ThirdKeyAI
diff --git a/‎LICENSE‎
Lines changed: 47 additions & 6 deletions b/‎LICENSE‎
Lines changed: 47 additions & 6 deletions
diff --git a/‎README.md‎
Lines changed: 36 additions & 2 deletions b/‎README.md‎
Lines changed: 36 additions & 2 deletions
diff --git a/‎SECURITY.md‎
Lines changed: 1 addition & 1 deletion b/‎SECURITY.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎crates/runtime/src/communication/mod.rs‎
Lines changed: 174 additions & 2 deletions b/‎crates/runtime/src/communication/mod.rs‎
Lines changed: 174 additions & 2 deletions
@@ -1,13 +1,30 @@
-MIT License
+# Symbiont by ThirdKey.ai
+Combined Licensing Notice
+
+This repository includes software licensed under both the MIT License and the GNU Affero General Public License v3.0 (AGPL-3.0).
+
+Please review the license terms for each component carefully.
+
+--------------------------------------------------------------------------------
+MIT License Applies To:
+
+All files in this repository **except**:
+- `/crates/runtime/src/communication/`
+
+This includes:
+- `/crates/runtime/` (except `src/communication/`)
+- `/crates/cli/`
+- `/crates/sdk-python/`, `/sdk-go/`, `/sdk-js/`
+- `/examples/`, `/docs/`, `/tools/`, and all other paths
 
 Copyright (c) 2025 Jascha Wanger / ThirdKey.ai
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+in the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
 
 The above copyright notice and this permission notice shall be included in all
 copies or substantial portions of the Software.
@@ -18,4 +35,28 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+SOFTWARE.
+
+--------------------------------------------------------------------------------
+AGPL-3.0 License Applies To:
+
+The communication layer code located in:
+
+- `/crates/runtime/src/communication/`
+
+This component implements the Symbiont Message Bus and Coordination Layer.
+
+It is licensed under the GNU Affero General Public License v3.0:
+
+https://www.gnu.org/licenses/agpl-3.0.html
+
+### Commercial Licensing
+
+If you wish to:
+- Use the Symbiont Message Bus in a proprietary or closed-source application,
+- Offer it as part of a hosted or managed service,
+- Embed it within a commercial product,
+
+you must obtain a commercial license from ThirdKey.ai.
+
+Contact: **licensing@thirdkey.ai**
@@ -97,8 +97,9 @@ symbi/
 - **RAG Engine**: Retrieval-augmented generation with vector search
 - **Context Management**: Persistent agent memory and knowledge storage
 - **Vector Database**: Qdrant integration for semantic search
-- **Basic Secrets Management**: Local encrypted file storage for configurations
-- **Cryptographic CLI**: Tool for encrypting/decrypting secret files
+- **Comprehensive Secrets Management**: HashiCorp Vault integration with multiple auth methods
+- **Encrypted File Backend**: AES-256-GCM encryption with OS keychain integration
+- **Secrets CLI Tools**: Complete encrypt/decrypt/edit operations with audit trails
 - **HTTP API**: Optional RESTful interface (feature-gated)
 
 ### 🏢 Enterprise Features (License Required)
@@ -140,12 +141,45 @@ agent analyze_data(input: DataSet) -> Result {
 }
 ```
 
+## 🔐 Secrets Management
+
+Symbi provides enterprise-grade secrets management with multiple backend options:
+
+### Backend Options
+- **HashiCorp Vault**: Production-ready secrets management with multiple authentication methods
+  - Token-based authentication
+  - Kubernetes service account authentication
+- **Encrypted Files**: Local AES-256-GCM encrypted storage with OS keychain integration
+- **Agent Namespaces**: Scoped secrets access per agent for isolation
+
+### CLI Operations
+```bash
+# Encrypt secrets file
+symbi secrets encrypt config.json --output config.enc
+
+# Decrypt secrets file
+symbi secrets decrypt config.enc --output config.json
+
+# Edit encrypted secrets directly
+symbi secrets edit config.enc
+
+# Configure Vault backend
+symbi secrets configure vault --endpoint https://vault.company.com
+```
+
+### Audit & Compliance
+- Complete audit trails for all secrets operations
+- Cryptographic integrity verification
+- Agent-scoped access controls
+- Tamper-evident logging
+
 ## 🔒 Security Model
 
 ### Basic Security (Community)
 - **Tier 1 Isolation**: Docker containerized agent execution
 - **Schema Verification**: Cryptographic tool validation with SchemaPin
 - **Policy Engine**: Basic resource access control
+- **Secrets Management**: Vault integration and encrypted file storage
 - **Audit Logging**: Operation tracking and compliance
 
 ### Advanced Security (Enterprise)
 
@@ -18,7 +18,7 @@ We take security vulnerabilities seriously. If you discover a security vulnerabi
 
 Instead, please:
 
-1. **Email**: Send details to [INSERT SECURITY EMAIL]
+1. **Email**: Send details to security@symbiont.dev
 2. **Subject**: Include "SECURITY" in the subject line
 3. **Content**: Include the following information:
    - Description of the vulnerability
 
@@ -7,8 +7,8 @@ use parking_lot::RwLock;
 use std::collections::HashMap;
 use std::sync::Arc;
 use std::time::{Duration, SystemTime};
-use tokio::sync::{mpsc, Notify};
-use tokio::time::interval;
+use tokio::sync::{mpsc, oneshot, Notify};
