@vorionsys/basis 1.0.1

package/dist/trust-factors.test.js

@@ -0,0 +1,179 @@
+/**
+ * Trust Factors Test Suite
+ *
+ * Tests 100 simulated agents through the trust scoring system
+ * to validate tier placement is correct.
+ */
+import { TrustTier, TIER_THRESHOLDS, getTrustTierFromScore, getTierName, calculateTrustScore, } from './trust-factors';
+// All 23 factor codes
+const ALL_FACTOR_CODES = [
+    'CT-COMP', 'CT-REL', 'CT-OBS', 'CT-TRANS', 'CT-ACCT', 'CT-SAFE',
+    'CT-SEC', 'CT-PRIV', 'CT-ID', 'OP-HUMAN', 'OP-ALIGN', 'OP-STEW',
+    'SF-HUM', 'SF-ADAPT', 'SF-LEARN', 'LC-UNCERT', 'LC-HANDOFF',
+    'LC-EMPHUM', 'LC-CAUSAL', 'LC-PATIENT', 'LC-EMP', 'LC-MORAL', 'LC-TRACK'
+];
+// Generate agent with scores targeting a specific score range
+function generateAgentForScoreRange(agentId, targetTier) {
+    const tierRange = TIER_THRESHOLDS[targetTier];
+    // Target the middle of the tier's score range
+    const targetScore = (tierRange.min + tierRange.max) / 2 / 1000; // Convert to 0-1 scale
+    // Generate uniform scores around the target
+    const factorScores = ALL_FACTOR_CODES.map(code => {
+        // Add some variance but stay near target
+        const variance = (Math.random() - 0.5) * 0.1;
+        const score = Math.min(1.0, Math.max(0, targetScore + variance));
+        return {
+            code: code,
+            score,
+            timestamp: new Date(),
+            source: 'measured',
+            confidence: 0.9,
+        };
+    });
+    return {
+        id: agentId,
+        targetTier,
+        factorScores,
+        expectedScoreRange: tierRange,
+    };
+}
+// Generate edge case agent at boundary of tier
+function generateBoundaryAgent(agentId, targetTier, position) {
+    const tierRange = TIER_THRESHOLDS[targetTier];
+    // Target specific boundary score
+    const targetScore = position === 'low'
+        ? (tierRange.min + 10) / 1000 // Just inside lower bound
+        : (tierRange.max - 10) / 1000; // Just inside upper bound
+    const factorScores = ALL_FACTOR_CODES.map(code => {
+        // Very small variance to stay near boundary
+        const variance = (Math.random() - 0.5) * 0.02;
+        const score = Math.min(1.0, Math.max(0, targetScore + variance));
+        return {
+            code: code,
+            score,
+            timestamp: new Date(),
+            source: 'measured',
+            confidence: 0.9,
+        };
+    });
+    return {
+        id: agentId,
+        targetTier,
+        factorScores,
+        expectedScoreRange: tierRange,
+    };
+}
+function runTests() {
+    console.log('='.repeat(80));
+    console.log('BASIS TRUST FACTORS TEST SUITE');
+    console.log('Testing 100 agents across all trust tiers');
+    console.log('='.repeat(80));
+    console.log('');
+    // Print tier thresholds
+    console.log('TIER THRESHOLDS:');
+    console.log('-'.repeat(50));
+    Object.entries(TIER_THRESHOLDS).forEach(([tier, range]) => {
+        const tierNum = parseInt(tier);
+        console.log(`  T${tierNum} ${getTierName(tierNum)}: ${range.min} - ${range.max}`);
+    });
+    console.log('');
+    const results = [];
+    let agentCounter = 0;
+    // Generate 100 test agents distributed across tiers
+    // T0: 12 agents, T1-T6: 13 agents each, T7: 10 agents
+    const tiersToTest = [
+        { tier: TrustTier.T0_SANDBOX, count: 12 },
+        { tier: TrustTier.T1_OBSERVED, count: 13 },
+        { tier: TrustTier.T2_PROVISIONAL, count: 13 },
+        { tier: TrustTier.T3_VERIFIED, count: 13 },
+        { tier: TrustTier.T4_OPERATIONAL, count: 13 },
+        { tier: TrustTier.T5_TRUSTED, count: 13 },
+        { tier: TrustTier.T6_CERTIFIED, count: 13 },
+        { tier: TrustTier.T7_AUTONOMOUS, count: 10 },
+    ];
+    for (const { tier, count } of tiersToTest) {
+        console.log(`\nTesting T${tier} ${getTierName(tier)} (${count} agents):`);
