agentcheck-sdk 1.0.0 → 2.0.0

package/dist/pqc/signer.js

@@ -0,0 +1,97 @@
+"use strict";
+/**
+ * PQC signer for DSSE envelopes.
+ *
+ * Signs audit records with HMAC-SHA256 locally via Web Crypto API.
+ * ML-DSA-87 signing is delegated to the fides-rs server so that
+ * private keys never exist in JavaScript memory.
+ *
+ * Tier: Atom (be-atom-agentcheck-pqc-signer-ts) - single responsibility: signing.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PqcSigner = void 0;
+const dsse_1 = require("./dsse");
+class PqcSigner {
+    /**
+     * @param hmacKey Optional HMAC-SHA256 secret for local signing.
+     * @param serverUrl Optional fides-rs base URL for ML-DSA-87 server-side signing.
+     * @param apiKey Optional API key for authenticating with the signing server.
+     */
+    constructor(opts = {}) {
+        this.hmacKey = opts.hmacKey;
+        this.serverUrl = opts.serverUrl;
+        this.apiKey = opts.apiKey;
+    }
+    /**
+     * Create a DSSE envelope with HMAC-SHA256 signature.
+     *
+     * If no hmacKey is configured, the envelope is returned unsigned.
+     *
+     * @param payload Object to sign and encode into the envelope.
+     * @param keyId Key identifier to embed in the signature.
+     * @returns Signed DsseEnvelope (or unsigned if no key).
+     */
+    async signHmac(payload, keyId = "hmac:sha256") {
+        const envelope = dsse_1.DsseEnvelope.create(payload, dsse_1.DSSE_PAYLOAD_TYPE);
+        if (!this.hmacKey) {
+            console.warn("signHmac called without hmacKey - envelope will be unsigned");
+            return envelope;
+        }
+        const pae = envelope.pae();
+        const keyBytes = new TextEncoder().encode(this.hmacKey);
+        const cryptoKey = await crypto.subtle.importKey("raw", keyBytes, { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
+        const sigRaw = await crypto.subtle.sign("HMAC", cryptoKey, new Uint8Array(pae));
+        const sigB64 = base64Encode(new Uint8Array(sigRaw));
+        const sig = new dsse_1.DsseSignature(keyId, sigB64);
+        return envelope.withSignature(sig);
+    }
+    /**
+     * Request ML-DSA-87 signing from the fides-rs server.
+     *
+     * Returns null if the server is unavailable or not configured.
+     *
+     * @param payload Object to sign with ML-DSA-87 on the server.
+     * @returns Signed DsseEnvelope, or null if server signing is unavailable.
+     */
+    async signPqc(payload) {
+        if (!this.serverUrl) {
+            return null;
+        }
+        try {
+            const envelope = dsse_1.DsseEnvelope.create(payload, dsse_1.DSSE_PAYLOAD_TYPE);
+            const headers = {
+                "Content-Type": "application/json",
+            };
+            if (this.apiKey) {
+                headers["X-API-Key"] = this.apiKey;
+            }
+            const resp = await fetch(`${this.serverUrl}/api/v1/auth/sign`, {
+                method: "POST",
+                headers,
+                body: JSON.stringify({ envelope: envelope.toDict() }),
+            });
+            if (!resp.ok) {
+                console.warn(`PQC signing server returned HTTP ${resp.status}`);
+                return null;
+            }
+            const result = (await resp.json());
+            const envelopeData = result.envelope;
+            if (!envelopeData) {
+                console.warn("PQC signing server returned no envelope");
+                return null;
+            }
+            return dsse_1.DsseEnvelope.fromDict(envelopeData);
+        }
+        catch (err) {
+            console.warn("PQC server signing failed:", err);
+            return null;
+        }
+    }
+}
+exports.PqcSigner = PqcSigner;
+function base64Encode(bytes) {
+    if (typeof Buffer !== "undefined") {
+        return Buffer.from(bytes).toString("base64");
+    }
+    return btoa(String.fromCharCode(...bytes));
+}

