@vorionsys/a3i 0.1.0

package/dist/authorization/engine.js

@@ -0,0 +1,339 @@
+/**
+ * Authorization Engine - Core authorization decision-making
+ *
+ * The AuthorizationEngine is the central component of A3I that makes
+ * permit/deny decisions for agent intents based on:
+ * - Agent's trust profile and band
+ * - Intent characteristics (action type, data sensitivity, reversibility)
+ * - Policy rules and constraints
+ * - Context factors
+ * - Hook system for extensibility
+ *
+ * Key principles:
+ * - Deterministic: Same inputs always produce same outputs
+ * - Fast: <50ms latency target for decisions
+ * - Auditable: All decisions logged with reasoning
+ * - Extensible: Hooks for pre/post authorization
+ */
+import { TrustBand, ActionType, DataSensitivity, Reversibility, DenialReason, } from '@vorionsys/contracts';
+import { generateConstraints, BAND_CONSTRAINT_PRESETS, } from './constraints.js';
+import { buildPermitDecision, buildDenyDecision, getRemediations, } from './decision.js';
+import { TrustProfileService } from '../trust/profile-service.js';
+/**
+ * Minimum trust band required for each action type
+ */
+export const ACTION_TYPE_REQUIREMENTS = {
+    [ActionType.READ]: TrustBand.T1_OBSERVED,
+    [ActionType.WRITE]: TrustBand.T2_PROVISIONAL,
+    [ActionType.DELETE]: TrustBand.T2_PROVISIONAL,
+    [ActionType.EXECUTE]: TrustBand.T2_PROVISIONAL,
+    [ActionType.COMMUNICATE]: TrustBand.T2_PROVISIONAL,
+    [ActionType.TRANSFER]: TrustBand.T3_MONITORED,
+};
+/**
+ * Minimum trust band required for each data sensitivity level
+ */
+export const DATA_SENSITIVITY_REQUIREMENTS = {
+    [DataSensitivity.PUBLIC]: TrustBand.T1_OBSERVED,
+    [DataSensitivity.INTERNAL]: TrustBand.T2_PROVISIONAL,
+    [DataSensitivity.CONFIDENTIAL]: TrustBand.T3_MONITORED,
+    [DataSensitivity.RESTRICTED]: TrustBand.T4_STANDARD,
+};
+/**
+ * Trust band adjustments for reversibility
+ */
+export const REVERSIBILITY_ADJUSTMENTS = {
+    [Reversibility.REVERSIBLE]: 0,
+    [Reversibility.PARTIALLY_REVERSIBLE]: 0,
+    [Reversibility.IRREVERSIBLE]: 1, // Requires one band higher
+};
+/**
+ * No-op proof plane logger for when proof plane is not connected
+ */
+export const noopProofLogger = {
+    async logDecision() { },
+};
+/**
+ * AuthorizationEngine - Makes permit/deny decisions for agent intents
+ */
+export class AuthorizationEngine {
+    profileService;
+    actionRequirements;
+    sensitivityRequirements;
+    proofLogger;
+    hookManager;
+    config;
+    constructor(config = {}) {
+        this.profileService = config.profileService ?? new TrustProfileService();
+        this.actionRequirements = {
+            ...ACTION_TYPE_REQUIREMENTS,
+            ...config.actionTypeRequirements,
+        };
+        this.sensitivityRequirements = {
+            ...DATA_SENSITIVITY_REQUIREMENTS,
+            ...config.dataSensitivityRequirements,
+        };
+        this.proofLogger = config.proofLogger ?? noopProofLogger;
+        this.hookManager = config.hookManager;
+        this.config = {
+            defaultPolicySetId: config.defaultPolicySetId ?? 'default',
+            decisionValidityMs: config.decisionValidityMs ?? 5 * 60 * 1000,
+            strictMode: config.strictMode ?? false,
+            enableHooks: config.enableHooks ?? (config.hookManager !== undefined),
+        };
+    }
+    /**
+     * Authorize an intent
+     *
+     * This is the main entry point for authorization decisions.
+     * Returns a Decision object indicating whether the intent is permitted.
