agent-passport-system 1.22.0 → 1.25.0

package/README.md

@@ -9,7 +9,7 @@
 
 Cryptographic identity, ethical governance, economic attribution, data source registration, protocol-native communication, intent architecture, cascade revocation, coordination primitives, and agentic commerce for autonomous AI agents.
 
-**42 core modules + 32 v2 constitutional modules. 1421 tests. Zero heavy dependencies. Running code. MCP server included.**
+**42 core modules + 32 v2 constitutional modules. 1480 tests. Zero heavy dependencies. Running code. MCP server included.**
 
 > *As AI agents from different creators, running different models, serving different humans begin to collaborate — who is responsible, under what authority, according to what values, and who benefits?*
 
@@ -409,7 +409,7 @@ Or zero-install remote mode:
 npx agent-passport-system-mcp setup --remote
 ```
 
-**102 tools across all 46 modules, role-scoped access control.** Identity, delegation, agora, values/policy, coordination, and commerce — all accessible via MCP. Every operation Ed25519 signed. Auto-configures Claude Desktop and Cursor.
+**108 tools across all 48 modules, role-scoped access control.** Identity, delegation, agora, values/policy, coordination, and commerce — all accessible via MCP. Every operation Ed25519 signed. Auto-configures Claude Desktop and Cursor.
 
 Every operation is Ed25519 signed. Role is auto-detected from task assignments. Role-specific prompts served via MCP prompts API. File-backed task persistence at `~/.agent-passport-tasks.json`.
 
@@ -431,7 +431,7 @@ PyPI: [agent-passport-system](https://pypi.org/project/agent-passport-system/)
 
 ```bash
 npm test
-# 1421 tests across 58 files, 374 suites, 0 failures
+# 1480 tests across 58 files, 384 suites, 0 failures
 ```
 
 Includes 50 adversarial tests across 4 test files: Merkle tree tampering, attribution gaming resistance, compliance violations, floor negotiation attacks, wrong-key attestations, cross-chain confused deputy, taint laundering, permit bypass, causal chain manipulation.
@@ -527,7 +527,7 @@ src/                    32 source files
     reputation-authority.ts — Reputation/tier types
     cross-chain.ts     — Cross-chain taint/SAO types
     data-source.ts     — Data source/access receipt types
-tests/                  72 test files, 1421 tests (374 suites)
+tests/                  78 test files, 1480 tests (384 suites)
   adversarial.ts       — 50 adversarial cases
   adversarial-paper.test.ts — 22 paper-linked attack scenarios
   adversarial-causal-chain.test.ts — 18 causal chain attacks

package/dist/src/core/aps-txt.d.ts

@@ -0,0 +1,120 @@
+/**
+ * aps.txt — Site-Wide Governance Declaration
+ *
+ * Like robots.txt but for AI governance. A file at yourdomain.com/aps.txt
+ * declares site-wide governance: publisher identity, default terms,
+ * revocation endpoint, and MCP upgrade path.
+ *
+ * Any agent visiting any page on the domain checks aps.txt first.
+ * One file governs the entire site.
+ *
+ * Format: JSON, signed with Ed25519, served at /.well-known/aps.txt or /aps.txt
+ */
+import type { GovernanceTerms, RevocationPolicy } from './governance-block.js';
+export interface ApsTxt {
+    /** APS protocol identifier */
+    '@context': 'https://aeoess.com/governance/v1';
+    '@type': 'ApsTxt';
+    /** Domain this declaration covers */
+    domain: string;
+    /** Publisher's DID */
+    publisher_did: string;
+    /** Publisher name (human-readable) */
+    publisher_name: string;
+    /** Default terms for all content on this domain */
+    default_terms: GovernanceTerms;
+    /** Default revocation policy */
+    default_revocation_policy: RevocationPolicy;
+    /** URL for revocation status checks */
+    revocation_endpoint?: string;
+    /** MCP endpoint for full enforcement channel */
+    mcp_endpoint?: string;
+    /** Per-path overrides (e.g. /api/* has different terms than /blog/*) */
+    path_overrides?: PathOverride[];
+    /** When this declaration was generated */
+    generated_at: string;
+    /** Ed25519 signature */
+    signature: string;
+}
+export interface PathOverride {
+    /** Glob pattern (e.g. "/api/*", "/blog/*", "/data/**") */
+    pattern: string;
+    /** Terms override for this path */
+    terms: GovernanceTerms;
+    /** Optional revocation policy override */
+    revocation_policy?: RevocationPolicy;
+}
+export interface GenerateApsTxtInput {
+    domain: string;
+    publisherName: string;
+    publicKey: string;
+    privateKey: string;
+    defaultTerms: GovernanceTerms;
+    defaultRevocationPolicy?: RevocationPolicy;
+    revocationEndpoint?: string;
+    mcpEndpoint?: string;
+    pathOverrides?: PathOverride[];
+}
+export declare function generateApsTxt(input: GenerateApsTxtInput): ApsTxt;
+export declare function verifyApsTxt(doc: ApsTxt, publicKey: string): {
+    valid: boolean;
+    errors: string[];
+};
+/**
+ * Resolve terms for a specific path using aps.txt path overrides.
+ * Falls back to default_terms if no override matches.
+ */
+export declare function resolveTermsForPath(doc: ApsTxt, path: string): GovernanceTerms;
+/**
+ * Serialize aps.txt to a JSON string ready to serve as a file.
+ */
+export declare function serializeApsTxt(doc: ApsTxt): string;
+/**
+ * Parse an aps.txt JSON string back to an object.
+ */
+export declare function parseApsTxt(content: string): ApsTxt | null;
+import type { GovernanceBlock } from './governance-block.js';
+/**
+ * Generate HTTP response headers for governance.
