@vorionsys/atsf-core 0.2.0 → 0.2.2

package/dist/phase6/types.d.ts

@@ -0,0 +1,1829 @@
+/**
+ * Phase 6 Type System - Trust Engine Hardening
+ *
+ * Implements all 5 architecture decisions:
+ * - Q1: Ceiling Enforcement (Hybrid Dual-Layer + Regulatory Observability)
+ * - Q2: Hierarchical Context (4-Tier with Tiered Immutability)
+ * - Q3: Stratified Role Gates (3-Layer Enforcement)
+ * - Q4: Federated Weight Presets (3-Tier with Derivation Chains)
+ * - Q5: Provenance Capture + Policy Interpretation
+ *
+ * Critical Path: Q2 → Q4 → Q5 → Q1 → Q3
+ *
+ * @packageDocumentation
+ */
+import { z } from 'zod';
+/**
+ * Trust tiers (0-7) with score ranges — canonical 8-tier model
+ */
+export declare enum TrustTier {
+    T0 = "T0",// 0-199: Sandbox
+    T1 = "T1",// 200-349: Observed
+    T2 = "T2",// 350-499: Provisional
+    T3 = "T3",// 500-649: Monitored
+    T4 = "T4",// 650-799: Standard
+    T5 = "T5",// 800-875: Trusted
+    T6 = "T6",// 876-950: Certified
+    T7 = "T7"
+}
+export declare const TRUST_TIER_BOUNDARIES: Record<TrustTier, {
+    min: number;
+    max: number;
+}>;
+/**
+ * Agent role levels (structural capability, not earned trust)
+ */
+export declare enum AgentRole {
+    R_L0 = "R-L0",// Listener (observe only)
+    R_L1 = "R-L1",// Executor (simple tasks)
+    R_L2 = "R-L2",// Planner (multi-step)
+    R_L3 = "R-L3",// Orchestrator (coordinate agents)
+    R_L4 = "R-L4",// Architect (design systems)
+    R_L5 = "R-L5",// Leader (strategic decisions)
+    R_L6 = "R-L6",// Domain Authority
+    R_L7 = "R-L7",// Strategic
+    R_L8 = "R-L8"
+}
+/**
+ * Context types with ceiling implications
+ */
+export declare enum ContextType {
+    LOCAL = "local",// Development - ceiling 700
+    ENTERPRISE = "enterprise",// Production - ceiling 900
+    SOVEREIGN = "sovereign"
+}
+export declare const CONTEXT_CEILINGS: Record<ContextType, number>;
+/**
+ * Creation types for provenance tracking
+ */
+export declare enum CreationType {
+    FRESH = "fresh",// New agent, no history
+    CLONED = "cloned",// Copy of existing agent
+    EVOLVED = "evolved",// Has verifiable history
+    PROMOTED = "promoted",// Earned advancement
+    IMPORTED = "imported"
+}
+/**
+ * Regulatory frameworks for compliance tracking
+ */
+export declare enum RegulatoryFramework {
+    NONE = "none",
+    HIPAA = "hipaa",
+    GDPR = "gdpr",
+    EU_AI_ACT = "eu-ai-act",
+    SOC2 = "soc2",
+    ISO_42001 = "iso-42001"
+}
+/**
+ * Tier 1: Deployment Context (IMMUTABLE)
+ * Set at deployment time, cannot be changed without redeployment.
+ * Example: HIPAA compliance mode cannot be disabled at runtime.
+ */
+export interface DeploymentContext {
+    readonly deploymentId: string;
+    readonly deploymentHash: string;
+    readonly regulatoryFramework: RegulatoryFramework;
+    readonly maxAllowedTier: TrustTier;
+    readonly allowedContextTypes: readonly ContextType[];
+    readonly deployedAt: Date;
+    readonly deployedBy: string;
+    readonly immutable: true;
+}
+export declare const deploymentContextSchema: z.ZodObject<{
+    deploymentId: z.ZodString;
+    deploymentHash: z.ZodString;
+    regulatoryFramework: z.ZodNativeEnum<typeof RegulatoryFramework>;
+    maxAllowedTier: z.ZodNativeEnum<typeof TrustTier>;
+    allowedContextTypes: z.ZodArray<z.ZodNativeEnum<typeof ContextType>, "many">;
+    deployedAt: z.ZodDate;
+    deployedBy: z.ZodString;
+    immutable: z.ZodLiteral<true>;
+}, "strip", z.ZodTypeAny, {
+    deploymentId?: string;
+    deploymentHash?: string;
+    regulatoryFramework?: RegulatoryFramework;
+    maxAllowedTier?: TrustTier;
+    allowedContextTypes?: ContextType[];
+    deployedAt?: Date;
+    deployedBy?: string;
+    immutable?: true;
+}, {
+    deploymentId?: string;
+    deploymentHash?: string;
+    regulatoryFramework?: RegulatoryFramework;
+    maxAllowedTier?: TrustTier;
+    allowedContextTypes?: ContextType[];
+    deployedAt?: Date;
+    deployedBy?: string;
+    immutable?: true;
+}>;
+/**
+ * Tier 2: Organizational Context (LOCKED POST-STARTUP)
+ * Can be configured during startup, then frozen.
+ * Example: Tenant isolation settings locked after initialization.
+ */
+export interface OrganizationalContext {
+    readonly orgId: string;
+    readonly tenantId: string;
+    readonly parentDeployment: DeploymentContext;
+    readonly lockedAt?: Date;
+    readonly constraints: OrganizationalConstraints;
+    readonly orgHash: string;
+}
+export interface OrganizationalConstraints {
+    readonly maxTrustTier: TrustTier;
+    readonly deniedDomains: readonly string[];
+    readonly requiredAttestations: readonly string[];
+    readonly dataClassification: 'public' | 'internal' | 'confidential' | 'restricted';
+    readonly auditLevel: 'minimal' | 'standard' | 'comprehensive' | 'forensic';
+}
+export declare const organizationalContextSchema: z.ZodObject<{
+    orgId: z.ZodString;
+    tenantId: z.ZodString;
+    parentDeployment: z.ZodObject<{
+        deploymentId: z.ZodString;
+        deploymentHash: z.ZodString;
+        regulatoryFramework: z.ZodNativeEnum<typeof RegulatoryFramework>;
+        maxAllowedTier: z.ZodNativeEnum<typeof TrustTier>;
+        allowedContextTypes: z.ZodArray<z.ZodNativeEnum<typeof ContextType>, "many">;
+        deployedAt: z.ZodDate;
+        deployedBy: z.ZodString;
+        immutable: z.ZodLiteral<true>;
+    }, "strip", z.ZodTypeAny, {
+        deploymentId?: string;
+        deploymentHash?: string;
+        regulatoryFramework?: RegulatoryFramework;
+        maxAllowedTier?: TrustTier;
+        allowedContextTypes?: ContextType[];
+        deployedAt?: Date;
+        deployedBy?: string;
+        immutable?: true;
+    }, {
+        deploymentId?: string;
+        deploymentHash?: string;
+        regulatoryFramework?: RegulatoryFramework;
+        maxAllowedTier?: TrustTier;
+        allowedContextTypes?: ContextType[];
+        deployedAt?: Date;
+        deployedBy?: string;
+        immutable?: true;
+    }>;
+    lockedAt: z.ZodOptional<z.ZodDate>;
+    constraints: z.ZodObject<{
+        maxTrustTier: z.ZodNativeEnum<typeof TrustTier>;
+        deniedDomains: z.ZodArray<z.ZodString, "many">;
+        requiredAttestations: z.ZodArray<z.ZodString, "many">;
+        dataClassification: z.ZodEnum<["public", "internal", "confidential", "restricted"]>;
+        auditLevel: z.ZodEnum<["minimal", "standard", "comprehensive", "forensic"]>;
+    }, "strip", z.ZodTypeAny, {
+        maxTrustTier?: TrustTier;
+        deniedDomains?: string[];
+        requiredAttestations?: string[];
+        dataClassification?: "public" | "internal" | "confidential" | "restricted";
+        auditLevel?: "minimal" | "standard" | "comprehensive" | "forensic";
+    }, {
+        maxTrustTier?: TrustTier;
+        deniedDomains?: string[];
+        requiredAttestations?: string[];
+        dataClassification?: "public" | "internal" | "confidential" | "restricted";
+        auditLevel?: "minimal" | "standard" | "comprehensive" | "forensic";
+    }>;
+    orgHash: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    tenantId?: string;
+    constraints?: {
+        maxTrustTier?: TrustTier;
+        deniedDomains?: string[];
+        requiredAttestations?: string[];
+        dataClassification?: "public" | "internal" | "confidential" | "restricted";
+        auditLevel?: "minimal" | "standard" | "comprehensive" | "forensic";
+    };
+    orgId?: string;
+    parentDeployment?: {
+        deploymentId?: string;
+        deploymentHash?: string;
+        regulatoryFramework?: RegulatoryFramework;
+        maxAllowedTier?: TrustTier;
+        allowedContextTypes?: ContextType[];
+        deployedAt?: Date;
+        deployedBy?: string;
+        immutable?: true;
+    };
+    lockedAt?: Date;
+    orgHash?: string;
+}, {
+    tenantId?: string;
+    constraints?: {
+        maxTrustTier?: TrustTier;
+        deniedDomains?: string[];
+        requiredAttestations?: string[];
+        dataClassification?: "public" | "internal" | "confidential" | "restricted";
+        auditLevel?: "minimal" | "standard" | "comprehensive" | "forensic";
+    };
+    orgId?: string;
+    parentDeployment?: {
+        deploymentId?: string;
+        deploymentHash?: string;
+        regulatoryFramework?: RegulatoryFramework;
+        maxAllowedTier?: TrustTier;
+        allowedContextTypes?: ContextType[];
+        deployedAt?: Date;
+        deployedBy?: string;
+        immutable?: true;
+    };
+    lockedAt?: Date;
+    orgHash?: string;
+}>;
+/**
+ * Tier 3: Agent Context (FROZEN AT CREATION)
+ * Set when agent is instantiated, cannot be modified.