+     *
+     * Hook integration:
+     * - PRE_AUTHORIZE hooks run before evaluation (can abort)
+     * - POST_AUTHORIZE hooks run after decision is made
+     */
+    async authorize(request) {
+        const startTime = Date.now();
+        const { intent, constraintOptions, policySetId } = request;
+        const now = new Date();
+        const buildOptions = {
+            policySetId: policySetId ?? this.config.defaultPolicySetId,
+            validityDurationMs: this.config.decisionValidityMs,
+            now,
+        };
+        // Check if intent is expired
+        if (intent.expiresAt && intent.expiresAt < now) {
+            const decision = buildDenyDecision(intent, null, DenialReason.EXPIRED_INTENT, ['Intent has expired'], buildOptions);
+            decision.latencyMs = Date.now() - startTime;
+            await this.proofLogger.logDecision(decision, intent);
+            return {
+                decision,
+                remediations: getRemediations(DenialReason.EXPIRED_INTENT),
+            };
+        }
+        // Get trust profile for agent
+        const profile = await this.profileService.get(intent.agentId);
+        if (!profile) {
+            const decision = buildDenyDecision(intent, null, DenialReason.INSUFFICIENT_TRUST, ['No trust profile found for agent', 'Agent must be registered before authorization'], buildOptions);
+            decision.latencyMs = Date.now() - startTime;
+            await this.proofLogger.logDecision(decision, intent);
+            return {
+                decision,
+                remediations: ['Register agent with trust profile before requesting authorization'],
+            };
+        }
+        // Execute pre-authorize hooks
+        let preAuthorizeResult;
+        if (this.config.enableHooks && this.hookManager) {
+            preAuthorizeResult = await this.hookManager.executePreAuthorize({
+                correlationId: intent.correlationId,
+                intent,
+                profile,
+            });
+            // If a hook aborted, deny the authorization
+            if (preAuthorizeResult.aborted) {
+                const decision = buildDenyDecision(intent, profile, DenialReason.POLICY_VIOLATION, [
+                    'Authorization aborted by pre-authorize hook',
+                    `Reason: ${preAuthorizeResult.abortReason ?? 'No reason provided'}`,
+                ], buildOptions);
+                decision.latencyMs = Date.now() - startTime;
+                await this.proofLogger.logDecision(decision, intent);
+                return {
+                    decision,
+                    remediations: [preAuthorizeResult.abortReason ?? 'Pre-authorize hook aborted the request'],
+                };
+            }
+        }
+        // Evaluate authorization
+        const evaluation = this.evaluate(intent, profile);
+        let response;
+        if (evaluation.permitted) {
+            // Generate constraints
+            const constraints = generateConstraints(profile.band, intent, constraintOptions);
+            const decision = buildPermitDecision(intent, profile, constraints, evaluation.reasoning, buildOptions);
+            decision.latencyMs = Date.now() - startTime;
+            await this.proofLogger.logDecision(decision, intent);
+            response = { decision };
+        }
+        else {
+            const decision = buildDenyDecision(intent, profile, evaluation.denialReason, evaluation.reasoning, buildOptions);
+            decision.latencyMs = Date.now() - startTime;
+            await this.proofLogger.logDecision(decision, intent);
+            response = {
+                decision,
+                remediations: getRemediations(evaluation.denialReason),
+            };
+        }
+        // Execute post-authorize hooks
+        if (this.config.enableHooks && this.hookManager) {
+            await this.hookManager.executePostAuthorize({
+                correlationId: intent.correlationId,
+                intent,
+                decision: response.decision,
+                profile,
+            });
+        }
+        return response;
+    }
+    /**
+     * Evaluate an intent against a trust profile
+     * This is the core authorization logic - deterministic and fast
