agent-passport-system 1.15.0 → 1.16.0

package/README.md

@@ -2,7 +2,7 @@
 
 [![npm version](https://img.shields.io/npm/v/agent-passport-system)](https://www.npmjs.com/package/agent-passport-system)
 [![license](https://img.shields.io/npm/l/agent-passport-system)](https://github.com/aeoess/agent-passport-system/blob/main/LICENSE)
-[![tests](https://img.shields.io/badge/tests-595%20passing-brightgreen)](https://github.com/aeoess/agent-passport-system)
+[![tests](https://img.shields.io/badge/tests-785%20passing-brightgreen)](https://github.com/aeoess/agent-passport-system)
 [![DOI](https://zenodo.org/badge/DOI/10.5281/zenodo.18749779.svg)](https://doi.org/10.5281/zenodo.18749779)
 
 Cryptographic identity, ethical governance, economic attribution, protocol-native communication, intent architecture, cascade revocation, coordination primitives, and agentic commerce for autonomous AI agents.
@@ -285,14 +285,14 @@ const receipt = await completeCheckout(session.id, {
 
 // Verify any commerce receipt (tamper-proof)
 const valid = verifyCommerceReceipt(receipt)
-// → true (Ed25959 signature over canonical JSON)
+// → true (Ed25519 signature over canonical JSON)
 
 // Track spending against delegation limits
 const summary = getSpendSummary(delegation, allReceipts)
 // → { limit: 500, spent: 49.99, remaining: 450.01, utilization: '10.0%', nearLimit: false }
 ```
 
-**4-gate enforcement pipeline:** Every purchase passes through passport verification (Ed25959 signature), delegation scope check (must have `commerce:checkout`), spend limit enforcement (amount ≤ remaining budget), and optional merchant allowlist. Agents cannot bypass gates — the cryptography prevents it.
+**4-gate enforcement pipeline:** Every purchase passes through passport verification (Ed25519 signature), delegation scope check (must have `commerce:checkout`), spend limit enforcement (amount ≤ remaining budget), and optional merchant allowlist. Agents cannot bypass gates — the cryptography prevents it.
 
 **Human approval thresholds:** Purchases above a configurable amount require explicit human confirmation. The agent generates an approval request; the human signs it. No unsigned approvals accepted.
 
@@ -319,7 +319,7 @@ const summary = getSpendSummary(delegation, allReceipts)
 │  consensus · Precedent memory · Signed outcomes  │
 ├─────────────────────────────────────────────────┤
 │  Layer 4: Agent Agora                           │
-│  Ed25959 signed messages · Registry ·            │
+│  Ed25519 signed messages · Registry ·            │
 │  Threading · Public observability                │
 ├─────────────────────────────────────────────────┤
 │  Layer 3: Beneficiary Attribution               │
@@ -331,18 +331,18 @@ const summary = getSpendSummary(delegation, allReceipts)
 │  Compliance verification · Agent negotiation     │
 ├─────────────────────────────────────────────────┤
 │  Layer 1: Agent Passport Protocol               │
-│  Ed25959 identity · Scoped delegation ·          │
+│  Ed25519 identity · Scoped delegation ·          │
 │  Signed receipts · Revocation · Reputation       │
 └─────────────────────────────────────────────────┘
 ```
 
-**Layer 1 — Identity & Accountability.** Ed25959 keypairs, scoped delegation with depth limits and spend caps, signed action receipts, real-time revocation with cascade, challenge-response verification.
+**Layer 1 — Identity & Accountability.** Ed25519 keypairs, scoped delegation with depth limits and spend caps, signed action receipts, real-time revocation with cascade, challenge-response verification.
 
 **Layer 2 — Human Values Floor.** Seven universal principles. Five technically enforced by the protocol (traceability, honest identity, scoped authority, revocability, auditability). Two attested through cryptographic commitment. Compliance verifiable against receipts. Two-agent negotiation protocol for establishing shared ethical ground.
 
 **Layer 3 — Beneficiary Attribution.** Every agent action traces to a human through the delegation chain. SHA-256 Merkle trees commit to receipt sets in 32 bytes. 100,000 receipts → provable with ~17 hashes. Configurable scope weights per domain. Logarithmic spend normalization prevents gaming.
 
-**Layer 4 — Agent Agora.** Protocol-native communication where every message is Ed25959 signed by the author's passport key. Three-layer authorization at the message boundary: registration gate (public key must be in registry), status check (suspended/revoked agents rejected), signature verification. Agent registry for membership verification. Threading, topic filtering, proposal voting, and full feed verification. Web interface at [aeoess.com/agora](https://aeoess.com/agora.html) for human observation.
+**Layer 4 — Agent Agora.** Protocol-native communication where every message is Ed25519 signed by the author's passport key. Three-layer authorization at the message boundary: registration gate (public key must be in registry), status check (suspended/revoked agents rejected), signature verification. Agent registry for membership verification. Threading, topic filtering, proposal voting, and full feed verification. Web interface at [aeoess.com/agora](https://aeoess.com/agora.html) for human observation.
 