+ * Example: Agent's assigned context type is permanent.
+ */
+export interface AgentContext {
+    readonly agentId: string;
+    readonly parentOrg: OrganizationalContext;
+    readonly contextType: ContextType;
+    readonly createdAt: Date;
+    readonly createdBy: string;
+    readonly contextHash: string;
+}
+export declare const agentContextSchema: z.ZodObject<{
+    agentId: z.ZodString;
+    parentOrg: z.ZodObject<{
+        orgId: z.ZodString;
+        tenantId: z.ZodString;
+        parentDeployment: z.ZodObject<{
+            deploymentId: z.ZodString;
+            deploymentHash: z.ZodString;
+            regulatoryFramework: z.ZodNativeEnum<typeof RegulatoryFramework>;
+            maxAllowedTier: z.ZodNativeEnum<typeof TrustTier>;
+            allowedContextTypes: z.ZodArray<z.ZodNativeEnum<typeof ContextType>, "many">;
+            deployedAt: z.ZodDate;
+            deployedBy: z.ZodString;
+            immutable: z.ZodLiteral<true>;
+        }, "strip", z.ZodTypeAny, {
+            deploymentId?: string;
+            deploymentHash?: string;
+            regulatoryFramework?: RegulatoryFramework;
+            maxAllowedTier?: TrustTier;
+            allowedContextTypes?: ContextType[];
+            deployedAt?: Date;
+            deployedBy?: string;
+            immutable?: true;
+        }, {
+            deploymentId?: string;
+            deploymentHash?: string;
+            regulatoryFramework?: RegulatoryFramework;
+            maxAllowedTier?: TrustTier;
+            allowedContextTypes?: ContextType[];
+            deployedAt?: Date;
+            deployedBy?: string;
+            immutable?: true;
+        }>;
+        lockedAt: z.ZodOptional<z.ZodDate>;
+        constraints: z.ZodObject<{
+            maxTrustTier: z.ZodNativeEnum<typeof TrustTier>;
+            deniedDomains: z.ZodArray<z.ZodString, "many">;
+            requiredAttestations: z.ZodArray<z.ZodString, "many">;
+            dataClassification: z.ZodEnum<["public", "internal", "confidential", "restricted"]>;
+            auditLevel: z.ZodEnum<["minimal", "standard", "comprehensive", "forensic"]>;
+        }, "strip", z.ZodTypeAny, {
+            maxTrustTier?: TrustTier;
+            deniedDomains?: string[];
+            requiredAttestations?: string[];
+            dataClassification?: "public" | "internal" | "confidential" | "restricted";
+            auditLevel?: "minimal" | "standard" | "comprehensive" | "forensic";
+        }, {
+            maxTrustTier?: TrustTier;
+            deniedDomains?: string[];
+            requiredAttestations?: string[];
+            dataClassification?: "public" | "internal" | "confidential" | "restricted";
+            auditLevel?: "minimal" | "standard" | "comprehensive" | "forensic";
+        }>;
+        orgHash: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        tenantId?: string;
+        constraints?: {
+            maxTrustTier?: TrustTier;
+            deniedDomains?: string[];
+            requiredAttestations?: string[];
+            dataClassification?: "public" | "internal" | "confidential" | "restricted";
+            auditLevel?: "minimal" | "standard" | "comprehensive" | "forensic";
+        };
+        orgId?: string;
+        parentDeployment?: {
+            deploymentId?: string;
+            deploymentHash?: string;
+            regulatoryFramework?: RegulatoryFramework;
+            maxAllowedTier?: TrustTier;
+            allowedContextTypes?: ContextType[];
+            deployedAt?: Date;
+            deployedBy?: string;
+            immutable?: true;
+        };
+        lockedAt?: Date;
+        orgHash?: string;
+    }, {
+        tenantId?: string;
+        constraints?: {
+            maxTrustTier?: TrustTier;
+            deniedDomains?: string[];
+            requiredAttestations?: string[];
+            dataClassification?: "public" | "internal" | "confidential" | "restricted";
+            auditLevel?: "minimal" | "standard" | "comprehensive" | "forensic";
+        };
+        orgId?: string;
+        parentDeployment?: {
+            deploymentId?: string;
+            deploymentHash?: string;
+            regulatoryFramework?: RegulatoryFramework;
+            maxAllowedTier?: TrustTier;
+            allowedContextTypes?: ContextType[];
+            deployedAt?: Date;
+            deployedBy?: string;
+            immutable?: true;
+        };
+        lockedAt?: Date;
+        orgHash?: string;
+    }>;
+    contextType: z.ZodNativeEnum<typeof ContextType>;
+    createdAt: z.ZodDate;
+    createdBy: z.ZodString;
+    contextHash: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    createdAt?: Date;
+    agentId?: string;
+    parentOrg?: {
+        tenantId?: string;
+        constraints?: {
+            maxTrustTier?: TrustTier;
+            deniedDomains?: string[];
+            requiredAttestations?: string[];
+            dataClassification?: "public" | "internal" | "confidential" | "restricted";
+            auditLevel?: "minimal" | "standard" | "comprehensive" | "forensic";
+        };
+        orgId?: string;
+        parentDeployment?: {
+            deploymentId?: string;
+            deploymentHash?: string;
+            regulatoryFramework?: RegulatoryFramework;
+            maxAllowedTier?: TrustTier;
+            allowedContextTypes?: ContextType[];
+            deployedAt?: Date;
+            deployedBy?: string;
+            immutable?: true;
+        };
+        lockedAt?: Date;
+        orgHash?: string;
+    };
+    contextType?: ContextType;
+    createdBy?: string;
+    contextHash?: string;
+}, {
+    createdAt?: Date;
+    agentId?: string;
+    parentOrg?: {
+        tenantId?: string;
+        constraints?: {
+            maxTrustTier?: TrustTier;
+            deniedDomains?: string[];
+            requiredAttestations?: string[];
+            dataClassification?: "public" | "internal" | "confidential" | "restricted";
+            auditLevel?: "minimal" | "standard" | "comprehensive" | "forensic";
+        };
+        orgId?: string;
+        parentDeployment?: {
+            deploymentId?: string;
+            deploymentHash?: string;
+            regulatoryFramework?: RegulatoryFramework;
+            maxAllowedTier?: TrustTier;
+            allowedContextTypes?: ContextType[];
+            deployedAt?: Date;
+            deployedBy?: string;
+            immutable?: true;
+        };
+        lockedAt?: Date;
+        orgHash?: string;
+    };
+    contextType?: ContextType;
+    createdBy?: string;
+    contextHash?: string;
+}>;
+/**
+ * Tier 4: Operation Context (EPHEMERAL)
+ * Created per-request, discarded after operation.