+     */
+    evaluate(intent, profile) {
+        const reasoning = [];
+        // Calculate minimum required trust band
+        const actionBand = this.actionRequirements[intent.actionType];
+        const sensitivityBand = this.sensitivityRequirements[intent.dataSensitivity];
+        const reversibilityAdjustment = REVERSIBILITY_ADJUSTMENTS[intent.reversibility];
+        // Take the maximum of all requirements
+        let requiredBand = Math.max(actionBand, sensitivityBand);
+        // Apply reversibility adjustment
+        if (reversibilityAdjustment > 0) {
+            requiredBand = Math.min(requiredBand + reversibilityAdjustment, TrustBand.T5_TRUSTED);
+        }
+        reasoning.push(`Action type '${intent.actionType}' requires band ${TrustBand[actionBand]}`, `Data sensitivity '${intent.dataSensitivity}' requires band ${TrustBand[sensitivityBand]}`);
+        if (reversibilityAdjustment > 0) {
+            reasoning.push(`Irreversible action increases requirement by ${reversibilityAdjustment} band(s)`);
+        }
+        reasoning.push(`Minimum required band: ${TrustBand[requiredBand]}`);
+        reasoning.push(`Agent's current band: ${TrustBand[profile.band]} (score: ${profile.adjustedScore})`);
+        // Check band requirement
+        if (profile.band < requiredBand) {
+            reasoning.push(`DENIED: Agent band ${TrustBand[profile.band]} is below required ${TrustBand[requiredBand]}`);
+            return {
+                permitted: false,
+                reasoning,
+                denialReason: DenialReason.INSUFFICIENT_TRUST,
+                requiredBand,
+            };
+        }
+        // Check T0 always denied
+        if (profile.band === TrustBand.T0_SANDBOX) {
+            reasoning.push('DENIED: T0_SANDBOX agents cannot perform any actions');
+            return {
+                permitted: false,
+                reasoning,
+                denialReason: DenialReason.INSUFFICIENT_TRUST,
+                requiredBand,
+            };
+        }
+        // Check resource scope restrictions
+        const scopeCheck = this.checkResourceScope(intent, profile);
+        if (!scopeCheck.allowed) {
+            reasoning.push(`DENIED: ${scopeCheck.reason}`);
+            return {
+                permitted: false,
+                reasoning,
+                denialReason: DenialReason.RESOURCE_RESTRICTED,
+                requiredBand,
+            };
+        }
+        // Check context restrictions
+        const contextCheck = this.checkContext(intent, profile);
+        if (!contextCheck.allowed) {
+            reasoning.push(`DENIED: ${contextCheck.reason}`);
+            return {
+                permitted: false,
+                reasoning,
+                denialReason: DenialReason.CONTEXT_MISMATCH,
+                requiredBand,
+            };
+        }
+        // All checks passed
+        reasoning.push('PERMITTED: All authorization checks passed');
+        return {
+            permitted: true,
+            reasoning,
+            denialReason: DenialReason.POLICY_VIOLATION, // Not used
+            requiredBand,
+        };
+    }
+    /**
+     * Check resource scope restrictions
+     */
+    checkResourceScope(intent, profile) {
+        const preset = BAND_CONSTRAINT_PRESETS[profile.band];
+        // Check if band allows any data scopes
+        if (preset.defaultDataScopes.length === 0) {
+            return { allowed: false, reason: 'Band does not allow any data access' };
+        }
+        // Check for restricted resources at lower bands
+        if (intent.dataSensitivity === DataSensitivity.RESTRICTED &&
+            !preset.defaultDataScopes.includes('restricted') &&
+            !preset.defaultDataScopes.includes('*')) {
+            return {
+                allowed: false,
+                reason: 'Restricted data requires higher trust band',
+            };
+        }
+        return { allowed: true };
+    }
+    /**
+     * Check context restrictions
+     */
+    checkContext(intent, profile) {
+        const context = intent.context;
+        // Check production environment restrictions
+        if (context?.environment === 'production' && profile.band < TrustBand.T3_MONITORED) {