+        console.log('-'.repeat(60));
+        for (let i = 0; i < count; i++) {
+            agentCounter++;
+            const agentId = `AGENT-${agentCounter.toString().padStart(3, '0')}`;
+            // Mix of regular and boundary agents
+            const agent = i < 2
+                ? generateBoundaryAgent(agentId, tier, i === 0 ? 'low' : 'high')
+                : generateAgentForScoreRange(agentId, tier);
+            // Calculate trust score
+            const evaluation = calculateTrustScore(agent.factorScores, tier);
+            const actualTier = getTrustTierFromScore(evaluation.totalScore);
+            const passed = evaluation.totalScore >= agent.expectedScoreRange.min &&
+                evaluation.totalScore <= agent.expectedScoreRange.max;
+            const result = {
+                agentId,
+                targetTier: `T${tier} ${getTierName(tier)}`,
+                actualTier: `T${actualTier} ${getTierName(actualTier)}`,
+                score: evaluation.totalScore,
+                expectedRange: `${agent.expectedScoreRange.min}-${agent.expectedScoreRange.max}`,
+                passed,
+                compliant: evaluation.compliant,
+                criticalFailures: evaluation.belowThreshold.length,
+            };
+            results.push(result);
+            // Print result
+            const status = passed ? '✓' : '✗';
+            const complianceStatus = evaluation.compliant ? 'COMPLIANT' : `FAILED(${evaluation.belowThreshold.length})`;
+            console.log(`  ${status} ${agentId}: Score=${evaluation.totalScore.toString().padStart(4)} ` +
+                `Target=${result.targetTier.padEnd(15)} Actual=${result.actualTier.padEnd(15)} ` +
+                `[${complianceStatus}]`);
+        }
+    }
+    // Summary
+    console.log('\n' + '='.repeat(80));
+    console.log('TEST SUMMARY');
+    console.log('='.repeat(80));
+    const passed = results.filter(r => r.passed).length;
+    const failed = results.filter(r => !r.passed).length;
+    const compliant = results.filter(r => r.compliant).length;
+    console.log(`\nTotal Agents Tested: ${results.length}`);
+    console.log(`Passed (in expected range): ${passed} (${((passed / results.length) * 100).toFixed(1)}%)`);
+    console.log(`Failed (outside range): ${failed} (${((failed / results.length) * 100).toFixed(1)}%)`);
+    console.log(`Compliant (met all critical factors): ${compliant} (${((compliant / results.length) * 100).toFixed(1)}%)`);
+    // Distribution by tier
+    console.log('\nDISTRIBUTION BY ACTUAL TIER:');
+    console.log('-'.repeat(40));
+    for (let t = 0; t <= 7; t++) {
+        const inTier = results.filter(r => r.actualTier.startsWith(`T${t}`)).length;
+        const bar = '█'.repeat(Math.round(inTier / 2));
+        console.log(`  T${t} ${getTierName(t).padEnd(12)}: ${inTier.toString().padStart(3)} ${bar}`);
+    }
+    // Score distribution
+    console.log('\nSCORE DISTRIBUTION:');
+    console.log('-'.repeat(40));
+    const scoreRanges = [
+        { label: '0-199', min: 0, max: 199 },
+        { label: '200-349', min: 200, max: 349 },
+        { label: '350-499', min: 350, max: 499 },
+        { label: '500-649', min: 500, max: 649 },
+        { label: '650-799', min: 650, max: 799 },
+        { label: '800-875', min: 800, max: 875 },
+        { label: '876-949', min: 876, max: 949 },
+        { label: '950-1000', min: 950, max: 1000 },
+    ];
+    for (const range of scoreRanges) {
+        const count = results.filter(r => r.score >= range.min && r.score <= range.max).length;
+        const bar = '█'.repeat(Math.round(count / 2));
+        console.log(`  ${range.label.padEnd(10)}: ${count.toString().padStart(3)} ${bar}`);
+    }
+    // Failed agents detail
+    if (failed > 0) {
+        console.log('\nFAILED AGENTS:');
+        console.log('-'.repeat(60));
+        results.filter(r => !r.passed).forEach(r => {
