@vorionsys/a3i 0.1.0

package/dist/hooks/types.d.ts

@@ -0,0 +1,226 @@
+/**
+ * Hook System Types - Type definitions for the hook system
+ *
+ * Hooks allow extensibility at key points in the authorization
+ * and execution lifecycle.
+ */
+import type { Intent, Decision, TrustProfile, ProofEvent } from '@vorionsys/contracts';
+/**
+ * Hook lifecycle phases
+ */
+export declare enum HookPhase {
+    /** Before authorization decision */
+    PRE_AUTHORIZE = "pre-authorize",
+    /** After authorization decision */
+    POST_AUTHORIZE = "post-authorize",
+    /** Before action execution */
+    PRE_EXECUTE = "pre-execute",
+    /** After successful execution */
+    POST_EXECUTE = "post-execute",
+    /** After failed execution */
+    EXECUTION_FAILED = "execution-failed",
+    /** When trust score changes */
+    TRUST_CHANGE = "trust-change",
+    /** When a trust violation occurs */
+    TRUST_VIOLATION = "trust-violation",
+    /** When a proof event is emitted */
+    EVENT_EMITTED = "event-emitted"
+}
+/**
+ * Hook execution priority
+ * Lower numbers execute first
+ */
+export declare enum HookPriority {
+    CRITICAL = 0,
+    HIGH = 100,
+    NORMAL = 500,
+    LOW = 900,
+    MONITOR = 1000
+}
+/**
+ * Result of hook execution
+ */
+export interface HookResult {
+    /** Whether the hook succeeded */
+    success: boolean;
+    /** Whether to abort the operation (for pre- hooks) */
+    abort?: boolean;
+    /** Reason for abort */
+    abortReason?: string;
+    /** Modified data (if applicable) */
+    modified?: unknown;
+    /** Error if hook failed */
+    error?: Error;
+    /** Execution time in ms */
+    durationMs: number;
+}
+/**
+ * Context passed to all hooks
+ */
+export interface HookContext {
+    /** Unique ID for this hook execution chain */
+    executionId: string;
+    /** Correlation ID for tracing */
+    correlationId: string;
+    /** Timestamp when the hook chain started */
+    startedAt: Date;
+    /** Custom metadata */
+    metadata: Record<string, unknown>;
+}
+/**
+ * Context for pre-authorize hooks
+ */
+export interface PreAuthorizeContext extends HookContext {
+    /** The intent being authorized */
+    intent: Intent;
+    /** Agent's trust profile (if available) */
+    profile?: TrustProfile;
+}
+/**
+ * Context for post-authorize hooks
+ */
+export interface PostAuthorizeContext extends HookContext {
+    /** The original intent */
+    intent: Intent;
+    /** The authorization decision */
+    decision: Decision;
+    /** Agent's trust profile */
+    profile: TrustProfile;
+}
+/**
+ * Context for pre-execute hooks
+ */
+export interface PreExecuteContext extends HookContext {
+    /** The authorization decision */
+    decision: Decision;
+    /** The original intent */
+    intent: Intent;
+    /** Agent's trust profile */
+    profile: TrustProfile;
+    /** Execution parameters */
+    params?: Record<string, unknown>;
+}
+/**
+ * Context for post-execute hooks
+ */
+export interface PostExecuteContext extends HookContext {
+    /** The authorization decision */
+    decision: Decision;
+    /** The original intent */
+    intent: Intent;
+    /** Execution result */
+    result: unknown;
+    /** Execution duration in ms */
+    durationMs: number;
+}
+/**
+ * Context for execution-failed hooks
+ */
+export interface ExecutionFailedContext extends HookContext {
+    /** The authorization decision */
+    decision: Decision;
+    /** The original intent */
+    intent: Intent;
+    /** The error that occurred */
+    error: Error;
+    /** Execution duration before failure in ms */
+    durationMs: number;
+    /** Whether the operation can be retried */
+    retryable: boolean;
+}
+/**
+ * Context for trust-change hooks
+ */
+export interface TrustChangeContext extends HookContext {
+    /** Agent ID */
+    agentId: string;
+    /** Previous trust profile */
+    previousProfile: TrustProfile;
+    /** New trust profile */
+    newProfile: TrustProfile;
+    /** Reason for the change */
+    reason: string;
+}
+/**
+ * Context for trust-violation hooks
+ */
+export interface TrustViolationContext extends HookContext {
+    /** Agent ID */
+    agentId: string;
+    /** Current trust profile */
+    profile: TrustProfile;
+    /** Type of violation */
+    violationType: string;
+    /** Violation details */
+    details: Record<string, unknown>;
+    /** Severity level */
+    severity: 'low' | 'medium' | 'high' | 'critical';
+}
+/**
+ * Context for event-emitted hooks
+ */
+export interface EventEmittedContext extends HookContext {
+    /** The emitted proof event */
+    event: ProofEvent;
+}
+/**
+ * Union type for all hook contexts
+ */
+export type AnyHookContext = PreAuthorizeContext | PostAuthorizeContext | PreExecuteContext | PostExecuteContext | ExecutionFailedContext | TrustChangeContext | TrustViolationContext | EventEmittedContext;
+/**
+ * Hook handler function signature
+ */
+export type HookHandler<T extends AnyHookContext = AnyHookContext> = (context: T) => HookResult | Promise<HookResult>;
+/**
+ * Hook definition
+ */
+export interface HookDefinition<T extends AnyHookContext = AnyHookContext> {
+    /** Unique hook ID */
+    id: string;
+    /** Hook name for display */
+    name: string;
+    /** Hook phase */
+    phase: HookPhase;
+    /** Execution priority */
+    priority: HookPriority;
+    /** The hook handler function */
+    handler: HookHandler<T>;
