@aletheia-labs/core 0.1.0

package/LICENSE

@@ -0,0 +1,176 @@
+Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction,
+and distribution as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by
+the copyright owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all
+other entities that control, are controlled by, or are under common
+control with that entity. For the purposes of this definition,
+"control" means (i) the power, direct or indirect, to cause the
+direction or management of such entity, whether by contract or
+otherwise, or (ii) ownership of fifty percent (50%) or more of the
+outstanding shares, or (iii) beneficial ownership of such entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity
+exercising permissions granted by this License.
+
+"Source" form shall mean the preferred form for making modifications,
+including but not limited to software source code, documentation
+source, and configuration files.
+
+"Object" form shall mean any form resulting from mechanical
+transformation or translation of a Source form, including but
+not limited to compiled object code, generated documentation,
+and conversions to other media types.
+
+"Work" shall mean the work of authorship, whether in Source or
+Object form, made available under the License, as indicated by a
+copyright notice that is included in or attached to the work
+(an example is provided in the Appendix below).
+
+"Derivative Works" shall mean any work, whether in Source or Object
+form, that is based on (or derived from) the Work and for which the
+editorial revisions, annotations, elaborations, or other modifications
+represent, as a whole, an original work of authorship. For the purposes
+of this License, Derivative Works shall not include works that remain
+separable from, or merely link (or bind by name) to the interfaces of,
+the Work and Derivative Works thereof.
+
+"Contribution" shall mean any work of authorship, including
+the original version of the Work and any modifications or additions
+to that Work or Derivative Works thereof, that is intentionally
+submitted to Licensor for inclusion in the Work by the copyright owner
+or by an individual or Legal Entity authorized to submit on behalf of
+the copyright owner. For the purposes of this definition, "submitted"
+means any form of electronic, verbal, or written communication sent
+to the Licensor or its representatives, including but not limited to
+communication on electronic mailing lists, source code control systems,
+and issue tracking systems that are managed by, or on behalf of, the
+Licensor for the purpose of discussing and improving the Work, but
+excluding communication that is conspicuously marked or otherwise
+designated in writing by the copyright owner as "Not a Contribution."
+
+"Contributor" shall mean Licensor and any individual or Legal Entity
+on behalf of whom a Contribution has been received by Licensor and
+subsequently incorporated within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of
+this License, each Contributor hereby grants to You a perpetual,
+worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+copyright license to reproduce, prepare Derivative Works of,
+publicly display, publicly perform, sublicense, and distribute the
+Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of
+this License, each Contributor hereby grants to You a perpetual,
+worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+(except as stated in this section) patent license to make, have made,
+use, offer to sell, sell, import, and otherwise transfer the Work,
+where such license applies only to those patent claims licensable
+by such Contributor that are necessarily infringed by their
+Contribution(s) alone or by combination of their Contribution(s)
+with the Work to which such Contribution(s) was submitted. If You
+institute patent litigation against any entity (including a
+cross-claim or counterclaim in a lawsuit) alleging that the Work
+or a Contribution incorporated within the Work constitutes direct
+or contributory patent infringement, then any patent licenses
+granted to You under this License for that Work shall terminate
+as of the date such litigation is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the
+Work or Derivative Works thereof in any medium, with or without
+modifications, and in Source or Object form, provided that You
+meet the following conditions:
+
+(a) You must give any other recipients of the Work or
+Derivative Works a copy of this License; and
+
+(b) You must cause any modified files to carry prominent notices
+stating that You changed the files; and
+
+(c) You must retain, in the Source form of any Derivative Works
+that You distribute, all copyright, patent, trademark, and
+attribution notices from the Source form of the Work,
+excluding those notices that do not pertain to any part of
+the Derivative Works; and
+
+(d) If the Work includes a "NOTICE" text file as part of its
+distribution, then any Derivative Works that You distribute must
+include a readable copy of the attribution notices contained
+within such NOTICE file, excluding those notices that do not
+pertain to any part of the Derivative Works, in at least one
+of the following places: within a NOTICE text file distributed
+as part of the Derivative Works; within the Source form or
+documentation, if provided along with the Derivative Works; or,
+within a display generated by the Derivative Works, if and
+wherever such third-party notices normally appear. The contents
+of the NOTICE file are for informational purposes only and
+do not modify the License. You may add Your own attribution
+notices within Derivative Works that You distribute, alongside
+or as an addendum to the NOTICE text from the Work, provided
+that such additional attribution notices cannot be construed
+as modifying the License.
+
+You may add Your own copyright statement to Your modifications and
+may provide additional or different license terms and conditions
+for use, reproduction, or distribution of Your modifications, or
+for any such Derivative Works as a whole, provided Your use,
+reproduction, and distribution of the Work otherwise complies with
+the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise,
+any Contribution intentionally submitted for inclusion in the Work
+by You to the Licensor shall be under the terms and conditions of
+this License, without any additional terms or conditions.
+Notwithstanding the above, nothing herein shall supersede or modify
+the terms of any separate license agreement you may have executed
+with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade
+names, trademarks, service marks, or product names of the Licensor,
+except as required for reasonable and customary use in describing the
+origin of the Work and reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or
+agreed to in writing, Licensor provides the Work (and each
+Contributor provides its Contributions) on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+implied, including, without limitation, any warranties or conditions
+of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+PARTICULAR PURPOSE. You are solely responsible for determining the
+appropriateness of using or redistributing the Work and assume any
+risks associated with Your exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory,
+whether in tort (including negligence), contract, or otherwise,
+unless required by applicable law (such as deliberate and grossly
+negligent acts) or agreed to in writing, shall any Contributor be
+liable to You for damages, including any direct, indirect, special,
+incidental, or consequential damages of any character arising as a
+result of this License or out of the use or inability to use the
+Work (including but not limited to damages for loss of goodwill,
+work stoppage, computer failure or malfunction, or any and all
+other commercial damages or losses), even if such Contributor
+has been advised of the possibility of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing
+the Work or Derivative Works thereof, You may choose to offer,
+and charge a fee for, acceptance of support, warranty, indemnity,
+or other liability obligations and/or rights consistent with this
+License. However, in accepting such obligations, You may act only
+on Your own behalf and on Your sole responsibility, not on behalf
+of any other Contributor, and only if You agree to indemnify,
+defend, and hold each Contributor harmless for any liability
+incurred by, or claims asserted against, such Contributor by reason
+of your accepting any such warranty or additional liability.
+
+END OF TERMS AND CONDITIONS