+            console.log(`  ${r.agentId}: Score=${r.score} Expected=${r.expectedRange} Got=${r.actualTier}`);
+        });
+    }
+    console.log('\n' + '='.repeat(80));
+    console.log(failed === 0 ? 'ALL TESTS PASSED!' : `${failed} TESTS FAILED`);
+    console.log('='.repeat(80));
+}
+// Run tests
+runTests();
+//# sourceMappingURL=trust-factors.test.js.map

package/dist/validation-gate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation-gate.d.ts","sourceRoot":"","sources":["../src/validation-gate.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,SAAS,EAAmB,MAAM,iBAAiB,CAAC;AAO7D;;GAEG;AACH,oBAAY,YAAY;IACtB,kDAAkD;IAClD,IAAI,SAAS;IACb,8CAA8C;IAC9C,MAAM,WAAW;IACjB,oDAAoD;IACpD,QAAQ,aAAa;CACtB;AAED;;GAEG;AACH,oBAAY,kBAAkB;IAC5B,+CAA+C;IAC/C,IAAI,SAAS;IACb,4CAA4C;IAC5C,OAAO,YAAY;IACnB,+BAA+B;IAC/B,KAAK,UAAU;IACf,kDAAkD;IAClD,QAAQ,aAAa;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,sCAAsC;IACtC,IAAI,EAAE,MAAM,CAAC;IACb,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,qBAAqB;IACrB,QAAQ,EAAE,kBAAkB,CAAC;IAC7B,uCAAuC;IACvC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,+BAA+B;IAC/B,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,4BAA4B;IAC5B,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,+CAA+C;IAC/C,QAAQ,EAAE,YAAY,CAAC;IACvB,gCAAgC;IAChC,KAAK,EAAE,OAAO,CAAC;IACf,0CAA0C;IAC1C,OAAO,EAAE,MAAM,CAAC;IAChB,iCAAiC;IACjC,SAAS,CAAC,EAAE,SAAS,CAAC;IACtB,mCAAmC;IACnC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,sCAAsC;IACtC,MAAM,EAAE,eAAe,EAAE,CAAC;IAC1B,qDAAqD;IACrD,MAAM,EAAE,eAAe,EAAE,CAAC;IAC1B,0BAA0B;IAC1B,QAAQ,EAAE,eAAe,EAAE,CAAC;IAC5B,8BAA8B;IAC9B,WAAW,EAAE,IAAI,CAAC;IAClB,6CAA6C;IAC7C,UAAU,EAAE,MAAM,CAAC;IACnB,+CAA+C;IAC/C,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,kDAAkD;IAClD,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC9B,sDAAsD;IACtD,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;CAC5B;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,qDAAqD;IACrD,OAAO,EAAE,MAAM,CAAC;IAChB,sCAAsC;IACtC,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,gCAAgC;IAChC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,0CAA0C;IAC1C,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,uCAAuC;IACvC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,qBAAqB;IACrB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,mCAAmC;IACnC,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,4CAA4C;IAC5C,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,0BAA0B;IAC1B,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,eAAe;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,mBAAmB;IACnB,YAAY,EAAE,MAAM,CAAC;IACrB,kBAAkB;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,uBAAuB;IACvB,eAAe,EAAE,MAAM,EAAE,CAAC;IAC1B,+BAA+B;IAC/B,kBAAkB,EAAE,MAAM,CAAC;IAC3B,4BAA4B;IAC5B,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,0BAA0B;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,wBAAwB;IACxB,YAAY,EAAE,IAAI,CAAC;IACnB,6BAA6B;IAC7B,cAAc,CAAC,EAAE,IAAI,CAAC;CACvB;AAED;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,6CAA6C;IAC7C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,uCAAuC;IACvC,wBAAwB,CAAC,EAAE,OAAO,CAAC;IACnC,0CAA0C;IAC1C,yBAAyB,CAAC,EAAE,OAAO,CAAC;IACpC,iCAAiC;IACjC,eAAe,CAAC,EAAE,MAAM,EAAE,CAAC;IAC3B,kCAAkC;IAClC,gBAAgB,CAAC,EAAE,SAAS,CAAC;IAC7B,+BAA+B;IAC/B,gBAAgB,CAAC,EAAE,eAAe,EAAE,CAAC;CACtC;AAED;;GAEG;AACH,MAAM,MAAM,eAAe,GAAG,CAC5B,QAAQ,EAAE,aAAa,EACvB,OAAO,CAAC,EAAE,iBAAiB,KACxB,eAAe,EAAE,CAAC;AAMvB,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;EAOhC,CAAC;AAEH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAU9B,CAAC;AAEH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAUlC,CAAC;AAEH,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAcrC,CAAC;AAMH;;GAEG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,CAoBpD;AA8MD;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,aAAa,CAC3B,QAAQ,EAAE,aAAa,EACvB,OAAO,CAAC,EAAE,iBAAiB,EAC3B,OAAO,GAAE,qBAA0B,GAClC,oBAAoB,CAiJtB;AAED;;GAEG;AACH,wBAAgB,YAAY,CAC1B,QAAQ,EAAE,aAAa,EACvB,OAAO,CAAC,EAAE,iBAAiB,EAC3B,OAAO,CAAC,EAAE,qBAAqB,GAC9B,OAAO,CAET;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,cAAc,EAAE,qBAAqB;yBAEjD,aAAa,YAAY,iBAAiB,YAAY,qBAAqB;wBAE5E,aAAa,YAAY,iBAAiB,YAAY,qBAAqB;EAGlG;AAED;;GAEG;AACH,eAAO,MAAM,oBAAoB;yBAVR,aAAa,YAAY,iBAAiB,YAAY,qBAAqB;wBAE5E,aAAa,YAAY,iBAAiB,YAAY,qBAAqB;CAQzB,CAAC;AAE3E;;GAEG;AACH,eAAO,MAAM,wBAAwB;yBAfZ,aAAa,YAAY,iBAAiB,YAAY,qBAAqB;wBAE5E,aAAa,YAAY,iBAAiB,YAAY,qBAAqB;CAgBjG,CAAC"}

