@vorionsys/sdk 0.1.1 → 0.1.2

package/CHANGELOG.md

@@ -0,0 +1,40 @@
+# Changelog
+
+All notable changes to `@vorionsys/sdk` will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.1.2] - 2026-02-17
+
+### Changed
+- Removed raw `src` from published tarball (dist-only)
+- Standardized package metadata for npm publish
+
+## [0.1.1] - 2026-02-11
+
+### Fixed
+
+- Corrected default observation tier assignment during agent registration
+- Improved error messages for missing capabilities in local mode
+
+## [0.1.0] - 2026-02-08
+
+### Added
+
+- Initial release of `@vorionsys/sdk`
+- `Vorion` client class with local and remote mode support
+- `Agent` class with governance request lifecycle (register, request, report)
+- `createVorion()` factory function
+- Local mode with in-memory trust scoring and capability-based authorization
+- Remote mode connecting to Cognigate API (`/api/v1/intents`, `/api/v1/trust`)
+- Trust tier system (T0-T7) with asymmetric score adjustments
+- Constraint application based on trust tier (rate limits, audit levels, sandboxing)
+- Proof commitment IDs on every action decision for audit compliance
+- Action history tracking per agent
+- Health check endpoint support
+- Full TypeScript type definitions (`VorionConfig`, `AgentOptions`, `ActionResult`, `TrustInfo`)
+- Re-exported runtime types (`TrustTier`, `DecisionTier`, `AgentCredentials`, `Action`, `TrustSignal`)
+
+[0.1.1]: https://github.com/vorionsys/vorion/compare/@vorionsys/sdk@0.1.0...@vorionsys/sdk@0.1.1
+[0.1.0]: https://github.com/vorionsys/vorion/releases/tag/@vorionsys/sdk@0.1.0

package/LICENSE

@@ -0,0 +1,190 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to the Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   Copyright 2026 Vorion
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

package/README.md

@@ -1,6 +1,9 @@
 # @vorionsys/sdk
 
-Developer-friendly SDK for AI agent governance. Register agents, request action permissions, and report outcomes with a simple API. Supports both local mode (in-memory, for testing) and remote mode (Cognigate API).
+Simple, developer-friendly SDK for AI agent governance powered by the Vorion platform and the BASIS (Baseline Authority for Safe & Interoperable Systems) framework.
+
+[![npm version](https://img.shields.io/npm/v/@vorionsys/sdk.svg)](https://www.npmjs.com/package/@vorionsys/sdk)
+[![License: Apache-2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
 
 ## Installation
 
@@ -8,149 +11,302 @@ Developer-friendly SDK for AI agent governance. Register agents, request action
 npm install @vorionsys/sdk
 ```
 
+The SDK requires `@vorionsys/runtime` as a peer dependency:
+
+```bash
+npm install @vorionsys/sdk @vorionsys/runtime
+```
+
+## What It Provides
+
+`@vorionsys/sdk` provides a simple interface for AI agent governance. It lets you:
+
+- **Register agents** with declared capabilities and observation tiers
+- **Submit governance requests** to check whether an agent is permitted to perform an action
+- **Report outcomes** (success or failure) that dynamically adjust an agent's trust score
+- **Query trust scores** to understand an agent's current standing in the trust tier system
+
+The SDK operates in two modes: **local mode** for development and testing (in-memory, no external dependencies) and **remote mode** for production (connects to a Cognigate API instance).
+
 ## Quick Start
 
 ```typescript
 import { Vorion } from '@vorionsys/sdk';
 
-// Local mode (for development/testing)
+// Local mode -- in-memory governance for development and testing
 const vorion = new Vorion({ localMode: true });
 
+// 1. Register an agent with its capabilities
 const agent = await vorion.registerAgent({
-  agentId: 'my-agent',
-  name: 'My AI Agent',
+  agentId: 'research-assistant',
+  name: 'Research Assistant',
   capabilities: ['read:*', 'write:documents'],
 });
 
+// 2. Request permission before performing an action
 const result = await agent.requestAction({
   type: 'read',
-  resource: 'documents/report.pdf',
+  resource: 'documents/quarterly-report.pdf',
 });
 