+ * Works for ANY response type — HTML, JSON, images, PDFs.
+ */
+export declare function governanceHeaders(block: GovernanceBlock): Record<string, string>;
+/**
+ * Parse governance from HTTP response headers.
+ */
+export declare function parseGovernanceHeaders(headers: Record<string, string>): GovernanceBlock | null;
+export interface ChainedGovernanceBlock extends GovernanceBlock {
+    /** Reference to the parent governance block this is derived from */
+    parent_block_hash: string;
+    /** What type of derivation (summary, embedding, rag_chunk, etc.) */
+    derivation_type: string;
+    /** The derivative agent's DID (different from original publisher) */
+    derivative_agent_did: string;
+}
+/**
+ * Create a chained governance block for derivative content.
+ * The derivative carries its own governance AND the chain back to the source.
+ */
+export declare function createChainedGovernanceBlock(input: {
+    /** The derivative content */
+    content: string;
+    /** The derivative agent's keys */
+    publicKey: string;
+    privateKey: string;
+    /** Terms the derivative is published under */
+    terms: GovernanceTerms;
+    /** The original governance block this derives from */
+    parentBlock: GovernanceBlock;
+    /** Type of derivation */
+    derivationType: string;
+    revocationPolicy?: RevocationPolicy;
+}): ChainedGovernanceBlock;
+/**
+ * Verify a chained governance block, including parent hash consistency.
+ */
+export declare function verifyChainedBlock(chain: ChainedGovernanceBlock, content: string, derivativePublicKey: string, parentBlock?: GovernanceBlock): {
+    valid: boolean;
+    chainValid: boolean;
+    errors: string[];
+};
+//# sourceMappingURL=aps-txt.d.ts.map

package/dist/src/core/aps-txt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"aps-txt.d.ts","sourceRoot":"","sources":["../../../src/core/aps-txt.ts"],"names":[],"mappings":"AACA;;;;;;;;;;;GAWG;AAIH,OAAO,KAAK,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,uBAAuB,CAAA;AAO9E,MAAM,WAAW,MAAM;IACrB,8BAA8B;IAC9B,UAAU,EAAE,kCAAkC,CAAA;IAC9C,OAAO,EAAE,QAAQ,CAAA;IACjB,qCAAqC;IACrC,MAAM,EAAE,MAAM,CAAA;IACd,sBAAsB;IACtB,aAAa,EAAE,MAAM,CAAA;IACrB,sCAAsC;IACtC,cAAc,EAAE,MAAM,CAAA;IACtB,mDAAmD;IACnD,aAAa,EAAE,eAAe,CAAA;IAC9B,gCAAgC;IAChC,yBAAyB,EAAE,gBAAgB,CAAA;IAC3C,uCAAuC;IACvC,mBAAmB,CAAC,EAAE,MAAM,CAAA;IAC5B,gDAAgD;IAChD,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,wEAAwE;IACxE,cAAc,CAAC,EAAE,YAAY,EAAE,CAAA;IAC/B,0CAA0C;IAC1C,YAAY,EAAE,MAAM,CAAA;IACpB,wBAAwB;IACxB,SAAS,EAAE,MAAM,CAAA;CAClB;AAED,MAAM,WAAW,YAAY;IAC3B,0DAA0D;IAC1D,OAAO,EAAE,MAAM,CAAA;IACf,mCAAmC;IACnC,KAAK,EAAE,eAAe,CAAA;IACtB,0CAA0C;IAC1C,iBAAiB,CAAC,EAAE,gBAAgB,CAAA;CACrC;AAMD,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,MAAM,CAAA;IACd,aAAa,EAAE,MAAM,CAAA;IACrB,SAAS,EAAE,MAAM,CAAA;IACjB,UAAU,EAAE,MAAM,CAAA;IAClB,YAAY,EAAE,eAAe,CAAA;IAC7B,uBAAuB,CAAC,EAAE,gBAAgB,CAAA;IAC1C,kBAAkB,CAAC,EAAE,MAAM,CAAA;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAA;IACpB,aAAa,CAAC,EAAE,YAAY,EAAE,CAAA;CAC/B;AAED,wBAAgB,cAAc,CAAC,KAAK,EAAE,mBAAmB,GAAG,MAAM,CAqBjE;AAED,wBAAgB,YAAY,CAAC,GAAG,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAWjG;AAED;;;GAGG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,eAAe,CAS9E;AAWD;;GAEG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAEnD;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAM1D;AAMD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,uBAAuB,CAAA;AAE5D;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,eAAe,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAUhF;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,eAAe,GAAG,IAAI,CAM9F;AAMD,MAAM,WAAW,sBAAuB,SAAQ,eAAe;IAC7D,oEAAoE;IACpE,iBAAiB,EAAE,MAAM,CAAA;IACzB,oEAAoE;IACpE,eAAe,EAAE,MAAM,CAAA;IACvB,qEAAqE;IACrE,oBAAoB,EAAE,MAAM,CAAA;CAC7B;AAED;;;GAGG;AACH,wBAAgB,4BAA4B,CAAC,KAAK,EAAE;IAClD,6BAA6B;IAC7B,OAAO,EAAE,MAAM,CAAA;IACf,kCAAkC;IAClC,SAAS,EAAE,MAAM,CAAA;IACjB,UAAU,EAAE,MAAM,CAAA;IAClB,8CAA8C;IAC9C,KAAK,EAAE,eAAe,CAAA;IACtB,sDAAsD;IACtD,WAAW,EAAE,eAAe,CAAA;IAC5B,yBAAyB;IACzB,cAAc,EAAE,MAAM,CAAA;IACtB,gBAAgB,CAAC,EAAE,gBAAgB,CAAA;CACpC,GAAG,sBAAsB,CAuBzB;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAChC,KAAK,EAAE,sBAAsB,EAC7B,OAAO,EAAE,MAAM,EACf,mBAAmB,EAAE,MAAM,EAC3B,WAAW,CAAC,EAAE,eAAe,GAC5B;IAAE,KAAK,EAAE,OAAO,CAAC;IAAC,UAAU,EAAE,OAAO,CAAC;IAAC,MAAM,EAAE,MAAM,EAAE,CAAA;CAAE,CAwB3D"}

package/dist/src/core/aps-txt.js

@@ -0,0 +1,172 @@
+// Copyright 2024-2026 Tymofii Pidlisnyi. Apache-2.0 license. See LICENSE.