 **Layer 5 — Intent Architecture.** Context tells agents what they know. Intent tells them what to care about. Four agent roles (operator, collaborator, consultant, observer) with five autonomy levels from fully supervised to fully autonomous. Machine-readable intent documents encode organizational goals with quantified tradeoff rules: "when quality and speed conflict, prefer quality until 2× time cost, then prefer speed." Deliberative consensus protocol where agents score independently, revise after seeing others' reasoning, and converge or escalate to humans. Every resolved deliberation becomes a citable precedent. The `IntentPassportExtension` bridges Layer 1 identity with Layer 5 governance — no role without a passport, no autonomy without accountability.
 
@@ -350,7 +350,7 @@ const summary = getSpendSummary(delegation, allReceipts)
 
 **Layer 7 — Coordination Primitives.** Protocol-native multi-agent task orchestration. Operator creates a signed task brief with roles, deliverables, and acceptance criteria. Agents are assigned to roles and sign acceptance. Researchers submit signed evidence packets with citations (every claim needs a 10+ word quote from source). Operator reviews evidence against a quality threshold — cannot approve below threshold, forcing rework. Approved evidence is handed off between roles (handoff requires approved review). Analysts submit deliverables citing evidence packets. Operator closes the task with metrics: overhead ratio, gap rate, rework count, errors caught. Full lifecycle container (`TaskUnit`) with integrity validation catches mismatched IDs, unapproved handoffs, and missing references.
 
-**Layer 8 — Agentic Commerce (ACP by OpenAI + Stripe).** Implements the [Agentic Commerce Protocol](https://openai.com/index/agentic-commerce-protocol/) identity and governance layer. 4-gate enforcement pipeline: passport verification (Ed25959 signature), delegation scope check (`commerce:checkout` required), spend limit enforcement (cumulative tracking against delegation budget), and optional merchant allowlist. Human approval thresholds prevent autonomous high-value purchases — agents generate signed approval requests, humans must countersign. Every completed purchase produces a `CommerceActionReceipt` with beneficiary attribution tracing the spend back to its human principal through the delegation chain. Spend analytics with utilization warnings at 80%. 17 tests covering all enforcement gates, cross-agent scope isolation, tamper detection, and cumulative budget tracking.
+**Layer 8 — Agentic Commerce (ACP by OpenAI + Stripe).** Implements the [Agentic Commerce Protocol](https://openai.com/index/agentic-commerce-protocol/) identity and governance layer. 4-gate enforcement pipeline: passport verification (Ed25519 signature), delegation scope check (`commerce:checkout` required), spend limit enforcement (cumulative tracking against delegation budget), and optional merchant allowlist. Human approval thresholds prevent autonomous high-value purchases — agents generate signed approval requests, humans must countersign. Every completed purchase produces a `CommerceActionReceipt` with beneficiary attribution tracing the spend back to its human principal through the delegation chain. Spend analytics with utilization warnings at 80%. 17 tests covering all enforcement gates, cross-agent scope isolation, tamper detection, and cumulative budget tracking.
 
 ## Human Values Floor — v0.1
 
@@ -380,9 +380,9 @@ Or zero-install remote mode:
 npx agent-passport-system-mcp setup --remote
 ```
 
-**61 tools across all 27 modules, role-scoped access control.** Identity, delegation, agora, values/policy, coordination, and commerce — all accessible via MCP. Every operation Ed25959 signed. Auto-configures Claude Desktop and Cursor.
+**61 tools across all 27 modules, role-scoped access control.** Identity, delegation, agora, values/policy, coordination, and commerce — all accessible via MCP. Every operation Ed25519 signed. Auto-configures Claude Desktop and Cursor.
 
-Every operation is Ed25959 signed. Role is auto-detected from task assignments. Role-specific prompts served via MCP prompts API. File-backed task persistence at `~/.agent-passport-tasks.json`.
+Every operation is Ed25519 signed. Role is auto-detected from task assignments. Role-specific prompts served via MCP prompts API. File-backed task persistence at `~/.agent-passport-tasks.json`.
 
 npm: [agent-passport-system-mcp](https://www.npmjs.com/package/agent-passport-system-mcp) · GitHub: [aeoess/agent-passport-mcp](https://github.com/aeoess/agent-passport-mcp)
 
@@ -394,7 +394,7 @@ Full Python implementation with cross-language compatibility. Signatures created
 pip install agent-passport-system
 ```
 
-All 17 protocol modules. 86 tests. Same canonical JSON serialization and Ed25959 signatures.
+All 8 foundational layers plus Principal Identity. 86 tests. Same canonical JSON serialization and Ed25519 signatures. Extended modules (M10-M27) in progress.
 
 PyPI: [agent-passport-system](https://pypi.org/project/agent-passport-system/) · GitHub: [aeoess/agent-passport-python](https://github.com/aeoess/agent-passport-python)
 
@@ -402,10 +402,10 @@ PyPI: [agent-passport-system](https://pypi.org/project/agent-passport-system/)
 
 ```bash
 npm test
-# 785 tests across 38 files, 220 suites, 0 failures
+# 785 tests across 43 files, 220 suites, 0 failures
 ```
 
-Includes 23 adversarial tests: Merkle tree tampering, attribution gaming resistance, compliance violations, floor negotiation attacks, wrong-key attestations.
+Includes 73 adversarial tests across 4 test files: Merkle tree tampering, attribution gaming resistance, compliance violations, floor negotiation attacks, wrong-key attestations, cross-chain confused deputy, taint laundering, permit bypass, causal chain manipulation.
 
 15 Agora-specific tests: message signing, tamper detection, registry membership, feed operations, threading, full feed verification.
 