+use tokio::time::{interval, timeout};
 
 use crate::types::*;
 
@@ -50,6 +50,14 @@ pub trait CommunicationBus {
     /// Unregister an agent
     async fn unregister_agent(&self, agent_id: AgentId) -> Result<(), CommunicationError>;
 
+    /// Send a request and wait for response with timeout
+    async fn request(
+        &self,
+        target_agent: AgentId,
+        request_payload: bytes::Bytes,
+        timeout_duration: Duration,
+    ) -> Result<bytes::Bytes, CommunicationError>;
+
     /// Shutdown the communication bus
     async fn shutdown(&self) -> Result<(), CommunicationError>;
 }
@@ -89,6 +97,7 @@ pub struct DefaultCommunicationBus {
     subscriptions: Arc<RwLock<HashMap<String, Vec<AgentId>>>>,
     message_tracker: Arc<RwLock<HashMap<MessageId, MessageTracker>>>,
     dead_letter_queue: Arc<RwLock<DeadLetterQueue>>,
+    pending_requests: Arc<RwLock<HashMap<RequestId, oneshot::Sender<bytes::Bytes>>>>,
     event_sender: mpsc::UnboundedSender<CommunicationEvent>,
     shutdown_notify: Arc<Notify>,
     is_running: Arc<RwLock<bool>>,
@@ -103,6 +112,7 @@ impl DefaultCommunicationBus {
         let dead_letter_queue = Arc::new(RwLock::new(DeadLetterQueue::new(
             config.dead_letter_queue_size,
         )));
+        let pending_requests = Arc::new(RwLock::new(HashMap::new()));
         let (event_sender, event_receiver) = mpsc::unbounded_channel();
         let shutdown_notify = Arc::new(Notify::new());
         let is_running = Arc::new(RwLock::new(true));
@@ -113,6 +123,7 @@ impl DefaultCommunicationBus {
             subscriptions,
             message_tracker,
             dead_letter_queue,
+            pending_requests,
             event_sender,
             shutdown_notify,
             is_running,
@@ -134,6 +145,7 @@ impl DefaultCommunicationBus {
         let subscriptions = self.subscriptions.clone();
         let message_tracker = self.message_tracker.clone();
         let dead_letter_queue = self.dead_letter_queue.clone();
+        let pending_requests = self.pending_requests.clone();
         let shutdown_notify = self.shutdown_notify.clone();
         let config = self.config.clone();
 
@@ -148,6 +160,7 @@ impl DefaultCommunicationBus {
                                 &subscriptions,
                                 &message_tracker,
                                 &dead_letter_queue,
+                                &pending_requests,
                                 &config,
                             ).await;
                         } else {
@@ -198,13 +211,24 @@ impl DefaultCommunicationBus {
         subscriptions: &Arc<RwLock<HashMap<String, Vec<AgentId>>>>,
         message_tracker: &Arc<RwLock<HashMap<MessageId, MessageTracker>>>,
         dead_letter_queue: &Arc<RwLock<DeadLetterQueue>>,
+        pending_requests: &Arc<RwLock<HashMap<RequestId, oneshot::Sender<bytes::Bytes>>>>,
         config: &CommunicationConfig,
     ) {
         match event {
             CommunicationEvent::MessageSent { message } => {
                 let recipient = message.recipient;
                 let message_id = message.id;
 
+                // Check if this is a response to a pending request
+                if let MessageType::Response(request_id) = &message.message_type {
+                    if let Some(sender) = pending_requests.write().remove(request_id) {
+                        // Send response payload to waiting request
+                        let _ = sender.send(message.payload.data.clone());
+                        tracing::debug!("Response {} sent for request {:?}", message_id, request_id);
+                        return;
+                    }
+                }
+
                 // Add to message tracker
                 message_tracker
                     .write()
@@ -302,6 +326,7 @@ impl DefaultCommunicationBus {
                         subscriptions,
                         message_tracker,
                         dead_letter_queue,
+                        pending_requests,
                         config,
                     ))
                     .await;
@@ -518,6 +543,66 @@ impl CommunicationBus for DefaultCommunicationBus {
         Ok(())
     }
 
+    async fn request(
+        &self,
+        target_agent: AgentId,
+        request_payload: bytes::Bytes,
+        timeout_duration: Duration,
+    ) -> Result<bytes::Bytes, CommunicationError> {
+        if !*self.is_running.read() {
+            return Err(CommunicationError::ShuttingDown);
+        }
+
+        // Create request ID and oneshot channel for response
+        let request_id = RequestId::new();
+        let (response_sender, response_receiver) = oneshot::channel();
+
+        // Store the response sender
+        self.pending_requests.write().insert(request_id, response_sender);
+
+        // Create request message
+        let request_message = SecureMessage {
+            id: MessageId::new(),
+            sender: AgentId::new(), // TODO: Should be the actual sender agent ID
+            recipient: Some(target_agent),
+            topic: None,
+            message_type: MessageType::Request(request_id),