package/README.md

@@ -0,0 +1,163 @@
+# @aletheia-labs/core
+
+The core authority engine of Aletheia: memory as governance for LLM agents.
+
+> **Status**: `0.1.0` public baseline. The consumer facade (`AletheiaAuthority`) and strict TypeScript domain/storage/runtime contracts are live.
+
+## Quickstart
+
+```bash
+pnpm add @aletheia-labs/core @aletheia-labs/store-sqlite
+```
+
+```ts
+import { AletheiaAuthority, staticVisibilityPolicy } from '@aletheia-labs/core';
+import { openSqliteStores } from '@aletheia-labs/store-sqlite';
+
+const stores = openSqliteStores('./aletheia.sqlite');
+const authority = new AletheiaAuthority({
+  eventLedger: stores.eventLedger,
+  memoryStore: stores.memoryStore,
+  conflictRegistry: stores.conflictRegistry,
+  visibilityPolicy: staticVisibilityPolicy([{ kind: 'private:user' }]),
+});
+```
+
+Hosts provide storage and visibility policy. LLM adapters are optional and live outside core.
+
+## Consumer API
+
+Parse raw literals through the exported zod schemas when constructing values
+by hand; they preserve the branded ID types used by the runtime contracts.
+This assumes the source event already exists in the ledger and recalled atoms
+have reached an actionable status (`verified` or `trusted`).
+
+```ts
+import {
+  ActionContextSchema,
+  MemoryProposalSchema,
+  ProposedActionSchema,
+  RecallQuerySchema,
+} from '@aletheia-labs/core';
+
+const proposalResult = await authority.propose(
+  MemoryProposalSchema.parse({
+    proposalId: 'prop-1',
+    proposedBy: 'agent-1',
+    proposedAt: '2026-05-17T12:00:00Z',
+    candidateType: 'preference',
+    claim: 'The user prefers concise Spanish progress updates.',
+    sourceEventIds: ['evt-1'],
+    intendedScope: { kind: 'project', projectId: 'demo' },
+    intendedVisibility: { kind: 'private:user' },
+    riskLevel: 'low_local',
+    knownConflicts: [],
+  }),
+);
+
+const recall = await authority.recall(
+  RecallQuerySchema.parse({
+    agentId: 'agent-1',
+    scope: { kind: 'project', projectId: 'demo' },
+    limit: 5,
+  }),
+);
+
+const action = await authority.tryAct(
+  ProposedActionSchema.parse({ classifiedAction: 'local_report', target: 'local summary' }),
+  ActionContextSchema.parse({
+    agentId: 'agent-1',
+    scope: { kind: 'project', projectId: 'demo' },
+    citedMemoryIds: recall.atoms.map((atom) => atom.memoryId),
+  }),
+);
+
+console.log(proposalResult.decision.outcome, recall.decision.outcome, action.decision.outcome);
+```
+
+Every call returns a structured decision. Memory text, receipts, model prose, confidence, and consensus never grant permission by themselves.
+
+## What this package does
+
+- **Domain schemas and types**: `HumanReadableReceipt`, `CompressedReceipt`, `MemoryAtom`, `MemoryProposal`, `ActionContextPacket`, `CoverageReceipt`, `ConflictRecord`, `Decision`, and discriminated unions for status/scope/visibility.
+- **Storage interfaces**: `EventLedger`, `MemoryStore`, and `ConflictRegistry`. Implementations live in other packages.
+- **WriteGate**: validates source events, scope, visibility, risk, and conflict boundaries before memory insertion.
+- **Proposal safety guard**: deterministic checks for credential-like claims, permission-bypass policies, and destructive durable instructions before a proposal can become actionable memory.
+- **RetrievalRouter**: non-semantic recall by visibility, scope, status, type, freshness, optional receipt-derived authority scoring, and conflict state.
