/egress-proxy/src/__tests__/package-boundary.test.ts

@@ -4,6 +4,13 @@
  * These tests ensure the egress-proxy package remains isolated from
  * assistant runtime and CES server implementation modules. If a direct
  * import of those modules is introduced, these tests will fail.
+ *
+ * Tightened boundaries (added):
+ * - Does NOT import from x-client packages (@vellumai/assistant-client,
+ *   @vellumai/ces-client, @vellumai/gateway-client).
+ * - Does NOT import from @vellumai/service-contracts (the egress-proxy
+ *   package deals only with proxy session lifecycle and must not depend on
+ *   CES wire-protocol types).
  */
 
 import { describe, expect, test } from "bun:test";
@@ -66,6 +73,25 @@ const FORBIDDEN_PATTERNS = [
   /require\s*\(.*\/gateway\/src\//,
   /import\s+['"].*\/gateway\/src\//,
   /import\s+['"]@vellumai\/vellum-gateway/,
+
+  // x-client packages (must not depend on any typed service client)
+  /from\s+['"]@vellumai\/assistant-client(?:\/|['"])/,
+  /import\s+['"]@vellumai\/assistant-client(?:\/|['"])/,
+  /require\s*\(['"]@vellumai\/assistant-client(?:\/|['"])/,
+  /from\s+['"]@vellumai\/ces-client(?:\/|['"])/,
+  /import\s+['"]@vellumai\/ces-client(?:\/|['"])/,
+  /require\s*\(['"]@vellumai\/ces-client(?:\/|['"])/,
+  /from\s+['"]@vellumai\/gateway-client(?:\/|['"])/,
+  /import\s+['"]@vellumai\/gateway-client(?:\/|['"])/,
+  /require\s*\(['"]@vellumai\/gateway-client(?:\/|['"])/,
+
+  // service-contracts (RPC protocol types — egress-proxy must not depend on CES wire types)
+  /from\s+['"]@vellumai\/service-contracts(?:\/|['"])/,
+  /import\s+['"]@vellumai\/service-contracts(?:\/|['"])/,
+  /require\s*\(['"]@vellumai\/service-contracts(?:\/|['"])/,
+  /from\s+['"]@vellumai\/ces-contracts(?:\/|['"])/,
+  /import\s+['"]@vellumai\/ces-contracts(?:\/|['"])/,
+  /require\s*\(['"]@vellumai\/ces-contracts(?:\/|['"])/,
 ];
 
 describe("package boundary", () => {
@@ -94,7 +120,7 @@ describe("package boundary", () => {
     }
   });
 
-  test("package.json has no dependencies on assistant, CES, or gateway", async () => {
+  test("package.json has no dependencies on assistant, CES, gateway, x-client, or service-contracts", async () => {
     const pkgJsonPath = resolve(PKG_SRC, "..", "package.json");
     const pkgJson = JSON.parse(await Bun.file(pkgJsonPath).text());
 
@@ -109,6 +135,11 @@ describe("package boundary", () => {
       "@vellumai/assistant",
       "@vellumai/ces",
       "@vellumai/vellum-gateway",
+      "@vellumai/assistant-client",
+      "@vellumai/ces-client",
+      "@vellumai/ces-contracts",
+      "@vellumai/gateway-client",
+      "@vellumai/service-contracts",
     ];
 
     for (const dep of forbidden) {

package/node_modules/@vellumai/egress-proxy/src/types.ts

@@ -197,12 +197,19 @@ export type PolicyDecision =
 /**
  * Callback invoked by the proxy HTTP forwarder for each outbound request.
  * Returns injected headers on allow, or `null` to block the request.
+ *
+ * `method` and `requestHeaders` are populated for plain-HTTP proxied
+ * requests (absolute-URL form). For HTTPS CONNECT tunnels the proxy has
+ * not yet terminated TLS and cannot see HTTP-level details, so these are
+ * left undefined.
  */
 export type PolicyCallback = (
   hostname: string,
   port: number | null,
   path: string,
   scheme: "http" | "https",
+  method?: string,
+  requestHeaders?: Record<string, string | string[] | undefined>,
 ) => Promise<Record<string, string> | null>;
 
 /**
@@ -216,6 +223,18 @@ export interface ProxyApprovalRequest {
     | PolicyDecisionAskUnauthenticated;
   /** The proxy session ID that originated the request. */
   sessionId: ProxySessionId;
+  /**
+   * HTTP method of the incoming request, when available. Undefined for HTTPS
+   * CONNECT tunnels — at CONNECT time the proxy has not terminated TLS so
+   * no HTTP-level information is visible.
+   */
+  method?: string;
+  /**
+   * Curated subset of request headers, when available. Only non-sensitive
+   * headers are surfaced (content-type, content-length, user-agent, accept).
+   * Undefined for HTTPS CONNECT tunnels.
+   */
+  requestHeaders?: Record<string, string>;
 }
 
