@remnic/core 1.0.0

package/dist/chunk-EQINRHYR.js

@@ -0,0 +1,672 @@
+import {
+  countRecallTokenOverlap,
+  normalizeRecallTokens
+} from "./chunk-DT5TVLJE.js";
+import {
+  assertIsoRecordedAt,
+  assertSafePathSegment,
+  assertString,
+  isRecord,
+  optionalString,
+  optionalStringArray,
+  recordStoreDay,
+  validateStringRecord
+} from "./chunk-DGXUHMOV.js";
+import {
+  listJsonFiles,
+  readJsonFile
+} from "./chunk-LPSF4OQH.js";
+
+// src/trust-zones.ts
+import path from "path";
+import { mkdir, writeFile } from "fs/promises";
+function isTrustZoneName(value) {
+  return value === "quarantine" || value === "working" || value === "trusted";
+}
+function validateMetadata(raw) {
+  return validateStringRecord(raw, "metadata");
+}
+function validateZone(raw, field) {
+  const value = assertString(raw, field);
+  if (!["quarantine", "working", "trusted"].includes(value)) {
+    throw new Error(`${field} must be one of quarantine|working|trusted`);
+  }
+  return value;
+}
+function validateKind(raw) {
+  const value = assertString(raw, "kind");
+  if (!["memory", "artifact", "state", "trajectory", "external"].includes(value)) {
+    throw new Error("kind must be one of memory|artifact|state|trajectory|external");
+  }
+  return value;
+}
+function validateProvenance(raw) {
+  if (!isRecord(raw)) throw new Error("provenance must be an object");
+  const sourceClass = assertString(raw.sourceClass, "provenance.sourceClass");
+  if (!["tool_output", "web_content", "subagent_trace", "system_memory", "user_input", "manual"].includes(sourceClass)) {
+    throw new Error("provenance.sourceClass must be one of tool_output|web_content|subagent_trace|system_memory|user_input|manual");
+  }
+  return {
+    sourceClass,
+    observedAt: assertIsoRecordedAt(assertString(raw.observedAt, "provenance.observedAt"), "provenance.observedAt"),
+    sessionKey: optionalString(raw.sessionKey),
+    sourceId: optionalString(raw.sourceId),
+    evidenceHash: optionalString(raw.evidenceHash)
+  };
+}
+function resolveTrustZoneStoreDir(memoryDir, overrideDir) {
+  if (typeof overrideDir === "string" && overrideDir.trim().length > 0) {
+    return overrideDir.trim();
+  }
+  return path.join(memoryDir, "state", "trust-zones");
+}
+function validateTrustZoneRecord(raw) {
+  if (!isRecord(raw)) throw new Error("trust-zone record must be an object");
+  if (raw.schemaVersion !== 1) throw new Error("schemaVersion must be 1");
+  return {
+    schemaVersion: 1,
+    recordId: assertSafePathSegment(assertString(raw.recordId, "recordId"), "recordId"),
+    zone: validateZone(raw.zone, "zone"),
+    recordedAt: assertIsoRecordedAt(assertString(raw.recordedAt, "recordedAt")),
+    kind: validateKind(raw.kind),
+    summary: assertString(raw.summary, "summary"),
+    provenance: validateProvenance(raw.provenance),
+    promotedFromZone: raw.promotedFromZone === void 0 ? void 0 : validateZone(raw.promotedFromZone, "promotedFromZone"),
+    entityRefs: optionalStringArray(raw.entityRefs, "entityRefs"),
+    tags: optionalStringArray(raw.tags, "tags"),
+    metadata: validateMetadata(raw.metadata)
+  };
+}
+async function recordTrustZoneRecord(options) {
+  const rootDir = resolveTrustZoneStoreDir(options.memoryDir, options.trustZoneStoreDir);
+  const validated = validateTrustZoneRecord(options.record);
+  const day = recordStoreDay(validated.recordedAt);
+  const zoneDir = path.join(rootDir, "zones", validated.zone, day);
+  const filePath = path.join(zoneDir, `${validated.recordId}.json`);
+  await mkdir(zoneDir, { recursive: true });
+  await writeFile(filePath, JSON.stringify(validated, null, 2), "utf8");
+  return filePath;
+}
+function hasAnchoredProvenance(record) {
+  return Boolean(record.provenance.sourceId && record.provenance.evidenceHash);
+}
+function buildPromotionRecordId(sourceRecordId, targetZone, recordedAt) {