+- **ActionAuthorizer**: receiver-side `tryAct()` guard. Sensitive actions always ask human.
+- **AletheiaAuthority**: small facade exposing `propose()`, `recall()`, and `tryAct()`.
+
+## Proposal Safety Guard
+
+`WriteGate` calls `evaluateProposalSafety()` after visibility/source/scope checks
+and before insertion. The guard can only deny or escalate; it never grants
+authority. Current deterministic canaries cover:
+
+- long `sk-...` provider-style tokens, AWS access keys, GitHub tokens, JWT-like compact tokens, PEM private-key headers, and explicit `api_key`/`secret`/`token`/`password` assignments;
+- durable policies that try to bypass receiver-side permission checks;
+- destructive runtime instructions such as deleting repositories or databases.
+
+This is not a general DLP system or proof that arbitrary secrets cannot appear
+in source events. It prevents matching proposal claims from becoming actionable
+MemoryAtoms. Hosts that ingest sensitive raw conversations should still redact
+or scope those source events appropriately.
+
+## Fail-closed examples
+
+- No permitted visibility -> `deny` or `fetch_abstain`.
+- Missing source event -> `deny`.
+- Candidate memory cited for action -> `fetch_abstain`.
+- Sealed or human-required memory -> `ask_human`.
+- Sensitive action (`external_send`, `delete`, `publication`, etc.) -> `ask_human`.
+- Unresolved conflict touching cited memory -> `conflict_boundary_packet`.
+
+## What this package does NOT do
+
+- No embeddings, vector store, semantic retrieval, or semantic ranking.
+- Optional authority scoring is receipt-derived and runs only after hard visibility/scope/status/freshness filters.
+- No LLM SDK dependency. Use `@aletheia-labs/adapters-anthropic`, `@aletheia-labs/adapters-openai`, or your own adapter.
+- No OAuth, CLI, MCP server, daemon, watcher, or terminal UX.
+- No authorization service. Aletheia classifies memory authority; your host still owns real-world permissions.
+- No automatic promotion to `trusted`.
+
+## Stability
+
+Public surface for the initial library cycle:
+
+- `AletheiaAuthority`
+- `WriteGate`, `RetrievalRouter`, `ActionAuthorizer` from `@aletheia-labs/core/runtime`
+- storage interfaces exported from `@aletheia-labs/core`
+- zod schemas and inferred types from `@aletheia-labs/core` or `@aletheia-labs/core/types`
+- decision outcomes and reason shapes
+
+In the `0.x` line, breaking changes are possible but semver-relevant: changes to `propose()`, `recall()`, `tryAct()`, exported schemas, storage interfaces, or decision unions should ship with an explicit version bump and migration notes.
+
+Schema changes matter operationally: changing `MemoryAtomSchema` or receipt schemas can affect persisted stores and should be paired with migration/replay guidance.
+
+## Development
+
+From the repo root:
+
+```bash
+pnpm install
+pnpm -F @aletheia-labs/core typecheck
+pnpm -F @aletheia-labs/core test
+pnpm -F @aletheia-labs/core build
+pnpm -F @aletheia-labs/core smoke:e2e
+```
+
+Publish dry-run:
+
+```bash
+pnpm -F @aletheia-labs/core publish --dry-run --no-git-checks
+```
+
+## Specs
+
+This package implements:
+
+- `specs/aletheia-memory-authority-v0.md` — system architecture.
+- `specs/memory-authority-receipt-v0.md` — receipt contract.
+- `specs/compressed-temporal-receipt-v0.md` — compressed-temporal-receipt format.
+
+Where the spec is ambiguous, fix the spec first.