 /**

package/node_modules/@vellumai/{ces-contracts → service-contracts}/bun.lock

@@ -3,7 +3,7 @@
   "configVersion": 1,
   "workspaces": {
     "": {
-      "name": "@vellumai/ces-contracts",
+      "name": "@vellumai/service-contracts",
       "dependencies": {
         "zod": "4.3.6",
       },

package/node_modules/@vellumai/{ces-contracts → service-contracts}/package.json

@@ -1,16 +1,18 @@
 {
-  "name": "@vellumai/ces-contracts",
+  "name": "@vellumai/service-contracts",
   "version": "0.0.1",
   "private": true,
   "license": "MIT",
   "type": "module",
   "exports": {
     ".": "./src/index.ts",
+    "./credential-rpc": "./src/credential-rpc.ts",
+    "./trust-rules": "./src/trust-rules.ts",
     "./handles": "./src/handles.ts",
     "./grants": "./src/grants.ts",
     "./rpc": "./src/rpc.ts",
     "./rendering": "./src/rendering.ts",
-    "./trust-rules": "./src/trust-rules.ts"
+    "./error": "./src/error.ts"
   },
   "scripts": {
     "typecheck": "bunx tsc --noEmit",

package/node_modules/@vellumai/{ces-contracts → service-contracts}/src/__tests__/contracts.test.ts

@@ -1,5 +1,5 @@
 /**
- * Tests for @vellumai/ces-contracts
+ * Tests for @vellumai/service-contracts
  *
  * These tests verify:
  * 1. The package can be consumed independently (no assistant/ or CES imports).
@@ -30,6 +30,10 @@ describe("package independence", () => {
     "../grants.ts",
     "../rpc.ts",
     "../rendering.ts",
+    "../transport.ts",
+    "../credential-rpc.ts",
+    "../trust-rules.ts",
+    "../error.ts",
   ];
 
   for (const file of sourceFiles) {

package/node_modules/@vellumai/service-contracts/src/__tests__/package-boundary.test.ts