+    /** Whether the hook is enabled */
+    enabled: boolean;
+    /** Timeout in ms (default: 5000) */
+    timeoutMs?: number;
+    /** Whether to continue on error */
+    continueOnError?: boolean;
+    /** Optional filter function */
+    filter?: (context: T) => boolean;
+    /** Hook metadata */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Summary of hook execution
+ */
+export interface HookExecutionSummary {
+    /** Hook phase */
+    phase: HookPhase;
+    /** Number of hooks executed */
+    hooksExecuted: number;
+    /** Number of hooks that succeeded */
+    succeeded: number;
+    /** Number of hooks that failed */
+    failed: number;
+    /** Number of hooks that were skipped */
+    skipped: number;
+    /** Whether any hook requested abort */
+    aborted: boolean;
+    /** Abort reason (if aborted) */
+    abortReason?: string;
+    /** Total execution time in ms */
+    totalDurationMs: number;
+    /** Individual hook results */
+    results: Array<{
+        hookId: string;
+        hookName: string;
+        result: HookResult;
+    }>;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/hooks/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/hooks/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EACV,MAAM,EACN,QAAQ,EACR,YAAY,EACZ,UAAU,EACX,MAAM,sBAAsB,CAAC;AAE9B;;GAEG;AACH,oBAAY,SAAS;IACnB,oCAAoC;IACpC,aAAa,kBAAkB;IAC/B,mCAAmC;IACnC,cAAc,mBAAmB;IACjC,8BAA8B;IAC9B,WAAW,gBAAgB;IAC3B,iCAAiC;IACjC,YAAY,iBAAiB;IAC7B,6BAA6B;IAC7B,gBAAgB,qBAAqB;IACrC,+BAA+B;IAC/B,YAAY,iBAAiB;IAC7B,oCAAoC;IACpC,eAAe,oBAAoB;IACnC,oCAAoC;IACpC,aAAa,kBAAkB;CAChC;AAED;;;GAGG;AACH,oBAAY,YAAY;IACtB,QAAQ,IAAI;IACZ,IAAI,MAAM;IACV,MAAM,MAAM;IACZ,GAAG,MAAM;IACT,OAAO,OAAO;CACf;AAED;;GAEG;AACH,MAAM,WAAW,UAAU;IACzB,iCAAiC;IACjC,OAAO,EAAE,OAAO,CAAC;IACjB,sDAAsD;IACtD,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,uBAAuB;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,oCAAoC;IACpC,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,2BAA2B;IAC3B,KAAK,CAAC,EAAE,KAAK,CAAC;IACd,2BAA2B;IAC3B,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,8CAA8C;IAC9C,WAAW,EAAE,MAAM,CAAC;IACpB,iCAAiC;IACjC,aAAa,EAAE,MAAM,CAAC;IACtB,4CAA4C;IAC5C,SAAS,EAAE,IAAI,CAAC;IAChB,sBAAsB;IACtB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,WAAW;IACtD,kCAAkC;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,2CAA2C;IAC3C,OAAO,CAAC,EAAE,YAAY,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAqB,SAAQ,WAAW;IACvD,0BAA0B;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,iCAAiC;IACjC,QAAQ,EAAE,QAAQ,CAAC;IACnB,4BAA4B;IAC5B,OAAO,EAAE,YAAY,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAkB,SAAQ,WAAW;IACpD,iCAAiC;IACjC,QAAQ,EAAE,QAAQ,CAAC;IACnB,0BAA0B;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,4BAA4B;IAC5B,OAAO,EAAE,YAAY,CAAC;IACtB,2BAA2B;IAC3B,MAAM,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC;AAED;;GAEG;AACH,MAAM,WAAW,kBAAmB,SAAQ,WAAW;IACrD,iCAAiC;IACjC,QAAQ,EAAE,QAAQ,CAAC;IACnB,0BAA0B;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,uBAAuB;IACvB,MAAM,EAAE,OAAO,CAAC;IAChB,+BAA+B;IAC/B,UAAU,EAAE,MAAM,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,sBAAuB,SAAQ,WAAW;IACzD,iCAAiC;IACjC,QAAQ,EAAE,QAAQ,CAAC;IACnB,0BAA0B;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,8BAA8B;IAC9B,KAAK,EAAE,KAAK,CAAC;IACb,8CAA8C;IAC9C,UAAU,EAAE,MAAM,CAAC;IACnB,2CAA2C;IAC3C,SAAS,EAAE,OAAO,CAAC;CACpB;AAED;;GAEG;AACH,MAAM,WAAW,kBAAmB,SAAQ,WAAW;IACrD,eAAe;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,6BAA6B;IAC7B,eAAe,EAAE,YAAY,CAAC;IAC9B,wBAAwB;IACxB,UAAU,EAAE,YAAY,CAAC;IACzB,4BAA4B;IAC5B,MAAM,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAsB,SAAQ,WAAW;IACxD,eAAe;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,4BAA4B;IAC5B,OAAO,EAAE,YAAY,CAAC;IACtB,wBAAwB;IACxB,aAAa,EAAE,MAAM,CAAC;IACtB,wBAAwB;IACxB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACjC,qBAAqB;IACrB,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;CAClD;AAED;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,WAAW;IACtD,8BAA8B;IAC9B,KAAK,EAAE,UAAU,CAAC;CACnB;AAED;;GAEG;AACH,MAAM,MAAM,cAAc,GACtB,mBAAmB,GACnB,oBAAoB,GACpB,iBAAiB,GACjB,kBAAkB,GAClB,sBAAsB,GACtB,kBAAkB,GAClB,qBAAqB,GACrB,mBAAmB,CAAC;AAExB;;GAEG;AACH,MAAM,MAAM,WAAW,CAAC,CAAC,SAAS,cAAc,GAAG,cAAc,IAAI,CACnE,OAAO,EAAE,CAAC,KACP,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAAC;AAEtC;;GAEG;AACH,MAAM,WAAW,cAAc,CAAC,CAAC,SAAS,cAAc,GAAG,cAAc;IACvE,qBAAqB;IACrB,EAAE,EAAE,MAAM,CAAC;IACX,4BAA4B;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,iBAAiB;IACjB,KAAK,EAAE,SAAS,CAAC;IACjB,yBAAyB;IACzB,QAAQ,EAAE,YAAY,CAAC;IACvB,gCAAgC;IAChC,OAAO,EAAE,WAAW,CAAC,CAAC,CAAC,CAAC;IACxB,kCAAkC;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,oCAAoC;IACpC,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,mCAAmC;IACnC,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,+BAA+B;IAC/B,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,KAAK,OAAO,CAAC;IACjC,oBAAoB;IACpB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,iBAAiB;IACjB,KAAK,EAAE,SAAS,CAAC;IACjB,+BAA+B;IAC/B,aAAa,EAAE,MAAM,CAAC;IACtB,qCAAqC;IACrC,SAAS,EAAE,MAAM,CAAC;IAClB,kCAAkC;IAClC,MAAM,EAAE,MAAM,CAAC;IACf,wCAAwC;IACxC,OAAO,EAAE,MAAM,CAAC;IAChB,uCAAuC;IACvC,OAAO,EAAE,OAAO,CAAC;IACjB,gCAAgC;IAChC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,iCAAiC;IACjC,eAAe,EAAE,MAAM,CAAC;IACxB,8BAA8B;IAC9B,OAAO,EAAE,KAAK,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,UAAU,CAAC;KACpB,CAAC,CAAC;CACJ"}