package/dist/index.d.ts

@@ -0,0 +1,18 @@
+/**
+ * @aletheia-labs/core
+ *
+ * Memory as governance for LLM agents.
+ *
+ * Phase 1.5 — domain types, storage interfaces, WriteGate, RetrievalRouter,
+ * ActionAuthorizer, and AletheiaAuthority are live.
+ *
+ * Design maxim:
+ *   "Do not build a memory that remembers more.
+ *    Build a memory that knows when to distrust itself."
+ */
+export declare const PACKAGE_NAME = "@aletheia-labs/core";
+export declare const PACKAGE_VERSION = "0.1.0";
+export * from './types/index.js';
+export * from './storage/index.js';
+export * from './runtime/index.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,eAAO,MAAM,YAAY,wBAAwB,CAAC;AAClD,eAAO,MAAM,eAAe,UAAU,CAAC;AAGvC,cAAc,kBAAkB,CAAC;AAGjC,cAAc,oBAAoB,CAAC;AAGnC,cAAc,oBAAoB,CAAC"}

package/dist/index.js

@@ -0,0 +1,21 @@
+/**
+ * @aletheia-labs/core
+ *
+ * Memory as governance for LLM agents.
+ *
+ * Phase 1.5 — domain types, storage interfaces, WriteGate, RetrievalRouter,
+ * ActionAuthorizer, and AletheiaAuthority are live.
+ *
+ * Design maxim:
+ *   "Do not build a memory that remembers more.
+ *    Build a memory that knows when to distrust itself."
+ */
+export const PACKAGE_NAME = '@aletheia-labs/core';
+export const PACKAGE_VERSION = '0.1.0';
+// Domain types and schemas — the public protocol surface.
+export * from './types/index.js';
+// Storage interfaces — implementations live in adapter packages.
+export * from './storage/index.js';
+// Runtime governance components — host applications provide stores + policy.
+export * from './runtime/index.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,MAAM,CAAC,MAAM,YAAY,GAAG,qBAAqB,CAAC;AAClD,MAAM,CAAC,MAAM,eAAe,GAAG,OAAO,CAAC;AAEvC,0DAA0D;AAC1D,cAAc,kBAAkB,CAAC;AAEjC,iEAAiE;AACjE,cAAc,oBAAoB,CAAC;AAEnC,6EAA6E;AAC7E,cAAc,oBAAoB,CAAC"}