+/**
+ * aps.txt — Site-Wide Governance Declaration
+ *
+ * Like robots.txt but for AI governance. A file at yourdomain.com/aps.txt
+ * declares site-wide governance: publisher identity, default terms,
+ * revocation endpoint, and MCP upgrade path.
+ *
+ * Any agent visiting any page on the domain checks aps.txt first.
+ * One file governs the entire site.
+ *
+ * Format: JSON, signed with Ed25519, served at /.well-known/aps.txt or /aps.txt
+ */
+import { createHash } from 'node:crypto';
+import { sign, verify, canonicalize, createDID } from '../index.js';
+import { DEFAULT_REVOCATION_POLICY } from './governance-block.js';
+export function generateApsTxt(input) {
+    const publisherDid = createDID(input.publicKey);
+    const now = new Date().toISOString();
+    const doc = {
+        '@context': 'https://aeoess.com/governance/v1',
+        '@type': 'ApsTxt',
+        domain: input.domain,
+        publisher_did: publisherDid,
+        publisher_name: input.publisherName,
+        default_terms: input.defaultTerms,
+        default_revocation_policy: input.defaultRevocationPolicy || DEFAULT_REVOCATION_POLICY,
+        generated_at: now,
+        ...(input.revocationEndpoint && { revocation_endpoint: input.revocationEndpoint }),
+        ...(input.mcpEndpoint && { mcp_endpoint: input.mcpEndpoint }),
+        ...(input.pathOverrides?.length && { path_overrides: input.pathOverrides }),
+    };
+    const payload = canonicalize(doc);
+    const signature = sign(payload, input.privateKey);
+    return { ...doc, signature };
+}
+export function verifyApsTxt(doc, publicKey) {
+    const errors = [];
+    const { signature, ...rest } = doc;
+    const payload = canonicalize(rest);
+    const sigValid = verify(payload, signature, publicKey);
+    if (!sigValid)
+        errors.push('Signature verification failed');
+    const expectedDid = createDID(publicKey);
+    if (doc.publisher_did !== expectedDid)
+        errors.push(`DID mismatch: expected ${expectedDid}`);
+    return { valid: errors.length === 0, errors };
+}
+/**
+ * Resolve terms for a specific path using aps.txt path overrides.
+ * Falls back to default_terms if no override matches.
+ */
+export function resolveTermsForPath(doc, path) {
+    if (doc.path_overrides) {
+        for (const override of doc.path_overrides) {
+            if (matchGlob(override.pattern, path)) {
+                return { ...doc.default_terms, ...override.terms };
+            }
+        }
+    }
+    return doc.default_terms;
+}
+function matchGlob(pattern, path) {
+    // Simple glob: * matches one segment, ** matches multiple segments
+    const regex = pattern
+        .replace(/\*\*/g, '§DOUBLESTAR§')
+        .replace(/\*/g, '[^/]*')
+        .replace(/§DOUBLESTAR§/g, '.*');
+    return new RegExp(`^${regex}$`).test(path);
+}
+/**
+ * Serialize aps.txt to a JSON string ready to serve as a file.
+ */
+export function serializeApsTxt(doc) {
+    return JSON.stringify(doc, null, 2);
+}
+/**
+ * Parse an aps.txt JSON string back to an object.
+ */
+export function parseApsTxt(content) {
+    try {
+        const parsed = JSON.parse(content);
+        if (parsed['@type'] !== 'ApsTxt')
+            return null;
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Generate HTTP response headers for governance.
+ * Works for ANY response type — HTML, JSON, images, PDFs.
+ */
+export function governanceHeaders(block) {
+    const compact = JSON.stringify(block);
+    const b64 = Buffer.from(compact).toString('base64');
+    return {
+        'X-APS-Governance': b64,
+        'X-APS-DID': block.source_did,
+        'X-APS-Content-Hash': block.content_hash,
+        'X-APS-Terms-Training': block.terms.training || 'not_specified',
+        'X-APS-Terms-Inference': block.terms.inference || 'not_specified',
+    };
+}
+/**
+ * Parse governance from HTTP response headers.
+ */
+export function parseGovernanceHeaders(headers) {
+    const b64 = headers['x-aps-governance'] || headers['X-APS-Governance'];
+    if (!b64)
+        return null;
+    try {
+        return JSON.parse(Buffer.from(b64, 'base64').toString('utf-8'));
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Create a chained governance block for derivative content.
+ * The derivative carries its own governance AND the chain back to the source.