@@ -0,0 +1,155 @@
+/**
+ * Package boundary tests for @vellumai/service-contracts.
+ *
+ * Ensures the package:
+ * 1. Does NOT import from assistant, gateway, credential-executor, or other
+ *    service runtime modules.
+ * 2. Does NOT import from runtime shared packages that sit above it in the
+ *    dependency hierarchy (@vellumai/credential-storage, @vellumai/egress-proxy,
+ *    @vellumai/skill-host-contracts).
+ * 3. Does NOT import from x-client packages (@vellumai/assistant-client,
+ *    @vellumai/ces-client, @vellumai/gateway-client).
+ * 4. Remains a pure schema/type package — no runtime dependencies beyond zod.
+ *
+ * @vellumai/service-contracts is the lowest layer of the shared packages
+ * hierarchy and must not depend on any higher-layer package.
+ */
+
+import { describe, expect, test } from "bun:test";
+import { readFileSync, readdirSync, statSync } from "node:fs";
+import { join, resolve } from "node:path";
+
+const PACKAGE_ROOT = resolve(import.meta.dirname, "../..");
+const SRC_DIR = join(PACKAGE_ROOT, "src");
+
+/**
+ * Recursively collect all .ts source files, excluding test and declaration files.
+ */
+function collectSourceFiles(dir: string): string[] {
+  const files: string[] = [];
+  for (const entry of readdirSync(dir)) {
+    const full = join(dir, entry);
+    const stat = statSync(full);
+    if (stat.isDirectory()) {
+      if (entry === "node_modules" || entry === "__tests__") continue;
+      files.push(...collectSourceFiles(full));
+    } else if (
+      entry.endsWith(".ts") &&
+      !entry.endsWith(".test.ts") &&
+      !entry.endsWith(".d.ts")
+    ) {
+      files.push(full);
+    }
+  }
+  return files;
+}
+
+/**
+ * Patterns that must NOT appear in any import/require statement within
+ * source files. These catch imports from higher-layer packages that would
+ * create a forbidden upward dependency.
+ */
+const FORBIDDEN_IMPORT_PATTERNS = [
+  // Assistant runtime
+  /from\s+["'](?:\.\.\/)*assistant(?:\/|["'])/,
+  /require\s*\(\s*["'](?:\.\.\/)*assistant(?:\/|["'])/,
+  /from\s+["']@vellumai\/assistant(?:\/|["'])/,
+  /require\s*\(\s*["']@vellumai\/assistant(?:\/|["'])/,
+
+  // Gateway
+  /from\s+["'](?:\.\.\/)*gateway(?:\/|["'])/,
+  /require\s*\(\s*["'](?:\.\.\/)*gateway(?:\/|["'])/,
+  /from\s+["']@vellumai\/(?:vellum-)?gateway(?:\/|["'])/,
+  /require\s*\(\s*["']@vellumai\/(?:vellum-)?gateway(?:\/|["'])/,
+
+  // Credential executor
+  /from\s+["'](?:\.\.\/)*credential-executor(?:\/|["'])/,
+  /require\s*\(\s*["'](?:\.\.\/)*credential-executor(?:\/|["'])/,
+  /from\s+["']@vellumai\/credential-executor(?:\/|["'])/,
+  /require\s*\(\s*["']@vellumai\/credential-executor(?:\/|["'])/,
+
+  // Runtime shared packages (higher layer)
+  /from\s+["']@vellumai\/credential-storage(?:\/|["'])/,
+  /require\s*\(\s*["']@vellumai\/credential-storage(?:\/|["'])/,
+  /from\s+["']@vellumai\/egress-proxy(?:\/|["'])/,
+  /require\s*\(\s*["']@vellumai\/egress-proxy(?:\/|["'])/,
+  /from\s+["']@vellumai\/skill-host-contracts(?:\/|["'])/,
+  /require\s*\(\s*["']@vellumai\/skill-host-contracts(?:\/|["'])/,
+
+  // x-client packages (higher layer)
+  /from\s+["']@vellumai\/assistant-client(?:\/|["'])/,
+  /require\s*\(\s*["']@vellumai\/assistant-client(?:\/|["'])/,
+  /from\s+["']@vellumai\/ces-client(?:\/|["'])/,
+  /require\s*\(\s*["']@vellumai\/ces-client(?:\/|["'])/,
+  /from\s+["']@vellumai\/gateway-client(?:\/|["'])/,
+  /require\s*\(\s*["']@vellumai\/gateway-client(?:\/|["'])/,
+];
+
+describe("package boundary", () => {
+  const sourceFiles = collectSourceFiles(SRC_DIR);
+
+  test("has source files to validate", () => {
+    expect(sourceFiles.length).toBeGreaterThan(0);
+  });
+
+  test("does not import from runtime or higher-layer packages", () => {
+    const violations: string[] = [];
+
+    for (const file of sourceFiles) {
+      const content = readFileSync(file, "utf-8");
+      const lines = content.split("\n");
+
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const pattern of FORBIDDEN_IMPORT_PATTERNS) {
+          if (pattern.test(line)) {
+            const relative = file.replace(PACKAGE_ROOT + "/", "");
+            violations.push(`${relative}:${i + 1}: ${line.trim()}`);
+          }
+        }
+      }
+    }
+
+    if (violations.length > 0) {
+      throw new Error(
+        `Found ${violations.length} forbidden import(s) in service-contracts package:\n` +
+          violations.map((v) => `  - ${v}`).join("\n") +
+          "\n\n" +
+          "@vellumai/service-contracts is a pure schema/type package and must not\n" +
+          "import from runtime services or higher-layer packages.",
+      );
+    }
+  });
+
+  test("package.json declares it as private", () => {
+    const pkg = JSON.parse(
+      readFileSync(join(PACKAGE_ROOT, "package.json"), "utf-8"),
+    );
+    expect(pkg.private).toBe(true);
+  });
+
+  test("package.json does not depend on runtime or higher-layer packages", () => {
+    const pkg = JSON.parse(
+      readFileSync(join(PACKAGE_ROOT, "package.json"), "utf-8"),
+    );
+    const allDeps = {
+      ...pkg.dependencies,
+      ...pkg.devDependencies,
+      ...pkg.peerDependencies,
+    };
+
+    const forbidden = Object.keys(allDeps).filter((dep) =>
+      [
+        "@vellumai/assistant",
+        "@vellumai/credential-storage",
+        "@vellumai/egress-proxy",
+        "@vellumai/skill-host-contracts",
+        "@vellumai/assistant-client",
+        "@vellumai/ces-client",
+        "@vellumai/gateway-client",
+      ].includes(dep),
+    );
+
+    expect(forbidden).toEqual([]);
+  });
+});