+            return {
+                allowed: false,
+                reason: 'Production environment requires T3+ trust band',
+            };
+        }
+        // Check PII handling restrictions
+        if (context?.handlesPii && profile.band < TrustBand.T2_PROVISIONAL) {
+            return {
+                allowed: false,
+                reason: 'PII handling requires T2+ trust band',
+            };
+        }
+        // Check PHI handling restrictions
+        if (context?.handlesPhi && profile.band < TrustBand.T3_MONITORED) {
+            return {
+                allowed: false,
+                reason: 'PHI handling requires T3+ trust band',
+            };
+        }
+        // In strict mode, require domain match
+        if (this.config.strictMode && context?.domain) {
+            // This would be extended with actual domain policy checks
+        }
+        return { allowed: true };
+    }
+    /**
+     * Quick check if an agent can perform an action type
+     * (Without full profile lookup - uses cached band if available)
+     */
+    canPerformActionType(band, actionType) {
+        return band >= this.actionRequirements[actionType];
+    }
+    /**
+     * Quick check if an agent can access data sensitivity level
+     */
+    canAccessDataSensitivity(band, sensitivity) {
+        return band >= this.sensitivityRequirements[sensitivity];
+    }
+    /**
+     * Get the minimum band required for an action + sensitivity combination
+     */
+    getRequiredBand(actionType, dataSensitivity, reversibility = Reversibility.REVERSIBLE) {
+        const actionBand = this.actionRequirements[actionType];
+        const sensitivityBand = this.sensitivityRequirements[dataSensitivity];
+        const adjustment = REVERSIBILITY_ADJUSTMENTS[reversibility];
+        const required = Math.max(actionBand, sensitivityBand) + adjustment;
+        return Math.min(required, TrustBand.T5_TRUSTED);
+    }
+    /**
+     * Get the profile service
+     */
+    getProfileService() {
+        return this.profileService;
+    }
+}
+/**
+ * Create an AuthorizationEngine with default configuration
+ */
+export function createAuthorizationEngine(config) {
+    return new AuthorizationEngine(config);
+}
+//# sourceMappingURL=engine.js.map

package/dist/authorization/engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"engine.js","sourceRoot":"","sources":["../../src/authorization/engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EACL,SAAS,EACT,UAAU,EACV,eAAe,EACf,aAAa,EACb,YAAY,GAKb,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,mBAAmB,EAEnB,uBAAuB,GACxB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,eAAe,GAEhB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AAMlE;;GAEG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAkC;IACrE,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,SAAS,CAAC,WAAW;IACxC,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,SAAS,CAAC,cAAc;IAC5C,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,SAAS,CAAC,cAAc;IAC7C,CAAC,UAAU,CAAC,OAAO,CAAC,EAAE,SAAS,CAAC,cAAc;IAC9C,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,SAAS,CAAC,cAAc;IAClD,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,SAAS,CAAC,YAAY;CAC9C,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,6BAA6B,GAAuC;IAC/E,CAAC,eAAe,CAAC,MAAM,CAAC,EAAE,SAAS,CAAC,WAAW;IAC/C,CAAC,eAAe,CAAC,QAAQ,CAAC,EAAE,SAAS,CAAC,cAAc;IACpD,CAAC,eAAe,CAAC,YAAY,CAAC,EAAE,SAAS,CAAC,YAAY;IACtD,CAAC,eAAe,CAAC,UAAU,CAAC,EAAE,SAAS,CAAC,WAAW;CACpD,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,yBAAyB,GAAkC;IACtE,CAAC,aAAa,CAAC,UAAU,CAAC,EAAE,CAAC;IAC7B,CAAC,aAAa,CAAC,oBAAoB,CAAC,EAAE,CAAC;IACvC,CAAC,aAAa,CAAC,YAAY,CAAC,EAAE,CAAC,EAAE,2BAA2B;CAC7D,CAAC;AAUF;;GAEG;AACH,MAAM,CAAC,MAAM,eAAe,GAAqB;IAC/C,KAAK,CAAC,WAAW,KAAI,CAAC;CACvB,CAAC;AAsCF;;GAEG;AACH,MAAM,OAAO,mBAAmB;IACb,cAAc,CAAsB;IACpC,kBAAkB,CAAgC;IAClD,uBAAuB,CAAqC;IAC5D,WAAW,CAAmB;IAC9B,WAAW,CAAe;IAC1B,MAAM,CAAyJ;IAEhL,YAAY,SAAoC,EAAE;QAChD,IAAI,CAAC,cAAc,GAAG,MAAM,CAAC,cAAc,IAAI,IAAI,mBAAmB,EAAE,CAAC;QACzE,IAAI,CAAC,kBAAkB,GAAG;YACxB,GAAG,wBAAwB;YAC3B,GAAG,MAAM,CAAC,sBAAsB;SACjC,CAAC;QACF,IAAI,CAAC,uBAAuB,GAAG;YAC7B,GAAG,6BAA6B;YAChC,GAAG,MAAM,CAAC,2BAA2B;SACtC,CAAC;QACF,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