package/dist/pqc/verifier.d.ts

@@ -0,0 +1,49 @@
+/**
+ * PQC signature verifier for DSSE envelopes.
+ *
+ * Verifies HMAC-SHA256 signatures locally via Web Crypto API.
+ * ML-DSA-87 verification is delegated to the fides-rs server since
+ * no stable JS binding for ML-DSA-87 is currently available.
+ *
+ * Tier: Atom (be-atom-agentcheck-pqc-verifier-ts) - single responsibility: verification.
+ */
+import type { AgentCheckClient } from "../client";
+import { DsseEnvelope } from "./dsse";
+export declare class PqcVerifier {
+    private readonly hmacKey;
+    private readonly publicKey;
+    /**
+     * @param hmacKey Optional HMAC-SHA256 secret for local verification.
+     * @param publicKey Optional ML-DSA-87 public key bytes (reserved for future use).
+     */
+    constructor(opts?: {
+        hmacKey?: string;
+        publicKey?: Uint8Array;
+    });
+    /**
+     * Verify all signatures on the envelope.
+     *
+     * Attempts HMAC-SHA256 verification locally for signatures whose keyid
+     * starts with 'hmac:'. ML-DSA-87 signatures require server-side verification.
+     *
+     * @returns true if at least one signature verified, false if all failed,
+     *          null if verification could not be performed (no key configured).
+     */
+    verify(envelope: DsseEnvelope): Promise<boolean | null>;
+    /**
+     * Verify HMAC-SHA256 signature using Web Crypto API.
+     *
+     * @param pae Pre-Authentication Encoding bytes.
+     * @param sigB64 Base64-encoded expected HMAC digest.
+     * @returns true if signature matches.
+     */
+    verifyHmac(pae: Uint8Array, sigB64: string): Promise<boolean>;
+    /**
+     * Delegate verification to the fides-rs server.
+     *
+     * @param client AgentCheckClient connected to the fides-rs server.
+     * @param envelope DSSE envelope to verify.
+     * @returns true if server confirms the signature is valid.
+     */
+    verifyViaServer(client: AgentCheckClient, envelope: DsseEnvelope): Promise<boolean>;
+}

package/dist/pqc/verifier.js

@@ -0,0 +1,93 @@
+"use strict";
+/**
+ * PQC signature verifier for DSSE envelopes.
+ *
+ * Verifies HMAC-SHA256 signatures locally via Web Crypto API.
+ * ML-DSA-87 verification is delegated to the fides-rs server since
+ * no stable JS binding for ML-DSA-87 is currently available.
+ *
+ * Tier: Atom (be-atom-agentcheck-pqc-verifier-ts) - single responsibility: verification.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PqcVerifier = void 0;
+class PqcVerifier {
+    /**
+     * @param hmacKey Optional HMAC-SHA256 secret for local verification.
+     * @param publicKey Optional ML-DSA-87 public key bytes (reserved for future use).
+     */
+    constructor(opts = {}) {
+        this.hmacKey = opts.hmacKey;
+        this.publicKey = opts.publicKey;
+    }
+    /**
+     * Verify all signatures on the envelope.
+     *
+     * Attempts HMAC-SHA256 verification locally for signatures whose keyid
+     * starts with 'hmac:'. ML-DSA-87 signatures require server-side verification.
+     *
+     * @returns true if at least one signature verified, false if all failed,
+     *          null if verification could not be performed (no key configured).
+     */
+    async verify(envelope) {
+        if (envelope.signatures.length === 0) {
+            return false;
+        }
+        const pae = envelope.pae();
+        let checkedAny = false;
+        let verifiedAny = false;
+        for (const sig of envelope.signatures) {
+            if (sig.keyid.startsWith("hmac:") && this.hmacKey) {
+                checkedAny = true;
+                const ok = await this.verifyHmac(pae, sig.sig);
+                if (ok)
+                    verifiedAny = true;
+            }
+            else if (sig.keyid.startsWith("ML-DSA-87:") || sig.keyid.startsWith("mldsa:")) {
+                // Cannot verify ML-DSA-87 locally in JS - caller should use verifyViaServer
+                checkedAny = false;
+            }
+        }
+        if (!checkedAny)
+            return null;
+        return verifiedAny;
+    }
+    /**
+     * Verify HMAC-SHA256 signature using Web Crypto API.
+     *
+     * @param pae Pre-Authentication Encoding bytes.
+     * @param sigB64 Base64-encoded expected HMAC digest.
+     * @returns true if signature matches.
+     */
+    async verifyHmac(pae, sigB64) {
+        if (!this.hmacKey)
+            return false;
+        const keyBytes = new TextEncoder().encode(this.hmacKey);
+        const cryptoKey = await crypto.subtle.importKey("raw", keyBytes, { name: "HMAC", hash: "SHA-256" }, false, ["sign"]);
+        const expectedRaw = await crypto.subtle.sign("HMAC", cryptoKey, new Uint8Array(pae));
+        const expectedB64 = base64Encode(new Uint8Array(expectedRaw));
+        return expectedB64 === sigB64;
+    }
+    /**
+     * Delegate verification to the fides-rs server.
+     *
+     * @param client AgentCheckClient connected to the fides-rs server.
+     * @param envelope DSSE envelope to verify.
+     * @returns true if server confirms the signature is valid.
+     */
+    async verifyViaServer(client, envelope) {
+        try {
+            const result = await client.request("POST", "/api/v1/auth/verify", { envelope: envelope.toDict() });
+            return result.verified === true;
+        }
+        catch {
+            return false;
+        }
+    }
+}
+exports.PqcVerifier = PqcVerifier;
+function base64Encode(bytes) {
+    if (typeof Buffer !== "undefined") {
+        return Buffer.from(bytes).toString("base64");
+    }
+    return btoa(String.fromCharCode(...bytes));
+}