package/dist/hooks/types.js

@@ -0,0 +1,41 @@
+/**
+ * Hook System Types - Type definitions for the hook system
+ *
+ * Hooks allow extensibility at key points in the authorization
+ * and execution lifecycle.
+ */
+/**
+ * Hook lifecycle phases
+ */
+export var HookPhase;
+(function (HookPhase) {
+    /** Before authorization decision */
+    HookPhase["PRE_AUTHORIZE"] = "pre-authorize";
+    /** After authorization decision */
+    HookPhase["POST_AUTHORIZE"] = "post-authorize";
+    /** Before action execution */
+    HookPhase["PRE_EXECUTE"] = "pre-execute";
+    /** After successful execution */
+    HookPhase["POST_EXECUTE"] = "post-execute";
+    /** After failed execution */
+    HookPhase["EXECUTION_FAILED"] = "execution-failed";
+    /** When trust score changes */
+    HookPhase["TRUST_CHANGE"] = "trust-change";
+    /** When a trust violation occurs */
+    HookPhase["TRUST_VIOLATION"] = "trust-violation";
+    /** When a proof event is emitted */
+    HookPhase["EVENT_EMITTED"] = "event-emitted";
+})(HookPhase || (HookPhase = {}));
+/**
+ * Hook execution priority
+ * Lower numbers execute first
+ */
+export var HookPriority;
+(function (HookPriority) {
+    HookPriority[HookPriority["CRITICAL"] = 0] = "CRITICAL";
+    HookPriority[HookPriority["HIGH"] = 100] = "HIGH";
+    HookPriority[HookPriority["NORMAL"] = 500] = "NORMAL";
+    HookPriority[HookPriority["LOW"] = 900] = "LOW";
+    HookPriority[HookPriority["MONITOR"] = 1000] = "MONITOR";
+})(HookPriority || (HookPriority = {}));
+//# sourceMappingURL=types.js.map