+ * Example: Request-specific metadata, correlation IDs.
+ */
+export interface OperationContext {
+    readonly operationId: string;
+    readonly parentAgent: AgentContext;
+    readonly requestMetadata: Record<string, unknown>;
+    readonly correlationId: string;
+    readonly startedAt: Date;
+    readonly expiresAt: Date;
+    readonly ephemeral: true;
+}
+export declare const operationContextSchema: z.ZodObject<{
+    operationId: z.ZodString;
+    parentAgent: z.ZodObject<{
+        agentId: z.ZodString;
+        parentOrg: z.ZodObject<{
+            orgId: z.ZodString;
+            tenantId: z.ZodString;
+            parentDeployment: z.ZodObject<{
+                deploymentId: z.ZodString;
+                deploymentHash: z.ZodString;
+                regulatoryFramework: z.ZodNativeEnum<typeof RegulatoryFramework>;
+                maxAllowedTier: z.ZodNativeEnum<typeof TrustTier>;
+                allowedContextTypes: z.ZodArray<z.ZodNativeEnum<typeof ContextType>, "many">;
+                deployedAt: z.ZodDate;
+                deployedBy: z.ZodString;
+                immutable: z.ZodLiteral<true>;
+            }, "strip", z.ZodTypeAny, {
+                deploymentId?: string;
+                deploymentHash?: string;
+                regulatoryFramework?: RegulatoryFramework;
+                maxAllowedTier?: TrustTier;
+                allowedContextTypes?: ContextType[];
+                deployedAt?: Date;
+                deployedBy?: string;
+                immutable?: true;
+            }, {
+                deploymentId?: string;
+                deploymentHash?: string;
+                regulatoryFramework?: RegulatoryFramework;
+                maxAllowedTier?: TrustTier;
+                allowedContextTypes?: ContextType[];
+                deployedAt?: Date;
+                deployedBy?: string;
+                immutable?: true;
+            }>;
+            lockedAt: z.ZodOptional<z.ZodDate>;
+            constraints: z.ZodObject<{
+                maxTrustTier: z.ZodNativeEnum<typeof TrustTier>;
+                deniedDomains: z.ZodArray<z.ZodString, "many">;
+                requiredAttestations: z.ZodArray<z.ZodString, "many">;
+                dataClassification: z.ZodEnum<["public", "internal", "confidential", "restricted"]>;
+                auditLevel: z.ZodEnum<["minimal", "standard", "comprehensive", "forensic"]>;
+            }, "strip", z.ZodTypeAny, {
+                maxTrustTier?: TrustTier;
+                deniedDomains?: string[];
+                requiredAttestations?: string[];
+                dataClassification?: "public" | "internal" | "confidential" | "restricted";
+                auditLevel?: "minimal" | "standard" | "comprehensive" | "forensic";
+            }, {
+                maxTrustTier?: TrustTier;
+                deniedDomains?: string[];
+                requiredAttestations?: string[];
+                dataClassification?: "public" | "internal" | "confidential" | "restricted";
+                auditLevel?: "minimal" | "standard" | "comprehensive" | "forensic";
+            }>;
+            orgHash: z.ZodString;
+        }, "strip", z.ZodTypeAny, {
+            tenantId?: string;
+            constraints?: {
+                maxTrustTier?: TrustTier;
+                deniedDomains?: string[];
+                requiredAttestations?: string[];
+                dataClassification?: "public" | "internal" | "confidential" | "restricted";
+                auditLevel?: "minimal" | "standard" | "comprehensive" | "forensic";
+            };
+            orgId?: string;
+            parentDeployment?: {
+                deploymentId?: string;
+                deploymentHash?: string;
+                regulatoryFramework?: RegulatoryFramework;
+                maxAllowedTier?: TrustTier;
+                allowedContextTypes?: ContextType[];
+                deployedAt?: Date;
+                deployedBy?: string;
+                immutable?: true;
+            };
+            lockedAt?: Date;
+            orgHash?: string;
+        }, {
+            tenantId?: string;
+            constraints?: {
+                maxTrustTier?: TrustTier;
+                deniedDomains?: string[];
+                requiredAttestations?: string[];
+                dataClassification?: "public" | "internal" | "confidential" | "restricted";
+                auditLevel?: "minimal" | "standard" | "comprehensive" | "forensic";
+            };
+            orgId?: string;
+            parentDeployment?: {
+                deploymentId?: string;
+                deploymentHash?: string;
+                regulatoryFramework?: RegulatoryFramework;
+                maxAllowedTier?: TrustTier;
+                allowedContextTypes?: ContextType[];
+                deployedAt?: Date;
+                deployedBy?: string;
+                immutable?: true;
+            };
+            lockedAt?: Date;
+            orgHash?: string;
+        }>;
+        contextType: z.ZodNativeEnum<typeof ContextType>;
+        createdAt: z.ZodDate;
+        createdBy: z.ZodString;
+        contextHash: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        createdAt?: Date;
+        agentId?: string;
+        parentOrg?: {
+            tenantId?: string;
+            constraints?: {
+                maxTrustTier?: TrustTier;
+                deniedDomains?: string[];
+                requiredAttestations?: string[];
+                dataClassification?: "public" | "internal" | "confidential" | "restricted";
+                auditLevel?: "minimal" | "standard" | "comprehensive" | "forensic";
+            };
+            orgId?: string;
+            parentDeployment?: {
+                deploymentId?: string;
+                deploymentHash?: string;
+                regulatoryFramework?: RegulatoryFramework;
+                maxAllowedTier?: TrustTier;
+                allowedContextTypes?: ContextType[];
+                deployedAt?: Date;
+                deployedBy?: string;
+                immutable?: true;
+            };
+            lockedAt?: Date;
+            orgHash?: string;
+        };
+        contextType?: ContextType;
+        createdBy?: string;
+        contextHash?: string;
+    }, {
+        createdAt?: Date;
+        agentId?: string;
+        parentOrg?: {
+            tenantId?: string;
+            constraints?: {
+                maxTrustTier?: TrustTier;
+                deniedDomains?: string[];
+                requiredAttestations?: string[];
+                dataClassification?: "public" | "internal" | "confidential" | "restricted";
+                auditLevel?: "minimal" | "standard" | "comprehensive" | "forensic";
+            };
+            orgId?: string;
+            parentDeployment?: {
+                deploymentId?: string;
+                deploymentHash?: string;
+                regulatoryFramework?: RegulatoryFramework;
+                maxAllowedTier?: TrustTier;
+                allowedContextTypes?: ContextType[];
+                deployedAt?: Date;
+                deployedBy?: string;
+                immutable?: true;