+ */
+export function createChainedGovernanceBlock(input) {
+    const contentHash = `sha256:${createHash('sha256').update(input.content).digest('hex')}`;
+    const derivativeDid = createDID(input.publicKey);
+    const parentBlockHash = `sha256:${createHash('sha256').update(canonicalize(input.parentBlock)).digest('hex')}`;
+    const now = new Date().toISOString();
+    const block = {
+        '@context': 'https://aeoess.com/governance/v1',
+        '@type': 'GovernanceBlock',
+        source_did: input.parentBlock.source_did,
+        content_hash: contentHash,
+        published_at: now,
+        governance_generated_at: now,
+        terms: input.terms,
+        revocation_policy: input.revocationPolicy || input.parentBlock.revocation_policy,
+        parent_block_hash: parentBlockHash,
+        derivation_type: input.derivationType,
+        derivative_agent_did: derivativeDid,
+    };
+    const payload = canonicalize(block);
+    const signature = sign(payload, input.privateKey);
+    return { ...block, signature };
+}
+/**
+ * Verify a chained governance block, including parent hash consistency.
+ */
+export function verifyChainedBlock(chain, content, derivativePublicKey, parentBlock) {
+    const errors = [];
+    // Verify derivative signature
+    const { signature, ...rest } = chain;
+    const payload = canonicalize(rest);
+    const sigValid = verify(payload, signature, derivativePublicKey);
+    if (!sigValid)
+        errors.push('Derivative signature verification failed');
+    // Verify content hash
+    const expectedHash = `sha256:${createHash('sha256').update(content).digest('hex')}`;
+    if (chain.content_hash !== expectedHash)
+        errors.push('Content hash mismatch');
+    // Verify parent chain if parent provided
+    let chainValid = true;
+    if (parentBlock) {
+        const expectedParentHash = `sha256:${createHash('sha256').update(canonicalize(parentBlock)).digest('hex')}`;
+        if (chain.parent_block_hash !== expectedParentHash) {
+            errors.push('Parent block hash mismatch — chain broken');
+            chainValid = false;
+        }
+    }
+    return { valid: sigValid && errors.length === 0, chainValid, errors };
+}
+//# sourceMappingURL=aps-txt.js.map

package/dist/src/core/aps-txt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"aps-txt.js","sourceRoot":"","sources":["../../../src/core/aps-txt.ts"],"names":[],"mappings":"AAAA,0EAA0E;AAC1E;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAA;AACxC,OAAO,EAAE,IAAI,EAAE,MAAM,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,aAAa,CAAA;AAEnE,OAAO,EAAE,yBAAyB,EAAE,MAAM,uBAAuB,CAAA;AAyDjE,MAAM,UAAU,cAAc,CAAC,KAA0B;IACvD,MAAM,YAAY,GAAG,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC,CAAA;IAC/C,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAA;IAEpC,MAAM,GAAG,GAA8B;QACrC,UAAU,EAAE,kCAAkC;QAC9C,OAAO,EAAE,QAAQ;QACjB,MAAM,EAAE,KAAK,CAAC,MAAM;QACpB,aAAa,EAAE,YAAY;QAC3B,cAAc,EAAE,KAAK,CAAC,aAAa;QACnC,aAAa,EAAE,KAAK,CAAC,YAAY;QACjC,yBAAyB,EAAE,KAAK,CAAC,uBAAuB,IAAI,yBAAyB;QACrF,YAAY,EAAE,GAAG;QACjB,GAAG,CAAC,KAAK,CAAC,kBAAkB,IAAI,EAAE,mBAAmB,EAAE,KAAK,CAAC,kBAAkB,EAAE,CAAC;QAClF,GAAG,CAAC,KAAK,CAAC,WAAW,IAAI,EAAE,YAAY,EAAE,KAAK,CAAC,WAAW,EAAE,CAAC;QAC7D,GAAG,CAAC,KAAK,CAAC,aAAa,EAAE,MAAM,IAAI,EAAE,cAAc,EAAE,KAAK,CAAC,aAAa,EAAE,CAAC;KAC5E,CAAA;IAED,MAAM,OAAO,GAAG,YAAY,CAAC,GAAG,CAAC,CAAA;IACjC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,UAAU,CAAC,CAAA;IACjD,OAAO,EAAE,GAAG,GAAG,EAAE,SAAS,EAAE,CAAA;AAC9B,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,GAAW,EAAE,SAAiB;IACzD,MAAM,MAAM,GAAa,EAAE,CAAA;IAC3B,MAAM,EAAE,SAAS,EAAE,GAAG,IAAI,EAAE,GAAG,GAAG,CAAA;IAClC,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAA;IAClC,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,EAAE,SAAS,EAAE,SAAS,CAAC,CAAA;IACtD,IAAI,CAAC,QAAQ;QAAE,MAAM,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAA;IAE3D,MAAM,WAAW,GAAG,SAAS,CAAC,SAAS,CAAC,CAAA;IACxC,IAAI,GAAG,CAAC,aAAa,KAAK,WAAW;QAAE,MAAM,CAAC,IAAI,CAAC,0BAA0B,WAAW,EAAE,CAAC,CAAA;IAE3F,OAAO,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;AAC/C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,mBAAmB,CAAC,GAAW,EAAE,IAAY;IAC3D,IAAI,GAAG,CAAC,cAAc,EAAE,CAAC;QACvB,KAAK,MAAM,QAAQ,IAAI,GAAG,CAAC,cAAc,EAAE,CAAC;YAC1C,IAAI,SAAS,CAAC,QAAQ,CAAC,OAAO,EAAE,IAAI,CAAC,EAAE,CAAC;gBACtC,OAAO,EAAE,GAAG,GAAG,CAAC,aAAa,EAAE,GAAG,QAAQ,CAAC,KAAK,EAAE,CAAA;YACpD,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC,aAAa,CAAA;AAC1B,CAAC;AAED,SAAS,SAAS,CAAC,OAAe,EAAE,IAAY;IAC9C,mEAAmE;IACnE,MAAM,KAAK,GAAG,OAAO;SAClB,OAAO,CAAC,OAAO,EAAE,cAAc,CAAC;SAChC,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC;SACvB,OAAO,CAAC,eAAe,EAAE,IAAI,CAAC,CAAA;IACjC,OAAO,IAAI,MAAM,CAAC,IAAI,KAAK,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAA;AAC5C,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,eAAe,CAAC,GAAW;IACzC,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAA;AACrC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,OAAe;IACzC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;QAClC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,QAAQ;YAAE,OAAO,IAAI,CAAA;QAC7C,OAAO,MAAgB,CAAA;IACzB,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,IAAI,CAAA;IAAC,CAAC;AACzB,CAAC;AAQD;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAsB;IACtD,MAAM,OAAO,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAA;IACrC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAA;IACnD,OAAO;QACL,kBAAkB,EAAE,GAAG;QACvB,WAAW,EAAE,KAAK,CAAC,UAAU;QAC7B,oBAAoB,EAAE,KAAK,CAAC,YAAY;QACxC,sBAAsB,EAAE,KAAK,CAAC,KAAK,CAAC,QAAQ,IAAI,eAAe;QAC/D,uBAAuB,EAAE,KAAK,CAAC,KAAK,CAAC,SAAS,IAAI,eAAe;KAClE,CAAA;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CAAC,OAA+B;IACpE,MAAM,GAAG,GAAG,OAAO,CAAC,kBAAkB,CAAC,IAAI,OAAO,CAAC,kBAAkB,CAAC,CAAA;IACtE,IAAI,CAAC,GAAG;QAAE,OAAO,IAAI,CAAA;IACrB,IAAI,CAAC;QACH,OAAO,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAoB,CAAA;IACpF,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO,IAAI,CAAA;IAAC,CAAC;AACzB,CAAC;AAeD;;;GAGG;AACH,MAAM,UAAU,4BAA4B,CAAC,KAa5C;IACC,MAAM,WAAW,GAAG,UAAU,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAA;IACxF,MAAM,aAAa,GAAG,SAAS,CAAC,KAAK,CAAC,SAAS,CAAC,CAAA;IAChD,MAAM,eAAe,GAAG,UAAU,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAA;IAC9G,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAA;IAEpC,MAAM,KAAK,GAA8C;QACvD,UAAU,EAAE,kCAAkC;QAC9C,OAAO,EAAE,iBAAiB;QAC1B,UAAU,EAAE,KAAK,CAAC,WAAW,CAAC,UAAU;QACxC,YAAY,EAAE,WAAW;QACzB,YAAY,EAAE,GAAG;QACjB,uBAAuB,EAAE,GAAG;QAC5B,KAAK,EAAE,KAAK,CAAC,KAAK;QAClB,iBAAiB,EAAE,KAAK,CAAC,gBAAgB,IAAI,KAAK,CAAC,WAAW,CAAC,iBAAiB;QAChF,iBAAiB,EAAE,eAAe;QAClC,eAAe,EAAE,KAAK,CAAC,cAAc;QACrC,oBAAoB,EAAE,aAAa;KACpC,CAAA;IAED,MAAM,OAAO,GAAG,YAAY,CAAC,KAAK,CAAC,CAAA;IACnC,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,UAAU,CAAC,CAAA;IACjD,OAAO,EAAE,GAAG,KAAK,EAAE,SAAS,EAAE,CAAA;AAChC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB,CAChC,KAA6B,EAC7B,OAAe,EACf,mBAA2B,EAC3B,WAA6B;IAE7B,MAAM,MAAM,GAAa,EAAE,CAAA;IAE3B,8BAA8B;IAC9B,MAAM,EAAE,SAAS,EAAE,GAAG,IAAI,EAAE,GAAG,KAAK,CAAA;IACpC,MAAM,OAAO,GAAG,YAAY,CAAC,IAAI,CAAC,CAAA;IAClC,MAAM,QAAQ,GAAG,MAAM,CAAC,OAAO,EAAE,SAAS,EAAE,mBAAmB,CAAC,CAAA;IAChE,IAAI,CAAC,QAAQ;QAAE,MAAM,CAAC,IAAI,CAAC,0CAA0C,CAAC,CAAA;IAEtE,sBAAsB;IACtB,MAAM,YAAY,GAAG,UAAU,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAA;IACnF,IAAI,KAAK,CAAC,YAAY,KAAK,YAAY;QAAE,MAAM,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAA;IAE7E,yCAAyC;IACzC,IAAI,UAAU,GAAG,IAAI,CAAA;IACrB,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,kBAAkB,GAAG,UAAU,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAA;QAC3G,IAAI,KAAK,CAAC,iBAAiB,KAAK,kBAAkB,EAAE,CAAC;YACnD,MAAM,CAAC,IAAI,CAAC,2CAA2C,CAAC,CAAA;YACxD,UAAU,GAAG,KAAK,CAAA;QACpB,CAAC;IACH,CAAC;IAED,OAAO,EAAE,KAAK,EAAE,QAAQ,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC,EAAE,UAAU,EAAE,MAAM,EAAE,CAAA;AACvE,CAAC"}

package/dist/src/core/gateway.d.ts

@@ -15,8 +15,20 @@ export declare class ProxyGateway {
     private requestsSinceCleanup;
     private agentLocks;
     private executor;
+    private storage?;
     private stats;
     constructor(config: GatewayConfig, executor: ToolExecutor);
+    /**
+     * Load persisted state from StorageBackend into in-memory Maps.
+     * Call after constructor when using persistent storage.
+     * Performs integrity verification on startup.
