@svsprotocol/solana 0.1.0

package/dist/verified-agent-trust-score.js

@@ -0,0 +1,335 @@
+import { hashObject } from "./receipt.js";
+
+export const VERIFIED_AGENT_TRUST_SCORE_VERSION = "svs.verified-agent-trust-score.v1";
+export const VERIFIED_AGENT_TRUST_SCORE_MAX = 100;
+export const VERIFIED_AGENT_TRUST_SCORE_HIGH_TRUST_MIN = 90;
+
+export const VERIFIED_AGENT_TRUST_SCORE_SIGNAL_DEFINITIONS = Object.freeze([
+  {
+    id: "profile_verification",
+    label: "Verified-agent profile",
+    weight: 15,
+    required: true
+  },
+  {
+    id: "registry_membership",
+    label: "Registry membership",
+    weight: 15,
+    required: true
+  },
+  {
+    id: "production_certification",
+    label: "Current production certification",
+    weight: 15,
+    required: true
+  },
+  {
+    id: "action_production_proof",
+    label: "Fresh action production proof",
+    weight: 15,
+    required: true
+  },
+  {
+    id: "custom_registry_proof",
+    label: "Custom receipt registry proof",
+    weight: 10,
+    required: true
+  },
+  {
+    id: "credential_lifecycle",
+    label: "Credential lifecycle health",
+    weight: 10,
+    required: false
+  },
+  {
+    id: "host_framework_validation",
+    label: "Host-framework validation",
+    weight: 10,
+    required: false
+  },
+  {
+    id: "secret_safety",
+    label: "Secret-safe public evidence",
+    weight: 5,
+    required: true
+  },
+  {
+    id: "portable_or_webhook_proof",
+    label: "Portable export or webhook proof",
+    weight: 5,
+    required: false
+  }
+].map((signal) => Object.freeze({ ...signal })));
+
+export const VERIFIED_AGENT_TRUST_SCORE_POLICY = Object.freeze({
+  version: "svs.verified-agent-trust-score-policy.v1",
+  scoreVersion: VERIFIED_AGENT_TRUST_SCORE_VERSION,
+  maxScore: VERIFIED_AGENT_TRUST_SCORE_MAX,
+  highTrustMinimumScore: VERIFIED_AGENT_TRUST_SCORE_HIGH_TRUST_MIN,
+  highTrustRequiresEvidenceComplete: true,
+  requiredSignalIds: Object.freeze(
+    VERIFIED_AGENT_TRUST_SCORE_SIGNAL_DEFINITIONS
+      .filter((signal) => signal.required)
+      .map((signal) => signal.id)
+  ),
+  optionalSignalIds: Object.freeze(
+    VERIFIED_AGENT_TRUST_SCORE_SIGNAL_DEFINITIONS
+      .filter((signal) => !signal.required)
+      .map((signal) => signal.id)
+  ),
+  signals: VERIFIED_AGENT_TRUST_SCORE_SIGNAL_DEFINITIONS
+});
+
+export function createVerifiedAgentTrustScore({
+  profile = null,
+  profileVerification = null,
+  registryVerification = null,
+  actionProductionProofEvidence = null,
+  actionProductionProofVerification = null,
+  credentialReadiness = null,
+  hostValidation = null,
+  generatedAt = new Date()
+} = {}) {
+  const generatedAtIso = toIsoString(generatedAt);
+  const profileOk = profileVerification?.ok === true ||
+    profile?.status?.ok === true && profile?.status?.value === "verified";
+  const registryOk = registryVerification?.ok === true ||
+    registryVerification?.status === "verified";
+  const productionCertificationOk = profile?.status?.ok === true &&
+    profile?.certification?.stale !== true &&
+    Boolean(profile?.certification?.certificationHash);
+  const actionProductionProofOk = actionProductionProofVerification?.ok === true ||
+    actionProductionProofEvidence?.productionProof?.ready === true &&
+      actionProductionProofEvidence?.request?.requestSignatureVerified === true &&
+      actionProductionProofEvidence?.humanApproval?.verified === true &&
+      actionProductionProofEvidence?.broadcast?.confirmed === true;
+  const customRegistryOk = profile?.proofs?.actionRecordVerificationOk === true &&
+    profile?.proofs?.receiptRegistrySubmissionVerificationOk === true ||
+    actionProductionProofEvidence?.receiptRegistry?.confirmed === true &&
+      actionProductionProofEvidence?.actionRecordVerification?.ok === true;
+  const credentialCleanupRequiredCount = Number(credentialReadiness?.summary?.cleanupRequiredCount ??
+    credentialReadiness?.credentialCleanup?.expiredPreviousSecretCount ??
+    credentialReadiness?.summary?.expiredPreviousGraceCount ??
+    0);
+  const credentialActiveBotCount = Number(credentialReadiness?.summary?.activeBotCount ??
+    credentialReadiness?.summary?.botCount ??
+    credentialReadiness?.activeBotCount ??
+    0);
+  const credentialProductionReadyCount = Number(credentialReadiness?.summary?.productionReadyCount ??