,IAAI,eAAe,CAAC;QACzD,IAAI,CAAC,WAAW,GAAG,MAAM,CAAC,WAAW,CAAC;QACtC,IAAI,CAAC,MAAM,GAAG;YACZ,kBAAkB,EAAE,MAAM,CAAC,kBAAkB,IAAI,SAAS;YAC1D,kBAAkB,EAAE,MAAM,CAAC,kBAAkB,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI;YAC9D,UAAU,EAAE,MAAM,CAAC,UAAU,IAAI,KAAK;YACtC,WAAW,EAAE,MAAM,CAAC,WAAW,IAAI,CAAC,MAAM,CAAC,WAAW,KAAK,SAAS,CAAC;SACtE,CAAC;IACJ,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,SAAS,CAAC,OAAyB;QACvC,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,MAAM,EAAE,MAAM,EAAE,iBAAiB,EAAE,WAAW,EAAE,GAAG,OAAO,CAAC;QAC3D,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QAEvB,MAAM,YAAY,GAAyB;YACzC,WAAW,EAAE,WAAW,IAAI,IAAI,CAAC,MAAM,CAAC,kBAAkB;YAC1D,kBAAkB,EAAE,IAAI,CAAC,MAAM,CAAC,kBAAkB;YAClD,GAAG;SACJ,CAAC;QAEF,6BAA6B;QAC7B,IAAI,MAAM,CAAC,SAAS,IAAI,MAAM,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;YAC/C,MAAM,QAAQ,GAAG,iBAAiB,CAChC,MAAM,EACN,IAAI,EACJ,YAAY,CAAC,cAAc,EAC3B,CAAC,oBAAoB,CAAC,EACtB,YAAY,CACb,CAAC;YACF,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAC5C,MAAM,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YACrD,OAAO;gBACL,QAAQ;gBACR,YAAY,EAAE,eAAe,CAAC,YAAY,CAAC,cAAc,CAAC;aAC3D,CAAC;QACJ,CAAC;QAED,8BAA8B;QAC9B,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAC9D,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,QAAQ,GAAG,iBAAiB,CAChC,MAAM,EACN,IAAI,EACJ,YAAY,CAAC,kBAAkB,EAC/B,CAAC,kCAAkC,EAAE,+CAA+C,CAAC,EACrF,YAAY,CACb,CAAC;YACF,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAC5C,MAAM,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YACrD,OAAO;gBACL,QAAQ;gBACR,YAAY,EAAE,CAAC,mEAAmE,CAAC;aACpF,CAAC;QACJ,CAAC;QAED,8BAA8B;QAC9B,IAAI,kBAAoD,CAAC;QACzD,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YAChD,kBAAkB,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,mBAAmB,CAAC;gBAC9D,aAAa,EAAE,MAAM,CAAC,aAAa;gBACnC,MAAM;gBACN,OAAO;aACR,CAAC,CAAC;YAEH,4CAA4C;YAC5C,IAAI,kBAAkB,CAAC,OAAO,EAAE,CAAC;gBAC/B,MAAM,QAAQ,GAAG,iBAAiB,CAChC,MAAM,EACN,OAAO,EACP,YAAY,CAAC,gBAAgB,EAC7B;oBACE,6CAA6C;oBAC7C,WAAW,kBAAkB,CAAC,WAAW,IAAI,oBAAoB,EAAE;iBACpE,EACD,YAAY,CACb,CAAC;gBACF,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;gBAC5C,MAAM,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;gBACrD,OAAO;oBACL,QAAQ;oBACR,YAAY,EAAE,CAAC,kBAAkB,CAAC,WAAW,IAAI,wCAAwC,CAAC;iBAC3F,CAAC;YACJ,CAAC;QACH,CAAC;QAED,yBAAyB;QACzB,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAElD,IAAI,QAA+B,CAAC;QAEpC,IAAI,UAAU,CAAC,SAAS,EAAE,CAAC;YACzB,uBAAuB;YACvB,MAAM,WAAW,GAAG,mBAAmB,CAAC,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,iBAAiB,CAAC,CAAC;YAEjF,MAAM,QAAQ,GAAG,mBAAmB,CAClC,MAAM,EACN,OAAO,EACP,WAAW,EACX,UAAU,CAAC,SAAS,EACpB,YAAY,CACb,CAAC;YACF,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAC5C,MAAM,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAErD,QAAQ,GAAG,EAAE,QAAQ,EAAE,CAAC;QAC1B,CAAC;aAAM,CAAC;YACN,MAAM,QAAQ,GAAG,iBAAiB,CAChC,MAAM,EACN,OAAO,EACP,UAAU,CAAC,YAAY,EACvB,UAAU,CAAC,SAAS,EACpB,YAAY,CACb,CAAC;YACF,QAAQ,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YAC5C,MAAM,IAAI,CAAC,WAAW,CAAC,WAAW,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAErD,QAAQ,GAAG;gBACT,QAAQ;gBACR,YAAY,EAAE,eAAe,CAAC,UAAU,CAAC,YAAY,CAAC;aACvD,CAAC;QACJ,CAAC;QAED,+BAA+B;QAC/B,IAAI,IAAI,CAAC,MAAM,CAAC,WAAW,IAAI,IAAI,CAAC,WAAW,EAAE,CAAC;YAChD,MAAM,IAAI,CAAC,WAAW,CAAC,oBAAoB,CAAC;gBAC1C,aAAa,EAAE,MAAM,CAAC,aAAa;gBACnC,MAAM;gBACN,QAAQ,EAAE,QAAQ,CAAC,QAAQ;gBAC3B,OAAO;aACR,CAAC,CAAC;QACL,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED;;;OAGG;IACH,QAAQ,CACN,MAAc,EACd,OAAqB;QAOrB,MAAM,SAAS,GAAa,EAAE,CAAC;QAE/B,wCAAwC;QACxC,MAAM,UAAU,GAAG,IAAI,CAAC,kBAAkB,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC;QAC9D,MAAM,eAAe,GAAG,IAAI,CAAC,uBAAuB,CAAC,MAAM,CAAC,eAAe,CAAC,CAAC;QAC7E,MAAM,uBAAuB,GAAG,yBAAyB,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QAEhF,uCAAuC;QACvC,IAAI,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,eAAe,CAAc,CAAC;QAEtE,iCAAiC;QACjC,IAAI,uBAAuB,GAAG,CAAC,EAAE,CAAC;YAChC,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,YAAY,GAAG,uBAAuB,EAAE,SAAS,CAAC,UAAU,CAAc,CAAC;QACrG,CAAC;QAED,SAAS,CAAC,IAAI,CACZ,gBAAgB,MAAM,CAAC,UAAU,mBAAmB,SAAS,CAAC,UAAU,CAAC,EAAE,EAC3E,qBAAqB,MAAM,CAAC,eAAe,mBAAmB,SAAS,CAAC,eAAe,CAAC,EAAE,CAC3F,CAAC;QAEF,IAAI,uBAAuB,GAAG,CAAC,EAAE