+            };
+            lockedAt?: Date;
+            orgHash?: string;
+        };
+        contextType?: ContextType;
+        createdBy?: string;
+        contextHash?: string;
+    }>;
+    requestMetadata: z.ZodRecord<z.ZodString, z.ZodUnknown>;
+    correlationId: z.ZodString;
+    startedAt: z.ZodDate;
+    expiresAt: z.ZodDate;
+    ephemeral: z.ZodLiteral<true>;
+}, "strip", z.ZodTypeAny, {
+    correlationId?: string;
+    startedAt?: Date;
+    expiresAt?: Date;
+    operationId?: string;
+    parentAgent?: {
+        createdAt?: Date;
+        agentId?: string;
+        parentOrg?: {
+            tenantId?: string;
+            constraints?: {
+                maxTrustTier?: TrustTier;
+                deniedDomains?: string[];
+                requiredAttestations?: string[];
+                dataClassification?: "public" | "internal" | "confidential" | "restricted";
+                auditLevel?: "minimal" | "standard" | "comprehensive" | "forensic";
+            };
+            orgId?: string;
+            parentDeployment?: {
+                deploymentId?: string;
+                deploymentHash?: string;
+                regulatoryFramework?: RegulatoryFramework;
+                maxAllowedTier?: TrustTier;
+                allowedContextTypes?: ContextType[];
+                deployedAt?: Date;
+                deployedBy?: string;
+                immutable?: true;
+            };
+            lockedAt?: Date;
+            orgHash?: string;
+        };
+        contextType?: ContextType;
+        createdBy?: string;
+        contextHash?: string;
+    };
+    requestMetadata?: Record<string, unknown>;
+    ephemeral?: true;
+}, {
+    correlationId?: string;
+    startedAt?: Date;
+    expiresAt?: Date;
+    operationId?: string;
+    parentAgent?: {
+        createdAt?: Date;
+        agentId?: string;
+        parentOrg?: {
+            tenantId?: string;
+            constraints?: {
+                maxTrustTier?: TrustTier;
+                deniedDomains?: string[];
+                requiredAttestations?: string[];
+                dataClassification?: "public" | "internal" | "confidential" | "restricted";
+                auditLevel?: "minimal" | "standard" | "comprehensive" | "forensic";
+            };
+            orgId?: string;
+            parentDeployment?: {
+                deploymentId?: string;
+                deploymentHash?: string;
+                regulatoryFramework?: RegulatoryFramework;
+                maxAllowedTier?: TrustTier;
+                allowedContextTypes?: ContextType[];
+                deployedAt?: Date;
+                deployedBy?: string;
+                immutable?: true;
+            };
+            lockedAt?: Date;
+            orgHash?: string;
+        };
+        contextType?: ContextType;
+        createdBy?: string;
+        contextHash?: string;
+    };
+    requestMetadata?: Record<string, unknown>;
+    ephemeral?: true;
+}>;
+/**
+ * Context hierarchy validation result
+ */
+export interface ContextValidationResult {
+    readonly valid: boolean;
+    readonly tier: 'deployment' | 'organizational' | 'agent' | 'operation';
+    readonly reason?: string;
+    readonly constraintViolations: readonly string[];
+    readonly hashChainValid: boolean;
+    readonly validatedAt: Date;
+}
+/**
+ * Preset source tier
+ */
+export type PresetSource = 'basis' | 'vorion' | 'axiom';
+/**
+ * Trust dimension weights (sum to 1.0)
+ */
+export interface TrustWeights {
+    readonly observability: number;
+    readonly capability: number;
+    readonly behavior: number;
+    readonly governance: number;
+    readonly context: number;
+}
+export declare const trustWeightsSchema: z.ZodEffects<z.ZodObject<{
+    observability: z.ZodNumber;
+    capability: z.ZodNumber;
+    behavior: z.ZodNumber;
+    governance: z.ZodNumber;
+    context: z.ZodNumber;
+}, "strip", z.ZodTypeAny, {
+    context?: number;
+    governance?: number;
+    capability?: number;
+    observability?: number;
+    behavior?: number;
+}, {
+    context?: number;
+    governance?: number;
+    capability?: number;
+    observability?: number;
+    behavior?: number;
+}>, {
+    context?: number;
+    governance?: number;
+    capability?: number;
+    observability?: number;
+    behavior?: number;
+}, {
+    context?: number;
+    governance?: number;
+    capability?: number;
+    observability?: number;
+    behavior?: number;
+}>;
+/**
+ * Trust preset with derivation chain
+ */
+export interface TrustPreset {
+    readonly presetId: string;
+    readonly name: string;
+    readonly description: string;
+    readonly source: PresetSource;
+    readonly version: number;
+    readonly weights: TrustWeights;
+    readonly parentPresetId?: string;
+    readonly parentHash?: string;
+    readonly derivationDelta?: Partial<TrustWeights>;
+    readonly createdAt: Date;
+    readonly createdBy: string;
+    readonly presetHash: string;
+    readonly comment?: string;
+}
+export declare const trustPresetSchema: z.ZodObject<{
+    presetId: z.ZodString;
+    name: z.ZodString;
+    description: z.ZodString;
+    source: z.ZodEnum<["aci", "vorion", "axiom"]>;
+    version: z.ZodNumber;
+    weights: z.ZodEffects<z.ZodObject<{
+        observability: z.ZodNumber;
+        capability: z.ZodNumber;
+        behavior: z.ZodNumber;
+        governance: z.ZodNumber;
+        context: z.ZodNumber;
+    }, "strip", z.ZodTypeAny, {
+        context?: number;
+        governance?: number;
+        capability?: number;
+        observability?: number;
+        behavior?: number;
+    }, {
+        context?: number;
+        governance?: number;
+        capability?: number;
+        observability?: number;
+        behavior?: number;
+    }>, {
+        context?: number;
+        governance?: number;
+        capability?: number;
+        observability?: number;
+        behavior?: number;
+    }, {
+        context?: number;
+        governance?: number;
+        capability?: number;
+        observability?: number;
+        behavior?: number;
+    }>;
+    parentPresetId: z.ZodOptional<z.ZodString>;
+    parentHash: z.ZodOptional<z.ZodString>;
+    derivationDelta: z.ZodOptional<z.ZodObject<{
+        observability: z.ZodOptional<z.ZodNumber>;
+        capability: z.ZodOptional<z.ZodNumber>;
+        behavior: z.ZodOptional<z.ZodNumber>;
+        governance: z.ZodOptional<z.ZodNumber>;
+        context: z.ZodOptional<z.ZodNumber>;
+    }, "strip", z.ZodTypeAny, {
+        context?: number;
+        governance?: number;
+        capability?: number;
+        observability?: number;
+        behavior?: number;
+    }, {
+        context?: number;
+        governance?: number;
+        capability?: number;
+        observability?: number;
+        behavior?: number;
+    }>>;
+    createdAt: z.ZodDate;
+    createdBy: z.ZodString;
+    presetHash: z.ZodString;
+    comment: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    name?: string;
+    version?: number;
+    description?: string;
+    createdAt?: Date;
+    createdBy?: string;
+    presetId?: string;