package/dist/hooks/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/hooks/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AASH;;GAEG;AACH,MAAM,CAAN,IAAY,SAiBX;AAjBD,WAAY,SAAS;IACnB,oCAAoC;IACpC,4CAA+B,CAAA;IAC/B,mCAAmC;IACnC,8CAAiC,CAAA;IACjC,8BAA8B;IAC9B,wCAA2B,CAAA;IAC3B,iCAAiC;IACjC,0CAA6B,CAAA;IAC7B,6BAA6B;IAC7B,kDAAqC,CAAA;IACrC,+BAA+B;IAC/B,0CAA6B,CAAA;IAC7B,oCAAoC;IACpC,gDAAmC,CAAA;IACnC,oCAAoC;IACpC,4CAA+B,CAAA;AACjC,CAAC,EAjBW,SAAS,KAAT,SAAS,QAiBpB;AAED;;;GAGG;AACH,MAAM,CAAN,IAAY,YAMX;AAND,WAAY,YAAY;IACtB,uDAAY,CAAA;IACZ,iDAAU,CAAA;IACV,qDAAY,CAAA;IACZ,+CAAS,CAAA;IACT,wDAAc,CAAA;AAChB,CAAC,EANW,YAAY,KAAZ,YAAY,QAMvB"}

package/dist/index.d.ts

@@ -0,0 +1,20 @@
+/**
+ * @vorion/a3i - Agent Anchor AI Trust Engine
+ *
+ * The A3I package provides trust scoring, banding, and authorization
+ * for AI agents within the Vorion platform.
+ *
+ * @packageDocumentation
+ */
+export * from './trust/index.js';
+export * from './banding/index.js';
+export * from './observation/index.js';
+export * from './authorization/index.js';
+export * from './api/index.js';
+export * from './hooks/index.js';
+export * from './execution/index.js';
+export * from './orchestrator/index.js';
+export * from './canary/index.js';
+export * from './gate/index.js';
+export declare const VERSION = "0.1.0";
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,cAAc,kBAAkB,CAAC;AAGjC,cAAc,oBAAoB,CAAC;AAGnC,cAAc,wBAAwB,CAAC;AAGvC,cAAc,0BAA0B,CAAC;AAGzC,cAAc,gBAAgB,CAAC;AAG/B,cAAc,kBAAkB,CAAC;AAGjC,cAAc,sBAAsB,CAAC;AAGrC,cAAc,yBAAyB,CAAC;AAGxC,cAAc,mBAAmB,CAAC;AAGlC,cAAc,iBAAiB,CAAC;AAGhC,eAAO,MAAM,OAAO,UAAU,CAAC"}

package/dist/index.js

@@ -0,0 +1,31 @@
+/**
+ * @vorion/a3i - Agent Anchor AI Trust Engine
+ *
+ * The A3I package provides trust scoring, banding, and authorization
+ * for AI agents within the Vorion platform.
+ *
+ * @packageDocumentation
+ */
+// Trust module
+export * from './trust/index.js';
+// Banding module
+export * from './banding/index.js';
+// Observation module
+export * from './observation/index.js';
+// Authorization module
+export * from './authorization/index.js';
+// API module
+export * from './api/index.js';
+// Hooks module
+export * from './hooks/index.js';
+// Execution module
+export * from './execution/index.js';
+// Orchestrator module
+export * from './orchestrator/index.js';
+// Canary Probe module (ATSF v2.0)
+export * from './canary/index.js';
+// Pre-Action Gate module (ATSF v2.0)
+export * from './gate/index.js';
+// Version
+export const VERSION = '0.1.0';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,eAAe;AACf,cAAc,kBAAkB,CAAC;AAEjC,iBAAiB;AACjB,cAAc,oBAAoB,CAAC;AAEnC,qBAAqB;AACrB,cAAc,wBAAwB,CAAC;AAEvC,uBAAuB;AACvB,cAAc,0BAA0B,CAAC;AAEzC,aAAa;AACb,cAAc,gBAAgB,CAAC;AAE/B,eAAe;AACf,cAAc,kBAAkB,CAAC;AAEjC,mBAAmB;AACnB,cAAc,sBAAsB,CAAC;AAErC,sBAAsB;AACtB,cAAc,yBAAyB,CAAC;AAExC,kCAAkC;AAClC,cAAc,mBAAmB,CAAC;AAElC,qCAAqC;AACrC,cAAc,iBAAiB,CAAC;AAEhC,UAAU;AACV,MAAM,CAAC,MAAM,OAAO,GAAG,OAAO,CAAC"}