,CAAC;YAChC,SAAS,CAAC,IAAI,CACZ,gDAAgD,uBAAuB,UAAU,CAClF,CAAC;QACJ,CAAC;QAED,SAAS,CAAC,IAAI,CAAC,0BAA0B,SAAS,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC;QACpE,SAAS,CAAC,IAAI,CAAC,yBAAyB,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,YAAY,OAAO,CAAC,aAAa,GAAG,CAAC,CAAC;QAErG,yBAAyB;QACzB,IAAI,OAAO,CAAC,IAAI,GAAG,YAAY,EAAE,CAAC;YAChC,SAAS,CAAC,IAAI,CACZ,sBAAsB,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,sBAAsB,SAAS,CAAC,YAAY,CAAC,EAAE,CAC7F,CAAC;YACF,OAAO;gBACL,SAAS,EAAE,KAAK;gBAChB,SAAS;gBACT,YAAY,EAAE,YAAY,CAAC,kBAAkB;gBAC7C,YAAY;aACb,CAAC;QACJ,CAAC;QAED,yBAAyB;QACzB,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,CAAC,UAAU,EAAE,CAAC;YAC1C,SAAS,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC;YACvE,OAAO;gBACL,SAAS,EAAE,KAAK;gBAChB,SAAS;gBACT,YAAY,EAAE,YAAY,CAAC,kBAAkB;gBAC7C,YAAY;aACb,CAAC;QACJ,CAAC;QAED,oCAAoC;QACpC,MAAM,UAAU,GAAG,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAC5D,IAAI,CAAC,UAAU,CAAC,OAAO,EAAE,CAAC;YACxB,SAAS,CAAC,IAAI,CAAC,WAAW,UAAU,CAAC,MAAM,EAAE,CAAC,CAAC;YAC/C,OAAO;gBACL,SAAS,EAAE,KAAK;gBAChB,SAAS;gBACT,YAAY,EAAE,YAAY,CAAC,mBAAmB;gBAC9C,YAAY;aACb,CAAC;QACJ,CAAC;QAED,6BAA6B;QAC7B,MAAM,YAAY,GAAG,IAAI,CAAC,YAAY,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QACxD,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;YAC1B,SAAS,CAAC,IAAI,CAAC,WAAW,YAAY,CAAC,MAAM,EAAE,CAAC,CAAC;YACjD,OAAO;gBACL,SAAS,EAAE,KAAK;gBAChB,SAAS;gBACT,YAAY,EAAE,YAAY,CAAC,gBAAgB;gBAC3C,YAAY;aACb,CAAC;QACJ,CAAC;QAED,oBAAoB;QACpB,SAAS,CAAC,IAAI,CAAC,4CAA4C,CAAC,CAAC;QAC7D,OAAO;YACL,SAAS,EAAE,IAAI;YACf,SAAS;YACT,YAAY,EAAE,YAAY,CAAC,gBAAgB,EAAE,WAAW;YACxD,YAAY;SACb,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,kBAAkB,CACxB,MAAc,EACd,OAAqB;QAErB,MAAM,MAAM,GAAG,uBAAuB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAErD,uCAAuC;QACvC,IAAI,MAAM,CAAC,iBAAiB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC1C,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM,EAAE,qCAAqC,EAAE,CAAC;QAC3E,CAAC;QAED,gDAAgD;QAChD,IACE,MAAM,CAAC,eAAe,KAAK,eAAe,CAAC,UAAU;YACrD,CAAC,MAAM,CAAC,iBAAiB,CAAC,QAAQ,CAAC,YAAY,CAAC;YAChD,CAAC,MAAM,CAAC,iBAAiB,CAAC,QAAQ,CAAC,GAAG,CAAC,EACvC,CAAC;YACD,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,4CAA4C;aACrD,CAAC;QACJ,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED;;OAEG;IACK,YAAY,CAClB,MAAc,EACd,OAAqB;QAErB,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;QAE/B,4CAA4C;QAC5C,IAAI,OAAO,EAAE,WAAW,KAAK,YAAY,IAAI,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC,YAAY,EAAE,CAAC;YACnF,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,gDAAgD;aACzD,CAAC;QACJ,CAAC;QAED,kCAAkC;QAClC,IAAI,OAAO,EAAE,UAAU,IAAI,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC,cAAc,EAAE,CAAC;YACnE,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,sCAAsC;aAC/C,CAAC;QACJ,CAAC;QAED,kCAAkC;QAClC,IAAI,OAAO,EAAE,UAAU,IAAI,OAAO,CAAC,IAAI,GAAG,SAAS,CAAC,YAAY,EAAE,CAAC;YACjE,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,MAAM,EAAE,sCAAsC;aAC/C,CAAC;QACJ,CAAC;QAED,uCAAuC;QACvC,IAAI,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,OAAO,EAAE,MAAM,EAAE,CAAC;YAC9C,0DAA0D;QAC5D,CAAC;QAED,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAED;;;OAGG;IACH,oBAAoB,CAAC,IAAe,EAAE,UAAsB;QAC1D,OAAO,IAAI,IAAI,IAAI,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC;IACrD,CAAC;IAED;;OAEG;IACH,wBAAwB,CAAC,IAAe,EAAE,WAA4B;QACpE,OAAO,IAAI,IAAI,IAAI,CAAC,uBAAuB,CAAC,WAAW,CAAC,CAAC;IAC3D,CAAC;IAED;;OAEG;IACH,eAAe,CACb,UAAsB,EACtB,eAAgC,EAChC,gBAA+B,aAAa,CAAC,UAAU;QAEvD,MAAM,UAAU,GAAG,IAAI,CAAC,kBAAkB,CAAC,UAAU,CAAC,CAAC;QACvD,MAAM,eAAe,GAAG,IAAI,CAAC,uBAAuB,CAAC,eAAe,CAAC,CAAC;QACtE,MAAM,UAAU,GAAG,yBAAyB,CAAC,aAAa,CAAC,CAAC;QAC5D,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,eAAe,CAAC,GAAG,UAAU,CAAC;QACpE,OAAO,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,SAAS,CAAC,UAAU,CAAc,CAAC;IAC/D,CAAC;IAED;;OAEG;IACH,iBAAiB;QACf,OAAO,IAAI,CAAC,cAAc,CAAC;IAC7B,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,yBAAyB,CACvC,MAAkC;IAElC,OAAO,IAAI,mBAAmB,CAAC,MAAM,CAAC,CAAC;AACzC,CAAC"}

package/dist/authorization/index.d.ts

@@ -0,0 +1,10 @@
+/**
+ * A3I Authorization Module
+ *
+ * Core authorization functionality including the authorization engine,
+ * constraint generation, and decision building.