package/dist/runtime/action-authorizer.d.ts

@@ -0,0 +1,48 @@
+/**
+ * ActionAuthorizer — receiver-side `tryAct` guard.
+ *
+ * The Action Context Packet is not a permission token. This guard re-checks
+ * the cited atoms against visibility, scope, status, conflicts, and action
+ * sensitivity before allowing only local/shadow effects.
+ */
+import type { ConflictRegistry, MemoryStore } from '../storage/index.js';
+import { type ActionContext, type ActionDecision, type ConflictRecord, type MemoryAtom, type ProposedAction } from '../types/index.js';
+import type { Clock } from './decision-helpers.js';
+import { type VisibilityPolicy } from './visibility-policy.js';
+export interface ActionAuthorizerOptions {
+    readonly memoryStore: MemoryStore;
+    readonly conflictRegistry: ConflictRegistry;
+    readonly visibilityPolicy?: VisibilityPolicy;
+    readonly clock?: Clock;
+}
+export interface ActionAuthorizationResult {
+    readonly decision: ActionDecision;
+    readonly citedAtoms: readonly MemoryAtom[];
+    readonly conflicts: readonly ConflictRecord[];
+}
+export declare class ActionAuthorizer {
+    private readonly options;
+    private readonly visibilityPolicy;
+    private readonly clock;
+    /**
+     * Create a receiver-side action guard.
+     *
+     * @remarks
+     * Hosts provide the same memory/conflict stores used for recall plus a
+     * visibility policy. The guard has no knowledge of provider tokens, tools,
+     * or real-world permissions.
+     */
+    constructor(options: ActionAuthorizerOptions);
+    /**
+     * Decide whether a proposed action may use cited memory as authority.
+     *
+     * @remarks
+     * Use this after recall and before executing any effect. The implementation
+     * parses the action/context, asks human for sensitive actions, denies unknown
+     * non-local effects, reloads cited atoms with visibility filtering, checks
+     * scope/freshness/status, and blocks unresolved conflicts.
+     */
+    tryAct(action: ProposedAction, context: ActionContext): Promise<ActionAuthorizationResult>;
+    private loadCitedAtoms;
+}
+//# sourceMappingURL=action-authorizer.d.ts.map

package/dist/runtime/action-authorizer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"action-authorizer.d.ts","sourceRoot":"","sources":["../../src/runtime/action-authorizer.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,gBAAgB,EAAE,WAAW,EAAE,MAAM,qBAAqB,CAAC;AACzE,OAAO,EACL,KAAK,aAAa,EAElB,KAAK,cAAc,EACnB,KAAK,cAAc,EAEnB,KAAK,UAAU,EAEf,KAAK,cAAc,EAMpB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,uBAAuB,CAAC;AAGnD,OAAO,EAA8B,KAAK,gBAAgB,EAAE,MAAM,wBAAwB,CAAC;AAE3F,MAAM,WAAW,uBAAuB;IACtC,QAAQ,CAAC,WAAW,EAAE,WAAW,CAAC;IAClC,QAAQ,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;IAC5C,QAAQ,CAAC,gBAAgB,CAAC,EAAE,gBAAgB,CAAC;IAC7C,QAAQ,CAAC,KAAK,CAAC,EAAE,KAAK,CAAC;CACxB;AAED,MAAM,WAAW,yBAAyB;IACxC,QAAQ,CAAC,QAAQ,EAAE,cAAc,CAAC;IAClC,QAAQ,CAAC,UAAU,EAAE,SAAS,UAAU,EAAE,CAAC;IAC3C,QAAQ,CAAC,SAAS,EAAE,SAAS,cAAc,EAAE,CAAC;CAC/C;AAED,qBAAa,gBAAgB;IAYf,OAAO,CAAC,QAAQ,CAAC,OAAO;IAXpC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAmB;IACpD,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAQ;IAE9B;;;;;;;OAOG;gBAC0B,OAAO,EAAE,uBAAuB;IAK7D;;;;;;;;OAQG;IACG,MAAM,CAAC,MAAM,EAAE,cAAc,EAAE,OAAO,EAAE,aAAa,GAAG,OAAO,CAAC,yBAAyB,CAAC;YAuOlF,cAAc;CAS7B"}