+  const suffix = recordedAt.replace(/[^0-9]/g, "").slice(0, 14);
+  return `${sourceRecordId}-${targetZone}-${suffix}`;
+}
+function dedupeStrings(values) {
+  const out = values.filter((value) => typeof value === "string" && value.length > 0);
+  if (out.length === 0) return void 0;
+  return [...new Set(out)];
+}
+function hasOverlap(left, right) {
+  if (!left || !right || left.length === 0 || right.length === 0) return false;
+  const rightSet = new Set(right);
+  return left.some((value) => rightSet.has(value));
+}
+function corroborationTags(record) {
+  if (!record.tags || record.tags.length === 0) return void 0;
+  const filtered = record.tags.filter((tag) => tag !== "trust-zone-demo" && tag !== "enterprise-demo");
+  return filtered.length > 0 ? filtered : void 0;
+}
+function requiresCorroboration(record, targetZone, poisoningDefenseEnabled) {
+  return poisoningDefenseEnabled === true && targetZone === "trusted" && record.zone === "working" && ["tool_output", "web_content", "subagent_trace"].includes(record.provenance.sourceClass);
+}
+function summarizeCorroboration(options) {
+  const corroborating = options.records.filter((candidate) => {
+    if (candidate.recordId === options.sourceRecord.recordId) return false;
+    if (candidate.zone === "quarantine") return false;
+    if (hasAnchoredProvenance(candidate) !== true) return false;
+    if (candidate.provenance.sourceClass === options.sourceRecord.provenance.sourceClass) return false;
+    return hasOverlap(candidate.entityRefs, options.sourceRecord.entityRefs) || hasOverlap(corroborationTags(candidate), corroborationTags(options.sourceRecord));
+  });
+  return {
+    count: corroborating.length,
+    sourceClasses: [...new Set(corroborating.map((record) => record.provenance.sourceClass))]
+  };
+}
+var SOURCE_CLASS_WEIGHTS = {
+  manual: 0.9,
+  system_memory: 0.85,
+  user_input: 0.75,
+  tool_output: 0.55,
+  subagent_trace: 0.45,
+  web_content: 0.35
+};
+function roundTrustScore(value) {
+  return Math.round(value * 1e3) / 1e3;
+}
+function trustScoreBand(total) {
+  if (total >= 0.8) return "high";
+  if (total >= 0.5) return "medium";
+  return "low";
+}
+function scoreTrustZoneProvenance(record) {
+  const sourceClassWeight = SOURCE_CLASS_WEIGHTS[record.provenance.sourceClass];
+  const sourceIdBonus = typeof record.provenance.sourceId === "string" ? 0.1 : 0;
+  const evidenceHashBonus = typeof record.provenance.evidenceHash === "string" ? 0.2 : 0;
+  const sessionKeyBonus = typeof record.provenance.sessionKey === "string" ? 0.05 : 0;
+  const total = roundTrustScore(
+    Math.min(1, sourceClassWeight + sourceIdBonus + evidenceHashBonus + sessionKeyBonus)
+  );
+  return {
+    total,
+    band: trustScoreBand(total),
+    anchored: hasAnchoredProvenance(record),
+    sourceClassWeight,
+    sourceIdBonus,
+    evidenceHashBonus,
+    sessionKeyBonus
+  };
+}
+function planTrustZonePromotion(options) {
+  const { record, targetZone } = options;
+  const reasons = [];
+  const provenanceAnchored = hasAnchoredProvenance(record);
+  if (record.zone === targetZone) {
+    reasons.push(`record is already in the ${targetZone} zone`);
+  }
+  if (record.zone === "trusted") {
+    reasons.push("trusted records are terminal and cannot be promoted again");
+  }
+  if (record.zone === "quarantine" && targetZone === "trusted") {
+    reasons.push("quarantine records must pass through working before trusted promotion");
+  }
+  if (record.zone === "working" && targetZone === "quarantine") {
+    reasons.push("working records cannot be demoted back into quarantine in this promotion path");
+  }
+  if (record.zone === "quarantine" && targetZone !== "working") {
+    reasons.push("quarantine promotions only support the working zone");
+  }
+  if (record.zone === "working" && targetZone !== "trusted") {