+    source?: "vorion" | "axiom" | "aci";
+    weights?: {
+        context?: number;
+        governance?: number;
+        capability?: number;
+        observability?: number;
+        behavior?: number;
+    };
+    parentPresetId?: string;
+    parentHash?: string;
+    derivationDelta?: {
+        context?: number;
+        governance?: number;
+        capability?: number;
+        observability?: number;
+        behavior?: number;
+    };
+    presetHash?: string;
+    comment?: string;
+}, {
+    name?: string;
+    version?: number;
+    description?: string;
+    createdAt?: Date;
+    createdBy?: string;
+    presetId?: string;
+    source?: "vorion" | "axiom" | "aci";
+    weights?: {
+        context?: number;
+        governance?: number;
+        capability?: number;
+        observability?: number;
+        behavior?: number;
+    };
+    parentPresetId?: string;
+    parentHash?: string;
+    derivationDelta?: {
+        context?: number;
+        governance?: number;
+        capability?: number;
+        observability?: number;
+        behavior?: number;
+    };
+    presetHash?: string;
+    comment?: string;
+}>;
+/**
+ * Preset lineage tracking (cryptographic chain of custody)
+ */
+export interface PresetLineage {
+    readonly leafPresetId: string;
+    readonly chain: readonly string[];
+    readonly hashes: readonly string[];
+    readonly verified: boolean;
+    readonly verifiedAt?: Date;
+    readonly verifiedBy?: string;
+}
+export declare const presetLineageSchema: z.ZodObject<{
+    leafPresetId: z.ZodString;
+    chain: z.ZodArray<z.ZodString, "many">;
+    hashes: z.ZodArray<z.ZodString, "many">;
+    verified: z.ZodBoolean;
+    verifiedAt: z.ZodOptional<z.ZodDate>;
+    verifiedBy: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    verifiedAt?: Date;
+    chain?: string[];
+    leafPresetId?: string;
+    hashes?: string[];
+    verified?: boolean;
+    verifiedBy?: string;
+}, {
+    verifiedAt?: Date;
+    chain?: string[];
+    leafPresetId?: string;
+    hashes?: string[];
+    verified?: boolean;
+    verifiedBy?: string;
+}>;
+/**
+ * Agent provenance (IMMUTABLE - captured at instantiation)
+ */
+export interface AgentProvenance {
+    readonly agentId: string;
+    readonly creationType: CreationType;
+    readonly parentAgentId?: string;
+    readonly parentProvenanceHash?: string;
+    readonly createdAt: Date;
+    readonly createdBy: string;
+    readonly provenanceHash: string;
+}
+export declare const agentProvenanceSchema: z.ZodObject<{
+    agentId: z.ZodString;
+    creationType: z.ZodNativeEnum<typeof CreationType>;
+    parentAgentId: z.ZodOptional<z.ZodString>;
+    parentProvenanceHash: z.ZodOptional<z.ZodString>;
+    createdAt: z.ZodDate;
+    createdBy: z.ZodString;
+    provenanceHash: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    createdAt?: Date;
+    provenanceHash?: string;
+    agentId?: string;
+    createdBy?: string;
+    creationType?: CreationType;
+    parentAgentId?: string;
+    parentProvenanceHash?: string;
+}, {
+    createdAt?: Date;
+    provenanceHash?: string;
+    agentId?: string;
+    createdBy?: string;
+    creationType?: CreationType;
+    parentAgentId?: string;
+    parentProvenanceHash?: string;
+}>;
+/**
+ * Creation modifier policy (MUTABLE - can evolve independently)
+ */
+export interface CreationModifierPolicy {
+    readonly policyId: string;
+    readonly version: number;
+    readonly creationType: CreationType;
+    readonly baselineModifier: number;
+    readonly conditions?: CreationModifierConditions;
+    readonly effectiveFrom: Date;
+    readonly effectiveUntil?: Date;
+    readonly createdAt: Date;
+    readonly createdBy: string;
+    readonly policyHash: string;
+    readonly supersedes?: string;
+}
+export interface CreationModifierConditions {
+    readonly parentCreationType?: CreationType;
+    readonly parentTrustScore?: {
+        min: number;
+        max: number;
+    };
+    readonly trustedSources?: readonly string[];
+    readonly requiredAttestations?: readonly string[];
+}
+export declare const creationModifierPolicySchema: z.ZodObject<{
+    policyId: z.ZodString;
+    version: z.ZodNumber;
+    creationType: z.ZodNativeEnum<typeof CreationType>;
+    baselineModifier: z.ZodNumber;
+    conditions: z.ZodOptional<z.ZodObject<{
+        parentCreationType: z.ZodOptional<z.ZodNativeEnum<typeof CreationType>>;
+        parentTrustScore: z.ZodOptional<z.ZodObject<{
+            min: z.ZodNumber;
+            max: z.ZodNumber;
+        }, "strip", z.ZodTypeAny, {
+            min?: number;
+            max?: number;
+        }, {
+            min?: number;
+            max?: number;
+        }>>;
+        trustedSources: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        requiredAttestations: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        requiredAttestations?: string[];
+        parentCreationType?: CreationType;
+        parentTrustScore?: {
+            min?: number;
+            max?: number;
+        };
+        trustedSources?: string[];
+    }, {
+        requiredAttestations?: string[];
+        parentCreationType?: CreationType;
+        parentTrustScore?: {
+            min?: number;
+            max?: number;
+        };
+        trustedSources?: string[];
+    }>>;
+    effectiveFrom: z.ZodDate;
+    effectiveUntil: z.ZodOptional<z.ZodDate>;
+    createdAt: z.ZodDate;
+    createdBy: z.ZodString;
+    policyHash: z.ZodString;
+    supersedes: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    version?: number;
+    conditions?: {
+        requiredAttestations?: string[];
+        parentCreationType?: CreationType;
+        parentTrustScore?: {
+            min?: number;
+            max?: number;
+        };
+        trustedSources?: string[];
+    };
+    createdAt?: Date;
+    createdBy?: string;
+    creationType?: CreationType;
+    policyId?: string;
+    baselineModifier?: number;
+    effectiveFrom?: Date;
+    effectiveUntil?: Date;
+    policyHash?: string;
+    supersedes?: string;
+}, {
+    version?: number;
+    conditions?: {
+        requiredAttestations?: string[];
+        parentCreationType?: CreationType;
+        parentTrustScore?: {
+            min?: number;
+            max?: number;
+        };
+        trustedSources?: string[];
+    };
+    createdAt?: Date;
+    createdBy?: string;
+    creationType?: CreationType;
+    policyId?: string;
+    baselineModifier?: number;
+    effectiveFrom?: Date;
+    effectiveUntil?: Date;
+    policyHash?: string;
+    supersedes?: string;
+}>;
+/**
+ * Modifier evaluation record (AUDIT TRAIL)
+ */
+export interface ModifierEvaluationRecord {
+    readonly evaluationId: string;
+    readonly agentId: string;
+    readonly provenanceHash: string;
+    readonly policyId: string;
+    readonly policyVersion: number;
+    readonly computedModifier: number;
+    readonly conditionsMatched: readonly string[];
+    readonly evaluatedAt: Date;
+    readonly evaluationHash: string;
+}
+export declare const modifierEvaluationRecordSchema: z.ZodObject<{