@@ -426,7 +426,7 @@ By Tymofii Pidlisnyi — Published on Zenodo
 | | Social Contract | DeepMind | GaaS | OpenAI | LOKA |
 |---|---|---|---|---|---|
 | Status | Running code | Paper | Simulated | Advisory | Paper |
-| Identity | Ed25959 | Proposed | External | — | Proposed |
+| Identity | Ed25519 | Proposed | External | — | Proposed |
 | Delegation depth | Configurable | Proposed | N/A | — | Consensus |
 | Action receipts | Signed + verifiable | Proposed | Logs | General | — |
 | Values layer | Attested + auditable | — | Rules | — | — |
@@ -434,16 +434,16 @@ By Tymofii Pidlisnyi — Published on Zenodo
 | Communication | Signed Agora | — | — | — | — |
 | Coordination | Task units + MCP server | — | — | — | — |
 | Commerce | ACP + 4-gate enforcement | — | — | — | — |
-| Tests | 595 (23 adversarial) | None | Limited | None | None |
+| Tests | 785 (73 adversarial) | None | Limited | None | None |
 | Dependencies | Node.js crypto + uuid | — | Multi-LLM | — | Consensus network |
 
 ## Structure
 
 ```
-src/                    22 source files
+src/                    32 source files
   contract.ts          — High-level API (6 functions)
   core/
-    passport.ts        — Ed25959 identity
+    passport.ts        — Ed25519 identity
     delegation.ts      — Scoped delegation, receipts, cascade revocation
     canonical.ts       — Deterministic JSON serialization
     values.ts          — Floor attestation, compliance, negotiation
@@ -462,10 +462,23 @@ src/                    22 source files
     euaiact.ts         — EU AI Act compliance
     principal.ts       — Principal identity, endorsement, fleet
     reputation-authority.ts — Bayesian trust, tier authority, promotions
+    gateway.ts         — ProxyGateway enforcement boundary
+    cross-chain.ts     — Taint tracking, confused deputy prevention, SAOs
+    encrypted-messaging.ts — E2E encrypted Agora messages (X25519 + XSalsa20)
+    obligations.ts     — Duties on delegations, penalty severity narrowing
+    execution-envelope.ts — Cross-engine signed execution envelopes
+    intent-network.ts  — IntentCards, semantic matching, introductions
+    governance.ts      — Governance artifact provenance, weakening controls
+    identity.ts        — Key rotation with continuity proofs
+    receipt-ledger.ts  — Merkle-committed audit batches
+    feasibility.ts     — Preflight linting for delegations and tasks
+    precedent.ts       — Normative precedent library, drift detection
+    reanchor.ts        — Delegation re-anchoring to DIDs
+    escalation.ts      — Bounded escalation (4th attenuation invariant)
   cli/
     index.ts           — CLI (14 commands)
   crypto/
-    keys.ts            — Ed25959 primitives
+    keys.ts            — Ed25519 primitives
   types/
     passport.ts        — Layers 1–3 types
     agora.ts           — Layer 4 types
@@ -481,6 +494,9 @@ src/                    22 source files
     reputation-authority.ts — Reputation/tier types
 tests/                  43 test files, 785 tests (220 suites)
   adversarial.ts       — 23 adversarial cases
+  adversarial-paper.test.ts — 22 paper-linked attack scenarios
+  adversarial-causal-chain.test.ts — 18 causal chain attacks
+  adversarial-audit-v2.test.ts — 10 gateway audit attack vectors
   agora.test.ts        — 15 Agora tests
   contract.test.ts     — High-level API tests
   passport.test.ts     — v1.0 primitives

package/dist/src/core/gateway.d.ts

@@ -1,3 +1,5 @@
+import { type ActiveEscalation, type EscalationGrant } from './escalation.js';
+import type { GovernanceArtifact, GovernanceEnvelope, GovernanceDiff } from '../types/governance.js';
 import type { Delegation, FloorAttestation } from '../types/passport.js';
 import type { PolicyDecision } from '../types/policy.js';
 import type { CrossChainPermit, ExecutionFrame } from '../types/cross-chain.js';
@@ -51,6 +53,36 @@ export declare class ProxyGateway {
     getAgentTier(agentId: string): AuthorityTier | undefined;
     /** Externally set agent reputation (for injection from external reputation systems) */
     setAgentReputation(agentId: string, reputation: ScopedReputation): boolean;
+    /** Update the gateway's governance artifact. Enforces INV-2: governance can only
+     *  strengthen; weakening requires higher-order authorization (more approvals). */
+    updateGovernance(envelope: GovernanceEnvelope, previousArtifact?: GovernanceArtifact | null): {
+        accepted: boolean;
+        error?: string;
+        diff?: GovernanceDiff;
+    };
+    /** Re-attest an agent to the current governance version after an update. */
+    reattestGovernance(agentId: string): {
+        success: boolean;
+        error?: string;
+    };
+    /** Get current governance artifact version */
+    getGovernanceVersion(): string | undefined;
+    /** Get agent's attested governance version */
+    getAgentGovernanceVersion(agentId: string): string | undefined;
+    /** Add an escalation grant for an agent */
+    addEscalationGrant(agentId: string, grant: EscalationGrant): {
+        added: boolean;
+        error?: string;
+    };
+    /** Activate an escalation for an agent (gateway validates and activates) */
+    activateAgentEscalation(agentId: string, escalation: ActiveEscalation): {
+        activated: boolean;
+        error?: string;
+    };
+    /** Get active escalations for an agent */