package/dist/runtime/action-authorizer.js

@@ -0,0 +1,231 @@
+/**
+ * ActionAuthorizer — receiver-side `tryAct` guard.
+ *
+ * The Action Context Packet is not a permission token. This guard re-checks
+ * the cited atoms against visibility, scope, status, conflicts, and action
+ * sensitivity before allowing only local/shadow effects.
+ */
+import { ActionContextSchema, ProposedActionSchema, SAFE_LOCAL_ACTIONS, SENSITIVE_ACTIONS, scopeKey, } from '../types/index.js';
+import { SYSTEM_CLOCK, decision } from './decision-helpers.js';
+import { sameScope } from './scope-helpers.js';
+import { DENY_ALL_VISIBILITY_POLICY } from './visibility-policy.js';
+export class ActionAuthorizer {
+    options;
+    visibilityPolicy;
+    clock;
+    /**
+     * Create a receiver-side action guard.
+     *
+     * @remarks
+     * Hosts provide the same memory/conflict stores used for recall plus a
+     * visibility policy. The guard has no knowledge of provider tokens, tools,
+     * or real-world permissions.
+     */
+    constructor(options) {
+        this.options = options;
+        this.visibilityPolicy = options.visibilityPolicy ?? DENY_ALL_VISIBILITY_POLICY;
+        this.clock = options.clock ?? SYSTEM_CLOCK;
+    }
+    /**
+     * Decide whether a proposed action may use cited memory as authority.
+     *
+     * @remarks
+     * Use this after recall and before executing any effect. The implementation
+     * parses the action/context, asks human for sensitive actions, denies unknown
+     * non-local effects, reloads cited atoms with visibility filtering, checks
+     * scope/freshness/status, and blocks unresolved conflicts.
+     */
+    async tryAct(action, context) {
+        const emittedAt = this.clock.now();
+        const contextResult = ActionContextSchema.safeParse(context);
+        if (!contextResult.success) {
+            return {
+                decision: decision('fetch_abstain', [
+                    {
+                        kind: 'tuple_incomplete',
+                        missingFields: schemaIssuePaths(contextResult.error.issues, 'context'),
+                    },
+                ], [], [], emittedAt),
+                citedAtoms: [],
+                conflicts: [],
+            };
+        }
+        const validContext = contextResult.data;
+        const actionResult = ProposedActionSchema.safeParse(action);
+        if (!actionResult.success) {
+            return {
+                decision: decision('ask_human', [{ kind: 'unknown_action', raw: 'invalid proposed action' }], validContext.citedMemoryIds, [], emittedAt),
+                citedAtoms: [],
+                conflicts: [],
+            };
+        }
+        const validAction = actionResult.data;
+        if (SENSITIVE_ACTIONS.has(validAction.classifiedAction)) {
+            return {
+                decision: decision('ask_human', [
+                    {
+                        kind: 'sensitive_action',
+                        actionClass: validAction.classifiedAction,
+                    },
+                ], validContext.citedMemoryIds, [], emittedAt),
+                citedAtoms: [],
+                conflicts: [],
+            };
+        }
+        if (!SAFE_LOCAL_ACTIONS.has(validAction.classifiedAction)) {
+            return {
+                decision: decision('deny', [
+                    {
+                        kind: 'forbidden_effect_present',
+                        effect: validAction.classifiedAction,
+                    },
+                ], validContext.citedMemoryIds, [], emittedAt),
+                citedAtoms: [],
+                conflicts: [],
+            };
+        }
+        if (validContext.citedMemoryIds.length === 0) {
+            return {
+                decision: decision('fetch_abstain', [{ kind: 'tuple_incomplete', missingFields: ['citedMemoryIds'] }], [], [], emittedAt),
+                citedAtoms: [],
+                conflicts: [],
+            };
+        }
+        const permitted = this.visibilityPolicy.permittedVisibilitiesForAgent(validContext.agentId);
+        if (permitted.length === 0) {
+            return {
+                decision: decision('deny', [
+                    {
+                        kind: 'visibility_denied',
+                        detail: 'actor has no permitted visibility planes',
+                    },
+                ], validContext.citedMemoryIds, [], emittedAt),
+                citedAtoms: [],
+                conflicts: [],
+            };
+        }
+        const atoms = await this.loadCitedAtoms(validContext.citedMemoryIds, permitted);
+        if (atoms.length !== validContext.citedMemoryIds.length) {
+            return {
+                decision: decision('fetch_abstain', [
+                    {
+                        kind: 'source_check_failed',