+    evaluationId: z.ZodString;
+    agentId: z.ZodString;
+    provenanceHash: z.ZodString;
+    policyId: z.ZodString;
+    policyVersion: z.ZodNumber;
+    computedModifier: z.ZodNumber;
+    conditionsMatched: z.ZodArray<z.ZodString, "many">;
+    evaluatedAt: z.ZodDate;
+    evaluationHash: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    evaluatedAt?: Date;
+    provenanceHash?: string;
+    agentId?: string;
+    policyId?: string;
+    evaluationId?: string;
+    policyVersion?: number;
+    computedModifier?: number;
+    conditionsMatched?: string[];
+    evaluationHash?: string;
+}, {
+    evaluatedAt?: Date;
+    provenanceHash?: string;
+    agentId?: string;
+    policyId?: string;
+    evaluationId?: string;
+    policyVersion?: number;
+    computedModifier?: number;
+    conditionsMatched?: string[];
+    evaluationHash?: string;
+}>;
+/**
+ * Enforcement layer designation
+ */
+export type EnforcementLayer = 'kernel' | 'policy' | 'regulatory';
+/**
+ * Trust computation event with dual logging
+ */
+export interface TrustComputationEvent {
+    readonly eventId: string;
+    readonly agentId: string;
+    readonly timestamp: Date;
+    readonly rawScore: number;
+    readonly clampedScore: number;
+    readonly ceilingApplied: boolean;
+    readonly ceilingSource?: CeilingSource;
+    readonly enforcementLayer: EnforcementLayer;
+    readonly kernelValidated: boolean;
+    readonly policyValidated: boolean;
+    readonly regulatoryLogged: boolean;
+    readonly contextType: ContextType;
+    readonly contextCeiling: number;
+    readonly effectiveTier: TrustTier;
+    readonly eventHash: string;
+    readonly previousEventHash?: string;
+}
+export interface CeilingSource {
+    readonly type: 'context' | 'organizational' | 'deployment' | 'attestation';
+    readonly value: number;
+    readonly constraint: string;
+}
+export declare const trustComputationEventSchema: z.ZodObject<{
+    eventId: z.ZodString;
+    agentId: z.ZodString;
+    timestamp: z.ZodDate;
+    rawScore: z.ZodNumber;
+    clampedScore: z.ZodNumber;
+    ceilingApplied: z.ZodBoolean;
+    ceilingSource: z.ZodOptional<z.ZodObject<{
+        type: z.ZodEnum<["context", "organizational", "deployment", "attestation"]>;
+        value: z.ZodNumber;
+        constraint: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        value?: number;
+        type?: "context" | "deployment" | "organizational" | "attestation";
+        constraint?: string;
+    }, {
+        value?: number;
+        type?: "context" | "deployment" | "organizational" | "attestation";
+        constraint?: string;
+    }>>;
+    enforcementLayer: z.ZodEnum<["kernel", "policy", "regulatory"]>;
+    kernelValidated: z.ZodBoolean;
+    policyValidated: z.ZodBoolean;
+    regulatoryLogged: z.ZodBoolean;
+    contextType: z.ZodNativeEnum<typeof ContextType>;
+    contextCeiling: z.ZodNumber;
+    effectiveTier: z.ZodNativeEnum<typeof TrustTier>;
+    eventHash: z.ZodString;
+    previousEventHash: z.ZodOptional<z.ZodString>;
+}, "strip", z.ZodTypeAny, {
+    timestamp?: Date;
+    agentId?: string;
+    contextType?: ContextType;
+    eventId?: string;
+    rawScore?: number;
+    clampedScore?: number;
+    ceilingApplied?: boolean;
+    ceilingSource?: {
+        value?: number;
+        type?: "context" | "deployment" | "organizational" | "attestation";
+        constraint?: string;
+    };
+    enforcementLayer?: "policy" | "kernel" | "regulatory";
+    kernelValidated?: boolean;
+    policyValidated?: boolean;
+    regulatoryLogged?: boolean;
+    contextCeiling?: number;
+    effectiveTier?: TrustTier;
+    eventHash?: string;
+    previousEventHash?: string;
+}, {
+    timestamp?: Date;
+    agentId?: string;
+    contextType?: ContextType;
+    eventId?: string;
+    rawScore?: number;
+    clampedScore?: number;
+    ceilingApplied?: boolean;
+    ceilingSource?: {
+        value?: number;
+        type?: "context" | "deployment" | "organizational" | "attestation";
+        constraint?: string;
+    };
+    enforcementLayer?: "policy" | "kernel" | "regulatory";
+    kernelValidated?: boolean;
+    policyValidated?: boolean;
+    regulatoryLogged?: boolean;
+    contextCeiling?: number;
+    effectiveTier?: TrustTier;
+    eventHash?: string;
+    previousEventHash?: string;
+}>;
+/**
+ * Regulatory audit ledger entry (SEPARATE from operational events)
+ */
+export interface RegulatoryAuditEntry {
+    readonly entryId: string;
+    readonly agentId: string;
+    readonly timestamp: Date;
+    readonly rawScore: number;
+    readonly clampedScore: number;
+    readonly variance: number;
+    readonly varianceAnomaly: boolean;
+    readonly frequencyAnomaly: boolean;
+    readonly patternAnomaly: boolean;
+    readonly regulatoryFramework: RegulatoryFramework;
+    readonly complianceStatus: 'compliant' | 'warning' | 'violation';
+    readonly retentionRequired: boolean;
+    readonly retentionUntil?: Date;
+    readonly entryHash: string;
+    readonly previousEntryHash?: string;
+    readonly ledgerSequence: number;
+}
+export declare const regulatoryAuditEntrySchema: z.ZodObject<{
+    entryId: z.ZodString;
+    agentId: z.ZodString;
+    timestamp: z.ZodDate;
+    rawScore: z.ZodNumber;
+    clampedScore: z.ZodNumber;
+    variance: z.ZodNumber;
+    varianceAnomaly: z.ZodBoolean;
+    frequencyAnomaly: z.ZodBoolean;
+    patternAnomaly: z.ZodBoolean;
+    regulatoryFramework: z.ZodNativeEnum<typeof RegulatoryFramework>;
+    complianceStatus: z.ZodEnum<["compliant", "warning", "violation"]>;
+    retentionRequired: z.ZodBoolean;
+    retentionUntil: z.ZodOptional<z.ZodDate>;
+    entryHash: z.ZodString;
+    previousEntryHash: z.ZodOptional<z.ZodString>;
+    ledgerSequence: z.ZodNumber;
+}, "strip", z.ZodTypeAny, {
+    timestamp?: Date;
+    agentId?: string;
+    regulatoryFramework?: RegulatoryFramework;
+    rawScore?: number;
+    clampedScore?: number;
+    entryId?: string;
+    variance?: number;
+    varianceAnomaly?: boolean;
+    frequencyAnomaly?: boolean;
+    patternAnomaly?: boolean;
+    complianceStatus?: "warning" | "compliant" | "violation";
+    retentionRequired?: boolean;
+    retentionUntil?: Date;
+    entryHash?: string;
+    previousEntryHash?: string;
+    ledgerSequence?: number;
+}, {
+    timestamp?: Date;
+    agentId?: string;
+    regulatoryFramework?: RegulatoryFramework;
+    rawScore?: number;
+    clampedScore?: number;
+    entryId?: string;
+    variance?: number;
+    varianceAnomaly?: boolean;
+    frequencyAnomaly?: boolean;
+    patternAnomaly?: boolean;
+    complianceStatus?: "warning" | "compliant" | "violation";
+    retentionRequired?: boolean;
+    retentionUntil?: Date;
+    entryHash?: string;
+    previousEntryHash?: string;
+    ledgerSequence?: number;
+}>;
+/**
+ * Role gate matrix entry
+ */
+export interface RoleGateEntry {
+    readonly role: AgentRole;
+    readonly minimumTier: TrustTier;
+    readonly allowedTiers: readonly TrustTier[];
+}
+/**
+ * Pre-computed role gate matrix
+ * Higher-capability roles require higher trust.