package/node_modules/@vellumai/service-contracts/src/credential-rpc.ts

@@ -0,0 +1,23 @@
+/**
+ * @vellumai/service-contracts/credential-rpc
+ *
+ * Domain entrypoint for the CES (Credential Execution Service) transport and
+ * RPC surface. Re-exports the transport/RPC/handles/grants/rendering/error
+ * contracts without the trust-rule helpers.
+ *
+ * Prefer this subpath over the root `.` import when you only need the
+ * credential RPC surface:
+ *
+ *   import { CesRpcMethod, MakeAuthenticatedRequestSchema } from "@vellumai/service-contracts/credential-rpc";
+ *
+ * For trust-rule types use the dedicated subpath:
+ *
+ *   import { TrustRule, parseTrustRule } from "@vellumai/service-contracts/trust-rules";
+ */
+
+export * from "./transport.js";
+export * from "./error.js";
+export * from "./handles.js";
+export * from "./grants.js";
+export * from "./rendering.js";
+export * from "./rpc.js";

package/node_modules/@vellumai/service-contracts/src/index.ts

@@ -0,0 +1,25 @@
+/**
+ * @vellumai/service-contracts — aggregate export (compat entry point)
+ *
+ * This is a compatibility aggregate that re-exports everything from all
+ * submodules. Prefer the explicit domain subpaths for new code:
+ *
+ *   - `@vellumai/service-contracts/credential-rpc`  — transport, RPC, handles, grants, rendering, error
+ *   - `@vellumai/service-contracts/trust-rules`     — trust-rule types and parsing helpers
+ *
+ * Fine-grained subpaths are also available for low-friction migration:
+ *   `./rpc`, `./handles`, `./grants`, `./rendering`, `./error`, `./trust-rules`
+ *
+ * Neutral wire-protocol contracts for communication between the assistant
+ * daemon and the Credential Execution Service (CES). This package is
+ * intentionally free of imports from `assistant/` or any CES implementation
+ * module so that both sides can depend on it without circular references.
+ */
+
+export * from "./transport.js";
+export * from "./error.js";
+export * from "./handles.js";
+export * from "./grants.js";
+export * from "./rpc.js";
+export * from "./rendering.js";
+export * from "./trust-rules.js";

package/node_modules/@vellumai/{ces-contracts/src/index.ts → service-contracts/src/transport.ts}

@@ -1,10 +1,9 @@
 /**
- * @vellumai/ces-contracts
+ * Transport-level handshake and envelope schemas.
  *
- * Neutral wire-protocol contracts for communication between the assistant
- * daemon and the Credential Execution Service (CES). This package is
- * intentionally free of imports from `assistant/` or any CES implementation
- * module so that both sides can depend on it without circular references.
+ * Extracted from the aggregate index to allow credential-rpc.ts to import
+ * the full transport surface without creating a circular dependency through
+ * index.ts.
  */
 
 import { z } from "zod";
@@ -35,9 +34,8 @@ export const HandshakeRequestSchema = z.object({
   assistantApiKey: z.string().optional(),
   /**
    * Optional platform assistant ID passed from the assistant runtime.
-   * In managed (sidecar) mode with warm pools, the PLATFORM_ASSISTANT_ID
-   * env var may not be set at CES startup. The assistant forwards it here
-   * so CES can use it for platform credential materialisation.
+   * The assistant ID is not available at CES startup (warm-pool pods),
+   * so the assistant forwards it here for platform credential materialisation.
    */
   assistantId: z.string().optional(),
 });
@@ -75,16 +73,6 @@ export const RpcEnvelopeSchema = z.object({
 });
 export type RpcEnvelope = z.infer<typeof RpcEnvelopeSchema>;
 
-// ---------------------------------------------------------------------------
-// RPC error (defined in error.ts to avoid circular deps with rpc.ts)
-// ---------------------------------------------------------------------------
-
-export {
-  RpcErrorSchema,
-  type RpcError,
-  MANAGED_LOCAL_STATIC_REJECTION_ERROR,
-} from "./error.js";
-
 // ---------------------------------------------------------------------------
 // Tool request / response base shapes
 // ---------------------------------------------------------------------------
@@ -143,13 +131,3 @@ export const TransportMessageSchema = z.discriminatedUnion("type", [
   RpcEnvelopeSchema.extend({ type: z.literal("rpc") }),
 ]);
 export type TransportMessage = z.infer<typeof TransportMessageSchema>;
-
-// ---------------------------------------------------------------------------
-// Re-exports from sub-modules
-// ---------------------------------------------------------------------------
-
-export * from "./handles.js";
-export * from "./grants.js";
-export * from "./rpc.js";
-export * from "./rendering.js";
-export * from "./trust-rules.js";