+    reasons.push("working promotions only support the trusted zone");
+  }
+  if (targetZone === "trusted" && ["tool_output", "web_content", "subagent_trace"].includes(record.provenance.sourceClass) && provenanceAnchored !== true) {
+    reasons.push("trusted promotion for external/tool-derived provenance requires both provenance.sourceId and provenance.evidenceHash");
+  }
+  return {
+    allowed: reasons.length === 0,
+    reasons,
+    sourceRecordId: record.recordId,
+    sourceZone: record.zone,
+    targetZone,
+    provenanceAnchored
+  };
+}
+async function findTrustZoneRecordById(options) {
+  const { entries } = await readTrustZoneRecordEntries(options);
+  entries.sort((a, b) => b.record.recordedAt.localeCompare(a.record.recordedAt));
+  return entries.find((entry) => entry.record.recordId === options.recordId)?.record ?? null;
+}
+async function promoteTrustZoneRecord(options) {
+  if (options.enabled !== true) {
+    throw new Error("trust zone promotion requires trustZonesEnabled=true");
+  }
+  if (options.promotionEnabled !== true) {
+    throw new Error("trust zone promotion requires quarantinePromotionEnabled=true");
+  }
+  const sourceRecord = await findTrustZoneRecordById({
+    memoryDir: options.memoryDir,
+    trustZoneStoreDir: options.trustZoneStoreDir,
+    recordId: assertSafePathSegment(assertString(options.sourceRecordId, "sourceRecordId"), "sourceRecordId")
+  });
+  if (!sourceRecord) {
+    throw new Error(`source trust-zone record not found: ${options.sourceRecordId}`);
+  }
+  const plan = planTrustZonePromotion({
+    record: sourceRecord,
+    targetZone: options.targetZone
+  });
+  if (!plan.allowed) {
+    throw new Error(`trust-zone promotion denied: ${plan.reasons.join("; ")}`);
+  }
+  const corroboration = requiresCorroboration(sourceRecord, options.targetZone, options.poisoningDefenseEnabled === true) ? summarizeCorroboration({
+    sourceRecord,
+    records: (await readTrustZoneRecordEntries({
+      memoryDir: options.memoryDir,
+      trustZoneStoreDir: options.trustZoneStoreDir
+    })).entries.map((entry) => entry.record)
+  }) : null;
+  if (corroboration && corroboration.count === 0) {
+    throw new Error("trust-zone promotion denied: corroboration is required for risky trusted promotions");
+  }
+  const recordedAt = assertIsoRecordedAt(assertString(options.recordedAt, "recordedAt"));
+  const promotionReason = assertString(options.promotionReason, "promotionReason");
+  const nextRecord = {
+    schemaVersion: 1,
+    recordId: buildPromotionRecordId(sourceRecord.recordId, options.targetZone, recordedAt),
+    zone: options.targetZone,
+    recordedAt,
+    kind: sourceRecord.kind,
+    summary: optionalString(options.summary) ?? sourceRecord.summary,
+    provenance: sourceRecord.provenance,
+    promotedFromZone: sourceRecord.zone,
+    entityRefs: sourceRecord.entityRefs,
+    tags: dedupeStrings([...sourceRecord.tags ?? [], "promotion"]),
+    metadata: {
+      ...sourceRecord.metadata ?? {},
+      sourceRecordId: sourceRecord.recordId,
+      promotionReason,
+      ...corroboration ? {
+        corroborated: "true",
+        corroborationCount: String(corroboration.count),
+        corroborationSources: corroboration.sourceClasses.join(",")
+      } : {}
+    }
+  };
+  if (options.dryRun === true) {
+    return {
+      plan,
+      wroteRecord: false,
+      record: nextRecord,
+      sourceRecord
+    };
+  }
+  const filePath = await recordTrustZoneRecord({
+    memoryDir: options.memoryDir,
+    trustZoneStoreDir: options.trustZoneStoreDir,
+    record: nextRecord
+  });
+  return {
+    plan,
+    wroteRecord: true,
+    record: nextRecord,
+    filePath,
+    sourceRecord
+  };
+}
+async function readTrustZoneRecordEntries(options) {
+  const rootDir = resolveTrustZoneStoreDir(options.memoryDir, options.trustZoneStoreDir);