+    getAgentEscalations(agentId: string): ActiveEscalation[];
+    /** Expire stale escalations for an agent */
+    private _expireAgentEscalations;
     private findDelegation;
     private buildValidationContext;
 }

package/dist/src/core/gateway.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"gateway.d.ts","sourceRoot":"","sources":["../../../src/core/gateway.ts"],"names":[],"mappings":"AAyCA,OAAO,KAAK,EAAE,UAAU,EAA8B,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AACpG,OAAO,KAAK,EAAgB,cAAc,EAAqD,MAAM,oBAAoB,CAAA;AACzH,OAAO,KAAK,EAAwB,gBAAgB,EAAE,cAAc,EAAyB,MAAM,yBAAyB,CAAA;AAC5H,OAAO,KAAK,EAAE,UAAU,EAAwB,MAAM,yBAAyB,CAAA;AAE/E,OAAO,KAAK,EAAE,gBAAgB,EAAE,aAAa,EAAmD,MAAM,kCAAkC,CAAA;AAExI,OAAO,KAAK,EACV,eAAe,EAAE,cAAc,EAC/B,eAAe,EAAE,YAAY,EAAE,aAAa,EAC5C,eAAe,EAAE,YAAY,EAC9B,MAAM,qBAAqB,CAAA;AAO5B,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAAwJ;IACtK,OAAO,CAAC,SAAS,CAAiB;IAClC,OAAO,CAAC,MAAM,CAA0C;IACxD,OAAO,CAAC,SAAS,CAA0C;IAC3D,OAAO,CAAC,cAAc,CAAiC;IACvD,OAAO,CAAC,oBAAoB,CAAI;IAChC,OAAO,CAAC,UAAU,CAAwC;IAC1D,OAAO,CAAC,QAAQ,CAAc;IAC9B,OAAO,CAAC,KAAK,CAoBZ;gBAEW,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,YAAY;IAczD,aAAa,CACX,QAAQ,EAAE,eAAe,CAAC,UAAU,CAAC,EACrC,WAAW,EAAE,gBAAgB,EAC7B,WAAW,EAAE,UAAU,EAAE,GACxB;QAAE,UAAU,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAsD1C,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAYzC,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,GAAG;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAW1F,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IA6B1D,eAAe,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC;YAiB1D,qBAAqB;IAsYnC,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG;QAAE,QAAQ,EAAE,OAAO,CAAC;QAAC,QAAQ,CAAC,EAAE,eAAe,CAAC;QAAC,MAAM,CAAC,EAAE;YAAE,MAAM,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,cAAc,CAAA;SAAE,CAAA;KAAE;IA6DtI,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;YAkCpD,qBAAqB;IA+KnC,YAAY,IAAI,MAAM;IAkBtB,QAAQ,IAAI,YAAY;IAExB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,eAAe,EAAE;IAMrD,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,GAAG,OAAO;IASlE,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO;IASxD,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,GAAG,OAAO;IAQpE,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAI1D,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,EAAE,GAAG,SAAS;IAI9D,oDAAoD;IACpD,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,gBAAgB,GAAG,SAAS;IAIjE,yCAAyC;IACzC,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IAIxD,uFAAuF;IACvF,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,gBAAgB,GAAG,OAAO;IAgB1E,OAAO,CAAC,cAAc;IAetB,OAAO,CAAC,sBAAsB;CAgB/B;AAED,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,YAAY,GAAG,YAAY,CAE9F"}
+{"version":3,"file":"gateway.d.ts","sourceRoot":"","sources":["../../../src/core/gateway.ts"],"names":[],"mappings":"AAwCA,OAAO,EAEL,KAAK,gBAAgB,EAAE,KAAK,eAAe,EAC5C,MAAM,iBAAiB,CAAA;AAExB,OAAO,KAAK,EAAE,kBAAkB,EAAE,kBAAkB,EAAwB,cAAc,EAAE,MAAM,wBAAwB,CAAA;AAM1H,OAAO,KAAK,EAAE,UAAU,EAA8B,gBAAgB,EAAE,MAAM,sBAAsB,CAAA;AACpG,OAAO,KAAK,EAAgB,cAAc,EAAqD,MAAM,oBAAoB,CAAA;AACzH,OAAO,KAAK,EAAwB,gBAAgB,EAAE,cAAc,EAAyB,MAAM,yBAAyB,CAAA;AAC5H,OAAO,KAAK,EAAE,UAAU,EAAwB,MAAM,yBAAyB,CAAA;AAE/E,OAAO,KAAK,EAAE,gBAAgB,EAAE,aAAa,EAAmD,MAAM,kCAAkC,CAAA;AAExI,OAAO,KAAK,EACV,eAAe,EAAE,cAAc,EAC/B,eAAe,EAAE,YAAY,EAAE,aAAa,EAC5C,eAAe,EAAE,YAAY,EAC9B,MAAM,qBAAqB,CAAA;AAO5B,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAAwJ;IACtK,OAAO,CAAC,SAAS,CAAiB;IAClC,OAAO,CAAC,MAAM,CAA0C;IACxD,OAAO,CAAC,SAAS,CAA0C;IAC3D,OAAO,CAAC,cAAc,CAAiC;IACvD,OAAO,CAAC,oBAAoB,CAAI;IAChC,OAAO,CAAC,UAAU,CAAwC;IAC1D,OAAO,CAAC,QAAQ,CAAc;IAC9B,OAAO,CAAC,KAAK,CA4BZ;gBAEW,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,YAAY;IAczD,aAAa,CACX,QAAQ,EAAE,eAAe,CAAC,UAAU,CAAC,EACrC,WAAW,EAAE,gBAAgB,EAC7B,WAAW,EAAE,UAAU,EAAE,GACxB;QAAE,UAAU,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IA0D1C,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAYzC,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,GAAG;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAW1F,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IA6B1D,eAAe,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC;YAiB1D,qBAAqB;IA0fnC,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG;QAAE,QAAQ,EAAE,OAAO,CAAC;QAAC,QAAQ,CAAC,EAAE,eAAe,CAAC;QAAC,MAAM,CAAC,EAAE;YAAE,MAAM,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,cAAc,CAAA;SAAE,CAAA;KAAE;IA6DtI,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;YAkCpD,qBAAqB;IAiMnC,YAAY,IAAI,MAAM;IAkBtB,QAAQ,IAAI,YAAY;IAExB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,eAAe,EAAE;IAMrD,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,GAAG,OAAO;IASlE,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO;IASxD,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,GAAG,OAAO;IAQpE,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAI1D,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,EAAE,GAAG,SAAS;IAI9D,oDAAoD;IACpD,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,gBAAgB,GAAG,SAAS;IAIjE,yCAAyC;IACzC,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IAIxD,uFAAuF;IACvF,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,gBAAgB,GAAG,OAAO;IAkB1E;sFACkF;IAClF,gBAAgB,CAAC,QAAQ,EAAE,kBAAkB,EAAE,gBAAgB,CAAC,EAAE,kBAAkB,GAAG,IAAI,GAAG;QAC5F,QAAQ,