+            payload: EncryptedPayload {
+                data: request_payload,
+                nonce: vec![0u8; 12], // TODO: Generate proper nonce
+                encryption_algorithm: EncryptionAlgorithm::Aes256Gcm,
+            },
+            signature: MessageSignature {
+                signature: vec![0u8; 64], // TODO: Generate proper signature
+                algorithm: SignatureAlgorithm::Ed25519,
+                public_key: vec![0u8; 32], // TODO: Use proper public key
+            },
+            ttl: timeout_duration,
+            timestamp: SystemTime::now(),
+        };
+
+        // Send the request
+        self.send_message(request_message).await?;
+
+        // Wait for response with timeout
+        match timeout(timeout_duration, response_receiver).await {
+            Ok(Ok(response_payload)) => Ok(response_payload),
+            Ok(Err(_)) => {
+                // Remove from pending requests if channel was dropped
+                self.pending_requests.write().remove(&request_id);
+                Err(CommunicationError::RequestCancelled { request_id })
+            }
+            Err(_) => {
+                // Timeout occurred
+                self.pending_requests.write().remove(&request_id);
+                Err(CommunicationError::RequestTimeout {
+                    request_id,
+                    timeout: timeout_duration,
+                })
+            }
+        }
+    }
+
     async fn shutdown(&self) -> Result<(), CommunicationError> {
         tracing::info!("Shutting down communication bus");
 
@@ -826,4 +911,91 @@ mod tests {
         let result = bus.receive_messages(agent_id).await;
         assert!(result.is_err());
     }
+
+    #[tokio::test]
+    async fn test_request_response_timeout() {
+        let bus = DefaultCommunicationBus::new(CommunicationConfig::default())
+            .await
+            .unwrap();
+        let target_agent = AgentId::new();
+
+        // Register target agent (but it won't respond)
+        bus.register_agent(target_agent).await.unwrap();
+        tokio::time::sleep(Duration::from_millis(50)).await;
+
+        // Make request with short timeout
+        let request_payload = bytes::Bytes::from("test request");
+        let timeout = Duration::from_millis(100);
+
+        let result = bus.request(target_agent, request_payload, timeout).await;
+        assert!(result.is_err());
+
+        if let Err(CommunicationError::RequestTimeout { request_id: _, timeout: actual_timeout }) = result {
+            assert_eq!(actual_timeout, timeout);
+        } else {
+            panic!("Expected RequestTimeout error");
+        }
+    }
+
+    #[tokio::test]
+    async fn test_request_response_success() {
+        let bus = DefaultCommunicationBus::new(CommunicationConfig::default())
+            .await
+            .unwrap();
+        let requester = AgentId::new();
+        let responder = AgentId::new();
+
+        // Register both agents
+        bus.register_agent(requester).await.unwrap();
+        bus.register_agent(responder).await.unwrap();
+        tokio::time::sleep(Duration::from_millis(50)).await;
+
+        let request_payload = bytes::Bytes::from("test request");
+        let response_payload = bytes::Bytes::from("test response");
+
+        // Start request in background
+        let bus_clone = Arc::new(bus);
+        let request_bus = bus_clone.clone();
+        let request_handle = tokio::spawn(async move {
+            request_bus.request(responder, request_payload, Duration::from_secs(5)).await
+        });
+
+        // Give request time to be sent
+        tokio::time::sleep(Duration::from_millis(100)).await;
+
+        // Responder receives the request and sends response
+        let messages = bus_clone.receive_messages(responder).await.unwrap();
+        assert_eq!(messages.len(), 1);
+        assert!(matches!(messages[0].message_type, MessageType::Request(_)));
+
+        // Extract request ID and send response
+        if let MessageType::Request(request_id) = &messages[0].message_type {
+            let response_message = SecureMessage {
+                id: MessageId::new(),
+                sender: responder,
+                recipient: Some(requester),
+                topic: None,
+                message_type: MessageType::Response(*request_id),
+                payload: EncryptedPayload {
+                    data: response_payload.clone(),
+                    nonce: vec![0u8; 12],
+                    encryption_algorithm: EncryptionAlgorithm::Aes256Gcm,
+                },
+                signature: MessageSignature {
+                    signature: vec![0u8; 64],
+                    algorithm: SignatureAlgorithm::Ed25519,
+                    public_key: vec![0u8; 32],
+                },
+                ttl: Duration::from_secs(3600),
+                timestamp: SystemTime::now(),
+            };
+
+            bus_clone.send_message(response_message).await.unwrap();
+        }
+
+        // Wait for request to complete
+        let result = request_handle.await.unwrap();
+        assert!(result.is_ok());
+        assert_eq!(result.unwrap(), response_payload);
+    }
 }