package/dist/observation/attestation.d.ts

@@ -0,0 +1,102 @@
+/**
+ * Attestation - Cryptographic proof of agent integrity
+ *
+ * For ATTESTED_BOX tier, we need hardware-backed proofs
+ * that the agent code and configuration match expected values.
+ */
+import { ObservationTier } from '@vorionsys/contracts';
+/**
+ * Types of cryptographic attestation
+ */
+export declare enum AttestationType {
+    /** No attestation */
+    NONE = "none",
+    /** Software-only hash verification */
+    SOFTWARE_HASH = "software_hash",
+    /** TPM-backed attestation */
+    TPM_QUOTE = "tpm_quote",
+    /** Intel SGX enclave quote */
+    SGX_QUOTE = "sgx_quote",
+    /** AMD SEV-SNP report */
+    SEV_SNP_REPORT = "sev_snp",
+    /** Intel TDX quote */
+    TDX_QUOTE = "tdx_quote",
+    /** NVIDIA Confidential Computing (H100) */
+    NVIDIA_CC = "nvidia_cc"
+}
+/**
+ * Hardware attestation types
+ */
+export declare const HARDWARE_ATTESTATION_TYPES: Set<AttestationType>;
+/**
+ * Map attestation type to observation tier
+ */
+export declare function getObservationTierForAttestation(type: AttestationType): ObservationTier;
+/**
+ * Attestation evidence
+ */
+export interface AttestationEvidence {
+    /** Unique attestation ID */
+    attestationId: string;
+    /** Type of attestation */
+    attestationType: AttestationType;
+    /** When attestation was created */
+    timestamp: Date;
+    /** SHA-256 hash of orchestration code */
+    codeHash: string;
+    /** SHA-256 hash of model weights (if accessible) */
+    weightsHash?: string;
+    /** SHA-256 hash of configuration */
+    configHash: string;
+    /** Raw attestation quote from TEE */
+    platformQuote?: string;
+    /** PCR/RTMR measurement values */
+    measurementRegisters?: Record<string, string>;
+    /** Certificate chain for verification */
+    certificateChain: string[];
+    /** Who verified this attestation */
+    verifiedBy?: string;
+    /** When verification occurred */
+    verificationTimestamp?: Date;
+    /** Expected hash of code */
+    goldenImageHash?: string;
+    /** Does current hash match golden image? */
+    matchesGoldenImage?: boolean;
+}
+/**
+ * Verification result
+ */
+export interface AttestationVerificationResult {
+    /** Is the attestation valid? */
+    valid: boolean;
+    /** Is it hardware-backed? */
+    hardwareBacked: boolean;
+    /** Does it match the golden image? */
+    matchesGoldenImage: boolean;
+    /** Resulting observation tier */
+    observationTier: ObservationTier;
+    /** Any issues found */
+    issues: string[];
+    /** Verification timestamp */
+    verifiedAt: Date;
+}
+/**
+ * Create attestation evidence
+ */
+export declare function createAttestationEvidence(options: Omit<AttestationEvidence, 'attestationId' | 'timestamp'>): AttestationEvidence;
+/**
+ * Check if attestation is hardware-backed
+ */
+export declare function isHardwareBacked(attestation: AttestationEvidence): boolean;
+/**
+ * Verify attestation evidence
+ *
+ * Note: This is a simplified verification. Real implementation
+ * would verify cryptographic signatures against TEE manufacturer roots.
+ */
+export declare function verifyAttestation(attestation: AttestationEvidence): AttestationVerificationResult;
+/**
+ * Compute SHA-256 hash (placeholder - would use crypto in real impl)
+ */
+export declare function computeHash(data: string): string;
+//# sourceMappingURL=attestation.d.ts.map

package/dist/observation/attestation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"attestation.d.ts","sourceRoot":"","sources":["../../src/observation/attestation.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAEvD;;GAEG;AACH,oBAAY,eAAe;IACzB,qBAAqB;IACrB,IAAI,SAAS;IACb,sCAAsC;IACtC,aAAa,kBAAkB;IAC/B,6BAA6B;IAC7B,SAAS,cAAc;IACvB,8BAA8B;IAC9B,SAAS,cAAc;IACvB,yBAAyB;IACzB,cAAc,YAAY;IAC1B,sBAAsB;IACtB,SAAS,cAAc;IACvB,2CAA2C;IAC3C,SAAS,cAAc;CACxB;AAED;;GAEG;AACH,eAAO,MAAM,0BAA0B,sBAMrC,CAAC;AAEH;;GAEG;AACH,wBAAgB,gCAAgC,CAC9C,IAAI,EAAE,eAAe,GACpB,eAAe,CAQjB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,4BAA4B;IAC5B,aAAa,EAAE,MAAM,CAAC;IACtB,0BAA0B;IAC1B,eAAe,EAAE,eAAe,CAAC;IACjC,mCAAmC;IACnC,SAAS,EAAE,IAAI,CAAC;IAGhB,yCAAyC;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,oDAAoD;IACpD,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,oCAAoC;IACpC,UAAU,EAAE,MAAM,CAAC;IAGnB,qCAAqC;IACrC,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,kCAAkC;IAClC,oBAAoB,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAG9C,yCAAyC;IACzC,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAC3B,oCAAoC;IACpC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,iCAAiC;IACjC,qBAAqB,CAAC,EAAE,IAAI,CAAC;IAG7B,4BAA4B;IAC5B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,4CAA4C;IAC5C,kBAAkB,CAAC,EAAE,OAAO,CAAC;CAC9B;AAED;;GAEG;AACH,MAAM,WAAW,6BAA6B;IAC5C,gCAAgC;IAChC,KAAK,EAAE,OAAO,CAAC;IACf,6BAA6B;IAC7B,cAAc,EAAE,OAAO,CAAC;IACxB,sCAAsC;IACtC,kBAAkB,EAAE,OAAO,CAAC;IAC5B,iCAAiC;IACjC,eAAe,EAAE,eAAe,CAAC;IACjC,uBAAuB;IACvB,MAAM,EAAE,MAAM,EAAE,CAAC;IACjB,6BAA6B;IAC7B,UAAU,EAAE,IAAI,CAAC;CAClB;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,OAAO,EAAE,IAAI,CAAC,mBAAmB,EAAE,eAAe,GAAG,WAAW,CAAC,GAChE,mBAAmB,CAMrB;AAED;;GAEG;AACH,wBAAgB,gBAAgB,CAAC,WAAW,EAAE,mBAAmB,GAAG,OAAO,CAE1E;AAED;;;;;GAKG;AACH,wBAAgB,iBAAiB,CAC/B,WAAW,EAAE,mBAAmB,GAC/B,6BAA6B,CA8C/B;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAUhD"}