+ */
+export { generateConstraints, constraintsPermit, mergeConstraints, BAND_CONSTRAINT_PRESETS, DEFAULT_APPROVAL_POLICIES, type ConstraintPreset, type ApprovalPolicy, type ConstraintGenerationOptions, } from './constraints.js';
+export { buildPermitDecision, buildDenyDecision, getRemediations, determineDenialReason, summarizeDecision, isDecisionValid, DecisionBuilder, type DecisionBuildOptions, type PermitResult, type DenyResult, type AuthorizationResult, } from './decision.js';
+export { AuthorizationEngine, createAuthorizationEngine, ACTION_TYPE_REQUIREMENTS, DATA_SENSITIVITY_REQUIREMENTS, REVERSIBILITY_ADJUSTMENTS, noopProofLogger, type AuthorizationEngineConfig, type AuthorizeRequest, type ProofPlaneLogger, } from './engine.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/authorization/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/authorization/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,gBAAgB,EAChB,uBAAuB,EACvB,yBAAyB,EACzB,KAAK,gBAAgB,EACrB,KAAK,cAAc,EACnB,KAAK,2BAA2B,GACjC,MAAM,kBAAkB,CAAC;AAG1B,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,eAAe,EACf,qBAAqB,EACrB,iBAAiB,EACjB,eAAe,EACf,eAAe,EACf,KAAK,oBAAoB,EACzB,KAAK,YAAY,EACjB,KAAK,UAAU,EACf,KAAK,mBAAmB,GACzB,MAAM,eAAe,CAAC;AAGvB,OAAO,EACL,mBAAmB,EACnB,yBAAyB,EACzB,wBAAwB,EACxB,6BAA6B,EAC7B,yBAAyB,EACzB,eAAe,EACf,KAAK,yBAAyB,EAC9B,KAAK,gBAAgB,EACrB,KAAK,gBAAgB,GACtB,MAAM,aAAa,CAAC"}

package/dist/authorization/index.js

@@ -0,0 +1,13 @@
+/**
+ * A3I Authorization Module
+ *
+ * Core authorization functionality including the authorization engine,
+ * constraint generation, and decision building.
+ */
+// Constraints
+export { generateConstraints, constraintsPermit, mergeConstraints, BAND_CONSTRAINT_PRESETS, DEFAULT_APPROVAL_POLICIES, } from './constraints.js';
+// Decision building
+export { buildPermitDecision, buildDenyDecision, getRemediations, determineDenialReason, summarizeDecision, isDecisionValid, DecisionBuilder, } from './decision.js';
+// Authorization Engine
+export { AuthorizationEngine, createAuthorizationEngine, ACTION_TYPE_REQUIREMENTS, DATA_SENSITIVITY_REQUIREMENTS, REVERSIBILITY_ADJUSTMENTS, noopProofLogger, } from './engine.js';
+//# sourceMappingURL=index.js.map

package/dist/authorization/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/authorization/index.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,cAAc;AACd,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,gBAAgB,EAChB,uBAAuB,EACvB,yBAAyB,GAI1B,MAAM,kBAAkB,CAAC;AAE1B,oBAAoB;AACpB,OAAO,EACL,mBAAmB,EACnB,iBAAiB,EACjB,eAAe,EACf,qBAAqB,EACrB,iBAAiB,EACjB,eAAe,EACf,eAAe,GAKhB,MAAM,eAAe,CAAC;AAEvB,uBAAuB;AACvB,OAAO,EACL,mBAAmB,EACnB,yBAAyB,EACzB,wBAAwB,EACxB,6BAA6B,EAC7B,yBAAyB,EACzB,eAAe,GAIhB,MAAM,aAAa,CAAC"}

package/dist/banding/band-calculator.d.ts

@@ -0,0 +1,137 @@
+/**
+ * BandCalculator - Trust band management with asymmetric transitions
+ *
+ * Key principles:
+ * - Fast demotion: Safety-critical, immediate response to issues
+ * - Slow promotion: Build trust gradually over time
+ * - Hysteresis: Prevent oscillation near thresholds
+ * - History tracking: Evidence-based promotion decisions
+ */
+import { TrustBand, type BandingConfig } from '@vorionsys/contracts';
+import { type BandHistoryEntry } from './hysteresis.js';
+/**
+ * Band transition types
+ */
+export declare enum TransitionType {
+    NONE = "none",
+    PROMOTION = "promotion",
+    DEMOTION = "demotion"
+}
+/**
+ * Result of a band transition attempt
+ */
+export interface TransitionResult {
+    /** Was the transition allowed? */
+    allowed: boolean;
+    /** Type of transition */
+    transitionType: TransitionType;
+    /** Previous band */
+    previousBand: TrustBand;
+    /** New band (same as previous if not allowed) */
+    newBand: TrustBand;
+    /** Reason for the result */
+    reason: string;
+    /** Days until promotion (if blocked by time) */
+    daysUntilPromotion?: number;
+    /** Score needed for transition */
+    scoreThreshold?: number;
+    /** Timestamp */
+    timestamp: Date;
+}
+/**
+ * Band stability metrics
+ */
+export interface BandStability {
+    /** Current band */
+    currentBand: TrustBand;
+    /** Days at current band */
+    daysAtBand: number;
+    /** Number of transitions in last 30 days */
+    recentTransitions: number;
+    /** Is the band stable? */
+    stable: boolean;
+    /** Stability score (0-1) */
+    stabilityScore: number;
+}
+/**
+ * Band transition event for audit trail
+ */
+export interface BandTransitionEvent {
+    /** Unique event ID */
+    eventId: string;
+    /** Agent ID */
+    agentId: string;
+    /** Transition type */
+    transitionType: TransitionType;
+    /** Previous band */
+    fromBand: TrustBand;
+    /** New band */
+    toBand: TrustBand;
+    /** Score at transition */