+    credentialReadiness?.summary?.productionReadyActionObservedCount ??
+    0);
+  const credentialLifecycleReady = credentialReadiness?.productionReady === true ||
+    credentialReadiness?.status === "production_ready" ||
+    credentialReadiness?.summary?.notReadyCount === 0 && credentialActiveBotCount > 0 ||
+    credentialProductionReadyCount > 0;
+  const credentialLifecycleOk = credentialLifecycleReady &&
+    credentialCleanupRequiredCount === 0 &&
+    credentialReadiness?.credentialCleanup?.status !== "cleanup_required";
+  const hostValidationOk = hostValidation?.ok === true ||
+    ["ready", "verified"].includes(hostValidation?.status) && (hostValidation?.failedCheckCount ?? 0) === 0;
+  const secretSafetyOk = profile?.reportSafety?.secretsIncluded === false &&
+    profile?.reportSafety?.sourceEvidenceSecretsIncluded !== true &&
+    actionProductionProofEvidence?.reportSafety?.secretsIncluded !== true;
+  const portableOrWebhookOk = profile?.proofs?.portableSetVerified === true ||
+    actionProductionProofEvidence?.productionProofWebhook?.delivery?.ok === true;
+
+  const signals = [
+    createTrustSignal("profile_verification", profileOk, {
+      detail: profileOk
+        ? `status=${profile?.status?.value ?? profileVerification?.status ?? "verified"}`
+        : "Missing a verified profile or successful profile verification.",
+      evidence: {
+        profileHash: profile?.profileHash ?? profileVerification?.profileHash ?? null,
+        status: profile?.status?.value ?? profileVerification?.status ?? null
+      }
+    }),
+    createTrustSignal("registry_membership", registryOk, {
+      detail: registryOk
+        ? `status=${registryVerification?.status ?? "verified"}`
+        : "Missing a successful registry verification for this agent.",
+      evidence: {
+        registryHash: registryVerification?.registryHash ?? null,
+        botId: registryVerification?.botId ?? profile?.agent?.botId ?? null
+      }
+    }),
+    createTrustSignal("production_certification", productionCertificationOk, {
+      detail: productionCertificationOk
+        ? `certificationHash=${profile?.certification?.certificationHash}`
+        : "Missing a current production certification hash on the verified-agent profile.",
+      evidence: {
+        certificationHash: profile?.certification?.certificationHash ?? null,
+        stale: profile?.certification?.stale ?? null,
+        qualityTargetReady: profile?.qualityTarget?.ready ?? null
+      }
+    }),
+    createTrustSignal("action_production_proof", actionProductionProofOk, {
+      detail: actionProductionProofOk
+        ? `recordId=${actionProductionProofEvidence?.productionProof?.recordId ?? actionProductionProofVerification?.recordId ?? "verified"}`
+        : "Missing a fresh signed action production proof with bot request, human approval, and broadcast evidence.",
+      evidence: {
+        recordId: actionProductionProofEvidence?.productionProof?.recordId ?? actionProductionProofVerification?.recordId ?? null,
+        evidenceHash: actionProductionProofEvidence?.evidenceHash ?? actionProductionProofVerification?.evidenceHash ?? null
+      }
+    }),
+    createTrustSignal("custom_registry_proof", customRegistryOk, {
+      detail: customRegistryOk
+        ? `receiptAccount=${actionProductionProofEvidence?.receiptRegistry?.receiptAccount ?? "profile-pinned"}`
+        : "Missing custom receipt-registry and action-record verification proof.",
+      evidence: {
+        receiptAccount: actionProductionProofEvidence?.receiptRegistry?.receiptAccount ?? null,
+        registrySignature: actionProductionProofEvidence?.receiptRegistry?.signature ?? null
+      }
+    }),
+    createTrustSignal("credential_lifecycle", credentialLifecycleOk, {
+      detail: credentialLifecycleOk
+        ? "Credential readiness is production-ready with no cleanup debt."
+        : "Credential readiness is missing, not production-ready, or has cleanup debt.",
+      evidence: {
+        readinessHash: credentialReadiness?.readinessHash ?? null,
+        activeBotCount: Number.isFinite(credentialActiveBotCount) ? credentialActiveBotCount : null,
+        productionReadyCount: Number.isFinite(credentialProductionReadyCount) ? credentialProductionReadyCount : null,
+        cleanupRequiredCount: Number.isFinite(credentialCleanupRequiredCount) ? credentialCleanupRequiredCount : null,
+        cleanupStatus: credentialReadiness?.credentialCleanup?.status ?? null
+      }
+    }),
+    createTrustSignal("host_framework_validation", hostValidationOk, {
+      detail: hostValidationOk
+        ? `status=${hostValidation?.status ?? "verified"}`
+        : "Host-framework validation evidence is missing or failed.",
+      evidence: {
+        status: hostValidation?.status ?? null,
+        failedCheckCount: hostValidation?.failedCheckCount ?? null,
+        targetCount: hostValidation?.summary?.targetCount ?? hostValidation?.targetCount ?? null
+      }
+    }),
+    createTrustSignal("secret_safety", secretSafetyOk, {
+      detail: secretSafetyOk
+        ? "Public evidence is marked secret-safe."