package/dist/router.d.ts

@@ -0,0 +1,78 @@
+/**
+ * Layer Router - Dynamic safety layer selection based on trust and context.
+ *
+ * Tier: Atom (single responsibility: decide which safety layers to execute)
+ *
+ * Maps an agent's trust tier to an ordered list of layer names. The
+ * SafetyStack and VerificationPipeline read this list to skip unnecessary
+ * layers for high-trust agents while applying all layers to low-trust or
+ * risky actions.
+ *
+ * Default routing table:
+ *   high:   scope_engine, budget_tracker
+ *   medium: scope_engine, semantic_verifier, budget_tracker, pattern_monitor
+ *   low:    scope_engine, semantic_verifier, budget_tracker,
+ *           pattern_monitor, human_escalation
+ *
+ * Context overrides:
+ *   - riskLevel == "critical": human_escalation is always appended.
+ *   - amount > pqcAmountThreshold: "pqc_signing" flag is appended.
+ */
+import { TrustScore } from "./trust";
+/** Routing rules: tier label -> ordered list of layer name strings. */
+export type RoutingRules = Partial<Record<"high" | "medium" | "low", string[]>>;
+/** Options for LayerRouter constructor. */
+export interface LayerRouterConfig {
+    /** Override default tier->layers mapping. */
+    rules?: RoutingRules;
+    /** Monetary threshold above which PQC signing is required. Default: 10000. */
+    pqcAmountThreshold?: number;
+}
+export declare class LayerRouter {
+    /**
+     * Determine which safety layers to run based on trust and action context.
+     *
+     * Usage:
+     *   const router = new LayerRouter();
+     *   const layers = router.route(trustScore, "order_parts", { amount: 5000 });
+     *   // ["scope_engine", "budget_tracker", "pattern_monitor"]
+     */
+    /** Default routing rules per trust tier. */
+    static readonly DEFAULT_RULES: Record<string, string[]>;
+    private rules;
+    private pqcThreshold;
+    constructor(config?: LayerRouterConfig);
+    /**
+     * Return the ordered list of layer names to execute.
+     *
+     * Resolution order:
+     *   1. Base layers from trust tier.
+     *   2. If riskLevel == "critical", ensure "human_escalation" is included.
+     *   3. If amount > pqcThreshold, append "pqc_signing".
+     *
+     * @param trust - TrustScore for the acting agent.
+     * @param action - The action being attempted (reserved for future per-action rules).
+     * @param opts.amount - Optional monetary amount of the action.
+     * @param opts.riskLevel - Optional contextual risk label. "critical" forces
+     *   human escalation regardless of trust tier.
+     * @returns Ordered array of layer name strings to execute.
+     */
+    route(trust: TrustScore, action: string, opts?: {
+        amount?: number;
+        riskLevel?: string;
+    }): string[];
+    /**
+     * Add or override the routing rule for a given tier.
+     *
+     * @param tier - One of "high", "medium", or "low".
+     * @param layers - Ordered list of layer names for this tier.
+     */
+    addRule(tier: string, layers: string[]): void;
+    /**
+     * Check whether PQC signing is required based on the action amount.
+     *
+     * @param amount - Monetary value of the action. undefined or 0 returns false.
+     * @returns True if amount exceeds the configured PQC threshold.
+     */
+    requiresPqc(amount?: number): boolean;
+}