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,cAAc,CAAA;KACzD;IA4CD,4EAA4E;IAC5E,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IASzE,8CAA8C;IAC9C,oBAAoB,IAAI,MAAM,GAAG,SAAS;IAI1C,8CAA8C;IAC9C,yBAAyB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS;IAM9D,2CAA2C;IAC3C,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,eAAe,GAAG;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAS/F,4EAA4E;IAC5E,uBAAuB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,gBAAgB,GAAG;QAAE,SAAS,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAsB9G,0CAA0C;IAC1C,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,gBAAgB,EAAE;IAOxD,4CAA4C;IAC5C,OAAO,CAAC,uBAAuB;IAW/B,OAAO,CAAC,cAAc;IAetB,OAAO,CAAC,sBAAsB;CAgB/B;AAED,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,YAAY,GAAG,YAAY,CAE9F"}

package/dist/src/core/gateway.js

@@ -24,7 +24,7 @@
 //
 // ══════════════════════════════════════════════════════════════════
 import { v4 as uuidv4 } from 'uuid';
-import { verify } from '../crypto/keys.js';
+import { verify, sign as signData } from '../crypto/keys.js';
 import { canonicalize } from './canonical.js';
 import { createActionIntent, evaluateIntent, createPolicyReceipt, FloorValidatorV1 } from './policy.js';
 import { verifyDelegation, createReceipt, scopeAuthorizes, getRevocation } from './delegation.js';
@@ -33,6 +33,9 @@ import { verifyAttestation } from './values.js';
 import { createTaintLabel, createSAO, createExecutionFrame, recordAccess, checkDataFlow, mergeTaints, verifyCrossChainPermit, isFrameExpired, rotateFrame } from './cross-chain.js';
 import { checkFulfillment, resolveObligation } from './obligations.js';
 import { createExecutionEnvelope } from './execution-envelope.js';
+import { loadGovernanceArtifact as loadGovArtifact } from './governance.js';
+import { checkEscalatedAction, isEscalationActive } from './escalation.js';
+import { DEFAULT_LOAD_POLICY } from '../types/governance.js';
 import { computeEffectiveScore, createScopedReputation, resolveAuthorityTier, checkTierForIntent, updateReputationFromResult, shouldDemote, triggerDemotion, DEFAULT_TIERS } from './reputation-authority.js';
 // ══════════════════════════════════════
 // PROXY GATEWAY CLASS
@@ -65,7 +68,15 @@ export class ProxyGateway {
         obligationsTerminated: 0,
         tierDenials: 0,
         reputationUpdates: 0,
-        demotions: 0
+        demotions: 0,
+        governanceUpdates: 0,
+        governanceWeakeningBlocked: 0,
+        governanceStaleBlocks: 0,
+        escalationsActivated: 0,
+        escalationsUsed: 0,
+        escalationsExpired: 0,
+        escalationsDenied: 0,
+        reversibilityDenied: 0
     };
     constructor(config, executor) {
         this.config = {
@@ -123,6 +134,10 @@ export class ProxyGateway {
             obligations: this.config.enableObligationMonitoring ? [] : undefined,
             reputation,
             authorityTier,
+            governanceVersion: this.config.enableGovernanceEnforcement && this.config.governanceEnvelope
+                ? this.config.governanceEnvelope.artifact.version : undefined,
+            escalationGrants: this.config.enableEscalation ? [] : undefined,
+            activeEscalations: this.config.enableEscalation ? [] : undefined,
         });
         this.stats.activeAgents = this.agents.size;
         return { registered: true };
@@ -235,19 +250,89 @@ export class ProxyGateway {
             return { executed: false, requestId: request.requestId, denialReason: 'Invalid request signature' };
         }
         // Step 2: Find and verify delegation
-        const delegation = this.findDelegation(agent, request);
+        let delegation = this.findDelegation(agent, request);
+        let viaEscalation = false;
+        let usedEscalationId;
+        let escalationDelegation;
         if (!delegation) {
-            this.stats.totalDenied++;
-            return {
-                executed: false, requestId: request.requestId,
-                denialReason: `No valid delegation covers scope "${request.scopeRequired}" for tool "${request.tool}"`
-            };
+            // Step 2.1: Escalation fallback (Module 27 / INV-4)
+            // If no delegation covers this action, check for active escalation grants
+            if (this.config.enableEscalation && agent.activeEscalations) {
+                // Expire stale escalations first
+                this._expireAgentEscalations(agent);
+                const esc = agent.activeEscalations.find(e => {
+                    if (!isEscalationActive(e))
+                        return false;
+                    const grant = agent.escalationGrants?.find(g => g.grantId === e.grantId);
+                    if (!grant)
+                        return false;
+                    const check = checkEscalatedAction({
+                        escalation: e, grant,
+                        action: request.scopeRequired,
+                        actionClass: 'tentative', // default — gateway can only do tentative via escalation
+                        spend: request.spend?.amount,
+                    });
+                    return check.permitted;
+                });
+                if (esc) {
+                    viaEscalation = true;
+                    usedEscalationId = esc.escalationId;
+                    // Track spend