+     */
+    loadFromStorage(): Promise<{
+        loaded: boolean;
+        agents: number;
+        receipts: number;
+        errors: string[];
+    }>;
     registerAgent(passport: RegisteredAgent['passport'], attestation: FloorAttestation, delegations: Delegation[], role?: GatewayAgentRole): {
         registered: boolean;
         error?: string;

package/dist/src/core/gateway.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"gateway.d.ts","sourceRoot":"","sources":["../../../src/core/gateway.ts"],"names":[],"mappings":"AAsCA,OAAO,EAEL,KAAK,gBAAgB,EAAE,KAAK,eAAe,EAC5C,MAAM,iBAAiB,CAAA;AAExB,OAAO,KAAK,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAA;AAMpG,OAAO,KAAK,EAAE,UAAU,EAAiB,gBAAgB,EAAkB,MAAM,sBAAsB,CAAA;AACvG,OAAO,KAAK,EAAE,cAAc,EAAsC,MAAM,oBAAoB,CAAA;AAC5F,OAAO,KAAK,EAAE,gBAAgB,EAAE,cAAc,EAAyB,MAAM,yBAAyB,CAAA;AACtG,OAAO,KAAK,EAAE,UAAU,EAAwB,MAAM,yBAAyB,CAAA;AAE/E,OAAO,KAAK,EAAE,gBAAgB,EAAE,aAAa,EAAmD,MAAM,kCAAkC,CAAA;AAExI,OAAO,KAAK,EACV,eAAe,EAAE,cAAc,EAC/B,eAAe,EAAE,YAAY,EAAE,aAAa,EAC5C,eAAe,EAAE,YAAY,EAAE,gBAAgB,EAChD,MAAM,qBAAqB,CAAA;AAO5B,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAAwJ;IACtK,OAAO,CAAC,SAAS,CAAiB;IAClC,OAAO,CAAC,MAAM,CAA0C;IACxD,OAAO,CAAC,SAAS,CAA0C;IAC3D,OAAO,CAAC,cAAc,CAAiC;IACvD,OAAO,CAAC,oBAAoB,CAAI;IAChC,OAAO,CAAC,UAAU,CAAwC;IAC1D,OAAO,CAAC,QAAQ,CAAc;IAC9B,OAAO,CAAC,KAAK,CA4BZ;gBAEW,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,YAAY;IAuBzD,aAAa,CACX,QAAQ,EAAE,eAAe,CAAC,UAAU,CAAC,EACrC,WAAW,EAAE,gBAAgB,EAC7B,WAAW,EAAE,UAAU,EAAE,EACzB,IAAI,GAAE,gBAA6B,GAClC;QAAE,UAAU,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IA2D1C,mFAAmF;IACnF,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAM/C,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAYzC,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,GAAG;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAW1F,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IA6B1D,eAAe,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC;YAiB1D,qBAAqB;IA0fnC,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG;QAAE,QAAQ,EAAE,OAAO,CAAC;QAAC,QAAQ,CAAC,EAAE,eAAe,CAAC;QAAC,MAAM,CAAC,EAAE;YAAE,MAAM,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,cAAc,CAAA;SAAE,CAAA;KAAE;IA6DtI,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;YAkCpD,qBAAqB;IAiMnC,YAAY,IAAI,MAAM;IAkBtB,QAAQ,IAAI,YAAY;IAExB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,eAAe,EAAE;IAMrD,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,GAAG,OAAO;IASlE,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO;IASxD,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,GAAG,OAAO;IAQpE,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAI1D,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,EAAE,GAAG,SAAS;IAI9D,oDAAoD;IACpD,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,gBAAgB,GAAG,SAAS;IAIjE,yCAAyC;IACzC,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IAIxD,uFAAuF;IACvF,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,gBAAgB,GAAG,OAAO;IAkB1E;sFACkF;IAClF,gBAAgB,CAAC,QAAQ,EAAE,kBAAkB,EAAE,gBAAgB,CAAC,EAAE,kBAAkB,GAAG,IAAI,GAAG;QAC5F,QAAQ,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,cAAc,CAAA;KACzD;IA2CD,4EAA4E;IAC5E,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IASzE,8CAA8C;IAC9C,oBAAoB,IAAI,MAAM,GAAG,SAAS;IAI1C,8CAA8C;IAC9C,yBAAyB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS;IAM9D,2CAA2C;IAC3C,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,eAAe,GAAG;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAS/F,4EAA4E;IAC5E,uBAAuB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,gBAAgB,GAAG;QAAE,SAAS,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAsB9G,0CAA0C;IAC1C,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,gBAAgB,EAAE;IAOxD,4CAA4C;IAC5C,OAAO,CAAC,uBAAuB;IAW/B,OAAO,CAAC,cAAc;IAetB,OAAO,CAAC,sBAAsB;CAgB/B;AAED,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,YAAY,GAAG,YAAY,CAE9F"}