package/dist/observation/attestation.js

@@ -0,0 +1,127 @@
+/**
+ * Attestation - Cryptographic proof of agent integrity
+ *
+ * For ATTESTED_BOX tier, we need hardware-backed proofs
+ * that the agent code and configuration match expected values.
+ */
+import { v4 as uuidv4 } from 'uuid';
+import { ObservationTier } from '@vorionsys/contracts';
+/**
+ * Types of cryptographic attestation
+ */
+export var AttestationType;
+(function (AttestationType) {
+    /** No attestation */
+    AttestationType["NONE"] = "none";
+    /** Software-only hash verification */
+    AttestationType["SOFTWARE_HASH"] = "software_hash";
+    /** TPM-backed attestation */
+    AttestationType["TPM_QUOTE"] = "tpm_quote";
+    /** Intel SGX enclave quote */
+    AttestationType["SGX_QUOTE"] = "sgx_quote";
+    /** AMD SEV-SNP report */
+    AttestationType["SEV_SNP_REPORT"] = "sev_snp";
+    /** Intel TDX quote */
+    AttestationType["TDX_QUOTE"] = "tdx_quote";
+    /** NVIDIA Confidential Computing (H100) */
+    AttestationType["NVIDIA_CC"] = "nvidia_cc";
+})(AttestationType || (AttestationType = {}));
+/**
+ * Hardware attestation types
+ */
+export const HARDWARE_ATTESTATION_TYPES = new Set([
+    AttestationType.TPM_QUOTE,
+    AttestationType.SGX_QUOTE,
+    AttestationType.SEV_SNP_REPORT,
+    AttestationType.TDX_QUOTE,
+    AttestationType.NVIDIA_CC,
+]);
+/**
+ * Map attestation type to observation tier
+ */
+export function getObservationTierForAttestation(type) {
+    if (HARDWARE_ATTESTATION_TYPES.has(type)) {
+        return ObservationTier.ATTESTED_BOX;
+    }
+    if (type === AttestationType.SOFTWARE_HASH) {
+        return ObservationTier.WHITE_BOX;
+    }
+    return ObservationTier.BLACK_BOX;
+}
+/**
+ * Create attestation evidence
+ */
+export function createAttestationEvidence(options) {
+    return {
+        attestationId: uuidv4(),
+        timestamp: new Date(),
+        ...options,
+    };
+}
+/**
+ * Check if attestation is hardware-backed
+ */
+export function isHardwareBacked(attestation) {
+    return HARDWARE_ATTESTATION_TYPES.has(attestation.attestationType);
+}
+/**
+ * Verify attestation evidence
+ *
+ * Note: This is a simplified verification. Real implementation
+ * would verify cryptographic signatures against TEE manufacturer roots.
+ */
+export function verifyAttestation(attestation) {
+    const issues = [];
+    // Check attestation type
+    const hardwareBacked = isHardwareBacked(attestation);
+    if (!hardwareBacked && attestation.attestationType !== AttestationType.SOFTWARE_HASH) {
+        issues.push('No valid attestation type');
+    }
+    // Check required hashes
+    if (!attestation.codeHash) {
+        issues.push('Missing code hash');
+    }
+    if (!attestation.configHash) {
+        issues.push('Missing config hash');
+    }
+    // Check hardware-specific requirements
+    if (hardwareBacked && !attestation.platformQuote) {
+        issues.push('Hardware attestation requires platform quote');
+    }
+    // Check golden image
+    const matchesGoldenImage = attestation.matchesGoldenImage ?? false;
+    if (attestation.goldenImageHash && !matchesGoldenImage) {
+        issues.push('Code hash does not match golden image');
+    }
+    // Check certificate chain
+    if (hardwareBacked && attestation.certificateChain.length === 0) {
+        issues.push('Hardware attestation requires certificate chain');
+    }
+    const valid = issues.length === 0;
+    const observationTier = valid
+        ? getObservationTierForAttestation(attestation.attestationType)
+        : ObservationTier.BLACK_BOX;
+    return {
+        valid,
+        hardwareBacked,
+        matchesGoldenImage,
+        observationTier,
+        issues,
+        verifiedAt: new Date(),
+    };
+}
+/**
+ * Compute SHA-256 hash (placeholder - would use crypto in real impl)
+ */
+export function computeHash(data) {
+    // In real implementation, use crypto.subtle.digest or crypto.createHash
+    // This is a placeholder that would need proper crypto implementation
+    let hash = 0;
+    for (let i = 0; i < data.length; i++) {
+        const char = data.charCodeAt(i);
+        hash = ((hash << 5) - hash) + char;
+        hash = hash & hash;
+    }
+    return Math.abs(hash).toString(16).padStart(64, '0');
+}
+//# sourceMappingURL=attestation.js.map