package/dist/router.js

@@ -0,0 +1,102 @@
+"use strict";
+/**
+ * Layer Router - Dynamic safety layer selection based on trust and context.
+ *
+ * Tier: Atom (single responsibility: decide which safety layers to execute)
+ *
+ * Maps an agent's trust tier to an ordered list of layer names. The
+ * SafetyStack and VerificationPipeline read this list to skip unnecessary
+ * layers for high-trust agents while applying all layers to low-trust or
+ * risky actions.
+ *
+ * Default routing table:
+ *   high:   scope_engine, budget_tracker
+ *   medium: scope_engine, semantic_verifier, budget_tracker, pattern_monitor
+ *   low:    scope_engine, semantic_verifier, budget_tracker,
+ *           pattern_monitor, human_escalation
+ *
+ * Context overrides:
+ *   - riskLevel == "critical": human_escalation is always appended.
+ *   - amount > pqcAmountThreshold: "pqc_signing" flag is appended.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LayerRouter = void 0;
+class LayerRouter {
+    constructor(config = {}) {
+        // Start from defaults then overlay caller-supplied rules
+        this.rules = { ...LayerRouter.DEFAULT_RULES };
+        if (config.rules) {
+            for (const [tier, layers] of Object.entries(config.rules)) {
+                this.rules[tier] = [...layers];
+            }
+        }
+        this.pqcThreshold = config.pqcAmountThreshold ?? 10000.0;
+    }
+    /**
+     * Return the ordered list of layer names to execute.
+     *
+     * Resolution order:
+     *   1. Base layers from trust tier.
+     *   2. If riskLevel == "critical", ensure "human_escalation" is included.
+     *   3. If amount > pqcThreshold, append "pqc_signing".
+     *
+     * @param trust - TrustScore for the acting agent.
+     * @param action - The action being attempted (reserved for future per-action rules).
+     * @param opts.amount - Optional monetary amount of the action.
+     * @param opts.riskLevel - Optional contextual risk label. "critical" forces
+     *   human escalation regardless of trust tier.
+     * @returns Ordered array of layer name strings to execute.
+     */
+    route(trust, action, opts = {}) {
+        const tier = this.rules[trust.tier] ? trust.tier : "medium";
+        const layers = [...this.rules[tier]];
+        if (opts.riskLevel === "critical" && !layers.includes("human_escalation")) {
+            layers.push("human_escalation");
+        }
+        if (this.requiresPqc(opts.amount) && !layers.includes("pqc_signing")) {
+            layers.push("pqc_signing");
+        }
+        return layers;
+    }
+    /**
+     * Add or override the routing rule for a given tier.
+     *
+     * @param tier - One of "high", "medium", or "low".
+     * @param layers - Ordered list of layer names for this tier.
+     */
+    addRule(tier, layers) {
+        this.rules[tier] = [...layers];
+    }
+    /**
+     * Check whether PQC signing is required based on the action amount.
+     *
+     * @param amount - Monetary value of the action. undefined or 0 returns false.
+     * @returns True if amount exceeds the configured PQC threshold.
+     */
+    requiresPqc(amount) {
+        if (amount === undefined)
+            return false;
+        return amount > this.pqcThreshold;
+    }
+}
+exports.LayerRouter = LayerRouter;
+/**
+ * Determine which safety layers to run based on trust and action context.
+ *
+ * Usage:
+ *   const router = new LayerRouter();
+ *   const layers = router.route(trustScore, "order_parts", { amount: 5000 });
+ *   // ["scope_engine", "budget_tracker", "pattern_monitor"]
+ */
+/** Default routing rules per trust tier. */
+LayerRouter.DEFAULT_RULES = {
+    high: ["scope_engine", "budget_tracker"],
+    medium: ["scope_engine", "semantic_verifier", "budget_tracker", "pattern_monitor"],
+    low: [
+        "scope_engine",
+        "semantic_verifier",
+        "budget_tracker",
+        "pattern_monitor",
+        "human_escalation",
+    ],
+};