+{"version":3,"file":"gateway.d.ts","sourceRoot":"","sources":["../../../src/core/gateway.ts"],"names":[],"mappings":"AAuCA,OAAO,EAEL,KAAK,gBAAgB,EAAE,KAAK,eAAe,EAC5C,MAAM,iBAAiB,CAAA;AAExB,OAAO,KAAK,EAAE,kBAAkB,EAAE,kBAAkB,EAAE,cAAc,EAAE,MAAM,wBAAwB,CAAA;AAMpG,OAAO,KAAK,EAAE,UAAU,EAAiB,gBAAgB,EAAkB,MAAM,sBAAsB,CAAA;AACvG,OAAO,KAAK,EAAE,cAAc,EAAsC,MAAM,oBAAoB,CAAA;AAC5F,OAAO,KAAK,EAAE,gBAAgB,EAAE,cAAc,EAAyB,MAAM,yBAAyB,CAAA;AACtG,OAAO,KAAK,EAAE,UAAU,EAAwB,MAAM,yBAAyB,CAAA;AAE/E,OAAO,KAAK,EAAE,gBAAgB,EAAE,aAAa,EAAmD,MAAM,kCAAkC,CAAA;AAExI,OAAO,KAAK,EACV,eAAe,EAAE,cAAc,EAC/B,eAAe,EAAE,YAAY,EAAE,aAAa,EAC5C,eAAe,EAAE,YAAY,EAAE,gBAAgB,EAChD,MAAM,qBAAqB,CAAA;AAO5B,qBAAa,YAAY;IACvB,OAAO,CAAC,MAAM,CAAwJ;IACtK,OAAO,CAAC,SAAS,CAAiB;IAClC,OAAO,CAAC,MAAM,CAA0C;IACxD,OAAO,CAAC,SAAS,CAA0C;IAC3D,OAAO,CAAC,cAAc,CAAiC;IACvD,OAAO,CAAC,oBAAoB,CAAI;IAChC,OAAO,CAAC,UAAU,CAAwC;IAC1D,OAAO,CAAC,QAAQ,CAAc;IAC9B,OAAO,CAAC,OAAO,CAAC,CAAgB;IAChC,OAAO,CAAC,KAAK,CA4BZ;gBAEW,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,YAAY;IA2BzD;;;;OAIG;IACG,eAAe,IAAI,OAAO,CAAC;QAAE,MAAM,EAAE,OAAO,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,EAAE,CAAA;KAAE,CAAC;IAqDzG,aAAa,CACX,QAAQ,EAAE,eAAe,CAAC,UAAU,CAAC,EACrC,WAAW,EAAE,gBAAgB,EAC7B,WAAW,EAAE,UAAU,EAAE,EACzB,IAAI,GAAE,gBAA6B,GAClC;QAAE,UAAU,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAwE1C,mFAAmF;IACnF,qBAAqB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAM/C,eAAe,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO;IAYzC,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,GAAG;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAW1F,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IA6B1D,eAAe,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC;YAiB1D,qBAAqB;IAygBnC,OAAO,CAAC,OAAO,EAAE,eAAe,GAAG;QAAE,QAAQ,EAAE,OAAO,CAAC;QAAC,QAAQ,CAAC,EAAE,eAAe,CAAC;QAAC,MAAM,CAAC,EAAE;YAAE,MAAM,EAAE,MAAM,CAAC;YAAC,QAAQ,CAAC,EAAE,cAAc,CAAA;SAAE,CAAA;KAAE;IA6DtI,eAAe,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,cAAc,CAAC;YAkCpD,qBAAqB;IAgNnC,YAAY,IAAI,MAAM;IAkBtB,QAAQ,IAAI,YAAY;IAExB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,eAAe,EAAE;IAMrD,cAAc,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,gBAAgB,GAAG,OAAO;IASlE,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,OAAO;IASxD,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,UAAU,GAAG,OAAO;IAQpE,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,cAAc,GAAG,SAAS;IAI1D,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,EAAE,GAAG,SAAS;IAI9D,oDAAoD;IACpD,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,gBAAgB,GAAG,SAAS;IAIjE,yCAAyC;IACzC,YAAY,CAAC,OAAO,EAAE,MAAM,GAAG,aAAa,GAAG,SAAS;IAIxD,uFAAuF;IACvF,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,gBAAgB,GAAG,OAAO;IAkB1E;sFACkF;IAClF,gBAAgB,CAAC,QAAQ,EAAE,kBAAkB,EAAE,gBAAgB,CAAC,EAAE,kBAAkB,GAAG,IAAI,GAAG;QAC5F,QAAQ,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,cAAc,CAAA;KACzD;IA2CD,4EAA4E;IAC5E,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG;QAAE,OAAO,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IASzE,8CAA8C;IAC9C,oBAAoB,IAAI,MAAM,GAAG,SAAS;IAI1C,8CAA8C;IAC9C,yBAAyB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS;IAM9D,2CAA2C;IAC3C,kBAAkB,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,eAAe,GAAG;QAAE,KAAK,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAS/F,4EAA4E;IAC5E,uBAAuB,CAAC,OAAO,EAAE,MAAM,EAAE,UAAU,EAAE,gBAAgB,GAAG;QAAE,SAAS,EAAE,OAAO,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE;IAsB9G,0CAA0C;IAC1C,mBAAmB,CAAC,OAAO,EAAE,MAAM,GAAG,gBAAgB,EAAE;IAOxD,4CAA4C;IAC5C,OAAO,CAAC,uBAAuB;IAW/B,OAAO,CAAC,cAAc;IAetB,OAAO,CAAC,sBAAsB;CAgB/B;AAED,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,aAAa,EAAE,QAAQ,EAAE,YAAY,GAAG,YAAY,CAE9F"}

package/dist/src/core/gateway.js

@@ -50,6 +50,7 @@ export class ProxyGateway {
     requestsSinceCleanup = 0; // V5-MED-4: auto-cleanup counter
     agentLocks = new Map(); // Per-agent sequential execution (concurrency fix)
     executor;
+    storage;
     stats = {
         totalRequests: 0,
         totalPermitted: 0,
@@ -89,13 +90,70 @@ export class ProxyGateway {
         };
         this.validator = config.validator || new FloorValidatorV1();
         this.executor = executor;
-        // B-1 security warning: all gateway state is in-memory
-        if (typeof console !== 'undefined') {
+        this.storage = config.storage;
+        // B-1 security warning: only if no persistent storage
+        if (!this.storage && typeof console !== 'undefined') {
             console.warn('[ProxyGateway] WARNING: All security state (revocations, registrations, replay protection) ' +
                 'is stored in-memory. Process restart will erase all security state. ' +
                 'NOT SAFE FOR PRODUCTION. Implement a persistent StorageBackend for production use.');
         }
     }
+    // ── Storage Persistence (write-through cache) ──
+    // Maps remain the hot path for sync lookups.