package/dist/validation-gate.js

@@ -0,0 +1,468 @@
+/**
+ * BASIS Validation Gate
+ *
+ * Central validation gate that verifies agent manifests before execution.
+ * Combines CAR parsing, schema validation, and capability matching.
+ *
+ * This gate returns PASS/REJECT decisions for the Kaizen pipeline.
+ */
+import { z } from 'zod';
+import { TrustTier, TIER_THRESHOLDS } from './trust-factors';
+import { hasCapability } from './trust-capabilities';
+// =============================================================================
+// VALIDATION GATE TYPES
+// =============================================================================
+/**
+ * Gate decision - determines whether agent can proceed
+ */
+export var GateDecision;
+(function (GateDecision) {
+    /** Agent passes validation, proceed to Layer 2 */
+    GateDecision["PASS"] = "PASS";
+    /** Agent fails validation, block execution */
+    GateDecision["REJECT"] = "REJECT";
+    /** Agent requires human review before proceeding */
+    GateDecision["ESCALATE"] = "ESCALATE";
+})(GateDecision || (GateDecision = {}));
+/**
+ * Validation error severity levels
+ */
+export var ValidationSeverity;
+(function (ValidationSeverity) {
+    /** Informational - does not affect decision */
+    ValidationSeverity["INFO"] = "info";
+    /** Warning - may affect future decisions */
+    ValidationSeverity["WARNING"] = "warning";
+    /** Error - causes rejection */
+    ValidationSeverity["ERROR"] = "error";
+    /** Critical - immediate rejection with logging */
+    ValidationSeverity["CRITICAL"] = "critical";
+})(ValidationSeverity || (ValidationSeverity = {}));
+// =============================================================================
+// ZOD SCHEMAS
+// =============================================================================
+export const validationIssueSchema = z.object({
+    code: z.string(),
+    message: z.string(),
+    severity: z.nativeEnum(ValidationSeverity),
+    path: z.string().optional(),
+    expected: z.string().optional(),
+    actual: z.string().optional(),
+});
+export const agentManifestSchema = z.object({
+    agentId: z.string().min(1),
+    organization: z.string().optional(),
+    agentClass: z.string().optional(),
+    domains: z.array(z.string()).optional(),
+    capabilityLevel: z.number().int().min(0).max(7).optional(),
+    version: z.string().optional(),
+    trustScore: z.number().min(0).max(1000).optional(),
+    requestedCapabilities: z.array(z.string()).optional(),
+    metadata: z.record(z.unknown()).optional(),
+});
+export const registeredProfileSchema = z.object({
+    agentId: z.string(),
+    organization: z.string(),
+    agentClass: z.string(),
+    approvedDomains: z.array(z.string()),
+    maxCapabilityLevel: z.number().int().min(0).max(7),
+    approvedCapabilities: z.array(z.string()),
+    trustScore: z.number().min(0).max(1000),
+    registeredAt: z.date(),
+    lastVerifiedAt: z.date().optional(),
+});
+export const validationGateResultSchema = z.object({
+    decision: z.nativeEnum(GateDecision),
+    valid: z.boolean(),
+    agentId: z.string(),
+    trustTier: z.nativeEnum(TrustTier).optional(),
+    trustScore: z.number().optional(),
+    issues: z.array(validationIssueSchema),
+    errors: z.array(validationIssueSchema),
+    warnings: z.array(validationIssueSchema),