+ */
+export declare const ROLE_GATE_MATRIX: Record<AgentRole, Record<TrustTier, boolean>>;
+/**
+ * Policy rule for role gate (policy-as-code layer)
+ */
+export interface RoleGatePolicy {
+    readonly policyId: string;
+    readonly version: number;
+    readonly rules: readonly RoleGatePolicyRule[];
+    readonly effectiveFrom: Date;
+    readonly effectiveUntil?: Date;
+    readonly createdAt: Date;
+    readonly createdBy: string;
+    readonly policyHash: string;
+}
+export interface RoleGatePolicyRule {
+    readonly ruleId: string;
+    readonly name: string;
+    readonly condition: RoleGateCondition;
+    readonly action: 'ALLOW' | 'DENY' | 'ESCALATE';
+    readonly priority: number;
+    readonly reason: string;
+}
+export interface RoleGateCondition {
+    readonly roles?: readonly AgentRole[];
+    readonly tiers?: readonly TrustTier[];
+    readonly contextTypes?: readonly ContextType[];
+    readonly domains?: readonly string[];
+    readonly timeWindow?: {
+        start: string;
+        end: string;
+    };
+    readonly requiresAttestation?: readonly string[];
+}
+export declare const roleGatePolicySchema: z.ZodObject<{
+    policyId: z.ZodString;
+    version: z.ZodNumber;
+    rules: z.ZodArray<z.ZodObject<{
+        ruleId: z.ZodString;
+        name: z.ZodString;
+        condition: z.ZodObject<{
+            roles: z.ZodOptional<z.ZodArray<z.ZodNativeEnum<typeof AgentRole>, "many">>;
+            tiers: z.ZodOptional<z.ZodArray<z.ZodNativeEnum<typeof TrustTier>, "many">>;
+            contextTypes: z.ZodOptional<z.ZodArray<z.ZodNativeEnum<typeof ContextType>, "many">>;
+            domains: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            timeWindow: z.ZodOptional<z.ZodObject<{
+                start: z.ZodString;
+                end: z.ZodString;
+            }, "strip", z.ZodTypeAny, {
+                start?: string;
+                end?: string;
+            }, {
+                start?: string;
+                end?: string;
+            }>>;
+            requiresAttestation: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        }, "strip", z.ZodTypeAny, {
+            roles?: AgentRole[];
+            tiers?: TrustTier[];
+            contextTypes?: ContextType[];
+            domains?: string[];
+            timeWindow?: {
+                start?: string;
+                end?: string;
+            };
+            requiresAttestation?: string[];
+        }, {
+            roles?: AgentRole[];
+            tiers?: TrustTier[];
+            contextTypes?: ContextType[];
+            domains?: string[];
+            timeWindow?: {
+                start?: string;
+                end?: string;
+            };
+            requiresAttestation?: string[];
+        }>;
+        action: z.ZodEnum<["ALLOW", "DENY", "ESCALATE"]>;
+        priority: z.ZodNumber;
+        reason: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        name?: string;
+        ruleId?: string;
+        action?: "ALLOW" | "DENY" | "ESCALATE";
+        reason?: string;
+        priority?: number;
+        condition?: {
+            roles?: AgentRole[];
+            tiers?: TrustTier[];
+            contextTypes?: ContextType[];
+            domains?: string[];
+            timeWindow?: {
+                start?: string;
+                end?: string;
+            };
+            requiresAttestation?: string[];
+        };
+    }, {
+        name?: string;
+        ruleId?: string;
+        action?: "ALLOW" | "DENY" | "ESCALATE";
+        reason?: string;
+        priority?: number;
+        condition?: {
+            roles?: AgentRole[];
+            tiers?: TrustTier[];
+            contextTypes?: ContextType[];
+            domains?: string[];
+            timeWindow?: {
+                start?: string;
+                end?: string;
+            };
+            requiresAttestation?: string[];
+        };
+    }>, "many">;
+    effectiveFrom: z.ZodDate;
+    effectiveUntil: z.ZodOptional<z.ZodDate>;
+    createdAt: z.ZodDate;
+    createdBy: z.ZodString;
+    policyHash: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    version?: number;
+    rules?: {
+        name?: string;
+        ruleId?: string;
+        action?: "ALLOW" | "DENY" | "ESCALATE";
+        reason?: string;
+        priority?: number;
+        condition?: {
+            roles?: AgentRole[];
+            tiers?: TrustTier[];
+            contextTypes?: ContextType[];
+            domains?: string[];
+            timeWindow?: {
+                start?: string;
+                end?: string;
+            };
+            requiresAttestation?: string[];
+        };
+    }[];
+    createdAt?: Date;
+    createdBy?: string;
+    policyId?: string;
+    effectiveFrom?: Date;
+    effectiveUntil?: Date;
+    policyHash?: string;
+}, {
+    version?: number;
+    rules?: {
+        name?: string;
+        ruleId?: string;
+        action?: "ALLOW" | "DENY" | "ESCALATE";
+        reason?: string;
+        priority?: number;
+        condition?: {
+            roles?: AgentRole[];
+            tiers?: TrustTier[];
+            contextTypes?: ContextType[];
+            domains?: string[];
+            timeWindow?: {
+                start?: string;
+                end?: string;
+            };
+            requiresAttestation?: string[];
+        };
+    }[];
+    createdAt?: Date;
+    createdBy?: string;
+    policyId?: string;
+    effectiveFrom?: Date;
+    effectiveUntil?: Date;
+    policyHash?: string;
+}>;
+/**
+ * Role gate evaluation result (3-layer)
+ */
+export interface RoleGateEvaluation {
+    readonly evaluationId: string;
+    readonly agentId: string;
+    readonly role: AgentRole;
+    readonly tier: TrustTier;
+    readonly timestamp: Date;
+    readonly kernelResult: {
+        readonly valid: boolean;
+        readonly matrixAllows: boolean;
+        readonly reason?: string;
+    };
+    readonly policyResult: {
+        readonly valid: boolean;
+        readonly appliedRuleId?: string;
+        readonly appliedPolicyVersion?: number;
+        readonly action: 'ALLOW' | 'DENY' | 'ESCALATE';
+        readonly reason: string;
+    };
+    readonly basisResult: {
+        readonly valid: boolean;
+        readonly requiresOverride: boolean;
+        readonly overrideSignatures?: readonly string[];
+        readonly contextConstraintsMet: boolean;
+        readonly reason?: string;
+    };
+    readonly decision: 'ALLOW' | 'DENY' | 'ESCALATE';
+    readonly decidedAt: Date;
+    readonly evaluationHash: string;
+}
+export declare const roleGateEvaluationSchema: z.ZodObject<{
+    evaluationId: z.ZodString;
+    agentId: z.ZodString;
+    role: z.ZodNativeEnum<typeof AgentRole>;
+    tier: z.ZodNativeEnum<typeof TrustTier>;
+    timestamp: z.ZodDate;
+    kernelResult: z.ZodObject<{
+        valid: z.ZodBoolean;
+        matrixAllows: z.ZodBoolean;
+        reason: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        reason?: string;
+        valid?: boolean;
+        matrixAllows?: boolean;
+    }, {
+        reason?: string;
+        valid?: boolean;
+        matrixAllows?: boolean;
+    }>;
+    policyResult: z.ZodObject<{
+        valid: z.ZodBoolean;
+        appliedRuleId: z.ZodOptional<z.ZodString>;
+        appliedPolicyVersion: z.ZodOptional<z.ZodNumber>;
+        action: z.ZodEnum<["ALLOW", "DENY", "ESCALATE"]>;
+        reason: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        action?: "ALLOW" | "DENY" | "ESCALATE";
+        reason?: string;
+        valid?: boolean;
+        appliedRuleId?: string;
+        appliedPolicyVersion?: number;
+    }, {
+        action?: "ALLOW" | "DENY" | "ESCALATE";
+        reason?: string;
+        valid?: boolean;
+        appliedRuleId?: string;
+        appliedPolicyVersion?: number;
+    }>;
+    basisResult: z.ZodObject<{
+        valid: z.ZodBoolean;
+        requiresOverride: z.ZodBoolean;
+        overrideSignatures: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+        contextConstraintsMet: z.ZodBoolean;
+        reason: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        reason?: string;
+        valid?: boolean;
+        requiresOverride?: boolean;
+        overrideSignatures?: string[];
+        contextConstraintsMet?: boolean;
+    }, {
+        reason?: string;
+        valid?: boolean;
+        requiresOverride?: boolean;
+        overrideSignatures?: string[];
+        contextConstraintsMet?: boolean;
+    }>;
+    decision: z.ZodEnum<["ALLOW", "DENY", "ESCALATE"]>;
+    decidedAt: z.ZodDate;
+    evaluationHash: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    timestamp?: Date;
+    tier?: TrustTier;
+    decision?: "ALLOW" | "DENY" | "ESCALATE";