+                        detail: 'one or more cited memories are missing or not visible',
+                    },
+                ], validContext.citedMemoryIds, [], emittedAt),
+                citedAtoms: atoms,
+                conflicts: [],
+            };
+        }
+        const outOfScope = atoms.find((atom) => !sameScope(atom.scope, validContext.scope));
+        if (outOfScope !== undefined) {
+            return {
+                decision: decision('block_local', [
+                    {
+                        kind: 'scope_outside_boundary',
+                        requestedScope: scopeKey(validContext.scope),
+                        allowedScope: scopeKey(outOfScope.scope),
+                    },
+                ], validContext.citedMemoryIds, [], emittedAt),
+                citedAtoms: atoms,
+                conflicts: [],
+            };
+        }
+        const invalidAt = atoms.find((atom) => !atomIsValidAt(atom, emittedAt));
+        if (invalidAt !== undefined) {
+            return {
+                decision: decision('fetch_abstain', [
+                    {
+                        kind: 'freshness_not_current',
+                        observed: `memory ${invalidAt.memoryId} is not valid at ${emittedAt}`,
+                    },
+                ], validContext.citedMemoryIds, [], emittedAt),
+                citedAtoms: atoms,
+                conflicts: [],
+            };
+        }
+        const statusReason = firstUnsafeStatusReason(atoms);
+        if (statusReason !== null) {
+            return {
+                decision: decision(statusReason.outcome, [statusReason.reason], validContext.citedMemoryIds, [], emittedAt),
+                citedAtoms: atoms,
+                conflicts: [],
+            };
+        }
+        const conflicts = await this.options.conflictRegistry.query({
+            touchingMemoryIds: validContext.citedMemoryIds,
+            statuses: ['unresolved', 'requires_human'],
+            scope: validContext.scope,
+            permittedVisibilities: permitted,
+        });
+        if (conflicts.length > 0) {
+            return {
+                decision: decision('conflict_boundary_packet', conflicts.map((conflict) => ({
+                    kind: 'unresolved_conflict',
+                    conflictId: conflict.conflictId,
+                })), validContext.citedMemoryIds, conflicts.map((conflict) => conflict.conflictId), emittedAt),
+                citedAtoms: atoms,
+                conflicts,
+            };
+        }
+        return {
+            decision: decision('allow_local_shadow', [
+                {
+                    kind: 'all_checks_passed',
+                    citedMemoryIds: validContext.citedMemoryIds,
+                },
+            ], validContext.citedMemoryIds, [], emittedAt),
+            citedAtoms: atoms,
+            conflicts,
+        };
+    }
+    async loadCitedAtoms(memoryIds, permitted) {
+        const atoms = await Promise.all(memoryIds.map((memoryId) => this.options.memoryStore.get(memoryId, permitted)));
+        return atoms.filter((atom) => atom !== null);
+    }
+}
+function firstUnsafeStatusReason(atoms) {
+    const humanRequired = atoms.find((atom) => atom.status === 'human_required' || atom.status === 'sealed');
+    if (humanRequired !== undefined) {
+        return {
+            outcome: 'ask_human',
+            reason: {
+                kind: 'promotion_boundary_blocked',
+                detail: `memory ${humanRequired.memoryId} requires human or sealed handling`,
+            },
+        };
+    }
+    const rejected = atoms.find((atom) => atom.status === 'rejected' || atom.status === 'deprecated');
+    if (rejected !== undefined) {
+        return {
+            outcome: 'deny',
+            reason: {
+                kind: 'promotion_boundary_blocked',
+                detail: `memory ${rejected.memoryId} is ${rejected.status}`,
+            },
+        };
+    }
+    const candidate = atoms.find((atom) => atom.status === 'candidate');
+    if (candidate !== undefined) {
+        return {
+            outcome: 'fetch_abstain',
+            reason: {
+                kind: 'tuple_incomplete',
+                missingFields: [`verifiedAuthority:${candidate.memoryId}`],
+            },
+        };
+    }
+    return null;
+}
+function atomIsValidAt(atom, at) {
+    if (atom.validFrom > at)
+        return false;
+    if (atom.validUntil !== null && atom.validUntil < at)
+        return false;
+    return true;
+}
+function schemaIssuePaths(issues, fallback) {
+    const paths = issues.map((issue) => issue.path.length > 0 ? issue.path.map(String).join('.') : fallback);
+    return paths.length > 0 ? paths : [fallback];
+}
+//# sourceMappingURL=action-authorizer.js.map