+    score: number;
+    /** Reason for transition */
+    reason: string;
+    /** Timestamp */
+    timestamp: Date;
+}
+/**
+ * BandCalculator - Manages trust band transitions
+ */
+export declare class BandCalculator {
+    private readonly config;
+    private readonly hysteresis;
+    private readonly historyByAgent;
+    private readonly transitionEvents;
+    constructor(config?: Partial<BandingConfig>);
+    /**
+     * Get the trust band for a score
+     */
+    getBand(score: number): TrustBand;
+    /**
+     * Evaluate a potential band transition
+     */
+    evaluateTransition(agentId: string, currentBand: TrustBand, newScore: number, options?: {
+        now?: Date;
+    }): TransitionResult;
+    /**
+     * Evaluate a demotion (always immediate for safety)
+     */
+    private evaluateDemotion;
+    /**
+     * Evaluate a promotion (requires time at current band)
+     */
+    private evaluatePromotion;
+    /**
+     * Record a band transition
+     */
+    private recordTransition;
+    /**
+     * Record a score snapshot (for history tracking)
+     */
+    recordScoreSnapshot(agentId: string, band: TrustBand, score: number, timestamp?: Date): void;
+    /**
+     * Get band history for an agent
+     */
+    getHistory(agentId: string): BandHistoryEntry[];
+    /**
+     * Get transition events for an agent
+     */
+    getTransitionEvents(agentId: string): BandTransitionEvent[];
+    /**
+     * Calculate band stability metrics
+     */
+    calculateStability(agentId: string, now?: Date): BandStability;
+    /**
+     * Clear history for an agent (for testing)
+     */
+    clearHistory(agentId: string): void;
+    /**
+     * Get configuration
+     */
+    getConfig(): Readonly<BandingConfig>;
+}
+/**
+ * Create a BandCalculator with default configuration
+ */
+export declare function createBandCalculator(config?: Partial<BandingConfig>): BandCalculator;
+//# sourceMappingURL=band-calculator.d.ts.map

package/dist/banding/band-calculator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"band-calculator.d.ts","sourceRoot":"","sources":["../../src/banding/band-calculator.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,EAAE,SAAS,EAAE,KAAK,aAAa,EAA0B,MAAM,sBAAsB,CAAC;AAE7F,OAAO,EAAwB,KAAK,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAE9E;;GAEG;AACH,oBAAY,cAAc;IACxB,IAAI,SAAS;IACb,SAAS,cAAc;IACvB,QAAQ,aAAa;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,kCAAkC;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,yBAAyB;IACzB,cAAc,EAAE,cAAc,CAAC;IAC/B,oBAAoB;IACpB,YAAY,EAAE,SAAS,CAAC;IACxB,iDAAiD;IACjD,OAAO,EAAE,SAAS,CAAC;IACnB,4BAA4B;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,gDAAgD;IAChD,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,kCAAkC;IAClC,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,gBAAgB;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,mBAAmB;IACnB,WAAW,EAAE,SAAS,CAAC;IACvB,2BAA2B;IAC3B,UAAU,EAAE,MAAM,CAAC;IACnB,4CAA4C;IAC5C,iBAAiB,EAAE,MAAM,CAAC;IAC1B,0BAA0B;IAC1B,MAAM,EAAE,OAAO,CAAC;IAChB,4BAA4B;IAC5B,cAAc,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,sBAAsB;IACtB,OAAO,EAAE,MAAM,CAAC;IAChB,eAAe;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,sBAAsB;IACtB,cAAc,EAAE,cAAc,CAAC;IAC/B,oBAAoB;IACpB,QAAQ,EAAE,SAAS,CAAC;IACpB,eAAe;IACf,MAAM,EAAE,SAAS,CAAC;IAClB,0BAA0B;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,4BAA4B;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,gBAAgB;IAChB,SAAS,EAAE,IAAI,CAAC;CACjB;AAED;;GAEG;AACH,qBAAa,cAAc;IACzB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAgB;IACvC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAuB;IAClD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAA8C;IAC7E,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAA6B;gBAElD,MAAM,GAAE,OAAO,CAAC,aAAa,CAAM;IAK/C;;OAEG;IACH,OAAO,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS;IAIjC;;OAEG;IACH,kBAAkB,CAChB,OAAO,EAAE,MAAM,EACf,WAAW,EAAE,SAAS,EACtB,QAAQ,EAAE,MAAM,EAChB,OAAO,GAAE;QAAE,GAAG,CAAC,EAAE,IAAI,CAAA;KAAO,GAC3B,gBAAgB;IAyBnB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAuCxB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAqEzB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IA2BxB;;OAEG;IACH,mBAAmB,CACjB,OAAO,EAAE,MAAM,EACf,IAAI,EAAE,SAAS,EACf,KAAK,EAAE,MAAM,EACb,SAAS,GAAE,IAAiB,GAC3B,IAAI;IAUP;;OAEG;IACH,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,gBAAgB,EAAE;IAI/C;;OAEG;IACH,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,mBAAmB,EAAE;IAI3D;;OAEG;IACH,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,GAAE,IAAiB,GAAG,aAAa;IA4C1E;;OAEG;IACH,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,IAAI;IAInC;;OAEG;IACH,SAAS,IAAI,QAAQ,CAAC,aAAa,CAAC;CAGrC;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,MAAM,CAAC,EAAE,OAAO,CAAC,aAAa,CAAC,GAC9B,cAAc,CAEhB"}