 if (result.allowed) {
-  // Perform the action
+  // Action is permitted -- perform it
+  console.log('Proof ID:', result.proofId); // audit trail
+  console.log('Constraints:', result.constraints); // e.g. ['rate_limit:100/min']
+
+  // 3. Report the outcome to update trust
   await agent.reportSuccess('read');
 } else {
   console.log('Denied:', result.reason);
 }
+
+// 4. Check the agent's current trust score
+const trust = await agent.getTrustInfo();
+console.log(`Trust: ${trust.score}/1000 (${trust.tierName})`);
 ```
 
-## Features
+## Usage Examples
 
-- **Simple API**: Register agents, request permissions, report outcomes
-- **Local Mode**: In-memory governance for development and testing
-- **Remote Mode**: Connect to a hosted Cognigate API for production
-- **Trust Signals**: Report success/failure to dynamically update agent trust scores
-- **Capability Checks**: Permission-based action authorization
-- **Audit Trail**: Every action request returns a proof ID for compliance
-- **Full TypeScript**: Complete type definitions for all APIs
+### Registering an Agent
 
-## Modes
+```typescript
+import { Vorion } from '@vorionsys/sdk';
 
-### Local Mode
+const vorion = new Vorion({ localMode: true });
 
-No external dependencies. Agent trust is managed in-memory with a simple capability check:
+const agent = await vorion.registerAgent({
+  agentId: 'data-analyst-01',
+  name: 'Data Analyst',
+  capabilities: ['read:*', 'write:reports', 'execute:queries'],
+  observationTier: 'GRAY_BOX', // BLACK_BOX | GRAY_BOX | WHITE_BOX
+  metadata: { version: '2.1', team: 'analytics' },
+});
 
-```typescript
-const vorion = new Vorion({ localMode: true });
+console.log(agent.getId());           // 'data-analyst-01'
+console.log(agent.getName());         // 'Data Analyst'
+console.log(agent.getCapabilities()); // ['read:*', 'write:reports', 'execute:queries']
 ```
 
-### Remote Mode
+### Submitting a Governance Request
 
-Connects to a Cognigate API instance for production governance:
+Every action an agent wants to perform goes through the governance pipeline. The SDK checks capabilities and trust score, then returns a decision with an audit-grade proof ID.
 
 ```typescript
-const vorion = new Vorion({
-  apiEndpoint: 'https://cognigate.dev',
-  apiKey: process.env.VORION_API_KEY,
+const result = await agent.requestAction({
+  type: 'write',
+  resource: 'reports/summary.md',
+  parameters: { format: 'markdown', overwrite: false },
 });
+
+// result structure:
+// {
+//   allowed: true,
+//   tier: 'GREEN',            // GREEN = approved, YELLOW = conditional, RED = denied
+//   reason: 'Action permitted',
+//   proofId: 'a1b2c3d4-...',  // unique proof commitment ID for audit
+//   constraints: ['rate_limit:100/min', 'audit:standard'],
+// }
 ```
 
-## API Reference
+### Checking Trust Scores
 
-### Vorion Client
+Trust scores range from 0 to 1000. Agents start at 500 (T3 -- Monitored) and move up or down based on reported outcomes. Trust adjustment is asymmetric: failures cost more than successes gain.
 
 ```typescript
-const vorion = new Vorion({
-  apiEndpoint?: string,       // Cognigate API URL (enables remote mode)
-  apiKey?: string,            // API key (required for remote mode)
-  localMode?: boolean,        // Force local mode (default: true if no endpoint)
-  defaultObservationTier?: 'BLACK_BOX' | 'GRAY_BOX' | 'WHITE_BOX',
-  timeout?: number,           // Request timeout in ms (default: 30000)
-});
+const trust = await agent.getTrustInfo();
+console.log(trust.score);          // 500
+console.log(trust.tierName);       // 'Monitored'
+console.log(trust.tierNumber);     // 3
+console.log(trust.observationTier); // 'GRAY_BOX'
+
+// Report successes to build trust
+await agent.reportSuccess('read');
+await agent.reportSuccess('read');
+
+const updated = await agent.getTrustInfo();
+console.log(updated.score); // 504 (each success adds +2)
+
+// Failures decrease trust more aggressively
+await agent.reportFailure('write', 'Upstream permission denied');
 
-// Or use the factory
+const afterFailure = await agent.getTrustInfo();
+console.log(afterFailure.score); // 484 (failure subtracts -20)
+```
+
+### Using the Factory Function
+
+```typescript
 import { createVorion } from '@vorionsys/sdk';
+
 const vorion = createVorion({ localMode: true });
 ```
 