package/dist/safety.d.ts

@@ -5,8 +5,15 @@
  * Layer 2: BudgetTracker    - "How much total?"
  * Layer 3: PatternMonitor   - "Is this normal?"
  * Layer 4: HumanEscalation  - "Should a human decide?"
+ *
+ * Phase 3 addition: SafetyStack accepts optional LayerRouter and TrustEngine
+ * parameters. When provided, the router determines which layers to run for
+ * each check call based on the agent's current trust score. When omitted the
+ * original fixed-order behaviour is preserved (backwards compatible).
  */
 import { ScopeEngine, StructuredScope, VerificationResult } from "./scope-engine";
+import { LayerRouter } from "./router";
+import { TrustEngine } from "./trust";
 export declare class BudgetTracker {
     private dailyLimit?;
     private monthlyLimit?;
@@ -53,17 +60,69 @@ export interface SafetyResult {
     reason: string;
     alerts: PatternAlert[];
 }
+export interface SafetyStackConfig {
+    scopeEngine?: ScopeEngine;
+    budget?: BudgetTracker;
+    pattern?: PatternMonitor;
+    escalation?: HumanEscalation;
+    /** Optional router for dynamic layer selection (Phase 3). */
+    router?: LayerRouter;
+    /** Optional trust engine for agent trust scores (Phase 3). */
+    trustEngine?: TrustEngine;
+}
+export interface CheckOpts {
+    amount?: number;
+    /** Agent identifier - required for dynamic routing. */
+    agentId?: string;
+    /** Risk label forwarded to the router (e.g. "critical"). */
+    riskLevel?: string;
+}
 export declare class SafetyStack {
+    /**
+     * Combine all safety layers into a single check.
+     *
+     * Basic usage (fixed order, all configured layers run):
+     *   const stack = new SafetyStack({ budget, pattern, escalation });
+     *   const result = stack.check(scope, "order_parts", { amount: 8000 });
+     *
+     * Phase 3 usage (dynamic routing based on agent trust):
+     *   const stack = new SafetyStack({ budget, pattern, escalation, router, trustEngine });
+     *   const result = stack.check(scope, "order_parts", { amount: 8000, agentId: "bot-001" });
+     *   stack.recordOutcome("bot-001", result.allowed);
+     */
     private scopeEngine;
     private budget?;
     private pattern?;
     private escalation?;
-    constructor(opts?: {
-        scopeEngine?: ScopeEngine;
-        budget?: BudgetTracker;
-        pattern?: PatternMonitor;
-        escalation?: HumanEscalation;
-    });
-    check(scope: StructuredScope | string, action: string, amount?: number): SafetyResult;
+    private router?;
+    private trustEngine?;
+    constructor(opts?: SafetyStackConfig);
+    /**
+     * Run safety layers and return a combined result.
+     *
+     * When a router and trustEngine are configured and agentId is provided,
+     * only the layers specified by the router for the agent's current trust
+     * tier are executed. Otherwise all configured layers run in fixed order.
+     *
+     * @param scope - Parsed scope object or free-text string.
+     * @param action - The action being attempted.
+     * @param opts.amount - Optional monetary amount.
+     * @param opts.agentId - Optional agent identifier. Required for dynamic routing.
+     * @param opts.riskLevel - Optional risk label forwarded to the router.
+     * @returns SafetyResult with allowed status, passed layers, and any alerts.
+     */
+    check(scope: StructuredScope | string, action: string, opts?: CheckOpts | number): SafetyResult;
+    private checkFixed;
+    private checkDynamic;
+    /** Record execution for budget tracking and pattern monitoring. */
     recordExecution(action: string, amount?: number): void;
+    /**
+     * Record an agent execution outcome to update its trust score.
+     *
+     * Delegates to the TrustEngine if one was configured. No-ops otherwise.
+     *
+     * @param agentId - The agent identifier.
+     * @param success - True if the execution succeeded, false otherwise.
+     */
+    recordOutcome(agentId: string, success: boolean): void;
 }