+        : "Public evidence is missing secret-safety flags or reports source secrets.",
+      evidence: {
+        profileSecretsIncluded: profile?.reportSafety?.secretsIncluded ?? null,
+        sourceEvidenceSecretsIncluded: profile?.reportSafety?.sourceEvidenceSecretsIncluded ?? null,
+        proofSecretsIncluded: actionProductionProofEvidence?.reportSafety?.secretsIncluded ?? null
+      }
+    }),
+    createTrustSignal("portable_or_webhook_proof", portableOrWebhookOk, {
+      detail: portableOrWebhookOk
+        ? "Portable verification set or signed webhook delivery is present."
+        : "Missing portable-set or signed production-proof webhook delivery evidence.",
+      evidence: {
+        portableSetVerified: profile?.proofs?.portableSetVerified ?? null,
+        webhookDeliveryOk: actionProductionProofEvidence?.productionProofWebhook?.delivery?.ok ?? null
+      }
+    })
+  ];
+  const score = signals.reduce((sum, signal) => sum + signal.earned, 0);
+  const failedSignals = signals.filter((signal) => !signal.ok);
+  const blockingSignals = failedSignals.filter((signal) => signal.required);
+  const evidenceComplete = blockingSignals.length === 0;
+  const status = evidenceComplete && score >= VERIFIED_AGENT_TRUST_SCORE_HIGH_TRUST_MIN
+    ? "high_trust"
+    : score >= 70
+      ? "needs_review"
+      : "low_trust";
+  const unsigned = {
+    version: VERIFIED_AGENT_TRUST_SCORE_VERSION,
+    generatedAt: generatedAtIso,
+    status,
+    score,
+    maxScore: VERIFIED_AGENT_TRUST_SCORE_MAX,
+    evidenceComplete,
+    botId: profile?.agent?.botId ?? registryVerification?.botId ?? actionProductionProofEvidence?.productionProof?.botId ?? null,
+    recordId: actionProductionProofEvidence?.productionProof?.recordId ?? actionProductionProofVerification?.recordId ?? profile?.certification?.recordId ?? null,
+    profileHash: profile?.profileHash ?? profileVerification?.profileHash ?? null,
+    registryHash: registryVerification?.registryHash ?? null,
+    signalCount: signals.length,
+    passedSignalCount: signals.length - failedSignals.length,
+    failedSignalCount: failedSignals.length,
+    blockingSignalCount: blockingSignals.length,
+    signals,
+    nextAction: createTrustScoreNextAction({ status, failedSignals, blockingSignals })
+  };
+
+  return {
+    ...unsigned,
+    trustScoreHash: hashVerifiedAgentTrustScore(unsigned)
+  };
+}
+
+export function hashVerifiedAgentTrustScore(score) {
+  if (!score || typeof score !== "object") {
+    return null;
+  }
+
+  const {
+    trustScoreHash: _trustScoreHash,
+    computedTrustScoreHash: _computedTrustScoreHash,
+    ...unsigned
+  } = score;
+
+  return hashObject(unsigned);
+}
+
+function createTrustSignal(id, ok, {
+  detail,
+  evidence
+} = {}) {
+  const definition = VERIFIED_AGENT_TRUST_SCORE_SIGNAL_DEFINITIONS.find((item) => item.id === id);
+  if (!definition) {
+    throw new Error(`Unknown SVS trust score signal: ${id}`);
+  }
+
+  return {
+    id,
+    label: definition.label,
+    weight: definition.weight,
+    earned: ok ? definition.weight : 0,
+    required: definition.required,
+    ok: Boolean(ok),
+    detail,
+    evidence: pruneNullish(evidence)
+  };
+}
+
+function createTrustScoreNextAction({
+  status,
+  failedSignals,
+  blockingSignals
+}) {
+  const firstBlocking = blockingSignals[0];
+  const firstFailed = failedSignals[0];
+  const target = firstBlocking ?? firstFailed;
+
+  if (!target) {
+    return {
+      code: "none",
+      message: "Verified-agent trust score has all evidence signals present."
+    };
+  }
+
+  return {
+    code: firstBlocking ? "fix_required_trust_signal" : "improve_optional_trust_signal",
+    message: `${status === "needs_review" ? "Improve" : "Fix"} ${target.label}: ${target.detail}`,
+    signalId: target.id
+  };
+}
+
+function toIsoString(value) {
+  const date = value instanceof Date ? value : new Date(value);
+
+  if (Number.isNaN(date.getTime())) {
+    return new Date().toISOString();
+  }
+
+  return date.toISOString();
+}
+
+function pruneNullish(value) {
+  if (!value || typeof value !== "object") {
+    return {};
+  }
+
+  return Object.fromEntries(
+    Object.entries(value).filter((entry) => entry[1] !== null && entry[1] !== undefined)
+  );
+}