-### Agent Registration
+### Remote Mode (Production)
+
+Connect to a Cognigate API instance for production-grade governance with persistent trust state, distributed coordination, and full audit logging.
 
 ```typescript
-const agent = await vorion.registerAgent({
-  agentId: 'unique-id',
-  name: 'Agent Name',
-  capabilities: ['read:*', 'write:documents'],
-  observationTier: 'GRAY_BOX',  // Optional
-  metadata: { version: '1.0' }, // Optional
+const vorion = new Vorion({
+  apiEndpoint: 'https://cognigate.example.com',
+  apiKey: process.env.VORION_API_KEY,
+  timeout: 15000, // request timeout in ms (default: 30000)
 });
-```
 
-### Action Requests
+// API works identically -- the SDK handles remote calls transparently
+const agent = await vorion.registerAgent({
+  agentId: 'prod-agent',
+  name: 'Production Agent',
+  capabilities: ['read:*'],
+});
 
-```typescript
 const result = await agent.requestAction({
   type: 'read',
-  resource: 'documents/report.pdf',
-  parameters: { format: 'json' }, // Optional
+  resource: 'data/users.json',
 });
 
-// result: {
-//   allowed: boolean,
-//   tier: 'GREEN' | 'YELLOW' | 'RED',
-//   reason: string,
-//   proofId: string,
-//   constraints?: string[],
-//   processingTimeMs?: number,  // Remote mode only
-// }
+// Remote mode includes server-side processing time
+console.log(result.processingTimeMs); // e.g. 12
 ```
 
-### Trust Signals
+### Health Check
 
 ```typescript
-// Report successful action
-await agent.reportSuccess('read');
+const health = await vorion.healthCheck();
+// Local:  { status: 'healthy', version: 'local' }
+// Remote: { status: 'healthy', version: '1.2.0' }
+```
 
-// Report failed action
-await agent.reportFailure('write', 'Permission denied by upstream service');
+### Managing Multiple Agents
 
-// Get current trust info
-const trust = await agent.getTrustInfo();
-// { score: 750, tierName: 'Standard', tierNumber: 4, observationTier: 'GRAY_BOX' }
+```typescript
+const vorion = new Vorion({ localMode: true });
+
+await vorion.registerAgent({ agentId: 'agent-a', name: 'Agent A', capabilities: ['read:*'] });
+await vorion.registerAgent({ agentId: 'agent-b', name: 'Agent B', capabilities: ['write:*'] });
+
+const agentA = vorion.getAgent('agent-a');  // Agent | undefined
+const all = vorion.getAllAgents();           // Agent[]
+console.log(all.length);                    // 2
+console.log(vorion.isLocalMode());          // true
 ```
 
-### Utilities
+## API Reference
+
+### Exports
+
+| Export | Type | Description |
+|--------|------|-------------|
+| `Vorion` | Class | Main SDK client for agent governance |
+| `Agent` | Class | Agent wrapper returned by `registerAgent()` |
+| `createVorion` | Function | Factory function to create a `Vorion` instance |
+| `VorionConfig` | Interface | Configuration options for `Vorion` |
+| `AgentOptions` | Interface | Options for registering an agent |
+| `ActionResult` | Interface | Result returned by `requestAction()` |
+| `TrustInfo` | Interface | Trust score information from `getTrustInfo()` |
+| `TrustTier` | Type | Re-exported from `@vorionsys/runtime` |
+| `DecisionTier` | Type | Re-exported from `@vorionsys/runtime` |
+| `AgentCredentials` | Type | Re-exported from `@vorionsys/runtime` |
+| `Action` | Type | Re-exported from `@vorionsys/runtime` |
+| `TrustSignal` | Type | Re-exported from `@vorionsys/runtime` |
+
+### `Vorion` Class
 
 ```typescript
-vorion.isLocalMode();      // boolean
-vorion.getAgent('id');     // Agent | undefined
-vorion.getAllAgents();     // Agent[]
-await vorion.healthCheck(); // { status, version }
+new Vorion(config?: VorionConfig)
+```
+
+**Config options:**
+
+| Property | Type | Default | Description |
+|----------|------|---------|-------------|
+| `apiEndpoint` | `string` | -- | Cognigate API URL. Enables remote mode when set. |
+| `apiKey` | `string` | -- | API key. Required when `apiEndpoint` is set. |
+| `localMode` | `boolean` | `true` | Force local (in-memory) mode. Defaults to `true` when no endpoint is provided. |
+| `defaultObservationTier` | `'BLACK_BOX' \| 'GRAY_BOX' \| 'WHITE_BOX'` | `'GRAY_BOX'` | Default observation tier for registered agents. |
+| `timeout` | `number` | `30000` | Request timeout in milliseconds (remote mode). |
+
+**Methods:**
+
+| Method | Returns | Description |
+|--------|---------|-------------|
+| `registerAgent(options)` | `Promise<Agent>` | Register an agent with the governance system |
+| `getAgent(agentId)` | `Agent \| undefined` | Retrieve a registered agent by ID |
+| `getAllAgents()` | `Agent[]` | List all registered agents |
+| `getConfig()` | `VorionConfig` | Get the current SDK configuration |
+| `isLocalMode()` | `boolean` | Check if the SDK is running in local mode |
+| `healthCheck()` | `Promise<{ status, version }>` | Check API health (returns local status in local mode) |
+
+### `Agent` Class
+
+Returned by `vorion.registerAgent()`. Do not instantiate directly.
+
+**Methods:**
+
+| Method | Returns | Description |
+|--------|---------|-------------|
+| `requestAction(action)` | `Promise<ActionResult>` | Request permission to perform an action |
+| `reportSuccess(actionType)` | `Promise<void>` | Report a successful action (positive trust signal, +2 score in local mode) |
+| `reportFailure(actionType, reason?)` | `Promise<void>` | Report a failed action (negative trust signal, -20 score in local mode) |
+| `getTrustInfo()` | `Promise<TrustInfo>` | Get current trust score and tier information |
+| `getId()` | `string` | Get the agent's unique identifier |
+| `getName()` | `string` | Get the agent's human-readable name |
+| `getCapabilities()` | `string[]` | Get the agent's declared capabilities |
+| `getActionHistory()` | `Array<{ action, allowed, timestamp }>` | Get the agent's action request history |
+
+### `ActionResult` Interface
+
+```typescript
+interface ActionResult {
+  allowed: boolean;                    // Whether the action was permitted
+  tier: 'GREEN' | 'YELLOW' | 'RED';   // Decision tier
+  reason: string;                      // Human-readable explanation
+  proofId: string;                     // Unique proof commitment ID for audit
+  constraints?: string[];              // Applied constraints (e.g. rate limits)
+  processingTimeMs?: number;           // Server processing time (remote mode only)
+}
+```
+
+### `TrustInfo` Interface
+
+```typescript
+interface TrustInfo {
+  score: number;          // Current trust score (0-1000)
+  tierName: string;       // Human-readable tier name (e.g. 'Monitored')
+  tierNumber: number;     // Tier number (0-7)
+  observationTier: string; // Observation tier (BLACK_BOX, GRAY_BOX, WHITE_BOX)
+}
 ```
 