package/dist/safety.js

@@ -6,6 +6,11 @@
  * Layer 2: BudgetTracker    - "How much total?"
  * Layer 3: PatternMonitor   - "Is this normal?"
  * Layer 4: HumanEscalation  - "Should a human decide?"
+ *
+ * Phase 3 addition: SafetyStack accepts optional LayerRouter and TrustEngine
+ * parameters. When provided, the router determines which layers to run for
+ * each check call based on the agent's current trust score. When omitted the
+ * original fixed-order behaviour is preserved (backwards compatible).
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.SafetyStack = exports.HumanEscalation = exports.PatternMonitor = exports.BudgetTracker = void 0;
@@ -26,13 +31,13 @@ class BudgetTracker {
         if (this.dailyCountLimit && (this.dailyCounts[dayKey] || 0) >= this.dailyCountLimit) {
             return { allowed: false, reason: `Daily action count limit reached (${this.dailyCountLimit})` };
         }
-        if (this.dailyLimit && amount > 0) {
+        if (this.dailyLimit !== undefined && amount > 0) {
             const projected = (this.dailyTotals[dayKey] || 0) + amount;
             if (projected > this.dailyLimit) {
                 return { allowed: false, reason: `Daily budget exceeded: ${projected} > ${this.dailyLimit}` };
             }
         }
-        if (this.monthlyLimit && amount > 0) {
+        if (this.monthlyLimit !== undefined && amount > 0) {
             const projected = (this.monthlyTotals[monthKey] || 0) + amount;
             if (projected > this.monthlyLimit) {
                 return { allowed: false, reason: `Monthly budget exceeded: ${projected} > ${this.monthlyLimit}` };
@@ -41,6 +46,8 @@ class BudgetTracker {
         return { allowed: true, reason: "Within budget" };
     }
     recordUsage(action, amount = 0) {
+        if (amount < 0)
+            return; // Prevent budget gaming via negative amounts
         const dayKey = new Date().toISOString().slice(0, 10);
         const monthKey = dayKey.slice(0, 7);
         this.dailyTotals[dayKey] = (this.dailyTotals[dayKey] || 0) + amount;
@@ -123,8 +130,34 @@ class SafetyStack {
         this.budget = opts.budget;
         this.pattern = opts.pattern;
         this.escalation = opts.escalation;
+        this.router = opts.router;
+        this.trustEngine = opts.trustEngine;
+    }
+    /**
+     * Run safety layers and return a combined result.
+     *
+     * When a router and trustEngine are configured and agentId is provided,
+     * only the layers specified by the router for the agent's current trust
+     * tier are executed. Otherwise all configured layers run in fixed order.
+     *
+     * @param scope - Parsed scope object or free-text string.
+     * @param action - The action being attempted.
+     * @param opts.amount - Optional monetary amount.
+     * @param opts.agentId - Optional agent identifier. Required for dynamic routing.
+     * @param opts.riskLevel - Optional risk label forwarded to the router.
+     * @returns SafetyResult with allowed status, passed layers, and any alerts.
+     */
+    check(scope, action, opts = {}) {
+        // Support legacy signature: check(scope, action, amount: number)
+        const amount = typeof opts === "number" ? opts : (opts.amount ?? 0);
+        const agentId = typeof opts === "object" ? opts.agentId : undefined;
+        const riskLevel = typeof opts === "object" ? opts.riskLevel : undefined;
+        if (this.router && this.trustEngine && agentId) {
+            return this.checkDynamic(scope, action, amount, agentId, riskLevel);
+        }
+        return this.checkFixed(scope, action, amount);
     }
-    check(scope, action, amount = 0) {