+  const files = await listJsonFiles(path.join(rootDir, "zones"));
+  const entries = [];
+  const invalidRecords = [];
+  for (const filePath of files) {
+    try {
+      entries.push({
+        filePath,
+        record: validateTrustZoneRecord(await readJsonFile(filePath))
+      });
+    } catch (error) {
+      invalidRecords.push({
+        path: filePath,
+        error: error instanceof Error ? error.message : String(error)
+      });
+    }
+  }
+  return { files, entries, invalidRecords };
+}
+function lexicalScoreTrustZoneRecord(record, queryTokens) {
+  const weightedFields = [
+    ["summary", record.summary, 4],
+    ["kind", record.kind, 1],
+    ["zone", record.zone, 1],
+    ["sourceClass", record.provenance.sourceClass, 1],
+    ["entityRefs", record.entityRefs?.join(" "), 2],
+    ["tags", record.tags?.join(" "), 2],
+    ["metadata", record.metadata ? Object.values(record.metadata).join(" ") : void 0, 1]
+  ];
+  let score = 0;
+  const matchedFields = [];
+  for (const [field, value, weight] of weightedFields) {
+    const matches = countRecallTokenOverlap(queryTokens, value, ["what"]);
+    if (matches > 0) matchedFields.push(field);
+    score += matches * weight;
+  }
+  return { score, matchedFields };
+}
+function zonePriority(zone) {
+  switch (zone) {
+    case "trusted":
+      return 3;
+    case "working":
+      return 2;
+    case "quarantine":
+      return 1;
+  }
+}
+function scoreTrustZoneRecord(record, lexicalScore, sessionKey) {
+  let score = lexicalScore;
+  score += zonePriority(record.zone);
+  if (sessionKey && record.provenance.sessionKey === sessionKey) score += 1;
+  const recordedAtMs = Date.parse(record.recordedAt);
+  if (Number.isFinite(recordedAtMs)) {
+    const ageHours = Math.max(0, (Date.now() - recordedAtMs) / 36e5);
+    score += 1 / (1 + ageHours);
+  }
+  return score;
+}
+async function searchTrustZoneRecords(options) {
+  const maxResults = Math.max(0, Math.floor(options.maxResults));
+  if (maxResults === 0) return [];
+  const { entries } = await readTrustZoneRecordEntries(options);
+  const records = entries.map((entry) => entry.record);
+  const candidates = records.filter((record) => record.zone !== "quarantine");
+  if (candidates.length === 0) return [];
+  const queryTokens = new Set(normalizeRecallTokens(options.query, ["what"]));
+  if (queryTokens.size === 0) return [];
+  const scored = candidates.map((record) => {
+    const lexical = lexicalScoreTrustZoneRecord(record, queryTokens);
+    return {
+      record,
+      matchedFields: lexical.matchedFields,
+      lexicalScore: lexical.score,
+      score: scoreTrustZoneRecord(record, lexical.score, options.sessionKey)
+    };
+  });
+  const filtered = scored.filter((result) => result.lexicalScore > 0);
+  filtered.sort((left, right) => {
+    if (right.score !== left.score) return right.score - left.score;
+    return right.record.recordedAt.localeCompare(left.record.recordedAt);
+  });
+  return filtered.slice(0, maxResults).map(({ record, score, matchedFields }) => ({
+    record,
+    score,
+    matchedFields
+  }));
+}
+async function listTrustZoneRecords(options) {
+  const limit = Number.isFinite(options.limit) ? Math.max(1, Math.min(200, Math.floor(options.limit ?? 25))) : 25;
+  const offset = Number.isFinite(options.offset) ? Math.max(0, Math.floor(options.offset ?? 0)) : 0;
+  const zoneFilter = options.zone?.trim();
+  const kindFilter = options.kind?.trim();
+  const sourceClassFilter = options.sourceClass?.trim();
+  const queryTokens = new Set(normalizeRecallTokens(options.query ?? "", ["what"]));
+  const { entries } = await readTrustZoneRecordEntries(options);