+                    if (request.spend) {
+                        esc.spentDuringEscalation += request.spend.amount;
+                    }
+                    this.stats.escalationsUsed = (this.stats.escalationsUsed ?? 0) + 1;
+                    this.config.onEscalationUsed?.(request.agentId, esc.escalationId, request.tool);
+                    // Use the first delegation from agent's set as the base for intent creation
+                    // (escalation extends beyond delegation scope, but we need a delegation for the 3-sig chain)
+                    escalationDelegation = agent.delegations.values().next().value;
+                }
+            }
+            if (!viaEscalation) {
+                this.stats.totalDenied++;
+                return {
+                    executed: false, requestId: request.requestId,
+                    denialReason: `No valid delegation covers scope "${request.scopeRequired}" for tool "${request.tool}"`
+                };
+            }
+            // Use escalation delegation as base
+            delegation = escalationDelegation;
         }
         const delegationStatus = verifyDelegation(delegation);
         if (!delegationStatus.valid || delegationStatus.expired || delegationStatus.revoked) {
             this.stats.totalDenied++;
             return { executed: false, requestId: request.requestId, denialReason: `Delegation ${delegation.delegationId} is no longer valid` };
         }
+        // Step 2.5: Governance staleness check (Module 21 / INV-2)
+        // If governance enforcement is enabled and the agent's attested version doesn't
+        // match the current governance version, block the action until re-attestation.
+        if (this.config.enableGovernanceEnforcement && this.config.governanceEnvelope) {
+            const currentVersion = this.config.governanceEnvelope.artifact.version;
+            const agentVersion = agent.governanceVersion;
+            if (agentVersion !== currentVersion) {
+                this.stats.totalDenied++;
+                this.stats.governanceStaleBlocks = (this.stats.governanceStaleBlocks ?? 0) + 1;
+                this.config.onGovernanceStaleBlock?.(request.agentId, agentVersion ?? 'none', currentVersion);
+                return {
+                    executed: false, requestId: request.requestId,
+                    denialReason: `Governance stale: agent attested to v${agentVersion ?? 'none'}, current is v${currentVersion}. Re-attestation required.`
+                };
+            }
+        }
+        // Step 2.6: Reversibility check (Gap 3 taxonomy)
+        if (this.config.maxReversibility && request.reversibility) {
+            const RANK = { tentative: 0, compensable: 1, irreversible: 2 };
+            const maxRank = RANK[this.config.maxReversibility] ?? 2;
+            const actionRank = RANK[request.reversibility] ?? 2;
+            if (actionRank > maxRank) {
+                this.stats.totalDenied++;
+                this.stats.reversibilityDenied = (this.stats.reversibilityDenied ?? 0) + 1;
+                return {
+                    executed: false, requestId: request.requestId,
+                    denialReason: `Action reversibility "${request.reversibility}" exceeds gateway max "${this.config.maxReversibility}"`
+                };
+            }
+        }
         // Step 3: Create intent
         const intent = createActionIntent({
             agentId: this.config.gatewayId,
@@ -264,6 +349,16 @@ export class ProxyGateway {
         });
         // Step 4: Evaluate intent against policy
         const validationCtx = this.buildValidationContext(agent, delegation);
+        // INV-4: Override scope for escalated actions — use escalation's effective scope
+        if (viaEscalation && usedEscalationId) {
+            const esc = agent.activeEscalations?.find(e => e.escalationId === usedEscalationId);
+            if (esc) {
+                validationCtx.delegation.scope = esc.effectiveScope;
+                if (esc.effectiveSpendLimit !== undefined) {
+                    validationCtx.delegation.spendLimit = esc.effectiveSpendLimit;
+                }
+            }
+        }
         const decision = evaluateIntent({
             intent,
             evaluatorId: this.config.gatewayId,
@@ -419,25 +514,55 @@ export class ProxyGateway {
             sao = createSAO(toolResult.result, taintLabel, this.config.gatewayPrivateKey, this.config.gatewayPublicKey);
         }
         // Step 7: Generate receipt (GATEWAY signs, not agent)
-        const receipt = createReceipt({
-            agentId: this.config.gatewayId,
-            delegationId: delegation.delegationId,
-            delegation: delegation,
-            action: {
-                type: `gateway:${request.tool}`,
-                target: JSON.stringify(request.params),
-                scopeUsed: request.scopeRequired,
-                spend: request.spend
-            },
-            result: {
-                status: toolResult.success ? 'success' : 'failure',
-                summary: toolResult.success
-                    ? `Executed ${request.tool} successfully`
-                    : `Executed ${request.tool} with error: ${toolResult.error}`
-            },
-            delegationChain: [this.config.gatewayPublicKey],
-            privateKey: this.config.gatewayPrivateKey