+    decidedAt?: Date;
+    agentId?: string;
+    role?: AgentRole;
+    evaluationId?: string;
+    evaluationHash?: string;
+    kernelResult?: {
+        reason?: string;
+        valid?: boolean;
+        matrixAllows?: boolean;
+    };
+    policyResult?: {
+        action?: "ALLOW" | "DENY" | "ESCALATE";
+        reason?: string;
+        valid?: boolean;
+        appliedRuleId?: string;
+        appliedPolicyVersion?: number;
+    };
+    basisResult?: {
+        reason?: string;
+        valid?: boolean;
+        requiresOverride?: boolean;
+        overrideSignatures?: string[];
+        contextConstraintsMet?: boolean;
+    };
+}, {
+    timestamp?: Date;
+    tier?: TrustTier;
+    decision?: "ALLOW" | "DENY" | "ESCALATE";
+    decidedAt?: Date;
+    agentId?: string;
+    role?: AgentRole;
+    evaluationId?: string;
+    evaluationHash?: string;
+    kernelResult?: {
+        reason?: string;
+        valid?: boolean;
+        matrixAllows?: boolean;
+    };
+    policyResult?: {
+        action?: "ALLOW" | "DENY" | "ESCALATE";
+        reason?: string;
+        valid?: boolean;
+        appliedRuleId?: string;
+        appliedPolicyVersion?: number;
+    };
+    basisResult?: {
+        reason?: string;
+        valid?: boolean;
+        requiresOverride?: boolean;
+        overrideSignatures?: string[];
+        contextConstraintsMet?: boolean;
+    };
+}>;
+/**
+ * Trust score computation configuration
+ */
+export interface TrustScoreConfig {
+    readonly agentContext: AgentContext;
+    readonly provenance: AgentProvenance;
+    readonly preset: TrustPreset;
+    readonly role: AgentRole;
+}
+/**
+ * Trust metrics input
+ */
+export interface TrustMetrics {
+    readonly observability: number;
+    readonly capability: number;
+    readonly behavior: number;
+    readonly governance: number;
+    readonly context: number;
+}
+export declare const trustMetricsSchema: z.ZodObject<{
+    observability: z.ZodNumber;
+    capability: z.ZodNumber;
+    behavior: z.ZodNumber;
+    governance: z.ZodNumber;
+    context: z.ZodNumber;
+}, "strip", z.ZodTypeAny, {
+    context?: number;
+    governance?: number;
+    capability?: number;
+    observability?: number;
+    behavior?: number;
+}, {
+    context?: number;
+    governance?: number;
+    capability?: number;
+    observability?: number;
+    behavior?: number;
+}>;
+/**
+ * Complete trust computation result
+ */
+export interface TrustComputationResult {
+    readonly agentId: string;
+    readonly computedAt: Date;
+    readonly rawScore: number;
+    readonly finalScore: number;
+    readonly effectiveTier: TrustTier;
+    readonly ceilingApplied: boolean;
+    readonly ceilingValue: number;
+    readonly ceilingSource: CeilingSource;
+    readonly creationModifier: number;
+    readonly modifierPolicyVersion: number;
+    readonly weightsUsed: TrustWeights;
+    readonly presetId: string;
+    readonly presetLineage: PresetLineage;
+    readonly contextValid: boolean;
+    readonly roleGateValid: boolean;
+    readonly overallValid: boolean;
+    readonly computationHash: string;
+    readonly auditTrail: readonly string[];
+}
+export declare const trustComputationResultSchema: z.ZodObject<{
+    agentId: z.ZodString;
+    computedAt: z.ZodDate;
+    rawScore: z.ZodNumber;
+    finalScore: z.ZodNumber;
+    effectiveTier: z.ZodNativeEnum<typeof TrustTier>;
+    ceilingApplied: z.ZodBoolean;
+    ceilingValue: z.ZodNumber;
+    ceilingSource: z.ZodObject<{
+        type: z.ZodEnum<["context", "organizational", "deployment", "attestation"]>;
+        value: z.ZodNumber;
+        constraint: z.ZodString;
+    }, "strip", z.ZodTypeAny, {
+        value?: number;
+        type?: "context" | "deployment" | "organizational" | "attestation";
+        constraint?: string;
+    }, {
+        value?: number;
+        type?: "context" | "deployment" | "organizational" | "attestation";
+        constraint?: string;
+    }>;
+    creationModifier: z.ZodNumber;
+    modifierPolicyVersion: z.ZodNumber;
+    weightsUsed: z.ZodEffects<z.ZodObject<{
+        observability: z.ZodNumber;
+        capability: z.ZodNumber;
+        behavior: z.ZodNumber;
+        governance: z.ZodNumber;
+        context: z.ZodNumber;
+    }, "strip", z.ZodTypeAny, {
+        context?: number;
+        governance?: number;
+        capability?: number;
+        observability?: number;
+        behavior?: number;
+    }, {
+        context?: number;
+        governance?: number;
+        capability?: number;
+        observability?: number;
+        behavior?: number;
+    }>, {
+        context?: number;
+        governance?: number;
+        capability?: number;
+        observability?: number;
+        behavior?: number;
+    }, {
+        context?: number;
+        governance?: number;
+        capability?: number;
+        observability?: number;
+        behavior?: number;
+    }>;
+    presetId: z.ZodString;
+    presetLineage: z.ZodObject<{
+        leafPresetId: z.ZodString;
+        chain: z.ZodArray<z.ZodString, "many">;
+        hashes: z.ZodArray<z.ZodString, "many">;
+        verified: z.ZodBoolean;
+        verifiedAt: z.ZodOptional<z.ZodDate>;
+        verifiedBy: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        verifiedAt?: Date;
+        chain?: string[];
+        leafPresetId?: string;
+        hashes?: string[];
+        verified?: boolean;
+        verifiedBy?: string;
+    }, {
+        verifiedAt?: Date;
+        chain?: string[];
+        leafPresetId?: string;
+        hashes?: string[];
+        verified?: boolean;
+        verifiedBy?: string;
+    }>;
+    contextValid: z.ZodBoolean;
+    roleGateValid: z.ZodBoolean;
+    overallValid: z.ZodBoolean;
+    computationHash: z.ZodString;
+    auditTrail: z.ZodArray<z.ZodString, "many">;
+}, "strip", z.ZodTypeAny, {
+    agentId?: string;
+    finalScore?: number;
+    presetId?: string;
+    rawScore?: number;
+    ceilingApplied?: boolean;
+    ceilingSource?: {
+        value?: number;
+        type?: "context" | "deployment" | "organizational" | "attestation";
+        constraint?: string;
+    };
+    effectiveTier?: TrustTier;
+    computedAt?: Date;
+    ceilingValue?: number;
+    creationModifier?: number;
+    modifierPolicyVersion?: number;
+    weightsUsed?: {
+        context?: number;
+        governance?: number;
+        capability?: number;
+        observability?: number;
+        behavior?: number;
+    };
+    presetLineage?: {
+        verifiedAt?: Date;
+        chain?: string[];
+        leafPresetId?: string;
+        hashes?: string[];
+        verified?: boolean;
+        verifiedBy?: string;
+    };
+    contextValid?: boolean;
+    roleGateValid?: boolean;
+    overallValid?: boolean;
+    computationHash?: string;
+    auditTrail?: string[];
+}, {
+    agentId?: string;
+    finalScore?: number;
+    presetId?: string;
+    rawScore?: number;
+    ceilingApplied?: boolean;
+    ceilingSource?: {
+        value?: number;
+        type?: "context" | "deployment" | "organizational" | "attestation";
+        constraint?: string;
+    };
+    effectiveTier?: TrustTier;
+    computedAt?: Date;
+    ceilingValue?: number;
+    creationModifier?: number;
+    modifierPolicyVersion?: number;
+    weightsUsed?: {
+        context?: number;
+        governance?: number;
+        capability?: number;
+        observability?: number;
+        behavior?: number;
+    };
+    presetLineage?: {
+        verifiedAt?: Date;
+        chain?: string[];
+        leafPresetId?: string;
+        hashes?: string[];
+        verified?: boolean;
+        verifiedBy?: string;
+    };
+    contextValid?: boolean;
+    roleGateValid?: boolean;
+    overallValid?: boolean;
+    computationHash?: string;
+    auditTrail?: string[];
+}>;
+export declare const BASIS_CANONICAL_PRESETS: Record<string, TrustPreset>;
+/** @deprecated Use BASIS_CANONICAL_PRESETS instead */
+export declare const ACI_CANONICAL_PRESETS: Record<string, TrustPreset>;
+/**
+ * Get trust tier from score
+ */
+export declare function getTierFromScore(score: number): TrustTier;
+/**
+ * Get ceiling for context type
+ */
+export declare function getCeilingForContext(contextType: ContextType): number;
+/**
+ * Validate role+tier combination against kernel matrix
+ */
+export declare function validateRoleGateKernel(role: AgentRole, tier: TrustTier): boolean;
+/**
+ * Clamp score to ceiling
+ */
+export declare function clampToCeiling(score: number, ceiling: number): number;
+/**
+ * Generate SHA-256 hash (placeholder - use crypto in implementation)
+ */
+export declare function generateHash(data: string): string;
+//# sourceMappingURL=types.d.ts.map