package/dist/observation/attestation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"attestation.js","sourceRoot":"","sources":["../../src/observation/attestation.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,EAAE,IAAI,MAAM,EAAE,MAAM,MAAM,CAAC;AACpC,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AAEvD;;GAEG;AACH,MAAM,CAAN,IAAY,eAeX;AAfD,WAAY,eAAe;IACzB,qBAAqB;IACrB,gCAAa,CAAA;IACb,sCAAsC;IACtC,kDAA+B,CAAA;IAC/B,6BAA6B;IAC7B,0CAAuB,CAAA;IACvB,8BAA8B;IAC9B,0CAAuB,CAAA;IACvB,yBAAyB;IACzB,6CAA0B,CAAA;IAC1B,sBAAsB;IACtB,0CAAuB,CAAA;IACvB,2CAA2C;IAC3C,0CAAuB,CAAA;AACzB,CAAC,EAfW,eAAe,KAAf,eAAe,QAe1B;AAED;;GAEG;AACH,MAAM,CAAC,MAAM,0BAA0B,GAAG,IAAI,GAAG,CAAC;IAChD,eAAe,CAAC,SAAS;IACzB,eAAe,CAAC,SAAS;IACzB,eAAe,CAAC,cAAc;IAC9B,eAAe,CAAC,SAAS;IACzB,eAAe,CAAC,SAAS;CAC1B,CAAC,CAAC;AAEH;;GAEG;AACH,MAAM,UAAU,gCAAgC,CAC9C,IAAqB;IAErB,IAAI,0BAA0B,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;QACzC,OAAO,eAAe,CAAC,YAAY,CAAC;IACtC,CAAC;IACD,IAAI,IAAI,KAAK,eAAe,CAAC,aAAa,EAAE,CAAC;QAC3C,OAAO,eAAe,CAAC,SAAS,CAAC;IACnC,CAAC;IACD,OAAO,eAAe,CAAC,SAAS,CAAC;AACnC,CAAC;AA4DD;;GAEG;AACH,MAAM,UAAU,yBAAyB,CACvC,OAAiE;IAEjE,OAAO;QACL,aAAa,EAAE,MAAM,EAAE;QACvB,SAAS,EAAE,IAAI,IAAI,EAAE;QACrB,GAAG,OAAO;KACX,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAAC,WAAgC;IAC/D,OAAO,0BAA0B,CAAC,GAAG,CAAC,WAAW,CAAC,eAAe,CAAC,CAAC;AACrE,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,iBAAiB,CAC/B,WAAgC;IAEhC,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,yBAAyB;IACzB,MAAM,cAAc,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;IACrD,IAAI,CAAC,cAAc,IAAI,WAAW,CAAC,eAAe,KAAK,eAAe,CAAC,aAAa,EAAE,CAAC;QACrF,MAAM,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC;IAC3C,CAAC;IAED,wBAAwB;IACxB,IAAI,CAAC,WAAW,CAAC,QAAQ,EAAE,CAAC;QAC1B,MAAM,CAAC,IAAI,CAAC,mBAAmB,CAAC,CAAC;IACnC,CAAC;IACD,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,CAAC;QAC5B,MAAM,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;IACrC,CAAC;IAED,uCAAuC;IACvC,IAAI,cAAc,IAAI,CAAC,WAAW,CAAC,aAAa,EAAE,CAAC;QACjD,MAAM,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC;IAC9D,CAAC;IAED,qBAAqB;IACrB,MAAM,kBAAkB,GAAG,WAAW,CAAC,kBAAkB,IAAI,KAAK,CAAC;IACnE,IAAI,WAAW,CAAC,eAAe,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACvD,MAAM,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;IACvD,CAAC;IAED,0BAA0B;IAC1B,IAAI,cAAc,IAAI,WAAW,CAAC,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAChE,MAAM,CAAC,IAAI,CAAC,iDAAiD,CAAC,CAAC;IACjE,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,KAAK,CAAC,CAAC;IAClC,MAAM,eAAe,GAAG,KAAK;QAC3B,CAAC,CAAC,gCAAgC,CAAC,WAAW,CAAC,eAAe,CAAC;QAC/D,CAAC,CAAC,eAAe,CAAC,SAAS,CAAC;IAE9B,OAAO;QACL,KAAK;QACL,cAAc;QACd,kBAAkB;QAClB,eAAe;QACf,MAAM;QACN,UAAU,EAAE,IAAI,IAAI,EAAE;KACvB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,IAAY;IACtC,wEAAwE;IACxE,qEAAqE;IACrE,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrC,MAAM,IAAI,GAAG,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAChC,IAAI,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,GAAG,IAAI,CAAC;QACnC,IAAI,GAAG,IAAI,GAAG,IAAI,CAAC;IACrB,CAAC;IACD,OAAO,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,EAAE,EAAE,GAAG,CAAC,CAAC;AACvD,CAAC"}