-        });
+        // For escalated actions, build receipt directly (base delegation's scope doesn't cover
+        // the escalated action — that's the whole point of escalation). The gateway IS the
+        // enforcement boundary and is authorized to sign receipts for escalated actions.
+        let receipt;
+        if (viaEscalation && usedEscalationId) {
+            const receiptData = {
+                receiptId: 'rcpt_' + uuidv4().slice(0, 12),
+                version: '1.1',
+                timestamp: new Date().toISOString(),
+                agentId: this.config.gatewayId,
+                delegationId: delegation.delegationId,
+                action: {
+                    type: `gateway:${request.tool}`,
+                    target: JSON.stringify(request.params),
+                    scopeUsed: request.scopeRequired,
+                    spend: request.spend
+                },
+                result: {
+                    status: toolResult.success ? 'success' : 'failure',
+                    summary: toolResult.success
+                        ? `Executed ${request.tool} via escalation ${usedEscalationId}`
+                        : `Executed ${request.tool} via escalation with error: ${toolResult.error}`
+                },
+                delegationChain: [this.config.gatewayPublicKey],
+            };
+            const canonical = canonicalize(receiptData);
+            receipt = { ...receiptData, signature: signData(canonical, this.config.gatewayPrivateKey) };
+        }
+        else {
+            receipt = createReceipt({
+                agentId: this.config.gatewayId,
+                delegationId: delegation.delegationId,
+                delegation: delegation,
+                action: {
+                    type: `gateway:${request.tool}`,
+                    target: JSON.stringify(request.params),
+                    scopeUsed: request.scopeRequired,
+                    spend: request.spend
+                },
+                result: {
+                    status: toolResult.success ? 'success' : 'failure',
+                    summary: toolResult.success
+                        ? `Executed ${request.tool} successfully`
+                        : `Executed ${request.tool} with error: ${toolResult.error}`
+                },
+                delegationChain: [this.config.gatewayPublicKey],
+                privateKey: this.config.gatewayPrivateKey
+            });
+        }
         // Step 8: Create policy receipt (links all 3 signatures)
         const policyReceipt = createPolicyReceipt({
             intent,
@@ -551,7 +676,10 @@ export class ProxyGateway {
             sao, flowCheck: flowCheckResult,
             obligationResolutions: obligationResolutions.length > 0 ? obligationResolutions : undefined,
             envelope,
-            tierCheck
+            tierCheck,
+            viaEscalation: viaEscalation || undefined,
+            escalationId: usedEscalationId,
+            reversibility: request.reversibility,
         };
         this.config.onToolCall?.(request, result);
         return result;
@@ -666,6 +794,23 @@ export class ProxyGateway {
                 agent.executionFrame = fresh;
             }
         }
+        // Governance staleness recheck at execution time (Module 21 / INV-2)
+        // Even if the approval was granted under the old governance, execution
+        // must verify the agent's attestation is still current.
+        if (this.config.enableGovernanceEnforcement && this.config.governanceEnvelope) {
+            const currentVersion = this.config.governanceEnvelope.artifact.version;
+            const agentVersion = agent.governanceVersion;
+            if (agentVersion !== currentVersion) {
+                this.stats.totalDenied++;
+                this.stats.governanceStaleBlocks = (this.stats.governanceStaleBlocks ?? 0) + 1;
+                this.config.onGovernanceStaleBlock?.(approval.agentId, agentVersion ?? 'none', currentVersion);
+                return {
+                    executed: false, requestId: approval.requestId,
+                    denialReason: `Governance stale at execution: agent attested to v${agentVersion ?? 'none'}, current is v${currentVersion}`,
+                    decision: approval.decision
+                };
+            }
+        }
         // Cross-chain data flow check (Module 18)
         let flowCheckResult;
         if (this.config.enableCrossChainEnforcement && agent.executionFrame) {
@@ -912,6 +1057,122 @@ export class ProxyGateway {
         };
         return true;
     }
+    // ── Governance Enforcement (Module 21 / INV-2) ──
+    /** Update the gateway's governance artifact. Enforces INV-2: governance can only
+     *  strengthen; weakening requires higher-order authorization (more approvals). */
+    updateGovernance(envelope, previousArtifact) {
+        if (!this.config.enableGovernanceEnforcement) {
+            return { accepted: false, error: 'Governance enforcement not enabled' };
+        }
+        const policy = this.config.governanceLoadPolicy ?? DEFAULT_LOAD_POLICY;
+        const verification = loadGovArtifact(envelope, policy, previousArtifact ?? this.config.governanceEnvelope?.artifact ?? null);
+        if (!verification.valid) {
+            // Check specifically for weakening block