+    validatedAt: z.date(),
+    durationMs: z.number(),
+    allowedCapabilities: z.array(z.string()).optional(),
+    deniedCapabilities: z.array(z.string()).optional(),
+    recommendations: z.array(z.string()).optional(),
+});
+// =============================================================================
+// HELPER FUNCTIONS
+// =============================================================================
+/**
+ * Convert trust score to trust tier
+ */
+export function scoreToTier(score) {
+    // Iterate through tiers in reverse order (highest first)
+    const tiers = [
+        TrustTier.T7_AUTONOMOUS,
+        TrustTier.T6_CERTIFIED,
+        TrustTier.T5_TRUSTED,
+        TrustTier.T4_OPERATIONAL,
+        TrustTier.T3_VERIFIED,
+        TrustTier.T2_PROVISIONAL,
+        TrustTier.T1_OBSERVED,
+        TrustTier.T0_SANDBOX,
+    ];
+    for (const tier of tiers) {
+        const thresholds = TIER_THRESHOLDS[tier];
+        if (score >= thresholds.min && score <= thresholds.max) {
+            return tier;
+        }
+    }
+    return TrustTier.T0_SANDBOX;
+}
+/**
+ * Validate CAR string format
+ */
+function validateCARFormat(agentId) {
+    const issues = [];
+    // Handle undefined/empty agentId
+    if (!agentId) {
+        issues.push({
+            code: 'MISSING_AGENT_ID',
+            message: 'Agent ID is required',
+            severity: ValidationSeverity.ERROR,
+            path: 'agentId',
+        });
+        return issues;
+    }
+    // Basic CAR format: registry.org.class:DOMAINS-Ln@version
+    const carRegex = /^([a-z0-9]+)\.([a-z0-9-]+)\.([a-z0-9-]+):([A-Z]+)-L([0-7])@(\d+\.\d+\.\d+)(?:#[a-z0-9,_-]+)?$/;
+    if (!carRegex.test(agentId)) {
+        // Check if it looks like a legacy format or just an ID
+        if (agentId.includes(':') && agentId.includes('@')) {
+            issues.push({
+                code: 'INVALID_CAR_FORMAT',
+                message: 'CAR string format is invalid',
+                severity: ValidationSeverity.ERROR,
+                path: 'agentId',
+                expected: 'registry.org.class:DOMAINS-Ln@x.y.z',
+                actual: agentId,
+            });
+        }
+        else if (!agentId.includes('.')) {
+            // Simple ID format - acceptable but noted
+            issues.push({
+                code: 'SIMPLE_ID_FORMAT',
+                message: 'Agent uses simple ID format instead of full CAR string',
+                severity: ValidationSeverity.INFO,
+                path: 'agentId',
+            });
+        }
+    }
+    return issues;
+}
+/**
+ * Validate manifest against registered profile
+ */
+function validateAgainstProfile(manifest, profile) {
+    const issues = [];
+    // Check organization match
+    if (manifest.organization && manifest.organization !== profile.organization) {
+        issues.push({
+            code: 'ORG_MISMATCH',
+            message: 'Organization does not match registered profile',
+            severity: ValidationSeverity.ERROR,
+            path: 'organization',
+            expected: profile.organization,
+            actual: manifest.organization,
+        });
+    }
+    // Check agent class match
+    if (manifest.agentClass && manifest.agentClass !== profile.agentClass) {
+        issues.push({
+            code: 'CLASS_MISMATCH',
+            message: 'Agent class does not match registered profile',
+            severity: ValidationSeverity.ERROR,
+            path: 'agentClass',
+            expected: profile.agentClass,
+            actual: manifest.agentClass,
+        });
+    }
+    // Check capability level
+    if (manifest.capabilityLevel !== undefined) {
+        if (manifest.capabilityLevel > profile.maxCapabilityLevel) {
+            issues.push({
+                code: 'CAPABILITY_LEVEL_EXCEEDED',
+                message: 'Claimed capability level exceeds registered maximum',