+  const filtered = entries.filter((entry) => !zoneFilter || entry.record.zone === zoneFilter).filter((entry) => !kindFilter || entry.record.kind === kindFilter).filter((entry) => !sourceClassFilter || entry.record.provenance.sourceClass === sourceClassFilter).map((entry) => ({
+    entry,
+    lexical: queryTokens.size > 0 ? lexicalScoreTrustZoneRecord(entry.record, queryTokens) : null
+  })).filter((candidate) => queryTokens.size === 0 || (candidate.lexical?.score ?? 0) > 0);
+  filtered.sort((left, right) => {
+    const leftScore = left.lexical?.score ?? 0;
+    const rightScore = right.lexical?.score ?? 0;
+    if (rightScore !== leftScore) return rightScore - leftScore;
+    return right.entry.record.recordedAt.localeCompare(left.entry.record.recordedAt);
+  });
+  return {
+    total: filtered.length,
+    count: filtered.slice(offset, offset + limit).length,
+    limit,
+    offset,
+    records: filtered.slice(offset, offset + limit).map((candidate) => candidate.entry),
+    allRecords: entries.map((entry) => entry.record)
+  };
+}
+function summarizeTrustZonePromotionReadiness(options) {
+  if (options.record.zone === "trusted") {
+    return {
+      allowed: false,
+      reasons: ["trusted records are terminal and do not have a next promotion step"],
+      requiresCorroboration: false,
+      corroborationCount: 0,
+      corroborationSourceClasses: []
+    };
+  }
+  const nextTargetZone = options.record.zone === "quarantine" ? "working" : "trusted";
+  const plan = planTrustZonePromotion({
+    record: options.record,
+    targetZone: nextTargetZone
+  });
+  const requires = requiresCorroboration(options.record, nextTargetZone, options.poisoningDefenseEnabled);
+  const corroboration = requires ? summarizeCorroboration({
+    sourceRecord: options.record,
+    records: options.allRecords
+  }) : { count: 0, sourceClasses: [] };
+  const reasons = [...plan.reasons];
+  if (requires && corroboration.count === 0) {
+    reasons.push("trusted promotion requires corroboration from an independent non-quarantine source");
+  }
+  return {
+    nextTargetZone,
+    allowed: plan.allowed && (!requires || corroboration.count > 0),
+    reasons,
+    requiresCorroboration: requires,
+    corroborationCount: corroboration.count,
+    corroborationSourceClasses: corroboration.sourceClasses
+  };
+}
+function addMinutes(baseIso, minutes) {
+  const baseMs = Date.parse(baseIso);
+  if (!Number.isFinite(baseMs)) {
+    throw new Error("recordedAt must be a valid ISO timestamp");
+  }
+  return new Date(baseMs + minutes * 6e4).toISOString();
+}
+function buildTrustZoneDemoSeedRunId(baseRecordedAt) {
+  return baseRecordedAt.replace(/[^0-9]/g, "");
+}
+function buildTrustZoneDemoRecordId(baseId, seedRunId) {
+  return `${baseId}-${seedRunId}`;
+}
+function buildTrustZoneDemoRecords(baseRecordedAt, scenario) {
+  const demoTag = "trust-zone-demo";
+  const commonMetadata = {
+    demoScenario: scenario,
+    demoSeed: "true"
+  };
+  const seedRunId = buildTrustZoneDemoSeedRunId(baseRecordedAt);
+  return [
+    {
+      schemaVersion: 1,
+      recordId: buildTrustZoneDemoRecordId("tz-demo-enterprise-buyer-v1-quarantine-ready", seedRunId),
+      zone: "quarantine",
+      recordedAt: addMinutes(baseRecordedAt, 0),
+      kind: "external",
+      summary: "Vendor portal policy excerpt captured before validation for Acme Industrial onboarding.",
+      provenance: {
+        sourceClass: "web_content",
+        observedAt: addMinutes(baseRecordedAt, -2),
+        sessionKey: "demo:enterprise-buyer-v1",
+        sourceId: "https://vendor.example.com/policies/acme-industrial.pdf",
+        evidenceHash: "sha256:vendor-portal-policy-proof"
+      },
+      entityRefs: ["account:acme-industrial", "policy:vendor-onboarding"],
+      tags: [demoTag, "enterprise-demo", "vendor-policy"],
+      metadata: {
+        ...commonMetadata,
+        story: "captured-external-policy"
+      }
+    },
+    {