+    // StorageBackend persists behind them for durability.
+    // On restart: loadFromStorage() hydrates Maps from backend.
+    /**
+     * Load persisted state from StorageBackend into in-memory Maps.
+     * Call after constructor when using persistent storage.
+     * Performs integrity verification on startup.
+     */
+    async loadFromStorage() {
+        if (!this.storage)
+            return { loaded: false, agents: 0, receipts: 0, errors: ['No storage backend configured'] };
+        // Integrity check first
+        const report = await this.storage.verifyIntegrity();
+        if (report.errors.length > 0) {
+            return { loaded: false, agents: 0, receipts: report.receiptCount, errors: report.errors };
+        }
+        // Load agents
+        const agents = await this.storage.listAgents();
+        for (const stored of agents) {
+            // Re-register: load delegations for this agent
+            const delegations = await this.storage.getDelegationsForAgent(stored.passport.passport?.publicKey || '');
+            const delegationMap = new Map();
+            for (const d of delegations) {
+                const revoked = await this.storage.isRevoked(d.delegationId);
+                if (!revoked)
+                    delegationMap.set(d.delegationId, d);
+            }
+            // Load reputation if it exists
+            let reputation;
+            let authorityTier;
+            if (this.config.enableReputationGating) {
+                reputation = (await this.storage.getReputation(stored.agentId, '*')) ?? undefined;
+                if (reputation) {
+                    const score = computeEffectiveScore(reputation.mu, reputation.sigma);
+                    const demotions = await this.storage.getDemotionCount(stored.agentId);
+                    const tierDef = resolveAuthorityTier(score, demotions);
+                    authorityTier = {
+                        tier: tierDef.tier, name: tierDef.name,
+                        origin: 'earned', autonomyLevel: tierDef.autonomyLevel,
+                        maxDelegationDepth: tierDef.maxDelegationDepth,
+                        maxSpendPerAction: tierDef.maxSpendPerAction, demotionCount: demotions,
+                    };
+                }
+            }
+            this.agents.set(stored.agentId, {
+                passport: stored.passport,
+                attestation: stored.attestation,
+                delegations: delegationMap,
+                role: stored.metadata?.role ?? 'executor',
+                reputation, authorityTier,
+            });
+        }
+        this.stats.activeAgents = this.agents.size;
+        return { loaded: true, agents: agents.length, receipts: report.receiptCount, errors: [] };
+    }
     // ── Agent Registration ──
     registerAgent(passport, attestation, delegations, role = 'executor') {
         // Verify passport (SignedPassport wraps AgentPassport)
@@ -148,6 +206,20 @@ export class ProxyGateway {
             activeEscalations: this.config.enableEscalation ? [] : undefined,
         });
         this.stats.activeAgents = this.agents.size;
+        // Write-through to persistent storage (fire-and-forget)
+        if (this.storage) {
+            const s = this.storage;
+            (async () => {
+                try {
+                    await s.putAgent({ agentId, passport, attestation, registeredAt: new Date().toISOString() });
+                    for (const d of delegations)
+                        await s.putDelegation(d);
+                    if (reputation)
+                        await s.putReputation(reputation);
+                }
+                catch (e) { /* storage write failure — logged but not fatal */ }
+            })();
+        }
         return { registered: true };
     }
     /** Check if an agent is registered with evaluator role (B-9 security hardening) */
@@ -696,6 +768,22 @@ export class ProxyGateway {
             escalationId: usedEscalationId,
             reversibility: request.reversibility,
         };
+        // ── Persist to storage (write-through) ──
+        if (this.storage && receipt) {
+            const s = this.storage;
+            const agentRep = agent.reputation;
+            (async () => {
+                try {
+                    await s.transaction(async (tx) => {
+                        await tx.appendReceipt(receipt);
+                        await tx.checkAndStoreNonce(request.requestId, Math.floor((this.config.requestIdTTLMs || 3600000) / 1000));
+                        if (agentRep)
+                            await tx.putReputation(agentRep);
+                    });
+                }
+                catch (_e) { /* storage write failure — in-memory state is still authoritative */ }
+            })();
+        }
         this.config.onToolCall?.(request, result);
         return result;
     }
@@ -975,6 +1063,22 @@ export class ProxyGateway {
         }
         const proof = { requestSignature: approval.intent.signature, decisionSignature: approval.decision.signature, receiptSignature: receipt.signature, policyReceipt };
         this.stats.pendingApprovals = Array.from(this.approvals.values()).filter(a => !a.consumed).length;
+        // ── Persist to storage (write-through, 2-phase path) ──
+        if (this.storage && receipt) {
+            const s = this.storage;
+            const agentRep = agent.reputation;
+            (async () => {
+                try {
+                    await s.transaction(async (tx) => {
+                        await tx.appendReceipt(receipt);
+                        await tx.checkAndStoreNonce(approval.requestId, Math.floor((this.config.requestIdTTLMs || 3600000) / 1000));
+                        if (agentRep)
+                            await tx.putReputation(agentRep);
+                    });
+                }
+                catch (_e) { /* storage write failure — in-memory state is still authoritative */ }
+            })();
+        }
         return {
             executed: true, requestId: approval.requestId,
             result: toolResult.result, toolError: toolResult.success ? undefined : toolResult.error,