+                severity: ValidationSeverity.ERROR,
+                path: 'capabilityLevel',
+                expected: `<= ${profile.maxCapabilityLevel}`,
+                actual: String(manifest.capabilityLevel),
+            });
+        }
+    }
+    // Check domains
+    if (manifest.domains) {
+        const unauthorizedDomains = manifest.domains.filter((d) => !profile.approvedDomains.includes(d));
+        if (unauthorizedDomains.length > 0) {
+            issues.push({
+                code: 'UNAUTHORIZED_DOMAINS',
+                message: `Agent claims unauthorized domains: ${unauthorizedDomains.join(', ')}`,
+                severity: ValidationSeverity.ERROR,
+                path: 'domains',
+                expected: profile.approvedDomains.join(', '),
+                actual: manifest.domains.join(', '),
+            });
+        }
+    }
+    // Check requested capabilities
+    if (manifest.requestedCapabilities) {
+        const unauthorizedCaps = manifest.requestedCapabilities.filter((c) => !profile.approvedCapabilities.includes(c));
+        if (unauthorizedCaps.length > 0) {
+            issues.push({
+                code: 'UNAUTHORIZED_CAPABILITIES',
+                message: `Agent requests unauthorized capabilities: ${unauthorizedCaps.join(', ')}`,
+                severity: ValidationSeverity.WARNING,
+                path: 'requestedCapabilities',
+            });
+        }
+    }
+    return issues;
+}
+/**
+ * Validate trust tier requirements
+ */
+function validateTrustTier(manifest, minimumTier) {
+    const issues = [];
+    if (manifest.trustScore === undefined) {
+        issues.push({
+            code: 'MISSING_TRUST_SCORE',
+            message: 'Agent manifest does not include trust score',
+            severity: ValidationSeverity.WARNING,
+            path: 'trustScore',
+        });
+        return issues;
+    }
+    const agentTier = scoreToTier(manifest.trustScore);
+    if (minimumTier !== undefined) {
+        // Compare numeric tier values directly (TrustTier is a numeric enum 0-7)
+        if (agentTier < minimumTier) {
+            issues.push({
+                code: 'INSUFFICIENT_TRUST_TIER',
+                message: `Agent trust tier T${agentTier} is below minimum required T${minimumTier}`,
+                severity: ValidationSeverity.ERROR,
+                path: 'trustScore',
+                expected: `>= T${minimumTier}`,
+                actual: `T${agentTier}`,
+            });
+        }
+    }
+    return issues;
+}
+/**
+ * Validate requested capabilities against trust tier
+ */
+function validateCapabilitiesAgainstTier(manifest) {
+    const issues = [];
+    const allowed = [];
+    const denied = [];
+    if (!manifest.requestedCapabilities || manifest.requestedCapabilities.length === 0) {
+        return { issues, allowed, denied };
+    }
+    const trustScore = manifest.trustScore ?? 0;
+    const agentTier = scoreToTier(trustScore);
+    for (const capability of manifest.requestedCapabilities) {
+        if (hasCapability(agentTier, capability)) {
+            allowed.push(capability);
+        }
+        else {
+            denied.push(capability);
+            issues.push({
+                code: 'CAPABILITY_TIER_INSUFFICIENT',
+                message: `Capability ${capability} requires higher trust tier than ${agentTier}`,
+                severity: ValidationSeverity.WARNING,
+                path: 'requestedCapabilities',
+                actual: capability,
+            });
+        }
+    }
+    return { issues, allowed, denied };
+}
+// =============================================================================
+// MAIN VALIDATION GATE
+// =============================================================================
+/**
+ * BASIS Validation Gate
+ *
+ * Validates an agent manifest and returns a PASS/REJECT/ESCALATE decision.