+    checkFixed(scope, action, amount) {
         const passed = [];
         const alerts = [];
         const r1 = this.scopeEngine.verify(scope, action, { amount });
@@ -153,9 +186,62 @@ class SafetyStack {
         }
         return { allowed: true, passedLayers: passed, reason: "All safety layers passed", alerts };
     }
+    checkDynamic(scope, action, amount, agentId, riskLevel) {
+        const trust = this.trustEngine.getScore(agentId);
+        const layerNames = this.router.route(trust, action, { amount, riskLevel });
+        const passed = [];
+        const alerts = [];
+        for (const name of layerNames) {
+            if (name === "scope_engine") {
+                const r = this.scopeEngine.verify(scope, action, { amount });
+                if (!r.allowed)
+                    return { allowed: false, passedLayers: passed, failedLayer: name, reason: r.reason, alerts };
+                passed.push(name);
+            }
+            else if (name === "budget_tracker" && this.budget) {
+                const r = this.budget.check(action, amount);
+                if (!r.allowed)
+                    return { allowed: false, passedLayers: passed, failedLayer: name, reason: r.reason, alerts };
+                passed.push(name);
+            }
+            else if (name === "pattern_monitor" && this.pattern) {
+                const pa = this.pattern.check(action, amount);
+                alerts.push(...pa);
+                const critical = pa.filter(a => a.level === "critical");
+                if (critical.length)
+                    return { allowed: false, passedLayers: passed, failedLayer: name, reason: critical[0].message, alerts };
+                passed.push(name);
+            }
+            else if (name === "human_escalation" && this.escalation) {
+                const r = this.escalation.check(action, amount);
+                if (!r.allowed)
+                    return { allowed: false, passedLayers: passed, failedLayer: name, reason: r.reason, alerts };
+                passed.push(name);
+            }
+            // "semantic_verifier" and "pqc_signing" are handled by VerificationPipeline
+        }
+        return {
+            allowed: true,
+            passedLayers: passed,
+            reason: `All routed layers passed (tier=${trust.tier})`,
+            alerts,
+        };
+    }
+    /** Record execution for budget tracking and pattern monitoring. */
     recordExecution(action, amount = 0) {
         this.budget?.recordUsage(action, amount);
         this.pattern?.record(action, amount);
     }
+    /**
+     * Record an agent execution outcome to update its trust score.
+     *
+     * Delegates to the TrustEngine if one was configured. No-ops otherwise.
+     *
+     * @param agentId - The agent identifier.
+     * @param success - True if the execution succeeded, false otherwise.
+     */
+    recordOutcome(agentId, success) {
+        this.trustEngine?.recordOutcome(agentId, success);
+    }
 }
 exports.SafetyStack = SafetyStack;

package/dist/scope-engine.js

@@ -34,8 +34,8 @@ class ScopeEngine {
         if (scope.denied?.includes(action)) {
             return { allowed: false, reason: `Action '${action}' is in denied list` };
         }
-        // Allowed list
-        if (scope.allowed?.length && !scope.allowed.includes(action)) {
+        // Allowed list (empty array = nothing allowed, undefined = no whitelist)
+        if (scope.allowed !== undefined && !scope.allowed.includes(action)) {
             return { allowed: false, reason: `Action '${action}' not in allowed list: ${scope.allowed.join(", ")}` };
         }
         // Amount limits