 ## Trust Tiers
 
-Agents start at T3 (Monitored, score 500) in local mode. Trust adjusts based on signals:
+Agents start at T3 (Monitored, score 500) in local mode. Trust adjusts asymmetrically based on reported signals -- successes increase score gradually while failures decrease it more aggressively.
+
+| Tier | Score Range | Name | Constraints |
+|------|-------------|------|-------------|
+| T0 | 0--199 | Sandbox | `rate_limit:10/min`, `audit:full`, `sandbox:true` |
+| T1 | 200--349 | Observed | `rate_limit:10/min`, `audit:full`, `sandbox:true` |
+| T2 | 350--499 | Provisional | `rate_limit:100/min`, `audit:standard` |
+| T3 | 500--649 | Monitored | `rate_limit:100/min`, `audit:standard` |
+| T4 | 650--799 | Standard | `rate_limit:1000/min`, `audit:light` |
+| T5 | 800--875 | Trusted | `rate_limit:1000/min`, `audit:light` |
+| T6 | 876--950 | Certified | No constraints |
+| T7 | 951--1000 | Autonomous | No constraints |
+
+## Capability Patterns
 
-| Tier | Score | Name | Constraints |
-|------|-------|------|-------------|
-| T0-T1 | 0-349 | Sandbox/Observed | rate_limit:10/min, audit:full, sandbox:true |
-| T2-T3 | 350-649 | Provisional/Monitored | rate_limit:100/min, audit:standard |
-| T4-T5 | 650-875 | Standard/Trusted | rate_limit:1000/min, audit:light |
-| T6-T7 | 876-1000 | Certified/Autonomous | No constraints |
+Capabilities use a `type:resource` pattern with glob support:
+
+| Pattern | Matches |
+|---------|---------|
+| `read` | Exact match on `read` action type |
+| `read:*` | Any `read` action regardless of resource |
+| `read:documents` | `read` actions on resources starting with `documents/` |
+| `*` | All actions (unrestricted) |
 
 ## TypeScript
 
+The SDK ships with full TypeScript type definitions. All interfaces and types are exported for direct use:
+
 ```typescript
 import type {
   VorionConfig,
@@ -165,6 +321,25 @@ import type {
 } from '@vorionsys/sdk';
 ```
 
+## Requirements
+
+- Node.js >= 18.0.0
+- `@vorionsys/runtime` >= 0.1.0 (peer dependency)
+
+## Related Packages
+
+| Package | Description |
+|---------|-------------|
+| [`@vorionsys/runtime`](https://www.npmjs.com/package/@vorionsys/runtime) | Core orchestration layer (trust facade, proof committer, intent pipeline) |
+
+## Contributing
+
+See the [main repository](https://github.com/vorionsys/vorion) for contribution guidelines.
+
 ## License
 
-MIT
+Apache-2.0 -- see [LICENSE](./LICENSE) for details.
+
+---
+
+Part of the [Vorion](https://github.com/vorionsys/vorion) project.