+ *
+ * @param manifest - Agent manifest to validate
+ * @param profile - Optional registered profile for comparison
+ * @param options - Validation options
+ * @returns Validation result with decision
+ *
+ * @example
+ * ```typescript
+ * const result = validateAgent({
+ *   agentId: 'a3i.acme-corp.invoice-bot:ABF-L3@1.0.0',
+ *   trustScore: 450,
+ *   requestedCapabilities: ['CAP-DB-READ', 'CAP-WRITE-APPROVED'],
+ * });
+ *
+ * if (result.decision === GateDecision.PASS) {
+ *   // Proceed to Layer 2 (INTENT)
+ * } else if (result.decision === GateDecision.REJECT) {
+ *   // Block execution, log reasons
+ *   console.log('Rejected:', result.errors);
+ * }
+ * ```
+ */
+export function validateAgent(manifest, profile, options = {}) {
+    const startTime = Date.now();
+    const issues = [];
+    // 1. Validate manifest schema
+    const schemaResult = agentManifestSchema.safeParse(manifest);
+    if (!schemaResult.success) {
+        for (const error of schemaResult.error.errors) {
+            issues.push({
+                code: 'SCHEMA_VALIDATION_FAILED',
+                message: error.message,
+                severity: ValidationSeverity.ERROR,
+                path: error.path.join('.'),
+            });
+        }
+    }
+    // 2. Validate CAR format (handles undefined agentId)
+    const carIssues = validateCARFormat(manifest.agentId);
+    issues.push(...carIssues);
+    // If agentId is missing, short-circuit with early rejection
+    if (carIssues.some(i => i.code === 'MISSING_AGENT_ID')) {
+        return {
+            decision: GateDecision.REJECT,
+            valid: false,
+            agentId: manifest.agentId ?? 'unknown',
+            issues,
+            errors: issues.filter(i => i.severity === ValidationSeverity.ERROR || i.severity === ValidationSeverity.CRITICAL),
+            warnings: issues.filter(i => i.severity === ValidationSeverity.WARNING),
+            validatedAt: new Date(),
+            durationMs: Date.now() - startTime,
+        };
+    }
+    // 3. Validate against registered profile
+    if (profile) {
+        issues.push(...validateAgainstProfile(manifest, profile));
+    }
+    else if (options.requireRegisteredProfile) {
+        issues.push({
+            code: 'PROFILE_NOT_FOUND',
+            message: 'Agent must have a registered profile',
+            severity: ValidationSeverity.ERROR,
+            path: 'agentId',
+        });
+    }
+    // 4. Validate trust tier requirements
+    issues.push(...validateTrustTier(manifest, options.minimumTrustTier));
+    // 5. Validate required domains
+    if (options.requiredDomains && options.requiredDomains.length > 0) {
+        const agentDomains = manifest.domains || [];
+        const missingDomains = options.requiredDomains.filter((d) => !agentDomains.includes(d));
+        if (missingDomains.length > 0) {
+            issues.push({
+                code: 'MISSING_REQUIRED_DOMAINS',
+                message: `Agent missing required domains: ${missingDomains.join(', ')}`,
+                severity: ValidationSeverity.ERROR,
+                path: 'domains',
+                expected: options.requiredDomains.join(', '),
+                actual: agentDomains.join(', ') || 'none',
+            });
+        }
+    }
+    // 6. Validate capabilities against trust tier
+    const capValidation = validateCapabilitiesAgainstTier(manifest);
+    issues.push(...capValidation.issues);
+    // 7. Run custom validators
+    if (options.customValidators) {
+        for (const validator of options.customValidators) {
+            try {
+                issues.push(...validator(manifest, profile));
+            }
+            catch (e) {