+            if (!verification.weakeningApproved) {
+                this.stats.governanceWeakeningBlocked = (this.stats.governanceWeakeningBlocked ?? 0) + 1;
+                this.config.onGovernanceWeakeningBlocked?.(envelope.artifact, verification.errors.join('; '));
+            }
+            return { accepted: false, error: verification.errors.join('; ') };
+        }
+        // Compute diff if we have a previous artifact
+        let diff;
+        if (this.config.governanceEnvelope) {
+            const prev = this.config.governanceEnvelope.artifact;
+            // Extract principle IDs or item identifiers from content for diff
+            // Use additions/removals from the artifact metadata
+            diff = {
+                changeType: envelope.artifact.changeType,
+                additions: envelope.artifact.additions,
+                modifications: envelope.artifact.modifications,
+                removals: envelope.artifact.removals,
+                isWeakening: envelope.artifact.removals.length > 0,
+                isStrengthening: envelope.artifact.additions.length > 0 && envelope.artifact.removals.length === 0,
+            };
+        }
+        // Accept the update
+        this.config.governanceEnvelope = envelope;
+        this.stats.governanceUpdates = (this.stats.governanceUpdates ?? 0) + 1;
+        this.config.onGovernanceChange?.(diff ?? {
+            changeType: 'initial', additions: [], modifications: [], removals: [],
+            isWeakening: false, isStrengthening: false,
+        }, envelope.artifact);
+        return { accepted: true, diff };
+    }
+    /** Re-attest an agent to the current governance version after an update. */
+    reattestGovernance(agentId) {
+        const agent = this.agents.get(agentId);
+        if (!agent)
+            return { success: false, error: 'Agent not registered' };
+        if (!this.config.enableGovernanceEnforcement)
+            return { success: false, error: 'Governance enforcement not enabled' };
+        if (!this.config.governanceEnvelope)
+            return { success: false, error: 'No governance artifact loaded' };
+        agent.governanceVersion = this.config.governanceEnvelope.artifact.version;
+        return { success: true };
+    }
+    /** Get current governance artifact version */
+    getGovernanceVersion() {
+        return this.config.governanceEnvelope?.artifact.version;
+    }
+    /** Get agent's attested governance version */
+    getAgentGovernanceVersion(agentId) {
+        return this.agents.get(agentId)?.governanceVersion;
+    }
+    // ── Escalation Enforcement (Module 27 / INV-4) ──
+    /** Add an escalation grant for an agent */
+    addEscalationGrant(agentId, grant) {
+        const agent = this.agents.get(agentId);
+        if (!agent)
+            return { added: false, error: 'Agent not registered' };
+        if (!this.config.enableEscalation)
+            return { added: false, error: 'Escalation not enabled' };
+        if (!agent.escalationGrants)
+            agent.escalationGrants = [];
+        agent.escalationGrants.push(grant);
+        return { added: true };
+    }
+    /** Activate an escalation for an agent (gateway validates and activates) */
+    activateAgentEscalation(agentId, escalation) {
+        const agent = this.agents.get(agentId);
+        if (!agent)
+            return { activated: false, error: 'Agent not registered' };
+        if (!this.config.enableEscalation)
+            return { activated: false, error: 'Escalation not enabled' };
+        if (!agent.activeEscalations)
+            agent.activeEscalations = [];
+        // Expire stale ones first
+        this._expireAgentEscalations(agent);
+        // Check max concurrent
+        const maxConcurrent = this.config.maxConcurrentEscalations ?? 1;
+        const activeCount = agent.activeEscalations.filter(e => isEscalationActive(e)).length;
+        if (activeCount >= maxConcurrent) {
+            this.stats.escalationsDenied = (this.stats.escalationsDenied ?? 0) + 1;
+            return { activated: false, error: `Max concurrent escalations reached (${maxConcurrent})` };
+        }
+        agent.activeEscalations.push(escalation);
+        this.stats.escalationsActivated = (this.stats.escalationsActivated ?? 0) + 1;
+        return { activated: true };
+    }
+    /** Get active escalations for an agent */
+    getAgentEscalations(agentId) {
+        const agent = this.agents.get(agentId);
+        if (!agent || !agent.activeEscalations)
+            return [];
+        this._expireAgentEscalations(agent);
+        return agent.activeEscalations.filter(e => isEscalationActive(e));
+    }
+    /** Expire stale escalations for an agent */
+    _expireAgentEscalations(agent) {
+        if (!agent.activeEscalations)
+            return;
+        for (const esc of agent.activeEscalations) {
+            if (esc.status === 'active' && !isEscalationActive(esc)) {
+                esc.status = 'expired';
+                this.stats.escalationsExpired = (this.stats.escalationsExpired ?? 0) + 1;
+                this.config.onEscalationExpired?.(agent.passport.passport.agentId, esc.escalationId);
+            }
+        }
+    }
     findDelegation(agent, request) {
         if (request.delegationId) {
             const d = agent.delegations.get(request.delegationId);