+      schemaVersion: 1,
+      recordId: buildTrustZoneDemoRecordId("tz-demo-enterprise-buyer-v1-working-blocked", seedRunId),
+      zone: "working",
+      recordedAt: addMinutes(baseRecordedAt, 2),
+      kind: "external",
+      summary: "Unverified rumor about a production freeze captured without source evidence.",
+      provenance: {
+        sourceClass: "subagent_trace",
+        observedAt: addMinutes(baseRecordedAt, 1),
+        sessionKey: "demo:enterprise-buyer-v1"
+      },
+      entityRefs: ["workspace:finance", "incident:freeze-rumor"],
+      tags: [demoTag, "enterprise-demo", "needs-evidence"],
+      metadata: {
+        ...commonMetadata,
+        story: "working-missing-provenance"
+      }
+    },
+    {
+      schemaVersion: 1,
+      recordId: buildTrustZoneDemoRecordId("tz-demo-enterprise-buyer-v1-working-awaiting-corroboration", seedRunId),
+      zone: "working",
+      recordedAt: addMinutes(baseRecordedAt, 6),
+      kind: "state",
+      summary: "Tool output says the finance SSO certificate rotation completed successfully.",
+      provenance: {
+        sourceClass: "tool_output",
+        observedAt: addMinutes(baseRecordedAt, 5),
+        sessionKey: "demo:enterprise-buyer-v1",
+        sourceId: "tool:sso-rotation-run-42",
+        evidenceHash: "sha256:sso-rotation-log"
+      },
+      entityRefs: ["finding:finance-sso-certificate-rotation-tool-output-pending"],
+      tags: [demoTag, "enterprise-demo", "sso-rotation-pending"],
+      metadata: {
+        ...commonMetadata,
+        story: "working-awaiting-corroboration"
+      }
+    },
+    {
+      schemaVersion: 1,
+      recordId: buildTrustZoneDemoRecordId("tz-demo-enterprise-buyer-v1-working-corroborated", seedRunId),
+      zone: "working",
+      recordedAt: addMinutes(baseRecordedAt, 7),
+      kind: "state",
+      summary: "Tool output says the vendor onboarding policy sync completed with anchored evidence ready for promotion.",
+      provenance: {
+        sourceClass: "tool_output",
+        observedAt: addMinutes(baseRecordedAt, 6),
+        sessionKey: "demo:enterprise-buyer-v1",
+        sourceId: "tool:vendor-policy-sync-run-9",
+        evidenceHash: "sha256:vendor-policy-sync-log"
+      },
+      entityRefs: ["account:acme-industrial", "policy:vendor-onboarding"],
+      tags: [demoTag, "enterprise-demo", "vendor-policy"],
+      metadata: {
+        ...commonMetadata,
+        story: "working-with-corroboration"
+      }
+    },
+    {
+      schemaVersion: 1,
+      recordId: buildTrustZoneDemoRecordId("tz-demo-enterprise-buyer-v1-working-corroboration", seedRunId),
+      zone: "working",
+      recordedAt: addMinutes(baseRecordedAt, 9),
+      kind: "external",
+      summary: "Change ticket confirms the same vendor onboarding policy sync with matching artifact hash.",
+      provenance: {
+        sourceClass: "web_content",
+        observedAt: addMinutes(baseRecordedAt, 7),
+        sessionKey: "demo:enterprise-buyer-v1",
+        sourceId: "https://tickets.example.com/changes/CHG-4821",
+        evidenceHash: "sha256:sso-rotation-ticket-proof"
+      },
+      entityRefs: ["account:acme-industrial", "policy:vendor-onboarding"],
+      tags: [demoTag, "enterprise-demo", "vendor-policy"],
+      metadata: {
+        ...commonMetadata,
+        story: "independent-corroboration"
+      }
+    },
+    {
+      schemaVersion: 1,
+      recordId: buildTrustZoneDemoRecordId("tz-demo-enterprise-buyer-v1-trusted-governance-rule", seedRunId),
+      zone: "trusted",
+      recordedAt: addMinutes(baseRecordedAt, 13),
+      kind: "memory",
+      summary: "Trusted promotion requires a ticket id and artifact hash before shared recall can use operator actions.",
+      provenance: {
+        sourceClass: "manual",
+        observedAt: addMinutes(baseRecordedAt, 11),