+                issues.push({
+                    code: 'CUSTOM_VALIDATOR_ERROR',
+                    message: `Custom validator failed: ${e instanceof Error ? e.message : String(e)}`,
+                    severity: ValidationSeverity.WARNING,
+                });
+            }
+        }
+    }
+    // Separate errors and warnings
+    const errors = issues.filter((i) => i.severity === ValidationSeverity.ERROR || i.severity === ValidationSeverity.CRITICAL);
+    const warnings = issues.filter((i) => i.severity === ValidationSeverity.WARNING);
+    // Determine decision
+    let decision;
+    let valid;
+    const hasCritical = issues.some((i) => i.severity === ValidationSeverity.CRITICAL);
+    const hasErrors = errors.length > 0;
+    const hasWarnings = warnings.length > 0;
+    if (hasCritical || hasErrors) {
+        decision = GateDecision.REJECT;
+        valid = false;
+    }
+    else if (options.strict && hasWarnings) {
+        decision = GateDecision.REJECT;
+        valid = false;
+    }
+    else if (!options.strict && hasWarnings && capValidation.denied.length > 0) {
+        // Agent wants capabilities they can't have - escalate for review
+        decision = options.allowCapabilityEscalation ? GateDecision.ESCALATE : GateDecision.REJECT;
+        valid = decision === GateDecision.ESCALATE;
+    }
+    else {
+        decision = GateDecision.PASS;
+        valid = true;
+    }
+    // Build recommendations
+    const recommendations = [];
+    if (capValidation.denied.length > 0) {
+        recommendations.push(`Increase trust score to access denied capabilities: ${capValidation.denied.join(', ')}`);
+    }
+    if (!profile && !options.requireRegisteredProfile) {
+        recommendations.push('Consider registering agent profile for enhanced validation');
+    }
+    // Calculate trust tier
+    const trustTier = manifest.trustScore !== undefined ? scoreToTier(manifest.trustScore) : undefined;
+    return {
+        decision,
+        valid,
+        agentId: manifest.agentId,
+        trustTier,
+        trustScore: manifest.trustScore,
+        issues,
+        errors,
+        warnings,
+        validatedAt: new Date(),
+        durationMs: Date.now() - startTime,
+        allowedCapabilities: capValidation.allowed.length > 0 ? capValidation.allowed : undefined,
+        deniedCapabilities: capValidation.denied.length > 0 ? capValidation.denied : undefined,
+        recommendations: recommendations.length > 0 ? recommendations : undefined,
+    };
+}
+/**
+ * Quick validation check - returns boolean
+ */
+export function isValidAgent(manifest, profile, options) {
+    return validateAgent(manifest, profile, options).valid;
+}
+/**
+ * Create a validation gate with preset options
+ */
+export function createValidationGate(defaultOptions) {
+    return {
+        validate: (manifest, profile, options) => validateAgent(manifest, profile, { ...defaultOptions, ...options }),
+        isValid: (manifest, profile, options) => isValidAgent(manifest, profile, { ...defaultOptions, ...options }),
+    };
+}
+/**
+ * Strict validation gate - treats warnings as errors
+ */
+export const strictValidationGate = createValidationGate({ strict: true });
+/**
+ * Production validation gate - requires registered profile
+ */
+export const productionValidationGate = createValidationGate({
+    requireRegisteredProfile: true,
+    minimumTrustTier: TrustTier.T2_PROVISIONAL,
+});
+//# sourceMappingURL=validation-gate.js.map

package/dist/validation-gate.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation-gate.test.d.ts","sourceRoot":"","sources":["../src/validation-gate.test.ts"],"names":[],"mappings":"AAAA;;GAEG"}