package/dist/observation/ceilings.d.ts

@@ -0,0 +1,60 @@
+/**
+ * Trust Ceilings - Score limits based on observation tier
+ *
+ * Key insight: Cannot fully trust what you cannot inspect.
+ * API-accessed proprietary models are capped at 60% max trust.
+ */
+import { ObservationTier, OBSERVATION_CEILINGS } from '@vorionsys/contracts';
+export { OBSERVATION_CEILINGS };
+/**
+ * Apply trust ceiling based on observation tier
+ *
+ * @param score - The raw trust score (0-100)
+ * @param tier - The observation tier
+ * @returns The adjusted score after applying ceiling
+ */
+export declare function applyCeiling(score: number, tier: ObservationTier): number;
+/**
+ * Calculate how much trust is being lost to the ceiling
+ */
+export declare function getCeilingLoss(score: number, tier: ObservationTier): number;
+/**
+ * Check if a score is at the ceiling
+ */
+export declare function isAtCeiling(score: number, tier: ObservationTier): boolean;
+/**
+ * Get the room for improvement (how much higher can trust go)
+ */
+export declare function getRoomForImprovement(currentScore: number, tier: ObservationTier): number;
+/**
+ * Calculate what tier would be needed to achieve a target score
+ */
+export declare function requiredTierForScore(targetScore: number): ObservationTier | null;
+/**
+ * Ceiling impact analysis
+ */
+export interface CeilingAnalysis {
+    /** Original score before ceiling */
+    originalScore: number;
+    /** Score after ceiling applied */
+    adjustedScore: number;
+    /** Trust points lost to ceiling */
+    ceilingLoss: number;
+    /** Is the score currently at the ceiling? */
+    atCeiling: boolean;
+    /** Room for improvement within current tier */
+    improvementRoom: number;
+    /** Would a tier upgrade unlock more trust? */
+    tierUpgradeWouldHelp: boolean;
+    /** Next tier that would unlock more trust */
+    nextUnlockingTier: ObservationTier | null;
+}
+/**
+ * Analyze the impact of trust ceiling on a score
+ */
+export declare function analyzeCeilingImpact(score: number, tier: ObservationTier): CeilingAnalysis;
+/**
+ * Format ceiling information for display
+ */
+export declare function formatCeilingInfo(tier: ObservationTier): string;
+//# sourceMappingURL=ceilings.d.ts.map

package/dist/observation/ceilings.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ceilings.d.ts","sourceRoot":"","sources":["../../src/observation/ceilings.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,eAAe,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAE7E,OAAO,EAAE,oBAAoB,EAAE,CAAC;AAEhC;;;;;;GAMG;AACH,wBAAgB,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,eAAe,GAAG,MAAM,CAGzE;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,eAAe,GAAG,MAAM,CAG3E;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,eAAe,GAAG,OAAO,CAGzE;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,YAAY,EAAE,MAAM,EACpB,IAAI,EAAE,eAAe,GACpB,MAAM,CAGR;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,WAAW,EAAE,MAAM,GAClB,eAAe,GAAG,IAAI,CAiBxB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,oCAAoC;IACpC,aAAa,EAAE,MAAM,CAAC;IACtB,kCAAkC;IAClC,aAAa,EAAE,MAAM,CAAC;IACtB,mCAAmC;IACnC,WAAW,EAAE,MAAM,CAAC;IACpB,6CAA6C;IAC7C,SAAS,EAAE,OAAO,CAAC;IACnB,+CAA+C;IAC/C,eAAe,EAAE,MAAM,CAAC;IACxB,8CAA8C;IAC9C,oBAAoB,EAAE,OAAO,CAAC;IAC9B,6CAA6C;IAC7C,iBAAiB,EAAE,eAAe,GAAG,IAAI,CAAC;CAC3C;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,eAAe,GACpB,eAAe,CA0CjB;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,eAAe,GAAG,MAAM,CAG/D"}