+        sessionKey: "demo:enterprise-buyer-v1",
+        sourceId: "review:trust-zone-policy",
+        evidenceHash: "sha256:trust-zone-policy"
+      },
+      promotedFromZone: "working",
+      entityRefs: ["policy:trust-zone-promotion"],
+      tags: [demoTag, "enterprise-demo", "operator-policy"],
+      metadata: {
+        ...commonMetadata,
+        story: "trusted-policy"
+      }
+    }
+  ];
+}
+async function seedTrustZoneDemoDataset(options) {
+  if (options.enabled !== true) {
+    throw new Error("trust zone demo seed requires trustZonesEnabled=true");
+  }
+  const scenario = (options.scenario ?? "enterprise-buyer-v1").trim();
+  if (scenario !== "enterprise-buyer-v1") {
+    throw new Error(`unsupported trust-zone demo scenario: ${scenario}`);
+  }
+  const baseRecordedAt = assertIsoRecordedAt(options.recordedAt ?? (/* @__PURE__ */ new Date()).toISOString(), "recordedAt");
+  if (!Number.isFinite(Date.parse(baseRecordedAt))) {
+    throw new Error("recordedAt must be a valid ISO timestamp");
+  }
+  const records = buildTrustZoneDemoRecords(baseRecordedAt, scenario);
+  if (options.dryRun === true) {
+    return {
+      scenario,
+      dryRun: true,
+      recordsWritten: 0,
+      records,
+      filePaths: []
+    };
+  }
+  const filePaths = [];
+  for (const record of records) {
+    filePaths.push(await recordTrustZoneRecord({
+      memoryDir: options.memoryDir,
+      trustZoneStoreDir: options.trustZoneStoreDir,
+      record
+    }));
+  }
+  return {
+    scenario,
+    dryRun: false,
+    recordsWritten: filePaths.length,
+    records,
+    filePaths
+  };
+}
+async function getTrustZoneStoreStatus(options) {
+  const rootDir = resolveTrustZoneStoreDir(options.memoryDir, options.trustZoneStoreDir);
+  const zonesDir = path.join(rootDir, "zones");
+  const { files, entries, invalidRecords } = await readTrustZoneRecordEntries(options);
+  const records = entries.map((entry) => entry.record);
+  records.sort((a, b) => b.recordedAt.localeCompare(a.recordedAt));
+  const byZone = {};
+  const byKind = {};
+  const byTrustBand = {};
+  let trustScoreTotal = 0;
+  for (const record of records) {
+    byZone[record.zone] = (byZone[record.zone] ?? 0) + 1;
+    byKind[record.kind] = (byKind[record.kind] ?? 0) + 1;
+    if (options.poisoningDefenseEnabled === true) {
+      const score = scoreTrustZoneProvenance(record);
+      byTrustBand[score.band] = (byTrustBand[score.band] ?? 0) + 1;
+      trustScoreTotal += score.total;
+    }
+  }
+  const averageTrustScore = options.poisoningDefenseEnabled === true && records.length > 0 ? roundTrustScore(trustScoreTotal / records.length) : void 0;
+  const latestRecordTrustScore = options.poisoningDefenseEnabled === true && records[0] ? scoreTrustZoneProvenance(records[0]) : void 0;
+  return {
+    enabled: options.enabled,
+    promotionEnabled: options.promotionEnabled,
+    poisoningDefenseEnabled: options.poisoningDefenseEnabled,
+    rootDir,
+    zonesDir,
+    records: {
+      total: files.length,
+      valid: records.length,
+      invalid: invalidRecords.length,
+      byZone,
+      byKind,
+      latestRecordId: records[0]?.recordId,
+      latestRecordedAt: records[0]?.recordedAt,
+      latestZone: records[0]?.zone,
+      averageTrustScore,
+      byTrustBand: options.poisoningDefenseEnabled === true ? byTrustBand : void 0
+    },
+    latestRecord: records[0],
+    latestRecordTrustScore,
+    invalidRecords
+  };
+}
+
+export {
+  isTrustZoneName,
+  resolveTrustZoneStoreDir,
+  validateTrustZoneRecord,
+  recordTrustZoneRecord,
+  scoreTrustZoneProvenance,
+  planTrustZonePromotion,
+  promoteTrustZoneRecord,
+  searchTrustZoneRecords,
+  listTrustZoneRecords,
+  summarizeTrustZonePromotionReadiness,
+  seedTrustZoneDemoDataset,
+  getTrustZoneStoreStatus
+};
+//# sourceMappingURL=chunk-EQINRHYR.js.map